BRKSEC-3300

Advanced Firepower IPS Deployment

Gary Halleen, Technical Solutions Architect


BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

About Your Speaker

Gary Halleen
Email: [email protected]
Security Architect, Global Security Architect Team
19 years at Cisco
Amateur Radio: K7TRO

Oregon – Pacific Wonderland

Some of My Hobbies

Cisco Firepower Sessions: Building Blocks (Tuesday through Friday)

• BRKSEC-3035 Dissecting Firepower Platform Deep Dive
• BRKSEC-2064 NGFWv and ASAv in Public Cloud
• BRKSEC-3455 Firepower FTD & Firepower Services
• BRKSEC-3328 FMC Internals: Making FMC Do More
• BRKSEC-3300 Advanced IPS Deployment (We Are Here!)
• BRKSEC-3032 NGFW Clustering Deep Dive
• BRKSEC-2020 Firepower NGFW in the DC and Enterprise
• BRKSEC-2112 Firepower Internet Edge Best Practices
• BRKSEC-3352 Advanced Snort Rule Writing for Firepower

Agenda

• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

Introduction (For Your Reference)

For the purposes of this session, these terms are treated the same:

• Firepower
• Firepower Threat Defense
• ASA with Firepower Services

Introduction: Management Options

• Centralized: Firepower Management Center (FMC). Enables comprehensive security administration and automation of multiple appliances.
• On-box: Firepower Device Manager (FDM). Enables easy on-box management of common security and policy tasks.
• Cloud-based: Cisco Defense Orchestrator (CDO). Enables cloud-based policy management of multiple deployments.
• Upcoming

Firepower Management Center (FMC)

This session covers Firepower 6.2.x and later, managed with FMC. We will NOT cover the older Cisco IPS 7.0.

Centralized Management with Firepower Management Center:

• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration

Functions managed: Firewall & AVC, NGIPS, AMP, Security Intelligence.

Manage across many sites. Control access and set policies. Investigate incidents. Prioritize response.

Firepower 6.3 (For Your Reference)

Platform Capabilities:

• Multi-Instance for 4100/9300: flexible approach for up to 14 instances; supports HA
• TLS HW Accelerated Decryption: higher TLS inspection throughput; supported on all Firepower platforms
• Fail-to-Wire Netmods for FP2100: transition NGIPS to Firepower 2100s
• Improved Migrations: new migration tools

Operations:

• Airgap/Export Licensing: controlled subscription licensing for closed networks; export licensing for government and military customers outside the United States
• Local Management for FTD: onbox manager for many commercial use-cases; supports HA, Passive Auth with FMC; RA VPN migration
• Direct-to-Device APIs (2100 and below): automation and orchestration for MSPs; enable integrations

Visibility & Security:

• Events direct-from-device: integrate better with other Cisco and 3rd party SIEMs; connection and IPS
• FQDN based access control: enables control for dynamic cloud based apps
• 2FA & RADIUS CoA for RA VPN
• Audit Logging, and Connection and IPS syslogs from the device

6.3: Multi-Instance for Firepower 4100/9300

• Allows organizations to deploy independent tenants for multiple departments or customers
• Resource and management separation
• Instances are fully independent and fault tolerant
• Smooth workflow enabling faster provisioning
• 3-14 instances (FP9300 and FP4100s only)
• Multi-Instance is free; there is no SKU

Pick from Many Deployment Modes

• Inline or Passive
• Fail-to-wire NetMods (available on 2100, 4100 and 9300)
• Additional options: Inline, Inline Tap, Passive
• Routed or Transparent
• Virtual or Physical


Firepower Policies

How often are policies modified?

• Frequently: Access Control Policy, Intrusion Policy, SSL Policy, Identity Policy, Prefilter Policy
• Little: Malware and File Policy, DNS Policy, Correlation Policy, Health Policy
• Rarely: Network Discovery Policy, Network Analysis Policy

Policy Order of Operation

Prefilter Policy (FTD only) -> Access Control Policy, which evaluates in this order: SSL -> Identity -> SI / DNS -> Intrusion (for AppID; optional) -> Access Control Rules -> Intrusion -> File / Malware

Intrusion Policy

The Intrusion Policy defines which Snort rules are used in packet inspection.

Intrusion Base Policy

• Connectivity over Security: CVSS score 10; vulnerability age current year plus 2 prior (2019, 2018, and 2017)
• Balanced Security and Connectivity: CVSS score 9+; current year plus 2 prior; rule categories Malware-CNC, Blacklist, SQL Injection, Exploit Kit
• Security over Connectivity: CVSS score 8+; current year plus 3 prior (2019, 2018, 2017, and 2016); rule categories Malware-CNC, Blacklist, SQL Injection, Exploit Kit, App-Detect
• Maximum Detection: CVSS score 7.5+; 2005 and later; rule categories Malware-CNC, Exploit Kit

Intrusion Policy

You can manually enable/disable individual rules or configure actions.

Several ways to search for rules…

Network Discovery Policy

• Used to identify which networks Firepower should “learn” from.
• Useful for applications, and especially for maintaining the Firepower Recommended Rules in the Intrusion Policy.

Intrusion Policy and Network Discovery Policy

Firepower Recommended Rules automatically tunes your Snort rules for the applications, servers, and hosts on your network.

Access Control Policy

• Traffic must match in the Access Control Policy in order to be inspected. For a simple IPS deployment, you can use the Default Action.
• In a NGFW deployment, the Default Action will likely be “Block All Traffic”. An Intrusion Policy needs to be defined for each Allow action.
• If you need to, different Allow rules can have different Intrusion Policies assigned.


Network Analysis Policy

What is this? Do I need to do anything here?

• The Network Analysis Policy (NAP) controls the Preprocessors, and determines things such as:
  o Fragmentation Reassembly
  o Protocol Compliance

“What should we tune?” It is a trade-off between Security and Usability.

• By default, there are no tunable NAP policies. You’ll need to create one (Create Policy).
• Give your policy a name (Create and Edit Policy).

Do these Base Policies look familiar? Besides the name, these Base Policies have NOTHING in common with the Intrusion Base Policies.

Enable/Disable Preprocessors

• Some Preprocessors are disabled by default:
  o Portscan Detection
  o Rate-Based Attack Prevention
  o Inline Normalization
• Enable these if you need them.

Fragmentation

• Both IP and TCP can cause a stream of data to break into many parts.
• Both IP fragmentation and TCP segmentation may be naturally occurring, or performed intentionally to evade the IPS.
• IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate this evasion technique.

If the attack is: USER root
TCP segments: HDR USER | HDR root
IP fragments: HDR HDR US | HDR ER | HDR HDR ro | HDR ot

How Bad Can Fragmentation Get?

Layers: IP, TCP, SMB, MSRPC, Payload.

A packet capture of the regular attack is ~4k; after layers of evasion it is 30MB or more, in hundreds of thousands of packets!

Network Analysis Policy: Inline Normalization. Tune it? MAYBE

• Disabled by default.
• Enforces protocol compliance for the TCP and IP protocols.
• Enabling normalization will block some non-standard implementations and many attacks. However, it can potentially block poorly-written legitimate traffic.
• How risk-averse are you?

Network Analysis Policy: TCP Stream. Tune it? YES

• Unless you are deploying IPS into a segment containing ONLY Windows hosts, you absolutely should tune this.
• TCP Stream determines how fragmented TCP traffic is reassembled.
• Different operating systems handle reassembly differently, and it is critical that your IPS understands the hosts.

Network Analysis Policy: UDP Stream. Tune it? Probably Not

• Not much to tune.

Network Analysis Policy: IP Defragmentation. Tune it? YES

• Similar reason as TCP Stream.
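As an added illustration (not code from the deck), here is a small reassembler that takes the slide's “USER root” example split into TCP segments and then IP fragments, delivered out of order: a per-packet check misses it, IP defragmentation plus TCP stream reassembly finds it, and fragments that overlap with conflicting bytes are flagged rather than resolved, because which copy a host keeps depends on its OS, which is exactly why TCP Stream and IP Defragmentation have to be tuned for the hosts behind the sensor. It assumes byte-granular fragment offsets (real IP offsets are in 8-byte units) and a side table giving each datagram's TCP sequence number; all traffic is constructed.

```python
"""Added example, not from the Cisco deck: why an IPS must reassemble IP
fragments and TCP segments before matching a signature.
Simplifications: fragment offsets are in bytes, and the TCP sequence number
carried by each datagram is supplied in a side table."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PATTERN = b"USER root"


@dataclass(frozen=True)
class IPFragment:
    frag_id: int   # IP identification: all fragments of one datagram share it
    offset: int    # where this fragment's bytes sit inside the datagram
    more: bool     # More-Fragments flag (False only on the last fragment)
    data: bytes


@dataclass(frozen=True)
class TCPSegment:
    seq: int       # relative sequence number of the first payload byte
    data: bytes


def _merge(pieces: List[Tuple[int, bytes]], total: Optional[int]) -> Optional[bytes]:
    """Place each piece at its offset. Returns None if a byte is missing or
    two pieces disagree where they overlap. Snort's stream/defrag preprocessors
    resolve such overlaps according to the target OS policy; here the
    ambiguity is simply flagged instead of guessed at."""
    buf: Dict[int, int] = {}
    for off, data in pieces:
        for i, b in enumerate(data):
            if buf.get(off + i, b) != b:
                return None                      # conflicting overlap
            buf[off + i] = b
    end = total if total is not None else (max(buf) + 1 if buf else 0)
    if any(i not in buf for i in range(end)):
        return None                              # hole: incomplete
    return bytes(buf[i] for i in range(end))


def reassemble_ip(frags: List[IPFragment]) -> Dict[int, Optional[bytes]]:
    """Group fragments by IP id and rebuild each datagram's payload."""
    by_id: Dict[int, List[IPFragment]] = {}
    for f in frags:
        by_id.setdefault(f.frag_id, []).append(f)
    out: Dict[int, Optional[bytes]] = {}
    for fid, parts in by_id.items():
        last = [p for p in parts if not p.more]
        if not last:
            out[fid] = None                      # last fragment never arrived
            continue
        total = last[0].offset + len(last[0].data)
        out[fid] = _merge([(p.offset, p.data) for p in parts], total)
    return out


def reassemble_tcp(segs: List[TCPSegment]) -> Optional[bytes]:
    """Rebuild one direction of a TCP stream from possibly reordered segments."""
    return _merge([(s.seq, s.data) for s in segs], None)


def match_per_packet(chunks: List[bytes]) -> bool:
    """What a sensor without reassembly sees: each packet on its own."""
    return any(PATTERN in c for c in chunks)


def inspect_flow(frags: List[IPFragment], seq_of: Dict[int, int]) -> Tuple[bool, bool, bool]:
    """Returns (per_packet_hit, reassembled_hit, anomaly).
    seq_of maps an IP id to the TCP sequence number of the segment it carries."""
    per_packet = match_per_packet([f.data for f in frags])
    datagrams = reassemble_ip(frags)
    if any(d is None for d in datagrams.values()):
        return per_packet, False, True           # incomplete or conflicting fragments
    stream = reassemble_tcp([TCPSegment(seq_of[fid], d) for fid, d in datagrams.items()])
    if stream is None:
        return per_packet, False, True           # gap or conflict in the TCP stream
    return per_packet, PATTERN in stream, False


# Constructed traffic laid out as on the slide: 'USER ' and 'root' are two TCP
# segments, each cut into two IP fragments, delivered out of order.
SAMPLE = [
    IPFragment(2, 2, False, b"ot"),
    IPFragment(1, 0, True, b"US"),
    IPFragment(2, 0, True, b"ro"),
    IPFragment(1, 2, False, b"ER "),
]
SEQ_OF = {1: 0, 2: 5}
# The same traffic plus an overlapping fragment carrying different bytes.
CONFLICT = SAMPLE + [IPFragment(2, 2, False, b"XX")]

if __name__ == "__main__":
    print(inspect_flow(SAMPLE, SEQ_OF))     # (False, True, False)
    print(inspect_flow(CONFLICT, SEQ_OF))   # (False, False, True)
```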

Access Control Policy – Advanced Settings

Don’t forget to select the Network Analysis Policy from the Access Control Policy -> Advanced tab.

If you need to use multiple Network Analysis Policies (maybe some networks have Windows servers, and another has , for example), you can create rules to perform the mapping.


Impact Flags

• Remember, we recommend you utilize the Network Discovery Policy…
• This allows you to use Impact Flags for analysis.

Do you know what these mean?

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 45 Understanding Impact Flags

Intrusion Events Impact Flag

Source / Destination IP

Protocol (TCP/UDP)

Source / Destination Port

Service

Snort ID

IOC: Predefined Impact

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Understanding Impact Flags

Intrusion Events Host Profile Impact Flag [Outside Profile Range] Source / Destination IP [Host not yet profiled]

Protocol (TCP/UDP) IP Address User IDs

Source / Destination Port Protocols

Server Side Ports

Service Client Side Ports

Services CVE Snort ID Client / Server Apps

Operating System IOC: Predefined Impact Potential Vulnerabilities

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Understanding Impact Flags

Intrusion Events Host Profile Impact Flag Action Why [Outside Profile Range] Source / Destination IP Event occurred outside [Host not yet profiled] 0 profiled networks

Protocol (TCP/UDP) IP Address User IDs

Source / Destination Port Protocols

Server Side Ports

Service Client Side Ports

Services CVE Snort ID Client / Server Apps

Operating System IOC: Predefined Impact Potential Vulnerabilities

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Understanding Impact Flags

Intrusion Events Host Profile Impact Flag Action Why [Outside Profile Range] Source / Destination IP Event occurred outside [Host not yet profiled] 0 profiled networks

Protocol (TCP/UDP) IP Address Previously unseen host User IDs 4 within monitored network

Source / Destination Port Protocols

Server Side Ports

Service Client Side Ports

Services CVE Snort ID Client / Server Apps

Operating System IOC: Predefined Impact Potential Vulnerabilities

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Understanding Impact Flags

Intrusion Events Host Profile Impact Flag Action Why [Outside Profile Range] Source / Destination IP Event occurred outside [Host not yet profiled] 0 profiled networks

Protocol (TCP/UDP) IP Address Previously unseen host User IDs 4 within monitored network

Source / Destination Port Protocols Relevant port not open or Server Side Ports 3 protocol not in use

Service Client Side Ports

Services CVE Snort ID Client / Server Apps

Operating System IOC: Predefined Impact Potential Vulnerabilities

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Understanding Impact Flags

Intrusion Events Host Profile Impact Flag Action Why [Outside Profile Range] Source / Destination IP Event occurred outside [Host not yet profiled] 0 profiled networks

Protocol (TCP/UDP) IP Address Previously unseen host User IDs 4 within monitored network

Source / Destination Port Protocols Relevant port not open or Server Side Ports 3 protocol not in use

Service Client Side Ports Relevant port or protocol in 2 use but no vulnerability

Services mapped CVE Snort ID Client / Server Apps

Operating System IOC: Predefined Impact Potential Vulnerabilities

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Understanding Impact Flags

Intrusion Events Host Profile Impact Flag Action Why [Outside Profile Range] Source / Destination IP Event occurred outside [Host not yet profiled] 0 profiled networks

Protocol (TCP/UDP) IP Address Previously unseen host User IDs 4 within monitored network

Source / Destination Port Protocols Relevant port not open or Server Side Ports 3 protocol not in use

Service Client Side Ports Relevant port or protocol in 2 use but no vulnerability

Services mapped CVE Snort ID Client / Server Apps Host vulnerable to attack or Operating System 1 showing an IOC. IOC: Predefined Impact Potential Vulnerabilities

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Understanding Impact Flags

Intrusion Events Host Profile Impact Flag Action Why [Outside Profile Range] Source / Destination IP Event occurred outside [Host not yet profiled] 0 profiled networks

Protocol (TCP/UDP) IP Address Previously unseen host User IDs 4 within monitored network

Source / Destination Port Protocols Relevant port not open or Server Side Ports 3 protocol not in use

Service Client Side Ports Relevant port or protocol in 2 use but no vulnerability

Services mapped CVE Snort ID Client / Server Apps Host vulnerable to attack or Operating System 1 showing an IOC. IOC: Predefined Impact Potential Vulnerabilities
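As an added example (not the deck's or FMC's own code), this derives an Impact Flag by applying the five rules above, in the slide's order, to an event and the host profile that Network Discovery built, then sorts an event queue by impact. The profile and event fields, the monitored network, the addresses and the CVE-EXAMPLE-* identifiers are all constructed assumptions, and only destination-host correlation is modelled.

```python
"""Added example, not from the Cisco deck: Impact Flag derivation from an
intrusion event plus the Network Discovery host profile. All identifiers
(addresses, CVE-EXAMPLE-*) are constructed placeholders."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass
class HostProfile:
    ip: str
    protocols: Set[str] = field(default_factory=set)     # transport protocols seen, e.g. {"tcp"}
    server_ports: Set[str] = field(default_factory=set)  # "proto/port" the host serves, e.g. {"tcp/80"}
    cves: Set[str] = field(default_factory=set)          # potential vulnerabilities mapped to the host
    iocs: Set[str] = field(default_factory=set)          # indications of compromise on the host


@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int
    sid: int
    cves: Set[str] = field(default_factory=set)          # CVEs referenced by the Snort rule


def impact_flag(ev: IntrusionEvent, hosts: Dict[str, HostProfile], monitored: List[str]) -> int:
    """Impact flag for the event's destination host (source-side correlation omitted)."""
    target = ip_address(ev.dst_ip)
    if not any(target in ip_network(net) for net in monitored):
        return 0   # event occurred outside the profiled networks
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4   # previously unseen host within a monitored network
    if ev.proto not in host.protocols or f"{ev.proto}/{ev.dst_port}" not in host.server_ports:
        return 3   # relevant port not open, or protocol not in use, on this host
    if host.iocs or (ev.cves & host.cves):
        return 1   # host is vulnerable to this attack or already showing an IOC
    return 2       # port/protocol in use, but no matching vulnerability mapped


def triage(events: List[IntrusionEvent], hosts: Dict[str, HostProfile],
           monitored: List[str]) -> List[IntrusionEvent]:
    """Work order for an analyst: impact 1 first, then 2, 3, 4; impact 0 last."""
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    return sorted(events, key=lambda e: order[impact_flag(e, hosts, monitored)])


# Constructed Network Discovery data: one profiled web server inside 10.0.0.0/8.
MONITORED = ["10.0.0.0/8"]
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", {"tcp"}, {"tcp/80"}, {"CVE-EXAMPLE-A"}),
}
# Constructed events: the same kind of rule hitting different targets.
EVENTS = [
    IntrusionEvent("198.51.100.5", "tcp", 80, 1000001, {"CVE-EXAMPLE-A"}),  # outside profile -> 0
    IntrusionEvent("10.1.1.99", "tcp", 80, 1000001, {"CVE-EXAMPLE-A"}),     # unseen host -> 4
    IntrusionEvent("10.1.1.10", "tcp", 22, 1000002),                         # port not open -> 3
    IntrusionEvent("10.1.1.10", "tcp", 80, 1000003, {"CVE-EXAMPLE-B"}),     # no matching vuln -> 2
    IntrusionEvent("10.1.1.10", "tcp", 80, 1000001, {"CVE-EXAMPLE-A"}),     # vulnerable -> 1
]

if __name__ == "__main__":
    for ev in triage(EVENTS, HOSTS, MONITORED):
        print(impact_flag(ev, HOSTS, MONITORED), ev.dst_ip, ev.proto, ev.dst_port, ev.sid)
```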

6.3: Contextual Cross-Launch

• New to Firepower Management Center (FMC) 6.3.
• From any relevant event or dashboard, right-click and launch a query into a different product.
• Several tools are already included.
• Do you have a favorite tool? Add your own: Analysis -> Advanced -> Contextual Cross-Launch.
• Examples: Cisco Stealthwatch cross-launch and Cisco Tetration cross-launch. Note: The URL will differ according to your Tetration deployment and tenant IDs.


Snort Rules

Firepower uses Snort Rules for Intrusion Prevention.

Cisco provides regular rule updates. Most customers deploy these automatically.

Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion Rules -> Create Rule), or can be imported.

Snort Rule Editor

Snort Rules

• Snort Rules are normally created on a single line, with no special characters, and in ASCII or UTF-8 format.
• The import file can contain many rules as long as they are one rule per line.
• Many of the Emerging Threats rules use deprecated syntax (the “threshold” statement). If you are importing ET rules, you’ll need to correct or remove these rules first. Threshold has been replaced with detection_filter.
• A rule should not have a rule SID, but one is allowed.

All on ONE line.

Snort Rules (continued)

• Sometimes it is much more readable to spread the rule across multiple lines. Do this with the backslash character: \

Example rule (from Emerging Threats):

alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)

Snort Rules (continued)

• This ET rule has a deprecated keyword, “threshold”, as well as “type limit”, so let’s fix it. The threshold line becomes a detection_filter line and “type limit” is dropped:

alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
detection_filter: track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
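Added example, not from the slides: a small script that performs the preparation steps above on a third-party rule file, joining backslash-continued lines into one rule per line, rewriting threshold into detection_filter the way the slide does (keeping track/seconds/count, dropping type limit), checking that the file is ASCII/UTF-8 without control characters, and warning about rules that carry their own sid. The sample file is constructed with documentation address ranges rather than the ET rule shown.

```python
"""Added example, not from the Cisco deck: prepare a Snort rule file for
FMC import (Objects -> Intrusion Rules -> Import Rules)."""
import re
from typing import List, Tuple

THRESHOLD_RE = re.compile(r"\bthreshold\s*:\s*([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*\d+")


def join_continuations(text: str) -> List[str]:
    """One rule per line: glue lines ending in a backslash, skip comments and blanks."""
    rules, cur = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if not cur and (not line or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            cur += line[:-1]          # keep the spacing before the backslash as written
            continue
        cur += line
        rules.append(cur.strip())
        cur = ""
    if cur.strip():
        rules.append(cur.strip())     # file ended on a continuation line
    return rules


def fix_threshold(rule: str) -> str:
    """threshold: type limit, track by_src, seconds 3600, count 1;
       -> detection_filter: track by_src, seconds 3600, count 1;
    detection_filter gates the rule (it fires only once count matches are seen
    within seconds) rather than capping alert volume, so review the numbers."""
    def repl(m: re.Match) -> str:
        kv = {}
        for part in m.group(1).split(","):
            key, _, val = part.strip().partition(" ")
            kv[key] = val.strip()
        if not {"track", "seconds", "count"} <= kv.keys():
            return m.group(0)         # unexpected form: leave it for manual review
        return (f"detection_filter: track {kv['track']}, "
                f"seconds {kv['seconds']}, count {kv['count']};")
    return THRESHOLD_RE.sub(repl, rule)


def prepare_import(raw: bytes) -> Tuple[List[str], List[str]]:
    """Returns (rules ready for import, warnings)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return [], ["file is not ASCII/UTF-8"]
    rules, warnings = [], []
    for n, rule in enumerate(join_continuations(text), 1):
        if not all(c.isprintable() or c == "\t" for c in rule):
            warnings.append(f"rule {n}: dropped, contains control characters")
            continue
        fixed = fix_threshold(rule)
        if fixed != rule:
            warnings.append(f"rule {n}: threshold rewritten as detection_filter")
        if SID_RE.search(fixed):
            warnings.append(f"rule {n}: carries its own sid (allowed, not recommended)")
        rules.append(fixed)
    return rules, warnings


# Constructed sample file in the multi-line style shown on the slide.
SAMPLE_FILE = rb"""# constructed sample, not the ET rule from the slide
alert tcp \
[192.0.2.0/24,198.51.100.0/24] \
any -> $HOME_NET any (msg:"SAMPLE inbound from listed ranges"; \
flags:S; threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH probe"; flags:S; classtype:attempted-recon;)
"""

if __name__ == "__main__":
    ready, notes = prepare_import(SAMPLE_FILE)
    print("\n".join(ready))
    print("\n".join(notes))
```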

Importing Snort Rules

• Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules.
• Click on “Import Rules”.
• Click on “Browse” to locate your file, and click “Import”.
• If successful, you will see a screen showing what has been imported.

Enabling Snort Rules

• Remember, all imported rules are Disabled by default. You need to enable these.


How do you Exempt Specific Servers from a Snort Rule?

Options:

1. Look at the rule and see whether you can modify the variables in use ($EXTERNAL_NET and $HOME_NET, for example).

2. Use a different Intrusion Policy for some hosts. This could have a memory or performance impact if overused.

3. Create a Pass Rule -> Probably the Best Option

Pass Rule Example

[Diagram: a Network Scanner at 203.0.113.24 on the Campus network probing a Web Server and an SSH Server]

Open the firing rule in the Rule Editor (Objects -> Intrusion Rules).

Change Action to “pass”.

Change the Message (add “PASS RULE – ” to the beginning).

Add the IP address or variable name (e.g. $SCANNER_HOSTS) to the source or destination IP.

Click “Save as New”.

Finally, Edit the Intrusion Policy, and change the Rule State for your new Local Rule to “Generate Events”. Save and Deploy the Intrusion Policy.
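As an added illustration (constructed for this write-up, not a rule from the session or from Cisco/Talos), the first rule below stands in for the rule that fired on the scanner, and the second is the pass rule the steps above produce from it. The SIDs are placeholders, and $SCANNER_HOSTS is assumed to be a variable in the policy's variable set that contains the scanner's address (203.0.113.24 in the diagram).

```snort
# Constructed stand-in for the firing rule (placeholder SID, not a real rule).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP example directory traversal attempt"; \
    flow:to_server,established; content:"../"; http_uri; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# The pass rule built from it ("Save as New" gives it its own SID):
#   - action changed from alert to pass
#   - message prefixed with "PASS RULE - "
#   - source network narrowed to the scanner ($SCANNER_HOSTS, or 203.0.113.24 literally)
# Everything else stays identical, so the pass covers exactly the traffic that fired
# and nothing more; the rule is then set to "Generate Events" in the Intrusion Policy.
pass tcp $SCANNER_HOSTS any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"PASS RULE - SERVER-WEBAPP example directory traversal attempt"; \
    flow:to_server,established; content:"../"; http_uri; \
    classtype:web-application-attack; sid:1000002; rev:1; )
```

Keeping the match options identical is the point: widening the pass rule (for example to any source) would silence the original rule for everyone, not just the scanner.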

Snort Restart and Reload Architecture

Prior to Firepower 6.2.2, making the Intrusion Rule changes just described would have caused a Snort Restart, and potentially disrupted network traffic.

Significant improvements in 6.2.3, and especially in 6.3 software, have dramatically reduced the number of things that can cause a Snort Restart.

Why does Snort Restart?

• New version of Snort in policy deploy
• Reallocate memory for pre-processors/Security Intelligence (6.2.x)
• Reload shared objects
• Pre-processor configuration changes (6.2.x)
• Configured to restart instead of reload (screenshot annotation: “No” means Snort will restart every time a policy changes.)

Cisco.com info on 6.2.3 Restart Conditions: http://cs.co/9006DcfbG

6.2.3 and later warns if any configuration change will interrupt inspection (restart Snort).

Mitigations

1. Snort Preserve-Connection (6.2.0 / 6.2.3 introduction)
2. Software Bypass
3. Upgrade to Firepower 6.3

Snort Preserve-Connection

• When Snort goes down, connections with an Allow verdict are preserved in LINA
• Snort does NOT do a mid-session pickup on preserved flows when it comes back up
• Does NOT protect against new flows while Snort is down
• 6.2.0.2/6.2.3 Feature Introduction. Enabled by default in 6.2.3
• Can be enabled/disabled from the CLI: configure snort preserve-connection enable/disable

Software Bypass

• With inline Fail-Open deployments, traffic is passed uninspected on the Software bridge when Snort is down.
• When Snort comes up, Snort does a mid-session pickup on traffic


Bypass Options

• Software Bypass: Enable traffic, uninspected, when Snort is down or busy.
• Fail-to-Wire Interfaces: Bypass traffic upon appliance failure, including loss of power.
• Automatic Application Bypass: Restarts Snort processes upon degraded performance.
• Intelligent Application Bypass: Application-specific acceleration of defined applications if performance is degraded.
• Trust Rules: Accelerate defined traffic but still apply Security Intelligence.
• Prefilter Policy: Bypass deep inspection and Security Intelligence based on Port / Protocol / IP Address / Zone.

Software Bypass

Software Bypass is only available in Inline Pairing mode or ASA with Firepower Services.

Fail-to-Wire Interfaces

Fail-to-Wire interfaces allow for pass-through of traffic in case of appliance failure or loss of NetMod power. Supported platforms:
• FP-9300
• FP-4100
• FP-2100 (requires 6.3)
• FP-7000, 7100, 8100, 8200, and 8300

Fail-to-Wire requires: Inline Set, Inline Pair, or Inline Tap deployment.

Automatic Application Bypass (AAB)

Detects Snort failures or degraded performance and triggers a restart of the impacted Snort process. First available in FTD in 6.2.2.

Trust Rules

Within the Access Control Policy, defined traffic can be exempted from File and IPS inspection, which accelerates it through the appliance. Basing the rule on Source/Destination Port and IP addresses is most effective. Security Intelligence feeds are still applied to Trust rules.

On FP-4100/9300 appliances, a Trust rule enables Dynamic Flow Offload on eligible flows, and handles the traffic on the HW NIC. Not supported on Inline, Inline Tap, or Passive Interfaces!

PreFilter Policy

PreFilter rules are processed prior to Intrusion Prevention or Access Control Policies. If traffic can be defined by Zone, Network, and Port (similar to an ASA rule), the traffic can be FastPathed. This is similar to a Trust rule, but Security Intelligence is not applied.

• PreFilter rules require Firepower Threat Defense.
• On FP-4100/9300 appliances, a Fastpath rule enables Static Flow Offload on eligible flows, and handles the traffic on the HW NIC. Static Flow Offload is not supported on Inline, Inline Tap, or Passive interfaces.

Intelligent Application Bypass (IAB)

Detects degraded performance within an application. If that application is trusted, you can configure IAB to bypass inspection for that application automatically and accelerate the traffic.


Intelligent Application Bypass: What is IAB?

IAB takes action when a Snort instance is Under Duress, if the following conditions are met:
1. Is the flow a candidate for bypass?
2. Is this a bypassable application?

If the conditions are satisfied, then Firepower will accelerate the flow.

Intelligent Application Bypass: Caveats!

• When IAB works to full capability, the flow under duress is handled the same as a PreFilter FastPath or ACP Trust rule.
• If the Access Control Policy (ACP) uses IP-based Security Intelligence, then Snort needs to see the traffic briefly before it is FastPathed.
• If the ACP uses DNS- or URL-based Security Intelligence, then both Snort and AppID need to see the traffic before it is FastPathed. AppID sometimes takes longer to identify the application, depending on which application it is.

Configuring Intelligent Application Bypass

Find IAB on the Advanced tab of the Access Control Policy. In 6.2.3, it is on the bottom left of the page. In 6.3, it is on the top right.

• By default, IAB is disabled.
• With 6.2.3, all fields are blank. No default values.
• With 6.3, default values are entered.

Set the State to On or Test, and set the sample period.

Inspection Performance Thresholds: Is the Snort process under duress?

These fields are a Logical OR, and refer to the Snort process rather than overall appliance CPU.

• Drop Percentage
• Processor Utilization
• Packet Latency
• Flow Rate

Flow Bypass Thresholds: Is the flow a candidate to bypass? These values are all a Logical OR.

Bytes per Flow is “How big is the flow?”

Take the AMP max file size under consideration!

Flow Velocity is “Size over time of the flow”.

Each Snort instance can handle approximately 1 Gbps, which is 125,000 kbytes/second.

Screenshot value: 45000

I disagree with this default value. 250,000 kbytes/second will never trigger on today’s FP or ASA hardware. A better starting value for most customers is about 40,000 or 50,000 kbytes/second.

Define Applications that are Bypassable

May be easier to just allow All Applications.

Monitoring Intelligent Application Bypass

IAB Events appear in Connection Events with a reason of “Intelligent App Bypass”.


OpenAppID: Cisco’s Open Source Application Layer Plugin for Snort and Firepower

OpenAppID uses the Lua programming language to identify applications. There are a number of attributes it can look at, including:

• ASCII or Hex patterns and offset
• HTTP User Agent
• HTTP URL
• HTTP Content Type
• SSL Host
• SSL Organization Unit
• SSL Common Name
• SIP Server
• SIP User Agent
• RTMP URL Pattern

Most internal Firepower Application Detectors are included in the Snort OpenAppID rules, including Lua source code.

OpenAppID within Firepower: Application Detectors

All Application Detectors in Firepower 6.0+ use OpenAppID.

Custom Application Detectors can be created here, as well.

OpenAppID within Firepower: Basic Application Detector

FMC provides a Wizard for creation of Basic detectors. Advanced detectors require you to upload the Lua file.

OpenAppID within Firepower: Advanced Application Detector (For Your Reference)

If you need an Advanced detector, you’ll need to write it yourself, or request one from TAC.

OpenAppID Example with Intrusion Policy

OpenAppID and the Intrusion Policy: A lot of “noise” is created in the Intrusion Logs of any IDS/IPS product by automated scripts searching for vulnerable systems and trying generic attacks.

[Diagram: Internet -> Web Server, with a scanner’s terminal output shown:]

[blkh4t@wd40 ~]$ hackerw3bscan –v 198.51.100.33
Ports open: tcp/80, tcp/443
Server: apache 2.4.18
Vulnerabilities found:
CVE-2016-4979 SSL Bypass
CVE-2016-1546 HTTP2 DOS

An Example

These scans or attacks against your IP addresses may or may not be successfully blocked by your IPS devices. They generate noise in your logs.

Question: Is there a legitimate reason for Internet users to access your server(s) by IP address instead of FQDN?

The Goal: Block all web traffic that targets an IP Address rather than the correct hostname. Use the Intrusion Policy to inspect legitimate traffic.

[Diagram: Internet -> Web Server, now blocked, with the scanner’s output shown:]

[blkh4t@wd40 ~]$ hackerw3bscan –v 198.51.100.33
No web server found!

OpenAppID and the Intrusion Policy: Creating the Custom Detector

1. From the Application Detectors screen, click the button to Create Custom Detector.
2. Click the “Add” button.
3. Complete the required fields to name your custom application.
4. Click OK.
5. Enter the same Name and Description as in the previous step, and select the Application you just created from the pulldown menu.
6. Leave the Detector_Type as Basic.
7. Click OK.
8. Click “Add” to add Detection Patterns. This is where we’ll define what the application “looks like” to Firepower.
9. Select HTTP from the Protocol pulldown menu, and URL as Type.
10. Enter your domain name.
11. Click OK.
12. Repeat the process to add the SSL information.
13. Click OK.
14. Click on “Save”.

Remember: Basic Detectors perform an OR operation on the Detection Patterns. In this example, any HTTP or HTTPS connection destined to *.zenbango.com will trigger the detector.

Activating the Custom Detector

15. You can find your Application Detector by selecting Custom Type in the Filters.
16. The new Application Detector will not function until it is Activated by clicking on the State slider.

WARNING: When you Activate or Deactivate any Detector, it will trigger your appliances in the current domain or child domain to restart Snort. This will potentially be disruptive to your network traffic.

Assigning the Custom Detector to the Access Control and Intrusion Policy

17. Tie it all together by using an Allow Rule (with Intrusion Policy assigned) for traffic matching the new application. Block all other traffic.

Effectiveness…


Security Intelligence Feeds (For Your Reference)

Included SI Feeds:

IP Address           URLs                      DNS
Attackers            URL Attackers             DNS Attackers
Bogon                URL Bogon                 DNS Bogon
Bots                 URL Bots                  DNS Bots
CnC                  URL CnC                   DNS CnC
Cryptomining (NEW)   URL Cryptomining (NEW)    DNS Cryptomining (NEW)
Dga                  URL Dga                   DNS Dga
ExploitKit           URL Exploitkit            DNS Exploitkit
Malware              URL Malware               DNS Malware
Open_proxy           URL Open_proxy            DNS Open_proxy
Open_relay           URL Open_relay            DNS Open_relay
Phishing             URL Phishing              DNS Phishing
Response             URL Response              DNS Response
Spam                 URL Spam                  DNS Spam
Suspicious           URL Suspicious            DNS Suspicious
Tor_exit_node        URL Tor_exit_node         DNS Tor_exit_node

Security Intelligence

Go to the Appendix for an example on creating a custom Security Intelligence feed.


According to Network Computing, 72% of all internet traffic is SSL encrypted.

Is your IPS still effective?

SSL Inspection

The percentage of TLS/SSL traffic is increasing dramatically. IDS/IPS deployments need to take this into consideration. Options to consider:
1. Decryption Offload, passing decrypted traffic to the Sensor
2. Onbox Decryption

Additionally, do you decrypt Inbound, Outbound, or both?

Firepower can decrypt TLS/SSL traffic, if you want to do it onbox.

Inbound Traffic
• Traffic is decrypted by installing the Servers’ SSL Certificate and Private Key onto the FMC.

Outbound Traffic
• Traffic is decrypted by installing a wildcard certificate and performing a “man in the middle attack” against your users’ SSL traffic.

In this session, we will focus only on Inbound.

SSL Inspection with Known Key Example

You need both the host’s private key and the .crt file. Go to Objects -> PKI -> Internal Certs to add the certificate information for the host.

Create an SSL Policy to decrypt traffic with this known key for the associated host. Once this is complete, add this SSL Policy to the Access Control Policy.

SSL Hardware Decryption

• Firepower 6.3 enables Hardware Decryption, by default, for SSL/TLS traffic on Firepower appliances, including the FP-2100.
• Firepower 6.2.3 enabled Hardware Decryption on FP-4100/9300 platforms, but it was disabled by default.
• Performance is dramatically improved over the Software Decryption that was previously performed.

To disable hardware decryption, you can use the following command from the FTD CLI:

FTD 6.2.3: system support ssl-hw-offload disable
FTD 6.3: system support ssl-hw-force-offload-disable


Additional Slides

These slides did not fit in the time allowed for the session.

Security Intelligence Example: Security Intelligence Custom Feed

An Example: A publicly-exposed SSH Server will be continuously probed for weaknesses, as well as brute-force login attempts. Let’s use failed login attempts to build our own SI Feed.

[Diagram: Internet -> SSH Server, with the attacker’s terminal and the server’s log shown:]

[blkh4t@wd40 ~]$ ncrack zenbango.com:22
Starting Ncrack 0.5 ( http://ncrack.org ) at 2017-01-09 12:42 PST

Jan 9 15:42:50 www unix_chkpwd[28658]: password check failed for user (root)
Jan 9 15:42:57 www unix_chkpwd[28680]: password check failed for user (root)
Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from 198.51.100.87
Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from 198.51.100.87
Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don)
Jan 9 15:43:25 www unix_chkpwd[28887]: password check failed for user (rich)
Jan 9 15:43:31 www unix_chkpwd[28922]: password check failed for user (gary)
Jan 9 15:44:33 www unix_chkpwd[29302]: password check failed for user ()
Jan 9 15:44:38 www unix_chkpwd[29341]: password check failed for user (kim)
Jan 9 15:45:44 www unix_chkpwd[29737]: password check failed for user (operator)
Jan 9 15:45:52 www sshd[10694]: Invalid user dan from 198.51.100.87
Jan 9 15:45:54 www unix_chkpwd[29797]: password check failed for user (root)
Jan 9 15:46:02 www unix_chkpwd[29842]: password check failed for user (mail)
Jan 9 15:46:09 www unix_chkpwd[29878]: password check failed for user (nobody)
Jan 9 15:46:31 www unix_chkpwd[30019]: password check failed for user (rich)
Jan 9 15:46:31 www unix_chkpwd[30020]: password check failed for user (don)
Jan 9 15:46:38 www unix_chkpwd[30065]: password check failed for user (gary)

The Goal: Create your own Security Intelligence Feed to block hosts that attempt to log in to your SSH Server and fail authentication multiple times.

[Diagram: Internet -> Web Server and SSH Server, with the attacker now blocked]

Security Intelligence Custom Feed: Prerequisites

1. The first step is to configure your honeypot with the desired services installed, hardened, and logged.

There are a number of tools available to dynamically block or log connection/authentication attempts. Two that work well are and denyhosts.

Security Intelligence Custom Feed: Prepare the Target

2. In this example, we’re using denyhosts to dynamically block SSH attempts after 6 failed login attempts.

/etc/denyhosts.conf file (pertinent sections):
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 6
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
RESET_ON_SUCCESS = yes

3. Create a script to parse the blocked IP addresses from denyhosts’ log file. The /etc/hosts.deny file looks like this:

# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
# DenyHosts: Tue Jan 31 09:42:58 2017 | ALL: 198.51.100.3
ALL: 198.51.100.3
# DenyHosts: Tue Jan 31 19:50:17 2017 | ALL: 198.51.100.27
ALL: 198.51.100.27
# DenyHosts: Wed Feb 1 16:57:02 2017 | ALL: 203.0.113.230
ALL: 203.0.113.230

4. Use your favorite scripting language to parse the addresses. This simple Bash script works:

#!/bin/bash
# Skip the "# DenyHosts: ..." comment lines, keep the address that follows "ALL:",
# and write one address per line where the web server can serve the file.
grep -v '^#' /etc/hosts.deny | awk '{print $2}' > /var/www/html/sshblock.txt

The output file should be in a directory accessible to your web server. Consider placing it on a different server.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 143 Security Intelligence Custom Feed Prepare the Target

5. Generate some SSH traffic, with failed logins, to make sure you are capturing the addresses. Be careful: by default, DenyHosts will ban your own IP address in the hosts.deny file, so you will need to know how to clear the blocks. This is a useful site: http://www.tecmint.com/block-ssh-server-attacks-brute-force-attacks-using-denyhosts/

6. Make sure to run your script (from Step 4) on a regular basis, for example as a job every few minutes.

/var/www/html/sshblock.txt (one IP address per line):

203.0.113.4
192.0.2.120
198.51.100.3
198.51.100.27
203.0.113.230


7. Verify you can download the file with a web browser. It is a good idea to host the file on a server reachable internally only, rather than one accessible to the outside world.
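A more defensive version of the Step 4 script, added here as an example and not part of the session slides: it accepts only well-formed "ALL: <IPv4>" entries, de-duplicates them, and replaces the published file atomically so the Step 6 cron job never leaves a half-written feed for FMC to download. The argument-based interface and the sample hosts.deny content are assumptions for the example.

```bash
#!/bin/bash
# Added example (not from the slides): build the Security Intelligence feed
# file from DenyHosts' /etc/hosts.deny, one IPv4 address per line.
# Assumed interface: paths are passed as arguments instead of being hard-coded.

# Print the unique addresses DenyHosts has blocked. Comment lines start with
# "#", so only lines whose first field is "ALL:" and whose second field is a
# well-formed IPv4 address are accepted; anything else is dropped so a
# malformed line can never end up in the feed FMC downloads.
extract_blocked_ips() {
  awk 'function is_ipv4(s,  p, i) {
         if (split(s, p, ".") != 4) return 0
         for (i = 1; i <= 4; i++)
           if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
         return 1
       }
       $1 == "ALL:" && is_ipv4($2) { print $2 }' "$1" | sort -u
}

# Publish the feed atomically: write to a temp file in the same directory and
# rename it into place, so the web server never serves a half-written list
# while the periodic job from Step 6 is running.
write_feed() {
  local deny_file="$1" out_file="$2" tmp
  tmp="$(mktemp "${out_file}.XXXXXX")" || return 1
  extract_blocked_ips "$deny_file" > "$tmp" && mv -f "$tmp" "$out_file"
}

# Constructed sample in the format shown on the slide, with a duplicate entry
# and a malformed one to show the filtering.
sample_deny_file() {
  local f
  f="$(mktemp)"
  cat > "$f" <<'EOF'
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
ALL: 203.0.113.4
ALL: 999.0.113.230
EOF
  printf '%s' "$f"
}

# Usage: sshblock.sh /etc/hosts.deny /var/www/html/sshblock.txt
if [ "$#" -eq 2 ]; then
  write_feed "$1" "$2"
fi
```

Run it from cron every few minutes with the real hosts.deny path and the web-served output path, as Step 6 describes.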

Security Intelligence Custom Feed: Create the Feed

8. On Firepower Management Center (FMC), navigate to Objects -> Security Intelligence -> Network Lists and Feeds. Click “Add Network Lists and Feeds” in the upper right corner.


9. Select Feed, and populate the URL information and Update Frequency.

In the current software release, the update frequency cannot be set shorter than every 30 minutes. Click Save.


10. In your Access Policy, click the Security Intelligence tab, and add the new feed to the Blacklist.

SSH-Blacklist should be placed here.


11. Verify the blocks are occurring.

Reason for block is SSH-Blacklist

Blocks are protecting ALL hosts – not just those running DenyHosts.

Firepower

Traditional Firepower appliances use Firepower software. Example: FP-7050, FP-7125, FP-8130, FP-8250, FP-8370, Firepower Virtual IPS

ASA with Firepower Services

ASA with Firepower Services uses traditional ASA software and a hardware or virtual IPS module running Firepower software. Often referred to as ASA+SFR. Example: ASA-5506-X, ASA-5525-X, ASA-5545-X, ASA-5585-X

Firepower Threat Defense

Firepower Threat Defense (FTD) software combines ASA and Firepower features into a single software image. This is available on newer Firepower appliances and most ASA-5500-X models. Example: ASA-5506-X, ASA-5545-X, FP-2110, FP-4140, FP-9300, NGFWv, but NOT the ASA-5585-X

Routed / Transparent Mode (Firepower Threat Defense)

[Diagram: appliance between VLAN 10 and VLAN 20]

The appliance will be installed in either Routed or Transparent mode. This is a global setting.

Routed: Interfaces belong to different L3 networks.

Transparent: Interfaces belong to different L2 networks (different VLANs).

Passive Mode (Firepower Threat Defense, Firepower, ASA with Firepower Services)

Passive: A Promiscuous Interface receives copies of traffic from a SPAN port or TAP.

Passive interfaces are available regardless of whether the appliance is installed in Transparent or Routed mode.

Inline Pair Mode (Firepower Threat Defense or Firepower)

Inline Pair: Traffic passes from one member interface to another, without changing either VLAN or L3 network. It functions as a smart wire.

[Diagram: inline pair with VLAN 10 on both member interfaces]

Inline Pairs are available regardless of whether the appliance is installed in Transparent or Routed mode.

Interfaces can also be 802.1q trunks.


Inline Set: A grouping of two or more Inline Pairs.


Inline TAP: Traffic passes from one member interface to another, without changing either VLAN or L3 network. As traffic passes, a copy is sent to the inspection engine, so traffic cannot be blocked.

Inline Pairs are available regardless of whether the appliance is installed in Transparent or Routed mode.

The Problem with Asymmetric Traffic

Asymmetric traffic flows prevent a security device from seeing the full traffic flow.

For best results, design your network to force symmetry.


Clustering

If you are using Firepower Threat Defense (FTD) or ASA with Firepower Services (ASA+SFR), Inter-Chassis Clustering is a great option.

Clustering enables multiple security appliances to function as a single device and support asymmetric traffic flows, while also providing N+1 redundancy.

FTD supports Inter-Chassis Clustering in 6.2 and later software, on FP-4100 and FP-9300 appliances.


Thank you