Brksec 1020

Cisco Firewall Basics
Mark Cairns, Consulting Systems Engineer

BRKSEC-1020
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be cs.co/clus17/#BRKSEC-1020

available until July 3, 2017.
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
BRKSEC-1020 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Mark Cairns
Consulting Systems Engineer, GSSO, supporting US Commercial
• Based in Richmond, VA and cover accounts in Virginia and Washington DC
• 19 years experience with Cisco Security Solutions
• You can reach me at marcairn@cisco.com and @12LISN2
Session Information
Cisco Firewall Basics
• This is an introductory 1000 level session
• It is not meant for professionals with deep knowledge of firewalls and Cisco ASA
• This session is not for you if you want to deep dive into configurations for specific
features / functionality
• References may be made to advanced functionality for context but we will stay at a fairly
high level
Follow up Sessions
Deeper dives on specific content
Session ID Session Description Time
BRKSEC-2058 A Deep Dive into using the Firepower Manager Wed 4:00-5:30
BRKSEC-3007 Advanced Cisco IOS Security Tuesday 1:30-3:30
BRKSEC-3300 Advanced IPS Deployment Thursday 8:30-10:00
BRKSEC-3690 Advanced Security Group Tags Monday 1:30-3:30
BRKSEC-2050 ASA Firepower NGFW typical deployment scenarios Monday 1:30-3:30, Tuesday 1:30-3:30
BRKSEC-2033 Best Security and deployment strategies SMB NGFW Tuesday 8:00-10:00
BRKSEC-2342 Branch Router Security Thursday 10:30-12:00
BRKSEC-2055 Cloud-Managed Security for Distributed Networks with Cisco Meraki MX Wednesday 4-5:30
Follow up Sessions
Deeper dives on specific content
Session ID Session Description Time
BRKSEC-2203 Deploying TrustSec Security Group Tagging Tuesday 4:00-5:30
BRKSEC-3455 Dissecting Firepower NGFW "Installation & Troubleshooting" Tuesday 1:30-3:30
BRKSEC-3035 Firepower Platform Deep Dive Wednesday 1:30-3:30
LTRSEC-1000 Firepower Threat Defense Deployment Hands-on Lab Wed 8:00-12:00, Thursday 8:00-12:00
BRKSEC-3032 NGFW Clustering Deep Dive Tuesday 8:00-10:00
BRKSEC-2020 NGFW Deployment in the Data Center and Network Edge Using Tuesday 8:00-10:00, Wed 1:30-3:30
Firepower Threat Defense
BRKSEC-2064 NGFW and ASAv in Public Cloud (AWS and Azure) Thursday 1:00-2:30
Agenda
• Introduction
• Firewalls in General
• Use Cases - Why
• Firewall Options - What
• Introduction to Firepower
• Advanced Use Case Examples
• Q&A – Feel free to ask questions
Firewalls in General
Securing/Hardening for What Purpose or Need?
Subversion Disruption
Bots, Viruses, and Worms Denial of service attacks
Spyware and Adware Advanced Persistent
Threats (APTs)
Penetration Attempt Data Loss
Zero-day Attacks Data theft and/or

interception
Hacker Attacks
Identity theft
Firewalls
What are they?
• Primary filtering appliances/VMs that work at both the network and application layers
• Provide a platform for the features/functionality needed for network security
• VPNs (remote-access and site to site)
• NGIPS
• Anti-Malware Protection
• Next-generation security should not abandon proven stateful inspection capabilities in
favor of application and user ID awareness by itself
• Comprehensive network security solution needs include firewalls, next-generation firewalls
(application inspection and filtering) and next generation intrusion prevention systems
(context aware)
• The firewall often is the conduit from which other defense components combat the threats
that face the network
Filtering on a Tuple? Packet
• The genesis of firewalls was initially a

