BRKSEC-2093 Hardening The Secure Firewall - 2023
Hardening The Secure Firewall
BRKSEC-2093 #CiscoLive
About the Speaker
Srinivasa Munagala
• Passionate about FW technologies.
• Hobbies include playing volleyball and cricket and watching crime thriller movies.
#CiscoLive BRKSEC-2093 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• Dataplane Hardening
• Control Plane Hardening
• VPN Hardening
• Logging and Monitoring
• Software and Content Updates
• Disaster Recovery
• Compliance
• Performance Best Practices
• Conclusion
Introduction
Introduction to Hardening
• The firewall is a critical component of the network perimeter and protects most enterprise networks.
• Hardening the firewall configuration is essential to reduce the threats your network is exposed to.
• Firewall hardening is an ongoing process which involves:
• Enhancing network security
• Minimizing risks
• Preventing unauthorized access
• Mitigating malware and cyber threats
• Maintaining compliance requirements
Secure Firewall Terminology
Term – Definition
FTD – Firepower Threat Defense (or Secure Firewall): unified software image (ASA + Firepower)
Lina – Underlying ASA-derived process that is integrated into the FTD product
Snort – The inspection engine of the Firepower product integrated into FTD, providing the IPS functionality
FMC – Secure Firepower Management Center: off-box GUI used to manage FTD devices (configuration, reporting, monitoring, etc.)
Dataplane Hardening
Reference Slide: FTD Routed Packet Flow (diagram). Stages labelled in the diagram: Packet arrives on interface → Existing Conn? → DAQ/PDTS Extensions → L2-L4 Decode → UN-NAT/Egress Int → Global ACL Rule Action: Permit → Blacklist SI (IP) → Frag3 Preproc → Preproc → Snort Rules → File Policy → Application Layer → L3 Route → VPN Encrypt → QOS (Enforce) → NAT IP Header → L2 Addr → Flow Update → DAQ/PDTS Extensions → TX; a failed check at any stage leads to Drop.
Figure: an Nmap scanner on the Outside sends a SYN through the FTD to an Internal Server (1) and receives a SYN ACK back (2).
1 Outside host sends a SYN to the Inside Server
Access Control Rules - Case Study
Problem - NMAP detects all listening ports on an internal server
There are no Access Control Rules which allow traffic on the following ports:
• FTP (tcp/21)
• SMB (tcp/445)
• NFS (tcp/2049)
• RDP (tcp/3389) and so on
Access Control Rules - Case Study
• When NMAP receives a response to its SYN packet, it reports the port as OPEN.
• Application services can run on custom ports. Example: HTTP can run on port 8081. The FW has to inspect the first few data packets after the TCP 3-way handshake to determine the application.
• The FW allows the first few data packets temporarily (*with IPS inspection) until the application is determined.
• Once the application is determined to be non-HTTP, this rule is no longer a match and evaluation moves on to the next rules.
FW Trace w/ Engine Debugs:
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Packet 5327: TCP ******S*, 05/23-22:49:09.534075, seq 3605876215, dsize 0
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Session: new snort session
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: starting rule matching, zone 2 -> 1, geo 0(0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'Inbound-Web_server', pending AppID
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'Inbound-Web_server', nothing has changed
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Policies: Network 0,
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 pending rule id 268434435 nothing has changed
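As an added example (not from the session), a small Python parser over firewall-engine-debug lines like the trace above: it groups the lines per 5-tuple, tracks whether a rule is still "pending AppID", and flags flows whose destination port lies outside the ports you expect that rule to serve. The expected-port map and the second (tcp/8081) flow are constructed assumptions.

```python
"""Added example: spot flows that an L7 (application) rule let through while the
application was still undetermined ("pending AppID"), which is what lets a SYN
scan see a SYN/ACK on ports such as tcp/21."""
import re
from collections import OrderedDict

# Prefix of every firewall-engine-debug line in the trace:
# "<src> <sport> -> <dst> <dport> <proto> AS=.. ID=.. GR=.. <message>"
LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\d+) "
    r"AS=\d+ ID=\d+ GR=\S+ (?P<msg>.*)$"
)
PENDING_RE = re.compile(r"^Firewall: pending rule-matching, '(?P<rule>[^']+)', (?P<reason>.+)$")
APPID_RE = re.compile(r"^AppID: service: \((?P<service>\d+)\)")
PACKET_RE = re.compile(r"^Packet \d+: ")

# Constructed sample: the tcp/21 flow from the slide plus a made-up second flow on tcp/8081.
SAMPLE_TRACE = [
    "192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Packet 5327: TCP ******S*, 05/23-22:49:09.534075, seq 3605876215, dsize 0",
    "192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Session: new snort session",
    "192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: starting rule matching, zone 2 -> 1, geo 0(0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff",
    "192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'Inbound-Web_server', pending AppID",
    "192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)",
    "192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Packet 5328: TCP ***A****, 05/23-22:49:09.534301, seq 3605876216, dsize 0",
    "192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'Inbound-Web_server', nothing has changed",
    "192.168.212.115 62250 -> 192.168.250.10 8081 6 AS=0 ID=0 GR=1-1 Packet 5340: TCP ******S*, 05/23-22:49:10.100000, seq 100, dsize 0",
    "192.168.212.115 62250 -> 192.168.250.10 8081 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'Inbound-Web_server', pending AppID",
    "192.168.212.115 62250 -> 192.168.250.10 8081 6 AS=0 ID=0 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)",
]


def parse_flows(lines):
    """Group trace lines per 5-tuple and record packet count, pending rule and AppID state."""
    flows = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a firewall-engine-debug line
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        flow = flows.setdefault(
            key, {"packets": 0, "pending_rule": None, "pending_events": 0, "service": 0}
        )
        msg = m["msg"]
        if PACKET_RE.match(msg):
            flow["packets"] += 1  # a packet was processed while the rule was undecided
        pm = PENDING_RE.match(msg)
        if pm:
            flow["pending_rule"] = pm["rule"]
            flow["pending_events"] += 1
        am = APPID_RE.match(msg)
        if am:
            flow["service"] = int(am["service"])  # 0 = application not yet identified
    return flows


def find_pending_exposure(lines, expected_ports):
    """Flows held in 'pending AppID' by a rule whose expected service ports
    (expected_ports: rule name -> set of ports, a caller-supplied assumption)
    do not include the destination port: each such flow completed a handshake
    on a port the rule was never meant to open."""
    findings = []
    for key, flow in parse_flows(lines).items():
        rule = flow["pending_rule"]
        if rule is None or flow["service"] != 0:
            continue  # never pending, or the application was eventually identified
        allowed = expected_ports.get(rule)
        if allowed is not None and key[3] not in allowed:
            findings.append({"flow": key, "rule": rule, "packets": flow["packets"]})
    return findings


if __name__ == "__main__":
    for finding in find_pending_exposure(SAMPLE_TRACE, {"Inbound-Web_server": {80, 443, 8081}}):
        print(finding)
```

A flow flagged this way is the case-study symptom: the rule's L4 constraint is missing, so the handshake to tcp/21 is allowed while the engine waits for AppID.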
Access Control Rules - Case Study - Solution
Previous Rule Config
Access Control Rules - Case Study
Verification (packet-tracer, port 21 - FTP SYN)
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 0 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434438
access-list CSM_FW_ACL_ remark rule-id 268434438: ACCESS POLICY: FTD-ACP1 - Default
access-list CSM_FW_ACL_ remark rule-id 268434438: L4 RULE: deny_block
Additional Information:
Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: Inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 3294 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055f948cc64e7 flow (NA)/NA
1 packet shown
Access Control Rules - Best Practices
Rule ordering baseline (top to bottom):
• Geolocation Rules
• Layer-3/4 rules
• Block > Trust > Allow Rules
• Layer-7 (App/URL) Outbound Rules
• Block > Trust > Allow Rules
• Default Action
Always order rules to suit your organization's needs.
Guidelines:
• Specific rules should come before general rules.
• Avoid L7 (App/URL) based rules from Untrust to Trust network when possible.
• Subject Untrust to Trust traffic to IPS inspection.
Rule Action - ordering (diagram): an incoming packet is matched against the rules top to bottom; no match moves on to the next rule.
• Rule 1: Monitor – matching traffic continues to the following rules.
• Rule 2: Trust – no inspection.
• Rule 2: Block – no inspection.
• Rule 2: Allow – Network Discovery, File Policy, Intrusion Policy.
• Default Action – Network Discovery, Intrusion Policy.
Access Control Rules - Best Practices
Rule Order Example
Geolocation Rules
Layer-3/4 Rules
URL Rules
App Rules
Default Action
Reference Slide: FTD Routed Packet Flow (diagram repeated; the stages are listed at its first occurrence above).
Security Intelligence – DNS
• DNS SI performs a "man in the middle" for DNS queries (the diagram shows the DNS Domain Not Found response).
1 Policies >> DNS >> Edit DNS Policy
3 Edit Access control Policy >> Security Intelligence
Security Intelligence - Events
Analysis > Connections > Security-Related Events
Reference Slide: FTD Routed Packet Flow (diagram repeated; the stages are listed at its first occurrence above).
Encrypted Visibility Engine
1 Edit Access control Policy >> Advanced (step 2 is shown in the screenshot)
Encrypted Visibility Engine …Cont'd
Client OS discovery – How It Works
• To see Client OS detection by EVE, the feature toggle must be enabled from the AC Policy's advanced UI under Encrypted Visibility Engine.
• Next, Hosts must be enabled under Policies > Network Discovery.
Encrypted Visibility Engine cont'd
OS information can be viewed here:
Encrypted Visibility Engine
Events View with Application Assignment
• This feature allows applications to be assigned to processes identified by EVE.
• Customers can add AC rules to allow, block or trust applications mapped to processes.
TLS Decryption Policy
Policies >> Decryption policy >> Advanced
Advanced Options
• The default action is Do not decrypt.
• Customize the advanced options based on your organization's needs if you use a Decryption Policy.
Reference Slide: FTD Routed Packet Flow (diagram repeated; the stages are listed at its first occurrence above).
Network Discovery
Reference Slide: FTD Routed Packet Flow (diagram repeated; the stages are listed at its first occurrence above).
Intrusion Policy (base policy options):
Connectivity Over Security – Built for organizations where connectivity takes precedence over network infrastructure security.
Balanced Security and Connectivity – These policies are built for both speed and detection. This policy is a good starting point for most organizations and deployment types.
Security Over Connectivity – These policies are built for organizations where network infrastructure security takes precedence over user convenience.
Maximum Detection – Built for organizations where network infrastructure security is given even more emphasis than is given by the Security Over Connectivity policies, with the potential for even greater operational impact.
Intrusion Policy
Cisco Recommendations Rules Configurations
1 Policies > Intrusion > Edit the snort3 policy > Recommendations
• Cisco Recommended Rules automatically tune your Snort rules for the applications, servers and hosts on your network.
• To enable Cisco Recommended Rules:
• Hosts need to be enabled in the Network Discovery Policy.
• Add Protected Networks during configuration (step 2).
Variable Sets
Objects > Object Management > Variable Set
Variable Sets
• Variables provide directionality.
• This sample rule triggers for traffic from External net to Home net on the HTTP ports with the content described below.
• This might also be useful to detect events within your network, if your IPS is deployed separating different network segments.
Rule header fields: Client IP, Client port -> Server IP, Server port
Sample Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Accellion FTA arbitrary file read attempt"; flow:to_server,established; http_uri; content:"/courier/intermediate_login",fast_pattern,nocase; http_cookie; content:"statecode",nocase; content:"%00"; metadata:policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2015-2856; classtype:attempted-recon; sid:35302; rev:2; )
Variable Sets
Recommendations
SecOps Managed or Internal IPS – If your team is interested in threat hunting and is willing to spend time tuning:
a. Leave EXTERNAL_NET as "any"
b. Make an internal decision on how to configure, or not configure, HOME_NET.
Internet Perimeter Deployment – If your team wants a simple IPS deployment with a minimal amount of alerts:
a. Configure HOME_NET to match all RFC-1918 IPv4 addresses, your Internet routable addresses, and your IPv6 space.
b. Configure EXTERNAL_NET as !HOME_NET
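As an added example (not part of the session material), the following Python evaluates the header of the sample rule above (alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS) under both recommendations, showing how HOME_NET and EXTERNAL_NET give the rule its direction. The organisation's routable block, IPv6 space, the trimmed HTTP_PORTS list and the choice of HOME_NET "any" for the SecOps case are assumptions.

```python
"""Added example: how the HOME_NET / EXTERNAL_NET variable set decides whether the
header of '$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS' matches a flow."""
import ipaddress

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Constructed assumptions: the organisation's routable IPv4 block and IPv6 space,
# and a trimmed HTTP_PORTS list (the real default list is longer).
ORG_ROUTABLE = ["203.0.113.0/24"]
ORG_IPV6 = ["2001:db8::/32"]
HTTP_PORTS = {80, 8080}


class VariableSet:
    """HOME_NET / EXTERNAL_NET as Snort evaluates them: "any", a list of CIDRs,
    or (for EXTERNAL_NET) the negation "!HOME_NET"."""

    def __init__(self, home_net, external_net, http_ports):
        self.home_net = self._parse(home_net)
        if external_net in ("any", "!HOME_NET"):
            self.external_net = external_net
        else:
            self.external_net = self._parse(external_net)
        self.http_ports = set(http_ports)

    @staticmethod
    def _parse(spec):
        return "any" if spec == "any" else [ipaddress.ip_network(n) for n in spec]

    @staticmethod
    def _contains(nets, ip):
        if nets == "any":
            return True
        addr = ipaddress.ip_address(ip)
        # 'in' is False for an address of the other IP version, so mixed v4/v6 lists are safe.
        return any(addr in net for net in nets)

    def in_home_net(self, ip):
        return self._contains(self.home_net, ip)

    def in_external_net(self, ip):
        if self.external_net == "!HOME_NET":
            return not self.in_home_net(ip)
        return self._contains(self.external_net, ip)

    def header_matches(self, src, dst, dport):
        """True if src -> dst:dport satisfies '$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS'."""
        return self.in_external_net(src) and self.in_home_net(dst) and dport in self.http_ports


# Internet Perimeter Deployment: HOME_NET = RFC-1918 + routable + IPv6, EXTERNAL_NET = !HOME_NET.
PERIMETER = VariableSet(RFC1918 + ORG_ROUTABLE + ORG_IPV6, "!HOME_NET", HTTP_PORTS)
# SecOps Managed / Internal IPS: EXTERNAL_NET left as "any"; HOME_NET also "any" here (assumption).
SECOPS = VariableSet("any", "any", HTTP_PORTS)

# Constructed flows: (src, dst, dport)
FLOWS = [
    ("198.51.100.7", "192.168.10.5", 80),    # Internet -> internal web server
    ("192.168.20.9", "192.168.10.5", 80),    # internal segment -> internal web server
    ("192.168.10.5", "198.51.100.7", 80),    # internal -> Internet (outbound)
    ("198.51.100.7", "203.0.113.10", 8080),  # Internet -> host in the routable block
    ("2001:db8:1::9", "2001:db8::5", 80),    # IPv6 flow inside the org's own space
]


def evaluate(varset, flows):
    """Map each (src, dst, dport) flow to whether the rule header matches."""
    return {flow: varset.header_matches(*flow) for flow in flows}


if __name__ == "__main__":
    for name, varset in (("perimeter", PERIMETER), ("secops", SECOPS)):
        for flow, hit in evaluate(varset, flows=FLOWS).items():
            print(name, flow, "MATCH" if hit else "no match")
```

With the perimeter set only the two inbound flows match; with EXTERNAL_NET and HOME_NET left as "any" every flow on an HTTP port matches, including the internal segment-to-segment one, which is the trade-off the two recommendations describe.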
Access Control Rules – Best Practices
What happens to the traffic during pending rule evaluation?
Edit Access control Policy >> Advanced
• The highlighted IPS policy is used for inspection while the Firewall Engine is still determining the application/URL category of a traffic flow.
Reference Slide: FTD Routed Packet Flow (diagram repeated with the Snort stages expanded: VPN Decrypt, SI URL/DNS Blacklist, Stream5 Preproc, SSL Policy, AppID, Rule Action: Prefilter Fastpath or Trust, Advanced Top L3/L4 Trust Rules, Identity Policy, QOS (Classify), Network Discovery, L7 ACL APP/URL; the remaining stages are listed at its first occurrence above).
Network Analysis Policy
Snort2
Network Analysis Policy
Snort3
Network Analysis Policy
Policies > Intrusion > Network Analysis Policies
Inline Normalization
Network Analysis Policy
Enable the Network Analysis Policy
Policies > Access control > Edit the policy > Advanced
PortScan Detection and Prevention
1 Edit Access control Policy >> Advanced (steps 2 and 3 are shown in the screenshots)
• Can detect different port scans and port sweeps.
• Supported with Snort3 starting from 7.2.
• Configuration settings are granular.
• Can be enabled in Detection or Prevention mode.
• By default, port scan detection will be done on allowed traffic but can also be enabled on denied traffic.
PortScan Detection and Prevention
• Traffic Selection
• Monitor
• Ignore Scanner
• Ignore Target
PortScan Detection and Prevention
Example
Anti Spoof or Reverse Path check
Recommendations
• Checks that the ingress packet is received on the correct interface according to the routing table.
Edit Device >> Device Management >> Edit the device >> Edit the interface
CLI Command
Anti Spoof or Reverse Path check
CLI show commands
FTD#show asp drop
Frame drop:
…
Reverse-path verify failed (rpf-violated) 90
Syslogs
FTD-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
FTD-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
FTD-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
Fragmentation
Recommendations
• Default behavior is to do virtual re-assembly.
Edit Device >> Device Management >> Edit the device >> Edit the interface
Fragmentation
Logs
Syslog:
FTD-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address
FTD-4-209003: Fragment database limit of number exceeded: src = source_address, dest = dest_address, proto = protocol, id = number
FTD-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = source_address, dest = dest_address, proto = protocol, id = number
FTD-4-209005: Discard IP fragment set with more than number elements: src = Too many elements are in a fragment set.
FTD-4-209006: Fragment queue threshold exceeded, dropped TCP fragment from IP address/port to IP address/port on outside interface
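An added example (not from the session) that covers both the anti-spoof / reverse-path syslogs and the fragmentation syslogs above: a Python parser that classifies the 106016/106021/106022 and 106020/209003-209006 messages, extracts the source address and interface, and lists sources whose denies reach a threshold. The sample log lines are constructed to follow the slide templates (addresses made up), and the threshold is an arbitrary assumption.

```python
"""Added example: classify the anti-spoof / reverse-path and fragmentation
syslog IDs from the slides and surface sources that generate many denies."""
import re
from collections import Counter

# Message IDs called out on the slides, grouped by family.
SPOOF_IDS = {"106016": "ip-spoof", "106021": "rpf-check", "106022": "conn-spoof"}
FRAG_IDS = {"106020": "teardrop", "209003": "frag-db-limit", "209004": "frag-oversize",
            "209005": "frag-too-many", "209006": "frag-queue-threshold"}

HEADER_RE = re.compile(r"%?FTD-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
# Source shows up as "from (a.b.c.d)", "from a.b.c.d", "from a.b.c.d/port" or "src = a.b.c.d".
SRC_RE = re.compile(r"(?:from \(?|src = )(?P<src>[0-9a-fA-F.:]+)")
# Interface shows up as "on interface <name>" or "on <name> interface".
IFACE_RE = re.compile(r"on interface (?P<a>[\w-]+)|on (?P<b>[\w-]+) interface")

# Constructed sample lines following the slide templates (addresses are made up);
# the last line is an unrelated message that must be ignored.
SAMPLE_LOG = [
    "%FTD-2-106016: Deny IP spoof from (192.168.1.50) to 10.10.10.20 on interface outside.",
    "%FTD-1-106021: Deny tcp reverse path check from 192.168.1.50 to 10.10.10.20 on interface outside",
    "%FTD-1-106021: Deny udp reverse path check from 192.168.1.50 to 10.10.10.53 on interface outside",
    "%FTD-2-106020: Deny IP teardrop fragment (size = 36, offset = 0) from 198.51.100.9 to 10.10.10.20",
    "%FTD-4-209003: Fragment database limit of 200 exceeded: src = 198.51.100.9, dest = 10.10.10.20, proto = UDP, id = 4021",
    "%FTD-4-209006: Fragment queue threshold exceeded, dropped TCP fragment from 198.51.100.9/40000 to 10.10.10.20/80 on outside interface",
    "%FTD-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/5000 (198.51.100.7/5000) to inside:10.10.10.20/443 (10.10.10.20/443)",
]


def parse_line(line):
    """Return a dict for a spoof/RPF or fragmentation message, else None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    mid = m["id"]
    kind = SPOOF_IDS.get(mid) or FRAG_IDS.get(mid)
    if kind is None:
        return None  # some other message ID; not in scope here
    body = m["body"]
    src = SRC_RE.search(body)
    iface = IFACE_RE.search(body)
    return {
        "id": mid,
        "severity": int(m["sev"]),
        "kind": kind,
        "family": "spoof" if mid in SPOOF_IDS else "fragment",
        "src": src["src"] if src else None,
        "interface": (iface["a"] or iface["b"]) if iface else None,
    }


def summarize(lines):
    """Count denies per (family, source address, interface)."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event:
            counts[(event["family"], event["src"], event["interface"])] += 1
    return counts


def noisy_sources(lines, threshold):
    """Sources whose spoof + fragment denies reach the threshold (candidates to investigate)."""
    per_src = Counter()
    for line in lines:
        event = parse_line(line)
        if event and event["src"]:
            per_src[event["src"]] += 1
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(key, n)
    print("noisy:", noisy_sources(SAMPLE_LOG, threshold=3))
```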
Reference Slide: FTD Routed Packet Flow (diagram repeated; the stages are listed at its first occurrence above).
Application Layer Protocol Inspections
CLI
• To enable: > configure inspection <protocol> enable
• To disable: > configure inspection <protocol> disable
Application Layer Protocol Inspections cont'd
Examples
ICMP
➢ Keeps track of echo requests and allows the echo response back without the need for an access-list.
➢ The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.
➢ This helps against ICMP attacks.
DNS
➢ DNS inspection is enabled by default, using the preset_dns_map inspection class map:
➢ The maximum DNS message length is 512 bytes.
➢ DNS Guard is enabled, so the FTD tears down the DNS session associated with a DNS query as soon as the respective DNS reply is forwarded by the FTD.
➢ Protocol enforcement is enabled, which enables DNS message format checks, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.
Management Access and Control Plane
FMC Access-list
Access to FMC GUI and SSH
• By default, the SSH and HTTPS access lists are set to any. It is suggested to add rules that allow only specific hosts/subnets and to remove the any entry.
• SSH (default ACL)
• HTTPS (default ACL)
System >> Configuration >> Access List
FMC Authentication
FMC login → FMC Auth: Internal users, or External authentication via LDAP/S, RADIUS or SSO (diagram).
FMC – Internal Users
Recommendations
• Customize these options based on the organization's security policy:
• Set the Maximum Number of Failed Logins.
• Set the Minimum Password Length.
• Set the Days Until Password Expiration.
• Set the Days Before Password Expiration Warning.
FMC User Configuration
Recommendations
• By default, these settings are disabled.
• Customize these options based on the organization's security policy.
System ( ) > Configuration > User Configuration
Password Reuse Limit: The number of passwords in a user's most recent history that cannot be reused.
Track Successful Logins: The number of days that the system tracks successful logins to the management center GUI/CLI.
FMC User Configuration
Set Time in Minutes to Temporarily Lockout Users: The duration in minutes for a temporary web interface user lockout if Max Number of Failed Logins is non-zero.
FMC Login Timeout
Recommendations
• Customize these options based on the organization's security policy.
System ( ) > Configuration.
• Web interface (management center only): Configure the Browser Session Timeout (Minutes). The default value is 60; the maximum value is 1440 (24 hours).
• To exempt users from this session timeout, see Add an Internal User.
• CLI: Configure the CLI Timeout (Minutes) field. The default value is 0; the maximum value is 1440 (24 hours).
External Authentication
System ( ) > Users > External Authentication.
• LDAP can be hardened by securing the connection:
• Port tcp/389 – None or TLS
• Port tcp/636 – SSL
FMC Login Banner
Recommendations
System ( ) > Configuration >> Login Banner
• The login banner serves as a warning for unauthorized users.
• You can use ASCII characters and carriage returns to create a custom login banner.
FTD - Mgmt Access
Recommendations
• A few settings which help harden FTD user accounts:
• Maxfailedlogins - Set maximum failed logins: configure user maxfailedlogins <user> <count>
• Minpasswdlen - Set minimum password length: configure user minpasswdlen <user> <length>
• Aging - Set user password aging: configure user aging <user> <max_days> <warn_days>
• Strengthcheck - Set strength requirement on user password: configure user strengthcheck <user> <enable>
Mgmt Access – Restrict Expert mode
• Restrict Linux Shell Access
• Users with Config level access can use the CLI expert command to
access the Linux shell.
NTP
Recommendations
• Certain features on Secure Firewall depend on the system time for their operation, such as syslog, writing log files, time-based ACLs, certificate functions, etc.
• It is recommended to use a trusted NTP server for time sync of FMC and FTD.
• FMC supports 3 NTP authentication types:
• MD5
• SHA-1
• AES-128 CMAC
DNS
Recommendations
VPN
Deprecated Ciphers based on version
Deprecated Hash Algorithms, Encryption Algorithms, and Diffie-Hellman Groups
• As newer and more secure ciphers get added, the older and less secure algorithms are deprecated.
• Update your IKE proposals and IPsec policies to maintain the security standards.
• Example: the following less secure ciphers have been removed or deprecated from FTD 6.7 onwards:
• Diffie-Hellman group 5 is deprecated for IKEv1 and removed for IKEv2
• Diffie-Hellman groups 2 and 24 have been removed.
• Encryption algorithms: 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256 have been removed.
High to low secure Ciphers
TLS configuration for Remote Access VPN.
Devices >> Platform Settings >> SSL (steps 1 and 2 are shown in the screenshots)
Logging and Monitoring
FMC - Monitoring
SNMP Polling Recommendations
• SNMPv1 and v2 are supported, but are not secure as the data is in clear text.
• SNMPv3 is preferred to ensure security.
1 System ( ) > Configuration >> SNMP (steps 2 and 3 are shown in the screenshots)
4 System ( ) > Configuration >> Access List
FMC – Monitoring
Syslog Alerts Recommendations
• FMC can send alerts in 3 ways; the screenshot shows New SNMP Server and New syslog Server.
FMC – Monitoring
Email Configuration Recommendations
2 Policies >> Actions >> Alerts
FMC – Monitoring
Health Alert Configuration
Example SNMP Trap
FMC – Monitoring
Emails for Intrusion
• Emails can be set up based on specific signatures.
• Especially useful if there is a team reviewing these IPS alerts.
Monitoring – FTD
• SNMPv3 is preferred to ensure security.
• Supported User Types
• Auth—Authentication but No Privacy
• No Auth—No Authentication and No Privacy
• Priv—Authentication and Privacy
FTD Logging
• FTD logging can be event data or system messages.
• Send event data to a centralized logging system.
• Regularly monitor and analyze intrusion alerts to identify potential threats.
• Review and fine-tune the IPS policy based on the alerts to improve detection accuracy.
Policies > Access control > Edit the policy > Logging
FTD Logging
Syslogs
• Can be configured to be generated using the Management interface or any data interface as the source interface.
• Connection events and system messages are both generated from the FW.
430001: Intrusion event
430002: Connection event logged at beginning of connection
430003: Connection event logged at end of connection
430004: File events
430005: File malware events
FTD Logging
Syslogs
• LINA messages can be sent to the syslog server as well (step 1).
• Recommended to be set at Informational (TAC suggestion) (step 2).
FTD Logging cont'd
Secure Syslog
• Only supported on a data interface.
• Needs to be TCP.
Netflow
• Supports NSEL to track connection info and trends.
Netflow
• Disable syslogs that provide the same information as NetFlow.
• This helps with performance too.
Audit Logs
• Compare View is available on what changes were made within the policies.
Audit Logs - Screenshot
System Configuration
Audit Logs - Syslogs
• Has details on User Activity.
SW and Content Updates
Different Updates
Update type – Manual – Scheduled – Frequency of updates
Software update – Yes – Yes – Every few months
GeoDB – Yes – Yes – 1-2/Month
Software Update
• Need to have a software life cycle strategy based on your company's security needs.
• PSIRT releases
• Monitor Security Advisories and Field Notices.
• Look out for the PSIRT releases.
• Golden Star releases
• Most stable version available.
• A Golden Star release is usually tagged to a Long Term or Extra Long Term release.
Intrusion Policy
Keep your rules up to date
• Regularly update your IPS rule set to ensure the latest protection.
• Schedule recurring automatic updates of intrusion rules on an FMC with internet access.
Different Updates
• VDB install and some other configuration changes may require
Snort restart.
• Recommended to schedule these updates during low traffic times.
URL Filtering
• URL Query Source (available from 7.3):
• Local Database Only
• Local Database and Cisco Cloud
• Cisco Cloud Only
Compliance
Security Certifications Compliance
• Some organizations might be required to use only equipment and software complying with security standards established by the U.S. Department of Defense and global certification organizations.
• Firepower supports compliance with the following security certification standards:
• Common Criteria (CC): a global standard established by the international Common Criteria Recognition Arrangement, defining properties for security products
• Unified Capabilities Approved Products List (UCAPL): a list of products meeting security requirements established by the U.S. Defense Information Systems Agency (DISA)
• Federal Information Processing Standards (FIPS) 140: a requirements specification for encryption modules
PS: After you enable this setting, you cannot disable it. If you need to take an appliance out of CC or UCAPL mode, you must reimage.
Performance Best Practices
Intrusion
Snort2 vs Snort3
Multi-Threaded Architecture – Snort 3: Yes
Elephant Flows
• Flows that are large, continuous, long-duration and fast, with a high ability to cause duress for Snort CPU cores.
• By default, elephant flows are those larger than 1GB/10 seconds.
• EF examples: VM migration, database replication, nightly backup, etc.
• NEF (non-elephant flow) example: web searching.
Note: Elephant flow can be used interchangeably with other terms like fat flow or single flow as well. We will be using Elephant flow during the rest of the presentation.
Overview of Elephant Flow Detection
• You can use the elephant flow detection feature to take action on elephant flows.
• Bypass elephant flow – bypass Snort inspection.
• Throttle elephant flow – apply a rate limit to the flow and continue to inspect. The flow rate is calculated dynamically and reduced by 10%.
7.1 – feature introduced in FTD CLI (only with detection). Snort3 must be the detection engine.
7.2 – feature introduced on FMC GUI (with remediations). Doesn't apply to encrypted traffic.
Configure Elephant Flow Detection
Access control policy → Advanced → Elephant Flow
Elephant Flows – Identification 7.1 and later
Elephant Flow
All options to remediate Elephant Flows
Columns: Platform | Snort2 | Snort3 | IAB | Static Offload | Dynamic Offload | Elephant Flows (FMC): 7.1 (only detection, snort3), 7.2+ (detection and remediation)
9300 FTD | Yes | Yes - 7.0+ | Yes | Yes | Yes – 6.3+ | Yes – 7.1+
4100 FTD | Yes | Yes - 7.0+ | Yes | Yes | Yes – 6.3+ | Yes – 7.1+
3100 FTD | Yes | Yes - 7.0+ | Yes | Planned | - | Yes – 7.1+
2100 FTD | Yes | Yes - 7.0+ | Yes | NA | NA | Yes – 7.1+
1000 FTD | Yes | Yes - 7.0+ | Yes | NA | NA | Yes – 7.1+
DDOS Protection – Threat Detection
Option 1 (configuration steps are shown in the screenshot)
DDOS Protection – TCP intercept in MPF
Option 1 (configuration steps are shown in the screenshot)
Access-List Recommended Limit
• Every platform has a Cisco recommended ACL limit for optimal performance.
• A health alert gets generated when this limit is exceeded.
PS: Any number of new rules can be deployed if you have free memory, as there is no hard limit. However, these limits are the recommended limits for optimal performance.
Access-List Limit
• Memory required for rule usage can be reduced by enabling object group search (OGS).
Access-List Limit
With OGS – 107 rules
Interface Object Optimization
• Needs to be enabled with OGS.
• When both are enabled, the system will instead deploy a single rule per access control/prefilter rule.
Transactional Commit
• Default behavior (without Transactional Commit):
• A newly applied rule becomes effective immediately.
• When a large ACL is deployed, this immediacy comes at a slight cost in performance and becomes noticeable in high conns/sec environments.
• When enabled, a rule update is applied after the rule compilation is completed, without affecting rule lookup performance.
• Very effective in dealing with high CPU during loading of the startup config, config replication in HA/Cluster and compiling a large ACL rulebase.
Transactional Commit – Configuration
Create a FlexConfig Object
Transactional Commit – Configuration
Add the FlexConfig Object to the FlexConfig Policy
FMC Database Limits
System ( ) > Configuration >> Database
Conclusion
"As we've come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided."
- Art Wittmann