Remote Access VPN
Firepower Remote Access (RA) VPN allows individual users to connect to a private business network from a remote location using a laptop or desktop computer connected to the internet, or an Android or Apple iOS mobile device. Remote users transfer data securely and confidentially using encryption techniques crucial for data being transferred over shared mediums and the Internet. Key capabilities of RA VPN include:
- Secured Access – provided by the Cisco AnyConnect VPN client using either SSL or IPsec tunneling and encryption protocols. This is the only client supported for remote access connectivity.
- Authenticated & Authorized Access – AAA support for Authentication (LDAP/AD/RADIUS and client certificate-based), Authorization (RADIUS authorization attributes: DACL, Group Policy, address assignment, etc.) and Accounting (RADIUS).
- VPN Connectivity – Connection Profiles and Group Policies allow you to define address assignments, split tunneling, the DNS server, timeouts, access hours, client firewall ACLs, and AnyConnect client profiles.
- Monitoring & Troubleshooting – provides multiple analysis views so that VPN user activity can be tracked and analyzed over time. In addition, you can view the Remote Access VPN Troubleshooting Logs. Troubleshooting can be used when you have issues creating or deploying an RA VPN policy, when RA VPN connections or traffic are not as expected, or when events and statistics are not populating properly. This feature also provides the capability to bulk logout the currently logged-in VPN users. These functions can be used in either the Firepower Management Center or the Firepower Device Manager.
- Availability – Firepower Threat Defense high availability, multiple interfaces (dual ISP), and multiple AAA servers are supported.
- Licensing – Smart Licensing, based on the AnyConnect 4.x model, for Apex, Plus and VPN-only licenses.
- Management – A simple RA VPN wizard on both the Firepower Management Center and the Firepower Device Manager which provides quick and easy setup of:
  - RA VPN policy configuration entities, including Connection Profiles, Group Policies, Address Pools, etc.
  - Secure gateways: the Firepower Threat Defense devices to which the remote user connects.
  - Interfaces on the managed Firepower Threat Defense that users will access to establish VPN connections.
  - The AnyConnect client image downloaded when a connection is initiated by a desktop or laptop platform. Mobile devices obtain AnyConnect from their app store.
- Identity Integration and Monitoring – Seven new dashboard widgets allow you to monitor user VPN activity. This includes logon and logoff events, active session status, and the ability to monitor and terminate specific VPN sessions.
QoS/Rate Limiting Enhancements
Rate limiting is a mechanism to manage the rate of traffic flowing in and out of network interfaces based on traffic attributes, such as application, file downloading, etc. It is most effective when combined with bandwidth control based on traffic attributes such as source zones, destination zones, source networks, destination networks, source ports, destination ports, applications, users, URLs, and ISE attributes. Network administrators can apply rate limiting per network interface by configuring a QoS (Quality of Service) policy on their Firepower Device Manager and deploying the policy to Firepower Threat Defense devices. Administrators can do the following in Version 6.2.1:
- Rate limit traffic up to 100,000 Mbps (previously 1,000 Mbps).
- Use custom Security Group Tags (SGTs) in QoS rules.
- Use original client network conditions (XFF, True-Client-IP, or custom-defined HTTP headers) in QoS rules.
Packet Capture at Time of Crash
Previously, the contents of any active capture on Firepower were not saved when the appliance experienced issues. You can now store active capture contents to flash/disk at the time of an appliance crash to facilitate troubleshooting.
Often, when you troubleshoot a crash that involves traffic, Cisco TAC needs to know exactly which traffic caused the crash. Cisco TAC can get this information from a core dump, but the information may be limited by the following factors:
- The packet might have been corrupted, so no useful information is present in the core dump.
- The crash is caused by a combination of conditions created by a series of packets, but the core dump offers information from only the last packet.
Version 6.2.1 now saves the packets captured entering and leaving the Firepower appliance up until the point of the crash (if the circular option is specified for the capture).
Access Rule Bulk Insert
Using the REST API, Version 6.2.1 now supports bulk access control rule creation. Previously, if you had a thousand access rules to create, each access rule required a post process that could take anywhere from 5-10 seconds to complete. Now, using this API enhancement, you can submit all of these rules through a single post process, greatly reducing the amount of time it takes to perform this action.
Firepower Management Center API Enhancement
The Firepower Management Center API now supports bulk access control rule creation. Previously, if you had a thousand access rules to create, each access rule required a post process that could take anywhere from 5-10 seconds to complete. Now, using this API enhancement you can submit all of these rules through a single post process and greatly reduce the amount of time it takes to perform this action.
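The bulk rule creation described in this section and in "Access Rule Bulk Insert" above, as an added example that is not part of the original release notes: it builds access rule objects, plans the POSTs against the Firepower Management Center `accessrules` endpoint with `bulk=true`, and contrasts the request count with the one-rule-per-POST approach. Host, domain and policy UUIDs are placeholders, and the per-request batch ceiling `BULK_LIMIT` is an assumption to check against the API guide for your release.

```python
import json
import urllib.request

# Constructed placeholders, not values from a real deployment.
FMC_HOST = "fmc.example.invalid"
DOMAIN_UUID = "<domain-uuid-placeholder>"
POLICY_UUID = "<access-policy-uuid-placeholder>"
BULK_LIMIT = 1000  # assumed per-request ceiling; confirm in the API guide for your release


def access_rule(name, action, log=True):
    """Build one access rule object in the shape the accessrules resource accepts."""
    return {
        "type": "AccessRule",
        "name": name,
        "action": action,          # e.g. "ALLOW" or "BLOCK"
        "enabled": True,
        "sendEventsToFMC": log,
        "logEnd": log,
    }


def accessrules_url(bulk):
    """Rule-creation endpoint; bulk=true makes the server accept a JSON array of rules."""
    url = (f"https://{FMC_HOST}/api/fmc_config/v1/domain/{DOMAIN_UUID}"
           f"/policy/accesspolicies/{POLICY_UUID}/accessrules")
    return url + "?bulk=true" if bulk else url


def plan_posts(rules, bulk=True):
    """Return the (url, body) POSTs needed: one per rule without bulk,
    one per BULK_LIMIT-sized batch (array body) with bulk."""
    if not bulk:
        return [(accessrules_url(False), json.dumps(r)) for r in rules]
    return [(accessrules_url(True), json.dumps(rules[i:i + BULK_LIMIT]))
            for i in range(0, len(rules), BULK_LIMIT)]


def send(url, body, token):
    """POST one planned request using the session token from /api/fmc_platform/v1/auth/generatetoken.
    Not invoked below; it needs network access to a real FMC."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "X-auth-access-token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rules = [access_rule(f"rule-{i}", "ALLOW") for i in range(2500)]
    print(len(plan_posts(rules, bulk=False)), "POSTs without bulk")  # 2500
    print(len(plan_posts(rules, bulk=True)), "POSTs with bulk")      # 3
```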
Automatic Application Bypass
Automatic Application Bypass (AAB) provides the ability to limit the amount of time spent processing a single packet through an interface. It enables those packets to bypass detection if the time is exceeded. The feature functions with any deployment; however, it is most valuable in IPS inline deployments to balance packet processing delays with the network's tolerance for packet latency. When a malfunction within Snort or a device misconfiguration causes traffic processing time to exceed a specified threshold, AAB causes Snort to restart and generates troubleshooting data that can be analyzed to determine the cause of the excessive processing time. A user can change the bypass threshold if the option is selected. The default setting is 3,000 milliseconds. The valid range is from 250 milliseconds to 60,000 milliseconds.
FlexConfig Updates
FlexConfig uses CLI template-based functionality on the Firepower Management Center to enable ASA functions that are not yet supported through the Firepower Management Center user interface.
As per the Government Certification requirements, all sensitive information, such as passwords and shared keys, in system-provided or user-defined FlexConfig objects should be masked using secret key variables. After you update the Firepower Management Center to Version 6.2.1, all sensitive information in FlexConfig objects is converted to the secret key variable format.
In addition, the following new FlexConfig templates are added as part of Version 6.2.1:
- The TCP embryonic connection limit and timeout configuration template allows you to configure embryonic connection limit/timeout CLIs to protect against SYN flood DoS attacks.
- The turn-on threat detection configure and clear templates allow you to configure threat detection statistics for attacks intercepted by TCP Intercept.
- The IPv6 routing header inspection template allows you to configure IPv6 header inspection to selectively allow or block certain header types (e.g. allowing RH Type 2, mobile).
- The DHCPv6 prefix delegation template allows you to configure one outside interface (PD client) and one inside interface (recipient of the delegated prefix) for IPv6 prefix delegation.
Policy Deployment Improvements
Elimination of Snort restarts during configuration deployment of:
- SMTP, POP, and IMAP preprocessor decoding depths
- HTTP preprocessor compression depths
- Affected adaptive profile, performance monitor, and advanced access control policy file and malware settings
Warnings of Snort restarts when:
- Turning on or breaking Firepower Threat Defense high availability
- Activating, deactivating, or modifying application detectors
CLI Command to Control TCP Sequence Randomization
Each TCP packet carries two sequence numbers. Firepower Threat Defense devices, by default, randomize the sequence numbers in both the inbound and outbound directions. This feature provides the ability to enable and disable this randomization via the command line.
If necessary, to confirm that TCP randomization is disabled, capture TCP packets on the inside and outside interfaces. When randomization is disabled, the sequence numbers of the same packet seen on the inside and outside interfaces will be identical.
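The inside/outside comparison just described, as an added example that is not part of the original release notes: it parses the raw Ethernet/IPv4/TCP headers from two captures, pairs each packet by its 5-tuple and IP ID, and reports whether the sequence numbers survived the device unchanged. The frames are constructed inline for testing, and the pairing assumes no NAT on the captured flow.

```python
import struct


def build_frame(src_ip, dst_ip, sport, dport, seq, ip_id=0x1234):
    """Constructed Ethernet/IPv4/TCP SYN frame for testing; not a real capture."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def tcp_fields(frame):
    """Return (src, dst, sport, dport, ip_id, seq) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length in bytes
    if frame[23] != 6:                                   # IP protocol field must be TCP
        return None
    ip_id = struct.unpack("!H", frame[18:20])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    off = 14 + ihl
    if len(frame) < off + 8:
        return None
    sport, dport, seq = struct.unpack("!HHI", frame[off:off + 8])
    return src, dst, sport, dport, ip_id, seq


def compare_captures(inside, outside):
    """Pair packets seen on both interfaces (by 5-tuple + IP ID, so NAT is assumed absent)
    and map each key to (inside_seq, outside_seq)."""
    seen_outside = {}
    for f in outside:
        t = tcp_fields(f)
        if t:
            seen_outside[t[:5]] = t[5]
    pairs = {}
    for f in inside:
        t = tcp_fields(f)
        if t and t[:5] in seen_outside:
            pairs[t[:5]] = (t[5], seen_outside[t[:5]])
    return pairs


def randomization_disabled(inside, outside):
    """True only if at least one packet was matched and every match kept its sequence number."""
    pairs = compare_captures(inside, outside)
    return bool(pairs) and all(a == b for a, b in pairs.values())
```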