means to filter traffic based on the five
tuple
• Source IP address – the IP address of the
initiator of the IP packet
• Destination IP Address – the IP address of
the destination of the IP packet
• Source Port – UDP or TCP port used by
initiator to establish communications with
destination
• Destination Port – UDP or TCP port used by
destination to establish communications with
source
• IP Protocol – the specific IP protocol used in
the communication
Filtering – IP Protocols Packet
• ICMP (1)
• TCP (6)
• UDP (17)
• GRE (47)
• ESP (50)
• AH (51)
• EIGRP (88)
• OSPF (89)
http://www.iana.org/assignments/protocol-
numbers/protocol-numbers.xhtml
Stateful Inspection Src IP – 2.2.2.2
Dest IP – 1.1.1.1
Src Port – TCP/80
• Most routers and switches can filter Dest Port – TCP/35478
based on the five tuple…why a firewall Packet
then?
• Stateful firewalls track L3/L4 traffic as it
leaves and returns to the network
• Connections are maintained in the
connection table tracking five tuple and
additional information such as sequence
Packet
TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), Src IP – 1.1.1.1
flags UIO, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002 Dest IP – 2.2.2.2
Src Port – TCP/35478
*Best Practice – Limit outbound Dest Port – TCP/80
connections to known services and hosts

such as SMTP servers only for port 25.
Network Address Translation Src IP – 3.3.3.3
Dest IP – 2.2.2.2
• Network address translation (NAT) is the Dest Port – TCP/80
mapping of IP addresses from a private
network to a public network
• NAT gives network administrators and
security administrators:
• Access to non-publically routable IPv4
space
• Cost savings because addresses are not
cheap Packet
• Allows for masquerading of internal network Src IP – 10.1.1.1
addresses Dest IP – 2.2.2.2
• IPv4 Address space is exhausted Dest Port – TCP/80
Use Cases
Use Case #1
• Hospitality, Retail or other similar distributed deployment
• Remote sites 100+
• Direct Internet Access (DIA) at remote sites
• Company has a “Cloud First” mandate
• 4 Network / Security Engineers (“jack of all trades, master of none”)
• Basic security needs for URL filtering, DNS security, IPS
• Need VPN connectivity to HQ
Cloud Networking Group
Meraki MX Options
Reference
Small Mid-
branch sized
branch
MX64(W) MX65(W) MX84 MX100
~50 users ~50 users ~200 users ~500 users
802.11ac wireless 802.11ac wireless & PoE+ Dedicated WAN uplinks Gigabit uplinks
FW throughput: 250 Mbps FW throughput: 250 Mbps FW throughput: 500 Mbps FW throughput: 750 Mbps
Large Teleworker
branch
or campus
MX400 MX600 Z1
~2,000 users ~10,000 users 1-5 users
Modular interface Modular interface Dual-radio wireless
FW throughput: 1 Gbps FW throughput: 1 Gbps FW throughput: 50 Mbps All devices support 3G/4G
Meraki MX Security
Next Generation Firewall Application aware firewalling
Intrusion Prevention
Based on Cisco Snort
(IPS)
With over 80 categories and

URL Content Filtering
over 4 billion categorized URLs
Geo-based security Allow or block traffic by country
Malware Protection Cisco AMP and Threat Grid
Software and security updates

Automatic updates
delivered from the cloud
PCI 3.2 certified cloud

PCI compliance
management backend
Meraki MX Basics
Meraki MX Basics continued
Meraki MX Basics continued
Meraki Threat and Filtering
Meraki Threat and Filtering continued
Cisco Umbrella
Use Case #2
• Regional Services Company
• 8 sites on MPLS with ISR routers deployed
• Broadband Internet being added for DMVPN backup/redundancy (IWAN)
• Simple filter to protect the new Internet link
• HQ has a proxy for Internet
Securing the WAN
• Typical MPLS WAN
• Does not ensure privacy
• Best Practice – Consider encryption

across existing WAN
Internet based WAN
• Lower cost alternative to MPLS
• Dictates VPN for routing and privacy
• Balance complexity with features
and functionality
• Typically no need for inbound
access directly from Internet
Zone Based Firewall
Note: For simple inside to outside
Zone Based Firewall configuration, remove all reference to
DMZ interface. This DMZ configuration
Support for: assumes a second security device to filter
• ISR, ASR, CSR traffic or terminate VPN.
• NAT DMZ
All Traffic
• WAAS Permit
• VRFs G0/1.103
• Redundancy
• VTIs for VPNs G0/1.101 G0/0
• Deep Packet
Inspection Trusted Internet
TCP/UDP/ICMP
Response OK
Configuring ZBF configuration, remove all reference to
zone security Internet
zone security Trusted Create Zones assumes a second security device to filter
zone security DMZ traffic or terminate VPN.
interface LISP0
zone-member security DMZ
!
interface GigabitEthernet0/0
description Public Outside
zone-member security Internet
! Assign interfaces to security
interface GigabitEthernet0/1.101 zones
description Inside
zone-member security Trusted
!
interface GigabitEthernet0/1.103
description Public DMZ
zone-member security DMZ
Configuring ZBF configuration, remove all reference to
class-map type inspect match-any All_Protocols
description - Match all outgoing protocols assumes a second security device to filter
match protocol tcp traffic or terminate VPN.
match protocol udp Create Inspection Class
match protocol icmp
policy-map type inspect trusted-to-internet

