
ASA-NGFW with IPS

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

Agenda
- NGFW Services Review
- Peregrine: What is new in NGFW
- Policy Enhancements
- IPS Demonstration
- Rate Limiting
- Multi-mode
- Warning Feature
- Licensing and Pricing
- Questions and Answers

NGFW Services Refresher


NGFW Services Module
- URL Category/Reputation
- HTTP Inspection
- AVC
- TLS Proxy
- TCP Proxy
- Multiple Policy Decision Points
- NGFW IPS

ASA Module
- NAT
- Routing
- ACL
- VPN Termination
- TCP Normalization
- TCP Intercept
- IP Option Inspection
- IP Fragmentation
- Botnet Traffic Filter

Broad AVC
- Broad protocol support
- Resides in the data plane
- Less granular control
- Supports:
  - Application types, for example email
  - Applications, for example Simple Mail Transfer Protocol

Web AVC
- HTTP and decrypted HTTPS only
- More granular control
- Supports:
  - Application types, for example Instant Messaging
  - Applications, for example Yahoo Messenger
  - Application behavior, for example File Transfer

Web reputation scale, from -10 (most malicious) to +10 (most trustworthy):
- Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
- Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
- Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
- Sites with some history of responsible behavior or 3rd-party validation.
- Well managed, responsible content. Syndication networks and user generated content.
- Sites with a long history of responsible behavior. Have significant volume and are widely accessed.

Default web reputation profile
- Suspicious: -10 through -6
- Not suspicious: -5.9 through +10

Profiles

Used within policies
- Utilized after the policy has been matched

File filtering profile
- Blocks the download of specific MIME types
- Blocks the upload of specific MIME types

Web reputation profile
- Specifies the threshold value for the web reputation filter
- Default profile sets the threshold to -6

Next-generation IPS profile
- Specifies threshold values for NGFW IPS
- Default: Block & Monitor 70, Allow & Monitor 40

" Two separate sessions, separate certificates and keys " ASA CX acts as a CA, and issues a certificate for the web server
Corporate network
1. Negotiate algorithms.

Web server ASA CX


1. Negotiate algorithms.
The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the le again. If the red x still appears, you may have to delete the image and then insert it again.

4. Client Authenticates server certificate.

3. Generate proxied server certificate.

2. Authenticate server certificate.

Cert is generated dynamically with destination name but signed by ASA CX.

5. Generate encryption keys. 6. Encrypted data channel established.

5. Generate encryption keys. 6. Encrypted data channel established.

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

What is New in NGFW: Peregrine Release

Peregrine has added the following features:
- Support for Active/Standby: PRSM can discover the HA configuration and treat the HA pair as a single device (policy configuration, reporting)
- Next Generation IPS
- Platform support: added for SSP 40 and SSP 60. NGFW is now available on all midrange and all high-end models of ASA

Peregrine has also added the following policy features:
- Time ranges
- Interface roles: collections of interfaces that can be used to construct policies
- Rate limits
- Safe Search

Note: Not all features are available for all types of policies.

Policy Sets (New with NGFW 9.2)
- Policy sets can have different scopes:
  - Universal policy set is shared by all devices
  - Shared policy set is shared among some devices
  - Local policy set only applies to one device
- At the top is the universal top context-aware access policy set, applied first
- At the bottom is the universal bottom context-aware access policy set, applied last

IPS


Available in Peregrine release

Simplified Operation
- Policy driven by risk acceptance
- IPS policy is a part of the overall NGFW access policy
- Threats are the focus, not signatures

Rich Policy Options
- Awareness: references application
- Awareness: references source reputation

Highly Dynamic
- Daily/hourly updates available: threats/signatures, reputation feeds, parsing engines

" NGFW IPS Feature available

through license
" NGFW IPS ON/OFF switch " Blocking of traffic sourced from

blacklisted IPs
" Option to exclude high reputation

traffic

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

16

Available in Peregrine release
- Risk Based Control, 3 ranges: Block and Monitor, Allow and Monitor, Don't Monitor
- Customizable exceptions
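The evaluation order the deck describes (access policy matched first, profiles consulted only after the match, the device-level IPS profile used when a policy carries no custom one, the three risk ranges with exceptions), as an added Python example. This is not ASA CX code and does not reproduce Cisco's implementation. The -6 / 70 / 40 values are the deck's defaults; the class names, the treatment of an exempt threat (downgraded to Allow & Monitor), the high-reputation cut-off of 6.0, the source blacklist and every sample flow are assumptions made for the example.

```python
"""Policy-then-profile evaluation in the order the slides describe: an access
policy is matched first, and the profiles attached to it (web reputation
threshold, NGFW IPS risk ranges, exceptions) run only after the match.
Added example, not ASA CX code; names, exception semantics and flows are assumed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class WebReputationProfile:
    threshold: float = -6.0     # default profile: -10 through -6 suspicious, -5.9 and up not

    def is_suspicious(self, score: Optional[float]) -> bool:
        return score is not None and score <= self.threshold

@dataclass
class IpsProfile:
    block_at: int = 70          # Block & Monitor at threat rating >= 70
    monitor_at: int = 40        # Allow & Monitor at >= 40; below that Don't Monitor
    exempt_threats: frozenset = frozenset()       # customizable exceptions (threat IDs, assumed)
    skip_reputation_at: Optional[float] = None    # "exclude high reputation traffic" cut-off (assumed)

    def action(self, threat_id: str, rating: int, reputation: Optional[float]) -> str:
        if self.skip_reputation_at is not None and reputation is not None \
                and reputation >= self.skip_reputation_at:
            return "dont-monitor"
        if rating >= self.block_at and threat_id not in self.exempt_threats:
            return "block-monitor"
        return "allow-monitor" if rating >= self.monitor_at else "dont-monitor"

@dataclass
class Flow:
    src: str
    dport: int
    user: str
    app: str
    reputation: Optional[float] = None             # web reputation of the destination, -10..+10
    ips_events: list = field(default_factory=list) # (threat_id, threat_rating) pairs on this flow

@dataclass
class AccessPolicy:
    name: str
    action: str                                    # "allow" or "deny"
    users: Optional[set] = None                    # selection criteria; None matches anything
    apps: Optional[set] = None
    dports: Optional[set] = None
    web_reputation: Optional[WebReputationProfile] = None
    ips: Optional[IpsProfile] = None               # None: device-level profile applied automatically

    def matches(self, flow: Flow) -> bool:
        return ((self.users is None or flow.user in self.users)
                and (self.apps is None or flow.app in self.apps)
                and (self.dports is None or flow.dport in self.dports))

def evaluate(flow, policies, device_ips, blacklist=frozenset()):
    """First matching policy wins; its profiles are consulted only after the match."""
    for policy in policies:
        if not policy.matches(flow):
            continue
        if policy.action == "deny":
            return policy.name, "deny", "access policy"
        if flow.src in blacklist:                  # IPS: block traffic sourced from blacklisted IPs
            return policy.name, "deny", "blacklisted source"
        if policy.web_reputation and policy.web_reputation.is_suspicious(flow.reputation):
            return policy.name, "deny", "web reputation"
        ips = policy.ips or device_ips
        verdict = "allow"
        for threat_id, rating in flow.ips_events:
            act = ips.action(threat_id, rating, flow.reputation)
            if act == "block-monitor":
                return policy.name, "deny", "ips:" + threat_id
            if act == "allow-monitor":
                verdict = "allow-monitor"          # permitted, but the event is logged
        return policy.name, verdict, "profiles passed"
    return None, "deny", "no matching policy"

DEVICE_IPS = IpsProfile()                          # device-level profile, 70/40 defaults
POLICIES = [
    AccessPolicy("block-im", "deny", apps={"yahoo-messenger"}),
    AccessPolicy("web", "allow", dports={80, 443}, web_reputation=WebReputationProfile(),
                 ips=IpsProfile(block_at=60, exempt_threats=frozenset({"T-1001"}),
                                skip_reputation_at=6.0)),
    AccessPolicy("everything-else", "allow"),      # no custom IPS profile: DEVICE_IPS applies
]

def demo():
    """Constructed flows hitting each decision point; returns name -> (policy, verdict, reason)."""
    flows = {
        "im":          Flow("10.0.0.5", 5050, "alice", "yahoo-messenger"),
        "bad_rep":     Flow("10.0.0.5", 80, "alice", "http", reputation=-6.0),
        "ok_rep":      Flow("10.0.0.5", 80, "alice", "http", reputation=-5.9),
        "ips_block":   Flow("10.0.0.6", 443, "bob", "https", 2.0, [("T-2002", 65)]),
        "ips_exempt":  Flow("10.0.0.6", 443, "bob", "https", 2.0, [("T-1001", 95)]),
        "high_rep":    Flow("10.0.0.6", 443, "bob", "https", 8.0, [("T-2002", 90)]),
        "device_prof": Flow("10.0.0.7", 8443, "carol", "custom", None, [("T-3003", 65)]),
        "blacklisted": Flow("192.0.2.66", 8443, "carol", "custom"),
    }
    return {k: evaluate(f, POLICIES, DEVICE_IPS, blacklist=frozenset({"192.0.2.66"}))
            for k, f in flows.items()}
```

The `bad_rep` and `ok_rep` flows differ by 0.1 and land on opposite sides of the default profile: -6.0 is suspicious, -5.9 is not, matching the ranges stated above. The `device_prof` flow shows the pitfall the "Important to remember" slide warns about: the policy carries no IPS profile, so the device-level 70/40 profile decides, and the same rating of 65 that is blocked under the custom 60 threshold is only monitored there. What an access policy enforces depends on a profile that is not visible in the policy view.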


Available in Peregrine release
- Threat Profile field: use a custom IPS profile or the device-level profile
- Different profiles can be applied to different subsets of traffic
- Selection criteria include 5-tuple, user and application

" Important to remember: " At the Access policy view,

Profiles are NOT visible the local Device Level Profile automatically applied

" Access policies will have

" Be certain to open the

Profile tab of your Access policy to understand what is there


" Do this for ALL Access

policies

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

20

Available in Peregrine release

NGFW IPS: Integrated, Simple, Effective
- Threats
- Risk-focused settings
- Edge-focused coverage
- Automatic engine/signature update
- Consumption of App ID and Web Security data

Dedicated IPS: Dedicated, Customizable, DC-ready
- Signatures
- Broad coverage
- Tunable and custom signatures
- Wide range of event actions

Threats
- What the attack is about: its target and potential impact
- 730+ threats

Signatures
- The means of detecting a threat
- 950+ signatures

Engines
- The parser that applies signatures to the traffic
- Borrowed / repurposed / improved
- Can be updated without a dot release; delivered with signature updates

Release Plans
- Expand beyond the classic IPS default
- NGFW signatures will parallel classic IPS releases starting December, with a 1 day lag by February

[Chart: Threat Rating (10 to 100) plotted against Signature Count, NGFW IPS versus classic IPS]

Demonstration
Stijn Vanveerdeghem


Rate Limiting and Safe Search


Rate Limiting (New with NGFW 9.2)
- Available for context-aware access policies only
- Limits bandwidth usage per policy
- Excessive packets are dropped
- The rate limit is an obligation attached to the policy
- The allotted bandwidth is shared between all flows that match the policy

Safe Search (New with NGFW 9.2)
- Available for context-aware access policies only
- Blocks searches on supported search engines if Safe Search is enabled in a matching access policy and Safe Search is disabled in the browser
- Supported search engines: Google, Yahoo, Bing, Ask, DuckDuckGo

C97-729687-00 2013 Cisco and/or its affiliates. All rights reserved.


" When a policy is installed, create a bucket to contain the traffic that

hits the policy.

" Several flows can match the policy. All of them are rate-limited using

a single bucket.
" The flows may match only after the evaluation from an Inspector (say

HTTP or TLS). In those cases, the data-plane will wait for the flags to be set from the inspector before negotiating the flow to a bucket.
" A change in policy, may result in removal of rate-limit obligation.

Bucket exists till the flows exist.
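The bucket behaviour listed above, as an added Python example; this is not ASA CX code. The slides name the bucket but not its algorithm, so the token bucket, the handling of packets seen before the inspector has classified the flow ("pending", forwarded without a limit), and the flow and policy names are assumptions made here.

```python
"""One rate-limit bucket per installed policy, shared by every flow that matches
it; packets the bucket cannot cover are dropped. Added example, not ASA CX code.
Token-bucket algorithm, "pending" handling and the timeline are assumptions."""


class TokenBucket:
    """Bytes-per-second token bucket; a packet is forwarded only if tokens cover its size."""

    def __init__(self, rate_bps, burst_bytes, now):
        self.rate = rate_bps / 8.0          # tokens (bytes) refilled per second
        self.capacity = float(burst_bytes)
        self.tokens = float(burst_bytes)
        self.last = now
        self.flows = set()                  # flows currently bound to this bucket

    def admit(self, size, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                        # excessive packet: dropped, tokens untouched


class RateLimiter:
    def __init__(self):
        self.buckets = {}                   # policy name -> TokenBucket
        self.orphaned = set()               # policies removed while flows are still bound
        self.flow_policy = {}               # flow id -> policy name (set once classified)

    def install_policy(self, name, rate_bps, burst_bytes, now):
        """Installing a policy with a rate-limit obligation creates its bucket."""
        self.buckets[name] = TokenBucket(rate_bps, burst_bytes, now)

    def classify(self, flow_id, policy):
        """Called once the inspector (HTTP/TLS) has set its flags and the flow matched a policy."""
        self.flow_policy[flow_id] = policy
        self.buckets[policy].flows.add(flow_id)

    def packet(self, flow_id, size, now):
        policy = self.flow_policy.get(flow_id)
        if policy is None:
            return "pending"                # not yet assigned to a bucket: no limit applied (assumed)
        return "forward" if self.buckets[policy].admit(size, now) else "drop"

    def remove_policy(self, name):
        """A policy change removes the obligation; the bucket lives on while its flows exist."""
        if self.buckets[name].flows:
            self.orphaned.add(name)
        else:
            del self.buckets[name]

    def close_flow(self, flow_id):
        policy = self.flow_policy.pop(flow_id, None)
        if policy is None:
            return
        bucket = self.buckets[policy]
        bucket.flows.discard(flow_id)
        if policy in self.orphaned and not bucket.flows:
            self.orphaned.discard(policy)
            del self.buckets[policy]        # last flow gone: orphaned bucket is released


def simulate():
    """Two flows share one 8 kbit/s bucket (1000 bytes/s, 1500-byte burst); constructed timeline."""
    rl = RateLimiter()
    rl.install_policy("video", rate_bps=8000, burst_bytes=1500, now=0.0)
    events = [
        (0.0, "f1", 1000),  # bucket full (1500): forward, 500 left
        (0.0, "f2", 1000),  # same bucket, only 500 left: drop
        (0.5, "f2", 1000),  # refilled to 1000: forward, 0 left
        (0.6, "f1", 1000),  # only 100 refilled: drop
        (2.0, "f1", 1000),  # refill capped at the 1500 burst: forward
    ]
    verdicts = [rl.packet("f1", 100, 0.0)]           # before classification: "pending"
    rl.classify("f1", "video")
    rl.classify("f2", "video")
    verdicts += [rl.packet(f, size, t) for t, f, size in events]
    rl.remove_policy("video")                        # obligation removed, flows still open
    buckets_after_remove = len(rl.buckets)
    rl.close_flow("f1")
    rl.close_flow("f2")
    return verdicts, buckets_after_remove, len(rl.buckets)
```

Because every matching flow draws from one bucket, a single bulk transfer can consume the whole allotment and cause drops in other flows that hit the same policy; the limit is per policy, not per flow or per user. The orphaned-bucket handling is what "bucket exists till the flows exist" requires: after `remove_policy` the bucket keeps limiting f1 and f2 until both have closed, and only then is it released.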


TLS Enhancements


Available with Peregrine release
- Enforce certificate best practices
- Web Reputation filtering support for HTTPS: web reputation filtering can now be applied to HTTPS traffic, using the FQDN from the certificate to determine the web reputation of the server

Certificate Caching
- Aimed to improve the connections-per-second performance of the Decryption Engine
- Previously the Decryption Engine generated a replacement certificate for every TLS connection
- Once generated, replacement certificates are now cached and reused for subsequent SSL requests to the same servers

Trusted CA list updated
- The Decryption Engine keeps a list of certificate authority certificates it trusts
- The existing CA list has been updated to match the CAs trusted by the Firefox browser (list posted by Mozilla)


CX support for Multimode ASA


" Adds CX support for multimode ASA (routed, tfw or mixed). " Each context should configure CX redirection specifically. " CX as a single instance works with ASA by using vcid per transaction. " CX policies are global and applicable to all contexts on the ASA. " Active authentication is supported with auth proxy port configurable. " PRSM Events displays context names. " Interface roles are context aware.


Licensing and Pricing


Ordering steps
Step 1: Which hardware is needed? ASA-X with SSD, or ASA 5585-X with CX SSP
Step 2: What service is needed? Application Visibility & Control (AVC), Web Security Essentials (WSE), NGFW IPS, or bundles
Step 3: How long is the service needed? 1, 3, or 5 years

ASA 5500-X hardware PIDs
- ASA 5512-X with SSD: ASA5512-SSD120-K8, ASA5512-SSD120-K9
- ASA 5515-X with SSD: ASA5515-SSD120-K8, ASA5515-SSD120-K9
- ASA 5525-X with SSD: ASA5525-SSD120-K8, ASA5525-SSD120-K9
- ASA 5545-X with SSD: ASA5545-2SSD120-K8, ASA5545-2SSD120-K9
- ASA 5555-X with SSD: ASA5555-2SSD120-K8, ASA5555-2SSD120-K9
- Spare Solid State Drive (SSD) for existing ASA 5500-X customers: ASA5500X-SSD120=

ASA 5500-X license PIDs (1 year / 3 years / 5 years)

ASA 5512-X
- AVC: ASA5512-AP1Y / ASA5512-AP3Y / ASA5512-AP5Y
- WSE: ASA5512-WS1Y / ASA5512-WS3Y / ASA5512-WS5Y
- NGFW IPS: ASA5512-IP1Y / ASA5512-IP3Y / ASA5512-IP5Y
- AVC+WSE: ASA5512-AW1Y / ASA5512-AW3Y / ASA5512-AW5Y
- AVC+NGFW IPS: ASA5512-AI1Y / ASA5512-AI3Y / ASA5512-AI5Y
- AVC+WSE+NGFW IPS: ASA5512-AWI1Y / ASA5512-AWI3Y / ASA5512-AWI5Y

ASA 5515-X
- AVC: ASA5515-AP1Y / ASA5515-AP3Y / ASA5515-AP5Y
- WSE: ASA5515-WS1Y / ASA5515-WS3Y / ASA5515-WS5Y
- NGFW IPS: ASA5515-IP1Y / ASA5515-IP3Y / ASA5515-IP5Y
- AVC+WSE: ASA5515-AW1Y / ASA5515-AW3Y / ASA5515-AW5Y
- AVC+NGFW IPS: ASA5515-AI1Y / ASA5515-AI3Y / ASA5515-AI5Y
- AVC+WSE+NGFW IPS: ASA5515-AWI1Y / ASA5515-AWI3Y / ASA5515-AWI5Y

ASA 5525-X
- AVC: ASA5525-AP1Y / ASA5525-AP3Y / ASA5525-AP5Y
- WSE: ASA5525-WS1Y / ASA5525-WS3Y / ASA5525-WS5Y
- NGFW IPS: ASA5525-IP1Y / ASA5525-IP3Y / ASA5525-IP5Y
- AVC+WSE: ASA5525-AW1Y / ASA5525-AW3Y / ASA5525-AW5Y
- AVC+NGFW IPS: ASA5525-AI1Y / ASA5525-AI3Y / ASA5525-AI5Y
- AVC+WSE+NGFW IPS: ASA5525-AWI1Y / ASA5525-AWI3Y / ASA5525-AWI5Y

ASA 5545-X
- AVC: ASA5545-AP1Y / ASA5545-AP3Y / ASA5545-AP5Y
- WSE: ASA5545-WS1Y / ASA5545-WS3Y / ASA5545-WS5Y
- NGFW IPS: ASA5545-IP1Y / ASA5545-IP3Y / ASA5545-IP5Y
- AVC+WSE: ASA5545-AW1Y / ASA5545-AW3Y / ASA5545-AW5Y
- AVC+NGFW IPS: ASA5545-AI1Y / ASA5545-AI3Y / ASA5545-AI5Y
- AVC+WSE+NGFW IPS: ASA5545-AWI1Y / ASA5545-AWI3Y / ASA5545-AWI5Y

ASA 5555-X
- AVC: ASA5555-AP1Y / ASA5555-AP3Y / ASA5555-AP5Y
- WSE: ASA5555-WS1Y / ASA5555-WS3Y / ASA5555-WS5Y
- NGFW IPS: ASA5555-IP1Y / ASA5555-IP3Y / ASA5555-IP5Y
- AVC+WSE: ASA5555-AW1Y / ASA5555-AW3Y / ASA5555-AW5Y
- AVC+NGFW IPS: ASA5555-AI1Y / ASA5555-AI3Y / ASA5555-AI5Y
- AVC+WSE+NGFW IPS: ASA5555-AWI1Y / ASA5555-AWI3Y / ASA5555-AWI5Y

ASA 5585-X CX SSP hardware PIDs
- ASA 5585-X CX SSP-10: ASA5585-S10C10-K8, ASA5585-S10C10-K9, ASA5585-S10C10XK9
- ASA 5585-X CX SSP-20: ASA5585-S20C20-K8, ASA5585-S20C20-K9, ASA5585-S20C20XK9
- ASA 5585-X CX SSP-40: ASA5585-S40C40-K8, ASA5585-S40C40-K9, ASA5585-S40C40XK9
- ASA 5585-X CX SSP-60: ASA5585-S60C60-K8, ASA5585-S60C60-K9, ASA5585-S60C60XK9

ASA 5585-X license PIDs (1 year / 3 years / 5 years)

ASA 5585-X CX SSP-10
- AVC: ASA5585-10-AP1Y / ASA5585-10-AP3Y / ASA5585-10-AP5Y
- WSE: ASA5585-10-WS1Y / ASA5585-10-WS3Y / ASA5585-10-WS5Y
- NGFW IPS: ASA5585-10-IP1Y / ASA5585-10-IP3Y / ASA5585-10-IP5Y
- AVC+WSE: ASA5585-10-AW1Y / ASA5585-10-AW3Y / ASA5585-10-AW5Y
- AVC+NGFW IPS: ASA5585-10-AI1Y / ASA5585-10-AI3Y / ASA5585-10-AI5Y
- AVC+WSE+NGFW IPS: ASA5585-10-AWI1Y / ASA5585-10-AWI3Y / ASA5585-10-AWI5Y

ASA 5585-X CX SSP-20
- AVC: ASA5585-20-AP1Y / ASA5585-20-AP3Y / ASA5585-20-AP5Y
- WSE: ASA5585-20-WS1Y / ASA5585-20-WS3Y / ASA5585-20-WS5Y
- NGFW IPS: ASA5585-20-IP1Y / ASA5585-20-IP3Y / ASA5585-20-IP5Y
- AVC+WSE: ASA5585-20-AW1Y / ASA5585-20-AW3Y / ASA5585-20-AW5Y
- AVC+NGFW IPS: ASA5585-20-AI1Y / ASA5585-20-AI3Y / ASA5585-20-AI5Y
- AVC+WSE+NGFW IPS: ASA5585-20-AWI1Y / ASA5585-20-AWI3Y / ASA5585-20-AWI5Y

ASA 5585-X CX SSP-40
- AVC: ASA5585-40-AP1Y / ASA5585-40-AP3Y / ASA5585-40-AP5Y
- WSE: ASA5585-40-WS1Y / ASA5585-40-WS3Y / ASA5585-40-WS5Y
- NGFW IPS: ASA5585-40-IP1Y / ASA5585-40-IP3Y / ASA5585-40-IP5Y
- AVC+WSE: ASA5585-40-AW1Y / ASA5585-40-AW3Y / ASA5585-40-AW5Y
- AVC+NGFW IPS: ASA5585-40-AI1Y / ASA5585-40-AI3Y / ASA5585-40-AI5Y
- AVC+WSE+NGFW IPS: ASA5585-40-AWI1Y / ASA5585-40-AWI3Y / ASA5585-40-AWI5Y

ASA 5585-X CX SSP-60
- AVC: ASA5585-60-AP1Y / ASA5585-60-AP3Y / ASA5585-60-AP5Y
- WSE: ASA5585-60-WS1Y / ASA5585-60-WS3Y / ASA5585-60-WS5Y
- NGFW IPS: ASA5585-60-IP1Y / ASA5585-60-IP3Y / ASA5585-60-IP5Y
- AVC+WSE: ASA5585-60-AW1Y / ASA5585-60-AW3Y / ASA5585-60-AW5Y
- AVC+NGFW IPS: ASA5585-60-AI1Y / ASA5585-60-AI3Y / ASA5585-60-AI5Y
- AVC+WSE+NGFW IPS: ASA5585-60-AWI1Y / ASA5585-60-AWI3Y / ASA5585-60-AWI5Y

" VMWare ESX based virtual appliance or Physical appliance (bundles hardware and software) " Licensing based on the number of ASA NGFWs that will be managed using the product

Cisco Prime Security Manager VMWare Virtual Appliance PIDs


PRSMv9-SW-5-K9 PRSMv9-SW-10-K9 PRSMv9-SW-25-K9 PRSMV9-SW-50-K9 PRSMV9-SW-100-K9

Description
Prime Security Manager - Software - 5 Device Management Prime Security Manager - Software - 10 Device Management Prime Security Manager - Software - 25 Device Management Prime Security Manager - Software - 50-Device Management Prime Security Manager - Software - 100-Device Management

Cisco Prime Security Manager VMWare Physical Appliance PIDs


PRSM-HW1-25-K9 PRSMv9-HW-50-K9 PRSMv9-HW-100-K9

Description
Prime Security Manager - Appliance - 25 Device Management PRSM - Appliance - 50-Device Management PRSM - Appliance - 100-Device Management

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

42

Thanks
