Pieter van Schaik & Gerard van Bon Consulting System Engineers · FTD is both NGFW and NGIPS on...

Page 1:

Page 2:

Pieter van Schaik & Gerard van Bon

Consulting System Engineers

Breakfast & Learn

Firepower NGFW

Page 3:

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda

• Introduction
• Appliances
• Management
• Deployment Options
• Threat Protection
• Integration

Page 4:

Integrated Architecture

Best-of-breed Portfolio

Cloud-Delivered Intelligence

Page 5:

The Security Effectiveness Gap

Page 6:

The Outcome: Effective Security Posture

[Figure: timeline running from Threat to Detection to Response]

Page 7:

“Security controls are only as good as the breadth and quality of the threat intelligence behind them…”

“…the ability to apply threat intelligence correctly and at scale is the ‘magic of true protection’”

Page 8:

Unmatched Threat Visibility to Complete Protection

Daily visibility, real-time and at scale:

• 1.5 million malware samples
• 8.5 billion email queries
• 7 billion AMP queries
• 2.6 billion CWS/WSA queries
• 150 billion DNS requests

Telemetry sources across Network, Endpoint and Cloud: NGFW, NGIPS, AMP for Networks, Meraki, Firepower/ASA, Snort Subscription Rule Set, AMP for Endpoints, Email Security Appliance, Web Security Appliance, AMP for Gateways, Cisco Umbrella, Cloud Email Security, Cloud Web Security

Page 9:

Appliances

Page 10:

Cisco has an NGFW solution for every business…

Small and Midsized Business: ASA 5506-X / 5506W-X / 5506H-X / 5508-X / 5516-X, Firepower 2110/2120
NGFWs for SMBs and distributed enterprises with integrated threat defense, a low TCO, and simplified security management.

Midrange: ASA 5525-X / 5545-X / 5555-X, Firepower 2130/2140
Enterprise-class security for the internet edge, with superior threat defense, sustained performance, and simple management.

Enterprise: Firepower 4110/4120/4140/4150, Firepower 9300
From the internet edge to carrier grade security for data centers and other high-performance settings, with multiservice security, flexible architecture, and unified management.

Page 11:

Cisco Firepower 2100 Appliances

Model            AVC          AVC+IPS
Firepower 2110   1.9 Gbps     1.9 Gbps
Firepower 2120   3 Gbps       3 Gbps
Firepower 2130   4.75 Gbps    4.75 Gbps
Firepower 2140   8.5 Gbps     8.5 Gbps

Page 12:

Firepower 2100 (1RU)

Integrated Security Platform
• Fixed configurations (2110, 2120, 2130, 2140)
• Dual redundant power supplies on 2130 and 2140 only
• SSL Decryption in Hardware

SFP/SFP+ Data Interfaces
• 4x1GE on Firepower 2110 and 2120
• 4x10GE on Firepower 2130 and 2140

Network Module
• Firepower 2130 and 2140 only
• Same 8x10GE SFP module as on Firepower 4100/9300
• Fail to Wire Option

Copper Data Interfaces
• 12x1GE Ethernet

Page 13:

Cisco Firepower 4100 Appliances

Model            AVC        AVC+IPS
Firepower 4110   12 Gbps    10 Gbps
Firepower 4120   20 Gbps    15 Gbps
Firepower 4140   25 Gbps    20 Gbps
Firepower 4150   30 Gbps    24 Gbps

Page 14:

Firepower 4100 Overview (1RU)

Built-in Supervisor and Security Module
• Application deployment and orchestration
• Dual PSU (Optional on 4110, 4120)
• SSL Decryption in Hardware

Solid State Drives
• Independent operation (no RAID)
• Slot 1 today provides limited AMP storage
• Slot 2 adds 400GB of AMP storage

Network Modules
• 2 Slots
• 10GE/40GE interchangeable with 9300
• Fail to Wire option

Fixed Data Interfaces
• 8xSFP+

Page 15:

Cisco Firepower 9300 Appliances

Configuration                 AVC         AVC+IPS
Firepower 9300 with 1 SM24    30 Gbps     24 Gbps
Firepower 9300 with 1 SM36    42 Gbps     34 Gbps
Firepower 9300 with 1 SM44    54 Gbps     53 Gbps
Firepower 9300 with 3 SM44    135 Gbps    133 Gbps

Page 16:

Firepower 9300 (3RU)

Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco and third-party applications
• Standalone or clustered within and across chassis

Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer

Network Modules
• 10GE, 40GE, and 100GE
• Hardware bypass for inline NGIPS

Page 17:

Virtual Appliances

Page 18:

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Management

Page 19:

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Management Options

Cisco Defense Orchestrator (CDO), cloud-based (upcoming)
Enables cloud-based policy management of multiple deployments

Firepower Management Center (FMC), centralized
Enables comprehensive security administration and automation of multiple appliances

Firepower Device Manager (FDM), on-box
Enables easy on-box management of common security and policy tasks

Page 20:

Firepower Management Center (FMC)

Centralized management for multi-site deployments: manage across many sites, control access and set policies, investigate incidents, prioritize response.

• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration
• Manages NGIPS, Firewall & AVC, AMP and Security Intelligence
• …Available in physical and virtual options

Page 21:

Firepower Device Manager (FDM)

Integrated on-box option for single instance deployment: set up easily, control access and set policies, automate configuration, enhanced control.

• Physical and virtual options
• Easy set-up
• NAT and Routing
• Role-based access control
• Intrusion and Malware prevention
• High availability
• Device monitoring
• VPN support

Page 22:

Cisco Defense Orchestrator (CDO)

Simplify security policy management in the cloud with Cisco Defense Orchestrator

• Plan and model security policy changes before deploying them across the cloud
• Deploy changes across virtual environments in real time or offline
• Receive notifications about any unplanned changes to security policies and objects

Device Onboarding
• Import From Offline
• Discover Direct From Device

Security Policy Management
• Object & Policy Analysis
• Application, URL, Malware & Threat Policy Management
• Change Impact Modeling
• Security Templates
• Security Reports
• Notifications
• Simple Search-Based Management

Page 23:

Deployment Options

Page 24:

Active/Standby Failover

[Figure: an active (A) and a standby (S) FTD unit placed between the inside and outside networks]

Page 25:

Clustering

• Link Scalability: increase throughput
• Distributed Plan: handle more connections
• Inter-site Clustering: combine multiple individual firewalls and manage as one (Location A / Location B)

Page 26:

FTD Deployment Modes

FTD is both NGFW and NGIPS on different network interfaces

• NGFW inherits operational modes from ASA and adds FirePOWER features

• NGIPS operates as standalone FirePOWER with limited ASA data plane functionality

NGIPS interface modes (as drawn on the slide):
• Inline (Eth1/1 and Eth1/2)
• Inline Tap (Eth1/1 and Eth1/2)
• Passive (Eth1/1)

NGFW modes (as drawn on the slide):
• Routed: inside 10.1.1.0/24, outside 10.1.2.0/24, DMZ 10.1.3.0/24, FTD routes between them
• Transparent: inside, outside and DMZ share 10.1.1.0/24, FTD bridges them
• Integrated Routing and Bridging: inside and DMZ bridged on 10.1.1.0/24, routed towards outside 10.1.2.0/24

Page 27:

Multi-Instance for true Multi-Tenancy

• Firepower 4100 and 9300 only
• Instantiate multiple logical devices on a single module or appliance
• Complete traffic processing and management separation
• CPU/memory/disk resources are dedicated to an instance at provisioning
• Physical and logical interface and VLAN separation at Supervisor

[Figure: Supervisor in front of instances MI1, MI2, MI3 …, each attached to its own networks (Network 1 to Network 4) and the Internet]

Page 28:

Security Intelligence

Page 29:

IP Security Intelligence

• IP SI drops packets based on lists of malicious IP addresses
• SI drops packets at the IP level, before any higher-layer inspection
• Whitelist overrides Blacklist

Page 30:

URL Security Intelligence

• URL SI is independent from Access Control URL rules
• Blocks lists of malicious domains
• Matches the HTTP GET or TLS Client Hello
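The two list-based checks on these slides, IP SI (whitelist overrides blacklist, decided on the IP header alone) and URL SI (matched on the HTTP GET or the TLS Client Hello), as one added Python example. This is not Cisco code and not how FTD implements the lookups internally; the IP lists, the domain list and the TLS ClientHello bytes are constructed here, and the SNI walk deliberately handles only the fields needed to reach the server_name extension.

```python
"""Added example: Security Intelligence verdicts on an IP header, an HTTP
request and a TLS ClientHello. Lists and packets are constructed."""
import ipaddress
import struct
from typing import Optional

# Constructed IP SI feeds (TEST-NET ranges, no real reputation data).
IP_BLACKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
IP_WHITELIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32",)]
# Constructed URL SI list: a domain entry covers all of its subdomains.
URL_BLACKLIST = {"malware.example", "bad.example.net"}


def ip_si_verdict(addr: str) -> str:
    """IP SI looks only at the IP header; a whitelist hit overrides the blacklist."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in IP_WHITELIST):
        return "allow"      # whitelist overrides blacklist
    if any(ip in net for net in IP_BLACKLIST):
        return "block"      # dropped before any higher-layer inspection
    return "inspect"        # handed on to access control / IPS


def domain_listed(host: str) -> bool:
    """True if the host or any parent domain is on the URL SI list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in URL_BLACKLIST for i in range(len(labels)))


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello whose only extension is SNI
    (test input; real ClientHellos carry many more suites and extensions)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # ext type 0 = server_name
    body = (b"\x03\x03" + bytes(32)            # client_version, random
            + b"\x00"                          # session_id length 0
            + b"\x00\x02\xc0\x2f"              # one cipher suite
            + b"\x01\x00"                      # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # ClientHello, 3-byte length
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(data: bytes) -> Optional[str]:
    """Walk the ClientHello to its extensions and return server_name, if any."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    try:
        pos = 43                               # after record + handshake headers, version, random
        pos += 1 + data[pos]                   # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                   # compression_methods
        if pos + 2 > len(data):
            return None                        # no extensions block at all
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                     # server_name extension
                p = pos + 2                    # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                    if ntype == 0:
                        return data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
            pos += elen
    except (IndexError, struct.error):
        return None                            # truncated or malformed hello
    return None


def host_from_http_request(raw: bytes) -> Optional[str]:
    """Host header of a plaintext HTTP request, without any :port suffix."""
    for line in raw.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace").split(":")[0]
    return None


def url_si_verdict(payload: bytes) -> str:
    """URL SI: match the HTTP GET's Host or the TLS ClientHello's SNI against the list."""
    if payload[:1] == b"\x16":
        host = sni_from_client_hello(payload)
    else:
        host = host_from_http_request(payload)
    return "block" if host and domain_listed(host) else "inspect"
```

The SNI check is why URL SI works on TLS without decryption: the server_name travels in clear in the ClientHello, so the verdict can be taken on the first client packet, before the access control policy or the IPS sees the flow. Note that an address hit on both lists comes back as "allow", matching the whitelist-overrides-blacklist rule on the slide.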

Page 31:

DNS Security Intelligence

DNS SI performs a “Man in the Middle” of DNS queries

Option 1:
• Alter DNS response to NXDOMAIN (domain not found)

Option 2:
• Alter DNS response to inject a Sinkhole server IP address

[Figure: client query for a listed domain answered with an NXDOMAIN response]
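What the two options do on the wire, as an added Python example (not Cisco code): a constructed A query for a listed domain is answered either with RCODE NXDOMAIN or with an A record pointing at an assumed sinkhole address, while a query for an unlisted name is left for the real resolver. The blocklist, the sinkhole IP and the query packet are constructed; the DNS encoding is done with the standard library only.

```python
"""Added example: DNS Security Intelligence rewriting answers for listed
domains. Pure-stdlib DNS wire handling; all names and addresses are constructed."""
import socket
import struct

RCODE_NXDOMAIN = 3
FLAGS_RESPONSE = 0x8180                  # QR=1, RD=1, RA=1, RCODE=0
DNS_BLOCKLIST = {"c2.example.net"}       # constructed domain list (covers subdomains)
SINKHOLE_IP = "192.0.2.53"               # assumed sinkhole server (TEST-NET-1)


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg: bytes, pos: int):
    """Return (name, position after the name); follows compression pointers."""
    labels, end = [], None
    while True:
        ln = msg[pos]
        if ln & 0xC0 == 0xC0:                              # pointer to an earlier name
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if ln == 0:
            break
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels), (end if end is not None else pos)


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """A standard recursive query (one question, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def listed(name: str) -> bool:
    labels = name.lower().split(".")
    return any(".".join(labels[i:]) in DNS_BLOCKLIST for i in range(len(labels)))


def dns_si_response(query: bytes, mode: str = "nxdomain"):
    """Forge a reply for a listed name; return None to let the resolver answer."""
    qid = struct.unpack("!H", query[:2])[0]
    name, pos = decode_name(query, 12)
    qtype = struct.unpack("!H", query[pos:pos + 2])[0]
    question = query[12:pos + 4]
    if not listed(name):
        return None
    if mode == "sinkhole" and qtype == 1:
        # Option 2: answer the A query with the sinkhole address (5 s TTL).
        header = struct.pack("!HHHHHH", qid, FLAGS_RESPONSE, 1, 1, 0, 0)
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 5, 4) + socket.inet_aton(SINKHOLE_IP)
        return header + question + answer
    # Option 1 (and the fallback for non-A queries in sinkhole mode): NXDOMAIN.
    header = struct.pack("!HHHHHH", qid, FLAGS_RESPONSE | RCODE_NXDOMAIN, 1, 0, 0, 0)
    return header + question


def rcode(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def answer_ips(response: bytes):
    """A records in the answer section, as dotted quads."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    pos = 12
    for _ in range(qdcount):
        _, pos = decode_name(response, pos)
        pos += 4                                           # qtype, qclass
    ips = []
    for _ in range(ancount):
        _, pos = decode_name(response, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(response[pos:pos + 4]))
        pos += rdlen
    return ips
```

The sinkhole variant is the one that pays off operationally: every host that later connects to the sinkhole address has resolved a listed name, which gives a clean list of infected clients even when the original DNS query was never logged.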

Page 32:

Cisco Threat Intelligence Director

Integrate third-party security intelligence

• Ingest Security Intelligence: third-party intelligence (e.g. CSV) is loaded into Threat Intelligence Director on Firepower Management Center
• Ingest Observables: the observables are pushed to the Cisco security sensors (Firepower NGFW, FirePOWER NGIPS, AMP)
• Correlate Observations: sensor events are matched back against the observables
• Generate Rich Incident Reports
• Refine Security Posture

Page 33:

…but an efficient, effective security practice requires more.

Page 34:

Visibility

Page 35:

Know Your Network

Network, Operating Systems, Users, Files, Server Apps, Client Apps

Page 36:

Understand Its Weakness

Network, Operating Systems, Users, Files, Server Apps, Client Apps, plus their Vulnerabilities

Page 37:

And Then Protect It

Network, Operating Systems, Users, Files, Server Apps, Client Apps, Vulnerabilities, plus Malware, Intrusion Events, Policy Violations and Threat Intel

Page 38:

Host Profile

• Server, Service, Port
• Applications

Page 39:

Next Gen IPS

Page 40:

Impact Flags

Flag   Action                                              Why
0      General info††                                      Event occurred outside profiled networks
4      Good information, host is currently not known       Previously unseen host within monitored network
3      Good information, event may not have connected      Relevant port not open or protocol not in use
2      Worth investigation. Host exposed.                  Relevant port or protocol in use but no vulnerability mapped
1      Act immediately. Host vulnerable or compromised.    Host vulnerable to attack or showing an IOC

†† If you have a fully profiled network this may be a critical event!

The impact flag is computed by correlating each intrusion event (source / destination IP, protocol (TCP/UDP), source / destination port, service, Snort ID, IOC: predefined impact) with the host profile of the target (IP address, protocols, server-side ports, client-side ports, user IDs, potential vulnerabilities (CVE), services, client / server apps, operating system). A target outside the profile range or a host not yet profiled cannot be correlated, which is what yields impact 0 and impact 4 respectively.
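The decision behind that table, as an added Python example (not FMC code): a constructed host database stands in for network discovery, and a constructed mapping from local Snort rule IDs to CVEs stands in for the vulnerability mapping FMC ships with its rules. The monitored 10.0.0.0/8 range and the choice of which end of the conversation counts as the target host are assumptions made for the example.

```python
"""Added example: assigning impact flags 0-4 to intrusion events by
correlating them with host profiles. All data below is constructed."""
import ipaddress

MONITORED = [ipaddress.ip_network("10.0.0.0/8")]     # assumed network discovery scope

# Host profiles as network discovery would build them (constructed).
HOSTS = {
    "10.1.1.20": {"os": "Windows Server 2012", "open": {("tcp", 445), ("tcp", 3389)},
                  "vulns": {"CVE-2017-0144"}},
    "10.1.1.30": {"os": "Ubuntu 18.04", "open": {("tcp", 22), ("tcp", 80)},
                  "vulns": set()},
}
# Which vulnerability a rule detects an attack on (constructed; local SID range).
SID_TO_CVE = {1000001: {"CVE-2017-0144"}, 1000002: {"CVE-2014-0160"}}

# Constructed intrusion / IOC events.
EVENTS = [
    {"id": 1, "src": "198.51.100.9", "dst": "10.1.1.20", "proto": "tcp", "dst_port": 445, "sid": 1000001},
    {"id": 2, "src": "198.51.100.9", "dst": "10.1.1.30", "proto": "tcp", "dst_port": 445, "sid": 1000001},
    {"id": 3, "src": "198.51.100.9", "dst": "10.1.1.30", "proto": "tcp", "dst_port": 80, "sid": 1000002},
    {"id": 4, "src": "198.51.100.9", "dst": "10.1.1.99", "proto": "tcp", "dst_port": 22, "sid": 1000002},
    {"id": 5, "src": "198.51.100.9", "dst": "192.0.2.7", "proto": "tcp", "dst_port": 80, "sid": 1000002},
    {"id": 6, "src": "10.1.1.30", "dst": "203.0.113.4", "proto": "tcp", "dst_port": 443, "sid": 1000003,
     "ioc": "CnC connection"},
]


def target_host(event):
    """The profiled end of the conversation: the destination if it is inside
    the monitored range, otherwise the source (assumption for outbound events)."""
    for key in ("dst", "src"):
        ip = ipaddress.ip_address(event[key])
        if any(ip in net for net in MONITORED):
            return event[key]
    return None


def impact_flag(event) -> int:
    host_ip = target_host(event)
    if host_ip is None:
        return 0                       # event outside profiled networks
    host = HOSTS.get(host_ip)
    if host is None:
        return 4                       # previously unseen host inside the monitored network
    if event.get("ioc"):
        return 1                       # host is showing an indication of compromise
    if host_ip == event["dst"] and (event["proto"], event["dst_port"]) not in host["open"]:
        return 3                       # relevant port not open / protocol not in use
    if SID_TO_CVE.get(event["sid"], set()) & host["vulns"]:
        return 1                       # host vulnerable to what this rule detects
    return 2                           # service exposed, but no vulnerability mapped


def triage(events):
    """Event ids ordered worst first: 1, 2, 3, 4, then the unprofiled 0s last."""
    return [e["id"] for e in
            sorted(events, key=lambda e: (impact_flag(e) == 0, impact_flag(e), e["id"]))]


def act_now(events):
    return [e["id"] for e in events if impact_flag(e) == 1]
```

Event 2 is the instructive one: the same rule that is impact 1 against the Windows host is impact 3 against the Ubuntu host, because nothing listens on tcp/445 there. Without a host profile that distinction is impossible, which is the point the †† footnote makes about impact 0 on a fully profiled network.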

Page 41:

Focus on a Host’s Real Issues

THEME: Start with what is compromised first.

• Impact 1
• Impact 2
• CNC Connected Events
• Threat detected in file transfer
• Look for Malware Executed
• Dropper Infection
• Shell Code Executed

Let’s see what these 63 events are all about.

Page 42:

Auto Tuning of Signatures

Page 43:

Correlation Rules / Correlation Policy

• Automate Security Decisions
• Track Business Outcome
• Trigger Automated Response

Responses: Email, Syslog, SNMP, Remediation Module

[Figure: event funnel; a correlation policy holds correlation rules, each rule narrows the raw event stream (100,000 → 5,000 → 500 → 100 → 20 → 10 → 3 events) down to correlation events that trigger an action]
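How a correlation rule turns that funnel into an action, as an added Python example (not FMC code; the rule model, the thresholds, the response names and the event stream are constructed): each rule counts matching events per host inside a sliding time window and emits one correlation event, carrying its configured responses, when the threshold is reached.

```python
"""Added example: correlation rules reducing an event stream to a few
correlation events with responses attached. Rules and events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


class CorrelationRule:
    """Fires when `threshold` events matching `trigger` hit one host within `window`."""

    def __init__(self, name, trigger, responses, threshold=1, window=timedelta(minutes=10)):
        self.name, self.trigger, self.responses = name, trigger, list(responses)
        self.threshold, self.window = threshold, window
        self._hits = defaultdict(list)          # host -> timestamps of matching events

    def feed(self, event):
        if not self.trigger(event):
            return None
        hits = self._hits[event["host"]]
        hits.append(event["ts"])
        hits[:] = [t for t in hits if event["ts"] - t <= self.window]   # slide the window
        if len(hits) < self.threshold:
            return None
        hits.clear()                            # re-arm: one burst yields one correlation event
        return {"rule": self.name, "host": event["host"], "ts": event["ts"],
                "responses": self.responses}


class CorrelationPolicy:
    def __init__(self, rules):
        self.rules = rules

    def run(self, events):
        """Replay events in time order; return the correlation events raised."""
        raised = []
        for event in sorted(events, key=lambda e: e["ts"]):
            for rule in self.rules:
                ce = rule.feed(event)
                if ce:
                    raised.append(ce)
        return raised


def build_policy():
    """Two constructed rules; a fresh policy each time so window state does not leak."""
    return CorrelationPolicy([
        CorrelationRule("impact-1 intrusion",
                        lambda e: e["type"] == "intrusion" and e["impact"] == 1,
                        responses=["email:soc@example.com", "remediation:quarantine-host"]),
        CorrelationRule("repeated CnC blocks",
                        lambda e: e["type"] == "si_block" and e["list"] == "CnC",
                        responses=["syslog", "snmp-trap"], threshold=5,
                        window=timedelta(minutes=10)),
    ])


# Constructed stream: 12 low-impact events, one impact-1 hit, a burst of six
# Security Intelligence CnC blocks from one host, and one stray block later.
T0 = datetime(2019, 3, 1, 10, 0, 0)
EVENTS = (
    [{"ts": T0 + timedelta(seconds=i), "type": "intrusion", "host": "10.1.1.30", "impact": 3}
     for i in range(12)]
    + [{"ts": T0 + timedelta(minutes=1), "type": "intrusion", "host": "10.1.1.20", "impact": 1}]
    + [{"ts": T0 + timedelta(minutes=2, seconds=30 * i), "type": "si_block",
        "host": "10.1.1.30", "list": "CnC"} for i in range(6)]
    + [{"ts": T0 + timedelta(hours=2), "type": "si_block", "host": "10.1.1.40", "list": "CnC"}]
)


def run_demo():
    return build_policy().run(EVENTS)
```

Twenty raw events become two correlation events: the single impact-1 hit fires at once, while the CnC blocks only fire on the fifth one inside the window, so the stray block two hours later and the twelve impact-3 events never reach a response. The re-arm after firing is what keeps a sustained burst from paging the SOC once per packet.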

Page 44:

Advanced Malware Protection

Page 45:

Multiple File Engines

• Reputation Lookup
• Spero Analysis
• Dynamic Analysis
• Local Malware Engine

Page 46:

Page 47:

An unknown file is present on IP 10.4.10.183, having been downloaded via Firefox.

Page 48:

At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.

Page 49:

Seven hours later the file is then transferred to a third device (10.3.4.51) via SMB.

Page 50:

The file is copied yet again onto a fourth device (10.5.60.66) via SMB a half hour later.

Page 51:

The Cisco AMP Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.

Page 52:

At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.

Page 53:

8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.

Page 54:

Threat Grid as Information for File Behavior

Page 55:

Application Visibility and Control

Page 56:

Application Visibility and Control

• Support for 6834+ applications and detectors
• Applications are grouped according to:
  • Risk
  • Business relevance
  • Types, categories and tags
• User-Created Filters
• OpenAppID

Page 57:

Custom Applications

Page 58:

Integration

Page 59:

pxGrid, ISE and DNA SD-Access

Page 60:

Software-Defined Segmentation

Easily classify endpoint devices and use group-based policies in NGFWs and the network

[Figure: endpoints classified into security groups: SGT_Guest (Guest 1 to Guest 4), SGT_Employee (Employee 1 to Employee 4), SGT_FinanceServer (Fin 1, Fin 2), SGT_Printers (Printer 1, Printer 2), SGT_BuildingManagement (Temperature Device 1 and 2 reading 50°, Surveillance Device 1 and 2)]

Page 61:

DNA Center SD-Access with SGT tagging

[Figure: Cisco DNA Center pushes fabric policies to Cisco ISE over an API, and ISE downloads the policy to the fabric nodes. The policy matrix has Employees and Contractors as source groups and Production and Development as destination groups, with a DENY entry shown between groups]

Page 62:

Policy Matrix (SGACL) in ISE

Enforcement for destination Servers (SGT: 10):

permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
permit tcp dst eq 3804 log
permit tcp dst eq 8443 log
permit tcp dst eq 8191 log
permit tcp dst eq 5222 log
permit tcp dst eq 37200 log
permit tcp dst eq 443 log
permit tcp dst eq 2748 log
permit tcp dst eq 5060 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log
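Reading that cell of the matrix, as an added Python example (not ISE or switch code): the SGACL lines from the slide are parsed into access control entries and evaluated first-match-wins against constructed flows. The source group names, the second matrix cell and the permit default for an empty cell are assumptions made for the example, not taken from the slide.

```python
"""Added example: parsing and evaluating SGACL entries from an ISE policy
matrix cell. Group names, the extra cell and the default are assumptions."""
import re
from typing import List, NamedTuple, Tuple


class Ace(NamedTuple):
    action: str      # permit | deny
    proto: str       # ip | tcp | udp
    lo: int          # destination port range (0-65535 when there is no port clause)
    hi: int
    log: bool


ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp)"
    r"(?:\s+dst\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+)))?"
    r"(\s+log)?$")


def parse_sgacl(text: str) -> List[Ace]:
    """Parse the 'permit/deny <proto> [dst eq N | dst range A B] [log]' lines."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        action, proto, eq, lo, hi, log = m.groups()
        if eq is not None:
            lo = hi = int(eq)
        elif lo is not None:
            lo, hi = int(lo), int(hi)
        else:
            lo, hi = 0, 65535
        aces.append(Ace(action, proto, lo, hi, log is not None))
    return aces


# The cell shown on the slide: destination Servers (SGT 10).
SERVERS_SGACL = """
permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
permit tcp dst eq 3804 log
permit tcp dst eq 8443 log
permit tcp dst eq 8191 log
permit tcp dst eq 5222 log
permit tcp dst eq 37200 log
permit tcp dst eq 443 log
permit tcp dst eq 2748 log
permit tcp dst eq 5060 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log
"""

# Matrix keyed by (source group, destination group); group names are assumed.
MATRIX = {
    ("Employees", "Servers"): parse_sgacl(SERVERS_SGACL),
    ("Contractors", "Servers"): parse_sgacl("deny ip log"),
}
DEFAULT = ("permit", False)   # assumed matrix default for cells without an SGACL


def evaluate(aces: List[Ace], proto: str, dst_port: int) -> Tuple[str, bool]:
    """First matching ACE wins; returns (action, logged)."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not ace.lo <= dst_port <= ace.hi:
            continue
        return ace.action, ace.log
    return DEFAULT


def decide(src_sgt: str, dst_sgt: str, proto: str, dst_port: int) -> Tuple[str, bool]:
    return evaluate(MATRIX.get((src_sgt, dst_sgt), []), proto, dst_port)
```

Two things worth checking against a real matrix: the trailing "deny ip log" is what makes the cell a whitelist, since without it the assumed permit default would let everything not listed through, and the "log" keyword on every permit is what gives the NGFW and the SIEM visibility into allowed flows rather than only denials.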

Page 63:

Give the Right People on the Right Devices the Right Access to the Right Resources with Cisco SGT

• Define security groups and access policies based on business roles
• Enforce business role policies for all network services and decisions
• Implement granular control on traffic, users, and assets

[Figure: Who / What / Where examples: Guest on an iPad in the Office; Student on an iPad on Campus; Employee on a Laptop in the Office; resources: Internet, Internal Student Intranet, Confidential Student Records]

Page 64:

Cisco Digital Network Architecture (DNA): SDA Fabric Roles & Terminology

• DNA Center (DNAC) and APIC-EM
• Identity Services (ISE)
• Control-Plane Nodes (C)
• Fabric Border Nodes (B)
• Fabric Edge Nodes
• Fabric Wireless Controller
• Fusion FW, between the Campus SDA Fabric and the DC / Internet
• Virtual networks (VN)

Page 65:

Firepower policies based on ISE attributes

FMC-Firepower ‘Access Control Policies’ based on ISE Attributes (SGT, Device-type and Endpoint Location), exchanged over pxGrid, enable Threat Containment.

Page 66:

AMP for Endpoints event to FMC

Page 67:

AMP for Endpoints

Point-in-Time Detection, Plan A (all prevention < 100%): File Reputation & Sandboxing, Dynamic Analysis, Machine Learning, Fuzzy Fingerprinting, Advanced Analytics, One-to-One Signature, Indications of Compromise, Device Flow Correlation, Exploit Prevention, Heuristic Engine

Retrospective Security, Plan B: Continuous Analysis & Retrospective Security, unique to AMP

Page 68:

AMP for Endpoints breach research

• Is there a breach and what happened?
• Where did the malware come from and where has it been?

Page 69:

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public · BRKSEC-2890

AMP Unity: Enhanced Operational Visibility and Control

Systems Security Team (AMP for Endpoints)
• Consolidation of connector events in AMP Console
• Visibility into the threat vector
• A4E Policy Management

Network Security Team (Firepower (FMC), Cisco ESA & WSA)
• Visibility into AMP Events at the Endpoint

Event sync between FMC and the AMP Console

Page 70:

AMP Event sharing between Endpoints and Network

Page 71:

Page 72:

AMP Unity

AMP for Endpoints
• Manages for Endpoints: Endpoint Policies, Black & White Lists, Exclusions
• Provides for Endpoints: Device Trajectories, File Trajectories, Retrospection

Firepower (FMC)
• Manages for Network: Network Policies, Black & White Lists
• Provides for Network: File Trajectories, Retrospection

Cisco ESA & WSA
• Manages for Content: Content Policies, Black & White Lists
• Provides for Content: File Trajectories, Retrospection

Page 73:


Integrating Connectors into AMP Cloud: Firepower via FMC


• Register the Firepower Management Center (FMC) with the AMP Cloud (A4E portal)

• Firepower will then show data for all of its sensors

• The AMP for Endpoints ID identifies the device in the AMP Console ...

Page 74:


AMP Unity – Full Visibility into the Threat Vector


First, it traversed the Firepower NGFW

Then it was observed on the Email Security Solution

And finally stored on the Endpoint

Page 75:

Vulnerability information to FMC

Page 76:


Host Profiles

• Automatically built from Network Discovery

• Container for context about the devices on your network

• User customizable

• Provide better data and context through the Host Input API

Slide from BRKSEC-3328

Page 77:


Host Input API

• Uses either the FMC command line or a Host Input Client

• Allows 3rd-party vulnerability data to be mapped for Impact Correlation & Firepower Recommendations

• Import additional data, such as OS information or custom attributes

Screenshot: nmimport.pl, a Host Input Client
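What a Host Input Client has to do before anything reaches the FMC: take a scanner's output, keep only hosts that are actually up and addressable, pick the fingerprint worth trusting, and render the result in the import format. The script below is an added example and is not Cisco's nmimport.pl. The nmap XML is constructed, MIN_OS_ACCURACY is this example's own threshold (a weak OS guess should not overwrite what FMC's passive discovery already knows), and the SetSource / AddHost / SetOS / AddService command names are illustrative: check the exact import-file syntax in the FMC Host Input API guide before feeding the output to a real FMC.

```python
"""Convert nmap XML into host records for an FMC Host Input import.

Added example, not the nmimport.pl client shipped by Cisco. The command
names emitted by to_host_input() are illustrative placeholders; verify them
against the FMC Host Input API guide for the FMC version in use.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: do not overwrite FMC's own fingerprint with a low-confidence guess.
MIN_OS_ACCURACY = 90

# Constructed `nmap -oX` output, not a real scan result.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.80">
  <host>
    <status state="up"/>
    <address addr="10.10.5.20" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os>
      <osmatch name="Linux 3.10 - 4.11" accuracy="95"><osclass vendor="Linux" osfamily="Linux" osgen="3.X"/></osmatch>
      <osmatch name="Linux 2.6.32" accuracy="80"/>
    </os>
  </host>
  <host><status state="down"/><address addr="10.10.5.21" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="not-an-ip" addrtype="ipv4"/></host>
</nmaprun>
"""


def best_os(host_el):
    """Return the highest-accuracy osmatch as a dict, or None if nmap had no guess."""
    best, best_acc = None, -1
    for m in host_el.findall("os/osmatch"):
        acc = int(m.get("accuracy", "0"))
        if acc > best_acc:
            best, best_acc = m, acc
    if best is None:
        return None
    cls = best.find("osclass")
    return {
        "name": best.get("name"),
        "vendor": cls.get("vendor", "") if cls is not None else "",
        "accuracy": best_acc,
    }


def parse_nmap(xml_text):
    """One record per host that is up, has a valid IPv4 address, and its open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry nothing worth importing
        ip = None
        for addr in h.findall("address"):
            if addr.get("addrtype") == "ipv4":
                try:
                    ip = str(ipaddress.IPv4Address(addr.get("addr")))
                except ValueError:
                    ip = None  # malformed address: skip rather than poison the host map
        if ip is None:
            continue
        services = []
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue  # closed/filtered ports are not services
            svc = p.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                             "name": get("name"), "product": get("product"),
                             "version": get("version")})
        hosts.append({"ip": ip, "os": best_os(h), "services": services})
    return hosts


def to_host_input(hosts, source="nmap-import"):
    """Render records as import commands (illustrative syntax, see module docstring)."""
    lines = [f"SetSource,{source}"]
    for h in hosts:
        lines.append(f"AddHost,{h['ip']}")
        os_info = h["os"]
        if os_info and os_info["accuracy"] >= MIN_OS_ACCURACY:
            lines.append(f"SetOS,{h['ip']},{os_info['vendor']},{os_info['name']}")
        for s in h["services"]:
            lines.append(f"AddService,{h['ip']},{s['port']},{s['proto']},"
                         f"{s['name']},{s['product']},{s['version']}")
    return lines


if __name__ == "__main__":
    for line in to_host_input(parse_nmap(SAMPLE_NMAP_XML)):
        print(line)
```

Of the three hosts in the sample only 10.10.5.20 survives: the second is down and the third has an unparseable address. Its 95%-accuracy fingerprint clears the threshold and is emitted; the 80% alternative never is.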

Page 78:


Vulnerable Software in AMP for Endpoints


Diagram: FMC and the AMP Cloud

Page 79:

Slide from BRKSEC-2058

Import vulnerability data from AMP for Endpoints

Page 80:

Rapid Threat Containment: ISE pxGrid and FMC

Page 81:


Rapid Threat Containment with Firepower Management Center and ISE

Diagram: NGFW between the Internet (i-Net / WWW) and the campus network; ISE MnT node and controller; FMC.

1. Security events / IOCs reported to FMC

2. Correlation rules trigger a remediation action

3. pxGrid EPS action: Quarantine + Re-Auth

Page 82:


Rapid Threat Containment with Firepower Management Center and ISE (continued)

4. Endpoint assigned Quarantine; CoA-Reauth sent

Slide from BRKSEC-3557

Page 83:

RTC with AMP, FMC and ISE

Diagram: same topology (NGFW, ISE MnT node and controller, FMC), with AMP as the event source.

1. Threat / IOCs reported

2. Correlation rules trigger a remediation action

3. pxGrid EPS action: Quarantine + Re-Auth

Page 84:

RTC with AMP, FMC and ISE (continued)

4. Endpoint assigned Quarantine; CoA-Reauth sent

Page 85:

FMC Correlation Rule (Threat Containment): trigger on Malware Events

• Network

• Endpoint

• Retrospection

Page 86:

FMC Correlation Rule (Threat Containment): Endpoint Malware, a general event from the AMP for Endpoints Cloud

Page 87:

FMC Correlation Rule (Threat Containment): Endpoint Malware, specific events from the AMP for Endpoints Cloud

Page 88:

The Remediation (Threat Containment): a Quarantine remediation that triggers EPS quarantine via ISE pxGrid
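The chain the RTC slides draw (malware event, correlation rule, remediation, ISE quarantine) as a runnable sketch, with the two checks a practitioner adds before letting a rule knock hosts off the network: only act on endpoints ISE actually controls, and do not re-fire for the same host while the first quarantine is still fresh (every action costs a CoA). This is an added example, not FMC's correlation engine or Cisco's ISE remediation module. The events are constructed; MANAGED_NETS and SUPPRESS_WINDOW are this example's own assumptions; and the request built by anc_apply_request() targets ISE's ANC API (ANC is ISE's successor to the pxGrid EPS call the slides show), whose path and JSON shape are an assumption to verify against your ISE version before anything is sent.

```python
"""Correlation rule -> quarantine remediation, as the RTC slides describe.

Added example, not FMC or Cisco code. Events are constructed. The ANC request
shape (PUT /ers/config/ancendpoint/apply) is an assumption about ISE's ERS
API; confirm it against the ISE release in use.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed malware events in the spirit of FMC's Malware Events table.
EVENTS = [
    {"time": "2019-06-01T10:00:00", "source": "endpoint", "disposition": "Malware",
     "sha256": "a" * 64, "host_ip": "10.10.5.20", "mac": "00:11:22:33:44:55"},
    {"time": "2019-06-01T10:00:30", "source": "network", "disposition": "Malware",
     "sha256": "a" * 64, "host_ip": "10.10.5.20", "mac": "00:11:22:33:44:55"},
    {"time": "2019-06-01T10:01:00", "source": "network", "disposition": "Clean",
     "sha256": "b" * 64, "host_ip": "10.10.5.30", "mac": "00:11:22:33:44:66"},
    {"time": "2019-06-01T10:02:00", "source": "retrospective", "disposition": "Malware",
     "sha256": "c" * 64, "host_ip": "203.0.113.9", "mac": ""},
]

# Assumption: the address space ISE enforces on. Quarantining anything else is a no-op
# at best and a misleading "contained" status at worst.
MANAGED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: one CoA per host per window, so a burst of events is not a CoA storm.
SUPPRESS_WINDOW = timedelta(minutes=10)


def rule_matches(ev):
    """The slide's rule: a Malware disposition from network, endpoint or retrospection."""
    return (ev["source"] in ("network", "endpoint", "retrospective")
            and ev["disposition"] == "Malware")


def in_managed_scope(ev):
    """ANC keys on MAC, so an event without one cannot be remediated this way."""
    if not ev["mac"]:
        return False
    ip = ipaddress.ip_address(ev["host_ip"])
    return any(ip in net for net in MANAGED_NETS)


def anc_apply_request(mac, policy="Quarantine"):
    """Build the ISE ANC 'apply policy' call (shape is an assumption, see docstring)."""
    return {
        "method": "PUT",
        "path": "/ers/config/ancendpoint/apply",
        "body": {"OperationAdditionalData": {"additionalData": [
            {"name": "macAddress", "value": mac},
            {"name": "policyName", "value": policy},
        ]}},
    }


def run_correlation(events):
    """Return (remediation requests to send, (host, reason) pairs that were skipped)."""
    last_action = {}
    remediations, skipped = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not rule_matches(ev):
            continue
        if not in_managed_scope(ev):
            skipped.append((ev["host_ip"], "outside ISE scope or no MAC"))
            continue
        now = datetime.fromisoformat(ev["time"])
        prev = last_action.get(ev["mac"])
        if prev is not None and now - prev < SUPPRESS_WINDOW:
            skipped.append((ev["host_ip"], "already quarantined in window"))
            continue
        last_action[ev["mac"]] = now
        remediations.append(anc_apply_request(ev["mac"]))
    return remediations, skipped


if __name__ == "__main__":
    reqs, skips = run_correlation(EVENTS)
    for r in reqs:
        print(r["method"], r["path"], r["body"])
    for host, why in skips:
        print("skipped", host, "->", why)
```

Run on the sample, the endpoint event quarantines 10.10.5.20; the network event for the same file thirty seconds later is suppressed rather than sending a second CoA; the Clean event never matches; and the retrospective hit on 203.0.113.9 is reported but not actioned, because it is outside ISE's scope and carries no MAC.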

Page 89:

Threat Intelligence Director

Page 90:

Cisco Threat Intelligence Director (CTID)

• Uses customer CTI to identify threats using sophisticated correlation across Firepower NGFW/AMP

• Automatically blocks supported indicators on Cisco NGFW using added context from intelligence sources

• Provides a single integration point for all STIX and CSV intelligence sources

Targeted at:

• Security buyers with Cisco Firepower/AMP

• Financial institutions / FS-ISAC members who are mandated to ingest and share CTI in STIX and TAXII

• Enterprises with mature security programs that have made the investment into intelligence sources

Page 91:

Target Customer Using CTID Third Parties

Intelligence vendors:

• AlienVault

• Crowdstrike

• FireEye/iSIGHT Partners

• Flashpoint

• Symantec DeepSight

Threat Intelligence Platform (TIP) vendors:

• Anomali

• EclecticIQ

• Lookingglass

• ThreatConnect

• ThreatQuotient

Note: These are the tested third parties. The architecture supports any third party that provides indicators in STIX or flat file format.

Page 92:

Cisco Threat Intelligence Director (CTID)

Step 1. Ingest third-party Cyber Threat Intelligence indicators (Threat Intelligence Director on FMC)

Step 2. Publish observables to sensors (NGFW / NGIPS), each with a Block or Monitor action

Step 3. Detect and alert to create incidents
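The three CTID steps in miniature, over flat-file feeds of the kind the previous slide says any third party can supply: ingest and normalize the indicators (rejecting lines that are not valid observables rather than publishing garbage to every sensor), match sensor events against them, and raise an incident carrying the Block or Monitor action of the source that supplied the hit. This is an added example, not Cisco's Threat Intelligence Director code. The feeds and events are constructed; the feed and event field names, the incident shape, and the rule that Block outranks Monitor when two sources publish the same observable are this example's own choices.

```python
"""Flat-file indicator ingest -> observable matching -> incidents.

Added example, not Cisco CTID code. Feeds and events are constructed; the
field names, incident format and Block-over-Monitor precedence are this
example's own assumptions.
"""
import csv
import io
import ipaddress
from collections import namedtuple

Indicator = namedtuple("Indicator", "type value source action")

# Constructed flat-file feeds: one observable type per file, each source with its own action.
FEEDS = {
    "fsisac-ips.csv":     ("ip",     "block",   "198.51.100.7\n203.0.113.0/24\nnot an ip\n"),
    "partner-ips.csv":    ("ip",     "monitor", "198.51.100.7\n"),
    "vendor-domains.csv": ("domain", "monitor", "Evil.Example\nupdates.example.org\n"),
    "vendor-hashes.csv":  ("sha256", "block",   "AB" * 32 + "\n" + "zz" * 32 + "\n"),
}

# Constructed sensor events, one per kind of observable CTID would compare.
EVENTS = [
    {"kind": "connection", "dst_ip": "203.0.113.45"},  # inside a blocked /24
    {"kind": "connection", "dst_ip": "198.51.100.7"},  # in a block feed and a monitor feed
    {"kind": "dns", "domain": "EVIL.example."},         # case and trailing-dot differ from feed
    {"kind": "file", "sha256": "ab" * 32},              # feed lists it upper-case
    {"kind": "connection", "dst_ip": "192.0.2.1"},      # no indicator
]


def normalize(itype, raw):
    """Canonical form of one indicator, or None if the line is not a valid observable."""
    try:
        if itype == "ip":
            return ipaddress.ip_network(raw, strict=False)  # single IPs become /32
        if itype == "domain":
            d = raw.lower().rstrip(".")
            return d if d and " " not in d else None
        if itype == "sha256":
            h = raw.lower()
            return h if len(h) == 64 and all(c in "0123456789abcdef" for c in h) else None
    except ValueError:
        return None
    return None


def ingest(feeds):
    """Step 1: parse every feed into Indicators; return (indicators, rejected lines)."""
    indicators, rejected = [], []
    for name, (itype, action, text) in feeds.items():
        for row in csv.reader(io.StringIO(text)):
            if not row or not row[0].strip():
                continue
            raw = row[0].strip()
            norm = normalize(itype, raw)
            if norm is None:
                rejected.append((name, raw))  # never publish an unparseable observable
            else:
                indicators.append(Indicator(itype, norm, name, action))
    return indicators, rejected


def observable(ev):
    """Step 2 (sensor side): the (type, value) a sensor event is compared on."""
    if ev["kind"] == "connection":
        return "ip", ipaddress.ip_address(ev["dst_ip"])
    if ev["kind"] == "dns":
        return "domain", ev["domain"].lower().rstrip(".")
    if ev["kind"] == "file":
        return "sha256", ev["sha256"].lower()
    return None, None


def detect(indicators, events):
    """Step 3: one incident per matching event; Block outranks Monitor across sources."""
    incidents = []
    for ev in events:
        otype, oval = observable(ev)
        hits = []
        for ind in indicators:
            if ind.type != otype:
                continue
            matched = (oval in ind.value) if otype == "ip" else (oval == ind.value)
            if matched:
                hits.append(ind)
        if hits:
            action = "block" if any(h.action == "block" for h in hits) else "monitor"
            incidents.append({"type": otype, "value": str(oval), "action": action,
                              "sources": sorted({h.source for h in hits})})
    return incidents


if __name__ == "__main__":
    inds, rej = ingest(FEEDS)
    print("rejected:", rej)
    for inc in detect(inds, EVENTS):
        print(inc)
```

Two feed lines are rejected at ingest ("not an ip" and the non-hex hash), so they never reach a sensor. Of the five events, four raise incidents: the /24 match and the hash are blocked; 198.51.100.7 is blocked because one of its two sources says so; evil.example is only monitored; 192.0.2.1 matches nothing.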

Page 93:

Cisco Threat Response

Page 94:

Threat Hunting with CTR

Sources queried: AMP, Threat Grid, Umbrella, SMA, Talos, VirusTotal, StealthWatch, NGFW (Eventing Service, FMC)

Threat Intelligence: what do you know about these observables (IP, hash, URL, etc.)? Answered from Talos or other intel sources.

Threat Response automatically queries Cisco Security and 3rd-party products via APIs to enrich the investigation.

Threat Investigation:

• Have we seen these observables?

• Which endpoints interacted with the threat?