Next Generation Firewall Services for the ASA, Eric Kostlan

 © 2012 Cisco and/or its affiliates. All rights reserved. 1 Next Generation Firewall Services for the ASA May 2013 Presenter: Eric Kostlan  


DESCRIPTION

The new Cisco firewalls

TRANSCRIPT

  • Slide 1

    Next Generation Firewall Services for the ASA, May 2013. Presenter: Eric Kostlan

  • Slide 2

    At the conclusion of this presentation and demonstration, you will be able to:

    Describe the ASA NGFW and PRSM architecture

    Describe the features of the ASA NGFW: Application Visibility and Control (AVC) and Web Security Essentials

    Utilize the policy framework: policy objects, policies and policy sets; device and object discovery

  • Slide 3 (agenda)

    Architecture
    Policy framework
    Device import
    Eventing and reporting
    Demonstration

  • Slide 4

    Two hard drives, RAID 1 (event data)
    10GE and GE ports; two GE management ports
    8 GB eUSB (system)

  • Slide 5 (image only)

  • Slide 6

    Built-in: configuration, eventing, reporting

    Off-box: configuration, eventing, reporting; multi-device manager for ASA CX; role-based access control; virtual machine or UCS appliance; the PRSM virtual machine supports VMware ESXi

  • Slide 7 (diagram)

    ASA CX and PRSM communicate over RESTful XML (REST = Representational State Transfer) and reliable binary logging. Cisco SIO delivers application identification updates to the ASA CX and to PRSM over HTTPS.

  • Slide 8

    ASA processes all ingress/egress packets; no packets are directly processed by CX except for management

    CX provides Next Generation Firewall Services

    Diagram: ASA ingress, CX ingress, egress after CX processing. ASA module: ports, 10GE NICs, fabric switch, CPU complex, crypto engine. CX module: 10GE NICs, fabric switch, CPU complex, crypto or regex engine. The two modules are connected over the backplane.

  • Slide 9 (diagram: services on the ASA versus on the CX)

    ASA: IP fragmentation, IP option inspection, TCP intercept, TCP normalization, ACL, NAT, VPN termination, routing, botnet filtering

    CX: TCP proxy, TLS proxy, AVC (multiple policy decision points), HTTP inspection, URL category/reputation

  • Slide 10 (repeat of the slide 9 diagram)

  • Slide 11

    Decrypts SSL and TLS traffic across any port

    Self-signed (default) certificate, or customer certificate and key. The self-signed certificate can be downloaded and added to the trusted root certificate store on the client

    Decryption policies determine which traffic to decrypt. CX cannot determine the hostname in the client request to choose a decryption policy, because the traffic is encrypted; FQDN and URL category are determined using the server certificate

    If the decision is made to decrypt, CX acts like a man-in-the-middle: a new certificate is created, signed by CX or by the customer CA. Information such as FQDN and validity dates is copied from the original certificate. Name mismatches and expired-certificate errors are ignored; name mismatches and expired-certificate errors must be handled by the client

  • Slide 12 (diagram)

    Two separate sessions, with separate certificates and keys. ASA CX acts as a CA and issues a certificate for the web server. The certificate is generated dynamically with the destination name but signed by ASA CX.

    Client (corporate network) to ASA CX: 1. Negotiate algorithms. 3. Generate proxied server certificate. 4. Client authenticates server certificate. 5. Generate encryption keys. 6. Encrypted data channel established.

    ASA CX to web server: 1. Negotiate algorithms. 2. Authenticate server certificate. 5. Generate encryption keys. 6. Encrypted data channel established.

  • Slide 13 (repeat of the slide 9 diagram)

  • Slide 14

    Supported applications: 1000+
    Supported micro-applications: 150,000+
    Powered by the Cisco Security Intelligence Operation (SIO); utilizes application signatures. By default, PRSM and CX check for updates every 5 minutes

  • Slide 15

    Broad AVC: broad protocol support; resides in the data plane; less granular control. Supports application types (for example, email) and applications (for example, Simple Mail Transfer Protocol)

    Web AVC: HTTP and decrypted HTTPS only; more granular control. Supports application types (for example, Instant Messaging), applications (for example, Yahoo Messenger) and application behavior (for example, File Transfer)

  • Slides 16 to 18 (image only)

  • Slide 19 (repeat of the slide 9 diagram)

  • Slide 20 (diagram: default web reputation profile)

    Reputation scale from -10 to +10. Suspicious: -10 through -6. Not suspicious: -5.9 through +10.

    Site descriptions placed along the scale, listed here from most malicious to most trusted:
    Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
    Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
    Sites suspected to be malicious, but not confirmed.
    Aggressive ad syndication and user tracking networks.
    Syndication networks and user generated content.
    Sites with some history of responsible behavior or 3rd party validation.
    Well managed, responsible content.
    Sites with a long history of responsible behavior; have significant volume and are widely accessed.

  • Slide 21

    URL filtering is used to enforce acceptable use. Predefined and custom URL categories: 78 predefined URL categories, 20,000,000+ URLs categorized, 60+ languages

    Powered by the Cisco Security Intelligence Operation (SIO); utilizes application signatures. By default, PRSM and CX check for updates every 5 minutes

  • Slide 22

    Requires an HTTP request to initiate authentication:
    1. ASA CX sees an HTTP request from a client to a remote website
    2. ASA CX redirects the client to the ASA inside interface (port 885 by default). The redirect is accomplished by sending a proxy redirect to the client (HTTP return code 307), spoofing the remote website
    3. Sends the client an authentication request (HTTP return code 401)
    4. After authentication, ASA CX redirects the client back to the remote website (HTTP return code 307)

    After authentication, ASA CX uses the IP address to track the user; both HTTP and non-HTTP traffic will now be associated with the user

    Integrates with enterprise infrastructure. Supported directories include Microsoft Active Directory, OpenLDAP and IBM Tivoli Directory Server
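The redirect sequence on slide 22, modelled as a small state machine. This is an added example written for this transcript, not Cisco code: the ASA inside address, the realm and the credential table are invented, and each HTTP response is returned as a (status, headers) tuple rather than sent on the wire.

```python
"""Added example (not Cisco code): the active-authentication redirect flow of
slide 22 as a state machine. ASA_INSIDE, the realm and CREDENTIALS are
invented; responses are (status, headers) tuples instead of wire traffic."""
import base64

ASA_INSIDE = "10.0.0.1"            # assumed ASA inside interface address
AUTH_PORT = 885                     # default redirect port named on the slide
CREDENTIALS = {"alice": "s3cret"}   # constructed; a real CX asks the directory


def basic_auth_header(user, password):
    """Build the Authorization header a browser sends after a 401 challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


class IdentityProxy:
    def __init__(self):
        self.user_by_ip = {}   # after authentication the user is tracked by IP
        self.pending = {}      # ip -> URL the client originally asked for

    def on_http_request(self, ip, url):
        """Steps 1 and 2: the first HTTP request from an unknown IP is answered,
        in the remote site's place, with a 307 to the ASA inside interface."""
        user = self.user_by_ip.get(ip)
        if user is not None:
            return 200, {"X-Identified-User": user}
        self.pending[ip] = url
        return 307, {"Location": f"https://{ASA_INSIDE}:{AUTH_PORT}/auth"}

    def on_auth_request(self, ip, authorization=None):
        """Steps 3 and 4: 401 challenge until valid credentials arrive, then a
        307 back to the original site; from now on the IP is bound to the user."""
        user = self._credentials_ok(authorization)
        if user is None:
            return 401, {"WWW-Authenticate": 'Basic realm="ASA CX"'}
        self.user_by_ip[ip] = user
        return 307, {"Location": self.pending.pop(ip, "/")}

    def user_for(self, ip):
        """Identity attached to any later traffic, HTTP or not, from this IP."""
        return self.user_by_ip.get(ip)

    @staticmethod
    def _credentials_ok(authorization):
        if not authorization or not authorization.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(authorization[6:]).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        return user if CREDENTIALS.get(user) == password else None
```

Because the binding is keyed by source IP (slide 22: "uses IP address to track user"), every host behind a shared NAT address or every person using one workstation inherits the identity of whoever authenticated first; the same property holds for the agent-based passive identification on slide 23, which also maps IP addresses to users.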

  • Slide 23

    Endpoint must be a domain member; supported for all traffic and all clients; utilizes an agent

    The agent gathers information from the Active Directory server and caches it. ASA CX/PRSM queries the agent for user information and queries the Active Directory server for group membership information

    Two agents are available. Cisco Active Directory Agent (AD agent): the older agent, a Windows application. Context Directory Agent (CDA): the newer agent, a stand-alone Linux-based server that can be run as a VM, with an intuitive web-based GUI and a Cisco IOS-style CLI

  • Slide 24 (diagram)

    Components: Active Directory; AD Agent or CDA (RADIUS server); ASA CX; clients. Active Directory to AD Agent or CDA: WMI. AD Agent or CDA to ASA CX: RADIUS. ASA CX to Active Directory: LDAP.

  • Slide 25 (agenda)

    Architecture
    Policy framework
    Device import
    Eventing and reporting
    Demonstration

  • Slide 26 (image only)

  • Slide 27

    Policies apply actions to subsets of network traffic. Two main components: the policy match (a set of criteria used to match traffic to the policy) and the action (the action to be taken if the policy is matched)

    Three types of policies: access, identity, decryption

    A policy set is an ordered collection of policies of a particular type. For any ASA CX, at most one policy set of each type is in use. Policies are evaluated using top-down policy matching, so order matters! At most one policy is matched for each policy set. If no defined policy is matched, the implicit policy is enforced

    Implicit policies are as follows: access policy sets end with an implicit allow all; decryption policy sets end with an implicit do not decrypt; identity policy sets end with an implicit do not require authentication

  • Slide 28

    Identity: how will users be identified?
    Decryption: what TLS/SSL traffic should be decrypted?
    Access: what traffic will be allowed or denied?

  • Slide 29

    Policy objects classify traffic and are used to decide which policy to match. Predefined and user defined. Used to create policies. May be nested. Many types

  • Slide 30 (repeat of slide 29)

  • Slide 31

    URL objects are used to identify traffic based on URL or URL category. Can only be used as a destination in a policy. HTTP or HTTPS only; for HTTPS, the URL object uses information in the subject of the certificate. Do not specify the protocol: URL objects will match both HTTP and HTTPS

    Contains URLs (enter a domain to match any URL in the domain; supports limited string matching), URL categories, and other URL objects. Contains include and exclude lists

  • Slide 32

    Application objects are used to identify what application the client is attempting to use. They utilize the Application Visibility and Control (AVC) functionality of the ASA CX

    Contains applications recognized by the ASA CX (examples: Facebook photos, webmail, Yahoo IM), application types (examples: Facebook, e-mail, IM), and other application objects

  • Slide 33

    User-agent string: part of the HTTP request header; identifies the client OS and agent. Examples: Safari running on an iPad; Windows update agent

    User agent object: can only be used for HTTP traffic; can only be used as a source in a policy; predefined user agent objects are sufficient for most uses. Contains user agent strings (an asterisk (*) can be used to match zero or more characters) and other user agent objects

  • Slide 34 (image only)

  • Slide 35

    Secure Mobility objects are used to create policies specific to AnyConnect VPN traffic. Can only be used as a source in a policy. One exists by default: All remote users. Others can be created to match specific device types. Can contain device types and other Secure Mobility objects

  • Slide 36

    Object groups allow for more complicated traffic matching. An object group contains a collection of entries, or rows: the elements of each entry are ANDed together, and the entries are then ORed together

    Application-Service objects match combinations of applications and services. Destination object groups match combinations of URL objects and network objects. Source object groups match combinations of network objects, identity objects, user agent objects and Secure Mobility objects

  • Slide 37

    File filtering profile: HTTP and decrypted HTTPS traffic only. Blocks the download of specific MIME types; blocks the upload of specific MIME types

    Web reputation profile: HTTP and decrypted HTTPS traffic only. Web reputation scores are provided for websites by Cisco Security Intelligence Operations and range from -10 to 10. The default profile considers websites with a reputation score from -10 through -6 suspicious (the default profile cannot be edited or deleted). Websites without reputation scores are not considered suspicious. The action taken for a suspicious website depends on the policy type; for example, access policies can block websites of low reputation
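A working model of the policy framework described on slides 27, 31, 33, 36 and 37: URL objects that match a whole domain, user agent objects with `*` wildcards, object groups whose row elements are ANDed and whose rows are ORed, top-down first-match policy sets with the per-type implicit policy, and the default web reputation profile (-10 through -6 suspicious, unscored sites not suspicious). This is an added example written for this transcript, not Cisco code; the policy names, users, URLs, reputation scores and flows are all constructed, and the function and class names are invented.

```python
"""Added example (not Cisco code) of the ASA CX policy framework on slides
27, 31, 33, 36 and 37. Policies, flows, scores and all names are invented."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Implicit policy per policy-set type, enforced when nothing matches (slide 27).
IMPLICIT_ACTION = {"access": "allow", "decryption": "do not decrypt",
                   "identity": "do not require authentication"}

# Constructed reputation scores standing in for SIO data (slide 37).
# Hosts missing from this table have no score and are never suspicious.
REPUTATION = {"www.example.com": 7.5, "badware.example": -8.2, "ads.example": -3.0}
DEFAULT_PROFILE_MAX = -6.0   # default profile: -10 through -6 is suspicious


def url_object_matches(domains, url):
    """URL object (slide 31): a bare domain matches any URL in that domain.
    The scheme is not part of the object, so HTTP and HTTPS both match."""
    host = urlsplit(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in domains)


def user_agent_matches(patterns, user_agent):
    """User agent object (slide 33): '*' matches zero or more characters."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, user_agent):
            return True
    return False


def reputation_is_suspicious(url, profile_max=DEFAULT_PROFILE_MAX):
    """Web reputation profile (slide 37): suspicious only with a score <= -6."""
    score = REPUTATION.get(urlsplit(url).hostname)
    return score is not None and score <= profile_max


def group_matches(rows, flow):
    """Object group (slide 36): elements of a row are ANDed, rows are ORed.
    A group holding one empty row matches every flow."""
    return any(all(element(flow) for element in row) for row in rows)


# Element builders used inside group rows; each returns a predicate on a flow.
def in_domain(*domains): return lambda f: url_object_matches(domains, f["url"])
def ua_like(*patterns): return lambda f: user_agent_matches(patterns, f["user_agent"])
def user_in(*users): return lambda f: f["user"] in users
def app_is(*apps): return lambda f: f["app"] in apps
def suspicious(f): return reputation_is_suspicious(f["url"])


@dataclass
class Policy:
    name: str
    action: str
    source_rows: list = field(default_factory=lambda: [[]])  # [[]] = any source
    dest_rows: list = field(default_factory=lambda: [[]])    # [[]] = any destination


def evaluate(policy_set, policy_type, flow):
    """Top-down, first-match evaluation of one policy set (slide 27): at most
    one policy matches; otherwise the type's implicit policy is enforced."""
    for policy in policy_set:
        if group_matches(policy.source_rows, flow) and group_matches(policy.dest_rows, flow):
            return policy.name, policy.action
    return "implicit", IMPLICIT_ACTION[policy_type]


# Constructed policy sets. The reputation check sits first on purpose: a broad
# allow policy above it would shadow it, because only the first match counts.
ACCESS_SET = [
    Policy("deny-suspicious-sites", "deny", dest_rows=[[suspicious]]),
    Policy("deny-guest-uploads", "deny",
           source_rows=[[user_in("guest1", "guest2")]],
           dest_rows=[[app_is("Facebook photos")], [in_domain("webmail.example")]]),
    Policy("allow-corp-browsers", "allow",
           source_rows=[[user_in("alice", "bob"), ua_like("Mozilla/*Safari*")]]),
]
DECRYPTION_SET = [
    Policy("decrypt-webmail", "decrypt", dest_rows=[[in_domain("webmail.example")]]),
]

# Constructed flows standing in for traffic the CX would classify.
SAFARI = "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 Safari/8536.25"
FLOWS = {
    "alice-web": {"user": "alice", "url": "https://www.example.com/", "user_agent": SAFARI, "app": "HTTP"},
    "guest-mail": {"user": "guest1", "url": "https://webmail.example/inbox", "user_agent": "Windows-Update-Agent", "app": "webmail"},
    "alice-malware": {"user": "alice", "url": "http://badware.example/x.exe", "user_agent": SAFARI, "app": "HTTP"},
    "bob-curl": {"user": "bob", "url": "https://ads.example/t", "user_agent": "curl/7.0", "app": "HTTP"},
}


def decide(flow_name, access_set=ACCESS_SET):
    """Run the access and decryption policy sets against one constructed flow."""
    flow = FLOWS[flow_name]
    return {"access": evaluate(access_set, "access", flow),
            "decryption": evaluate(DECRYPTION_SET, "decryption", flow)}
```

Calling `decide("alice-malware", list(reversed(ACCESS_SET)))` shows the ordering caveat from slide 27: with the broad allow policy moved above the reputation check, the same request to a -8.2 site is allowed, since at most one policy is matched per policy set. `decide("bob-curl")` shows the implicit allow-all at the end of an access policy set, which is why a deny for unwanted traffic must be an explicit policy.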

  • Slide 38 (agenda)

    Architecture
    Policy framework
    Device import
    Eventing and reporting
    Demonstration

  • Slide 39

    First you must enter the IP address (or hostname) of the ASA, along with privileged credentials. The CX module will be discovered through the ASA; you must enter the admin password to complete the import

    When a device is imported, it is placed into a device group. Device groups are assigned policy sets; therefore, policies are consistent within a device group

    When the device is imported, you must resolve any policy set naming conflict

  • Slide 40 (diagram): Valid Policy Set Assignment

  • Slide 41 (diagram): Invalid Policy Set Assignment

  • Slide 42

    Network and service objects and groups are imported from the ASA during device import and added to the PRSM policy database, where they are available for policy configuration

    Modifications made to objects on PRSM are not pushed to the ASA; modifications made to objects on the ASA are not pushed to PRSM

    Imported objects are automatically renamed if there are naming conflicts: _ is appended to the name of the imported object

  • Slide 43 (agenda)

    Architecture
    Policy framework
    Device import
    Eventing and reporting
    Demonstration

  • Slide 44

    Gives visibility to events generated by the CX module

    Tabs: System events; All events; Authentication; ASA (only used if PRSM is a syslog server for ASAs); Encrypted Traffic View; Context Aware Security (shows next generation functionality)

  • Slides 45 and 46 (image only)

  • Slide 47

    Real-time eventing: user-defined refresh interval
    Historic eventing: user-defined time range

  • Slide 48

    Filters are used to reduce the number of events that are displayed

    Filters are a list of attribute-value pairs. Attribute-value pairs with the same attribute are ORed together; the expressions for each attribute are then ANDed together. Example: Username=Fred Username=Gail Application=Twitter means (Username=Fred OR Username=Gail) AND Application=Twitter. Most attributes support the operations = and !=; some also support > and <

    Two ways to add to a filter: click on a cell in the event viewer, which adds that attribute-value pair to the filter; or select an attribute (with operation) from the Filter drop-down list and then select the value. If you want the operator to be inequality, you must manually change = to !=

    Filters may be saved and recalled. Saved filters are added to the right-hand side of the Filter drop-down list
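The filter semantics of slide 48 (same-attribute pairs ORed, different attributes ANDed; = and != everywhere, > and < on some attributes) applied to a handful of sample events. This is an added example written for this transcript, not Cisco code: the event records, the `Attr=Value` term syntax and the choice of which attributes accept > and < are constructed for the illustration.

```python
"""Added example (not Cisco code): evaluating a PRSM-style event filter as
slide 48 defines it. Events, term syntax and ORDERED_ATTRIBUTES are invented."""
import operator
import re
from collections import defaultdict

# Constructed sample events standing in for rows of the event viewer.
EVENTS = [
    {"Username": "Fred", "Application": "Twitter", "Action": "allow", "Bytes": 1200},
    {"Username": "Gail", "Application": "Twitter", "Action": "deny", "Bytes": 300},
    {"Username": "Gail", "Application": "Facebook", "Action": "allow", "Bytes": 9800},
    {"Username": "Hank", "Application": "Twitter", "Action": "allow", "Bytes": 50},
]

# Attributes that also accept > and < in this model (numeric fields); all
# attributes accept = and !=, as the slide says.
ORDERED_ATTRIBUTES = {"Bytes"}
OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt}
TERM = re.compile(r"^(\w+)(!=|=|>|<)(.+)$")


def supports_operator(attr, op):
    return op in ("=", "!=") or attr in ORDERED_ATTRIBUTES


def parse_filter(terms):
    """Group terms by attribute: ['Username=Fred', 'Username=Gail',
    'Application=Twitter'] becomes {'Username': [('=', 'Fred'), ('=', 'Gail')],
    'Application': [('=', 'Twitter')]}."""
    grouped = defaultdict(list)
    for term in terms:
        m = TERM.match(term)
        if not m:
            raise ValueError(f"bad filter term: {term!r}")
        attr, op, value = m.groups()
        if not supports_operator(attr, op):
            raise ValueError(f"{attr} supports only = and !=")
        grouped[attr].append((op, value))
    return dict(grouped)


def _compare(actual, op, value):
    if actual is None:
        return False
    if isinstance(actual, (int, float)):
        value = float(value)          # numeric attributes compare numerically
    return OPS[op](actual, value)


def matches(event, grouped):
    """Clauses for one attribute are ORed; the attributes are ANDed."""
    for attr, pairs in grouped.items():
        actual = event.get(attr)
        if not any(_compare(actual, op, value) for op, value in pairs):
            return False
    return True


def apply_filter(events, terms):
    grouped = parse_filter(terms)
    return [e for e in events if matches(e, grouped)]
```

One consequence of the OR rule worth knowing when hunting through events: two exclusions on the same attribute, such as `Username!=Fred Username!=Gail`, are ORed into "not Fred OR not Gail", which every event satisfies, so the filter excludes nothing. To exclude both users the viewer needs them combined differently, and the example's `apply_filter` reproduces that behaviour exactly so the surprise is visible on the sample data.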

  • Slides 49 to 63 (image only)

  • Slide 64 (agenda)

    Architecture
    Policy framework
    Device import
    Eventing and reporting
    Demonstration

  • Thank you.