FTD Ips

The document discusses advanced Firepower IPS deployment. It describes a presentation by Gary Halleen on advanced Firepower IPS topics. The agenda includes discussing policy interaction and recommendations, TLS inspection, advanced tuning, IPS events, importing Snort rules, exempting hosts from rules, bypass options, and asymmetric traffic. The appendix covers using OpenAppID and custom security intelligence feeds.

Uploaded by

Mos Chang
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
74 views186 pages

FTD Ips

The document discusses advanced Firepower IPS deployment. It describes a presentation by Gary Halleen on advanced Firepower IPS topics. The agenda includes discussing policy interaction and recommendations, TLS inspection, advanced tuning, IPS events, importing Snort rules, exempting hosts from rules, bypass options, and asymmetric traffic. The appendix covers using OpenAppID and custom security intelligence feeds.

Uploaded by

Mos Chang
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 186

#CiscoLive

Advanced Firepower IPS Deployment

Gary Halleen, Senior Security Architect

DGTL-BRKSEC-3300

About Your Speaker
Gary Halleen
Email: gary@cisco.com
Senior Security Architect
Global Security Architect Team
Amateur (Ham) Radio Extra license: K7TRO
20 years at Cisco Security
#CiscoLive DGTL-BRKSEC-3300 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Oregon – Pacific Wonderland
[Photos: Silver Falls State Park; View of Mt. Hood from Portland]

Some of my Hobbies
[Photos]

Agenda
• Policy Interaction and Firepower Recommendations
• TLS Inspection
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• Exempting a Host from a Snort Rule
• Bypass Options
• Asymmetric Traffic

About this Session

[Platforms shown: Firepower 1000/1100, Firepower 2100, Firepower 4100, Firepower 9300; ASA 5508-X, 5516-X, 5525-X, 5545-X, 5555-X; FirePOWER 7000/8000 NGIPS; ISA3000; NGFWv]

In this session, the terms Firepower, Firepower Threat Defense (FTD) and ASA with Firepower Services (ASA+SFR) are treated mostly the same.

Firepower Management Center (FMC)
FMC offers the best management capabilities for an Intrusion Prevention Device, and this session will focus on it.

We will cover 6.2.3 software, and greater, through 6.6. Where possible, screenshots and demos will show 6.6.

We will not cover older (EOL) Cisco IPS 7.0.

[FMC capabilities: Manage across many sites; Control access and set policies; Investigate incidents; Prioritize response]

In the Appendix
• OpenAppID
• Using OpenAppID to create new applications, and use them to reduce your attack surface.
• Using custom Security Intelligence feeds
• TLS crypto acceleration information

FMC Themes
FMC 6.5 introduces an optional light-colored theme.

[Screenshots: 6.4 and earlier; 6.5 and later]

Firepower Deployment Modes

IPS or IDS Mode: Inline, Inline Tap, Passive
Firewall Mode: Routed, Transparent, Virtual or Physical

IPS Events into Cisco Threat Response (6.4)
1. FMC or FTD sends IPS events to CTR
2. Query anything: IP address, Domain, File Hash, IOC, or more.
3. See where it is reported by your other security products.
4. Remediate on other device or service, if desired.

See BRKSEC-2433 for more information

Enable Cisco Threat Response

Firepower Policies

How often are Policies Modified?

Frequently: Access Control Policy, Intrusion Policy, SSL Policy, Identity Policy, Prefilter Policy
Occasionally: Malware and File Policy, DNS Policy, Correlation Policy, Health Policy
Rarely: Network Discovery Policy, Network Analysis Policy

Packets and Policies: Know What’s Happening Where

[Packet-flow diagram, ASA (“LINA”) side: Ingress Interface RX → VPN Decrypt → Existing Conn? (Y: fastpathed) → Egress Interface → Prefilter Policy / L3/L4 ACL → NAT → ALG Checks → L3, L2 Hops → QoS → VPN Encrypt → Egress Interface TX. Traffic that the Prefilter Policy fastpaths stays on this path; everything else is handed to Firepower through the DAQ.]

[Firepower (Snort) side: SI (IP) → SSL → NAP Pre-processors → SI (DNS) → ID / Passive ID → ACP Rule Chain: Discovery, L7 ACL, SI (URL), File/AMP, IPS. Policies involved, left to right: SSL Policy, Network Analysis Policy (NAP), DNS Policy, Identity Policy, Intrusion Policy, Network Discovery Policy, Access Control Policy rules, Malware & File Policy, Intrusion Policy.]

Prefilter Policy
FTD-Only Feature

The Prefilter policy is the first set of rules that can act on traffic, and controls what traffic is sent for additional inspection. Its rule actions:
• Fastpath is the same as an ASA Permit rule. This traffic is accelerated through the appliance without IPS, AMP, L7 firewall rules, or Security Intelligence.
• Block is the same as an ASA Deny rule. This traffic is dropped immediately.
• Analyze sends traffic to Firepower for additional inspection: application firewall rules, IPS, AMP, Security Intelligence, etc.

Intrusion Policy
The Intrusion Policy defines which Snort rules are used in packet inspection.

Intrusion Base Policy

• Connectivity over Security: CVSS score 10; vulnerability age current year, plus 2 prior (2020, 2019, and 2018)
• Balanced Security and Connectivity: CVSS score 9+; vulnerability age current year, plus 2 prior. Rule Categories: Malware-CNC, Blacklist, SQL Injection, Exploit Kit
• Security over Connectivity: CVSS score 8+; vulnerability age current year, plus 3 prior (2020, 2019, 2018, and 2017). Rule Categories: Malware-CNC, Blacklist, SQL Injection, Exploit Kit, App-Detect
• Maximum Detection: CVSS score 7.5+; vulnerability age 2005 and later. Rule Categories: Malware-CNC, Exploit Kit

Intrusion Policy
You can manually Enable/Disable individual rules or configure actions.

Intrusion Policy
Several ways to search for rules…

Network Discovery Policy
• Defines which networks Firepower should “learn” from.
• Used for maintaining the Firepower Recommended Rules in the Intrusion Policy.

Intrusion Policy and Network Discovery Policy
Firepower Recommended Rules automatically tune your Snort rules for the applications, servers, and hosts on your network.

Access Control Policy
Traffic must match in the Access Control Policy in order to be inspected.

For a simple IPS deployment, you can use the Default Action.

In a NGFW deployment, the Default Action will likely be “Block All Traffic”. An Intrusion Policy needs to be defined for each Allow action.

If you need, different Allow rules can have different Intrusion Policies assigned.

Things to watch out for: Access Control Policy

Access Control Policy
“nmap nomad” run from the Internet. What is wrong here? Any ideas?

Expected nmap results:
Nmap scan report for nomad
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

Actual nmap results:
Nmap scan report for nomad
Host is up (0.20s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
1443/tcp open ies-lm
5060/tcp filtered sip
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt

Access Control Policy
A Monitor rule allows a TCP three-way handshake for all ports to take place, and then passes the traffic to the rest of the ruleset.

Application rules can cause a similar issue.

According to Network Computing, 72% of all internet traffic is SSL encrypted. (November 2018)

Is your IPS still effective?

TLS / SSL Inspection
The percentage of TLS/SSL traffic is increasing dramatically. IDS and IPS deployments need to take this into consideration.
Options to consider:
1. Decryption Offload, passing decrypted traffic to the Sensor
2. Onbox Decryption

Additionally, do you decrypt Inbound, Outbound, or both?

Why Decrypt?
• Needed for most Snort HTTP signatures, and many others also
• Advanced Malware Detection (AMP) file inspection
• Security Intelligence URL Feed matching
• Threat Intelligence Director STIX / TAXII URL indicators

TLS Inspection on Passive Interface no longer supported

[Diagram: Client – TAP – Server]

Perfect Forward Secrecy makes passive decryption of flows impractical. Must be inline!
• Not supported in Passive Interface or Inline Tap

TLS / SSL Inspection

Inbound Traffic
• Traffic is decrypted by installing the Servers’ SSL Certificate and Private Key onto the FMC. Action = Decrypt-Known Key
Outbound Traffic
• Traffic is decrypted by installing a wildcard certificate and performing a “man in the middle attack” against your users’ SSL traffic. Action = Decrypt-Resign

In this session, we will focus only on Inbound.

For an in-depth discussion of TLS Inspection, with a focus on Outbound (Decrypt-Resign), see Jeff Fanelli’s BRKSEC-3063 session.

TLS / SSL Decryption with Known Key
Example
You need both the host’s private key and the .crt file. Go to Objects -> PKI -> Internal Certs to add the certificate information for the host.

Create an SSL Policy to decrypt traffic with this known key for the associated host.

Assign the SSL Policy to your Access Control Policy.

Alert when Certificate Changes

SSL Hardware Decryption
• Firepower 6.2.3 enabled Hardware Decryption on FP-4100/9300 platforms, but it was disabled by default.
FTD 6.2.3: system support ssl-hw-offload (enable/disable)

• Firepower 6.3 enabled Hardware Decryption, by default, on Firepower appliances: FP-2100, 4100, and 9300.
FTD 6.3: system support ssl-hw-force-offload-(enable/disable)

• Firepower 6.4 and greater uses Hardware Decryption on Firepower appliances: FP-1000, 2100, 4100, and 9300.
FTD 6.4+: hardware decryption cannot be disabled without TAC

Variable Sets

What is a Variable Set, and why do I need it?

Variable Sets
The variable set defines commonly-used IP addresses and ports.

You can either edit the default-set, or you can create a new one.

It is easy to revert any values back to default.

My Recommendation: Default-Set

Variable Sets
Most variables don’t need to be changed.

Consider these as the most important (or maybe controversial):
• HOME_NET
• EXTERNAL_NET

By default, these are both defined as “any”.

Variable Sets: Sample Snort Rule
How are they used?

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 \
(msg:"PROTOCOL-IMAP login brute force attempt"; \
flow:to_server,established,no_stream; \
content:"LOGIN"; fast_pattern:only; \
detection_filter:track by_dst, count 30, seconds 30; \
metadata:ruleset community, service imap; \
reference:url,attack.mitre.org/techniques/T1110; \
classtype:suspicious-login; sid:2273; rev:12;)

Variables provide Directionality, especially in Passive Deployments.

This sample rule is written to watch for attempted IMAP (email) logins from outside your network, to a server inside your network:
• Looking for 30 attempts in 30 seconds

However, this might also be useful to detect events WITHIN your network, especially if your IPS is deployed separating different network segments.

So, how should you define EXTERNAL_NET and HOME_NET?

If you leave them default, the detection will work without regard for direction.
• This MAY be what you want – BUT, it’ll cause your IPS to generate more alerts.

Variable Sets
Thinking about HOME_NET…

If you choose to modify HOME_NET, what should it look like?

If you only include your used IP space, you’ll have to remember to update it as you add more networks.

So, maybe it should be all RFC-1918 addresses, and any Internet-routable IP space.

Oh, and maybe also multicast and automatic private IP addresses (169.254.x.x)

BUT, what am I forgetting?

Do you have IPv6 on your network today, or will you EVER use it?

Maybe you need to add your IPv6 address space, as well.

If you don’t, attacks will often not be detected because Snort will only be looking for IPv4.

Variable Sets
Now, what about EXTERNAL_NET?
- or -
If I’ve modified HOME_NET, what do I do with EXTERNAL_NET?

1. You can leave it as “any”, or
2. You can set it as the opposite of HOME_NET

Which is best?

Variable Sets
My Recommendations

SecOps-managed or Internal IPS
If your staff is interested in Threat Hunting, and is willing to spend time tuning:
1. Leave EXTERNAL_NET as “any”.
2. Make an internal decision on how to configure, or not configure, HOME_NET.

Internet Perimeter Deployment
If your staff wants a simple IPS deployment, with a minimal amount of alerts:
1. Configure HOME_NET to match all RFC-1918 IPv4 addresses, your Internet-routable addresses, and your IPv6 space.
2. Configure EXTERNAL_NET as !HOME_NET.

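To make the directionality point concrete, here is an added Python example (mine, not code from the deck or from Cisco) that evaluates only the header of the sample IMAP rule, `$EXTERNAL_NET any -> $HOME_NET 143`, against three constructed flows under the shipped default-set, under the Internet Perimeter recommendation above, and under that same recommendation with the IPv6 range forgotten. The organisation prefixes (203.0.113.0/24, 2001:db8:1::/48), the flow addresses and every function name are assumptions made for the example.

```python
"""Added example, not code from the Cisco Live deck or from Cisco: it models
how the HOME_NET / EXTERNAL_NET choice changes which flows the sample rule
header 'alert tcp $EXTERNAL_NET any -> $HOME_NET 143' can match.
Only the rule header is evaluated (no payload / detection_filter logic). The
203.0.113.0/24 and 2001:db8:1::/48 'organisation' prefixes and all flows are
constructed documentation ranges, not real assignments."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class NetVar:
    """A Snort network variable: a tuple of networks, optionally negated
    (the !HOME_NET form). An empty tuple means 'any'."""
    nets: tuple
    negated: bool = False

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if not self.nets:
            hit = True  # "any" matches every address of either family
        else:
            hit = any(addr.version == n.version and addr in n for n in self.nets)
        return (not hit) if self.negated else hit


def make_var(cidrs: Iterable[str], negated: bool = False) -> NetVar:
    return NetVar(tuple(ipaddress.ip_network(c) for c in cidrs), negated)


# The shipped default-set: both variables are "any".
DEFAULT_SET = {"HOME_NET": make_var([]), "EXTERNAL_NET": make_var([])}

# The "Internet Perimeter" recommendation from the slides: RFC-1918 space,
# the organisation's Internet-routable space, and its IPv6 space.
PERIMETER_HOME = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "203.0.113.0/24", "2001:db8:1::/48"]
PERIMETER_SET = {
    "HOME_NET": make_var(PERIMETER_HOME),
    "EXTERNAL_NET": make_var(PERIMETER_HOME, negated=True),  # !HOME_NET
}

# Same recommendation, but the IPv6 range was forgotten.
IPV4_ONLY_HOME = [c for c in PERIMETER_HOME if ":" not in c]
IPV4_ONLY_SET = {
    "HOME_NET": make_var(IPV4_ONLY_HOME),
    "EXTERNAL_NET": make_var(IPV4_ONLY_HOME, negated=True),
}


def header_matches(varset: dict, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Evaluate the header '$EXTERNAL_NET any -> $HOME_NET 143' for one flow."""
    return (dst_port == 143
            and varset["EXTERNAL_NET"].contains(src_ip)
            and varset["HOME_NET"].contains(dst_ip))


# Constructed flows: (label, source IP, destination IP, destination port).
FLOWS = [
    ("internet -> internal IMAP", "198.51.100.7", "10.1.2.3", 143),
    ("internal -> internal IMAP (lateral)", "10.9.9.9", "10.1.2.3", 143),
    ("internet -> internal IMAP over IPv6", "2001:db8:ffff::1", "2001:db8:1::25", 143),
]


def evaluate(varset: dict) -> dict:
    """Map each flow label to whether the rule header matches under this variable set."""
    return {label: header_matches(varset, s, d, p) for label, s, d, p in FLOWS}


if __name__ == "__main__":
    for name, varset in (("default-set", DEFAULT_SET), ("perimeter", PERIMETER_SET),
                         ("perimeter, IPv6 forgotten", IPV4_ONLY_SET)):
        print(name)
        for label, hit in evaluate(varset).items():
            print(f"  {'MATCH ' if hit else 'ignore'}  {label}")
```

Run stand-alone it prints one block per variable set. With the default-set all three flows match, including the lateral one (more alerts, as the slide warns); with the perimeter set only the two flows that really come from outside match; with IPv6 forgotten the IPv6 flow no longer matches at all, which is the "Snort will only be looking for IPv4" failure mode.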
The Network Analysis Policy

What is this?
Do I need to do anything here?

Network Analysis Policy
The Network Analysis Policy (NAP) controls the Preprocessors, and determines things such as:
o Fragmentation Reassembly
o Protocol Compliance
o Inline Normalization
o SCADA Preprocessors

“What should we tune?”

Network Analysis Policy

[Slider: Security ↔ Usability]

Network Analysis Policy
By default, there are no tunable NAP policies. You’ll need to create one.
• Create Policy
• Give your policy a name.
• Select Base Policy, as well as whether this is for Inline traffic.
• Create and Edit Policy

Network Analysis Policy
Do these Base Policies look familiar? Besides the name, these Base Policies have NOTHING in common with the Intrusion Base Policies.

However, default settings are different in each, and matching this to your Intrusion Policy is a good place to start, but not required.

Network Analysis Policy
Enable/Disable Preprocessors

Some Preprocessors disabled by default:
o Portscan Detection
o Rate-Based Attack Prevention
o Inline Normalization (enabled only in Security over Connectivity)
o SCADA (Modbus, DNP3, and SIP)
Enable these if you need them

Fragmentation
Both IP and TCP can cause a stream of data to break into many parts.
Both IP fragmentation and TCP segmentation may be naturally occurring or performed intentionally to evade IPS.
IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate this evasion technique.

If attack is: USER root
TCP: HDR USER HDR root
IP: HDR HDR US HDR ER HDR HDR ro HDR ot

How Bad can Fragmentation Get?

[Diagram: IP | TCP | SMB | MSRPC | Payload]

Packet capture of regular attack is ~4k, after layers of evasion 30MB or more!

Hundreds of thousands of packets

Network Analysis Policy
Inline Normalization

Enable and Tune it? Probably
• Disabled by Default in most base policies.
• Enforces Protocol Compliance for TCP and IP protocols.
• Enabling normalization will block some non-standard implementations and many attacks. However, it might block poorly-written legitimate traffic.
• How Risk-Averse are you?

Network Analysis Policy
Inline Normalization
If Enabled:
• FMC will learn the Operating System and version automatically, and apply the correct fragmentation reassembly policy so the IPS detects attacks in the same order as the host they’re directed to.
• If unable to determine the OS, it will enforce the “First” fragmentation reassembly.
• If Adaptive Profile Updates is enabled in the Access Control Policy, this capability will extend even to passive deployments.

Detection Enhancement Settings
Enable Profile Updates

These settings are on the Advanced Tab of the Access Control Policy.

Network Analysis Policy
TCP Stream

Tune it? If Passive Deployment, and you did not Enable Profile Updates.
• TCP Stream determines how fragmented TCP traffic is reassembled.
• Different operating systems handle reassembly differently, and it is critical that your IPS understands the hosts.

Network Analysis Policy
IP Defragmentation

Tune it? If Passive Deployment, and you did not Enable Profile Updates.
• Similar reason as TCP Stream.

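The Inline Normalization, TCP Stream and IP Defragmentation slides all rest on one fact: an overlapping segment set reassembles differently depending on the policy applied, so the IPS only sees what the target sees if it uses the target's policy. The following added Python example (mine, not from the deck or from Cisco) makes that visible with a constructed four-segment stream and the slide's "USER root" attack string. The policy names "first" and "last" follow Snort's reassembly policy options, but the byte-level behaviour modelled here is a deliberate simplification; `reassemble`, `verdict`, `SEGMENTS` and `ATTACK` are names invented for the example.

```python
"""Added example, not from the deck: why the IPS must reassemble overlapping
segments the same way the destination host does. The segment stream is
constructed; 'first' and 'last' are two of the overlap policies that the TCP
Stream / IP Defragmentation settings (or Adaptive Profile Updates) select.
The byte-level overlap handling here is a simplification for illustration."""
from typing import List, Tuple

Segment = Tuple[int, bytes]   # (offset into the stream, payload bytes)


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Merge (offset, payload) segments into one byte string.
    On overlap, 'first' keeps the bytes that arrived first and 'last' keeps
    the bytes that arrived last."""
    if policy not in ("first", "last"):
        raise ValueError(f"unsupported policy {policy!r}")
    size = max(off + len(data) for off, data in segments)
    out = bytearray(size)
    written = [False] * size
    for off, data in segments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not written[pos]:
                out[pos] = byte
            written[pos] = True
    return bytes(out)


# Constructed stream with one overlapping retransmission at offset 5: a host
# using the 'first' policy sees the slide's attack string, a host using
# 'last' sees a harmless 'USER user'.
SEGMENTS: List[Segment] = [
    (0, b"USER "),
    (5, b"root"),
    (5, b"user"),   # overlaps the previous segment completely
    (9, b"\n"),
]

ATTACK = b"USER root"


def verdict(segments: List[Segment], ips_policy: str, host_policy: str) -> str:
    """Compare what the IPS and the target host each reconstruct."""
    ips_sees = ATTACK in reassemble(segments, ips_policy)
    host_sees = ATTACK in reassemble(segments, host_policy)
    if ips_sees and host_sees:
        return "detected"
    if host_sees:
        return "missed (evasion)"
    if ips_sees:
        return "false positive"
    return "clean"


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"{policy:5} -> {reassemble(SEGMENTS, policy)!r}")
    for ips, host in (("first", "first"), ("last", "first"), ("first", "last")):
        print(f"IPS={ips:5} host={host:5} -> {verdict(SEGMENTS, ips, host)}")
```

The three verdicts are the whole argument of the slides: matching policies give a detection, an IPS on "last" guarding a "first" host misses the attack, and the reverse mismatch raises a false positive. Adaptive Profile Updates (or a hand-tuned TCP Stream / IP Defragmentation policy in passive deployments) is what keeps the IPS on the host's side of that table.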
Access Control Policy – Advanced Settings
Don’t forget to select the Network Analysis Policy from the Access Control Policy -> Advanced

If you need to use multiple Network Analysis Policies (maybe some networks have Windows servers, and another has Linux, for example), you can create Rules to perform the mapping.

Network Analysis Policy
Recommendations

Inline Deployment
1. Enable Inline Normalization
2. Enable Adaptive Profile Updates
3. Verify Network Discovery Policy is correct.

Passive Deployment
1. Enable Adaptive Profile Updates
2. Verify Network Discovery Policy is correct
3. Take a look at TCP Stream settings
4. Take a look at IP Defragmentation settings

Impact Flags
For an in-depth discussion of Impact Flags, see Will Young’s BRKSEC-3328 session.

Remember, we recommend you utilize the Network Discovery Policy…

This enables Impact Flags for analysis.

Do you know what these mean?

Understanding Impact Flags

[Diagram: Intrusion Event fields (Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, CVE, Snort ID) are matched against the Host Profile (IP Address, User IDs, Protocols, Server Side Ports, Client Side Ports, Services, Client / Server Apps, Operating System, IOC: Predefined Impact, Potential Vulnerabilities).]

Impact Flag and why it is assigned:
• 0: Event occurred outside profiled networks (outside profile range, or host not yet profiled)
• 4: Previously unseen host within monitored network
• 3: Relevant port not open or protocol not in use
• 2: Relevant port or protocol in use but no vulnerability mapped
• 1: Host vulnerable to attack or showing an IOC.

If Impact 4 events start to increase, it is a good indication your FMC is undersized, and the host database is overflowing.

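As an added example (mine, not code from the deck or from FMC), here is a small model that derives an Impact Flag from an intrusion event and the host profile the Network Discovery Policy would have built, following the table above, plus the "share of Impact 4" check the slide suggests as an FMC-sizing indicator. The evaluation order (IOC first, then port/protocol, then mapped vulnerability), judging the destination host, the monitored networks and every host, event and CVE-style placeholder value are assumptions constructed for the example.

```python
"""Added example, not code from the deck or from FMC: a model of how an
Impact Flag is derived from an intrusion event and the host profile built by
Network Discovery, following the table in the slides. The evaluation order,
the choice of the destination host as the host being judged, the monitored
networks, and all host/event data (including the CVE-0000-000x placeholder
ids, which are not real CVEs) are assumptions constructed for this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HostProfile:
    ip: str
    server_ports: set = field(default_factory=set)     # {(proto, port)} seen as a server
    vulnerabilities: set = field(default_factory=set)  # CVE ids FMC has mapped to the host
    ioc: bool = False                                  # host is showing an Indicator of Compromise


@dataclass
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    cve: Optional[str] = None   # CVE the Snort rule is tied to, if any
    snort_id: int = 0


# Stands in for the Network Discovery Policy's monitored networks (constructed).
MONITORED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def impact_flag(event: IntrusionEvent, hosts: Dict[str, HostProfile]) -> int:
    """Return the Impact Flag (0-4) for an event targeting event.dst_ip."""
    target = ipaddress.ip_address(event.dst_ip)
    if not any(target in net for net in MONITORED):
        return 0                      # outside the profiled range
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                      # inside the monitored range, but never profiled
    if host.ioc:
        return 1                      # predefined impact: host already showing an IOC
    if (event.proto, event.dst_port) not in host.server_ports:
        return 3                      # relevant port not open / protocol not in use
    if event.cve is not None and event.cve in host.vulnerabilities:
        return 1                      # host is mapped as vulnerable to this attack
    return 2                          # port in use, but no vulnerability mapped


def flags_for(events: List[IntrusionEvent], hosts: Dict[str, HostProfile]) -> List[int]:
    return [impact_flag(e, hosts) for e in events]


def impact_4_share(events: List[IntrusionEvent], hosts: Dict[str, HostProfile]) -> float:
    """Fraction of events rated Impact 4. A rising share is the slide's hint
    that the host database is overflowing and the FMC is undersized."""
    if not events:
        return 0.0
    flags = flags_for(events, hosts)
    return flags.count(4) / len(flags)


# Constructed host database (what Network Discovery would have learned).
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", {("tcp", 22), ("tcp", 80)}, {"CVE-0000-0001"}),
    "10.1.1.20": HostProfile("10.1.1.20", {("tcp", 443)}),
    "10.1.1.30": HostProfile("10.1.1.30", {("tcp", 445)}, ioc=True),
}

# Constructed events; the comment gives the expected flag from the table.
EVENTS = [
    IntrusionEvent("198.51.100.9", "203.0.113.5", "tcp", 80, "CVE-0000-0001"),  # 0: outside profiled networks
    IntrusionEvent("198.51.100.9", "10.1.1.99", "tcp", 80),                     # 4: unseen host in monitored net
    IntrusionEvent("198.51.100.9", "10.1.1.10", "tcp", 445),                    # 3: port not open
    IntrusionEvent("198.51.100.9", "10.1.1.20", "tcp", 443, "CVE-0000-0002"),   # 2: port open, no vuln mapped
    IntrusionEvent("198.51.100.9", "10.1.1.10", "tcp", 80, "CVE-0000-0001"),    # 1: host vulnerable
    IntrusionEvent("198.51.100.9", "10.1.1.30", "tcp", 445),                    # 1: host showing an IOC
]

if __name__ == "__main__":
    for event, flag in zip(EVENTS, flags_for(EVENTS, HOSTS)):
        print(f"impact {flag}  {event.src_ip} -> {event.dst_ip}:{event.dst_port}")
    print(f"impact-4 share: {impact_4_share(EVENTS, HOSTS):.2f}")
```

The point to take from the model is that flags 1 to 3 are only possible for hosts the discovery policy has profiled; if the monitored networks are wrong or the host database is full, events collapse into 0 and 4 and the prioritisation the slide promises is lost.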
Contextual Cross-Launch (6.3)
• New to Firepower Management Center (FMC) 6.3
• From any relevant event or dashboard, right-click and launch a query into a different product.

Contextual Cross-Launch (6.3)
Several tools already included

Contextual Cross-Launch (6.3)
• Do you have a favorite tool?
• Add your own: Analysis -> Advanced -> Contextual Cross-Launch
• Example for Cisco Stealthwatch:

Contextual Cross-Launch (6.3)
• Do you have a favorite tool?
• Add your own: Analysis -> Advanced -> Contextual Cross-Launch
• Example for Cisco Tetration:
Note: The URL will differ according to your Tetration deployment and tenant IDs.

Contextual Cross-Launch (6.3)
Stealthwatch Cross-Launch Example

Contextual Cross-Launch (6.3)
Tetration Cross-Launch Example

Snort Rules
Firepower uses Snort Rules for Intrusion Prevention.

Cisco provides regular rule updates. Most customers deploy these automatically.

Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion Rules -> Create Rule), or can be imported.

Snort Rule Editor

Snort Rules
• Snort Rules are normally created on a single line, with no special characters, and in ASCII or UTF-8 format.
• The Import file can contain many rules as long as they are one rule per line.
• Many of the Emerging Threats rules use deprecated syntax (“threshold” statement). If you are importing ET rules, you’ll need to correct or remove these rules first. Threshold has been replaced with detection_filter.
• SHOULD not have a rule SID, but is allowed.

All on ONE line:
alert tcp [43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,45.43.128.0/18,45.65.188.0/22

Snort Rules (continued)
• Sometimes it is much more readable to spread the rule across
multiple lines. Do this with the backslash character - \
Example Rule (from Emerging Threats):
alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)

Snort Rules (continued)
• This ET rule uses the deprecated "threshold" keyword (together with its "type limit" argument), so let's fix it by replacing it with detection_filter.

alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
detection_filter: track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
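The conversion above, done by script for a whole rule file, as an added example that is not part of the session material: join backslash-continued lines, rewrite the per-rule threshold option as detection_filter, and drop sid/rev so FMC assigns a local SID. The sample input is the ET rule from the slide (shortened) plus a constructed second rule with a different keyword order.

```python
"""Prepare third-party Snort rules for FMC import (added example)."""
import re

# Constructed sample: the slide's ET rule (shortened) and a second rule whose
# threshold keywords are in a different order.
SAMPLE_RULES = r'''
alert tcp \
[43.250.116.0/22,43.252.80.0/22] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; sid:2400001; rev:2690;)
# comment lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh probe"; flags:S; threshold:type both,count 5,seconds 60,track by_dst; sid:1000001; rev:1;)
'''

THRESHOLD_RE = re.compile(r'\bthreshold\s*:\s*([^;]*);')
SID_REV_RE = re.compile(r'\s*\b(?:sid|rev)\s*:\s*\d+\s*;')


def join_continuations(text):
    """Return one rule per list entry, joining lines that end in a backslash."""
    rules, current = [], ''
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith('\\'):
            current += line[:-1]
            continue
        current += line
        if current.strip() and not current.lstrip().startswith('#'):
            rules.append(' '.join(current.split()))  # collapse stray whitespace
        current = ''
    return rules


def convert_threshold(rule):
    """Rewrite the rule's "threshold:" option as "detection_filter:".

    Rules order the keywords differently, so parse them as key/value pairs and
    emit the documented detection_filter order. "type" has no counterpart in
    detection_filter and is dropped.
    """
    def repl(match):
        kv = {}
        for part in match.group(1).split(','):
            tokens = part.split()
            if len(tokens) == 2:
                kv[tokens[0]] = tokens[1]
        missing = {'track', 'count', 'seconds'} - set(kv)
        if missing:
            raise ValueError('threshold is missing %s in: %s' % (sorted(missing), rule))
        return 'detection_filter: track %s, count %s, seconds %s;' % (
            kv['track'], kv['count'], kv['seconds'])
    return THRESHOLD_RE.sub(repl, rule)


def strip_sid(rule):
    """Remove sid/rev so FMC assigns its own local SID on import."""
    return SID_REV_RE.sub('', rule)


def prepare_for_import(text, drop_sid=True):
    """One rule per line, threshold converted, optionally without sid/rev."""
    prepared = []
    for rule in join_continuations(text):
        rule = convert_threshold(rule)
        if drop_sid:
            rule = strip_sid(rule)
        prepared.append(rule)
    return prepared


if __name__ == '__main__':
    for line in prepare_for_import(SAMPLE_RULES):
        print(line)
```

detection_filter fires once count matches are seen within seconds for the tracked address, which is not the same behaviour as threshold type limit, so review converted rules before enabling them.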

Importing Snort Rules
• Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules.
• Click on "Import Rules".
Importing Snort Rules
• Click on “Browse” to locate your file, and click “Import”.

Importing Snort Rules
• If successful, you will see a screen showing what has been imported.

Enabling Snort Rules
• Remember, imported rules are disabled by default; you must enable them.

How do you Exempt Specific Servers from a Snort Rule?

Options:
1. Use a different Intrusion Policy for some hosts. (This could have memory or performance impact if overused.)
2. Use a Trust Rule or Fastpath action.
3. Create a Pass Rule.
How do you Exempt Specific Hosts from a Snort Rule?

Is it a Preprocessor Rule or a Text Rule?

Look at the Generator ID (GID), the number before the colon in the event's GID:SID identifier.

In this example, the GID is 1, meaning this is a Standard Text Rule.
How do you Exempt Specific Hosts from a Snort Rule?
GID               Type of Rule         Method to Use            Can Use Pass Rule?
1                 Standard Text Rule   Any                      YES
3                 Shared Object Rule   Any                      YES
1000 – 2000       Custom Text Rule     Any                      YES
100+ (3 digits)   Preprocessor         Trust Rule or Fastpath   NO
Pass Rule Example
(Diagram: a Network Scanner at 203.0.113.24 on the Campus network, scanning a Web Server and an SSH Server.)

Pass Rule
Open the firing rule in the Rule Editor (Objects -> Intrusion Rules).
Pass Rule
Change Action to "pass".
Change the Message (add "PASS RULE – " to the beginning).
Add the IP address or variable name (i.e. $SCANNER_HOSTS) to the source or destination IP.
Click "Save as New".
Finally, edit the Intrusion Policy, and change the Rule State for your new Local Rule to "Generate Events". Save and Deploy the Intrusion Policy.
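The same edits done in code, as an added example that is not part of the session material: take the alert rule that fired, change the action to pass, prefix the message, swap in the exempt address or variable, and drop sid/rev so FMC assigns a local SID on "Save as New". It also applies the GID table above, refusing three-digit preprocessor GIDs. The alert rule, the $SCANNER_HOSTS variable and the 203.0.113.24 address are constructed sample values.

```python
"""Derive a Snort pass rule from a firing alert rule (added example)."""
import re

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
MSG_RE = re.compile(r'msg\s*:\s*"')
SID_REV_RE = re.compile(r'\s*\b(?:sid|rev)\s*:\s*\d+\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

# Constructed sample alert rule (not a real Talos or ET rule).
SAMPLE_ALERT = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
                '(msg:"CONSTRUCTED SSH version scan"; flow:to_server,established; '
                'content:"SSH-"; depth:4; classtype:attempted-recon; sid:1000123; rev:2;)')


def can_use_pass_rule(gid):
    """The session's GID table: standard text (1), shared object (3) and
    custom text (1000-2000) rules can be exempted with a pass rule; three-digit
    preprocessor GIDs need a Trust or Fastpath rule instead."""
    return gid in (1, 3) or 1000 <= gid <= 2000


def make_pass_rule(rule, exempt, field='src'):
    """Return the pass rule for `rule`, putting `exempt` in the src or dst field."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a single-line Snort rule: %r' % rule)
    parts = m.groupdict()
    gid_match = GID_RE.search(parts['opts'])
    gid = int(gid_match.group(1)) if gid_match else 1  # text rules default to GID 1
    if not can_use_pass_rule(gid):
        raise ValueError('GID %d cannot be exempted with a pass rule' % gid)
    if field not in ('src', 'dst'):
        raise ValueError("field must be 'src' or 'dst'")
    parts[field] = exempt
    # Prefix the message so the pass rule is easy to find in the rule list.
    opts = MSG_RE.sub('msg:"PASS RULE - ', parts['opts'], count=1)
    # Drop sid/rev: FMC assigns a local SID when the rule is saved as new.
    opts = SID_REV_RE.sub('', opts).strip()
    return ('pass %(proto)s %(src)s %(sport)s %(dir)s %(dst)s %(dport)s (%(opts)s)'
            % dict(parts, opts=opts))


if __name__ == '__main__':
    print(make_pass_rule(SAMPLE_ALERT, '$SCANNER_HOSTS'))
```

After importing the result, the rule still needs its state set to Generate Events in the Intrusion Policy, as the slide describes.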
Bypass Options
Software Bypass: Enable traffic, uninspected, when Snort is down or busy.
Fail-to-Wire Interfaces: Bypass traffic upon appliance failure, including loss of power.
Automatic Application Bypass: Restarts Snort processes upon degraded performance.
Intelligent Application Bypass: Application-specific acceleration of defined applications if performance is degraded.
Trust Rules: Accelerate defined traffic but still apply Security Intelligence.
Prefilter Policy: Bypass deep inspection and Security Intelligence based on Port / Protocol / IP Address / Zone.
Software Bypass

Supported Deployment:
• Inline Set, Inline TAP
• ASA with Firepower Services
Fail-to-Wire Interfaces

Fail-to-Wire interfaces allow for pass-through of traffic in case of appliance failure or loss of power. (Pictured: a Fail-to-wire NetMod.)
• FP-9300
• FP-4100
• FP-2100 (requires 6.3 or later)
• FP-7000, 7100, 8100, 8200, and 8300

Supported Deployment:
• Inline Set, Inline TAP
Automatic Application Bypass (AAB)
Detects Snort failures or degraded performance and triggers a restart
of the impacted Snort process. First available in FTD in 6.2.2.

Trust Rules
Within the Access Control Policy, defined traffic can be exempted from File and IPS
inspection, which accelerates it through the appliance. Basing the rule on
Source/Destination Port and IP addresses is most effective.
Security Intelligence feeds and SSL/TLS Decryption are still applied to Trust rules.

On FP-4100/9300 appliances, a Trust rule enables Dynamic Flow Offload on eligible flows, and handles the traffic on the HW NIC. Not supported on Inline, Inline Tap, or Passive Interfaces.
PreFilter Policy
PreFilter rules are processed prior to Intrusion Prevention or Access Control Policies. If
traffic can be defined by Zone, Network, and Port (similar to an ASA rule), the traffic can be
FastPathed. This is similar to a Trust rule, but Security Intelligence is not applied.

On FP-4100/9300 appliances, a Fastpath rule enables Static Flow Offload on eligible flows, and handles the traffic on the HW NIC. Static Flow Offload is not supported on Inline, Inline Tap, or Passive interfaces.

• PreFilter rules require Firepower Threat Defense.
Intelligent Application Bypass (IAB)
Detects degraded performance within an application. If that application is trusted, you can configure it to automatically bypass the inspection, and accelerate the traffic.
Snort Restart and Reload Architecture

Prior to Firepower 6.2.2, making Intrusion Rule or Access Control Rule changes would have caused a Snort Restart, and potentially disrupted network traffic.

Significant improvements in 6.2.3, and especially 6.3 and later versions, have dramatically reduced the number of things that can cause a Snort Restart.
Why does Snort Restart?
• New version of Snort in policy deploy
• Reallocate memory for pre-processors/Security Intelligence (6.2.x)
• Reload shared objects
• Pre-processor configuration changes (6.2.x)
• Configured to restart instead of reload ("No" in the pictured setting means Snort will restart every time a policy changes.)
Why does Snort Restart?
6.2.3 and later warns if any configuration change will interrupt inspection
(restart Snort):

When does Snort Restart?
sudo egrep "Initializing Snort|Reloading Snort" /ngfw/var/log/messages

Reloading Snort = New configuration deployed without a restart
Initializing Snort = Snort stopped and restarted
Mitigations

1. Snort Preserve-Connection (6.2.0 / 6.2.3 introduction)
2. Software Bypass
3. Upgrade to Firepower 6.3 or later (6.4.0.7 is currently the recommended software release)
Snort Preserve-Connection
Enabled by default in 6.2.3 and later
If Snort goes down:
• Connections with Allow verdict are preserved in LINA
• Snort does NOT do a mid-session pickup on preserved flows
• Does NOT protect against new flows while Snort is down
• Can be disabled from CLI:
configure snort preserve-connection enable/disable

Intelligent Application Bypass
What is IAB?

IAB takes action when a Snort instance is Under Duress, if two conditions are met:
1. Is the flow a candidate for bypass?
2. Is this a bypassable application?

If both conditions are satisfied, then Firepower will accelerate the flow.
Configuring Intelligent Application Bypass
Find IAB on the Advanced tab of the Access Control Policy. In 6.2.3, it is on the bottom left of the page. In 6.3 and later, it is on the top right.

• By default, IAB is disabled.
• With 6.2.3, all fields are blank. No default values.
• With 6.3 and later, default values are entered, but should be adjusted.
Configuring Intelligent Application Bypass
Set the State to On or Test.

And set the sample period.

Configuring Intelligent Application Bypass
Inspection Performance Thresholds

"Is a snort process under duress?"

(6.3 - 6.6 default values)

These fields are a Logical OR, and refer to the Snort process rather than overall appliance CPU.
Configuring Intelligent Application Bypass
Flow Bypass Thresholds

"Is the flow a candidate for bypass?"

(6.3 - 6.6 default values; the screenshot shows 500 MB and 2 Gbps)

Bytes per Flow is "How big is the flow?"

These fields are a Logical OR.
Configuring Intelligent Application Bypass
Flow Bypass Thresholds: Is the flow a candidate to bypass?

Flow Velocity is "Size over time of the flow" (6.3 - 6.6 default values; the screenshot shows 75000 entered).

Each snort instance can handle approximately 1Gbps, which is 125,000 kbytes/second.

I disagree with this default value. 250,000 kbytes/second will never trigger on today's FTD or ASA hardware. A better starting value for most customers is about 75,000 kbytes/second.
Configuring Intelligent Application Bypass
Define Applications that are Bypassable

It may be easier to just allow all Applications.
Monitoring Intelligent Application Bypass
IAB Events appear in Connection Events with reason of “Intelligent App Bypass”

The Problem with Asymmetric Traffic

Asymmetric traffic flows prevent a security device from seeing the full traffic flow.

For best results, design your network to force symmetry.

(Diagram: an asymmetric path to a Web Server.)
High-Availability

A high-availability firewall pair can provide redundancy in the case of a device failure.

Only one device is active. The second is listening, and ready to assume the role of Primary if there is a failure.

(Diagram: Internet, an Active and a Passive firewall, Web Server.)
Clustering

Clustering is supported on FP-4100 and 9300 appliances, as well as several larger ASA appliances.

Clustering enables multiple security appliances to function as a single device, and support asymmetric traffic flows, while also providing N+1 redundancy.

(Diagram: Internet, firewall cluster, Web Server.)
Extend PBR Inter-site Cluster to ACI Multi-Pod
Localize Firewall Inspection and Apply Policy Only to Master

(Diagram: Pod1 and Pod2 joined by the Inter-Pod Network, each with App EPGs and DB EPGs, a Spanned Port-Channel to the ASA or FTD Image, and FW PBR IP 10.1.0.1 in both pods.)

ACI fabric tracks local and remote Anycast Service IPs of the firewall cluster units. The fabric always prefers a local firewall IP. If the local Anycast Service IP fails, the fabric will send to the remote firewall IP.
Firepower Cluster Resiliency
Firewalls Sync the State of Workload Connections

(Diagram: the same Multi-Pod layout with a 3-unit FPR4100 cluster running the ASA or FTD Image; both Pod1 firewalls have failed and a New Master has been elected in Pod2; FW PBR IP 10.1.0.1 in both pods.)

In case of failure of both firewalls in Pod1, the fabric forwards traffic for PBR service graph inspection to the Pod2 firewalls. Pod1 App to DB connections continue because the Firepower cluster syncs connection state.
Thank you

Appendix
NGFW: Crypto Acceleration
TLS Crypto Acceleration Status in FMC
FP1000 & FP2000 TLS Crypto Acceleration:
• FP1000 uses Quick Assist Technology
• FP2100 uses Cavium Hardware Assist
• These platforms will show TLS Crypto Acceleration: DISABLED in FMC.
FP4100 & FP9300 TLS Crypto Acceleration:
• Hardware acceleration permanently enabled by default for "non-instances"
• Multi-Instance instances enabled by default (up to 16).
Crypto Acceleration in hardware
• Assists with VPN and decryption crypto functions

Datasheet AVC + SSL Throughput
ASA 5508: 250 MB    ASA 5516: 265 MB    ASA 5525: 270 MB    ASA 5545: 290 MB    ASA 5555: 370 MB
FPR 1010: 150 MB    FPR 1120: 700 MB    FPR 1140: 1000 MB   FPR 1150: 1400 MB
FPR 2110: 365 MB    FPR 2120: 475 MB    FPR 2130: 735 MB    FPR 2140: 1400 MB

• 5506/08/16/25/45/55: Cavium Octeon (TLS offload not supported)
• FTD 1000 platforms include Intel Quick Assist Technology (QAT) Crypto acceleration onboard with 6 accelerators.
• FTD 2100 platforms perform TLS operations in software.
Crypto Acceleration in hardware
• Assists with VPN and decryption crypto functions

Datasheet AVC + SSL Throughput
4110 SM-12: 4.5 Gb    4115 SM-24S: 6.5 Gb    4120 SM-24: 7.1 Gb    4125 SM-32S: 8 Gb
4140 SM-36: 7.3 Gb    4145 SM-44S: 10 Gb     4150 SM-44: 7.5 Gb
9300 SM-24: 7.5 Gb    9300 SM-36: 8.5 Gb     9300 SM-40: 10 Gb     9300 SM-44: 10 Gb    9300 SM-48: 11 Gb    9300 SM-56: 12 Gb

• FTD 4100 and 9300 platforms offload TLS operations onto their Nitrox chipset
• 4120/40/50 & 9300 SM24/36/44 - Two Nitrox processors (4110 has only ONE)
• 4115/25/45 + 9300 SM40/48/56 - Two Nitrox processors (4112 has only ONE)
Security Intelligence Example
Security Intelligence Custom Feed
An Example
A publicly-exposed SSH Server will be continuously probed for weaknesses, as well as brute-force login attempts.
Let's use failed login attempts to build our own SI Feed.

(Diagram: an Internet host brute-forcing the SSH Server.)
[blkh4t@wd40 ~]$ ncrack zenbango.com:22
Starting Ncrack 0.5 ( http://ncrack.org ) at 2017-01-09 12:42 PST

SSH Server log:
Jan 9 15:42:50 www unix_chkpwd[28658]: password check failed for user (root)
Jan 9 15:42:57 www unix_chkpwd[28680]: password check failed for user (root)
Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from 198.51.100.87
Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from 198.51.100.87
Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don)
Jan 9 15:43:25 www unix_chkpwd[28887]: password check failed for user (rich)
Jan 9 15:43:31 www unix_chkpwd[28922]: password check failed for user (gary)
Jan 9 15:44:33 www unix_chkpwd[29302]: password check failed for user (daemon)
Jan 9 15:44:38 www unix_chkpwd[29341]: password check failed for user (kim)
Jan 9 15:45:44 www unix_chkpwd[29737]: password check failed for user (operator)
Jan 9 15:45:52 www sshd[10694]: Invalid user dan from 198.51.100.87
Jan 9 15:45:54 www unix_chkpwd[29797]: password check failed for user (root)
Jan 9 15:46:02 www unix_chkpwd[29842]: password check failed for user (mail)
Jan 9 15:46:09 www unix_chkpwd[29878]: password check failed for user (nobody)
Jan 9 15:46:31 www unix_chkpwd[30019]: password check failed for user (rich)
Jan 9 15:46:31 www unix_chkpwd[30020]: password check failed for user (don)
Jan 9 15:46:38 www unix_chkpwd[30065]: password check failed for user (gary)
Security Intelligence Custom Feed
An Example
The Goal:
Create your own Security Intelligence Feed to block hosts that attempt to login to your SSH Server and fail authentication multiple times.

(Diagram: the Internet host is blocked from both the Web Server and the SSH Server.)
Security Intelligence Custom Feed
Prerequisites

1. The first step is to configure your honeypot with the desired services installed, hardened, and logged.

There are a number of tools available to dynamically block or log connection/authentication attempts. Two that work well are fail2ban and denyhosts.
Security Intelligence Custom Feed
Prepare the Target

2. In this example, we're using denyhosts to dynamically block SSH attempts after 6 failed login attempts.

/etc/denyhosts.conf file (pertinent sections):

SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 6
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
RESET_ON_SUCCESS = yes
Security Intelligence Custom Feed
Prepare the Target
3. Create a script to parse the blocked IP addresses from denyhosts' log file.
/etc/hosts.deny file looks like this:
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
# DenyHosts: Tue Jan 31 09:42:58 2017 | ALL: 198.51.100.3
ALL: 198.51.100.3
# DenyHosts: Tue Jan 31 19:50:17 2017 | ALL: 198.51.100.27
ALL: 198.51.100.27
# DenyHosts: Wed Feb 1 16:57:02 2017 | ALL: 203.0.113.230
ALL: 203.0.113.230

The output file should be in a directory accessible to your web server. Consider placing it on a different server.

4. Use your favorite scripting language to parse the addresses. This simple Bash script works:
#!/bin/bash
# Skip the "# DenyHosts: ..." comment lines, keep the address from each
# "ALL: <ip>" line, and publish one address per line for the FMC feed.
grep -v '^#' /etc/hosts.deny | awk '{print $2}' > /var/www/html/sshblock.txt
Security Intelligence Custom Feed
Prepare the Target

5. Generate some SSH traffic, with failed logins, to make sure you are capturing the addresses. Be careful: denyhosts will by default ban your IP address in the hosts.deny file. You will need to know how to clear the blocks.
This is a useful site:
http://www.tecmint.com/block-ssh-server-attacks-brute-force-attacks-using-denyhosts/

6. Make sure to run your script (from Step 4) on a regular basis by running a cron job every few minutes or so.

/var/www/html/sshblock.txt (one IP address per line):
203.0.113.4
192.0.2.120
198.51.100.3
198.51.100.27
203.0.113.230
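A more defensive version of the step 3 to 6 feed builder, as an added example that is not part of the session material: it validates every address, skips anything inside your own ranges (a test from the inside gets banned by DenyHosts too, as step 5 warns, and must not reach the firewall block list), and replaces the feed file atomically so FMC never fetches a half-written file. The hosts.deny sample is constructed, and the RFC 1918 exclusion list is an assumption to adjust to your own addressing.

```python
"""Build the FMC Security Intelligence feed from /etc/hosts.deny (added example)."""
import ipaddress
import os
import tempfile

# Constructed sample of /etc/hosts.deny as DenyHosts writes it, plus lines a real
# file may contain: an internal address, a malformed entry and a duplicate.
SAMPLE_HOSTS_DENY = """\
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
# DenyHosts: Tue Jan 31 09:42:58 2017 | ALL: 10.1.2.3
ALL: 10.1.2.3
ALL: not-an-address
ALL: 203.0.113.4
sshd: 198.51.100.27
"""

# Assumption: RFC 1918 space must never be published; add your own public
# management ranges here.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def parse_hosts_deny(text):
    """Yield (service, address) for each non-comment "service: address" line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        service, sep, addr = line.partition(':')
        if sep:
            yield service.strip(), addr.strip()


def build_feed(text, never_block=NEVER_BLOCK):
    """Return the de-duplicated, sorted list of addresses to publish."""
    keep = set()
    for _service, addr in parse_hosts_deny(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line: never push garbage to the firewall
        if any(ip in net for net in never_block):
            continue
        keep.add(ip)
    return [str(ip) for ip in sorted(keep, key=lambda ip: (ip.version, ip))]


def write_feed(addresses, path):
    """Write one address per line and swap the file into place atomically."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix='.sshblock-')
    with os.fdopen(fd, 'w') as fh:
        fh.write(''.join(a + '\n' for a in addresses))
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the web server must read it
    os.replace(tmp, path)
    return len(addresses)


if __name__ == '__main__':
    # Run from cron on the DenyHosts server, as on the slide.
    with open('/etc/hosts.deny') as fh:
        count = write_feed(build_feed(fh.read()), '/var/www/html/sshblock.txt')
    print('published %d addresses' % count)
```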
Security Intelligence Custom Feed
Prepare the Target

7. Verify you can download the file with a web browser. It is a good idea to
host the file on a server reachable internally only, rather than one accessible
to the outside world.

Security Intelligence Custom Feed
Create the Feed

8. On Firepower Management Center (FMC), navigate to Objects -> Security Intelligence -> Network Lists and Feeds. Click "Add Network Lists and Feeds" in the upper right corner.
Security Intelligence Custom Feed
Create the Feed

9. Select Feed, and populate the URL information and Update Frequency.

In the current software release, updates are limited to no shorter than every 30 minutes.
Click Save.
Security Intelligence Custom Feed
Create the Feed

10. In your Access Policy, click the Security Intelligence tab, and add the new feed to the Blacklist.

SSH-Blacklist should be placed here.
Security Intelligence Custom Feed
Create the Feed

11. Verify the blocks are occurring.

Reason for block is SSH-Blacklist.

Blocks are protecting ALL hosts, not just those running Denyhosts.
OpenAppID
Cisco's Open Source Application Layer Plugin for Snort and Firepower

OpenAppID uses the Lua programming language to identify applications.

There are a number of attributes it can look at, including:
• ASCII or Hex patterns and offset
• HTTP User Agent
• HTTP URL
• HTTP Content Type
• SSL Host
• SSL Organization Unit
• SSL Common Name
• SIP Server
• SIP User Agent
• RTMP URL Pattern
OpenAppID
Most internal Firepower Application Detectors are included in the Snort OpenAppID rules,
including Lua source code.

OpenAppID within Firepower
• Application Detectors
• All Application Detectors in Firepower use OpenAppID.
• Custom Application Detectors can be created here, as well.
OpenAppID within Firepower
Basic Application Detector

FMC provides a Wizard for creation of Basic detectors. Advanced detectors require you to upload the Lua file.
OpenAppID within Firepower (For Your Reference)

Advanced Application Detector

If you need an Advanced detector, you'll need to write it yourself, or request one from TAC.
OpenAppID Example with Intrusion Policy
OpenAppID and the Intrusion Policy
A lot of "noise" is created in the Intrusion Logs of any IDS/IPS product by automated scripts searching for vulnerable systems, and trying generic attacks.

(Diagram: an Internet host scanning the Web Server by IP address.)
[blkh4t@wd40 ~]$ hackerw3bscan –v 198.51.100.33
Ports open: tcp/80, tcp/443
Server: apache 2.4.18
Vulnerabilities found: CVE-2016-4979 SSL Bypass
CVE-2016-1546 HTTP2 DOS
OpenAppID and the Intrusion Policy
An Example

These scans or attacks against your IP addresses may or may not be successfully
blocked by your IPS devices.
They generate noise in your logs.

Question:
Is there a legitimate reason for Internet users to access your server(s) by IP address
instead of FQDN?

OpenAppID and the Intrusion Policy
An Example
The Goal:
Block all web traffic that targets an IP Address rather than correct hostname.
Use Intrusion Policy to inspect legitimate traffic.

(Diagram: the scan by IP address is blocked before it reaches the Web Server.)
[blkh4t@wd40 ~]$ hackerw3bscan –v 198.51.100.33
No web server found!
OpenAppID and the Intrusion Policy
Creating the Custom Detector
1. From Application Detectors
screen, click the button to
Create Custom Detector.

OpenAppID and the Intrusion Policy
Creating the Custom Detector

2. Click the "Add" button.
OpenAppID and the Intrusion Policy
Creating the Custom Detector

3. Complete the
required fields to
name your custom
application.
4. Click OK.

OpenAppID and the Intrusion Policy
Creating the Custom Detector

5. Enter the same Name and Description as the previous step, and select the Application you just created from the pulldown menu.
6. Leave the Detector_Type as Basic.
7. Click OK.
OpenAppID and the Intrusion Policy
Creating the Custom Detector
8. Click “Add” to add
Detection Patterns.

This is where we'll define what the application "looks like" to Firepower.
OpenAppID and the Intrusion Policy
Creating the Custom Detector

9. Select HTTP from the Protocol pulldown menu, and URL as Type.
10. Enter your domain name.
11. Click OK.
OpenAppID and the Intrusion Policy
Creating the Custom Detector

12. Repeat the process to add the SSL information.
13. Click OK.
OpenAppID and the Intrusion Policy
Creating the Custom Detector

14. Click on "Save".

Remember: Basic Detectors perform an OR operation on the Detection Patterns. In this example, any HTTP or HTTPS connection destined to *.zenbango.com will trigger the detector.
OpenAppID and the Intrusion Policy
Activating the Custom Detector

15. You can find your Application Detector by selecting Custom Type in the Filters.
16. The new Application Detector will not function until it is Activated by clicking on the State slider.

WARNING: When you Activate or Deactivate any Detector, it will trigger your appliances in the current domain or child domain to restart Snort. This will potentially be disruptive to your network traffic.
OpenAppID and the Intrusion Policy
Assigning Custom Detector to Access Control and Intrusion Policy

15. Tie it all together by using an Allow Rule (with Intrusion Policy assigned) for traffic matching the new application. Block all other traffic.
OpenAppID and the Intrusion Policy
Effectiveness…
