
Advanced IOS Security

BRKSEC-3007

Kural Arangasamy, Technical Marketing Engineer, @kuralvanan
Kureli Sankar, Technical Marketing Engineer, CCIE Security #35505, @jmckg
Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKSEC-3007

Cisco Spark spaces will be available until July 3, 2017.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• WAN Edge Secure Gateway - Solution Components
• Threat Landscape & Threat Analysis
• Technical Deep Dive – Zone Based Firewall
• Technical Deep Dive – Snort IPS
• Technical Deep Dive – SLNL
• Q/A

Changes @ Branch Lead to Security Challenges

• Increased Threat Surface Area: Mobile, Cloud, IoT, DIA
• Increased Threat Sophistication: average time to discover 80 days*
• Increased Complexity for Mitigation: average time to resolve 123 days*

“30% of advanced targeted threats specifically target branch offices as an entry point.”

Sources:
* Ponemon Institute Study
** Gartner, Forecast Analysis: Worldwide Enterprise Network Services, Q2 2014 Update
Gartner: “Bring Branch Office Network Security Up to the Enterprise Standard”, Jeremy D’Hoinne, 26 April 2013.
WAN Edge Secure Gateway Accelerates DIA Deployments

[Diagram: Branch ISR4K running VPN, FW, URLF, IPS and AMP; IPsec VPN to the Corporate Network; Direct Internet Access to the Public Cloud; a Virtual ASR in the Private Cloud; Umbrella Secure Internet Gateway in front of the Internet]

[Table of use cases (Compliance, Guest Access, SaaS, Direct Cloud Access, Direct Internet Access) against the security features applied at the WAN edge for each: IPsec VPN, Zone Based Firewall, Snort IPS, Umbrella URL Filtering, Firepower NGIPSv [OR] Umbrella SIG, Anomaly Detection; risk markers flag where each use case is exposed]
WAN Edge Secure Gateway
Solution Components
Trustworthy Systems (ISR4K)

• Secure Connectivity: Scalable, Strong Encryption; Site-to-site VPN; Remote Access VPN
• Threat Protection: FW, IPS, AMP, Threat Grid, NGIPSv, Umbrella Branch SIG
• Anomaly Detection: Application Visibility, NaaS/Stealthwatch, SLNL
• Access Control: CASB, NaaE, ISE, TrustSec

Secure, Reliable and High Performance Application Experience
Trustworthy Systems (ISR4K)

Trusted Hardware
• TAM/Secure Identity – Checks to verify as Cisco Genuine: authenticity check; verify secure identity
• Product Security Integrity Check – TAM features & services: immutable identity & license; secure storage (keys & objects); certifiable entropy source; secure crypto assist; secure application certificates

Trusted Software – Power-Up Secure Boot Process (image verification and image signing at every stage)
1. Power On – Hardware Anchor: an immutable anchor ensuring hardware integrity and authenticity
2. Secure Microloader: the immutable microloader verifies the Bootloader/BIOS integrity and key authenticity
3. Signed Bootloader/BIOS: a signed Bootloader/BIOS validates the Operating System
4. Signed Operating System: the verified Operating System is launched

Learn more: BRKARC-1010 “Protecting the Device: Cisco Trustworthy Systems & Embedded Security”
Threat Landscape & Analysis

Threat Landscape
• Cyber Warfare
• Nation-State Sponsored
• Organized Crime / Targeted Attacks
• Financially Motivated
• Social Engineering

Types of Threats
• Security bug / Vulnerability
  e.g.: Heartbleed, SMBv1 vulnerability, IKEv1 vulnerability, SQL Injection, Buffer Overflow, Cross-site request forgery, Cross Site Scripting (XSS)
• Malware
  • Viruses, Worms, Trojans
  • Phishing, Adware, Spyware, Scareware
  • Keyloggers, Backdoors, Exploits, Rootkits
  • Ransomware
• Denial of Service
  e.g.: Dyn Attack (Oct 2016)
• Botnets
  e.g.: LinkedIn attack (Aug 2016), Deutsche Telekom (Nov 2016)
Recent High Profile Incidents
• DDoS
  • Dyn attack
  • Mirai Botnet
• Ransomware
  • CryptoLocker, CryptoWall
  • WannaCry (>150 countries, >230,000 computers within a day)
• Malware
  • Stuxnet
• Yahoo! Data breach
  • 1 billion user accounts
NSA Hacking Tools Released by Shadow Brokers

Codename: Vulnerability. Addressed By
• “EternalBlue”: Remote exploit via SMB & NBT (Windows XP to Windows 2012). Addressed by MS17-010
• “EmeraldThread”: Remote code execution vulnerability in Windows Print Spooler Service. Addressed by MS10-061
• “EternalChampion”, “EternalSystem”: Remote exploit up to Windows 8 and 2012. Addressed by CVE-2017-0146 & CVE-2017-0147
• “ErraticGopher”: Microsoft SMB remote code execution vulnerability in Microsoft Windows 2003 and XP. Addressed prior to the release of Windows Vista
• “EskimoRoll”: Elevation of Privilege exploit in Kerberos. Addressed by MS14-068
• “EternalRomance”: Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445). Addressed by MS17-010
• “EducatedScholar”: Remote code execution vulnerability in Microsoft SMBv2. Addressed by MS09-050
• “EternalSynergy”: Windows 8 and Windows Server 2012. Addressed by MS17-010
• “EclipsedWing”: Remote code execution vulnerability in Microsoft Server Service. Addressed by MS08-067
• “ExplodingCan”: Remote IIS 6.0 buffer overflow exploit for Windows 2003
• “EwokFrenzy”: Lotus Domino 6.5.4 and 7.0.2 exploit
• “Fuzzbunch”: Exploit framework (similar to Metasploit) for the exploits
• “EsteemAudit”: Remote Desktop Protocol (RDP) exploit for Windows 2003 and XP
• “EnglishmanDentist”: Targeting Outlook/Exchange leveraging OLE in TNEF email
Digging Deeper – WannaCry Ransomware

Malware Analysis
• Uses “EternalBlue”* exploit to enter
• Implants DOUBLEPULSAR**, a persistent backdoor, to inject ransomware payload
• Encrypts certain file extensions using 2048-bit RSA encryption
• Installs Tor browser to preserve anonymity by proxying their traffic
• Heavily scans over TCP 445 (SMB) – Port 139 is also vulnerable
• Scans internal & external facing hosts across the Internet to spread
• Uses a “KillSwitch” to terminate execution, possibly to avoid sandbox environment

Mitigations
• Apply latest Windows patch
• Block incoming connections on Ports 139, 445
• Block Tor exit nodes
• Regular Backup of your data
• Update IPS rules

* EternalBlue is a SMBv1 exploit for Microsoft Windows OS
** DOUBLEPULSAR is a trojan that installs a backdoor that runs in kernel mode
Mitigation and Prevention
Multi-Layer, Multi-Level Approach

[Diagram: PoS and Employee endpoints on the Enterprise Network, the WAN, the Internet and the Public Cloud, with the controls applied at each layer listed below]

Endpoint: Authentication, Application Control, Anti Virus, Anti Malware, Data Encryption, Host IDS/IPS, Patch Management, Personal Firewall, Posture, Spyware Blocking, VPN Enforcement, Web Filtering

Network: Application Control, Authentication, Anomaly Detection, Behavioral Analytics, Mobile Device Management, Guest Access Management, Network Admission Control, Path Control, Quality of Service, Segmentation, Wireless Security, Patch Management

WAN: Application Control, Anti Malware, Anti Virus, Content Filtering, Encryption, Firewall, Intrusion Prevention (IPS), DoS Protection, Web Filtering, VPN

Data Center: Anti Malware, Anti Virus, Authentication, Application Control, Application Firewall, Data Encryption, Device Access Control, Firewall, Intrusion Prevention (IPS), Micro Segmentation, Patch Management, User Access Control

Public Cloud: Application Control, Application Firewall, Anti Spam, Anti Malware, Anti Virus, Content Filtering, Data Encryption, DLP, DoS Protection, Email Filtering, Host Firewall, IDS/IPS, Sandbox, Micro Segmentation
Security Best Practices
• Segmentation
• Authentication & Admission Control
• Posture Evaluation
• Security Tools - Firewall, IPS, Anti-Malware, Anti-Virus
• Anomaly Detection
• Visibility
• Penetration Testing
• Defensive Security

Assume Breach
Technical Deep Dive
Zone Based Firewall

Zone Based Firewall
• Data Plane Security
• Control Plane Protection
• Management Plane Protection

Data Plane Security
Advanced IOS Security – Overview

• Data Plane Security
  • Traffic that passes through the router
  • User and Services traffic
  • HTTP traffic to webservers
  • SIP traffic for voice phones
  • RDP sessions
  • “Through The Box”

• Control Plane Security
  • Infrastructure traffic that maintains a network
  • Routing Protocols (BGP, EIGRP, OSPF)
  • Management (SSH, HTTP)
  • Monitoring (SNMP, Syslogs, NTP)
  • “To The Box”
Data Plane Security using Zone Based Firewall

• Permit trusted traffic
• URL Filtering
• DoS Mitigation
• Resource Management
• Log traffic
• Multi Tenancy

• Build a comprehensive security solution to protect user services
• Using ZBFW provides a standardized framework for all security based features
• Session will cover design considerations and the resources section will have configuration examples
Data Plane Security – Identifying Traffic

[Diagram: a Client on G0/0/2.20 exchanging HTTP and SMTP with the Internet via G0/0/3; on the Internet side an SMTP Server, an HTTP Server and FTP traffic are shown as the flows the firewall must tell apart]
Access-lists (ACLs) as a Security Solution

IOS-FW(config)# ip access-list extended 100
IOS-FW(config-ext-nacl)#permit tcp any any ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  fin          Match on the FIN bit
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  rst          Match on the RST bit
  syn          Match on the SYN bit
  established  Match established connections
  fragments    Check non-initial fragments
  ttl          Match packets with given TTL value

IOS-FW(config)# ipv6 access-list IN->OUT_IPv6
IOS-FW(config-ipv6-acl)#permit any any ?
  routing      Routing header (all types)

• syn, fin, rst, ack – Only matches TCP flag – Not truly stateful
• established – Only matches on ACK and RST flag – Not truly stateful
• fragments – prevent fragments from entering network – heavy handed prevention of fragmentation attacks
• ttl – restrict how far into the network traffic can pass – prevent control traffic from leaving the network
• routing – restrict loose source routing – prevent clients from choosing their routing path
Access-group and Access-list Limitations

[Diagram: Client behind G0/0/2.20, Webserver and Attacker beyond G0/0/3. How do we differentiate between Webserver response and Attacker traffic?]

ip access-list extended IN->OUT
 permit tcp host Client any eq 80
ip access-list extended OUT->IN
 permit tcp any eq 80 host Client
Firewall – Basic Functionality

[Diagram: TRUSTED side with Client and SMTP Server, UNTRUSTED side with Webserver, Attacker and the Internet; the HTTP Request crosses the firewall and the HTTP Response is allowed back, while the Attacker's malicious traffic is stopped]

Firewall prevents malicious traffic from entering the network by tracking connections.
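The limitation the two slides above describe, as an added example that is not part of the deck: a small Python model of the OUT->IN access-list with the `established` keyword next to a stateful inspect action that only admits return traffic for a session the inside client actually opened. Addresses for the webserver and attacker, and the packet tuples, are constructed for the demo; the client address is PC1 from the deck's topology.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "RST", "FIN"}


CLIENT = "10.20.20.20"        # PC1 from the deck's topology
WEBSERVER = "198.51.100.10"   # constructed outside address
ATTACKER = "203.0.113.66"     # constructed outside address


def acl_out_to_in_established(pkt: Packet) -> bool:
    """Models the OUT->IN entry 'permit tcp any eq 80 host Client established'.
    The established keyword only tests for the ACK or RST bit; the router keeps
    no record of which connections the client actually opened."""
    return (pkt.sport == 80 and pkt.dst == CLIENT
            and bool(pkt.flags & {"ACK", "RST"}))


class ZoneBasedInspector:
    """The 'inspect' action on an INSIDE->OUTSIDE zone-pair: a session is created
    by the initial packet of the flow (the SYN for TCP); return traffic is allowed
    only when it matches an existing session, and nothing else gets back in."""

    def __init__(self) -> None:
        self.sessions: set = set()   # (client, client_port, server, server_port)

    def inside_to_outside(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == {"SYN"}:
            self.sessions.add(key)
            return True
        return key in self.sessions

    def outside_to_inside(self, pkt: Packet) -> bool:
        # reverse the tuple: the inside host is the destination of return traffic
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def compare() -> dict:
    """Run the webserver's legitimate reply and a forged 'reply' from a host the
    client never talked to through both models. Both packets carry source port 80
    and the ACK bit, which is all the ACL can see."""
    fw = ZoneBasedInspector()
    syn = Packet(CLIENT, 51459, WEBSERVER, 80, frozenset({"SYN"}))
    reply = Packet(WEBSERVER, 80, CLIENT, 51459, frozenset({"SYN", "ACK"}))
    forged = Packet(ATTACKER, 80, CLIENT, 3389, frozenset({"ACK"}))
    fw.inside_to_outside(syn)          # client opens the connection
    return {
        "acl_allows_reply": acl_out_to_in_established(reply),
        "acl_allows_forged": acl_out_to_in_established(forged),
        "zbfw_allows_reply": fw.outside_to_inside(reply),
        "zbfw_allows_forged": fw.outside_to_inside(forged),
    }


if __name__ == "__main__":
    for name, allowed in compare().items():
        print(f"{name}: {'allowed' if allowed else 'dropped'}")
```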
Zone Based Firewall
Overview

• Recommended IOS Dataplane Security solution
• Policies are applied to zones
• Zones are applied to interfaces
• Allows for scalable security policy
• Zone policies are directional
• Matches initial packet of the flow
  • TCP – matches SYN
  • Non-TCP – matches any packet
• Default drop policy
  • Tight security for unreferenced traffic

Zone types
• Custom zone
• default zone
  • “default” security zone for all INSIDE interfaces
  • Default Zone has been in IOS-XE, first support on ISR-G2 starting 15.6(1)T.
• Self Zone
Zone Policy Assignment and Scalability

• Same zone can be assigned to multiple interfaces
• Zone-pair policy can be reused
• Interface can only be part of one zone
• Zone-pairs permit traffic between two zones
• Traffic between same zones is optional and requires policy
• Traffic is specific to a zone-pair which allows for directed control

[Diagram: Users on G0/0/2.20, G0/0/2.40 and G0/0/2.50 all in zone EMPLOYEES; a zone-pair with source EMPLOYEES and destination INTERNET toward the Internet, and a zone-pair with source EMPLOYEES and destination EMPLOYEES for traffic between the user interfaces]
Zone Policy Assignment and Scalability

• default zone
• Interfaces that do not belong to a custom zone automatically belong to default zone

ISR4(config)#zone security ?
  WORD     Name of security zone
  default  Default zone

[Diagram: Users on G0/0/2.20, G0/0/2.40 and G0/0/2.50 with no custom zone fall into the default zone; a zone-pair with source default and destination INTERNET toward the Internet]
Zone Policy Assignment
Self Zone

• Pre-defined zone member
• Protects traffic to and from router
• Traffic sourced or destined to router
  • Excludes NAT traffic
• Two differences
  1. Pre-defined and available for use
  2. Reverse functionality of zones: explicit allow compared to explicit deny
• Use to protect management and control plane traffic

Traffic that terminates in the Self Zone
• Monitoring traffic: SNMP, Syslogs, Netflow
• Routing Protocols: EIGRP, OSPF, BGP
• Management traffic: SSH, Telnet, HTTP
• VPN: ESP, GRE, NAT-T, ISAKMP
Zone Based Firewall
Configuration Theory

1. Identify traffic using class-map
   • Access-list
   • Protocols
2. Take action using policy-map
   • Inspect
   • Drop
   • Pass
3. Apply action using zone-pair
   • Service policy applied to traffic
   • Apply action to traffic
Identifying Traffic using Class-maps

• Class-maps identify traffic
  • Access-lists for IP addresses and ports
  • Protocols for Layer 7 matching
• Class-maps can be nested
  • Scalability through reuse
  • Directed match criteria

[Diagram: a Class-map references an Access-list, a Protocol, or another Class-map]

class-map type inspect match-all USERS_PROTOCOLS
 match access-group name USER_ACL
 match protocol ftp
Identifying Traffic using Class-maps
Match-Any vs Match-All

• Match-All: Access-list USER_ACL + ftp (traffic must match the access-list AND the protocol)
• Match-Any: Access-list USER_ACL || ftp (traffic matches the access-list OR the protocol)
Identifying Traffic – Mixing and Matching

ip access-list extended USER_ACL
 ! wildcard mask 0.0.0.255 covers 192.168.1.0/24
 permit ip 192.168.1.0 0.0.0.255 any

class-map type inspect match-all USERS->INTERNET_CMAP
 match access-group name USER_ACL
 match class-map USER_PROTOCOLS_CMAP

class-map type inspect match-any USER_PROTOCOLS_CMAP
 match protocol http
 match protocol ftp
Take Action using Policy-Map

• Inspect
  • Builds connections for traffic
  • Statefully examines the flow
  • Allows return packets that match connection
  • Preferred action for traffic
• Drop
  • Drops packets silently
• Pass
  • Bypasses firewall checks
  • Return traffic must be explicitly allowed
  • Only for customized traffic
Take Action using Policy-Map
Class-maps Order of Operation

• Class-maps are processed in order
• Always put more specific match conditions first
• Order matters when applying inspect action/application inspection

Wrong order (SMTP is caught by the broader TCP class and dropped before the SMTP class is reached):
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect TCP_TRAFFIC_CMAP
  drop
 class type inspect SMTP_TRAFFIC_CMAP
  inspect

Correct order (the specific SMTP class is evaluated first):
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect SMTP_TRAFFIC_CMAP
  inspect
 class type inspect TCP_TRAFFIC_CMAP
  drop
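The class-map and policy-map semantics of the last four slides (match-all vs match-any, nested class-maps, first-match ordering of classes), as an added Python model that is not part of the deck. Names mirror the slides' configuration; the assumption that TCP_TRAFFIC_CMAP is `match protocol tcp`, the flow attributes, and the destination addresses are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # application protocol as the inspect engine classifies it: "http", "smtp", ...
    l4: str      # "tcp" or "udp"


# access-lists: name -> permitted source networks (only source matching is modelled)
ACLS = {"USER_ACL": [ipaddress.ip_network("192.168.1.0/24")]}


@dataclass
class ClassMap:
    name: str
    mode: str                                      # "match-all" or "match-any"
    acls: list = field(default_factory=list)       # match access-group name X
    protocols: list = field(default_factory=list)  # match protocol X
    nested: list = field(default_factory=list)     # match class-map X

    def matches(self, flow: Flow) -> bool:
        results = []
        for acl in self.acls:
            results.append(any(ipaddress.ip_address(flow.src) in net for net in ACLS[acl]))
        for proto in self.protocols:
            # "match protocol tcp" covers every TCP application; otherwise exact L7 match
            results.append(flow.proto == proto or flow.l4 == proto)
        for cmap in self.nested:
            results.append(cmap.matches(flow))   # nesting: the inner class-map is one criterion
        if not results:
            return False
        return all(results) if self.mode == "match-all" else any(results)


@dataclass
class PolicyMap:
    name: str
    classes: list              # ordered [(ClassMap, action)], evaluated top down
    default_action: str = "drop"   # class class-default

    def action_for(self, flow: Flow) -> tuple:
        """First class-map that matches wins; later classes are never consulted."""
        for cmap, action in self.classes:
            if cmap.matches(flow):
                return cmap.name, action
        return "class-default", self.default_action


# the "Mixing and Matching" slide
USER_PROTOCOLS = ClassMap("USER_PROTOCOLS_CMAP", "match-any", protocols=["http", "ftp"])
USERS_TO_INTERNET = ClassMap("USERS->INTERNET_CMAP", "match-all",
                             acls=["USER_ACL"], nested=[USER_PROTOCOLS])

# the "Order of Operation" slide (TCP_TRAFFIC_CMAP assumed to be "match protocol tcp")
TCP_TRAFFIC = ClassMap("TCP_TRAFFIC_CMAP", "match-any", protocols=["tcp"])
SMTP_TRAFFIC = ClassMap("SMTP_TRAFFIC_CMAP", "match-any", protocols=["smtp"])
WRONG_ORDER = PolicyMap("INTERNET->APPLICATION_PMAP",
                        [(TCP_TRAFFIC, "drop"), (SMTP_TRAFFIC, "inspect")])
RIGHT_ORDER = PolicyMap("INTERNET->APPLICATION_PMAP",
                        [(SMTP_TRAFFIC, "inspect"), (TCP_TRAFFIC, "drop")])


def nested_match_demo() -> dict:
    """match-all over an ACL plus a match-any protocol class-map."""
    user_ftp = Flow("192.168.1.10", "203.0.113.5", "ftp", "tcp")    # constructed
    user_dns = Flow("192.168.1.10", "203.0.113.5", "dns", "udp")    # constructed
    guest_http = Flow("10.20.30.30", "203.0.113.5", "http", "tcp")  # constructed
    return {
        "user_ftp": USERS_TO_INTERNET.matches(user_ftp),      # ACL and protocol: match
        "user_dns": USERS_TO_INTERNET.matches(user_dns),      # protocol class fails
        "guest_http": USERS_TO_INTERNET.matches(guest_http),  # ACL fails
    }


def order_demo() -> dict:
    """The same SMTP flow through the two policy-map orderings."""
    smtp = Flow("203.0.113.9", "10.1.10.25", "smtp", "tcp")    # constructed
    return {"wrong": WRONG_ORDER.action_for(smtp), "right": RIGHT_ORDER.action_for(smtp)}


if __name__ == "__main__":
    print(nested_match_demo())
    print(order_demo())
```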
Zone Based Firewall - Configuration
Live Action

[Topology: PC1 10.20.20.20/24 in zone EMPLOYEE behind a switch on G0/0/2.20 (10.20.20.1); PC2 10.20.30.30/24 in zone GUEST on G0/0/2.30 (10.20.30.1/24, VRF: INET); ISR 4451 with G0/0/3 (128.X.X.X, VRF: INET) toward the Internet and Cisco Umbrella, and an MPLS link toward the HQ Router (10.1.10.253); at HQ: Splunk 10.1.10.253:8000 and Cisco Prime 10.1.10.251]
Zone Based Firewall - Configuration

zone security GUEST
zone security INTERNET

class-map type inspect match-any GUEST-INTERNET-CLASS
 match protocol dns
 match protocol http
 match protocol https

policy-map type inspect GUEST-INTERNET-POLICY
 class type inspect GUEST-INTERNET-CLASS
  inspect
 class class-default
  drop

interface G0/0/3
 zone-member security INTERNET
interface g0/0/2.30
 zone-member security GUEST

zone-pair security GUEST-INTERNET source GUEST destination INTERNET
 service-policy type inspect GUEST-INTERNET-POLICY

[Topology: INTERNET security zone on G0/0/3 (128.X.X.X, VRF: INET); DMVPN tunnel T1 10.1.20.3 (Tunnel Key: 1000) to HQ; GUEST security zone on G0/0/2.30 (10.20.30.1, VRF: INET); EMPLOYEE security zone on G0/0/2.20 (10.20.20.1); the IOS Zone Firewall sits between them]
Zone Based Firewall - Configuration

ISR4451#show policy-map type inspect zone-pair GUEST-INTERNET sessions
Zone-pair: GUEST-INTERNET
Service-policy inspect : GUEST-INTERNET-POLICY

Class-map: GUEST-INTERNET-CLASS (match-any)
Match: protocol dns
33 packets, 2654 bytes
Match: protocol http
9 packets, 630 bytes
Match: protocol https
31 packets, 2170 bytes
Inspect
Established Sessions
Session ID 0x00011323 (10.20.30.30:51459)=>(X.X.X.X:443) https SIS_OPEN
Created 00:00:04, Last heard 00:00:04
Bytes sent (initiator:responder) [414:176]
Session ID 0x000112FF (10.20.30.30:51435)=>(Y.Y.Y.Y:443) https SIS_OPEN
Created 00:00:06, Last heard 00:00:05
Bytes sent (initiator:responder) [8201:374658]
Bytes sent (initiator:responder) [885:5522]
Session ID 0x00011319 (10.20.30.30:51451)=>(Z.Z.Z.Z:443) https SIS_OPEN
Created 00:00:04, Last heard 00:00:04
Bytes sent (initiator:responder) [4228:6411]
Zone Based Firewall – DMVPN tunnel inbound “TO” the router

ip access-list extended INTERNET-SELF
 permit esp any any
class-map type inspect match-any INTERNET-SELF-class
 match access-group name INTERNET-SELF

ip access-list extended INTERNET-SELF-udp
 permit udp any any eq isakmp
class-map type inspect match-any INTERNET-SELF-udp-class
 match access-group name INTERNET-SELF-udp

ip access-list extended INTERNET-SELF-tcp
 permit tcp any any eq 22
class-map type inspect match-any INTERNET-SELF-tcp-class
 match access-group name INTERNET-SELF-tcp

policy-map type inspect INTERNET-SELF-policy
 class type inspect INTERNET-SELF-class
  pass
 class type inspect INTERNET-SELF-udp-class
  inspect
 class type inspect INTERNET-SELF-tcp-class
  inspect
 class class-default
  drop

zone-pair security INTERNET-SELF source INTERNET destination self
 service-policy type inspect INTERNET-SELF-policy

[Topology as on the configuration slide: INTERNET security zone on G0/0/3 (128.X.X.X, VRF: INET); DMVPN tunnel T1 10.1.20.3 (Tunnel Key: 1000) to HQ; GUEST security zone on G0/0/2.30 (10.20.30.1, VRF: INET); EMPLOYEE security zone on G0/0/2.20 (10.20.20.1)]
ISR4451#show policy-map type inspect zone-pair INTERNET-SELF sessions
Zone-pair: INTERNET-SELF
Service-policy inspect : INTERNET-SELF-policy
Class-map: INTERNET-SELF-class (match-any)
Match: access-group name INTERNET-SELF
0 packets, 0 bytes
Pass
0 packets, 0 bytes
Class-map: INTERNET-SELF-udp-class (match-any)
Match: access-group name INTERNET-SELF-udp
454 packets, 58148 bytes
Inspect
Class-map: INTERNET-SELF-tcp-class (match-any)
Match: access-group name INTERNET-SELF-tcp
44611 packets, 4870119 bytes
Inspect
Established Sessions
Session ID 0x0001144D (10.118.34.5:64458)=>(X.X.X.X:22) ssh SIS_OPEN
Created 01:30:56, Last heard 00
Bytes sent (initiator:responder) [96741:312311]
Class-map: class-default (match-any)
Match: any
Drop
1698455 packets, 875491299 bytes

(Callouts on the slide label the zone-pair, service-policy, policy-map and class-map lines as ZP, SP, PM and CM, and the “Bytes sent” line as bytes transferred.)
Zone Based Firewall – Provisioning (Prime Infrastructure 3.1)

On-Box WebUI - Zone Based Firewall
Coming in XE 16.6.1 (July 2017)
Data Plane Security using Zone Based Firewall

• Permit trusted traffic
• URL/Content Filtering
• DoS Mitigation
• Resource Management
• Log traffic
• Multi Tenancy
URL/Content Filtering – Websense, Trend Micro

ip inspect name test http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter audit-trail
ip urlfilter urlf-server-log
ip urlfilter server vendor websense 192.168.15.15

interface FastEthernet0
 ip address 192.168.5.10 255.255.255.0
 ip inspect test in

Websense Configuration:
http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/110318-ciscoiosurlfiltering.html#steps
Trend Micro Configuration:
http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/white_paper_c89-492776.html
EOS/EOL:
http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/eol_c51-698205.html
Cisco Umbrella

• DNS is the first step in internet connections and is used by all devices
• Protect against malware, phishing and C2 callbacks
• Enable domain filtering
• Create policies for different network segments (e.g. employees and guests)
• Review deployment and research incidents using reports

[Diagram: CISCO ISR 4K with EMPLOYEE and GUEST segments; Umbrella blocks Malware, C2 Callbacks and Phishing]
Cisco Umbrella – Fast & Easy Deployment

1. Cisco Umbrella provisioning
   • Cloud Portal Login
   • Get token ID
2. Subscription is per site per device
3. Configure ISR Connector (can be provisioned via Cisco Prime or CLI)
4. ISR registers and obtains device IDs
   • ISR encrypts and redirects DNS packets to Cisco Umbrella cloud
   • Security policies are applied

SEC-K9 License is required; XE 16.3 and above

[Diagram: Umbrella blocks Malware, C2 Callbacks and Phishing]
Cisco Umbrella - Solution Overview

[Diagram: a user (Martha) sends a DNS Request (1) through the ISR4K to Cisco Umbrella; Umbrella returns the DNS Response (4), distinguishing a safe request from a blocked request; approved content (5) is then fetched from the web servers on the Internet]
Cisco Umbrella – Configuration

Step 1. Certificate import (mandatory for device registration via https)

Router(config)#crypto pki trustpool import terminal
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
30820494 3082037C A0030201 02021001 FDA3EB6E CA75C888 438B724B
….
8FAB492E 9D3B9334 281F78CE 94EAC7BD D3C96D1C DE5C32F3
quit

Certificate URL: https://www.digicert.com/CACerts/DigiCertSecureServerCA.crt

Step 2. Configure local domain (optional) and token

Router(config)#parameter-map type regex dns_bypass
pattern www.cisco.com
pattern .*eisg.cisco.*

Router(config)#parameter-map type opendns global
Router(config-profile)#token 0F32C32FEC26991C2B562D3C7FF844E0001C70E7
Router(config-profile)#local-domain dns_bypass

Step 3. Enable OpenDNS “out” and “in” with a tag

Router(config-if)#interface g0/0/0
Router(config-if)#opendns out

Router(config-if)#interface g0/0/1
Router(config-if)#opendns in Guest

“opendns” command will be changed to “umbrella” starting 16.6.1 (“umbrella out” and “umbrella in Guest”)
Zone Based Firewall – DMVPN tunnel outbound “FROM” the router

ip access-list extended SELF-INTERNET-ESP
 permit esp any any
class-map type inspect match-any SELF-INTERNET-ESP
 match access-group name SELF-INTERNET-ESP

ip access-list extended SELF-INTERNET-udp
 permit udp any any eq isakmp
 permit udp any any eq domain
class-map type inspect match-any SELF-INTERNET-udp-class
 match access-group name SELF-INTERNET-udp

ip access-list extended SELF-INTERNET-tcp
 permit tcp any any eq 443
class-map type inspect match-any SELF-INTERNET-tcp-class
 match access-group name SELF-INTERNET-tcp

policy-map type inspect SELF-INTERNET-policy
 class type inspect SELF-INTERNET-ESP
  pass
 class type inspect SELF-INTERNET-udp-class
  inspect
 class type inspect SELF-INTERNET-tcp-class
  inspect
 class class-default
  drop

zone-pair security SELF-INTERNET source self destination INTERNET
 service-policy type inspect SELF-INTERNET-policy

[Topology as on the configuration slide: INTERNET security zone on G0/0/3 (128.X.X.X, VRF: INET); DMVPN tunnel T1 10.1.20.3 (Tunnel Key: 1000) to HQ; GUEST security zone on G0/0/2.30 (10.20.30.1, VRF: INET); EMPLOYEE security zone on G0/0/2.20 (10.20.20.1)]
Cisco Umbrella – Provisioning (Prime Infrastructure)

On-Box WebUI – Cisco Umbrella
Coming in XE 16.6.1 (July 2017)
Data Plane Security using Zone Based Firewall
• Permit trusted traffic
• URL/Content Filtering
• DoS Mitigation
• Resource Management
• Log traffic
• Multi Tenancy
Mitigation of DoS attack on IOS-XE

[Diagram: an Attacker PC on the Internet sends spoofed SYNs through the INTERNET zone to a Server in the EMPLOYEE zone; the Server's SYN ACK goes to the spoofed IP address, which is black holed; the self zone sits on the router between them]
TCP 3-Way Handshake

Client -> Server: SYN=1, seq=client_isn
Server -> Client: SYN=1, ACK=1, seq=server_isn, ack=client_isn+1
Client -> Server: ACK=1, seq=client_isn+1, ack=server_isn+1

By default both the server and the firewall need to allocate memory to track the TCP connection from when the SYN is received.
SYN Cookie Protection Packet Flow

1. Client initiates a SYN
2. Firewall intercepts and responds back with a SYN/ACK with a cookie as ISN and window 0
3. Client sends the ACK
4. Firewall verifies cookie and sends SYN to the server
5. Firewall receives the SYN/ACK, computes the SYN cookie fixup
6. SYN/ACK from server opens up the TCP window for the client
7. Client sends ACK and subsequent packets flow as usual with seq/ack number being adjusted with SYN cookie fixup

[Sequence diagram: Client <-> Firewall: 1. SYN, 2. SYN/ACK, 3. ACK, 6. SYN/ACK, 7. ACK; Firewall <-> Server: 4. SYN, 5. SYN/ACK, 7. ACK]
SYN cookie protection packet flow

[Sequence diagram: Client -> Firewall: 1. SYN; Firewall -> Client: 2. SYN/ACK; the 3. ACK never arrives and nothing is sent to the Server]

If the SYN is spoofed, then the firewall will never receive an ACK and no resources will be wasted.
What is in the Cookie?

The Cookie contains some essential information, so the FW doesn’t have to remember that in memory.

t is a 32 bit number that increases every 64 seconds.

The secret function is computed over the client IP/port, the server IP/port and t.
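The cookie construction and the fixup from the packet-flow slides, as an added Python example that is not the firewall's implementation: a keyed hash over the client IP/port, server IP/port and the 64-second counter t, verification from the client's ACK without any stored state, and the sequence-number delta the firewall applies once the real server replies. The bit layout (top 5 bits of t, 27 bits of hash) and the key are assumptions for the demo; a real cookie also encodes the MSS.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"   # constructed; a firewall uses a random key
T_GRANULARITY = 64      # t advances once every 64 seconds
MAX_AGE_SLOTS = 2       # accept cookies at most this many slots old
MASK32 = 0xFFFFFFFF


def time_slot(now: float) -> int:
    """t: a 32-bit counter that increases every 64 seconds."""
    return (int(now) // T_GRANULARITY) & MASK32


def _secret_function(client_ip, client_port, server_ip, server_port, t) -> int:
    """Keyed hash over the 4-tuple and t, truncated to the low 27 bits of the cookie."""
    msg = (socket.inet_aton(client_ip) + struct.pack("!H", client_port)
           + socket.inet_aton(server_ip) + struct.pack("!H", server_port)
           + struct.pack("!I", t))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & 0x07FFFFFF


def make_cookie(client_ip, client_port, server_ip, server_port, now) -> int:
    """Step 2: the ISN the firewall puts in its SYN/ACK; nothing is stored."""
    t = time_slot(now)
    return ((t & 0x1F) << 27) | _secret_function(client_ip, client_port,
                                                 server_ip, server_port, t)


def verify_ack(client_ip, client_port, server_ip, server_port, ack_number, now) -> bool:
    """Step 4: the client's ACK carries cookie+1. Recover t from the top 5 bits,
    consider only recent slots whose low 5 bits agree, and recompute the hash."""
    cookie = (ack_number - 1) & MASK32
    t_bits = cookie >> 27
    t_now = time_slot(now)
    for age in range(MAX_AGE_SLOTS + 1):
        t = (t_now - age) & MASK32
        if (t & 0x1F) == t_bits and (cookie & 0x07FFFFFF) == _secret_function(
                client_ip, client_port, server_ip, server_port, t):
            return True
    return False


def syn_cookie_fixup(cookie: int, server_isn: int) -> int:
    """Step 5: the server chose its own ISN, but the client already accepted the
    cookie as the server's ISN, so the firewall keeps only the difference."""
    return (cookie - server_isn) & MASK32


def to_client_seq(server_seq: int, delta: int) -> int:
    """Server -> client: shift into the cookie-based sequence space the client expects."""
    return (server_seq + delta) & MASK32


def to_server_ack(client_ack: int, delta: int) -> int:
    """Client -> server: shift back into the server's own sequence space."""
    return (client_ack - delta) & MASK32


def handshake_demo() -> dict:
    c, cp, s, sp = "10.20.30.30", 51459, "198.51.100.20", 443   # constructed 4-tuple
    now = 1_500_000_000.0
    cookie = make_cookie(c, cp, s, sp, now)
    return {
        "fresh": verify_ack(c, cp, s, sp, cookie + 1, now + 10),
        "stale": verify_ack(c, cp, s, sp, cookie + 1, now + 64 * 10),   # 10 slots later
        "wrong_client": verify_ack("10.20.30.31", cp, s, sp, cookie + 1, now + 10),
        "guessed_ack": verify_ack(c, cp, s, sp, cookie + 2, now + 10),
    }


if __name__ == "__main__":
    print(handshake_demo())
```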
SYN Cookie Protection Configuration

Two types of protection
• Host Based: limit the rate of SYN packets to each host
• Session Table Protection: limit the rate of half-open session counts for each VRF domain

Limitations
• Because a ‘default’ zone does not support a zone type parameter map, you cannot configure the Firewall TCP SYN Cookie feature for a default zone.
• TCP SYN Cookie feature does not support per-subscriber firewall.
Sample Configuration – Host Protection

Router(config)# parameter-map type inspect-zone zone-pmap
Router(config-profile)# tcp syn-flood rate per-destination 400
Router(config-profile)# max-destination 10000
Router(config-profile)# exit

Router(config)# zone security EMPLOYEE
Router(config-sec-zone)# protection zone-pmap
Sample Configuration – Session Table Protection

Firewall session table protection for global routing domains:

Router(config)# parameter-map type inspect-global
Router(config-profile)# tcp syn-flood limit 500
Router(config-profile)# end

The tcp syn-flood limit value is the number of half-open connections that triggers SYN cookie processing.

Firewall session table protection for VRF routing domains:

Router(config)# parameter-map type inspect-vrf vrf-pmap
Router(config-profile)# tcp syn-flood limit 200
Router(config-profile)# exit

Router(config)# parameter-map type inspect-global
Router(config-profile)# vrf vrf1 inspect vrf-pmap
Router(config-profile)# end
Spoofing Attack Mitigation
uRPF configuration example

• Strict mode
  • The source address is in the Forwarding Information Base (FIB) and reachable only through the interface on which the packet was received
Router(config)# interface G0/0/2.20
Router(config-if)# ip verify unicast source reachable-via rx

• Loose mode
  • The source address is in the FIB and reachable through any interface on the router
  • Used for asymmetric routing or multi-homed ISP connections
Router(config)# interface G0/0/2.20
Router(config-if)# ip verify unicast source reachable-via any
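The strict and loose checks above, as an added Python model that is not part of the deck: a longest-prefix FIB lookup followed by the reachable-via rx / reachable-via any decision, including the asymmetric-routing case the slide gives as the reason for loose mode. The FIB is constructed; the EMPLOYEE and GUEST prefixes and interfaces follow the deck's topology, while the HQ route via Tunnel1, the MPLS interface name G0/0/1 and the Internet source address are assumptions. Default-route handling models the IOS behaviour where the default route is ignored by uRPF unless allow-default is configured.

```python
import ipaddress

# constructed FIB: prefix -> egress interface
FIB = {
    "10.20.20.0/24": "G0/0/2.20",   # EMPLOYEE subnet (from the deck)
    "10.20.30.0/24": "G0/0/2.30",   # GUEST subnet (from the deck)
    "10.1.10.0/24": "Tunnel1",      # HQ, assumed preferred over the DMVPN tunnel
    "0.0.0.0/0": "G0/0/3",          # default route toward the Internet
}


def fib_lookup(address: str, allow_default: bool):
    """Longest-prefix match; returns the egress interface or None.
    The default route only counts when allow-default is set."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(src: str, ingress: str, mode: str, allow_default: bool = False) -> bool:
    """strict: source reachable only via the ingress interface (reachable-via rx)
       loose:  source reachable via any interface (reachable-via any)"""
    egress = fib_lookup(src, allow_default)
    if egress is None:
        return False          # source not in the FIB: dropped in both modes
    if mode == "strict":
        return egress == ingress
    if mode == "loose":
        return True
    raise ValueError("mode must be 'strict' or 'loose'")


def urpf_demo() -> dict:
    return {
        # employee host sending from its own subnet on its own interface
        "employee_strict": urpf_check("10.20.20.20", "G0/0/2.20", "strict"),
        # GUEST source address arriving on the EMPLOYEE interface (spoofed)
        "spoofed_guest_strict": urpf_check("10.20.30.30", "G0/0/2.20", "strict"),
        "spoofed_guest_loose": urpf_check("10.20.30.30", "G0/0/2.20", "loose"),
        # inside address arriving from the Internet interface (spoofed)
        "spoofed_inside_from_internet_strict": urpf_check("10.20.20.5", "G0/0/3", "strict"),
        # HQ traffic returning over MPLS (G0/0/1, assumed) while the FIB prefers Tunnel1
        "hq_asymmetric_strict": urpf_check("10.1.10.253", "G0/0/1", "strict"),
        "hq_asymmetric_loose": urpf_check("10.1.10.253", "G0/0/1", "loose"),
        # Internet source (constructed) covered only by the default route
        "internet_strict": urpf_check("198.51.100.7", "G0/0/3", "strict"),
        "internet_strict_allow_default": urpf_check("198.51.100.7", "G0/0/3", "strict", True),
    }


if __name__ == "__main__":
    for name, passed in urpf_demo().items():
        print(f"{name}: {'forwarded' if passed else 'dropped'}")
```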
IP Fragmentation Attacks

[Diagram: an original packet (IP Header, TCP Header, Data) and three attack patterns: Tiny Fragment, where the first fragment carries only part of the TCP header and the remainder follows in a second fragment; Overlapping Fragments, where the data of Fragment 2 overlaps Fragment 1; and Buffer Overflow, where the fragments reassemble to more than the receiving buffer holds]
IP Fragmentation Attack Mitigation
• IP Virtual Fragment Reassembly (VFR) Configuration
  • Enabling VFR
    Router(config)# interface G0/0/3
    Router(config-if)# ip virtual-reassembly
  • Restricting the number of concurrent IP datagrams
    Router(config)# interface Ethernet0/0
    Router(config-if)# ip virtual-reassembly in max-reassemblies 64
  • Limiting the number of fragments per IP datagram
    Router(config)# interface Ethernet0/0
    Router(config-if)# ip virtual-reassembly in max-fragments 16
  • Dropping all IP fragments
    Router(config)# interface Ethernet0/0
    Router(config-if)# ip virtual-reassembly in drop-fragments

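What the three VFR knobs above do to the three attack patterns of the previous slide, as an added Python model (not code from the deck or from Cisco). The Fragment layout, the reassembler class and the sample fragments are constructed; offsets are kept in bytes for readability although IP encodes them in 8-byte units.

```python
"""Added example, not from the BRKSEC-3007 deck: a Python model of what
Virtual Fragment Reassembly (VFR) checks before it lets fragments through, with
the three limits the slide configures (max-reassemblies, max-fragments,
drop-fragments). The Fragment layout and the sample fragments are constructed."""
from dataclasses import dataclass


@dataclass
class Fragment:
    datagram_id: int   # IP Identification shared by all fragments of one datagram
    offset: int        # payload offset in bytes
    length: int        # payload bytes carried by this fragment
    more: bool         # MF flag: more fragments follow


MIN_FIRST_FRAGMENT = 20   # bytes needed to carry a complete TCP header


def check_datagram(frags, max_fragments=16):
    """Return the problems found in the fragments seen so far for ONE datagram."""
    problems = []
    frags = sorted(frags, key=lambda f: f.offset)
    if len(frags) > max_fragments:
        problems.append("too-many-fragments")
    for f in frags:
        # Tiny fragment: the first piece is too short to hold the TCP header,
        # so a filter that looks only at the first fragment never sees the ports.
        if f.offset == 0 and f.more and f.length < MIN_FIRST_FRAGMENT:
            problems.append("tiny-fragment")
    covered_end = 0
    for f in frags:
        # Overlap: this fragment starts inside bytes an earlier fragment delivered.
        if f.offset < covered_end:
            problems.append("overlapping-fragments")
            break
        covered_end = max(covered_end, f.offset + f.length)
    return problems


def is_complete(frags):
    """True when the fragments cover bytes 0..end contiguously and the last has MF=0."""
    frags = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in frags:
        if f.offset != expected:
            return False
        expected = f.offset + f.length
    return bool(frags) and not frags[-1].more


class VirtualReassembler:
    """Per-interface VFR model with the slide's three knobs (constructed model)."""

    def __init__(self, max_reassemblies=64, max_fragments=16, drop_fragments=False):
        self.max_reassemblies = max_reassemblies
        self.max_fragments = max_fragments
        self.drop_fragments = drop_fragments
        self.pending = {}   # datagram_id -> fragments received so far

    def accept(self, frag):
        """Return 'pass', 'reassembled', or 'drop:<reason>' for one arriving fragment."""
        is_fragment = frag.more or frag.offset > 0
        if not is_fragment:
            return "pass"                       # a whole datagram, nothing to reassemble
        if self.drop_fragments:
            return "drop:fragments-not-allowed"
        bucket = self.pending.get(frag.datagram_id)
        if bucket is None:
            if len(self.pending) >= self.max_reassemblies:
                return "drop:max-reassemblies"  # too many datagrams in flight
            bucket = self.pending[frag.datagram_id] = []
        bucket.append(frag)
        problems = check_datagram(bucket, self.max_fragments)
        if problems:
            del self.pending[frag.datagram_id]  # the whole datagram is discarded
            return "drop:" + ",".join(problems)
        if is_complete(bucket):
            del self.pending[frag.datagram_id]
            return "reassembled"
        return "pass"


if __name__ == "__main__":
    vfr = VirtualReassembler()
    for f in (Fragment(1, 0, 1480, True), Fragment(1, 1480, 520, False),
              Fragment(2, 0, 8, True), Fragment(3, 0, 40, True), Fragment(3, 24, 40, True)):
        print(f, "->", vfr.accept(f))
```

The max-reassemblies limit bounds the memory an attacker can tie up with never-completed datagrams, and max-fragments bounds the work per datagram; drop-fragments is the blunt option for interfaces where fragments are never legitimate.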
Data Plane Security using Zone Based Firewall
• Permit trusted traffic
• URL/Content Filtering
• DoS Mitigation
• Resource Management
• Log traffic
• Multi Tenancy

Resource Management Config
(Topology: a Laptop in the EMPLOYEE zone and a PC in the GUEST zone sit behind an ISR 4451 with a self zone; the INTERNET zone on VRF1, interface E0, faces a Server on the Internet)

Resource Management Config
zone security GUEST
zone security INTERNET

parameter-map type inspect GUEST-PRAM-MAP
 session maximum 1000

class-map type inspect match-any GUEST-INTERNET-CLASS
 match protocol dns
 match protocol http
 match protocol https

policy-map type inspect GUEST-INTERNET-POLICY
 class type inspect GUEST-INTERNET-CLASS
  inspect GUEST-PRAM-MAP
 class class-default
  drop

interface G0/0/3
 zone-member security INTERNET
interface g0/0/2.30
 zone-member security GUEST

zone-pair security GUEST-INTERNET source GUEST destination INTERNET
 service-policy type inspect GUEST-INTERNET-POLICY

Resource Management Config (VRF based)
(Topology: a Laptop in the EMPLOYEE zone on VRF global and a PC in the GUEST zone on VRF GUEST sit behind an ISR 4451 with a self zone; the INTERNET zone on VRF INET faces a Server on the Internet)
• GUEST zone is on VRF GUEST
• EMPLOYEE zone is on VRF global
• GUEST session total (tcp and udp) 1000

Resource Management Config (VRF based)
zone security GUEST
zone security INTERNET

parameter-map type inspect GUEST-PRAM-MAP
 session maximum 1000

parameter-map type inspect-vrf GUEST-PRAM-MAP-VRF-GUEST
 session total 1000

parameter-map type inspect-global
 vrf GUEST inspect GUEST-PRAM-MAP-VRF-GUEST

class-map type inspect match-any GUEST-INTERNET-CLASS
 match protocol dns
 match protocol http
 match protocol https

policy-map type inspect GUEST-INTERNET-POLICY
 class type inspect GUEST-INTERNET-CLASS
  inspect GUEST-PRAM-MAP
 class class-default
  drop

interface G0/0/3
 zone-member security INTERNET
interface g0/0/2.30
 vrf forwarding GUEST
 zone-member security GUEST

zone-pair security GUEST-INTERNET source GUEST destination INTERNET
 service-policy type inspect GUEST-INTERNET-POLICY

Data Plane Security using Zone Based Firewall
• Permit trusted traffic
• URL/Content Filtering
• DoS Mitigation
• Resource Management
• Log traffic
• Multi Tenancy

Logging Dropped Packets
• Dropped packet logging is enabled in two ways:
  1. Globally in the parameter-map (does not affect drop actions)
     parameter-map type inspect-global
      log dropped-packets
  2. With the drop action (logs only traffic matched by the class-map)
     policy-map type inspect GUEST-INTERNET-POLICY
      class class-default
       drop log

• Dropped packet logging is severely rate limited to 2 messages every minute
• Used for troubleshooting, unreliable for global monitoring

%FW-6-DROP_PKT: Dropping tcp session 10.20.30.30:29201 4.2.2.2:81 on zone-pair GUEST-INTERNET class class-default due to DROP action found in policy-map with ip ident 0

Logging New Connections
• Logging new connections is not on by default
  parameter-map type inspect LOG_CONNECTION_PARAM
   audit-trail on

• Processor intensive
  • Interrupt driven messages can cause high CPU
  • Similar to the log keyword on ACLs
• Used for troubleshooting
• Not recommended for monitoring

%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Start tcp session: initiator (192.168.1.100:34166) -- responder (4.2.2.2:80)

%FW-6-SESS_AUDIT_TRAIL: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Stop tcp session: initiator (192.168.1.100:34166) sent 164 bytes -- responder (4.2.2.2:80) sent 5980 bytes

Logging New Connections and Dropped packets
zone security GUEST
zone security INTERNET

parameter-map type inspect-global
 log dropped-packets
 log flow-export v9 udp destination 10.0.2.0 5000
 log flow-export template timeout-rate 5000

parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on

class-map type inspect match-any GUEST-INTERNET-CLASS
 match protocol dns
 match protocol http
 match protocol https

policy-map type inspect GUEST-INTERNET-POLICY
 class type inspect GUEST-INTERNET-CLASS
  inspect LOG_CONNECTION_PARAM
 class class-default
  drop log

interface G0/0/3
 zone-member security INTERNET
interface g0/0/2.30
 zone-member security GUEST

zone-pair security GUEST-INTERNET source GUEST destination INTERNET
 service-policy type inspect GUEST-INTERNET-POLICY

High Speed Logging (HSL)
parameter-map type inspect-global
 log dropped-packets
 log flow-export v9 udp destination 10.0.2.0 5000
 log flow-export template timeout-rate 5000

parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on
 alert on
 one-minute high 10000
 tcp max-incomplete host 100

policy-map type inspect GUEST-INTERNET-POLICY
 class type inspect GUEST-INTERNET-CLASS
  inspect LOG_CONNECTION_PARAM
 class class-default
  drop log

High Speed Logging (HSL)
zone security GUEST
zone security INTERNET

parameter-map type inspect-global
 log dropped-packets
 log flow-export v9 udp destination 10.0.2.0 5000
 log flow-export template timeout-rate 5000

parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on
 alert on
 one-minute high 10000
 tcp max-incomplete host 100

class-map type inspect match-any GUEST-INTERNET-CLASS
 match protocol dns
 match protocol http
 match protocol https

policy-map type inspect GUEST-INTERNET-POLICY
 class type inspect GUEST-INTERNET-CLASS
  inspect LOG_CONNECTION_PARAM
 class class-default
  drop log

interface G0/0/3
 zone-member security INTERNET
interface g0/0/2.30
 zone-member security GUEST

zone-pair security GUEST-INTERNET source GUEST destination INTERNET
 service-policy type inspect GUEST-INTERNET-POLICY

Data Plane Security using Zone Based Firewall
• Permit trusted traffic
• URL/Content Filtering
• DoS Mitigation
• Resource Management
• Log traffic
• Multi Tenancy

Zone Based Firewall – Multi Tenancy
zone security CUSTOMER1
zone security INTERNET

parameter-map type inspect-global
 multi-tenancy                      (NEW in XE 16.4.1)

parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on
 alert on
 one-minute high 10000
 tcp max-incomplete host 100

class-map type inspect match-any CUSTOMER1-INTERNET-CLASS
 match protocol dns
 match protocol http
 match protocol https

policy-map type inspect CUSTOMER1-INTERNET-POLICY
 class type inspect CUSTOMER1-INTERNET-CLASS
  inspect
 class class-default
  drop

interface G0/0/3
 vrf forwarding INET
 zone-member security INTERNET
interface g0/0/2.30
 vrf forwarding CUSTOMER1
 zone-member security CUSTOMER1

zone-pair security CUSTOMER1-INTERNET source CUSTOMER1 destination INTERNET
 service-policy type inspect CUSTOMER1-INTERNET-POLICY

Zone Based Firewall – Multi Tenancy
Syslogs enhanced to include customer vrf information

*Jun 24 13:11:17.740 IST: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000002984859710089 %FW-6-SESS_AUDIT_TRAIL: (target:class)-(CUSTOMER1-INTERNET:inspect-protocols):Stop tcp session: initiator (10.20.30.30:42769) sent 0 bytes -- responder (2.0.0.31:80) sent 0 bytes, from GigabitEthernet1 (srcvrf:dstvrf)-(CUSTOMER1:INET)

*Jun 24 13:12:54.526 IST: %IOSXE-4-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000003081648283391 %FW-4-HOST_TCP_ALERT_ON: (target:class)-(CUSTOMER1-INTERNET:inspect-protocols):Max tcp half-open connections (5) exceeded for host 2.0.0.31. (srcvrf:dstvrf)-(CUSTOMER1:INET)

Show commands enhanced to include customer vrf information

deebc-tb-rhel-csr#show platform hardware qfp active feature firewall drop vrf id 1
deebc-tb-rhel-csr#show platform hardware qfp active feature firewall datapath vrf id 1
deebc-tb-rhel-csr#show platform hardware qfp active feature firewall memory

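A parser for the %FW messages shown on the Logging Dropped Packets, Logging New Connections and Multi Tenancy slides, as an added example (not code from the deck or from Cisco). The sample lines are the slides' own messages; the event names, the record layout and the summary are this example's choices, and the last sample line is a constructed non-firewall message.

```python
"""Added example, not from the BRKSEC-3007 deck: parse the %FW syslog messages
shown on the logging and multi-tenancy slides into structured records and
summarise them the way a SIEM rule would. Sample lines are copied from the
slides (platform prefix included on two of them); the event names and the
summary layout are this example's own choice."""
import re
from collections import Counter

IP = r"\d+(?:\.\d+){3}"

DROP_RE = re.compile(
    r"%FW-\d-DROP_PKT: Dropping (?P<proto>\w+) session "
    rf"(?P<src>{IP}):(?P<sport>\d+) (?P<dst>{IP}):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)")
AUDIT_RE = re.compile(
    r"%FW-\d-SESS_AUDIT_TRAIL(?P<start>_START)?: \(target:class\)-"
    r"\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\):(?:Start|Stop) (?P<proto>\w+) session: "
    rf"initiator \((?P<src>{IP}):(?P<sport>\d+)\)(?: sent (?P<ibytes>\d+) bytes)? -- "
    rf"responder \((?P<dst>{IP}):(?P<dport>\d+)\)(?: sent (?P<rbytes>\d+) bytes)?"
    r"(?:, from (?P<iface>\S+))?")
ALERT_RE = re.compile(
    r"%FW-\d-HOST_TCP_ALERT_ON: \(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\):"
    rf"Max tcp half-open connections \((?P<limit>\d+)\) exceeded for host (?P<host>{IP})")
# Multi-tenancy appends the customer VRFs to the message.
VRF_RE = re.compile(r"\(srcvrf:dstvrf\)-\((?P<srcvrf>[^:]+):(?P<dstvrf>[^)]+)\)")


def parse_fw_syslog(line):
    """Return a dict for a %FW event in line, or None for any other message."""
    if (m := DROP_RE.search(line)):
        rec = {"event": "drop", **m.groupdict()}
    elif (m := AUDIT_RE.search(line)):
        d = m.groupdict()
        rec = {"event": "session_start" if d.pop("start") else "session_stop", **d}
    elif (m := ALERT_RE.search(line)):
        rec = {"event": "half_open_alert", **m.groupdict()}
    else:
        return None
    v = VRF_RE.search(line)
    rec["srcvrf"] = v.group("srcvrf") if v else None
    rec["dstvrf"] = v.group("dstvrf") if v else None
    for key in ("sport", "dport", "ibytes", "rbytes", "limit"):
        if rec.get(key) is not None:
            rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Aggregate parsed events: drops per source, bytes per zone-pair, half-open alerts."""
    drops, bytes_by_zone_pair, alerts, parsed = Counter(), Counter(), [], 0
    for line in lines:
        rec = parse_fw_syslog(line)
        if rec is None:
            continue
        parsed += 1
        if rec["event"] == "drop":
            drops[rec["src"]] += 1
        elif rec["event"] == "session_stop":
            bytes_by_zone_pair[rec["zone_pair"]] += (rec["ibytes"] or 0) + (rec["rbytes"] or 0)
        elif rec["event"] == "half_open_alert":
            alerts.append((rec["host"], rec["limit"], rec["srcvrf"]))
    return {"parsed": parsed, "drops_by_source": dict(drops),
            "bytes_by_zone_pair": dict(bytes_by_zone_pair), "alerts": alerts}


SAMPLE_LINES = [
    "%FW-6-DROP_PKT: Dropping tcp session 10.20.30.30:29201 4.2.2.2:81 on zone-pair "
    "GUEST-INTERNET class class-default due to DROP action found in policy-map with ip ident 0",
    "%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):"
    "Start tcp session: initiator (192.168.1.100:34166) -- responder (4.2.2.2:80)",
    "%FW-6-SESS_AUDIT_TRAIL: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):"
    "Stop tcp session: initiator (192.168.1.100:34166) sent 164 bytes -- responder (4.2.2.2:80) sent 5980 bytes",
    "*Jun 24 13:11:17.740 IST: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000002984859710089 "
    "%FW-6-SESS_AUDIT_TRAIL: (target:class)-(CUSTOMER1-INTERNET:inspect-protocols):Stop tcp session: "
    "initiator (10.20.30.30:42769) sent 0 bytes -- responder (2.0.0.31:80) sent 0 bytes, "
    "from GigabitEthernet1 (srcvrf:dstvrf)-(CUSTOMER1:INET)",
    "*Jun 24 13:12:54.526 IST: %IOSXE-4-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000003081648283391 "
    "%FW-4-HOST_TCP_ALERT_ON: (target:class)-(CUSTOMER1-INTERNET:inspect-protocols):"
    "Max tcp half-open connections (5) exceeded for host 2.0.0.31. (srcvrf:dstvrf)-(CUSTOMER1:INET)",
    "%SYS-5-CONFIG_I: Configured from console by console",   # constructed non-firewall line
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Because DROP_PKT is rate limited to two messages a minute and audit-trail messages are interrupt driven, the drop counts this produces are only indicative; for volume you would feed the HSL flow export into a collector instead and keep syslog for the alert messages.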
CloudUTD for SOHO/SMB – ZBF Multi Tenancy
(Figure: SOHO/SMB customers with customer bandwidth below 10 Mbps send north-south traffic through the SP Data Center on the way to the Internet)

LOWER OPERATING COSTS / SIMPLE CLOUD ORCHESTRATION
• Multi-tenant solution
• Low compute requirements
• Single VM
• Any CPE/ThinCPE
• No security appliance on site
• Easy service customization
• Automatic deployment
• NSO function pack
• Open APIs

Security Components: VPN, Firewall, IPS, Web Filtering

</gr_repl
ace>

<gr_replace lines="1503-1523" cat="reformat" orig="Shifting Security">
Shifting Security from On-Premise to the Cloud
(Figure: before, Customer A, Customer B and Customer C each reach the Internet through their own on-premise security; after, all three reach the Internet through the SP Data Center)
• Multi-tenant architecture
• No service chaining
• Low footprint
• Easy service creation
• No dedicated security appliance
• ThinCPE

Shifting Security from On-Premise to the Cloud

Internet
Internet

SP Data Center
 Multi-tenant architecture
SP Data Center  No service chaining
 Low footprint
 Easy service creation

• No dedicated security
appliance
• ThinCPE

Customer A Customer B Customer C


Customer A Customer B Customer C

BRKSEC-3007 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Control Plane Security
Control Plane Policing
Police inbound UDP traffic to 16 Kbps

ip access-list extended UDP
 permit udp any any

class-map match-all UDP
 match access-group name UDP

policy-map CoPP
 class UDP
  police 16000 conform-action transmit exceed-action drop violate-action drop

control-plane
 service-policy input CoPP

Punt Policing and Monitoring
Punt policing frees the RP from having to process noncritical traffic.

• Global Configuration
  platform punt-police queue 20 9000 10000

• Per Interface Configuration (PPS), NEW in XE 16.4.1
  platform punt-interface rate 10

  interface G0/0/3
   punt-control enable 20

show platform software infrastructure punt statistics

Management Plane Security
Management Plane Protection

• Allow only ssh and snmp

Router(config)# control-plane host
Router(config-cp-host)# management-interface GigabitEthernet 0/0/3 allow ssh snmp

Router# show management-interface
Management interface GigabitEthernet 0/0/3
 Protocol   Packets processed
 ssh        0
 snmp       0

Technical Deep Dive
Snort IPS
Use Case: Meet PCI Compliance
(Figure: Branch employees reach the Enterprise Network over a VPN tunnel and the Internet directly; the branch router runs Firewall and Snort IPS on corporate and Internet traffic, while the head-end runs NGFW/NGIPS with FW, IPS, AMP, URL Filtering and AVC)

Value Prop
• Best of Routing & Security at Head Quarters
• Good Enough Security at the Branch to Meet Compliance
• Advanced Behavior Analysis at the Head-end

Examples: Retail stores, Hospitals / Pharmacies

Snort IPS – Container Architecture
(Figure: on the control plane, IOSd and the Virtualization Manager (VMAN) run on the Linux OS with allocated CPU cores; Snort runs in an LXC container, WAAS in KVM and other apps in LXC, joined by virtual Ethernet; the Management VPG and Traffic VPG (Virtual Port Groups) connect the container to the data plane traffic path)

- Snort IPS runs on a Linux Container using control plane resources
- Traffic is punted to Snort Container using Virtual Port Group interface
- Reserved CPU and memory for Snort process enables deterministic performance

Snort IDS/IPS
• Over 4 million downloads
• 500,000 registered users
• Widely deployed IPS in the world
• Solution requires:
  • ISR4K with 8G DRAM & Flash + SEC license
  • Signature updates term subscriptions (1Y or 3Y)

Snort on the Cisco ISR 4000 Series (Now Orderable!)
• Helps meet PCI compliance mandate at the Branch Office
• Threat protection built into ISR 4000 branch routers
• Complements ISR 4000 Integrated Security
• Lightweight Threat Defense with low TCO and automated signature updates
• Splunk monitoring available

Snort IPS – Signature Details
• Only the signatures hosted on cisco.com can be used
• Signatures are same as on snort.org but validated on ISR4K
• Community signature pack or paid yearly subscription pack
• Subscription signature pack is more exhaustive and up-to-date
• Only community signature set packaged with OVA
• No support for custom signatures
• Signature white list support

Snort Configuration – Virtual Service Networking
(Figure: the container's eth1, eth2 and eth3 attach to the router's VPG0, VPG1 and management port G0; the router's data interfaces are G0/0/0 and G0/0/1)
- VPGs to communicate between container and data plane
- VPG1 <==> eth2 (data plane)
- VPG0 <==> eth1 (management)
  [OR]
- eth3 can be mapped to dedicated mgmt port G0 of the router

Snort IPS - Configuration
Step 1 – TFTP snort OVA to flash
Router#virtual-service install name myips package flash:utd.ova

Step 2 – Configure virtual portgroups
Router(config)#interface VirtualPortGroup0
Router(config-if)#description Management-Interface
Router(config-if)#ip address 172.18.21.1 255.255.255.252
Router(config-if)#interface VirtualPortGroup1
Router(config-if)#description Data-Interface
Router(config-if)#ip address 192.168.0.1 255.255.255.252

Step 3 – Activate virtual service and configure
Router(config)#virtual-service myips
Router(config-virt-serv)#vnic gateway VirtualPortGroup0
Router(config-virt-serv-vnic)#guest ip address 172.18.21.2
Router(config-virt-serv-vnic)#vnic gateway VirtualPortGroup1
Router(config-virt-serv-vnic)#guest ip address 192.168.0.2
Router(config-virt-serv-vnic)#exit
Router(config-virt-serv)#activate

Step 4 – Configuring UTD (service plane)
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat inspection
Router(config-utd-engstd-insp)#threat protection
Router(config-utd-engstd-insp)#policy security
Router(config-utd-engstd-insp)#signature update server cisco username <uname> password <paswd>
Router(config-utd-engstd-insp)#signature update occur-at daily 0 0
Router(config-utd-engstd-insp)#logging server 10.12.5.55 syslog level warning

Step 5 – Enabling UTD (data plane)
Router(config)#utd
Router(config-utd)#all-interfaces
Router(config-utd)#engine standard
Router(config-engine-std)#fail close
[OR]
Router(config)#interface GigabitEthernet0/0/0
Router(config-if)#utd enable

Step 6 – Whitelisting (Optional)
Router(config)#utd whitelist
Router(config-utd-whitelist)#signature id 15 comment test1
Router(config-utd-whitelist)#signature id 12 comment test2

Snort IPS – Configuration
Step 1: Configure virtual service
virtual-service install name myips package flash:utd.ova

Step 2: Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 ip address 172.18.21.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.168.0.1 255.255.255.252

Step 3: Activate virtual service and configure
virtual-service myips
 vnic gateway VirtualPortGroup0
  guest ip address 172.18.21.2
 vnic gateway VirtualPortGroup1
  guest ip address 192.168.0.2
 activate

Step 4: Configuring UTD (service plane)
utd engine standard
 threat inspection
  threat protection              (protection-ips, detection-ids)
  policy security                (balanced, connectivity)
  logging server 10.12.5.55 syslog level warning
  signature update server cisco username <blah>
  signature update occur-at daily 0 0

Step 5: Enabling UTD (data plane)
utd
 all-interfaces
 engine standard
  fail close

Step 6: Whitelisting (optional)
utd whitelist
 signature id 12 comment test1
 signature id 15 comment test2

Snort IPS – Provisioning (Prime Infrastructure 3.1 and above)

Snort IPS/IDS – Management using on-box WEB UI
Coming in XE 16.6.1, July 2017

Configuration – Snort Engine OVA Upgrade
Step 1: Deactivate Snort IPS
• From config mode:
  virtual-service myips
   no activate

Step 2: Update Snort Engine OVA file
• From exec mode:
  virtual-service upgrade name myips package flash:newutd.ova

Step 3: Activate Snort IPS
• From config mode:
  virtual-service myips
   activate

Configuration – Cisco Prime CLI Templates
• Import Snort CLI Templates into Prime
  From Prime Web UI, navigate to Configuration >> Templates >> Features & Technologies and click on "CLI Templates (User Defined)" and then click on "Import"

Snort IPS - Copy OVA to Device
Purpose: Use this template to copy Snort IPS OVA file to flash.

Snort IPS - Delete OVA
Purpose: Use this template to delete previously copied Snort IPS OVA file from flash.

Snort IPS - Dynamic NAT
Purpose: Use this template if Dynamic NAT (Network Address Translation) is configured in your environment and an Access List is used to select the NAT translation that needs to be modified for Snort IPS Management Interface IP.

Snort IPS - Dynamic NAT Cleanup
Purpose: Use this template to delete previously configured NAT configuration for Snort IPS.

Snort IPS – Dynamic PAT
Purpose: Use this template if Dynamic PAT (Port Address Translation) is configured in your environment and an Access List is used to select the PAT translation that needs to be modified for Snort IPS Management Interface IP.

Snort IPS – Dynamic PAT Cleanup
Purpose: Use this template to delete previously configured PAT configuration for Snort IPS.

Snort IPS – IP Unnumbered
Purpose: Use this template to configure Snort IPS and required Virtual-Service for IP Unnumbered deployment.

Snort IPS – IP Unnumbered Cleanup
Purpose: Use this template to delete previously configured Snort IPS Management interface with "IP Unnumbered".

Snort IPS – Management Interface
Purpose: Use this template if you would like to use System Management interface (e.g. GigabitEthernet0) to route Snort IPS Management traffic.

Snort IPS – Management Interface Cleanup
Purpose: Use this template to delete previously configured System Management interface (e.g. GigabitEthernet0) to route the Snort IPS Management traffic.

Snort IPS - Static NAT
Purpose: Use this template to configure Snort IPS and required Virtual-Service for existing Static NAT deployment.

Snort IPS - Static NAT Cleanup
Purpose: Use this template to delete previously configured Snort IPS in a Static NAT deployment.

Snort IPS - Upgrade OVA
Purpose: Use this template to upgrade Snort IPS OVA file.

Snort IPS – Management & Monitoring
(Figure: the branch ISR 4K connects over VPN to the Data Center; the signature and Snort engine update repository on cisco.com and an on-premise Local Signature Repository (http) feed the router; the management tools are IWAN APP, APIC-EM and Prime Infrastructure)
1 On-Box Management & Monitoring: WEB-UI*
2 Signature Update, Event Monitoring
3 Centralized Provisioning & Monitoring

* Web UI will be available in IOS XE 16.6.1, ~July 2017

Troubleshooting
Snort IPS – Unable to update signature pkg
(Topology: PC1 10.20.20.20/24 in the EMPLOYEE zone behind a switch on G0/0/2.20 (10.20.20.1) of the branch ISR 4451; PC2 10.20.30.30/24 in the GUEST zone on G0/0/2.30 (10.20.30.1/24); G0/0/3 (128.X.X.X, VRF INET) faces the Internet and MPLS toward the HQ router; HQ hosts Live Action, Splunk (10.1.10.253:8000) and Cisco Prime (10.1.10.251); Cisco Umbrella is reached over the Internet)

ISR4451#virtual-service install name myips package flash:iosxe-utd.16.04.01.SV2982.ova

ISR4451#show virtual-service list
Virtual Service List:
Name                    Status            Package Name
------------------------------------------------------------------------------
myips                   Installed         iosxe-utd.16.04.01.SV2982.ova

ISR4451(config)#virtual-service myips
ISR4451(config-virt-serv)#activate

ISR4451#show virtual-service list
Virtual Service List:
Name                    Status            Package Name
------------------------------------------------------------------------------
myips                   Activated         iosxe-utd.16.04.01.SV2982.ova

Snort IPS Troubleshooting - Check Virtual Service Status
ISR4451#show virtual-service list
Virtual Service List:
Name                    Status            Package Name
------------------------------------------------------------------------------
myips                   Activated         iosxe-utd.16.04.01.SV2982.ova

How to check if Snort Service is Alive?

ISR4451#show service-insertion type utd service-node-group
Service Node Group name : utd_sng_1
Service Context : utd/1
Member Service Node count : 1

Service Node (SN) : 192.168.0.2
Auto discovered : No
SN belongs to SNG : utd_sng_1
Current status of SN : Alive
Time current status was reached : Mon Jun 5 03:53:17 2017

Snort IPS Troubleshooting
Verify Snort Configuration on the Container
ISR4451#show utd engine standard config
UTD Engine Standard Configuration:
Operation Mode : Intrusion Prevention
Policy : Security

Signature Update:
Server : cisco
User Name : kusankar
Password : EbVSH[CG[PeUHXTQHOXLSD\V^ULbPKLEb
Occurs-at : None

Logging:
Server : IOS Syslog; 10.1.10.253
Level : warning

Whitelist disabled/No config found

ISR4451#show utd engine standard status
Engine version : 1.0.0_SV2982_XE_16_4
Profile : Low
System memory :
Usage : 8.40 %
Status : Green
Number of engines : 1

Engine Running CFT flows Health Reason
=======================================================
Engine(#1): Yes 0 Green None
=======================================================
Overall system status: Green
Signature update status: Community
Signature
=========================
Current Signature package version: 29.0.c
Current Signature package name: default
Previous Signature package version: None
Last update status: None
Last failure Reason: None

ISR4451#show virtual-service detail
Virtual service myips detail
State : Activated
Owner : IOSd
Package information
Name : iosxe-utd.16.04.01.SV2982.ova
Path : bootflash:/iosxe-utd.16.04.01.SV2982.ova
Application
Name : UTD-Snort-Feature
Installed version : 1.0.0_SV2982_XE_16_4
Description : Unified Threat Defense
Signing
Key type : Cisco development key
Method : SHA-1
Licensing
Name : Not Available
Version : Not Available
Detailed guest status

----------------------------------------------------------------------
Process Status Uptime # of restarts
----------------------------------------------------------------------
climgr UP 0Y 0W 0D 0:27: 3 2
logger UP 0Y 0W 0D 0:26:50 0
snort_1 UP 0Y 0W 0D 0:26:50 0
Network stats:
eth0: RX packets:1625, TX packets:6
eth1: RX packets:358, TX packets:6

---- snipped details ----

All three processes should show "UP".

Snort IPS – Two ways to update the signature pkg
From configuration mode:
ISR4451(config)# utd engine standard
ISR4451(config-utd-eng-std)#threat-inspection
ISR4451(config-utd-engstd-insp)# signature update server cisco username kusankar password VKec\JASXPAUESLUN
[OR]
ISR4451(config)#utd engine standard
ISR4451(config-utd-eng-std)#threat-inspection
ISR4451(config-utd-engstd-insp)#signature update server url http://1.2.3.4/path

From exec mode (overrides what is configured in config mode):
ISR4451#utd threat-inspection signature update server url http://1.2.3.4/sig-file
[OR]
ISR4451#utd threat-inspection signature update server cisco username <blah> password <blah>
(I chose this method)

ISR4451# show utd engine standard threat-inspection signature update status
Current Signature package version: 29.0.c
Current Signature package name: default
Previous Signature package version: None
Last update status: Failed
Last failure Reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Last successful update method: None
Last successful update server: None
Last successful update time: None
Last successful update speed: None
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Jun 6 18:28:18 2017 PDT
Last attempted update method: Manual
Last attempted update server: cisco
Last attempted update time: Tue Jun 6 18:28:18 2017 PDT
Total num of updates successful: 0
Num of attempts successful: 0
Num of attempts failed: 1
Total num of attempts: 1
Next update scheduled at: None
Current Status: Idle

Snort IPS – Unable to update signature pkg
(Figure: the container's Eth1 (172.18.0.2) attaches to VPG0 (172.18.0.1) and its eth2 to VPG1 on the ISR 4451; the Employee side is on G0/0/0.20, and G0/0/3 in VRF INET leads to the Internet/VPN)

Full Snort IPS configuration – Head Quarters CSR

CSR at the HQ is providing NAT for Snort IPS

ip nat inside source list nat-acl interface GigabitEthernet1 overload

ip access-list extended nat-acl
 …
 50 permit ip 172.18.0.0 0.0.0.255 any      (added this line)

CSR#show ip nat translations | i 172.18.0.2
tcp 128.107.213.166:4352 172.18.0.2:43993 173.37.144.211:443 173.37.144.211:443
udp 128.107.213.166:4865 172.18.0.2:46829 4.2.2.2:53 4.2.2.2:53

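Why line 50 mattered, as an added Python model (not code from the deck or from Cisco) of the dynamic NAT decision on the HQ CSR: the source list is walked first-match with IOS wildcard masks, and only a permitted source gets a translation. The ACL entries other than line 50 and the packet sources are constructed placeholders, since the slide elides the earlier lines; the translation rows are the slide's own `show ip nat translations` output.

```python
"""Added example, not from the BRKSEC-3007 deck: a Python model of how the
`ip nat inside source list nat-acl ...` lookup decides whether the Snort
container's management traffic (source 172.18.0.2) gets translated, before and
after line 50 is added, plus a parser for the `show ip nat translations` rows
on the slide. ACL entries other than line 50 and the sources are constructed."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def acl_lookup(acl, src):
    """First-match evaluation of (seq, action, base, wildcard) entries.
    Returns (permitted, matching sequence number); no match is an implicit deny."""
    for seq, action, base, wildcard in sorted(acl, key=lambda e: e[0]):
        if wildcard_match(src, base, wildcard):
            return action == "permit", seq
    return False, None


def will_be_translated(acl, src):
    """Dynamic NAT only builds a translation for sources the list permits."""
    permitted, _ = acl_lookup(acl, src)
    return permitted


# Constructed stand-in for the HQ CSR's nat-acl before the fix: the slide shows
# only "..." for the earlier lines, so these two entries are placeholders.
NAT_ACL_BEFORE = [
    (10, "permit", "10.20.20.0", "0.0.0.255"),
    (20, "permit", "10.20.30.0", "0.0.0.255"),
]
# Line 50 is the entry the slide says was added.
NAT_ACL_AFTER = NAT_ACL_BEFORE + [(50, "permit", "172.18.0.0", "0.0.0.255")]


def parse_nat_translations(output):
    """Parse `show ip nat translations` rows: proto, inside global/local, outside local/global."""
    rows = []
    for line in output.strip().splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        proto, ig, il, ol, og = fields
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og})
    return rows


# Copied from the slide's `show ip nat translations | i 172.18.0.2`.
NAT_OUTPUT = """
tcp 128.107.213.166:4352 172.18.0.2:43993 173.37.144.211:443 173.37.144.211:443
udp 128.107.213.166:4865 172.18.0.2:46829 4.2.2.2:53 4.2.2.2:53
"""


def container_flows(output, container_ip="172.18.0.2"):
    """Return (proto, destination port) for every translation owned by the container."""
    return [(r["proto"], r["outside_global"].rsplit(":", 1)[1])
            for r in parse_nat_translations(output)
            if r["inside_local"].split(":")[0] == container_ip]


if __name__ == "__main__":
    for label, acl in (("before line 50", NAT_ACL_BEFORE), ("after line 50", NAT_ACL_AFTER)):
        print(label, "-> translated:", will_be_translated(acl, "172.18.0.2"))
    print("container flows seen by NAT:", container_flows(NAT_OUTPUT))
```

With the placeholder list, 172.18.0.2 falls through to the implicit deny and leaves untranslated, so its DNS and HTTPS requests toward cisco.com get no answer; after line 50 the two translations the slide shows (udp/53 and tcp/443) are exactly the DNS lookup and the signature download.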
Snort IPS Troubleshooting - Verify Snort Signature Update Status
ISR4451#show utd engine standard threat-inspection signature update status
Current Signature package version: 29.0.c
Current Signature package name: default
Previous Signature package version: None
Last update status: Failed
Last failure Reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Last successful update method: None
Last successful update server: None
Last successful update time: None
Last successful update speed: None
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Jun 6 18:35:04 2017 PDT
Last attempted update method: Manual
Last attempted update server: cisco
Last attempted update time: Tue Jun 6 18:35:04 2017 PDT
Total num of updates successful: 0
Num of attempts successful: 0
Num of attempts failed: 2
Total num of attempts: 2
Next update scheduled at: None
Current Status: In-progress

Snort IPS – Unable to update signature pkg
ISR4451#show utd engine standard threat-inspection signature update status
Current Signature package version: 2982.14.s
Current Signature package name: UTD-STD-SIGNATURE-2982-14-S.pkg
Previous Signature package version: 29.0.c
Last update status: Successful
Last failure Reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Last successful update method: Manual
Last successful update server: cisco
Last successful update time: Tue Jun 6 18:36:18 2017 PDT
Last successful update speed: 2874800 bytes in 18 secs
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Jun 6 18:35:04 2017 PDT
Last attempted update method: Manual
Last attempted update server: cisco
Last attempted update time: Tue Jun 6 18:36:18 2017 PDT
Total num of updates successful: 1
Num of attempts successful: 1
Num of attempts failed: 2
Total num of attempts: 3
Next update schedule

Snort IPS configuration – Branch ISR 4451

virtual-service myips
 vnic gateway VirtualPortGroup0
  guest ip address 172.18.0.2
 vnic gateway VirtualPortGroup1
  guest ip address 192.168.0.2
 activate

interface VirtualPortGroup0
 description Management Interface
 ip address 172.18.0.1 255.255.255.252
 zone-member security HQ
interface VirtualPortGroup1
 description Data Interface
 ip address 192.168.0.1 255.255.255.252

Snort IPS – Troubleshooting Commands
show virtual-service list
show utd engine standard config
show virtual-service detail
show platform hardware qfp active feature utd stats
show platform hardware qfp active feature utd config
show platform hardware qfp active feature utd stat divert

Snort IPS – Debug Commands
debug platform packet copy packet out size 2048
debug platform packet-trace enable
debug platform packet-trace packet 64 circular fia-trace

Note: Conditional debugging needs to be enabled along with packet tracing
debug platform condition interface g0/0/0 both
debug platform condition start

Note: Optionally the utd debugging can be enabled along with packet tracing
debug platform condition feature utd dataplane submode divert level info

Packet Tracer: http://www.cisco.com/c/en/us/support/docs/content-networking/adaptive-session-redundancy-asr/117858-technote-asr-00.html

Technical Deep Dive – SLNL
Anomaly Detection
0 day Attacks & Vulnerabilities are still common

Date Released | Who did it?    | Target                | Attack type                              | Vulnerabilities Discovered
Feb 18, 2016  | Unknown        | Hollywood Hospital    | Ransomware                               |
May 8, 2016   | Unknown        | Several               | MS Word embedded macros                  | Elevation of Privilege (EoP)
May 10, 2016  | Unknown        | Adobe Flash Player    | Flash exploit inside MS Office Documents | Remote code execution
Aug 13, 2016  | Shadow Brokers | Equation Group        | Unknown                                  | Several 0-day Vulnerabilities
Aug 25, 2016  | NSO Group      | Human Rights Activist | iPhone Remote Jailbreak                  | Three 0-day vulnerabilities

Sources: Verizon 2016 Data Breach Investigations Report; Cisco 2016 Midyear Cybersecurity Report
References/Sources are in the notes section

Anomaly Detection - Needle in a Haystack
(Image: a needle in a haystack. Source: Google.com image search)

Stealthwatch Learning Networks (SLN) License
(Figure: a Learning Network Manager at Headquarters with Distributed Learning Agents (DLA) on the ISRs at Branch 1 and Branch 2)
• Brings self-learning attributes to the Cisco 4000 ISR
• Needs no programming of firewall rules, malware signatures, or access control lists (ACLs)
• Uses machine learning, network context, and packet capture to determine what's normal and what's not
• Uses advanced analytics and models to identify and block true anomalies
• Adapts as conditions change

Stealthwatch Portfolio: Learning Network

[Diagram: the Cisco Stealthwatch Management Console and Flow Collector, fed by the Stealthwatch Labs Intelligence Center (SLIC) threat feed and by user and device information from ISE; the Learning Network Manager sits alongside them, and the branch runs the agent on the NetFlow-enabled infrastructure.]

The Stealthwatch Learning Network License adds anomaly detection & mitigation capabilities deployed in an ISR 4000.
Learning Network Components

Learning Network Agent: machine-learning security agent software for the Cisco 4000 Integrated Services Router that collects and analyzes information, which it communicates to the Manager.

Learning Network Manager: virtual machine application software that provides advanced visualization of the anomalies that the Learning Agents discover. It displays visuals using the management application.
Automating Security in your Branch Offices

[Diagram: branch networks behind ISR4K routers running the Agent, connected over the private / public network to the Manager, ISE and packet analysis at headquarters.]
Basic Operation of the Learning Network

1. Discovers traffic paths
2. Builds a map of IP addresses to learn about its environment
3. Identifies applications using NBAR and DPI
4. Studies traffic movement, volumes, patterns, times of day
5. Learns to distinguish normal from anomalous
6. Precisely identifies the anomaly; allows the operator to take action to remediate
Use Case: DNS Tunneling

[Diagram: Headquarters – Internet – Branch, before and after.]

The agent notes a sudden increase in DNS traffic. Using the Stealthwatch Learning Network License, the analyst can identify attempts to pass additional data over DNS and bypass the firewall.
Use Case: New Application at the Branch

[Diagram: Headquarters – Internet – Branch, before and after.]

Before: a branch user opens an application developed to send data to a suspect Internet site.
After: the router-based security agent identifies the attempt to connect to a suspect site and drops the connection.
The Power of the Learning Network: What's New?

Current security solutions:
• Consist of specialized security appliances connected to the network, such as firewalls and intrusion prevention systems
• Rely heavily on known signatures to detect known malware
• Have limited adaptability, so newer threats are more likely to get through

Stealthwatch Learning Network License:
• Pervasive and adaptive
• Uses machine learning (artificial intelligence) to detect advanced, evasive malware network-wide
• High focus on 0-day attacks
• Uses the ISR 4000 as distributed analytic engine (sensor) and security system (enforcer)
The Power of the Learning Network: Precision Detection

Traditional anomaly detection system:
• Focuses on detecting as many events as it can
• Creates an unwieldy number of false positives and irrelevant alarms
• Alone, the volume of detections isn't the best measure of a system's effectiveness
• Telemetry-driven, centralized solutions

Stealthwatch Learning Network License:
• Fast, efficient, precise detection
• The network learns from its own mistakes and minimizes chasing false positives
• Detects and accounts for multiple indicators of an anomaly
• Bandwidth- and processor-light, distributed solution
A Closer Look: ISR 4000 with Learning Agent

[Diagram, Cisco ISR 4000 platform: the control plane runs IOSd and the Learning Agent inside a Linux service container, both on the Linux OS; the data plane is platform-specific.]
A Closer Look: Learning Agent

[Diagram: the Learning Agent runs in the Linux container on the ISR 4000. Its Distributed Learning Component sends anomaly alerts, mitigation and trending data to the centralized controller. Its Network Sensing Component receives raw network data packets (e.g., NetFlow export); its Network Control Component modifies network behavior (e.g., via SSH/CLI).]
See All Your Branches from One Location

The web-based dashboard makes it easy to:
• View all branch intelligent sensors
• Examine nodes, packets and applications
• Rate system for traffic and exceptions

Enhanced visibility enabled by Identity Services Engine
SLNL Deployment Requirements

Learning Network Manager*:
• VMware ESXi 5.5
• Memory 16 GB
• 4 virtual CPUs
• 1 virtual NIC
• 200 GB of hard disk
• Learning Network Manager License
• sln-sca-k9-<ver>.ova image

Learning Network Agent:
• ISR 4000 series
• IOS-XE v3.13 or later with KVM container
• IOS Application Experience (AX) bundle
• 8 GB or 16 GB memory & flash
• Optional: NIM-SSD 200 GB persistent storage
• SLNL Agent term subscription: 1y or 3y
• sln-dla-44xx-cont-250Ms-3Gr-k9-<ver>.ova

* Install the Learning Manager first to make use of the scripts to auto-provision Agents
SLNL Learning Agent – Provisioning (CLI)

Step 1. Install the virtual service
virtual-service install name sln package flash:sln.ova

Step 2. Configure port groups
interface VirtualPortGroup1
 description Management interface
 ip address 172.18.21.1 255.255.255.252
interface VirtualPortGroup2
 description Data interface
 ip address 192.168.0.1 255.255.255.252

Step 3. Configure & activate the virtual service
virtual-service sln
 vnic gateway VirtualPortGroup1
 vnic gateway VirtualPortGroup2
 activate

Step 4. Configure the SLN Agent
virtual-service connect name sln console
Configure networking for eth0 & eth1 as follows:
 eth0 (routable subnet or NATed address): 172.18.21.2 / 255.255.255.0 / gateway 172.18.21.1
 eth1: 192.168.0.2 / 255.255.255.0

Step 5. Enable SSH
Step 6. Configure NTP
Step 7. Configure NetFlow
Step 8. Add the Learning Agent to the Manager

Cisco Stealthwatch Learning Network License Virtual Service Installation Guide:
http://www.cisco.com/c/en/us/td/docs/security/sln/installation/guide/Learning_Network_License_Virtual_Service_Installation_Guide/SLN_Container_Installation_Guide_chapter_01010.html
Cisco Stealthwatch Learning Network License Configuration Guide:
http://www.cisco.com/c/en/us/td/docs/security/sln/configuration/guide/Learning_Network_License_Configuration_Guide/SLN_Configuration_Guide_chapter_00.html
SLNL on ISR 4431 & 4451 step-by-step configuration:
https://cisco.jiveon.com/docs/DOC-1552071
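The eight steps pulled together into one router-side configuration, with the SSH step done the way the agent's SSH/CLI control component warrants: a dedicated account and vty access limited to the container and the Manager. This is an added example, not from the slides or the Cisco guides. It keeps the slide's port-group addressing; the domain name, NTP server, Manager address, the hypothetical sln-agent account, the UDP port 2055 the container is assumed to listen on, the flow record fields and the WAN interface GigabitEthernet0/0/1 are all assumptions. One caveat on the slide itself: it gives the port groups /30 masks but the container interfaces /24; the .1/.2 pair reaches either way, but use the same mask on both ends.

```ios
! Step 1: install the agent OVA already copied to flash
virtual-service install name sln package flash:sln.ova
!
! Step 2: port groups (addresses as on the slide)
interface VirtualPortGroup1
 description Management interface (container eth0)
 ip address 172.18.21.1 255.255.255.252
interface VirtualPortGroup2
 description Data interface (container eth1, NetFlow target)
 ip address 192.168.0.1 255.255.255.252
!
! Step 3: bind the vNICs and activate
virtual-service sln
 vnic gateway VirtualPortGroup1
 vnic gateway VirtualPortGroup2
 activate
!
! Step 4 is done on the container console, not in IOS config:
!   virtual-service connect name sln console
!   eth0 172.18.21.2/30 gateway 172.18.21.1, eth1 192.168.0.2/30
!
! Step 5: SSH. The agent drives the router over SSH/CLI to apply
! mitigation, so give it its own account (name and privilege level are
! assumptions) and only let the container and the Manager reach the vtys.
ip domain-name branch.example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username sln-agent privilege 15 algorithm-type scrypt secret REPLACE-ME
ip access-list standard SLN-SSH-SOURCES
 permit 172.18.21.2
 permit 10.10.10.20
 deny   any log
line vty 0 4
 login local
 transport input ssh
 access-class SLN-SSH-SOURCES in
!
! Step 6: NTP (server address is an assumption); the Manager correlates
! timestamps across agents, so do not skip it
ntp server 10.10.10.5
!
! Step 7: Flexible NetFlow exported to the container's data interface.
! Port 2055 and the record layout are assumptions; the SLN configuration
! guide lists the fields the agent actually requires.
flow record SLN-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
 collect application name
flow exporter SLN-EXPORTER
 destination 192.168.0.2
 source VirtualPortGroup2
 transport udp 2055
 template data timeout 60
flow monitor SLN-MONITOR
 exporter SLN-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
 record SLN-RECORD
interface GigabitEthernet0/0/1
 description WAN uplink (assumed)
 ip flow monitor SLN-MONITOR input
 ip flow monitor SLN-MONITOR output
!
! Step 8 is done in the Manager UI. Before that, verify from exec mode:
!   show virtual-service list
!   show virtual-service detail name sln
!   show flow exporter SLN-EXPORTER statistics
!   show flow monitor SLN-MONITOR cache
```

The access-class matters more than it looks: the agent account can change the router's forwarding behavior, so the only things that should be able to log in with it are the container's eth0 and the Manager's auto-provisioning scripts. The exporter statistics confirm records are actually leaving for 192.168.0.2; a zero count there is the first thing to check when the agent shows no traffic.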
Learning Network Manager – screenshot slides (Manager UI views):
• Dashboard View
• Dashboard Single Agent View
• Inbox Top Level View
• Inbox Facts View
• Inbox Conversations
• Inbox – Conversations – Host Details
• Inbox – Graph View
• Inbox – Cluster Details
• Inbox – Single Conversation
• Inbox – Conversations – Expanded
• Inbox – White List
• Learning Agents – View All
• Agent Expanded View
Stealthwatch Learning Network Expansion

                    Stealthwatch                                  Learning Network
Target Network      Enterprise network                            Branch network
Data Source         Aggregates data from many devices             Processes data from each router separately
Contexts            NetFlow, Syslog                               NetFlow, NBAR, DPI
Database            IP Connectivity Database                      Detected Anomaly Database
Detection           Analytics & Rules                             Distributed Machine Learning
Packet Capture      Triggered On Demand                           Automatic
Integration         ISE (identity & mitigation), AD integration   ISE (identity only)
Threat Intel Feed   SLIC Feed                                     Talos Threat Feed
Physical/Virtual    Delivered as Appliance or VM                  ISR 44xx & OVA for LXC or UCS-E
References

ZBFW – Resources For Your Reference

XE SYN cookie configuration guide:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/conf-fw-tcp-syn-cookie.html

XE – Zone Based Firewall configuration guide:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-zone-pol-fw.html

IOS – Zone Based Firewall configuration guide:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-mt/sec-data-zbf-15-mt-book.html

ISR TCP intercept configuration guide:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_tcp_intercpt.html
Snort IPS – Resources For Your Reference

• At-A-Glance
http://www.cisco.com/c/dam/en/us/products/collateral/security/router-security/at-a-glance-c45-735895.pdf

• Data Sheet
http://www.cisco.com/c/en/us/products/collateral/security/router-security/datasheet-c78-736114.html

• Ordering Guide
http://www.cisco.com/c/en/us/products/collateral/security/router-security/guide-c07-736115.html
Umbrella Branch (OpenDNS) – Resources For Your Reference

• Business Decision Maker (BDM):
http://www-author.cisco.com/c/dam/en/us/products/collateral/security/router-security/presentation-c97-737415.pptx

• At-A-Glance (AAG):
http://www-author.cisco.com/c/dam/en/us/products/collateral/security/router-security/at-a-glance-c45-737403.pdf

• Frequently Asked Questions (FAQ):
http://www-author.cisco.com/c/dam/en/us/products/collateral/security/router-security/q-and-a-c67-737410.pdf

• Cisco Umbrella Video:
https://youtu.be/CGeLQTWKaPQ
Firepower Threat Defense for ISR – Resources For Your Reference

• Configuration Guide – Firepower Threat Defense for ISR
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-3s/sec-data-utd-xe-3s-book.html#concept_0AC4C1AE8D714F1C9533FD3B383EC8AF

• Router Security – Firepower Threat Defense for ISR
http://www.cisco.com/c/en/us/products/security/router-security/firepower-threat-defense-isr.html

• Firepower Threat Defense for ISR 4K & G2 – IPS inline mode using UCS-E front panel port
https://supportforums.cisco.com/document/13016901/Firepower-threat-defense-isr-ips-using-front-panel-port-ucs-e

• Firepower Threat Defense for ISR 4K & G2 – IPS inline mode using VRF method
https://supportforums.cisco.com/document/13050311/Firepower-threat-defense-isr-4k-g2-ips-inline-mode-using-vrf-method
SLNL – Resources For Your Reference

• Cisco Stealthwatch Learning Network License Configuration Guide
http://www.cisco.com/c/en/us/td/docs/security/sln/configuration/guide/Learning_Network_LicenseConfiguration_Guide.html
• Cisco Stealthwatch Learning Network License UCS E-Series Server Installation
http://www.cisco.com/c/en/us/td/docs/security/sln/installation/guide/Learning_Network_License_UCS_E_Server_Installation_Guide.html
• Cisco Stealthwatch Learning Network License UCS E-Series Server Quick Start Guide
http://www.cisco.com/c/en/us/td/docs/security/sln/quick_start/guide/Learning_Network_License_UCS_E_Server_Quick_Start_Guide.html
• Cisco Stealthwatch Learning Network License Virtual Service Installation Guide
http://www.cisco.com/c/en/us/td/docs/security/sln/installation/guide/Learning_Network_License_Virtual_Service_Installation_Guide.html
• Cisco Stealthwatch Learning Network License Virtual Service Quick Start Guide
http://www.cisco.com/c/en/us/td/docs/security/sln/quick_start/guide/Learning_Network_License_Virtual_Service_Quick_Start_Guide.html
Contact: Router-security@cisco.com
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could be a Winner

• Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle @jmckg
• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin

Complete Your Online Session Evaluation

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
• BRKSEC-2342 Branch Router Security – Thursday (10:30-12:00)
• BRKSEC-2809 Deciphering Malware's Use of TLS (without Decryption) – Thursday (10:30-12:00)
• BRKSEC-2010 Talos Insights: The State of Cyber Security – Thursday (1:00-2:30)
• LABSEC-2006 Cisco Umbrella (OpenDNS) - Walk-In Self-Paced

Q&A
Thank you
