Advanced IPS Deployment with Firepower NGFW
Gary Halleen, Technical Solutions Architect
BRKSEC-3300
About Your Speaker
Gary Halleen
Email: gary@cisco.com
BRKSEC-3300 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Oregon – Pacific Wonderland
Some of my Hobbies
Firepower Diagonal Learning Map
Security Track overview (schedule diagram): related Cisco Live sessions from Monday through Friday, including this session, BRKSEC-3300, Advanced IPS Deployment with Firepower NGFW.
Agenda
About this Session
Platforms covered: Firepower 1100, Firepower 2100, Firepower 9300, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, FirePOWER 7000/8000 NGIPS, ISA3000, and NGFWv.
Firepower Management Center (FMC)
We will cover software 6.2.3 and greater, through 6.6.
FMC capabilities: role-based access control, NGIPS, high availability, AMP.
Manage across many sites. Control access and set policies. Investigate incidents. Prioritize response.
In the Appendix
• Using OpenAppID to create new applications, and use them to reduce your
attack surface.
• Using Custom Security Intelligence Feeds
FMC Themes
IPS Events into Cisco Threat Response 6.4
Firepower Policies
• Access Control Policy
• Malware and File Policy
• Network Discovery Policy
• Prefilter Policy
Packets and Policies: Know What’s Happening Where
Prefilter Policy: applied in ASA (“LINA”); fastpathed traffic leaves the pipeline here and skips Firepower inspection.
Firepower: SSL Policy, Network Analysis Policy (NAP), DNS Policy, Identity Policy, Intrusion Policy, Network Discovery Policy, Access Control Policy, Malware & File Policy, Intrusion Policy.
Packet path in detail (FTD):
ASA (“LINA”): RX -> Ingress Interface -> Existing Conn? -> Prefilter L3/L4 (Pre-Filter ACL; Fastpathed traffic exits here) -> ALG Checks -> NAT -> L3, L2 Hops -> Egress Interface -> TX
Firepower (reached through the DAQ): SSL Policy -> Network Analysis Policy (NAP) -> DNS Policy -> Identity Policy -> Intrusion Policy -> Network Discovery Policy -> Access Control Policy Rules -> Malware & File Policy -> Intrusion Policy
Prefilter Policy
FTD-Only Feature
Intrusion Policy
The Intrusion Policy defines which Snort rules are used in packet inspection.
Intrusion Base Policy
Intrusion Policy
Several ways to search for rules…
Network Discovery Policy
• Defines which networks Firepower should “learn” from.
• Used for maintaining the Firepower Recommended Rules in the Intrusion Policy.
Intrusion Policy and Network Discovery Policy
Firepower Recommended Rules automatically tune your Snort rules for the applications, servers, and hosts on your network.
Access Control Policy
Things to watch out for
Access Control Policy
Access Control Policy
“nmap nomad” run from Internet. What is wrong here? Any ideas?
Expected nmap results:
Nmap scan report for nomad
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Actual nmap results:
Nmap scan report for nomad
Host is up (0.20s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
1443/tcp open ies-lm
5060/tcp filtered sip
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt
According to Network Computing, 72% of all internet traffic is SSL encrypted. (November 2018)
Why Decrypt?
TLS Inspection on Passive Interface no longer supported
TLS / SSL Inspection
Inbound Traffic
• Traffic is decrypted by installing the Servers’ SSL Certificate
and Private Key onto the FMC. Action = Decrypt-Known Key
Outbound Traffic
• Traffic is decrypted by installing a wildcard certificate and
performing a “man in the middle attack” against your users’
SSL traffic. Action = Decrypt-Resign
TLS / SSL Decryption with Known Key
Example
Create an SSL Policy to decrypt traffic with this known key for the associated host.
Alert when Certificate Changes
SSL Hardware Decryption
• Firepower 6.2.3 enabled Hardware Decryption on FP-4100/9300 platforms, but it was disabled by default.
FTD 6.2.3: system support ssl-hw-offload (enable/disable)
• Firepower 6.4 and greater uses Hardware Decryption on Firepower appliances: FP-1000, 2100, 4100, and 9300.
FTD 6.4+: hardware decryption cannot be disabled without TAC
Variable Sets
My Recommendation: Default-Set
• HOME_NET
• EXTERNAL_NET
Variable Sets: Sample Snort Rule
How are they used?
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 \
(msg:"PROTOCOL-IMAP login brute force attempt"; \
flow:to_server,established,no_stream; \
content:"LOGIN"; fast_pattern:only; \
detection_filter:track by_dst, count 30, seconds 30; \
metadata:ruleset community, service imap; \
reference:url,attack.mitre.org/techniques/T1110; \
classtype:suspicious-login; sid:2273; rev:12;)
This sample rule is written to watch for attempted IMAP (email) logins from outside your network, to a server inside your network:
• Looking for 30 attempts in 30 seconds
However, this might also be useful to detect events WITHIN your network, especially if your IPS is deployed separating different network segments.
Variable Sets
Thinking about HOME_NET…
If HOME_NET does not include your IPv6 address space, attacks will often not be detected because Snort will only be looking for IPv4.
Variable Sets
Now, what about EXTERNAL_NET? Which is best?
My Recommendations
The Network Analysis Policy
What is this? Do I need to do anything here?
Network Analysis Policy
The Network Analysis Policy (NAP) controls the Preprocessors, and determines things such as:
o Fragmentation Reassembly
o Protocol Compliance
o Inline Normalization
o SCADA Preprocessors
Network Analysis Policy
Create Policy
Do these Base Policies look familiar? Besides the name, these Base Policies have NOTHING in common with the Intrusion Base Policies.
Enable/Disable Preprocessors
Fragmentation
Both IP and TCP can cause a stream of data to break into many parts.
Both IP fragmentation and TCP segmentation may be naturally occurring or performed intentionally to evade IPS.
IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate this evasion technique.
How Bad can Fragmentation Get?
Network Analysis Policy
Inline Normalization
If Enabled:
• FMC will learn the Operating System and version automatically, and apply the correct fragmentation reassembly policy so the IPS detects attacks in the same order as the host they’re directed to.
• If unable to determine the OS, it will enforce the “First” fragmentation reassembly.
• If Adaptive Profile Updates is enabled in the Access Control Policy, this capability will extend even to passive deployments.
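Why the reassembly policy has to match the target, as an added illustration that is not Firepower or Snort code: the model below reassembles the same overlapping fragments under a “first” policy and a “last” policy, picks the policy from a host profile table (falling back to “First” for unprofiled hosts, as the slide describes), and reports whether rule content is present in the bytes the destination host will actually process. The fragment contents, host addresses and profile-to-policy mapping are constructed for the example.

```python
# Model of IP fragment reassembly under two overlap policies. Constructed
# example; real stacks use more elaborate variants (BSD, Linux, Windows,
# Solaris...), which the NAP's target-based policies approximate. Only
# "first" and "last" are modelled here.

def reassemble(fragments, policy):
    """Rebuild a datagram from (offset, payload) fragments in arrival order.

    policy "first": the fragment that arrived first owns an overlapping byte.
    policy "last":  the most recently arrived fragment overwrites it.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown reassembly policy: {policy}")
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    length = max(buf) + 1
    if len(buf) != length:               # a hole: the datagram is incomplete
        raise ValueError("gap in fragment coverage")
    return bytes(buf[i] for i in range(length))


def policy_for(dst_ip, host_profiles):
    """Target-based choice: the profiled host's policy, else the "First"
    fallback the slide describes for hosts whose OS is unknown."""
    return host_profiles.get(dst_ip, "first")


def inspect(fragments, dst_ip, host_profiles, rule_content):
    """Reassemble the way the destination host would and report whether the
    rule content is present in what that host will actually process."""
    policy = policy_for(dst_ip, host_profiles)
    return policy, rule_content in reassemble(fragments, policy)


# Constructed overlapping fragments: the second one covers bytes 5..9 again.
FRAGS = [(0, b"GET /index.html HTTP/1.0\r\n"), (5, b"admin")]

# Constructed host profiles, standing in for what Network Discovery learns.
HOST_PROFILES = {"10.1.1.10": "last", "10.1.1.20": "first"}

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(FRAGS, policy))
    for host in ("10.1.1.10", "10.1.1.20", "10.1.1.99"):
        print(host, inspect(FRAGS, host, HOST_PROFILES, b"/admin"))
```

An IPS that inspects the 10.1.1.10 stream under the default “first” policy sees /index.html while the host sees /admin.html, which is exactly the mismatch target-based reassembly removes.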
Detection Enhancement Settings
Enable Profile Updates
These settings are on the Advanced Tab of the Access Control Policy.
Network Analysis Policy
Recommendations
TCP Stream
IP Defragmentation
Access Control Policy – Advanced Settings
Don’t forget to select the Network Analysis Policy from the Access Control Policy -> Advanced
Impact Flags
For an in-depth discussion of Impact Flags, see Will Young’s BRKSEC-3328 session.
Understanding Impact Flags
Intrusion Events carry: Source / Destination IP, User IDs, CVE, Snort ID.
The Host Profile carries: Client / Server Apps, Operating System, IOC: Predefined Impact, Potential Vulnerabilities.
Impact Flag 0: Event occurred outside profiled networks [Outside Profile Range].
Impact Flag 4: Previously unseen host within monitored network [Host not yet profiled].
Impact Flag 1: Host vulnerable to attack or showing an IOC.
Contextual Cross-Launch 6.3
Several tools already included.
• Do you have a favorite tool?
• Add your own: Analysis -> Advanced -> Contextual Cross-Launch
Stealthwatch Cross-Launch Example
Tetration Cross-Launch Example
Snort Rules
Cisco provides regular rule updates. Most customers deploy these automatically.
Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion Rules -> Create Rule), or can be imported.
Snort Rule Editor
Snort Rules (continued)
• Sometimes it is much more readable to spread the rule across multiple lines. Do this with the backslash character - \
Snort Rules (continued)
• This ET rule has a deprecated keyword – “threshold”, as well as “type limit”, so let’s fix it: replace
threshold: type limit, track by_src, seconds 3600, count 1; \
with
detection_filter: track by_src, seconds 3600, count 1; \
Note that detection_filter is a rate that must be exceeded before the rule can alert (more than count matches within seconds), whereas threshold type limit capped how many alerts were raised in the interval, so check that the count you carry over gives the behaviour you want.
The rule with that change applied:
alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
detection_filter: track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
Importing Snort Rules
• Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules.
• Click on “Import Rules”.
• Click on “Browse” to locate your file, and click “Import”.
• If successful, you will see a screen showing what has been imported.
Enabling Snort Rules
• Remember, all imported rules are Disabled by default. You need to enable these.
How do you Exempt Specific Servers from a Snort Rule?
Options:
1. Use a different Intrusion Policy for some hosts.
(This could have memory or performance impact if overused.)
Pass Rule Example
(Diagram: a Network Scanner at 203.0.113.24 scanning the Campus Web Server and SSH Server.)
Pass Rule
Open the firing rule in the Rule Editor (Objects -> Intrusion Rules).
Finally, edit the Intrusion Policy, and change the Rule State for your new Local Rule to “Generate Events”. Save and Deploy the Intrusion Policy.
Bypass Options
Software Bypass: allows traffic through, uninspected, when Snort is down or busy.
Software Bypass
Supported Deployment:
• Inline Set, Inline TAP
• ASA with Firepower Services
Fail to Wire Interfaces
Supported Deployment:
• Inline Set, Inline TAP
Automatic Application Bypass (AAB)
Trust Rules
Within the Access Control Policy, defined traffic can be exempted from File and IPS inspection, which accelerates it through the appliance. Basing the rule on Source/Destination Port and IP addresses is most effective.
Security Intelligence feeds and SSL/TLS Decryption are still applied to Trust rules.
PreFilter Policy
PreFilter rules are processed prior to Intrusion Prevention or Access Control Policies. If traffic can be defined by Zone, Network, and Port (similar to an ASA rule), the traffic can be FastPathed. This is similar to a Trust rule, but Security Intelligence is not applied.
Intelligent Application Bypass (IAB)
Detects degraded performance within an application. If that application is trusted, you can configure it to automatically bypass the inspection, and accelerate the traffic.
Snort Restart and Reload Architecture
Why does Snort Restart?
6.2.3 and later warns if any configuration change will interrupt inspection (restart Snort):
When does Snort Restart?
Mitigations
1. Snort Preserve-Connection (6.2.0 / 6.2.3 introduction)
2. Software Bypass
Snort Preserve-Connection
• When Snort goes down, connections with Allow verdict are preserved in LINA
• Snort does NOT do a mid-session pickup on preserved flows on coming up
• Does NOT protect against new flows while Snort is down
• 6.2.0.2/6.2.3 Feature Introduction. Enabled by default in 6.2.3
• Can be enabled/disabled from CLI:
configure snort preserve-connection enable/disable
Intelligent Application Bypass
What is IAB?
IAB takes action when a Snort instance is under duress, if both conditions are met:
1. Is the flow a candidate for bypass?
2. Is this a bypassable application?
Configuring Intelligent Application Bypass
Find IAB on the Advanced tab of the Access Control Policy. In 6.2.3, it is on the bottom left of the page. In 6.3 and later, it is on the top right.
Inspection Performance Thresholds
Flow Bypass Thresholds
I disagree with this default value. 250,000 kbytes/second will never trigger on today’s FTD or ASA hardware. A better starting value for most customers is about 40,000 or 50,000 kbytes/second.
Define Applications that are Bypassable
Monitoring Intelligent Application Bypass
IAB Events appear in Connection Events with reason of “Intelligent App Bypass”.
The Problem with Asymmetric Traffic
Clustering
Clustering is supported on FP-4100 and 9300 appliances, as well as several larger ASA appliances.
Extend PBR Inter-site Cluster to ACI Multi-Pod
Localize Firewall Inspection and Apply Policy Only to Master
(Diagram: Pod1 and Pod2 joined by the Inter-Pod Network, each with DB EPGs and a Spanned Port-Channel to an ASA or FTD image; FW PBR IP 10.1.0.1 in both pods.)
ACI fabric tracks local and remote Anycast Service IPs of the firewall cluster units. The fabric always prefers a local firewall IP. If the local Anycast Service IP fails, the fabric will send to the remote firewall IP.
Firepower Cluster Resiliency
Firewalls Sync the State of Workload Connections
In case of failure of both firewalls in Pod1, the fabric forwards traffic for PBR service graph inspection to Pod2 firewalls. Pod1 App to DB connections continue because the Firepower cluster syncs connection state.
Thank you
Appendix
NGFW: Crypto Acceleration
TLS Crypto Acceleration Status in FMC
FP1000 & FP2000 TLS Crypto Acceleration:
• FP1000 uses Quick Assist Technology
• FP2100 uses Cavium Hardware Assist
• These platforms will show TLS Crypto Acceleration: DISABLED in FMC.
FP4100 & FP9300 TLS Crypto Acceleration:
• Hardware acceleration permanently enabled by default for “non-instances”
• Multi-Instance instances enabled by default (up to 16).
BRKSEC-3063 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 147
Crypto Acceleration in hardware
Assists with VPN and decryption crypto functions
• FTD 4100 and 9300 platforms offload TLS operations onto their Nitrox chipset
• 4120/40/50 & 9300 SM24/36/44 - Two Nitrox processors (4110 has only ONE)
• 4115/25/45 + 9300 SM40/48/56 - Two Nitrox processors (4112 has only ONE)
Crypto Key Exchange Acceleration
Client Key Exchange with RSA or Server Key Exchange with Diffie Hellman
(Chart: relative key-exchange performance of Software, Intel QAT, Nitrox 3 and Nitrox 5.)
TLS Hardware Offload Limitations
Security Intelligence Example
Security Intelligence Custom Feed
An Example
The Goal:
Create your own Security Intelligence Feed to block hosts that attempt to login to your SSH Server and fail authentication multiple times.
(Diagram: Internet, SSH Server and Web Server; the X marks the blocked host.)
Security Intelligence Custom Feed
Prerequisites
1. The first step is to configure your honeypot with the desired services installed, hardened, and logged.
Security Intelligence Custom Feed
Prepare the Target
3. Create a script to parse the blocked IP addresses from DenyHosts’ log file.
/etc/hosts.deny file looks like this:
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
# DenyHosts: Tue Jan 31 09:42:58 2017 | ALL: 198.51.100.3
ALL: 198.51.100.3
# DenyHosts: Tue Jan 31 19:50:17 2017 | ALL: 198.51.100.27
ALL: 198.51.100.27
The output file should be in a
Security Intelligence Custom Feed
Prepare the Target
5. Generate some SSH traffic, with failed logins, to make sure you are capturing
the addresses. Be careful. denyhosts will by default ban your IP address in
the hosts.deny file. You will need to know how to clear the blocks.
This is a useful site:
http://www.tecmint.com/block-ssh-server-attacks-brute-force-attacks-using-denyhosts/
6. Make sure to run your script (from Step 4) on a regular basis by running a
cron job every few minutes or so.
/var/www/html/sshblock.txt
203.0.113.4
192.0.2.120
One IP Address 198.51.100.3
per line. 198.51.100.27
203.0.113.230
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 158
Security Intelligence Custom Feed
Prepare the Target
7. Verify you can download the file with a web browser. It is a good idea to
host the file on a server reachable internally only, rather than one accessible
to the outside world.
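Steps 3 to 6 describe the feed-building script without showing one. The following is an added example, not code from the deck: it turns DenyHosts rules in the hosts.deny format shown above into the one-address-per-line feed file, dropping duplicates, malformed entries and an assumed admin host (the EXCLUDE entry) so that the address you ran the step 5 test logins from never lands in the blacklist; the file paths and the SAMPLE input are assumptions as well.

```python
# Added example, not from the deck: parse DenyHosts rules out of /etc/hosts.deny
# into the one-address-per-line feed file of steps 3-6. Paths, EXCLUDE and SAMPLE are assumed.
import ipaddress
import os
import re
import sys

# DenyHosts writes a comment line, then the rule line "ALL: <address>". Only the rule
# line is parsed; comments and other TCP Wrappers rules (e.g. "sshd: ...") are skipped.
RULE_RE = re.compile(r"^\s*ALL\s*:\s*(\S+)\s*$")
# Admin host used for the step 5 test logins (DenyHosts bans it as well). Assumed value.
EXCLUDE = [ipaddress.ip_network("192.0.2.250/32")]

def parse_hosts_deny(text, exclude=EXCLUDE):
    """Return unique, valid IP addresses from DenyHosts rules, in first-seen order."""
    feed = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostnames or garbage never reach the feed
        if ip.is_loopback or any(ip in net for net in exclude):
            continue  # never blacklist ourselves
        feed.append(str(ip))
    return list(dict.fromkeys(feed))  # drop duplicates, keep order

def write_feed(addresses, path):
    """Write the feed atomically so the FMC never downloads a half-written file."""
    with open(path + ".tmp", "w") as f:
        f.write("".join(a + "\n" for a in addresses))
    os.replace(path + ".tmp", path)
    return len(addresses)

# Constructed sample in the slide's format: a duplicate, an unrelated rule, the excluded admin host and a bogus entry.
SAMPLE = """# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
ALL: 192.0.2.120
sshd: 10.0.0.0/8
ALL: 203.0.113.4
ALL: 192.0.2.250
ALL: not-an-address
"""

if __name__ == "__main__":  # cron: sshblock.py /etc/hosts.deny /var/www/html/sshblock.txt
    src, dst = sys.argv[1:3] if len(sys.argv) > 2 else ("/etc/hosts.deny", "/var/www/html/sshblock.txt")
    with open(src) as f:
        print("wrote", write_feed(parse_hosts_deny(f.read()), dst), "addresses to", dst)
```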
Security Intelligence Custom Feed
Create the Feed
9. Select Feed, and populate the URL information and Update Frequency.
10. In your Access Policy, click the Security Intelligence tab, and add the new
feed to the Blacklist.
OpenAppID
OpenAppID uses the Lua programming language to identify applications. There are a
number of attributes it can look at, including:
Most internal Firepower Application Detectors are included in the Snort OpenAppID rules,
including Lua source code.
OpenAppID within Firepower
Application Detectors
Basic Application Detector
Advanced Application Detector (For Your Reference)
OpenAppID Example
with Intrusion Policy
OpenAppID and the Intrusion Policy
A lot of “noise” is created in the Intrusion Logs of any IDS/IPS product by automated
scripts searching for vulnerable systems, and trying generic attacks.
[Diagram: Internet to Web Server]
OpenAppID and the Intrusion Policy
An Example
These scans or attacks against your IP addresses may or may not be successfully
blocked by your IPS devices.
They generate noise in your logs.
Question: Is there a legitimate reason for Internet users to access your server(s) by IP
address instead of FQDN?
OpenAppID and the Intrusion Policy
An Example
The Goal:
Block all web traffic that targets an IP Address rather than correct hostname. Use
Intrusion Policy to inspect legitimate traffic.
[Diagram: Internet to Web Server, with the blocked traffic marked X]
OpenAppID and the Intrusion Policy
Creating the Custom Detector
3. Complete the required fields to name your custom application.
4. Click OK.
14. Click on "Save".
15. You can find your Application Detector by selecting Custom Type in the Filters.
16. The new Application Detector will not function until it is Activated by
clicking on the State slider.
WARNING: When you Activate or Deactivate any Detector, it will trigger your appliances
in the current domain or child domain to restart Snort. This will potentially
be disruptive to your network traffic.
OpenAppID and the Intrusion Policy
Assigning Custom Detector to Access Control and Intrusion Policy