0% found this document useful (0 votes)

237 views27 pages

ASA SFR Overview and Design

This document provides an overview of the Cisco ASA with FirePOWER Services next generation firewall. It describes the types of firewall appliances and highlights the key features of the Cisco ASA 5500-X series when used with the FirePOWER security module. These features include application control, identity control, security intelligence, intrusion prevention, URL filtering, advanced malware protection, file blocking, and SSL decryption. The document also discusses licensing, integration between the ASA and FirePOWER modules, and management options.

Uploaded by

zamis ali

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

237 views27 pages

ASA SFR Overview and Design

Uploaded by

zamis ali

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 27

Cisco ASA with FirePOWER Services

Training Series
Overview and Design

www.routehub.net

Michel Thomatis, CCIE #6778

Chief Network Architect and Lead Trainer
Type of Firewall Appliances
• 1st Generation Firewalls filtered based on:
• Network, IP Address (e.g. 10.67.78.0/24, 10.67.78.10)
• Protocol (e.g. IP, TCP, UDP)
• Protocol Port number (e.g. TCP/80 for HTTP)
• Example: Cisco ASA

• Next Generation Firewalls filtered based on:

• 1st Generation Firewall filtering (Network/IP, Protocol, Port)
• URL (e.g. facebook.com, Social Networking)
• User Endpoints (e.g. Web Browser, OS, Mobile)
• Applications (e.g. Facebook, Dropbox, Google Mail)
• Micro-Applications (e.g. Facebook Games)
• Examples: Cisco ASA SFR, Palo Alto Networks
Cisco ASA 5500-X with FirePOWER Services
• Next Generation Firewall (NGFW):
• Cisco ASA 5500-X Series using CX
• Cisco ASA 5500-X Series using SourceFire FirePOWER Services
Cisco ASA 5500-X with FirePOWER Services
• SourceFire FirePOWER security module
• Cisco ASA 5506-X to 5555-X: software-based security module
• Cisco ASA 5585-X: hardware-based security module (SSP)
• Gigabit Ethernet ports:
• No Layer 2 ports
• No PoE ports

• Management port
• Console Port
FirePOWER Security Features
• Application Control
• Identity Control
• Security Intelligence
• Intrusion Detection and Prevention (IPS)
• URL Filtering
• Advanced Malware Protection (AMP)
• File Blocking
• SSL Decryption
Security Features – Application Control
• Filter traffic based on applications (Facebook, Skype, etc)
• Filter traffic based on micro-applications (e.g. Facebook Post, Chat)
• Require SSL Decryption
• Application Filtering not very reliable
Security Features – Identity Control
• Filter traffic based on the user account and group
• Integrated with Active Directory or LDAP
• Identity Control Methods:
• Active Authentication
• Passive Authentication
Security Features – Security Intelligence
• First line of security defense on the ASA FirePOWER appliance
• Provides a blacklist of networks/IPs with bad reputations
Security Features – URL Filtering
• Filter traffic based on web URL
• Block based on:
• Web categories (e.g. Violence, Nudity)
• Reputation
• Business Relevance
Security Features – IPS
• Last line of security defense on the ASA FirePOWER appliance
• Inspecting traffic for specific patterns of data in a traffic flow
Security Features – Malware Protection
• Filter files for malware/virus content
• Uses the Security Intelligence Cloud
• Looks at the files SHA-256 hash value
• Operations:
• Malware Lookup
• Block Malware
Security Features – File Blocking
• Filter traffic with files of certain types (e.g. ZIP, EXE)
• Files being uploaded or downloaded
Security Features – SSL Decryption
• Allows decrypting HTTPS websites for firewall inspection
Security Flow
• Action: Allow (continue for further inspection)

• Action: Trust (no further inspection)

Security Flow
• Action: Block
Licensing
• Protection: IPS, file control, & Security Intelligence
• Control: User and Application control
• URL Filtering: URL filtering
• Malware: AMP
ASA and FirePOWER (SFR) Integration

1. Traffic comes in, checked against a configured ASA firewall policy

2. If the traffic is allowed, send the traffic to the SFR module
3. Traffic is checked against a configured SFR (NGFW) firewall policy
4. If traffic is still allowed, send back out through ASA firewall
Management Options
• Cisco ASDM
• Cisco FirePOWER Management Center (FMC)
• Palo Alto Networks - Panorama
• Fortinet FortiGate - FortiManager

