Cisco Secure Firewall

Transcription

Cisco Secure Firewall 7.0 Release Preview
Ruslan Ivanov, Technical Solutions Architect
ruivanov@cisco.com

Agenda
‣ Introduction
‣ Threat Efficacy
‣ Event Management
‣ VPN and Identity Updates
‣ Policy Workflow and Device Administration
‣ Virtual and Platform Features
‣ Integrations
‣ CDO Updates

Brand Naming Changes
Firepower Management Center (FMC) → Cisco Secure Firewall Management Center (FMC)
Firepower Threat Defense (FTD) → Cisco Secure Firewall Threat Defense (FTD)
Adaptive Security Appliance (ASA) → Cisco Secure Firewall ASA
Firepower Hardware Appliance → Cisco Secure Firewall 2100 Series
Firepower Threat Defense Virtual / NGFWv → Cisco Secure Firewall Threat Defense Virtual (FTDv)
2021 Cisco and/or its affiliates. All rights reserved. Cisco Public

Introduction

ASA/FTD Release Lifecycle
9.12 / 6.4
9.13 / 6.5
9.14 / 6.6
9.15 / 6.7
9.16 / 7.0 (Spring 2021 Release)
9.17 / 7.1

Preview of Firepower 7.0 and ASA 9.16.1
Cisco's next long-term release for FTD and ASA includes:
‣ Government certification
‣ Incorporates several high-profile customer and field requests
‣ Further reduces the VPN parity gap between the ASA and FTD
‣ Better performance, reduced time to upgrade
‣ Policy deploy improvements
‣ Extended deployment opportunities

Firewall Threat Defense 7.0 (1HCY21)
Major improvements in an extra long-term release – shifting to 7.0 in Spring 2021

Scalable Eventing and Logging
- Real time event viewer, scalable eventing and logging using on-prem SAL
- Business outcome: Troubleshoot and track current and historical event data in a common UI

Dynamic objects for quick changes
- Attribute based policy feature adds dynamic network objects in AC policy
- Business outcome: Change dynamic objects in policies quickly without the need to deploy configuration

Simplified Product Experience
- Unified health metrics (via SNMP), health dashboard in FMC, Change management (rollback, change previews, improved audit logs), Searching and Filtering etc.
- Business outcome: Much better user experience, reduced operational complexity and cost

Threat Efficacy Enhancement
- Improved Threat Detection enabled via major architecture updates: Snort 3 in FMC
- Business outcome: Customers get better detection with less resource consumption.

Public Cloud & Virtualization
- Support dynamic policies for cloud-native policy and create quick instance (with Secure Threat Services)
- Business outcome: Hybrid cloud support ready for any customer environment

Many more improvements in: Remote access and site-to-site VPN; Secure-X Integration; FMC API for orchestration and migration; APIC FMC App; Multi domain support; PAT operations in clustering; Multiple realm support for Identity

Threat Efficacy Improvements
‣ Snort 3
‣ DNS Reputation

Snort 3 Overview

Snort 2 vs. Snort 3
Snort 2:
‣ Capable of running multiple Snort processes
Snort 3:
‣ Multi-Threaded Architecture
‣ Port Independent Protocol Inspection
‣ IPS Accelerators / Hyperscan Support
‣ Modularity – Easier TALOS contributions
‣ Scalable Memory Allocation
‣ Next Gen TALOS Rules – e.g., Regex/Rule Options/Sticky Buffers
‣ New and Improved HTTP Inspector – e.g., HTTP/2 support
‣ Lightweight content updates from TALOS

Snort 3 Enablement in 7.0
Functionality | FMC | FDM* / FTD Device API
Upgrade | Snort 2 | Snort version maintained from previous config
Base Install | Snort 3 | Snort 3
*CDO similar to FDM

FMC Management

What's New - Overview
‣ Snort 3 is now supported with FMC as well as FDM
‣ Snort 3 Device Management
- Ability to toggle device Snort versions (Snort 2 - Snort 3) from FMC device management
‣ Solution Upgrade / Migration Changes
- Simplified Migration of Snort 2 to Snort 3 policies after upgrading to FP 7.0
- Support for synchronizing common intrusion policies between Snort 2 and Snort 3 versions

Snort Engine Selection (How it Works)
- For existing deployments (upgrades), after upgrade to FP 7.0, devices will continue to use Snort 2 as the detection engine
- For new deployments (fresh install of FMC), new 7.x devices will receive Snort 3. Existing devices registered running 6.x will remain at Snort 2

Intrusion Rule Groups - Navigation (How it Works)
‣ Rule groups can be accessed for an intrusion policy under Policies > Intrusion > Intrusion Policies > Snort 3 version

Feature Overview – Custom Intrusion Rules (How it Works)
‣ Users can upload custom intrusion rules, written in Snort 3 rule syntax
‣ The snort2lua tool on the FMC can be used to convert Snort 2 rules to Snort 3 syntax
‣ Each custom rule must have a SID (≥ 1000000) and REV information
‣ GID need not be provided by the user
- GID will be auto-generated per domain as in the case of Snort 2
- The auto-generated GID will be different from the Snort 2 GID to avoid SID collision

Snort 3 Rule Conversion – Final

Snort 2 rule (before conversion):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI request for known malicious URI"; flow:established,to_server; content:"/setup_b.asp?prj_"; nocase; http_uri; content:"&pid_"; nocase; http_uri; content:"&mac_"; nocase; http_uri; pcre:"/\/setup_b\.asp\?prj_\d\x26pid_[^\r\n]*\x26mac_/Ui"; metadata:service http; sid:19626; rev:2;)

Snort 3 rule (after conversion):
alert http (msg:"BLACKLIST URI request for known malicious URI"; flow:established,to_server; http_uri; regex:"/setup_b\.asp\?prj_\d&pid_.*&mac_", nocase, fast_pattern; sid:19626; rev:4;)
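As an added illustration (not code from the deck, and not Cisco's snort2lua), the following Python script parses a text rule with a quote-aware option splitter, checks the custom-rule requirements stated above (SID ≥ 1000000, rev present, no gid) and flags the Snort 2 header form that the conversion on this slide replaced with a service rule. The two Talos rules are the ones shown on the slide; LOCAL_RULE is a constructed example.

```python
import re

# Custom-rule requirements from the slide: SID >= 1000000 and a rev; no GID (FMC assigns it per domain).
CUSTOM_SID_MIN = 1_000_000

def split_options(body):
    """Split the option body on ';' outside double quotes; backslash escapes (as in pcre) are honoured."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == '"':
            cur.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:
            if "".join(cur).strip():
                opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts

def parse_rule(rule):
    """Return (action, header tokens, [(keyword, value), ...]) for a Snort 2 or Snort 3 text rule."""
    m = re.fullmatch(r"\s*(\w+)\s*([^(]*?)\s*\((.*)\)\s*", rule, re.S)
    if not m:
        raise ValueError("not a Snort rule")
    action, header, body = m.groups()
    opts = [(k.strip(), v.strip()) for k, _, v in (o.partition(":") for o in split_options(body))]
    return action, header.split(), opts

def check_custom_rule(rule):
    """Reasons the rule would be rejected as an FMC custom Snort 3 rule (empty list means it passes)."""
    _, header, opts = parse_rule(rule)
    keys = dict(opts)  # duplicate keywords (content/nocase/http_uri) do not matter for these checks
    problems = []
    sid = keys.get("sid", "")
    if not sid.isdigit() or int(sid) < CUSTOM_SID_MIN:
        problems.append(f"sid must be a number >= {CUSTOM_SID_MIN}, got {sid or 'none'}")
    if "rev" not in keys:
        problems.append("rev is required")
    if "gid" in keys:
        problems.append("gid is assigned by FMC per domain; remove it")
    # A proto/src/port/dir/dst/port header plus metadata:service is the Snort 2 form that the
    # slide's conversion turned into a Snort 3 service rule ('alert http (...)').
    if len(header) >= 5 and keys.get("metadata", "").startswith("service "):
        problems.append("Snort 2 header form; convert with snort2lua before upload")
    return problems

# The Talos rule pair from the slide (sid 19626; Snort 2 rev 2, Snort 3 rev 4) and one constructed local rule.
SNORT2_RULE = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI request for known malicious URI"; flow:established,to_server; content:"/setup_b.asp?prj_"; nocase; http_uri; content:"&pid_"; nocase; http_uri; content:"&mac_"; nocase; http_uri; pcre:"/\/setup_b\.asp\?prj_\d\x26pid_[^\r\n]*\x26mac_/Ui"; metadata:service http; sid:19626; rev:2;)'''
SNORT3_RULE = r'''alert http (msg:"BLACKLIST URI request for known malicious URI"; flow:established,to_server; http_uri; regex:"/setup_b\.asp\?prj_\d&pid_.*&mac_", nocase, fast_pattern; sid:19626; rev:4;)'''
LOCAL_RULE = r'''alert http (msg:"LOCAL constructed example"; flow:established,to_server; http_uri; content:"/constructed_path"; sid:1000001; rev:1;)'''

if __name__ == "__main__":
    for name, rule in [("snort2", SNORT2_RULE), ("snort3", SNORT3_RULE), ("local", LOCAL_RULE)]:
        print(name, check_custom_rule(rule) or "OK")
```

Both Talos rules are rejected as custom rules because their SID is below the custom range, and the Snort 2 version is additionally flagged for its legacy header.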

FDM Management

Firepower Device Manager - Custom Snort 3 Rules
‣ Custom Snort 3 rules supported
‣ Paste in single rule
‣ Upload rule text file
‣ User-defined rule groups

DNS Based Reputation

What's New
‣ New feature support:
- User can filter web traffic at the DNS level using category-reputation rules in the access control policy.
Solution
- Connection events are shown with category-reputation information for domain names.
- Because the majority of DNS traffic is not encrypted, performance on the device should improve because decryption using an SSL policy is not needed.

FMC Configuration
‣ Reputation enforcement on DNS traffic is enabled by default in Firepower 7.0.
‣ Setting is available in FMC under Access control policy > Advanced tab > General Settings > Enable reputation enforcement on DNS traffic.
‣ Available through AC policy.

FDM Configuration
‣ On FDM, from the AC Policy page, click the tool icon to open the Access Policy Settings window.

Event Management
‣ Unified Event Viewer
‣ Remote Event Data Storage

Unified Event Viewer

What's New
This release adds a new Unified Event Viewer with the following new capabilities:
- Unified view: Connection, File, Malware, and Intrusion events are in a single page
- Simplified searching: Search bar on top of the page rather than a completely different page
- Real time mode: Automatically loads new events into the view
- View full event details inline
- Updated UX/UI
- Supports querying events stored locally as well as remotely (using Cisco Security Analytics and Logging On Prem)

Walkthrough (screenshot callouts)
‣ Modify event filters
‣ Shrink/Expand the time window, or use real-time view
‣ Show/Hide specific event columns
‣ Expand rows to view all details of specific events

Walkthrough – True Correlation (screenshot callouts 1 and 2)
‣ Clicking on the Intrusion Event highlights the associated Connection Event

Monitoring the Event Capacity and Rate
‣ External Storage through Cisco Security Analytics and Logging On-Prem
‣ Auto select event source or manually specify

External Event Storage for FMC

FMC Integration with Cisco Security Analytics and Logging (SAL)

FMC Integration with SAL Cloud
‣ Builds on the existing cloud logging available in FMC starting FTD release 6.4
- Only high priority connection events were supported through direct-to-cloud integration
‣ Enables FMC managed FTDs to send all types of connection events to Stealthwatch Analytics and Logging Cloud

FMC Integration with SAL On-Prem
‣ Phase 1 introduced in release 6.7
‣ Phase 2 adds support for
- Easy Provisioning wizard for Stealthwatch integration
- Allow FMC Analytics to use both Stealthwatch Appliance Event datastore and local connection event datastore
- FMC Cross Launch
- FTD Security events and FTD-LINA syslogs

FMC Integration with Cisco Security Analytics and Logging (Cloud) (diagram)

FMC Integration with Cisco Security Analytics and Logging (On-Prem) (diagram)

FMC Integration with Cisco Security Analytics and Logging (SAL On Prem) – Easy Wizard
Easy button for setup:
‣ Setup cross launch links for FMC analytics to the Stealthwatch console
‣ Setup credentials for remote query from Stealthwatch datastore

FMC Integration with Cisco Security Analytics and Logging (SAL On Prem) – Cross Launch
‣ Cross-launches are created and enabled by default when SAL is configured

FMC Integration with Cisco Security Analytics and Logging (SAL On Prem) – Data Store selection
‣ External Storage through Cisco Security Analytics and Logging On-Prem
‣ Auto select event source or manually specify

VPN Updates
‣ Authentication and Authorization
‣ Dynamic Access Policy
‣ Custom Attributes
‣ SAML Authorization
‣ Local User
‣ Multiple Certificates
‣ Scaling and Redundancy
‣ Load Balancing
‣ VTI Enhancements
‣ Minor Improvements
‣ SSL Ciphers FDM UI
‣ PKI Enhancements
‣ VPN API

Dynamic Access Policy Support in FMC

What's New
‣ Introduction of Dynamic Access Policy in FMC for managed FTDs
‣ Simplified Dynamic Access Policy UI Editor
‣ Configure AAA attributes
‣ Configure Endpoint attributes
Solution
‣ Unified flow for both HostScan and Dynamic Access Policy configurations
‣ Easy migration of DAP policies from ASA to FTD
- FDM/FTD API to upload DAP xml file previously available in 6.7

Configuration Dialogs Example (screenshots)

AnyConnect Custom Attributes

What's New
‣ In 7.0, FMC will support a user-friendly way to configure the AnyConnect Custom Attributes
- Per App VPN on mobile devices with AnyConnect
- Dynamic Split Tunneling
- AnyConnect Defer Update
Solution
‣ FMC 7.0 builds the framework for flexibility to configure other custom attributes in addition to the above-mentioned ones. This will allow users to configure other existing and new AnyConnect features
‣ Custom attributes provide a generic infrastructure to configure AnyConnect client features without adding hard-coded support for these features on the FTD and FMC UI

Per App VPN on Mobile devices
‣ Allows for tunneling a specified subset of apps through one AnyConnect tunnel. For example:
- Save resources: don't send Netflix over the VPN tunnel
- Security: don't allow non-enterprise apps on the enterprise network
- Avoid tunneling trusted cloud applications (to minimize latency)
‣ Per App VPN must be configured via a Mobile Device Manager (MDM) and each device must be enrolled to the MDM server

Dynamic Split Tunneling
‣ Static split tunneling involves defining the IP addresses of hosts and networks that should be included in or excluded from the remote access VPN tunnel.
‣ Dynamic Split tunneling with AnyConnect was introduced to dynamically provision split include/exclude tunneling after tunnel establishment based on the host DNS domain name.
‣ Dynamic Split tunneling can be provisioned using
- Dynamic Split Exclude
- Dynamic Split Include

Defer Update
‣ Defer Update allows the user to delay the update of the AnyConnect client
‣ When a client update is available, AnyConnect opens a dialog asking the user if they would like to update or defer the update

SAML Authorization

What's New
‣ Release 7.0 introduces
- SAML authorization support for Remote Access VPN using Dynamic Access Policy (DAP) in FMC
- SAML authentication for Remote Access VPN users was added in the 6.7 release
Solution
‣ Support for user attributes delivered in SAML assertions within the AAA and DAP frameworks
‣ ASA 9.16 adds support for using SAML Assertion Attributes for Dynamic Access Policy outcomes

Local User Authentication for AnyConnect VPN users

What's New
‣ In release 7.0,
- FMC introduces the ability to configure and deploy Local Users to FTD via GUI and REST API
Solution
‣ When a RADIUS/LDAP/AD server used for RA VPN authentication fails, local users provide a fallback so administrators can still authenticate to the Corporate Network through RA VPN and fix the issue
‣ Need a quick way to set up RA VPN for a quick demo/test
‣ Use cases where the authentication requests cannot go outside of FTD to an external AAA server for reasons of securing data in transit and data at rest
‣ It is already supported with FDM management

Feature Overview
‣ Local User Database can be used for VPN
- Primary Authentication
- Secondary Authentication
- Fallback for Primary Authentication
- Fallback for Secondary Authentication
‣ Local Users database configured as Realm (like AD/LDAP implementation)
‣ Can be reused or shared across VPN configurations on multiple FTDs
(Diagram: RA VPN Endpoints, NGFW, Corporate Network, AAA Server, Local User Database)

Multiple Certificate Authentication

What's New
‣ This release allows Certificate-based authentication in Remote Access VPN Connection Profile to use both User certificate and Machine certificate
‣ Administrator can choose if the username for the session should be taken from the machine certificate or user certificate
Solution
‣ Validate if the device is a corporate device along with the identity of the user

Configuration Workflow in FMC
‣ Enable Multiple Certificate Authentication
‣ Select the certificate for prefilling username
‣ Pre-fill username for Secondary Authentication

Remote Access VPN Load Balancing

What's New
‣ This release adds support for configuring and deploying two or more FTDs in a logical group for Load Balancing the Remote Access VPN sessions
‣ Share the Load Balancing configuration among multiple devices
Solution
‣ VPN Scalability combined with increased availability
‣ Different from FTD Clustering or FTD High Availability
‣ FTD Standalone or High Availability pair can be added as part of the Load Balancing group

Feature Overview
‣ AnyConnect VPN session shared among devices
‣ Two or more devices virtually grouped to form a Load Balancing Group
‣ Members
- FTDs participating in Load Balancing Group
- Share the VPN connections
‣ Director
- One FTD acts as a director
- Distributes the load to other members in the group
- Also participates in serving VPN sessions

Virtual Tunnel Interface (VTI) Enhancements

What's New
‣ This release adds support for IPv6 addressing on Static Virtual Tunnel Interface
‣ Ability to configure backup VTI interfaces natively from FMC
‣ Increased the maximum number of VTIs from 100 to 1024
Solution
‣ Adds support for ASA and CSM UI as well

Feature Overview - IPv6 VTI
‣ IPv6 addressed VTIs can be configured
‣ The tunnel source interface can have an IPv6 address and this IPv6 address can be used as the tunnel endpoint
‣ The following combinations of VTI IP (or internal networks IP version) over public IP versions are supported:
- IPv6 over IPv6
- IPv4 over IPv6
- IPv4 over IPv4
- IPv6 over IPv4
Example: an IPv6 over IPv4 tunnel and an IPv4 over IPv4 tunnel to the AWS cloud

FDM SSL Ciphers UI Support

FDM SSL Ciphers UI Support
‣ Starting with the 7.0 release, customers will be able to configure SSL Ciphers from the FDM UI
- Currently in FDM, customers can configure the SSL Cipher server via FTD Device REST APIs
Solution
‣ Support is added from FDM UI for configuring SSL Cipher Objects:
- Allow configuring the relation between protocol versions and SSL security level
‣ Support is added from FDM UI for updating SSL Cipher Data settings:
- Allow configuring Diffie-Hellman and Elliptic Curve Diffie-Hellman group
- Allow selection of multiple SSL Cipher objects

VPN PKI Enhancements

Enrollment over Secure Transport (EST)
‣ A new enrollment type, Enrollment over Secure Transport (EST), is supported in this release.
- EST is the successor to the Simple Certificate Enrollment Protocol (SCEP)
- EST uses TLS for the secure transport of messages.
- In EST, the certificate signing request (CSR) can be tied to a requestor that is already trusted and authenticated with TLS.
Solution
‣ EST is described in RFC 7030

Edwards-Curve Digital Signature Algorithm (EdDSA) Support
‣ Support for the Edwards-Curve Digital Signature Algorithm (EdDSA) key algorithm has been added.
‣ Ed25519 is the EdDSA signature scheme using SHA-512 (SHA-2) and Curve25519. The key is encoded in 256 bits.

1K/SHA1 RSA Constraints
‣ Generation of RSA keys less than 2048 bits has been removed
‣ By default, certificates signed with SHA-1 or with a key size less than 2048 will not be accepted by FTD.
‣ There is an option for users to override this restriction.
Solution
- Useful in upgrade scenarios.
- Certificates with key size lower than 1024 and signed by SHA-1 can be imported.
- Override does not apply to key generation.

GET API for Remote Access VPN

FMC VPN API
‣ FMC RAVPN REST APIs delivered in 7.0:
- FMC GET APIs for RAVPN Objects
- FMC GET APIs for RAVPN Policies
- Existing Policy Assignment GET APIs enhanced to return RAVPN Policy Assignments
Solution
‣ These REST APIs are not being used by the FMC UI itself
‣ FMC only feature
- FTD can be on an older release
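As an added example (not Cisco's code and not from the deck), the following standard-library Python client obtains an FMC API token, pages through a collection and reduces the RAVPN policy records to name/id pairs. The generatetoken endpoint and its X-auth-access-token / DOMAIN_UUID response headers, and the paging.next links in collection responses, are existing FMC API behaviour; the policy/ravpns path, host name and credentials are assumptions, and SAMPLE_PAGES is a constructed response used to exercise the paging and summary logic offline.

```python
import base64
import json
import ssl
import urllib.request

def fmc_login(host, username, password, ctx=None):
    """POST to the FMC token endpoint; the token and domain UUID come back as response headers."""
    req = urllib.request.Request(f"https://{host}/api/fmc_platform/v1/auth/generatetoken", method="POST")
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]

def next_page(page):
    """FMC collection responses carry paging.next (a list of URLs); return the first one or None."""
    nxt = page.get("paging", {}).get("next") or []
    return nxt[0] if nxt else None

def fmc_get_all(host, token, path, ctx=None):
    """GET a collection and follow paging.next until the last page, returning every item."""
    url, items = f"https://{host}{path}", []
    while url:
        req = urllib.request.Request(url, headers={"X-auth-access-token": token, "Accept": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            page = json.load(resp)
        items.extend(page.get("items", []))
        url = next_page(page)
    return items

def summarize_policies(items):
    """Reduce policy records to (name, id) pairs, skipping malformed records that carry no id."""
    return [(p.get("name", "<unnamed>"), p["id"]) for p in items if "id" in p]

# Constructed two-page sample of the response shape (not captured from a real FMC).
SAMPLE_PAGES = [
    {"items": [{"name": "RAVPN-Corp", "id": "00000000-0000-0000-0000-000000000001"},
               {"name": "RAVPN-Lab", "id": "00000000-0000-0000-0000-000000000002"}],
     "paging": {"offset": 0, "limit": 2, "count": 3, "pages": 2,
                "next": ["https://fmc.example.internal/api/fmc_config/v1/domain/d/policy/ravpns?offset=2&limit=2"]}},
    {"items": [{"name": "RAVPN-Partner", "id": "00000000-0000-0000-0000-000000000003"}, {"name": "broken"}],
     "paging": {"offset": 2, "limit": 2, "count": 3, "pages": 2}},
]

if __name__ == "__main__":
    # Assumed lab values; the policy/ravpns collection path is an assumption about the 7.0 config API.
    ctx = ssl.create_default_context()  # keep certificate validation on; load your FMC CA here
    token, domain = fmc_login("fmc.example.internal", "apiuser", "CHANGE-ME", ctx)
    path = f"/api/fmc_config/v1/domain/{domain}/policy/ravpns?expanded=true"
    for name, policy_id in summarize_policies(fmc_get_all("fmc.example.internal", token, path, ctx)):
        print(name, policy_id)
```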

Identity Updates
‣ Subnet Filter for Identity Policy Mappings
‣ FMC Cross Domain Groups
‣ Refreshed Realm UI
‣ Identity Change Management
‣ Dynamic Objects

Subnet Filter for Identity Policy Mappings

Where does Identity Filter take place?
(Diagram labels: Users, MS Active Directory, Firepower 9300 SM-56, 300k, Switch, 300k, Ci)
