Advanced Firepower IPS Deployment
Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
How:
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-3300
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
About Your Speaker
Gary Halleen
Email: [email protected]
Security Architect, Global Security Architect Team
19 years at Cisco
Amateur Radio: K7TRO
Oregon – Pacific Wonderland
Some of My Hobbies
Cisco Firepower Sessions: Building Blocks (Tuesday – Friday)
• BRKSEC-3035 – Firepower Platform Deep Dive
• BRKSEC-2064 – NGFWv and ASAv in Public Cloud
• BRKSEC-3455 – Dissecting Firepower FTD & Firepower Services
• BRKSEC-2112 – Firepower Internet Edge Best Practices
• BRKSEC-3300 – Advanced Firepower IPS Deployment (We Are Here!)
• BRKSEC-3352 – Advanced Snort Rule Writing for Firepower
Session start times shown on the slide: 08:30, 09:00, 11:00, 11:30, 14:30, 16:30.
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS
Introduction (For Your Reference)
For the purposes of this session, these terms are treated the same:
• Firepower
• Firepower Threat Defense
• ASA with Firepower Services
Introduction
Management options (figure): Centralized, On-box, Cloud-based, Upcoming
Firepower Management Center (FMC)
This session covers Firepower 6.2.x and later, managed with FMC.
We will NOT cover the older Cisco IPS 7.0.
FMC lets you manage across many sites, control access and set policies, investigate incidents, and prioritize response.
Firepower 6.3 (For Your Reference)
Multi-Instance for Firepower 4100/9300 (new in 6.3)
• Allows organizations to deploy independent tenants for multiple departments or customers
• Resource and management separation
• Instances are fully independent and fault tolerant
• Smooth workflow enabling faster provisioning
• 3-14 instances (FP9300 and FP4100s only)
• Multi-Instance is free – no SKU
Pick from many deployment modes (figure, including NetMod options)
Agenda: Policy Interaction and Firepower Recommendations
Firepower Policies
Access Control Policy, Malware and File Policy, Network Discovery Policy, Prefilter Policy
Policy Order of Operation
Prefilter (FTD only) -> Access Control Policy (for AppID) -> Intrusion (Optional)
Intrusion Policy
The Intrusion Policy defines which Snort rules are used in packet inspection.
Intrusion Base Policy
You can manually enable/disable individual rules or configure actions.
Several ways to search for rules…
Network Discovery Policy
• Used to identify which networks Firepower should “learn” from.
• Useful for applications, and especially for maintaining the Firepower Recommended Rules in the Intrusion Policy.
Intrusion Policy and Network Discovery Policy
Firepower Recommended Rules automatically tunes your Snort rules for the applications, servers, and hosts on your network.
Access Control Policy
• Traffic must match in the Access Control Policy in order to be inspected.
Agenda: Advanced Tuning Topics
Network Analysis Policy
What is this? Do I need to do anything here?
• The Network Analysis Policy (NAP) controls the preprocessors, and determines things such as:
o Fragmentation reassembly
o Protocol compliance
• NAP tuning is a trade-off between Security and Usability (figure: slider between the two).
• By default, there are no tunable NAP policies. You’ll need to create one (Create Policy).
• Give your policy a name.
• Do these Base Policies look familiar?
• Enable/Disable Preprocessors
Fragmentation
Both IP and TCP can cause a stream of data to break into many parts.
Both IP fragmentation and TCP segmentation may be naturally occurring or performed intentionally to evade IPS.
IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate this evasion technique.
How Bad can Fragmentation Get?
Network Analysis Policy – TCP Stream
Tune it? YES
• Unless you are deploying IPS into a segment containing ONLY Windows hosts, you absolutely should tune this.
• TCP Stream determines how fragmented TCP traffic is reassembled.
• Different operating systems handle reassembly differently, and it is critical that your IPS understands the hosts.
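Why the TCP Stream target-based policy has to match the hosts behind the sensor, as an added example (not Cisco or Snort code): the same overlapping segments rebuild into different byte streams under a "first" and a "last" overlap policy, two simplifications of the finer-grained OS policies (windows, linux, bsd, ...) that the TCP stream preprocessor offers. The segment contents are constructed.

```python
"""Why the TCP Stream target-based policy must match the hosts behind the
sensor, as an added example (not Cisco or Snort code). Two simplified
overlap policies are modelled: 'first' keeps the bytes that arrived first
and 'last' lets later segments overwrite them. Snort's real target-based
policies (windows, linux, bsd, macos, solaris, ...) are finer-grained than
this, but the lesson is the same: if the sensor favours different bytes
than the destination host, it inspects a stream the host never sees."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int       # relative sequence number of the first payload byte
    data: bytes


def reassemble(segments, policy):
    """Rebuild the payload from segments applied in arrival order.

    policy 'first': a byte already in the stream is never overwritten.
    policy 'last' : a later overlapping segment replaces earlier bytes.
    Holes left by missing segments are filled with b'?'."""
    if policy not in ("first", "last"):
        raise ValueError("unknown overlap policy: %r" % policy)
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    if not stream:
        return b""
    return bytes(stream.get(i, ord("?")) for i in range(max(stream) + 1))


def policies_agree(segments):
    """True when both policies yield the same stream, i.e. no ambiguity."""
    return reassemble(segments, "first") == reassemble(segments, "last")


# Constructed sample: the second segment re-sends bytes 5..15 with
# different content, so the two policies rebuild different requests.
SAMPLE_SEGMENTS = [
    Segment(0, b"GET /index.html "),
    Segment(5, b"other.html "),
    Segment(16, b"HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SAMPLE_SEGMENTS, policy))
```

A sensor configured for the wrong policy would match rules against one of these two streams while the host acts on the other, which is exactly the gap the target-based TCP Stream setting closes.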
Network Analysis Policy – UDP Stream
Tune it? Probably Not
• Not much to tune.
Network Analysis Policy – IP Defragmentation
Access Control Policy – Advanced Settings
Don’t forget to select the Network Analysis Policy from the Access Control Policy -> Advanced tab.
If you need to use multiple Network Analysis Policies (maybe some networks have Windows servers, and another has Linux, for example), you can create rules to perform the mapping.
Agenda: IPS Events
Impact Flags
• Remember, we recommend you utilize the Network Discovery Policy…
Understanding Impact Flags
The Impact Flag is derived by correlating the Intrusion Event with the Host Profile of the hosts involved.
Intrusion Event fields: Source / Destination IP, Protocol (TCP/UDP), Service, Snort ID
Host Profile fields: User IDs, Services, CVE, Client / Server Apps, Operating System, IOC (Predefined Impact), Potential Vulnerabilities
Impact Flag | Action | Why
0 | Source/Destination IP is outside the profile range | Event occurred outside profiled networks
4 | Host not yet profiled | Previously unseen host within monitored network
1 | CVE / Potential Vulnerabilities or IOC match the host | Host vulnerable to attack or showing an IOC
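The correlation above as runnable decision logic, as an added example (not FMC code). The slide covers flags 0, 4 and 1; flags 2 and 3 (port open vs. not in use on a profiled host) are the remaining FMC impact levels and are included as the natural generalization. Host profiles, monitored ranges and the CVE placeholders are constructed, and evaluating the target host (with the source host only raising the flag to 1) is this example's simplification.

```python
"""Impact-flag derivation as this deck describes it, as an added example
(not FMC code). The slide lists flags 0, 4 and 1; flags 2 and 3 are the
remaining FMC impact levels and are added here as the natural
generalization. Data structures and names are this example's own."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class HostProfile:
    """What Network Discovery has learned about one host."""
    os: str = "unknown"
    open_ports: set = field(default_factory=set)   # services seen on the host
    cves: set = field(default_factory=set)         # potential vulnerabilities
    iocs: set = field(default_factory=set)         # indications of compromise


@dataclass
class IntrusionEvent:
    src: str
    dst: str
    proto: str
    dst_port: int
    snort_id: int
    cves: set = field(default_factory=set)   # CVEs the Snort rule is mapped to


def host_impact(addr, port, event_cves, monitored, network_map):
    """Impact level contributed by one host of the event."""
    ip = ip_address(addr)
    if not any(ip in net for net in monitored):
        return 0            # outside the profiled networks: nothing to correlate
    profile = network_map.get(addr)
    if profile is None:
        return 4            # monitored range, but discovery has never seen it
    if profile.iocs or (event_cves & profile.cves):
        return 1            # vulnerable to this attack, or already showing an IOC
    if port in profile.open_ports:
        return 2            # potentially vulnerable: the targeted port is open
    return 3                # currently not vulnerable: port/protocol not in use


def impact_flag(event, monitored, network_map):
    """Flag for the event: the target host decides, except that a source
    host that is itself vulnerable or showing an IOC raises it to 1."""
    level = host_impact(event.dst, event.dst_port, event.cves, monitored, network_map)
    src = network_map.get(event.src)
    if src is not None and (src.iocs or (event.cves & src.cves)):
        level = 1
    return level


# Constructed sample data: one monitored range and two discovered hosts.
# CVE identifiers are placeholders, not real advisories.
MONITORED = [ip_network("10.0.0.0/8")]
NETWORK_MAP = {
    "10.1.1.10": HostProfile(os="Linux", open_ports={22, 80},
                             cves={"CVE-XXXX-EXAMPLE-1"}),
    "10.1.1.99": HostProfile(os="Windows", open_ports={445},
                             iocs={"example-ioc"}),
}


def sample_flags():
    """Walk one event through each outcome the slide describes (plus 2/3)."""
    events = {
        "outside": IntrusionEvent("198.51.100.7", "192.0.2.5", "tcp", 80, 1000001),
        "unprofiled": IntrusionEvent("198.51.100.7", "10.2.2.2", "tcp", 80, 1000001),
        "vulnerable": IntrusionEvent("198.51.100.7", "10.1.1.10", "tcp", 80, 1000002,
                                     cves={"CVE-XXXX-EXAMPLE-1"}),
        "port_open": IntrusionEvent("198.51.100.7", "10.1.1.10", "tcp", 80, 1000003,
                                    cves={"CVE-XXXX-EXAMPLE-2"}),
        "port_closed": IntrusionEvent("198.51.100.7", "10.1.1.10", "tcp", 3389, 1000004),
        "ioc_source": IntrusionEvent("10.1.1.99", "192.0.2.5", "tcp", 443, 1000005),
    }
    return {name: impact_flag(ev, MONITORED, NETWORK_MAP) for name, ev in events.items()}


if __name__ == "__main__":
    print(sample_flags())
    # Without Network Discovery the network map is empty, so every event
    # inside the monitored range comes back as 4 and nothing is ever 1.
    print(impact_flag(IntrusionEvent("198.51.100.7", "10.1.1.10", "tcp", 80, 1,
                                     cves={"CVE-XXXX-EXAMPLE-1"}), MONITORED, {}))
```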
Contextual Cross-Launch (6.3)
• New to Firepower Management Center (FMC) 6.3
• Several tools already included
Do you have a favorite tool?
• Add your own: Analysis -> Advanced -> Contextual Cross-Launch
• Examples for Cisco Stealthwatch and Cisco Tetration (screenshots: Stealthwatch Cross-Launch Example, Tetration Cross-Launch Example)
Agenda: Importing Snort Rules
Snort Rules
Firepower uses Snort rules for Intrusion Prevention.
Third-party Snort rules can be added manually through the Rule Editor (Objects -> Intrusion Rules -> Create Rule), or can be imported.
Snort Rule Editor (screenshot)
• Snort rules are normally created on a single line, with no special characters, and in ASCII or UTF-8 format.
• The import file can contain many rules as long as they are one rule per line. All on ONE line.
• Many of the Emerging Threats rules use deprecated syntax (the “threshold” statement). If you are importing ET rules, you’ll need to correct or remove these rules first. Threshold has been replaced with detection_filter.
• Imported rules SHOULD not carry a SID, but one is allowed.
Snort Rules (continued)
• Sometimes it is much more readable to spread the rule across multiple lines. Do this with the backslash character - \
Snort Rules (continued)
• This ET rule has a deprecated keyword – “threshold”, as well as “type limit”, so let’s fix it.
alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
Snort Rules (continued)
• The same rule with the fix applied: the threshold option (and its “type limit”) is replaced by detection_filter.
alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
detection_filter: track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)
Importing Snort Rules
• Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules.
• Click on “Import Rules”.
• Click on “Browse” to locate your file, and click “Import”.
• If successful, you will see a screen showing what has been imported.
Enabling Snort Rules
• Remember, all imported rules are Disabled by default. You need to enable these.
Agenda: IPS Pass Rule
How do you Exempt Specific Servers from a Snort Rule?
Options:
1. Look at the rule and see if you can modify the variables in use ($EXTERNAL_NET and $HOME_NET, for example).
2. Use a different Intrusion Policy for some hosts. This could have a memory or performance impact if overused.
3. Create a Pass Rule –> Probably the Best Option
Pass Rule Example
(figure: a Network Scanner at 203.0.113.24 on the campus, with a Campus Web Server and an SSH Server)
Pass Rule
1. Open the firing rule in the Rule Editor (Objects -> Intrusion Rules).
2. Change Action to “pass”.
3. Change the Message (add “PASS RULE – “ to the beginning).
4. Click “Save as New”.
5. Finally, edit the Intrusion Policy, and change the Rule State for your new Local Rule to “Generate Events”. Save and Deploy the Intrusion Policy.
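Two of the rule-text chores from this section, the threshold-to-detection_filter rewrite needed before importing ET rules and the derivation of a pass rule from a firing rule, as one added example (not Cisco or Snort tooling). The sample rule is constructed; narrowing the pass rule's source to the exempted scanner and dropping sid/rev are this example's choices, and the minimal parser does not handle every Snort quoting corner case.

```python
"""Rule-text helpers for two tasks in this deck, as an added example (not
Cisco or Snort tooling): rewriting a deprecated 'threshold' option to
'detection_filter' before import, and deriving a pass rule from a firing
rule. Parsing is deliberately minimal: rules are split on ';' and spaces,
which is enough for rules like the ones shown but not for every Snort
quoting corner case (a ';' inside a pcre, for instance)."""
import re


def join_continuations(text):
    """Fold backslash-newline continuations so each rule is one line."""
    return re.sub(r"\\\s*\n\s*", "", text)


def split_rule(rule):
    """Split 'action proto src sport dir dst dport (opts)' into header and options."""
    head, sep, opts = rule.strip().partition("(")
    if not sep or not opts.endswith(")"):
        raise ValueError("rule has no option block: %r" % rule)
    options = [o.strip() for o in opts[:-1].split(";") if o.strip()]
    return head.strip(), options


def assemble(head, options):
    return head + " (" + "; ".join(options) + ";)"


def convert_threshold(rule):
    """threshold: type X, track T, seconds S, count C
       -> detection_filter: track T, seconds S, count C"""
    head, options = split_rule(rule)
    fixed = []
    for opt in options:
        key, _, val = opt.partition(":")
        if key.strip() == "threshold":
            parts = [p.strip() for p in val.split(",")]
            # 'type limit' has no detection_filter equivalent; drop it
            parts = [p for p in parts if not p.startswith("type ")]
            opt = "detection_filter: " + ", ".join(parts)
        fixed.append(opt)
    return assemble(head, fixed)


def make_pass_rule(rule, exempt_sources):
    """Pass rule per the deck's recipe (action 'pass', message prefixed with
    'PASS RULE - '), plus two choices of this example: the source field is
    narrowed to the hosts being exempted, and sid/rev are dropped so FMC
    assigns a local SID when the rule is saved or imported."""
    head, options = split_rule(rule)
    fields = head.split()          # action proto src sport dir dst dport
    if len(fields) != 7:
        raise ValueError("unexpected rule header: %r" % head)
    fields[0] = "pass"
    fields[2] = "[" + ",".join(exempt_sources) + "]"
    kept = []
    for opt in options:
        key, _, val = opt.partition(":")
        key = key.strip()
        if key in ("sid", "rev"):
            continue
        if key == "msg":
            opt = 'msg:"PASS RULE - ' + val.strip().strip('"') + '"'
        kept.append(opt)
    return assemble(" ".join(fields), kept)


# Constructed sample rule in the shape of the ET rule on the slide
# (the long Spamhaus address list replaced by $EXTERNAL_NET).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"EXAMPLE SSH connection burst"; flags:S; '
    'threshold: type limit, track by_src, seconds 3600, count 1; '
    'classtype:misc-activity; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    print(convert_threshold(SAMPLE_RULE))
    print(make_pass_rule(SAMPLE_RULE, ["203.0.113.24"]))
```

Note that detection_filter is a rate trigger (it fires once count matches are seen within seconds), not the one-alert-per-window suppression that "type limit" provided; if you need the limit behaviour on Firepower, set a threshold on the rule in the Intrusion Policy instead.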
Snort Restart and Reload Architecture
Why does Snort Restart?
• New version of Snort in policy deploy
6.2.3 and later warns if any configuration change will interrupt inspection (restart Snort).
Mitigations
1. Snort Preserve-Connection (6.2.0 / 6.2.3 introduction)
2. Software Bypass
Snort Preserve-Connection
• When Snort goes down, connections with an Allow verdict are preserved in LINA.
• Snort does NOT do a mid-session pickup on preserved flows when it comes back up.
• Does NOT protect against new flows while Snort is down.
• Introduced in 6.2.0.2/6.2.3. Enabled by default in 6.2.3.
• Can be enabled/disabled from the CLI:
configure snort preserve-connection enable/disable
Software Bypass
• With inline Fail-Open deployments, traffic is passed uninspected on the software bridge when Snort is down.
• When Snort comes up, Snort does a mid-session pickup on traffic.
Agenda: Bypass Options
Bypass Options
Software Bypass: allows traffic through, uninspected, when Snort is down or busy.
Fail to Wire Interfaces
Fail-to-Wire requires an Inline Set, Inline Pair, or Inline Tap deployment.
Automatic Application Bypass (AAB)
Detects Snort failures or degraded performance and triggers a restart of the impacted Snort process. First available in FTD in 6.2.2.
Trust Rules
Within the Access Control Policy, defined traffic can be exempted from File and IPS inspection, which accelerates it through the appliance. Basing the rule on Source/Destination Port and IP addresses is most effective. Security Intelligence feeds are still applied to Trust rules.
PreFilter Policy
PreFilter rules are processed prior to Intrusion Prevention or Access Control Policies. If traffic can be defined by Zone, Network, and Port (similar to an ASA rule), the traffic can be FastPathed. This is similar to a Trust rule, but Security Intelligence is not applied.
Intelligent Application Bypass (IAB)
Detects degraded performance within an application. If that application is trusted, you can configure it to automatically bypass inspection for it, and accelerate the traffic.
Agenda: Bypass Options – Intelligent Application Bypass
Intelligent Application Bypass
What is IAB?
IAB takes action when a Snort instance is Under Duress if conditions are
met:
1. Is the flow a candidate for bypass?
2. Is this a bypassable application?
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Intelligent Application Bypass
Caveats!
• When IAB works to full capability, the flow under duress is executed the
same as a PreFilter FastPath or ACP Trust rule.
• If the Access Control Policy (ACP) uses IP-based Security Intelligence,
then Snort needs to see the traffic briefly before it is FastPathed.
• If the ACP uses DNS- or URL-based Security Intelligence, then both Snort
and AppID need to see traffic before it is FastPathed. AppID sometimes
takes longer to identify the application, depending on which application it
is.
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
Configuring Intelligent Application Bypass
Find IAB on the Advanced tab of the Access Control Policy. In 6.2.3, it is on the
bottom left of the page. In 6.3, it is on the top right.
Configuring Intelligent Application Bypass
Set the State to On or Test.
Configuring Intelligent Application Bypass
Inspection Performance Thresholds: Is the snort process under duress?
• Drop Percentage
• Processor Utilization
• Packet Latency
• Flow Rate
Configuring Intelligent Application Bypass
Flow Bypass Thresholds: Is the flow a candidate to bypass?
These values are all a Logical OR.
Configuring Intelligent Application Bypass
Flow Bypass Thresholds: Is the flow a candidate to bypass?
I disagree with this default value. 250,000 kbytes/second will never trigger on today’s FP or ASA hardware. A better starting value for most customers is about 40,000 or 50,000 kbytes/second (45000 in the example).
Configuring Intelligent Application Bypass
Define Applications that are Bypassable
Monitoring Intelligent Application Bypass
IAB Events appear in Connection Events with reason of “Intelligent App Bypass”
OpenAppID
Cisco’s Open Source Application Layer Plugin for Snort and Firepower
OpenAppID uses the Lua programming language to identify applications. There are a
number of attributes it can look at, including:
OpenAppID
Most internal Firepower Application Detectors are included in the Snort OpenAppID rules,
including Lua source code.
OpenAppID within Firepower
Application Detectors
OpenAppID within Firepower
Basic Application Detector
OpenAppID within Firepower (For Your Reference)
OpenAppID Example with Intrusion Policy
OpenAppID and the Intrusion Policy
A lot of “noise” is created in the Intrusion Logs of any IDS/IPS product by automated scripts searching for vulnerable systems and trying generic attacks.
(Diagram: Internet → Web Server)
OpenAppID and the Intrusion Policy
An Example
These scans or attacks against your IP addresses may or may not be successfully
blocked by your IPS devices.
They generate noise in your logs.
Question:
Is there a legitimate reason for Internet users to access your server(s) by IP address
instead of FQDN?
OpenAppID and the Intrusion Policy
An Example
The Goal:
Block all web traffic that targets an IP address rather than the correct hostname. Use the Intrusion Policy to inspect legitimate traffic.
(Diagram: Internet → Web Server, with the IP-addressed request blocked)
OpenAppID and the Intrusion Policy
Creating the Custom Detector
1. From the Application Detectors screen, click the button to Create Custom Detector.
OpenAppID and the Intrusion Policy
Creating the Custom Detector
3. Complete the required fields to name your custom application.
4. Click OK.
OpenAppID and the Intrusion Policy
Creating the Custom Detector
8. Click “Add” to add Detection Patterns.
OpenAppID and the Intrusion Policy
Creating the Custom Detector
14. Click on “Save”.
15. You can find your Application Detector by selecting Custom Type in the Filters.
16. The new Application Detector will not function until it is Activated by clicking on the State slider.
OpenAppID and the Intrusion Policy
Activating the Custom Detector
WARNING: When you Activate or Deactivate any Detector, it will trigger your appliances in the current domain or child domain to restart Snort. This will potentially be disruptive to your network traffic.
OpenAppID and the Intrusion Policy
Assigning Custom Detector to Access Control and Intrusion Policy
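Because activating a detector restarts Snort, it is worth checking the Host-header distinction the detector relies on (bare IP address versus hostname) against sample requests first. The check below is an added example, not the detector's Lua or the session's configuration; the request samples are constructed, and the IPv4-with-port and IPv6-literal cases show why a plain dotted-quad pattern is not enough.

```shell
#!/bin/bash
# Added example, not from the session: classify the Host header of an HTTP
# request as "ip" (request addressed to a bare IP, the scanner noise the
# custom detector should match) or "fqdn" (legitimate traffic that goes on
# to the Intrusion Policy). Use it to sanity-check the detection pattern
# against sample requests before activating the detector.

# host_kind REQUEST_FILE: prints ip, fqdn, or none (no Host header present).
host_kind() {
  # Header name is case-insensitive; strip CR and the "Host:" prefix.
  host="$(grep -i -m1 '^Host:' "$1" | tr -d '\r' \
          | sed -E 's/^[Hh][Oo][Ss][Tt]:[[:space:]]*//')"
  [ -n "$host" ] || { echo none; return; }
  if printf '%s\n' "$host" | grep -Eq '^\[[0-9A-Fa-f:.]+\](:[0-9]+)?$'; then
    echo ip            # IPv6 literal, e.g. [2001:db8::1]:8443
  elif printf '%s\n' "$host" | sed -E 's/:[0-9]+$//' \
         | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo ip            # IPv4 literal, with or without a :port suffix
  else
    echo fqdn          # anything else is a hostname
  fi
}

# Constructed sample requests for a stand-alone run.
d="$(mktemp -d)"
printf 'GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n'   > "$d/legit.txt"
printf 'GET / HTTP/1.1\r\nHost: 203.0.113.5:8080\r\n\r\n'  > "$d/scan4.txt"
printf 'GET / HTTP/1.1\r\nhost: [2001:db8::1]\r\n\r\n'     > "$d/scan6.txt"
for f in legit scan4 scan6; do
  printf '%s: %s\n' "$f" "$(host_kind "$d/$f.txt")"   # legit: fqdn, scan4: ip, scan6: ip
done
rm -rf "$d"
```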
OpenAppID and the Intrusion Policy
Effectiveness…
Security Intelligence Feeds (For Your Reference)
Included SI Feeds:
Security Intelligence
According to Network Computing, 72% of
all internet traffic is SSL encrypted.
SSL Inspection
The percentage of TLS/SSL traffic is increasing dramatically. IDS/IPS deployments need to take this into consideration.
Options to consider:
1. Decryption Offload, passing decrypted traffic to the Sensor
2. Onbox Decryption
SSL Inspection
Firepower can decrypt TLS/SSL traffic if you want on-box decryption.
Inbound Traffic
• Traffic is decrypted by installing the servers’ SSL certificate and private key onto the FMC
Outbound Traffic
• Traffic is decrypted by installing a wildcard certificate and performing a “man in the middle attack” against your users’ SSL traffic.
SSL Inspection with Known Key
Example
You need both the host’s private key and the .crt file.
Go to Objects -> PKI -> Internal Certs to add the certificate information for
the host.
SSL Inspection with Known Key
Example
Create an SSL Policy to decrypt traffic with this known key for the associated
host. Once this is complete, add this SSL Policy to the Access Control
Policy.
SSL Hardware Decryption
• Firepower 6.3 enables Hardware Decryption, by default, for SSL/TLS traffic on Firepower appliances, including the FP-2100.
• Firepower 6.2.3 enabled Hardware Decryption on FP-4100/9300 platforms, but it was disabled by default.
• Performance is dramatically improved over the Software Decryption that was previously performed.
To disable hardware decryption, you can use the following command from the FTD CLI:
Thank you
Additional Slides
These slides did not fit in the time allowed for the session.
Security Intelligence
Example
Security Intelligence Custom Feed
An Example
A publicly-exposed SSH Server will be continuously probed for weaknesses, as well as brute-force login attempts.
Let’s use failed login attempts to build our own SI Feed.
(Diagram: Internet → SSH Server)
Security Intelligence Custom Feed
An Example
The Goal:
Create your own Security Intelligence Feed to block hosts that attempt to log in to your SSH Server and fail authentication multiple times.
(Diagram: Internet → SSH Server and Web Server, with the offending host blocked)
Security Intelligence Custom Feed
Prerequisites
1. The first step is to configure your honeypot with the desired services
installed, hardened, and logged.
Security Intelligence Custom Feed
Prepare the Target
3. Create a script to parse the blocked IP addresses from DenyHosts’ log file. The /etc/hosts.deny file looks like this:
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
# DenyHosts: Tue Jan 31 09:42:58 2017 | ALL: 198.51.100.3
ALL: 198.51.100.3
# DenyHosts: Tue Jan 31 19:50:17 2017 | ALL: 198.51.100.27
ALL: 198.51.100.27
# DenyHosts: Wed Feb 1 16:57:02 2017 | ALL: 203.0.113.230
ALL: 203.0.113.230
4. Use your favorite scripting language to parse the addresses. This simple Bash script works:
#! /bin/bash
grep '^ALL:' /etc/hosts.deny | awk '{print $2}' > /var/www/html/sshblock.txt
Security Intelligence Custom Feed
Prepare the Target
5. Generate some SSH traffic, with failed logins, to make sure you are capturing the addresses. Be careful: DenyHosts will by default ban your IP address in the hosts.deny file. You will need to know how to clear the blocks.
This is a useful site:
http://www.tecmint.com/block-ssh-server-attacks-brute-force-attacks-using-denyhosts/
6. Make sure to run your script (from Step 4) on a regular basis by running a cron job every few minutes or so.
/var/www/html/sshblock.txt (one IP address per line):
203.0.113.4
192.0.2.120
198.51.100.3
198.51.100.27
203.0.113.230
Security Intelligence Custom Feed
Prepare the Target
7. Verify you can download the file with a web browser. It is a good idea to
host the file on a server reachable internally only, rather than one accessible
to the outside world.
Security Intelligence Custom Feed
Create the Feed
9. Select Feed, and populate the URL information and Update Frequency.
Security Intelligence Custom Feed
Create the Feed
10. In your Access Control Policy, click the Security Intelligence tab, and add the new feed to the Blacklist.
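The parsing and publishing side of Steps 3 through 6 as one script, an added example rather than the session's own script: it validates and de-duplicates the addresses before writing the feed file, so a corrupt hosts.deny line cannot end up in the Blacklist, and replaces the file atomically so an FMC fetch never reads a half-written feed. The file paths and the cron interval are assumptions; the hosts.deny sample is constructed.

```shell
#!/bin/bash
# Added example, not from the session: turn the DenyHosts entries in
# /etc/hosts.deny into a one-address-per-line feed file that FMC can fetch.
# Paths and cron interval are assumptions, not values from the session.

# build_feed SRC DST: take the address from every "ALL: <ip>" line in SRC,
# drop anything that is not a well-formed IPv4 address, de-duplicate, and
# replace DST atomically so a feed download never sees a partial file.
build_feed() {
  src="$1"; dst="$2"
  tmp="$(mktemp)" || return 1
  grep -E '^ALL:[[:space:]]+' "$src" \
    | awk '{ print $2 }' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' \
    | sort -u > "$tmp"
  mv "$tmp" "$dst"
}

# Constructed sample of /etc/hosts.deny (DenyHosts format) for a stand-alone
# run; it contains a duplicate and a malformed address to show both are dropped.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
ALL: 203.0.113.4
ALL: 999.0.2.1
EOF
feed="$(mktemp)"
build_feed "$sample" "$feed"
cat "$feed"      # 192.0.2.120 and 203.0.113.4, each once, one per line
rm -f "$sample" "$feed"

# In production, call it from cron, e.g. every 5 minutes (assumed interval):
#   */5 * * * * /usr/local/bin/sshblock.sh
# where sshblock.sh runs: build_feed /etc/hosts.deny /var/www/html/sshblock.txt
```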
ASA with Firepower Services
ASA with Firepower Services uses traditional ASA software and a hardware or virtual IPS
module running Firepower software. Often referred to as ASA+SFR.
Example: ASA-5506-X, ASA-5525-X, ASA-5545-X, ASA-5585-X
Firepower Threat Defense
Firepower Threat Defense (FTD) software combines ASA and Firepower features into a single software image. This is available on newer Firepower appliances and most ASA-5500-X models.
Example: ASA-5506-X, ASA-5545-X, FP-2110, FP-4140, FP-9300, NGFWv, but NOT the ASA-5585-X
Routed / Transparent Mode
Firepower Threat Defense
(Diagram: VLAN 10 and VLAN 20)
Passive Mode
Firepower Threat Defense, Firepower, ASA with Firepower Services
Inline Pair Mode
Firepower Threat Defense or Firepower
Inline Pair: Traffic passes from one member interface to another, without changing either VLAN or L3 network. It functions as a smart wire.
Inline Pair Mode
Firepower Threat Defense or Firepower
Inline Set:
The Problem with Asymmetric Traffic
(Diagram: Web Server)
Clustering