
BRKSEC-3300
Advanced Firepower IPS Deployment
Gary Halleen, Technical Solutions Architect


Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKSEC-3300

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
About Your Speaker
Gary Halleen
Security Architect
Global Security Architect Team
19 years at Cisco
Amateur Radio: K7TRO
Oregon – Pacific Wonderland

Some of My Hobbies
Cisco Firepower Sessions: Building Blocks
Related sessions this week (Tuesday through Friday):
• BRKSEC-3035 Firepower Platform Deep Dive
• BRKSEC-2064 Dissecting Firepower FTD & Firepower Services
• BRKSEC-3455 NGFWv and ASAv in Public Cloud
• BRKSEC-3328 FMC Internals: Making FMC Do More
• BRKSEC-3300 Advanced IPS Deployment (We Are Here!)
• BRKSEC-3032 Firepower NGFW in the DC and Enterprise
• BRKSEC-2020 NGFW Clustering Deep Dive
• BRKSEC-2112 Firepower Internet Edge Best Practices
• BRKSEC-3352 Advanced Snort Rule Writing for Firepower
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

Introduction (For Your Reference)
For the purposes of this session, these terms are treated the same:
• Firepower
• Firepower Threat Defense
• ASA with Firepower Services
Introduction
Management options:
• Centralized: Firepower Management Center (FMC). Enables comprehensive security administration and automation of multiple appliances.
• On-box: Firepower Device Manager (FDM). Enables easy on-box management of common security and policy tasks.
• Cloud-based (upcoming): Cisco Defense Orchestrator (CDO). Enables cloud-based policy management of multiple deployments.
Firepower Management Center (FMC)
This session covers Firepower 6.2.x and later, managed with FMC.
We will NOT cover the older Cisco IPS 7.0.

Centralized Management: Multi-domain management, Role-based access control, High availability, APIs and pxGrid integration.
Firepower Management Center functions: Firewall & AVC, NGIPS, AMP, Security Intelligence.
Manage across many sites. Control access and set policies. Investigate incidents. Prioritize response.
Firepower 6.3 (For Your Reference)

Platform Capabilities
• Multi-Instance for 4100/9300: flexible approach for up to 14 instances; supports HA
• TLS HW Accelerated Decryption: higher TLS inspection throughput; supported on all Firepower platforms
• Fail-to-Wire Netmods for FP2100: transition NGIPS to Firepower 2100s
• Improved Migrations: new migration tools

Operations
• Airgap/Export Licensing: controlled subscription licensing for closed networks; export licensing for government and military customers outside the United States
• Local Management for FTD: on-box manager for many commercial use-cases; supports HA, Passive Auth; audit logging and Connection and IPS syslogs from the device
• Direct-to-Device APIs (2100 and below): automation and orchestration for MSPs; enable integrations

Visibility & Security
• Events direct-from-device: integrate better with other Cisco and 3rd party SIEMs; Connection and IPS events
• FQDN based access control: enables control for dynamic cloud based apps
• 2FA & RADIUS CoA for RA VPN in FMC
• RA VPN Migration
Firepower 6.3: Multi-Instance for Firepower 4100/9300
• Allows organizations to deploy independent tenants (FTD 1, FTD 2, FTD 3, FTD 4 …) for multiple departments or customers
• Resource and Management Separation
• Instances are fully independent and fault tolerant
• Smooth workflow enabling faster provisioning
• 3-14 instances (FP9300 and FP4100s only)
• Multi-Instance is free – no SKU
Pick from many deployment modes
• Inline or Passive: Inline, Inline Tap, Passive
• Fail-to-wire NetMods (available on 2100, 4100 and 9300)
• Additional options: Routed, Transparent, Virtual or Physical
Agenda: Policy Interaction and Firepower Recommendations
Firepower Policies
How often are Policies Modified?
• Frequently: Access Control Policy, Intrusion Policy, SSL Policy, Identity Policy, Prefilter Policy
• Little: Malware and File Policy, DNS Policy
• Rarely: Network Discovery Policy, Network Analysis Policy, Correlation Policy, Health Policy
Policy Order of Operation
Prefilter (FTD only) -> SSL -> Identity -> SI / DNS -> Access Control Policy: Intrusion (for AppID, optional) -> Access Control Rules -> Intrusion -> File / Malware
Intrusion Policy
The Intrusion Policy defines which Snort rules are used in packet inspection.
Intrusion Base Policy
• Connectivity over Security: CVSS Score 10; Vulnerability Age current year plus 2 prior (2019, 2018, and 2017)
• Balanced Security and Connectivity: CVSS Score 9+; Vulnerability Age current year plus 2 prior; Rule Categories: Malware-CNC, Blacklist, SQL Injection, Exploit Kit
• Security over Connectivity: CVSS Score 8+; Vulnerability Age current year plus 3 prior (2019, 2018, 2017, and 2016); Rule Categories: Malware-CNC, Blacklist, SQL Injection, Exploit Kit, App-Detect
• Maximum Detection: CVSS Score 7.5+; Vulnerability Age 2005 and later; Rule Categories: Malware-CNC, Exploit Kit
Intrusion Policy
You can manually Enable/Disable individual rules or configure actions.
There are several ways to search for rules…
Network Discovery Policy
• Used to identify which networks Firepower should “learn” from.
• Useful for applications, and especially for maintaining the Firepower Recommended Rules in the Intrusion Policy.
Intrusion Policy and Network Discovery Policy
Firepower Recommended Rules automatically tunes your Snort rules for the applications, servers, and hosts on your network.
Access Control Policy
• Traffic must match in the Access Control Policy in order to be inspected.
• For a simple IPS deployment, you can use the Default Action.
• In a NGFW deployment, the Default Action will likely be “Block All Traffic”. An Intrusion Policy needs to be defined for each Allow action.
• If you need, different Allow rules can have different Intrusion Policies assigned.
Agenda: Advanced Tuning Topics
Network Analysis Policy
What is this? Do I need to do anything here?
• The Network Analysis Policy (NAP) controls the Preprocessors, and determines things such as:
o Fragmentation Reassembly
o Protocol Compliance
“What should we tune?”
Network Analysis Policy
Tuning the NAP is a balance between Security and Usability.
Network Analysis Policy
• By default, there are no tunable NAP policies. You’ll need to create one (Create Policy).
• Give your policy a name, then click Create and Edit Policy.
Network Analysis Policy
Do these Base Policies look familiar?
Besides the name, these Base Policies have NOTHING in common with the Intrusion Base Policies.
Network Analysis Policy: Enable/Disable Preprocessors
• Some Preprocessors are disabled by default:
o Portscan Detection
o Rate-Based Attack Prevention
o Inline Normalization
• Enable these if you need them.
Fragmentation
Both IP and TCP can cause a stream of data to break into many parts.
Both IP fragmentation and TCP segmentation may be naturally occurring or performed intentionally to evade IPS.
IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate this evasion technique.

If attack is: USER root
TCP: HDR USER HDR root
IP: HDR HDR US HDR ER HDR HDR ro HDR ot
How Bad can Fragmentation Get?
Layers: IP, TCP, SMB, MSRPC, Payload
Packet capture of a regular attack is ~4k; after layers of evasion, 30MB or more!
Hundreds of thousands of packets.
Network Analysis Policy: Inline Normalization
Tune it? MAYBE
• Disabled by Default
• Enforces Protocol Compliance for TCP and IP protocols.
• Enabling normalization will block some non-standard implementations and many attacks. However, it potentially can block poorly-written legitimate traffic.
• How Risk-Averse are you?
Network Analysis Policy: TCP Stream
Tune it? YES
• Unless you are deploying IPS into a segment containing ONLY Windows hosts, you absolutely should tune this.
• TCP Stream determines how fragmented TCP traffic is reassembled.
• Different operating systems handle reassembly differently, and it is critical that your IPS understands the hosts.
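Added illustration of the two points above (not code from the session or from Snort): a small reassembler that rebuilds the slides' "USER root" payload from out-of-order pieces, then applies two overlap policies, 'first' and 'last' (names taken from Snort's TCP stream target-based policies), to pieces that claim the same bytes. The segment lists are constructed for the example; it shows that the signature is only visible after reassembly and that, when pieces overlap, the policy decides what the sensor sees, which is why the TCP Stream policy must match the protected hosts.

```python
SIGNATURE = b"USER root"


def reassemble(segments, policy="first"):
    """Rebuild a byte stream from (offset, data) pieces that may arrive out of
    order and may overlap. policy='first' keeps the data that arrived first
    for any overlapping byte; policy='last' lets later data overwrite it.
    Returns the contiguous bytes from the lowest offset up to the first gap."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    if not stream:
        return b""
    out = bytearray()
    pos = min(stream)
    while pos in stream:          # stop at the first hole in the stream
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def matches(segments, policy="first"):
    """True if the signature is visible in the reassembled stream."""
    return SIGNATURE in reassemble(segments, policy)


# Constructed: the slide's payload split into TCP segments and then IP
# fragments, delivered out of order. No single piece contains "USER root",
# so a sensor that inspects packets one at a time never sees the signature.
OUT_OF_ORDER = [(5, b"ro"), (0, b"US"), (7, b"ot"), (2, b"ER ")]

# Constructed: two pieces claim offsets 5-8 with different content. Which one
# the host keeps depends on its TCP stack, so the sensor must be told which
# policy the protected host follows or it will reassemble a different stream.
OVERLAPPING = [(0, b"USER "), (5, b"rxxx"), (5, b"root")]

if __name__ == "__main__":
    print(reassemble(OUT_OF_ORDER))
    for policy in ("first", "last"):
        print(policy, reassemble(OVERLAPPING, policy), matches(OVERLAPPING, policy))
```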
Network Analysis Policy: UDP Stream
Tune it? Probably Not
• Not much to tune.

Network Analysis Policy: IP Defragmentation
Tune it? YES
• Similar reason as TCP Stream.
Access Control Policy – Advanced Settings
Don’t forget to select the Network Analysis Policy from the Access Control Policy -> Advanced Tab.
If you need to use multiple Network Analysis Policies (maybe some networks have Windows servers, and another has Linux, for example), you can create Rules to perform the mapping.
Agenda: IPS Events
Impact Flags
• Remember, we recommend you utilize the Network Discovery Policy…
• This allows you to use Impact Flags for analysis.
Do you know what these mean?
Understanding Impact Flags
An Intrusion Event carries: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, Snort ID, IOC: Predefined Impact.
The Host Profile (built by Network Discovery) carries: IP Address, User IDs, Protocols, Server Side Ports, Client Side Ports, Services, CVE, Client / Server Apps, Operating System, Potential Vulnerabilities.
The event is compared against the host profile to produce the Impact Flag:
• Impact 0: Event occurred outside profiled networks (outside profile range)
• Impact 4: Previously unseen host within monitored network (host not yet profiled)
• Impact 3: Relevant port not open or protocol not in use
• Impact 2: Relevant port or protocol in use but no vulnerability mapped
• Impact 1: Host vulnerable to attack or showing an IOC
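Worked example of the Impact Flag table above, added for this page and not Firepower's own implementation: an intrusion event is checked against the Network Discovery host profile of its target and given a flag of 0-4, then events are ordered for triage. The profile structure, function names and sample hosts are assumptions, the CVE ids are placeholders, and only the destination host is evaluated, which is a simplification of what FMC does.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class HostProfile:
    """Subset of a Network Discovery host profile (assumed structure)."""
    ip: str
    server_ports: set = field(default_factory=set)     # {(proto, port)} seen open
    vulnerabilities: set = field(default_factory=set)  # CVE ids mapped to the host
    ioc: bool = False                                  # host currently shows an IOC


@dataclass
class IntrusionEvent:
    """The intrusion-event fields the slides list as inputs to the flag."""
    dst_ip: str
    proto: str
    dst_port: int
    rule_cves: frozenset = frozenset()   # CVEs referenced by the Snort rule


def impact_flag(event, profiles, monitored_nets):
    """Return the impact flag (0-4) for one event, following the slide table.
    The order in which the checks are applied is this example's assumption."""
    dst = ip_address(event.dst_ip)
    if not any(dst in ip_network(net) for net in monitored_nets):
        return 0   # event occurred outside profiled networks
    host = profiles.get(event.dst_ip)
    if host is None:
        return 4   # monitored network, but host not yet profiled
    if (event.proto, event.dst_port) not in host.server_ports:
        return 3   # relevant port not open or protocol not in use
    if host.ioc or (event.rule_cves & host.vulnerabilities):
        return 1   # host vulnerable to the attack or showing an IOC
    return 2       # port/protocol in use but no vulnerability mapped


# Analyst priority: impact 1 first; an unknown target (4) is looked at before
# an event that cannot apply to the monitored network (0).
PRIORITY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def triage(events, profiles, monitored_nets):
    """Return (flag, event) pairs, highest impact first (stable order otherwise)."""
    flagged = [(impact_flag(e, profiles, monitored_nets), e) for e in events]
    return sorted(flagged, key=lambda pair: PRIORITY[pair[0]])


# Constructed sample data. CVE ids are placeholders, not real vulnerabilities.
MONITORED = ["10.0.0.0/8"]
PROFILES = {
    "10.1.1.10": HostProfile("10.1.1.10", {("tcp", 80), ("tcp", 443)},
                             {"CVE-0000-0001"}),
    "10.1.1.20": HostProfile("10.1.1.20", {("tcp", 22)}),
    "10.1.1.30": HostProfile("10.1.1.30", {("tcp", 22)}, ioc=True),
}
E_OUTSIDE = IntrusionEvent("192.0.2.5", "tcp", 80, frozenset({"CVE-0000-0001"}))
E_UNSEEN = IntrusionEvent("10.9.9.9", "tcp", 80)
E_CLOSED = IntrusionEvent("10.1.1.20", "tcp", 80)
E_NOMAP = IntrusionEvent("10.1.1.10", "tcp", 80, frozenset({"CVE-0000-0002"}))
E_VULN = IntrusionEvent("10.1.1.10", "tcp", 443, frozenset({"CVE-0000-0001"}))
E_IOC = IntrusionEvent("10.1.1.30", "tcp", 22)
EVENTS = [E_OUTSIDE, E_UNSEEN, E_CLOSED, E_NOMAP, E_VULN, E_IOC]

if __name__ == "__main__":
    for flag, event in triage(EVENTS, PROFILES, MONITORED):
        print(flag, event.dst_ip, event.proto, event.dst_port)
```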
Firepower 6.3: Contextual Cross-Launch
• New to Firepower Management Center (FMC) 6.3
• From any relevant event or dashboard, right-click and launch a query into a different product.
• Several tools already included.
• Do you have a favorite tool? Add your own: Analysis -> Advanced -> Contextual Cross-Launch
• Example for Cisco Stealthwatch (screenshot).
• Example for Cisco Tetration (screenshot). Note: The URL will differ according to your Tetration deployment and tenant IDs.
Stealthwatch Cross-Launch Example (screenshot)
Tetration Cross-Launch Example (screenshot)
Agenda: Importing Snort Rules
Snort Rules
Firepower uses Snort Rules for Intrusion Prevention.
Cisco provides regular rule updates. Most customers deploy these automatically.
Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion Rules -> Create Rule), or can be imported.

Snort Rule Editor (screenshot)
Snort Rules
• Snort Rules are normally created on a single line, with no special characters, and in ASCII or UTF-8 format.
• The Import file can contain many rules as long as they are one rule per line.
• Many of the Emerging Threat rules use deprecated syntax (the ”threshold” statement). If you are importing ET rules, you’ll need to correct or remove these rules first. Threshold has been replaced with detection_filter.
• A rule SHOULD NOT carry its own SID, but one is allowed.
All on ONE Line (the slide shows only the beginning and the end of the one-line rule):

alert tcp [43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48. … 600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; rev:2
Snort Rules (continued)
• Sometimes it is much more readable to spread the rule across multiple lines. Do this with the backslash character - \

Example Rule (from Emerging Threats):

alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
Snort Rules (continued)
• This ET rule has a deprecated keyword – “threshold”, as well as “type limit”, so let’s fix it. The threshold option becomes detection_filter and the “type limit” token is dropped:

alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
detection_filter: track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
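Added helper for getting a third-party rule file ready for Import Rules, written for this page (it is not an Emerging Threats or Firepower tool): it joins backslash-continued lines so each rule sits on ONE line, rewrites the deprecated threshold option as detection_filter the way the slide does, and reports the checks the slides call out (non-ASCII characters, a rule carrying its own SID). The sample file is a constructed, shortened copy of the ET rule shown above. One caveat carried in the code: detection_filter only holds alerts back until count matches are seen in the window, so a rule converted from "type limit" is flagged for review; a once-per-window cap is better placed in the intrusion policy's per-rule Threshold.

```python
import re

THRESHOLD_RE = re.compile(r"threshold\s*:\s*([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def join_continuations(text):
    """Return one rule per line: join lines ending in a backslash and drop
    blank lines and comment lines."""
    joined = text.replace("\\\n", "")
    return [line.strip() for line in joined.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def convert_threshold(rule):
    """Replace a rule-level 'threshold: type <t>, ...' with 'detection_filter: ...',
    keeping the track/seconds/count parameters as the slide does.
    Returns (rule, note). note is set for 'type limit' because detection_filter
    fires on every match once 'count' is reached (count 1 means every match),
    so the original rate cap is lost and should be re-created as a per-rule
    Threshold in the intrusion policy instead."""
    match = THRESHOLD_RE.search(rule)
    if not match:
        return rule, None
    parts = [p.strip() for p in match.group(1).split(",") if p.strip()]
    kind, kept = None, []
    for part in parts:
        tokens = part.split()
        if tokens[0] == "type" and len(tokens) > 1:
            kind = tokens[1]
        else:
            kept.append(part)
    fixed = (rule[:match.start()] + "detection_filter: " + ", ".join(kept) + ";"
             + rule[match.end():])
    note = None
    if kind == "limit":
        note = "was 'threshold type limit'; review the rate-limit semantics"
    return fixed, note


def lint(rule):
    """Checks from the slides: ASCII only, and the rule should not set a SID."""
    problems = []
    if not rule.isascii():
        problems.append("contains non-ASCII characters")
    sid = SID_RE.search(rule)
    if sid:
        problems.append("carries sid:%s (FMC assigns local SIDs on import)" % sid.group(1))
    return problems


def prepare(text):
    """Whole pipeline for an import file: list of (rule, notes)."""
    result = []
    for rule in join_continuations(text):
        fixed, note = convert_threshold(rule)
        notes = lint(fixed) + ([note] if note else [])
        result.append((fixed, notes))
    return result


# Constructed: a shortened copy of the ET rule on the slides, with the address
# list cut down to three networks and the metadata option removed.
SAMPLE_FILE = """# ET DROP example (constructed)
alert tcp \\
[43.250.116.0/22,43.252.80.0/22,45.4.128.0/22] \\
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \\
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \\
threshold: type limit, track by_src, seconds 3600, count 1; \\
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; rev:2690;)
"""

if __name__ == "__main__":
    for rule, notes in prepare(SAMPLE_FILE):
        print(rule)
        for note in notes:
            print("  note:", note)
```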
Importing Snort Rules
• Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules.
• Click on “Import Rules”

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Importing Snort Rules
• Click on “Browse” to locate your file, and click “Import”.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Importing Snort Rules

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Importing Snort Rules

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Importing Snort Rules

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Importing Snort Rules

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Importing Snort Rules

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Importing Snort Rules
• If successful, you will see a screen showing what has been imported.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Importing Snort Rules
• If successful, you will see a screen showing what has been imported.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Enabling Snort Rules
• Remember, all imported rules are Disabled by default. You need to enable
these.

Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

How do you Exempt Specific Servers from a Snort Rule?
Options:
1. Look at the rule and see whether you can modify the variables in use ($EXTERNAL_NET and $HOME_NET, for example).
2. Use a different Intrusion Policy for some hosts. This could have a memory or performance impact if overused.
3. Create a Pass Rule -> Probably the Best Option

Pass Rule Example
Pass Rule
Open the firing rule in the Rule Editor (Objects -> Intrusion Rules)

[Diagram: a Network Scanner at 203.0.113.24 on the Campus network, scanning a Web Server and an SSH Server]
Pass Rule
Change Action to “pass”

Pass Rule
Change the Message (add “PASS RULE – ” to the beginning).

Add the IP address or variable name (e.g. $SCANNER_HOSTS) to the source or destination IP.

Pass Rule
Click “Save as New”

Pass Rule
Finally, Edit the Intrusion Policy, and change the Rule State for your new Local Rule to
“Generate Events”. Save and Deploy the Intrusion Policy.

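The Rule Editor steps above (action to pass, “PASS RULE - ” prefixed to the message, exempt hosts written into the source or destination, saved as a new local rule) can be scripted when many rules need the same exemption; this is an added example, not code from the session. It assumes Snort 2 rule syntax, and the sample rule, the scanner address 203.0.113.24 from the slide's diagram, and the new local SIDs are constructed for illustration.

```python
"""Generate Snort 2 'pass' rules that exempt specific hosts from a firing rule.

Added example (not from the session). It applies the same edits the Rule
Editor steps describe: action -> pass, "PASS RULE - " prefixed to msg, the
exempt hosts written into the source (or destination) address, new SID/rev.
"""
import re

# Snort 2 rule header: action proto src sport direction dst dport (options)
_HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)


def _join_continuations(rule: str) -> str:
    """Join a rule that a rules file split with trailing backslashes (as Snort does)."""
    return re.sub(r"\\\s*\n\s*", "", rule.strip())


def _split_options(opts: str) -> list:
    """Split the option body on ';' outside quotes, honouring backslash escapes."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == ";" and not quoted:
            part = "".join(buf).strip()
            if part:
                parts.append(part)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def make_pass_rule(rule: str, exempt_hosts, new_sid: int, side: str = "src") -> str:
    """Return the pass-rule variant of ``rule``.

    exempt_hosts: a Snort variable such as "$SCANNER_HOSTS", or an iterable of
                  IPs/CIDRs, which is emitted as a Snort IP list [a,b,...].
    new_sid:      SID for the new local rule (pick one your FMC does not use).
    side:         "src" or "dst": which end of the flow the exempt hosts occupy.
    """
    if side not in ("src", "dst"):
        raise ValueError("side must be 'src' or 'dst'")
    m = _HEADER_RE.match(_join_continuations(rule))
    if not m:
        raise ValueError("not a Snort rule with a header and an option body")
    hdr = m.groupdict()
    hdr["action"] = "pass"
    hdr[side] = (exempt_hosts if isinstance(exempt_hosts, str)
                 else "[" + ",".join(exempt_hosts) + "]")

    new_opts = []
    for opt in _split_options(hdr["opts"]):
        key = opt.split(":", 1)[0].strip().lower()
        if key == "msg":
            # msg:"text" -> msg:"PASS RULE - text", as the Message step does
            opt = re.sub(r'^msg\s*:\s*"', 'msg:"PASS RULE - ', opt, count=1)
        elif key == "sid":
            opt = f"sid:{new_sid}"  # "Save as New": the new rule needs its own SID
        elif key == "rev":
            opt = "rev:1"
        new_opts.append(opt)
    if not any(o.lower().startswith("sid:") for o in new_opts):
        new_opts.append(f"sid:{new_sid}")

    header = "{action} {proto} {src} {sport} {dir} {dst} {dport}".format(**hdr)
    return f"{header} ({'; '.join(new_opts)};)"


# Constructed sample: a generic recon rule that the campus scanner keeps tripping.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh probe"; '
    'flow:to_server; content:"SSH-"; sid:2000001; rev:3; classtype:attempted-recon;)'
)

if __name__ == "__main__":
    print(make_pass_rule(SAMPLE_RULE, "203.0.113.24", new_sid=1000001))
    print(make_pass_rule(SAMPLE_RULE, "$SCANNER_HOSTS", new_sid=1000002))
```

The output still has to be imported (Objects -> Intrusion Rules -> Import Rules) and set to “Generate Events” in the Intrusion Policy, exactly as the slides describe for a rule created in the editor.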
Snort Restart and Reload Architecture

Prior to Firepower 6.2.2, making the Intrusion Rule changes just described would have caused a Snort Restart, and potentially disrupted network traffic.

Significant improvements in 6.2.3, and especially 6.3 software, have dramatically reduced the number of things that can cause a Snort Restart.

Why does Snort Restart?
• New version of Snort in policy deploy
• Reallocate memory for pre-processors/Security Intelligence (6.2.x)
• Reload shared objects
• Pre-processor configuration changes (6.2.x)
• Configured to restart instead of reload

Callout on the screenshot: “No” means Snort will restart every time a policy changes.

Cisco.com info on 6.2.3 Restart Conditions: http://cs.co/9006DcfbG

Why does Snort Restart?
6.2.3 and later warns if any configuration change will interrupt inspection
(restart Snort):

Mitigations

1. Snort Preserve-Connection (6.2.0 / 6.2.3 introduction)
2. Software Bypass
3. Upgrade to Firepower 6.3

Snort Preserve-Connection
• When Snort goes down, connections with an Allow verdict are preserved in LINA
• Snort does NOT do a mid-session pickup on preserved flows when it comes back up
• Does NOT protect against new flows while Snort is down
• 6.2.0.2/6.2.3 Feature Introduction. Enabled by default in 6.2.3
• Can be enabled/disabled from CLI:
configure snort preserve-connection enable/disable

Software Bypass
• With inline Fail-Open deployments, traffic is passed uninspected on the Software bridge when Snort is down.
• When Snort comes up, it does a mid-session pickup on traffic

Bypass Options
Software Bypass: Enable traffic, uninspected, when Snort is down or busy.
Fail-to-Wire Interfaces: Bypass traffic upon appliance failure, including loss of power.
Automatic Application Bypass: Restarts Snort processes upon degraded performance.
Intelligent Application Bypass: Application-specific acceleration of defined applications if performance is degraded.
Trust Rules: Accelerate defined traffic but still apply Security Intelligence.
Prefilter Policy: Bypass deep inspection and Security Intelligence based on Port / Protocol / IP Address / Zone.

Software Bypass

Software Bypass is only available in Inline Pairing mode or ASA with Firepower Services.

Fail to Wire Interfaces

Fail-to-Wire interfaces allow for pass-through of traffic in case of appliance failure or loss of power.
[Figure: Fail-to-wire NetMod]
Supported platforms:
• FP-9300
• FP-4100
• FP-2100 (requires 6.3)
• FP-7000, 7100, 8100, 8200, and 8300

Fail-to-Wire requires:
Inline Set, Inline Pair, or Inline Tap deployment.

Automatic Application Bypass (AAB)
Detects Snort failures or degraded performance and triggers a restart of the
impacted Snort process. First available in FTD in 6.2.2.

Trust Rules
Within the Access Control Policy, defined traffic can be exempted from File
and IPS inspection, which accelerates it through the appliance. Basing the
rule on Source/Destination Port and IP addresses is most effective.
Security Intelligence feeds are still applied to Trust rules.

On FP-4100/9300 appliances, a Trust rule enables Dynamic Flow Offload on eligible flows, and handles the traffic on the HW NIC. Not supported on Inline, Inline Tap, or Passive Interfaces!

PreFilter Policy
PreFilter rules are processed prior to Intrusion Prevention or Access Control
Policies. If traffic can be defined by Zone, Network, and Port (similar to an
ASA rule), the traffic can be FastPathed. This is similar to a Trust rule, but
Security Intelligence is not applied.

• PreFilter rules require Firepower Threat Defense.


On FP-4100/9300 appliances, a Fastpath rule enables Static Flow Offload on eligible
flows, and handles the traffic on the HW NIC. Static Flow Offload is not supported on
Inline, Inline Tap, or Passive interfaces.

Intelligent Application Bypass (IAB)
Detects degraded performance within an application. If that application is trusted, you can configure IAB to automatically bypass inspection for it and accelerate the traffic.

Intelligent Application Bypass
What is IAB?

IAB takes action when a Snort instance is Under Duress if conditions are
met:
1. Is the flow a candidate for bypass?
2. Is this a bypassable application?

If conditions are satisfied, then Firepower will accelerate the flow.

Intelligent Application Bypass
Caveats!

• When IAB works to full capability, the flow under duress is handled the same as a PreFilter FastPath or ACP Trust rule.
• If the Access Control Policy (ACP) uses IP-based Security Intelligence,
then Snort needs to see the traffic briefly before it is FastPathed.
• If the ACP uses DNS- or URL-based Security Intelligence, then both Snort
and AppID need to see traffic before it is FastPathed. AppID sometimes
takes longer to identify the application, depending on which application it
is.

Configuring Intelligent Application Bypass
Find IAB on the Advanced tab of the Access Control Policy. In 6.2.3, it is on the
bottom left of the page. In 6.3, it is on the top right.

• By default, IAB is disabled.
• With 6.2.3, all fields are blank. No default values.
• With 6.3, default values are entered.

Configuring Intelligent Application Bypass
Set the State to On or Test.

And set the sample period.

Configuring Intelligent Application Bypass
Inspection Performance Thresholds: Is the snort process under duress?

These fields are a Logical OR, and refer to the Snort process rather than overall appliance CPU.

• Drop Percentage
• Processor Utilization
• Packet Latency
• Flow Rate

Configuring Intelligent Application Bypass
Flow Bypass Thresholds: Is the flow a candidate to bypass?
These values are all a Logical OR.

Bytes per Flow is “How big is the flow?”

Take AMP max file size under consideration!

Configuring Intelligent Application Bypass
Flow Bypass Thresholds: Is the flow a candidate to bypass?

Flow Velocity is “Size over time of the flow”

Each snort instance can handle approximately 1Gbps, which is 125,000 kbytes/second.

(Value entered on the slide: 45000)

I disagree with this default value. 250,000 kbytes/second will never trigger on today’s FP or ASA hardware. A better starting value for most customers is about 40,000 or 50,000 kbytes/second.
Configuring Intelligent Application Bypass
Define Applications that are Bypassable

May be easier to just allow All Applications

Monitoring Intelligent Application Bypass
IAB Events appear in Connection Events with reason of “Intelligent App Bypass”

OpenAppID
Cisco’s Open Source Application Layer Plugin for Snort and Firepower

OpenAppID uses the Lua programming language to identify applications. There are a
number of attributes it can look at, including:

• ASCII or Hex patterns and offset
• HTTP User Agent
• HTTP URL
• HTTP Content Type
• SSL Host
• SSL Organization Unit
• SSL Common Name
• SIP Server
• SIP User Agent
• RTMP URL Pattern

OpenAppID
Most internal Firepower Application Detectors are included in the Snort OpenAppID rules,
including Lua source code.

OpenAppID within Firepower
Application Detectors

All Application Detectors in Firepower 6.0+ use OpenAppID.

Custom Application Detectors can be created here, as well.

OpenAppID within Firepower
Basic Application Detector

FMC provides a Wizard for creation of Basic detectors. Advanced detectors require you to upload the Lua file.

OpenAppID within Firepower (For Your Reference)

Advanced Application Detector

If you need an Advanced detector, you’ll need to write it yourself, or request one from TAC.

OpenAppID Example with Intrusion Policy
OpenAppID and the Intrusion Policy
A lot of “noise” is created in the Intrusion Logs of any IDS/IPS product by automated scripts searching for vulnerable systems, and trying generic attacks.

[Diagram: Internet -> Web Server]

[blkh4t@wd40 ~]$ hackerw3bscan –v 198.51.100.33

Ports open: tcp/80, tcp/443
Server: apache 2.4.18
Vulnerabilities found: CVE-2016-4979 SSL Bypass
                       CVE-2016-1546 HTTP2 DOS
OpenAppID and the Intrusion Policy
An Example

These scans or attacks against your IP addresses may or may not be successfully
blocked by your IPS devices.
They generate noise in your logs.

Question:
Is there a legitimate reason for Internet users to access your server(s) by IP address
instead of FQDN?

OpenAppID and the Intrusion Policy
An Example
The Goal:
Block all web traffic that targets an IP Address rather than the correct hostname. Use the Intrusion Policy to inspect legitimate traffic.

[Diagram: Internet -> Web Server, with the scan blocked (X)]

[blkh4t@wd40 ~]$ hackerw3bscan –v 198.51.100.33

No web server found!
OpenAppID and the Intrusion Policy
Creating the Custom Detector
1. From the Application Detectors screen, click the button to Create Custom Detector.

OpenAppID and the Intrusion Policy
Creating the Custom Detector

2. Click the “Add” button.

OpenAppID and the Intrusion Policy
Creating the Custom Detector

3. Complete the required fields to name your custom application.
4. Click OK.

OpenAppID and the Intrusion Policy
Creating the Custom Detector

5. Enter the same Name and Description as in the previous step, and select the Application you just created from the pulldown menu.
6. Leave the Detector_Type as Basic.
7. Click OK.

OpenAppID and the Intrusion Policy
Creating the Custom Detector
8. Click “Add” to add Detection Patterns.

This is where we’ll define what the application “looks like” to Firepower.

OpenAppID and the Intrusion Policy
Creating the Custom Detector

9. Select HTTP from the Protocol pulldown menu, and URL as Type.
10. Enter your domain name.
11. Click OK.

OpenAppID and the Intrusion Policy
Creating the Custom Detector

12. Repeat the process to add the SSL information.
13. Click OK.

OpenAppID and the Intrusion Policy
Creating the Custom Detector

14. Click on “Save”.

Remember: Basic Detectors perform an OR operation on the Detection Patterns.
In this example, any HTTP or HTTPS connection destined to *.zenbango.com will trigger the detector.
OpenAppID and the Intrusion Policy
Activating the Custom Detector

15. You can find your Application Detector by selecting Custom Type in the Filters.
16. The new Application Detector will not function until it is Activated by clicking on the State slider.

WARNING: When you Activate or Deactivate any Detector, it will trigger your appliances in the current domain or child domain to restart Snort. This will potentially be disruptive to your network traffic.
OpenAppID and the Intrusion Policy
Assigning Custom Detector to Access Control and Intrusion Policy

17. Tie it all together by using an Allow Rule (with Intrusion Policy assigned) for traffic matching the new application. Block all other traffic.
OpenAppID and the Intrusion Policy
Effectiveness…

Security Intelligence Feeds (For Your Reference)
Included SI Feeds:

IP Address          URLs                    DNS
Attackers           URL Attackers           DNS Attackers
Bogon               URL Bogon               DNS Bogon
Bots                URL Bots                DNS Bots
CnC                 URL CnC                 DNS CnC
Cryptomining (NEW)  URL Cryptomining (NEW)  DNS Cryptomining (NEW)
Dga                 URL Dga                 DNS Dga
ExploitKit          URL Exploitkit          DNS Exploitkit
Malware             URL Malware             DNS Malware
Open_proxy          URL Open_proxy          DNS Open_proxy
Open_relay          URL Open_relay          DNS Open_relay
Phishing            URL Phishing            DNS Phishing
Response            URL Response            DNS Response
Spam                URL Spam                DNS Spam
Suspicious          URL Suspicious          DNS Suspicious
Tor_exit_node       URL Tor_exit_node       DNS Tor_exit_node

Security Intelligence

Go to the Appendix for an example on creating a custom Security Intelligence feed.

According to Network Computing, 72% of
all internet traffic is SSL encrypted.

Is your IPS still effective?

SSL Inspection
The percentage of TLS/SSL traffic is increasing dramatically. IDS/IPS deployments need to take this into consideration.
Options to consider:
1. Decryption Offload, passing decrypted traffic to the Sensor
2. Onbox Decryption

Additionally, do you decrypt Inbound traffic, Outbound traffic, or both?

SSL Inspection
Firepower can decrypt TLS/SSL traffic, if you want to do it on-box.

Inbound Traffic
• Traffic is decrypted by installing the Servers’ SSL Certificate and Private Key onto
the FMC
Outbound Traffic
• Traffic is decrypted by installing a wildcard certificate and performing a “man in the
middle attack” against your users’ SSL traffic.

In this session, we will focus only on Inbound.

SSL Inspection with Known Key
Example
You need both the host’s private key and the .crt file.
Go to Objects -> PKI -> Internal Certs to add the certificate information for
the host.

SSL Inspection with Known Key
Example
Create an SSL Policy to decrypt traffic with this known key for the associated
host. Once this is complete, add this SSL Policy to the Access Control
Policy.

SSL Hardware Decryption

• Firepower 6.3 enables Hardware Decryption, by default, for SSL/TLS traffic on Firepower
appliances, including the FP-2100.
• Firepower 6.2.3 enabled Hardware Decryption on FP-4100/9300 platforms, but was
disabled by default.
• Performance is dramatically improved over Software Decryption that was previously
performed.

To disable hardware decryption, you can use the following command from the FTD CLI:

FTD 6.2.3: system support ssl-hw-offload disable
FTD 6.3: system support ssl-hw-force-offload-disable

Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Continue Your Education

Demos in the Cisco Showcase | Walk-in self-paced labs | Meet the engineer 1:1 meetings | Related sessions
Thank you
Additional Slides
These slides did not fit in the time allowed for the session.

Security Intelligence Example
Security Intelligence Custom Feed
An Example
A publicly-exposed SSH Server will be continuously probed for weaknesses, as well as brute-force login attempts.
Let’s use failed login attempts to build our own SI Feed.

[Diagram: Internet -> SSH Server]

[blkh4t@wd40 ~]$ ncrack zenbango.com:22

Starting Ncrack 0.5 ( http://ncrack.org ) at 2017-01-09 12:42 PST

Jan 9 15:42:50 www unix_chkpwd[28658]: password check failed for user (root)
Jan 9 15:42:57 www unix_chkpwd[28680]: password check failed for user (root)
Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from 198.51.100.87
Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from 198.51.100.87
Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don)
Jan 9 15:43:25 www unix_chkpwd[28887]: password check failed for user (rich)
Jan 9 15:43:31 www unix_chkpwd[28922]: password check failed for user (gary)
Jan 9 15:44:33 www unix_chkpwd[29302]: password check failed for user (daemon)
Jan 9 15:44:38 www unix_chkpwd[29341]: password check failed for user (kim)
Jan 9 15:45:44 www unix_chkpwd[29737]: password check failed for user (operator)
Jan 9 15:45:52 www sshd[10694]: Invalid user dan from 198.51.100.87
Jan 9 15:45:54 www unix_chkpwd[29797]: password check failed for user (root)
Jan 9 15:46:02 www unix_chkpwd[29842]: password check failed for user (mail)
Jan 9 15:46:09 www unix_chkpwd[29878]: password check failed for user (nobody)
Jan 9 15:46:31 www unix_chkpwd[30019]: password check failed for user (rich)
Jan 9 15:46:31 www unix_chkpwd[30020]: password check failed for user (don)
Jan 9 15:46:38 www unix_chkpwd[30065]: password check failed for user (gary)
Security Intelligence Custom Feed
An Example
The Goal:
Create your own Security Intelligence Feed to block hosts that attempt to login to your
SSH Server and fail authentication multiple times.

[Diagram: Internet, Web Server and SSH Server, with the attacker blocked (X)]

Security Intelligence Custom Feed
Prerequisites

1. The first step is to configure your honeypot with the desired services installed, hardened, and logged.

There are a number of tools available to dynamically block or log connection/authentication attempts. Two that work well are fail2ban and denyhosts.

Security Intelligence Custom Feed
Prepare the Target

2. In this example, we’re using denyhosts to dynamically block SSH attempts after 6 failed login attempts.

/etc/denyhosts.conf file (pertinent sections):

SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 6
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
RESET_ON_SUCCESS = yes

Security Intelligence Custom Feed
Prepare the Target
3. Create a script to parse the blocked IP addresses from denyhosts’ log file.
/etc/hosts.deny file looks like this:
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
# DenyHosts: Tue Jan 31 09:42:58 2017 | ALL: 198.51.100.3
ALL: 198.51.100.3
# DenyHosts: Tue Jan 31 19:50:17 2017 | ALL: 198.51.100.27
ALL: 198.51.100.27
# DenyHosts: Wed Feb 1 16:57:02 2017 | ALL: 203.0.113.230
ALL: 203.0.113.230

The output file should be in a directory accessible to your web server. Consider placing it on a different server.

4. Use your favorite scripting language to parse the addresses. This simple Bash script works:
#!/bin/bash
# Drop the DenyHosts comment lines and keep the address after "ALL:", one per line
grep -v '^#' /etc/hosts.deny | awk '{print $2}' > /var/www/html/sshblock.txt

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 143
Security Intelligence Custom Feed
Prepare the Target

5. Generate some SSH traffic, with failed logins, to make sure you are capturing
the addresses. Be careful: denyhosts will by default ban your IP address in
the hosts.deny file. You will need to know how to clear the blocks.
This is a useful site:
http://www.tecmint.com/block-ssh-server-attacks-brute-force-attacks-using-denyhosts/

6. Make sure to run your script (from Step 4) on a regular basis by running a
cron job every few minutes or so.

/var/www/html/sshblock.txt (one IP address per line):
203.0.113.4
192.0.2.120
198.51.100.3
198.51.100.27
203.0.113.230
Security Intelligence Custom Feed
Prepare the Target

7. Verify you can download the file with a web browser. It is a good idea to
host the file on a server reachable internally only, rather than one accessible
to the outside world.

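As an added example (not code from the deck), a more careful replacement for the one-line Bash parser in Step 4: it reads the DenyHosts hosts.deny format shown in Step 3, drops duplicates, unparseable entries and addresses you never want in a blacklist (RFC1918, loopback and a constructed admin range, since Step 5 warns that denyhosts can ban your own address), and writes the feed atomically so FMC never fetches a half-written list. The file paths and the admin range are assumptions.

```python
import ipaddress
import os
import re
import tempfile

# A hosts.deny entry written by DenyHosts ("ALL: 203.0.113.4"); the
# "# DenyHosts: <timestamp> | ALL: ..." line above it is a comment.
ENTRY_RE = re.compile(r"^\s*ALL\s*:\s*(\S+)\s*$")

# Never publish these even if denyhosts banned them (Step 5 warns it can
# ban your own address): RFC1918/loopback plus a constructed admin range.
NEVER_FEED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
    "198.51.100.64/26",   # constructed: assumed admin jump-host range
)]


def parse_hosts_deny(text, never_feed=NEVER_FEED):
    """Return unique, valid, non-excluded addresses in hosts.deny order."""
    seen, feed = set(), []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue                          # comment line or not an entry
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                          # hostname/garbage: not feed material
        if any(addr in net for net in never_feed) or addr in seen:
            continue
        seen.add(addr)
        feed.append(str(addr))
    return feed


def write_feed(addresses, path):
    """One address per line, via temp file + rename so a fetch never sees a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("".join(a + "\n" for a in addresses))
    os.chmod(tmp, 0o644)                      # readable by the web server
    os.replace(tmp, path)
    return path


if __name__ == "__main__":   # e.g. from cron every few minutes (Step 6)
    with open("/etc/hosts.deny") as f:
        write_feed(parse_hosts_deny(f.read()), "/var/www/html/sshblock.txt")
```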
Security Intelligence Custom Feed
Create the Feed

8. On Firepower Management Center (FMC), navigate to Objects -> Security
Intelligence -> Network Lists and Feeds. Click “Add Network Lists and
Feeds” in the upper right corner.
Security Intelligence Custom Feed
Create the Feed

9. Select Feed, and populate the URL information and Update Frequency.
In the current software release, updates are limited to no shorter than
every 30 minutes.
Click Save.
Security Intelligence Custom Feed
Create the Feed

10. In your Access Policy, click the Security Intelligence tab, and add the new
feed to the Blacklist.

The SSH-Blacklist feed should be placed in the Blacklist.
Security Intelligence Custom Feed
Create the Feed

11. Verify the blocks are occurring.

Reason for block is SSH-Blacklist.

Blocks are protecting ALL hosts –
not just those running Denyhosts.
Firepower
Traditional Firepower appliances use Firepower software.
Example: FP-7050, FP-7125, FP-8130, FP-8250, FP-8370, Firepower Virtual IPS

ASA with Firepower Services
ASA with Firepower Services uses traditional ASA software and a hardware or virtual IPS
module running Firepower software. Often referred to as ASA+SFR.
Example: ASA-5506-X, ASA-5525-X, ASA-5545-X, ASA-5585-X

Firepower Threat Defense
Firepower Threat Defense (FTD) software combines ASA and Firepower features into a
single software image. This is available on newer Firepower appliances and most
ASA-5500-X models.
Example: ASA-5506-X, ASA-5545-X, FP-2110, FP-4140, FP-9300, NGFWv, but NOT the
ASA-5585-X
Routed / Transparent Mode
Firepower Threat Defense

(Diagram: VLAN 10, VLAN 20)

The appliance will be installed in either
Routed or Transparent mode. This is
a global setting.

Routed: Interfaces belong to different
L3 networks.

Transparent: Interfaces belong to
different L2 networks (different
VLANs).
Passive Mode
Firepower Threat Defense, Firepower, ASA with Firepower Services

Passive: A Promiscuous Interface
receives copies of traffic from a SPAN
port or TAP.

Passive interfaces are available
regardless of whether the appliance is
installed in Transparent or Routed mode.
Inline Pair Mode
Firepower Threat Defense or Firepower
Inline Pair: Traffic passes from one
member interface to another, without
changing either VLAN or L3 network. It
functions as a smart wire.

(Diagram: VLAN 10 on both sides of the pair)

Inline Pairs are available regardless of
whether the appliance is installed in
Transparent or Routed mode.

Interfaces can also be 802.1q trunks.
Inline Pair Mode
Firepower Threat Defense or Firepower

Inline Set:

A grouping of two or more Inline Pairs.

Inline Pair Mode
Firepower Threat Defense or Firepower

Inline TAP: Traffic passes from one member
interface to another, without changing either
VLAN or L3 network. As traffic passes, it is
copied to the inspection engine, so traffic
cannot be blocked.

Inline Pairs are available regardless of whether
the appliance is installed in Transparent or
Routed mode.
The Problem with Asymmetric Traffic

Asymmetric traffic flows
prevent a security device from
seeing the full traffic flow.

For best results, design your
network to force symmetry.

(Diagram: Web Server)
Clustering

(Diagram: Internet, cluster, Web Server)

If you are using Firepower Threat Defense
(FTD) or ASA with Firepower Services
(ASA+SFR), Inter-Chassis Clustering is a
great option.

Clustering enables multiple security
appliances to function as a single device,
and support asymmetric traffic flows, while
also providing N+1 redundancy.

FTD supports Inter-Chassis Clustering in
6.2 and later software, on FP-4100 and
FP-9300 appliances.
Thank you
