Cisco ASA with FirePOWER Services
Britta Paty and Manfred Brabec, Cisco Security, June 2015

If you knew you were going to be compromised, would you do security differently?
Cisco Confidential 2
Cisco + Sourcefire = Better Together
Attack continuum: Discover, Enforce, Harden (before); Detect, Block, Defend (during); Scope, Contain, Remediate (after)
Portfolio across the continuum: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Web Security, Network Behavior Analysis, NAC + Identity Services, Email Security, Malware Sandboxing, Security Services
ASA = integrated threat protection across the entire attack continuum
BEFORE: Discover, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate.
Firewall/VPN; granular application control; advanced threat protection: NGIPS, Security Intelligence, Web Security; visibility and automation; Advanced Malware Protection; Retrospective Security; IoCs / incident response
Cisco Annual Security Report 2015
Findings: Security is now a boardroom discussion.
Incident Response: 92% of midsize organizations have internal security teams.
Executive Accountability: 94% of midsize organizations have an executive directly accountable for security.
Data from interviews with hundreds of security and IT pros in nine countries.
NEW: Cisco 2015 Annual Security Report
Download link: http://www.cisco.com/web/offers/lp/2015-annual-securityreport/index.html?keycode=000657647
Cisco Advanced Malware Protection: built on unmatched collective security intelligence
Cisco Collective Security Intelligence Cloud: 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600+ engineers, technicians, and researchers; 35% of worldwide email traffic; 13 billion web requests; 24x7x365 operations; 40+ languages
Telemetry sources: Email, Endpoints, Web, Networks, IPS, Devices
180,000+ file samples per day; AMP Community; AMP Threat Grid Intelligence; AMP Threat Grid Dynamic Analysis (10 million files/month); Advanced Microsoft and industry disclosures; Snort and ClamAV open source communities; AEGIS Program; private/public threat feeds
Automatic updates every 3-5 minutes
Cisco AMP provides continuous retrospective security
Breadth of control points: Email, Endpoints, Web, Network, IPS, Devices
Telemetry stream: file fingerprint and metadata, file and network I/O, process information
Continuous feed, continuous analysis
Protection before, during and after an attack
BEFORE: Discover, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate.
Point-in-time vs. continuous, with superior visibility, control and remediation for advanced threats
Cisco AMP Everywhere strategy means protection across the extended network
AMP for Networks (also virtual)
AMP for Endpoints: Windows OS, Android mobile, Mac OS (*AMP for Endpoints can be launched from AnyConnect)
AMP on Cisco ASA firewall with FirePOWER Services
AMP Private Cloud virtual appliance
AMP Threat Grid: malware analysis + threat intelligence engine, appliance or cloud
AMP on Web and Email Security Appliances
AMP for Cloud Web Security (CWS) and hosted email
AMP Threat Grid feeds dynamic malware analysis and threat intelligence to the Cisco AMP solution
Low-prevalence files: an analyst or system (API) submits a suspicious sample to Threat Grid.
An automated engine observes, deconstructs, and analyzes using multiple techniques: proprietary techniques for static and dynamic analysis, an "outside looking in" approach, 350 behavioral indicators; results go into the sample and artifact intelligence database.
Big data correlation: the AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts.
Actionable intelligence: threat score / behavioral indicators, threat feeds. Actionable threat content and intelligence is generated that can be utilized by AMP, or packaged and integrated into a variety of existing systems, or used independently.
Security and visibility for precise and effective response
Who? Focus on these users first.
What? These applications are affected.
Where? The breach affected these areas.
When? The breach had this temporal extent.
How? This is the origin and progression of the threat.
ASA with FirePOWER Services: best-in-class integrated and multilayered protection
Cisco Collective Security Intelligence
Cisco ASA (the most widely deployed stateful firewall): stateful firewall, clustering and high availability, network firewall, routing, switching, identity-based access control and VPN
Cisco FirePOWER (industry-leading): Intrusion Prevention (subscription), FireSIGHT analytics and automation, Advanced Malware Protection (subscription), URL filtering (subscription), Cisco Application Visibility and Control (AVC) with granular controls, integrated network profiling, Next-Generation IPS (NGIPS), reputation- and category-based URL filtering, Cisco Advanced Malware Protection (AMP)
Application Visibility and Control (AVC)
Included (no extra license, requires SMARTNET)
Visibility into applications and users; control what applications are used and who uses them
Example: block BitTorrent and Dropbox
URL Filtering
URL subscription license
Block (or warn on) non-business-related sites by category, based on user and user group
Examples: block Gambling; warn on non-business-related categories
Intrusion Prevention (IPS)
IPS subscription license
Blocks hacking attacks; based on the industry-leading and award-winning Sourcefire IPS, which protects high-security environments (government, finance, defence, ...) around the world
Snort IPS: impact analysis
Correlates every intrusion (access attempt) event with its impact on the target.
Impact flag / Administrator action / Reason
1 / Act immediately; vulnerable / Event matches vulnerabilities mapped to the host
2 / Investigate; potentially vulnerable / Relevant port open or protocol in use, but no vulnerability detected
3 / Good to know; currently not vulnerable / Relevant port not open or protocol not in use
4 / Good to know; target unknown / Monitored network, but host unknown
0 / Good to know; network unknown / Unmonitored network
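The impact table above is a correlation rule: each alert is scored against what passive discovery knows about the target host. The following added example (not Sourcefire or Cisco code) implements those five rows over constructed host profiles and events; the field names, the monitored range 10.0.0.0/8 and vulnerability ids such as VULN-EX-1 are placeholders of this example.

```python
"""Impact-flag triage for intrusion events, following the five rows of the
Snort/FireSIGHT impact table above. Added example, not Sourcefire/Cisco code:
host profiles, vulnerability ids, event fields and the monitored range are all
constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class HostProfile:
    """What passive network discovery has learned about one host (constructed)."""
    ip: str
    open_ports: set          # {("tcp", 445), ...} ports seen open
    protocols: set           # application protocols seen in use, e.g. {"smb"}
    vulnerabilities: set     # vulnerability ids mapped to the host's OS/services


@dataclass
class IntrusionEvent:
    """One Snort alert, reduced to the fields impact analysis needs (constructed)."""
    dst_ip: str
    dst_port: int
    transport: str           # "tcp" or "udp"
    app_proto: str           # protocol the rule targets, e.g. "smb"
    rule_vulns: set          # vulnerability ids the rule is written to detect


# Address ranges the sensor is configured to profile (hypothetical).
MONITORED_NETWORKS = [ip_network("10.0.0.0/8")]

# Flag -> (administrator action, reason), as in the table above.
IMPACT_TEXT = {
    1: ("Act immediately; vulnerable",
        "event matches a vulnerability mapped to the host"),
    2: ("Investigate; potentially vulnerable",
        "port open or protocol in use, but no vulnerability detected"),
    3: ("Good to know; currently not vulnerable",
        "port not open or protocol not in use"),
    4: ("Good to know; target unknown",
        "monitored network, but host unknown"),
    0: ("Good to know; network unknown", "unmonitored network"),
}


def impact_flag(event: IntrusionEvent, hosts: dict) -> int:
    """Correlate one event with the target's host profile and return the impact flag."""
    target = ip_address(event.dst_ip)
    if not any(target in net for net in MONITORED_NETWORKS):
        return 0                                   # this network is not profiled at all
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                   # monitored range, but no profile yet
    if event.rule_vulns & host.vulnerabilities:
        return 1                                   # rule's vulnerability is on this host
    if (event.transport, event.dst_port) in host.open_ports or event.app_proto in host.protocols:
        return 2                                   # service exposed, vulnerability not confirmed
    return 3                                       # nothing listening for this attack


def triage(events: list, hosts: dict) -> list:
    """Order events for the analyst: flag 1 first, flag 0 (unmonitored) last."""
    scored = [(impact_flag(e, hosts), e) for e in events]
    scored.sort(key=lambda fe: (fe[0] == 0, fe[0]))
    return [{"flag": f, "target": e.dst_ip, "action": IMPACT_TEXT[f][0],
             "reason": IMPACT_TEXT[f][1]} for f, e in scored]


# Constructed host profiles and events (ids like VULN-EX-1 are placeholders).
HOSTS = {
    "10.4.10.183": HostProfile("10.4.10.183", {("tcp", 445), ("tcp", 80)},
                               {"smb", "http"}, {"VULN-EX-1"}),
    "10.5.11.8": HostProfile("10.5.11.8", {("tcp", 22)}, {"ssh"}, set()),
}
EVENTS = [
    IntrusionEvent("192.0.2.7", 80, "tcp", "http", {"VULN-EX-9"}),      # outside monitored range
    IntrusionEvent("10.5.11.8", 3389, "tcp", "rdp", {"VULN-EX-3"}),     # RDP not in use on target
    IntrusionEvent("10.4.10.183", 445, "tcp", "smb", {"VULN-EX-1"}),    # matches host's vulnerability
    IntrusionEvent("10.3.4.51", 445, "tcp", "smb", {"VULN-EX-1"}),      # monitored, host never profiled
    IntrusionEvent("10.5.11.8", 22, "tcp", "ssh", {"VULN-EX-2"}),       # SSH exposed, vuln not mapped
]

if __name__ == "__main__":
    for row in triage(EVENTS, HOSTS):
        print(row["flag"], row["target"], row["action"], "-", row["reason"])
```

The ordering rule in `triage` is the practical point of the table: flag 1 events are the ones whose rule matches a vulnerability the host profile already carries, so they go to the top of the queue, while flag 0 events come from networks the sensor does not profile and are sorted last.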
ASA with FirePOWER Services portfolio: ASA NGFW for all customer sizes
Models: ASA 5506-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X
FirePOWER integration options: FirePOWER ready; FirePOWER software module (*requires SSD disk); FirePOWER hardware module
NEW: Cisco next-generation firewalls for SMB, distributed enterprise, and industrial control (all Q2CY15)
5506-X: desktop model, perfect for ASA 5505 refreshes
5506W-X: integrated wireless AP; enables additional small office/home office deployments
5508-X and 5516-X: 1RU models, higher performance, upsell opportunity; 5508-X is a new price/performance point
5506H-X: ruggedized; extends NGFW into industrial control and critical infrastructure
100% NGFW: ships with FirePOWER Services
Cisco desktop ASA 5506-X
Parameter / Value
CPU / Multicore CPU at 1.25 GHz
Accelerator / Hardware crypto accelerator
RAM/Storage / 4 GB / 64 GB mSATA
Management ports / 1 management port with 10/100/1000 Base-T RJ45
Console port / Mini USB
USB port / Type A, supports 2.0
Data ports / 8 x 1 Gb interfaces, all Layer 3 interfaces
Cooling / Convection
Dimensions / 7.92 in. x 8.92 in. x 1.73 in.
Power / AC external, no DC
Cisco wireless desktop ASA 5506W-X
The 5506W-X configuration is the same as the desktop 5506-X. Wireless information follows.
Parameter / Value
Wireless access point / ASA5506_AP702, IEEE 802.11n, 2 x 2 MIMO, dual-band access point, 2.5 GHz and 5 GHz
Ports / 8 x external data ports, 1 access point (attached to 1 internal data port, g1/9)
Management port / Any data port of g1/1 - g1/8; management 1/1 is used only for firewall management
Dimensions / 7.92 in. x 8.92 in. x 1.73 in.
Management / Autonomous (AP on-box GUI) or a Cisco wireless LAN controller
Ruggedized 5506H-X
*The 5506H-X configuration is the same as the desktop 5506-X, except for the parameters listed below.
Parameter / Value
Data ports / 4 x data ports
Management / 1 port, 10/100/1000 Base-T, 100Base-FX, 1000Base-X, SFP
Voltage / 5 V (*5506 is 12 V)
Operating temperature / -20 C to +60 C
IP rating / IP40
Mounting / Wall mount, horizontal desk, rack mount, and DIN rail mount
Dimensions / 9 in. x 9.2 in. x 2.5 in.
Certifications / Tested for heat, extended vibration, and shock
Rack-mount 5508-X and 5516-X
Parameter / Value
CPU / Multicore: 5508-X at 2 GHz, 5516-X at 2.4 GHz
Accelerator / Hardware crypto accelerator
RAM/Storage / 8 GB / Intel 120 GB SSD
Ports / 1 management port with 10/100/1000 Base-T RJ45
Console port / Mini USB
USB port / Type A, supports 2.0
Data ports / 8 x 1 GE interfaces, all Layer 3 interfaces
Cooling / Fan
Power / AC internal, no DC
Dimensions / 17.2 in. x 11.11 in. x 1.72 in.
Key enhancements of the Cisco ASA 5505 successor
Category / Feature / 5505 / New ASA with FirePOWER Services (5506-X)
More secure / NGFW - FirePOWER Services: Application Visibility and Control / No / Yes
More secure / NGFW - FirePOWER Services: AMP, NGIPS, URL filtering subscriptions / No / Yes
More secure / Hardware security: Cisco Trust Anchor Module, hardware anti-tamper / No / Yes
More scalable / Simplified purchase experience: unlimited user (node) support / No / Yes
More flexible / VPN: enhanced mobility support / No / Yes
More flexible / Throughput / - / Over 2.5x stateful performance
Additional features / Integrated wireless access point / No / Yes (5506W-X variant)
Additional features / Ruggedized option / No / Yes (5506H-X variant)
Additional features / Power over Ethernet (PoE) / Yes / No
New extended-performance ASA 5585-X
New Cisco ASA 5585-X appliance models for use with ASA with FirePOWER Services:
S10F40 - ASA5585-S10F40-K9
S20F60 - ASA5585-S20F60-K9
Centralized management provides security teams with: management for multiple devices; comprehensive visibility and control over network activity; optimal remediation through infection scoping and root-cause determination
BEFORE: Discover, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate.
Centralized management: same as larger models, uses CSM and FireSIGHT
NEW - Integrated on-box management
The Cisco Adaptive Security Device Manager (ASDM) 7 combines control of access policy and advanced threat defense functions.
The enhanced UI provides quick views of trends and the ability to navigate to more details.
Centralized management is optionally available with FireSIGHT + Cisco Security Manager.
Cisco FirePOWER provides superior visibility for accurate threat detection and adaptive defense
FireSIGHT full-stack visibility: information superiority (contextual awareness compared with a typical IPS and a typical NGFW)
Category / Examples
Threats / Attacks, anomalies
Users / AD, LDAP, POP3
Web applications / Facebook Chat, eBay
Application protocols / HTTP, SMTP, SSH
File transfers / PDF, Office, EXE, JAR
Malware / Conficker, Flame
Command & control servers / C&C Security Intelligence
Client applications / Firefox, IE6, BitTorrent
Network servers / Apache 2.3.1, IIS4
Operating systems / Windows, Linux
Routers & switches / Cisco, Nortel, wireless
Mobile devices / iPhone, Android, Jail
Printers / HP, Xerox, Canon
VoIP phones / Avaya, Polycom
Virtual machines / VMware, Xen, RHEV
Performance comparison (each column step is roughly 1.5x to 2x)
Feature / ASA 5506-X, 5506H-X, 5506W-X / ASA 5508-X / ASA 5516-X
Maximum stateful firewall throughput / 750 Mbps / 1 Gbps / 1.8 Gbps
VPN throughput / 100 Mbps / 175 Mbps / 250 Mbps
Maximum AVC throughput / 250 Mbps / 450 Mbps / 850 Mbps
Maximum AVC and NGIPS throughput / 125 Mbps / 250 Mbps / 450 Mbps
AVC or IPS sizing throughput [440 B] / 90 Mbps / 180 Mbps / 300 Mbps
Maximum concurrent sessions / 50,000 (1) / 100,000 / 250,000
Maximum CPS / 5000 / 10000 / 20000
Functional distribution of features
FirePOWER Services: URL category and reputation, NGIPS, Application Visibility and Control, Advanced Malware Protection, file type filtering, *file capture
ASA: TCP normalization, TCP intercept, IP option inspection, IP fragmentation, NAT, routing, ACL, VPN termination
An unknown file is present on IP 10.4.10.183, having been downloaded with Firefox.
At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.
The Cisco Collective Security Intelligence Cloud has learned that this file is malicious, and a retrospective event is raised for all four devices immediately.
At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
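The scenario above combines two mechanisms: file trajectory (every transfer of a file hash is recorded, even while its disposition is unknown) and retrospective detection (when the disposition later changes to malicious, an event is raised for every host that ever saw the file, and further transfers are blocked at the point of entry). The following added example (not Cisco AMP code) replays that sequence with constructed data: the SHA-256 is computed from a constructed byte string, and the timestamps, the application name of the second transfer and the source of the third hop are assumptions of this example.

```python
"""File trajectory with retrospective detection, modelled on the scenario above.
Added example, not Cisco AMP code: the hash is computed from a constructed byte
string, and hosts, timestamps and application names are sample data."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


class TrajectoryTracker:
    """Records every sighting of a file hash and replays a disposition change
    against that history (the retrospective part)."""

    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [(time, src_host, dst_host, app)]
        self.disposition = {}                # sha256 -> "unknown" | "clean" | "malicious"
        self.retro_events = []               # raised when an already-seen file turns malicious

    def observe(self, sha, when, src, dst, app):
        """Record a transfer and return the point-in-time verdict for it."""
        self.disposition.setdefault(sha, "unknown")
        verdict = "block" if self.disposition[sha] == "malicious" else "allow"
        if verdict == "allow":                       # blocked transfers never reach a host
            self.sightings[sha].append((when, src, dst, app))
        return verdict

    def hosts_for(self, sha):
        """Every host that sent or received the file, with the first time it was seen there."""
        first_seen = {}
        for when, src, dst, _ in sorted(self.sightings[sha], key=lambda s: s[0]):
            for host in (src, dst):
                if host and host not in first_seen:
                    first_seen[host] = when
        return first_seen

    def update_disposition(self, sha, new):
        """Apply a disposition change from the intelligence cloud; if the file is now
        malicious, raise one retrospective event per host that has ever seen it."""
        old = self.disposition.get(sha, "unknown")
        self.disposition[sha] = new
        raised = []
        if new == "malicious" and old != "malicious":
            for host, when in self.hosts_for(sha).items():
                raised.append({"sha256": sha, "host": host, "first_seen": when})
            self.retro_events.extend(raised)
        return raised

    def trajectory(self, sha):
        """The file's path through the network, oldest sighting first."""
        return sorted(self.sightings[sha], key=lambda s: s[0])


def run_scenario():
    """Replay the slide scenario with constructed data and return the outcomes."""
    tracker = TrajectoryTracker()
    # Constructed sample: hash of a harmless byte string, not a real malware hash.
    sha = hashlib.sha256(b"constructed sample file contents, not real malware").hexdigest()
    t0 = datetime(2015, 6, 1, 10, 30)                                   # assumed download time
    first = tracker.observe(sha, t0, None, "10.4.10.183", "Firefox")    # download, disposition unknown
    tracker.observe(sha, t0 + timedelta(minutes=27), "10.4.10.183", "10.5.11.8", "unknown")
    tracker.observe(sha, t0 + timedelta(hours=7), "10.5.11.8", "10.3.4.51", "SMB")
    retro = tracker.update_disposition(sha, "malicious")                # cloud verdict changes
    retry = tracker.observe(sha, t0 + timedelta(hours=8), None, "10.4.10.183", "Firefox")  # re-entry
    return {
        "first_verdict": first,
        "retro_hosts": [e["host"] for e in retro],
        "retry_verdict": retry,
        "hops": len(tracker.trajectory(sha)),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The design point worth noticing is that `observe` stores sightings while the verdict is still "allow": retrospective detection is only possible because the history of unknown files is kept, so that a later disposition change can be replayed against every host that touched the file.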
What Cisco offers the NGFW space (BEFORE / DURING / AFTER)
Integrated Threat Defense System capabilities (the original slide marks each as "Cisco only" or "Cisco and our competitors"): classic stateful firewall; Gen1 IPS; application visibility; web URL controls; AV and basic protections; user identity; NGIPS; adaptive security; threat hunting; Collective Security Intelligence (Talos); URL and IP reputation; sandboxing; NG sandbox for evasive malware; malware file trajectory; host trajectory; Open App-ID; correlated SIEM eventing (2); incident control system (1); vulnerability management (1); forensics and log management; auto-remediation / dynamic policies; dynamic outbreak controls; contextual device, network and endpoint visibility; retrospective analysis; retrospective detection; SNORT open IPS; behavioral indications of compromise; network anti-malware controls (AMP); *client anti-malware (AMP, *agent); management interfaces
(1) Passive vulnerability management and basic ICS; the customer may still choose to invest in a commercial product.
(2) FMC is NOT itself a SIEM, while it does provide correlated SIEM eventing and integrates natively into the SIEM used by the customer.
NSS Labs: Next-Generation Firewall Security Value Map
The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All products achieved 99.2 percent in security effectiveness. Now customers can be confident they'll get the best protection possible, regardless of deployment.
Source: NSS Labs 2014
How integrated threat defense works
Intelligent protection detected and stopped the large-scale malware campaign "String of Paerls". Cisco detects, analyzes and protects against known and new threats.
Key methods: use of data sources from email, web and Advanced Malware Protection products; linking of separate events and malware activity through big data analytics.
Result: the malware infection was detected through multiple Indications of Compromise (IoCs).
More information: http://blogs.cisco.com/security/a-string-of-paerls
Cisco positioned as a Leader in the 2014 Gartner Magic Quadrant for Intrusion Prevention Systems
Link: http://www.gartner.com/technology/reprints.do?id=1-26vh860&ct=150105&st=sb
Cisco AnyConnect: comprehensive secure endpoint access
Context: user type, broad device support, and access method insight
Posture: check and remediate for latest OS, AV, etc.
Secure access: VPN, wired, wireless, cellular
Connectivity: always-on connectivity, clientless, 802.1X
Security: web inspection, encryption, and secure access
All-in-one endpoint services; simple management for IT and users
Additional resources
At-a-Glance document: http://www.cisco.com/c/en/us/support/security/asa-5506-x-firepowerservices/model.html#at-a-glance
Data sheet: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html
Cisco Talos Security Intelligence and Research: http://www.cisco.com/c/en/us/products/security/talos.html