Cisco NGFW value proposition: stop more threats, gain more insight, detect earlier and act faster, reduce complexity, get more from your network.
Platform components: network firewall, routing and switching, application visibility and control (AVC), built-in network profiling, identity-based policy control and VPN, and the industry-leading FirePOWER next-generation IPS (NGIPS).
Customer challenges:
• Prevention: they aren’t confident in their ability to prevent the next big breach.
• Visibility: they lack the visibility needed to see and stop threats quickly.
• Resources: they have limited budgets, staff and time, and can’t keep up with the constant attacks and threat alerts. More tools mean more complexity.
Are you prepared for the next big breach or ransomware infection?
Cisco NGFWs have a good track record.
Stop more threats across the entire attack continuum
• Before: discover threats and enforce security policies
• During: detect, block, and defend against attacks
• After: remediate breaches and prevent future attacks
Advanced Malware Threat Detection Across the Network
Can your firewall continuously analyze files in your system to catch stealthy threats that evaded front-line defenses?
[Diagram: a typical IPS sees only malware and command-and-control traffic; the NGFW also profiles operating systems, file transfers, servers, mobile devices, routers and switches, users, application protocols, web applications, printers and VoIP phones.]
Retrospective capabilities (timeline from initial infection in January to later detection in April):
• Automated attack correlation
• Indications of compromise
• Malware infection tracking
• Two-click containment
• Malware analysis
Can your firewall talk to the rest of your security tools to find threats faster?
Can your firewall automate security to save you time?
Uncover hidden threats at the edge
[Diagram: the SSL decryption engine feeds decrypted traffic to NGIPS and AVC, which make the enforcement decisions; URL filtering blocks categories such as gambling and illicit sites among otherwise allowed web requests.]
Advanced Malware Protection (AMP): File Reputation and File & Device Trajectory, shared between AMP for Endpoint and AMP for Network (endpoint log and network log).
Block known malware | Investigate files safely | Detect new threats | Respond to alerts
Provide next-generation visibility into app usage
Application Visibility & Control: Cisco database of 4,000+ applications and 180,000+ micro-applications, extended with OpenAppID detectors, applied to network and user traffic.
See and understand risks | Enforce granular access control | Prioritize traffic and limit rates | Create detectors for custom apps
Block or allow access to URLs and domains
Web controls: the Cisco URL Database plus security feeds (URL | IP | DNS) drive NGFW filtering and Safe Search; categories such as gambling can be allowed or blocked.
Classify 280M+ URLs | Filter sites using 80+ categories | Manage “allow/block” lists easily | Block latest malicious URLs
Extend AVC to proprietary and custom apps
OpenAppID (self-service, open-source)
Easily customize application detectors | Detect custom and proprietary apps | Share detectors with other users
Dashboard
Firepower System dashboards provide you with at-a-glance views of current system status,
including data about the events collected and generated by the system.
Get real-time protection against global threats
Talos: 1.5 million daily malware samples, 600 billion daily email messages, 250+ researchers, 24 x 7 x 365 operations, feeding endpoints, web, networks and NGIPS.
Identify advanced threats | Get specific intelligence | Catch stealthy threats | Stay protected with updates
Improve traffic control with new features
Additional Firewall Features
Legacy NGFWs can reduce the attack surface, but advanced malware often evades security controls.
Threat Landscape Demands More than Application Control
• 54% of breaches remain undiscovered for months
• 60% of data is stolen in hours
• 100% of companies connect to domains that host malicious files or services
It is a community that hides in plain sight, avoids detection and attacks swiftly.
Legacy NGFWs Lack Complete Visibility and Control
Access is tougher to manage | Visibility is more elusive | Threats are harder to stop
Business resiliency requires security, but…
• Ineffective security doesn’t stop malware
• Must overprovision to avoid performance problems
Other “next-generation” firewalls fix some problems but create new ones
[Diagram: threat handling before, during and after an attack: Acceptable Use, ACI Integration, Complex remote access, Rapid Threat Containment]
Secure your company’s internet edge
I want to… extend my trusted on-premises security to the cloud.
[Diagram: NGFW at the internet edge with DNS sinkhole, security feeds (URL | IP | DNS), AMP file inspection, AMP Threat Grid, dynamic and static NAT, high availability and high bandwidth; a DMZ; per-segment allow/block decisions for Finance, HR data, DevOps and an in-house app; Data Center Edge, Virtual Firewall and Cloud Data Center.]
Protect your local data center at the edge
I want to… stop risky web traffic, control application use, and allocate bandwidth.
Prepare | Secure | Define policies | Uncover threats | Respond | Remediate
[Diagram: data center edge NGFW with security feeds (URL | IP | DNS), AMP file inspection, AMP Threat Grid, high availability, high bandwidth, clustering, and support for north-south and east-west traffic; SSL decryption engine, AVC, NGIPS and TrustSec; user identity drives allow, partial block and block decisions for Finance, HR data, financial data, DevOps, the in-house app and additional custom applications; gambling traffic is blocked, other traffic is prioritized; firewall, network and application control define access.]
Extend secure access to other locations
I want to… stop threats from getting in by extending secure access to all users.
[Diagram: headquarters firewall fed by security feeds (URL | IP | DNS); branch WAN and internet firewall; remote users.]
Improve scalability and control with ACI
I want to… detect threats with NGIPS using ACI fabric visibility, and set policies with the integrated management tool.
Integrated management: Application Policy Infrastructure Controller (APIC) and Firepower Management Center; AVC and NGIPS; whitelist policies; segmentation; APIC APIs; multi-tenancy; TrustSec.
[Diagram: allow/block decisions enforced at the ACI spine]
[Chart: third-party test averages (score axis 82 to 100): NGIPS and Cisco NGFW (2010-2017), NGFW and BDS (2010-2017), BDS with Cisco AMP (2015-2017), evasions (Cisco all), against the test average.]
[Chart: Cisco 47%, Symantec (including Blue Coat) 24%, McAfee (formerly Intel Security) 20%]
Firepower Threat Defense (FTD) Software
Security Application Convergence: FTD unifies the ASA and FirePOWER feature sets in a single image.
ASA (L2-L4):
• L2-L4 stateful firewall
• Scalable CGNAT, ACL, routing
• Application inspection
FirePOWER:
• Threat-centric NGIPS
• AVC, URL filtering for NGFW
• Advanced Malware Protection
Feature areas: Firewall | URL | Visibility | Threats
Firepower Management Center (FMC)*
* Also manages Firepower Appliances and FirePOWER Services (not ASA Software)
[Diagram: packet path through the device: Ingress NIC → Kernel → Routing → NAT → Egress NIC, with a flow update along the way]
What features are available?
Everything from Firepower 6.1.0
New Features in Version 6.2.0: Migration Enablers
Migration Tool
REST API
Packet Tracer and Capture
New Features for Version 6.2.0: Platform/Integration
Firepower Threat Defense on Microsoft Azure
Firepower Threat Grid API Key Integration
ISE and SGT tags without Identity
TS Agent (VDI Identity Support)
New Features for Version 6.2.0: Firepower Threat Defense and Threat
Site-to-Site VPN
PKI Support for Firepower Management Center
User-based Indications of Compromise (IOCs)
URL Lookups
FlexConfig
New Features for Version 6.2.1
Remote Access VPN
Rate Limiting Enhancements
Automatic Application Bypass
New Features for Version 6.2.2
Cisco Threat Intelligence Director
Intelligent Application Bypass
Security Enhancements for Site to Site VPN
New Features for Version 6.2.3
SSL/TLS Decryption
Intrusion Rule Tuning
Web Applications and Malware Dashboard
Automatic Network Analysis Policy based on Intrusion Policy
FTD virtual (FTDv) on the kernel-based virtual machine (KVM) hypervisor: device configuration
Firepower Threat Defense REST API, and an API Explorer
Advantages of Firepower Threat Defense
[Diagram: one manager, Firepower Management Center, in place of separate CSM/ASDM (ASA) and FireSIGHT (FirePOWER) managers]
FTD CLI
3 “shells” that you can access:
• FTD shell (AKA CLISH) – prompt “>”
• Linux shell (AKA BASH)
• Non-root – prompt “$”
• Root – prompt “#”
• ASA Shell (AKA Lina CLI) – prompt “firepower>”
Cisco Virtual FTD and FMC
FTDv Deployment Scenario – Routed
• L3 NGFW gateway for servers on an ESXi host
• Configure 2 vSwitches: one with the external interface (Outside), one without (Inside)
• Servers (Virtual Server A, Virtual Server B) connect to the Inside vSwitch
• Port groups used for the Outside interface must have only 1 active uplink
[Diagram: ESXi host with Management, Outside and Inside networks, the FTDv, and Virtual Server A and B behind the Inside vSwitch]
• Firepower Management Center (FMC): centralized server for managing multiple devices.
• Firepower Device Manager (FDM): on-box manager for a single FTD device.
Firepower Management Center (FMC)
• Centralized manager that allows common configuration across several devices.
• Configure once, deploy to many.
• Doesn’t manage ASA software.
• Manages Firepower and FTD devices.
• Communicates with managed devices via TCP/8305 (the sftunnel channel).
• Can receive updates via “cloud” services, such as Cisco Talos.
• Offline updates are available too if direct Internet access is not allowed.
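The feature lists above mention the FMC REST API; the following is an added example (editor-supplied, not Cisco code) of the authentication flow it uses: a POST to /api/fmc_platform/v1/auth/generatetoken with HTTP basic credentials, after which the token and the domain UUID arrive as response headers, and a paged GET of /devices/devicerecords. The hostname fmc.example, the CA bundle path and the sample device payload are assumptions; the FMC’s certificate is verified against an explicit CA bundle rather than switching verification off.

```python
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Mapping

PLATFORM_API = "/api/fmc_platform/v1"
CONFIG_API = "/api/fmc_config/v1"


def tls_context(ca_bundle: str) -> ssl.SSLContext:
    """Verify the FMC's certificate against an explicit CA bundle. The box
    holds every policy you own, so never disable verification for it."""
    return ssl.create_default_context(cafile=ca_bundle)


def auth_request(base_url: str, username: str, password: str) -> urllib.request.Request:
    """POST with HTTP basic auth; the body is empty, the result is in headers."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + PLATFORM_API + "/auth/generatetoken",
        method="POST",
        headers={"Authorization": "Basic " + cred},
    )


def parse_auth_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Access token, refresh token and domain UUID come back as headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get("x-auth-access-token")
    domain = lowered.get("domain_uuid")
    if not token or not domain:
        raise ValueError("FMC did not return an access token and domain UUID")
    return {"token": token,
            "refresh": lowered.get("x-auth-refresh-token", ""),
            "domain_uuid": domain}


def device_records_url(base_url: str, domain_uuid: str, offset: int = 0, limit: int = 25) -> str:
    return (f"{base_url.rstrip('/')}{CONFIG_API}/domain/{domain_uuid}"
            f"/devices/devicerecords?expanded=true&offset={offset}&limit={limit}")


def summarize_devices(payload: Mapping) -> List[Dict[str, str]]:
    """Reduce one devicerecords page to name / host / software version."""
    return [{"name": d.get("name", ""), "host": d.get("hostName", ""),
             "version": d.get("sw_version", "")} for d in payload.get("items", [])]


def fetch_json(url: str, token: str, ctx: ssl.SSLContext) -> Dict:
    req = urllib.request.Request(
        url, headers={"X-auth-access-token": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def list_devices(base_url: str, username: str, password: str, ca_bundle: str,
                 limit: int = 25) -> List[Dict[str, str]]:
    ctx = tls_context(ca_bundle)
    with urllib.request.urlopen(auth_request(base_url, username, password),
                                context=ctx, timeout=30) as resp:
        auth = parse_auth_headers(dict(resp.headers))
    devices: List[Dict[str, str]] = []
    offset = 0
    while True:
        page = fetch_json(device_records_url(base_url, auth["domain_uuid"], offset, limit),
                          auth["token"], ctx)
        devices.extend(summarize_devices(page))
        total = page.get("paging", {}).get("count", 0)   # total records across pages
        offset += limit
        if offset >= total:
            return devices


if __name__ == "__main__":
    # Assumed values; fill in your own FMC, API account and CA bundle.
    for dev in list_devices("https://fmc.example", "api-user", "api-pass", "/etc/ssl/fmc-ca.pem"):
        print(dev)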
Firepower Management Center (FMC)
Easily manage NGFWs across multiple sites
Manage across many sites | Control access and set policies | Investigate incidents | Prioritize response
Centralize security administration and automation of multi-device deployments, with the same trusted functionality:
Unified insight: gain network-to-endpoint visibility, with deep insight into the network firewall, applications, and threats, all in one place
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover with remediation tools
Scalable management: utilize policy inheritance and centralized role-based management to easily expand
• Central, role-based management
• Multitenancy
• Policy inheritance
Intelligent automation: leverage intelligent rule recommendations, remediation APIs, and impact assessments to minimize management burden
• Impact assessment
• Rule recommendations
• Remediation APIs
Get more from your network through integrated defenses
Shared contextual awareness across integrated products: Radware DDoS, URL analysis, email, network threats, identity and NAC, DNS, firewall; reporting, software, services and devices.
[Table: visibility comparison, column headers lost in extraction: Malware – Yes / No / No; Command-and-control servers – Yes / No / No; Client applications – Yes / No / No; Printers – Yes / No / No]
Select a new FMC appliance that provides greater scalability
FMC Optimization
• Context Explorer has faster load times when there are a large number of events
NOTE: To add the Firepower Threat Defense sensor to the Management Center, a Smart License is required.
• Click on Evaluation Mode to enable smart licensing. Click Yes to start the evaluation period for the Smart License.
Adding the device in FMC: enter either the hostname or the IP address of the FTD, and the registration key that was used in the FTD CLI.
6 Interface Modes
Interface modes inherited from ASA:
• Routed
• Switched (BVI)
Interface modes inherited from FirePOWER:
• Passive
• Passive (ERSPAN)
• Inline pair
• Inline pair with tap
Note - Interface modes can be mixed on a single FTD device
Deployment Mode: Routed
• Traditional L3 firewall deployment
• Allows configuring all interface modes apart from Switched (BVI); from 6.2 onwards switched interfaces are allowed in routed deployments too
• You can specify the firewall mode (Routed or Transparent) during the FTD
setup process:
Configure firewall mode? (routed/transparent) [routed]: routed
• You can later change the FTD mode from CLISH CLI:
> configure firewall routed
This will destroy the current interface configurations, are you sure that you want to
proceed? [y/N] y
The firewall mode was changed successfully.
>
Note - The FTD mode can be changed only if the device is unregistered
Deployment Mode: Transparent
• Traditional L2 firewall deployment
• Allows configuring all interface modes apart from Routed, Passive ERSPAN
• You can specify the firewall mode (Routed or Transparent) during the FTD
setup process:
Configure firewall mode? (routed/transparent) [routed]: transparent
• You can later change the FTD mode from routed to transparent from CLISH:
> configure firewall transparent
This will destroy the current interface configurations, are you sure that you want to
proceed? [y/N] y
The firewall mode was changed successfully.
>
Note - The FTD mode can be changed only if the device is unregistered
Interface Mode: Routed
• Available only in Routed Deployment
• Traditional L3 firewall deployment
• One or more physical or logical (VLAN) routable interfaces
• Allows features like NAT or Dynamic Routing protocols to be configured
• Packets are forwarded based on a route lookup
• Full ASA engine checks are applied along with full Snort engine checks
• Actual traffic can be dropped
Interface Mode: Switched
• Available only in Transparent Deployment mode
• Very similar to classic Transparent firewall
• Two or more physical or logical interfaces are assigned to a Bridge Group
• Full ASA engine checks are applied along with full Snort engine checks
• Packets are forwarded based on a CAM (MAC address) table lookup
• The BVI interface is used to resolve the next-hop MAC using ARP or ICMP
• Actual traffic can be dropped
Interface Mode: Inline Pair
• 2 Physical interfaces internally bridged
• Very similar to classic inline IPS
• Available in Routed or Transparent Deployment modes
• Most of ASA features (NAT, Routing, L3/L4 ACL etc) are not available for flows going
through an Inline Pair.
• Few ASA engine checks are applied along with full Snort engine checks
• Actual traffic can be dropped
Interface Mode: Inline Pair with Tap
• 2 Physical interfaces internally bridged
• Available in Routed or Transparent Deployment modes
• Most of ASA features (NAT, Routing, L3/L4 ACL etc) are not available for flows going
through an Inline Pair
• Few ASA engine checks are applied along with full Snort engine checks to a copy of
the actual traffic
• Actual traffic cannot be dropped
Interface Mode: Passive
• 1 Physical interface operating as a sniffer
• Very similar to classic IDS
• Available in Routed or Transparent Deployment modes
• Few ASA engine checks and full Snort engine checks are applied to a copy of the actual traffic
• Actual traffic cannot be dropped
Interface Mode: Passive (ERSPAN)
• 1 Physical interface operating as a sniffer
• Very similar to a remote IDS
• Available only in Routed Deployment mode
• A GRE tunnel between the capture point and the FTD carries the packets
• Few ASA engine checks and full Snort engine checks are applied to a copy of the actual traffic
• Actual traffic cannot be dropped
Basic Interface Configuration
Just an example – final config will be different once redundancy is added
[Diagram: FTD with G0/1 to the Inside network, G0/0 to the Outside network and G0/2 to the Outside1 network; the interface being configured in each step is shown in red]
Deploying the Redundant Outside Interfaces
Edge Use Case
[Diagram: outside interfaces G1/1 and G1/2 toward ISP-A and ISP-B through the edge aggregation VDC (vPC pairs); DMZ network(s) hosting public web/DB]
Deploying Changes
Changes don’t take effect until you deploy the policy.
You can optionally check for rule conflicts before deploying.
Network Address Translation(NAT)
• Two “types” of NAT in FTD devices: Auto-NAT and Manual NAT
• NAT Policy
• FTD Policies vs. Firepower Policies
• Associated with Devices
• Contains rules (edit policy to see rules)
• A single NAT Policy can be applied to more than 1 device (think common
policy for a group of FTD devices).
Network Address Translation (NAT) (cont.)
• NAT Rule
• Various settings to specify source/destination interfaces, IP addresses, Ports, etc.
• Can be “Manual” or “Auto”. (More about these later.)
Network Address Translation (NAT) (cont.)
NAT order of operations:
• Section 1 (manual NAT, before auto) and Section 3 (manual NAT, after auto) rules are evaluated in the order the administrator places them.
• Section 2 (i.e. Auto-NAT rules) is ordered static NAT before dynamic NAT, and within each of those categories longest to shortest prefix.
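The three-section ordering above is easy to get wrong when a more specific Auto-NAT rule sits beside a manual rule. The following is an added example (editor-supplied, not Cisco code) that sorts a small constructed NAT policy the way FTD consults it and reports which rule a given source address hits; rule names, subnets and 203.0.113.0/24 mapped addresses are assumptions, and matching is simplified to the original source network only (real manual NAT rules also match on destination and interfaces).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    section: int        # 1 = manual before auto, 2 = Auto-NAT, 3 = manual after auto
    nat_type: str       # "static" or "dynamic"
    original: str       # real (original) source network in CIDR form
    translated: str     # mapped address, pool or interface; not used for matching here
    order: int = 0      # administrator-assigned position inside section 1 or 3

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.original, strict=False)


def nat_table_order(rules: List[NatRule]) -> List[NatRule]:
    """Return the rules in the order FTD consults them."""
    manual_before = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    manual_after = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    # Auto-NAT: static before dynamic, then longest prefix first. Python's sort
    # is stable, so rules with equal keys keep their configured order.
    auto = sorted(
        (r for r in rules if r.section == 2),
        key=lambda r: (0 if r.nat_type == "static" else 1, -r.network.prefixlen),
    )
    return manual_before + auto + manual_after


def first_match(rules: List[NatRule], src_ip: str) -> Optional[NatRule]:
    """First rule whose original network contains src_ip, in evaluation order.
    Simplification: only the original source is matched; real manual NAT
    rules also match on destination network and interfaces."""
    addr = ipaddress.ip_address(src_ip)
    for rule in nat_table_order(rules):
        if addr in rule.network:
            return rule
    return None


# Constructed sample policy (not from the page). Deliberately listed in a
# scrambled order: configuration order only matters inside sections 1 and 3.
RULES = [
    NatRule("auto-dyn-lan", 2, "dynamic", "10.0.0.0/8", "outside-interface"),
    NatRule("auto-static-web", 2, "static", "10.1.1.10/32", "203.0.113.10"),
    NatRule("auto-dyn-dmz", 2, "dynamic", "10.1.0.0/16", "203.0.113.20"),
    NatRule("manual-after-catchall", 3, "dynamic", "0.0.0.0/0", "outside-interface", order=1),
    NatRule("manual-before-vpn-exempt", 1, "static", "10.1.1.0/24", "10.1.1.0/24", order=1),
]


def evaluation_order(rules: List[NatRule] = RULES) -> List[str]:
    return [r.name for r in nat_table_order(rules)]


if __name__ == "__main__":
    print(evaluation_order())
    for ip in ("10.1.1.10", "10.1.5.7", "10.9.9.9", "192.168.1.1"):
        print(ip, "->", first_match(RULES, ip).name)
```

Note what happens to 10.1.1.10: the section 1 identity (VPN exempt) rule wins even though the Auto-NAT static rule is more specific, because section 1 is consulted first; that is the usual reason a static server translation silently stops working after someone adds a manual rule.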
FTD Packet Processing Flow
[Diagram: RX packet → ingress interface → existing connection? → advanced fastpath? → NAT untranslate → ACL permit? → forward; a “No” at the connection, fastpath or ACL checks leads to DROP]
[Diagram: FTD with G0/1 to the Inside network, G0/0 to the outside network via the gateway IP, and G0/2 to the Outside1 network]
NGFW Policy Types in FTD
Policy Type | Function
Access Control | Specify, inspect and log network traffic
Intrusion | Inspect traffic for security violations (including block or alter)
Malware & File | Detect and inspect files for malware (including block)
SSL | Inspect encrypted traffic (including decrypt and block)
DNS | Controls whitelisting or blacklisting of traffic based on domain
Identity | Collect identity information via captive portal
Prefilter | Early handling of traffic based on L1-L4 criteria
Inspection Policy Relationships
Access Control Policy blocking inappropriate content
Malware and File Analysis – attached to the Access Control Policy
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Custom IPS Policy
SSL Decrypt is fully configurable: can specify by application, certificate fields / status, ciphers, etc.
DNS Sink-holing / Traffic Drop Rule Set – based on the client’s DNS query results
Security Intelligence DNS Global Settings – whitelist / blacklist capabilities
Identity Policy based on Passive Authentication
Malware & File Policy Overview
• Controls what and how files are allowed, blocked and inspected
• A simple policy applies the same action (Malware Cloud Lookup) to all files
• Actions are:
• Detect Files – detect and log the file transfer, perform no inspection
• Block Files – block and log the file transfer, perform no inspection
• Malware Cloud Lookup – inspect the file to determine its disposition (Malware, Unknown or Clean) and log
• Block Malware – inspect the file to determine its disposition, log, and block if Malware
• Inspection includes static analysis of the file (via Spero), dynamic analysis (via AMP Threat Grid) and local analysis (via ClamAV)
• Complex policies can include different actions and levels of inspection for different application protocols, directions and file types.
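To make the four actions concrete, here is an added example (editor-supplied, not Cisco code) of a file policy evaluated over constructed files: the file type is taken from magic bytes, the rule is selected by protocol, direction and file type category, and the cloud lookup is a SHA-256 table. The magic-byte table, the category names, the fake cloud contents and the sample bytes are all assumptions; the “malware” sample is just bytes with an executable header.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Magic bytes -> (file type, file type category). Constructed subset; the real
# detector list is Cisco's and far larger.
FILE_TYPES: List[Tuple[bytes, str, str]] = [
    (b"MZ", "MSEXE", "Executables"),
    (b"%PDF", "PDF", "PDF files"),
    (b"\xd0\xcf\x11\xe0", "MSOLE2", "Office Documents"),   # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "OOXML", "Office Documents"),         # .docx/.xlsx/.pptx (also any zip)
]


def identify(data: bytes) -> Tuple[str, str]:
    for magic, ftype, category in FILE_TYPES:
        if data.startswith(magic):
            return ftype, category
    return "UNKNOWN", "Other"


@dataclass
class FileRule:
    protocols: Set[str]     # HTTP, SMB, FTP, SMTP ...; empty = any
    directions: Set[str]    # "upload", "download"; empty = any
    categories: Set[str]    # file type categories; empty = any
    action: str             # Detect Files | Block Files | Malware Cloud Lookup | Block Malware


@dataclass
class Result:
    verdict: str                 # "allow" or "block"
    file_type: str
    disposition: Optional[str]   # Malware / Clean / Unknown, None if not looked up
    action: Optional[str]        # action of the matching rule, None if no rule matched


# Constructed samples (not real malware).
MALWARE_SAMPLE = b"MZ" + b"\x90" * 62 + b"constructed-malware-sample"
CLEAN_PDF = b"%PDF-1.7\n%constructed clean sample\n"
UNKNOWN_EXE = b"MZ" + b"\x00" * 62 + b"never-seen-before-binary"

# The AMP cloud keys dispositions on the SHA-256 of the whole file.
CLOUD: Dict[str, str] = {
    hashlib.sha256(MALWARE_SAMPLE).hexdigest(): "Malware",
    hashlib.sha256(CLEAN_PDF).hexdigest(): "Clean",
}


def cloud_lookup(data: bytes) -> str:
    return CLOUD.get(hashlib.sha256(data).hexdigest(), "Unknown")


def apply_policy(rules: List[FileRule], protocol: str, direction: str, data: bytes) -> Result:
    ftype, category = identify(data)
    for rule in rules:                       # first matching rule wins
        if rule.protocols and protocol not in rule.protocols:
            continue
        if rule.directions and direction not in rule.directions:
            continue
        if rule.categories and category not in rule.categories:
            continue
        if rule.action == "Detect Files":
            return Result("allow", ftype, None, rule.action)
        if rule.action == "Block Files":
            return Result("block", ftype, None, rule.action)
        disposition = cloud_lookup(data)
        if rule.action == "Block Malware" and disposition == "Malware":
            return Result("block", ftype, disposition, rule.action)
        # Malware Cloud Lookup always allows. Block Malware lets Clean and
        # Unknown through; Unknown is what dynamic analysis and a later
        # retrospective event are for.
        return Result("allow", ftype, disposition, rule.action)
    return Result("allow", ftype, None, None)


# Use case #1 from the page (block malicious Office, executable and PDF files
# over HTTP) plus a constructed detect-only rule for SMB.
POLICY = [
    FileRule({"HTTP"}, set(), {"Office Documents", "Executables", "PDF files"}, "Block Malware"),
    FileRule({"SMB"}, set(), set(), "Detect Files"),
]
```

The practitioner point is the Unknown case: Block Malware only blocks a file whose disposition is already Malware, so a never-seen binary passes on first sight and is only caught retrospectively, which is exactly the sequence the file trajectory walkthrough later in this deck describes.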
Malware & File Policy for Use Cases #1 to #3
Block malicious Office, Executable and PDF files transferred over HTTP
[Screenshots: the file rule being built; a detection-only (no blocking) variant; the rule we just created listed in the policy]
Intrusion Policy Overview
• Controls how IDS or IPS inspection is performed on network traffic
• Simple policy inherits settings from 1 of 5 Cisco Talos maintained base policies:
• Balanced Security and Connectivity – Default and recommended
• Connectivity Over Security – Fewer rules enabled, only most critical rules block
• Maximum Detection – Favors detection over rated throughput
• No Rules Active
• Security Over Connectivity – More rules enabled, deeper inspection
• Individual rules can be set to generate events, drop and generate events, or
disabled
• Layers allow for grouping of settings/rules for easier management
• Complex policies can contain multiple layers and multiple levels of inheritance
Intrusion Policy for Use Case
The Name and Default Action are required. All other fields are optional.
Access Control Policy Overview (cont.)
• Policy is applied on a per-device basis (though multiple devices can be associated to the same policy).
• A device can only be “directly” associated with one Access Control Policy but can get other policies’ rules via inheritance.
Access Control Policy Configuration
• There is a LOT more to Access Control Policies: Rules, Security Intelligence, HTTP Responses, Advanced
• MANY Advanced features: SSL Policy, Prefilter Policy, Variable Set, Intrusion Policy, etc.
Rule Constraints
• Zones
• Networks
• VLAN Tags
• Users
• Applications
• Ports
• URLs
• SGT/ISE Attributes
• Inspection
• Logging
• Comments
Security Intelligence
You can edit whitelist/blacklist properties from the Access Control Policy page. Each access
control policy has Security Intelligence options. You can whitelist or blacklist network objects,
URL objects and lists, and Security Intelligence feeds and lists, all of which you can constrain by
security zone. You can also associate a DNS policy with your access control policy, and whitelist
or blacklist domain names.
HTTP Responses
You can configure an HTTP response page to display when the system blocks web requests, using either access
control rules or the access control policy default action.
You can choose a generic system-provided response page, or you can enter custom HTML. The response page
displayed depends on how you block the session:
Block or Block with reset—A blocked session times out or resets. The Block Response Page overrides the
default browser or server page that explains that the connection was denied.
Interactive Block or Interactive Block with reset—The system can display an Interactive Block Response
Page to warn users, but also allow them to click a button (or refresh the page) to load the originally requested
site. Users may have to refresh after bypassing the response page to load page elements that did not load.
Access Control Rules
Within an Access Control Policy, rules are sorted into two sections: Mandatory and Default.
Mandatory rules are checked first (top down) and then Default rules (top down).
Adding Access Control Rule Constraints
Zones, Networks, VLAN Tags, Users, Applications, Ports, URLs, SGT/ISE
Attributes, Inspection, Logging, Comments
Zones
Select the zones you wish to use as sources and destinations in your rule. Matches traffic entering or leaving a device via an interface in a specific security zone. A security zone is a logical grouping of one or more interfaces according to your deployment and security policies.
Networks
In the Networks tab, you can select source and destination networks or network groups. Matches traffic by its source or destination IP address, country, or continent (geolocation).
Networks - Geolocation
The Geolocation feature identifies the source and destination geographical locations (countries and continents) of traffic on your network.
Users
You can use users and/or user groups to constrain access control rules. Matches traffic by the user, user group, or realm involved in the session.
Applications & Filters
Applications can be used as a rule constraint. Matches traffic by the application detected in a session. You can control access to individual applications, or filter access according to basic characteristics: type, risk, business relevance, categories, and tags.
Source and Destination Ports
Matches traffic by its source or destination port. For TCP and UDP, you can control traffic based on the transport layer protocol. For ICMP and ICMPv6 (IPv6-ICMP), you can control traffic based on its Internet layer protocol plus an optional type and code. Using port conditions, you can also control traffic using other protocols that do not use ports.
URLs
Matches traffic by the URL requested in the session. You can control access to individual websites, use lists and feeds, or filter access based on a site’s general classification and risk level.
ISE Attributes
Matches traffic by ISE attribute (Security Group Tag (SGT), Endpoint Profile, or Endpoint Location).
Inspection
Inspection options for an access control rule govern how the system inspects and blocks malicious
traffic you would otherwise allow. When you allow traffic with a rule, you can specify that the
system first inspect it with intrusion or file policies to block any exploits, malware, or prohibited
files before they reach your assets or exit your network.
Logging
A rule’s logging settings govern the records the system keeps of the traffic it handles. You can keep a record of traffic that matches a rule. In general, you can log sessions at the beginning or end of a connection, or both. You can log connections to the Firepower Management Center (formerly Defense Center) database, as well as to the system log (syslog) or to an SNMP trap server.
Access Control Rule Actions
Every access control rule has an action that determines the following for matching traffic:
• Handling – foremost, the rule action governs whether the system will monitor, trust, block, or allow traffic that matches the rule’s conditions.
• Inspection – certain rule actions allow you, when properly licensed, to further inspect matching traffic before allowing it to pass.
• Logging – the rule action determines when and how you can log details about matching traffic.
Allow Action: Allowing and Inspecting Traffic
The Allow action allows matching traffic to pass. When you allow traffic,
you can use an associated intrusion or file policy (or both) to further
inspect and block unencrypted or decrypted network traffic.
Trust Action: Passing Traffic Without Inspection
The Trust action allows traffic to pass without further inspection of any
kind.
You can log trusted network traffic at both the beginning and end of
connections.
Monitor Action: Postponing Action and Ensuring Logging
The Monitor action does not affect traffic flow; matching traffic is neither
immediately permitted nor denied. Rather, traffic is matched against
additional rules to determine whether to permit or deny it.
The first non-Monitor rule matched determines traffic flow and any further
inspection. If there are no additional matching rules, the system uses the
default action.
Because the primary purpose of Monitor rules is to track network traffic,
the system automatically logs end-of connection events for monitored
traffic. That is, connections are logged even if the traffic matches no other
rules and you do not enable logging on the default action.
Blocking Actions: Blocking Traffic Without Inspection
The Block and Block with reset actions deny traffic without further inspection of any kind. Block with reset rules also reset the connection.
Interactive Blocking Actions: Allowing Users to Bypass Website
Blocks
For unencrypted HTTP traffic, the Interactive Block and Interactive Block
with reset actions give users a chance to bypass a website block by clicking
through a customizable warning page, called an HTTP response page.
Interactive Block with reset rules also reset the connection.
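The Mandatory/Default ordering and the Monitor semantics described above are the parts of access control evaluation that most often surprise people, so here is an added example (editor-supplied, not Cisco code) that evaluates a constructed policy the way the text describes: Mandatory rules top down, then Default rules, Monitor matches recorded but never deciding, the first non-Monitor match deciding, the policy default action otherwise, and a Monitor match forcing an end-of-connection log even when the deciding rule or the default action has logging off. The zone names, the 10.4.0.0/16 finance subnet and the “MS SQL” application name are assumptions; matching covers zones, networks, destination port and application only.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str = ""       # application identified by AVC ("" = not identified yet)


@dataclass
class Rule:
    name: str
    action: str         # Allow | Trust | Monitor | Block | Block with reset | Interactive Block
    src_zones: Set[str] = field(default_factory=set)    # empty = any
    dst_zones: Set[str] = field(default_factory=set)
    src_nets: List[str] = field(default_factory=list)
    dst_nets: List[str] = field(default_factory=list)
    dst_ports: Set[int] = field(default_factory=set)
    apps: Set[str] = field(default_factory=set)
    log_connection: bool = False                         # the rule's own logging setting

    def matches(self, f: Flow) -> bool:
        def in_nets(ip: str, nets: List[str]) -> bool:
            addr = ipaddress.ip_address(ip)
            return not nets or any(addr in ipaddress.ip_network(n) for n in nets)
        return (
            (not self.src_zones or f.src_zone in self.src_zones)
            and (not self.dst_zones or f.dst_zone in self.dst_zones)
            and in_nets(f.src_ip, self.src_nets)
            and in_nets(f.dst_ip, self.dst_nets)
            and (not self.dst_ports or f.dst_port in self.dst_ports)
            and (not self.apps or f.app in self.apps)
        )


@dataclass
class Verdict:
    action: str
    rule: Optional[str]          # None when the default action decided
    monitored_by: List[str]
    logged: bool


def evaluate(mandatory: List[Rule], default: List[Rule], default_action: str,
             flow: Flow, log_default: bool = False) -> Verdict:
    """Mandatory rules top down, then Default rules top down. Monitor rules
    record a match but never decide; the first non-Monitor match decides,
    otherwise the policy default action applies. Any Monitor match forces an
    end-of-connection log regardless of other logging settings."""
    monitored: List[str] = []
    for rule in mandatory + default:
        if not rule.matches(flow):
            continue
        if rule.action == "Monitor":
            monitored.append(rule.name)
            continue
        return Verdict(rule.action, rule.name, monitored,
                       rule.log_connection or bool(monitored))
    return Verdict(default_action, None, monitored, log_default or bool(monitored))


# Constructed sample policy (not the page's).
MANDATORY = [
    Rule("Monitor-Finance", "Monitor", src_nets=["10.4.0.0/16"]),
    Rule("Block-Telnet", "Block with reset", dst_ports={23}),
]
DEFAULT = [
    Rule("Allow-MSSQL", "Allow", src_zones={"inside"}, dst_zones={"outside"},
         dst_ports={1433}, apps={"MS SQL"}),
]
DEFAULT_ACTION = "Block"


def decide(flow: Flow) -> Verdict:
    return evaluate(MANDATORY, DEFAULT, DEFAULT_ACTION, flow)
```

One caveat the model does not show: application and URL conditions need a few packets before AVC can identify the session, so an Allow rule keyed on an application lets the first packets through before the rule can match; put pure port/network blocks in the Mandatory section ahead of application-based allows.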
Access Control Policy Use Case #1 – Action
Allow MS SQL from inside to outside
[Screenshots: the Allow rule for MS SQL; a block rule that displays a block page over HTTP; URL categories Gambling, Health, Gaming and Drug Use]
URL Filtering
• Filter based on Category and/or Reputation, or via a specific URL (an object manually created, a list of URLs, or an automatically updated list of URLs).
Note: To use category and/or reputation requires the URL License.
URL Filtering (cont.)
• Select a category and then optionally choose a reputation.
• Uses Cisco Security Intelligence to define what URLs match these categories and reputations.
URL Object
Network Discovery
• By default Network Discovery examines ALL traffic traversing the FTD (i.e. 0.0.0.0/0 and ANY zone).
• Create a new network discovery rule or modify the default to meet your needs.
• Can create exclusion rules to single out exceptions.
Network Discovery Results
Host Profile of Discovered Host
Network File Trajectory Use Case
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
1. An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
2. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
3. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
4. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
5. Cisco Talos Intelligence has learned this file is malicious and a retrospective event is raised for all four devices immediately.
6. At the same time, a device with the AMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
7. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
Application Detection Overview
• When the Firepower System analyzes IP traffic, it attempts to identify the
commonly used applications on your network. Application awareness is
crucial to performing application-based access control.
• There are two sources of application detectors in the Firepower System:
System-provided detectors detect web applications, clients, and
application protocols.
The availability of system-provided detectors for applications (and operating
systems) depends on the version of the Firepower System and the version of
the VDB you have installed. Release notes and advisories contain information on
new and updated detectors. You can also import individual detectors authored
by Professional Services. For a complete list of detected applications, see the
Support site.
Custom application protocol detectors are user-created and detect
web applications, clients, and application protocols.
Custom Application Detector
Custom application detectors are pattern-based, detecting patterns in packets from client, web application, or
application protocol traffic. You can activate and deactivate application detectors according to the needs of your
organization.
SSL Policies
• Controls how and what encrypted traffic is inspected and decrypted
• Simple policy blocks all encrypted traffic that uses a self-signed certificate.
• Actions are:
a) Decrypt – Resign: Used for SSL decryption of public services (Google, Facebook, etc.)
b) Decrypt – Known Key: Used when you have the certificate’s private key
c) Do not decrypt
d) Block
e) Block with reset
f) Monitor
• Many actions can be taken on encrypted traffic without decryption by inspecting the
certificate, DN, cert status, cipher suite, and version (all supported by FTD).
Noob Guide to SSL Encryption for HTTPS
1. Computers agree on how to encrypt.
a) The client’s browser connects to the SSL/TLS port on the server and sends a ClientHello: the highest protocol version it supports, the list of cipher suites (key exchange, cipher and hash combinations) it accepts, and a random number that will go into the master secret.
b) The server responds with a ServerHello choosing one cipher suite and one protocol version from the client’s list, plus its own random number.
2. The server proves its identity: it sends its certificate to the client.
3. The browser checks whether the SSL certificate is trustworthy.
a) Is the certificate self-signed, or signed by a certificate authority that the client computer trusts, and does its name match the host being contacted?
4. The client sends its key exchange material (a pre-master secret encrypted to the server’s public key, or an ephemeral Diffie-Hellman share), followed by a “Start Encrypting” (ChangeCipherSpec) message. (Note: this is the client’s last unencrypted transmission.)
5. The server sends back its own “Start Encrypting” and an encrypted Finished message that authenticates the whole handshake, to start the session.
6. Encrypted data is shared.
Basic 4 Use Cases for SSL
1. Known Key
a) Install server’s private key into NGFW.
b) NGFW will then decrypt, inspect, and re-encrypt with server’s key.
2. Unknown Key
a) Install trust of NGFW as CA in workstations.
b) Create NGFW key.
c) Decrypt SSL, inspect, and then re-encrypt with NGFW’s key.
3. Don’t Decrypt
a) Acknowledge SSL use but just pass through (supposedly).
4. Block
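An added example (not from the deck and not Cisco's code) tying the handshake walkthrough to the SSL policy actions above: a Python parser that pulls the version, the offered cipher suites and the SNI out of a TLS ClientHello, the fields an NGFW can read before any decryption happens, and a small rule table that maps them to the deck's actions (Known Key for a server you control, Do not decrypt for a pass-through suffix, Block with reset for an old version, Resign otherwise). The server names, the minimum version and the rule order are constructed assumptions; certificate-based checks (DN, status) would come from the server's later messages and are not parsed here.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of IANA cipher suite ids, for readable output only
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
# TLS 1.3 clients still send 0x0303 here and advertise 1.3 in the supported_versions extension
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}

# Constructed policy inputs (assumptions for the example)
KNOWN_KEY_SERVERS = {"intranet.example.com"}  # servers you control: private key installed on the NGFW
NO_DECRYPT_SUFFIXES = ("bank.example.net",)   # pass through without decryption
MIN_VERSION = 0x0303                           # anything older is blocked


@dataclass
class ClientHello:
    version: int
    cipher_suites: List[int]
    sni: Optional[str] = None


def parse_client_hello(data: bytes) -> ClientHello:
    """Parse a TLS record carrying a ClientHello: version, cipher suites and SNI."""
    if len(data) < 5 or data[0] != 0x16:               # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:               # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                      # client_version, then 32-byte random
    pos += 1 + hello[pos]                              # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                              # compression methods
    sni = None
    if pos + 2 <= len(hello):                          # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == 0x0000:                        # server_name: list len(2) type(1) name len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return ClientHello(version, suites, sni)


def build_client_hello(version: int, suites: List[int], sni: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record (sample input for the parser)."""
    ext = b""
    if sni:
        name = sni.encode("ascii")
        sn = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0x0000, len(sn)) + sn
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    hello += struct.pack("!H", len(suites) * 2) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                                  # one compression method: null
    hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def ssl_policy_action(ch: ClientHello) -> str:
    """Map ClientHello metadata to one of the deck's SSL policy actions (rule order is an assumption)."""
    if ch.version < MIN_VERSION:
        return "Block with reset"
    if ch.sni in KNOWN_KEY_SERVERS:
        return "Decrypt - Known Key"
    if ch.sni and any(ch.sni == s or ch.sni.endswith("." + s) for s in NO_DECRYPT_SUFFIXES):
        return "Do not decrypt"
    return "Decrypt - Resign"


def describe(ch: ClientHello) -> Tuple[str, List[str], Optional[str]]:
    """Human-readable version, cipher names and SNI."""
    return (VERSION_NAMES.get(ch.version, hex(ch.version)),
            [CIPHER_NAMES.get(s, hex(s)) for s in ch.cipher_suites], ch.sni)


if __name__ == "__main__":
    for ver, suites, sni in [(0x0303, [0x1301, 0xC02F], "intranet.example.com"),
                             (0x0301, [0x000A], "www.example.org"),
                             (0x0303, [0x1301], "online.bank.example.net"),
                             (0x0303, [0x1301], None)]:
        ch = parse_client_hello(build_client_hello(ver, suites, sni))
        print(describe(ch), "->", ssl_policy_action(ch))
```

The decision is made on cleartext handshake fields only, which is the point of the last bullet on the SSL Policies slide: version, SNI and cipher suite are available to the firewall whether or not it ever decrypts the session.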
Create SSL Policy
Create SSL Rule (callout: for servers you control)
Assign SSL Policy to ACP
DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Multiple actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
• Cisco-provided and user-defined DNS lists: CnC, Spam, Malware, Phishing
• New dashboard widget for URL/DNS SI
DNS List Action
[Diagram: NGFW policy with DNS inspection; lists, feeds and global lists can be configured. Action “Domain Not Found” answers with DNS NXDOMAIN and generates SI events; action “Sinkhole” redirects the endpoint (10.15.0.21) to a connection to the sinkhole IP.]
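As an added example (not Firepower's own code), a Python model of the four DNS list actions over constructed DNS query packets: it parses the QNAME from a query, matches it against a constructed Security Intelligence list with suffix matching (so a fast-flux host under a listed domain still hits), records the SI event, and builds the NXDOMAIN or sinkhole answer the endpoint would receive. The list contents, the event shape and the sinkhole address 192.0.2.1 are assumptions for the example.

```python
import struct
from typing import Dict, Optional, Tuple

SINKHOLE_IP = "192.0.2.1"  # constructed sinkhole address (RFC 5737 documentation range)

# Constructed DNS Security Intelligence lists: domain -> (list name, action)
DNS_LISTS: Dict[str, Tuple[str, str]] = {
    "cnc.bad-example.com": ("CnC", "Sinkhole"),
    "phish.bad-example.net": ("Phishing", "Domain Not Found"),
    "spam.bad-example.org": ("Spam", "Block"),
    "watch.example.org": ("Custom-Monitor", "Monitor"),
}


def parse_query(pkt: bytes) -> Tuple[int, str, int]:
    """Return (transaction id, qname, qtype) from a DNS query (no compression in questions)."""
    txid = struct.unpack("!H", pkt[:2])[0]
    pos, labels = 12, []
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype


def match_list(qname: str) -> Optional[Tuple[str, Tuple[str, str]]]:
    """Suffix match so subdomains of a listed domain also match."""
    parts = qname.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in DNS_LISTS:
            return candidate, DNS_LISTS[candidate]
    return None


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Construct a standard recursive query for qname (sample input)."""
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, rcode: int = 0, answer_ip: Optional[str] = None) -> bytes:
    """Answer the query: RCODE only (e.g. 3 = NXDOMAIN) or one A record pointing at answer_ip."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | rcode                     # QR=1, RD=1, RA=1, RCODE
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    rr = b""
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata   # name pointer to offset 12, A/IN, TTL 60
    return header + question + rr


def response_summary(resp: bytes) -> Tuple[int, Optional[str]]:
    """(rcode, answered IP or None) for a response built above."""
    flags, ancount = struct.unpack("!H", resp[2:4])[0], struct.unpack("!H", resp[6:8])[0]
    ip = ".".join(str(b) for b in resp[-4:]) if ancount else None
    return flags & 0xF, ip


def inspect(query: bytes) -> Tuple[str, Optional[dict], Optional[bytes]]:
    """Apply the DNS list action: (action, SI event or None, response to send or None)."""
    txid, qname, qtype = parse_query(query)
    hit = match_list(qname)
    if not hit:
        return "Allow", None, None
    listed, (list_name, action) = hit
    event = {"qname": qname, "matched": listed, "list": list_name, "action": action}
    if action == "Monitor":           # log the event, let the query through unchanged
        return action, event, None
    if action == "Block":             # drop the query; the client sees a timeout
        return action, event, None
    if action == "Domain Not Found":  # answer NXDOMAIN so the lookup fails cleanly
        return action, event, build_response(query, rcode=3)
    if action == "Sinkhole":          # answer with the sinkhole IP so the follow-on connection is observable
        return action, event, build_response(query, answer_ip=SINKHOLE_IP)
    raise ValueError(f"unknown action {action}")


if __name__ == "__main__":
    for name in ("beacon.cnc.bad-example.com", "phish.bad-example.net", "www.example.com"):
        action, event, resp = inspect(build_query(0x1234, name))
        print(name, action, event, response_summary(resp) if resp else None)
```

The Sinkhole branch is what turns a DNS hit into the IoC the deck mentions: the endpoint's subsequent connection to the sinkhole IP is a host-level indicator, whereas NXDOMAIN only tells you a query happened.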
Rate Limiting
• Streamline Bandwidth usage by applications, users, networks, etc…
• Enforce internet usage policy
• Internet Edge, campus edge
• SGT/ISE Parameters
• Upload/Download
• The limits can be expressed in terms of actual rate or percentage of overall interface
bandwidth
• A username can only uniquely log into FMC via HTTPS once. If that username attempts to
log in a 2nd time their 1st connection will be logged out.
• Creation of a special “API User” might be best to avoid HTTPS access collisions since
API calls and web page calls are treated the same.
• Firepower Version 6.2.X allows REST clients to create and configure interfaces for
Firepower Threat Defense devices via the Firepower Management Center REST API.
This feature enables the Firepower Management Center to interact with various Cisco
products and services, as well as those from third-party vendors.
API Explorer
https://<fmc IP>/api/api-explorer
API Explorer (cont.)
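An added example (not from the deck, not Cisco's client code) of the pattern the two login bullets imply: a dedicated API user obtains a session token once and reuses it for every call, instead of logging in per request and colliding with someone's web session. The token endpoint, the response header names and the devicerecords path are the documented FMC REST API as I know it; check them against your version's API Explorer. The host name, credentials, CA file and the device listing in the offline demonstration are constructed.

```python
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Tuple

# Documented FMC REST paths (verify against https://<fmc IP>/api/api-explorer for your version)
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
DEVICES_PATH = "/api/fmc_config/v1/domain/{domain}/devices/devicerecords"


def build_token_request(fmc_host: str, username: str, password: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for the token request: HTTP Basic credentials on an empty POST."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {cred}", "Content-Type": "application/json"}
    return f"https://{fmc_host}{TOKEN_PATH}", headers


def parse_token_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Pull the access/refresh tokens and domain id the FMC returns in response headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    wanted = {"access": "x-auth-access-token", "refresh": "x-auth-refresh-token", "domain": "domain_uuid"}
    missing = [name for name in wanted.values() if name not in lowered]
    if missing:
        raise KeyError(f"token response missing headers: {missing}")
    return {key: lowered[name] for key, name in wanted.items()}


def device_names(payload: dict) -> List[str]:
    """Sorted names of the managed devices in a devicerecords listing."""
    return sorted(item["name"] for item in payload.get("items", []))


def fmc_session(fmc_host: str, username: str, password: str, cafile: str) -> Dict[str, str]:
    """Live call (not exercised offline): log in once with the API user and keep the tokens."""
    url, headers = build_token_request(fmc_host, username, password)
    ctx = ssl.create_default_context(cafile=cafile)  # trust the FMC's CA instead of disabling verification
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_token_headers(dict(resp.headers.items()))


def list_devices(fmc_host: str, session: Dict[str, str], cafile: str) -> List[str]:
    """Live GET that reuses the session token rather than generating a new one per call."""
    url = f"https://{fmc_host}{DEVICES_PATH.format(domain=session['domain'])}"
    headers = {"X-auth-access-token": session["access"], "Content-Type": "application/json"}
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return device_names(json.load(resp))


if __name__ == "__main__":
    # Offline demonstration on a constructed token response and device listing
    session = parse_token_headers({"X-auth-access-token": "tok-123",
                                   "X-auth-refresh-token": "ref-456",
                                   "DOMAIN_UUID": "domain-uuid-placeholder"})
    print(session)
    print(device_names({"items": [{"name": "ftd-hq"}, {"name": "ftd-branch-1"}]}))
```

Keeping one session per API user and passing `X-auth-access-token` on each request is what avoids the second-login logout described above; it also keeps the API user's audit trail separate from the analysts' web logins.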
Cisco Threat Intelligence Director
• New feature introduced in 6.2.X version.
• Cisco Threat Intelligence Director (TID) operationalizes threat intelligence data, helping
you aggregate intelligence data, configure defensive actions, and analyze threats in your
environment.
• To enable this new feature, a minimum of 15 GB RAM for FMC is mandatory.
• By default Threat Intelligence Director is enabled.
• Steps to configure the Intelligence feature in FMC:
a. Indicators are processed into the TID database.
b. Observables are published.
c. Observations are correlated.
d. Incidents are detected.
Data Flow of Threat Intelligence Director
Benefits of Threat Intelligence Director
• Ingest threat intelligence using open industry standard interfaces.
1. Confidentiality (encryption) – The sender can encrypt the packets before transmitting
them across a network.
By doing so, no one can access the communication without permission.
If intercepted, the communications cannot be read.
2. Data integrity – The receiver can verify that the data was transmitted through the
Internet without being altered.
3. Origin authentication – The receiver can authenticate the source of the packet,
guaranteeing and certifying the source of the information
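An added example (not from the deck) showing how properties 2 and 3, data integrity and origin authentication, are enforced on the wire: each ESP-style packet carries an SPI, a sequence number, the payload and an integrity check value computed with HMAC-SHA-256 truncated to 128 bits, the form IPsec uses; a packet altered in transit, or one built by a peer that lacks the negotiated key, fails verification. The SPI, key and payload are constructed; the encryption step of property 1 (for example AES-GCM) is omitted here because the standard library has no AES, and in a real SA the ICV is computed over the already-encrypted payload.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

ICV_LEN = 16  # HMAC-SHA-256-128: the 32-byte MAC is truncated to 16 bytes on the wire


def esp_protect(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Build SPI | sequence | payload | ICV, with the ICV covering everything before it."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def esp_verify(packet: bytes, auth_key: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (spi, seq, payload) if the ICV checks out under auth_key, else None."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time compare
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one bit at offset, simulating modification in transit (test helper)."""
    return packet[:offset] + bytes([packet[offset] ^ 0x01]) + packet[offset + 1:]


if __name__ == "__main__":
    key = b"\x11" * 32                      # constructed: the SA's negotiated authentication key
    pkt = esp_protect(0x00001000, 1, b"inner IP packet", key)
    print("genuine:", esp_verify(pkt, key))
    print("tampered:", esp_verify(tamper(pkt, 9), key))
    print("wrong key:", esp_verify(pkt, b"\x22" * 32))
```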
Integrated NGFW RA VPN
Key features delivered with 6.2.1
• Next generation security
• Basic AAA
• LDAP/AD, client certificate, RADIUS attributes, DACLs, Time ranges
• Time Ranges
• AnyConnect client
• Proxy/DNS/WINS server assignment
• Simple configuration
• Session monitoring and control
[Diagram: remote-access clients reach, via the ISP and the Internet, an FP2100 HA pair at the edge in front of the private network]
• Site-to-site tunnels are built using the Internet Protocol Security (IPsec)
protocol suite and IKEv1 or IKEv2.
[Diagram: site-to-site topology with an FTD or router at each site and an FTD or router as hub; IPsec traffic enters LINA first. Labels: Type of Topology, IKEv1 or IKEv2, Tunnel Endpoints]
Site to Site VPN deployment on FMC
• Defining IKE policy: IKEv1 policy configuration, IKEv2 policy configuration
• IPsec policy: crypto map type, transform-set configuration
• Configuring additional features such as IKE keepalives, IKEv2 cookie challenge, max SAs, etc.
FirePOWER Management Center
Single console for event, policy, and configuration management
Connection Events
Connection events contain data about the detected sessions. The information available for any individual connection
event depends on several factors, but in general includes:
• Basic connection properties: timestamp, source and destination IP address, ingress and egress zones, the device
that handled the connection, and so on
• Additional connection properties discovered or inferred by the system: applications, requested URLs, or users
associated with the connection, and so on
• Metadata about why the connection was logged: which configuration handled the traffic, whether the
connection was allowed or blocked, details about encrypted and decrypted connections, and so on
Intelligence
User Identification
User identification uses two distinct mechanisms
1. Network discovery
• Understands AIM, IMAP, LDAP, Oracle, POP3 and SIP
• Will only provide limited information when deployed at the Internet edge
2. Sourcefire User Agent (SFUA)
• Installed on a Windows Platform
• Windows server does not have to be a domain member
• Communicates with the AD using WMI – starts on port 136 then switches
to random TCP ports
• Communicates with FMC through a persistent connection to TCP port
3306 on the FMC
• Endpoints must be domain members
• Well-suited for Internet edge firewalls
Note: This solution does not use the Cisco Context Directory Agent (CDA)
Indication of Compromise (IoCs)
Impact Assessment
Enforce consistent policies in branch offices
Cisco Defense Orchestrator
Device Onboarding
• Import From Offline
• Discover Direct From Device
Policy Management
• Object & Policy Analysis
• Application, URL, Malware & Threat
• Change Impact Modeling
• Security Templates
• Notifications
• Reports
Simplify security policy management in the cloud with Cisco Defense Orchestrator
• Plan and model security policy changes before deploying them across the cloud
• Deploy changes across virtual environments in real time or offline
• Receive notifications about any unplanned changes to security policies and objects
Ensure compliance before granting access
Identity Services Engine (ISE)
[Diagram labels: Propagate, Segmentation, User Context, Policy automation]
• Set access control policies
• Propagate rules and context
• Establish a secure network
• Remediate breaches automatically
ISE Integration
• pxGrid feed to retrieve from ISE:
• AD Username (Group lookup via AD Realm)
• Device type profile & location
• TrustSec Security Group Tag (SGT)
APIs
Third-party solutions
• Radware DDoS
• VDI identity
• VPN capabilities
Currently available on the Firepower 9300 and 4100 series appliances. Coming soon
to the Firepower 2100 series.
[Diagram: cloud scrubber; VDI users (User 1, User 2, User 3) mapped to user IPs via APIs]
• Route user information to Terminal Services
• Capture information using APIs
• Identify risky behavior
See web attacks before they reach the network
Cisco Umbrella
• Get intelligence from a large database
• See more threats with industry-leading research
Extend security to remote users and branches
Remote and site-to-site VPN
• AnyConnect
• IKEv2 support
• Third-party VPN
• Extend access remotely, protect important data, support multiple sites, maintain application performance
Integrate third-party security intelligence
Cisco Intelligence Manager
• Ingests: Cisco sources (Talos, ThreatGRID) and CSV files
• Communicates with Cisco appliances: NGFW, ESA, WSA
• Analyze security intelligence, correlate observations, generate rich incident reports, refine security posture
Dashboards
• The FirePOWER System dashboard provides
you with at-a-glance views of current system
status, including data about the events
collected and generated by the system.
• You can also use the dashboard to see
information about the status and overall
health of the appliances in your deployment.
Only certain user roles (Administrator,
Maintenance User, Security Analyst, Security
Analyst [Read Only], and custom roles with
the Dashboards permission) have access to
the dashboard.
• Other roles see as their default start pages a
page relevant to the role; for example, a
Discovery Admin sees the Network Discovery
page.
Dashboards (cont.)
Reporting Overview - Introduction
• The Firepower System provides a flexible reporting system that allows you to
quickly and easily generate multi-section reports with the event views or
dashboards that appear on your Firepower Management Center.
• You can also design your own custom reports from scratch.
• A report is a document file formatted in PDF, HTML, or CSV with the content
you want to communicate.
Report Templates
• You use report templates to define the content and format of the data in each of the report’s
sections, as well as the document attributes of the report file (cover page, table of contents,
and page headers and footers).
• After you generate a report, the template stays available for reuse until you delete it.
• Your reports contain one or more information sections. You choose the format (text, table, or
chart) for each section individually. The format you select for a section may constrain the data
that can be included.
• For example, you cannot show time-based information in certain tables using a pie chart
format. You can change the data criteria or format of a section at any time to obtain optimum
presentation.
Report Templates of the FirePOWER Management Center
Report Template Creation
• A report template is a framework of sections, each independently built from its own database
query.
• You can build a new report template by creating a new template, using an existing template, basing
a template off an event view, or importing a dashboard or workflow.
• If you do not want to copy an existing report template, you can create an entirely new template.
The first step in creating a template is to generate the framework that allows you to add and
format the sections. Then, in the order you prefer, you design the individual template sections and
set attributes for the report document.
• Each template section consists of a dataset generated by a search or filter, and has a format
specification (table, pie chart, and so on) that determines the mode of presentation.
• You further determine section content by selecting the fields in the data records you want to
include in the output, as well as the time frame and number of records to show.
Report Template creation
Creating a Custom Report Template
• Click Create Report Template.
• Optionally, enter a name for your new template in the Report Title field, and click Save.
• To add an input parameter to the report title, place your cursor in the title where the
parameter value should appear, then click the insert input parameter icon ().
• Use the set of add icons under the Report Sections title bar to insert sections as
necessary.
• Click Save.
Creating a Custom Report Template(cont.)
Click Advanced to set attributes for PDF and HTML reports.
Creating a Report Template by Importing a Dashboard or
Workflow
• Click the import sections icon.
• Choose a dashboard, workflow, or summary from the drop-down menus.
• Click Import.
Report Template Configuration
• You can modify and customize a report template once you create it. You can modify a
variety of report section attributes to adjust the content of the section and its data
presentation.
Report Template section
Reports are divided into sections.
Report sections can be comprised of the following types:
• $<Time> – The date and time of day the report ran, with one-second granularity
• $<Time Window> – The time window currently applied to the report section
• File names using Unicode (UTF-8) characters are not supported in PDF reports. If you generate a report in
PDF format, any report sections that include special Unicode file names (such as those appearing in file or
malware events) display these file names in transliterated form.
• If the report template includes user input parameters in its search specification, the generation process
prompts you to enter values, which tailor this run of the report to a subset of the data.
• If you have a DNS server configured and IP address resolution enabled, reports contain host names if
resolution was successful.
• In a multidomain deployment, when you generate a report in an ancestor domain, it can include results from
all descendant domains. To generate a report for a specific leaf domain, switch to that domain.
Creating an Advanced Malware Risk report
The reports below generate the Advanced Malware Risk report in a detailed view:
Advanced Malware Risk Report
Attacks Risk Report
Network Risk Report
Generating Reports From Report Template
• The report generation process lets you select the report’s format – PDF, HTML or CSV.
• You can adjust the report’s global time window – a consistent time window applied to all
sections, except those that are exempt.
• The generated reports are made available under the Reports tab.
• The Reports tab lists all previously generated reports.
Global Time Windows and Report Template Sections
• Report templates with time-based data (such as intrusion or discovery
events) have a global time window, which the time-based sections in the
template inherit by default when created.
• Changing the global time window changes the local time window for the
sections that are configured to inherit the global time window. You can
disable time window inheritance for an individual section by clearing
its Inherit Time Window check box. You can then edit the local time window.
Formatting Sections
Click the preview button at the corner of each report section to view a graphical
representation of that section of the report.
Summary
NGFW - The Cisco Firepower™ Next-Generation Firewall (NGFW) is the industry’s first fully integrated,
threat-focused NGFW. It delivers comprehensive, unified policy management of firewall functions,
application control, threat prevention, and advanced malware protection from the network to the
endpoint.
Firepower Threat Defense - Cisco Firepower Threat Defense (FTD) is a unified software image, which
includes the Cisco ASA features and FirePOWER Services. This unified software is capable of offering
the function of ASA and FirePOWER in one platform, both in terms of hardware and software
features.
FMC - It provides complete and unified management over firewalls, application control, intrusion
prevention, URL filtering, and advanced malware protection.
Thank you