1 © 2018 Cisco Systems, Inc. All rights reserved.
Figure (labels only): policy evaluation stages, top to bottom: Layer 2-4 Fast Path; IP Security Blocking; Layer 3-7, Security Group Tag and Identity Matching; Threat Inspection and Blocking; Leaf Domain; Final Action (Block, IPS, Network Discovery).
NGFW Policies: Efficiently Building Zero-Trust
• Like traditional firewall policies, rules run from top to bottom
• Some functions (fast path, IPSec, SSL, and traffic normalization) run before traffic is matched against an Access Control Rule
• Always aim to reduce the number of rules that any given traffic pattern can hit.
• Example: an SSH application rule matches more than tcp/22 does.
• Caveat: a rule that matches on application without port information means some packets will potentially pass until the application is detected.
• Each matched ACL has its own threat monitoring conditions (IPS, Malware, IPS Variables)
• The model can apply to policy “blocks” and/or leaf-domains.
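As an added example (not code from the Cisco deck) of the top-down matching and the application-detection caveat above: a toy Python model of first-match rule evaluation in which an application criterion cannot be decided until the engine has identified the application, so a flow's early packets are passed as "pending" until then. The rule names, ports, and the three-packet detection delay are constructed assumptions, and the model also shows why placing definitive port-based rules ahead of application-only rules cuts the number of packets that pass undecided.

```python
"""Toy model of top-down access-control matching with delayed application
identification. Added example, not Cisco's code; the rules, ports and the
three-packet detection delay are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "block"
    port: Optional[int] = None  # L4 destination port criterion (None = any)
    app: Optional[str] = None   # application criterion (None = any)


@dataclass
class Flow:
    dst_port: int
    app: str                    # what the flow really is
    detect_after: int           # packets the engine needs before it knows the app
    app_seen: Optional[str] = None  # what the engine has identified so far


def evaluate_packet(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """First-match evaluation for a single packet.

    A rule whose port criterion fails is skipped for good. A rule with an
    application criterion cannot be decided while the app is still unknown,
    so the packet is passed as "pending" (the slide's caveat: without port
    information, packets pass until the app is detected).
    """
    for rule in rules:
        if rule.port is not None and rule.port != flow.dst_port:
            continue
        if rule.app is not None:
            if flow.app_seen is None:
                return "pending", rule.name
            if rule.app != flow.app_seen:
                continue
        return rule.action, rule.name
    return "default", None


def run_flow(rules: List[Rule], flow: Flow, n_packets: int) -> List[Tuple[str, Optional[str]]]:
    """Evaluate n_packets of one flow; the app becomes known after detect_after packets."""
    decisions = []
    for i in range(1, n_packets + 1):
        if i > flow.detect_after:
            flow.app_seen = flow.app
        decisions.append(evaluate_packet(rules, flow))
    return decisions


def packets_passed_pending(decisions) -> int:
    """How many packets slipped through before any rule could give a verdict."""
    return sum(1 for verdict, _ in decisions if verdict == "pending")


# Constructed policies.
PORT_ONLY = [Rule("block-ssh-port", "block", port=22)]
APP_FIRST = [Rule("block-ssh-app", "block", app="SSH"),
             Rule("allow-web", "allow", port=443)]
# Same rules, with the definitive port-based rule placed first so unrelated
# traffic is decided on packet one instead of waiting on app detection.
PORT_FIRST = [Rule("allow-web", "allow", port=443),
              Rule("block-ssh-app", "block", app="SSH")]

if __name__ == "__main__":
    for label, rules in (("port-only", PORT_ONLY), ("app-first", APP_FIRST),
                         ("port-first", PORT_FIRST)):
        ssh = run_flow(rules, Flow(dst_port=2222, app="SSH", detect_after=3), 5)
        web = run_flow(rules, Flow(dst_port=443, app="HTTPS", detect_after=3), 5)
        print(f"{label:10} SSH/2222: {[v for v, _ in ssh]}  "
              f"HTTPS/443: {[v for v, _ in web]}")
```

The port-only policy never catches SSH on a non-standard port; the application rule does, but only after three packets have passed, and when it sits at the top of the chain it also holds up unrelated HTTPS traffic until identification completes. Moving the definitive port rule first gives HTTPS a verdict on the first packet while leaving the SSH outcome unchanged.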
Packets and Policies: Know What’s Happening Where
Figure (labels only): packet path through the ASA/Lina engine and the Firepower engine. ASA/Lina labels: RX Ingress Interface, Existing Conn (Y/N), Pre-Filter, L3/L4 ACL, ALG Checks, NAT, L3/L2 Hops, VPN Decrypt, VPN Config, Fastpathed, QoS, VPN Encrypt, Egress Interface, TX; DAQ hands packets to Firepower. Firepower labels: Prefilter Policy, SI (IP), SSL, SI: DNS, URL Pre-proc, NAP, IPS ID, L7 ACL, Discovery (App, Pasv ID, Host), File/AMP, IPS.
Knowing your detection process impacts:
• How you analyze the data
• How you tune your security appliance
Figure (labels only): elements enabled in the Access Control Policy: Access Control Policy, Intrusion Policy, Network Discovery Policy, Network Analysis Policy (NAP), Malware & File Policy, Identity Policy, DNS Policy, SSL Policy, $VAR objects; ACP rule chain: L7 ACL, File/AMP, IPS.
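As an added example (not Cisco's code) of why knowing the detection path matters for analysis and tuning: a toy Python model of the packet path from the figure that records which inspection elements a flow actually reaches. The stage order is a simplification of the diagram and is an assumption (Lina prefilter, then Snort Security Intelligence on IP, SSL, L7 ACL, and the matched rule's own IPS and file inspection, then egress); the policy values, IP addresses, and the payload marker standing in for an IPS content match are all constructed.

```python
"""Toy model of the two-engine packet path. Added example, not Cisco's code.
Stage order is a simplified assumption: Lina prefilter -> Snort SI (IP) ->
Snort SSL -> Snort L7 ACL -> matched rule's IPS / File inspection -> egress.
Fastpathed and blocked flows leave the path early."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed stand-in for an IPS rule content match (not a real signature).
IPS_MARKER = b"EVIL-MARKER"


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes          # constructed sample payload
    tls: bool = False


@dataclass
class Policy:
    fastpath_ports: Set[int]    # prefilter fastpath rules: no Snort inspection at all
    si_blocklist: Set[str]      # Security Intelligence IP blocklist
    decrypt_ports: Set[int]     # SSL policy: ports whose traffic is decrypted
    # (rule name, port or None for any, intrusion policy attached, file policy attached)
    ac_rules: List[Tuple[str, Optional[int], bool, bool]]


@dataclass
class Trace:
    stages: List[str] = field(default_factory=list)
    verdict: str = "allow"
    events: List[str] = field(default_factory=list)


def process(flow: Flow, policy: Policy) -> Trace:
    """Walk one flow through the simplified path, recording each stage reached."""
    t = Trace()
    t.stages.append("lina:prefilter")
    if flow.dst_port in policy.fastpath_ports:
        t.verdict = "fastpath"          # handed to egress; Snort never sees it
        t.stages.append("lina:egress")
        return t
    t.stages.append("snort:si_ip")
    if flow.src_ip in policy.si_blocklist or flow.dst_ip in policy.si_blocklist:
        t.verdict = "block"
        t.events.append("SI:IP blocklist hit")
        return t
    t.stages.append("snort:ssl")
    # Encrypted payload stays opaque to IPS and file inspection unless decrypted.
    visible = not flow.tls or flow.dst_port in policy.decrypt_ports
    t.stages.append("snort:l7_acl")
    rule = next((r for r in policy.ac_rules if r[1] in (None, flow.dst_port)), None)
    if rule is None:
        t.verdict = "default-block"
        return t
    name, _, ips_enabled, file_enabled = rule
    t.stages.append(f"snort:ac_rule:{name}")
    if ips_enabled:                     # the matched rule's own intrusion policy
        t.stages.append("snort:ips")
        if visible and IPS_MARKER in flow.payload:
            t.events.append(f"IPS:{name} content match")
            t.verdict = "block"
            return t
    if file_enabled:                    # the matched rule's own file/AMP policy
        t.stages.append("snort:file_amp")
    t.stages.append("lina:egress")
    return t


def reached_ips(trace: Trace) -> bool:
    """True if the flow was ever handed to the intrusion engine."""
    return "snort:ips" in trace.stages


# Constructed policy.
POLICY = Policy(
    fastpath_ports={10000},
    si_blocklist={"203.0.113.9"},
    decrypt_ports={443},
    ac_rules=[("web", 443, True, True),
              ("backup-noinspect", 8443, False, False),
              ("any", None, True, False)],
)

if __name__ == "__main__":
    for f in (Flow("198.51.100.5", "192.0.2.10", 10000, IPS_MARKER),
              Flow("203.0.113.9", "192.0.2.10", 443, b"hello"),
              Flow("198.51.100.5", "192.0.2.10", 443, b"GET /" + IPS_MARKER, tls=True),
              Flow("198.51.100.5", "192.0.2.10", 8443, IPS_MARKER, tls=True),
              Flow("198.51.100.5", "192.0.2.10", 8080, IPS_MARKER, tls=True)):
        tr = process(f, POLICY)
        print(f"port {f.dst_port:5}: {tr.verdict:13} events={tr.events} path={tr.stages}")
```

The traces make the analysis point concrete: a fastpathed flow and a flow dropped by Security Intelligence produce no IPS events because the intrusion engine never saw them, and a TLS flow on an undecrypted port reaches the IPS stage yet cannot match on payload. An empty event list therefore only means "clean" when the trace shows the flow was actually inspected, which is what tuning the prefilter, SSL, and per-rule inspection settings controls.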