Cisco Firewall Basics - clnv.s3. · PDF file• This session is not for you if you want to deep dive into configurations for specific features / functionality ... Edge With DMZ - VPN

Cisco Firewall Basics

Mark Cairns, Consulting Systems Engineer

BRKSEC-1020


Mark Cairns

Consulting Systems Engineer, GSSO supporting US Commercial

• Based in Richmond, VA and covering select accounts in VA, DC and MD

• 17 years experience with Cisco Security Products

• CCIE #17755, Security

• You can reach me at [email protected] and @12LISN2


Session Information

• This is an introductory session

• It is not meant for professionals with deep knowledge of firewalls and Cisco ASA

• This session is not for you if you want to deep dive into configurations for specific features / functionality

• References may be made to advanced functionality for context but we will stay at a fairly high level

Basic Firewall Understanding


Agenda

• Introduction

• Back to Basics – Firewalls in General

• Where and Why – The Edge, Data Center and Hosted Environment

• What – Cloud Management, Security Zones, Physical and Virtual Appliances

• Additional Functions – When a Taller Wall Isn’t Enough

• Did you know? – Two use cases for ASA and Secure Group Tags


Firewalls in General


Securing/Hardening for What Purpose or Need?

• Subversion – Bots, Viruses, and Worms; Spyware and Adware

• Disruption – Denial of service attacks; Advanced Persistent Threats (APTs); Penetration Attempts; Zero-day Attacks; Hacker Attacks

• Data Loss – Data theft and/or interception; Identity theft


Firewalls – What are they?

• Primary filtering appliances/VMs that work at both the network and application layers

• Provide a platform for the features/functionality needed for network security

• VPNs (remote-access and site to site)

• NGIPS

• Anti-malware

• Next-generation security should not abandon proven stateful inspection capabilities in favor of application and user ID awareness by itself

• A comprehensive network security solution includes firewalls, next-generation firewalls (application inspection and filtering) and next-generation intrusion prevention systems (context aware)

• The firewall often is the conduit from which other defense components combat the threats that face the network


Where and Why


Filtering on a Tuple?

• The genesis of firewalls was initially a means to filter traffic based on the five tuple

• Source IP address – the IP address of the initiator of the IP packet

• Destination IP address – the IP address of the destination of the IP packet

• Source port – UDP or TCP port used by the initiator to establish communications with the destination

• Destination port – UDP or TCP port on the destination that the initiator is communicating with

• IP protocol – the specific IP protocol used in the communication


Filtering – IP Protocols

• ICMP (1)

• TCP (6)

• UDP (17)

• GRE (47)

• ESP (50)

• AH (51)

• EIGRP (88)

• OSPF (89)

http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml



Stateful Inspection

• Most routers and switches can filter based on the five tuple…why a firewall then?

• Stateful firewalls track L3/L4 traffic as it leaves and returns to the network

• Connections are maintained in the connection table, tracking the five tuple and additional information such as TCP sequence numbers

Example connection table entry:

TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), flags UIO, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002

Outbound packet: Src IP – 1.1.1.1, Dest IP – 2.2.2.2, Src Port – TCP/35478, Dest Port – TCP/80

Return packet: Src IP – 2.2.2.2, Dest IP – 1.1.1.1, Src Port – TCP/80, Dest Port – TCP/35478

*Best Practice – Limit outbound connections to known services and hosts, such as SMTP servers only for port 25.


Network Address Translation

• Network address translation (NAT) is the mapping of IP addresses from a private network to a public network

• NAT gives network administrators and security administrators:

• Access to non-publicly routable IPv4 space

• Cost savings because addresses are not cheap

• Masquerading of internal network addresses

• IPv4 address space is exhausted

Packet before translation (inside): Src IP – 10.1.1.1, Dest IP – 2.2.2.2, Src Port – TCP/35478, Dest Port – TCP/80

Packet after translation (outside): Src IP – 3.3.3.3, Dest IP – 2.2.2.2, Src Port – TCP/35478, Dest Port – TCP/80
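The two packet walks above (stateful inspection and NAT) as one runnable model. This is an added example, not code from the deck or from Cisco: a toy connection table in Python that uses the slides' addresses (inside host 10.1.1.1 translated to 3.3.3.3, web server 2.2.2.2) to show why a stateful device admits the reply to an outbound connection but drops an unsolicited inbound packet that a plain five-tuple filter could not tell apart. The inside prefix, the SMTP server 5.5.5.5 and the show_conn rendering are constructed for the example; TCP only, no sequence tracking or timeouts.

```python
"""Stateful inspection with source NAT, modelled on the deck's packet diagrams.
Added example, not Cisco code: inside hosts share one outside address and the
source port is kept, as the NAT slide shows (real PAT may rewrite the port)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# (src_ip, dst_ip, src_port, dst_port, protocol): the five tuple from the slides
FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    proto: str = "tcp"

    def tuple5(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.sport, self.dport, self.proto)

    def reverse(self) -> FiveTuple:
        """Five tuple of a packet travelling the other way on the same connection."""
        return (self.dst_ip, self.src_ip, self.dport, self.sport, self.proto)


class StatefulNatFirewall:
    def __init__(self, inside_prefix: str, nat_ip: str,
                 allowed_outbound: Set[Tuple[str, int]]) -> None:
        self.inside_prefix = inside_prefix        # constructed shortcut for "is an inside host"
        self.nat_ip = nat_ip                      # the single outside address (3.3.3.3)
        self.allowed_outbound = allowed_outbound  # {(server_ip, port)}: the slide's best practice
        # connection table: translated outbound five tuple -> real inside address
        self.conns: Dict[FiveTuple, str] = {}
        self.log: List[str] = []

    def process(self, pkt: Packet) -> Optional[Packet]:
        """Forward (and translate) a packet, or return None when it is dropped."""
        if pkt.src_ip.startswith(self.inside_prefix):
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst_ip, pkt.dport) not in self.allowed_outbound:
            self.log.append(f"DENY outbound {pkt.tuple5()}: not a permitted service")
            return None
        # rewrite the source address, keep the port, and remember the connection
        translated = Packet(self.nat_ip, pkt.dst_ip, pkt.sport, pkt.dport, pkt.proto)
        self.conns[translated.tuple5()] = pkt.src_ip
        self.log.append("BUILD " + self.show_conn(translated, pkt.src_ip))
        return translated

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        # a reply is accepted only when its reverse tuple is an existing connection;
        # a stateless five-tuple filter would have to open port 35478 permanently
        inside_ip = self.conns.get(pkt.reverse())
        if inside_ip is None:
            self.log.append(f"DENY inbound {pkt.tuple5()}: no matching connection")
            return None
        # undo the translation so the packet reaches the real inside host
        return Packet(pkt.src_ip, inside_ip, pkt.sport, pkt.dport, pkt.proto)

    def show_conn(self, translated: Packet, inside_ip: str) -> str:
        """Render an entry in the real/(mapped) style of the slide's show conn line."""
        return (f"{translated.proto.upper()} outside:{translated.dst_ip}/{translated.dport} "
                f"({translated.dst_ip}/{translated.dport}) "
                f"inside:{inside_ip}/{translated.sport} "
                f"({translated.src_ip}/{translated.sport})")
```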


Edge With DMZ

• Similar to a basic edge design with the addition of inbound traffic

• Traffic inbound from the DMZ to the trusted network may or may not pass the firewall.


Edge With DMZ - VPN

• Multiple path options for VPN with trusted and untrusted packets.

• VPN Concentrator may be connected outside the firewall

• Trusted traffic path usually depends on source. Employee or Vendor, B2B, etc.

*Best Practices – Remember that controlling access from a VPN to an internal resource is not a dead end! Jump box scenario.

Hide your firewall with private IP space on the outside.


Tiered DMZs

• Typically seen in multi-tiered hosting for e-commerce

• Forces all traffic between tiers to pass firewall rules

• Can help mitigate risk and contain exploits and/or breaches within a DMZ


Bridge across your DMZs

• Sometimes referred to as clean and dirty DMZs

• VPN, Video, etc.

• Avoids hair-pinning

*Best Practice – Use destination NAT with a block of unused private IPs for outbound L2L VPN instead of routing individual remote IPs.


Split Firewalls

• Not common without Layer 3

• Forces routing on endpoints


Split Firewalls

• Layer 3 hop between firewalls

• Avoids hair-pinning

• May still have an optional trusted connection


Securing the WAN

• Typical MPLS WAN

• Does not ensure privacy


Internet based WAN

• Lower cost alternative to MPLS

• Dictates VPN for routing and privacy

• Direct Internet Access (DIA) adds security risk


Internet based WAN

• Secure router combines functions

• Inspect DIA

• Typically no need for inbound access directly from Internet


From branch to SOHO

• Add trusted connectivity to an untrusted environment

• Leverages firewalling and authentication


Manage to Scale

• Growth dictates migration from on-box to off-box management

• Control and Data plane is local to firewall


Scale to the Cloud

• Move control plane to cloud portal

• Data plane remains local

• OpEx cost reduction


Data Center Clustering for Performance and Scale

• Handles asymmetric traffic associated with vPC/VSS

• N+1 redundancy

• Keeps DC design intact

• Scale to 16 firewalls


Securing VMs and Hosting Environments


What is the right solution?


Cloud Networking Group


About Cisco Cloud-Managed Networking

• Cisco Meraki: a complete cloud-managed networking solution

• Wireless, switching, security, WAN optimization, and MDM, centrally managed over the web

• Built from the ground up for cloud management

• Integrated hardware, software, and cloud services

• Leader in cloud-managed networking

• Among Cisco’s fastest-growing portfolios

• Tens of millions of devices connected worldwide

• Recognized for innovation

• Gartner Magic Quadrant, InfoWorld Technology of the Year, CRN Coolest Technologies


Distributed networks

Centralized cloud management scales to thousands of sites

• Multi-site visibility and control – Map-based dashboard; configuration sync; remote diagnostics; automatic monitoring and alerts

• Zero-touch provisioning – Devices automatically provision from the cloud, no staging required; self-configuring site-to-site VPN

• Traffic acceleration – WAN optimization and web caching accelerates and de-duplicates network traffic; application-aware QoS prioritizes productivity apps


Automated site-to-site VPN

Site-to-site IPsec VPN in just two clicks in the Dashboard

• Simple – Creates L3 site-to-site VPN tunnels with just 2 clicks in the dashboard

• Automatic – Comparable to Cisco DMVPN, it creates a mesh or hub-and-spoke VPN tunnel between all peers and adjusts to IP changes

• Resilient – Automatic failover to secondary WAN link or 3G/4G USB modem


Diverse Security

• Best IPS – Sourcefire IDS / IPS, updated every day

• Content Filtering – 4+ billion URLs, updated in real-time

• Geo-based security – Block attackers from rogue countries

• AV / anti-phishing – Kaspersky AV, updated every hour

• PCI compliance – PCI L1 certified cloud-based management


Choosing the right MX for your environment

• Z1 – For teleworkers (1-5 users); FW throughput 50 Mbps; dual-radio wireless

• MX64 / 64W – Small branches (~50 users); FW throughput 200 Mbps; 802.11ac wireless (MX64W)

• MX80 – Mid-size branches (~100 users); FW throughput 250 Mbps; large web cache (1TB)

• MX100 – Mid-size branches (~500 users); FW throughput 500 Mbps; gigabit uplinks; large web cache (1TB)

• MX400 – Large branch/campus (~2,000 users); FW throughput 1 Gbps; high-speed uplinks, built-in redundancy, modular interface, large web cache (1TB)

• MX600 – Large branch/campus (~10,000 users); FW throughput 2 Gbps; high-speed uplinks, built-in redundancy, modular interface, large web cache (4TB)

All devices support 3G/4G


Zone Based Firewall


Zone Based Firewall

[Diagram: router with three zones – Internet on G0/0, Trusted on G0/1.101, DMZ on G0/1.103. Trusted to Internet: TCP/UDP/ICMP, Response OK. DMZ: All Traffic Permit.]

Support for:

• ISR, ASR, CSR

• NAT

• WAAS

• VRFs

• Redundancy

• VTIs for VPNs

• Deep Packet Inspection


Configuring ZBF

! Create zones
zone security Internet
zone security Trusted
zone security DMZ
!
! Assign interfaces to security zones
interface LISP0
 zone-member security DMZ
!
interface GigabitEthernet0/0
 description Public Outside
 zone-member security Internet
!
interface GigabitEthernet0/1.101
 description Inside
 zone-member security Trusted
!
interface GigabitEthernet0/1.103
 description Public DMZ
 zone-member security DMZ


Configuring ZBF (continued)

! Create inspection class
class-map type inspect match-any All_Protocols
 description - Match all outgoing protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Create inspection policy
policy-map type inspect trusted-to-internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop
policy-map type inspect DMZ
 class class-default
  pass
!
! Create zone pairs and associate policy
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect trusted-to-internet
zone-pair security Internet->DMZ source Internet destination DMZ
 service-policy type inspect DMZ
zone-pair security DMZ->Internet source DMZ destination Internet
 service-policy type inspect DMZ
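A way to check what the two ZBF slides actually permit, as an added example (not Cisco code and not part of the deck): a small Python evaluator that parses the slides' configuration and reports the action a flow gets, making explicit the rules the slides rely on but do not state: traffic with no zone-pair is dropped, traffic between interfaces in the same zone is permitted, and "pass" is stateless so the return direction needs a zone-pair of its own (which is why the DMZ has one in each direction). The config string is the slides' own with interface descriptions omitted; ZbfPolicy and its methods are constructed for this example.

```python
"""Evaluator for the zone-based firewall configuration on the "Configuring ZBF"
slides. Added example, not Cisco code: it parses that config and reports the
action a flow gets. Only match-any class maps and the inspect/pass/drop
actions are modelled; intra-zone traffic is treated as permitted by default."""
from typing import Dict, List, Optional, Set, Tuple

# the slides' own configuration (interface descriptions omitted)
ZBF_CONFIG = """
zone security Internet
zone security Trusted
zone security DMZ
interface LISP0
 zone-member security DMZ
interface GigabitEthernet0/0
 zone-member security Internet
interface GigabitEthernet0/1.101
 zone-member security Trusted
interface GigabitEthernet0/1.103
 zone-member security DMZ
class-map type inspect match-any All_Protocols
 description - Match all outgoing protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect trusted-to-internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop
policy-map type inspect DMZ
 class class-default
  pass
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect trusted-to-internet
zone-pair security Internet->DMZ source Internet destination DMZ
 service-policy type inspect DMZ
zone-pair security DMZ->Internet source DMZ destination Internet
 service-policy type inspect DMZ
"""


class ZbfPolicy:
    def __init__(self) -> None:
        self.iface_zone: Dict[str, str] = {}                          # interface -> zone
        self.class_maps: Dict[str, Set[str]] = {}                     # class-map -> protocols
        self.policy_maps: Dict[str, List[List[Optional[str]]]] = {}   # name -> [[class, action]]
        self.pair_policy: Dict[Tuple[str, str], str] = {}             # (src zone, dst zone) -> policy-map

    @classmethod
    def parse(cls, config: str) -> "ZbfPolicy":
        pol, ctx = cls(), None   # ctx: the interface/class-map/policy-map/zone-pair being read
        for raw in config.splitlines():
            t = raw.split()
            if not t or t[0] in ("!", "description"):
                continue
            if t[0] == "interface":
                ctx = t[1]
            elif t[0] == "zone-member":
                pol.iface_zone[ctx] = t[2]
            elif t[0] == "class-map":
                ctx = t[-1]
                pol.class_maps[ctx] = set()
            elif t[0] == "match":
                pol.class_maps[ctx].add(t[2])
            elif t[0] == "policy-map":
                ctx = t[-1]
                pol.policy_maps[ctx] = []
            elif t[0] == "class":
                pol.policy_maps[ctx].append([t[-1], None])
            elif t[0] in ("inspect", "pass", "drop"):
                pol.policy_maps[ctx][-1][1] = t[0]
            elif t[0] == "zone-pair":
                ctx = (t[4], t[6])   # "... source <zone> destination <zone>"
            elif t[0] == "service-policy":
                pol.pair_policy[ctx] = t[-1]
        return pol

    def decide(self, in_iface: str, out_iface: str, proto: str) -> str:
        src, dst = self.iface_zone.get(in_iface), self.iface_zone.get(out_iface)
        if src == dst:                    # same zone (or both zoneless): permitted by default
            return "permit"
        if src is None or dst is None:    # zone member to non-member: always dropped
            return "drop"
        pmap = self.pair_policy.get((src, dst))
        if pmap is None:                  # no zone-pair in this direction: implicit deny
            return "drop"
        for cls_name, action in self.policy_maps[pmap]:
            if cls_name == "class-default" or proto in self.class_maps.get(cls_name, ()):
                return action or "drop"   # a class with no action configured drops
        return "drop"

    def return_allowed(self, in_iface: str, out_iface: str, proto: str) -> bool:
        # inspect is stateful, so replies are admitted automatically; pass is
        # stateless, so the reverse direction must be permitted by its own zone-pair
        forward = self.decide(in_iface, out_iface, proto)
        if forward == "pass":
            return self.decide(out_iface, in_iface, proto) in ("pass", "inspect", "permit")
        return forward in ("inspect", "permit")
```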


ASA – Physical and Virtual


Cisco ASA 5500 Series Portfolio – Comprehensive Solutions from SOHO to the Data Center

Multi-Service (Firewall/VPN and IPS), arranged by performance and scalability from SOHO through Branch Office, Internet Edge and Campus to Data Center:

• SOHO: ASA 5505 (150 Mbps, 4K cps)

• ASA 5512-X (1 Gbps, 10K cps)

• ASA 5515-X (1.2 Gbps, 15K cps)

• ASA 5525-X (2 Gbps, 20K cps)

• ASA 5545-X (3 Gbps, 30K cps)

• ASA 5555-X (4 Gbps, 50K cps)

• ASA 5585-X SSP-10 (4 Gbps, 50K cps)

• ASA 5585-X SSP-20 (10 Gbps, 125K cps)

• ASA 5585-X SSP-40 (20 Gbps, 200K cps)

• ASA 5585-X SSP-60 (40 Gbps, 350K cps)


ASA 5500-X Firewall Hardware Comparison

Feature | ASA 5512-X | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X
64-bit multi-core processors | Yes | Yes | Yes | Yes | Yes
Maximum memory | 4 GB | 8 GB | 8 GB | 12 GB | 16 GB
Maximum storage form factor | 8 GB eUSB | 8 GB eUSB | 8 GB eUSB | 8 GB eUSB |
Base I/O ports | 6 x 1GbE Cu, 1 x 1GbE Cu Mgmt | 6 x 1GbE Cu, 1 x 1GbE Cu Mgmt | 8 x 1GbE Cu, 1 x 1GbE Cu Mgmt | 8 x 1GbE Cu, 1 x 1GbE Cu Mgmt | 8 x 1GbE Cu, 1 x 1GbE Cu
Expansion I/O module | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP
Power supply | Single fixed power supply | Single fixed power supply | Single fixed power supply | Dual hot-swappable redundant power supply | Dual hot-swappable redundant power supply
VPN crypto hardware accelerator | Yes | Yes | Yes | Yes | Yes
IPS hardware accelerator | No | No | Yes | Yes | Yes


ASA 5585-X Firewall Module Hardware Comparison

Feature | ASA SSP-10 | ASA SSP-20 | ASA SSP-40 | ASA SSP-60
Processor | 1 x 2.0 GHz (2 cores / 4 threads) | 1 x 2.13 GHz (4 cores / 8 threads) | 2 x 2.13 GHz (8 cores / 16 threads) | 2 x 2.46 GHz (12 cores / 24 threads)
Maximum memory | 6 GB | 12 GB | 12 GB | 12 GB
Maximum storage | 2 GB eUSB | 2 GB eUSB | 2 GB eUSB | 2 GB eUSB
Ports | 2 SFP+, 8 x 1 GE Cu, 2 x 1 GE Cu mgmt | 2 SFP+, 8 x 1 GE Cu, 2 x 1 GE Cu mgmt | 4 SFP+, 6 x 1 GE Cu, 2 x 1 GE Cu mgmt | 4 SFP+, 6 x 1 GE Cu, 2 x 1 GE Cu mgmt
Security | 1 Cavium Nitrox 1620, 1.5 Gbps AES 256 | 2 Cavium Nitrox 1620, 3 Gbps AES 256 | 3 Cavium Nitrox 1620, 4.5 Gbps AES 256 | 4 Cavium Nitrox 1620, 6 Gbps AES 256


ASA 5585-X (FirePOWER Next-Generation IPS)

Model | ASA 5585 SSP10F10 | ASA 5585 SSP20F20 | ASA 5585 SSP40F40 | ASA 5585 SSP60F60
Positioning | Internet Edge/Campus | Internet Edge/Campus | Campus/Data Center | Data Center

Performance
Max firewall | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps
Max traditional IPS | 2 Gbps | 3 Gbps | 5 Gbps | 10 Gbps
Max IPS | 2.5 Gbps | 7 Gbps | 10 Gbps | 15 Gbps
Max IPS + AVC | 2 Gbps | 3.5 Gbps | 6 Gbps | 10 Gbps
Max IPsec VPN | 1 Gbps | 2 Gbps | 3 Gbps | 5 Gbps
Max IPsec/SSL VPN peers | 5000 | 10,000 | 10,000 | 10,000

Platform Capabilities
Max firewall connections | 1 million | 2 million | 4 million | 10 million
Max connections per second | 50,000 | 125,000 | 200,000 | 350,000
Packets per second (64 byte) | 1.5 million | 3 million | 5 million | 9 million
Base I/O | 8 x 1 GE + 2 x 10 GE | 8 x 1 GE + 2 x 10 GE | 6 x 1 GE + 4 x 10 GE | 6 x 1 GE + 4 x 10 GE
Max I/O | 16 x 1 GE + 4 x 10 GE | 16 x 1 GE + 4 x 10 GE | 12 x 1 GE + 8 x 10 GE | 12 x 1 GE + 8 x 10 GE
VLANs supported | 250 | 250 | 250 | 250
High availability supported | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S


New Additions to the 5500 Portfolio – 5506-X with FirePOWER Services

• Max 250 Mbps AVC throughput

• Max 125 Mbps AVC and NGIPS

• 90 Mbps AVC or IPS with 440 byte HTTP

• ASDM 7.3.x or CSM and FireSIGHT

• Available in hardened and wireless configurations


New Additions to the 5500 Portfolio – 5508-X with FirePOWER Services

• Max 450 Mbps AVC throughput

• Max 250 Mbps AVC and NGIPS

• 180 Mbps AVC or IPS with 440 byte HTTP

• ASDM 7.3.x or CSM and FireSIGHT


New Additions to the 5500 Portfolio – 5516-X with FirePOWER Services

• Max 850 Mbps AVC throughput

• Max 425 Mbps AVC and NGIPS

• 300 Mbps AVC or IPS with 440 byte HTTP

• ASDM 7.3.x or CSM and FireSIGHT


Horizontal Scaling through Clustering

• Up to 16 units

• Firewall maximum throughput: 640 Gbps

• Firewall + FirePOWER IPS maximum throughput: 160+ Gbps

• FirePOWER IPS 440-byte throughput: 96 Gbps


Cisco ASAv Firewall and Management Features

Cisco ASA 9 feature set on the Cisco ASAv:

• Removed clustering and multiple-context mode

• 10 vNIC interfaces and VLAN tagging

• Virtualization displaces multiple-context and clustering

• Parity with all other Cisco ASA platform features

• SDN (Cisco APIC) and traditional (Cisco ASDM and CSM) management tools

• Dynamic routing includes OSPF, EIGRP, and BGP

• IPv6 inspection support, NAT66, and NAT46/NAT64

• REST API for programmed configuration and monitoring

• Cisco TrustSec PEP with SGT-based ACLs

• Zone-based firewall

• Equal-Cost Multipath

• Failover Active/Standby HA model


Cisco ASAv Platforms

• Cisco ASAv5 – 100 Mbps

• Cisco ASAv10 – 1 Gbps

• Cisco ASAv30 – 2 Gbps

* Lab Edition license is built in with 100-Kbps throughput and 100 total connections allowed


ASAv Deployed in Amazon Web Services

• Management (required) interface – used for SSH/ASDM access from the Jumpbox, and is provided by default. It has no Public/Elastic IPs and cannot be used for through traffic.

• Outside Interface (required) – used to connect ASAv to the public network and is an alternative path for management access

• Inside Interface (required) and DMZ Interface (optional) – as in previous slides, are used to connect ASAv to internal subnets

[Diagram: Cisco ASAv30 in AWS with a Management interface (no routes) reached from the Ubuntu1 jumpbox, an Outside interface (default route) toward the Internet, an Inside interface to Ubuntu3 and a DMZ interface to Ubuntu2; the admin reaches the jumpbox over the Internet]


Routed Firewall

[Diagram: Cisco ASAv in routed mode with Outside1 and Outside2 interfaces toward Gateway 1 and Gateway 2, an Inside interface, and a shared DMZ security zone; client, host1 and host2 attached]

• Routed – Tenant Edge use case

• Traditional Layer 3 boundary

• First-hop gateway to hosts

• Enable physical and VM hosts

• Dynamic routing

• Support VPN


Transparent Firewall

[Diagram: Cisco ASAv in transparent mode bridging Segment-1 to Segment-4 between a client, host1, host2 and the Gateway]

• Bridge up to 4 interfaces / sub-interfaces

• NAT and ACLs are available

• Traditional Layer 2 boundary between hosts

• All segments in one broadcast domain


Cisco ASAv Data Sheet – Performance and Scale

Data Sheet Metric | Cisco ASAv5 | Cisco ASAv10 | Cisco ASAv30
Stateful Inspection Throughput (Maximum) | 100 Mbps | 1 Gbps | 2 Gbps
Stateful Inspection Throughput (Multi-Protocol) | 50 Mbps | 500 Mbps | 1 Gbps
3DES/AES VPN Throughput | 30 Mbps | 125 Mbps | 300 Mbps
Connections per Second | 8,000 | 20,000 | 60,000
Concurrent Sessions | 50,000 | 100,000 | 500,000
VLANs | 25 | 50 | 200
Bridge Groups (2 VLANs/BVI) | 12 | 25 | 100
Cisco Cloud Web Security Users | 50 | 150 | 500
IPsec VPN Peers | 50 | 250 | 750
Cisco AnyConnect or Clientless User Sessions | 50 | 250 | 750
UC Phone Proxy | 50 | 250 | 1000

Tested on hardware: Cisco UCS C260 M2 and Cisco UCS B200 M3 (Intel Xeon processor E5-2640), release 9.3.2


Over, Through or Around The Wall


Things Change


Introducing Cisco ASA with FirePOWER Services – Industry’s First Threat-Focused NGFW

#1 Cisco Security announcement of the year!

• Integrating defense layers helps organizations get the best visibility

• Enable dynamic controls to automatically adapt

• Protect against advanced threats across the entire attack continuum

Proven Cisco ASA firewalling + industry leading NGIPS and AMP


Application Visibility and Control


Host Profiles

• What OS?

• What Services?

• What Applications?

• What Vulnerabilities?


Impact Assessment

Impact Flag | Administrator Action | Why
1 | Act immediately, vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate, potentially vulnerable | Relevant port open or protocol in use, but no vuln mapped
3 | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know, unknown target | Monitored network, but unknown host
0 | Good to know, unknown network | Unmonitored network
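The impact flag table above as a decision function, added here as an example and not FireSIGHT code: it correlates an IPS event with what the host profile (the previous slide's OS, services and vulnerabilities) knows about the target and assigns flags 1 to 4 or 0 in the order the table gives. HostProfile, IpsEvent, the vulnerability ids and the sample hosts are constructed for the example.

```python
"""Impact assessment: correlate an IPS event with the target's host profile.
Added example, not FireSIGHT code; the data structures are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# administrator action text from the slide, keyed by impact flag
IMPACT = {
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}


@dataclass(frozen=True)
class HostProfile:
    open_ports: FrozenSet[Tuple[str, int]]   # e.g. ("tcp", 80), learned by passive discovery
    protocols: FrozenSet[str]                # port-less protocols seen in use, e.g. "icmp"
    vulnerabilities: FrozenSet[str]          # vulnerability ids mapped to this host (constructed)


@dataclass(frozen=True)
class IpsEvent:
    dst_ip: str
    proto: str
    dst_port: Optional[int]        # None for rules on port-less protocols
    vulnerability: Optional[str]   # id of the vulnerability the rule covers, if any


def impact_flag(event: IpsEvent, hosts: Dict[str, HostProfile],
                monitored: Iterable[str]) -> int:
    """Walk the slide's table top to bottom and return the first matching flag."""
    target = ip_address(event.dst_ip)
    if not any(target in ip_network(n, strict=False) for n in monitored):
        return 0                                   # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                   # monitored network, but unknown host
    if event.dst_port is not None:
        relevant = (event.proto, event.dst_port) in host.open_ports
    else:
        relevant = event.proto in host.protocols
    if not relevant:
        return 3                                   # port not open / protocol not in use
    if event.vulnerability is not None and event.vulnerability in host.vulnerabilities:
        return 1                                   # event matches a vulnerability mapped to host
    return 2                                       # port open, but no vulnerability mapped


def triage(events: Iterable[IpsEvent], hosts: Dict[str, HostProfile],
           monitored: Iterable[str]) -> List[Tuple[int, str, IpsEvent]]:
    """Order events as the table does: flag 1 first, flag 0 (unknown network) last."""
    nets = list(monitored)
    scored = [(impact_flag(e, hosts, nets), e) for e in events]
    scored.sort(key=lambda fe: fe[0] if fe[0] else 5)
    return [(flag, IMPACT[flag], e) for flag, e in scored]
```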


Indications of Compromise (IoCs)

• IPS Events – Malware Backdoors, Exploit Kits, Web App Attacks, CnC Connections, Admin Privilege Escalations

• SI Events – Connections to Known CnC IPs

• Malware Events – Malware Detections, Office/PDF/Java Compromises, Malware Executions, Dropper Infections


Advanced Malware Analysis


Network File Trajectory – Where Has It Been Seen?


Host File Trajectory – What Has It Done?


Security Threats and Notifications

http://www.cisco.com/security

Notification Registration

Current News


Use Cases For Secure Group Tags


ASA Policy Enforcement with MDM

Leverage security groups to authorize endpoints based on MDM compliance.

[Diagram: AP, WLC, ASA, Web Server, ISE and MDM; flow labels: Compliance check, Security Group Query, SXP]

• Create Security Groups on ISE: 1 Compliant, 2 Non-Compliant

• Policy on ASA by Security Group


ASA Policy Enforcement with Nexus 1000V

[Diagram: AP, WLC, ASA, Virtual Web Server, ISE, Nexus 1000V, vCenter (HTTPS); SXP between ISE, ASA and 1000V]

Leverage security groups to automate provisioning of virtual servers.

• Security Group Query

• SXP

• Create Port Profiles on N1000V: DMZ, Web, HR

• Policy on ASA by Security Group
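Both flows above end with "Policy on ASA by Security Group". The ASA configuration below is an added illustration (not from the session) of that firewall-side step: the ASA learns IP-to-SGT bindings from ISE over SXP, resolves group names through its RADIUS connection to ISE, and filters by the Compliant and Non-Compliant groups created on ISE. The IP addresses, server-group name, secrets, object and ACL names are assumed placeholders.

```text
! Added example, not the session's or Cisco's own configuration.
! 192.0.2.10 (ISE), 192.0.2.1 (ASA), 198.51.100.20 (web server) and all names are placeholders.

! SGT name-to-tag mapping (environment data) is fetched from ISE over RADIUS;
! the PAC must be imported out of band (cts import-pac) before this works.
aaa-server ISE-GROUP protocol radius
aaa-server ISE-GROUP (inside) host 192.0.2.10
 key RADIUS-SECRET-PLACEHOLDER
cts server-group ISE-GROUP

! SXP step from the slides: the ASA is a listener, ISE pushes the bindings.
cts sxp enable
cts sxp default password SXP-PASSWORD-PLACEHOLDER
cts sxp default source-ip 192.0.2.1
cts sxp connection peer 192.0.2.10 password default mode local listener

! Security groups created on ISE (Compliant / Non-Compliant), referenced by name.
object-group security SG-COMPLIANT
 security-group name Compliant
object-group security SG-NONCOMPLIANT
 security-group name Non-Compliant

object network WEB-SERVER
 host 198.51.100.20

! Policy by security group: compliant endpoints reach the web server over HTTPS,
! non-compliant endpoints are denied and logged, anything else hits the implicit deny.
access-list INSIDE_IN extended permit tcp object-group-security SG-COMPLIANT any object WEB-SERVER eq https
access-list INSIDE_IN extended deny ip object-group-security SG-NONCOMPLIANT any any log
access-group INSIDE_IN in interface inside
```

Verify the learned bindings with show cts sxp sgt-map and the resolved names with show cts environment-data before relying on the ACL; an endpoint with no binding matches neither group and is dropped by the implicit deny.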


Thank you


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.


Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

• Your favorite speaker’s Twitter handle @12LISN2

• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could Be a Winner


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions


Security Cisco Education Offerings

| Course | Description | Cisco Certification |
|---|---|---|
| Implementing Cisco IOS Network Security (IINS) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA® Security |
| Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls | |
| Implementing Cisco Threat Control Solutions (SITCS) | Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security | |
| Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco’s Identity Services Engine and 802.1X secure network access | |
| Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions | |
| Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for professional security analysts, the course covers essential areas of competency including event monitoring, security event/alarm/traffic analysis, and incident response | Cisco Cybersecurity Specialist |
| Network Security Product and Solutions Training | For official product training on Cisco’s latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances see www.cisco.com/go/securitytraining | |

For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact [email protected]


Design Cisco Education Offerings

| Course | Description | Cisco Certification |
|---|---|---|
| Designing Cisco Network Service Architectures (ARCH) | Provides learner with the ability to perform conceptual, intermediate, and detailed design of a network infrastructure that supports desired capacity, performance, availability required for converged Enterprise network services and applications. | CCDP® (Design Professional) |
| Designing for Cisco Internetwork Solutions (DESGN) | Instructor led training focused on fundamental design methodologies used to determine requirements for network performance, security, voice, and wireless solutions. Prepares candidates for the CCDA certification exam. | CCDA® (Design Associate) |