FMC
ASDM
Management Options: FMC
• Cisco ASDM
• Interfaces, VPN, NAT, Routing
• Cisco FirePOWER Management Center (FMC)
• NGFW features: Application Control, IPS, URL filtering, AMP, File Control, etc.
• Robust Reporting of FirePOWER services
Management Options: ASDM
• Cisco ASDM
• NGFW features: Application Control, IPS, URL filtering, AMP, File Control, etc.
• Interfaces, VPN, NAT, Routing
• Basic Reporting of FirePOWER services
Management Options: Comparisons
Cisco ASA Cisco ASA with FirePOWER

• Web Administration: Cisco Adaptive • Web Administration: Cisco Adaptive

Security Device Manager (ASDM) Security Device Manager (ASDM),
• 1st Generation Firewall policies FirePOWER Management Center (FMC)
• Site VPN (IPSec) • Next Generation Firewall policies
• Client VPN (IPSec, SSL) • Application Control
• Network Address Translations (NAT) • Identity Control
• IP Routing (OSPF, EIGRP) • Security Intelligence
• Interfaces and VLAN tags • Intrusion Detection and Prevention (IPS)
• Cisco TrustSec • URL Filtering
• Advanced Malware Protection (AMP)
• File Blocking
• SSL Decryption
Caveats
• Pros:
• Security Intelligence
• Licensing
• Performance

• Cons:
• Instability of features (e.g. SSL Decryption)
• Administration
• Late Feature support (e.g. SSL Decryption)

• SSL Decryption
• Version 5.4.1 and earlier: requires standalone SSL decryption appliance
• Supported on NGFW (e.g. Palo Alto, FortiGate, Cisco ASA using CX)
• Supported natively in Version 6.0 (November 2015) and later

• Version 6.0 instability with some of the security features

Caveats: Instabilities
• Issues with SSL Decryption (not 100% reliable)

• Issues with URL filtering and using custom URL groups

• Issues with Active Authentication

• Issues with the latest User Agent installed on Windows Server

Video Series: Network Design
Video Series: OS 6.0
• Cisco ASA with FirePOWER Services
• Version 6.0
• SSL Decryption

• Considerations:
• Version 6.0 instabilities (SSL Decryption, URL Filtering)
• Recommended to use version 5.4.1 for production deployments
• Caution to use version 6.0 for production deployments
Video Series: Administration
• Administration using ASDM
Video Series: Topics
• Application Control
• Identity Control
• Security Intelligence
• Intrusion Detection and Prevention (IPS)
• URL Filtering
• Advanced Malware Protection (AMP)
• File Blocking
• SSL Decryption

