Cisco ASA with FirePOWER Services

Training Series
Overview and Design

www.routehub.net

Michel Thomatis, CCIE #6778

Chief Network Architect and Lead Trainer
Type of Firewall Appliances
• 1st Generation Firewalls filtered based on:
• Network, IP Address (e.g. 10.67.78.0/24, 10.67.78.10)
• Protocol (e.g. IP, TCP, UDP)
• Protocol Port number (e.g. TCP/80 for HTTP)
• Example: Cisco ASA

• Next Generation Firewalls filtered based on:

• 1st Generation Firewall filtering (Network/IP, Protocol, Port)
• URL (e.g. facebook.com, Social Networking)
• User Endpoints (e.g. Web Browser, OS, Mobile)
• Applications (e.g. Facebook, Dropbox, Google Mail)
• Micro-Applications (e.g. Facebook Games)
• Examples: Cisco ASA SFR, Palo Alto Networks
Cisco ASA 5500-X with FirePOWER Services
• Next Generation Firewall (NGFW):
• Cisco ASA 5500-X Series using CX
• Cisco ASA 5500-X Series using SourceFire FirePOWER Services
Cisco ASA 5500-X with FirePOWER Services
• SourceFire FirePOWER security module
• Cisco ASA 5506-X to 5555-X: software-based security module
• Cisco ASA 5585-X: hardware-based security module (SSP)
• Gigabit Ethernet ports:
• No Layer 2 ports
• No PoE ports

• Management port
• Console Port
FirePOWER Security Features
• Application Control
• Identity Control
• Security Intelligence
• Intrusion Detection and Prevention (IPS)
• URL Filtering
• Advanced Malware Protection (AMP)
• File Blocking
• SSL Decryption
Security Features – Application Control
• Filter traffic based on applications (Facebook, Skype, etc)
• Filter traffic based on micro-applications (e.g. Facebook Post, Chat)
• Require SSL Decryption
• Application Filtering not very reliable
Security Features – Identity Control
• Filter traffic based on the user account and group
• Integrated with Active Directory or LDAP
• Identity Control Methods:
• Active Authentication
• Passive Authentication
Security Features – Security Intelligence
• First line of security defense on the ASA FirePOWER appliance
• Provides a blacklist of networks/IPs with bad reputations
Security Features – URL Filtering
• Filter traffic based on web URL
• Block based on:
• Web categories (e.g. Violence, Nudity)
• Reputation
• Business Relevance
Security Features – IPS
• Last line of security defense on the ASA FirePOWER appliance
• Inspecting traffic for specific patterns of data in a traffic flow
Security Features – Malware Protection
• Filter files for malware/virus content
• Uses the Security Intelligence Cloud
• Looks at the files SHA-256 hash value
• Operations:
• Malware Lookup
• Block Malware
Security Features – File Blocking
• Filter traffic with files of certain types (e.g. ZIP, EXE)
• Files being uploaded or downloaded
Security Features – SSL Decryption
• Allows decrypting HTTPS websites for firewall inspection
Security Flow
• Action: Allow (continue for further inspection)

• Action: Trust (no further inspection)

Security Flow
• Action: Block
Licensing
• Protection: IPS, file control, & Security Intelligence
• Control: User and Application control
• URL Filtering: URL filtering
• Malware: AMP
ASA and FirePOWER (SFR) Integration

1. Traffic comes in, checked against a configured ASA firewall policy

2. If the traffic is allowed, send the traffic to the SFR module
3. Traffic is checked against a configured SFR (NGFW) firewall policy
4. If traffic is still allowed, send back out through ASA firewall
Management Options
• Cisco ASDM
• Cisco FirePOWER Management Center (FMC)
• Palo Alto Networks - Panorama
• Fortinet FortiGate - FortiManager

FMC
ASDM
Management Options: FMC
• Cisco ASDM
• Interfaces, VPN, NAT, Routing
• Cisco FirePOWER Management Center (FMC)
• NGFW features: Application Control, IPS, URL filtering, AMP, File Control, etc.
• Robust Reporting of FirePOWER services
Management Options: ASDM
• Cisco ASDM
• NGFW features: Application Control, IPS, URL filtering, AMP, File Control, etc.
• Interfaces, VPN, NAT, Routing
• Basic Reporting of FirePOWER services
Management Options: Comparisons
Cisco ASA
• Web Administration: Cisco Adaptive
Security Device Manager (ASDM)
• 1st Generation Firewall policies
• Site VPN (IPSec)
• Client VPN (IPSec, SSL)
• Network Address Translations (NAT)
• IP Routing (OSPF, EIGRP)
• Interfaces and VLAN tags
• Cisco TrustSec
Cisco ASA with FirePOWER
• Web Administration: Cisco Adaptive
Security Device Manager (ASDM),
FirePOWER Management Center (FMC)
• Next Generation Firewall policies
• Application Control
• Identity Control
• Security Intelligence
• Intrusion Detection and Prevention (IPS)
• URL Filtering
• Advanced Malware Protection (AMP)
• File Blocking
• SSL Decryption
Caveats
• Pros:
• Security Intelligence
• Licensing
• Performance

• Cons:
• Instability of features (e.g. SSL Decryption)
• Administration
• Late Feature support (e.g. SSL Decryption)

• SSL Decryption
• Version 5.4.1 and earlier: requires standalone SSL decryption appliance
• Supported on NGFW (e.g. Palo Alto, FortiGate, Cisco ASA using CX)
• Supported natively in Version 6.0 (November 2015) and later

• Version 6.0 instability with some of the security features

Caveats: Instabilities
• Issues with SSL Decryption (not 100% reliable)

• Issues with URL filtering and using custom URL groups

• Issues with Active Authentication

• Issues with the latest User Agent installed on Windows Server

Video Series: Network Design
Video Series: OS 6.0
• Cisco ASA with FirePOWER Services
• Version 6.0
• SSL Decryption

• Considerations:
• Version 6.0 instabilities (SSL Decryption, URL Filtering)
• Recommended to use version 5.4.1 for production deployments
• Caution to use version 6.0 for production deployments
Video Series: Administration
• Administration using ASDM
Video Series: Topics
• Application Control
• Identity Control
• Security Intelligence
• Intrusion Detection and Prevention (IPS)
• URL Filtering
• Advanced Malware Protection (AMP)
• File Blocking
• SSL Decryption