Source: d2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/brksec-2030.pdf


Deploying Intrusion Prevention Systems

Mike Mercier, Consulting Systems Engineer

BRKSEC-2030

Agenda

• Introduction to IPS
• Cisco NGIPS Solutions
• Deploying Cisco NGIPS
• Migrating to Firepower NGIPS
• Conclusion

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Objectives: What will you learn in this session?

• Next Generation Security and IPS Fundamentals
  • Understand the basic premise of Next-Generation Firewalls and IPS
• Cisco NGIPS Solutions
  • Understand the various Cisco NGIPS solution offerings and how they differ
• Deploying Cisco NGIPS
  • Understand the process to select the right NGIPS solution
  • Understand what the important considerations are when deploying NGIPS
• Migrating to FirePOWER NGIPS
  • High-level understanding of the process of migrating to FirePOWER NGIPS

Objectives: What is not covered (in depth) in this session?

• Not covered in depth in this session, so check out:
  • Deploying Firewalls
    BRKSEC-2020 - Firewall Deployment
    BRKSEC-2028 - Deploying Next Generation Firewall with ASA and Firepower Service
  • Troubleshooting FirePOWER
    BRKSEC-3055 - Troubleshooting Cisco ASA with FirePOWER Services
  • Detailed Migration to FirePOWER Services
    BRKSEC-2018 - Tips and Tricks for Successful Migration to FirePOWER Solutions
  • Tuning FirePOWER
    BRKSEC-3126 - FirePOWER: Advanced Configuration and Tuning

Introduction to IPS

2015 Cisco Annual Security Report

Introduction to IPS: What is IPS?

Why do I need IPS? Challenges come from every direction

• Sophisticated Attackers
• Complex Geopolitics
• Boardroom Engagement
• Misaligned Policies
• Dynamic Threats
• Defenders
• Complicit Users

Cisco NGIPS Solutions

Cisco NGIPS Solutions: Cisco FirePOWER NGIPS

Cisco FirePOWER Next-Generation IPS
Next-Generation IPS, Firewall and Anti-Malware Solution

• Supported on FirePOWER 7000 and 8000 series appliances
• Supported on ASA5500-X and ASA5585-X, FP4K & FP9K (FTD)
• Supported on ISRG2 and ISR4000 series (UCS-E)
• Supported in VMware, AWS and KVM (6.1)
• Supported on Meraki MX appliances

Cisco NGIPS Solutions: Next-Generation Firewall

Next-Generation Firewalls perform deep inspection of traffic and threat prevention, building on the traditional firewall with:

• Integrated signature-based IPS engine
• Application visibility and granular control (AVC)
• Identity awareness and control
• URL Filtering
• Capability to incorporate external information (feeds)

Cisco NGIPS Solutions: Traditional IPS

Traditional IPS provides signature-based pattern matching for detection and prevention of intrusion attempts.

• Typically deployed behind a Firewall or in IDS mode
• Typically a “bump in the wire”
• Often looks for exploits rather than vulnerabilities
• Often overwhelms the analyst with irrelevant events
• Not much contextual information to take action on
• Requires a high level of tuning

As a result, traditional IPS

• Often needs additional devices to perform other related tasks
• Is often minimally effective or isn’t used
• Requires massive amounts of time and resources to make it work
• May leave organizations exposed

Cisco NGIPS Solutions: Next-Generation IPS

Next-Generation IPS extends traditional IPS with:

• Application awareness, to enable visibility into new L7 threats and reduce the attack surface
• Contextual awareness, providing information to help better understand events, to provide automation and to reduce cost/complexity/tuning
• Content awareness, to determine different file types and whether or not they are malicious

Next-Generation IPS is often deployed as part of a Next-Generation Firewall.

Cisco NGIPS Solutions: What does a Security Appliance offer?

Cisco NGIPS Solutions: ASA with FirePOWER Services

Base Hardware and Software
• 5585-X Bundle SKUs with FirePOWER Services Module
• 5500-X SKUs running FirePOWER Services Software
• New 5506/8/16-X for SMB, Distributed Enterprises and Industrial Control
• Hardware includes Application Visibility and Control (AVC)

Security Subscription Services
• FirePOWER Services Licenses separate from ASA license
• IPS, URL, Advanced Malware Protection (AMP) Subscription Services
• One- and Three-Year Term Options
• Available via ELA

Management
• Firepower Management Center (HW Appliance or Virtual)
• Cisco Security Manager (CSM) or ASDM to manage ASA features
• ASDM manages both ASA and FirePOWER Services on new ASA low/mid models

Cisco NGIPS Solutions: ASA with FirePOWER Services Architecture

[Diagram: ASA 5585-X with FirePOWER Services. The ASA Module (ports, 10GE NICs, fabric switch, CPU complex, crypto engine) and the SFR Module (10GE NICs, fabric switch, CPU complex, crypto or regex engine) are connected over the backplane. Traffic enters at ASA ingress, is handed to FirePOWER ingress, and egresses after FirePOWER processing.]

• ASA processes all ingress/egress packets
• No packets are directly processed by FirePOWER except for management
• Traffic is forwarded to the FirePOWER module using a policy-map
• FirePOWER provides Next-Generation Firewall Services

Cisco NGIPS Solutions: ASA with FirePOWER Services

Model         | AVC      | AVC+IPS  | Notes
ASA 5506-X    | 250 Mbps | 125 Mbps |
ASA 5506W-X   | 250 Mbps | 125 Mbps | Integrated Wireless AP
ASA 5506H-X   | 250 Mbps | 125 Mbps | Ruggedized
ASA 5508-X    | 450 Mbps | 250 Mbps |
ASA 5516-X    | 850 Mbps | 450 Mbps |

Cisco NGIPS Solutions: ASA with FirePOWER Services – Mid-range

Model         | AVC       | AVC+IPS
ASA 5516-X    | 900 Mbps  | 450 Mbps
ASA 5525-X    | 1.1 Gbps  | 650 Mbps
ASA 5545-X    | 1.5 Gbps  | 1 Gbps
ASA 5555-X    | 1.75 Gbps | 1.25 Gbps

Cisco NGIPS Solutions: ASA with FirePOWER Services – ASA5585

Model                    | AVC      | AVC+IPS
ASA 5585-X SSP 10        | 4.5 Gbps | 2 Gbps
ASA 5585-X SSP 20        | 7 Gbps   | 3.5 Gbps
ASA 5585-X SSP 40        | 10 Gbps  | 6 Gbps
ASA 5585-X SSP 60        | 15 Gbps  | 10 Gbps
ASA 5585-X SSP EP 10/40  | 4.5 Gbps | 4.5 Gbps
ASA 5585-X SSP EP 20/60  | 7 Gbps   | 7 Gbps

Cisco NGIPS Solutions: FirePOWER Appliances

Base Hardware and Software
• Single-pass Architecture
• 8000 Series
  • Modular Interface Options (Netmods), including 10 and 40 Gbps
  • Clustering support for HA
  • Stacking capable for increased throughput up to 60 Gbps
• 71x5 Series with 8 Fail-Closed SFP ports
• 7000 Series with built-in 1 Gbps Copper interfaces
• Virtual FirePOWER NGIPSv for VMware ESX(i)

Security Subscription Services
• IPS, URL, Advanced Malware Protection (AMP) Subscription Services
• One- and Three-Year Term Options
• Available via ELA

Management
• Firepower Management Center (HW Appliance or Virtual)

Cisco NGIPS Solutions: FirePOWER Appliances Architecture

[Diagram: the appliance data path is a stack of NetMods, NMSB, NFE and CPU; the functions are listed per layer in the order the diagram shows them.]

CPU
• FirePOWER Applications (NGIPS, AppID, AMP)
• Application/Control Plane Processing

NFE
• L2-L7 Classification
• Stateful Flow Processing
• PKI and Bulk Cryptography
• Flow-based Load Balancing

NMSB
• L2 switching / L3 Routing / NAPT
• L2-L4 Packet Classification
• Packet-based load balancing

NetMods
• Physical Interfaces
• Integrated Bypass Relays

Cisco NGIPS Solutions: FirePOWER Appliances

Series       | Throughput
7000-series  | 50 to 250 Mbps
7100-series  | 500 Mbps to 2 Gbps
8100-series  | 2 to 12 Gbps
8300-series  | 10 to 60 Gbps
NGIPSv       | ~250 Mbps to ~2 Gbps

Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances

Solution     | ASA with FirePOWER Services                       | FirePOWER Appliances
Form Factor  | ASA 5500-X, 5585-X                                | 8000, 7000 Physical and Virtual Appliances
Performance  | Up to 10Gbps NGIPS on a single 5585-X SSP60       | Up to 60Gbps on 8390
Deployment   | Physical ASA Inline Deployment, HA, Clustering    | Physical or SPAN Deployment, HA
Use Case     | Inline and Promiscuous NGIPS and NGFW             | Inline and Promiscuous NGIPS and NGFW
Packet Flow  | From ASA to FirePOWER Module                      | Directly through FirePOWER Appliance
Management   | CSM/ASDM for ASA, FMC/ASDM for FirePOWER Services | Firepower Management Center

Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances

Solution        | ASA with FirePOWER Services | FirePOWER Appliances
Features        | All ASA + Most FirePOWER features | FirePOWER features
Multi-Context   | Ability to apply FirePOWER policy per context and generate reports on a per-context basis | Ability to define Security Zones and apply policy and generate reports per zone
SSL Decryption  | Currently only with external appliance | Integrated as well as external appliance
VPN             | Multiple remote-access and site-to-site options (IPSec, SSL) | Limited site-to-site IPSec support
HA              | Active/Standby, Active/Active, Clustering | Active/Standby (Clustering)
Routing         | Static, EIGRP, OSPF, BGP, RIP, Multicast | Static, OSPF, RIP
Identity        | SFUA AD Agent, CDA and TrustSec on ASA | SFUA, AD Agent, Passive Discovery
Bypass          | Module Fail-Open | Automatic Application Bypass, HW Bypass

Cisco NGFW Platforms

All* managed by Cisco Firepower Management Center:
• Cisco Firepower™ 4100 Series and 9300 (New Appliances)
• Cisco FirePOWER™ Services on ASA 5585-X
• Cisco Firepower Threat Defense on ASA 5500-X

*5585-X management available 2H CY16

Converged Software: Firepower Threat Defense

New Converged Software Image: Firepower Threat Defense
• Contains all Firepower Services plus select ASA capabilities
• Single Manager: Firepower Management Center*

Same subscriptions as FirePOWER Services:
• Threat (IPS + SI + DNS)
• Malware (AMP + ThreatGrid)
• URL Filtering

* Also manages Firepower Appliances, Firepower Services (not ASA Software)

High-Level Feature Comparison: ASA with FirePOWER Services, Firepower Threat Defense

Feature                                 | Firepower Services for ASA | Firepower Threat Defense | Notes for Firepower Threat Defense
HA, NAT                                 | ✔ | ✔ |
Routing                                 | ✔ | ✔ | Multicast & EIGRP in 6.1
Unified ASA and Firepower rules/objects | ✘ | ✔ |
Local Management                        | ✔ | ✔ | In 6.1, features differ
Multi-Context                           | ✔ | ✘ |
Inter-chassis Clustering                | ✔ | ✘ |
VPN                                     | ✔ | ✔ | Site-to-Site VPN in 6.1
Hypervisor Support                      | ✘ | ✔ | AWS, VMware; KVM in 6.1
Smart Licensing support                 | ✘ | ✔ |

Note: Not an exhaustive list of differences between these offerings.

What Platforms run Firepower Threat Defense?

All* managed by Cisco Firepower Management Center:
• Cisco Firepower Threat Defense on Firepower™ 4100 Series and 9300 (New Appliances)
• Cisco FirePOWER Services on ASA 5585-X
• Cisco FirePOWER on 7000/8000 Series Appliances
• Cisco Firepower Threat Defense on ASA 5500-X

*5585-X ASA module management being investigated for 2HCY16

Cisco Firepower 4100 Series: Introducing four new high-performance models

Multiservice Security
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party

Performance and Density Optimization
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency

Unified Management
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options

Cisco Firepower 9300 Platform
High-speed, scalable security

Multiservice Security
Benefits
• Integration of best-in-class security
• Dynamic service stitching
Features*
• Cisco® ASA container
• Cisco Firepower™ Threat Defense containers: NGIPS, AMP, URL, AVC
• Third-party containers: Radware DDoS, other ecosystem partners

Modular
Benefits
• Standards and interoperability
• Flexible architecture
Features
• Template-driven security
• Secure containerization for customer apps
• RESTful/JSON API
• Third-party orchestration and management

Carrier Class
Benefits
• Industry-leading performance: 600% higher performance, 30% higher port density
Features
• Compact, 3RU form factor
• 10-Gbps/40-Gbps I/O; 100-Gbps ready
• Terabit backplane
• Low latency, intelligent fast path
• Network Equipment-Building System (NEBS) ready

* Contact Cisco for services availability

Security Modules

Three security module configurations:
• SM36: 72 x86 CPU cores for up to 80 Gbps of firewalled throughput
• SM24: 48 x86 CPU cores for up to 60 Gbps of firewalled throughput
• (Future) NEBS: SM24 NEBS certification

• Dual 800GB SSD in RAID1 by default
• Built-in hardware packet and flow classifier and crypto accelerator
• Hardware VPN acceleration is targeted for a subsequent software release

Cisco Firepower 9300 Overview

Supervisor
• Application deployment and orchestration
• Network attachment (10/40/100GE) and traffic distribution
• Clustering base layer for Cisco® ASA, NGFW, and NGIPS

Security Modules
• Embedded packet and flow classifier and crypto hardware
• Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications
• Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis

Firepower Threat Defense Packet Flow

[Diagram: Ingress NIC → L2/L3 Decode → L4 Decode → Flow Lookup → Route Lookup → NAT Lookup → Inspection checks → FirePOWER Services (AVC, IPS, File/AMP, with events written to the Event Database; packets are handed over through the Packet Library (PDTS)) → Routing → NAT → Flow Update → Egress NIC. Zero Copy, Single OS.]

Cisco Firepower™ Management Center

Cisco Firepower Management Center: Single Console for Event, Policy and Configuration Management

Unified
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover remediation tools

Scalable
• Central, role-based management
• Multitenancy
• Policy inheritance

Automated
• Impact assessment
• Rule recommendations
• Remediation APIs

Deploying Cisco NGIPS

IPS Deployment Cycle

Policy → Planning & Hardware Selection → Implementation & Operation → Evaluation (and back to Policy)

Policy: Network Security Policy

• Outlines rules for computer network access
• Determines how policies are enforced
• Basic architecture of the network security environment
• Keep malicious users, applications and traffic out
• Keep internal data in
• Attack mitigation and incident response
• Align to business needs


Planning and Hardware Selection: Define your requirements

• Details how the Security Policy will be met
• Write-up of all requirements to prepare for implementation
• Determine places in the network to deploy
• Define the capabilities needed within each place in the network
• Determine if there are any complementary solutions in place (integration)
• Good planning will lead to a successful implementation
  • Reduces complexity
  • Predictability and risk awareness
• Select devices based on requirements

Planning and Hardware Selection: Define your requirements

[Diagram: requirements wheel. Outer ring: Use Case, Location, Connectivity, Performance, Availability and Scaling, Management. Inner ring: Implementation, Features and Licenses, Hardware.]

Use Case: What problem are we solving?

Traditional FW
• 5-tuple Access Control
• Stateful Protocol Inspection
• NAT
• Routing

NGFW
• Application Visibility and Control
• User-Based Controls
• Filtering Web Access
• Encrypted Traffic

NGIPS
• Intrusion Detection
• Intrusion Prevention
• Encrypted Traffic
• Compliance
• Network Forensics

VPN
• Remote Access
• Site-to-Site
• NAT, Routing, …

Malware
• Trojan Horses, Rootkits, ...
• Scope spreading
• 0-days

Use Case: Inspecting Encrypted Traffic

• > 30% of Internet traffic is SSL encrypted, hiding it from inspection
  • Google, Facebook, Office 365
  • Continues to increase, with most organizations seeing 50-75%
  • Google to prioritize sites using SSL
• Increasing % of malware is hiding in SSL tunnels
  • Malware downloads
  • CnC connections
  • Data exfiltration
• Policy enforcement and threat protection

Use Case: Inspecting Encrypted Traffic

[Diagram: Client and Server exchange encrypted traffic through the SSL Appliance; the SSL Appliance passes the decrypted copy to FirePOWER.]

• Choose an external SSL appliance for high bandwidth and the ability to inspect with other solutions, e.g. DLP
• Use the new built-in SSL inspection for simplicity and cost-effectiveness

Use Case: Inspecting Encrypted Traffic with on-box decryption

• Multiple deployment modes
  • Passive Inbound (known keys)
  • Inbound Inline (with or without keys)
  • Outbound Inline (without keys)
• Flexible SSL support for HTTPS & StartTLS-based apps
  • E.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
• Decrypt by URL category and other attributes
• Centralized enforcement of SSL certificate policies
  • e.g. blocking self-signed encrypted traffic, SSL version, specific cipher suites, unapproved mobile devices
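As an added example (not code from the Cisco deck or from Firepower Management Center), the following Python sketch shows how an ordered SSL policy of the kind described above is evaluated: certificate attributes that are visible in the handshake (self-signed, protocol version, cipher suite) are checked before any decrypt decision, privacy-sensitive URL categories are exempted from decryption, and the decrypt action depends on whether the server key is known (inbound) or the flow has to be re-signed (outbound). The rule schema, the category names, the "weak" version and cipher markers and the sample flows are all constructed for this example.

```python
"""Evaluate an ordered SSL/TLS inspection policy against observed handshakes.

Added example, not code from the Cisco deck or from Firepower Management Center.
The rule schema, the category names, the 'weak' markers and the sample flows are
constructed here; the action names mirror the deployment modes on the slide:
decrypt with known keys (inbound), decrypt by re-signing (outbound), do not
decrypt, or block.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsFlow:
    src_internal: bool       # True = client inside, server outside (outbound flow)
    server_name: str         # SNI from the ClientHello
    url_category: str        # result of a URL-category lookup on the SNI (constructed)
    version: str             # negotiated protocol version, e.g. "TLS1.2"
    cipher: str              # negotiated cipher suite (IANA name)
    issuer: str              # certificate issuer DN
    subject: str             # certificate subject DN
    known_server_key: bool   # True when we hold the server's private key


# Versions and cipher-suite substrings treated as weak (assumption for this example).
WEAK_VERSIONS = {"SSLv3", "TLS1.0"}
WEAK_CIPHER_MARKERS = ("_RC4_", "_NULL_", "EXPORT", "_DES_")

# Categories exempted from decryption for privacy/compliance (constructed set).
PRIVACY_CATEGORIES = {"Financial Services", "Health and Medicine"}


def is_self_signed(flow: TlsFlow) -> bool:
    # Certificate attributes are visible in the TLS 1.2 handshake; no decryption needed.
    return flow.issuer == flow.subject


def has_weak_cipher(flow: TlsFlow) -> bool:
    return any(marker in flow.cipher for marker in WEAK_CIPHER_MARKERS)


# Ordered policy: (rule name, condition, action). First match wins, so the
# certificate/version/cipher blocks sit above every decrypt or exemption rule.
POLICY = [
    ("block self-signed outbound", lambda f: f.src_internal and is_self_signed(f), "block"),
    ("block legacy protocol versions", lambda f: f.version in WEAK_VERSIONS, "block"),
    ("block weak cipher suites", has_weak_cipher, "block"),
    ("do not decrypt privacy categories",
     lambda f: f.src_internal and f.url_category in PRIVACY_CATEGORIES, "do_not_decrypt"),
    ("decrypt inbound with known key",
     lambda f: not f.src_internal and f.known_server_key, "decrypt_known_key"),
    ("decrypt outbound by re-signing", lambda f: f.src_internal, "decrypt_resign"),
]
DEFAULT_ACTION = "do_not_decrypt"   # e.g. inbound to a server whose key we do not hold


def evaluate(flow: TlsFlow, policy=POLICY):
    """Return (action, matched rule name) for one flow."""
    for name, condition, action in policy:
        if condition(flow):
            return action, name
    return DEFAULT_ACTION, "default"


# Constructed sample handshakes (documentation/test addresses and names only).
SAMPLE_FLOWS = [
    TlsFlow(True, "mail.example.net", "Web-based Email", "TLS1.2",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "CN=Example CA", "CN=mail.example.net", False),
    TlsFlow(True, "bank.example", "Financial Services", "TLS1.2",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "CN=Example CA", "CN=bank.example", False),
    TlsFlow(True, "203.0.113.7", "Uncategorized", "TLS1.2",
            "TLS_RSA_WITH_AES_128_CBC_SHA", "CN=203.0.113.7", "CN=203.0.113.7", False),
    TlsFlow(True, "legacy.example.org", "Business", "TLS1.0",
            "TLS_RSA_WITH_AES_128_CBC_SHA", "CN=Example CA", "CN=legacy.example.org", False),
    TlsFlow(False, "www.ourcorp.example", "Business", "TLS1.2",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "CN=Example CA", "CN=www.ourcorp.example", True),
    TlsFlow(False, "partner.example", "Business", "TLS1.2",
            "TLS_RSA_WITH_RC4_128_SHA", "CN=Example CA", "CN=partner.example", False),
]


def decisions(flows=SAMPLE_FLOWS):
    """Map server name -> chosen action for a list of flows."""
    return {f.server_name: evaluate(f)[0] for f in flows}


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, rule = evaluate(f)
        print(f"{f.server_name:22} {action:18} ({rule})")
```

The ordering is the point: block rules that only need handshake metadata come first, so a "do not decrypt" exemption for a privacy category can never hide a self-signed certificate or a legacy protocol version, and the two decrypt actions are selected by traffic direction and key availability, matching the inbound/outbound modes listed on the slide.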

Use Case: Inspecting Encrypted Traffic with external appliance

• Cisco SSL Appliance 1500, 2000, 8200 (4, 10 and 20 Gbps)
• Encrypted traffic flow
  • Decrypted by SSL Appliance
  • Re-encrypted by SSL Appliance
• Plain text traffic flow
  • Forwarded by SSL Appliance
  • Sent to sensor
  • Processed and returned to SSL Appliance
  • Packets returning from the sensor are not re-encrypted
  • Modifications made to packets by the sensor are not present in the encrypted traffic flow
• Non-SSL traffic is cut through

[Diagram legend: Clear text traffic; SSL Traffic with Rewritten certificate; SSL Traffic with Original certificate; Inside Network; Outside Network.]

Use Case: Intrusion Detection and Reporting (passive)

[Diagram: Ethernet Switch with a SPAN Destination Port connected to the sensor's Passive Interface.]

• Identify and log intrusion attempts
• Need to prioritize events based on
  • Criticality of the asset
  • Relevancy of the attack
  • Potential for damage
• What signatures to enable?
• How to avoid noise, false positives and non-relevant events?
• How to maximize the effectiveness of the analyst?
• How to deal with encrypted traffic?
• Contextual Visibility is key!

Use Case: Intrusion Prevention

• Identify, log and/or prevent intrusion attempts
• All of what matters for IDS also applies to IPS
• The right tuning is even more important because
  • False positives may drop good traffic
  • Inline deployment may have an impact on performance
• Often IPS is deployed as IDS, then tuned before inline deployment
• Contextual Visibility is key!
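The two use-case slides above ask for events to be prioritized by asset criticality and attack relevancy, and the Management Center slide lists "impact assessment" as the automated form of that. The following Python example is added here to show the mechanics; it is not code from the Cisco deck or from Firepower Management Center. It combines an intrusion event with a host profile of the kind passive discovery produces (OS, listening services) and an asset criticality from inventory, derives a simplified impact level, sorts the queue, and suggests whether a rule is a candidate for dropping once the sensor goes inline. The four impact levels, the signature IDs (local rule range), the hosts and the events are all constructed for this example.

```python
"""Contextual prioritization of intrusion events.

Added example, not code from the Cisco deck or from Firepower Management Center.
It models the slide's point that events must be ranked by asset criticality and
attack relevancy: the same signature hit matters more when the target actually
runs the affected software.  The four impact levels and the scoring are a
simplified scheme for this example; signature IDs, hosts and events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HostProfile:
    ip: str
    os_family: str            # learned by passive discovery, e.g. "windows"
    services: Dict[int, str]  # listening port -> service name
    criticality: int          # 1 (low) .. 5 (crown jewels), from the asset inventory


@dataclass(frozen=True)
class Signature:
    sid: int                   # constructed IDs in the local rule range (>= 1000000)
    name: str
    target_os: FrozenSet[str]  # OS families the underlying vulnerability applies to
    target_service: str        # service the exploit targets


@dataclass(frozen=True)
class IntrusionEvent:
    sid: int
    src_ip: str
    dst_ip: str
    dst_port: int


# Simplified impact levels (lower = more urgent); an assumption for this example.
IMPACT_VULNERABLE = 1        # target runs the affected service on the attacked port
IMPACT_POTENTIALLY = 2       # something listens on the port but OS/service do not fully match
IMPACT_NOT_VULNERABLE = 3    # target is known and has nothing listening there
IMPACT_UNKNOWN_TARGET = 4    # no host profile for the destination


def assess_impact(event: IntrusionEvent, sig: Signature, host: Optional[HostProfile]) -> int:
    if host is None:
        return IMPACT_UNKNOWN_TARGET
    service = host.services.get(event.dst_port)
    if service is None:
        return IMPACT_NOT_VULNERABLE
    if service == sig.target_service and host.os_family in sig.target_os:
        return IMPACT_VULNERABLE
    return IMPACT_POTENTIALLY


def suggest_inline_action(impact: int) -> str:
    """Tuning hint for moving from IDS to inline IPS: only drop where the hit is relevant."""
    if impact == IMPACT_VULNERABLE:
        return "drop"
    if impact == IMPACT_NOT_VULNERABLE:
        return "log only"       # dropping here risks blocking good traffic on a false positive
    return "alert"              # potentially vulnerable or unknown target: analyst review


def prioritize(events, signatures, hosts) -> List[Tuple[int, int, IntrusionEvent]]:
    """Sort events most urgent first: lowest impact level, then highest asset criticality."""
    scored = []
    for ev in events:
        host = hosts.get(ev.dst_ip)
        impact = assess_impact(ev, signatures[ev.sid], host)
        crit = host.criticality if host else 0
        scored.append((impact, crit, ev))
    scored.sort(key=lambda t: (t[0], -t[1]))
    return scored


# Constructed sample data (documentation address ranges only).
SIGNATURES = {
    1000001: Signature(1000001, "SMB remote code execution attempt", frozenset({"windows"}), "smb"),
    1000002: Signature(1000002, "Web application command injection attempt",
                       frozenset({"linux", "windows"}), "http"),
}
HOSTS = {
    "10.0.0.5":  HostProfile("10.0.0.5",  "windows", {445: "smb", 3389: "rdp"}, 5),
    "10.0.0.9":  HostProfile("10.0.0.9",  "linux",   {445: "smb"},              2),
    "10.0.0.12": HostProfile("10.0.0.12", "linux",   {22: "ssh"},               3),
}
EVENTS = [
    IntrusionEvent(1000001, "198.51.100.4", "10.0.0.12", 445),
    IntrusionEvent(1000002, "198.51.100.4", "10.0.0.99", 8080),
    IntrusionEvent(1000001, "198.51.100.9", "10.0.0.9",  445),
    IntrusionEvent(1000001, "198.51.100.9", "10.0.0.5",  445),
]


def triage_queue() -> List[Tuple[str, int, str]]:
    """(destination, impact, suggested inline action) in the order an analyst should work them."""
    return [(ev.dst_ip, impact, suggest_inline_action(impact))
            for impact, _crit, ev in prioritize(EVENTS, SIGNATURES, HOSTS)]


if __name__ == "__main__":
    for dst, impact, action in triage_queue():
        print(f"{dst:10} impact {impact}  inline action: {action}")
```

The same SMB signature fires four times in the sample, yet only the hit against the Windows host actually exposing SMB lands at the top of the queue; the Linux host with nothing on port 445 sinks to "log only", which is the tuning step the IPS slide describes (run as IDS, learn which rules matter for real targets, then go inline).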

Use Case: Licensing

Functionality               | Traditional Licensing | Smart Licensing
Base License (includes AVC) | Protect + Control     | Base
IPS (SI, DNS)               | (EULA Enforced)       | Threat
AMP/Threat GRID             | Malware               | Malware
URL Filtering               | URL Filtering         | URL Filtering
Management                  | FireSIGHT             | Built into Firepower Management Center


Location: What Network Segment do we want to protect?

• Internet Edge
• Data Center
• Branch
• Core
• Extranets
• Critical Network Segments

Location: Internet Edge

• Enterprise’s gateway to cyberspace
• Serves diverse building blocks
• Allow outbound employee traffic and inbound traffic to servers
• Filter outbound employee traffic
• Need for diversified policy protecting both DMZ and users
• Expected threats include (D)DoS, intrusion attempts, application-layer attacks
• URL and Application filtering, IPS/IDS, SSL Decryption, Anti-malware

Location: Data Center

• Houses the most critical applications and data
• Key to security is maintaining service availability
• Security may affect traffic flows, scalability and failures
• “Perceived” universal DC requirements include High Availability, ability to deal with asymmetric traffic, scalability
• Expected threat vectors include data loss, unauthorized access
• Some use cases for IPS in the DC are inter-zone inspection and VM-to-VM inspection


Connectivity: What interfaces are needed?

• How many interfaces?
• Fiber or copper?
• Bypass or non-bypass?
• Interface speed?
• Need for bundling interfaces?
• Need for wireless?

Connectivity: Interface Options on ASA with FirePOWER Services

                       | 5506 | 5506-H | 5506-W | 5508/5516 | 5525/45/55
Fixed 1GE Interfaces   | 8    | 4      | 8      | 8         | 8
Modular Interfaces     | NO   | NO     | NO     | NO        | 6 GE Copper or SFP
Integrated Wireless AP | NO   | NO     | YES    | NO        | NO
Hardware Fast Path     | NO   | NO     | NO     | NO        | NO
Monitor-Only Mode      | YES  | YES    | YES    | YES       | YES

Connectivity: Interface Options on ASA with FirePOWER Services

                     | 5585 SSP10F10, 5585 SSP20F20 | 5585 SSP10F20, 5585 SSP20F40 | 5585 SSP40F40, 5585 SSP60F60
Fixed 1GE Interfaces | 16                           | 14                           | 16
SFP+ Sockets         | 4 (1/10 GE)                  | 6 (1/10 GE)                  | 8 (1/10 GE)
Hardware Fast Path   | NO                           | NO                           | NO
Monitor-Only Mode    | YES                          | YES                          | YES

Connectivity: Interface Options on FirePOWER Appliances

                            | NGIPSv | 7000 | 7100                 | 8100                      | 8300
Modular Interfaces          | N.A    | NO   | 8 GE Copper or SFP * | Up to 3 modules (1,10 GE) | Up to 7 modules (1,10,40 GE)
Monitoring Interfaces (Max) | N.A    | 8    | 8-12                 | 12                        | 28
Hardware Bypass             | NO     | YES  | YES                  | YES                       | YES
Hardware Fast Path          | NO     | NO   | NO                   | YES                       | YES

* 7115, 7125, and 7150 models only

Connectivity: Network Modules for FirePOWER 8000 Series

Integrated Bypass NetMods                | Non-Bypass NetMods
1-Gbps 4-port copper                     | 1-Gbps 4-port copper
1-Gbps 4-port fiber                      | 1-Gbps 4-port fiber
10-Gbps 2-port fiber SR (short-reach)    | 10-Gbps 4-port fiber SR (short-reach)
10-Gbps 2-port fiber LR (long-reach)     | 10-Gbps 4-port fiber LR (long-reach)
40-Gbps 2-port fiber SR (8200/8300 only) |

Connectivity: Interface Options on ASA with FirePOWER Services

                      | FP4100                              | FP9300
Fixed 10GE Interfaces | 8                                   | 8
SFP+ Sockets          | 2 (8/10 GE SFP+), 2 (4/40 GE QSFP+) | 2 (8/10 GE SFP+), 2 (4/40 GE QSFP+), 1 (2/100 GE SFP28)
Integrated Bypass     | Future version                      | Future version
Flow Offload          | Future version                      | Future version
Monitor-Only Mode     | YES                                 | YES

Connectivity: Link Aggregation for Link Redundancy and Scaling

[Diagram: NGIPS Appliance ports s1p1 to s1p4 bundled into lag0 towards the Switch.]

• Combine multiple links into one aggregated link (port-channel)
• Availability and throughput
• Manual (always on) EtherChannel or LACP
• Supported on ASA, Firepower and FirePOWER appliances
  • ASA and Firepower: multiple firewalls can be members of one port-channel (used in Clustering)
  • FirePOWER Appliances: only supported to aggregate interfaces on the same device

Connectivity: How should the IDS/IPS be connected?

FirePOWER Appliance
• Promiscuous
  • Passive interface
• Inline
  • Inline Interfaces
  • Virtual Switched Mode
  • Virtual Routed Mode

ASA with FirePOWER Services
• Inline
• Promiscuous
• Span Port Mode

FTD
• Inline
• Inline Tap
• Passive

Connectivity: FirePOWER Appliance Deployment Models

Traditional IDS Deployment
• SPAN, TAP to send a copy of traffic to IDS
• Does not impact network traffic
• Easy to insert into an existing network
• i.e. Passive Mode

Traditional IPS Deployment
• Bump in the wire, entirely transparent to the network
• Bypass functionality
• Easy to insert into an existing network
• i.e. FirePOWER Inline Interfaces

Traditional Transparent Firewall Deployment
• No Bypass functionality
• Can actively participate in the network (i.e. keeps CAM table, can broadcast ARP request)
• State-sharing is a requirement for network continuity in HA pairs
• i.e. Virtual Switched Mode

Traditional Routed Firewall Deployment
• FW is a hop in the network between L3 boundaries
• Has to be aware of routing protocols
• State-sharing is a requirement for network continuity in HA pairs
• i.e. Virtual Routed Mode

Connectivity: FirePOWER Appliance Promiscuous – Passive Interface

[Diagram: Ethernet Switch with a SPAN Destination Port connected to the sensor's Passive Interface.]

• FirePOWER Appliances and NGIPSv
• Only copies of the packets are sent to the sensor
• One or more physical ports designated as passive
• Visibility and Detection
• Optional prevention through remediation modules
• Separate device must send copies of the packets
  • SPAN (or monitor) from a switch
  • Network Taps

Switch-side SPAN configuration shown on the slide:

monitor session 1 type local
 source int fa4/1
 destination int fa2/2

Connectivity: FirePOWER Appliance Inline - Inline Interfaces

Transparent Interfaces: the sensor is a Layer 2 bridge and sits between two physical ports on a switch or on two different switches.

• Two physical interfaces paired together
• Paired interfaces must be assigned to an inline set
• Multiple pairs can be configured on the same sensor as sets
• IPS between two access ports on the same switch or between two different switches
• Traffic passes through the sensor
• Pass good traffic, and block bad
• Redundancy can be provided with STP or an additional sensor
• Fail-open can be provided with hardware-bypass interfaces

Connectivity: FirePOWER Appliance Inline – Configuring Inline Interfaces

• Create an Inline Set
• Select Bypass mode
• Assign one or more interface pairs to the Inline Set
• Advanced Options:
  • Tap Mode
  • Propagate Link State
  • Transparent Inline Mode
  • Strict TCP Enforcement

Connectivity: FirePOWER Appliance Inline – Virtual Switched Mode

[Diagram: Host A on VLAN10 and Host B on VLAN20 bridged through the sensor's virtual switch.]

• Virtual Switch is defined within the sensor
• Traditional L2 firewall deployment model
• Two or more physical interfaces or VLANs are assigned to the Virtual Switch
• Traffic passes through the IPS and gets inspected
• The incoming VLAN tag is stripped and packets are re-encapsulated with the egress VLAN tag when leaving
• Security redundancy (HA) can be provided with STP deployments
• Network availability (fail-open) can be provided with a redundant wire

Connectivity: FirePOWER Appliance Inline – Configuring Inline Switched Mode

• Create logical switched interfaces for each VLAN *
• Create a Virtual Switch
• Add logical or physical interfaces to the Virtual Switch
• Advanced Options:
  • Static MAC Entries
  • Enable STP
  • Strict TCP Enforcement
  • Drop BPDUs

Connectivity: FirePOWER Appliance Inline – Virtual Routed Mode

Routed Interfaces
• Two or more physical or logical (VLAN) interfaces defined as routable interfaces
• Traditional L3 firewall deployment
• Route good traffic, and drop bad
• Static Routing, RIP, OSPF and BGP are supported
• Redundancy can be provided through SFRP to a standby sensor
• Fail-open is NOT supported in routed mode

Connectivity: FirePOWER Appliance Inline – Configuring Virtual Routed Mode

• Create logical routed interfaces for each VLAN *
• Assign IP addresses to logical or physical routed interfaces
• Create a Virtual Router
• Add logical or physical interfaces to the Virtual Router
• Configure routing type
• Advanced Options:
  • IPv6 Support
  • DHCP Relay
  • Static Routing Entries
  • Routing Filter
  • Authentication Profile

Connectivity: ASA with FirePOWER Services Deployment Models

ASA itself could be deployed in many ways:

• L2 (Transparent) / L3 (Routed mode)
• Single-Context / Multi-Context
• Active/Standby, Active/Active, Clustering

Modular Policy Framework (MPF) is used to forward traffic from ASA to FirePOWER Services:

• Inline
• Promiscuous
• Monitor-only

    policy-map global_policy
     class class-default
      sfr fail-open
    service-policy global_policy global

Connectivity: ASA with FirePOWER Services – Inline

• ASA is deployed Inline
• ASA Forwards selected traffic through the module
  • As Defined in ASA Policy-map
• Packets and flows are not dropped by FirePOWER services directly
  • Packets are marked with Drop or Drop with Reset and sent back to the ASA
  • This allows the ASA to clear the connection from the state tables and send resets if needed.

    policy-map global_policy
     class class-default
      sfr fail-open
    service-policy global_policy global

[Figure: L3 or L2 mode ASA with the FirePOWER module in the data path]

Connectivity: ASA with FirePOWER Services – Promiscuous

• ASA is still deployed Inline
• ASA forwards a copy of the selected traffic through the module
  • As Defined in ASA Policy-map
  • Monitor-only option in Policy-map
• Visibility and Detection
• Optional prevention through remediation modules

    policy-map global_policy
     class class-default
      sfr fail-open monitor-only
    service-policy global_policy global

[Figure: L3 or L2 mode ASA with a copy of the traffic sent to the FirePOWER module]

Connectivity: ASA with FirePOWER Services – SPAN port Mode

• ASA Interface connected to a SPAN port
• ASA not in Data Path
• Monitor-only configured on interface
  • This interface cannot be used for regular ASA functionality
  • Other ASA interfaces can still be inline but cannot forward traffic to the FirePOWER module
• Only supported in transparent, single-context mode
• Visibility and Detection

    firewall transparent
    int g0/0
     traffic-forward sfr monitor-only

[Figure: Transparent Mode ASA fed from a SPAN port]

Connectivity: Firepower Threat Defense Interface Modes

[Figure: interface modes on one FTD device. Routed/Transparent interfaces (A–D), Inline Pair 1 and Inline Pair 2 grouped into an Inline Set (E–J), Passive interfaces and Inline Tap interfaces, all feeding the Policy Tables]

Planning: Define your requirements

• Use Case
• Location
• Connectivity
• Performance
• Availability and Scaling
• Management

Performance: How to measure and why it matters?

Sizing: Which device do I need to buy?
  Upgrade of existing or new device?

Features: What features am I going to need or want to run?
  Firewall, IPS, Application Control, URL, Malware?

Location: Where is the device in the network?
  In front of a DNS-only datacenter with millions of very small, very fast transactions, or in front of HTTP web servers serving normal web pages?
  Datacenter looking at only internal traffic, or Internet Edge looking at the wild Internet?

As with all performance discussions, YOUR MILEAGE MAY VARY!!

Performance: Determining your IPS Performance needs

• What does your traffic mix look like?
• What is your peak throughput?
• What features will you need?
• What is your peak conn/s and max conn?
• What is acceptable latency?
• Is there traffic excluded from inspection?
• Use Netflow, NBAR, AVC, ASA Stats
• Expected future growth

Performance: Throughput testing methodology

Datasheets generally have some indication of performance. In most cases this includes the infamous “throughput” measurement. Different product spaces have different typical “throughput” tests.

The firewall industry almost always publishes a max throughput number, usually based on a traffic type that is never helpful in determining sizing of the product. UDP 1518 byte packet size is fairly common.

The IPS industry has generally been more conservative about throughput estimates on their datasheets, partly because their performance range is much more variable than firewalls, and partly because of industry choice. TCP 440 byte HTTP is fairly common.

Performance: What Metrics do we provide?

Solution | Throughput | Connections
ASA with FirePOWER Services | Maximum Stateful Firewall Throughput; Maximum VPN Throughput; Maximum AVC Throughput; Maximum AVC and NGIPS Throughput; AVC or IPS Sizing Throughput (440B) | Maximum Concurrent Sessions; Maximum New Connections / Second
FirePOWER Appliances | FW Throughput; IPS Throughput (440B) | Maximum Concurrent Sessions; Maximum New Connections / Second

Performance: Multiple-Services Performance Guideline

If you run AVC or AVC+AMP on top of IPS, reduce the Datasheet IPS throughput by:

• 30-45% for IPS + AVC
• 50-65% for IPS + AVC + AMP

[Figure: bar chart of relative throughput for IPS, IPS + AVC, and IPS + AVC + AMP]

Performance: FirePOWER Services for ASA

Model | 5506-X | 5508-X | 5516-X | 5525-X | 5545-X | 5555-X | 5585-10 | 5585-20 | 5585-40 | 5585-60
Max Stateful FW Throughput | 750 Mbps | 1 Gbps | 1.8 Gbps | 2 Gbps | 3 Gbps | 4 Gbps | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps
VPN Throughput | 100 Mbps | 175 Mbps | 250 Mbps | 300 Mbps | 400 Mbps | 700 Mbps | 1 Gbps | 2 Gbps | 3 Gbps | 4 Gbps
Max AVC Throughput | 250 Mbps | 450 Mbps | 850 Mbps | 1.1 Gbps | 1.5 Gbps | 1.75 Gbps | 4.5 Gbps | 7 Gbps | 10 Gbps | 15 Gbps
Max AVC and IPS Throughput | 125 Mbps | 250 Mbps | 450 Mbps | 650 Mbps | 1 Gbps | 1.25 Gbps | 2 Gbps | 3.5 Gbps | 6 Gbps | 10 Gbps
AVC or IPS Sizing Throughput | 90 Mbps | 180 Mbps | 300 Mbps | 375 Mbps | 575 Mbps | 725 Mbps | 1.2 Gbps | 2 Gbps | 3.5 Gbps | 6 Gbps
Max Connections | 50,000 | 100,000 | 250,000 | 500,000 | 750,000 | 1,000,000 | 500,000 | 1,000,000 | 1,800,000 | 4,000,000
Max CPS | 5,000 | 10,000 | 20,000 | 20,000 | 30,000 | 50,000 | 40,000 | 75,000 | 120,000 | 160,000
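The following is an added worked example, not Cisco tooling or code from the session: it combines the multiple-services guideline (reduce datasheet IPS throughput by 30-45% for IPS + AVC and 50-65% for IPS + AVC + AMP) with the "AVC or IPS Sizing Throughput" column of the ASA table above, and answers the sizing questions from the earlier "Determining your IPS Performance needs" slide (peak throughput, excluded traffic, expected growth). The model table is copied from the page; the workload figures passed in are constructed inputs, and the choice to size against the worst-case end of the reduction range is mine.

```python
"""Sizing helper for ASA with FirePOWER Services (added example, not Cisco code).

Applies the multiple-services reduction guideline to the datasheet
"AVC or IPS Sizing Throughput" values and picks the smallest model that
still meets the inspected throughput a deployment must sustain.
"""

# "AVC or IPS Sizing Throughput" (440-byte HTTP test), in Mbps, smallest model first.
# Values copied from the table on this page.
SIZING_THROUGHPUT_MBPS = {
    "5506-X": 90, "5508-X": 180, "5516-X": 300, "5525-X": 375, "5545-X": 575,
    "5555-X": 725, "5585-10": 1200, "5585-20": 2000, "5585-40": 3500, "5585-60": 6000,
}

# Fraction of IPS sizing throughput lost when more services run: (low, high)
# from the multiple-services guideline. "ips" alone has no reduction.
REDUCTION = {
    "ips": (0.00, 0.00),
    "ips+avc": (0.30, 0.45),
    "ips+avc+amp": (0.50, 0.65),
}


def guideline_range_mbps(model, features):
    """Expected throughput (best case, worst case) for a model running a feature set."""
    base = SIZING_THROUGHPUT_MBPS[model]
    lo, hi = REDUCTION[features]
    return base * (1 - lo), base * (1 - hi)


def required_mbps(peak_mbps, excluded_fraction=0.0, growth_per_year=0.0, years=0):
    """Inspected throughput the sensor must sustain: peak traffic minus the share
    excluded from inspection, compounded for the planning horizon."""
    return peak_mbps * (1 - excluded_fraction) * (1 + growth_per_year) ** years


def recommend(peak_mbps, features, excluded_fraction=0.0, growth_per_year=0.0, years=0):
    """Smallest model whose worst-case guideline throughput covers the requirement,
    or None when nothing in the table is large enough (consider stacking/clustering)."""
    need = required_mbps(peak_mbps, excluded_fraction, growth_per_year, years)
    for model in SIZING_THROUGHPUT_MBPS:          # dict order is ascending capacity
        _, worst = guideline_range_mbps(model, features)
        if worst >= need:
            return model
    return None


if __name__ == "__main__":
    # Constructed workload: 300 Mbps peak, 20% of traffic excluded from inspection,
    # 20% annual growth over a 2-year horizon, running IPS + AVC + AMP.
    print(round(required_mbps(300, 0.2, 0.2, 2), 1))     # 345.6
    print(recommend(300, "ips+avc+amp", 0.2, 0.2, 2))    # 5585-10
```

Sizing against the worst-case end of the range is deliberate: the guideline is a rule of thumb, and a sensor that lands above its sizing throughput stops inspecting cleanly rather than slowing down. The migration sizing table later in this session gives measured IPS + AVC and IPS + AVC + AMP figures per model, which can replace the guideline arithmetic once you know the exact feature set.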

Performance: FirePOWER Appliances

Model | 7030 | 7115 | 7125 | 8120 | 8140 | 8350 | 8360 | 8370 | 8390
Firewall Throughput | 500 Mbps | 1.5 Gbps | 2.5 Gbps | 4 Gbps | 10 Gbps | 30 Gbps | 60 Gbps | 90 Gbps | 120 Gbps
IPS Throughput | 250 Mbps | 750 Mbps | 1.25 Gbps | 2 Gbps | 6 Gbps | 15 Gbps | 30 Gbps | 45 Gbps | 60 Gbps
Max Connections | 500,000 | 1,500,000 | 2,500,000 | 3,000,000 | 7,000,000 | 12,000,000 | 24,000,000 | 36,000,000 | 48,000,000
Max CPS | 5,000 | 27,500 | 42,500 | 45,000 | 100,000 | 180,000 | 360,000 | 540,000 | 720,000

Performance: Firepower Appliances

Model | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3
Max Throughput: Application Control (AVC) | 12G | 20G | 25G | 25G | 35G | 100G
Max Throughput: Application Control (AVC) and IPS | 10G | 15G | 20G | 20G | 30G | 90G
Sizing Throughput: AVC (450B) | 4G | 8G | 10G | 9G | 12.5G | 30G
Sizing Throughput: AVC+IPS (450B) | 3G | 5G | 6G | 6G | 8G | 20G
Maximum concurrent sessions w/AVC | 4.5M | 11M | 14M | 28M | 29M | 57M

Cisco FMCv/FTDv in AWS

AWS FMCv is optional, as many organizations like to use their on-premises FMC.

• Cisco Smart Licensing, AWS hourly coming soon
• AWS Security Group Access control must permit SSH/HTTPS access to your instances
• Create and attach Network interfaces and add Route table entry for Internet access
• An Elastic IP (Static persistent Public IP) is required for either FTDv or FMCv remote admin access
• * 2 management interfaces required for AWS FTDv

Instance | Type | Interf. | Subnets | vCPUs | RAM (GB)
FMCv | m3.large | 3 | 2 | 7.5
FMCv | m3.xlarge | 3 | 4 | 15
FMCv & FTDv* | c3.xlarge | 2 | 4 | 7.5
FMCv | c3.2xlarge | 8 | 4 | 15

Planning: Define your requirements

• Use Case
• Location
• Connectivity
• Performance
• Availability and Scaling
• Management

Availability and Scaling: What should happen if the IPS fails?

 | ASA with FirePOWER Services | FirePOWER Appliance – Promiscuous | FirePOWER Appliance – Inline
Network Availability | ASA w/ Firepower Fail-Open | N.A. | Automatic Application Bypass; Hardware Bypass; Alternate Path
Security Availability | ASA A/S Failover | FirePOWER Clustering – Passive Redundancy | FirePOWER Clustering – Inline; FirePOWER Clustering – Switched; FirePOWER Clustering – Routed

Network Availability: Fail-Open for ASA with FirePOWER Services

• Fail-Open and Fail-Closed configured in ASA Policy-map
• Determines what ASA does when the FirePOWER module has failed
  • With Fail-Closed, traffic will be blocked when the module is unavailable
  • With Fail-Open, traffic will be allowed and not inspected when the module is unavailable
• Only used if the ASA cannot failover

[Figure: data flow through ASA and Firepower Module (HW or SW); after a Health Check Failure the data flow continues through the ASA, bypassing the module]

    policy-map global_policy
     class class-default
      sfr fail-open
    service-policy global_policy global

Network Availability: Automatic Application Bypass (AAB) for FirePOWER IPS

• AAB limits the time allowed to process packets through an interface.
  • Increased processing time may be due to misconfiguration or a SW issue
  • Not the same as Packet / Rule Latency Thresholding
• Inspection is bypassed if the processing time is exceeded, causing all Snort processes to terminate
  • AAB will restart the Snort IPS engine within 10 minutes after failure
• Bypass threshold: 250ms – 6s (3s default)
• Generates Health Monitoring Alert
• Supported on FirePOWER Hardware appliances and NGIPS
• Not supported on ASA with FirePOWER services

[Figure: data flow through a Firepower Appliance; when Processing Time is Exceeded the data flow bypasses inspection]

Network Availability: Hardware Bypass for FirePOWER IPS

• Fail-to-wire
  • Traffic bypasses appliance on power-failure
• Supported on Physical FirePOWER appliances only
• Supported on both Copper and Fiber Interfaces
• Hardware Bypass Network Modules available for 8000 series
• Inline Interfaces Mode Only

[Figure: appliance inline between two Ethernet Switches. Normal: Link up on both sides, traffic passes through the appliance. Power Loss: Hardware Bypass Activated, the appliance shows No Link and the two switches are joined directly]

Network Availability: Alternate Path for FirePOWER IPS

• Sensor and alternate path between 2 switches or 2 VLANs on the same switch
• STP determines Forwarding/Blocking path
• Sensor failure causes STP to place the alternate path in forwarding state

[Figure: Data Flow through the sensor while the alternate path is Blocked by Spanning Tree; after sensor failure the Data Flow moves to the alternate path]

Security Availability: A/S Failover for ASA with FirePOWER Services

• For locations where high availability is the primary concern
• ASAs sync connection table
• ASA configuration automatically synched.
• FirePOWER Configuration should be synched using Firepower Management Center
• FirePOWER Modules do not synchronize their connection tables
  • Mid-session pickup on FirePOWER modules
• Supported in both Routed and Transparent mode

[Figure: ACTIVE and STANDBY ASA pair between two Ethernet Switches; Data Flow through the ACTIVE unit. After the ACTIVE unit has FAILED, the former STANDBY becomes ACTIVE and carries the Data Flow]

Security Availability: Clustering (HA) for FirePOWER Appliances

• Not the same as ASA Clustering
• FirePOWER Clustering (HA) establishes resiliency between 2 appliances or 2 stacks
• Clustered devices can synchronize state via HA link
• Single logical system in Firepower Management Center for policy application
• Both devices must be the same model, with identical interfaces, same software and licenses
• Automatic failover happens with appliance health failure, hardware failure, during a system update or device shutdown
• Multiple Clustered Redundancy Deployment Models: Passive, Inline, Routed, Switched

Security Availability: Clustering for FirePOWER Appliances – Passive Deployment Redundancy

• TAP or SPAN feed to multiple appliances in passive mode
• Standby Appliance brings interfaces up if Active Appliance fails health checks
• Same as having multiple standalone IDS appliances, except duplicate events are suppressed.

[Figure: SPAN’ed Traffic fed to an Active and a Standby appliance; Data Flow is inspected by the Active unit. After the Active unit has Failed, the Standby becomes Active]

Security Availability: Clustering for FirePOWER Appliances – Inline Deployment Redundancy

• Sensors between 2 switches
• STP determines Forwarding/Blocking path
• Sensor failure causes STP to place the other sensor in forwarding state
• Clustering does State Push for session state to ensure flow continuity on failover

[Figure: Data Flow through one sensor while the path through the other is Blocked by Spanning Tree; after failure the Data Flow moves to the other sensor]

Security Availability: Clustering for FirePOWER Appliances – Switched Deployment Redundancy

• Sensors between switches or VLANs on the same switch
• Virtual Switch Configuration
• STP determines Forwarding/Blocking path
• Sensor failure causes STP to place the other sensor in forwarding state
• Clustering does State Push for session state to ensure flow continuity on failover

[Figure: two sensors bridging VLAN 20 and VLAN 200; one carries the Active STP Path, the other Path is Blocked by STP]

Security Availability: Clustering for FirePOWER Appliances – Routed Deployment Redundancy

• Virtual Router Configuration
• Hosts typically have a statically defined GW
• Redundancy in a routed deployment requires routed interfaces to share a GW IP Address
• SFRP (similar to VRRP) creates an Active/Passive deployment by advertising the active IP only on 1 interface
• If that interface goes down, the backup interface begins advertising the IP address
• Clustering does State Push for session state to ensure flow continuity on failover

[Figure: ACTIVE and STANDBY sensors between two Ethernet Switches; Data Flow through the ACTIVE sensor. After the ACTIVE sensor has FAILED, the former STANDBY becomes ACTIVE and carries the Data Flow]

Availability and Scaling: How to scale beyond what 1 Appliance can do?

 | ASA with FirePOWER Services | FirePOWER Appliance – Passive | FirePOWER Appliance – Inline | Firepower with NGFW (FTD)
Scaling | NA | Stacking | Stacking | NA
Scaling + Availability | ASA Clustering * | Passive Clustered Stack; FirePOWER Passive Appliances with Etherchannel RSPAN * | Clustered Stack; ASA with FirePOWER Appliances * | Clustering

* Can be deployed in asymmetric traffic environments

Scaling: Stacking for FirePOWER 8000 Series

4x Stacking supported on 8300, 8200; 2x Stacking on 8100 Series

Model | 8350 | 8360 | 8370 | 8390
IPS Throughput | 15 Gbps | 30 Gbps | 45 Gbps | 60 Gbps

Scaling + Availability: Clustering for ASA5500-X

• Scaling and Availability for FirePOWER Services
• Can be deployed in an asymmetric environment
• Up to 16 ASA5585-X or two ASA5500-X with FirePOWER services
• Stateless load balancing by external switch
  • Support for vPC and LACP
• Cluster Control Protocol/Link
  • State-sharing between Firewalls for concerted operation and high availability
  • Every session has a primary and secondary owner ASA
• ASA provides traffic symmetry to FirePOWER modules

[Figure: ASA Cluster attached to the switching fabric through vPC on both sides]

Scaling + Availability: Clustered Stack of FirePOWER Appliances

• Stack-to-Stack High Availability
• Supported on 8000 Series
• Scaling and Availability for FirePOWER Services
• Supported for passive, inline, switched and routed clustered deployment
• Not suggested for asymmetric environment
• Stacks must have identical hardware

[Figure: left, passive clustered stacks (Active and Standby) fed with SPAN’ed Traffic; right, inline clustered stacks, one carrying the Data Flow and the other Blocked by Spanning Tree]

Scaling + Availability: Etherchannel RSPAN with FirePOWER Passive Appliances

• Provides IDS Scaling and Availability
• No FirePOWER Clustering
• Can be deployed in an asymmetric environment
  • Asymmetric traffic flow through the DC switching infrastructure
• Switches mirror traffic at key intersection points into an RSPAN VLAN
• RSPAN collection switch aggregates flows and feeds them into an Etherchannel.
• FirePOWER appliances process aggregated SPAN traffic in passive mode

[Figure: DC switching with vPC pairs mirroring into an RSPAN collection switch that feeds passive appliances over an Etherchannel]

Scaling + Availability: ASA with Inline FirePOWER Appliances

• Provides IPS Scaling and Availability
• Can be deployed in an asymmetric environment
• ASA appliances deployed as a cluster in multi-context mode
• In-Line FirePOWER Appliances attached in between the contexts
• ASA Clustering automatically redirects asymmetrically received packets to the ASA connection owner
• Local FirePOWER Appliances have full visibility into the flow due to localized processing
• Cisco Validated Design

[Figure: ASA Cluster attached through vPC on both sides, with inline FirePOWER appliances between the contexts]

Availability and Scaling: Availability and Scaling Options on ASA with FirePOWER Services

 | 5506 | 5506-H | 5506-W | 5508/5516 | 5525/45/55 | 5585-X
Multi-Context | NO | NO | NO | YES | YES | YES
High Availability | A/S | A/S | A/S | A/S, A/A | A/S, A/A | A/S, A/A
Clustering | NO | NO | NO | NO | YES (2) | YES (16)
Module Fail-Open | YES | YES | YES | YES | YES | YES
Automatic Application Bypass | NO | NO | NO | NO | NO | NO

Availability and Scaling: Availability and Scaling Options on FirePOWER Appliances

 | NGIPSv | 7000 | 7100 | 8100 | 8200/8300
FirePOWER Stacking | NO | NO | NO | YES (2) | YES (4)
FirePOWER Clustering | NO | YES | YES | YES | YES
Clustered Stacks | NO | NO | NO | YES | YES
Automatic Application Bypass | YES | YES | YES | YES | YES
Hardware Bypass | NO | YES | YES | YES | YES

* 7115, 7125, and 7150 models only

Availability and Scaling: Availability and Scaling Options on Firepower NGFW (FTD)

 | FP4100 | FP9300
Multi-Context | NO | NO
High Availability | A/S, A/A | A/S, A/A
Clustering | YES (5) * | YES (5) *
Module Fail-Open | NO ** | NO **
Automatic Application Bypass | NO | NO

* Clustering will be available in a future release
** Interfaces with built-in bypass available in a future release

Planning: Define your requirements

• Use Case
• Location
• Connectivity
• Performance
• Availability and Scaling
• Management

Management: Firepower Management Center

• Management Platforms: Firepower Management Center, ASDM *
• Firepower Management Center can be an appliance or a VM
• Firepower Management Center Appliances can be deployed in HA
• Determining factors: device type, deployment size, cost, other security devices, scaling requirements, responsibilities

 | FMC | ASDM
Model | Server, web-based UI | On-box
Form Factor | VM or Appliance | Runs on ASA
# devices | Up to 300 | 1
Cost | $ | No Charge
Manages | FirePOWER, FirePOWER services | ASA, FirePOWER services on select platforms
Contextual Awareness and Visibility | Detailed | Basic, no IoC or Impact Assessment
Event Collection | Extensive | Basic
Reporting | Extensive | Basic
Health Monitoring | Extensive | Basic: CPU, Memory

* ASDM currently only manages FirePOWER Services on 5506/8/16

Management: Firepower Management Center Appliances

Model | 750 | 2000 | 4000
Maximum devices managed* | 10 | 70 | 300
Event storage | 100 GB | 1.8 TB | 3.2 TB
Maximum network map (hosts/users) | 2000/2000 | 150,000/150,000 | 600,000/600,000
Events per second (EPS) | 2000 | 12,000 | 20,000

Virtual: Virtual FireSIGHT® Management Center, up to 25 managed devices (ASA or FirePOWER appliances). Virtual FireSIGHT® Management for 2 or 10 ASA devices only! Not upgradeable: FS-VMW-2-SW-K9, FS-VMW-10-SW-K9

* Max number of devices is dependent upon sensor type and event rate

IPS Deployment Process

• Policy
• Planning & Hardware Selection
• Implementation & Operation
• Evaluation

Implementation: Installation, Basic Configuration and Insertion into the network

1. Installation of Firepower Management Center
2. Installing FirePOWER appliance or FirePOWER Services for ASA
3. Adding FirePOWER appliance/module into Firepower Management Center
4. Apply Basic Configuration
5. Insertion into the network
6. Tuning
7. Optional: Move from Audit mode to inline mode
8. Operation

Implementation: Adding a FirePOWER device into Firepower Management Center

1. On the FirePOWER device, identify the Firepower Management Center that will be managing the device. This can be done via CLI, LCD panel * or GUI *

    > configure manager add 10.89.145.102 cisco123
    Manager successfully configured.

   (CLI and GUI both take the FMC IP address and registration key)

2. On the Firepower Management Center, navigate to Device Manager to add the new device: enter the Device IP address and registration key, the Licenses applied to the FireSIGHT MC, and the Default Access Control Policy

* LCD Panel/GUI options only apply to physical FirePOWER appliances

Implementation: Basic Configuration

• Access Control Policy
• IPS policy
• Default Action

Implementation: Policies

• Platform and System Policy: manages system-level settings such as audit logs, mail relay, etc.
• Health Policy: a collection of health module settings to check the health of devices
• Network Discovery Policy: defines how the system collects data on network assets
• Malware & File Policy: used to perform AMP and file filtering
• Intrusion Policy: defines IPS rules to be enabled for inspection
• SSL Policy: defines what traffic to decrypt and how to decrypt it
• Access Control Policy: permits/denies traffic through the device, defines which Intrusion/File policies are applied to traffic flows
• DNS Policy: defines custom DNS policies and the system-provided default policy
• Identity Policy: associates traffic with an authoritative identity source (LDAP, AD or ISE)

Implementation: What are the different Base IPS Policies?

Connectivity over Security: ~ 500 Rules
• CVSS Score of 10
• Age of Vulnerability: 1 year and newer

Balanced: ~ 7700 Rules
• CVSS Score of 9 or greater
• Age of Vulnerability: 1 year and newer
• Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit

Security over Connectivity: ~ 10700 Rules
• CVSS Score of 8 or greater
• Age of Vulnerability: 2 years and newer
• Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit, App-detect

Maximum Detection: ~ 5600 Rules
• CVSS Score of 7.5 since 2005 with critical rules, malware and exploit kit rules
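To make the differences between the base policies concrete, here is an added example (not Cisco or Talos code, and not how the shipped policies are built) that applies the criteria listed above to rule metadata. It treats a rule as enabled when it meets the CVSS threshold inside the age window, or when it belongs to one of the policy's listed categories; that combination, the category names used as keys, and the rule records are my reading and constructed data, not documented selection logic.

```python
"""Base intrusion policy selection (added example, not Cisco/Talos code).

Each base policy is modelled as a CVSS floor plus an age window (or a fixed
cut-off year for Maximum Detection) plus categories that are enabled regardless
of score. Rule metadata below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    sid: int
    cvss: float
    vuln_date: date      # disclosure date of the vulnerability the rule covers
    category: str        # hypothetical category key, lower-case


BASE_POLICIES = {
    "connectivity-over-security": dict(
        min_cvss=10.0, max_age_years=1, categories=frozenset()),
    "balanced": dict(
        min_cvss=9.0, max_age_years=1,
        categories=frozenset({"malware-cnc", "blacklist", "sql-injection", "exploit-kit"})),
    "security-over-connectivity": dict(
        min_cvss=8.0, max_age_years=2,
        categories=frozenset({"malware-cnc", "blacklist", "sql-injection",
                              "exploit-kit", "app-detect"})),
    # Maximum Detection uses a fixed cut-off year instead of a rolling window.
    "maximum-detection": dict(
        min_cvss=7.5, since=date(2005, 1, 1),
        categories=frozenset({"malware-cnc", "exploit-kit"})),
}


def rule_enabled(rule, policy_name, today):
    """True when the rule belongs in the named base policy as of `today`."""
    policy = BASE_POLICIES[policy_name]
    if rule.category in policy["categories"]:
        return True                                   # always-on category
    if rule.cvss < policy["min_cvss"]:
        return False
    if "since" in policy:
        return rule.vuln_date >= policy["since"]      # fixed cut-off year
    return (today - rule.vuln_date).days <= 365 * policy["max_age_years"]


def select_rules(rules, policy_name, today=None):
    """SIDs enabled by the base policy, in the order the rules were given."""
    today = today or date.today()
    return [r.sid for r in rules if rule_enabled(r, policy_name, today)]


# Constructed sample rules; dates chosen relative to a fixed 'today' of 2016-06-01
SAMPLE_RULES = [
    Rule(1, 10.0, date(2015, 12, 1), "server-other"),   # critical and recent
    Rule(2, 9.5, date(2014, 12, 1), "os-windows"),      # critical, 18 months old
    Rule(3, 6.0, date(2016, 3, 1), "malware-cnc"),      # low score, CnC category
    Rule(4, 8.0, date(2003, 1, 1), "server-webapp"),    # high score, very old
    Rule(5, 7.5, date(2010, 5, 5), "browser-ie"),       # only clears the 7.5 floor
]
AS_OF = date(2016, 6, 1)

if __name__ == "__main__":
    for name in BASE_POLICIES:
        print(name, select_rules(SAMPLE_RULES, name, AS_OF))
```

The point the slide makes, and the example shows, is that the policies are not nested by score alone: a low-scoring command-and-control rule is enabled in Balanced while a 9.5 from eighteen months ago is not, so the base policy decides which alerts you will and will not see before any tuning happens.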

Implementation: Audit Mode

• Inline deployment without actually affecting traffic
• Disable “Drop when inline” when creating IPS Policy
• In passive deployments, the system cannot affect traffic regardless of the drop behavior
• Events will show “Would have dropped” when the sensor is deployed passively or when “drop when inline” is disabled

Operation: Features for more effective operation

• Host, User Discovery and Application Identification
• Host Profiles
• Impact Levels
• FireSIGHT Recommendations
• Indications of Compromise

Operation: Network Discovery

Host discovery
• Identifies OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host based on the information it’s gathered

Application identification
• FireSIGHT can identify over 1900 unique applications using OpenAppID
• Includes applications that run over web services such as Facebook or LinkedIn
• Applications can be used as criteria for access control

User discovery
• Monitors for user IDs transmitted as services are used
• Integrates with MS AD servers to authoritatively ID users
• Authoritative users can be used as access control criteria

Host Profile: What have we learned?

• All information we know about each host we monitor
  • Current and historic users
  • OS, Servers, Applications
  • Indications of Compromise
  • Malware Detections
  • Vulnerabilities

Network Discovery: How is the Information used?

FireSIGHT Recommendations
• Uses information we learned about each host
• Automatic selection of rules that apply to your environment

Impact Assessment
• Correlation of IPS Events with Impact on the Target host

Indications of Compromise
• Tags that indicate a likely host infection has occurred
• FireSIGHT tracks and correlates IoCs across all sensor points, together with Security Intelligence and malware activity.

Impact Assessment: How Relevant is the Attack?

Impact Flag | Administrator Action | Why
1 | Act Immediately, Vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vuln mapped
3 | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
4 | Good to Know, Unknown Target | Monitored network, but unknown host
0 | Good to Know, Unknown Network | Unmonitored network
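As an added example (not FirePOWER code, and not how the product implements it internally), the table above can be turned into a small classifier that assigns an impact flag to an intrusion event from what Network Discovery knows about the target host. The host map, the monitored network, the event fields and the vulnerability identifier `CVE-EXAMPLE-0001` are all constructed placeholders for the example.

```python
"""Impact flag assignment for intrusion events (added example, not Cisco code).

Reproduces the impact table: flag 1 when the event matches a vulnerability
mapped to the host, 2 when the port/protocol is in use but no vulnerability
is mapped, 3 when it is not in use, 4 for an unknown host on a monitored
network, 0 for an unmonitored network. All data below is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class HostProfile:
    """What discovery has learned about one monitored host."""
    ip: str
    open_ports: set = field(default_factory=set)   # {(proto, port)} seen in use
    vulns: set = field(default_factory=set)        # vulnerability ids mapped to the host


@dataclass
class IntrusionEvent:
    """The subset of an IPS event that impact assessment needs."""
    dst_ip: str
    proto: str
    dst_port: int
    vuln_ids: set = field(default_factory=set)     # vulnerabilities the rule detects


ACTION = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}


def impact_flag(event, host_map, monitored_networks):
    """Return the impact flag (0-4) for an event, given the discovery host map."""
    target = ip_address(event.dst_ip)
    if not any(target in ip_network(net) for net in monitored_networks):
        return 0                 # unmonitored network: nothing is known about it
    host = host_map.get(event.dst_ip)
    if host is None:
        return 4                 # monitored network, but discovery never saw this host
    if event.vuln_ids & host.vulns:
        return 1                 # event matches a vulnerability mapped to the host
    if (event.proto, event.dst_port) in host.open_ports:
        return 2                 # port open / protocol in use, but no vuln mapped
    return 3                     # port not open or protocol not in use


# Constructed sample discovery data
MONITORED = ["10.1.0.0/16"]
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", {("tcp", 80), ("tcp", 22)}, {"CVE-EXAMPLE-0001"}),
    "10.1.1.20": HostProfile("10.1.1.20", {("tcp", 443)}, set()),
}


def triage(events, host_map=HOSTS, monitored=MONITORED):
    """[(flag, action)] for the events, most urgent first (flag 1 before 2 ... before 0)."""
    flagged = [(impact_flag(e, host_map, monitored), e) for e in events]
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    flagged.sort(key=lambda fe: order[fe[0]])
    return [(flag, ACTION[flag]) for flag, _ in flagged]


if __name__ == "__main__":
    sample = [
        IntrusionEvent("192.168.5.5", "tcp", 80, {"CVE-EXAMPLE-0001"}),  # unmonitored
        IntrusionEvent("10.1.1.10", "tcp", 80, {"CVE-EXAMPLE-0001"}),    # vulnerable
        IntrusionEvent("10.1.1.20", "tcp", 22, {"CVE-EXAMPLE-0002"}),    # port not open
    ]
    for flag, action in triage(sample):
        print(flag, action)
```

The ordering in `triage` is the operational point of the table: the same alert is a drop-everything event against a host with the vulnerability mapped, and background noise against a host that does not even run the service, so the quality of the host map decides how much analyst time the IPS costs.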

FireSIGHT Recommendations: Automatic tuning based on your environment

• IPS Rule Recommendations based on what is learned from Network Discovery
• Associates the OS, server, applications detected with rules specific to those assets
• Identifies the current state of rules in your base policy and recommends and/or sets rule state changes
• Combining a Cisco-provided default Policy with FireSIGHT recommendations results in an IPS policy matching the TALOS recommended settings for your assets.

Indications of Compromise (IoCs)

IPS Events
• Malware Backdoors
• CnC Connections
• Exploit Kits
• Admin Privilege Escalations
• Web App Attacks

SI Events
• Connections to Known CnC IPs

Malware Events
• Malware Detections
• Malware Executions
• Office/PDF/Java Compromises
• Dropper Infections

IPS Deployment Process

• Policy
• Planning & Hardware Selection
• Implementation & Operation
• Evaluation

Evaluation: Is the IPS Deployment Effective?

• Initially:
  • (Fine) tuning
• Continuously:
  • Signature Updates
  • FireSIGHT Recommendations
• Periodically:
  • Vulnerability scan
  • Penetration testing

Migrating to Firepower NGIPS

Migrating to FirePOWER NGIPS: Things to Consider when migrating

• Additional hardware needs
• New software, licensing and Management needs
• Can the current hardware deliver the required performance?
• What additional features will we be using?
• Not a 1:1 Migration
• Migration Strategy to use
• How to install a new FirePOWER module on an existing ASA
• How will you migrate your policies and rules?

Migrating to FirePOWER Services for ASA: Sizing Guidance when Migrating

When replacing an existing service module like Cisco CX or the classic IPS module:

• Understand the traffic load the device is seeing
• Understand the inspection load the current device is under
• Compare the current inspection load, if possible, to the expected load on the new module, reducing available throughput based on the features required
• If you run more features, the performance will be impacted

Migrating to FirePOWER Services for ASA: Sizing Guidance when Migrating from Legacy Cisco IPS

IPS-only test comparing throughput of FirePOWER Services for ASA to the Legacy IPS module.
Tested using the same 440 byte HTTP Transactional test that was the benchmark for legacy IPS.

Model | 5506 | 5508 | 5516 | 5525 | 5545 | 5555 | 5585-10 | 5585-20 | 5585-40 | 5585-60
FirePOWER Services on ASA (Mbps) | 90 | 180 | 300 | 375 | 575 | 725 | 1200 | 2000 | 3500 | 6000
Classic IPS on ASA (Mbps) | NA | NA | NA | 400 | 600 | 850 | 1150 | 1500 | 3000 | 5000

Migrating to FirePOWER Services for ASA: Sizing Guidance when Migrating from Legacy Cisco IPS

When upgrading from classic IPS to FirePOWER services, adding new features can require a platform change. Generally each new major feature is a step up, assuming the box is near capacity.

Model | 5506-X | 5508-X | 5512-X | 5516-X | 5525-X | 5545-X | 5555-X | 5585-10 | 5585-20 | 5585-40 | 5585-60
Classic IPS Module (Mbps) | NA | NA | 150 | NA | 400 | 600 | 850 | 1150 | 1500 | 3000 | 5000
FirePOWER AVC or IPS (Mbps) | 90 | 180 | 100 | 300 | 375 | 575 | 725 | 1200 | 2000 | 3500 | 6000
FirePOWER IPS + AVC (Mbps) | 65 | 115 | 75 | 200 | 255 | 360 | 450 | 800 | 1200 | 2100 | 3500
FirePOWER IPS + AVC + AMP (Mbps) | 40 | 85 | 60 | 150 | 205 | 310 | 340 | 550 | 850 | 1500 | 2300

1. Cut over to FirePOWER in Inline IPS Mode

• Replace the legacy IPS with FirePOWER in inline IPS (drop) mode. Monitor closely and adjust the policy. Most risky option for legitimate traffic: an untuned policy drops production flows from day one.

2. Cut over to FirePOWER in Inline Audit Mode

• Replace the legacy IPS with FirePOWER inline but in audit mode, so rules set to drop only log what they would have dropped. Monitor traffic and alerts, then put the sensor in IPS mode. Most risky option against malicious traffic and for compliance: nothing is blocked until the switch.

3. Run Both Legacy IPS and FirePOWER IPS in Audit Mode Temporarily

• Connect FirePOWER IPS in audit mode on the untrusted side of the existing legacy IPS. Monitor traffic and tune where needed, then complete the migration by removing the legacy IPS and turning off audit mode. Caveat: FirePOWER may not see everything the legacy IPS blocks (sessions the legacy sensor drops or resets before they complete), so its event data for those signatures is incomplete.

4. Run Both Legacy IPS and FirePOWER IDS Temporarily

• Install FirePOWER in passive IDS mode, fed from a SPAN port or another method of capturing network traffic, so production traffic is never affected. Monitor the sensor and adjust the policy accordingly. When the sensor is tuned, complete the migration with either option 1 or 2 above.

Migrating to FirePOWER NGIPS Appliances: Migration Strategies Based on Risk Assessment
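Strategies 3 and 4 both come down to "monitor and tune" while the two sensors run side by side, and the useful output of that period is a list of what still has to change before the legacy box is pulled. The following script is an added example written for this page, not code from the deck or from Cisco's migration tool. It compares event exports from both sensors for the same window and reports two things: legacy signatures whose mapped Snort rule never fired on the same source/destination pair (a coverage gap to close before cutover), and Snort rules that would have dropped more flows in audit mode than you are prepared to lose (noise to tune before drop is enabled). The CSV layouts, the placeholder signature IDs and SIDs, the signature-to-rule mapping and the sample events are all constructed for the example; real Cisco IPS and FMC exports carry more columns.

```python
"""Gap analysis for a parallel IPS run (migration strategies 3 and 4).

Added example; not code from the Cisco Live deck or from any Cisco tool.
Both exports below are constructed, simplified CSVs; signature IDs, Snort
SIDs and the signature-to-rule mapping are placeholders. 'would_drop' is
the inline result recorded for a drop rule while the sensor is in audit mode.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed legacy Cisco IPS export (assumed columns).
LEGACY_EVENTS = """\
time,sig_id,src,dst,action
2016-07-12T10:00:01,60001,198.51.100.7,10.0.0.5,denied
2016-07-12T10:00:02,60001,198.51.100.7,10.0.0.5,denied
2016-07-12T10:00:05,60002,203.0.113.9,10.0.0.8,denied
2016-07-12T10:01:10,60003,203.0.113.21,10.0.0.8,denied
2016-07-12T10:02:00,60001,198.51.100.8,10.0.0.5,denied
"""

# Constructed FirePOWER intrusion-event export from the audit-mode sensor
# (assumed columns; gid/sid identify the Snort rule).
FIREPOWER_EVENTS = """\
time,gid,sid,src,dst,inline_result
2016-07-12T10:00:01,1,1000001,198.51.100.7,10.0.0.5,would_drop
2016-07-12T10:00:02,1,1000001,198.51.100.7,10.0.0.5,would_drop
2016-07-12T10:00:05,1,1000002,203.0.113.9,10.0.0.8,would_drop
2016-07-12T10:00:30,1,1000009,10.0.0.20,10.0.0.30,would_drop
2016-07-12T10:00:31,1,1000009,10.0.0.20,10.0.0.30,would_drop
2016-07-12T10:00:40,1,1000009,10.0.0.21,10.0.0.30,would_drop
2016-07-12T10:00:41,1,1000009,10.0.0.22,10.0.0.30,would_drop
2016-07-12T10:00:50,1,1000009,10.0.0.23,10.0.0.30,would_drop
2016-07-12T10:00:55,1,1000009,10.0.0.24,10.0.0.30,would_drop
2016-07-12T10:01:00,1,1000009,10.0.0.25,10.0.0.30,pass
"""

# Assumed mapping from legacy signature ID to the Snort rules that replace
# it (the kind of output the migration tool produces). 60003 is unmapped.
SIG_TO_SNORT = {
    "60001": {(1, 1000001)},
    "60002": {(1, 1000002)},
    "60003": set(),
}


def parse_events(text):
    """Parse a CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def coverage_gaps(legacy_text, firepower_text, mapping):
    """Return {sig_id: (fired, uncovered)} for every legacy signature that fired.

    A legacy event counts as covered when a Snort rule mapped to its
    signature fired for the same (src, dst) pair during the window.
    """
    fp_pairs = defaultdict(set)  # (gid, sid) -> {(src, dst), ...}
    for ev in parse_events(firepower_text):
        fp_pairs[(int(ev["gid"]), int(ev["sid"]))].add((ev["src"], ev["dst"]))

    fired, uncovered = Counter(), Counter()
    for ev in parse_events(legacy_text):
        sig = ev["sig_id"]
        fired[sig] += 1
        pair = (ev["src"], ev["dst"])
        if not any(pair in fp_pairs[rule] for rule in mapping.get(sig, ())):
            uncovered[sig] += 1
    return {sig: (fired[sig], uncovered[sig]) for sig in fired}


def noisy_rules(firepower_text, max_would_drop):
    """Return [(rule, count)] for rules whose would-drop count exceeds the limit."""
    drops = Counter()
    for ev in parse_events(firepower_text):
        if ev["inline_result"] == "would_drop":
            drops[(int(ev["gid"]), int(ev["sid"]))] += 1
    return sorted((rule, n) for rule, n in drops.items() if n > max_would_drop)


def migration_report(legacy_text, firepower_text, mapping, max_would_drop):
    """What must be tuned before the legacy IPS is removed and drop is enabled."""
    gaps = coverage_gaps(legacy_text, firepower_text, mapping)
    return {
        "close_before_cutover": sorted(sig for sig, (_, unc) in gaps.items() if unc),
        "review_before_drop": noisy_rules(firepower_text, max_would_drop),
    }


if __name__ == "__main__":
    print(migration_report(LEGACY_EVENTS, FIREPOWER_EVENTS, SIG_TO_SNORT, max_would_drop=5))
```

On the constructed data the report flags signature 60001 (one of its three hits had no matching Snort event) and 60003 (no mapped rule at all) as gaps, and rule 1:1000009 as a drop candidate that would have cut six internal flows; in strategy 3 the gap list is the part to treat with suspicion, since, as the slide notes, flows the legacy IPS blocked may never have reached the FirePOWER sensor intact.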


Migrating to FirePOWER NGIPS Appliances: Both Legacy IPS and FirePOWER IPS in Audit Mode Temporarily (topology diagram; the FirePOWER sensor is labelled "Audit Mode")

Migrating to FirePOWER NGIPS Appliances: Both Legacy IPS and FirePOWER IDS Temporarily (topology diagram)

• Cisco Legacy IPS to FirePOWER NGIPS Migration Guidance Tool

  • Consumes a Cisco IPS configuration file and generates a recommendations document

  • Covers standalone IPS appliances as well as ASA IPS modules

  • Areas of focus: network insertion, policies, and signatures/rules

  • Matches Snort rules to Cisco IPS signatures

  • https://fwm.cisco.com

• Cisco Legacy IPS to FirePOWER NGIPS Migration Guide

  • Focused on standalone appliances

  • Explains FirePOWER in Cisco IPS terminology

• BRKSEC-2018 - Tips and Tricks for Successful Migration to FirePOWER Solutions

Migrating to FirePOWER NGIPS Appliances: Migration Tool, Guide and Training


Conclusion


• NGIPS extends classic IPS with application awareness, contextual awareness and content awareness to provide automation and reduce complexity

• Cisco NGIPS is available as FirePOWER appliances, a virtual form factor, and FirePOWER Services for the ASA

• Multiple deployment options address a multitude of

  • Use cases / locations

  • Connection needs

  • Performance requirements

  • High availability and scaling

  • Management requirements

• Migrating to FirePOWER appliances involves determining additional hardware, software, licensing and management needs

Deploying IPS: Conclusion


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Thank you


Security Cisco Education Offerings (course, description, Cisco certification)

CCIE Security
  Expert-level certification in security, for comprehensive understanding of security architectures, technologies, controls, systems, and risks.
  Certification: CCIE® Security

Implementing Cisco Edge Network Security Solutions (SENSS)
  Configure Cisco perimeter edge security solutions utilizing Cisco switches, Cisco routers, and Cisco Adaptive Security Appliance (ASA) firewalls.
Implementing Cisco Threat Control Solutions (SITCS)
  Deploy Cisco's Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security.
Implementing Cisco Secure Access Solutions (SISAS)
  Deploy Cisco's Identity Services Engine and 802.1X secure network access.
Implementing Cisco Secure Mobility Solutions (SIMOS)
  Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions.
  Certification: CCNP® Security

Implementing Cisco Network Security (IINS 3.0)
  Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features.
  Certification: CCNA® Security

Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
  Designed for security analysts who work in a Security Operations Center; the course covers essential areas of security operations competency, including event monitoring, security event/alarm/traffic analysis (detection), and incident response.
  Certification: Cisco Cybersecurity Specialist

Network Security Product Training
  Official product training on Cisco's latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, and Email and Web Security Appliances.

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact [email protected]
