Deploying Intrusion Prevention Systems


Deploying Intrusion Prevention Systems
Gary Halleen, Consulting Systems Engineer II

Agenda
1. Introductions
2. Introduction to IPS
3. Comparing Cisco IPS Solutions
4. IPS Deployment Considerations
5. Migration from IPS 7.x to Sourcefire NGIPS
6. Conclusion

Goal of this Session
1. Understand Cisco's IDS/IPS portfolio, including the new additions from Sourcefire.
2. Understand the options for deploying an IPS solution.
3. Understand the options for high availability.
4. Understand the strategy for migrating an IPS solution.

Introduction to IPS

What is IPS?

Intrusion Detection System (IDS): the sensing interface receives copies of network traffic from a SPAN port, hub, tap, or VACL capture. The sensor does not sit in the flow of traffic, its sensing interface has no IP address, and its only direct response is an alert.

Intrusion Prevention System (IPS): the sensor sits in the traffic path and can both alert and drop (block) traffic when desired. Inline interfaces do not have IP addresses: the IPS operates at Layer 2 and can be thought of as a smart wire.

Integrated IPS or IDS (ASA module): traffic is passed, via the ASA backplane, to the sensor as IDS, IPS, or both. The ASA may be in routed or transparent mode.

Cisco IPS Solutions: Cisco acquired Sourcefire in October 2013 and is committed to maintaining and contributing to the Sourcefire open-source projects.

Cisco IPS Solutions
o Cisco IPS 7.x: the traditional IPS solution. Supported on the IPS 4200, 4300 and 4500-series appliances, as well as the ASA IPS modules. Cisco anticipates that many Cisco IPS 7 customers will want to migrate to Sourcefire to take advantage of its next-generation features.
o Cisco Sourcefire IPS: next-generation IPS, firewall, and anti-malware solution. Supported on the Sourcefire 7000 and 8000-series appliances, and in VMware ESX.

Next-Generation Security: What does Next-Gen mean? Traditional security appliances rely on the 5-tuple to classify a flow, its source and its destination: (source address, destination address, source port, destination port, protocol). Next-generation security appliances, like Sourcefire FirePOWER, enhance traditional security by combining the 5-tuple with much more context, such as:
o User identity
o Application protocol
o Client application
o Operating system
o Geographic location of the source or destination
o URL category


Comparing Cisco s IPS Solutions

Hardware

Performance, Scalability, Adaptivity: Cisco IPS 7.x dedicated IPS family (positioned from branch office through Internet edge and campus to data center)
o IPS 4345: 750 Mbps
o IPS 4360: 1.25 Gbps
o IPS 4500-series: 3 to 5 Gbps
o IPS 4520-XL: 10 Gbps

Performance, Scalability, Adaptivity: Cisco IPS 7.x integrated IPS family (positioned from SOHO and branch office through Internet edge and campus to data center)
o ASA5512-X IPS: 250 Mbps
o ASA5515-X IPS / ASA5525-X IPS: 400 to 600 Mbps
o ASA5545-X IPS / ASA5555-X IPS: 900 Mbps to 1.3 Gbps
o ASA5585-X SSP-10 / SSP-20: 2 to 3 Gbps
o ASA5585-X SSP-40 / SSP-60: 5 to 10 Gbps

Next-Generation Security! Sourcefire appliance family (positioned from branch office through Internet edge and campus to data center)
o 7000-series: 50 to 250 Mbps
o 7100-series: 500 Mbps to 2 Gbps
o 8100-series: 2 to 12 Gbps
o 8200 and 8300-series: 10 to 60 Gbps

FirePOWER 8200/8300: single-pass, high-performance, low-latency
o Flexible in software: NGIPS, NGFW, AMP, or all of the above (just size appropriately)
o Flexible in hardware: modular, with interface options including 10GE and 40GE
o High performance: 10 Gbps with the 8250, 15 Gbps with the 8350
o Cost effective
o Rated best in class by NSS Labs for IPS, for NGFW, and for breach detection

FirePOWER 8200/8300 stacking: single-pass, high-performance, low-latency
o 8200-series: 8250 = 10 Gbps; 2x 8250 = 8260 = 20 Gbps; 3x 8250 = 8270 = 30 Gbps; 4x 8250 = 8290 = 40 Gbps
o 8300-series: 8350 = 15 Gbps; 2x 8350 = 8360 = 30 Gbps; 3x 8350 = 8370 = 45 Gbps; 4x 8350 = 8390 = 60 Gbps

Sourcefire: Virtual Appliance (VMware ESX). Virtual appliance performance is entirely dependent on the CPU resources and RAM allocated to it in VMware. The performance range is typically between 250 Mbps and 2 Gbps.

Cisco IPS Platform Features

Feature             IPS-4200*  IPS-4300  IPS-4500
1GE Interfaces      YES        YES       YES
10GE Interfaces     NO         NO        YES
40GE Interfaces     NO         NO        NO
SFP Ports           NO         NO        YES
Hardware Bypass     NO         YES       NO
Software Bypass     YES        YES       YES
Hardware Fast Pass  NO         NO        NO
L3 Mode             NO         NO        NO

* The IPS-4200 series is End of Sale

Sourcefire IPS Platform Features

Feature             Virtual  7000  7100   8100   8200+
1GE Interfaces      -        YES   YES    YES    YES
10GE Interfaces     -        NO    NO     YES    YES
40GE Interfaces     -        NO    NO     NO     YES
SFP Ports           -        NO    YES*   YES**  YES**
Hardware Bypass     -        YES   YES    YES    YES
Software Bypass     YES      YES   YES    YES    YES
Hardware Fast Pass  -        NO    NO     YES    YES
L3 Mode             NO       YES   YES    YES    YES

* 7115, 7125, and 7150 models only
** Fiber-to-SFP transceiver
- The slide gives no value for the virtual appliance in these rows (physical interface and bypass features do not apply to a VM)

Management

IPS Management Comparison: Cisco IPS 7.x, Cisco Security Manager (CSM) for enterprise management. Features and limitations:
o Client/server Windows application
o Java application
o Supports out-of-band change detection
o Manages, monitors, and reports for hundreds of sensors

IPS Management Comparison: Cisco IPS 7.x, IPS Manager Express (IME) for individual or small-network management. Features and limitations:
o Windows desktop application
o Written in Java
o Functional for small deployments only

IPS Management Comparison: Sourcefire 5.3, Defense Center for all deployment sizes. Features and limitations:
o HTML5 application
o FireSIGHT provides network visibility and contextual information
o eStreamer support for 3rd-party integration
o Available as a hardware appliance or VM (ESX)
o Manages up to 150 Sourcefire sensors
o Also manages the next-gen firewall features

Sourcefire Defense Center GUI Walkthrough


Software

Software Feature Comparison

Feature                                          IPS 7.x  SF 5.3
Open IPS Signatures or Rules                     YES      YES
Passive OS Fingerprinting                        YES      YES
User Identity Reporting within Events            NO       YES
Integrated Firewalling Capability                NO       YES
Application Control                              Limited  YES
Visibility and Control of Client Applications    NO       YES
Geo-Location Reporting and Policies              NO       YES
3rd-Party API                                    NO       YES
URL Filtering Capability                         NO       YES

Cisco IPS 7.x Risk Rating

RR = (ASR x TVR x SFR) / 10,000 + ARR - PD + GC

o Alert Severity Rating (ASR): Informational = 25, Low = 50, Medium = 75, High = 100
o Target Value Rating (TVR): Low = 75, Medium = 100, High = 150, Mission Critical = 200
o Signature Fidelity Rating (SFR): given by Cisco per signature
o Attack Relevancy Rating (ARR): if relevant, add 10; if irrelevant, subtract 10
o Promiscuous Delta (PD): between 0 and 30, subtracted only in promiscuous mode
o Global Correlation (GC): depends on the attacker's reputation

Risk Rating and IPS Policy

The Risk Rating combines:
o Event severity: how urgent is the threat?
o Signature fidelity: how prone is the signature to false positives?
o Attack relevancy: is the attack relevant to the target?
o Asset value of the target: how critical is this destination host?
o Global correlation: what is the attacker's reputation?

The IPS policy maps the Risk Rating to an action:
o RR > 90: Deny Packet Inline
o 35 < RR < 90: Verbose Alert
o RR < 34: Default Action
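The two slides above, worked through in code. This is an added example, not code from the slides or from Cisco: it computes the Risk Rating from the slide's constants and formula and maps it to the slide's policy actions. The things the slides leave unstated are assumptions here: the rating is rounded and clamped to 0..100, the undefined boundaries (34/35 and 90) are treated as "above 90 denies, 35 through 90 alerts verbosely, below 35 takes the default action", and the Global Correlation adjustment is handed in by the caller rather than looked up from a reputation feed.

```python
"""Cisco IPS 7.x Risk Rating (RR) and the policy action it drives.

Added example; not code from the slides or from Cisco.  Constants and the
formula are the ones on the slide:

    RR = (ASR * TVR * SFR) / 10,000 + ARR - PD + GC

Assumed: RR is rounded and clamped to 0..100, and the policy thresholds are
"RR > 90 deny, 35 <= RR <= 90 verbose alert, otherwise default".
"""

# Alert Severity Rating (ASR), from the signature's severity.
ALERT_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating (TVR), configured per asset or network.
TARGET_VALUE = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}


def risk_rating(severity, target_value, fidelity, *, mode="inline",
                relevant=None, promiscuous_delta=0, global_correlation=0):
    """Return the integer RR (0..100) for one alert.

    severity           : key of ALERT_SEVERITY
    target_value       : key of TARGET_VALUE
    fidelity           : Signature Fidelity Rating (SFR), 0..100, given by Cisco per signature
    mode               : "inline" or "promiscuous"; the Promiscuous Delta applies only in promiscuous mode
    relevant           : True (+10), False (-10) or None (relevancy unknown, 0)
    promiscuous_delta  : 0..30, how much less certain a promiscuous sensor is
    global_correlation : reputation adjustment from Global Correlation (assumed supplied by the caller)
    """
    asr = ALERT_SEVERITY[severity]
    tvr = TARGET_VALUE[target_value]
    if not 0 <= fidelity <= 100:
        raise ValueError("SFR must be 0..100")
    if not 0 <= promiscuous_delta <= 30:
        raise ValueError("Promiscuous Delta must be 0..30")
    if mode not in ("inline", "promiscuous"):
        raise ValueError("mode must be inline or promiscuous")

    base = asr * tvr * fidelity / 10_000
    arr = 0 if relevant is None else (10 if relevant else -10)
    pd = promiscuous_delta if mode == "promiscuous" else 0
    rr = base + arr - pd + global_correlation
    return int(max(0, min(100, round(rr))))   # assumed clamp to the documented 0..100 range


def policy_action(rr):
    """Map an RR to the event-action override from the slide."""
    if rr > 90:
        return "deny-packet-inline"
    if rr >= 35:
        return "verbose-alert"
    return "default"


def classify(severity, target_value, fidelity, **kwargs):
    """Convenience wrapper: (RR, action) for one alert."""
    rr = risk_rating(severity, target_value, fidelity, **kwargs)
    return rr, policy_action(rr)


if __name__ == "__main__":
    # A high-severity, high-fidelity signature against a mission-critical host
    # saturates the rating, so an inline sensor drops the packet.
    print(classify("high", "mission-critical", 100))
    # The same medium alert is 70 inline but only 40 on a promiscuous sensor
    # carrying the maximum delta: a promiscuous sensor is trusted less.
    print(classify("medium", "medium", 80, relevant=True))
    print(classify("medium", "medium", 80, mode="promiscuous", relevant=True, promiscuous_delta=30))
```

Note the interaction with the migration discussion later in the deck: a sensor that is run in promiscuous (audit) mode first will report systematically lower ratings for the same alerts than it will once it is inline, so thresholds tuned in audit mode need a second look after the cut-over.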

Sourcefire Priority Levels. Priority level: how dangerous is the attack?

Sourcefire Impact Levels. Impact level: are my hosts VULNERABLE to the attack?

Sourcefire Impact Levels

Level  Vulnerable?             Definition
0      Unknown                 Neither the source nor the destination host exists on a network monitored by network discovery.
1      Vulnerable              Either the source or the destination is vulnerable to the attack, or a host is compromised by malware.
2      Potentially Vulnerable  Either the source or the destination is running the port or protocol used in the attack.
3      Not Vulnerable          The port or protocol used in the attack is not running on the host.
4      Unknown                 The host is on a monitored network, but does not appear to exist in the network map.

Sourcefire: Priority Levels and Impacts (search view)

Indicators of Compromise

Sourcefire IOC: Indicators of Compromise (new in SF 5.3). Wouldn't it be nice if your IPS console could tell you whether a host appears to be compromised? For example:
o Has the host connected to an exploit kit?
o Has the host been involved in an Impact 1 event?
o Has the host downloaded malware?
o Did the malware execute?
o Has the host connected to a CnC (command-and-control) server?

Sourcefire IOC Configurable Settings

IOC Dashboard Widget: because IOCs give a quick way of classifying a host's potentially-compromised state, having this data on a dashboard is desirable. The widget lists each host with the number of IOCs set against it, and can be clicked to expand.
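The impact-level table and the IOC questions above, modelled in one place. This is an added example, not Sourcefire or Cisco code: it scores intrusion events against a hypothetical network-discovery host map using the slide's five impact definitions, then folds Impact 1 events, exploit-kit and CnC connections, malware downloads and malware executions into per-host IOC tags, and reduces those to the per-host count the dashboard widget shows. The monitored network, host entries, vulnerability identifiers, addresses and events are all constructed sample data; the event model is a simplification of what the Defense Center actually stores.

```python
"""Sourcefire-style impact levels and indicator-of-compromise (IOC) tags.

Added example; not Sourcefire/Cisco code.  Impact levels follow the slide's
definitions; IOC tags follow the slide's list of IOC questions.  All hosts,
addresses, vulnerability IDs and events are constructed sample data.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical: the address space network discovery is configured to monitor.
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Host:
    """One entry in the network map built by network discovery."""
    ip: str
    services: set = field(default_factory=set)   # {(protocol, port), ...} seen running
    vulns: set = field(default_factory=set)      # vulnerability IDs mapped to the host
    malware: bool = False                        # already flagged as compromised by malware


@dataclass
class Event:
    """Simplified Defense Center event; kind is intrusion | connection | file | malware-exec."""
    kind: str
    src: str                                     # sending / connecting host
    dst: str                                     # receiving / target host
    protocol: str = ""
    port: int = 0
    vuln_ids: set = field(default_factory=set)   # intrusion: vulnerabilities the rule targets
    category: str = ""                           # intrusion: rule category; connection: SI category
    disposition: str = ""                        # file: AMP disposition


def is_monitored(ip):
    return any(ipaddress.ip_address(ip) in net for net in MONITORED_NETWORKS)


def impact_level(ev, hosts):
    """Impact level 0..4 for an intrusion event, per the slide's definitions."""
    if not (is_monitored(ev.src) or is_monitored(ev.dst)):
        return 0                      # neither host is on a monitored network
    known = [hosts[ip] for ip in (ev.src, ev.dst) if ip in hosts]
    if not known:
        return 4                      # monitored network, but the host is not in the map
    if any(h.malware or (h.vulns & ev.vuln_ids) for h in known):
        return 1                      # vulnerable, or already compromised by malware
    if any((ev.protocol, ev.port) in h.services for h in known):
        return 2                      # runs the attacked port/protocol; vulnerability unknown
    return 3                          # the attacked port/protocol is not running on the host


def ioc_tags(events, hosts):
    """Per-host IOC tags, one per IOC question on the slide."""
    tags = defaultdict(set)
    for ev in events:
        if ev.kind == "intrusion":
            if impact_level(ev, hosts) == 1:
                for ip in (ev.src, ev.dst):
                    if ip in hosts:
                        tags[ip].add("impact-1 intrusion")
            if ev.category == "exploit-kit" and ev.src in hosts:
                tags[ev.src].add("connected to exploit kit")
        elif ev.kind == "connection" and ev.category == "cnc" and ev.src in hosts:
            tags[ev.src].add("connected to CnC server")
        elif ev.kind == "file" and ev.disposition == "malware" and ev.dst in hosts:
            tags[ev.dst].add("downloaded malware")       # dst is the receiving host
        elif ev.kind == "malware-exec" and ev.src in hosts:
            tags[ev.src].add("malware executed")
    return dict(tags)


def ioc_widget(events, hosts):
    """(host, number of IOCs) rows, most-compromised first, like the dashboard widget."""
    return sorted(((ip, len(t)) for ip, t in ioc_tags(events, hosts).items()),
                  key=lambda row: (-row[1], row[0]))


# Constructed sample data: two internal hosts and a handful of events.
HOSTS = {
    "10.1.1.10": Host("10.1.1.10", services={("tcp", 445)}, vulns={"vdb-1001"}),
    "10.1.1.20": Host("10.1.1.20", services={("tcp", 80)}),
}
EVENTS = [
    Event("intrusion", "203.0.113.5", "10.1.1.10", "tcp", 445, vuln_ids={"vdb-1001"}),  # impact 1
    Event("intrusion", "203.0.113.5", "10.1.1.20", "tcp", 80, vuln_ids={"vdb-2002"}),   # impact 2
    Event("intrusion", "203.0.113.5", "10.1.1.20", "udp", 53, vuln_ids={"vdb-3003"}),   # impact 3
    Event("intrusion", "203.0.113.5", "10.1.1.99", "tcp", 22),                          # impact 4
    Event("intrusion", "203.0.113.5", "198.51.100.7", "tcp", 22),                       # impact 0
    Event("intrusion", "10.1.1.20", "198.51.100.9", "tcp", 80, category="exploit-kit"),
    Event("connection", "10.1.1.20", "198.51.100.9", "tcp", 443, category="cnc"),
    Event("file", "198.51.100.9", "10.1.1.20", "tcp", 443, disposition="malware"),
]

if __name__ == "__main__":
    for ev in EVENTS[:5]:
        print(ev.src, "->", ev.dst, "impact", impact_level(ev, HOSTS))
    print(ioc_widget(EVENTS, HOSTS))
```

The point a practitioner should take from running it: the same signature firing against the same port produces impact 1, 2 or 3 depending only on what network discovery knows about the target, so the host map (and the vulnerability feed behind it) is what makes the impact flag and the IOC count trustworthy; a host that never got discovered is reported as impact 4 and never collects an IOC.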

IOC Host Profile View


IPS Deployment Considerations

Connectivity

Connectivity: How should the sensor be connected?
o Promiscuous mode (IDS): promiscuous interface
o Inline mode (IPS): inline interface pairs, or inline VLAN pairs
o Integrated IPS/IDS (ASA module): inline or promiscuous

Connectivity: Promiscuous Interface
o Only copies of the packets are sent to the sensor
o Mostly detection, limited protection
o Optional prevention through external blocking
o A separate device must send the copies of the packets: a SPAN (or monitor) session from a switch, a VACL capture from a switch, or network taps
(Figure: an Ethernet switch whose SPAN destination port or VACL capture feeds the sensor's promiscuous interface)
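The switch side of the promiscuous case, as an added example that is not on the slides: a local SPAN session on a Cisco IOS Catalyst switch that copies both directions of an uplink to the port the sensor's sensing interface is cabled to. The interface names and the VLAN number are assumptions.

```cisco
! Copy both directions of the uplink (Gi1/0/1, assumed) to the port the
! IDS sensing interface is cabled to (Gi1/0/24, assumed).
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
!
! Alternatively mirror a whole VLAN (VLAN 10, assumed) instead of one port:
! monitor session 1 source vlan 10
!
! Verify that the session is active with the expected source and destination.
show monitor session 1
```

Two checks worth making before trusting the alerts. A SPAN destination port does not forward normal traffic and the sensing interface behind it needs no IP address, which matches the "no IP address" point above; but mirroring both directions of a 1GE link can deliver up to 2 Gbps to a 1GE destination, and the switch silently drops whatever does not fit, so the sensor cannot alert on packets it never received. When that loss is unacceptable, use a tap rather than SPAN.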

Connectivity: Inline Interface Pairs
o Two physical interfaces paired together
o Multiple pairs can be configured on the same sensor
o The IPS sits between two access ports on the same switch, or between two different switches
o Traffic passes through the sensor: pass good traffic, block bad
o Redundancy can be provided with STP or an additional sensor
o Fail-open can be provided with hardware-bypass interfaces
o Transparent interfaces: the sensor is a Layer 2 bridge

Connectivity: Inline Routed Interfaces (Sourcefire)
o Two or more physical or VLAN interfaces defined as routable interfaces
o Traffic passes through the sensor: pass good traffic, drop bad
o Redundancy can be provided through SFRP to a standby sensor
o Fail-open is NOT supported with hardware-bypass interfaces in routed mode
o Routed interfaces are most commonly used in an NGFW deployment
o The sensor is a Layer 3 router

Connectivity: Inline VLAN Pairs (Cisco IPS 7.x)
o The IPS sits on a trunk between two VLANs on the switch (e.g. HostA in VLAN10 and HostB in VLAN20)
o Traffic passes through the IPS and is inspected, then retagged (the sensor rewrites the 802.1Q header) or dropped
o Supported with ECLB (EtherChannel load-balancing) high-availability deployments
o Redundancy can be provided with STP deployments
o Fail-open can be provided with a redundant wire

Connectivity: Switched Deployment Mode (Sourcefire)
o A virtual switch is defined within the sensor
o Two or more physical interfaces or VLANs are assigned to the virtual switch
o Traffic passes through the IPS and is inspected (e.g. between HostA in VLAN10 and HostB in VLAN20)
o Redundancy can be provided with STP deployments
o Fail-open can be provided with a redundant wire

Connectivity: Relationship to the Firewall
o Dedicated IPS behind the firewall
o Dedicated IPS in front of the firewall
o Integrated IPS inside the firewall

Connectivity: Dedicated IPS Behind the Firewall (between the firewall and the intranet)
+ Most organizations place the IPS behind the firewall
+ The firewall blocks all inbound traffic unless it is addressed to a server or is a response to an earlier request
- The IPS's visibility is limited to what the firewall allows in
+ Best-of-breed functionality

Connectivity: Dedicated IPS In Front of the Firewall (between the Internet and the firewall)
+ Provides better visibility into attacks from the Internet
- Increases noise
- The IPS handles more state and may become a bottleneck during a DDoS attack

Connectivity: Integrated IPS inside the Firewall
+ Placing the IPS inside the firewall provides all the benefits of the ASA plus full IPS functionality
+ Flexible IPS/IDS policy selection based on 5-tuple, user ID, or SXP
+ The ASA provides traffic symmetry, normalization, resiliency (failover) and scaling (clustering) to the IPS
+ IPS inspection of traffic from VPN tunnels terminated on the ASA

Performance

Performance
o Interface types and speeds: 1GE, 10GE, or 40GE? Fiber or copper?
o Connections: interface speed is important, but traffic type is more important. How many CONNECTIONS do you need to support?

Fixed Interface Models (not all models are listed)

Model        Firewall (w/o inspection)  IPS        Connections  CPS      Size (RU)
3D7030       500 Mbps                   250 Mbps   500,000      5,000    1
IPS-4345     -                          750 Mbps   750,000      30,000   1
3D7115       1.5 Gbps                   750 Mbps   1,500,000    27,500   1
IPS-4360     -                          1.25 Gbps  1,700,000    45,000   1
3D7125       2.5 Gbps                   1.25 Gbps  2,500,000    42,500   1
AMP-7150*    500 Mbps*                  500 Mbps*  2,500,000    42,500   1
IPS-4510     -                          3 Gbps     3,800,000    72,000   2
IPS-4520     -                          5 Gbps     8,400,000    100,000  2
IPS-4520-XL  -                          10 Gbps    16,800,000   200,000  2

* AMP appliances are sized with ALL features enabled
- Cisco IPS 7.x appliances have no firewall function

Modular Models (not all models are listed)

Model    Firewall (w/o inspection)  IPS       Connections  CPS      Size (RU)
3D8120   4 Gbps                     2 Gbps    3,000,000    45,000   1
3D8150*  2 Gbps*                    2 Gbps*   3,000,000    45,000   1
3D8130   8 Gbps                     4 Gbps    4,500,000    70,000   1
3D8140   10 Gbps                    6 Gbps    7,000,000    100,000  1
3D8250   20 Gbps                    10 Gbps   12,000,000   180,000  2
3D8350   30 Gbps                    15 Gbps   12,000,000   180,000  2
3D8360   60 Gbps                    30 Gbps   24,000,000   360,000  4
3D8370   90 Gbps                    45 Gbps   36,000,000   540,000  6
3D8390   120 Gbps                   60 Gbps   48,000,000   720,000  8

* AMP appliances are sized with ALL features enabled

Availability

Availability: What should happen if the IPS fails?

Network availability (traffic keeps flowing):
o Integrated ASA+IPS: ASA/IPS fail-open
o IDS appliance: N/A (out of the traffic path)
o IPS appliance: software bypass; hardware bypass; STP and a redundant cable

Security availability (inspection keeps running):
o Integrated ASA+IPS: ASA failover
o IDS appliance: multiple IDS connected to multiple monitor ports
o IPS appliance: STP and a redundant sensor; port-channel with 2 or more sensors; IPS clustering (Sourcefire)

Availability: What is Sourcefire's Clustering?
o Interface pairing (inline deployment redundancy): traffic passes through either sensor. Mid-session pickup allows established flows to pass. Spanning-Tree typically places one path in blocking state.
o VLAN pairing (switched deployment redundancy): Spanning-Tree Protocol is used to determine redundancy.
o Layer 3 mode (routed deployment redundancy): SFRP (similar to VRRP) creates an Active/Passive deployment.
o IDS mode (passive deployment redundancy): the same as having multiple standalone IDS appliances, except that duplicate events are suppressed.

Availability: Sensors with Spanning-Tree Protocol
o Sensors sit between two Ethernet switches, or between two VLANs on the same switch
o STP determines the forwarding/blocking path
o Configure software bypass to off when the requirement is "always inspect", so a failed sensor does not pass traffic uninspected
o A sensor failure causes STP to place the other sensor's path in forwarding state
o UDLD is supported for failure detection

Availability: ASA Failover
o Active/Active, Active/Standby, and Clustering
o The ASA synchronizes the connection table
o The ASA configuration is automatically synchronized
o IPS configuration is synchronized using a CSM policy bundle (Cisco IPS 7.x) or through the Sourcefire Defense Center


Migrating from Cisco IPS 7 to Sourcefire: Before the Migration. Think about the existing deployment:
o Speed and latency needs?
o Interface needs?
o Have HA needs been considered?
o Have you backed up any custom IPS signatures?
o Which migration strategy makes sense for your organization?

Migrating from Cisco IPS 7 to Sourcefire: Migration Strategies, based on Risk Assessment
1. Cut over to inline IPS mode. Replace Cisco IPS 7 with Sourcefire in IPS mode. Monitor closely, and adjust the policy. The most risky option for legitimate traffic.
2. Cut over to inline audit mode. Replace Cisco IPS 7 with Sourcefire in audit mode. Monitor traffic and alerts, and then put the sensor in IPS mode. The most risky option against malicious traffic and for compliance.
3. Run both temporarily. Install Sourcefire in IDS mode, connected to a SPAN port or another method of capturing network traffic. Sourcefire should be placed on the UNTRUSTED side of the Cisco IPS sensor, while leaving Cisco IPS in place. Monitor the sensor and adjust the policy accordingly. When the sensor is tuned, complete the migration with either option 1 or 2 above. This is the best option for most organizations.

Migrating from Cisco IPS 7 to Sourcefire: For most organizations
1. Before migration: running Cisco IPS 7
2. During migration: running both Cisco IPS 7 and Sourcefire
3. After migration: running only Sourcefire


Participate in the My Favorite Speaker Contest. Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress). Send a tweet that includes your favorite speaker's Twitter handle (@GaryHalleen) and the two hashtags #CLUS and #MyFavoriteSpeaker. You can submit an entry for more than one of your favorite speakers. Don't forget to follow @CiscoLive and @CiscoPress. View the official rules at http://bit.ly/cluswin

Complete Your Online Session Evaluation. Give us your feedback and you could win fabulous prizes; winners are announced daily. Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center. Don't forget: Cisco Live sessions will be available for viewing on demand after the event at CiscoLive.com/Online

Continue Your Education
o Demos in the Cisco Campus
o Walk-in self-paced labs
o Table topics
o Meet the Engineer 1:1 meetings