
Deploying Intrusion Prevention Systems
Source: d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKSEC-2030.pdf
Stijn Vanveerdeghem, Technical Marketing


Deploying Intrusion Prevention Systems

Stijn Vanveerdeghem, Technical Marketing Engineer

BRKSEC-2030

Agenda

• Introduction to IPS

• Cisco NGIPS Solutions

• Deploying Cisco NGIPS

• Migrating to Firepower NGIPS

• Conclusion

Objectives: What will you learn in this session?

• Next Generation Security and IPS Fundamentals

  • Understand the basic premise of Next-Generation Firewall and IPS

• Cisco NGIPS Solutions

  • Understand what different Cisco NGIPS solutions exist and how they differ

• Deploying Cisco NGIPS

  • Understand the process to select the right NGIPS solution

  • Understand what the important considerations are when deploying NGIPS

• Migrating to FirePOWER NGIPS

  • High level understanding of the process of migrating to FirePOWER NGIPS

Objectives: What is not covered (in depth) in this session?

• Not covered in depth in this session, so check out:

  • Deploying Firewalls
    BRKSEC-2020 - Firewall Deployment
    BRKSEC-2028 - Deploying Next Generation Firewall with ASA and Firepower Service

  • Troubleshooting FirePOWER
    BRKSEC-3055 - Troubleshooting Cisco ASA with FirePOWER Services

  • Detailed Migration to FirePOWER Services
    BRKSEC-2018 - Tips and Tricks for Successful Migration to FirePOWER Solutions

  • Tuning FirePOWER
    BRKSEC-3126 - FirePOWER: Advanced Configuration and Tuning


Introduction to IPS


2015 Cisco Annual Security Report


Introduction to IPS: What is IPS?

Why do I need IPS? Challenges come from every direction

Figure: the challenges surrounding defenders from every direction: Sophisticated Attackers, Complex Geopolitics, Boardroom Engagement, Misaligned Policies, Dynamic Threats, Complicit Users.


Cisco NGIPS Solutions

Cisco NGIPS Solutions: Cisco FirePOWER NGIPS

Legacy Cisco IPS 7.x
Traditional IPS Solution

• Supported on IPS 4200, 4300, 4500 series appliances

• Supported on ASA 5500-X and previous generation ASA

Cisco FirePOWER NGIPS/NGFW
Next-Generation IPS, Firewall, and Anti-Malware Solution

• Supported on Firepower 7000 and 8000-series Appliances

• Supported on ASA5500-X

• Supported in VMware ESX

Cisco NGIPS Solutions: Traditional Stateful Firewall

Traditional stateful firewalls keep state of traffic flows based on L2-L4 information.

Access-Control Policies are configured based on the 5-tuple (source and destination address, source and destination port, protocol), for example:

access-list OutsideToInside permit tcp any host 192.168.102.5 eq 80
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 443

They provide limited visibility and control into application, user and context.

Other typical features of a traditional firewall are:

• NAPT

• High Availability

• Routing and Transparent deployment options

• VPN termination

Cisco NGIPS Solutions: Next-Generation Firewall

Next-Generation Firewalls perform deep inspection of traffic and threat prevention, building on the traditional firewall with

• Integrated Signature based IPS engine

• Application visibility and granular control (AVC)

• Identity awareness and control

• Capability to incorporate external information (feeds)

Cisco NGIPS Solutions: Traditional IPS

Traditional IPS provides signature-based pattern matching for detection and prevention of intrusion attempts.

• Typically deployed behind a Firewall or in IDS mode

• Typically a “bump in the wire”

• Often looks for exploits rather than vulnerabilities

• Often overwhelms the analyst with irrelevant events

• Doesn’t give much contextual information to take action on

• Requires a high level of tuning

As a result, traditional IPS

• Often needs additional devices to perform FW and other tasks

• Is often minimally effective or isn’t used

• Requires massive amounts of time and resources to make it work

• May leave organizations exposed

Cisco NGIPS Solutions: Next-Generation IPS

Next-Generation IPS extends traditional IPS with

• Application awareness to enable visibility into new L7 threats and reduce the attack surface

• Contextual awareness, providing information to help better understand events and to provide automation and reduce cost/complexity/tuning

  • Automated IPS Tuning

  • Host and User Profiles

  • Impact assessment

• Content awareness, determining different file types and whether or not those can be malicious

Next-Generation IPS is often deployed as part of a Next-Generation Firewall

Cisco NGIPS Solutions: What does a Security Appliance offer

Cisco NGIPS Solutions: ASA with FirePOWER Services

Base Hardware and Software

• 5585-X Bundle SKUs with FirePOWER Services Module

• 5585-X Enhanced Performance Models

• 5500-X SKUs running FirePOWER Services Software

• New 5506/8/16-X for SMB, Distributed Enterprises and Industrial Control

• Hardware includes Application Visibility and Control (AVC)

• Traffic forwarded from ASA to FirePOWER services using MPF (Modular Policy Framework)

Security Subscription Services

• IPS, URL, Advanced Malware Protection (AMP) Subscription Services

• One- and Three-Year Term Options

• Available via ELA

Management

• FireSIGHT Management Center (HW Appliance or Virtual)

• Cisco Security Manager (CSM) or ASDM to Manage ASA Features

• ASDM manages both ASA and FirePOWER Services on new ASA low/mid models

Cisco NGIPS Solutions: ASA with FirePOWER Services Architecture

Figure: ASA 5585-X with FirePOWER Services. The ASA module (ports, 10GE NICs, fabric switch, CPU complex, crypto engine) and the SFR module (10GE NICs, fabric switch, CPU complex, crypto or regex engine) are connected over the backplane; traffic enters at the ASA (ASA ingress), is handed to the module (FirePOWER ingress) and leaves the ASA after FirePOWER processing (egress).

• ASA processes all ingress/egress packets

• No packets are directly processed by FirePOWER except for management (unless using interface forwarding mode)

• FirePOWER provides Next Generation Firewall Services

Cisco NGIPS Solutions: ASA with FirePOWER Services

Throughput of the new 5506-X, 5508-X and 5516-X models:

Model          AVC         AVC+IPS     Notes
ASA 5506-X     250 Mbps    125 Mbps
ASA 5506W-X    250 Mbps    125 Mbps    Integrated Wireless AP
ASA 5506H-X    250 Mbps    125 Mbps    Ruggedized
ASA 5508-X     450 Mbps    250 Mbps
ASA 5516-X     850 Mbps    450 Mbps

Cisco NGIPS Solutions: ASA with FirePOWER Services

Throughput of the 5512-X to 5555-X models:

Model          AVC          AVC+IPS
ASA 5512-X     300 Mbps     150 Mbps
ASA 5515-X     500 Mbps     250 Mbps
ASA 5525-X     1.1 Gbps     650 Mbps
ASA 5545-X     1.5 Gbps     1 Gbps
ASA 5555-X     1.75 Gbps    1.25 Gbps

Cisco NGIPS Solutions: ASA with FirePOWER Services

Throughput of the 5585-X models:

Model                       AVC         AVC+IPS
ASA 5585-X SSP 10           4.5 Gbps    2 Gbps
ASA 5585-X SSP 20           7 Gbps      3.5 Gbps
ASA 5585-X SSP 40           10 Gbps     6 Gbps
ASA 5585-X SSP 60           15 Gbps     10 Gbps
ASA 5585-X SSP EP 10/40     4.5 Gbps    4.5 Gbps
ASA 5585-X SSP EP 20/60     7 Gbps      7 Gbps

Cisco NGIPS Solutions: FirePOWER Appliances

Base Hardware and Software

• Single-pass Architecture

• 8000 Series with

  • Modular Interface Options (Netmods), including 10 and 40 Gbps

  • Clustering support for HA

  • Stacking Capable for increased throughput up to 60 Gbps

• 71x5 Series with 8 Fail-Closed SFP ports

• 7000 Series with built-in 1 Gbps Copper interfaces

• Virtual FirePOWER NGIPSv for VMware ESX(i)

Security Subscription Services

• IPS, URL, Advanced Malware Protection (AMP) Subscription Services

• One- and Three-Year Term Options

• Available via ELA

Management

• FireSIGHT Management Center (HW Appliance or Virtual)

Cisco NGIPS Solutions: FirePOWER Appliances Architecture

Figure: FirePOWER appliance building blocks (CPU, NFE, NMSB, NetMods) with the functions the slide lists, from the top of the stack down to the physical ports:

• FirePOWER Applications (NGIPS, AppID, AMP)

• Application/Control Plane Processing

• L2-L7 Classification

• Stateful Flow Processing

• PKI and Bulk Cryptography

• Flow-based Load Balancing

• L2 switching / L3 Routing / NAPT

• L2-L4 Packet Classification

• Packet-based load balancing

• Physical Interfaces

• Integrated Bypass Relays

Cisco NGIPS Solutions: FirePOWER Appliances

Series                  Throughput
7000-series             50 to 250 Mbps
7100-series             500 Mbps to 2 Gbps
8100-series             2 to 12 Gbps
8200 and 8300-series    10 to 60 Gbps
NGIPSv                  ~250 Mbps to ~2 Gbps

Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances

Form Factor
  ASA with FirePOWER Services: ASA 5500-X, 5585-X
  FirePOWER Appliances: 8000, 7000 Physical and Virtual Appliances

Performance
  ASA with FirePOWER Services: Up to 10Gbps NGIPS on a single 5585-X SSP60
  FirePOWER Appliances: Up to 60Gbps on 8390

Deployment
  ASA with FirePOWER Services: Physical ASA Inline Deployment, HA, Clustering
  FirePOWER Appliances: Physical or SPAN Deployment, HA

Use Case
  ASA with FirePOWER Services: Inline and Promiscuous NGIPS and NGFW
  FirePOWER Appliances: Inline and Promiscuous NGIPS and NGFW

Packet Flow
  ASA with FirePOWER Services: From ASA to FirePOWER Module
  FirePOWER Appliances: Directly through FirePOWER Appliance

Management
  ASA with FirePOWER Services: CSM/ASDM for ASA, FMC/ASDM* for FirePOWER Services
  FirePOWER Appliances: FireSIGHT Management Center

Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances

Features
  ASA with FirePOWER Services: All ASA + Most FirePOWER features
  FirePOWER Appliances: FirePOWER features

Multi-Context
  ASA with FirePOWER Services: Ability to apply FirePOWER policy per context and generate reports on a per-context basis
  FirePOWER Appliances: Ability to define Security Zones and apply policy and generate reports per zone

SSL Decryption
  ASA with FirePOWER Services: Currently only with external appliance
  FirePOWER Appliances: Integrated as well as external appliance

VPN
  ASA with FirePOWER Services: Multiple remote-access and site-to-site options (IPSec, SSL)
  FirePOWER Appliances: Limited site-to-site IPSec support

HA
  ASA with FirePOWER Services: Active/Standby, Active/Active, Clustering
  FirePOWER Appliances: Active/Standby (Clustering)

Routing
  ASA with FirePOWER Services: Static, EIGRP, OSPF, BGP, RIP, Multicast
  FirePOWER Appliances: Static, OSPF, RIP

Identity
  ASA with FirePOWER Services: SFUA, AD Agent, CDA and TrustSec on ASA
  FirePOWER Appliances: SFUA, AD Agent, Passive Discovery

Bypass
  ASA with FirePOWER Services: Module Fail-Open
  FirePOWER Appliances: Automatic Application Bypass, HW Bypass

Cisco FireSIGHT Management Console: Single Console for Event, Policy and Configuration Management


Deploying Cisco NGIPS

IPS Deployment Cycle

Figure: Policy → Planning & Hardware Selection → Implementation & Operation → Evaluation → (back to Policy)

Policy: Network Security Policy

• Outlines rules for computer network access

• Determines how policies are enforced

• Basic Architecture of the network security environment

• Keep malicious users out

• Exert control over potentially risky internal users

• Attack Mitigation and Incident Response

• Align to business needs


Planning and Hardware Selection: Define your requirements

• Details how the Security Policy will be met

• Write-up of all requirements to prepare for implementation

• Good planning will lead to a successful implementation

  • Reduces complexity

  • Predictability and risk awareness

• Select Devices based on requirements

Planning and Hardware Selection: Define your requirements

Figure: the requirements (Use Case, Location, Connectivity, Performance, Availability and Scaling, Management) determine the Implementation, the Features and Licenses, and the Hardware.

Planning and Hardware Selection: Define your requirements

Requirement areas: Use Case, Location, Connectivity, Performance, Availability and Scaling, Management

Use Case: What problem are we solving?

Traditional FW
• 5-tuple Access Control
• Stateful Protocol Inspection
• NAT
• Routing

NGFW
• Application Visibility and Control
• User-Based Controls
• Filtering Web Access
• Encrypted Traffic

NGIPS
• Intrusion Detection
• Intrusion Prevention
• Encrypted Traffic
• Compliance
• Network Forensics

VPN
• Remote Access
• Site-to-Site
• NAT, Routing, …

Malware
• Trojan Horses, Rootkits, …
• Scope spreading
• 0-days

Use Case: Application Visibility and Control

• Deep visibility into App usage, regardless of port/protocol

• Reduce Attack Surface and Inspection Requirements

• Reclaim bandwidth from streaming/sharing Apps

• Restrict Mobile Apps in BYOD environments

• Limit Social Media to control malware and data leakage

Use Case: Application Visibility and Control

• Policies enforced by user/group, network, zone, or VLAN

• Fully integrated with NGIPS

• > 2300 Apps and Sub-Apps

• Apps classified by risk, relevance, type, category and tag

Use Case: Malware

• Today’s networks are designed to be highly flexible and promote information sharing and collaboration

• This flexibility can also be the source of substantial risk if traffic is allowed to flow freely without some form of monitoring and control

• Viruses, Worms, Spyware, Adware and the like are all connected pieces of crimeware infrastructure designed to ensure that breaches are difficult to catch and to allow for continuous access, while remaining hidden in plain sight.

• Security personnel struggle to understand the broader impact, context and spread of malware across the network and endpoints.

Use Case: Malware – File based malware prevention with AMP

To mitigate these risks, the Cisco NGIPS with AMP detects the movement and disposition of files on the network and allows for the appropriate action to be taken.

Figure: Reputation Filtering and File Sandboxing techniques: One-to-One Signature, Fuzzy Finger-Printing, Machine Learning, Advanced Analytics, Dynamic Analysis.

Use Case: Malware – AMP Provides Continuous Retrospective Security

Figure: a continuous feed and telemetry stream (file fingerprint and metadata, file and network I/O, process information) from a breadth of control points (Web/WWW, Endpoints, Network, Email, Devices, IPS) feeds continuous analysis, which returns inspection verdicts.

Use Case: URL Filtering

• Block non-business-related sites by category or reputation

• Ability to apply URL filtering policy on a per-user or per-user-group basis

• Apply other specific policies based on URL category (file, IPS, decryption)

Use Case: Inspecting Encrypted Traffic

• > 30% of Internet traffic is SSL encrypted, hiding it from inspection

  • Google, Facebook, Office 365

  • Expected to increase by 50% in 2015

  • Google to prioritize sites using SSL

• Increasing % of malware is hiding in SSL tunnels

  • Malware downloads

  • CnC connections

  • Data exfiltration

• Policy enforcement and threat protection

Use Case: Inspecting Encrypted Traffic

Figure: two placements. With an external SSL Appliance the flow stays encrypted between Client and SSL Appliance and between SSL Appliance and Server, while FirePOWER receives the decrypted copy from the SSL Appliance.

• Choose external SSL for high bandwidth and the ability to inspect with other solutions, e.g. DLP

• Use the new built-in SSL inspection for simplicity and cost-effectiveness

Use Case: Inspecting Encrypted Traffic with on-box decryption

• Multiple Deployment modes

  • Passive Inbound (known keys)

  • Inbound Inline (with or without keys)

  • Outbound Inline (without keys)

• Flexible SSL support for HTTPS & StartTLS-based apps

  • E.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS

• Decrypt by URL category and other attributes

• Centralized enforcement of SSL certificate policies

  • e.g. blocking self-signed encrypted traffic, specific SSL versions, specific Cipher Suites, unapproved mobile devices
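As an added illustration (example code, not from the deck and not Cisco's implementation), the following Python models an SSL policy of the kind this slide describes: attributes visible in the handshake (version, cipher suite, self-signed certificate, URL category) are evaluated in order, and the deployment mode decides whether decryption is possible at all. Rule order, the blocked version and cipher lists, the exempt categories and every flow record are assumptions constructed for the example.

```python
# Added example, not code from the BRKSEC-2030 deck: a simplified model of an on-box
# SSL policy. Each constructed flow record carries the handshake attributes a sensor
# can observe without decrypting. Rules run in order, first match wins, and the
# deployment mode decides whether decryption is even possible for the flow.
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsFlow:
    server_name: str
    version: str          # negotiated version seen in the ServerHello, e.g. "TLSv1.2"
    cipher_suite: str     # negotiated cipher suite seen in the ServerHello
    issuer: str           # from the server certificate
    subject: str
    url_category: str     # from URL categorisation of the SNI / certificate name

    @property
    def self_signed(self) -> bool:
        return self.issuer == self.subject


# Assumed policy values; a real policy takes these from the SSL policy, not from here.
BLOCKED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0"}
BLOCKED_CIPHER_MARKERS = ("RC4", "_DES_", "3DES", "NULL", "EXPORT", "anon")
DO_NOT_DECRYPT_CATEGORIES = {"Financial Services", "Health and Medicine"}
# Key exchanges that derive a fresh session key per connection: a passive sensor that
# only holds the server's private key cannot recover them (forward secrecy).
EPHEMERAL_KX_MARKERS = ("ECDHE", "DHE")


def evaluate(flow, mode):
    """Return (action, reason) for one flow.

    mode is one of the slide's deployment modes: 'passive_inbound' (known keys),
    'inbound_inline' or 'outbound_inline' (decryption by resigning the certificate).
    Actions: 'block', 'do_not_decrypt', 'decrypt', 'undecryptable'.
    """
    # 1. Certificate/handshake hygiene rules first; none of these need decryption.
    if flow.version in BLOCKED_VERSIONS:
        return "block", "SSL/TLS version %s not allowed" % flow.version
    if any(m in flow.cipher_suite for m in BLOCKED_CIPHER_MARKERS):
        return "block", "cipher suite %s not allowed" % flow.cipher_suite
    if flow.self_signed:
        return "block", "self-signed server certificate"
    # 2. Category exemptions sit after the block rules on purpose: placed first, a weak
    #    handshake to an exempt site would be waved through without any check.
    if flow.url_category in DO_NOT_DECRYPT_CATEGORIES:
        return "do_not_decrypt", "URL category %s is exempt" % flow.url_category
    # 3. Default: decrypt for IPS/AMP inspection, if the mode can actually do it.
    if mode == "passive_inbound" and any(m in flow.cipher_suite for m in EPHEMERAL_KX_MARKERS):
        return "undecryptable", "known-key decryption cannot recover an ephemeral session key"
    return "decrypt", "default: decrypt for inspection"


def apply_policy(flows, mode):
    """Evaluate every flow and return {server_name: (action, reason)}."""
    return {f.server_name: evaluate(f, mode) for f in flows}


# Constructed sample flows (not captured traffic); .test names are reserved examples.
SAMPLE_FLOWS = [
    TlsFlow("update.example-vendor.test", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "Example CA", "update.example-vendor.test", "Software Updates"),
    TlsFlow("old.example.test", "TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA",
            "Example CA", "old.example.test", "Business"),
    TlsFlow("bank.example.test", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "Example CA", "bank.example.test", "Financial Services"),
    TlsFlow("10.0.0.9", "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA",
            "10.0.0.9", "10.0.0.9", "Uncategorized"),
    TlsFlow("intranet.example.test", "TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256",
            "Example CA", "intranet.example.test", "Business"),
]

if __name__ == "__main__":
    for mode in ("outbound_inline", "passive_inbound"):
        print("mode:", mode)
        for name, (action, reason) in apply_policy(SAMPLE_FLOWS, mode).items():
            print("  %-30s %-15s %s" % (name, action, reason))
```

Running it with both modes shows the same update flow decrypting inline but coming back as undecryptable in passive known-key mode, which is the practical reason forward-secret cipher suites push deployments towards an inline mode.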

Use Case: Inspecting Encrypted Traffic with external appliance

• Cisco SSL Appliance 1500, 2000, 8200 (4, 10 and 20 Gbps)

• Encrypted traffic flow

  • Decrypted by SSL Appliance

  • Re-encrypted by SSL appliance

• Plain text traffic flow

  • Decrypted by SSL Appliance

  • Sent to sensor

  • Processed and returned to SSL Appliance

  • Packets returning from the sensor are not re-encrypted

  • Modifications made to packets by the sensor are not present in the encrypted traffic flow

• Non-SSL traffic is cut through

Figure: between the Inside Network and the Outside Network the diagram distinguishes clear text traffic, SSL traffic with the rewritten certificate, and SSL traffic with the original certificate.

Use Case: Intrusion Detection and Reporting (passive)

• Identify and log Intrusion attempts

• Need to prioritize events based on

  • Criticality of the asset

  • Relevancy of the attack

  • Potential for damage

• What signatures to enable?

• How to avoid noise, false positives and non-relevant events?

• How to maximize the effectiveness of the analyst?

• How to deal with encrypted traffic?

• Contextual Visibility is key!

Figure: an Ethernet Switch mirrors traffic to a SPAN Destination Port that is connected to the sensor’s Passive Interface.
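The prioritisation this slide asks for, and the impact assessment listed under Next-Generation IPS contextual awareness earlier in the deck, can be illustrated with the following added Python example (not code from the deck and not FireSIGHT's implementation): each constructed intrusion event is correlated with the passively discovered profile of its target host to rate attack relevancy, then combined with asset criticality and damage potential into one priority. Impact levels follow the FireSIGHT impact-flag numbering (1 vulnerable to 4 unknown target); the host profiles, events and scoring weights are constructed assumptions.

```python
# Added example, not code from the BRKSEC-2030 deck: a simplified impact assessment.
# Events are correlated with host profiles (as passive discovery would build them) to
# answer "is the attacked host actually running what the signature targets?", and the
# answer is combined with asset criticality and signature severity into a priority.
from dataclasses import dataclass


@dataclass
class HostProfile:
    ip: str
    os_family: str               # e.g. "Windows", "Linux"
    open_tcp_ports: frozenset    # ports seen in passive discovery
    services: dict               # port -> service name seen on that port
    criticality: str             # asset tag: "high", "medium" or "low"


@dataclass
class IntrusionEvent:
    rule_id: str                 # constructed GID:SID style identifier
    dst_ip: str
    dst_port: int
    target_os: str               # OS the vulnerability applies to ("any" if none)
    target_service: str          # service the signature is written for
    severity: int                # 1 (low) .. 3 (high) damage potential


IMPACT_LABEL = {1: "vulnerable", 2: "potentially vulnerable",
                3: "currently not vulnerable", 4: "unknown target"}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}   # assumed weights
RELEVANCY_WEIGHT = {1: 3, 2: 2, 3: 0, 4: 1}                # assumed weights


def impact_level(ev, hosts):
    """Rate attack relevancy against what is known about the target host."""
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4                      # nothing known about the target
    if ev.dst_port not in host.open_tcp_ports:
        return 3                      # attacked service is not listening
    os_match = ev.target_os in ("any", host.os_family)
    service_match = host.services.get(ev.dst_port) == ev.target_service
    if os_match and service_match:
        return 1                      # host runs exactly what is attacked
    return 2                          # port open, but OS or service differ


def priority(ev, hosts):
    """Combine relevancy, asset criticality and damage potential into a score.

    Higher is more urgent. Impact 3 (not vulnerable) scores zero so it sinks to the
    bottom of the analyst queue instead of being silenced entirely.
    """
    level = impact_level(ev, hosts)
    host = hosts.get(ev.dst_ip)
    crit = CRITICALITY_WEIGHT[host.criticality] if host else 1
    return RELEVANCY_WEIGHT[level] * crit * ev.severity, level


def triage(events, hosts):
    """Return (score, rule_id, dst_ip, impact label) rows, most urgent first."""
    rows = []
    for ev in events:
        score, level = priority(ev, hosts)
        rows.append((score, ev.rule_id, ev.dst_ip, IMPACT_LABEL[level]))
    return sorted(rows, key=lambda r: -r[0])


# Constructed host profiles and events (not from a real network).
HOSTS = {h.ip: h for h in [
    HostProfile("10.1.1.10", "Windows", frozenset({80, 443, 445}),
                {80: "IIS", 445: "SMB"}, "high"),
    HostProfile("10.1.1.20", "Linux", frozenset({22, 80}),
                {22: "OpenSSH", 80: "Apache httpd"}, "medium"),
    HostProfile("10.1.1.30", "Linux", frozenset({22}), {22: "OpenSSH"}, "low"),
]}
EVENTS = [
    IntrusionEvent("1:1001", "10.1.1.10", 445, "Windows", "SMB", 3),          # matches host
    IntrusionEvent("1:1002", "10.1.1.20", 80, "Windows", "IIS", 3),           # wrong OS/service
    IntrusionEvent("1:1003", "10.1.1.30", 80, "any", "Apache httpd", 2),      # port closed
    IntrusionEvent("1:1004", "10.1.1.99", 22, "any", "OpenSSH", 2),           # unknown host
]

if __name__ == "__main__":
    for score, rule, ip, label in triage(EVENTS, HOSTS):
        print("%3d  %-8s %-12s %s" % (score, rule, ip, label))
```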

Use Case: Intrusion Prevention

• Identify, log and/or prevent intrusion attempts

• All of what matters for IDS also applies to IPS

• The right tuning is even more important because

  • False Positives may drop good traffic

  • Inline deployment may have an impact on performance

• Often IPS is deployed as IDS, then tuned before inline deployment

• Contextual Visibility is key!

Use Case: Licensing FirePOWER Appliances and Services

Component, license name and features enabled:

FirePOWER Appliances or FirePOWER Services
  Protect: IDS/IPS Functionality; File Control (Detect/Block); Security Intelligence
  Control: User/App Control; Virtual Routing/Switching/NAT; Stacking; Clustering (Physical Appliances)
  URL Filtering: URL Filtering based on Category and Reputation
  Malware Protection: Detect and Block Malware transmitted through FirePOWER’s AMP capabilities

FireSIGHT Management Center
  FireSIGHT: Network Discovery of Host, Apps, Users; Geo-Location Based Filtering

Use Case: Licensing Packages for ASA with FirePOWER Services

• Five (5) feature license packages are available

• AVC is part of the default offering

• One (1) and three (3) year terms are available

• SMARTnet is ordered separately with the appliance

Package   Contents
URL       URL
TA        IPS
TAC       IPS, URL
TAM       IPS, AMP
TAMC      IPS, AMP, URL


Location: What Network Segment do we want to protect?

• Internet Edge

• Data Center

• Branch

• Core

• Extranets

• Critical Network Segments

Location: Internet Edge

• Enterprise’s GW to Cyberspace

• Serves diverse building blocks

• Allow outbound employee traffic and inbound traffic to servers

• Filter outbound employee traffic

• Need for diversified policy protecting both DMZ and users

Location: Data Center

• Houses the most critical applications and data

• Key to security is maintaining service availability

• Security may affect traffic flows, scalability and failures

• “Perceived” universal DC requirements include High Availability, the ability to deal with asymmetric traffic, and Scalability.


Connectivity: What Interfaces are needed?

• How Many Interfaces?

• Fiber or Copper?

• Bypass or non-bypass?

• Interface Speed?

• Need for bundling Interfaces?

• Need for Wireless?

Connectivity: Interface Options on ASA with FirePOWER Services

                         5506   5506-H   5506-W   5508/5516   5512/15              5525/45/55
Fixed 1GE Interfaces     8      4        8        8           6                    8
Modular Interfaces       NO     NO       NO       NO          6 GE Copper or SFP   6 GE Copper or SFP
Integrated Wireless AP   NO     NO       YES      NO          NO                   NO
Hardware Fast Path       NO     NO       NO       NO          NO                   NO
Monitor-Only Mode        YES    YES      YES      YES         YES                  YES

Connectivity: Interface Options on ASA with FirePOWER Services

                       5585 SSP10F10,   5585 SSP10F20,   5585 SSP40F40,
                       5585 SSP20F20    5585 SSP20F40    5585 SSP60F60
Fixed 1GE Interfaces   16               14               16
SFP+ Sockets           4 (1/10 GE)      6 (1/10 GE)      8 (1/10 GE)
Hardware Fast Path     NO               NO               NO
Monitor-Only Mode      YES              YES              YES

Connectivity: Interface Options on FirePOWER Appliances

                              NGIPSv   7000   7100                   8100                         8200/8300
Modular Interfaces            NO       NO     8 GE Copper or SFP *   Up to 3 modules (1,10 GE)    Up to 7 modules (1,10,40 GE)
Monitoring Interfaces (Max)   NO       8      8-12                   12                           28
Hardware Bypass               NO       YES    YES                    YES                          YES
Hardware Fast Path            NO       NO     NO                     YES                          YES

* 7115, 7125, and 7150 models only

Connectivity: Network Modules for FirePOWER 8000 Series

Integrated Bypass NetMods                    Non-Bypass Netmods
1-Gbps 4-port copper                         1-Gbps 4-port copper
1-Gbps 4-port fiber                          1-Gbps 4-port fiber
10-Gbps 2-port fiber SR (short-reach)        10-Gbps 4-port fiber SR (short-reach)
10-Gbps 2-port fiber LR (long-reach)         10-Gbps 4-port fiber LR (long-reach)
40-Gbps 2-port fiber SR (8200/8300 only)

Connectivity: Link Aggregation for Link Redundancy and Scaling

Figure: an NGIPS Appliance connects ports s1p1 to s1p4 as one aggregated link (lag0) to a Switch.

• Combine multiple links into one aggregated link (port-channel)

• Availability and Throughput

• Manual (always on) EtherChannel or LACP

• Supported on ASA and FirePOWER appliances

  • ASA: multiple firewalls can be members of 1 port-channel (used in Clustering)

  • Firepower Appliances: only supported to aggregate interfaces on the same device

Page 62: Deploying Intrusion Prevention Systemsd2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKSEC-2030.pdf · Deploying Intrusion Prevention Systems Stijn Vanveerdeghem Technical Marketing

Connectivity: Link Aggregation on FirePOWER Appliances

• Managed under Interface Configuration
• Supports switched and routed deployments
• Not supported on clustered devices today
• Not supported to load-balance across multiple devices
• FirePOWER appliances can also pass LACP through when deployed between two LACP speakers

Connectivity: How should the sensor be connected?

FirePOWER Appliance, Promiscuous Mode
• Passive interface

FirePOWER Appliance, Inline Mode
• Inline interfaces
• Virtual Switched Mode
• Virtual Routed Mode

ASA with FirePOWER Services
• Inline
• Promiscuous
• SPAN port mode

Connectivity: FirePOWER Appliance Deployment Models

Traditional IDS Deployment
• SPAN or TAP sends a copy of the traffic to the IDS
• Does not impact network traffic
• Easy to insert into an existing network
• i.e. Passive Mode

Traditional IPS Deployment
• Bump in the wire, entirely transparent to the network
• Bypass functionality
• Easy to insert into an existing network
• i.e. FirePOWER Inline Interfaces

Traditional Transparent Firewall Deployment
• No bypass functionality
• Can actively participate in the network (i.e. keeps a CAM table, can broadcast ARP requests)
• State-sharing is a requirement for network continuity in HA pairs
• i.e. Virtual Switched Mode

Traditional Routed Firewall Deployment
• FW is a hop in the network between L3 boundaries
• Has to be aware of routing protocols
• State-sharing is a requirement for network continuity in HA pairs
• i.e. Virtual Routed Mode

Connectivity: FirePOWER Appliance Promiscuous – Passive Interface

[Figure: Ethernet switch SPAN destination port connected to the sensor's passive interface]

• FirePOWER Appliances and NGIPSv
• Only copies of the packets are sent to the sensor
• One or more physical ports designated as passive
• Visibility and detection
• Optional prevention through remediation modules
• A separate device must send copies of the packets: a SPAN (or monitor) session from a switch, or network taps

Switch-side SPAN session as shown on the slide:

monitor session 1 type local
 source int fa4/1
 destination int fa2/2

Connectivity: FirePOWER Appliance Inline – Inline Interfaces

Transparent interfaces: the sensor is a Layer 2 bridge that sits between two physical ports on one switch or on two different switches.

• Two physical interfaces paired together
• Paired interfaces must be assigned to an inline set
• Multiple pairs can be configured on the same sensor as sets
• IPS between two access ports on the same switch or between two different switches
• Traffic passes through the sensor
• Pass good traffic, and block bad
• Redundancy can be provided with STP or an additional sensor
• Fail-open can be provided with hardware-bypass interfaces

Connectivity: FirePOWER Appliance Inline – Configuring Inline Interfaces

• Create an Inline Set
• Select Bypass mode
• Assign one or more interface pairs to the Inline Set
• Advanced options:
  • Tap Mode
  • Propagate Link State
  • Transparent Inline Mode
  • Strict TCP Enforcement

Connectivity: FirePOWER Appliance Inline – Virtual Switched Mode

[Figure: Host A on VLAN 10 and Host B on VLAN 20 bridged through the sensor's virtual switch]

• Virtual Switch is defined within the sensor
• Traditional L2 firewall deployment model
• Two or more physical interfaces or VLANs are assigned to the Virtual Switch
• Traffic passes through the IPS and gets inspected
• The incoming VLAN tag is stripped and packets are re-encapsulated with the egress VLAN tag when leaving
• Security redundancy (HA) can be provided with STP deployments
• Network availability (fail-open) can be provided with a redundant wire

Connectivity: FirePOWER Appliance Inline – Configuring Inline Switched Mode

• Create logical switched interfaces for each VLAN *
• Create a Virtual Switch
• Add logical or physical interfaces to the Virtual Switch
• Advanced options:
  • Static MAC Entries
  • Strict TCP Enforcement
  • Drop BPDUs

Connectivity: FirePOWER Appliance Inline – Virtual Routed Mode

Routed interfaces

• Two or more physical or logical (VLAN) interfaces defined as routable interfaces
• Traditional L3 firewall deployment
• Route good traffic, and drop bad
• Static routing, RIP and OSPF are supported
• Redundancy can be provided through SFRP to a standby sensor
• Fail-open is NOT supported in routed mode

Connectivity: FirePOWER Appliance Inline – Configuring Virtual Routed Mode

• Create logical routed interfaces for each VLAN *
• Assign IP addresses to logical or physical routed interfaces
• Create a Virtual Router
• Add logical or physical interfaces to the Virtual Router
• Configure the routing type
• Advanced options:
  • IPv6 Support
  • DHCP Relay
  • Static Routing Entries
  • Routing Filter
  • Authentication Profile

Connectivity: ASA with FirePOWER Services

The ASA itself can be deployed in many ways:
• L2 (transparent) / L3 (routed) mode
• Single-context / multi-context
• Active/Standby, Active/Active, Clustering

The Modular Policy Framework (MPF) is used to forward traffic from the ASA to FirePOWER Services:
• Inline
• Promiscuous
• Monitor-only

policy-map global_policy
 class class-default
  sfr fail-open
service-policy global_policy global

Connectivity: ASA with FirePOWER Services – Inline

• ASA is deployed inline (L3 or L2 mode ASA)
• ASA forwards selected traffic through the module, as defined in the ASA policy-map
• Packets and flows are not dropped by FirePOWER Services directly
• Packets are marked with Drop or Drop with Reset and sent back to the ASA
• This allows the ASA to clear the connection from its state tables and send resets if needed

policy-map global_policy
 class class-default
  sfr fail-open
service-policy global_policy global

Connectivity: ASA with FirePOWER Services – Promiscuous

• ASA is still deployed inline (L3 or L2 mode ASA)
• ASA forwards a copy of the selected traffic through the module, as defined in the ASA policy-map
• Monitor-only option in the policy-map
• Visibility and detection
• Optional prevention through remediation modules

policy-map global_policy
 class class-default
  sfr fail-open monitor-only
service-policy global_policy global

Connectivity: ASA with FirePOWER Services – SPAN Port Mode

• ASA interface connected to a SPAN port (transparent mode ASA)
• ASA not in the data path
• Monitor-only configured on the interface
• This interface cannot be used for regular ASA functionality
• Other ASA interfaces can still be inline but cannot forward traffic to the FirePOWER module
• Only supported in transparent, single-context mode
• Visibility and detection

firewall transparent
interface GigabitEthernet0/0
 traffic-forward sfr monitor-only

Planning: Define your requirements (Use Case, Location, Connectivity, Performance, Availability and Scaling, Management)

Performance: How to measure and why it matters

Sizing: Which device do I need to buy? Upgrade of an existing device or a new device?

Features: What features am I going to need or want to run? Firewall, IPS, Application Control, URL, Malware?

Location: Where is the device in the network? In front of a DNS-only datacenter with millions of very small, very fast transactions, or in front of HTTP web servers serving normal web pages? A datacenter looking only at internal traffic, or the Internet edge looking at the wild Internet?

As with all performance discussions, YOUR MILEAGE MAY VARY!

Performance: Determining your IPS performance needs

• What does your traffic mix look like?
• What is your peak throughput?
• What features will you need?
• What are your peak connections/s and maximum concurrent connections?
• How much latency is acceptable?
• Can we exclude traffic from inspection?
• Use NetFlow, NBAR, AVC, ASA stats
• Plan for the future!
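A worked example of the measurement step in the checklist above, added here and not part of the Cisco deck: it derives the three sizing inputs the checklist asks for (peak throughput, peak new connections per second, maximum concurrent connections) from flow records, and shows how excluding a class of traffic from inspection changes them. The record layout (start second, end second, bytes, destination port) and the sample flows are constructed; a real NetFlow v5/v9 or IPFIX export carries the same facts under its own field names.

```python
"""Derive IPS sizing inputs from flow records.

Added example for this page, not Cisco code. Flow layout and sample data are
constructed: (start second, end second, bytes, destination port). A real
NetFlow v5/v9 or IPFIX export carries the same facts under its own field names.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int   # second of the first packet (epoch seconds in a real export)
    end: int     # second of the last packet, inclusive
    nbytes: int  # bytes carried by the flow
    dport: int   # destination port, used here only to exclude traffic

    def duration(self) -> int:
        # A flow that starts and ends within one second still occupies it.
        return self.end - self.start + 1


# Constructed sample: a few DNS-sized flows and two HTTP downloads.
SAMPLE_FLOWS = [
    Flow(100, 100, 120, 53),
    Flow(100, 100, 240, 53),
    Flow(100, 104, 5_000_000, 80),   # 5 MB spread over 5 s
    Flow(101, 101, 180, 53),
    Flow(102, 106, 10_000_000, 80),  # 10 MB spread over 5 s
    Flow(103, 103, 90, 53),
    Flow(103, 103, 90, 53),
    Flow(103, 103, 90, 53),
]


def per_second_series(flows):
    """Bits, new flows and active flows per second, each keyed by second."""
    bits = defaultdict(float)
    new = defaultdict(int)
    active = defaultdict(int)
    for f in flows:
        new[f.start] += 1
        share = f.nbytes * 8 / f.duration()  # spread evenly across the flow's lifetime
        for sec in range(f.start, f.end + 1):
            bits[sec] += share
            active[sec] += 1
    return bits, new, active


def sizing_inputs(flows, exclude=None):
    """Peak throughput (Mbps), peak new connections/s and max concurrent connections.

    `exclude` is an optional predicate; flows it matches are dropped first, which
    is how "can we exclude traffic from inspection?" changes the numbers.
    """
    kept = [f for f in flows if not (exclude and exclude(f))]
    if not kept:
        return {"peak_mbps": 0.0, "peak_cps": 0, "max_concurrent": 0}
    bits, new, active = per_second_series(kept)
    return {
        "peak_mbps": max(bits.values()) / 1e6,
        "peak_cps": max(new.values()),
        "max_concurrent": max(active.values()),
    }


if __name__ == "__main__":
    print("all traffic:", sizing_inputs(SAMPLE_FLOWS))
    print("without HTTP:", sizing_inputs(SAMPLE_FLOWS, exclude=lambda f: f.dport == 80))
```

Spreading a flow's bytes evenly over its lifetime is the same approximation a one-second throughput counter makes; if your export carries per-interval byte counts, use those instead. The peak values, not the averages, are what the sizing tables on the following slides must be compared against.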

Performance: Throughput testing methodology

Datasheets generally have some indication of performance. In most cases this includes the infamous “throughput” measurement. Different product spaces have different typical “throughput” tests.

The firewall industry almost always publishes a maximum throughput number, usually based on a traffic type that is never helpful in determining the sizing of the product. UDP with a 1518-byte packet size is fairly common.

The IPS industry has generally been more conservative about throughput estimates on its datasheets, partly because its performance range is much more variable than that of firewalls, and partly by industry choice. TCP 440-byte HTTP is fairly common.

Performance: What metrics do we provide?

Solution                      Throughput                              Connections
ASA with FirePOWER Services   Maximum Stateful Firewall Throughput    Maximum Concurrent Sessions
                              Maximum VPN Throughput                  Maximum New Connections / Second
                              Maximum AVC Throughput
                              Maximum AVC and NGIPS Throughput
                              AVC or IPS Sizing Throughput (440B)
FirePOWER Appliances          FW Throughput                           Maximum Concurrent Sessions
                              IPS Throughput (440B)                   Maximum New Connections / Second

Performance: Multiple-Services Performance Guideline

If you run AVC or AVC+AMP on top of IPS, reduce the datasheet IPS throughput by:
• 30-45% for IPS + AVC
• 50-65% for IPS + AVC + AMP

Performance: FirePOWER Services for ASA

Model     Max Stateful FW   VPN          Max AVC      Max AVC and IPS   AVC or IPS Sizing    Max           Max
          Throughput        Throughput   Throughput   Throughput        Throughput (440B)    Connections   CPS
5506-X    750 Mbps          100 Mbps     250 Mbps     125 Mbps          90 Mbps              50,000        5,000
5508-X    1 Gbps            175 Mbps     450 Mbps     250 Mbps          180 Mbps             100,000       10,000
5512-X    1 Gbps            200 Mbps     200 Mbps     150 Mbps          100 Mbps             100,000       10,000
5515-X    1.2 Gbps          250 Mbps     500 Mbps     250 Mbps          150 Mbps             250,000       15,000
5516-X    1.8 Gbps          250 Mbps     850 Mbps     450 Mbps          300 Mbps             250,000       20,000
5525-X    2 Gbps            300 Mbps     1.1 Gbps     650 Mbps          375 Mbps             500,000       20,000
5545-X    3 Gbps            400 Mbps     1.5 Gbps     1 Gbps            575 Mbps             750,000       30,000
5555-X    4 Gbps            700 Mbps     1.75 Gbps    1.25 Gbps         725 Mbps             1,000,000     50,000
5585-10   4 Gbps            1 Gbps       4.5 Gbps     2 Gbps            1.2 Gbps             500,000       40,000
5585-20   10 Gbps           2 Gbps       7 Gbps       3.5 Gbps          2 Gbps               1,000,000     75,000
5585-40   20 Gbps           3 Gbps       10 Gbps      6 Gbps            3.5 Gbps             1,800,000     120,000
5585-60   40 Gbps           4 Gbps       15 Gbps      10 Gbps           6 Gbps               4,000,000     160,000
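The table above and the 30-65% service reduction on the previous slide together make a sizing check that is easy to get wrong by hand. The selector below is an added example, not a Cisco sizing tool: it carries the 440-byte sizing throughput, maximum connections and maximum connections/second from the table, applies the conservative end of the multi-service guideline (45% for IPS + AVC, 65% for IPS + AVC + AMP), adds a planning headroom factor for "plan for the future" (an assumption; 1.5 here), and returns the smallest model that still meets all three measured peaks. The sample loads are constructed; only the datasheet numbers come from the slide.

```python
"""Smallest ASA with FirePOWER Services model for a measured load.

Added example for this page, not a Cisco sizing tool. Datasheet numbers are
the slide's table (440-byte sizing throughput, max connections, max CPS);
the service reductions are the conservative end of the guideline. The
headroom factor and the sample loads are assumptions.
"""

# (model, sizing throughput Mbps, max connections, max connections/s)
ASA_FIREPOWER = [
    ("5506-X", 90, 50_000, 5_000),
    ("5508-X", 180, 100_000, 10_000),
    ("5512-X", 100, 100_000, 10_000),
    ("5515-X", 150, 250_000, 15_000),
    ("5516-X", 300, 250_000, 20_000),
    ("5525-X", 375, 500_000, 20_000),
    ("5545-X", 575, 750_000, 30_000),
    ("5555-X", 725, 1_000_000, 50_000),
    ("5585-10", 1_200, 500_000, 40_000),
    ("5585-20", 2_000, 1_000_000, 75_000),
    ("5585-40", 3_500, 1_800_000, 120_000),
    ("5585-60", 6_000, 4_000_000, 160_000),
]

# Fraction of datasheet IPS throughput left once extra services are enabled
# (worst case of the slide's ranges: 45 % and 65 % reductions).
REMAINING_FRACTION = {
    "IPS": 1.00,
    "IPS+AVC": 0.55,
    "IPS+AVC+AMP": 0.35,
}


def effective_mbps(datasheet_mbps, services):
    """Datasheet sizing throughput after the multi-service reduction."""
    return datasheet_mbps * REMAINING_FRACTION[services]


def smallest_fit(peak_mbps, max_concurrent, peak_cps, services="IPS", headroom=1.5):
    """Return the smallest model (ordered by sizing throughput) whose effective
    throughput, connection table and connection rate all cover the measured
    peaks multiplied by the planning headroom, or None if no model does."""
    need_mbps = peak_mbps * headroom
    need_conc = max_concurrent * headroom
    need_cps = peak_cps * headroom
    # Sort by throughput, then table size, then rate: the datasheet order is
    # not monotonic (the 5512-X sizes below the 5508-X).
    for model, mbps, conc, cps in sorted(ASA_FIREPOWER, key=lambda m: (m[1], m[2], m[3])):
        if (effective_mbps(mbps, services) >= need_mbps
                and conc >= need_conc and cps >= need_cps):
            return model
    return None


if __name__ == "__main__":
    # Same constructed load, three feature sets: AVC and AMP push the choice up.
    for svc in REMAINING_FRACTION:
        print(svc, smallest_fit(peak_mbps=24.0, max_concurrent=5, peak_cps=3, services=svc))
```

Note that the connection-table and connection-rate columns can be the binding constraint even when throughput is not: a 600 Mbps load with 600,000 concurrent connections skips the 5585-10, whose effective IPS + AVC throughput would suffice but whose table holds only 500,000 connections.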

Performance: FirePOWER Appliances

Model   Firewall Throughput   IPS Throughput   Max Connections   Max CPS
7030    500 Mbps              250 Mbps         500,000           5,000
7115    1.5 Gbps              750 Mbps         1,500,000         27,500
7125    2.5 Gbps              1.25 Gbps        2,500,000         42,500
8120    4 Gbps                2 Gbps           3,000,000         45,000
8140    10 Gbps               6 Gbps           7,000,000         100,000
8250    20 Gbps               10 Gbps          12,000,000        180,000
8350    30 Gbps               15 Gbps          12,000,000        180,000
8360    60 Gbps               30 Gbps          24,000,000        360,000
8370    90 Gbps               45 Gbps          36,000,000        540,000
8390    120 Gbps              60 Gbps          48,000,000        720,000

Planning: Define your requirements (Use Case, Location, Connectivity, Performance, Availability and Scaling, Management)

Availability and Scaling: What should happen if the IPS fails?

ASA with FirePOWER Services
• Network availability: ASA with FirePOWER fail-open
• Security availability: ASA A/S failover

FirePOWER Appliance – Promiscuous
• Network availability: N.A.
• Security availability: FirePOWER Clustering – Passive Redundancy

FirePOWER Appliance – Inline
• Network availability: Automatic Application Bypass, Hardware Bypass, Alternate Path
• Security availability: FirePOWER Clustering – Inline, Switched or Routed

Network Availability: Fail-Open for ASA with FirePOWER Services

[Figure: data flow through the ASA and the FirePOWER module (HW or SW); after a health-check failure the flow continues through the ASA alone]

• Fail-open and fail-closed are configured in the ASA policy-map
• Determines what the ASA does when the FirePOWER module has failed
• With fail-closed, traffic will be blocked when the module is unavailable
• With fail-open, traffic will be allowed and not inspected when the module is unavailable
• Only used if the ASA cannot fail over

Fail-open trades inspection for availability: on segments where uninspected traffic is not acceptable, configure fail-closed instead.

policy-map global_policy
 class class-default
  sfr fail-open
service-policy global_policy global

Network Availability: Automatic Application Bypass (AAB) for FirePOWER IPS

[Figure: data flow through the FirePOWER appliance; once the processing time is exceeded the flow bypasses inspection]

• AAB limits the time allowed to process packets through an interface
• Increased processing time may be due to misconfiguration or a software issue
• Not the same as packet / rule latency thresholding
• Inspection is bypassed if the processing time is exceeded; this causes all Snort processes to terminate
• AAB restarts the Snort IPS engine within 10 minutes after the failure
• Bypass threshold: 250 ms – 6 s (3 s default)
• Generates a health monitoring alert
• Supported on FirePOWER hardware appliances and NGIPSv
• Not supported on ASA with FirePOWER Services

Network Availability: Hardware Bypass for FirePOWER IPS

[Figure: sensor between two Ethernet switches. Normal: link up on both sides, traffic passes through the sensor. Power loss: link drops, hardware bypass activates and the two switches are connected directly, uninspected]

• Fail-to-wire
• Traffic bypasses the appliance on power failure
• Supported on physical FirePOWER appliances only
• Supported on both copper and fiber interfaces
• Hardware bypass network modules available for the 8000 series
• Inline interfaces mode only

Network Availability: Alternate Path for FirePOWER IPS

[Figure: the sensor path carries the data flow; the alternate path is blocked by Spanning Tree until the sensor fails]

• Sensor and alternate path between two switches or two VLANs on the same switch
• STP determines the forwarding/blocking path
• Sensor failure causes STP to place the alternate path in the forwarding state

Security Availability: A/S Failover for ASA with FirePOWER Services

[Figure: active/standby ASA pair between two Ethernet switches; the data flow moves to the standby unit when the active unit fails]

• For locations where high availability is the primary concern
• The ASAs sync their connection table
• ASA configuration is automatically synced
• FirePOWER configuration should be synced using FireSIGHT Management Center
• FirePOWER modules do not synchronize their connection tables
• Mid-session pickup on FirePOWER modules
• Supported in both routed and transparent mode

Security Availability: Clustering (HA) for FirePOWER Appliances

• Not the same as ASA Clustering
• FirePOWER Clustering (HA) establishes resiliency between two appliances or two stacks
• Clustered devices can synchronize state via the HA link
• Single logical system in FireSIGHT Management Center for policy application
• Both devices must be the same model, with identical interfaces, the same software and the same licenses
• Automatic failover happens on appliance health failure, hardware failure, during a system update or on device shutdown
• Multiple clustered redundancy deployment models: Passive, Inline, Routed, Switched

Security Availability: Clustering for FirePOWER Appliances – Passive Deployment Redundancy

[Figure: the same SPAN'ed traffic fed to an active and a standby appliance; the standby becomes active when the first appliance fails]

• TAP or SPAN feed to multiple appliances in passive mode
• The standby appliance brings its interfaces up if the active appliance fails health checks
• Same as having multiple standalone IDS appliances, except that duplicate events are suppressed

Security Availability: Clustering for FirePOWER Appliances – Inline Deployment Redundancy

[Figure: two sensors between two switches; one path carries the data flow, the other is blocked by Spanning Tree]

• Sensors between two switches
• STP determines the forwarding/blocking path
• Sensor failure causes STP to place the other sensor in the forwarding state

Security Availability: Clustering for FirePOWER Appliances – Switched Deployment Redundancy

[Figure: two sensors bridging VLAN 20 and VLAN 200; one is the active STP path, the other path is blocked by STP]

• Sensors between switches or VLANs on the same switch
• Virtual Switch configuration
• STP determines the forwarding/blocking path
• Sensor failure causes STP to place the other sensor in the forwarding state
• Clustering does state push for session state to ensure flow continuity on failover

Security Availability: Clustering for FirePOWER Appliances – Routed Deployment Redundancy

[Figure: active and standby sensors between two Ethernet switches; the data flow moves to the standby sensor when the active one fails]

• Virtual Router configuration
• Hosts typically have a statically defined gateway
• Redundancy in a routed deployment requires the routed interfaces to share a gateway IP address
• SFRP (similar to VRRP) creates an Active/Passive deployment by advertising the active IP on only one interface
• If that interface goes down, the backup interface begins advertising the IP address
• Clustering does state push for session state to ensure flow continuity on failover

Availability and Scaling: How to scale beyond what one appliance can do?

ASA with FirePOWER Services
• Scaling: N.A.
• Scaling + availability: ASA Clustering *

FirePOWER Appliance – Passive
• Scaling: Stacking
• Scaling + availability: Passive Clustered Stack; FirePOWER passive appliances with EtherChannel RSPAN *

FirePOWER Appliance – Inline
• Scaling: Stacking
• Scaling + availability: Clustered Stack; ASA with FirePOWER Appliances *

* Can be deployed in asymmetric traffic environments

Scaling: Stacking for FirePOWER 8000 Series

• 4x stacking supported on the 8300 and 8200; 2x stacking on the 8100 series

Stack            8350      8360      8370      8390
IPS Throughput   15 Gbps   30 Gbps   45 Gbps   60 Gbps

Scaling + Availability: Clustering for ASA5500-X

[Figure: ASA cluster attached to vPC pairs on both sides]

• Scaling and availability for FirePOWER Services
• Can be deployed in an asymmetric environment
• Up to 16 ASA5585-X or two ASA5500-X with FirePOWER Services
• Stateless load balancing by an external switch
• Support for vPC and LACP
• Cluster Control Protocol / Link
• State-sharing between firewalls for concerted operation and high availability
• Every session has a primary and a secondary owner ASA
• The ASA provides traffic symmetry to the FirePOWER modules

Scaling + Availability: Clustered Stack of FirePOWER Appliances

[Figure: active and standby stacks, shown with SPAN'ed traffic for the passive case and an STP-blocked path for the inline case]

• Stack-to-stack high availability
• Supported on the 8000 series
• Scaling and availability for FirePOWER Services
• Supported for passive, inline, switched and routed clustered deployments
• Not suggested for asymmetric environments
• Stacks must have identical hardware

Scaling + Availability: EtherChannel RSPAN with FirePOWER Passive Appliances

[Figure: vPC pairs mirroring traffic into an RSPAN VLAN, aggregated into an EtherChannel towards the passive appliances]

• Provides IDS scaling and availability
• No FirePOWER Clustering
• Can be deployed in an asymmetric environment
• Asymmetric traffic flow through the DC switching infrastructure
• Switches mirror traffic at key intersection points into an RSPAN VLAN
• The RSPAN collection switch aggregates flows and feeds them into an EtherChannel
• FirePOWER appliances process the aggregated SPAN traffic in passive mode

Scaling + Availability: ASA with Inline FirePOWER Appliances

[Figure: ASA cluster between vPC pairs, with inline FirePOWER appliances between the ASA contexts]

• Provides IPS scaling and availability
• Can be deployed in an asymmetric environment
• ASA appliances deployed as a cluster in multi-context mode
• Inline FirePOWER appliances attached in between the contexts
• ASA Clustering automatically redirects asymmetrically received packets to the ASA connection owner
• Local FirePOWER appliances have full visibility into the flow due to localized processing
• Cisco Validated Design

Availability and Scaling: Availability and Scaling Options on ASA with FirePOWER Services

                               5506   5506-H   5506-W   5508/5516   5512/15    5525/45/55   5585-X
Multi-Context                  NO     NO       NO       YES         YES        YES          YES
High Availability              A/S    A/S      A/S      A/S, A/A    A/S, A/A   A/S, A/A     A/S, A/A
Clustering                     NO     NO       NO       NO          YES (2)    YES (2)      YES (16)
Module Fail-Open               YES    YES      YES      YES         YES        YES          YES
Automatic Application Bypass   NO     NO       NO       NO          NO         NO           NO

Availability and Scaling: Availability and Scaling Options on FirePOWER Appliances

                               NGIPSv   7000   7100   8100      8200/8300
FirePOWER Stacking             NO       NO     NO     YES (2)   YES (4)
FirePOWER Clustering           NO       YES    YES    YES       YES
Clustered Stacks               NO       NO     NO     YES       YES
Automatic Application Bypass   YES      YES    YES    YES       YES
Hardware Bypass                NO       YES    YES    YES       YES

* 7115, 7125, and 7150 models only

Planning: Define your requirements (Use Case, Location, Connectivity, Performance, Availability and Scaling, Management)

Management: FireSIGHT Management Center

• Management platforms: FireSIGHT Management Center, ASDM *
• FireSIGHT Management Center can be an appliance or a VM
• FireSIGHT Management Center appliances can be deployed in HA
• Determining factors: device type, deployment size, cost, other security devices, scaling requirements, responsibilities

                                      FMC                               ASDM
Model                                 Server, web-based UI              On-box
Form factor                           VM or appliance                   Runs on ASA
# devices                             Up to 300                         1
Cost                                  $                                 No charge
Manages                               FirePOWER, FirePOWER Services     ASA, FirePOWER Services on select platforms
Contextual awareness and visibility   Detailed                          Basic, no IoC or Impact Assessment
Event collection                      Extensive                         Basic
Reporting                             Extensive                         Basic
Health monitoring                     Extensive                         Basic: CPU, memory

* ASDM currently only manages FirePOWER Services on the 5506/5508/5516

Management: FireSIGHT Management Center Appliances

                                     750           1500 *           2000               3500               4000
Maximum devices managed *            10            35               70                 150                300
Event storage                        100 GB        125 GB           1.8 TB             400 GB             4.8/6.3 TB
Maximum network map (hosts/users)    2000/2000     50,000/50,000    150,000/150,000    300,000/300,000    600,000/600,000
Events per second (EPS)              2000          6000             12,000             10,000             20,000

Virtual FireSIGHT Management Center: up to 25 managed devices (ASA or FirePOWER appliances)

Virtual FireSIGHT Management Center for 2 or 10 ASA devices only, not upgradeable: FS-VMW-2-SW-K9, FS-VMW-10-SW-K9

* The maximum number of devices depends on sensor type and event rate

IPS Deployment Process

Policy → Planning & Hardware Selection → Implementation & Operation → Evaluation

Implementation: Installation, Basic Configuration and Insertion into the Network

1. Installation of FireSIGHT Management Center
2. Installing the FirePOWER appliance or FirePOWER Services for ASA
3. Adding the FirePOWER appliance/module into FireSIGHT Management Center
4. Apply basic configuration
5. Insertion into the network
6. Tuning
7. Optional: move from audit mode to inline mode
8. Operation

Implementation: Installation of FirePOWER Services for ASA

1. Verify prerequisites
2. Download the FirePOWER boot image file and system software package file
3. Install the boot image
4. Install the system software package file
5. Initial configuration for the system software package file
6. Verify the installation
7. Choose the device manager, import devices and licenses
8. Configure ASA and FirePOWER traffic redirection: configure the ASA and configure FirePOWER

Implementation: Adding a FirePOWER device into FireSIGHT Management Center

1. On the FirePOWER device, identify the FireSIGHT Management Center that will manage the device. This can be done via the CLI, the LCD panel * or the GUI *; in each case you supply the FMC IP address and a registration key.

> configure manager add 10.89.145.102 cisco123
Manager successfully configured.

2. On the FireSIGHT Management Center, navigate to Device Management to add the new device: enter the device IP address and the same registration key, select the licenses applied to the FireSIGHT MC, and choose the default Access Control Policy.

* The LCD panel and GUI options only apply to physical FirePOWER appliances

Implementation: Basic Configuration

Access Control Policy

IPS policy

Default Action


Implementation: Policies

• System Policy: manages system-level settings such as audit logs, mail relay, etc.

• Health Policy: a collection of health module settings to check the health of devices

• Network Discovery Policy: defines how the system collects data of network assets

• File Policy: used to perform AMP and file filtering

• Intrusion Policy: defines IPS rules to be enabled for inspection

• SSL Policy: defines what traffic to decrypt and how to decrypt it

• Access Control Policy: permits/denies traffic through the device, defines which Intrusion/File policies are applied to traffic flows

Implementation: What are the different Base IPS Policies?

Connectivity over Security: ~ 800 Rules

• CVSS Score of 10

• Age of Vulnerability: year before last and newer

Balanced: ~ 6300 Rules

• CVSS Score of 9 or greater

• Age of Vulnerability: year before last and newer

• Or: Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit

Security over Connectivity: ~ 9000 Rules

• CVSS Score of 8 or greater

• Age of Vulnerability: 2 years before last and newer

• Or: Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit, App-detect
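The three base policies are nested: each one lowers the CVSS threshold, widens the age window, or adds always-on categories. The selection criteria above, applied to a constructed set of rule metadata, as an added example (not Cisco's rule-selection code; the SIDs, categories and years are made up, and the "year before last" arithmetic is this example's reading of the slide):

```python
"""Rule-selection logic behind the three Cisco-provided base IPS policies.

Added example, not Cisco's code: it encodes the criteria the slide lists
(CVSS score, vulnerability age, rule category) and applies them to a
constructed set of rule metadata.  SIDs and categories are made up.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RuleMeta:
    sid: int                   # Snort rule ID (constructed)
    category: str              # rule category, e.g. "malware-cnc"
    cvss: Optional[float]      # CVSS score of the covered vulnerability, None if no CVE
    vuln_year: Optional[int]   # year of the covered vulnerability, None if no CVE


# Categories enabled regardless of CVSS/age (as listed on the slide).
BALANCED_CATEGORIES = frozenset({"malware-cnc", "blacklist", "sql-injection", "exploit-kit"})
SECURITY_CATEGORIES = BALANCED_CATEGORIES | {"app-detect"}

# policy -> (minimum CVSS, how many years back the age window reaches, always-on categories)
# "year before last and newer" is read as current_year - 2 and newer;
# "2 years before last and newer" as current_year - 3 and newer.
BASE_POLICIES = {
    "connectivity": (10.0, 2, frozenset()),
    "balanced":     (9.0, 2, BALANCED_CATEGORIES),
    "security":     (8.0, 3, SECURITY_CATEGORIES),
}


def rule_enabled(rule: RuleMeta, policy: str, current_year: int) -> bool:
    """True if the base policy would enable this rule."""
    min_cvss, years_back, categories = BASE_POLICIES[policy]
    if rule.category in categories:          # category match wins outright
        return True
    if rule.cvss is None or rule.vuln_year is None:
        return False                         # no CVE data: nothing to score against
    return rule.cvss >= min_cvss and rule.vuln_year >= current_year - years_back


def select_rules(rules: List[RuleMeta], policy: str, current_year: int) -> List[int]:
    """Sorted SIDs the policy enables out of the given rule set."""
    return sorted(r.sid for r in rules if rule_enabled(r, policy, current_year))


# Constructed rule metadata covering each branch of the criteria.
SAMPLE_RULES = [
    RuleMeta(1000001, "server-other", 10.0, 2014),   # critical and recent: every policy
    RuleMeta(1000002, "server-webapp", 9.3, 2013),   # balanced and security
    RuleMeta(1000003, "os-windows", 8.1, 2012),      # security only (three years back)
    RuleMeta(1000004, "malware-cnc", None, None),    # category match: balanced, security
    RuleMeta(1000005, "app-detect", None, None),     # category match: security only
    RuleMeta(1000006, "browser-ie", 7.5, 2014),      # below every CVSS threshold
    RuleMeta(1000007, "server-other", 10.0, 2010),   # too old for every policy
]

if __name__ == "__main__":
    for name in BASE_POLICIES:
        print(f"{name:13s} enables {select_rules(SAMPLE_RULES, name, 2015)}")
```

Running it with the session year (2015) shows the nesting directly: the connectivity set is a subset of balanced, which is a subset of security. The same function also shows why a policy drifts over time: as the year advances, rules on older vulnerabilities fall out of the age window unless a category keeps them on.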

Implementation: Audit Mode

• Inline deployment without actually affecting traffic

• Disable “Drop when inline” when creating IPS Policy

• In passive deployments, the system cannot affect traffic regardless of the drop behavior

• Events will show “Would have dropped” when the sensor is deployed passively or when “drop when inline” is disabled

Audit Mode
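Audit mode is only useful if someone reads the "Would have dropped" events before "drop when inline" is turned on. A small evaluation over an exported event list, as an added example (not FireSIGHT code or output; the CSV lines, field names, SIDs and addresses are constructed, and the "internal source" heuristic for picking rules to review first is this example's own choice):

```python
"""Evaluating audit-mode intrusion events before enabling "drop when inline".

Added example, not Cisco's code.  The CSV below is constructed to resemble
the fields of interest (inline result, SID, message, source, destination);
it is not real FireSIGHT output.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed export.  In audit mode the inline result reads "Would have dropped";
# an empty result is an alert-only rule; "Dropped" should not occur at all.
SAMPLE_EVENTS = """\
time,inline_result,sid,message,src_ip,dst_ip
2015-06-08 10:01:05,Would have dropped,1000001,SERVER-OTHER constructed exploit attempt,203.0.113.7,192.0.2.10
2015-06-08 10:01:09,Would have dropped,1000001,SERVER-OTHER constructed exploit attempt,203.0.113.7,192.0.2.11
2015-06-08 10:02:31,Would have dropped,1000004,MALWARE-CNC constructed beacon,192.0.2.44,198.51.100.9
2015-06-08 10:03:12,,1000006,BROWSER-IE constructed alert-only rule,192.0.2.12,198.51.100.20
2015-06-08 10:04:40,Would have dropped,1000002,SERVER-WEBAPP constructed scanner noise,192.0.2.30,192.0.2.10
2015-06-08 10:04:41,Would have dropped,1000002,SERVER-WEBAPP constructed scanner noise,192.0.2.30,192.0.2.10
2015-06-08 10:04:42,Would have dropped,1000002,SERVER-WEBAPP constructed scanner noise,192.0.2.30,192.0.2.10
2015-06-08 10:05:00,Dropped,1000009,SERVER-OTHER constructed rule,203.0.113.8,192.0.2.10
"""

WOULD_DROP = "Would have dropped"


def parse_events(text):
    """Rows as dicts keyed by the CSV header."""
    return list(csv.DictReader(StringIO(text)))


def audit_summary(events):
    """Per SID: how many flows would have been dropped and from how many sources."""
    counts = Counter()
    sources = defaultdict(set)
    for ev in events:
        if ev["inline_result"] == WOULD_DROP:
            counts[ev["sid"]] += 1
            sources[ev["sid"]].add(ev["src_ip"])
    return {sid: {"count": n, "sources": len(sources[sid])} for sid, n in counts.items()}


def actually_dropped(events):
    """SIDs that really dropped traffic.  In a pure audit deployment this list is
    empty; anything here means a rule or policy layer still has drop enabled."""
    return [ev["sid"] for ev in events if ev["inline_result"] == "Dropped"]


def review_candidates(events, internal_prefix="192.0.2.", min_flows=3):
    """Rules that would drop several flows from internal sources.  These are the
    likeliest false positives (scanners, monitoring, legitimate apps) and should
    be reviewed before the policy is switched to drop.  Heuristic is this example's."""
    internal = Counter(
        ev["sid"] for ev in events
        if ev["inline_result"] == WOULD_DROP and ev["src_ip"].startswith(internal_prefix)
    )
    return sorted(sid for sid, n in internal.items() if n >= min_flows)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("would have dropped:", audit_summary(evs))
    print("already dropping (should be empty in audit):", actually_dropped(evs))
    print("review before going inline:", review_candidates(evs))
```

On the constructed data, SID 1000002 fires three times from one internal host against one server, which is the pattern a tuner investigates first; SID 1000009 shows up as "Dropped", which tells you the audit setting is not applied everywhere.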

Operation: Features for more effective operation

• Host, User Discovery and Application Identification

• Host Profiles

• Impact Levels

• FireSIGHT Recommendations

• Indications of Compromise

Operation: Network Discovery

Host discovery

• Identifies OS, protocols and services running on each host

• Reports on potential vulnerabilities present on each host based on the information it has gathered

Application identification

• FireSIGHT can identify over 1900 unique applications using OpenAppID

• Includes applications that run over web services such as Facebook or LinkedIn

• Applications can be used as criteria for access control

User discovery

• Monitors for user IDs transmitted as services are used

• Integrates with MS AD servers to authoritatively ID users

• Authoritative users can be used as access control criteria

Host Profile: What have we learned?

• All information we know about each host we monitor

• Current and historic users

• Indications of Compromise

• OS, Servers, Applications

• Malware Detections

• Vulnerabilities

Network Discovery: How is the Information used?

FireSIGHT Recommendations

• Uses information we learned about each host

• Automatic selection of rules that apply to your environment

Impact Assessment

• Correlation of IPS Events with Impact on the Target host

Indications of Compromise

• Tags that indicate a likely host infection has occurred

• FireSIGHT tracks and correlates IoCs across all sensor points with Security Intelligence and Malware Active.

Impact Assessment: How Relevant is the Attack?

Impact flag | Administrator action                   | Why
1           | Act Immediately, Vulnerable            | Event corresponds to vulnerability mapped to host
2           | Investigate, Potentially Vulnerable    | Relevant port open or protocol in use, but no vuln mapped
3           | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
4           | Good to Know, Unknown Target           | Monitored network, but unknown host
0           | Good to Know, Unknown Network          | Unmonitored network
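The impact flag is a decision table over what discovery already knows about the target. The five rows above, turned into a triage function over a constructed host-profile store, as an added example (not Cisco's implementation; the hosts, vulnerability IDs, networks and events are made up, and "protocol in use" is modelled simply as an observed (protocol, port) pair):

```python
"""Impact flag computation following the decision table on the slide.

Added example, not Cisco's code.  Host profiles, vulnerability IDs, the
monitored network and the events are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class HostProfile:
    ip: str
    os: str
    open_ports: Set[Tuple[str, int]]              # (protocol, port) seen by discovery
    vulns: Set[str] = field(default_factory=set)  # vulnerability IDs mapped to the host


@dataclass
class IntrusionEvent:
    dst_ip: str
    protocol: str
    dst_port: int
    vuln_ids: Set[str]    # vulnerabilities the triggering rule covers


# Networks the discovery policy monitors (constructed).
MONITORED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def impact_flag(event: IntrusionEvent, hosts: Dict[str, HostProfile],
                monitored=MONITORED_NETWORKS) -> Tuple[int, str]:
    """(flag, administrator action) exactly as the slide's table orders the checks."""
    dst = ipaddress.ip_address(event.dst_ip)
    if not any(dst in net for net in monitored):
        return 0, "Good to Know, Unknown Network"        # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4, "Good to Know, Unknown Target"         # monitored, but host unknown
    if event.vuln_ids & host.vulns:
        return 1, "Act Immediately, Vulnerable"          # vuln mapped to this host
    if (event.protocol, event.dst_port) in host.open_ports:
        return 2, "Investigate, Potentially Vulnerable"  # port open, no vuln mapped
    return 3, "Good to Know, Currently Not Vulnerable"   # port closed / protocol unused


# Analyst ordering: vulnerable first, unknown network last.
PRIORITY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def triage(events: List[IntrusionEvent], hosts: Dict[str, HostProfile]) -> List[Tuple[int, str]]:
    """Events as (flag, target) sorted by how urgently the flag says to act."""
    rows = [(impact_flag(ev, hosts)[0], ev.dst_ip) for ev in events]
    return sorted(rows, key=lambda r: PRIORITY[r[0]])


# Constructed host profiles learned by network discovery.
HOSTS = {
    "192.0.2.10": HostProfile("192.0.2.10", "Linux", {("tcp", 80), ("tcp", 443)}, {"VULN-A"}),
    "192.0.2.20": HostProfile("192.0.2.20", "Windows", {("tcp", 22)}),
}

# Constructed events, deliberately out of priority order.
EVENTS = [
    IntrusionEvent("192.0.2.99", "tcp", 80, {"VULN-A"}),     # monitored net, unknown host
    IntrusionEvent("192.0.2.10", "tcp", 80, {"VULN-A"}),     # vuln mapped to host
    IntrusionEvent("198.51.100.5", "tcp", 80, {"VULN-A"}),   # unmonitored network
    IntrusionEvent("192.0.2.20", "tcp", 80, {"VULN-B"}),     # port not open on host
    IntrusionEvent("192.0.2.10", "tcp", 80, {"VULN-B"}),     # port open, no vuln mapped
]

if __name__ == "__main__":
    for flag, target in triage(EVENTS, HOSTS):
        print(flag, target)
```

The order of the checks matters: network membership is decided before host lookup, and a mapped vulnerability is decided before the open-port check, so a host with the vulnerability but a closed port still gets flag 1, which is what the table specifies.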

FireSIGHT Recommendations: Automatic tuning based on your environment

• IPS Rule Recommendations based on what is learned from Network Discovery

• Associates the OS, server, applications detected with rules specific to those assets

• Identifies the current state of rules in your base policy and recommends and/or sets rule state changes

• Combining a Cisco provided default Policy with FireSIGHT recommendations results in an IPS policy matching the TALOS recommended settings for your assets.

Recommendations

Indications of Compromise (IoCs)

• IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks

• SI Events: Connections to Known CnC IPs

• Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections

IPS Deployment Process

Policy Planning & Hardware Selection -> Implementation & Operation -> Evaluation

Evaluation: Is the IPS Deployment Effective?

• Initially:

• (Fine)tuning

• Continuously:

• Signature Updates

• FireSIGHT Recommendations

• Periodically:

• Vulnerability scan

• Penetration testing


Migrating to Firepower NGIPS


Migrating to FirePOWER NGIPS: Things to Consider when migrating

• Additional hardware needs

• New software, licensing and Management needs

• Can the current hardware deliver the required performance?

• What additional features will we be using?

• Not a 1:1 Migration

• Migration Strategy to use

• How to install a new FirePOWER module on an existing ASA

• How will you migrate your policies and rules?

Migrating to FirePOWER Services for ASA: Migrating the ASA5500-X

• Any existing CX or Legacy IPS SW-Module needs to be uninstalled first

• FireSIGHT Management is required

• Installation of FirePOWER services on an ASA5500-X platform requires an SSD drive

• ASA5500-X-SSD120= SKU

ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V01 , SN: FGL1620413M
Name: "Storage Device 1", DESCR: "Unigen 128 GB SSD MLC, Model Number: UGB88RRA128HM3-EMY-DID"
PID: N/A , VID: N/A , SN: 11000046630

Migrating to FirePOWER Services for ASA: Migrating the ASA5585-X

• Existing 5585-X Legacy IPS or CX modules cannot be converted to FirePOWER services

• ASA needs to be shut down when replacing the module

• FireSIGHT Management is required

• SFR SSP Modules are pre-installed with FirePOWER Services

• ASA5585-X SSP10 SFR10 (ASA5585-S10F10-K9)

• ASA5585-X SSP20 SFR20 (ASA5585-S20F20-K9)

• ASA5585-X SSP40 SFR40 (ASA5585-S40F40-K9)

• ASA5585-X SSP60 SFR60 (ASA5585-S60F60-K9)

• Mixed Bundles are available

• ASA5585-X SSP10 SFR40 (ASA5585-S10F40-K9)

• ASA5585-SSP20 SFR60 (ASA5585-S20F60-K9)

Migrating to FirePOWER Services for ASA: Not the same Feature Set

Pre Migration: ASA with Legacy IPS module, managed via CLI/ASDM and CSM; ASA with CX module, managed via CLI/ASDM, PRSM and CSM

Post Migration: ASA with FirePOWER Services (AVC, IPS, AMP, URL), managed via CLI/ASDM and FireSIGHT

Migrating to FirePOWER Services for ASA: Sizing Guidance when Migrating

When replacing an existing service module like Cisco CX or the classic IPS module:

• Understand the traffic load the device is seeing

• Understand the inspection load the current device is under

• Compare the current inspection load, if possible, to the expected load on the new module, reducing available throughput based on the features required

• If you run more features, the performance will be impacted (more work is harder than less work!).

Migrating to FirePOWER Services for ASA: Sizing Guidance when Migrating from ASA-CX

Comparing FirePOWER Services to CX on ASA 5525-X using EMIX (ASA multiprotocol test)

• AVC URL: matched applications and HTTP URLs on both platforms

• ASA-CX IPS: Around 1000 threats

• FirePOWER Services IPS: Balanced policy with ~6000 sigs

                             AVC URL   AVC URL IPS
FirePOWER Services on 5525   750       400
CX on 5525                   675       260

Migrating to FirePOWER Services for ASA: Sizing Guidance when Migrating from Legacy Cisco IPS

IPS-only test comparing throughput of FirePOWER Services for ASA to the Legacy IPS module.

Tested using the same 440 byte HTTP Transactional test that was the benchmark for legacy IPS.

                            5506  5508  5512  5515  5516  5525  5545  5555  5585-10  5585-20  5585-40  5585-60
FirePOWER Services on ASA   90    180   100   150   300   375   575   725   1200     2000     3500     6000
Classic IPS on ASA          NA    NA    150   250   NA    400   600   850   1150     1500     3000     5000

Migrating to FirePOWER Services for ASA: Sizing Guidance when Migrating from Legacy Cisco IPS

When upgrading from classic IPS to FirePOWER services, adding new features can require a platform change. Generally each new major feature is a step up, assuming the box is near capacity.

Model                        5506-X  5508-X  5512-X  5515-X  5516-X  5525-X  5545-X  5555-X  5585-10  5585-20  5585-40  5585-60
Classic IPS Module           NA      NA      150     250     NA      400     600     850     1150     1500     3000     5000
FirePOWER AVC or IPS         90      180     100     150     300     375     575     725     1200     2000     3500     6000
FirePOWER IPS + AVC          65      115     75      100     200     255     360     450     800      1200     2100     3500
FirePOWER IPS + AVC + AMP    40      85      60      85      150     205     310     340     550      850      1500     2300
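The "each feature is a step up" rule can be made concrete by walking the table: take the load the current classic IPS module is rated for, then find the smallest FirePOWER platform that still carries that load with each feature set enabled. The following is an added example (not a Cisco sizing tool); the figures are copied from the slide as printed, the slide does not state their unit, and the selection rule (least headroom that still meets the load) is this example's own:

```python
"""Platform sizing from the throughput table on the slide.

Added example, not Cisco's code.  Figures are those printed on the slide
(unit not stated there; NA means the combination is not offered).  The
selection rule is this example's: choose the platform with the smallest
rating that still meets the required load.
"""
from typing import Dict, List, Optional

MODELS = ["5506-X", "5508-X", "5512-X", "5515-X", "5516-X", "5525-X",
          "5545-X", "5555-X", "5585-10", "5585-20", "5585-40", "5585-60"]

NA = None
THROUGHPUT: Dict[str, List[Optional[int]]] = {
    "classic-ips":  [NA, NA, 150, 250, NA, 400, 600, 850, 1150, 1500, 3000, 5000],
    "ips":          [90, 180, 100, 150, 300, 375, 575, 725, 1200, 2000, 3500, 6000],
    "ips+avc":      [65, 115, 75, 100, 200, 255, 360, 450, 800, 1200, 2100, 3500],
    "ips+avc+amp":  [40, 85, 60, 85, 150, 205, 310, 340, 550, 850, 1500, 2300],
}


def rated(model: str, features: str) -> Optional[int]:
    """Table lookup; None where the slide prints NA."""
    return THROUGHPUT[features][MODELS.index(model)]


def smallest_platform(features: str, required: float) -> Optional[str]:
    """Platform with the least rated throughput that still meets `required`.
    The table is not monotonic in model order (5508-X out-rates 5512-X), so the
    choice is by rating rather than by position in the list."""
    candidates = [(v, m) for m, v in zip(MODELS, THROUGHPUT[features])
                  if v is not None and v >= required]
    return min(candidates)[1] if candidates else None


def migration_plan(current_model: str, new_feature_sets: List[str],
                   utilisation: float = 1.0) -> Dict[str, Optional[str]]:
    """For a classic IPS module running at `utilisation` of its rating, the
    platform needed to carry the same load under each FirePOWER feature set.
    None means no listed platform is large enough."""
    current = rated(current_model, "classic-ips")
    if current is None:
        raise ValueError(f"{current_model} has no classic IPS module rating")
    load = current * utilisation
    return {fs: smallest_platform(fs, load) for fs in new_feature_sets}


if __name__ == "__main__":
    # A 5525-X classic IPS module near capacity: each added feature is one step up.
    plan = migration_plan("5525-X", ["ips", "ips+avc", "ips+avc+amp"])
    for fs, model in plan.items():
        print(f"{fs:12s} -> {model}")
```

For a 5525-X classic IPS module running near its rating, the walk gives 5545-X for IPS alone, 5555-X once AVC is added and 5585-10 with AMP as well, which is the step-up pattern the slide describes. Halving the assumed utilisation drops the AMP case back to a 5525-X, which is why the previous slide insists on measuring the actual inspection load rather than sizing from the nameplate.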

Migrating to FirePOWER NGIPS Appliances: Migration Strategies based on Risk Assessment

1. Cut over to FirePOWER in Inline IPS Mode

• Replace legacy IPS with FirePOWER in IPS mode. Monitor closely, and adjust the policy. Most risky option for legitimate traffic.

2. Cut over to FirePOWER in Inline Audit Mode

• Replace legacy IPS with FirePOWER in Audit mode. Monitor traffic and alerts, and then put the sensor in IPS mode. Most risky option vs malicious traffic and for compliance.

3. Run Both Legacy IPS and FirePOWER IPS in Audit Mode Temporarily

• Connect FirePOWER IPS in Audit mode to the untrusted side of the existing Legacy IPS. Monitor traffic and tune where needed, then complete the migration by removing the Legacy IPS and turning off Audit mode. FirePOWER may miss what is blocked by the legacy IPS.

4. Run Both Legacy IPS and FirePOWER IDS Temporarily

• Install FirePOWER in IDS mode, connected to a SPAN port or other method of capturing network traffic. Monitor the sensor and adjust the policy accordingly. When the sensor is tuned, complete the migration with either option 1 or 2, above.

Migrating to FirePOWER NGIPS Appliances: Both Legacy IPS and FirePOWER IPS in Audit mode Temporarily

(Diagram: FirePOWER in Audit Mode placed on the untrusted side of the Legacy IPS)

Migrating to FirePOWER NGIPS Appliances: Both Legacy IPS and FirePOWER IDS Temporarily

(Diagram: FirePOWER in IDS mode fed from a SPAN port alongside the Legacy IPS)

Migrating to FirePOWER NGIPS Appliances: Migration Tool, Guide and Training

• Cisco Legacy IPS to FirePOWER NGIPS Migration Guidance Tool

• Consumes a Cisco IPS configuration file and generates a recommendations document

• Standalone IPS appliances as well as ASA IPS Modules

• Areas of focus: Network Insertion, Policies and Signatures/rules

• Matches Snort rules to Cisco IPS signatures

• https://fwm.cisco.com

• Cisco Legacy IPS to FirePOWER NGIPS Migration Guide

• Focused on standalone Appliances

• Explains FirePOWER in Cisco terminology

• BRKSEC-2018 - Tips and Tricks for Successful Migration to FirePOWER Solutions

Conclusion

Deploying IPS: Conclusion

• NGIPS extends classic IPS with Application awareness, Contextual awareness and Content awareness to provide automation and reduce complexity

• Cisco NGIPS is available as FirePOWER appliances, Virtual form factor and FirePOWER Services for the ASA

• Multiple Deployment Options to address a multitude of

• Use Cases / Locations

• Connection Needs

• Performance Requirements

• High Availability and Scaling

• Management Requirements

• Migrating to FirePOWER Appliances involves determining additional hardware, software, licensing and management needs

Promote Your Favorite Speaker and You Could be a Winner

Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

• Your favorite speaker’s Twitter handle <@Stijn_Cisco>

• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings


Thank you
