© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 1 © 2012 Cisco and/or its affiliates. All rights reserved.
Toronto, CA
May 30th, 2013
Eric Kostlan
Cisco Technical Marketing
Cisco Next Generation Firewall Services
Objectives
At the conclusion of this presentation and demonstration, you will be able to:
• Describe the ASA NGFW and PRSM architecture
• Describe the features of the ASA NGFW
  Application Visibility and Control (AVC)
  Web Security Essentials
• Utilize the policy framework
  Policy objects, policies, policy sets
  Device and object discovery
Module Map
• Architecture
• Policy framework
• Device import
• Eventing and reporting
• Demonstration
ASA 5585-X with CX hardware module
[Hardware labels:]
• Two hard drives, RAID 1 (event data)
• 10GE and GE ports
• Two GE management ports
• 8 GB eUSB (system)
The ASA 5500-X series firewalls
• Models are 5512-X, 5515-X, 5525-X, 5545-X and 5555-X
• 1-4 Gbps throughput
• Integrated services implemented as a software module
  o Intrusion prevention system (IPS)
  o Context aware next generation firewall (CX)
• Feature parity with the ASA CX on the 5585-X
• Must add an SSD to the ASA 5500-X to install the CX module
Cisco Prime Security Manager (PRSM)
• Built-in
  Configuration
  Eventing
  Reporting
• Off-box
  Configuration
  Eventing
  Reporting
  Multi-device manager for ASA CX
  Role Based Access Control
  Virtual Machine or UCS Appliance
  PRSM Virtual Machine supports VMware ESXi
PRSM / ASA CX communication
[Diagram labels: ASA CX ↔ PRSM over RESTful XML (REST = Representational State Transfer); ASA CX → PRSM: Reliable Binary Logging; Cisco SIO → ASA CX and PRSM: Application Identification Updates, over HTTPS]
Packet flow diagram – ASA and CX
• ASA processes all ingress/egress packets
  No packets are directly processed by CX except for management
• CX provides Next Generation Firewall Services
[Diagram: ASA Ingress → ASA Module (Ports, 10GE NICs, CPU Complex, Fabric Switch, Crypto Engine) ↔ Backplane (CX Ingress) ↔ CX Module (10GE NICs, CPU Complex, Fabric Switch, Crypto or Regex Engine); Egress after CX processing]
Functional distribution
[Diagram: functions split between the ASA and the CX module, labels as extracted]
• ASA: IP Fragmentation, IP Option Inspection, TCP Intercept, TCP Normalization, ACL, NAT, VPN Termination, Routing, TLS Proxy, Botnet filtering
• CX: TCP Proxy, TLS Proxy, AVC, Multiple Policy Decision Points, HTTP Inspection, URL Category/Reputation
TLS proxy acts as man-in-the-middle
• Two separate sessions, separate certificates and keys
• ASA CX acts as a CA, and issues a certificate for the web server
[Diagram: corporate network client ↔ ASA CX ↔ web server; the steps run on the client-side session and the server-side session]
1. Negotiate algorithms (both sessions).
2. ASA CX authenticates the server certificate (server-side session).
3. ASA CX generates a proxied server certificate.
4. Client authenticates the “server” certificate (client-side session).
5. Generate encryption keys (both sessions).
6. Encrypted data channel established (both sessions).
The certificate is generated dynamically with the destination name but signed by ASA CX.
TLS Proxy – Extending NGFW services to TLS traffic
• Decrypts SSL and TLS traffic across any port
• Self-signed (default) certificate or customer certificate and key
  The self-signed certificate can be downloaded and added to the trusted root certificate store on the client
• Decryption policies determine which traffic to decrypt
  CX cannot read the hostname in the client request to choose a decryption policy because the request is encrypted
  FQDN and URL category are determined using the server certificate
• If the decision is made to decrypt, CX acts as a man-in-the-middle
  A new certificate is created, signed by CX or by the customer CA
  Information such as FQDN and validity dates are copied from the original certificate
  Name mismatches and expired certificate errors are ignored by CX
  Name mismatches and expired certificate errors must be handled by the client
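The two-session handshake on the previous slide and the certificate-copying rules above, as an added worked example in Go; it is not Cisco code and not part of the original deck. The names newProxyCA, newOriginCert, proxiedCert, poolWith and clientAccepts are hypothetical, and the proxy CA, the origin server certificate and the host name www.example.com are constructed for the demo. It shows that the proxied certificate carries the origin's subject, SAN and validity dates but a signature from the proxy CA, so a client with the CA in its trusted root store accepts it, a client without it rejects it, and a name mismatch is still the client's to handle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// rand.Reader does not fail in practice, so the error is dropped for brevity.
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// newProxyCA stands in for the CX self-signed certificate (or the customer CA)
// that clients must carry in their trusted root store. Hypothetical name, demo values.
func newProxyCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: "Demo Proxy CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newOriginCert is a constructed stand-in for the web server's own certificate as seen
// on the server-side session (step 2); only its name and validity dates matter here.
func newOriginCert(host string, validDays int) (*x509.Certificate, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(validDays) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// proxiedCert is step 3: subject, SANs and validity dates are copied from the origin
// certificate, the key is fresh and the signature is the proxy CA's. A name mismatch
// or an expired date in the original is copied too, which is why the client must handle it.
func proxiedCert(orig, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      orig.Subject,
		DNSNames:     orig.DNSNames,
		NotBefore:    orig.NotBefore,
		NotAfter:     orig.NotAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// poolWith models a client's trusted root store; empty means the proxy CA was never installed.
func poolWith(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// clientAccepts is step 4 from the client's side: chain, host name and validity window.
func clientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ca, caKey, _ := newProxyCA()
	orig, _ := newOriginCert("www.example.com", 30)
	leaf, _ := proxiedCert(orig, ca, caKey)
	fmt.Println("CA installed:    ", clientAccepts(leaf, poolWith(ca), "www.example.com"))
	fmt.Println("CA not installed:", clientAccepts(leaf, poolWith(), "www.example.com"))
	fmt.Println("name mismatch:   ", clientAccepts(leaf, poolWith(ca), "other.example.com"))
}
```

The first check succeeds only because the demo CA is in the pool; the second fails with an unknown-authority error, which is the warning a user sees when the CX certificate has not been distributed to clients; the third fails on the host name even though the CA is trusted, because the proxied certificate copied the origin's names unchanged.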
Licensed feature – Application Visibility and Control
[Diagram: the ASA/CX functional distribution diagram repeated; see Functional distribution above]
Application Visibility and Control
• Supported applications: 1000+
• Supported micro-applications: 150,000+
• Powered by the Cisco Security Intelligence Operation (SIO)
  Utilizes application signatures
  By default, PRSM and CX check for updates every 5 minutes
Broad AVC vs. Web AVC
• Broad AVC
  Broad protocol support
  Resides in the data plane
  Less granular control
  Supports:
    Application types – for example, email
    Applications – for example, Simple Mail Transfer Protocol
• Web AVC
  HTTP and decrypted HTTPS only
  More granular control
  Supports:
    Application types – for example, Instant Messaging
    Applications – for example, Yahoo Messenger
    Application behavior – for example, File Transfer
[Diagram labels: Non-HTTP/HTTPS packet flow; HTTP packet flow; HTTPS packet flow]
Licensed feature – Web Security Essentials
[Diagram: the ASA/CX functional distribution diagram repeated; see Functional distribution above]
Web Security Essentials – Reputation
Default web reputation profile
[Diagram: reputation scale from -10 through +10 (ticks at -10, -5, 0, +5, +10) with these descriptions placed along it, from the negative end to the positive end:]
• Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
• Phishing sites, bots, drive by installers. Extremely likely to be malicious.
• Aggressive Ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
• Sites with some history of responsible behavior or 3rd party validation.
• Well managed, responsible content syndication networks and user generated content.
• Sites with long history of responsible behavior. Have significant volume and are widely accessed.
Suspicious: -10 through -6
Not suspicious: -5.9 through +10
Web Security Essentials – URL filtering
• Used to enforce acceptable use
• Predefined and custom URL categories
• 78 predefined URL categories
• 20,000,000+ URLs categorized
• 60+ languages
• Powered by the Cisco Security Intelligence Operation (SIO)
  Utilizes application signatures
  By default, PRSM and CX check for updates every 5 minutes
Active authentication
• Requires an HTTP request to initiate authentication
  1. ASA CX sees an HTTP request from a client to a remote website
  2. ASA CX redirects the client to the ASA inside interface (port 885 by default). The redirect is accomplished by sending a proxy redirect to the client (HTTP return code 307), spoofing the remote website
  3. ASA CX sends the client an authentication request (HTTP return code 401)
  4. After authentication, ASA CX redirects the client back to the remote website (HTTP return code 307)
• After authentication, ASA CX uses the IP address to track the user
  Both HTTP and non-HTTP traffic will now be associated with the user
• Integrates with enterprise infrastructure
• Supported directories include
  Microsoft Active Directory
  OpenLDAP
  IBM Tivoli Directory Server
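The four-step redirect sequence above, as an added simulation in Go that is not Cisco code and not part of the deck. dataPathHandler stands in for the CX in the data path and authHandler for the listener on the ASA inside interface; both run on loopback test servers instead of port 885, the credentials fred/demo-pass are constructed, and the IP-to-user table is a hypothetical stand-in for the CX's tracking state. The point it shows is the state change: before authentication the client IP is unknown and any HTTP request gets a 307 to the authentication listener; after a successful 401 challenge the client is sent back with a 307, and from then on requests from that IP are associated with the user without a further challenge.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// userTable is a hypothetical stand-in for the CX's IP-to-user mapping.
type userTable struct {
	mu   sync.Mutex
	byIP map[string]string
}

func (t *userTable) get(ip string) (string, bool) {
	t.mu.Lock()
	defer t.mu.Unlock()
	u, ok := t.byIP[ip]
	return u, ok
}

func (t *userTable) set(ip, user string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.byIP[ip] = user
}

func clientIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// dataPathHandler plays the CX in the client's path to the remote website (steps 1-2): an
// unknown client IP gets a 307 to the authentication listener carrying the original URL;
// a known IP is associated with its user and passed through.
func dataPathHandler(users *userTable, authBase string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if user, ok := users.get(clientIP(r)); ok {
			w.Header().Set("X-Demo-User", user)
			fmt.Fprintf(w, "forwarded to %s as %s\n", r.Host, user)
			return
		}
		orig := "http://" + r.Host + r.URL.RequestURI()
		http.Redirect(w, r, authBase+"/auth?redirect="+url.QueryEscape(orig), http.StatusTemporaryRedirect)
	})
}

// authHandler plays the listener on the ASA inside interface (steps 3-4): missing or bad
// credentials get a 401 challenge; good ones record IP->user and 307 back to the original URL.
func authHandler(users *userTable, valid func(user, pass string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !valid(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="demo"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		users.set(clientIP(r), user)
		http.Redirect(w, r, r.URL.Query().Get("redirect"), http.StatusTemporaryRedirect)
	})
}

// runFlow drives one client through the sequence on loopback test servers and returns the
// status codes seen, in order, plus the user the data path finally attaches to the client.
func runFlow() ([]int, string, error) {
	users := &userTable{byIP: map[string]string{}}
	auth := httptest.NewServer(authHandler(users, func(u, p string) bool { return u == "fred" && p == "demo-pass" }))
	defer auth.Close()
	cx := httptest.NewServer(dataPathHandler(users, auth.URL))
	defer cx.Close()
	// The client does not follow redirects, so each hop is observed separately.
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	var codes []int
	get := func(u, user, pass string) (*http.Response, error) {
		req, _ := http.NewRequest("GET", u, nil)
		if user != "" {
			req.SetBasicAuth(user, pass)
		}
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		codes = append(codes, resp.StatusCode)
		return resp, nil
	}
	r1, err := get(cx.URL+"/index.html", "", "") // steps 1-2: 307 to the auth listener
	if err != nil {
		return nil, "", err
	}
	loc := r1.Header.Get("Location")
	if _, err = get(loc, "", ""); err != nil { // step 3: 401 challenge
		return nil, "", err
	}
	r3, err := get(loc, "fred", "demo-pass") // step 4: 307 back to the website
	if err != nil {
		return nil, "", err
	}
	r4, err := get(r3.Header.Get("Location"), "", "") // now passed through as fred
	if err != nil {
		return nil, "", err
	}
	return codes, r4.Header.Get("X-Demo-User"), nil
}

func main() {
	codes, user, err := runFlow()
	fmt.Println(codes, user, err)
}
```

The status sequence the client sees is 307, 401, 307, 200. The table is keyed by client IP on purpose: that is what lets the CX attach non-HTTP flows from the same address to the user afterwards, and it is also why a shared address (a NAT or a terminal server) maps every user behind it to whoever authenticated last.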
Passive authentication
• Endpoint must be a domain member
• Supported for all traffic and all clients
• Utilizes an agent
  Agent gathers information from the Active Directory server
  Agent caches information
  ASA CX/PRSM queries the agent for user information
  ASA CX/PRSM queries the Active Directory server for group membership information
• Two agents available
  Cisco Active Directory Agent (AD agent) – older agent; Windows application
  Context Directory Agent (CDA) – newer agent; stand-alone, Linux-based server, can be run as a VM; intuitive web-based GUI and Cisco IOS-style CLI
Passive authentication protocols
[Diagram: clients log on to Active Directory; the AD Agent or CDA gathers logon information from Active Directory over WMI; ASA CX queries the AD Agent or CDA (acting as a RADIUS server) over RADIUS; ASA CX queries Active Directory over LDAP]
Module Map
• Architecture
• Policy framework
• Device import
• Eventing and reporting
• Demonstration
Policy objects, policies and policy sets
Policies and policy sets
• Policies apply actions to subsets of network traffic
• Two main components
  Policy match – a set of criteria used to match traffic to the policy
  Action – the action to be taken if the policy is matched
• Three types of policies
  Access
  Identity
  Decryption
• A policy set is an ordered collection of policies of a particular type
  For any ASA CX, at most one policy set of each type is in use
  Policies are assigned using top-down policy matching – order matters!
  At most one policy is matched for each policy set
  If no defined policy is matched, the implicit policy is enforced
• Policy set implicit policies are as follows
  Access policy sets end with implicit allow all
  Decryption policy sets end with implicit do not decrypt
  Identity policy sets end with implicit do not require authentication
Policy sets
• Identity – How will users be identified?
• Decryption – What TLS/SSL traffic should be decrypted?
• Access – What traffic will be allowed or denied?
Policy objects
• Used to create policies
  Policy objects classify traffic
  They are used to decide which policy to match
• Predefined and user defined
• May be nested
• Many types
URL objects
• Used to identify traffic based on URL or URL category
• Can only be used as a destination in a policy
• HTTP or HTTPS only
  For HTTPS, the URL object uses information in the subject of the certificate
  Do not specify the protocol; URL objects will match both HTTP and HTTPS
• Contains
  URLs – enter a domain to match any URL in the domain; supports limited string matching
  URL categories
  Other URL objects
• Contain include and exclude lists
Application objects
• Used to identify what application the client is attempting to use
• Utilizes the Application Visibility And Control (AVC) functionality of the ASA CX
• Contains
  Applications (recognized by the ASA CX) – examples: Facebook photos, webmail, Yahoo IM
  Application types – examples: Facebook, e-mail, IM
  Other Application objects
UserAgent objects
• User-agent string
  Part of the HTTP request header
  Identifies the client OS and agent
  Examples: Safari running on an iPad; Windows update agent
• User agent object
  Can only be used for HTTP traffic
  Can only be used as a source in a policy
  Predefined user agent objects are sufficient for most uses
  Contains
    User agent string – an asterisk (*) can be used to match zero or more characters
    Other user agent objects
Example of user-agent string
Secure Mobility objects
• Used to create policies specific to AnyConnect VPN traffic
• Can only be used as a source in a policy
• One exists by default: All remote users
• Others can be created to match specific device types
• Can contain
Device types
Other Secure Mobility objects
Complex objects
• Allow for more complicated traffic matching
• Contain collections of entries, or rows
  Elements of each entry are ANDed together
  Entries are then ORed together
• Application-Service objects – match combinations of applications and services
• Destination object groups – match combinations of URL objects and Network objects
• Source object groups – match combinations of Network objects, Identity objects, User Agent objects and Secure Mobility objects
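A model of the policy framework from the Policies and policy sets slide together with the complex-object rules above, as an added example in Go; it is not Cisco code and not part of the deck. Flow, Entry, Policy, PolicySet and the policy names are hypothetical and the sample access policy set is constructed. It implements top-down first-match evaluation with the implicit default for each policy type, entries whose criteria are ANDed inside a policy whose entries are ORed, the domain matching of URL objects and the * wildcard of user agent objects. Its sample flows show why order matters: a Windows Update request from the contractor account to facebook.com is allowed by the earlier policy even though a later policy would deny it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type PolicyType int

const (
	Access PolicyType = iota
	Identity
	Decryption
)

// Flow is the traffic being classified; the fields are constructed for the demo.
type Flow struct{ User, UserAgent, Host, Application string }

// Entry is one row of a complex object: every non-empty criterion must hold (ANDed).
type Entry struct {
	User          string // exact user name
	UserAgentGlob string // user-agent pattern, '*' matches zero or more characters
	Domain        string // the host or any sub-domain of it, like a URL object
	Application   string // application name as AVC reports it
}

// Policy matches when any of its entries matches (ORed); no entries means any traffic.
type Policy struct {
	Name    string
	Entries []Entry
	Action  string
}

type PolicySet struct {
	Type     PolicyType
	Policies []Policy
}

// globMatch implements the '*' wildcard the page describes for user-agent strings.
func globMatch(pattern, s string) bool {
	re := "^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*") + "$"
	ok, _ := regexp.MatchString(re, s)
	return ok
}

func domainMatch(domain, host string) bool {
	return host == domain || strings.HasSuffix(host, "."+domain)
}

func (e Entry) Matches(f Flow) bool {
	return (e.User == "" || e.User == f.User) &&
		(e.UserAgentGlob == "" || globMatch(e.UserAgentGlob, f.UserAgent)) &&
		(e.Domain == "" || domainMatch(e.Domain, f.Host)) &&
		(e.Application == "" || e.Application == f.Application)
}

func (p Policy) Matches(f Flow) bool {
	for _, e := range p.Entries {
		if e.Matches(f) {
			return true
		}
	}
	return len(p.Entries) == 0 // no entries means "any traffic"
}

// implicitAction is the end-of-set default for each policy type, as listed on the page.
var implicitAction = map[PolicyType]string{
	Access:     "allow",
	Decryption: "do not decrypt",
	Identity:   "do not require authentication",
}

// Evaluate walks the set top-down and stops at the first match: at most one policy applies.
func (ps PolicySet) Evaluate(f Flow) (name, action string) {
	for _, p := range ps.Policies {
		if p.Matches(f) {
			return p.Name, p.Action
		}
	}
	return "(implicit)", implicitAction[ps.Type]
}

// demoAccessSet is a constructed access policy set; the order is deliberate.
func demoAccessSet() PolicySet {
	return PolicySet{Type: Access, Policies: []Policy{
		{Name: "allow-windows-update", Action: "allow", Entries: []Entry{{UserAgentGlob: "Windows-Update-Agent*"}}},
		{Name: "deny-yahoo-im", Action: "deny", Entries: []Entry{{Application: "Yahoo Messenger"}, {Domain: "messenger.yahoo.com"}}},
		{Name: "deny-contractor-facebook", Action: "deny", Entries: []Entry{{User: "contractor", Domain: "facebook.com"}}},
	}}
}

func main() {
	f := Flow{User: "contractor", Host: "www.facebook.com", UserAgent: "Windows-Update-Agent/7.9"}
	name, action := demoAccessSet().Evaluate(f)
	fmt.Println(action, "by", name) // the earlier policy wins, so the later deny never runs
}
```

A flow that matches nothing falls through to the implicit action of the set's type, which for an access set is allow; this is the reason an access policy set that is meant to restrict traffic needs an explicit final deny rather than relying on the end of the list.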
Profiles
• File filtering profile
  HTTP and decrypted HTTPS traffic only
  Blocks the download of specific MIME types
  Blocks the upload of specific MIME types
• Web reputation profile
  HTTP and decrypted HTTPS traffic only
  Web reputation scores are provided for websites by the Cisco Security Intelligence Operations
  Web reputation scores vary from -10 to 10
  The default profile considers websites with a reputation score from -10 through -6 suspicious (the default profile cannot be edited or deleted)
  Websites without reputation scores are not considered suspicious
  The action taken for a suspicious website depends on the policy type; for example, access policies can block websites of low reputation
Module Map
• Architecture
• Policy framework
• Device import
• Eventing and reporting
• Demonstration
Device discovery and import (multi-device mode only)
• First you must enter the IP address (or hostname) of the ASA, along with privileged credentials
• The CX module will be discovered through the ASA. You must enter the admin password to complete the import.
• When a device is imported, it is placed into a device group
• Device groups are assigned policy sets. Therefore, policies are consistent within a device group
• When the device is imported, you must resolve any policy set naming conflict
[Screenshots: Valid Policy Set Assignment; Invalid Policy Set Assignment]
ASA object discovery (multi-device mode only)
• Network and service objects and groups are imported from the ASA during device import
• Added to the PRSM policy database and available for policy configuration
  Modifications made to objects on PRSM are not pushed to the ASA
  Modifications made to objects on the ASA are not pushed to PRSM
• Automatically renamed if there are naming conflicts
  _<PRSM name for the ASA> is appended to the name of the imported object
Module Map
• Architecture
• Policy framework
• Device import
• Eventing and reporting
• Demonstration
The Event viewer
• Gives visibility to events generated by the CX module
• Tabs
  System events
  All events
  Authentication
  ASA (only used if PRSM is a SYSLOG server for ASAs)
  Encrypted Traffic View
  Context Aware Security – shows next generation functionality
  Context Aware Events
  Custom tabs
• Two modes
  Real time eventing – user defined refresh interval
  Historic eventing – user defined time range
Event viewer filters
• Used to reduce the number of events that are displayed
• Filters are a list of attribute-value pairs
  Attribute-value pairs with the same attribute are ORed together
  The expressions for each attribute are then ANDed together
  Example: Username=Fred Username=Gail Application=Twitter means (Username=Fred OR Username=Gail) AND Application=Twitter
  Most attributes support the operations = and !=. Some also support > and <
• Two ways to add to a filter
  Clicking on a cell in the event viewer adds that attribute-value pair to the filter
  Select an attribute (with operation <, =, >) from the Filter drop-down list and then select the value
  If you want the operator to be inequality, you must manually change = to !=
• Filters may be saved and recalled
  Saved filters are added to the right-hand side of the Filter drop-down list
[Screenshots: Event viewer filters; Event Details; Policy correlation; Network Overview (top, middle, bottom); Other tabs; Malicious Traffic; Drill Down (slides 1 and 2 of sequence); Drill down to view more details; Drill down to launch event viewer; Sample exported PDF report]
Module Map
• Architecture
• Policy framework
• Device import
• Eventing and reporting
• Demonstration
Complete Your Paper “Session Evaluation”
Give us your feedback and you could win 1 of 2 fabulous prizes in a random draw. Complete and return your paper evaluation form to the room attendant as you leave this session. Winners will be announced today. You must be present to win!
..visit them at BOOTH# 100
Thank you.