Cisco Firepower 6.x With Firepower Threat Defense
100% (3)
Cisco Firepower 6.x With Firepower Threat Defense
504 pages
Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
From Everand
Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
Redouane MEDDANE
No ratings yet
CCNPSecurityExamCertificationGuide SNCF 300 710 VI
No ratings yet
CCNPSecurityExamCertificationGuide SNCF 300 710 VI
857 pages
Brksec 3455 PDF
No ratings yet
Brksec 3455 PDF
173 pages
Cisco FireSight NRFU
No ratings yet
Cisco FireSight NRFU
16 pages
FPTD FDM Config Guide 660
No ratings yet
FPTD FDM Config Guide 660
798 pages
Cisco Asa With Firepower Services: Superior Multilayered Protection
No ratings yet
Cisco Asa With Firepower Services: Superior Multilayered Protection
19 pages
Install Guide FirePower Module On Cisco ASA v1.1
100% (1)
Install Guide FirePower Module On Cisco ASA v1.1
22 pages
Datanet Asa
No ratings yet
Datanet Asa
40 pages
77 - Cisco ASA 5516 Data Sheet
No ratings yet
77 - Cisco ASA 5516 Data Sheet
15 pages
Cisco Firewall Comparison
No ratings yet
Cisco Firewall Comparison
17 pages
Cisco Next-Generation Security Solutions-1
No ratings yet
Cisco Next-Generation Security Solutions-1
297 pages
Cisco Asa Firepower
No ratings yet
Cisco Asa Firepower
11 pages
Cisco Adds Firepower Capabilities To Asa Firewalls: John Grady
100% (1)
Cisco Adds Firepower Capabilities To Asa Firewalls: John Grady
2 pages
1.Fire-power PPT
No ratings yet
1.Fire-power PPT
79 pages
BRKSEC-2028 Deploying Next Generation Firewall With ASA and Firepower Services PDF
No ratings yet
BRKSEC-2028 Deploying Next Generation Firewall With ASA and Firepower Services PDF
73 pages
PIW-FTD-4k-Technical
No ratings yet
PIW-FTD-4k-Technical
46 pages
Cisco ASA With FirePOWER Services Local Management Configuration Guide, Version 6.0
No ratings yet
Cisco ASA With FirePOWER Services Local Management Configuration Guide, Version 6.0
780 pages
Asa With Firepower Services Local Management Configuration Guide v610
No ratings yet
Asa With Firepower Services Local Management Configuration Guide v610
806 pages
Scor 07
No ratings yet
Scor 07
19 pages
Introduction To FirePOWER & FireSIGHT Policies PDF
No ratings yet
Introduction To FirePOWER & FireSIGHT Policies PDF
20 pages
What Is Cisco ASA Firewall
No ratings yet
What Is Cisco ASA Firewall
42 pages
Brksec 2050
No ratings yet
Brksec 2050
103 pages
Catalog Security
No ratings yet
Catalog Security
51 pages
Brksec 2050
100% (1)
Brksec 2050
146 pages
Slide Ch7
No ratings yet
Slide Ch7
47 pages
Brksec 2050
No ratings yet
Brksec 2050
115 pages
Cisco Firepower Next-Generation Firewall: Performance Highlights
No ratings yet
Cisco Firepower Next-Generation Firewall: Performance Highlights
12 pages
firepower
No ratings yet
firepower
127 pages
FPTD FDM Config Guide 621 PDF
No ratings yet
FPTD FDM Config Guide 621 PDF
346 pages
firepower feature (1)
No ratings yet
firepower feature (1)
22 pages
Cisco ASA DataSheet
No ratings yet
Cisco ASA DataSheet
7 pages
ASA Firepower NGFW Typical Deployment Scenarios
No ratings yet
ASA Firepower NGFW Typical Deployment Scenarios
114 pages
TC - SECVFTD25 - PPT - Securing Enterprise Networks With Cisco Firepower Threat Defense Virtual Appliance v25 - drn1 - 4 PDF
100% (1)
TC - SECVFTD25 - PPT - Securing Enterprise Networks With Cisco Firepower Threat Defense Virtual Appliance v25 - drn1 - 4 PDF
303 pages
asafps-local-mgmt-config-guide-v67
No ratings yet
asafps-local-mgmt-config-guide-v67
526 pages
Ordering Guide - FirePower Services
No ratings yet
Ordering Guide - FirePower Services
24 pages
Cisco Asa 5500 With Firepower Services Datasheet
No ratings yet
Cisco Asa 5500 With Firepower Services Datasheet
22 pages
Firepower Scalable Designs: Tue Frei Nørgaard Consulting Systems Engineer
No ratings yet
Firepower Scalable Designs: Tue Frei Nørgaard Consulting Systems Engineer
42 pages
Brksec 3004
No ratings yet
Brksec 3004
126 pages
FPTD FDM Config Guide 620
No ratings yet
FPTD FDM Config Guide 620
318 pages
FPTD FDM Config Guide
No ratings yet
FPTD FDM Config Guide
276 pages
Asdm 75 Firewall Config
No ratings yet
Asdm 75 Firewall Config
430 pages
Cisco Firepower NGFW Datasheet
No ratings yet
Cisco Firepower NGFW Datasheet
17 pages
CISCO Firepower NXGFW
No ratings yet
CISCO Firepower NXGFW
24 pages
Tecsec 2600
No ratings yet
Tecsec 2600
597 pages
Tecsec 3004
No ratings yet
Tecsec 3004
299 pages
Cisco Asa Competitive Cheat Sheets e PDF
No ratings yet
Cisco Asa Competitive Cheat Sheets e PDF
5 pages
SCOR - sesion 10ff
No ratings yet
SCOR - sesion 10ff
65 pages
Network Security v1.0 - Module 20
No ratings yet
Network Security v1.0 - Module 20
29 pages
Chapter 2 Network Security Devices and Cloud Services
No ratings yet
