Deploying Intrusion Prevention Systems
Gary Halleen, Consulting Systems Engineer II
Agenda
o Introductions
o Introduction to IPS
o Comparing Cisco IPS Solutions
o IPS Deployment Considerations
o Migration from IPS 7.x to Sourcefire NGIPS
o Conclusion
Goal of this Session
1. Understand Cisco's IDS/IPS portfolio, including new additions from Sourcefire.
2. Understand options around deploying an IPS solution.
3. Understand options for high availability.
4. Understand strategy around migrating an IPS solution.
Introduction to IPS
What is IPS?
Intrusion Detection System (IDS)
The sensing interface receives copies of network traffic from a SPAN port, hub, tap, or VACL capture. It does not sit in the flow of traffic.
(Diagram: Internet to Host, with the sensor off to the side raising an Alert; the sensing interface has no IP address.)
Intrusion Prevention System (IPS)
The sensor sits in the traffic path and has the capability to drop traffic when desired. Inline interfaces do not have IP addresses. IPS operates at Layer 2 and can be thought of as a "smart wire".
(Diagram: Internet to Host through the sensor, which raises an Alert and blocks the traffic.)
Integrated IPS or IDS
Traffic is passed, via the ASA backplane, to the sensor as IDS, IPS, or both.
(Diagram: Internet to Host through an ASA in routed or transparent mode.)
Cisco IPS Solutions
Cisco acquired Sourcefire in October 2013. Cisco is committed to maintaining and contributing to Sourcefire open source projects.
Cisco IPS Solutions
Cisco IPS 7.x
o Traditional IPS solution
o Supported on IPS 4200, 4300, 4500-series appliances, as well as ASA IPS modules
o Cisco anticipates many Cisco IPS 7 customers will want to migrate to Sourcefire in order to take advantage of its Next-Generation features.
Cisco Sourcefire IPS
o Next-Generation IPS, Firewall, and Anti-Malware solution
o Supported on Sourcefire 7000 and 8000-series appliances
o Supported in VMware ESX
Next-Generation Security
What does Next-Gen mean?
Traditional security appliances rely on a 5-tuple of information to determine traffic, source, and destination: (Source Address, Destination Address, Source Port, Destination Port, Protocol).
Next-Generation security appliances, like Sourcefire FirePower, enhance traditional security by combining it with much more information, such as:
o User Identity
o Application Protocol
o Application Client
o Application
o Operating System
o Geographic Location of Source or Destination
o URL Category
Comparing Cisco's IPS Solutions
Hardware
Performance, Scalability, Adaptivity
Cisco IPS 7.x: Dedicated IPS Family (smallest to largest, positioned from Branch Office through Internet Edge and Campus to Data Center)
o IPS 4345: 750 Mbps
o IPS 4360: 1.25 Gbps
o IPS 4500-series: 3 to 5 Gbps
o IPS 4520-XL: 10 Gbps
Performance, Scalability, Adaptivity
Cisco IPS 7.x: Integrated IPS Family (smallest to largest, positioned from SOHO through Branch Office, Internet Edge and Campus to Data Center)
o ASA5512-X IPS: 250 Mbps
o ASA5515-X IPS / ASA5525-X IPS: 400 to 600 Mbps
o ASA5545-X IPS / ASA5555-X IPS: 900 Mbps to 1.3 Gbps
o ASA5585-X SSP-10 / SSP-20: 2 to 3 Gbps
o ASA5585-X SSP-40 / SSP-60: 5 to 10 Gbps
Next-Generation Security!
Sourcefire: Appliance Family (smallest to largest, positioned from Branch Office through Internet Edge and Campus to Data Center)
o 7000-series: 50 to 250 Mbps
o 7100-series: 500 Mbps to 2 Gbps
o 8100-series: 2 to 12 Gbps
o 8200 and 8300-series: 10 to 60 Gbps
FirePower 8200/8300
Single-pass, high-performance, low-latency
o Flexible in Software: NGIPS, NGFW, AMP, or all of the above (just size appropriately)
o Flexible in Hardware: modular for options in interfaces, including 10GE and 40GE
o High-Performance: 10 Gbps with 8250, 15 Gbps with 8350
o Cost Effective
o Best in class for IPS, for NGFW, and for Breach Detection by NSS Labs
FirePower 8200/8300
Single-pass, high-performance, low-latency
8200-series
o 8250: 10 Gbps
o 2x 8250 = 8260: 20 Gbps
o 3x 8250 = 8270: 30 Gbps
o 4x 8250 = 8290: 40 Gbps
8300-series
o 8350: 15 Gbps
o 2x 8350 = 8360: 30 Gbps
o 3x 8350 = 8370: 45 Gbps
o 4x 8350 = 8390: 60 Gbps
Sourcefire: Virtual Appliance (VMware ESX)
Virtual appliance performance is entirely dependent on the CPU resources and RAM allocated to it in VMware. The performance range is typically between 250 Mbps and 2 Gbps.
Cisco IPS Platform Features

Feature             IPS-4200*  IPS-4300  IPS-4500
1GE Interfaces      YES        YES       YES
10GE Interfaces     NO         NO        YES
40GE Interfaces     NO         NO        NO
SFP Ports           NO         NO        YES
Hardware Bypass     NO         YES       NO
Software Bypass     YES        YES       YES
Hardware Fast Pass  NO         NO        NO
L3 Mode             NO         NO        NO

* IPS-4200 series is End of Sale
Sourcefire IPS Platform Features

Feature             Virtual  7000   7100    8100    8200+
1GE Interfaces      -        YES    YES     YES     YES
10GE Interfaces     -        NO     NO      YES     YES
40GE Interfaces     -        NO     NO      NO      YES
SFP Ports           -        NO     YES*    YES**   YES**
Hardware Bypass     -        YES    YES     YES     YES
Software Bypass     YES      YES    YES     YES     YES
Hardware Fast Pass  -        NO     NO      YES     YES
L3 Mode             NO       YES    YES     YES     YES

- = not applicable (blank on the original slide)
* 7115, 7125, and 7150 models only
** Fiber-to-SFP transceiver
Management
IPS Management Comparison: Cisco IPS 7.x
Cisco Security Manager (CSM) for Enterprise Management
Features and Limitations:
o Client/Server Windows application
o Java application
o Supports out-of-band change detection
o Manages, monitors, and reports for hundreds of sensors
IPS Management Comparison: Cisco IPS 7.x
IPS Manager Express (IME) for Individual or Small Network Management
Features and Limitations:
o Windows desktop application
o Written in Java
o Functional for small deployments only
IPS Management Comparison: Sourcefire 5.3
Defense Center for All Deployment Sizes
Features and Limitations:
o HTML5 application
o FireSIGHT provides network visibility and contextual information
o eStreamer support for 3rd-party integration
o Available as hardware appliance or VM (ESX)
o Manages up to 150 Sourcefire sensors
o Also manages Next-Gen Firewall features!
Sourcefire Defense Center GUI Walkthrough
(Screenshots of the Defense Center GUI; no text content.)
Software
Software Feature Comparison

Feature                                        IPS 7.x  SF 5.3
Open IPS Signatures or Rules                   YES      YES
Passive OS Fingerprinting                      YES      YES
User Identity Reporting within Events          NO       YES
Integrated Firewalling Capability              NO       YES
Application Control                            Limited  YES
Visibility and Control of Client Applications  NO       YES
Geo-Location Reporting and Policies            NO       YES
3rd Party API                                  NO       YES
URL Filtering Capability                       NO       YES
Cisco IPS 7.x Risk Rating
RR = (ASR x TVR x SFR) / 10,000 + ARR - PD + GC, where:
o Alert Severity Rating (ASR): Informational = 25, Low = 50, Medium = 75, High = 100
o Target Value Rating (TVR): Low value = 75, Medium = 100, High value = 150, Mission Critical = 200
o Signature Fidelity Rating (SFR): given by Cisco per signature
o Attack Relevancy Rating (ARR): if relevant, add 10; if irrelevant, subtract 10
o Promiscuous Delta (PD): only in promiscuous mode, between 0 and 30
o Global Correlation (GC): depending on the reputation
Risk Rating and IPS Policy
Risk Rating combines:
o Event Severity: how urgent is the threat?
o Signature Fidelity: how prone is the signature to false positives?
o Attack Relevancy: is the attack relevant to the target?
o Asset Value of Target: how critical is this destination host?
o Global Correlation: what is the attacker's reputation?
IPS Policy Action:
o RR > 90: Deny Packet Inline
o 35 < RR < 90: Verbose Alert
o RR < 34: Default Action
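The Risk Rating formula and the policy thresholds from the two slides above, worked through in code. This is an added example, not code from the deck or from Cisco; the component values come from the slides, while clamping RR to 0..100 and the treatment of the boundary values 34, 35 and 90 (which the slide leaves unassigned) are assumptions made here.

```python
# Added example (not from the deck): computes the Cisco IPS 7.x Risk Rating
# from the components the slides list, then maps it to the policy actions on
# the "Risk Rating and IPS Policy" slide. Clamping RR to 0..100 and the way
# the boundary values 34, 35 and 90 (which the slide does not assign) are
# handled are this example's own assumptions.
from typing import Optional, Tuple

# Alert Severity Rating (ASR), fixed per severity (values from the slide)
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating (TVR), the asset value of the destination host
TVR = {"low": 75, "medium": 100, "high": 150, "mission critical": 200}


def risk_rating(severity: str, target_value: str, sfr: int,
                relevant: Optional[bool] = None,
                promiscuous_delta: int = 0,
                global_correlation: int = 0) -> int:
    """RR = (ASR x TVR x SFR) / 10,000 + ARR - PD + GC, clamped to 0..100.

    sfr: Signature Fidelity Rating, 0..100, given by Cisco per signature.
    relevant: Attack Relevancy. True adds 10, False subtracts 10, None adds 0.
    promiscuous_delta: 0..30, applied only when the sensor is promiscuous.
    global_correlation: adjustment derived from the attacker's reputation.
    """
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be between 0 and 100")
    if not 0 <= promiscuous_delta <= 30:
        raise ValueError("promiscuous delta must be between 0 and 30")
    base = ASR[severity] * TVR[target_value] * sfr / 10_000
    if relevant is None:
        arr = 0
    else:
        arr = 10 if relevant else -10
    rr = base + arr - promiscuous_delta + global_correlation
    return max(0, min(100, round(rr)))  # assumption: RR is clamped to 0..100


def policy_action(rr: int) -> str:
    """Map RR to the action on the slide; the boundary handling is an assumption."""
    if rr > 90:
        return "deny packet inline"
    if rr > 35:  # exactly 90 alerts rather than drops
        return "verbose alert"
    return "default action"  # RR <= 35, so 34 and 35 fall here too


def evaluate(**kwargs) -> Tuple[int, str]:
    """Risk rating and resulting action for one event."""
    rr = risk_rating(**kwargs)
    return rr, policy_action(rr)


if __name__ == "__main__":
    # High-severity signature, medium-value target, inline sensor
    print(evaluate(severity="high", target_value="medium", sfr=90, relevant=True))
    # The same event seen promiscuously: the promiscuous delta lowers RR
    print(evaluate(severity="high", target_value="medium", sfr=90,
                   relevant=True, promiscuous_delta=30))
```

The second call shows why the promiscuous delta exists: the same high-fidelity event that would be dropped inline only produces a verbose alert from a promiscuous sensor, which cannot block anyway and is tuned to be less aggressive.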
Sourcefire Priority Levels
Priority Level: how dangerous is the attack?
Sourcefire Impact Levels
Impact Level: are my hosts VULNERABLE to the attack?
Sourcefire Impact Levels

Impact Level  Vulnerable?             Definition
0             Unknown                 Neither the source nor destination host exists on a network monitored by network discovery.
1             Vulnerable              Either the source or destination is vulnerable to the attack, or a host is compromised by malware.
2             Potentially Vulnerable  Either the source or destination is running the port or protocol used in the attack.
3             Not Vulnerable          The port or protocol used in the attack is not running on the host.
4             Unknown                 The host is on a monitored network, but doesn't appear to exist.
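The impact-level table above, applied to a handful of events. This is an added example and not Sourcefire's own code: the monitored range, the host-profile shape (services, known vulnerabilities, malware flag) and every host and event below are constructed here to show how network discovery data turns the same alert into impact 0 through 4.

```python
# Added example (not from the deck): assigns the Sourcefire impact level of
# an intrusion event from what network discovery knows about the hosts
# involved, using the five level definitions on the slide. The monitored
# range, the host-profile shape and every host and event below are
# constructed for this example.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed: the address range network discovery is configured to monitor
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class HostProfile:
    """What discovery has learned about one host that it has actually seen."""
    services: Set[Tuple[str, int]] = field(default_factory=set)  # e.g. ("tcp", 80)
    vulnerabilities: Set[str] = field(default_factory=set)       # vulnerability ids
    malware_compromised: bool = False


@dataclass
class IntrusionEvent:
    src: str
    dst: str
    protocol: str
    port: int
    vulnerability: Optional[str] = None  # vulnerability the matching rule targets


def is_monitored(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_NETWORKS)


def impact_level(event: IntrusionEvent, hosts: Dict[str, HostProfile]) -> int:
    """Return 0..4 following the slide's definitions, most specific first."""
    in_scope = [ip for ip in (event.src, event.dst) if is_monitored(ip)]
    if not in_scope:
        return 0  # neither host on a monitored network: unknown
    known = [hosts[ip] for ip in in_scope if ip in hosts]
    if not known:
        return 4  # monitored network, but discovery never saw the host(s)
    # Impact 1: a host is vulnerable to this attack or already compromised
    for profile in known:
        if profile.malware_compromised:
            return 1
        if event.vulnerability and event.vulnerability in profile.vulnerabilities:
            return 1
    # Impact 2: the attacked port/protocol is running, vulnerability unconfirmed
    if any((event.protocol, event.port) in p.services for p in known):
        return 2
    return 3  # Impact 3: the attacked service is not running on the host


def summarize(events: List[IntrusionEvent], hosts: Dict[str, HostProfile]) -> Dict[int, int]:
    """Count events per impact level, the way an impact-level dashboard would."""
    counts = {level: 0 for level in range(5)}
    for ev in events:
        counts[impact_level(ev, hosts)] += 1
    return counts


# Constructed host map and events (used by the usage below and by the tests)
HOSTS = {
    "10.1.1.10": HostProfile(services={("tcp", 80), ("tcp", 22)},
                             vulnerabilities={"vuln-web-001"}),
    "10.1.1.20": HostProfile(services={("tcp", 443)}),
    "10.1.1.30": HostProfile(services={("tcp", 445)}, malware_compromised=True),
}
EVENTS = [
    IntrusionEvent("203.0.113.5", "10.1.1.10", "tcp", 80, "vuln-web-001"),   # vulnerable: 1
    IntrusionEvent("203.0.113.5", "10.1.1.20", "tcp", 443, "vuln-web-001"),  # service up: 2
    IntrusionEvent("203.0.113.5", "10.1.1.20", "tcp", 80, "vuln-web-001"),   # no service: 3
    IntrusionEvent("203.0.113.5", "198.51.100.7", "tcp", 80),                # unmonitored: 0
    IntrusionEvent("203.0.113.5", "10.1.1.99", "tcp", 80),                   # never seen: 4
    IntrusionEvent("10.1.1.30", "203.0.113.9", "tcp", 6667),                 # compromised src: 1
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.src, "->", ev.dst, "impact", impact_level(ev, HOSTS))
    print(summarize(EVENTS, HOSTS))
```

The second and third events carry the same rule against the same host and differ only in whether the attacked service is actually listening; that is exactly the distinction between impact 2 and impact 3 that an analyst uses to decide what to look at first.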
Sourcefire Search: Levels and Impacts
Indicators of Compromise
Sourcefire IOC
Indicators of Compromise: new to SF 5.3
Wouldn't it be nice if your IPS console could tell you if you appeared to have a compromised host? For example:
o Has the host connected to an exploit kit?
o Has the host been involved in an Impact 1 event?
o Has the host downloaded malware?
o Did the malware execute?
o Has the host connected to a CnC server?
Sourcefire IOC Configurable Settings
IOC Dashboard Widget
Because IOCs enable a quick way of classifying a host's potentially compromised state, having this data on a dashboard is desirable.
(Widget columns: Host, Number of IOCs set against the host; click to expand.)
IOC Host Profile View
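The IOC questions from the "Sourcefire IOC" slide and the per-host count from the dashboard widget, as an added example that is not Sourcefire's code or event schema. The event categories, which end of an event receives the tag, the rule that only hosts in the monitored range carry indicators, and the sample events are all constructed here.

```python
# Added example (not from the deck): tags hosts with indicators of compromise
# from a stream of events, using the five IOC questions on the slide, and
# computes the per-host IOC count the dashboard widget displays. The event
# categories, which side of an event receives the tag, the monitored range
# and the sample events are constructed and are not Sourcefire's schema.
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed

# category -> (IOC tag, which end of the event is the host being tagged)
IOC_RULES = {
    "exploit_kit_connection": ("connected to an exploit kit", "src"),
    "impact1_intrusion":      ("target of an Impact 1 event", "dst"),
    "malware_download":       ("downloaded malware", "dst"),
    "malware_executed":       ("malware executed", "dst"),  # endpoint event: src == dst
    "cnc_connection":         ("connected to a CnC server", "src"),
}


def is_monitored(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_NETWORKS)


def ioc_tags(events: List[dict]) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {host: {tag: (first_seen, last_seen)}} for monitored hosts only.

    A tag is set once per host no matter how often its event repeats; repeats
    only move last_seen forward, which is what the host profile view shows.
    """
    tags: Dict[str, Dict[str, Tuple[str, str]]] = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        rule = IOC_RULES.get(ev["category"])
        if rule is None:
            continue  # ordinary event, sets no indicator
        tag, side = rule
        host = ev[side]
        if not is_monitored(host):
            continue  # assumption: only hosts in the network map carry IOCs
        first, _ = tags[host].get(tag, (ev["ts"], ev["ts"]))
        tags[host][tag] = (first, ev["ts"])
    return dict(tags)


def ioc_widget(events: List[dict]) -> List[Tuple[str, int]]:
    """[(host, number_of_iocs)] with the most-indicated hosts first."""
    return sorted(((host, len(t)) for host, t in ioc_tags(events).items()),
                  key=lambda item: (-item[1], item[0]))


EVENTS = [  # constructed sample stream: one infection chain plus unrelated noise
    {"ts": "2014-05-20T09:01:00", "category": "exploit_kit_connection", "src": "10.1.1.30", "dst": "203.0.113.50"},
    {"ts": "2014-05-20T09:01:05", "category": "malware_download", "src": "203.0.113.50", "dst": "10.1.1.30"},
    {"ts": "2014-05-20T09:02:10", "category": "malware_executed", "src": "10.1.1.30", "dst": "10.1.1.30"},
    {"ts": "2014-05-20T09:05:00", "category": "cnc_connection", "src": "10.1.1.30", "dst": "198.51.100.8"},
    {"ts": "2014-05-20T09:30:00", "category": "cnc_connection", "src": "10.1.1.30", "dst": "198.51.100.8"},
    {"ts": "2014-05-20T10:00:00", "category": "impact1_intrusion", "src": "203.0.113.5", "dst": "10.1.1.10"},
    {"ts": "2014-05-20T10:01:00", "category": "impact1_intrusion", "src": "203.0.113.5", "dst": "198.51.100.7"},
    {"ts": "2014-05-20T10:02:00", "category": "informational_intrusion", "src": "203.0.113.5", "dst": "10.1.1.20"},
]

if __name__ == "__main__":
    for host, count in ioc_widget(EVENTS):
        print(host, count)
        for tag, (first, last) in ioc_tags(EVENTS)[host].items():
            print("   ", tag, first, "..", last)
```

Run as written, the widget lists 10.1.1.30 with four indicators ahead of 10.1.1.10 with one; the external hosts never appear, and the repeated CnC connection shows up as a single tag whose last-seen time advanced.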
IPS Deployment Considerations
Connectivity
Connectivity
How should the sensor be connected?
o Promiscuous Mode (IDS): promiscuous interface
o Inline Mode (IPS): inline interface pairs, inline VLAN pairs
o Integrated IPS/IDS: inline or promiscuous
Connectivity: Promiscuous Interface
o Only copies of the packets are sent to the sensor
o Mostly detection, limited protection
o Optional prevention through external blocking
o A separate device must send copies of the packets: SPAN (or monitor) from a switch, VACL capture from a switch, or network taps
(Diagram: Ethernet switch with a SPAN destination port or VACL capture feeding the sensor's promiscuous interface.)
Connectivity: Inline Interface Pairs
o Two physical interfaces paired together
o Multiple pairs can be configured on the same sensor
o IPS sits between two access ports on the same switch or between two different switches
o Traffic passes through the sensor: pass good traffic, and block bad
o Redundancy can be provided with STP or an additional sensor
o Fail-open can be provided with hardware-bypass interfaces
(Diagram: transparent interfaces; the sensor is a Layer 2 bridge between two physical switch ports.)
Connectivity: Inline Routed Interfaces (Sourcefire)
o Two or more physical or VLAN interfaces defined as routable interfaces
o Traffic passes through the sensor: pass good traffic, and drop bad
o Redundancy can be provided through SFRP to a standby sensor
o Fail-open is NOT supported with hardware-bypass interfaces
o Routed interfaces are most commonly used in a NGFW deployment
(Diagram: routed interfaces; the sensor is a Layer 3 router.)
Connectivity: Inline VLAN Pairs (Cisco IPS 7.x)
o IPS sits on a trunk between two VLANs on a switch, if using Cisco IPS.
o Traffic passes through the IPS and gets inspected and retagged, or dropped.
o Supported with ECLB high-availability deployments.
o Redundancy can be provided with STP deployments.
o Fail-open can be provided with a redundant wire.
(Diagram: HostA in VLAN10 and HostB in VLAN20 on a trunk; the sensor rewrites the 802.1Q header.)
Connectivity: Switched Deployment Mode (Sourcefire)
o A virtual switch is defined within the sensor
o Two or more physical interfaces or VLANs are assigned to the virtual switch
o Traffic passes through the IPS and gets inspected
o Redundancy can be provided with STP deployments.
o Fail-open can be provided with a redundant wire.
(Diagram: HostA in VLAN10 and HostB in VLAN20 attached to the sensor's virtual switch.)
Connectivity: Relationship to the Firewall
o Dedicated IPS behind the firewall
o Dedicated IPS in front of the firewall
o Integrated IPS inside the firewall
Connectivity: Dedicated IPS Behind the Firewall
+ Most organizations place the IPS behind the firewall.
+ Firewall blocks all inbound traffic unless addressed to a server or a response to an earlier request.
- IPS's visibility is limited to what the firewall allows in.
+ Best of breed functionality.
(Diagram: Internet, firewall, then IPS, then Intranet.)
Connectivity: Dedicated IPS In Front of the Firewall
+ Provides better visibility into attacks from the Internet
- Increases noise
- IPS handles more state and may become a bottleneck during a DDoS attack
(Diagram: Internet, IPS, then firewall, then Intranet.)
Connectivity: Integrated IPS inside the Firewall
+ Placing the IPS inside the firewall provides all the benefits of the ASA plus full IPS functionality
+ Flexible IPS/IDS policy selection based on 5-tuple, User-ID, SXP
+ ASA provides traffic symmetry, normalization, resiliency (failover) and scaling (clustering) to the IPS
+ IPS inspection of traffic from VPN tunnels terminated on the ASA
(Diagram: Internet, ASA with integrated IPS, Intranet.)
Performance
Performance
Interface Types and Speeds:
o 1GE, 10GE, 40GE?
o Fiber or Copper?
Connections:
o Interface speed is important, but traffic type is more important.
o How many CONNECTIONS do you need to support?
Fixed Interface Models (not all models are listed)

Model        Firewall (w/o Inspection)  IPS        Connections  CPS      Size (Rack Units)
3D7030       500 Mbps                   250 Mbps   500,000      5,000    1
IPS-4345     -                          750 Mbps   750,000      30,000   1
3D7115       1.5 Gbps                   750 Mbps   1,500,000    27,500   1
IPS-4360     -                          1.25 Gbps  1,700,000    45,000   1
3D7125       2.5 Gbps                   1.25 Gbps  2,500,000    42,500   1
AMP-7150*    500 Mbps*                  500 Mbps*  2,500,000    42,500   1
IPS-4510     -                          3 Gbps     3,800,000    72,000   2
IPS-4520     -                          5 Gbps     8,400,000    100,000  2
IPS-4520-XL  -                          10 Gbps    16,800,000   200,000  2

* AMP appliances are sized with ALL features enabled
Modular Models (not all models are listed)

Model     Firewall (w/o Inspection)  IPS       Connections  CPS      Size (Rack Units)
3D8120    4 Gbps                     2 Gbps    3,000,000    45,000   1
3D8150*   2 Gbps*                    2 Gbps*   3,000,000    45,000   1
3D8130    8 Gbps                     4 Gbps    4,500,000    70,000   1
3D8140    10 Gbps                    6 Gbps    7,000,000    100,000  1
3D8250    20 Gbps                    10 Gbps   12,000,000   180,000  2
3D8350    30 Gbps                    15 Gbps   12,000,000   180,000  2
3D8360    60 Gbps                    30 Gbps   24,000,000   360,000  4
3D8370    90 Gbps                    45 Gbps   36,000,000   540,000  6
3D8390    120 Gbps                   60 Gbps   48,000,000   720,000  8

* AMP appliances are sized with ALL features enabled
Availability
Availability
What should happen if the IPS fails?
Network Availability:
o Integrated ASA+IPS: ASA/IPS fail-open
o IDS Appliance: N/A
o IPS Appliance: software bypass; hardware bypass; STP and redundant cable
Security Availability:
o Integrated ASA+IPS: ASA failover
o IDS Appliance: multiple IDS connected to multiple monitor ports
o IPS Appliance: STP and redundant sensor; port-channel with 2 or more sensors; IPS clustering (Sourcefire)
Availability
What is Sourcefire's Clustering?
o Interface Pairing (inline deployment redundancy): traffic passes through either sensor. Mid-session pickup allows established flows to pass. Spanning-Tree typically places one sensor in blocking state.
o VLAN Pairing (switched deployment redundancy): Spanning-Tree Protocol is used to determine redundancy.
o Layer 3 Mode (routed deployment redundancy): SFRP (similar to VRRP) creates an Active/Passive deployment.
o IDS Mode (passive deployment redundancy): same as having multiple standalone IDS appliances, except duplicate events are suppressed.
Availability: Sensors with Spanning-Tree Protocol
o Sensors between 2 switches or 2 VLANs on the same switch
o STP determines the forwarding/blocking path
o Software bypass configured to off for an always-inspect requirement
o Sensor failure causes STP to place the other sensor in forwarding state
o UDLD supported for failure detection
(Diagram: data flow between two Ethernet switches through the sensors.)
Availability: ASA Failover
o Active/Active, Active/Standby, and Clustering
o ASA synchronizes the connection table
o ASA configuration is automatically synched
o IPS configuration synchronization using a CSM policy bundle, or through Sourcefire Defense Center
Migrating from Cisco IPS 7 to Sourcefire: Before the Migration
Think about the existing deployment:
o Speed and latency needs?
o Interface needs?
o Have HA needs been considered?
o Have you backed up any custom IPS signatures?
o Which migration strategy makes sense for your organization?
Migrating from Cisco IPS 7 to Sourcefire: Migration Strategies, based on Risk Assessment
1. Cut over to Inline IPS Mode: replace Cisco IPS 7 with Sourcefire in IPS mode. Monitor closely, and adjust the policy. Most risky option for legitimate traffic.
2. Cut over to Inline Audit Mode: replace Cisco IPS 7 with Sourcefire in Audit mode. Monitor traffic and alerts, and then put the sensor in IPS mode. Most risky option vs. malicious traffic and for compliance.
3. Run Both Temporarily: install Sourcefire in IDS mode, connected to a SPAN port or other method of capturing network traffic. Sourcefire should be placed on the UNTRUSTED side of the Cisco IPS sensor, while leaving Cisco IPS in place. Monitor the sensor and adjust policy accordingly. When the sensor is tuned, complete the migration with either Step 1 or 2, above. This is the best option for most organizations.
Migrating from Cisco IPS 7 to Sourcefire: For most organizations
1. Before Migration: running Cisco IPS 7
2. During Migration: running both Cisco IPS 7 and Sourcefire
3. After Migration: running only Sourcefire
Participate in the "My Favorite Speaker" Contest
Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress).
o Send a tweet and include your favorite speaker's Twitter handle <@GaryHalleen> and two hashtags: #CLUS #MyFavoriteSpeaker
o You can submit an entry for more than one of your favorite speakers
o Don't forget to follow @CiscoLive and @CiscoPress
o View the official rules at http://bit.ly/cluswin