Advanced FTD Lab

Lab Introduction
Eric Kostlan
Technical Marketing Engineer
October 15th, 2017
Key Learning Objectives

At the end of the Lab session, you should be able to:


• Perform basic configuration of the NGFW with the REST API and FMC
• Configure the new features provided by the 6.2.2 release:
  • Remote Access VPN with AnyConnect
  • Cisco Threat Intelligence Director (CTID)
• Configure selected features from earlier releases

#WWST #CISCOVT #CISCOSE


Cisco Firepower Next-Generation Firewall
Also known as Firepower Threat Defense or FTD

Release timeline (ASA code base in parentheses):
• FP 6.0.1 (ASA 9.6.1): 6.0.1 CCO Post, March 20th, 2016
• FP 6.1
• FP 6.2 (ASA 9.7.1)
• FP 6.2.1 / FP 6.2.2 (ASA 9.8.1 / ASA 9.8.2): 6.2.2 CCO Post, September 5th, 2017


Remote Access VPN
Customer Use Case
Provide advanced security for remote users
• Secure SSL/IPsec AnyConnect access to the corporate network
• Support for Split Tunneling or Backhauling to the Internet to handle traffic from remote users to the Internet
• AMP and File inspection Policy to monitor roaming user data
• Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
• Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data
• Monitoring and Troubleshooting to monitor remote access activity, and a simplified tool for troubleshooting

(Diagram: remote users reach the Campus/Private Network through the ISP and the Edge, where an FP2100 pair runs in HA.)
RA VPN on FTD Versus ASA

Features provided in FTD (and ASA):
• Both SSL and IPsec with AnyConnect
• Basic AAA
  • LDAP/AD, client certificate, RADIUS attributes, DACLs, Time ranges
• Time Ranges
• AnyConnect client
• Proxy/DNS/WINS server assignment
• Simple configuration
• Session monitoring and control

Features only supported by ASA:
• Advanced AAA
  • Kerberos, TACACS, SAM, RSA SDI, Local Authentication, RADIUS CoA
• Hostscan/Endpoint assessment
• AnyConnect client customization
• Dynamic Access Policies (DAP)
• LDAP attribute map
• VPN Load Balancing
• Clientless RA VPN


RA VPN Components
• Access interfaces – determine the interfaces to be used by RA VPN
  • SSL settings, such as access ports
  • IKEv2 settings, such as the certificate
• AnyConnect image – client package to be installed on the endpoint
• AnyConnect client profile – XML that can be uploaded into the FMC as a file object
  • Referenced in the group policy and downloaded to the endpoint while the VPN connection is initiating
  • Includes many parameters for the AnyConnect client
• Connection profiles – determine how authentication is performed
• Group policies – a set of user-oriented attribute/value pairs for RA VPN users
  • DNS/WINS, SSL/DTLS, timeouts, client bypass protocol and DHCP network scope
  • Split tunnel and split DNS configuration
  • VPN filter, egress VLAN and client firewall rules
  • AnyConnect client profile, SSL/DTLS settings and connection settings


Objects Associated with RA VPN



RA VPN Configuration Wizard (FMC)



Modifying Remaining RA VPN Components



Cisco Threat Intelligence Director (CTID)
Customer Use Case
• An increasing proportion of customers are consuming cyber threat intelligence from third parties
• Customers need to operationalize cyber threat intelligence

Source: SANS™ Institute, March 2017, written by Dave Shackleford
Cyber Threat Intelligence Today

Targeted at:
• Security Buyers with Cisco Firepower/AMP
• Financial Institutions/FS-ISAC who are mandated to ingest and share CTI in STIX and TAXII
• Enterprises with mature security programs that have made the investment into intelligence sources

Problems with cyber threat intelligence today:
• Presents operationalization challenges
• Requires an analyst to make sense of it and relate it to the organization
• Focuses on threats but does not answer whether or not the user is vulnerable or protected
• Requires multiple intelligence sources, both free and paid
• Uses no single machine-readable format


Cisco Threat Intelligence Director (CTID)

Targeted at:
• Security Buyers with Cisco Firepower/AMP
• Financial Institutions/FS-ISAC who are mandated to ingest and share CTI in STIX and TAXII
• Enterprises with mature security programs that have made the investment into intelligence sources

The solution: Cisco Threat Intelligence Director (CTID)
• Uses customer CTI to identify threats using sophisticated correlation across Firepower NGFW/AMP
• Automatically blocks supported indicators on Cisco NGFW using added context from intelligence sources
• Provides a single integration point for all STIX and CSV intelligence sources

Note: The Department of Homeland Security (DHS) and Financial Services Information Sharing and Analysis Center (FS-ISAC) have promoted the adoption of STIX and TAXII as standards for sharing CTI


Target Customer Using CTID: Third Parties

Intelligence Vendors:
• AlienVault
• Crowdstrike
• FireEye/iSIGHT Partners
• Flashpoint
• Symantec DeepSight

Threat Intelligence Platform (TIP) Vendors:
• Anomali
• EclecticIQ
• Lookingglass
• ThreatConnect
• ThreatQuotient

Note: These are the tested third parties. The architecture supports any third party that provides indicators in STIX or flat file format.


Cisco Threat Intelligence Director (CTID)

(Workflow diagram, centred on the FMC running Cisco Threat Intelligence Director:)
• Step 1: Ingest third-party Cyber Threat Intelligence indicators
• Step 2: Publish observables to sensors (NGFW / NGIPS with Block or Monitor action; ESA / WSA / AMP)
• Step 3: Detect and alert to create incidents


Structured Threat Information eXpression (STIX™)

• A structured language for cyber threat intelligence
• Designed to convey data about cybersecurity threats
• XML based
• Standardized



Structured Threat Information eXpression (STIX™)

• Indicators: definition of the threat
• Observables: components of a threat that can be observed by a network device
• Incidents: events triggered when the indicator is observed
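The indicator / observable / incident vocabulary above and the three-step CTID workflow (ingest, publish, detect) worked through end to end, as an added Python example that is not Cisco's or the lab's code. It parses a constructed STIX 1.x package and a constructed flat file into observables, builds the per-type lookup tables a sensor would hold after a publish, and raises an incident for each constructed connection event that matches. The namespace URIs are the public STIX 1.x / CybOX 2.x ones; every id, title, address, domain and event is a constructed sample value, and the "ipv4"/"domain" classification, the table layout and the event fields are this example's own assumptions, not how the FMC or the sensors represent observables.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# STIX 1.x / CybOX 2.x namespaces referenced by the constructed sample package below
NS = {"stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}

# Constructed STIX 1.2 package: one IPv4 indicator and one domain indicator (ids are made up)
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Sample C2 address</indicator:Title>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Sample phishing domain</indicator:Title>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
          <DomainNameObj:Value>bad.example.net</DomainNameObj:Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed flat-file feed: one indicator per line, '#' starts a comment
SAMPLE_FLAT = "# constructed feed\n198.51.100.77\nevil.example.org\n"

@dataclass(frozen=True)
class Observable:
    kind: str       # "ipv4" or "domain" (this example's own classification)
    value: str
    indicator: str  # STIX indicator title, or the feed name for flat-file entries

def parse_stix(xml_text):
    """Step 1 (STIX): walk Indicator -> Observable -> Object -> Properties into Observables."""
    found = []
    for ind in ET.fromstring(xml_text).iterfind(".//stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default=ind.get("id", ""), namespaces=NS).strip()
        for props in ind.iterfind(".//cybox:Properties", NS):
            kind = "ipv4" if props.get(f"{{{NS['xsi']}}}type", "").endswith("AddressObjectType") else "domain"
            for child in props:  # AddressObj:Address_Value or DomainNameObj:Value carries the value
                if child.tag.rsplit("}", 1)[-1] in ("Address_Value", "Value") and child.text:
                    found.append(Observable(kind, child.text.strip(), title))
    return found

def parse_flat(text, feed="flat-file"):
    """Step 1 (flat file): a line that parses as an IPv4 address is an address, anything else a domain."""
    found = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        try:
            ipaddress.IPv4Address(line)
            found.append(Observable("ipv4", line, feed))
        except ValueError:
            found.append(Observable("domain", line.lower(), feed))
    return found

def publish(observables):
    """Step 2: the per-kind lookup tables a sensor would hold once observables are published."""
    table = {"ipv4": {}, "domain": {}}
    for ob in observables:
        table[ob.kind][ob.value.lower()] = ob
    return table

def detect(table, events):
    """Step 3: match each connection event against the tables; every hit becomes an incident."""
    incidents = []
    for ev in events:
        hit = table["ipv4"].get(ev["dst_ip"]) or table["domain"].get(ev.get("host", "").lower())
        if hit:
            incidents.append({"indicator": hit.indicator, "observable": hit.value, "src_ip": ev["src_ip"]})
    return incidents

# Constructed connection events (RFC 5737 addresses, example.* names)
SAMPLE_EVENTS = [{"src_ip": "10.1.1.5", "dst_ip": "203.0.113.10", "host": ""},
                 {"src_ip": "10.1.1.6", "dst_ip": "192.0.2.40", "host": "www.example.com"},
                 {"src_ip": "10.1.1.7", "dst_ip": "192.0.2.41", "host": "Evil.example.org"}]

def run_pipeline():
    """Ingest both sources, publish, and return the incidents raised on the sample events."""
    return detect(publish(parse_stix(SAMPLE_STIX) + parse_flat(SAMPLE_FLAT)), SAMPLE_EVENTS)

if __name__ == "__main__":
    for inc in run_pipeline():
        print(f"{inc['indicator']}: {inc['observable']} contacted by {inc['src_ip']}")
```

Two of the three sample events raise incidents: the first because its destination address is the STIX indicator's observable, the third because its host name, once lower-cased, is in the flat-file feed. The domain lookup is case-folded on both the publish and the detect side so that a mixed-case host header cannot slip past an indicator; the flat-file parser classifies by trying `ipaddress.IPv4Address` first, so a feed line that is not a valid address is never silently treated as one.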


Getting Started with STIX™

§ Visit the STIX Project Website
  • URL: https://stixproject.github.io/
§ Create sample STIX files
  • URL: https://generator.cosive.com/


Trusted Automated eXchange of Indicator Information (TAXII™)

§ Transport mechanism for STIX
§ Standardizes the automated exchange of cyber threat information
§ Free
§ Open Source


Hail a TAXII !!

§ Free source of TAXII feeds
§ Website URL: http://hailataxii.com
§ Multiple feeds
§ To configure the TAXII intelligence source
  • URL: http://hailataxii.com/taxii-discovery-service
  • USERNAME: guest
  • PASSWORD: guest


Lab Topology

(Lab topology diagrams; not reproduced in this text.)


Lab Outline
Lab Table of Contents – Core

• Scenario 1: Device Deployment with the REST API
• Scenario 2: Basic Configuration
• Scenario 3: AnyConnect Remote Access VPN
• Scenario 4: AnyConnect with RADIUS Attributes
• Scenario 5: AnyConnect with Client Certificates
• Scenario 6: Monitoring and Troubleshooting
• Scenario 7: Cisco Threat Intelligence Director (CTID)


Lab Table of Contents – Auxiliary

• Scenario 8: FlexConfig
• Scenario 9: ASA to NGFW Migration
• Scenario 10: NAT and Routing
• Scenario 11: Site-to-Site VPN
• Scenario 12: Web Proxy Integration
• Scenario 13: Prefilter Policies
• Scenario 14: Integrate Routing and Bridging (IRB)


Lab Dependencies

• All scenarios rely on Scenario 1 and Scenario 2. These must be done, and must be done in order.
• Scenarios 3 through 6 cover RA VPN in detail, and must be done in order. But you can stop at any point and go on to other scenarios.
• Scenario 13 uses the static NAT configuration from Scenario 10.


Sample Lab Exercise Set

• Scenario 1: Device Deployment with the REST API
• Scenario 2: Basic Configuration
• Scenario 3: AnyConnect Remote Access VPN
• Scenario 4: AnyConnect with RADIUS Attributes
• Scenario 7: Cisco Threat Intelligence Director (CTID)
• Scenario 8: FlexConfig
• Scenario 10: NAT and Routing
• Scenario 11: Site-to-Site VPN

Additional Resources

• Firepower Management Center Configuration Guide, Version 6.2.2
• Firepower Release Notes, Version 6.2.2
• Firepower REST API Quick Start Guide, Version 6.2
• Search for Cisco NGFW on YouTube