Page 1

New methods to protect the network. Deeper visibility with Cisco NGFW – Next Generation Firewall
Claudiu Onisoru, Senior Network Specialist
Cisco Connect - 15 May 2014

2014 Frontal Communication. All rights reserved

Page 2

Agenda

• Frontal Communication: Who we are?

- Key points

- Competencies Areas

- Cisco Partnership

• Cisco NGFW – Next Generation Firewall.

- Introduction

- Hardware overview

- Packet flow

- Management architecture

Page 3

Key Points

‣ Established in 1994
‣ Top Romanian SYSTEM INTEGRATOR
‣ Cisco GOLD Partner
‣ Oracle Gold Partner
‣ VMware Partner Enterprise Solution Provider
‣ EMC Premier Velocity Partner
‣ Areas of competency in Infrastructure, Datacenter, Multiservice, Security
‣ VMware Training Center due to strategic partnership with Omnilogic and Cisco Authorized Training Center
‣ Testing Center PEARSON VUE and PROMETRIC due to strategic partnership with Omnilogic
‣ VCE partner
‣ Citrix Silver Solution Advisor Partner

Page 4

Competencies Areas

DATA CENTER
• Storage
• Switching
• Applications
• Security
• Network Management

UNIFIED COMMUNICATION
• IP Telephony
• Applications
• Contact Center
• Voice Management
• Call accounting

SECURITY
• Firewall
• Attack and Intrusion Prevention
• Spam and Virus Protection
• Virtual Private Networks
• Network Admission Control
• Security Management
• Physical Security
• Web and Email security
• Video Surveillance
• Identity Services Engine

MOBILITY SOLUTIONS
• Wireless LAN
• Remote Access
• Business Class Teleworker Solutions
• Mobile Solutions for Unified Communications

NETWORK SYSTEMS
• Routing
• LAN Switching
• Network Management

Page 5

Cisco Partnership

Certifications
• Gold Certified Partner

Specialization
• Advanced Collaboration Architecture (1st in Romania and Region)
• Advanced Borderless Architecture
• Advanced Routing & Switching
• Advanced Security
• Advanced Data Center Architecture

Other Authorizations
• Cisco Learning Partner Associate
• Smart Care Registered Partner
• Academy Network Partner
• Customer Satisfaction Excellence
• ATP Telepresence Express
• ATP Identity Services Engine
• ATP IP Interoperability and Collaborative System (the only one in Romania)

Page 6

Cisco NGFW – Next Generation Firewall

- Introduction

- Hardware overview

- Packet flow

- Management architecture

Page 7

Firewall Evolution

Phase 1: IP & Ports
Phase 2: Applications & Users
Phase 3: Full Context-Awareness

ASA NGFW adds context-aware security to the ASA product line.

PRSM provides common management experience.

Page 8

Cisco Next Generation Firewall

• Built on the best-of-breed ASA stateful inspection firewall
• Applies NAT to embedded application protocol data
• Integrates with many other solutions, including: Unified Communications technologies, Active Directory, etc.
• Acts as a VPN termination: site-to-site, remote access, and clientless SSL VPN
• Provides next-generation firewall (NGFW) services:
  Web reputation for malware protection
  URL filtering to enforce acceptable use
  Application visibility and control (AVC)
  Threat protection (NGFW IPS)

Page 9

How ASA NGFW Addresses Access Control

• Beyond ports and protocols
  Who: Identity and Authentication
  What: Application, URL Category, Reputation
  How: Device, OS, User Agent, Posture
  Where: Local, Remote

Page 10

Application Visibility and Control

1,200+ apps; 150,000+ MicroApps (application behavior)

• Enforcing acceptable usage
• Greatest control and visibility over mobile, collaborative, and web 2.0 applications
• Ensures security of (and from) port-hopping applications, such as Skype and BitTorrent
• Granular enforcement of behaviors within applications
• Visibility of activity across the network
• Visit http://asacx-cisco.com

Page 11

Application Visibility and Control

Supports approximately 1,200 applications
• By default, PRSM and ASA NGFW check for application signature updates every 5 minutes

Powered by the Cisco® Security Intelligence Operation (SIO)

Supported applications are recognized on any port

Supports 3 levels of granularity
• Application type
  Examples: Collaboration, Facebook, games, social networking
• Application
  Examples: BitTorrent, Cisco phones, ftp-agent, Google Translate, iTunes, LDAP, oracle-sqlnet, RADIUS, WCCP, WebEx®
• Application behavior
  For example, you could allow the collaboration application type, but not allow uploads

Page 12

Web Security Essentials: Reputation

Default web reputation profile (scale from -10 through +10):
• Suspicious: -10 through -6
• Not suspicious: -5.9 through +10

Site descriptions shown at the malicious end of the scale:
• Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
• Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
• Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.

Site descriptions shown at the trusted end of the scale:
• Sites with some history of responsible behavior or 3rd party validation.
• Well managed, responsible content syndication networks and user generated content.
• Sites with long history of responsible behavior. Have significant volume and are widely accessed.

Page 13

Web Security Essentials: URL Filtering

• Used to enforce acceptable use
• Predefined and custom URL categories
• Utilizes application signatures
• By default, PRSM and NGFW check for updates every 5 minutes
• 78 predefined URL categories
• 20,000,000+ URLs categorized
• 60+ languages
• Powered by the Cisco® Security Intelligence Operation (SIO)

Page 14

Cisco NGFW IPS (New with NGFW 9.2)

Simplified Operation
• Policy is driven by risk acceptance
• Threats are the focus, not signatures

Rich Policy Options
• IPS policy is part of the overall NGFW access policy
• References application awareness
• References source reputation

Highly Dynamic
• Daily and hourly updates available: threats / signatures, reputation feeds, parsing engines

Page 15

Cisco NGFW – Next Generation Firewall

- Introduction

- Hardware overview

- Packet flow

- Management architecture

Page 16

ASA NGFW – Front View

• Two Hard Drives, RAID 1 (Event Data)
• 10GE and GE ports
• Two GE Management Ports
• 8 GB eUSB (System)

Page 17

Cisco MultiScale Performance: Next-Generation Security for the Internet Edge

Positioning: Branch Locations; Small / Medium Internet Edge

Model        NGFW       NGFW + IPS   Connections   CPS
ASA 5512-X   200 Mbps   60 Mbps      100K          10,000
ASA 5515-X   350 Mbps   90 Mbps      250K          15,000
ASA 5525-X   650 Mbps   300 Mbps     500K          20,000
ASA 5545-X   1 Gbps     450 Mbps     750K          30,000
ASA 5555-X   1.4 Gbps   600 Mbps     1M            50,000

Page 18

Cisco MultiScale Performance: Next-Generation Security for the Internet Edge

Positioning: Medium Internet Edge

Model            NGFW      NGFW + IPS   Connections   CPS       Notes
ASA 5585-SSP10   2 Gbps    1 Gbps       500K          40,000
ASA 5585-SSP20   5 Gbps    1.5 Gbps     1 Million     75,000
ASA 5585-SSP40   9 Gbps    2.5 Gbps     1.8 Million   120,000   New with 9.2
ASA 5585-SSP60   13 Gbps   4 Gbps       4 Million     160,000   New with 9.2

Page 19

Cisco NGFW – Next Generation Firewall

- Introduction

- Hardware overview

- Packet flow

- Management architecture

Page 20

Functional Distribution: Multiple Policy Decision Points

ASA Module
• IP Fragmentation
• IP Option Inspection
• TCP Intercept
• TCP Normalization
• ACL
• NAT
• VPN Termination
• Routing
• Botnet Traffic Filter

NGFW Services Module
• TCP Proxy
• TLS Proxy
• AVC
• HTTP Inspection
• URL Category/Reputation
• NGFW IPS

Page 21

Day-in-the-life of a packet -- example

• Note: Details of the flow differ for different traffic characteristics

Stages shown: Auth/Access Policy, Broad AVC, TLS Proxy, TCP Proxy, Access Policy, HTTP Inspector, Packet Egress, Active Auth

1. Determine Protocol and Application
2. Check L3/L4 and Identity Access Policies
3. Handle TCP 3-way handshake
4. Proxy encryption to decrypt traffic for inspection
5. Determine Application, URL Category, Reputation, User Agent
6. If passive auth not available, authenticate using NTLM, Kerberos, or Basic auth
7. Allow or Deny verdict based on access policy
8. Return packet back to the ASA SSP with an allow verdict
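The access-policy walk on this page (Who/What/Where criteria from page 9, applications recognized on any port, the default web reputation profile from page 12, and the final allow/deny verdict), as an added Python example that is not part of the presentation or of Cisco's code. The Flow and Rule field names, the placement of the reputation check as its own decision point ahead of the rule walk, and the default-deny fallback are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

def is_suspicious(score: float) -> bool:
    """Default web reputation profile from the slide: -10 through -6 is
    suspicious, -5.9 through +10 is not. Out-of-range feed values are rejected."""
    if not -10.0 <= score <= 10.0:
        raise ValueError(f"reputation score out of range: {score}")
    return score <= -6.0

@dataclass
class Flow:
    """What the NGFW knows about one connection (hypothetical field names)."""
    dst_port: int
    user: Optional[str] = None            # filled by passive or active auth
    groups: frozenset = frozenset()       # directory group membership (Who)
    app_type: Optional[str] = None        # e.g. "collaboration" (What)
    application: Optional[str] = None     # e.g. "BitTorrent", found on any port
    behavior: Optional[str] = None        # e.g. "upload"
    reputation: Optional[float] = None    # None until the HTTP inspector runs
    location: str = "local"               # "local" or "remote" (Where)

@dataclass
class Rule:
    """One access-policy line; criteria left as None match anything."""
    name: str
    action: str                           # "allow" or "deny"
    groups: Optional[frozenset] = None
    app_type: Optional[str] = None
    application: Optional[str] = None
    behavior: Optional[str] = None
    location: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if self.groups is not None and not (self.groups & f.groups):
            return False
        return all(getattr(self, a) is None or getattr(self, a) == getattr(f, a)
                   for a in ("app_type", "application", "behavior", "location"))

def evaluate(flow: Flow, rules: list, default: str = "deny") -> tuple:
    """Return (verdict, reason): the reputation profile vetoes first, then the
    first matching rule wins. This ordering and default-deny are assumptions."""
    if flow.reputation is not None and is_suspicious(flow.reputation):
        return "deny", "suspicious web reputation"
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "no rule matched"

# Constructed policy: the slide's "allow collaboration, but not uploads", plus a
# BitTorrent block that holds on any port because AVC classifies by signature.
POLICY = [
    Rule("block-bittorrent", "deny", application="BitTorrent"),
    Rule("no-collab-upload", "deny", groups=frozenset({"staff"}),
         app_type="collaboration", behavior="upload"),
    Rule("allow-collab", "allow", groups=frozenset({"staff"}), app_type="collaboration"),
]

def verdict(flow: Flow) -> str:
    return evaluate(flow, POLICY)[0]
```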

Page 22

TLS Proxy acts as a Liaison

• Two separate sessions, separate certificates, and keys
• ASA NGFW acts as a CA, and issues a certificate for the web server

Corporate Network <-> TLS Proxy (client-side session):
1. Negotiate algorithms
3. Generate proxied server certificate
4. Client authenticates "server" certificate (certificate is generated dynamically with destination name but signed by ASA NGFW)
5. Generate encryption keys
6. Encrypted data channel established

TLS Proxy <-> Web Server (server-side session):
1. Negotiate algorithms
3. Authenticate server certificate
5. Generate encryption keys
6. Encrypted data channel established

Page 23

TLS Proxy Extends NGFW Services to TLS Traffic

Decrypts SSL and TLS traffic across any port
• Self-signed certificate can be downloaded and added to trusted root certificate store on client

Self-signed (default) certificate or customer certificate and key

Decryption policies determine which traffic to decrypt
• ASA NGFW cannot determine the host name in the client request to choose a decryption policy because the traffic is encrypted
• FQDN and URL Category are determined using the server certificate

If the decision is made to decrypt, ASA NGFW acts as the liaison
• A new certificate is created, signed by ASA NGFW or by the customer CA
• Information such as FQDN and validity dates are copied from the original certificate
• Name mismatches and expired certificate errors are ignored
• Name mismatches and expired certificate errors must be handled by the client

Page 24

Active Authentication

Requires HTTP request to initiate authentication
1. ASA NGFW sees HTTP request from a client to a remote website
2. ASA NGFW redirects the client to the ASA inside interface (port 885 by default)
   Redirect is accomplished by sending a proxy redirect to the client (HTTP return code 307) - spoofing the remote website
3. ASA sends a client authentication request (HTTP return code 401)
4. After authentication, the ASA NGFW redirects the client back to the remote website (HTTP return code 307)

After authentication, the ASA NGFW uses the IP address to track the user
• Both HTTP and non-HTTP traffic will now be associated with the user

Integrates with enterprise infrastructure
Supported directories include:
• Microsoft Active Directory
• OpenLDAP
• IBM Tivoli Directory Server

Page 25

Example active authentication

Participants: Client, ASA & CX, Target Server

1. Client -> ASA & CX: Client HTTP request
2. ASA CX policy: Active Authentication required
3. ASA & CX -> Client: HTTP (307) redirect to ASA CT-Proxy port (default port 885)
4. ASA & CX -> Client: HTTP (407) Auth. required
5. Client -> ASA & CX: Forward authentication data
6. ASA & CX: Validate credentials with ADI service
7. ASA & CX -> Client: HTTP (307) redirect again to final destination
8. Client -> ASA & CX -> Target Server: Regular HTTP traffic (forward HTTP traffic)
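The redirect exchange on pages 24 and 25, as an added Python simulation of the ASA NGFW side; this is not code from the presentation or from the product. The 10.0.0.1 inside-interface address, the directory contents standing in for the ADI lookup, and the Basic-only challenge are constructed assumptions.

```python
import base64
from urllib.parse import parse_qs, quote, urlsplit

ASA_INSIDE = "10.0.0.1"   # constructed inside-interface address
AUTH_PORT = 885           # default active-authentication port from the slide
DIRECTORY = {"alice": "s3cret"}   # constructed stand-in for the ADI/directory lookup

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class ActiveAuthProxy:
    """Simulates the ASA NGFW side of the exchange. Each call returns the
    (status, headers) the client would get back for one HTTP request."""

    def __init__(self):
        self.ip_to_user = {}   # identity is tracked by client IP after auth

    def lookup_user(self, client_ip: str):
        return self.ip_to_user.get(client_ip)

    def handle(self, client_ip: str, url: str, headers=None) -> tuple:
        headers = headers or {}
        parts = urlsplit(url)
        if parts.hostname == ASA_INSIDE and parts.port == AUTH_PORT:
            return self._auth_endpoint(client_ip, parts.query, headers)
        user = self.ip_to_user.get(client_ip)
        if user is not None:
            # After authentication: known IP, forward with the identity attached.
            # Any other host sharing this IP (NAT, proxy) inherits the mapping.
            return 200, {"X-Identity": user}
        # Step 2: unauthenticated client gets a 307 to the ASA inside interface,
        # sent in place of the remote site's own response.
        target = quote(url, safe="")
        return 307, {"Location": f"http://{ASA_INSIDE}:{AUTH_PORT}/auth?redirect={target}"}

    def _auth_endpoint(self, client_ip: str, query: str, headers: dict) -> tuple:
        target = parse_qs(query).get("redirect", [""])[0]
        if urlsplit(target).scheme not in ("http", "https"):
            target = "/"   # refuse to bounce the client to a non-web destination
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                user, password = "", ""
            if user and DIRECTORY.get(user) == password:
                # Step 4: credentials validated; remember the IP and send the
                # client back to the site it originally asked for.
                self.ip_to_user[client_ip] = user
                return 307, {"Location": target}
        # Step 3: challenge (slide 24 uses 401; the slide 25 diagram shows 407)
        return 401, {"WWW-Authenticate": 'Basic realm="ASA NGFW"'}
```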

Page 26

Passive Authentication

Endpoint must be a domain member
Supported for all traffic and all clients

Utilizes the Cisco® Context Directory Agent (CDA), which includes:
• Standalone, Linux-based server that can be run as a virtual machine (VM)
• Intuitive, web-based GUI, and Cisco IOS® Software-style CLI
• CDA gathers information from Active Directory server
• CDA caches information
• ASA NGFW/PRSM queries CDA for user information
• ASA NGFW/PRSM queries Active Directory server for group membership information

Page 27

Cisco NGFW – Next Generation Firewall

- Introduction

- Hardware overview

- Software overview

- Packet flow

- Management architecture

Page 28

Cisco Prime Security Manager (PRSM)

• Built-in
  – Configuration
  – Eventing
  – Reporting
• Off-box
  – Configuration
  – Eventing
  – Reporting
  – Multi-device Manager for ASA NGFW (CX)
  – Role Based Access Control
  – Virtual Machine or UCS Appliance
  – PRSM Virtual Machine supports VMware ESX 4.1+

Page 29

PRSM ASA CX communication

ASA NGFW <-> PRSM, over HTTPS:
• RESTful XML [REST = Representational State Transfer]
• Reliable Binary Logging

Cisco SIO -> ASA NGFW / PRSM, over HTTPS:
• Application Identification Updates

Page 30

Q & A