Pieter van Schaik & Gerard van Bon
Consulting System Engineers
Breakfast & Learn
Firepower NGFW
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• Introduction
• Appliances
• Management
• Deployment Options
• Threat Protection
• Integration
• Integrated Architecture
• Best-of-breed Portfolio
• Cloud-Delivered Intelligence
The Security Effectiveness Gap
The Outcome: Effective Security Posture
[Diagram: Threat, Detection and Response plotted against Time]
“Security controls are only as good as the breadth and quality of the threat intelligence behind them…”
“…the ability to apply threat intelligence correctly and at scale is the ‘magic of true protection’”
Unmatched Threat Visibility to Complete Protection
Daily Visibility, Real-time and At-Scale:
• 1.5 million Malware Samples
• 8.5 billion Email Queries
• 7 billion AMP Queries
• 2.6 billion CWS/WSA Queries
• 150 billion DNS Requests
Footprints: Network, Endpoint, Cloud
Sources: NGFW, NGIPS, AMP for Networks, Meraki, AMP for Endpoints, Email Security Appliance, Web Security Appliance, AMP for Gateways, Cisco Umbrella, Snort Subscription Rule Set, Firepower/ASA, Cloud Email Security, Cloud Web Security
Appliances
Cisco has an NGFW solution for every business…
Small and Midsized Business: ASA 5506-X / 5506W-X / 5506H-X / 5508-X / 5516-X; Firepower 2110/2120
• NGFWs for SMBs and distributed enterprises with integrated threat defense, a low TCO, and simplified security management.
Midrange: ASA 5525-X / ASA 5545-X / ASA 5555-X; Firepower 2130/2140
• Enterprise-class security for the internet edge, with superior threat defense, sustained performance, and simple management.
Enterprise: Firepower 4110/4120/4140/4150; Firepower 9300
• From the internet edge to carrier grade security for data centers and other high-performance settings, with multiservice security, flexible architecture, and unified management.
Cisco Firepower 2100 Appliances
• Firepower 2110: 1.9 Gbps AVC, 1.9 Gbps AVC+IPS
• Firepower 2120: 3 Gbps AVC, 3 Gbps AVC+IPS
• Firepower 2130: 4.75 Gbps AVC, 4.75 Gbps AVC+IPS
• Firepower 2140: 8.5 Gbps AVC, 8.5 Gbps AVC+IPS
Firepower 2100 (1RU)
Integrated Security Platform
• Fixed configurations (2110, 2120, 2130, 2140)
• Dual redundant power supplies on 2130 and 2140 only
• SSL Decryption in Hardware
SFP/SFP+ Data Interfaces
• 4x1GE on Firepower 2110 and 2120
• 4x10GE on Firepower 2130 and 2140
Network Module
• Firepower 2130 and 2140 only
• Same 8x10GE SFP module as on Firepower 4100/9300
• Fail to Wire Option
Copper Data Interfaces
• 12x1GE Ethernet
Cisco Firepower 4100 Appliances
• Firepower 4110: 12 Gbps AVC, 10 Gbps AVC+IPS
• Firepower 4120: 20 Gbps AVC, 15 Gbps AVC+IPS
• Firepower 4140: 25 Gbps AVC, 20 Gbps AVC+IPS
• Firepower 4150: 30 Gbps AVC, 24 Gbps AVC+IPS
Firepower 4100 Overview (1RU)
Built-in Supervisor and Security Module
• Application deployment and orchestration
• Dual PSU (Optional on 4110, 4120)
• SSL Decryption in Hardware
Solid State Drives
• Independent operation (no RAID)
• Slot 1 today provides limited AMP storage
• Slot 2 adds 400GB of AMP storage
Network Modules
• 2 Slots
• 10GE/40GE interchangeable with 9300
• Fail to Wire option
Fixed Data Interfaces
• 8xSFP+
Cisco Firepower 9300 Appliances
• Firepower 9300 with 1 SM24: 30 Gbps AVC, 24 Gbps AVC+IPS
• Firepower 9300 with 1 SM36: 42 Gbps AVC, 34 Gbps AVC+IPS
• Firepower 9300 with 1 SM44: 54 Gbps AVC, 53 Gbps AVC+IPS
• Firepower 9300 with 3 SM44: 135 Gbps AVC, 133 Gbps AVC+IPS
Firepower 9300 (3RU)
Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco and third-party applications
• Standalone or clustered within and across chassis
Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer
Network Modules
• 10GE, 40GE, and 100GE
• Hardware bypass for inline NGIPS
Virtual Appliances
Management
Management Options
Cisco Defense Orchestrator (CDO): cloud-based, upcoming
• Enables cloud-based policy management of multiple deployments
Firepower Management Center (FMC): centralized
• Enables comprehensive security administration and automation of multiple appliances
Firepower Device Manager (FDM): on-box
• Enables easy on-box management of common security and policy tasks
Firepower Management Center (FMC)
Manage across many sites • Control access and set policies • Investigate incidents • Prioritize response
• Centralized management for multi-site deployments
• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration
• NGIPS, Firewall & AVC, AMP, Security Intelligence
• Available in physical and virtual options
Firepower Device Manager (FDM)
Set up easily • Control access and set policies • Automate Configuration • Enhanced Control
• Integrated on-box option for single instance deployment
• Physical and virtual options
• Easy set-up
• NAT and Routing
• Role-based access control
• Intrusion and Malware prevention
• High availability
• Device monitoring
• VPN support
Cisco Defense Orchestrator (CDO)
Simplify security policy management in the cloud with Cisco Defense Orchestrator
• Plan and model security policy changes before deploying them across the cloud
• Deploy changes across virtual environments in real time or offline
• Receive notifications about any unplanned changes to security policies and objects
Functions:
• Device Onboarding (Import From Offline; Discover Direct From Device)
• Object & Policy Analysis
• Application, URL, Malware & Threat Policy Management
• Change Impact Modeling
• Security Templates
• Security Reports and Notifications
• Simple Search-Based Management
• Security Policy Management
Deployment Options
Active/Standby Failover
[Diagram: Active (A) and Standby (S) units between Inside and Outside]
Clustering
• Link Scalability: increase throughput
• Distributed Plan: handle more connections
• Inter-site Clustering: combine multiple individual firewalls and manage as one (Location A, Location B)
FTD Deployment Modes
FTD is both NGFW and NGIPS on different network interfaces
• NGFW inherits operational modes from ASA and adds FirePOWER features
• NGIPS operates as standalone FirePOWER with limited ASA data plane functionality
NGIPS modes:
• Inline (Eth1/1, Eth1/2)
• Inline Tap (Eth1/1, Eth1/2)
• Passive (Eth1/1)
NGFW modes:
• Routed (inside, outside, DMZ; e.g. 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24)
• Transparent (inside, outside, DMZ; one subnet, e.g. 10.1.1.0/24)
• Integrated Routing and Bridging (inside, outside, DMZ; e.g. 10.1.1.0/24, 10.1.2.0/24)
Multi-Instance for true Multi-Tenancy
• Firepower 4100 and 9300 only
• Instantiate multiple logical devices on a single module or appliance
• Complete traffic processing and management separation
• CPU/memory/disk resources are dedicated to an instance at provisioning
• Physical and logical interface and VLAN separation at Supervisor
[Diagram: Supervisor distributing Network 1–4 and Internet to instances MI1, MI2, MI3, …]
Security Intelligence
IP Security Intelligence
• IP SI drops packets based on lists of malicious IP addresses
• SI drops packets at the IP level without higher-layer inspection
• Whitelist overrides Blacklist
URL Security Intelligence
• URL SI is independent from Access Control URL rules
• Blocks lists of malicious domains
• Matches the HTTP GET or TLS Client Hello
DNS Security Intelligence
DNS SI performs a “Man in the Middle” of DNS queries
Option 1:
• Alter DNS response to NXDOMAIN (domain not found)
Option 2:
• Alter DNS response to inject a Sinkhole server IP address
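To make the two DNS SI options concrete, the following added example (not Cisco code, and not how FTD implements it internally) builds a client query and shows the two forged responses a sensor could return for a listed domain: an NXDOMAIN answer, or an A record pointing at a sinkhole. The blocked-domain list, the query and the sinkhole address 192.0.2.53 are constructed for the example; anything a sub-domain of a listed name also matches, which is the behaviour you want from a domain feed.

```python
"""Added example: DNS Security Intelligence responses (NXDOMAIN or sinkhole).
Not Cisco code; the list, query and sinkhole IP below are constructed."""
import struct
import ipaddress

DNS_BLOCKLIST = {"malicious.example", "evil.example"}   # constructed SI list
SINKHOLE_IP = "192.0.2.53"                                # constructed sinkhole


def encode_name(name):
    """Dotted name -> DNS label wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(pkt, offset):
    """Decode a (possibly compressed) name; return (name, offset after the name field)."""
    labels, end, jumped = [], offset, False
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(qid, name, qtype=1):
    """Constructed client query: standard query, RD set, one question."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def is_listed(name, blocklist):
    """The queried name or any parent domain is on the list."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def dns_si_response(query, blocklist=DNS_BLOCKLIST, sinkhole=None):
    """Forged response for a listed name, or None to let the query through.
    sinkhole=None is option 1 (NXDOMAIN); an IPv4 address is option 2."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, qend = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[qend:qend + 4])
    if not is_listed(qname, blocklist):
        return None
    question, rd = query[12:qend + 4], flags & 0x0100
    if sinkhole is None or qtype != 1:
        # QR=1, RA=1, RCODE=3 (NXDOMAIN); the client's RD bit is echoed back
        return struct.pack("!HHHHHH", qid, 0x8080 | rd | 3, 1, 0, 0, 0) + question
    # QR=1, RA=1, NOERROR, one A answer whose name is a pointer to the question (0xC00C)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ipaddress.IPv4Address(sinkhole).packed
    return struct.pack("!HHHHHH", qid, 0x8080 | rd, 1, 1, 0, 0) + question + answer


def summarize(response):
    """Decode id, rcode and A answers, i.e. what the client would see."""
    qid, flags, _qd, an = struct.unpack("!HHHH", response[:8])
    _, off = decode_name(response, 12)
    off += 4                                            # skip qtype/qclass
    addrs = []
    for _ in range(an):
        _, off = decode_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1:
            addrs.append(str(ipaddress.IPv4Address(response[off:off + rdlen])))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x000F, "answers": addrs}


if __name__ == "__main__":
    q = build_query(0x1234, "c2.malicious.example")
    print(summarize(dns_si_response(q)))                        # option 1: rcode 3
    print(summarize(dns_si_response(q, sinkhole=SINKHOLE_IP)))  # option 2: sinkhole A
    print(dns_si_response(build_query(1, "www.example.com")))   # None: not listed
```

The sinkhole variant is the more useful of the two for detection: an NXDOMAIN stops the resolution, but a sinkhole address lets the sensor see which internal host subsequently connects to it, which is the client that actually wanted the listed domain.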
Cisco Threat Intelligence Director
Integrate third-party security intelligence
• Ingest Security Intelligence (STIX, CSV) into Threat Intelligence Director on the Firepower Management Center
• Ingest Observables and Events from Cisco Security Sensors: Firepower NGFW, FirePOWER NGIPS, AMP
• Correlate Observations
• Generate Rich Incident Reports
• Refine Security Posture
…but an efficient, effective security practice requires more.
Visibility
Know Your Network
• Server Apps
• Network
• Operating Systems
• Users
• Files
• Client Apps
Understand Its Weakness
• Server Apps
• Network
• Operating Systems
• Users
• Files
• Client Apps
• Vulnerabilities
And Then Protect It
• Server Apps
• Network
• Operating Systems
• Users
• Files
• Client Apps
• Vulnerabilities
• Malware
• Intrusion Events
• Policy Violations
• Threat Intel
Host Profile
Server, Service, Port
Applications
Next Gen IPS
Impact Flags
Impact 0: General info†† (Why: event occurred outside profiled networks)
Impact 4: Good information, host is currently not known (Why: previously unseen host within monitored network)
Impact 3: Good information, event may not have connected (Why: relevant port not open or protocol not in use)
Impact 2: Worth investigation. Host exposed. (Why: relevant port or protocol in use but no vulnerability mapped)
Impact 1: Act immediately. Host vulnerable or compromised. (Why: host vulnerable to attack or showing an IOC)
†† If you have a fully profiled network this may be a critical event!
Impact Flag = Intrusion Event correlated with Host Profile
Intrusion Event fields: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, Snort ID, IOC (Predefined Impact)
Host Profile fields: [Outside Profile Range], [Host not yet profiled], IP Address, Protocols, Server Side Ports, Client Side Ports, User IDs, Potential Vulnerabilities (CVE), Services, Client / Server Apps, Operating System
Focus on a Host's Real Issues
• Impact 1
• Impact 2
• CNC Connected Events
• Threat detected in file transfer
• Look for Malware Executed
• Dropper Infection
• Shell Code Executed
Let’s see what these 63 events are all about.
THEME: Start with what is compromised first.
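The impact-flag table and the “start with what is compromised first” theme describe one decision procedure, so here it is written out as an added example (not Cisco code, and not FMC's actual implementation): each intrusion event is correlated with the host profile of its destination to assign impact 0 to 4, and a triage step orders the events so that impact 1 surfaces first. The profiled network, the host records, the event records and the `CVE-EXAMPLE-*` identifiers are all constructed for the example; the field names of the records are assumptions.

```python
"""Added example: impact-flag assignment from event/host-profile correlation.
Not Cisco code; networks, hosts, events and CVE-EXAMPLE-* ids are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    ip: str
    server_ports: dict = field(default_factory=dict)   # {(proto, port): service}
    protocols: set = field(default_factory=set)        # protocols seen on the host
    vulns: set = field(default_factory=set)            # vulnerability ids mapped to the host
    iocs: set = field(default_factory=set)             # IOC tags currently set on the host


@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int
    snort_id: int
    cves: frozenset = frozenset()   # vulnerabilities the Snort rule is mapped to


# Constructed "profiled" network and host profiles (as network discovery would build them)
PROFILED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", {("tcp", 80): "http", ("tcp", 22): "ssh"},
                             {"tcp"}, {"CVE-EXAMPLE-0001"}),
    "10.1.1.20": HostProfile("10.1.1.20", {("tcp", 443): "https"}, {"tcp"}, set(),
                             iocs={"Malware Executed"}),
    "10.1.1.30": HostProfile("10.1.1.30", {("udp", 53): "dns"}, {"udp"}, set()),
}

ACTIONS = {
    0: "General info: event outside profiled networks",
    1: "Act immediately: host vulnerable or compromised",
    2: "Worth investigation: host exposed",
    3: "Good information: event may not have connected",
    4: "Good information: host is currently not known",
}


def impact_flag(event, hosts=HOSTS, networks=PROFILED_NETWORKS):
    """Impact flag (0-4) for one intrusion event, following the slide's table."""
    ip = ipaddress.ip_address(event.dst_ip)
    if not any(ip in net for net in networks):
        return 0                                        # outside profiled networks
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                        # previously unseen host
    if host.iocs or (event.cves & host.vulns):
        return 1                                        # vulnerable or showing an IOC
    proto = event.proto.lower()
    if proto not in host.protocols or (proto, event.dst_port) not in host.server_ports:
        return 3                                        # port not open / protocol not in use
    return 2                                            # port in use, no vulnerability mapped


def triage(events, **kw):
    """Order events the way the slide recommends: impact 1, then 2, 3, 4, and 0 last."""
    rank = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    flagged = [(impact_flag(e, **kw), e) for e in events]
    return sorted(flagged, key=lambda fe: (rank[fe[0]], fe[1].dst_ip))


# Constructed events: one per impact level, plus an IOC-driven impact 1
SAMPLE_EVENTS = [
    IntrusionEvent("10.1.1.10", "tcp", 445, 1002),                                   # 3
    IntrusionEvent("10.1.1.30", "udp", 53, 1003),                                    # 2
    IntrusionEvent("10.1.1.99", "tcp", 80, 1001),                                    # 4
    IntrusionEvent("192.0.2.7", "tcp", 80, 1001),                                    # 0
    IntrusionEvent("10.1.1.10", "tcp", 80, 1001, frozenset({"CVE-EXAMPLE-0001"})),   # 1
    IntrusionEvent("10.1.1.20", "tcp", 443, 1004),                                   # 1 (IOC)
]

if __name__ == "__main__":
    for flag, ev in triage(SAMPLE_EVENTS):
        print(f"impact {flag}  {ev.dst_ip}:{ev.dst_port}/{ev.proto}  sid {ev.snort_id}  {ACTIONS[flag]}")
```

The ordering in `impact_flag` matters: an IOC or a matching mapped vulnerability is checked before the port check, because a host already tagged as compromised deserves impact 1 even when the specific event hit a closed port.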
Auto Tuning of Signatures
Correlation Rules / Correlation Policy
• Automate Security Decisions
• Track Business Outcome
• Trigger Automated Response
Correlation Policy → Correlation Rule → Correlation Event → Action (Syslog, SNMP, Remediation Module)
Event funnel shown on the slide: 100,000 events → 5,000 events → 500 events → 100 events → 20 events → 10 events → 3 events
Advanced Malware Protection
Multiple File Engines
• Reputation Lookup
• Spero Analysis
• Dynamic Analysis
• Local Malware Engine
An unknown file is present on IP 10.4.10.183, having been downloaded via Firefox.
At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
Seven hours later the file is then transferred to a third device (10.3.4.51) via SMB.
The file is copied yet again onto a fourth device (10.5.60.66) via SMB a half hour later.
The Cisco AMP Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
Threat Grid as Information for File Behavior
Application Visibility and Control
Application Visibility and Control
• Support for 6834+ applications and detectors
• Applications are grouped according to:
  • Risk
  • Business relevance
  • Types, categories and tags
• User-Created Filters
• OpenAppID
Custom Applications
Integration
pxGrid, ISE and DNA SDA
Software-Defined Segmentation: easily classify endpoint devices and use group-based policies in NGFWs and the network
[Diagram: endpoints classified into Security Group Tags: Guest 1–4 (SGT_Guest), Employee 1–4 (SGT_Employee), Fin 1–2 (SGT_FinanceServer), Printer 1–2 (SGT_Printers), temperature and surveillance devices (SGT_Building Management)]
DNA Center SD-access with SGT tagging
[Diagram: Cisco DNA Center and Cisco ISE push fabric policies (source/destination groups such as Employees, Production, Contractors, Development; e.g. DENY Employees → Contractors) to the fabric nodes via API policy download]
Policy Matrix (SGACL) in ISE
Enforcement for destination Servers (SGT: 10):
permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
permit tcp dst eq 3804 log
permit tcp dst eq 8443 log
permit tcp dst eq 8191 log
permit tcp dst eq 5222 log
permit tcp dst eq 37200 log
permit tcp dst eq 443 log
permit tcp dst eq 2748 log
permit tcp dst eq 5060 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log
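The SGACL above is evaluated top-down with the first matching line deciding, so a cell's real effect is best verified by replaying flows against it. The following added example (not Cisco code, and not how ISE or the fabric nodes process SGACLs) parses exactly the ACE syntax shown on the slide, evaluates sample flows, and flags any ACE that an earlier line already fully covers, which is how a misplaced `deny ip` silently disables the permits below it. The sample flows are constructed.

```python
"""Added example: first-match evaluation and shadowing check for the SGACL on the slide.
Not Cisco code; parses only permit/deny, tcp/udp/ip, 'dst eq', 'dst range' and 'log'."""
from dataclasses import dataclass

# The SGACL text as shown on the slide (destination Servers, SGT 10)
SGACL_TEXT = """\
permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
permit tcp dst eq 3804 log
permit tcp dst eq 8443 log
permit tcp dst eq 8191 log
permit tcp dst eq 5222 log
permit tcp dst eq 37200 log
permit tcp dst eq 443 log
permit tcp dst eq 2748 log
permit tcp dst eq 5060 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log
"""


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip" (any protocol)
    lo: int       # inclusive destination-port range; (0, 65535) means any port
    hi: int
    log: bool


def parse_sgacl(text):
    """Parse the slide's SGACL syntax into an ordered list of ACEs."""
    aces = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
            raise ValueError(f"line {lineno}: unsupported ACE {raw!r}")
        log = rest[-1:] == ["log"]
        if log:
            rest = rest[:-1]
        lo, hi = 0, 65535
        if rest[:2] == ["dst", "eq"] and len(rest) == 3:
            lo = hi = int(rest[2])
        elif rest[:2] == ["dst", "range"] and len(rest) == 4:
            lo, hi = int(rest[2]), int(rest[3])
        elif rest:
            raise ValueError(f"line {lineno}: unsupported match {raw!r}")
        aces.append(Ace(action, proto, lo, hi, log))
    return aces


def evaluate(aces, proto, dst_port):
    """First matching ACE decides; falls back to implicit deny."""
    for ace in aces:
        if ace.proto in ("ip", proto) and ace.lo <= dst_port <= ace.hi:
            return ace.action, ace
    return "deny", None


def shadowed(aces):
    """ACEs that can never match because an earlier ACE covers them completely."""
    out = []
    for i, ace in enumerate(aces):
        for earlier in aces[:i]:
            if earlier.proto in ("ip", ace.proto) and earlier.lo <= ace.lo and ace.hi <= earlier.hi:
                out.append(ace)
                break
    return out


SERVERS_SGACL = parse_sgacl(SGACL_TEXT)


def check(proto, dst_port):
    """Decision for one constructed flow toward the Servers group."""
    return evaluate(SERVERS_SGACL, proto, dst_port)[0]


if __name__ == "__main__":
    for flow in [("tcp", 443), ("tcp", 35000), ("udp", 6000), ("tcp", 22), ("udp", 443)]:
        print(flow, "->", check(*flow))
    print("shadowed ACEs:", shadowed(SERVERS_SGACL))
```

Note that `udp 443` is denied even though `tcp 443` is permitted: every `eq` line on the slide is protocol-specific, and the final `deny ip log` catches everything else, so each permitted service has to be listed per protocol.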
Give the Right People on the Right Devices the Right Access to the Right Resources with Cisco SGT
[Diagram: resources Internet, Confidential Student Records, Internal Student Intranet; identities Who: Guest / What: iPad / Where: Office; Who: Student / What: iPad / Where: Campus; Who: Employee / What: Laptop / Where: Office]
• Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users, and assets
Cisco Digital Network Architecture (DNA): SDA Fabric Roles & Terminology
• DNA Center (DNAC, formerly APIC-EM)
• Identity Services (ISE)
• Fabric Border Nodes (B)
• Fabric Edge Nodes
• Control-Plane Nodes (C)
• Fabric Wireless Controller
• Fusion FW (between the SDA fabric and the Internet / DC)
• Virtual networks (VN)
Firepower policies based on ISE attributes
Threat Containment via pxGrid: FMC-Firepower ‘Access Control Policies’ based on ISE Attributes (SGT, Device-type and Endpoint Location)
AMP for Endpoints event to FMC
AMP for Endpoints
Point-in-Time Detection – Plan A (all prevention < 100%)
• File Reputation & Sandboxing
• Dynamic Analysis
• Machine Learning
• Fuzzy Fingerprinting
• Advanced Analytics
• One-to-One Signature
• Exploit Prevention
• Heuristic Engine
Retrospective Security – Plan B (unique to AMP: Continuous Analysis & Retrospective Security)
• Indications of Compromise
• Device Flow Correlation
• Is there a breach and what happened?
• Where did the malware come from and where has it been?
AMP for Endpoints breach research
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2890
AMP Unity: Enhanced Operational Visibility and Control
AMP Event sharing between Endpoints and Network
Systems Security Team (AMP for Endpoints):
• Consolidation of connector events in AMP Console
• Visibility into the threat vector
• A4E Policy Management
Network Security Team (Firepower (FMC), Cisco ESA & WSA, via FMC Event Sync):
• Visibility into AMP Events at the Endpoint
AMP Unity
AMP for Endpoints
• Manages for Endpoints: Endpoint Policies, Black & White Lists, Exclusions
• Provides for Endpoints: Device Trajectories, File Trajectories, Retrospection
Firepower (FMC)
• Manages for Network: Network Policies, Black & White Lists
• Provides for Network: File Trajectories, Retrospection
Cisco ESA & WSA
• Manages for Content: Content Policies, Black & White Lists
• Provides for Content: File Trajectories, Retrospection
Integrating Connectors into AMP Cloud: Firepower via FMC
• Register Firepower Management Center (FMC) with AMP Cloud (A4E portal)
• Firepower will show data for all sensors
• AMP for Endpoints ID identifies the device in AMP Console
AMP Unity – Full Visibility into the Threat Vector
First, it traversed the Firepower NGFW
Then it was observed on the Email Security Solution
And finally stored on the Endpoint
Vulnerability information to FMC
Host Profiles (BRKSEC-3328)
• Automatically built from Network Discovery
• Container for Context about the Devices on your network
• User Customizable
• Provide better data and context through the Host Input API
Host Input API
• Uses either FMC Command Line or a Host Input Client
• Allows 3rd Party Vulnerability data to be mapped for Impact Correlation & Firepower Recommendations
• Import additional data, such as OS Information or Custom Attributes
Host Input Client example: nmimport.pl
Vulnerable Software in AMP for Endpoints
Import Vuln Data from AMP 4 Endpoints (AMP Cloud → FMC) (BRKSEC-2058)
Rapid Threat Containment: ISE pxGrid and FMC
Rapid Threat Containment with Firepower Management Center and ISE (BRKSEC-3557)
[Diagram: NGFW between i-Net/WWW and the campus; FMC, ISE MnT, wireless Controller]
1. Security Events / IOCs Reported (NGFW → FMC)
2. Correlation Rules Trigger Remediation Action (FMC)
3. pxGrid EPS Action: Quarantine + Re-Auth (FMC → ISE)
4. Endpoint Assigned Quarantine + CoA-Reauth Sent (ISE → network access device)
RTC with AMP, FMC and ISE
[Diagram: same components as above, with the threat reported by AMP]
1. Threat / IOCs Reported (AMP → FMC)
2. Correlation Rules Trigger Remediation Action (FMC)
3. pxGrid EPS Action: Quarantine + Re-Auth (FMC → ISE)
4. Endpoint Assigned Quarantine + CoA-Reauth Sent (ISE → network access device)
Threat Containment: FMC Correlation Rule
• Malware Events: Network, Endpoint, Retrospection
• Endpoint Malware: General Event from AMP for Endpoints Cloud
• Endpoint Malware: Specific Events from AMP for Endpoints Cloud
Threat Containment: The Remediation
• Quarantine: remediation that triggers EPS Quarantine via ISE pxGrid
Cisco Threat Intelligence Director (CTID)
• Uses customer CTI to identify threats using sophisticated correlation across Firepower NGFW/AMP
• Automatically blocks supported indicators on Cisco NGFW using added context from intelligence sources
• Provides a single integration point for all STIX and CSV intelligence sources
Cisco Threat Intelligence Director (CTID): Target Customer and Third Parties
Targeted at:
• Security Buyers with Cisco Firepower/AMP
• Financial Institutions/FS-ISAC who are mandated to ingest and share CTI in STIX and TAXII
• Enterprises with mature security programs that have made the investment into intelligence sources
Third parties using CTID:
• Intelligence Vendors: AlienVault, Crowdstrike, FireEye/iSIGHT Partners, Flashpoint, Symantec DeepSight
• Threat Intelligence Platforms (TIP) Vendors: Anomali, EclecticIQ, Lookingglass, ThreatConnect, ThreatQuotient
Note: These are the tested third parties. The architecture supports any third party that provides indicators in STIX or flat file format.
Cisco Threat Intelligence Director (FMC)
Step 1: Ingest third-party Cyber Threat Intelligence indicators
Step 2: Publish observables to sensors (NGFW / NGIPS)
Step 3: Detect and alert (Block or Monitor) to create incidents
Cisco Threat Response
Threat Hunting with CTR
Threat Intelligence (Talos or other intel sources): what do you know about these observables (IP, Hash, URL, etc.)?
Threat Response automatically queries Cisco Security & 3rd party products via APIs to enrich investigation: AMP, Threat Grid, Umbrella, SMA, TALOS, VirusTotal, StealthWatch, NGFW (Eventing Service, FMC)
Threat Investigation:
• Have we seen these observables?
• Which end-points interacted with the threat?