
SECVFTD25 – Securing Enterprise Networks with Cisco Firepower Threat Defense Virtual appliance

• Introduction to NGFW
• Firepower Threat Defense (FTD)
• Learning the deployment of FirePOWER Threat Defense virtual edition
• Management options
• FTD NGFW Policies
• Firepower v6.2.X Features
• VPN - Virtual Private Network
• Management and Events
• Integrations
• Reports and Dashboards
Cisco Firepower™ NGFW

Stop more threats | Gain more insight | Detect earlier, act faster | Reduce complexity | Get more from your network

Threat Focused, Fully Integrated

Enable your business with a fully integrated, threat-focused solution
► World’s most widely deployed, enterprise-class ASA stateful firewall
► Granular Cisco® Application Visibility and Control (AVC)
► Industry-leading FirePOWER next-generation IPS (NGIPS)
► Reputation- and category-based URL filtering
► Advanced malware protection

[Diagram: Cisco ASA with Cisco Collective Security Intelligence enabled; building blocks labelled Clustering & High Availability, Intrusion Prevention (subscription), Advanced Malware Protection (subscription), URL Filtering (subscription), FireSIGHT Analytics & Automation, Network Firewall Routing | Switching, Application Visibility & Control, Built-in Network Profiling, Identity-Policy Control & VPN]
What NGFW can…

• Prevent breaches automatically to keep the business moving. How? The power of Talos; Cisco Threat Response.
• Deep network and security visibility to detect and stop threats fast. How? AMP; Integrated Architecture.
• Automate operations to save time, reduce complexity and work smart. How? Built-in automation; Enterprise Agreements.
3 Main Security Concerns

• Prevention: They aren’t confident in their ability to prevent the next big breach.
• Visibility: They lack the visibility needed to see and stop threats quickly.
• Resources: They have limited budgets, staff and time. They can’t keep up with the constant attacks and threat alerts. More tools, more complexity.

Are you prepared for the next big breach or ransomware infection?
Cisco NGFW has a pretty good track record.
Stop more threats across the entire attack continuum

[Diagram: Cisco Firepower™ NGFW across the attack continuum]
• BEFORE: Discover threats and enforce security policies
• DURING: Detect, block, and defend against attacks
• AFTER: Remediate breaches and prevent future attacks
For Advanced Malware Threat Detection Across the Network
Can your firewall continuously analyze files in your system to catch stealthy threats that evaded front-line defenses?
Can it provide visibility across users, hosts and devices?
Gain more insight with increased visibility

“You can’t protect what you can’t see”

[Diagram: visibility coverage of a typical IPS, a typical NGFW and Cisco Firepower™ NGFW across threats, users, web applications, application protocols, file transfers, malware, command-and-control servers, client applications, network servers, operating systems, routers and switches, mobile devices, printers and VoIP phones]
Cisco Firepower™ NGFW

More visibility equals faster time to detection

See more to detect threats faster:
• Visibility into threat activity across users, hosts, networks and infrastructure.
• Network file trajectory maps how files, including malware files, move across your network, to scope an attack, set outbreak controls and identify the sources of the threat.
• Centralized management provides contextual threat analysis and reporting, with consolidated visibility into security and network operations.
Detect infections earlier and act faster

Industry TTD rate:* 100 days. Cisco: 17.5 hours.

• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis
Can your firewall talk to the rest of your security tools to find threats faster?
Can your firewall automate security to save you time?
Uncover hidden threats at the edge
SSL decryption engine

[Diagram: encrypted traffic passes through the SSL decryption engine, then NGIPS and AVC inspection, then enforcement decisions (for example blocking URLs in the gambling and illicit categories)]

• Encrypted traffic: decrypt 3.5 Gbps of traffic over five million simultaneous flows
• Inspect deciphered packets
• Log: track and log all SSL sessions
Uncover hidden threats in the environment
Advanced Malware Protection (AMP)

[Diagram: AMP for Endpoint and AMP for Network feed File Reputation, File & Device Trajectory, Threat Grid Sandboxing and Threat Disposition (Safe / Uncertain / Risky), with enforcement across all endpoints]

• Known signatures, fuzzy fingerprinting, indications of compromise
• Advanced analytics, dynamic analysis, threat intelligence, sandbox analysis

Block known malware | Investigate files safely | Detect new threats | Respond to alerts
Provide next-generation visibility into app usage
Application Visibility & Control

• Cisco database: 4,000+ apps, 180,000+ micro-apps
• OpenAppID for custom application detectors

See and understand risks | Enforce granular access control | Prioritize traffic and limit rates | Create detectors for custom apps
Block or allow access to URLs and domains
Web controls

[Diagram: security feeds (URL | IP | DNS) and the Cisco URL Database drive NGFW filtering, Safe Search, DNS Sinkhole and category-based policy creation by the admin, with allow/block decisions]

Classify 280M+ URLs | Filter sites using 80+ categories | Manage “allow/block” lists easily | Block latest malicious URLs
Extend AVC to proprietary and custom apps
OpenAppID – Self-Service, Open-Source

Easily customize application detectors | Detect custom and proprietary apps | Share detectors with other users
Dashboard
Firepower System dashboards provide you with at-a-glance views of current system status,
including data about the events collected and generated by the system.
Get real-time protection against global threats
Talos

Threat Intelligence | Security Coverage | Research Response
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• 250+ researchers
• 24 x 7 x 365 operations
• Coverage across endpoints, web, networks, NGIPS and devices

Identify advanced threats | Get specific intelligence | Catch stealthy threats | Stay protected with updates
Improve traffic control with new features
Additional Firewall Features

• Identity Integration (ISE, pxGrid, VDI) – target threats accurately
• Captive Portal (active/passive, NTLM, Kerberos) – enforce authentication
• FlexConfig (CLI policies, legacy ASA feature control) – granular config controls
• Rate limiting (rule-based limits, reports, QoS rules) – control application usage
• Tunnel Policy (pre-filtering, priority policy, policy migration) – block unwanted traffic early


The Problem with Legacy Next-Generation Firewalls

Focus on the apps but totally miss the threat…

Legacy NGFW can reduce attack surface area, but advanced malware often evades security controls.
Threat Landscape Demands more than Application Control

• 54% of breaches remain undiscovered for months
• 60% of data is stolen in hours
• 100% of companies connect to domains that host malicious files or services

It is a community that hides in plain sight, avoids detection and attacks swiftly.
Legacy NGFWs Lack Complete Visibility and Control

Without proper visibility, threat protection cannot be operationalized, which dramatically expands what you have to worry about:
• New demands (global collaboration, anywhere access, BYOD) – access is tougher to manage
• More things – visibility is more elusive
• Specialized threats (phishing messages opened by the target across campaigns) – threats are harder to stop
Business resiliency requires security, but…

• Security hasn’t scaled as fast as your network
• It’s costly and complex to deploy and maintain
• Ineffective security doesn’t stop malware
• Must overprovision to avoid performance problems
Other “next-generation” firewalls fix some problems but create new ones

• They’re only app-focused…
• They can’t help you once you’ve been breached… (attack continuum: BEFORE – DURING – AFTER)
• They’re another silo to manage… (IPS, acceptable use, NGFW, DDoS, sandbox)

[Diagram: deployment locations Campus NGFW, Internet Edge, Cloud Data Center Edge and Local Data Center Edge, with the use cases Acceptable Use, ACI Integration, Complex remote access and Rapid Threat Containment]
Secure your company’s internet edge

I want to… stop threats at the edge, find and fix breaches, and increase throughput.

[Diagram: Internet – Firewall – Private Network with a DMZ; security feeds (URL, IP, DNS), DNS sinkhole, AMP file inspection, AMP Threat Grid, SSL decryption engine, AVC, NGIPS, allow/block decisions]
• Dynamic and Static NAT
• High Availability
• High Bandwidth
Protect your cloud data center at the edge

I want to… extend my trusted on-premises security to the cloud.

Prepare | Secure | Define policies | Uncover threats | Respond | Remediate

[Diagram: Data Center Edge – Virtual Firewall – Cloud Data Center; security feeds (URL | IP | DNS), AMP file inspection, AMP Threat Grid, SSL decryption engine, AVC, NGIPS; TrustSec segments HR, Finance and DevOps traffic towards HR data, financial data and an in-house app, with allow/block decisions]
• High Availability
• High Bandwidth
Protect your local data center at the edge

I want to… reduce the company’s attack surface and detect data center threats.

Prepare | Secure | Define policies | Uncover threats | Respond | Remediate

[Diagram: Data Center Edge – Firewall – Data Center Network; the same security feeds, AMP file inspection, AMP Threat Grid, SSL decryption engine, AVC, NGIPS and TrustSec segmentation as in the cloud data center scenario]
• High Availability
• High Bandwidth
• Clustering
• Support for North-South and East-West traffic
Enforce acceptable use within the organization

I want to… stop risky web traffic, control application use, and allocate bandwidth.

[Diagram: Firewall – Network; reputation scoring filters unwanted URLs (e.g. gambling); the SSL decryption engine decrypts hidden traffic; user identity and application control over 4000+ web and in-house applications plus additional custom applications; actions: allow, partial block, block, prioritize traffic, define access]
Extend secure access to other locations

I want to… stop threats from getting in by extending secure access to all users.

[Diagram: Headquarters firewall connected over VPN to branch firewalls, the distributed enterprise and remote users; security feeds (URL | IP | DNS), SSL decryption engine, AVC, NGIPS, allow/block decisions]

Branch, WAN and Internet firewall highlights:
• High bandwidth
• High availability
• Hardware and virtual options
Improve scalability and control with ACI

I want to… protect the data center with consistent and targeted security policies.

Integrated management: Application Policy Infrastructure Controller (APIC) and Firepower Management Center

[Diagram: ACI spine/leaf fabric with hosts, VMs and physical nodes; AVC and NGIPS; white list policies, segmentation, APIC APIs, multi-tenancy; allow/block decisions]
• Detect threats with NGIPS using ACI fabric visibility
• Set policies with the integrated management tool
• Refine policies over time through activity analysis
Defend the network with Rapid Threat Containment

I want to… isolate compromised resources quickly before the problem grows.

[Diagram: Firepower Management Center receives an intrusion event alert and issues a quarantine command to ISE over pxGrid; ISE applies a TrustSec Quarantine Tag (alongside Employee, Guest and Supplier Tags) for automatic isolation]
Network & business resiliency require effective security

• In the 2017 NSS NGFW evaluation, Cisco:
  • Blocked 100% of evasions – one of only two vendors to do so
  • Evasion blocking critical – NSS said evasion techniques “render devices virtually useless.”
  • Provided “Above Average Value” in total cost of ownership (TCO)

[Figure: NSS Security Value Map – Cisco one of only two vendors blocking 100% of evasions (green dot) and scored above average in total cost of ownership]
Product Rating

Key Message: Cisco Firepower NGFW leads again, earns ‘Recommended’ rating.
• 4 years running: ‘Recommended’ rating
• Security effectiveness – better than 8 others
• One of only two vendors blocking 100% of evasions
• Surpassed four major vendors by over 50 points

Talking Points: Today’s digital network depends on effective security, and Cisco Firepower NGFW delivers.
In security effectiveness testing:
• Cisco Firepower NGFW: 95.5%
• Outperformed eight competitors
• Blocked 100% of evasions. NSS said evasions “…render devices virtually useless.”
• Cisco provides “Above Average Value” in TCO
Security Effectiveness

Key Message: Cisco NGFW is a leader in security effectiveness, surpassing major competitors in testing.

Talking Points:
• Our NGIPS capability is a key NGFW security differentiator
• Cisco consistently leads in NSS security effectiveness testing:
  • 95.5%: 2017 NGFW – Security Effectiveness
  • 100%: 2016 NGIPS & AMP – Breach Detection
  • 98.7%: 2016 NGIPS – Security Effectiveness
• NSS NGFW test methodology did not allow for our cloud-connected security services (AMP, Threat Grid), which were allowed in the NSS Breach Detection Test, where we achieved in 2016 a 99.7% Security Effectiveness score with Firepower 8120
A Legacy of Leading Security Effectiveness
Strong Performance in NSS Labs testing Year after Year

[Chart: NSS Labs security effectiveness scores 2010–2017 (y-axis 82–100%) for Cisco NGIPS, Cisco NGFW, BDS (Cisco AMP, 2015–2017) and Evasions (Cisco, all), each plotted against the test average]
Evasion Mitigation

Key Message – NSS wrote: “Failure of a security device to correctly identify a specific type of evasion potentially allows an attacker to use an entire class of exploits for which the device is assumed to have protection. This renders the device virtually useless.”

Talking Points:
• Cisco one of only two vendors blocking 100% of evasions
• Blocking exploits without also blocking evasions is only half the battle
• We also scored well in:
  • Combined Exploits & Evasions – Cisco 98.2%
  • Client-side Exploits & Evasions – Cisco 98.8%
  • Exploits Using Evasion Techniques
Superior Threat Intelligence
Cisco Talos Leads the Pack

Top 5 Vendors Providing the Best Cybersecurity Intelligence
• Cisco 47%
• IBM Security 28%
• Microsoft 27%
• Symantec (including Blue Coat) 24%
• McAfee (formerly Intel Security) 20%

Notice who’s not listed? Every other NGFW vendor.
Firepower Threat Defense (FTD) Software

Firepower (L7):
• Threat-Centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection

ASA (L2-L4):
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection

Firepower Threat Defense: full feature set on a single converged OS, with continuous feature migration (Firewall, URL, Visibility, Threats), managed by Firepower Management Center (FMC)*

* Also manages Firepower Appliances and FirePOWER Services (not ASA Software)
Security Application Convergence

ASA:
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection

FirePOWER:
• Threat-centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection

Firepower Threat Defense (FTD)
• Converged NGFW/NGIPS image on Firepower 4100/9300 and ASA5500-X platforms
• Single point of management with Firepower Management Center
• Full FirePOWER functionality for NGFW/NGIPS deployments
• ASA Data Plane with TCP Normalizer, NAT, ACL, dynamic routing, failover functions
FTD – Rough Packet Flow

1. The packet ingresses and is placed into memory.
2. A pointer to that memory is sent to the firewall process.
3. The firewall process runs its checks against the packet at that memory pointer and then sends the memory pointer to the IPS process.
4. The IPS process runs its checks against the packet at that memory pointer and sends the result to the firewall process.
5. The firewall process sends the packet on for egress.
Firepower Threat Defense Packet Flow
Zero Copy, Single OS

[Diagram: packet flow on FTD – Ingress NIC → kernel → L2/L3 decode → flow lookup / flow update → route lookup → NAT lookup → L4 decode → inspection checks; packets are handed by pointer through the Packet Library (PDTS) to the Snort engine for AVC, IPS and File/AMP inspection, with events written to the database → routing → NAT → Egress NIC]
What features are available?
• Everything from Firepower 6.1.0
• New Features in Version 6.2.0: Migration Enablers
  • Migration Tool
  • REST API
  • Packet Tracer and Capture
• New Features for Version 6.2.0: Platform/Integration
  • Firepower Threat Defense on Microsoft Azure
  • Firepower Threat Grid API Key Integration
  • ISE and SGT tags without Identity
  • TS Agent (VDI Identity Support)
• New Features for Version 6.2.0: Firepower Threat Defense and Threat
  • Site-to-Site VPN
  • PKI Support for Firepower Management Center
  • User-based Indications of Compromise (IOCs)
  • URL Lookups
  • FlexConfig
• New Features for Version 6.2.1
  • Remote Access VPN
  • Rate Limiting Enhancements
  • Automatic Application Bypass
• New Features for Version 6.2.2
  • Cisco Threat Intelligence Director
  • Intelligence Application Bypass
  • Security Enhancements for Site to Site VPN
• New Features for Version 6.2.3
  • SSL/TLS Decryption
  • Intrusion Rule Tuning
  • Web Applications and Malware Dashboard
  • Automatic Network Analysis Policy based on Intrusion Policy
  • FTD virtual for kernel-based virtual machine hypervisor device configuration
  • Firepower Threat Defense REST API, and an API Explorer
Advantages of Firepower Threat Defense

• New Next Generation Firewall offering
• Brings together the best features from ASA and Firepower, all under one OS
• Zero-copy packet inspection
• Single management application
• Duplicate functionality removed

[Diagram: Firepower Threat Defense combines L2-L4 inspections (ASA technology) with advanced inspections (FirePOWER technology) and is managed by Firepower Management Center; previously ASA with FirePOWER Services was managed through CSM/ASDM and FireSIGHT]
FTD CLI
3 “shells” that you can access:
• FTD shell (AKA CLISH) – “>”
• Linux shell (AKA BASH)
  • Non-root – “$”
  • Root – “#”
• ASA Shell (AKA Lina CLI) – “firepower>”
Cisco Virtual FTD and FMC

• VMware: OVF for vSphere and ESXi; VMware ESXi 5.x, 6.x; E1000 and VMXNET3 interfaces
• KVM (FTD 6.2): Cisco FTDv qcow2 image; KVM 1.0 Virtio driver
• Public Cloud: Amazon Web Services – AMI in the marketplace

Same Feature Set As Physical Appliances
Cisco FTDv for VMware
• ESXi version 5.1 (FTD 6.0), 5.5 (FTD 6.0, FTD 6.1, FTD 6.2), ESXi version 6.0 (FTD 6.1 and FTD 6.2) and ESXi version 6.5 (FTD 6.2)
• Interfaces
  • Default of 4 E1000 interfaces (1 management, 3 data)
  • Minimum of 4 interfaces required – even if your use case requires less
  • Maximum of 10 interfaces (1 management, 9 data)
  • VMXNET3 interfaces for 10G also supported
• 4 GB default / 8 GB max (allocate more, based upon features – e.g. AMP)
• 4 vCPU default / 8 vCPU max (allocate more for better performance)
• 40GB hard disk is allocated and cannot be changed
• No web interface. You must initially configure via console CLI and manage from Firepower Management Center.
High Level Packet Processing on FTD

FTDv Deployment Scenario – Passive
• Monitoring traffic between Server A and Server B
• Dedicated FTDv per ESXi host
• Promiscuous mode enabled in ESXi for the FTDv Sensing port group

[Diagram: ESXi host with FTDv (Management and Sensing interfaces); the Sensing interface sits on vSwitch2, Virtual Server A and Virtual Server B on vSwitch3 with a promiscuous port group; physical uplinks NIC2 and NIC3]
FTDv Deployment Scenario – Routed
• L3 NGFW gateway for servers
• Configure 2 vSwitches:
  • One with external interface (Outside)
  • One without (Inside)
• Servers connect to Inside vSwitch
• Port groups used for the Outside interface must have only 1 active uplink

[Diagram: ESXi host with FTDv (Management, Outside and Inside interfaces); Outside on vSwitch2, Inside on the protected vSwitch4 together with Virtual Server A and Virtual Server B; vSwitch3 with a promiscuous port group; physical uplinks NIC2 and NIC4]
FTDv Deployment Scenario – Transparent
• NGFW segmentation between hosts
• Bridge up to 4 segments per BVI
• Configure 2 vSwitches:
  • One with external interface (Outside)
  • One without (Inside)
• Servers connect to Inside vSwitch
• Promiscuous mode enabled in ESXi for the FTDv Inside port group
• Use port channels to avoid loops – disable any NIC teaming

[Diagram: ESXi host with FTDv (Management, Outside and Inside interfaces); Outside on vSwitch2, Inside on the protected vSwitch4 together with Virtual Server A and Virtual Server B; vSwitch3 with a promiscuous port group; physical uplinks NIC2 and NIC4]
Virtual FTD Installation steps (vSphere)
1. Deploy OVF Template
2. Enter the details asked for by the Setup Wizard
3. Add FTD to Firepower Management Center
Management designed for the user

• On-box: Firepower Device Manager – enables easy on-box management of common security and policy tasks
• Centralized: Firepower Management Center – enables comprehensive security administration and automation of multiple appliances
• Cloud-based: Cisco Defense Orchestrator – enables cloud-based policy management of multiple deployments
Data Plane Configuration Options
• Firepower Management Center (FMC): Centralized server for managing multiple devices
• Firepower Device Manager: On-box manager for a single FTD device.
Firepower Management Center (FMC)
• Centralized manager that allows common configuration across several devices.
• Configure once, deploy to many.
• Doesn’t manage ASA.
• Manages Firepower and FTD devices.
• Communicates with managed devices via TCP/8305.
• Can receive updates via “cloud” services, such as Cisco Talos.
• Offline update available too if direct Internet access is not allowed.
Firepower Management Center (FMC)
Easily manage NGFWs across multiple sites

Centralized management for multi-site deployments
• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration
• Manages Firewall & AVC, NGIPS, AMP and Security Intelligence
…Available in physical and virtual options

Manage across many sites | Control access and set policies | Investigate incidents | Prioritize response
Centralize security administration and automation of multi-device deployments
Firepower Management Center – Same trusted functionality

• Unified insight: Gain network-to-endpoint visibility, with deep insight into the network firewall, applications, and threats – all in one place
• Scalable management: Utilize policy inheritance and centralized role-based management to easily expand
• Intelligent automation: Leverage intelligent rule recommendations, remediation APIs, and impact assessments to minimize management burden
• New integration features: Threat Grid, ISE, AMP for Endpoints

Reduce complexity with simplified, consistent management

Unified
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover remediation tools

Scalable
• Central, role-based management
• Multitenancy
• Policy inheritance

Automated
• Impact assessment
• Rule recommendations
• Remediation APIs
Get more from your network through integrated defenses

[Diagram: Cisco Firepower™ Management Center with the Firepower 4100 Series and Firepower 9300 Platform; shared intelligence (Talos), shared contextual awareness and consistent policy enforcement across Visibility, Radware DDoS, URL analysis, Email, Network Threats, Identity and NAC, DNS and Firewall]
Know what and when you need to update
Smart Licensing

[Diagram: Smart Licensing portal covering Software, Services, Devices and Reports]
View software, services, and devices in one easy to use portal | Track software usage with regular reports to Cisco | Activate software automatically | Extend licenses automatically
Visibility Comparison

Category                      Firepower Management Center   Typical IPS   Typical NGFW
Threats                       Yes                           Yes           Yes
Users                         Yes                           Yes           Yes
Web applications              Yes                           No            Yes
Application protocols         Yes                           No            Yes
File transfers                Yes                           No            Yes
Malware                       Yes                           No            No
Command-and-control servers   Yes                           No            No
Client applications           Yes                           No            No
Network servers               Yes                           No            No
Operating systems             Yes                           No            No
Routers and switches          Yes                           No            No
Mobile devices                Yes                           No            No
Printers                      Yes                           No            No
VoIP phones                   Yes                           No            No
Virtual machines              Yes                           No            No
Vulnerability information     Yes                           No            No


Management
Firepower Management Center Appliances

                                    FS750       FS2000            FS4000
Maximum devices managed*            10          70                300
Event storage                       100 GB      1.8 TB            3.2 TB
Maximum network map (hosts/users)   2000/2000   150,000/150,000   600,000/600,000
Events per second (EPS)             2000        12,000            20,000

Virtual FireSIGHT® Management Center: up to 25 managed devices (ASA or FirePOWER appliances).
Virtual FireSIGHT® Management for 2 or 10 ASA devices only (FS-VMW-2-SW-K9, FS-VMW-10-SW-K9); not upgradeable.
Select a new FMC appliance that provides greater scalability

Model         Form Factor   Maximum # of Devices Managed   IPS Event Capacity
FMC 750       1RU           10                             20 million
FMC 1000      1RU           50                             60 million
FMC 2500      1RU           300                            60 million
FMC 4500      1RU           750                            300 million
FMC virtual   n.a.          2, 10, or 25                   10 million
FMCv in AWS   BYOL          2, 10, or 25                   10 million

• 50% increase in supported managed devices
• Consolidated, central management for all threat platforms (NGFW, ASA-FirePOWER Services, NGIPS, FTD for ISR, AMP for Networks)
• Improved IT efficiency via automation
• Open analysis platform (OpenAppID, Threat Intelligence Director, pxGrid, eStreamer)
System Improvements in FMC
HA and Clustering Hardening
• FTD HA creation ~30% faster
• Improved reliability and configuration sync
• Enhanced outputs and logging

FMC Optimization
• Context Explorer has faster load times when there is a large number of events
• FTD Configuration export/import

New FMC APIs introduced
• NAT policies and NAT Rules, Static Routes (IPv4 and IPv6) and HA
• Enables interoperability with third party firewall management tools
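The REST API mentioned above is what third-party tooling uses to talk to FMC. The following client is an added example written for this page, not Cisco's or the course's code. It assumes the FMC 6.2.x REST API as published by the on-box API Explorer: a POST to /api/fmc_platform/v1/auth/generatetoken with HTTP Basic credentials that returns the session material in response headers (X-auth-access-token, X-auth-refresh-token, DOMAIN_UUID), and GET collections such as devices/devicerecords and policy/ftdnatpolicies under /api/fmc_config/v1/domain/{uuid}. The host name, account, password and CA file path are placeholders; the exact paths should be confirmed in your FMC's API Explorer.

```python
"""Minimal FMC REST API client: authenticate, then list managed devices and
FTD NAT policies. Added example for this page, not Cisco or course code.
Only the Python standard library is used so that it runs anywhere."""
import base64
import json
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"   # assumed FMC 6.2.x path
CONFIG_PATH = "/api/fmc_config/v1/domain/{domain}"        # assumed FMC 6.2.x path


def basic_auth_header(username, password):
    """Authorization header value that the generatetoken endpoint expects."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def extract_session(headers):
    """FMC returns the session material as HTTP headers, not as a JSON body.
    Header names are matched case-insensitively; a missing token or domain
    UUID is treated as a failed login rather than silently carried on."""
    lowered = {k.lower(): v for k, v in headers.items()}
    session = {
        "token": lowered.get("x-auth-access-token"),
        "refresh": lowered.get("x-auth-refresh-token"),
        "domain": lowered.get("domain_uuid"),
    }
    if not session["token"] or not session["domain"]:
        raise RuntimeError("generatetoken response lacks token or DOMAIN_UUID")
    return session


def login(host, username, password, ctx):
    """POST to generatetoken and return the parsed session dictionary."""
    req = urllib.request.Request(
        f"https://{host}{TOKEN_PATH}", method="POST",
        headers={"Authorization": basic_auth_header(username, password)})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return extract_session(resp.headers)


def fmc_get(host, session, resource, ctx):
    """GET a collection under the session's domain. expanded=true asks FMC for
    full objects instead of bare id/name references."""
    base = CONFIG_PATH.format(domain=session["domain"])
    req = urllib.request.Request(
        f"https://{host}{base}/{resource}?expanded=true",
        headers={"X-auth-access-token": session["token"],
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def summarize(payload):
    """Reduce a collection response to (name, id) pairs. FMC list responses
    carry their objects under 'items'; the key is absent for an empty list."""
    return [(item["name"], item["id"]) for item in payload.get("items", [])]


if __name__ == "__main__":
    # Verify the FMC's HTTPS certificate against the CA that issued it rather
    # than disabling verification; the path is a placeholder.
    ctx = ssl.create_default_context(cafile="/path/to/fmc-ca.pem")
    host = "fmc.example.internal"                      # placeholder host
    sess = login(host, "apiuser", "CHANGEME", ctx)     # placeholder credentials
    for name, uuid in summarize(fmc_get(host, sess, "devices/devicerecords", ctx)):
        print("device", name, uuid)
    for name, uuid in summarize(fmc_get(host, sess, "policy/ftdnatpolicies", ctx)):
        print("NAT policy", name, uuid)
```

The access token is valid for a limited time and FMC also caps the number of concurrent tokens per account, so a script that polls should reuse one session (or call the refresh endpoint) rather than logging in on every request. Note that the REST API is served on the FMC web port (443), separate from TCP/8305 used between FMC and its managed devices.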


Upgrade Improvements in 6.2.3

Single-Step Upgrade
• Single-step upgrade from 6.1 (and interim versions) to 6.2.3
• For FMC, FTD, Firepower Services, 7000/8000 Series devices
• FMC Push feature reduces software installation time

Backward Management
• 6.2.3 installed on all new systems by default
• 6.2.3 FMC will manage as far back as 6.1

[Diagram: version ladder 6.1 → 6.2 → 6.2.2 → 6.2.3]

Result: Much easier, less time-consuming upgrade process
Smart Licensing
• Firepower Threat Defense uses ONLY Smart Licensing. Other products (Firepower 7000/8000 series appliances or Firepower Services modules) still use Classic Licensing.
• Controlled through FMC, restricting what features can be configured per device. Without a license, FMC cannot deploy policy or receive events.
• Existing ASA classic licensing is not used.
• Evaluation mode is possible using the built-in 90-day evaluation period. It has a start and end date; renewal is required for continued entitlement.
• Purchased licenses are added to the Smart Account automatically.
• Equivalent licenses must be purchased for HA devices.
Smart Licensing

License feature               Description                                         License type
Base                          NGFW (Firewall and AVC)                             Perpetual
Threat Protection             IPS policies, Security Intelligence, DNS policies   Term
Malware                       Advanced Malware Protection and Threat Grid         Term
URL Filtering                 Category and web reputation filtering               Term
Firepower Management Center   Management license for host/user count              Perpetual
Enabling Evaluation Mode for the Smart licenses
• Log in to Cisco Firepower Management Center.
• Navigate to System > Licenses > Smart Licenses.

NOTE: To add the Firepower Threat Defense sensor to the Management Center, a Smart License is required.

• Click on Evaluation Mode to enable smart licensing. Click Yes to start the evaluation period for the Smart license.

[Screenshot: Add Device dialog – enter either the hostname or IP address of the sensor and the registration key used in the CLI, select the Access Control Policy just created, and select licenses based upon the subscriptions purchased]

Verifying registration of FTD Sensor to Firepower Management Center
Security Zones vs. Security Levels
Security Levels are like waterfalls, with one interface having a higher “level” and thus being more secure than another interface. Security Zones are like fences, dividing interfaces into “like groups” and establishing the rules for crossing the fence line.
FTD Security Zones
• True zone-based firewall
• Security Zones are collections of interfaces or sub-interfaces
• Policy rules can apply to source and/or destination security zones
• Security levels are not used
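To make the fence-versus-waterfall difference concrete, here is a small model of both behaviours. It is an added example written for this page, not FTD or FMC code: the interface-to-zone mapping and the access-control rules are constructed sample data, and the evaluation logic only reproduces the two ideas the page states (rules match on source/destination zone, and an unspecified zone condition matches any zone, with the policy's default action applying when no rule matches).

```python
"""Zone-based access control (FTD) beside classic ASA security levels.
Added illustrative model for this page; not Cisco code."""

# Constructed sample: every interface or sub-interface belongs to exactly one zone.
INTERFACE_ZONES = {
    "GigabitEthernet0/0": "outside",
    "GigabitEthernet0/1": "inside",
    "GigabitEthernet0/1.20": "inside",   # VLAN sub-interface in the same zone
    "GigabitEthernet0/2": "dmz",
}

# Constructed sample rules, evaluated top-down; the first match wins.
# An empty zone set stands for "any zone", like an unspecified zone condition.
RULES = [
    {"name": "inside-to-anywhere", "src": {"inside"}, "dst": set(), "action": "allow"},
    {"name": "to-dmz-web", "src": {"inside", "outside"}, "dst": {"dmz"}, "action": "allow"},
    {"name": "dmz-to-inside-block", "src": {"dmz"}, "dst": {"inside"}, "action": "block"},
]
DEFAULT_ACTION = "block"   # policy default when no rule matches


def zone_of(interface):
    """Resolve an interface name to its zone; an unassigned interface is an error,
    because a rule written against zones cannot reason about it."""
    try:
        return INTERFACE_ZONES[interface]
    except KeyError:
        raise ValueError(f"interface {interface!r} is not assigned to a zone") from None


def evaluate(ingress_if, egress_if, rules=RULES, default=DEFAULT_ACTION):
    """Return (rule name, action) for a flow entering on ingress_if and leaving
    on egress_if. Matching uses zone membership, never the interface names."""
    src_zone, dst_zone = zone_of(ingress_if), zone_of(egress_if)
    for rule in rules:
        src_ok = not rule["src"] or src_zone in rule["src"]
        dst_ok = not rule["dst"] or dst_zone in rule["dst"]
        if src_ok and dst_ok:
            return rule["name"], rule["action"]
    return "default", default


def security_level_allows(src_level, dst_level):
    """The classic ASA "waterfall" the page contrasts with: absent an ACL, a flow is
    permitted only from a higher security level to a strictly lower one."""
    return src_level > dst_level


if __name__ == "__main__":
    for pair in [("GigabitEthernet0/1", "GigabitEthernet0/0"),
                 ("GigabitEthernet0/0", "GigabitEthernet0/2"),
                 ("GigabitEthernet0/2", "GigabitEthernet0/1"),
                 ("GigabitEthernet0/0", "GigabitEthernet0/1")]:
        print(pair, "->", evaluate(*pair))
    print("level 100 -> 0:", security_level_allows(100, 0))
    print("level 0 -> 100:", security_level_allows(0, 100))
```

The point to take from the model is that adding a fourth interface to the "inside" zone changes nothing in the rule table, whereas in the security-level model every new interface needs its own level and its relationship to all the others. The default action being block is what keeps an unmatched outside-to-inside flow closed; when reviewing a policy, check that default first.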
FTD Deployment and Interface Modes
2 Deployment Modes (inherited from ASA):
• Routed
• Transparent

6 Interface Modes:
• Routed (inherited from ASA)
• Switched (BVI) (inherited from ASA)
• Passive (inherited from FirePOWER)
• Passive (ERSPAN) (inherited from FirePOWER)
• Inline pair (inherited from FirePOWER)
• Inline pair with tap (inherited from FirePOWER)
Note - Interface modes can be mixed on a single FTD device
Deployment Mode: Routed
• Traditional L3 firewall deployment
• Allows configuring all interface modes apart from Switched (BVI); from 6.2 onwards Switched interfaces are allowed too
• You can specify the firewall mode (Routed or Transparent) during the FTD
setup process:
Configure firewall mode? (routed/transparent) [routed]: routed

• You can later change the FTD mode from CLISH CLI:
> configure firewall routed
This will destroy the current interface configurations, are you sure that you want to
proceed? [y/N] y
The firewall mode was changed successfully.
>

Note - The FTD mode can be changed only if the device is unregistered
Deployment Mode: Transparent
• Traditional L2 firewall deployment
• Allows configuring all interface modes apart from Routed, Passive ERSPAN
• You can specify the firewall mode (Routed or Transparent) during the FTD
setup process:
Configure firewall mode? (routed/transparent) [routed]: transparent

• You can later change the FTD mode from routed to transparent from CLISH:
> configure firewall transparent
This will destroy the current interface configurations, are you sure that you want to
proceed? [y/N] y
The firewall mode was changed successfully.
>

Note - The FTD mode can be changed only if the device is unregistered
Interface Mode: Routed
• Available only in Routed Deployment
• Traditional L3 firewall deployment
• One or more physical or logical (VLAN) routable interfaces
• Allows features like NAT or Dynamic Routing protocols to be configured
• Packets are being forwarded based on Route Lookup
• Full ASA engine checks are applied along with full Snort engine checks
• Actual traffic can be dropped
Interface Mode: Switched
• Available only in Transparent Deployment mode
• Very similar to classic Transparent firewall
• Two or more physical or logical interfaces are assigned to a Bridge Group
• Full ASA engine checks are applied along with full Snort engine checks
• Packets are being forwarded based on CAM table Lookup
• BVI interface is being used to resolve next hop MAC using ARP or ICMP
• Actual traffic can be dropped
Interface Mode: Inline Pair
• 2 Physical interfaces internally bridged
• Very similar to classic inline IPS
• Available in Routed or Transparent Deployment modes
• Most of ASA features (NAT, Routing, L3/L4 ACL etc) are not available for flows going
through an Inline Pair.
• Few ASA engine checks are applied along with full Snort engine checks
• Actual traffic can be dropped
Interface Mode: Inline Pair with Tap
• 2 Physical interfaces internally bridged
• Available in Routed or Transparent Deployment modes
• Most of ASA features (NAT, Routing, L3/L4 ACL etc) are not available for flows going
through an Inline Pair
• Few ASA engine checks are applied along with full Snort engine checks to a copy of
the actual traffic
• Actual traffic cannot be dropped
Interface Mode: Passive
• 1 Physical interface operating as a sniffer
• Very similar to classic IDS
• Available in Routed or Transparent Deployment modes
• Few ASA engine and Full Snort engine checks to a copy of the actual traffic
• Actual traffic cannot be dropped
Interface Mode: Passive (ERSPAN)
• 1 Physical interface operating as a sniffer
• Very similar to a remote IDS
• Available only in Routed Deployment mode
• A GRE tunnel between the capture point and the FTD carries the packets
• Few ASA engine and Full Snort engine checks a copy of the actual traffic
• Actual traffic cannot be dropped
Basic Interface Configuration
Just an example – Final config will be different once redundancy is added
[Diagram: FTD with G 0/1 to the Inside Network, G 0/0 to the Outside Network and G 0/2 to the Outside1 Network; the interface being configured is shown in red]
Deploying the Redundant Outside Interfaces
Edge Use Case
[Diagram: the FTD outside interfaces G1/1 and G1/2 connect over VPC pairs to the Edge Aggregation VDC, with ISP-A and ISP-B upstream; the DMZ Network(2) (Public Web/DB) hangs off the edge aggregation layer]
Deploying Changes
Changes don’t take effect until you deploy the policy
[Screenshot callout: you can optionally check for rule conflicts before deploying]
Network Address Translation (NAT)
• Two “types” of NAT in FTD devices: Auto-NAT and Manual NAT
• Auto-NAT, also known as Object-NAT or Host NAT.
• Defined within an object.
• Just translates the source IP or IP range.
• Can be a static or dynamic NAT. (Think 1:1 NAT or PAT.)
• Manual NAT, also known as Twice-NAT.
• Can specify the source and destination addresses for NAT.
Network Address Translation (NAT) (cont.)
• NAT Policy
• FTD Policies vs. Firepower Policies
• Associated with Devices
• Contains rules (edit policy to see rules)
• A single NAT Policy can be applied to more than 1 device (think common
policy for a group of FTD devices).
Network Address Translation (NAT) (cont.)
• NAT Rule
• Various settings to specify source/destination interfaces, IP addresses, Ports, etc.
• Can be “Manual” or “Auto”. (More about these later.)
Network Address Translation (NAT) (cont.)
NAT order of operations:
• Section 1 and Section 3 rules are manually ordered (i.e. the administrator orders them).
• Section 2 (i.e. Auto-NAT rules) is ordered Static NAT before Dynamic NAT and then, within each of those categories, longest to shortest prefix.
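An added Python model of this ordering (not Cisco's code): Sections 1 and 3 keep the administrator's order, Section 2 is sorted static-before-dynamic and then longest prefix first. The tie-breaker for equal prefixes and the sample rule set are constructed assumptions.

```python
"""Added example (not Cisco's code): the NAT rule ordering described above.

Section 1 (manual NAT before auto) and Section 3 (manual NAT after auto) keep
the administrator's order. Section 2 (auto/object NAT) is sorted static before
dynamic and then longest to shortest prefix. Ties within Section 2 are broken
here by network address and rule name, an assumption made for determinism.
All rule names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int       # 1 = manual (before auto), 2 = auto/object NAT, 3 = manual (after auto)
    original: str      # original (real) source network in CIDR form
    kind: str          # "static" or "dynamic"
    position: int = 0  # administrator-assigned order inside Sections 1 and 3


def _auto_nat_key(rule: NatRule):
    """Sort key for Section 2: static first, then the most specific prefix first."""
    net = ip_network(rule.original)
    kind_rank = 0 if rule.kind == "static" else 1
    return (kind_rank, -net.prefixlen, int(net.network_address), rule.name)


def order_nat_rules(rules):
    """Return the rules in the order the FTD evaluates them."""
    manual_before = sorted((r for r in rules if r.section == 1), key=lambda r: r.position)
    auto = sorted((r for r in rules if r.section == 2), key=_auto_nat_key)
    manual_after = sorted((r for r in rules if r.section == 3), key=lambda r: r.position)
    return manual_before + auto + manual_after


def first_matching_rule(rules, src_ip):
    """First rule in evaluation order whose original network contains src_ip."""
    addr = ip_address(src_ip)
    for rule in order_nat_rules(rules):
        if addr in ip_network(rule.original):
            return rule
    return None


# Constructed NAT policy: one rule of each kind, deliberately listed out of order.
SAMPLE_RULES = [
    NatRule("auto-pat-inside", 2, "10.0.0.0/8", "dynamic"),
    NatRule("manual-catchall", 3, "0.0.0.0/0", "dynamic", position=1),
    NatRule("auto-static-dmz", 2, "10.1.1.0/24", "static"),
    NatRule("manual-vpn-exempt", 1, "10.2.0.0/16", "static", position=1),
    NatRule("auto-static-web", 2, "10.1.1.10/32", "static"),
]

if __name__ == "__main__":
    for rule in order_nat_rules(SAMPLE_RULES):
        print(f"section {rule.section}: {rule.name:<20} {rule.original:<14} {rule.kind}")
    for ip in ("10.1.1.10", "10.1.1.50", "10.2.3.4", "10.9.9.9", "192.0.2.1"):
        print(ip, "->", first_matching_rule(SAMPLE_RULES, ip).name)
```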
FTD Packet Processing Flow
[Figure: flow chart. Ingress path: RX Pkt → Ingress Interface → Existing Conn? → NAT Untranslate → Advanced Fastpath? → ACL Permit. Snort inspection stage: SSL Policy Enforcement, Application Policy Enforcement, URL Policy Enforcement, NGIPS Policy Enforcement and AMP Policy Enforcement, fed by IP Reputation/SI and Application Identification, ending in Event Gen or Allow (or Fastpath). Egress path: ALG Checks → NAT IP Header → Egress Interface → L3 Route → L2 Addr → TX Pkt. A “No” at any of the checks leads to DROP.]
Routing on FTD
• FTD performs L3 route lookup as part of its normal packet processing flow
• FTD is optimized as a flow-based inspection device
• For smaller deployments, FTD is perfectly acceptable as the router
• For larger deployments, a dedicated router (ISR, ASR, Nexus) is a much better option.
• FTD may originate routes depending on the network design
• FTD supports static routing and most IGP routing protocols:
• BGP-4 with IPv4 & IPv6 (aka BGPv4 & BGPv6)
• OSPFv2 & OSPFv3 (IPv6)
• RIP v1/v2
• Multicast
• No EIGRP
[Diagram: FTD with G 0/1 to the Inside Network, G 0/0 to the Outside Network and G 0/2 to the Outside1 Network]
BGP
• FTD supports BGPv4 and BGPv6 for dynamic routing across all platforms
• Standard communities and all path attributes, route redistribution; up to 100K prefixes and 2000 neighbors
• Null0 and Remotely-Triggered Black Hole (RTBH) support
• RTBH – DDoS mitigation
• Confederations, route reflectors, tagging, neighbor source-interface, and BFD are not supported
• BGP RIB is replicated in failover along with other protocols
FTD Routing – Static Use Case
[Diagram: FTD with G 0/1 to the Inside Network, G 0/0 (“outside”) to the Outside Network via the Gateway IP, and G 0/2 to the Outside1 Network]
NGFW Policy Types in FTD
Policy Type – Function
Access Control – Specify, inspect and log network traffic
Intrusion – Inspect traffic for security violations (including block or alter)
Malware & File – Detect and inspect files for malware (including block)
SSL – Inspect encrypted traffic (including decrypt and block)
DNS – Controls whitelisting or blacklisting of traffic based on domain
Identity – Collect identity information via captive portal
Prefilter – Early handling of traffic based on L1–L4 criteria
Inspection Policy Relationships
Access Control Policy blocking inappropriate content
Malware and File Analysis
Attached to Access Policy

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Custom IPS Policy
SSL Decrypt is fully configurable
Can specify by application, certificate fields / status, ciphers, etc
DNS Sink-holing / Traffic Drop Rule Set
Based on DNS query results of client
Security Intelligence DNS Global Settings
Whitelist / Blacklist capabilities
Identity Policy based on Passive Authentication
Attaches to Access Control Policy
Access Control Policy Identity Control
Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)
Malware & File Policy Overview
• Controls what and how files are allowed, blocked and inspected
• Simple policy applies the same action (Malware Cloud Lookup) to all files
• Actions are:
• Detect Files – Detect and log the file transfer, perform no inspection
• Block Files – Block and log the file transfer, perform no inspection
• Malware Cloud Lookup – Inspect the file to determine disposition (Malware, Unknown or
Clean) and log
• Block Malware – Inspect the file to determine disposition, log and block if Malware
• Inspection includes static analysis of the file (via Spero), dynamic analysis (via
AMP Threat Grid) and local analysis (via ClamAV)
• Complex policies can include different actions and levels of inspections for
different application protocols, directions and file types.
Malware & File Policy for Use Case #1
Block malicious Office, Executable and PDF files transferred over HTTP
Malware & File Policy for Use Case #2
Block malicious Office, Executable and PDF files transferred over HTTP
[Screenshot callouts: “Blocks all files matching policy file type(s)”; “Detection only (no blocking)”]
Malware & File Policy for Use Case #3
Block malicious Office, Executable and PDF files transferred over HTTP
[Screenshot callouts on the file rule options:]
• Spero = Static Analysis
• Dynamic Analysis = Upload of the file to the cloud for analysis
• Capacity Handling = Store file and resubmit if file submission limit exceeded
• Local Malware Analysis = Local ClamAV signature scanning
• Stores files on the sensor for further investigation by analyst
Malware & File Policy for Use Case #4
Block malicious Office, Executable and PDF files transferred over HTTP
Malware & File Policy for Use Case #5
Block All malicious Files Over any Protocol
Malware & File Policy for Use Case – Rule Added
Block All malicious Files Over any Protocol
[Screenshot callouts: “Rule we just created”; “Add more rules as needed”]
Intrusion Policy Overview
• Controls how IDS or IPS inspection is performed on network traffic
• Simple policy inherits settings from 1 of 5 Cisco Talos maintained base policies:
• Balanced Security and Connectivity – Default and recommended
• Connectivity Over Security – Fewer rules enabled, only most critical rules block
• Maximum Detection – Favors detection over rated throughput
• No Rules Active
• Security Over Connectivity – More rules enabled, deeper inspection
• Individual rules can be set to generate events, drop and generate events, or
disabled
• Layers allow for grouping of settings/rules for easier management
• Complex policies can contain multiple layers and multiple levels of inheritance
Intrusion Policy for Use Case
IDS → “Drop when Inline” unchecked
IPS → “Drop when Inline” checked
Intrusion Policies are Highly Customizable
Firepower Recommendations
Firepower Recommendations (cont.)
IPS Policy Rule Management
Rule Management UI
IPS Policy Rule Management
Interface Elements
Filter Bar
Rule Group Accordion
Rule Options Bar
Rule Query Results
IPS Policy Rule Management
Rule State
Generate Events
Drop and Generate Events
Disable
Does not match recommendation
Event Filtering
Threshold
Suppression
Remove Thresholds
Remove Suppressions
IPS Policy Rule Management
Dynamic State
Add Rate-Based Rule State
Remove Rate-Based Rule States
Alerting
Add SNMP Alert
Remove SNMP Alerts
Comments
Add Rule Comment
IPS Policy Rule Management
Policy Layers
Policy
Layer: My Changes
Base Policy
Access Control Policy Overview
• An ACP is the collection/association point for MANY of the other policies and rules. (Think of an ACP as the gateway to applying policy to a device.)
• 1:N -- A single ACP can be assigned to multiple devices but a device can only be associated with one ACP.
• Supports nesting/inheritance of ACPs.
Access Control Policy Overview (cont.)
• Controls what and how traffic is allowed, blocked, inspected and logged
• Simplest policy contains only a default action:
• Block All Traffic
• Trust All Traffic – Does not pass through Intrusion and Malware & File inspection
• Network Discovery – Discovers applications, users and devices on the network only
• Intrusion Prevention – Using a specific intrusion policy
• Criteria can include zones, networks, VLAN tags, applications, ports, URLs and SGT/ISE attributes
• The same Access Control Policy can be applied to one or more devices
• Complex policies can contain multiple rules, inherit settings from other access control policies and specify other policy types that should be used for inspection
Access Control Policy Overview (cont.)
Creating an ACP
The Name and Default Action are required. All other fields are optional.
Access Control Policy Overview (cont.)
• Policy is applied on a per device basis (though multiple devices can be associated to the same policy).
• Specifies a “Default Action”. (What to do if no rules apply.)
• Uses an interesting inheritance association between access control policies.
Access Control Policy Overview (cont.)
• Nested Access Control Policies.
• A device can only be “directly” associated with one Access Control Policy but can get other policies’ rules via inheritance.
Access Control Policy Configuration
• There is a LOT more to Access Control Policies:
Rules
Security Intelligence
HTTP Responses
Advanced
• MANY Advanced features: SSL Policy, Prefilter Policy, Variable Set, Intrusion Policy, etc.
Rule Constraints
• Zones
• Networks
• VLAN Tags
• Users
• Applications
• Ports
• URLs
• SGT/ISE Attributes
• Inspection
• Logging
• Comments
Security Intelligence
You can edit whitelist/blacklist properties from the Access Control Policy page. Each access
control policy has Security Intelligence options. You can whitelist or blacklist network objects,
URL objects and lists, and Security Intelligence feeds and lists, all of which you can constrain by
security zone. You can also associate a DNS policy with your access control policy, and whitelist
or blacklist domain names.
HTTP Responses
You can configure an HTTP response page to display when the system blocks web requests, using either access control rules or the access control policy default action.
You can choose a generic system-provided response page, or you can enter custom HTML. The response page displayed depends on how you block the session:
 Block or Block with reset—A blocked session times out or resets. The Block Response Page overrides the default browser or server page that explains that the connection was denied.
 Interactive Block or Interactive Block with reset—The system can display an Interactive Block Response Page to warn users, but also allow them to click a button (or refresh the page) to load the originally requested site. Users may have to refresh after bypassing the response page to load page elements that did not load.
Access Control Rules
Access Control Policy (cont.)
 Within an Access Control Policy rules are sorted into two sections: Mandatory and Default
 Mandatory rules are checked first (top down) and then Default rules (top down).
Adding Access Control Rule Constraints
 Zones, Networks, VLAN Tags, Users, Applications, Ports, URLs, SGT/ISE
Attributes, Inspection, Logging, Comments
Zones
 Select the zones you wish to use as sources and destinations in your rule.
 It matches traffic entering or leaving a device via an interface in a specific security zone. A security zone is a logical grouping of one or more interfaces according to your deployment and security policies.
Networks
 In the Networks tab, you can select source and destination networks or network groups. It matches traffic by its source or destination IP address, country, or continent (geolocation).
Networks-Geolocation
 The Geolocation feature identifies the source and destination geographical
locations (countries and continents) of traffic on your network.
Users
 You can use users and/or user groups to constrain access control rules. It matches traffic by the user, user group, or realm involved in the session.
Applications & Filters
 Applications can be used as a rule constraint.
 It matches traffic by the application detected in a session. You can control access to individual applications, or filter access according to basic characteristics: type, risk, business relevance, categories, and tags.
Source and Destination Ports
 It matches traffic by its source or destination port. For TCP and UDP, you can control traffic based on the transport layer protocol. For ICMP and ICMPv6 (IPv6-ICMP), you can control traffic based on its Internet layer protocol plus an optional type and code. Using port conditions, you can also control traffic using other protocols that do not use ports.
URLs
 It matches traffic by the URL requested in the session. You can control access to individual websites, use lists and feeds, or filter access based on a site’s general classification and risk level.
ISE Attributes
 Matches traffic by ISE attribute (Security Group Tag (SGT), Endpoint Profile,
or Endpoint Location).
Inspection
 Inspection options for an access control rule govern how the system inspects and blocks malicious
traffic you would otherwise allow. When you allow traffic with a rule, you can specify that the
system first inspect it with intrusion or file policies to block any exploits, malware, or prohibited
files before they reach your assets or exit your network.
Logging
 A rule’s logging settings govern the records the system keeps of the traffic it handles. You can keep
a record of traffic that matches a rule. In general, you can log sessions at the beginning or end of a
connection, or both. You can log connections to the Defense Center database, as well as to the
system log (syslog) or to an SNMP trap server.
Access Control Rule Actions
 Every access control rule has an action that determines the following for matching traffic:
 handling—foremost, the rule action governs whether the system will monitor, trust, block, or allow traffic that matches the rule’s conditions.
 inspection—certain rule actions allow you, when properly licensed, to further inspect matching traffic before allowing it to pass.
 logging—the rule action determines when and how you can log details about matching traffic.
Allow Action: Allowing and Inspecting Traffic
 The Allow action allows matching traffic to pass. When you allow traffic,
you can use an associated intrusion or file policy (or both) to further
inspect and block unencrypted or decrypted network traffic.
Trust Action: Passing Traffic Without Inspection
 The Trust action allows traffic to pass without further inspection of any
kind.
 You can log trusted network traffic at both the beginning and end of
connections.
Monitor Action: Postponing Action and Ensuring Logging
 The Monitor action does not affect traffic flow; matching traffic is neither
immediately permitted nor denied. Rather, traffic is matched against
additional rules to determine whether to permit or deny it.
 The first non-Monitor rule matched determines traffic flow and any further
inspection. If there are no additional matching rules, the system uses the
default action.
 Because the primary purpose of Monitor rules is to track network traffic,
the system automatically logs end-of connection events for monitored
traffic. That is, connections are logged even if the traffic matches no other
rules and you do not enable logging on the default action.
Blocking Actions: Blocking Traffic Without Inspection
 The Block and Block with reset actions deny traffic without further inspection of any kind. Block with reset rules also reset the connection.
Interactive Blocking Actions: Allowing Users to Bypass Website Blocks
 For unencrypted HTTP traffic, the Interactive Block and Interactive Block
with reset actions give users a chance to bypass a website block by clicking
through a customizable warning page, called an HTTP response page.
Interactive Block with reset rules also reset the connection.
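The rule evaluation the slides above describe (Mandatory section before Default, Monitor postponing the verdict while guaranteeing end-of-connection logging, the first non-Monitor match deciding, the default action otherwise), as an added Python example that is not Cisco's code; every zone, network, port and rule name in it is constructed.

```python
"""Added example (not Cisco's code): how an access control policy selects a
rule for a new connection, following the rule-ordering and action semantics
in the slides above. Mandatory rules are checked top-down, then Default rules;
a Monitor match never decides the verdict but forces end-of-connection logging;
the first non-Monitor match decides; if nothing matches, the default action
applies. Only zone, network and port constraints are modelled, and every zone,
address and rule name is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str                                   # Allow, Trust, Monitor, Block, Block with reset, Interactive Block
    src_zones: set = field(default_factory=set)   # empty = any
    dst_zones: set = field(default_factory=set)
    src_nets: list = field(default_factory=list)  # CIDR strings, empty = any
    dst_nets: list = field(default_factory=list)
    dst_ports: set = field(default_factory=set)   # (protocol, port) tuples, empty = any
    log_end: bool = False                         # "Log at End of Connection" ticked on the rule


@dataclass
class Connection:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def _in_nets(ip, nets):
    return not nets or any(ip_address(ip) in ip_network(n) for n in nets)


def rule_matches(rule, conn):
    """True when every non-empty constraint on the rule matches the connection."""
    return ((not rule.src_zones or conn.src_zone in rule.src_zones)
            and (not rule.dst_zones or conn.dst_zone in rule.dst_zones)
            and _in_nets(conn.src_ip, rule.src_nets)
            and _in_nets(conn.dst_ip, rule.dst_nets)
            and (not rule.dst_ports or (conn.proto, conn.dst_port) in rule.dst_ports))


def evaluate(mandatory, default_rules, default_action, conn):
    """Return (deciding rule name or 'default', action, log_end, monitor_hits)."""
    monitor_hits = []
    for rule in list(mandatory) + list(default_rules):  # Mandatory section first, then Default
        if not rule_matches(rule, conn):
            continue
        if rule.action == "Monitor":
            monitor_hits.append(rule.name)  # verdict postponed; keep matching further rules
            continue
        # Monitored traffic is always logged at end of connection, whatever the deciding rule says
        return rule.name, rule.action, rule.log_end or bool(monitor_hits), monitor_hits
    return "default", default_action, bool(monitor_hits), monitor_hits


# Constructed policy, modelled on the "Allow MS SQL from inside to outside" use case.
MANDATORY = [
    Rule("monitor-dmz-web", "Monitor", dst_zones={"dmz"}, dst_ports={("tcp", 443)}),
    Rule("block-telnet", "Block with reset", dst_ports={("tcp", 23)}),
]
DEFAULT_RULES = [
    Rule("allow-mssql", "Allow", src_zones={"inside"}, dst_zones={"outside"},
         dst_ports={("tcp", 1433)}, log_end=True),
    Rule("trust-backup", "Trust", src_zones={"inside"}, dst_nets=["10.5.0.0/16"]),
]
DEFAULT_ACTION = "Block All Traffic"


def decide(conn):
    return evaluate(MANDATORY, DEFAULT_RULES, DEFAULT_ACTION, conn)


if __name__ == "__main__":
    samples = [
        Connection("inside", "outside", "10.1.1.5", "203.0.113.5", "tcp", 1433),
        Connection("inside", "dmz", "10.1.1.5", "10.5.1.1", "tcp", 443),
        Connection("outside", "dmz", "198.51.100.7", "192.0.2.10", "tcp", 443),
        Connection("inside", "dmz", "10.1.1.5", "192.0.2.10", "tcp", 23),
        Connection("inside", "outside", "10.1.1.5", "203.0.113.5", "tcp", 22),
    ]
    for c in samples:
        print(f"{c.src_zone}->{c.dst_zone} {c.dst_ip}:{c.dst_port}", decide(c))
```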
Access Control Policy Use Case #1 – Action
Allow MS SQL from inside to outside
[Screenshot callouts on the Action list: “Rules below are still processed”; “Displays block page over HTTP”]
Access Control Policy Use Case #1 – Action
Allow MS SQL from inside to outside
[Screenshot callout: “Determines if rule can be overridden by child policy”]
Access Control Policy Use Case #1 – Applications
Allow MS SQL from inside to outside
Access Control Policy Use Case #1 – Logging Tab
Allow MS SQL from inside to outside
[Screenshot callout: Logging will increase the number of events the FMC must handle. Be sure to consider your logging requirements when sizing your FMC.]
Access Control Policy Use Case #2 – Introduction
Requirements:
• Add a mandatory rule in the Default Intrusion Prevention access control policy
that will use the Block Malware file policy and the Initial Inline Policy -
firepower3D.gkapac.local intrusion policy.
• Policies we’ll need to create:
 Intrusion Policy:
Initial Inline Policy - firepower3D.gkapac.local
 Malware & File Policy:
Block Malware
Access Control Policy Use Case #2 – Introduction
Logging Tab
In the Logging tab, enable Log at Beginning of Connection and Log at End of Connection.
Associating a file policy with the rule automatically enables the Log Files check box. Leave the
Log Files box checked. Leave the default of sending the events to the Event Viewer.
URL Filtering – Minimize your exposure to web-based threats
Block specific URLs: Restrict access to specific sites and subsites
Restrict categories of URLs (e.g. Gambling, Social Media, Health, Gaming, Drug Use; Allowed / Restricted): Filter out over 280 million URLs based on any of the 80+ categories into which they are grouped; new URLs are added daily
Change policies easily: Use the refined user interface to make additions or changes with just a few clicks
URL Filtering (cont.)
• Filter based on Category and/or Reputation, or via a specific URL (an object manually created, a list of URLs, or an automatically updated list of URLs).
Note: To use category and/or reputation requires URL License.
URL Filtering (cont.)
• Select a category and then optionally choose a reputation.
• Notice how any reputation score equal to or higher is also selected.
• Uses Cisco Security Intelligence to define what URLs match these categories and reputations.
URL Object
• A URL object defines a single URL or IP address
• Performs a simple substring match
• Disregards the protocol (HTTP/HTTPS)
URL List and Feed
• A URL list is a text file of specific URLs
• A URL feed is a continuously updated list of URLs
Network Discovery Customization
• By default Network Discovery examines ALL traffic traversing the FTD (i.e. 0.0.0.0/0 and ANY zone.)
• Create a new network discovery rule or modify the default to meet your needs.
• Can create exclusion rules to single out exceptions.
Network Discovery Results
Host Profile of Discovered Host
Network File Trajectory Use Case
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
1. An unknown file is present on IP: 10.4.10.183, having been downloaded from Firefox.
2. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP: 10.5.11.8.
3. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
4. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
5. The Cisco Talos Intelligence has learned this file is malicious and a retrospective event is raised for all four devices immediately.
6. At the same time, a device with the AMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
7. 8 hours after the first attack, the Malware tries to re-enter the system through the original point of entry but is recognized and blocked.
Application Detection Overview
• When the Firepower System analyzes IP traffic, it attempts to identify the
commonly used applications on your network. Application awareness is
crucial to performing application-based access control.
• There are two sources of application detectors in the Firepower System:
 System-provided detectors detect web applications, clients, and
application protocols.
The availability of system-provided detectors for applications (and operating
systems) depends on the version of the Firepower System and the version of
the VDB you have installed. Release notes and advisories contain information on
new and updated detectors. You can also import individual detectors authored
by Professional Services. For a complete list of detected applications, see the
Support site.
 Custom application protocol detectors are user-created and detect
web applications, clients, and application protocols.
Custom Application Detector
Custom application detectors are pattern-based, detecting patterns in packets from client, web application, or
application protocol traffic. You can activate and deactivate application detectors according to the needs of your
organization.
SSL Policies
• Controls how and what encrypted traffic is inspected and decrypted
• Simple policy blocks all encrypted traffic that uses a self-signed certificate.
• Actions are:
a) Decrypt – Resign: Used for SSL decryption of public services (Google, Facebook, etc.)
b) Decrypt – Known Key: Used when you have the certificate’s private key
c) Do not decrypt
d) Block
e) Block with reset
f) Monitor
• Many actions can be taken on encrypted traffic without decryption by inspecting the
certificate, DN, cert status, cipher suite, and version (all supported by FTD).
Noob Guide to SSL Encryption for HTTPS
1. Computers agree on how to encrypt.
a) Client’s browser attempts to connect to SSL port on server. It sends a preferred Key, Cipher, Hash (AKA Cipher Suite) and SSL version to server. (Client also sends a random number that will be used to create a master secret code.)
b) Server responds with what Cipher Suite and SSL version it can do.
2. Client’s browser requests web server identity.
3. Server sends certificate to the client.
4. Browser checks whether SSL Certificate is trustworthy.
a) Is certificate self-signed or signed via certificate authority that the client computer trusts.
5. Browser sends a “Start Encrypting” message to server. (Note: This is the last unencrypted transmission.)
6. Server sends back “Start Encrypting”, digitally signed ACK, to start session.
7. Encrypted data is shared.
Basic 4 Use Cases for SSL
1. Known Key
a) Install server’s private key into NGFW.
b) NGFW will then decrypt, inspect, and re-encrypt with server’s key.
2. Unknown Key
a) Install trust of NGFW as CA in workstations.
b) Create NGFW key.
c) Decrypt SSL, inspect, and then re-encrypt with NGFW’s key.
3. Don’t Decrypt
a) Acknowledge SSL use but just pass through (supposedly).
4. Block
Create SSL Policy
Create SSL Rule
[Screenshot callouts on the rule action list: “For public servers (you don’t control)”; “For servers you control”]
Assign SSL Policy to ACP
DNS Inspection
 Security Intelligence support for domains
 Addresses challenges with fast-flux domains
 Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
 Indications of Compromise extended with DNS Security Intelligence
 Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
 New Dashboard widget for URL/DNS SI
DNS List Action
[Figure: DNS Inspection – Domain Not Found. NGFW Policy (can configure: Lists/Feeds/Global lists); Action: DNS NXDOMAIN; generates SI events; Local DNS Server shown between the endpoint and the NGFW]
[Figure: DNS Inspection – DNS Sinkhole. NGFW Policy with DNS SI: C&C servers; Action: DNS Sinkhole; generates SI events & IOCs; the Endpoint (10.15.0.21) receives the sinkhole IP and its connection to the Sinkhole IP is marked with an X]
Rate Limiting
• Streamline bandwidth usage by applications, users, networks, etc.
• Enforce internet usage policy
• Internet edge, campus edge
What you can do:
• “Keep Netflix from using more than X Mbps on my network”
• “Restrict YouTube traffic to be Y% of my interface capacity”
Rate Limiting
• Policies configured on interfaces
• Match criteria can be:
• Source Zone, Networks, Geo (only routed mode zones)
• Destination Zone, Networks, Geo (only routed mode zones)
• Users/Groups
• Application
• URL
• Ports
• SGT/ISE Parameters
• Upload/Download
• The limits can be expressed in terms of actual rate or percentage of overall interface bandwidth
• Policing abilities only
[Figure: Lina hands forwarded packets to the Snort engine, Snort returns them with a QoS rule ID, Lina applies the QoS rule, and the flow termination event carries QoS statistics]
QoS Policy
 QoS policies deployed to managed devices govern rate limiting.
 Each QoS policy can target multiple devices; each device can have one
deployed QoS policy at a time.
 The system rate limits traffic according to the first rule where all rule
conditions match the traffic. Traffic that does not match any of the rules is
not rate limited.
 You must constrain QoS rules by source or destination (routed) interfaces.
 QoS rules can also rate limit traffic by other network characteristics, as well
as contextual information such as application, URL, and user identity.
 You can rate limit download and upload traffic independently. The system
determines download and upload directions based on the connection
initiator.
Create QoS Policy
1. Devices > QoS
2. Click New Policy
3. Give Name
4. Assign FTDs
5. Save
Create QoS Rule for Rate Limiting
 A new QoS policy with no rules performs no rate limiting.
Create QoS Rule for Rate Limiting(cont.)
What is SafeSearch/YouTube EDU?
• SafeSearch is an “app” that certain search engines provide that will filter out inappropriate content
from search results.
• SafeSearch can be manually turned on within google.com. (Per browser, per device, per user).
• It could then also be turned off by the end user.
SafeSearch and Youtube.edu enforcement
• Filter inappropriate content from search results
• Critical for enabling education customers to adhere to the
• Internet edge
What You Can Do:
• “Keep people from searching adult sites”
• “Make sure students stay on approved YouTube channels”
SafeSearch and Youtube.edu Enforcement
• YouTube EDU allows institutes to access educational content, while restricting non-educational content
• Customers need to have a YouTube EDU account for this feature to work.
• Safe Search will provide content filtering for objectionable content in business, education, Government etc.
• SSL policies must be configured for both features to work
• YouTube EDU and Safe Search can be enabled when creating an access rule.
Configure ACP Rule for SafeSearch
1. In an ACP Rule, on the Applications tab, click the SafeSearch link.
2. Enable Safe Search.
3. Choose what to do about search engines that don’t support Safe Search.
4. Build remaining criteria for ACP rule to match traffic you want.
Supported Search Engines for SafeSearch
Warning that it is a 2-step process
Configure SSL Policy Rule for SafeSearch
1. Create SSL Policy Rule.
2. On the Applications tab search for and select “search engine” category.
3. Rule’s action must be “Decrypt – Resign”.
Associate SSL Policy to ACP
SafeSearch Permanently Enabled
[Screenshot callout: Even if the user tries to disable SafeSearch, the page will reload and SafeSearch will remain “on”.]
User-based Indications of Compromise
This feature allows you to generate user-based IOCs from intrusion events, or view the associations of users and IOCs. You can also enable and disable the events of a given IOC per user (against false positives). With this feature, you can correlate IOCs and events to both hosts and users, plus gain more visibility and alerting options on a per-user basis.
Packet Tracer and Capture
The Packet Tracer and Capture offers the ability to show all the processing steps that a
packet takes, the outcomes, and whether the traffic is blocked or allowed. This allows
users to initiate and display output of tracing from the Firepower Management Center.
The tracing information includes information from SNORT and preprocessors about
verdicts and action taken while processing a packet.
URL Lookups
• This feature allows you to perform a bulk lookup of URLs (up to 250 URLs at a time) to
obtain information, such as reputation, category, and matching policy. You can also
export the results as a file of comma-separated values.
• The feature reduces the manual work necessary to determine if your organization is
protected against a malicious URL or if you should add a custom rule for a specific IOC.
You can use this feature to reduce the number of custom rules, which in turn reduces
the chance of performance degradation due to extensive custom rule lists.
Lookup features – Geolocation & WHOIS
REST API
• Good for regular/mass repetitive changes (PUT or POST or DELETE)
• Great for regularly retrieving JSON formatted information (GET)
• Use to update 3rd party and/or in-house external monitoring tools
• A username can only uniquely log into FMC via HTTPS once. If that username attempts to log in a 2nd time their 1st connection will be logged out.
• Creation of a special “API User” might be best to avoid HTTPS access collisions since API calls and web page calls are treated the same.
• Firepower Version 6.2.X allows REST clients to create and configure interfaces for Firepower Threat Defense devices via the Firepower Management Center REST API. This feature enables the Firepower Management Center to interact with various Cisco products and services, as well as those from third-party vendors.
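An added Python client for the token handshake that the API Explorer documents (not Cisco's code): it logs in as a dedicated API user, keeps the returned access token and domain UUID, and lists the managed devices. The generatetoken endpoint and the X-auth-access-token / X-auth-refresh-token / DOMAIN_UUID header names are those published for the FMC REST API; the FMC host, credentials, UUID, token values and the offline stand-in that answers the requests are constructed.

```python
"""Added example (not Cisco's code): a minimal FMC REST client that performs the
token handshake the API Explorer documents. POST /api/fmc_platform/v1/auth/generatetoken
with HTTP Basic credentials answers 204 with X-auth-access-token, X-auth-refresh-token
and DOMAIN_UUID as response headers; every later call presents X-auth-access-token.
It is written for a dedicated API user, since an interactive HTTPS login by the same
account would end this session. The FMC host, credentials, UUID, token values and the
device record returned by the offline stand-in are all constructed.
"""
import base64
import json
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"


class FmcClient:
    def __init__(self, host, username, password, opener=None, cafile=None):
        self.base = f"https://{host}"
        self.basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.cafile = cafile  # FMC certificate (or its CA) to verify against; None = system trust store
        self.opener = opener or self._urllib_opener  # opener(Request) -> (status, headers, body)
        self.token = self.refresh_token = self.domain_uuid = None

    def _urllib_opener(self, req):
        ctx = ssl.create_default_context(cafile=self.cafile)  # certificate verification stays on
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()

    def login(self):
        req = urllib.request.Request(self.base + TOKEN_PATH, method="POST",
                                     headers={"Authorization": "Basic " + self.basic})
        status, headers, _ = self.opener(req)
        if status != 204:
            raise RuntimeError(f"generatetoken failed: HTTP {status}")
        hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        self.token = hdr["x-auth-access-token"]
        self.refresh_token = hdr["x-auth-refresh-token"]
        self.domain_uuid = hdr["domain_uuid"]
        return self.domain_uuid

    def get(self, path):
        req = urllib.request.Request(self.base + path, headers={
            "X-auth-access-token": self.token or "", "Accept": "application/json"})
        status, _, body = self.opener(req)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return json.loads(body)

    def list_devices(self):
        """Names and management addresses of the FTDs this FMC manages."""
        data = self.get(f"/api/fmc_config/v1/domain/{self.domain_uuid}"
                        "/devices/devicerecords?expanded=true")
        return [(d["name"], d.get("hostName")) for d in data.get("items", [])]


# Constructed stand-in for an FMC so the client can be exercised offline.
FAKE_DOMAIN = "11111111-2222-3333-4444-555555555555"  # constructed domain UUID
FAKE_TOKEN = "constructed-access-token"


def fake_fmc(req):
    if req.get_method() == "POST" and req.full_url.endswith(TOKEN_PATH):
        if not req.get_header("Authorization", "").startswith("Basic "):
            return 401, {}, b""
        return 204, {"X-auth-access-token": FAKE_TOKEN,
                     "X-auth-refresh-token": "constructed-refresh-token",
                     "DOMAIN_UUID": FAKE_DOMAIN}, b""
    if req.get_header("X-auth-access-token") != FAKE_TOKEN:
        return 401, {}, b""  # stale or missing token, e.g. after the same user logged in elsewhere
    if req.full_url.endswith(f"/domain/{FAKE_DOMAIN}/devices/devicerecords?expanded=true"):
        body = {"items": [{"name": "ftd-edge-1", "hostName": "10.0.0.10"}]}
        return 200, {}, json.dumps(body).encode()
    return 404, {}, b""


if __name__ == "__main__":
    client = FmcClient("fmc.example.test", "apiuser", "not-a-real-password", opener=fake_fmc)
    print("domain", client.login())
    print("devices", client.list_devices())
```

Against a real FMC, drop the `opener` argument and pass the exported FMC certificate as `cafile`.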
API Explorer
https://<fmc IP>/api/api-explorer
API Explorer (cont.)
Cisco Threat Intelligence Director
• New feature introduced in 6.2.X version.
• Cisco Threat Intelligence Director (TID) operationalizes threat intelligence data, helping
you aggregate intelligence data, configure defensive actions, and analyze threats in your
environment.
• To enable this new feature, a minimum of 15GB RAM for FMC is mandatory
• By default Threat Intelligence Director is enabled.
• Steps to configure the Intelligence feature in FMC:
a. Indicators are being processed into the TID database.
b. Observables are being published.
c. Observations are correlated.
d. Incidents are being detected.
Data Flow of Threat Intelligence Director
Benefits of Threat Intelligence Director
• Ingest threat intelligence using open industry standard interfaces.
• Stream indicators of compromise to Cisco security sensors to automatically block or monitor suspicious activity.
• Correlate observations from network sensors and send alerts on incidents.
• Improve your security posture based on enhanced security intelligence.
VPN
• A virtual private network (VPN) connection establishes a secure tunnel
between endpoints over a public network such as the Internet.
• Tunneling makes it possible to use a public TCP/IP network, such as the
Internet, to create secure connections between remote users and private
corporate networks. Each secure connection is called a tunnel.
• To implement VPNs, a VPN gateway is necessary: it could be a router, a
firewall, or a Cisco Adaptive Security Appliance (ASA).
• VPN Types
-Site to Site
-Remote Access
VPN Functions
A VPN carries private traffic over a public network using advanced encryption and tunnels
to protect:
1. Confidentiality (encryption) – The sender can encrypt the packets before transmitting
them across a network. By doing so, no one can access the communication without permission.
If intercepted, the communications cannot be read.
2. Data integrity – The receiver can verify that the data was transmitted through the
Internet without being altered.
3. Origin authentication – The receiver can authenticate the source of the packet,
guaranteeing and certifying the source of the information.
Integrated NGFW RA VPN
Key features delivered with 6.2.1
• Next generation security
• Basic AAA
• LDAP/AD, client certificate, RADIUS attributes, DACLs, Time ranges
• AnyConnect client
• Proxy/DNS/WINS server assignment
• Simple configuration
• Session monitoring and control
Diagram: remote users reach the private network through the ISP/Internet edge, where an FP2100 pair in HA terminates the RA VPN (the FP 2100 can be positioned at the edge).
RA VPN Capabilities – Slide 1 of 2
RA VPN Capabilities – Slide 2 of 2
RA VPN FMC Configuration Wizard
RA VPN Identity Integration and Monitoring
• Dashboard widgets show VPN usage by user
• User Activity event page gives details of logon and logoff events
• Active Sessions page shows status of active sessions
• Administrator may monitor and terminate specific sessions
Site to Site VPN
• A Site-to-Site VPN connects networks in different geographic locations.
• Can create site-to-site IPsec connections between managed devices, and between managed devices and other Cisco or third-party peers that comply with all relevant standards.
• Site-to-site tunnels are built using the Internet Protocol Security (IPsec) protocol suite and IKEv1 or IKEv2.
• Internal hosts have no knowledge that a VPN exists.
• The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all traffic from a particular site.
Site-to-Site VPN (cont.)
S2S Tunnel between devices
• Table stakes for a truly competitive firewall offering
• IKEv1 and IKEv2 are supported
• Only Pre-Shared keys are supported (limitation for federal and financial customers)
• Both static and dynamic tunnel types are supported
• FTD to FTD and FTD to ASA
• Monitoring: Events for tunnel status and when the tunnel is down. For other statistics the unified CLI is to be used
What You Can Do:
• Connect branch offices/campuses using a secure tunnel
Site to Site VPN (cont.)
Secure Connection with Branch Office
• Simplified IPsec Wizard for Site to Site VPN Configuration
• Advanced Application level inspection can be enabled on VPN traffic of Partner and Vendor Network.
• Prefilter policy to bypass Advance inspection and improve performance.
• Authentication supports both Pre-Shared Key and PKI.
• Branch Office Deployment to secure connection with Head Office.
• Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting.
Diagram: branch office FRP2100 failover pair connected by an IPsec VPN across the ISP through the edge router.
Site to Site VPN deployment topology on FMC (off-box)
Diagram: supported topologies are Point-to-Point, Hub and Spoke, and Full Mesh; each endpoint can be an FTD, a router (as hub), or a third-party device.
FTD – VPN Packet Processing
• IPsec traffic enters LINA first
• Decrypted packet punted to snort (if no pre-filter policy present)
• "no sysopt connection permit-vpn" is pushed to the FTD device. We would need to write an access rule to permit all the VPN traffic
Site to Site VPN deployment on FMC
• Devices > VPN > Site To Site
• Add VPN > Firepower Threat Defense Device
• Topology Name, Type of Topology, IKEv1 or IKEv2, Tunnel Endpoints
• Defining IKE policy: IKEv1 policy configuration, IKEv2 policy configuration
• IPsec Policy: Crypto Map Type, Transform-set configuration
• Configuring additional features such as IKE keepalives, IKEv2 cookie challenge, Max SAs etc.
FirePOWER Management Center
Single console for event, policy, and configuration management
Connection Events
Connection events contain data about the detected sessions. The information available for any individual connection
event depends on several factors, but in general includes:
• Basic connection properties: timestamp, source and destination IP address, ingress and egress zones, the device
that handled the connection, and so on
• Additional connection properties discovered or inferred by the system: applications, requested URLs, or users
associated with the connection, and so on
• Metadata about why the connection was logged: which configuration handled the traffic, whether the
connection was allowed or blocked, details about encrypted and decrypted connections, and so on
Intelligence
User Identification
User identification uses two distinct mechanisms
1. Network discovery
• Understands AIM, IMAP, LDAP, Oracle, POP3 and SIP
• Will only provide limited information when deployed at the Internet edge
2. Sourcefire User Agent (SFUA)
• Installed on a Windows Platform
• Windows server does not have to be a domain member
• Communicates with the AD using WMI – starts on port 136 then switches
to random TCP ports
• Communicates with FMC through a persistent connection to TCP port
3306 on the FMC
• Endpoints must be domain members
• Well-suited for Internet edge firewalls
Note: This solution does not use the Cisco Context Directory Agent (CDA)
Indication of Compromise (IoCs)
Impact Assessment
Enforce consistent policies in branch offices
Cisco Defense Orchestrator
• Security Policy Management
• Simple Search-Based Management
• Device Onboarding: Import From Offline, Discover Direct From Device
• Object & Policy Analysis
• Application, URL, Malware & Threat Policy Management
• Change Impact Modeling
• Security Templates
• Notifications
• Reports
Simplify security policy management in the cloud with Cisco Defense Orchestrator:
• Plan and model security policy changes before deploying them across the cloud
• Deploy changes across virtual environments in real time or offline
• Receive notifications about any unplanned changes to security policies and objects
Ensure compliance before granting access
Identity Services Engine (ISE)
ISE, pxGrid and TrustSec
Diagram: ISE assigns TrustSec tags (BYOD, Employee, Guest, Supplier, Quarantine, Server, Suspicious; Guest Access) and propagates segmentation to the Firepower Management Center via pxGrid.
Propagate:
• User Context
• Device context
• Access policies
Policy automation: Set access control policies, Propagate rules and context, Establish a secure network, Remediate breaches automatically
ISE Integration
• pxGrid feed to retrieve from ISE:
• AD Username (Group lookup via AD Realm)
• Device type profile & location
• TrustSec Security Group Tag (SGT)
• Ability to exert control based on the above in rules, e.g. block HR users from using personal iPads
• Reduces ACL size and complexity
Build on your solution with an open platform
REST APIs and Third-party integration
Custom functionality (Firepower Management Center APIs, API Explorer):
• Authentication tokens
• Access control
• Virtual switch
Third-party solutions:
• Radware DDoS
• VDI identity
• VPN capabilities
Augment functionality with third party solutions. Integrate custom-built features.
Prevent network and application downtime
Firepower DDoS Mitigation
Currently available on the Firepower 9300 and 4100 series appliances. Coming soon
to the Firepower 2100 series.
Diagram: flood traffic (SYN flood attacks, DDoS attacks, nonstandard packet attacks) is diverted to the cloud scrubber while legitimate traffic reaches the network and applications.
• Maintain up to 42 Gbps total mitigation capacity
• Handle 627,000 connections per second
• Block 5,400,000 packets of flood traffic per second
Stop attacks within seconds of detection. Block or allow traffic automatically.
Identify threats hidden by desktop virtualization
Virtual Desktop Infrastructure (VDI) Identity
Diagram: users on a VDI host (User 1, User 2, User 3) share IP addresses; the Terminal Services Agent maps users to IPs and reports them to the Firepower Management Center through APIs.
Route user information to Terminal Services. Capture information using APIs. Identify risky behavior.
See web attacks before they reach the network
Cisco Umbrella
• 85 million daily active users
• 100 billion daily DNS requests
• 160+ countries
Cutting-edge approach: Graph theory, Machine learning, Artificial intelligence, 3D Visualization
Experienced teams: Data scientists, Engineers, Mathematicians, Security researchers
Get intelligence from a large database. See more threats with industry-leading research.
Extend security to remote users and branches
Remote and site-to-site VPN
• AnyConnect
• IKEv2 support
• Third-party VPN
Extend access remotely. Protect important data. Maintain application performance. Support multiple sites.
Integrate third-party security intelligence
Cisco Intelligence Manager
Third-party sources: Crowdstrike, Flashpoint, Soltra Edge, EclecticIQ, Lookingglass
Cisco sources: Talos, ThreatGRID
Ingests: STIX, CSV files
Communicates with Cisco Appliances: NGFW, ESA, WSA
Analytics Elements: Threat Intelligence Platforms (TIPs), SIEM, IR management, Case management
Analyze security intelligence. Correlate observations. Generate rich incident reports. Refine security posture.
Dashboards
• The FirePOWER System dashboard provides
you with at-a-glance views of current system
status, including data about the events
collected and generated by the system.
• You can also use the dashboard to see
information about the status and overall
health of the appliances in your deployment.
Only certain user roles (Administrator,
Maintenance User, Security Analyst, Security
Analyst [Read Only], and custom roles with
the Dashboards permission) have access to
the dashboard.
• Other roles see as their default start pages a
page relevant to the role; for example, a
Discovery Admin sees the Network Discovery
page.
Dashboards (cont.)
Reporting Overview - Introduction
• The Firepower System provides a flexible reporting system that allows you to
quickly and easily generate multi-section reports with the event views or
dashboards that appear on your Firepower Management Center.
• You can also design your own custom reports from scratch.
• A report is a document file formatted in PDF, HTML, or CSV with the content
you want to communicate.
Report Templates
• You use report templates to define the content and format of the data in each of the report’s
sections, as well as the document attributes of the report file (cover page, table of contents,
and page headers and footers).
• After you generate a report, the template stays available for reuse until you delete it.
• Your reports contain one or more information sections. You choose the format (text, table, or
chart) for each section individually. The format you select for a section may constrain the data
that can be included.
• For example, you cannot show time-based information in certain tables using a pie chart
format. You can change the data criteria or format of a section at any time to obtain optimum
presentation.
Report Templates of the FirePOWER Management center
Report Template Creation
• A report template is a framework of sections, each independently built from its own database
query.
• You can build a new report template by creating a new template, using an existing template, basing
a template off an event view, or importing a dashboard or workflow.
• If you do not want to copy an existing report template, you can create an entirely new template.
The first step in creating a template is to generate the framework that allows you to add and
format the sections. Then, in the order you prefer, you design the individual template sections and
set attributes for the report document.
• Each template section consists of a dataset generated by a search or filter, and has a format
specification (table, pie chart, and so on) that determines the mode of presentation.
• You further determine section content by selecting the fields in the data records you want to
include in the output, as well as the time frame and number of records to show.
Report Template creation
Creating a Custom Report Template
• Click Create Report Template.
• Optionally, enter a name for your new template in the Report Title field, and click Save.
• To add an input parameter to the report title, place your cursor in the title where the
parameter value should appear, then click the insert input parameter icon ().
• Use the set of add icons under the Report Sections title bar to insert sections as
necessary.
• Click Save.
Creating a Custom Report Template(cont.)
Click Advanced to set attributes for PDF and HTML reports.
Creating a Report Template by Importing a Dashboard or
Workflow
• Click the import sections icon.
• Choose a dashboard, workflow, or summary from the drop-down menus.
• Click Import.
Report Template Configuration
• You can modify and customize a report template once you create it. You can modify a
variety of report section attributes to adjust the content of the section and its data
presentation.
Report Template section
Reports are divided into sections. Report sections can be comprised of the following types:
• Line chart
• Pie chart
• Bar chart
• Table view
• Detail view
• Text section
• Page break
• Sections imported from dashboards and workflows
Report Designer
Input Parameters
• You can use input parameters in a report template that the report can dynamically
update at generation time.
• There are two kinds of input parameters:
 Predefined input parameters are resolved by internal system functions or
configuration information. For example, at report generation time, the system
replaces the $<Time> parameter with the current date and time.
 User-defined input parameters supply constraints in section searches.
Constraining a search with an input parameter instructs the system to collect a
value at generation time from the person who requests the report.
Pre Defined Input Parameters
Insert this parameter... ...to include this information in your template:
• $<Logo> – The selected uploaded logo
• $<Report Title> – The report title
• $<Time> – The date and time of day the report ran, with one-second granularity
• $<Month> – The current month
• $<Year> – The current year
• $<System Name> – The name of the Firepower Management Center
• $<Model Number> – The model number of the Firepower Management Center
• $<Time Window> – The time window currently applied to the report section
• $<Constraints> – The search constraints currently applied to the report section
Creating User-Defined Input Parameters
Flexible Reporting
Edit section of the Report templates
Generating Reports Using Templates
• After you create and customize your report template, you are ready to generate the report itself. The
generation process lets you select the report’s format (HTML, PDF, or CSV). You can also adjust the report’s
global time window, which applies a consistent time frame to all sections except those you exempt.
• File names using Unicode (UTF-8) characters are not supported in PDF reports. If you generate a report in
PDF format, any report sections that include special Unicode file names (such as those appearing in file or
malware events) display these file names in transliterated form.
• If the report template includes user input parameters in its search specification, the generation process
prompts you to enter values, which tailor this run of the report to a subset of the data.
• If you have a DNS server configured and IP address resolution enabled, reports contain host names if
resolution was successful.
• In a multidomain deployment, when you generate a report in an ancestor domain, it can include results from
all descendant domains. To generate a report for a specific leaf domain, switch to that domain.
Creating an advanced malware risk report
The following report templates generate the Advanced Malware Risk report in detailed view:
• Advanced Malware Risk Report
• Attacks Risk Report
• Network Risk Report
Generating Reports From Report Template
• The report generation process lets you select the report’s format – PDF, HTML or CSV
• You can adjust the report's global time window – a consistent time window applied to all
sections, except those exempted.
• The generated reports are made available under the Reports tab.
• The Reports tab lists all previously generated reports.
Global Time Windows and Report Template Sections
• Report templates with time-based data (such as intrusion or discovery
events) have a global time window, which the time-based sections in the
template inherit by default when created.
• Changing the global time window changes the local time window for the
sections that are configured to inherit the global time window. You can
disable time window inheritance for an individual section by clearing
its Inherit Time Window check box. You can then edit the local time window.
Formatting Sections
Allows customization of the look and feel of reports.
Previewing a Report Template Section
The preview function shows the field layout and sort order for table views and important
legibility characteristics of graphics, such as pie chart colors, bar graphs, etc.
Click the preview button at the corner of each report section to view the graphical
representation of the report.
Summary
 NGFW - The Cisco Firepower™ Next-Generation Firewall (NGFW) is the industry’s first fully integrated,
threat-focused NGFW. It delivers comprehensive, unified policy management of firewall functions,
application control, threat prevention, and advanced malware protection from the network to the
endpoint.
 Firepower Threat Defense - Cisco Firepower Threat Defense (FTD) is a unified software image, which
includes the Cisco ASA features and FirePOWER Services. This unified software is capable of offering
the function of ASA and FirePOWER in one platform, both in terms of hardware and software
features.
 FMC - It provides complete and unified management over firewalls, application control, intrusion
prevention, URL filtering, and advanced malware protection.
Thank you
