This presentation will explain the technology and capabilities behind Cisco’s new context aware firewall: Cisco ASA–CX. We will introduce a new approach to firewall policy creation based on contextual attributes such as: user identity, device type and application usage.
2. Objectives
At the conclusion of this presentation and demonstration, you will be able to:
• Describe the ASA NGFW and PRSM architecture
• Describe the features of the ASA NGFW
Application Visibility and Control (AVC)
Web Security Essentials
• Utilize the policy framework
Policy objects, policies, policy sets
Device and object discovery
4. ASA 5585-X with CX hardware module
Two hard drives, RAID 1 (event data)
10GE and GE ports
Two GE management ports
8 GB eUSB (system)
5. The ASA 5500-X series firewalls
• Models are 5512-X, 5515-X, 5525-X, 5545-X and 5555-X
• 1-4 Gbps throughput
• Integrated services implemented as a software module
o Intrusion prevention system (IPS)
o Context aware next generation firewall (CX)
• Feature parity with the ASA CX on the 5585-X
• Must add an SSD to the ASA 5500-X to install the CX module
6. Cisco Prime Security Manager (PRSM)
• Built-in
Configuration
Eventing
Reporting
• Off-box
Configuration
Eventing
Reporting
Multi-device Manager for ASA CX
Role Based Access Control
Virtual Machine or UCS Appliance
PRSM Virtual Machine supports VMware ESXi
7. PRSM – ASA CX communication
[Diagram: PRSM and ASA CX communicate over HTTPS using RESTful XML (REST = Representational State Transfer) and reliable binary logging; Cisco SIO delivers application identification updates over HTTPS]
8. Packet flow diagram – ASA and CX
• ASA processes all ingress/egress packets
No packets are directly processed by CX except for management
• CX provides Next Generation Firewall Services
[Diagram: packet flow – ASA ingress, CX ingress over the ASA–CX backplane, egress after CX processing. ASA module: 10GE NICs, ports, fabric switch, CPU complex, crypto engine. CX module: 10GE NICs, fabric switch, CPU complex, crypto or regex engine]
11. TLS proxy acts as man-in-the-middle
• Two separate sessions, separate certificates and keys
• ASA CX acts as a CA, and issues a certificate for the web server
[Diagram: client on the corporate network – ASA CX – web server, with one TLS session on each side of the ASA CX]
1. Negotiate algorithms (both sessions)
2. Authenticate server certificate (ASA CX to web server session)
3. Generate proxied server certificate
4. Client authenticates the proxied “server” certificate
5. Generate encryption keys (both sessions)
6. Encrypted data channel established (both sessions)
The certificate is generated dynamically with the destination name but signed by ASA CX.
12. TLS Proxy – Extending NGFW services to TLS traffic
• Decrypts SSL and TLS traffic across any port
• Self-signed (default) certificate or customer certificate and key
Self-signed certificate can be downloaded and added to trusted root certificate store on client
• Decryption policies can determine which traffic to decrypt
CX cannot determine the hostname in the client request to choose a decryption policy because the traffic is encrypted
FQDN and URL Category are determined using the server certificate
• If the decision is made to decrypt, CX acts like man-in-the-middle
A new certificate is created, signed by CX or by the customer CA
Information such as FQDN and validity dates are copied from the original cert
CX ignores name mismatch and expired certificate errors on the server-side session
Because those attributes are carried into the proxied certificate, name mismatch and expired certificate errors must be handled by the client
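The following is an added model of the certificate re-issuance described on slides 11 and 12; it is not Cisco code. Real X.509 signing is replaced by an HMAC under the CA key so the example runs offline, and the CX CA name and all certificate values are constructed. It shows the two points a client administrator cares about: without the CX root in the trusted store every proxied site fails with an unknown issuer, and with it the site is accepted, except that an expired or mis-named origin certificate still produces the same error at the client because the CX copies those fields rather than fixing them.

```python
"""Model of the ASA CX TLS proxy certificate re-issuance (added example, not Cisco code)."""
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac


@dataclass(frozen=True)
class Cert:
    subject: str       # FQDN in the subject, e.g. "www.example.com"
    issuer: str        # name of the CA that signed it
    not_before: date
    not_after: date
    signature: str     # hex digest standing in for a real signature (model only)


def _tbs(subject: str, issuer: str, not_before: date, not_after: date) -> bytes:
    """The 'to-be-signed' fields, serialised deterministically."""
    return f"{subject}|{issuer}|{not_before.isoformat()}|{not_after.isoformat()}".encode()


def issue(issuer: str, issuer_key: bytes, subject: str, not_before: date, not_after: date) -> Cert:
    """Issue a certificate. An HMAC under the CA key stands in for an RSA/ECDSA signature."""
    sig = hmac.new(issuer_key, _tbs(subject, issuer, not_before, not_after), hashlib.sha256).hexdigest()
    return Cert(subject, issuer, not_before, not_after, sig)


def verify(cert: Cert, trusted_cas: dict, hostname: str, today: date) -> list:
    """Client-side checks: issuer trusted, signature valid, name matches, within validity.
    Returns the list of errors; an empty list means the client accepts the certificate."""
    errors = []
    key = trusted_cas.get(cert.issuer)
    if key is None:
        errors.append("unknown issuer")
    else:
        expected = hmac.new(key, _tbs(cert.subject, cert.issuer, cert.not_before, cert.not_after),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert.signature):
            errors.append("bad signature")
    if cert.subject.lower() != hostname.lower():
        errors.append("name mismatch")
    if not (cert.not_before <= today <= cert.not_after):
        errors.append("expired")
    return errors


# Constructed CA material. The CX CA name is an assumption, not taken from the slides.
PUBLIC_CA, PUBLIC_CA_KEY = "Public CA", b"public-ca-key"
CX_CA, CX_CA_KEY = "ASA CX signing CA", b"cx-ca-key"


def proxy_reissue(original: Cert) -> Cert:
    """What the slide describes: the CX copies FQDN and validity dates from the origin
    certificate and signs a new one with its own CA. It does not reject the origin cert
    for a name mismatch or expiry, so those properties are carried over to the client."""
    return issue(CX_CA, CX_CA_KEY, original.subject, original.not_before, original.not_after)


def client_view(origin: Cert, hostname: str, today: date, trusts_cx_root: bool) -> list:
    """Errors the browser reports on the proxied certificate for a connection to hostname."""
    store = {PUBLIC_CA: PUBLIC_CA_KEY}
    if trusts_cx_root:
        store[CX_CA] = CX_CA_KEY   # the downloaded CX certificate added to the trusted root store
    return verify(proxy_reissue(origin), store, hostname, today)


def demo() -> dict:
    """Four scenarios on one 'today'; returns the client-side error lists."""
    today = date(2013, 6, 1)
    valid = issue(PUBLIC_CA, PUBLIC_CA_KEY, "www.example.com", date(2013, 1, 1), date(2014, 1, 1))
    expired = issue(PUBLIC_CA, PUBLIC_CA_KEY, "www.example.com", date(2011, 1, 1), date(2012, 1, 1))
    return {
        "trusted root": client_view(valid, "www.example.com", today, True),
        "root not installed": client_view(valid, "www.example.com", today, False),
        "origin expired": client_view(expired, "www.example.com", today, True),
        "origin name mismatch": client_view(valid, "mail.example.com", today, True),
    }


if __name__ == "__main__":
    for case, errors in demo().items():
        print(f"{case}: {errors or 'accepted'}")
```

The "root not installed" case is the reason slide 12 mentions downloading the self-signed certificate into the client's trusted root store; the "origin expired" and "origin name mismatch" cases are the reason the errors on slide 12 remain the client's to handle.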
13. Licensed feature – Application Visibility and Control
[Diagram: functions split between the ASA and the CX module]
ASA: IP fragmentation, IP option inspection, TCP intercept, TCP normalization, ACL, NAT, VPN termination, routing, botnet filtering
CX: TCP proxy, TLS proxy, AVC, multiple policy decision points, HTTP inspection, URL category/reputation
14. Application Visibility and Control
• Supported Applications 1000+
• Supported Micro-Applications 150,000+
• Powered by the Cisco Security Intelligence Operation (SIO)
Utilizes Application Signatures
By default, PRSM and CX check for updates every 5 minutes
15. Broad AVC vs. Web AVC
• Broad AVC
Broad protocol support
Resides in data plane
Less granular control
Supports:
Application types – for example, email
Applications – for example, Simple Mail Transfer Protocol
• Web AVC
HTTP and decrypted HTTPS only
More granular control
Supports:
Application types – for example, Instant Messaging
Applications – for example, Yahoo Messenger
Application behavior – for example, File Transfer
20. Web Security Essentials – Reputation
Default web reputation profile: scores range from -10 to +10
[Diagram: site descriptions along the scale, from most negative to most positive]
Suspicious (-10 through -6):
Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
Not suspicious (-5.9 through +10):
Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
Sites with some history of responsible behavior or 3rd-party validation.
Well managed, responsible content syndication networks and user generated content.
Sites with a long history of responsible behavior. Have significant volume and are widely accessed.
21. Web Security Essentials – URL filtering
• Used to enforce acceptable use
• Predefined and custom URL categories
• 78 predefined URL categories
• 20,000,000+ URLs categorized
• 60+ languages
• Powered by the Cisco Security Intelligence Operation (SIO)
Utilizes Application Signatures
By default, PRSM and CX check for updates every 5 minutes
22. Active authentication
• Requires HTTP request to initiate authentication
1. ASA CX sees HTTP request from a client to a remote website
2. ASA CX redirects the client to the ASA inside interface (port 885 by default)
Redirect is accomplished by sending a proxy redirect to the client (HTTP return code 307) spoofing the remote website
3. Sends client authentication request (HTTP return code 401)
4. After authentication, the ASA CX redirects the client back to the remote website (HTTP return code 307)
• After authentication, ASA CX uses IP address to track user
Both HTTP and non-HTTP traffic will now be associated with the user
• Integrates with enterprise infrastructure
• Supported directories include
Microsoft Active Directory
OpenLDAP
IBM Tivoli Directory Server
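The four-step exchange above, as an added model that is not Cisco code. The ASA inside address, the portal path, the `url` query parameter carrying the original destination, and the credential store are all assumptions made so the example runs offline; the status codes (307, 401, 307) and the port 885 default are from the slide. The model also shows the IP-based tracking that follows authentication: a later request from the same address, HTTP or otherwise, resolves to the user without another redirect.

```python
"""Model of ASA CX active authentication: the 307/401/307 exchange and IP-based user tracking.
Added example, not Cisco code; addresses, redirect path and query parameter are assumed."""
from urllib.parse import parse_qs, quote, urlparse

ASA_INSIDE = "10.0.0.1"          # assumed ASA inside interface address
AUTH_PORT = 885                  # default redirect port from the slides
DIRECTORY = {"fred": "s3cret"}   # constructed stand-in for the directory (AD/LDAP) lookup


class ActiveAuth:
    def __init__(self):
        self.ip_to_user = {}     # after authentication the user is tracked by client IP

    def user_for(self, client_ip):
        """Identity lookup for any flow, HTTP or not, once the IP has authenticated."""
        return self.ip_to_user.get(client_ip)

    def handle_http(self, client_ip, url, credentials=None):
        """Return (status, headers) for one client request.

        1. A request to a remote site from an unauthenticated IP is answered with a
           307 to the ASA inside interface on port 885, carrying the original URL.
        2. The portal answers the redirected request with 401 to request credentials.
        3. Valid credentials map the IP to the user and a 307 sends the client back.
        4. Later requests from that IP pass without another redirect."""
        parsed = urlparse(url)
        if parsed.hostname == ASA_INSIDE and parsed.port == AUTH_PORT:
            original = parse_qs(parsed.query).get("url", [""])[0]   # assumed parameter name
            if credentials and DIRECTORY.get(credentials[0]) == credentials[1]:
                self.ip_to_user[client_ip] = credentials[0]
                return 307, {"Location": original}
            return 401, {"WWW-Authenticate": 'Basic realm="ASA CX"'}
        if client_ip in self.ip_to_user:
            return 200, {}       # stand-in for "handed to the access policy as this user"
        portal = f"http://{ASA_INSIDE}:{AUTH_PORT}/?url={quote(url, safe='')}"
        return 307, {"Location": portal}


def walk_through(client_ip="192.0.2.10", site="http://www.example.com/news"):
    """Run the full exchange for one client and return each step's result."""
    cx = ActiveAuth()
    steps = []
    status, hdrs = cx.handle_http(client_ip, site)                     # step 1: 307 to portal
    steps.append(status)
    portal = hdrs["Location"]
    status, _ = cx.handle_http(client_ip, portal)                       # step 2: 401
    steps.append(status)
    status, _ = cx.handle_http(client_ip, portal, ("fred", "wrong"))    # bad password: 401
    steps.append(status)
    status, hdrs = cx.handle_http(client_ip, portal, ("fred", "s3cret"))  # step 3: 307 back
    steps.append(status)
    steps.append(hdrs["Location"] == site)                              # returned to the site
    status, _ = cx.handle_http(client_ip, "http://other.example.net/")  # step 4: no redirect
    steps.append(status)
    steps.append(cx.user_for(client_ip))                                # same map for non-HTTP
    return steps


if __name__ == "__main__":
    print(walk_through())
```

Because the mapping is keyed by source address, anything that lets several users share one IP (NAT between client and ASA, a shared terminal server) attributes all their traffic to whoever authenticated first; that is the trade-off behind the "uses IP address to track user" bullet.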
23. Passive authentication
• Endpoint must be domain member
• Supported for all traffic and all clients
• Utilizes an agent
Agent gathers information from Active Directory server
Agent caches information
ASA CX/PRSM queries agent for user information
ASA CX/PRSM queries Active Directory server for group membership information
• Two agents available
Cisco Active Directory Agent (AD agent) – older agent
Windows application
Context Directory Agent (CDA) – newer agent
Stand-alone, Linux-based server – can be run as a VM
Intuitive web-based GUI and Cisco IOS-style CLI
27. Policies and policy sets
• Policies apply actions to subsets of network traffic
• Two main components
Policy match – a set of criteria used to match traffic to the policies
Action – the action to be taken if the policy is matched
• Three types of policies
Access
Identity
Decryption
• A policy set is an ordered collection of policies of a particular type
For any ASA CX at most one policy set of each type is in use
Policies are assigned using top-down policy matching – order matters!
At most one policy is matched for each policy set
If no defined policy match is achieved, implicit policy is enforced
• The implicit policy at the end of each policy set type is as follows
Access policy sets end with implicit allow all
Decryption policy sets end with implicit do not decrypt
Identity policy sets end with implicit do not require authentication
28. Policy sets
• Identity – how will users be identified?
• Decryption – what TLS/SSL traffic should be decrypted?
• Access – what traffic will be allowed or denied?
29. Policy objects
• Used to create policies
Policy objects classify traffic
Are used to decide which policy to match
• Predefined and user defined
• May be nested
• Many types
30. URL objects
• Used to identify traffic based on URL or URL category
• Can only be used as a destination in a policy
• HTTP or HTTPS only
For HTTPS, a URL object uses information in the subject of the certificate
Do not specify the protocol. URL objects will match both HTTP and HTTPS
• Contains
URLs
Enter a domain to match any URL in the domain
Supports limited string matching
URL categories
Other URL objects
• Contain include and exclude lists
31. Application objects
• Used to identify what application the client is attempting to use
• Utilizes the Application Visibility and Control (AVC) functionality of the ASA CX
• Contains
Applications (recognized by the ASA CX)
Examples: Facebook photos, webmail, Yahoo IM
Application types
Examples: Facebook, e-mail, IM
Other Application objects
32. UserAgent objects
• User-agent string
Part of the HTTP request header
Identifies the client OS and agent
Examples: Safari running on an iPad; Windows Update agent
• User agent object
Can only be used for HTTP traffic
Can only be used as a source in a policy
Predefined user agent objects are sufficient for most uses
Contains
User agent string – an asterisk (*) can be used to match zero or more characters
Other user agent objects
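The matching rules for URL objects (slide 30) and UserAgent objects (slide 32), as an added example that is not Cisco code. URL categories are left out because the category database is not on these slides. Two details are assumptions made for the example: a domain entry also matches its subdomains, and an exclude entry wins over an include entry. Objects are nested the way the slides describe (an object may contain other objects), and the scheme is ignored so one object covers both HTTP and HTTPS.

```python
"""Matching logic for URL objects and UserAgent objects as the slides describe them.
Added example, not Cisco code; subdomain rule and exclude-wins precedence are assumptions."""
import re
from urllib.parse import urlparse


def host_of(url: str) -> str:
    """Hostname of a URL with or without a scheme; the scheme is ignored so that one object
    matches both HTTP and HTTPS (for HTTPS the CX takes the name from the certificate subject)."""
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower()


def in_domain(url: str, domain: str) -> bool:
    """A domain entry matches every URL in that domain (assumed to include subdomains)."""
    host, domain = host_of(url), domain.lower().rstrip("/")
    return host == domain or host.endswith("." + domain)


def url_object_matches(url: str, obj: dict) -> bool:
    """A URL object has an include list and an exclude list; each entry is a domain string
    or another URL object (objects may be nested). Assumed precedence: exclude wins."""
    def any_match(entries):
        return any(url_object_matches(url, e) if isinstance(e, dict) else in_domain(url, e)
                   for e in entries)
    return any_match(obj.get("include", ())) and not any_match(obj.get("exclude", ()))


def user_agent_matches(pattern: str, user_agent: str) -> bool:
    """User-agent patterns where '*' matches zero or more characters; nothing else is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, user_agent, flags=re.DOTALL) is not None


# Constructed objects
SOCIAL = {"include": ["facebook.com", "twitter.com"]}
PARTNERS_ONLY = {"include": ["example.com"], "exclude": ["mail.example.com"]}
BLOCKED_WEB = {"include": [SOCIAL, PARTNERS_ONLY]}      # a URL object nesting two others
IPAD_SAFARI = "Mozilla/5.0 (iPad*Safari*"
WINDOWS_UPDATE = "Windows-Update-Agent*"

# Constructed user-agent strings
UA_IPAD = ("Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 "
           "Version/6.0 Mobile/10A403 Safari/8536.25")
UA_WU = "Windows-Update-Agent/7.6 Client-Protocol/1.4"

if __name__ == "__main__":
    for url in ["https://www.facebook.com/photos", "http://example.com/", "https://mail.example.com/"]:
        print(url, url_object_matches(url, BLOCKED_WEB))
    print(user_agent_matches(IPAD_SAFARI, UA_IPAD), user_agent_matches(WINDOWS_UPDATE, UA_IPAD))
```

Note that `in_domain` compares whole labels, so an entry for `facebook.com` does not match `notfacebook.com`; a naive substring test would.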
34. Secure Mobility objects
• Used to create policies specific to AnyConnect VPN traffic
• Can only be used as a source in a policy
• One exists by default: All remote users
• Others can be created to match specific device types
• Can contain
Device types
Other Secure Mobility objects
35. Complex objects
• Allow for more complicated traffic matching
• Contain collections of entries, or rows
Elements of each entry are ANDed together
Entries are then ORed together
• Application-Service objects
Match combinations of applications and services
• Destination object groups
Match combinations of URL objects and Network objects
• Source object groups
Match combinations of:
Network objects
Identity objects
User Agent objects
Secure Mobility objects
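The evaluation rules from slide 27 (ordered policy sets, first match wins, one implicit policy per set type) together with the complex-object semantics from slide 35 (elements of an entry ANDed, entries ORed), as an added example that is not Cisco code. The flow attributes, the sample policies and the object contents are constructed; the three implicit actions are the ones the slides state. The demo also reverses the access policy set to show why order matters.

```python
"""Model of ASA CX policy evaluation: ordered policy sets with first-match semantics and
implicit defaults, plus complex objects (elements of an entry ANDed, entries ORed).
Added example, not Cisco code; flow attributes and sample policies are constructed."""

# Implicit policy at the end of each policy set (from the slides)
IMPLICIT = {
    "access": "allow",
    "decryption": "do not decrypt",
    "identity": "do not require authentication",
}


def complex_object_matches(obj, flow):
    """obj is a list of entries (rows); each entry maps an attribute to the set of values it
    accepts. All elements of one entry must match (AND); any entry matching is enough (OR).
    An empty object matches nothing."""
    return any(all(flow.get(attr) in values for attr, values in entry.items())
               for entry in obj)


def evaluate(policy_set, kind, flow):
    """Top-down matching: the first policy whose match object fits the flow decides; at most
    one policy matches per set and the implicit policy applies when none does."""
    for policy in policy_set:
        if complex_object_matches(policy["match"], flow):
            return policy["name"], policy["action"]
    return "implicit", IMPLICIT[kind]


def decide(policy_sets, flow):
    """One policy set of each type is in use on a CX; return each set's decision."""
    return {kind: evaluate(policy_sets[kind], kind, flow) for kind in IMPLICIT}


# Constructed policy sets. The access set's first policy is a source group with two entries:
# marketing users, OR anyone on an iPad, each combined (AND) with a social application.
POLICY_SETS = {
    "identity": [
        {"name": "auth-web-users", "match": [{"protocol": {"http", "https"}}],
         "action": "require authentication"},
    ],
    "decryption": [
        {"name": "skip-banking", "match": [{"url_category": {"finance"}}],
         "action": "do not decrypt"},
        {"name": "decrypt-web", "match": [{"protocol": {"https"}}], "action": "decrypt"},
    ],
    "access": [
        {"name": "marketing-social",
         "match": [{"user_group": {"marketing"}, "application": {"facebook", "twitter"}},
                   {"user_agent": {"ipad-safari"}, "application": {"facebook", "twitter"}}],
         "action": "allow"},
        {"name": "block-social", "match": [{"application": {"facebook", "twitter"}}],
         "action": "deny"},
    ],
}


def demo():
    """Three flows through the sets above, plus the access set in reverse order."""
    marketing = {"protocol": "https", "user_group": "marketing", "application": "facebook",
                 "url_category": "social", "user_agent": "windows-chrome"}
    engineer = dict(marketing, user_group="engineering")
    banking = {"protocol": "https", "user_group": "engineering", "application": "web browsing",
               "url_category": "finance", "user_agent": "windows-chrome"}
    reversed_access = list(reversed(POLICY_SETS["access"]))
    return {
        "marketing": decide(POLICY_SETS, marketing),
        "engineer": decide(POLICY_SETS, engineer),
        "banking": decide(POLICY_SETS, banking),
        "marketing-reversed": evaluate(reversed_access, "access", marketing),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The banking flow reaches the implicit "allow" because nothing in the access set matches it, which is the reason slide 27 stresses that access policy sets end with an implicit allow all: a deny-by-default posture needs an explicit final deny policy.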
36. Profiles
• File filtering profile
HTTP and decrypted HTTPS traffic only
Blocks the download of specific MIME types
Blocks the upload of specific MIME types
• Web reputation profile
HTTP and decrypted HTTPS traffic only
Web reputation scores are provided for websites by the Cisco Security Intelligence Operations
Web reputation scores vary from -10 to 10
The default profile considers websites with a reputation score from -10 through -6 suspicious (the default profile cannot be edited or deleted)
Websites without reputation scores are not considered suspicious
The action taken for a suspicious website depends on the policy type
For example, access policies can block websites of low reputation
38. Device discovery and import (multi-device mode only)
• First you must enter the IP address (or hostname) of the ASA, along with privileged credentials
• The CX module will be discovered through the ASA. You must enter the admin password to complete the import.
• When a device is imported, it is placed into a device group
• Device groups are assigned policy sets. Therefore, policies are consistent within a device group
• When the device is imported, you must resolve any policy set naming conflict
41. ASA object discovery (multi-device mode only)
• Network and service objects and groups are imported from the ASA during device import
• Added to the PRSM policy database and available for policy configuration
Modifications made to objects on PRSM are not pushed to the ASA
Modifications made to objects on the ASA are not pushed to PRSM
• Automatically renamed if there are naming conflicts
_<PRSM name for the ASA> is appended to the name of the imported object
43. The Event viewer
• Gives visibility into events generated by the CX module
• Tabs
System events
All events
Authentication
ASA (only used if PRSM is a SYSLOG server for ASAs)
Encrypted Traffic View
Context Aware Security – shows next generation functionality
46. Two Modes
• Real time eventing – user defined refresh interval
• Historic eventing – user defined time range
47. Event viewer filters
• Used to reduce the number of events that are displayed
• Filters are a list of attribute-value pairs
Attribute value pairs with the same attribute are ORed together
The expressions for each attribute are then ANDed together
Example: Username=Fred Username=Gail Application=Twitter
means (Username=Fred OR Username=Gail) AND Application=Twitter
Most attributes support the operations = and !=. Some also support > and <
• Two ways to add to filter
Clicking a cell in the event viewer adds that attribute-value pair to the filter
Select attribute (with operation <,=,>) from the Filter drop-down list and then select the value
If you want the operator to be inequality, you must manually change = to !=
• Filters may be saved and recalled
Saved filters are added to right-hand side of the Filter drop-down list
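The filter semantics on slide 47, implemented as an added example over a handful of constructed events (not Cisco code and not the CX event schema). Terms with the same attribute are ORed, the per-attribute groups are ANDed, and `=`/`!=` compare as strings while `>`/`<` compare numerically, which matches the slide's note that only some attributes support the ordering operators. The slide's own `Username=Fred Username=Gail Application=Twitter` example is the first case.

```python
"""Event viewer filter semantics from the slide: same-attribute terms ORed, attribute groups
ANDed; operators =, != and (for numeric attributes) >, <. Added example, not Cisco code."""
import operator
import re

OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt}
TERM = re.compile(r"^(\w+)(!=|=|>|<)(\S+)$")


def parse_filter(text):
    """'Username=Fred Username=Gail Application=Twitter' -> [(attr, op, value), ...]"""
    terms = []
    for token in text.split():
        m = TERM.match(token)
        if not m:
            raise ValueError(f"bad filter term: {token!r}")
        terms.append(m.groups())
    return terms


def compare(actual, op, value):
    """One attribute-value test against an event field; missing fields never match."""
    if actual is None:
        return False
    if op in (">", "<"):
        try:
            return OPS[op](float(actual), float(value))
        except ValueError:            # attribute is not numeric: ordering is unsupported
            return False
    return OPS[op](str(actual), value)


def event_matches(event, terms):
    """Group terms by attribute: OR inside a group, AND across groups."""
    groups = {}
    for attr, op, value in terms:
        groups.setdefault(attr, []).append((op, value))
    return all(any(compare(event.get(attr), op, v) for op, v in tests)
               for attr, tests in groups.items())


# Constructed sample events (a real CX event carries many more fields)
EVENTS = [
    {"id": 1, "Username": "Fred", "Application": "Twitter", "Bytes": 2400, "Action": "Allow"},
    {"id": 2, "Username": "Gail", "Application": "Twitter", "Bytes": 800, "Action": "Allow"},
    {"id": 3, "Username": "Fred", "Application": "Facebook", "Bytes": 5100, "Action": "Deny"},
    {"id": 4, "Username": "Bob", "Application": "Twitter", "Bytes": 1200, "Action": "Deny"},
    {"id": 5, "Username": "Gail", "Application": "Webmail", "Bytes": 300, "Action": "Allow"},
]


def filter_events(text, events=EVENTS):
    """Return the ids of the events that pass the filter text."""
    terms = parse_filter(text)
    return [e["id"] for e in events if event_matches(e, terms)]


if __name__ == "__main__":
    print(filter_events("Username=Fred Username=Gail Application=Twitter"))
    print(filter_events("Bytes>1000 Action=Deny"))
```

One consequence of the OR-within-attribute rule worth knowing before saving a filter: `Username!=Fred Username!=Gail` matches every event, because each event differs from at least one of the two names; excluding both users needs a different construction than adding two `!=` terms.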
64. Complete your paper “Session Evaluation”
Give us your feedback and you could win 1 of 2 fabulous prizes in a random draw.
Complete and return your paper evaluation form to the room attendant as you leave this session.
Winners will be announced today. You must be present to win!