Design and Deployment of SourceFire NGIPS and NGFWL

Similar documents
Sourcefire Network Security Analytics: Finding the Needle in the Haystack

Agile Security Solutions

Firewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků

Next Generation IPS and Advance Malware Protection. Mahmoud Rabi Consulting Systems Engineer - Security

Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339

Cisco Advanced Malware Protection for Networks

Protection - Before, During And After Attack

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Cisco Advanced Malware Protection for Networks

Introduction to the Cisco Sourcefire NGIPS

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Sourcefire and ThreatGrid. A new perspective on network security

Cisco ASA with FirePOWER Services

Deploying Intrusion Prevention Systems

Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Cisco FirePOWER 8000 Series Appliances

Corrigendum 3. Tender Number: 10/ dated

Security for the real World NG IPS Jean-Paul Kerouanton Sourcefire, Inc.

Snort: The World s Most Widely Deployed IPS Technology

Cisco ASA with FirePOWER Services

Cloud-Managed Security for Distributed Networks with Cisco Meraki MX

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

SOURCEFIRE 3D SYSTEM RELEASE NOTES

A Comprehensive CyberSecurity Policy

Firepower Techupdate April Jesper Rathsach, Consulting Systems Engineer Cisco Security North April 2017

FP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer

The Future of Threat Prevention

Cisco Firepower Thread Defence. Claudiu Boar

Cisco ASA with FirePOWER Services

Getting Started with Network Analysis Policies

Cisco ASA 5500-X NGFW

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

The Internet of Everything is changing Everything

FireSIGHT Virtual Installation Guide

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Monitoring the Device

Cisco Security Exposed Through the Cyber Kill Chain

Threat Centric Network Security

Resilient WAN and Security for Distributed Networks with Cisco Meraki MX

Security, Internet Access, and Communication Ports

Cisco Firepower NGIPS Tuning and Best Practices

Security, Internet Access, and Communication Ports

AKAMAI CLOUD SECURITY SOLUTIONS

FirePower 2100 NGFW. Elodie Heurtevent Security BDM Commercial. 21 March 2017

Security, Internet Access, and Communication Ports

Intelligent Edge Protection

Simple and Powerful Security for PCI DSS

Cisco Comstor

The following topics describe how to manage various policies on the Firepower Management Center:

Features and Functionality

Access Control Using Intrusion and File Policies

JURUMANI MERAKI CLOUD MANAGED SECURITY & SD-WAN

A Deep Dive into the Firepower Manager

Improving Security with Cisco ASA Firepower Services Claudiu Onisoru, Senior Solutions Engineer Cisco Connect - 18 March 2015

Chapter 6: IPS. CCNA Security Workbook

Data Center Security. Fuat KILIÇ Consulting Systems

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

Rethinking Security: The Need For A Security Delivery Platform

Passit4Sure (50Q) Cisco Advanced Security Architecture for System Engineers

Seceon s Open Threat Management software

Licensing the Firepower System

A New Security Model for the IoE World. Henry Ong SE Manager - ASEAN Cisco Global Security Sales Organization

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

Stop Threats Before They Stop You

File Policies and AMP for Firepower

BRKSEC Snort Implementation in Cisco Products Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems

The Internet of Everything is changing Everything

Implementing Cisco Network Security (IINS) 3.0

All-in one security for large and medium-sized businesses.

CyberP3i Course Module Series

FirePOWER: Advanced Configuration and Tuning

Lastline Breach Detection Platform

Connection Logging. Introduction to Connection Logging

Easy Setup Guide. Cisco ASA with Firepower Services. You can easily set up your ASA in this step-by-step guide.

Expert Reference Series of White Papers. Cisco Completes the Security Picture with Sourcefire

The following topics describe how to configure correlation policies and rules.

Compare Security Analytics Solutions

Connection Logging. About Connection Logging

Licensing the Firepower System

Chapter 1: Content Security

SOURCEFIRE 3D SYSTEM RELEASE NOTES

Meraki MX Family Cloud Managed Security Appliances

Security, Internet Access, and Communication Ports

Meraki Solution Brochure

ForeScout Extended Module for Carbon Black

Qualys Cloud Platform

Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year

SOURCEFIRE 3D SYSTEM RELEASE NOTES

Cisco AMP Solution. Rene Straube CSE, Cisco Germany January 2017

Next Generation Computing Architectures for Cloud Scale Applications

SERVICE DESCRIPTION SD-WAN. from NTT Communications

Cisco ASA 5500 Series IPS Solution

Meraki 2018 Solution Brochure

Surat Smart City Development Ltd. Surat Municipal Corporation 1

Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace. Milan Habrcetl Cisco CyberSecurity Specialist Mikulov, 5. 9.

Ciprian Stroe Senior Presales Consultant, CCIE# Cisco and/or its affiliates. All rights reserved.

