January 2017
Agenda
Product Overview
Capabilities
Platform
Management
Sizing
Licensing
Evolution of Firepower and ASA
October 2013: Firepower AND ASA
September 2014: ASA with Firepower Services ON the ASA-5500-X and ASA-5585-X
March 2016: Firepower Threat Defense FOR the ASA-5500-X, FP-4100 and FP-9300
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Relevant Terminology
Firepower Threat Defense (FTD): unified codebase software image
ASA with FirePOWER Services: two managers, full firewall feature set
Firepower 4100 Series and 9300 Appliances: brand for new hardware product offerings; can run FTD or ASA
Firepower Next-Generation Firewall (NGFW): FTD + hardware or virtual appliance
Firepower Management Center (FMC): formerly FireSIGHT Management Center, Defense Center
Converged Software Firepower Threat Defense
The industry focus has been protecting before, but not during and after, attacks
(Figure: the Attack Continuum, before / during / after, with point products placed along it: Enable applications, IPS, URL, GAP, DDoS, Sandbox, Incident Response)
What does Firepower NGFW enable?
Stop more threats
Gain more insight
Detect earlier, act faster
Reduce complexity
Get more from your network
Gain more insight with increased visibility
You can't protect what you can't see
(Figure: the visibility of a typical IPS compared with Firepower visibility across threats, client applications, operating systems, C&C, servers, file transfers, mobile devices, routers & switches, users, application protocols, web applications, printers, malware and VoIP phones)
Reduce complexity with simplified, consistent management
Firepower Management Center
Unified: network to endpoint visibility; manages firewall, applications, threats, & files; track, contain, recover remediation tools
Scalable: central, role-based management; multi-tenancy; policy inheritance
Automated: impact assessment; rule recommendations; remediation APIs
Capabilities
Firepower Capabilities Overview
Application visibility & control: tailor application behavior to reduce attack surface and risk of data loss
Advanced malware protection: protect against the most advanced forms of malware and remediate after a breach
Security intelligence: block access to known malicious IPs and URLs
Restrict access to specific sites and sub-sites, as well as categories of sites
Enforce policy with complete visibility and granular control across the network
Superior intrusion detection and threat prevention
Application Visibility and Control (AVC) Overview
Control port- and protocol-hopping apps that evade traditional firewalls
Enforce acceptable use policies with granular control over applications
Limit the exposure created by social media applications
Use custom application detectors/OpenAppID
Enhanced Application Visibility and Control (figure): Cisco database of 4,000+ apps, network & users, OpenAppID, traffic prioritization
See and understand risks; enforce granular access control; prioritize traffic and limit rates; create detectors for custom apps
OpenAppID Overview
What is OpenAppID?
Application Visibility and Control (AVC) done the right way
An open source application-focused detection language
Enables users to create, share and implement custom application detection
Available for download as an extension of Snort 2.9.7 from http://www.snort.org
Key advantages
New simple language to detect apps
Reduces dependency on vendor release cycles
Build custom detections for new or specific (ex. Geo-based) app-based threats
Application-specific detail with security events
Stop more threats with the smartest threat defense available
Talos Threat Intelligence (figure)
Identify advanced threats quickly with industry-leading threat data and research
Get industry-specific threat intelligence tailored to your business
Catch advanced threats endpoints miss with Cisco's threat engineers and analysts
Stay protected against the latest threats with regular updates pushed automatically
Uncover hidden threats in the environment
Talos by the numbers: inspects over 300 billion emails per day; nearly 16 billion web requests each day; receives 1.5 million incoming malware samples daily; 200 billion threats blocked daily; 250+ researchers; 24x7x365 operations
Telemetry sources (research and response): email, endpoints, web, networks, NGIPS, devices
Advanced Malware Protection (AMP)
Block known malware; investigate files safely; detect new threats; respond to alerts
Capabilities: file reputation; file & device trajectory
AMP for Networks: network file trajectory
(Figure: AMP for Endpoint log and AMP for Network log feeding the trajectory views)
AMP Everywhere architecture (figure): AMP Cloud; AMP for Endpoints on remote endpoints; AMP on Firepower NGIPS appliance (AMP for Networks); Threat Grid malware analysis + threat intelligence engine; AMP Private Cloud virtual appliance; CWS/CTA
URL Filtering (figure: URL categories such as Gambling, Health, Drug Use; example site office365.com)
How
Restrict access to specific sites and subsites
Filter out over 280 million URLs based on any of the 80+ categories into which they are grouped
Block malicious websites based on who, what, where, how and when
Block or Allow Access to IPs or URLs (figure: NGFW filtering on URL | IP | DNS against the URL database, with allow/block decisions and Safe Search)
Classify 280M+ URLs; filter sites using 80+ categories; manage allow/block lists easily; block latest malicious URLs
Identity Based Policy Control
Integrates with Cisco Identity Services Engine (ISE)
Gain awareness of everything hitting your network
Provide access consistently and efficiently
Relieve the stress of complex access management
How
Stop threats from getting in and spreading
Ease security policy setting
Limit unnecessary network exposure
Prevent threats from compromising your network in real time
Rapid Threat Containment
1. Corporate user downloads a file, not knowing it is actually malicious.
2. Cisco security sensors scan the user activity and the downloaded file; FMC aggregates and correlates sensor data.
3. FMC detects the flagrantly suspicious file and alerts ISE. ISE then changes the user's/device's access policy to "suspicious".
