Transcript of Deep Dive Lab on Cisco Firepower NGFW and ASA Integration in ACI
Deep Dive Lab on Cisco Firepower NGFW and ASA Integration in ACI
Goran Saradzic – Security TME Manager
Minako Higuchi – ACI TME
LTRSEC-3001
Lab Guide can be downloaded at http://cs.co/acisec-lab-guide
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#LTRSEC-3001
Programmatic Approach with Security
• Stand up defenses at the same time as applications: Cisco Security Device Packages (APIC Security Device Packages).
• Automate security policy updates with tighter integration between security appliances and APIC: Dynamic EPG updates to Rules/ACLs.
• Embrace a dynamic workload quarantine with programmable policy enforcement: Cisco FMC Remediation Package for APIC.
Agenda
• Introduction
• Work through Lab 1 together
• Run Labs 2-7 on your own
(Slide graphic: SECURITY – ASAv, NGIPSv, FTDv)
Cisco Firepower NGFW and ASA Integration in ACI
Lab Exercises:
1. Connect and run scripts to build out your Tenant with security services
2. Change FTDv service graph to unmanaged mode on app-to-db contract
3. Change FTDv to EPG-attached NGFW Service with no Contract
4. Apply malware protection to FTDv service graph on app-to-db contract
5. Run Rapid Threat Containment with APIC Firepower remediation package
6. Enable Dynamic update to EPG feature on out-to-web contract
7. Study the mechanics and benefits of the ASA PBR service graph
Physical Gear – Two Fabrics
(Diagram) Per fabric: one Nexus9336PQ spine with 40G links to two Nexus9396PX leaves; 4x ASA5525 (ASA+SFR) and 2x FirePOWER7010 attached over 4x1G links; 2x UCS C220 M4L attached over 10G links; vCenter.
Fabric 1: pod1 to pod20 – APIC: 10.10.35.10, vCenter: 10.10.35.120
Fabric 2: pod21 to pod40 – APIC: 10.10.35.11, vCenter: 10.10.35.125
Orchestrate Cisco ASA and FTD in ACI Fabric
• ASA Device Package – ASA5585-X (EoS), ASA5500-X (Divert to SFR), ASAv10, ASAv30, ASAv50; FPR9300 and FPR4100/2100 running the ASA app
• FTD Device Package – FPR9300, FPR4100, FPR2100 running the FTD app; NGFWv (virtual FTD)
• Firepower Management Console (FMC) – Automation and Orchestration
• FMC Remediation Module for ACI – React to detected threats in an automated fashion
Cisco ASA and FTD Device Packages for ACI
Nexus9k Leafs/Spines – Shadow EPG VLANs, L3outs: APIC configures Tenant Networking and Service Graph Parameters in the ACI Fabric
Cisco NGFW (FTD image)
• APIC configures via FMC (via FTD Device Package): Interfaces, IP Addresses, VLANs, Inline IPS pairs, Security Zones
• Security team configures via FMC: Access & Threat Policies – URL filter, NGIPS, AMP, etc.
ASA with FirePOWER Services
• APIC configures on ASA via ASA Device Package: Interfaces, VLANs, IPs, Static or Dynamic Routes; ACLs, Inspections, HA, Special Features
• Security team configures via FMC: ASA Embedded FirePOWER Services – Threat Policies
Legend: APIC Added/Validated Config; Config added manually via FMC, outside of APIC control/visibility; Adding Security Zone to pre-defined rules under Access & Threat Policies
FTD Device Package for ACI
Nexus9k Leafs/Spines – Shadow EPG VLANs, L3outs: APIC configures Service Graph in the ACI Fabric
• APIC configures via FMC on NGFW(v) (via FTD Device Package; Hybrid – Device Manager): Interfaces, VLANs, BVIs, Inline Pairs (Cross-connects)
• Security team configures via FMC: Threat Defense Policies – Access Control, URL filtering, Geolocation features, etc.
Firepower NGFW 6.2 code posted on Cisco.com
APIC configures in FMC:
• Interfaces and VLANs
• Routed, Transparent FW, NGIPS
• Create Security Zone
• Create/Update Policy & Rule
Security Team updates FMC:
• Network Access Policy
• NGIPS, File, Geo-location
• Other items beyond APIC cfg
Cisco Security Devices in ACI Fabric (Reference)
Columns: Cisco L4-7 Device | Supported Platforms | Device Package | Device Version | L4-7 Insertion Mode | HA Mode
• FTD on physical appliance | FPR9300, FPR4100, FPR2100, ASA5500-X | FTD_FI DP 1.0.2 (FTD DP 1.0.2 released!!!) | FMC/FTD 6.2.2, APIC 2.2.2e | Go-To (Routed, no L3out), Go-Through (L2FW, inline IPS) | HA (L3FW, L2FW, IPS) or Fail-to-Wire (IPS only)
• FTDv virtual | VMware, KVM | FTD DP 1.0.2 released | (cells merged with the row above in the slide) | (merged with the row above) | (merged with the row above)
• ASA physical appliance | FPR9300, FPR4100, ASA5585-X, ASA5500-X | DP 1.2.8 | 8.4+, 9.6+ (ASA app) | Go-To (Routed, L3out supported), Go-Through (L2FW) | ASA Active/Standby Failover, ASA Clustering (Active/Active)
• ASAv virtual | ASAv5, v10, v30 on VMware, Hyper-V; KVM SR-IOV used as Phys. Dom | DP 1.2.7 | 9.4+ (SMART) | (merged with the row above in the slide) | ASAv Active/Standby Failover
• FirePOWER physical appliance | FP71x0, FP71x5, FP70x0, FP8100, FP8300 | Unmanaged (DP in the plans) | – | Go-To (Routed), Go-Through (inline IPS); PBR works with Routed | Fail-to-Wire for IPS
• Firepower NGIPSv | VMware | N/A | – | Go-Through (inline IPS) | –
Cisco Security Device Insertion into ACI (Reference)
APIC Managed Service Graph
• ASA 1.2.8 Device Package: GoTo (L3FW), GoThrough (L2FW); ACL, DPI, Netflow, Syslogs, TrustSec; L3out Dynamic Routing (BGP/OSPF); NAT4/6, Dynamic Update EPG ACL; Global Service-Policy; Active/Standby Failover; Divert to embedded Firepower
• Firepower NGFW (FTD) 1.0.2 Device Manager Package: GoTo (L3FW), GoThrough (L2FW and Inline NGIPS); APIC orchestrates Data Plane Interfaces, creates Security Zones, and attaches to pre-defined FMC Policy; FMC controls policy on FTD app, including AMP, URL filter, Sandbox, etc.
APIC Unmanaged Service Graph
• APIC orchestrates the service graph on Nexus leaf switches. Security devices ASA, FirePOWER, or Firepower NGFW (FTD) are managed using CLI, REST-API, or purpose-built management tools (ASDM, CSM, FMC), and we now match settings on the unmanaged service graph (plug into configured ports, and match interface static/dynamic VLANs).
• Run Any ASA or Fire(power) Platform, Code, and Features
• Partial orchestration: APIC controls networking and policy on fabric leaf switches but not L4-L7 devices
(Slide graphics: NGFWv / ASAv; ASA app / FTD app)
Cisco Security Device Integration in LTRSEC-3001
APIC Managed Service Graph
• ASA 1.2 Device Package – Exercise 1: ASA5525-X, 2x Go-To Service Graphs: PBR Failover & L3out Cluster; Exercise 6: ASA5525-X, Dynamic update on Web/App; Exercise 7: PBR, Study PBR Contracts/Graph
• FTD 1.0.2 Device Manager Package – Exercise 1: FTD 6.2.2 Go-To Service Graph, Access Control Policy on FMC; Exercises 4,5: FMC, Add Malware block policy, then add APIC remediation instance & quarantine
APIC Unmanaged Service Graph
• Exercise 2 – FTD 6.2.2 Unmanaged Service Graph; Run Any ASA, FTD, or Fire(power) Platform, Code, and Features
APIC EPG-attached Services
• Exercise 3 – FTD 6.2.2 and EPG attached NGFW; Run Any ASA, FTD, or Fire(power) Platform, Code, and Features
Lab Guide can be downloaded at http://cs.co/acisec-lab-guide
Access Your Pod with RDP Session
POD Access and Instructions: Open RDP Session
Prep: Proctor provides RDP Access and Credentials
Remember your POD Number
Open your instructions PDF: http://cs.co/acisec-lab-guide
Exercises in Detailed Lab Diagrams
Application Profile Before and After Orchestration (rebuild-mypod.bash + later exercises)
Contracts: out-to-web (ASA), web-to-app (ASA), app-to-db (FTD)
Exercise 1 – ASA and Firepower NGFW in ACI (topology diagram, CL18 Barcelona)
• Outside Network / External VRF vrf(pod#)net: Outside host 10.70.0.101, gateway 10.70.0.1; L3out1, L3out2, L3out3
• Internal VRF pod(pod#)net: Web EPG – Web host IP 10.1.0.101/16 in BD1 (web); App EPG – App host IP 10.1.pod#.102/16; DB EPG – DB host IP 10.2.0.103 in BD2 (db), gateway 10.2.0.1; BD3
• ASA5525 Cluster: Routed L3FW Context, Dynamic Routing to vPC, GoTo Non-PBR (out-to-web)
• ASA5525 (Dynamic EPG): PBR GoTo L3FW, Routed L3FW Context, One-Arm Mode, ASA Failover; pbr-bd with 10.3.0.1 / 10.3.0.2 (web-to-app)
• NGFWv (FTDv): Routed Mode, GoTo Non-PBR (app-to-db)
• ASAv5 outside
• out-to-web contract: Source 10.70.0.101, Destination 10.1.0.101
• web-to-app: Src 10.1.0.101, Dst 10.1.p#.102
• app-to-db: Src 10.1.0.102, Dst 10.2.#.103
• Other addresses shown: 10.1.0.1; SVI/Subnet 10.1.0.2/24; 10.40.0.1 / 10.40.0.10; 10.50.0.1 / 10.50.0.10; 10.60.0.1 / 10.60.0.10
Click the Jumpbox icon to see the RDP menu.
Login info shown under RDP icon in Topology tab of labops portal
FMC https://10.0.0.30 – Login: (aciadmin / cisco)
pod1 to pod20: APIC: 10.10.35.10, vCenter: 10.10.35.120
pod21 to pod40: APIC: 10.10.35.11, vCenter: 10.10.35.125
APIC/vCenter Login: (pod# / cisco)
Let’s Do Exercise 1 Together…
• Open Chrome and log into your APIC (pod# / cisco)
• Click Tenants and find your pod# Tenant
• Open another tab in Chrome and log into your FMC
• https://10.0.0.30 (aciadmin / cisco)
• Go to System -> Licenses -> Smart Licenses
• Click on Evaluation (enable 90-day eval)
• Open SuperPuTTY via menu or desktop shortcut
• Go to bottom-left api-client tab and run ./ftd-reg.pl
• This will register two FTDv instances on VMware with your FMCv
• Now we wait for FTDv to show up in FMC
Choose to use FTDv in HA or Standalone
• Standalone FTDv
  • Takes about 1 min to deploy configuration from FMC
• FTDv HA pair
  • Takes about 3 min to deploy configuration from FMC
  • Building HA pair will take about 5 min
• FTDv HA Build Details
  • Go to Step 13 of Exercise 1 for details or follow me along
  • Gi0/0 is configured for HA link and LAN
  • Use Primary IP 10.10.1.1 and Secondary IP 10.10.1.2
• Now we wait for FTDv to show up in FMC
Let’s Do Exercise 1 Together… (continued)
• In the APIC Tenant assigned to you, open L4-L7 services
• Expand folder L4-L7 devices
• Expand folder Function Profiles
• Expand L4-L7 Service Graphs
• In SuperPuTTY api-client run your python script
  • cd demo/
  • ./rebuild-mypod.bash
• Now press Enter at each step to run each python script
• Watch your APIC folders reflect your script changes
Exercise 1, Step 1 – Firepower NGFWv HA in ACI: Orchestrate FTDv config to secure App to DB communication
(Diagram) External VRF | Internal Tenant VRF: App host in App EPG and DB host in DB EPG joined by the app-to-db Contract; FTDv HA pair managed by FMC; python scripts run from api-client
FTD Device Package in ACI
• GoTo (Routed L3FW); GoThrough (Transp. L2FW, Inline NGIPS)
• FMC manages FTDv Policy
• APIC uses FMC APIs to define interfaces, VLAN, IPs, BVIs, Inline pairs, etc.
• APIC tells vCenter to connect graph vNICs
FTDv Managed Service Graph – vNIC Pairs
(Diagram) FTDv on VMware (vCenter): vNIC2 on the consumer (app) service-graph port group, vNIC3 on the provider (db) service-graph port group; VLANs 100/200 and 304/305 shown on the port groups
FMC Security Zones are defined by APIC and inserted in ACP rules, which can be configured by the security admin to carry appropriate traffic controls and inspections (e.g. AMP).
Exercise 1, Step 2 – ASA HA Context in ACI: Orchestrate ASA config to secure Web to App communication
(Diagram) External VRF | Internal Tenant VRF: Web host in Web EPG and App host in App EPG joined by the web-to-app Contract; ASA Context on HA pair; python scripts run from api-client
PBR Service Graph to a Single Interface L3FW ASA (One-arm Graph, Managed, APIC 2.0)
(Diagram) BD1: Protected Servers in EPG Web and EPG App, DHCP: 10.1.0.100 – 10.1.0.140; BD_pbr: N9k SVIs 10.3.0.2, ASA Context 10.3.0.1 with Custom MAC 5585.4100.9300 and Default or Static Route to SVI; redirected protocols: http, ssh (file copy)
• Fabric directs traffic in and out of the same interface, using managed ASA. Must enable this ASA feature: same-security intra-interface.
• We can script a custom MAC on ASA(v) and set that MAC on the PBR redirect.
• PBR Service Graph redirects traffic between two EPGs within the same Bridge Domain (subnet).
• Select the type of traffic to redirect, versus what protocols not to redirect.
Exercise 1, Step 3 – ASA Cluster Context in ACI: Orchestrate ASA config and OSPF peers to secure campus to Web communication
(Diagram) Campus Network / External VRF: Outside host; Internal Tenant VRF: Web host in Web EPG; ASA Context on a Cluster inserted by the out-to-web Contract; python scripts run from api-client
Contract out-to-web and ASA GoTo Service Graph
(Diagram) Outside Network / External VRF vrf(pod#)net: Outside host 10.70.0.101, gateway 10.70.0.1; L3out1, L3out2, L3out3; ASA5525 Cluster – Routed L3FW Context, Dynamic Routing to vPC, GoTo Non-PBR; ASAv5 outside; Internal VRF pod(pod#)net: Web host IP 10.1.0.101/16 in Web EPG, BD1 (web), SVI/Subnet 10.1.0.2/16; App host IP 10.1.pod#.102/16 in App EPG; other addresses shown: 10.40.0.1 / 10.40.0.10, 10.50.0.1 / 10.50.0.10, 10.60.0.1 / 10.60.0.10
out-to-web contract: Source 10.70.0.101, Destination 10.1.0.101
Exercise 2 – Contract app-to-db: FTDv GoTo Unmanaged Service Graph
(Diagram) Internal VRF pod(pod#)net: Web host IP 10.1.0.101/16 in Web EPG, BD1 (web), 10.1.0.1, SVI/Subnet 10.1.0.2/24; App host IP 10.1.pod#.102/16 in App EPG; DB host IP 10.2.0.103 in DB EPG, BD2 (db), 10.2.0.1; NGFWv (FTDv) Routed Mode, GoTo Non-PBR; FMC as Service Manager (Hybrid Model); python scripts run from api-client
app-to-db: Src 10.1.0.102, Dst 10.2.0.103
APIC will create service graph port-groups and assign them to: Network Adapter 3 & 4
Exercise 3 – No Contract: FTDv Routed EPG-attached Integration
(Diagram) Internal VRF pod(pod#)net: Web host IP 10.1.0.101/16 in Web EPG, BD1 (web), 10.1.0.1, SVI/Subnet 10.1.0.2/24; App host IP 10.1.pod#.102/16 in App EPG; DB host IP 10.2.0.103 in DB EPG, BD2 (db), 10.2.0.1; NGFWv (FTDv) Routed Mode with EPG-attached vNICs; FMC as Service Manager; python scripts run from api-client
app-to-db: Src 10.1.0.102, Dst 10.2.0.103
Network Adapter 5 & 6 are already statically assigned to App and DB EPGs
Exercise 5 – FMC to APIC Rapid Threat Containment: FMC Remediation Module for APIC
(Diagram) ACI Fabric with App EPG (Infected App1, App2) and DB EPG; FMC
Step 1: An infected end point launches an attack; NGFW(v), FirePOWER Services in ASA, or a FirePOWER appliance blocks the attack
Step 2: An event is generated to FMC about the attack blocked from the infected host
Step 3: The attack event is configured to trigger the remediation module for APIC and quarantine the infected host using the APIC NB API
Step 4: APIC quarantines the infected App1 workload into an isolated uSeg EPG
See demo on http://cs.co/rtc-with-apic
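Added example (not code from the lab guide or from the cisco-security GitHub scripts) covering two of the steps described in this deck: the custom MAC that the one-arm PBR service graph redirect must carry (PBR Service Graph to a Single Interface L3FW ASA) and the uSeg EPG into which APIC quarantines the infected workload in Step 4 of Rapid Threat Containment. It builds the APIC REST payloads offline in Python, the language the lab's own scripts use. Tenant pod37, app profile aprof and BD1 are taken from the lab's object-group names and diagrams; the policy name asa-pbr and the EPG name quarantine-app1 are constructed for the example. The managed-object classes fvAEPg, fvCrtrn, fvIpAttr, vnsSvcRedirectPol and vnsRedirectDest are real APIC classes; the exact attribute set accepted should be checked against the API reference of the APIC release in use.

```python
"""Build APIC REST payloads for a PBR redirect destination carrying the ASA's
custom MAC, and for a uSeg quarantine EPG keyed on one host IP.

Added example; not from the lab guide. Everything except post_mo() runs
offline, and post_mo() is never called unless you call it yourself.
"""
import ipaddress
import json
import re
import ssl
import urllib.request

# ASA prints MACs as three dotted hex quads, e.g. 5585.4100.9300 on the slide.
ASA_MAC_RE = re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$")


def asa_mac_to_apic(mac: str) -> str:
    """Convert ASA dotted notation to the colon-separated form APIC uses."""
    m = ASA_MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"not an ASA-style MAC address: {mac!r}")
    digits = "".join(m.groups())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def pbr_redirect_policy(tenant: str, name: str, fw_ip: str, fw_mac: str) -> dict:
    """vnsSvcRedirectPol with one vnsRedirectDest: the firewall's one-arm interface.
    The MAC must equal the one scripted on the ASA interface; the leaf rewrites the
    destination MAC of redirected frames to it, so a mismatch means the firewall
    silently drops the redirected traffic."""
    ipaddress.ip_address(fw_ip)  # raises ValueError on a malformed address
    return {
        "vnsSvcRedirectPol": {
            "attributes": {
                "dn": f"uni/tn-{tenant}/svcCont/svcRedirectPol-{name}",
                "name": name,
            },
            "children": [
                {"vnsRedirectDest": {"attributes": {
                    "ip": fw_ip,
                    "mac": asa_mac_to_apic(fw_mac),
                }}}
            ],
        }
    }


def quarantine_useg_epg(tenant: str, app_profile: str, epg_name: str,
                        host_ip: str, bd_name: str) -> dict:
    """Attribute-based (uSeg) EPG whose only membership criterion is the infected
    host's IP. With no contracts attached and the VRF in enforced mode, the host
    can no longer reach the App or DB EPGs. The uSeg EPG must sit in the same
    bridge domain as the host's base EPG (BD1 in the lab diagrams)."""
    ipaddress.ip_address(host_ip)
    return {
        "fvAEPg": {
            "attributes": {
                "dn": f"uni/tn-{tenant}/ap-{app_profile}/epg-{epg_name}",
                "name": epg_name,
                "isAttrBasedEPg": "yes",
            },
            "children": [
                {"fvRsBd": {"attributes": {"tnFvBDName": bd_name}}},
                {"fvCrtrn": {
                    "attributes": {"name": "default"},
                    "children": [
                        {"fvIpAttr": {"attributes": {
                            "name": f"ip-{host_ip}", "ip": host_ip}}}
                    ],
                }},
            ],
        }
    }


def mo_url(apic: str, payload: dict) -> str:
    """POST target for a payload whose top-level MO carries its dn."""
    (_, body), = payload.items()
    return f"https://{apic}/api/mo/{body['attributes']['dn']}.json"


def login_payload(user: str, password: str) -> dict:
    """Body for POST /api/aaaLogin.json; the response carries the APIC-cookie token."""
    return {"aaaUser": {"attributes": {"name": user, "pwd": password}}}


def post_mo(apic: str, token: str, payload: dict, verify_tls: bool = True) -> int:
    """Push a payload using a token from aaaLogin. verify_tls=False only for the
    lab's self-signed certificates; keep verification on anywhere else."""
    ctx = None if verify_tls else ssl._create_unverified_context()
    req = urllib.request.Request(
        mo_url(apic, payload), data=json.dumps(payload).encode(),
        headers={"Cookie": f"APIC-cookie={token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(pbr_redirect_policy("pod37", "asa-pbr", "10.3.0.1",
                                         "5585.4100.9300"), indent=2))
    print(json.dumps(quarantine_useg_epg("pod37", "aprof", "quarantine-app1",
                                         "10.1.37.102", "BD1"), indent=2))
```

The redirect payload pins the firewall's MAC explicitly because ACI PBR does not learn it: if the ASA interface MAC is changed later (for example by a failover to a unit without the scripted MAC), redirected traffic stops until the vnsRedirectDest entry is updated, which is the reason the deck scripts a fixed custom MAC on the ASA rather than relying on the burned-in one.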
Exercise 6 – Attachment Notification on Service Graph Terminals
P2-ASA5525-1/pod37# show object-group
object-group network __$EPG$_pod37-wan-out-out-l3out3
network-object 10.70.0.0 255.255.255.0
object-group network __$EPG$_pod37-aprof-app
network-object host 10.1.37.102
object-group network __$EPG$_pod37-aprof-web
network-object host 10.1.0.101
(Diagram) Outside Network: Outside host 10.70.0.101, gateway 10.70.0.1; Web EPG: Web host IP 10.1.0.101/16, BD1 (web), SVI/Subnet 10.1.0.2/24; App EPG: App host IP 10.1.37.102/16
out-to-web contract: Source 10.70.0.101, Destination 10.1.0.101
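As an added example (not part of the lab guide), this Python parses the `show object-group` output above and checks it against the endpoints APIC is expected to have pushed through the attachment notification. The sample text is the slide's output retyped; the extra address 10.1.37.103 in the check is a constructed endpoint included only to show how a notification that has not landed on the ASA surfaces as a missing entry.

```python
"""Parse ASA `show object-group` output and verify the EPG-derived object
groups the ASA device package maintains. Added example; not lab-guide code.
"""
import ipaddress
import re

# The slide's output for pod37, retyped here as constructed offline input.
SAMPLE = """\
P2-ASA5525-1/pod37# show object-group
object-group network __$EPG$_pod37-wan-out-out-l3out3
network-object 10.70.0.0 255.255.255.0
object-group network __$EPG$_pod37-aprof-app
network-object host 10.1.37.102
object-group network __$EPG$_pod37-aprof-web
network-object host 10.1.0.101
"""

EPG_PREFIX = "__$EPG$_"            # prefix the device package puts on EPG groups
GROUP_RE = re.compile(r"^object-group network (\S+)$")
HOST_RE = re.compile(r"^network-object host (\S+)$")
SUBNET_RE = re.compile(r"^network-object (\S+) (\S+)$")   # address + netmask


def parse_object_groups(text):
    """Return {group_name: [ip_network, ...]} from show object-group output."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "# show" in line:        # blank line or the CLI prompt
            continue
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is None:
            continue
        m = HOST_RE.match(line)                  # check host form first: it also
        if m:                                    # matches the two-token pattern
            groups[current].append(ipaddress.ip_network(f"{m.group(1)}/32"))
            continue
        m = SUBNET_RE.match(line)
        if m:
            groups[current].append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return groups


def epg_groups(groups, tenant):
    """Only the APIC-maintained groups, keyed by EPG name without the tenant prefix."""
    prefix = f"{EPG_PREFIX}{tenant}-"
    return {name[len(prefix):]: members
            for name, members in groups.items() if name.startswith(prefix)}


def groups_covering(groups, ip):
    """Which object groups (hence which EPG ACL entries) an address falls into."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in groups.items()
                  if any(addr in net for net in nets))


def missing_endpoints(groups, expected):
    """expected: {group_name: [ip, ...]} taken from APIC's endpoint view.
    Returns (group, ip) pairs APIC knows about but the ASA does not yet list,
    i.e. attachment notifications that have not been applied."""
    missing = []
    for name, ips in expected.items():
        nets = groups.get(name, [])
        for ip in ips:
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                missing.append((name, ip))
    return missing


if __name__ == "__main__":
    g = parse_object_groups(SAMPLE)
    for epg, nets in epg_groups(g, "pod37").items():
        print(epg, [str(n) for n in nets])
    print("10.70.0.101 hits:", groups_covering(g, "10.70.0.101"))
    # 10.1.37.103 is constructed: it is not on the slide, so it is reported missing.
    print("missing:", missing_endpoints(
        g, {"__$EPG$_pod37-aprof-app": ["10.1.37.102", "10.1.37.103"]}))
```

Run it against a live capture by replacing SAMPLE with the saved output of `show object-group` from the ASA context; comparing the result with APIC's endpoint table after each EPG change is a quick way to confirm that the dynamic EPG update actually reached the firewall's ACL objects.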
Exercise 7 – Study Mechanics and Benefits of PBR Service Graph
(Diagram) One-arm Graph: Protected Servers in EPG Web and EPG App (BD1), DHCP: 10.1.0.100 – 10.1.0.140; BD_pbr: N9k SVIs 10.3.0.2, ASA Context 10.3.0.1 with Custom MAC 5585.4100.9300 and Default or Static Route to SVI; protocols shown between the EPGs: http/ssh, icmp
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the WoS – Visit Security Booths
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Additional Resources
• List of ACI White Papers – https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-listing.html
• Service Graph design – https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-734298.html
• ASAv PBR Service Graph – https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/secure-data-center-solution/guide-c07-739765.html
• PBR Service Graph Designs – https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html
• Cisco Advanced Security in ACI Playlist – https://www.youtube.com/playlist?list=PLvnemMVdgW1s77HuPk04VWwP47Y8EvlQl
• GitHub python scripting for automation of ASA and FTD service graph with ACI – https://github.com/cisco-security
FTD 1.0.2 FI Device Package Posted
ASA PO & FI Device Package
FMC Remediation Module for ACI on Cisco.com