Licensing the Firepower System

Transcription:

Design and Deployment of SourceFire NGIPS and NGFWL BRKSEC - 2024 Marcel Skjald Consulting Systems Engineer Enterprise / Security Architect

Abstract Overview of Session This technical session covers the FirePOWER security appliance product line and how it uniquely uses context to deliver true next generation network security capabilities including NGIPS, NGFW, and AMP (Next Generation IPS, Next Generation Firewall, and Advanced Malware Protection). The session will begin with a detailed review of the FirePOWER architecture including hardware acceleration, packet, flow and stream processing, and then move on to introduce why network context from FireSIGHT is a vital component in delivering these next generation services. Followed by a detailed review of Advanced Malware Protection, and how it uses context in detailing Malware behaviour. Deployment Scenarios. 3

Agenda Why do we need NGIPS or Advanced Malware Protection? What is FirePOWER? Performance and functional characteristics Packet and flow processing (day in the life of a stream) What is FireSIGHT? Awareness and the Network Map Why this context is vital in modern networks FirePOWER: Security deployment modes NGIPS NGFW Advanced Malware Protection (AMP) Deployment Scenarios / Considerations 4

Why do we Need NGIPS & Advanced Malware Detection? Hackers State Based Actors Criminals Insider Threats Compliance Due Diligence Knowledge! 5

Where did it all Start? Marty Roesch 6

Threat Focused Approach to Network Security Subtitle: Size 18, Left Aligned 7

FirePOWER Platform - Overview

What is FirePOWER? Industry-leading security platform Unmatched performance from a single-pass, low-latency design Configuration flexibility Standard platform for delivering the Sourcefire network capability NGIPS, NGFW & AMP 9

FirePOWER Platform 10

Fixed Connectivity Mixed / SFP Modular Connectivity Stackable FirePOWER Platform All appliances include: Integrated lights-out management Sourcefire acceleration technology LCD display IPS Throughput 40 Gbps 30 Gbps 20 Gbps 10 Gbps 6 Gbps 4 Gbps 2 Gbps 1.5 Gbps 1.25 Gbps 8270 8260 8250 8140 8130 8120 7125 7120 1 Gbps 750 Mbps 7115 500 Mbps 250 Mbps 100 Mbps 50 Mbps 8290 7110 7030 7020 7010 11

FirePOWER Scalability 12

New FirePower Appliances 8300 Series IPS Throughput Current 8200 Offerings IPS Throughput New 8300 Offerings 40 Gbps 8290 60 Gbps 8390 30 Gbps 8270 45 Gbps 8370 20 Gbps 8260 30 Gbps 8360 10 Gbps 8250 15 Gbps 8350 13

8300 Series Performance Specifications Rack Height NGIPS Throughput Maximum Monitoring Interfaces (1Gbs) x86 Cores/ threads and # Microengines Netmod Bays Stacking 8350 2U 15Gbps 28 20/40 and 80 7 Yes, with additional 8350 appliances. 8360 4U 30Gbps 24 40/80 and 160 6 Yes, with additional 8350 appliances. 8370 6U 45Gbps 20 60/120 and 240 5 Yes, with additional 8350 appliances. 8390 8U 60Gbps 16 80/160 and 320 4 Yes, with additional 8350 appliances. 14

FirePOWER - 7010,7020,7030 15

FirePOWER Defence Centres (Mgmt Console) 16

FirePOWER Virtual 17

FirePOWER Architecture

The Power of Hardware & Software Combined Enables industry leading, energy efficient performance for Sourcefire NGIPS NGFW Technology Custom designed, specialised network processor accelerates data acquisition and classification. 19

Single Pass Architecture 20

480 Gbps Load Balancer Single Pass Architecture 480Gbps Layer 2-4 packet classification Multiple 20Gbps Layer 2-7 flow classification Detection Engines DAQ traffic NetMods {1..7} 20 Gbps Load 2 x 40 microcores, each @ 1,800 instructions/packet @ 30 million pps Decode Pre-process Analysis Output {1..n} modular network interfaces x 28 Cluster NetMod to stacked device 21

FirePOWER Architecture V5.X 22

Life of a Flow Hardware processing Initial processing IP Blacklist (Security Intelligence) Flows that are blocked/trusted via AC rules Network Layer Processing IP Defrag Frag, Stream, Rate Based Attack Application Identification AC Rule Evaluation Network Discovery IPS & File Processing 23

Life of a Flow Hardware Processing Look for flow in flow state table Create if not there If flow has disposition of Block or Trust, take immediate action Evaluate hardware rules If block or trust, mark entry in flow state table Take action on rule If inspect Store information about AC rule and Start Inspection 24

Life of a Flow Initial processing Packet decoding IP Blacklist (Security Intelligence) immediately mark flow as blocked, update hardware flow state monitor - mark flow, log later Network Layer Processing IP Defragmentation/Connection Tracking/TCP Stream reassembly Connection tracking by IPs, Ports, VLAN, IP Protocol, MPLS Label, In/Out zones unique ID Application Identification When needed for AC rules 25

