Next-Generation Security Services Naasief Edross [email protected]
What would you do differently if you KNEW you were going to be compromised?
A change in mind-set occurs
A Threat-Centric Security Model is Needed
(Attack Continuum diagram: BEFORE – Discover, Enforce, Harden; DURING – Detect, Block, Defend; AFTER – Scope, Contain, Remediate. Applied across Network, Endpoint, Mobile, Virtual and Cloud, both Point in Time and Continuous.)
Shared Context & Security Intelligence
Cisco Security Strategic Imperatives
• Visibility-Driven: Network-Integrated, Broad Sensor Base, Context sharing and Automation
• Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
• Platform-Focused: Agile and Open Platforms, Built for Scale, Consistent Control, Management
Security Intelligence and Services
NGFW
Secure Access + Identity Services
VPN
UTM
NGIPS
Web Security
Email Security
Advanced Malware Protection
Network Behavior Analysis
Cisco uniquely covers the ENTIRE Attack Continuum
(Attack Continuum diagram repeated: BEFORE – Discover, Enforce, Harden; DURING – Detect, Block, Defend; AFTER – Scope, Contain, Remediate; with Sandboxing and TrustSec added to the portfolio mapping.)
Building a Threat-Centric Cisco Security Architecture
(Attack Continuum diagram repeated: BEFORE – Discover, Enforce, Harden; DURING – Detect, Block, Defend; AFTER – Scope, Contain, Remediate.)
Cisco NGFW / NGIPS Offerings
FirePOWER NGIPS
• Best-of-Breed NGIPS for Advanced Threat Protection
• Scalability up to 60Gbps+
• Application and Identity Aware
• Lower TCO Through Automation
ASA w/ FirePOWER Services
• Only threat-focused NGFW to cover the full attack continuum
• Available on existing ASA-X platforms
• Integrated NGIPS + AMP
• Ultra-Granular Policies: App, Identity, Risk, Business Relevance
Embedded Advanced Malware Protection (AMP)
• Class-leading advanced malware solution
• File reputation and sandboxing
• Malware Forensics reports
• Malware and file Retrospection
• Cisco AMP Everywhere ensures pervasive coverage
Flexible Deployment: Appliance, Virtual, Cloud
Cisco NGFW: Common NGIPS and AMP code base; Common Threat Management – FireSIGHT; Common Collective Security Intelligence
ASA and FirePOWER – Better Together
The Cisco ASA with FirePOWER Services brings together two mature, industry-leading products:
• Cisco ASA
- Best-of-breed stateful inspection firewall
- Applies NAT to embedded application protocol data
- Integrates with many other solutions, including: Unified Communications technologies, Active Directory, etc.
- Acts as a VPN termination: Site-to-site, remote access, and clientless SSL VPN
• Sourcefire FirePOWER services
- URL filtering to enforce acceptable use
- Application visibility and control (AVC)
- Threat protection (NGIPS) and Advanced Malware Protection (AMP)
• ASA provides ingress and egress processing for the Sourcefire module
- Ingress – ACLs, IP defragmentation, TCP normalization, TCP intercept
- Egress – ACLs, NAT, routing
ASA with FirePOWER Services: Best-in-Class NGFW (feature diagram)
• Identity-Policy Control & VPN
• URL Filtering (subscription)
• FireSIGHT Analytics & Automation
• Advanced Malware Protection (subscription)
• Intrusion Prevention (subscription)
• Application Visibility & Control
• Network Firewall, Routing | Switching
• Clustering & High Availability
• Cisco Collective Security Intelligence Enabled
• Built-in Network Profiling
• Cisco FireSIGHT Management Automates Operations
Cisco Multi-scale Performance – Security for the Internet Edge (Branch Locations, Small / Medium Internet Edge)
• ASA 5512-X: 1 Gbps max, 100K connections, 10,000 CPS
• ASA 5515-X: 1.2 Gbps max, 250K connections, 15,000 CPS
• ASA 5525-X: 2 Gbps max, 500K connections, 20,000 CPS
• ASA 5545-X: 3 Gbps max, 750K connections, 30,000 CPS
• ASA 5555-X: 4 Gbps max, 1M connections, 50,000 CPS
Cisco Multi-scale Performance – Security for the Enterprise and Data Centre (Enterprise Internet Edge and Data Centre)
• ASA 5585-SSP10: 4 Gbps max, 1 Million connections, 50,000 CPS
• ASA 5585-SSP20: 10 Gbps max, 2 Million connections, 125,000 CPS
• ASA 5585-SSP40: 20 Gbps max, 4 Million connections, 200,000 CPS
• ASA 5585-SSP60: 40 Gbps max, 10 Million connections, 360,000 CPS
FireSIGHT Management Centre Models
Model: 750 | 1500 | 2000 | 3500 | 4000 | Virtual
Max. Devices Managed*: 10 | 35 | 70 | 150 | 300 | up to 25
Event Storage: 100 GB | 125 GB | 1.8 TB | 400 GB | 4.8/6.3 TB
Max. Network Map (hosts / users): 2K/2K | 50K/50K | 150K/150K | 300K/300K | 600K/600K
Events per Sec (EPS): 2000 | 6000 | 12000 | 10000 | 20000
Virtual FireSIGHT Management Centre offerings are limited to 2 or 10 Managed Devices (FS-VMW-2-SW-K9, FS-VMW-10-SW-K9)
* Max number of devices is dependent upon sensor type and event rate
Deployment Guidelines
ASA Deployment Modes for FirePOWER Services
• FirePOWER Services is supported in the following ASA deployment modes:
  – Active Standby for locations where high availability is the primary concern
  – Clustering for locations where:
    • Asymmetry is a concern
    • High availability is required
    • Horizontal performance scaling is needed
  – Multi-Context for separation of policy by logical and physical interfaces
Active Standby High Availability
– Available on ASA 5500-X and ASA 5585-X
– L2 Transparent or L3 Routed deployment options
– Failover Link
– ASA provides valid, normalized flows to the FirePOWER module
– State-sharing between Firewalls for high availability
  • NOTE: State sharing does not occur between FirePOWER Services Modules
Deploying ASA w/ FirePOWER Services
Scaling FirePOWER Services with ASA5585-X Clustering
– Up to 16 ASA5585-X with FirePOWER Services
– Stateless load balancing by external switch to ASA
– L2 Transparent or L3 Routed deployment options
– Support for vPC, VSS and LACP
– Cluster Control Protocol/Link
– State-sharing between Firewalls for symmetry and high availability
  • NOTE: State sharing does not occur between FirePOWER Services Modules
– Every session has a Primary Owner and Director
– ASA provides traffic symmetry to the FirePOWER module
Deploying ASA w/ FirePOWER Services
Multi-Context ASA Deployments
– ASA can be configured in multi-context mode such that traffic going through the ASA can be assigned different policies.
– These interfaces are reported to the FirePOWER blade and can be assigned to security zones that can be used in differentiated policies.
– In this example, you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside.
– Note: There is no management segmentation inside the FirePOWER module similar to the context idea inside the ASA configuration.
(Diagram: Multi-Context ASA Deployments – Admin Context and Context1; contexts A and B, each with Outside and Inside interfaces.)
FirePOWER Services Demonstration: Monitor-Only Mode
– Monitor Mode allows FirePOWER Services to analyze traffic without the ASA being placed in the data path.
– Shows the features and services provided by FirePOWER Services without the need to fully configure firewall services on the ASA.
– Customer demonstrations are the best way to show proof of value.
(Currently, for demonstration purposes only)
(Diagram: SPAN feed to FirePOWER Services for ASA in Monitor-Only Mode)
Clustering Solves Customer Requirements
– ASA Clustering provides a variety of benefits
– Investment Protection: Pay as you grow
  • Performance scaling
– High Availability
– Simplifies Deployments in complicated environments
  • Handles some geographically separated Data Centre designs
  • Dynamically handles asymmetric traffic for security service inspection without forcing changes to routing or packet flow.
Investment Protection: Pay as you Grow – Horizontal Scaling
• FW MAX Throughput: 640 Gbps
• FW+FirePOWER IPS Maximum Throughput: 160+ Gbps
• FirePOWER IPS 440 Byte Throughput: 96 Gbps
Up to 16 ASA 5585-X Devices
Performance and Sizing
Performance: How to Measure and Why it Matters?
– Sizing: Which device do I need to buy?
  • Upgrade of existing or new device?
– Features: What features am I going to need or want to run?
  • Firewall, IPS, Application Control, URL, Malware?
– Location: Where is the device in the network?
  • In front of a DNS-only Data Centre with millions of very small, very fast transactions, or in front of HTTP web servers serving normal web pages?
  • Data Centre looking at only internal traffic, or Internet Edge looking at the wild Internet?
– As with all performance discussions, YOUR MILEAGE MAY VARY
How to Measure?
– Different product spaces have different typical “throughput” tests
– Firewall max throughput numbers tend to be based on non-helpful packet sizes
  • UDP 1518 byte packet size is fairly common
– IPS performance range is much more variable than for firewalls, partly because of industry choice
  • TCP 440 byte HTTP is fairly common
– Multi-feature devices must somehow provide useful, accurate performance numbers
Performance Impacts by Location
• Direct Impact Factors
  – Different traffic types
  – Different average packet sizes
• Indirect Impact
  – Physical Placement
  – Amount of traffic to be inspected
  – Level of malicious traffic
  – Level of analysis and logging
Location Specific Traffic Profiles
– When deploying FirePOWER Services for ASA, the traffic profiles at the location can impact the performance of the device differently than standard test methods.
– Educational, ISP, and SMB protocol mixes have a slight impact
– Enterprise applications and Enterprise Data Centre have a greater impact
How to Use the Numbers?
– Maximum Throughput numbers are used to compare datasheets.
– They are tested using traffic types or configuration profiles that do not represent real deployments
– Sizing data should always be measured with the device under load
– Configurations should use a variety of inspection paths
– 440 byte HTTP average packet size connections stress devices, are easy to reproduce and reflect real world traffic patterns
– Multi-protocol tests can be used, but are harder to reproduce and the results may be confusing
FirePOWER Services on ASA Feature Guidance
– Comparable performance to classic IPS on the same platforms with the 440 byte TCP/Transactional Profile (same test as the FirePOWER appliance)
– If you run AVC or AVC+AMP on top of IPS, reduce throughput by:
  • 30-45% less for IPS + AVC
  • 50-65% less for IPS + AVC + AMP
  • Proportions generally consistent with FirePOWER Appliances
FirePOWER Services for ASA Data Sheet
– FirePOWER Services for ASA will include both a maximum throughput number as well as a 440 Byte HTTP number more relevant for sizing.
Model: 5512-X | 5515-X | 5525-X | 5545-X | 5555-X | 5585-10 | 5585-20 | 5585-40 | 5585-60
Maximum Application Control Throughput (Mbps): 300 | 500 | 1100 | 1500 | 1750 | 4500 | 7000 | 10000 | 15000
Maximum Application Control and IPS Throughput (Mbps): 150 | 250 | 650 | 1000 | 1250 | 2000 | 3500 | 6000 | 10000
Application Control or IPS Sizing Throughput (Mbps, 440 Byte HTTP): 100 | 150 | 375 | 575 | 725 | 1200 | 2000 | 3500 | 6000
Sizing Guidance for Upgrade
– When replacing an existing service module like Cisco CX or the classic IPS module:
  • Understand the traffic load the device is seeing
  • Understand the inspection load the current device is under
  • Compare the current inspection load, if possible, to the expected load on the new module, reducing available throughput based on the features required
– If you run more features, the performance will be impacted (more work is harder than less work!)
FirePOWER Services for ASA vs. Cisco ASA-CX
– Comparing FirePOWER Services to CX on ASA 5525-X using EMIX (ASA multiprotocol test)
– AVC URL: matched applications and HTTP URLs on both platforms
– ASA-CX IPS: around 1000 threats
– FirePOWER Services IPS: balanced policy with ~4000 sigs
Test: AVC URL | AVC URL IPS
FirePOWER Services on 5525: 750 | 400
CX on 5525: 675 | 260
FirePOWER Services vs. ASA Classic IPS
– IPS-only test comparing throughput of FirePOWER Services for ASA to the classic IPS-only module.
– Tested using the same 440 byte HTTP Transactional test that was the benchmark for classic IPS.
Model: 5512 | 5515 | 5525 | 5545 | 5555 | 5585-10 | 5585-20 | 5585-40 | 5585-60
FirePOWER Services on ASA: 100 | 150 | 375 | 575 | 725 | 1200 | 2000 | 3500 | 6000
Classic IPS on ASA: 150 | 250 | 400 | 600 | 850 | 1150 | 1500 | 3000 | 5000
Upgrading from ASA with Classic IPS to FirePOWER Services for ASA
– When upgrading from classic IPS to FirePOWER Services, adding new features can require a platform change. Generally each new major feature is a step up, assuming the box is near capacity.
Model: 5512-X | 5515-X | 5525-X | 5545-X | 5555-X | 5585-10 | 5585-20 | 5585-40 | 5585-60
Original IPS Module: 150 | 250 | 400 | 600 | 850 | 1150 | 1500 | 3000 | 5000
FirePOWER IPS + AVC: 75 | 100 | 255 | 360 | 450 | 800 | 1200 | 2100 | 3500
FirePOWER IPS + AVC + AMP: 60 | 85 | 205 | 310 | 340 | 550 | 850 | 1500 | 2300
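Worked sizing example for the upgrade guidance above (added here; not Cisco tooling or part of the deck). It embeds the slide's 440-byte sizing figures and picks the smallest platform that still carries the load a classic IPS module is actually measured to handle once AVC and AMP are enabled; `utilisation` is an assumed input representing the measured fraction of classic-IPS capacity in use.

```python
"""Sizing helper for the classic IPS -> FirePOWER Services upgrade table.

Throughput figures (Mbps, 440-byte HTTP sizing test) are copied from the
upgrade slide; the helper functions themselves are an added example.
"""

# Platforms in ascending performance order (column order of the slide).
MODELS = ["5512-X", "5515-X", "5525-X", "5545-X", "5555-X",
          "5585-10", "5585-20", "5585-40", "5585-60"]

# Rows of the "Upgrading from ASA with Classic IPS" table, in Mbps.
THROUGHPUT = {
    "classic_ips": [150, 250, 400, 600, 850, 1150, 1500, 3000, 5000],
    "ips+avc":     [75, 100, 255, 360, 450, 800, 1200, 2100, 3500],
    "ips+avc+amp": [60, 85, 205, 310, 340, 550, 850, 1500, 2300],
}


def sizing_throughput(model, features):
    """Sizing (440-byte HTTP) throughput of `model` with `features` enabled."""
    return THROUGHPUT[features][MODELS.index(model)]


def smallest_platform(required_mbps, features):
    """Smallest listed platform whose sizing throughput meets the load,
    or None when no listed platform is large enough."""
    for model, mbps in zip(MODELS, THROUGHPUT[features]):
        if mbps >= required_mbps:
            return model
    return None


def upgrade_target(current_model, utilisation, features):
    """Platform needed to keep serving the *measured* load after an upgrade.

    `utilisation` is the fraction of classic-IPS sizing capacity the current
    module really carries (assumed measured input, as the slide advises,
    rather than taking the box to be at capacity).  Returns (load_mbps, model).
    """
    load = sizing_throughput(current_model, "classic_ips") * utilisation
    return load, smallest_platform(load, features)


if __name__ == "__main__":
    # A 5525-X classic IPS at full load needs two platform steps once AMP is
    # added; the same box measured at 70% load fits on a 5545-X either way.
    for feats in ("ips+avc", "ips+avc+amp"):
        for util in (1.0, 0.7):
            load, target = upgrade_target("5525-X", util, feats)
            print(f"5525-X classic IPS at {util:.0%} ({load:.0f} Mbps) "
                  f"-> {feats}: {target}")
```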
Start with Best-of-breed Products
NSS Labs Testing – Sept 2014: NEXT GENERATION FIREWALL COMPARATIVE ANALYSIS
NSS Labs – Breach Detection Systems Security Value Map (Source: NSS Labs 2014)
Cisco Advanced Malware Protection (AMP) has the lowest TCO of any product tested. It is also a leader in security effectiveness, achieving detection of 99 percent of all tested attacks. AMP excelled in time-to-detection, catching threats faster than competing Breach Detection Systems.
NSS Labs – Intrusion Prevention Systems Security Value Map (Source: NSS Labs 2012; products plotted: Sourcefire Virtual IPS, Sourcefire 3D8120, Sourcefire 3D8250, Sourcefire 3D8260)
Based on individual and comparative testing of vendors in the IPS market, Cisco* FirePOWER NGIPS leads the Security Value Map and provides the best protection possible while also leading the class in total cost of ownership. * Formerly Sourcefire FirePOWER
Superior Intelligence to battle Advanced Threats
Cisco Collective Security Intelligence – Cisco® SIO, Talos, Sourcefire VRT®
Intelligence sources:
• 180,000+ File Samples per Day
• FireAMP™ Community, 3+ million
• Advanced Microsoft and Industry Disclosures
• Snort and ClamAV Open Source Communities
• Honeypots
• Sourcefire AEGIS™ Program
• Private and Public Threat Feeds
• Dynamic Analysis
Scale:
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600+ engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 40+ languages
Pervasive across Portfolio: Email, AMP, Web, Network, NGIPS, NGFW
“So do any network security vendors understand Data Centre and what’s needed to accommodate network security? Cisco certainly does.”
“Cisco is disrupting the advanced threat defense industry.”
“… AMP will be one of the most beneficial aspects of the [Sourcefire] acquisition.”
“Based on our (Breach Detection Systems) reports, Advanced Malware Protection from Cisco should be on everyone’s short list.”
3rd Party Market Recognition
2014 Vendor Rating for Security: Positive – The AMP products will provide deeper capability to Cisco's role in providing secure services for the Internet of Everything (IoE).
FirePOWER Services New Capabilities
• Response: Prioritize Response; Discover infected hosts; Correlates data from all engines; Endpoint and Network working together
• Forensics: Threat Summary; Execution Reports
• Save File Content; Policy Control; Safe Retrieval
• File Detection: Custom Apps; SHA256
• Dynamic Analysis: File Threat Scores; Block by Threat Score
• Block Source; Block Destination; Country; Continent
A Trusted Security Advisor
“Cisco figured out a way to cohesively explain how its security offerings fit together. For the first time, the company presented an organizing principle or model to better explain its sprawling portfolio of products, services, and embedded features: It now organizes its portfolio into technology and capabilities that you need before, during, and after an attack.”
“Sourcefire, architecture, and services place Cisco in the catbird seat for emerging enterprise cybersecurity requirements if Cisco remains aggressive… Based upon what I saw the week at Cisco Live, I believe that the company has turned a corner. Cisco can now return to a leadership role in enterprise security technology...”
Enhance with Cisco Security Services
• Advisory: Custom Threat Intelligence; Technical Security Assessments
• Integration: Integration Services; Security Optimization Services
• Managed: Managed Threat Defense; Remote Managed Services
Cisco Services Portfolio: Managed Security; Hosted Security; Product Support; Deployment; Migration; Optimization; Program Strategy; Architecture and Design; Assessments