Software and Management - Cisco
Post on 31-Oct-2021
Mateusz Pastewski
mpastews@cisco.com
Security Account Manager
Software and Management
15/03/2016
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Agenda
- Disclaimer
- Evolution of Cisco ASA with Firepower
- What is Firepower Threat Defense (FTD)?
- Firepower 6.0 functionality
- Firepower 4100
Disclaimer
The goal of this presentation is to show Firepower 6.0.1, which is already "just around the corner".
This presentation will not show product roadmaps; if such information is required for the projects you are currently running, please contact us directly.
Firepower Evolution
- Oct '13: FirePOWER Appliances and ASA 5500-X
- Sept '14: FirePOWER Services on ASA 5500-X
- Oct '15: Firepower Threat Defense for ASA 5500-X*, new appliances and virtual platforms (Customer Preview only)
*Excludes 5585-X
Firepower Threat Defense – Delivery Phases
- November 2015: Customer Preview, v6.0
- March 2016: General Availability, v6.0.1
- Roadmap: ASA feature parity (key features), v6.x
Relevant Terminology
- Firepower Threat Defense (FTD): unified codebase software image
- Firepower 4100 Series and 9300 Appliances: brand for new hardware product offerings; can run FTD or ASA
- "Firepower Next-Generation Firewall (NGFW)": FTD + hardware appliance
- Firepower Management Center: formerly FireSIGHT; unified manager for NGFW, NGIPS, AMP, FirePOWER on ISR
- ASA with FirePOWER Services: two managers, full firewall feature set
Introducing Firepower 6.0.1
Converged Software – Firepower Threat Defense
New Features (FirePOWER + ASA):
- Customer Preview Program beginning in November 2015
- New converged software image: Firepower Threat Defense
- Contains all Firepower Services plus select ASA capabilities
- Single manager: Firepower Management Center*
- Same subscriptions as FirePOWER Services, enabled by Smart Licensing:
  - Threat (IPS + SI + DNS)
  - Malware (AMP + ThreatGrid)
  - URL Filtering
* Also manages Firepower Appliances, Firepower Services (not ASA Software)
Platforms Supporting Firepower 6.0
- FirePOWER Services on ASA 5500-X
- FirePOWER 7000 / 8000 / NGIPSv
- Firepower Threat Defense on ASA 5500-X*, Firepower 9300, VMware and AWS (Customer Preview for 6.0)
*Excludes 5585-X
All** managed by Firepower Management Center 6.0
**Does not manage ASA software
Firepower 6.0.1 Software Support by Platform

Platform                              | Firepower Threat Defense | Firepower NGIPS | Firepower Services on ASA
Old (Series 2) FirePOWER Appliances   | ✗                        | ✗               | ✗
FirePOWER 7000 Series                 | ✗                        | ✓               | ✗
FirePOWER 8000 Series                 | ✗                        | ✓               | ✗
ASA Low-end (5506/08/16)              | ✓ (reimage)              | ✗               | ✓
ASA Mid-Range (5512/15/25/45/55)      | ✓ (reimage)              | ✗               | ✓
ASA High-end (5585 SSP-10/20/40/60)   | ✗                        | ✗               | ✓
Firepower 9300 (SSP 3RU - SM-24/36)   | ✓                        | ✗               | ✗
VMware                                | ✓                        | ✓               | ✗
AWS                                   | ✓                        | ✗               | ✗
Firepower 6.0 on ASA – Upgrade vs Re-Image: Choose Firepower Services or Firepower Threat Defense
Firepower Software on ASA Platforms:
- Starting point: Firepower Services 5.4 on ASA 9.5.x
- Upgrade path: Firepower Services 6.0 on ASA 9.5.x*
- Re-Image path: Firepower Threat Defense (Customer Preview)
*Firepower Services 6.0 compatible ASA Version Required
Installing Firepower Threat Defense - Customer Preview
1. Management Center: upgrade/install FireSIGHT 5.4 to Firepower Management Center 6.0*
2. Smart License: Firepower Management Center 6.0 registers with Cisco Smart Software Manager
3. Firepower Services on ASA (Firepower 5.4, ASA 9.4.x): reimage to Firepower Threat Defense and register it with the Management Center
New Capabilities in Firepower Threat Defense 6.0
Only in Firepower Threat Defense (Network Firewall):
- Unified ASA & Firepower Rules
- Unified ASA & Firepower Objects
- Transparent & Routed Deployment
- ASA NAT (Dynamic & Static)
- ASA Routing: OSPF, BGP, RIP, Static (no EIGRP or Multicast)
- ASA Syn Cookies / Anti-Spoofing
- ASA ALGs (fixed configuration)
Common across Firepower platforms (Threat Innovation and Enterprise Management):
- DNS Inspection and Sink-holing
- URL-based Security Intelligence
- SSL Decryption
- ThreatGRID Analysis & Intelligence
- OpenAppID Application Detectors
- Captive Portal and Active Auth
- File Property Analysis and Local Malware Checks
- ISE Identity/Device/SGT in Policy
- Domains with Role-Based Access
- Policy Hierarchy with Inheritance
What features are available?
- Everything from Firepower 6.0
- Phased introduction of features from ASA
FTD 6.0.1:
- IPv4 and IPv6 connection state tracking and TCP normalization
- Access Control
- NAT (full support)
- Unicast Routing (except EIGRP)
- ALGs (only default configuration)
- Intra-chassis Clustering on Firepower 9300
- Stateful Failover (HA)
Firepower Threat Defense Architecture
Advantages of Firepower Threat Defense
In Firepower Services on ASA:
- 2 images need to be deployed
- 2 OSs running on the same hardware
- Packet traverses virtual machine boundaries
- Functionality is duplicated
- 2 management applications (diagram: ASA managed by CSM, FirePOWER managed by FireSIGHT)
Firepower Threat Defense
- New Next Generation Firewall offering
- Brings together the best features from ASA and Firepower, all under one OS
- Zero-copy packet inspection
- No functionality will be duplicated*
- Single management application
Diagram: Firepower Threat Defense = L2-L4 Inspections (ASA Technology) + Advanced Inspections (FirePOWER Technology), managed by Firepower Management Center
Deployment Modes
Basic deployment modes (firewall modes):
- Routed
- Transparent
Other interface modes (IPS/IDS modes):
- Inline
- Inline Tap
- Passive
Unified Access Control policies
Access policies are broken down into 2 sets of rules:
- Advanced ACLs evaluate L2 – L4 attributes and give a verdict: Permit, Deny or Trust
- NGFW ACLs evaluate L7 attributes: Allow, Block or TrustPath
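As an added illustration of the two-stage policy above (not code from the original deck or from Cisco), a small Python model in which the Advanced ACL verdict decides whether a flow reaches the NGFW (L7) rules at all. The rule sets, the sample flows, the implicit defaults and the reading of Trust as "skip L7 inspection" are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Flow:                          # constructed flow record: L3/L4 fields plus L7 facts
    src: str
    dst: str
    dport: int
    app: Optional[str] = None        # L7 attributes are known only after inspection
    url_category: Optional[str] = None

@dataclass
class L4Rule:                        # Advanced ACL: L2-L4 attributes, verdict Permit/Deny/Trust
    verdict: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    def matches(self, f):
        return (ip_address(f.src) in ip_network(self.src) and self.dport in (None, f.dport)
                and ip_address(f.dst) in ip_network(self.dst))

@dataclass
class L7Rule:                        # NGFW ACL: L7 attributes, action Allow/Block/TrustPath
    action: str
    app: Optional[str] = None
    url_category: Optional[str] = None
    def matches(self, f):
        return self.app in (None, f.app) and self.url_category in (None, f.url_category)

def evaluate(flow, l4_rules, l7_rules, l4_default="Permit", l7_default="Block"):
    """Stage 1: first matching L2-L4 rule; Deny drops, Trust fast-paths with no L7 inspection
    (assumed semantics). Permit or no match goes to stage 2, the L7 rules. Returns (stage, verdict)."""
    verdict = next((r.verdict for r in l4_rules if r.matches(flow)), l4_default)
    if verdict != "Permit":
        return "L2-L4", verdict
    return "L7", next((r.action for r in l7_rules if r.matches(flow)), l7_default)

L4_RULES = [L4Rule("Deny", src="10.9.0.0/16"),                        # quarantined subnet
            L4Rule("Trust", dst="10.1.1.20/32", dport=5432),          # backup DB traffic, skip L7
            L4Rule("Permit", dport=443)]                              # web: needs L7 inspection
L7_RULES = [L7Rule("Block", url_category="Malware Sites"), L7Rule("Allow", app="HTTPS")]

def example_verdicts():              # constructed sample flows run through both stages
    flows = {"quarantined": Flow("10.9.3.4", "203.0.113.10", 443, "HTTPS"),
             "db_backup": Flow("10.1.1.5", "10.1.1.20", 5432, "PostgreSQL"),
             "web_bad": Flow("10.1.2.8", "203.0.113.10", 443, "HTTPS", "Malware Sites"),
             "web_ok": Flow("10.1.2.8", "203.0.113.10", 443, "HTTPS", "Business"),
             "dns": Flow("10.1.2.8", "203.0.113.10", 53, "DNS")}
    return {name: evaluate(f, L4_RULES, L7_RULES) for name, f in flows.items()}
```

Note that the "dns" flow matches no rule in either stage and ends at the L7 default, while "db_backup" never reaches stage 2 because Trust short-circuits inspection.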
Firepower Management Center 6.0: Overview
- Only manager required for Firepower Threat Defense
- Added functionality to manage the features brought in from ASA
- Can also manage Firepower appliance and services deployments
- Unified policy management for Firepower appliances/services and Firepower Threat Defense
- Enhanced configuration management built on tested technology
Firepower Management Center: Configuration deployment
Firepower Management Center 6.0 to Firepower Threat Defense 6.0 (components shown: Config Dispatcher, Config Comms Manager, L2-L4 inspections, Advanced inspections):
1. Notify
2. Download
3. Parse
4. Install (into both the L2-L4 inspections and the Advanced inspections)
FireSIGHT 5.4 to FirePOWER 5.4:
1. Connect
2. Download update, execute scripts
Objects Configuration
Objects in 5.4
Objects in 6.0
Routing Configuration
NAT configuration
Access policy configuration
Firepower Threat Defense Feature Deep Dive: Management Domains
Multi-Tenancy through Domains and Multiple Network Maps
Use cases:
- Large Enterprises
- MSSP
Benefits:
- Segmentation
- Granular RBAC
- Overlapping IP Addresses
- Maintaining Privacy
Domain Overview
- Supports up to 50 domains and 3 levels
- Available for all platforms running 6.0
Example hierarchy (diagram, levels 1 to 3): UK, USA and INDIA, with UK/London and UK/Oxford below UK
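As an added example (not from the deck or from Cisco), a Python model of the domain hierarchy above: it enforces the 50-domain and 3-level limits, attaches devices only at leaf domains, keeps one network map per domain so the same IP address can exist in two tenants, and scopes a user's view to the subtree of the domain they are assigned to. The root domain name "Global" and all host and device names are assumptions.

```python
MAX_DOMAINS, MAX_LEVELS = 50, 3          # limits stated on the slide

class DomainTree:
    def __init__(self, root="Global"):   # root name is an assumption, not on the slide
        self.parent = {root: None}       # domain -> parent domain
        self.hosts = {}                  # domain -> {ip: host}: one network map per domain
        self.devices = {}                # domain -> [device names], leaf domains only

    def ancestors(self, d):              # d itself, then its parents up to the root
        chain = []
        while d is not None:
            chain.append(d)
            d = self.parent[d]
        return chain

    def add(self, name, parent):         # False when the 3-level or 50-domain limit would be hit
        if parent not in self.parent or name in self.parent:
            raise ValueError(f"bad domain {name!r} under {parent!r}")
        if len(self.ancestors(parent)) >= MAX_LEVELS or len(self.parent) >= MAX_DOMAINS:
            return False
        self.parent[name] = parent
        return True

    def add_device(self, domain, device):
        if domain in self.parent.values():      # has children, so not a leaf
            raise ValueError(f"{domain} is not a leaf domain")
        self.devices.setdefault(domain, []).append(device)

    def add_host(self, domain, ip, host):
        self.hosts.setdefault(domain, {})[ip] = host    # same IP may recur in another domain

    def visible_hosts(self, user_domain):   # network-map entries in user_domain's subtree
        return {(d, ip): h for d in self.parent if user_domain in self.ancestors(d)
                for ip, h in self.hosts.get(d, {}).items()}

def build_example():
    t = DomainTree()
    for name, parent in [("UK", "Global"), ("USA", "Global"), ("INDIA", "Global"),
                         ("UK/London", "UK"), ("UK/Oxford", "UK")]:
        t.add(name, parent)
    t.add_host("UK/London", "10.0.0.5", "ldn-fileserver")
    t.add_host("USA", "10.0.0.5", "nyc-printer")        # overlapping IP, separate tenant
    t.add_device("UK/London", "ftd-ldn-1")
    return t
```

A user scoped to UK sees only the London host, while a user at the root sees both entries for 10.0.0.5 as distinct (domain, ip) keys.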
Domain Feature Coverage
Domain-Aware Features (allows segmented user access for):
• Analysis
• Devices (at leaf level)
• Objects
• Policies
• AMP
• Health
• System
• Events
• Network map
Global Features:
• System: Local Configuration, High Availability, System Policies, Updates, Licenses
• Management System Monitoring: Syslog, Statistics
• Tools: Backup/Restore, Data Purge
• ThreatGrid Analysis*
* Will be made domain aware in future release
Use Cases
Qualifying New Firepower Opportunities
Firepower Appliances:
• Need a dedicated NGIPS or AMP solution
• Needs fail-to-wire for inline deployment
ASA Firepower Services:
• Need firewall functionality not initially provided by Firepower Threat Defense: Site-to-Site VPN, Remote Access VPN, Multi-cast Routing, Clustering, Contexts
Firepower Threat Defense:
• Need new Firepower 9300*
• Require single management platform*
(*can forgo functionality like VPN and rate limiting in the short term)
Positioning: Firepower Threat Defense: position now, ready for GA. Firepower Appliances and ASA Firepower Services: continue to sell as normal.
Use Case: Internet Edge Firewall
Requirement
Connectivity and Availability Requirement:
• Firewall for High Availability (Redundancy)
• Firewall should support Router or Transparent Mode
• vPC/Port-Channel for interface redundancy and link speed aggregation
Security Requirement:
• Dynamic NAT/PAT and Static NAT
• AVC, URL filtering, IPS and Malware protection
• SSL Decryption
Solution
Security Application: Firepower Threat Defense application with FMC
Topology (diagram): Service Provider / ISP, Internet Edge with FW in HA and HSRP, vPC / Port-Channel, Campus/Private Network, DMZ Network
Use Case: Internet Edge Firewall with VPN Support
Requirement
Connectivity and Availability Requirement:
• Firewall for High Availability (Redundancy)
• Firewall in the Router Mode
• vPC/Port-Channel for interface redundancy and link speed aggregation
Security Requirement:
• Dynamic NAT/PAT and Static NAT
• Application Inspection
• ACL to control the traffic flows
• VPN support (S2S, SSL and AnyConnect)
Solution
Security Application: ASA Firewall
Topology (diagram): Service Provider / ISP, Internet Edge with FW in HA and HSRP, vPC / Port-Channel, Campus/Private Network, DMZ Network, Remote VPN Users, Branch Office
Firepower Threat Defense Smart Licensing
Firepower Threat Defense Licensing Structure
• Base License enables NGFW
  • Networking, Firewall and Application Visibility & Control
  • Perpetual license - included with appliance purchase
• Term-based licenses for advanced protection
  • Threat, Malware and URL Filtering
• Traditional ASA licenses not needed
Diagram: Base (NGFW) is perpetual (green); Threat (IPS / SI / DNS), Malware (AMP / TG) and URL Filtering are term-based (blue)
Firepower 4100 Series
Cisco Firepower 4100 Series
Introducing four new high-performance models
Multiservice Security:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party
Performance and Density Optimization:
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Unified Management:
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options
Firepower 4100 Series Front and Rear View
[Figure: front panel with SSD1 and SSD2, network ports 1 to 8, NetMod 1 (Slot) and NetMod 2 (Slot), Console and Mgmt. ports, and Power, SYS, ACT and SSD Status indicators; rear panel with PS1, PS2 and FAN1 to FAN6]
Firepower 4100 Software
- The FP 4100 Series platform is supported from FXOS 1.1.4.
- FXOS (Firepower Extensible Operating System) provides the interface for device management and for provisioning the security application on the security engine.
- All images are digitally signed and validated through Secure Boot.
- Security application images are in Cisco Secure Package (CSP) format.
- Multiple versions of the same application can be stored on the Supervisor and deployed to the Security Engine on demand.
- Contains system images (i.e. ASA, FTD) and other images (i.e. ASDM, REST, and so on).
Diagram: the Supervisor runs FXOS; the Security Engine runs the primary application from Cisco (native: ASA or FTD) and a decorator application from a third party (KVM; DDoS, future).