Firewall
- and the Megatrends that impact Security
Håkan Nohre
Technical Solutions Architect,
Cisco Technical Advisory Group Cyber Security
26 October 2017
About Me
• hnohre@cisco.com
• Live in Sweden (Stockholm)
• Consulting Systems Engineer (EMEAR)
• With Cisco since 1997
• Before Cisco, software development in C, C++ and Assembler
• Focus on Cyber Security, GIAC Pen Tester #9666, CISSP#76731
• Cisco Live Las Vegas 2017 Sessions
• It's Cats vs Rats in the Attack Kill Chain! - BRKSEC-2002
• Hacking in the Attack Kill Chain v2 - LTRSEC-3300
• Building a Practical Defence against Cyber Attacks – TECSEC-2501
• Deploying AnyConnect with ASA (and Firepower)! – BRKSEC 2005
About You
• Name
• Previous experience of Cisco Firepower
• Previous experience of other Cisco Security products
• ASA
• AnyConnect
• ISE
• Umbrella
• Stealthwatch
• AMP for Endpoints
• Email Security
• Web Security
• ……
Agenda
• Lecture Introduction to NGFW
• NGFW Basic Lab
- Add device with REST API
- Basic config, NAT, Routing
- Flexconfig
- Routing (BGP)
- Prefilter Policies
• Lecture: Troubleshooting/Internals
• NGFW Advanced Lab
- Integrated Bridge/Routing
- High Availability
- Remote Access VPN AnyConnect
- Site-to-Site VPN
- Troubleshooting
- Threat Intelligence Director
- Migration
• NGFW Attack Lab
Megatrends Impacting IT Security
Internet of Everything
Cloud Adoption
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Point-in-time Deep-packet Inspection
Perimeter Defense
– Threat Intelligence
Strategic Acquisitions
(figure: Threat Focus, Client Security, Discover threat without signatures, CASB, Open Source)
Enhance Your Security Capability
Early Detection
Proper Containment
Security Effectiveness
Security Intelligence
Threat Research and Intelligence
Agenda
• Megatrends Impacting IT Security
• Necessary Defence in the Attack Kill Chain
– Segmentation of the Network
– Detect attacks without using signatures
– Improve client security
– Improved Perimeter Defence: A Threat Focused Next Generation Firewall
• Summary
Network Segmentation Key To Good Network Hygiene
“Only 1 out of 20 customers in the recent Cisco Strategic Secure Access User Forum implemented segmentation, with 32,000 VLANs…”
--Reuven Harrison, NETWORKComputing, 2014
“It’s much easier to equip your organization with a secure defense through proper network segmentation than to explain to shareholders and the media how hackers were able to access millions of records on your system.”
--Nimmy Reichberg & Mark Wolfgang, Network World 2014
Automatic Logical Separation
Traditional Segmentation
• Based on VLAN
• Tied to IP addressing
(figure: per-site VLANs tied to subnets such as 10.1.2.0, 10.1.3.0 and 192.168.3.0, with SIP and SCADA devices shown)
Segmentation based on Security Groups
(figure: security groups applied to devices such as Citrix and iPad)
Cisco NGFW: Firepower Threat Defence
Cisco NGFW Platforms
Firepower Threat Defense for ASA 5500-X, Firepower 2100 Series, Firepower 4100 Series and Firepower 9300
Up to 6x with clustering!
DDoS protection!
Cisco NGFW in the Private and Public Cloud
Threat Focused Management
Firepower Management Center (FMC)
- Previously known as FireSIGHT
- NGFW/NGIPS Management
- Forensics / Log Management
Visibility Categories: Network, Threats, Users, Web Applications, Application Protocols, AMP / Trajectory, Vulnerability Management, Incident Control System
Visibility: Firepower Discovers
• ...automatically
• Hosts, OS, Logged in Users, Applications, Vulnerabilities
• Gives much more than just Application Visibility and Control (AVC)
(figure: host 10.1.19.4 with its OS, user john, apps and vulnerabilities)
Visibility: Firepower Discovers Users
• User Agent installed on Windows machine
(figure: Active Directory, User Agent, user john logging on to host 10.1.19.4)
Only the Network can Identify Other Devices
• Device authenticates to network (802.1X or MAB)
• Cisco ISE shares info with pxGrid
• Works even if device is not in Active Directory
(figure: host 10.1.19.4 with OS, user john, apps and vulnerabilities, with ISE sharing information over pxGrid)
FirePOWER™ Services: NGIPS
Visibility: Reduce Workload & Improve Performance
Visibility: Reduced Workload and Risk
Cisco Firepower Simplifies Operations
It tells you which alerts are the most important!
IMPACT FLAG | WHY | ADMINISTRATOR ACTION
1 Vulnerable | Event corresponds to vulnerability mapped to host | Act Immediately
OT Pre-Processors – Modbus command inspection
A Modbus rule to prevent a set point change limit > 50 on RTU-0122
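An added example (not code from the deck and not Firepower's own preprocessor) of the check such a rule performs: it parses Modbus/TCP write-register requests and flags any that would set a register above 50 on the unit assumed here to represent RTU-0122. The unit id 0x22, the register addresses and the sample frames are constructed for this example.

```python
import struct

# Detection side of the slide's rule: flag Modbus writes that set a register above 50
# on RTU-0122. The unit id for the RTU (0x22) is an assumption made for this example.
SETPOINT_LIMIT = 50
RTU_UNITS = {"RTU-0122": 0x22}          # assumed mapping of RTU name to Modbus unit id
WRITE_SINGLE_REGISTER = 0x06             # Modbus function code 6
WRITE_MULTIPLE_REGISTERS = 0x10          # Modbus function code 16


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then function code and PDU data."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # the length field counts every byte after itself (unit id, function code, data)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    fc, pdu = frame[7], frame[8:]
    writes = []                          # (register address, value) pairs this request sets
    if fc == WRITE_SINGLE_REGISTER and len(pdu) == 4:
        addr, value = struct.unpack(">HH", pdu)
        writes = [(addr, value)]
    elif fc == WRITE_MULTIPLE_REGISTERS and len(pdu) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) != 5 + nbytes:
            raise ValueError("byte count does not match register quantity")
        regs = struct.unpack(">%dH" % qty, pdu[5:])
        writes = [(addr + i, v) for i, v in enumerate(regs)]
    return {"tid": tid, "unit": unit, "fc": fc, "writes": writes}


def setpoint_violations(frame: bytes, rtu: str = "RTU-0122") -> list:
    """Return the (register, value) writes in this frame that exceed the limit on the given RTU."""
    req = parse_modbus_tcp(frame)
    if req["unit"] != RTU_UNITS[rtu]:
        return []                        # writes to other units are not covered by this rule
    return [(addr, v) for addr, v in req["writes"] if v > SETPOINT_LIMIT]


# Constructed frames (not captured traffic): single-register writes of 75 and 40 to register
# 0x0010 on unit 0x22, and a multi-register write of 40 and 60 to registers 0x0010-0x0011.
WRITE_75 = bytes.fromhex("000100000006" "2206" "0010004B")
WRITE_40 = bytes.fromhex("000200000006" "2206" "00100028")
WRITE_40_60 = bytes.fromhex("00030000000B" "2210" "0010000204" "0028003C")

if __name__ == "__main__":
    for name, frame in [("WRITE_75", WRITE_75), ("WRITE_40", WRITE_40), ("WRITE_40_60", WRITE_40_60)]:
        print(name, setpoint_violations(frame))
```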
SSL Decrypt of Outbound traffic: If Client Cooperates
• Network equipment (firewalls, proxies etc) can decrypt some traffic from client
• Where we control the client cert store and the application is cooperating
Security Intelligence: Reputation Based Filters
IPS Block & Alert When it Detects CnC
(figure: DNS query for ag0hszsew13faeda.co.uk)
Malware often uses DNS to find CnC
• Malware prefers DNS!*
(figure: evilcnc.xyz.xyz is registered and resolves to 74.63.17.18 via the DNS server on the inside)
*Cisco Annual Security Report 2016, http://www.cisco.com/go/asr
DNS Sinkholing
• Problem: DNS request goes via internal DNS, which hides which client is infected
• Solution: Return fake “sinkhole” DNS response and note who goes there
(figure: the query for rx444bdg.grds323.se reaches the NGFW, which answers with the sinkhole address 10.1.42.66 instead of the real Internet answer; 192.168.1.2 is also shown)
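As an added example (not code from the deck), the correlation the solution relies on, run over constructed NGFW log lines: the DNS lines only ever show the internal DNS server (assumed here to be 192.168.1.2) asking for a name that the NGFW answered with the sinkhole address 10.1.42.66, while the connection lines reveal which client then went to the sinkhole. The log format and the client addresses are constructed for this example.

```python
from datetime import datetime, timedelta

SINKHOLE = "10.1.42.66"           # sinkhole address from the slide
WINDOW = timedelta(seconds=5)     # how soon after the fake answer a client is expected to connect

# Constructed NGFW log lines (not from the page). 192.168.1.2 is assumed to be the internal
# DNS server that forwards queries, so the DNS lines never reveal the real client.
LOG = """\
2017-10-26 10:00:01 DNS 192.168.1.2 Q rx444bdg.grds323.se A 10.1.42.66
2017-10-26 10:00:02 CONN 10.1.19.4 -> 10.1.42.66:443
2017-10-26 10:00:03 CONN 10.1.19.4 -> 93.184.216.34:443
2017-10-26 10:00:09 DNS 192.168.1.2 Q evilcnc.xyz.xyz A 10.1.42.66
2017-10-26 10:00:10 CONN 10.1.19.7 -> 10.1.42.66:80
2017-10-26 10:00:30 CONN 10.1.19.9 -> 10.1.42.66:80
""".splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, kind, fields)."""
    f = line.split()
    when = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    if f[2] == "DNS":                       # fields: src Q name A answer
        return when, "DNS", {"name": f[5], "answer": f[7]}
    if f[2] == "CONN":                      # fields: client -> dst:port
        return when, "CONN", {"client": f[3], "dst": f[5].split(":")[0]}
    return when, "OTHER", {}


def infected_clients(lines, sinkhole=SINKHOLE, window=WINDOW):
    """Return {client: set of sinkholed names} for every client that connected to the sinkhole.

    Lines are assumed to be in time order, as a log export normally is.
    """
    sinkholed = []   # (time, name) of answers the NGFW rewrote to the sinkhole address
    hits = {}
    for when, kind, d in map(parse_line, lines):
        if kind == "DNS" and d["answer"] == sinkhole:
            sinkholed.append((when, d["name"]))
        elif kind == "CONN" and d["dst"] == sinkhole:
            # correlate with the fake answer handed out shortly before this connection
            names = {n for t, n in sinkholed if timedelta(0) <= when - t <= window}
            hits.setdefault(d["client"], set()).update(names or {"<no recent query>"})
    return hits


if __name__ == "__main__":
    for client, names in infected_clients(LOG).items():
        print(client, "->", ", ".join(sorted(names)))
```

A client that reaches the sinkhole without a recent rewritten answer is still reported, since the connection alone is the indicator; the name is only the extra context.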
Geolocation
• Possible to control based on country
• Country information, ISP information in logs
AMP – Advanced Malware Protection
The Value of Retrospective Security
The Value of Retrospection
• Petaflop processing
• Petabyte storage
• Big data analytics
• Continuous analysis
• State-of-the-art AI algorithms for continuous malware targeting
Never Forgets!
AMP in Action: Known Bad File
File Lookup = Malware
AMP in Action: Retrospective Security
File Lookup = Unknown
AMP in Action: Retrospective Security
• File is later classified as malware
• sandboxing
• machine learning
• intelligence community
ALERT! catfood.pdf downloaded by John@10.1.19.4 is malware (AMP Cloud)
Firepower : Automated Responses
• Use pre-defined or custom script to initiate automatic actions
• E.g. Quarantine device with ISE API
(figure: Indications of Compromise (IPS event impact 1, Malware, Communication with BOTNET) trigger an ISE QUARANTINE that changes the device's VLAN or SGT)
IoT capabilities with NGFW
Integrate with 3rd Party through open APIs
• Vulnerability API: Import Vulnerabilities
• eStreamer API: Export Events
• Remediation Modules
• ISE
Cisco Threat Intelligence Director (CTID)
1. Ingest third-party Cyber Threat Intelligence indicators
2. Publish observables to sensors (NGFW / NGIPS)
3. Detect and alert to create incidents
(figure: Cisco Threat Intelligence Director runs on the FMC; sensors Block or Monitor)
Firepower : Indications of Compromise
• Firepower Indications of Compromise identifies hacked clients
• Based on IPS alerts, Malware events, Communications with known Botnet Controllers
• Quick and Easy to Identify Hacked Clients or Users
Reduced Risk and Cost
Best of Breed Protection
Continuously Validated by Third Parties
Security Value Map for Next-Generation Firewall (NGFW)
Security Value Map for Intrusion Prevention System (IPS)
Security Value Map for Breach Detection
Portfolio
Firepower 9300
ASA 5516-X
Cisco is the ONLY NGFW with a Market Leading NGIPS
Risk Management
Lab Docs
https://cisco.box.com/v/oslobasic
Summary
Megatrends