cisco firepower ngips tuning and live las vegas... · 2017-09-13 · where can you get official...
TRANSCRIPT
-
Cisco Firepower NGIPS Tuning and Best Practices
John Wise, Security Instructor
High Touch Delivery, Cisco Learning Services
CTHCRT-2000
-
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017.
cs.co/ciscolivebot#CTHCRT-2000
-
Agenda
• Introduction
• Inspection Order
• Network Discovery
• Traffic to Not Inspect and Fast Path
• Base Intrusion Policies
• Variables
• Connection Events
-
Introduction
-
Cisco Learning Services
Where can you get official training on Firepower technologies? Cisco High Touch Delivery at Learning@Cisco!
We offer a 4-day ILT or virtual course based on Firepower, where we cover everything from the ground up. Developed and delivered by Cisco High Touch Delivery in Advanced Services, we are the official place for all Firepower security training.
Firepower class offerings:
• Firepower200: 5-day course covering Firepower Threat Defense
• SSFIPS: 4-day course covering Firepower NGIPS
Just ask if you would like additional information!
Internet crime costs companies billions of dollars annually.
Understanding how to profile attackers and defend network and data assets is essential.
Cisco Learning Services Security training will help protect your business’s reputation, which is one of its most important assets.
To learn more about the Cisco Learning Services Security courses, visit www.cisco.com/web/learning/learning_services/courses/security.html
-
Ask Yourself…
“Am I sure I am properly configured?”
“Am I optimally tuned? Could I improve my system performance and security posture, and reduce false positives?”
Let’s look at a few of the most common misunderstandings and misconfigurations – save yourself a call to support!
We have 30 minutes. Let’s begin!
-
Understand The Order of Inspection
-
Firepower Order of Inspection
[Diagram: Traffic Flow → Security Intelligence → SSL Policy → Access Control Policy → Further Inspection (Malware & File Policy, Intrusion Policy)]
Security Intelligence
• Blocks blacklisted IPs, DNS, and URLs before inspection by the ACP.
• Traffic blocked here never enters the later policies.
SSL Policy
• Decrypts SSL traffic.
• Ability to block SSL traffic based on criteria.
• Decrypted traffic can be seen by the later policies.
Access Control Policy (Firewall Component)
• Inspects up to Layer 7.
• Makes Block, Inspect, or Trust (no further inspection) decisions on traffic.
Intrusion Policy
• IPS: traffic inspection by Snort rules looking for malicious traffic.
Malware & File Policy
• Inspect, block, or store files. Detect, block, and alert on files determined to be malware.
“Memorize This!”
-
Define Your Network Discovery Policy
-
Network Discovery Policy
Firepower will automatically build Host Profiles based on your Network Discovery Policy.
[Diagram: Managed Device → Network Discovery Policy → Firepower Management Center]
Automatically generated Host Profiles contain: Vulnerabilities, Operating Systems, Services, Ports, Protocols, Applications
-
Network Discovery Policy Processing Order
But this only occurs at the Further Inspection stage, after the Access Control Policy.
Therefore, if traffic does not reach this inspection point, no discovery information is captured!
[Diagram: Fast Path · Traffic Flow → Security Intelligence → SSL Policy → Access Control Policy → Further Inspection (Malware & File Policy, Intrusion Policy, Network Discovery)]
-
Is Your Network Discovery Policy Defined?
… so you must go in and define this policy!
[Screenshot callout: Define your network here]
“Did you know? Not defining your Network Discovery Policy can cause you to exceed your host limits!”
-
Define Your Network
1. Ensure Network Discovery is enabled. In 6.x this is off by default.
2. Discover, to build host profiles
  • Your internal network – what you are protecting
3. Exclude, to prevent host profiles for certain devices
  • Load balancers, NAT devices, anything you are not protecting
-
Identify Traffic to Not Inspect
-
Should You Inspect All Traffic? Probably Not.
• Traffic not requiring inspection:
  • VOIP
  • Backup
  • Scanner
• Elephant flows can cause performance issues!
  • Backup traffic is a prime example
• How? Use an ACP rule with the ‘Trust’ action to not inspect traffic
You can usually tell you have an elephant flow when you see just one CPU core spike!
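The order of inspection, the point at which Network Discovery runs, and the effect of a ‘Trust’ rule all follow from one fact: a flow only reaches the later stages if nothing earlier stopped it. The following Python model is an added illustration, not Cisco code; it walks a flow through the stages named on the slides (Security Intelligence, SSL Policy, Access Control Policy, then Network Discovery with the file and intrusion policies) and records what each flow reached. The Security Intelligence lists, the ACP rules and the addresses are constructed sample data, and the whitelist behaviour modelled is the one the deck states: it only overrides a blacklist hit and does not trust the traffic.

```python
"""Model of the Firepower inspection order from the slides.

Added illustration, not Cisco code: stage names follow the deck
(Security Intelligence -> SSL Policy -> Access Control Policy -> further
inspection, where Network Discovery, file and intrusion policy run).
Addresses, lists and ACP rules below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class AcpRule:
    name: str
    action: str                                    # "block", "trust" or "allow"
    dst_ports: set = field(default_factory=set)    # empty set = any port
    src_nets: list = field(default_factory=list)   # empty list = any source

    def matches(self, flow: Flow) -> bool:
        port_ok = not self.dst_ports or flow.dport in self.dst_ports
        src_ok = not self.src_nets or any(
            ip_address(flow.src) in ip_network(net) for net in self.src_nets)
        return port_ok and src_ok


# Constructed Security Intelligence lists. The whitelist only overrides a
# blacklist hit; it does not trust the traffic.
SI_BLACKLIST = {"203.0.113.9", "198.51.100.7"}
SI_WHITELIST = {"198.51.100.7"}

# Constructed ACP: a Trust rule for backup traffic, a Block rule, then a
# catch-all that sends everything else to further inspection.
ACP_RULES = [
    AcpRule("trust-backup", "trust", dst_ports={10000}, src_nets=["10.10.0.0/16"]),
    AcpRule("block-telnet", "block", dst_ports={23}),
    AcpRule("default-inspect", "allow"),
]


def inspect(flow: Flow, acp=ACP_RULES) -> dict:
    """Run a flow through the stages in order and record what it reached."""
    trace = {"stages": [], "verdict": "inspected", "discovery": False}

    # 1. Security Intelligence runs first: a blacklisted source that is not
    #    whitelisted is dropped and never enters the later policies.
    trace["stages"].append("security_intelligence")
    if flow.src in SI_BLACKLIST and flow.src not in SI_WHITELIST:
        trace["verdict"] = "si_block"
        return trace

    # 2. SSL Policy would decrypt or block here; modelled as pass-through.
    trace["stages"].append("ssl_policy")

    # 3. Access Control Policy: the first matching rule decides. Block and
    #    Trust both end processing, so neither reaches discovery or the IPS.
    trace["stages"].append("access_control")
    for rule in acp:
        if rule.matches(flow):
            if rule.action in ("block", "trust"):
                trace["verdict"] = f"{rule.action}:{rule.name}"
                return trace
            break

    # 4. Further inspection: only traffic that gets this far is seen by
    #    Network Discovery, the Malware & File Policy and the Intrusion Policy.
    trace["discovery"] = True
    trace["stages"] += ["network_discovery", "file_policy", "intrusion_policy"]
    return trace


if __name__ == "__main__":
    for f in (Flow("203.0.113.9", "10.1.1.5", 80),
              Flow("198.51.100.7", "10.1.1.5", 80),
              Flow("10.10.5.5", "10.20.1.1", 10000),
              Flow("10.1.1.1", "10.1.1.2", 23),
              Flow("10.1.1.1", "10.1.1.2", 443)):
        r = inspect(f)
        print(f"{f.src}->{f.dst}:{f.dport}  {r['verdict']:<22} discovery={r['discovery']}")
```

The trusted backup flow and the Security Intelligence drop both come back with `discovery=False`: that is exactly why hosts behind a Trust rule never get a host profile, while the whitelisted source still ends up fully inspected.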
-
Can You Fast Path Any Traffic?
-
Fast Pathing Traffic is Fast!
• Fast Pathing traffic is the fastest way to not inspect certain traffic
• Can also be used to block in certain hardware and configurations
[Diagram: Fast Path sits in front of Traffic Flow → Security Intelligence → SSL Policy → Access Control Policy → Further Inspection (Malware & File Policy, Intrusion Policy, Network Discovery). This is where fast pathed traffic is processed.]
-
Fast Pathing Based On Firepower Platform
Three platforms:
• Cisco ASA with FirePOWER Services
• FirePOWER 7000/8000
• Firepower Threat Defense image for ASA 5500-X*, Firepower 2100, 4100, 9300, VMware, and Amazon Web Services
*Excludes ASA 5585-X
You fast path differently in each of these three platforms!
-
Fast Pathing With ASA FirePOWER Services
[Diagram: ASA packet flow, each check dropping the packet on a No: Receive Packet → Ingress Interface → Existing Conn.? → ACL Permit? → Match Xlate? → Inspections / Sec. Checks → FirePOWER → NAT IP Header → L3 Route → L2 Address → Egress Interface → XMIT Packet]
Fast Path on the ASA, not in Firepower
-
Fast Pathing With Firepower 8000 Series
• 8000 Series devices can use ‘Fast Path Rules’ defined in the ‘Devices’ tab
“Fast path rules are slowly going away, however – use promoted rules instead”
-
Fast Pathing With Firepower 7000/8000 Series
• 7000/8000 use ‘Promoted ACP Rules’ to fast path traffic
• Create ACP rules that:
1. Are Trust, Block, or Block with Reset
2. Have only these conditions: VLAN, IP, Security Zone, Port
3. Are placed above all other ACP rules
If the ACP rule meets all these conditions, the rule will be ‘promoted’
-
Rule Promotion Example
These two rules will automatically be promoted to fast path.
Notice both are using Port and IP for identifying the traffic, and are placed above all other rules!
“You won’t see this occur in the GUI! This is an automatic system process”
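Because promotion is silent in the GUI, it helps to be able to check a policy on paper. The following Python checker is an added example, not Cisco code: it applies the three conditions from the slides (action, allowed criteria, position above all other rules) to a constructed rule list and reports which rules would be promoted, and which are eligible on their own but lose promotion only because a non-promotable rule sits above them. The condition names (`vlan`, `ip`, `security_zone`, `port`, `application`) and the rule names are assumptions made for the example.

```python
"""Check which ACP rules a 7000/8000 Series device would promote to the fast path.

Added illustration, not Cisco code. The three conditions come straight from
the slides: action Trust, Block or Block with reset; only VLAN, IP, Security
Zone or Port criteria; placed above all other rules. Promotion is therefore
evaluated from the top of the policy down and stops at the first rule that
does not qualify. The rule list below is constructed sample data.
"""
from dataclasses import dataclass

PROMOTABLE_ACTIONS = {"trust", "block", "block_with_reset"}
PROMOTABLE_CRITERIA = {"vlan", "ip", "security_zone", "port"}


@dataclass
class AcpRule:
    name: str
    action: str
    criteria: frozenset   # condition tabs the rule uses, e.g. {"ip", "port"}


def disqualifiers(rule: AcpRule) -> list:
    """Reasons a rule on its own cannot be promoted (empty list = eligible)."""
    reasons = []
    if rule.action not in PROMOTABLE_ACTIONS:
        reasons.append(f"action '{rule.action}' is not Trust/Block/Block with reset")
    extra = rule.criteria - PROMOTABLE_CRITERIA
    if extra:
        reasons.append("uses non-promotable criteria: " + ", ".join(sorted(extra)))
    return reasons


def promoted_rules(rules: list) -> list:
    """Names of rules that will be promoted, honouring the ordering condition."""
    promoted = []
    for rule in rules:
        if disqualifiers(rule):
            break          # everything below this rule stays in the normal ACP
        promoted.append(rule.name)
    return promoted


def stranded_rules(rules: list) -> list:
    """Eligible rules that are not promoted only because of their position."""
    promoted = set(promoted_rules(rules))
    return [r.name for r in rules if not disqualifiers(r) and r.name not in promoted]


# Constructed ACP, top to bottom.
RULES = [
    AcpRule("trust-backup", "trust", frozenset({"ip", "port"})),
    AcpRule("block-telnet", "block_with_reset", frozenset({"security_zone", "port"})),
    AcpRule("block-p2p-apps", "block", frozenset({"application"})),
    AcpRule("trust-scanner", "trust", frozenset({"ip"})),
]

if __name__ == "__main__":
    print("promoted:", promoted_rules(RULES))
    print("eligible but stranded below a non-promotable rule:", stranded_rules(RULES))
    for r in RULES:
        if disqualifiers(r):
            print(f"{r.name}: " + "; ".join(disqualifiers(r)))
```

A stranded rule is the case to watch for: moving it above the application-based block would restore promotion, but because the ACP is first-match, check that the two rules do not overlap before reordering them.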
-
Promoted ACP Rule Processing – 7000/8000
• The promoted rules are written in the ACP
• When applied to your sensor they get automatically pushed to the Fast Path stage
[Diagram: Fast Path (promoted rules) in front of Traffic Flow → Security Intelligence → SSL Policy → Access Control Policy → Further Inspection (Malware & File Policy, Intrusion Policy, Network Discovery)]
-
Fast Pathing With Firepower Threat Defense
• FTD code has a new policy called ‘Prefilter’
• Prefilter Policy uses limited outer-header criteria to quickly process traffic
[Diagram: Prefilter Policy (Fast Pathing occurs here) in front of Traffic Flow → Security Intelligence → SSL Policy → Access Control Policy → Further Inspection (Malware & File Policy, Intrusion Policy, Network Discovery)]
-
Base Intrusion Policies
-
Use One of These 3 Base Intrusion Policies
• Cisco Talos provides and updates Base Policies for you – choose the security approach you wish to have
• Talos provides updates at least twice a week, and responds to ever-changing security threats in real time
Base Policies (increasing protection level, left to right):
Connectivity over Security → Balanced Security and Connectivity → Security over Connectivity
-
Are You Using One of These Base Policies?
• Maximum Detection
  • Not for use in deployment – do not use unless directed to do so!
• No Rules Active
  • Often used if planning to use Firepower Recommendations to turn rules on based on your environment
• Tip! If you plan to use ‘Firepower Recommendations’ to adjust SNORT rule states, it is best to start with Security over Connectivity and use the recommendations to adjust these in a layer
• “Note: Talos rule updates do not automatically affect ‘No Rules Active’, and you will no longer have the advantage of Talos’ input for the rule states”
-
Define Your HOME_NET Variable
-
Did You Define HOME_NET?
• HOME_NET is used in the majority of your SNORT rules
• Defining HOME_NET will significantly tune your system and reduce false positives
• This is one of the most important settings to configure!
“Look! This is defined as ‘any’ – you need to go in and define this with your internal and protected networks”
-
EXTERNAL_NET
-
Did You Define EXTERNAL_NET?
• EXTERNAL_NET defines what is outside your network – this is ‘any’ by default
You have two options:
• Define as not HOME_NET (!HOME_NET)
Or
• Leave as ‘any’
-
Defining EXTERNAL_NET as !HOME_NET is Popular, But Not Always Appropriate
• If you define EXTERNAL_NET as !HOME_NET you will miss some internally-based attacks, but will notice a significant performance gain
“Be careful if you defined EXTERNAL_NET as !HOME_NET and associated it to traffic originating from inside your network”
-
Remember, Variables Are Assigned to Intrusion Policies in ACP Rules
• And therefore you can have multiple definitions!
[Screenshot callout: You choose the variable set here!]
-
So Consider Using Multiple EXTERNAL_NET Definitions
• Create a definition of EXTERNAL_NET as !HOME_NET for traffic from outside your network to the inside of your network
• Leave EXTERNAL_NET as any for traffic that is internal to internal
• You can do this with ‘Security Zones’ in your ACP rules!
[Diagram: Traffic Flow → Access Control Policy, with intrusion policies Sec over Conn and Balanced assigned across three rules: ACP Rule 1 – EXTERNAL_NET set to ‘any’; ACP Rule 2 – EXTERNAL_NET set to !HOME_NET; ACP Rule 3 – EXTERNAL_NET set to ‘any’]
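The three variable slides above are easiest to reason about by evaluating one rule header against each setting. The Python below is an added example, not Cisco or Snort code: it implements the variable semantics the slides rely on (‘any’, a CIDR list, and ‘!HOME_NET’ as the negation of another variable), applies them to a constructed rule header of the form `$EXTERNAL_NET any -> $HOME_NET 445`, and finishes with the per-zone selection of variable sets that the ACP-rule approach gives you. The internal ranges, the zone names and the rule header are assumptions for the example.

```python
"""Snort variable semantics behind the HOME_NET / EXTERNAL_NET advice.

Added illustration, not Cisco or Snort code: a small evaluator for variable
sets with the three settings the slides compare (HOME_NET left as 'any',
EXTERNAL_NET left as 'any', EXTERNAL_NET set to !HOME_NET), applied to one
constructed rule header, '$EXTERNAL_NET any -> $HOME_NET 445'. The zone-to-
variable-set mapping at the end mirrors the ACP-rule approach from the slides.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


class VariableSet:
    """A variable is 'any', '!OTHER_VAR' (negation of another variable) or a CIDR list."""

    def __init__(self, home_net, external_net):
        self.vars = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}

    def contains(self, var: str, ip: str) -> bool:
        spec = self.vars[var]
        if spec == "any":
            return True
        if isinstance(spec, str) and spec.startswith("!"):
            return not self.contains(spec[1:], ip)
        return any(ip_address(ip) in ip_network(cidr) for cidr in spec)


def rule_fires(vs: VariableSet, flow: Flow, dport: int = 445) -> bool:
    """Header match for '$EXTERNAL_NET any -> $HOME_NET <dport>'."""
    return (vs.contains("EXTERNAL_NET", flow.src)
            and vs.contains("HOME_NET", flow.dst)
            and flow.dport == dport)


INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]   # constructed protected ranges
UNTUNED = VariableSet("any", "any")           # defaults before tuning
PERMISSIVE = VariableSet(INTERNAL, "any")     # HOME_NET defined, EXTERNAL_NET any
STRICT = VariableSet(INTERNAL, "!HOME_NET")   # EXTERNAL_NET = !HOME_NET

# ACP-style selection: the variable set follows the source security zone
# (constructed zone names).
ZONE_VARSETS = {"outside": STRICT, "inside": PERMISSIVE}


def evaluate(flow: Flow, src_zone: str) -> bool:
    """Fire the rule with the variable set chosen by the source zone's ACP rule."""
    return rule_fires(ZONE_VARSETS[src_zone], flow)


# Constructed sample flows.
INBOUND = Flow("203.0.113.5", "10.2.2.2", 445)   # internet -> internal
LATERAL = Flow("10.1.1.1", "10.2.2.2", 445)      # internal -> internal
OUTBOUND = Flow("10.2.2.2", "203.0.113.5", 445)  # internal -> internet

if __name__ == "__main__":
    for name, vs in (("untuned", UNTUNED), ("permissive", PERMISSIVE), ("strict", STRICT)):
        print(f"{name:<10} inbound={rule_fires(vs, INBOUND)} "
              f"lateral={rule_fires(vs, LATERAL)} outbound={rule_fires(vs, OUTBOUND)}")
    print("zone-based:", evaluate(INBOUND, "outside"), evaluate(LATERAL, "inside"))
```

The untuned set fires on outbound SMB to an internet host because HOME_NET = any makes every destination ‘home’ (the false positives the HOME_NET slide warns about); the strict set is silent on the lateral flow because its source is inside HOME_NET (the internally-based attacks the !HOME_NET slide warns you will miss); the zone-based selection catches both.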
-
Tune Your Connection Events
-
Remember The Logging Flow
[Diagram: Traffic Flow → Connection Events sent to Firepower Management Center]
“Did you know ‘Event Viewer’ refers to your Firepower Management Center?”
Note: If connection logging is not enabled, no connection events are sent to the Firepower Management Center!
-
But Should You Log All Connection Events? Probably Not.
If you are logging all traffic, you will likely have poor retention times and could overwork your FMC.
So, create ACP rules to identify traffic you do not wish to log!
The best way to do this… create a DNS query ACP rule that does not log connection events!
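Whether the DNS rule actually reduces event volume depends on where it sits, because the first matching ACP rule decides the logging setting for a connection. The Python below is an added example, not Cisco code: it models that first-match logging decision over a constructed daily flow mix, compares a policy that logs everything with one that has the DNS no-log rule on top and one that has it (uselessly) below a catch-all, and turns the event rate into days of retention against an assumed FMC event capacity. The flow counts, the capacity and the assumption that the default action does not log are all constructed for the example.

```python
"""Connection-event volume under different ACP logging rules.

Added illustration, not Cisco code. Models two things from the slides: a
connection event is only sent to the FMC when the matching ACP rule has
logging enabled, and the first matching rule wins, so a DNS rule with
logging disabled must sit above any catch-all rule that logs. Flow counts
and the FMC event capacity are constructed sample numbers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LogRule:
    name: str
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any port
    log: bool              # connection logging enabled on this rule?


def logging_decision(proto: str, dport: int, rules: list) -> bool:
    """First matching ACP rule decides whether a connection event is emitted."""
    for r in rules:
        if (r.proto is None or r.proto == proto) and (r.dport is None or r.dport == dport):
            return r.log
    return False    # assumption: the default action has logging disabled


# Constructed daily flow mix: (proto, dport) -> flows per day.
DAILY_FLOWS = {
    ("udp", 53): 600_000,
    ("tcp", 443): 250_000,
    ("tcp", 80): 100_000,
    ("tcp", 445): 50_000,
}

LOG_EVERYTHING = [LogRule("log-all", None, None, True)]
DNS_FIRST = [LogRule("dns-no-log", "udp", 53, False),
             LogRule("log-all", None, None, True)]
DNS_BELOW_CATCHALL = [LogRule("log-all", None, None, True),
                      LogRule("dns-no-log", "udp", 53, False)]   # ordering mistake


def events_per_day(rules: list, flows=DAILY_FLOWS) -> int:
    """Connection events the FMC receives per day under the given rule order."""
    return sum(n for (proto, port), n in flows.items()
               if logging_decision(proto, port, rules))


def retention_days(rules: list, capacity: int = 10_000_000) -> int:
    """Whole days of history the FMC event store holds before rolling over."""
    return capacity // events_per_day(rules)


if __name__ == "__main__":
    for name, rules in (("log everything", LOG_EVERYTHING),
                        ("DNS rule on top", DNS_FIRST),
                        ("DNS rule below catch-all", DNS_BELOW_CATCHALL)):
        print(f"{name:<26} {events_per_day(rules):>9} events/day  "
              f"{retention_days(rules):>3} days retention")
```

The misordered policy logs exactly as much as logging everything, which is the symptom to look for when a DNS no-log rule seems to have had no effect on event volume.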
-
Final Considerations!
-
Are You Aware?
• Security Intelligence ‘Whitelists’ are only for overriding a Blacklist entry
  • Whitelisted traffic is NOT trusted
  • This traffic will continue through inspection!
• “Did you know? In order to take advantage of DNS Security Intelligence (new in 6.x) you must first create a DNS Policy and associate that policy to your ACP Policy”
-
And Lastly…
• Use ‘Adaptive Profiles’
  • This will reassemble IP fragments and streams based on the OS seen in the Host Profile
  • [Screenshot callout: Turn it on here]
• Do not modify or change your ‘Network Analysis Policy’ unless under guidance
  • [Screenshot callout: Leave this alone unless under expert guidance!]
-
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
-
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
-
Thank you