Advanced Firepower IPS Deployment


Advanced Firepower IPS Deployment
Gary Halleen, Technical Solutions Architect
BRKSEC-3300

Webex Teams: Questions? Use Webex Teams to chat with the speaker after the session.
How: Find this session in the Cisco Events App, click "Join the Discussion", install Spark or go directly to the space, and enter messages/questions in the space. Webex Teams spaces will be available until June 28. cs.co/ciscolivebot#brksec-3300
BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public

About the Speaker: Gary Halleen, Technical Solutions Architect, Global Security Architect Team.

Oregon: Pacific Wonderland.

Some of My Hobbies.

Complete your Online Session Evaluation.

Cisco Firepower Sessions: Building Blocks (Monday through Thursday):
o BRKSEC-2031 ASA Fleet Management at Scale
o BRKSEC-2064 NGFWv and ASAv in Public Cloud (AWS and Azure)
o BRKSEC-3300 Advanced Firepower IPS Deployment (we are here!)
o BRKSEC-3032 NGFW Clustering Deep Dive
o BRKSEC-2050 Firepower NGFW Internet Edge Deployment Scenarios
o BRKSEC-3455 Dissecting Firepower Installation & Troubleshooting
o BRKSEC-2050 Firepower NGFW Internet Edge Deployment
o BRKSEC-2020 Firepower Deployment Data Center & Enterprise Network Edge
o BRKSEC-3035 Firepower Platform Deep Dive
o BRKSEC-2066 Optimizing Your Firepower/FTD Deployment
o BRKSEC-2058 Deep Dive into Firepower Manager

Agenda:
o Policy Interaction and Firepower Recommendations
o Advanced Tuning Topics
o Importing Snort Rules
o IPS Pass Rule
o Bypass Options
o OpenAppID
o Security Intelligence
o SSL Inspection for IPS

Introduction: This session covers Firepower 6.2.3, managed with Firepower Management Center (FMC). It does NOT cover Cisco IPS 7.0.

Introduction (For Your Reference): For the purposes of this session, these terms are treated the same: Firepower, Firepower Threat Defense, and ASA with Firepower Services.


Firepower Policies: How often are policies modified (frequently, little, or rarely)? The policies are: Access Control Policy, Malware and File Policy, Network Discovery Policy, Intrusion Policy, DNS Policy, Network Analysis Policy, SSL Policy, Identity Policy, Correlation Policy, Health Policy, and Prefilter Policy.

Policy Order of Operation: Prefilter (FTD only) -> Intrusion (for AppID) -> Access Control Policy: optional SSL, Identity, SI / DNS, then Access Control Rules, Intrusion, File / Malware.

Intrusion Policy: The Intrusion Policy defines which Snort rules are used in packet inspection.

Intrusion Base Policy (CVSS score / vulnerability age / rule categories):
o Connectivity over Security: CVSS 10; current year plus 2 prior (2018, 2017, and 2016).
o Balanced Security and Connectivity: CVSS 9+; current year plus 2 prior; rule categories Malware-CNC, Blacklist, SQL Injection, Exploit Kit.
o Security over Connectivity: CVSS 8+; current year plus 3 prior (2018, 2017, 2016, and 2015); rule categories Malware-CNC, Blacklist, SQL Injection, Exploit Kit, App-Detect.
o Maximum Detection: CVSS score and vulnerability age (... and later); rule categories Malware-CNC, Exploit Kit.

Intrusion Policy: You can manually enable/disable individual rules or configure actions.

Intrusion Policy: There are several ways to search for rules.

Network Discovery Policy: Used to identify which networks Firepower should learn from. Useful for applications, and especially for maintaining the Firepower Recommended Rules in the Intrusion Policy.

Intrusion Policy and Network Discovery Policy: Firepower Recommended Rules automatically tunes your Snort rules for the applications, servers, and hosts on your network.

Access Control Policy: Traffic must match in the Access Control Policy in order to be inspected. For a simple IPS deployment, you can use the Default Action.

Access Control Policy: In an NGFW deployment, the Default Action will likely be Block All Traffic. An Intrusion Policy needs to be defined for each Allow action.

Access Control Policy: If you need, different Allow rules can have different Intrusion Policies assigned.


Network Analysis Policy: What is this? Do I need to do anything here?

Network Analysis Policy: The Network Analysis Policy (NAP) controls the preprocessors, and determines things such as:
o Fragmentation reassembly
o Protocol compliance
What should we tune?

Network Analysis Policy: a trade-off between Security and Usability.

Fragmentation: Both IP and TCP can cause a stream of data to break into many parts. Both IP fragmentation and TCP segmentation may be naturally occurring or performed intentionally to evade IPS. IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate this evasion technique.
Diagram: the payload "USER root" is split by TCP segmentation into two segments (HDR USER | HDR root), and by IP fragmentation into four fragments (HDR HDR US | HDR ER | HDR HDR ro | HDR ot).

How Bad can Fragmentation Get? Layers: IP, TCP, SMB, MSRPC, Payload. A packet capture of a regular attack is ~4k; after layers of evasion it is 30MB or more, hundreds of thousands of packets!

Network Analysis Policy: Do these Base Policies look familiar? Besides the name, these Base Policies have NOTHING in common with the Intrusion Base Policies.

Network Analysis Policy: Inline Normalization: MAYBE. Enforces protocol compliance for the TCP and IP protocols. Enabling normalization will block some non-standard implementations and many attacks. However, it can potentially block poorly-written legitimate traffic. How risk-averse are you?

Network Analysis Policy: TCP Stream: YES. Unless you are deploying IPS into a segment containing ONLY Windows hosts, you absolutely should tune this. TCP Stream determines how fragmented TCP traffic is reassembled. Different operating systems handle reassembly differently, and it is critical that your IPS understands the hosts.
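The ambiguity that TCP Stream tuning resolves, as an added example (not code from the deck): the same overlapping segments reassemble to different payloads depending on whether bytes that arrived first or last win, which is the kind of per-OS behaviour the target-based policy encodes. The two policy names and the sample segments are constructed.

```python
"""Target-based TCP reassembly in miniature (added example, not Firepower code).

Two overlapping segments are reassembled under two constructed overlap policies:
'favor_old' keeps the bytes that arrived first, 'favor_new' lets later bytes
overwrite them. Real operating systems differ in exactly this way, which is why
the TCP Stream preprocessor has to reassemble the way the protected host does.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes   # payload


def reassemble(segments, policy):
    """Rebuild the byte stream; return None while there is still a hole."""
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if policy == "favor_old":
                stream.setdefault(offset, byte)    # first writer wins
            elif policy == "favor_new":
                stream[offset] = byte              # last writer wins
            else:
                raise ValueError(f"unknown policy {policy!r}")
    if not stream:
        return b""
    out = bytearray()
    for offset in range(min(stream), max(stream) + 1):
        if offset not in stream:
            return None                            # missing bytes, cannot reassemble yet
        out.append(stream[offset])
    return bytes(out)


def policies_disagree(segments):
    """True when the IPS and the host could see different data for these segments."""
    return reassemble(segments, "favor_old") != reassemble(segments, "favor_new")


# Constructed sample: a segment carrying "guest" is followed by a retransmission
# of the same sequence range carrying "root". Whichever policy the host applies
# decides which username the application actually receives.
SAMPLE_SEGMENTS = [
    Segment(0, b"USER "),
    Segment(5, b"guest"),
    Segment(5, b"root\n"),
]

if __name__ == "__main__":
    for policy in ("favor_old", "favor_new"):
        print(policy, reassemble(SAMPLE_SEGMENTS, policy))
    print("policies disagree:", policies_disagree(SAMPLE_SEGMENTS))
```

If the IPS reassembles with one policy and the host with the other, the rule that should have matched "USER root" never sees it, which is why the NAP's TCP Stream settings are mapped to the operating systems actually present.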

Network Analysis Policy: UDP Stream: Probably Not. Not much to tune.

Network Analysis Policy: IP Defragmentation: YES. Similar reason as TCP Stream.

Access Control Policy Advanced Settings: Don't forget to select the Network Analysis Policy from the Access Control Policy -> Advanced tab. If you need to use multiple Network Analysis Policies (maybe some networks have Windows servers and another has Linux, for example), you can create rules to perform the mapping.


Snort Rules: All Firepower Intrusion Rules are Snort rules. Cisco provides regular rule updates, and these are typically applied automatically. Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion Rules -> Create Rule), or can be imported.

Snort Rules: Snort rules are normally written on a single line, with no special characters, in ASCII or UTF-8 format. The import file can contain many rules as long as there is one rule per line. Many of the Emerging Threats rules use deprecated syntax (the threshold statement). If you are importing ET rules, you'll need to correct or remove these rules first; threshold has been replaced with detection_filter. Imported rules SHOULD not have a rule SID, but one is allowed. All on ONE line: alert tcp [ /19, /22, /17, /14, /22, /18,42.

Snort Rules (continued): Sometimes it is much more readable to spread the rule across multiple lines. Do this with the backslash character (\). Example rule (from Emerging Threats):
  alert tcp \
    [ /19, /22, /17, /14, /22, /18, \
      /22, /12, /12, /22, /22, /17, \
      /12, /22, /16, /22, /22, \
      /22, /22, /22] \
    any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
    flags:S; reference:url, \
    threshold: type limit, track by_src, seconds 3600, count 1; \
    classtype:misc-attack; flowbits:set,et.evil; flowbits:set,et.dropip; sid: ; \
    rev:2607;)

Snort Rules (continued): This ET rule has the deprecated keyword threshold, so let's fix it by replacing the threshold option with detection_filter (the type clause goes away; track, seconds, and count stay):
  alert tcp \
    [ /19, /22, /17, /14, /22, /18, \
      /22, /12, /12, /22, /22, /17, \
      /12, /22, /16, /22, /22, \
      /22, /22, /22] \
    any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
    flags:S; reference:url, \
    detection_filter: track by_src, seconds 3600, count 1; \
    classtype:misc-attack; flowbits:set,et.evil; flowbits:set,et.dropip; sid: ; \
    rev:2607;)

Importing Snort Rules: Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules and click Import Rules.

Importing Snort Rules: Click Browse to locate your file, and click Import.

Importing Snort Rules: If successful, you will see a screen showing what has been imported. If unsuccessful, the Rule Update Log will tell you what was wrong with the file.

Enabling Snort Rules: Remember, all imported rules are Disabled by default. You need to enable them.


How do you exempt specific servers from a Snort rule? Options:
1. Look at the rule and see if you can modify the variables in use ($EXTERNAL_NET and $HOME_NET, for example).
2. Use a different Intrusion Policy for some hosts. This could have a memory or performance impact if overused.
3. Create a Pass Rule. This is probably the best option.

Pass Rule: Open the firing rule in the Rule Editor (Objects -> Intrusion Rules).

Pass Rule: Change the Action to pass.

Pass Rule: Change the Message (add PASS RULE to the beginning). Add the IP address or variable name (for example $SCANNER_HOSTS) to the source or destination IP.

Pass Rule: Click Save as New.

Pass Rule: Finally, edit the Intrusion Policy, and change the Rule State for your new Local Rule to Generate Events. Save and deploy the Intrusion Policy.
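An added Python example (not from the deck, Cisco, or Emerging Threats) that does both jobs described above: it joins backslash-continued rules onto one line and rewrites threshold to detection_filter so a third-party file imports cleanly, and it derives a pass rule from an alerting rule the way the Pass Rule steps describe. The sample rules, addresses (RFC 5737 ranges), and SIDs are constructed.

```python
"""Prepare Snort rules for FMC import and derive a pass rule (added example; not
Firepower or Emerging Threats code). Joins backslash-continued lines so each rule
is on one line, rewrites the deprecated 'threshold' option to 'detection_filter',
and builds a pass rule: action 'pass', msg prefixed 'PASS RULE', the exempt source
substituted, sid/rev dropped so the imported local rule is assigned its own SID.
Sample rules, addresses (RFC 5737 ranges) and SIDs below are constructed."""
import re

SAMPLE_RULES = r"""
# constructed sample: one rule over continuation lines, one already clean
alert tcp \
  [192.0.2.0/24, 198.51.100.0/24, \
   203.0.113.0/24] \
  any -> $HOME_NET any (msg:"ET DROP Listed Traffic Inbound group 2"; \
  flags:S; reference:url,example.invalid/drop; \
  threshold: type limit, track by_src, seconds 3600, count 1; \
  classtype:misc-attack; sid:9000001; rev:2607;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH probe"; flow:to_server; classtype:attempted-recon; sid:9000002; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\[[^\]]*\]|\S+)\s+(?P<sport>\[[^\]]*\]|\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\[[^\]]*\]|\S+)\s+(?P<dport>\[[^\]]*\]|\S+)\s*\((?P<opts>.*)\)$"
)

def join_continuations(text):
    """One rule per list entry: join lines ending in '\\', drop blanks and comments."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line and not line.startswith("#"):
            rules.append(line)
    return rules

def split_options(opts):
    """Split the option body on ';' outside double quotes (msg text may contain ';')."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur.strip():
        parts.append(cur.strip())
    return parts

def fix_threshold(option):
    """threshold -> detection_filter, which only takes track/count/seconds; the
    'type limit|threshold|both' clause has no equivalent there and is dropped."""
    m = re.match(r"^threshold\s*:\s*(.*)$", option)
    if not m:
        return option
    clauses = [c.strip() for c in m.group(1).split(",")]
    return "detection_filter: " + ", ".join(c for c in clauses if not c.startswith("type"))

def parse(rule):
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparsable rule: " + rule)
    header = {k: v for k, v in m.groupdict().items() if k != "opts"}
    return header, split_options(m.group("opts"))

def render(header, options):
    return "{action} {proto} {src} {sport} {dir} {dst} {dport} ({opts})".format(
        opts=" ".join(o + ";" for o in options), **header)

def normalize_rules(text):
    """Import-ready rules: one per line, no deprecated 'threshold' option."""
    out = []
    for rule in join_continuations(text):
        header, options = parse(rule)
        out.append(render(header, [fix_threshold(o) for o in options]))
    return out

def derive_pass_rule(rule, exempt, side="src"):
    """Pass rule for one exempt host, network or variable (e.g. '$SCANNER_HOSTS').
    Rate-limiting options are dropped too: a pass rule should match unconditionally."""
    header, options = parse(rule)
    header["action"] = "pass"
    header[side] = exempt
    kept = []
    for o in options:
        key = o.split(":", 1)[0].strip()
        if key in ("sid", "rev", "threshold", "detection_filter"):
            continue
        if key == "msg":
            o = re.sub(r'^msg\s*:\s*"', 'msg:"PASS RULE ', o)
        kept.append(o)
    return render(header, kept)
```

Write the output of normalize_rules() to a text file and import it as described above; the derived pass rule goes into the same file and, once imported, still needs its rule state set in the Intrusion Policy.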

Snort Restart and Reload Architecture: Prior to Firepower 6.2.2, making the Intrusion Rule changes just described would have caused a Snort restart, and potentially disrupted network traffic. Significant improvements in and software have dramatically reduced the number of things that can cause a Snort restart.

Why does Snort Restart?
o New version of Snort in policy deploy
o Reallocate memory for preprocessors / Security Intelligence
o Reload shared objects
o Preprocessor configuration changes
o Configured to restart instead of reload
Cisco.com info on restart conditions:

Why does Snort Restart? FMC warns if any configuration change will interrupt inspection (restart Snort).

Mitigations: 1. Snort Preserve-Connection (6.2.0 / introduction); 2. Software Bypass.

Snort Preserve-Connection:
o When Snort goes down, connections with an Allow verdict are preserved in LINA.
o Snort does NOT do a mid-session pickup on preserved flows when it comes back up.
o Does NOT protect new flows while Snort is down.
o /6.2.3 feature introduction. Enabled by default in
o Can be enabled/disabled from the CLI: configure snort preserve-connection enable/disable

Software Bypass: With inline Fail-Open deployments, traffic is passed uninspected on the software bridge when Snort is down. When Snort comes up, it does a mid-session pickup on the traffic.


Bypass Options:
o Software Bypass: enable traffic, uninspected, when Snort is down or busy.
o Fail-to-Wire Interfaces: bypass traffic upon appliance failure, including loss of power.
o Automatic Application Bypass: restarts Snort processes upon degraded performance.
o Intelligent Application Bypass: application-specific acceleration of defined applications if performance is degraded.
o Trust Rules: accelerate defined traffic but still apply Security Intelligence.
o Prefilter Policy: bypass deep inspection and Security Intelligence based on port / protocol / IP address / zone.

Software Bypass: Software Bypass is only available in Inline Pairing mode or on ASA with Firepower Services.

Fail-to-Wire Interfaces: Fail-to-Wire interfaces (fail-to-wire NetMod) allow for passthrough of traffic in case of appliance failure or loss of power. Available on FP-9300, FP-4100, FP-2100 (not yet available), and the FP-7000, 7100, 8100, 8200, and 8300 IPS appliances. Fail-to-Wire requires an Inline Set, Inline Pair, or Inline Tap deployment.

Automatic Application Bypass (AAB): Detects Snort failures or degraded performance and triggers a restart of the impacted Snort process. First available in FTD in

Trust Rules: Within the Access Control Policy, defined traffic can be exempted from File and IPS inspection, which accelerates it through the appliance. Basing the rule on source/destination port and IP addresses is most effective. Security Intelligence feeds are still applied to Trust rules.

PreFilter Policy: PreFilter rules are processed prior to Intrusion Prevention or Access Control Policies. If traffic can be defined by Zone, Network, and Port (similar to an ASA rule), the traffic can be FastPathed. This is similar to a Trust rule, but Security Intelligence is not applied. PreFilter rules require Firepower Threat Defense.

Intelligent Application Bypass (IAB): Detects degraded performance within an application. If that application is trusted, you can configure it to automatically bypass inspection for it and accelerate the traffic.


Intelligent Application Bypass: What is IAB? IAB takes action when a Snort instance is under duress, if these conditions are met:
o Is the flow a candidate for bypass? Does the network traffic meet the requirements (bytes per flow, packets per flow, flow duration, or flow velocity)?
o Is this a bypassable application? Are you willing to bypass inspection for this particular application?
If the conditions are satisfied, Firepower will accelerate the flow.

Intelligent Application Bypass Caveats! When IAB works to full capability, the flow under duress is handled the same as a PreFilter FastPath rule. If the Access Control Policy (ACP) uses IP-based Security Intelligence, then Snort needs to see the traffic briefly before it is FastPathed. If the ACP uses DNS- or URL-based Security Intelligence, then both Snort and AppID need to see the traffic before it is FastPathed. AppID sometimes takes longer to identify the application, depending on which application it is.

Configuring Intelligent Application Bypass: Find IAB on the Advanced tab of the Access Control Policy, at the bottom of the left side of the page. By default, IAB is disabled.

Configuring Intelligent Application Bypass: Set the State to On or Test, and set the sample period.

Configuring Intelligent Application Bypass: Inspection Performance Thresholds: is the Snort process under duress? These fields are a logical OR, and refer to the Snort process rather than overall appliance CPU: Drop Percentage, Processor Utilization, Packet Latency, Flow Rate.

Configuring Intelligent Application Bypass: Flow Bypass Thresholds: is the flow a candidate to bypass? These are also a logical OR. Bytes per Flow is "How big is the flow?" Take the AMP max file size into consideration!

Configuring Intelligent Application Bypass: Flow Bypass Thresholds (continued). Flow Velocity is the size over time of the flow. Each Snort instance can handle approximately 1Gbps, which is 125,000 kbytes/second. A good starting point for Flow Velocity is 30% of this, or about 40,000 kb/second.

Configuring Intelligent Application Bypass: Define the applications that are bypassable. It may be easier to just allow All Applications.

Monitoring Intelligent Application Bypass: IAB events appear in Connection Events with a reason of Intelligent App Bypass.


OpenAppID: Cisco's open source application layer plugin for Snort and Firepower. OpenAppID uses the Lua programming language to identify applications. There are a number of attributes it can look at, including:
o ASCII or hex patterns and offset
o HTTP User-Agent
o HTTP URL
o HTTP Content-Type
o SSL Host
o SSL Organization Unit
o SSL Common Name
o SIP Server
o SIP User-Agent
o RTM URL pattern

OpenAppID: Most internal Firepower Application Detectors are included in the Snort OpenAppID rules, including Lua source code.

OpenAppID within Firepower: Application Detectors. All Application Detectors in Firepower 6.0 and later use OpenAppID. Custom Application Detectors can be created here as well.

OpenAppID within Firepower: Basic Application Detectors. FMC provides a wizard for creation of Basic detectors. Advanced detectors require you to upload the Lua file.

OpenAppID within Firepower: Advanced Application Detectors (For Your Reference).

OpenAppID Example with Intrusion Policy

OpenAppID and the Intrusion Policy, An Example: A lot of noise is created in the intrusion logs of any IDS/IPS product by automated scripts searching for vulnerable systems and trying generic attacks. Illustration: a scanner on the Internet run against the web server by IP address, with mock output:
  [blkh4t@wd40 ~]$ hackerw3bscan v
  Ports open: tcp/80, tcp/443
  Server: apache
  Vulnerabilities found: CVE SSL Bypass, CVE HTTP2 DOS

OpenAppID and the Intrusion Policy, An Example: These scans or attacks against your IP addresses may or may not be successfully blocked by your IPS devices. They generate noise in your logs. Question: Is there a legitimate reason for Internet users to access your server(s) by IP address instead of FQDN?

OpenAppID and the Intrusion Policy, An Example: The Goal: Block all web traffic that targets an IP address rather than the correct hostname. Use the Intrusion Policy to inspect legitimate traffic. Illustration: the same scan now reports:
  [blkh4t@wd40 ~]$ hackerw3bscan v
  No web server found!

OpenAppID and the Intrusion Policy, Creating the Custom Detector:
1. From the Application Detectors screen, click the button to Create Custom Detector.
2. Click the Add button.
3. Complete the required fields to name your custom application.
4. Click OK.
5. Enter the same Name and Description as in the previous step, and select the Application you just created from the pulldown menu.
6. Leave the Detector_Type as Basic.
7. Click OK.
8. Click Add to add Detection Patterns. This is where we'll define what the application looks like to Firepower.
9. Select HTTP from the Protocol pulldown menu, and URL as Type.
10. Enter your domain name.
11. Click OK.
12. Repeat the process to add the SSL information.
13. Click OK.
14. Click Save. Remember: Basic Detectors perform an OR operation on the Detection Patterns. In this example, any HTTP or HTTPS connection destined to *.zenbango.com will trigger the detector.

OpenAppID and the Intrusion Policy, Activating the Custom Detector: WARNING: When you activate or deactivate any detector, it will trigger your appliances to restart Snort. This will potentially be disruptive to your network traffic.
15. You can find your Application Detector by selecting Custom Type in the Filters.
16. The new Application Detector will not function until it is Activated by clicking on the State slider.

OpenAppID and the Intrusion Policy, Assigning the Custom Detector to the Access Control and Intrusion Policy:
15. Tie it all together by using an Allow rule (with an Intrusion Policy assigned) for traffic matching the new application. Block all other traffic.
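To make concrete what the Basic detector above keys on, an added example (not Firepower or OpenAppID code) that extracts the name a client presents, either the HTTP Host header or the TLS ClientHello server_name (SNI), applies the detector's OR logic for *.zenbango.com, and returns the verdict the Allow-with-IPS / block-everything-else policy would give. The ClientHello builder and all names are constructed; treating the apex zenbango.com as a match is an assumption.

```python
"""What the deck's custom Basic detector keys on, and the resulting verdict
(added example, not Firepower or OpenAppID code).

The detector ORs an HTTP URL/host pattern and an SSL host pattern for
*.zenbango.com. For HTTP the visible name is the Host header; for TLS it is the
server_name (SNI) extension of the ClientHello, parsed here per RFC 6066.
Assumptions: the apex zenbango.com also matches, and a request carrying an IP
literal or no name at all counts as 'targets the IP address', so it is blocked.
"""
import ipaddress

ALLOWED_SUFFIX = "zenbango.com"   # the domain from the deck's example

def strip_port(host):
    if host.startswith("["):                         # [v6-literal]:port
        return host[1:host.index("]")]
    if host.count(":") == 1:                         # name:port or v4:port
        return host.split(":")[0]
    return host                                      # bare name, v4, or bare v6

def is_ip_literal(host):
    try:
        ipaddress.ip_address(strip_port(host))
        return True
    except ValueError:
        return False

def name_matches(host):
    name = strip_port(host).lower().rstrip(".")
    return name == ALLOWED_SUFFIX or name.endswith("." + ALLOWED_SUFFIX)

def host_from_http_request(raw):
    """Host header of a raw HTTP/1.x request, or None (HTTP/1.0 scanners often omit it)."""
    for line in raw.decode("latin-1").split("\r\n")[1:]:
        if not line:
            break
        field, _, value = line.partition(":")
        if field.strip().lower() == "host":
            return value.strip()
    return None

def sni_from_client_hello(record):
    """server_name from a TLS ClientHello record, or None if absent or malformed."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
        p += 1 + record[p]                               # session id
        p += 2 + int.from_bytes(record[p:p + 2], "big")   # cipher suites
        p += 1 + record[p]                               # compression methods
        if p + 2 > len(record):
            return None                                  # no extensions block at all
        end = p + 2 + int.from_bytes(record[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(record[p:p + 2], "big")
            elen = int.from_bytes(record[p + 2:p + 4], "big")
            p += 4
            if etype == 0 and record[p + 2] == 0:        # server_name, name_type host_name
                nlen = int.from_bytes(record[p + 3:p + 5], "big")
                return record[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except IndexError:
        pass
    return None

def build_client_hello(sni=None):
    """Minimal ClientHello used as test input (constructed, not captured traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name
        lst = len(entry).to_bytes(2, "big") + entry
        exts = b"\x00\x00" + len(lst).to_bytes(2, "big") + lst
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01"                          # one cipher suite
            + b"\x01\x00"                                  # null compression
            + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def verdict(http_request=None, tls_client_hello=None):
    """'allow+ips' when the detector fires (the deck's Allow rule with an Intrusion
    Policy), otherwise 'block' (the deck's block-everything-else rule)."""
    if http_request is not None:
        seen = host_from_http_request(http_request)
    else:
        seen = sni_from_client_hello(tls_client_hello)
    if seen and not is_ip_literal(seen) and name_matches(seen):
        return "allow+ips"
    return "block"
```

A scanner that connects by IP address sends no SNI and either no Host header or an IP literal in it, so it never reaches the Allow rule, while named clients are still fully inspected by the Intrusion Policy.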

OpenAppID and the Intrusion Policy: Effectiveness.


Security Intelligence Feeds: Some of the built-in SI feeds (For Your Reference):
o IP Address: Attackers, Bogon, Bots, CnC, Cryptomining (NEW), Dga, ExploitKit, Malware, Open_proxy, Open_relay, Phishing, Response, Spam, Suspicious, Tor_exit_node
o URLs: URL Attackers, URL Bogon, URL Bots, URL CnC, URL Cryptomining (NEW), URL Dga, URL Exploitkit, URL Malware, URL Open_proxy, URL Open_relay, URL Phishing, URL Response, URL Spam, URL Suspicious, URL Tor_exit_node
o DNS: DNS Attackers, DNS Bogon, DNS Bots, DNS CnC, DNS Cryptomining (NEW), DNS Dga, DNS Exploitkit, DNS Malware, DNS Open_proxy, DNS Open_relay, DNS Phishing, DNS Response, DNS Spam, DNS Suspicious, DNS Tor_exit_node

Security Intelligence: Go to the Appendix for an example of creating a custom Security Intelligence feed.


103 SSL Inspection SSL-encrypted traffic can be inspected by decrypting the traffic. Decryption can occur off-box, on a dedicated SSL Appliance, or on-box, within the Firepower software. This session will focus on On-Box decryption for Inbound Traffic. Inbound Traffic Traffic is decrypted by installing the Servers SSL Certificate and Private Key Outbound Traffic Traffic is decrypted by installing a wildcard certificate and performing a man in the middle attack against your users SSL traffic. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 103

104 SSL Inspection with Known Key Example You need both the host s private key and the.crt file. Go to Objects -> PKI -> Internal Certs to add the certificate information for the host. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 104

105 SSL Inspection with Known Key Example Create an SSL Policy to decrypt traffic with this known key for the associated host. Once this is complete, add this SSL Policy to the Access Control Policy. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 105

106 Complete your online session evaluation Give us your feedback to be entered into a Daily Survey Drawing. Complete your session surveys through the Cisco Live mobile app or on Don t forget: Cisco Live sessions will be available for viewing on demand after the event at BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 106

107 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 107

108 Thank you

109 Additional Slides

110 Security Intelligence Example

111 Security Intelligence Custom Feed An Example A publicly-exposed SSH Server will be continuously probed for weaknesses, as well as brute-force login attempts. Let s use failed login attempts to build our own SI Feed. Internet [blkh4t@wd40 ~]$ ncrack zenbango.com:22 Jan 9 15:42:50 www unix_chkpwd[28658]: SSH Server password check failed for user (root) Jan 9 15:42:57 www unix_chkpwd[28680]: password check failed for user (root) Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don) Jan 9 15:43:25 www unix_chkpwd[28887]: password check failed for user (rich) Jan 9 15:43:31 www unix_chkpwd[28922]: password check failed for user (gary) Jan 9 15:44:33 www unix_chkpwd[29302]: password check failed for user (daemon) Jan 9 15:44:38 www unix_chkpwd[29341]: password check failed for user (kim) Jan 9 15:45:44 www unix_chkpwd[29737]: password check failed for user (operator) Jan 9 15:45:52 www sshd[10694]: Invalid user dan from Jan 9 15:45:54 www unix_chkpwd[29797]: password check failed for user (root) Jan 9 15:46:02 www unix_chkpwd[29842]: password check failed for user (mail) Jan 9 15:46:09 www unix_chkpwd[29878]: password check failed for user (nobody) Jan 9 15:46:31 www unix_chkpwd[30019]: password check failed for user (rich) Jan 9 15:46:31 www unix_chkpwd[30020]: password check failed for user (don) Jan 9 15:46:38 www unix_chkpwd[30065]: password check failed for user (gary) Starting Ncrack 0.5 ( ) at :42 PST BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 111

112 Security Intelligence Custom Feed: An Example
The goal: create your own Security Intelligence feed to block hosts that attempt to log in to your SSH server and fail authentication multiple times. (Diagram: Internet, blocked at the Firepower device, in front of the Web Server and SSH Server.)

113 Security Intelligence Custom Feed: Prerequisites
1. Configure your honeypot with the desired services installed, hardened, and logged. A number of tools can dynamically block or log connection and authentication attempts; two that work well are fail2ban and denyhosts.

114 Security Intelligence Custom Feed: Prepare the Target
2. In this example we're using denyhosts to dynamically block SSH sources after repeated failed logins: 6 failures with a non-existent username, 10 failures with a valid username, or a single failure against root. PURGE_DENY = 4w ages a block out of hosts.deny (and therefore out of the feed) after four weeks, and RESET_ON_SUCCESS clears a source's failure count when it finally authenticates.
/etc/denyhosts.conf (pertinent settings):
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 6
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
RESET_ON_SUCCESS = yes

115 Security Intelligence Custom Feed: Prepare the Target
3. Create a script to parse the blocked IP addresses out of the /etc/hosts.deny file that denyhosts maintains. With BLOCK_SERVICE = ALL, each entry is a comment line followed by an "ALL: <address>" line (addresses not reproduced on the slide):
# DenyHosts: Thu Jan 26 22:31: ALL: ALL:
# DenyHosts: Sat Jan 28 10:58: ALL: ALL:
# DenyHosts: Tue Jan 31 09:42: ALL: ALL:
# DenyHosts: Tue Jan 31 19:50: ALL: ALL:
# DenyHosts: Wed Feb 1 16:57: ALL: ALL:
The output file should be in a directory accessible to your web server. Consider placing it on a different server.
4. Use your favorite scripting language to parse the addresses. This simple Bash script works: comment lines are dropped and the second field of each remaining "ALL: <address>" entry is written out, one address per line.
#!/bin/bash
# Publish the denyhosts block list as a one-address-per-line SI feed file.
grep -v '^#' /etc/hosts.deny | awk '{print $2}' > /var/www/html/sshblock.txt

116 Security Intelligence Custom Feed: Prepare the Target
5. Generate some SSH traffic, with failed logins, to make sure you are capturing the addresses. Be careful: denyhosts will, by default, ban your own IP address in hosts.deny, so you need to know how to clear the blocks before you start. This is a useful site:
6. Make sure to run your script (from Step 4) regularly, for example from a cron job every few minutes. The result, /var/www/html/sshblock.txt, contains one IP address per line.

117 Security Intelligence Custom Feed: Prepare the Target
7. Verify you can download the file with a web browser. It is a good idea to host the file on a server reachable internally only, rather than one accessible to the outside world: whoever can write to that file can blacklist any address on every device that consumes the feed, so restrict write access to the script's account as well.
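The feed generator below is an added example, not the script from the slides. Rather than reading the hosts.deny file that denyhosts maintains, it applies the same three thresholds from /etc/denyhosts.conf directly to sshd "Failed password" lines (the unix_chkpwd lines shown earlier carry no source address, so they cannot feed a block list), validates every address with Python's ipaddress module so a malformed line never reaches FMC, and drops anything inside an allowlist so your own management hosts never end up blacklisted by your own honeypot. The log lines, the RFC 5737 test addresses and the 10.0.0.0/8 allowlist are constructed for the example; the output file path is the one used on the slides.

```python
"""Build a Firepower Security Intelligence feed from sshd failed-login lines.

Added example (not the slide's script): denyhosts-style thresholds are
applied directly to sshd "Failed password" log lines, each address is
validated, and allowlisted networks are never published. All sample data
below is constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Thresholds mirroring the /etc/denyhosts.conf settings on the slide.
DENY_THRESHOLD_INVALID = 6   # failures with a username that does not exist
DENY_THRESHOLD_VALID = 10    # failures with an existing, non-root username
DENY_THRESHOLD_ROOT = 1      # failures against root
THRESHOLDS = {"invalid": DENY_THRESHOLD_INVALID,
              "valid": DENY_THRESHOLD_VALID,
              "root": DENY_THRESHOLD_ROOT}

# Networks that must never appear in the feed (assumed: your admin hosts).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# OpenSSH logs one "Failed password for ..." line per rejected attempt;
# counting only these avoids double-counting the separate "Invalid user" lines.
_FAILED = re.compile(
    r"Failed password for (?:(invalid user) )?(\S+) from (\S+) port \d+")


def classify(line):
    """Return (category, source_address) for a failed-login line, else None."""
    m = _FAILED.search(line)
    if not m:
        return None
    invalid, user, src = m.groups()
    if invalid:
        return "invalid", src
    if user == "root":
        return "root", src
    return "valid", src


def offenders(lines):
    """Count failures per (category, source) and return sources over threshold."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return {src for (cat, src), n in counts.items() if n >= THRESHOLDS[cat]}


def feed_entries(addresses, allowlist=ALLOWLIST):
    """Validate and filter addresses; return sorted, de-duplicated entries."""
    keep = set()
    for text in addresses:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # never publish junk: one bad line taints the whole feed
        if any(ip in net for net in allowlist):
            continue  # protect your own hosts from a self-inflicted block
        keep.add(ip)
    return [str(ip) for ip in sorted(keep, key=lambda ip: (ip.version, ip))]


def build_feed(lines, allowlist=ALLOWLIST):
    """Feed text as FMC expects it: one IP address per line, nothing else."""
    entries = feed_entries(offenders(lines), allowlist)
    return "".join(entry + "\n" for entry in entries)


# Constructed sample of /var/log/secure; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Jan  9 15:42:58 www sshd[10692]: Failed password for invalid user cypherpunks from 192.0.2.10 port 51042 ssh2
Jan  9 15:43:02 www sshd[10693]: Failed password for invalid user cdowns from 192.0.2.10 port 51050 ssh2
Jan  9 15:43:09 www sshd[10694]: Failed password for invalid user dan from 192.0.2.10 port 51061 ssh2
Jan  9 15:43:15 www sshd[10695]: Failed password for invalid user kim from 192.0.2.10 port 51070 ssh2
Jan  9 15:43:20 www sshd[10696]: Failed password for invalid user don from 192.0.2.10 port 51081 ssh2
Jan  9 15:43:27 www sshd[10697]: Failed password for invalid user rich from 192.0.2.10 port 51093 ssh2
Jan  9 15:44:33 www sshd[10698]: Failed password for root from 198.51.100.7 port 40222 ssh2
Jan  9 15:45:44 www sshd[10699]: Failed password for gary from 203.0.113.5 port 33110 ssh2
Jan  9 15:45:52 www sshd[10699]: Failed password for gary from 203.0.113.5 port 33110 ssh2
Jan  9 15:46:02 www sshd[10699]: Failed password for gary from 203.0.113.5 port 33110 ssh2
Jan  9 15:46:31 www sshd[10700]: Failed password for root from 10.1.2.3 port 52000 ssh2
Jan  9 15:46:38 www sshd[10701]: Accepted publickey for gary from 203.0.113.5 port 33111 ssh2
"""

if __name__ == "__main__":
    # In production, read /var/log/secure (or journalctl -u sshd) and write
    # the file your web server publishes, e.g. /var/www/html/sshblock.txt.
    print(build_feed(SAMPLE_LOG.splitlines()), end="")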

118 Security Intelligence Custom Feed: Create the Feed
8. On Firepower Management Center (FMC), navigate to Objects -> Security Intelligence -> Network Lists and Feeds, and click Add Network Lists and Feeds in the upper right corner.

119 Security Intelligence Custom Feed: Create the Feed
9. Select Feed, populate the feed URL and the Update Frequency, and click Save. In the software release current at the time of the session, the update frequency cannot be shorter than every 30 minutes, so a newly blocked host will take up to that long to reach the devices.

120 Security Intelligence Custom Feed: Create the Feed
10. In your Access Control Policy, open the Security Intelligence tab and add the new feed (SSH-Blacklist) to the Networks Blacklist.

121 Security Intelligence Custom Feed: Create the Feed
11. Verify the blocks are occurring. In the connection events the reason for the block is shown as SSH-Blacklist. The blocks protect all hosts behind the device, not just the one running denyhosts.

122 Impact on Different Deployment Methodologies
Software Bypass indicates whether traffic keeps passing, uninspected, while the Snort inspection engine cannot process it (for example while it restarts after a policy deployment); where bypass is disabled or not applicable, traffic is disrupted for that period.

Deployment                                      Software Bypass               Disruption?
Legacy Firepower (Inline Fail-open)             Enabled                       No
Legacy Firepower (Inline Fail-closed)           Disabled                      Yes
ASA w/ Firepower Services (Fail-open)           Enabled                       No
ASA w/ Firepower Services (Fail-closed)         Disabled                      Yes
FTD Routed or Transparent Mode (Stand Alone)    N/A                           Yes
FTD Routed or Transparent Mode (HA)             N/A                           Yes
FTD Routed or Transparent Mode (Cluster)        Deployed to Slave Node First  Maybe
FTD Inline (Fail-open)                          Enabled                       No
FTD Inline (Fail-closed)                        Disabled                      Yes

123 Firepower
Traditional Firepower appliances run Firepower software. Examples: FP-7050, FP-7125, FP-8130, FP-8250, FP-8370, Firepower Virtual IPS (NGIPSv).

124 ASA with Firepower Services
ASA with Firepower Services uses traditional ASA software plus a hardware or virtual IPS module running Firepower software. Often referred to as ASA+SFR. Examples: ASA-5506-X, ASA-5525-X, ASA-5545-X, ASA-5585-X.

125 Firepower Threat Defense
Firepower Threat Defense (FTD) software combines ASA and Firepower features into a single software image. It is available on the newer Firepower appliances and most ASA-5500-X models. Examples: ASA-5506-X, ASA-5545-X, FP-2110, FP-4140, FP-9300, NGFWv, but NOT the ASA-5585-X.

126 Routed / Transparent Mode (Firepower Threat Defense)
The appliance is installed in either Routed or Transparent mode; this is a global setting.
Routed: interfaces belong to different L3 networks and the device routes between them.
Transparent: interfaces are bridged; they sit on different L2 segments (for example VLAN 10 and VLAN 20) but in the same IP subnet.

127 Passive Mode (Firepower Threat Defense, Firepower, ASA with Firepower Services)
Passive: a promiscuous interface receives copies of traffic from a SPAN port or TAP. Because it only sees copies, it can alert but cannot block. Passive interfaces are available regardless of whether the appliance is installed in Transparent or Routed mode.

128 Inline Pair Mode (Firepower Threat Defense or Firepower)
Inline Pair: traffic passes from one member interface to the other without changing VLAN or L3 network (VLAN 10 in, VLAN 10 out); it functions as a "bump in the wire". Inline pairs are available regardless of whether the appliance is installed in Transparent or Routed mode. The interfaces can also be 802.1Q trunks.

129 Inline Pair Mode (Firepower Threat Defense or Firepower)
Inline Set: a grouping of one or more inline pairs that share the same settings, such as their fail-open behavior.

130 Inline Pair Mode (Firepower Threat Defense or Firepower)
Inline TAP: traffic passes from one member interface to the other without changing VLAN or L3 network, but as it passes it is only copied to the inspection engine, so traffic cannot be blocked. Inline tap mode is available regardless of whether the appliance is installed in Transparent or Routed mode.

131 The Problem with Asymmetric Traffic
Asymmetric traffic flows prevent a security device from seeing both directions of a connection, so it cannot fully reassemble and inspect the stream. For best results, design your network to force symmetry. (Diagram: Internet, Web Server.)

132 Clustering
If you are using Firepower Threat Defense (FTD) or ASA with Firepower Services (ASA+SFR), inter-chassis clustering is a good option. Clustering lets multiple security appliances function as a single device and supports asymmetric traffic flows (the cluster forwards packets of an existing flow to the unit that owns it), while also providing N+1 redundancy. FTD supports inter-chassis clustering in 6.2 and later software, on FP-4100 and FP-9300 appliances. (Diagram: Internet, Web Server.)


More information

AccessEnforcer Version 4.0 Features List

AccessEnforcer Version 4.0 Features List AccessEnforcer Version 4.0 Features List AccessEnforcer UTM Firewall is the simple way to secure and manage your small business network. You can choose from six hardware models, each designed to protect

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!  We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-207 Title : Implementing Cisco Threat Control Solutions (SITCS) Vendor : Cisco Version : DEMO Get Latest & Valid

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 14 Create an Identity Rule, page 15 Manage a Realm, page 17 Manage an Identity

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3 Original Publication: April 21, 2014 These release notes are valid for Version 5.3 of the Sourcefire 3D System. Even if you are familiar with the update process,

More information

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Requirements for Threat Intelligence Director, page 4 How To Set Up, page 6 Analyze TID Incident

More information

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user

More information

A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS

A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS DEPLOYMENT GUIDE A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS A10 NETWORKS SSL INSIGHT & FIREWALL LOAD BALANCING SOLUTION FOR SONICWALL SUPERMASSIVE NEXT GENERATION FIREWALLS OVERVIEW This document describes

More information

Application Layer Preprocessors

Application Layer Preprocessors The following topics explain application layer preprocessors and how to configure them: Introduction to, page 1 The DCE/RPC Preprocessor, page 2 The DNS Preprocessor, page 12 The FTP/Telnet Decoder, page

More information

Rule Management: Common Characteristics

Rule Management: Common Characteristics The following topics describe how to manage common characteristics of rules in various policies on the Firepower Management Center: Introduction to Rules, page 1 Rule Condition Types, page 2 Searching

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.4 Original Publication: May 7, 2015 Last Updated: April 25, 2016Sourcefire-3D-System-Release-Notes-5-3-0-3 These release notes are valid for Version 5.3.0.4

More information

Security, Internet Access, and Communication Ports

Security, Internet Access, and Communication Ports Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: Security Requirements Security Requirements, on

More information

Agile Security Solutions

Agile Security Solutions Agile Security Solutions Piotr Linke Security Engineer CISSP CISA CRISC CISM Open Source SNORT 2 Consider these guys All were smart. All had security. All were seriously compromised. 3 The Industrialization

More information

Traffic Flow, Inspection, and Device Behavior During Upgrade

Traffic Flow, Inspection, and Device Behavior During Upgrade Traffic Flow, Inspection, and Device Behavior During Upgrade You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur: When you upgrade the operating

More information

Cisco - ASA Lab Camp v9.0

Cisco - ASA Lab Camp v9.0 Cisco - ASA Lab Camp v9.0 Code: 0007 Lengt h: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Education Services administration course The McAfee Network Security Platform Administration course from McAfee Education Services is an essential

More information

ASA Access Control. Section 3

ASA Access Control. Section 3 [ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look

More information

O365 Solutions. Three Phase Approach. Page 1 34

O365 Solutions. Three Phase Approach. Page 1 34 O365 Solutions Three Phase Approach msfttechteam@f5.com Page 1 34 Contents Use Cases... 2 Use Case One Advanced Traffic Management for WAP and ADFS farms... 2 Use Case Two BIG-IP with ADFS-PIP... 3 Phase

More information

Updating to Version 6.2.2

Updating to Version 6.2.2 Before you begin the update, you must thoroughly read and understand these release notes, especially Before You Update: Important Notes and Pre-Update Readiness Checks. If you are unsure whether you should

More information

The Intrusion Rules Editor

The Intrusion Rules Editor The following topics describe how to use the intrusion rules editor: An Introduction to Intrusion Rule Editing, page 1 Rule Anatomy, page 2 Custom Rule Creation, page 14 Searching for Rules, page 20 Rule

More information

New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall

New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall Claudiu Onisoru, Senior Network Specialist Cisco Connect - 15 May 2014 1 Agenda Frontal Communication: Who

More information