BRKSEC-3007
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• WAN Edge Secure Gateway - Solution Components
• Threat Landscape & Threat Analysis
• Technical Deep Dive – Zone Based Firewall
• Technical Deep Dive – Snort IPS
• Technical Deep Dive – SLNL
• Q/A
Changes @ Branch Lead to Security Challenges
“30% of advanced targeted threats specifically target branch offices as an entry point.”
WAN Edge Secure Gateway Accelerates DIA Deployments
[Figure: ISR4K at the Branch providing Direct Internet Access to the Public Cloud. Use cases: Compliance, Guest Access, SaaS, Direct Cloud Access, Direct Internet Access. The security components per use case are drawn from Zone Based Firewall, Snort IPS, Umbrella, URL Filtering, Firepower NGIPSv [OR] Umbrella SIG, and Anomaly Detection, with a Risk marker per use case.]
WAN Edge Secure Gateway
Solution Components
[Figure: solution components on the ISR4K, built on Trustworthy Systems]
• Scalable, Strong Encryption: Site-to-site VPN, Remote Access VPN
• FW, IPS, AMP, Threat Grid, Application Visibility, CASB: NGIPSv, Umbrella Branch, SIG
• NaaE, ISE, TrustSec: NaaS/Stealthwatch, SLNL
Learn more: BRKARC-1010 “Protecting the Device: Cisco Trustworthy Systems & Embedded Security”
Threat Landscape & Analysis
Threat Landscape
• Cyber Warfare
• Nation-State Sponsored
• Organized Crime / Targeted Attacks
• Financially Motivated
Types of Threats
• Security bug / Vulnerability
  e.g.: Heartbleed, SMBv1 vulnerability, IKEv1 vulnerability, SQL Injection, Buffer Overflow, Cross-site request forgery, Cross Site Scripting (XSS)
• Malware
  • Viruses, Worms, Trojans
  • Phishing, Adware, Spyware, Scareware
  • Keyloggers, Backdoors, Exploits, Rootkits
  • Ransomware
• Denial of Service
  e.g.: Dyn Attack (Oct 2016)
• Botnets
  e.g.: LinkedIn attack (Aug 2016), Deutsche Telekom (Nov 2016)
• Social Engineering
Recent High Profile Incidents
• DDoS
  • Dyn attack
  • Mirai Botnet
• Ransomware
  • CryptoLocker, CryptoWall
  • WannaCry (>150 countries, >230,000 computers within a day)
• Malware
  • Stuxnet
• Yahoo! Data breach
  • 1 billion user accounts
NSA Hacking Tools Released by Shadow Brokers
Codename | Vulnerability | Addressed By
“EternalBlue” | Remote Exploit via SMB & NBT (Windows XP to Windows 2012) | MS17-010
“EmeraldThread” | Remote code execution vulnerability in Windows Print Spooler Service | MS10-061
“EternalChampion”, “EternalSystem” | Remote exploit up to Windows 8 and 2012 | CVE-2017-0146 & CVE-2017-0147
“ErraticGopher” | Microsoft SMB Remote Code execution vulnerability in Microsoft Windows 2003 and XP | Addressed prior to the release of Windows Vista
“EskimoRoll” | Elevation of Privilege exploit in Kerberos | MS14-068
“EternalRomance” | Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445) | MS17-010
“EsteemAudit” | Remote Desktop Protocol (RDP) exploit for Windows 2003 and XP |
Digging Deeper – WannaCry Ransomware
Malware Analysis
Uses “EternalBlue”* exploit to enter
Heavily scans over TCP 445 (SMB) – Port 139 is also vulnerable
Scans internal & external facing hosts across the Internet to spread
Mitigations
Mitigation and Prevention
Multi-Layer, Multi-Level Approach
[Figure: multi-layer defence spanning the Enterprise Network (PoS, Employee), the WAN, the Internet and the Public Cloud.]
Technical Deep Dive
Zone Based Firewall
Zone Based Firewall
Data Plane Security using Zone Based Firewall
Permit trusted traffic
URL Filtering
DoS Mitigation
Resource Management
Log traffic
Multi Tenancy
• Build a comprehensive security solution to protect user services
• Using ZBFW provides a standardized framework for all security based features
• Session will cover design considerations and the resources section will have configuration examples
Data Plane Security – Identifying Traffic
[Figure: identifying traffic. G0/0/2.20 faces the Client, G0/0/3 faces the Internet. Client HTTP, SMTP and FTP flows leave towards an SMTP Server and an HTTP Server on the Internet side.]
Access-lists (ACLs) as a Security Solution
IOS-FW(config)# ip access-list extended 100
IOS-FW(config-ext-nacl)#permit tcp any any ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  fin          Match on the FIN bit
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  rst          Match on the RST bit
  syn          Match on the SYN bit
  established  Match established connections
  fragments    Check non-initial fragments
  ttl          Match packets with given TTL value

IOS-FW(config)# ipv6 access-list IN->OUT_IPv6
IOS-FW(config-ipv6-acl)#permit any any ?
  routing      Routing header (all types)

• syn, fin, rst, ack – Only matches TCP flag
  – Not truly stateful
• established – Only matches on ACK and RST flag
  – Not truly stateful
• fragments – prevent fragments from entering network
  – heavy handed prevention of fragmentation attacks
• ttl – restrict how far into the network traffic can pass
  – prevent control traffic from leaving the network
• routing – restrict loose source routing
  – prevent clients from choosing their routing path
Access-group and Access-list Limitations
[Figure: Client behind G0/0/2.20; Webserver and Attacker on the Internet side of G0/0/3.]
How do we differentiate between Webserver Response and Attacker traffic?

ip access-list extended IN->OUT
 permit tcp host Client any eq 80

ip access-list extended OUT->IN
 permit tcp any eq 80 host Client
Firewall – Basic Functionality
[Figure: TRUSTED side with the Client, UNTRUSTED side (Internet) with the Webserver and the Attacker. The HTTP Request leaves and the HTTP Response returns; the Attacker's malicious traffic is blocked.]
Firewall prevents malicious traffic from entering the network by tracking connections.
Zone Based Firewall
Overview
• Recommended IOS Dataplane Security solution
• Policies are applied to zones
• Zones are applied to interfaces
• Allows for scalable security policy
• Zone policies are directional
• Matches initial packet of the flow
  • TCP – matches SYN
  • Non-TCP – matches any packet
• Custom zone
• default zone
  • “default” security zone for all INSIDE interfaces
  • Default Zone has been in IOS-XE, first support on ISR-G2 starting 15.6(1)T.
• Self Zone
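The ACL limitation slide and the zone-based overview above describe behaviour that is easiest to see in a small model. The following is an added example (not code from the deck or from Cisco IOS): it models zones on interfaces, directional zone-pairs, policy matched on the initial packet only (a bare SYN for TCP), and sessions built only by the inspect action, then replays the Client / Webserver / Attacker scenario against both the stateless OUT->IN ACL and the firewall. The interface names follow the deck; the addresses and the route function are constructed.

```python
from dataclasses import dataclass

CLIENT = "10.20.20.20"   # PC1 in the deck's EMPLOYEE subnet (constructed scenario)


@dataclass(frozen=True)
class Packet:
    iface: str       # ingress interface
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def stateless_acl_out_in(pkt):
    """The slide's OUT->IN ACL, 'permit tcp any eq 80 host Client': it only sees
    ports, so anything sourced from port 80 is permitted, web server or attacker."""
    return pkt.proto == "tcp" and pkt.sport == 80 and pkt.dst == CLIENT


class ZoneFirewall:
    """Zone-based model: zones on interfaces, directional zone-pairs, policy
    evaluated on the initial packet, sessions created only by 'inspect'."""

    def __init__(self, route):
        self.route = route      # callable: destination address -> egress interface
        self.zone_of = {}       # interface -> zone
        self.pairs = {}         # (src_zone, dst_zone) -> [(match_fn, action), ...]
        self.sessions = set()   # 5-tuples created by the inspect action

    def zone_member(self, iface, zone):
        self.zone_of[iface] = zone

    def zone_pair(self, src_zone, dst_zone, classes):
        """classes is an ordered list of (match_fn, action) with action one of
        'inspect', 'pass', 'drop'. Anything unmatched hits class-default drop."""
        self.pairs[(src_zone, dst_zone)] = classes

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets belonging to an inspected session are allowed in both directions.
        if key in self.sessions or reverse in self.sessions:
            return "forward"
        src_zone = self.zone_of.get(pkt.iface)
        dst_zone = self.zone_of.get(self.route(pkt.dst))
        if src_zone is None or dst_zone is None:
            return "drop"       # zone member <-> non-member interface is dropped
        policy = self.pairs.get((src_zone, dst_zone))
        if policy is None:
            # No zone-pair: intra-zone traffic and traffic to/from the self zone are
            # allowed (the self zone needs an explicit deny); other zones are denied.
            allowed = src_zone == dst_zone or "self" in (src_zone, dst_zone)
            return "forward" if allowed else "drop"
        # Policy is matched on the initial packet of a flow only: for TCP that is
        # a bare SYN, for non-TCP any packet can open the flow.
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "drop"
        for match, action in policy:
            if match(pkt):
                if action == "inspect":
                    self.sessions.add(key)   # build the connection; return path now allowed
                return "drop" if action == "drop" else "forward"
        return "drop"           # implicit class-default drop


def demo():
    """The slide's scenario: the client's HTTP request and the real web server's
    reply pass; the attacker sourcing from port 80 passes the ACL but not the firewall."""
    fw = ZoneFirewall(route=lambda dst: "G0/0/2.20" if dst.startswith("10.20.20.") else "G0/0/3")
    fw.zone_member("G0/0/2.20", "EMPLOYEE")
    fw.zone_member("G0/0/3", "INTERNET")
    fw.zone_pair("EMPLOYEE", "INTERNET",
                 [(lambda p: p.proto == "tcp" and p.dport == 80, "inspect")])
    request = Packet("G0/0/2.20", "tcp", CLIENT, 40000, "198.51.100.10", 80, "S")
    reply = Packet("G0/0/3", "tcp", "198.51.100.10", 80, CLIENT, 40000, "SA")
    attack = Packet("G0/0/3", "tcp", "203.0.113.5", 80, CLIENT, 40000, "S")
    return {
        "request": fw.process(request),
        "reply": fw.process(reply),
        "attack": fw.process(attack),
        "acl_reply": stateless_acl_out_in(reply),
        "acl_attack": stateless_acl_out_in(attack),
    }


if __name__ == "__main__":
    print(demo())
```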
Zone Policy Assignment and Scalability
• Same zone can be assigned to multiple interfaces
• Zone-pair policy can be reused
• Interface can only be part of one zone
• Zone-pairs permit traffic between two zones
• Traffic between same zones is optional and requires policy
• Traffic is specific to a zone-pair which allows for directed control
[Figure: Users on G0/0/2.20, G0/0/2.40 and G0/0/2.50 share zone EMPLOYEES; zone-pair source EMPLOYEES destination INTERNET reaches the Internet; zone-pair source EMPLOYEES destination EMPLOYEES covers traffic between the user interfaces.]
Zone Policy Assignment and Scalability
[Figure: Users on G0/0/2.50 in the default zone; zone-pair source default destination INTERNET.]
ISR4(config)#zone security ?
  WORD     Name of security zone
  default  Default zone
Zone Policy Assignment
Self Zone
• Pre-defined zone member
• Protects traffic to and from router
• Traffic sourced or destined to router
• Excludes NAT traffic
• Two differences
  1. Pre-defined and available for use
  2. Reverse functionality of zones
     • Explicit allow compared to explicit deny
Traffic handled by the Self Zone:
• Monitoring traffic: SNMP, Syslogs, Netflow
• Routing Protocols: EIGRP, OSPF, BGP
• Management traffic: SSH, Telnet, HTTP
• VPN: ESP, GRE, NAT-T, ISAKMP
Zone Based Firewall
Configuration Theory
Identifying Traffic using Class-maps
Identifying Traffic using Class-maps
Match-Any vs Match-All
Match-All: Access-list USER_ACL + ftp (the packet must match the access-list AND the ftp protocol)
Match-Any: Access-list USER_ACL || ftp (the packet matches the access-list OR the ftp protocol)
Identifying Traffic – Mixing and Matching
Take Action using Policy-Map
Inspect
• Builds connections for traffic
• Statefully examines the flow
• Allows return packets that match connection
• Preferred action for traffic
Actions shown: Inspect, Drop
Take Action using Policy-Map
Class-maps Order of Operation
Zone Based Firewall - Configuration
Live Action
[Figure: lab topology. Branch ISR 4451 with G0/0/2.20 (10.20.20.1, zone EMPLOYEE) serving PC1 10.20.20.20/24 through a switch, G0/0/2.30 (10.20.30.1/24, zone GUEST, VRF INET) serving PC2 10.20.30.30/24, and G0/0/3 (128.X.X.X, VRF INET) towards the Internet and Cisco Umbrella. MPLS to the HQ router 10.1.10.253, with Splunk at 10.1.10.253:8000 and Cisco Prime at 10.1.10.251.]
Zone Based Firewall - Configuration
zone security GUEST
zone security INTERNET
On-Box WebUI - Zone Based Firewall
Coming in XE 16.6.1 (July 2017)
Data Plane Security using Zone Based Firewall
URL/Content Filtering – Websense, Trend Micro
ip inspect name test http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter audit-trail
ip urlfilter urlf-server-log
ip urlfilter server vendor websense 192.168.15.15
interface FastEthernet0
ip address 192.168.5.10 255.255.255.0
ip inspect test in
Websense Configuration:
http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/110318-ciscoiosurlfiltering.html#steps
Trend Micro Configuration:
http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/white_paper_c89-492776.html
EOS/EOL:
http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/eol_c51-698205.html
Cisco Umbrella
Cisco Umbrella – Fast & Easy Deployment
Cisco Umbrella - Solution Overview
[Figure: the ISR4K sends the DNS Request (1) to Cisco Umbrella and receives the DNS Response (4); safe requests reach the Internet web servers, blocked requests do not.]
Cisco Umbrella – Configuration
Step 1 – Configure local domain and token (optional)
Router(config)#parameter-map type regex dns_bypass
Router(config-profile)#pattern www.cisco.com
Router(config-profile)#pattern .*eisg.cisco.*
Router(config)#parameter-map type opendns global
Router(config-profile)#token 0F32C32FEC26991C2B562D3C7FF844E0001C70E7
Router(config-profile)#local-domain dns_bypass

Step 2 – Certificate import (mandatory for device registration via https)
Router(config)#crypto pki trustpool import terminal
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
30820494 3082037C A0030201 02021001 FDA3EB6E CA75C888 438B724B
….
quit

Step 3 – Enable Cisco Umbrella “out” and “in” with a tag
Router(config)#interface g0/0/0
Router(config-if)#opendns out
Router(config)#interface g0/0/1
Router(config-if)#opendns in Guest
(“umbrella in Guest” starting 16.6.1)
Zone Based Firewall – DMVPN tunnel outbound “FROM” the router
[Figure: INTERNET security zone on G0/0/3 (128.X.X.X, VRF INET) with DMVPN tunnel T1 10.1.20.3 (Tunnel Key 1000) to HQ; EMPLOYEE security zone on G0/0/2.20 (10.20.20.1); GUEST security zone on G0/0/2.30 (10.20.30.1, VRF INET); the IOS Zone Firewall sits between them.]

ip access-list extended SELF-INTERNET-ESP
 permit esp any any
class-map type inspect match-any SELF-INTERNET-ESP
 match access-group name SELF-INTERNET-ESP

ip access-list extended SELF-INTERNET-udp
 permit udp any any eq isakmp
 permit udp any any eq domain
class-map type inspect match-any SELF-INTERNET-udp-class
 match access-group name SELF-INTERNET-udp

ip access-list extended SELF-INTERNET-tcp
 permit tcp any any eq 443
class-map type inspect match-any SELF-INTERNET-tcp-class
 match access-group name SELF-INTERNET-tcp

policy-map type inspect SELF-INTERNET-policy
 class type inspect SELF-INTERNET-ESP
  pass
 class type inspect SELF-INTERNET-udp-class
  inspect
 class type inspect SELF-INTERNET-tcp-class
  inspect
 class class-default
  drop

zone-pair security SELF-INTERNET source self destination INTERNET
 service-policy type inspect SELF-INTERNET-policy
Cisco Umbrella – Provisioning (Prime Infrastructure)
On-Box WebUI – Cisco Umbrella
Coming in XE 16.6.1 (July 2017)
Data Plane Security using Zone Based Firewall
Permit trusted traffic
URL/Content Filtering
DoS Mitigation
Resource Management
Log traffic
Multi Tenancy
Mitigation of DoS attack on IOS-XE
Spoofed SYNs to Server
[Figure: an Attacker PC on the Internet (zone INTERNET) sends spoofed SYNs through the ISR (self zone) to a Server behind the EMPLOYEE zone; a Laptop is a legitimate EMPLOYEE client.]
By default both server and the firewall need to allocate memory to track the TCP connection from when the SYN is received.
SYN Cookie Protection Packet Flow
1. Client initiates a SYN
2. SYN/ACK (the firewall answers with a SYN cookie instead of allocating connection state)
3. ACK ----------------------->
If the SYN is spoofed, then the firewall will never receive an ACK and no resources will be wasted.
What is in the Cookie?
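The packet flow above and the "What is in the Cookie?" slide are modelled here in an added example (not code from the deck, and not how IOS-XE builds its cookie): a naive firewall that allocates state on every SYN is compared with a SYN-cookie firewall whose SYN/ACK sequence number is a keyed hash of the connection tuple plus a minute counter, so memory is allocated only when a valid ACK arrives. The cookie layout, the secret, the fixed clock and all addresses are constructed.

```python
import hashlib
import hmac
import time


class NaiveFirewall:
    """Baseline from the slide: state is allocated as soon as a SYN arrives."""

    def __init__(self):
        self.half_open = {}

    def on_syn(self, src, sport, dst, dport):
        self.half_open[(src, sport, dst, dport)] = "SYN_RCVD"   # one entry per SYN, spoofed or not
        return len(self.half_open)


class SynCookieFirewall:
    """SYN cookie mode: the SYN/ACK sequence number encodes a keyed hash of the
    connection tuple and a coarse timestamp, so nothing is stored until an ACK
    proves the client is real. The 24-bit MAC + 8-bit minute layout is an assumption."""

    def __init__(self, secret, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.established = set()

    def _cookie(self, src, sport, dst, dport, minute):
        msg = f"{src}:{sport}>{dst}:{dport}|{minute}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (int.from_bytes(mac[:3], "big") << 8) | (minute & 0xFF)   # fits a 32-bit ISN

    def on_syn(self, src, sport, dst, dport):
        """Step 2 of the slide: answer with a SYN/ACK carrying the cookie, keep no state."""
        minute = (int(self.clock()) // 60) & 0xFF
        return self._cookie(src, sport, dst, dport, minute)

    def on_ack(self, src, sport, dst, dport, ack_num):
        """Step 3: the ACK must acknowledge cookie+1; only then is state allocated."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        minute = cookie & 0xFF
        now_minute = (int(self.clock()) // 60) & 0xFF
        if (now_minute - minute) & 0xFF > 1:            # cookie older than about a minute
            return False
        if cookie != self._cookie(src, sport, dst, dport, minute):
            return False                                # forged, or replayed for another tuple
        self.established.add((src, sport, dst, dport))
        return True


def demo(spoofed=1000):
    """Spoofed SYN flood against both firewalls, then one legitimate handshake."""
    naive = NaiveFirewall()
    cookie_fw = SynCookieFirewall(b"constructed-secret", clock=lambda: 1_500_000_000)
    server = ("10.20.20.50", 80)                         # constructed server behind the firewall
    for i in range(spoofed):                             # spoofed sources never answer the SYN/ACK
        src = f"203.0.113.{i % 250 + 1}"
        naive.on_syn(src, 1024 + i, *server)
        cookie_fw.on_syn(src, 1024 + i, *server)
    client = ("198.51.100.7", 40000)                     # the one real client
    isn = cookie_fw.on_syn(*client, *server)
    return {
        "naive_half_open": len(naive.half_open),
        "cookie_state_during_flood": len(cookie_fw.established),
        "forged_ack": cookie_fw.on_ack(*client, *server, ack_num=isn + 2),
        "wrong_tuple": cookie_fw.on_ack("198.51.100.8", 40000, *server, ack_num=isn + 1),
        "legit_ack": cookie_fw.on_ack(*client, *server, ack_num=isn + 1),
        "cookie_state_after": len(cookie_fw.established),
    }


if __name__ == "__main__":
    print(demo())
```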
SYN Cookie Protection Configuration
Limitation
Because a ‘default’ zone does not support zone type parameter map,
you cannot configure the Firewall TCP SYN Cookie feature for a default zone.
Sample Configuration – Host Protection
Sample Configuration – Session Table Protection
Firewall session table protection for global routing domains:
Spoofing Attack Mitigation
uRPF configuration example
• Strict mode
  • The source address is in the Forwarding Information Base (FIB) and reachable only through the interface on which the packet was received
  Router(config)# interface G0/0/2.20
  Router(config-if)# ip verify unicast source reachable-via rx
• Loose mode
  • If the source address is in the FIB and reachable through any interface on the router
  • Used for asymmetric routing or multi-homed ISP connections
  Router(config)# interface G0/0/2.20
  Router(config-if)# ip verify unicast source reachable-via any
IP Fragmentation Attacks
[Figure: an Original Packet (IP Header + TCP Header + Data) compared with three fragmentation attacks: Tiny Fragment (the TCP header is split so the first fragment carries only part of it), Overlapping Fragments (Fragment 2's data overlaps Fragment 1's), and Buffer Overflow (the reassembled fragments exceed the receive Buffer).]
IP Fragmentation Attack Mitigation
• IP Virtual Fragment Reassembly (VFR) Configuration
• Enabling VFR
Router(config)# interface G0/0/3
Router(config-if)# ip virtual-reassembly
• Restricting the number of concurrent IP datagrams
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in max-reassemblies 64
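The three fragmentation attacks from the figure and the VFR limit of 64 concurrent reassemblies are modelled in this added example (not the deck's or IOS-XE's code): a per-datagram reassembler that rejects a tiny first TCP fragment, an overlapping fragment and an oversize datagram, caps the number of datagrams in flight, and otherwise returns the reassembled payload even when fragments arrive out of order. The 20-byte minimum for a first TCP fragment and all sample fragments are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_DATAGRAM = 65535   # largest IPv4 datagram; anything reassembling past it is an overflow


@dataclass(frozen=True)
class Fragment:
    dgram_id: int     # IP Identification field shared by all fragments of a datagram
    offset: int       # byte offset into the original payload (fragment offset * 8)
    more: bool        # More Fragments flag
    proto: str        # "tcp" or "udp"
    data: bytes


@dataclass
class _Pending:
    pieces: dict = field(default_factory=dict)   # offset -> data
    total: Optional[int] = None                  # known once the last fragment arrives


class VirtualReassembler:
    """Model of VFR: fragments are buffered per datagram, checked for the three
    attacks on the slide, and released as one payload when complete."""

    def __init__(self, max_reassemblies=64, min_first_tcp=20):
        self.max_reassemblies = max_reassemblies   # 'max-reassemblies 64' on the slide
        self.min_first_tcp = min_first_tcp         # first TCP fragment must hold the header (assumed threshold)
        self.pending = {}                          # dgram_id -> _Pending
        self.drops = []                            # (dgram_id, reason)

    def _drop(self, frag, reason):
        self.pending.pop(frag.dgram_id, None)      # discard everything buffered for that datagram
        self.drops.append((frag.dgram_id, reason))
        return None

    def accept(self, frag):
        """Feed one fragment; return the reassembled payload when complete, else None."""
        end = frag.offset + len(frag.data)
        # Tiny fragment: a first TCP fragment too short to carry the TCP header, so the
        # ports and flags would sit in a later fragment that an ACL never examines.
        if frag.proto == "tcp" and frag.offset == 0 and frag.more and len(frag.data) < self.min_first_tcp:
            return self._drop(frag, "tiny-fragment")
        # Buffer overflow: the fragment claims to land beyond the maximum datagram size.
        if end > MAX_DATAGRAM:
            return self._drop(frag, "buffer-overflow")
        pend = self.pending.get(frag.dgram_id)
        if pend is None:
            if len(self.pending) >= self.max_reassemblies:
                return self._drop(frag, "max-reassemblies")   # protect the router's own memory
            pend = self.pending[frag.dgram_id] = _Pending()
        # Overlapping fragment: new data would rewrite bytes already received.
        for off, data in pend.pieces.items():
            if frag.offset < off + len(data) and off < end:
                return self._drop(frag, "overlapping-fragment")
        pend.pieces[frag.offset] = frag.data
        if not frag.more:
            pend.total = end
        if pend.total is None:
            return None
        pos = 0                                    # complete only if contiguous from 0 to total
        for off in sorted(pend.pieces):
            if off != pos:
                return None
            pos = off + len(pend.pieces[off])
        if pos != pend.total:
            return None
        del self.pending[frag.dgram_id]
        return b"".join(pend.pieces[o] for o in sorted(pend.pieces))


def demo():
    """Constructed fragments: one clean datagram and one of each attack from the slide."""
    vfr = VirtualReassembler(max_reassemblies=64)
    tcp_hdr = bytes(20)                            # placeholder 20-byte TCP header
    body = b"GET / HTTP/1.0\r\n\r\n"
    first = vfr.accept(Fragment(1, 0, True, "tcp", tcp_hdr))
    normal = vfr.accept(Fragment(1, 20, False, "tcp", body))
    tiny = vfr.accept(Fragment(2, 0, True, "tcp", tcp_hdr[:8]))
    vfr.accept(Fragment(3, 0, True, "tcp", tcp_hdr + body))
    overlap = vfr.accept(Fragment(3, 20, False, "tcp", b"evil"))
    big = vfr.accept(Fragment(4, 65528, False, "udp", bytes(16)))
    return {"first": first, "normal": normal, "tiny": tiny, "overlap": overlap,
            "big": big, "drops": [reason for _, reason in vfr.drops]}


if __name__ == "__main__":
    print(demo())
```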
Data Plane Security using Zone Based Firewall
Permit trusted traffic
URL/Content Filtering
DoS Mitigation
Resource Management
Log traffic
Multi Tenancy
Resource Management Config
[Figure: a PC in zone GUEST and hosts in zone EMP​LOYEE reaching a Server; the GUEST zone is the one whose sessions are limited by the parameter-map.]
Resource Management Config
zone security GUEST
zone security INTERNET
parameter-map type inspect GUEST-PRAM-MAP
 sessions maximum 1000
interface G0/0/3
 zone-member security INTERNET
interface g0/0/2.30
 zone-member security GUEST
Resource Management Config (VRF based)
[Figure: a PC in zone GUEST inside VRF GUEST; the Internet inside VRF INET.]
zone security GUEST
zone security INTERNET
Data Plane Security using Zone Based Firewall
Permit trusted traffic
URL/Content Filtering
DoS Mitigation
Resource Management
Log traffic
Multi Tenancy
Logging Dropped Packets
• Dropped logging is enabled in two ways:
  1. Parameter-map globally
     • Does not affect drop actions
     parameter-map type inspect-global
      log dropped-packets
  2. With drop action
     • Logs only traffic in class-map
     policy-map type inspect GUEST-INTERNET-POLICY
      class class-default
       drop log
Logging New Connections
• Logging new connections is not on by default
parameter-map type inspect LOG_CONNECTION_PARAM
audit-trail on
• Processor intensive
• Interrupt driven messages can cause high CPU
• Similar to log keyword on ACLs
Logging New Connections and Dropped packets
zone security GUEST
zone security INTERNET
parameter-map type inspect-global
 log dropped-packets
 log flow-export v9 udp destination 10.0.2.0 5000
 log flow-export template timeout-rate 5000
parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on
class-map type inspect match-any GUEST-INTERNET-CLASS
 match protocol dns
 match protocol http
 match protocol https
interface G0/0/3
 zone-member security INTERNET
interface g0/0/2.30
 zone-member security GUEST
High Speed Logging (HSL)
parameter-map type inspect-global
log dropped-packets
log flow-export v9 udp destination 10.0.2.0 5000
log flow-export template timeout-rate 5000
High Speed Logging (HSL)
zone security GUEST
zone security INTERNET
parameter-map type inspect-global
 log dropped-packets
 log flow-export v9 udp destination 10.0.2.0 5000
 log flow-export template timeout-rate 5000
parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on
 alert on
 one-minute high 10000
 tcp max-incomplete host 100
class-map type inspect match-any GUEST-INTERNET-CLASS
 match protocol dns
 match protocol http
 match protocol https
policy-map type inspect GUEST-INTERNET-POLICY
 class type inspect GUEST-INTERNET-CLASS
  inspect LOG_CONNECTION_PARAM
 class class-default
  drop log
interface G0/0/3
 zone-member security INTERNET
interface g0/0/2.30
 zone-member security GUEST
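The HSL configuration above streams firewall events as NetFlow v9 to the collector at 10.0.2.0 port 5000. The following is an added example (not code from the deck or from Cisco) of the collector side: it parses a v9 export packet, template flowset first, then decodes the data records and picks out the denied flows. The field set used for the template is an assumption drawn from the RFC 3954 / IANA registry (including firewallEvent, element 233); the actual HSL template layout is not on the page, and the export packet is constructed inline.

```python
import ipaddress
import struct

# NetFlow v9 field types from RFC 3954 / the IANA IPFIX registry. Which of these a
# Cisco HSL template actually exports is an assumption of this example.
FIELDS = {1: "in_bytes", 4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr",
          11: "l4_dst_port", 12: "ipv4_dst_addr", 233: "firewall_event"}
ADDR_FIELDS = {"ipv4_src_addr", "ipv4_dst_addr"}
FW_DENIED = 3      # IANA firewallEvent value meaning "flow denied"


def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet into (header, records).
    Pass the same `templates` dict for every packet from an exporter: a data
    flowset can only be decoded after its template flowset has been seen."""
    if templates is None:
        templates = {}
    version, count, _uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"count": count, "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    records = []
    pos = 20
    while pos + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[pos:pos + 4])
        if length < 4:
            raise ValueError("malformed flowset length")
        body = packet[pos + 4:pos + length]
        pos += length
        if flowset_id == 0:                                  # template flowset
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                off += 4
                spec = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
                off += 4 * nfields
                templates[(source_id, tid)] = spec
        elif flowset_id >= 256:                              # data flowset
            spec = templates.get((source_id, flowset_id))
            if spec is None:
                continue                                     # template not yet received: skip
            rec_len = sum(flen for _, flen in spec)
            off = 0
            while off + rec_len <= len(body):                # trailing bytes are padding
                rec = {}
                for ftype, flen in spec:
                    raw = body[off:off + flen]
                    name = FIELDS.get(ftype, f"field_{ftype}")
                    rec[name] = (str(ipaddress.IPv4Address(raw)) if name in ADDR_FIELDS
                                 else int.from_bytes(raw, "big"))
                    off += flen
                records.append(rec)
    return header, records


def denied_flows(records):
    """Pick out the flows the firewall denied: what 'log dropped-packets' produces."""
    return [(r["ipv4_src_addr"], r["ipv4_dst_addr"], r["l4_dst_port"])
            for r in records if r.get("firewall_event") == FW_DENIED]


def build_sample_export():
    """Constructed export such as the router might send to 10.0.2.0:5000: one template
    (id 256) and two records, a permitted HTTPS flow and a denied telnet flow from GUEST."""
    spec = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", t, l) for t, l in spec)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, event, nbytes):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBBI", sport, dport, proto, event, nbytes))

    data = (rec("10.20.30.30", "198.51.100.10", 51000, 443, 6, 1, 1500)
            + rec("10.20.30.30", "203.0.113.9", 51001, 23, 6, FW_DENIED, 60))
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3, 120000, 1496700000, 1, 0)   # count: 1 template + 2 records
    return header + template_fs + data_fs


if __name__ == "__main__":
    hdr, recs = parse_v9(build_sample_export())
    print(hdr, denied_flows(recs))
```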
Data Plane Security using Zone Based Firewall
Permit trusted traffic
URL/Content Filtering
DoS Mitigation
Resource Management
Log traffic
Multi Tenancy
Zone Based Firewall – Multi Tenancy
zone security CUSTOMER1
zone security INTERNET
parameter-map type inspect-global
 multi-tenancy
parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on
 alert on
 one-minute high 10000
 tcp max-incomplete host 100
class-map type inspect match-any CUSTOMER1-INTERNET-CLASS
 match protocol dns
 match protocol http
 match protocol https
policy-map type inspect CUSTOMER1-INTERNET-POLICY
 class type inspect CUSTOMER1-INTERNET-CLASS
  inspect
 class class-default
  drop
Zone Based Firewall – Multi Tenancy
Syslogs enhanced to include customer vrf information
CloudUTD for SOHO/SMB – ZBF Multi Tenancy
[Figure: SOHO/SMB customers connect over the Internet to an SP Data Center that hosts the Security Components.]
• Multi-tenant architecture
• No service chaining
• Low footprint
• Easy service creation
• No dedicated security appliance
• ThinCPE
Control Plane Security
Control Plane Policing
Police inbound UDP traffic to 16 Kbps
policy-map CoPP
class UDP
police 16000 conform-action transmit exceed-action drop violate-action drop
control-plane
service-policy input CoPP
Punt Policing and Monitoring
Punt policing frees the RP from having to process noncritical traffic.
• Global Configuration
  platform punt-police queue 20 9000 10000
• Per Interface Configuration (PPS) – NEW in XE 16.4.1
  interface G0/0/3
   punt-control enable 20
Management Plane Security
Management Plane Protection
Technical Deep Dive
Snort IPS
Use Case: Meet PCI Compliance
[Figure: two feature sets, MVP (FW, IPS) and NGFW (NGIPS, AMP, URL Filtering, AVC). Branch Employees reach the Enterprise Network over a VPN Tunnel and the Internet directly (Corporate + Internet Traffic).]
Snort IPS – Container Architecture
[Figure: Snort IPS container architecture. The container is attached to the Control Plane and, through allocated Virtual Ethernet interfaces, to the Data Plane; the Data Plane Traffic Path passes through it.]
Snort IDS/IPS – Widely deployed IPS in the world
• Over 4 million downloads
• 500,000 registered users
Solution requires:
• ISR4K with 8G DRAM & Flash + SEC license
• Signature updates term subscriptions (1Y or 3Y)
Snort IPS – Signature Details
• Only the signatures hosted on cisco.com can be used
• Signatures are same as on snort.org but validated on ISR4K
• Community signature pack or paid yearly subscription pack
• Subscription signature pack is more exhaustive and up-to-date
• Only community signature set packaged with OVA
• No support for custom signatures
• Signature white list support
Snort Configuration –Virtual Service Networking
Container
- VPGs to communicate between container and data plane
- VPG1 <==> eth2 (data plane)
[Figure: container interfaces eth1, eth2 and eth3.]
Snort IPS - Configuration
Step 1 – TFTP OVA to flash and configure virtual service
Router#virtual-service install name myips package flash:utd.ova

Step 2 – Configure virtual portgroups
Router(config)#interface VirtualPortGroup0
Router(config-if)#description Management-Interface
Router(config-if)#ip address 172.18.21.1 255.255.255.252
Router(config)#interface VirtualPortGroup1
Router(config-if)#description Data-Interface
Router(config-if)#ip address 192.168.0.1 255.255.255.252

Step 3 – Activate virtual service
Router(config)#virtual-service myips
Router(config-virt-serv)#vnic gateway VirtualPortGroup0
Router(config-virt-serv-vnic)#guest ip address 172.18.21.2
Router(config-virt-serv-vnic)#exit
Router(config-virt-serv)#vnic gateway VirtualPortGroup1
Router(config-virt-serv-vnic)#guest ip address 192.168.0.2
Router(config-virt-serv-vnic)#exit
Router(config-virt-serv)#activate

Step 4 – Configuring UTD (service plane)
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#threat protection
Router(config-utd-engstd-insp)#policy security
Router(config-utd-engstd-insp)#signature update server cisco username <uname> password <paswd>
Router(config-utd-engstd-insp)#signature update occur-at daily 0 0
Router(config-utd-engstd-insp)#logging server 10.12.5.55 syslog level warning

Step 5 – Enabling UTD (data plane)
Router(config)#utd
Router(config-utd)#all-interfaces
Router(config-utd)#engine standard
Router(config-engine-std)#fail close
[OR]
Router(config)#interface GigabitEthernet0/0/0
Router(config-if)#utd enable

Step 6 – Whitelisting (Optional)
Router(config)#utd whitelist
Router(config-utd-whitelist)#signature id 15 comment test1
Router(config-utd-whitelist)#signature id 12 comment test2
Snort IPS – Configuration
Step 1 – Configure virtual service
virtual-service install name myips package flash:utd.ova

Step 2 – Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 ip address 172.18.21.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.168.0.1 255.255.255.252

Step 3 – Activate virtual service and configure
virtual-service myips
 vnic gateway VirtualPortGroup0
  guest ip address 172.18.21.2
 vnic gateway VirtualPortGroup1
  guest ip address 192.168.0.2
 activate

Step 4 – Configuring UTD (service plane)
utd engine standard
 threat-inspection
  threat protection                                   (protection-ips, detection-ids)
  policy security                                     (balanced, connectivity)
  logging server 10.12.5.55 syslog level warning
  signature update server cisco username <blah>
  signature update occur-at daily 0 0

Step 5 – Enabling UTD (data plane)
utd
 all-interfaces
 engine standard
  fail close

Step 6 – Whitelisting (optional)
utd whitelist
 signature id 12 comment test1
 signature id 15 comment test2
Snort IPS – Provisioning (Prime Infrastructure 3.1 and above)
Snort IPS/IDS – Management using on-box WEB UI
Coming in XE 16.6.1 (July 2017)
Configuration – Snort Engine OVA Upgrade
Step 1: Deactivate Snort IPS
• From config mode:
virtual-service myips
no activate
Configuration – Cisco Prime CLI Templates
Import Snort CLI Templates into Prime
From Prime Web UI, navigate to Configuration >> Templates >> Features & Technologies, click on "CLI Templates (User Defined)" and then click on "Import".
Snort IPS – Dynamic NAT Cleanup
Purpose: Use this template to delete previously configured NAT configuration for Snort IPS.
Snort IPS – Management Interface Cleanup
Purpose: Use this template to delete previously configured System Management interface (e.g. GigabitEthernet0) to route the Snort IPS Management traffic.
Snort IPS – Management & Monitoring
[Figure: (1) On-Box Management & Monitoring through the WEB-UI*; (2) Signature and Snort Engine update repository on cisco.com or a Local Signature Repository (http) On Premise; (3) a Management Tool in the Data Center (Prime Infrastructure, APIC-EM, IWAN APP) reaching the Branch ISR 4K over VPN, with Signature Update and Event Monitoring to Splunk. The lab topology is the one shown earlier: ISR 4451 with G0/0/2.20 (10.20.20.1, EMPLOYEE), G0/0/2.30 (10.20.30.1/24, GUEST, VRF INET) serving PC2 10.20.30.30/24, G0/0/3 (128.X.X.X, VRF INET) towards the Internet and Cisco Umbrella, and MPLS to the HQ router with Splunk at 10.1.10.253:8000 and Cisco Prime at 10.1.10.251.]
ISR4451#virtual-service install name myips package flash:iosxe-utd.16.04.01.SV2982.ova
ISR4451(config)#virtual-service myips
ISR4451(config-virt-serv)#activate
Snort IPS Troubleshooting - Check Virtual Service Status
ISR4451#show virtual-service list
Virtual Service List:
Name Status Package Name
------------------------------------------------------------------------------
myips Activated iosxe-utd.16.04.01.SV2982.ova
Snort IPS Troubleshooting
Verify Snort Configuration on the Container
ISR4451#show utd engine standard config
UTD Engine Standard Configuration:
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : cisco
User Name : kusankar
Password : EbVSH[CG[PeUHXTQHOXLSD\V^ULbPKLEb
Occurs-at : None
Logging:
Server : IOS Syslog; 10.1.10.253
Level : warning
ISR4451#show utd engine standard status
Engine version : 1.0.0_SV2982_XE_16_4
Profile : Low
System memory :
Usage : 8.40 %
Status : Green
Number of engines : 1
ISR4451#show virtual-service detail
Virtual service myips detail
State : Activated
Owner : IOSd
Package information
Name : iosxe-utd.16.04.01.SV2982.ova
Path : bootflash:/iosxe-utd.16.04.01.SV2982.ova
Application
Name : UTD-Snort-Feature
Installed version : 1.0.0_SV2982_XE_16_4
Description : Unified Threat Defense
Signing
  Key type          : Cisco development key
  Method            : SHA-1
Licensing
  Name              : Not Available
  Version           : Not Available
Detailed guest status
----------------------------------------------------------------------
Process               Status            Uptime           # of restarts
----------------------------------------------------------------------
climgr                UP                0Y 0W 0D  0:27: 3   2
logger                UP                0Y 0W 0D  0:26:50   0
snort_1               UP                0Y 0W 0D  0:26:50   0
(All three processes should show “UP”.)
Network stats:
eth0: RX packets:1625, TX packets:6
eth1: RX packets:358, TX packets:6
---- snipped details ----
Snort IPS – Two ways to update the signature pkg
From configuration mode:
ISR4451(config)# utd engine standard
ISR4451(config-utd-eng-std)# threat-inspection
ISR4451(config-utd-engstd-insp)# signature update server cisco username kusankar password VKec\JASXPAUESLUN
[OR]
ISR4451(config)# utd engine standard
ISR4451(config-utd-eng-std)# threat-inspection
ISR4451(config-utd-engstd-insp)# signature update server url http://1.2.3.4/path
From exec mode (overrides what is configured in config mode):
ISR4451# show utd engine standard threat-inspection signature update status
Current Signature package version: 29.0.c
Current Signature package name: default
Previous Signature package version: None
Last update status: Failed
Last failure Reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Last successful update method: None
Last successful update server: None
Last successful update time: None
Last successful update speed: None
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Jun 6 18:28:18 2017 PDT
Last attempted update method: Manual
Last attempted update server: cisco
Last attempted update time: Tue Jun 6 18:28:18 2017 PDT
Total num of updates successful: 0
Num of attempts successful: 0
Num of attempts failed: 1
Total num of attempts: 1
Next update scheduled at: None
Current Status: Idle
Snort IPS – Unable to update signature pkg
(Topology diagram) ISR-4451 with the UTD container: container Eth1 172.18.0.2 pairs with VirtualPortGroup0 172.18.0.1, container eth2 pairs with VirtualPortGroup1; G0/0/3 faces Internet/VPN in VRF INET; G0/0/0.20 carries the Employee segment.
The gaierror(-2, 'Name or service not known') in the status output above is a DNS lookup failure from inside the container: the signature download is made by the container itself, so the VirtualPortGroup0 subnet needs a route towards the Internet (routable or NATed; in this topology the exit is the INET VRF on G0/0/3) and a DNS server the container can reach. Fix name resolution, re-run the update and check the status again.
Full Snort IPS configuration – Head Quarters CSR
Snort IPS Troubleshooting - Verify Snort Signature Update Status
ISR4451#show utd engine standard threat-inspection signature update status
Current Signature package version: 29.0.c
Current Signature package name: default
Previous Signature package version: None
Last update status: Failed
Last failure Reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Last successful update method: None
Last successful update server: None
Last successful update time: None
Last successful update speed: None
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Jun 6 18:35:04 2017 PDT
Last attempted update method: Manual
Last attempted update server: cisco
Last attempted update time: Tue Jun 6 18:35:04 2017 PDT
Total num of updates successful: 0
Num of attempts successful: 0
Num of attempts failed: 2
Total num of attempts: 2
Next update scheduled at: None
Current Status: In-progress
Snort IPS – Signature pkg update successful
ISR4451#show utd engine standard threat-inspection signature update status
Current Signature package version: 2982.14.s
Current Signature package name: UTD-STD-SIGNATURE-2982-14-S.pkg
Previous Signature package version: 29.0.c
Last update status: Successful
Last failure Reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Last successful update method: Manual
Last successful update server: cisco
Last successful update time: Tue Jun 6 18:36:18 2017 PDT
Last successful update speed: 2874800 bytes in 18 secs
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Jun 6 18:35:04 2017 PDT
Last attempted update method: Manual
Last attempted update server: cisco
Last attempted update time: Tue Jun 6 18:36:18 2017 PDT
Total num of updates successful: 1
Num of attempts successful: 1
Num of attempts failed: 2
Total num of attempts: 3
Next update schedule
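The three status outputs above tell the same story in three snapshots: the default package, a DNS failure, then a successful download. As an added example (not code from the session or from Cisco), the script below turns that output into a freshness check an operator can run across branch routers: it flags a router still on the default package, classifies the failure reason, and ages the last successful update. The samples are constructed, abridged copies of the slide outputs; the failure-class patterns other than gaierror, the seven-day threshold and the finding wording are assumptions.

```python
"""Assess Snort IPS signature freshness from
`show utd engine standard threat-inspection signature update status` (added example)."""
from datetime import datetime

# Constructed, abridged copies of the slide outputs: the failed attempt and the later success.
FAILED = """\
Current Signature package version: 29.0.c
Current Signature package name: default
Previous Signature package version: None
Last update status: Failed
Last failure Reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Last successful update method: None
Last successful update server: None
Last successful update time: None
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Jun 6 18:28:18 2017 PDT
Total num of attempts: 1
Next update scheduled at: None
Current Status: Idle
"""
SUCCESS = """\
Current Signature package version: 2982.14.s
Current Signature package name: UTD-STD-SIGNATURE-2982-14-S.pkg
Previous Signature package version: 29.0.c
Last update status: Successful
Last failure Reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Last successful update method: Manual
Last successful update server: cisco
Last successful update time: Tue Jun 6 18:36:18 2017 PDT
Last successful update speed: 2874800 bytes in 18 secs
Total num of attempts: 3
"""

# gaierror is the pattern the slide shows; the others are assumed strings from the
# Python requests/urllib3 stack that the container's updater appears to use.
FAILURE_CLASSES = (
    ("gaierror", "dns_resolution"),
    ("Connection refused", "tcp_refused"),
    ("timed out", "timeout"),
    ("CERTIFICATE_VERIFY_FAILED", "tls_verify"),
    ("401", "auth"),
)


def parse_status(text):
    """Split 'Key: value' lines into a dict; the first colon separates key from value."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def classify_failure(reason):
    """Map the failure-reason string to a coarse class; None if no failure recorded."""
    if not reason or reason == "None":
        return None
    for needle, label in FAILURE_CLASSES:
        if needle.lower() in reason.lower():
            return label
    return "unknown"


def parse_time(value):
    """'Tue Jun 6 18:28:18 2017 PDT' -> naive datetime (zone suffix dropped)."""
    if not value or value == "None":
        return None
    return datetime.strptime(" ".join(value.split()[:5]), "%a %b %d %H:%M:%S %Y")


def assess(text, now_iso, max_age_days=7):
    """Return the running package version plus a list of findings ([] = healthy)."""
    fields = parse_status(text)
    now = datetime.fromisoformat(now_iso)
    findings = []
    if fields.get("Current Signature package name") == "default":
        findings.append("still running the default signature package shipped in the OVA")
    if fields.get("Last update status") == "Failed":
        findings.append(f"last update failed: {classify_failure(fields.get('Last failure Reason'))}")
    last_ok = parse_time(fields.get("Last successful update time"))
    if last_ok is None:
        findings.append("no successful signature update recorded")
    elif (now - last_ok).days > max_age_days:
        findings.append(f"signatures are {(now - last_ok).days} days old")
    if fields.get("Next update scheduled at") == "None":
        findings.append("no periodic update scheduled (occurs-at not configured)")
    return {"package": fields.get("Current Signature package version"), "findings": findings}


if __name__ == "__main__":
    for name, sample in (("failed", FAILED), ("success", SUCCESS)):
        print(name, assess(sample, "2017-06-07T09:00:00"))
```

Note that "Last failure Reason" keeps the old error even after a success, so the check keys off "Last update status" rather than the presence of a reason string. The "Next update scheduled at: None" finding maps straight back to the "Occurs-at : None" line in the engine configuration earlier in this section.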
Configuration – Snort Engine OVA Upgrade
Step 1: Deactivate Snort IPS
• From config mode:
virtual-service myips
no activate
Snort IPS configuration – Branch ISR 4451
Snort IPS – Troubleshooting Commands
show virtual-service list
show utd engine standard config
show virtual-service detail
show platform hardware qfp active feature utd stats
show platform hardware qfp active feature utd config
show platform hardware qfp active feature utd stat divert
Snort IPS – Debug Commands
debug platform packet copy packet out size 2048
debug platform packet-trace enable
debug platform packet-trace packet 64 circular fia-trace
Note: optionally, UTD debugging can be enabled along with packet tracing:
debug platform condition feature utd dataplane submode divert level info
Packet Tracer
http://www.cisco.com/c/en/us/support/docs/content-networking/adaptive-session-redundancy-asr/117858-technote-asr-00.html
Technical Deep Dive – SLNL
Anomaly Detection
0-day Attacks & Vulnerabilities are still common
Date Released | Who did it?    | Target                | Attack type                              | Vulnerabilities Discovered
May 8, 2016   | Unknown        | Several               | MS Word embedded macros                  | Elevation of Privilege (EoP)
May 10, 2016  | Unknown        | Adobe Flash Player    | Flash exploit inside MS Office Documents | Remote code execution
Aug 13, 2016  | Shadow Brokers | Equation Group        | Unknown                                  | Several 0-day Vulnerabilities
Aug 25, 2016  | NSO Group      | Human Rights Activist | iPhone Remote Jailbreak                  | Three 0-day vulnerabilities
Sources: Verizon 2016 Data Breach Investigations Report; Cisco 2016 Midyear Cybersecurity Report
Anomaly Detection - Needle in a Haystack
Stealthwatch Portfolio: Learning Network
(Diagram) Components: Stealthwatch Labs Intelligence Center (SLIC) threat feed; Stealthwatch Management Console; Flow Collector; ISE (user and device information); Learning Network Manager; branch network flow-enabled infrastructure. The Stealthwatch Learning Network License adds anomaly detection & mitigation capabilities deployed in an ISR 4000.
Learning Network Components
Automating Security in your Branch Offices
(Diagram) ISE, Packet Analysis, Manager, Private / Public Network.
Basic Operation of the Learning Network
1. Discovers traffic paths
2. Builds map of IP addresses to learn about its environment
5. Learns to distinguish normal from anomalous
6. Precisely identifies anomaly; allows operator to take action to remediate
(steps 3 and 4 of the slide were not captured)
Use Case: DNS Tunneling
(Diagram: Before / After, Headquarters – Internet – Branch)
Use Case: New Application at the Branch
(Diagram: Before / After, Headquarters – Internet – Branch)
Before: A branch user opens an application developed to send data to a suspect Internet site.
After: The router-based security agent identifies the attempt to connect to a suspect site and drops the connection.
The Power of the Learning Network: What’s New?
(Comparison: Current Security Solutions vs Stealthwatch Learning Network License)
The Power of the Learning Network: Precision Detection
(Comparison: Traditional Anomaly Detection System vs Stealthwatch Learning Network License)
A Closer Look: ISR 4000 with Learning Agent
(Diagram) Control plane: IOSd and the Learning Agent, the agent running in a Linux Service Container on the Linux OS; data: platform-specific data plane.
A Closer Look: Learning Agent
(Diagram) The Learning Agent exchanges Anomaly Alerts, Mitigation and Trending Data with the Centralized Controller; it runs inside the Linux container on the router.
See All Your Branches from One Location
(Diagram; label: Identity Services Engine)
SLNL Deployment Requirements
* Install the Learning Manager first to make use of the scripts to auto provision Agents
SLNL Learning Agent – Provisioning (CLI)
Step 1. Install the virtual service
virtual-service install name sln package flash:sln.ova
Step 2. Configure Port Groups
interface VirtualPortGroup1
 description Management interface
 ip address 172.18.21.1 255.255.255.252
interface VirtualPortGroup2
 description Data interface
 ip address 192.168.0.1 255.255.255.252
Step 3. Configure & Activate virtual service
virtual-service sln
 vnic gateway VirtualPortGroup1
 vnic gateway VirtualPortGroup2
 activate
Step 4. Configure SLN Agent
virtual-service connect name sln console
Configure networking for eth0 & eth1 as follows:
 eth0 (routable subnet or NATed address): 172.18.21.2 / 255.255.255.0 / gateway 172.18.21.1
 eth1: 192.168.0.2 / 255.255.255.0
Note: the masks on this slide do not match (the VirtualPortGroups use 255.255.255.252, the agent interfaces 255.255.255.0); use the same mask on both ends of each pairing.
Step 5. Enable SSH
Step 6. Configure NTP
Step 7. Configure NetFlow
Step 8. Add Learning Agent to the Manager
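The router-side VirtualPortGroup and the container-side vNIC are the two halves of one point-to-point link, so their addressing has to agree; the slide itself shows a /30 on the router and a /24 in the agent. As an added example (not from the session or from the Cisco configuration guide), this small linter checks each pairing before the agent is connected: same mask, guest inside the router subnet, no duplicate or network/broadcast address, and the guest gateway equal to the VirtualPortGroup address. The address values are the ones on the slide; the check rules and the names are assumptions.

```python
"""Consistency check for VirtualPortGroup <-> container vNIC addressing (added example)."""
import ipaddress


def check_vnic_pair(vpg_ip, vpg_mask, guest_ip, guest_mask, guest_gw=None):
    """Return a list of problems for one router VPG / guest vNIC pairing ([] = consistent)."""
    router = ipaddress.IPv4Interface(f"{vpg_ip}/{vpg_mask}")
    guest = ipaddress.IPv4Interface(f"{guest_ip}/{guest_mask}")
    problems = []
    if router.network.prefixlen != guest.network.prefixlen:
        problems.append(f"mask mismatch: router {router.with_prefixlen} vs guest {guest.with_prefixlen}")
    if guest.ip not in router.network:
        problems.append(f"guest {guest.ip} is outside the router subnet {router.network}")
    elif guest.ip == router.ip:
        problems.append(f"guest address {guest.ip} duplicates the VirtualPortGroup address")
    elif router.network.prefixlen < 31 and guest.ip in (
            router.network.network_address, router.network.broadcast_address):
        problems.append(f"guest address {guest.ip} is the network or broadcast address")
    if guest_gw is not None and ipaddress.IPv4Address(guest_gw) != router.ip:
        problems.append(f"guest gateway {guest_gw} is not the VirtualPortGroup address {router.ip}")
    return problems


# Values from the SLNL provisioning slide above: /30 on the router side, /24 on the
# agent side, which the check reports for both pairings.
SLIDE_PAIRS = {
    "management": ("172.18.21.1", "255.255.255.252", "172.18.21.2", "255.255.255.0", "172.18.21.1"),
    "data": ("192.168.0.1", "255.255.255.252", "192.168.0.2", "255.255.255.0", None),
}


def validate_pairs(pairs):
    """Run check_vnic_pair over a {name: (vpg_ip, vpg_mask, guest_ip, guest_mask, gw)} map."""
    return {name: check_vnic_pair(*args) for name, args in pairs.items()}


if __name__ == "__main__":
    for name, problems in validate_pairs(SLIDE_PAIRS).items():
        print(name, problems or "ok")
```

The same check applies to the Snort IPS container earlier in this section (VirtualPortGroup0 172.18.0.1 facing container Eth1 172.18.0.2) once the masks are known; a mismatch there shows up as the container being unable to reach its gateway, which is one of the causes behind the signature-update failure shown above.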
Learning Network Manager (screenshots)
• Dashboard – Single Agent View
• Inbox – Top Level view
• Inbox – Facts View
• Inbox – Conversations
• Inbox – Conversations – Host Details
• Inbox – Graph View
• Inbox – Cluster details
• Inbox – Single Conversation
• Inbox – Conversations – Expanded
• Inbox – White List
• Learning Agents – View All
• Agent Expanded View
Stealthwatch Learning Network Expansion
                 | Stealthwatch                                | Stealthwatch Learning Network
Data Source      | Aggregates data from many devices           | Processes data from each router separately
Integration      | ISE (identity & mitigation), AD integration | ISE (identity only) integration
Physical/Virtual | Delivered as Appliance or VM                | ISR 44xx & OVA for LXC or UCS-E
References
ZBFW - Resources
• At-A-Glance
http://www.cisco.com/c/dam/en/us/products/collateral/security/router-security/at-a-glance-c45-735895.pdf
• Data Sheet
http://www.cisco.com/c/en/us/products/collateral/security/router-security/datasheet-c78-736114.html
• Ordering Guide
http://www.cisco.com/c/en/us/products/collateral/security/router-security/guide-c07-736115.html

• At-A-Glance (AAG):
http://www-author.cisco.com/c/dam/en/us/products/collateral/security/router-security/at-a-glance-c45-737403.pdf

Firepower Threat Defense for ISR - Resources
• Firepower Threat Defense for ISR 4K & G2 - IPS inline mode using UCS-E front panel port
https://supportforums.cisco.com/document/13016901/Firepower-threat-defense-isr-ips-using-front-panel-port-ucs-e
• Firepower Threat Defense for ISR 4K & G2 - IPS inline mode using VRF method
https://supportforums.cisco.com/document/13050311/Firepower-threat-defense-isr-4k-g2-ips-inline-mode-using-vrf-method

SLNL - Resources
• Cisco Stealthwatch Learning Network License Configuration Guide
http://www.cisco.com/c/en/us/td/docs/security/sln/configuration/guide/Learning_Network_LicenseConfiguration_Guide.html
• Cisco Stealthwatch Learning Network License UCS E-Series Server Installation
http://www.cisco.com/c/en/us/td/docs/security/sln/installation/guide/Learning_Network_License_UCS_E_Server_Installation_Guide.html
• Cisco Stealthwatch Learning Network License UCS E-Series Server Quick Start Guide
http://www.cisco.com/c/en/us/td/docs/security/sln/quick_start/guide/Learning_Network_License_UCS_E_Server_Quick_Start_Guide.html
• Cisco Stealthwatch Learning Network License Virtual Service Installation Guide
http://www.cisco.com/c/en/us/td/docs/security/sln/installation/guide/Learning_Network_License_Virtual_Service_Installation_Guide.html
• Cisco Stealthwatch Learning Network License Virtual Service Quick Start Guide
http://www.cisco.com/c/en/us/td/docs/security/sln/quick_start/guide/Learning_Network_License_Virtual_Service_Quick_Start_Guide.html

• Router-security@cisco.com
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle @jmckg
• Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
• BRKSEC-2342 Branch Router Security – Thursday (10:30-12:00)
• BRKSEC-2809 Deciphering Malware's Use of TLS (without Decryption) – Thursday (10:30-12:00)
• BRKSEC-2010 Talos Insights: The State of Cyber Security – Thursday (1:00-2:30)
• LABSEC-2006 Cisco Umbrella (OpenDNS) - Walk-In Self-Paced
Q&A
Thank you