Cisco NGFWv and ASAv in Azure

Milan Habrcetl, Cisco Cyber Security Specialist

27th February, 2018

Agenda

• Introduction to Cisco Security

• Introduction to Security in Public Cloud

• NGFWv/FTDv & ASAv overview

• Performance numbers

• Deployment models

• Licensing

• NGFWv/FTDv & ASAv in Azure

• Cisco Defense Orchestrator – cloud management


Cisco Concept for continual Cyber Security

• Cisco ASA Firewall

• Cisco Firepower NGFW

• Meraki MX

• Cisco AMP

• Cisco ISE

• Cisco AnyConnect

• Cisco Umbrella

• Cisco Firepower NGIPS

• Cisco Web Security

• Cisco Cloud Web Security

• Cisco E-mail Security

• Cloudlock

• Cognitive Threat Analysis

• Cisco Stealthwatch

• Cisco Threat Grid

• Cisco Investigate

• Security Packet Analyzer

Before: Discover, Enforce, Harden. During: Detect, Block, Defend. After: Scope, Contain, Remediate. Underpinned by Threat Intelligence and Services.

Cisco Security Architecture: Integrated Threat Defense across Endpoint, Cloud and Network.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Challenges for IT

• Applications: on-premise or cloud? Build/Buy/Rent?

• Agility: provision infrastructure at app development

• Risk Mitigation: security compliance

Native security in Azure

Azure Network Security Group (NSG)

• Similar to access control list

• Action (Allow or Deny) traffic

• Layer 3/Layer 4 rules

• Control Inbound and Outbound traffic

Today security requires critical functions like stateful packet inspection, application visibility and control, threat-centric protection, URL filtering, advanced malware protection and Virtual Private Network (VPN).

Advanced Threat Defense in the Public Cloud

Cisco Firepower™ Threat Defense 6.2.3 and ASA 9.8.1

Cisco Advanced Threat Defense Platforms

Figure: platform portfolio positioned across SOHO/Teleworker, Branch Office, Internet Edge, Campus, Data Center and Virtualization segments.

• ASA 5505* (150 Mbps, 4000 conn/s)

• ASA 5506(W/H) (750 Mbps, 5000 conn/s) (125 Mb NGFW/NGIPS)

• ASA 5508-X (1 Gbps, 10,000 conn/s) (250 Mb NGFW/NGIPS)

• ASA 5512/15-X (1-1.2 Gbps, 15,000 conn/s) (150-250 Mb NGFW/NGIPS)

• ASA 5516-X (1.8 Gbps, 20,000 conn/s) (450 Mb NGFW/NGIPS)

• ASA 5525-X (1-2 Gbps, 20,000 conn/s) (650 Mb NGFW/NGIPS)

• ASA 5545-X (1-3 Gbps, 30,000 conn/s) (1 Gb NGFW/NGIPS)

• ASA 5555-X (2-4 Gbps, 50,000 conn/s) (1.25 Gb NGFW/NGIPS)

• ASA 5585-X SSP10 (2-4 Gbps, 75,000 conn/s) (2 Gb NGFW/NGIPS, 5000 VPN)

• ASA 5585-X SSP20 (5-10 Gbps, 125,000 conn/s) (3.5 Gb NGFW/NGIPS, 5000 VPN)

• ASA 5585-X SSP40 (10-20 Gbps, 240,000 conn/s) (6 Gb NGFW/NGIPS, 10,000 VPN)

• ASA 5585-X SSP60 (20-40 Gbps, 350,000 conn/s) (10 Gb NGFW/NGIPS, 10,000 VPN)

• ASA SM (Cisco® Catalyst® 6500)* (16-20 Gbps, 300,000 conn/s)

• ASA Cluster 2-16x (320-640 Gbps, 2.8 million cps, 96 million conn/s) (>100 Gbps NGIPS/NGFW)

• Cisco Firepower™ 2100 (1.9-8.5 Gbps)

• Cisco Firepower™ 4100 (4140, ASA code) (30-60 Gbps, 350,000 cps, 25 million conn/s)

• Cisco Firepower 9300 (3x SM36s, ASA code, one chassis) (80-225 Gbps, 2.5 million cps, 55 million conn/s)

• Cisco Firepower 9300 (16x SM36s, ASA code, five chassis) (1.2 Tbps, 12.5 million cps, 500 million conn/s)

• FirePOWER 7000/8000 (8350 stack of 4, Firepower code) (60 Gbps NGIPS)

• NGFWv (1 Gbps NGFW)

• ASAv*** (1-2 & 10 Gbps ASAv50, 60,000 cps, VPN)

• NGIPSv (600 Mbps NGIPS)

* Platform runs only ASA code, no FirePOWER features

Next Generation Firewall (NGFWv) Features (Public Cloud)

Next Generation Firewall 6.2.3 (FTD Image)

• NSS leading next-generation intrusion prevention system (NGIPS)

• Deployment modes: Routed & Passive (AWS)

• Comprehensive threat prevention, Layer 7 Application Visibility and Control

• Site-to-Site VPN & RAVPN (FTD release 6.2.3)

• Security intelligence (C&C, botnets, IP, DNS, etc.), threat/risk reports

• Blocking of files by type, protocol, and direction; protocol rate limiting

• Access control: enforcement by application and user (AD integration)

• Switching, routing, NAT options, and Cisco® ISE pxGrid integration

• URL filtering, malware blocking, continuous file analysis, malware network trajectory

• Cisco® AMP public and private cloud with Threat Grid integration

Management Tool – Firepower Management Center (FMC), formerly FireSIGHT or Defense Center

Firepower Management Center (FMC)

Next Generation Firewall 6.2

• FMC is required for managing FTDv/NGFWv

• Virtual FMC can be deployed on ESXi, KVM and in AWS

• Required for configuration, management & checking events

• NGFWv in cloud can be managed by FMC in AWS or FMC on premise (physical or virtual)

• FMC dashboard provides complete visibility

FMC appliances: FMC 1000, 2500, 4500 & Virtual Appliance

No support for passive mode in Azure because ERSPAN is not supported

Deployment modes NGFWv (FTDv)

Next Generation Firewall Virtual on hypervisors (ESXi and KVM): Routed, Transparent, Inline, Inline Tap, Passive

Next Generation Firewall Virtual in public cloud (Azure): Routed mode

ASAv Firewall Features (Public Cloud)

ASA 9.8.1

• Firewall functionality, NAT, ACL and packet inspection

• VPN capability (LAN-to-LAN, RAVPN - AnyConnect & Clientless VPN)

• REST API for programmatic configuration and monitoring

• AAA with Local, RADIUS, TACACS+, and LDAP support

• Route-based VPN (VTI)

• Dynamic inspection for dynamic pinholing

• Active/Standby HA in Azure

• Support for IKEv2, certificate-based authentication, and ACL in VTI

• SAML 2.0 SSO updates

• Mobile IKEv2 (MobIKE) is enabled by default

Management tools – ASDM, CSM, API or Cisco Defense Orchestrator

Cisco Firepower NGFWv and Management Center in Azure

Cisco Virtual NGFW managed by on-premises Cisco Firepower Management Center (virtual or physical) or FMCv in AWS cloud

NGFWv Instance: Standard D3 & D3v2

License Type: Bring your own license (BYOL)

NGFWv in Azure

Deploy NGFWv in Azure (Routed Mode)

• NGFWv supports Routed mode

• Provides networking, firewalling, threat-centric protection, URL filtering & AMP capabilities

• NSG should allow SSH/HTTPS and UDP 8305 (SF-Tunnel) access to your instances on the eth0 interface for management access

• Two management interfaces required for NGFWv in Azure

• North/South, East/West traffic inspection and micro-segmentation
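As an added illustration (not from the deck or from Cisco), the Python below models the NSG rule set that the management-access bullet above and the earlier "Native security in Azure" slide call for on the eth0 NIC, and evaluates sample flows with Azure's first-match-by-priority semantics; the admin and FMC address ranges are assumed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Azure NSG semantics: rules are evaluated in ascending priority order and
# the first match decides. Azure appends a default DenyAllInBound rule at
# priority 65500 (the other platform default rules are not modelled here).
@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    dest_ports: tuple    # destinationPortRanges, e.g. (22, 443)
    source_prefix: str   # sourceAddressPrefix: a CIDR or "*"

# Constructed management NSG for the NGFWv eth0 NIC. Both prefixes are
# placeholders chosen for this example, not values from the deck.
ADMIN_CIDR = "203.0.113.0/24"   # assumed operator workstation range
FMC_CIDR = "198.51.100.10/32"   # assumed on-premises FMC address
MGMT_NSG = [
    # SSH and HTTPS management access only from the admin range
    NsgRule("allow-mgmt-ssh-https", 100, "Inbound", "Allow", "Tcp", (22, 443), ADMIN_CIDR),
    # SF-Tunnel (UDP 8305) only from the FMC that manages this NGFWv
    NsgRule("allow-sftunnel", 110, "Inbound", "Allow", "Udp", (8305,), FMC_CIDR),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", ("*",), "*"),
]

def matches(rule, direction, protocol, port, src_ip):
    """True when a single rule covers the described flow."""
    if rule.direction != direction or rule.protocol not in ("*", protocol):
        return False
    if "*" not in rule.dest_ports and port not in rule.dest_ports:
        return False
    return rule.source_prefix == "*" or ip_address(src_ip) in ip_network(rule.source_prefix)

def evaluate(rules, direction, protocol, port, src_ip):
    """Return (access, rule name) of the first match in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, direction, protocol, port, src_ip):
            return rule.access, rule.name
    return "Deny", "implicit"   # not reached while DenyAllInBound is present

if __name__ == "__main__":
    flows = [("Tcp", 443, "203.0.113.7"), ("Udp", 8305, "198.51.100.10"),
             ("Tcp", 22, "192.0.2.55"), ("Udp", 8305, "192.0.2.55")]
    for proto, port, src in flows:
        print(f"{proto}/{port} from {src}: {evaluate(MGMT_NSG, 'Inbound', proto, port, src)}")
```

Anything not explicitly allowed, such as SSH from outside the admin range or SF-Tunnel attempted over TCP, falls through to DenyAllInBound.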

NGFWv supported machine size: Standard D3 & D3v2

Number of interfaces (subnets): 4 (2 + 2*)

NGFW platform: NGFWv

Number of vCPUs: 4

RAM (GB): 14

Interfaces: eth0, eth1, eth2, eth3

• Interfaces eth0 and eth1 are management interfaces

• Interfaces eth2 and eth3 are data interfaces

* Management interface

Cisco ASAv Firewall in the Public Cloud

Cisco® Virtual Firewall ASAv – Multiple-Hypervisor Support with Traditional Network Interaction

ASAv Instance (Marketplace): Standard D3 & D3v2

License Type: Bring your own license (BYOL)

Management

• Command Line Interface (CLI)

• REST-API

• Adaptive Security Device Manager (ASDM)

• Cisco Security Manager (CSM)

• Cisco Defense Orchestrator (CDO)

ASAv in Azure

Deploy ASAv in Azure in Routed Mode

• Launch supported ASAv instance from Azure Marketplace

• Deploy ASAv at the edge to provide RA VPN, Site-to-Site VPN, edge firewall and VNET peering capabilities

• North-South, East-West traffic inspection and micro-segmentation

• Supports Cisco Smart BYOL model

• Cisco ASAv10 in Azure can be licensed for 750 VPN endpoints by consuming an ASAv30 license, but F/W throughput stays the same

• Management interface can handle through-the-box traffic

• Active/Standby HA using built-in HA agent

ASAv supported machine size: Standard D3 & D3v2

Number of interfaces (subnets): 4

ASAv platform: ASAv10

Number of vCPUs: 4

RAM (GB): 14

Interfaces: eth0, eth1, eth2, eth3

Eth0 is the management interface, which can also be used as a data interface.

By default the management0/0 IP address is mapped to a public IP address on the Azure NAT gateway.

Cisco NGFWv & ASAv Performance Numbers

Cisco NGFWv & Cisco ASAv Performance Numbers in Azure

Instance | Instance Type | Throughput | Interfaces | VPN Endpoints

NGFWv | Standard D3, D3v2 | 1 Gbps | 2 + 2* | 250

ASAv (ASAv10) | Standard D3, D3v2 | 1 Gbps | 3 + 1* | 250 or 750

* Management interface

Deployment Models (Azure and AWS)

NGFWv in Azure – Routed Mode

Diagram: a vNET with internal workloads, an ASAv and an NGFWv (data interfaces eth2 and eth3), management from an on-premise FMC, and Internet users on the external Internet.

• NGFWv by default gets a private IP on eth0, which is mapped to a public IP address on the Azure NAT gateway for management access.

• If there is ExpressRoute connectivity from the data center then public IP access can be disabled and the private IP can be used for management access.

• If the eth2 interface is used as an external interface then we can assign multiple private addresses to eth2; each additional private address can be mapped to a public address on the Azure NAT gateway.

ASAv in Azure – Routed Mode

Diagram: a vNET with an ASAv in front of inside, dmz1 and dmz2 workload subnets; a Mgmt/Outside interface towards the Internet; Internet & RA VPN users (IKEv2 and IPsec/L2TP).

ASAv can be managed via CLI, REST API, Cisco® ASDM, Cisco® Security Manager or Cisco® Defense Orchestrator; third-party management tools via REST-API.

Cisco Smart Licensing for NGFWv and ASAv in Public Cloud

NGFWv licensing (Azure)

• Cisco Smart License (BYOL)

• Bring your own license

1. Place order

2. Cisco Smart Software Manager (distribution, entitlement)

3. Activate and use software; licenses are managed by Firepower Management Center

BASE License (Networking, Firewalling, AVC)

Term Based Licenses* (Threat, URL Filtering, AMP)

* Term is 1yr, 3yr & 5 year

ASAv licensing (AWS, Azure)

• Cisco Smart License (BYOL)

1. Place order

2. Cisco Smart Software Manager (distribution, entitlement)

3. Activate and use software

Standard License (Firewalling & Throughput)

AnyConnect License (supports SSL [TLS/DTLS] and IPsec IKEv2)

Clientless SSL VPN support available with Apex or VPN Only license tiers

Note: For AnyConnect license purchases, you do not complete the license registration to ASAv. You will need to register the Contract# to your Cisco.com ID to access SW downloads and tech support.

Orchestrate configuration using Cisco Defense Orchestrator (CDO)

Cisco Defense Orchestrator (CDO)

• ASA configuration orchestration

• CDO is licensed per device

• Cloud based solution

• Easy to integrate

Diagram: Cisco Defense Orchestrator managing devices over the Internet.

Premiere Portfolio in the Industry

• UTM

• Network Analytics

• Advanced Malware

• Secure Internet Gateway

• Web

• Policy and Access

• Email

• NGFW/NGIPS

• Cloud Access Security