ASA Next-Generation Firewall - or why a "plain old firewall" is not enough. Michał Ceklarz
20 January 2015
2 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential
Forward-Looking Statements
This presentation may be deemed to contain forward-looking statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding the combination of the companies’ products and technologies to provide continuous and pervasive advanced threat protection across the entire attack continuum and from any device to any cloud, the acceleration of delivery of Cisco’s security strategy as a result of the acquisition, the delivery of a new continuous security approach for customers, the acceleration of the realization of the vision for a new model of security across the extended network, the expected completion of the acquisition and the time frame in which this will occur, the expected benefits to Cisco and its customers from completing the acquisition, the expected financial performance of Cisco following completion of the acquisition, and plans regarding Sourcefire personnel. Statements regarding future events are based on the parties’ current expectations and are necessarily subject to associated risks related to, among other things, obtaining Sourcefire’s stockholder and regulatory approval of the acquisition or that other conditions to the closing of the transaction may not be satisfied, the potential impact on the business of Sourcefire due to the uncertainty about the acquisition, the occurrence of any event, change or other circumstances that could give rise to the termination of the definitive agreement, the outcome of any legal proceedings related to the transaction, general economic conditions, the retention of employees of Sourcefire and the ability of Cisco to successfully integrate Sourcefire’s market opportunities, technology, personnel and operations and to achieve expected benefits. Therefore, actual results may differ materially and adversely from those expressed in any forward-looking statements. 
For information regarding other related risks, see the “Risk Factors” section of Cisco’s most recent reports on Form 10-K and Form 10-Q filed with the SEC on September 12, 2012 and May 21, 2013, respectively. Cisco undertakes no obligation to revise or update any forward-looking statements for any reason.
FirePOWER goes by many names
Cisco AMP
VMWare Appliance
FirePOWER on Cisco ASA
FirePOWER HW Appliance
FirePOWER on ASA
Cisco ASA with FirePOWER Services
Official launch of ASA FirePOWER Services: 16 September 2014
The first threat-focused NGFW
Cisco Security's most important solution this year!
The most popular firewall (ASA) + the market-leading NGIPS and AMP
• Combined layers of protection and the best visibility
• Dynamic control of the environment
• Protection against advanced threats
ASA with FirePOWER Services as software/hardware
FirePOWER Services for 5585-X (Blade)
FirePOWER Services for 5500-X (Software)
Performance and scalability
FirePOWER Services: new subscription services for the ASA firewall family
FirePOWER Services for Cisco ASA 5500-X (Software): ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
FirePOWER Services for Cisco ASA 5585-X (Blade): ASA 5585-SSP10, ASA 5585-SSP20, ASA 5585-SSP40, ASA 5585-SSP60
Cisco ASA with FirePOWER Services: the most complete system in its class
Integrated protection based on TALOS global telemetry (SIO, VRT)
• Identity-Policy Control & VPN
• URL Filtering
• Cisco FireSIGHT® Management Center: Analytics and Automation
• Advanced Malware Protection
• Application Visibility and Control
• Network Firewall, Routing | Switching
• Clustering, High Availability
• Built-in Network Profiling
• Next-Generation Intrusion Prevention
Impact Assessment
• Passive analysis of network traffic: client, server, OS, application
• Correlation of intrusion events with the threat level for the specific host that is the target of the attack
• Lets the analyst focus on the subset of events to which the host may actually be vulnerable

Impact flag: administrator action - why?
Act immediately, target vulnerable - the event matches a vulnerability identified on the host
Investigate, probably vulnerable - the port is open or the protocol is in use, but no vulnerability is mapped
Good to know, currently not vulnerable - relevant port not open or protocol not in use
Good to know, unknown target - monitored network, but unknown host
Good to know, unknown network - unmonitored network
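The impact-flag logic described above, as an added worked example that is not part of the presentation or of any Cisco product code. The host profiles, the monitored network and the vulnerability ids are constructed sample data; the category names and the function names are my own.

```python
# Added example: a minimal model of the impact assessment described on the slide.
# A passively learned host profile (OS, open ports/protocols, mapped vulnerabilities)
# is correlated with an intrusion event to choose the administrator action.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class HostProfile:
    os: str
    open_ports: set                           # (protocol, port) pairs seen passively
    vulns: set = field(default_factory=set)   # vulnerability ids mapped to this host

@dataclass
class IntrusionEvent:
    dst_ip: str
    protocol: str
    dst_port: int
    vuln_refs: set    # vulnerability ids the intrusion rule is associated with

# Constructed sample data: one monitored network and two profiled hosts.
MONITORED = [ip_network("10.0.0.0/24")]
HOSTS = {
    "10.0.0.5": HostProfile("Windows Server", {("tcp", 80), ("tcp", 445)}, {"vuln-1001"}),
    "10.0.0.9": HostProfile("Linux", {("tcp", 22)}),
}

ACTIONS = {   # the five administrator actions from the slide
    "vulnerable": "Act immediately, target vulnerable",
    "probably_vulnerable": "Investigate, probably vulnerable",
    "not_vulnerable": "Good to know, currently not vulnerable",
    "unknown_target": "Good to know, unknown target",
    "unknown_network": "Good to know, unknown network",
}
PRIORITY = list(ACTIONS)   # analyst triage order, most urgent first

def impact_flag(event, hosts=HOSTS, monitored=MONITORED):
    """Return the impact category of an intrusion event following the slide's rules."""
    ip = ip_address(event.dst_ip)
    if not any(ip in net for net in monitored):
        return "unknown_network"          # unmonitored network: nothing is known
    host = hosts.get(event.dst_ip)
    if host is None:
        return "unknown_target"           # monitored network, but host never profiled
    if event.vuln_refs & host.vulns:
        return "vulnerable"               # rule maps to a vulnerability seen on the host
    if (event.protocol, event.dst_port) in host.open_ports:
        return "probably_vulnerable"      # port open / protocol in use, no vuln mapped
    return "not_vulnerable"               # the targeted service does not exist here

def prioritize(events, **kw):
    """Order events so the analyst sees those the host is likely vulnerable to first."""
    return sorted(events, key=lambda e: PRIORITY.index(impact_flag(e, **kw)))
```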
IoC: Indicators of Compromise
IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks
SI Events: Connections to Known CnC IPs
Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections
IoC: a "tag" that indicates a probable infection of the host and other highly critical events. IoCs are built for each host.
How should Security Appliance performance be measured?
§ Datasheets contain performance guidance. The throughput figure is very often a marketing value (i.e. achievable only in theory).
§ The firewall industry almost always publishes max throughput for 1518-byte UDP traffic. This is useless.
§ The IPS industry is generally more conservative. The test traffic is usually 440-byte TCP HTTP.
§ IPS performance will fluctuate significantly depending on the features enabled and the device configuration (i.e. the level of protection).
General sizing rules for ASA FirePOWER Services
§ Performance comparable to classic Cisco IPS for the 440-byte TCP/Transactional traffic profile (the same test as for dedicated FirePOWER appliances)
§ After enabling AVC or AVC+AMP alongside IPS, performance drops by:
  § 30-45% for IPS + AVC
  § 50-65% for IPS + AVC + AMP
  § The proportions are consistent with dedicated FirePOWER Appliances
FirePOWER performance compared with classic Cisco IPS
§ An upgrade from classic Cisco IPS 7.x to FirePOWER Services and its new features may require a platform change if the ASA currently handles traffic at the limit of its capacity. "Transactional" traffic profile.

Throughput (Mbps, transactional profile):
Model                       5512-X  5515-X  5525-X  5545-X  5555-X  5585-10  5585-20  5585-40  5585-60
Classic IPS module             150     250     400     600     850     1150     1500     3000     5000
FirePOWER AVC or IPS           100     150     375     575     725     1200     2000     3500     6000
FirePOWER IPS + AVC             75     100     255     360     450      800     1200     2100     3500
FirePOWER IPS + AVC + AMP       60      85     205     310     340      550      850     1500     2300
Performance that is "also" real: NSS Labs Report
§ The ASA 5525-X is rated by NSS at 954 Mbps, which exceeds the vendor-claimed performance (Cisco rates this device at 650 Mbps).
§ The FirePOWER 8350 is rated by NSS at 18,771 Mbps, which exceeds the vendor-claimed performance (Cisco rates this device at 15 Gbps).
§ The ASA 5585-X SSP60 is rated by NSS at 9,500 Mbps, which exceeds the vendor-claimed performance (Cisco rates this device at 6,000 Mbps).
NSS Labs Report: "other" observations
Leadership
Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.
Dedicated FirePOWER sensors
FirePOWER™: high performance, low latency, high effectiveness
• Software flexibility • NGIPS, NGFW, AMP, URL Filtering • All in one solution
• Software flexibility • Scalability: 50 Mbps -> 60 Gbps • Stacking option
• Cost-effectiveness • Best-in-class IPS and NGFW according to NSS Labs tests
Dedicated sensor platforms – 8000 series
Dedicated sensor platforms – 7000 series
FireSIGHT - an integral part of the solution
Model                       750          1500            2000*             3500              4000*             Virtual machine (VM)
FirePOWER devices*          10           35              70                150               300               Virtual FireSIGHT® Management Center: up to 25 devices; up to 5 devices – "Promo"
Storage – events            100 GB       125 GB          1.8 TB            400 GB            4.8/6.3 TB        -
Network map (hosts/users)   2000/2000    50,000/50,000   150,000/150,000   300,000/300,000   600,000/600,000
Events per second (EPS)     2000         6000            12,000            10,000            20,000
* The maximum number of devices depends on the sensor type and the number of events per second
Licensing and migration
FirePOWER Services licensing for ASA
§ AVC is a default component of the system
§ Subscription licences: § URL Filtering § NGIPS § AMP
§ Migration programmes: § Hardware IPS, CX § Credit for active IPS and CX subscriptions
Diagram of licence combinations (URL, IPS, AMP) for the "NGFW" approach and the "NGIPS" approach
Cisco ASA with FirePOWER Services: ordering
ASA 5500-X with FirePOWER Services / ASA 5585-X with FirePOWER Services
1. New device or device upgrade
  • 5500-X: SSD + FirePOWER Services Upgrade License; SMARTnet service
  • 5585-X: FirePOWER Services Blade; SMARTnet service
2. Service subscriptions
  • One of 5 subscription packages: IPS, URL Filtering, Advanced Malware
  • 1- or 3-year subscription period
3. Management system
  • Cisco FireSIGHT Manager Virtual or FireSIGHT Appliance
  • Cisco Security Manager (CSM) (optional)
  • SMARTnet / SASU
Promotion – until 15 March 2015
Trade-in product - trade-to - TMP trade-in credit
Any Cisco ASA 5500 Series HW - ASA 5500-X with FirePOWER Services - 15%
Any Cisco ASA 5500 Series HW - ASA 5585-X with FirePOWER Services - 15%
Cisco ASA 5585-X IPS or CX HW Modules - FirePOWER Services Module for ASA 5585-X - 20%
Competitive Hardware - ASA 5585-X with FirePOWER Services or ASA 5500-X with FirePOWER Services - Variable
NEW - ASA with FirePOWER Services Offer
Special end of year promo, limited time list price discount. Expires Jan 24th 2015.
Step 1 – Pick your platform: ASA 5512, 5515 or 5525
Step 2 – Pick your subscription: 3 options to secure your customer with Cisco's NEW ASA Next Gen Firewall with FirePOWER Services
1. NGFW + IPS, 1 yr. subscription
2. NGFW + IPS, URL, AMP, 1 yr. license
3. NGFW + IPS, URL, AMP, 3 yr. license
Offer requirements: 1. Must purchase ASA appliance with SSD 2. Requires purchase of FireSIGHT Manager

Promotional SKU - promo list price - limited time list price discount
Option 1: L-ASA5512-TA-1PR $790 25%; L-ASA5515-TA-1PR $970 25%; L-ASA5525-TA-1PR $1,900 25%
Option 2: L-ASA5512-TAMC-1PR $1,350 50%; L-ASA5515-TAMC-1PR $1,640 50%; L-ASA5525-TAMC-3PR $3,085 50%
Option 3: L-ASA5512-TAMC-3PR $4,335 33%; L-ASA5515-TAMC-3PR $5,280 33%; L-ASA5525-TAMC-3PR $9,920 33%
Example migration path
Cisco IPS (throughput) -> FirePOWER NGIPS (throughput)
IPS 4270 (2 Gbps) -> FirePOWER 8140 (6 Gbps)
IPS 4260 (1 Gbps) -> FirePOWER 8120 (2 Gbps)
IPS 4255 (500 Mbps) -> FirePOWER 7115 (750 Mbps)
IPS 4225 (250 Mbps) -> FirePOWER 7110 (500 Mbps)
IPS 4215 (150 Mbps) -> FirePOWER 7030 (250 Mbps)
*Suggested FirePOWER upgrade appliance assumes desired performance boost. Model throughputs will vary depending on traffic mix – assumes transactional or full inspection loadings. Other factors may require consideration.
Migration programmes
In summary…
FirePOWER goes by many names
Cisco AMP
VMWare Appliance
FirePOWER on Cisco ASA
FirePOWER HW Appliance
ASA FirePOWER – a complete solution across the attack continuum: BEFORE, DURING, AFTER (Cisco)
Capabilities shown in the diagram: Collective Security Intelligence (CSI); Contextual Device, Network and End-Point Visibility; Classic Stateful Firewall; Gen1 IPS; Application Visibility; Web/URL Controls; AV and Basic Protections; NGIPS; Vulnerability Management; Client Anti-Malware (AMP)*; Correlated SIEM Eventing; Incident Control System; Network Anti-Malware Controls (AMP); Behavioural Indications of Compromise; User Identity; NGFW; Open APP-ID; SNORT Open IPS; Host Trajectory; Retrospective Analysis; NG Sandbox for Evasive Malware; Auto-Remediation / Dynamic Policies; Adaptive Security; Sandboxing; Retrospective Detection; Malware File Trajectory; Threat Hunting; Forensics and Log Management; Dynamic Outbreak Controls; URL and IP Reputation
* Agent
Management interface
Thank you.