Life of a Flow AC Rule evaluation Can match Zones, VLAN, IPs, Ports & User/Group based on packet header Need App ID for matching Applications and URLs Packets continue to flow until Application is identified and the rule criteria can be matched or considered a non-match If Application not yet determined, IPS policy from Default is used ( No Rules Active if that is Block or Trust) If action of block/trust Immediately mark flow, update hardware flow state If action of allow Select IPS policy? Select File policy? 26

Life of a Flow Network Discovery Only if within Networks Discovery Policy Hosts, users, applications App ID Leverage information from earlier if done for AC rule Network Map Events 27

Life of a Flow IPS IPS Event logging for Decode/Frag/Stream events May block flow at this point Application Preprocessors HTTP Inspect, FTP/Telnet, SMTP, POP, IMAP, DCE/RPC, DNS, DNP3, Modbus, GTP, SSH, SSL IPS Rules Leverage Application Protocol ID to select rules IPS Events if block, mark flow as blocked, update hardware flow state 28

Life of a Flow File Processing Leverage HTTP, SMTP, POP, IMAP, FTP preprocessors File type ID Usually within first part of the file Malware signature calculation & lookup Requires entire file Blocking & Logging of File events 29

FireSight - Context

Got a lot of Data? Well what was the question? 31

Why is Context Important? Event: Attempted Privilege Gain Target: 96.16.242.135 (vulnerable) Host OS: Blackberry Apps: Mail, Browswer, Twitter Location: Whitehouse, US User ID: bobama Full Name: Barack Obama Department: Executive Office Event: Attempted Privilege Gain Target: 96.16.242.135 (vulnerable) Host OS: Blackberry Apps: Mail, Browser, Twitter Location: Whitehouse, US Event: Attempted Privilege Gain Target: 96.16.242.135 32

Dashboard - Context Browse all application traffic Look for risky applications What else have these users been up to? On what operating systems? What does their traffic look like over time? 33

FireSIGHT - CONTEXT Who is at the host What other systems / IPs did user have, when? OS & version Identified Server applications and version Client Applications Client Version Application 34

Context - Geolocation Visualise and map countries, cities of hosts, events 35

Network AMP - Context The time of entry 36

Advanced Malware Protection - AMP

AMP - Overview Complete advanced malware protection suite to protect networks and devices Dedicated Advanced Malware Protection (AMP) appliance Advanced Malware Protection Subscription for FirePOWER appliances Advanced malware protection for hosts virtual and mobile devices 38

AMP - Overview Defence Centre Event Stream Fingerprint Advanced Malware Protection Malware detection of files across the wire In-line Retrospective Security for continuous analysis and detection including retrospective alerts Security Intelligence for outbound / C&C Retrospective Security Continuous File Analytics Reputation Determination Event Stream Control: FireAMP Connectors (Client/Mobile/Virtual) Provide: Enhanced Intelligence Cleanup Capabilities 39

AMP Device trajectory 40

AMP Context Threat Root Cause 41

AMP Context Explorer Details 42

AMP Context IOC s Indicators of Compromise Monitor and Analyse files potential Malware traits Monitors the now & retrospectively convicts files Filters and sorts the most important events Tells the analyst what is happening to reduce TCO Quick links to trajectory Search for SHA s (fingerprints, list all computers that have the file 43

BEFORE DURING AFTER See it, Control it Intelligent & Context Aware Retrospective Security Vulnerability Management Custom Detection Full Packet Capture NAC Incident Response Network Access/Data Capture Visualisation SIEM FireSIGHT Management Centre Sourcefire STP Program API Framework 44

Deployment Scenarios / Considerations

Deployment Scenarios / Usage NGIPS / NGFW Data Centre GW Partner Networks / OGO s Branch Office Links ISP feeds DMZs Segregated PCI LAN Out of band management LAN VLAN s Internal (Core) LAN Critical Infrastructure LAN Traditional IDS / IPS Malware Detection Data Exfiltration (insider threat) Bandwidth Hogs Improper use of Corporate systems (Websites / BitTorrent) Compliance PII / PCI data breaches Application usage / control and adherence to policies BYOD Due Diligence 46

Deployment Scenarios / Usage Virtual Partner Networks / OGO s Branch Office Links DMZs Segregated PCI LAN Out of band management LAN VLAN s Internal (Core) LAN Critical Infrastructure LAN Deployed Infrastructure (Defence) Cloud Services Traditional IDS / IPS Malware Detection Data Exfiltration (insider threat) Bandwidth Hogs Improper use of Corporate systems (Websites / BitTorrent) Compliance PII / PCI data breaches Application usage / control and adherence to policies BYOD Due Diligence Resilience! 47

Q & A

Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2014 Polo Shirt! Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile Visit any Cisco Live Internet Station located throughout the venue Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.ciscoliveapac.com 49

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback