Deploying Intrusion Prevention Systems
Stijn Vanveerdeghem, Technical Marketing Engineer
BRKSEC-2030
Agenda
• Introduction to IPS
• Cisco NGIPS Solutions
• Deploying Cisco NGIPS
• Migrating to Firepower NGIPS
• Conclusion
Objectives: What will you learn in this session?
• Next Generation Security and IPS Fundamentals
• Understand the basic premise of Next-Generation Firewall and IPS
• Cisco NGIPS Solutions
• Understand what different Cisco NGIPS solutions exist and how they differ
• Deploying Cisco NGIPS
• Understand the process to select the right NGIPS solution
• Understand what the important considerations are when deploying NGIPS
• Migrating to FirePOWER NGIPS
• High level understanding of the process of migrating to FirePOWER NGIPS
Objectives: What is not covered (in depth) in this session?
• Not covered in depth in this session, so check out:
• Deploying Firewalls
BRKSEC-2020 - Firewall Deployment
BRKSEC-2028 - Deploying Next Generation Firewall with ASA and Firepower Service
• Troubleshooting FirePOWER
BRKSEC-3055 - Troubleshooting Cisco ASA with FirePOWER Services
• Detailed Migration to FirePOWER Services
BRKSEC-2018 - Tips and Tricks for Successful Migration to FirePOWER Solutions
• Tuning FirePOWER
BRKSEC-3126 - FirePOWER: Advanced Configuration and Tuning
Introduction to IPS
2015 Cisco Annual Security Report
Introduction to IPS: What is IPS?
Why do I need IPS: Challenges come from every direction
[Figure: word cloud around the defenders – sophisticated attackers, complex geopolitics, boardroom engagement, misaligned policies, dynamic threats, complicit users]
Cisco NGIPS Solutions
Legacy Cisco IPS 7.x
Traditional IPS Solution
• Supported on IPS 4200, 4300, 4500 series appliances
• Supported ASA 5500-X and previous generation ASA
Cisco FirePOWER NGIPS/NGFW
Next-Generation IPS, Firewall, and Anti-Malware Solution
• Supported on Firepower 7000 and 8000-series Appliances
• Supported on ASA5500-X
• Supported in VMware ESX
Cisco NGIPS Solutions: Cisco FirePOWER NGIPS
Traditional stateful firewalls keep state of traffic flows based on L2-L4 information.
Access-Control Policies are configured based on 5-tuple
Provide limited visibility and controls into application, user and context.
Other typical features of a traditional firewall are:
• NAPT
• High Availability
• Routing and Transparent deployment options
• VPN termination
Cisco NGIPS Solutions: Traditional Stateful Firewall
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 80
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 443
Next-Generation Firewalls perform deep inspection of traffic and threat prevention, building on traditional firewall with
• Integrated Signature based IPS engine
• Application visibility and granular control (AVC)
• Identity awareness and control
• Capability to incorporate external information (feeds)
Cisco NGIPS Solutions: Next-Generation Firewall
Traditional IPS provides signature-based pattern matching for detection and prevention of intrusion attempts.
• Typically deployed behind a Firewall or in IDS mode
• Typically “Bump in the wire”
• Often looks for exploits rather than vulnerabilities
• Often overwhelms analysts with irrelevant events
• Gives little contextual information on which to act
• Requires a high level of tuning
As a result, traditional IPS
• Often needs additional devices to perform FW and other tasks
• Is often minimally effective or isn’t used
• Requires massive amounts of time and resources to make it work
• May leave organizations exposed
Cisco NGIPS Solutions: Traditional IPS
Next-Generation IPS extends traditional IPS with
• Application awareness to enable visibility into new L7 threats and reduce the attack surface
• Contextual awareness, providing information to better understand events, enable automation and reduce cost, complexity and tuning effort
  • Automated IPS tuning
  • Host and user profiles
  • Impact assessment
• Content awareness: determining file types and whether those files can be malicious
Next-Generation IPS is often deployed as part of a Next-Generation Firewall
Cisco NGIPS Solutions: Next-Generation IPS
Cisco NGIPS Solutions: What does a Security Appliance offer?
Base Hardware and Software
• 5585-X Bundle SKUs with FirePOWER Services Module
• 5585-X Enhanced Performance Models
• 5500-X SKUs running FirePOWER Services Software
• New 5506/8/16-X for SMB, Distributed Enterprises and Industrial Control
• Hardware includes Application Visibility and Control (AVC)
• Traffic forwarded from ASA to FirePOWER services using MPF
Security Subscription Services
• IPS, URL, Advanced Malware Protection (AMP) Subscription Services
• One- and Three-Year Term Options
• Available via ELA
Management
• FireSIGHT Management Center (HW Appliance or Virtual)
• Cisco Security Manager (CSM) or ASDM to Manage ASA Features
• ASDM manages both ASA and FirePOWER Services on new ASA low/mid models
Cisco NGIPS Solutions: ASA with FirePOWER Services
Cisco NGIPS Solutions: ASA with FirePOWER Services Architecture
[Figure: ASA 5585-X with FirePOWER Services – traffic enters at the ASA module ports (10GE NICs, fabric switch, crypto engine, CPU complex), crosses the backplane to the SFR module (fabric switch, crypto or regex engine, CPU complex) and egresses after FirePOWER processing]
• ASA processes all ingress/egress packets
• No packets are directly processed by FirePOWER except for management (unless using interface forwarding mode)
• FirePOWER provides Next Generation Firewall Services
Cisco NGIPS Solutions: ASA with FirePOWER Services
Model                   | AVC       | AVC+IPS   | Notes
ASA 5506-X              | 250 Mbps  | 125 Mbps  |
ASA 5506W-X             | 250 Mbps  | 125 Mbps  | Integrated Wireless AP
ASA 5506H-X             | 250 Mbps  | 125 Mbps  | Ruggedized
ASA 5508-X              | 450 Mbps  | 250 Mbps  |
ASA 5516-X              | 850 Mbps  | 450 Mbps  |
ASA 5512-X              | 300 Mbps  | 150 Mbps  |
ASA 5515-X              | 500 Mbps  | 250 Mbps  |
ASA 5525-X              | 1.1 Gbps  | 650 Mbps  |
ASA 5545-X              | 1.5 Gbps  | 1 Gbps    |
ASA 5555-X              | 1.75 Gbps | 1.25 Gbps |
ASA 5585-X SSP 10       | 4.5 Gbps  | 2 Gbps    |
ASA 5585-X SSP 20       | 7 Gbps    | 3.5 Gbps  |
ASA 5585-X SSP 40       | 10 Gbps   | 6 Gbps    |
ASA 5585-X SSP 60       | 15 Gbps   | 10 Gbps   |
ASA 5585-X SSP EP 10/40 | 4.5 Gbps  | 4.5 Gbps  |
ASA 5585-X SSP EP 20/60 | 7 Gbps    | 7 Gbps    |
Base Hardware and Software
• Single-pass Architecture
• 8000 Series with
  • Modular Interface Options (NetMods), including 10 and 40 Gbps
  • Clustering support for HA
  • Stacking capable for increased throughput up to 60 Gbps
• 71x5 Series with 8 Fail-Closed SFP ports
• 7000 Series with built-in 1 Gbps Copper interfaces
• Virtual FirePOWER NGIPSv for VMware ESX(i)
Security Subscription Services
• IPS, URL, Advanced Malware Protection (AMP) Subscription Services
• One- and Three-Year Term Options
• Available via ELA
Management
• FireSIGHT Management Center (HW Appliance or Virtual)
Cisco NGIPS Solutions: FirePOWER Appliances
• FirePOWER Applications (NGIPS, AppID, AMP)
• Application/Control Plane Processing
• L2-L7 Classification
• Stateful Flow Processing
• PKI and Bulk Cryptography
• Flow-based Load Balancing
• L2 switching / L3 Routing / NAPT
• L2-L4 Packet Classification
• Packet-based load balancing
• Physical Interfaces
• Integrated Bypass Relays
Cisco NGIPS Solutions: FirePOWER Appliances Architecture
[Figure: the hardware layers the functions above map onto – CPU, NFE, NMSB and NetMods]
Cisco NGIPS Solutions: FirePOWER Appliances
[Figure: appliance families by IPS throughput – 7000-series 50 to 250 Mbps, 7100-series 500 Mbps to 2 Gbps, 8100-series 2 to 12 Gbps, 8200 and 8300-series 10 to 60 Gbps, NGIPSv ~250 Mbps to ~2 Gbps]
Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances
Solution     | ASA with FirePOWER Services                        | FirePOWER Appliances
Form Factor  | ASA 5500-X, 5585-X                                 | 8000, 7000 Physical and Virtual Appliances
Performance  | Up to 10 Gbps NGIPS on a single 5585-X SSP60       | Up to 60 Gbps on 8390
Deployment   | Physical ASA Inline Deployment, HA, Clustering     | Physical or SPAN Deployment, HA
Use Case     | Inline and Promiscuous NGIPS and NGFW              | Inline and Promiscuous NGIPS and NGFW
Packet Flow  | From ASA to FirePOWER Module                       | Directly through FirePOWER Appliance
Management   | CSM/ASDM for ASA, FMC/ASDM* for FirePOWER Services | FireSIGHT Management Center
Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances
Solution       | ASA with FirePOWER Services                                                                | FirePOWER Appliances
Features       | All ASA + Most FirePOWER features                                                          | FirePOWER features
Multi-Context  | Ability to apply FirePOWER policy per context and generate reports on a per-context basis | Ability to define Security Zones and apply policy and generate reports per zone
SSL Decryption | Currently only with external appliance                                                     | Integrated as well as external appliance
VPN            | Multiple remote-access and site-to-site options (IPSec, SSL)                               | Limited site-to-site IPSec support
HA             | Active/Standby, Active/Active, Clustering                                                  | Active/Standby (Clustering)
Routing        | Static, EIGRP, OSPF, BGP, RIP, Multicast                                                   | Static, OSPF, RIP
Identity       | SFUA, AD Agent, CDA and TrustSec on ASA                                                    | SFUA, AD Agent, Passive Discovery
Bypass         | Module Fail-Open                                                                           | Automatic Application Bypass, HW Bypass
Cisco FireSIGHT Management Console: Single Console for Event, Policy and Configuration Management
Deploying Cisco NGIPS
IPS Deployment Cycle
[Figure: Policy → Planning & Hardware Selection → Implementation & Operation → Evaluation, repeating as a cycle]
Policy: Network Security Policy
• Outlines rules for computer network access
• Determines how policies are enforced
• Basic Architecture of the network security environment
• Keep malicious users out
• Exert control over potentially risky internal users
• Attack Mitigation and Incident Response
• Align to business needs
IPS Deployment Cycle: Planning & Hardware Selection
• Details how Security Policy will be met
• Write up of all requirements to prepare for implementation
• Good planning will lead to a successful implementation
• Reduces complexity
• Predictability and risk awareness
• Select Devices based on requirements
Planning and Hardware Selection: Define your requirements
[Figure: requirement areas – Use Case, Location, Connectivity, Performance, Availability and Scaling, Management – feeding the Implementation choices: Features and Licenses, Hardware]
Use Case: What problem are we solving?
Traditional FW
• 5-tuple Access Control
• Stateful Protocol Inspection
• NAT
• Routing
NGFW
• Application Visibility and Control
• User-Based Controls
• Filtering Web Access
• Encrypted Traffic
NGIPS
• Intrusion Detection
• Intrusion Prevention
• Encrypted Traffic
• Compliance
• Network Forensics
VPN
• Remote Access
• Site-to-Site
• NAT, Routing, …
Malware
• Trojan Horses, Rootkits, …
• Scope spreading
• 0-days
• Deep visibility into App usage, regardless of port/protocol
• Reduce Attack Surface and Inspection Requirements
• Reclaim bandwidth from streaming/sharing Apps
• Restrict Mobile Apps in BYOD environments
• Limit Social Media to control malware and data leakage
Use Case: Application Visibility and Control
• Policies enforced by user/group, network, zone, or VLAN
• Fully integrated with NGIPS
• > 2300 Apps and Sub-Apps
• Apps classified by risk, relevance, type, category and tag
• Today’s networks are designed to be highly flexible and promote information sharing and collaboration
• This flexibility can also be the source of substantial risk if traffic is allowed to flow freely without some form of monitoring and control
• Viruses, Worms, Spyware, Adware and the like are all connected pieces of crimeware infrastructure designed to ensure that breaches are difficult to catch, allow for continuous access, while remaining hidden in plain sight.
• Security personnel struggle to understand the broader impact, context and spread of malware across the network and endpoints.
Use Case: Malware
To mitigate these risks, the Cisco NGIPS with AMP detects the movement and disposition of files on the network and allows the appropriate action to be taken.
Use Case: Malware – File based malware prevention with AMP
[Figure: Reputation Filtering and File Sandboxing – One-to-One Signature, Fuzzy Finger-Printing, Machine Learning, Advanced Analytics, Dynamic Analysis]
Use Case: Malware – AMP Provides Continuous Retrospective Security
[Figure: continuous analysis over a telemetry stream – control points (Web/WWW, Endpoints, Network, Email, Devices, IPS) feed file fingerprints and metadata, file and network I/O and process information into a continuous feed; inspection verdicts flow back across the breadth of control points]
• Block non-business-related sites by category or reputation
• Ability to apply URL filtering policy on a per-user or per-user-group basis
• Apply other specific policies based on URL category (file, IPS, decryption)
Use Case: URL Filtering
Use Case: Inspecting Encrypted Traffic
• > 30% of Internet traffic is SSL encrypted, hiding it from inspection
• Google, Facebook, Office 365
• Expected to increase by 50% in 2015
• Google to prioritize sites using SSL
• Increasing % of malware is hiding in SSL tunnels
• Malware downloads
• CnC connections
• Data exfiltration
• Policy enforcement and threat protection
• Choose external SSL for high bandwidth and the ability to inspect with other solutions, e.g. DLP
• Use the new built-in SSL inspection for simplicity and cost-effectiveness
[Figure: client–server session encrypted end to end; an SSL Appliance hands FirePOWER the decrypted copy]
Use Case: Inspecting Encrypted Traffic with on-box decryption
• Multiple Deployment modes
• Passive Inbound (known keys)
• Inbound Inline (with or without keys)
• Outbound Inline (without keys)
• Flexible SSL support for HTTPS & StartTLS-based apps
• E.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
• Decrypt by URL category and other attributes
• Centralized enforcement of SSL certificate policies
• e.g. blocking self-signed encrypted traffic, SSL version, specific Cipher Suites, unapproved mobile devices
Use Case: Inspecting Encrypted Traffic with external appliance
• Cisco SSL Appliance 1500, 2000, 8200 (4, 10 and 20 Gbps)
• Encrypted traffic flow
• Decrypted by SSL Appliance
• Re-encrypted by SSL appliance
• Plain text traffic flow
• Decrypted by SSL Appliance
• Sent to sensor
• Processed and returned to SSL Appliance
• Packets returning from the sensor are not re-encrypted
• Modifications made to packets by the sensor are not present in the encrypted traffic flow
• Non-SSL traffic is cut through
[Figure: SSL Appliance between Inside Network and Outside Network – clear text traffic to and from the sensor, SSL traffic with the original certificate on one side and with a rewritten certificate on the other]
• Identify and log Intrusion attempts
• Need to prioritize events based on
• Criticality of the asset
• Relevancy of the attack
• Potential for damage
• What signatures to enable ?
• How to avoid noise, false positives and non-relevant events ?
• How to maximize the effectiveness of the analyst ?
• How to deal with encrypted traffic ?
• Contextual Visibility is key !
Use Case: Intrusion Detection and Reporting (passive)
[Figure: Ethernet switch SPAN destination port feeding the sensor's passive interface]
• Identify, log and/or prevent intrusion attempts
• All of what matters for IDS also applies to IPS
• The right tuning is even more important because
• False Positives may drop good traffic
• Inline deployment may have an impact on performance
• Often IPS is deployed as IDS, then tuned before inline deployment
• Contextual Visibility is key !
Use Case: Intrusion Prevention
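One way to turn the prioritisation questions from the IDS and IPS slides above (criticality of the asset, relevancy of the attack, potential for damage) into an event ranking, added here as an illustration and not FireSIGHT code: an event against a host that actually runs the affected OS and service outranks the same signature fired at a host that cannot be affected. The impact levels, weights, host inventory and event records are all constructed for this example.

```python
"""Event prioritisation from host context (constructed example).

The impact level mimics the idea of rating an event against the target's
discovered profile; the numeric mapping and weights here are assumptions
made for this illustration, not product values.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    os: str                                   # discovered OS family
    services: set = field(default_factory=set)  # (proto, port) pairs seen
    criticality: str = "medium"               # asset value set by the analyst


@dataclass
class Event:
    sig_id: int
    dst_ip: str
    dst_port: int
    proto: str
    target_os: set     # OS families the signature's vulnerability affects
    severity: int      # 1 (low) .. 3 (high), from the rule metadata


# Constructed inventory, as passive network discovery might produce it.
HOSTS = {
    "10.0.1.10": Host("10.0.1.10", "windows", {("tcp", 445), ("tcp", 3389)}, "high"),
    "10.0.1.20": Host("10.0.1.20", "linux", {("tcp", 22), ("tcp", 80)}, "medium"),
}

CRIT_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def impact_level(ev, hosts):
    """1 = target runs the affected OS and the attacked service,
    2 = OS matches but the service was never seen,
    3 = host known and not affected, 4 = target unknown."""
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4
    if host.os not in ev.target_os:
        return 3
    return 1 if (ev.proto, ev.dst_port) in host.services else 2


def priority(ev, hosts):
    """Higher is more urgent: relevance x asset criticality x rule severity.
    Unknown targets rank above 'not vulnerable' because they still need a look."""
    relevance = {1: 4, 2: 3, 3: 1, 4: 2}[impact_level(ev, hosts)]
    host = hosts.get(ev.dst_ip)
    crit = CRIT_WEIGHT[host.criticality] if host else CRIT_WEIGHT["medium"]
    return relevance * crit * ev.severity


def triage(events, hosts):
    """Most urgent first; events against hosts that cannot be affected are dropped."""
    kept = [e for e in events if impact_level(e, hosts) != 3]
    return sorted(kept, key=lambda e: priority(e, hosts), reverse=True)


# Constructed events: an SMB exploit attempt against the Windows file server,
# the same signature fired at the Linux web host, and a probe of an unknown host.
EVENTS = [
    Event(1001, "10.0.1.10", 445, "tcp", {"windows"}, 3),
    Event(1001, "10.0.1.20", 445, "tcp", {"windows"}, 3),
    Event(2002, "10.0.9.9", 80, "tcp", {"linux"}, 2),
]

if __name__ == "__main__":
    for ev in triage(EVENTS, HOSTS):
        print(ev.sig_id, ev.dst_ip, "impact", impact_level(ev, HOSTS), "priority", priority(ev, HOSTS))
```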
Use Case: Licensing FirePOWER Appliances and Services
Component                                  | License Name       | Features Enabled
FirePOWER Appliances or FirePOWER Services | Protect            | IDS/IPS Functionality; File Control (Detect/Block); Security Intelligence
                                           | Control            | User/App Control; Virtual Routing/Switching/NAT; Stacking; Clustering (Physical Appliances)
                                           | URL Filtering      | URL Filtering based on Category and Reputation
                                           | Malware Protection | Detect and Block Malware transmitted through FirePOWER’s AMP capabilities
FireSIGHT Management Center                | FireSIGHT          | Network Discovery of Host, Apps, Users; Geo-Location Based Filtering
• Five (5) feature license packages are available
• AVC is part of the default offering
• One (1) and three (3) year terms are available
• SMARTnet is ordered separately with the appliance
[Figure: the five packages – URL, TAC, TAMC, TA, TAM – shown as stacks of the URL, IPS and AMP features each one includes]
Use Case: Licensing Packages for ASA with FirePOWER Services
Planning and Hardware Selection: Define your requirements – Location
• Internet Edge
• Data Center
• Branch
• Core
• Extranets
• Critical Network Segments
Location: What Network Segment do we want to protect?
• Enterprise’s GW to Cyberspace
• Serves diverse building blocks
• Allow outbound employee traffic and inbound traffic to servers
• Filter outbound employee traffic
• Need for diversified policy protecting both DMZ and users
Location: Internet Edge
• Houses the most critical applications and data
• Key to security is maintaining service availability
• Security may affect traffic flows, scalability and failures
• “Perceived” universal DC requirements include High Availability, the ability to deal with asymmetric traffic, and Scalability
Location: Data Center
Planning: Define your requirements – Connectivity
Connectivity: What Interfaces are needed?
• How Many Interfaces ?
• Fiber or Copper ?
• Bypass or non-bypass
• Interface Speed ?
• Need for bundling Interfaces ?
• Need for Wireless ?
Connectivity: Interface Options on ASA with FirePOWER Services
                       | 5506 | 5506-H | 5506-W | 5508/5516 | 5512/15            | 5525/45/55
Fixed 1GE Interfaces   | 8    | 4      | 8      | 8         | 6                  | 8
Modular Interfaces     | NO   | NO     | NO     | NO        | 6 GE Copper or SFP | 6 GE Copper or SFP
Integrated Wireless AP | NO   | NO     | YES    | NO        | NO                 | NO
Hardware Fast Path     | NO   | NO     | NO     | NO        | NO                 | NO
Monitor-Only Mode      | YES  | YES    | YES    | YES       | YES                | YES
Connectivity: Interface Options on ASA with FirePOWER Services
                     | 5585 SSP10F10 / SSP20F20 | 5585 SSP10F20 / SSP20F40 | 5585 SSP40F40 / SSP60F60
Fixed 1GE Interfaces | 16                       | 14                       | 16
SFP+ Sockets         | 4 (1/10 GE)              | 6 (1/10 GE)              | 8 (1/10 GE)
Hardware Fast Path   | NO                       | NO                       | NO
Monitor-Only Mode    | YES                      | YES                      | YES
Connectivity: Interface Options on FirePOWER Appliances and NGIPSv
                            | NGIPSv | 7000 | 7100                 | 8100                      | 8200/8300
Modular Interfaces          | NO     | NO   | 8 GE Copper or SFP * | Up to 3 modules (1,10 GE) | Up to 7 modules (1,10,40 GE)
Monitoring Interfaces (Max) | NO     | 8    | 8-12                 | 12                        | 28
Hardware Bypass             | NO     | YES  | YES                  | YES                       | YES
Hardware Fast Path          | NO     | NO   | NO                   | YES                       | YES
* 7115, 7125, and 7150 models only
Connectivity: Network Modules for FirePOWER 8000 Series
Integrated Bypass NetMods             | Non-Bypass NetMods
1-Gbps 4-port copper                  | 1-Gbps 4-port copper
1-Gbps 4-port fiber                   | 1-Gbps 4-port fiber
10-Gbps 2-port fiber SR (short-reach) | 10-Gbps 4-port fiber SR (short-reach)
10-Gbps 2-port fiber LR (long-reach)  | 10-Gbps 4-port fiber LR (long-reach)
40-Gbps 2-port fiber SR (8200/8300 only)
Connectivity: Link Aggregation for Link Redundancy and Scaling
[Figure: switch ports s1p1 to s1p4 bundled into lag0 towards the NGIPS appliance]
• Combine multiple links into one aggregated link (port-channel)
• Availability and Throughput
• Manual (always on) EtherChannel or LACP
• Supported on ASA and FirePOWER appliances
• ASA: multiple firewalls can be member of 1 port-channel (used in Clustering)
• Firepower Appliances: only supported to aggregate interfaces on the same device
Connectivity: Link Aggregation on FirePOWER Appliances
• Managed under Interface Configuration
• Supports switched & routed deployments
• Not supported on clustered devices today
• Not supported to load-balance across multiple devices
• FirePOWER appliances can also pass-through LACP when deployed between two LACP speakers
Connectivity: How should the sensor be connected?
FirePOWER Appliance Promiscuous Mode
• Passive Interface
FirePOWER Appliance Inline Mode
• Inline Interfaces
• Virtual Switched Mode
• Virtual Routed Mode
ASA with FirePOWER Services
• Inline
• Promiscuous
• SPAN Port Mode
Traditional IPS Deployment
• Bump in the wire, entirely transparent to the network
• Bypass functionality
• Easy to insert into an existing network
• i.e. FirePOWER Inline Interfaces
Traditional Transparent Firewall Deployment
• No Bypass functionality
• Can actively participate in the network (i.e. keeps CAM table, can broadcast ARP request)
• State-sharing is a requirement for network continuity in HA pairs
• i.e. Virtual Switched Mode
Connectivity: FirePOWER Appliance Deployment Models
Traditional IDS Deployment
• SPAN, TAP to send a copy of traffic to IDS
• Does not impact network traffic
• Easy to insert into an existing network
• i.e. Passive Mode
Traditional Routed Firewall Deployment
• FW is a hop in the network between L3 boundaries
• Has to be aware of routing protocols
• State-sharing is a requirement for network continuity in HA pairs
• i.e. Virtual Routed Mode
[Figure: Ethernet switch SPAN destination port feeding the sensor's passive interface]
• FirePOWER Appliances and NGIPSv
• Only copies of the packets are sent to the sensor
• One or more physical ports designated as passive
• Visibility and Detection
• Optional prevention through remediation modules
• Separate device must send copies of the packets
• SPAN (or monitor) from a switch
• Network Taps
Connectivity: FirePOWER Appliance Promiscuous – Passive Interface
monitor session 1 type local
 source interface fa4/1
 destination interface fa2/2
• Two physical interfaces paired together
• Paired interfaces must be assigned to an inline set
• Multiple Pairs can be configured on same sensor as sets
• IPS between two access-ports on the same switch or between two different switches
• Traffic passes through the sensor
• Pass Good Traffic, and Block Bad
• Redundancy can be provided with STP or additional sensor.
• Fail-open can be provided with hardware-bypass interfaces
[Figure: transparent inline interfaces – the sensor is a Layer 2 bridge sitting between two physical ports on a switch or on two different switches]
Connectivity: FirePOWER Appliance Inline – Inline Interfaces
• Create an Inline Set
• Select Bypass mode
• Assign one or more interface pairs to the Inline Set
• Advanced Options:
• Tap Mode
• Propagate Link State
• Transparent Inline Mode
• Strict TCP Enforcement
Connectivity: FirePOWER Appliance Inline – Configuring Inline Interfaces
[Figure: HostA (VLAN10) and HostB (VLAN20) connected through the sensor's virtual switch]
Connectivity: FirePOWER Appliance Inline – Virtual Switched Mode
• Virtual Switch is defined within the sensor
• Traditional L2 Firewall deployment model
• Two or more Physical Interfaces or VLANS are assigned to the Virtual Switch
• Traffic passes through the IPS and gets Inspected
• The incoming VLAN tag is stripped and packets are re-encapsulated with the egress VLAN tag when leaving
• Security Redundancy (HA) can be provided with STP deployments
• Network Availability (Fail-Open) can be provided with a redundant wire
Connectivity: FirePOWER Appliance Inline – Configuring Inline Switched Mode
• Create logical switched interfaces for each VLAN *
• Create a Virtual Switch
• Add logical or physical interfaces to the Virtual Switch
• Advanced Options:
• Static MAC Entries
• Strict TCP Enforcement
• Drop BPDUs
• Two or more physical or logical (VLAN) interfaces defined as routable interfaces
• Traditional L3 firewall deployment
• Route Good Traffic, and Drop Bad
• Static Routing, RIP and OSPF are supported
• Redundancy can be provided through SFRP to a standby sensor
• Fail-open is NOT supported in routed mode
[Figure: routed interfaces – the sensor is an L3 hop between two networks]
Connectivity: FirePOWER Appliance Inline – Virtual Routed Mode
Connectivity: FirePOWER Appliance Inline – Configuring Virtual Routed Mode
• Create logical routed interfaces for each VLAN *
• Assign IP addresses to logical or physical routed interfaces
• Create a Virtual Router
• Add logical or physical interfaces to the Virtual Router
• Configure Routing type
• Advanced Options:
• IPv6 Support
• DHCP Relay
• Static Routing Entries
• Routing Filter
• Authentication Profile
ASA itself could be deployed in many ways:
• L2 (Transparent) / L3 (Routed mode)
• Single-Context / Multi-Context
• Active/Standby, Active/Active, Clustering
Modular Policy Framework (MPF) is used to forward traffic from ASA to FirePOWER Services:
• Inline
• Promiscuous
• Monitor-only
Connectivity: ASA with FirePOWER Services
policy-map global_policy
 class class-default
  sfr fail-open
service-policy global_policy global
• ASA is deployed Inline
• ASA Forwards selected traffic through the module
• As Defined in ASA Policy-map
• Packets and flows are not dropped by FirePOWER services directly
• Packets are marked with Drop or Drop with Reset and sent back to the ASA
• This allows the ASA to clear the connection from the state tables and send resets if needed.
Connectivity: ASA with FirePOWER Services – Inline
policy-map global_policy
 class class-default
  sfr fail-open
service-policy global_policy global
[Figure: L3 or L2 mode ASA with the FirePOWER module inline in the data path]
• ASA is still deployed Inline
• ASA forwards a copy of the selected traffic through the module
• As Defined in ASA Policy-map
• Monitor-only option in Policy-map
• Visibility and Detection
• Optional prevention through remediation modules
Connectivity: ASA with FirePOWER Services – Promiscuous
policy-map global_policy
 class class-default
  sfr fail-open monitor-only
service-policy global_policy global
[Figure: L3 or L2 mode ASA sending a copy of the selected traffic to the FirePOWER module]
• ASA Interface connected to a SPAN port
• ASA not in Data Path
• Monitor-only configured on interface
• This interface cannot be used for regular ASA functionality
• Other ASA interface can still be inline but cannot forward traffic to the FirePOWER module
• Only supported in transparent, single-context mode
• Visibility and Detection
Connectivity: ASA with FirePOWER Services – SPAN Port Mode
firewall transparent
interface g0/0
 traffic-forward sfr monitor-only
[Figure: transparent mode ASA with one interface connected to a SPAN port]
Planning: Define your requirements – Performance
Sizing: Which device do I need to buy?
Upgrade of existing or new device?
Features: What features am I going to need or want to run?
Firewall, IPS, Application Control, URL, Malware?
Location: Where is the device in the network?
In front of a DNS only datacenter with millions of very small very fast transactions or in front of HTTP web servers serving normal web pages?
Datacenter looking at only internal traffic or Internet Edge looking at the wild Internet?
As with all performance discussions, YOUR MILEAGE MAY VARY!!
Performance: How to measure and why it matters?
• How does your traffic mix look like ?
• What is your peak throughput ?
• What Features will you need ?
• What is your peak conn/s and max conn ?
• How much latency is acceptable ?
• Can we exclude traffic from inspection ?
• Use Netflow, NBAR, AVC, ASA Stats
• Plan for the future !
Performance: Determining your IPS Performance needs
Datasheets generally have some indication of performance. In most cases this includes the infamous “throughput” measurement. Different product spaces have different typical “throughput” tests.
The firewall industry almost always publishes a max throughput number, usually based on a traffic type that is never helpful in determining sizing of the product. UDP 1518 byte packet size is fairly common.
The IPS industry has generally been more conservative about throughput estimates on their datasheets, partly because their performance range is much more variable than firewalls, and partly because of industry choice. TCP 440 byte HTTP is fairly common.
Performance: Throughput testing methodology
Performance: What Metrics do we provide?
Solution                    | Throughput                           | Connections
ASA with FirePOWER Services | Maximum Stateful Firewall Throughput | Maximum Concurrent Sessions
                            | Maximum VPN Throughput               | Maximum New Connections / Second
                            | Maximum AVC Throughput               |
                            | Maximum AVC and NGIPS Throughput     |
                            | AVC or IPS Sizing Throughput (440B)  |
FirePOWER Appliances        | FW Throughput                        | Maximum Concurrent Sessions
                            | IPS Throughput (440B)                | Maximum New Connections / Second
Performance: Multiple-Services Performance Guideline
If you run AVC or AVC+AMP on top of IPS, reduce the datasheet IPS throughput by:
• 30-45% for IPS + AVC
• 50-65% for IPS + AVC + AMP
[Figure: stacked throughput bars – IPS, IPS + AVC, IPS + AVC + AMP]
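The guideline above as a sizing helper, added here as an illustration and not tooling from the session or from Cisco: it takes the AVC-or-IPS sizing throughput (440-byte HTTP) from the FirePOWER Services for ASA table on this page, applies the worst case of each reduction range, and returns the smallest model that still covers a peak rate plus a growth margin. The 30% default headroom, the worst-case choice and the function names are assumptions made for this example.

```python
"""Sizing helper for the multiple-services guideline (constructed example).

SIZING_MBPS copies the "AVC or IPS Sizing Throughput" row of the ASA table
on this page; REDUCTION_PCT copies the guideline ranges from the slide.
The headroom default and the worst-case policy are assumptions.
"""

# AVC or IPS sizing throughput in Mbps (440B HTTP), per the page's ASA table.
SIZING_MBPS = {
    "5506-X": 90, "5508-X": 180, "5512-X": 100, "5515-X": 150,
    "5516-X": 300, "5525-X": 375, "5545-X": 575, "5555-X": 725,
    "5585-10": 1200, "5585-20": 2000, "5585-40": 3500, "5585-60": 6000,
}

# Guideline ranges as (min %, max %) reduction of the datasheet IPS figure
# when more services run on top of IPS. Integer percentages keep the
# arithmetic exact.
REDUCTION_PCT = {
    frozenset({"ips"}): (0, 0),
    frozenset({"ips", "avc"}): (30, 45),
    frozenset({"ips", "avc", "amp"}): (50, 65),
}


def effective_mbps(model, features):
    """Usable throughput after applying the worst case of the guideline range.

    features is any iterable of 'ips', 'avc', 'amp' (case-insensitive);
    a combination the guideline does not cover raises ValueError.
    """
    key = frozenset(f.lower() for f in features)
    if key not in REDUCTION_PCT:
        raise ValueError(f"no guideline for feature set {sorted(key)}")
    _, worst = REDUCTION_PCT[key]
    return SIZING_MBPS[model] * (100 - worst) / 100


def smallest_model(peak_mbps, features, headroom=0.3):
    """Smallest model whose worst-case throughput covers peak plus headroom.

    headroom is the growth margin ("Plan for the future!"), an assumed
    default of 30%. Returns None when no model in the table is large enough.
    """
    need = peak_mbps * (1 + headroom)
    for model in sorted(SIZING_MBPS, key=SIZING_MBPS.get):
        if effective_mbps(model, features) >= need:
            return model
    return None


if __name__ == "__main__":
    for peak, feats in [(200, ["ips", "avc", "amp"]), (100, ["ips"])]:
        print(peak, "Mbps", feats, "->", smallest_model(peak, feats))
```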
Performance: FirePOWER Services for ASA
Model                        | 5506-X   | 5508-X   | 5512-X   | 5515-X   | 5516-X   | 5525-X   | 5545-X   | 5555-X    | 5585-10  | 5585-20   | 5585-40   | 5585-60
Max Stateful FW Throughput   | 750 Mbps | 1 Gbps   | 1 Gbps   | 1.2 Gbps | 1.8 Gbps | 2 Gbps   | 3 Gbps   | 4 Gbps    | 4 Gbps   | 10 Gbps   | 20 Gbps   | 40 Gbps
VPN Throughput               | 100 Mbps | 175 Mbps | 200 Mbps | 250 Mbps | 250 Mbps | 300 Mbps | 400 Mbps | 700 Mbps  | 1 Gbps   | 2 Gbps    | 3 Gbps    | 4 Gbps
Max AVC Throughput           | 250 Mbps | 450 Mbps | 200 Mbps | 500 Mbps | 850 Mbps | 1.1 Gbps | 1.5 Gbps | 1.75 Gbps | 4.5 Gbps | 7 Gbps    | 10 Gbps   | 15 Gbps
Max AVC and IPS Throughput   | 125 Mbps | 250 Mbps | 150 Mbps | 250 Mbps | 450 Mbps | 650 Mbps | 1 Gbps   | 1.25 Gbps | 2 Gbps   | 3.5 Gbps  | 6 Gbps    | 10 Gbps
AVC or IPS Sizing Throughput | 90 Mbps  | 180 Mbps | 100 Mbps | 150 Mbps | 300 Mbps | 375 Mbps | 575 Mbps | 725 Mbps  | 1.2 Gbps | 2 Gbps    | 3.5 Gbps  | 6 Gbps
Max Connections              | 50,000   | 100,000  | 100,000  | 250,000  | 250,000  | 500,000  | 750,000  | 1,000,000 | 500,000  | 1,000,000 | 1,800,000 | 4,000,000
Max CPS                      | 5,000    | 10,000   | 10,000   | 15,000   | 20,000   | 20,000   | 30,000   | 50,000    | 40,000   | 75,000    | 120,000   | 160,000
Performance: FirePOWER Appliances
Model               | 7030     | 7115      | 7125      | 8120      | 8140      | 8250       | 8350       | 8360       | 8370       | 8390
Firewall Throughput | 500 Mbps | 1.5 Gbps  | 2.5 Gbps  | 4 Gbps    | 10 Gbps   | 20 Gbps    | 30 Gbps    | 60 Gbps    | 90 Gbps    | 120 Gbps
IPS Throughput      | 250 Mbps | 750 Mbps  | 1.25 Gbps | 2 Gbps    | 6 Gbps    | 10 Gbps    | 15 Gbps    | 30 Gbps    | 45 Gbps    | 60 Gbps
Max Connections     | 500,000  | 1,500,000 | 2,500,000 | 3,000,000 | 7,000,000 | 12,000,000 | 12,000,000 | 24,000,000 | 36,000,000 | 48,000,000
Max CPS             | 5,000    | 27,500    | 42,500    | 45,000    | 100,000   | 180,000    | 180,000    | 360,000    | 540,000    | 720,000
Planning: Define your requirements – Availability and Scaling
Availability and Scaling: What should happen if the IPS fails?
                      | ASA with FirePOWER Services | FirePOWER Appliance – Promiscuous         | FirePOWER Appliance – Inline
Network Availability  | ASA w/ Firepower Fail-Open  | N.A.                                      | Automatic Application Bypass; Hardware Bypass; Alternate Path
Security Availability | ASA A/S Failover            | FirePOWER Clustering – Passive Redundancy | FirePOWER Clustering – Inline; Switched; Routed
• Fail-Open and Fail-Closed configured in ASA Policy-map
• Determines what ASA does when the FirePOWER module has failed
• With Fail-Closed, traffic will be blocked when the module is unavailable
• With Fail-Open, traffic will be allowed and not inspected when the module is unavailable
• Only used if the ASA cannot failover
Network Availability: Fail-Open for ASA with FirePOWER Services
[Figure: data flow through the ASA and its Firepower module (HW or SW); on a health check failure the flow continues through the ASA with the module bypassed]
policy-map global_policy
 class class-default
  sfr fail-open
service-policy global_policy global
• AAB Limits the time allowed to process packets through an interface.
• Increased processing time may be due to misconfiguration or a SW issue
• Not the same as Packet / Rule Latency Thresholding
• Inspection is bypassed if the processing time is exceeded; this causes all Snort processes to terminate
• AAB will restart the Snort IPS engine within 10 minutes after failure
• Bypass threshold: 250ms – 6 s (3s default)
• Generates Health Monitoring Alert
• Supported on FirePOWER Hardware appliances and NGIPS
• Not supported on ASA with FirePOWER services
Network Availability: Automatic Application Bypass (AAB) for FirePOWER IPS
[Figure: data flow through the Firepower appliance; once the processing time is exceeded the flow bypasses inspection]
• Fail-to-wire
• Traffic bypasses appliance on power-failure
• Supported on Physical FirePOWER appliances only
• Supported on both Copper and Fiber Interfaces
• Hardware Bypass Network Modules available for 8000 series
• Inline Interfaces Mode Only
Network Availability - Hardware Bypass for FirePOWER IPS
[Figure: FirePOWER appliance inline between two Ethernet switches. Normal: link is up through the appliance. Power loss: no link to the appliance, hardware bypass activated, switch-to-switch link stays up]
• Sensor and alternate path between 2 switches or 2 VLANs on the same switch
• STP determines the Forwarding/Blocking path
• Sensor failure causes STP to place the alternate path in forwarding state
Network Availability - Alternate Path for FirePOWER IPS
[Figure: data flows through the sensor while the alternate path is blocked by Spanning Tree; after a sensor failure data flows over the alternate path]
• For locations where high availability is the primary concern
• ASAs sync their connection table
• ASA configuration is automatically synched
• FirePOWER configuration should be synched using FireSIGHT Management Center
• FirePOWER Modules do not synchronize their connection tables
• Mid-session pickup on FirePOWER modules
• Supported in both Routed and Transparent mode
Security Availability - A/S Failover for ASA with FirePOWER Services
[Figure: ASA pair between two Ethernet switches. Normal: data flow through the ACTIVE unit, STANDBY idle. After failure: data flow through the newly ACTIVE unit, the other unit FAILED]
• Not the same as ASA Clustering
• FirePOWER Clustering (HA) establishes resiliency between 2 appliances or 2 stacks
• Clustered devices can synchronize state via the HA link
• Single logical system in FireSIGHT Management Center for policy application
• Both devices must be the same model, with identical interfaces, same software and licenses
• Automatic failover happens on appliance health failure, hardware failure, during a system update or device shutdown
• Multiple Clustered Redundancy Deployment Models: Passive, Inline, Routed, Switched
Security Availability - Clustering (HA) for FirePOWER Appliances
• TAP or SPAN feed to multiple appliances in passive mode
• Standby Appliance brings interfaces up if Active Appliance fails health checks
• Same as having multiple standalone IDS appliances, except duplicate events are suppressed.
Security Availability - Clustering for FirePOWER Appliances - Passive Deployment Redundancy
[Figure: SPAN'ed traffic fed to an Active and a Standby appliance; after the Active appliance fails, the Standby becomes Active]
• Sensors between 2 switches
• STP determines the Forwarding/Blocking path
• Sensor failure causes STP to place the other sensor in forwarding state
Security Availability - Clustering for FirePOWER Appliances - Inline Deployment Redundancy
[Figure: data flows through one sensor while the path through the other sensor is blocked by Spanning Tree]
• Sensors between switches or VLANs on the same switch
• Virtual Switch Configuration
• STP determines the Forwarding/Blocking path
• Sensor failure causes STP to place the other sensor in forwarding state
• Clustering does State Push for session state to ensure flow continuity on failover
Security Availability - Clustering for FirePOWER Appliances - Switched Deployment Redundancy
[Figure: two sensors bridging VLAN 20 and VLAN 200; one carries the active STP path, the path through the other is blocked by STP]
• Virtual Router Configuration
• Hosts typically have a statically defined GW
• Redundancy in a routed deployment requires routed interfaces to share a GW IP Address
• SFRP (similar to VRRP) creates an Active/Passive deployment by advertising the active IP only on 1 interface
• If that interface goes down, the backup interface begins advertising the IP address
• Clustering does State Push for session state to ensure flow continuity on failover
Security Availability - Clustering for FirePOWER Appliances - Routed Deployment Redundancy
[Figure: two routed sensors between two Ethernet switches. Normal: data flow through the ACTIVE sensor, STANDBY idle. After failure: data flow through the newly ACTIVE sensor, the other sensor FAILED]
| | ASA with FirePOWER Services | FirePOWER Appliance - Passive | FirePOWER Appliance - Inline |
| Scaling | N.A. | Stacking | Stacking |
| Scaling + Availability | ASA Clustering * | Passive Clustered Stack; FirePOWER Passive Appliances with Etherchannel RSPAN * | Clustered Stack; ASA with FirePOWER Appliances * |
Availability and Scaling - How to scale beyond what 1 Appliance can do?
* Can be deployed in asymmetric traffic environments
4x Stacking supported on the 8300 and 8200 series; 2x Stacking on the 8100 series
| 8350 | 8360 | 8370 | 8390 |
| 15 Gbps | 30 Gbps | 45 Gbps | 60 Gbps |
Scaling - Stacking for FirePOWER 8000 Series
• Scaling and Availability for FirePOWER Services
• Can be deployed in an asymmetric environment
• Up to 16 ASA5585-X or two ASA5500-X with FirePOWER services
• Stateless load balancing by external switch
• Support for vPC and LACP
• Cluster Control Protocol/Link
• State-sharing between Firewalls for concerted operation and high availability
• Every session has a primary and secondary owner ASA
• ASA provides traffic symmetry to FirePOWER modules
Scaling + Availability - Clustering for ASA5500-X
[Figure: ASA Cluster attached to the switching infrastructure via vPC on both sides]
• Stack-to-Stack High Availability
• Supported on 8000 Series
• Scaling and Availability for FirePOWER Services
• Supported for passive, inline, switched and routed clustered deployment
• Not suggested for asymmetric environment
• Stacks must have identical hardware
Scaling + Availability - Clustered Stack of FirePOWER Appliances
[Figure: Active and Standby stacks; passive case fed with SPAN'ed traffic, inline case with one path blocked by Spanning Tree]
• Provides IDS Scaling and Availability
• No FirePOWER Clustering
• Can be deployed in an asymmetric environment
• Asymmetric traffic flow through the DC switching infrastructure
• Switches mirror traffic at key intersection points into an RSPAN VLAN
• RSPAN collection switch aggregates flows and feeds them into an Etherchannel.
• FirePOWER appliances process aggregated SPAN traffic in passive mode
Scaling + Availability - Etherchannel RSPAN with FirePOWER Passive Appliances
[Figure: DC switching infrastructure with vPC; RSPAN collection switch feeding passive appliances over an Etherchannel]
• Provides IPS Scaling and Availability
• Can be deployed in an asymmetric environment
• ASA appliances deployed as a cluster in multi-context mode
• In-Line FirePOWER Appliances attached in between the contexts
• ASA Clustering Automatically redirects asymmetrically received packets to ASA connection owner
• Local FirePOWER Appliances have full visibility into the flow due to localized processing
• Cisco Validated Design
Scaling + Availability - ASA with Inline FirePOWER Appliances
[Figure: ASA Cluster with vPC on both sides; inline FirePOWER appliances attached between the contexts]
Availability and Scaling - Availability and Scaling Options on ASA with FirePOWER Services
| | 5506 | 5506-H | 5506-W | 5508/5516 | 5512/15 | 5525/45/55 | 5585-X |
| Multi-Context | NO | NO | NO | YES | YES | YES | YES |
| High Availability | A/S | A/S | A/S | A/S, A/A | A/S, A/A | A/S, A/A | A/S, A/A |
| Clustering | NO | NO | NO | NO | YES (2) | YES (2) | YES (16) |
| Module Fail-Open | YES | YES | YES | YES | YES | YES | YES |
| Automatic Application Bypass | NO | NO | NO | NO | NO | NO | NO |
Availability and Scaling - Availability and Scaling Options on FirePOWER Appliances
| | NGIPSv | 7000 | 7100 | 8100 | 8200/8300 |
| FirePOWER Stacking | NO | NO | NO | YES (2) | YES (4) |
| FirePOWER Clustering | NO | YES | YES | YES | YES |
| Clustered Stacks | NO | NO | NO | YES | YES |
| Automatic Application Bypass | YES | YES | YES | YES | YES |
| Hardware Bypass | NO | YES | YES * | YES | YES |
* 7115, 7125, and 7150 models only
Planning - Define your requirements
Use Case
Location
Connectivity
Performance
Availability and Scaling
Management
• Management Platforms: FireSIGHT Management Center, ASDM *
• FireSIGHT Management Center can be an appliance or a VM
• FireSIGHT Manager Appliances can be deployed in HA
• Determining factors: device type, deployment size, cost, other security devices, scaling requirements, responsibilities
Management - FireSIGHT Management Center
| | FMC | ASDM |
| Model | Server, web-based UI | On-box |
| Form Factor | VM or Appliance | Runs on ASA |
| # devices | Up to 300 | 1 |
| Cost | $ | No Charge |
| Manages | FirePOWER, FirePOWER services | ASA, FirePOWER services on select platforms |
| Contextual Awareness and Visibility | Detailed | Basic, no IoC or Impact Assessment |
| Event Collection | Extensive | Basic |
| Reporting | Extensive | Basic |
| Health Monitoring | Extensive | Basic: CPU, Memory |
* ASDM currently only manages FirePOWER Services on 5506/8/16
| | 750 | 1500 * | 2000 | 3500 | 4000 | Virtual |
| Maximum devices managed* | 10 | 35 | 70 | 150 | 300 | Up to 25 |
| Event storage | 100 GB | 125 GB | 1.8 TB | 400 GB | 4.8/6.3 TB | |
| Maximum network map (hosts/users) | 2000/2000 | 50,000/50,000 | 150,000/150,000 | 300,000/300,000 | 600,000/600,000 | |
| Events per second (EPS) | 2000 | 6000 | 12,000 | 10,000 | 20,000 | |
Virtual FireSIGHT Management Center: up to 25 managed devices (ASA or FirePOWER appliances).
Virtual FireSIGHT Management for 2 or 10 ASA devices only, not upgradeable: FS-VMW-2-SW-K9, FS-VMW-10-SW-K9.
* Max number of devices is dependent upon sensor type and event rate
Management - FireSIGHT Management Center Appliances
IPS Deployment Process: Policy -> Planning & Hardware Selection -> Implementation & Operation -> Evaluation
Implementation - Installation, Basic Configuration and Insertion into the network
1. Installation of FireSIGHT Management Center
2. Installing FirePOWER appliance or FirePOWER Services for ASA
3. Adding FirePOWER appliance/module into FireSIGHT Management Center
4. Apply Basic Configuration
5. Insertion into the network
6. Tuning
7. Optional: Move from Audit mode to inline mode
8. Operation
Implementation - Installation of FirePOWER Services for ASA
1. Verify pre-requisites
2. Download the FirePOWER boot image file and system software package (pkg) file
3. Install the boot image
4. Install the system software package file
5. Configure ASA and FirePOWER traffic redirection (configure ASA; configure FirePOWER)
6. Initial configuration for the system software package file
7. Verify installation
8. Choose Device Manager, import devices and licenses
Implementation - Adding a FirePOWER device into FireSIGHT Management Center
1. On the FirePOWER device, identify the FireSIGHT Management Center that will be managing the device. This can be done via CLI, LCD panel * or GUI *
2. On the FireSIGHT Manager, navigate to Device Manager to add the new device
> configure manager add 10.89.145.102 cisco123
Manager successfully configured.
[Figure: registration inputs. On the device (CLI or GUI): FMC IP address and registration key. On the FireSIGHT MC: device IP address and registration key, licenses applied to the FireSIGHT MC, Default Access Control Policy]
* LCD Panel/GUI options only apply to physical FirePOWER appliances
Implementation - Basic Configuration
Access Control Policy
IPS policy
Default Action
Implementation - Policies
• System Policy: manages system-level settings such as audit logs, mail relay, etc.
• Health Policy: a collection of health module settings to check the health of devices
• Network Discovery Policy: defines how the system collects data of network assets
• File Policy: used to perform AMP and file filtering
• Intrusion Policy: defines IPS rules to be enabled for inspection
• SSL Policy: defines what traffic to decrypt and how to decrypt it
• Access Control Policy: permits/denies traffic through the device, defines which Intrusion/File policies are applied to traffic flows
Connectivity over Security: ~ 800 Rules
• CVSS Score of 10
• Age of Vulnerability: year before last and newer
Balanced: ~ 6300 Rules
• CVSS Score of 9 or greater
• Age of Vulnerability: year before last and newer
• Or: Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit
Security over Connectivity: ~ 9000 Rules
• CVSS Score of 8 or greater
• Age of Vulnerability: 2 years before last and newer
• Or: Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit, App-detect
Implementation - What are the different Base IPS Policies?
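The selection criteria above, encoded as an added Python example (not Cisco or Talos code): it decides which base policies would enable a rule from its CVSS score, vulnerability year and category, and counts what each policy enables over a rule set. It assumes "year before last" means current_year - 2 and "2 years before last" means current_year - 3; the Rule structure and the sample SIDs are constructed.

```python
from dataclasses import dataclass

# Categories the Balanced policy enables regardless of CVSS / age, as listed on the
# slide; Security over Connectivity adds App-detect.
BALANCED_CATEGORIES = frozenset({"Malware-CnC", "blacklist", "SQL Injection", "Exploit-kit"})
SECURITY_CATEGORIES = BALANCED_CATEGORIES | {"App-detect"}

CONNECTIVITY = "Connectivity over Security"
BALANCED = "Balanced"
SECURITY = "Security over Connectivity"
POLICIES = (CONNECTIVITY, BALANCED, SECURITY)


@dataclass(frozen=True)
class Rule:
    sid: int          # constructed identifier, not a real Snort SID
    cvss: float       # CVSS score of the covered vulnerability (0 if none)
    vuln_year: int    # year the vulnerability was disclosed
    category: str     # rule category


def base_policies_for(rule, current_year):
    """Return the set of base policies that enable `rule` in `current_year`.

    Assumption (not stated on the slide): 'year before last' = current_year - 2,
    '2 years before last' = current_year - 3."""
    year_before_last = current_year - 2
    two_years_before_last = current_year - 3
    enabled = set()
    if rule.cvss >= 10 and rule.vuln_year >= year_before_last:
        enabled.add(CONNECTIVITY)
    if (rule.cvss >= 9 and rule.vuln_year >= year_before_last) or rule.category in BALANCED_CATEGORIES:
        enabled.add(BALANCED)
    if (rule.cvss >= 8 and rule.vuln_year >= two_years_before_last) or rule.category in SECURITY_CATEGORIES:
        enabled.add(SECURITY)
    return enabled


def enabled_counts(rules, current_year):
    """Count how many of `rules` each base policy enables (the slide's ~800 / ~6300 /
    ~9000 for the real Talos rule set)."""
    counts = dict.fromkeys(POLICIES, 0)
    for rule in rules:
        for policy in base_policies_for(rule, current_year):
            counts[policy] += 1
    return counts


# Constructed sample rules chosen to sit on each side of the thresholds.
SAMPLE_RULES = [
    Rule(1000001, 10.0, 2014, "Server-Other"),   # new and critical: every policy
    Rule(1000002, 9.0, 2013, "Server-Other"),    # Balanced and Security only
    Rule(1000003, 8.0, 2012, "Server-Other"),    # Security only
    Rule(1000004, 10.0, 2012, "Server-Other"),   # critical but too old for the first two
    Rule(1000005, 0.0, 2005, "Malware-CnC"),     # category override: Balanced + Security
    Rule(1000006, 0.0, 2005, "App-detect"),      # category override: Security only
    Rule(1000007, 7.0, 2014, "Server-Other"),    # below every CVSS threshold: none
]
```

The nesting the slide implies (each policy a superset of the one before it) follows from the thresholds: any rule meeting the Connectivity criteria also meets Balanced, and any rule meeting Balanced also meets Security.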
Implementation - Audit Mode
• Inline deployment without actually affecting traffic
• Disable “Drop when inline” when creating IPS Policy
• In passive deployments, the system cannot affect traffic regardless of the drop behavior
• Events will show “Would have dropped” when the sensor is deployed passively or when “drop when inline” is disabled
Operation - Features for more effective operation
• Host, User Discovery and Application Identification
• Host Profiles
• Impact Levels
• FireSIGHT Recommendations
• Indications of Compromise
Host discovery: identifies the OS, protocols and services running on each host; reports on potential vulnerabilities present on each host based on the information it has gathered.
Application identification: FireSIGHT can identify over 1900 unique applications using OpenAppID, including applications that run over web services such as Facebook or LinkedIn; applications can be used as criteria for access control.
User discovery: monitors for user IDs transmitted as services are used; integrates with MS AD servers to authoritatively ID users; authoritative users can be used as access control criteria.
Operation - Network Discovery
Host Profile - What have we learned?
• All information we know about each host we monitor
• Current and historic users
• OS, Servers, Applications
• Indications of Compromise
• Malware Detections
• Vulnerabilities
FireSIGHT Recommendations
• Uses the information we learned about each host
• Automatic selection of rules that apply to your environment
Impact Assessment
• Correlation of IPS Events with the Impact on the Target host
Indications of Compromise
• Tags that indicate a likely host infection has occurred
• FireSIGHT tracks and correlates IoCs across all sensor points with Security Intelligence and Malware events
Network Discovery - How is the Information used?
| Impact Flag | Administrator Action | Why |
| 1 | Act Immediately, Vulnerable | Event corresponds to vulnerability mapped to host |
| 2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vuln mapped |
| 3 | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use |
| 4 | Good to Know, Unknown Target | Monitored network, but unknown host |
| 0 | Good to Know, Unknown Network | Unmonitored network |
Impact Assessment - How Relevant is the Attack?
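The impact-flag correlation from the table above, as an added Python illustration (not FireSIGHT code): the HostProfile and IntrusionEvent structures are assumptions made for the example, and the monitored network, host map and vulnerability ids are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Labels from the slide's impact table.
IMPACT_TEXT = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}


@dataclass
class HostProfile:
    """What network discovery learned about one host (constructed structure)."""
    open_services: set = field(default_factory=set)    # {(proto, port), ...}
    vulnerabilities: set = field(default_factory=set)  # vulnerability ids mapped to the host


@dataclass(frozen=True)
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int
    vuln_ids: frozenset  # vulnerabilities the triggering rule is written for


def impact_flag(event, host_map, monitored_networks):
    """Rank an intrusion event against the network map, following the slide's table."""
    target = ipaddress.ip_address(event.dst_ip)
    if not any(target in net for net in monitored_networks):
        return 0                                      # unmonitored network
    host = host_map.get(event.dst_ip)
    if host is None:
        return 4                                      # monitored network, unknown host
    if event.vuln_ids & host.vulnerabilities:
        return 1                                      # vulnerability mapped to host
    if (event.proto, event.dst_port) in host.open_services:
        return 2                                      # port open / protocol in use, no vuln mapped
    return 3                                          # port not open / protocol not in use


def triage(events, host_map, monitored_networks):
    """Return (flag, label, event) tuples in analyst order: 1, 2, 3, 4, then 0."""
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    ranked = [(impact_flag(e, host_map, monitored_networks), e) for e in events]
    ranked.sort(key=lambda pair: order[pair[0]])
    return [(flag, IMPACT_TEXT[flag], e) for flag, e in ranked]


# Constructed sample network map: one monitored /16 and two discovered hosts.
MONITORED = [ipaddress.ip_network("10.1.0.0/16")]
HOSTS = {
    "10.1.1.10": HostProfile({("tcp", 80), ("tcp", 443)}, {"VULN-WEB-1"}),  # ids constructed
    "10.1.1.20": HostProfile({("tcp", 22)}, set()),
}
```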
FireSIGHT Recommendations - Automatic tuning based on your environment
• IPS Rule Recommendations based on what is learned from Network Discovery
• Associates the OS, server, applications detected with rules specific to those assets
• Identifies the current state of rules in your base policy and recommends and/or sets rule state changes
• Combining a Cisco provided default Policy with FireSIGHT recommendations results in an IPS policy matching the TALOS recommended settings for your assets.
Indications of Compromise (IoCs)
IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks
SI Events: Connections to Known CnC IPs
Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections
IPS Deployment Process: Policy -> Planning & Hardware Selection -> Implementation & Operation -> Evaluation
• Initially:
• (Fine)tuning
• Continuously:
• Signature Updates
• FireSIGHT Recommendations
• Periodically:
• Vulnerability scan
• Penetration testing
Evaluation - Is the IPS Deployment Effective?
Migrating to Firepower NGIPS
• Additional hardware needs
• New software, licensing and Management needs
• Can the current hardware deliver the required performance?
• What additional features will we be using ?
• Not a 1:1 Migration
• Migration Strategy to use
• How to install a new FirePOWER module on an existing ASA
• How will you migrate your policies and rules
Migrating to FirePOWER NGIPS - Things to Consider when migrating
• Any existing CX or Legacy IPS SW-Module needs to be uninstalled first
• FireSIGHT Management is required
• Installation of FirePOWER services on an ASA5500-X platform requires an SSD drive
• ASA5500-X-SSD120= SKU
ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V01 , SN: FGL1620413M
Name: "Storage Device 1", DESCR: "Unigen 128 GB SSD MLC, Model Number: UGB88RRA128HM3-EMY-DID"
PID: N/A , VID: N/A , SN: 11000046630
Migrating to FirePOWER Services for ASA - Migrating the ASA5500-X
• Existing 5585-X Legacy IPS or CX modules cannot be converted to FirePOWER services
• ASA needs to be shut down when replacing the module
• FireSIGHT Management is required
• SFR SSP Modules are pre-installed with FirePOWER Services
  • ASA5585-X SSP10 SFR10 (ASA5585-S10F10-K9)
  • ASA5585-X SSP20 SFR20 (ASA5585-S20F20-K9)
  • ASA5585-X SSP40 SFR40 (ASA5585-S40F40-K9)
  • ASA5585-X SSP60 SFR60 (ASA5585-S60F60-K9)
• Mixed Bundles are available
  • ASA5585-X SSP10 SFR40 (ASA5585-S10F40-K9)
  • ASA5585-X SSP20 SFR60 (ASA5585-S20F60-K9)
Migrating to FirePOWER Services for ASA - Migrating the ASA5585-X
[Figure: Pre Migration: ASA + Legacy IPS (managed via CLI/ASDM and CSM) or ASA + CX (managed via CLI/ASDM, PRSM and CSM). Post Migration: ASA + FirePOWER Services (AVC, IPS, AMP, URL), managed via CLI/ASDM and FireSIGHT]
Migrating to FirePOWER Services for ASA - Not the same Feature Set
When replacing an existing service module like Cisco CX or the classic IPS module:
• Understand the traffic load the device is seeing
• Understand the inspection load the current device is under
• Compare the current inspection load, if possible, to the expected load on the new module, reducing available throughput based on the features required
• If you run more features, the performance will be impacted (more work is harder than less work!)
Migrating to FirePOWER Services for ASA - Sizing Guidance when Migrating
Comparing FirePOWER Services to CX on ASA 5525-X using EMIX (ASA multiprotocol test)
• AVC URL: matched applications and HTTP URLs on both platforms
• ASA-CX IPS: around 1000 threats
• FirePOWER Services IPS: Balanced policy with ~6000 sigs
| | AVC URL | IPS |
| FirePOWER Services on 5525 | 750 | 400 |
| CX on 5525 | 675 | 260 |
Migrating to FirePOWER Services for ASA - Sizing Guidance when Migrating from ASA-CX
IPS-only test comparing throughput of FirePOWER Services for ASA to the Legacy IPS module.
Tested using the same 440 byte HTTP Transactional test that was the benchmark for legacy IPS.
| | 5506 | 5508 | 5512 | 5515 | 5516 | 5525 | 5545 | 5555 | 5585-10 | 5585-20 | 5585-40 | 5585-60 |
| FirePOWER Services on ASA | 90 | 180 | 100 | 150 | 300 | 375 | 575 | 725 | 1200 | 2000 | 3500 | 6000 |
| Classic IPS on ASA | NA | NA | 150 | 250 | NA | 400 | 600 | 850 | 1150 | 1500 | 3000 | 5000 |
Migrating to FirePOWER Services for ASA - Sizing Guidance when Migrating from Legacy Cisco IPS
When upgrading from classic IPS to FirePOWER services, adding new features can require a platform change. Generally each new major feature is a step up, assuming the box is near capacity.
| Model | 5506-X | 5508-X | 5512-X | 5515-X | 5516-X | 5525-X | 5545-X | 5555-X | 5585-10 | 5585-20 | 5585-40 | 5585-60 |
| Classic IPS Module | NA | NA | 150 | 250 | NA | 400 | 600 | 850 | 1150 | 1500 | 3000 | 5000 |
| FirePOWER AVC or IPS | 90 | 180 | 100 | 150 | 300 | 375 | 575 | 725 | 1200 | 2000 | 3500 | 6000 |
| FirePOWER IPS + AVC | 65 | 115 | 75 | 100 | 200 | 255 | 360 | 450 | 800 | 1200 | 2100 | 3500 |
| FirePOWER IPS + AVC + AMP | 40 | 85 | 60 | 85 | 150 | 205 | 310 | 340 | 550 | 850 | 1500 | 2300 |
Migrating to FirePOWER Services for ASA - Sizing Guidance when Migrating from Legacy Cisco IPS
1. Cut over to FirePOWER in Inline IPS Mode
• Replace legacy IPS with FirePOWER in IPS mode. Monitor closely, and adjust the policy. Most risky option for Legitimate Traffic.
2. Cut over to FirePOWER in Inline Audit Mode
• Replace legacy IPS with FirePOWER in Audit mode. Monitor traffic and alerts, and then put sensor in IPS mode. Most risky option vs malicious traffic and for compliance.
3. Run Both Legacy IPS and FirePOWER IPS in Audit Mode Temporarily
• Connect FirePOWER IPS in Audit mode to the untrusted side of the existing Legacy IPS. Monitor traffic and tune where needed, then complete migration by removing the Legacy IPS and turning off Audit mode. FirePOWER may miss what is blocked by the legacy IPS
4. Run Both Legacy IPS and FirePOWER IDS Temporarily
• Install FirePOWER in IDS Mode, connected to a SPAN port or other method of capturing network traffic. Monitor the sensor and adjust policy accordingly. When sensor is tuned, complete migration with either option 1 or 2, above.
Migrating to FirePOWER NGIPS Appliances - Migration Strategies based on Risk Assessment
Migrating to FirePOWER NGIPS Appliances - Both Legacy IPS and FirePOWER IPS in Audit mode Temporarily
[Figure: FirePOWER in Audit Mode connected on the untrusted side of the existing Legacy IPS]
Migrating to FirePOWER NGIPS Appliances - Both Legacy IPS and FirePOWER IDS Temporarily
• Cisco Legacy IPS to FirePOWER NGIPS Migration Guidance Tool
• Consumes a Cisco IPS configuration file and generates a recommendations document
• Standalone IPS appliances as well as ASA IPS Modules
• Areas of focus: Network Insertion, Policies and Signatures/rules
• Matches Snort rules to Cisco IPS signatures
• https://fwm.cisco.com
• Cisco Legacy IPS to FirePOWER NGIPS Migration Guide
• Focused on standalone Appliances
• Explains FirePOWER in Cisco terminology
• BRKSEC-2018 - Tips and Tricks for Successful Migration to FirePOWER Solutions
Migrating to FirePOWER NGIPS Appliances - Migration Tool, Guide and Training
Conclusion
• NGIPS extends classic IPS with Application awareness, Contextual awareness and Content awareness to provide automation and reduce complexity
• Cisco NGIPS is Available as FirePOWER appliances, Virtual form factor and FirePOWER Services for the ASA
• Multiple Deployment Options to address a multitude of
• Use Cases / Locations
• Connection Needs
• Performance Requirements
• High Availability and Scaling
• Management Requirements
• Migrating to FirePOWER Appliances involves determining additional hardware, software, licensing and management needs
Deploying IPS - Conclusion
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle <@Stijn_Cisco>
• Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
Thank you