BRKSEC-2236


Keeping Up on Network Security with Cisco Secure Firewall

Andrew Ossipov
Distinguished Engineer, CTO
BRKSEC-2236

Cisco Webex App

Questions? Use the Cisco Webex App to chat with the speaker after the session.

How
1 Find this session in the Cisco Live Mobile App
2 Click "Join the Discussion"
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 17, 2022.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-2236

#CiscoLive BRKSEC-2236 © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Your Speaker

Andrew Ossipov
aeo@cisco.com
Distinguished Engineer
Product CTO for Network, Workload, and Cloud Security
Firewall Architecture, Hybrid Cloud, Unified Policy, SASE

Agenda (FTD and ASA)
• Introduction
• Secure Firewall 3100
• Threat Prevention
• Connectivity
• Private and Public Cloud
• Management
• Conclusion

Firewall: From DPI to Inference and Cooperation

[Diagram: a "New-Normal Firewall" at the campus edge between remote users, SaaS, inbound Internet traffic and the data center. Example flows shown on the slide:
TCP inside:192.168.1.11/54397 outside:203.0.113.100/443
TCP inside:192.168.2.110/34624 DC:172.16.45.200/443
TCP outside:198.51.100.231/13945 DC:172.16.45.201/443]

• Outbound to SaaS (CloudLock, Umbrella): mapping network flows to specific user actions via cloud application API and CASB
• Inbound to apps: continue to decrypt inbound for full app threat protection (IPS, WAF, AMP, API) with minimal functional impact
• Secure Endpoint: client context discovery via passive fingerprinting and trusted endpoint agent cooperation
• Secure Workload / Dynamic Attribute Connector: server/workload attribute discovery, host OS and cloud native API protection

Secure Firewall 3100

Secure Firewall 3100 Overview (FTD 7.1, ASA 9.17)

Appliance-mode security platform for the FTD or ASA application, 1RU
• Fixed configurations: 3110, 3120, 3130, 3140
• Lightweight virtual Supervisor module with Multi-Instance
• Integrated datapath FPGA with Flow Offload and Crypto Engine
• Rear dual redundant power supplies and fan trays

Copper data interfaces
• 8x10M/100M/1GE Ethernet

SFP data interfaces
• 8x1/10GE on Firepower 3110-3120
• 8x1/10/25GE on Firepower 3130-3140

Network module (FTW = fail-to-wire)
• 8x1/10/25GE or 6x10/25GE FTW on Firepower 3110-3120
• 4x40GE or 2x40GE FTW on Firepower 3130-3140
Secure Firewall 3100 Architecture (FTD 7.1, ASA 9.17)

                    3110      3120      3130      3140
x86 CPU cores       24        32        48        64
RAM                 64GB      128GB     128GB     256GB

Internal links (3110-3120 / 3130-3140):
• CPU complex to Flow Offload Engine (Ethernet): 25Gbps / 80Gbps
• Chip-to-chip link: 2x10Gbps / 2x25Gbps
• Crypto Offload Engine: 40Gbps / 50Gbps
• Switch fabric to on-board 8x1GE copper interfaces: 8x1Gbps
• Switch fabric to on-board SFP interfaces: 8x10Gbps / 8x25Gbps
• Switch fabric to hot-swappable interface expansion module: 8x10Gbps / 8x25Gbps

Interfaces: 10GE SFP management/events; on-board 8x1GE copper; on-board 8x10GE SFP (3110-3120) or 8x25GE SFP (3130-3140); hot-swappable interface expansion module
Secure Firewall 3100 Performance (FTD 7.2, ASA 9.18)

                             3110      3120      3130      3140
FW+AVC+IPS (1024B avg pkt)   17Gbps    21Gbps    38Gbps    45Gbps
  with 450B avg packet       6Gbps     8Gbps     11.5Gbps  14Gbps
IPsec VPN (1024B avg pkt)    11Gbps    13.5Gbps  33Gbps    39Gbps
  per tunnel                 11Gbps    13.5Gbps  30Gbps    31Gbps

Up to 7x boost in FW+AVC+IPS, up to 17x boost in IPsec VPN, up to 14x boost in TLS.

