Fire Jumper Academy Stage 2
Cisco Secure Firewall Product Overview
February 2022

Table of contents
1 Overview
2 Secure Firewall Platforms
3 Secure Firewall Threat Defense (FTD)
4 Consistent Policy and Visibility
5 Secure Firewall Management Center (FMC)
6 Secure Firewall Device Manager (FDM)
7 Cisco Defense Orchestrator (CDO)
8 Security Analytics and Logging
9 Secure Firewall ASA
10 Integrated Security Portfolio
11 Talos
12 Secure Firewall and Secure Workload
13 SecureX
14 Migrating from ASA to FTD
15 Use Cases
16 Small Business Edition

Overview

Brand Naming Changes
Further Cisco Security Brand Details
Former name                                  Current name
Firepower Management Center (FMC)            Cisco Secure Firewall Management Center (FMC)
Firepower Threat Defense (FTD)               Cisco Secure Firewall Threat Defense (FTD)
Adaptive Security Appliance (ASA)            Cisco Secure Firewall ASA
Firepower Threat Defense Virtual / NGFWv     Cisco Secure Firewall Threat Defense Virtual (FTDv)

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information

Traditional Network Security
• One control point for all traffic: a single firewall at the network edge, between the public internet and the data center
• Internal traffic was considered trustworthy, and external traffic was untrustworthy

The New Reality
A one-size-fits-all approach has proved ineffective in today’s landscape
• Single control point is not adequate: every environment needs its own micro-perimeter
• Management complexity: NetSec and IT use dozens of point products, each with its own management console
• Evolving form factor: the single control point is replaced by multiple firewalls, both physical and virtual
• Policy sprawl: harmonizing policies across micro-perimeters is challenging
• Evolving threat landscape: security products need a continuous feed of threat intelligence to stay ahead of attackers

Firewall Validated Use Cases
Where can Cisco help?
• Internet Edge
• Data Center
• Branch
• Cloud/Virtual
• Secure IPS
• Remote Access VPN

Why Cisco Secure Firewall?
• World-class security controls: protect your workloads with a complete portfolio of firewall solutions, backed by industry-leading threat intelligence
• Consistent policy and visibility: streamline security policy and device management across your extended network and accelerate key security operations
• Integrated security portfolio: extend network security beyond the firewall with malware protection, identity-based routing, multi-factor authentication, and more

Cisco’s Comprehensive Security Portfolio
Grouped under the three pillars above (world-class security controls, consistent policies and visibility, integrated security portfolio):
• Secure Firewall Threat Defense
• Secure Firewall ASA
• Talos
• SecureX threat response
• Secure Network Analytics
• Secure Firewall Management Center
• Secure Firewall Device Manager
• Cisco Defense Orchestrator
• Secure Access by Duo
• Secure Endpoint
• TrustSec
• Cisco Identity Services Engine
• Rapid Threat Containment
• Application Centric Infrastructure

World-Class Security Controls
Need: improve encrypted traffic performance and detect more sophisticated threats with a complete line of firewall solutions.
Cisco offering:
• Stop more threats: contain known and unknown malware with Cisco Advanced Malware Protection and sandboxing (Secure Malware Analytics)
• Prioritize threats: gain superior visibility into your environment; automate risk rankings and impact flags to quickly identify priorities
• Detect earlier, act faster: Talos threat intelligence underpins the entire Cisco Secure ecosystem; if you own a Cisco Secure product, you’re harnessing the power of Talos

Additional Secure Firewall Resources
• Secure Firewall Release 7.1 Overview
• Secure Firewall Cloud Native TDM
• Secure Firewall YouTube channel
• Secure Firewall GitHub repository – cs.co/sfGitHub
• Secure Firewall DevNet portal – cs.co/sfDevNet
• Secure Firewall AppID portal – appid.cisco.com
• Previous release overview presentation under Features > Release Overviews
• Additional Secure Firewall content: https://cs.co/netsec-portal

Secure Firewall Platforms

Secure Firewall Portfolio
Check out the Small Business Edition offering!
Segments, from smallest to largest: SOHO/SMB, Branch Office, Mid-Size Enterprise, Large Enterprise, Data Center, Service Provider
Platform                                         Throughput (AVC / AVC+IPS)
FPR 1010                                         650 Mbps / 650 Mbps
ASA 5508/5516                                    650 Mbps / 650 Mbps
FPR 1120/1140/1150                               1.5–3 Gbps / 1.5–3 Gbps
FPR 2110/2120/2130/2140                          2–8.5 Gbps / 2–8.5 Gbps
FPR 4110/4120/4140/4150, 4112/4115/4125/4145     Stand-alone device: 12–53 Gbps / 10–47 Gbps
                                                 Six-node cluster: up to 254 Gbps / up to 226 Gbps
FPR 9300 Series (SM-24/36/44, SM-40/48/56)       One module: 30–70 Gbps / 24–64 Gbps
                                                 Six-node (two-chassis) cluster: up to 336 Gbps / up to 307 Gbps

What’s New? – Firewall Virtual Platforms
Private cloud and public cloud:
• FMCv and FTDv
• ESXi 7.0 support
• Support for Cisco HyperFlex, Nutanix Enterprise Cloud, OpenStack
• ASAc Docker containers
• Azure Application Insights for FTD metrics
• FMCv/FTDv and ASAv on Google Cloud Platform and Oracle Cloud Infrastructure

Smart Licensing Performance Tiers
• 7.0: evaluation mode and Smart License performance tiers
• The current perpetual BASE license moves to a subscription model
Performance tier   Device specification   Rate limit   RA VPN session limit
FTDv5              4 cores / 8 GB         100 Mbps     50
FTDv10             4 cores / 8 GB         1 Gbps       250
FTDv20             4 cores / 8 GB         3 Gbps       250
FTDv30             8 cores / 16 GB        5 Gbps       250
FTDv50             12 cores / 24 GB       10 Gbps      750
FTDv100            16 cores / 32 GB       20 Gbps      10000

Enabling the Cloud Transition: Secure Firewall Cloud Native
• Easily deliver firewall services with massive scale and resiliency in cloud environments
• Highly scalable and elastic firewall for edge use cases – RA VPN, DC backhaul, mobility carriers, MSP/MSSPs
• Developer-friendly elastic firewall for Kubernetes-based environments
• Insert security controls next to application containers
(Figure: an application cluster of microservices – web server, database and image processing pods – beside a firewall cluster of VPN service, threat defense, access control and malware protection pods)

Firepower Hardware Update
As the threat landscape evolves, our firewall portfolio does too. Gain more features and better performance at the same or lower price point.
• Better performance: up to 3.5x boost in firewall throughput, up to 5x boost in VPN throughput
• More connections: up to 2x more connections per second (CPS)
• Improved encrypted traffic throughput: up to 3x boost in encrypted traffic performance

Firepower 1000 Series
Small business and branch office security with superior price/performance
Firepower 1010
• High-performance desktop firewall
• PoE; 8 x 10/100/1000Base-T RJ45 switching ports
• Stateful firewall, AVC, NGIPS, AMP, URL filtering
• 650 Mbps firewall throughput
Firepower 1120/1140/1150
• High-performance rackmount firewall
• 8 x 10/100/1000Base-T RJ45 switching ports, 4 x 1000Base-F SFP switching ports, 2 x 1/10 Gbps SFP+ (1150)
• Stateful firewall, AVC, NGIPS, AMP, URL filtering
• Firewall throughput: 1120 – 1.5 Gbps, 1140 – 2.2 Gbps, 1150 – 3 Gbps

Firepower 4100 Series
Enterprise and data center security with exceptional price/performance
• Four new appliance models: 4112*, 4115, 4125, 4145 – up to 47 Gbps firewall throughput**
• Up to 50% performance improvement over previous models
• Up to 44% higher TLS performance
• Supported software releases: FTD 6.4+ (including multi-instance), ASA 9.12.1+, FXOS 2.6.1+
* 4112 requires FXOS 2.8.1 and FTD 6.6 or ASA 9.14.1
** 1024-byte packets, FW+AVC+IPS

Firepower 9300 Service Modules
• Three new 9300 SM models: SM-40, SM-48, SM-56 – up to 153 Gbps firewall throughput*
• Up to 80% performance boost over the previous-generation SMs
• Up to 33% higher TLS performance
• Supported software releases: FTD 6.4+ (including multi-instance), ASA 9.12.1+, FXOS 2.6.1+
* 1024-byte packets, FW+AVC+IPS

FMC Virtual 300
• Up to 300 managed devices
• CPU: 2 x 8 cores; memory: 64 GB; hard disk: 2.2 TB
• Migrate easily from one FMC model to another
• High availability for on-prem, AWS and OCI clouds – 7.1 or higher
• Supported software releases: FTD 6.5 or higher (including multi-instance), FMC 6.5 or higher

Multi-Instance Expands Deployment Options
• Install multiple FTD logical devices on a single module or appliance
• Container architecture: instance failure does not affect other instances
• Allows tenant management separation and independent instance upgrade
• Supports HA between identical instances on different physical devices
• Example: 54 instances on a FPR9300 chassis with 3 x SM-56 modules
• NEW: improved crypto acceleration in hardware
(Figure: two Firepower 9300/4100 service modules; FTD instance A runs active on one and standby on the other over an HA/state link, while instances B and C run standalone; data interfaces Ethernet 1/1.10 and Port-channel 11.11 are presented through each chassis MIO)

Clustering
Drive high return on investment while maintaining high availability
• Combine multiple devices to make a single scalable logical device
• Scale as you grow: scale throughput, concurrent and new connections
• Can span multiple data centers
• N+1 resilience
• Handles asymmetric traffic seamlessly
• Example: six-node cluster created by 2 x FPR9300 fully loaded chassis (with SM-56): 336 Gbps AVC, 307 Gbps AVC+IPS
(Figure: FTD cluster attached to vPC switch pairs)

Multi-Site Data Center
• North-South insertion with LISP inspection and owner reassignment
• East-West insertion for first-hop redundancy with VM mobility
• The cluster control link (CCL) is fully extended between DCs at L2 with <10 ms latency
• Local vPC/VSS pairs at each site; a single spanned EtherChannel for data on the cluster side; a local data EtherChannel on each vPC/VSS switch pair
• Data VLANs are not extended for North-South insertion; for East-West, filtering is required to avoid loops and MAC/IP conflicts

Secure Firewall Threat Defense

What is Secure Firewall Threat Defense (FTD)?
Delivers nearly 100% efficacy on blocking malicious flows and guards the network against threats
Key benefits:
• Tenant management separation
• Scale as you grow
• Impact analysis
• Prioritize administration
Features:
• Firewall
• Intrusion prevention
• Integrated TLS decryption
• VPN
• Cisco Threat Intelligence Director
• Malware continuous analysis with retrospection

Interim Release 7.1 Highlights
Snort 3:
• Elephant flow visibility
• Encrypted Visibility Engine
• Intrusion rule recommendations
• Additional rule actions
VPN management:
• Unique local tunnel ID for IKEv2
• AnyConnect native browser support
• RA VPN multiple trustpoints in SAML IdP
• Copy RA VPN access config on FMC
• Site-to-site VPN enhancements
Public cloud:
• Additional instance type support in AWS, Azure
• FMCv HA and FMCv300 in AWS and OCI
• Geneve AWS proxy support
• Automated FTDv horizontal scaling in OCI
• AWS CloudWatch health monitoring integration
Firewall Policy
Powered by Talos and OpenAppID: control traffic based on IP, URL, FQDN, or application
• Security Intelligence (URL | IP | DNS feeds): block the latest malicious IPs, URLs and FQDNs
• Category-based policy creation with Allow, Warn and Block actions
• DNS sinkhole
• AVC with OpenAppID: identify and control over 4,000 pre-defined apps
• AVC with OpenAppID: easily create custom application detectors
• URL categories: classify 280M+ URLs using 80+ categories

Secure IPS
Reduce the noise/volume of events and prioritize administration
• Powered by Snort 3 – best-of-breed, open source IPS
• The firewall brings the power of context to IPS: the impact of IPS events can be deduced, and firewall recommendations can tune the IPS
Impact flag   Administrator action                        Why
1             Act immediately, Vulnerable                 Event corresponds to a vulnerability mapped to the host
2             Investigate, Potentially Vulnerable         Relevant port open or protocol in use, but no vulnerability mapped
3             Good to know, Currently Not Vulnerable      Relevant port not open or protocol not in use
4             Good to know, Unknown Target                Monitored network but unknown host
0             Good to know, Unknown Network               Unmonitored network

Snort 2 vs. Snort 3
Snort 3 adds:
• Multi-threaded architecture: capable of running multiple Snort processes
• Port-independent protocol inspection
• IPS accelerators / Hyperscan support
• Modularity – easier Talos contributions
• Scalable memory allocation
• Next-gen Talos rules – e.g. regex, rule options, sticky buffers
• New and improved HTTP inspector – e.g. HTTP/2 support
• Lightweight content updates from Talos
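The impact-flag table above is a decision procedure: the firewall joins each intrusion event with what network discovery knows about the target. The Python below is an added illustration of that procedure written for this page; it is not Cisco code and does not reproduce FMC internals. The monitored networks, host profiles, vulnerability IDs ("example-vuln-1" and similar) and events are all constructed placeholders.

```python
import ipaddress

# Impact flags as defined in the table above (FMC labels).
IMPACT_FLAGS = {
    1: "Act immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to know, Currently Not Vulnerable",
    4: "Good to know, Unknown Target",
    0: "Good to know, Unknown Network",
}

# Constructed stand-in for the network discovery policy (which ranges are monitored).
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("172.16.0.0/12")]

# Constructed stand-in for host profiles learned by network discovery.
# Vulnerability IDs are hypothetical placeholders, not real identifiers.
HOST_PROFILES = {
    "10.0.1.14": {"open_ports": {("tcp", 445), ("tcp", 3389)},
                  "protocols": {"tcp", "udp"},
                  "vulns": {"example-vuln-1", "example-vuln-2"}},
    "10.0.1.20": {"open_ports": {("tcp", 8000)},
                  "protocols": {"tcp"},
                  "vulns": set()},
}


def impact_flag(event, host_profiles=HOST_PROFILES, monitored=MONITORED_NETWORKS):
    """Apply the impact-flag rules from the table to one intrusion event.

    event: {"dst_ip", "proto", "dst_port" (tcp/udp only), "rule_vulns"}
    rule_vulns is the set of vulnerability IDs the triggering rule references.
    """
    dst = ipaddress.ip_address(event["dst_ip"])
    if not any(dst in net for net in monitored):
        return 0                                    # unmonitored network
    host = host_profiles.get(event["dst_ip"])
    if host is None:
        return 4                                    # monitored, but host never discovered
    if set(event.get("rule_vulns", ())) & host["vulns"]:
        return 1                                    # rule's vulnerability is mapped to the host
    proto = event["proto"]
    if proto in ("tcp", "udp"):
        exposed = (proto, event["dst_port"]) in host["open_ports"]
    else:
        exposed = proto in host["protocols"]        # e.g. icmp: is the protocol in use at all?
    return 2 if exposed else 3


def prioritize(events, **kw):
    """Return (flag, event_id) pairs, most urgent first; flag 0 sorts last."""
    scored = [(impact_flag(e, **kw), e["id"]) for e in events]
    return sorted(scored, key=lambda fe: (fe[0] == 0, fe[0], fe[1]))


# Constructed sample events (not captured data).
SAMPLE_EVENTS = [
    {"id": "e1", "dst_ip": "10.0.1.14", "proto": "tcp", "dst_port": 445, "rule_vulns": {"example-vuln-1"}},
    {"id": "e2", "dst_ip": "10.0.1.14", "proto": "tcp", "dst_port": 3389, "rule_vulns": {"example-vuln-9"}},
    {"id": "e3", "dst_ip": "10.0.1.14", "proto": "tcp", "dst_port": 22, "rule_vulns": set()},
    {"id": "e4", "dst_ip": "10.0.1.20", "proto": "icmp", "rule_vulns": set()},
    {"id": "e5", "dst_ip": "10.0.1.99", "proto": "tcp", "dst_port": 80, "rule_vulns": set()},
    {"id": "e6", "dst_ip": "203.0.113.5", "proto": "tcp", "dst_port": 80, "rule_vulns": set()},
]

if __name__ == "__main__":
    for flag, eid in prioritize(SAMPLE_EVENTS):
        print(f"{eid}: impact {flag} - {IMPACT_FLAGS[flag]}")
```

The point a practitioner should take from running it: the same signature (e2 and e3 hit the same host) lands on different flags purely because of host context, which is why the deck stresses keeping network discovery and third-party vulnerability imports current.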
Correlate Host Profile and IPS
Drive impact analysis and rule recommendations
(Screenshot: host profile correlated with intrusion events)

Cisco Threat Intelligence Director (CTID)
Support of open integration
• Extend Talos Security Intelligence with third-party cyber threat intelligence
• Parse and operationalize simple and complex threat indicators
Flow: FMC ingests third-party cyber threat intelligence (CTI) → FMC publishes observables to FTD → FTD blocks or monitors and reports observables → FMC detects incidents

Indications of Compromise (IoCs)
• IPS events: malware backdoors, web app attacks, exploit kits, admin privilege escalations
• Security Intelligence events: connections to known CnC IPs, DNS servers, suspect URLs
• Malware events: malware detections, malware executions, Office/PDF/Java compromises, dropper infections

IoCs Facilitate Remediation
Facilitate understanding and remediation to reduce impact
• Identifies compromised and potentially compromised systems
• Take automatic action through Cisco Rapid Threat Containment
(Screenshot: Indications of Compromise dashboard, Hosts by Indication)

Integrated TLS Decryption
Finds encrypted threats while reducing performance impact
• TLS hardware acceleration delivers high-performance inspection of encrypted traffic
• Centralized enforcement of TLS certificate policies – examples: blocking self-signed encrypted traffic, specified TLS versions, cipher suites
• Decrypt traffic in hardware or software; inspect deciphered packets; track and log all TLS sessions
(Figure: encrypted traffic enters the TLS decryption engine; deciphered flows go to the firewall/NGIPS and AVC for enforcement decisions, e.g. goodsite.com allowed and badsite.com blocked under the gambling and illicit categories, with every session logged)

Fast App and URL Actions with TLS 1.3
• AVC, URL and decryption policy decisions are made on the pre-1.3 TLS header; in TLS 1.3 the certificate Common Name and Subject Alternative Names are encrypted
• The Server Name Indication (SNI) in the ClientHello is cleartext, but spoofable
• TLS Server Identity Discovery without decryption, since FTD 6.7:
  1. The client sends a TLS 1.3 ClientHello
  2. FTD opens a sidecar TLS 1.2 connection to identify the server, caches the result and makes the policy decision
  3. If permitted without TLS decryption, FTD passes the original ClientHello and disengages; if permitted with TLS decryption, it engages the TLS proxy and generates a new ClientHello
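To make the TLS 1.3 slide concrete, the following added example (written for this page, not Cisco code, and not a description of how FTD is implemented) builds a minimal ClientHello and then parses it the way an inline device must: reading only the cleartext fields. It shows that the SNI and the offered versions are visible without any decryption, and that when TLS 1.3 is offered the SNI is the only identity hint available, because the server certificate that a pre-1.3 ServerHello would expose is now encrypted. The SNI is whatever the client put there and nothing has verified it, which is exactly why the slide describes a sidecar TLS 1.2 connection to learn the real server identity. The hostnames, the fixed client random and the single cipher suite are constructed values.

```python
import struct

TLS12, TLS13 = 0x0303, 0x0304
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0, 43


def build_client_hello(sni: str, supported_versions) -> bytes:
    """Assemble a minimal ClientHello record. Constructed sample, not a capture."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # host_name entry
    sni_ext = struct.pack("!H", len(entry)) + entry                    # server_name_list
    vers = b"".join(struct.pack("!H", v) for v in supported_versions)
    sv_ext = bytes([len(vers)]) + vers                                 # supported_versions
    exts = (struct.pack("!HH", EXT_SNI, len(sni_ext)) + sni_ext
            + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_ext)) + sv_ext)
    body = (struct.pack("!H", TLS12)            # legacy_version is 0x0303 even for TLS 1.3
            + b"\x11" * 32                      # client random (fixed for determinism)
            + b"\x00"                           # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # handshake type 1
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs          # record type 22


def parse_client_hello(record: bytes) -> dict:
    """Pull out what an inline device can read before any decryption."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                       # legacy_version + random
    pos += 1 + body[pos]                               # legacy_session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    info = {"sni": None, "supported_versions": []}
    if pos >= len(body):
        return info                                    # no extensions at all
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == EXT_SNI:
            p = 2                                      # skip server_name_list length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack_from("!H", data, p + 1)[0]
                if ntype == 0:                         # host_name
                    info["sni"] = data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        elif etype == EXT_SUPPORTED_VERSIONS and data:
            count = data[0] // 2
            info["supported_versions"] = [struct.unpack_from("!H", data, 1 + 2 * i)[0]
                                          for i in range(count)]
    return info


def needs_sidecar(info: dict) -> bool:
    """TLS 1.3 offered: the server certificate will arrive encrypted, so the only
    cleartext identity hint is the SNI, which the client chose and nobody verified."""
    return TLS13 in info["supported_versions"]


if __name__ == "__main__":
    for sni, vers in (("www.goodsite.com", [TLS13, TLS12]), ("www.badsite.com", [TLS12])):
        info = parse_client_hello(build_client_hello(sni, vers))
        print(sni, info, "identity needs sidecar or decryption" if needs_sidecar(info)
              else "certificate visible in the server's reply")
```

Because the SNI is client-supplied, a policy that allows or blocks on it alone can be steered by a client that simply lies in the ClientHello; the slide's step 2 (a separate TLS 1.2 probe to the real server, with the result cached) is what turns the hint into an authenticated identity.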
Encrypted Visibility Engine
• Experimental feature in release 7.1
• Uses machine learning to determine the application (client process) that generated the ClientHello packet
• Identifies known processes and browsers
• Identifies malware based on Secure Malware Analytics fingerprints

Site-to-Site VPN
Easily and securely interconnect remote sites
• IKEv1/IKEv2 policy-based VPN
• Easy topology-based management of VPN on multiple peers: point-to-point, hub and spoke, full mesh
• Flexible authentication options – pre-shared key (automatic) and certificates
(Figure: point-to-point between FTD peers, hub-and-spoke with FTD or a router as hub, and full mesh including a third-party device)

Remote Access VPN
Provide ubiquitous secure access from remote and roaming users
• Posture assessment
• Uses TLS, DTLS or IKEv2 with AnyConnect
• Easy wizard-based configuration
• Identity-based security policies
• Enhanced security with 2FA/MFA provided by Secure Access (Duo)
• Passwordless authentication
Extend access remotely; protect important data; maintain application performance; support multiple sites

Consistent Policy and Visibility

Consistent Policy and Visibility
Need: stronger security policy management practices that can effectively protect the business at scale
Cisco offering:
• Maintain consistent policies: write a policy once and scale enforcement consistently across tens of thousands of security controls throughout your network
• Reduce complexity: get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS, and AMP
• Accelerate key security operations functions: leverage existing resources and make the team more efficient by removing manual processes; access security patches and new features faster by completing software image upgrades in just a few clicks

Management Designed for the User
• Flexibility of cloud or on-premises options
• Security integrations
• Common APIs
The three managers coexist:
• Firewall Management Center (FMC): on-premises centralized manager, SecOps focused
• Cisco Defense Orchestrator (CDO): cloud-based centralized manager, NetOps focused
• Firewall Device Manager (FDM): on-box manager, NetOps focused

Management Platforms: When to Position?
Use case                          Managers of choice   Details
Internet edge                     CDO or FMC           CDO for ease of use and NetOps users; FMC for advanced security analytics; ask your customer about their priority
Enterprise branch                 CDO or FMC           FTD can connect to CDO directly through the data interface; low-touch onboarding
SMB / Small Business Edition      CDO or FDM           FDM or CDO provide greater usability; CDO is recommended for managing multiple firewalls
Data center edge / core           FMC                  FMC supports 4100 and 9300, clustering, TrustSec
Campus fabric                     FMC                  FMC supports 4100 and 9300, clustering, TrustSec
Firewall running in public cloud  FMC                  FMC supports firewalls in AWS and Azure
IPS only                          FMC                  FMC supports all the advanced IPS features and provides a separate interface from the firewall

Secure Firewall Management Center (FMC)

What is Firewall Management Center (FMC)?
On-premises, centralized management for multi-site deployments
Key benefits:
• Manage across many sites
• Control access and set policies
• Investigate incidents
• Prioritize response
• Available in physical and virtual options
Features:
• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration
• Policy and device management
• Endpoint
• Security intelligence

Network Discovery
Provides the right data, at the right time, in the right format
• Discovers applications, users, and hosts through passive analysis of network traffic
• Provides context and helps determine the impact of attacks
• Tunes IPS signature sets to the devices discovered on the network
• Updates host profiles through third-party vulnerability management integration

Policy Management
Reduce complexity of policy maintenance
• Centralized on-premises management across multiple firewall platforms
• Integrates multiple security features into a single access policy
• Reduces manual configuration of policy through inheritance and template use

FMC: Automate Security Response
Reduce the noise and connect the dots
• Correlate security events: a correlation policy contains correlation rules; a rule match produces a correlation event and triggers its actions
• Trigger automated response: email, syslog, SNMP, remediation module
• Integration with Secure Network Access and other Cisco/third-party products
(Figure: 100,000 raw events reduced to 3 correlation events)

Unified Event Viewer
1. Expand rows to view all details
2. True correlation: clicking on an intrusion event highlights the associated connection event

FMC Integrations
Visibility and analytics beyond network discovery
• Close integration of FMC with Secure Endpoint
• Standards-based threat indicators (STIX/TAXII) via Cisco Threat Intelligence Director (CTID)
• Drive down TTR with broad detection and collation: SecureX threat response
• Leverage other Cisco and third-party products to extend visibility: FMC external Cisco lookups
• Leverage SIEMs with Unified Events

Contextual Cross-Launch
Tight integration and pivoting to accelerate threat hunting
1. Right-click on an IP address
2. Select Talos IP lookup
• Pivot directly to the Cisco architecture
• Pivot to third-party tools
• Reduce time to analyze IoCs to drive down TTR
• Reduce complexity of integration

Dynamic Policy Across Multicloud Environments
• Secure Firewall: zone-based segmentation rules; Secure Workload: microsegmentation rules
• Seamless integration: unified segmentation policy across Secure Firewall and Secure Workload
• Dynamic policies: firewall policy updated dynamically based on application communications information
• Expanding to cloud providers: this fall, extending recommendation functionality to AWS and Azure security groups
“Eagerly awaiting this! Integration across our multicloud controls will help drive better security in our distributed environment.” – Global payments and fleet management enterprise

Cisco Secure Dynamic Attributes Connector
Problem: in a dynamic and multicloud world, admins struggle to keep up with ever-changing object IPs as workloads are spun up, spun down and change.
Solution: Cisco provides a programmatic way to create, deploy and maintain dynamic objects.
Benefits: dramatically reduces the admin overhead to keep security policies up to date, and provides on-demand updates without a deploy. Gain confident control of cloud services and other dynamic environments.

Cisco Secure Dynamic Attributes Connector
Integrations:
• AWS instances
• Azure instances
• Azure service tags
• VMware categories and tags managed by vCenter and NSX-T
• Office 365

Cisco Secure Dynamic Attributes Connector
Benefits:
• Sensors immediately see dynamic object changes
• Change without policy deploy
Dynamic attributes filters (connector = vCenter):
Name             Query
LinuxServers     os = 'RHEL 7 (64-bit)' OR os = 'CentOS 7 (64-bit)'
WindowsServers   os = 'MS Windows Server 2016 (64-bit)' AND network='PROD_NETW' AND Power='running'
PoweredOn        Power='running' AND (network='PROD_NETW' OR host='SplunkVM')
Resulting dynamic object mappings pushed to FMC (the consumer) through the REST-based FMC adapter:
LinuxServers     172.16.0.1, 172.16.0.3
WindowsServers   10.0.1.11, 10.0.1.14, 10.0.1.20
Powered-On       10.0.1.14
(Figure: CSDAC connectors for Azure, AWS and vCenter feeding the adapter; example workloads – Finance App, HR App, IT App, HR DB – across Azure, AWS and the private cloud)

Secure Firewall Device Manager (FDM)

What is Secure Firewall Device Manager (FDM)?
On-box manager and API platform
Key benefits:
• Easy set up
• Control access and set policies
• Automate configuration
• Enhanced control
Features:
• Role-based access control
• High availability
• NAT and routing
• Intrusion and malware protection
• Device monitoring
• VPN support
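The Dynamic Attributes Connector slides above show attribute queries (such as `os = 'RHEL 7 (64-bit)' OR os = 'CentOS 7 (64-bit)'`) being turned into IP lists that the firewall consumes without a policy deploy. The example below, added for this page and not Cisco's code, implements that idea end to end: a small parser for the slide's query syntax (attribute = 'value', AND, OR, parentheses), evaluation against a constructed vCenter-style inventory, and a diff of the resulting mappings after one VM changes state, which is the update the connector would push. The inventory, hostnames and the assumption that a VM record carries `ip`, `os`, `network`, `Power` and `host` attributes are all mine; the queries are the slide's, with straight quotes in place of its typographic ones.

```python
import ipaddress
import re

# Tokens: parentheses, '=', single-quoted values, bare identifiers (attribute names or AND/OR).
_TOKEN = re.compile(r"\s*(?:(\()|(\))|(=)|'([^']*)'|([A-Za-z_][A-Za-z0-9_]*))")


def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"bad query near {query[pos:pos + 12]!r}")
        pos = m.end()
        lparen, rparen, eq, value, ident = m.groups()
        if lparen or rparen or eq:
            tokens.append((lparen or rparen or eq, None))
        elif value is not None:
            tokens.append(("value", value))
        elif ident.upper() in ("AND", "OR"):
            tokens.append((ident.upper(), None))
        else:
            tokens.append(("attr", ident))
    return tokens


class _Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    factor := '(' expr ')' | attr '=' value. Produces a predicate over one VM record."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self, kind):
        if self.peek() != kind:
            raise ValueError(f"expected {kind} at token {self.i}")
        self.i += 1
        return self.toks[self.i - 1][1]

    def expr(self):
        pred = self.term()
        while self.peek() == "OR":
            self.take("OR")
            pred = (lambda l, r: lambda vm: l(vm) or r(vm))(pred, self.term())
        return pred

    def term(self):
        pred = self.factor()
        while self.peek() == "AND":
            self.take("AND")
            pred = (lambda l, r: lambda vm: l(vm) and r(vm))(pred, self.factor())
        return pred

    def factor(self):
        if self.peek() == "(":
            self.take("(")
            pred = self.expr()
            self.take(")")
            return pred
        attr, _, value = self.take("attr"), self.take("="), self.take("value")
        return lambda vm: str(vm.get(attr, "")) == value


def compile_query(query):
    parser = _Parser(tokenize(query))
    pred = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in query")
    return pred


def resolve(dynamic_objects, inventory):
    """Map each dynamic object name to the sorted IPs of VMs matching its query."""
    return {name: sorted({vm["ip"] for vm in inventory if compile_query(q)(vm)},
                         key=ipaddress.ip_address)
            for name, q in dynamic_objects.items()}


def diff_mappings(before, after):
    """Per-object added/removed IPs: the delta the connector pushes, no policy deploy."""
    changes = {}
    for name in sorted(set(before) | set(after)):
        old, new = set(before.get(name, ())), set(after.get(name, ()))
        if old != new:
            changes[name] = {"added": sorted(new - old, key=ipaddress.ip_address),
                             "removed": sorted(old - new, key=ipaddress.ip_address)}
    return changes


# Queries from the slide (straight quotes instead of the slide's typographic ones).
DYNAMIC_OBJECTS = {
    "LinuxServers": "os = 'RHEL 7 (64-bit)' OR os = 'CentOS 7 (64-bit)'",
    "WindowsServers": "os = 'MS Windows Server 2016 (64-bit)' AND network='PROD_NETW' AND Power='running'",
    "PoweredOn": "Power='running' AND (network='PROD_NETW' OR host='SplunkVM')",
}

# Constructed vCenter-style inventory (hypothetical hosts; IPs borrowed from the slide's example).
INVENTORY = [
    {"host": "lnx01", "ip": "172.16.0.1", "os": "RHEL 7 (64-bit)", "network": "PROD_NETW", "Power": "running"},
    {"host": "lnx03", "ip": "172.16.0.3", "os": "CentOS 7 (64-bit)", "network": "DEV_NETW", "Power": "stopped"},
    {"host": "win11", "ip": "10.0.1.11", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "Power": "running"},
    {"host": "win14", "ip": "10.0.1.14", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "Power": "running"},
    {"host": "SplunkVM", "ip": "10.0.1.20", "os": "MS Windows Server 2016 (64-bit)", "network": "MGMT_NETW", "Power": "running"},
]


def power_off(inventory, host):
    """Simulate a vCenter attribute change; returns a new inventory, input untouched."""
    return [dict(vm, Power="stopped") if vm["host"] == host else vm for vm in inventory]


if __name__ == "__main__":
    before = resolve(DYNAMIC_OBJECTS, INVENTORY)
    after = resolve(DYNAMIC_OBJECTS, power_off(INVENTORY, "lnx01"))
    print(before)
    print(diff_mappings(before, after))
```

Note what the diff does and does not show: powering off lnx01 removes it from PoweredOn but leaves it in LinuxServers, because that query never looks at power state. A rule that allows traffic to LinuxServers keeps matching an address that may be reassigned, so queries used in allow rules should include the liveness attribute, as the slide's WindowsServers filter does.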
– FDM NEW FTD Release 7.1 • Dyamic DNS support • DHCP relay UI © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 60 Simplified Firewall Management Easy to setup, management, and monitoring Manages Firepower Threat Defense on low-end and mid-range platforms Wizard-based guided workflows Predefined security policies for quick administration Built on FTD Device APIs © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 61 API-First Approach An open, documented management and reporting architecture Achieve operational efficiency • Day 0 Provisioning • Operations, Troubleshooting, Monitoring Integrate with ecosystem FDM and CDO use the FTD APIs Key Features • Day 1-2 Configuration Management Automate complex tasks at scale FTD FDM CDO FTD FDM Everyone can use the APIs for automation Automation Scripts Orchestration Tools: • NSO, DNAC • Ansible, AlgoSec, Tufin FTD FTD © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information TDM 62 Cisco Defense Orchestrator Cisco Defense Orchestrator Overview Consistently manage policies across your cisco security products. CDO is a Cloud-based application that cuts through complexity to save time and keep your organization protected against the latest threats. Key Benefits • Streamline security management • Reduce time spent on security management tasks up to 90% • Achieve better security while reducing complexity • Roaming Users Cloud applications Log Data Policies SD-WAN Prioritize response Features Policy – CDO Visibility and Evening – Secure Analytics Incident response - SecureX On-premises network Branch • Consistent policy enforcement • Faster device deployments • Configuration management © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information Admin Cisco Umbrella Network Data center Users Roaming User 64 What’s New? 
– CDO NEW November 2021 CDO is continually updated, check here for the latest information • CDO Notifications • Webhooks (Webex, Slack etc.), CDO UI, Email • Cisco Secure Firewall Cloud Native Support • CDO managed ASA-Umbrella SIG SASE tunnels • Anyconnect Package Upload from CDO Repository © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 65 Cisco Defense Orchestrator MSP Portal • Use the CDO MSP portal to manage an unlimited number of customer accounts • Easily view and search devices across all customer tenants • Split customers across multiple MSP portals to limit admin access Benefits • • • • • • Low Upfront Cost(s) – Pay As You Grow Minimized Deployment and Adoption Time Central Visibility with the MSP Portal Support for a Multi-Tenant Architecture Audit and Optimize Drive Automation Via API © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 66 Cloud / SaaS Delivery Advantages Highly available, full featured/managed cloud deployment Global • Scalability / Flexibility • Connects to devices using device API with TLS v1.2 • No maintenance • Configuration encrypted at rest and in transit. • Faster feature delivery • CDO data center locations: • AWS – US West • AWS – US East • AWS – EU Central • AWS – APJC • Secures management access using role-based access control with SAML based 2-factor authentication • Allows multi-tenant management – full client separation • Low up-front cost 99.999% SLA Backed Uptime • Responsive to new requirements Provision in <1 day © 2021 Cisco and/or its affiliates. All rights reserved. 
Cisco Partner Confidential Information Subscription pay as you grow model Low maintenance costs 67 Scalable Policy Management Simple, flexible management platform for mixed firewall environment • Policy management at a large scale • • • Templates and macros allow quick creation of configuration across 1000s of devices Single pane migration of ASA to FTD Integrate multiple security features into a single access policy © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 68 Simple and Effective Object Management Provides easy graphical comparison across objects • Object conflict detection allows easy mitigation of unnecessary objects • • • Duplicate Unused Inconsistent • Object analysis reduces configuration bulk © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 69 CDO: Easier Device Management Full lifecycle management of firewalls • Fast device onboarding • Easy bulk image upgrades • Reduce the time it takes to plan and execute upgrades • Capture configuration changes globally using audit log • Quick configuration backup and restore reduces network downtime © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 70 Secure Services Edge Enablement ASA to Umbrella SIG SASE Tunnels • Onboard Umbrella Organization • View, Manage and Create SSE tunnels from Branch ASAs to Umbrella SIG • Ensure consistency by leveraging Cross Launch into Umbrella Dashboard © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 71 Monitor Remote Access VPN Users Visibility into active sessions across a customer's ASA and FTD headends • View all active sessions across a customer's ASA and FTD headends • Filter, search and export the data • Historical Reporting of VPN sessions • Usage patterns • Terminate sessions • Cisco+ Secure Connect Flex (formerly CSMRA) © 2021 Cisco and/or its affiliates. All rights reserved. 
Defense Orchestrator Supported Platforms
Hardware                                                   Minimum software
ASA 5500-X                                                 ASA 8.4 / FTD 6.4
Firepower 1000                                             ASA 9.13 / FTD 6.4 (6.5 for 1150)
Firepower 2100                                             ASA 8.4 / FTD 6.4
Firepower 4100                                             ASA 8.4 / FTD 6.5 (6.6 for 4112)
Firepower 9300                                             ASA 8.4 / FTD 6.5
Virtual – Private Cloud (KVM, VMware)                      ASA 8.4 / FTD 6.4
Virtual – Public Cloud (AWS, Azure, HyperFlex, Nutanix)    ASA 8.4 / FTD 6.5 (Azure), 6.6 (AWS), 7.0 (Nutanix and HyperFlex)
Meraki MX                                                  Latest software update

Cisco Security Analytics and Logging
SAL (SaaS) cloud-hosted features
• Cloud storage 90 days (default) up to 3 years, with viewing and download enabled within CDO
• Supports all Cisco FTD and ASA devices; direct-to-cloud option enabled for FMC 7.0+ managed devices
• Firewall log analysis for advanced threat detections using Secure Cloud Analytics (SCA)
• Correlation of firewall logs with internal network and cloud logs in SCA
• Existing CTR/SecureX customers can opt in to SAL logging easily by merging with their SecureX tenant

CDO: Cisco Security Analytics and Logging
• Reduce complexity and logging event volume
• Store firewall and network logs securely in the cloud, accessible and searchable from CDO
• Identify and enrich high-fidelity alerts
• Enable smarter response and reduce investigation times
• Enhance breach detection capability using best-in-class security analytics
SAL On-Premise Features
• FTD (including data plane logs) and ASA logging in a scalable data store hosted on-premises
• Logging wizard in FMC 7.0+ simplifies on-premises and cloud logging configuration
• FMC 7.0+ logging and analytics scale extended by 300X via remote query of SAL / SNA 7.3.2+
• Context pivot to SAL's event viewer in Secure Network Analytics (SNA) for enhanced context

FMC Integration with Cisco Security Analytics and Logging (On-Prem)
Easy button for setup
• Set up FMC analytics cross-launch links to the Secure Analytics console
• Set up remote query credentials for the Secure Analytics datastore
Longer event retention and increased scale
• External storage through Cisco Security Analytics and Logging On-Prem
• Auto-select event source or manually specify

Security Analytics and Logging Licenses
3 license tiers (nested)
• Logging and Troubleshooting*: scalable FTD and ASA event logging both in the cloud and on-premises, with API integration with the manager; CDO for cloud, and FMC for on-premises stores
• Logging Analytics and Detection: firewall log data analysis using the behavior-based threat detections of Secure Cloud Analytics (SaaS)
• Total Network Analytics and Detection: consolidated analysis run on the combined dataset of firewall, internal and public cloud logs for comprehensive threat detection
*Security Analytics and Logging (On Premises) is currently only available with the Logging and Troubleshooting license, which includes remote query by the FMC
ASA
Adaptive Security Appliance (ASA)
Robust and effective firewall with stateful inspection and VPN functionality
ASA 5500-X Series or Firewall hardware and ASA stateful firewall OS
Key Benefits
• Basic inspection (L2-L4)
• Layer 7 protocol inspection
• Simple 5-tuple-based rules
• Multi-context
• VPN load balancing
Features
• Remote Access and Clientless VPN
• EzVPN, IKEv2/L2TP, DTLS 1.2
• Site-to-Site VPN
• SSO with SAML, DAP
• Routing, CG NAT, QoS

ASA Software Provides
Robust, resilient stateful firewall and VPN concentrator
Rule feature
• Stateful controls
• Rules based on 5-tuples only
• Allow or Block as the two primary rule actions
• VPN: Remote Access, Clientless, EzVPN, IKEv2/L2TP/3rd-party Remote Access, Site-to-Site Route-Based and Policy-Based VPN, DTLS 1.2
• Routing and Quality of Service
Automate
• Leverage APIs to integrate with SIEM
• APIs to create enforcement based on 5-tuples
Security
• Packet filtering and legacy Layer 2 to Layer 4 security and controls
• No advanced security controls like IPS, Endpoint, URL Filtering, Application control etc.
• Carrier Grade NAT
• DAP
• SSO with SAML

ASA Installation Modes
Platform Mode
• Provisioning and initial configuration done from the FXOS CLI or Firewall Chassis Manager
• Firewall 2100/4100/9300
• Default before 9.13.1; maintained on upgrading from lower releases to 9.13.1 or higher
Appliance Mode
• Provisioning and initial configuration can be done from the ASA CLI or ASDM
• Firewall 1000/2100
• Default starting ASA 9.13.1 (fresh installation or reimage)
• FXOS CLI is used only for advanced troubleshooting
ASA Release 9.17.1 Highlights
Usability
• FQDN NAT
• PCAP replay
• SNMP hostgroup IPv6 CIDR address support
VPN Management
• AnyConnect native browser support
• RA VPN multiple trustpoints in SAML IdP
• Support for SAML attributes with DAP constraint
Public Cloud
• Geneve AWS proxy support
• Automated ASAv horizontal scaling in GCP and OCI
• OCI autoscale support
• Additional instance types in AWS and Azure

Integrated Security Portfolio
Gain an Integrated Security Portfolio
Need: As IT infrastructure continues to become more diverse, the job of securing it becomes more dynamic. The perimeter becomes flexible, which requires a broader portfolio of security solutions.
Cisco offering:
• Get more from your existing network: tightly integrate existing investments, including Cisco Application-Centric Infrastructure (ACI) and Network Access, with your Firewall solution.
• Greater security control points: enforce policies across your entire environment, including any device administered by the organization.
• Extend protection: remove blind spots, protect users anywhere they go and anywhere they access the internet.

Cisco Rapid Threat Containment
Proven approach to reduce the time and impact of a threat
• Automatic network threat containment using the network as an enforcer
• Threat-centric network access determines network access based on IoCs
• Richer visibility from bidirectional data sharing with the network access
[Diagram: ISE Authorization with Open Remediation API connecting 3rd-party devices (172.20.100.3), Secure Workload, ACI APIC, FMC, Firepower and routers serving employees]

Protect Your Network Using AMP
Understand the motion and behavior of files through network and endpoint visibility.
[Diagram: threat visibility breadth and control points (email, endpoints, web, network, IPS devices); retrospective detection, behavioral IoCs, file trajectory and threat hunting; telemetry stream of file and network I/O, process information, file fingerprint and metadata; Talos and Malware Analytics intelligence]

Application-Centric Infrastructure
Transparent policy-based security for both physical and virtual environments
• Link security to software-defined networking
• Create identity-based policy with the Application Policy Infrastructure Controller (APIC)
• Segment physical and virtual endpoints based on group policies with detailed and flexible segmentation
• Release 7.1 – added support for ASA devices/contexts, FMC dynamic objects

Control Traffic Based on User Awareness
• Use Active Directory users and groups in policy configuration
• Use Cisco Identity Services Engine to provide identity
• TrustSec Security Group Tag (SGT)
• Device type (endpoint profiles) and location
• Identity mapping propagation and device-level filtering
• Examples
  • Block HR users from using personal iPads
  • Create rules for quarantined iPhones
Simplify Security Management with TrustSec
Leverage the network and investment
• Scalable and agile segmentation technology in over 40 different Cisco product families
• Enables dynamic, role-based policy enforcement anywhere on your network
• Extend TrustSec policies over Firepower Threat Defense with SRC and DST SGT matching
Simplified Access Management: manage policies using plain language and maintain compliance by regulating access based on business role
Rapid Security Administration: speed up adds, moves, and changes, simplifying firewall administration to speed up server onboarding
Consistent Policy Anywhere: control all network segments centrally, regardless of whether devices are wired, wireless or on VPN
[Diagram: enterprise network with Guest, Non-Compliant, Developer and Employee endpoints, Voice/Employee Info/Developer Server/Financial Server/HTTP tags, and SGACLs: Deny Employee to Financial Server; Permit Developer to Developer Server; Permit Guest to Web]

Talos
What is Talos?
Talos is the threat intelligence group at Cisco. We are here to fight the good fight — we work to keep our customers, and users at large, safe from malicious actors.
• Threat Intelligence and Interdiction
• Vulnerability Research and Discovery
• Global Outreach
• Detection Research
• Community
• Engineering and Development
From Unknown to Understood
[Diagram: product telemetry (Endpoint Detection and Response, Endpoint, Mobile Security, Multi-factor authentication, Firewall, Intrusion Prevention, Network, Web Security, SD Segmentation, Security Internet Gateway, Cloud, DNS Security, Secure Email) combined with data sharing, vulnerability discovery, behavioral analytics and threat traps]

Secure Firewall & Secure Workload
Policy Authoring is a Significant Roadblock When Adding Segmentation
Cisco Secure Workload (on-premises or SaaS) provides industry-leading integrated policy discovery as a part of the firewall policy lifecycle.
• See all workload network behavior
• Automatically discover workload identity and groups
• Validate and simulate policy prior to enforcement

Secure Workload Features
• Contains lateral movement
• Continuously tracks security compliance
• Identifies behavioral anomalies
• Reduces your attack surface
• SecureX integrated, unifying visibility and enabling automation

Breaking Down Silos
Roles: DevSecOps, Security Architects, NetOps, Auditors
• Synchronized security policy enforcement on agents and network
• Full visibility and control
• Real-time updates using dynamic objects
• Security at application speed
• Full visibility and automation
• Auditors: single-pane-of-glass view ensuring security controls across workloads and firewall

Cisco End-to-End Protections Bridge the Gap
North-South Security with Cisco Secure Firewall (formerly NGFW) – Broad Visibility
• Secure Firewall at the data center edge
• Visibility into Internet, branch, campus
• Attribute-based policies
East-West Security with Cisco Secure Firewall – Coarse Control
• Segment within your data centers
• Handles workloads without agents
• Single/multi-site public cloud
Workload Security with Cisco Secure Workload – Fine-Grained Control (closer to the application)
• Provides detailed inter-application controls, software-based
• Supports rapid automation
• Physical/virtual form factors

Secure Firewall & Secure Workload Integration
Key Functions and Key Capabilities
• Real-time updates on rules using dynamic objects without policy deployment
• Leveraging Secure Firewall for policy enforcement on workloads without agents
• Additional threat protection using Secure Firewall on existing Secure Workload policies
• Enhancing static firewall rules with dynamic workload intelligence
• Advanced access control options (intrusion and file/malware policy, URL filtering etc.)
• Fine-grained policies from Secure Workload to implement contextual access rules on the firewall
• Ensuring security at application speed in a constantly changing DevOps environment
• Automated firewall access-rule updates based on workload changes

Secure Firewall – High Level Architecture
[Diagram: Secure Workload (SaaS or proxy) with Secure Connector and Ingest Connector (NSEL) sends dynamic policy to Secure Firewall Management Center (FMC), which programs Secure Firewall Threat Defense; segmentation policies are enforced at workloads (virtual machines, containers, bare metal) and at the firewall for workloads without agents]

Dynamic Policy with Secure Firewall (NEW)
Dynamic objects in the FMC v7.x access control policy
• Reduced deployments
• Faster updates
• Greater efficiency

Secure Firewall Integration – Dynamic Objects

Secure Workload Integration Use Cases
Fine control and agentless control
• End-user to application
• App servers without agent
• App to app
• Workload to Internet
[Diagram: Secure Workload sends dynamic object updates to FMC, which pushes dynamic firewall rule updates to Secure Firewall]

SecureX
What is SecureX threat response?
Automates integrations across networks, endpoints, and cloud environments
Key Benefits
• Out-of-box integrations
• Speed cyber investigations
• Included with Cisco security product licenses
• Reduce burden of other security products
Features
• Aggregated threat intelligence
• Automated enrichment
• Incident tracking
• Seamless drill-down
• Direct remediation

Investigate Any Item: Endpoint
Reduce complexity and time needed for threat hunting

Leverage a Seamless Workflow
FTD supplies security events to SecureX threat response
• Limited data is stored in the cloud
• FMC can send IPS events to SecureX threat response
• Any IP, domain, file hash or IoC seen in FMC can be queried in SecureX threat response, reducing complexity and time for threat hunting
• Continuous analysis with retrospection facilitates remediation and enhances forensics

FMC SecureX Ribbon Expanded

SecureX threat response and CDO Integration
Pivot to threat response from CDO using the event viewer

Migrating to FTD
What's New? – Firepower Migration Tool (NEW, Version 2.5)
• Optimized ASA migrations to FMC
• Wildcard mask configurations for FMC 7.1 or later
• ACL optimization and post-migration reports
Migration from ASA to FTD
Automation, Reporting, Scale
• Easy and fast cloud-based and stand-alone solutions
• Pre- and post-migration reports
• FMC REST API based, supports Windows or Mac
• Selective migration and optimizations such as object re-use
• Ability to edit the configuration being migrated
• CDO integration* to leverage orchestration benefits
• Live running logs, graceful error handling and resume from failure
• Programmability* through tool APIs
• Object conflict detection and resolution

Firepower Migration Tool Paths (ASA to FTD)
[Diagram: the Firewall Migration Tool uploads the ASA configuration, makes API calls to FMC, and FMC deploys to Firepower Threat Defense; the CDO FMT service shares the FMT core engine* for template creation, upload and apply]
*features shared in CDO depend on FTD-API and CDO support

Benefit of the Firepower Migration Tool
Derive faster value realization from Cisco's Firepower Threat Defense; complementary to partner-driven services
Cisco Secure Services
Our Secure Services portfolio of people, tools, processes and technology helps you to do more, and many of our services are widely recognized by industry leaders and analysts as amongst the best capabilities in the market.
• Migration configuration validated by seasoned and skilled Secure consultants
• Provide support during migration to help mitigate risks during migration
• Provide you with design best practices based on Cisco's history of experience with a variety of vertical industries
• Enhance your knowledge of Cisco's Firewall product features

Use Cases
Common and Unique Requirements for Secure Firewall
Use cases: Internet Edge, Data Center, Branch, Cloud/Virtual, Secure IPS, RA VPN
• High availability and redundancy
• Site-to-site VPN
• Separation of duties
• Scalability
• IPS capability
• Very high bandwidth, very low latency
• Dynamic routing
• Support for DPDK and SR-IOV
• Cisco VPN and third-party VPN clients
• Dynamic routing and address translation
• Integration with endpoint security
• Cloud scale
• Integration with NAC (network access control)
• Hyper-density and high performing volts
• DDoS
• Multi-instance
• Application visibility and control
• Breach detection
• Threat intelligence
• Incident response
• Dual-WAN Internet edge or VPN gateway
• Superior threat efficacy
• SD-WAN backhaul
• TLS decryption
• NSEW inspection
• Inbound inspection
• Mirror traffic and deploy in active, inline, or passive mode
• Device acting as edge
• Network reliability
• Authentication, Authorization, Accounting

Internet Edge
Key Functions and Key Capabilities
• Resilience (and scalability): VPN load balancing
• Advanced Access Control: applications, URLs, users, and TrustSec policy using SGTs
• Block access to malicious IPs, URLs, DNS: Talos Security Intelligence
• Dynamic NAT/PAT and Static NAT: Carrier Grade NAT
• Remote Access VPN: Cisco Secure VPN
• Site-to-Site VPN: point to point, hub and spoke, full mesh
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics integration
[Diagram: service provider and remote user reach the Internet edge (HSRP) and DMZ through a Firepower or ASA HA pair in front of the campus/private network]

Remote Access VPN (RA VPN)
Key Functions and Key Capabilities
• Resilience (and scalability): VPN load balancing
• Advanced Access Control: IPsec and SSL
• Block access to malicious IPs, URLs, DNS: Talos Security Intelligence
• Dynamic NAT/PAT and Static NAT: AD, LDAP and RADIUS
• Remote Access VPN: IKEv2
• Site-to-Site VPN: RADIUS CoA
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics integration
[Diagram: service provider, extranet and remote user reach the Internet edge (HSRP) and DMZ through a Firepower or ASA HA pair in front of the campus/private network]

Branch
Key Functions and Key Capabilities
• Advanced access control options: applications, URLs, users, and TrustSec policy using SGTs
• Remote Access VPN and Site-to-Site VPN: Cisco Secure VPN, route-based VPN
• Dual ISP support: IP SLA or traffic zones
• Block access to malicious IPs, URLs, DNS: Talos Security Intelligence
• Block traffic to 3rd-party lists: Threat Intelligence Director
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics integration
[Diagram: branch firewall HA pair between two edge routers (HSRP) to the Internet and the internal network, with the data center reached north-south]

Data Center Edge
Key Functions and Key Capabilities
• Advanced Access Control: TrustSec policy using SGTs, ACI policy control with EPGs
• Low latency capabilities: hardware flow offload
• Scalability and resilience: HA or clustering
• Geographic DC separation: inter-site clustering
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics integration
• Firewall segmentation: multi-instance
[Diagram: extranet connected over vPC/port-channel to a firewall in HA/cluster, data center distribution, and a firewall cluster]
[Diagram continued: access layer]

Cloud/Virtual
Key Functions and Key Capabilities
• Advanced access control options: applications, URLs, users, and TrustSec policy using SGTs/CCP
• Remote VPN and Site-to-Site VPN: route-based VPN (ASA) and policy-based VPN
• Block access to malicious IPs, URLs, DNS: Talos Security Intelligence
• Block traffic to 3rd-party lists: Threat Intelligence Director
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics integration
[Diagram: data center north-south and east-west HA pairs on ESXi Host A/B and KVM Host A/B with inside, DMZ and outside zones, external and internal load balancers, Internet, a CSP or ENCS compute cluster, and a branch]

NGIPS
Key Functions and Key Capabilities
• Advanced access control options: applications, URLs, users, and TrustSec policy using SGTs
• Block access to malicious IPs, URLs, DNS: Talos Security Intelligence
• Block traffic to 3rd-party lists: Threat Intelligence Director
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics integration
[Diagram: service provider to internal network through active and standby NGIPS (HA update) connected via vPC]