class type inspect All_Protocols
inspect
class class-default Create Inspection Policy
drop
policy-map type inspect DMZ
class class-default
pass
Create Zone Pairs and
Associate Policy
zone-pair security Trusted->Internet source Trusted destination Internet
service-policy type inspect trusted-to-internet
zone-pair security Internet->DMZ source Internet destination DMZ
service-policy type inspect DMZ
zone-pair security DMZ->Internet source DMZ destination Internet
service-policy type inspect DMZ
Use Case #2 (Variant)
• Regional Services Company
• 8 sites on MPLS with ISR routers deployed
• Broadband Internet being added for DMVPN backup and DIA
• Simple Complete filter to protect the new Internet link
Firepower Virtual – VMware / KVM
Internet based WAN
• Lower cost alternative to MPLS
• Dictates VPN for routing and privacy
• Balance complexity with features
and functionality
• Typically no need for inbound
access directly from Internet
• Direct Internet Access (DIA) adds
security risk
Use Case #3
• Data Center upgrade
• Adding security to new design
• No L3 hop for security to reduce convergence time
• N+1 redundancy
• Multi 10 Gbps throughput
Data Center
A/S or Clustering for Performance and Scale
Firepower 9300 with SM-24, SM-36 or Firepower 4110, 4120, 4140 or 4150
SM-44
Firepower 2110, 2120, 2130*, 2140*
*10 Gig Interfaces

Data Center
Reference
Specifications
*Note 2100 models do

not support clustering.
Only 2130 and 2140
support 10 Gbps
interfaces and optional
network module.
Firepower 2100 Series
Firepower High Performance, Purpose Built

FPR 2140 12x 1G 12x 10G Port 2100 Hardware for Cisco NGFW
FPR 2130 12x-1G 12x 10G Port

Firepower
2100
Available in 4 Platforms
Firepower
FPR 2120 16x 1G Port 2100 Higher Port Density in 1 Rack Unit
Firepower
FPR 2110 16x 1G Port 2100 10 Gbps Support (2130 and 2140)
Data Center
Clustering for Performance and Scale
Handles asymmetric traffic associated with VPC/VSS

N+1 redundancy
Keeps DC design intact
Scale to 16 firewalls
Data Center
ACI Deployments
APIC
Agility and Scale and Performance

Simplicity Automation Security Open
Visibility
Use Case #4
• Cloud expansion / Cloud First
• AWS and/or Azure
• Need to replicate security / inspection policy for cloud traffic
Your Data Here
Cisco ASAv and Threat Defense Virtual
Cisco® ASA 9 Feature Set / Threat Defense 6
ASA
 10 vNIC interfaces and VLAN tagging
 Virtualization displaces multiple-context and clustering
 Parity with all other Cisco ASA platform features
Cisco  SDN (Cisco APIC) and traditional (Cisco ASDM and CSM)
ASAv management tools
FTDv  Dynamic routing includes OSPF, EIGRP, and BGP

 REST API for programmed configuration and monitoring
 Cisco TrustSec® PEP with SGT-based ACLs
 Failover Active/Standby HA model
FTDv
• 4 vNIC default
• 8 GB RAM, 4 vCPU
VMware, KVM, Hyper V (ASA only), AWS, Azure (features can differ
for cloud)
Cisco ASAv Platforms
Cisco®
100 Mbps
ASAv5
Cisco® 1 Gbps
ASAv10
Cisco® 2 Gbps
ASAv30
* Lab Edition license is built in with 100-Kbps throughput and 100 total
connections allowed
Cisco ASAv Platforms
Cisco®
10 Gbps
ASAv50
• Introduced with ASA release 9.8(1)

