ftd-6-1 - InfoS3c T@lk


Firepower Threat Defense
Version 6.1 Overview
Deepti Hemwani
Technical Marketing Engineer
Sept 2016
Firepower 6.1 addresses the Internet Edge
Internet Edge, What's New:
• Site-to-Site VPN, Rate Limiting, Safe Search, Captive Portal Enhancements, Kerberos
• Management Scale
• AMP Private Cloud with ThreatGrid
Campus, What's New:
• ISE Remediation
• Fail to Wire
Data Center (On-Premise or Cloud), What's New:
• KVM
Firepower 6.1 – A Quick Glance
NGFW & Network Firewall:
• Site-to-Site VPN
• Traffic Rate-Limiting
• Routing Enhancements
• Tunneled Traffic Policies
• Safe Search enforcement
• True-IP Policy (XFF)
• SSL Client Hello
• Captive Portal Enhancements
Integration & Infrastructure:
• ISE Remediation
• Inline SGT Tags
• KVM Support
• Converged CLI
• AMP Private Cloud
• Fail-to-Wire
(Several of the items above are available only on Firepower Threat Defense Software (FTD); the feature slides below mark each one.)
Management:
• Improved Scale
• Usability Improvements
• Integrated Risk Reports
• High Availability
• Firepower Device Manager
Software Support by Platform

Platform                                  | Firepower Threat Defense | Firepower NGIPS | ASA Firewall | Firepower Services on ASA
------------------------------------------|--------------------------|-----------------|--------------|--------------------------
Old (Series 2) FirePOWER Appliances       | ✗                        | ✗               | ✗            | ✗
FirePOWER 7000 Series                     | ✗                        | ✓               | ✗            | ✗
FirePOWER 8000 Series                     | ✗                        | ✓               | ✗            | ✗
ASA Low-end (5506/08/16)                  | ✓ (reimage)              | ✗               | ✓            | ✓
ASA Mid-Range (5512/15/25/45/55)          | ✓ (reimage)              | ✗               | ✓            | ✓
ASA High-end (5585 SSP-10/20/40/60)       | ✗                        | ✗               | ✓            | ✓
Firepower 4100, 9300 (SSP 3RU - SM-24/36) | ✓                        | ✗               | ✓            | ✗
VMware                                    | ✓                        | ✓               | ✓            | ✗
AWS                                       | ✓                        | ✗               | ✓            | ✗
KVM                                       | ✓                        | ✗               | ✓            | ✗
Firepower 6.1
Feature Overview
© 2015-2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
NGFW and Network Firewall
Site-to-Site VPN
• Between multiple FTDs or between FTD and ASA
• Topology based design: Point to point, Hub and Spoke, Full Mesh
• Uses pre-shared key only, no PKI
Available only on Firepower Threat Defense Software (FTD)
Routing Enhancements: Multicast Support Added
Available only on Firepower Threat Defense Software (FTD)
Inline Security Group Tags (SGT)
• Behavior in 6.1:
  • SGTs carried in network traffic are utilized
  • SGTs seen in traffic take precedence over the SGT-to-IP mapping provided by ISE
  • Untagged traffic is still matched to rules using the IP-to-SGT mapping provided by ISE
  • ISE integration is no longer needed – SGTs can be defined in FMC
• The sensor does not add or remove tags from traffic
Available only on Firepower Threat Defense Software (FTD)
Shared NAT
• FMC now supports applying the same NAT policy to multiple devices
Available only on Firepower Threat Defense Software (FTD)
Rate limiting
• Rate limiting provides:
  • Limits based on applications/groups, users/groups, networks/geolocation, ports, URLs, etc.
  • Separate limits can be applied for download and upload
  • Rate limits are applied on routed-mode interface objects
  • Limits can be expressed as an absolute rate or as a percentage of overall interface bandwidth
• Supported only on FTD
• Limitations:
  • Maximum of 32 QoS rules per interface on which rate limiting is applied
  • Rate limiting range is 8000 bits/s to 2 Gbps (same as ASA)
Available only on Firepower Threat Defense Software (FTD)
True-IP Policy
• In 6.1 the True-IP (original client address) can be used in policy decisions, taken from:
  • X-Forwarded-For
  • True-Client-IP header
  • Custom headers that use XFF-like syntax – see RFC 7239
• Precedence between headers is set in the HTTP preprocessor settings
• You can specify which source IPs (proxy servers) are trusted to supply these headers
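The slide's last two bullets are the ones that matter for security: forwarding headers are only meaningful when the hop that sent them is a proxy you trust, and the chain has to be walked from the nearest hop backwards so that a client-supplied left-most value is never believed. The following is an added example (not code from the Cisco deck) of that trusted-proxy logic; the header precedence order, the trusted-proxy CIDR list and the sample requests are constructed for illustration.

```python
"""Added example (not from the Cisco deck): choosing the "true" client address
from X-Forwarded-For / True-Client-IP only when the header comes from a trusted
proxy, walking the chain from the nearest hop so a client cannot spoof it.

Assumptions (not stated on the slide): the header precedence order, the
trusted-proxy list and the sample requests below are constructed for illustration.
"""
import ipaddress


def _parse_chain(value):
    """Split an XFF-style header value into hop strings, left (origin) to right (nearest)."""
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def _is_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def _in_trusted(addr, trusted_nets):
    return _is_ip(addr) and any(ipaddress.ip_address(addr) in net for net in trusted_nets)


def true_client_ip(peer_ip, headers, trusted_proxies,
                   precedence=("True-Client-IP", "X-Forwarded-For")):
    """Return the address that access-control policy should treat as the client source.

    peer_ip         : layer-3 source of the connection as the sensor sees it
    headers         : HTTP request headers (name lookup is case-insensitive)
    trusted_proxies : CIDR strings whose forwarding headers are believed
    precedence      : header names to consult, first usable one wins

    Rules:
      1. If the peer is not a trusted proxy, every header is ignored: the peer is the client.
      2. Otherwise walk the chain from the right; hops that are trusted proxies are
         skipped, and the first untrusted hop is the client.
      3. A malformed or non-IP hop ("unknown", garbage) at that position voids the header
         and we fall back to peer_ip rather than feed junk into policy.
    """
    trusted_nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    if not _in_trusted(peer_ip, trusted_nets):
        return peer_ip
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in precedence:
        value = lowered.get(name.lower())
        if not value:
            continue
        for hop in reversed(_parse_chain(value)):
            if _in_trusted(hop, trusted_nets):
                continue          # a proxy we operate; keep walking toward the origin
            return hop if _is_ip(hop) else peer_ip
        # every hop was one of our own proxies: nothing usable in this header
    return peer_ip


TRUSTED_PROXIES = ["10.0.0.0/8"]  # constructed: the reverse-proxy tier

# Constructed sample requests: (peer address seen on the wire, request headers)
SAMPLE_REQUESTS = [
    ("10.1.1.5",     {"X-Forwarded-For": "203.0.113.7, 10.1.1.9"}),
    ("198.51.100.4", {"X-Forwarded-For": "10.0.0.1"}),              # header from an untrusted peer
    ("10.1.1.5",     {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}),  # client-supplied left-most value
    ("10.1.1.5",     {"True-Client-IP": "192.0.2.10",
                      "X-Forwarded-For": "203.0.113.7"}),           # True-Client-IP takes precedence
    ("10.1.1.5",     {"X-Forwarded-For": "unknown, 10.1.1.9"}),     # junk hop voids the header
]


def resolve_samples():
    """Resolve every constructed request; used by the demo below."""
    return [true_client_ip(peer, hdrs, TRUSTED_PROXIES) for peer, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, hdrs), client in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(f"peer={peer:<14} headers={hdrs} -> client={client}")
```

The second sample is the case the "trusted source IPs" setting exists for: a host outside the proxy tier sends an X-Forwarded-For of its own, and the sensor must ignore it, otherwise any client could pick whichever address gets the most permissive access-control rule.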
Safe Search and YouTube EDU enforcement
• Enforce Safe Search using supported search engines
• Can Allow, Block or Block with Reset for unsupported engines
• Utilizes a new Snort preprocessor: the HTTP Header Modification preprocessor
• Safe Search: the action varies depending on the search engine
• YouTube EDU: injects the X-YouTube-Edu-Filter header; a custom ID can be provided
• The HTTP Header Modification preprocessor is the last preprocessor in the Snort preprocessor chain:
  … → AppID → Access Control Rules Engine → … → HTTP → HTTP Header Modification
Safe Search and YouTube EDU configuration
• Customers need to have a YouTube EDU account for this feature to work
• An SSL policy must be configured for either feature to work
• YouTube EDU and Safe Search are enabled by creating an access control policy rule; you cannot enable both in the same rule
• The SSL policy must be configured to re-sign the certificate for YouTube and for the supported search engines (re-signing only works if the clients trust the signing CA)
• The YouTube rule must come first, because YouTube is itself a supported Safe Search engine
• The ClientHello feature, also introduced in 6.1, must be enabled (it is on by default)
Active authentication enhancements
• Kerberos authentication is now supported in 6.1
• Guest access:
  • Before 6.1, guest policies could be provided to users that failed authentication
  • With 6.1, there is a new button on the portal page that allows a user to choose guest access without trying to authenticate
VDI Identity
Terminal Server Use Case
• Problem:
  • The IP address is shared among all user sessions logged on to a shared system
  • Only the last logged-in user-to-IP binding is available
  • The NGFW can't apply policies accurately
• Solution:
  • Traffic needs to be identified by source port + IP
  • Needs a dedicated Terminal Server (TS) Agent
  • The TS Agent feeds session bindings to FMC via REST API
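To make the problem and the fix concrete, here is an added example (not part of the Cisco deck) that puts the pre-6.1 "last login wins" IP-to-user map beside a source-port-aware map of the kind a TS Agent feeds. It assumes, as the slide does not spell out, that each user session on the shared host is allocated a contiguous source-port range; the host address, bindings and flows are constructed for illustration.

```python
"""Added example (not from the Cisco deck): why IP-only user mapping breaks on a
shared terminal server and how source-port-aware session bindings fix it.

Assumptions (not stated on the slide): the TS Agent allocates each user session a
contiguous source-port range on the shared host and reports (ip, port_lo, port_hi,
user); the bindings and flows below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionBinding:
    ip: str
    port_lo: int
    port_hi: int
    user: str


class IpOnlyIdentity:
    """Pre-6.1 behaviour: one user per IP, so the most recent login wins for everyone."""

    def __init__(self):
        self._user_by_ip = {}

    def login(self, ip, user):
        self._user_by_ip[ip] = user

    def lookup(self, src_ip, src_port):
        return self._user_by_ip.get(src_ip)


class PortAwareIdentity:
    """TS Agent model: (ip, source port) resolves to the session that owns that port."""

    def __init__(self):
        self._bindings = {}  # ip -> [SessionBinding]

    def add(self, binding):
        if not (0 < binding.port_lo <= binding.port_hi < 65536):
            raise ValueError("invalid port range")
        for other in self._bindings.get(binding.ip, []):
            # Two sessions must never own the same port, or policy becomes ambiguous.
            if binding.port_lo <= other.port_hi and other.port_lo <= binding.port_hi:
                raise ValueError(f"range {binding.port_lo}-{binding.port_hi} overlaps {other.user}")
        self._bindings.setdefault(binding.ip, []).append(binding)

    def logout(self, ip, user):
        self._bindings[ip] = [b for b in self._bindings.get(ip, []) if b.user != user]

    def lookup(self, src_ip, src_port):
        for b in self._bindings.get(src_ip, []):
            if b.port_lo <= src_port <= b.port_hi:
                return b.user
        return None  # host traffic outside any session range stays unattributed


SHARED_HOST = "10.20.0.50"  # constructed: the terminal server's address

# Constructed sample flows from the shared host: (source port, description)
SAMPLE_FLOWS = [(10042, "alice's browser"), (11500, "bob's browser"), (445, "system service")]


def compare_models():
    """Return {port: (ip-only answer, port-aware answer)} for the sample flows."""
    ip_only = IpOnlyIdentity()
    ip_only.login(SHARED_HOST, "alice")
    ip_only.login(SHARED_HOST, "bob")          # bob's login overwrites alice

    port_aware = PortAwareIdentity()
    port_aware.add(SessionBinding(SHARED_HOST, 10000, 10999, "alice"))
    port_aware.add(SessionBinding(SHARED_HOST, 11000, 11999, "bob"))

    return {port: (ip_only.lookup(SHARED_HOST, port), port_aware.lookup(SHARED_HOST, port))
            for port, _ in SAMPLE_FLOWS}


if __name__ == "__main__":
    results = compare_models()
    for port, desc in SAMPLE_FLOWS:
        ip_only_user, port_aware_user = results[port]
        print(f"{desc:<16} port={port:<6} ip-only={ip_only_user}  port-aware={port_aware_user}")
```

Two details are deliberate: overlapping ranges are rejected when a binding is added, because a port owned by two sessions would let one user inherit the other's policy, and traffic from the host outside every range (the "system service" flow) resolves to no user at all rather than to whoever logged in last.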
Prefilter Policies
• New type of policy called Prefilter policies
• Precedes the access control policy
• Together with the access control policy, allows control of both the tunneled and the tunneling protocol
• Prefilter policies are implemented without involving Snort
• A Prefilter policy is associated with one or more access control policies
Available only on Firepower Threat Defense Software (FTD)
Integration and Infrastructure
ISE remediation via pxGrid
• Ability to register from FMC to ISE's Endpoint Protection Service, providing the ability to quarantine, unquarantine or deactivate ports on endpoints visible to ISE
• ISE 1.3 and 2.0 are supported
[Diagram: FMC, Sensor, ISE, Servicing Router, Client PC and Internet. ISE provides SGTs and Endpoint Profiles to FMC; FMC sends remediation requests (quarantine, un-quarantine) to ISE.]
REST API
• The REST API provides Setup, Monitoring, & Config Programmability APIs for Firepower devices
• Supports FirePOWER appliances, ASA w/ FirePOWER Services and Firepower Threat Defense (limited support)
• Provides the ability to set up Firepower for SDN use cases like Cisco ACI solutions and customer-developed orchestration solutions
API Functions
• Secure API (Token Based Authentication)
• API Explorer/Browser, with Example Code
• Packaged with FMC software, no license required
• For FTD and FTDv, the types of interfaces supported depend on:
  • mode (routed/transparent)
  • form-factor (physical/virtual)
• Register/De-register Device
• Manage Device Group
• Manage Interfaces, Inline Sets, Virtual Switch, Security Zones
• Manage Objects
• Manage Access Control and Access Rules
• Read Intrusion Policy
• Deploy to Device
• Monitor Device Status - Device & Interface Statistics
API Explorer
• Free tool built into the FMC that can be used to exercise the REST API
• Facilitates the creation of Python, Perl, and JavaScript code
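The "Secure API (Token Based Authentication)" bullet is the part an automation script gets wrong most often: the account password should be presented once to mint a token, every later call should carry the token, and the TLS connection to FMC must be verified, since a script that disables certificate checking hands both the password and the token to anyone on the path. The following is an added example, not Cisco's code: the generatetoken path and the X-auth-access-token / X-auth-refresh-token / DOMAIN_UUID response headers are those of the FMC REST API, while the host, credentials, CA file and the canned offline responses are assumptions made for this example.

```python
"""Added example (not Cisco's code): the token-based login the FMC REST API uses,
written with an injectable transport so the flow can be exercised offline.

The generatetoken path and the X-auth-access-token / X-auth-refresh-token /
DOMAIN_UUID response headers are those of the FMC REST API; the host, credentials,
CA file and the canned responses below are assumptions made for this example.
"""
import base64
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"


def build_token_request(host, username, password):
    """Return (url, headers) for the login POST.

    The password travels exactly once, as HTTP Basic over TLS, to mint a token;
    every later call carries the token instead of the credentials.
    """
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"https://{host}{TOKEN_PATH}", {"Authorization": f"Basic {cred}"}


def parse_token_response(status, headers):
    """Extract the session from the login reply; raise on anything but success."""
    if status < 200 or status >= 300:
        raise PermissionError(f"FMC login failed with HTTP {status}")
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        return {
            "access_token": lowered["x-auth-access-token"],
            "refresh_token": lowered["x-auth-refresh-token"],
            "domain_uuid": lowered["domain_uuid"],
        }
    except KeyError as missing:
        raise ValueError(f"login reply lacks header {missing}") from None


def api_headers(session):
    """Headers for subsequent API calls: the access token replaces Basic auth."""
    return {"X-auth-access-token": session["access_token"],
            "Content-Type": "application/json"}


def login(host, username, password, transport):
    """transport(method, url, headers, body) -> (status, response_headers)."""
    url, headers = build_token_request(host, username, password)
    status, resp_headers = transport("POST", url, headers, None)
    return parse_token_response(status, resp_headers)


def urllib_transport(ca_file):
    """A real transport that verifies the FMC certificate against ca_file.

    Disabling verification (a common shortcut in scripts) would hand the Basic
    credentials and the token to anyone who can intercept the connection.
    """
    ctx = ssl.create_default_context(cafile=ca_file)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, dict(resp.headers)
    return send


def fake_transport(status, headers):
    """Offline stand-in that returns a canned reply (constructed for this example)."""
    return lambda method, url, hdrs, body: (status, headers)


if __name__ == "__main__":
    ok = fake_transport(204, {"X-auth-access-token": "constructed-access-token",
                              "X-auth-refresh-token": "constructed-refresh-token",
                              "DOMAIN_UUID": "00000000-0000-0000-0000-000000000001"})
    session = login("fmc.example.net", "apiuser", "example-password", ok)
    print(api_headers(session))
    # Against a live FMC, swap in a verifying transport (assumed CA path):
    # login("fmc.example.net", "apiuser", "example-password", urllib_transport("/etc/pki/fmc-ca.pem"))
```

Keep the returned refresh token alongside the access token: FMC access tokens expire, and the API guide documents the lifetime and the refresh limit, after which a fresh Basic-auth login is required.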
AMP Private Cloud
Firepower 6.1 is capable of using both the AMP Private Cloud and the ThreatGrid Private Cloud
1. Log into your Private Cloud Portal
2. Navigate to Integrations → Defense Center
3. Follow the instructions provided
KVM Support
• FMCv and FTDv are supported on KVM
• Both are functionally equivalent to their VMware counterparts
• Virtio driver support
• FMCv "Graceful Shutdown" allows the FMC to save critical data before shutting down
• Restrictions and Limitations:
  • Nested hypervisors (KVM running on top of VMware/ESXi) are not supported; only bare-metal KVM deployments are supported
  • On-box management is not supported
Available only on Firepower Threat Defense Software (FTD)
Management Specific Features
FMC HA
• Active/Standby deployment
• Manual failover
• Sybase database duplicated
• Both FMC nodes receive events from each sensor
• Policy changes made on the primary are copied over to the secondary
• Supported on FMC 2K, 4K, 3500 and 1500
Integrated Risk Reports
• There are three risk reports: Advanced Malware, Attacks, and Network
• Prior to 6.1 risk reports were generated offline, by Cisco or partners; customers could not create reports
• In 6.1 reports are integrated into the FMC UI
Analysis Tool: Lookup
• The Lookup tool can be used to get:
  • Geolocation for an IP address
  • Whois information for an IP address
• Internet connectivity is required
Firepower Device Manager
• Easily manage individual NGFWs
• Web-based on-box manager
• Simplified and better user experience
• Workflows, diagrams and default configuration options
• Manages Next Generation Firewall software on Cisco ASA 5500-FTD-X models
On-box vs. Off-box Comparison at 6.1
Available only for Firepower Threat Defense Software (FTD). Legend for the original slide's icons: Detailed / Optimized for SMBs / Not Present; NCP = No Current Plan.

Capability                                              | Firepower Management Center (Off-box) | Firepower Device Manager (On-box)
--------------------------------------------------------|---------------------------------------|----------------------------------
NAT & Routing                                           | Detailed                              | Optimized for SMBs
Access Control                                          | Detailed                              | Optimized for SMBs
Intrusion & Malware                                     | Detailed                              | Optimized for SMBs
Device & Events Monitoring                              | Detailed                              | Optimized for SMBs
Site to Site VPN                                        | Detailed                              | Not Present (In Roadmap)
Security Intelligence                                   | Detailed                              | Not Present (In Roadmap)
Other Policies: SSL, Identity, Rate Limiting (QoS) etc. | Detailed                              | Not Present (In Roadmap)
Active/Passive Authentications                          | Detailed                              | Not Present (In Roadmap)
Threat Intelligence & Analytics                         | Detailed                              | Not Present (NCP)
Risk Reports                                            | Detailed                              | Not Present (NCP)
Correlation & Remediation                               | Detailed                              | Not Present (NCP)
Easy Device Setup                                       | (icon not recovered)                  | Optimized for SMBs
Migration
Migration from ASA to FTD
• For 6.1, available as a standalone tool
• Converts ASA configuration to the format (.sfo) that can be imported by FMC
• Migrates ACLs, NAT and Objects
• Scales up to 10K ACLs
• For Partners and Internal use only
• https://cisco.jiveon.com/message/359204 (look out for updates)
Summary
High-Level Feature Comparison: ASA with FirePOWER Services, Firepower Threat Defense
Note: Not an exhaustive list of differences between these offerings.

Feature                                 | Firepower Services for ASA | Firepower Threat Defense | Notes for Firepower Threat Defense
----------------------------------------|----------------------------|--------------------------|-----------------------------------
HA, NAT                                 | ✔                          | ✔                        |
Routing                                 | ✔                          | ✔                        | No EIGRP in 6.1
Unified ASA and Firepower rules/objects | ✘                          | ✔                        |
Local Management                        | ✔                          | ✔                        | Features differ in FDM and ASDM
Multi-Context                           | ✔                          | ✘                        |
Clustering                              | ✔                          | ✘                        |
VPN                                     | ✔                          | ✔                        | Site-to-Site VPN in 6.1
Hypervisor Support                      | ✘                          | ✔                        | AWS, VMware; KVM in 6.1
Smart Licensing support                 | ✘                          | ✔                        |
What Firepower 6.1 Brings Us

Capability                          | Firepower Threat Defense | Palo Alto Networks | Differences/Detail
------------------------------------|--------------------------|--------------------|-----------------------------------------------------
Visibility & Control                | ✔                        | ✔                  |
NGIPS                               | ✔                        | ✘                  | Palo Alto lacks packet logging, analysis, automation
Reputation based proactive protection | ✔                      | ✔                  | Palo Alto has limited reputation capability
Advanced Malware                    | ✔                        | ✔                  | Palo Alto has no retrospective remediation/forensic detail
Central Management                  | ✔                        | ✔                  |
HA                                  | ✔                        | ✔                  | Palo Alto has active/active
SSL Decryption                      | ✔                        | ✔                  | Both are in software
VPN                                 | ✔                        | ✔                  | Site-to-site delivered. RA in roadmap.
Multi-Context / Virtual Firewalls   | ✘                        | ✔                  | In roadmap
Rate Limiting                       | ✔                        | ✔                  |
Local Management                    | ✔                        | ✔                  |
Thank You