
Advanced Firepower IPS Deployment
Gary Halleen, Technical Solutions Architect

BRKSEC-3300
About Your Speaker

Gary Halleen
Email: gary@cisco.com

19+ years at Cisco
Senior Security Architect
Global Security Architect Team

BRKSEC-3300 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Oregon – Pacific Wonderland

Some of my Hobbies

Firepower Diagonal Learning Map (Security Track overview figure)

Sessions shown on the map (ID, time, title; the day is given only where the slide attached one):

TECSEC-2600 (Monday, 8h30): Next Generation Firewall Platforms and Integrations
TECSEC-3004: Troubleshooting Firepower Threat Defense like a TAC Engineer
BRKSEC-2020 (11h00): Deploying FP Tips and Tricks
BRKSEC-2034 (Thursday, 14h45): Cloud Management of Firepower and ASA with Cisco Defense Orchestrator
BRKSEC-2056 (9h45): Threat Centric Network Security
BRKSEC-2140 (9h00): 2 birds with 1 stone: DUO integration with Cisco ISE and Firewall solutions
BRKSEC-2348 (17h00): Deploying AC with FP – posture & MFA
BRKSEC-2494 (8h30): Maximizing Threat Efficacy & Perf
BRKSEC-2663 (16h45): DDoS Mitigation: Introducing Radware Deployment
BRKSEC-3032 (11h30): Firepower NGFW Clustering Deep Dive
BRKSEC-3035 (8h30): Firepower Platforms Deep Dive
BRKSEC-3063 (14h30): Decrypting the Internet with Firepower!
BRKSEC-3093 (14h45): ARM yourself using NGFWv in Azure
BRKSEC-3300 (Thursday, 9h00): Advanced IPS Deployment with Firepower NGFW (this session)
BRKSEC-3328 (11h00): Making Firepower Management Center (FMC) Do More
BRKSEC-3455 (11h15): Dissecting Firepower NGFW: Architecture and Troubleshooting
BRKSEC-3629 (14h45): Designing IPSec VPNs with Firepower Threat Defense integration for Scale and High Availability
PSOSEC-4905 (13h30): The Future of the Firewall
Agenda

• Policy Interaction and Firepower Recommendations
• TLS Inspection
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• Exempting a Host from a Snort Rule
• Bypass Options
• Asymmetric Traffic
About this Session

Platforms covered (figure): Firepower 1000, Firepower 1100, Firepower 2100, Firepower 4100, Firepower 9300, ASA 5508-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, FirePOWER 7000/8000 NGIPS, ISA3000, NGFWv

In BRKSEC-3300, the terms Firepower, Firepower Threat Defense (FTD) and ASA with Firepower Services (ASA+SFR) are treated mostly the same.
Firepower Management Center (FMC)

FMC offers the best management capabilities for an Intrusion Prevention Device, and this session will focus on it.

We will cover 6.2.3 software and greater, through 6.6.

This session does not cover older (EOL) Cisco IPS 7.0.

(Figure: Firepower Management Center. Centralized Management, Multi-domain management, Role-based access control, High availability, APIs and pxGrid integration. Managed functions: Firewall & AVC, NGIPS, AMP, Security Intelligence. Manage across many sites; Control access and set policies; Investigate incidents; Prioritize response.)
In the Appendix
• Using OpenAppID to create new applications, and use them to reduce your attack surface.
• Using Custom Security Intelligence Feeds
FMC Themes

FMC 6.5 introduces an optional light-colored theme.

(Screenshots: 6.4 and earlier; 6.5 and later)
Firepower Deployment Modes

IPS / IDS modes: Inline, Inline Tap, Passive
Firewall modes: Routed, Transparent
Virtual or Physical

Fail-to-wire NetMods: available on 2100, 4100 and 9300, and older FP-7100/8000 series
IPS Events into Cisco Threat Response 6.4

1. FMC or FTD sends IPS events to CTR
2. Query anything: IP address, Domain, File Hash, IOC, or more.
3. See where it is reported by your other security products.
4. Remediate on other device or service, if desired.

See BRKSEC-2433 for more information

Enable Cisco Threat Response
Firepower Policies

How often are Policies Modified?

Frequently: Access Control Policy, Intrusion Policy, SSL Policy, Identity Policy, Prefilter Policy
Little: Malware and File Policy, DNS Policy, Correlation Policy, Health Policy
Rarely: Network Discovery Policy, Network Analysis Policy
Packets and Policies: Know What’s Happening Where

(Figure: packet path through the appliance, shown once for ASA with Firepower Services and once for FTD.)

ASA (“LINA”) path: RX on the Ingress Interface -> Existing Conn check (N: evaluate the Prefilter / L3-L4 Pre-Filter ACL; Y: the connection is already known) -> VPN Decrypt -> ALG Checks -> NAT -> L3, L2 Hops -> QoS -> VPN Encrypt -> Egress Interface -> TX. Fastpathed traffic takes this path only and never reaches the Firepower stages.

Firepower path (Snort, fed through the DAQ): SI (IP) -> SSL -> NAP Pre-processors (and the Intrusion Policy applied before the Access Control rule is determined) -> SI: DNS -> Identity (Passive ID) -> SI: URL -> Discovery (App, Host) -> ACP Rule Chain: L7 ACL -> File/AMP -> IPS.

Policies in the order they act: SSL Policy, Network Analysis Policy (NAP), DNS Policy, Identity Policy, Intrusion Policy, Network Discovery Policy, Access Control Policy (rules), Malware & File Policy, Intrusion Policy.
Prefilter Policy
FTD-Only Feature

The Prefilter policy is the first set of rules that can act on traffic, and controls what traffic is sent for additional inspection.

• Fastpath is the same as an ASA Permit rule. This traffic is accelerated through the appliance without IPS, AMP, L7 firewall rules, or Security Intelligence.
• Block is the same as an ASA Deny rule. This traffic is dropped immediately.
• Analyze sends traffic to Firepower for additional inspection: application firewall rules, IPS, AMP, Security Intelligence, etc.
Intrusion Policy

The Intrusion Policy defines which Snort rules are used in packet inspection.

Intrusion Base Policy

Policy / CVSS Score / Vulnerability Age / Rule Categories:

Connectivity over Security: CVSS 10; current year, plus 2 prior (2020, 2019, and 2018)
Balanced Security and Connectivity: CVSS 9+; current year, plus 2 prior; rule categories: Malware-CNC, Blacklist, SQL Injection, Exploit Kit
Security over Connectivity: CVSS 8+; current year, plus 3 prior (2020, 2019, 2018, and 2017); rule categories: Malware-CNC, Blacklist, SQL Injection, Exploit Kit, App-Detect
Maximum Detection: CVSS 7.5+; 2005 and later; rule categories: Malware-CNC, Exploit Kit
Intrusion Policy

You can manually Enable/Disable individual rules or configure actions.

Intrusion Policy
Several ways to search for rules…

Network Discovery Policy
• Defines which networks Firepower should “learn” from.
• Used for maintaining the Firepower Recommended Rules in the Intrusion Policy.

Intrusion Policy and Network Discovery Policy
Firepower Recommended Rules automatically tune your Snort rules for the applications, servers, and hosts on your network.
Access Control Policy

• Traffic must match in the Access Control Policy in order to be Inspected.

For a simple IPS deployment, you can use the Default Action.

In a NGFW deployment, the Default Action will likely be “Block All Traffic”. An Intrusion Policy needs to be defined for each Allow Action.

If you need, different Allow rules can have different Intrusion Policies assigned.
Things to watch out for: Access Control Policy
Access Control Policy

“nmap nomad” run from Internet. What is wrong here? Any ideas?

Expected nmap results:
Nmap scan report for nomad
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

Actual nmap results:
Nmap scan report for nomad
Host is up (0.20s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
1443/tcp open ies-lm
5060/tcp filtered sip
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt
Access Control Policy

A Monitor rule allows a TCP three-way handshake for all ports to take place, and then passes the traffic to the rest of the ruleset.

Application rules can cause a similar issue.
According to Network Computing, 72% of all internet traffic is SSL encrypted. (November 2018)

Is your IPS still effective?
TLS / SSL Inspection

The percentage of TLS/SSL traffic is increasing dramatically. IDS and IPS deployments need to take this into consideration.
Options to consider:
1. Decryption Offload, passing decrypted traffic to the Sensor
2. Onbox Decryption

Additionally, do you decrypt Inbound, Outbound, or both?
Why Decrypt?

• Needed for most Snort HTTP signatures, and many others also
• Advanced Malware Detection (AMP) file inspection
• Security Intelligence URL Feed matching
• Threat Intelligence Director STIX / TAXII URL indicators
TLS Inspection on Passive Interface: no longer supported

(Figure: Client – TAP – Server; the TAP sees only ciphertext.)

Perfect Forward Secrecy makes passive decryption of flows impractical. Must be inline!
• Not supported in Passive Interface or Inline Tap
TLS / SSL Inspection

Inbound Traffic
• Traffic is decrypted by installing the Servers’ SSL Certificate and Private Key onto the FMC. Action = Decrypt-Known Key
Outbound Traffic
• Traffic is decrypted by installing a wildcard certificate and performing a “man in the middle attack” against your users’ SSL traffic. Action = Decrypt-Resign

In this session, we will focus only on Inbound.

For an in-depth discussion of TLS Inspection, with a focus on Outbound (Decrypt-Resign), see Jeff Fanelli’s BRKSEC-3063 session.
TLS / SSL Decryption with Known Key
Example

You need both the host’s private key and the .crt file.
Go to Objects -> PKI -> Internal Certs to add the certificate information for the host.

Create an SSL Policy to decrypt traffic with this known key for the associated host.

Assign the SSL Policy to your Access Control Policy.

Alert when Certificate Changes
SSL Hardware Decryption

• Firepower 6.2.3 enabled Hardware Decryption on FP-4100/9300 platforms, but it was disabled by default.
  FTD 6.2.3: system support ssl-hw-offload (enable/disable)
• Firepower 6.3 enabled Hardware Decryption by default on Firepower appliances: FP-2100, 4100, and 9300.
  FTD 6.3: system support ssl-hw-force-offload-(enable/disable)
• Firepower 6.4 and greater uses Hardware Decryption on Firepower appliances: FP-1000, 2100, 4100, and 9300.
  FTD 6.4+: hardware decryption cannot be disabled without TAC
Variable Sets

What is a Variable Set, and why do I need it?
Variable Sets

The variable set defines commonly-used IP addresses and ports.

You can either edit the default-set, or you can create a new one.

It is easy to revert any values back to default.

My Recommendation: Default-Set
Variable Sets

Most variables don’t need to be changed.

Consider these as the most important (or maybe controversial):
• HOME_NET
• EXTERNAL_NET

By default, these are both defined as “any”.
Variable Sets: Sample Snort Rule
How are they used?

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 \
(msg:"PROTOCOL-IMAP login brute force attempt"; \
flow:to_server,established,no_stream; \
content:"LOGIN"; fast_pattern:only; \
detection_filter:track by_dst, count 30, seconds 30; \
metadata:ruleset community, service imap; \
reference:url,attack.mitre.org/techniques/T1110; \
classtype:suspicious-login; sid:2273; rev:12;)

Variables provide Directionality, especially in Passive Deployments.

This sample rule is written to watch for attempted IMAP (email) logins from outside your network, to a server inside your network:
• Looking for 30 attempts in 30 seconds

However, this might also be useful to detect events WITHIN your network, especially if your IPS is deployed separating different network segments.

So, how should you define EXTERNAL_NET and HOME_NET?

If you leave them default, the detection will work without regard for direction.
• This MAY be what you want – BUT, it’ll cause your IPS to generate more alerts.
Variable Sets
Thinking about HOME_NET…

If you choose to modify HOME_NET, what should it look like?

If you only include your used IP space, you’ll have to remember to update it as you add more networks.

So, maybe it should be all RFC-1918 addresses, and any Internet-routable IP space.

Oh, and maybe also multicast and automatic private IP addresses (169.254.x.x).

BUT, what am I forgetting?

Do you have IPv6 on your network today, or will you EVER use it?

Maybe you need to add your IPv6 address space, as well.

If you don’t, attacks will often not be detected because Snort will only be looking for IPv4.

Now, what about EXTERNAL_NET? - or - If I’ve modified HOME_NET, what do I do with EXTERNAL_NET?

1. You can leave it as “any”, or
2. You can set it as the opposite of HOME_NET

Which is best?
Variable Sets
My Recommendations

SecOps-managed or Internal IPS
If your staff is interested in Threat Hunting, and is willing to spend time tuning:
1. Leave EXTERNAL_NET as “any”.
2. Make an internal decision on how to configure, or not configure, HOME_NET.

Internet Perimeter Deployment
If your staff wants a simple IPS deployment, with a minimal amount of alerts:
1. Configure HOME_NET to match all RFC-1918 IPv4 addresses, your Internet-routable addresses, and your IPv6 space.
2. Configure EXTERNAL_NET as !HOME_NET.
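The effect of these HOME_NET / EXTERNAL_NET choices can be checked without a sensor. The following is an added example, not code from the deck or from Cisco: it models only the IP part of a rule header such as `$EXTERNAL_NET any -> $HOME_NET 143` against a simplified variable set ("any", a list of CIDRs, or "!NAME" for the negation of another variable), and runs it over three constructed flows. Addresses are documentation ranges standing in for real space; it shows the default set matching internal-to-internal traffic (more alerts), and an IPv4-only HOME_NET missing the IPv6 flow entirely.

```python
"""Added example, not from the BRKSEC-3300 deck: how the HOME_NET / EXTERNAL_NET
choices discussed above change which flows a direction-sensitive rule header can
match.  Models only the IP part of a header such as
    alert tcp $EXTERNAL_NET any -> $HOME_NET 143
Variable values use a simplified form of Snort's syntax ("any", a list of CIDRs,
or "!NAME" for the negation of another variable); all addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Constructed address space for the demo: RFC 1918, one "Internet-routable"
# IPv4 block and one IPv6 block (documentation ranges stand in for real space).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
PUBLIC_V4 = ["203.0.113.0/24"]
IPV6_SPACE = ["2001:db8:1::/48"]

VarValue = Union[str, List[str]]


@dataclass
class VariableSet:
    values: Dict[str, VarValue] = field(default_factory=dict)

    def contains(self, name: str, ip: str) -> bool:
        """Is `ip` inside variable `name`?  Unknown variables behave like "any"."""
        value = self.values.get(name, "any")
        if value == "any":
            return True
        if isinstance(value, str) and value.startswith("!"):
            return not self.contains(value[1:], ip)
        addr = ipaddress.ip_address(ip)
        # ipaddress answers False for an IPv6 address tested against an IPv4 network,
        # which is exactly the "Snort only looks for IPv4" failure the deck warns about.
        return any(addr in ipaddress.ip_network(net) for net in value)


def header_matches(vs: VariableSet, src_var: str, dst_var: str, src_ip: str, dst_ip: str) -> bool:
    """IP portion of `alert <proto> $src_var any -> $dst_var <port>`."""
    return vs.contains(src_var, src_ip) and vs.contains(dst_var, dst_ip)


# The configurations the deck contrasts.
DEFAULT_SET = VariableSet({"HOME_NET": "any", "EXTERNAL_NET": "any"})
PERIMETER_V4_ONLY = VariableSet({"HOME_NET": RFC1918 + PUBLIC_V4, "EXTERNAL_NET": "!HOME_NET"})
PERIMETER_SET = VariableSet({"HOME_NET": RFC1918 + PUBLIC_V4 + IPV6_SPACE, "EXTERNAL_NET": "!HOME_NET"})

# Constructed flows toward IMAP servers (the "$HOME_NET 143" side of the sample rule).
FLOWS: Dict[str, Tuple[str, str]] = {
    "internet_to_internal": ("198.51.100.7", "192.168.10.25"),
    "internal_to_internal": ("192.168.20.4", "192.168.10.25"),
    "internet_to_internal_v6": ("2001:db8:ffff::9", "2001:db8:1::25"),
}


def evaluate(vs: VariableSet) -> Dict[str, bool]:
    """For each constructed flow: would `$EXTERNAL_NET any -> $HOME_NET 143` match?"""
    return {name: header_matches(vs, "EXTERNAL_NET", "HOME_NET", s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, vs in [("default (any/any)", DEFAULT_SET),
                      ("perimeter, IPv4 only", PERIMETER_V4_ONLY),
                      ("perimeter, with IPv6", PERIMETER_SET)]:
        print(label, evaluate(vs))
```

With the default set every flow matches, including the internal-to-internal one; with HOME_NET populated and EXTERNAL_NET set to its negation, the internal flow is excluded, but the IPv6 flow is only caught once the IPv6 space is part of HOME_NET.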
The Network Analysis Policy

What is this? Do I need to do anything here?

The Network Analysis Policy (NAP) controls the Preprocessors, and determines things such as:
o Fragmentation Reassembly
o Protocol Compliance
o Inline Normalization
o SCADA Preprocessors

“What should we tune?”
Network Analysis Policy

(Figure: Security vs. Usability scale)
Network Analysis Policy

By default, there are no tunable NAP policies. You’ll need to create one.

Create Policy:
• Give your policy a name.
• Select Base Policy, as well as whether this is for Inline traffic.
• Create and Edit Policy.

Do these Base Policies look familiar?
Besides the name, these Base Policies have NOTHING in common with the Intrusion Base Policies.

However, default settings are different in each, and matching this to your Intrusion Policy is a good place to start, but not required.
Network Analysis Policy
Enable/Disable Preprocessors

• Some Preprocessors are disabled by default:
  o Portscan Detection
  o Rate-Based Attack Prevention
  o Inline Normalization (enabled only in Security over Connectivity)
  o SCADA (Modbus, DNP3, and SIP)
• Enable these if you need them
Fragmentation
Both IP and TCP can cause a stream of data to break into many parts.
Both IP fragmentation and TCP segmentation may be naturally occurring or performed intentionally to evade IPS.
IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate this evasion technique.

If attack is: USER root
TCP:  [HDR][USER]  [HDR][root]
IP:   [HDR][HDR][US]  [HDR][ER]  [HDR][HDR][ro]  [HDR][ot]
How Bad can Fragmentation Get?

(Figure: IP / TCP / SMB / MSRPC / Payload layers)

Packet capture of a regular attack is ~4k; after layers of evasion, 30MB or more!

Hundreds of thousands of packets
Network Analysis Policy
Inline Normalization

Enable and Tune it? Probably

• Disabled by Default in most base policies.
• Enforces Protocol Compliance for TCP and IP protocols.
• Enabling normalization will block some non-standard implementations and many attacks. However, it might block poorly-written legitimate traffic.
• How Risk-Averse are you?
Network Analysis Policy
Inline Normalization

If Enabled:
• FMC will learn the Operating System and
version automatically, and apply the correct
fragmentation reassembly policy so the IPS
detects attacks in the same order as the
host they’re directed to.
• If unable to determine the OS, it will enforce
the “First” fragmentation reassembly.
• If Adaptive Profile Updates is enabled in the
Access Control Policy, this capability will
extend even to passive deployments.

Detection Enhancement Settings
Enable Profile Updates

These settings are on the Advanced Tab of the Access Control Policy.

Network Analysis Policy
Recommendations

Inline Deployment
1. Enable Inline Normalization
2. Enable Adaptive Profile Updates
3. Verify Network Discovery Policy is correct.

Passive Deployment
1. Enable Adaptive Profile Updates
2. Verify Network Discovery Policy is correct
3. Take a look at TCP Stream settings
4. Take a look at IP Defragmentation settings
Network Analysis Policy
TCP Stream

Tune it? If Passive Deployment, and you did not Enable Profile Updates.
• TCP Stream determines how fragmented TCP traffic is reassembled.
• Different operating systems handle reassembly differently, and it is critical that your IPS understands the hosts.

Network Analysis Policy
IP Defragmentation

Tune it? If Passive Deployment, and you did not Enable Profile Updates.
• Similar reason as TCP Stream.
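Why the reassembly policy has to match the target host is easiest to see with overlapping segments. The following is an added example, not code from the deck or from Cisco: a minimal TCP stream reassembler with two of the overlap policies Snort's TCP stream preprocessor names ("first" keeps the bytes seen first, "last" keeps the bytes seen last), run over constructed segments carrying the deck's "USER root" example. It covers the Fragmentation slide (content split across segments is invisible to per-segment inspection) and the TCP Stream / IP Defragmentation slides (the same segments reassemble to different streams under different policies, and arrival order, not sequence number, decides). No real operating system's behaviour is modelled.

```python
"""Added example, not from the BRKSEC-3300 deck: why TCP segment reassembly has to
follow the target host's behaviour.  A tiny stream reassembler with two of the
overlap policies Snort's TCP stream preprocessor names ("first": keep the bytes
seen first, "last": keep the bytes seen last) is run over constructed segments
carrying the deck's "USER root" example.  Segment data and sequence numbers are
constructed; no real host behaviour is modelled.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    seq: int      # relative TCP sequence number of the first payload byte
    data: bytes   # payload


def per_segment_match(segments: List[Segment], pattern: bytes) -> bool:
    """What an IPS sees if it inspects each segment on its own (no reassembly)."""
    return any(pattern in seg.data for seg in segments)


def reassemble(segments: List[Segment], policy: str = "first") -> bytes:
    """Rebuild the contiguous byte stream from segments in ARRIVAL order.

    policy="first": a byte already placed is never overwritten by a later overlap.
    policy="last":  a later overlapping segment replaces earlier bytes.
    Reassembly stops at the first hole (a byte offset no segment supplied).
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy: {policy}")
    stream: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    if not stream:
        return b""
    out = bytearray()
    for offset in range(min(stream), max(stream) + 1):
        if offset not in stream:
            break
        out.append(stream[offset])
    return bytes(out)


def reassembled_match(segments: List[Segment], pattern: bytes, policy: str = "first") -> bool:
    """What an IPS sees after reassembling with the given overlap policy."""
    return pattern in reassemble(segments, policy)


ATTACK = b"USER root"

# 1) Plain segmentation (the deck's TCP row): the string is split in two.
SPLIT = [Segment(0, b"USER "), Segment(5, b"root")]

# 2) Overlap ambiguity: bytes 5..8 are sent twice with different contents.
#    Which version the target keeps depends on its TCP stack, so an IPS using
#    the wrong policy reconstructs a different stream than the host does.
OVERLAP = [Segment(0, b"USER "), Segment(5, b"rXXX"), Segment(5, b"root")]

if __name__ == "__main__":
    print("per-segment, split      :", per_segment_match(SPLIT, ATTACK))
    print("reassembled, split      :", reassemble(SPLIT))
    for pol in ("first", "last"):
        print(f"reassembled, overlap, policy={pol}:", reassemble(OVERLAP, pol))
```

Inspecting segments one at a time never finds the string; after reassembly the split case is found under either policy, while the overlapping case yields "USER rXXX" under "first" and "USER root" under "last". This is the gap that Adaptive Profile Updates and a correct Network Discovery Policy close by telling the sensor which behaviour each host actually has.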
Access Control Policy – Advanced Settings
Don’t forget to select the Network Analysis Policy from the Access Control Policy -> Advanced.

If you need to use multiple Network Analysis Policies (maybe some networks have Windows servers, and another has Linux, for example), you can create Rules to perform the mapping.
Impact Flags
For an in-depth discussion of Impact Flags, see Will Young’s BRKSEC-3328 session.

Remember, we recommend you utilize the Network Discovery Policy…

This enables Impact Flags for analysis.

Do you know what these mean?
Understanding Impact Flags

Intrusion Event fields: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, CVE, Snort ID
Host Profile fields: IP Address, User IDs, Protocols, Server Side Ports, Client Side Ports, Services, Client / Server Apps, Operating System, IOC: Predefined Impact, Potential Vulnerabilities
(Labels on the host-profile side: [Outside Profile Range], [Host not yet profiled])

Impact Flag / Why:
0: Event occurred outside profiled networks
4: Previously unseen host within monitored network
3: Relevant port not open or protocol not in use
2: Relevant port or protocol in use but no vulnerability mapped
1: Host vulnerable to attack or showing an IOC.

If Impact 4 events start to increase, it is a good indication your FMC is undersized, and the host database is overflowing.
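The table reads most naturally as an ordered set of checks. The following is an added example, not code from the deck or from Cisco: the impact-flag decision written out over constructed host profiles, monitored networks and events, plus the share of impact-4 events that the slide uses as an undersized-FMC signal. Assumptions: the flag is derived for the event's destination (target) host, a more severe condition wins when several apply, and the "CVE-EXAMPLE-…" identifiers are placeholders.

```python
"""Added example, not from the BRKSEC-3300 deck: the impact-flag decision from the
table above, written out as code so the order of the checks is explicit.  Host
profiles, monitored networks and events are constructed, and "CVE-EXAMPLE-..." ids
are placeholders.  Assumption: the flag is derived for the event's destination
(target) host, and a more severe condition wins when several apply.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HostProfile:
    ip: str
    protocols: Set[str] = field(default_factory=set)                  # e.g. {"tcp", "udp"}
    server_ports: Set[Tuple[str, int]] = field(default_factory=set)   # (proto, port) open on the host
    vulnerabilities: Set[str] = field(default_factory=set)            # CVE ids mapped to this host
    ioc: bool = False                                                 # host currently showing an IOC


@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int
    cve: Optional[str] = None   # CVE the triggering Snort rule is associated with, if any


def impact_flag(event: IntrusionEvent, host_db: Dict[str, HostProfile], monitored: List[str]) -> int:
    """Return the impact flag (0-4) following the table: 1 is most severe, 0 is unknown."""
    target = ipaddress.ip_address(event.dst_ip)
    if not any(target in ipaddress.ip_network(net) for net in monitored):
        return 0   # event occurred outside the profiled (Network Discovery) networks
    host = host_db.get(event.dst_ip)
    if host is None:
        return 4   # inside a monitored network, but the host has not been profiled
    proto = event.proto.lower()
    if host.ioc or (event.cve is not None and event.cve in host.vulnerabilities):
        return 1   # host vulnerable to this attack, or already showing an IOC
    if proto not in host.protocols or (proto, event.dst_port) not in host.server_ports:
        return 3   # relevant port not open or protocol not in use on the target
    return 2       # port/protocol in use, but no matching vulnerability mapped


def impact4_share(events: List[IntrusionEvent], host_db: Dict[str, HostProfile], monitored: List[str]) -> float:
    """Fraction of events rated impact 4; a rising value is the deck's undersized-FMC signal."""
    if not events:
        return 0.0
    flags = [impact_flag(e, host_db, monitored) for e in events]
    return flags.count(4) / len(flags)


# Constructed data: one /16 under Network Discovery, two profiled hosts.
MONITORED = ["192.168.0.0/16"]
HOST_DB = {
    "192.168.1.10": HostProfile("192.168.1.10", protocols={"tcp"},
                                server_ports={("tcp", 22), ("tcp", 80)},
                                vulnerabilities={"CVE-EXAMPLE-0001"}),
    "192.168.1.20": HostProfile("192.168.1.20", protocols={"tcp"},
                                server_ports={("tcp", 443)}, ioc=True),
}

if __name__ == "__main__":
    samples = [
        IntrusionEvent("10.9.9.9", "tcp", 80),                          # outside monitored nets -> 0
        IntrusionEvent("192.168.5.5", "tcp", 80),                       # never profiled -> 4
        IntrusionEvent("192.168.1.10", "tcp", 3306),                    # port not open -> 3
        IntrusionEvent("192.168.1.10", "tcp", 80, "CVE-EXAMPLE-9999"),  # open, vuln not mapped -> 2
        IntrusionEvent("192.168.1.10", "tcp", 80, "CVE-EXAMPLE-0001"),  # mapped vulnerability -> 1
        IntrusionEvent("192.168.1.20", "tcp", 443),                     # host showing an IOC -> 1
    ]
    for ev in samples:
        print(ev, "->", impact_flag(ev, HOST_DB, MONITORED))
```

The check order is the point: a target outside the discovered networks can never be rated better than 0 however vulnerable it is, which is why the deck insists on getting the Network Discovery Policy right before trusting the flags.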
Contextual Cross-Launch 6.3

• New to Firepower Management Center (FMC) 6.3
• From any relevant event or dashboard, right-click and launch a query into a different product.
• Several tools already included
• Do you have a favorite tool? Add your own: Analysis -> Advanced -> Contextual Cross-Launch
• Example for Cisco Stealthwatch (screenshot)
• Example for Cisco Tetration (screenshot). Note: The URL will differ according to your Tetration deployment and tenant IDs.

Stealthwatch Cross-Launch Example (screenshot)
Tetration Cross-Launch Example (screenshot)
Snort Rules

Firepower uses Snort Rules for Intrusion Prevention.

Cisco provides regular rule updates. Most customers deploy these automatically.

Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion
Rules -> Create Rule), or can be imported.

Snort Rule Editor

Snort Rules

• Snort Rules are normally created on a single line, with no special characters, and in ASCII or UTF-8 format.
• The Import file can contain many rules as long as they are one rule per line.
• Many of the Emerging Threat rules use deprecated syntax (“threshold” statement). If you are importing ET rules, you’ll need to correct or remove these rules first. Threshold has been repl
aced with detection_filter.
• SHOULD not have a rule SID, but is allowed.

All on ONE Line:

alert tcp [43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,45.43.128.0/18,45.65.188.0/
Snort Rules (continued)

• Sometimes it is much more readable to spread the rule across multiple lines. Do this with
the backslash character - \

Example Rule (from Emerging Threats):

alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
Snort Rules (continued)

• This ET rule has a deprecated keyword – “threshold”, as well as “type limit”, so let’s fix it. The line
  threshold: type limit, track by_src, seconds 3600, count 1; \
  becomes
  detection_filter: track by_src, seconds 3600, count 1; \

alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
detection_filter: track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
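Doing this by hand across a whole ET rule file is error-prone, so the two import requirements the slides set out (one rule per line, no `threshold`) are worth scripting. The following is an added example, not code from the deck, from Cisco or from Emerging Threats: it joins backslash-continued lines into single-line rules (adding no whitespace inside an IP list) and rewrites `threshold: type …, track …, count …, seconds …;` into `detection_filter`. The sample rules are constructed in the shape of the slide's rule. One caveat a practitioner should know: `detection_filter` has no `type`, so the once-per-source-per-hour limiting that `type limit` gave this rule is not preserved by the rewrite; that kind of alert limiting belongs to the intrusion policy's per-rule threshold settings, not to the rule text.

```python
"""Added example, not from the BRKSEC-3300 deck: preparing third-party (e.g. Emerging
Threats) rules for FMC import as the slides describe.  It joins backslash-continued
lines so the file is one rule per line, and rewrites the deprecated
    threshold: type <t>, track <by_src|by_dst>, count <c>, seconds <s>;
option into detection_filter.  The sample rules are constructed, not real ET rules.
"""
import re
from typing import List, Optional, Tuple

THRESHOLD_RE = re.compile(r"\bthreshold\s*:\s*([^;]*);")


def join_continuations(text: str) -> List[str]:
    """Collapse '\\'-continued lines into single-line rules; skip blanks and # comments."""
    rules: List[str] = []
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not current and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            current += line[:-1].rstrip()
            # Inside an IP list "[...]" Snort expects no whitespace, so only add a
            # separating space when every opened bracket has been closed.
            if current.count("[") == current.count("]"):
                current += " "
        else:
            current += line
            rules.append(current.strip())
            current = ""
    if current.strip():
        rules.append(current.strip())
    return rules


def convert_threshold(rule: str) -> Tuple[str, Optional[str]]:
    """Replace a threshold option with detection_filter.

    Returns (rule, dropped_type).  dropped_type is the old `type` value ("limit",
    "threshold" or "both"), or None if the rule had no threshold option.  Note that
    detection_filter has no `type`: it fires once `count` matches are seen within
    `seconds`, so the rate-limiting a `type limit` rule provided is not preserved.
    """
    m = THRESHOLD_RE.search(rule)
    if not m:
        return rule, None
    opts = {}
    for part in m.group(1).split(","):
        key, _, val = part.strip().partition(" ")
        opts[key.strip()] = val.strip()
    replacement = (f"detection_filter: track {opts['track']}, "
                   f"count {opts['count']}, seconds {opts['seconds']};")
    return rule[:m.start()] + replacement + rule[m.end():], opts.get("type")


def prepare_for_import(text: str) -> List[Tuple[str, Optional[str]]]:
    """One-line, threshold-free rules ready for Objects -> Intrusion Rules -> Import."""
    return [convert_threshold(rule) for rule in join_continuations(text)]


# Constructed sample file, shaped like the multi-line ET DROP rule on the slides.
SAMPLE_RULES = r"""
# constructed sample, not a real Emerging Threats rule
alert tcp \
[198.51.100.0/24,203.0.113.0/24,\
192.0.2.0/24] \
any -> $HOME_NET any (msg:"CONSTRUCTED DROP listed traffic inbound"; \
flags:S; threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"CONSTRUCTED IMAP login"; content:"LOGIN"; sid:9000002; rev:1;)
"""

if __name__ == "__main__":
    for rule, dropped in prepare_for_import(SAMPLE_RULES):
        print(rule)
        if dropped:
            print(f"  (threshold type '{dropped}' rewritten as detection_filter)")
```

The converter emits the options in the `track, count, seconds` order that the Snort manual documents for `detection_filter`, and returns the discarded `type` value so a reviewer can decide per rule whether the lost limiting matters.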
Importing Snort Rules

• Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules.
• Click on “Import Rules”
• Click on “Browse” to locate your file, and click “Import”.
• If successful, you will see a screen showing what has been imported.

Enabling Snort Rules
• Remember, all imported rules are Disabled by default. You need to enable these.
Agenda

• Policy Interaction and Firepower Recommendations
• TLS Inspection
• Advanced Tuning Topics
  • IPS Events
  • Importing Snort Rules
  • Exempting a Host from a Snort Rule
  • Bypass Options
  • Asymmetric Traffic

How do you Exempt Specific Servers from a Snort Rule?

Options:
1. Use a different Intrusion Policy for some hosts. (This could have a memory or performance impact if overused.)
2. Use a Trust Rule or Fastpath action.
3. Create a Pass Rule.

How do you Exempt Specific Hosts from a Snort Rule?

Preprocessor Rule or a Text Rule?

Look at the Generator ID (GID) – that’s the number before the colon in the rule’s GID:SID identifier.

In this example, the GID is 1, meaning this is a Standard Text Rule.

GID              Type of Rule         Method to Use            Can Use Pass Rule?
1                Standard Text Rule   Any                      YES
3                Shared Object Rule   Any                      YES
1000 – 2000      Custom Text Rule     Any                      YES
100+ (3 digits)  Preprocessor         Trust Rule or Fastpath   NO

Pass Rule Example

(Diagram: a Network Scanner at 203.0.113.24 on the Campus network, with a Web Server and an SSH Server as its targets.)

Pass Rule

1. Open the firing rule in the Rule Editor (Objects -> Intrusion Rules).
2. Change Action to “pass”.
3. Change the Message (add “PASS RULE – ” to the beginning).
4. Add the IP address or variable name (e.g. $SCANNER_HOSTS) to the source or destination IP.
5. Click “Save as New”.
6. Finally, edit the Intrusion Policy, and change the Rule State for your new Local Rule to “Generate Events”. Save and deploy the Intrusion Policy.

Bypass Options

Software Bypass: Enable traffic, uninspected, when Snort is down or busy.
Fail-to-Wire Interfaces: Bypass traffic upon appliance failure, including loss of power.
Automatic Application Bypass: Restarts Snort processes upon degraded performance.
Intelligent Application Bypass: Application-specific acceleration of defined applications if performance is degraded.
Trust Rules: Accelerate defined traffic but still apply Security Intelligence.
Prefilter Policy: Bypass deep inspection and Security Intelligence based on Port / Protocol / IP Address / Zone.

Software Bypass

Supported Deployment:
• Inline Set, Inline TAP
• ASA with Firepower Services

Fail to Wire Interfaces

Fail-to-Wire interfaces allow for pass-through of traffic in case of appliance failure or loss of power.

Platforms with a Fail-to-wire NetMod:
• FP-9300
• FP-4100
• FP-2100 (requires 6.3 or later)
• FP-7000, 7100, 8100, 8200, and 8300

Supported Deployment:
• Inline Set, Inline TAP

Automatic Application Bypass (AAB)

Detects Snort failures or degraded performance and triggers a restart of the impacted Snort process. First available in FTD in 6.2.2.

Trust Rules

Within the Access Control Policy, defined traffic can be exempted from File and IPS inspection, which accelerates it through the appliance. Basing the rule on Source/Destination Port and IP addresses is most effective.
Security Intelligence feeds and SSL/TLS Decryption are still applied to Trust rules.

On FP-4100/9300 appliances, a Trust rule enables Dynamic Flow Offload on eligible flows, and handles the traffic on the HW NIC. Not supported on Inline, Inline Tap, or Passive interfaces.

PreFilter Policy

PreFilter rules are processed prior to Intrusion Prevention or Access Control Policies. If traffic can be defined by Zone, Network, and Port (similar to an ASA rule), the traffic can be FastPathed. This is similar to a Trust rule, but Security Intelligence is not applied.

On FP-4100/9300 appliances, a Fastpath rule enables Static Flow Offload on eligible flows, and handles the traffic on the HW NIC. Static Flow Offload is not supported on Inline, Inline Tap, or Passive interfaces.

• PreFilter rules require Firepower Threat Defense.

Intelligent Application Bypass (IAB)

Detects degraded performance within an application. If that application is trusted, you can configure it to automatically bypass the inspection, and accelerate the traffic.

Snort Restart and Reload Architecture

Prior to Firepower 6.2.2, making Intrusion Rule or Access Control Rule changes would have caused a Snort Restart, and potentially disrupted network traffic.

Significant improvements in 6.2.3, and especially 6.3, 6.4, and 6.5 software have dramatically reduced the number of things that can cause a Snort Restart.

Why does Snort Restart?

• New version of Snort in policy deploy
• Reallocate memory for pre-processors/Security Intelligence (6.2.x)
• Reload shared objects
• Pre-processor configuration changes (6.2.x)
• Configured to restart instead of reload (“No” means Snort will restart every time a policy changes.)

Why does Snort Restart?

6.2.3 and later warns if any configuration change will interrupt inspection (restart Snort):

When does Snort Restart?

Cisco Fire Linux OS v6.5.0 (build 4)

Cisco Firepower 2110 Threat Defense v6.5.0 (build 115)

> admin@fp2110:~$ sudo egrep "Initializing Snort|Reloading Snort" /ngfw/var/log/messages

Password:

Oct 20 20:43:18 fp2110 SF-IMS[10541]: --== Reloading Snort ==--

Oct 21 22:58:55 fp2110 SF-IMS[10542]: --== Reloading Snort ==--

admin@fp2110:~$

Mitigations

1. Snort Preserve-Connection (6.2.0 / 6.2.3 introduction)
2. Software Bypass
3. Upgrade to Firepower 6.3 or later (6.4.0.4 is currently the recommended software release)

Snort Preserve-Connection

• When Snort goes down, connections with Allow verdict are preserved in LINA
• Snort does NOT do a mid-session pickup on preserved flows on coming up
• Does NOT protect against new flows while Snort is down
• 6.2.0.2/6.2.3 Feature Introduction. Enabled by default in 6.2.3
• Can be enabled/disabled from CLI:
  configure snort preserve-connection enable/disable

Intelligent Application Bypass
What is IAB?

IAB takes action when a Snort instance is Under Duress if conditions are met:
1. Is the flow a candidate for bypass?
2. Is this a bypassable application?

If conditions are satisfied, then Firepower will accelerate the flow.

Configuring Intelligent Application Bypass

Find IAB on the Advanced tab of the Access Control Policy. In 6.2.3, it is on the bottom left of the page. In 6.3 and later, it is on the top right.

• By default, IAB is disabled.
• With 6.2.3, all fields are blank. No default values.
• With 6.3 and later, default values are entered.

Configuring Intelligent Application Bypass

Set the State to On or Test, and set the sample period.

Configuring Intelligent Application Bypass
Inspection Performance Thresholds

“Is a snort process under duress?” (6.3 - 6.6 default values)

These fields are a Logical OR, and refer to the Snort process rather than overall appliance CPU.

Configuring Intelligent Application Bypass
Flow Bypass Thresholds

“Is the flow a candidate for bypass?” (6.3 - 6.6 default values)

Bytes per Flow is “How big is the flow?”

These fields are a Logical OR.

(Screenshot callouts on the default values: 500 MB, 2 Gbps.)

Configuring Intelligent Application Bypass
Flow Bypass Thresholds: Is the flow a candidate to bypass?

Flow Velocity is “Size over time of the flow” (6.3 - 6.6 default values).

Each snort instance can handle approximately 1Gbps, which is 125,000 kbytes/second.

(Screenshot: Flow Velocity field showing 45000.)

I disagree with this default value. 250,000 kbytes/second will never trigger on today’s FTD or ASA hardware. A better starting value for most customers is about 40,000 or 50,000 kbytes/second.

Configuring Intelligent Application Bypass
Define Applications that are Bypassable

May be easier to just allow All Applications.

Monitoring Intelligent Application Bypass

IAB Events appear in Connection Events with reason of “Intelligent App Bypass”.

The Problem with Asymmetric Traffic

Asymmetric traffic flows prevent a security device from seeing the full traffic flow.

For best results, design your network to force symmetry.

(Diagram: Internet, Web Server.)

Clustering

Clustering is supported on FP-4100 and 9300 appliances, as well as several larger ASA appliances.

Clustering enables multiple security appliances to function as a single device, and support asymmetric traffic flows, while also providing N+1 redundancy.

(Diagram: Internet, Web Server.)
Extend PBR Inter-site Cluster to ACI Multi-Pod
Localize Firewall Inspection and Apply Policy Only to Master

(Diagram: Pod1 and Pod2 joined by the Inter-Pod Network. Each Pod has App EPGs and DB EPGs and a Spanned Port-Channel to the firewall cluster (ASA or FTD Image), with FW PBR IP 10.1.0.1 in both Pods.)

ACI fabric tracks local and remote Anycast Service IPs of the firewall cluster units. Fabric always prefers a local firewall IP. If local Anycast Service IP fails, fabric will send to the remote firewall IP.

Firepower Cluster Resiliency
Firewalls Sync the State of Workload Connections

(Diagram: the same topology with FPR4100 cluster units (3 per site); after the Failure in Pod1, the New Master is in Pod2.)

In case of failure of both firewalls in Pod1, fabric forwards traffic for PBR service graph inspection to Pod2 firewalls. Pod1 App to DB connections continue because Firepower cluster syncs connection state.

Thank you
Appendix
NGFW: Crypto Acceleration
TLS Crypto Acceleration Status in FMC

FP1000 & FP2000 TLS Crypto Acceleration:
• FP1000 uses Quick Assist Technology
• FP2100 uses Cavium Hardware Assist
• These platforms will show TLS Crypto Acceleration: DISABLED in FMC.

FP4100 & FP9300 TLS Crypto Acceleration:
• Hardware acceleration permanently enabled by default for “non-instances”
• Multi-Instance instances enabled by default (up to 16).

BRKSEC-3063 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 147
Crypto Acceleration in hardware
Assists with VPN and decryption crypto functions

Datasheet AVC + SSL Throughput

Platform    ASA 5508  ASA 5516  ASA 5525  ASA 5545  ASA 5555  FPR 1010  FPR 1120  FPR 1140  FPR 1150  FPR 2110  FPR 2120  FPR 2130  FPR 2140
Throughput  250 MB    265 MB    270 MB    290 MB    370 MB    150 MB    700 MB    1000 MB   1400 MB   365 MB    475 MB    735 MB    1400 MB

• 5506/08/16/25/45/55: Cavium Octeon (TLS offload not supported)
• FTD 1000 platforms include Intel Quick Assist Technology (QAT) Crypto acceleration onboard with 6 accelerators.
• FTD 2100 platforms perform TLS operations in software.

Crypto Acceleration in hardware
Assists with VPN and decryption crypto functions

Datasheet AVC + SSL Throughput

Platform    4110    4115    4120    4125    4140    4145    4150    9300    9300    9300    9300    9300    9300
Module      SM-12   SM-24S  SM-24   SM-32S  SM-36   SM-44S  SM-44   SM-24   SM-36   SM-40   SM-44   SM-48   SM-56
Throughput  4.5 Gb  6.5 Gb  7.1 Gb  8 Gb    7.3 Gb  10 Gb   7.5 Gb  7.5 Gb  8.5 Gb  10 Gb   10 Gb   11 Gb   12 Gb

• FTD 4100 and 9300 platforms offload TLS operations onto their Nitrox chipset
• 4120/40/50 & 9300 SM24/36/44 - Two Nitrox processors (4110 has only ONE)
• 4115/25/45 + 9300 SM40/48/56 - Two Nitrox processors (4112 has only ONE)

Crypto Key Exchange Acceleration
Client Key Exchange with RSA or Server Key Exchange with Diffie Hellman

(Chart: Latency in micro seconds (Lower is Better!) for Software, Intel QAT, Nitrox 3 and Nitrox 5; axis 0 to 7.)

TLS Hardware Offload Limitations

• When TLS HW offload is enabled, decryption is never done in software
• Some cipher suites are not supported for decrypt (Client-Hello rewrite).
  • “system support ssl-hw-supported-ciphers” from FTD CLI.
• Cluster and failover unit failure will terminate the connection
• Tunneled traffic will be decrypted only in 6.4+
  • Lina is only aware of the tunneling protocol (GRE, IPv6-in-IP, etc.)
  • Snort cannot decrypt tunneled protocols
• Passive interfaces are not supported

Security Intelligence Example
Security Intelligence Custom Feed
An Example

A publicly-exposed SSH Server will be continuously probed for weaknesses, as well as brute-force login attempts.
Let’s use failed login attempts to build our own SI Feed.

(Diagram: Internet to SSH Server. The attacker’s terminal:)
[blkh4t@wd40 ~]$ ncrack zenbango.com:22
Starting Ncrack 0.5 ( http://ncrack.org ) at 2017-01-09 12:42 PST

SSH Server log:
Jan 9 15:42:50 www unix_chkpwd[28658]: password check failed for user (root)
Jan 9 15:42:57 www unix_chkpwd[28680]: password check failed for user (root)
Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from 198.51.100.87
Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from 198.51.100.87
Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don)
Jan 9 15:43:25 www unix_chkpwd[28887]: password check failed for user (rich)
Jan 9 15:43:31 www unix_chkpwd[28922]: password check failed for user (gary)
Jan 9 15:44:33 www unix_chkpwd[29302]: password check failed for user (daemon)
Jan 9 15:44:38 www unix_chkpwd[29341]: password check failed for user (kim)
Jan 9 15:45:44 www unix_chkpwd[29737]: password check failed for user (operator)
Jan 9 15:45:52 www sshd[10694]: Invalid user dan from 198.51.100.87
Jan 9 15:45:54 www unix_chkpwd[29797]: password check failed for user (root)
Jan 9 15:46:02 www unix_chkpwd[29842]: password check failed for user (mail)
Jan 9 15:46:09 www unix_chkpwd[29878]: password check failed for user (nobody)
Jan 9 15:46:31 www unix_chkpwd[30019]: password check failed for user (rich)
Jan 9 15:46:31 www unix_chkpwd[30020]: password check failed for user (don)
Jan 9 15:46:38 www unix_chkpwd[30065]: password check failed for user (gary)

Security Intelligence Custom Feed
An Example

The Goal:
Create your own Security Intelligence Feed to block hosts that attempt to login to your SSH Server and fail authentication multiple times.

(Diagram: Internet, Web Server, SSH Server; the attacker’s traffic is blocked.)

Security Intelligence Custom Feed
Prerequisites

1. The first step is to configure your honeypot with the desired services installed, hardened, and logged.

There are a number of tools available to dynamically block or log connection/authentication attempts. Two that work well are fail2ban and denyhosts.

Security Intelligence Custom Feed
Prepare the Target

2. In this example, we’re using denyhosts to dynamically block SSH attempts after 6 failed login attempts.

/etc/denyhosts.conf file (pertinent sections):

SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 6
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
RESET_ON_SUCCESS = yes

Security Intelligence Custom Feed
Prepare the Target

3. Create a script to parse the blocked IP addresses from denyhosts’ log file.
/etc/hosts.deny file looks like this:
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
# DenyHosts: Tue Jan 31 09:42:58 2017 | ALL: 198.51.100.3
ALL: 198.51.100.3
# DenyHosts: Tue Jan 31 19:50:17 2017 | ALL: 198.51.100.27
ALL: 198.51.100.27
# DenyHosts: Wed Feb 1 16:57:02 2017 | ALL: 203.0.113.230
ALL: 203.0.113.230

The output file should be in a directory accessible to your web server. Consider placing it on a different server.

4. Use your favorite scripting language to parse the addresses. This simple Bash script works:
#!/bin/bash
# Skip the "# DenyHosts: ..." comment lines, keep the address that follows "ALL:",
# and write one address per line where the web server can serve the file.
grep -v '^#' /etc/hosts.deny | awk '{print $2}' > /var/www/html/sshblock.txt

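The Bash one-liner trusts every line of hosts.deny. As an added example (not from the deck and not part of the DenyHosts project), the Python below does the two jobs this section describes in one place: it counts the “Invalid user … from <ip>” lines from the SSH log excerpt shown earlier per source, the way denyhosts decides whom to ban, and it turns hosts.deny into the one-address-per-line file that FMC fetches. It also validates each address and refuses to put your own ranges into the feed, since a single bad entry in a Security Intelligence Blacklist blocks that address on every device the policy is deployed to. The threshold (6, matching DENY_THRESHOLD_INVALID above), the NEVER_BLOCK ranges, the sample log lines and the sample hosts.deny are constructed assumptions.

```python
"""Build a Security Intelligence feed file from SSH brute-force evidence.

Added example, not from the BRKSEC-3300 deck or the DenyHosts project.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List

# Assumed threshold, matching DENY_THRESHOLD_INVALID = 6 in the denyhosts.conf above.
DENY_THRESHOLD_INVALID = 6

# Assumption: ranges that must never land in the block feed. A feed entry for an
# internal range would make Security Intelligence block your own hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]

INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)")
HOSTS_DENY_RE = re.compile(r"^\s*ALL:\s*(\S+)")

# Constructed sample log lines in the format shown on the page.
SAMPLE_SECURE_LOG = """\
Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from 198.51.100.87
Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from 198.51.100.87
Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don)
Jan 9 15:45:52 www sshd[10694]: Invalid user dan from 198.51.100.87
Jan 9 15:46:10 www sshd[10695]: Invalid user test from 198.51.100.87
Jan 9 15:46:20 www sshd[10696]: Invalid user admin from 198.51.100.87
Jan 9 15:46:30 www sshd[10697]: Invalid user guest from 198.51.100.87
Jan 9 15:47:01 www sshd[10698]: Invalid user guest from 192.168.1.50
Jan 9 15:47:02 www sshd[10699]: Invalid user guest from 203.0.113.9
"""

# Constructed sample /etc/hosts.deny in the DenyHosts layout shown on the page,
# with a duplicate, a corrupt entry and an internal address added on purpose.
SAMPLE_HOSTS_DENY = """\
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
ALL: 203.0.113.4
ALL: not-an-address
ALL: 192.168.1.50
"""


def is_blockable(addr: str) -> bool:
    """True for a syntactically valid address outside the NEVER_BLOCK ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in NEVER_BLOCK)


def brute_force_sources(log_lines: Iterable[str],
                        threshold: int = DENY_THRESHOLD_INVALID) -> List[str]:
    """Sources with at least `threshold` invalid-user attempts, most active first."""
    counts = Counter()
    for line in log_lines:
        m = INVALID_USER_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return [ip for ip, n in counts.most_common()
            if n >= threshold and is_blockable(ip)]


def hosts_deny_addresses(lines: Iterable[str]) -> List[str]:
    """Addresses from 'ALL: x.x.x.x' lines; comments and bad entries are skipped."""
    return [m.group(1) for m in map(HOSTS_DENY_RE.match, lines)
            if m and is_blockable(m.group(1))]


def build_feed(*sources: Iterable[str]) -> List[str]:
    """Merge address lists, dropping duplicates while keeping first-seen order.
    The result is what gets written to sshblock.txt, one address per line."""
    seen, feed = set(), []
    for addr in (a for src in sources for a in src):
        if addr not in seen:
            seen.add(addr)
            feed.append(addr)
    return feed


def write_feed(path: str, feed: List[str]) -> None:
    """Write the feed in the format FMC expects: one address per line."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(feed) + "\n")


if __name__ == "__main__":
    attackers = brute_force_sources(SAMPLE_SECURE_LOG.splitlines())
    denied = hosts_deny_addresses(SAMPLE_HOSTS_DENY.splitlines())
    print("\n".join(build_feed(denied, attackers)))
```

Run from cron in place of the Bash script, it reads /var/log/secure and /etc/hosts.deny and calls write_feed on the merged list; the order of the feed does not matter to FMC, but keeping it stable makes diffs between fetches easy to review.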
Security Intelligence Custom Feed
Prepare the Target

5. Generate some SSH traffic, with failed logins, to make sure you are capturing the addresses. Be careful: denyhosts will by default ban your IP address in the hosts.deny file. You will need to know how to clear the blocks.
This is a useful site:
http://www.tecmint.com/block-ssh-server-attacks-brute-force-attacks-using-denyhosts/

6. Make sure to run your script (from Step 4) on a regular basis by running a cron job every few minutes or so.

/var/www/html/sshblock.txt (one IP address per line):
203.0.113.4
192.0.2.120
198.51.100.3
198.51.100.27
203.0.113.230
Security Intelligence Custom Feed
Prepare the Target

7. Verify you can download the file with a web browser. It is a good idea to host the file on a server reachable internally only, rather than one accessible to the outside world.

Security Intelligence Custom Feed
Create the Feed

8. On Firepower Management Center (FMC), navigate to Objects -> Security Intelligence -> Network Lists and Feeds. Click “Add Network Lists and Feeds” in the upper right corner.

9. Select Feed, and populate the URL information and Update Frequency.
In the current software release, updates are limited to no shorter than every 30 minutes.
Click Save.

10. In your Access Policy, click the Security Intelligence tab, and add the new feed to the Blacklist.
(Screenshot: SSH-Blacklist should be placed here.)

11. Verify the blocks are occurring.
Reason for block is SSH-Blacklist.
Blocks are protecting ALL hosts – not just those running Denyhosts.
OpenAppID
Cisco’s Open Source Application Layer Plugin for Snort and Firepower

OpenAppID uses the Lua programming language to identify applications. There are a number of attributes it can look at, including:

• ASCII or Hex patterns and offset
• HTTP User Agent
• HTTP URL
• HTTP Content Type
• SSL Host
• SSL Organization Unit
• SSL Common Name
• SIP Server
• SIP User Agent
• RTMP URL Pattern

OpenAppID

Most internal Firepower Application Detectors are included in the Snort OpenAppID rules, including Lua source code.

OpenAppID within Firepower
Application Detectors

All Application Detectors in Firepower 6.0+ use OpenAppID.

Custom Application Detectors can be created here, as well.

OpenAppID within Firepower
Basic Application Detector

FMC provides a Wizard for creation of Basic detectors. Advanced detectors require you to upload the Lua file.

OpenAppID within Firepower
Advanced Application Detector (For Your Reference)

If you need an Advanced detector, you’ll need to write it yourself, or request one from TAC.

OpenAppID Example with Intrusion Policy
OpenAppID and the Intrusion Policy

A lot of “noise” is created in the Intrusion Logs of any IDS/IPS product by automated scripts searching for vulnerable systems, and trying generic attacks.

(Diagram: Internet to Web Server. The attacker’s terminal:)
[blkh4t@wd40 ~]$ hackerw3bscan –v 198.51.100.33
Ports open: tcp/80, tcp/443
Server: apache 2.4.18
Vulnerabilities found: CVE-2016-4979 SSL Bypass
                       CVE-2016-1546 HTTP2 DOS

OpenAppID and the Intrusion Policy
An Example

These scans or attacks against your IP addresses may or may not be successfully blocked by your IPS devices.
They generate noise in your logs.

Question:
Is there a legitimate reason for Internet users to access your server(s) by IP address instead of FQDN?

OpenAppID and the Intrusion Policy
An Example

The Goal:
Block all web traffic that targets an IP Address rather than the correct hostname. Use the Intrusion Policy to inspect legitimate traffic.

(Diagram: Internet to Web Server; the scan is blocked. The attacker’s terminal:)
[blkh4t@wd40 ~]$ hackerw3bscan –v 198.51.100.33
No web server found!

OpenAppID and the Intrusion Policy
Creating the Custom Detector

1. From the Application Detectors screen, click the button to Create Custom Detector.
2. Click the “Add” button.
3. Complete the required fields to name your custom application.
4. Click OK.
5. Enter the same Name and Description as in the previous step, and select the Application you just created from the pulldown menu.
6. Leave the Detector_Type as Basic.
7. Click OK.
8. Click “Add” to add Detection Patterns. This is where we’ll define what the application “looks like” to Firepower.
9. Select HTTP from the Protocol pulldown menu, and URL as Type.
10. Enter your domain name.
11. Click OK.
12. Repeat the process to add the SSL information.
13. Click OK.
14. Click on “Save”.

Remember: Basic Detectors perform an OR operation on the Detection Patterns. In this example, any HTTP or HTTPS connection destined to *.zenbango.com will trigger the detector.
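Before deploying a policy that blocks everything the detector does not match, it helps to reason through the edge cases of that match. The Python below is an added example, not the deck’s own material and not OpenAppID Lua: it models the decision that the Basic detector (HTTP URL pattern OR SSL host pattern) and the access control rule together make, so that cases such as a Host header with a port, an IPv6 literal in brackets, or a look-alike name ending in zenbango.com can be checked. The pattern set, the suffix-match semantics, and the function names are assumptions of this example.

```python
"""Model of the 'serve only the real hostname' decision built in this section.

Added example, not the deck's own code and not an OpenAppID Lua detector.
"""
import ipaddress
from typing import Optional

# Assumed detection patterns: the domain added as HTTP URL and SSL host in steps 9-13.
# Suffix matching (an assumption) covers zenbango.com and every subdomain.
DETECTOR_PATTERNS = {"zenbango.com"}


def normalise_host(value: str) -> str:
    """Strip an optional port and IPv6 brackets and lower-case the name.

    Works for an HTTP Host header ('www.example.com:8080', '[2001:db8::1]:443')
    or a TLS SNI, which carries a bare name."""
    value = value.strip().lower()
    if value.startswith('['):                 # [2001:db8::1]:443
        value = value[1:value.index(']')]
    elif value.count(':') == 1:               # name:port (not an IPv6 literal)
        value = value.split(':', 1)[0]
    return value.rstrip('.')                  # 'zenbango.com.' -> 'zenbango.com'


def is_ip_literal(host: str) -> bool:
    """True when the client addressed the server by IP rather than by name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_detector(host: str) -> bool:
    """OR over the detection patterns, as a Basic detector evaluates them.

    Suffix matching keeps 'zenbango.com.attacker.example' out: it ends with
    'zenbango.com' as a string but not as a DNS suffix."""
    host = normalise_host(host)
    if not host or is_ip_literal(host):
        return False
    return any(host == p or host.endswith('.' + p) for p in DETECTOR_PATTERNS)


def classify_request(http_host: Optional[str] = None,
                     sni: Optional[str] = None) -> str:
    """Access control outcome for one connection: 'allow+ips' when the traffic is
    recognised as the custom application (and goes on to the Intrusion Policy),
    otherwise 'block', which is what the scan-by-IP traffic receives."""
    candidates = [v for v in (http_host, sni) if v]
    return 'allow+ips' if any(matches_detector(v) for v in candidates) else 'block'


if __name__ == '__main__':
    for case in ('www.zenbango.com', '198.51.100.33', 'zenbango.com.attacker.example'):
        print(f'{case:35} -> {classify_request(http_host=case)}')
```

The two rows that matter operationally are the IP literal (blocked, which is the goal of the section) and the legitimate Host header carrying a port, which must still be allowed or users behind a non-standard port lose access.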
OpenAppID and the Intrusion Policy
Activating the Custom Detector

15. You can find your Application Detector by selecting Custom Type in the Filters.
16. The new Application Detector will not function until it is Activated by clicking on the State slider.

WARNING: When you Activate or Deactivate any Detector, it will trigger your appliances in the current domain or child domain to restart Snort. This will potentially be disruptive to your network traffic.

OpenAppID and the Intrusion Policy
Assigning Custom Detector to Access Control and Intrusion Policy

17. Tie it all together by using an Allow Rule (with Intrusion Policy assigned) for traffic matching the new application. Block all other traffic.

OpenAppID and the Intrusion Policy
Effectiveness…
