FirePOWER: Advanced Configuration and Tuning
BRKSEC-3126
Charlie Stokes, Security Technical Marketing Engineer
Agenda
• Introduction
• FirePOWER Appliances and Modules
• Before: Changes to Policy
• During: Changing how the system responds
• After: Changing how data is viewed

BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introduction
• The goal of this session is to highlight selected areas of FirePOWER systems
that may be less well understood or not used to their full potential.
• Understanding how these features work can make FirePOWER deployments
run faster and better.
• This is not a comprehensive guide to such changes, as we will see.
What platforms support FirePOWER Services as a software module?
Maximum AVC and IPS throughput (ASA 5500-X, FirePOWER Services software module)

Platform     NGFW throughput   Connections   Connections/sec
ASA 5512-X   250 Mbps          100K          10,000
ASA 5515-X   300 Mbps          250K          15,000
ASA 5525-X   650 Mbps          500K          20,000
ASA 5545-X   1 Gbps            750K          30,000
ASA 5555-X   1.25 Gbps         1M            50,000

Positioned from branch locations (5512-X) up to the small/medium internet edge (5555-X).
What platforms support the FirePOWER hardware module?
Maximum AVC and IPS throughput (ASA 5585-X, FirePOWER SSP hardware module)

Platform           NGFW throughput   Connections   Connections/sec
ASA 5585-X SSP10   2 Gbps            500K          40,000
ASA 5585-X SSP20   3.5 Gbps          1M            75,000
ASA 5585-X SSP40   6 Gbps            1.8M          120,000
ASA 5585-X SSP60   10 Gbps           4M            160,000

Positioned from campus / data center up to the enterprise internet edge.
IPS Throughput: FirePOWER Appliances (440-byte HTTP)
NGIPS / App Control / NGFW / AMP

Appliance   IPS throughput
8390        60 Gbps
8370        45 Gbps
8360        30 Gbps
8350        15 Gbps
8250        10 Gbps
8140        6 Gbps
8130        4 Gbps
8120        2 Gbps
7125        1.25 Gbps
7120        1 Gbps
7115        750 Mbps
7110        500 Mbps
7050        500 Mbps
7030        250 Mbps
7020        100 Mbps
7010        50 Mbps

AMP appliances: AMP8150, AMP7150
SSL appliances: SSL8200, SSL2000, SSL1500

All appliances include:
● Integrated lights-out management
● Sourcefire acceleration technology
● LCD display
Series 3/3.5 - FirePOWER Appliance Architecture
• CPU: Intel, 1 or 2 sockets, 4-10 cores per CPU
– FirePOWER applications (NGIPS, AppID, Network AMP)
– Application/control plane processing
• NFE, PCIe-based (qty. 1-4)
– L2-L7 classification
– Stateful flow processing
– PKI and bulk cryptography
– Flow-based load balancing
– L2 switching / L3 routing / NAPT
• NMSB (10 or 40G)
– L2-L4 packet classification for multiple NFPs
– Packet-based load balancing
• NetMods
– Physical interfaces
– Integrated bypass relays
Detailed ASA FirePOWER Services Packet Flow
FirePOWER does not drop flows; it marks them for drop by the ASA.

1. Receive packet
2. Ingress interface
3. Existing connection? Yes: skip to step 6. No: continue
4. ACL permit? No: drop
5. Match xlate? No: drop
6. Inspections and security checks (this is where the ASA FirePOWER module sees the packet and returns its verdict). Fail: drop
7. NAT IP header
8. Egress interface
9. L3 route? No: drop
10. L2 address? No: drop
11. Transmit packet
IPS Technology In FirePOWER Devices
Figure: where the IPS verdict is produced. Labels on the slide: Soft NFE (ASA only), Verdict, ASA Backplane, FirePOWER Appliance Only.
Introduction to FirePOWER
• Differences between FirePOWER modules and appliances
– Because the appliances have a hardware front end (NetMods, NFPs and NFEs),
certain capabilities exist on the appliances that do not currently exist on the
FirePOWER Services modules for ASA:
• Application Bypass
• Fast Path Rules (superseded by Trust Rules)
• SSL decryption, which on appliances in 5.4 is done in the NFE
• Hardware fail-open interfaces
FirePOWER
• FirePOWER offers a wide range of customization options and is very flexible.
• There are times it might feel like this! (image)
• Some options are more relevant and important than others.
• With experience, you can make it feel more like this! (image)
Integrated Threat Defense Across the Attack Continuum

BEFORE: Control, Enforce, Harden
– Firewall/VPN, Granular App Control, Modern Threat Control
DURING: Detect, Block, Defend
– NGIPS, Security Intelligence, Web Security
AFTER: Scope, Contain, Remediate
– Advanced Malware Protection, Retrospective Security, IoCs/Incident Response

Visibility and Automation across all three phases.
Before, During and After
• Before: Changing the policy of the sensor
– Normalizer and Preprocessor Settings
– IPS Policy Layering
– Custom Application Detection: OpenAppID
– Custom Rules and Performance Tuning
• During: Changing the way the sensor responds to an attack
– Creating and using Correlation Rules
– Creating and using Remediation Rules
• After: Changing the way data is displayed and how users interact with that data
– Custom Block Responses
– Host attributes
– Custom tables
– Custom workflows
Security Techniques and Analysis
• Advanced Security Techniques
– These changes affect the posture of the sensor and the way it performs, analyzes
or responds to attacks:
• Normalizer and Preprocessor Settings
• IPS Policy Layering
• Custom Rules and Rule Performance Tuning
• Custom Application Detection
• Correlation Rules: creating and using
• Remediation Rules: creating and using
• Advanced Analysis Techniques
– These change the way data is displayed and how users interact with that data:
• Correlation Rules for alerting or event logging
• Host attributes
• Custom tables
• Custom workflows
Before
Before, During and After
• Before: Change the policy of the sensor
– Normalizer and Preprocessor Settings
– IPS Policy Layering
– Custom Application Detection: OpenAppID
– Custom Rules and Performance Tuning
• During: Change the way the sensor responds to an attack
• After: Change the way data is displayed and how users interact with that data
Normalizer and Preprocessor Settings

Preprocessors
Handle the task of presenting packets and packet data
in a contextually relevant way to the detection engine.

For example: an HTTP header seen on a non-standard port

Pipeline: packet fragment reassembly → maintaining TCP state → TCP stream reassembly → protocol normalization
Preprocessors
• The inline normalization preprocessor identifies abnormal traffic and normalizes it in order to minimize
the chance of attackers evading detection in inline deployments.
• IPv4, IPv6, ICMPv4, ICMPv6 and TCP protocol normalization
• Normalization is only applied when both conditions are met:
– Drop when inline is enabled
– The policy is applied using an inline set

• Some preprocessors to be aware of:
– frag3 – reassembles IP fragments prior to inspection
– stream5 – reconstructs TCP data streams so that inspection can be done in the context of a TCP conversation
– Protocol decoders – normalize application protocols carried over TCP, including telnet, ftp, smtp and rpc
– http_inspect – normalizes HTTP traffic

• Preprocessor configuration consists of both global settings and per-policy settings; the latter allow
the configuration to be tailored to a specific network segment
Preprocessors – Execution Order

Preprocessors – IP Defragmentation
Figure: fragmentation as a simple context-based evasion. A datagram (IP header, TCP header, payload bytes) is split into three fragments; the second figure plots the fragments against time and increasing byte offset, with overlapping fragments covering the target bytes (the argument to malloc(size)).
Preprocessors – IP Defragmentation
• Reassembles fragmented datagrams for the rule engines.
• Rules will not execute against unreassembled fragmented datagrams.
• Global IP Defragmentation option:
– Preallocated Fragments specifies the maximum number of fragments the preprocessor can process at once

• Some per-policy defragmentation options:
– Network specifies the IP address of the host(s) you want to apply the defragmentation policy to.
– Policy defines the defragmentation policy you want to use for a set of hosts on the network segment (based on OS).
– Minimum Fragment Size specifies that when a non-last fragment smaller than the configured number of bytes is detected, the packet is considered malicious.
Preprocessors – IP Defragmentation
• Helps to detect fragmentation exploits such as Teardrop and Jolt2.
• Different operating systems reassemble the same overlapping fragments in different ways, allowing attackers to evade detection by "hiding" exploit code in overlapping fragments.
• Target-based defragmentation policies can be configured to be aware of the OS running on the network segment, so the sensor reassembles packets the same way the target OS would and sees an attack hidden in overlapping fragments.
• IP Defragmentation preprocessor rules (GID 123) need to be enabled to generate events.
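The overlap behaviour these slides describe, as an added Python example (not code from the deck or from frag3 itself): the same fragments, in arrival order, reassembled under two of frag3's named overlap policies, "first" and "last", plus the tiny-fragment check that the Minimum Fragment Size option performs. The Fragment class, the function names and the fragment set are constructed for illustration; offsets are in bytes rather than IP's 8-byte units, and the mapping of operating systems to policies is left to the frag3 documentation.

```python
"""Target-based IP defragmentation: the same overlapping fragments, taken in
arrival order, reassemble to different datagrams under different overlap
policies. Added example; the fragment set below is constructed, not captured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # payload offset in bytes (real IP headers count 8-byte units)
    data: bytes
    more: bool    # IP "More Fragments" flag; False marks the final fragment


def reassemble(frags, policy):
    """Rebuild the datagram from fragments in the order they arrived.

    policy "first": bytes already placed win on overlap (frag3 'first')
    policy "last" : a later fragment overwrites earlier bytes (frag3 'last')
    Returns None if no final fragment was seen or the byte range has a hole.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown overlap policy: %r" % policy)
    buf = {}
    for frag in frags:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not any(not f.more for f in frags):
        return None
    end = max(f.offset + len(f.data) for f in frags)
    if any(pos not in buf for pos in range(end)):
        return None
    return bytes(buf[pos] for pos in range(end))


def small_fragments(frags, min_size):
    """Non-final fragments shorter than min_size: the condition behind the
    'Minimum Fragment Size' option (tiny fragments are a classic evasion)."""
    return [f for f in frags if f.more and len(f.data) < min_size]


def inspect_fragments(frags, policy, pattern, min_size=8):
    """Reassemble under the target host's policy and look for `pattern`,
    reporting tiny fragments as a separate finding."""
    datagram = reassemble(frags, policy)
    return {
        "datagram": datagram,
        "pattern_hit": datagram is not None and pattern in datagram,
        "tiny_fragments": len(small_fragments(frags, min_size)),
    }


# Constructed evasion attempt: a decoy fragment arrives first, then an
# overlapping fragment at the same offset carries the real request.
EVASION = [
    Fragment(0, b"GET /", True),
    Fragment(5, b"safe.html ", True),   # decoy, arrives first
    Fragment(5, b"evil.html ", True),   # overlaps the decoy byte for byte
    Fragment(15, b"HTTP/1.0", False),   # final fragment
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, inspect_fragments(EVASION, policy, b"evil.html"))
```

A sensor configured with the "first" policy sees GET /safe.html and stays silent, while a target whose stack keeps the later bytes executes GET /evil.html; that gap is exactly what choosing the per-network Policy option to match the protected hosts closes. The 5-byte first fragment is also reported, which is the Minimum Fragment Size check.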
Preprocessors – TCP Stream
• The TCP stream preprocessor collects and reassembles all packets that are part of a TCP session, allowing the rule engine to inspect the stream as a single entity instead of inspecting individual packets.
• Global TCP Stream option:
– Packet Type Performance Boost causes the IPS to ignore TCP traffic for all ports/services that are not specified in enabled rules.

• Some TCP Stream options of interest:
– Require TCP 3-Way Handshake specifies that sessions are treated as established only upon completion of a 3-way handshake.
– 3-Way Handshake Timeout specifies the number of seconds within which a handshake must be completed.
– TCP Session Hijacking detects session hijacking by validating the MAC addresses seen from both sides of a connection during the handshake against subsequent packets.
– Asynchronous Network: with this option enabled, the system does not reassemble TCP streams (intended for deployments where the sensor sees only one direction of the traffic).
Preprocessors – TCP Stream
• TCP stream preprocessor rules (GID 129) need to be enabled to generate events.
• Certain preprocessors require the TCP Stream preprocessor to be enabled in order to work:
– DCE/RPC preprocessor
– DNS preprocessor
– HTTP Inspect preprocessor
– IMAP/POP/SMTP preprocessor
– SSL preprocessor
– Modbus/DNP3 preprocessor

• Any port you add to the server-level port list for the above preprocessors should also be added to the appropriate list of TCP reassembly ports; otherwise the preprocessor receives unreassembled segments on that port.
Preprocessors – HTTP
• The HTTP Inspect preprocessor is responsible for:
– Decoding and normalizing HTTP requests/responses
– Separating HTTP request messages into components: URI, header, method and body
– Separating HTTP response messages into components: status code, status message, header, body
– Detecting possible URI-encoding attacks
– Making the normalized data available for additional rule processing
• Decodes 14 types of HTTP encoding
• HTTP preprocessor rules (GID 119) need to be enabled to generate events
Preprocessors – HTTP
• Global HTTP normalization options:
– Detect Anomalous HTTP Servers can be used to detect HTTP traffic traversing ports not explicitly specified as web server ports
– Detect HTTP Proxy Servers detects HTTP traffic using proxy servers not defined by the Allow HTTP Proxy Use option
– Max Compressed Data Depth defines the maximum size of compressed data to decompress when Inspect Compressed Data is enabled
– Max Decompressed Data Depth defines the maximum size of normalized decompressed data when Inspect Compressed Data is enabled

Preprocessors – HTTP
• Some server-level HTTP normalization options:
– Networks can be used to specify the IP addresses of the servers this configuration applies to
– Ports defines which ports HTTP normalization is applied to
– Client/Server Flow Depth specifies the number of bytes to inspect in client-side and server-side traffic (including header and payload)
– Inspect HTTP Responses enables extended inspection of HTTP responses and extraction of the response header, body, status code and so on (e.g. looking for 404 Not Found)
– Profile specifies the types of encoding that are normalized. Default profiles for Apache and IIS servers are provided, or a custom default setting can be tailored
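Why the server-level Profile option matters, as an added Python example (not the deck's material and not http_inspect's code): a URI normalizer that decodes percent, double-percent and IIS %u encodings, folds backslashes and path traversal the way the profiled server would, and then checks whether a rule's literal content matches the normalized URI. The two profile option sets are simplified stand-ins for the Apache and IIS profiles, the function names are this example's own, and both request URIs are constructed.

```python
"""HTTP URI normalization per target-server profile. Added example: the same
raw URI normalizes differently for an Apache-like and an IIS-like target, and
a literal rule content only matches after the right normalization."""
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_PCT_U = re.compile(r"%u([0-9A-Fa-f]{4})")

# Simplified profiles: which encodings the target server itself would accept.
PROFILES = {
    "apache": {"u_encode": False, "double_decode": False, "backslash_sep": False},
    "iis":    {"u_encode": True,  "double_decode": True,  "backslash_sep": True},
}


def _decode_pct(s):
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def _decode_u(s):
    return _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)


def normalize_uri(uri, profile):
    """Normalize the path part of a URI as the profiled server would see it."""
    opts = PROFILES[profile]
    path = uri.split("?", 1)[0]
    if opts["u_encode"]:
        path = _decode_u(path)           # %u002e -> "."
    path = _decode_pct(path)             # %2e -> "."
    if opts["double_decode"]:
        path = _decode_pct(path)         # %252e -> %2e -> "."
    if opts["backslash_sep"]:
        path = path.replace("\\", "/")   # IIS treats "\" as a separator
    segments = []
    for seg in re.split(r"/+", path):    # also collapses "//"
        if seg == "..":
            if segments:
                segments.pop()           # traversal above the root is ignored
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def content_matches(uri, profile, content):
    """Would a rule with this literal content fire after normalization?"""
    return content in normalize_uri(uri, profile)


# Constructed requests: the classic IIS double-decode traversal, and a plain
# percent-encoded traversal that any server decodes.
IIS_TRAVERSAL = "/cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+dir"
PLAIN_TRAVERSAL = "/images/%2e%2e/%2e%2e/etc/passwd"

if __name__ == "__main__":
    for uri in (IIS_TRAVERSAL, PLAIN_TRAVERSAL):
        for profile in PROFILES:
            print(profile, uri, "->", normalize_uri(uri, profile))
```

Normalized with the IIS profile the first request collapses to /winnt/system32/cmd.exe and a rule looking for that string fires; normalized as Apache would see it the backslashes and second decoding pass are left alone and the same rule stays quiet, which is correct for an Apache target and an evasion for an IIS one. Matching the profile to the servers in Networks is therefore a detection decision, not a tuning nicety.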
Preprocessors – Changes in 5.4
• < 5.4: the base policy determines the global normalization settings applied to all rules, regardless of which IPS policy is associated with an access control rule
• ≥ 5.4: global normalization settings are defined in a Network Analysis Policy
– Simplifies use and makes configuration more intuitive
– Simply associate a Network Analysis Policy with an Access Control Policy
– Multiple Network Analysis Policies can be selected based on VLAN, network address or zone
IPS Policy Layering
• Allows users to create policy components that can be added to individual inspection policies
• E.g. a base inspection layer added to the Edge, DMZ, PCI or Guest inspection policies
• Allows single-point updates/changes that are automatically applied to the policies sharing the layer
• Multiple layers can be used, and layers can be merged. E.g. "My Changes" merges into the shared base policy layer
(The original slides follow with screenshots of the policy layer configuration.)
Application Detection

FirePOWER Application Detection
• FirePOWER can detect and block thousands of applications using simple rules based on user-defined filters, Security Risk, Business Relevance, Type, Categories or Tags.
• Example (screenshot): FirePOWER configured to block Very High Risk applications
Custom Application Detection: Currently
• Adding application detection rules in the product today is a manual process; it is time consuming and not trivial.
• You either have to know enough to define the detection pattern yourself, or you have to have a complete packet capture.
• If not done correctly, false positives or false negatives can result.
• Most importantly, there is no way to share these definitions easily.
The Problem with Custom Application Detection

Volume: There are more 'apps' today than ever before; it's an impossible task for any one vendor to develop all detections and keep pace with app innovation.

Closed: With a closed approach, it's hard for a network security team to extend detection to bespoke apps that only exist within that customer's network or geography.

Isolation: Without an open approach, collaboration is impossible. Therefore the sharing and validation of detection content is stymied.

Little user benefit from a closed approach.
OpenAppID Overview
What is OpenAppID?
An open source, application-focused detection language that enables users to create, share and implement custom application detection.
Key advantages:
• New simple language to detect apps
• Reduces dependency on vendor release cycles
• Build custom detections for new or specific (e.g. geo-based) app-based threats
• Easily engage and strengthen detector solutions
• Application-specific detail with security events
Goals and Benefits
• Market defining
– Application Visibility and Control will be done the right way, and Cisco will be leading.
• Snort community ready
– A widely-used engine with a lot of attention and expert users to multiply efforts
• Crowdsourcing detection model
– Scales where needed
– Enables users to build and share content
– Great for geo-specific apps and custom internal apps
– Creates a single de facto standard for application identification
• Roadmap to enable Cisco products to benefit
Snort Architecture
Packet path: network → DAQ libraries → Packet Decoder → Preprocessors → Detection Engine → Logging and Alerting System → Output Modules → alert and log files

• Packet Decoder
– Packets are read using the Data AcQuisition library (DAQ) (e.g. afpacket)
– Decodes datalink protocols
– Decodes network protocols
– Decodes transport protocols
• Preprocessors
– Examine packets
– Modify packets
– Normalize traffic
• Detection Engine
– Uses Snort rules to create signatures for threats
– Wide range of detection capabilities
– Modular detection elements
The AppID Preprocessor
• Leverages the Snort HTTP preprocessor for header extraction
• Identifies the application
• Generates appid attributes (payload, misc, client, service) that can be used in Snort rules:
alert tcp any any -> any any (msg:"openAppId: FTP CWD to root attack"; appid: ftp; pcre:"/cwd.*root/i"; sid:1018758; rev:4;)
• Generates application statistics, readable with u2openappid:
[root@OpenAppID snort.log]# u2openappid appstats-unified.log.1392582000
statTime="1392581980",appName="openssh",txBytes="4351",rxBytes="4575"
statTime="1392581980",appName="ssh",txBytes="4351",rxBytes="4575"
statTime="1392581980",appName="cnn.com",txBytes="1746",rxBytes="17030"
statTime="1392581980",appName="http",txBytes="475",rxBytes="423"
statTime="1392581980",appName="mdns",txBytes="108",rxBytes="0"
• The AppID preprocessor uses the Lua scripting language for writing application detectors
AppID Preprocessor Configuration
• Configured in the snort.conf file
• Syntax:
preprocessor appid : [memcap <memsize>,] [app_stats_filename <filename>,]
    [app_stats_period <time>,] [app_stats_rollover_size <size>,]
    [app_stats_rollover_time <time>,] app_detector_dir <path>
memcap – upper bound for memory use in bytes [default 256 MB]
app_stats_filename – name of the application statistics file [appstats-unified.log]
app_stats_period – bucket size for statistics in seconds [300]
app_stats_rollover_size – file size that will cause rollover in bytes [20 MB]
app_stats_rollover_time – time duration that will cause rollover in seconds [1 day]
app_detector_dir – directory containing the application detectors [mandatory attribute, no default]

• Example:
preprocessor appid : app_stats_filename appstats-detectorA.log, app_stats_period 60, app_detector_dir /root/openAppId/applications
Custom Rules and Performance Tuning
Custom Rules
• What are we trying to detect?
• How do we detect it?
• Basic rule configuration components
• Example custom rules:
– String-based rule: looking for a fixed string, e.g. an admin login path, in HTTP
– Rate-based detection: is this activity happening more than x times per y seconds (somebody using a script to brute-force a login)? Event rate filtering (section 2-4, event processing)
– Regex rule with a content anchor to start with, and why we do this instead of a bare regex (expanding on the first two)
• Small primer on regex
• The rule revision (rev) keyword as part of best practices
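The three example rules the outline lists, modelled together in one added Python example (not code from the deck and not Snort's engine): a literal content anchor is tested before the regular expression, so the expensive regex only runs on payloads that can possibly match, and a detection_filter-style threshold tracked by source turns repeated matches into a single brute-force alert. The Rule class, the sample traffic and the timestamps are constructed; the Snort rule in the comment is an illustrative equivalent using a sid from the local range.

```python
"""A custom-rule evaluator in miniature: content anchor first, regex second,
detection_filter-style rate threshold last. Added example; the login traffic
below is constructed, with timestamps in seconds."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Rule:
    msg: str
    content: bytes      # literal that must be present before the regex runs
    pcre: re.Pattern    # only evaluated when the content anchor hits
    count: int          # detection_filter count: alert once matches exceed this
    seconds: int        # detection_filter window, tracked by source


# The same rule written in Snort syntax (illustrative; sid in the local range):
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"admin login brute force";
#   flow:to_server,established; content:"/admin/login"; http_uri;
#   pcre:"/user=admin&pass=[^&\s]+/P"; detection_filter:track by_src, count 5, seconds 60;
#   sid:1000001; rev:1;)
ADMIN_BRUTE_FORCE = Rule(
    msg="admin login brute force",
    content=b"/admin/login",
    pcre=re.compile(rb"user=admin&pass=[^&\s]+"),
    count=5,
    seconds=60,
)


def evaluate(rule, events):
    """events: iterable of (timestamp, src_ip, payload bytes).
    Returns (alerts, stats): alerts as (timestamp, src_ip), and counters
    showing how often the expensive regex actually ran."""
    recent = defaultdict(deque)      # src_ip -> timestamps of matches in window
    alerts = []
    stats = {"content_checks": 0, "pcre_runs": 0}
    for ts, src, payload in events:
        stats["content_checks"] += 1
        if rule.content not in payload:
            continue                  # anchor miss: the regex never runs
        stats["pcre_runs"] += 1
        if rule.pcre.search(payload) is None:
            continue
        window = recent[src]
        window.append(ts)
        while ts - window[0] >= rule.seconds:
            window.popleft()          # drop matches older than the window
        if len(window) > rule.count:  # detection_filter: fire after `count` matches
            alerts.append((ts, src))
    return alerts, stats


def _login(user, password):
    body = b"user=%s&pass=%s" % (user, password)
    return b"POST /admin/login HTTP/1.1\r\nHost: intranet\r\n\r\n" + body


# Constructed traffic: six quick attempts from one client, then a seventh
# after the first two have aged out of the 60-second window.
EVENTS = [
    (0,  "10.0.0.5", _login(b"admin", b"letmein")),
    (10, "10.0.0.5", _login(b"admin", b"Passw0rd")),
    (20, "10.0.0.5", _login(b"admin", b"admin123")),
    (30, "10.0.0.5", _login(b"admin", b"qwerty")),
    (40, "10.0.0.5", _login(b"admin", b"summer15")),
    (50, "10.0.0.5", _login(b"admin", b"welcome1")),
    (55, "10.0.0.9", _login(b"admin", b"hunter2")),          # one attempt: no alert
    (56, "10.0.0.9", _login(b"bob", b"x")),                  # anchor hits, regex misses
    (57, "10.0.0.9", b"GET /index.html HTTP/1.1\r\n\r\n"),   # anchor misses
    (70, "10.0.0.5", _login(b"admin", b"monkey")),
]

if __name__ == "__main__":
    print(evaluate(ADMIN_BRUTE_FORCE, EVENTS))
```

Only the sixth attempt from 10.0.0.5 alerts: the window holds more than five matches at that point, and by the seventh attempt the two oldest have expired. The counters show the regex ran on nine of ten packets here because almost all of this constructed traffic carries the anchor; on a real link the anchor filters out the vast majority of packets before the regex is touched, which is the reason to lead every pcre rule with a content match.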
Rule Performance Monitoring and Tuning
• When dealing with custom rules (and sometimes default rule sets), performance profiling lets you configure a sensor to collect statistics on rule and preprocessor utilization. These statistics help when tuning your installation and determining how well your rule set is performing.
• There are two types of profiling that can be configured:
– Rule profiling
– Preprocessor profiling
During
Before, During and After
• Before: Change the policy of the sensor
• During: Change the way the sensor responds to an attack
– Creating and using Correlation Rules
– Creating and using Remediation Rules
• After: Change the way data is displayed and how users interact with that data
Correlation Policies and Rules
• Correlation policies and rules allow users to take additional actions and surface events for very specific event chains.
• Can use multiple event types within a single rule:
– Intrusion event with a host profile qualification
– Intrusion event with a flow track
– Discovery event with a host track

Correlation Example Rule (screenshot)

Remediation Modules
Remediation Modules
• Remediation modules allow the sensor to take an action based upon specific conditions.
• These actions can be external, like creating null routes on an IOS router or shunning on a PIX, or in the future possibly using pxGrid to change the status of a user in ISE.
FirePOWER + ISE == Better Together
• Once an abnormality is detected, is deny my only option?
• What if I want to be able to just clamp it down and keep monitoring it?
• What if I want to be able to do more security inspection before I make a decision?
Threat-Centric Security with TrustSec, ISE, FirePOWER
• Cisco TrustSec, Cisco ISE and Cisco FirePOWER together re-classify network traffic based on behavior:
– Invoke new service policy actions like IPS
– Modify network access for a host transparently – with no VLAN change
– Prevent user-to-user flows to restrict malware propagation without blocking Internet access
– More in the future: QoS, re-route, …
FirePOWER Remediation to ISE 1.2
Example walkthrough using the ISE 1.2 Remediation Module beta
Cisco TrustSec, ISE, and FirePOWER
Scenario components: ISE, Database Server (Data Center), Defense Center, Sensor; security groups: PCI SGT, Auditor SGT, Quarantine SGT (Quarantine/Remediation); endpoints: PCI Client (POS), In-House Compliance Expert/Auditor.

1. In-house auditor connects using her iPad
2. ISE authenticates the user
3. ISE authorizes and assigns the Auditor SGT based on user profile and device type
4. Traffic monitored by sensor
5. iPad is compromised
6. FireSIGHT detects anomalous behavior
7. FireSIGHT notifies ISE via EPS (Endpoint Protection Service)
8. ISE sends a CoA, the SGT is changed to Quarantine, restricted access granted

PCI Auditor Connection (screenshot)
PCI Credit Card Data
The PCI auditor has access to credit card database records as part of their job.

Infection
While at home or off campus, the iPad gets infected with some type of malware.

FirePOWER Detects Propagation
While on campus, a FirePOWER device detects malware propagation or exploitation attempts.

Instead of just blocking the Malware or Exploit, tell ISE
Using a remediation module, FirePOWER can tell ISE to quarantine the host.

ISE with TrustSec
ISE with TrustSec controls who can access the network and how they access it.

PCI Assets Protected
Instead of just blocking the one attack that was detected, the host was moved into the Quarantine security group (a change of SGT, not of VLAN) and until cleaned cannot access any important assets.
FirePOWER and ISE 1.3 w/ pxGrid
A proof-of-concept project was created to show FirePOWER remediation using ISE 1.3 and pxGrid.

* Proof of Concept Only
pxGrid Components
pxGrid (Cisco Platform Exchange Grid)
http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-728420.pdf

• ISE pxGrid Publisher
• ISE pxGrid Controller
• pxGrid Client: Sourcefire-Agent* (* Proof of Concept Only)
FirePOWER-agent* Registration and Subscription to pxGrid
• SessionDirectory – exposes the existing attributes in the ISE session directory for pxGrid session objects: session state, IP address, username, user AD domain, MAC, NAS IP address, TrustSec security group name
• EndPointProtectionService – exposes the EPS quarantine/unquarantine pxGrid objects (e.g. epstatus=quarantine)
Cisco FirePOWER and pxGrid Integration* Data Flow
Parties: FirePOWER Remediation Module → FirePOWER pxGrid Agent → ISE pxGrid Node

Connection parameters for the agent:
– IP address of the ISE pxGrid node
– Identity (host certificate)
– CA root certificate
– Private key password

Exchange:
1. External authentication complete
2. Register SourcefireAgent and subscribe to SessionDirectory and EndpointProtectionService**
3. Authenticated SASL successfully
4. Successfully subscribed
5. Send mitigation action request: mitigation action=quarantine; IP=10.0.0.18
6. ISE processes the request (GLC libraries) and sends information
7. Mitigation successful

** EndpointProtectionService: the agent must be manually moved into the EPS client group
Walk-through: Download suspicious executable - 'putty.exe' (screenshots)
1. Violation of Intrusion Policy
2. Correlation
3. Mitigation: mitigation action = quarantine destination IP

Walk-through: Remediation - Browse to Web site (screenshots)
1. UnQuarantine
2. Correlation
3. Mitigation: mitigation action = unquarantine destination IP
After
Before, During and After
• Before: Change the policy of the sensor
• During: Change the way the sensor responds to an attack
• After: Change the way data is displayed and how users interact with that data
– Custom Block Responses
– Host attributes
– Custom tables
– Custom workflows
Custom Block Response Pages
• A simple update that can be leveraged for existing infrastructure.
• Example: use a Google Docs spreadsheet and web form for user access requests.
– Create a Google spreadsheet and add a web form to the spreadsheet.
– Add either the URL or the iframe to the default block page.
• Modify the existing custom block page (screenshot).
Host Attributes
• Host-profile based.
• Allow the user to alert and perform analysis on events as they pertain not only to the chance of success but also to the severity of success.
• Become key in correlation rules.
• Allow the user to alert based on location or division.
• Integer, List, Text and URL attribute types are available.

Host Attributes
• List option as an example (screenshot).
• Multiple attributes can be used on a single host, e.g. Location and Criticality, or Location and PCI/HIPAA/DMZ.
• The URL option can be used to call back to an asset database or other web-enabled tool for additional device history or options.
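How host attributes feed a correlation rule and on into a remediation, as one added Python example covering the Correlation Policies and Rules, Remediation Modules and Host Attributes slides (not code from the deck or from the Defense Center): intrusion events are matched against rules whose host qualification reads List/Text attributes on the target's host profile, and each matching rule names the remediation module to run. The classes, attribute names, rule names, remediation names and event data are all constructed for illustration.

```python
"""Correlation rule with a host-profile qualification, driving a remediation.
Added example: hosts carry attributes such as Criticality and Compliance, rules
qualify on them, and hits are collapsed into one remediation per host."""
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    os: str
    attributes: dict = field(default_factory=dict)   # e.g. {"Criticality": "High"}


@dataclass
class IntrusionEvent:
    ts: int
    src: str
    dst: str
    sid: int
    impact: int          # 1 = target known vulnerable ... 4 = unknown target


@dataclass
class CorrelationRule:
    name: str
    max_impact: int           # fire only for events with impact <= this
    host_qualification: dict  # target-host attribute -> set of acceptable values
    remediation: str          # name of the remediation module to invoke


def host_qualifies(host, qualification):
    """Every qualified attribute must be set on the host with an allowed value;
    a host missing the attribute never qualifies."""
    return all(host.attributes.get(attr) in allowed
               for attr, allowed in qualification.items())


def correlate(rules, hosts, events):
    """Return one (rule name, remediation, target ip, sid) record per rule hit.
    Events against targets without a host profile never qualify."""
    hits = []
    for ev in events:
        host = hosts.get(ev.dst)
        if host is None:
            continue
        for rule in rules:
            if ev.impact <= rule.max_impact and host_qualifies(host, rule.host_qualification):
                hits.append((rule.name, rule.remediation, ev.dst, ev.sid))
    return hits


def remediation_plan(hits):
    """Collapse hits into one remediation per (module, host), so a noisy
    attacker does not trigger the same quarantine request repeatedly."""
    plan = {}
    for _rule, module, ip, sid in hits:
        plan.setdefault((module, ip), set()).add(sid)
    return plan


# Constructed host profiles with attributes, correlation rules and events.
HOSTS = {
    "10.1.1.10": Host("10.1.1.10", "Windows",
                      {"Criticality": "High", "Compliance": "PCI", "Location": "DC1"}),
    "10.1.2.20": Host("10.1.2.20", "Linux", {"Criticality": "Low", "Location": "Guest"}),
}

RULES = [
    CorrelationRule("PCI host hit by attack it is vulnerable to", 1,
                    {"Compliance": {"PCI"}, "Criticality": {"High", "Medium"}},
                    "ise_quarantine"),
    CorrelationRule("Guest network attack", 2, {"Location": {"Guest"}}, "syslog_alert"),
]

EVENTS = [
    IntrusionEvent(100, "198.51.100.7", "10.1.1.10", 2001, 1),  # PCI host, vulnerable
    IntrusionEvent(101, "198.51.100.7", "10.1.1.10", 2001, 1),  # same attack again
    IntrusionEvent(102, "198.51.100.7", "10.1.1.10", 2002, 3),  # impact 3: not relevant
    IntrusionEvent(103, "203.0.113.4", "10.1.2.20", 2001, 2),   # guest host
    IntrusionEvent(104, "203.0.113.4", "10.9.9.9", 2001, 1),    # no host profile
]

if __name__ == "__main__":
    hits = correlate(RULES, HOSTS, EVENTS)
    print(hits)
    print(remediation_plan(hits))
```

The PCI rule fires twice for the same host and the plan still contains a single quarantine request for it; the guest host gets an alert-only remediation because its Location attribute says so, and the event against 10.9.9.9 is dropped because there is no host profile to qualify against, which is the usual reason a correlation rule with a host qualification is quieter than the bare intrusion event.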
Custom Tables
• Combine event types into a single table
• Allow users to focus reporting and analysis across multiple tables
• Can be used in custom widgets, giving widgets visibility into previously unavailable tables
• Extremely flexible in providing custom visualization of event data and correlations within the management console
– For example, the next screen (screenshot) shows a sample custom table that uses data elements from three tables:
• Connection Events
• Host Attributes
• Indications of Compromise
Custom Workflows
• Custom workflows allow users to customize, per user, how they want to view data.
• Can be created or changed on multiple event type tables (Intrusion, Connection, Malware, etc.)
• Allow multiple pages with 5 columns per page.
• Allow a table view of all columns available within the specified event table.
• Use any column in the table and apply a sort order for clarity.
• Add multiple pages with the expectation that each lower page will be constrained by the selection(s) on the preceding page.
Call to Action
Visit the World of Solutions for
– Cisco Campus
• Cisco ASA with FirePOWER Services
• Cisco Next-Generation IPS/FireSIGHT
• Fire and ISE demo in the ISE 1.3 pxGrid with Technology Partners
• Use cases: ISE/IDS/ASA iPad demo and AnyC/ISE/ASA demo
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations and the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.