Cisco Firepower NGIPS Tuning and Best Practices
John Wise, Security Instructor
High Touch Delivery, Cisco Learning Services
CTHCRT-2000
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017.
cs.co/ciscolivebot#cthcrt-2000
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
Introduction
Inspection Order
Network Discovery
Traffic to Not Inspect and Fast Path
Base Intrusion Policies
Variables
Connection Events
Introduction
Cisco Learning Services
Internet crime costs companies billions of dollars annually. Understanding how to profile attackers and defend network and data assets is essential. Security training will help protect your business's reputation, which is one of its most important assets.
Where can you get official training on Firepower technologies? Cisco High Touch Delivery at Learning@Cisco! We offer a 4-day ILT or virtual course based on Firepower, where we cover everything from the ground up. Developed and delivered by Cisco High Touch Delivery in Advanced Services, we are the official place for all Firepower security training.
Firepower class offerings:
Firepower200: 5-day course covering Firepower Threat Defense
SSFIPS: 4-day course covering Firepower NGIPS
Just ask if you would like additional information! To learn more about the Cisco Learning Services Security courses, visit www.cisco.com/web/learning/learning_services/courses/security.html
Ask Yourself
Am I sure I am properly configured? Am I optimally tuned? Could I improve my system performance and security posture, and reduce false positives?
Let's look at a few of the most common misunderstandings and misconfigurations, and save yourself a call to support! We have 30 minutes. Let's begin!
Understand The Order of Inspection
Firepower Order of Inspection (Memorize This!)
Traffic flows through the policies in this order: Security Intelligence, SSL, Access Control, then Further Inspection (Malware & File, Intrusion).
Security Intelligence: blocks blacklisted IPs, DNS names, and URLs before inspection by the ACP. Traffic blocked here never enters the later policies.
SSL: decrypts SSL traffic, with the ability to block SSL traffic based on criteria. Decrypted traffic can be seen by the later policies.
Access Control: the firewall component. Inspects up to Layer 7 and makes Block, Inspect, or Trust (no further inspection) decisions on traffic.
Malware & File: inspects, blocks, or stores files. Detects, blocks, and alerts on files determined to be malware.
Intrusion: IPS. Traffic inspection by Snort rules looking for malicious traffic.
Define Your Network Discovery
Network Discovery
Firepower will automatically build host profiles based on your Network Discovery policy. The managed device reports discovery data to the Firepower Management Center, which generates host profiles containing services, applications, vulnerabilities, protocols, ports, and operating systems.
Network Discovery Processing Order
But discovery only occurs at one point in the flow: Fast Path, Security Intelligence, SSL, Access Control, then Network Discovery, followed by Further Inspection (Malware & File, Intrusion). Therefore, if traffic does not reach this inspection point, no discovery information is captured!
Is Your Network Discovery Defined?
You must go in and define this policy! Define your network here.
Did you know? Not defining your Network Discovery can cause you to exceed your host limits!
Define Your Network
1st, ensure discovery is enabled. In 6.x this is off by default.
2nd, Discover to build host profiles for your internal network, what you are protecting.
3rd, Exclude to prevent host profiles for certain devices: load balancers, NAT devices, anything you are not protecting.
Identify Traffic to Not Inspect
Should You Inspect All Traffic? Probably Not.
Traffic not requiring inspection: VoIP, backup, scanner.
How? You use an ACP rule with the Trust action to not inspect traffic.
Elephant flows can cause performance issues! Backup traffic is a prime example. You can usually tell you have an elephant flow when you see just one CPU core spike!
Can You Fast Path Any Traffic?
Fast Pathing Traffic is Fast!
Fast pathing traffic is the fastest way to not inspect certain traffic. It can also be used to block in certain hardware and configurations.
Fast-pathed traffic is processed at the Fast Path stage, before Security Intelligence, SSL, Access Control, Network Discovery, and Further Inspection (Malware & File, Intrusion).
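The processing order from the inspection-order, Network Discovery and fast-path slides, as an added toy model (not Cisco code) that records which stages each flow reaches; the policy contents and addresses are constructed, and it shows why trusted or blocked flows never produce discovery data:

```python
"""Added example, not Cisco code: toy model of the slides' inspection order
(Fast Path, Security Intelligence, SSL, Access Control, Network Discovery,
then File and Intrusion). Records the stages a flow reaches so you can see
which flows never produce Network Discovery data. Policy data is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

STAGES = ["fast_path", "security_intelligence", "ssl", "access_control",
          "network_discovery", "file", "intrusion"]

# Constructed policy pieces (RFC 1918 / RFC 5737 addresses).
FAST_PATH_TRUST = [("10.0.0.0/8", 5000)]                  # backup job: (src net, dport)
SI_BLACKLIST = {"203.0.113.9"}                             # blacklisted IP
AC_RULES = [("trust", "any", 5060), ("block", "any", 23)]  # (action, src net, dport)
DISCOVERY_NETS = [ip_network("10.0.0.0/8")]                # networks we Discover

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    reached: list = field(default_factory=list)
    verdict: str = "allow_inspected"
    discovered: bool = False

def in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)

def inspect(flow):
    """Walk the flow through the stages; return early on a terminal verdict."""
    for stage in STAGES:
        flow.reached.append(stage)
        if stage == "fast_path":
            if any(in_net(flow.src, n) and flow.dport == p for n, p in FAST_PATH_TRUST):
                flow.verdict = "fast_path_trust"   # never inspected, never discovered
                return flow
        elif stage == "security_intelligence":
            if flow.src in SI_BLACKLIST or flow.dst in SI_BLACKLIST:
                flow.verdict = "si_block"          # blocked before the ACP
                return flow
        elif stage == "access_control":
            for action, src, dport in AC_RULES:
                if in_net(flow.src, src) and flow.dport == dport:
                    flow.verdict = f"ac_{action}"  # Trust or Block: no further inspection
                    return flow
        elif stage == "network_discovery":
            flow.discovered = any(ip_address(a) in n for a in (flow.src, flow.dst)
                                  for n in DISCOVERY_NETS)
    return flow
```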
Fast Pathing Based On Firepower Platform
You fast path differently in each of these three platforms!
Cisco ASA with FirePOWER Services
FirePOWER 7000/8000
Firepower Threat Defense: image for ASA 5500-X*, Firepower 2100, 4100, 9300, VMware, and Amazon Web Services (*excludes ASA 5585-X)
Fast Pathing With ASA FirePOWER Services
Fast path on the ASA, not in Firepower. The slide's ASA packet flow diagram, reconstructed:
1. Receive packet on the ingress interface
2. Existing connection? If yes, skip the ACL check
3. ACL match? No: drop. Permit? No: drop.
4. Xlate (translation lookup)
5. Inspections and security checks (the FirePOWER module box sits here in the diagram). Fail: drop.
6. NAT the IP header
7. Egress interface: L3 route? No: drop. L2 address? No: drop.
8. Transmit packet
Fast Pathing With Firepower 8000 Series
8000 Series devices can use Fast Path Rules, defined in the Devices tab. Fast path rules are slowly going away, however; use promoted rules instead.
Fast Pathing With Firepower 7000/8000 Series
7000/8000 use promoted ACP rules to fast path traffic. Create ACP rules that:
1. Are Trust, Block, or Block with Reset
2. Have only VLAN, IP, Security Zone, and Port conditions
3. Are placed above all other ACP rules
If the ACP rule meets all these conditions, the rule will be promoted.
Rule Promotion Example
These two rules will automatically be promoted to fast path. Notice both are using Port and IP for identifying the traffic, and are placed above all other rules! You won't see this occur in the GUI! This is an automatic system process.
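The three promotion conditions above, as an added eligibility check (not Cisco code; the rule dicts are a constructed shape, not FMC's export format) that walks an ACP top to bottom and explains why each rule is or is not promoted:

```python
"""Added example, not Cisco code: checks a list of ACP rules (top to bottom)
against the three promotion conditions from the slides for 7000/8000 Series
devices. The rule dicts are a constructed shape, not FMC's export format."""
PROMOTABLE_ACTIONS = {"Trust", "Block", "Block with reset"}
PROMOTABLE_CONDITIONS = {"vlan", "ip", "zone", "port"}

def rule_problems(rule):
    """Return the reasons a single rule cannot be promoted (empty list = eligible)."""
    problems = []
    if rule["action"] not in PROMOTABLE_ACTIONS:
        problems.append(f"action {rule['action']!r} is not Trust/Block/Block with reset")
    extra = set(rule.get("conditions", {})) - PROMOTABLE_CONDITIONS
    if extra:
        problems.append("uses conditions beyond VLAN/IP/zone/port: " + ", ".join(sorted(extra)))
    return problems

def promoted_rules(rules):
    """Rules are in ACP order. Promotion stops at the first rule that fails
    conditions 1 or 2, because everything below it is no longer 'above all
    other ACP rules'. Returns (promoted names, {name: reasons} for the rest)."""
    promoted, skipped = [], {}
    blocking = None
    for rule in rules:
        problems = rule_problems(rule)
        if blocking is not None:
            problems.append(f"placed below non-promotable rule {blocking!r}")
        if problems:
            skipped[rule["name"]] = problems
            blocking = blocking or rule["name"]
        else:
            promoted.append(rule["name"])
    return promoted, skipped

# Constructed ACP, in order, with RFC 1918 addresses.
SAMPLE_ACP = [
    {"name": "Trust backup", "action": "Trust",
     "conditions": {"ip": ["10.10.0.0/16"], "port": ["TCP/5000"]}},
    {"name": "Block telnet", "action": "Block with reset",
     "conditions": {"ip": ["any"], "port": ["TCP/23"]}},
    {"name": "Allow web", "action": "Allow",
     "conditions": {"application": ["HTTP"], "port": ["TCP/80"]}},
    {"name": "Trust VoIP", "action": "Trust",
     "conditions": {"zone": ["inside"], "port": ["UDP/5060"]}},
]
```

The fourth rule would qualify on its own, but sits below an Allow rule and so is not promoted; moving it above "Allow web" fixes that.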
Promoted ACP Rule Processing (7000/8000)
The promoted rules are written in the ACP. When applied to your sensor they get automatically pushed to the Fast Path stage, ahead of Security Intelligence, SSL, Access Control, Network Discovery, and Further Inspection (Malware & File, Intrusion).
Fast Pathing With Firepower Threat Defense
FTD code has a new policy called Prefilter. Prefilter uses limited outer-header criteria to quickly process traffic. Fast pathing occurs in the Prefilter stage, ahead of Security Intelligence, SSL, Access Control, Network Discovery, and Further Inspection (Malware & File, Intrusion).
Base Intrusion Policies
Use One of These 3 Base Intrusion Policies
Cisco Talos provides and updates base policies for you. Choose the security approach you wish to have. Talos provides updates at least twice a week, and responds to ever-changing security threats in real time.
Base policies, in increasing protection level:
Connectivity over Security
Balanced Security and Connectivity
Security over Connectivity
Are You Using One of These Base Policies?
Maximum Detection: not for use in deployment. Do not use unless directed to do so!
No Rules Active: often used if planning to use Firepower Recommendations to turn rules on based on your environment.
Tip! If you plan to use Firepower Recommendations to adjust Snort rule states, it is best to start with Security over Connectivity and use the recommendations to adjust these in a layer.
Note: Talos rule updates do not automatically affect No Rules Active, and you will no longer have the advantage of Talos input for the rule states.
Define Your HOME_NET Variable
Did You Define HOME_NET?
HOME_NET is used in the majority of your Snort rules. Defining HOME_NET will significantly tune your system and reduce false positives. This is one of the most important settings to configure!
Look! Here it is defined as any; you need to go in and define this with your internal and protected networks.
EXTERNAL_NET
Did You Define EXTERNAL_NET?
EXTERNAL_NET defines what is outside your network. This is any by default. You have two options: define it as not HOME_NET (!HOME_NET), or leave it as any.
Defining EXTERNAL_NET as !HOME_NET is Popular, But Not Always Appropriate
If you define EXTERNAL_NET as !HOME_NET you will miss some internally-based attacks, but will notice a significant performance gain.
Be careful if you defined EXTERNAL_NET as !HOME_NET and associated it with traffic originating from inside your network.
Remember, Variables Are Assigned to Intrusion Policies in ACP Rules
And therefore you can have multiple definitions! You choose the variable set in the ACP rule.
So Consider Using Multiple EXTERNAL_NET Definitions
Create a definition of EXTERNAL_NET as !HOME_NET for traffic from outside your network to the inside of your network. Leave EXTERNAL_NET as any for traffic that is internal to internal. You can do this with Security Zones in your ACP rules!
The slide's Access Control diagram: ACP Rule 1 uses a variable set with EXTERNAL_NET set to any, ACP Rule 2 uses EXTERNAL_NET set to !HOME_NET, and ACP Rule 3 uses EXTERNAL_NET set to any; the rules are paired with the Security over Connectivity and Balanced intrusion policies.
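The effect described on the two EXTERNAL_NET slides (internal attacks missed with !HOME_NET, caught with any), as an added example that is not Cisco or Snort code: it resolves HOME_NET and EXTERNAL_NET from a constructed variable set and evaluates a Snort-style rule header against sample flows; the addresses and the rule header are constructed.

```python
"""Added example, not Cisco/Snort code: resolves HOME_NET / EXTERNAL_NET from a
variable set and evaluates a Snort-style rule header against a flow, to show why
EXTERNAL_NET = !HOME_NET misses internal-to-internal attacks while EXTERNAL_NET =
any catches them. Networks and the rule header are constructed."""
from ipaddress import ip_address, ip_network

def make_varset(home_net, external_net="any"):
    """Variable set as on the slides: HOME_NET is a list of CIDRs,
    EXTERNAL_NET is 'any' or '!HOME_NET'."""
    return {"HOME_NET": [ip_network(n) for n in home_net], "EXTERNAL_NET": external_net}

def matches_var(varset, var, addr):
    """Does addr match a rule-header variable such as '$HOME_NET' or '!$HOME_NET'?"""
    if var == "any":
        return True
    negate = var.startswith("!")
    value = varset[var.lstrip("!$")]
    if isinstance(value, str):           # EXTERNAL_NET defined in terms of HOME_NET
        hit = matches_var(varset, value, addr)
    else:
        hit = any(ip_address(addr) in n for n in value)
    return not hit if negate else hit

def rule_matches(varset, rule, flow):
    """rule = (src_var, dst_var, dport); flow = (src, dst, dport)."""
    src_var, dst_var, dport = rule
    src, dst, fport = flow
    return (dport == "any" or dport == fport) and \
        matches_var(varset, src_var, src) and matches_var(varset, dst_var, dst)

# Constructed: the slide's Rule 2 style set (!HOME_NET) beside the Rule 1/3 style set (any).
HOME = ["10.0.0.0/8", "192.168.0.0/16"]
VS_ANY = make_varset(HOME, "any")
VS_NOT_HOME = make_varset(HOME, "!HOME_NET")
RULE = ("$EXTERNAL_NET", "$HOME_NET", 445)  # typical server-side rule header

def compare(flow):
    """Whether RULE fires on the flow under each EXTERNAL_NET definition."""
    return {"any": rule_matches(VS_ANY, RULE, flow),
            "!HOME_NET": rule_matches(VS_NOT_HOME, RULE, flow)}
```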
Tune Your Connection Events
Remember The Logging Flow
Connection events are sent from the managed device to the Firepower Management Center. Did you know the Event Viewer refers to your Firepower Management Center?
Note: If connection logging is not enabled, no connection events are sent to the Firepower Management Center!
But Should You Log All Connection Events? Probably Not.
If you are logging all traffic, you will likely have poor retention times and could overwork your FMC. So, create ACP rules to identify traffic you do not wish to log! The best way to start: create a DNS query ACP rule that does not log connection events!
Final Considerations!
Are You Aware?
Security Intelligence whitelists are only for overriding a blacklist entry. Whitelisted traffic is NOT trusted; this traffic will continue through inspection!
Did you know? In order to take advantage of DNS Security Intelligence (new in 6.x) you must first create a DNS policy and associate that policy to your ACP.
And Lastly
Use Adaptive Profiles (turn it on here). This will reassemble IP fragments and streams based on the OS seen in the host profile.
Do not modify or change your Network Analysis policy unless under guidance. Leave this alone unless under expert guidance!
Thank you