4. Based on the new policy, network enforcers automatically restrict access.
5. Device is quarantined for remediation or mitigation; access is denied per security policy.
Intrusion Prevention (IPS)
Protect the network more effectively
Policies can be updated automatically based on vulnerabilities and previous intrusion events
Admins can make adjustments to policies and system settings across locations from a single, central location
(Figure: events tagged with Impact 1, Impact 2, Impact 3)
Speed Impact Assessment and Response
Correlates all intrusion events to the impact of the attack against the target
Impact Flag | Administrator Action | Why
1 | Act immediately; vulnerable | Event corresponds to a vulnerability mapped to the host
0 | Good to know; unknown network | Unmonitored network
Streamline Operations
Recommend Rules to Improve Defenses
Indications of Compromise (IoCs)
SSL Enforcement
The decryption engine feeds NGIPS, AMP and AVC decisions (figure: a list of masked URLs of the form https://www.%$*#$@#$.com, some tagged with categories such as gambling or illicit)
Decrypt interesting traffic; inspect deciphered packets; track and log all SSL sessions
Secure Remote Access for Mobile User
Secure access using FP2100 (figure: FP2100 in HA at the Internet Edge between the ISP and the campus/private network)
Secure SSL/IPSec AnyConnect access to corporate network
Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
Advanced application-level inspection can be enabled to enforce security on inbound Remote Access user data
AMP / file inspection policy to monitor roaming user data
Monitoring and troubleshooting to monitor remote access activity, and a simplified tool for troubleshooting
Secure Connection with Branch Office
Simplified IPSec Wizard for Site to Site VPN configuration (figure: FPR 2100 failover pair at the head office, IPSec VPN across the ISP to the branch office edge router)
Advanced application-level inspection can be enabled on VPN traffic of partner and vendor networks
Prefilter policy to bypass advanced inspection and improve performance
Authentication supports both pre-shared key and PKI
Branch office deployment to secure connection with head office
Monitoring and troubleshooting to monitor remote access activity, and a simplified tool for troubleshooting
Platform
Firepower Threat Defense (FTD) Software
(Figure: ASA (L2-L4) and Firepower capabilities converged in one image)
ASA: L2-L4 stateful firewall; scalable CGNAT, ACL, routing; application inspection
Firepower: firewall, URL, visibility, threats
Continuous feature migration
* Also manages Firepower Appliances and Firepower Services (not ASA Software)
Feature Comparison: ASA with Firepower Services and Firepower Threat Defense (6.2)
Feature | Firepower Threat Defense | Firepower Services for ASA
Similarities:
Routing | OSPF, BGP, Static, RIP, Multicast, EIGRP/PBR via FlexConfig | OSPF, BGP, EIGRP, static, RIP, Multicast
NAT
OnBox Management
HA (Active/Passive)
Clustering (Active/Active)
Site to Site VPN
Policy based on SGT tags
Differences:
Unified ASA and Firepower rules and objects
Hypervisor Support (AWS, VMware, KVM, Azure)
Cisco Firepower NGIPS Platform
All appliances include: integrated lights-out management; Firepower acceleration technology; LCD display
IPS Performance and Scalability (figure):
AMP 7150: 500 Mbps, all services enabled
AMP 8150: 2 Gbps, all services enabled
Firepower 8300 Series: 15 Gbps to 60 Gbps
Cisco ASA and Firepower Platforms (figure)
ASA 5505, ASA 5506-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
ASA 5585-X SSP10, SSP20, SSP40, SSP60
Firepower 2100 Series (FPR 2100)
FPR 4110, FPR 4120, FPR 4140, FPR 4150
FPR 9300 SM-24, SM-36, SM-44
Virtual: FTDv, NGIPSv
Software Support by Platform (figure: matrix of platforms against Firepower Threat Defense, Firepower NGIPS, Firepower Services on ASA, and ASA Firewall)
Management
Simplify management with an easy, unified approach
ASA Software Management
On-box vs. Off-box Comparison at 6.2
Firepower Management Center (off-box) vs. Firepower Device Manager (on-box)
Legend: Detailed; Optimized for SMBs; Not Present; NCP = No Current Plan
Available only for Firepower Threat Defense Software (FTD)
Cisco Defense Orchestrator
Cisco's vision for managing a wide range of security solutions
Simple: manage next-gen protection through a single interface; orchestrate security policy management from one place; build security policy templates that help to apply consistent security policy across all branches
Efficient: enable security experts to craft policy templates to be deployed by any member of your team; use simple search-based management to quickly see how policies are enforced across devices; leverage automatic layer 7 protection
Effective: design and deploy policy uniformly; uncover and remediate unplanned changes; extend protection to the application layer
(Figure: Cisco Defense Orchestrator managing security products, including Umbrella)
FMC Appliance Refresh
New FMC Platforms
Sizing
NGFW Performance and Size
Why does it matter? It impacts the sale
Properly sizing an NGFW impacts customer satisfaction
Firewall sizing is based on performance estimates, and sizing and features determine NGFW solution cost
Product specification sheets do not typically include performance estimates that are based on real-world traffic characteristics
As with all performance discussions, YOUR MILEAGE MAY VARY!!
