Professional Documents
Culture Documents
Brksec 2236
Brksec 2236
Andrew Ossipov
Distinguished Engineer, Portfolio CTO
BRKSEC-2236
Session Abstract
The network security death rumors are highly exaggerated, and Cisco
Secure Firewall is the best proof of all. Whether you are an
experienced Firepower aficionado, or someone who is open to trying
something new, this session will get you the fix. From a completely
transformed management experience, to blazing-fast new hardware
platforms, to maintaining visibility in the world of pervasive TLS
encryption, there is something for everyone to get at least a little
excited about.
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Your Speaker
Andrew Ossipov
aeo@cisco.com
Distinguished Engineer
Portfolio CTO for Cloud and Network Security
Firewall Architecture, Threat Visibility, Hybrid Cloud, SSE
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex App
Questions?
Use Cisco Webex App to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space Enter your personal notes here
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
FTD ASA
• Introduction
• Platforms
• Threat Prevention
• Connectivity
Agenda • Private and Public Cloud
• Management
• Secure Workload
• Conclusion
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Secure Firewall: Inspect, Infer, and Cooperate
Customers
CloudLock
SaaS
Remote
Umbrella Inbound
Mapping network flows to specific user
actions via cloud application API and CASB
Continue to decrypt inbound for full app threat protection
(IPS, WAF, AMP, API) with minimal functional impact
Outbound
Apps
Campus New-Normal Firewall
TCP inside:192.168.1.11/54397 outside:203.0.113.100/443
TCP inside:192.168.2.110/34624 DC:172.16.45.200/443
TCP outside:198.51.100.231/13945 DC: 172.16.45.201/443
Secure Client Secure Dynamic Attribute
Workload Connector
Client context discovery via passive fingerprinting Workload isolation, posture enforcement,
and trusted endpoint agent cooperation host OS and cloud native API protection
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Firewall Vision: Network, Workload, and Cloud
Single security management plane to abstract end-to-end policy intent from enforcement point specific configuration.
VM 1 VM 2
Firewall Firewall
Secure Workload protects host OS at process and file levels,
selectively inspects network and service mesh traffic with inline
Firewall and API controls, integrates with public cloud and
Logic DB Secure Front Secure cloud-native orchestrators for posture and policy, consumes
Workload Workload
policy as code from DevOps tools.
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Platforms
FTD ASA
1RU
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
FTD ASA
10GE SFP On-board 8x1GE 3105-3120: On-board 8x10GE SFP Hot-swappable interface
Management/Events copper interfaces 3130-3140: On-board 8x25GE SFP expansion module
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
FTD ASA
Up to 7x Boost in
FW+AVC+IPS
Up to 17x Boost in
IPsec VPN
Up to 14x Boost in
TLS
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
FTD
• FTD uses a static CPU core allocation between Data Plane and Snort
FTD on Firepower 4145
Data Plane (32 Cores) “Snort” Advanced Inspection (52 Cores) System (2 cores)
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Threat Protection
Enhance Firewall with Umbrella Cloud Security
• Edge firewall is less effective against some outbound traffic
• Dynamically changing DNS and undecryptable TLS connections
• Selectively redirect DNS, SaaS, and other traffic to Umbrella instead
• Cloud-delivered DNS blocks most threats early with no local cycles spent
• No SaaS traffic decryption with Cloud Security Access Broker (CASB)
CloudLock
Campus Internet
Traditional
Branch FTD Firewall
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
FTD
Firewall Management
Center
3. FTD intercepts DNS request, applies
local policy, and then redirects to Umbrella
2. Client DNS request to any DNS server. with organizational and client metadata.
Campus Umbrella
5. Umbrella response transparently FTD 4. Umbrella sends DNS response.
Branch
delivered to client.
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
FTD
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
FTD
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
FTD
TLS ClientHello
Confidence: 99.94%
Process: firefox.exe
Version: 76.0.1
Category: browser
OS: Windows 10 19041.329
Destination FQDN: cisco.com
https://github.com/cisco/mercury
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
FTD
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
FTD
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
FTD
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Connectivity
FTD
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
FTD
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
FTD ASA
Static/Dynamic VTI
ASA only:
IPsec VPN
SSH
Loopback0
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
FTD
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
FTD
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
SecureX Device Insights: Client Profile Editor
Now
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Private and Public
Cloud
FTD
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Automation with Infrastructure-as-Code
FTD ASA
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
FTD ASA
AWS Cloud
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
FTD ASA
vPC
• Clustering combines multiple firewalls into one logical device
• Seamless scalability up to 16 FTD units with no traffic disruption Cluster
FTD FTD
• Stateful handling of asymmetric traffic and failure recovery
• Single point of management and unified reporting vPC
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
FTD
Custom
Orchestrator
Pull Model: Orchestrator-specific
Dynamic Attribute Connectors for subscribing to
Connector near-real-time updates.
Push Model: FMC REST API for
populating/updating attribute
mappings synchronously.
Label IP Address
FMC WebApp_Logic 192.168.1.151
Windows_OS 192.168.1.120-130
DB_Cluster 172.16.45.90
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Management
FMC
Interface Throughput
Disk Usage
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
FMC
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
FMC
Modified
Responsible User
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
FMC
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Simplified Access Control Policy (ACP) View FMC
7.2
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
FMC
Wizard-style object
definition for all source and
destination properties.
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
FMC
Headend session
utilization heatmap to
avoid oversubscription.
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Cloud-Delivered Firewall Management Center cdFMC
7.2
• Fully-featured FMC experience within Cisco Defense Orchestrator
• Managed backend from platform upgrades to configuration backup
Configuration Secure Analytics
Cloud-hosted DAC instance cdFMC and Logging
for attribute-based policies. Cloud event consumption and full
analytics can co-exist or replace
privately deployed FMC instances.
Dynamic Attribute
Connector Managed FMC cloud instances configure CDO
up to 1000 devices per tenant. Events
SaaS
Private Cloud
LDAP/ISE
Events FTD A local FTD instance is used to
Analytics FMC proxy Identity connections for
Privately managed FMC continues
FTD cloud FMC instances.
to receive events, generate
dashboards and reports.
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
cdFMC
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
cdFMC
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
FMC
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Secure Workload
Secure Workload Functional Overview
• Born for app visibility (Tetration), graduated to microsegmentation
• Employs host OS agents for visibility and built-in firewalls for enforcement
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
End-to-End Application Protection
Hybrid Data Center
Internet
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Workload
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Workload
Inserted rules are Dynamic objects are used to replace Different rulesets are
organized by sections. IP addresses where applicable. scoped by domains.
“I've been involved in many beta programs…I must say that this one has been the
best organized. This beta takes a very active, hands-on approach.”
Higher-Ed Beta Customer
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Complete your Session Survey
• Please complete your session survey
after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (open from Thursday) to
receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or
by logging in to the Session Catalog and clicking the
"Attendee Dashboard” at
https://www.ciscolive.com/emea/learn/sessions/session-
catalog.html
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Continue Your Education
BRKSEC-2236 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Thank you