Advanced Firepower IPS Deployment
- Ashlee Burns
- 5 years ago
2 Advanced Firepower IPS Deployment Gary Halleen, Technical Solutions Architect BRKSEC-3300
3 Webex Teams Questions? Use Webex Teams to chat with the speaker after the session How Find this session in the Cisco Events App Click Join the Discussion Install Spark or go directly to the space Enter messages/questions in the space Webex Teams spaces will be available until June 28, cs.co/ciscolivebot#brksec-3300 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 3
4 About the Speaker: Gary Halleen, Technical Solutions Architect, Global Security Architect Team
5 Oregon, Pacific Wonderland
6 Some of My Hobbies
7 Complete your Online Session Evaluation
8 Cisco Firepower Sessions: Building Blocks (Cisco Live 2018, Monday through Thursday; the per-session time slots were not captured). BRKSEC-2031 ASA Fleet Management at Scale; BRKSEC-2064 NGFWv and ASAv in Public Cloud (AWS and Azure); BRKSEC-3300 Advanced Firepower IPS Deployment (this session); BRKSEC-3032 NGFW Clustering Deep Dive; BRKSEC-2050 Firepower NGFW Internet Edge Deployment Scenarios; BRKSEC-3455 Dissecting Firepower Installation & Troubleshooting; BRKSEC-2020 Firepower Deployment Data Center & Enterprise Network Edge; BRKSEC-3035 Firepower Platform Deep Dive; BRKSEC-2066 Optimizing Your Firepower/FTD Deployment; BRKSEC-2058 Deep Dive into Firepower Manager.
10 Agenda: Policy Interaction and Firepower Recommendations; Advanced Tuning Topics; Importing Snort Rules; IPS Pass Rule; Bypass Options; OpenAppID; Security Intelligence; SSL Inspection for IPS
11 Introduction: This session covers Firepower 6.2.3, managed with Firepower Management Center (FMC). It does NOT cover Cisco IPS 7.0.
12 Introduction (For Your Reference): for the purposes of this session, these terms are treated the same: Firepower; Firepower Threat Defense (FTD); ASA with Firepower Services.
13 Agenda (next section: Policy Interaction and Firepower Recommendations)
14 Firepower Policies: how often are policies modified (Frequently / Little / Rarely)? Policies shown on the slide: Access Control, Malware and File, Network Discovery, Intrusion, DNS, Network Analysis, SSL, Identity, Correlation, Health, Prefilter. (Which frequency each policy was placed under is not recoverable from the transcription.)
15 Policy Order of Operation: Prefilter (FTD only) -> Intrusion (for AppID) -> Access Control Policy. Within the Access Control Policy: optional SSL -> Identity -> Security Intelligence / DNS -> Access Control Rules -> Intrusion -> File / Malware.
16 Intrusion Policy: the Intrusion Policy defines which Snort rules are used in packet inspection.
17 Intrusion Base Policy (rule-selection criteria of each Talos base policy; years as of the 2018 session):
  Connectivity over Security: CVSS 10; vulnerability age current year plus 2 prior (2018, 2017 and 2016).
  Balanced Security and Connectivity: CVSS 9+; current year plus 2 prior; plus the rule categories Malware-CNC, Blacklist, SQL Injection and Exploit Kit.
  Security over Connectivity: CVSS 8+; current year plus 3 prior (2018, 2017, 2016 and 2015); plus the rule categories Malware-CNC, Blacklist, SQL Injection, Exploit Kit and App-Detect.
  Maximum Detection: CVSS score not captured; vulnerability age "... and later" (start year not captured); rule categories Malware-CNC and Exploit Kit.
  The base policy is only the starting point: rule states you set in the policy, and Firepower Recommendations, override it.
18 Intrusion Policy: you can manually enable/disable individual rules or configure their actions (Generate Events, or Drop and Generate Events).
19 Intrusion Policy: there are several ways to search for rules.
20 Network Discovery Policy: used to identify which networks Firepower should learn from. Useful for application awareness, and especially for maintaining the Firepower Recommended Rules in the Intrusion Policy. Limit discovery to networks you own: recommendations are computed from the host profiles discovery collects, so hosts it has never seen get nothing recommended for them.
21 Intrusion Policy and Network Discovery Policy: Firepower Recommended Rules automatically tunes your Snort rules for the applications, servers, and hosts on your network.
23 Access Control Policy: traffic must match in the Access Control Policy in order to be inspected. For a simple IPS deployment, you can use the Default Action (Intrusion Prevention with an intrusion policy).
24 Access Control Policy: in an NGFW deployment, the Default Action will likely be Block All Traffic, so an Intrusion Policy must be assigned to each Allow rule; an Allow rule with no Intrusion Policy passes traffic without IPS inspection.
25 Access Control Policy: if needed, different Allow rules can have different Intrusion Policies assigned.
26 Agenda (next section: Advanced Tuning Topics)
27 Network Analysis Policy: what is this? Do I need to do anything here?
28 Network Analysis Policy: the Network Analysis Policy (NAP) controls the preprocessors, and determines things such as fragmentation reassembly and protocol compliance. What should we tune?
29 Network Analysis Policy: Security vs. Usability (the tuning trade-off).
30 Fragmentation: both IP and TCP can cause a stream of data to break into many parts. Both IP fragmentation and TCP segmentation may be naturally occurring or performed intentionally to evade the IPS. IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate this evasion technique. (Diagram: the string "USER root" split into the TCP segments "USER" and "root", and further into the IP fragments "US", "ER", "ro" and "ot".)
31 How bad can fragmentation get? Layers involved: IP, TCP, SMB, MSRPC, payload. A packet capture of the regular attack is ~4 KB; after layers of evasion it is 30 MB or more, hundreds of thousands of packets.
32 Network Analysis Policy: do these base policies look familiar? Besides the name, these base policies have NOTHING in common with the Intrusion base policies.
33 Network Analysis Policy, Inline Normalization: MAYBE. Enforces protocol compliance for TCP and IP. Enabling normalization blocks some non-standard implementations and many attacks, but it can also block poorly-written legitimate traffic. How risk-averse are you?
34 Network Analysis Policy, TCP Stream: YES. Unless you are deploying IPS into a segment containing ONLY Windows hosts, you absolutely should tune this. TCP Stream determines how segmented TCP traffic is reassembled. Different operating systems resolve overlapping segments differently, and it is critical that your IPS reassembles the stream the same way the target host does; otherwise the host and the IPS see different data. Set the reassembly policy per network (the Targets section of the TCP Stream configuration) to match the hosts actually on each network.
35 Network Analysis Policy, UDP Stream: probably not; not much to tune.
36 Network Analysis Policy, IP Defragmentation: YES. Same reason as TCP Stream: IP stacks also disagree on overlapping fragments.
37 Access Control Policy Advanced Settings: don't forget to select the Network Analysis Policy from the Access Control Policy -> Advanced tab. If you need multiple Network Analysis Policies (some networks have Windows servers and another has Linux, for example), you can create Network Analysis Rules there to perform the mapping.
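Why the reassembly policy has to match the target, shown on the "USER root" example above. This is an added illustration, not code from the session: it models the two simplest policies Snort's stream preprocessor offers ("first": keep the byte that arrived first for an overlapped offset; "last": let later data overwrite it) on constructed segments where the attacker sends "root" and then an overlapping "nobody" at the same sequence offset. A host that favours the first copy logs in as root while the IPS, if it favours the last copy, reassembles a harmless "USER nobody" and never matches the content.

```python
# Constructed example segments (not from the session): (TCP sequence offset,
# payload) in the order the sensor sees them. Segments two and three overlap
# at offset 5; the evasion works when the target host and the IPS resolve the
# overlap differently.
SEGMENTS = [
    (0, b"USER "),
    (5, b"root"),
    (5, b"nobody"),
]


def reassemble(segments, policy):
    """Rebuild the byte stream from (seq, payload) pairs.

    policy "first" keeps the first byte that arrived for any overlapped
    offset, policy "last" lets later data overwrite it. Snort's stream
    preprocessor offers these two next to OS-specific policies, because real
    TCP stacks do not agree on which copy to keep.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    # Stop at the first hole so nothing past a missing segment is returned.
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def content_match(stream, pattern):
    """Plain substring test, the equivalent of a Snort content: option."""
    return pattern in stream


def evasion_report(segments, pattern):
    """What an IPS concludes about the same packets under each policy."""
    return {p: content_match(reassemble(segments, p), pattern)
            for p in ("first", "last")}


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    print(evasion_report(SEGMENTS, b"USER root"))
```

Run stand-alone it prints `USER rootdy` for "first" and `USER nobody` for "last": a `content:"USER root"` rule fires only under the first policy. A sensor tuned for the wrong host family misses the login the server actually processed, which is exactly why the slide says to tune TCP Stream per network rather than leave one global policy.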
38 Agenda (next section: Importing Snort Rules)
39 Snort Rules: all Firepower intrusion rules are Snort rules. Cisco provides regular rule updates, and these are typically installed automatically. Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion Rules -> Create Rule), or imported from a file.
40 Snort Rules: Snort rules are normally written on a single line, with no special characters, in ASCII or UTF-8. The import file can contain many rules as long as there is one rule per line. Many of the Emerging Threats (ET) rules use deprecated syntax (the threshold statement); if you are importing ET rules, correct or remove those rules first, since threshold has been replaced by detection_filter. An imported rule SHOULD NOT carry a SID, although one is allowed. Example (all on ONE line): alert tcp [ /19, /22, /17, /14, /22, /18, ... (the address list was not captured; the full rule follows on the next slide).
41 Snort Rules (continued): sometimes it is much more readable to spread the rule across multiple lines. Do this with the backslash character (\) at the end of each line. Example rule (from Emerging Threats; the IP addresses, reference URL and SID were not captured):
alert tcp \
[ /19, /22, /17, /14, /22, /18,\
 /22, /12, /12, /22, /22, /17,\
 /12, /22, /16, /22, /22,\
 /22, /22, /22] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url, \
threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,et.evil; flowbits:set,et.dropip; sid: ; \
rev:2607;)
42 Snort Rules (continued): this ET rule has the deprecated keyword threshold, so let's fix it. threshold is replaced by detection_filter, which takes track, seconds and count but has no type:
alert tcp \
[ /19, /22, /17, /14, /22, /18,\
 /22, /12, /12, /22, /22, /17,\
 /12, /22, /16, /22, /22,\
 /22, /22, /22] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url, \
detection_filter: track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,et.evil; flowbits:set,et.dropip; sid: ; \
rev:2607;)
Caveat: this is a syntax fix, not a behavioural equivalent. threshold type limit rate-limited the rule (at most one event per source per hour); detection_filter is a rate trigger (the rule does not fire until a source has reached count matches inside the seconds window, and it never caps how often it fires after that). If you want the original once-per-hour behaviour, drop the threshold line entirely before import and configure the rule's event threshold (Type: Limit, Track By: Source, Count: 1, Seconds: 3600) in the Intrusion Policy instead.
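A small pre-import pass that does mechanically what slides 40 to 42 describe by hand: join backslash-continued lines into one rule per line, handle the deprecated threshold option (either rewrite it as detection_filter the way the slide does, or strip it so the limit can be set as an event threshold in the Intrusion Policy), and flag rules that carry a sid. This is an added example, not code from the session or from Cisco; the two rules in SAMPLE_RULES are constructed for the demonstration and are not real Emerging Threats content.

```python
import re

# Constructed sample rules file (not real ET content). The first rule is
# spread over several lines with backslashes and uses the deprecated
# threshold option; the second has no sid.
SAMPLE_RULES = r'''
# comments and blank lines between rules are ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE inbound SSH SYN"; \
    flags:S; \
    threshold: type limit, track by_src, seconds 3600, count 1; \
    classtype:attempted-recon; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"/cgi-bin/"; classtype:web-application-activity; rev:1;)
'''

THRESHOLD_RE = re.compile(r'\bthreshold\s*:\s*([^;]*);\s*')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def join_continuations(text):
    """Turn a rules file into a list of one-line rules.

    A line ending in a backslash is joined with the next one; blank lines and
    '#' comments between rules are dropped. The FMC importer wants exactly
    one rule per line.
    """
    rules, buf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith('#')):
            continue
        if line.endswith('\\'):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        rules.append(' '.join(buf))
        buf = []
    if buf:  # file ended inside a continuation; keep what we have
        rules.append(' '.join(buf))
    return rules


def convert_threshold(rule, mode='detection_filter'):
    """Handle the deprecated per-rule threshold option.

    mode 'detection_filter' rewrites it as the slide does (same track, count
    and seconds, no type). mode 'strip' removes it so the limit can be set as
    an event threshold in the Intrusion Policy, which is what keeps the
    original 'at most one alert per source per hour' meaning.
    Returns (rule, note); note is None when nothing was changed.
    """
    m = THRESHOLD_RE.search(rule)
    if not m:
        return rule, None
    fields = {}
    for part in m.group(1).split(','):
        kv = part.split()
        if len(kv) == 2:
            fields[kv[0]] = kv[1]
    missing = {'track', 'count', 'seconds'} - fields.keys()
    if missing:
        raise ValueError('threshold option missing %s in: %s' % (sorted(missing), rule))
    if mode == 'strip':
        new = rule[:m.start()] + rule[m.end():]
        note = ('threshold (type %s, track %s, count %s, seconds %s) removed; '
                'configure it as an event threshold in the Intrusion Policy'
                % (fields.get('type', '?'), fields['track'], fields['count'], fields['seconds']))
    elif mode == 'detection_filter':
        repl = 'detection_filter: track %s, count %s, seconds %s; ' % (
            fields['track'], fields['count'], fields['seconds'])
        new = rule[:m.start()] + repl + rule[m.end():]
        note = ('threshold rewritten as detection_filter; that is a rate trigger, '
                'not a rate limit, so the rule may now alert more often')
    else:
        raise ValueError('unknown mode %r' % mode)
    return new, note


def prepare_rules(text, mode='detection_filter'):
    """Return [(rule, [notes])], one entry per rule, ready to write one per line."""
    out = []
    for rule in join_continuations(text):
        rule, note = convert_threshold(rule, mode)
        notes = [note] if note else []
        m = SID_RE.search(rule)
        if m:
            notes.append('carries sid %s; the session recommends omitting sids on imported rules' % m.group(1))
        out.append((rule, notes))
    return out


if __name__ == '__main__':
    for rule, notes in prepare_rules(SAMPLE_RULES, mode='strip'):
        print(rule)
        for n in notes:
            print('   #', n)
```

Write the returned rules to a file, one per line, and import that file; the notes are what to review before you click Import. Leading and trailing whitespace on each physical line is discarded when joining, so a content match that straddles a continuation must not depend on that whitespace.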
43 Importing Snort Rules: once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules and click Import Rules.
44 Importing Snort Rules: click Browse to locate your file, and click Import.
45 Importing Snort Rules: if successful, you will see a screen showing what has been imported. If unsuccessful, the Rule Update Log tells you what was wrong with the file.
46 Enabling Snort Rules: remember, all imported rules are disabled by default. You need to enable them in the Intrusion Policy and deploy before they take effect.
47 Agenda (next section: IPS Pass Rule)
48 How do you exempt specific servers from a Snort rule? Options: 1. Look at the rule and see whether you can adjust the variables in use ($EXTERNAL_NET and $HOME_NET, for example). 2. Use a different Intrusion Policy for some hosts; this can have a memory or performance impact if overused. 3. Create a Pass Rule: probably the best option.
49 Pass Rule: open the firing rule in the Rule Editor (Objects -> Intrusion Rules).
50 Pass Rule: change the Action to pass.
51 Pass Rule: change the Message (add PASS RULE to the beginning). Put the IP address or a variable name (e.g. $SCANNER_HOSTS) in the source or destination IP, so the pass rule is as narrow as possible and keeps every other option of the original rule.
52 Pass Rule: click Save as New.
53 Pass Rule: finally, edit the Intrusion Policy and change the Rule State for your new local rule to Generate Events. Save and deploy the Intrusion Policy. Snort evaluates pass rules before alert and drop rules, so a matching pass exempts that traffic from the original rule only.
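The same transformation the Rule Editor steps above perform, done on the rule text so the result can be reviewed (or imported as a local rule) before deployment. This is an added example, not code from the session: FIRING_RULE is a constructed rule, and $SCANNER_HOSTS is assumed to be a variable defined in the policy's variable set.

```python
import re

# Constructed firing rule (not from the session or the Talos rule set).
FIRING_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"EXAMPLE web probe"; flow:to_server,established; '
               'content:"/cgi-bin/"; classtype:web-application-activity; sid:1000002; rev:1;)')

# Snort rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def parse_rule(rule):
    """Split a one-line rule into its header fields and the options body."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a Snort rule: %r' % rule)
    return m.groupdict()


def build_rule(p):
    return '%(action)s %(proto)s %(src)s %(sport)s %(dir)s %(dst)s %(dport)s (%(opts)s)' % p


def make_pass_rule(rule, exempt_src=None, exempt_dst=None):
    """Derive a pass rule from a firing rule, mirroring the Rule Editor steps.

    action becomes pass, "PASS RULE" is prefixed to msg, the source and/or
    destination is narrowed to the exempt hosts or variable, and sid/rev are
    dropped so the saved copy gets a new local SID. Every other option
    (flow, content, ...) is kept verbatim, so the pass rule can only ever
    match traffic the original rule would have matched.
    """
    if exempt_src is None and exempt_dst is None:
        raise ValueError('narrow the pass rule to at least one exempt host or variable')
    p = parse_rule(rule)
    p['action'] = 'pass'
    if exempt_src is not None:
        p['src'] = exempt_src
    if exempt_dst is not None:
        p['dst'] = exempt_dst
    opts = p['opts']
    opts = re.sub(r'\bmsg\s*:\s*"', 'msg:"PASS RULE ', opts, count=1)
    opts = re.sub(r'\b(?:sid|rev)\s*:\s*\d+\s*;\s*', '', opts)
    p['opts'] = opts.strip()
    return build_rule(p)


if __name__ == '__main__':
    print(make_pass_rule(FIRING_RULE, exempt_src='$SCANNER_HOSTS'))
```

Keeping the options intact is the point: a pass rule written from scratch as `pass tcp $SCANNER_HOSTS any -> $HOME_NET 80 (msg:"..."; )` with no content would exempt the scanner from every rule on port 80, not just the one that was firing.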
54 Snort Restart and Reload Architecture: prior to Firepower 6.2.2, making the intrusion rule changes just described would have caused a Snort restart and potentially disrupted network traffic. Significant software improvements since then have dramatically reduced the number of changes that cause a Snort restart.
55 Why does Snort restart? A new version of Snort in a policy deploy; reallocating memory for preprocessors or Security Intelligence; reloading shared objects; preprocessor configuration changes; the deployment being configured to restart instead of reload. (The slide pointed to Cisco.com information on restart conditions; the link was not captured.)
56 Why does Snort restart? FMC warns at deploy time if any configuration change will interrupt inspection (restart Snort).
57 Mitigations: 1. Snort Preserve-Connection (6.2.0 / 6.2.3 introduction). 2. Software Bypass.
58 Snort Preserve-Connection: when Snort goes down, connections that already have an Allow verdict are preserved in LINA. Snort does NOT do a mid-session pickup on preserved flows when it comes back up. It does NOT protect new flows while Snort is down. Introduced in 6.2.0 / 6.2.3; enabled by default (the exact release was not captured). It can be enabled or disabled from the CLI: configure snort preserve-connection enable|disable
59 Software Bypass: with inline fail-open deployments, traffic is passed uninspected on the software bridge when Snort is down. When Snort comes back up, it does a mid-session pickup on that traffic.
60 Agenda (next section: Bypass Options)
61 Bypass Options (what each one does):
  Software Bypass: passes traffic uninspected when Snort is down or busy.
  Fail-to-Wire Interfaces: bypass traffic upon appliance failure, including loss of power.
  Automatic Application Bypass: restarts Snort processes upon degraded performance.
  Intelligent Application Bypass: application-specific acceleration of defined applications if performance is degraded.
  Trust Rules: accelerate defined traffic but still apply Security Intelligence.
  Prefilter Policy: bypass deep inspection and Security Intelligence based on port / protocol / IP address / zone.
62 Software Bypass: only available in Inline Pairing mode or on ASA with Firepower Services.
63 Fail-to-Wire Interfaces: a fail-to-wire NetMod allows pass-through of traffic in case of appliance failure or loss of power. Platforms: FP-9300, FP-4100, FP-2100 (not yet available), and the FP-7000, 7100, 8100, 8200 and 8300 IPS appliances. Fail-to-Wire requires an Inline Set, Inline Pair, or Inline Tap deployment.
64 Automatic Application Bypass (AAB): detects Snort failures or degraded performance and triggers a restart of the impacted Snort process. First available in FTD in (release not captured).
65 Trust Rules: within the Access Control Policy, defined traffic can be exempted from file and IPS inspection, which accelerates it through the appliance. Basing the rule on source/destination port and IP addresses is most effective. Security Intelligence feeds are still applied to Trust rules.
66 Prefilter Policy: prefilter rules are processed before the Access Control Policy and intrusion inspection. If traffic can be defined by zone, network and port (similar to an ASA rule), it can be Fastpathed. This is similar to a Trust rule, but Security Intelligence is not applied either. Prefilter rules require Firepower Threat Defense. Fastpathed flows are invisible to Security Intelligence, intrusion and file inspection, so reserve Fastpath for flows you trust end to end (backup, replication) and enable logging on the prefilter rule so you still see the connections.
67 Intelligent Application Bypass (IAB): detects degraded performance and, for applications you have marked as bypassable, automatically bypasses inspection for them and accelerates the traffic.
68 Agenda (next section: Intelligent Application Bypass)
69 Intelligent Application Bypass, what is IAB? IAB takes action when a Snort instance is under duress, if the conditions are met: Is the flow a candidate for bypass? Does the traffic meet the requirements (bytes per flow, packets per flow, flow duration, or flow velocity)? Is this a bypassable application? Are you willing to bypass inspection for this particular application? If the conditions are satisfied, Firepower accelerates the flow.
70 Intelligent Application Bypass, caveats: when IAB works to full capability, the flow under duress is handled the same as a Prefilter Fastpath rule. If the Access Control Policy (ACP) uses IP-based Security Intelligence, Snort needs to see the traffic briefly before it is Fastpathed. If the ACP uses DNS- or URL-based Security Intelligence, both Snort and AppID need to see traffic before it is Fastpathed. AppID sometimes takes longer to identify the application, depending on which application it is.
71 Configuring Intelligent Application Bypass: find IAB on the Advanced tab of the Access Control Policy, at the bottom of the left side of the page. By default, IAB is disabled.
72 Configuring Intelligent Application Bypass: set the State to On or Test, and set the sample period. Test logs the flows that would have been bypassed without bypassing them, which is the safe way to tune the thresholds below before turning IAB on.
73 Configuring Intelligent Application Bypass, Inspection Performance Thresholds: is the Snort process under duress? These fields are a logical OR and refer to the Snort process rather than overall appliance CPU: Drop Percentage, Processor Utilization, Packet Latency, Flow Rate.
74 Configuring Intelligent Application Bypass, Flow Bypass Thresholds: is the flow a candidate to bypass? These are also a logical OR. Bytes per Flow is "how big is the flow?"; take the AMP maximum file size into consideration, because a bypassed flow is no longer file-inspected.
75 Configuring Intelligent Application Bypass, Flow Bypass Thresholds (continued): Flow Velocity is size over time of the flow. Each Snort instance can handle approximately 1 Gbps, which is 125,000 kbytes/second. A good starting point for Flow Velocity is 30% of this, about 40,000 kbytes/second (37,500 exactly).
76 Configuring Intelligent Application Bypass: define the applications that are bypassable. It may be easier to just allow All Applications, but decide deliberately which applications you are willing to leave uninspected.
77 Monitoring Intelligent Application Bypass: IAB events appear in Connection Events with a reason of Intelligent App Bypass.
78 Agenda (next section: OpenAppID)
79 OpenAppID: Cisco's open-source application-layer plugin for Snort and Firepower. OpenAppID uses the Lua programming language to identify applications. Attributes it can look at include: ASCII or hex patterns and offset; HTTP User-Agent; HTTP URL; HTTP Content-Type; SSL host; SSL Organizational Unit; SSL Common Name; SIP server; SIP User-Agent; RTMP URL pattern.
80 OpenAppID: most internal Firepower application detectors are included in the Snort OpenAppID rules, including their Lua source code.
81 OpenAppID within Firepower, Application Detectors: all application detectors in Firepower 6.0 and later use OpenAppID. Custom application detectors can be created here as well.
82 OpenAppID within Firepower, Basic Application Detectors: FMC provides a wizard for creating basic detectors. Advanced detectors require you to upload the Lua file.
83 OpenAppID within Firepower, Advanced Application Detectors (For Your Reference)
84 OpenAppID Example with Intrusion Policy
85 OpenAppID and the Intrusion Policy, an example: a lot of noise is created in the intrusion logs of any IDS/IPS product by automated scripts searching for vulnerable systems and trying generic attacks. (Illustration: a fictitious scanner run from the Internet against the web server's IP address reports open ports tcp/80 and tcp/443, an Apache server banner, and two "vulnerabilities found" whose CVE identifiers were not captured.)
86 OpenAppID and the Intrusion Policy, an example: these scans or attacks against your IP addresses may or may not be successfully blocked by your IPS devices; either way they generate noise in your logs. Question: is there a legitimate reason for Internet users to access your server(s) by IP address instead of FQDN?
87 OpenAppID and the Intrusion Policy, the goal: block all web traffic that targets an IP address rather than the correct hostname, and use the Intrusion Policy to inspect the legitimate traffic. (Illustration: the same scan against the IP address now reports "No web server found!")
88 Creating the Custom Detector: 1. From the Application Detectors screen, click the button to Create Custom Detector.
89 Creating the Custom Detector: 2. Click the Add button.
90 Creating the Custom Detector: 3. Complete the required fields to name your custom application. 4. Click OK.
91 Creating the Custom Detector: 5. Enter the same Name and Description as in the previous step, and select the application you just created from the pull-down menu. 6. Leave the Detector_Type as Basic. 7. Click OK.
92 Creating the Custom Detector: 8. Click Add to add Detection Patterns. This is where we define what the application looks like to Firepower.
93 Creating the Custom Detector: 9. Select HTTP from the Protocol pull-down menu, and URL as the Type. 10. Enter your domain name. 11. Click OK.
94 Creating the Custom Detector: 12. Repeat the process to add the SSL information (for example SSL Host with the same domain name, so HTTPS is recognised by the TLS server name). 13. Click OK.
95 Creating the Custom Detector: 14. Click Save. Remember: Basic detectors perform an OR operation on the detection patterns. In this example, any HTTP or HTTPS connection destined to *.zenbango.com triggers the detector.
96 Activating the Custom Detector. WARNING: activating or deactivating any detector triggers your appliances to restart Snort, which can disrupt network traffic, so schedule it. 15. Find your application detector by selecting the Custom type in the Filters. 16. The new application detector does not function until it is activated by clicking the State slider.
97 Assigning the Custom Detector to Access Control and Intrusion Policy: 17. Tie it all together with an Allow rule (with the Intrusion Policy assigned) for traffic matching the new application, and block all other web traffic to the server. Caveat: the detector keys on the HTTP URL and the TLS server name, so a scanner that supplies the correct hostname still reaches the server but is then IPS-inspected, which is the intent; clients that send no hostname at all (TLS without SNI, HTTP without a Host header) are blocked together with the IP-based scans.
98 OpenAppID and the Intrusion Policy, effectiveness (screenshot not captured).
99 Agenda (next section: Security Intelligence)
100 Security Intelligence Feeds (For Your Reference), some of the built-in SI feeds. Each category exists as an IP address feed, a URL feed, and a DNS feed: Attackers, Bogon, Bots, CnC, Cryptomining (new), Dga, ExploitKit, Malware, Open_proxy, Open_relay, Phishing, Response, Spam, Suspicious, Tor_exit_node.
101 Security Intelligence: go to the appendix for an example of creating a custom Security Intelligence feed.
102 Agenda (next section: SSL Inspection for IPS)
103 SSL Inspection: SSL/TLS-encrypted traffic can be inspected by decrypting it. Decryption can occur off-box, on a dedicated SSL appliance, or on-box within the Firepower software. This session focuses on on-box decryption for inbound traffic. Inbound traffic is decrypted by installing the server's certificate and private key on the device (Decrypt - Known Key). Outbound traffic is decrypted by installing an internal CA certificate that your clients trust and re-signing the servers' certificates on the fly (Decrypt - Resign), which is a man-in-the-middle of your users' TLS sessions.
104 SSL Inspection with Known Key, example: you need both the host's private key and its certificate (.crt). Go to Objects -> PKI -> Internal Certs to add the certificate and key for the host. Check before uploading that the key really matches the certificate, and remember to replace the object whenever the server's certificate is renewed or its key rotated, or decryption for that host fails from then on.
105 SSL Inspection with Known Key, example: create an SSL Policy with a Decrypt - Known Key rule for the associated host using this certificate. Once this is complete, assign the SSL Policy to the Access Control Policy so the decrypted stream is handed to the Intrusion Policy.
106 Complete your online session evaluation: give us your feedback to be entered into a Daily Survey Drawing. Complete your session surveys through the Cisco Live mobile app or on the website. Don't forget: Cisco Live sessions will be available for viewing on demand after the event.
107 Continue Your Education: demos in the Cisco campus; walk-in self-paced labs; Lunch & Learn; Meet the Engineer 1:1 meetings; related sessions.
108 Thank you
109 Additional Slides
110 Security Intelligence Example
111 Security Intelligence Custom Feed An Example A publicly-exposed SSH Server will be continuously probed for weaknesses, as well as brute-force login attempts. Let s use failed login attempts to build our own SI Feed. Internet [blkh4t@wd40 ~]$ ncrack zenbango.com:22 Jan 9 15:42:50 www unix_chkpwd[28658]: SSH Server password check failed for user (root) Jan 9 15:42:57 www unix_chkpwd[28680]: password check failed for user (root) Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don) Jan 9 15:43:25 www unix_chkpwd[28887]: password check failed for user (rich) Jan 9 15:43:31 www unix_chkpwd[28922]: password check failed for user (gary) Jan 9 15:44:33 www unix_chkpwd[29302]: password check failed for user (daemon) Jan 9 15:44:38 www unix_chkpwd[29341]: password check failed for user (kim) Jan 9 15:45:44 www unix_chkpwd[29737]: password check failed for user (operator) Jan 9 15:45:52 www sshd[10694]: Invalid user dan from Jan 9 15:45:54 www unix_chkpwd[29797]: password check failed for user (root) Jan 9 15:46:02 www unix_chkpwd[29842]: password check failed for user (mail) Jan 9 15:46:09 www unix_chkpwd[29878]: password check failed for user (nobody) Jan 9 15:46:31 www unix_chkpwd[30019]: password check failed for user (rich) Jan 9 15:46:31 www unix_chkpwd[30020]: password check failed for user (don) Jan 9 15:46:38 www unix_chkpwd[30065]: password check failed for user (gary) Starting Ncrack 0.5 ( ) at :42 PST BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 111
112 Security Intelligence Custom Feed: An Example
The goal: create your own Security Intelligence feed to block hosts that attempt to log in to your SSH server and fail authentication multiple times.
(Diagram: Internet -> X -> Web Server, SSH Server; the attacker blocked at the edge.)
113 Security Intelligence Custom Feed: Prerequisites
1. The first step is to configure your honeypot with the desired services installed, hardened, and logged. There are a number of tools available to dynamically block or log connection and authentication attempts. Two that work well are fail2ban and denyhosts.
114 Security Intelligence Custom Feed: Prepare the Target
2. In this example, we're using denyhosts to dynamically block SSH attempts after 6 failed login attempts.

/etc/denyhosts.conf (pertinent sections):
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 6
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
RESET_ON_SUCCESS = yes
115 Security Intelligence Custom Feed: Prepare the Target
3. Create a script to parse the blocked IP addresses from denyhosts's output file. /etc/hosts.deny looks like this:
# DenyHosts: Thu Jan 26 22:31: ALL: ALL:
# DenyHosts: Sat Jan 28 10:58: ALL: ALL:
# DenyHosts: Tue Jan 31 09:42: ALL: ALL:
# DenyHosts: Tue Jan 31 19:50: ALL: ALL:
# DenyHosts: Wed Feb 1 16:57: ALL: ALL:

4. Use your favorite scripting language to parse the addresses. This simple Bash script works:
#!/bin/bash
# Drop the "# DenyHosts:" comment lines and keep only the address
# field of each "ALL: <address>" entry, one address per line.
cat /etc/hosts.deny | grep -v '#' | awk '{print $2}' > /var/www/html/sshblock.txt

The output file should be in a directory accessible to your web server. Consider placing it on a different server.
116 Security Intelligence Custom Feed: Prepare the Target
5. Generate some SSH traffic, with failed logins, to make sure you are capturing the addresses. Be careful: denyhosts will by default ban your own IP address in the hosts.deny file, so you will need to know how to clear the blocks. This is a useful site:
6. Make sure to run your script (from Step 4) on a regular basis, for example from a cron job every few minutes.
Resulting /var/www/html/sshblock.txt: one IP address per line.
117 Security Intelligence Custom Feed: Prepare the Target
7. Verify you can download the file with a web browser. It is a good idea to host the file on a server reachable internally only, rather than on one accessible to the outside world.
118 Security Intelligence Custom Feed: Create the Feed
8. On Firepower Management Center (FMC), navigate to Objects -> Security Intelligence -> Network Lists and Feeds. Click Add Network Lists and Feeds in the upper right corner.
119 Security Intelligence Custom Feed: Create the Feed
9. Select Feed, and populate the URL information and Update Frequency. In the current software release, updates are limited to no shorter than every 30 minutes. Click Save.
120 Security Intelligence Custom Feed: Create the Feed
10. In your Access Policy, click the Security Intelligence tab, and add the new feed to the Blacklist. (SSH-Blacklist should be placed here.)
121 Security Intelligence Custom Feed: Create the Feed
11. Verify the blocks are occurring. The reason shown for the block is SSH-Blacklist. Note that the blocks now protect ALL hosts behind the Firepower device, not just those running denyhosts.
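The feed builder from Steps 3 through 6, carried through as an added example (this is not code from the session or from the denyhosts project). It does the same job as the one-line Bash script but validates each address before it reaches the feed, and it can also build the list straight from sshd log lines with a failure threshold, the way denyhosts's DENY_THRESHOLD_INVALID does. The sshd message formats matched by FAILED_RE, the sample hosts.deny and the sample log lines are constructed for the example; real addresses in them are documentation ranges.

```python
"""Build a Firepower Security Intelligence feed file from SSH login failures.

Added example: mirrors the slide's Bash one-liner (parse /etc/hosts.deny
into one address per line) and generalises it to count failures per
source address directly from sshd log lines.
"""
import ipaddress
import re
from collections import Counter

# sshd messages that carry the peer address. The two formats below are an
# assumption about common OpenSSH logging, not something the slides define.
FAILED_RE = re.compile(
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) from (\S+)"
)


def parse_hosts_deny(text):
    """Return unique, valid addresses from a DenyHosts-managed hosts.deny.

    DenyHosts writes a '# DenyHosts: <date> | ALL: <addr>' comment followed
    by an 'ALL: <addr>' entry. Comments, 'ALL: ALL' wildcards and hostnames
    are skipped because an SI feed can only carry IP addresses or CIDRs.
    """
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 1)  # maxsplit=1 keeps IPv6 colons intact
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[1].strip()))
        except ValueError:
            continue
        if ip not in addrs:
            addrs.append(ip)
    return addrs


def failed_login_sources(log_lines, threshold=6):
    """Return the source addresses with >= threshold failed SSH logins.

    threshold=6 matches DENY_THRESHOLD_INVALID in the slide's denyhosts.conf.
    Lines without a parseable address (e.g. unix_chkpwd) are ignored.
    """
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def format_feed(addresses):
    """One address per line: the layout the FMC feed importer expects."""
    return "".join(a + "\n" for a in addresses)


def write_feed(addresses, path):
    """Write the feed file (e.g. /var/www/html/sshblock.txt) and return its size."""
    with open(path, "w") as fh:
        fh.write(format_feed(addresses))
    return len(addresses)


# Constructed sample input; addresses are from documentation ranges.
SAMPLE_HOSTS_DENY = """\
# DenyHosts: Thu Jan 26 22:31:07 2017 | ALL: 203.0.113.5
ALL: 203.0.113.5
# DenyHosts: Sat Jan 28 10:58:41 2017 | ALL: 198.51.100.77
ALL: 198.51.100.77
ALL: ALL
ALL: 203.0.113.5
ALL: 2001:db8::1
"""

SAMPLE_LOG = [
    "Jan  9 15:42:58 www sshd[10692]: Invalid user cypherpunks from 203.0.113.5",
    "Jan  9 15:43:02 www sshd[10693]: Invalid user cdowns from 203.0.113.5",
    "Jan  9 15:43:25 www sshd[10693]: Failed password for invalid user cdowns from 203.0.113.5 port 50122 ssh2",
    "Jan  9 15:43:31 www sshd[10695]: Failed password for gary from 203.0.113.5 port 50130 ssh2",
    "Jan  9 15:44:33 www sshd[10697]: Failed password for root from 203.0.113.5 port 50141 ssh2",
    "Jan  9 15:45:52 www sshd[10694]: Invalid user dan from 203.0.113.5",
    "Jan  9 15:46:02 www sshd[10701]: Failed password for root from 198.51.100.77 port 40010 ssh2",
    "Jan  9 15:46:09 www sshd[10702]: Invalid user mail from 198.51.100.77",
    "Jan  9 15:46:38 www sshd[10710]: Accepted publickey for gary from 192.0.2.10 port 5000 ssh2",
    "Jan  9 15:46:40 www unix_chkpwd[30065]: password check failed for user (gary)",
]

if __name__ == "__main__":
    print(format_feed(parse_hosts_deny(SAMPLE_HOSTS_DENY)), end="")
    print("--")
    print(format_feed(failed_login_sources(SAMPLE_LOG)), end="")
```

Run from cron in place of the Bash script, pointing write_feed at the document root the FMC feed URL fetches. Because the list is rebuilt from scratch each run, an address ages out of the feed as soon as denyhosts purges it (PURGE_DENY = 4w), and the FMC picks that up on its next refresh.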
122 Impact on Different Deployment Methodologies

Deployment                                      Software Bypass                Disruption?
Legacy Firepower (Inline Fail-open)             Enabled                        No
Legacy Firepower (Inline Fail-closed)           Disabled                       Yes
ASA w/ Firepower Services (Fail-open)           Enabled                        No
ASA w/ Firepower Services (Fail-closed)         Disabled                       Yes
FTD Routed or Transparent Mode (Stand Alone)    N/A                            Yes
FTD Routed or Transparent Mode (HA)             N/A                            Yes
FTD Routed or Transparent Mode (Cluster)        Deployed to Slave Node First   Maybe
FTD Inline (Fail-open)                          Enabled                        No
FTD Inline (Fail-closed)                        Disabled                       Yes
123 Firepower
Traditional Firepower appliances use Firepower software. Examples: FP-7050, FP-7125, FP-8130, FP-8250, FP-8370, Firepower Virtual IPS.
124 ASA with Firepower Services
ASA with Firepower Services uses traditional ASA software plus a hardware or virtual IPS module running Firepower software. Often referred to as ASA+SFR. Examples: ASA-5506-X, ASA-5525-X, ASA-5545-X, ASA-5585-X.
125 Firepower Threat Defense
Firepower Threat Defense (FTD) software combines ASA and Firepower features into a single software image. It is available on newer Firepower appliances and most ASA-5500-X models. Examples: ASA-5506-X, ASA-5545-X, FP-2110, FP-4140, FP-9300, NGFWv, but NOT the ASA-5585-X.
126 Routed / Transparent Mode (Firepower Threat Defense)
(Diagram: VLAN 10 | FTD | VLAN 20)
The appliance is installed in either Routed or Transparent mode. This is a global setting.
Routed: Interfaces belong to different L3 networks.
Transparent: Interfaces belong to different L2 networks (different VLANs).
127 Passive Mode (Firepower Threat Defense, Firepower, ASA with Firepower Services)
Passive: A promiscuous interface receives copies of traffic from a SPAN port or TAP. Passive interfaces are available regardless of whether the appliance is installed in Transparent or Routed mode.
128 Inline Pair Mode (Firepower Threat Defense or Firepower)
(Diagram: VLAN 10 | inline pair | VLAN 10)
Inline Pair: Traffic passes from one member interface to the other without changing either VLAN or L3 network; it functions as a smart wire. Inline Pairs are available regardless of whether the appliance is installed in Transparent or Routed mode. Interfaces can also be 802.1q trunks.
129 Inline Pair Mode (Firepower Threat Defense or Firepower)
Inline Set: A grouping of two or more Inline Pairs.
130 Inline Pair Mode (Firepower Threat Defense or Firepower)
Inline TAP: Traffic passes from one member interface to the other without changing either VLAN or L3 network. As traffic passes, it is copied to the inspection engine, so traffic cannot be blocked. Inline TAP pairs are available regardless of whether the appliance is installed in Transparent or Routed mode.
131 The Problem with Asymmetric Traffic
Asymmetric traffic flows prevent a security device from seeing the full traffic flow. For best results, design your network to force symmetry.
(Diagram: Internet, two paths, Web Server)
132 Clustering
If you are using Firepower Threat Defense (FTD) or ASA with Firepower Services (ASA+SFR), Inter-Chassis Clustering is a great option. Clustering enables multiple security appliances to function as a single device and support asymmetric traffic flows, while also providing N+1 redundancy.
(Diagram: Internet, clustered appliances, Web Server)
FTD supports Inter-Chassis Clustering in 6.2 and later software, on FP-4100 and FP-9300 appliances.
More informationASA Access Control. Section 3
[ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look
More informationO365 Solutions. Three Phase Approach. Page 1 34
O365 Solutions Three Phase Approach msfttechteam@f5.com Page 1 34 Contents Use Cases... 2 Use Case One Advanced Traffic Management for WAP and ADFS farms... 2 Use Case Two BIG-IP with ADFS-PIP... 3 Phase
More informationUpdating to Version 6.2.2
Before you begin the update, you must thoroughly read and understand these release notes, especially Before You Update: Important Notes and Pre-Update Readiness Checks. If you are unsure whether you should
More informationThe Intrusion Rules Editor
The following topics describe how to use the intrusion rules editor: An Introduction to Intrusion Rule Editing, page 1 Rule Anatomy, page 2 Custom Rule Creation, page 14 Searching for Rules, page 20 Rule
More informationNew methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall
New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall Claudiu Onisoru, Senior Network Specialist Cisco Connect - 15 May 2014 1 Agenda Frontal Communication: Who
More information