Cisco Confidential
NGFW Services Review: Peregrine

Agenda:
- What is new in NGFW
- Policy Enhancements
- IPS
- Demonstration
- Rate Limiting
- Multi-mode
- Warning Feature
NGFW (ASA CX) services: URL Category/Reputation, HTTP Inspection, AVC, TLS Proxy, TCP Proxy, Multiple Policy Decision Points, NGFW IPS
ASA Module: NAT, Routing, ACL, VPN Termination, TCP Normalization, TCP Intercept, IP Option Inspection, IP Fragmentation, Botnet Traffic Filter
Broad AVC
- Broad protocol support
- Resides in the data plane
- Less granular control
- Supports: application types (for example, email); applications (for example, Simple Mail Transfer Protocol)

Web AVC
- HTTP and decrypted HTTPS only
- More granular control
- Supports: application types (for example, Instant Messaging); applications (for example, Yahoo Messenger); application behavior (for example, File Transfer)
2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
Web reputation scale (figure), from -10 to +10:
- -10: Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
- -5: Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
- 0: Sites with some history of responsible behavior or 3rd-party validation.
- +5: Well managed, responsible content syndication networks and user generated content.
- +10: Sites with a long history of responsible behavior. Have significant volume and are widely accessed.
TLS Proxy
- Two separate sessions, separate certificates and keys
- ASA CX acts as a CA and issues a certificate for the web server
- Figure: client on the corporate network, ASA CX, web server. Step 1: negotiate algorithms.
- The certificate is generated dynamically with the destination name but signed by ASA CX.
NGFW: New in the Peregrine Release
- PRSM can discover an HA configuration and treat the HA pair as a single device (policy configuration, reporting)
- Next Generation IPS
- Platform support: added for SSP-40 and SSP-60; NGFW is now available on all midrange and all high-end models of ASA
Policy Enhancements
- Time ranges
- Interface roles: collections of interfaces that can be used to construct policies
- Rate limits
- Safe Search
Note: Not all features are available for all types of policies.
- At the top is the universal top context-aware access policy set, applied first
- At the bottom is the universal bottom context-aware access policy set, applied last
IPS
NGFW IPS, available in the Peregrine release: Simplified Operation, Rich Policy Options, Highly Dynamic.
Updates available: threats/signatures, reputation feeds, parsing engines.
- Through license
- NGFW IPS ON/OFF switch
- Blocking of traffic sourced from blacklisted IPs
- Option to exclude high reputation traffic
exceptions
Profiles are NOT visible at the local device level; the Device Level Profile is automatically applied to policies.
IPS profile: Dedicated, Customizable, Simple, Effective, DC-ready

Threats:
- Risk-focused settings
- Edge-focused coverage
- Automatic engine/signature update
- Consumption of App ID and Web Security data

Signatures:
- Broad coverage
- Tunable and custom signatures
- Wide range of event actions
Figure: Signature Count by Threat Rating (0 to 100), NGFW IPS versus IPS.
Demonstration
Stijn Vanveerdeghem
Rate Limiting
- Allows context-aware access policies only
- Limits bandwidth usage per policy
- Excessive packets are dropped
- Rate limit is an obligation attached to the policy
- Allotted bandwidth is shared between all flows that match the policy
Safe Search
- Allows context-aware access policies only
- Blocks searches on supported search engines if Safe Search is enabled in a matching access policy and Safe Search is disabled in the browser
Rate limiting implementation
- When a policy is installed, create a bucket to contain the traffic that
- Several flows can match the policy. All of them are rate-limited using a single bucket.
- The flows may match only after evaluation by an Inspector (say HTTP or TLS). In those cases, the data plane waits for the flags to be set by the inspector before assigning the flow to a bucket.
- A change in policy may result in removal of the rate-limit obligation.
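The shared-bucket behaviour the slides describe, as an added example that is not Cisco code and not how the ASA CX data plane is implemented: one token bucket is created when a policy is installed, every flow the inspector has matched to that policy draws from the same bucket, packets that exceed the allotted bandwidth are dropped, an unclassified flow is held as "pending" until the inspector binds it (an assumption about how the wait is handled), and a policy change that removes the obligation frees the flows. The policy name, rate, burst size and packet trace are constructed for the example.

```python
"""Per-policy shared token bucket, modelled on the slide's description.

Added example, not Cisco code: one bucket per installed policy, shared by
every flow matched to it; excess packets are dropped; a policy change can
remove the obligation. All names, rates and the trace are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate_bps: float      # sustained allowance in bytes per second
    burst_bytes: float   # bucket capacity: the largest burst it absorbs
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst_bytes   # bucket starts full

    def try_consume(self, nbytes, now):
        """Refill for the elapsed time, then spend tokens; False means drop."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bps)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class PolicyRateLimiter:
    def __init__(self):
        self.buckets = {}      # policy name -> TokenBucket, created at install time
        self.flow_policy = {}  # flow id -> policy name, set once the inspector matched it
        self.stats = {"forward": 0, "drop": 0, "pending": 0}

    def install_policy(self, name, rate_bps, burst_bytes):
        self.buckets[name] = TokenBucket(rate_bps, burst_bytes)

    def remove_rate_limit(self, name):
        """A policy change removed the obligation: flows still match, no bucket."""
        self.buckets.pop(name, None)

    def bind_flow(self, flow_id, policy):
        """Called once the inspector (HTTP, TLS, ...) has set its flags."""
        self.flow_policy[flow_id] = policy

    def handle_packet(self, now, flow_id, nbytes):
        policy = self.flow_policy.get(flow_id)
        if policy is None:
            verdict = "pending"   # assumption: unclassified traffic is not limited yet
        elif policy not in self.buckets:
            verdict = "forward"   # matched, but the policy carries no rate-limit obligation
        elif self.buckets[policy].try_consume(nbytes, now):
            verdict = "forward"
        else:
            verdict = "drop"      # shared bucket exhausted: excess packet dropped
        self.stats[verdict] += 1
        return verdict


def simulate():
    """Constructed trace: two flows share one 1000 B/s bucket with a 1500 byte burst."""
    rl = PolicyRateLimiter()
    rl.install_policy("guest-web", rate_bps=1000, burst_bytes=1500)
    rl.bind_flow("flowA", "guest-web")
    rl.bind_flow("flowB", "guest-web")
    trace = [
        (0.0, "flowA", 1000),  # forward: 1500 -> 500 tokens left
        (0.0, "flowB", 1000),  # drop: flowA already spent most of the shared burst
        (1.0, "flowB", 1000),  # forward: one second refilled the bucket to 1500
        (1.0, "flowA", 600),   # drop: only 500 left after flowB
        (1.0, "flowC", 400),   # pending: inspector has not classified this flow yet
    ]
    verdicts = [rl.handle_packet(*pkt) for pkt in trace]
    rl.remove_rate_limit("guest-web")                       # policy change drops the obligation
    verdicts.append(rl.handle_packet(1.0, "flowA", 5000))  # forward: no bucket any more
    return verdicts, dict(rl.stats)


if __name__ == "__main__":
    verdicts, stats = simulate()
    print("verdicts:", verdicts)
    print("stats:", stats)
```

The second and fourth packets show the point of the slide: flowB is dropped because flowA, a different flow under the same policy, has already drawn down the single bucket; the last packet shows that once the obligation is removed the flow still matches the policy but is no longer limited.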
TLS Enhancements
- Web reputation filtering can now be applied to HTTPS traffic
- Uses the FQDN from the certificate to determine the web reputation of the server
Certificate Caching
- Aimed to improve the connections-per-second performance of the Decryption Engine
- Previously the Decryption Engine generated a replacement certificate for every TLS connection.
- Generated replacement certificates are now cached and reused for following SSL
- The Decryption Engine keeps a list of certificate authority certificates it trusts.
- The existing CA list has been updated to match the CAs trusted by the Firefox browser (list posted by Mozilla)
Multi-mode
- Adds CX support for multimode ASA (routed, tfw or mixed).
- Each context should configure CX redirection specifically.
- CX as a single instance works with the ASA by using a vcid per transaction.
- CX policies are global and applicable to all contexts on the ASA.
- Active authentication is supported, with the auth proxy port configurable.
- PRSM Events displays context names.
- Interface roles are context aware.
Ordering
Step 1: Which hardware is needed? ASA-X with SSD or ASA 5585-X with CX SSP
Step 2: What service is needed? Application Visibility & Control, Web Security, NGFW IPS or Bundles
Step 3: How long is the service needed? 1, 3, or 5 years

Hardware (ASA 5500-X with SSD) and service licenses by duration (1 year / 3 years / 5 years):

ASA 5512-X with SSD (ASA5512-SSD120-K8, ASA5512-SSD120-K9)
  AVC+WSE           ASA5512-AW1Y   ASA5512-AW3Y   ASA5512-AW5Y
  AVC+NGFW IPS      ASA5512-AI1Y   ASA5512-AI3Y   ASA5512-AI5Y
  AVC+WSE+NGFW IPS  ASA5512-AWI1Y  ASA5512-AWI3Y  ASA5512-AWI5Y

ASA 5515-X with SSD (ASA5515-SSD120-K8, ASA5515-SSD120-K9)
  AVC+WSE           ASA5515-AW1Y   ASA5515-AW3Y   ASA5515-AW5Y
  AVC+NGFW IPS      ASA5515-AI1Y   ASA5515-AI3Y   ASA5515-AI5Y
  AVC+WSE+NGFW IPS  ASA5515-AWI1Y  ASA5515-AWI3Y  ASA5515-AWI5Y

ASA 5525-X with SSD (ASA5525-SSD120-K8, ASA5525-SSD120-K9)
  AVC+WSE           ASA5525-AW1Y   ASA5525-AW3Y   ASA5525-AW5Y
  AVC+NGFW IPS      ASA5525-AI1Y   ASA5525-AI3Y   ASA5525-AI5Y
  AVC+WSE+NGFW IPS  ASA5525-AWI1Y  ASA5525-AWI3Y  ASA5525-AWI5Y

ASA 5545-X with SSD (ASA5545-2SSD120-K8, ASA5545-2SSD120-K9)
  AVC+WSE           ASA5545-AW1Y   ASA5545-AW3Y   ASA5545-AW5Y
  AVC+NGFW IPS      ASA5545-AI1Y   ASA5545-AI3Y   ASA5545-AI5Y
  AVC+WSE+NGFW IPS  ASA5545-AWI1Y  ASA5545-AWI3Y  ASA5545-AWI5Y

ASA 5555-X with SSD (ASA5555-2SSD120-K8, ASA5555-2SSD120-K9)
  AVC+WSE           ASA5555-AW1Y   ASA5555-AW3Y   ASA5555-AW5Y
  AVC+NGFW IPS      ASA5555-AI1Y   ASA5555-AI3Y   ASA5555-AI5Y
  AVC+WSE+NGFW IPS  ASA5555-AWI1Y  ASA5555-AWI3Y  ASA5555-AWI5Y

Spare Solid State Drive (SSD) for existing ASA 5500-X customers: ASA5500X-SSD120=
Hardware (ASA 5585-X with CX SSP) and service licenses by duration (1 year / 3 years / 5 years):

ASA 5585-X CX SSP-10 (ASA5585-S10C10-K8, ASA5585-S10C10-K9, ASA5585-S10C10XK9)
  AVC+WSE           ASA5585-10-AW1Y   ASA5585-10-AW3Y   ASA5585-10-AW5Y
  AVC+NGFW IPS      ASA5585-10-AI1Y   ASA5585-10-AI3Y   ASA5585-10-AI5Y
  AVC+WSE+NGFW IPS  ASA5585-10-AWI1Y  ASA5585-10-AWI3Y  ASA5585-10-AWI5Y

ASA 5585-X CX SSP-20 (ASA5585-S20C20-K8, ASA5585-S20C20-K9, ASA5585-S20C20XK9)
  AVC+WSE           ASA5585-20-AW1Y   ASA5585-20-AW3Y   ASA5585-20-AW5Y
  AVC+NGFW IPS      ASA5585-20-AI1Y   ASA5585-20-AI3Y   ASA5585-20-AI5Y
  AVC+WSE+NGFW IPS  ASA5585-20-AWI1Y  ASA5585-20-AWI3Y  ASA5585-20-AWI5Y

ASA 5585-X CX SSP-40 (ASA5585-S40C40-K8, ASA5585-S40C40-K9, ASA5585-S40C40XK9)
  AVC+WSE           ASA5585-40-AW1Y   ASA5585-40-AW3Y   ASA5585-40-AW5Y
  AVC+NGFW IPS      ASA5585-40-AI1Y   ASA5585-40-AI3Y   ASA5585-40-AI5Y
  AVC+WSE+NGFW IPS  ASA5585-40-AWI1Y  ASA5585-40-AWI3Y  ASA5585-40-AWI5Y

ASA 5585-X CX SSP-60 (ASA5585-S60C60-K8, ASA5585-S60C60-K9, ASA5585-S60C60XK9)
  AVC+WSE           ASA5585-60-AW1Y   ASA5585-60-AW3Y   ASA5585-60-AW5Y
  AVC+NGFW IPS      ASA5585-60-AI1Y   ASA5585-60-AI3Y   ASA5585-60-AI5Y
  AVC+WSE+NGFW IPS  ASA5585-60-AWI1Y  ASA5585-60-AWI3Y  ASA5585-60-AWI5Y
Prime Security Manager (PRSM)
- VMware ESX based virtual appliance or physical appliance (bundles hardware and software)
- Licensing based on the number of ASA NGFWs that will be managed using the product

Software:
- Prime Security Manager - Software - 5 Device Management
- Prime Security Manager - Software - 10 Device Management
- Prime Security Manager - Software - 25 Device Management
- Prime Security Manager - Software - 50-Device Management
- Prime Security Manager - Software - 100-Device Management

Appliance:
- Prime Security Manager - Appliance - 25 Device Management
- PRSM - Appliance - 50-Device Management
- PRSM - Appliance - 100-Device Management
Thanks