Brksec 2417
Keeping Up on Network Security with Cisco Secure Firewall
Andrew Ossipov, Distinguished Engineer
BRKSEC-2417
#CiscoLive
Your Speaker
Andrew Ossipov
aeo@cisco.com
Distinguished Engineer
Network and Workload Security Portfolio CTO
#CiscoLive BRKSEC-2417 © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Is Network Firewall Dead?
[Diagram: users and workloads spread across Campus, Branch, Remote (Work Anywhere w/SaaS) and IaaS, reaching Apps, SaaS and the WWW through SIG/SWG under Pervasive Encryption; each of the flows below is annotated only with a question mark]
TCP inside:192.168.1.11/54397 outside:203.0.113.100/443
TCP inside:192.168.2.110/34624 DC:172.16.45.200/443
TCP outside:198.51.100.231/13945 DC:172.16.45.201/443
Agenda: Cisco Secure Firewall Threat Defense
Past and Present are set in stone, but the Future may change at any time
1. Insert Anywhere
2. Inspect Inbound
3. Infer Flow Context
4. Abstract Policy
[Diagram: the same topology with FTD on Campus, FTDv in the cloud and IaaS, Tetration on the Apps, and AMP4E on the Remote endpoints]
Insert
Remote Branch Deployment in FMC 6.7
• FMC management over one data interface for non-VPN use case
• Multiple data interfaces with redundancy will be supported in the future
[Diagram: branch FTD with ISP1 and ISP2 uplinks to the Internet and FMC at HQ. The FTD registers its dynamic IP to an FQDN in dynamic DNS; the FTD initiates directly to the FMC public IP, and the FMC initiates via the FTD FQDN]
Low-Touch Provisioning
• Management flexibility for Enterprise and In-Band use cases
[Diagram, Firepower 1000/2100 and Firepower 4100/9300 with a DHCP Server, a Provisioning Server, FMC and FDM: 1. DHCP on dedicated Management interface; 2. New device online; 3. Push configuration]
Virtual Functions
• Broad private and public cloud support for FTDv and ASAv
• Now:
• FTDv 7.0:
• Fully automated stateless AutoScale in AWS and Azure
[Diagram: Internet, Load Balancer, FTDv instances, a Serverless AutoScale function, and FMC]
End-to-End Threat Protection in Modern DC
[Diagram: Hybrid Data Center reached from the Internet and Campus through FTD, with FTD and FTDv in front of the workloads and Tetration on the workloads]
Inspect
TLS Decryption
• TLS Decryption is mandatory for IPS, AMP, and other DPI functions
[Diagram: Client, FTD, Server. On the client-facing leg the client sees the FTD public key (Resign) or the server's public key (Known Key); on the server-facing leg the FTD sees the Server public key]
Snort 3 NGIPS Engine
• FDM/CDO availability in FTD 6.7; FMC in FTD 7.0
• Much more efficient memory utilization from multi-threaded architecture
• Faster/deeper pattern lookups with HyperScan for higher efficacy
• Event-driven plugins replace preprocessors for quicker verdicts
• Improved human-readable signature language
• Single-flow TCP/UDP throughput is still tied to a single CPU core performance
• Future opportunity for parallel processing with HTTP/2 multiplexing
[Diagram: one HTTP/2 connection multiplexing Request 1/Response 1 and Request 2/Response 2, which could be spread across CPU1 and CPU2]
Future Look: Web Application Protection
Infer
TLS Application and URL Visibility
• AVC, URL, and “SSL” Policy decisions on pre-1.3 TLS header
• Cleartext (but spoofable) fields such as the ClientHello server name remain visible; the certificate Common and Subject Alternative Names that pre-1.3 handshakes exposed are encrypted in TLS 1.3
Future Look: App Fingerprinting (https://github.com/cisco/mercury)
Example inference from a TLS ClientHello:
• Confidence: 99.94%
• Process: firefox.exe
• Version: 76.0.1
• Category: browser
• OS: Windows 10 19041.329
• Typical FQDN: cisco.com
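As an added illustration of what the visibility and fingerprinting slides rely on (this is not code from the talk or from the mercury project), the script below parses the cleartext fields a firewall can read from a TLS ClientHello without decrypting anything: the offered version, cipher suites, extension types and the server name. The server name is client-supplied and unauthenticated, which is why the slide calls it spoofable. The fingerprint is a JA3-style string (version, ciphers, extensions, without GREASE filtering); mercury's own fingerprint format and its process inference are assumptions not reproduced here. The ClientHello is constructed in the script so it runs offline.

```python
import hashlib
import struct


def build_client_hello(server_name, cipher_suites, supported_groups):
    """Build a constructed TLS 1.2-style ClientHello record for the demo.
    Sample input only, not a captured packet."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name         # host_name (type 0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    groups = b"".join(struct.pack("!H", g) for g in supported_groups)
    groups_data = struct.pack("!H", len(groups)) + groups
    versions = b"\x03\x04\x03\x03"                                    # TLS 1.3, TLS 1.2
    versions_data = bytes([len(versions)]) + versions
    ext = (struct.pack("!HH", 0x0000, len(sni_list)) + sni_list            # server_name
           + struct.pack("!HH", 0x000A, len(groups_data)) + groups_data     # supported_groups
           + struct.pack("!HH", 0x002B, len(versions_data)) + versions_data)  # supported_versions
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                        # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(record):
    """Return the cleartext ClientHello fields: version, ciphers, extension types, SNI.
    Raises ValueError for anything that is not a complete ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = _u16(body, pos); pos += 2
    pos += 32                                  # client random
    pos += 1 + body[pos]                       # session id
    cs_len = _u16(body, pos); pos += 2
    ciphers = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                       # compression methods
    result = {"version": version, "ciphers": ciphers, "extensions": [], "sni": None}
    if pos + 2 > len(body):
        return result                          # legacy client without extensions
    end = pos + 2 + _u16(body, pos); pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        result["extensions"].append(etype)
        if etype == 0x0000 and len(edata) >= 5:
            # server_name_list: 2-byte length, then name_type(1) + name_len(2) + name.
            # The value is whatever the client chose to send; nothing authenticates it.
            p = 2
            while p + 3 <= len(edata):
                ntype, nlen = edata[p], _u16(edata, p + 1)
                if ntype == 0:
                    result["sni"] = edata[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    break
                p += 3 + nlen
    return result


def ja3_style_fingerprint(fields):
    """JA3-style string from version, cipher list and extension list, plus its MD5.
    Illustrative only; mercury uses its own fingerprint format."""
    s = "%d,%s,%s" % (fields["version"],
                      "-".join(str(c) for c in fields["ciphers"]),
                      "-".join(str(e) for e in fields["extensions"]))
    return s, hashlib.md5(s.encode()).hexdigest()


if __name__ == "__main__":
    hello = build_client_hello("cisco.com", [0x1301, 0x1302, 0xC02B], [0x001D, 0x0017])
    fields = parse_client_hello(hello)
    print("SNI:", fields["sni"], "| fingerprint:", ja3_style_fingerprint(fields))
```

The parser stops at the ClientHello on purpose: in TLS 1.3 the certificate that follows is encrypted, so the server name and the handshake shape are the only cleartext hooks left for policy and fingerprinting.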
Future Look: Flow Context via Client Endpoint
[Diagram: flow TCP/TLS 192.168.2.110/34624->203.0.113.142/443 from host 192.168.2.110 through FTD]
• AnyConnect Network Visibility Module exports IPFIX with per-flow endpoint context: Unique Endpoint ID, Geo Coordinates, Logged User: CISCO\John, OS Version: Windows 10.10, System Manufacturer: Dell, Process User: JOHNPC\system, Process: firefox.exe [Unique Hash], Parent Process: malware.exe [Unique Hash], Target FQDN: botnet-cc.dyndns.me
• FTD: apply additional flow context to policy decision, highlight anomalies, block explicit matches to blocklist (e.g. known malicious processes)
• Orbital / AMP4E / AMP Cloud: request additional host information (e.g. DNS cache or presence of certain files), quarantine/remove known malware
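An added example of the join the slide describes, written for this page rather than taken from FTD or the AnyConnect NVM: endpoint telemetry records are indexed by the same 5-tuple the firewall sees, each flow is enriched with the matching record, and a verdict is produced (block on blocklist hits, anomaly on unexpected process lineage, allow otherwise). Every record, hash and blocklist entry is constructed for the demo; the "expected parent" table is an assumed heuristic, not a documented FTD rule.

```python
# Constructed endpoint context in the shape of the slide's IPFIX fields.
# Hashes are placeholders, not real file hashes.
FLOW_KEY = ("proto", "src_ip", "src_port", "dst_ip", "dst_port")

ENDPOINT_CONTEXT = [
    {"proto": "tcp", "src_ip": "192.168.2.110", "src_port": 34624,
     "dst_ip": "203.0.113.142", "dst_port": 443,
     "endpoint_id": "ep-0001", "logged_user": r"CISCO\John",
     "os": "Windows 10.10", "manufacturer": "Dell",
     "process_user": r"JOHNPC\system",
     "process": "firefox.exe", "process_hash": "sha256:CONSTRUCTED-FIREFOX",
     "parent": "malware.exe", "parent_hash": "sha256:CONSTRUCTED-MALWARE",
     "target_fqdn": "botnet-cc.dyndns.me"},
    {"proto": "tcp", "src_ip": "192.168.2.111", "src_port": 50120,
     "dst_ip": "203.0.113.10", "dst_port": 443,
     "endpoint_id": "ep-0002", "logged_user": r"CISCO\Jane",
     "os": "Windows 10.10", "manufacturer": "Dell",
     "process_user": r"JANEPC\Jane",
     "process": "chrome.exe", "process_hash": "sha256:CONSTRUCTED-CHROME",
     "parent": "explorer.exe", "parent_hash": "sha256:CONSTRUCTED-EXPLORER",
     "target_fqdn": "example.com"},
    {"proto": "tcp", "src_ip": "192.168.2.112", "src_port": 41000,
     "dst_ip": "203.0.113.20", "dst_port": 443,
     "endpoint_id": "ep-0003", "logged_user": r"CISCO\Bob",
     "os": "Windows 10.10", "manufacturer": "Dell",
     "process_user": r"BOBPC\Bob",
     "process": "chrome.exe", "process_hash": "sha256:CONSTRUCTED-CHROME",
     "parent": "winword.exe", "parent_hash": "sha256:CONSTRUCTED-WINWORD",
     "target_fqdn": "example.net"},
]

# Constructed blocklists standing in for "known malicious processes" and domains.
PROCESS_BLOCKLIST = {"sha256:CONSTRUCTED-MALWARE"}
FQDN_BLOCKLIST = {"botnet-cc.dyndns.me"}

# Assumed heuristic: interactive browsers are normally launched by the shell
# and run as the logged-in user, not as SYSTEM.
EXPECTED_PARENTS = {"firefox.exe": {"explorer.exe"}, "chrome.exe": {"explorer.exe"}}


def index_context(records):
    """Index endpoint records by the 5-tuple the firewall also sees."""
    return {tuple(r[k] for k in FLOW_KEY): r for r in records}


def evaluate_flow(flow, context_index):
    """Return (verdict, reasons) for one firewall flow after endpoint enrichment."""
    ctx = context_index.get(tuple(flow[k] for k in FLOW_KEY))
    if ctx is None:
        return "allow", ["no endpoint context (unmanaged host?)"]
    reasons = []
    if ctx["process_hash"] in PROCESS_BLOCKLIST:
        reasons.append("process %s on blocklist" % ctx["process"])
    if ctx["parent_hash"] in PROCESS_BLOCKLIST:
        reasons.append("parent %s on blocklist" % ctx["parent"])
    if ctx["target_fqdn"] in FQDN_BLOCKLIST:
        reasons.append("target FQDN %s on blocklist" % ctx["target_fqdn"])
    if reasons:
        return "block", reasons                     # explicit matches always win
    expected = EXPECTED_PARENTS.get(ctx["process"].lower())
    if expected and ctx["parent"].lower() not in expected:
        reasons.append("unexpected parent %s for %s" % (ctx["parent"], ctx["process"]))
    if expected and ctx["process_user"].lower().endswith("\\system"):
        reasons.append("browser running as SYSTEM")
    if reasons:
        return "anomaly", reasons                   # highlight, do not block
    return "allow", ["endpoint context matches expectations"]


if __name__ == "__main__":
    idx = index_context(ENDPOINT_CONTEXT)
    for rec in ENDPOINT_CONTEXT:
        flow = {k: rec[k] for k in FLOW_KEY}
        print(flow["src_ip"], flow["dst_ip"], evaluate_flow(flow, idx))
```

The ordering matters: explicit blocklist hits return before the heuristic runs, so a flow that is both anomalous and matches a known-bad hash is reported as a block with the concrete reason, and the anomaly path only ever produces a highlight for an analyst.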
Abstract
User Identity Policies in FMC 6.7
• AD user identity across multiple Forest domains in a single IP space
[Diagram: forest cisco.com with member domains na.cisco.com (10.10.0.0/16) and eu.cisco.com (10.20.0.0/16); john@na.cisco.com is seen at 10.10.100.156 and 10.20.108.26; AD, FTD and FMC]
• Support groups with users across multiple Forest member domains in FMC 7.0
• Higher FMC device scale per ISE/ISE-PIC instance with pxGrid 2.0
Attribute-Based Policies in FTD 7.0+
[Diagram: dynamic attribute sources, including Tetration, a Custom source and an Orchestrator, each marked as available in 7.0 or planned for the Future]
FTD 7.0: Dynamic Attributes Connector UI
Manage
Reinforcing the Foundation
• New FMC user interface in 6.5
Multi-Column Policy Filtering in FMC 6.6
Reusable query language.
Change Management
• Selective deployment, and detailed audit transcripts in FMC 6.7
• Filtering individual changes by user in FMC 7.0
[Screenshot: change list with Modified and Responsible User columns]
Health and Event Monitoring
• New FTD monitoring dashboard and unified SNMP agent in 6.7
Thank you
#CiscoLive
Other Relevant Sessions
• BRKSEC-1022 Health Monitoring in Next Generation Firewall
• BRKSEC-2014 Deploy Network Security as Code Using DevOps
• BRKSEC-2029 Security in an Encrypted World: Enhancing Firewalls, IPS, and Proxies
• BRKSEC-2411 Zero Trust: Securing Applications and Workloads Using a Cloud Native Approach
• BRKSEC-2412 Leveraging Endpoint Security in Our Encrypted World!
• BRKSEC-2415 The Future of Network Security is in the Cloud with Cisco SASE!
• BRKSEC-3008 Demystify Public Cloud Security Using Secure Firewall and Tetration