
Cisco FirePOWER

Benjamin Doyle
October 15th, 2015
Agenda
- Sourcefire
- Cisco ASA Next-Gen Firewall (NGFW)
- FireSIGHT Management Center (FMC)
- FirePOWER Services
- Intrusion Prevention System (IPS)
- Advanced Malware Protection (AMP)
- URL Filtering
- Meraki Security Appliance (MX)
Sourcefire

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Sourcefire
• Founded in 2001
• 2013: Acquired by Cisco for US$2.7B
• 2014: Technology integration within Cisco
• Hardware and Software
• ClamAV and Snort
• File reputation and dynamic analysis
• Analysis of behaviours & containment
• Retrospective protection
• Visibility through dashboards
• 2015: EoL non-SF IPS appliances
Cisco ASA
Next-Generation
Firewall
(NGFW)

Cisco ASA and Sourcefire FirePOWER
Cisco ASA Product Line (axis: Performance and Scalability, increasing from the 5512-X to the 5585-SSP60)

2 RU Platforms – ASA 5585: ASA 5585-SSP10, ASA 5585-SSP20, ASA 5585-SSP40, ASA 5585-SSP60
• Internet Edge / Campus / Data Center
• Firewall: 2 – 20 Gbps
• Next Gen IPS: 1.2 – 6 Gbps
• NGIPS, AVC, AMP: 650 Mbps – 2.4 Gbps *

1 RU Platforms: ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
• Branch Office / Internet Edge
• Firewall: 200 Mbps – 2 Gbps
• Next Gen IPS: 100 – 725 Mbps
• NGIPS, AVC, AMP: 30 – 160 Mbps

NGFW with NGIPS
* Performance numbers to be finalized

Source: Cisco Live! BRKSEC-2762 San Diego 2015


Multilayered Protection – Next Gen. FW + Gen2 IPS

Cisco Collective Security Intelligence Enabled

Diagram components: Advanced Malware Protection (Subscription) | Clustering & High Availability | Intrusion Prevention (Subscription) | WWW URL Filtering (Subscription) | FireSIGHT Analytics & Automation | Network Firewall Routing | Switching | Application Visibility & Control | Built-in Network Profiling | Identity-Policy Control & VPN | Cisco ASA

► World’s most widely deployed, enterprise-class ASA stateful firewall
► Granular Cisco® Application Visibility and Control (AVC)
► Industry-leading FirePOWER Next-Generation IPS (NGIPS)
► Reputation- and category-based URL filtering
► Advanced Malware Protection
• Visibility over – Network, Device, Application,
Threat Detection & Mitigation
FireSIGHT
Management
Center
(FMC)

FireSIGHT Components

Network Discovery & Connection Awareness

Host discovery
• Identifies OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host based on the information it’s gathered

Application identification
• Includes applications that run over web services such as Facebook or LinkedIn
• FireSIGHT can identify over 1900 unique applications using OpenAppID
• Applications can be used as criteria for access control

User discovery
• Monitors for user IDs transmitted as services are used
• Integrates with MS AD servers to authoritatively ID users
• Authoritative users can be used as access control criteria
FireSIGHT Management

Discovery is reported to you by way of events
• Connection events are recorded as every connection in a monitored network is seen
• Host events are recorded when something new on a host is detected or a change to a host is detected

Information about all the hosts in your environment is stored in host profiles
Host and Event Correlation
• When a host in the network map is seen to exhibit signs of compromise

Event sources shown in the diagram:
• Security Intelligence Events
• C&C Detection via Protocol Analysis
• Contextual NGIPS Events (Impact 1)
• FireAMP Endpoint Malware Events
FireSIGHT Discovery
By knowing the details of what’s running in your environment, the Sourcefire System can produce a list of what vulnerabilities likely exist.

This allows the Sourcefire System to put intrusion events in context for more accurate and actionable alerting.

Which would matter more to you?
• A Code Red attack against a host running Linux in your environment
Or
• A Code Red attack against a host running a vulnerable version of Windows in your environment
FireSIGHT Impact Assessment

With FireSIGHT, IPS events are assigned an impact level:
• 0 – host not on monitored networks
• 4 – no entry for the host in the network map
• 3 – host not running the service or protocol that was attacked
• 2 – host is running the service or protocol that was attacked
• 1 – host is running the service or protocol that was attacked and a vulnerability against the service or protocol is mapped to the host

FireSIGHT also lets you fine-tune your IPS policies by recommending rules to protect against the known vulnerabilities in your environment.
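The impact assignment described above, as an added example (not Cisco’s or Sourcefire’s code): a small Python model of a network map and the slide’s 0–4 impact levels, applied to a Code Red-style HTTP event against several constructed hosts. The monitored network, host entries and the vulnerability id "VULN-IIS-SAMPLE" are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
# Impact levels exactly as listed on the slide (1 is the most urgent).
IMPACT_LABELS = {
    0: "host not on monitored networks",
    4: "no entry for the host in the network map",
    3: "host not running the attacked service or protocol",
    2: "host is running the attacked service or protocol",
    1: "host is running the attacked service and a vulnerability is mapped",
}
@dataclass(frozen=True)
class HostProfile:          # one entry of the FireSIGHT network map
    os: str
    services: frozenset     # (protocol, port) pairs discovered on the host
    vulns: frozenset        # vulnerability ids mapped to the host (constructed ids)

@dataclass(frozen=True)
class IpsEvent:
    dst_ip: str
    protocol: str
    port: int
    rule_vulns: frozenset   # vulnerability ids the triggering rule references

def impact_level(event, network_map, monitored):
    """Assign the slide's 0-4 impact level to one IPS event using the host map."""
    ip = ipaddress.ip_address(event.dst_ip)
    if not any(ip in net for net in monitored):
        return 0            # target outside monitored networks
    host = network_map.get(event.dst_ip)
    if host is None:
        return 4            # never discovered: unknown target
    if (event.protocol, event.port) not in host.services:
        return 3            # attacked service not running on this host
    if host.vulns & event.rule_vulns:
        return 1            # service running and its vulnerability mapped to the host
    return 2                # service running, no matching vulnerability known
def triage(events, network_map, monitored):
    """Score a batch of events; most urgent first (1..4, then 0 for unmonitored targets)."""
    scored = [(impact_level(e, network_map, monitored), e.dst_ip) for e in events]
    return [(lvl, ip, IMPACT_LABELS[lvl])
            for lvl, ip in sorted(scored, key=lambda t: (t[0] == 0, t[0]))]

# Constructed sample data: one monitored /8 and three discovered hosts.
MONITORED = (ipaddress.ip_network("10.0.0.0/8"),)
NETWORK_MAP = {
    "10.0.0.5": HostProfile("Linux", frozenset({("tcp", 80)}), frozenset()),
    "10.0.0.6": HostProfile("Windows", frozenset({("tcp", 80)}), frozenset({"VULN-IIS-SAMPLE"})),
    "10.0.0.7": HostProfile("Linux", frozenset({("tcp", 22)}), frozenset()),
}
def code_red_event(dst_ip):
    """Code Red-style HTTP event whose rule references the sample IIS vulnerability."""
    return IpsEvent(dst_ip, "tcp", 80, frozenset({"VULN-IIS-SAMPLE"}))
```

The Windows host with the mapped vulnerability scores impact 1, the Linux web server scores 2, and the host without HTTP scores 3, which is the Linux-versus-vulnerable-Windows contrast the previous slide draws.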
FireSIGHT Management Center (FMC)
Why is FireSIGHT Important?

It gives you real-time information about what’s in your network. Based on this knowledge:
• It can inform you of the vulnerabilities associated with what is running in your environment
• You can fine-tune policies to focus on the threats specific to your environment

It can detect changes to your environment and alert you as soon as the change is detected:
• You can act dynamically with custom alerting (email, syslog, SNMP, eStreamer)
• You can take action dynamically as well with remediation modules
• Remediations include scripts you can launch from the Defense Center
How is FireSIGHT information used?

Fine-tuning IPS policies
• You can automatically select the rules and preprocessor configurations that apply to your environment
• You can protect hosts running services on non-standard ports (e.g. HTTP running on port 1080 on one host and 8080 on another)

Enforce an organization’s security/usage policies
• Block or alert on use of unauthorized applications, for example

Monitor and act on unusual network behavior
• Alert on new hosts showing up in restricted network spaces or detect unusually high utilization

Act on user activity
FireSIGHT Management Center (FMC)
What the FirePOWER appliance sees compared with a typical IPS and a typical NGFW:

Category                    Examples                        FirePOWER Appliance   Typical IPS   Typical NGFW
Threats                     Attacks, Anomalies              ✔                     ✔             ✔
Users                       AD, LDAP, POP3                  ✔                     ✗             ✔
Web Applications            Facebook Chat, Ebay             ✔                     ✗             ✔
Application Protocols       HTTP, SMTP, SSH                 ✔                     ✗             ✔
File Transfers              PDF, Office, EXE, JAR           ✔                     ✗             ✔
Malware                     Conficker, Flame                ✔                     ✗             ✗
Command & Control Servers   C&C Security Intelligence       ✔                     ✗             ✗
Client Applications         Firefox, IE6, BitTorrent        ✔                     ✗             ✗
Network Servers             Apache 2.3.1, IIS4              ✔                     ✗             ✗
Operating Systems           Windows, Linux                  ✔                     ✗             ✗
Routers & Switches          Cisco, Nortel, Wireless         ✔                     ✗             ✗
Mobile Devices              iPhone, Android, Jail           ✔                     ✗             ✗
Printers                    HP, Xerox, Canon                ✔                     ✗             ✗
VoIP Phones                 Avaya, Polycom                  ✔                     ✗             ✗
Virtual Machines            VMware, Xen, RHEV               ✔                     ✗             ✗

Contextual Awareness – Information Superiority
FireSIGHT Management Center:
Threat Information
FireSIGHT Management Center:
Operational Value
FirePOWER
Services

Traditional Defense-in-Depth
• Forced to buy multiple security solutions – firewalls, web filters, IPS modules,
etc.
• Often from different vendors – compatibility issues
• Increases complexity, limited visibility
• Vulnerability – lack of unified protection creates gaps and blindspots
• Need several dedicated teams to configure, install, and monitor multiple
systems
• Increased cost and labor, reduced incident response time
Challenges with Traditional Defense-in-Depth Security
Cisco ASA with FirePOWER

• Industry’s first adaptive, threat-focused NGFW designed for a new era of threat and advanced malware protection
• Delivers an integrated threat defense across the entire attack continuum
• Combines proven security of Cisco ASA firewall with industry-leading Sourcefire threat and advanced malware protection in a single device
• Unparalleled network visibility
Integrated Threat Defense Across the Attack Continuum

Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

BEFORE                  | DURING                 | AFTER
Firewall/VPN            | NGIPS                  | Advanced Malware Protection
Granular App Control    | Security Intelligence  | Retrospective Security
Modern Threat Control   | Web Security           | IoCs/Incident Response

Visibility and Automation (across all three phases)

FirePOWER Services for ASA: Subscriptions

Base ASA Appliance Feature Defaults (Included):
• Routing
• ACLs – Protocol Inspection
• VPN Termination
• Firewall
• Network Address Translation

Sourcefire Services for ASA (Included; * Smartnet required for Security Intel. updates):
• Configurable Fail Open ✓
• Connection/Flow Logging ✓
• Network, User, and Application Discovery ✓
• Traffic filtering / ACLs ✓
• NSS Leading IPS Engine ✓
• Comprehensive Threat Prevention ✓
• Security Intelligence (C&C, Botnets, SPAM etc) ✓
• Blocking of Files by Type, Protocol, and Direction ✓
• Basic DLP in IPS Rules (SSN, Credit Card etc.) ✓
• Access Control: AVC – Enforcement by Application ✓
• Access Control: Enforcement by User ✓
(Service layers shown: Next Gen IPS, App Visibility / Control, Advanced Malware Protection, URL Filtering)

Annual Fee subscriptions:
• IPS and App Updates – IPS Rule and Application Updates
• URL Filtering – URL Filtering Subscription
• Malware Protection – Subscription for Malware Blocking, Continuous File Analysis, Malware Network Trajectory
FirePOWER Licensing

• Virtual or Physical FireSIGHT Management Center required
• All FirePOWER Service device licenses are managed on the FireSIGHT Management Console.
• Licenses are specific to each ASA model and mapped to managed ASA devices
• Term licenses have a start and end date; beyond the end date, renewal is required to receive subscription updates.
• Application Visibility and Control updates are included in SMARTnet Services
• IPS subscription is a pre-requisite for Advanced Malware Protection (AMP)
• SSDs are included in all new ASA FirePOWER Services hardware SKUs
FirePOWER Licensing

Five Subscription Packages to Choose From for Each Appliance
• 1 and 3 year terms
• AVC is part of the default offering
• AVC updates are included in SMARTnet
• IPS is required before AMP or URL license can be added

Packages (components stacked on the slide):
URL  – URL Filtering
TA   – IPS
TAC  – IPS + URL Filtering
TAM  – IPS + AMP
TAMC – IPS + AMP + URL Filtering
Intrusion
Prevention
System
(IPS)

Sourcefire NGIPS

Source: Cisco Live! BRKSEC-1030 San Diego 2015


IPS – File Processing

Source: FireSIGHT User Guide 5.4.0.1


IPS Automation
Before Attack
The Next Generation Security Model

Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Cloud | Point in time / Continuous

BEFORE THE ATTACK: You need to know what’s on your network to be able to defend it – devices / OS / services / applications / users (FireSIGHT)

Access Controls, Enforce Policy, Manage Applications and Overall Access to Assets.

Access Controls reduce the surface area of attack, but there will still be holes that the bad guys will find.

What Device Types, Users & Applications should be on the Network?

ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective.
After Attack
The Next Generation Security Model

Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Cloud | Point in time / Continuous

AFTER THE ATTACK: invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal.

Cross Device Information Sharing – Evolving

Also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself – on the network, endpoint, mobile devices, virtual environments, including cloud.
Advanced
Malware
Protection
(AMP)

AMP

• File Reputation
• Dynamic Analysis (Sandboxing)
• Retrospective Security
Anti-Malware Protection & the Attack Continuum

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Top row of the diagram:
BEFORE – Contextual Awareness, Network Control
DURING – In-line Threat Detection, Automation and Prevention
AFTER – File Retrospection, File Trajectory

Bottom row of the diagram:
DURING – File Execution Blocking
AFTER – File Retrospection, File Trajectory, Device Trajectory, Endpoint File Analysis, Indications of Compromise, Outbreak Control

Anti-Malware Process – Infected File Tracking
AMP: File Disposition and Dynamic Analysis

(Diagram: file hash lookups against the Cisco Cloud)

Cisco Cloud is TALOS => Cisco SIO + Sourcefire VRT

Source: Cisco Live! BRKSEC-2028 Melbourne 2015


Retrospective Security
Host Profile
Network File Trajectory
Correlation Analysis with Context Produces IoC

Source: Cisco Live! BRKSEC-1030 San Diego 2015


URL
Filtering

URL Filtering

• Offers reputation and category-based filtering
• Comprehensive alerting and control over suspect traffic
• Enforces policies on hundreds of millions of websites in over 80 categories
URL Filtering
Meraki
Security
Appliance
(MX)

Meraki
• Leader in cloud networking: 20,000+ customer networks deployed
• Founded in 2006 at MIT – tradition of innovation and R&D
• 350 employees worldwide
• 100% Cloud-managed edge and branch networking portfolio
• Complete line of wireless, switching, security, WAN optimization, and mobile device management products
• Now part of Cisco
• Increasing R&D investment in Meraki products
• Leveraging Cisco’s reach to bring Meraki to new markets
• No near-term changes planned to pricing, licenses, product roadmap, etc.
• Cisco purchased Meraki for 1.2B in 2012.
Order Process

How Meraki Works
Step 1: Pick Hardware & Warranty
Step 2: Cloud Subscription Support (Cloud License: 1yr, 3yr, 5yr)
Step 3: Install
Step 4: Dashboard Management
Meraki Management

Management – Cloud Dashboard
• Self-provisioning for rapid deployment and expansions
• Scalable network-wide monitoring and management tools
• Integrated Wireless, LAN, and WAN management, as well as Mobile Device management
• Seamless over-the-web maintenance, upgrades, monitoring, etc.
Application Visibility

Layer 7 – Complete visibility and control
Meraki Pros

Out of band cloud management (diagram: WAN – management data (1 kb/s) – LAN)

Scalable
• Unlimited throughput, no bottlenecks
• Add devices or sites in minutes

Reliable
• Highly available cloud with multiple datacenters
• Network functions even if connection to cloud is interrupted
• 99.99% uptime SLA

Secure
• No user traffic passes through cloud
• Fully HIPAA / PCI compliant (level 1 certified)
• 3rd party security audits, daily penetration test

Reliability and security information at meraki.com/trust


Meraki Features

Hardware – “MX”
o Next Generation Firewall:
   Layer 7 traffic classification and control
   Intrusion detection engine
   Identity based and device-aware security
o Auto VPN:
   Auto-provisioning IPSec VPN
   Automatically configured VPN parameters
   Flexible tunneling, topology and security policies
o 3G / 4G Failover:
   Cellular support for maximum uptime
   Seamless, automatic failover with traffic prioritization
o WAN Optimization:
   Universal data store with de-duplication
   WAN link compression
o Content Filtering:
   Identity-based filtering policies
Meraki Licensing

Subscription/License – “MX”
Meraki Sizing

Hardware – “MX” (per model: stateful firewall throughput / VPN throughput / WAN optimization cache / interfaces)
• MX400: 1 Gbps / 325 Mbps / 1 TB SATA / 8 x GbE, 8 x GbE (SFP), 4 x 10 GbE (SFP+)
• MX100: 500 Mbps / 225 Mbps / 1 TB SATA / 8 x GbE, 2 x GbE (SFP)
• MX80: 250 Mbps / 125 Mbps / 1 TB SATA / 5 x GbE
• MX60W: 100 Mbps / 50 Mbps / 100 MB / 5 x GbE, 1 x 802.11n
• MX60: 100 Mbps / 50 Mbps / 100 MB / 5 x GbE
• Z1 (Teleworker): 50 Mbps / 10 Mbps / N/A / 1 x GbE WAN, 4 x GbE LAN

Features across the line:
• Integrated Intrusion Detection (IDS)
• Device Aware Access Controls (BYOD) (Layer 7)
• Category-based content filtering
• Load Balance WAN connections
• 3G/4G backup WAN connectivity
• WAN Acceleration/Optimization
Meraki Cloud

Cloud Value Proposition
o Maintenance & Upgrades (Quarterly Releases):
   Automatic firmware maintenance
   New feature implementation
   Automatic implementation of performance improvements and enhancements
o Monitoring:
   Application level (layer 7) monitoring & reporting
   Performance monitoring
o Technology and Configuration:
   Extremely easy configuration
   Fully featured Cloud Managed
o Warranty & Maintenance:
   Case-based support viewable in dashboard
   Firmware and Software updates/upgrades
   24x7 telephone support
Next: More Intrusion Alert Methods
