Advanced IPS Deployment
2 Advanced IPS Deployment Gary Halleen, Technical Solutions Architect BRKSEC-3300
3 About your Speaker Gary Halleen Technical Solutions Architect Cisco Global Security Sales Organization
4 Oregon Pacific Wonderland
5 Some of My Hobbies
6 Cisco Firepower Sessions: Building Blocks BRKSEC-2056 Threat Centric Network Security Tuesday 11:15 BRKSEC-2050 ASA Firepower NGFW typical deployment scenarios Tuesday 14:15 BRKSEC-2058 A Deep Dive into using the Firepower Manager Tuesday 16:45 BRKSEC-3032 NGFW Clustering Deep Dive Wednesday 9:00 BRKSEC-3035 Firepower Platform Deep Dive Thursday 9:00 BRKSEC-3455 Dissecting Firepower NGFW (FTD+FPS) Friday 9:00 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 6
7 Agenda IPS Deployment Modes Policy Interaction and Firepower Recommendations Importing Snort Rules Bypass Options Asymmetric Traffic OpenAppID Using Security Intelligence to Improve IPS SSL Inspection for IPS
8 Introduction: This session covers Firepower 6.x, managed with Firepower Management Center (FMC).
9 Introduction: For the purposes of this session, all of these terms have the same meaning: Firepower, Firepower Threat Defense, ASA with Firepower Services, Firepower AMP. Some slides are included as reference only (marked "For Your Reference") and will be covered lightly unless there are questions.
10 Agenda (section: IPS Deployment Modes)
11 Firepower: Traditional Firepower appliances run Firepower software. Examples: FP-7050, FP-7125, FP-8130, FP-8250, FP-8370, Firepower Virtual IPS.
12 ASA with Firepower Services: ASA with Firepower Services uses traditional ASA software plus a hardware or virtual IPS module running Firepower software. Often referred to as ASA+SFR. Examples: ASA-5506-X, ASA-5545-X, ASA-5585-X.
13 Firepower Threat Defense: Firepower Threat Defense (FTD) software combines ASA and Firepower features into a single software image. It is available on the newer Firepower appliances and most ASA-5500-X models. Examples: ASA-5506-X, ASA-5545-X, FP-2100, FP-4100, FP-9300, NGFWv. NOT the ASA-5585-X.
14 Routed / Transparent Mode (Firepower Threat Defense): The appliance is installed in either Routed or Transparent mode; this is a global setting. Routed: interfaces belong to different L3 networks and the appliance routes between them. Transparent: interfaces belong to different L2 segments (different VLANs) on the same L3 network and the appliance bridges them.
15 Passive Mode (Firepower Threat Defense, Firepower, ASA with Firepower Services): A promiscuous interface receives copies of traffic from a SPAN port or TAP. Because it only sees copies, it can detect but never block. Passive interfaces are available regardless of whether the appliance is installed in Transparent or Routed mode.
16 Inline Pair Mode (Firepower Threat Defense or Firepower): Traffic passes from one member interface to the other without changing either VLAN or L3 network (VLAN 10 in, VLAN 10 out); the pair functions as a smart wire. Inline Pairs are available regardless of whether the appliance is installed in Transparent or Routed mode. The member interfaces can also be 802.1q trunks.
17 Inline Set (Firepower Threat Defense or Firepower): A grouping of one or more Inline Pairs.
18 Inline TAP (Firepower Threat Defense or Firepower): Traffic passes from one member interface to the other without changing either VLAN or L3 network, exactly as in an Inline Pair, but as it passes it is only copied to the inspection engine, so it cannot be blocked. Inline TAP is available regardless of whether the appliance is installed in Transparent or Routed mode.
19 Agenda (section: Policy Interaction and Firepower Recommendations)
20 Firepower Policies: Access Control, Intrusion, Malware & File, DNS, Identity, SSL, Prefilter, Network Discovery, Network Analysis, Correlation, Health.
21 Policy Order of Operation: Prefilter (FTD only) -> SSL -> Identity -> DNS -> Access Control -> Intrusion -> File.
22 Intrusion Policy: The Intrusion Policy defines which Snort rules are used in packet inspection, as well as the configuration of the preprocessors.
24 Intrusion Policy: Understanding the Connectivity Over Security base policy. Rules enabled: CVSS score 10; vulnerability age: current year and 2 prior years (2017, 2016, and 2015).
25 Intrusion Policy: Understanding the Balanced Security and Connectivity base policy. Rules enabled: CVSS score 9 and greater; vulnerability age: current year and 2 prior years (2017, 2016, and 2015); plus the rule categories Malware-CNC, Blacklist, SQL Injection, Exploit-Kit.
26 Intrusion Policy: Understanding the Security Over Connectivity base policy. Rules enabled: CVSS score 8 and greater; vulnerability age: current year and 3 prior years (2017, 2016, 2015, and 2014); plus the rule categories Malware-CNC, Blacklist, SQL Injection, Exploit-Kit, App-Detect.
27 Intrusion Policy: Understanding the Maximum Detection base policy. Rules enabled: CVSS score 7.5 and greater; vulnerability age: 2005 and later; plus the rule categories Malware-CNC, Exploit-Kit. The Maximum Detection policy favors detection over rated throughput; in some situations it can and will cause significant throughput reductions. Cisco Talos continues to recommend the Balanced Security and Connectivity policy for most networks, and the Security Over Connectivity policy for customers with more rigorous security requirements.
28 Intrusion Policy: You can manually enable or disable individual rules, or set the per-rule action (Generate Events, or Drop and Generate Events for an inline deployment).
29 Intrusion Policy: There are several ways to search for rules (for example by SID, by message text, by category, or by a CVE reference).
31 Network Discovery Policy: The Network Discovery Policy identifies which networks Firepower should learn hosts, applications and users from. This is useful for application awareness, and especially for maintaining the Firepower Recommended Rules in the Intrusion Policy.
32 Intrusion Policy and Network Discovery Policy: Firepower Recommended Rules automatically tunes your Snort rules for the applications, servers, and hosts discovered on your network.
33 Intrusion Policy and Network Discovery Policy: If you want a different Intrusion Policy for particular areas of your network, you can define those networks here.
36 Access Control Policy: Traffic must match a rule (or the Default Action) in the Access Control Policy in order to be inspected. For a simple IPS deployment, you can use the Default Action with an Intrusion Policy attached.
37 Access Control Policy: In an NGFW deployment, the Default Action will likely be Block All Traffic. An Intrusion Policy then needs to be defined for each Allow action, otherwise the traffic that rule permits is not inspected.
38 Access Control Policy: If needed, different Allow rules can have different Intrusion Policies assigned.
39 Agenda (section: Importing Snort Rules)
40 Snort Rules: All Firepower intrusion rules are Snort rules. Cisco provides regular rule updates, and these are typically applied automatically. Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion Rules -> Create Rule), or imported from a file.
41 Snort Rules, requirements for import:
1. Each Snort rule MUST be on a single line, with no special characters (such as smart quotes pasted from a web page), in ASCII or UTF-8 format.
2. The import file can contain many rules, as long as there is one rule per line.
3. Many of the Emerging Threats rules use deprecated syntax (the threshold statement). If you are importing ET rules, you will need to correct or remove those rules first. threshold has been replaced with detection_filter.
4. A rule SHOULD NOT carry a SID (FMC assigns one from the local range), but a SID is allowed.
Example, all on ONE line:
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid: ; rev:2;)
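The four requirements above are easy to check mechanically before you hand a file to the importer, and it is far less painful than reading the Rule Update Log after a failed import. The following Python script is an added example, not code from the deck or from Cisco: it folds backslash-continued rules onto one line, rejects rules with non-ASCII characters or the deprecated threshold keyword, and strips hard-coded SIDs so FMC assigns local ones. The sample rule text is constructed for the demonstration.

```python
"""Pre-flight checks for a Snort rule file before importing it into FMC.

Added example, not code from the deck. It enforces the four requirements
on the slide: one rule per line, plain ASCII, no deprecated `threshold`
keyword, and (optionally) no hard-coded SID so FMC assigns a local one.
"""
import re

THRESHOLD_RE = re.compile(r'\bthreshold\s*:')
SID_RE = re.compile(r'\bsid\s*:\s*\d+\s*;\s*')
ACTION_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s')

# Constructed sample input. Rule 1 is split across two lines with a
# trailing backslash, rule 2 uses the deprecated threshold keyword, rule 3
# was pasted with smart quotes, rule 4 is already import-ready.
SAMPLE_RULE_FILE = r'''
# comments and blank lines are ignored
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE split rule"; \
    flow:established,to_server; content:"Havij"; http_header; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh guessing"; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:2000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:“EXAMPLE smart quotes”; content:"foo"; sid:2000003; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE ready"; content:"bar"; detection_filter:track by_src, count 5, seconds 60; rev:1;)
'''


def join_rules(text):
    """Return one string per rule.

    Snort itself accepts a trailing backslash as a line continuation; the
    FMC importer wants each rule on one line, so continued lines are folded
    back together here. Blank lines and '#' comments are dropped.
    """
    rules, pending = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + ' ' + line
            pending = ''
        elif not line or line.startswith('#'):
            continue
        if line.endswith('\\'):
            pending = line[:-1].rstrip()
            continue
        rules.append(line)
    if pending:
        rules.append(pending)
    return rules


def lint_rule(rule):
    """List the problems that would make FMC reject or mis-handle the rule."""
    problems = []
    if not ACTION_RE.match(rule):
        problems.append('does not start with a rule action')
    if not rule.isascii():
        bad = sorted({c for c in rule if not c.isascii()})
        problems.append('non-ASCII characters: ' + ' '.join(repr(c) for c in bad))
    if THRESHOLD_RE.search(rule):
        problems.append('deprecated threshold keyword: rewrite with detection_filter or drop the rule')
    if not rule.endswith(')'):
        problems.append('rule options are not closed with ")"')
    return problems


def strip_sid(rule):
    """Remove a hard-coded sid so FMC assigns one from the local range."""
    return SID_RE.sub('', rule)


def prepare_for_import(text, strip_sids=True):
    """Split text into (import_ready_rules, {rejected_rule: [problems]})."""
    ready, rejected = [], {}
    for rule in join_rules(text):
        problems = lint_rule(rule)
        if problems:
            rejected[rule] = problems
        else:
            ready.append(strip_sid(rule) if strip_sids else rule)
    return ready, rejected


if __name__ == '__main__':
    ok, bad = prepare_for_import(SAMPLE_RULE_FILE)
    print('\n'.join(ok))            # save this output as the file you import
    for rule, why in bad.items():
        print('REJECTED:', rule[:50], '...', '; '.join(why))
```

Rules flagged for the threshold keyword are deliberately dropped rather than rewritten: threshold's type limit has no rule-level equivalent in detection_filter, so the conversion has to be a human decision, which is exactly what the slide says (correct or remove).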
42 Importing Snort Rules: Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules and click Import Rules.
43 Importing Snort Rules: Click Browse to locate your file, then click Import.
44 Importing Snort Rules: If successful, you will see a screen showing what has been imported. If unsuccessful, the Rule Update Log will tell you what was wrong with the file. SID numbers fall into separate ranges for Cisco rules, Emerging Threats rules, and local (imported) rules.
45 Enabling Snort Rules: Remember, all imported rules are disabled by default. You need to enable them in your Intrusion Policy (and deploy) before they inspect anything.
46 Agenda (section: Bypass Options)
47 Bypass Options:
- Fail-to-Wire Interfaces: bypass traffic upon appliance failure, including loss of power.
- Automatic Application Bypass: restarts the Snort processes upon degraded performance.
- Intelligent Application Bypass: application-specific acceleration of defined applications if performance is degraded.
- Trust Rules: accelerate defined traffic but still apply Security Intelligence.
- Prefilter Policy: bypass deep inspection and Security Intelligence based on Port / Protocol / IP Address / Zone.
48 Fail to Wire Interfaces: Fail-to-Wire interfaces (for example via a fail-to-wire NetMod) allow pass-through of traffic in case of appliance failure or loss of power. Available on FP-9300, FP-4100, FP-2100, and the FP-7000, 7100, 8100, 8200 and 8300 IPS appliances. Fail-to-Wire requires an Inline Set, Inline Pair, or Inline TAP deployment.
49 Automatic Application Bypass: Detects Snort failures or degraded performance (by default, a packet that takes more than 3000 ms to inspect) and triggers a restart of all Snort processes, which briefly interrupts inspection. Disabled by default.
50 Intelligent Application Bypass: Detects degraded performance within an application. If that application is trusted, you can configure IAB to automatically bypass inspection for it and accelerate the traffic.
52 Trust Rules: Within the Access Control Policy, defined traffic can be exempted from File and IPS inspection, which accelerates it through the appliance. Basing the rule on source/destination port and IP addresses is most effective, because the traffic is trusted as soon as it matches rather than after application identification. Security Intelligence is still applied to traffic matching Trust rules.
53 Prefilter Policy: Prefilter rules are processed before the SSL, Identity, Access Control and Intrusion policies. If traffic can be defined by Zone, Network, and Port (similar to an ASA rule), it can be Fastpathed. This is similar to a Trust rule, except that Security Intelligence is not applied either. Prefilter rules require Firepower Threat Defense.
54 Agenda (section: Asymmetric Traffic)
55 The Problem with Asymmetric Traffic: Asymmetric traffic flows prevent a security device from seeing the full conversation, so stateful inspection (stream reassembly, the flow keyword, file inspection) degrades and the device may pass or drop traffic it cannot reconstruct. For best results, design your network to force symmetry.
56 Clustering: If you are using Firepower Threat Defense (FTD) or ASA with Firepower Services (ASA+SFR), Inter-Chassis Clustering is a great option. Clustering enables multiple security appliances to function as a single device and supports asymmetric traffic flows (packets are forwarded to the unit that owns the flow), while also providing N+1 redundancy. FTD supports Inter-Chassis Clustering in 6.2 and later software, on FP-4100 and FP-9300 appliances.
57 Agenda (section: OpenAppID)
58 OpenAppID: Cisco's open-source application-layer plugin for Snort and Firepower. OpenAppID uses the Lua programming language to identify applications. Attributes it can look at include: ASCII or hex patterns at an offset; HTTP User-Agent; HTTP URL; HTTP Content-Type; SSL Host; SSL Organizational Unit; SSL Common Name; SIP Server; SIP User-Agent; RTMP URL pattern.
59 OpenAppID: Most internal Firepower application detectors are included in the Snort OpenAppID rules, including the Lua source code.
60 OpenAppID: Application Coverage website. Visit this public site to find information about existing Firepower application detectors.
61 OpenAppID within Firepower, Application Detectors: All application detectors in Firepower 6.0 and later use OpenAppID. Custom application detectors can be created here as well.
62 OpenAppID within Firepower, Basic Application Detectors: FMC provides a wizard for creating Basic detectors. Advanced detectors require you to upload the Lua file.
63 OpenAppID within Firepower, Advanced Application Detectors (For Your Reference).
64 OpenAppID Example with Intrusion Policy
65 OpenAppID and the Intrusion Policy, An Example: A lot of noise is created in the intrusion logs of any IDS/IPS product by automated scripts searching for vulnerable systems and trying generic attacks. Illustration (fictional scanner output from the slide):
    [blkh4t@wd40 ~]$ hackerw3bscan v
    Ports open: tcp/80, tcp/443
    Server: apache
    Vulnerabilities found: CVE SSL Bypass, CVE HTTP2 DOS
66 OpenAppID and the Intrusion Policy, An Example: These scans or attacks against your IP addresses may or may not be successfully blocked by your IPS devices; either way they generate noise in your logs. Question: Is there a legitimate reason for Internet users to access your server(s) by IP address instead of FQDN?
67 OpenAppID and the Intrusion Policy, An Example: The goal: block all web traffic that targets an IP address rather than the correct hostname, and use the Intrusion Policy to inspect only the legitimate traffic. To the same scanner the result looks like this:
    [blkh4t@wd40 ~]$ hackerw3bscan v
    No web server found!
68 Creating the Custom Detector, step 1: From the Application Detectors screen, click the button to Create Custom Detector.
69 Creating the Custom Detector, step 2: Click the Add button.
70 Creating the Custom Detector, steps 3-4: Complete the required fields to name your custom application, then click OK.
71 Creating the Custom Detector, steps 5-7: Enter the same Name and Description as in the previous step, and select the Application you just created from the pull-down menu. Leave the Detector Type as Basic. Click OK.
72 Creating the Custom Detector, step 8: Click Add to add Detection Patterns. This is where we define what the application looks like to Firepower.
73 Creating the Custom Detector, steps 9-11: Select HTTP from the Protocol pull-down menu and URL as the Type. Enter your domain name. Click OK.
74 Creating the Custom Detector, steps 12-13: Repeat the process to add the SSL information (the SSL Host pattern for the same domain). Click OK.
75 Creating the Custom Detector, step 14: Click Save. Remember: Basic detectors perform an OR operation across their Detection Patterns. In this example, any HTTP or HTTPS connection destined to *.zenbango.com will trigger the detector.
76 Activating the Custom Detector, steps 15-16: You can find your application detector by selecting the Custom type in the Filters. The new detector will not function until it is activated by clicking the State slider. WARNING: activating or deactivating any detector triggers your appliances to restart Snort, which will potentially disrupt network traffic, so do it in a change window.
77 Assigning the Custom Detector to the Access Control and Intrusion Policy, step 17: Tie it all together with an Allow rule (with an Intrusion Policy assigned) for traffic matching the new application, and block all other traffic.
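The detector built in the steps above keys on two things the client sends before any payload: the HTTP Host header (the URL pattern) and the TLS server_name extension (the SSL Host pattern). The Python below is an added example, not code from the deck and not OpenAppID Lua; it extracts both fields from constructed first packets and applies the same OR-of-patterns decision, so you can see why a scanner that hits the address directly (Host header set to the IP, or a ClientHello with no SNI) never matches the detector and falls through to the block rule. The domain is the slide's zenbango.com; the addresses and the .example look-alike are reserved documentation values.

```python
"""What the custom detector keys on, shown at the packet level.

Added example; not code from the deck and not OpenAppID Lua. It pulls the
Host header out of a plaintext HTTP request and the SNI out of a TLS
ClientHello, then applies the Basic detector's OR-of-patterns decision:
traffic addressed to *.zenbango.com is "our application", traffic addressed
by bare IP (or carrying no name at all) is not. Payloads are constructed.
"""
import ipaddress
import struct

DOMAIN = 'zenbango.com'          # the domain used on the slides


def http_host(request):
    """Return the Host header of an HTTP/1.x request (port stripped), or None."""
    head = request.split(b'\r\n\r\n', 1)[0]
    for line in head.split(b'\r\n')[1:]:
        name, sep, value = line.partition(b':')
        if sep and name.strip().lower() == b'host':
            host = value.strip().decode('ascii', 'replace')
            if host.startswith('['):                       # [IPv6]:port
                return host[1:host.find(']')]
            return host.rsplit(':', 1)[0] if host.count(':') == 1 else host
    return None


def tls_sni(record):
    """Return the server_name from a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:        # handshake / ClientHello
            return None
        hs = record[5:]
        pos = 4 + 2 + 32                                   # hs header, version, random
        pos += 1 + hs[pos]                                 # session id
        pos += 2 + struct.unpack('!H', hs[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hs[pos]                                 # compression methods
        if pos + 2 > len(hs):
            return None                                    # no extensions block
        end = pos + 2 + struct.unpack('!H', hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack('!HH', hs[pos:pos + 4])
            pos += 4
            if ext_type == 0:                              # server_name extension
                # list length (2), name type (1), name length (2), name
                name_len = struct.unpack('!H', hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode('ascii', 'replace')
            pos += ext_len
    except (IndexError, struct.error):
        pass
    return None


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello (test input, not real traffic)."""
    exts = b''
    if server_name is not None:
        name = server_name.encode('ascii')
        sni = struct.pack('!BH', 0, len(name)) + name
        sni = struct.pack('!H', len(sni)) + sni
        exts = struct.pack('!HH', 0, len(sni)) + sni
    body = (b'\x03\x03' + b'\x11' * 32                     # version, random
            + b'\x00'                                      # empty session id
            + struct.pack('!H', 2) + b'\xc0\x2f'           # one cipher suite
            + b'\x01\x00'                                  # null compression
            + struct.pack('!H', len(exts)) + exts)
    hs = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs


def is_our_application(host):
    """Mirror the Basic detector: match only when addressed by a name under DOMAIN."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                                       # bare IP literal
    except ValueError:
        pass
    host = host.lower().rstrip('.')
    return host == DOMAIN or host.endswith('.' + DOMAIN)


def classify_flow(payload):
    """Return (name the client asked for, whether the detector would match)."""
    host = tls_sni(payload) if payload[:1] == b'\x16' else http_host(payload)
    return host, is_our_application(host)


# Constructed first-packet payloads; 203.0.113.0/24 and .example are reserved.
FLOWS = {
    'browser, by name':   b'GET / HTTP/1.1\r\nHost: www.zenbango.com\r\n\r\n',
    'scanner, by IP':     b'GET / HTTP/1.1\r\nHost: 203.0.113.10\r\nUser-Agent: hackerw3bscan\r\n\r\n',
    'TLS with SNI':       build_client_hello('shop.zenbango.com'),
    'TLS without SNI':    build_client_hello(),
    'look-alike domain':  b'GET / HTTP/1.1\r\nHost: zenbango.com.evil.example\r\n\r\n',
}

if __name__ == '__main__':
    for label, payload in FLOWS.items():
        host, ours = classify_flow(payload)
        print(f'{label:18s} {host!r:30s} -> {"ALLOW + IPS" if ours else "BLOCK"}')
```

The look-alike case is the one to remember when you write the pattern: a suffix match on the domain is not the same as matching a domain label, which is why the check above anchors on ".zenbango.com" and the apex rather than on the substring.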
78 OpenAppID and the Intrusion Policy: Effectiveness.
81 Agenda (section: Using Security Intelligence to Improve IPS)
82 Security Intelligence Refresher: Security Intelligence (SI) refers to the ability to use data feeds to identify IP addresses, URLs, and DNS names that act maliciously. In Firepower, SI is commonly used to block hosts known to attack others, as well as hosts known to host malware. Can SI be used to enhance the effectiveness of an IPS?
83 Security Intelligence Feeds (For Your Reference): Some of the built-in SI feeds. The same categories exist for all three object types.
- IP Address feeds: Attackers, Bogon, Bots, CnC, Dga, ExploitKit, Malware, Open_proxy, Open_relay, Phishing, Response, Spam, Suspicious, Tor_exit_node
- URL feeds: URL Attackers, URL Bogon, URL Bots, URL CnC, URL Dga, URL Exploitkit, URL Malware, URL Open_proxy, URL Open_relay, URL Phishing, URL Response, URL Spam, URL Suspicious, URL Tor_exit_node
- DNS feeds: DNS Attackers, DNS Bogon, DNS Bots, DNS CnC, DNS Dga, DNS Exploitkit, DNS Malware, DNS Open_proxy, DNS Open_relay, DNS Phishing, DNS Response, DNS Spam, DNS Suspicious, DNS Tor_exit_node
84 Security Intelligence Example
85 Security Intelligence Custom Feed, An Example: A publicly exposed SSH server will be continuously probed for weaknesses and subjected to brute-force login attempts. Let's use the failed login attempts to build our own SI feed. Attacker side, as shown on the slide:
    [blkh4t@wd40 ~]$ ncrack zenbango.com:22
    Starting Ncrack 0.5 ( ) at :42 PST
Server side, /var/log/secure on the SSH server (source addresses elided):
    Jan 9 15:42:50 www unix_chkpwd[28658]: password check failed for user (root)
    Jan 9 15:42:57 www unix_chkpwd[28680]: password check failed for user (root)
    Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from
    Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from
    Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don)
    Jan 9 15:43:25 www unix_chkpwd[28887]: password check failed for user (rich)
    Jan 9 15:43:31 www unix_chkpwd[28922]: password check failed for user (gary)
    Jan 9 15:44:33 www unix_chkpwd[29302]: password check failed for user (daemon)
    Jan 9 15:44:38 www unix_chkpwd[29341]: password check failed for user (kim)
    Jan 9 15:45:44 www unix_chkpwd[29737]: password check failed for user (operator)
    Jan 9 15:45:52 www sshd[10694]: Invalid user dan from
    Jan 9 15:45:54 www unix_chkpwd[29797]: password check failed for user (root)
    Jan 9 15:46:02 www unix_chkpwd[29842]: password check failed for user (mail)
    Jan 9 15:46:09 www unix_chkpwd[29878]: password check failed for user (nobody)
    Jan 9 15:46:31 www unix_chkpwd[30019]: password check failed for user (rich)
    Jan 9 15:46:31 www unix_chkpwd[30020]: password check failed for user (don)
    Jan 9 15:46:38 www unix_chkpwd[30065]: password check failed for user (gary)
86 Security Intelligence Custom Feed, An Example: The goal: create your own Security Intelligence feed to block hosts that attempt to log in to your SSH server and fail authentication multiple times. Because SI is evaluated in the Access Control Policy, the resulting block protects every host behind the Firepower device, not only the SSH server that observed the attempts.
87 Security Intelligence Custom Feed, Prerequisites, step 1: Configure the target (a honeypot, or a real SSH server) with the desired services installed, hardened, and logged. A number of tools can dynamically block or log connection and authentication attempts; two that work well are fail2ban and denyhosts.
88 Security Intelligence Custom Feed, Prepare the Target, step 2: In this example we use denyhosts to dynamically block SSH sources after repeated failed logins (6 attempts against non-existent users, 10 against valid users, and a single attempt against root, per the thresholds below). Pertinent sections of /etc/denyhosts.conf:
    SECURE_LOG = /var/log/secure
    HOSTS_DENY = /etc/hosts.deny
    PURGE_DENY = 4w
    BLOCK_SERVICE = ALL
    DENY_THRESHOLD_INVALID = 6
    DENY_THRESHOLD_VALID = 10
    DENY_THRESHOLD_ROOT = 1
    RESET_ON_SUCCESS = yes
89 Security Intelligence Custom Feed, Prepare the Target, steps 3-4: Create a script to parse the blocked IP addresses from denyhosts' state file. /var/lib/denyhosts/hosts-restricted has one entry per line in the form address:count:timestamp (addresses elided here):
    :0:Sat Oct 22 06:08:
    :0:Wed Oct 19 07:30:
    :0:Fri Oct 21 13:53:
    :0:Wed Oct 19 07:31:
    :0:Wed Oct 19 07:31:
The output file should be in a directory served by your web server; consider placing it on a different server. Use your favorite scripting language to parse the addresses. This Bash script (the slide's one-liner with its pipes restored) works:
    #!/bin/bash
    # Regex for your own address space. The value used on the slide did not
    # survive transcription; set it before running (placeholder, not the original).
    INTERNAL_NET="${INTERNAL_NET:?set INTERNAL_NET to a pattern matching your internal addresses}"
    awk '{print $1}' /var/lib/denyhosts/hosts-restricted \
      | cut -d : -f 1 \
      | grep -v -- "$INTERNAL_NET" \
      | sort -u > /var/www/html/sshblock.txt
The inverse match (grep -v) excludes source addresses that match my internal network. You might want to modify or remove this section.
90 Security Intelligence Custom Feed, Prepare the Target, steps 5-6: Generate some SSH traffic, with failed logins, to make sure you are capturing the addresses. Be careful: denyhosts will by default ban your own IP address in hosts.deny, so you need to know how to clear the blocks. This is a useful site: (link shown on the slide). Then make sure your script (from step 4) runs on a regular basis, via a cron job every few minutes or so. If everything works well, /var/www/html/sshblock.txt should contain one IP address per line.
91 Security Intelligence Custom Feed, Prepare the Target, step 7: Verify you can download the file with a web browser. It is a good idea to host the file on a server reachable internally only, rather than one accessible to the outside world.
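The one-liner in step 4 publishes whatever denyhosts has recorded, which has two sharp edges once the file is feeding a blacklist for your whole perimeter: an internal address that trips the threshold gets blacklisted everywhere, and entries linger until denyhosts purges them. The Python below is an added example, not the deck's script: it does the same job as steps 3 to 6 with those edges handled, validating each address, dropping your own ranges, dropping entries older than PURGE_DENY, and writing the one-address-per-line file FMC expects. The sample state-file lines are constructed; the internal ranges are placeholders; the timestamp layout is assumed from denyhosts' default.

```python
"""Publish denyhosts' block list as a Security Intelligence feed file.

Added example, not code from the slides. It reads the address:count:timestamp
lines denyhosts writes, drops entries from your own address space, drops
entries older than the purge window, validates every address and writes
one address per line, the format FMC expects for a Network feed. The
sample lines are constructed, and the timestamp layout is assumed from
denyhosts' default ("Sat Oct 22 06:08:15 2016").
"""
import ipaddress
from datetime import datetime, timedelta

# Placeholders standing in for the internal range filtered on the slide.
INTERNAL_NETS = [ipaddress.ip_network('10.0.0.0/8'),
                 ipaddress.ip_network('172.16.0.0/12')]
PURGE_DENY = timedelta(weeks=4)          # mirrors PURGE_DENY = 4w in denyhosts.conf
TIME_FMT = '%a %b %d %H:%M:%S %Y'
FEED_PATH = '/var/www/html/sshblock.txt'

SAMPLE_HOSTS_RESTRICTED = """\
198.51.100.7:0:Sat Oct 22 06:08:15 2016
198.51.100.7:0:Sat Oct 22 06:09:01 2016
203.0.113.44:0:Wed Oct 19 07:30:41 2016
10.1.2.3:0:Fri Oct 21 13:53:09 2016
not-an-address:0:Wed Oct 19 07:31:00 2016
203.0.113.9:0:Wed Aug 10 07:31:22 2016
"""
SAMPLE_NOW = datetime(2016, 10, 22, 12, 0, 0)   # fixed "now" for the sample


def parse_entry(line):
    """Return (ip, blocked_at) for one denyhosts line, or None if unusable."""
    parts = line.strip().split(':', 2)       # denyhosts records IPv4 only
    if len(parts) != 3:
        return None
    try:
        return ipaddress.ip_address(parts[0]), datetime.strptime(parts[2].strip(), TIME_FMT)
    except ValueError:                       # bad address or bad timestamp
        return None


def build_feed(text, now, internal_nets=INTERNAL_NETS, max_age=PURGE_DENY):
    """Return the sorted, de-duplicated addresses that belong in the feed."""
    keep = set()
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        ip, when = entry
        if now - when > max_age:
            continue                         # stale; denyhosts would purge it too
        if any(ip in net for net in internal_nets):
            continue                         # never blacklist your own space
        keep.add(ip)
    return sorted(keep, key=lambda a: (a.version, int(a)))


def write_feed(path, addresses):
    """Write one address per line, which is what the FMC feed importer reads."""
    with open(path, 'w') as fh:
        fh.writelines(f'{a}\n' for a in addresses)


if __name__ == '__main__':
    # In the cron job, read /var/lib/denyhosts/hosts-restricted, pass
    # datetime.now() and call write_feed(FEED_PATH, ...).
    for addr in build_feed(SAMPLE_HOSTS_RESTRICTED, SAMPLE_NOW):
        print(addr)
```

Ageing entries out locally matters because FMC re-downloads the whole file on every refresh: an address stays blacklisted exactly as long as it appears in the file, so the file, not the FMC, is where the expiry policy lives.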
92 Security Intelligence Custom Feed, Create the Feed, step 8: On Firepower Management Center (FMC), navigate to Objects -> Security Intelligence -> Network Lists and Feeds. Click Add Network Lists and Feeds in the upper right corner.
93 Security Intelligence Custom Feed, Create the Feed, step 9: Select Feed, and populate the URL and Update Frequency. In the current software release, the update interval can be no shorter than every 30 minutes. Click Save.
94 Security Intelligence Custom Feed, Create the Feed, step 10: In your Access Control Policy, open the Security Intelligence tab and add the new feed (SSH-Blacklist in this example) to the Blacklist.
95 Security Intelligence Custom Feed, Create the Feed, step 11: Verify the blocks are occurring; in the connection events the Security Intelligence Category shows SSH-Blacklist as the reason for the block. The blocks protect ALL hosts behind the Firepower device, not just the one running denyhosts.
96 Security Intelligence Example 2
97 Security Intelligence Custom Feed, Summary (For Your Reference): Security Intelligence is a great way to automate blocking of sources and destinations, whether IP-based or DNS/URL. Some useful feeds you might consider: Cisco Talos IP Blacklist; Malc0de Blacklist; SANS Suspicious Domains (High, Medium and Low Sensitivity lists).
98 Custom Security Intelligence Feed, Example: SANS Suspicious Domains.
99 Cisco Threat Intelligence Director (CTID): Uses your own threat intelligence to identify threats; automatically blocks supported indicators on Cisco NGFW; provides a single integration point for all STIX and CSV intelligence sources.
100 Agenda (section: SSL Inspection for IPS)
101 SSL Inspection: SSL-encrypted traffic can be inspected by decrypting it. Decryption can occur off-box, on a dedicated SSL appliance, or on-box, within the Firepower software. This session focuses on on-box decryption of inbound traffic. Inbound traffic (to your own servers) is decrypted by installing the server's SSL certificate and private key on the appliance (Decrypt - Known Key). Outbound traffic (your users to the Internet) is decrypted by installing an internal CA certificate that your clients trust, which the appliance uses to re-sign server certificates: a deliberate man-in-the-middle of your users' SSL sessions (Decrypt - Resign). Caveat: with an RSA key exchange the server's private key recovers the session keys, but with a forward-secret exchange (DHE/ECDHE) it does not, so for those sessions the appliance must be inline and take part in the handshake; a passive copy of the traffic cannot be decrypted.
102 SSL Inspection with Known Key, Example: You need both the host's private key and its certificate (.crt file). Go to Objects -> PKI -> Internal Certs to add the certificate and key for the host. The appliance now holds a copy of the server's private key, so protect FMC access and backups accordingly.
103 SSL Inspection with Known Key, Example: Create an SSL Policy with a Decrypt - Known Key rule for the associated host, using this internal certificate. Once this is complete, attach the SSL Policy to the Access Control Policy (Advanced tab).
104 SSL Inspection Caveat! I recommend NOT performing SSL inspection on an ASA with Firepower Services if the ASA is also performing NAT. The Access Control Policy configuration is difficult in the current version of the software.
106 Complete Your Online Session Evaluation: Please complete your online session evaluations after each session. Complete 4 session evaluations and the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations. Don't forget: Cisco Live sessions will be available for viewing on demand after the event at CiscoLive.com/Online.
107 Continue Your Education: Demos in the Cisco campus; Walk-in Self-Paced Labs; Lunch & Learn; Meet the Engineer 1:1 meetings; Related sessions.
108 Q & A
109 Thank You
More informationCisco Firepower NGFW. Anticipate, block, and respond to threats
Cisco Firepower NGFW Anticipate, block, and respond to threats You have a mandate to build and secure a network that supports ongoing innovation Mobile access Social collaboration Public / private hybrid
More informationThe following topics describe how to manage various policies on the Firepower Management Center:
The following topics describe how to manage various policies on the Firepower Management Center: Policy Deployment, page 1 Policy Comparison, page 11 Policy Reports, page 12 Out-of-Date Policies, page
More informationAccess Control Using Intrusion and File Policies
The following topics describe how to configure access control policies to use intrusion and file policies: About Deep Inspection, page 1 Access Control Traffic Handling, page 2 File and Intrusion Inspection
More informationConnection Logging. Introduction to Connection Logging
The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections
More informationConnection Logging. About Connection Logging
The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: About, page 1 Strategies, page 2 Logging Decryptable Connections with SSL
More informationThis document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).
Contents Introduction Prerequisites Requirements Components Used Background Information Outbound SSL Decryption Inbound SSL Decryption Configuration for SSL Decryption Outbound SSL decryption (Decrypt
More informationDevice Management Basics
The following topics describe how to manage devices in the Firepower System: The Device Management Page, page 1 Remote Management Configuration, page 2 Adding Devices to the Firepower Management Center,
More informationPass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS
Pass4sure.500-285.42q Number: 500-285 Passing Score: 800 Time Limit: 120 min File Version: 6.1 Cisco 500-285 Securing Cisco Networks with Sourcefire IPS I'm quite happy to announce that I passed 500-285
More informationUser Identity Sources
The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, page 1 The User
More informationDeploying Intrusion Prevention Systems
Deploying Intrusion Prevention Systems Gary Halleen Consulting Systems Engineer II Agenda Introductions Introduction to IPS Comparing Cisco IPS Solutions IPS Deployment Considerations Migration from IPS
More informationGetting Started with Access Control Policies
Getting Started with Control Policies The following topics describe how to start using access control policies: Introduction to Control, page 1 Managing Control Policies, page 6 Creating a Basic Control
More informationGetting Started with Network Analysis Policies
The following topics describe how to get started with network analysis policies: Network Analysis Policy Basics, page 1 Managing Network Analysis Policies, page 2 Network Analysis Policy Basics Network
More informationHost Identity Sources
The following topics provide information on host identity sources: Overview: Host Data Collection, on page 1 Determining Which Host Operating Systems the System Can Detect, on page 2 Identifying Host Operating
More informationUse Cases for Firepower Threat Defense
The following topics explain some common tasks you might want to accomplish with Firepower Threat Defense using Firepower Device Manager. These use cases assume that you completed the device configuration
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.3 Original Publication: April 21, 2014 These release notes are valid for Version 5.3.0.3 of the Sourcefire 3D System. Even if you are familiar with the
More informationRealms and Identity Policies
The following topics describe realms and identity policies: Introduction:, page 1 Creating a Realm, page 5 Creating an Identity Policy, page 11 Creating an Identity Rule, page 15 Managing Realms, page
More informationApplication Detection
The following topics describe Firepower System application detection : Overview:, on page 1 Custom Application Detectors, on page 6 Viewing or Downloading Detector Details, on page 14 Sorting the Detector
More informationAccess Control. Access Control Overview. Access Control Rules and the Default Action
The following topics explain access control rules. These rules control which traffic is allowed to pass through the device, and apply advanced services to the traffic, such as intrusion inspection. Overview,
More informationConfiguration Import and Export
The following topics explain how to use the Import/Export feature: About Configuration Import/Export, page 1 Exporting Configurations, page 3 Importing Configurations, page 4 About Configuration Import/Export
More informationA Deep Dive into the Firepower Manager
A Deep Dive into the Firepower Manager William Young, Security Solutions Architect willyou@cisco.com @WilliamDYoung BRKSEC-2058 Just some Security Guy William Young Security Solutions Architect, Cisco
More informationUse Cases for Firepower Threat Defense
The following topics explain some common tasks you might want to accomplish with Firepower Threat Defense using Firepower Device Manager. These use cases assume that you completed the device configuration
More informationMonitoring the Device
The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring
More informationDPI-SSL. DPI-SSL Overview
DPI-SSL Document Scope This document describes the DPI-SSL feature available in SonicOS 5.6. This document contains the following sections: DPI-SSL Overview section on page 1 Using DPI-SSL section on page
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.2 Original Publication: April 21, 2014 Last Updated: April 25, 2016 These release notes are valid for Version 5.3.0.2 of the Sourcefire 3D System. Even
More informationUnderstanding HTTPS to Decrypt it
Understanding HTTPS to Decrypt it James Everett Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join
More informationThe following topics describe how to configure correlation policies and rules.
The following topics describe how to configure correlation policies and rules. Introduction to and Rules, page 1 Configuring, page 2 Configuring Correlation Rules, page 5 Configuring Correlation Response
More informationAccess Control. Access Control Overview. Access Control Rules and the Default Action
The following topics explain access control rules. These rules control which traffic is allowed to pass through the device, and apply advanced services to the traffic, such as intrusion inspection. Overview,
More informationThe following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models
The following topics explain how to get started configuring Firepower Threat Defense. Is This Guide for You?, page 1 Logging Into the System, page 2 Setting Up the System, page 6 Configuration Basics,
More informationDesign and Deployment of SourceFire NGIPS and NGFWL
Design and Deployment of SourceFire NGIPS and NGFWL BRKSEC - 2024 Marcel Skjald Consulting Systems Engineer Enterprise / Security Architect Abstract Overview of Session This technical session covers the
More informationUnderstanding Cisco Cybersecurity Fundamentals
210-250 Understanding Cisco Cybersecurity Fundamentals NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 210-250 Exam on Understanding Cisco
More informationCorrigendum 3. Tender Number: 10/ dated
(A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial
More informationNew Features and Functionality
This section describes the new and updated features and functionality included in Version 6.2.1. Note that only the Firepower 2100 series devices support Version 6.2.1, so new features deployed to devices
More informationCisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer
Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability
More informationCisco Firepower Thread Defence. Claudiu Boar
Cisco Firepower Thread Defence Claudiu Boar Security everywhere Stop threats at the edge Control who gets onto your network Find and contain problems fast Protect users wherever they work Simplify network
More informationCisco Next Generation Firewall Services
Toronto,. CA May 30 th, 2013 Cisco Next Generation Firewall Services Eric Kostlan Cisco Technical Marketing 2011 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Objectives At the
More informationLicensing the Firepower System
The following topics explain how to license the Firepower System. About Firepower Feature Licenses, on page 1 Service Subscriptions for Firepower Features, on page 2 Smart Licensing for the Firepower System,
More informationPrefiltering and Prefilter Policies
The following topics describe how to configure prefiltering: Introduction to Prefiltering, on page 1 Prefiltering vs Access Control, on page 2 About Prefilter Policies, on page 4 Configuring Prefiltering,
More informationLicensing the Firepower System
The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 2 Smart Licensing for the Firepower System,
More informationLicensing the Firepower System
The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 1 Classic Licensing for the Firepower System,
More informationUnderstanding Traffic Decryption
The following topics provide an overview of SSL inspection, describe the prerequisites for SSL inspection configuration, and detail deployment scenarios. Traffic Decryption Overview, page 1 SSL Handshake
More informationRealms and Identity Policies
The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 15 Create an Identity Rule, page 15 Manage a Realm, page 20 Manage an Identity
More informationCisco Firepower NGFW. Anticipate, block, and respond to threats
Cisco Firepower NGFW Anticipate, block, and respond to threats Digital Transformation on a Massive Scale 15B Devices Today Attack Surface 500B Devices In 2030 Threat Actors $19T Opportunity Next 10 Years
More informationClassic Device Management Basics
The following topics describe how to manage Classic devices (7000 and 8000 Series devices, ASA with FirePOWER Services, and NGIPSv) in the Firepower System: Remote Management Configuration, page 1 Interface
More informationThe following topics provide more information on user identity. Establishing User Identity Through Passive Authentication
You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user
More informationConfiguring F5 for SSL Intercept
Configuring F5 for Welcome to the F5 deployment guide for configuring the BIG-IP system for SSL intercept (formerly called with Air Gap Egress Inspection). This document contains guidance on configuring
More informationLogging into the Firepower System
The following topics describe how to log into the Firepower System: Firepower System User Accounts, on page 1 User Interfaces in Firepower Management Center Deployments, on page 3 Logging Into the Firepower
More informationIPS Device Deployments and Configuration
The following topics describe how to configure your device in an IPS deployment: Introduction to IPS Device Deployment and Configuration, page 1 Passive IPS Deployments, page 1 Inline IPS Deployments,
More informationCisco Threat Intelligence Director (TID)
The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Using TID Sources to Ingest Feed Data, page 6 Using Access Control to Publish TID Data and Generate
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-207 Title : Implementing Cisco Threat Control Solutions (SITCS) Vendor : Cisco Version : DEMO Get Latest & Valid
More informationIdentity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication
You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user
More informationThe IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title.
I n t r o d u c t i o n The CCNA Security IINS exam topics have been refreshed from version 2.0 to version 3.0. This document will highlight exam topic changes between the current 640-554 IINS exam and
More informationCisco Threat Intelligence Director (TID)
The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Requirements for Threat Intelligence Director, page 4 How To Set Up, page 6 Analyze TID Incident
More informationBarracuda Firewall Release Notes 6.6.X
Please Read Before Upgrading Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that are more current than the version that
More informationDissecting Firepower-FTD & Firepower-Services Design & Troubleshooting
BRKSEC-3455 Dissecting Firepower-FTD & Firepower-Services Design & Troubleshooting Foster Lipkey, Technical Leader Veronika Klauzova, TAC Tech Lead Cisco Spark How Questions? Use Cisco Spark to communicate
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.2.0.2 Original Publication: October 18, 2013 Last Updated: October 18, 2013 These release notes are valid for Version 5.2.0.2 of the Sourcefire 3D System. Even
More informationDissecting Firepower-FTD & Firepower-Services Design & Troubleshooting
Dissecting Firepower-FTD & Firepower-Services Design & Troubleshooting Veronika Klauzova BRKSEC-3455 Agenda Introduction Updated FTD Packet Flow Data-Path Improvements Best Practices for Deployments Troubleshooting
More informationFP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer
FP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer Agenda Introduction The Issue of Threats Introduction to IPS Deploying IPS Operationalise IPS Q & A Objectives What will
More informationFirepower Management Center High Availability
The following topics describe how to configure Active/Standby high availability of Cisco Firepower Management Centers: About, on page 1 Establishing, on page 7 Viewing Status, on page 8 Configurations
More informationFeatures and Functionality
Features and functionality introduced in previous versions may be superseded by new features and functionality in later versions. New or Changed Functionality in Version 6.2.2.x, page 1 Features Introduced
More informationRealms and Identity Policies
The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 14 Create an Identity Rule, page 15 Manage a Realm, page 17 Manage an Identity
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.2.0.7 Original Publication: October 20, 2014 These release notes are valid for Version 5.2.0.7 of the Sourcefire 3D System. Even if you are familiar with the
More informationChapter 1: Content Security
Chapter 1: Content Security Cisco Cloud Web Security (CWS) Cisco offers Cisco Cloud Web Security (CWS) to protect End Stations and Users devices from infection. Cisco Cloud Web Security (CWS) depends upon
More informationGlobal vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year
Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year Firepower Next Generation Firewall Subtitle goes here William Young Security Solutions Architect, Global Security Architecture Team
More informationImplementing Cisco Edge Network Security Solutions ( )
Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to
More informationNetwork Discovery Policies
The following topics describe how to create, configure, and manage network discovery policies: Overview:, page 1 Network Discovery Customization, page 2 Network Discovery Rules, page 3 Configuring Advanced
More informationASACAMP - ASA Lab Camp (5316)
ASACAMP - ASA Lab Camp (5316) Price: $4,595 Cisco Course v1.0 Cisco Security Appliance Software v8.0 Based on our enhanced FIREWALL and VPN courses, this exclusive, lab-based course is designed to provide
More informationAccessEnforcer Version 4.0 Features List
AccessEnforcer Version 4.0 Features List AccessEnforcer UTM Firewall is the simple way to secure and manage your small business network. You can choose from six hardware models, each designed to protect
More informationAgile Security Solutions
Agile Security Solutions Piotr Linke Security Engineer CISSP CISA CRISC CISM Open Source SNORT 2 Consider these guys All were smart. All had security. All were seriously compromised. 3 The Industrialization
More informationACS / Computer Security And Privacy. Fall 2018 Mid-Term Review
ACS-3921-001/4921-001 Computer Security And Privacy Fall 2018 Mid-Term Review ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been adopted and/or modified
More informationCisco s Appliance-based Content Security: IronPort and Web Security
Cisco s Appliance-based Content Security: IronPort E-mail and Web Security Hrvoje Dogan Consulting Systems Engineer, Security, Emerging Markets East 2010 Cisco and/or its affiliates. All rights reserved.
More informationSecurity Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems. BRKSEC-2052_c Cisco Systems, Inc. All rights reserved.
Web 2.0 Security Recommendations Ken Kaminski Security Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems 1 Agenda Reputation Services Web application security Secure Coding and Web Application
More informationThe Intrusion Rules Editor
The following topics describe how to use the intrusion rules editor: An Introduction to Intrusion Rule Editing, on page 1 Rule Anatomy, on page 2 Custom Rule Creation, on page 14 Searching for Rules, on
More informationCisco - ASA Lab Camp v9.0
Cisco - ASA Lab Camp v9.0 Code: 0007 Lengt h: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment
More informationRule Management: Common Characteristics
The following topics describe how to manage common characteristics of rules in various policies on the Firepower Management Center: Introduction to Rules, page 1 Rule Condition Types, page 2 Searching
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.2.0.6 Original Publication: February 10, 2015 These release notes are valid for Version 5.2.0.6 of the Sourcefire 3D System. Even if you are familiar with the
More informationClarify Firepower Threat Defense Access Control Policy Rule Actions
Clarify Firepower Threat Defense Access Control Policy Rule Actions Contents Introduction Prerequisites Requirements Components Used Background Information How ACP is Deployed Configure ACP Available Actions
More informationRemote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN
Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a laptop or desktop computer connected to the Internet. This allows mobile workers
More informationMcAfee Network Security Platform 8.3
8.3.7.28-8.3.7.6 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known
More informationThe Intrusion Rules Editor
The following topics describe how to use the intrusion rules editor: An Introduction to Intrusion Rule Editing, page 1 Rule Anatomy, page 2 Custom Rule Creation, page 14 Searching for Rules, page 20 Rule
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3 Original Publication: April 21, 2014 These release notes are valid for Version 5.3 of the Sourcefire 3D System. Even if you are familiar with the update process,
More informationConfiguration Import and Export
The following topics explain how to use the Import/Export feature: About Configuration Import/Export, page 1 Exporting Configurations, page 3 Importing Configurations, page 4 About Configuration Import/Export
More informationUSM Anywhere AlienApps Guide
USM Anywhere AlienApps Guide Updated April 23, 2018 Copyright 2018 AlienVault. All rights reserved. AlienVault, AlienApp, AlienApps, AlienVault OSSIM, Open Threat Exchange, OTX, Unified Security Management,
More informationMcAfee Network Security Platform Administration Course
McAfee Network Security Platform Administration Course Education Services administration course The McAfee Network Security Platform Administration course from McAfee Education Services is an essential
More informationUnderstanding Traffic Decryption
The following topics provide an overview of SSL inspection, describe the prerequisites for SSL inspection configuration, and detail deployment scenarios. About Traffic Decryption, page 1 SSL Inspection
More informationImplementing Cisco Network Security (IINS) 3.0
Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.4 Original Publication: May 7, 2015 Last Updated: April 25, 2016Sourcefire-3D-System-Release-Notes-5-3-0-3 These release notes are valid for Version 5.3.0.4
More informationAbout Advanced Access Control Settings for Network Analysis and Intrusion Policies
Advanced Access Control Settings for Network Analysis and Intrusion Policies The following topics describe how to configure advanced settings for network analysis and intrusion policies: About Advanced
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.5 Original Publication: June 8, 2015 Last Updated: April 25, 2016 These release notes are valid for Version 5.3.0.5 of the Sourcefire 3D System. Even if
More informationDNS Policies. DNS Policy Overview. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices.
The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices. DNS Policy Overview, page 1 DNS Policy Components, page 2 DNS Rules, page 6 DNS Policy Deploy, page
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.8 Original Publication: May 2, 2016 These release notes are valid for Version 5.3.0.8 of the Sourcefire 3D System. Even if you are familiar with the update
More informationA10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS
DEPLOYMENT GUIDE A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS A10 NETWORKS SSL INSIGHT & FIREWALL LOAD BALANCING SOLUTION FOR SONICWALL SUPERMASSIVE NEXT GENERATION FIREWALLS OVERVIEW This document describes
More information