BRKSEC-3300
Advanced Firepower IPS Deployment
Gary Halleen, Technical Solutions Architect
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

About Your Speaker
Gary Halleen
Email: [email protected]
Security Architect, Global Security Architect Team
19 years at Cisco
Amateur Radio: K7TRO
Oregon – Pacific Wonderland

Some of My Hobbies
Cisco Firepower Sessions: Building Blocks
Tuesday:
• 08:30 BRKSEC-3035 Dissecting Firepower Platform Deep Dive
• 11:30 BRKSEC-3328 FMC Internals: Making FMC Do More
Wednesday:
• 08:30 BRKSEC-2064 NGFWv and ASAv in Public Cloud
• 11:00 BRKSEC-3300 Advanced IPS Deployment (We Are Here!)
• 14:30 BRKSEC-2112 Firepower Internet Edge Best Practices
Thursday:
• 09:00 BRKSEC-3455 Firepower FTD & Firepower Services
• 11:00 BRKSEC-3032 NGFW Clustering Deep Dive
• 16:30 BRKSEC-3352 Advanced Snort Rule Writing for Firepower
Friday:
• 11:00 BRKSEC-2020 Firepower NGFW in the DC and Enterprise
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS
Introduction
For the purposes of this session, these terms are treated the same:
• Firepower
• Firepower Threat Defense
• ASA with Firepower Services
Introduction: Management Options
• Centralized: Firepower Management Center (FMC). Enables comprehensive security administration and automation of multiple appliances.
• On-box: Firepower Device Manager (FDM). Enables easy on-box management of common security and policy tasks.
• Cloud-based (Upcoming): Cisco Defense Orchestrator (CDO). Enables cloud-based policy management of multiple deployments.
Firepower Management Center (FMC)
This session covers Firepower 6.2.x and later, managed with FMC. We will NOT cover the older Cisco IPS 7.0.
Centralized Management with Firepower Management Center:
• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration
Manage across many sites, control access and set policies, investigate incidents, prioritize response.
Managed capabilities: Firewall & AVC, NGIPS, AMP, Security Intelligence.
For Your Reference: Firepower 6.3
Platform
• Multi-Instance for 4100/9300: flexible approach for up to 14 instances; supports HA
• TLS HW Accelerated Decryption: higher TLS inspection throughput; supported on all Firepower platforms
• Fail-to-Wire Netmods for FP2100: transition NGIPS to Firepower 2100s
Capabilities
• Airgap/Export Licensing: controlled subscription licensing for closed networks; export licensing for government and military customers outside the United States
• FQDN based access control: enables control for dynamic cloud based apps
• 2FA & RADIUS CoA for RA VPN: supports HA, Passive Auth with FMC; RA VPN Migration
Operations
• Local Management for FTD: onbox manager for many commercial use-cases
• Improved Migrations: new migration tools
Visibility & Security
• Events direct-from-device: integrate better with other Cisco and 3rd party SIEMs; Connection and IPS
• Audit Logging and Connection and IPS syslogs from the device
• Direct-to-Device APIs (2100 and below): automation and orchestration for MSPs; enable integrations
6.3: Multi-Instance for Firepower 4100/9300
• Allows organizations to deploy independent tenants for multiple departments or customers (the diagram shows FTD instances 1 through 4)
• Resource and Management Separation
• Instances are fully independent and fault tolerant
• Smooth workflow enabling faster provisioning
• 3-14 instances (FP9300 and FP4100s only)
• Multi-Instance is free – no SKU
Pick from many deployment modes
• Inline or Passive: Inline, Inline Tap, Passive
• Fail-to-wire NetMods: available on 2100, 4100 and 9300
• Additional options: Routed, Transparent, Virtual or Physical
Firepower Policies
How often are Policies Modified?
• Frequently: Access Control Policy, Intrusion Policy, SSL Policy, Identity Policy, Prefilter Policy
• Little: Malware and File Policy, DNS Policy, Correlation Policy, Health Policy
• Rarely: Network Discovery Policy, Network Analysis Policy
Policy Order of Operation
1. Prefilter Policy (FTD only)
2. Access Control Policy: SSL -> Identity -> SI / DNS
3. Intrusion Policy used for AppID (optional)
4. Access Control Rules -> Intrusion -> File / Malware
Intrusion Policy
The Intrusion Policy defines which Snort rules are used in packet inspection.

Intrusion Base Policy
Policy                             | CVSS Score | Vulnerability Age                                  | Rule Categories
Connectivity over Security         | 10         | Current year, plus 2 prior (2019, 2018, and 2017) | (none listed)
Balanced Security and Connectivity | 9+         | Current year, plus 2 prior                        | Malware-CNC, Blacklist, SQL Injection, Exploit Kit
Security over Connectivity         | 8+         | Current year, plus 3 prior (2019, 2018, 2017, and 2016) | Malware-CNC, Blacklist, SQL Injection, Exploit Kit, App-Detect
Maximum Detection                  | 7.5+       | 2005 and later                                    | Malware-CNC, Exploit Kit
Intrusion Policy
You can manually Enable/Disable individual rules or configure actions.
Several ways to search for rules…
Network Discovery Policy
• Used to identify which networks Firepower should “learn” from.
• Useful for applications, and especially for maintaining the Firepower Recommended Rules in the Intrusion Policy.

Intrusion Policy and Network Discovery Policy
Firepower Recommended Rules automatically tunes your Snort rules for the applications, servers, and hosts on your network.
Access Control Policy
• Traffic must match in the Access Control Policy in order to be Inspected. For a simple IPS deployment, you can use the Default Action.
• In a NGFW deployment, the Default Action will likely be “Block All Traffic”. An Intrusion Policy needs to be defined for each Allow Action.
• If you need, different Allow rules can have different Intrusion Policies assigned.
Network Analysis Policy
What is this? Do I need to do anything here?
• The Network Analysis Policy (NAP) controls the Preprocessors, and determines things such as:
  o Fragmentation Reassembly
  o Protocol Compliance
“What should we tune?” The trade-off is Security versus Usability.
• By default, there are no tunable NAP policies. You’ll need to create one (Create Policy).
• Give your policy a name (Create and Edit Policy).
Do these Base Policies look familiar? Besides the name, these Base Policies have NOTHING in common with the Intrusion Base Policies.
Network Analysis Policy: Enable/Disable Preprocessors
• Some Preprocessors are disabled by default:
  o Portscan Detection
  o Rate-Based Attack Prevention
  o Inline Normalization
• Enable these if you need them
Fragmentation
Both IP and TCP can cause a stream of data to break into many parts. Both IP fragmentation and TCP segmentation may be naturally occurring or performed intentionally to evade IPS. IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate this evasion technique.
If attack is: USER root
TCP: HDR USER | HDR root
IP: HDR HDR US | HDR ER | HDR HDR ro | HDR ot

How Bad can Fragmentation Get?
Layers: IP | TCP | SMB | MSRPC | Payload
Packet capture of a regular attack is ~4k; after layers of evasion, 30MB or more! Hundreds of thousands of packets.
Network Analysis Policy: Inline Normalization. Tune it? MAYBE
• Disabled by Default
• Enforces Protocol Compliance for TCP and IP protocols.
• Enabling normalization will block some non-standard implementations and many attacks. However, it potentially can block poorly-written legitimate traffic.
• How Risk-Averse are you?

Network Analysis Policy: TCP Stream. Tune it? YES
• Unless you are deploying IPS into a segment containing ONLY Windows hosts, you absolutely should tune this.
• TCP Stream determines how fragmented TCP traffic is reassembled.
• Different operating systems handle reassembly differently, and it is critical that your IPS understands the hosts.

Network Analysis Policy: UDP Stream. Tune it? Probably Not
• Not much to tune.

Network Analysis Policy: IP Defragmentation. Tune it? YES
• Similar reason as TCP Stream.
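An added example, not part of the deck, to make concrete both the Fragmentation slides (why the IPS must reassemble before it can match "USER root") and the TCP Stream / IP Defragmentation tuning advice (why the reassembly policy has to follow the target host). The segments are constructed sample data; the "first" and "last" policies modelled here are two of the overlap policies Snort's stream preprocessor offers, and the per-OS policies Firepower exposes are chosen by the same principle.

```python
# Added example (not from the BRKSEC-3300 deck): why an IPS has to reassemble
# IP fragments and TCP segments before matching content, and why the
# reassembly policy must follow the target host. All segments below are
# constructed sample data; "first"/"last" are two of Snort's stream policies.
import re

# The slide's sample attack string.
PATTERN = re.compile(rb"USER root")

# Clean TCP segmentation from the slide: "USER" then " root", as (offset, payload).
SPLIT_SEGMENTS = [(0, b"USER"), (4, b" root")]
# The slide's IP-layer split of the same bytes: US / ER / ro / ot.
IP_FRAGMENTS = [(0, b"US"), (2, b"ER"), (4, b" ro"), (7, b"ot")]
# Overlapping retransmission: bytes from offset 5 arrive twice with different content.
OVERLAP_SEGMENTS = [(0, b"USER "), (5, b"nobody"), (5, b"root")]


def match_per_packet(segments):
    """Naive inspection that looks at each payload on its own."""
    return any(PATTERN.search(payload) is not None for _, payload in segments)


def reassemble(segments, policy="first"):
    """Merge (offset, payload) pieces into one byte stream.

    policy="first": data seen first wins for any overlapping byte.
    policy="last":  data seen last overwrites earlier data.
    A gap in coverage is filled with NUL so later offsets stay aligned.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for offset, payload in segments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "first" and pos in stream:
                continue
            stream[pos] = byte
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


def inspect(segments, policy="first"):
    """Reassemble with the given policy, then match the content."""
    return PATTERN.search(reassemble(segments, policy)) is not None


if __name__ == "__main__":
    print("per-packet match on split stream:", match_per_packet(SPLIT_SEGMENTS))
    print("reassembled TCP:", reassemble(SPLIT_SEGMENTS))
    print("reassembled IP fragments:", reassemble(IP_FRAGMENTS))
    for policy in ("first", "last"):
        print(policy, reassemble(OVERLAP_SEGMENTS, policy), inspect(OVERLAP_SEGMENTS, policy))
```

The overlap case is the one the TCP Stream slide is warning about: a host that honours the later data sees "USER root", while a sensor reassembling with the "first" policy sees "USER nobody" and never fires. Mapping the NAP's stream and defragmentation policies to the operating systems actually present (or using several NAPs through Access Control rules, as the Advanced Settings slide describes) is what closes that gap.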
Access Control Policy – Advanced Settings
Don’t forget to select the Network Analysis Policy from the Access Control Policy -> Advanced Tab.
If you need to use multiple Network Analysis Policies (maybe some networks have Windows servers, and another has Linux, for example), you can create Rules to perform the mapping.
Impact Flags
• Remember, we recommend you utilize the Network Discovery Policy…
• This allows you to use Impact Flags for analysis.
Do you know what these mean?

Understanding Impact Flags
Intrusion Event fields used: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, Snort ID, IOC: Predefined Impact.
Host Profile fields used: IP Address, User IDs, Protocols, Server Side Ports, Client Side Ports, Services, CVE, Client / Server Apps, Operating System, Potential Vulnerabilities.
The event is compared against the Host Profile of the target; if the host is outside the profile range or not yet profiled, no comparison is possible.

Impact Flag | Why
0 | Event occurred outside profiled networks (host not yet profiled, or outside profile range)
4 | Previously unseen host within monitored network
3 | Relevant port not open or protocol not in use
2 | Relevant port or protocol in use but no vulnerability mapped
1 | Host vulnerable to attack or showing an IOC
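The following is an added example, not Cisco's code, that turns the impact flag table above into a small classifier: each intrusion event is compared against the Network Discovery host profile of its target and assigned 0 to 4 in the table's order. The monitored network, the host profiles, the events and the CVE strings are all constructed samples (the CVE identifiers are placeholders, not real CVE numbers).

```python
# Added example (not Cisco's code): deriving the impact flag of an intrusion
# event from the Network Discovery host profile, following the table above.
# MONITORED_NETWORKS, the host profiles and the events are constructed samples;
# the CVE identifiers are placeholders, not real CVE numbers.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Networks the (assumed) Network Discovery Policy is configured to learn from.
MONITORED_NETWORKS = [ip_network("10.0.0.0/8")]


@dataclass
class HostProfile:
    ip: str
    server_ports: dict = field(default_factory=dict)   # {(proto, port): service}
    vulnerabilities: set = field(default_factory=set)  # CVEs mapped to this host
    iocs: set = field(default_factory=set)              # IOC tags already set


@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int
    snort_id: int
    cves: frozenset = frozenset()   # CVEs referenced by the firing rule
    sets_ioc: bool = False          # rule is tagged as an IOC (predefined impact)


def impact_flag(event, host_db):
    """Return the impact flag 0..4 for one event, in the table's order."""
    addr = ip_address(event.dst_ip)
    if not any(addr in net for net in MONITORED_NETWORKS):
        return 0   # outside profiled networks: nothing known about the target
    host = host_db.get(event.dst_ip)
    if host is None:
        return 4   # inside the monitored range but never seen by discovery
    if (event.proto, event.dst_port) not in host.server_ports:
        return 3   # relevant port not open / protocol not in use
    if host.vulnerabilities & event.cves or event.sets_ioc or host.iocs:
        return 1   # host vulnerable to the attack, or showing an IOC
    return 2       # port in use, but no vulnerability mapped


def prioritize(events, host_db):
    """Order events for triage: impact 1 first, 0 (unknown target) last."""
    flagged = [(impact_flag(e, host_db), e) for e in events]
    return sorted(flagged, key=lambda fe: (fe[0] == 0, fe[0]))


# Constructed host profiles, as Network Discovery would have learned them.
HOST_DB = {
    "10.1.1.10": HostProfile("10.1.1.10", {("tcp", 22): "ssh", ("tcp", 443): "https"},
                             {"CVE-PLACEHOLDER-0001"}),
    "10.1.1.20": HostProfile("10.1.1.20", {("tcp", 80): "http"}),
}

# Constructed events; Snort IDs in the local-rule range are placeholders.
SAMPLE_EVENTS = [
    IntrusionEvent("203.0.113.5", "tcp", 22, 1000001, frozenset({"CVE-PLACEHOLDER-0001"})),
    IntrusionEvent("10.1.1.99", "tcp", 22, 1000001),
    IntrusionEvent("10.1.1.20", "tcp", 22, 1000001),
    IntrusionEvent("10.1.1.20", "tcp", 80, 1000002, frozenset({"CVE-PLACEHOLDER-0002"})),
    IntrusionEvent("10.1.1.10", "tcp", 22, 1000001, frozenset({"CVE-PLACEHOLDER-0001"})),
]


def classify_samples():
    """Impact flags of SAMPLE_EVENTS in order."""
    return [impact_flag(e, HOST_DB) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for flag, event in prioritize(SAMPLE_EVENTS, HOST_DB):
        print(flag, event.dst_ip, event.proto, event.dst_port, event.snort_id)
```

The five sample events come out as 0, 4, 3, 2, 1 respectively, which is the point of the slide: the same Snort ID against the same port means something different depending on what discovery knows about the target, so an analyst working the impact-1 queue first is looking at hits against hosts that discovery has mapped as vulnerable rather than at all hits.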
6.3: Contextual Cross-Launch
• New to Firepower Management Center (FMC) 6.3
• From any relevant event or dashboard, right-click and launch a query into a different product.
• Several tools already included.
Do you have a favorite tool?
• Add your own: Analysis -> Advanced -> Contextual Cross-Launch
• Example for Cisco Stealthwatch (screenshot)
• Example for Cisco Tetration (screenshot). Note: The URL will differ according to your Tetration deployment and tenant IDs.
Stealthwatch Cross-Launch Example (screenshot)
Tetration Cross-Launch Example (screenshot)
Snort Rules
Firepower uses Snort Rules for Intrusion Prevention.
Cisco provides regular rule updates. Most customers deploy these automatically.
Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion Rules -> Create Rule), or can be imported.
Snort Rule Editor (screenshot)
Snort Rules
• Snort Rules are normally created on a single line, with no special characters, and in ASCII or UTF-8 format.
• The Import file can contain many rules as long as they are one rule per line.
• Many of the Emerging Threats rules use deprecated syntax (the “threshold” statement). If you are importing ET rules, you’ll need to correct or remove these rules first. Threshold has been replaced with detection_filter.
• A rule SHOULD not have a rule SID, but one is allowed.
• All on ONE line.
Snort Rules (continued)
• Sometimes it is much more readable to spread the rule across multiple lines. Do this with the backslash character: \
Example Rule (from Emerging Threats):
alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
Snort Rules (continued)
• This ET rule has a deprecated keyword – “threshold”, as well as “type limit”, so let’s fix it. Only the threshold line changes; it becomes a detection_filter line with the same track, seconds and count values, and the “type limit” part is dropped:
alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
detection_filter: track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
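An added example, not Cisco's code and not part of the deck, that applies the three slides above to a whole rules file before it goes into Import Rules: backslash continuations are joined so the file ends up one rule per line, the deprecated threshold option is rewritten as detection_filter exactly as the corrected ET rule shows, and the things the first slide asks you to check (ASCII only, an explicit SID, a rule broken by a missed backslash) are reported as warnings. It goes slightly beyond the slide's single rule in that count and seconds may appear in either order. SAMPLE_RULES is a constructed file modelled on the ET DROP rule, with documentation networks in place of the real list.

```python
# Added example (not Cisco's code): normalise a third-party Snort rules file
# the way the slides describe before importing it into FMC: join backslash
# continuations into one rule per line, rewrite the deprecated "threshold"
# rule option as "detection_filter", and report things worth checking
# (non-ASCII characters, an explicit SID, unbalanced parentheses).
# SAMPLE_RULES is constructed, modelled on the ET DROP rule shown above.
import re

THRESHOLD_RE = re.compile(
    r"threshold:\s*type\s+(?P<type>limit|threshold|both)\s*,\s*"
    r"track\s+(?P<track>by_src|by_dst)\s*,\s*(?P<rest>[^;]*);"
)

SAMPLE_RULES = r"""
# constructed sample; real ET rules carry many more networks and metadata
alert tcp \
  [192.0.2.0/24,198.51.100.0/24] any -> $HOME_NET any \
  (msg:"SAMPLE DROP Listed Traffic Inbound"; flags:S; \
  threshold: type limit, track by_src, seconds 3600, count 1; \
  classtype:misc-attack; sid:2400001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH brute force"; flow:to_server; \
  detection_filter: track by_dst, count 5, seconds 60; classtype:attempted-admin; rev:1;)
"""


def join_continuations(text):
    """Return one logical rule per list entry; blank and comment lines are dropped."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]          # keep the text, drop the backslash
            continue
        buf += line
        if buf and not buf.startswith("#"):
            rules.append(buf)
        buf = ""
    if buf and not buf.startswith("#"):   # file ended on a continuation line
        rules.append(buf)
    return rules


def convert_threshold(rule):
    """Rewrite 'threshold: type X, track T, ...' as 'detection_filter: track T, ...'.

    Returns (new_rule, old_type); old_type is None when nothing was changed.
    """
    m = THRESHOLD_RE.search(rule)
    if not m:
        return rule, None
    count = re.search(r"count\s+(\d+)", m.group("rest"))
    seconds = re.search(r"seconds\s+(\d+)", m.group("rest"))
    if not (count and seconds):
        raise ValueError("threshold option without count/seconds: " + rule)
    new = "detection_filter: track %s, seconds %s, count %s;" % (
        m.group("track"), seconds.group(1), count.group(1))
    return rule[:m.start()] + new + rule[m.end():], m.group("type")


def prepare_for_import(text):
    """Return (rules, warnings) ready for Objects -> Intrusion Rules -> Import Rules."""
    rules, warnings = [], []
    for n, rule in enumerate(join_continuations(text), 1):
        rule, old_type = convert_threshold(rule)
        if old_type:
            warnings.append("rule %d: threshold type %s rewritten as detection_filter; "
                            "re-apply rate limiting with Event Filtering in the intrusion policy"
                            % (n, old_type))
        if re.search(r"[^\x20-\x7e]", rule):
            warnings.append("rule %d: contains non-ASCII or control characters" % n)
        if rule.count("(") != rule.count(")"):
            warnings.append("rule %d: unbalanced parentheses (missed a backslash?)" % n)
        sid = re.search(r"\bsid:\s*(\d+)", rule)
        if sid:
            warnings.append("rule %d: carries sid %s (the deck advises omitting SIDs; "
                            "FMC accepts them)" % (n, sid.group(1)))
        rules.append(rule)
    return rules, warnings


if __name__ == "__main__":
    ready, notes = prepare_for_import(SAMPLE_RULES)
    print("\n".join(ready))
    print("\n".join(notes))
```

One caveat worth knowing when you apply the slide's fix wholesale: detection_filter fires once count matches have been seen within seconds, whereas threshold type limit capped how often the event was reported. The rewrite makes the rule importable; the original rate limiting is then re-applied per rule under Event Filtering in the Intrusion Policy, which is why the script flags every rule it touched.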
Importing Snort Rules
• Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules.
• Click on “Import Rules”.
• Click on “Browse” to locate your file, and click “Import”.
• If successful, you will see a screen showing what has been imported.

Enabling Snort Rules
• Remember, all imported rules are Disabled by default. You need to enable these.
How do you Exempt Specific Servers from a Snort Rule?
Options:
1. Look at the rule and see whether you can modify the variables in use ($EXTERNAL_NET and $HOME_NET, for example).
2. Use a different Intrusion Policy for some hosts. This could have memory or performance impact if overused.
3. Create a Pass Rule –> Probably the Best Option
Pass Rule Example
[Diagram: a Network Scanner (203.0.113.24) on the Campus network probing a Web Server and an SSH Server]
1. Open the firing rule in the Rule Editor (Objects -> Intrusion Rules).
2. Change the Action to “pass”.
3. Change the Message: add “PASS RULE – ” to the beginning, so pass events are easy to tell apart from the original rule.
4. Add the IP address or a variable name (e.g. $SCANNER_HOSTS) as the Source or Destination IP, so the pass rule matches only the exempted hosts and not the original $EXTERNAL_NET/$HOME_NET scope.
5. Click “Save as New”.
6. Finally, edit the Intrusion Policy and change the Rule State for your new Local Rule to “Generate Events”. Save and deploy the Intrusion Policy.
Snort evaluates pass rules before alert and drop rules, so the pass rule wins for the exempted hosts and the original rule still fires for everyone else.
Snort Restart and Reload Architecture
Prior to Firepower 6.2.2, making the Intrusion Rule changes just described would have caused a Snort restart and potentially disrupted network traffic.
Significant improvements in 6.2.3, and especially in the 6.3 software, have dramatically reduced the number of changes that can cause a Snort restart.
Why does Snort Restart?
• A new version of Snort in the policy deploy
• Reallocating memory for preprocessors/Security Intelligence (6.2.x)
• Reloading shared objects
• Preprocessor configuration changes (6.2.x)
• The Access Control Policy is configured to restart instead of reload: setting “Inspect traffic during policy apply” to “No” means Snort will restart every time a policy changes.
Cisco.com info on 6.2.3 Restart Conditions: http://cs.co/9006DcfbG
6.2.3 and later warns if any configuration change will interrupt inspection (restart Snort).
Mitigations
1. Snort Preserve-Connection (introduced in 6.2.0.2 / 6.2.3)
2. Software Bypass
3. Upgrade to Firepower 6.3
Snort Preserve-Connection
• When Snort goes down, connections that already have an Allow verdict are preserved in LINA (the data plane).
• Snort does NOT do a mid-session pickup of the preserved flows when it comes back up, so those flows continue without inspection.
• Does NOT protect new flows while Snort is down.
• Introduced in 6.2.0.2/6.2.3. Enabled by default in 6.2.3.
• Can be enabled/disabled from the FTD CLI: configure snort preserve-connection enable|disable
Software Bypass
• In inline Fail-Open deployments, traffic is passed uninspected over the software bridge while Snort is down.
• When Snort comes back up, it does a mid-session pickup of the traffic.
Bypass Options
Software Bypass: pass traffic, uninspected, when Snort is down or busy.
Fail-to-Wire Interfaces: bypass traffic upon appliance failure, including loss of power.
Automatic Application Bypass (AAB): restarts Snort processes upon degraded performance.
Intelligent Application Bypass (IAB): application-specific acceleration of defined applications if performance is degraded.
Trust Rules: accelerate defined traffic but still apply Security Intelligence.
Prefilter Policy: bypass deep inspection and Security Intelligence based on Port / Protocol / IP Address / Zone.
Software Bypass
Software Bypass is only available in Inline Pairing mode or on ASA with Firepower Services.
Fail to Wire Interfaces
Fail-to-Wire interfaces allow pass-through of traffic in case of appliance failure or loss of NetMod power.
Supported platforms: FP-9300, FP-4100, FP-2100 (requires 6.3), FP-7000, 7100, 8100, 8200 and 8300.
Fail-to-Wire requires an Inline Set, Inline Pair, or Inline Tap deployment.
Automatic Application Bypass (AAB)
Detects Snort failures or degraded performance and triggers a restart of the impacted Snort process. First available in FTD in 6.2.2.
Trust Rules
Within the Access Control Policy, defined traffic can be exempted from File and IPS inspection, which accelerates it through the appliance. Basing the rule on Source/Destination Port and IP addresses is most effective. Security Intelligence feeds are still applied to Trust rules.
On FP-4100/9300 appliances, a Trust rule enables Dynamic Flow Offload on eligible flows and handles the traffic on the HW NIC. Not supported on Inline, Inline Tap, or Passive interfaces!
PreFilter Policy
PreFilter rules are processed prior to Intrusion Prevention or Access Control Policies. If traffic can be defined by Zone, Network, and Port (similar to an ASA rule), the traffic can be FastPathed. This is similar to a Trust rule, but Security Intelligence is not applied.
• PreFilter rules require Firepower Threat Defense.
• On FP-4100/9300 appliances, a Fastpath rule enables Static Flow Offload on eligible flows and handles the traffic on the HW NIC. Static Flow Offload is not supported on Inline, Inline Tap, or Passive interfaces.
Intelligent Application Bypass (IAB)
Detects degraded performance within an application. If that application is trusted, you can configure IAB to automatically bypass inspection for it and accelerate the traffic.
Intelligent Application Bypass: What is IAB?
IAB takes action when a Snort instance is under duress and both conditions are met:
1. Is the flow a candidate for bypass?
2. Is this a bypassable application?
If the conditions are satisfied, Firepower accelerates the flow.
Intelligent Application Bypass Caveats!
• When IAB works to full capability, the flow under duress is handled the same as a PreFilter FastPath or ACP Trust rule.
• If the Access Control Policy (ACP) uses IP-based Security Intelligence, Snort needs to see the traffic briefly before it is FastPathed.
• If the ACP uses DNS- or URL-based Security Intelligence, both Snort and AppID need to see the traffic before it is FastPathed. AppID sometimes takes longer to identify the application, depending on which application it is.
Configuring Intelligent Application Bypass
Find IAB on the Advanced tab of the Access Control Policy. In 6.2.3 it is at the bottom left of the page; in 6.3 it is at the top right.
• By default, IAB is disabled.
• With 6.2.3, all fields are blank. No default values.
• With 6.3, default values are entered.
Set the State to On or Test, and set the sample period.
Inspection Performance Thresholds: is the Snort process under duress?
These fields are a logical OR, and refer to the Snort process rather than overall appliance CPU.
• Drop Percentage
• Processor Utilization
• Packet Latency
• Flow Rate
Flow Bypass Thresholds: is the flow a candidate to bypass? These values are also a logical OR.
Bytes per Flow is “How big is the flow?” Take the AMP maximum file size into consideration: a Bytes per Flow threshold below that size can bypass a flow before the file in it has been fully inspected.
Flow Velocity is “Size over time of the flow”. Each Snort instance can handle approximately 1 Gbps, which is 125,000 kbytes/second.
I disagree with the default value. 250,000 kbytes/second will never trigger on today’s FP or ASA hardware. A better starting value for most customers is about 40,000 or 50,000 kbytes/second (the example uses 45000).
Define Applications that are Bypassable. It may be easier to just allow All Applications.
Monitoring Intelligent Application Bypass
IAB events appear in Connection Events with a reason of “Intelligent App Bypass”.
OpenAppID: Cisco’s Open Source Application Layer Plugin for Snort and Firepower
OpenAppID uses the Lua programming language to identify applications. There are a number of attributes it can look at, including:
• ASCII or Hex patterns and offset
• HTTP User Agent
• HTTP URL
• HTTP Content Type
• SSL Host
• SSL Organization Unit
• SSL Common Name
• SIP Server
• SIP User Agent
• RTMP URL Pattern
Most internal Firepower Application Detectors are included in the Snort OpenAppID rules, including Lua source code.
OpenAppID within Firepower: Application Detectors
All Application Detectors in Firepower 6.0+ use OpenAppID. Custom Application Detectors can be created here as well.
Basic Application Detector: FMC provides a wizard for creation of Basic detectors. Advanced detectors require you to upload the Lua file.
Advanced Application Detector (for your reference): if you need an Advanced detector, you’ll need to write it yourself or request one from TAC.
OpenAppID Example with Intrusion Policy
A lot of “noise” is created in the Intrusion Logs of any IDS/IPS product by automated scripts searching for vulnerable systems and trying generic attacks.
[Diagram: Internet -> Web Server]
[blkh4t@wd40 ~]$ hackerw3bscan -v 198.51.100.33
Ports open: tcp/80, tcp/443
Server: apache 2.4.18
Vulnerabilities found: CVE-2016-4979 SSL Bypass, CVE-2016-1546 HTTP2 DOS
These scans or attacks against your IP addresses may or may not be successfully blocked by your IPS devices. Either way, they generate noise in your logs.
Question: is there a legitimate reason for Internet users to access your server(s) by IP address instead of FQDN?
The Goal: block all web traffic that targets an IP address rather than the correct hostname. Use the Intrusion Policy to inspect the legitimate traffic.
[Diagram: Internet -> X -> Web Server]
[blkh4t@wd40 ~]$ hackerw3bscan -v 198.51.100.33
No web server found!
OpenAppID and the Intrusion Policy: Creating the Custom Detector
1. From the Application Detectors screen, click the button to Create Custom Detector.
2. Click the “Add” button.
3. Complete the required fields to name your custom application.
4. Click OK.
5. Enter the same Name and Description as in the previous step, and select the Application you just created from the pulldown menu.
6. Leave the Detector_Type as Basic.
7. Click OK.
8. Click “Add” to add Detection Patterns. This is where we define what the application “looks like” to Firepower.
9. Select HTTP from the Protocol pulldown menu, and URL as the Type.
10. Enter your domain name.
11. Click OK.
12. Repeat the process to add the SSL information for the same domain name.
13. Click OK.
14. Click “Save”.
Remember: Basic Detectors perform an OR operation on the Detection Patterns. In this example, any HTTP or HTTPS connection destined to *.zenbango.com will trigger the detector.
OpenAppID and the Intrusion Policy: Activating the Custom Detector
15. You can find your Application Detector by selecting the Custom Type in the Filters.
16. The new Application Detector will not function until it is Activated by clicking on the State slider.
WARNING: when you Activate or Deactivate any Detector, it triggers your appliances in the current domain or child domains to restart Snort. This can be disruptive to your network traffic, so schedule it like any other restart-causing change.
OpenAppID and the Intrusion Policy: Assigning the Custom Detector to the Access Control and Intrusion Policy
17. Tie it all together by using an Allow rule (with the Intrusion Policy assigned) for traffic matching the new application. Block all other traffic.
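An added example, not part of the session material, of what the two OR’d patterns actually key on. AppID sees the HTTP Host/URL and the TLS server_name (SNI) in the ClientHello; the Python below extracts both from constructed sample traffic and applies the allow-with-IPS / block decision from step 17. The detector name zenbango-web, the suffix-style matching and the sample payloads are assumptions made here, not FMC behaviour taken from the slides.

```python
import struct

# The custom Basic detector from the walkthrough: two patterns, OR'd together.
# "zenbango.com" is the example domain used on the slides.
DETECTOR = {
    'name': 'zenbango-web',
    'patterns': [('http', 'url', 'zenbango.com'), ('ssl', 'host', 'zenbango.com')],
}


def http_host(payload):
    """Host header of a plaintext HTTP request (port stripped), or None."""
    head = payload.split(b'\r\n\r\n', 1)[0]
    for line in head.split(b'\r\n')[1:]:
        name, _, value = line.partition(b':')
        if name.strip().lower() == b'host':
            return value.strip().decode('ascii', 'replace').split(':')[0].lower()
    return None


def tls_sni(payload):
    """server_name from a TLS ClientHello record, or None if absent or malformed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:        # handshake record, ClientHello
            return None
        p = 9 + 2 + 32                                       # skip client_version + random
        p += 1 + payload[p]                                  # session_id
        p += 2 + struct.unpack('!H', payload[p:p + 2])[0]    # cipher_suites
        p += 1 + payload[p]                                  # compression_methods
        if p >= len(payload):
            return None                                      # no extensions at all
        end = p + 2 + struct.unpack('!H', payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack('!HH', payload[p:p + 4])
            p += 4
            if etype == 0:                                   # server_name extension
                name_len = struct.unpack('!H', payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode('ascii', 'replace').lower()
            p += elen
    except (IndexError, struct.error):
        return None
    return None


def build_client_hello(server_name=None):
    """Constructed minimal ClientHello (sample input for this example, not a capture)."""
    ext = b''
    if server_name is not None:
        name = server_name.encode()
        entry = b'\x00' + struct.pack('!H', len(name)) + name      # name_type host_name
        sni = struct.pack('!H', len(entry)) + entry                 # server_name_list
        ext = struct.pack('!HH', 0, len(sni)) + sni                 # extension type 0
        ext = struct.pack('!H', len(ext)) + ext                     # extensions length
    body = (b'\x03\x03' + b'\x00' * 32 + b'\x00'                   # version, random, no session id
            + struct.pack('!H', 2) + b'\x13\x01'                    # one cipher suite
            + b'\x01\x00'                                           # compression: null
            + ext)
    hs = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs


def identify(proto, payload):
    """Apply the Basic detector. Patterns are OR'd: any match identifies the app.
    Suffix matching on the Host / SNI value is an assumption of this example."""
    host = http_host(payload) if proto == 'http' else tls_sni(payload)
    for pat_proto, _, pattern in DETECTOR['patterns']:
        if pat_proto == proto and host and (host == pattern or host.endswith('.' + pattern)):
            return DETECTOR['name']
    return None


def access_control(proto, payload):
    """Allow rule (with Intrusion Policy) for the custom app; block everything else."""
    return 'allow+ips' if identify(proto, payload) == DETECTOR['name'] else 'block'


# Constructed sample flows: a scanner hitting the IP, and a real client connecting by name.
SCANNER_HTTP = b'GET / HTTP/1.1\r\nHost: 198.51.100.33\r\nUser-Agent: hackerw3bscan\r\n\r\n'
CLIENT_HTTP = b'GET /index.html HTTP/1.1\r\nHost: www.zenbango.com\r\nAccept: */*\r\n\r\n'
SCANNER_TLS = build_client_hello()                    # no SNI when connecting by IP
CLIENT_TLS = build_client_hello('www.zenbango.com')

if __name__ == '__main__':
    for label, proto, payload in [('scanner http', 'http', SCANNER_HTTP),
                                  ('client http', 'http', CLIENT_HTTP),
                                  ('scanner tls', 'ssl', SCANNER_TLS),
                                  ('client tls', 'ssl', CLIENT_TLS)]:
        print(f'{label:13s} app={identify(proto, payload)} -> {access_control(proto, payload)}')
```

The scanner in the walkthrough connects by IP, so its HTTP request carries the address in Host: and its TLS ClientHello carries no SNI; neither matches, both are blocked, and the intrusion log stays quiet. The caveat a practitioner should keep in mind: anyone who sends the right Host header or SNI reaches the server like a normal client and is inspected by the IPS, so this is a noise filter, not a security boundary.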
Effectiveness…
Security Intelligence Feeds (for your reference)
Included SI Feeds. Each category is available as an IP address feed, a URL feed (“URL <category>”) and a DNS feed (“DNS <category>”):
• Attackers
• Bogon
• Bots
• CnC
• Cryptomining (NEW)
• Dga
• ExploitKit
• Malware
• Open_proxy
• Open_relay
• Phishing
• Response
• Spam
• Suspicious
• Tor_exit_node
Security Intelligence
Go to the Appendix (Additional Slides) for an example of creating a custom Security Intelligence feed.
According to Network Computing, 72% of all internet traffic is SSL encrypted. Is your IPS still effective?
SSL Inspection
The percentage of TLS/SSL traffic is increasing dramatically, and IDS/IPS deployments need to take this into account. Options to consider:
1. Decryption offload, passing decrypted traffic to the sensor.
2. On-box decryption.
Additionally, do you decrypt inbound traffic, outbound traffic, or both?
SSL Inspection
Firepower can decrypt TLS/SSL traffic if you want to do it on box.
Inbound Traffic
• Traffic is decrypted by installing the server’s SSL certificate and private key on the FMC (known-key decryption).
Outbound Traffic
• Traffic is decrypted by installing an internal CA certificate on the FMC and re-signing the servers’ certificates, i.e. performing a “man in the middle attack” against your users’ SSL traffic. Clients must trust that CA.
In this session, we focus only on inbound.
SSL Inspection with Known Key Example
1. You need both the host’s private key and the .crt file. Go to Objects -> PKI -> Internal Certs to add the certificate and key for the host.
2. Create an SSL Policy to decrypt traffic with this known key for the associated host.
3. Once this is complete, add the SSL Policy to the Access Control Policy.
SSL Hardware Decryption
• Firepower 6.3 enables hardware decryption by default for SSL/TLS traffic on Firepower appliances, including the FP-2100.
• Firepower 6.2.3 enabled hardware decryption on the FP-4100/9300 platforms, but it was disabled by default.
• Performance is dramatically improved over the software decryption that was performed previously.
To disable hardware decryption, use the following command from the FTD CLI:
FTD 6.2.3: system support ssl-hw-offload disable
FTD 6.3: system support ssl-hw-force-offload-disable
Additional Slides These slides did not fit in the time allowed for the session.
Security Intelligence Custom Feed: An Example
A publicly-exposed SSH Server will be continuously probed for weaknesses, as well as brute-force login attempts. Let’s use failed login attempts to build our own SI Feed.
[Diagram: Internet -> SSH Server]
[blkh4t@wd40 ~]$ ncrack zenbango.com:22
Starting Ncrack 0.5 ( http://ncrack.org ) at 2017-01-09 12:42 PST
On the SSH server:
Jan 9 15:42:50 www unix_chkpwd[28658]: password check failed for user (root)
Jan 9 15:42:57 www unix_chkpwd[28680]: password check failed for user (root)
Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from 198.51.100.87
Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from 198.51.100.87
Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don)
Jan 9 15:43:25 www unix_chkpwd[28887]: password check failed for user (rich)
Jan 9 15:43:31 www unix_chkpwd[28922]: password check failed for user (gary)
Jan 9 15:44:33 www unix_chkpwd[29302]: password check failed for user (daemon)
Jan 9 15:44:38 www unix_chkpwd[29341]: password check failed for user (kim)
Jan 9 15:45:44 www unix_chkpwd[29737]: password check failed for user (operator)
Jan 9 15:45:52 www sshd[10694]: Invalid user dan from 198.51.100.87
Jan 9 15:45:54 www unix_chkpwd[29797]: password check failed for user (root)
Jan 9 15:46:02 www unix_chkpwd[29842]: password check failed for user (mail)
Jan 9 15:46:09 www unix_chkpwd[29878]: password check failed for user (nobody)
Jan 9 15:46:31 www unix_chkpwd[30019]: password check failed for user (rich)
Jan 9 15:46:31 www unix_chkpwd[30020]: password check failed for user (don)
Jan 9 15:46:38 www unix_chkpwd[30065]: password check failed for user (gary)
The Goal: create your own Security Intelligence Feed to block hosts that attempt to log in to your SSH Server and fail authentication multiple times.
[Diagram: Internet -> X -> Web Server and SSH Server]
Security Intelligence Custom Feed: Prerequisites
1. The first step is to configure your honeypot (here, the SSH server) with the desired services installed, hardened, and logged.
There are a number of tools available to dynamically block or log connection/authentication attempts. Two that work well are fail2ban and denyhosts.
Security Intelligence Custom Feed: Prepare the Target
2. In this example, we’re using denyhosts to dynamically block SSH attempts after 6 failed logins for invalid usernames (10 for valid users, 1 for root).
/etc/denyhosts.conf (pertinent sections):
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 6
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
RESET_ON_SUCCESS = yes
3. Create a script to parse the blocked IP addresses from denyhosts’ output. The /etc/hosts.deny file looks like this:
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
# DenyHosts: Tue Jan 31 09:42:58 2017 | ALL: 198.51.100.3
ALL: 198.51.100.3
# DenyHosts: Tue Jan 31 19:50:17 2017 | ALL: 198.51.100.27
ALL: 198.51.100.27
# DenyHosts: Wed Feb 1 16:57:02 2017 | ALL: 203.0.113.230
ALL: 203.0.113.230
4. Use your favorite scripting language to parse the addresses. This simple Bash script works:
#!/bin/bash
# Skip the DenyHosts comment lines, keep the address after "ALL:", drop duplicates,
# and publish one address per line where the web server can serve it.
grep -v '^#' /etc/hosts.deny | awk '{print $2}' | sort -u > /var/www/html/sshblock.txt
The output file should be in a directory accessible to your web server. Consider placing it on a different server.
5. Generate some SSH traffic, with failed logins, to make sure you are capturing the addresses. Be careful: denyhosts will by default ban your IP address in the hosts.deny file, and once the feed is in use that ban becomes a block on the Firepower appliance. You will need to know how to clear the blocks. This is a useful site: http://www.tecmint.com/block-ssh-server-attacks-brute-force-attacks-using-denyhosts/
6. Make sure to run your script (from Step 4) on a regular basis by running a cron job every few minutes or so. /var/www/html/sshblock.txt should contain one IP address per line:
203.0.113.4
192.0.2.120
198.51.100.3
198.51.100.27
203.0.113.230
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 144 Security Intelligence Custom Feed Prepare the Target
7. Verify you can download the file with a web browser. Host the file on a server reachable only from inside your network rather than one exposed to the outside world: the feed is a block list, so anyone who can modify the file controls what the FMC blocks.
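The Prepare the Target steps above (parse hosts.deny, write one address per line, run it from cron) as one complete script. This is an added example, not the script from the deck: it adds an IPv4 sanity check, de-duplication, a refusal to publish from an unreadable source, and an atomic write so the FMC never fetches a half-written file. The function names (extract_blocked_ips, publish_feed, make_sample_hosts_deny), the cron line, and the sample hosts.deny content are assumptions made for the example; the sample is constructed to match the shape of the slide's excerpt.

```shell
#!/bin/sh
# Added example (not the deck's script): turn DenyHosts' /etc/hosts.deny into a
# Security Intelligence feed file, one IPv4 address per line.
# Assumptions: source and destination paths are passed as arguments (or a
# constructed sample is used), and the destination sits in a web root that is
# reachable internally only.

# Print the banned addresses from a hosts.deny-style file:
#   - skip "# DenyHosts: ..." comment lines and blank lines
#   - take the address field of "ALL: <addr>" / "sshd: <addr>" lines
#   - keep only well-formed IPv4 dotted quads (each octet 0-255)
#   - de-duplicate, preserving first-seen order
extract_blocked_ips() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        NF >= 2 && $1 ~ /:$/ && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($2, o, ".")
            ok = 1
            for (i = 1; i <= n; i++) if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (ok && !seen[$2]++) print $2
        }'
}

# Write the feed atomically (temp file + rename in the same directory) so the
# web server never serves a partial list while the FMC is fetching it. Refuse
# to run against an unreadable source: an empty feed would silently unblock everyone.
publish_feed() {
    src="$1"; dest="$2"
    [ -r "$src" ] || { echo "publish_feed: cannot read $src" >&2; return 1; }
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    extract_blocked_ips "$src" > "$tmp" \
        && chmod 0644 "$tmp" \
        && mv -f "$tmp" "$dest"
}

# Constructed sample (assumption, not a real capture) with the same shape as the
# slide's hosts.deny excerpt, plus a duplicate, an sshd: entry and two malformed
# lines to exercise the filter.
make_sample_hosts_deny() {
    cat > "$1" <<'EOF'
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
ALL: 192.0.2.120
sshd: 198.51.100.3
ALL: 999.1.1.1
ALL: not-an-ip
EOF
}

# With two arguments, publish a real feed; run it from cron, for example:
#   */5 * * * * /usr/local/bin/sshblock-feed.sh /etc/hosts.deny /var/www/html/sshblock.txt
# With no arguments, demonstrate on the constructed sample in a temp directory.
main() {
    if [ "$#" -eq 2 ]; then
        publish_feed "$1" "$2"
    else
        work=$(mktemp -d)
        make_sample_hosts_deny "$work/hosts.deny"
        publish_feed "$work/hosts.deny" "$work/sshblock.txt"
        cat "$work/sshblock.txt"
        rm -rf "$work"
    fi
}
main "$@"
```

Run with no arguments and the demo prints 203.0.113.4, 192.0.2.120 and 198.51.100.3: the duplicate, the 999.x octet and the non-address are dropped. Since the FMC polls a custom feed no more often than every 30 minutes (Step 9), a five-minute cron interval only controls how fresh the file is at the moment it is fetched. The filter is IPv4-only; extend the awk pattern if your DenyHosts installation bans IPv6 clients.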
Security Intelligence Custom Feed: Create the Feed
8. On Firepower Management Center (FMC), navigate to Objects -> Security Intelligence -> Network Lists and Feeds. Click “Add Network Lists and Feeds” in the upper right corner.
9. Select Feed, populate the Feed URL and the Update Frequency, and click Save.
In the current software release, the update interval cannot be shorter than every 30 minutes.
10. In your Access Control Policy, click the Security Intelligence tab and add the new feed to the Blacklist.
The SSH-Blacklist feed should be placed in the Blacklist column.
11. Verify the blocks are occurring.
The reason shown for each block is SSH-Blacklist.
The blocks protect ALL hosts behind the Firepower device, not just those running DenyHosts.
Firepower
Traditional Firepower appliances use Firepower software. Example: FP-7050, FP-7125, FP-8130, FP-8250, FP-8370, Firepower Virtual IPS
ASA with Firepower Services
ASA with Firepower Services uses traditional ASA software plus an IPS module (a hardware module on the ASA-5585-X, a software module on the other ASA-5500-X models) running Firepower software. Often referred to as ASA+SFR. Example: ASA-5506-X, ASA-5525-X, ASA-5545-X, ASA-5585-X
Firepower Threat Defense
Firepower Threat Defense (FTD) software combines ASA and Firepower features into a single software image. It is available on the newer Firepower appliances and most ASA-5500-X models. Example: ASA-5506-X, ASA-5545-X, FP-2110, FP-4140, FP-9300, NGFWv, but NOT the ASA-5585-X
Routed / Transparent Mode (Firepower Threat Defense)
[Figure: appliance between VLAN 10 and VLAN 20]
The appliance is installed in either Routed or Transparent mode. This is a global setting.
Routed: Interfaces belong to different L3 networks; the appliance is a routed hop.
Transparent: Interfaces belong to different L2 networks (different VLANs) that are bridged within the same L3 subnet; the appliance is a bump in the wire.
Passive Mode (Firepower Threat Defense, Firepower, ASA with Firepower Services)
Passive: A promiscuous interface receives copies of traffic from a SPAN port or TAP. Because it only sees copies, it can detect but cannot drop traffic inline.
Passive interfaces are available regardless of whether the appliance is installed in Transparent or Routed mode.
Inline Pair Mode (Firepower Threat Defense or Firepower)
Inline Pair: Traffic passes from one member interface to the other without changing either VLAN or L3 network. It functions as a smart wire.
[Figure: VLAN 10 on both sides of the inline pair]
Inline Pairs are available regardless of whether the appliance is installed in Transparent or Routed mode.
Interfaces can also be 802.1q trunks.
Inline Pair Mode (Firepower Threat Defense or Firepower)
Inline Set: A grouping of one or more Inline Pairs.
Inline Pair Mode (Firepower Threat Defense or Firepower)
Inline TAP: Traffic passes from one member interface to the other without changing either VLAN or L3 network. As traffic passes, a copy is sent to the inspection engine, so traffic cannot be blocked; this is detection only, useful for staging a policy before switching the set to true inline.
Like Inline Pairs, Inline TAP is available regardless of whether the appliance is installed in Transparent or Routed mode.
The Problem with Asymmetric Traffic
Asymmetric traffic flows prevent a security device from seeing the full traffic flow, so stateful inspection and IPS rules that need both directions of a session cannot work.
For best results, design your network to force symmetry.
[Figure: request and reply between a client and a Web Server taking different paths]
Clustering
If you are using Firepower Threat Defense (FTD) or ASA with Firepower Services (ASA+SFR), Inter-Chassis Clustering is a great option.
Clustering enables multiple security appliances to function as a single logical device and supports asymmetric traffic flows, while also providing N+1 redundancy.
FTD supports Inter-Chassis Clustering in 6.2 and later software, on FP-4100 and FP-9300 appliances.
[Figure: Internet to Web Server through a cluster of appliances]
Thank you