Page 1: Cisco NGFW and UTM update
Security Expert Call series
Istvan Segyik (CCIE Security #47531), Escalations Engineer, Cisco GVE
6 October 2016
Page 2: Today's topics
• Cisco Firepower NGFW overview
• Cisco NGFW platforms and software editions
• Firepower 6.1: what is new?
• Cisco Meraki cloud-managed networking overview
• Cisco Meraki MX security gateways
• Demo: a quick impression of both systems
• Q&A
Page 3: Cisco Firepower NGFW
Page 4: Cisco NGFW overview
Page 5: Secure the perimeter and the DC while...
• New demands: global collaboration; private and public cloud datacenters; anywhere access and BYOD.
• More things: sophisticated threats; sophisticated penetration; complex malware.
• The result: threats are harder to stop, visibility is more elusive, access is tougher to manage.
Page 6: What Cisco offers is...
Cisco Firepower NGFW: fully integrated, threat focused.
• Stop more threats
• Gain more insight
• Detect earlier, act faster
• Reduce complexity
• Get more from your network
Page 7: Major NGFW system components
Diagram: traffic between the private network, the DMZ and the Internet passes through a chain of engines, each of which can return Block or Allow.
• Firewall: dynamic and static NAT, high availability, high bandwidth
• AVC (Application Visibility and Control)
• SSL decryption engine
• NGIPS
• AMP file inspection and AMP Threat Grid (sandbox)
• DNS sinkhole
• Security feeds: URL, IP and DNS reputation
Page 8: Wait! Where is anti-spam?!
• Cisco NGFW can:
  • Inspect SMTP, POP3, IMAP, etc. traffic, both as an application and as a transport method for data;
  • Inspect the content and look for malware;
  • Do these things fast.
• But e-mail security is more than a single bolted-on anti-spam engine:
  • Multiple anti-spam engines, flexible spam quarantine;
  • E-mail authentication and integration: SPF, DKIM, DMARC handling;
  • Sophisticated filtering: application parameters, content, volumetric, etc.;
  • Conditional e-mail routing;
  • Graymail detection, classification and proper control;
  • Handling payload encryption (S/MIME, CRES, PGP, other proprietary schemes);
  • Granular reporting;
  • Etc.
• We recommend our market-leading E-mail Security Appliance: www.cisco.com/go/esa
Page 9: NGFW components: Firewall
• All NGFW editions have stateful inspection firewall functionality.
• The ASA+Firepower (Hybrid) and Firepower Threat Defense (Unified) editions use the ASA (LINA) firewall engine:
  • Which is the world's most proven stateful inspection engine and is continuously developed;
  • Has sophisticated Application Level Gateway (ALG) functions that let modern applications pass the firewall and address translation safely.
• Legacy Sourcefire appliances have a good firewall too.
Page 10: NGFW components: SSL decryption
• By now all hardware platforms support SSL decryption...
  • ...but all of them do it in software, with at most minimal hardware assistance, on the data plane CPUs.
• The next generation platforms have high performance cryptographic accelerator ASICs:
  • At the moment they are used for IPsec acceleration only;
  • A forthcoming software release is going to enable hardware acceleration of SSL/TLS decryption.
• On the other hand, be aware of big industry players' intention to prevent enterprise firewalls and proxies from inspecting TLS/SSL channels (certificate pinning in applications, and protocol changes that hide more of the handshake from middleboxes)!
Page 11: NGFW components: Application Visibility & Control (AVC)
• See and understand risks; enforce granular access control; prioritize traffic and limit rates; create detectors for custom apps.
• Cisco application database (based on OpenAppID): 4,000+ apps.
• Diagram: (1) identify the network and its users, (2) prioritize traffic.
Page 12: NGFW components: web controls
• Classify 280M+ URLs; filter sites using 80+ categories; manage allow/block lists easily; block the latest malicious URLs.
• Diagram: the admin creates category-based policy (e.g. block "gambling"); the NGFW filters requests using the Cisco URL database and the URL | IP | DNS security feeds, with DNS sinkhole and Safe Search support; each request ends in Allow or Block.
Page 13: NGFW components: web controls, explained
• We have dynamic URL category filtering and URL | IP | DNS reputation filtering capabilities.
• They are different technologies with different purposes and very little overlap.
• Dynamic URL filtering:
  • Huge cached DB of URLs, with an on-demand query when an unknown URL is seen;
  • 80 categories, plus each URL has a reputation score;
  • Now provides 'Safe Search' capabilities too;
  • Primary intention is enforcing acceptable web usage;
  • Requires the 'URL' license.
• URL and IP reputation filtering:
  • Cisco Talos-provided or custom static lists of categorized URLs and IP addresses, pre-downloaded and cached;
  • URLs on these lists can be handled together with dynamic URL categories in an Access Control Policy rule, but they are a separate feed;
  • They focus on known bad hosts;
  • Included in the 'Threat' license along with IPS functionality.
Page 14: NGFW components: web controls, explained (cont.)
• DNS reputation filtering:
  • Talos-provided list of domain names, pre-positioned and cached;
  • This feeds the DNS sniffing and redirection (sinkhole) engine;
  • Included in the 'Threat' license along with IPS and the IP | URL reputation feeds.
• Wait...! OpenDNS?
  • Not yet. Talos might use some information from OpenDNS for this feed, but there is no direct API connection to the OpenDNS cloud here.
  • Still, OpenDNS can be used in parallel with a Cisco NGFW.
  • ...and that makes sense: OpenDNS is the best tool to prevent connections to suspicious hosts behind dynamically generated 'fast flux' domains.
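What the DNS sniffing and redirection engine does at packet level, as an added example (not Cisco code, and not how the Firepower implementation is written): parse an A query, match the queried name and its parent domains against a cached domain list, and hand back a well-formed forged answer that points at a sinkhole address, so that the infected host's follow-on connection lands on a listener you control and can be logged. The blocklist entries and the sinkhole address are constructed sample values.

```python
"""DNS sinkhole responder: answer A queries for blocklisted domains with a sinkhole address.

Added example, not Cisco code. Blocklist entries and the sinkhole IP are constructed.
"""
import ipaddress
import struct
from typing import List, Optional, Set, Tuple

SINKHOLE_IP = "10.255.255.254"                          # assumption: an internal listener you own
BLOCKLIST: Set[str] = {"evil.example", "c2.example"}    # constructed stand-in for the Talos feed

QTYPE_A, QCLASS_IN = 1, 1


def encode_qname(name: str) -> bytes:
    """'www.evil.example' -> b'\\x03www\\x04evil\\x07example\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_qname(pkt: bytes, off: int) -> Tuple[str, int]:
    """Read an uncompressed name at pkt[off:], return (name, offset after it)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Standard recursive query with one question (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes) -> Tuple[int, str, int, int, bytes]:
    """Return (txid, qname, qtype, qclass, raw question section)."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, off = decode_qname(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, name, qtype, qclass, pkt[12:off + 4]


def is_sinkholed(name: str, blocklist: Set[str]) -> bool:
    """Match the name and every parent domain, so 'cdn.www.evil.example' hits 'evil.example'."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def sinkhole_response(query: bytes, blocklist: Set[str], sinkhole_ip: str,
                      ttl: int = 60) -> Optional[bytes]:
    """Forge an answer for a blocklisted A query; None means 'pass the query through'."""
    txid, name, qtype, qclass, question = parse_query(query)
    if qtype != QTYPE_A or qclass != QCLASS_IN or not is_sinkholed(name, blocklist):
        return None
    # Flags 0x8180: QR=1, RD=1, RA=1, NOERROR. One question echoed, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to the qname at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    answer += ipaddress.IPv4Address(sinkhole_ip).packed
    return header + question + answer


def answer_a_records(resp: bytes) -> List[str]:
    """Extract A records from a response whose answers use the pointer form above."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    _, off = decode_qname(resp, 12)
    off += 4                                     # skip qtype/qclass
    ips = []
    for _ in range(ancount):
        off += 2                                 # 2-byte name pointer
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return ips


if __name__ == "__main__":
    for qname in ("www.evil.example", "www.cisco.com"):
        reply = sinkhole_response(build_query(0x1234, qname), BLOCKLIST, SINKHOLE_IP)
        print(qname, "->", answer_a_records(reply) if reply else "forwarded")
```

Two practical points the code makes visible: the sinkhole answer reuses the query's transaction ID and question section, so the stub resolver accepts it like any other reply; and the engine only ever sees queries that traverse the sensor, so hosts using a resolver that does not pass through the firewall are not covered.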
Page 15: NGFW components: Intrusion Prevention System
• There are multiple Snort engines running in parallel.
• Cisco Talos provides signature updates, and 3rd-party feeds can be used as well.
• The IPS is tightly integrated with the AVC engine, which is based on OpenAppID.
• Highly tunable:
  • Custom policies and rules can be added in the GUI or imported in Snort rule format;
  • Policies, policy sections and rules can be cloned in the GUI;
  • An Access Control Policy rule can be assigned its own IPS policy;
  • Intelligent Application Bypass can skip deep inspection for selected trusted applications when performance thresholds are exceeded, preserving throughput without turning inspection off globally.
• Advanced preprocessors for:
  • Protocol normalization;
  • Fighting certain attacks like volumetric DoS;
  • Increasing application protocol security, e.g. SIP or SCADA protocols.
Page 16: NGFW components: improved traffic control
• Identity integration (target threats accurately): ISE, pxGrid, VDI.
• Captive portal (enforce authentication): active/passive, NTLM, Kerberos.
• Rate limiting (control application usage): rule-based limits, reports, QoS rules.
• True-IP policy (analyze headers in more depth): X-Forwarded-For, True-Client-IP, custom headers.
• Tunnel policy (block unwanted traffic early): pre-filtering, priority policy, policy migration.
Page 17: NGFW components: anti-malware (diagram)
• Block known malware; investigate files safely; detect new threats; respond to alerts.
• File reputation: known signatures, fuzzy fingerprinting, indications of compromise.
• Threat Grid sandboxing: advanced analytics, dynamic analysis, threat intelligence.
• Threat disposition (Safe / Uncertain / Risky) from reputation and sandbox analysis, enforced across all endpoints.
• AMP for Networks and AMP for Endpoints logs feed file and device trajectory.
Page 18: NGFW components: anti-malware, explanation
• AMP for Networks (formerly FireAMP) runs on Cisco NGFW products. It is a composite engine that:
  • Creates a hash (SHA-256) of the file and runs a reputation check against the AMP cloud or an on-premises private AMP appliance;
  • Creates a behavior pattern analysis for executables and compares it against the AMP cloud (Spero engine);
  • May run a local ClamAV check (traditional, offline AV engine);
  • Can submit a file to the Cisco Threat Grid cloud or an on-premises dynamic analysis (sandbox) system;
  • Can store files, any files, for additional analysis;
  • Can retrospectively convict files that have already been passed, then alert, remediate and draw the network trajectory for forensics;
  • Requires a 'Malware' license, which includes a certain (platform dependent) number of daily Threat Grid submissions.
• AMP has an endpoint version as well, called AMP for Endpoints (AMP4E).
• AMP4E can report compromise events and contextual data to Firepower Management Center.
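The allow-first, convict-later flow described above, as an added example (not Cisco code, and not the AMP implementation): a file is hashed when seen, the hash is looked up (the cloud query is stubbed by a constructed lookup table), and the verdict at that moment decides allow or block. When the verdict for that hash later changes, every earlier transfer is retrospectively re-evaluated and the hosts that received the file become the trajectory a responder works from. Hashes, hosts and verdicts are constructed sample data.

```python
"""File disposition cache with retrospective conviction and network trajectory.

Added example, not Cisco code. The reputation lookup is a constructed stand-in for the cloud.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

UNKNOWN, CLEAN, MALICIOUS = "unknown", "clean", "malicious"


@dataclass(frozen=True)
class FileEvent:
    ts: int           # seconds since epoch (constructed)
    src: str          # sending host
    dst: str          # receiving host
    sha256: str
    disposition: str  # verdict that applied at the time of transfer
    action: str       # 'allow' or 'block'


@dataclass(frozen=True)
class RetrospectiveEvent:
    sha256: str
    old: str
    new: str
    affected_hosts: List[str]   # hosts that received the file while it was still allowed
    events: List[FileEvent]     # the transfers that now need attention


class FileDispositionEngine:
    def __init__(self, reputation_lookup: Callable[[str], Optional[str]]):
        # reputation_lookup(sha256) -> disposition; stands in for the AMP cloud / private cloud query.
        self._lookup = reputation_lookup
        self._cache: Dict[str, str] = {}
        self._events: Dict[str, List[FileEvent]] = defaultdict(list)

    @staticmethod
    def sha256_of(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def inspect(self, ts: int, src: str, dst: str, data: bytes) -> FileEvent:
        """Hash the file, apply the verdict known right now, and record the transfer."""
        digest = self.sha256_of(data)
        if digest not in self._cache:
            self._cache[digest] = self._lookup(digest) or UNKNOWN
        verdict = self._cache[digest]
        action = "block" if verdict == MALICIOUS else "allow"
        ev = FileEvent(ts, src, dst, digest, verdict, action)
        self._events[digest].append(ev)
        return ev

    def update_disposition(self, digest: str, new: str) -> Optional[RetrospectiveEvent]:
        """Apply a changed verdict; return a retrospective event when past decisions are affected."""
        old = self._cache.get(digest, UNKNOWN)
        self._cache[digest] = new
        if old == new:
            return None
        past = self._events.get(digest, [])
        if new == MALICIOUS:
            exposed = [e for e in past if e.action == "allow"]
            hosts = sorted({e.dst for e in exposed})
            return RetrospectiveEvent(digest, old, new, hosts, exposed)
        if old == MALICIOUS:
            # Retrospective false-positive clear: earlier blocks can be reviewed.
            return RetrospectiveEvent(digest, old, new, [], [e for e in past if e.action == "block"])
        return None

    def trajectory(self, digest: str) -> List[str]:
        """Time-ordered 'src -> dst' hops of one file across the network."""
        return [f"{e.ts}: {e.src} -> {e.dst} ({e.action})"
                for e in sorted(self._events.get(digest, []), key=lambda e: e.ts)]


if __name__ == "__main__":
    sample = b"MZ\x90\x00constructed-dropper"            # constructed file content
    bad = FileDispositionEngine.sha256_of(sample)
    engine = FileDispositionEngine(lambda h: {bad: UNKNOWN}.get(h, CLEAN))
    engine.inspect(1000, "203.0.113.5", "10.0.0.11", sample)   # unknown: allowed
    engine.inspect(1010, "10.0.0.11", "10.0.0.12", sample)     # lateral copy: allowed
    retro = engine.update_disposition(bad, MALICIOUS)          # cloud changes its mind
    print(retro.affected_hosts, engine.trajectory(bad))
```

The point the code isolates is that the first verdict is a cache entry, not a final decision: the events recorded at allow time are what make the later conviction actionable, so an engine that only logs blocks has nothing to draw a trajectory from.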
Page 19: NGFW components: Correlation Engine (diagram)
• Scan network traffic; correlate data; detect stealthy threats; respond based on priority.
• Inputs: communications, application and device data, data packets.
• Blended threats it looks for: network profiling, phishing attacks, innocuous payloads, infrequent callouts.
• Outcomes: prioritize response, Accept or Block, automate policies (e.g. through ISE).
Page 20: NGFW components: Correlation Engine, explained
• Available only with centralized management (FMC) at the moment.
• The system can do active and passive profiling of:
  • Network segment traffic;
  • Hosts (OS, applications, versions, AMP4E information, etc.).
• FMC has a vulnerability database as well (its own, plus third-party scanner data such as Nessus results can be imported and mapped onto discovered hosts).
• FMC can correlate:
  • Host profiles and profile changes;
  • The vulnerability DB;
  • Traffic profile changes or certain patterns;
  • Local malware and/or IPS events;
  • External AMP4E events;
  • Connection events (local and NetFlow reported);
  • Etc.
• Correlation is driven by correlation policies and can trigger 'Remediation' actions.
• Plus there are some built-in correlations that improve alerting (calculation of the impact score).
Page 21: NGFW components: Firepower Management Center
• Manage across many sites; control access and set policies; investigate incidents; prioritize response.
• Centralized management for multi-site deployments: multi-domain management, role-based access control, high availability, APIs and pxGrid integration.
• Manages NGIPS, firewall & AVC, AMP and Security Intelligence.
• Available in physical and virtual options.
Page 22: NGFW components: FMC, explained
• FMC is the centralized management server for:
  • Legacy Sourcefire Firepower appliances;
  • Firepower Threat Defense (FTD) unified-code-based appliances;
  • Firepower modules of hybrid 'editions' (the ASA code is still managed independently).
• There are plans to manage the ASA side of hybrid editions in FMC as well.
• FMC is not only management but also:
  • An important integration point: it provides APIs and calls APIs (e.g. ISE pxGrid);
  • The event management, aggregation, correlation, alerting and historical data storage point;
  • A source of forensics tools: dashboards, data mining capabilities, network file trajectories, etc.
Page 23: NGFW components: Firepower Device Manager
• Set up easily; control access and set policies; investigate incidents; prioritize response.
• Integrated on-box option for single-instance deployments: physical and virtual options; easy set-up; NAT and routing; role-based access control; intrusion and malware prevention; high availability; device monitoring; VPN support.
Page 24: NGFW components: Firepower Device Manager, explained
• Embedded device manager for Firepower Threat Defense based appliances.
• Legacy Sourcefire appliances have only a status-monitoring HTML GUI; ASA+Firepower editions use ASDM.
• FDM and FMC are mutually exclusive: a device is managed by one or the other, never both at once.
• Main usage scenarios:
  • Simplified systems management and monitoring for simple deployments;
  • Initial deployment of the appliance by a technician at a remote site.
Page 25: NGFW components: Cisco Defense Orchestrator
• Simplify security policy management in the cloud with Cisco Defense Orchestrator.
• Plan and model security policy changes before deploying them across the cloud; deploy changes across virtual environments in real time or offline; receive notifications about any unplanned changes to security policies and objects.
• Functions: device onboarding (import from offline, discover directly from the device); object and policy analysis; application, URL, malware and threat policy management; change impact modeling; security templates; security policy management; simple search-based management; reports and notifications.
Page 26: NGFW components: Cisco Defense Orchestrator, explained
• CDO is an optional, simplified cloud management platform for on-premises NGFW deployments.
• Simplified, because it is a product at an 'early stage'.
• Sales are limited to qualified opportunities only.
Page 27: NGFW components: Security Intelligence
• Identify advanced threats; get specific intelligence; catch stealthy threats; stay protected with updates.
• Talos threat intelligence: 250+ researchers, 24x7x365 operations spanning security coverage, research and response.
• Telemetry from endpoints, devices, networks, NGIPS and the web: 1.5 million daily malware samples, 600 billion daily e-mail messages, 16 billion daily web requests.
• Cisco's figure: 10x more data than what the nearest competitor sees and analyzes.
Page 28: And this works... NSS proven
• The latest NSS Labs breach detection test confirmed the effectiveness of Firepower.
• Two highlights:
  • 100% detection rate with 100% anti-evasion rating;
  • Most threats were found fast: 67% within 1 minute and 91.8% within 3 minutes.
• Find more: www.nsslabs.com
Page 29: NGFW integrations
Page 30: APIs and programmability quick overview
• Sensors and FMC have had the eStreamer API for a long time:
  • Open specification;
  • A bit more complex.
• FMC now has a REST-based API which is:
  • Simple;
  • Being developed fast;
  • Already makes possible things like Cisco ACI DC fabric integration.
• FMC can run built-in or custom external remediation modules (Perl scripts) triggered by correlation policies.
• The system uses open formats: OpenAppID, Snort signatures (STIX and TAXII are on the roadmap).
• There are closed APIs used for advanced integrations like:
  • ISE pxGrid for user and endpoint identity and context information retrieval;
  • ISE EPS API calls for ISE-enforced endpoint quarantine in the access layer.
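The FMC REST API exchange the slide refers to, as an added example (not Cisco code): authenticate once with Basic credentials to obtain a short-lived token, then use that token to list access control policies. The two paths are the documented FMC 6.1 REST endpoints (POST /api/fmc_platform/v1/auth/generatetoken, which returns the token and domain id in response headers rather than in the body, and GET /api/fmc_config/v1/domain/{domain_uuid}/policy/accesspolicies). The HTTP transport is injectable so the flow runs offline against the constructed fake FMC at the bottom; hostname, credentials, policy name and ids are made up.

```python
"""FMC REST API walk-through: get a session token, then list access control policies.

Added example, not Cisco code. Endpoints are the documented FMC REST paths; everything the
fake transport returns (token, domain id, policy) is constructed sample data.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, body) -> (status, response_headers, response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]],
                     Tuple[int, Dict[str, str], bytes]]

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
CONFIG_PATH = "/api/fmc_config/v1/domain/{domain}/policy/accesspolicies"


def urllib_transport(verify_tls: bool = True) -> Transport:
    """Real HTTPS transport. Disable verification only for a lab FMC with a self-signed cert."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), err.read()
    return send


class FmcClient:
    def __init__(self, host: str, transport: Transport):
        self.base = f"https://{host}"
        self.transport = transport
        self.token: Optional[str] = None
        self.domain_uuid: Optional[str] = None

    def login(self, username: str, password: str) -> str:
        """Basic auth is used once; afterwards only the short-lived X-auth-access-token is sent."""
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        status, headers, _ = self.transport(
            "POST", self.base + TOKEN_PATH, {"Authorization": "Basic " + cred}, None)
        if status != 204:
            raise PermissionError(f"token request failed: HTTP {status}")
        low = {k.lower(): v for k, v in headers.items()}   # FMC answers with the token in headers
        self.token = low["x-auth-access-token"]
        self.domain_uuid = low["domain_uuid"]
        return self.token

    def list_access_policies(self) -> List[Tuple[str, str]]:
        """Return (name, id) for every access control policy, following FMC's paging.next list."""
        if not self.token:
            raise RuntimeError("login() first")
        url = self.base + CONFIG_PATH.format(domain=self.domain_uuid) + "?limit=25&offset=0"
        out: List[Tuple[str, str]] = []
        while url:
            status, _, body = self.transport(
                "GET", url, {"X-auth-access-token": self.token, "Accept": "application/json"}, None)
            if status == 401:
                raise PermissionError("token expired or invalid; re-run login()")
            if status != 200:
                raise RuntimeError(f"GET {url} failed: HTTP {status}")
            data = json.loads(body)
            out.extend((item["name"], item["id"]) for item in data.get("items", []))
            url = (data.get("paging", {}).get("next") or [None])[0]
        return out


def fake_fmc_transport(method, url, headers, body):
    """Constructed stand-in for an FMC so the flow above runs offline."""
    good = "Basic " + base64.b64encode(b"api-user:Secret123").decode()
    if method == "POST" and url.endswith(TOKEN_PATH):
        if headers.get("Authorization") != good:
            return 401, {}, b""
        return 204, {"X-auth-access-token": "tok-abc", "X-auth-refresh-token": "ref-xyz",
                     "DOMAIN_UUID": "e276abec-e0f2-11e3-8169-6d9ed49b625f"}, b""
    if method == "GET" and "/policy/accesspolicies" in url:
        if headers.get("X-auth-access-token") != "tok-abc":
            return 401, {}, b'{"error": "unauthorized"}'
        page = {"items": [{"name": "DC-Edge", "id": "005056A1-0001", "type": "AccessPolicy"}],
                "paging": {"offset": 0, "limit": 25, "count": 1, "pages": 1}}
        return 200, {"Content-Type": "application/json"}, json.dumps(page).encode()
    return 404, {}, b""


if __name__ == "__main__":
    fmc = FmcClient("fmc.example.net", fake_fmc_transport)  # swap in urllib_transport() for a real FMC
    fmc.login("api-user", "Secret123")
    print(fmc.list_access_policies())
```

Keep the credentials out of the script in real use (an API-only user with a read-only role for this kind of query), and do not leave TLS verification disabled beyond the lab: the token is a bearer credential, and anything that can intercept the session can replay it until it expires.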
Page 31: Integration with Cisco Identity Services Engine
• ISE establishes a secure network (BYOD, guest access, segmentation) and propagates user context, device context and access policies to Firepower Management Center over pxGrid.
• TrustSec: FMC sets access control policies on security group tags (Employee, Supplier, Server, Guest, Quarantine, Suspicious); rules and context are propagated; breaches are remediated automatically through ISE policy automation (for example by moving an endpoint to the Quarantine tag).
Page 32: Integration with MS Terminal Server based VDI solutions
• Terminal Services Agent: route user information to Firepower; capture information using APIs; identify risky behavior.
• Diagram: User 1, User 2 and User 3 all reach the web from the same VDI / terminal server IP address; the agent reports which user owns which session to Firepower Management Center over its APIs, so access control and reporting can be per user even though the source IP is shared.
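Why a shared terminal server address needs an agent, as an added example (not Cisco code, and not the TS Agent implementation): every user session shares the server's IP, so an IP-to-user map cannot tell sessions apart. The approach modelled here gives each logged-on user a distinct block of source ports and reports (server IP, port range, user) to the management center; the firewall then maps each connection's (source IP, source port) back to a user. Pool size, block size, user names and addresses are assumptions and constructed data, not Cisco defaults.

```python
"""User identity behind a shared terminal server IP: per-session source port ranges.

Added example, not Cisco code. Port pool, block size, users and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortRange:
    start: int   # inclusive
    end: int     # inclusive

    def __contains__(self, port: int) -> bool:
        return self.start <= port <= self.end


class TerminalServerIdentityMap:
    """Tracks which user owns which source-port block on one terminal server."""

    def __init__(self, server_ip: str, pool_start: int = 20000,
                 pool_end: int = 65535, block_size: int = 1000):
        self.server_ip = server_ip
        self._free: List[PortRange] = []
        p = pool_start
        while p + block_size - 1 <= pool_end:
            self._free.append(PortRange(p, p + block_size - 1))
            p += block_size
        self._owner: Dict[PortRange, str] = {}

    def logon(self, user: str) -> PortRange:
        """Assign the next free block to a new session; fail loudly when the pool is exhausted."""
        if not self._free:
            raise RuntimeError("port pool exhausted: new sessions cannot be attributed")
        rng = self._free.pop(0)
        self._owner[rng] = user
        return rng

    def logoff(self, user: str) -> None:
        """Release every block held by the user so it can be reused by a later session."""
        for rng, owner in list(self._owner.items()):
            if owner == user:
                del self._owner[rng]
                self._free.append(rng)
        self._free.sort(key=lambda r: r.start)

    def lookup(self, src_ip: str, src_port: int) -> Optional[str]:
        """Map a flow's source tuple to a user; None = not this server, or an unattributed port."""
        if src_ip != self.server_ip:
            return None
        for rng, owner in self._owner.items():
            if src_port in rng:
                return owner
        return None

    def report(self) -> List[Tuple[str, int, int, str]]:
        """The (server, first port, last port, user) records the agent would push to FMC."""
        return sorted((self.server_ip, r.start, r.end, u) for r, u in self._owner.items())


def attribute_flows(idmap: TerminalServerIdentityMap,
                    flows: List[Tuple[str, int, str]]) -> List[Tuple[str, int, str, str]]:
    """Tag constructed (src, sport, dst) connection records with the resolved user."""
    return [(src, sport, dst, idmap.lookup(src, sport) or "unknown") for src, sport, dst in flows]


if __name__ == "__main__":
    ts = TerminalServerIdentityMap("192.168.0.23", 20000, 22999, 1000)   # constructed server
    for u in ("user1", "user2", "user3"):
        ts.logon(u)
    sample_flows = [("192.168.0.23", 20450, "www"), ("192.168.0.23", 22010, "www"),
                    ("192.168.0.23", 443, "www")]                       # constructed
    print(ts.report())
    print(attribute_flows(ts, sample_flows))
```

Two failure modes worth noticing in the code: traffic the server originates outside any allocated block (system services, or a session that logged on before the agent started) resolves to no user and should be treated as unattributed rather than silently assigned, and a full pool has to be an error, otherwise new sessions inherit someone else's identity.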
Page 33: NGFW platforms and software 'Editions'
Page 34: Fast moving target
Page 35: It is transition time, and transitions are not always easy...
• Cisco is working on multiple NGFW transitions:
  • Moving away from legacy Sourcefire appliances to new-generation platforms running the Firepower Threat Defense image;
  • Moving from legacy ASA 5500-X hardware based ASA+Firepower solutions to FTD on the same or new hardware.
• The industry is moving as well:
  • Firewall and IPS functions are getting virtualized at some points; they become Virtual Network Functions (NFV);
  • Virtualized security devices are often sold as on-demand, subscription-based 'services'.
Page 36: Cisco Firepower 'Editions'
• NGIPS (legacy Sourcefire appliances):
  • Hardware: 'legacy' Sourcefire appliance running Firepower NGIPS;
  • Virtual: x86 server, VMware ESXi, Firepower NGIPSv.
• Firepower Threat Defense (unified image):
  • Hardware: ASA55xx * running FTD; Firepower 4100 / 9300 running FX-OS with FTD;
  • Virtual: x86 server, ESXi, KVM or AWS, FTDv.
• ASA with Firepower services (hybrid):
  • ASA55xx running ASA-OS with Firepower NGIPS in a container;
  • ASA5585 chassis running ASA-OS on the ASA SSP and Firepower NGIPS on the FP SSP.
* Except ASA 5585, 5505, 5512 and 5515.
Page 37: NGFW / NGIPS HW / SW bundles overview

| Platform | Image(s) | ASA engine | Firepower engines | FX-OS | Redundancy | Embedded GUI | Centralized management | AMP extra storage | Radware DefensePro |
|---|---|---|---|---|---|---|---|---|---|
| Firepower 7K/8K | NGIPS | No * | Full | No | Stateful Active/Standby ** | Health status only | FMC | No | No |
| AMP 7K/8K | NGIPS | No * | Full | No | Stateful Active/Standby ** | Health status only | FMC | Yes | No |
| Firepower 4K-ASA | ASA | Full | No | Yes | Stateful A/S or A/A or clustering | ASDM | CSM | No | 4150 only |
| Firepower 4K-FTD | FTD | Limited | Full | Yes | Stateful A/S | FDM | FMC | Optional | No |
| Firepower 9300-ASA | ASA | Full | No | Yes | Stateful A/S or A/A and clustering | ASDM | CSM | No | Yes |
| Firepower 9300-FTD | FTD | Limited | Full | Yes | Stateful A/S or intra-chassis clustering only | FDM | FMC | No | No |
| ASA55xx-ASA | ASA | Full | No | No | Stateful A/S or A/A or clustering | ASDM | CSM | No | No |
| ASA55xx w/ FP (Hybrid) | ASA + NGIPS | Full | Full | No | Stateful A/S or A/A or clustering | ASDM | FMC + CSM | No | No |
| ASA55xx-FTD *** | FTD | Limited | Full | No | Stateful A/S | FDM | FMC | No | No |

* The NGIPS-only image has limited stateful firewall functions embedded.
** Routed mode is stateful, switched mode is stateless.
*** ASA 5505, 5512 and 5515 are not supported.
Page 38: Firepower Threat Defense
• This is Cisco's unified NGFW code. Main things to know:
  • It replaces the stateful firewall and VPN modules of the former Sourcefire code with ASA engines;
  • FTD keeps the IPS-only deployment options: physical inline, inline tap and passive (promiscuous) modes;
  • It has a unified CLI and can be fully managed by FMC (the former ASA functions as well).
• There are three important features missing that the ASA+Sourcefire 'hybrid edition' has:
  • Multiple context mode;
  • Remote access VPN;
  • Clustering.
• These missing features are being built and are going to be launched in the foreseeable future.
Page 39: FTD deployment modes
• Full firewall ports: routed or transparent mode (virtual or physical).
• IPS/IDS-only ports: inline, inline tap or passive, with fail-to-wire NetMods available for inline pairs.
Page 40: Firepower 4100 series
• Latest high-performance 1 RU platform.
• Flexible platform with hardware acceleration where needed and no bottleneck.
• Runs FX-OS as the chassis manager layer.
• 8 built-in 10G SFP+ ports and 2 network module slots.
• Multi-port 10G and 40G network modules, with fail-to-wire (hardware bypass) models.
• Modules are compatible with the FP9300 series.
• Redundant, hot-swappable power supplies and fans.
• It can run ASA or FTD 'logical devices'.
• The FP4150 can run Radware DefensePro as well, alongside ASA.
Page 41: Firepower 9300 series
• Latest high-performance 3 RU, modular platform.
• Flexible platform with hardware acceleration where needed and no bottleneck.
• Runs FX-OS as the chassis manager layer.
• 8 built-in 10G SFP+ ports and 2 network module slots.
• Multi-port 10G, 40G and 100G network modules, with fail-to-wire (hardware bypass) models.
• 10G and 40G modules are compatible with the FP4100 series.
• Redundant, hot-swappable power supplies and fans.
• It can run ASA (optionally with DefensePro) or FTD 'logical devices'.
Page 42: Hey, what is FX-OS?!
• This is how we say: welcome to NFV everywhere!
• FX-OS is a secure-boot enabled software layer that:
  • Manages the chassis hardware;
  • Runs on a separate CPU on the FP4100 and 9300 series;
  • Allocates resources to logical devices;
  • Manages logical devices;
  • Boots and updates logical devices (securely, signed packages only);
  • Has an IOS-like CLI and an HTML GUI;
  • Was built to be highly programmable over its REST API.
• No, it is not a 'bootloader' causing extra complications.
Page 43: Virtual NGFW platforms

| Platform | ASA engine | Firepower engines | Hypervisor support | Application-level redundancy | Embedded GUI | Centralized management |
|---|---|---|---|---|---|---|
| NGIPSv | No | Yes | VMware ESXi only | No | No | FMC |
| ASAv | Yes | No | ESXi, KVM, Hyper-V, Azure, AWS | Stateful Active/Standby | ASDM | CSM |
| FTDv | Yes | Yes | ESXi, KVM, AWS | Stateful Active/Standby | No | FMC |
Page 44: Firepower 6.1: what is new?
New features in Firepower 6.1
• FMCv and FTDv support on KVM;
• VDI identity FW in Windows Terminal Server based VDI environments;
• Safe Search and YouTube EDU policies (mainly for US customers);
• Official, built-in ISE remediation;
• Inline source SGT tags – not only on FTDv but on legacy Sourcefire appliances as well;
• On-premise AMP Private Cloud appliance support;
• On-box device manager (limited, no Java) for FTD on former ASA Saleen (5500-X) platforms;
• Official FMC HA (FMC 1500, 2000, 3500 and 4000 appliances only);
• REST API through FMC only at the moment; FTD is not officially supported (though certain features work for FTD appliances);
• Rate limiting – QoS phase 1 (FTD(v) only);
• Pre-filter policies (FTD(v) only);
• Site-to-site VPN for FTD (officially supported between FTD devices only at the moment; simple, 'crypto map like', no overlay routing; IKEv1 and IKEv2 are both supported);
• Multicast routing for FTD(v);
• Shared NAT policies for FTD(v), so identical NAT policies do not have to be configured separately on each and every FTD device;
• Support for fail-to-wire netmods in FP4000 and FP9300 chassis – IPS inline-pair and inline-pair tap mode interfaces only;
• Unified CLI for FTD(v) – you don't have to change to the 'diagnostic CLI' to see former ASA LINA CLI commands;
• True-IP policy enforcement (XFF).
VDI identity FW in Windows Terminal Server environments
• Supports Microsoft Windows TS environments only.
• Provides user identity information for VDI users.
• The agent sends information to FMC over the REST API and does PAT as well.
• FMC configures the sensor over eStreamer.
FMC REST API
• First REST based API opened into the Firepower system.
• FTD is officially not supported, but some parts (policy, identity) work.
• Built-in REST API explorer with script examples, available functions, etc.
• Main functions:
  • Interface, virtual switch and virtual bridge configurations (legacy NGIPS only) – already used in the NGIPS ACI device pack;
  • Identity functions – already used by the VDI identity 'TS agent';
  • Policy functions: Access Rule granularity.
• Disabled by default.
• More information: http://www.cisco.com/c/en/us/support/security/defense-center/products-programming-reference-guides-list.html
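To show what the policy functions of the FMC REST API look like from a script, here is an added example (not Cisco's code and not from the deck): it authenticates against the documented token endpoint, lists the access policies of the domain and reports enabled ALLOW/TRUST rules that send no connection events to FMC, which is the kind of read-only audit the API is convenient for. The `transport` callable and the `fake_fmc` responses are this example's own constructions so it runs offline; the rule field names (`action`, `enabled`, `sendEventsToFMC`) are those of the expanded access-rule JSON and should be confirmed in the API explorer of your FMC version.

```python
"""Read-only audit of FMC access rules over the FMC REST API (added example).

Endpoints used: POST /api/fmc_platform/v1/auth/generatetoken (HTTP basic auth;
the token and domain UUID are returned as response headers) and the per-domain
config API /api/fmc_config/v1/domain/{uuid}/policy/accesspolicies.
The `transport` callable is an assumption of this example so it can run offline.
"""
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], dict]     # HTTP status, headers, JSON body
Transport = Callable[[str, str, Dict[str, str], Optional[Tuple[str, str]]], Response]

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
CONFIG_PATH = "/api/fmc_config/v1/domain/{domain}"


class FmcClient:
    def __init__(self, base_url: str, transport: Transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token: Optional[str] = None
        self.domain_uuid: Optional[str] = None

    def login(self, username: str, password: str) -> str:
        """Exchange basic-auth credentials for a session token (FMC answers 204 with headers)."""
        status, headers, _ = self.transport("POST", self.base_url + TOKEN_PATH, {}, (username, password))
        if status not in (200, 204) or "X-auth-access-token" not in headers:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self.token = headers["X-auth-access-token"]
        self.domain_uuid = headers["DOMAIN_UUID"]
        return self.domain_uuid

    def _get(self, path: str) -> dict:
        if self.token is None:
            raise RuntimeError("call login() first")
        headers = {"X-auth-access-token": self.token, "Accept": "application/json"}
        status, _, body = self.transport("GET", self.base_url + path, headers, None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return body

    def _domain(self) -> str:
        return CONFIG_PATH.format(domain=self.domain_uuid)

    def list_access_policies(self) -> List[Tuple[str, str]]:
        body = self._get(self._domain() + "/policy/accesspolicies?limit=100")
        return [(p["name"], p["id"]) for p in body.get("items", [])]

    def list_access_rules(self, policy_id: str) -> List[dict]:
        # expanded=true returns full rule objects instead of name/id references
        path = self._domain() + f"/policy/accesspolicies/{policy_id}/accessrules?expanded=true&limit=1000"
        return self._get(path).get("items", [])


def unlogged_allow_rules(rules: List[dict]) -> List[str]:
    """Names of enabled ALLOW/TRUST rules that send no connection events to FMC."""
    return [r["name"] for r in rules
            if r.get("enabled", True)
            and r.get("action") in ("ALLOW", "TRUST")
            and not r.get("sendEventsToFMC", False)]


# Constructed offline stand-in for an FMC (sample data, not a real response).
SAMPLE_DOMAIN = "e276abec-e0f2-11e3-8169-6d9ed49b625f"   # constructed UUID
SAMPLE_RULES = [
    {"name": "Branch-Web", "action": "ALLOW", "enabled": True, "sendEventsToFMC": True},
    {"name": "Backup-Trust", "action": "TRUST", "enabled": True, "sendEventsToFMC": False},
    {"name": "Old-Allow", "action": "ALLOW", "enabled": False, "sendEventsToFMC": False},
    {"name": "Block-Tor", "action": "BLOCK", "enabled": True, "sendEventsToFMC": False},
]


def fake_fmc(method: str, url: str, headers: Dict[str, str], auth) -> Response:
    """Constructed transport that answers the two calls the client makes."""
    if method == "POST" and url.endswith(TOKEN_PATH):
        if auth != ("apiuser", "apipass"):
            return 401, {}, {}
        return 204, {"X-auth-access-token": "tok-123", "DOMAIN_UUID": SAMPLE_DOMAIN}, {}
    if headers.get("X-auth-access-token") != "tok-123":
        return 401, {}, {}
    if url.endswith("/policy/accesspolicies?limit=100"):
        return 200, {}, {"items": [{"name": "Branch-ACP", "id": "acp-1", "type": "AccessPolicy"}]}
    if "/policy/accesspolicies/acp-1/accessrules" in url:
        return 200, {}, {"items": SAMPLE_RULES}
    return 404, {}, {}


def audit(base_url: str = "https://fmc.example.invalid", transport: Transport = fake_fmc) -> Dict[str, List[str]]:
    """Per access policy, the rules that allow traffic without logging it."""
    client = FmcClient(base_url, transport)
    client.login("apiuser", "apipass")
    return {name: unlogged_allow_rules(client.list_access_rules(pid))
            for name, pid in client.list_access_policies()}


if __name__ == "__main__":
    print(audit())   # {'Branch-ACP': ['Backup-Trust']}
```

Against a real FMC, replace `fake_fmc` with a small wrapper around an HTTPS library that verifies the FMC certificate, and keep the account used for the API read-only; the API is disabled by default and must be turned on in the FMC settings first.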
On-box device manager
• Officially called: Firepower Device Manager (FDM).
• Java-less embedded GUI for FTD on ASA 55xx devices only at the moment.
• It is not supported to work in parallel with FMC (centralized management).
• Primary usage scenarios:
  • Small business with no IT security personnel;
  • Initial provisioning by an onsite technician.
• Limited functionality which is going to be improved step by step in forthcoming releases.
• It has an 'Easy Setup Wizard' which can be useful during provisioning, even if FMC takes over later on.
• You may read more here: http://www.cisco.com/c/en/us/support/security/defense-center/products-programming-reference-guides-list.html
Rate Limiting – QoS Phase 1
• Supported on FTD devices managed by FMC only.
• Uses bi-directional rate limiters; no shaping and no bandwidth reservation at the moment.
• Separate QoS policy object which can be mapped to one or more devices.
• One device can have one QoS policy only.
• The QoS policy rules can use the same object DB and conditions as other policies.
• Rate limiters are applied per interface when configured for zones:
  • E.g. the DMZ zone has two interfaces, 'dmz1' and 'dmz2';
  • A QoS policy rule applies a 20 Mbps upload limit for an application towards the DMZ zone;
  • FTD limits the traffic to 20 Mbps upload on each interface separately, which means an aggregate of 40 Mbps for the whole zone.
• Note: this is phase one only. QoS is actively developed in forthcoming releases.
Pre-filter policy on FTD
• Before 6.1, Firepower automatically inspected clear-text tunneled packets.
• Pre-filter policies can match:
  • GRE, IP-in-IP, 6in4 and Teredo tunnels based on 'port' numbers or custom tunnel policies;
  • Source/destination interfaces, subnets and ports.
• The pre-filter policy is applied before the Access Control Policy.
• One pre-filter policy can be enforced on a certain FTD device.
• Actions:
  • Block – drops the packet;
  • Fastpath – forwards the packets without additional inspection; if possible, forwards in the SmartNIC (no data-plane CPU usage);
  • Analyze – analyzes the packet as per the matching Access Control Policy rule.
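The evaluation order the pre-filter slide describes, as an added example (not Cisco's code and not from the deck): the pre-filter policy is consulted first, a Block or Fastpath match ends processing there, and only traffic that reaches Analyze (or matches no pre-filter rule) is handed to the Access Control Policy, whose default action here is block. How tunnels are recognised is this example's own assumption: by IP protocol number (GRE = 47, IP-in-IP = 4, 6in4 = 41) or by Teredo's UDP port 3544; the rule and packet sets are constructed sample data.

```python
"""Toy model of FTD pre-filter evaluation ahead of the Access Control Policy (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

TUNNEL_PROTOCOLS = {47: "GRE", 4: "IP-in-IP", 41: "6in4"}   # IP protocol numbers (assumed mapping)
TEREDO_UDP_PORT = 3544                                      # Teredo is UDP/3544


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: int          # IP protocol number: 6 TCP, 17 UDP, 47 GRE, ...
    dport: int = 0

    def tunnel_type(self) -> Optional[str]:
        """Classify the outer header as one of the tunnel types the pre-filter can match."""
        if self.proto in TUNNEL_PROTOCOLS:
            return TUNNEL_PROTOCOLS[self.proto]
        if self.proto == 17 and self.dport == TEREDO_UDP_PORT:
            return "Teredo"
        return None


@dataclass
class Rule:
    """One pre-filter or access-control rule; an empty condition list means 'any'."""
    name: str
    action: str                                   # block | fastpath | analyze | allow
    tunnels: List[str] = field(default_factory=list)
    src_zones: List[str] = field(default_factory=list)
    dst_zones: List[str] = field(default_factory=list)
    src_nets: List[str] = field(default_factory=list)
    dst_nets: List[str] = field(default_factory=list)
    dports: List[int] = field(default_factory=list)

    def matches(self, p: Packet) -> bool:
        def in_nets(addr: str, nets: List[str]) -> bool:
            return not nets or any(ip_address(addr) in ip_network(n) for n in nets)
        return ((not self.tunnels or p.tunnel_type() in self.tunnels)
                and (not self.src_zones or p.src_zone in self.src_zones)
                and (not self.dst_zones or p.dst_zone in self.dst_zones)
                and in_nets(p.src, self.src_nets)
                and in_nets(p.dst, self.dst_nets)
                and (not self.dports or p.dport in self.dports))


def first_match(rules: List[Rule], p: Packet) -> Optional[Rule]:
    return next((r for r in rules if r.matches(p)), None)


def evaluate(prefilter: List[Rule], acp: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (stage, verdict). Pre-filter decides first; only 'analyze' (or no
    pre-filter match) hands the packet to the ACP, whose default action is block."""
    r = first_match(prefilter, p)
    if r is None or r.action == "analyze":
        a = first_match(acp, p)
        if a is None:
            return ("acp", "block (default action)")
        return ("acp", f"{a.action} by {a.name}")
    if r.action == "block":
        return ("prefilter", f"drop by {r.name}")
    return ("prefilter", f"fastpath by {r.name} (no further inspection)")


# Constructed sample policy: GRE between the two branch blocks is fast-pathed,
# Teredo is dropped outright, everything else is analyzed by the ACP.
PREFILTER = [
    Rule("Block-Teredo", "block", tunnels=["Teredo"]),
    Rule("Fastpath-Branch-GRE", "fastpath", tunnels=["GRE"],
         src_nets=["10.1.0.0/16"], dst_nets=["10.2.0.0/16"]),
    Rule("Default-Analyze", "analyze"),
]
ACP = [
    Rule("Allow-Web", "allow", src_zones=["inside"], dst_zones=["outside"], dports=[80, 443]),
]

# Constructed sample packets (addresses from private/documentation ranges).
SAMPLE_PACKETS: Dict[str, Packet] = {
    "gre-branch":  Packet("inside", "outside", "10.1.5.5", "10.2.7.7", 47),
    "teredo":      Packet("inside", "outside", "10.1.5.5", "203.0.113.9", 17, 3544),
    "https":       Packet("inside", "outside", "10.1.5.5", "203.0.113.9", 6, 443),
    "ssh":         Packet("inside", "outside", "10.1.5.5", "203.0.113.9", 6, 22),
    "gre-unknown": Packet("inside", "outside", "192.168.1.1", "10.2.7.7", 47),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    return {name: evaluate(PREFILTER, ACP, p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (stage, verdict) in run_samples().items():
        print(f"{name:12s} {stage:9s} {verdict}")
```

The last sample packet is the one worth noticing: a GRE tunnel from a source outside the fast-path rule's subnet is not fast-pathed but falls through to Analyze and then to the ACP default, so narrowing the Fastpath conditions to known tunnel endpoints keeps unexpected tunnels under inspection.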
Cisco Meraki Cloud Managed networks
Cisco Meraki Cloud Managed Networking Overview
Cisco Cloud Managed Networking (Meraki)
• Wireless Access Points (MR series)
• Layer 2 and Layer 3 switches (MS series)
• Security Gateways (MX series)
• IP Telephony (MC47)
• Mobile Device Management (Meraki Systems Manager)
• More on Meraki: http://meraki.cisco.com
Cisco Cloud Managed Networking (Meraki)
• Unified cloud-based management: the 'Dashboard'.
• A complete enterprise network can be modeled with Meraki.
• Dashboard hierarchy: one 'Organization' includes one or more 'Networks'.
• Role Based Access Control.
• Advanced networking functions.
• Simple and fast deployment.
• Advanced troubleshooting functions.
• Partners can easily sell it as a 'Managed Networking Service'.
• Since it is fully cloud managed, it is 'cloud supported' as well: it is Cisco who checks the log files in CLI shells, etc. for you.
Meraki Wireless
• Quality 802.11n and 802.11ac, indoor and outdoor Access Points
• Dedicated 'security' radios to detect RF interference and L1 / L2 attacks
• The Dashboard has an integrated CMX Location Analytics function
• Wireless mesh capabilities
• Seamless roaming (802.11r)
• Advanced QoS
• Advanced RF optimization and monitoring
• Extensive client monitoring and profiling
• Paid (guest) access (PayPal)
Meraki Wireless Security
• Multiple authentication types:
  • WPA(2)-PSK
  • WPA(2)-Enterprise: Meraki (back-end) or RADIUS (can be ISE)
  • Open, with optional web authentication: RADIUS, LDAP, Facebook, Google, AUP only...
  • Web authentication can be combined with WPA (and NAC)
• Air Marshal WIPS with automated or manual containment
• NAT mode with optional peer-to-peer traffic restrictions within an SSID
• L3 and L7 (AVC) firewall and URL filtering
• Meraki MDM (Systems Manager) integration
• Simplified NAC (host compliance) that works with web authentication
• VPN tunneling from AP to a central MX Security Gateway (remote / small office solution)
Meraki wired LAN Switches
• Many L2 and L3 models, some of them can be stacked
• 10G and NBASE-T multi-gigabit technology support
• PoE and PoE+ support
• Advanced QoS
• Security functions
• Useful troubleshooting tools: packet capture, cable test, etc.
Meraki wired LAN security
• Port Security
• DHCP Guard
• Port isolation (PVLAN)
• Multiple authentication technologies:
• Web authentication;
• 802.1X with Meraki backend or external RADIUS server.
• L3 and L7 (AVC) packet filtering
Meraki MX Security Gateways – Cisco UTM
Cisco Meraki MX Security Gateway overview
• This is a UTM. It has advanced and integrated security features implemented in a simplified way.
• Multiple hardware options, some with a built-in Access Point.
• Cloud managed over the Dashboard with cross-device (MR, MX, MS) group policies.
• Advanced site-to-site VPN (iWAN).
• Flexible balancing between two ISP uplinks.
• AVC and URL filtering.
• Advanced QoS (shaping, policing, dynamic routing between uplinks based on latency, etc.).
• 3G / 4G support with external USB attached modems.
• Active / Standby stateless failover support.
Meraki MX Security
• L3–L7 firewall with Meraki cloud application detection.
• Snort IPS engine with built-in rules and minimal customization.
• Anti-malware:
  • Currently Kaspersky;
  • Soon: Cisco AMP with ThreatGrid.
• Dynamic URL filtering.
• Geolocation based filtering.
• Web authentication.
• ID firewall with Active Directory integration.
Meraki MX models

| Model | Where | Throughput | Notable features | Price (USD list) |
|---|---|---|---|---|
| MX64/64W | Small branch (~50 clients) | 250 Mbps (FW), 200 Mbps (UTM) | 11ac wireless (MX64W) | $595/$945 |
| MX65/65W | Small branch (~50 clients) | 250 Mbps (FW), 200 Mbps (UTM) | PoE+, dual WAN, 802.11ac | $945/$1,245 |
| MX84 | Mid-size branch (~200 clients) | 500 Mbps (FW), 300 Mbps (UTM) | SFP ports | $1,995 |
| MX100 | Mid-size branch / small campus (~500 clients) | 750 Mbps (FW), 650 Mbps (UTM) | SFP ports | $4,995 |
| MX400 | Large branch / campus (~2,000 clients) | 1 Gbps (FW), 1 Gbps (UTM) | Power redundancy, modular interface, SFP or SFP+ (with modules) | $15,995 |
| MX600 | Campus / VPN concentration (~10,000 clients) | 1 Gbps (FW), 1 Gbps (UTM) | Power redundancy, modular interface, SFP or SFP+ (with modules) | $31,995 |
| Z1 | For teleworkers (1-5 users) | 50 Mbps (FW) | Dual-radio wireless | |

All devices support 3G/4G.
Example: MX65W hardware elements included
MX ordering and BoM example
• Ordering a Cisco Meraki unit requires two items:
  • Hardware
  • 1, 3, 5, 7 or 10 years license
• Example: MX84 with 3 years Advanced Security licence (Meraki MX, USD):

| Name | Catalog Num | Vendor | Description | Qty | Unit Price | Duration | Prorated Unit List Price | Extended Price | Discount % | Total Price |
|---|---|---|---|---|---|---|---|---|---|---|
| LIC-MX84-SEC-3YR | LIC-MX84-SEC-3YR | Cisco | Meraki MX84 Advanced Security | 1 | 4000,00 | 0 | 4000,00 | 4000,00 | 0,00 | 4000,00 |
| MX84-HW | MX84-HW | Cisco | Meraki MX84 Cloud Managed Security Appliance | 1 | 1995,00 | 0 | 1995,00 | 1995,00 | 0,00 | 1995,00 |
| Total | | | | | | | | | | 5995,00 |
Meraki MX VPN
• Simple RA VPN using the native VPN capabilities of common operating systems.
• AnyConnect based RA VPN is on the roadmap.
• Hub & spoke or mesh site-to-site VPN among Meraki devices:
  • Automated configuration;
  • The IPsec and IKE policies cannot be tuned;
  • Split or full tunneling (it is possible to concentrate Internet breakout to a dedicated hub location);
  • iWAN capabilities: in case of dual WAN uplinks, it is possible to have dual VPN connections with quality based routing.
• IPsec/IKEv1 site-to-site VPN tunnels to other Cisco and 3rd party devices:
  • IKEv1;
  • Pre-shared key;
  • Possible to tune IKEv1 and IPsec settings in this case.
Meraki MX vs. Cisco ISR

| Feature | Description | On-premise: Cisco ISR | Cloud managed: Meraki MX |
|---|---|---|---|
| Intelligent Path Selection | Load Balancing | Yes | Yes |
| | Policy-Based Path Selection | Yes (L7 / app level) | Yes (L3-L4, based on loss, jitter, latency) |
| | Number of Paths Supported | Multiple (Any Transport) | 2 (Broadband, 4G, MPLS) |
| | Rapid Failure Detection and Mitigation | Yes (Blackout & Brownout) | Yes |
| Security & Compliance | Virtual Private Network | Yes | Yes |
| | Firewall | Yes | Yes |
| | Intrusion Prevention & Detection | Yes (Snort) | Yes (Snort) |
| | Content/URL Filtering | Yes (Cloud Web Security) | Yes (Built-in) |
| | Anti-Virus / Malware Detection | AMP | AMP |
| Transport Independence | WAN Connectivity | T1/E1, T3/E3, Serial, xDSL, Ethernet | Ethernet |
| | Cellular | Yes (Integrated/Module) | Yes (Dongle) |
| | IPv6 | Yes | Planned (2H2016) |
| Application Optimization | WAN Optimization | Yes (WAAS) | No |
| | Content Caching | Yes (Akamai) | Yes (Squid-Cache) |
| | Application Visibility | Yes | Yes |
| | Congestion Control | Yes (HQoS) | Yes (L7 Traffic prioritization) |
| Unified Communications | Voice Gateway | Yes | No |
| | Session Border Controller | Yes | No |
| | Call Control Agent | Yes | No |
| Routed Protocols | OSPF | Yes | Supported at the headend |
| | EIGRP | Yes | No |
| | BGP | Yes | Planned (FY17) |
| Integrated Storage & Compute | Integrated Compute | Yes (UCS E-Series) | No |
Meraki MX vs. ASA/Firepower major differences
• Less granular and less flexible policies.
• Less customizable and less granular logging.
• Less granular reporting and monitoring.
• No AMP4E integration (network AMP is on the roadmap only).
• No granular file filtering.
• Less granular AVC functionality, no integration with the IPS engine.
• Far less customizable IPS (Snort) engines, no customization of preprocessors at all.
• No multiple context mode.
• Less granular "Forensics" capabilities.
• Host profiling is less granular and not security focused.
• No built-in vulnerability analysis engine.
• No IoC support.
• No IPv6 support yet.
• Etc.
Real quick demo and Q&A
• With this offer, you will:
  • Gain valuable information on your network, including critical attacks
  • Reduce risk and make security a growth engine for your business
• This offer is valid through December 29th, 2016 in Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, Netherlands, Norway, Spain, Sweden, Switzerland and United Kingdom.
• For more information and to request a Threat Scan POV, go to www.cisco.com/go/threatscanpov