Firepower NGFW Internet Edge Best Practices
Jeff Fanelli - Principal Security Architect, [email protected] (#jefanell)
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Supercharge your Firepower deployments! This session details multiple Internet edge use cases with and without remote access and site-to-site VPN. Best practices and configuration examples are provided for DUO Multi-Factor Authentication integration, TLS Decrypt, AMP, and 3rd party logging and monitoring. On-box and API management options are also covered. This is NOT an introductory session; attendees should have existing knowledge of Firepower capabilities.
BRKSEC-2112
Important: Hidden Slide Alert
Look for the "For Your Reference" symbol in your PDFs. There is a tremendous amount of hidden content for you to use later! (60+ slides)
Questions? Use Cisco Webex Teams to chat with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot
About Your Speaker
Jeff Fanelli
Email: [email protected]
Principal Security Architect, Global Security Architect Team
Cisco Live U.S. Security SGM
13 years at Cisco
Cisco Firepower Sessions: Building Blocks (Monday to Thursday)
• BRKSEC-3035 Firepower Platform Deep Dive (08:00)
• BRKSEC-3300 Advanced IPS Deployment (13:00)
• BRKSEC-2020 Firepower NGFW in the DC and Enterprise (08:00)
• BRKSEC-3328 FMC Internals: Making FMC Do More (16:00)
• BRKSEC-3032 NGFW Clustering Deep Dive (08:00)
• BRKSEC-2112 Firepower Internet Edge Best Practices (08:00) - We Are Here!
• BRKSEC-2056 Threat Centric Network Security (13:00)
• BRKSEC-2034 Cloud Management of ASA and FTD with CDO (16:00)
• BRKSEC-2066 Optimizing Your Firepower / FTD Deployment (13:00)
• BRKSEC-2101 Deep Dive on ASA to FTD Migration (Monday 09:30)
Agenda
• Management Options
• Internet Edge Use Case
• Security Policy Best Practices
• DUO Multi-Factor Authentication
• Remote Access VPN Use Case
• 3rd Party Integration / monitoring
• APIs
End User Experience vs. Security vs. Horsepower
End users want a good experience!
• Fast loading applications
• Uninterrupted file downloads
• No browser error messages
SecOps wants high security efficacy!
• Full visibility of encrypted traffic
• All network threats blocked
• All files and archives scanned for malware
Advanced Inspection Capabilities use system resources!
• TLS Decryption
• AMP File Inspection
• IPS Inspection
Risk-based Inspection and Control
• Less trustworthy users and devices get more inspection
• Trustworthy apps (SaaS etc.) are trusted by the firewall; inspected in the cloud
• Trust evaluation is continuous and can change!
• Decryption isn't hard, but measure twice and cut once!
Internet Edge
Requirements
Network:
• High Availability (Redundancy)
• Routed Mode
• Remote Access VPN
• Dynamic Routing (OSPF / BGP)
• Dynamic and Static NAT/PAT
Security:
• Application Control along with URL Filtering
• NGIPS and Advanced Malware Protection
• Visibility and Contextual Awareness
• User visibility and identity
• SSL decryption
Solution: Firepower NGFW + Firepower Device Manager + API, or Firepower NGFW + Firepower Management Center
[Diagram: Internet Edge topology - ISP / Service Provider, FW in HA with Port-Channel and HSRP, Campus/Private Network, DMZ Network]
Management designed for the user
Cisco Firepower Device Manager (FDM)
• On-box manager, NetOps focused
• For easy on-box management of a single FTD or pair of FTDs running in HA
Cisco Defense Orchestrator (CDO)
• Cloud based centralized manager, NetOps focused
• For centralized cloud-based policy management of multiple deployments (*for FTD release 6.4 or higher)
Cisco Firepower Management Center (FMC)
• On premise centralized manager, SecOps focused
• Helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment
Common APIs / Security Integrations
FMC Policy Management
• Centralized on premise management across multiple Firepower platforms
• Integrates multiple security features into a single access policy
• Reduces manual configuration of policy through inheritance and template use
Firepower NGFW Network Discovery
Provides the right data, at the right time, in the right format
• Discovers applications, users, and hosts through passive analysis of network traffic
• Provides context and helps determine the impact of attacks
• Tunes IPS signature sets to devices discovered on the network
Automate Security Response with Correlation Policy
• Automate Security Decisions
• Track Business Outcome
• Trigger Automated Response
  • Syslog
  • SNMP
  • Remediation Module
  • Integration with ISE and other Cisco/3rd party products
[Diagram: 100,000 events -> Correlation Policy -> Correlation Rules -> 3 Correlation Events -> Action]
Firepower Device Manager (FDM)
Set up easily / Control access and set policies / Automate Configuration / Enhanced Control
• Integrated on-box option for single instance deployment
• Physical and virtual options
• Easy set-up, NAT and Routing
• Role-based access control
• Intrusion and Malware prevention
• High availability
• Device monitoring
• VPN support
Cisco Defense Orchestrator (CDO): Unified Firewall Management and Policy
Unifying management through APIs
• Achieve operational efficiency
• Integrate with ecosystem
• Automate complex tasks at scale
• Everyone can use the APIs for automation
• FDM and CDO use the FTD APIs
[Diagram: Automation scripts and orchestration tools (NSO, DNAC, Ansible, AlgoSec, Tufin) drive FMC, CDO and FDM, which manage the FTD devices]
Visibility and Analytics Beyond Network Discovery
• Close integration of FMC with AMP for Endpoints
• Standards-based threat indicators (STIX/TAXII)
  • Threat Intelligence Director (CTID)
• Drive down TTR with broad detection and collation
  • Cisco Threat Response
• Leverage other Cisco and 3rd party products to extend visibility
  • FMC External Cisco Lookups
• Leverage SIEMs with Unified Events
Access Control Policy
Guiding Principles
• Use rule groupings for separation (i.e. inbound vs. outbound rules)
• Use separate rules for highly trusted traffic
• Disable logging (per rule) where not needed
FQDN Objects
• FQDN = Fully Qualified Domain Name
• Permit/Deny traffic based on Domain Name (FQDN)
• Ability to resolve the FQDN to an IP address
• Useful for any application / protocol
FQDN Objects Workflow
FQDN network objects can be configured in access rules in the source networks and/or destination networks fields.
DNS settings for the data and management interfaces are configured from System Settings.
Configuration (Firepower Device Manager):
• User configures the DNS server group object parameters.
• User associates the DNS server group object to DNS Settings.
• User creates FQDN objects.
• User associates the FQDN object in source and/or destination in the Access Rule.
• User deploys the configuration.
FQDN Workflow for Firepower Management Center
Configuration:
• User configures the FQDN source and destination objects
• User configures the DNS server object parameters
• Use the DNS object in Platform Settings
• Use the FQDN in the Access Rule and deploy the changes
Creating DNS Server Group
Access Control Policy Rule with FQDN Objects on FMC
FQDN network objects can be configured in access rules in the source networks and/or destination networks fields.
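As an added illustration (not Cisco code and not part of this deck), the Python model below shows what an FQDN object match comes down to once deployed: the firewall resolves the object's name through its DNS server group, keeps the answer until the TTL expires, and an access rule referencing the object matches only destinations that are currently in that resolved set. The resolver, the TTL-driven cache and the first-match rule evaluation are assumptions of the model; the names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the DNS server group: fqdn -> (addresses, TTL in seconds).
FAKE_DNS = {
    "updates.example.com": (["203.0.113.10", "203.0.113.11"], 300),
    "cdn.example.net": (["198.51.100.5"], 60),
}


def fake_resolve(fqdn):
    """Stand-in resolver (assumption); a real firewall queries its configured DNS server group."""
    addrs, ttl = FAKE_DNS.get(fqdn, ([], 0))
    return addrs, ttl


@dataclass
class FqdnObject:
    """An FQDN network object plus the firewall's cached resolution of it."""
    name: str
    fqdn: str
    addresses: set = field(default_factory=set)
    expires_at: float = 0.0  # 0 forces a lookup on first use

    def refresh(self, now, resolve=fake_resolve):
        """Re-resolve once the cached answer's TTL has run out. Returns True if a lookup happened."""
        if now < self.expires_at:
            return False
        addrs, ttl = resolve(self.fqdn)
        self.addresses = {ipaddress.ip_address(a) for a in addrs}
        self.expires_at = now + ttl
        return True


@dataclass
class AccessRule:
    name: str
    action: str          # "allow" or "block"
    dst_objects: list    # FqdnObject instances in the destination networks field


def evaluate(rules, dst_ip, now, resolve=fake_resolve):
    """First-match evaluation of the destination field; unmatched traffic hits the default block."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        for obj in rule.dst_objects:
            obj.refresh(now, resolve)
            if dst in obj.addresses:
                return rule.name, rule.action
    return "default", "block"


if __name__ == "__main__":
    policy = [
        AccessRule("allow-updates", "allow", [FqdnObject("net-updates", "updates.example.com")]),
        AccessRule("block-cdn", "block", [FqdnObject("net-cdn", "cdn.example.net")]),
    ]
    for ip in ("203.0.113.11", "198.51.100.5", "192.0.2.9"):
        print(ip, "->", evaluate(policy, ip, now=0))
```

The model makes one operational point visible: the match is against the firewall's own resolution, so a destination whose DNS answer changed after the firewall's last lookup does not match until the TTL expires and the object is refreshed.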
Identity Use Cases
• Associate traffic to users and devices (IoT etc.)
• Access based on users, groups and TrustSec tag
Method         | Source                                                 | LDAP/AD     | Authoritative?
Active         | Forced authentication through device                   | LDAP and AD | yes
Passive        | Identity and IP mapping from AD Agent (best practice!) | AD          | yes
User Discovery | Username scraped from traffic, passive from the wire   | LDAP and AD | no
User Discovery
• Deduces user identity by passively analyzing network traffic
• Considered non-authoritative
• Cannot be used in access control policies
Active and Passive Authentication
• Passive authentication
  • IP-to-user mappings are learned from ISE or the Firepower User Agent
• Active authentication
  • Also called captive portal
  • Redirects user to HTTPS server running on the firewall
  • User authenticates with username and password
• Identity policy
  • Specifies what traffic requires active, passive or no authentication
  • Attached to an access control policy
Cisco Firepower User Agent
• Monitors users when they log in and out of hosts or authenticate with Active Directory credentials
• The User Agent does not report failed login attempts
• The agents associate users with IP addresses
• Can use one agent to monitor user activity
  • Up to five Active Directory servers
  • Send encrypted data to up to five Firepower Management Centers
Identity Services Engine Integration
Uses pxGrid protocol to retrieve:
• ISE username (can map to Active Directory)
• Device type profile & location
• TrustSec Scalable Group Tag (SGT)
• ISE-PIC provides username identity only
All ISE retrieved attributes can be used in:
• Access Policies
• Decryption Policies
• QoS Policies
• FMC has 64k tested user limit
• Mappings sent to all firewalls
Firepower Device Manager Passive Identity Support
Identity Services Engine – Passive Identity Connector
• User identity mappings learned by firewall
• Each firewall forms pxGrid peering with ISE / ISE-PIC directly
• Active Directory information only, no TrustSec tag support (*6.5!)
• Ability to filter identity mappings by subnet per firewall
Firepower Device Manager Identity Rule Examples
• Active Identity Rules will use ISE-PIC with HTTP authentication
• Default Passive Auth rule will use ISE-PIC and / or VPN identity sources
What's in the Default IPS & Network Access Policies?
Connectivity Over Security
• CVSS Score 10, 2 years
• 499 rules
• 15 preprocessors enabled
Balanced Security and Connectivity
• CVSS Score 9 or higher, 2 years
• 9250 rules
• 15 preprocessors enabled
Security Over Connectivity
• CVSS Score 8 or higher, 3 years
• 12706 rules
• 17 preprocessors enabled
Custom IPS Policy
IPS Policy Customization in Firepower Device Manager
• Signature Details
• Ability to set event action:
  • Alert
  • Drop
  • Disabled
AMP Best Practices
• Block "forbidden" file types (.exe etc.)
• Block malware for all known file types
• Block malware with additional "local analysis" based on firewall sizing / load
• Detect Files "catch all" to log any file transfers we didn't inspect
Network & URL-Based Security Intelligence
• Block traffic to IP addresses and URLs with bad reputation
• TALOS dynamic feed, 3rd party feeds
• Multiple Actions: Allow, Monitor, Block, Interactive Block
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware matches
• Black/White-list IP / URL with one click
• Blocked traffic not subject to additional inspection. Logged separately!
[Screenshot: URL-SI Categories]
Network & URL-Based Security Intelligence in FDM
• Network (IP address) and URL categories only in Firepower Device Manager
• Part of "Threat License"
• Network (IP address) feed will act on all connections, including encrypted flows!
[Screenshot: Network S.I. Categories]
Security Intelligence Network & URL Categories
Category      | Description
Attacker      | Active scanners and blacklisted hosts known for outbound malicious activity
Malware       | Sites that host malware binaries or exploit kits
Phishing      | Sites that host phishing pages
Spam          | Mail hosts that are known for sending spam
Bots          | Sites that host binary malware droppers
CnC           | Sites that host command and control servers for botnets
Open Proxy    | Open proxies that allow anonymous web browsing
Open Relay    | Open mail relays that are known to be used for spam
Tor Exit Node | Tor exit nodes
Bogon         | Bogon networks and unallocated IP addresses
DNS Inspection (*FMC managed Firepower only)
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
[Screenshot: DNS List Action]
Additional Categories for DNS Security Intelligence Feeds
Same categories as Network and URL feeds plus the following:
Category    | Description
DGA         | Malware algorithms used to generate a large number of domain names acting as rendezvous points with their command and control servers
Exploit Kit | Software kit designed to identify software vulnerabilities in client machines
Response    | A list of IPs/URLs that appear to be actively participating in malicious/suspicious activity
Suspicious  | Files that appear to be suspicious and have characteristics that resemble known malware
Why Decrypt?
• Needed for AMP, IPS and URL Security Intelligence feeds
• Not just for decryption!
  • Block connections to "weak" servers
• Needed for micro-application controls (i.e. "Facebook Games")
• Performed in hardware on Firepower 1000, 2100, 4100, and 9300
• Selective Decrypt is a Best Practice
Decrypt requirements
• Upload Certificate Authority "signing" certificate and private key to Firepower Device Manager (or FMC)
• Trust this certificate on all client devices (think MDM)
• "Decrypt Re-Sign" for Internet sites
• User Identity (optional)
Why selective decrypt?
• Reduced firewall throughput
• Many applications will break:
  • Public Key Pinning
  • Client certificate authentication
• Clients without Enterprise Certificate Authority trust will get browser errors
• Do not decrypt rules may require breaking sessions (client reset)
How does Firepower know what to decrypt?
Decryption policy rules can match on:
• Zones / Networks / Protocols
• User identity
Need to see the TLS Server Hello for these:
• Applications / Risk Levels / Categories
• Certificate Matching / Certificate Distinguished Name / Issuer
• Certificate attributes / expiry
• Cipher Suite & Version
What changes with TLS 1.3?
Decryption policy rules can match on:
• Zones / Networks / Protocols
• User identity
Need to spoof the client to match on:
• Applications / Risk Levels / Categories
• Certificate Matching / Certificate Distinguished Name / Issuer
• Certificate attributes / expiry
• Cipher Suite & Version
What if the server doesn't advertise TLS 1.3?
• If we see the client advertise support for TLS 1.3 and the connection MIGHT match a decrypt rule, we have to spoof
• If we don't, and the server responds with TLS 1.3, we will be blind to the response
• After the spoofed Client Hello, the server response is seen for the decrypt decision
• The spoofed Client Hello advertises TLS 1.2 only, called a "downgrade"
• Server certificate cached for next
Aggressive TLS 1.3 downgrade client experience?
Client with trusted CA cert installed:
• "Decrypt session" = no client problem
• "Do not decrypt session" when the firewall had no cached certificate = browser error
  • ERR_SSL_PROTOCOL_ERROR
  • SEC_ERROR_BAD_SIGNATURE
  • ERR_SSL_VERSION_INTERFERENCE
Client without trusted CA cert installed:
• Constant browser certificate errors
Disable Aggressive TLS 1.3 downgrade?
Session matching a Decrypt rule:
• Connection is downgraded and the server responds with a TLS 1.2 session
• In some scenarios, if we did not downgrade the Client Hello we cannot decrypt the TLS 1.3 session and will have to either "Do not decrypt" the flow or block / reset the flow.
Disabling Aggressive downgrade
• In Firepower 6.2.3-7 or later:
  • "system support ssl-client-hello-enabled aggressive_tls13_downgrade false"
[Diagram: slider between Security and Usability]
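To make the decision path on the last few slides concrete, here is an added Python model of the aggressive TLS 1.3 downgrade logic as the slides describe it (my illustration, not Firepower code). It walks one connection through the cases: no possible decrypt match (pass through), a TLS 1.2 handshake (certificate visible as usual), a cached server certificate (decide without touching the Client Hello), the spoofed TLS 1.2-only Client Hello (decrypt works; a "do not decrypt" verdict leaves the client with a version-interference error), and downgrade disabled (a TLS 1.3 server response cannot be decrypted, so the flow is passed or blocked). The Flow and Firewall classes, the certificate cache and the undecryptable_action setting are assumptions of the model; the server names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Flow:
    server: str
    client_offers_tls13: bool
    server_supports_tls13: bool
    might_match_decrypt: bool      # judged from zones / networks / protocols / user identity
    decrypt_after_cert: bool       # verdict once certificate, category and cipher fields are visible
    client_trusts_ca: bool = True  # client has the firewall's signing CA installed


@dataclass
class Firewall:
    aggressive_downgrade: bool = True
    undecryptable_action: str = "do-not-decrypt"      # or "block" (assumed knob for the model)
    cert_cache: set = field(default_factory=set)      # servers whose certificate was seen before

    def _resign(self, flow):
        # Decrypt Re-Sign: the client is shown a certificate issued by the firewall's CA
        return "decrypt", ("ok" if flow.client_trusts_ca else "certificate-error")

    def _cert_verdict(self, flow):
        return self._resign(flow) if flow.decrypt_after_cert else ("do-not-decrypt", "ok")

    def handle(self, flow):
        """Return (verdict, client_experience) for one TLS connection."""
        if not flow.might_match_decrypt:
            return "do-not-decrypt", "ok"                  # nothing to spoof, pass through
        if not (flow.client_offers_tls13 and flow.server_supports_tls13):
            # Ordinary TLS 1.2 handshake: the Server Hello and certificate are visible
            self.cert_cache.add(flow.server)
            return self._cert_verdict(flow)
        if flow.server in self.cert_cache:
            # Cached certificate lets us decide without altering the Client Hello
            return self._cert_verdict(flow)
        if not self.aggressive_downgrade:
            # Untouched hello: server answers TLS 1.3 and the firewall is blind to the response
            verdict = self.undecryptable_action
            return verdict, ("reset" if verdict == "block" else "ok")
        # Spoofed TLS 1.2-only Client Hello ("downgrade"); the server replies with TLS 1.2
        self.cert_cache.add(flow.server)
        if flow.decrypt_after_cert:
            return self._resign(flow)
        # Client offered 1.3 but the session came back as 1.2: version interference
        return "do-not-decrypt", "browser-version-error"


if __name__ == "__main__":
    fw = Firewall()
    bank = Flow("bank.example.com", True, True, True, decrypt_after_cert=False)
    print("first visit :", fw.handle(bank))    # downgraded, then "do not decrypt" -> browser error
    print("second visit:", fw.handle(bank))    # certificate cached -> no downgrade needed
    print("no downgrade:", Firewall(aggressive_downgrade=False).handle(bank))
```

Running the two visits back to back shows why the first connection to a "do not decrypt" site is the one users complain about, and why a block list of never-decrypt destinations by network (the first of the Do Not Decrypt options) avoids the spoof altogether.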
What should I consider excepting from decryption?
• Enterprise SaaS applications
  • Office 365, Cloud Backups, etc.
• Cloud Infrastructure Services
  • Apple / Azure / AWS / GCP
• Traffic from personal devices on guest / segregated networks
• Trusted source networks
• Trusted / managed devices
Do Not Decrypt options
1. By destination network / IP rules (i.e. 17.0.0.0/8 for Apple)
2. By source network (BYOD devices)
3. By server certificate Distinguished Name field (site you don't want to decrypt)
4. By application / web category (banking, social media etc.)
What about other encrypted communications?
• There are several other encrypted transports growing in use:
  • QUIC is mostly used by Google (YouTube)
  • DNS over HTTPS (optionally used by Firefox) and DNS over TLS
• Blocking these will cause the clients to fall back to standard TLS / DNS
Multi Factor Authentication (MFA)
DUO Use Cases for Multi-Factor Authentication
Adaptive MFA:
1. Verify User Trust
2. Verify Device Trust
3. Controls for Every App
• Mobile security without MDM
• Unified Endpoint Visibility
• Easier Remote Access
• Zero Trust / BeyondCorp
Duo & AnyConnect Secure Remote Access
● Secure AnyConnect in < 30 minutes
● User authentication in seconds
● Works with AnyConnect thick client on ASA with (RADIUS & SAML) & SSL VPN
● Firepower & Duo (via RADIUS)
DUO RADIUS Integration with Firepower overview
DUO RADIUS Proxy (Windows or Linux)
• Follow DUO portal instructions for RADIUS Proxy deployment
• Config file contains your DUO account API information
• Optionally, configure RADIUS proxy to authenticate password requests to Active Directory or RADIUS (Cisco ISE)
DUO Administrative Portal
• Create new "Application" -> Cisco RADIUS VPN
• Make note of Integration Key, Secret Key, and API Hostname
• Create global Policy options to choose:
  • authentication methods
  • mobile device requirements
Firepower Management Center + DUO for VPN
• Add DUO RADIUS Group & Server(s)
• Configure VPN Profile
  • Primary authentication can be AD / ISE / 3rd party AAA
  • Authorization set for DUO RADIUS
• Alternate option to use DUO for primary authentication
[Screenshot: VPN profile settings if using DUO for Authorization only!]
Firepower Management Center Admin Login w/DUO
System -> Users -> External Auth
• Add RADIUS External Auth Object
  • Hostname / RADIUS Secret
  • Ensure "Timeout" is at least 30 seconds
  • Choose "Administrator" as Default User Role
Firepower Management Center + DUO Admin Login
Management access configured for DUO RADIUS Group!
Last step: DUO RADIUS server must be configured to pass through the RADIUS attribute for login role.
ISE Example:
Access Type = ACCESS_ACCEPT
cisco-av-pair = fdm.userrole.authority.admin
Firepower Device Manager + RBAC + DUO
• RADIUS support for Management Authentication
• 3 system-defined user roles
  • READ_ONLY
  • READ_WRITE
    • Cannot perform system critical actions like Upgrade, Restore etc.
  • ADMIN
• Ability to monitor active user sessions and delete a user session
How It Works
[Diagram: DUO RADIUS login flow, steps 1 to 8]
RADIUS configuration
DUO RADIUS server must be configured to pass through the RADIUS attribute for login role. The role attribute must come from the upstream RADIUS server (ISE).
ISE Example (only specify one role!):
Access Type = ACCESS_ACCEPT
cisco-av-pair = fdm.userrole.authority.admin
cisco-av-pair = fdm.userrole.authority.ro
cisco-av-pair = fdm.userrole.authority.rw
Firepower Device Manager Audit Log
User Login Events as well as other user actions (deployments, etc.) will show up here.
Firepower VPN RADIUS Attributes
Upstream attributes sent from Firepower Threat Defense to the RADIUS server for VPN connections:
• 146 - Tunnel Group Name or Connection Profile Name
• 150 - Client Type (applicable values: 2 = AnyConnect Client SSL VPN, 6 = AnyConnect Client IPsec VPN (IKEv2))
• 151 - Session Type (applicable values: 1 = AnyConnect Client SSL VPN, 2 = AnyConnect Client IPsec VPN (IKEv2))
RADIUS attributes 146 and 150 are sent for authentication and authorization requests. Use these to determine the authorization policy on the RADIUS server (ISE etc.).
All three (146, 150, and 151) are sent for accounting start, interim-update, and stop requests.
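Added example (not Cisco code) covering both the login-role attribute on the RADIUS configuration slides and the VPN attributes above: two small Python helpers that apply those rules on the consumer side. fdm_role_from_access_accept extracts the FDM role from the cisco-av-pair values in an Access-Accept and rejects the "more than one role" case the slide warns about, so a misconfigured upstream policy fails closed rather than granting an ambiguous role; describe_vpn_request checks that an authentication, authorization or accounting request carries the attributes FTD sends (146 and 150, or 146, 150 and 151) and decodes the client and session type values. The (name, value) list and the attribute-number dictionary are assumed representations of the RADIUS packet, and the tunnel group name is constructed.

```python
FDM_ROLE_PREFIX = "fdm.userrole.authority."
# av-pair suffix -> the FDM system-defined role it selects
FDM_ROLES = {"admin": "ADMIN", "ro": "READ_ONLY", "rw": "READ_WRITE"}


def fdm_role_from_access_accept(avpairs):
    """Return the FDM role carried in cisco-av-pair, or None when no role attribute is present.

    avpairs is a list of (attribute_name, value) tuples (assumed representation of the
    Access-Accept). Exactly one role is accepted; several roles or an unknown role raise.
    """
    roles = set()
    for name, value in avpairs:
        if name != "cisco-av-pair" or not value.startswith(FDM_ROLE_PREFIX):
            continue                      # other av-pairs (ACLs, VLANs, ...) are not roles
        suffix = value[len(FDM_ROLE_PREFIX):]
        if suffix not in FDM_ROLES:
            raise ValueError(f"unknown FDM role attribute: {value}")
        roles.add(FDM_ROLES[suffix])
    if len(roles) > 1:
        raise ValueError(f"more than one role in Access-Accept: {sorted(roles)}")
    return roles.pop() if roles else None


# VPN attributes sent upstream by FTD (values taken from the slide)
CLIENT_TYPE = {2: "AnyConnect Client SSL VPN", 6: "AnyConnect Client IPsec VPN (IKEv2)"}   # attribute 150
SESSION_TYPE = {1: "AnyConnect Client SSL VPN", 2: "AnyConnect Client IPsec VPN (IKEv2)"}  # attribute 151
EXPECTED = {
    "authentication": {146, 150},
    "authorization": {146, 150},
    "accounting": {146, 150, 151},
}


def describe_vpn_request(kind, attrs):
    """Validate that a request of the given kind carries the attributes FTD sends, and decode them.

    attrs maps the RADIUS attribute number to its value (assumed representation).
    """
    missing = EXPECTED[kind] - set(attrs)
    if missing:
        raise ValueError(f"{kind} request missing attribute(s) {sorted(missing)}")
    out = {
        "tunnel_group": attrs[146],
        "client_type": CLIENT_TYPE.get(attrs[150], f"unknown ({attrs[150]})"),
    }
    if 151 in attrs:
        out["session_type"] = SESSION_TYPE.get(attrs[151], f"unknown ({attrs[151]})")
    return out


if __name__ == "__main__":
    print(fdm_role_from_access_accept([("cisco-av-pair", "fdm.userrole.authority.rw")]))
    print(describe_vpn_request("accounting", {146: "RA-VPN-Employees", 150: 2, 151: 1}))
```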
Branch Use Case: WAN Edge Firewall with Direct Internet Access
[Diagram: NGFW with "Outside" interface to the Internet, "Inside" interface to the Local Area Network, "MPLS" interface to the MPLS WAN with OSPF Routing; VPN Tunnel over the Internet to the Internet Edge]
Requirements
Connectivity and Availability:
• MPLS Primary Network Connectivity
• Direct Internet Access for LAN Traffic
• VPN Tunnel as WAN Backup (Hub and Spoke)
• Standalone or High Availability NGFW
• Will manage Firewall over VPN
Routing:
• OSPF Routing (or BGP) for MPLS WAN
• Static or learned routes for Internet
• Dynamic NAT/PAT for outbound Internet traffic
Security & Identity:
• Application Control + URL Acceptable Use
• IPS and Malware protection
Ordered Steps for Remote Site Configuration
• Create Shared Access Policy
• Add firewalls to management console
• Configure Interfaces and static routes on each firewall
• Configure dynamic routing for dedicated WAN (optional)
• Configure Shared VPN Policy
• Deploy policies
• Re-address firewalls for remote site and bring on-line!
Headquarters and Branch NGFW Example
Shared Access Policy for all sites
• Allow traffic from all Branch and HQ LAN subnets to each other
Adding Firewall to Firepower Management Center
• Host = Out of band management IP
• Must be reachable by FMC
• Can add with temporary "staging" IP if "NAT ID" field is used (don't forget this!)
• Device can be set to "offline" in FMC: Devices -> Device Management -> Device TAB -> Management
Branch NGFW Use Case – Interface Configuration
Outside / Inside / MPLS interfaces configuration (Static IP)
• Can have dual MPLS and multiple inside interfaces / LAN segments
Headquarters and Branch NGFW Example
HUB (Headquarters) Static Routes:
• Note "floating static routes" for all remote branch subnets to Internet gateway!
HQ & Branch OSPF Routing Configuration for MPLS:
• Redistributing "connected" and "static" routes to OSPF
Single Hub & Spoke Site to Site VPN Configuration
• Static "outside" IP Addresses on HUB and all Spoke firewalls
Create Hub and Spoke IKEv2 VPN Topology with all default settings
• DISABLE Reverse Route Injection on IPSec Tab or OSPF routes are ignored
Dynamic Endpoint option for sites with DHCP Outside Interface
• Set Crypto Map type to Dynamic in IPSec Tab. Hub + Spokes as Bi-directional
Best Practice: Disable Health Monitoring Interface Warnings
• Will prevent FMC warnings when no traffic seen on an interface
Deploy Configurations To All Firewalls
• FTD configurations are pushed to firewalls via the "SFTUNNEL" secure communications channel over the management interface
• After configuration deployment, the management interface can be changed for the target site
Manually Changing FTD Management IP Address
Serial console connection to the firewall is easiest (can also be done via SSH)
• configure network ipv4 manual <IP> <MASK> <GW>
Both IPv4 and IPv6 management addresses may be configured and used for SSH to the firewall.
Only IPv4 -or- IPv6 will be used for SFTUNNEL communication to Firepower Management Center.
Bring Spoke Firewalls Online
After connecting interface cables, the firewall should come online (verify ICMP ping to next hop on all interfaces).
If no dedicated WAN, the spoke VPN tunnel should immediately come up.
Optional: Verify with "show crypto ipsec sa" via CLI.
Don't forget! Configure FMC with the new management IP of the device and turn management back on!
Headquarters and Branch NGFW Example
Best Practice: Use of Groups in FMC for organisation
• GREEN status bubble indicates firewall is online and reachable from FMC
• Same policy sets applied to all branch firewalls
Headquarters and Branch NGFW Example
Benefits and Caveats
• OSPF routes from private WAN will always be preferred
• Routing "failover" time to VPN tunnel will depend upon OSPF Hello & Dead Interval values (must use FlexConfig to change)
• Spoke-to-spoke traffic will transit VPN hub for sites with WAN down (only for static IP spokes!)
• Use dynamic spoke option for DHCP addressed sites.
• Static spoke supports tunnel creation from hub or spoke
• Add "VPN only" network route to keep tunnels forced up
Headquarters and Branch NGFW ExampleHQ Firewall Routing Table with all site MPLS links UP
• FTDv-A Hub Site routing table (branch site routing tables will look similar)
100BRKSEC-2112
Learned OSPF routes from MPLS WAN for Branch LANs
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Headquarters and Branch NGFW Example
HQ Firewall Routing Table with MPLS links to FTDv-C Branch DOWN
• FTDv-A Hub Site routing table
• OSPF route for the Branch LAN replaced by a “floating static” route to outside (VPN)
Headquarters and Branch NGFW Example
HQ Firewall Routing Table with MPLS links to FTDv-C Branch DOWN
• FTDv-B Branch routing table
• OSPF route for the Branch FTDv-C LAN now points to the MPLS-connected Hub firewall
• FTDv-B branch will “talk” through MPLS to the Hub site, then over the VPN connection to FTDv-C
Multi-Instance for Firepower 4100/9300
• Allows organizations to deploy independent tenants for multiple departments or customers
• Resource and Management Separation
• Instances are fully independent and fault tolerant
• Smooth workflow enabling faster provisioning
• 7-18 instances (FP9300 and FP4100s only)
• Up to 18 instances per module (54 per chassis) with the newest FP9300 SM-56 module
• Multi-Instance is free – no SKU
(Diagram: container instances FTD1, FTD2, FTD3 and FTD4 on one chassis)
See also BRKSEC-3035 Firepower Platform Deep Dive, Wednesday 8:00
Unified Event Service
• Connection & IPS events can be sent directly from FTD
• Events can be sent from management or data interfaces
• SIEM Integration / any syslog server
• eStreamer not required
• Offload connection events from the FMC
Fully Qualified Events / Unified Syslog
• Unifying syslog output between Lina and Snort
• Data Interface support for Snort event syslogs
• Management Interface support for Lina (diagnostic) event syslogs
• Delivery of Snort event syslogs over TCP
• New event ID/category in Snort syslogs to make consumer-side filtering easier
• 430001 - Intrusion Event
• 430002 - Beginning of Connection
• 430003 - End of Connection
• Reduced the size of Snort event syslogs
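A parser for the unified syslog format described on this slide, added here as an example (it is not code from the deck or from Cisco). It recognises the 430001/430002/430003 Snort event IDs as comma-separated key/value bodies and the ASA-style Lina 302013 connection message, then counts intrusion events per source IP and connections ended by a Block rule, which is the kind of consumer-side filtering the new event IDs are meant to make easy. The sample lines, the policy and rule names and the hostname ftd-edge are constructed for the example.

```python
"""Parse FTD unified syslog (Snort 430001-430003) and Lina connection lines.

Added example, not from the deck. The message IDs and field names follow the
unified syslog format the slide describes; the sample lines below are
constructed for the example and are not real events.
"""
import re
from collections import Counter

# Event IDs introduced with unified syslog (from the slide).
SNORT_EVENT_IDS = {
    430001: "intrusion",
    430002: "connection-start",
    430003: "connection-end",
}

# Every FTD syslog body starts with "%FTD-<severity>-<message id>: ".
_HDR = re.compile(r"%FTD-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")

# Lina 302013 "Built ... connection" is ASA-style free text, not key/value.
_LINA_BUILT = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn>\d+) "
    r"for (?P<src_ifc>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) .*?"
    r"to (?P<dst_ifc>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_line(line):
    """Return a dict describing the event, or None if the line is not FTD syslog."""
    m = _HDR.search(line)
    if not m:
        return None
    msg_id = int(m.group("id"))
    event = {"id": msg_id, "severity": int(m.group("sev"))}
    body = m.group("body")
    if msg_id in SNORT_EVENT_IDS:
        event["kind"] = SNORT_EVENT_IDS[msg_id]
        # Snort events are a flat ", "-separated list of "Key: Value" pairs.
        # A value that itself contains ", " (rare, e.g. a URL) would be split;
        # a production parser should split on the known key names instead.
        for pair in body.split(", "):
            key, sep, value = pair.partition(": ")
            if sep:
                event[key] = value
        return event
    lina = _LINA_BUILT.search(body)
    if lina:
        event["kind"] = "lina-connection"
        event.update(lina.groupdict())
        return event
    event["kind"] = "other"
    return event


def summarize(lines):
    """Count intrusion events per source IP and connections ended by a Block rule."""
    intrusions_by_src = Counter()
    blocked = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "intrusion":
            intrusions_by_src[ev.get("SrcIP", "unknown")] += 1
        elif ev["kind"] == "connection-end" and ev.get("AccessControlRuleAction") == "Block":
            blocked += 1
    return intrusions_by_src, blocked


# Constructed sample lines (not real events); <161> = local4.alert, <166> = local4.info.
SAMPLE_LINES = [
    "<161>2019-06-11T10:00:01Z ftd-edge %FTD-1-430001: EventPriority: High, DeviceUUID: 1, "
    "InstanceID: 1, FirstPacketSecond: 2019-06-11T10:00:01Z, ConnectionID: 4001, "
    "SrcIP: 10.1.1.50, DstIP: 203.0.113.10, SrcPort: 52011, DstPort: 80, Protocol: tcp, "
    "IngressZone: inside, EgressZone: outside, Priority: 1, GID: 1, SID: 1000001, "
    "Message: LOCAL example signature, Classification: Attempted User Privilege Gain, "
    "InlineResult: Dropped",
    "<161>2019-06-11T10:00:02Z ftd-edge %FTD-1-430001: EventPriority: High, DeviceUUID: 1, "
    "InstanceID: 1, FirstPacketSecond: 2019-06-11T10:00:02Z, ConnectionID: 4004, "
    "SrcIP: 10.1.1.50, DstIP: 203.0.113.11, SrcPort: 52013, DstPort: 80, Protocol: tcp, "
    "IngressZone: inside, EgressZone: outside, Priority: 1, GID: 1, SID: 1000002, "
    "Message: LOCAL second example signature, Classification: Web Application Attack, "
    "InlineResult: Dropped",
    "<166>2019-06-11T10:00:03Z ftd-edge %FTD-6-430002: AccessControlRuleAction: Allow, "
    "SrcIP: 10.1.1.51, DstIP: 203.0.113.20, SrcPort: 52012, DstPort: 443, Protocol: tcp, "
    "IngressZone: inside, EgressZone: outside, ACPolicy: Edge-ACP, "
    "AccessControlRuleName: Allow-Web, ConnectionID: 4002",
    "<166>2019-06-11T10:00:04Z ftd-edge %FTD-6-430003: AccessControlRuleAction: Block, "
    "SrcIP: 10.1.1.52, DstIP: 198.51.100.9, SrcPort: 40000, DstPort: 23, Protocol: tcp, "
    "ACPolicy: Edge-ACP, AccessControlRuleName: Block-Telnet, ConnectionID: 4003, "
    "InitiatorPackets: 1, ResponderPackets: 0",
    "<166>2019-06-11T10:00:05Z ftd-edge %FTD-6-302013: Built outbound TCP connection 4002 for "
    "outside:203.0.113.20/443 (203.0.113.20/443) to inside:10.1.1.51/52012 (198.51.100.2/52012)",
    "Jun 11 10:00:06 other-host sshd[123]: Accepted publickey for admin",
]

if __name__ == "__main__":
    by_src, blocked = summarize(SAMPLE_LINES)
    print("intrusions per source:", dict(by_src), "| blocked connections:", blocked)
```

The same key/value split works for the other Snort event fields (ACPolicy, AccessControlRuleName, IngressZone) because the unified format keeps them on one line, which is what makes a SIEM field extraction on these three IDs far simpler than matching the older free-text Lina messages.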
Syslog Integration (Pre 6.3)
(Two diagram slides: syslog event sources and destinations before release 6.3)
Event output options
FTD Syslog & NetFlow:
• 5 tuple
• NAT
• Routing
• VPN
• IP
• HA
• sessions
• other stateful features
FMC Syslog:
• Connection Logs
• Health
• IPS (including Impact flags)
• Malware (network, retrospective)
• Discovery events (Host profiles, IOC, port, etc.)
eStreamer APIs:
• Intrusion Events
• Intrusion Event Packet Data (optional)
• Intrusion Event Extra Data
• Malware Events
• File Events - SHA, SPERO
• Connection Logs and Security Intelligence Events
• Correlation and White List Events
• Impact Flag Alerts
• Connection Events (optional)
• URL categories
• Rule ids
• AMP endpoint detectors
• Sinkhole Metadata
• SSL
• Network Analysis, Discovery events
SNMP, Syslog, NetFlow or eStreamer
SNMP support for:
• Firepower NGFW Software
• FXOS / Chassis Manager (2100, 4100, 9300)
• Firepower Management Center
Firepower NGFW also supports:
• NetFlow Security Event Logging
• Syslog (for all event types)
• eStreamer (full IPS and Connection details)
FTD Syslog Configuration
FMC Syslog Alert Configuration
eStreamer Overview
• Allows you to stream event data from an FMC, or a 7000 or 8000 series device, to a client application
• Client/Server model
• Server (FMC) accepts connection requests on TCP port 8302
• Communicates using SSL/TLS
• Client application must support SSL certificate-based authentication
• Waits for the client to initiate all communication sessions
• Writes all message fields in network byte order (big endian)
• Encodes text in UTF-8
Configuring eStreamer
Example: QRadar Integration
1. Create Client
2. Select Data Source
3. Download certificates
4. Create Log source on QRadar
Cisco Firepower app for Splunk (new)
Cisco eStreamer app for Splunk
Firepower App for QRadar
• Intrusion Events by Impact: intrusion events by ‘Impact’, the likelihood of an attack impacting the targeted system
• Indicators of Compromise: shows hosts that are known to be compromised
• Malware Sources: which hosts on my network have sent the most malware
• Malware Recipients: shows hosts that are potentially compromised
• Malware hashes: malware observed most often on my network
SolarWinds Orion
Firepower Device Manager API
Accessing the API documentation:
• https://ftd.example.com/#/api-explorer
• https://ftd.example.com/#/help/g_The_API_Explorer.html
Firepower Management Center API
• https://fmc/api/api-explorer
• API documentation is built in to the API explorer.
• Click one of the objects on the left side to view examples.
• The latest full documentation is available on cisco.com by searching for “Firepower Management Center REST API Quick Start Guide”
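The token flow the API explorer performs, written out as an added example (not code from the deck or from Cisco): POST to /api/fmc_platform/v1/auth/generatetoken with HTTP basic authentication, read the X-auth-access-token and DOMAIN_UUID response headers, then page through policy/accesspolicies with offset/limit. The host fmc.example.com, the credentials and the canned FakeTransport responses are assumptions so the flow can run offline; pass urllib_transport with the CA that signed the FMC certificate to run it against a real FMC.

```python
"""Walk the FMC REST API the way the API explorer does: obtain a token from
/auth/generatetoken, then page through policy/accesspolicies.

Added example, not code from the deck or from Cisco. Endpoint paths, header
names and the paging fields are those of the FMC REST API; the host name,
credentials and the canned responses in FakeTransport are assumptions so the
flow can be exercised offline.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlsplit


def urllib_transport(method, url, headers, body=None, cafile=None):
    """Send one HTTPS request; returns (status, headers, body bytes).
    cafile should point at the CA that signed the FMC certificate. Do not turn
    verification off: a spoofed FMC would then collect the admin credentials."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


class FmcClient:
    """Token-based session against one FMC."""

    def __init__(self, host, user, password, transport=urllib_transport):
        self.base = f"https://{host}"
        self.user, self.password = user, password
        self.transport = transport
        self.token = self.refresh_token = self.domain = None

    def _call(self, method, path, headers, body=None):
        status, hdrs, data = self.transport(method, self.base + path, headers, body)
        hdrs = {k.lower(): v for k, v in hdrs.items()}  # header names are case-insensitive
        return status, hdrs, data

    def login(self):
        # generatetoken answers 204 No Content; everything we need is in the headers.
        basic = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        status, hdrs, _ = self._call(
            "POST", "/api/fmc_platform/v1/auth/generatetoken",
            {"Authorization": f"Basic {basic}"})
        if status != 204:
            raise RuntimeError(f"generatetoken failed with HTTP {status}")
        self.token = hdrs["x-auth-access-token"]          # valid for 30 minutes
        self.refresh_token = hdrs["x-auth-refresh-token"]  # /auth/refreshtoken, at most 3 times
        self.domain = hdrs["domain_uuid"]                  # Global domain unless the user is scoped
        return self.domain

    def get_all(self, resource, limit=25):
        """GET a collection under /fmc_config/v1/domain/{uuid}/ and follow paging."""
        items, offset = [], 0
        while True:
            query = urlencode({"offset": offset, "limit": limit, "expanded": "true"})
            path = f"/api/fmc_config/v1/domain/{self.domain}/{resource}?{query}"
            status, _, data = self._call(
                "GET", path, {"X-auth-access-token": self.token, "Accept": "application/json"})
            if status == 429:
                raise RuntimeError("rate limited: FMC allows 120 requests/minute per client; back off")
            if status != 200:
                raise RuntimeError(f"GET {resource} failed with HTTP {status}")
            page = json.loads(data)
            items.extend(page.get("items", []))
            total = page.get("paging", {}).get("count", len(items))
            offset += limit
            if offset >= total:
                return items


class FakeTransport:
    """Canned FMC answers for an offline run (constructed, not real FMC output)."""
    DOMAIN = "e276abec-e0f2-11e3-8169-6d9ed49b625f"  # UUID FMC uses for the Global domain
    POLICIES = [{"name": f"ACP-{n}", "type": "AccessPolicy", "id": f"id-{n}"} for n in range(1, 4)]

    def __call__(self, method, url, headers, body=None):
        path, query = urlsplit(url).path, urlsplit(url).query
        if method == "POST" and path.endswith("/auth/generatetoken"):
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, {}, b""
            return 204, {"X-auth-access-token": "tok", "X-auth-refresh-token": "ref",
                         "DOMAIN_UUID": self.DOMAIN}, b""
        if method == "GET" and path.endswith("/policy/accesspolicies"):
            if headers.get("X-auth-access-token") != "tok":
                return 401, {}, b""
            params = dict(p.split("=") for p in query.split("&"))
            off, lim = int(params["offset"]), int(params["limit"])
            page = {"items": self.POLICIES[off:off + lim],
                    "paging": {"offset": off, "limit": lim, "count": len(self.POLICIES)}}
            return 200, {"Content-Type": "application/json"}, json.dumps(page).encode()
        return 404, {}, b""


def list_access_policy_names(host="fmc.example.com", user="apiuser", password="secret",
                             transport=None, limit=2):
    """Log in and return the names of every access control policy in the domain."""
    client = FmcClient(host, user, password, transport or urllib_transport)
    client.login()
    return [p["name"] for p in client.get_all("policy/accesspolicies", limit=limit)]


if __name__ == "__main__":
    print(list_access_policy_names(transport=FakeTransport()))  # offline demo
```

Use a dedicated API-only FMC user for scripts such as this; the same token flow is what cMAPLE (next slides) drives when it discovers and migrates policies.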
cMAPLE – Multipurpose API Programming Language Extension
(Diagram: cMAPLE as a bus between FMC, SW, FDM, ISE, Tetration, Syslog, SNMP and other sources)
Existing Problem:
• Export/Import from one FMC to another requires both FMCs to be on the same version and of the same model type
Solution:
• cMAPLE uses the FMC REST API to migrate configuration data between FMCs. No dependency on source or target FMC version/platform.
What is the cMAPLE API tool?
• Enables non-programmers and programmers to access powerful cross-platform API features
• Does not require Python to be installed to run CLI file operations
• Provides a real-time bus to translate and exchange data between APIs
• Facilitates non-API sources/destinations such as syslog, db, snmp, etc.
• Currently supports AMP, TG, and FMC
• SW, ISE, ASA, SSH, Tetration in progress
• Future – multi-threading/processor support
cMAPLE for FMC Migration – How it works
• cMAPLE will migrate anything accessible on the source FMC via the API, as long as the object can be created via the API on the target FMC
• If an object cannot be created on the target (e.g. the API does not yet support creation of that object type, such as an IPS policy), it will be removed from the containing object.
• Usually the containing policy can be successfully created without the object (it will need to be added manually)
• Removed objects will be logged
• This means it is possible to use cMAPLE for downgrade operations
cMAPLE for FMC Migration – How it works
• cMAPLE will recursively discover, from a starting API path location, all top level objects and all dependent child objects
• If an object with the same name exists on the target, it will not attempt to modify it (i.e. built-ins and other user-created objects). However, it will add the existing object to any parent policies referencing it.
Downloading cMAPLE for FMC-Migration
• The cMAPLE github repository is located here: https://github.com/rhindere/cmaple
• A dedicated scripts directory “scripts/FMC-Migrate_Policy” contains instructions, sample files and binaries for Mac and Windows
• Read and follow the instructions in the README.txt (key points described below)
• Use a plain text editor to modify the following files:
• cmaple_cli_parameters.parameters – common parameters such as username/password
• discover_fmc.operations – info about the source FMC
• migrate_fmc.operations – info about the destination FMC
cmaple_cli_parameters.parameters
• Contains common access parameters. If both FMCs use the same admin user/password, you can modify them here.
-rest_admin_user=rest_admin
-rest_admin_password=C1sc0123
-maple_working_dir=.
• Leaving maple_working_dir=. will place all working files and results in the current directory. You may modify this to force creation elsewhere.
• The password is stored in clear text in this file, so restrict its file permissions and keep it out of source control.
discover_fmc.operations and migrate_fmc.operations
• Contain specific information about the source and target FMCs respectively.
• Minimally, the FMC_<src/dst>_host parameter needs to be modified:
# vars specific to the <source/destination> fmc
FMC_<src/dst>_host=<ip or fqdn of your host> #Specify your host ip or fqdn here
FMC_<src/dst>_port=443 # Modify if using a different port
FMC_<src/dst>_name=fmc_mig_src #No need to modify, recommend leaving as is
FMC_<src/dst>_user=@rest_admin_user #Change if this FMC user name is different from that in the parameters file
FMC_<src/dst>_pass=@rest_admin_password #Change if this FMC password is different from that in the parameters file
discover_fmc.operations – additional options
• Remove the ‘#’ symbol to discover additional API resource paths. Note, this could significantly increase discovery and migration time if paths with a lot of built-in objects are included (e.g. applications). By default, only NAT and Access Policies are discovered.
#Discover the source objects. Remove the # symbol for elements to be discovered
### Policies
RUN accesspolicies={leaf$RUN leaf}.walk_API_path_gets(url=policy/accesspolicies)
RUN ftdnatpolicies={leaf$RUN leaf}.walk_API_path_gets(url=policy/ftdnatpolicies)
<lines omitted>
### Objects
#RUN anyprotocolportobjects={leaf$RUN leaf}.walk_API_path_gets(url=object/anyprotocolportobjects)
#RUN applicationcategories={leaf$RUN leaf}.walk_API_path_gets(url=object/applicationcategories)
<lines omitted>
#RUN applicationproductivities={leaf$RUN leaf}.walk_API_path_gets(url=object/applicationproductivities)
cMAPLE Additional Information & Caveats
• Both FMCs do not need to be running at the same time. cMAPLE will persist the discovery from a given FMC; it can then be applied to a target FMC at any time. The same discovery can be used for multiple FMCs (gold config).
• CAVEAT: Because the current API model allows multiple NAT objects with the same name, running the migrate multiple times against the same target FMC will result in duplicated NAT policies. These will need to be removed manually. This will be corrected in the future.
Firepower Threat Defense Summary
Security Controls require balance!
• Advanced security capabilities and identity integration allow for granular policies
• Decryption is an important part of a security solution
• DUO and 3rd party integrations provide powerful enhancements
Unified Management, Robust NGFW Feature set, Flexible Deployment
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
• Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
• Related sessions
• Walk-in labs
• Demos in the Cisco campus
• Meet the engineer 1:1 meetings
Active Authentication / Captive Portal Use Cases
• Can be used for non-domain endpoints
• Enforces authentication through the browser
• Can augment passive authentication (Fall-back to Active feature)
• Various supported authentication types (Basic, NTLM, Kerberos, Form)
• Guest / non-Windows device authentication support
• Multi-realm support
High Level Configuration Steps
1. Configure a realm
2. Create a certificate/key pair
3. Configure an Identity Policy
4. Modify the access control policy
5. Deploy the identity and access control policy
Create Certificate/Key Pair
• The redirect URL will contain an IP address:
HTTP/1.1 307 Proxy Redirect
Location: https://198.19.10.1:885/x.auth?s=Ehf2Y7FP177kbui%2B665%2BYV%2FrX3Mq9Piz8%2BVbQsq%2FpsY%3D&u=http%3A%2F%2Foutside%2F
Connection: close
• To avoid certificate warnings on the endpoint, the IP address must be included either as:
• The CN in the Subject
• IP Address entries in the Subject Alternative Name
• Current browsers match only the Subject Alternative Name and ignore the CN, so always include the IP Address SAN entry
Sample Certificate
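A check for the certificate requirement above, added as an example (not code from the deck or from Cisco): it pulls the host and port out of the 307 redirect shown on the slide and decides whether a certificate's names cover that target, distinguishing an IP Address SAN entry (accepted), the IP written as a DNS name, and a CN-only certificate. The SAN lists and hostnames passed to it are constructed for the example.

```python
"""Check that the captive-portal redirect target is covered by the portal
certificate. Added example, not from the deck. SAMPLE_REDIRECT is the 307
response shown on the slide; the certificate name lists passed to
cert_covers() are constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit

SAMPLE_REDIRECT = (
    "HTTP/1.1 307 Proxy Redirect\r\n"
    "Location: https://198.19.10.1:885/x.auth?s=Ehf2Y7FP177kbui%2B665%2BYV%2FrX3Mq9Piz8%2B"
    "VbQsq%2FpsY%3D&u=http%3A%2F%2Foutside%2F\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def redirect_target(response):
    """Return (host, port) from the Location header of the portal redirect."""
    for line in response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            url = urlsplit(value.strip())
            return url.hostname, url.port or (443 if url.scheme == "https" else 80)
    raise ValueError("no Location header in response")


def cert_covers(host, san, cn=None):
    """Decide whether a browser will accept a certificate for `host`.

    san: list of (kind, value) pairs from subjectAltName, kind "IP" or "DNS".
    cn:  the subject CN, if any. Returns (accepted, reason).
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        # RFC 2818/6125: an IP literal is matched against iPAddress SAN entries.
        for kind, value in san:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, "IP Address SAN entry matches the redirect IP"
        if any(kind == "DNS" and value == host for kind, value in san):
            return False, "the IP is listed as a DNS SAN; that is not reliably matched against an IP literal"
        if cn == host:
            return False, "CN-only match; Chrome (58+) and recent Apple clients ignore the CN, add an IP Address SAN"
        return False, "certificate names do not include the redirect IP"

    # Hostname: exact DNS SAN match, or a single-label wildcard match.
    labels = host.lower().split(".")
    for kind, value in san:
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host.lower():
            return True, "DNS SAN entry matches"
        if value.startswith("*.") and len(labels) > 2 and value[2:] == ".".join(labels[1:]):
            return True, "wildcard DNS SAN entry matches"
    if cn and cn.lower() == host.lower():
        return False, "CN-only match; add a DNS SAN entry"
    return False, "certificate names do not include the host"


def check_portal(response=SAMPLE_REDIRECT, san=(), cn=None):
    """Both steps together: where does the redirect go, and will the certificate be trusted for it?"""
    host, port = redirect_target(response)
    accepted, reason = cert_covers(host, list(san), cn)
    return {"host": host, "port": port, "accepted": accepted, "reason": reason}


if __name__ == "__main__":
    print(check_portal(san=[("DNS", "ftd.example.com"), ("IP", "198.19.10.1")]))
    print(check_portal(cn="198.19.10.1"))
```

The name lists can be read off the certificate with openssl x509 -noout -text before it is uploaded in the Identity Policy; the point the check makes is that the portal address is an IP literal, so a certificate issued only for the sensor's DNS name will produce a warning on every endpoint.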
Configure an Identity Policy
1. Create an Identity Policy
2. Upload the Certificate/Key pair
3. Create a rule
Case 1: Create a passive authentication rule with fall-back to active authentication
Case 2: Create an active authentication rule
4. Save the Identity Policy
Configure Captive Portal
• Set up an identity realm (System -> Integration -> Realms) and an identity source (System -> Integration -> Identity Sources)
• To allow Kerberos authentication, LDAPS must be enabled on the domain controllers
• No specific TLS version is required; enabling LDAPS, as described below, is sufficient.
• Workstations must be able to resolve the sensor's hostname in the Active Directory domain.
Modify the Access Control Policy
1. Edit the desired access control policy
2. Select the Advanced tab
3. Under Identity Policy Settings, un-check the Inherit from base policy checkbox, if necessary
4. Under Identity Policy Settings, select the appropriate identity policy
5. Save the access control policy
Firewall Design: Modes of Operation
(Diagram: routed firewall between 10.1.1.0/24 (10.1.1.1) and 192.168.1.0/24 (192.168.1.1); host IP 192.168.1.100 with GW 192.168.1.1; NAT and DRP shown)
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – the firewall is the router and gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2.
• A transparent mode firewall offers some unique benefits in the data center.
• Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
• Integrated Routing and Bridging (IRB) combines both modes. Helpful for grouping “switch ports” in routed mode.
NGFW Interface Modes
• Must choose routed or transparent at deployment
• Must configure an IP on the BVI in transparent mode
• Integrated Routing and Bridging combines both in routed mode
• Full feature set and state enforcement
• VLAN or VxLAN ID must change during traversal
(Diagram: Routed FTD with inside 10.1.1.0/24, outside 10.1.2.0/24 and DMZ 10.1.3.0/24; Transparent FTD bridging inside, outside and DMZ within 10.1.1.0/24; Routed with IRB: inside1 and inside2 grouped under BVI “inside” 10.1.1.1/24, outside 10.1.2.0/24, DMZ 10.1.3.0/24)
FTD Deployment and Interface Modes
• 2 Deployment Modes (device modes inherited from ASA):
• Routed
• Transparent
• 6 Interface Modes:
• Routed (inherited from ASA)
• Switched (BVI) (inherited from ASA)
• Passive (inherited from FirePOWER)
• Passive (ERSPAN) (inherited from FirePOWER)
• Inline pair (inherited from FirePOWER)
• Inline pair with tap (inherited from FirePOWER)
• Note - interface modes can be mixed on a single FTD device
Link and Platform Redundancy Capabilities
• Firewall Link Aggregation - High Availability - Clustering
• LACP (Link Aggregation Control Protocol) link redundancy: resiliency with link failures
• Active / Standby HA
• Inter-chassis Clustering: combine up to 16 9300 blades or 4100 chassis
FTD High Availability
• Full flow state replication with NGFW policy verdicts
• Active/Standby operation in all NGFW/NGIPS interface modes
• Interfaces are always up on the standby, but any transit traffic is dropped
• MAC learning/spoofing on switchover in transparent NGFW, inline NGIPS
• GARP on switchover in routed NGFW
• Interface and Snort instance (at least 50%) status monitoring
• Zero-downtime upgrades for most applications
• Some packet loss is always expected with failover
(Diagram: Active and Standby FTD connected by an HA link, each uplinked through vPC port-channels)
FTD High Availability
• Unlike ASA, the Management interface does not change its IP address on failover
• Data interfaces have an active address, and the IP address remains with the active unit
• Standby address configuration is optional, but it is very important that you configure it
• Tune your interface monitoring configuration
• Virtual MAC address configuration avoids traffic disruption in RMA use cases
What’s New in Firepower Device Manager 6.3
• Deploy button now brings up the Pending Changes dialog
• Option to name a deployment (ticket number, comment)
• Audit page to display various management change events
• Download Configuration option
Pending changes and actions
• Display detailed configuration changes
• Copy the current changes to the clipboard in YAML format
• Download the changes in YAML format
• Discard changes
Name deployment job (ticket number, comment)
• Deployment in Progress (can leave and return to check progress)
Audit Log
• Login / logout + deployment events, entity changes
• Audit event details, including the configuration changes
• Filter based on timestamp, Event Type, Entity Type, uuid, etc.
• Predefined Deployment History filter
• Export config to JSON
High Availability (new for FDM)
Pre-Join Criteria
• No interface can be DHCP
• Not already in an HA pair
• No deployment pending
Manage HA Configuration and Actions From UI
Ability to:
• Suspend HA
• Break HA
• Switch Mode (force failover)
All ASA CLI failover show commands are also available!
Order of Configuration and Join Actions
• Configure and join the primary (controlled by a single button in the UI)
• Wait until the primary reports it is active
• Configure and join the secondary
• Wait until the secondary becomes standby
• Configure failover criteria
• Do not configure the secondary first, or it will become active and overwrite the primary. The device whose config you want to keep should be configured and joined first, as the primary.
Features Not Shared in High Availability Mode
• Events are not synced between devices.
• Use failover history to determine if the device was active during a given period of time.
• Task history is not synced between devices.
• Backup and restore are performed independently on each device.
Introduction
• Enables passive mode on a physical interface and security zone.
• Allows the user to detect intrusions, malware and URLs without interrupting the traffic flow.
• Allows the user to monitor traffic and demonstrate the abilities of the appliance passively.
Passive interface reporting
• All Network, User, Application, Web and URL reports are available for passive traffic
• TLS (SSL) decryption is NOT POSSIBLE for a passive interface
• Don’t forget to create a PERMIT rule for passive interface traffic!
Allows configuration of advanced features
Configuration for:
• NetFlow Security Event Logging
• SNMP polling
• Advanced routing
NetFlow Export & Deployment log
Feature Overview
• OSPFv2 Routing
• BGP Routing
• Routing objects
• Smart CLI Framework
• Nested duplication
• Multi selection
• Auto-correction configuration
• Delta deployment
FlexConfig
• Provides a way to configure ASA features not exposed directly by Firepower Management Center
• EIGRP / ISIS Routing
• Policy Based Routing
• Equal-cost Multi-path routing
• NetFlow (NSEL) export
• VXLAN
• ALG inspections
• IPv6 header inspection
• BGP-BFD
• Platform Sysopt commands
• WCCP
FlexConfig Policies – should I use them?
• Device-level free-form CLI policies that follow ASA syntax
• Supports pre-defined object templates and completely custom objects
• Commands for natively managed features are blacklisted
• To remove a command, you must push an object with the negated (“no”) form of the command
• FlexConfig is only supported on a best-effort basis
• Assume no validation and no interoperability guarantees
• When in doubt, don’t use it
• Use “Deploy Once” by default; “Everytime” is for interactions with managed features that FMC rewrites on each deployment
• Always select Append rather than Prepend type
FlexConfig for Internet Edge Use Case: Enable ICMP Inspection & Disable DNS Inspection
Prepend FlexConfig:
• Disables DNS inspection to allow Umbrella DNSCrypt traffic
Append FlexConfig:
• Enables the ICMP and ICMP Error ASA inspection engines in Firepower
• Edit the FlexConfig Text Object as below
FlexConfig for Internet Edge Use Case: IPv6 Prefix Delegation (IPv6-PD)
Prepend FlexConfig:
• Clears IPv6-PD on each deployment
Append FlexConfig:
• Enables the outside interface (recipient of the delegated prefix) for IPv6 prefix delegation
• Assigns one or more inside interfaces a subnet and address from the delegated prefix
• Trusts the IPv6 default route learned from the upstream router’s Router Advertisement (the default route comes from the RA, not from the DHCPv6 server)
Equal Cost Multi-Path Internet with Traffic Zones
Traffic zone configuration can be used for:
1. Traffic load-balancing (ECMP)
2. Route redundancy
3. Asymmetric traffic handling
1. The zone creation command should be deployed only once. Also, notice the additional “ECMP” keyword compared to the corresponding ASA command.
2. The zone-member command should be deployed every time, because FMC overwrites interface configurations during each deployment.
3. Use the FlexObjects in a FlexPolicy and deploy the changes to the device.
Logical Packet Flow
(Diagram of the FTD data path. Lina: Packet RX, Ingress Checks, Flow Lookup; an existing flow carries a pointer to its Snort verdict, while a new flow goes through the Prefilter Policy (Fastpath bypasses Snort), Clustering, VPN, Flow Creation and the Main Access Policy with IP Reputation/SI. Snort: Normalization, Flow Lookup, Anomaly/NGIPS/AMP, Verdict. Lina: Egress Checks, Packet TX.)
Prefilter Policy (Optional) – Based on L2-L4 Flow Attributes
• First access control phase in the Data Plane for each new flow
• Block: Deny the flow without any further processing
• Fastpath: Allow and process entirely in the Data Plane, attempt Flow Offload
• Analyze: Pass for evaluation in the Main AP, optionally assign a tunnel zone
• Use correctly -- not a “high performance” substitute for NGFW policies
• Limited early IP blacklisting
• Tunneled traffic inspection
• Allowing high-bandwidth and low-latency trusted flows (Flow Offload)
Access Policy – Based on Layer 2 - Layer 7 Flow Attributes
• Primary access control phase in Snort
• Block [with reset]: Deny connection [and TCP RST]
• Interactive Block [with reset]: Show HTTP(S) block page [and TCP RST]
• Monitor: Log event and continue policy evaluation
• Trust: Push all subsequent flow processing into the Data Plane only
• Allow: Permit connection to go through NGIPS/File inspection
• Appropriate place for implementing NGFW policy rules
• Full NGFW traffic selection criteria
• Decisions may need multiple packets
Access Control Policy Blocking Example
Pre-filter Fastpath and Access Rule Trust Difference?
Both methods bypass Snort inspection!
• Access Policy Trust: can be defined based on L4-L7 parameters
• Prefilter Policy Fastpath: based on L2-L4 attributes only, evaluated first in the Data Plane
Identity Policy based on Passive Authentication
• Must be created; attaches to the Access Control Policy
Access Control Policy Identity Control
• Can mix and match AD & ISE identity groups (Guest, BYOD, etc.)
TrustSec Scalable Group Tag based identity from ISE
• Can also reference Identity Services Engine identified device profiles
ISE Remediation using pxGrid
Active Directory “Realm” Configuration
• Realm configuration used in the Identity Policy
• User and Group downloads used in the Access Policy
• Can have multiple entries
• LDAP / LDAPS
Identity Services Engine pxGrid Integration
• MUST install the ROOT certificate (chain) that signed the ISE pxGrid cert on FMC
• MUST install the ROOT certificate (chain) that signed the FMC cert on ISE
• Private keys not needed (of course!)
External Authentication for Administration
• LDAP / AD or RADIUS
• Example allows “External Users” that exist in Active Directory to be defined for FMC or shell login
• Can stack multiple methods
Rate limiting Cloud File Sharing Traffic
• QoS Policy is a new policy type with a separate policy table
• Not associated with an Access Control Policy – directly associated with devices
Remote User Use Case: Remote Access VPN for Roaming User
Requirements
Connectivity and Availability
• Secure SSL/IPsec AnyConnect access to the corporate network
Routing
• Support for split tunnelling or backhauling to handle traffic from remote users to the Internet
Security and Identity
• AMP and File inspection policy to monitor roaming user data
• Identity-based advanced application-level inspection can be enabled to enforce security on inbound Remote Access user data
• Monitoring and troubleshooting to monitor remote access activity, and a simplified tool for troubleshooting
(Diagram: roaming user across the Internet via an ISP to an FP2100 HA pair at the Internet Edge, with the campus/private network behind it)
Remote Access VPN Management Comparison
Firepower Device Manager
• AnyConnect SSL/IPSec Support
• Active Directory or Local Auth
• API Orchestration Support
Coming soon (6.4):
• RADIUS + ISE Posture / DUO MFA
• Multiple Connection Profiles
Firepower Management Center
• AnyConnect SSL/IPSec Support
• Active Directory or RADIUS Auth
• Multiple Connection Profiles
• API Orchestration Support
• ISE Posture / Change of Authorization
• DUO Multi Factor Authentication
Local User Authentication as Primary or Fallback Identity Source
Remote Access VPN
• AnyConnect client-based VPN
• Limitations:
• No clientless VPN support (client download only)
• No legacy Cisco IPsec IKEv1 client support
• No Dynamic Access Policies
Firepower AnyConnect Remote Access
Before You Start the Wizard:
1. Configure a Realm or RADIUS Server Group for authentication
2. Upload AnyConnect package(s) (can pull from Cisco during the wizard)
3. Have Firepower device interfaces and routing configured
4. Install a self-signed certificate or enroll the device with a public CA
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS 197
Firepower AnyConnect Remote Access
Configuration Wizard Steps:
1. (Group) Policy Assignment
2. Connection Profile Creation
3. AnyConnect package selection
4. Access & Certificates
Firepower AnyConnect Remote Access
Connection Profile:
1. Name (mandatory)
2. Authentication Method (AAA = username + password)
3. IPv4 / IPv6 Address Pool(s)
4. Group Policy Selection (can use default)
Firepower AnyConnect Remote Access
AnyConnect client software selection:
• Upload from your workstation
• Download from Cisco.com using Wizard (need CCO credentials)
Firepower AnyConnect Remote Access
Interface Selection & Certificate:
1. Choose Interface / Zone
2. Choose Interface Identity Certificate
3. Optional: Create a Self-Signed Certificate
4. Can also enroll the device with a public Certificate Authority (best practice)
Firepower AnyConnect Remote Access
• Configuration Summary
• Recommended Next Steps
Firepower AnyConnect Remote Access
Don’t forget!
1. Allow VPN traffic from Outside zone in your Access Policy!
2. Exempt traffic to and from your VPN subnet from NAT!
3. Disable proxy ARP in your NAT Exempt rule
RA VPN Wizard Summary (FMC)
RA VPN Configuration Wizard (FDM)
RA VPN Licensing
• Smart License support is provided for the following RA VPN license types and combinations:
  • VPN-only
  • Apex
  • Plus
  • Apex and Plus
• A valid Smart license token is required for any of the RA VPN licenses
• RA VPN deployment is not supported in Smart license evaluation mode
• Configuration cannot be deployed to a device unless the device has entitlement for at least one RA VPN license
• Health events and licensing alerts are shown when licenses go out of compliance
Licensing in FMC Device Management Page
RA VPN Components
• Access interfaces – determine the interfaces to be used by RA VPN
  • SSL settings, such as access ports
  • IKEv2 settings, such as the certificate
• AnyConnect image – client package to be installed on the endpoint
• AnyConnect client profile – XML that can be uploaded into the FMC as a file object
  • Referenced in the group policy and downloaded to the endpoint while the VPN connection is initiating
  • Includes many parameters for the AnyConnect client
• Connection profiles – determine how authentication is performed
• Group policies – a set of user-oriented attribute/value pairs for RA VPN users
  • DNS/WINS, SSL/DTLS, timeouts, client bypass protocol and DHCP network scope
  • Split tunnel and split DNS configuration
  • VPN filter, egress VLAN and client firewall rules
  • AnyConnect client profile, SSL/DTLS settings and connection settings
Objects Associated with RA VPN
Modifying Other RA VPN Components
Dashboard Widgets
Remote Access VPN User Activity
Troubleshooting
Advanced Troubleshooting
Remote Access VPN: Feature Differences Between NGFW & ASA

Includes Features Provided In NGFW
• Next generation security
• Basic AAA (authentication, authorization, accounting)
  • LDAP/AD, client certificate, RADIUS attributes, DACLs, time ranges
• Time Ranges
• AnyConnect client
• Proxy/DNS/WINS server assignment
• Simple configuration
• Session monitoring and control

Additional Advanced Features Supported By ASA
• Advanced AAA
  • Kerberos, TACACS, SAM, RSA SDI, Local Authentication, RADIUS CoA
• Host scan/Endpoint assessment
• AnyConnect client customisation
• Dynamic Access Policies (DAP)
• LDAP attribute map
• VPN Load Balancing
• Clientless RA VPN
Customer Use Case
• Protect the network from threats from remote TLS servers
  • Called the outbound or unknown key case
  • Example: Malware downloaded over HTTPS by users surfing the web
• Protect the network from attacks on internal TLS servers
  • Called the inbound or known key case
  • Example: Protect DMZ HTTPS servers from intrusion attacks
Challenges
• Inspection fails for some applications
• No end-user notifications unless traffic is decrypted
• Inspection fails for some client/server combinations
• Load on the firewall creates throughput degradation
  • Currently TLS is being performed in software
  • TLS decryption will be in hardware (roadmap / release beta)
Best Practices
• Block TLS traffic without decrypting
  • Block URL categories
  • Block Application (approx. 400 applications can be identified)
  • Block based on certificate status, TLS version or cipher suite
• Use the Replace Key Only feature
• Enable logging to help troubleshooting
Granular TLS Decrypt
• Can specify by application, certificate fields / status, ciphers, etc.
• Decrypt Cert required!
Transport Layer Security
• Secure Sockets Layer (SSL) is broken, obsolete and no longer in use
• Transport Layer Security (TLS) is the current generic protocol layer
• Some detectors do not need decryption without Diffie-Hellman (DH)
• Cleartext SNI extension indicates where the client may be going – spoofable
• ServerCertificate contains the server identity – legitimate if the CA is trusted
• Man-in-the-Middle (MITM) inspection is inevitable with TLS 1.3

Handshake (Client / Server):
PKI Phase
  Client -> Server: ClientHello, Server Name Indication (SNI)
  Server -> Client: ServerHello, ServerCertificate, ServerHelloDone
  Client -> Server: ClientKeyExchange, ChangeCipherSpec, Finished
  Server -> Client: ChangeCipherSpec, Finished
Bulk Data Phase
  Client <-> Server: ApplicationData
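To make the "match without decrypting" idea from the handshake above and from the Best Practices slide concrete, here is an added example (not from the session and not Cisco code) that parses the cleartext part of a TLS ClientHello record and applies a pre-decrypt policy of the kind the slides describe: a minimum TLS version, server names blocked via the SNI extension, and a cipher-suite check. The ClientHello bytes are constructed inline for testing rather than captured, and the policy function, its blocked-name and weak-suite tables, and all function names are assumptions for illustration only.

```python
"""Added example: extract the cleartext fields of a TLS ClientHello
(version, cipher suites, SNI) and apply a simple pre-decrypt policy.
The ClientHello is constructed here for testing, not captured."""
import struct

# Assumed policy table (constructed for this example): suites treated as weak.
# IANA values: 0x0005 TLS_RSA_WITH_RC4_128_SHA, 0x000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
WEAK_SUITES = {0x0005, 0x000A}
SNI_EXT = 0x0000  # server_name extension type


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def build_client_hello(server_name, cipher_suites, version=(3, 3)):
    """Build a minimal ClientHello TLS record (constructed test input)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        bytes(version)                                    # client_version
        + b"\x11" * 32                                    # random (constructed)
        + b"\x00"                                         # session_id: empty
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                     # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'version', 'cipher_suites', 'sni'} from a ClientHello record.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        hs = record[5:5 + _u16(record, 3)]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        version = (body[0], body[1])
        off = 2 + 32                                # skip client_version + random
        off += 1 + body[off]                        # session_id
        suites_len = _u16(body, off)
        off += 2
        suites = [_u16(body, off + i) for i in range(0, suites_len, 2)]
        off += suites_len
        off += 1 + body[off]                        # compression_methods
        sni = None
        if off + 2 <= len(body):                    # extensions are optional
            end = off + 2 + _u16(body, off)
            off += 2
            while off + 4 <= end:
                etype, elen = _u16(body, off), _u16(body, off + 2)
                data = body[off + 4:off + 4 + elen]
                off += 4 + elen
                if etype == SNI_EXT:
                    p, list_end = 2, 2 + _u16(data, 0)
                    while p + 3 <= list_end:
                        ntype, nlen = data[p], _u16(data, p + 1)
                        if ntype == 0:              # host_name entry
                            sni = data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                        p += 3 + nlen
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return {"version": version, "cipher_suites": suites, "sni": sni}


def classify(record, blocked_names=(), min_version=(3, 3)):
    """Assumed pre-decrypt policy: ('block', reason) or ('allow', parsed fields).
    Caveats: a TLS 1.3 ClientHello carries legacy_version 0x0303 and its real
    version in the supported_versions extension, which this check ignores; and
    the SNI is client-supplied, so a match is a hint, not proof of destination."""
    info = parse_client_hello(record)
    if info["version"] < min_version:
        return "block", "tls version below minimum"
    name = info["sni"] or ""
    if any(name == b or name.endswith("." + b) for b in blocked_names):
        return "block", "sni matches blocked name"
    if set(info["cipher_suites"]) <= WEAK_SUITES:   # client offers nothing but weak suites
        return "block", "only weak cipher suites offered"
    return "allow", info


if __name__ == "__main__":
    hello = build_client_hello("updates.example.com", [0x1301, 0xC02F])
    print(classify(hello, blocked_names=("example.com",)))
```

The parser stops at the ClientHello, which is the only part of the exchange a firewall sees in cleartext in both the outbound and inbound cases; everything after the ServerCertificate in the PKI phase requires the resign or known-key session the next slide describes.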
Transport Layer Security
• MITM TLS inspection is two separate sessions, one with the client and one with the server
• Resign mode breaks with Public Key Pinning, not Certificate Pinning
• Client certificate authentication or custom encryption always break MITM
• Hardware acceleration of the PKI and Bulk Data phases still leans on x86
• 3-4 times performance improvement with large transfers (Bulk Data)
• 7-8 times performance improvement with a transactional profile (PKI)
[Diagram: two TLS sessions through the FTD – client side (Client Public Key / FTD Public Key) and server side (Server Public Key / FTD (Resign) or Server (Known) Public Key); crypto engine attached to the x86 CPU over the CPU bus]
TLS Hardware Acceleration Architecture
[Diagram: two panels, Software SSL and Hardware Accelerated SSL; each shows TLS Endpoints on the Hardware Data Plane feeding NGFW Inspection and Policy Enforcement with Decrypted traffic, with the Crypto block moving into the Hardware Data Plane in the accelerated panel]
Limitations and Workarounds
• At 6.3 FCS, SSL Hardware Acceleration IS officially released / supported, and enabled by default.
• Must use CLI to enable in 6.2.3.
• If a customer encounters a blocking issue that only shows up in Hardware Acceleration mode, they should toggle back to Software mode until the engineering team can provide a Hardware mode workaround or fix.
Lina Debug CLI
• For live troubleshooting of traffic going through the box, there are new Lina debug CLI commands.
• Log into the enable mode of the Lina terminal on FTD:
> ssh admin@[ftd]
> expert
$ sudo su
# lina_cli
> en
• # debug snort tls-offload
  Prints error debug logs for the proxy, tracker, and dispatcher (packetizer) modules.
• # debug snort tls-offload [all | tracker | proxy | dispatcher] [error | event | packet]
  Lets you specify which Lina component prints errors, events, or packet data to the terminal.
• To turn these commands off, run # no debug snort tls-offload
• # show snort tls-offload
  Displays statistics for packets encrypted and decrypted by Snort in HW acceleration mode.
• # clear snort tls-offload
  Clears the statistics.