Transcript: NGFWv and ASAv in public clouds
Pavel Rodionov, Technical Solutions Architect, Cisco GSSO
BRKSEC-2064: AWS and Azure
NGFWv and ASAv in public clouds
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Introduction to public clouds: benefits and challenges of using AWS and Azure
• Components and services of AWS and Azure
• NGFWv and ASAv in Azure: deployment models, licensing, scaling
• NGFWv and ASAv in AWS: deployment models, licensing, scaling
• Useful links: YouTube channel, guides and other useful information
Applications in the data center: full control and visibility
Application shift: benefits and challenges of public clouds
Diagram: public clouds, hybrid clouds, data center (local clouds: hypervisors), Multi Cloud
Challenges: visibility and control; Layer 2 abstraction; security model; cloud services
Benefits: application flexibility; HA and scalability; cost
Cloud components
AWS components: overview
Diagram: LB, IGW and Elastic IP; Route Table RT (destination 0.0.0.0, next-hop IGW); us-east-1c with subnets mgmt-1c, outside-1c, inside-1c and workload1; us-east-2c with subnets mgmt-2c, outside-2c, inside-2c and workload2
VPC: Virtual Private Cloud
Availability Zone
Subnet
EC2 Instance: Workload
Elastic IP
Load Balancer: NLB, CLB and ALB
Internet Gateway
Route Table
Region
VGW & Direct Connect: Direct Connect, Virtual Private Gateway
Azure components
Diagram: vNET with WEB, APP and DB subnets; NGFWv / ASAv as a Network Virtual Appliance (NVA); Gateway Subnet with Virtual Network Gateway and Azure ExpressRoute; LB; Availability Set
Resource Group
Virtual Network: vNET
Subnet
Workload: VM
User Defined Route: UDR
Network Virtual Appliance: NVA
Availability Set
Load Balancer: Internal and External
Express Route
New: Availability Zone
WEB-UDR: destination x.x.x.x, next hop NVA (Internal)
APP-UDR: destination x.x.x.x, next hop NVA (Internal)
DB-UDR: destination x.x.x.x, next hop NVA (Internal)
Security: new components (Azure vs AWS)
Azure                                              | AWS
Virtual Network (vNET)                             | Virtual Private Cloud (VPC)
Availability Set                                   | Availability Zone (AZ)
Subnet                                             | Subnet
Azure Virtual Machine (VM)                         | EC2 Instance
User Defined Route (UDR)                           | Route Table (RT)
ARM Template                                       | CloudFormation Template (CF template)
Load Balancer: Internal, external and ILB Standard | Load Balancer: NLB, CLB, ALB, Internal and External
ExpressRoute                                       | Direct Connect
Public IP                                          | Elastic IP (EIP)
Network Security Group and Layer 7 firewall        | Security Group, NACL
Cloud security components
Cisco security toolset
Firewalls: NGFWv, FMCv, ASAv, and ASAv Umbrella connector
Policies: Cloud Policy Connector, CDO
Stealthwatch Cloud / Tetration
NGFWv overview: AWS and Azure
NGFWv: FTD Appliance
Firewall: stateful firewall, NAT, static and dynamic routing
AVC, NGIPS, AMP, URL, SI
VPN: IPSEC (S2S & RAVPN)
AVC - Application Visibility and Control; NGIPS - Next-Generation Intrusion Prevention System; AMP - Advanced Malware Protection; VPN - Virtual Private Network; URL - URL filtering; SI - Security Intelligence
Management options
Cisco Firepower Management Center (FMC): centralized management, GUI and API. Helps the administrator apply consistent policies, quickly obtain information about security events, automate the response and conduct investigations.
Cisco Firepower Device Manager (FDM): local management, API. A simple management interface for one or two devices (in HA).
Configuration orchestration: FMC API
• FMC supports the following APIs:
• Device registration/deregistration
• Device groups
• Objects
• Access Control Policy
• Interfaces: physical, subinterfaces, Port Channel, BVI, inline pair
• Security Zone
• NAT
• Routing
• VPN
• FTD High Availability
Configuration orchestration: API Explorer
ASAv overview: AWS and Azure
ASAv 9.14.x: ASA Appliance
Stateful F/W, NAT, routing and ACL
VPN: IPSEC and SSL
REST API
Route based VPN: VTI
Management: CLI, ASDM, CSM and CDO
Standard cloud security is not enough
Cloud operators: physical infrastructure, network infrastructure, virtualization layer
Customer: protection of the network and applications
NSG & L7FW (Azure), SG and NACL (AWS): L4 visibility and limited L7
Cisco Security for Public Cloud:
NGFWv: Firewall, AVC, NGIPS, AMP, VPN and URL filtering (L4 and L7 visibility)
ASAv: Stateful firewall, NAT, routing, ACL and VPN
NGFWv and ASAv in public clouds
NGFWv and ASAv Instances: Public and Gov Cloud
AWS
NGFWv Instance (Marketplace): c3.xlarge, c4.xlarge
FMCv Instance (Marketplace): c3.xlarge, c3.2xlarge, c4.xlarge, c4.2xlarge, c5.extralarge (6.6)
ASA instance (Marketplace): c3.large, c3.xlarge, c4.large, c4.xlarge, c5.extralarge (6.5), m4.large, m4.xlarge
SSD storage on c3 instance and EBS storage on c4 or m4 instance; large instance is ASAv10, xlarge instance is ASAv30
Azure
NGFWv Instance (Marketplace): Standard D3, D3v2, D4v2 and D5v2 (6.5)
FMCv Instance (Marketplace): Standard D3v2 and D4v2, available from FMC/FTD release 6.4
ASAv Instance (Marketplace): Standard D3 and D3v2; D3 and D3v2 instance is ASAv30
Standard_D3v2 (4 CPU, memory: 14GB), Standard_D4v2 (8 CPU, memory: 28GB), D5v2 (16 CPU, 56 GB)
Deployment modes
NGFWv deployment modes
Routed mode (NGFWv) - AWS; Passive mode (NGFWv) - AWS; Routed mode (NGFWv) - Azure
• Passive mode is available only for NGFWv in AWS
FMC in the clouds: AWS and Azure
• FMC is available in AWS
• FMC is available in Azure starting with release 6.4 (NEW)
Standard_D3v2 (4 CPU, memory: 14GB), Standard_D4v2 (8 CPU, memory: 28GB)
ASAv deployment modes in the clouds
Routed mode (ASAv) - AWS; Routed mode (ASAv) - Azure
Management
Management access - NGFWv
Azure: FMC in the Data Center reaches NGFWv eth0 either over the Internet (manage using public IP) or through the Gateway Subnet / Virtual Network Gateway over Azure ExpressRoute into the vNET (manage using private IP)
AWS: FMC in the Data Center reaches NGFWv eth0 either over the Internet through the IGW (manage using public IP) or over AWS Direct Connect - DX (manage using private IP)
Management access - ASAv
Azure: ASDM in the Data Center reaches the ASAv either over the Internet (manage using public IP) or through the Gateway Subnet / Virtual Network Gateway over Azure ExpressRoute into the vNET (manage using private IP)
AWS: ASDM in the Data Center reaches the ASAv either over the Internet through the IGW (manage using public IP) or over AWS Direct Connect - DX (manage using private IP)
Orchestration with Cisco Defense Orchestrator (CDO)
• Configuration orchestration for ASA/FTDv
• CDO is licensed per device
• Cloud solution
• Simple integration and setup
• Consistent policies and objects
Diagram: Cisco Defense Orchestrator reaches the devices over the Internet
Fault tolerance in the clouds…
Active/Standby HA in modern firewalls (how traffic flows are organized)
Diagram: the active unit's interfaces carry the Active MAC, the standby unit's interfaces carry the Standby MAC
Why doesn't this work in public clouds?
• Clouds provide no access to L2, so you cannot quickly swap the MAC and IP and then use gratuitous ARP to make the switches on either side update their CAM tables. This can be done only through the Azure or AWS API, to save the IP change on the node and then wait for that information to propagate. That takes time. On the whole, quite a lot of time.
• The load balancers in Azure and AWS cannot redirect an existing flow to a new IP address, which rules them out for a design whose main task is moving a flow from one device to another.
Scalable design: Azure
ASAv HA (Active/Backup)
Diagram: vNET with Protected Workloads on the Inside subnet, an Azure UDR (user defined route), and an Availability Set holding the Active ASAv and the Backup ASAv, each running an HA Agent; an Azure LB with a frontend Public IP in front of them
HA Agent:
• Communicates with the peer and determines the Active/Backup state
• Responds to LB probes
• Programs the Azure user defined route (UDR)
Frontend Public IP: the frontend IP is assigned on the Azure Load Balancer
Load Balancer probes: the load balancer probes each ASAv using a TCP handshake, and the HA agent on the Active ASAv responds to the probes.
ASAv HA was released in 9.8.1.200 (August 2017)
• Traffic is steered to the active ASAv
• Routes are programmed via Azure REST APIs
UDR for Inside Subnet: destination 0.0.0.0/0, next hop Active ASAv
Integrated solution: no external scripts/agent required
Multiple subscription support: HA modifies the UDR in several subscriptions
Fast switchover: detection and switchover in seconds
Stateless switchover: connections are not replicated
Probe port - TCP 44441, Control port - TCP 44442
YouTube: Demo1, Demo2
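The HA agent behaviour described above (the LB probe answered only by the Active unit, and the Inside-subnet UDR next hop repointed through the Azure REST API in several subscriptions on failover), modelled in Python as an added example; this is not Cisco's ASAv HA agent code. The routeTables/routes URL and request body follow the Azure Resource Manager shape; the API version, subscription and resource names, route name and IP addresses are constructed placeholders.

```python
import json
from dataclasses import dataclass, field

AZURE_ARM = "https://management.azure.com"
API_VERSION = "2019-11-01"  # assumption: a Microsoft.Network API version exposing routeTables/routes
PROBE_PORT = 44441          # LB probe port from the slide; control port 44442 is peer-to-peer only


@dataclass
class UdrTarget:
    """One Inside-subnet UDR to repoint; HA may touch tables in several subscriptions."""
    subscription: str
    resource_group: str
    route_table: str
    route_name: str = "inside-default"  # constructed route name


@dataclass
class HaAgent:
    name: str
    ip: str                # this ASAv's inside IP, used as the UDR next hop
    state: str = "backup"  # "active" or "backup"
    targets: list = field(default_factory=list)

    def answer_probe(self, port: int) -> bool:
        """Only the Active unit completes the LB's TCP handshake on the probe port."""
        return port == PROBE_PORT and self.state == "active"

    def route_put(self, t: UdrTarget) -> dict:
        """Azure REST call (PUT route) that makes this unit the 0.0.0.0/0 next hop."""
        url = (f"{AZURE_ARM}/subscriptions/{t.subscription}/resourceGroups/{t.resource_group}"
               f"/providers/Microsoft.Network/routeTables/{t.route_table}/routes/{t.route_name}"
               f"?api-version={API_VERSION}")
        body = {"properties": {"addressPrefix": "0.0.0.0/0",
                               "nextHopType": "VirtualAppliance",
                               "nextHopIpAddress": self.ip}}
        return {"method": "PUT", "url": url, "body": json.dumps(body)}

    def on_peer_check(self, peer_alive: bool) -> list:
        """Backup promotes itself when the peer stops answering on the control port and
        returns the PUT calls to issue, one per UDR; nothing happens otherwise."""
        if self.state == "backup" and not peer_alive:
            self.state = "active"
            return [self.route_put(t) for t in self.targets]
        return []


def simulate_failover():
    """Constructed scenario: UDRs in two subscriptions; the Active unit dies, Backup takes over."""
    targets = [UdrTarget("sub-A", "rg-net", "inside-rt"), UdrTarget("sub-B", "rg-net", "inside-rt")]
    backup = HaAgent("asav-2", "10.0.1.5", "backup", targets)
    return backup, backup.on_peer_check(peer_alive=False)
```

Because the switchover is stateless, the PUT calls only move new flows; existing connections are not replicated, as the slide notes.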
Scalable design for NGFWv and ASAv: Azure internal load balancer (ILB) Standard and external load balancer
Diagram: vNET with WEB, APP and DB subnets; Gateway Subnet with Virtual Network Gateway and Azure ExpressRoute to the Data Center (FMC); firewalls FW01, FW02 … FW..n (NGFWv) in an Availability Set on the NVA Subnet (inside); an internal ILB Standard (VIP) with HA Port facing the workloads and an External LB facing Internet Users; stateless switchover
DB-UDR: Default/Internet, next hop ILB VIP; APP, WEB & DC, next hop ILB VIP
APP-UDR: Default/Internet, next hop ILB VIP; DB, WEB and DC, next hop ILB VIP
WEB-UDR: Default/Internet, next hop ILB VIP; DB, APP and DC, next hop ILB VIP
GW-UDR: WEB, APP & DB, next hop ILB VIP
YouTube video1: overview; video2: end to end deployment demo. NGFWv ARM Template (LB Sandwich): Template
Scalable design: AWS
AWS load balancers: ALB, NLB and CLB
Application Load Balancer: cookie based load balancing; not for a firewall
Network Load Balancer: IP addresses as targets; supports ASAv and NGFWv
Classic Load Balancer: sends traffic to the VM interface; not supported with NGFWv
NGFWv scalable design in AWS: Network Load Balancer (NLB) or Application Load Balancer
Diagram: VPC with IGW and Elastic IP; Route Table RT (subnet 0.0.0.0, next-hop IGW); ALB/NLB in front of NGFWv instances in us-east-1c (management-1c, outside-1c, inside-1c) and us-east-1d (management-1d, outside-1d, inside-1d); FMCv; WebServer01 and WebServer02 behind the firewalls; stateless switchover
YouTube: Demo
For scalability at the Availability Zone level, several firewalls can be added
Licensing
Licensing: NGFWv and ASAv in public clouds
Cisco Smart Licensing for NGFWv and ASAv in AWS and Azure
ASA
Standard License: Firewall, throughput
AnyConnect Apex License: SSL, IPSEC
AWS: Bring your own license; Hourly or Annual license
Azure: Bring your own license; Pay as you go
NGFW
Base License: Firewall, AVC
Term based: Threat, URL, AMP
AWS: Bring your own license; Hourly or Annual license
Azure: Bring your own license; Pay as you go
Note: with the Pay as you go model there is no TAC support, but you can purchase an additional support contract
ASAv entitlement in Public Cloud
YouTube Channel: http://cs.co/DCandCloudSecurity
NGFWv and ASAv Marketplace Listings
AWS
NGFWv Marketplace listing - BYOL: http://cs.co/CiscoNGFWvBYOL
NGFWv Marketplace listing - Hourly & Annual: http://cs.co/CiscoNGFWvHourlyAnnual
FMCv Marketplace listing - BYOL: http://cs.co/CiscoFMCvBYOL
ASAv Marketplace listing - BYOL, Hourly & Annual: http://cs.co/CiscoASAvBYOLHourlyAnnual
Azure
NGFWv Marketplace listing - BYOL: http://cs.co/CiscoNGFWv
ASAv Marketplace listing - BYOL: http://cs.co/CiscoASAv
ASAv HA Marketplace listing - BYOL: http://cs.co/AzureASAvHA
Important links
Security in public cloud YouTube channel: http://cs.co/DCandCloudSecurity
Cisco NGFWv, ASAv and FMC Chalk talk in Public Cloud: http://cs.co/PublicCloudSecChalkTalk
Cisco ASAv licensing (BYOL): http://cs.co/ASAvLicensing
Cisco NGFWv licensing (BYOL): http://cs.co/CiscoNGFWvLicensing
Thank you!