NGFW Performance and Size: Features Enabled (figure)
NGFW Performance and Size: NGFW location in a network also affects performance (figure)
Factors that affect NGFW performance: data to collect before starting a sizing estimation (figure)
Factors that affect NGFW performance: understanding the data sheets (figure)
Cisco NGFW Performance Metrics as of September 2016: publicly published in data sheets, 1024 bytes (figure)
450 Byte HTTP Throughput: AVC and IPS (figure)
Impact of enabling URL Filtering (figure)
Impact of Enabling Cisco AMP for Networks (figure)
Firepower 2100 Series Performance
Metric | FPR 2110 | FPR 2120 | FPR 2130 | FPR 2140
Throughput FW + AVC | 1.9 Gbps | 3 Gbps | 4.75 Gbps | 8.5 Gbps
Throughput FW + AVC + NGIPS | 1.9 Gbps | 3 Gbps | 4.75 Gbps | 8.5 Gbps
Maximum concurrent sessions, with AVC | 1M | 1.2M | 2M | 3.5M
Maximum new connections per second, with AVC | 12000 | 16000 | 24000 | 40000
https://communities.cisco.com/docs/DOC-69840
https://communities.cisco.com/docs/DOC-70837
Licensing
Cisco Firepower Management Center
Management Center 750, 2000, and 4000 physical appliances or the Management Center virtual appliance
See the Network Security Ordering Guide page on the Security Partner Community for information on ordering FMCv: https://communities.cisco.com/docs/DOC-70838
Management Center hardware is selected based on the firewall configuration deployed and the number of appliances and events to be monitored
SMARTnet is ordered separately
Firepower Management Center Virtual (FMCv) licensing
Clarification
When ordering FMCv for 5.4 and prior, you purchase one of the following SKUs, noting that the 2 and 10 device SKUs are only for ASA 5500 platforms.
FS-VMW-SW-K9 - Cisco Firepower Management Center, (VMWare) for 25 devices
FS-VMW-2-SW-K9 - Cisco Firepower Management Center,(VMWare) for 2 devices
FS-VMW-10-SW-K9 - Cisco Firepower Management Center,(VMWare) for 10 devices
When ordering FMC for 6.0 or later, the guide states that a FireSIGHT license is no longer required. This does NOT mean that you do not need to purchase the FMCv. You still need to purchase one of the following SKUs, which are Smart License enabled. These do not come up in a CCW search, but can be added to your order by entering the correct SKU. The 2 and 10 device SKUs can currently be used to manage any FTD device. This is inclusive of FTDv, 4100, and 9300, unlike the classic 2 and 10 SKUs for Firepower Services, which only support ASA-based systems.
SF-FMC-VMW-K9 - Cisco Firepower Management Center, (VMWare) for 25 devices
SF-FMC-VMW-2-K9 - Cisco Firepower Management Center,(VMWare) for 2 devices
SF-FMC-VMW-10-K9 - Cisco Firepower Management Center,(VMWare) for 10 devices
SF-FMC-KVM-K9 - Cisco Firepower Management Center, (KVM) for 25 devices
SF-FMC-KVM-2-K9 - Cisco Firepower Management Center,(KVM) for 2 devices
SF-FMC-KVM-10-K9 - Cisco Firepower Management Center,(KVM) for 10 devices
Firepower license components (figure):
Base (NGFW): networking, firewall and AVC; perpetual
Threat: IPS / SI / DNS; term-based
Malware: AMP / TG; term-based
URL Filtering: term-based
Term-based licenses for advanced protection (Threat, Malware, and URL Filtering)
One (1), three (3) and five (5) year licensing terms available
SMARTnet is ordered separately
Traditional ASA licenses not needed
ASA Firepower Services Packaging (table with columns: Subscription Packages | Component License Name and Features Enabled | License Type | Fulfillment)
Smart Licensing: Key Benefits
Helps customers understand how Cisco Software is used across their network
Classic (limited view): customers do not know what they own
Smart (complete view): software, services, devices in one easy to use portal
Customer needs a Smart Account
Ordering: https://communities.cisco.com/docs/DOC-70838