Advanced IPS Deployment


2 Advanced IPS Deployment Gary Halleen, Technical Solutions Architect BRKSEC-3300

3 About your Speaker Gary Halleen Technical Solutions Architect Cisco Global Security Sales Organization

4 Oregon Pacific Wonderland

5 Some of My Hobbies

6 Cisco Firepower Sessions: Building Blocks
BRKSEC-2056 Threat Centric Network Security, Tuesday 11:15
BRKSEC-2050 ASA Firepower NGFW typical deployment scenarios, Tuesday 14:15
BRKSEC-2058 A Deep Dive into using the Firepower Manager, Tuesday 16:45
BRKSEC-3032 NGFW Clustering Deep Dive, Wednesday 9:00
BRKSEC-3035 Firepower Platform Deep Dive, Thursday 9:00
BRKSEC-3455 Dissecting Firepower NGFW (FTD+FPS), Friday 9:00
BRKSEC-3300 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

7 Agenda
IPS Deployment Modes
Policy Interaction and Firepower Recommendations
Importing Snort Rules
Bypass Options
Asymmetric Traffic
OpenAppID
Using Security Intelligence to Improve IPS
SSL Inspection for IPS

8 Introduction This session covers Firepower 6.x, managed with Firepower Management Center (FMC).

9 Introduction For the purposes of this session, all of these terms have the same meaning: Firepower, Firepower Threat Defense, ASA with Firepower Services, Firepower AMP. Some slides are marked For Your Reference; they will be covered lightly unless there are questions.

10 Agenda: IPS Deployment Modes

11 Firepower Traditional Firepower appliances use Firepower software. Examples: FP-7050, FP-7125, FP-8130, FP-8250, FP-8370, Firepower Virtual IPS.

12 ASA with Firepower Services ASA with Firepower Services uses traditional ASA software plus a hardware or virtual IPS module running Firepower software. Often referred to as ASA+SFR. Examples: ASA-5506-X, ASA-5545-X, ASA-5585-X.

13 Firepower Threat Defense Firepower Threat Defense (FTD) software combines ASA and Firepower features into a single software image. It is available on the newer Firepower appliances and on most ASA-5500-X models. Examples: ASA-5506-X, ASA-5545-X, FP-2100, FP-4100, FP-9300, NGFWv (but not the ASA-5585-X).

14 Routed / Transparent Mode (Firepower Threat Defense) The appliance is installed in either Routed or Transparent mode; this is a global setting. Routed: interfaces belong to different L3 networks and the appliance routes between them. Transparent: interfaces are bridged, so the two sides (VLAN 10 and VLAN 20 in the diagram) are different L2 segments of the same L3 network.

15 Passive Mode (Firepower Threat Defense, Firepower, ASA with Firepower Services) Passive: a promiscuous interface receives copies of traffic from a SPAN port or TAP. Passive interfaces are available regardless of whether the appliance is installed in Transparent or Routed mode.

16 Inline Pair Mode (Firepower Threat Defense or Firepower) Inline Pair: traffic passes from one member interface to the other without changing either VLAN or L3 network (VLAN 10 on both sides in the diagram). It functions as a smart wire. Inline Pairs are available regardless of whether the appliance is installed in Transparent or Routed mode. The interfaces can also be 802.1q trunks.

17 Inline Set (Firepower Threat Defense or Firepower) Inline Set: a grouping of two or more Inline Pairs.

18 Inline TAP (Firepower Threat Defense or Firepower) Inline TAP: traffic passes from one member interface to the other without changing either VLAN or L3 network, exactly as in an Inline Pair, but as it passes it is copied to the inspection engine. Because inspection only sees a copy, traffic cannot be blocked; this is a detection-only mode, useful for validating a policy before switching an Inline Pair to blocking. Inline TAP is available regardless of whether the appliance is installed in Transparent or Routed mode.

19 Agenda: Policy Interaction and Firepower Recommendations

20 Firepower Policies: Access Control, Intrusion, Malware & File, DNS, Identity, SSL, Prefilter, Network Discovery, Network Analysis, Correlation, Health.

21 Policy Order of Operation (in evaluation order): Prefilter (FTD only), DNS, Identity, SSL, Access Control, Intrusion, File.

22 Intrusion Policy The Intrusion Policy defines which Snort rules are used in packet inspection, as well as the configuration of the Preprocessors.

24 Intrusion Policy: Understanding the Connectivity Over Security base policy. CVSS Score: 10. Vulnerability Age: current year and 2 prior years (2017, 2016, and 2015).

25 Intrusion Policy: Understanding the Balanced Security and Connectivity base policy. CVSS Score: 9 and greater. Vulnerability Age: current year and 2 prior years (2017, 2016, and 2015). Rule Categories: Malware-CNC, Blacklist, SQL Injection, Exploit-Kit.

26 Intrusion Policy: Understanding the Security Over Connectivity base policy. CVSS Score: 8 and greater. Vulnerability Age: current year and 3 prior years (2017, 2016, 2015, and 2014). Rule Categories: Malware-CNC, Blacklist, SQL Injection, Exploit-Kit, App-Detect.

27 Intrusion Policy: Understanding the Maximum Detection base policy. CVSS Score: 7.5 and greater. Vulnerability Age: 2005 and later. Rule Categories: Malware-CNC, Exploit-Kit. The Maximum Detection policy favors detection over rated throughput; in some situations it can and will cause significant throughput reductions. Cisco Talos continues to recommend the Balanced Security and Connectivity policy for most networks, and the Security Over Connectivity policy for customers with more rigorous security requirements.

28 Intrusion Policy You can manually enable or disable individual rules, or configure their actions.

29 Intrusion Policy There are several ways to search for rules.

31 Network Discovery Policy The Network Discovery Policy identifies which networks Firepower should learn from. This is useful for applications, and especially for maintaining the Firepower Recommended Rules in the Intrusion Policy.

32 Intrusion Policy and Network Discovery Policy Firepower Recommended Rules automatically tunes your Snort rules for the applications, servers, and hosts discovered on your network. If you would like a different Intrusion Policy for areas of your network, you can define them here.

36 Access Control Policy Traffic must match in the Access Control Policy in order to be inspected. For a simple IPS deployment, you can use the Default Action.

37 Access Control Policy In an NGFW deployment, the Default Action will likely be Block All Traffic. An Intrusion Policy then needs to be defined for each Allow action.

38 Access Control Policy If you need, different Allow rules can have different Intrusion Policies assigned.

39 Agenda: Importing Snort Rules

40 Snort Rules All Firepower intrusion rules are Snort rules. Cisco provides regular rule updates, and these are typically applied automatically. Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion Rules -> Create Rule), or they can be imported.

41 Snort Rules
1. Each Snort rule MUST be a single line, with no special (control) characters, in ASCII or UTF-8.
2. The import file can contain many rules, as long as there is one rule per line.
3. Many Emerging Threats rules use deprecated syntax (the threshold rule option). If you are importing ET rules, you will need to correct or remove these rules first: threshold has been replaced with detection_filter.
4. A rule SHOULD not carry a SID, but one is allowed.
Example, all on ONE line:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid: ; rev:2;)
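Added Python example (not from the slides or from Cisco) that pre-flights a rule file against the four requirements above before you upload it: it folds backslash continuations back onto one line, rejects control characters and fragments, and rewrites the deprecated threshold option. One caveat the slide glosses over: detection_filter only has the semantics of threshold type threshold (fire once count events occur within seconds); type limit and type both have no rule-option equivalent in Snort and are handed back for manual conversion rather than silently changed. The sample rules, including their SIDs, are constructed for the demonstration.

```python
import re

# Constructed sample rule file (not from the slides): one clean rule, one
# deprecated 'threshold' that converts cleanly, one that does not, and one
# split across two lines with a Snort continuation backslash.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST one-line rule"; flow:established,to_server; content:"Havij"; http_header; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"TEST ssh burst"; flow:to_server; flags:S; threshold: type threshold, track by_src, count 10, seconds 60; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"TEST ssh limit"; flow:to_server; flags:S; threshold: type limit, track by_src, count 1, seconds 60; classtype:attempted-recon; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TEST telnet"; \
  flow:to_server; content:"login"; classtype:attempted-recon; sid:1000004; rev:1;)
'''

THRESHOLD_RE = re.compile(
    r"threshold:\s*type\s+(?P<type>\w+)\s*,\s*track\s+(?P<track>by_src|by_dst)"
    r"\s*,\s*count\s+(?P<count>\d+)\s*,\s*seconds\s+(?P<seconds>\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s")
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")   # anything FMC would call a special character


def join_continuations(text):
    """Snort lets a rule span lines with a trailing backslash; FMC wants one
    rule per line, so fold continuation lines back onto the rule."""
    return re.sub(r"\\\n\s*", " ", text)


def convert_threshold(rule):
    """Rewrite the deprecated 'threshold' option as 'detection_filter'.

    Only 'type threshold' (fire after count hits within seconds) has the same
    meaning as detection_filter. 'type limit' and 'type both' are suppression
    semantics that Snort now expresses with event_filter in the config, not in
    the rule, so those are reported for manual work rather than guessed at.
    Returns (rule, None) on success or (rule, reason) when a human is needed."""
    m = THRESHOLD_RE.search(rule)
    if not m:
        return rule, None
    if m.group("type") != "threshold":
        return rule, "threshold type %r needs manual conversion" % m.group("type")
    repl = "detection_filter: track %s, count %s, seconds %s;" % (
        m.group("track"), m.group("count"), m.group("seconds"))
    return rule[:m.start()] + repl + rule[m.end():], None


def prepare_rules(text):
    """Return (ready_rules, rejected) where rejected holds (line, rule, reason)."""
    ready, rejected = [], []
    for lineno, line in enumerate(join_continuations(text).splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        if CONTROL_RE.search(rule):
            rejected.append((lineno, rule, "contains control characters"))
            continue
        if not ACTION_RE.match(rule) or not rule.endswith(")"):
            rejected.append((lineno, rule, "not a complete single-line rule"))
            continue
        rule, reason = convert_threshold(rule)
        if reason:
            rejected.append((lineno, rule, reason))
            continue
        ready.append(rule)
    return ready, rejected


if __name__ == "__main__":
    ok, bad = prepare_rules(SAMPLE_RULES)
    print("\n".join(ok))                       # this is what you upload
    for lineno, _, reason in bad:
        print("line %d: %s" % (lineno, reason))
```

Run it over the real ET file and upload only the `ready` output; work through the rejected list by hand, since a `type limit` rule that is blindly turned into a `detection_filter` will fire far more often than its author intended.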

42 Importing Snort Rules Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules and click Import Rules.

43 Importing Snort Rules Click Browse to locate your file, then click Import.

44 Importing Snort Rules If the import succeeds, you will see a screen listing what was imported. If it fails, the Rule Update Log tells you what was wrong with the file. SID numbers are partitioned by source: Cisco (Talos) rules, Emerging Threats rules, and Local Rules each occupy their own range, so a rule's SID tells you where it came from.

45 Enabling Snort Rules Remember, all imported rules are disabled by default. You need to enable them in the Intrusion Policy.

46 Agenda: Bypass Options

47 Bypass Options
Fail-to-Wire Interfaces: bypass traffic upon appliance failure, including loss of power.
Automatic Application Bypass: restarts the Snort processes upon degraded performance.
Intelligent Application Bypass: application-specific acceleration of defined applications if performance is degraded.
Trust Rules: accelerate defined traffic but still apply Security Intelligence.
Prefilter Policy: bypass deep inspection and Security Intelligence based on Port / Protocol / IP Address / Zone.

48 Fail to Wire Interfaces Fail-to-Wire interfaces (a fail-to-wire NetMod) allow traffic to pass through in case of appliance failure or loss of power. Available on FP-9300, FP-4100, FP-2100, and the FP-7000, 7100, 8100, 8200, and 8300 IPS appliances. Fail-to-Wire requires an Inline Set, Inline Pair, or Inline TAP deployment.

49 Automatic Application Bypass Detects Snort failures or degraded performance and triggers a restart of all Snort processes. Disabled by default.

50 Intelligent Application Bypass Detects degraded performance within an application. If that application is trusted, you can configure it to automatically bypass inspection for that application and accelerate the traffic.

52 Trust Rules Within the Access Control Policy, defined traffic can be exempted from File and IPS inspection, which accelerates it through the appliance. Basing the rule on source/destination port and IP addresses is most effective. Security Intelligence feeds are still applied to Trust rules.

53 Prefilter Policy Prefilter rules are processed before the Access Control Policy, and therefore before Intrusion Prevention. If traffic can be defined by Zone, Network, and Port (similar to an ASA rule), it can be Fastpathed. This is similar to a Trust rule, except that Security Intelligence is not applied either. Prefilter rules require Firepower Threat Defense.

54 Agenda: Asymmetric Traffic

55 The Problem with Asymmetric Traffic Asymmetric traffic flows prevent a security device from seeing the full traffic flow. For best results, design your network to force symmetry.

56 Clustering If you are using Firepower Threat Defense (FTD) or ASA with Firepower Services (ASA+SFR), Inter-Chassis Clustering is a great option. Clustering enables multiple security appliances to function as a single device and to support asymmetric traffic flows, while also providing N+1 redundancy. FTD supports Inter-Chassis Clustering in 6.2 and later software, on FP-4100 and FP-9300 appliances.

57 Agenda: OpenAppID

58 OpenAppID Cisco's open source application-layer plugin for Snort and Firepower. OpenAppID uses the Lua programming language to identify applications. Attributes it can look at include:
ASCII or hex patterns and offset
HTTP User Agent
HTTP URL
HTTP Content Type
SSL Host
SSL Organization Unit
SSL Common Name
SIP Server
SIP User Agent
RTMP URL Pattern

59 OpenAppID Most internal Firepower Application Detectors are included in the Snort OpenAppID rules, including their Lua source code.

60 OpenAppID Application Coverage Website Visit this public site to find information about existing Firepower application detectors.

61 OpenAppID within Firepower: Application Detectors All Application Detectors in Firepower 6.0 and later use OpenAppID. Custom Application Detectors can be created here as well.

62 OpenAppID within Firepower: Basic Application Detectors FMC provides a wizard for creating Basic detectors. Advanced detectors require you to upload the Lua file.

63 OpenAppID within Firepower: Advanced Application Detectors (For Your Reference)

64 OpenAppID Example with Intrusion Policy

65 OpenAppID and the Intrusion Policy: An Example A lot of noise is created in the intrusion logs of any IDS/IPS product by automated scripts searching for vulnerable systems and trying generic attacks. The slide illustrates it with a scanner run against the web server's address:
[blkh4t@wd40 ~]$ hackerw3bscan v
Ports open: tcp/80, tcp/443
Server: apache
Vulnerabilities found: CVE SSL Bypass, CVE HTTP2 DOS

66 OpenAppID and the Intrusion Policy: An Example These scans or attacks against your IP addresses may or may not be successfully blocked by your IPS devices. Either way, they generate noise in your logs. Question: is there a legitimate reason for Internet users to access your server(s) by IP address instead of by FQDN?

67 OpenAppID and the Intrusion Policy: An Example The goal: block all web traffic that targets an IP address rather than the correct hostname, and use the Intrusion Policy to inspect the legitimate traffic. The same scanner then sees nothing:
[blkh4t@wd40 ~]$ hackerw3bscan v
No web server found!

68 OpenAppID and the Intrusion Policy: Creating the Custom Detector 1. From the Application Detectors screen, click the button to Create Custom Detector.

69 OpenAppID and the Intrusion Policy: Creating the Custom Detector 2. Click the Add button.

70 OpenAppID and the Intrusion Policy: Creating the Custom Detector 3. Complete the required fields to name your custom application. 4. Click OK.

71 OpenAppID and the Intrusion Policy: Creating the Custom Detector 5. Enter the same Name and Description as in the previous step, and select the Application you just created from the pulldown menu. 6. Leave the Detector_Type as Basic. 7. Click OK.

72 OpenAppID and the Intrusion Policy: Creating the Custom Detector 8. Click Add to add Detection Patterns. This is where we define what the application looks like to Firepower.

73 OpenAppID and the Intrusion Policy: Creating the Custom Detector 9. Select HTTP from the Protocol pulldown menu, and URL as the Type. 10. Enter your domain name. 11. Click OK.

74 OpenAppID and the Intrusion Policy: Creating the Custom Detector 12. Repeat the process to add the SSL information. 13. Click OK.

75 OpenAppID and the Intrusion Policy: Creating the Custom Detector 14. Click Save. Remember: Basic detectors perform an OR operation across their Detection Patterns. In this example, any HTTP or HTTPS connection destined to *.zenbango.com will trigger the detector.

76 OpenAppID and the Intrusion Policy: Activating the Custom Detector 15. You can find your Application Detector by selecting the Custom type in the Filters. 16. The new Application Detector will not function until it is activated by clicking the State slider. WARNING: activating or deactivating any detector triggers your appliances to restart Snort, which is potentially disruptive to your network traffic.

77 OpenAppID and the Intrusion Policy: Assigning the Custom Detector to Access Control and Intrusion Policy 17. Tie it all together with an Allow rule (with an Intrusion Policy assigned) for traffic matching the new application, and block all other traffic. Requests that reach the web server by IP address match no detector, so they fall to the Block rule and never reach Snort.
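Added Python example (not from the slides, and not OpenAppID's Lua) standing in for what the custom detector plus the Access Control rule do to a flow. It extracts the requested hostname the way a detector can see it, from the HTTP Host header for cleartext and from the TLS Server Name Indication in the ClientHello for HTTPS, then allows only names under zenbango.com (the slides' example domain; treating the bare apex as allowed is my assumption). A scanner that targets the IP address sends a literal address, or no SNI at all, so it falls to Block. The ClientHello builder exists only to construct sample input.

```python
import struct

ALLOWED_DOMAIN = "zenbango.com"   # domain from the slides' example

# Constructed sample flows (not from the slides).
REQUEST_BY_NAME = b"GET /index.html HTTP/1.1\r\nHost: www.zenbango.com\r\nUser-Agent: x\r\n\r\n"
REQUEST_BY_IP = b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"   # what an IP-sweeping scanner sends


def host_allowed(name):
    """True when the requested name is *.zenbango.com (or the apex, by assumption).
    A literal IP address, or no name at all, never matches: that is what turns
    IP-based scanners away before any Snort rule has to fire."""
    if not name:
        return False
    host = name.lower().rstrip(".").split(":")[0]      # drop an explicit port
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def http_host(data):
    """Return the Host header of a cleartext HTTP request, or None."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:               # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello, optionally with an SNI extension,
    purely so tls_sni() below has realistic bytes to parse."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(lst)) + lst        # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                  # client_version, random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(data):
    """Return the server_name from a ClientHello, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:        # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                            # record hdr, hs hdr, version, random
        p += 1 + data[p]                              # session_id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]  # cipher_suites
        p += 1 + data[p]                              # compression_methods
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if etype == 0x0000:
                q = p + 2                             # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:
                        return data[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def decide(flow):
    """'allow' (hand to the Intrusion Policy) or 'block', per the slides' rule pair."""
    name = tls_sni(flow) if flow[:1] == b"\x16" else http_host(flow)
    return "allow" if host_allowed(name) else "block"


if __name__ == "__main__":
    for label, flow in (("by name", REQUEST_BY_NAME), ("by IP", REQUEST_BY_IP),
                        ("TLS with SNI", build_client_hello("shop.zenbango.com")),
                        ("TLS without SNI", build_client_hello(None))):
        print("%-16s %s" % (label, decide(flow)))
```

Note what the model makes explicit: the HTTPS side of the detector relies on the client naming the server in the clear (SNI, or the certificate CN/OU on the server side), which is exactly what a hostname-less scan lacks.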

78 OpenAppID and the Intrusion Policy: Effectiveness

81 Agenda: Using Security Intelligence to Improve IPS

82 Security Intelligence Refresher Security Intelligence (SI) refers to the ability to use data feeds to identify IP addresses, URLs, and DNS names that act maliciously. In Firepower, SI is commonly used to block hosts known to attack others, as well as hosts known to serve malware. Can SI be used to enhance the effectiveness of an IPS?

83 Security Intelligence Feeds (For Your Reference) Some of the built-in SI feeds:
IP Address: Attackers, Bogon, Bots, CnC, Dga, ExploitKit, Malware, Open_proxy, Open_relay, Phishing, Response, Spam, Suspicious, Tor_exit_node
URL: URL Attackers, URL Bogon, URL Bots, URL CnC, URL Dga, URL Exploitkit, URL Malware, URL Open_proxy, URL Open_relay, URL Phishing, URL Response, URL Spam, URL Suspicious, URL Tor_exit_node
DNS: DNS Attackers, DNS Bogon, DNS Bots, DNS CnC, DNS Dga, DNS Exploitkit, DNS Malware, DNS Open_proxy, DNS Open_relay, DNS Phishing, DNS Response, DNS Spam, DNS Suspicious, DNS Tor_exit_node

84 Security Intelligence Example

85 Security Intelligence Custom Feed: An Example A publicly exposed SSH server will be continuously probed for weaknesses and subjected to brute-force login attempts. Let's use the failed login attempts to build our own SI feed. The attacker's side:
[blkh4t@wd40 ~]$ ncrack zenbango.com:22
Starting Ncrack 0.5 ( ) at :42 PST
What the SSH server logs (source addresses omitted in the slide):
Jan 9 15:42:50 www unix_chkpwd[28658]: password check failed for user (root)
Jan 9 15:42:57 www unix_chkpwd[28680]: password check failed for user (root)
Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from
Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from
Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don)
Jan 9 15:43:25 www unix_chkpwd[28887]: password check failed for user (rich)
Jan 9 15:43:31 www unix_chkpwd[28922]: password check failed for user (gary)
Jan 9 15:44:33 www unix_chkpwd[29302]: password check failed for user (daemon)
Jan 9 15:44:38 www unix_chkpwd[29341]: password check failed for user (kim)
Jan 9 15:45:44 www unix_chkpwd[29737]: password check failed for user (operator)
Jan 9 15:45:52 www sshd[10694]: Invalid user dan from
Jan 9 15:45:54 www unix_chkpwd[29797]: password check failed for user (root)
Jan 9 15:46:02 www unix_chkpwd[29842]: password check failed for user (mail)
Jan 9 15:46:09 www unix_chkpwd[29878]: password check failed for user (nobody)
Jan 9 15:46:31 www unix_chkpwd[30019]: password check failed for user (rich)
Jan 9 15:46:31 www unix_chkpwd[30020]: password check failed for user (don)
Jan 9 15:46:38 www unix_chkpwd[30065]: password check failed for user (gary)

86 Security Intelligence Custom Feed: An Example The goal: create your own Security Intelligence feed to block hosts that attempt to log in to your SSH server and fail authentication multiple times.

87 Security Intelligence Custom Feed: Prerequisites 1. The first step is to configure your honeypot with the desired services installed, hardened, and logged. There are a number of tools available to dynamically block or log connection and authentication attempts. Two that work well are fail2ban and denyhosts.

88 Security Intelligence Custom Feed: Prepare the Target 2. In this example, we use denyhosts to dynamically block SSH attempts after 6 failed logins. Pertinent sections of /etc/denyhosts.conf:
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 6
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
RESET_ON_SUCCESS = yes

89 Security Intelligence Custom Feed: Prepare the Target 3. Create a script to parse the blocked IP addresses out of denyhosts' own list. Each line of /var/lib/denyhosts/hosts-restricted is address:count:timestamp; the slide shows lines such as these (addresses omitted):
:0:Sat Oct 22 06:08:
:0:Wed Oct 19 07:30:
:0:Fri Oct 21 13:53:
:0:Wed Oct 19 07:31:
:0:Wed Oct 19 07:31:
The output file should be in a directory served by your web server. Consider placing it on a different server.
4. Use your favorite scripting language to parse the addresses. This simple Bash script works; the grep -v is an inverse match that excludes source addresses in your own internal network, so that your own hosts never end up in the blacklist. The pattern used on the slide is not shown, so set it for your network (or remove the grep if you do not need it):
#!/bin/bash
# Inverse match: drop anything inside your own address space. Set this pattern for your network.
internal_net='REPLACE_WITH_YOUR_INTERNAL_PREFIX'
awk -F: '{print $1}' /var/lib/denyhosts/hosts-restricted | grep -v "$internal_net" > /var/www/html/sshblock.txt

90 Security Intelligence Custom Feed: Prepare the Target 5. Generate some SSH traffic with failed logins to make sure you are capturing the addresses. Be careful: denyhosts will by default ban your own IP address in hosts.deny, so you need to know how to clear the blocks before you start. 6. Run your script (from Step 4) on a regular basis with a cron job, every few minutes or so. If everything works, /var/www/html/sshblock.txt should contain one IP address per line.

91 Security Intelligence Custom Feed: Prepare the Target 7. Verify that you can download the file with a web browser. It is a good idea to host the file on a server reachable only internally, rather than one accessible from the outside world.

92 Security Intelligence Custom Feed: Create the Feed 8. On Firepower Management Center (FMC), navigate to Objects -> Security Intelligence -> Network Lists and Feeds. Click Add Network Lists and Feeds in the upper right corner.

93 Security Intelligence Custom Feed: Create the Feed 9. Select Feed, and populate the URL and Update Frequency. In the current software release the update interval cannot be shorter than every 30 minutes, so expect a lag of up to that interval between denyhosts banning a source and the feed blocking it network-wide. Click Save.

94 Security Intelligence Custom Feed: Create the Feed 10. In your Access Control Policy, click the Security Intelligence tab and add the new feed (SSH-Blacklist in this example) to the Blacklist.

95 Security Intelligence Custom Feed: Create the Feed 11. Verify that the blocks are occurring; the Reason shown for each block is SSH-Blacklist. The blocks now protect ALL hosts behind the Firepower device, not just the one running denyhosts.
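Added Python example (not from the slides) covering steps 3 through 7 in one place: it reads denyhosts' hosts-restricted, additionally counts sshd failures straight from the secure log so the feed does not depend on denyhosts alone (that part goes beyond the slides), drops anything in your own address space, and emits the one-address-per-line file the FMC feed expects. The log lines and the hosts-restricted content are constructed; excluding RFC 1918 and loopback space is my stand-in for the slide's internal-network grep -v pattern.

```python
import ipaddress
import re
from collections import Counter

# Constructed inputs (not from the slides). denyhosts writes one
# "address:count:timestamp" line per restricted host; sshd lines are from /var/log/secure.
DENYHOSTS_RESTRICTED = """\
198.51.100.23:0:Sat Oct 22 06:08:11 2016
203.0.113.7:0:Wed Oct 19 07:30:02 2016
10.1.2.3:0:Fri Oct 21 13:53:40 2016
not-an-ip:0:Wed Oct 19 07:31:00 2016
"""

AUTH_LOG = """\
Jan  9 15:42:58 www sshd[10692]: Invalid user cypherpunks from 192.0.2.44 port 51010
Jan  9 15:43:02 www sshd[10693]: Invalid user cdowns from 192.0.2.44 port 51014
Jan  9 15:43:25 www sshd[10694]: Failed password for root from 192.0.2.44 port 51022 ssh2
Jan  9 15:45:52 www sshd[10695]: Invalid user dan from 192.0.2.44 port 51026
Jan  9 15:45:54 www sshd[10696]: Failed password for invalid user test from 192.0.2.44 port 51030 ssh2
Jan  9 15:46:00 www sshd[10697]: Failed password for root from 192.0.2.44 port 51034 ssh2
Jan  9 15:46:02 www sshd[10698]: Failed password for gary from 198.51.100.9 port 40000 ssh2
Jan  9 15:46:09 www sshd[10699]: Failed password for root from 198.51.100.9 port 40001 ssh2
Jan  9 15:46:31 www sshd[10700]: Accepted publickey for gary from 10.0.0.5 port 50000 ssh2
"""

# Assumption: never feed your own address space into the blacklist. The slide's
# grep -v excluded the author's internal network; RFC 1918 and loopback stand in for it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Both sshd failure shapes: "Failed password for [invalid user] X from IP" and "Invalid user X from IP".
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_denyhosts(text):
    """First colon-separated field of each hosts-restricted line, if it parses as an IP."""
    out = []
    for line in text.splitlines():
        candidate = line.split(":", 1)[0].strip()
        try:
            out.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue          # header junk or a corrupted line, skip rather than poison the feed
    return out


def parse_auth_log(text, threshold):
    """Count sshd authentication failures per source; keep sources at or over threshold."""
    counts = Counter(m.group(1) for m in FAILURE_RE.finditer(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def is_external(ip_str, internal=INTERNAL_NETS):
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in internal)


def build_feed(denyhosts_text, auth_text, threshold=6):
    """One address per line, deduplicated, internal space removed, sorted numerically.
    threshold=6 mirrors DENY_THRESHOLD_INVALID in the slide's denyhosts.conf."""
    addrs = set(parse_denyhosts(denyhosts_text)) | set(parse_auth_log(auth_text, threshold))
    external = [a for a in addrs if is_external(a)]
    return [str(a) for a in sorted(ipaddress.ip_address(a) for a in external)]


if __name__ == "__main__":
    # In production, read the real files and redirect this into the web root the feed URL points at.
    print("\n".join(build_feed(DENYHOSTS_RESTRICTED, AUTH_LOG)))
```

Run it from cron and redirect the output to the web root the feed URL points at, as in Step 6. Because the two sources are unioned, an address banned by denyhosts stays in the feed after its log lines rotate out, and the address validation means a malformed line can never turn into a feed entry FMC rejects.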

96 Security Intelligence Example 2

97 Security Intelligence Custom Feed: Summary (For Your Reference) Security Intelligence is a great way to automate blocking of sources and destinations, whether IP-based or DNS/URL-based. Some useful feeds you might consider:
Cisco Talos IP Blacklist
Malc0de Blacklist
SANS Suspicious Domains: High Sensitivity, Medium Sensitivity, Low Sensitivity

98 Custom Security Intelligence Feed Example: SANS Suspicious Domains

99 Cisco Threat Intelligence Director (CTID) Uses the customer's own threat intelligence to identify threats; automatically blocks supported indicators on Cisco NGFW; provides a single integration point for all STIX and CSV intelligence sources.

100 Agenda: SSL Inspection for IPS

101 SSL Inspection SSL-encrypted traffic can be inspected by decrypting it. Decryption can occur off-box, on a dedicated SSL appliance, or on-box, within the Firepower software. This session focuses on on-box decryption of inbound traffic.
Inbound traffic: decrypted by installing the server's SSL certificate and private key on the Firepower device (known-key decryption). This only works for servers whose keys you hold, and a device that holds only the server's key cannot decrypt a session negotiated with an ephemeral (DHE/ECDHE) key exchange unless it takes part in the handshake inline.
Outbound traffic: decrypted by installing a CA certificate that your clients trust and re-signing the server certificates, that is, a controlled man-in-the-middle of your users' SSL traffic.

102 SSL Inspection with Known Key: Example You need both the host's private key and its .crt file. Go to Objects -> PKI -> Internal Certs to add the certificate information for the host.

103 SSL Inspection with Known Key: Example Create an SSL Policy that decrypts traffic with this known key for the associated host. Once this is complete, add the SSL Policy to the Access Control Policy.

104 SSL Inspection Caveat! I recommend NOT performing SSL inspection on an ASA with Firepower Services if the ASA is also performing NAT: the Access Control Policy configuration is difficult in the current software version.

105 Agenda (wrap-up)

106 Complete Your Online Session Evaluation Please complete your online session evaluations after each session. Complete 4 session evaluations and the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations. Don't forget: Cisco Live sessions will be available for on-demand viewing after the event at CiscoLive.com/Online.

107 Continue Your Education Demos in the Cisco campus; Walk-in Self-Paced Labs; Lunch & Learn; Meet the Engineer 1:1 meetings; Related sessions.

108 Q & A

109 Thank You



More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Adding Devices to the Firepower Management

More information

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Cisco Firepower NGFW. Anticipate, block, and respond to threats Cisco Firepower NGFW Anticipate, block, and respond to threats You have a mandate to build and secure a network that supports ongoing innovation Mobile access Social collaboration Public / private hybrid

More information

The following topics describe how to manage various policies on the Firepower Management Center:

The following topics describe how to manage various policies on the Firepower Management Center: The following topics describe how to manage various policies on the Firepower Management Center: Policy Deployment, page 1 Policy Comparison, page 11 Policy Reports, page 12 Out-of-Date Policies, page

More information

Access Control Using Intrusion and File Policies

Access Control Using Intrusion and File Policies The following topics describe how to configure access control policies to use intrusion and file policies: About Deep Inspection, page 1 Access Control Traffic Handling, page 2 File and Intrusion Inspection

More information

Connection Logging. Introduction to Connection Logging

Connection Logging. Introduction to Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections

More information

Connection Logging. About Connection Logging

Connection Logging. About Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: About, page 1 Strategies, page 2 Logging Decryptable Connections with SSL

More information

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management). Contents Introduction Prerequisites Requirements Components Used Background Information Outbound SSL Decryption Inbound SSL Decryption Configuration for SSL Decryption Outbound SSL decryption (Decrypt

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, page 1 Remote Management Configuration, page 2 Adding Devices to the Firepower Management Center,

More information

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS Pass4sure.500-285.42q Number: 500-285 Passing Score: 800 Time Limit: 120 min File Version: 6.1 Cisco 500-285 Securing Cisco Networks with Sourcefire IPS I'm quite happy to announce that I passed 500-285

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, page 1 The User

More information

Deploying Intrusion Prevention Systems

Deploying Intrusion Prevention Systems Deploying Intrusion Prevention Systems Gary Halleen Consulting Systems Engineer II Agenda Introductions Introduction to IPS Comparing Cisco IPS Solutions IPS Deployment Considerations Migration from IPS

More information

Getting Started with Access Control Policies

Getting Started with Access Control Policies Getting Started with Control Policies The following topics describe how to start using access control policies: Introduction to Control, page 1 Managing Control Policies, page 6 Creating a Basic Control

More information

Getting Started with Network Analysis Policies

Getting Started with Network Analysis Policies The following topics describe how to get started with network analysis policies: Network Analysis Policy Basics, page 1 Managing Network Analysis Policies, page 2 Network Analysis Policy Basics Network

More information

Host Identity Sources

Host Identity Sources The following topics provide information on host identity sources: Overview: Host Data Collection, on page 1 Determining Which Host Operating Systems the System Can Detect, on page 2 Identifying Host Operating

More information

Use Cases for Firepower Threat Defense

Use Cases for Firepower Threat Defense The following topics explain some common tasks you might want to accomplish with Firepower Threat Defense using Firepower Device Manager. These use cases assume that you completed the device configuration

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.3 Original Publication: April 21, 2014 These release notes are valid for Version 5.3.0.3 of the Sourcefire 3D System. Even if you are familiar with the

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: Introduction:, page 1 Creating a Realm, page 5 Creating an Identity Policy, page 11 Creating an Identity Rule, page 15 Managing Realms, page

More information

Application Detection

Application Detection The following topics describe Firepower System application detection : Overview:, on page 1 Custom Application Detectors, on page 6 Viewing or Downloading Detector Details, on page 14 Sorting the Detector

More information

Access Control. Access Control Overview. Access Control Rules and the Default Action

Access Control. Access Control Overview. Access Control Rules and the Default Action The following topics explain access control rules. These rules control which traffic is allowed to pass through the device, and apply advanced services to the traffic, such as intrusion inspection. Overview,

More information

Configuration Import and Export

Configuration Import and Export The following topics explain how to use the Import/Export feature: About Configuration Import/Export, page 1 Exporting Configurations, page 3 Importing Configurations, page 4 About Configuration Import/Export

More information

A Deep Dive into the Firepower Manager

A Deep Dive into the Firepower Manager A Deep Dive into the Firepower Manager William Young, Security Solutions Architect willyou@cisco.com @WilliamDYoung BRKSEC-2058 Just some Security Guy William Young Security Solutions Architect, Cisco

More information

Use Cases for Firepower Threat Defense

Use Cases for Firepower Threat Defense The following topics explain some common tasks you might want to accomplish with Firepower Threat Defense using Firepower Device Manager. These use cases assume that you completed the device configuration

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

DPI-SSL. DPI-SSL Overview

DPI-SSL. DPI-SSL Overview DPI-SSL Document Scope This document describes the DPI-SSL feature available in SonicOS 5.6. This document contains the following sections: DPI-SSL Overview section on page 1 Using DPI-SSL section on page

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.2 Original Publication: April 21, 2014 Last Updated: April 25, 2016 These release notes are valid for Version 5.3.0.2 of the Sourcefire 3D System. Even

More information

Understanding HTTPS to Decrypt it

Understanding HTTPS to Decrypt it Understanding HTTPS to Decrypt it James Everett Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join

More information

The following topics describe how to configure correlation policies and rules.

The following topics describe how to configure correlation policies and rules. The following topics describe how to configure correlation policies and rules. Introduction to and Rules, page 1 Configuring, page 2 Configuring Correlation Rules, page 5 Configuring Correlation Response

More information

Access Control. Access Control Overview. Access Control Rules and the Default Action

Access Control. Access Control Overview. Access Control Rules and the Default Action The following topics explain access control rules. These rules control which traffic is allowed to pass through the device, and apply advanced services to the traffic, such as intrusion inspection. Overview,

More information

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models The following topics explain how to get started configuring Firepower Threat Defense. Is This Guide for You?, page 1 Logging Into the System, page 2 Setting Up the System, page 6 Configuration Basics,

More information

Design and Deployment of SourceFire NGIPS and NGFWL

Design and Deployment of SourceFire NGIPS and NGFWL Design and Deployment of SourceFire NGIPS and NGFWL BRKSEC - 2024 Marcel Skjald Consulting Systems Engineer Enterprise / Security Architect Abstract Overview of Session This technical session covers the

More information

Understanding Cisco Cybersecurity Fundamentals

Understanding Cisco Cybersecurity Fundamentals 210-250 Understanding Cisco Cybersecurity Fundamentals NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 210-250 Exam on Understanding Cisco

More information

Corrigendum 3. Tender Number: 10/ dated

Corrigendum 3. Tender Number: 10/ dated (A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial

More information

New Features and Functionality

New Features and Functionality This section describes the new and updated features and functionality included in Version 6.2.1. Note that only the Firepower 2100 series devices support Version 6.2.1, so new features deployed to devices

More information

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability

More information

Cisco Firepower Thread Defence. Claudiu Boar

Cisco Firepower Thread Defence. Claudiu Boar Cisco Firepower Thread Defence Claudiu Boar Security everywhere Stop threats at the edge Control who gets onto your network Find and contain problems fast Protect users wherever they work Simplify network

More information

Cisco Next Generation Firewall Services

Cisco Next Generation Firewall Services Toronto,. CA May 30 th, 2013 Cisco Next Generation Firewall Services Eric Kostlan Cisco Technical Marketing 2011 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Objectives At the

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, on page 1 Service Subscriptions for Firepower Features, on page 2 Smart Licensing for the Firepower System,

More information

Prefiltering and Prefilter Policies

Prefiltering and Prefilter Policies The following topics describe how to configure prefiltering: Introduction to Prefiltering, on page 1 Prefiltering vs Access Control, on page 2 About Prefilter Policies, on page 4 Configuring Prefiltering,

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 2 Smart Licensing for the Firepower System,

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 1 Classic Licensing for the Firepower System,

More information

Understanding Traffic Decryption

Understanding Traffic Decryption The following topics provide an overview of SSL inspection, describe the prerequisites for SSL inspection configuration, and detail deployment scenarios. Traffic Decryption Overview, page 1 SSL Handshake

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 15 Create an Identity Rule, page 15 Manage a Realm, page 20 Manage an Identity

More information

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Cisco Firepower NGFW. Anticipate, block, and respond to threats Cisco Firepower NGFW Anticipate, block, and respond to threats Digital Transformation on a Massive Scale 15B Devices Today Attack Surface 500B Devices In 2030 Threat Actors $19T Opportunity Next 10 Years

More information

Classic Device Management Basics

Classic Device Management Basics The following topics describe how to manage Classic devices (7000 and 8000 Series devices, ASA with FirePOWER Services, and NGIPSv) in the Firepower System: Remote Management Configuration, page 1 Interface

More information

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user

More information

Configuring F5 for SSL Intercept

Configuring F5 for SSL Intercept Configuring F5 for Welcome to the F5 deployment guide for configuring the BIG-IP system for SSL intercept (formerly called with Air Gap Egress Inspection). This document contains guidance on configuring

More information

Logging into the Firepower System

Logging into the Firepower System The following topics describe how to log into the Firepower System: Firepower System User Accounts, on page 1 User Interfaces in Firepower Management Center Deployments, on page 3 Logging Into the Firepower

More information

IPS Device Deployments and Configuration

IPS Device Deployments and Configuration The following topics describe how to configure your device in an IPS deployment: Introduction to IPS Device Deployment and Configuration, page 1 Passive IPS Deployments, page 1 Inline IPS Deployments,

More information

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Using TID Sources to Ingest Feed Data, page 6 Using Access Control to Publish TID Data and Generate

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!  We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-207 Title : Implementing Cisco Threat Control Solutions (SITCS) Vendor : Cisco Version : DEMO Get Latest & Valid

More information

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user

More information

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title.

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title. I n t r o d u c t i o n The CCNA Security IINS exam topics have been refreshed from version 2.0 to version 3.0. This document will highlight exam topic changes between the current 640-554 IINS exam and

More information

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Requirements for Threat Intelligence Director, page 4 How To Set Up, page 6 Analyze TID Incident

More information

Barracuda Firewall Release Notes 6.6.X

Barracuda Firewall Release Notes 6.6.X Please Read Before Upgrading Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that are more current than the version that

More information

Dissecting Firepower-FTD & Firepower-Services Design & Troubleshooting

Dissecting Firepower-FTD & Firepower-Services Design & Troubleshooting BRKSEC-3455 Dissecting Firepower-FTD & Firepower-Services Design & Troubleshooting Foster Lipkey, Technical Leader Veronika Klauzova, TAC Tech Lead Cisco Spark How Questions? Use Cisco Spark to communicate

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.2.0.2 Original Publication: October 18, 2013 Last Updated: October 18, 2013 These release notes are valid for Version 5.2.0.2 of the Sourcefire 3D System. Even

More information

Dissecting Firepower-FTD & Firepower-Services Design & Troubleshooting

Dissecting Firepower-FTD & Firepower-Services Design & Troubleshooting Dissecting Firepower-FTD & Firepower-Services Design & Troubleshooting Veronika Klauzova BRKSEC-3455 Agenda Introduction Updated FTD Packet Flow Data-Path Improvements Best Practices for Deployments Troubleshooting

More information

FP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer

FP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer FP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer Agenda Introduction The Issue of Threats Introduction to IPS Deploying IPS Operationalise IPS Q & A Objectives What will

More information

Firepower Management Center High Availability

Firepower Management Center High Availability The following topics describe how to configure Active/Standby high availability of Cisco Firepower Management Centers: About, on page 1 Establishing, on page 7 Viewing Status, on page 8 Configurations

More information

Features and Functionality

Features and Functionality Features and functionality introduced in previous versions may be superseded by new features and functionality in later versions. New or Changed Functionality in Version 6.2.2.x, page 1 Features Introduced

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 14 Create an Identity Rule, page 15 Manage a Realm, page 17 Manage an Identity

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.2.0.7 Original Publication: October 20, 2014 These release notes are valid for Version 5.2.0.7 of the Sourcefire 3D System. Even if you are familiar with the

More information

Chapter 1: Content Security

Chapter 1: Content Security Chapter 1: Content Security Cisco Cloud Web Security (CWS) Cisco offers Cisco Cloud Web Security (CWS) to protect End Stations and Users devices from infection. Cisco Cloud Web Security (CWS) depends upon

More information

Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year

Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year Firepower Next Generation Firewall Subtitle goes here William Young Security Solutions Architect, Global Security Architecture Team

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

Network Discovery Policies

Network Discovery Policies The following topics describe how to create, configure, and manage network discovery policies: Overview:, page 1 Network Discovery Customization, page 2 Network Discovery Rules, page 3 Configuring Advanced

More information

ASACAMP - ASA Lab Camp (5316)

ASACAMP - ASA Lab Camp (5316) ASACAMP - ASA Lab Camp (5316) Price: $4,595 Cisco Course v1.0 Cisco Security Appliance Software v8.0 Based on our enhanced FIREWALL and VPN courses, this exclusive, lab-based course is designed to provide

More information

AccessEnforcer Version 4.0 Features List

AccessEnforcer Version 4.0 Features List AccessEnforcer Version 4.0 Features List AccessEnforcer UTM Firewall is the simple way to secure and manage your small business network. You can choose from six hardware models, each designed to protect

More information

Agile Security Solutions

Agile Security Solutions Agile Security Solutions Piotr Linke Security Engineer CISSP CISA CRISC CISM Open Source SNORT 2 Consider these guys All were smart. All had security. All were seriously compromised. 3 The Industrialization

More information

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review ACS-3921-001/4921-001 Computer Security And Privacy Fall 2018 Mid-Term Review ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been adopted and/or modified

More information

Cisco s Appliance-based Content Security: IronPort and Web Security

Cisco s Appliance-based Content Security: IronPort  and Web Security Cisco s Appliance-based Content Security: IronPort E-mail and Web Security Hrvoje Dogan Consulting Systems Engineer, Security, Emerging Markets East 2010 Cisco and/or its affiliates. All rights reserved.

More information

Security Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems. BRKSEC-2052_c Cisco Systems, Inc. All rights reserved.

Security Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems. BRKSEC-2052_c Cisco Systems, Inc. All rights reserved. Web 2.0 Security Recommendations Ken Kaminski Security Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems 1 Agenda Reputation Services Web application security Secure Coding and Web Application

More information

The Intrusion Rules Editor

The Intrusion Rules Editor The following topics describe how to use the intrusion rules editor: An Introduction to Intrusion Rule Editing, on page 1 Rule Anatomy, on page 2 Custom Rule Creation, on page 14 Searching for Rules, on

More information

Cisco - ASA Lab Camp v9.0

Cisco - ASA Lab Camp v9.0 Cisco - ASA Lab Camp v9.0 Code: 0007 Lengt h: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment

More information

Rule Management: Common Characteristics

Rule Management: Common Characteristics The following topics describe how to manage common characteristics of rules in various policies on the Firepower Management Center: Introduction to Rules, page 1 Rule Condition Types, page 2 Searching

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.2.0.6 Original Publication: February 10, 2015 These release notes are valid for Version 5.2.0.6 of the Sourcefire 3D System. Even if you are familiar with the

More information

Clarify Firepower Threat Defense Access Control Policy Rule Actions

Clarify Firepower Threat Defense Access Control Policy Rule Actions Clarify Firepower Threat Defense Access Control Policy Rule Actions Contents Introduction Prerequisites Requirements Components Used Background Information How ACP is Deployed Configure ACP Available Actions

More information

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a laptop or desktop computer connected to the Internet. This allows mobile workers

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.28-8.3.7.6 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

The Intrusion Rules Editor

The Intrusion Rules Editor The following topics describe how to use the intrusion rules editor: An Introduction to Intrusion Rule Editing, page 1 Rule Anatomy, page 2 Custom Rule Creation, page 14 Searching for Rules, page 20 Rule

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3 Original Publication: April 21, 2014 These release notes are valid for Version 5.3 of the Sourcefire 3D System. Even if you are familiar with the update process,

More information

Configuration Import and Export

Configuration Import and Export The following topics explain how to use the Import/Export feature: About Configuration Import/Export, page 1 Exporting Configurations, page 3 Importing Configurations, page 4 About Configuration Import/Export

More information

USM Anywhere AlienApps Guide

USM Anywhere AlienApps Guide USM Anywhere AlienApps Guide Updated April 23, 2018 Copyright 2018 AlienVault. All rights reserved. AlienVault, AlienApp, AlienApps, AlienVault OSSIM, Open Threat Exchange, OTX, Unified Security Management,

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Education Services administration course The McAfee Network Security Platform Administration course from McAfee Education Services is an essential

More information

Understanding Traffic Decryption

Understanding Traffic Decryption The following topics provide an overview of SSL inspection, describe the prerequisites for SSL inspection configuration, and detail deployment scenarios. About Traffic Decryption, page 1 SSL Inspection

More information

Implementing Cisco Network Security (IINS) 3.0

Implementing Cisco Network Security (IINS) 3.0 Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.4 Original Publication: May 7, 2015 Last Updated: April 25, 2016Sourcefire-3D-System-Release-Notes-5-3-0-3 These release notes are valid for Version 5.3.0.4

More information

About Advanced Access Control Settings for Network Analysis and Intrusion Policies

About Advanced Access Control Settings for Network Analysis and Intrusion Policies Advanced Access Control Settings for Network Analysis and Intrusion Policies The following topics describe how to configure advanced settings for network analysis and intrusion policies: About Advanced

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.5 Original Publication: June 8, 2015 Last Updated: April 25, 2016 These release notes are valid for Version 5.3.0.5 of the Sourcefire 3D System. Even if

More information

DNS Policies. DNS Policy Overview. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices.

DNS Policies. DNS Policy Overview. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices. DNS Policy Overview, page 1 DNS Policy Components, page 2 DNS Rules, page 6 DNS Policy Deploy, page

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.8 Original Publication: May 2, 2016 These release notes are valid for Version 5.3.0.8 of the Sourcefire 3D System. Even if you are familiar with the update

More information

A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS

A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS DEPLOYMENT GUIDE A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS A10 NETWORKS SSL INSIGHT & FIREWALL LOAD BALANCING SOLUTION FOR SONICWALL SUPERMASSIVE NEXT GENERATION FIREWALLS OVERVIEW This document describes

More information