Transformation - a closer look at ASA and Firepower
Ciara Campbell - Bart Van Hoecke - Dragan Novakovic - Gyorgy Acs - Stefan Duernberger
TECSEC-2600
Picture Puzzle: (picture) + Berlin Ale = Berlinale (the film festival)
TECSEC-2600 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Ciara Campbell | Ireland
Housekeeping (cont.)
• Please note the handout material has many more slides than presented
• Various slides are marked "For Your Reference" for your own rehearsal and will not be covered in detail
• Breaks for coffee and lunch:
• 11.00 – 11.15
• 13.15 – 14.15
• 16.15 – 16.30
Session Objectives
• This is an intermediate level technical seminar
• At the end of this session, participants should have:
• Understanding of the in-depth hardware and software capabilities
• Knowledge of Cisco's NextGen Security
• Cross-Architectural integration
• We want this class to be informal, with open discussion
• Be collaborative, curious and ask questions
• Enjoy your time
Related sessions
• Protecting the Network with Firepower NGFW LTRSEC-2101
• NGFW Clustering Deep Dive BRKSEC-3032
• A Deep Dive into using the Firepower Manager BRKSEC-2058
• Firepower Platform Deep Dive BRKSEC-3035
• ASA Firepower NGFW typical deployment scenarios BRKSEC-2050
• Dissecting Firepower-NGFW(FTD) & Firepower-Services: Design & Troubleshooting BRKSEC-3455
Hardware | Software Overview
Security Software Convergence
• Two Appliances – Two Management Consoles
• One Appliance, Two Images – Two Management Consoles
• One Appliance, One Image – One Management Console
(figure: ASA and FirePOWER converging)
Hardware Platforms (figure labels): Firepower 9300; Firepower 4110/20/40/50; ASA 5516-X
Software Support by Platform
(figure: software options per platform – Firepower Services on ASA, Firepower Threat Defense, Firepower NGIPS, ASA Firewall)
Throughput by platform (six platforms, left to right as on the slide; the model names are only in the slide graphic):
Firewall Throughput (ASA)              750 Mbps   1 Gbps     1.8 Gbps   2 Gbps      3 Gbps      4 Gbps
Throughput: FW + AVC (FTD)¹            250 Mbps   450 Mbps   850 Mbps   1100 Mbps   1500 Mbps   1750 Mbps
Throughput: FW + AVC + NGIPS (FTD)¹    125 Mbps   250 Mbps   450 Mbps   650 Mbps    1000 Mbps   1250 Mbps
For Your Reference
Throughput by platform (eight platforms, left to right as on the slide; the model names are only in the slide graphic):
Firewall Throughput (ASA)              35 Gbps   60 Gbps   70 Gbps   75 Gbps   75 Gbps   80 Gbps   80 Gbps   234 Gbps
Throughput: FW + AVC (FTD)¹            12 Gbps   20 Gbps   25 Gbps   30 Gbps   30 Gbps   42 Gbps   54 Gbps   135 Gbps
Throughput: FW + AVC + NGIPS (FTD)¹    10 Gbps   15 Gbps   20 Gbps   24 Gbps   24 Gbps   34 Gbps   53 Gbps   133 Gbps
Firepower Management Center
Firepower Management Center (FMC)
• Defense Center -> FireSIGHT Management -> Firepower Management Center
• Physical and Virtual Appliances
• Physical FMC Models:
• DC750
• FS2000
• FS4000
• Models are based on the UCS C220 M3 series except for the DC750
For Your Reference
Firepower 9300 (3RU)
Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco (ASA, FTD) and third-party (Radware DDoS) applications
• Standalone or clustered within and across chassis
Supervisor Module (figure labels): RJ-45 Console; 1GE Management (SFP); Built-in 10GE Data (SFP+); Optional Network Modules (NM) slots 1 and 2
Supervisor Simplified Hardware Diagram (figure labels): System Bus; RAM; Security Module 1, Security Module 2, Security Module 3; On-board 8x10GE interfaces; NM Slot 1; NM Slot 2
Standard Network Modules
• All interfaces are called "Ethernet" (e.g. Ethernet 1/1)
• All standard network modules require fiber or copper transceivers
Hardware Bypass Fail-to-Wire Network Modules
• Fixed interfaces, no removable SFP support
• NGIPS inline interfaces for standalone FTD 6.1 only
• Sub-second reaction time to application, software, or hardware failure
Three module types (figure columns):
• 1GE copper: Firepower 4100 only; single width
• 1GE fiber SX, 10GE SR or LR: Firepower 4100 and 9300; single width
• 40GE SR4: Firepower 4100 and 9300; single width; no 10GE breakout support
Firepower 9300 Security Modules
• Same modules must be installed across entire chassis or cluster
• SM-44: 88 x86 CPU cores (10-15% higher performance than SM-36)
• SM-36: 72 x86 CPU cores
• SM-24: 48 x86 CPU cores
Security Module Simplified Diagram (figure labels): System Bus; RAM 256GB; x86 CPU 1 and x86 CPU 2 (SM-24: 24 cores each; SM-36: 36 cores each; SM-44: 44 cores each); Ethernet 2x100Gbps; 2x40Gbps Backplane Supervisor Connection
Firepower 9300 Software
• Supervisor and security modules use multiple independent images
• All images are digitally signed and validated through Secure Boot
• Security application images are in Cisco Secure Package (CSP) format
Logical Packet Flow (figure labels): Supervisor; Data Outside – PortChannel2; Data Inside – PortChannel1; Ethernet1/7 (Management)
Firewall Clustering (see also BRKSEC-3032, NGFW Clustering Deep Dive)
(figure: clustered firewall)
FTD Inter-chassis vs Intra-chassis clustering
FTD Inter-Chassis Cluster (with FTD 6.2)
• Cluster of up to 6 modules (in 2 chassis)
• Off-chassis flow backup for complete redundancy
(figure: Switch 1 and Switch 2 as a Nexus vPC pair; two chassis, each with a Supervisor and two FTD modules, forming one FTD Cluster)
Firepower 4100
Firepower 4100 Overview (1RU)
Built-in Supervisor and Security Module
• Same hardware and software architecture as 9300
• Fixed configurations (4110, 4120, 4140, 4150)
Solid State Drives
• Independent operation (no RAID)
• Slot 1 today provides limited AMP storage
• Slot 2 provides optional AMP storage
Firepower 4100 Logical Diagram (figure labels: System Bus; RAM; x86 CPU 1; x86 CPU 2; Ethernet; Smart NIC and Crypto Accelerator; On-board 8x10GE interfaces; NM Slot 1; NM Slot 2)
Model   RAM     x86 CPU 1   x86 CPU 2   Ethernet     Smart NIC and Crypto Accelerator
4110    64Gb    12 cores    N/A         1x100Gbps    1x40Gbps
4120    128Gb   12 cores    12 cores    2x100Gbps    2x40Gbps
4140    256Gb   36 cores    36 cores    2x100Gbps    2x40Gbps
4150    256Gb   44 cores    44 cores    2x100Gbps    2x40Gbps
Firepower 4110 - HW Components (figure labels): SSD; Security Engine; Supervisor Module; SSD
Firepower 4120, 4140 and 4150 - HW Components (figure labels): SSD; Security Engine; Supervisor Module; SSD
For Your Reference
• 10 and 40G Port Modules are the same for both FP 9300 and FP 4100 Series
• DC Power Supply optional
• NEBS Certification completion for FP 4120 and FP 4140
Firepower 4100 Software
• FXOS provides the interface for device management and provisioning of the security application on the security engine
(figure: Primary application from Cisco (Native); Decorator application from third-party (KVM))
ASA Appliances
ASA 5500-X Appliances
On-Board
• 6 GE copper (5512-5525-X)
• 8 GE copper (5545-5555-X)
• Dual Power Supplies (5545-5555-X)
Solid State Drives
• One Hard Disk Drive (5512-5525-X)
• Redundant Hard Disk Drives (5545-5555-X)
Models: ASA5512-X, ASA5515-X, ASA5525-X, ASA5545-X, ASA5555-X
Expansion Slot
• 6 GE copper or 6 GE Small Form-Factor Pluggable (SFP)
ASA 5500-X Appliances
(figure labels, 2RU chassis): Management0/0 1GE; CPU; System Bus; RAM; External Interfaces 6x1GE (6x1Gbps); On-board Interfaces 6x1GE* or 8x1GE** (6x1Gbps* or 8x1Gbps**)
ASA 5585-X Extended Performance Models
• S10F40 - ASA5585-S10F40-K9
• S20F60 - ASA5585-S20F60-K9
(figure: ASA 5585-S10F40; ASA 5585-S20F60)
ASA 5585-X Appliances
(figure labels): CPU Complex – SSP-10: 1 CPU, 4 cores; SSP-20: 1 CPU, 8 cores; SSP-40: 2 CPU, 16 cores; SSP-60: 2 CPU, 24 cores. Crypto Complex; RAM; System Bus; Management Ethernet 2x1GE; MAC 1 and MAC 2 (2x10Gbps each on SSP-40/60)
Firepower Threat Defense (FTD) - Packet Processing
A day in the life of a packet
Packet Processing - Overview
• A packet enters the ingress interface and is handled by the datapath
• If the policy dictates so, the packet is inspected by the advanced inspection engines
• The advanced inspection engines return a verdict for the packet
• The datapath drops or forwards the packet based on the verdict
(figure: Packets flow through the Datapath; the advanced inspection engines return a Verdict)
FTD CLI configuration modes
• Three CLI modes: CLISH mode (prompt ">"), Expert mode (Linux shell), FTD CLI (the ASA console reached via lina_cli, prompt "firepower#")
• Moving from one to the next:
> expert                                        (CLISH mode)
admin@FTD5506-1:~$ sudo su                      (Expert mode)
Password:
root@FTD:/home/admin# lina_cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower#                                      (FTD CLI)
For Your Reference
> capture CAP interface inside match ip host 1.1.1.1 host 2.2.2.2
For Your Reference
Packet-tracer output for the Snort phase:
Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet
Packet Processing – Ingress Interface
Packet Processing – Defrag Policy
Packet Processing – Connection Lookup
Packet Processing – VPN Decryption
• 'same-security-traffic permit intra-interface' is implicitly enabled (hairpinning capable)
• Only Tunnel mode is supported (no Transport mode)
• Supports a tunnel with a 3rd party VPN device (Extranet)
• 3 different VPN deployment topologies
• Point-to-Point, Hub and Spoke, Full Mesh
• No GETVPN, DMVPN, EzVPN support
Packet Processing – UN-NAT/Egress Interface
Packet Processing – Prefilter Policy
Packet Processing – Prefilter Policy, Tunnel
• Adds flexibility when it comes to handling tunneled traffic:
• GRE, IP-in-IP, IPv6-in-IP, Teredo Port 3544
• Block – drops the tunneled traffic
• Fastpath – allows the tunneled traffic and bypasses the advanced inspection engines
• Analyze – sends the tunneled traffic to the advanced inspection engines; optionally allows traffic tagging
Prefilter Demo
Packet Processing – Prefilter Policy, EAC
For Your Reference
L3/L4 ACEs as pushed to the datapath:
access-list CSM_FW_ACL_ line 10 remark rule-id 268434445: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ line 11 remark rule-id 268434445: L4 RULE: Block ICMP
access-list CSM_FW_ACL_ line 12 advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start (hitcnt=0) 0x8bf72c63
access-list CSM_FW_ACL_ line 13 remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
access-list CSM_FW_ACL_ line 14 remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 15 advanced permit ip any any rule-id 268434434 (hitcnt=410) 0xa1d3780e
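The rule-id in these lines is what lets an operator tie a datapath ACE back to the access control rule in FMC. The following is an added Python example, not code from the deck or from Cisco, that parses lines in this format, groups remarks and ACEs by rule-id, and reports two things an auditor usually wants: rules whose ACEs have never matched, and rules pushed as trust (traffic that bypasses the advanced inspection engines). The sample input reproduces the slide's six lines and adds a constructed trust ACE modelled on the Trust rule shown later in the deck; its hit count and hash value are made up.

```python
import re

# Constructed sample in the format of the deck's "access-list CSM_FW_ACL_" output.
# Lines 10-12 and 16-18 reproduce the slide; the trust ACE (lines 13-15) is
# constructed after the deck's Trust rule, with a made-up hitcnt and hash.
SAMPLE_ACL = """\
access-list CSM_FW_ACL_ line 10 remark rule-id 268434445: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ line 11 remark rule-id 268434445: L4 RULE: Block ICMP
access-list CSM_FW_ACL_ line 12 advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start (hitcnt=0) 0x8bf72c63
access-list CSM_FW_ACL_ line 13 remark rule-id 268435477: ACCESS POLICY: FTD5506-1 - Mandatory/4
access-list CSM_FW_ACL_ line 14 remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
access-list CSM_FW_ACL_ line 15 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477 event-log flow-end (hitcnt=12) 0x1a2b3c4d
access-list CSM_FW_ACL_ line 16 remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
access-list CSM_FW_ACL_ line 17 remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 18 advanced permit ip any any rule-id 268434434 (hitcnt=410) 0xa1d3780e
"""

REMARK_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) remark rule-id (?P<rule_id>\d+): "
    r"(?P<kind>ACCESS POLICY|L4 RULE): (?P<text>.*)$"
)
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) advanced (?P<action>permit|deny|trust) "
    r"(?P<match>.*?) rule-id (?P<rule_id>\d+)(?: event-log (?P<log>\S+))? "
    r"\(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)$"
)


def _new_rule():
    return {"policy": None, "name": None, "aces": []}


def parse_access_list(text):
    """Group remark and ACE lines by rule-id, the key that ties a datapath ACE
    to the FMC access control rule it was generated from."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = REMARK_RE.match(line)
        if m:
            rule = rules.setdefault(m["rule_id"], _new_rule())
            rule["policy" if m["kind"] == "ACCESS POLICY" else "name"] = m["text"]
            continue
        m = ACE_RE.match(line)
        if m:
            rule = rules.setdefault(m["rule_id"], _new_rule())
            rule["aces"].append({
                "line": int(m["line"]), "action": m["action"], "match": m["match"],
                "log": m["log"], "hits": int(m["hits"]), "hash": m["hash"],
            })
    return rules


def unused_rules(rules):
    """Rule names whose ACEs have never matched: candidates for policy clean-up."""
    return [r["name"] for r in rules.values()
            if r["aces"] and all(a["hits"] == 0 for a in r["aces"])]


def trust_rules(rules):
    """Rule names pushed to the datapath as 'trust', i.e. traffic that never
    reaches the advanced inspection engines and deserves a second look."""
    return [r["name"] for r in rules.values()
            if any(a["action"] == "trust" for a in r["aces"])]


def total_hits(rules):
    return sum(a["hits"] for r in rules.values() for a in r["aces"])


if __name__ == "__main__":
    parsed = parse_access_list(SAMPLE_ACL)
    for rule_id, rule in parsed.items():
        print(rule_id, rule["policy"], rule["name"],
              [(a["action"], a["hits"]) for a in rule["aces"]])
    print("never matched:", unused_rules(parsed))
    print("bypass inspection:", trust_rules(parsed))
```

Feed it the output of the access-list display from the FTD CLI; the regular expressions only recognise the remark and advanced-ACE forms shown on the slide, so header or summary lines are ignored rather than misparsed.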
Packet Processing – L3/L4 ACL, Allow
For Your Reference
• The rule ID correlates datapath rules with the advanced inspection rules
Packet Processing – L3/L4 ACL, Trust
• A Trust rule is pushed to the datapath as a trust action and to the advanced inspection engine as a fastpath action
• Packet-tracer shows that the datapath will not send any packets to the advanced inspection engine
> packet-tracer input inside udp 4.4.4.4 1111 5.5.5.5 53
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268435477: ACCESS POLICY: FTD5506-1 - Mandatory/4
access-list CSM_FW_ACL_ remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
Additional Information:
(an empty "Additional Information" here means the packet is not going to be redirected to the advanced inspection engine)
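Reading packet-tracer by eye works for one flow; checking many traces (or a whole change window) is easier with a small parser. The following added Python example, not code from the deck or from Cisco, splits packet-tracer output into phase records, extracts the rule-ids matched in the ACCESS-LIST phase, and answers the question this slide raises: did the packet ever reach a SNORT phase? Both traces are constructed excerpts: the first follows the Trust rule trace above, the second is a Default-rule trace with the Snort phase shown earlier in the deck; phase numbers other than those on the slides, the interface names and the summary lines are assumptions.

```python
import re

# Constructed excerpt modelled on the deck's Trust rule trace: an ACCESS-LIST
# phase with a trust ACE and no SNORT phase. The "Result:" summary is assumed.
TRUST_TRACE = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
Additional Information:

Result:
input-interface: inside
output-interface: dmz
Action: allow
"""

# Constructed excerpt for a permit rule: the packet goes on to the SNORT phase,
# whose lines reproduce the Snort verdict slide earlier in the deck.
SNORT_TRACE = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434
Additional Information:

Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet

Result:
input-interface: inside
output-interface: dmz
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")


def parse_packet_tracer(text):
    """Return (phases, action): one dict per phase plus the final Action value."""
    phases, action, current, section = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
            continue
        if current is None or not line:
            continue
        if line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            value = line.split(":", 1)[1].strip()
            if value:
                current["result"] = value
            else:
                current = None  # a bare "Result:" opens the final summary block
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section:
            current[section].append(line)
    return phases, action


def snort_phase(phases):
    """The SNORT phase, or None when the datapath never handed the packet to
    Snort (the Trust case on this slide)."""
    return next((p for p in phases if p["type"] == "SNORT"), None)


def goes_to_snort(phases):
    return snort_phase(phases) is not None


def first_drop(phases):
    return next((p for p in phases if p["result"] == "DROP"), None)


def matched_rule_ids(phases):
    """rule-ids from ACCESS-LIST phases, for correlation with the FMC rule."""
    ids = []
    for p in phases:
        if p["type"] != "ACCESS-LIST":
            continue
        for entry in p["config"]:
            m = re.search(r"rule-id (\d+)", entry)
            if m and m.group(1) not in ids:
                ids.append(m.group(1))
    return ids
```

Running `parse_packet_tracer` on the two traces gives `goes_to_snort` False for the Trust trace and True for the permit trace, which is exactly the distinction the slide makes between a trust action and a permit action.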
Packet Processing – L3/L4 ACL, Trust
• If one or more of the following is true, the Trust rule is pushed to the datapath as a permit action instead:
• An application is used as a condition, and/or SI, QoS, Identity Policy or SSL Policy is in use
Packet Processing – L3/L4 ACL, Monitor
Packet Processing – L3/L4 ACL, Block
• Packets matching this rule will be dropped by the datapath according to the verdict
For Your Reference
• When matching a Block with Reset rule, FTD sends a TCP Reset packet or an ICMP Type 3 Code 13 Destination Unreachable (Administratively filtered) message
> system support firewall-engine-debug
7.7.7.7-36778 > 8.8.8.8-80 6 AS 1 I 0 match rule order 7, 'ACP_Rule7_Block_RST_Youtube', action Reset
7.7.7.7-36778 > 8.8.8.8-80 6 AS 1 I 0 reset action
Packet Processing – L3/L4 ACL, Interactive Block
• The user can click the Continue button or refresh the browser page to bypass the block and continue
For Your Reference
Packet Processing – L3/L4 ACL, Interactive
• Similar to Block with Reset, the user can click the Continue button
> system support firewall-engine-debug
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 Starting with minimum 9, 'ACL_Rule9_Interactive_Blck_RST', and IPProto first with zones 3 -> 1, geo 0(0) -> 0,
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 match rule order 9, 'ACL_Rule9_Interactive_Blck_RST', action Interactive Reset
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 bypass action sending interactive response of 1093 bytes
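The firewall-engine-debug lines on this slide and on the Block with Reset slide share one layout: a flow key, the Snort instance ("AS 1 I 1") and a free-text message, with the rule match reported as "match rule order N, 'name', action X". The following added Python example, not code from the deck or from Cisco, parses that layout into one record per flow so that an analyst can see which rule each flow hit and what the engine then did (reset, interactive response) without reading the raw debug. The sample input reproduces the debug lines from both slides; the protocol-number to name mapping is an assumption of this example.

```python
import re

# Debug lines reproduced from the deck's Block with Reset and Interactive slides;
# the prompt line is kept to show that non-flow lines are ignored.
SAMPLE_DEBUG = """\
> system support firewall-engine-debug
7.7.7.7-36778 > 8.8.8.8-80 6 AS 1 I 0 match rule order 7, 'ACP_Rule7_Block_RST_Youtube', action Reset
7.7.7.7-36778 > 8.8.8.8-80 6 AS 1 I 0 reset action
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 Starting with minimum 9, 'ACL_Rule9_Interactive_Blck_RST', and IPProto first with zones 3 -> 1, geo 0(0) -> 0,
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 match rule order 9, 'ACL_Rule9_Interactive_Blck_RST', action Interactive Reset
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 bypass action sending interactive response of 1093 bytes
"""

# src-sport > dst-dport proto AS <n> I <instance> <message>
FLOW_RE = re.compile(
    r"^(?P<src>[\d.]+)-(?P<sport>\d+) > (?P<dst>[\d.]+)-(?P<dport>\d+) (?P<proto>\d+) "
    r"AS (?P<as_>\d+) I (?P<inst>\d+) (?P<msg>.*)$"
)
MATCH_RE = re.compile(r"^match rule order (?P<order>\d+), '(?P<name>[^']+)', action (?P<action>.+)$")
RESPONSE_RE = re.compile(r"sending interactive response of (?P<nbytes>\d+) bytes")
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}  # assumption: IANA protocol numbers


def parse_engine_debug(text):
    """One record per flow: matched rule (order, name), rule action, the Snort
    instance that handled the flow and the remaining messages in order."""
    flows = {}
    for raw in text.splitlines():
        m = FLOW_RE.match(raw.strip())
        if not m:
            continue  # prompt, blank or unrelated output
        key = "%s:%s -> %s:%s %s" % (m["src"], m["sport"], m["dst"], m["dport"],
                                     PROTO_NAMES.get(m["proto"], m["proto"]))
        flow = flows.setdefault(key, {"instance": int(m["inst"]), "rule": None,
                                      "action": None, "response_bytes": None,
                                      "events": []})
        msg = m["msg"]
        mm = MATCH_RE.match(msg)
        if mm:
            flow["rule"] = (int(mm["order"]), mm["name"])
            flow["action"] = mm["action"]
            continue
        rm = RESPONSE_RE.search(msg)
        if rm:
            flow["response_bytes"] = int(rm["nbytes"])
        flow["events"].append(msg)
    return flows


def flows_with_action(flows, action):
    """Flow keys whose matched rule carries the given action (e.g. 'Reset')."""
    return [key for key, f in flows.items() if f["action"] == action]


if __name__ == "__main__":
    for key, flow in parse_engine_debug(SAMPLE_DEBUG).items():
        print(key, flow["rule"], flow["action"], flow["events"])
```

The flow key is built from the five-tuple, so the two debug lines for 7.7.7.7 collapse into one record whose events list shows the reset action following the rule match.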
See also BRKSEC-3455 (Dissecting Firepower-NGFW(FTD) & Firepower-Services: Design & Troubleshooting)
For Your Reference
> show asp inspect-dp snort queues – SNORT Inspect Instance Queue Configuration
> show asp inspect-dp snort – SNORT Inspect Instance Status Info
Packet Processing – Packet Decoding
Packet Processing – L2-L4 Preprocessors
• TCP Stream Preprocessor (Stream5) defines how Snort handles TCP streams.
• Troubleshooting Tip: you can enable Intrusion Rule ID (129:SID) to generate events for the TCP Stream Preprocessor
Packet Processing – SI (IP)
For Your Reference
• The interface mode dictates which engine (datapath or Snort) handles the fragments
• The Frag3 Snort preprocessor handles fragmented traffic at Snort level
Packet Processing – SSL Decryption
• The SSL Inspection Policy controls which traffic will be decrypted by FTD so that other policies (ACP, File, Snort) can inspect the traffic
Packet Processing – SI (DNS/URL)
Packet Processing – Identity Policy
• Identity Policy enables user-based authentication. The user info can be obtained in various ways: Active Authentication or Passive Authentication
Packet Processing – L7 ACL
Packet Processing – QoS Rate Limiting
See also BRKSEC-2058 (A Deep Dive into using the Firepower Manager)
Packet Processing – File Policy (AMP)
Packet Processing – Intrusion Policy
Packet Processing – Snort Verdict and Flow Update
• At this point the Snort engine returns a verdict (Pass, Blacklist (Block), Fast-Forward, etc.) to the ASA datapath through the DAQ and PDTS framework
> show logging | include connection
Jun 13 2016 13:32:49: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.76.14/0 gaddr 192.168.75.14/0 laddr 192.168.75.14/0
Jun 13 2016 13:33:00: %ASA-6-302016: Teardown UDP connection 357875 for inside:192.168.75.14/60131 to dmz:192.168.76.14/53 duration 0:02:01 bytes 43
Packet Processing – ALG Checks
Packet Processing – NAT IP Header
Packet Processing – L3 Route Lookup
Packet Processing – L2 Address Lookup
(figure labels: DC1, DC2)
Flow Offload Operation
• Dynamically program the offload engine after flow establishment
• Bring flows out of and back to full inspection on demand
(figure: incoming traffic enters the NPU classifier; new and fully inspected flows go to the application instance – the full Cisco ASA, NGFW or NGIPS engine – for full inspection; established trusted and jumbo flows take the lightweight data path; the application sends offload instructions to the NPU and receives flow updates)
Cisco Firepower Threat Defense
Firewall Architecture (figure: INGRESS to EGRESS)
Firewall Architecture
• Traffic can be impacted (dropped, denied, modified, etc.) when traversing the Datapath and the Advanced Inspection Engines
• The Datapath keeps track of flows and maintains state (full ASA data plane function)
• The Advanced Inspection Engines have access to the complete packet from L2
• The Advanced Inspection Engines perform normalization and defragmentation
FTD Initial Setup
Installing Firepower Threat Defense
(figure: Management Center – Register – Firepower Management Center 6.0; Smart License – Install – Cisco Smart Software Manager; FirePOWER Services on ASA – Upgrade/Reimage – Firepower Threat Defense)
FTD Initial Setup – FTD Console
FTD Initial Setup – Adding a Device to FMC
(figure annotations on the Add Device form):
• Either hostname or IP address
• Registration key we used in the CLI
• Access Control Policy
• Select based upon subscriptions purchased
Firewall Deployment Modes
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces separate L3 domains – the firewall is the router and gateway for local hosts
(figure: 10.1.1.0/24 with firewall interface 10.1.1.1 on one side; NAT and DRP on the firewall; 192.168.1.1 on 192.168.1.0/24 on the other side; host IP: 192.168.1.100, GW: 192.168.1.1)
Firewall Design: Modes of Operation
(figure labels: 192.168.1.1; host IP: 192.168.1.100, GW: 192.168.1.1)
• Note:
• No multiple context mode and RA VPN available on FTD today
• Routed or transparent mode configured with setup dialog
• Changing between these modes requires re-registering with FMC
• Policies will be re-deployed
IPS/IDS Modes
IPS Mode Deployment
• Inline Mode
• Two physical interfaces paired together
• Paired interfaces must be assigned to an inline set
• Bump in the wire, entirely transparent to the network
• Bypass functionality with hardware bypass interfaces on 4100 and 9300
• Easy to insert into an existing network
• Multiple pairs can be configured on the same sensor as sets
• Inline with tap mode
• Same as Inline, but packets are never dropped
• Used for evaluating and tuning of rules
Inline Pair Architecture (figure: INGRESS to EGRESS)
Inline TAP Architecture (figure labels: INGRESS, EGRESS, Copy, Ingress NIC, Egress NIC)
Passive (IDS) mode deployment
Passive Architecture (figure labels: INGRESS, EGRESS, TCP DROP, L4 Decode, Normalization)
For Your Reference
High Level Matrix for Deployment (table columns: Routed, Transparent, Inline, Inline Tap, Passive)
Optional Interface Modes
• By default, all interf

aces are firewall interfaces (routed or transparent)
• Optionally, specific interfaces can be configured for use as IDS or IPS
• IDS Mode
• Inline Tap
• Passive
• ERSPAN
• IPS Mode
• Inline
Mix and Match Interface Modes
(figure: interfaces A–J on one device mixing Routed/Transparent Interfaces, Passive, Inline Pair 1 and Inline Pair 2 in an Inline Set, and Inline Tap, all sharing the same Policy Tables)
Integrated Routing and Bridging (figure: FTD)
Integrated Routing and Switching Via FMC
• A BVI interface can now have a name assigned to it; this enables it to participate in routing
• Only static routing is enabled on BVI interfaces in
Intra BVI use case
(figure: H1 and H2 on BVI 1, H3 and H4 on BVI 2; traffic within a BVI is subject to ACLs and other inspections, no routing needed – micro-segmentation)
Inter BVI use case (figure: H1, H2 and H3, H4 on different BVIs)
Traffic between BVI and regular routed interface (figure: H1, H2, H3, H4)
Features supported
Routing on FTD
• FTD performs L3 route lookup as part of its normal packet processing flow
• FTD is optimized as a flow-based inspection device
• For smaller deployments, FTD is perfectly acceptable as the router
• For larger deployments, a dedicated router (ISR, ASR, Nexus) is a much better option
FTD Routing – Static Use Case
(figure: Outside Network reached via FHRP 128.107.1.1, static route or IGP; FTD interface G1/2; Inside 10.120.1.0/24 – Inside Network)
FTD Routing – Dynamic Use Case
Step 1 – Enable the OSPF Process
Step 2 – Add an Area
Step 3 – Add Redistribution
NAT on FTD
• NAT on FTD is built around objects, with two types of NAT:
• Auto NAT
• Only the source is used as a match criterion
• Only used for static or dynamic NAT
• Manual NAT
• Source (and possibly destination) is used as a match criterion
• More flexibility in NAT rules (one-to-one, one-to-many, many-to-many, many-to-one)
NAT on FTD
• Auto NAT
• Configured within a network object (internally)
• The device automatically orders the rules for processing:
• Static over dynamic
• Quantity of real IP addresses – from smallest to largest
• IP address – from lowest to highest
• Name of network object – in alphabetical order
• Manual NAT
• Supports NAT of the source and destination in a single rule
• Only the configured order matters for processing
NAT on FTD Processing
• Single NAT rule table (matching on a first-match basis)
• Uses a simplified “Original Packet” to “Translated Packet” approach
• By default only Sections 1 and 2 are used. Select the “NAT Rule After” category when configuring a Manual NAT rule to place it within Section 3
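The Auto NAT ordering rules on the previous slide and the three-section, first-match table on this one determine which translation a packet actually gets, and getting that wrong is how a static host translation silently loses to a broader dynamic one. The following added Python example, not code from the deck or from Cisco, encodes the four Auto NAT ordering criteria as a sort key, assembles the single rule table (Section 1 manual rules, Section 2 ordered Auto NAT, Section 3 "NAT Rule After"), and looks up the first matching rule for a source (and, for manual rules, destination). The addresses reuse the deck's use-case values; the object names, the "app-server" object, the mapped values and the Section 1 twice-NAT rule are constructed.

```python
import ipaddress

# Constructed Auto NAT objects. Real addresses reuse the deck's use cases; the
# object names, the app-server object and the mapped values are assumptions.
AUTO_NAT = [
    {"name": "inside-net", "type": "dynamic", "real": "10.120.1.0/24",  "mapped": "interface PAT"},
    {"name": "web-server", "type": "static",  "real": "172.16.25.200",  "mapped": "128.107.1.200"},
    {"name": "dmz-net",    "type": "dynamic", "real": "172.16.25.0/24", "mapped": "128.107.1.10-128.107.1.20"},
    {"name": "app-server", "type": "static",  "real": "10.120.1.50",    "mapped": "128.107.1.50"},
]

# Constructed Manual NAT rules: one in Section 1 (before Auto NAT) matching on
# source and destination; nothing placed in Section 3 ("NAT Rule After").
MANUAL_BEFORE = [
    {"name": "twice-nat-partner", "type": "static", "real": "192.168.1.10",
     "real_dst": "128.107.1.242", "mapped": "192.168.1.155", "mapped_dst": "128.107.1.155"},
]
MANUAL_AFTER = []


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def auto_nat_sort_key(rule):
    """Order FTD applies to Auto NAT: static before dynamic, then fewest real
    addresses first, then lowest real IP first, then object name alphabetically."""
    net = _net(rule["real"])
    return (0 if rule["type"] == "static" else 1,
            net.num_addresses,
            int(net.network_address),
            rule["name"])


def order_auto_nat(rules):
    return sorted(rules, key=auto_nat_sort_key)


def auto_nat_order_names(rules=AUTO_NAT):
    return [r["name"] for r in order_auto_nat(rules)]


def build_nat_table(section1, auto_rules, section3):
    """Single NAT rule table: Section 1 manual rules in configured order,
    Section 2 Auto NAT in device order, Section 3 manual 'after' rules."""
    table = []
    for section, rules in ((1, section1), (2, order_auto_nat(auto_rules)), (3, section3)):
        for rule in rules:
            table.append(dict(rule, section=section))
    return table


def first_match(table, src_ip, dst_ip=None):
    """First rule whose original-packet criteria match (first-match semantics);
    Auto NAT rules look at the source only, manual rules may also need the destination."""
    src = ipaddress.ip_address(src_ip)
    for rule in table:
        if src not in _net(rule["real"]):
            continue
        real_dst = rule.get("real_dst")
        if real_dst is not None:
            if dst_ip is None or ipaddress.ip_address(dst_ip) not in _net(real_dst):
                continue
        return rule
    return None


if __name__ == "__main__":
    nat_table = build_nat_table(MANUAL_BEFORE, AUTO_NAT, MANUAL_AFTER)
    for rule in nat_table:
        print(rule["section"], rule["name"], rule["real"], "->", rule["mapped"])
    # The /32 static object wins over the /24 dynamic one for 10.120.1.50
    print("10.120.1.50 hits", first_match(nat_table, "10.120.1.50")["name"])
```

Note that app-server sorts ahead of inside-net even though inside-net was configured first: static beats dynamic before the address count or value is even considered, which is why a host on 10.120.1.0/24 with its own static object never gets interface PAT.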
Auto NAT Use Cases
• Dynamic NAT translation of 10.120.1.0/24 using Interface PAT
• Static NAT translation of 172.16.25.200 to a public IP of 128.107.1.200
• Dynamic NAT translation of 10.120.1.0/24 to 128.107.1.10-128.107.1.20
Manual NAT Use Case
• Static NAT of 192.168.1.10 128.107.1.242 to 192.168.1.155 128.107.1.155
Sample NAT Policy (figure: Manual NAT Rules – easy to understand NAT logic)
FTD NGFW Policies
Access Control Policy – the glue that ties everything together (figure: Inspection Options)
For Your Reference
NGFW Policy Types in FTD
Policy Type      Function
Access Control   Specify, inspect and log network traffic
Intrusion        Inspect traffic for security violations (including block or alter)
Malware & File   Detect and inspect files for malware (including block)
For Your Reference
Access Control Policy Overview
• Controls what and how traffic is allowed, blocked, inspected and logged
• The simplest policy contains only the default action:
• Block All Traffic
• Trust All Traffic – does not pass through Intrusion and Malware & File inspection
• Network Discovery – discover applications, users and devices on the network only
• Intrusion Prevention – using a specific intrusion policy
• Criteria can include zones, networks, VLAN tags, applications, ports, URLs and SGT/ISE attributes
• The same Access Control Policy can be applied to one or more devices
• Complex policies can contain multiple rules, inherit settings from other access control policies and specify other policy types that should be used for inspection
For Your Reference
Intrusion Policy Overview
• Controls how IDS or IPS inspection is performed on network traffic
• A simple policy inherits settings from 1 of 5 Cisco Talos maintained base policies:
• Balanced Security and Connectivity – Default and recommended
• Connectivity Over Security – Fewer rules enabled, only most critical rules block
• Maximum Detection – Favors detection over rated throughput
• No Rules Active
• Security Over Connectivity – More rules enabled, deeper inspection
• Individual rules can be set to generate events, drop and generate events, or disabled
• Layers allow for grouping of settings/rules for easier management
• Complex policies can contain multiple layers and multiple levels of inheritance
For Your
Reference
Malware & File Policy Overview
• Controls what and how files are allowed, blocked and inspected
• Simple policy applies the same action (Malware Cloud Lookup) to all files
• Actions are:
  • Detect Files – detect and log the file transfer, perform no inspection
  • Block Files – block and log the file transfer, perform no inspection
  • Malware Cloud Lookup – inspect the file to determine disposition (Malware, Unknown or Clean) and log
  • Block Malware – inspect the file to determine disposition, log and block if Malware
• Inspection includes static analysis of the file (via Spero), dynamic analysis (via AMP Threat Grid) and local analysis (via ClamAV)
• Complex policies can include different actions and levels of inspection for different application protocols, directions and file types
SSL Policy Overview
• Controls how and what encrypted traffic is inspected and decrypted
• Simple policy blocks all encrypted traffic that uses a self-signed certificate
• Actions are:
  • Decrypt - Resign – used for SSL decryption of public services (Google, Facebook, etc.)
  • Decrypt - Known Key – used when you have the certificate's private key
  • Do not decrypt
  • Block
  • Block with reset
  • Monitor
• Many actions can be taken on encrypted traffic without decryption by inspecting the certificate, DN, certificate status, cipher suite and version (all supported by FTD)
Firepower Threat Defense (FTD)
Upgrade/Migration
What can I migrate to FTD?
ASA Device Requirements for Migration Tool
• Any platform running ASA software 9.1 or later
• ASA must be in single context mode (multi-context is not supported)
• It must be the active unit if in a failover pair
• It must be the master unit if it is part of a cluster
• The ASA can be running in transparent or routed mode
• http://www.cisco.com/c/en/us/td/docs/security/firepower/620/asa2ftd-migration/asa2ftd-migration-guide-620.html
Firepower Device Requirements
• The migration tool runs on a dedicated Firepower Management Center virtual for VMware. The migration tool is not supported in a production environment.
• Migration FMC – to enable the migration tool, run as root: enableMigrationTool.pl
• The customer FMC must be running a supported environment on a supported platform. The migration FMC must be the same software version as the production FMC, e.g. migration FMC 6.1 – production FMC 6.1
• Firepower Management Center FS750, FS1500, FS2000, FS3500, FS4000, Virtual
• Supported FMC environments: Firepower System version 6.1
• The migration tool does not migrate license information; you must purchase new FTD licenses, as they are a different license from the ASA. If you have existing FirePOWER licenses, work with licensing at cisco.com to convert them to FTD licensing.
Migration Capabilities
ASA features supported for migration:
• Extended access rules (can be assigned to interfaces and assigned globally)
• Twice NAT and network object NAT rules
• Any network objects/groups associated with the extended access rules and NAT rules that the tool converts
• ASA software version 9.1 onwards
Migration limitations:
• Only converts ASA configurations
• ACL and ACE limit of 600,000 access rule elements
• It will only convert ACLs that are applied to an interface; these must be paired access-list and access-group commands. EtherType or Webtype ACLs are not supported.
• ACL and NAT exceptions are Users, Time Range, FQDN, SGT and Per-session NAT rules
Migration Checklist
• ASA device meets all the requirements
• ASA configuration file is in either .cfg or .txt format
• The ASA configuration file contains only supported configurations and meets the required limits for migration
• The ASA configuration file only contains valid ASA CLI configurations. Correct any incorrect or incomplete commands before continuing or the migration will fail.
• Download the .ovf file of Firepower Management Center for the VMware platform to install the migration tool. The migration tool is not supported in a production environment.
• In the migration FMC, run as root: enableMigrationTool.pl
Migration at a Glance (diagram)
ASA (single context mode; transparent or routed; active unit in an HA pair) → ASA .cfg or .txt file → migration tool: migration report → import as ACL or Pre-filter policies → apply migrated configs → register FTD (manual reimage of the ASA to FTD)
For Your
Reference
Best Practices and Recommendations
• Policy for Migration
  • Pre-filter Policy: action Fastpath or Analyze – use Analyze for inspection
  • Access Policy: to use advanced layer 7 inspections when the traffic is not tunneled
• Configuration Size for Migration
  • 600K expanded ASA rules and 10K UI rules in version 6.1
  • show access-list acl_name | i elements (determines how many entries are in the ACL)
  • Targeting 1M expanded ASA rules and 20K UI rules in version 6.2
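As an added example (not part of the presentation and not the Cisco migration tool), a small Python 3 pre-check that reads an ASA configuration file and flags the items the checklist and the Migration Capabilities table say will not convert: ACLs without a matching access-group, EtherType/Webtype ACLs, and ACEs that use time ranges, users, SGTs or FQDN objects, plus a per-ACL ACE count against the 600K limit. The sample configuration embedded in it is constructed; the check is line-based, so the count is the number of ACE lines, not the expanded element count that show access-list acl_name | i elements reports on the appliance.

```python
import re

# Constructed sample ASA configuration (not from the presentation). It mixes
# items the migration tool converts with items the Migration Limitations
# table lists as exceptions.
SAMPLE_ASA_CONFIG = """\
hostname asa-edge
object network WEB-SRV
 host 10.1.1.10
object network MAIL-FQDN
 fqdn mail.example.com
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
access-list OUTSIDE-IN remark public web and mail
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq 443
access-list OUTSIDE-IN extended permit tcp any object MAIL-FQDN eq 25
access-list OUTSIDE-IN extended deny ip any any
access-list INSIDE-OUT extended permit ip any any time-range BUSINESS-HOURS
access-list INSIDE-OUT extended permit tcp user LOCAL\\alice any any eq 22
access-list L2-FILTER ethertype permit ipx
access-list ORPHAN extended permit ip any any
access-group OUTSIDE-IN in interface outside
access-group INSIDE-OUT in interface inside
nat (inside,outside) source dynamic any interface
"""

ACL_RE = re.compile(r"^access-list (\S+) (extended|ethertype|webtype|standard) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (?:(?:in|out) interface \S+|global)$")
OBJECT_RE = re.compile(r"^object network (\S+)$")

# ACE keywords the tool does not convert (the Users, Time Range and SGT exceptions)
UNSUPPORTED_ACE_TOKENS = {
    "time-range": "time range",
    "user": "user-based ACE",
    "object-group-user": "user-based ACE",
    "security-group": "SGT-based ACE",
    "object-group-security": "SGT-based ACE",
}


def check_asa_config(config_text, max_elements=600000):
    """Return (ace_counts, findings): ACE lines per ACL and a list of
    (acl_name, reason) tuples for anything the migration tool will skip."""
    fqdn_objects = set()   # network objects defined with an fqdn line
    current_object = None
    aces = {}              # ACL name -> list of ACE bodies, in config order
    acl_types = {}         # ACL name -> extended / ethertype / webtype / standard
    bound = set()          # ACL names referenced by an access-group command
    findings = []

    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = OBJECT_RE.match(line)
        if m:
            current_object = m.group(1)
            continue
        if line.startswith(" "):
            if current_object and line.strip().startswith("fqdn "):
                fqdn_objects.add(current_object)
            continue
        current_object = None          # any top-level command ends the object block
        m = ACL_RE.match(line)
        if m:
            name, kind, body = m.groups()
            acl_types[name] = kind
            aces.setdefault(name, []).append(body)
            continue
        m = GROUP_RE.match(line)
        if m:
            bound.add(m.group(1))
        elif line.startswith("xlate per-session"):
            findings.append(("nat", "per-session NAT rule: " + line))

    for name, bodies in aces.items():
        if acl_types[name] in ("ethertype", "webtype"):
            findings.append((name, acl_types[name] + " ACL is not supported"))
            continue
        if name not in bound:
            findings.append((name, "not applied with access-group; will not be converted"))
        for body in bodies:
            tokens = body.split()
            for tok, reason in UNSUPPORTED_ACE_TOKENS.items():
                if tok in tokens:
                    findings.append((name, reason + ": " + body))
            for i in range(len(tokens) - 1):
                if tokens[i] == "object" and tokens[i + 1] in fqdn_objects:
                    findings.append((name, "FQDN object " + tokens[i + 1] + ": " + body))

    counts = {name: len(bodies) for name, bodies in aces.items()}
    if sum(counts.values()) > max_elements:
        findings.append(("*", "total ACE lines exceed " + str(max_elements)))
    return counts, findings


if __name__ == "__main__":
    counts, findings = check_asa_config(SAMPLE_ASA_CONFIG)
    for name, n in counts.items():
        print(name, n, "ACE lines")
    for name, reason in findings:
        print("SKIP", name, "-", reason)
```

Run it against a saved running-config (show running-config output) before uploading the .cfg/.txt to the migration FMC; every finding is a line to correct or remove so the migration does not fail on an unsupported command.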
FTD Migration Demo
Migration Summary (same at-a-glance diagram: single context mode, transparent or routed, active unit in HA pair → ASA .cfg or .txt file → migration report → import as ACL or Pre-filter policies → apply migrated configs → register FTD after manual reimage)
Management
Managing NGFW
Firepower Device Manager, FDM
• OS: Firepower Threat Defense
• Supported platforms in 6.1: ASA 5506-X (all), 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X
• Available from version 6.1
• State of the art infrastructure (HTML5, REST and others), UI based on the REST API, no more Java
• Typical home user feature set
• Subset only of the FMC feature set
• FDM or FMC (FDM will be disabled if you add the device to FMC)
• No historical database, no host database, …
• Regular rule, VDB and GeoDB updates from Talos (no rollback support)
User Experience
• Only web UI (HTTPS only, no CLI) page (no thick client)
• Configuration, monitoring and events in a new GUI
• Simplified user experience
• Easy Setup Wizard
• Default Policies
• Targeting users who are not security experts
• Not all features are exposed (no parity with FMC)
• 1st release: Access, NAT, Identity, Basic IPS, AMP, Device settings, …
• No EtherChannel, PPPoE, dynamic routing, advanced IPS & Malware in 6.1
• From 6.2: VPN support, site-2-site support; physical and virtual options, Integrated Routing and Switching, SoftSwitch
Smart Licensing
90-day Smart License evaluation:
• Base (Firewall, AVC, networking, perpetual)
• Threat (IPS, SI, DNS Sinkhole), Malware (AMP/File/TG) and URL licenses, time based, no satellite license yet
• You can disable/enable these 3 licenses
FDM Installation
• After the setup (admin account, IP address, GW, DNS, NTP):
  Manage the device locally? (yes/no) [yes]:
• If you would like to change the manager, the standard FTD command applies:
  > configure manager local | add | delete
Tasks
• Task list:
  • Backup/restore
  • GeoDB/SRU/VDB
  • Deployments
  • Generating troubleshooting logs
  • Licensing tasks, like license registration, update
• Current task limitations:
  • You can re-schedule but not re-run
  • Cannot stop a task
  • You can delete Failed / Success tasks
Backup – restore
• Only complete config, compressed and encrypted files
• You can upload/download the file; folder: /var/sf/backup
• If the platforms and versions are the same, you can upload another device's backup file
• Restore cannot be scheduled
• Go to "Datapath":
  system support diagnostic-cli
• Afterwards you can use ASA commands, like:
  show run interface GigabitEthernet 0/1.1
VPN Enhancements in FTD 6.2
• Site-to-Site VPN configuration support from FDM
• Wizard to walk you through creation of an IPsec VPN tunnel
• Only pre-shared key supported currently
• Encryption:
  • Evaluation mode: only DES encryption available
  • Registered Smart License: strong encryption available (AES, 3DES)
Reference: BRKSEC-3555
Inter-Chassis Clustering
• Intra-Chassis Clustering was already supported on FP9300 before 6.2
• Inter-chassis clustering requires at least FXOS 2.1.1 and FTD 6.2
• All NGFWs in the cluster must be identical:
  • 9300 – modules must be the same type
  • 4100 – chassis must be the same model
• Only Spanned EtherChannel mode (L2) is supported; Equal-Cost Multi-Path (ECMP) mode (L3) is not supported
(Diagram: cluster placed between Inside and Outside)
Steps Involved in Bringing up a FTD Cluster
Clustering Setup – Firepower Chassis Manager (screenshots)
• Interface #1 – Management Interface for FTD
• Interface #2 – Cluster Control Link
• Interface #3 – Data Link (port type None or VPC)
Creating Cluster Member #1 (screenshot callouts):
• Port-channel48 is automatically selected as the cluster interface if configured
• Chassis ID of the unit in the cluster
• Key to authenticate the management connection from FMC
• Admin password to login to FTD
• Needed for uploading files to AMP, etc.
• Routed or Transparent
Creating Cluster Member #2 (screenshot callouts):
• If this isn't checked, you will need to enter each cluster detail manually in the next step
• Must be different than other units
• Key to authenticate the management connection from FMC
• Admin password to login to FTD
• Populated from the pasted config
• Change to be unique
Clustering Setup – Firepower Management Center: Creating the Cluster
Cluster Successfully Added – clustering is coming up
Summary
• FXOS manages the interfaces, images and hardware
• FXOS can install software (ASA/FTD) and provision the ASA or FTD cluster configuration
• But FMC will manage the security services
• Do not forget the role of each interface
Cisco Defense Orchestrator (CDO)
What is Cisco Defense Orchestrator (CDO)?
• CDO is a cloud-based policy management platform
What devices can I manage with CDO today?
• ASA 5500-X with ASA software version 8.4+
• ASAv
• OpenDNS Umbrella
Key capabilities of CDO
• Device onboarding
• Object and policy analysis
• Security templates
• Simple search-based management
• Change impact modelling
• Out-of-band notifications
• Automatic reports
Cisco Defense Orchestrator Is Secure at Every Level, Regardless of Connection Method
Demo of Cisco Defense Orchestrator
Comparison of Management Tools
ASDM: OnBox Manager for Firepower Services
• OnBox Manager: remove the configured manager on the Firepower Services module (configure manager delete)
• By default, the Firepower Services module is visible to the manager. You don't have to add the module (device) to the manager. In case the device is managed by a central FMC, the module will be disabled on ASDM.
• Both Firepower Services and the ASA can be managed using the same ASDM manager.
(Screenshot callouts: Status; Onbox Reporting and Dashboard)
Configure Firepower Services: ASDM
(Screenshot callouts: Access Control Policies, IPS policies, Files Policies; other policies (SSL, ID, …) are available and similar to FMC)
Firepower Device Manager (FDM)
• Web-based On-Box Manager
• Workflows, diagrams and default configuration options
(Dashboard screenshot callouts: change displayed time range; can change to show a particular interface)
Firepower Management Center - FMC
• Centralized, role-based manager
• Manages firewall, applications, files and threats
• Rule recommendations
• Impact Assessment
• Customizable dashboards
• REST API
Cisco Defense Orchestrator
• Cloud-based policy management
• Object and policy analysis
• Device onboarding
• Security Templates
• Different device types - not just firewalls
Cisco Security Manager - CSM
• Centralized manager for Cisco ASA firewall, VPN and Cisco IPS (ASA, IPS, FWSM, ISR/ASR)
• Log Management
• Image Management
• Application Programming Interface (API)
• Network Health
• Policy Management
• Reports
Comparison of Management Tools
Feature | FMC | ASDM | FDM
Manageability | Centralized web-based GUI – manage up to 500 sensors | On-Box, Java based, for a single device, comes with ASA image | Web-based On-Box manager for a single device with FTD image
Form Factor | Physical, Virtual, AWS | Available on all ASAs | Available on mid-range ASAs (5500-X)
FirePower Services on ASA | Yes | Yes – limited | No
FirePower Appliances (SF) | Yes | No | No
ASA Software | No | Yes | No
FTD Software | Yes (limitations) 6.0.1+ | No | Yes 6.1+
S2S VPN | Yes 6.1 | Yes, ASA | 6.2 (pre-shared keys)
RA VPN | No | Yes, ASA | No – future release
Routing | No EIGRP, Multicast in 6.1 | Yes, ASA | Static only
Interfaces | Static, DHCP, PPPoE | Static, DHCP, PPPoE | Static, DHCP
NAT | Manual NAT (Twice NAT), Auto NAT, FirePower NAT – static or dynamic | Object NAT, Twice NAT | Manual NAT (Twice NAT), Auto NAT (Object NAT) – static or dynamic
High Availability | A/S from 6.1 onwards, A/A in 5.4 | A/S, A/A | No
Domain Management | 6.0+ | No | No
Risk Reports | 6.1+ | No | No
Reporting | Extended functionality | Base functionality | Base functionality
Smart Licensing
Smart Licensing – Smart Accounts
• Smart Licensing is a cloud-based approach to licensing. Centralized account to
pool all assets.
• Purchase your licenses and they get deposited to your Virtual account for usage
and flexible licensing.
• Eliminates the need to install license file on every device.
• Manage product registration and monitor smart license consumption on Cisco
Smart Software Manager (CSSM).
• Moving away from Classic Licensing based on Product Activation Keys (PAK).
Security Products Smart-Enabled
Products Using Smart Licensing
ASAv & FTDv
Firepower 9300
Firepower 4100
Firepower 2100
How Does Smart Software Licensing Work?
Smart Licensing provides a Software Inventory Management System that gives Customers, Cisco, and Selected Partners information about Software Ownership and Software Utilization (diagram: Ownership and Usage)
Smart Account Types
• Holding Smart Account – where partners/distributors can temporarily deposit an order until the end customer smart account is identified. Licenses cannot be consumed from a holding account.
• Virtual Account – create virtual accounts according to your needs, i.e. to reflect your company organization, geography, budgeting or other structure. Share licenses across virtual accounts. Maintained by the CSSM (Cisco Smart Software Manager) administrator.
Connectivity Options
• Direct cloud access (default): the Cisco product sends usage information directly over the internet to Cisco.com (your Cisco Software Manager) over HTTPS. No additional components are needed.
• Direct cloud access through an HTTP proxy: Cisco products send usage information over the internet via a proxy server.
• Mediated access through an on-premises satellite - connected: Cisco products send usage information to a local connected collector, which acts as a local license authority. Periodically, an exchange of information is done to keep the databases in sync.
• Mediated access through an on-premises satellite - disconnected: Cisco products send usage information to a local disconnected collector, which acts as a local license authority. Once a month, an exchange of information (by file transfer) is performed to keep the databases in sync.
Create a Smart Account
https://software.cisco.com
(Screenshot callouts: your smart account; smart account properties, list them if more than one; Training and Documentation)
Firepower Management Center – Smart License
Steps to register FTDv for smart licensing (screenshots):
• Cisco Smart Software Manager Portal - CSSM: see all the purchased licenses for your organization
• Firepower Management Center – Smart Licenses
• Firepower Management Center – Device Management: go to Devices > Device Management and register your FTDv or new device, then apply the licenses you require or want. The smart licenses you purchased can be applied to your device here.
Permanent License Reservation (PLR) Overview
• PLR is an enhancement to the Smart Licensing feature on the ASAv
• Designed for highly secure environments where communication with either Cisco Smart Software Manager (CSSM) or a local Smart Software Satellite is not allowed
• Allows reserving licenses from a virtual account, tying them to a device's UDI, and using the device with these reserved licenses in a disconnected mode
• Includes the ability to return the license into the Smart virtual account
• Available from ASA 9.5.2.200, 9.6.2 and onward
• Licenses are permanent, not time based
• Provides an off-line method of licensing similar to PAK (Product Activation Key)
Permanent License Reservation (PLR) Overview
• Supported on VMware ESXi, KVM and Hyper-V hypervisors
• Support for AWS public cloud
• No support for Azure
• PLR is available at appliance level and not available on a feature basis
(Diagram: the ASAv has no connection to CSSM over the Internet or to a Smart Software Satellite)
Show commands
# show license status
# show license summary
# show version
# show license udi
ASA REST API
ASA REST API: Introduction/Overview
• Provides a programmatic, model-based interface to configure/monitor classic ASA
• Classic ASA refers to an ASA which doesn't include the Firepower module
• Provides different use cases of firewall and VPN feature support such as access control, NAT etc.
• Support for OOB by co-existing CLI and API, a Bulk API and a CLI pass-through API for features not supported in the API
• Provides critical Monitoring API
• 2 phases: ASA version 9.3 and 9.4; phase 2 adds:
  • Token based authentication in addition to the existing basic authentication
  • Limited support for multi-context ASA
  • Performance improvements over phase 1
Restful API basics
• Each policy is modelled as a resource
• Use HTTP methods (POST, GET, PUT/PATCH, DELETE) for CRUD (Create/Read/Update/Delete) operations on a given resource
• Uses JSON (JavaScript Object Notation) as the interface
• Sample JSON for a resource:
  {
    "host": {
      "kind": "IPv4Address",
      "value": "1.10.8.10"
    },
    "kind": "object#NetworkObj",
    "name": "ASA_Demo_NObj_1190",
    "objectId": "ASA_Demo_NObj_1190"
  }
Request Structure
Available request methods are (non-bulk):
• GET – Retrieves data from the specified object.
• PUT – Adds the supplied information to the specified object; returns a 404 Resource Not Found error if the object does not exist.
• POST – Creates the object with the supplied information.
• DELETE – Deletes the specified object.
• PATCH – Applies partial modifications to the specified object.
Available request methods are (bulk):
• POST – create/update/partial-update/remove of several resource objects
Example for PUT method
HTTP request will be a POST instead of a GET when the data parameter is provided.
More info : Using Python to Access Web Data by Dr. Charles Severance
https://www.coursera.org/learn/python-network-data
REST Agent setup/installation
• The REST Agent + JRE is packaged separately and is not part of the ASA image.
• The Agent is published separately on Cisco.com (latest: v1.3.2)
• To use the REST API, you need to download this separate package, put it on flash and invoke CLI commands to start the REST API Agent.
• CLIs:
  [no] rest-api image disk0:/<package>
  [no] rest-api agent
Additional bootstrapping
• Enable http server and let clients connect over management interface:
http server enable
http 0.0.0.0 0.0.0.0 <mgmt interface nameif>
ASA REST API Documentation and Console
(Screenshot: Python, JavaScript or Perl)
Script header (Python 2, urllib2):
  import base64
  import json
  import sys
  import urllib2
  username = "cisco"
  if len(sys.argv) > 1:
      username = sys.argv[1]
  password = "cisco"
  if len(sys.argv) > 2:
      password = sys.argv[2]
Certificate
• The REST API client requires a trusted ASA certificate
• For a non-production environment only, certificate validation can be skipped:
  import urllib2
  import ssl
  ctx = ssl.create_default_context()
  ctx.check_hostname = False
  ctx.verify_mode = ssl.CERT_NONE
  urllib2.urlopen("https://your-test-server.local", context=ctx)
More info: http://stackoverflow.com/questions/19268548/python-ignore-certicate-validation-urllib2
Add new host object – part 2
  # POST OPERATION: network object in JSON format for the POST data
  # (part 1 of the script imports base64/json/urllib2 and sets username/password)
  server = "https://<asa-management-ip>"            # placeholder, replace with your ASA
  url = server + "/api/objects/networkobjects"
  headers = {"Content-Type": "application/json"}
  post_data = {
      "host": {
          "kind": "IPv4Address",
          "value": "1.10.8.10"
      },
      "kind": "object#NetworkObj",
      "name": "ASA_Demo_NObj_1190",
      "objectId": "ASA_Demo_NObj_1190"
  }
  req = urllib2.Request(url, json.dumps(post_data), headers)
  base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '')
  req.add_header("Authorization", "Basic %s" % base64string)
  f = None   # so the finally block is safe if urlopen() raises before f is assigned
  try:
      f = urllib2.urlopen(req)
      status_code = f.getcode()
      print "Status code is "+str(status_code)
      if status_code == 201:
          print "Create was successful"
  except urllib2.HTTPError, err:
      print "Error received from server. HTTP Status code :"+str(err.code)
      try:
          json_error = json.loads(err.read())
          if json_error:
              print json.dumps(json_error,sort_keys=True,indent=4, separators=(',', ': '))
      except ValueError:
          pass
  finally:
      if f: f.close()
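As an added example (not one of the presentation's scripts and not Cisco code), the same create operation written for Python 3 with the standard library. It keeps the JSON layout from the slides, computes the Basic header without the newline-stripping the Python 2 version needs, and makes certificate verification the default while still showing the lab-only bypass from the Certificate slide as an explicit option. The host name asa.example.test, the FakeAsa transport and its error body are constructed assumptions so the flow runs offline; the /api/objects/networkobjects path is assumed to be the network object collection.

```python
import base64
import io
import json
import ssl
import urllib.error
import urllib.request

ASA_HOST = "asa.example.test"              # placeholder management address (assumption)
API_PATH = "/api/objects/networkobjects"   # network object collection (assumption)


def basic_auth_header(username, password):
    """Basic Authorization value; b64encode() adds no trailing newline,
    so the .replace('\\n', '') from the Python 2 script is not needed."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def network_object(name, ip):
    """JSON document for a host network object, laid out as on the slide."""
    return {
        "host": {"kind": "IPv4Address", "value": ip},
        "kind": "object#NetworkObj",
        "name": name,
        "objectId": name,
    }


def make_ssl_context(ca_file=None, insecure=False):
    """Default: verify the ASA certificate against ca_file or the system trust
    store. insecure=True reproduces the lab-only setting from the Certificate
    slide and should never be pointed at a production ASA."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_create_request(asa_host, username, password, obj):
    body = json.dumps(obj).encode("utf-8")
    req = urllib.request.Request("https://" + asa_host + API_PATH, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


def create_network_object(asa_host, username, password, obj, ssl_ctx,
                          urlopen=urllib.request.urlopen):
    """POST the object and return (status_code, parsed_error_or_None).
    The transport is injectable so the flow can be exercised without an ASA."""
    req = build_create_request(asa_host, username, password, obj)
    try:
        with urlopen(req, context=ssl_ctx) as resp:
            return resp.getcode(), None
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw) if raw else None
        except ValueError:        # error body was not JSON
            return err.code, None


class _Created:
    """Minimal stand-in for the HTTPResponse returned on success."""
    def getcode(self):
        return 201

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeAsa:
    """Offline stand-in transport (constructed behaviour, not the real appliance):
    201 on first creation of a name, 400 with a JSON error body on a duplicate."""
    def __init__(self):
        self.names = set()

    def urlopen(self, req, context=None):
        name = json.loads(req.data)["name"]
        if name in self.names:
            body = json.dumps({"messages": [{"level": "Error", "code": "DUPLICATE",
                                             "details": "constructed sample error"}]})
            raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", {},
                                         io.BytesIO(body.encode("utf-8")))
        self.names.add(name)
        return _Created()


if __name__ == "__main__":
    fake = FakeAsa()
    obj = network_object("ASA_Demo_NObj_1190", "1.10.8.10")
    ctx = make_ssl_context()
    print(create_network_object(ASA_HOST, "cisco", "cisco", obj, ctx, urlopen=fake.urlopen))
    print(create_network_object(ASA_HOST, "cisco", "cisco", obj, ctx, urlopen=fake.urlopen))
```

Against a real ASA, drop the urlopen argument and pass make_ssl_context(ca_file="path/to/asa-ca.pem") so the certificate is checked; the insecure=True path exists only to mirror the non-production snippet above.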
ASA REST API Demo
FMC REST API
REST API from FMC 6.1 Managed devices
What we support in 6.1 via FMC?
Management for:
• FTD
• Firepower Services
• Firepower appliances
Feature | Access Rights
Device Setup | C (register), RUD (deregister)
Device Group | CRUD
Interfaces | Read only for FTD, CRUD on FP Appliance/Services
FMC 6.2: Automate FTD provisioning with REST API
• Interface configuration of FTD devices
• Use Cases:
  • Cisco ACI solutions
  • SDN controllers traffic path
Feature | Access Rights
Physical | RU
Sub-Interfaces | CRUD
Etherchannel | R
Bridge Group | CRUD
Redundant | CRUD
Inline Set | CRUD
API Service : Default off
• Different methods :
Best Practices
• Keep UI users and script users separate. Especially do not use the admin account as an API user
• There is no specific REST API role for admins
• Do not give script users more privilege than needed
• Always validate the content coming from the server
API Explorer
Free tool built into the FMC that can be used to explore and exercise the REST API
https://<management_center_IP_or_name>:<https_port>/api/api-explorer
Domain Overview
• Separate devices, policies, objects and events based on geographic, functional, customer or organizational requirements
• Supports up to 50 domains and 3 levels, available for all platforms running from FMC 6.0
• Perfect RBAC for policies, objects and so on
• Domain => UUID (Universally Unique Identifier)
API Explorer and Access Policy
Example Request and Exported python script:
Token based Authentication
• Open your REST API client.
• Set the client to make a POST command to the following URL: https://<management_center_IP_or_name>/api/fmc_platform/v1/auth/generatetoken
• Include the username and password as a basic authentication header. The POST body should be blank.
• Add the header X-auth-access-token:<authentication token value> in requests to the API
Postman plugin (screenshot)
Trusted Certificate
• SSL cert verification: path to cert
• Bypass: "verify=False"
Result of a GET "Access Policy" request
• Hierarchical structure with IDs: the domain UUID is part of the request path and each policy carries its own id
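The token flow above, with certificate verification instead of verify=False and validation of what the server returns, as an added example in Python (standard library only; this is not code from the deck or from Cisco). The host name fmc.example.invalid, the CA bundle path, the credentials and the sample headers and JSON are constructed placeholders; the generatetoken path and the X-auth-access-token / X-auth-refresh-token / DOMAIN_UUID header names are the ones the slides describe, and the accesspolicies path is assumed from the FMC configuration API.

```python
"""FMC REST API: token-based login, TLS verification and response validation.
Added example (not from the deck). Names marked 'assumption' are placeholders."""
import base64
import json
import ssl
import urllib.request

FMC_HOST = "fmc.example.invalid"            # assumption: your FMC address
CA_BUNDLE = "/etc/ssl/certs/fmc-ca.pem"     # assumption: CA that issued the FMC HTTPS cert
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"


def basic_auth_header(username, password):
    """HTTP Basic credentials; FMC wants them only on the generatetoken POST."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(host, username, password, https_port=443):
    """URL and headers for the generatetoken POST (blank body, Basic auth)."""
    url = f"https://{host}:{https_port}{TOKEN_PATH}"
    headers = {"Authorization": basic_auth_header(username, password),
               "Content-Type": "application/json"}
    return url, headers


def parse_token_headers(headers):
    """Pull the session material FMC returns as response headers; fail if any is missing."""
    wanted = {"x-auth-access-token": "access_token",
              "x-auth-refresh-token": "refresh_token",
              "domain_uuid": "domain_uuid"}
    lower = {k.lower(): v for k, v in headers.items()}
    session = {}
    for hdr, key in wanted.items():
        value = lower.get(hdr)
        if not value:
            raise ValueError(f"FMC response missing {hdr} header")
        session[key] = value
    return session


def policy_list_url(host, domain_uuid, https_port=443):
    # Path assumed from the FMC configuration API; the domain UUID scopes every config call.
    return (f"https://{host}:{https_port}/api/fmc_config/v1/domain/"
            f"{domain_uuid}/policy/accesspolicies")


def validate_policy_listing(payload):
    """Validate server content before trusting it: a list of AccessPolicy items with id and name."""
    if not isinstance(payload, dict) or not isinstance(payload.get("items"), list):
        raise ValueError("unexpected listing shape")
    policies = []
    for item in payload["items"]:
        if not isinstance(item, dict) or item.get("type") != "AccessPolicy":
            raise ValueError(f"unexpected item: {item!r}")
        pid, name = item.get("id"), item.get("name")
        if not isinstance(pid, str) or not isinstance(name, str):
            raise ValueError(f"missing id/name in {item!r}")
        policies.append((pid, name))
    return policies


def tls_context(ca_bundle):
    """Verify the FMC certificate against a known CA instead of passing verify=False."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def login_and_list_policies(host, username, password, ca_bundle, https_port=443):
    """Live flow (needs network): POST for a token, then GET the access policies with it."""
    ctx = tls_context(ca_bundle)
    url, headers = token_request(host, username, password, https_port)
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        session = parse_token_headers(dict(resp.headers))
    get = urllib.request.Request(policy_list_url(host, session["domain_uuid"], https_port),
                                 headers={"X-auth-access-token": session["access_token"]})
    with urllib.request.urlopen(get, context=ctx) as resp:
        return validate_policy_listing(json.load(resp))


if __name__ == "__main__":
    # Constructed stand-ins for a real FMC reply, so the parsing runs offline.
    sample_headers = {"X-auth-access-token": "abc123", "X-auth-refresh-token": "def456",
                      "DOMAIN_UUID": "e276abec-e0f2-11e3-8169-6d9ed49b625f"}
    print(parse_token_headers(sample_headers))
```

Run login_and_list_policies() with a dedicated low-privilege API user, never the admin account; the refresh token is kept so the script can renew its session instead of re-sending the password.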
FMC REST API Demo
User to IP mapping (diagram: hosts 192.68.0.23 and 192.68.0.24 sending traffic to the Internet, with a user-to-IP mapping table listing User 1, User 2 and User 3)
User Identity Sources
The Firepower System supports the following identity sources:
• Passive authentication
• Traffic-based detection
• User Agent
• Identity Services Engine (ISE)
• Cisco Terminal Services (TS) Agent
• Active authentication
• Captive portal authentication
Access Control Identity Policy
• Add Rule: choose Active or Passive Authentication
Traffic Based Detection
• Passive Network Discovery
• Real-time Network/User Awareness (RNA/RUA)
• Configured under Network Discovery Policy -> Users
FMC – Network Discovery Process
• The host database is limited in size, so discover only the hosts that matter (typically the internal network)
User Based IoC
• Before 6.2, Indications of Compromise (IoCs) were associated with hosts only:
• Host profiles contained the list of indications of compromise for that host
• Dashboard widgets for IoCs by host
• Dedicated events page: Analysis > Hosts > Indications of Compromise
• From 6.2, IoCs are also associated with users
Firepower User Agent
• AD connector agent for up to 5 AD servers
• Requires WMI/DCOM instrumentation for AD communication
• IP-to-identity mapping by scraping AD login/logout events
• Creates a local database of user/IP mappings
• Can run on an AD DC, an AD member server or any AD member
FP User Agent Integration with Firepower
• A Passive Authentication identity policy is required
Identity Services Engine (ISE)
(see BRKSEC-3697)
• ISE shares per-session context with the FMC: Username, Device Type, Location IP, Security Group Tag
• FMC can use this information for context and enforcement
• FMC can direct ISE to take remediation or other network action
• (diagram: ISE sits between the Cisco and Partner Ecosystem and the Cisco Network)
pxGrid Configuration in FMC
• 3 topics: Session, MetaData, TrustSec
• FMC configuration: pxGrid and FMC certificates
ISE Integration – AD Group Information
Use of ISE Metadata in FMC (6.0 & 6.1)
• FMC can consume ISE metadata to use in access control policies: Security Group Tag, Device type, Location IP
• (diagram) Packet 5-tuple (Src IP, Src Port, Dst IP, Dst Port) -> IP address looked up in the authentication database -> Username via the ID policy, plus attributes: Group, ISE SGT, ISE Attr2, ISE Attr3
FMC 6.2 ISE Metadata Processing
• ISE metadata are part of the IP attributes in the authentication database
• Realm and identity policy with a passive authentication rule are not required (unless ISE is used for passive authentication)
• (diagram) Packet 5-tuple -> IP address -> Username plus IP attributes (ISE SGT, ISE Attr2, ISE Attr3), with no ID policy in the path
Inline Security Group Tags (SGT)
• Behavior in 6.0
• SGTs in network traffic were not utilized
• Access policy rules used the IP-to-SGT mapping provided by ISE
• SGTs could not be defined locally on the FMC
Frame layout with an inline tag:
DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
CMD field: CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
Inline Security Group Tags (SGT)
• Behavior in 6.1
• SGTs carried in network traffic are utilized
• SGTs seen in traffic take precedence over the IP-to-SGT mapping provided by ISE
• Untagged traffic is still matched to rules using the IP-to-SGT mapping provided by ISE
• ISE integration is no longer required: SGTs can be defined on the FMC
• If ISE integration is enabled, locally defined SGTs are not available
• The sensor does not add or remove tags from traffic
Inline Security Group Tags (SGT) Configuration
• Locally defined SGTs are objects on the FMC
ISE Passive Identity Connector (ISE-PIC)
• Input to ISE-PIC: WMI, ISE-PIC Agent, Kerberos SPAN, REST API, Syslog, Endpoint Probe
• Output from ISE-PIC: identity information published over pxGrid (publish/subscribe, consumed by the FMC) and legacy CDA-RADIUS
Terminal Services Agent
Identify threats hidden by desktop virtualization
• With Virtual Desktop Infrastructure (VDI) many users share one IP address: a connection from 192.68.0.23:4001 could belong to user 1 or user 2, so the IP alone cannot identify the user
Firepower Terminal Services Agent (TSAgent)
• Monitors user logon/logoff session events in user space and reports them to the FMC
User Identity REST API
• Allows any user agent to feed user session bindings to the FMC using REST requests
• Add/delete a user session binding whenever a user logs on/off
• Supports both single-IP session bindings and shared-IP session bindings
• A shared-IP binding contains the IP plus a port range:
• patRangeStart: start port of the full range allocated by the TS Agent to perform user-specific PAT
• userPatStart: start port of the user's PAT range; traffic from the user will originate from a source port within this range
• userPatEnd: end port of the user's PAT range
Firepower Terminal Services Agent (TSAgent)
• Configuration: FMC username, start port and port range
• The FMC user needs a role with the permissions "REST VDI" and "Modify REST VDI"
• REST VDI gives read-only permissions, e.g. GET requests
• Modify REST VDI gives read-write permissions, e.g. POST/GET/DELETE
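How the FMC can resolve a flow to a user once shared-IP bindings with userPatStart/userPatEnd ranges arrive over the User Identity REST API, as an added example (not code from the deck, the TS Agent or the FMC). It models the table in memory and applies the checks a practitioner would want on add: the user's range must sit inside the TS Agent's PAT range, ranges on the same address must not overlap, and a single-IP binding must not silently shadow shared-IP ones. Users, the second address and the port ranges are constructed; 192.68.0.23 is the address from the slide.

```python
"""Resolving a flow's (IP, source port) to a user from TS Agent style session bindings.
Added example (not from the deck): an in-memory model of what the FMC keeps after
User Identity REST API add/delete calls. Users, addresses and port ranges are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SessionBinding:
    user: str
    ip: str
    user_pat_start: Optional[int] = None   # None: single-IP binding, the host belongs to one user
    user_pat_end: Optional[int] = None

    @property
    def shared(self) -> bool:
        return self.user_pat_start is not None


class IdentityTable:
    """User-to-IP table; shared-IP entries carry the user's PAT port range."""

    def __init__(self, pat_range_start: int = 1024, pat_range_end: int = 65535):
        # patRangeStart..end: the full range the TS Agent hands out for user-specific PAT
        self.pat_range = (pat_range_start, pat_range_end)
        self.bindings: Dict[str, List[SessionBinding]] = {}

    def add(self, b: SessionBinding) -> None:
        existing = self.bindings.setdefault(b.ip, [])
        if b.shared:
            lo, hi = b.user_pat_start, b.user_pat_end
            if hi is None or lo > hi or lo < self.pat_range[0] or hi > self.pat_range[1]:
                raise ValueError(f"user PAT range {lo}-{hi} outside TS Agent range {self.pat_range}")
            for other in existing:
                if not other.shared:
                    raise ValueError(f"{b.ip} is already bound as a single-IP host to {other.user}")
                if lo <= other.user_pat_end and other.user_pat_start <= hi:
                    raise ValueError(f"port range {lo}-{hi} overlaps {other.user} on {b.ip}")
        elif existing:
            raise ValueError(f"{b.ip} already has bindings; a single-IP binding would shadow them")
        existing.append(b)

    def delete(self, user: str, ip: str) -> bool:
        """Logoff: drop the user's binding on that IP; True if something was removed."""
        before = self.bindings.get(ip, [])
        after = [x for x in before if x.user != user]
        self.bindings[ip] = after
        return len(after) != len(before)

    def resolve(self, ip: str, port: int) -> Optional[str]:
        """Who owns this flow? Single-IP wins outright; shared-IP needs the port in range."""
        for b in self.bindings.get(ip, []):
            if not b.shared or b.user_pat_start <= port <= b.user_pat_end:
                return b.user
        return None


def build_sample_table() -> IdentityTable:
    # Constructed: two VDI users on 192.68.0.23 (the address from the slide) and one desktop.
    t = IdentityTable(pat_range_start=4000, pat_range_end=65535)
    t.add(SessionBinding("user1", "192.68.0.23", 4000, 4999))
    t.add(SessionBinding("user2", "192.68.0.23", 5000, 5999))
    t.add(SessionBinding("user3", "192.68.0.24"))
    return t


if __name__ == "__main__":
    t = build_sample_table()
    print(t.resolve("192.68.0.23", 4001), t.resolve("192.68.0.23", 5500), t.resolve("192.68.0.24", 80))
```

A port outside every user's range on a shared host resolves to no user, which is the right answer: a rule that matches on user identity should then not match, rather than guess.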
TSAgent Troubleshooting (For Your Reference)
• FMC now shows the port range for shared-IP users next to the User Name
(For Your Reference)
• The TS Agent is compatible with any of the following terminal services solutions installed on your server:
• Citrix XenDesktop
• Citrix XenApp
• Xen Project Hypervisor
• VMware vSphere Hypervisor/VMware ESXi 6.0
• Windows Terminal Services/Windows Remote Desktop Services (RDS)
Terminal Services Agent Demo
Captive Portal Authentication or Active Authentication
Active Authentication
• HTTP Basic: the browser prompts for user credentials.
• NTLM: uses the Windows workstation credentials and negotiates them with Active Directory through the web browser. NTLM authentication must be enabled in the browser.
• Kerberos: available only when you select an AD realm for a server with secure LDAP (LDAPS) enabled.
• HTTP Negotiate: the system first tries NTLM; if that fails, the sensor falls back to HTTP Basic and prompts a dialog box for user credentials.
• HTTP Response page: similar to HTTP Basic, but the user is prompted to enter the credentials in an HTML form, which can be customized.
Access Control Identity Policy
Active Authentication Response Page
Active Authentication Rule
Application Visibility and Control and Intrusion Prevention System
Advanced Inspection Engines
High-level architecture: Network -> DAQ libraries -> Packet decoder -> Preprocessors -> Detection engine -> Output module -> Alert and log files
• Packet sniffer: packets are read using the Data AcQuisition library (DAQ)
• Packet decoder: decodes datalink, network and transport protocols
• Preprocessors: normalize traffic
• Detection engine: matches traffic against Snort rules, the signatures for threats
• Output module: handles the task of writing and displaying events
Advanced Inspection Engines
Packet sniffer (DAQ)
• Snort uses a Data Acquisition Module (DAQ) to collect packets from the network
• DAQ types: PCAP, AFPacket, IPQ, NFQ, IPFW
Advanced Inspection Engines
Packet decoder (pipeline stage after the DAQ libraries)
Advanced Inspection Engines
Packet decoder
• Decodes Layer 2 and Layer 3 protocols
• Focused on the TCP/IP protocol suite
• Stores decoded packet information in data structures held in memory
• These data structures are utilized by the detection engine
• Configured at Snort start time (using CLI options or the configuration file)
• Specify DAQ mode
• Specify DAQ type
Advanced Inspection Engines
Preprocessors (pipeline stage after the packet decoder)
Advanced Inspection Engines
Preprocessors
• Preprocessors play a vital role in network traffic inspection
• Present packets to the detection engine in a contextually relevant way
• Normalize traffic
• Alert if they detect anomalous conditions as defined by their settings
Advanced Inspection Engines
Detection engine (pipeline stage after the preprocessors)
Advanced Inspection Engines
Detection engine
• Consists of two components that perform inspection: the rules builder and the inspection component
• Rules builder
• On Snort startup, assembles rules into rule chains
• Optimizes rule matching by the inspection component
• Redundant source/destination addresses and ports are eliminated
• Implements rule chains as linked lists
• Inspection component
• Matches traffic to a rule chain
• Further inspects traffic against the options in the matching rule chain
Advanced Inspection Engines
Output module (last pipeline stage, feeding the alert and log files)
Advanced Inspection Engines
Output module
• Handles the task of writing and displaying events
• Supports several output formats
• Can send output to files or Syslog
• Can send logs and alerts in plain ASCII
• Can send packets in PCAP format
• Can use the Unified2 format (the replacement for the Unified format)
• Fast and lightweight binary format
• Can be converted to other formats by utilities such as Barnyard2
Snort Language (For Your Reference)
Overview
• A simple lightweight language for identifying
• Security policy violations
• Known network attacks and IDS/IPS evasion techniques
Snort Language (For Your Reference)
Rule structure
• Rule header
• Used to match traffic and perform an action (pass, drop, sdrop, alert, log)
• Protocol, source, destination 5-tuple
• Rule body
• Contains the message used for alerts
• Contains flow attributes
• Contains the signature ID and revision number
• Can specify content or regular expressions, in combinations and at locations in the packet
• Can read packet contents to calculate offsets
• Can set and read flowbits to link to other rules
AVC – Application Visibility and Control
Network Discovery
Overview
• Host discovery
• Application identification
• User discovery
• Control access for applications, users and devices
Network Discovery
Application identification
• Firepower can identify over 3000 unique applications
• Applications can be used as criteria for access control
• Application awareness is crucial for app-based access control
• Three types of applications the system detects:
• Application protocols (communications between hosts)
• Client applications (software running on a host)
• Web applications (HTTP content)
Application Detection
Overview
• Two sources of application detectors
• System-provided detectors
• Custom application protocol detectors
System-provided detectors
• Internal Detectors
• Client Detectors
• Web App Detectors
• Port Detectors
• Firepower Detectors
Custom Application Detectors
OpenAppID
OpenAppID Overview
• What is OpenAppID?
• Application Visibility and Control (AVC) done the right way
• An open source application-focused detection language
• Enables users to create, share and implement custom application detection
• Available for download as an extension of Snort 2.9.7 from http://www.snort.org
• Key advantages
• Simple Lua scripting language to detect apps
• Reduces dependency on vendor release cycles
• Build custom detections for new or specific (e.g. geo-based) app-based threats
• Easily engage and strengthen detector solutions
• Application-specific detail with security events
The AppID Preprocessor (For Your Reference)
• Identifies the application
• Generates appid attributes (payload, misc, client, service) that can be used in Snort rules, for example:
alert tcp any any -> any any (msg:"FTP CWD to root"; appid:ftp; pcre:"/cwd.*root/i"; gid:1000001; sid:1018758; rev:4; )
• Leverages the Snort HTTP preprocessor for header extraction
• Generates application statistics
• Statistics are stored in Unified2 format
• The statistics file can be read with the u2openappid or u2spewfoo commands
• Statistics can be forwarded to Syslog by using the u2streamer command
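The rule structure from the Snort Language slides (header 5-tuple, then a body of keyword options including msg, sid/gid/rev, flowbits and the appid keyword shown above), as an added example parser in Python; it is not code from the deck or from Snort itself, and it handles only the Snort 2 text syntax. The rule it is exercised on is the FTP CWD rule from the slide; the second rule in the test, with a content option containing a semicolon and flowbits, is constructed.

```python
"""Minimal Snort 2 rule parser: header 5-tuple plus a quote-aware option list.
Added example (not from the deck or from Snort)."""
import re

ACTIONS = {"alert", "log", "pass", "drop", "sdrop", "reject", "activate", "dynamic"}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.S,
)


def split_options(body):
    """Split the rule body on ';' but not inside double quotes (content:"a;b" stays whole)."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    if in_quote:
        raise ValueError("unterminated quote in rule body")
    return [p for p in parts if p]


def parse_option(opt):
    """'msg:"x"' -> ('msg', '"x"'); bare keywords such as 'nocase' -> ('nocase', None)."""
    key, sep, val = opt.partition(":")
    return key.strip(), (val.strip() if sep else None)


def _unquote(s):
    return s[1:-1] if s and len(s) >= 2 and s[0] == s[-1] == '"' else s


def parse_rule(text):
    """Parse one rule into header fields, the ordered option list and the common identifiers."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: " + text[:40])
    if m["action"] not in ACTIONS:
        raise ValueError("unknown action " + m["action"])
    options = [parse_option(o) for o in split_options(m["body"])]
    opt = dict(options)   # last occurrence wins; fine for the singleton keywords read below
    return {
        "action": m["action"], "proto": m["proto"],
        "src": m["src"], "sport": m["sport"], "direction": m["dir"],
        "dst": m["dst"], "dport": m["dport"],
        "msg": _unquote(opt.get("msg")),
        "sid": int(opt["sid"]) if "sid" in opt else None,
        "gid": int(opt.get("gid", 1)),     # Snort's generator id defaults to 1 when omitted
        "rev": int(opt.get("rev", 0)),
        "flowbits": [v for k, v in options if k == "flowbits"],
        "options": options,
    }


if __name__ == "__main__":
    print(parse_rule('alert tcp any any -> any any (msg:"FTP CWD to root"; appid:ftp; '
                     'pcre:"/cwd.*root/i"; gid:1000001; sid:1018758; rev:4; )'))
```

The quote-aware split is the part that matters in practice: content and pcre options routinely contain semicolons and escaped quotes, and a naive split(";") silently corrupts exactly the rules that carry the detection logic.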
Custom Application Demo
Application Visibility
Application Control
Access Control
Access control policy Demo
Intrusion Prevention System
Policy Definition
What are the different Base IPS Policies?
• Connectivity over Security: ~500 rules
• CVSS score of 10
• Age of vulnerability: the year before last and newer
• Balanced: ~8770 rules
• CVSS score of 9 or greater
• Age of vulnerability: the year before last and newer
• Or: rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit
• Security over Connectivity: ~12350 rules
• CVSS score of 8 or greater
• Age of vulnerability: two years before last and newer
• Or: rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit, App-detect
Implementation - Audit mode
Policy Architecture
IPS Policy Layering
• Allows users to create policy components that can be added to individual inspection policies
Rule Details (For Your Reference)
Own Rules (For Your Reference)
Policy Definition
Access Control – IPS inspection
Network Discovery
How is the information used?
• Firepower Recommendations
• Uses the information learned about each host
• Automatically selects the rules that apply to your environment
• Impact Assessment
• Correlates IPS events with their impact on the target host
• Preprocessors send alerts on detection of anomalous conditions
• Indications of Compromise
• Tags that indicate a likely host infection has occurred
• FMC tracks and correlates IoCs across all sensors, together with Security Intelligence and malware events
Network Discovery
Host Discovery
• Identifies OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host based on the information it has gathered
Firepower Recommendations
Why recommended rules are important
• Context enables the detections that are relevant to your specific network
• Firepower Recommendations make sure your system has the right detections enabled
Impact Assessment
How relevant is the attack?
• Prevents information overload
• (table: Impact Flag | Administrator Action | Why)
IPS policy Demo
Operational Insights
Correlation Rules / Correlation Policy
• Respond in real time to threats and to network traffic that deviates from its normal profile
• A Correlation Policy contains Correlation Rules; when a rule matches it generates a Correlation Event, which triggers a Correlation Action: Email, Syslog, SNMP or a Remediation Module
Correlating Event Data
Which qualifications a correlation rule can use, by base event:
When a...               | Flow and connection conditions over time or volume | Data from Host Profiles | Data from User Table (name, group info, etc)
Intrusion Event         | ✔ | ✔ | ✔
Discovery Event         | ✔ | ✔ | ✔
Connection Event        | ✔ | ✔ | ✔
Host Input Event        | ✔ | ✔ | ✔
User Activity Occurs    | ✔ ✔ (two of the three; the slide does not show which)
Traffic Profile Changes | none
Malware Event           | none
Network traffic deviates from its normal profile (For Your Reference)
Correlation rule to:
• Ensure only HTTPS traffic is used on port 443
• Ensure traffic is initiated by a host whose Location host attribute is POS
• Ensure the HTTPS traffic from the POS host is received by hosts in the PCI network
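The three conditions above, run as detection logic over connection events, as an added example in Python (not code from the deck or from the FMC's correlation engine). It reads the slide as one rule: any host may use port 443 only for HTTPS, and a POS host may only talk HTTPS, and only into the PCI network. The PCI prefix, the host attributes and the connection events are constructed.

```python
"""Correlation-rule logic from the POS/PCI slide, as an added example (not from the deck).
The PCI prefix, the host attributes and the connection events are constructed."""
import ipaddress

PCI_NETWORK = ipaddress.ip_network("10.20.0.0/16")   # assumption: the PCI segment

# Constructed host-profile data; Location is a custom host attribute set to POS on the terminals.
HOST_ATTRIBUTES = {
    "10.10.1.15": {"Location": "POS"},
    "10.10.1.16": {"Location": "POS"},
    "10.10.2.40": {"Location": "Office"},
}


def evaluate_connection(event, host_attrs=HOST_ATTRIBUTES, pci=PCI_NETWORK):
    """Return the reasons this connection event violates the rule (empty list = compliant)."""
    reasons = []
    dst = ipaddress.ip_address(event["dst_ip"])
    app = event.get("app_proto")
    if event["dst_port"] == 443 and app != "HTTPS":
        reasons.append("non-HTTPS application on port 443")
    if host_attrs.get(event["src_ip"], {}).get("Location") == "POS":
        if dst not in pci:
            reasons.append("POS host initiated traffic outside the PCI network")
        elif app != "HTTPS":
            reasons.append("POS host used a non-HTTPS protocol toward PCI")
    return reasons


def correlate(events, host_attrs=HOST_ATTRIBUTES, pci=PCI_NETWORK):
    """One correlation event per violating connection, the way a correlation policy would fire."""
    out = []
    for e in events:
        reasons = evaluate_connection(e, host_attrs, pci)
        if reasons:
            out.append({"src_ip": e["src_ip"], "dst_ip": e["dst_ip"],
                        "dst_port": e["dst_port"], "reasons": reasons})
    return out


# Constructed connection events (src, dst, port, application protocol as AVC would tag it).
SAMPLE_EVENTS = [
    {"src_ip": "10.10.1.15", "dst_ip": "10.20.5.10", "dst_port": 443, "app_proto": "HTTPS"},
    {"src_ip": "10.10.1.15", "dst_ip": "203.0.113.7", "dst_port": 443, "app_proto": "HTTPS"},
    {"src_ip": "10.10.1.16", "dst_ip": "10.20.5.10", "dst_port": 443, "app_proto": "SSH"},
    {"src_ip": "10.10.2.40", "dst_ip": "203.0.113.7", "dst_port": 443, "app_proto": "HTTPS"},
]

if __name__ == "__main__":
    for ce in correlate(SAMPLE_EVENTS):
        print(ce)
```

The application protocol comes from AVC, not from the port, which is what lets the rule catch SSH or a C&C channel tunnelled over 443 that a port-based rule would wave through.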
Production Network Change (For Your Reference)
• As new IP addresses appear on the network, Firepower Correlation Policies can trigger Nmap to perform an active scan of the new hosts
Correlation Rule example
Action example: NMAP Scan (For Your Reference)
Correlation policy Demo
Rapid Threat Containment
Rapid Threat Containment with Firepower Management Center and ISE
1. Security events / IOCs are reported to the FMC
2. Correlation rules trigger a remediation action
3. FMC sends ISE (pxGrid controller, MnT) an EPS quarantine action plus re-authentication over pxGrid
4. The endpoint is assigned to quarantine and a CoA-Reauth is sent
Rapid Threat Containment
• FMC 6.1 supports the pxGrid / Firepower + ISE integration as an integrated solution
• No pxGrid connection agent or external remediation module is needed any more
• Session information is obtained from ISE via pxGrid
• SGTs can be used in FMC 6.1 access control policies
• ISE remediation capabilities:
• Quarantine, un-quarantine (VLAN, dACL, SGT), port shutdown
• Quarantine actions triggered per policy with FMC and ISE
• Infected users can be notified and redirected to a portal for remediation
Correlation and Remediation
Automating Response – FMC Remediation API
• Correlation rules combine Boolean conditions on intrusion events and discovery events and trigger remediation modules
• Remediation modules:
• Security Intelligence blacklisting
• Nmap scan
• SSH / Expect scripts
• F5 iRules
• Solera DeepSee
• Netscaler
• PacketFence
• Bradford
ISE Remediation in 6.1 Using pxGrid
• Configure the remediation action
RTC Demo
Configuration Guide
• https://communities.cisco.com/docs/DOC-68292
Break
Security Intelligence
• TALOS dynamic feed, 3rd party feeds and lists
• Network_Intelligence-<category>
• URL_Intelligence-<category>
• DNS_Intelligence-<category>
Security Intelligence Policy Configuration
• IPs
• URLs
Security Intelligence Dashboard
• Network_Intelligence-<category>, URL_Intelligence-<category>, DNS_Intelligence-<category>
DNS
DNS Protection
• Attackers are leveraging DNS!
• Blacklist domains associated with bots, C&C, malware delivery
• Fast-flux: high-frequency DNS record changes
• Control C&C traffic and botnets
• Restrict access to domains violating corporate policy
DNS Inspection
• Security Intelligence extended to inspect DNS lookups
• Drop or monitor DNS connections to malicious sites
• Supports all of the functionality of IP/URL based SI (i.e. custom lists/feeds, global blacklists/whitelists)
• Blocking DNS lookups supports two additional actions:
• Sinkhole: answer with the address of a sinkhole server
• NXDOMAIN: answer that the domain does not exist
Configuring DNS Policy
• Adds a new DNS Policy
DNS Policy
DNS Rule Configuration
• Actions
Associate the DNS Policy with an Access Control Policy
Action: DNS Sinkhole
• NGFW policy: DNS SI list of C&C servers, action DNS Sinkhole
• (diagram) An infected client asks the local DNS server for a C&C domain; the local DNS server forwards the lookup toward the Internet through the NGFW; the NGFW answers with the sinkhole IP, which the local DNS server returns to the client; the client then connects to the sinkhole IP
• The connection to the sinkhole IP generates an SI event and an IOC for the client, even though the DNS lookup itself came from the local DNS server
Action: Sinkhole (For Your Reference)
Identifying an Infected endpoint via DNS Sinkholing
• The connection to the sinkhole IP generates an SI event and IOC for the actual infected endpoint
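The DNS policy actions (Sinkhole, NXDOMAIN, monitor, whitelist) and the sinkhole-based identification of the infected endpoint, as an added example in Python; it is not code from the deck or from the FMC. The list names follow the DNS_Intelligence-<category> naming on the earlier slide, but the domains, the sinkhole address 10.99.99.99 and the connection log are constructed. It goes one step beyond the slide by treating a listed domain as covering its subdomains while rejecting look-alike suffixes.

```python
"""DNS policy evaluation (Sinkhole / NXDOMAIN / monitor) and sinkhole-based infection detection.
Added example, not from the deck. Lists, domains, the sinkhole address and events are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

SINKHOLE_IP = "10.99.99.99"   # assumption: address of the sinkhole server object


def _norm(qname: str) -> str:
    return qname.lower().rstrip(".")


@dataclass
class DnsRule:
    name: str              # e.g. DNS_Intelligence-CnC
    action: str            # "whitelist", "monitor", "nxdomain" or "sinkhole"
    domains: Set[str]

    def matches(self, qname: str) -> bool:
        """A listed domain covers itself and every subdomain, never a look-alike suffix."""
        q = _norm(qname)
        return any(q == d or q.endswith("." + d) for d in map(_norm, self.domains))


class DnsPolicy:
    """Rules are evaluated top-down; the first match decides (whitelist rules go first)."""

    def __init__(self, rules: List[DnsRule]):
        self.rules = rules

    def evaluate(self, qname: str) -> Tuple[str, Optional[str]]:
        for rule in self.rules:
            if rule.matches(qname):
                return rule.action, rule.name
        return "allow", None


def resolve(policy: DnsPolicy, qname: str,
            upstream: Callable[[str], str]) -> Dict[str, Optional[str]]:
    """Apply the policy to one lookup; upstream() stands in for the real resolver."""
    action, rule = policy.evaluate(qname)
    if action == "sinkhole":
        return {"rcode": "NOERROR", "answer": SINKHOLE_IP, "si_event": rule}
    if action == "nxdomain":
        return {"rcode": "NXDOMAIN", "answer": None, "si_event": rule}
    # whitelist/allow: pass through; monitor: pass through but log the SI event
    return {"rcode": "NOERROR", "answer": upstream(qname),
            "si_event": rule if action == "monitor" else None}


def infected_hosts(connection_events, sinkhole_ip: str = SINKHOLE_IP) -> List[str]:
    """The lookup came from the local DNS server, so the client is only identified when it
    acts on the poisoned answer and connects to the sinkhole: that connection is the IOC."""
    return sorted({e["src_ip"] for e in connection_events if e["dst_ip"] == sinkhole_ip})


def build_sample_policy() -> DnsPolicy:
    return DnsPolicy([
        DnsRule("Global-Whitelist", "whitelist", {"good.invalid"}),
        DnsRule("DNS_Intelligence-CnC", "sinkhole", {"evil.invalid"}),
        DnsRule("DNS_Intelligence-Malware", "nxdomain", {"bad.invalid"}),
        DnsRule("DNS_Intelligence-Suspicious", "monitor", {"odd.invalid"}),
    ])


# Constructed connection log: 10.1.1.5 followed the sinkhole answer, 10.1.1.9 did not.
SAMPLE_CONNECTIONS = [
    {"src_ip": "10.1.1.5", "dst_ip": SINKHOLE_IP, "dst_port": 443},
    {"src_ip": "10.1.1.9", "dst_ip": "192.0.2.1", "dst_port": 443},
]

if __name__ == "__main__":
    p = build_sample_policy()
    print(resolve(p, "cnc.evil.invalid.", lambda q: "192.0.2.1"))
    print(infected_hosts(SAMPLE_CONNECTIONS))
```

Sinkhole rather than NXDOMAIN is the action to pick when a local DNS server sits between the clients and the NGFW: with NXDOMAIN the only IP the NGFW ever sees is the resolver's, with the sinkhole the infected client shows up on its own.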
SSL Decryption
The Importance of SSL
• Google, Facebook, Twitter encrypting all traffic
• Google ranking influenced by using HTTPS
• Browser vendors aggressively pushing HTTPS
• Problems with older TLS versions leading to upgrade of servers to newer protocols and ciphers
• POODLE, FREAK, BEAST, ...
SSL/TLS Decryption (diagram: data acquisition -> decryption in hardware or as a service -> IPS rules)
SSL/TLS Decryption
• It works on any port, not just 443 and HTTPS:
• SMTPS, IMAPS, POP3S, FTPS...
• SSL 3.0, TLS 1.0, 1.1, 1.2 (SSLv2: based on the config)
• Certificate Revocation List, CRL
• No SSH, SPDY, QUIC
• No additional SSL license is needed
Use Cases
• Inspect incoming SSL traffic from the Internet to an internal server, with known server keys
• Passive (with known keys) or inline (with or without known keys)
SSL Session: Without SSL Decryption
• Client -> Server: Client Hello ("I can speak TLS 1.2 or less", cipher list, extensions). The Server Name Indication (SNI) extension is where the client indicates which hostname it is attempting to connect to.
• Server -> Client: Server Hello / Certificate and key exchange / Server Hello Done ("I choose to speak TLS 1.2 AES256, and this is my cert"). The Subject and Subject Alternative Name fields in the certificate identify the server hostname (FQDNs).
• Client -> Server: Client Key Exchange / Change Cipher Spec / Finished
• Server -> Client: Change Cipher Spec / Finished
• Application data (encrypted), for example an HTTP request. Without decryption the NGFW sees the SNI and the certificate, but cannot filter on the HTTP request and content since they are encrypted.
Configuration (For Your Reference)
Access Control Policy – Revisited
• The glue that ties everything together
• Inspection Options
SSL Policy Rule Actions
• Each rule specifies how to process the matching SSL traffic
• The system matches traffic to rules in top-down order and stops evaluating once traffic matches a rule (except for Monitor rules)
• Decrypt using a known certificate and key (for traffic destined to an internal server)
• Decrypt using certificate re-sign (for outgoing traffic)
• Do-not-decrypt and Block/Block with Reset
• Monitor: tracks and logs the encrypted traffic but does not affect traffic flow; evaluation continues with the next rule
SSL Inspection on Passive Interface
• (diagram) The NGFW holds a copy of the server's key and certificate, so it can decrypt a copy of the session without touching the flow (ABC = cleartext, #$* = the encrypted leg)
SSL Inspection on Passive Interface: Configuration (For Your Reference)
SSL Inspection on Inline Interface for Outgoing Traffic
• (diagram) Two separately encrypted legs, client <-> NGFW (#$*) and NGFW <-> server (>!?), with the cleartext (ABC) visible only inside the NGFW
• It cannot inspect outgoing traffic in passive mode since it requires modifying (re-signing) the server cert.
Certificate Installation and Usage
• The NGFW needs a CA certificate installed for TLS decryption
• Not a WEB SERVER CERTIFICATE!!! TAC will say thank you for this!
• Key Usage = Certificate Signing; extension: Basic Constraints (CA)
• After receiving the HTTPS request, the NGFW grabs the server certificate from the destination
• It creates a new certificate with (nearly) all the same fields and signs it with its own CA certificate
• The CRL distribution point is not replicated because it would not match the "new" certificate
• The client needs to trust the certificate issued by the NGFW
• Use a trusted enterprise subordinate CA certificate, or roll out your self-signed CA cert to the clients via GPO
Intermediate CA Certificate (For Your Reference)
• A CA certificate that is issued by another CA
• It is signed by either another intermediate CA or by a root CA
• Intermediate CAs can sign server certificates in exactly the same way a root CA can
• Subject Type = CA
• Key Usage = Certificate Signing
• Issuer = the CN of the issuing CA
Inline SSL Decryption - Man in the Middle (MitM)
(Figure: Client, Proxy Server and Server. The client sends its Client Hello to the proxy, the proxy sends a proxied Client Hello to the server, and the encrypted HTTP request travels on each leg separately.)
Action: Decrypt and resign

Rule Resign Explained
(Figure: the original server certificate next to the certificate generated and signed by the Internal CA.)
SSL Policy Rules (continued)
• Certificate Status: revoked, self-signed, not yet valid, expired, invalid issuer, invalid signature, valid. If the certificate matches any of the selected statuses, the rule matches the traffic.
• Cipher suite
• SSL version
Block Page; End User Notification (EUN)
• From 6.1: the system now displays an HTTP response page for connections decrypted by the SSL policy, then blocked by access control rules.
• However, the system does not display a response page for encrypted connections blocked by access control rules (or any other configuration).
• The NGFW cannot support EUN for bad certs at the moment (6.2).
Global SSL Rule Settings
(Figure: Global SSL Rule Settings and the monitoring page.)
• Default action (Block, Block with reset, Do not decrypt)
• Uncached session ID/Ticket
• SSL Compression
• SSLv2
• Unsupported cipher suite
• Handshake or decryption error
• External CA list – used to validate server certs
Trusted CA’s CRL
• You can upload CRLs to a trusted CA object. Supported formats: DER, PEM
• If you reference that trusted CA object in an SSL policy, you can control encrypted traffic based on whether the CA that issued the session encryption certificate subsequently revoked the certificate.
• There is no limit to the number of CRLs you can add to a trusted CA object. You must save the object each time you upload a CRL, before adding another CRL.
• Add the CA that signed the CRL
Bad Certificate Handling – The Risk
(Figure: between Client and Server, a modified server cert and an expired or revoked server cert.)

Bad Certificate Handling
(Figure: screenshot.)

Block Certificate Issue
• Test with a non-trusted cert: (Figure: screenshot.)
• Log: (Figure: screenshot.)
PKI Objects: Independent of SSL design
• Internal CA – used to resign certificates.
• External CA list – used to validate server certificates.
• Known certificates and keys – used to decrypt traffic going to internal servers.
SSL Decryption Use Case: Block Connections That Use a Self-Signed Certificate
(Figures: SSL policy rule configuration screenshots for this use case, including the Cert Status tab.)
Additional Design Questions
(Figure: processing pipeline: data acquisition, packet and TCP stream processing, decrypt if SSL, decryption and access policies, IPS rules.)
• Do Not Decrypt: well known (high reputation) sites and Finance
• Block: weak ciphers
• Decrypt: uncategorized
• Switch ON logging (default: no logging)
HTTP Strict Transport Security (HSTS) and MiTM
(Figure.)

Monitoring
BRKSEC-3006
(Figures: reference screenshots.)

Test Your Configuration
• Badssl.com, revoked.grc.com
Let’s see it:
• openssl crl -inform DER -text -noout -in crl.der | grep 1121B4
• Or: openssl verify -crl_check -CAfile crl_chain.pem wikipedia.pem
(Figure: CRL output annotated with the CA signature algorithm and signature.)
Table view
• Very useful; default = no SSL info
(Figure: connection events table view with the SSL columns enabled.)

Detailed SSL Information
(Figure: screenshot.)

Debug Command
> system support ssl-debug debug_policy_all
debug_policy_all
You must restart snort before this change will take affect

Example Transaction
SSL Flow Status: 2 - success - SSL Rule successfully applied.
SSL Flow Error: 0x00000000 - NSLIB:Logging
Community Based Navigation
• Community based collaboration
• First victim reports*
• Rest of the community is protected

AMP Analysis
(Figure: file action looked up in the AMP cloud, with Threat Grid / Talos sandbox analysis on an interval.)

AMP Retrospective Security
(Figure: the AMP cloud checks for disposition changes and initiates a retrospective event / quarantine.)
Malware and File Policy Order of Processing
(Figure: file rule decision flow with the labels Rule 1: Monitor, Rule 3: Block, No match / No inspection / Destination, File was captured?, File is Malware?, File is Clean?, Known Malware, Malware Event and Block, Intrusion / File / Malware blocked, No further processing.)

Malware and File Policy Order of Processing (unknown file)
(Decision flow, reconstructed from the slide's labels; "No" at each step continues with the next one.)
1. Inspect archive? Yes: extract contents (otherwise an uninspectable archive)
2. Store files? Yes: capture file
3. Spero? Yes, and Spero supported file: compute Spero hash and send it to AMP
4. Local Malware Analysis? Yes: ClamAV pre-classification plus high fidelity scan (Office, PDF, EXE); match?
5. Dynamic Analysis? Yes, and ClamAV pre-classification flagged the file: file submission to Threat Grid (cloud or appliance)
FMC 6: File Property Analysis
• The device generates a file composition report detailing a file's properties, embedded objects, and possible malware.
• Pre-classification engines: byte-code rules that detect suspicious indicators, like embedded macros, EXEs, Flash, packed EXEs, JavaScript in PDF, corrupt headers, VBA in OLE, etc.
• High fidelity signatures pushed by TALOS (every 30 minutes)
(Figure: a file classified as Suspect is submitted to the sandbox together with its File Composition Report; a Normal file is not submitted.)
FMC 6: Local Malware Checks and File Property Analysis
• Identify popular/common malware on the appliance
• Reduced need to send samples to the cloud for dynamic analysis
• Local assessment of container files for malware viability inside nested content
• File Composition Report with risk assessment
• Expanded file type support for automatic dynamic analysis: PDF, Office documents, others (EXE/DLL, MSOLE2, …)
• Using a local malware inspection engine, the device blocks a file if it contains malware and the file rule is configured to do so, and generates malware events.
Protection Technique: Spero Engine
SPERO = Machine Learning using active heuristics
(Figure: training pipeline. Clean, dirty and unknown customer data, as featureprints of files, become feature vectors; a machine learning algorithm (decision trees) builds a predictive model that outputs the expected label [disposition], checked against a hypothesis and a performance measure. System environment monitoring supplies labels such as export, keyboard API hook, DLL loaded, …)
Protection Framework: Spero Engine
• AMP Labels = attributes derived during execution
• Network connections?
• Non-standard protocols for an application?
• Hooking which APIs?
• Filesystem changes?
• Copies itself
• Moving files
• Launching other processes?
(Figure: machine learning decision tree whose leaves are confirmed malware, possible malware, possible clean file and confirmed clean file.)
Decision tree example (9 Yes / 5 No)
• Are the attributes pure? (all Yes or all No)
https://www.youtube.com/watch?v=eKD5gxPPeY0

Rows visible on the slides (Day, Outlook, Humidity, Wind, Play):
D1 sunny high weak No
D2 sunny high strong No
D9 sunny normal weak Yes
D11 sunny normal strong Yes
D12 overcast high strong Yes
D13 overcast normal weak Yes
D4 rain high weak Yes
D10 rain normal weak Yes
D14 rain high strong No

Split on outlook (9 Yes / 5 No):
• overcast: 4 / 0, Yes
• sunny: 2 / 3, split further on humidity: high 0 / 3 No; normal 2 / 0 Yes
• rain: 3 / 2, split further on wind: weak 3 / 0 Yes; strong 0 / 2 No
Sandboxing with Threat Grid
BRKSEC-2029
(Figure: AMP Threat Grid analysis pipeline for a sample: static analysis, artifact classification, runtime analysis (kernel monitor, dynamic disk analysis, "Cloak & Dagger", post processing), static artifact analysis and disk analysis. User land instrumentation injects into interesting processes and manipulates Sleep() values and Crypto API calls, outside of and invisible to the guest OS.)
CiscoLive BRKSEC-2029 - An Introduction to Malware / Advanced Threats and the response methods used
Indicator Engine
• Observations
• Indicator Types: Behavioral, Static, Malware, Compromise, Evasion, Compound, Feeds
(Figure: indicator tag cloud: forensics, attribute, weakening, artifact, network, enumeration, malware, file, evasion, persistence.)

Inner Workings of a Compound Indicator
(Figure: screenshot.)

Dynamic Analysis Report
(Figure: screenshot.)
Ransomware
• Excessive Suspicious Activity
• Generic Ransomware
• Desktop Background Change
• Generic Ransom Note
• Shadow Copy Deletion
AMP Configuration on FMC
Malware Configuration Flexibility: different malware policies per access rule
• Rule1: allow (inside), matching traffic -> Inside malware policy
• Rule2: allow (internet), matching traffic -> Internet malware policy
• Default action: allow -> no malware policy

File Rule Configuration
• Action options: Detect Files, Block Files, Malware Cloud Lookup, Block Malware
• Application protocol options: Any, HTTP, SMTP, IMAP, POP3, FTP, NetBIOS-ssn (SMB)

File Rules – No Order of Precedence
Order does not matter! If two or more rules match for the same file type:
1. Block Files
2. Block Malware
3. Malware Cloud Lookup
4. Detect Files
Configure AMP Cloud Connection
• Allows FMC to get events from the AMP Cloud or Private Cloud for AMP clients
• Each FMC can have only one AMP for Firepower connection
(Figure: login screenshot.)

AMP Privacy
(Figure: on the customer premise, a Cisco AMP Private Cloud Appliance 2.2 and an AMP Threat Grid Dynamic Analysis Appliance; what is exchanged with Cisco Talos federated data is file hashes and files to be analysed.)

Local AMP Threat Grid Configuration from FMC 6.0
• Add cloud or local dynamic analysis (sandboxing) under Dynamic Analysis Connections
• Only a single connection can be configured for file submissions
• When a local connection is configured, the public cloud configuration will still be used for public threat report lookups

AMP and Threat Grid Private
(Figure: the NGFW submits a file to the Threat Grid appliance.)

Advanced Malware - File Policy
• Threat score ranges: Medium: 25-69, High: 70-94, Very high: 95-100
• Local exceptions: override the AMP Cloud disposition based on the dynamic analysis threat score
Firepower Services, FTD Software 6.1-6.2
• Support for AMP Private Cloud Virtual Appliance
• AMP Private Cloud Virtual Appliance instance in the internal network
• Can be used for file disposition lookup and AMP for Endpoints event feeds

User Based IoC
(Figure: screenshot.)

AMP Monitoring on FMC Demo
(Figures: AMP for Endpoints collaboration, report, before retrospection and after retrospection screenshots.)

Conclusion
• Modern malware is engineered specifically to bypass point-in-time detection
• Detection innovation is still important, but you need more
• Retrospection gives visibility of what was missed
• AMP Everywhere gives administrators control of their entire environment
FTDv on KVM
FTDv KVM installation - Prerequisites
• Supported and tested on Ubuntu 14.04 LTS and RHEL
cisco@ubuntu:~$ cat /proc/version
Linux version 4.4.0-51-generic (buildd@lgw01-18) (gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) ) #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30 UTC 2016

FTDv KVM installation - Prerequisites
• The correct libvirt and QEMU version is very important
cisco@ubuntu:~$ virsh version
setlocale: No such file or directory
Compiled against library: libvirt 1.2.2
Using library: libvirt 1.2.2
Using API: QEMU 1.2.2
Running hypervisor: QEMU 2.0.0

FTDv KVM installation - Prerequisites
The Firepower Threat Defense Virtual on KVM supports the following:
• Processors: requires 4 vCPUs
• Memory: requires 8 GB RAM
FTDv KVM installation - License and Day0 config
• Firepower Threat Defense Virtual devices require Smart Software Licensing
• As an option you can prepare a Day0 configuration file before you launch the Firepower Threat Defense Virtual

FTDv KVM installation - Create Day0 config file
• The file must be named day0-config
cisco@ubuntu:~$ more day0-config
{
"EULA": "accept",
"Hostname": "FTDv-CiscoLive",
"AdminPassword": "Admin123",
"FirewallMode": "routed",
"DNS1": "10.1.200.102",
"DNS2": "none",
"DNS3": "none",
"IPv4Mode": "manual",
"IPv4Addr": "10.10.10.10",
"IPv4Mask": "255.255.255.0",
"IPv4Gw": "10.10.10.254",
"IPv6Mode": "disabled",
"IPv6Addr": "",
"IPv6Mask": "",
"IPv6Gw": "",
"FmcIp": "10.1.200.171",
"FmcRegKey": "123Cisco123",
"FmcNatId": ""
}
FTDv KVM installation - Create day0.iso file
• Generate the virtual CD-ROM by converting the text file to an ISO file
cisco@ubuntu:~$ genisoimage -r -o day0.iso day0-config
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 250
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
176 extents written (0 MB)

FTDv KVM
• Download FTDv from CCO
• Verify SHA checksum
cisco@ubuntu:~$ ls -l
-rw-r--r-- 1 cisco cisco 1025310720 Jan 24 22:15 Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2
cisco@ubuntu:~$ echo
"15099d91b1a5bb8ef42063656b7ee14c84b2866fb00f0bd22272010c4ab2d11f7a3902e4a3d97a8f482553c6b5a6346904711c6
a00a7c0b384351a12a091325d *Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2" | sha512sum -c -
Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2: OK
FTDv KVM installation - working with virsh
• Create bridge XML files and interfaces. Create XML files for all interfaces and make the appropriate modifications for MAC and name.
cisco@ubuntu:~$ more virbr1.xml
<network>
<name>MGMT</name>
<bridge name='MGMT' stp='on' delay='0' />
<mac address='DE:AD:00:00:BE:EF' />
</network>
(Figures: reference screenshots.)
FTDv KVM installation - create install script
• The order of the interfaces is important!
cisco@ubuntu:~$ more install_ftdv.sh
virt-install \
--connect=qemu:///system \
--network network=MGMT,model=virtio \
--network network=DIAG,model=virtio \
--network network=INSIDE,model=virtio \
--network network=OUTSIDE,model=virtio \
--name=FTDv_6.2_day0 \
--arch=x86_64 \
--cpu host \
--vcpus=4 \
--ram=8192 \
--os-type=linux \
--os-variant=generic26 \
--virt-type=kvm \
--import \
--watchdog i6300esb,action=reset \
--disk path=/home/cisco/Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2,format=qcow2,device=disk,bus=virtio,cache=none \
--disk path=/home/cisco/day0.iso,format=iso,device=cdrom \
--console pty,target_type=serial \
--serial tcp,host=127.0.0.1:4495,mode=bind,protocol=telnet \
--force

FTDv KVM installation - execute install script
cisco@ubuntu:~$ ./install_ftdv.sh
warning: failed to set locale, defaulting to C
Starting install...
Creating domain...
| 0 B 00:01
Connected to domain FTDv_6.2_day0

FTDv KVM installation - interact with FTDv
• Enable X11 forwarding and make sure you run an X server on your host
• X server for Windows: Xming
cisco@ubuntu:~$ virt-manager &
[1] 4637
• Interact with the new VM: power on, power off, reset, console, take snapshots
(Figures: virt-manager screenshots.)
FTDv on Openstack
What is Openstack
• A feature-rich set of software tools for building and managing cloud computing platforms for public, private, and hybrid clouds.
• Core components: compute, network, storage, analysis, and management
• Massively scalable
• Open APIs above and below for interoperability
• Open Source - entirely community driven

Openstack - High Level Overview
(Figure: OpenStack architecture overview. Source: openstack.org)

Neutron
• Neutron is an OpenStack project to provide "networking as a service" between interface devices (e.g., vNICs) managed by other Openstack services (e.g., nova)
• Plugins: Cisco Nexus1000v Plugin, Modular Layer 2 Plugin, … and much more

Neutron
• The ML2 plugin architecture uses type drivers to support multiple networking technologies, and mechanism drivers to access the networking configuration in a transactional model
• The following Type and Mechanism Drivers are supported:
Type Drivers: Flat, Local, VLAN, GRE, VXLAN
Mechanism Drivers: Cisco Nexus Driver, Tail-f NCS Driver, …

Horizon Demo

Openstack – Use Cases
• Single Flat
• Multiple Flat
• Mixed Flat and Private Network
• Provider Router with Private Networks
• Per-tenant Routers with Private Networks

Getting started with Openstack
cisco@ubuntu:~$ openstack router list
(Figures: Horizon screenshots; change to the demo project.)
Openstack - FTDv Prerequisites
• FTDv needs 4 interfaces
• Create Network and Subnet
cisco@ubuntu:~$ openstack network create Net2 --description Mgmt_Net
cisco@ubuntu:~$ openstack subnet create Subnet2 --network Net2 --subnet-range 10.0.2.0/24
cisco@ubuntu:~$ openstack network create Net3 --description Diagnostic_Net
cisco@ubuntu:~$ openstack subnet create Subnet3 --network Net3 --subnet-range 10.0.3.0/24
cisco@ubuntu:~$ openstack network create Net4 --description Inside_Net
cisco@ubuntu:~$ openstack subnet create Subnet4 --network Net4 --subnet-range 10.0.4.0/24
cisco@ubuntu:~$ openstack network create Net5 --description Outside_Net
cisco@ubuntu:~$ openstack subnet create Subnet5 --network Net5 --subnet-range 10.0.5.0/24

Openstack - FTDv Prerequisites
• Create an Image
cisco@ubuntu:~$ openstack image create FTDv --disk-format qcow2 --container-format bare --public --file /home/cisco/Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2

Openstack - FTDv Prerequisites
• Create Security Groups and Rules
cisco@ubuntu:~$ openstack security group create SecGroup1 --description Security_Group_for_Tenant1
cisco@ubuntu:~$ openstack security group rule create SecGroup1 --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0

Openstack - Spin up FTDv
• Create your Server (VM)
(Figure: screenshot.)

Openstack - How to access your FTDv
• Connect FTDv to ´the outside´: attach a port to Router1
• Assign a Floating IP
cisco@ubuntu:~$ openstack floating ip create public
(Figure: FTDv console, "IT´S ALIVE".)

Openstack - Dashboard View
(Figures: Horizon dashboard screenshots.)
Application Centric Infrastructure - ACI
Applications All Around Us
…while requiring…
• Frequent updates and
• Highest Availability (SLAs)

Challenge for Infrastructure
(Figure.)

Software-Defined Networking …Comes to the Rescue
“…is an emerging architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications. This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services.”
Source: www.opennetworking.org

• Device Package - contains an XML file and Python scripts; the XML file tells you what configuration options you have in the APIC (vendor-specific configuration).
• APIC – centralized controller for ACI, single point of policy management and automation.
• EPG – Endpoint Group: a logical group that can contain virtual machines or physical servers.
• Contracts - a set of rules to govern communication between EPGs; a contract defines specific ports and protocols between EPGs, e.g. TCP 80 or TCP 443. These are bi-directional.
• Service Graphs - L4-7 services such as security; you can add a service graph to a contract (ACL) to redirect traffic to a Service Producer such as an ASA, NGIPS or load balancer.
• VRF – (also known as contexts) defined within a tenant to allow isolated and potentially overlapping IP addresses
• Bridge Domain - used to define an L2 boundary (flood domain) and impose additional constraints (such as no broadcast) within that L2 boundary. NOT A VLAN, simply a container for subnets. EPGs can only be a member of a single BD.

Application Centric Infrastructure
(Figure: Nexus9000 Switch Fabric and Centralized Management – APIC Controller: orchestrate networking and L4-L7 services, add any hypervisor or physical workloads, controls CLOS of N9Ks, VLAN pooling, any subnet anywhere.)
Embrace open systems, APIs, and abstracted models to benefit any type of workload

ACI Infrastructure (LTRSEC-3001)
(Figure: ACI fabric with spine nodes, leaf nodes, APIC x3 and a virtual leaf (AVS); an L3Out EPG “Outside”, L4-L7 devices (logical/concrete), a provider EPG “Files” and a consumer EPG “Users”.)

ACI Whitelist Policy supports “Zero Trust” Model
Whitelist policy = explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members
(Figure: endpoints 1-4 in EPG 1 “WEB” and endpoints 1-4 in EPG 2 “APP”.)
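The whitelist contract between EPG “WEB” and EPG “APP” written out as APIC configuration, as an added example that is not part of the deck or of Cisco's code: a filter with the two vzEntry rules for TCP 80 and TCP 443, a contract subject referencing it, and the two EPGs consuming and providing the contract. The tenant and EPG names come from the slides; the application profile, bridge domain, filter and contract names, the APIC host and the account are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the TECSEC-2600 deck or from Cisco): the whitelist
# contract from the slide, EPG "WEB" consuming a contract that EPG "APP"
# provides, as the APIC XML a script would POST under uni. Tenant "University"
# and the EPG names are on the slides; AppProfile1, BD1, the filter and
# contract names, the APIC host and credentials are constructed placeholders.

# Only the listed vzEntry rules are permitted between the two EPGs; everything
# else is dropped by the fabric (whitelist model). Filters placed directly
# under the subject apply in both directions, and revFltPorts="yes" lets the
# return traffic match with the ports reversed.
aci_whitelist_xml() {             # $1 = tenant, $2 = consumer EPG, $3 = provider EPG
    cat <<EOF
<fvTenant name="$1">
  <vzFilter name="http-https-only">
    <vzEntry name="tcp80" etherT="ip" prot="tcp" dFromPort="80" dToPort="80"/>
    <vzEntry name="tcp443" etherT="ip" prot="tcp" dFromPort="443" dToPort="443"/>
  </vzFilter>
  <vzBrCP name="web-to-app" scope="context">
    <vzSubj name="web" revFltPorts="yes">
      <vzRsSubjFiltAtt tnVzFilterName="http-https-only"/>
    </vzSubj>
  </vzBrCP>
  <fvAp name="AppProfile1">
    <fvAEPg name="$2">
      <fvRsBd tnFvBDName="BD1"/>
      <fvRsCons tnVzBrCPName="web-to-app"/>
    </fvAEPg>
    <fvAEPg name="$3">
      <fvRsBd tnFvBDName="BD1"/>
      <fvRsProv tnVzBrCPName="web-to-app"/>
    </fvAEPg>
  </fvAp>
</fvTenant>
EOF
}

# Log in to the APIC and POST the tenant subtree. Not executed below; the
# host and account are placeholders.
aci_push() {                      # $1 = apic host, $2 = user, $3 = password, $4 = xml file
    jar=$(mktemp)
    curl -sk -c "$jar" -X POST "https://$1/api/aaaLogin.xml" \
        -d "<aaaUser name=\"$2\" pwd=\"$3\"/>" >/dev/null
    curl -sk -b "$jar" -X POST "https://$1/api/mo/uni.xml" -d @"$4"
    rm -f "$jar"
}

out=$(mktemp)
aci_whitelist_xml University WEB APP > "$out"
cat "$out"
# aci_push apic.example.test admin 'APIC_PASSWORD_PLACEHOLDER' "$out"
```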
Endpoint Groups Communications
EP EP EP EP EP EP
EP EP EP EP EP EP
EP EP EP EP EP EP
EP EP EP EP EP EP
EP EP EP EP EP EP
Contract Contract
EP EP EP EP EP EP
In order to add L4-L7 services such as security, you can add a Service
Graph to a contract to redirect traffic to a Service Producer such as an
ASA or Firepower NGIPS
TECSEC-2600 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 569
ACI Communication Abstraction
APIC All TCP/UDP:
- Accept
- Redirect to FW and IPS
Security Policy All Other :
“App” → “DB” - Drop
ACI Fabric
“DB” “App”
Security Services
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
ACI Modeling
Tenant “University”
Infrastructure
PN/VRF “Engineering” PN/VRF “Business”
Subnet 172.16.1.0/24
Subnet 10.1.1.0/24
Subnet 172.16.2.0/24
…
Subnet 10.1.1.0/24 Subnet 10.1.2.0/24
Subnet 172.16.10.0/24 …
EP
EPG EPG G Policy “HTTP”
Web Web
DB EP
Apps
Policy “HTTP”
G
Policy “SQL” EP
App
G
EPG Policy “SQL”
DB
App
APIC in
Control
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
ACI Fabric is L2
Allow flexibility to enable ACI fabric for EPG management, and attach security directly into EPGs.
Endpoint Group (EPG): Contract: Service Chain: Programmability:
Creation of EPG segments still Not implemented yet. Not implemented yet. Northbound API to script
done on APIC, EPs are virtual Firewalls control traffic Firewalls are GWs and full Tenant network
machines or physical servers. flows between EPGs. peer with external© routers. creation.
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
No Device Package
Customers enable full ACI fabric benefits without forcing a device package.
• Endpoint Group (EPG): Creation of EPG segments still done on APIC, EPs are virtual machines or physical servers.
• Contract: Is between EPGs and adds unmanaged Service Graphs (no device pkg).
• Service Chain: Graphs in fabric and Firewalls match SG fabric attached VLANs/PGs.
• Programmability: Northbound API to script full Tenant network and unmanaged SG creation.
Full Orchestration – One Controller
Leverage the full benefits of ACI fabric with ability to program L4-L7 using device package.
• Endpoint Group (EPG): Creation of EPG segments still done on APIC, EPs are virtual machines or physical servers.
• Contract: Is between EPGs and adds Managed Service Graphs via device pkg.
• Service Chain: Graphs in fabric and Firewalls match SG fabric attached VLANs/PGs.
• Programmability: Northbound API to script full Tenant network, SG creation, and FW config.
ACI Micro-Segmentation – Two Parts
• Intra-EPG Isolation: isolate workloads within an application tier (APP EPG).
• Attribute-based Micro-Segmentation: a uSeg EPG built from VM attributes (for example OS='Linux', IP '10.1.1.1', Name 'Finance') isolates the matching EPs from the base APP EPG.
ACI Benefits: Intra-EPG Isolation, Attribute-based Micro-Segmentation.
Cisco ACI and Cisco Advanced Security
Cisco Advanced Security – ASA / Firepower / AMP, with APIC controlling the fabric and the attached VMs.
Cisco ACI + Cisco Advanced Security Advantages:
• Addresses key DC challenges: threat-centric, visibility, compliance
• Only complete Before, During, and After approach to threats
• Industry's most comprehensive threat intelligence with TALOS
• Highest rated Next Generation Intrusion Prevention System*
• Highest rated Breach Detection System – 99.2% effective**
*NSS NGIPS SVM Report, April 2015. **NSS Breach Detection SVM Report, August 2015.
Cisco Advanced Security Platforms
• Firepower 9300, Firepower 4100 (ASA Cluster 2-16x)
• ASA 5585-X SSP40, ASA 5585-X SSP20, ASA 5585-X SSP10
• ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5512/15-X
• ASA 5516-X, ASA 5508-X, ASA 5506(W/H), ASA 5505**
• FirePOWER 7000/8000, ASA SM (Cat6500)**
• Virtual: ASAv**, FTDv, FPv, FirePOWER(v)
• Nexus 9000 with ASA(v), FTD(v), FMC
Service Automation Through Device Package
Device Package = Device Specification, for example:
<dev type="f5">
<service type="slb">
Packages: ASA Device Package, FirePOWER Device Package; Unmanaged Devices
Advanced Security in Application Centric Infrastructure
Figure: FTDv attached to the fabric as an Unmanaged device.
Cisco Security Device Packages
APIC Managed Service Graph:
• ASA 1.2 Device Package: GoTo (Routed FW); GoThrough (Transp. FW); ACL, DPI, Netflow, Syslogs, TrustSec; L3out Dynamic Routing (BGP/OSPF); Dynamic Update EPG ACL; Active / Standby Failover; Divert to embedded Firepower
• FirePOWER 1.0 Device Package (Manager): GoThrough (L2 NGIPS); Inline Sensor; FMC installs policy on Sensors; Access Control / NGIPS Policy; Show real-time Events; Advance Malware Policy
APIC Unmanaged Service Graph:
• Run Any ASA or Fire(power) Platform, Code, and Features
• APIC orchestrates the service graph on Nexus leaf switches
• APIC orchestrates Data Plane
• Security devices (ASA, FirePOWER, or FTD) are managed using CLI, REST-API, or purpose-built management tools (ASDM, CSM, FMC), and we now must match unmanaged service graph settings (plug into configured ports, and match interface static/dynamic VLANs)
Why use Unmanaged Service Graph
Cisco Security ACI Device Package Integration
Netflow and Syslogs to Stealthwatch: Visibility and Real-Time Alerts
ACI Fabric Building Blocks
ASA Device Package
Figure: Marketing and Engineering App EPGs, with TrustSec SXP.
ACI End Point (EP) Isolation within EPG
Intra-EPG Isolation, added in APIC 1.2(2g)+
ACI Attribute-based Micro-Segmentation (added in APIC 1.2)
• Quarantine infected VMs with VM Name = VDI-MARKET*
• Attribute examples: IP = 1.1.1.x, VM Name = Finance-*
• Supported on bare-metal, Cisco AVS (VMware), Hyper-V, VMware DVS*
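Attribute-based uSeg EPG classification and intra-EPG isolation, as described on the micro-segmentation slides above, modelled in Python as an added example. This is not Cisco code: the Endpoint and USegRule classes, the glob/prefix/OS matchers and the sample VMs are constructed. Two assumptions are made here: uSeg rules are evaluated in configured order with the first match taking the endpoint out of its base EPG, and an EPG marked as isolated blocks all traffic between its own members.

```python
"""Attribute-based uSeg EPG classification and intra-EPG isolation.

Added example, not Cisco code: the Endpoint and USegRule classes, the matchers
and SAMPLE_* data are constructed. Assumed: rules are evaluated in order and the
first match wins over the base EPG; an isolated EPG blocks member-to-member traffic.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Endpoint:
    name: str      # VM name as reported by the hypervisor
    ip: str
    os: str
    base_epg: str  # EPG the workload was placed in by its port-group/VLAN


@dataclass(frozen=True)
class USegRule:
    """One uSeg EPG definition built from VM attributes (cf. OS='Linux',
    IP=1.1.1.x, VM Name=VDI-MARKET* on the slides)."""
    epg: str
    name_glob: Optional[str] = None   # shell-style pattern, e.g. "VDI-MARKET*"
    ip_prefix: Optional[str] = None   # CIDR, e.g. "1.1.1.0/24"
    os: Optional[str] = None
    match_all: bool = True            # AND the criteria (False = OR)

    def matches(self, ep: Endpoint) -> bool:
        checks = []
        if self.name_glob is not None:
            checks.append(fnmatch.fnmatchcase(ep.name, self.name_glob))
        if self.ip_prefix is not None:
            net = ipaddress.ip_network(self.ip_prefix, strict=False)
            checks.append(ipaddress.ip_address(ep.ip) in net)
        if self.os is not None:
            checks.append(ep.os == self.os)
        if not checks:
            return False              # a rule with no criteria matches nothing
        return all(checks) if self.match_all else any(checks)


def classify(ep: Endpoint, rules: List[USegRule]) -> str:
    """EPG an endpoint lands in: first matching uSeg EPG, otherwise its base EPG."""
    for rule in rules:
        if rule.matches(ep):
            return rule.epg
    return ep.base_epg


def intra_epg_status(src: Endpoint, dst: Endpoint,
                     rules: List[USegRule], isolated: Set[str]) -> str:
    """Outcome for traffic between two endpoints after classification."""
    s, d = classify(src, rules), classify(dst, rules)
    if s != d:
        return "needs-contract"       # different EPGs: whitelist contract decides
    if s in isolated:
        return "intra-epg-isolated"   # same EPG, but isolation is enforced
    return "intra-epg-allowed"


# Constructed sample: the quarantine rule comes first so it wins over the rest.
SAMPLE_RULES = [
    USegRule(epg="Quarantine", name_glob="VDI-MARKET*"),
    USegRule(epg="Finance-uSeg", name_glob="Finance-*", ip_prefix="1.1.1.0/24"),
    USegRule(epg="Linux-uSeg", os="Linux"),
]
ISOLATED_EPGS = {"Linux-uSeg"}

SAMPLE_ENDPOINTS = [
    Endpoint("VDI-MARKET-07", "10.1.1.1", "Windows", "APP"),
    Endpoint("Finance-DB1", "1.1.1.20", "Linux", "APP"),
    Endpoint("Finance-App1", "10.2.2.2", "Linux", "APP"),
    Endpoint("web-03", "10.1.1.5", "Linux", "APP"),
    Endpoint("web-04", "10.1.1.6", "Windows", "APP"),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(f"{ep.name:<14} {ep.ip:<10} {ep.os:<8} -> {classify(ep, SAMPLE_RULES)}")
```

Rule order matters: "Finance-App1" matches the Finance name pattern but sits outside 1.1.1.0/24, so under AND semantics the Finance rule fails and the broader OS rule catches it instead, which is the kind of unintended placement worth checking before relying on a uSeg EPG as a security boundary.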
Closing
Thank you!
• Thank you very much for your attendance and interaction
• Speakers
• Ciara Campbell (FTD Migration, CDO, ACI,…)
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions