© 2018 Cisco Systems, Inc. All Rights Reserved
NGFW Policies: Efficiently Building Zero-Trust

[Figure: policy evaluation stages, top to bottom: Layer 2-4 Fast Path; IP Security Blocking; Leaf Domain; Layer 3 – 7, Security Group Tag, and Identity Matching; Threat Inspection; Final Action And Blocking (Block, IPS, Network Discovery)]

• Like traditional firewall policies, rules run from top to bottom
• Some functions (fast path, IPSec, SSL, and traffic normalization) run before traffic is matched against an Access Control Rule
• Good to always be reducing the potential number of rules that any traffic pattern can hit.
  • Example: SSH matches more than tcp/22
  • Caveat: matches without port info means some packets will potentially pass until the app is detected.
• Each matched ACL has its own threat monitoring conditions (IPS, Malware, IPS Variables)
• The model can apply to policy “blocks” and/or leaf-domains.

Packets and Policies: Know What’s Happening Where

[Figure: packet path through the two engines, as labelled on the slide]
• Prefilter Policy (ASA/Lina): RX → Ingress Interface → Existing Conn → Pre-Filter ACL → NAT → Egress Interface → L3/L4 Checks → ALG → L3, L2 Hops → TX; VPN Decrypt / VPN Config / VPN Encrypt and QoS sit on this path. A Fastpathed (Y/N) decision determines whether the packet skips inspection or is handed to Firepower through the DAQ.
• Firepower (ACP Rule Chain): Discovery, SI (IP, DNS, URL), SSL, NAP Pre-proc, DNS, App ID / Pasv ID, Host, L7 ACL, File/AMP, IPS.
• Policies along the chain: SSL Policy, Network Analysis Policy (NAP), DNS Policy, Identity Policy, Intrusion Policy, Network Discovery Policy, Access Control Policy, Malware & File Policy, Intrusion Policy; $VAR Objects. Legend: Element Enabled in AC Policy.

Knowing your detection process impacts:
• How you analyze the data
• How you tune your security appliance
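The evaluation order on the two slides above (prefilter fast path first, then access-control rules top to bottom, first match wins) and the caveat that an app-only rule cannot match until the app is detected, as an added simulation that is not part of the original deck and does not model the real Lina/Snort code. Rule names, port numbers, and the "app detected after N packets" threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    dst_port: int
    app: Optional[str]   # app as seen by app detection; None until identified

@dataclass
class Rule:
    name: str
    action: str                  # "allow", "block" or "fastpath" (prefilter only)
    port: Optional[int] = None   # L4 port condition, None = any port
    app: Optional[str] = None    # application condition, None = any app

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.port is not None and rule.port != pkt.dst_port:
        return False
    # An app condition can only match once detection has labelled the flow.
    if rule.app is not None and rule.app != pkt.app:
        return False
    return True

def evaluate(prefilter: list, acp: list, pkt: Packet, default: str = "block") -> tuple:
    """Verdict for one packet: prefilter rules run before the ACP, top to bottom."""
    for rule in prefilter + acp:
        if matches(rule, pkt):
            return rule.name, rule.action
    return "default", default

def ssh_flow(port: int, detect_after: int, n: int = 5) -> list:
    """Constructed SSH flow on `port`; app detection labels it 'SSH' from packet detect_after."""
    return [Packet(port, "SSH" if i >= detect_after else None) for i in range(n)]

def leaked(prefilter: list, acp: list, flow: list) -> int:
    """Number of packets that get through before the first block verdict."""
    verdicts = [evaluate(prefilter, acp, p)[1] for p in flow]
    return verdicts.index("block") if "block" in verdicts else len(verdicts)

# Constructed policies: fastpath a backup port, block SSH by app, allow the rest.
PREFILTER = [Rule("fastpath-backup", "fastpath", port=10000)]
ACP = [Rule("block-ssh-app", "block", app="SSH"),
       Rule("allow-to-server", "allow")]
# Hardened: a port-based block for tcp/22 placed ahead of the app-based rule.
ACP_HARDENED = [Rule("block-tcp22", "block", port=22)] + ACP

if __name__ == "__main__":
    print(leaked(PREFILTER, ACP, ssh_flow(22, 3)))            # 3: early packets pass
    print(leaked(PREFILTER, ACP_HARDENED, ssh_flow(22, 3)))   # 0: blocked from packet 1
    print(leaked(PREFILTER, ACP_HARDENED, ssh_flow(2222, 3))) # 3: non-standard port relies on app detection
```

The app-based rule does catch SSH on tcp/2222, which a tcp/22 rule alone would miss, but on both ports the packets sent before detection completes reach the allow rule; pairing a port condition with the app rule closes that window for the standard port.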