• Supported on KVM or ESXi
• Uses IXGBE-VF vNIC
• Does not support Transparent mode (promiscuous restriction on IXGBE-VF)
• Not supported in Amazon Web Services, Microsoft Azure or Hyper-V
ASAv and/or NGFW
• Supported in both AWS and Azure

• *Note restrictions based on cloud deployment
Meraki Virtual MX for AWS (vMX100)
• Appears in the dashboard

• 500 Mbps VPN throughput
• Bring Your Own License
(BYOL)
Use Case #5
• Typical Internet Edge designs
• Outbound Internet (Web, Email, FTP, etc)
• Inbound traffic to DMZ and/or eCommerce
• VPN for Remote Access, L2L, business partners
Edge With DMZ
• Similar to a basic edge design with
the addition of inbound traffic
• Traffic inbound from the DMZ to the
trusted network may or may not
pass the firewall.
Edge With DMZ - VPN
• Multiple path options for VPN with
trusted and untrusted packets.
• VPN Concentrator may be
connected outside the firewall
• Trusted traffic path usually depends
on source. Employee or Vendor,
B2B, etc.
*Best Practices – Remember that controlling
access from a VPN to an internal resource is
not a dead end! Jump box scenario.
Hide your firewall with private IP space on
the outside.
Tiered DMZs
• Typically seen in multi-tiered
hosting for e-commerce
• Forces all traffic between tiers
to pass firewall rules
• Can help mitigate risk and
contain exploits and/or
breaches within a DMZ
Bridge across your DMZs
• Sometimes referred to as clean and
dirty DMZs
• VPN, Video, etc.
• Avoids hair-pinning
*Best Practice – Use destination NAT with

a block of unused private IPs for outbound
L2L VPN instead of routing individual
remote IPs.
Split Firewalls
• Layer 3 hop between firewalls
• Avoids hair-pinning within a firewall
• Simplifies policy
• May still have an optional trusted
connection
Quick Hardware Snapshot
Portfolio
FPR 2110 FPR 4110 FPR 9300 -SM-24

ASA 5506-X
FPR 2120 FPR 4120 FPR 9300 -SM-36
FPR 2130 FPR 4140 FPR 9300 -SM-44
ASA 5508-X
FPR 2140 FPR 4150
ASA 5516-X
ASA 5585-X SSP60

ASA 5585-X SSP40
EOS Aug 2017 ASA 5555-X
EOS Aug 2017 ASA 5515-X ASA 5545-X ASA 5585-X SSP20
ASA 5505 ASA 5512-X ASA 5525-X ASA 5585-X SSP10
SMB/SOHO Branch Internet Edge Data Center Service Provider
Latest Additions to the 5500 Portfolio
Reference
5506X with Firepower Services
• Max 250 Mbps AVC throughput

• Max 125 Mbps AVC and NGIPS
• 90 Mbps AVC or IPS with 440
byte HTTP
• ASDM 7.3.x or CSM and
Firepower Management Center
• Available in hardened and
wireless configurations
Reference
5508X with FirePOWER Services

byte HTTP
• ASDM 7.3.x or CSM, Firepower
Management Center, On-box,
CDO
Reference
5516X with FirePOWER Services

byte HTTP
• ASDM 7.3.x or CSM, Firepower
Management Center, On-box,
CDO
Over, Through or Around The Wall
Things Change
If you knew you were going to be
compromised, would you do
security differently?
The package
Tracking history
Chicken Pox Virus
Sender Receiver
Reputation? Content
(deep packet inspection) Vaccine
The Threat-Centric Firewall
Proven Cisco ASA firewalling
Industry leading NGIPS and AMP
Cisco ASA with FirePOWER Services
• Integrating defense layers helps organizations

get the best visibility
• Enable dynamic controls
to automatically adapt
• Protect against advanced threats
across the entire attack continuum
Indications of Compromise (IoCs)
IPS Events SI Events Malware Events
Malware Backdoors Connections Malware Detections

