Mateusz Pastewski [email protected] Security Account Manager Software and Management 15/03/2016

Page 1: Software and Management - Cisco

Mateusz Pastewski

[email protected]

Security Account Manager

Software and Management

15/03/2016

Page 2: Software and Management - Cisco

Cisco Confidential 2© 2015 Cisco and/or its affiliates. All rights reserved.

Agenda

- Disclaimer

- Evolution of Cisco ASA with Firepower

- What is Firepower Threat Defense (FTD)?

- Firepower 6.0 features

- Firepower 4100

Page 3: Software and Management - Cisco

Disclaimer

The purpose of this presentation is to show Firepower 6.0.1, which is already "around the corner".

The presentation will not show product roadmaps; if that knowledge is required in the projects you are currently running, please contact us directly.

Page 4: Software and Management - Cisco

Firepower Evolution

- Oct '13: FirePOWER Appliances and ASA 5500-X
- Sept '14: FirePOWER Services on ASA 5500-X
- Oct '15: Firepower Threat Defense for ASA 5500-X*, new appliances and virtual platforms (Customer Preview only)

*Excludes 5585-X

Page 5: Software and Management - Cisco

Firepower Threat Defense – Delivery Phases

- November 2015: Customer Preview, v6.0
- March 2016: General Availability, v6.0.1
- Roadmap: ASA feature parity (key features), v6.x

Page 6: Software and Management - Cisco

Relevant Terminology

- Firepower Threat Defense (FTD): unified codebase software image
- Firepower 4100 Series and 9300 Appliances: brand for new hardware product offerings; can run FTD or ASA
- "Firepower Next-Generation Firewall (NGFW)": FTD + hardware appliance
- Firepower Management Center: formerly FireSIGHT; unified manager for NGFW, NGIPS, AMP, FirePOWER on ISR
- ASA with FirePOWER Services: two managers, full firewall feature set

Page 7: Software and Management - Cisco


Introducing Firepower 6.0.1

Page 8: Software and Management - Cisco

Converged Software – Firepower Threat Defense

New features (FirePOWER + ASA):

- Customer Preview Program beginning in November 2015
- New converged software image: Firepower Threat Defense
- Contains all Firepower Services plus select ASA capabilities
- Single manager: Firepower Management Center*
- Same subscriptions as FirePOWER Services, enabled by Smart Licensing: Threat (IPS + SI + DNS), Malware (AMP + ThreatGrid), URL Filtering

* Also manages Firepower Appliances, Firepower Services (not ASA Software)

Page 9: Software and Management - Cisco

Platforms Supporting Firepower 6.0

- FirePOWER Services on ASA 5500-X
- FirePOWER 7000 / 8000 / NGIPSv
- Firepower Threat Defense on ASA 5500-X*, Firepower 9300, VMware and AWS (Customer Preview for 6.0)

*Excludes 5585-X

All** managed by Firepower Management Center 6.0

**Does not manage ASA software

Page 10: Software and Management - Cisco

Firepower 6.0.1 Software Support by Platform

Platform                                | Firepower Threat Defense | Firepower NGIPS | Firepower Services on ASA
Old (Series 2) FirePOWER Appliances     | ✗                        | ✗               | ✗
FirePOWER 7000 Series                   | ✗                        | ✓               | ✗
FirePOWER 8000 Series                   | ✗                        | ✓               | ✗
ASA Low-end (5506/08/16)                | ✓ (reimage)              | ✗               | ✓
ASA Mid-Range (5512/15/25/45/55)        | ✓ (reimage)              | ✗               | ✓
ASA High-end (5585 SSP-10/20/40/60)     | ✗                        | ✗               | ✓
Firepower 9300 (SSP 3RU - SM-24/36)     | ✓                        | ✗               | ✗
VMware                                  | ✓                        | ✓               | ✗
AWS                                     | ✓                        | ✗               | ✗

Page 11: Software and Management - Cisco

Firepower 6.0 on ASA – Upgrade vs Re-Image: Choose Firepower Services or Firepower Threat Defense

Firepower Software on ASA Platforms

- Starting point: Firepower Services 5.4 + ASA 9.5.x
  - Upgrade: Firepower Services 6.0 + ASA 9.5.x*
  - Re-Image: Firepower Threat Defense (Customer Preview)

*Firepower Services 6.0 compatible ASA version required

Page 12: Software and Management - Cisco

Installing Firepower Threat Defense - Customer Preview

1. Management Center: upgrade/install FireSIGHT 5.4 to Firepower Management Center 6.0*
2. Smart License: register Firepower Management Center 6.0 with Cisco Smart Software Manager
3. Firepower Services on ASA (Firepower 5.4, ASA 9.4.x): reimage to Firepower Threat Defense and register it with Firepower Management Center 6.0

Page 13: Software and Management - Cisco

New Capabilities in Firepower Threat Defense 6.0

Only in Firepower Threat Defense – Network Firewall:
- Unified ASA & Firepower Rules
- Unified ASA & Firepower Objects
- Transparent & Routed Deployment
- ASA NAT (Dynamic & Static)
- ASA Routing: OSPF, BGP, RIP, Static (no EIGRP or Multicast)
- ASA SYN Cookies / Anti-Spoofing
- ASA ALGs (fixed configuration)

Common across Firepower platforms – Threat Innovation:
- DNS Inspection and Sink-holing
- URL-based Security Intelligence
- SSL Decryption
- ThreatGRID Analysis & Intelligence
- OpenAppID Application Detectors
- Captive Portal and Active Auth
- File Property Analysis and Local Malware Checks

Common across Firepower platforms – Enterprise Management:
- ISE Identity/Device/SGT in Policy
- Domains with Role-Based Access
- Policy Hierarchy with Inheritance

Page 14: Software and Management - Cisco

What features are available?

- Everything from Firepower 6.0
- Phased introduction of features from ASA

FTD 6.0.1:
- IPv4 and IPv6 connection state tracking and TCP normalization
- Access Control
- NAT (full support)
- Unicast Routing (except EIGRP)
- ALGs (only default configuration)
- Intra-chassis Clustering on Firepower 9300
- Stateful Failover (HA)

Page 15: Software and Management - Cisco


Firepower Threat Defense Architecture

Page 16: Software and Management - Cisco

Advantages of Firepower Threat Defense

In the FirePOWER Services on ASA model (ASA + FirePOWER, managed by CSM + FireSIGHT):

- 2 images need to be deployed
- 2 OSs running on the same hardware
- Packet traverses virtual machine boundaries
- Functionality is duplicated
- 2 management applications

Page 17: Software and Management - Cisco

Firepower Threat Defense

New Next Generation Firewall offering:

- Brings together the best features from ASA and Firepower, all under one OS
- Zero-copy packet inspection
- No functionality will be duplicated*
- Single management application

Firepower Threat Defense = L2-L4 inspections (ASA technology) + advanced inspections (FirePOWER technology), managed by Firepower Management Center

Page 18: Software and Management - Cisco

Deployment Modes

Basic deployment modes: firewall modes
- Routed
- Transparent

Other interface modes: IPS/IDS modes
- Inline
- Inline Tap
- Passive

Page 19: Software and Management - Cisco

Unified Access Control Policies

Access policies are broken down into 2 sets of rules:

- Advanced ACLs – evaluate L2–L4 attributes and give a verdict: Permit, Deny, Trust
- NGFW ACLs – evaluate L7 attributes: Allow, Block, Trust
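To make the two-stage model concrete, here is an added Python illustration (not Cisco code and not from the slide deck) of a flow being evaluated first against L2–L4 rules and then, only when permitted, against L7 rules. Beyond what the slide states it assumes that a Trust verdict allows the flow and skips the remaining inspection, and that a flow matching no rule in a stage gets that stage's default verdict (Deny for L2–L4, Block for L7); the rule classes, addresses and sample policy are constructed for the example.

```python
"""Two-stage access control evaluation: added illustration, not Cisco code.

Assumptions beyond the slide: 'Trust' in either stage allows the flow and
skips further inspection; rules are first-match top-down; a stage with no
match applies its default verdict (Deny for L2-L4, Block for L7).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp" / "udp"
    dport: int
    app: Optional[str] = None  # L7 attribute, e.g. "http"
    url: Optional[str] = None  # L7 attribute


@dataclass
class L4Rule:
    """'Advanced ACL' entry: L2-L4 attributes only."""
    action: str                # Permit | Deny | Trust
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


@dataclass
class L7Rule:
    """'NGFW ACL' entry: L7 attributes."""
    action: str                # Allow | Block | Trust
    app: Optional[str] = None
    url_contains: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return ((self.app is None or self.app == f.app)
                and (self.url_contains is None
                     or (f.url is not None and self.url_contains in f.url)))


def first_match(rules, flow: Flow, default: str) -> str:
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


def evaluate(flow: Flow, l4_rules: List[L4Rule], l7_rules: List[L7Rule]) -> Tuple[str, str]:
    """Return (final verdict, stage that decided it)."""
    v4 = first_match(l4_rules, flow, "Deny")
    if v4 == "Deny":
        return "Deny", "L2-L4"
    if v4 == "Trust":
        return "Trust", "L2-L4"        # trusted flows bypass L7 inspection
    v7 = first_match(l7_rules, flow, "Block")
    return v7, "L7"


# Constructed sample policy (documentation address ranges, hypothetical intent)
L4_POLICY = [
    L4Rule("Deny", src="10.0.0.0/8", dst="10.10.99.0/24"),                         # quarantine segment
    L4Rule("Trust", src="10.0.0.0/8", dst="192.0.2.10/32", proto="udp", dport=514),  # syslog, skip L7
    L4Rule("Permit", src="10.0.0.0/8", proto="tcp", dport=443),
    L4Rule("Permit", src="10.0.0.0/8", proto="tcp", dport=80),
]
L7_POLICY = [
    L7Rule("Block", url_contains="malware.example"),
    L7Rule("Allow", app="http"),
    L7Rule("Allow", app="https"),
]


def verdict(flow: Flow) -> Tuple[str, str]:
    return evaluate(flow, L4_POLICY, L7_POLICY)


if __name__ == "__main__":
    for f in (Flow("10.1.1.5", "10.10.99.7", "tcp", 80, app="http"),
              Flow("10.1.1.5", "192.0.2.10", "udp", 514),
              Flow("10.1.1.5", "198.51.100.3", "tcp", 80, app="http", url="http://malware.example/x"),
              Flow("10.1.1.5", "198.51.100.3", "tcp", 443, app="https"),
              Flow("10.1.1.5", "198.51.100.3", "tcp", 22, app="ssh")):
        print(f, "->", verdict(f))
```

The point the two stages make for operations: an L2–L4 Deny or Trust is final and the L7 engine never sees the flow, so a broad Trust rule (here, syslog to the collector) is also a blind spot for URL and malware inspection and should be scoped as tightly as the example's /32 destination.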

Page 20: Software and Management - Cisco

Firepower Management Center 6.0: Overview

- Only manager required for Firepower Threat Defense
- Added functionality to manage the features brought in from ASA
- Can also manage Firepower appliance and services deployments
- Unified policy management for Firepower appliances/services and Firepower Threat Defense
- Enhanced configuration management built on tested technology

Page 21: Software and Management - Cisco

Firepower Management Center: Configuration deployment

Firepower Management Center 6.0 to Firepower Threat Defense 6.0 (L2-L4 inspections and advanced inspections), via the Config Dispatcher and Config Comms Manager:
1. Notify
2. Download
3. Parse
4. Install

FireSIGHT 5.4 to FirePOWER 5.4:
1. Connect
2. Download update / Execute scripts

Page 22: Software and Management - Cisco


Objects Configuration

Objects in 5.4

Objects in 6.0

Page 23: Software and Management - Cisco


Routing Configuration

Page 24: Software and Management - Cisco


NAT configuration

Page 25: Software and Management - Cisco


Access policy configuration

Page 26: Software and Management - Cisco


Firepower Threat Defense Feature Deep Dive: Management Domains

Page 27: Software and Management - Cisco

Multi-Tenancy through Domains and Multiple Network Maps

Use cases:
- Large Enterprises
- MSSP

Benefits:
- Segmentation
- Granular RBAC
- Overlapping IP Addresses
- Maintaining Privacy

Page 28: Software and Management - Cisco

Domain Overview

- Supports up to 50 domains and 3 levels
- Available for all platforms running 6.0

Example hierarchy on the slide (levels 1–3): UK, USA, INDIA, with UK/London and UK/Oxford beneath UK

Page 29: Software and Management - Cisco

Domain Feature Coverage

Domain-aware features – allows segmented user access for:
• Analysis
• Devices (at leaf level)
• Objects
• Policies
• AMP
• Health
• System
• Events
• Network map

Global features:
• System
  • Local Configuration
  • High Availability
  • System Policies
  • Updates
  • Licenses
• Management System Monitoring
  • Syslog
  • Statistics
• Tools
  • Backup/Restore
  • Data Purge
• ThreatGrid Analysis*

* Will be made domain aware in future release
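The domain slides above (multi-tenancy, the 50-domain / 3-level limit, devices at leaf level, role-based access) and the "Policy Hierarchy with Inheritance" capability listed earlier can be modelled together. The following Python is an added illustration, not Firepower Management Center code: it enforces the limits the slides state and adds two assumptions the slides do not spell out, namely that a user assigned to a domain sees the devices of that domain and everything beneath it, and that a child domain's effective policy is its ancestors' rules followed by its own. The root name "Global", the rule strings and the device names are constructed for the example.

```python
"""Management domain hierarchy: added illustration, not FMC code.

Encodes the limits the slides state (3 levels, 50 domains, devices only at
leaf domains) plus two assumptions: a user assigned to a domain sees that
domain and everything beneath it, and a child domain's effective policy is
its ancestors' rules followed by its own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_LEVELS = 3
MAX_DOMAINS = 50


@dataclass
class Domain:
    name: str
    parent: Optional["Domain"] = None
    children: List["Domain"] = field(default_factory=list)
    devices: List[str] = field(default_factory=list)
    rules: List[str] = field(default_factory=list)   # policy rules defined at this domain

    @property
    def level(self) -> int:
        return 1 if self.parent is None else self.parent.level + 1

    @property
    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path}/{self.name}"


class DomainTree:
    def __init__(self, root_name: str):
        self.root = Domain(root_name)
        self.index: Dict[str, Domain] = {self.root.path: self.root}

    def add(self, parent_path: str, name: str) -> Domain:
        parent = self.index[parent_path]
        if parent.level + 1 > MAX_LEVELS:
            raise ValueError(f"{parent_path}/{name} would exceed {MAX_LEVELS} levels")
        if len(self.index) + 1 > MAX_DOMAINS:
            raise ValueError(f"more than {MAX_DOMAINS} domains")
        if parent.devices:
            raise ValueError(f"{parent_path} holds devices, so it is a leaf and cannot get sub-domains")
        d = Domain(name, parent)
        parent.children.append(d)
        self.index[d.path] = d
        return d

    def register_device(self, path: str, device: str) -> None:
        d = self.index[path]
        if d.children:
            raise ValueError(f"{path} is not a leaf domain; devices register at leaf level")
        d.devices.append(device)

    def visible_devices(self, user_domain: str) -> List[str]:
        """RBAC scope: a user in a domain sees devices in it and its descendants."""
        out: List[str] = []
        stack = [self.index[user_domain]]
        while stack:
            d = stack.pop()
            out.extend(f"{d.path}:{dev}" for dev in d.devices)
            stack.extend(reversed(d.children))
        return out

    def effective_rules(self, path: str) -> List[str]:
        """Policy inheritance: ancestor rules first, then the domain's own."""
        chain, d = [], self.index[path]
        while d is not None:
            chain.append(d)
            d = d.parent
        return [r for dom in reversed(chain) for r in dom.rules]


def build_example() -> DomainTree:
    """Constructed hierarchy following the slide's UK / UK-London / UK-Oxford layout."""
    t = DomainTree("Global")                       # root name is an assumption
    for name in ("UK", "USA", "INDIA"):
        t.add("Global", name)
    t.add("Global/UK", "London")
    t.add("Global/UK", "Oxford")
    t.root.rules.append("block known-malicious IPs")
    t.index["Global/UK"].rules.append("decrypt outbound TLS")
    t.index["Global/UK/London"].rules.append("allow branch VPN")
    # Overlapping addresses are allowed: each leaf domain has its own network map.
    t.register_device("Global/UK/London", "ftd-10.0.0.1")
    t.register_device("Global/UK/Oxford", "ftd-10.0.0.1")
    t.register_device("Global/USA", "ftd-10.0.0.1")
    return t


def check_limits(t: DomainTree) -> List[str]:
    """Attempt three invalid operations and collect the rejection messages."""
    attempts = (
        lambda: t.add("Global/UK/London", "Soho"),          # would be level 4
        lambda: t.add("Global/USA", "Texas"),               # parent already holds devices
        lambda: t.register_device("Global/UK", "ftd-x"),    # not a leaf domain
    )
    rejected = []
    for op in attempts:
        try:
            op()
        except ValueError as e:
            rejected.append(str(e))
    return rejected
```

The tenancy property the MSSP use case depends on falls out of `visible_devices`: a user scoped to Global/UK never enumerates the USA or INDIA devices, and the identical management address in three leaf domains is not a conflict because visibility and the network map are keyed by domain path rather than by address.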

Page 30: Software and Management - Cisco


Use Cases

Page 31: Software and Management - Cisco

Qualifying New Firepower Opportunities

Firepower Appliances (continue to sell as normal):
- Need a dedicated NGIPS or AMP solution
- Needs fail-to-wire for inline deployment

ASA Firepower Services (continue to sell as normal):
- Need firewall functionality not initially provided by Firepower Threat Defense:
  • Site-to-Site VPN
  • Remote Access VPN
  • Multi-cast Routing
  • Clustering
  • Contexts

Firepower Threat Defense (position now, ready for GA):
- Need new Firepower 9300*
- Require single management platform*

(*can forgo functionality like VPN and rate limiting in the short term)

Page 32: Software and Management - Cisco

Use Case: Internet Edge Firewall

Requirement

Connectivity and availability requirement:
• Firewall for High Availability (redundancy)
• Firewall should support Routed or Transparent mode
• vPC/Port-Channel for interface redundancy and link speed aggregation

Security requirement:
• Dynamic NAT/PAT and Static NAT
• AVC, URL filtering, IPS and Malware protection
• SSL Decryption

Solution

Security application: Firepower Threat Defense application with FMC

[Diagram: ISP / Service Provider – Internet Edge (HSRP) – FW in HA – vPC / Port-Channel – Campus/Private Network and DMZ Network]

Page 33: Software and Management - Cisco

Use Case: Internet Edge Firewall with VPN Support

Requirement

Connectivity and availability requirement:
• Firewall for High Availability (redundancy)
• Firewall in Routed mode
• vPC/Port-Channel for interface redundancy and link speed aggregation

Security requirement:
• Dynamic NAT/PAT and Static NAT
• Application Inspection
• ACL to control the traffic flows
• VPN support (S2S, SSL and AnyConnect)

Solution

Security application: ASA Firewall

[Diagram: ISP / Service Provider – Internet Edge (HSRP) – FW in HA – vPC / Port-Channel – Campus/Private Network and DMZ Network; Remote VPN Users and Branch Office connect over the ISP]

Page 34: Software and Management - Cisco

Firepower Threat Defense: Smart Licensing

Page 35: Software and Management - Cisco

Firepower Threat Defense Licensing Structure

• Base License enables NGFW
  • Networking, Firewall and Application Visibility & Control
  • Perpetual license - included with appliance purchase
• Term-based licenses for advanced protection
  • Threat, Malware and URL Filtering
• Traditional ASA licenses not needed

License tiers: Base (NGFW) – perpetual; Threat (IPS / SI / DNS), Malware (AMP / TG), URL Filtering – term-based

(On the original slide: blue = term-based, green = perpetual)

Page 36: Software and Management - Cisco


Firepower 4100 Series

Page 37: Software and Management - Cisco

Cisco Firepower 4100 Series

Introducing four new high-performance models

Multiservice Security:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party

Performance and Density Optimization:
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency

Unified Management:
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options

Page 38: Software and Management - Cisco

Firepower 4100 Series Front and Rear View

[Diagram labels: SSD1, SSD2; ports 1–8; NetMod 1 (slot), NetMod 2 (slot); PS1, PS2; FAN1–FAN6; Power, Console, Mgmt., SYS, ACT, SSD Status]

Page 39: Software and Management - Cisco

Firepower 4100 Software

- The FP 4100 Series platform is supported from FXOS 1.1.4
- FXOS provides the interface for device management and for provisioning the security application on the security engine.
- All images are digitally signed and validated through Secure Boot.
- Security application images are in Cisco Secure Package (CSP) format:
  - Multiple versions of the same application can be stored in the Supervisor and deployed to the Security Engine on demand
  - Contains the system image (i.e. ASA, FTD) and other images (i.e. ASDM, REST, and so on)

Architecture: the Firepower Extensible Operating System (FXOS) runs on the Supervisor; on the Security Engine the primary application from Cisco (native) is ASA or FTD, alongside a decorator application from a third party (KVM), such as DDoS (future).

Page 40: Software and Management - Cisco