Published by Aleesha Hawkins. Modified over 9 years ago.
1
Cisco FirePOWER Benjamin Doyle October 15th, 2015
2
Agenda Sourcefire Cisco ASA Next-Gen Firewall (NGFW)
FireSIGHT Management Center (FMC) FirePOWER Services Intrusion Prevention System (IPS) Advanced Malware Protection (AMP) URL Filtering Meraki Security Appliance (MX)
3
Sourcefire
4
Sourcefire: founded in 2001
2013: acquired by Cisco for US$2.7B
2014: technology integration within Cisco hardware and software: ClamAV and Snort; file reputation and dynamic analysis; analysis of behaviours & containment; retrospective protection; visibility through dashboards
2015: EoL of non-Sourcefire IPS appliances
5
Cisco ASA Next-Generation Firewall (NGFW)
6
Cisco ASA and Sourcefire FirePOWER
7
Cisco ASA Product Line (performance and scalability)
2 RU platforms (Internet edge / campus / data center): ASA 5585-SSP60, ASA 5585-SSP40, ASA 5585-SSP20
2 – 20 Gbps: firewall
1.2 – 6 Gbps: Next-Gen IPS
650 Mbps – 2.4 Gbps: NGIPS, AVC, AMP
1 RU platforms (branch office / Internet edge): ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X
200 Mbps – 2 Gbps: firewall
100 – 725 Mbps: Next-Gen IPS
Mbps: NGIPS, AVC, AMP
* Performance numbers to be finalized
8
NGFW with NGIPS Context awareness is done through Passive Network Detection Source: Cisco Live! BRKSEC-2762 San Diego 2015
9
Multilayered Protection – Next Gen. FW + Gen2 IPS
World's most widely deployed, enterprise-class ASA stateful firewall
Granular Cisco Application Visibility and Control (AVC)
Industry-leading FirePOWER Next-Generation IPS (NGIPS)
Reputation- and category-based URL filtering
Advanced Malware Protection
Identity-Policy Control & VPN
Stack shown on the slide: URL Filtering (subscription) | FireSIGHT Analytics & Automation | Advanced Malware Protection | Application Visibility & Control | Intrusion Prevention (subscription) | Built-in Network Profiling | Network Firewall, Routing | Switching, Clustering & High Availability | Cisco ASA, with Cisco Collective Security Intelligence enabled
Visibility over network, device and application; threat detection & mitigation

Now we'll go into greater detail on one of the most important benefits of Cisco ASA: superior multilayer protection. Its enterprise-class granular Application Visibility and Control (AVC) feature sees over 2,500 applications. It uses risk-based controls that invoke custom-tailored IPS threat detection policies. Its industry-leading FirePOWER Next-Generation IPS (NGIPS) provides comprehensive threat prevention and full contextual awareness of users, infrastructure, applications, and content, so it can detect multivector threats and automate a defense response. Its reputation- and category-based URL filtering offers comprehensive alerts and control over suspect web traffic, and enforces policies on hundreds of millions of URLs in over 80 categories; this helps make sure that your users are accessing web sites in line with your organization's acceptable use policies. And its Advanced Malware Protection provides industry-leading breach detection effectiveness, helping you discover, understand, and stop emerging, persistent threats missed by traditional security defenses. You can fingerprint files that are coming in, get an inline disposition, and keep threats from spreading from machine to machine.
10
FireSIGHT Management Center (FMC)
11
FireSIGHT Components Network Discovery & Connection Awareness
Host discovery
Identifies the OS, protocols and services running on each host
Reports on potential vulnerabilities present on each host, based on the information it has gathered
Application identification
FireSIGHT can identify over 1,900 unique applications using OpenAppID
Includes applications that run over web services, such as Facebook or LinkedIn
Applications can be used as criteria for access control
User discovery
Monitors for user IDs transmitted as services are used
Integrates with Microsoft AD servers to authoritatively identify users
Authoritative users can be used as access control criteria
12
FireSIGHT Management Discovery is reported to you by way of events
Connection events are recorded as every connection in a monitored network is seen
Host events are recorded when something new is detected on a host, or a change to a host is detected
Information about all the hosts in your environment is stored in host profiles
13
Host and Event Correlation
A host in the network map is flagged when it is seen to exhibit signs of compromise, from any of:
Security Intelligence events
C&C detection via protocol analysis
Contextual NGIPS events (Impact 1)
FireAMP endpoint malware events
14
FireSIGHT Discovery
By knowing the details of what is running in your environment, the Sourcefire System can produce a list of the vulnerabilities that likely exist. This allows the Sourcefire System to put intrusion events in context, for more accurate and actionable alerting.
Which would matter more to you: a Code Red attack against a host running Linux in your environment, or a Code Red attack against a host running a vulnerable version of Windows in your environment?
15
FireSIGHT Impact Assessment
With FireSIGHT, IPS events are assigned an impact level:
0 – target host is not on a monitored network
4 – no entry for the host in the network map
3 – host is not running the service or protocol that was attacked
2 – host is running the service or protocol that was attacked
1 – host is running the service or protocol that was attacked, and a vulnerability against that service or protocol is mapped to the host
FireSIGHT also lets you fine-tune your IPS policies by recommending rules to protect against the known vulnerabilities in your environment.
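The impact scheme above, and the rule recommendation that follows from it, are small enough to show as working code. The following is an added example written for this page, not Cisco or Sourcefire code: the host-map layout, the (transport, port) service keys, and the vulnerability and rule identifiers (VULN-IIS-A, rule-iis-overflow, and so on) are constructed for illustration. The service match is done on the port the attack actually hit rather than the protocol's default port, which is what lets a host running HTTP on 1080 still be assessed correctly.

```python
"""Impact-level assignment for intrusion events, following the FireSIGHT
scheme on this slide. Added example, not Cisco/Sourcefire code: host map,
service keys and all vulnerability/rule IDs are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    os: str
    # (transport, port) -> application protocol seen by discovery, e.g. ("tcp", 8080): "http"
    services: dict = field(default_factory=dict)
    # application protocol -> set of vulnerability IDs mapped to this host (constructed IDs)
    vulns: dict = field(default_factory=dict)


@dataclass(frozen=True)
class IntrusionEvent:
    dst_ip: str
    transport: str
    dst_port: int
    service: str          # application protocol the rule targets
    vuln_ids: frozenset   # vulnerabilities the rule is associated with


def impact_level(ev, host_map, monitored_networks):
    """Return the impact level 0-4 as defined on the slide."""
    target = ipaddress.ip_address(ev.dst_ip)
    if not any(target in net for net in monitored_networks):
        return 0                      # host not on a monitored network
    host = host_map.get(ev.dst_ip)
    if host is None:
        return 4                      # no entry for the host in the network map
    # Match on the port the attack hit, not on the protocol's default port:
    # discovery may have seen HTTP on 1080 on one host and 8080 on another.
    if host.services.get((ev.transport, ev.dst_port)) != ev.service:
        return 3                      # host not running the attacked service/protocol
    if ev.vuln_ids & host.vulns.get(ev.service, set()):
        return 1                      # vulnerable: a mapped vulnerability matches the rule
    return 2                          # running the service, no matching vulnerability mapped


def recommended_rules(rules, host_map):
    """Rules worth enabling: those whose vulnerabilities are mapped to some host."""
    present = set()
    for host in host_map.values():
        for ids in host.vulns.values():
            present |= ids
    return sorted(rule_id for rule_id, ids in rules.items() if ids & present)


# Constructed sample network map and rule set
MONITORED = [ipaddress.ip_network("10.0.1.0/24")]
HOSTS = {
    "10.0.1.10": Host("10.0.1.10", "Windows", {("tcp", 80): "http"}, {"http": {"VULN-IIS-A"}}),
    "10.0.1.20": Host("10.0.1.20", "Linux", {("tcp", 1080): "http"}),   # HTTP on a non-standard port
    "10.0.1.30": Host("10.0.1.30", "Linux", {("tcp", 22): "ssh"}),
}
RULES = {
    "rule-iis-overflow": frozenset({"VULN-IIS-A"}),
    "rule-ssh-banner": frozenset({"VULN-SSH-B"}),
}

SAMPLE_EVENTS = [
    IntrusionEvent("10.0.1.10", "tcp", 80, "http", frozenset({"VULN-IIS-A"})),    # vulnerable host
    IntrusionEvent("10.0.1.20", "tcp", 1080, "http", frozenset({"VULN-IIS-A"})),  # runs http, not vulnerable
    IntrusionEvent("10.0.1.30", "tcp", 80, "http", frozenset({"VULN-IIS-A"})),    # not running http
    IntrusionEvent("10.0.1.99", "tcp", 80, "http", frozenset({"VULN-IIS-A"})),    # not in network map
    IntrusionEvent("192.0.2.5", "tcp", 80, "http", frozenset({"VULN-IIS-A"})),    # not monitored
]


def assess(events, host_map=HOSTS, nets=MONITORED):
    return [impact_level(ev, host_map, nets) for ev in events]


if __name__ == "__main__":
    for ev, level in zip(SAMPLE_EVENTS, assess(SAMPLE_EVENTS)):
        print(f"{ev.dst_ip}:{ev.dst_port} {ev.service}: impact {level}")
    print("recommended rules:", recommended_rules(RULES, HOSTS))
```

Run stand-alone, the five sample events come out at impact 1, 2, 3, 4 and 0 respectively, and only rule-iis-overflow is recommended, because no host has VULN-SSH-B mapped. A real sensor also has to deal with hosts whose OS or service fingerprint is ambiguous; the scheme above treats an absent service entry as "not running", which is the conservative reading for alert prioritisation but not for rule selection.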
16
FireSIGHT Management Center (FMC)
17
Why is FireSIGHT Important?
It gives you real-time information about what is in your network. Based on this knowledge:
It can inform you of the vulnerabilities associated with what is running in your environment
You can fine-tune policies to focus on the threats specific to your environment
It can detect changes to your environment and alert you as soon as the change is detected
You can act dynamically with custom alerting (syslog, SNMP, eStreamer)
You can also take action dynamically with remediation modules; remediations include scripts you can launch from the Defense Center
18
How is FireSIGHT information used?
Fine-tuning IPS policies
You can automatically select the rules and preprocessor configurations that apply to your environment
You can protect hosts running services on non-standard ports (e.g. HTTP running on port 1080 on one host and 8080 on another)
Enforcing an organization's security/usage policies
Block or alert on use of unauthorized applications, for example
Monitoring and acting on unusual network behavior
Alert on new hosts showing up in restricted network spaces, or detect unusually high utilization
Acting on user activity
19
FireSIGHT Management Center (FMC)
Contextual awareness, information superiority. Columns on the slide: FirePOWER appliance / typical IPS / typical NGFW, marked ✔ or ✗ per category.
Category: examples
Threats: attacks, anomalies
Users: AD, LDAP, POP3
Web applications: Facebook Chat, eBay
Application protocols: HTTP, SMTP, SSH
File transfers: PDF, Office, EXE, JAR
Malware: Conficker, Flame
Command & control servers: C&C Security Intelligence
Client applications: Firefox, IE6, BitTorrent
Network servers: Apache 2.3.1, IIS4
Operating systems: Windows, Linux
Routers & switches: Cisco, Nortel, Wireless
Mobile devices: iPhone, Android, Jail
Printers: HP, Xerox, Canon
VoIP phones: Avaya, Polycom
Virtual machines: VMware, Xen, RHEV
20
FireSIGHT Management Center: Threat Information
21
FireSIGHT Management Center: Operational Value
22
FirePOWER Services
23
Traditional Defense-in-Depth
Forced to buy multiple security solutions: firewalls, web filters, IPS modules, etc.
Often from different vendors, with compatibility issues
Increases complexity and limits visibility
Vulnerability: lack of unified protection creates gaps and blind spots
Need several dedicated teams to configure, install, and monitor multiple systems
Increased cost and labor, reduced incident response time
24
Challenges with Traditional Defense-in-Depth Security
25
Cisco ASA with FirePOWER
Industry's first adaptive, threat-focused NGFW, designed for a new era of threat and advanced malware protection
Delivers an integrated threat defense across the entire attack continuum
Combines the proven security of the Cisco ASA firewall with industry-leading Sourcefire threat and advanced malware protection in a single device
Unparalleled network visibility
26
Integrated Threat Defense Across the Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Layers: Firewall/VPN | NGIPS | Advanced Malware Protection
Granular App Control | Security Intelligence | Retrospective Security | Modern Threat Control | Web Security | IoCs/Incident Response | Visibility and Automation

With Cisco ASA, all the different layers of security shown at the bottom of this slide work together, so we are able to pull intelligence from each layer. Unlike traditional solutions, we layer security intelligence for greater visibility and to protect against threats coming from multiple vectors across the attack continuum. With this approach, all the solution parts know about each other: the firewall knows about the IPS and its policies, the IPS sees data coming through the firewall, and the malware engine correlates its events with the IPS events. This integration even extends to correlating Indications of Compromise across endpoints and networks; no other solution provides this comprehensive capability. (Most competitors are still just trying to build out their portfolios to have solutions across the attack continuum!)
27
FirePOWER Services for ASA: Subscriptions
Base ASA Firewall: VPN termination; ACLs – protocol inspection; routing; Network Address Translation
Sourcefire Services: App Visibility / Control, URL Filtering, Advanced Malware Protection, Next Gen IPS
Included*
Appliance feature defaults: configurable fail open ✓; connection/flow logging; network, user, and application discovery [4]; traffic filtering / ACLs
NSS-leading IPS engine: comprehensive threat prevention; Security Intelligence (C&C, botnets, spam, etc.); blocking of files by type, protocol, and direction; basic DLP in IPS rules (SSN, credit card, etc.)
Access control: AVC – enforcement by application; enforcement by user
Annual fee
IPS and App Updates: IPS rule and application updates
URL Filtering: URL filtering subscription
Malware Protection: subscription for malware blocking, continuous file analysis, malware network trajectory
* Included – SMARTnet required for Security Intelligence updates
28
FirePOWER Licensing
A virtual or physical FireSIGHT Management Center is required
All FirePOWER Services device licenses are managed on the FireSIGHT Management Center
Licenses are specific to each ASA model and are mapped to managed ASA devices
Term licenses have a start and end date; beyond the end date, renewal is required to keep receiving subscription updates
Application Visibility and Control updates are included in SMARTnet services
The IPS subscription is a prerequisite for Advanced Malware Protection (AMP)
SSDs are included in all new ASA FirePOWER Services hardware SKUs
29
Five Subscription Packages to Choose From for Each Appliance
FirePOWER Licensing
1 and 3 year terms
AVC is part of the default offering; AVC updates are included in SMARTnet
IPS is required before an AMP or URL license can be added
Packages as stacked on the slide: TA = IPS; TAC = IPS + URL; TAM = IPS + AMP; TAMC = IPS + AMP + URL
30
Intrusion Prevention System (IPS)
31
Sourcefire NGIPS Security Automation for Dynamic Defense
Automatic threat assessment to prioritize relevance and impact
Correlation and remediation features for real-time threat response
Automated policy tuning to protect against new threats
Protection and counter-measures maintained in an optimal state
Source: Cisco Live! BRKSEC-1030 San Diego 2015
32
IPS – File Processing
File policy: blocked by policy -> check disposition -> blocked by disposition -> store file -> submit for dynamic analysis
Logging: recording file movement; network file movement; store file content
Source: FireSIGHT User Guide
33
IPS Automation
34
The Next Generation Security Model
Source: Cisco Live 2014
Before the attack
Attack continuum: BEFORE (Control, Enforce, Harden) | DURING (Detect, Block, Defend) | AFTER (Scope, Contain, Remediate)
Network, Endpoint, Mobile, Virtual, Cloud; point in time vs. continuous
What device types, users & applications should be on the network?

Before the attack: you need to know what is on your network to be able to defend it: devices, OS, services, applications, users (FireSIGHT). Access controls, enforce policy, manage applications and overall access to assets. Access controls reduce the attack surface, but there will still be holes that the bad guys will find. Attackers do not discriminate: they will find any gap in defenses and exploit it to achieve their objective.
35
The Next Generation Security Model
After the attack
Attack continuum: BEFORE (Control, Enforce, Harden) | DURING (Detect, Block, Defend) | AFTER (Scope, Contain, Remediate)
Network, Endpoint, Mobile, Virtual, Cloud; point in time vs. continuous

After the attack: cross-device information sharing. Invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal. You also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself: on the network, endpoint, mobile devices, virtual environments, including cloud.
36
Advanced Malware Protection (AMP)
37
AMP: File Reputation, Dynamic Analysis (Sandboxing), Retrospective Security
38
Anti-Malware Protection & the Attack Continuum
BEFORE: Control, Enforce, Harden | DURING: Detect, Block, Defend | AFTER: Scope, Contain, Remediate
Network: in-line threat detection and prevention; file retrospection; file trajectory; contextual awareness; control automation
Endpoint: file execution blocking; file retrospection; file trajectory; device trajectory; file analysis; indications of compromise; outbreak control

The way we analyze the problem is by looking at the entire attack continuum of things you must do: before, during and after an attack takes place. In order to deal with the industrialized threat, we need to look at these phases comprehensively.

Before an attack: we need to know what we are defending. You need to know what is on your network to be able to defend it: devices, OS, services, applications, users. We need to implement access controls, enforce policy and block applications and overall access to assets. However, policy and controls are a small piece of what needs to happen. They may reduce the attack surface, but there will still be holes that the bad guys will find. Attackers do not discriminate: they will find any gap in defenses and exploit it to achieve their objective.

During the attack: we must have the best detection of threats that you can get. Once we detect attacks, we can block them and defend our environment.

After the attack: invariably attacks will be successful, and we need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal. You also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself: on the network, endpoint, mobile devices, virtual environments.

Finally, traditional security technologies only operate at a point in time. They have one shot to determine if something is bad or not. With today's threat landscape full of advanced malware and zero-day attacks, point in time alone does not work. What is needed is a continuous capability: always watching, always analyzing, and able to detect, contain and remediate a threat regardless of time.

Optional points (justification that a new model is required):
"Traditional defense tools are failing to protect enterprises from advanced targeted attacks and the broader problem of advanced malware" - Gartner, Five Styles of Advanced Threat Defense, August 20, 2013
"The free flow of information must continue to drive economic value…resilience, not just bigger locks, is the goal; accepting that failures will occur, the objective is to restore normal operations and ensure assets and reputations are protected" - Partnering for Cyber Resilience, World Economic Forum, March 2012
"There will continue to be an increase in advanced targeted attacks that bypass traditional protection mechanisms and persist undetected for extended periods of time. As a result, in all scenarios, systems and individuals must be considered compromised" - Gartner, Prevention is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence, May 30, 2013
39
Anti-Malware Process - Infected File Tracking
40
AMP: File Disposition and Dynamic Analysis
The Cisco cloud is Talos (Cisco SIO + Sourcefire VRT). The sensor sends the file's hash to the cloud and receives a disposition back; retrospective security follows when that disposition later changes.
Source: Cisco Live! BRKSEC-2028 Melbourne 2015
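The file-processing flow on the earlier IPS slide (blocked by policy, check disposition, blocked by disposition, store file, submit for dynamic analysis) and the hash-based disposition lookup with retrospective security on this slide fit together in one small model. The following is an added example written for this page, not Cisco or Sourcefire code: the policy structure, the reputation-cloud stub, the disposition names (clean, malware, unknown), the action names and every sample file and host address are constructed for illustration. The point it shows is the retrospective step: a file allowed while unknown is logged per host, so when the verdict flips to malware the already-infected hosts can be listed for scoping, and further copies are blocked.

```python
"""File policy with disposition lookup and retrospective re-evaluation,
modelled on the FirePOWER file-processing flow. Added example, not
Cisco/Sourcefire code: cloud stub, policy shape, names and sample data are
all constructed."""
import hashlib
from collections import defaultdict


class ReputationCloud:
    """Stand-in for the file-reputation cloud: SHA-256 -> disposition."""
    def __init__(self, known):
        self.known = dict(known)

    def disposition(self, sha256):
        return self.known.get(sha256, "unknown")   # "clean" | "malware" | "unknown"

    def update(self, sha256, disposition):
        self.known[sha256] = disposition


class FilePolicy:
    def __init__(self, cloud, block_types, sandbox_types):
        self.cloud = cloud
        self.block_types = block_types        # file type -> directions blocked by policy
        self.sandbox_types = sandbox_types    # file types eligible for dynamic analysis
        self.trajectory = defaultdict(list)   # sha256 -> [(src, dst, action)] (network file trajectory)
        self.stored = {}                      # sha256 -> file bytes kept for analysis
        self.sandbox_queue = []

    def process(self, src, dst, direction, file_type, data):
        sha256 = hashlib.sha256(data).hexdigest()
        if direction in self.block_types.get(file_type, ()):
            action = "blocked-by-policy"          # type/direction rule, no cloud lookup needed
        elif self.cloud.disposition(sha256) == "malware":
            action = "blocked-by-disposition"
        else:
            action = "allowed"
            if self.cloud.disposition(sha256) == "unknown" and file_type in self.sandbox_types \
                    and sha256 not in self.stored:
                self.stored[sha256] = data        # store file, submit once for dynamic analysis
                self.sandbox_queue.append(sha256)
        self.trajectory[sha256].append((src, dst, action))   # log network file movement
        return sha256, action

    def retrospective(self, sha256, new_disposition):
        """The cloud changes its verdict later (e.g. after sandboxing). Return the
        hosts that already received the file while it was allowed, so they can be
        scoped and contained; later copies are blocked by the updated disposition."""
        self.cloud.update(sha256, new_disposition)
        if new_disposition != "malware":
            return []
        return sorted({dst for _, dst, action in self.trajectory[sha256] if action == "allowed"})


def demo():
    """Walk one unknown document through the flow; returns the observed actions."""
    known_bad = hashlib.sha256(b"constructed known-malware sample").hexdigest()
    policy = FilePolicy(ReputationCloud({known_bad: "malware"}),
                        block_types={"exe": {"download"}},
                        sandbox_types={"pdf", "office"})
    doc = b"constructed PDF that later turns out to be malicious"
    results = {}
    results["exe"] = policy.process("203.0.113.7", "10.0.1.10", "download", "exe", b"MZ...")[1]
    results["known"] = policy.process("203.0.113.7", "10.0.1.10", "download", "pdf",
                                      b"constructed known-malware sample")[1]
    sha, results["doc_first"] = policy.process("203.0.113.7", "10.0.1.20", "download", "pdf", doc)
    policy.process("10.0.1.20", "10.0.1.30", "internal", "pdf", doc)   # lateral copy, still unknown
    results["infected"] = policy.retrospective(sha, "malware")         # sandbox verdict arrives
    results["doc_after"] = policy.process("10.0.1.30", "10.0.1.40", "internal", "pdf", doc)[1]
    results["queued"] = len(policy.sandbox_queue)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the walk-through, the EXE download is blocked by policy before any lookup, the file with a known-malware hash is blocked by disposition, the unknown PDF is allowed to two hosts and queued once for analysis, the retrospective verdict names both hosts that received it, and the next copy of the same document is blocked. Note that the hash lookup is exact-match: a single byte changed in the file produces a new hash and a fresh "unknown", which is why the store-and-sandbox path matters.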
41
Host Profile
42
Network File Trajectory
43
Correlation Analysis with Context Produces IoC
Source: Cisco Live! BRKSEC-1030 San Diego 2015
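The "Host and Event Correlation" slide earlier lists the four event sources that mark a host as showing signs of compromise: Security Intelligence events, C&C detection via protocol analysis, impact-1 NGIPS events, and FireAMP endpoint malware events. The correlation itself is simple enough to show end to end. The following is an added example written for this page, not Cisco or Sourcefire code: the key=value event format, the field names, the IoC category names and the sample event lines are all constructed. The direction conventions are also assumptions: a Security Intelligence or C&C hit tags the internal source of the connection, while an intrusion event tags its target.

```python
"""Correlating events into host-level indications of compromise, following
the four triggers on the Host and Event Correlation slide. Added example, not
Cisco/Sourcefire code: log format, field names and sample lines are constructed."""
from collections import defaultdict

# Constructed sample event lines (one event per line, key=value tokens)
SAMPLE_LOG = """\
type=connection src=10.0.1.20 dst=198.51.100.9 si_category=cnc
type=intrusion src=203.0.113.7 dst=10.0.1.10 impact=1 rule=rule-iis-overflow
type=intrusion src=203.0.113.7 dst=10.0.1.30 impact=3 rule=rule-iis-overflow
type=cnc src=10.0.1.10 dst=198.51.100.9 detail=protocol-analysis
type=malware host=10.0.1.40 source=fireamp disposition=malware
type=malware host=10.0.1.50 source=network disposition=clean
type=connection src=10.0.1.60 dst=192.0.2.10
"""


def parse(line):
    """Turn 'k=v k=v ...' into a dict; values never contain spaces in this format."""
    return dict(tok.split("=", 1) for tok in line.split())


def ioc_for(ev):
    """Return (host, ioc_category) if this event marks a host, else None."""
    t = ev.get("type")
    if t == "connection" and "si_category" in ev:
        return ev["src"], "security-intelligence:" + ev["si_category"]   # internal host talked to a listed IP
    if t == "cnc":
        return ev["src"], "cnc-detected"                                  # protocol analysis saw C&C traffic
    if t == "intrusion" and ev.get("impact") == "1":
        return ev["dst"], "impact-1-intrusion"                            # only impact 1 counts, not 2-4
    if t == "malware" and ev.get("source") == "fireamp" and ev.get("disposition") == "malware":
        return ev["host"], "endpoint-malware"                             # endpoint agent verdict
    return None


def correlate(text):
    """Map each flagged host to the sorted set of IoC categories seen for it."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        hit = ioc_for(parse(line))
        if hit:
            host, category = hit
            iocs[host].add(category)
    return {h: sorted(c) for h, c in sorted(iocs.items())}


def prioritize(iocs):
    """Hosts with the most independent indicators first; ties broken by address."""
    return sorted(iocs, key=lambda h: (-len(iocs[h]), h))


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for host in prioritize(found):
        print(host, found[host])
```

On the sample lines, 10.0.1.10 comes out first because two independent sources (an impact-1 intrusion event and a C&C detection) point at it; the impact-3 event against 10.0.1.30 and the clean network-AMP verdict for 10.0.1.50 are deliberately ignored, which is the point of correlating on context rather than on raw event volume.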
45
URL Filtering
46
URL Filtering: offers reputation- and category-based filtering
Comprehensive alerting and control over suspect traffic
Enforces policies on hundreds of millions of websites in over 80 categories
47
URL Filtering
48
Meraki Security Appliance (MX)
49
Meraki: leader in cloud networking, 20,000+ customer networks deployed
Founded in 2006 at MIT, with a tradition of innovation and R&D
350 employees worldwide
100% cloud-managed edge and branch networking portfolio
Complete line of wireless, switching, security, WAN optimization, and mobile device management products
Now part of Cisco: Cisco purchased Meraki for US$1.2B in 2012
Increasing R&D investment in Meraki products
Leveraging Cisco's reach to bring Meraki to new markets
No near-term changes planned to pricing, licenses, product roadmap, etc.
50
Cloud Subscription & Warranty Support
How Meraki works (order process)
Step 1: Pick hardware
Step 2: Cloud subscription (1, 3 or 5 year license) & warranty support
Step 3: Install
Step 4: Dashboard management
51
Management – Cloud Dashboard
Meraki Management
Self-provisioning for rapid deployment and expansion
Scalable network-wide monitoring and management tools
Integrated wireless, LAN, and WAN management, as well as mobile device management
Seamless over-the-web maintenance, upgrades, monitoring, etc.
52
Application Visibility
Layer 7 - Complete visibility and control
53
Out of band cloud management
Meraki Pros
Out-of-band cloud management: only management data (about 1 kb/s) goes to the cloud; user traffic stays on the WAN/LAN path
Scalable: unlimited throughput, no bottlenecks; add devices or sites in minutes
Reliable: highly available cloud with multiple datacenters; the network keeps functioning even if the connection to the cloud is interrupted; 99.99% uptime SLA
Secure: no user traffic passes through the cloud; fully HIPAA / PCI compliant (level 1 certified); 3rd-party security audits and daily penetration tests; reliability and security information at meraki.com/trust
54
Meraki Features: Hardware – "MX"
Next Generation Firewall: Layer 7 traffic classification and control; intrusion detection engine; identity-based and device-aware security
3G / 4G Failover: cellular support for maximum uptime; seamless, automatic failover with traffic prioritization
WAN Optimization: universal data store with de-duplication; WAN link compression
Auto VPN: auto-provisioning IPsec VPN; automatically configured VPN parameters; flexible tunneling, topology and security policies
Content Filtering: identity-based filtering policies
55
Subscription/License – “MX”
Meraki Licensing
56
Meraki Sizing: Hardware – "MX"
Models, highest-end first: MX400, MX100, MX80, MX60W, MX60, Z1 (Teleworker)
Stateful firewall throughput (as listed on the slide): 1 Gbps, 500 Mbps, 250 Mbps, 100 Mbps, 50 Mbps
VPN throughput (as listed): 325 Mbps, 225 Mbps, 125 Mbps, 10 Mbps
WAN optimization cache (as listed): 1 TB SATA, 100 MB, N/A
Interfaces (as listed): 8 x GbE; 8 x GbE (SFP); 4 x 10 GbE (SFP+); 2 x GbE (SFP); 5 x GbE; 5 × GbE, 1 × n; 1 x GbE WAN, 4 x GbE LAN
Feature rows: integrated intrusion detection (IDS); device-aware access controls (BYOD, Layer 7); category-based content filtering; load-balanced WAN connections; 3G/4G backup WAN connectivity; WAN acceleration/optimization
57
Cloud Value Proposition
Meraki Cloud
Maintenance & upgrades (quarterly releases): automatic firmware maintenance; new feature implementation; automatic implementation of performance improvements and enhancements
Monitoring: application-level (Layer 7) monitoring & reporting; performance monitoring
Technology and configuration: extremely easy configuration; fully featured; cloud managed
Warranty & maintenance: case-based support viewable in the dashboard; firmware and software updates/upgrades; 24x7 telephone support
58