*Performance estimates are subject to change in public release.

Threat Protection

Encrypted Visibility Engine (EVE) (FTD 7.1)

Generate unique fingerprints for client applications based on outer packet fields (the TLS ClientHello); use them for policy matching and context enrichment with TLS and QUIC.

Flows shown on the slide:
TCP/TLS 192.168.2.110/34624 -> 172.16.45.200/443
TCP/TLS 192.168.2.110/21013 -> 203.0.113.154/443

Example inferences from the TLS ClientHello of two such flows:

  Confidence: 99.94%
  Process: firefox.exe
  Version: 76.0.1
  Category: browser
  OS: Windows 10 19041.329
  Destination FQDN: cisco.com

  Confidence: 100%
  Process: tor.exe
  Version: 9.0.2
  Category: anonymizer
  OS: Windows 10 19041.329
  Destination FQDN: nsksdlkoup.me

The underlying fingerprinting library is open source: https://github.com/cisco/mercury
EVE-enriched Unified Events (FTD 7.1)

• Client process name and detection confidence score; the name can be linked to a custom AppID for enforcement in FTD 7.2.
• Inference-based threat alert and confidence level.
Portscan Detection and Prevention (FTD 7.2)

• Evolved portscan protection engine directly within the data plane
• Much higher performance and detection efficacy
• Recognizes single-host, decoy-based, distributed, and port sweep scanning types
• Optional time-based blocking of potential attackers
• Granular configuration profiles at Access Control Policy level
Connectivity

Application-Aware Policy Routing (FTD 7.1)

• Native support for Policy Based Routing configuration in FMC
• Commonly used SaaS applications can be used as matching criteria
• Automatically expanded by the data plane into IP-based Network Service Groups
• Monitors DNS traffic to trusted servers to support domain pattern matching
• Useful for Direct Internet Access (DIA) provisioning in SD-WAN deployments

Flexible egress interface selection policy, including ECMP over cleartext or VPN tunnels. SaaS application-aware first-packet match.
Elephant Flow Detection (FTD 7.2)

• Per-flow bandwidth and load tracking replaces Intelligent Application Bypass
• Throughput threshold to qualify as an elephant flow
• Optional flow-specific CPU resource consumption for the qualification
• Optional flow actions based on configurable packet drop thresholds
Loopback Interface (FTD 7.3, ASA 9.18.2)

• Abstract to- and from-device connectivity from physical interfaces
• IPv4 and IPv6 addressing in routed and transparent (except for VTI) modes
• HA/failover and clustering (except for VTI) support

[Diagram: Loopback0 on the firewall serving as the endpoint for VTI IPsec VPN, BGP, SSH, and SNMP, AAA and Syslog]
Private and Public Cloud

AWS Gateway Load Balancer Integration (FTD 7.1+, ASA 9.17+)

• Network firewall service insertion for both inbound and outbound flows
• Redirection with GEneric NEtwork Virtualization Encapsulation (GENEVE)
• Bring-your-own TLS decryption with available software capabilities
• FTD 7.2 and ASA 9.18 add Autoscale support and snapshot-based image bring-up

[Diagram: users on the Internet reach EC2 instances in an Application VPC through an Internet gateway; a Gateway Load Balancer Endpoint in the Application VPC redirects the flow to the Gateway Load Balancer in an Appliance VPC, which hands it to FTD and returns it (steps 1-7)]
Clustering for Virtual Firewalls (FTD 7.1, ASA 9.17)

• Clustering combines multiple firewalls into one logical device
• Seamless scalability up to 16 FTD units with no traffic disruption
• Stateful handling of asymmetric traffic and failure recovery
• Single point of management and unified reporting