Chapter 2 Network Security Devices and Cloud Services
36 pages
fptd-fdm-config-guide-670
No ratings yet
fptd-fdm-config-guide-670
836 pages
300 210 Sitcs
No ratings yet
300 210 Sitcs
3 pages
Ccnas CH9
No ratings yet
Ccnas CH9
230 pages
Hillstone E-Series V5.5R8 EN
No ratings yet
Hillstone E-Series V5.5R8 EN
8 pages
Installing The Chassis: Interface Connectivity
No ratings yet
Installing The Chassis: Interface Connectivity
2 pages
Cisco NGFW Datasheet 4
No ratings yet
Cisco NGFW Datasheet 4
10 pages
Isapre Cruz Blanca
No ratings yet
Isapre Cruz Blanca
797 pages
SSL VPN : Understanding, evaluating and planning secure, web-based remote access
From Everand
SSL VPN : Understanding, evaluating and planning secure, web-based remote access
Tim Speed
No ratings yet
IPFire Network Security Reference: Definitive Reference for Developers and Engineers
From Everand
IPFire Network Security Reference: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
(ISC)2 Certified Cloud Security Professional CCSP Realistic Practice Tests
From Everand
(ISC)2 Certified Cloud Security Professional CCSP Realistic Practice Tests
CertSquad Professional Trainers
No ratings yet
Grade 3 Science Quiz
100% (1)
Grade 3 Science Quiz
2 pages
Read This Also-Configuring Cisco Stackwise Virtual
No ratings yet
Read This Also-Configuring Cisco Stackwise Virtual
26 pages
New Text Document
No ratings yet
New Text Document
1 page
Rick's Subnetting Worksheet: Subnet Information
No ratings yet
Rick's Subnetting Worksheet: Subnet Information
4 pages
Vss
No ratings yet
Vss
1 page
Cisco Security Curriculum-Course Outlines
No ratings yet
Cisco Security Curriculum-Course Outlines
92 pages
Pix To ASA
No ratings yet
Pix To ASA
24 pages
Deploying Cisco ASA Firewall Features (Firewall)
No ratings yet
Deploying Cisco ASA Firewall Features (Firewall)
4 pages
Cisco ASA 5520
100% (1)
Cisco ASA 5520
47 pages
2013 Cisco Icons
No ratings yet
2013 Cisco Icons
41 pages
Cisco ASA 8
No ratings yet
Cisco ASA 8
18 pages
Auditing With Nipper
No ratings yet
Auditing With Nipper
11 pages
Password Recovery Procedures
No ratings yet
Password Recovery Procedures
6 pages
To Paste Nov8
No ratings yet
To Paste Nov8
194 pages
Cisco® Foundation Express For Systems Engineers (FOUNDSE)
No ratings yet
Cisco® Foundation Express For Systems Engineers (FOUNDSE)
11 pages
Ossec Docs
No ratings yet
Ossec Docs
196 pages
Clientless SSL VPN Remote Access Set-Up Guide For The Cisco ASA
No ratings yet
Clientless SSL VPN Remote Access Set-Up Guide For The Cisco ASA
10 pages
Intro Asav
No ratings yet
Intro Asav
4 pages
Auto Proxy
No ratings yet
Auto Proxy
56 pages
Hardware Emulated by GNS3
No ratings yet
Hardware Emulated by GNS3
8 pages
Configuring Avaya 9600 Series Phones With Cisco ASA
No ratings yet
Configuring Avaya 9600 Series Phones With Cisco ASA
53 pages
Firewall-Migration-Services-v3.0 (1) 333333333333333333333333333333
No ratings yet
Firewall-Migration-Services-v3.0 (1) 333333333333333333333333333333
3 pages
IVR
No ratings yet
IVR
26 pages
Newest PP Icons
No ratings yet
Newest PP Icons
81 pages
This Lab Deals With A Basic Configuration of The Cisco ASA
No ratings yet
This Lab Deals With A Basic Configuration of The Cisco ASA
15 pages
Cisco SIEM Deployment Guide
No ratings yet
Cisco SIEM Deployment Guide
19 pages
Fortinet FortiGate Versus Cisco ASA 5500 Hot Sheet 022610 R1
100% (1)
Fortinet FortiGate Versus Cisco ASA 5500 Hot Sheet 022610 R1
2 pages
How To - Establish VPN Tunnel Between Cyberoam and CISCO PIX
No ratings yet
How To - Establish VPN Tunnel Between Cyberoam and CISCO PIX
4 pages
AlgoSec Firewall Analyzer Datasheet
No ratings yet
AlgoSec Firewall Analyzer Datasheet
2 pages
Cisco Security Troubleshooting: Part III - Intrusion Prevention Systems
No ratings yet
Cisco Security Troubleshooting: Part III - Intrusion Prevention Systems
14 pages
ASA Data Sheet
No ratings yet
ASA Data Sheet
8 pages
CCIE Security V4 Workbook v2.3 - Lab 1
No ratings yet
CCIE Security V4 Workbook v2.3 - Lab 1
76 pages
Quick HOWTO - Configuring Cisco PIX Firewalls
No ratings yet
Quick HOWTO - Configuring Cisco PIX Firewalls
7 pages

ASA SFR Overview and Design

Uploaded by

ASA SFR Overview and Design

Uploaded by

Cisco ASA with FirePOWER Services

Michel Thomatis, CCIE #6778

• Next Generation Firewalls filtered based on:

• Action: Trust (no further inspection)

1. Traffic comes in, checked against a configured ASA firewall policy

• Web Administration: Cisco Adaptive • Web Administration: Cisco Adaptive

• Version 6.0 instability with some of the security features

• Issues with URL filtering and using custom URL groups

• Issues with Active Authentication

• Issues with the latest User Agent installed on Windows Server

You might also like