Deploying Next Generation Firewall with ASA and Firepower services
Dragan Novaković
Security Consulting Systems Engineer
March 2015
Threat Landscape Demands more than Application Control
•  60% of data is stolen in hours
•  54% of breaches remain undiscovered for months
•  100% of companies connect to domains that host malicious files or services
It is a community that hides in plain sight, avoids detection and attacks swiftly
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
‘Defense-in-Depth’ Security Alone Is Not Enough
•  Siloed approach: increased complexity and reduced effectiveness
•  Poor visibility: undetected multivector and advanced threats
•  Manual and static: slow, manual, inefficient response
Why?
The Configuration Problem
•  Poor awareness of the true operational environment
•  Changes to the environment that require configuration/posture changes go unrecognized
•  Detection content unavailable
•  0-day
•  No anomaly detection mechanisms in place
The Organizational Problem
•  False positive rates too high
•  Operator overload due to a mass of equally meaningless events that must be contextualized
•  Frequently technologies are deployed but not properly operationalized
•  Check-box security
•  In 2014, the average cost of an organizational data breach was US$3.5 million (Source: The Ponemon Institute)
Integrated Threat Defense Across the Attack Continuum
Attack Continuum:
•  BEFORE: Control, Enforce, Harden
•  DURING: Detect, Block, Defend
•  AFTER: Scope, Contain, Remediate
Technologies across the continuum: Firewall/VPN, NGIPS, Advanced Malware Protection, Granular App Control, Security Intelligence, Retrospective Security, Modern Threat Control, Web Security, IoCs/Incident Response
Visibility and Automation
What is Sourcefire?
From a historical perspective
•  Snort Created
•  Created by Martin Roesch in 1998
•  Open source network intrusion system
•  Engine
•  Rules Language
•  Sourcefire Founded
•  Founded in 2001 by Martin Roesch
•  Created a commercial version of Snort
•  Sourcefire acquires Immunet
•  Acquisition completed 2011
•  Advanced Malware Protection
•  ClamAV
•  Cisco acquires Sourcefire
•  Acquisition completed 2013
What is Sourcefire?
From a product perspective
•  Sourcefire IPS/NGFW
•  IPS powered by Snort
•  Includes NGFW features such as URL filtering and Application Visibility and Control
•  Sensors are controlled and monitored by FireSIGHT Defense Center (on premises)
•  AMP for Endpoints
•  Agent installed on each endpoint
•  Endpoints connected to off-premises cloud for hash lookups, sandboxing
•  Managed by FireAMP Console (cloud based)
•  Cisco products
•  Content: ESA, WSA, CWS
•  Network: ASA
Addressing The Configuration Problem
•  Visibility Architecture
•  Collect context about the operational environment continuously, in real time
•  Visibility data is used to recommend configuration of security infrastructure
•  Real-time notifications of change to drive real-time change in security posture
•  Content
•  Rapid development and dissemination of updated detection content is fundamental
•  Vendor
•  Security operations teams
Addressing The Organizational Problem
•  Contextualization
•  Event loads are high due to misconfiguration
•  Even when well tuned, raw events must be contextualized automatically when possible
•  Operationalization
•  That’s your job…
•  Engagement from corporate boards is crucial in setting security priorities and expectations
•  Boards need to know what the cybersecurity risks to the business are and their potential impact
•  CIOs must ask tough questions about security controls that are meaningful to the board and outline the business implications
Introducing Cisco ASA with FirePOWER Services
Industry’s First Threat-Focused NGFW
Proven Cisco ASA firewalling
Industry leading NGIPS and AMP
•  Integrating defense layers helps organizations get the best visibility
•  Enable dynamic controls to automatically adapt
•  Protect against advanced threats across the entire attack continuum
#1 Cisco Security announcement of the year!
Introducing ASA with FirePOWER services
FirePOWER Hardware module:
•  ASA 5585-X SSP-60 (40 Gbps)
•  ASA 5585-X SSP-40
•  ASA 5585-X SSP-20
•  ASA 5585-X SSP-10
FirePOWER Software module (*requires SSD disk):
•  ASA 5555-X
•  ASA 5545-X
•  ASA 5525-X
•  ASA 5515-X
•  ASA 5512-X
Superior Integrated & Multilayered Protection
Cisco ASA: world’s most widely deployed, enterprise-class ASA stateful firewall
•  Clustering & High Availability
•  Network Firewall, Routing | Switching
•  Identity-Policy Control & VPN
FirePOWER Services (Cisco Collective Security Intelligence enabled):
•  Intrusion Prevention (Subscription): industry-leading FirePOWER next-generation IPS (NGIPS)
•  Advanced Malware Protection
•  Application Visibility & Control (Subscription): granular Cisco® Application Visibility and Control (AVC)
•  URL Filtering (Subscription): reputation- and category-based URL filtering
•  FireSIGHT Analytics & Automation
•  Built-in Network Profiling
Visibility Is the Key
Threats hidden in plain sight
Central Management, Intelligence and Context
FireSIGHT Management Centre
•  FireSIGHT (Central Management; processes events)
•  Policy Definition
•  Event Analysis
•  Correlation
•  Network Map (Users, devices, apps, etc)
•  FirePOWER (generates events)
•  Realtime traffic analysis
•  Access Control
•  Passive acquisition
Event types: IPS, Intelligence, File, Malware, Access Control, Flow, Discovery
SecOps Workflows: FireSIGHT Management Center
•  NGFW/NGIPS Management
•  Forensics / Log Management
•  Network AMP / Trajectory
•  Vulnerability Management
•  Incident Control System
•  Adaptive Security Policy
•  Retrospective Analysis
•  Correlated SIEM Eventing
•  Network-Wide / Client Visibility
Visibility Categories: Threats, Users, Web Applications, Application Protocols, File Transfers, Malware, Command & Control Servers, Client Applications, Network Servers, Operating Systems, Routers & Switches, Mobile Devices, Printers, VoIP Phones, Virtual Machines
FireSIGHT Fuels Automation
•  IT Insight: spot rogue hosts, anomalies, policy violations, and more
•  Impact Assessment: threat correlation reduces actionable events by up to 99%
•  Automated Tuning: adjust IPS policies automatically based on network change
•  User Identification: associate users with security and compliance events
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target

Impact Flag | Administrator Action | Why
1 | Act immediately, vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate, potentially vulnerable | Relevant port open or protocol in use, but no vuln mapped
3 | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know, unknown target | Monitored network, but unknown host
0 | Good to know, unknown network | Unmonitored network
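As an added illustration (not FireSIGHT code), the Python below applies the five impact-flag rules from the table to intrusion events, using a constructed network map; the monitored networks, hosts, open ports, vulnerability ids and events are all made up for the example.

```python
"""Impact-flag assignment following the five rules on the impact-assessment slide.
Added example, not FireSIGHT code: the network map, vulnerability ids and events
are all constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: networks the management center is assumed to monitor.
MONITORED_NETWORKS = [ip_network("10.4.0.0/16"), ip_network("10.5.0.0/16")]

@dataclass
class HostProfile:
    """What passive discovery has learned about one host (constructed)."""
    open_ports: set = field(default_factory=set)   # (transport, port) pairs seen open
    protocols: set = field(default_factory=set)    # application protocols seen in use
    vulns: set = field(default_factory=set)        # vulnerability ids mapped to the host

# Constructed network map; "VULN-..." ids are placeholders, not real identifiers.
HOST_MAP = {
    "10.5.11.8": HostProfile({("tcp", 445)}, {"smb"}, {"VULN-SMB-PLACEHOLDER"}),
    "10.5.60.66": HostProfile({("tcp", 445)}, {"smb"}, set()),
    "10.4.10.183": HostProfile({("tcp", 80)}, {"http"}, set()),
}

@dataclass(frozen=True)
class IntrusionEvent:
    dst_ip: str
    transport: str
    dst_port: int
    app_protocol: str
    vuln_refs: frozenset   # vulnerabilities the triggering rule is mapped to

ACTION = {
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}

def impact_flag(ev, host_map=HOST_MAP, networks=MONITORED_NETWORKS):
    """Return the impact flag (1, 2, 3, 4 or 0) for an intrusion event against its target."""
    target = ip_address(ev.dst_ip)
    if not any(target in net for net in networks):
        return 0                      # unmonitored network
    host = host_map.get(ev.dst_ip)
    if host is None:
        return 4                      # monitored network, but unknown host
    if ev.vuln_refs & host.vulns:
        return 1                      # event maps to a vulnerability on this host
    if (ev.transport, ev.dst_port) in host.open_ports or ev.app_protocol in host.protocols:
        return 2                      # relevant port open or protocol in use, no vuln mapped
    return 3                          # relevant port not open and protocol not in use
```

Flags 1 and 2 are the only ones that should reach an analyst's queue; the rest are context, which is where the "up to 99%" reduction in actionable events comes from.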
Cisco FireSIGHT Fuels Automation
Impact Assessment and Recommended Rules Automate Routine Tasks
FireSIGHT : Detecting Anomalies
•  Detects if new application appears or traffic profile changes
•  Identify Hacked Hosts
•  Useful in static environments: Scada, DMZ, MEDTEC...
Reduced Risk and Cost
Example alert: Host has suddenly started to use SSH client and outgoing traffic volume has increased by 3
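The alert on this slide (a host that suddenly uses an SSH client and whose outgoing volume jumps) is the kind of traffic-profile deviation the following added Python example flags; it is not FireSIGHT code, and it goes slightly beyond the slide by also reporting hosts that have no baseline at all. The baseline and the connection records are constructed.

```python
"""Traffic-profile anomaly check modelled on the FireSIGHT anomaly slide: flag a host that
starts using a client application it never used before, or whose outgoing volume jumps by
the given factor. Added example, not FireSIGHT code; baseline and records are constructed."""
from collections import defaultdict

# Constructed baseline per host: client applications seen while profiling and the
# average outgoing bytes per interval.
BASELINE = {
    "10.5.11.8": {"apps": {"firefox", "outlook"}, "out_bytes": 2_000_000},
    "10.3.4.51": {"apps": {"chrome"}, "out_bytes": 500_000},
}

# Constructed connection records for the current interval: (source host, client app, bytes out).
CURRENT = [
    ("10.5.11.8", "firefox", 1_500_000),
    ("10.5.11.8", "ssh", 5_300_000),
    ("10.3.4.51", "chrome", 600_000),
]

def summarize(records):
    """Aggregate the interval: client apps used and outgoing bytes per source host."""
    apps, volume = defaultdict(set), defaultdict(int)
    for src, app, out_bytes in records:
        apps[src].add(app)
        volume[src] += out_bytes
    return apps, volume

def profile_anomalies(records, baseline, volume_factor=3):
    """Return (host, kind, detail) alerts for hosts deviating from their baseline."""
    apps, volume = summarize(records)
    alerts = []
    for host, base in baseline.items():
        for app in sorted(apps[host] - base["apps"]):
            alerts.append((host, "new_app", app))          # e.g. SSH client appears
        ratio = volume[host] / base["out_bytes"]
        if ratio >= volume_factor:
            alerts.append((host, "volume", round(ratio, 1)))  # outgoing volume jump
    # a host with no profile at all deserves a look in a static SCADA/DMZ segment
    for host in sorted(set(apps) - set(baseline)):
        alerts.append((host, "unprofiled_host", None))
    return alerts
```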
FireSIGHT : Automated Responses
•  Use pre-defined or custom script to initiate automatic actions
•  E.g., quarantine device with ISE API
Reduced Risk and Cost
Indications of Compromise (IPS event impact 1, Malware, Communication with BOTNET) trigger QUARANTINE through ISE: change VLAN or SGT
Automated, Integrated Threat Defense
Superior Protection for Entire Attack Continuum
•  Context and Threat Correlation: Impact Assessment ranks events as Priority 1, Priority 2, Priority 3
•  Dynamic Security Control: Adapt Policy to Risks
•  Multi-vector Correlation: Early Warning for Advanced Threats (Host A: 5 IoCs across Admin Request, Mail, PDF; Host B: 3 IoCs; Host C)
•  Retrospective Security: Shrink Time between Detection and Cure
OpenAppID – First OSS Application and Control
•  OpenAppID Language Documentation
o  Accelerate the identification and protection for new cloud-delivered applications
•  Special Snort engine with OpenAppID preprocessor
o  Detect apps on network
o  Report usage stats
o  Block apps by policy
o  Snort rule language extensions to enable app specification
o  Append ‘App Name’ to IPS events
•  Library of Open App ID Detectors
o  Over 1000 new detectors to use with Snort preprocessor
o  Extendable sample detectors
Available now at Snort.org
Reduced Cost and Complexity
•  Multilayered protection in a single device
•  Highly scalable
•  Automates security tasks
–  Impact assessment
–  Policy tuning
–  User identification
•  Integrates with third-party security solutions
Annual Costs of IPS Maintenance
Task | Typical IPS | Next-Generation IPS
Impact Assessment of IPS Events | $144,000 | $24,300
IPS Tuning | $72,000 | $18,000
Linking IPS Events to Users | $59,400 | $3,000
Cisco’s FirePOWER Next-Generation IPS collectively saves this customer $230,100 per year
Indications of Compromise (IoCs)
Event sources: IPS Events, SI Events, Malware Events
IoC categories: Malware Backdoors, Connections to Known CnC IPs, Malware Detections, Exploit Kits, Office/PDF/Java Compromises, Web App Attacks, Malware Executions, CnC Connections, Dropper Infections, Admin Privilege Escalations
AMP Provides Continuous Retrospective Security
[Figure: Breadth of Control Points (WWW, Email, Endpoints, Web, IPS, Devices, Network); Telemetry Stream; Continuous Analysis over File Fingerprint and Metadata, File and Network I/O, Process Information; Continuous Feed]
The Cisco Collective Security Intelligence Cloud
•  An unknown file is present on IP: 10.4.10.183, having been downloaded from Firefox
•  At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP: 10.5.11.8
•  Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application
•  The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later
•  The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately
•  At the same time, a device with the FireAMP connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware
•  8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked
Sample Solution Architecture with Management
•  FireSIGHT Management Center: Configuration (policy), File Trajectory, AMP Events, Correlation; Link to AMP Public Cloud for Endpoint Connector Events
•  Cisco Security Manager or ASDM
•  ASA Cluster with FirePOWER Services: File Submitted for Dynamic Analysis to the VRT Dynamic Analysis Cloud
•  File Disposition queried against AMP Cloud (SHA256, Spero)
•  Endpoint Connectors: Manual Dynamic Analysis for Endpoint Connectors
ASA FirePOWER Services Packet Flow
1. Receive PKT
2. Ingress Interface
3. Existing Conn? YES: continue at step 6; NO: step 4
4. ACL Permit? NO: DROP
5. Match Xlate? NO: DROP
6. Inspections / sec checks? NO: DROP; YES: hand the packet to SFR (the FirePOWER Services module); if SFR says YES, continue
7. NAT IP Header
8. L3 Route? NO: DROP
9. Egress Interface
10. L2 Addr? NO: DROP
11. XMIT PKT
ASA FirePOWER Functional Distribution
FirePOWER® Services Module: URL Category/Reputation, NGIPS, Application Visibility and Control, File Type Filtering, Advanced Malware Protection, File Capture
ASA Module: TCP Normalization, NAT, TCP Intercept, Routing, IP Option Inspection, ACL, IP Fragmentation, VPN Termination, Botnet Traffic Filter
FireSIGHT Management Center Appliances
Model | Max. Devices Managed* | Event Storage | Max. Network Map (hosts / users) | Events per Sec (EPS)
Virtual | Up to 25 | | |
750 | 10 | 100 GB | 2K/2K | 2000
1500 | 35 | 125 GB | 50K/50K | 6000
2000 (New) | 70 | 1.8 TB | 150K/150K | 12000
3500 | 150 | 400 GB | 300K/300K | 10000
4000 (New) | 300 | 4.8/6.3 TB | 600K/600K | 20000
* Max number of devices is dependent upon sensor type and event rate
Virtual FireSIGHT Management Center (New): Up to 2 or 10 Managed Devices - Promotional PIDs FS-VMW-2-SW-K9, FS-VMW-10-SW-K9
Collective Security Intelligence
Cisco Talos (Talos Security Intelligence and Research Group) delivers: Malware Protection, Reputation Feeds, Vulnerability Database Updates, IPS Rules
Built on: Sandboxing, Machine Learning, Big Data Infrastructure
Sources: Private and Public Threat Feeds, Sandnets, File Samples (>1.1 Million per Day), Advanced Microsoft and Industry Disclosures, FireAMP™ Community, SPARK Program, Honeypots, Snort and ClamAV Open Source Communities, Sourcefire AEGIS™ Program
Robust Partner Ecosystem
Combined API Framework
•  BEFORE: Policy and Control
•  DURING: Identification and Block
•  AFTER: Analysis and Remediation
Partner categories: Vulnerability Management, Full Packet Capture, Custom Detection, Network Access Taps, Visualization, Infrastructure & Mobility, Incident Response, NAC, SIEM
Only Cisco Delivers
•  Unmatched Visibility: Global Intelligence With the Right Context
•  Consistent Control: Consistent Policies Across the Network and Data Center
•  Advanced Threat Protection: Detects and Stops Advanced Threats
•  Complexity Reduction: Fits and Adapts to Changing Business Models
Cisco ASA with FirePOWER Services
A New, Adaptive, Threat-Focused NGFW
•  Integrated Threat Defense: best-in-class, multilayered protection in a single device
•  Superior Visibility: full contextual awareness to eliminate gaps
•  Automation: simplified operations and dynamic response and remediation
Thank you.