
Cisco Firewall Basics

Mark Cairns, Consulting Systems Engineer


BRKSEC-1020
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be available until July 3, 2017.
cs.co/clus17/#BRKSEC-1020

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Mark Cairns
Consulting Systems Engineer, GSSO, supporting US Commercial
• Based in Richmond, VA, covering accounts in Virginia and Washington DC
• 19 years experience with Cisco Security Solutions
• You can reach me at marcairn@cisco.com and @12LISN2

Session Information
Cisco Firewall Basics
• This is an introductory 1000-level session
• It is not meant for professionals with deep knowledge of firewalls and Cisco ASA
• This session is not for you if you want to deep dive into configurations for specific features / functionality
• References may be made to advanced functionality for context, but we will stay at a fairly high level

Follow up Sessions
Deeper dives on specific content
Session ID | Session Description | Time
BRKSEC-2058 | A Deep Dive into using the Firepower Manager | Wed 4:00-5:30
BRKSEC-3007 | Advanced Cisco IOS Security | Tuesday 1:30-3:30
BRKSEC-3300 | Advanced IPS Deployment | Thursday 8:30-10:00
BRKSEC-3690 | Advanced Security Group Tags | Monday 1:30-3:30
BRKSEC-2050 | ASA Firepower NGFW typical deployment scenarios | Monday 1:30-3:30, Tuesday 1:30-3:30
BRKSEC-2033 | Best Security and deployment strategies SMB NGFW | Tuesday 8:00-10:00
BRKSEC-2342 | Branch Router Security | Thursday 10:30-12:00
BRKSEC-2055 | Cloud-Managed Security for Distributed Networks with Cisco Meraki MX | Wednesday 4-5:30
BRKSEC-2203 | Deploying TrustSec Security Group Tagging | Tuesday 4:00-5:30
BRKSEC-3455 | Dissecting Firepower NGFW "Installation & Troubleshooting" | Tuesday 1:30-3:30
BRKSEC-3035 | Firepower Platform Deep Dive | Wednesday 1:30-3:30
LTRSEC-1000 | Firepower Threat Defense Deployment Hands-on Lab | Wed 8:00-12:00, Thursday 8:00-12:00
BRKSEC-3032 | NGFW Clustering Deep Dive | Tuesday 8:00-10:00
BRKSEC-2020 | NGFW Deployment in the Data Center and Network Edge Using Firepower Threat Defense | Tuesday 8:00-10:00, Wed 1:30-3:30
BRKSEC-2064 | NGFW and ASAv in Public Cloud (AWS and Azure) | Thursday 1:00-2:30
Agenda
• Introduction
• Firewalls in General
• Use Cases - Why
• Firewall Options - What
• Introduction to Firepower
• Advanced Use Case Examples
• Q&A – Feel free to ask questions
Firewalls in General
Securing/Hardening for What Purpose or Need?

Subversion
• Bots, Viruses, and Worms
• Spyware and Adware
• Penetration Attempt
• Zero-day Attacks
• Hacker Attacks

Disruption
• Denial of service attacks
• Advanced Persistent Threats (APTs)

Data Loss
• Data theft and/or interception
• Identity theft

Firewalls
What are they?

• Primary filtering appliances/VMs that work at both the network and application layers
• Provide a platform for the features/functionality needed for network security:
  • VPNs (remote-access and site-to-site)
  • NGIPS
  • Anti-Malware Protection
• Next-generation security should not abandon proven stateful inspection capabilities in favor of application and user ID awareness by itself
• A comprehensive network security solution needs to include firewalls, next-generation firewalls (application inspection and filtering) and next-generation intrusion prevention systems (context aware)
• The firewall is often the conduit from which other defense components combat the threats that face the network

Filtering on a Tuple?

• The genesis of firewalls was initially a means to filter traffic based on the five tuple:
  • Source IP address – the IP address of the initiator of the IP packet
  • Destination IP Address – the IP address of the destination of the IP packet
  • Source Port – UDP or TCP port used by the initiator to establish communications with the destination
  • Destination Port – UDP or TCP port used by the destination to establish communications with the source
  • IP Protocol – the specific IP protocol used in the communication

Filtering – IP Protocols

• ICMP (1)
• TCP (6)
• UDP (17)
• GRE (47)
• ESP (50)
• AH (51)
• EIGRP (88)
• OSPF (89)
Full registry: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Stateful Inspection

• Most routers and switches can filter based on the five tuple… why a firewall then?
• Stateful firewalls track L3/L4 traffic as it leaves and returns to the network
• Connections are maintained in the connection table, tracking the five tuple and additional information such as sequence numbers

Outbound packet: Src IP 1.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80
Return packet: Src IP 2.2.2.2, Dest IP 1.1.1.1, Src Port TCP/80, Dest Port TCP/35478

Connection table entry:
TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), flags UIO, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002

*Best Practice – Limit outbound connections to known services and hosts, such as SMTP servers only for port 25.
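The five-tuple and stateful-inspection slides can be tried out in code. The example below is added here and is not from the deck or from any Cisco product: it applies a stateless five-tuple ACL to outbound packets, records each permitted connection, admits return packets only when their reversed five tuple is in the table, and parses the ASA-style connection line shown on the slide. The rules, the assumption that 1.1.1.1 is the mail relay, and every other value are constructed.

```python
"""Added example: five-tuple ACL plus stateful connection tracking (not from the deck).
It models the slide's flow, inside 1.1.1.1:35478 -> outside 2.2.2.2:80, and parses
the ASA-style connection-table line shown on the slide. The ACL rules, the mail
relay address and all other values here are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP", "UDP" or "ICMP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Packet":
        """Five tuple that a reply to this packet carries."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str                  # permitted source prefix (CIDR)
    dst: str                  # permitted destination prefix (CIDR)
    dst_port: Optional[int]   # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == p.dst_port))


# Outbound policy following the slide's best practice: every inside host may reach
# web servers, but only the (assumed) mail relay 1.1.1.1 may open SMTP sessions.
OUTBOUND_ACL = [
    Rule("TCP", "1.1.1.0/24", "0.0.0.0/0", 80),
    Rule("TCP", "1.1.1.1/32", "0.0.0.0/0", 25),
]


class StatefulFirewall:
    """ACL on the way out; replies get in only if a tracked connection exists."""

    def __init__(self, outbound_acl):
        self.outbound_acl = outbound_acl
        self.conn_table = {}              # forward five tuple -> ASA-style flags

    def outbound(self, p: Packet) -> str:
        if any(r.matches(p) for r in self.outbound_acl):
            self.conn_table.setdefault(p, "U")       # U: connection is up
            return "permit"
        return "deny"                     # implicit deny at the end of the ACL

    def inbound(self, p: Packet) -> str:
        fwd = p.reverse()
        if fwd in self.conn_table:        # reply to a connection we saw leave
            self.conn_table[fwd] = "UIO"  # I/O: data seen inbound and outbound
            return "permit"
        return "deny"                     # unsolicited: no state, so no entry


CONN_LINE = re.compile(
    r"^(?P<proto>\w+) (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([\d./]+\) "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) \([\d./]+\), "
    r"flags (?P<flags>[^,\s]+), idle (?P<idle>[^,\s]+), uptime (?P<uptime>[^,\s]+), "
    r"timeout (?P<timeout>[^,\s]+), bytes (?P<bytes>\d+)$")


def parse_conn_line(line: str) -> dict:
    """Split one ASA 'show conn' style line into its endpoints and counters."""
    m = CONN_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised connection line: {line!r}")
    d = m.groupdict()
    return {"proto": d["proto"],
            d["if_a"]: (d["ip_a"], int(d["port_a"])),   # e.g. "outside"
            d["if_b"]: (d["ip_b"], int(d["port_b"])),   # e.g. "inside"
            "flags": d["flags"], "idle": d["idle"], "uptime": d["uptime"],
            "timeout": d["timeout"], "bytes": int(d["bytes"])}


def demo() -> dict:
    fw = StatefulFirewall(OUTBOUND_ACL)
    web = Packet("TCP", "1.1.1.1", 35478, "2.2.2.2", 80)          # the slide's flow
    return {
        "web_out": fw.outbound(web),
        "web_reply": fw.inbound(web.reverse()),                   # 2.2.2.2:80 -> 1.1.1.1:35478
        "unsolicited": fw.inbound(Packet("TCP", "2.2.2.2", 80, "1.1.1.1", 40000)),
        "smtp_from_relay": fw.outbound(Packet("TCP", "1.1.1.1", 50000, "2.2.2.2", 25)),
        "smtp_from_other": fw.outbound(Packet("TCP", "1.1.1.9", 50000, "2.2.2.2", 25)),
        "flags": fw.conn_table[web],
    }
```

Run `demo()` to see the slide's point: the reply from 2.2.2.2:80 is admitted only because the outbound packet created a table entry, while an inbound packet to a port that never left (40000) is dropped even though nothing in a stateless ACL distinguishes the two. `parse_conn_line` turns the slide's table line into a dictionary keyed by interface name.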

Network Address Translation

• Network address translation (NAT) is the mapping of IP addresses from a private network to a public network
• NAT gives network administrators and security administrators:
  • Access to non-publicly routable IPv4 space
  • Cost savings, because addresses are not cheap
  • Masquerading of internal network addresses
• IPv4 address space is exhausted

Packet before NAT (inside): Src IP 10.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80
Packet after NAT (outside): Src IP 3.3.3.3, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80
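The masquerading the slide describes is easiest to see as a translation table. This example is added here and is not from the deck or from any Cisco product: it implements port address translation (PAT), the many-to-one form of NAT, with inside hosts in 10.1.1.0/24 sharing the single outside address 3.3.3.3. The port-selection rule (keep the original source port when free, otherwise the lowest free port) is an assumption of the example, not a statement about how the ASA allocates ports; all addresses and flows are constructed.

```python
"""Added example: a port address translation (PAT) table for the NAT slide (not from
the deck). Inside hosts in 10.1.1.0/24 are masqueraded behind the single public
address 3.3.3.3; every address, port and flow below is a constructed sample."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Pat:
    """Many private inside addresses share one outside address, told apart by port."""

    def __init__(self, outside_ip: str, port_range=(1024, 65535)):
        self.outside_ip = outside_ip
        self.low, self.high = port_range
        self.forward = {}     # (proto, inside ip, inside port) -> outside port
        self.reverse = {}     # (proto, outside port) -> (inside ip, inside port)

    def _allocate_port(self, proto: str, preferred: int) -> int:
        # Assumed rule: keep the original source port when it is free (the slide's
        # example keeps 35478); otherwise take the lowest free port in the pool.
        if self.low <= preferred <= self.high and (proto, preferred) not in self.reverse:
            return preferred
        for port in range(self.low, self.high + 1):
            if (proto, port) not in self.reverse:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, f: Flow) -> Flow:
        """Rewrite the source of an inside->outside flow, creating a mapping on first use."""
        key = (f.proto, f.src_ip, f.src_port)
        if key not in self.forward:
            port = self._allocate_port(f.proto, f.src_port)
            self.forward[key] = port
            self.reverse[(f.proto, port)] = (f.src_ip, f.src_port)
        return Flow(f.proto, self.outside_ip, self.forward[key], f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Rewrite the destination of a reply; None means no mapping, so the packet is dropped."""
        mapping = self.reverse.get((f.proto, f.dst_port))
        if f.dst_ip != self.outside_ip or mapping is None:
            return None
        inside_ip, inside_port = mapping
        return Flow(f.proto, f.src_ip, f.src_port, inside_ip, inside_port)


def demo() -> dict:
    pat = Pat("3.3.3.3")
    a = pat.translate_outbound(Flow("TCP", "10.1.1.1", 35478, "2.2.2.2", 80))   # slide's packet
    b = pat.translate_outbound(Flow("TCP", "10.1.1.2", 35478, "2.2.2.2", 80))   # same source port
    return {
        "a": a,                                                                 # 3.3.3.3:35478
        "b": b,                                                                 # 3.3.3.3:1024
        "reply_a": pat.translate_inbound(Flow("TCP", "2.2.2.2", 80, "3.3.3.3", a.src_port)),
        "reply_b": pat.translate_inbound(Flow("TCP", "2.2.2.2", 80, "3.3.3.3", b.src_port)),
        "stray": pat.translate_inbound(Flow("TCP", "2.2.2.2", 80, "3.3.3.3", 40000)),  # no mapping
        "table_size": len(pat.forward),
    }
```

The second host collides on source port 35478 and is given a different outside port, which is what lets the replies be routed back to the right inside host; an inbound packet to a port with no mapping has nowhere to go and is dropped, which is the masquerading benefit the slide lists.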

Use Cases
Use Case #1
• Hospitality, Retail or other similar distributed deployment
• Remote sites 100+
• Direct Internet Access (DIA) at remote sites
• Company has a “Cloud First” mandate
• 4 Network / Security Engineers (“jack of all trades, master of none”)
• Basic security needs for URL filtering, DNS security, IPS
• Need VPN connectivity to HQ

Cloud Networking Group

Meraki MX Options
Reference

Model | Segment | Users | Notable feature | FW throughput
MX64(W) | Small branch | ~50 users | 802.11ac wireless | 250 Mbps
MX65(W) | Small branch | ~50 users | 802.11ac wireless & PoE+ | 250 Mbps
MX84 | Mid-sized branch | ~200 users | Dedicated WAN uplinks | 500 Mbps
MX100 | Mid-sized branch | ~500 users | Gigabit uplinks | 750 Mbps
MX400 | Large branch or campus | ~2,000 users | Modular interface | 1 Gbps
MX600 | Large branch or campus | ~10,000 users | Modular interface | 1 Gbps
Z1 | Teleworker | 1-5 users | Dual-radio wireless | 50 Mbps

All devices support 3G/4G

Meraki MX Security

• Next Generation Firewall – Application aware firewalling
• Intrusion Prevention (IPS) – Based on Cisco Snort
• URL Content Filtering – With over 80 categories and over 4 billion categorized URLs
• Geo-based security – Allow or block traffic by country
• Malware Protection – Cisco AMP and Threat Grid
• Software and security updates – Automatic updates delivered from the cloud
• PCI compliance – PCI 3.2 certified cloud management backend

Meraki MX Basics

Meraki MX Basics continued

Meraki MX Basics continued

Meraki Threat and Filtering

Meraki Threat and Filtering continued

Cisco Umbrella

Use Case #2
• Regional Services Company
• 8 sites on MPLS with ISR routers deployed
• Broadband Internet being added for DMVPN backup/redundancy (IWAN)
• Simple filter to protect the new Internet link
• HQ has a proxy for Internet

Securing the WAN
• Typical MPLS WAN
• Does not ensure privacy
• Best Practice – Consider encryption across the existing WAN

Internet based WAN
• Lower cost alternative to MPLS
• Dictates VPN for routing and privacy
• Balance complexity with features and functionality
• Typically no need for inbound access directly from the Internet

Zone Based Firewall

Zone Based Firewall

Support for:
• ISR, ASR, CSR
• NAT
• WAAS
• VRFs
• Redundancy
• VTIs for VPNs
• Deep Packet Inspection

Diagram: three zones on one router – Trusted (G0/1.101), DMZ (G0/1.103) and Internet (G0/0). Trusted → Internet: TCP/UDP/ICMP inspected, responses OK. Internet ↔ DMZ: all traffic permitted.

Note: For a simple inside-to-outside configuration, remove all references to the DMZ interface. This DMZ configuration assumes a second security device to filter traffic or terminate VPN.

Configuring ZBF

Note: For a simple inside-to-outside configuration, remove all references to the DMZ interface. This DMZ configuration assumes a second security device to filter traffic or terminate VPN.

Create Zones:

zone security Internet
zone security Trusted
zone security DMZ

Assign interfaces to security zones:

interface LISP0
 zone-member security DMZ
!
interface GigabitEthernet0/0
 description Public Outside
 zone-member security Internet
!
interface GigabitEthernet0/1.101
 description Inside
 zone-member security Trusted
!
interface GigabitEthernet0/1.103
 description Public DMZ
 zone-member security DMZ

Configuring ZBF (continued)

Create Inspection Class:

class-map type inspect match-any All_Protocols
 description - Match all outgoing protocols
 match protocol tcp
 match protocol udp
 match protocol icmp

Create Inspection Policy:

policy-map type inspect trusted-to-internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop
policy-map type inspect DMZ
 class class-default
  pass

Create Zone Pairs and Associate Policy:

zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect trusted-to-internet
zone-pair security Internet->DMZ source Internet destination DMZ
 service-policy type inspect DMZ
zone-pair security DMZ->Internet source DMZ destination Internet
 service-policy type inspect DMZ
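The three ZBF steps above (zones, class-map and policy-map, zone-pairs) encode behaviour that is easy to misread, in particular why the DMZ needs a zone-pair in each direction while Trusted→Internet needs only one. The example below is added here and is neither the deck's nor Cisco IOS code: it parses the slide's commands (a subset of the syntax; match-any class-maps only, descriptions and the LISP0 interface left out) and evaluates sample packets against the same rules the router applies: no zone-pair means drop, `inspect` creates state so replies are admitted, and `pass` is stateless. The addresses are constructed samples.

```python
"""Added example (not from the deck or Cisco IOS): a model of the slide's zone-based
firewall configuration. It parses the ZBF commands shown above (a subset of the
syntax; match-any class-maps only) and evaluates packets, showing that only
'inspect' creates state, 'pass' does not, and inter-zone traffic without a
zone-pair is dropped. The IP addresses are constructed samples."""
import re

# The deck's configuration, trimmed to the commands this parser understands.
CONFIG = """\
zone security Internet
zone security Trusted
zone security DMZ
interface GigabitEthernet0/0
 zone-member security Internet
interface GigabitEthernet0/1.101
 zone-member security Trusted
interface GigabitEthernet0/1.103
 zone-member security DMZ
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect trusted-to-internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop
policy-map type inspect DMZ
 class class-default
  pass
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect trusted-to-internet
zone-pair security Internet->DMZ source Internet destination DMZ
 service-policy type inspect DMZ
zone-pair security DMZ->Internet source DMZ destination Internet
 service-policy type inspect DMZ
"""

def parse_zbf(text: str) -> dict:
    """Collect interface zones, class-map protocols, policy-map actions and zone-pairs."""
    cfg = {"iface_zone": {}, "class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    kind = ctx = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            kind, ctx = "if", m[1]
        elif m := re.match(r"class-map type inspect match-\w+ (\S+)$", line):
            kind, ctx = "cm", cfg["class_maps"].setdefault(m[1], [])
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            kind, ctx = "pm", cfg["policy_maps"].setdefault(m[1], [])
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            kind, ctx = "zp", (m[1], m[2])
        elif kind == "if" and (m := re.match(r"zone-member security (\S+)$", line)):
            cfg["iface_zone"][ctx] = m[1]
        elif kind == "cm" and (m := re.match(r"match protocol (\S+)$", line)):
            ctx.append(m[1])
        elif kind == "pm" and (m := re.match(r"class (?:type inspect )?(\S+)$", line)):
            ctx.append([m[1], None])             # action is filled in by the next line
        elif kind == "pm" and line in ("inspect", "pass", "drop"):
            ctx[-1][1] = line
        elif kind == "zp" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            cfg["zone_pairs"][ctx] = m[1]        # (source zone, destination zone) -> policy
    return cfg

class ZoneFirewall:
    def __init__(self, cfg: dict):
        self.cfg = cfg
        self.sessions = set()                    # (proto, src, dst) opened by 'inspect'

    def decide(self, in_if: str, out_if: str, proto: str, src: str, dst: str) -> str:
        zones = self.cfg["iface_zone"]
        src_zone, dst_zone = zones.get(in_if), zones.get(out_if)
        if src_zone is None or dst_zone is None:
            return "drop"                        # zone member <-> non-member is dropped
        if src_zone == dst_zone:
            return "permit"                      # intra-zone traffic flows by default
        if (proto, dst, src) in self.sessions:
            return "permit"                      # reply to an inspected session
        policy = self.cfg["zone_pairs"].get((src_zone, dst_zone))
        if policy is None:
            return "drop"                        # no zone-pair for this direction
        for cls, action in self.cfg["policy_maps"][policy]:
            if cls == "class-default" or proto in self.cfg["class_maps"].get(cls, []):
                if action == "inspect":
                    self.sessions.add((proto, src, dst))
                return "drop" if action == "drop" else "permit"
        return "drop"

INSIDE, DMZ, OUTSIDE = "GigabitEthernet0/1.101", "GigabitEthernet0/1.103", "GigabitEthernet0/0"

def demo() -> dict:
    fw = ZoneFirewall(parse_zbf(CONFIG))
    r = {"trusted_out": fw.decide(INSIDE, OUTSIDE, "tcp", "10.1.1.5", "198.51.100.7"),
         "trusted_reply": fw.decide(OUTSIDE, INSIDE, "tcp", "198.51.100.7", "10.1.1.5"),
         "unsolicited_in": fw.decide(OUTSIDE, INSIDE, "tcp", "198.51.100.9", "10.1.1.5"),
         "dmz_out": fw.decide(DMZ, OUTSIDE, "udp", "192.0.2.10", "198.51.100.7"),
         "dmz_reply": fw.decide(OUTSIDE, DMZ, "udp", "198.51.100.7", "192.0.2.10")}
    # 'pass' keeps no state: without the Internet->DMZ pair, DMZ replies are dropped.
    no_pair = ZoneFirewall(parse_zbf(CONFIG))
    del no_pair.cfg["zone_pairs"][("Internet", "DMZ")]
    no_pair.decide(DMZ, OUTSIDE, "udp", "192.0.2.10", "198.51.100.7")
    r["dmz_reply_without_pair"] = no_pair.decide(OUTSIDE, DMZ, "udp", "198.51.100.7", "192.0.2.10")
    return r
```

`demo()` shows the asymmetry: the Trusted→Internet session is inspected, so its reply is permitted although no Internet→Trusted zone-pair exists and an unsolicited packet in that direction is dropped; the DMZ policy uses `pass`, so the reply is only permitted because the slide configured the reverse zone-pair too.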

Use Case #2 (Variant)
• Regional Services Company
• 8 sites on MPLS with ISR routers deployed
• Broadband Internet being added for DMVPN backup and DIA
• Complete filter (no longer just a simple one) to protect the new Internet link

Firepower Virtual – VMware / KVM

Internet based WAN
• Lower cost alternative to MPLS
• Dictates VPN for routing and privacy
• Balance complexity with features and functionality
• Typically no need for inbound access directly from the Internet
• Direct Internet Access (DIA) adds security risk

Use Case #3
• Data Center upgrade
• Adding security to new design
• No L3 hop for security to reduce convergence time
• N+1 redundancy
• Multi 10 Gbps throughput

Data Center
A/S or Clustering for Performance and Scale

• Firepower 9300 with SM-24, SM-36 or SM-44
• Firepower 4110, 4120, 4140 or 4150
• Firepower 2110, 2120, 2130*, 2140*

*10 Gig Interfaces


Data Center
Reference
Specifications

*Note: 2100 models do not support clustering. Only the 2130 and 2140 support 10 Gbps interfaces and the optional network module.

Firepower 2100 Series

• FPR 2110 – 16x 1G ports
• FPR 2120 – 16x 1G ports
• FPR 2130 – 12x 1G and 12x 10G ports
• FPR 2140 – 12x 1G and 12x 10G ports

• High performance, purpose-built hardware for Cisco NGFW
• Available in 4 platforms
• Higher port density in 1 rack unit
• 10 Gbps support (2130 and 2140)

Data Center
Clustering for Performance and Scale

• Handles asymmetric traffic associated with VPC/VSS
• N+1 redundancy
• Keeps DC design intact
• Scale to 16 firewalls

Data Center
ACI Deployments

Diagram: APIC at the centre, with the labels Agility, Scale and Performance, Simplicity, Automation, Security, Open and Visibility.

Use Case #4
• Cloud expansion / Cloud First
• AWS and/or Azure
• Need to replicate security / inspection policy for cloud traffic


Cisco ASAv and Threat Defense Virtual
Cisco® ASA 9 Feature Set / Threat Defense 6

ASAv
• 10 vNIC interfaces and VLAN tagging
• Virtualization displaces multiple-context and clustering
• Parity with all other Cisco ASA platform features
• SDN (Cisco APIC) and traditional (Cisco ASDM and CSM) management tools
• Dynamic routing includes OSPF, EIGRP, and BGP
• REST API for programmed configuration and monitoring
• Cisco TrustSec® PEP with SGT-based ACLs
• Failover Active/Standby HA model

FTDv
• 4 vNIC default
• 8 GB RAM, 4 vCPU

Hypervisors and clouds: VMware, KVM, Hyper-V (ASA only), AWS, Azure (features can differ for cloud)
Cisco ASAv Platforms

• Cisco® ASAv5 – 100 Mbps
• Cisco® ASAv10 – 1 Gbps
• Cisco® ASAv30 – 2 Gbps

* Lab Edition license is built in with 100-Kbps throughput and 100 total connections allowed

Cisco ASAv Platforms

Cisco® ASAv50 – 10 Gbps

• Introduced with ASA release 9.8(1)
• Supported on KVM or ESXi
• Uses IXGBE-VF vNIC
• Does not support Transparent mode (promiscuous restriction on IXGBE-VF)
• Not supported in Amazon Web Services, Microsoft Azure or Hyper-V

ASAv and/or NGFW

• Supported in both AWS and Azure
• *Note: restrictions apply based on the cloud deployment

Meraki Virtual MX for AWS (vMX100)

• Appears in the dashboard
• 500 Mbps VPN throughput
• Bring Your Own License (BYOL)

Use Case #5
• Typical Internet Edge designs
• Outbound Internet (Web, Email, FTP, etc)
• Inbound traffic to DMZ and/or eCommerce
• VPN for Remote Access, L2L, business partners

Edge With DMZ
• Similar to a basic edge design with the addition of inbound traffic
• Traffic inbound from the DMZ to the trusted network may or may not pass the firewall.

Edge With DMZ - VPN
• Multiple path options for VPN with trusted and untrusted packets.
• VPN Concentrator may be connected outside the firewall
• Trusted traffic path usually depends on source: Employee or Vendor, B2B, etc.

*Best Practices – Remember that controlling access from a VPN to an internal resource is not a dead end! Jump box scenario. Hide your firewall with private IP space on the outside.

Tiered DMZs
• Typically seen in multi-tiered hosting for e-commerce
• Forces all traffic between tiers to pass firewall rules
• Can help mitigate risk and contain exploits and/or breaches within a DMZ

Bridge across your DMZs
• Sometimes referred to as clean and dirty DMZs
• VPN, Video, etc.
• Avoids hair-pinning

*Best Practice – Use destination NAT with a block of unused private IPs for outbound L2L VPN instead of routing individual remote IPs.

Split Firewalls
• Layer 3 hop between firewalls
• Avoids hair-pinning within a firewall
• Simplifies policy
• May still have an optional trusted connection

Quick Hardware Snapshot
Portfolio

Segments, left to right on the slide: SMB/SOHO, Branch, Internet Edge, Data Center, Service Provider

• ASA 5505, ASA 5506-X, ASA 5508-X, ASA 5516-X
• ASA 5512-X (EOS Aug 2017), ASA 5515-X (EOS Aug 2017), ASA 5525-X, ASA 5545-X, ASA 5555-X
• ASA 5585-X SSP10, SSP20, SSP40, SSP60
• FPR 2110, FPR 2120, FPR 2130, FPR 2140
• FPR 4110, FPR 4120, FPR 4140, FPR 4150
• FPR 9300 SM-24, SM-36, SM-44

Latest Additions to the 5500 Portfolio
Reference
5506-X with Firepower Services

• Max 250 Mbps AVC throughput
• Max 125 Mbps AVC and NGIPS
• 90 Mbps AVC or IPS with 440 byte HTTP
• ASDM 7.3.x or CSM and Firepower Management Center
• Available in hardened and wireless configurations

Latest Additions to the 5500 Portfolio
Reference
5508-X with FirePOWER Services

• Max 450 Mbps AVC throughput
• Max 250 Mbps AVC and NGIPS
• 180 Mbps AVC or IPS with 440 byte HTTP
• ASDM 7.3.x or CSM, Firepower Management Center, On-box, CDO

Latest Additions to the 5500 Portfolio
Reference
5516-X with FirePOWER Services

• Max 850 Mbps AVC throughput
• Max 425 Mbps AVC and NGIPS
• 300 Mbps AVC or IPS with 440 byte HTTP
• ASDM 7.3.x or CSM, Firepower Management Center, On-box, CDO

Over, Through or Around The Wall
Things Change

If you knew you were going to be compromised, would you do security differently?

The package
Tracking history

Diagram: a package travels from Sender to Receiver carrying the Chicken Pox Virus. Labels: Reputation? (tracking history), Content (deep packet inspection), Vaccine.

The Threat-Centric Firewall

Cisco ASA with FirePOWER Services: proven Cisco ASA firewalling plus industry leading NGIPS and AMP

• Integrating defense layers helps organizations get the best visibility
• Enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum

Indications of Compromise (IoCs)

IPS Events
• Malware Backdoors
• Exploit Kits
• Web App Attacks
• CnC Connections
• Admin Privilege Escalations

SI Events
• Connections to Known CnC IPs

Malware Events
• Malware Detections
• Office/PDF/Java Compromises
• Malware Executions
• Dropper Infections

Application Visibility and Control

IPS with Snort

Host Profiles
• What OS?
• What Services?
• What Applications?
• What Vulnerabilities?

Impact Assessment

Impact Flag | Administrator Action | Why
1 | Act immediately, vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate, potentially vulnerable | Relevant port open or protocol in use, but no vuln mapped
3 | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know, unknown target | Monitored network, but unknown host
0 | Good to know, unknown network | Unmonitored network
Advanced Malware Analysis

Network File Trajectory – Where Has It Been Seen?

SSL Inspection issues? - AMP for Endpoints

Firepower NGFW
Introducing Cisco Firepower NGFW

Fully Integrated
• FW / applications / IPS
• Cisco® AMP – network / endpoint
• Analysis and remediation
• Cisco security solutions
• Application-aware DDoS

Threat Focused
• Networkwide visibility
• Industry-best threat protection
• Known and unknown threats
• Track / contain / recover

Unified Management
• Across attack continuum
• Manage, control, and investigate
• Automatically prioritize
• Automatically protect

Firepower 6.x on ASA – Upgrade vs Re-Image
Choose Firepower Services or Firepower Threat Defense
Firepower Software on ASA Platforms

Starting point: Firepower Services 5.4 on ASA 9.5.x

Upgrade path: Firepower Services 6.0 on ASA 9.5.x*
Re-Image path: Firepower Threat Defense
• Firepower 9300 – ASA or TD
• Firepower 4100 – ASA or TD
• Firepower 2100 – TD only

*Firepower Services 6.x compatible ASA version required


Firepower 6.x Virtual – Upgrade vs Migrate
Choose NGIPSv + ASAv or Firepower Threat Defense

Starting point: Firepower NGIPSv 5.4 + ASAv

Upgrade path: Firepower NGIPSv 6.0 + ASAv
Migrate path: Firepower Threat Defense Virtual 6.0

FXOS
Chassis Operating System

FXOS
Chassis Operating System - Continued

FXOS
Chassis Operating System - Continued

Advanced Use Cases
ASA Policy Enforcement with MDM

Leverage security groups to authorize endpoints based on MDM compliance.

Diagram components: endpoint, AP, WLC, ISE, MDM, ASA, Web Server. The numbered flow on the slide (1–9) covers: create Security Groups on ISE (1 Compliant, 2 Non-Compliant), the MDM compliance check, the Security Group query, SXP from ISE to the ASA, and policy on the ASA by Security Group.

TrustSec Demo
TrustSec (WLC, ISE, ASA, Firepower)
Reference

Correlation
Custom Security Intelligence
• Correlate one or more actions with a remediation (in this case, creating a custom security intelligence block list)
• In this example we are looking for blocking events based on geolocation and dropping the source IP into the custom security intelligence list.
• Monitor the events in Firepower Manager for a match against a rule.
• The remediation runs a Perl script on the Firepower Manager, which leverages the remediation framework to parse event information.
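The logic of this remediation, as an added example: it is written in Python here and is neither the deck's Perl script nor the Firepower remediation framework API. It models only what the slide describes: select Block events whose source geolocation matches the watch list, collect their source IPs, and render a custom Security Intelligence list (plain text, one address per line). The exclusion of internal address space and the de-duplication against the existing list are the checks a practitioner would add before automating a block. The events, the country codes XX/YY and the existing list are constructed.

```python
"""Added example (not the deck's Perl remediation and not Firepower's remediation
framework API): the logic the correlation slide describes, modelled in Python.
Blocked connections whose source geolocation matches a watch list have their
source IP added to a custom Security Intelligence list, one address per line.
The events, country codes and the existing list below are constructed."""
import ipaddress

# Address space that must never land on a block list, even if an event names it.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed events: (time, action, source ip, source country, destination port)
SAMPLE_EVENTS = [
    ("2017-06-26T10:00:01Z", "Block", "203.0.113.7", "XX", 443),
    ("2017-06-26T10:00:05Z", "Allow", "198.51.100.3", "XX", 80),   # not a block event
    ("2017-06-26T10:00:09Z", "Block", "203.0.113.7", "XX", 22),    # same source again
    ("2017-06-26T10:00:12Z", "Block", "192.0.2.44", "YY", 443),    # country not watched
    ("2017-06-26T10:00:20Z", "Block", "10.1.1.5", "XX", 445),      # internal address
    ("2017-06-26T10:00:25Z", "Block", "203.0.113.9", "XX", 443),
]


def select_sources(events, watched_countries, existing=frozenset()) -> list:
    """Return new source IPs to append to the custom SI list, sorted and de-duplicated."""
    picked = set()
    for _time, action, src, country, _port in events:
        if action != "Block" or country not in watched_countries:
            continue                          # the correlation rule did not match
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in NEVER_BLOCK) or src in existing:
            continue                          # never list our own space; skip known entries
        picked.add(src)
    return sorted(picked, key=ipaddress.ip_address)


def render_list(existing, new) -> str:
    """Custom SI lists are plain text, one IP or CIDR per line."""
    return "\n".join(list(existing) + list(new)) + "\n"


def demo() -> dict:
    existing = ["203.0.113.9"]                # already on the list from an earlier run
    new = select_sources(SAMPLE_EVENTS, {"XX"}, set(existing))
    return {"new": new, "feed": render_list(existing, new)}
```

With the watch list set to country XX, only 203.0.113.7 is new: the Allow event is ignored, the repeated source is collapsed, the internal 10.1.1.5 is refused, and 203.0.113.9 is already listed.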

Reference Material
Support Tools
http://www.cisco.com/c/en/us/support/web/tools-catalog.html

Security Threats and Notifications

http://www.cisco.com/security

Current News

Proactive Notifications

www.talosintel.com

SAFE Architecture

www.cisco.com/go/safe

Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you
Cybersecurity Cisco Education Offerings
Course | Description | Cisco Certification
Understanding Cisco Cybersecurity Fundamentals (SECFND) | The SECFND course provides understanding of cybersecurity’s basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material & skills. | CCNA® Cyber Ops
Implementing Cisco Cybersecurity Operations (SECOPS) | This course prepares candidates to begin a career within a Security Operations Center (SOC), working with Cybersecurity Analysts at the associate level. | CCNA® Cyber Ops
Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including SIEM, Event monitoring, security event/alarm/traffic analysis (detection), and incident response | Cisco Cybersecurity Specialist
Cisco Security Product Training Courses | Official deep-dive, hands-on product training on Cisco’s latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and more. |

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth

Cybersecurity Cisco Education Offerings
Course | Description | Cisco Certification
New! CCIE Security 5.0 | | CCIE® Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls | CCNP® Security
Implementing Cisco Threat Control Solutions (SITCS) v1.5 | Implement Cisco’s Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security | CCNP® Security
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco’s Identity Services Engine and 802.1X secure network access | CCNP® Security
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions | CCNP® Security
Implementing Cisco Network Security (IINS 3.0) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA® Security

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth
