Next Generation Firewall Services for the ASA, presented by Eric Kostlan
DESCRIPTION
The new Cisco firewalls
TRANSCRIPT
-
2012 Cisco and/or its affiliates. All rights reserved. 1
Next Generation Firewall Services for the ASA, May 2013. Presenter: Eric Kostlan
-
At the conclusion of this presentation and demonstration, you will be able to:
Describe the ASA NGFW and PRSM architecture
Describe the features of the ASA NGFW: Application Visibility and Control (AVC), Web Security Essentials
Utilize the policy framework: policy objects, policies, policy sets; device and object discovery
-
Architecture
Policy framework
Device import
Eventing and reporting
Demonstration
-
Hardware (diagram): two hard drives in RAID 1 (event data); 10GE and GE ports; two GE management ports; 8 GB eUSB (system)
-
Built-in (on-box) management: configuration, eventing, reporting
Off-box management with PRSM: configuration, eventing, reporting; multi-device manager for ASA CX; role based access control; runs as a virtual machine or on a UCS appliance; the PRSM virtual machine supports VMware ESXi
-
Communication diagram: ASA CX and PRSM communicate over RESTful XML (REST = Representational State Transfer), with reliable binary logging for events; Cisco SIO delivers application identification updates; both links use HTTPS
-
The ASA processes all ingress/egress packets; no packets are directly processed by CX except for management
CX provides Next Generation Firewall Services
Diagram: the ASA module (ports, 10GE NICs, CPU complex, fabric switch, crypto engine) and the CX module (10GE NICs, CPU complex, fabric switch, crypto or regex engine) are connected over the backplane; traffic enters at ASA ingress, is handed to CX ingress, and egresses after CX processing
-
Diagram: division of functions between ASA and CX. ASA: IP fragmentation, IP option inspection, TCP intercept, TCP normalization, ACL, NAT, VPN termination, routing, botnet filtering. CX: TCP proxy, TLS proxy, AVC, multiple policy decision points, HTTP inspection, URL category/reputation
-
Decrypts SSL and TLS traffic across any port
Uses a self-signed (default) certificate or a customer certificate and key; the self-signed certificate can be downloaded and added to the trusted root certificate store on the client
Decryption policies determine which traffic to decrypt. CX cannot determine the hostname in the client request to choose a decryption policy because the traffic is encrypted; the FQDN and URL category are determined using the server certificate
If the decision is made to decrypt, CX acts as a man-in-the-middle: a new certificate is created, signed by CX or by the customer CA. Information such as the FQDN and validity dates is copied from the original certificate. Name mismatches and expired certificate errors are ignored; they must be handled by the client
-
Two separate sessions, with separate certificates and keys
ASA CX acts as a CA and issues a certificate for the web server
Diagram (client on the corporate network, ASA CX, web server), with the steps on each side:
1. Negotiate algorithms (client to ASA CX; ASA CX to web server)
2. ASA CX authenticates the server certificate
3. ASA CX generates the proxied server certificate
4. Client authenticates the (proxied) server certificate
5. Generate encryption keys (on both sessions)
6. Encrypted data channel established (on both sessions)
The certificate is generated dynamically with the destination name but signed by ASA CX
-
Supported applications: 1000+
Supported micro-applications: 150,000+
Powered by the Cisco Security Intelligence Operation (SIO); utilizes application signatures; by default, PRSM and CX check for updates every 5 minutes
-
Broad AVC: broad protocol support; resides in the data plane; less granular control. Supports:
Application types, for example email
Applications, for example Simple Mail Transfer Protocol
Web AVC: HTTP and decrypted HTTPS only; more granular control. Supports:
Application types, for example Instant Messaging
Applications, for example Yahoo Messenger
Application behavior, for example File Transfer
-
Default web reputation profile (diagram: reputation scale from -10 through +10)
Descriptions shown on the scale:
Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
Phishing sites, bots, drive by installers. Extremely likely to be malicious.
Aggressive ad syndication and user tracking networks.
Sites suspected to be malicious, but not confirmed.
Sites with some history of responsible behavior or 3rd party validation.
Well managed, responsible content.
Syndication networks and user generated content.
Sites with a long history of responsible behavior. Have significant volume and are widely accessed.
Suspicious: -10 through -6
Not suspicious: -5.9 through +10
-
Used to enforce acceptable use
Predefined and custom URL categories
78 predefined URL categories
20,000,000+ URLs categorized
60+ languages
Powered by the Cisco Security Intelligence Operation (SIO); utilizes application signatures; by default, PRSM and CX check for updates every 5 minutes
-
Requires an HTTP request to initiate authentication:
1. ASA CX sees an HTTP request from a client to a remote website
2. ASA CX redirects the client to the ASA inside interface (port 885 by default). The redirect is accomplished by sending a proxy redirect to the client (HTTP return code 307), spoofing the remote website
3. ASA CX sends the client an authentication request (HTTP return code 401)
4. After authentication, ASA CX redirects the client back to the remote website (HTTP return code 307)
After authentication, ASA CX uses the IP address to track the user; both HTTP and non-HTTP traffic will now be associated with the user
Integrates with enterprise infrastructure. Supported directories include Microsoft Active Directory, OpenLDAP, and IBM Tivoli Directory Server
-
Endpoint must be a domain member; supported for all traffic and all clients; utilizes an agent
The agent gathers information from the Active Directory server and caches it; ASA CX/PRSM queries the agent for user information and queries the Active Directory server for group membership information
Two agents are available:
Cisco Active Directory Agent (AD agent), the older agent: a Windows application
Context Directory Agent (CDA), the newer agent: a stand-alone, Linux based server that can be run as a VM, with an intuitive web based GUI and a Cisco IOS style CLI
Diagram: Active Directory, AD Agent or CDA (RADIUS server), ASA CX, and clients; the agent reads Active Directory over WMI, ASA CX queries the agent over RADIUS and Active Directory over LDAP
-
Section: Policy framework
-
Policies apply actions to subsets of network traffic. Two main components:
Policy match: a set of criteria used to match traffic to the policy
Action: the action to be taken if the policy is matched
Three types of policies: Access, Identity, Decryption
A policy set is an ordered collection of policies of a particular type. For any ASA CX, at most one policy set of each type is in use. Policies are applied using top-down policy matching (order matters!). At most one policy is matched for each policy set. If no defined policy is matched, the implicit policy is enforced
Policy set implicit policies are as follows:
Access policy sets end with an implicit allow all
Decryption policy sets end with an implicit do not decrypt
Identity policy sets end with an implicit do not require authentication
-
Identity: How will users be identified?
Decryption: What TLS/SSL traffic should be decrypted?
Access: What traffic will be allowed or denied?
-
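The policy set behaviour described above (three policy types, top-down first match, implicit end-of-set policies), modelled in Python as an added illustration; this is not Cisco or PRSM code, and the policy names, flow attributes and sample policy sets are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Implicit end-of-set policies, as listed in the presentation.
IMPLICIT = {"identity": "do not require authentication",
            "decryption": "do not decrypt",
            "access": "allow"}

@dataclass
class Policy:
    name: str
    match: Callable[[dict], bool]   # match criteria over a flow's attributes
    action: str

@dataclass
class PolicySet:
    kind: str                       # "identity", "decryption" or "access"
    policies: List[Policy] = field(default_factory=list)

    def evaluate(self, flow: dict) -> tuple:
        # Top-down first match: order matters and at most one policy matches.
        for p in self.policies:
            if p.match(flow):
                return p.name, p.action
        return "implicit", IMPLICIT[self.kind]

def suspicious(score: Optional[float], low: float = -10, high: float = -6) -> bool:
    # Default web reputation profile: -10 through -6 is suspicious; unscored sites are not.
    return score is not None and low <= score <= high

def evaluate_all(sets: Dict[str, PolicySet], flow: dict) -> Dict[str, tuple]:
    # One decision per policy set type (at most one set of each type is in use).
    return {kind: ps.evaluate(flow) for kind, ps in sets.items()}

# Constructed sample policy sets (hypothetical names, not a real deployment).
SETS = {
    "identity": PolicySet("identity", [
        Policy("auth-guests", lambda f: f.get("src_net") == "guest", "require authentication")]),
    "decryption": PolicySet("decryption", [
        Policy("skip-finance", lambda f: f.get("url_cat") == "finance", "do not decrypt"),
        Policy("decrypt-tls", lambda f: f.get("tls", False), "decrypt")]),
    "access": PolicySet("access", [
        Policy("block-bad-rep", lambda f: suspicious(f.get("reputation")), "deny"),
        Policy("block-p2p", lambda f: f.get("app_type") == "file sharing", "deny")]),
}

if __name__ == "__main__":
    flow = {"src_net": "guest", "tls": True, "url_cat": "social", "reputation": -7.2}
    print(evaluate_all(SETS, flow))
```

Swapping the two decryption policies changes the result for finance sites, which is the "order matters" point of the slide.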
Policy objects classify traffic and are used to decide which policy to match
Used to create policies
Predefined and user defined
May be nested
Many types
-
Used to identify traffic based on URL or URL category
Can only be used as a destination in a policy
HTTP or HTTPS only. For HTTPS, the URL object uses information in the subject of the certificate. Do not specify the protocol: URL objects will match both HTTP and HTTPS
Contains:
URLs (enter a domain to match any URL in the domain; supports limited string matching)
URL categories
Other URL objects
Contains include and exclude lists
-
Used to identify what application the client is attempting to use
Utilizes the Application Visibility and Control (AVC) functionality of the ASA CX
Contains:
Applications (recognized by the ASA CX), for example Facebook photos, webmail, Yahoo IM
Application types, for example Facebook, e-mail, IM
Other application objects
-
User-agent string: part of the HTTP request header; identifies the client OS and agent. Examples: Safari running on an iPad, Windows Update agent
User agent object: can only be used for HTTP traffic; can only be used as a source in a policy; predefined user agent objects are sufficient for most uses
Contains: user agent strings (an asterisk (*) can be used to match zero or more characters), other user agent objects
-
Used to create policies specific to AnyConnect VPN traffic
Can only be used as a source in a policy
One exists by default: All remote users
Others can be created to match specific device types
Can contain: device types, other Secure Mobility objects
-
Object groups allow for more complicated traffic matching
Contain collections of entries, or rows. Elements of each entry are ANDed together; entries are then ORed together
Application-Service objects match combinations of applications and services
Destination object groups match combinations of URL objects and network objects
Source object groups match combinations of network objects, identity objects, user agent objects, and Secure Mobility objects
-
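An added Python illustration (not Cisco or PRSM code) of how the object types above combine: user agent objects with `*` wildcards, URL objects matching a whole domain regardless of protocol, network objects, and object groups whose row elements are ANDed and whose rows are ORed. The flow attribute names (`src_ip`, `user_agent`, `host`), the networks and the user agent strings are constructed assumptions.

```python
import ipaddress
import re
from typing import Callable, List

# A policy object is modelled as a predicate over a flow's attributes (dict).
Obj = Callable[[dict], bool]

def user_agent_object(pattern: str) -> Obj:
    # User agent object: '*' matches zero or more characters, everything else is literal.
    rx = re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")
    return lambda f: bool(rx.match(f.get("user_agent", "")))

def url_object(domains: List[str]) -> Obj:
    # URL object: a domain entry matches any URL in that domain (the host itself or a
    # subdomain). No protocol is given, so HTTP and HTTPS both match; for HTTPS the
    # host would come from the certificate subject, here it is one flow attribute.
    doms = [d.lower() for d in domains]
    def match(f: dict) -> bool:
        host = f.get("host", "").lower()
        return any(host == d or host.endswith("." + d) for d in doms)
    return match

def network_object(cidr: str) -> Obj:
    net = ipaddress.ip_network(cidr)
    return lambda f: ipaddress.ip_address(f["src_ip"]) in net

def object_group(rows: List[List[Obj]]) -> Obj:
    # Object group: elements within a row are ANDed, rows are ORed.
    return lambda f: any(all(o(f) for o in row) for row in rows)

# Constructed sample objects (hypothetical networks and patterns).
CORP = network_object("10.1.0.0/16")
GUEST = network_object("192.168.50.0/24")
IPAD_SAFARI = user_agent_object("Mozilla/*iPad*Safari*")
SOCIAL = url_object(["facebook.com", "twitter.com"])

SRC_GROUP = object_group([[CORP, IPAD_SAFARI], [GUEST]])   # (corp AND iPad) OR guest
DST_GROUP = object_group([[SOCIAL]])

def policy_matches(flow: dict) -> bool:
    # A policy's source and destination criteria must both match.
    return SRC_GROUP(flow) and DST_GROUP(flow)
```

The subdomain check uses a leading dot, so a look-alike host such as a constructed "nottwitter.com" is not matched by the twitter.com entry.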
File filtering profile: HTTP and decrypted HTTPS traffic only; blocks the download of specific MIME types; blocks the upload of specific MIME types
Web reputation profile: HTTP and decrypted HTTPS traffic only. Web reputation scores are provided for websites by Cisco Security Intelligence Operations and vary from -10 to 10. The default profile considers websites with a reputation score from -10 through -6 suspicious (the default profile cannot be edited or deleted). Websites without reputation scores are not considered suspicious. The action taken for a suspicious website depends on the policy type; for example, access policies can block websites of low reputation
-
Section: Device import
-
First you must enter the IP address (or hostname) of the ASA, along with privileged credentials
The CX module will be discovered through the ASA. You must enter the admin password to complete the import
When a device is imported, it is placed into a device group
Device groups are assigned policy sets; therefore, policies are consistent within a device group
When the device is imported, you must resolve any policy set naming conflict
-
Diagram: Valid Policy Set Assignment
-
Diagram: Invalid Policy Set Assignment
-
Network and service objects and groups are imported from the ASA during device import
They are added to the PRSM policy database and are available for policy configuration
Modifications made to objects on PRSM are not pushed to the ASA; modifications made to objects on the ASA are not pushed to PRSM
Imported objects are automatically renamed if there are naming conflicts: _ is appended to the name of the imported object
-
Section: Eventing and reporting
-
Gives visibility to events generated by the CX module
Tabs: System events; All events; Authentication; ASA (only used if PRSM is a SYSLOG server for ASAs); Encrypted Traffic; Context Aware Security view, which shows next generation functionality
-
Real time eventing: user defined refresh interval
Historic eventing: user defined time range
-
Filters are used to reduce the number of events that are displayed
Filters are a list of attribute-value pairs. Attribute-value pairs with the same attribute are ORed together; the expressions for each attribute are then ANDed together. Example: Username=Fred Username=Gail Application=Twitter means (Username=Fred OR Username=Gail) AND Application=Twitter. Most attributes support the operations = and !=; some also support > and <
Two ways to add to a filter: clicking on a cell in the event viewer adds that attribute-value pair to the filter, or select the attribute (with operation) from the Filter drop-down list and then select the value. If you want the operator to be inequality, you must manually change = to !=
Filters may be saved and recalled; saved filters are added to the right-hand side of the Filter drop-down list
-
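The filter semantics above (same attribute ORed, different attributes ANDed, operators =, !=, > and <) as an added Python example run over a few constructed event records; this is an illustration, not PRSM's filter parser, and the attribute names and events are invented for it.

```python
import operator
import shlex
from collections import defaultdict
from typing import Dict, List, Tuple

OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt}

def parse_filter(text: str) -> Dict[str, List[Tuple[str, str]]]:
    # "Username=Fred Username=Gail Application=Twitter" -> {attr: [(op, value), ...]}.
    # Operators are tried longest-first so "!=" is not misread as "=".
    terms = defaultdict(list)
    for token in shlex.split(text):
        for op in ("!=", "=", ">", "<"):
            if op in token:
                attr, value = token.split(op, 1)
                terms[attr].append((op, value))
                break
        else:
            raise ValueError(f"unrecognised filter term: {token}")
    return dict(terms)

def _coerce(a, b):
    # Compare numerically when both sides are numeric (for > and <), else as strings.
    try:
        return float(a), float(b)
    except (TypeError, ValueError):
        return str(a), str(b)

def event_matches(event: dict, terms: Dict[str, List[Tuple[str, str]]]) -> bool:
    # Clauses on the same attribute are ORed; the per-attribute results are ANDed.
    for attr, clauses in terms.items():
        actual = event.get(attr)
        if actual is None:          # attribute absent from the event: no match
            return False
        if not any(OPS[op](*_coerce(actual, value)) for op, value in clauses):
            return False
    return True

def apply_filter(events: List[dict], text: str) -> List[dict]:
    terms = parse_filter(text)
    return [e for e in events if event_matches(e, terms)]

# Constructed sample events (not real PRSM output).
EVENTS = [
    {"Username": "Fred", "Application": "Twitter", "Bytes": 1200},
    {"Username": "Gail", "Application": "Twitter", "Bytes": 300},
    {"Username": "Gail", "Application": "Facebook", "Bytes": 900},
    {"Username": "Hank", "Application": "Twitter", "Bytes": 5000},
]
```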
Section: Demonstration
-
Thank you.