
Next Generation Firewall Services for the ASA


May 2013

Presenter: Eric Kostlan

2012 Cisco and/or its affiliates. All rights reserved.

At the conclusion of this presentation and demonstration, you will be able to:

  Describe the ASA NGFW and PRSM architecture
  Describe the features of the ASA NGFW
    Application Visibility and Control (AVC)
    Web Security Essentials
  Utilize the policy framework
    Policy objects, policies, policy sets
    Device and object discovery


Architecture
Policy framework
Device import
Eventing and reporting
Demonstration


[Hardware callouts from the slide: two hard drives in RAID 1 (event data); 8 GB eUSB (system); 10GE and GE data ports; two GE management ports]

Management options

Built-in (on the CX module)
  Configuration
  Eventing
  Reporting

Off-box (PRSM)
  Configuration
  Eventing
  Reporting
  Multi-device manager for ASA CX
  Role Based Access Control
  Virtual machine or UCS appliance
  PRSM virtual machine supports VMware ESXi

[Diagram: Cisco SIO pushes application identification updates to the ASA CX and to PRSM. PRSM configures the ASA CX over a RESTful XML interface (REST = Representational State Transfer); the ASA CX sends events to PRSM using reliable binary logging. The links are carried over HTTPS.]

ASA processes all ingress/egress packets
No packets are directly processed by CX except for management
CX provides Next Generation Firewall Services

[Block diagram: ASA module (ports, 10GE NICs, fabric switch, CPU complex, crypto engine) and CX module (10GE NICs, fabric switch, CPU complex, crypto or regex engine) joined over the backplane. Flow labels: ASA ingress, CX ingress, egress after CX processing.]

Functions split between the ASA and the CX module:

ASA
  TCP Normalization
  NAT
  TCP Intercept
  Routing
  IP Option Inspection
  ACL
  IP Fragmentation
  VPN Termination
  Botnet filtering

CX
  URL Category/Reputation
  HTTP Inspection
  AVC
  TLS Proxy
  Multiple Policy Decision Points
  TCP Proxy


TLS proxy: decrypts SSL and TLS traffic across any port
  Uses a self-signed (default) certificate or a customer certificate and key
  The self-signed certificate can be downloaded and added to the trusted root certificate store on clients

Decryption policies determine which traffic to decrypt
  CX cannot read the hostname in the client request to choose a decryption policy, because the request is encrypted
  FQDN and URL category are therefore determined from the server certificate

If the decision is to decrypt, CX acts as a man-in-the-middle
  A new certificate is created, signed by CX or by the customer CA
  Information such as FQDN and validity dates is copied from the original certificate
  CX does not act on name mismatches or expired certificates in the original; because those properties are copied into the new certificate, the errors surface at the client, which must handle them

Two separate sessions, separate certificates and keys: ASA CX acts as a CA and issues a certificate for the web server. Step numbers follow the slide's single sequence across both sessions.

Server side (ASA CX to web server):
  1. Negotiate algorithms.
  2. Authenticate server certificate.
  3. Generate proxied server certificate.
  5. Generate encryption keys.
  6. Encrypted data channel established.

Client side (client on the corporate network to ASA CX):
  1. Negotiate algorithms.
  4. Client authenticates the server certificate. The certificate is generated dynamically with the destination name but signed by ASA CX.
  5. Generate encryption keys.
  6. Encrypted data channel established.
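The re-issuance described above, as an added example that is not part of the original deck or of Cisco's code: a Go program using only the standard library that models step 3 (copy subject, names and validity from the origin certificate, sign with the proxy CA) and step 4 (the client's chain and name check). The CA name, hostnames and validity windows are constructed for the example. It shows that the proxied certificate verifies only on a client that trusts the CX root, and that a name mismatch or an expiry in the origin certificate is carried over for the client to reject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds the decryption CA playing the role of the CX self-signed (default) certificate.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ASA CX decryption CA (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// originServerCert is a constructed stand-in for the certificate the real web server
// presents in step 2; self-signed under a throwaway key so the example runs offline.
func originServerCert(name string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: name, Organization: []string{"Example Origin"}},
		DNSNames:     []string{name, "www." + name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// reissue is step 3: copy subject DN, SANs and validity dates from the origin certificate
// into a new leaf bound to a proxy-held key and signed by the CA. The origin certificate is
// deliberately not validated: an expired or misnamed origin yields an equally bad proxied cert.
func reissue(origin, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		RawSubject:   origin.RawSubject, // exact subject DN of the origin
		DNSNames:     origin.DNSNames,
		NotBefore:    origin.NotBefore,
		NotAfter:     origin.NotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return leaf, leafKey, err
}

// clientVerify is step 4 as a browser does it: chain to a trusted root and check the name.
// trustProxyCA models a client that has imported the CX root certificate into its trust store.
func clientVerify(leaf, ca *x509.Certificate, hostname string, trustProxyCA bool, at time.Time) error {
	roots := x509.NewCertPool()
	if trustProxyCA {
		roots.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: at})
	return err
}

func main() {
	ca, caKey, _ := newCA()
	now := time.Now()
	origin, _ := originServerCert("example.com", now.Add(-24*time.Hour), now.Add(24*time.Hour))
	leaf, _, _ := reissue(origin, ca, caKey)
	fmt.Println("issuer:", leaf.Issuer.CommonName, "subject:", leaf.Subject.CommonName, leaf.DNSNames)
	fmt.Println("client without CX root:", clientVerify(leaf, ca, "example.com", false, now))
	fmt.Println("client with CX root:   ", clientVerify(leaf, ca, "example.com", true, now))
}
```

The design point is the asymmetry between the two sessions: the proxy authenticates the real server in step 2 with its own trust decisions, but nothing it learns there is encoded in the re-issued leaf beyond the copied fields, so the client's only signal about the origin is whatever survives the copy (name and dates). Any client that has not imported the proxy root sees an untrusted issuer on every decrypted site.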


Supported Applications 1000+


Supported Micro-Applications 150,000+
Powered by the Cisco Security Intelligence Operation (SIO)
Utilizes Application Signatures
By default, PRSM and CX check for updates every 5 minutes


Broad AVC
  Broad protocol support
  Resides in the data plane
  Less granular control
  Supports:
    Application types, for example e-mail
    Applications, for example Simple Mail Transfer Protocol

Web AVC
  HTTP and decrypted HTTPS only
  More granular control
  Supports:
    Application types, for example Instant Messaging
    Applications, for example Yahoo Messenger
    Application behavior, for example File Transfer



Web reputation scale, from -10 (worst) to +10 (best), as laid out on the slide:

  -10: Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
       Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
       Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
   -5
    0: Sites with some history of responsible behavior or 3rd-party validation.
   +5: Well managed, responsible content syndication networks and user-generated content.
  +10: Sites with a long history of responsible behavior. Have significant volume and are widely accessed.

Default web reputation profile:
  Suspicious:     -10 through -6
  Not suspicious: -5.9 through +10


URL categories are used to enforce acceptable use
  Predefined and custom URL categories
  78 predefined URL categories
  20,000,000+ URLs categorized
  60+ languages
  Powered by the Cisco Security Intelligence Operation (SIO)
  Utilizes application signatures
  By default, PRSM and CX check for updates every 5 minutes


Requires an HTTP request to initiate authentication
  1. ASA CX sees an HTTP request from a client to a remote website
  2. ASA CX redirects the client to the ASA inside interface (port 885 by default). The redirect is a proxy redirect (HTTP return code 307) sent to the client while spoofing the remote website
  3. ASA CX sends the client an authentication request (HTTP return code 401)
  4. After authentication, ASA CX redirects the client back to the remote website (HTTP return code 307)

After authentication, ASA CX uses the client IP address to track the user
  Both HTTP and non-HTTP traffic from that address is now associated with the user
  Consequently, any other host or user sharing that IP address (for example behind a NAT device or on a shared terminal server) inherits the same identity

Integrates with enterprise infrastructure; supported directories include
  Microsoft Active Directory
  OpenLDAP
  IBM Tivoli Directory Server

Endpoint must be a domain member
  Supported for all traffic and all clients
  Utilizes an agent
    The agent gathers information from the Active Directory server and caches it
    ASA CX/PRSM queries the agent for user information
    ASA CX/PRSM queries the Active Directory server for group membership information

Two agents available
  Cisco Active Directory Agent (AD agent): the older agent, a Windows application
  Context Directory Agent (CDA): the newer agent, a standalone Linux-based server that can be run as a VM, with an intuitive web-based GUI and a Cisco IOS-style CLI


[Diagram: the AD Agent or CDA acts as a RADIUS server, and the ASA CX queries it over RADIUS. The agent gathers information from Active Directory over WMI; the ASA CX queries Active Directory for group membership over LDAP. Clients sit behind the ASA CX.]


Policy framework


Policies apply actions to subsets of network traffic. A policy has two main components:
  Policy match: a set of criteria used to match traffic to the policy
  Action: the action taken when the policy is matched

Three types of policies
  Access
  Identity
  Decryption

A policy set is an ordered collection of policies of one type
  For any ASA CX, at most one policy set of each type is in use
  Policies are evaluated top-down and the first match wins: order matters
  At most one policy is matched per policy set
  If no defined policy matches, the implicit policy is enforced

Implicit policies at the end of each policy set
  Access policy sets end with an implicit allow all
  Decryption policy sets end with an implicit do not decrypt
  Identity policy sets end with an implicit do not require authentication

Note that the access set's implicit policy is permissive: traffic that matches no access policy is allowed, so if default-deny behaviour is wanted an explicit deny policy must be placed at the bottom of the set.


Access: what traffic will be allowed or denied?
Identity: how will users be identified?
Decryption: what TLS/SSL traffic should be decrypted?

Policy objects
  Used to create policies
  Classify traffic and are used to decide which policy is matched
  Predefined and user defined
  May be nested
  Many types


URL objects
  Identify traffic based on URL or URL category
  Can only be used as a destination in a policy
  HTTP or HTTPS only
  For HTTPS, the URL object uses information in the subject of the server certificate
  Do not specify the protocol: URL objects match both HTTP and HTTPS
  Contain include and exclude lists of:
    URLs (enter a domain to match any URL in the domain; limited string matching is supported)
    URL categories
    Other URL objects



Application objects
  Identify which application the client is attempting to use
  Utilize the Application Visibility and Control (AVC) functionality of the ASA CX
  Contain:
    Applications recognized by the ASA CX, for example Facebook photos, webmail, Yahoo IM
    Application types, for example Facebook, e-mail, IM
    Other application objects


User-agent string
  Part of the HTTP request header
  Identifies the client OS and agent, for example Safari running on an iPad, or the Windows Update agent
  The string is set by the client and can be changed at will, so it is suitable for steering acceptable-use policy, not for trusting a device's identity

User agent objects
  Can only be used for HTTP traffic
  Can only be used as a source in a policy
  Predefined user agent objects are sufficient for most uses
  Contain:
    User agent strings; an asterisk (*) matches zero or more characters
    Other user agent objects


Secure Mobility objects
  Used to create policies specific to AnyConnect VPN traffic
  Can only be used as a source in a policy
  One exists by default: All remote users
  Others can be created to match specific device types
  Can contain:
    Device types
    Other Secure Mobility objects


Object groups allow for more complicated traffic matching
  Contain collections of entries, or rows
  Elements of each entry are ANDed together
  Entries are then ORed together

Application-Service objects
  Match combinations of applications and services

Destination object groups
  Match combinations of URL objects and network objects

Source object groups
  Match combinations of:
    Network objects
    Identity objects
    User agent objects
    Secure Mobility objects
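The policy-set semantics (top-down, first match, implicit policy) and the object-group semantics (elements within a row ANDed, rows ORed) described above, as one added example that is not the CX implementation or any Cisco code: a Go model of an access and a decryption policy set whose match criteria are object groups, including the URL-object rule that a bare domain matches any URL in that domain regardless of scheme. The flow fields, the policy names, the 10.1.20.0/24 network and the domains are constructed for the example. The two access sets contain the same two policies in opposite order, to show the deny shadowing the exception.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Flow is the view of one connection the engine sees. Host is the HTTP Host header, or the
// server certificate subject for HTTPS. Constructed field set, not the CX data model.
type Flow struct {
	SrcIP net.IP
	User  string
	Host  string
	App   string
}

// Row is one entry of an object group; every non-empty criterion must hold (ANDed).
type Row struct {
	SrcNet *net.IPNet // network object; nil = any source
	User   string     // identity object; "" = any user
	Domain string     // URL object: a bare domain matches any URL in that domain
	App    string     // application object; "" = any application
}

// Group is a set of rows; it matches when any row matches (rows ORed).
type Group []Row

// inDomain applies the URL-object rule without regard to scheme, so HTTP and HTTPS match alike.
func inDomain(host, domain string) bool {
	host, domain = strings.ToLower(host), strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

func (r Row) matches(f Flow) bool {
	if r.SrcNet != nil && !r.SrcNet.Contains(f.SrcIP) {
		return false
	}
	if r.User != "" && r.User != f.User {
		return false
	}
	if r.Domain != "" && !inDomain(f.Host, r.Domain) {
		return false
	}
	return r.App == "" || r.App == f.App
}

func (g Group) matches(f Flow) bool {
	for _, r := range g {
		if r.matches(f) {
			return true
		}
	}
	return false
}

// Policy pairs match criteria with an action; PolicySet is an ordered list plus the
// implicit policy applied when nothing matches.
type Policy struct {
	Name   string
	Match  Group
	Action string
}

type PolicySet struct {
	Policies []Policy
	Implicit string
}

// Evaluate walks the set top-down and stops at the first match: at most one policy
// fires per set, so the order of the policies decides the outcome.
func (ps PolicySet) Evaluate(f Flow) (name, action string) {
	for _, p := range ps.Policies {
		if p.Match.matches(f) {
			return p.Name, p.Action
		}
	}
	return "implicit", ps.Implicit
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Constructed sample policies (hypothetical names and addresses).
var (
	marketingNet = cidr("10.1.20.0/24")
	allowMktgFB  = Policy{"allow-marketing-facebook", Group{{SrcNet: marketingNet, Domain: "facebook.com"}}, "allow"}
	denyFBAll    = Policy{"deny-facebook", Group{{Domain: "facebook.com"}, {App: "Facebook"}}, "deny"}
	// Intended order: the specific exception sits above the general deny.
	AccessSet = PolicySet{[]Policy{allowMktgFB, denyFBAll}, "allow"}
	// Wrong order: the deny shadows the exception, so marketing is blocked as well.
	ShadowedSet = PolicySet{[]Policy{denyFBAll, allowMktgFB}, "allow"}
	// A decryption set ends in the implicit "do not decrypt".
	DecryptSet = PolicySet{[]Policy{{"decrypt-webmail", Group{{Domain: "mail.example.com"}}, "decrypt"}}, "do not decrypt"}
)

func main() {
	mktg := Flow{net.ParseIP("10.1.20.7"), "fred", "www.facebook.com", "Facebook"}
	for _, ps := range []PolicySet{AccessSet, ShadowedSet} {
		name, action := ps.Evaluate(mktg)
		fmt.Printf("%-25s -> %s\n", name, action)
	}
}
```

The `inDomain` check anchors on a label boundary so that `notfacebook.com` does not fall inside the `facebook.com` URL object; a plain substring test would widen the match silently.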

File filtering profile
  HTTP and decrypted HTTPS traffic only
  Blocks the download of specific MIME types
  Blocks the upload of specific MIME types
  (the MIME type is the one the sender declares in the Content-Type header)

Web reputation profile
  HTTP and decrypted HTTPS traffic only
  Web reputation scores for websites are provided by the Cisco Security Intelligence Operations
  Scores range from -10 to +10
  The default profile treats websites with a score from -10 through -6 as suspicious (the default profile cannot be edited or deleted)
  Websites without a reputation score are not considered suspicious, so unrated sites pass the reputation check
  The action taken for a suspicious website depends on the policy type; for example, access policies can block websites of low reputation

Device import


Importing a device into PRSM
  First enter the IP address (or hostname) of the ASA, along with privileged credentials
  The CX module is discovered through the ASA; you must enter the CX admin password to complete the import
  When a device is imported, it is placed into a device group
  Device groups are assigned policy sets, so policies are consistent within a device group
  When the device is imported, you must resolve any policy set naming conflict

[Figure: valid policy set assignment]

[Figure: invalid policy set assignment]

Network and service objects and groups are imported from the ASA during device import
  They are added to the PRSM policy database and are available for policy configuration
  Modifications made to objects on PRSM are not pushed to the ASA
  Modifications made to objects on the ASA are not pushed to PRSM, so the two copies can drift apart after import
  Imported objects are automatically renamed if there are naming conflicts: _<PRSM name for the ASA> is appended to the name of the imported object


Eventing and reporting


The event viewer gives visibility into events generated by the CX module
  Tabs:
    System events
    All events
    Authentication
    ASA (only used if PRSM is a syslog server for ASAs)
    Encrypted Traffic View
    Context Aware Security: shows next generation functionality


Real-time eventing: user-defined refresh interval
Historic eventing: user-defined time range


Filters are used to reduce the number of events displayed
  A filter is a list of attribute-value pairs
  Pairs with the same attribute are ORed together
  The expressions for each attribute are then ANDed together
  Example: Username=Fred Username=Gail Application=Twitter
  means (Username=Fred OR Username=Gail) AND Application=Twitter
  Most attributes support the operators = and !=; some also support > and <

Two ways to add to a filter
  Click a cell in the event viewer: this adds that attribute-value pair to the filter
  Select an attribute (with operator <, = or >) from the Filter drop-down list, then select the value
  If you want the operator to be inequality, you must manually change = to !=

Filters may be saved and recalled
  Saved filters are added to the right-hand side of the Filter drop-down list
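The filter semantics above (same attribute ORed, different attributes ANDed, operators = != < >), as an added example that is not PRSM's code: a Go implementation of the combination rule run over a handful of constructed event rows in the shape of the event viewer. The attribute names, usernames and byte counts are made up for the example. It also shows a consequence of the OR rule that is easy to miss in the UI: two != terms on the same attribute exclude nothing, because every event satisfies at least one of them.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one row of the event viewer as attribute -> value.
type Event map[string]string

// Term is one attribute/operator/value triple from the filter bar.
type Term struct{ Attr, Op, Value string }

// ParseFilter turns "Username=Fred Username=Gail Application=Twitter Bytes>1000" into terms.
// "!=" is tried before "=" so that it is not misread as "=" with a trailing "!" on the attribute.
func ParseFilter(s string) ([]Term, error) {
	var terms []Term
	for _, tok := range strings.Fields(s) {
		found := false
		for _, op := range []string{"!=", "=", "<", ">"} {
			if i := strings.Index(tok, op); i > 0 && i+len(op) < len(tok) {
				terms = append(terms, Term{tok[:i], op, tok[i+len(op):]})
				found = true
				break
			}
		}
		if !found {
			return nil, fmt.Errorf("bad filter term %q", tok)
		}
	}
	return terms, nil
}

// matches evaluates one term. A missing attribute reads as "", so "!=" on an absent
// attribute is true and "=" is false; "<" and ">" require numeric values on both sides.
func (t Term) matches(e Event) bool {
	v := e[t.Attr]
	switch t.Op {
	case "=":
		return v == t.Value
	case "!=":
		return v != t.Value
	}
	a, err1 := strconv.ParseFloat(v, 64)
	b, err2 := strconv.ParseFloat(t.Value, 64)
	if err1 != nil || err2 != nil {
		return false
	}
	if t.Op == "<" {
		return a < b
	}
	return a > b
}

// Matches applies the viewer's rule: terms on the same attribute are ORed, then the
// per-attribute results are ANDed.
func Matches(terms []Term, e Event) bool {
	byAttr := map[string][]Term{}
	var order []string
	for _, t := range terms {
		if _, seen := byAttr[t.Attr]; !seen {
			order = append(order, t.Attr)
		}
		byAttr[t.Attr] = append(byAttr[t.Attr], t)
	}
	for _, attr := range order {
		anyHit := false
		for _, t := range byAttr[attr] {
			if t.matches(e) {
				anyHit = true
				break
			}
		}
		if !anyHit {
			return false
		}
	}
	return true
}

// Apply returns the events that survive the filter.
func Apply(filter string, events []Event) ([]Event, error) {
	terms, err := ParseFilter(filter)
	if err != nil {
		return nil, err
	}
	var out []Event
	for _, e := range events {
		if Matches(terms, e) {
			out = append(out, e)
		}
	}
	return out, nil
}

// SampleEvents is constructed data in the shape of the event viewer, not real CX output.
var SampleEvents = []Event{
	{"Username": "Fred", "Application": "Twitter", "Bytes": "5120"},
	{"Username": "Gail", "Application": "Twitter", "Bytes": "300"},
	{"Username": "Gail", "Application": "Facebook", "Bytes": "900000"},
	{"Username": "Fred", "Application": "Facebook", "Bytes": "40"},
	{"Application": "Twitter", "Bytes": "10"}, // no identity: an unauthenticated flow
}

func main() {
	for _, f := range []string{"Username=Fred Username=Gail Application=Twitter", "Application!=Twitter Bytes>1000"} {
		hits, err := Apply(f, SampleEvents)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-50s %d event(s)\n", f, len(hits))
	}
}
```

When hunting for activity that is not attributable to a user, filter on the identity attribute being empty (here `Username=` is rejected by the parser as written; the unauthenticated row is instead found by the absence of a Username term, or by a dedicated attribute in the real viewer), rather than assuming every event row carries an identity.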

Demonstration


Thank you.