Exploit Kits to Known CnC IPs Office/PDF/Java Compromises
Web App Attacks Malware Executions
CnC Connections Dropper Infections
Admin Privilege Escalations
Application Visibility and Control
IPS with Snort
Host Profiles
• What OS?
• What Services?
• What Applications?
• What Vulnerabilities?
Impact Assessment
Administrator
Impact Flag Why
Action
Event corresponds
Act immediately,
1 vulnerable
to vulnerability
mapped to host
Relevant port open

Investigate,
2 potentially vulnerable
or protocol in use,
but no vuln mapped
Good to know, Relevant port not

3 currently not
vulnerable
open or protocol
not in use
Good to know, Monitored network,

4 unknown target but unknown host
Good to know,
0 unknown network
Unmonitored network
Advanced Malware Analysis
Network File Trajectory – Where Has It Been Seen?
SSL Inspection issues? - AMP for Endpoints
Firepower NGFW
Introducing Cisco Firepower NGFW
Fully Integrated Threat Focused Unified Management

• FW / applications / IPS • Networkwide visibility • Across attack continuum
• Cisco® AMP – network / • Industry-best threat • Manage, control, and
endpoint protection investigate
• Analysis and remediation • Known and unknown threats • Automatically prioritize
• Cisco security solutions • Track / contain / recover • Automatically protect
• Application-aware DDoS
Firepower 6.x on ASA – Upgrade vs Re-Image
Choose Firepower Services or Firepower Threat Defense
Firepower Software on ASA Platforms
Firepower
Services 5.4
ASA 9.5.x
Upgrade Re-Image
Firepower Firepower 9300 – ASA or TD

Services 6.0
vs Firepower Firepower 4100 – ASA or TD
Threat Defense
ASA 9.5.x* Firepower 2100 – TD Only
*Firepower Services 6.x compatible ASA Version Required

Firepower 6.x Virtual – Upgrade vs Migrate
Choose NGIPSv + ASAv or Firepower Threat Defense
Firepower
ASAv
NGIPSv 5.4
Upgrade Migrate Upgrade
Firepower
Firepower
Threat Defense ASAv
NGIPSv 6.0
Virtual 6.0
FXOS
Chassis Operating System
FXOS
Chassis Operating System - Continued
FXOS
Chassis Operating System - Continued
Advanced Use Cases
ASA Policy Enforcement with MDM
ASA
3
WLC
Policy on ASA by
Security Group Web
Server
9
7 2
AP Security Group
Query
SXP
5 8 Leverage security groups
to authorize endpoints
based on MDM
compliance.
Create Security
4 1 Groups on ISE
1 Compliant
6
2 Non-Compliant ISE MDM
Compliance check
TrustSec Demo
TrustSec (WLC, ISE, ASA, Firepower)
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Reference
Correlation
Custom Security Intelligence
• Correlate an action(s) with a remediation (in this case, create a custom security
intelligence block list)
• In this example we are looking for blocking events based on geolocation and
dropping the source IP into the custom security intelligence list.
• Monitor the events in Firepower Manager for a match against a rule.
• The remediation runs a perl script on the Firepower Manager, which leverages
the remediation framework to parse event information.
Reference Material
Support Tools
http://www.cisco.com/c/en/us/support/web/tools-catalog.html
Security Threats and Notifications
http://www.cisco.com/security
Current News
Proactive Notifications
www.talosintel.com
SAFE Architecture
www.cisco.com/go/safe
Complete Your Online
Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 gift card.
• Complete your session surveys
through the Cisco Live mobile
app or on www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be