[Diagram: FTD cluster members attached to a vPC pair]

Better elasticity and failure handling in hybrid cloud with clustering:
• Individual IP addresses on data interfaces instead of a single Port-channel
• VXLAN-based Cluster Control Link for unicast inter-member communication
• Flow re-hosting on failure in supported environments
Infrastructure as Code (FTD and ASA)

• Management and provisioning of Secure Firewall assets in hybrid cloud
• Declarative Terraform templates for ASA and FTD (via FMC)
• FTD Dynamic Object integration with HashiCorp Consul
• Imperative Ansible tasks for ASA and FTD (FDM and now FMC)
• Continuously updated Cisco DevNet repositories:
  • https://developer.cisco.com/secure-firewall/cloud-resources/
  • https://github.com/CiscoDevNet/secure-firewall
  • https://github.com/CiscoDevNet/FMCAnsible
Management

"Shallow" Access Policy Locking (FMC 7.2)
Simplified Access Control Policy View (FMC 7.2)
Simplified Rule Editor (FMC 7.2)

• Inline rule navigation
• Direct access to all advanced actions
• Wizard-style object definition for all parameters
Cloud-Delivered Firewall Management (FMC 7.2)

• Embed fully-featured FMC experience within Cisco Defense Orchestrator (CDO)
• Completely managed backend, from platform upgrades to configuration backup

[Diagram: SaaS side with CDO, managed FMCv instances, the Dynamic Attribute Connector (DAC) and Secure Analytics and Logging; private cloud side with a privately managed FMC, FTD devices and LDAP/ISE]
• Cloud-hosted DAC instance for attribute-based policies
• Managed FMC cloud instances configure up to 1000 devices per tenant
• (Future) Cloud event consumption and full analytics can co-exist with or replace privately deployed FMC instances
• Privately managed FMC continues to receive events, generate dashboards and reports
• A privately managed FTD instance is used to proxy Identity connections (LDAP/ISE) for cloud FMC instances
Cloud Analytics Dashboard (FMC 7.2)
Simple Migration of FTD to Cloud Management (FMC 7.2)

• On-board privately managed FMC instances to CDO for fleet migrations
• Per-device co-management dispositions
• Migrations are reversible for 14 days
Cisco Security Beta Programs

Sign up now: http://cs.co/clive-security-beta

"I've been involved in many beta programs… I must say that this one has been the best organized. This beta takes a very active, hands-on approach."
Higher-Ed Beta Customer

Early Feedback Programs | Beta Software Access | Product Training | Influence Product Roadmap

Presented by Security Customer Insights
Technical Session Surveys
• Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live branded socks!
• Attendees will also earn 100 points in the Cisco Live Game for every survey completed.
• These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.
Pay for Learning with Cisco Learning Credits

Cisco Learning Credits (CLCs) are prepaid training vouchers redeemed directly with Cisco. From technology training and team development to Cisco certifications and learning plans, let us help you empower your business and career. www.cisco.com/go/certs

Learn
• Cisco U.: IT learning hub that guides teams and learners toward their goals
• Cisco Digital Learning: subscription-based product, technology, and certification training
• Cisco Modeling Labs: network simulation platform for design, testing, and troubleshooting
• Cisco Learning Network: resource community portal for certifications and learning

Train
• Cisco Training Bootcamps: intensive team & individual automation and technology training programs
• Cisco Learning Partner Program: authorized training partners supporting Cisco technology and career certifications
• Cisco Instructor-led and Virtual Instructor-led training: accelerated curriculum of product, technology, and certification courses

Certify
• Cisco Certifications and Specialist Certifications: award-winning certification program that empowers students and IT professionals to advance their technical careers
• Cisco Guided Study Groups: 180-day certification prep program with learning and support
• Cisco Continuing Education Program: recertification training options for Cisco certified individuals

Here at the event? Visit us at the Learning and Certifications lounge at the World of Solutions
Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand
Thank you
