BRKSEC-3300 Advanced Firepower IPS Deployment
Gary Halleen, Technical Solutions Architect
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
How:
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-3300

About Your Speaker
Gary Halleen
Email: [email protected]
Security Architect, Global Security Architect Team
• 19 years at Cisco
• Amateur Radio: K7TRO

Oregon – Pacific Wonderland (photo slides)

Some of My Hobbies (photo slides)

Cisco Firepower Sessions: Building Blocks
Tuesday
• 08:30 BRKSEC-3035 Dissecting Firepower Platform & Firepower Services
• 11:30 BRKSEC-3328 FMC Internals: Making FMC Do More
Wednesday
• 08:30 BRKSEC-2064 NGFWv and ASAv in Public Cloud
• 11:00 BRKSEC-3300 Advanced IPS Deployment (We Are Here!)
Thursday
• 09:00 BRKSEC-3455 Firepower FTD Deep Dive
• 11:00 BRKSEC-3032 Firepower NGFW in the DC and Enterprise
Friday
• 11:00 BRKSEC-2020 NGFW Clustering Deep Dive
Afternoon sessions (day column not recoverable from the extracted grid)
• 14:30 BRKSEC-2112 Firepower Internet Edge Best Practices
• 16:30 BRKSEC-3352 Advanced Snort Rule Writing for Firepower

Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

Introduction (For Your Reference)
For the purposes of this session, these terms are treated the same:
• Firepower
• Firepower Threat Defense
• ASA with Firepower Services

Introduction: Management Options
• Centralized: Firepower Management Center (FMC) enables comprehensive security administration and automation of multiple appliances.
• On-box: Firepower Device Manager (FDM) enables easy on-box management of common security policy tasks.
• Cloud-based: Cisco Defense Orchestrator (CDO) enables cloud-based policy management of multiple deployments.

Firepower Management Center (FMC)
This session covers Firepower 6.2.x and later, managed with FMC. We will NOT cover the older Cisco IPS 7.0.
• Centralized Management: Multi-domain management; Role-based access control; High availability; APIs and pxGrid integration
• Security functions: Firewall & AVC; NGIPS; AMP; Security Intelligence
• Operations: Manage across many sites; Control access and set policies; Investigate incidents; Prioritize response

Firepower 6.3 (For Your Reference)
Platform Capabilities
• Multi-Instance for 4100/9300: flexible approach for up to 14 instances; supports HA
• TLS HW Accelerated Decryption: higher TLS inspection throughput; supported on all Firepower platforms
• Fail-to-Wire Netmods for FP2100: transition NGIPS to Firepower 2100s
• Improved Migrations: new migration tools
Operations
• Airgap/Export Licensing: controlled subscription licensing for closed networks; export licensing for government and military customers outside the United States
• FQDN based access control: enables control for dynamic cloud based apps
• Local Management for FTD: onbox manager for many commercial use-cases; supports HA, Passive Auth with FMC; RA VPN Migration
• 2FA & RADIUS CoA for RA VPN
Visibility & Security
• Events direct-from-device: integrate better with other Cisco and 3rd party SIEMs (Connection and IPS); Audit Logging and Connection and IPS syslogs from the device
• Direct-to-Device APIs (2100 and below): automation and orchestration for MSPs; enable integrations

6.3 Multi-Instance for Firepower 4100/9300
• Allows organizations to deploy independent tenants for multiple departments or customers (FTD 1, FTD 2, FTD 3, FTD 4)
• Resource and Management Separation
• Instances are fully independent and fault tolerant
• Smooth workflow enabling faster provisioning
• 3-14 instances (FP9300 and FP4100s only)
• Multi-Instance is free – no SKU

Pick from many deployment modes
• Inline or Passive: Inline; Inline Tap; Passive
• Fail-to-wire NetMods: available on 2100, 4100 and 9300
• Additional options: Routed; Transparent; Virtual or Physical

Section: Policy Interaction and Firepower Recommendations

Firepower Policies: How often are Policies Modified?
• Frequently: Access Control Policy; Intrusion Policy; SSL Policy
• Little: Malware and File Policy; DNS Policy; Correlation Policy
• Rarely: Network Discovery Policy; Network Analysis Policy; Identity Policy; Health Policy; Prefilter Policy

Policy Order of Operation
Prefilter (FTD only) → Access Control Policy → Intrusion (for AppID; optional)
Access Control Policy stages: SSL → Identity → SI / DNS → Access Control Rules → Intrusion → File / Malware

Intrusion Policy
The Intrusion Policy defines which Snort rules are used in packet inspection.

Intrusion Base Policy
Base Policy | CVSS Score | Vulnerability Age | Rule Categories (always included)
Connectivity over Security | 10 | Current year, plus 2 prior (2019, 2018, and 2017) | (none)
Balanced Security and Connectivity | 9+ | Current year, plus 2 prior | Malware-CNC, Blacklist, SQL Injection, Exploit Kit
Security over Connectivity | 8+ | Current year, plus 3 prior (2019, 2018, 2017, and 2016) | Malware-CNC, Blacklist, SQL Injection, Exploit Kit, App-Detect
Maximum Detection | 7.5+ | 2005 and later | Malware-CNC, Exploit Kit

Intrusion Policy
You can manually Enable/Disable individual rules or configure actions.
Several ways to search for rules…

Network Discovery Policy
• Used to identify which networks Firepower should “learn” from.
• Useful for applications, and especially for maintaining the Firepower Recommended Rules in the Intrusion Policy.

Intrusion Policy and Network Discovery Policy
Firepower Recommended Rules automatically tunes your Snort rules for the applications, servers, and hosts on your network.
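The base-policy table above decides which Snort rules start out enabled. The following added example (not Cisco's code or part of the slides) applies those CVSS, vulnerability-age and category criteria to a few constructed rules, so you can see which base policy would enable a rule and which rules a chosen policy leaves for manual tuning. It assumes, since the slide does not say so, that a rule is enabled when it meets both the CVSS floor and the age window, or when it belongs to one of the policy's always-on categories; the SIDs and rule metadata are constructed, not real Talos rules.

```python
# Added example: which base policies would enable a Snort rule under the
# CVSS / age / category criteria from the Intrusion Base Policy table.
# Assumption (not stated on the slide): enabled if (CVSS floor AND age
# window) OR the rule is in one of the policy's always-on categories.
from dataclasses import dataclass

CURRENT_YEAR = 2019  # the slide's "current year"

# name -> (CVSS floor, prior years counted, always-on categories)
# prior_years=None means "2005 and later" (Maximum Detection).
BASE_POLICIES = {
    "Connectivity over Security": (10.0, 2, ()),
    "Balanced Security and Connectivity":
        (9.0, 2, ("malware-cnc", "blacklist", "sql-injection", "exploit-kit")),
    "Security over Connectivity":
        (8.0, 3, ("malware-cnc", "blacklist", "sql-injection", "exploit-kit",
                  "app-detect")),
    "Maximum Detection": (7.5, None, ("malware-cnc", "exploit-kit")),
}

@dataclass(frozen=True)
class SnortRule:
    sid: int          # constructed SIDs below, not real Talos rules
    cvss: float
    vuln_year: int
    category: str

def policies_enabling(rule):
    """Base policies in which `rule` would be enabled."""
    enabled = []
    for name, (floor, prior, cats) in BASE_POLICIES.items():
        oldest = 2005 if prior is None else CURRENT_YEAR - prior
        by_score = rule.cvss >= floor and rule.vuln_year >= oldest
        if by_score or rule.category.lower() in cats:
            enabled.append(name)
    return enabled

def not_covered_by(rules, policy):
    """SIDs a chosen base policy leaves disabled: the ones you would have
    to enable by hand or via Firepower Recommendations."""
    return [r.sid for r in rules if policy not in policies_enabling(r)]

# Constructed sample rules for illustration only.
SAMPLE_RULES = [
    SnortRule(1000001, 9.3, 2018, "server-webapp"),
    SnortRule(1000002, 6.0, 2019, "malware-cnc"),
    SnortRule(1000003, 10.0, 2015, "server-other"),
    SnortRule(1000004, 5.0, 2019, "app-detect"),
]
```

Note that a CVSS 10 rule for a 2015 vulnerability (sid 1000003) is enabled only in Maximum Detection under these criteria, which is the kind of gap Firepower Recommendations or a manual rule change has to close.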