Cisco ASA with FirePOWER Services Training Series Overview and Design
www.routehub.net Michel Thomatis, CCIE #6778 Chief Network Architect and Lead Trainer
Type of Firewall Appliances
• 1st Generation Firewalls filter based on:
 • Network / IP address (e.g. 10.67.78.0/24, 10.67.78.10)
 • Protocol (e.g. IP, TCP, UDP)
 • Protocol port number (e.g. TCP/80 for HTTP)
 • Example: Cisco ASA
• Next Generation Firewalls filter based on:
 • 1st Generation Firewall filtering (Network/IP, Protocol, Port)
 • URL (e.g. facebook.com, Social Networking)
 • User endpoints (e.g. Web Browser, OS, Mobile)
 • Applications (e.g. Facebook, Dropbox, Google Mail)
 • Micro-applications (e.g. Facebook Games)
 • Examples: Cisco ASA SFR, Palo Alto Networks
Cisco ASA 5500-X with FirePOWER Services
• Next Generation Firewall (NGFW) options:
 • Cisco ASA 5500-X Series using CX
 • Cisco ASA 5500-X Series using SourceFire FirePOWER Services
• SourceFire FirePOWER security module:
 • Cisco ASA 5506-X to 5555-X: software-based security module
 • Cisco ASA 5585-X: hardware-based security module (SSP)
• Gigabit Ethernet ports:
 • No Layer 2 ports
 • No PoE ports
• Management port
• Console port
FirePOWER Security Features • Application Control • Identity Control • Security Intelligence • Intrusion Detection and Prevention (IPS) • URL Filtering • Advanced Malware Protection (AMP) • File Blocking • SSL Decryption
Security Features – Application Control • Filter traffic based on applications (Facebook, Skype, etc.) • Filter traffic based on micro-applications (e.g. Facebook Post, Chat) • Requires SSL Decryption • Application filtering is not very reliable
Security Features – Identity Control • Filter traffic based on the user account and group • Integrated with Active Directory or LDAP • Identity Control Methods: • Active Authentication • Passive Authentication
Security Features – Security Intelligence • First line of security defense on the ASA FirePOWER appliance • Provides a blacklist of networks/IPs with bad reputations
Security Features – URL Filtering • Filter traffic based on web URL • Block based on: • Web categories (e.g. Violence, Nudity) • Reputation • Business Relevance
Security Features – IPS • Last line of security defense on the ASA FirePOWER appliance • Inspecting traffic for specific patterns of data in a traffic flow
Security Features – Malware Protection • Filter files for malware/virus content • Uses the Security Intelligence Cloud • Looks at the file's SHA-256 hash value • Operations: • Malware Lookup • Block Malware
Security Features – File Blocking • Filter traffic with files of certain types (e.g. ZIP, EXE) • Files being uploaded or downloaded
Security Features – SSL Decryption • Allows decrypting HTTPS websites for firewall inspection
Security Flow
• Action: Allow (continue for further inspection)
• Action: Trust (no further inspection)
• Action: Block
Licensing • Protection: IPS, file control, & Security Intelligence • Control: User and Application control • URL Filtering: URL filtering • Malware: AMP
ASA and FirePOWER (SFR) Integration
1. Traffic comes in and is checked against the configured ASA firewall policy
2. If the traffic is allowed, it is sent to the SFR module
3. The traffic is checked against the configured SFR (NGFW) firewall policy
4. If the traffic is still allowed, it is sent back out through the ASA firewall
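The four-step hand-off above is implemented on the ASA by a service policy that redirects matching traffic to the SFR module. This is an added configuration example, not taken from the training deck; the ACL and class-map names are placeholders chosen here, and it assumes an ASA with the FirePOWER (SFR) module already installed.

```cisco
! Added example (not from the training deck). Step 1 is the ASA's own
! access rules; steps 2-4 are the SFR redirect configured below.
! The names "sfr_redirect" and "sfr-class" are placeholders.

! Select the traffic the ASA hands to the FirePOWER (SFR) module (step 2).
! Here: all IP traffic. Use a tighter ACL if only some flows need NGFW inspection.
access-list sfr_redirect extended permit ip any any

class-map sfr-class
 match access-list sfr_redirect

! Attach the redirect to the global policy so every interface is covered.
policy-map global_policy
 class sfr-class
  ! Inline mode: SFR verdicts (Allow / Trust / Block) are enforced (step 3).
  ! fail-open keeps traffic flowing if the module is down or unresponsive;
  ! fail-close drops that traffic instead, trading availability for coverage.
  sfr fail-open
  ! Alternative, monitor-only (IDS-style) mode: a copy goes to SFR and
  ! verdicts are reported but not enforced.
  ! sfr fail-open monitor-only

service-policy global_policy global

! Verify the module is up and that flows are being redirected and returned (step 4).
show module sfr details
show service-policy sfr
```

Traffic the SFR module allows returns to the ASA and leaves through the normal egress path; traffic it blocks never reaches step 4.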
Management Options • Cisco ASDM • Cisco FirePOWER Management Center (FMC) • Palo Alto Networks - Panorama • Fortinet FortiGate - FortiManager
[Screenshots: ASDM and FMC management interfaces]
Management Options: FMC
• Cisco ASDM
 • Interfaces, VPN, NAT, Routing
• Cisco FirePOWER Management Center (FMC)
 • NGFW features: Application Control, IPS, URL filtering, AMP, File Control, etc.
 • Robust reporting of FirePOWER services
Management Options: ASDM
• Cisco ASDM
 • NGFW features: Application Control, IPS, URL filtering, AMP, File Control, etc.
 • Interfaces, VPN, NAT, Routing
 • Basic reporting of FirePOWER services
Management Options: Comparisons
Cisco ASA
• Web Administration: Cisco Adaptive Security Device Manager (ASDM)
• 1st Generation Firewall policies
• Site VPN (IPSec)
• Client VPN (IPSec, SSL)
• Network Address Translation (NAT)
• IP Routing (OSPF, EIGRP)
• Interfaces and VLAN tags
• Cisco TrustSec
Cisco ASA with FirePOWER
• Web Administration: Cisco Adaptive Security Device Manager (ASDM), FirePOWER Management Center (FMC)
• Next Generation Firewall policies
• Application Control
• Identity Control
• Security Intelligence
• Intrusion Detection and Prevention (IPS)
• URL Filtering
• Advanced Malware Protection (AMP)
• File Blocking
• SSL Decryption
Caveats
• Pros:
 • Security Intelligence
 • Licensing
 • Performance
• Cons:
 • Instability of features (e.g. SSL Decryption)
 • Administration
 • Late feature support (e.g. SSL Decryption)
• SSL Decryption:
 • Version 5.4.1 and earlier: requires a standalone SSL decryption appliance
 • Supported on other NGFWs (e.g. Palo Alto, FortiGate, Cisco ASA using CX)
 • Supported natively in Version 6.0 (November 2015) and later
 • Version 6.0 instability with some of the security features
Caveats: Instabilities
• Issues with SSL Decryption (not 100% reliable)
• Issues with URL filtering when using custom URL groups
• Issues with Active Authentication
• Issues with the latest User Agent installed on Windows Server
Video Series: Network Design
Video Series: OS 6.0
• Cisco ASA with FirePOWER Services
• Version 6.0
• SSL Decryption
• Considerations:
 • Version 6.0 instabilities (SSL Decryption, URL Filtering)
 • Version 5.4.1 is recommended for production deployments
 • Use caution with version 6.0 in production deployments
Video Series: Administration • Administration using ASDM
Video Series: Topics • Application Control • Identity Control • Security Intelligence • Intrusion Detection and Prevention (IPS) • URL Filtering • Advanced Malware Protection (AMP) • File Blocking • SSL Decryption