Comparing Networking Security Solutions & Deployment Models

Cisco SAFE and CVDs

Cisco SAFE (Security Architecture for the Enterprise)

  • One of Cisco’s Validated Designs (CVD)

  • Module framework of CVDs

    • Combine to create a secure architecture

  • Allow the proper design of Cisco security products

  • We’re going to focus on IPS (Firepower) and Firewall (ASA)

Security Control Framework

  • Firewalls and Intrusion prevention system work together with other products

  • SCF increases visibility and control in a network environment

Defence in Depth

  • Crucial to the security of a network

  • Device availability and resiliency

  • Regulatory compliance

  • Operational effeciency

  • Auditable implementations

  • Global information sharing and collaboration

  • SAFE allows for modularity and flexibility in design to meet our needs

Cisco Validated Designs

  • Be familiar with CVDs

  • Proven designs to allow products to function the way you want to use them

  • Edge connectivity

  • Firewall segmentation

  • IPS

  • VPN Solutions

Solutions:

  • Not a one size fits all

  • Every environment is different

  • Apply the designs that are closest to your environment

Architectures

Data Centre:

  • Firewalls would enforce access policies

    • Exclude insecure protocols

    • Protect against internal threats

  • Intrusion prevention systems

    • Provide deep packet inspection

    • Cisco Firepower

WAN Edge:

  • Firewall to protect WAN Edge

    • Adaptive Security Appliance (ASA)

    • Firepower Threat Defence (FTD)

    • IOS Zone Based Firewalls

  • Enforce security policy

    • Provide inspections at firewall level

Branch:

  • Multiple attack vectors

  • VPNs - connect back to enterprise

  • Firewalls - implicit deny

  • IPS

Designing & Deploying Firewall Solutions

IOS Zone Based Firewall

  • Zone Based Firewall running on an IOS device

  • Protects network with security zones

  • Stateful

  • Define zones, assign interfaces to zones, define zone to zone allow traffic

    • Replaces ACLs on each interface

High Availablity

Active/Active:

  • Two devices can pass traffic at the same time

  • Configurations are replicated

  • Both devices are providing services

Active/Standby:

  • Only one (active) firewall is passing the traffic

  • Configs are replicated from active device to standby device

  • If active device fails, standby device would take over role of active

Adaptive Security Appliance

  • Cisco’s firewall workhorse for years

  • Single or multi-context mode

  • Multi-context mode logically divides 1 physical appliance

    • Each logical ASA is called a security context

  • Only active/active mode is available if using multiple contexts

  • ASA Cluster

    • Group multiple ASAs together into one logical device

      • Easier management

      • Better throughput

      • Better redundancy - shared workload

Transparent vs Routed Mode

Routed Mode:

  • Firewall is next routing hop

  • Either default gateway

  • Or visible layer 3 hop in the packets

Transparent mode:

  • Layer 2 device

  • Only a bump in the wire

VPN Termination

  • VPNs are in most organizations

    • Will determine where ASAs of FTD are placed in the network

    • Place firewall close to the border

      OR

    • Have a separate set of dedicated for VPN termination

  • Firepower threat defense can be the firewall solution

Designing & Deploying IPS Solutions

Firepower features

  • Analytics and automated defense against threats

  • URL Filtering

  • Malware protection

  • Network profiling

  • Identity-based policies and control

  • Application visibility and control

Firepower Module in an ASA

  • Provides IPS/IDS functionality to an ASA

  • Next Generation IPS

    • ASA FirePOWER Services

  • CVDs will help determine where to place ASA with FirePOWER Services

Next Generation IPS

  • Defense in depth

  • Deploy sensors throughout the network

  • Allows us to protect critical systems, not just the border

Firepower Threat Defence

  • Many firewall features from the ASA, as well as Firepower IPS features

    • Deep packet inspection

    • Malware protection

    • Firewall features

    • VPN termination

  • Not all ASA features are available on FTD yet

Managing Firepower

  • Firepower Device Manager (FDM)

    • On board management of a single FTD

    • Smaller, less complex deployments

    • Less analytics and configuration options

  • Firepower Management Center (FMC)

    • Manage multiple firepowers

      • FTD

      • Firepower sensors

      • FirePOWER services on an ASA

    • Analytics

    • Security Intelligence

    • Correlation tools for the threats

Firepower High Availability

  • Firepower and FMC can be configured for Active/Standby

  • FTD devices can be deployed in a cluster

  • Multitenancy (similar to multi-context mode)

Additional Integrations for Firepower and ASAs

REST APIs

  • Create custom programs or scripts to gain context or control FTD or ASA

pxGrid

  • Platform Exchange Grid (pxGrid)

    • Used in almost all of Cisco’s security products

    • ISE is needed to run pxGrid

  • Rapid Threat Containment

    • Create policy based on user information

    • dynamically shut down hosts

Cisco Threat Response

  • Cloud Offering

    • Detect, investigate, analyse and respond to threats

Authentication Integrations

  • Use Cisco ISE to authenticate management administrators and VPN users