Transcript of: Cisco Virtual Update: Cisco firewalls in Azure and Amazon Web ...
Jesper Rathsach – [email protected]
Consulting cybersecurity systems engineer, Cisco Systems
29th August 2018
Amazon Web Services (AWS) and Azure
NGFWv and ASAv in Public Cloud
Today's Agenda
• Introduction to public cloud
• Overview of NGFWv, FMCv and ASAv
• NGFWv & ASAv in Azure with use cases
• NGFWv & ASAv in AWS with use cases
• Licensing and miscellaneous
• Thank you for today
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Public cloud has great benefits
Public Cloud Security
[Diagram: customers, employees and partners reaching applications or workloads hosted either in the data center or in the public cloud]
• Application agility
• Cost effectiveness: per-hour, per-minute and per-second billing options
• Scalability: scale-up and scale-down
• High availability: regions and availability zones
Public cloud comes with challenges
• L2 abstraction
• Connection to the data center (IPsec, DX or Express Route)
• Security
• New services/environment
Shared security model in Public Cloud
[Diagram: responsibility layers]
• Cloud provider: physical infrastructure, network infrastructure, virtualization layer
• Customer responsibility: network security (NSG, SG, NACL); NGFWv (firewall, AVC, threat-centric, URL filtering, AMP & VPN); ASAv (firewall & VPN)

AWS components
AWS components Overview
AWS regions:
Code              Name
us-east-1         US East (N. Virginia)
us-east-2         US East (Ohio)
us-west-1         US West (N. California)
us-west-2         US West (Oregon)
ca-central-1      Canada (Central)
eu-central-1      EU (Frankfurt)
eu-west-1         EU (Ireland)
eu-west-2         EU (London)
eu-west-3         EU (Paris)
ap-northeast-1    Asia Pacific (Tokyo)
ap-northeast-2    Asia Pacific (Seoul)
ap-northeast-3    Asia Pacific (Osaka-Local)
ap-southeast-1    Asia Pacific (Singapore)
ap-southeast-2    Asia Pacific (Sydney)
ap-south-1        Asia Pacific (Mumbai)
sa-east-1         South America (São Paulo)
AWS components Overview
[Diagram: a VPC spanning availability zones us-east-1c and us-east-2c, each with mgmt, inside and outside subnets and a workload EC2 instance; an Internet Gateway (IGW), a load balancer (LB) and an Elastic IP; route table RT: destination 0.0.0.0, next-hop IGW]
• VPC: Virtual Private Cloud
• Availability Zone
• Subnet
• EC2 instance: workload
• Elastic IP
• Load Balancer: NLB, CLB and ALB
• Internet Gateway
• Route Table
• VGW & Direct Connect: Direct Connect and Virtual Private Gateway
Route Table and VPC limitations
[Diagram: VPC with CIDR 192.168.0.0/16 and subnets 192.168.1.0/24 and 192.168.2.0/24; an EC2 instance behind a Security Group and a Network ACL; an IGW]
Route Table
destination subnet   next-hop
192.168.0.0/16       local
0.0.0.0/0            IGW
192.168.2.0/24       x.x.x.x   (a route more specific than the VPC CIDR is not permitted in the route table)
Route Table
• Route table is associated to a subnet
• User-defined routes can be added
• More specific routes are not permitted
Network limitation
• No link-local multicast or broadcast
• No IGPs
• No Proxy ARP and Gratuitous ARP
• Complex environment for native HA support, but workarounds are available for a resilient and scalable design
Reference: AWS RT
Workload security in AWS: Security Groups (SG) and Network ACL (NACL)
[Diagram: VPC with subnets 192.168.1.0/24 and 192.168.2.0/24; an EC2 instance protected by a Security Group, the subnet by a Network ACL]
Security Group
• SG acts as a virtual firewall for an instance to control inbound and outbound traffic; L4 rules only
• Security groups can only have allow rules, not deny
• SGs are stateful
• SG limit per region: 50
• Maximum rules per SG: 100
Network ACL
• Same as SG but applied to the subnet
• L4 visibility
• Action: Allow or Deny
Reference: AWS Service Limits
Azure components
[Diagram: a vNET with WEB, APP and DB subnets; NGFWv or ASAv deployed as a Network Virtual Appliance (NVA) in an Availability Set behind a load balancer (LB); a Gateway Subnet with a Virtual Network Gateway and Azure Express Route; WEB-UDR, APP-UDR and DB-UDR each send destination x.x.x.x to the NVA (Internal)]
• Region and Availability Zone (new: Availability Zone)
• Resource Group
• Virtual Network: vNET
• Subnet
• Workload: VM
• User Defined Route: UDR
• Network Virtual Appliance: NVA
• Availability Set
• Load Balancer: internal and external
• Express Route
Workload security in Azure: Network Security Group (NSG)
[Diagram: vNET with subnets 10.0.1.0/24 and 10.0.2.0/24; NSGs applied per subnet and per VM interface (eth0, eth1)]
• NSG restricts traffic to resources in a virtual network
• Action: Allow or Deny
• Direction: inbound and outbound
• L4 rules: source IP, destination IP, port, protocol
• NSG limit: 5000 (per region per subscription)
• NSG rule limit: 1000 (per NSG)
Reference: Azure Limits and Quotas
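As an added example, not part of the deck, the following Python models how an NSG decides on a packet with the fields listed above: rules are tried in priority order, the first match wins, and Azure's default rules (AllowVnetInBound at 65000, DenyAllInBound at 65500) sit at the bottom. The rule names, the addresses, the DB subnet and the use of the vNET CIDR in place of the VirtualNetwork service tag are assumptions made for the example; the 1000-rules-per-NSG check is the limit quoted on the slide.

```python
# Added example: evaluating an Azure NSG rule set the way the slide describes it
# (priority order, Allow/Deny, direction, L4 fields). Rule names and addresses are
# constructed; "VirtualNetwork" is modelled as the vNET CIDR rather than as Azure's
# dynamic service tag, and only the inbound default rules are included.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

VNET_CIDR = "10.0.0.0/16"   # assumed vNET range (slide shows subnets 10.0.1.0/24 and 10.0.2.0/24)


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # 100-4096 for user rules; the lower number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR, "VirtualNetwork" or "*"
    destination: str     # CIDR, "VirtualNetwork" or "*"
    dest_port: str       # "443", "1024-65535" or "*"


def _ip_match(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    cidr = VNET_CIDR if spec == "VirtualNetwork" else spec
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


# Azure's default inbound rules, present at the bottom of every NSG
# (AllowAzureLoadBalancerInBound at 65001 is omitted here because it needs a service tag).
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]


def evaluate(rules: List[NsgRule], direction: str, protocol: str,
             src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """The first matching rule in priority order decides; returns (access, rule name)."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if _ip_match(r.source, src_ip) and _ip_match(r.destination, dst_ip) \
                and _port_match(r.dest_port, dst_port):
            return r.access, r.name
    return "Deny", "no-rule"   # only reachable for directions without a default rule here


def validate(rules: List[NsgRule]) -> List[str]:
    """Checks the slide's per-NSG rule limit and Azure's priority constraints."""
    problems = []
    if len(rules) > 1000:
        problems.append("more than 1000 rules in one NSG")
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            problems.append(f"{r.name}: duplicate priority {r.priority}")
        seen.add((r.direction, r.priority))
    return problems


# Constructed rule sets: the web tier is reachable on 443 from anywhere, the DB tier only
# from the app subnet on 1433, and everything else inside the vNET is denied explicitly so
# that the permissive AllowVnetInBound default never applies.
WEB_NSG = [
    NsgRule("allow-https-in", 100, "Inbound", "Allow", "Tcp", "*", "10.0.1.0/24", "443"),
    NsgRule("deny-vnet-in", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "VirtualNetwork", "*"),
]
DB_NSG = [
    NsgRule("allow-sql-from-app", 100, "Inbound", "Allow", "Tcp", "10.0.2.0/24", "10.0.3.0/24", "1433"),
    NsgRule("deny-vnet-in", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "VirtualNetwork", "*"),
]

if __name__ == "__main__":
    print(evaluate(WEB_NSG, "Inbound", "Tcp", "203.0.113.9", "10.0.1.4", 443))   # allowed by allow-https-in
    print(evaluate(DB_NSG, "Inbound", "Tcp", "10.0.1.4", "10.0.3.4", 1433))      # web -> db denied
    print(evaluate(DB_NSG, "Inbound", "Tcp", "10.0.2.4", "10.0.3.4", 1433))      # app -> db allowed
    print(evaluate(DB_NSG[:1], "Inbound", "Tcp", "10.0.1.4", "10.0.3.4", 1433))  # without the explicit deny
    print(validate(DB_NSG))
```

The last call in the usage block is the point worth remembering: drop the explicit `deny-vnet-in` rule and the web-to-database SQL attempt is allowed by the default `AllowVnetInBound` rule, which is why subnet-to-subnet filtering in Azure needs either an explicit deny or an NVA in the path.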
Azure components: Route Table and vNET
[Diagram: vNET 10.0.0.0/16 with subnets Web 10.0.1.0/24, App 10.0.2.0/24 and Db 10.0.3.0/24; WEB-UDR, APP-UDR and DB-UDR each send destination x.x.x.x to the NVA (Internal)]
Route Table
• Route table is associated to a subnet
• User-defined routes can be added to the RT
• UDRs take precedence over system routes
• API integration with UDR
Network limitation
• No link-local multicast or broadcast
• No IGPs
• No Proxy ARP and Gratuitous ARP
• No native high availability support for NVA
• ASAv HA is available
• ERSPAN is not supported because GRE is blocked
Azure and AWS components are similar
Azure                                                  AWS
Virtual Network (vNET)                                 Virtual Private Cloud (VPC)
Availability Set                                       Availability Zone (AZ)
Subnet                                                 Subnet
Azure Virtual Machine (VM)                             EC2 Instance
User Defined Route (UDR)                               Route Table (RT)
ARM Template                                           CloudFormation Template (CF template)
Load Balancer (internal, external and ILB Standard)    Load Balancer (NLB, CLB, ALB, internal and external)
ExpressRoute                                           Direct Connect
Public IP                                              Elastic IP (EIP)
Security: Network Security Group                       Security: Security Group and NACL

NGFWv and ASAv Overview
Why are we here? Let's begin the journey towards a secured cloud environment
Security model in public cloud is not enough
[Diagram: responsibility layers]
• Cloud providers: physical infrastructure, network infrastructure, virtualization layer
• Customer: network and workload security
• NSG, SG, NACL: layer 4 visibility
• NGFWv: firewall, AVC, NGIPS, AMP, VPN and URL filtering (L4-L7 visibility)
• ASAv: stateful firewall, NAT, routing, ACL and VPN
Cisco Security for Public Cloud
NGFWv/FTDv overview
• Managed by Firepower Management Center (FMC)
• NGFWv (FTD appliance) features: Firewall, AVC, NGIPS, AMP, URL, VPN (IPsec and SSL)
AVC: Application Visibility and Control; NGIPS: Next-Generation Intrusion Prevention System; AMP: Advanced Malware Protection; VPN: Virtual Private Network; URL: URL filtering
Firepower Management Center
FMC appliance (manages NGFWv):
• Centralized management
• Total visibility
• Real-time threat management
• Security automation
ASAv overview
ASAv 9.9.x (ASA appliance):
• Stateful firewall, NAT, routing and ACL
• VPN: IPsec and SSL
• REST API
• Route-based VPN: VTI
ASAv Management options
• Cisco ASDM (on-box manager): for easy on-box management of common security and policy tasks and CLI-based configuration
• Cisco Security Manager (centralized manager): helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment
• Cisco Defense Orchestrator (cloud based): for centralized cloud-based policy management of multiple deployments (*only for ASA)

NGFWv and ASAv in public cloud
NGFWv, FMCv and ASAv in Public Cloud: instance types
AWS
• NGFWv instance (Marketplace): c3.xlarge, c4.xlarge
• FMCv instance (Marketplace): c3.xlarge, c3.2xlarge, c4.xlarge, c4.2xlarge
• ASAv instance (Marketplace): c3.large, c3.xlarge, c4.large, c4.xlarge, m4.large, m4.xlarge
• SSD storage on c3 instances and EBS storage on c4 or m4 instances
• large instance is ASAv10, xlarge instance is ASAv30
Azure
• NGFWv instance (Marketplace): Standard D3 and Dv2
• ASAv instance (Marketplace): Standard D3 and D3v2
• D3 and D3v2 instance is ASAv30
NGFWv in AWS
Deploy NGFWv in routed or passive mode
• Provides networking, firewalling, threat-centric protection, URL filtering & AMP capabilities
• An Elastic IP (static persistent public IP) is required for remote admin access to either NGFWv or Cisco Firepower Management Center Virtual
• AWS Security Group access control must permit SSH/HTTPS access to your instances and TCP 8305 for the SF tunnel
• Two management interfaces are required for NGFWv in AWS
Interfaces: eth0 and eth1 are management interfaces; eth2 and eth3 are data interfaces
Instance          Instance type             Interfaces   Number of vCPUs   RAM (GB)
FMCv & NGFWv      c3.xlarge, c4.xlarge      2 + 2*       4                 7.5
FMCv              c3.2xlarge, c4.2xlarge    4            8                 15
* Management interface
NGFWv in Azure
Deploy NGFWv in Routed Mode
• NGFWv supports routed mode
• Provides networking, firewalling, threat-centric protection, URL filtering & AMP capabilities
• NSG should allow SSH/HTTPS and TCP 8305 (SF tunnel) access to your instances on the eth0 interface for management access
• Two management interfaces are required for NGFWv in Azure
• North/South and East/West traffic inspection and micro-segmentation
Interfaces: eth0 and eth1 are management interfaces; eth2 and eth3 are data interfaces
NGFWv supported machine size   Number of interfaces (subnets)   NGFW platform   Number of vCPUs   RAM (GB)
Standard D3 & D3v2             4 (2+2*)                         NGFWv           4                 14
* Management interface
NGFWv & ASAv Datasheet Numbers
AWS
Instance   Instance type                                    Throughput   Interfaces   VPN endpoints
NGFWv      c3.xlarge, c4.xlarge                             1 Gbps       2 + 2*       250
FMCv       c3.xlarge, c4.xlarge, c3.2xlarge, c4.2xlarge     (-)          Management   (-)
ASAv       c3/c4/m4.large (ASAv10)                          1 Gbps       2 + 1*       250
ASAv       c3/c4/m4.xlarge (ASAv30)                         1 Gbps       3 + 1*       750
Azure
Instance   Instance type                 Throughput                                  Interfaces   VPN endpoints
NGFWv      Standard D3, D3v2             1 Gbps                                      2 + 2*       250
ASAv       Standard D3, D3v2 (ASAv30)    100 Mbps (ASAv5); 1 Gbps (ASAv10, ASAv30)   3 + 1*       50, 250 or 750
* Management interface
Note: Maximum throughput is measured with traffic under ideal conditions. Standard D3 and D3v2 support ASAv5, ASAv10 and ASAv30 license entitlement.

Deployment modes
NGFWv Deployment Modes in Public Cloud
[Diagrams: routed mode (NGFWv) in AWS; passive mode (NGFWv) in AWS; routed mode (NGFWv) in Azure]
• Passive mode is only applicable to NGFWv in AWS
ASAv Deployment Modes in Public Cloud
[Diagrams: routed mode (ASAv) in AWS; routed mode (ASAv) in Azure]
NGFWv in Azure – Routed Mode
[Diagram: vNET with NGFWv; eth1 (diagnostic interface), eth2 Internal, eth3 External; FMC reached over the Internet; Internet & RA users on the external side]
Deployment
• Deploy NGFWv in routed mode (L3)
• NGFWv available in Azure marketplace
• Next hop for workloads in Azure
Management
• Managed by FMC or FMCv
• Public or private IP for management
Use cases
• VPN (S2S and RA VPN)
• Firewall, NGIPS, URL filtering & AMP integration
ASAv in Azure – Routed Mode
[Diagram: vNET with ASAv; Inside, DMZ2 and Management interfaces; Internet & RA users on the outside]
Deployment
• Deploy ASAv in routed mode (L3)
• ASAv is available in Azure marketplace (ASAv30)
• Next hop for workloads in Azure
• ASAv HA (Active/Standby)
Management
• Management interface can be used as a data interface
Use cases
• VPN (S2S and RA VPN) and firewall
• Option of installing a license for 250 or 750 VPN endpoints
NGFWv in AWS – Routed Mode
[Diagram: VPC with NGFWv (Internal, External and Mgmt interfaces), FMC and IGW; Internet & RA users]
Deployment
• Deploy NGFWv in routed mode (L3)
• NGFWv and FMCv available in AWS marketplace
• Next hop for workloads in AWS
Management
• Managed by FMC or FMCv
• Elastic or private IP for management
Use cases
• VPN (S2S and RA VPN)
• Firewall, IPS, URL & AMP integration
NGFWv in AWS – Passive Mode
[Diagram: VPC with CSRv and NGFWv (Internal, External) and IGW; Internet & RA users]
Deployment
• Deploy NGFWv in passive mode
Management
• Managed by FMC or FMCv
• Elastic or private IP for management
Passive mode requirements
• Cisco Cloud Services Router (CSRv) forwards a copy of the traffic to NGFWv
• NGFWv passively inspects traffic sent over the ERSPAN session
• On NGFWv, set the interface type to ERSPAN, set MTU 1600 and assign an IP address
ASAv in AWS – Routed Mode
[Diagram: VPC with ASAv interfaces Inside, DMZ1, DMZ2 and Management/Outside; IGW; Internet & RA users]
Deployment
• Deploy ASAv in routed mode (L3)
• Next hop for workloads in AWS
Management
• Elastic or private IP for management
• Managed using CLI, Cisco Security Manager, ASDM, REST API and Cisco Defense Orchestrator (CDO)
Use cases
• VPN (S2S and RA VPN)
• Inter-subnet filtering

Management access
Management access – NGFWv
[Diagram, AWS: FMC in the data center manages NGFWv in the VPC either over the Internet via the IGW (public IP) or over AWS Direct Connect (DX) (private IP). Azure: FMC in the data center manages NGFWv in the vNET either over the Internet (public IP) or over Azure Express Route via the Gateway Subnet and Virtual Network Gateway (private IP)]
• Manage using public IP (Internet)
• Manage using private IP (Azure Express Route or AWS Direct Connect – DX)

Use cases (Azure)
Azure User defined route (UDR)
[Diagram: vNET with WEB subnet 192.168.1.0/24; the default gateway on WebServer01 is 192.168.1.1]
WEB-UDR
Destination      Next Hop
Default route    ASAv Inside
APP, DB          ASAv Inside
• Traffic is forwarded based on the routes in the UDR
• UDR overrides system routes
• Associated to a subnet
• Next-hop options: virtual appliance, VNG, vNET, Internet and none
• API integration to modify routes
E/W traffic inspection - NGFWv
[Diagram: vNET with WEB, APP and DB subnets; NGFWv with Internal and External interfaces facing the Internet & RA VPN users; FMC in the data center reached via the Gateway Subnet, Virtual Network Gateway and Azure Express Route; SF tunnel between FMC and NGFWv (management)]
DB-UDR
Destination                 Next Hop
Internet, WEB, APP & DC     NGFWv (Internal)
DB                          NGFWv (Internal)
APP-UDR
Destination                 Next Hop
Internet, WEB, DB & DC      NGFWv (Internal)
APP                         NGFWv (Internal)
WEB-UDR
Destination                 Next Hop
Internet, WEB, DB & DC      NGFWv (Internal)
WEB                         NGFWv (Internal)
GW-Subnet-UDR
Destination                 Next Hop
WEB, APP & DB               NGFWv (Internal)
Highlighted routes are required for micro-segmentation
Youtube: Demo
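The UDR slide says that a UDR overrides the system routes and that the route for the subnet's own prefix is what makes micro-segmentation work. As an added example (not Cisco's code), the following Python resolves the effective next hop for a VM in the DB subnet the way Azure does: longest prefix match first, and on equal prefix length a user-defined route beats the system route. The vNET addressing follows the earlier route-table slide (10.0.0.0/16 with Web, App and Db /24s); the NGFWv Internal address and the data-center range are assumed.

```python
# Added example (not from the deck): effective-route resolution for a DB-subnet VM
# in the E/W inspection design. Azure chooses the longest matching prefix and,
# on a tie, prefers a user-defined route over the system route. The NVA address
# and the data-center range below are assumptions for this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    address_prefix: str
    next_hop_type: str               # VnetLocal, Internet, VirtualAppliance, VirtualNetworkGateway, None
    next_hop_ip: Optional[str] = None
    source: str = "User"             # "User" for a UDR entry, "Default" for an Azure system route


VNET_CIDR = "10.0.0.0/16"                                               # slide 30 addressing
SUBNETS = {"WEB": "10.0.1.0/24", "APP": "10.0.2.0/24", "DB": "10.0.3.0/24"}
DC_CIDR = "192.168.0.0/16"            # assumed on-premises range behind the Virtual Network Gateway
NVA_INTERNAL_IP = "10.0.4.4"          # assumed NGFWv Internal interface address


def system_routes(vnet_cidr: str) -> List[Route]:
    """The two system routes every Azure subnet gets: vNET-local and default to Internet."""
    return [Route(vnet_cidr, "VnetLocal", source="Default"),
            Route("0.0.0.0/0", "Internet", source="Default")]


def db_udr(with_own_subnet: bool) -> List[Route]:
    """DB-UDR from the slide: Internet, WEB, APP and DC via the NGFWv, plus the
    highlighted DB -> NGFWv row when micro-segmentation is wanted."""
    prefixes = ["0.0.0.0/0", SUBNETS["WEB"], SUBNETS["APP"], DC_CIDR]
    if with_own_subnet:
        prefixes.append(SUBNETS["DB"])
    return [Route(p, "VirtualAppliance", NVA_INTERNAL_IP) for p in prefixes]


def effective_route(dest_ip: str, udr: List[Route], vnet_cidr: str = VNET_CIDR) -> Route:
    """Longest-prefix match over system + user routes; a UDR wins ties against a system route."""
    dst = ipaddress.ip_address(dest_ip)
    candidates = [r for r in system_routes(vnet_cidr) + udr
                  if dst in ipaddress.ip_network(r.address_prefix)]
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.address_prefix).prefixlen,
                                          r.source == "User"))


def inspected(dest_ip: str, udr: List[Route]) -> bool:
    """True when traffic from the DB subnet to dest_ip passes through the NGFWv."""
    return effective_route(dest_ip, udr).next_hop_type == "VirtualAppliance"


if __name__ == "__main__":
    for label, udr in (("without DB->NVA route", db_udr(False)), ("with DB->NVA route", db_udr(True))):
        print(label)
        for name, ip in (("Internet", "198.51.100.7"), ("APP host", "10.0.2.10"),
                         ("DC host", "192.168.50.5"), ("other DB host", "10.0.3.20")):
            r = effective_route(ip, udr)
            print(f"  {name:14} {ip:15} -> {r.next_hop_type} ({r.source} route {r.address_prefix})")
```

Run it and the difference between the two tables is the micro-segmentation point: without the DB -> NGFWv row, a DB host talking to another DB host matches the /16 VnetLocal system route (longer than the UDR's 0.0.0.0/0) and never reaches the firewall; with that /24 row in place the firewall sees the flow.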
E/W traffic inspection - ASAv
[Diagram: vNET with WEB, APP and DB subnets; ASAv with Inside and Outside interfaces facing the Internet & RA VPN users; data center reached via the Gateway Subnet, Virtual Network Gateway and Azure Express Route]
DB-UDR
Destination                 Next Hop
Internet, WEB, APP & DC     ASAv (Inside)
DB                          ASAv (Inside)
APP-UDR
Destination                 Next Hop
Internet, WEB, DB & DC      ASAv (Inside)
DB                          ASAv (Inside)
WEB-UDR
Destination                 Next Hop
Internet, WEB, DB & DC      ASAv (Inside)
DB                          ASAv (Inside)
GW-Subnet-UDR
Destination                 Next Hop
WEB, APP & DB               ASAv (Inside)
Highlighted routes are required for micro-segmentation
The "same-security-traffic permit intra-interface" command is required on the ASA for hairpinning
NGFWv/ASAv scalable design using Azure ILB with HA ports
[Diagram: Nva-subnet 10.82.2.0/24 with FWv01 to FWv04 (ilb-ha-fw1 to ilb-ha-fw4) at 10.82.2.10 to 10.82.2.13 behind an Azure ILB with HA ports at 10.82.2.100; the default route on the firewalls is 10.82.2.1; WEB subnet 10.82.1.0/24 (10.82.1.50) and APP subnet 10.82.0.0/24 (10.82.0.50)]
APP-UDR
Destination   Next Hop
WEB           ILB VIP
WEB-UDR
Destination   Next Hop
APP           ILB VIP
• Azure ILB standard with HA ports
• ILB is the next hop in the UDR
• ILB load balances the complete IP traffic
• ILB is designed to provide traffic symmetry
Service vNET – NGFWv and ASAv scalable design
[Diagram: hub "service vNET" containing a Gateway Subnet with a Virtual Network Gateway and an Nva-Subnet 10.82.2.0/24 with FWv01 to FWv04 (ilb-ha-fw1 to ilb-ha-fw4) behind ILB HA 10.82.2.100; the default route on the firewalls is 10.82.2.1; spoke vNET01 and vNET02, each with multiple subnets]
All-Subnets-UDR (in each spoke)
Destination    Next Hop
All-Subnets    ILB VIP
Interconnecting vNET NGFWv UDR detail
[Diagram: vNET1 and vNET2, each with an NGFWv (Internal/External) managed by FMC, connected by a site-to-site VPN tunnel]
vNET1 Internal-UDR
Destination       Next Hop
Internet          NGFWv (Inside)
vNET2 subnets     NGFWv (Inside)
vNET2 Internal-UDR
Destination       Next Hop
Internet          NGFWv (Inside)
vNET1 subnets     NGFWv (Inside)
Site-to-site and RA VPN NGFWv – UDR detail
[Diagram: vNET with NGFWv (Internal/External); site-to-site VPN tunnel to an ASAv in the data center; Internet and RA VPN users on the external side]
Internal-UDR
Destination        Next Hop
Internet           NGFWv (Inside)
RAVPN Pool         NGFWv (Inside)
Datacenter (DC)    NGFWv (Inside)
Use cases
• Network Address Translation (NAT)
• Site-to-site tunnel
• Access control policy, IPS policy and AMP policy
• Networking, firewalling and AVC
Inter subnet filtering – NGFWv
[Diagram: vNET with WEB and APP subnets; an edge NGFWv facing the Internet and an internal NGFWv between the subnets; Internet users]
Use cases
• Network Address Translation (NAT)
• Site-to-site tunnel
• Access control policy, IPS policy and AMP policy
• Networking, firewalling and AVC
APP-UDR
Destination   Next Hop
Internet      NGFWv (Inside)
WEB           NGFWv (Inside)
WEB-UDR
Destination   Next Hop
Internet      NGFWv-edge (Inside)
WEB           NGFWv-Internal (Outside)
NGFWv and ASAv scalable design: Azure internal load balancer (ILB) standard & external load balancer
[Diagram: vNET with WEB, APP and DB subnets; NVA subnet (inside) with FW01, FW02 ... FW..n NGFWv instances in an Availability Set behind an ILB Standard (VIP) with HA port; an external LB in front of the firewalls facing Internet users; FMC in the data center via the Gateway Subnet, Virtual Network Gateway and Azure Express Route; stateless switchover between firewalls]
DB-UDR
Destination          Next Hop
Default/Internet     ILB VIP
APP, WEB & DC        ILB VIP
APP-UDR
Destination          Next Hop
Default/Internet     ILB VIP
DB, WEB and DC       ILB VIP
WEB-UDR
Destination          Next Hop
Default/Internet     ILB VIP
DB, APP and DC       ILB VIP
GW-UDR
Destination          Next Hop
WEB, APP & DB        ILB VIP
• Firewalls in Availability Set
• Stateless switchover
Youtube: overview

ARM template deployment
Azure Resource Manager (ARM) Template
[Diagram: one template deploying several ASAv or NGFWv instances]
• JSON-based template for deploying NGFWv and ASAv
• Multiple/repeated deployments
• Add a firewall to an existing resource group
• Add additional attributes for scalable deployment, i.e. Availability Set
• Publish tested templates
• Deploy multiple Azure resources using a single ARM template
• Create the following resources before deploying ASAv or NGFWv using the template: resource group, availability set, vNET, subnet and storage account
Azure Resource Manager Template: ARM templates and demo videos
• NGFWv ARM Template: http://cs.co/NGFWvARMTemplate (Youtube: Demo)
• ASAv ARM Template: http://cs.co/ASAvARMTemplate (Youtube: Demo)
• NGFWv ARM Template (LB Sandwich): coming soon (Youtube: coming soon)

Use cases (AWS)
CloudFormation Template
CF template deploys resources in AWS
• A group of resources in a template is called a stack
• Resources are added using JSON objects
• Publish the CF template using an S3 bucket
Advantages of using a CF template
• Simplified infrastructure management
• Repeated or multiple deployments
• Reduced human errors
• Version control using the template
• Update the stack and track changes
Intersubnet filtering NGFWv
[Diagram: VPC with CIDR 192.168.0.0/16; DB subnet 192.168.100.0/24 behind NGFWv (External towards the IGW); WEB subnet 192.168.2.0 behind ASAv]
RT-DB
destination subnet   next-hop
192.168.0.0/16       local
0.0.0.0/0            eni-ngfwv(internal)
RT-WEB
destination subnet   next-hop
192.168.0.0/16       local
0.0.0.0/0            eni-asav(inside)
• CIDR has a local route for the VPC
• Specific route is not allowed in the route table
• Default route will not cover the local network
• Host routes are required to enable intersubnet filtering
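The four bullets above describe a chain of constraints that is easy to misread, so here is an added example (not from the deck) that models them in Python: the VPC route table always carries a local route for its CIDR, a more specific route inside that CIDR is rejected (the behaviour the slide states for the time), and consequently a default route to the firewall's ENI never captures traffic between subnets of the same VPC. The last function reads the slide's "host routes" as routes configured in the workload's own OS; that reading, the ENI label, the firewall's inside address and the gateway address are assumptions.

```python
# Added example (not from the deck): the AWS VPC route-table rules the slide relies on.
# Every VPC has a non-removable local route for its CIDR, a route more specific than that
# CIDR is rejected (as the slide states), so a default route to the firewall ENI never
# captures intra-VPC traffic. guest_next_hop() models the slide's "host routes" as routes
# in the workload's OS; that reading, the ENI label and the addresses are assumptions.
import ipaddress
from typing import Dict, Optional

VPC_CIDR = "192.168.0.0/16"                    # from the slide
DB_SUBNET = "192.168.100.0/24"                 # from the slide
WEB_SUBNET = "192.168.2.0/24"                  # from the slide
NGFWV_INTERNAL_ENI = "eni-ngfwv(internal)"     # route target as labelled on the slide
NGFWV_INTERNAL_IP = "192.168.100.10"           # assumed address of the NGFWv internal interface


class RouteTableError(ValueError):
    pass


class VpcRouteTable:
    def __init__(self, vpc_cidr: str):
        self.vpc = ipaddress.ip_network(vpc_cidr)
        # The local route is implicit and cannot be removed.
        self.routes: Dict[ipaddress.IPv4Network, str] = {self.vpc: "local"}

    def add_route(self, destination: str, target: str) -> None:
        net = ipaddress.ip_network(destination)
        if net == self.vpc:
            raise RouteTableError("the local route for the VPC CIDR cannot be replaced")
        if net.subnet_of(self.vpc):
            raise RouteTableError(f"{destination} is more specific than the VPC CIDR and is not permitted")
        self.routes[net] = target

    def lookup(self, dest_ip: str) -> Optional[str]:
        """Longest-prefix match, as the VPC router does."""
        dst = ipaddress.ip_address(dest_ip)
        matches = [n for n in self.routes if dst in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else None


def rt_db() -> VpcRouteTable:
    """RT-DB from the slide: the local route plus a default route to the NGFWv internal ENI."""
    rt = VpcRouteTable(VPC_CIDR)
    rt.add_route("0.0.0.0/0", NGFWV_INTERNAL_ENI)
    return rt


def guest_next_hop(dest_ip: str, default_gw: str, host_routes: Dict[str, str]) -> str:
    """First hop chosen inside the workload's OS. A host or subnet route towards the
    firewall makes the firewall the first hop, before the VPC route table is consulted."""
    dst = ipaddress.ip_address(dest_ip)
    best = max((ipaddress.ip_network(p) for p in host_routes if dst in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen, default=None)
    return host_routes[str(best)] if best else default_gw


if __name__ == "__main__":
    rt = rt_db()
    print("DB -> Internet :", rt.lookup("203.0.113.5"))       # firewall ENI
    print("DB -> WEB      :", rt.lookup("192.168.2.10"))      # local: the firewall is bypassed
    try:
        rt.add_route(WEB_SUBNET, NGFWV_INTERNAL_ENI)          # the obvious fix is not accepted
    except RouteTableError as e:
        print("rejected:", e)
    # Host route on the DB instance pointing the WEB subnet at the firewall's inside address
    print("guest first hop:", guest_next_hop("192.168.2.10", "192.168.100.1",
                                             {WEB_SUBNET: NGFWV_INTERNAL_IP}))
```

Because the OS-level route only steers the first hop, the firewall itself still needs a return path and the instance's security group must accept the firewall as a source; the VPC route table is unchanged by this technique, which is the point of the slide's last bullet.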
Secure Transit VPC - NGFWv
[Diagram: transit VPC spanning AZ1 and AZ2 with CSRv and NGFWv instances towards the Internet; spoke VPC A and VPC B; NGFWv route table (RT)]

Scalable design
NGFWv scalable design using AWS Network Load Balancer (NLB)
[Diagram: VPC with IGW and an Elastic IP on the NLB; availability zones us-east-1c and us-east-1d, each with management, outside and inside subnets, one or more NGFWv instances and a web server (WebServer01, WebServer02); FMCv in management-1c; route table RT: destination 0.0.0.0, next-hop IGW; stateless switchover between firewalls]
• Multiple firewalls can be added per Availability Zone to provide AZ-level scalability
Youtube: Demo

Advanced Malware protection in Azure and AWS
NGFWv integration with AMP: AWS and Azure
[Diagram: VPC with CIDR 192.168.0.0/16, DB subnet 192.168.100.0/24 and WEB subnet 192.168.2.0, NGFWv and IGW; malware is detected and dropped by NGFWv]
NGFWv integrates with the AMP solution and provides the following features:
• AMP for Networks
• Continuous analysis
• Retrospective security
• Reduced event notifications
• Integrated malware analysis
File capture allows you to store and retrieve files for further analysis. The integration of Threat Grid allows you to examine unknown and suspicious files in a safe, highly secure sandbox environment, either in the cloud or locally.

Licensing
Licensing
Azure
• Cisco Smart Licensing: Bring your own license (BYOL)
• NGFW: Base license (firewall and AVC); term-based (Threat, URL and AMP)
• ASA: Standard license (firewall and throughput); AnyConnect Apex license (SSL and IPsec)
AWS
• Cisco Smart Licensing: Bring your own license (BYOL)
• Pay-as-you-go model: hourly and annual license
Note: No Cisco TAC support with the AWS pay-as-you-go license model, but you can purchase one year of TAC support from the listed partner: https://aws.amazon.com/marketplace/pp/B01HQPRQMQ?qid=1522335115947&sr=0-7&ref_=srh_res_product_title

Important Resources
YouTube Channel: http://cs.co/DCandCloudSecurity
NGFWv and ASAv Marketplace Listings
AWS
Product                                              Marketplace Listing
NGFWv Marketplace listing – BYOL                     http://cs.co/CiscoNGFWvBYOL
NGFWv Marketplace listing – Hourly & Annual          http://cs.co/CiscoNGFWvHourlyAnnual
FMCv Marketplace listing – BYOL                      http://cs.co/CiscoFMCvBYOL
ASAv Marketplace listing – BYOL, Hourly & Annual     http://cs.co/CiscoASAvBYOLHourlyAnnual
Azure
Product                                              Marketplace Listing
NGFWv Marketplace listing – BYOL                     http://cs.co/CiscoNGFWv
ASAv Marketplace listing – BYOL                      http://cs.co/CiscoASAv
ASAv HA Marketplace listing – BYOL                   http://cs.co/AzureASAvHA
Important Links
• Security in public cloud Youtube channel: http://cs.co/DCandCloudSecurity
• Cisco NGFWv, ASAv and FMC chalk talk in Public Cloud: http://cs.co/PublicCloudSecChalkTalk
• Public Cloud Technical Decision Maker Deck (TDM) (partner level access required): http://cs.co/Azure-AWS-PublicCloudTDMs
• Cisco ASAv licensing (BYOL): http://cs.co/ASAvLicensing
• Cisco NGFWv licensing (BYOL): http://cs.co/CiscoNGFWvLicensing
• NGFWv ARM Template: http://cs.co/NGFWvARMTemplate
• ASAv ARM Template: http://cs.co/ASAvARMTemplate