Cisco FirePOWER
Benjamin Doyle
October 15th, 2015
Agenda
Sourcefire
Cisco ASA Next-Gen Firewall (NGFW)
FireSIGHT Management Center (FMC)
FirePOWER Services
Intrusion Prevention System (IPS)
Advanced Malware Protection (AMP)
URL Filtering
Meraki Security Appliance (MX)
Sourcefire
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
3
Sourcefire

Founded in 2001

2013: Acquired by Cisco for US$2.7B

2014: Technology integration within Cisco

Hardware and Software

ClamAV and Snort

File reputation and dynamic analysis

Analysis of behaviours & containment

Retrospective protection

Visibility through dashboards

2015: End-of-life (EoL) for the legacy, non-Sourcefire Cisco IPS appliances
Cisco ASA
Next-Generation
Firewall
(NGFW)
Cisco ASA and Sourcefire FirePOWER
Cisco ASA Product Line (NGFW with NGIPS)
2 RU platforms (ASA 5585; Internet Edge / Campus / Data Center): ASA 5585-SSP10, ASA 5585-SSP20, ASA 5585-SSP40, ASA 5585-SSP60, in increasing order of performance and scalability
• Firewall: 2 – 20 Gbps
• Next Gen IPS: 1.2 – 6 Gbps
• NGIPS, AVC, AMP: 650 Mbps – 2.4 Gbps
1 RU platforms (Branch Office / Internet Edge): ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
• Firewall: 200 Mbps – 2 Gbps
• Next Gen IPS: 100 – 725 Mbps
• NGIPS, AVC, AMP: 30 – 160 Mbps *
* Performance numbers to be finalized
Source: Cisco Live! BRKSEC-2762 San Diego 2015
Multilayered Protection – Next Gen. FW + Gen2 IPS
Cisco ASA with FirePOWER Services, Cisco Collective Security Intelligence enabled, managed by the FireSIGHT Management Center (FMC):
• Cisco ASA: Network Firewall, Routing | Switching, Clustering & High Availability, Identity-Policy Control & VPN, Built-in Network Profiling
• Intrusion Prevention (Subscription)
• Advanced Malware Protection (Subscription)
• URL Filtering (Subscription)
• Application Visibility & Control
• FireSIGHT Analytics & Automation
► World's most widely deployed, enterprise-class ASA stateful firewall
► Granular Cisco® Application Visibility and Control (AVC)
► Industry-leading FirePOWER Next-Generation IPS (NGIPS)
► Reputation- and category-based URL filtering
► Advanced Malware Protection
• Visibility over – Network, Device, Application, Threat Detection & Mitigation
FireSIGHT Components
Network Discovery & Connection Awareness
Host discovery
• Identifies OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host based on the information it's gathered
Application identification
• FireSIGHT can identify over 1900 unique applications using OpenAppID
• Includes applications that run over web services such as Facebook or LinkedIn
• Applications can be used as criteria for access control
User discovery
• Monitors for user IDs transmitted as services are used
• Integrates with MS AD servers to authoritatively ID users
• Authoritative users can be used as access control criteria
FireSIGHT Management
Discovery is reported to you by way of events
• Connection events are recorded as every connection in a monitored network is seen
• Host events are recorded when something new on a host is detected or a change to a host is detected
Information about all the hosts in your environment is stored in host profiles
Host and Event Correlation
• A host in the network map is flagged as exhibiting signs of compromise when it is the subject of any of the following: Security Intelligence Events; C&C Detection via Protocol Analysis; Contextual NGIPS Events (Impact 1); FireAMP Endpoint Malware Events
By knowing the details of what's running in your environment, the Sourcefire System can produce a list of what vulnerabilities likely exist.
This allows the Sourcefire System to put intrusion events in context for more accurate and actionable alerting.
Which would matter more to you?
• A Code Red attack against a host running Linux in your environment
Or
• A Code Red attack against a host running a vulnerable version of Windows in your environment
FireSIGHT Impact Assessment
With FireSIGHT, IPS events are assigned an impact level:
• 0 – host not on monitored networks
• 4 – no entry for the host in the network map
• 3 – host not running the service or protocol that was attacked
• 2 – host is running the service or protocol that was attacked
• 1 – host is running the service or protocol that was attacked and a vulnerability against that service or protocol is mapped to the host
FireSIGHT also lets you fine-tune your IPS policies by recommending rules to protect against the known vulnerabilities in your environment
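The impact levels above are a decision procedure over two inputs: the intrusion event (target host, port, attacked service, associated vulnerabilities) and the host profile that passive discovery built for that target. The following is an added example written for this page, not Cisco or Sourcefire code: it reproduces that procedure over a constructed network map, including the "Code Red against Linux vs. vulnerable Windows" contrast from the previous slide and the non-standard-port case (HTTP on 1080 on one host, 8080 on another). The monitored network range, host entries and vulnerability identifiers (EX-2001) are placeholders, not real CVE ids.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for the discovery scope configured on the sensor.
MONITORED_NETWORKS = [ip_network("10.0.0.0/8")]

IMPACT_DESCRIPTION = {
    0: "host not on monitored networks",
    4: "no entry for the host in the network map",
    3: "host not running the attacked service or protocol",
    2: "host runs the attacked service, no matching vulnerability mapped",
    1: "host runs the attacked service and a matching vulnerability is mapped",
}


@dataclass
class HostProfile:
    """What passive discovery knows about one host (constructed data)."""
    ip: str
    os: str
    services: dict                         # (proto, port) -> service, e.g. ("tcp", 8080) -> "http"
    vulns: set = field(default_factory=set)  # vulnerability ids mapped to this host


@dataclass
class IntrusionEvent:
    """The parts of an IPS event the impact assessment needs."""
    dst_ip: str
    proto: str
    dst_port: int
    service: str                           # service/protocol the triggering rule attacks
    vuln_ids: set = field(default_factory=set)  # vulnerabilities the rule is associated with


def impact_level(event: IntrusionEvent, network_map: dict) -> int:
    """Assign the FireSIGHT impact level, checked in the order 0, 4, 3, then 1/2."""
    if not any(ip_address(event.dst_ip) in net for net in MONITORED_NETWORKS):
        return 0                           # outside the monitored networks: nothing is known
    host = network_map.get(event.dst_ip)
    if host is None:
        return 4                           # monitored range, but never seen by discovery
    # Service is keyed by (proto, port), so HTTP on 1080 and on 8080 are both recognised
    # and an HTTP attack against a port where no HTTP runs is rated "not vulnerable".
    if host.services.get((event.proto, event.dst_port)) != event.service:
        return 3
    if event.vuln_ids & host.vulns:
        return 1                           # attacked service AND a mapped vulnerability match
    return 2


def build_example_map() -> dict:
    """Constructed network map for the example."""
    hosts = [
        # Windows web server on a non-standard port with placeholder vuln EX-2001 mapped.
        HostProfile("10.1.1.10", "Windows Server", {("tcp", 1080): "http"}, {"EX-2001"}),
        # Linux host also serving HTTP, on 8080; nothing vulnerable mapped.
        HostProfile("10.1.1.20", "Linux", {("tcp", 8080): "http", ("tcp", 22): "ssh"}),
        # Linux host with no web service at all.
        HostProfile("10.1.1.30", "Linux", {("tcp", 22): "ssh"}),
    ]
    return {h.ip: h for h in hosts}


def assess(events, network_map):
    """Return (dst_ip, dst_port, impact) for each event, the columns an analyst sorts on."""
    return [(e.dst_ip, e.dst_port, impact_level(e, network_map)) for e in events]


if __name__ == "__main__":
    nm = build_example_map()
    # One web-exploit rule firing against five targets (constructed events).
    rule = dict(proto="tcp", service="http", vuln_ids={"EX-2001"})
    events = [
        IntrusionEvent("10.1.1.10", dst_port=1080, **rule),  # vulnerable Windows host
        IntrusionEvent("10.1.1.20", dst_port=8080, **rule),  # Linux running HTTP, not mapped vulnerable
        IntrusionEvent("10.1.1.10", dst_port=80, **rule),    # right host, port without HTTP
        IntrusionEvent("10.1.1.99", dst_port=80, **rule),    # not in the network map
        IntrusionEvent("192.0.2.7", dst_port=80, **rule),    # outside monitored networks
    ]
    for ip, port, level in assess(events, nm):
        print(f"{ip}:{port}  impact {level}  ({IMPACT_DESCRIPTION[level]})")
```

Only the first event would surface as Impact 1; the same rule firing against the Linux host is Impact 2, and the remaining three are the lower-priority levels. This is the ordering an analyst triages on, and it is only as good as the discovery data behind the network map: a host that discovery has never seen (Impact 4) is not "safe", it is unknown.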
FireSIGHT Management Center (FMC)
Why is FireSIGHT Important?
It gives you real-time information about what's in your network
• Based on this knowledge …
• It can inform you of the vulnerabilities associated with what is running in your environment
• You can fine-tune policies to focus on the threats specific to your environment
It can detect changes to your environment and alert you as soon as the change is detected
• You can act dynamically with custom alerting (email, syslog, SNMP, eStreamer)
• You can take action dynamically as well with remediation modules
• Remediations include scripts you can launch from the Defense Center
How is FireSIGHT information used?
Fine-tuning IPS policies
• You can automatically select the rules and preprocessor configurations that apply to your environment
• You can protect hosts running services on non-standard ports (e.g. HTTP running on port 1080 on one host and 8080 on another)
Enforce an organization's security/usage policies
• Block or alert on use of unauthorized applications, for example
Monitor and act on unusual network behavior
• Alert on new hosts showing up in restricted network spaces or detect unusually high utilization
Act on user activity
FireSIGHT Management Center (FMC)
Information Superiority / Contextual Awareness
Category                    Examples                      FirePOWER Appliance   Typical IPS   Typical NGFW
Threats                     Attacks, Anomalies            ✔                     ✔             ✔
Users                       AD, LDAP, POP3                ✔                     ✗             ✔
Web Applications            Facebook Chat, Ebay           ✔                     ✗             ✔
Application Protocols       HTTP, SMTP, SSH               ✔                     ✗             ✔
File Transfers              PDF, Office, EXE, JAR         ✔                     ✗             ✔
Malware                     Conficker, Flame              ✔                     ✗             ✗
Command & Control Servers   C&C Security Intelligence     ✔                     ✗             ✗
Client Applications         Firefox, IE6, BitTorrent      ✔                     ✗             ✗
Network Servers             Apache 2.3.1, IIS4            ✔                     ✗             ✗
Operating Systems           Windows, Linux                ✔                     ✗             ✗
Routers & Switches          Cisco, Nortel, Wireless       ✔                     ✗             ✗
Mobile Devices              iPhone, Android, Jail         ✔                     ✗             ✗
Printers                    HP, Xerox, Canon              ✔                     ✗             ✗
VoIP Phones                 Avaya, Polycom                ✔                     ✗             ✗
Virtual Machines            VMware, Xen, RHEV             ✔                     ✗             ✗
FireSIGHT Management Center:
Threat Information
FireSIGHT Management Center:
Operational Value
FirePOWER
Services
Challenges with Traditional Defense-in-Depth Security
• Forced to buy multiple security solutions – firewalls, web filters, IPS modules, etc.
• Often from different vendors – compatibility issues
• Increases complexity, limited visibility
• Vulnerability – lack of unified protection creates gaps and blind spots
• Need several dedicated teams to configure, install, and monitor multiple systems
• Increased cost and labor, reduced incident response time
Cisco ASA with FirePOWER
• Industry’s first adaptive, threat-focused NGFW
designed for a new era of threat and advanced
malware protection
• Delivers an integrated threat defense across the
entire attack continuum
• Combines proven security of Cisco ASA firewall with
industry-leading Sourcefire threat and advanced
malware protection in a single device
• Unparalleled network visibility
Integrated Threat Defense Across the Attack Continuum
Attack Continuum
BEFORE
DURING
AFTER
Discover
Enforce
Harden
Detect
Block
Defend
Scope
Contain
Remediate
Firewall/VPN
NGIPS
Advanced Malware
Protection
Granular App Control
Security Intelligence
Retrospective Security
Modern Threat Control
Web Security
IoCs/Incident
Response
Visibility and Automation
FirePOWER Services for ASA: Subscriptions
Base ASA Firewall (appliance defaults):
• Traffic filtering / ACLs
• Routing
• ACLs – Protocol Inspection
• VPN Termination
• Network Address Translation
Sourcefire Services, included * with FirePOWER Services for ASA:
• Configurable Fail Open
• Connection/Flow Logging
• Network, User, and Application Discovery
• NSS Leading IPS Engine
• Comprehensive Threat Prevention
• Security Intelligence (C&C, Botnets, SPAM etc.)
• Blocking of Files by Type, Protocol, and Direction
• Basic DLP in IPS Rules (SSN, Credit Card etc.)
• Access Control: AVC – Enforcement by Application (App Visibility / Control)
• Access Control: Enforcement by User
Annual-fee subscriptions:
• Next Gen IPS – IPS Rule and Application Updates
• URL Filtering – URL Filtering Subscription
• Advanced Malware Protection – Subscription for Malware Blocking, Continuous File Analysis, Malware Network Trajectory
* Included – SMARTnet required for Security Intelligence updates
FirePOWER Licensing

Virtual or Physical FireSIGHT Management Center required

All FirePOWER Services device licenses are managed on the FireSIGHT
Management Center.

Licenses are specific to each ASA model and mapped to managed
ASA devices

Term licenses have a start and end date, beyond the end date requires
renewal to receive subscription updates.

Application Visibility and Control updates are included in SMARTnet
Services

IPS subscription is a pre-requisite for Advanced Malware Protection
(AMP)

SSDs are included in all new ASA FirePOWER Services hardware SKUs
FirePOWER Licensing
Five Subscription Packages to Choose From for Each Appliance
• 1 and 3 year terms
• AVC is part of the default offering
• AVC updates are included in SMARTnet
• IPS is required before AMP or URL license can be added
Packages named on the slide:
• TA: IPS + AVC
• TAC: IPS + AVC + URL
• TAM: IPS + AVC + AMP
• TAMC: IPS + AVC + AMP + URL
Intrusion
Prevention
System
(IPS)
Sourcefire NGIPS
Source: Cisco Live! BRKSEC-1030 San Diego 2015
IPS – File Processing
Source: FireSIGHT User Guide 5.4.0.1
IPS Automation
Before Attack
The Next Generation Security Model
Attack Continuum
BEFORE
DURING
AFTER
Control
Enforce
Harden
Detect
Block
Defend
Scope
Contain
Remediate
BEFORE THE ATTACK: You need to know what's on your network to
be able to defend it – devices / OS / services / applications / users
(FireSight)
Access Controls, Enforce Policy, Manage Applications And Overall
Access To Assets.
Network
Endpoint
Mobile
Virtual
Cloud
Access Controls reduce the surface area of attack, but there will still be holes that the bad guys will find. They will find any gap in point-in-time defenses and exploit it to achieve their objective.
ATTACKERS DO NOT DISCRIMINATE.
What Device Types, Users & Applications should be on the Network?
Point in time | Continuous
After Attack
The Next Generation Security Model
Attack Continuum
Network
BEFORE
DURING
AFTER
Control
Enforce
Harden
Detect
Block
Defend
Scope
Contain
Remediate
Endpoint
Mobile
Virtual
Cloud
AFTER THE ATTACK: invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal.
Cross Device Information Sharing – Evolving
Point in time | Continuous
Also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself –
on the network, endpoint, mobile devices, virtual environments, including cloud
Advanced
Malware
Protection
(AMP)
AMP
• File Reputation
• Dynamic
Analysis
(Sandboxing)
• Retrospective
Security
Anti-Malware Protection & the Attack Continuum
BEFORE
DURING
AFTER
Control
Enforce
Harden
Detect
Block
Defend
Scope
Contain
Remediate
File Retrospection
File Trajectory
Network
Contextual Awareness
Control Automation
In-line Threat Detection
and Prevention
File Retrospection
File Trajectory
Device Trajectory
File Analysis
Endpoint
File Execution Blocking
Indications of
Compromise
Outbreak Control
Anti-Malware Process - Infected File Tracking
AMP: File Disposition and Dynamic Analysis
Files seen on the network are looked up by file hash against the Cisco cloud; the Cisco cloud is Talos (Cisco SIO + Sourcefire VRT).
Retrospective Security
Source: Cisco Live! BRKSEC-2028 Melbourne 2015
Host Profile
Network File Trajectory
Correlation Analysis with Context Produces IoC
Source: Cisco Live! BRKSEC-1030 San Diego 2015
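The AMP slides above describe three things that fit together: an in-line disposition lookup by file hash at the moment of transfer, a network file trajectory that records which host received which file and when, and retrospective security, where a later change of disposition in the cloud is replayed against that trajectory so hosts that received the file while it was still "unknown" are flagged. The block below is an added example written for this page, not Cisco, Sourcefire or AMP code; it models that flow with a local stand-in for the cloud lookup (the real service is a remote query), SHA-256 as the file hash, constructed payload bytes, and constructed host addresses and timestamps.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

CLEAN, MALWARE, UNKNOWN = "clean", "malware", "unknown"


@dataclass
class FileSighting:
    """One file transfer observed on the network (the unit of a file trajectory)."""
    ts: int            # constructed timestamp, seconds
    src: str
    dst: str
    sha256: str
    disposition: str   # what the cloud said about the hash at transfer time


class DispositionCloud:
    """Local stand-in for the cloud hash lookup; dispositions may change later (assumption)."""
    def __init__(self, known=None):
        self.known = dict(known or {})

    def lookup(self, sha256: str) -> str:
        return self.known.get(sha256, UNKNOWN)

    def update(self, sha256: str, disposition: str) -> None:
        self.known[sha256] = disposition


class FileTrajectory:
    def __init__(self, cloud: DispositionCloud):
        self.cloud = cloud
        self.by_hash = defaultdict(list)   # sha256 -> [FileSighting, ...]

    def observe(self, ts: int, src: str, dst: str, data: bytes):
        """In-line path: hash the file, ask the cloud, record the sighting, decide."""
        sha256 = hashlib.sha256(data).hexdigest()
        disposition = self.cloud.lookup(sha256)
        self.by_hash[sha256].append(FileSighting(ts, src, dst, sha256, disposition))
        # Known malware is blocked; clean and unknown files are allowed through
        # (an unknown file is what would be sent for dynamic analysis).
        return ("block" if disposition == MALWARE else "allow"), sha256

    def retrospective(self, sha256: str, new_disposition: str):
        """Cloud changed its verdict: emit one retrospective event per host that already
        received the file while it was not known bad. Returns [] if nothing changed."""
        prior = self.cloud.lookup(sha256)
        self.cloud.update(sha256, new_disposition)
        if new_disposition != MALWARE or prior == MALWARE:
            return []
        return [
            (s.ts, s.dst, s.sha256, s.disposition, new_disposition)
            for s in self.by_hash[sha256]
            if s.disposition != MALWARE
        ]

    def hosts_with(self, sha256: str):
        """Network file trajectory: every host the file was delivered to (or attempted)."""
        return sorted({s.dst for s in self.by_hash[sha256]})


def run_scenario():
    """Constructed scenario: a file slips in as 'unknown', spreads laterally, then is convicted."""
    sample = b"MZ constructed sample payload, not a real executable"
    benign = b"%PDF-1.4 constructed benign document"
    cloud = DispositionCloud({hashlib.sha256(benign).hexdigest(): CLEAN})
    traj = FileTrajectory(cloud)
    first_decisions = [
        traj.observe(100, "203.0.113.5", "10.1.1.10", sample)[0],  # unknown -> allowed
        traj.observe(160, "10.1.1.10", "10.1.1.20", sample)[0],    # lateral copy, still unknown
        traj.observe(200, "203.0.113.5", "10.1.1.30", benign)[0],  # clean -> allowed
    ]
    sha256 = hashlib.sha256(sample).hexdigest()
    retro_events = traj.retrospective(sha256, MALWARE)     # cloud/sandbox convicts the file
    later = traj.observe(300, "203.0.113.5", "10.1.1.40", sample)[0]  # now blocked in-line
    return first_decisions, retro_events, later, traj.hosts_with(sha256)


if __name__ == "__main__":
    decisions, retro, later, hosts = run_scenario()
    print("in-line decisions before conviction:", decisions)
    for ts, host, sha256, was, now in retro:
        print(f"retrospective: t={ts} host={host} {was}->{now} sha256={sha256[:16]}...")
    print("decision after conviction:", later)
    print("hosts in file trajectory:", hosts)
```

The point the example makes is that the in-line verdict is only ever as good as what the cloud knew at that second: the two hosts that received the sample at t=100 and t=160 were never blocked, and it is the trajectory plus the retrospective replay, not the in-line lookup, that tells the responder which hosts to scope and contain.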
URL
Filtering
URL Filtering
• Offers reputation and category-based
filtering
• Comprehensive alerting and control over
suspect traffic
• Enforces policies on hundreds of millions of
websites in over 80 categories
URL Filtering
Meraki
Security
Appliance
(MX)
Meraki
• Leader in cloud networking: 20,000+ customer networks deployed
  • Founded in 2006 at MIT - tradition of innovation and R&D
  • 350 employees worldwide
• 100% Cloud-managed edge and branch networking portfolio
  • Complete line of wireless, switching, security, WAN optimization, and mobile device management products
• Now part of Cisco
  • Cisco purchased Meraki for US$1.2B in 2012
  • Increasing R&D investment in Meraki products
  • Leveraging Cisco's reach to bring Meraki to new markets
  • No near-term changes planned to pricing, licenses, product roadmap, etc.
Order Process
How Meraki Works
Step 1: Pick Hardware
Step 2: Cloud Subscription & Warranty Support (Cloud License: 1yr, 3yr, 5yr; Warranty)
Step 3: Install
Step 4: Dashboard Management
Meraki Management
Management – Cloud Dashboard
• Self-provisioning for rapid deployment and expansions
• Scalable network-wide monitoring and management tools
• Integrated Wireless, LAN, and WAN management, as well as Mobile Device management
• Seamless over-the-web maintenance, upgrades, monitoring, etc.
Application Visibility
Layer 7 - Complete visibility and control
Meraki Pros
Out of band cloud management: only management data (1 kb/s) crosses the WAN to the cloud; user traffic stays on the LAN/WAN
Scalable
• Unlimited throughput, no bottlenecks
• Add devices or sites in minutes
Reliable
• Highly available cloud with multiple datacenters
• Network functions even if connection to cloud is interrupted
• 99.99% uptime SLA
Secure
• No user traffic passes through cloud
• Fully HIPAA / PCI compliant (level 1 certified)
• 3rd party security audits, daily penetration test
Reliability and security information at meraki.com/trust
Meraki Features
Hardware – “MX”
o Next Generation Firewall:
 Layer 7 traffic classification and control
 Intrusion detection engine
 Identity based and device-aware security
o Auto VPN:
 Auto-provisioning IPSec VPN
 Automatically configured VPN parameters
 Flexible tunneling, topology and security
policies
o 3G / 4G Failover:
 Cellular support for maximum uptime
 Seamless, automatic failover with traffic
prioritization
o WAN Optimization:
 Universal data store with de-duplication
 WAN link compression
o Content Filtering:
 Identity-based filtering policies
Meraki Licensing
Subscription/License – “MX”
Meraki Sizing
Hardware – "MX"
Model             Stateful Firewall   VPN          WAN Optimization   Interfaces
                  Throughput          Throughput   Cache
MX400             1 Gbps              325 Mbps     1 TB SATA          8 x GbE, 8 x GbE (SFP), 4 x 10 GbE (SFP+)
MX100             500 Mbps            225 Mbps     1 TB SATA          8 x GbE, 2 x GbE (SFP)
MX80              250 Mbps            125 Mbps     1 TB SATA          5 x GbE
MX60W             100 Mbps            50 Mbps      100 MB             5 x GbE, 1 x 802.11n
MX60              100 Mbps            50 Mbps      100 MB             5 x GbE
Z1 (Teleworker)   50 Mbps             10 Mbps      N/A                1 x GbE WAN, 4 x GbE LAN
Common to the line:
• Integrated Intrusion Detection (IDS)
• Device Aware Access Controls (BYOD) (Layer 7)
• Category-based content filtering
• Load Balance WAN connections
• 3G/4G backup WAN connectivity
• WAN Acceleration/Optimization
Meraki Cloud
Cloud Value Proposition
o Maintenance & Upgrades (Quarterly Releases):
 Automatic firmware maintenance
 New feature implementation
 Automatic implementation of performance
improvements and enhancements
o Monitoring:
 Application level (layer 7) monitoring & reporting
 Performance monitoring
o Technology and Configuration:
 Extremely easy configuration
 Fully featured Cloud Managed
o Warranty & Maintenance:
 Case-based support viewable in dashboard
 Firmware and Software updates/upgrades
 24x7 telephone support
Next: More Intrusion Alert
Methods