
#CiscoLiveAPJC

Cisco Defense Orchestrator
Manage Your Cisco Firewalls Anywhere

Anshul Kaushik, Technical Solutions Architect
Lookman Kurusumuthu, Director, System Engineering

BRKSEC-1138

#CiscoLiveAPJC BRKSEC-1138 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public
Abstract
Cisco Defense Orchestrator (CDO) is a SaaS that is delivered from the Cloud but provides management to your Firewall wherever it sits: Physical, Virtual, On-Prem, Public Cloud, Private Cloud, or even in a container. Cloud Delivered Firewall Management Center (cdFMC) is a cloud delivered, turnkey SaaS for managing all of your FTD needs without the need to manage FMC infrastructure. Cisco Secure Analytics and Logging (SAL) is a SaaS that enables Firewalls to send their logs safely and securely to the Cloud while providing one convenient place to troubleshoot, audit, and analyze your events. In this session, you will learn:
1. How these services integrate and work together to provide a comprehensive, end-to-end Firewall Management solution, no matter the platform.
2. The architecture of the CDO, cdFMC, Multi-Cloud Defense (MCD), and SAL deployment models.
3. How to use CDO to operationalize your logging views under a single pane of glass.
4. How SAL leverages log data to provide actionable analytics using an embedded Cisco Secure Analytics integration.
5. Best practices for operationalizing CDO, cdFMC, MCD, and SAL together in your environment.

The session will include a mixture of lecture and real product demos.
A basic understanding of Cisco Firewalls (ASA and/or FTD) by attendees is assumed for this session.

Cisco Webex App

Questions? Use the Cisco Webex App to chat with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until December 22, 2023.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-1138

Your Speaker
Anshul Kaushik

• ankaushi@cisco.com
• CCIE Security #23790
• 20 Years in Industry, 18 with Cisco
• TAC – Presales – Channels
• Drives end-to-end Security Enablement
• Lives in Melbourne and likes the outdoors

Agenda
• Introduction/Overview – What, Where & Why?
• Cloud Delivered FMC and Managing FTD
• Multi-Cloud Defense
• Managing ASA and other Platforms
• Security Analytics and Logging
• API Integrations and DevOps
• Wrap up

Why Cisco Defense Orchestrator

What is Cisco Defense Orchestrator (CDO)?
Consistently manage policies across your Cisco security products. CDO is a cloud-based application that cuts through complexity to save time and keep your organization protected against the latest threats.

Key Benefits
• Streamline security management
• Reduce time spent on security management tasks by up to 90%
• Achieve better security while reducing complexity
• Prioritize response
• Visibility
• Lower TCO

Features
• Consistent policy enforcement
• Faster device deployments
• Configuration management
• API Integrations
• Manage Anywhere
• Turnkey SaaS
• Low Touch Provisioning
• Shared Objects

(Diagram: CDO at the centre of the managed estate. Functions: Policy – CDO; Visibility & Eventing – SAL; Incident response – CTR. Managed platforms and sites: ASA, FTD, HQ, Network, SD-WAN, Users, Cloud Application, Branch, Data Center, Roaming Users, Admin.)

Challenges to Securing an Enterprise
Perimeters are no longer geographically defined, so a single perimeter firewall is no longer the norm.

• Single control point is not adequate: every environment needs its own micro-perimeter.
• Management complexity: NetSec and IT use dozens of point products, each with its own management console.
• Evolving form factor: single control points are now replaced by multiple firewalls, both physical and virtual.
• Evolving threat landscape: security products need a continuous feed of threat intelligence to stay ahead of attackers.
• Policy sprawl: harmonizing policies across micro-perimeters is challenging.

Managing network and application security is hard work.

CDO Solves Problems FAST

CDO is a SaaS leveraging a CI/CD Pipeline (Continuous Integration, Continuous Delivery).

Releases/Sprints:
• CDO: 1 week
• cdFMC: 4-6 weeks
• Customers ask... we deliver

(Diagram: CI/CD loop with the stages Plan, Code, Build, Continuous Testing, Release/Deploy.)

CDO Needs NO Inbound Access
• Devices initiate the connection via the Internet
• CDO does not need inbound connectivity
• Flexible connectivity options
• CLI and API access via CDO
• SDC/SEC for ASA and IOS

CDO “Outbound Only” Connectivity

CDO Manages Devices Anywhere
Physical Hardware, Public or Private Cloud Virtual, FTD Instances, ASA Contexts, and even containerized.

CDO Simplifies Advanced Tooling

• Migrate FTD from On-Prem FMC to cdFMC

CDO Simplifies Advanced Tooling

• Firewall Migration Tool

• ASA → cdFMC/FTD

• FDM → cdFMC/FTD

• PAN → cdFMC/FTD

• Fortinet → cdFMC/FTD

CDO Simplifies Advanced Tooling

• Cisco Secure Dynamic Attributes Connector (CSDAC)

CDO Simplifies Fleet Management
❖ New notifications coming for AnyConnect Certificate Expiration

CDO Simplifies Fleet Management
• Scheduled code upgrades

CDO Simplifies Fleet Management
• Notifications via email or webhooks

CDO Simplifies Visibility
• Device configuration changes

CDO Simplifies Visibility
• Remote Access VPN (Live and Historical)

CDO Simplifies Visibility
• Site-to-Site VPN

CDO Simplifies Visibility
• Centralized Logging and Analytics for ASA and FTD

CDO Simplifies FTD Management at Scale
• Manage up to 1000 FTDs from a single instance of cdFMC

CDO Simplifies Cloud Security
• Integration with Multicloud Defense

CDO to integrate with “all the things”

OnPrem FMCs
Auto-Discover and share objects with OnPrem FMCs

ASA Object and Policy Management

AWS VPC Security Group Policy Management

Meraki MX Policy Management

IOS Bulk CLI Access & Config Visibility

Multicloud Defense

Cloud Delivered Firewall Management Center (cdFMC)

• Cloud native FMC platform provided by Cisco Defense Orchestrator
• Not just a lift-and-shift VM of FMC
• Manage any FTD from any form factor – physical or virtual
• Manage any FTD from anywhere

Cloud Delivered Firewall Management Center

• Manage up to 1000 FTDs from a SINGLE INSTANCE of cdFMC
• Roadmap is 2000 FTDs from a single instance
• Rapid release CI/CD pipeline = new features in weeks instead of months
• SaaS – Cisco FULLY manages and maintains the FMC
• SaaS – Focus on managing security posture, not “managing the manager”

Cloud Delivered Firewall Management Center

Requirements to be managed by cdFMC:
• FTD Version 7.0.3+ minimum
• FTD Version 7.2+ to use Low Touch Provisioning (LTP)
• OnPrem FMC 7.2+ to migrate FTD to cdFMC (Manager migration)
• Internet access from the management interface or from a data interface
• Legacy FMC migration coming soon!

Complete FTD Mgmt with cdFMC

Deploy FTD to Cloud of Choice

❖ Wizard Driven
❖ Deploy instance
❖ Auto-Add to cdFMC
❖ All from CDO

Onboard Cisco Secure Firewall

Onboard Cisco Secure Firewall
Select FTD

Onboard Cisco Secure Firewall
• “configure manager” CLI method
• Low touch provisioning for FPR1000, FPR2100, FPR3100: See demo video here

Onboard Cisco Secure Firewall

Assign the default policy

Onboard Cisco Secure Firewall

• Select the device form factor
• Select the tier (virtual only)
• Select the feature entitlements

Onboard Cisco Secure Firewall

Onboard Cisco Secure Firewall
Refresh connectivity status: registration will retry every 5 minutes, or we can click “Retry Onboarding” for an on-demand retry.

Onboard Cisco Secure Firewall
Ensure the management plane has outbound Internet access and DNS resolution is working:

ping system <hostname>

Onboard Cisco Secure Firewall
Paste the CDO generated configuration to the FTD CLI

Onboard Cisco Secure Firewall

• SFTunnel was successfully built
• Initial device config and default policy are being pushed to the FTD

Onboard Cisco Secure Firewall

❖ Device fully onboarded
❖ Ready to manage with cdFMC

Onboard Cisco Secure Firewall

Launch into Cloud Delivered Firewall Management Center

Onboard Cisco Secure Firewall

Onboard Cisco Secure Firewall

When the secondary device is initially added, it will show up as a distinct device.

Onboard Cisco Secure Firewall

• Once the HA has been configured in firewall management center, the CDO device objects will be automatically merged into 1 device

(Screenshot callouts: HA Group Name; HA roles and status (green/red).)

Cloud Delivered FMC

Live demo of cdFMC and FTD management

ASA Management
Platform Settings

ASA Management
Interface Settings

ASA Management
Static Routing

ASA Management
New Policy Editor Coming Soon!

ASA Management
Objects and Policy Management

ASA Management
Policy Based and VTI/Route-Based VPN Wizards

ASA Management
ASA Bulk CLI and Macros

ASA Management
Scheduled ASA Upgrades

ASA Management
Detailed Changelogs and Diff Views Available

ASA Management
Troubleshooting Tools From CDO – No CLI required

ASA Management
Lots more functionality including:
• Configuration visibility
• NAT policy
• Backups
• File management
• Certificate management
• Out of band change management
• Interface configuration
• Routing configuration
• Platform Settings Policy

Live demo of common ASA tasks

CDO Visibility
Security Analytics and Logging

Unified views:
• FTD Connection Events
• FTD IPS/Threat Events
• FTD Malware Events
• FTD URL Events
• FTD Threat Intelligence Events
• ASA Connections, Syslog, Netflow, etc.

Security Analytics and Logging
Log from anywhere securely

Security Analytics and Logging
FTD Analytics Dashboard

Security Analytics and Logging
Telemetry for each event is visible

Security Analytics and Logging
Background Search

Security Analytics and Logging
Scheduled Searches

Security Analytics and Logging
Feeds Telemetry to Cisco Secure Analytics (Formerly Stealthwatch Cloud)

Security Analytics and Logging
What’s coming for Security Analytics and Logging*

• Security Analytics and Logging 2.0
• Improved search times
• Closer alignment to OnPrem FMC event viewer
• Packet Payload Capture for IPS Events

* Subject to change

Security Analytics and Logging

Live demo of SAL

DevOps
CDO Terraform Provider
CDO Terraform provider available through the Terraform Registry:
https://registry.terraform.io/providers/CiscoDevNet/cdo/latest

CDO Ansible Collection
CDO Ansible collection available through Ansible Galaxy:
https://galaxy.ansible.com/ui/repo/published/cisco/cdo

CDO API
A NEW customer API is coming! (March/April 2024*)
Both fully documented and DevNet community supported

* Subject to change

CDO API
Step 1: Create an API only user for your tenant and select RBAC role

*Disclaimer: API is not fully supported (YET!) today but nothing is stopping your careful use of it.

CDO API
Step 2: Authentication and content-type
• Each API call requires an HTTP authentication header
• It is a simple bearer token (use the API token from step 1)
• Must also include a content-type “application/json” header

(Slide shows a Postman example and a cURL example of the same request.)

CDO API
Step 3: How does the CDO UI do it?

Using “Developer Tools” in Firefox, you can see the API endpoints and the data structures of the POST/PUT payloads in the “network” tab.

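A minimal client for steps 1 to 3, added here as an example (not code from the slides or from Cisco): it reads the API-only user's token from an environment variable rather than a script, sends the bearer and content-type headers on every call, keeps the token out of error messages, and reports 401/403 as the token-or-RBAC-role problem to check first. The base URL, the path, and the CDO_API_TOKEN variable name are assumptions; take the real endpoint paths from the browser's network tab as step 3 describes.

```python
import json
import os
import urllib.error
import urllib.request

# Assumptions (not from the slides): the API base URL and paths are supplied by
# the caller, taken from the browser's network tab as step 3 describes; the token
# of the API-only user (step 1) is read from the CDO_API_TOKEN environment variable.


def build_headers(token):
    """The two headers every CDO API call needs (step 2)."""
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("API token is missing or malformed")
    return {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    }


def token_from_env(var="CDO_API_TOKEN"):
    """Load the token at run time; never hardcode it in scripts or shell history."""
    token = os.environ.get(var, "")
    if not token:
        raise RuntimeError("set %s to the API-only user's token" % var)
    return token


def build_request(base_url, path, token, method="GET", payload=None):
    """Assemble (but do not send) the request; JSON-encode any payload."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send a bearer token over plain HTTP")
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    body = None if payload is None else json.dumps(payload).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=build_headers(token),
                                  method=method)


def redact(text, token):
    """Keep the bearer token out of logs and exception messages."""
    return text.replace(token, "<redacted>")


def call_api(base_url, path, token, method="GET", payload=None, timeout=30):
    """Send the request and return (HTTP status, decoded JSON body or None)."""
    req = build_request(base_url, path, token, method, payload)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read().decode("utf-8")
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        detail = err.read().decode("utf-8", errors="replace")
        hint = ""
        if err.code in (401, 403):
            # Wrong or expired token, or the API-only user's RBAC role (step 1)
            # does not permit this operation.
            hint = " (check the token and the user's RBAC role)"
        msg = "%s %s -> HTTP %d%s: %s" % (method, path, err.code, hint, detail)
        raise RuntimeError(redact(msg, token)) from err


if __name__ == "__main__":
    # Placeholder host and path; replace them with the values observed in step 3.
    status, data = call_api("https://<cdo-api-host>", "/<api-path>", token_from_env())
    print(status, json.dumps(data, indent=2))
```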
Automating CDO using Terraform and Ansible

Wrap-Up
Register today for your free Demo/POV of CDO and cloud delivered FMC. Try it out!

[APJ] https://apj.cdo.cisco.com
[US] https://www.defenseorchestrator.com
[EMEA] https://www.defenseorchestrator.eu

Or go to https://getcdo.com

Summary

• Firewall management platform and orchestration
• You ain’t seen nothing yet! CI/CD = Rapid innovation!
• cdFMC is a game changer – Focus on policy not the manager
• cdFMC LTP makes remote branch deployments plug-and-play
• Shared Objects = more consistent policy and fewer mistakes
• RA VPN visibility is excellent for managing work-from-anywhere
• Operation at scale is possible

Cisco Secure Firewall YouTube Channel
Low Touch Provisioning Demo

Session Surveys
We would love to know your feedback on this session!
• Complete a minimum of four session surveys and the overall event surveys to claim a Cisco Live T-Shirt

Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Expert meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

Thank you

#CiscoLiveAPJC