Cisco Firepower NGIPS Tuning and Best Practices


Cisco Firepower NGIPS Tuning and Best Practices
John Wise, Security Instructor, High Touch Delivery, Cisco Learning Services
Session CTHCRT-2000

Cisco Spark
Use Cisco Spark to communicate with the speaker after the session:
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017. cs.co/ciscolivebot#cthcrt-2000
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
1. Introduction
2. Inspection Order
3. Network Discovery
4. Traffic to Not Inspect and Fast Path
5. Base Intrusion Policies
6. Variables
7. Connection Events

Introduction

Cisco Learning Services
Internet crime costs companies billions of dollars annually. Understanding how to profile attackers and defend network and data assets is essential. Security training will help protect your business's reputation, which is one of its most important assets.
Where can you get official training on Firepower technologies? Cisco High Touch Delivery at Learning@Cisco. We offer a 4-day ILT or virtual course based on Firepower, where we cover everything from the ground up. Developed and delivered by Cisco High Touch Delivery in Advanced Services, we are the official place for all Firepower security training.
Firepower class offerings:
Firepower200: 5-day course covering Firepower Threat Defense
SSFIPS: 4-day course covering Firepower NGIPS
Just ask if you would like additional information. To learn more about the Cisco Learning Services Security courses, visit www.cisco.com/web/learning/learning_services/courses/security.html

Ask Yourself
Am I sure I am properly configured? Am I optimally tuned? Could I improve my system performance and security posture, and reduce false positives?
Let's look at a few of the most common misunderstandings and misconfigurations, and save yourself a call to support. We have 30 minutes. Let's begin!

Understand The Order of Inspection

Firepower Order of Inspection (Memorize This!)
Traffic flows through the policies in this order: Security Intelligence -> SSL -> Access Control -> Further Inspection (Malware & File, Intrusion).
Security Intelligence: blocks blacklisted IPs, DNS names, and URLs before inspection by the ACP. Traffic blocked here never enters the later policies.
SSL: decrypts SSL traffic, with the ability to block SSL traffic based on criteria. Decrypted traffic can be seen by the later policies.
Access Control: the firewall component. Inspects up to Layer 7 and makes Block, Inspect, or Trust (no further inspection) decisions on traffic.
Malware & File: inspects, blocks, or stores files; detects, blocks, and alerts on files determined to be malware.
Intrusion (IPS): traffic inspection by Snort rules looking for malicious traffic.

Define Your Network Discovery

Network Discovery
Firepower will automatically build Host Profiles based on your Network Discovery policy. The managed device reports to the Firepower Management Center, which generates host profiles containing services, applications, vulnerabilities, protocols, ports, and operating systems.

Network Discovery Processing Order
Network Discovery occurs at only one point in the flow: Fast Path -> Security Intelligence -> SSL -> Access Control -> Network Discovery -> Further Inspection (Malware & File, Intrusion).
Therefore, if traffic does not reach this inspection point, no discovery information is captured!

Is Your Network Discovery Defined?
You must go in and define this policy, specifying your network in the Network Discovery policy.
Did you know? Not defining your Network Discovery can cause you to exceed your host limits!

Define Your Network
1st, ensure Network Discovery is enabled. In 6.x this is off by default.
2nd, use Discover to build host profiles for your internal network, what you are protecting.
3rd, use Exclude to prevent host profiles for certain devices: load balancers, NAT devices, anything you are not protecting.

Identify Traffic to Not Inspect

Should You Inspect All Traffic? Probably Not.
Traffic not requiring inspection: VoIP, backup, scanner traffic.
How? Use an ACP rule with the Trust action to not inspect that traffic.
Elephant flows can cause performance issues! Backup traffic is a prime example. You can usually tell you have an elephant flow when you see just one CPU core spike!

Can You Fast Path Any Traffic?

Fast Pathing Traffic is Fast!
Fast pathing traffic is the fastest way to not inspect certain traffic. It can also be used to block in certain hardware and configurations.
Fast-pathed traffic is processed at the very start of the flow, before everything else: Fast Path -> Security Intelligence -> SSL -> Access Control -> Network Discovery -> Further Inspection (Malware & File, Intrusion).

Fast Pathing Based On Firepower Platform
You fast path differently in each of these three platforms:
Cisco ASA with FirePOWER Services
FirePOWER 7000/8000
Firepower Threat Defense (image for ASA 5500-X*, Firepower 2100, 4100, 9300, VMware, and Amazon Web Services)
*Excludes ASA 5585-X

Fast Pathing With ASA FirePOWER Services
Fast path on the ASA, not in FirePOWER. The slide shows the ASA packet flow: a packet is received on the ingress interface; if it belongs to an existing connection it goes straight to inspections, otherwise it must match the ACL (permit) and have an xlate, or it is dropped; inspections and security checks (including FirePOWER Services) are applied, and packets that fail are dropped; the NAT IP header is applied, the egress interface is chosen by L3 route and L2 address lookup (no route or no L2 address drops the packet), and the packet is transmitted.

Fast Pathing With Firepower 8000 Series
8000 Series devices can use Fast Path Rules defined in the Devices tab. Fast path rules are slowly going away, however, so use promoted rules instead.

Fast Pathing With Firepower 7000/8000 Series
7000/8000 use promoted ACP rules to fast path traffic. Create ACP rules that:
1. Are Trust, Block, or Block with Reset
2. Have only: VLAN, IP, Security Zone, Port
3. Are placed above all other ACP rules
If the ACP rule meets all these conditions, the rule will be promoted.

Rule Promotion Example
These two rules will automatically be promoted to fast path. Notice both are using Port and IP for identifying the traffic, and are placed above all other rules! You won't see this occur in the GUI; this is an automatic system process.
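A small checker for the three promotion conditions above, written as an added example rather than anything from the deck or from Cisco. It assumes a simplified ACP representation (rule name, action, condition types) and reads condition 3 as "only the leading run of qualifying rules at the top of the policy is promoted"; the sample policy is constructed.

```python
# Actions and condition types the deck lists as eligible for promotion.
PROMOTABLE_ACTIONS = {"Trust", "Block", "Block with reset"}
PROMOTABLE_CONDITIONS = {"vlan", "ip", "zone", "port"}

# Constructed sample ACP, in policy order (top to bottom).
SAMPLE_ACP = [
    {"name": "trust-backup", "action": "Trust", "conditions": ["ip", "port"]},
    {"name": "block-scanner", "action": "Block", "conditions": ["zone", "ip"]},
    {"name": "allow-web", "action": "Allow", "conditions": ["ip", "url"]},
    {"name": "trust-voip", "action": "Trust", "conditions": ["ip", "port"]},
]


def is_promotable(rule):
    """Conditions 1 and 2: eligible action, and only VLAN/IP/zone/port."""
    return (rule["action"] in PROMOTABLE_ACTIONS
            and set(rule["conditions"]) <= PROMOTABLE_CONDITIONS)


def promoted_rules(policy):
    """Condition 3 (assumed reading): walk the ACP top-down and stop at
    the first rule that does not qualify. Returns the promoted names and
    the name of the rule that ended promotion (None if all qualified)."""
    promoted = []
    for rule in policy:
        if not is_promotable(rule):
            return promoted, rule["name"]
        promoted.append(rule["name"])
    return promoted, None


def promotion_report(policy):
    """Also list 'stranded' rules: promotable by action and conditions,
    but sitting below a non-promotable rule, so they will not be
    fast-pathed until moved to the top of the policy."""
    promoted, blocker = promoted_rules(policy)
    stranded = [r["name"] for r in policy
                if is_promotable(r) and r["name"] not in promoted]
    return {"promoted": promoted, "blocked_by": blocker, "stranded": stranded}


if __name__ == "__main__":
    print(promotion_report(SAMPLE_ACP))
```

In the sample, trust-voip is eligible but sits below allow-web, so the report flags it as stranded.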

Promoted ACP Rule Processing (7000/8000)
The promoted rules are written in the ACP. When applied to your sensor, they are automatically pushed to the Fast Path stage at the start of the flow: Fast Path -> Security Intelligence -> SSL -> Access Control -> Network Discovery -> Further Inspection (Malware & File, Intrusion).

Fast Pathing With Firepower Threat Defense
FTD code has a new policy called Prefilter. Prefilter uses limited outer-header criteria to quickly process traffic. Fast pathing occurs in the Prefilter stage, which comes first in the flow: Prefilter -> Security Intelligence -> SSL -> Access Control -> Network Discovery -> Further Inspection (Malware & File, Intrusion).

Base Intrusion Policies

Use One of These 3 Base Intrusion Policies
Cisco Talos provides and updates base policies for you; choose the security approach you wish to have. Talos provides updates at least twice a week, and responds to ever-changing security threats in real time.
Base policies, in increasing protection level:
Connectivity over Security
Balanced Security and Connectivity
Security over Connectivity

Are You Using One of These Base Policies?
Maximum Detection: not for use in deployment. Do not use unless directed to do so!
No Rules Active: often used if planning to use Firepower Recommendations to turn rules on based on your environment.
Tip! If you plan to use Firepower Recommendations to adjust Snort rule states, it is best to start with Security over Connectivity and use the recommendations to adjust these in a layer.
Note: Talos rule updates do not automatically affect No Rules Active, and you will no longer have the advantage of Talos input for the rule states.

Define Your HOME_NET Variable

Did You Define HOME_NET?
HOME_NET is used in the majority of your Snort rules. Defining HOME_NET will significantly tune your system and reduce false positives. This is one of the most important settings to configure!
Look! By default this is defined as any; you need to go in and define this with your internal and protected networks.

EXTERNAL_NET

Did You Define EXTERNAL_NET?
EXTERNAL_NET defines what is outside your network. This is any by default. You have two options: define it as not HOME_NET (!HOME_NET), or leave it as any.

Defining EXTERNAL_NET as !HOME_NET is Popular, But Not Always Appropriate
If you define EXTERNAL_NET as !HOME_NET you will miss some internally-based attacks, but will notice a significant performance gain. Be careful if you define EXTERNAL_NET as !HOME_NET and associate it with traffic originating from inside your network.

Remember, Variables Are Assigned to Intrusion Policies in ACP Rules
And therefore you can have multiple definitions! You choose the variable set in the ACP rule.

So Consider Using Multiple EXTERNAL_NET Definitions
Create a definition of EXTERNAL_NET as !HOME_NET for traffic from outside your network to the inside of your network. Leave EXTERNAL_NET as any for traffic that is internal to internal. You can do this with Security Zones in your ACP rules!
For example, the ACP could carry three rules, each with its own intrusion policy (Security over Connectivity, Balanced) and variable set: ACP Rule 1 with EXTERNAL_NET set to any, ACP Rule 2 with EXTERNAL_NET set to !HOME_NET, and ACP Rule 3 with EXTERNAL_NET set to any.
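To make the trade-off concrete, here is an added example (not from the deck or from Cisco) that resolves Snort-style $HOME_NET / $EXTERNAL_NET variables against sample flows. It assumes constructed HOME_NET networks, a constructed rule header of the form $EXTERNAL_NET any -> $HOME_NET 445, and a simplified zone split in which an internal source selects the "any" variable set and an external source selects the "!HOME_NET" set.

```python
import ipaddress

# Constructed HOME_NET and the two variable sets the deck recommends.
HOME = ["10.0.0.0/8", "192.168.0.0/16"]
VARSET_OUTSIDE_IN = {"HOME_NET": HOME, "EXTERNAL_NET": "!HOME_NET"}
VARSET_INSIDE_IN = {"HOME_NET": HOME, "EXTERNAL_NET": "any"}

# Constructed rule header, not a real Talos rule:
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 445
RULE = {"src": "$EXTERNAL_NET", "dst": "$HOME_NET", "dport": 445}

# Constructed flows: (source IP, destination IP, destination port).
FLOWS = [
    ("203.0.113.7", "10.1.2.3", 445),  # internet -> internal host
    ("10.5.5.5", "10.1.2.3", 445),     # internal -> internal (lateral)
]


def resolve(var, var_set, ip):
    """True if ip satisfies the variable's definition in var_set.
    Handles 'any', a list of CIDRs, and negation written as '!NAME'."""
    value = var_set[var.lstrip("$")]
    if value == "any":
        return True
    if isinstance(value, str) and value.startswith("!"):
        return not resolve(value[1:], var_set, ip)
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in value)


def rule_matches(rule, var_set, src_ip, dst_ip, dport):
    """Evaluate the rule header's source, destination and port."""
    return (resolve(rule["src"], var_set, src_ip)
            and resolve(rule["dst"], var_set, dst_ip)
            and rule["dport"] == dport)


def evaluate(var_set):
    """Which sample flows the rule fires on under one variable set."""
    return [rule_matches(RULE, var_set, s, d, p) for s, d, p in FLOWS]


def choose_varset(src_ip):
    """Assumed zone split: internal source -> 'any' set, else '!HOME_NET'."""
    internal = resolve("HOME_NET", VARSET_INSIDE_IN, src_ip)
    return VARSET_INSIDE_IN if internal else VARSET_OUTSIDE_IN


def evaluate_split():
    """Per-flow variable set selection, as two zone-based ACP rules would do."""
    return [rule_matches(RULE, choose_varset(s), s, d, p) for s, d, p in FLOWS]
```

With the !HOME_NET set alone the lateral flow is not matched; with the zone split both flows are, while external-to-internal traffic still gets the narrower definition.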

Tune Your Connection Events

Remember The Logging Flow
Connection events are sent from the managed device to the Firepower Management Center. Did you know "Event Viewer" refers to your Firepower Management Center?
Note: if connection logging is not enabled, no connection events are sent to the Firepower Management Center!

But Should You Log All Connection Events? Probably Not.
If you are logging all traffic, you will likely have poor retention times and could overwork your FMC. So, create ACP rules to identify traffic you do not wish to log. The best example: create a DNS query ACP rule that does not log connection events!

Final Considerations!

Are You Aware?
Security Intelligence whitelists are only for overriding a blacklist entry. Whitelisted traffic is NOT trusted; this traffic will continue through inspection!
Did you know? In order to take advantage of DNS Security Intelligence (new in 6.x) you must first create a DNS policy and associate that policy to your ACP.

And Lastly
Use Adaptive Profiles (turn it on in the ACP advanced settings). This will reassemble IP fragments and streams based on the OS seen in the Host Profile.
Do not modify or change your Network Analysis policy unless under guidance. Leave this alone unless under expert guidance!

Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on www.ciscolive.com/us.
Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.ciscolive.com/online.

Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions

Thank you