cisco firepower ngips tuning and live las vegas... · 2017-09-13 · where can you get official...


  • Cisco Firepower NGIPS Tuning and Best Practices

    John Wise, Security Instructor

    High Touch Delivery, Cisco Learning Services

    CTHCRT-2000

  • © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

    Cisco Spark

    Questions? Use Cisco Spark to communicate with the speaker after the session

    How:

    1. Find this session in the Cisco Live Mobile App

    2. Click “Join the Discussion”

    3. Install Spark or go directly to the space

    4. Enter messages/questions in the space

    Cisco Spark spaces will be available until July 3, 2017.

    cs.co/ciscolivebot#CTHCRT-2000

  • Agenda

    • Introduction

    • Inspection Order

    • Network Discovery

    • Traffic to Not Inspect and Fast Path

    • Base Intrusion Policies

    • Variables

    • Connection Events

  • Introduction


    Cisco Learning Services

    Where can you get official training on Firepower technologies? Cisco High Touch Delivery at Learning@Cisco!

    We offer a 4-day ILT or Virtual course based on Firepower, where we cover everything from the ground up. Developed and delivered by Cisco High Touch Delivery in Advanced Services, we are the official place for all Firepower security training.

    Firepower Class offerings:

    • Firepower200: 5-day course covering Firepower Threat Defense

    • SSFIPS: 4-day course covering Firepower NGIPS

    Just ask if you would like additional information!

    Internet crime costs companies billions of dollars annually

    Understanding how to profile attackers and defend network and data assets is essential

    Cisco Learning Services Security training will help protect your business’s reputation, which is one of its most important assets

    To learn more about the Cisco Learning Services Security courses, visit www.cisco.com/web/learning/learning_services/courses/security.html


    Ask Yourself…

    “Am I sure I am properly configured?”

    “Am I optimally tuned? Could I improve my system performance, security posture, and reduce false positives?”

    Let’s look at a few of the most common misunderstandings and misconfigurations – save yourself a call to support!

    We have 30 minutes. Let’s begin!


  • Understand The Order of Inspection


    Firepower Order of Inspection

    “Memorize This!”

    [Diagram: Traffic Flow → Security Intelligence → SSL Policy → Access Control Policy → Malware & File Policy → Intrusion Policy → Further Inspection]

    Security Intelligence

    • Blocks blacklisted IPs, DNS, and URLs before inspection by the ACP.

    • Traffic blocked here never enters the later policies.

    SSL Policy

    • Decrypts SSL traffic.

    • Ability to block SSL traffic based on criteria.

    • Decrypted traffic can be seen by the later policies.

    Access Control Policy (Firewall Component)

    • Inspect up to Layer 7.

    • Make Block, Inspect, or Trust (no further inspection) decisions on traffic.

    Malware & File Policy

    • Inspect, block, or store files. Detect, block, and alert on files determined to be malware.

    Intrusion Policy

    • IPS. Traffic inspection by Snort rules looking for malicious traffic.


  • Define Your Network Discovery Policy


    Network Discovery Policy

    Firepower will automatically build Host Profiles based on your Network Discovery Policy.

    [Diagram: Managed Device (with its Network Discovery Policy) → Firepower Management Center → Automatically Generated Host Profiles: Vulnerabilities, Operating Systems, Services, Ports, Protocols, Applications]


    Network Discovery Policy Processing Order

    But this only occurs here. Therefore, if traffic does not reach this inspection point no discovery information is captured!

    [Diagram: Fast Path → Traffic Flow → Security Intelligence → SSL Policy → Access Control Policy → Malware & File Policy → Intrusion Policy → Further Inspection, with a Network Discovery box marking the single point in the flow where discovery occurs]


    Is Your Network Discovery Policy Defined?

    … so you must go in and define this policy!

    Define your network here

    “Did you know? Not defining your Network Discovery Policy can cause you to exceed your host limits!”


    Define Your Network

    1st – ensure this is enabled. In 6.x this is off by default.

    2nd – Discover, to build host profiles

    • Your internal network – what you are protecting

    3rd – Exclude, to prevent host profiles for certain devices

    • Load Balancers, NAT Devices, anything you are not protecting


  • Identify Traffic to Not Inspect


    Should You Inspect all Traffic? Probably Not.

    • Traffic not requiring inspection:

      • VoIP

      • Backup

      • Scanner

    • Elephant flows can cause performance issues!

      • Backup traffic is a prime example

    • How? Use an ACP rule with the ‘Trust’ action to not inspect traffic

    You can usually tell you have an elephant flow when you see just one CPU core spike!

  • Can You Fast Path Any Traffic?


    Fast Pathing Traffic is Fast!

    • Fast Pathing traffic is the fastest way to not inspect certain traffic

    • Can also be used to block in certain hardware and configurations

    [Diagram: Fast Path → Traffic Flow → Security Intelligence → SSL Policy → Access Control Policy → Malware & File Policy → Intrusion Policy → Further Inspection, with Network Discovery; the Fast Path box, ahead of every Firepower policy, is where fast pathed traffic is processed]
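The order-of-inspection, discovery-point and Fast Path diagrams above all describe one pipeline, so here is a single worked model of it, added here and not part of the deck. It uses a small constructed configuration (one Security Intelligence blacklist entry, a fast-pathed backup subnet, and discovery/exclude networks) and makes one assumption: Network Discovery is modelled as happening at the Access Control Policy stage.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample configuration (not from the deck): one SI blacklist entry,
# a fast-pathed backup subnet, and a discovery policy for 10/8 minus a NAT range.
SI_BLACKLIST = {ipaddress.ip_address("203.0.113.9")}
FAST_PATH_NETS = [ipaddress.ip_network("10.50.0.0/16")]
DISCOVER_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXCLUDE_NETS = [ipaddress.ip_network("10.9.9.0/24")]

# Stage order as drawn on the slides, with Fast Path ahead of every Firepower
# policy. Discovery is modelled at the ACP stage (an assumption, see lead-in).
ORDER = ["Fast Path", "Security Intelligence", "SSL Policy",
         "Access Control Policy", "Malware & File Policy", "Intrusion Policy"]

def in_any(ip, nets):
    return any(ip in n for n in nets)

def wanted(ip):
    # A host the discovery policy is meant to profile.
    return in_any(ip, DISCOVER_NETS) and not in_any(ip, EXCLUDE_NETS)

@dataclass
class Trace:
    stages: list = field(default_factory=list)  # stages the flow reached
    verdict: str = "fully inspected"
    profiled: set = field(default_factory=set)  # hosts that get a host profile

def inspect(src: str, dst: str) -> Trace:
    """Walk one flow through the inspection order and record where it stops."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    t = Trace()
    for stage in ORDER:
        t.stages.append(stage)
        if stage == "Fast Path" and (in_any(s, FAST_PATH_NETS) or in_any(d, FAST_PATH_NETS)):
            t.verdict = "fast-pathed"       # never enters a Firepower policy
            return t
        if stage == "Security Intelligence" and (s in SI_BLACKLIST or d in SI_BLACKLIST):
            t.verdict = "blocked by SI"     # later policies never see it
            return t
        if stage == "Access Control Policy":
            t.profiled = {str(ip) for ip in (s, d) if wanted(ip)}
    return t

def unprofiled_hosts(flows) -> set:
    """Hosts you meant to profile whose traffic never reached the discovery point."""
    seen, profiled = set(), set()
    for src, dst in flows:
        seen.update(h for h in (src, dst) if wanted(ipaddress.ip_address(h)))
        profiled |= inspect(src, dst).profiled
    return seen - profiled
```

Running `unprofiled_hosts` over a day of flows shows which protected hosts will never get a host profile (and therefore never feed Firepower Recommendations) because everything they send is fast-pathed or dropped by Security Intelligence.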


    Fast Pathing Based On Firepower Platform

    • Cisco ASA with FirePOWER Services

    • FirePOWER 7000/8000

    • Firepower Threat Defense image for ASA 5500-X*, Firepower 2100, 4100, 9300, VMware, and Amazon Web Services

    *Excludes ASA 5585-X

    You fast path differently in each of these three platforms!


    Fast Pathing With ASA Firepower Services

    [Diagram: ASA packet flow – Receive Packet → Ingress Interface → Existing Conn.? → ACL Permit? → Match Xlate? → Inspections / Sec. Checks → FirePOWER → NAT IP Header → L3 Route → L2 Address → Egress Interface → XMIT Packet; a “No” at any check drops the packet]

    Fast Path on the ASA, not in Firepower


    Fast Pathing With Firepower 8000 Series

    • 8000 Series devices can use ‘Fast Path Rules’ defined in the ‘Devices’ tab

    “Fast path rules are slowly going away however – use promoted rules instead”


    Fast Pathing With Firepower 7000/8000 Series

    • 7000/8000 use ‘Promoted ACP Rules’ to fast path traffic

    • Create ACP rules that:

      1. Are Trust, Block, or Block with Reset

      2. Have only these conditions: VLAN, IP, Security Zone, Port

      3. Are placed above all other ACP rules

    If the ACP rule meets all these conditions, the rule will be ‘promoted’


    Rule Promotion Example

    These two rules will automatically be promoted to fast path.

    Notice both are using Port and IP for identifying the traffic, and are placed above all other rules!

    “You won’t see this occur in the GUI! This is an automatic system process”
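Because promotion is invisible in the GUI, it helps to check an ACP rule order by hand. The Python check below is an added example (not from the deck or from Cisco) that applies the three promotion conditions to a constructed policy, reading the third condition as a contiguous block at the top of the rule order: the first rule that fails stops promotion for everything beneath it.

```python
from dataclasses import dataclass

# Eligibility criteria from the 7000/8000 slides: only these actions and
# only these outer-header conditions can be promoted to the fast path.
PROMOTABLE_ACTIONS = {"Trust", "Block", "Block with reset"}
PROMOTABLE_CONDITIONS = {"vlan", "ip", "zone", "port"}

@dataclass
class AcpRule:
    name: str
    action: str
    conditions: frozenset   # condition types the rule matches on, e.g. {"ip", "port"}

def disqualifiers(rule: AcpRule) -> list:
    """Reasons (possibly none) why this rule on its own cannot be promoted."""
    reasons = []
    if rule.action not in PROMOTABLE_ACTIONS:
        reasons.append(f"action {rule.action!r} is not Trust/Block/Block with reset")
    extra = sorted(rule.conditions - PROMOTABLE_CONDITIONS)
    if extra:
        reasons.append("uses deep-inspection conditions: " + ", ".join(extra))
    return reasons

def promotion_report(policy: list) -> dict:
    """Walk the ACP top-down. Promotion stops at the first rule that does not
    qualify, because promoted rules must sit above all other rules; everything
    below that point stays in the normal ACP even if it would otherwise qualify."""
    report, blocked_by = {}, None
    for rule in policy:
        reasons = disqualifiers(rule)
        if blocked_by is not None:
            reasons.append(f"placed below non-promotable rule {blocked_by!r}")
        if reasons:
            blocked_by = blocked_by or rule.name
        report[rule.name] = ("promoted", []) if not reasons else ("not promoted", reasons)
    return report

def promoted_rules(policy: list) -> list:
    return [n for n, (state, _) in promotion_report(policy).items() if state == "promoted"]

# Constructed sample policy (not from the deck): rule 3 breaks the chain, so the
# otherwise-eligible rule 4 is not promoted until it is moved above rule 3.
SAMPLE_POLICY = [
    AcpRule("Block scanner subnet", "Block", frozenset({"ip", "port"})),
    AcpRule("Trust VoIP", "Trust", frozenset({"zone", "port"})),
    AcpRule("Allow web apps", "Allow", frozenset({"ip", "application"})),
    AcpRule("Block telnet", "Block with reset", frozenset({"port"})),
]
```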


    Promoted ACP Rule Processing – 7000/8000

    • The promoted rules are written in the ACP

    • When applied to your Sensor they get automatically pushed to the Fast Path

    [Diagram: Fast Path → Traffic Flow → Security Intelligence → SSL Policy → Access Control Policy → Malware & File Policy → Intrusion Policy → Further Inspection, with Network Discovery; an arrow shows the promoted rules moving from the Access Control Policy to the Fast Path]


    Fast Pathing With Firepower Threat Defense

    • FTD code has a new policy called ‘Prefilter’

    • Prefilter Policy uses limited outer-header criteria to quickly process traffic

    [Diagram: Prefilter Policy → Traffic Flow → Security Intelligence → SSL Policy → Access Control Policy → Malware & File Policy → Intrusion Policy → Further Inspection, with Network Discovery; fast pathing occurs at the Prefilter Policy stage]


  • Base Intrusion Policies


    Use One of These 3 Base Intrusion Policies

    • Cisco Talos provides and updates Base Policies for you – choose the security approach you wish to have

    • Talos provides updates at least twice a week, and responds to ever-changing security threats in real time

    Base Policies (increasing protection level, from first to last):

    • Connectivity over Security

    • Balanced Security and Connectivity

    • Security over Connectivity


    Are You Using One of These Base Policies?

    • Maximum Detection

      • Not for use in deployment – Do Not Use unless directed to do so!

    • No Rules Active

      • Often used if planning to use Firepower Recommendations to turn rules on based on your environment

    • Tip! If you plan to use ‘Firepower Recommendations’ to adjust SNORT rule states, it is best to start with Security over Connectivity and use the recommendations to adjust these in a layer

    • “Note: Talos rule updates do not automatically affect ‘No Rules Active’, and you will no longer have the advantage of Talos’ input for the rule states”


  • Define Your HOME_NET Variable


    Did You Define HOME_NET?

    • HOME_NET is used in the majority of your SNORT rules

    • Defining HOME_NET will significantly tune your system and reduce false positives

    • This is one of the most important settings to configure!

    “Look! This is defined as ‘any’ – you need to go in and define this with your internal and protected networks”


  • EXTERNAL_NET


    Did You Define EXTERNAL_NET?

    • EXTERNAL_NET defines what is outside your network – this is ‘any’ by default

    You have two options:

    • Define as not HOME_NET (!HOME_NET)

    or

    • Leave as ‘any’


    Defining EXTERNAL_NET as !HOME_NET is Popular, But Not Always Appropriate

    • If you define EXTERNAL_NET as !HOME_NET you will miss some internally-based attacks, but will notice a significant performance gain

    “Be careful if you defined EXTERNAL_NET as !HOME_NET and associated it with traffic originating from inside your network”


    Remember, Variables Are Assigned to Intrusion Policies in ACP Rules

    • And therefore you can have multiple definitions!

    You choose the variable set here!


    So Consider Using Multiple EXTERNAL_NET Definitions

    • Create a definition of EXTERNAL_NET as !HOME_NET for traffic from outside your network to the inside of your network

    • Leave EXTERNAL_NET as ‘any’ for traffic that is internal to internal

    • You can do this with ‘Security Zones’ in your ACP rules!

    [Diagram: traffic flow through the Access Control Policy with ACP Rule 1, ACP Rule 2 and ACP Rule 3, each tied to an intrusion policy (Sec over Conn or Balanced) and its own variable set – EXTERNAL_NET set to ‘any’, EXTERNAL_NET set to !HOME_NET, EXTERNAL_NET set to ‘any’]
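The following Python model is an added example, not part of the deck, covering both the !HOME_NET caveat above and the zone-based choice of EXTERNAL_NET. HOME_NET is a constructed value, and the rule header `$EXTERNAL_NET any -> $HOME_NET any` stands in for the majority of Snort rules that use these variables.

```python
import ipaddress

# Constructed HOME_NET (stand-in for the internal networks you would define).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def in_home_net(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in n for n in HOME_NET)

def var_matches(ip: str, value: str) -> bool:
    """Evaluate one address against a variable value: 'any', 'HOME_NET' or '!HOME_NET'."""
    if value == "any":
        return True
    negate = value.startswith("!")
    hit = in_home_net(ip)
    return not hit if negate else hit

def rule_fires(src: str, dst: str, external_net: str) -> bool:
    """Model the header most Snort rules use: $EXTERNAL_NET any -> $HOME_NET any."""
    return var_matches(src, external_net) and var_matches(dst, "HOME_NET")

def external_net_for(src_zone: str, dst_zone: str) -> str:
    """Zone-based variable-set choice from the deck: !HOME_NET for outside->inside,
    'any' for internal-to-internal (and for anything else, to stay on the safe side)."""
    return "!HOME_NET" if (src_zone == "outside" and dst_zone == "inside") else "any"

def missed_by_negation(flows) -> list:
    """Flows a rule would catch with EXTERNAL_NET=any but not with !HOME_NET:
    exactly the internally-based attacks the slide warns you would miss."""
    return [f for f in flows
            if rule_fires(f[0], f[1], "any") and not rule_fires(f[0], f[1], "!HOME_NET")]
```

Feed `missed_by_negation` a sample of real internal-to-internal flows before switching a variable set to !HOME_NET, and attach that set only to the outside-to-inside ACP rules as the slide suggests.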


  • Tune Your Connection Events


    Remember The Logging Flow

    [Diagram: Traffic Flow → Connection Events sent to Firepower Management Center]

    “Did you know ‘Event Viewer’ refers to your Firepower Management Center?”

    Note: If connection logging is not enabled, no connection events are sent to the Firepower Management Center!


    But Should You Log All Connection Events? Probably Not.

    If you are logging all traffic, you will likely have poor retention times and could overwork your FMC

    So, create ACP rules to identify traffic you do not wish to log!

    The best way to do this… create a DNS query ACP rule that does not log connection events!


  • Final Considerations!


    Are You Aware?

    • Security Intelligence ‘Whitelists’ are only for overriding a Blacklist entry

      • Whitelisted traffic is NOT trusted

      • This traffic will continue through inspection!

    • “Did you know? In order to take advantage of DNS Security Intelligence (new in 6.x) you must first create a DNS Policy and associate that policy to your ACP Policy”


    And Lastly…

    • Use ‘Adaptive Profiles’

      • This will reassemble IP fragments and streams based on the OS seen in the Host Profile

    • Do not modify or change your ‘Network Analysis Policy’ unless under guidance

    Turn it on here

    Leave this alone unless under expert guidance!


    • Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.

    • Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

    Complete Your Online Session Evaluation

    Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.


    Continue Your Education

    • Demos in the Cisco campus

    • Walk-in Self-Paced Labs

    • Lunch & Learn

    • Meet the Engineer 1:1 meetings

    • Related sessions


  • Thank you