available for viewing on demand after the
event at www.CiscoLive.com/Online.
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Cybersecurity Cisco Education Offerings
Course Description Cisco Certification
Understanding Cisco Cybersecurity The SECFND course provides understanding of CCNA® Cyber Ops
Fundamentals (SFUND) cybersecurity’s basic principles, foundational knowledge, and
core skills needed to build a foundation for understanding
more advanced cybersecurity material & skills.
Implementing Cisco Cybersecurity This course prepares candidates to begin a career within a CCNA® Cyber Ops
Operations (SECOPS) Security Operations Center (SOC), working with
Cybersecurity Analysts at the associate level.
Securing Cisco Networks with Threat Designed for security analysts who work in a Security Cisco Cybersecurity
Detection and Analysis (SCYBER) Operations Center, the course covers essential areas of Specialist
security operations competency, including SIEM, Event
monitoring, security event/alarm/traffic analysis (detection),
and incident response
Cisco Security Product Training Courses Official deep-dive, hands-on product training on Cisco’s
latest security products, including NGFW, ASA, NGIPS,
AMP, Identity Services Engine, Email and Web Security
Appliances, and more.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Cybersecurity Cisco Education Offerings
Course Description Cisco Certification
New! CCIE Security 5.0 CCIE® Security
Implementing Cisco Edge Network Security Configure Cisco perimeter edge security solutions utilizing Cisco CCNP® Security
Solutions (SENSS) Switches, Cisco Routers, and Cisco Adaptive Security Appliance
(ASA) Firewalls
Implementing Cisco Threat Control
Solutions (SITCS) v1.5 Implement Cisco’s Next Generation Firewall (NGFW), FirePOWER
NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware
Protection), as well as Web Security, Email Security and Cloud
Implementing Cisco Secure Access Web Security
Solutions (SISAS)
Deploy Cisco’s Identity Services Engine and 802.1X secure
Implementing Cisco Secure Mobility network access
Solutions (SIMOS)
Protect data traversing a public or shared infrastructure such as the
Internet by implementing and maintaining Cisco VPN solutions
Implementing Cisco Network Security Focuses on the design, implementation, and monitoring of a CCNA® Security
(IINS 3.0) comprehensive security policy, using Cisco IOS security features
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth

Brksec 1020

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Brksec 1020

Загружено:

Авторское право:

Доступные форматы

Cisco Firewall Basics

Mark Cairns, Consulting Systems Engineer

Cisco Spark spaces will be cs.co/clus17/#BRKSEC-1020

BRKSEC-3007 Advanced Cisco IOS Security Tuesday 1:30-3:30

BRKSEC-3300 Advanced IPS Deployment Thursday 8:30-10:00

BRKSEC-3690 Advanced Security Group Tags Monday 1:30-3:30

BRKSEC-2342 Branch Router Security Thursday 10:30-12:00

BRKSEC-2203 Deploying TrustSec Security Group Tagging Tuesday 4:00-5:30

BRKSEC-3455 Dissecting Firepower NGFW "Installation & Troubleshooting" Tuesday 1:30-3:30

BRKSEC-3035 Firepower Platform Deep Dive Wednesday 1:30-3:30

BRKSEC-3032 NGFW Clustering Deep Dive Tuesday 8:00-10:00

Penetration Attempt Data Loss

Zero-day Attacks Data theft and/or

• The genesis of firewalls was initially a

connections to known services and hosts

With over 80 categories and

Geo-based security Allow or block traffic by country

Malware Protection Cisco AMP and Threat Grid

Software and security updates

PCI 3.2 certified cloud

• Best Practice – Consider encryption

policy-map type inspect trusted-to-internet

Firepower Virtual – VMware / KVM

Firepower 2110, 2120, 2130*, 2140*

*10 Gig Interfaces

*Note 2100 models do

Firepower High Performance, Purpose Built

FPR 2130 12x-1G 12x 10G Port

Handles asymmetric traffic associated with VPC/VSS

Agility and Scale and Performance

Your Data Here

FTDv  Dynamic routing includes OSPF, EIGRP, and BGP

• Introduced with ASA release 9.8(1)

• Supported in both AWS and Azure

• Appears in the dashboard

*Best Practice – Use destination NAT with

FPR 2110 FPR 4110 FPR 9300 -SM-24

ASA 5585-X SSP60

SMB/SOHO Branch Internet Edge Data Center Service Provider

• Max 250 Mbps AVC throughput

• Max 450 Mbps AVC throughput

• Max 850 Mbps AVC throughput

Proven Cisco ASA firewalling

Industry leading NGIPS and AMP

Cisco ASA with FirePOWER Services

• Integrating defense layers helps organizations

IPS Events SI Events Malware Events

Malware Backdoors Connections Malware Detections

Relevant port open

Good to know, Relevant port not

Good to know, Monitored network,

Fully Integrated Threat Focused Unified Management

Firepower Firepower 9300 – ASA or TD

*Firepower Services 6.x compatible ASA Version Required

Upgrade Migrate Upgrade

Don’t forget: Cisco Live sessions will be

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Вам также может понравиться

Firepower 2110, 2120, 2130, 2140