The Next Generation Firewall
- and the Megatrends that impact Security

Håkan Nohre
Technical Solutions Architect,
Cisco Technical Advisory Group Cyber Security

26 October 2017
About Me
• hnohre@cisco.com
• Live in Sweden (Stockholm)
• Consulting Systems Engineer (EMEAR)
• With Cisco since 1997
• Before Cisco: software development in C, C++ and Assembler
• Focus on Cyber Security, GIAC Pen Tester #9666, CISSP#76731
• Cisco Live Las Vegas 2017 Sessions
• It's Cats vs Rats in the Attack Kill Chain! - BRKSEC-2002
• Hacking in the Attack Kill Chain v2 - LTRSEC-3300
• Building a Practical Defence against Cyber Attacks – TECSEC-2501
• Deploying AnyConnect with ASA (and Firepower)! – BRKSEC 2005

BRKSEC-2309
About You
• Name
• Previous experience of Cisco Firepower
• Previous experience of other Cisco Security products
• ASA
• AnyConnect
• ISE
• Umbrella
• Stealthwatch
• AMP for Endpoints
• Email Security
• Web Security
• ……
Agenda
• Lecture Introduction to NGFW
• NGFW Basic Lab
- Add device with REST API
- Basic config, NAT, Routing
- Flexconfig
- Routing (BGP)
- Prefilter Policies
• Lecture: Troubleshooting/Internals
• NGFW Advanced Lab
- Integrated Bridge/Routing
- High Availability
- Remote Access VPN AnyConnect
- Site-to-Site VPN
- Troubleshooting
- Threat Intelligence Director
- Migration
• NGFW Attack Lab
Megatrends Impacting IT Security

“Internet is going dark”

Internet of Everything

Cloud Adoption

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Point-in-time Deep-packet Inspection Perimeter Defense
• Segment the network
• Detect anomalies: Telemetry, Signature-less
• Endpoint Security
Cisco architecture for security

Integrated Threat Defense
– Threat Intelligence
– Network, Endpoint, Cloud
– Services
Strategic Acquisitions
• Threat Focus
• Client Security
• Discover threat without signatures
• CASB
• Open Source
Enhance Your Security Capability
• Early Detection
• Accurate Scoping
• Proper Containment
• Reassess Defences
Result: Security Effectiveness

Security Intelligence [Talos]
• Threat Research, Intelligence, Response
• Sources: WWW, Email, Endpoints, Web, Networks, IPS, Devices
• Activities: Advanced Industry Disclosures, Outreach Activities, AEGIS™ & SPARK, Dynamic Analysis, Open Source Communities
• Threat Centric Detection Content: SEU/SRU, VDB, Security Intelligence, Email & Web Reputation
• By the numbers: 100 TB Intelligence; 1.6M sensors; 150 million+ endpoints; 180,000+ Files per Day (Sandbox); 1B SBRS Queries per Day; 35% of email world wide; 3.6PB Monthly through CWS; FireAMP™ 3+ million; 14B web requests

Agenda
• Megatrends Impacting IT Security
• Necessary Defence in the Attack Kill Chain
– Segmentation of the Network
– Detect attacks without using signatures
– Improve client security
– Improved Perimeter Defence: A Threat Focused Next Generation Firewall
• Summary

Network Segmentation Key To Good Network Hygiene
--Reuven Harrison, NETWORKComputing, 2014

Only 1 out of 20 customers in the recent Cisco Strategic Secure Access User Forum implemented segmentation, with 32,000 VLANs…

It's much easier to equip your organization with a secure defense through proper network segmentation than to explain to shareholders and the media how hackers were able to access millions of records on your system.
--Nimmy Reichberg & Mark Wolfgang, Network World 2014

“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network.”
Segmentation (Network Access Control)

Automatic Logical Separation (of the inside)

Traditional Segmentation
• Based on VLAN
• Tied to IP addressing
• Rules change with network changes!
• Expensive to maintain!

Rule table (tied to addresses):
Source      User   Dest           Application
10.1.1.0           192.168.1.0    HTTPS
            HR     192.168.2.10   HTTPS
10.1.2.0           192.168.3.0    SIP
10.1.3.0           10.1.3.0       SCADA

(Diagram sites: 1 Tasman, 15 King St, 25 Oxford St, 3 Regent St, 12 La Rambla, 4 Oxford, 15 Tottenham, Everywhere)
Segmentation based on Security Groups
• All clients associated with a Security Group TAG
  – Based on identity, device type, posture requirements
• Rule table independent of addressing!
• Simple to maintain!
• Increased granularity, taking into account device type etc.

Rule table (tied to Security Groups):
Source     User   Dest           Application
iPAD       HR     Citrix         HTTPS
IPphone           PhoneServer    SIP
Sensor            ICSserver      SCADA

(Diagram security groups: Citrix, iPAD, Gateway, ICSserver, IPphone, Sensor)

Agenda
• Megatrends Impacting IT Security
• Necessary Defence in the Attack Kill Chain
– Segmentation of the Network
– Detect attacks without using signatures
– Improve client security
– Improve Perimeter Defence: Threat Focused Next Generation Firewall
• Summary

Cisco NGFW: Firepower Threat Defence

Cisco NGFW Platforms
Firepower Threat Defense for:
• ASA 5500-X: 250 Mb -> 1.75 Gb (NGFW + IPS Throughput)
• Firepower 2100 Series: 2 Gb -> 8 Gb (NGFW + IPS Throughput)
• Firepower 4100 Series and Firepower 9300: 41xx = 10 Gb -> 24 Gb, 93xx = 24 Gb -> 53 Gb; up to 6x with clustering! DDOS protection!

NGFW capabilities all managed by Firepower Management Center

Cisco NGFW in the Private and Public Cloud

Threat Focused Management
Firepower Management Center (FMC)
- Previously known as FireSIGHT

Capabilities:
• NGFW/NGIPS Management
• Forensics / Log Management
• Network AMP / Trajectory
• Vulnerability Management
• Incident Control System
• Adaptive Security Policy
• Retrospective Analysis
• Correlated SIEM Eventing
• Network-Wide / Client Visibility

Visibility Categories:
• Threats
• Users
• Web Applications
• Application Protocols
• File Transfers
• Malware
• Command & Control Servers
• Client Applications
• Network Servers
• Operating Systems
• Routers & Switches
• Mobile Devices
• Printers
• VoIP Phones
• Virtual Machines

Visibility: Firepower Discovers
• ...automatically
• Hosts, OS, Logged in Users, Applications, Vulnerabilities
• Gives much more than just Application Visibility and Control (AVC)

(Diagram: host profile for Host 10.1.19.4 showing OS, User john, Apps, Vulnerabilities)

Visibility: Firepower Discovers Users
• User Agent installed on Windows machine
• Reads Active Directory logon and logoff events
• Informs Firepower

(Diagram: john logs on; the Active Directory User Agent reports it; the host profile for Host 10.1.19.4 now shows OS, User john, Apps, Vulnerabilities)
Only the Network can Identify Other Devices
• Device authenticates to network (802.1X or MAB)
• Cisco ISE shares info with pxGrid
• Works even if device is not in Active Directory

(Diagram: ISE -> pxGrid -> host profile for Host 10.1.19.4: OS, User john, Apps, Vulnerabilities)

FirePOWER™ Services: NGIPS
• IPS Engine based on Open Source Snort™
• Best Threat Effectiveness
• Best Value (lowest TCO/protected Mbps)
• Subscription License
• OpenAppID

Visibility: Reduce Workload & Improve Performance (IPS)
• Firepower recommends IPS tuning
• Reduces Workload
• Improves Performance
• Adapt IPS tuning to environment

Reduced Risk and Cost

Visibility: Reduced Workload and Risk (IPS)
• Increased IPS efficacy
• Focus on Relevant Alerts

(Diagram: host profile for Host 192.168.3.1 showing OS, User john, Apps, Vulnerabilities; the host is Vulnerable, so the action is Act Immediately)

Reduced Risk and Cost

Cisco Firepower Simplifies Operations (IPS)
It tells you which alerts are the most important!
Correlates all intrusion events to an impact of the attack against the target.

Impact Flag                  Administrator Action   Why
1 Vulnerable                 Act Immediately        Event corresponds to vulnerability mapped to host
2 Potentially Vulnerable     Investigate            Relevant port open or protocol in use, but no vuln mapped
3 Currently Not Vulnerable   Good to Know           Relevant port not open or protocol not in use
4 Unknown Target             Good to Know           Monitored network, but unknown host
0 Unknown Network            Good to Know           Unmonitored network
OT Pre-Processors – Modbus command inspection

Example: a Modbus rule to prevent a set point change with limit > 50 on RTU-0122.
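To show what a preprocessor has to do before such a rule can fire, here is an added example (not Cisco's Modbus preprocessor): it parses the Modbus/TCP MBAP header and the two write-register functions, then applies the slide's rule. The unit id assumed for RTU-0122 (122), the holding register assumed to carry the set point (0x0010) and the request frames are all constructed.

```python
"""Modbus/TCP write inspection (added example, not Cisco code): parse the MBAP
header and write-register PDUs, then block set-point writes above the limit."""
import struct

RTU_UNIT_IDS = {"RTU-0122": 122}   # assumed mapping of RTU name to Modbus unit id
SETPOINT_REGISTER = 0x0010         # assumed holding register carrying the set point
SETPOINT_LIMIT = 50                # rule from the slide: block set point > 50

FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10


def build_request(unit_id, function_code, data, transaction_id=1):
    """Build a Modbus/TCP request: MBAP header (tid, protocol 0, length, unit) + PDU."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_register_writes(frame):
    """Return [(unit_id, register, value), ...] for the write-register functions.

    Other functions yield []. Malformed frames raise ValueError so the caller can
    treat them as a protocol violation instead of silently allowing them."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, protocol, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header (protocol id or length)")
    function_code, data = frame[7], frame[8:]
    if function_code == FC_WRITE_SINGLE_REGISTER:
        if len(data) != 4:
            raise ValueError("write single register needs 4 data bytes")
        register, value = struct.unpack(">HH", data)
        return [(unit_id, register, value)]
    if function_code == FC_WRITE_MULTIPLE_REGISTERS:
        if len(data) < 5:
            raise ValueError("write multiple registers header truncated")
        start, quantity, byte_count = struct.unpack(">HHB", data[:5])
        values = data[5:]
        if byte_count != 2 * quantity or len(values) != byte_count:
            raise ValueError("write multiple registers byte count mismatch")
        return [(unit_id, start + i, v)
                for i, v in enumerate(struct.unpack(">%dH" % quantity, values))]
    return []


def inspect(frame, rtu="RTU-0122"):
    """Return ("block", reason) when a write would push the set point above the limit."""
    try:
        writes = parse_register_writes(frame)
    except ValueError as err:
        return "block", f"malformed Modbus frame: {err}"
    for unit_id, register, value in writes:
        if (unit_id == RTU_UNIT_IDS[rtu] and register == SETPOINT_REGISTER
                and value > SETPOINT_LIMIT):
            return "block", (f"set point {value} > {SETPOINT_LIMIT} on {rtu} "
                             f"(unit {unit_id}, register {register:#06x})")
    return "allow", "no rule match"


if __name__ == "__main__":
    # Constructed frames: a write of 75 (blocked) and a write of 40 (allowed).
    for value in (75, 40):
        data = struct.pack(">HH", SETPOINT_REGISTER, value)
        print(value, inspect(build_request(122, FC_WRITE_SINGLE_REGISTER, data)))
```

Write Multiple Registers (0x10) is handled as well as Write Single Register (0x06), because a write that starts a few registers earlier and spans the set point would otherwise slip past a rule that only looks at 0x06.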

SSL Decrypt of Outbound traffic: If Client Cooperates
• Network equipment (firewalls, proxies etc) can decrypt some traffic from the client
• Where we control the client cert store and the application is cooperating

(Diagram: Inside | NGFW | Internet. We control the client cert store, so the client says "I trust this cert because the issuer is in my trusted store!" when connecting to a Server on the Internet.)

Security Intelligence: Reputation Based Filters (IPS)
• Detects communication to known CnCs, Malware Sites
• Complements Signature based detections

ALERT! John tried to connect to known CnC

Reduced Risk

IPS Block & Alert When it Detects CnC (IPS)
• Known CnC Patterns
• Suspicious DNS Requests

ALERT! DNS tries to resolve a DGA-like name
DNS? ag0hszsew13faeda.co.uk

Malware often uses DNS to find CnC
• Malware prefers DNS!
  – 91.3% of malware use DNS*
• Malware may not know the IP of its C2C server
  – Dynamic IP (home computer)
  – May not have compromised it yet!

(Diagram: the attacker registers evilcnc.xyz.xyz -> 74.63.17.18 on a DNS Server on the Internet; a client on the Inside asks the internal DNS Server "Q: evilcnc.xyz.xyz", calling home to evilcnc.xyz.xyz through the NGFW. Diagram addresses: .18, .20)

*Cisco Annual Security Report 2016
http://www.cisco.com/go/asr

DNS Sinkholing
• Problem: DNS request goes via internal DNS, which hides which client is infected
• Solution: Return fake “sinkhole” DNS response and note who goes there :)

(Diagram: Scratchy (192.168.1.2) asks the Internal DNS "Q: rx444bdg.grds323.se"; the Internal DNS forwards "Q: rx444bdg.grds323.se" towards the Internet through the NGFW; the NGFW answers "A: Sinkhole 10.1.42.66", which the Internal DNS relays to Scratchy; Scratchy then connects to the Sinkhole 10.1.42.66, which reveals 192.168.1.2 as the infected client.)
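The two slides above describe one mechanism from two sides: spotting a DGA-like query, and answering it with a sinkhole so the real client shows up. The following added example (not Cisco code) does both for the names the slides use. The DGA heuristic (entropy, digits mixed into letters, missing vowels), its weights and threshold, the constructed reputation list, the upstream answers and the addresses of Scratchy's internal DNS are assumptions; the sinkhole address is the slide's 10.1.42.66.

```python
"""DNS sinkholing with a DGA-like name heuristic (added example, not Cisco code)."""
import math
from collections import Counter

SINKHOLE_IP = "10.1.42.66"            # from the slide
KNOWN_CNC = {"evilcnc.xyz.xyz"}        # constructed reputation list (Security Intelligence)
DGA_THRESHOLD = 5.2                    # hand-tuned on the constructed samples below
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than dictionary words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_score(label):
    """Entropy plus penalties for digits mixed into letters and for missing vowels."""
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) + 4 * digits + 2 * (1 - vowels)


def dga_score(qname):
    """Score the most suspicious label; the TLD and short labels such as "co" are skipped."""
    labels = qname.lower().rstrip(".").split(".")[:-1]
    return max((label_score(l) for l in labels if len(l) >= 5), default=0.0)


def looks_dga(qname):
    return dga_score(qname) >= DGA_THRESHOLD


class SinkholingNgfw:
    """Answers DNS from the inside: sinkhole bad names, then attribute sinkhole hits."""

    def __init__(self, upstream):
        self.upstream = upstream   # constructed stand-in for resolution on the Internet
        self.sinkholed = []        # (query source as seen by the NGFW, qname, reason)
        self.infected = Counter()  # real client ip -> number of sinkhole connections

    def answer(self, src_ip, qname):
        if qname in KNOWN_CNC:
            reason = "known CnC"
        elif looks_dga(qname):
            reason = f"DGA-like name (score {dga_score(qname):.2f})"
        else:
            return self.upstream.get(qname, "NXDOMAIN")
        self.sinkholed.append((src_ip, qname, reason))
        return SINKHOLE_IP

    def observe_connection(self, src_ip, dst_ip):
        """A connection to the sinkhole exposes the infected client, not the DNS forwarder."""
        if dst_ip == SINKHOLE_IP:
            self.infected[src_ip] += 1
            return True
        return False


def run_demo():
    """Replay the slide: Scratchy asks via the internal DNS, then follows the sinkhole answer."""
    internal_dns, scratchy = "192.168.1.10", "192.168.1.2"   # internal DNS address is constructed
    ngfw = SinkholingNgfw(upstream={"www.cisco.com": "198.51.100.10"})  # constructed answer
    answers = {q: ngfw.answer(internal_dns, q)
               for q in ("www.cisco.com", "rx444bdg.grds323.se", "evilcnc.xyz.xyz")}
    ngfw.observe_connection(scratchy, answers["rx444bdg.grds323.se"])
    return answers, ngfw


if __name__ == "__main__":
    answers, ngfw = run_demo()
    print(answers)
    print("sinkholed:", ngfw.sinkholed)
    print("infected clients:", dict(ngfw.infected))
```

Note that every query the NGFW sees comes from the internal DNS (192.168.1.10 here), so the `sinkholed` log alone can never name the infected host; it is the later connection to 10.1.42.66, recorded by `observe_connection`, that attributes the infection to 192.168.1.2. A heuristic this small will misfire on some legitimate names, which is why it belongs beside a reputation list and an IPS rule rather than in place of them.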

Geolocation
• Possible to control based on country
• Country information, ISP information in logs

AMP – Advanced Malware Protection (AMP)
• Analyses files to block and detect malware
• Cloud based lookup of File Reputation
• Cloud based Dynamic Analysis with Sandboxing
• Retrospective Security
• Subscription License

The Value of Retrospection (AMP)
• If a malicious file slips through the Anti-Malware controls...
• ...because it was a new malware
• And the next day when the malware is known...
• Wouldn't you want to know
  - Who downloaded it?
  - Where has it spread?

Reduced Risk and Cost


Advantage Cloud?
• Petaflop processing
• Petabyte storage
• Big data analytics
• Continuous analysis
• State-of-the-art AI algorithms for continuous malware targeting

(Diagram: Never Forgets!)

AMP in Action: Known Bad File (AMP)
• File look-up returns "malware"
• File dropped immediately

(Diagram: NGFW -> AMP Cloud, File Lookup = Malware)

AMP in Action: Retrospective Security (AMP)
• File look-up returns "Unknown"
• File is allowed

(Diagram: NGFW -> AMP Cloud, File Lookup = Unknown)

AMP in Action: Retrospective Security (AMP)
• File is later classified as malware by
  - sandboxing
  - machine learning
  - intelligence community
• Alert on who downloaded the file
• Visibility and Containment

ALERT! catfood.pdf downloaded by John@10.1.19.4 is malware (AMP Cloud)

Reduced Risk and Cost
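The three AMP slides above are one sequence: a point-in-time verdict, a file allowed as "Unknown", and a later reclassification that must answer "who downloaded it" and "where has it spread". The following added example (not AMP code) keeps that sequence honest by recording every transfer regardless of verdict. The cloud lookup is a constructed dictionary, and the hashes, hosts, users and timestamps are constructed placeholders.

```python
"""Retrospective security (added example, not AMP code): record every transfer
with its disposition at the time, then alert on earlier sightings when the
cloud reclassifies the hash as malware."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: str        # timestamp (constructed)
    host: str
    user: str
    sha256: str
    filename: str


class RetrospectiveTracker:
    def __init__(self, cloud):
        self.cloud = cloud                  # constructed stand-in: sha256 -> disposition
        self.sightings = defaultdict(list)  # sha256 -> every transfer, whatever the verdict was
        self.acted_on = {}                  # sha256 -> disposition used for the last decision

    def on_transfer(self, event):
        """Point-in-time decision: drop known malware, allow (but remember) the rest."""
        disposition = self.cloud.get(event.sha256, "Unknown")
        self.sightings[event.sha256].append(event)
        self.acted_on[event.sha256] = disposition
        return "drop" if disposition == "Malware" else "allow"

    def reclassify(self, sha256, disposition):
        """Cloud verdict changed; emit one retrospective alert per earlier sighting."""
        previous = self.acted_on.get(sha256, "Unknown")
        self.cloud[sha256] = disposition
        self.acted_on[sha256] = disposition
        if disposition != "Malware" or previous == "Malware":
            return []   # nothing new to say: not malware, or already handled as malware
        return [f"ALERT! {ev.filename} downloaded by {ev.user}@{ev.host} at {ev.ts} is malware"
                for ev in self.sightings[sha256]]

    def trajectory(self, sha256):
        """Where the file has spread: (host, user) pairs in order of first sighting."""
        seen = []
        for ev in self.sightings[sha256]:
            if (ev.host, ev.user) not in seen:
                seen.append((ev.host, ev.user))
        return seen


CATFOOD = "sha256-constructed-catfood"   # placeholder hash for the slide's catfood.pdf


def run_demo():
    tracker = RetrospectiveTracker(cloud={"sha256-constructed-known-bad": "Malware"})
    first = tracker.on_transfer(FileEvent("2017-10-26T09:00:00", "10.1.19.4", "John",
                                          CATFOOD, "catfood.pdf"))
    tracker.on_transfer(FileEvent("2017-10-26T09:05:00", "10.1.19.7", "Anna",
                                  CATFOOD, "catfood.pdf"))
    blocked = tracker.on_transfer(FileEvent("2017-10-26T09:06:00", "10.1.19.7", "Anna",
                                            "sha256-constructed-known-bad", "invoice.exe"))
    alerts = tracker.reclassify(CATFOOD, "Malware")   # "the next day when the malware is known"
    return first, blocked, alerts, tracker.trajectory(CATFOOD)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The design point is that `sightings` is written on every transfer, including the ones that were allowed as "Unknown"; a tracker that only stored blocked files would have nothing to report the next day.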


Firepower: Detecting Anomalies
• Detects if a new application appears or the traffic profile changes
• Identify Hacked Hosts
• Useful in static environments: Scada, DMZ, MEDTEC...

ALERT: Host has suddenly started to use SSH client and outgoing ssh traffic volume has increased by 3

Reduced Risk and Cost
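The alert above comes from comparing a host against its own learned profile. The following added example (not Firepower's implementation) learns, per host, which applications are used and the mean outgoing bytes per window, then flags a new application or a volume at or above a configurable multiple of the baseline (3x, as in the alert). Hosts, application labels and byte counts are constructed.

```python
"""Traffic-profile anomaly detection (added example, not Firepower code): learn a
per-host baseline, then alert on a new application or a volume jump."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSummary:
    host: str
    app: str        # application identified by the sensor, e.g. "ssh"
    bytes_out: int  # outgoing bytes in this window


class TrafficProfiler:
    def __init__(self, volume_factor=3.0):
        self.factor = volume_factor
        self.total = defaultdict(int)     # (host, app) -> bytes over all learning windows
        self.windows = defaultdict(int)   # host -> number of learning windows seen

    def learn(self, window):
        """Feed one time window of flow summaries into the baseline."""
        for host in {f.host for f in window}:
            self.windows[host] += 1
        for f in window:
            self.total[(f.host, f.app)] += f.bytes_out

    def baseline(self, host, app):
        """Mean outgoing bytes per window; None if the host never used the app."""
        if (host, app) not in self.total:
            return None
        return self.total[(host, app)] / self.windows[host]

    def check(self, window):
        """Compare a new window with the baseline and return alert strings."""
        alerts = []
        for f in window:
            if f.host not in self.windows:
                continue   # no baseline yet: nothing to compare against
            base = self.baseline(f.host, f.app)
            if base is None:
                alerts.append(f"{f.host}: new application {f.app} ({f.bytes_out} bytes out)")
            elif base > 0 and f.bytes_out >= self.factor * base:
                alerts.append(f"{f.host}: {f.app} outgoing volume increased by "
                              f"{f.bytes_out / base:.1f}x (baseline {base:.0f} bytes)")
        return alerts


def run_demo():
    """Constructed SCADA segment: an RTU host that only speaks Modbus suddenly starts SSH."""
    p = TrafficProfiler()
    for _ in range(3):   # three quiet learning windows
        p.learn([FlowSummary("10.1.3.5", "modbus", 1000),
                 FlowSummary("10.1.19.4", "ssh", 1000)])
    return p.check([FlowSummary("10.1.3.5", "modbus", 1100),
                    FlowSummary("10.1.3.5", "ssh", 4200),      # new app on the RTU
                    FlowSummary("10.1.19.4", "ssh", 3200),     # 3.2x the baseline
                    FlowSummary("10.1.99.9", "http", 50)])     # unknown host, no baseline


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

This works well precisely in the static environments the slide names, where the set of applications a host uses is small and stable; on a general user segment the same rule would need a longer learning period and a per-application tolerance.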

Firepower: Automated Responses
• Use pre-defined or custom script to initiate automatic actions
• E.g., Quarantine device with ISE API

(Diagram: Indications Of Compromise – IPS event impact 1, Malware, Communication with BOTNET -> ISE -> QUARANTINE: change VLAN or SGT)

Reduced Risk and Cost

IoT capabilities with NGFW

Identity Integration – Target threats accurately
• ISE
• pxGrid
• VDI

Segmentation – Enforce standards and best practice
• ISA-99
• IEC 62264/62443
• IDMZ Protection
• Control of DMZ

Application control – Analyze headers in more depth
• Industrial apps
• EtherNet/IP, CIP, Modbus

Rate limiting – Control application usage
• Rule-based limits
• Reports
• QoS rules

Tunnel Policy – Block unwanted traffic early
• Pre-filtering
• Priority policy
• Policy migration

Integrate with 3rd Party through open APIs
• Vulnerability API: Import Vulnerabilities
• eStreamer API: Export Events
• ISE: Remediation Modules

Cisco Threat Intelligence Director (CTID)
Step 1. Ingest third-party Cyber Threat Intelligence indicators
Step 2. Publish observables to sensors (NGFW / NGIPS: Block, Monitor)
Step 3. Detect and alert to create incidents

(Diagram: Cisco Threat Intelligence Director runs on the FMC)

Firepower: Indications of Compromise
• Firepower Indications of Compromise identifies hacked clients
• Based on IPS alerts, Malware events, Communications with known Botnet Controllers
• Quick and Easy to Identify Hacked Clients or Users

Reduced Risk and Cost

Best of Breed Protection
Continuously Validated by Third Parties
• Security Value Map for Intrusion Prevention System (IPS)
• Security Value Map for Next-Generation Firewall (NGFW)
• Security Value Map for Breach Detection

Portfolio
• ASA 5506-X, ASA 5508-X, ASA 5516-X
• Firepower 2100 Series
• Firepower 4100 Series
• Firepower 9300

SMB/SOHO – Branch – Internet Edge – Data Center – Service Provider

Cisco is the ONLY NGFW with a Market Leading NGIPS

Gartner’s Magic Quadrant for Intrusion Prevention Systems
Craig Lawson, Adam Hils, Claudio Neiva, 16 November 2015

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Cisco.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Risk Management
• The value of what we protect?
• The threat?
• How should we improve defence?

Lab Docs

https://cisco.box.com/v/oslobasic

Summary

Megatrends
