Building Up Network Security: Intrusion Prevention and Sourcefire
© Global Knowledge Training LLC. All rights reserved. 9/1/2015
Page 2
Presenter
Catherine Paquet, MBA (MIS)
CCSI, CICSI, CCNP Sec, CCNP R&S
Cisco Security Instructor
Page 3
Catherine Paquet
Cisco security instructor
Cisco Press author
Cisco Systems emerging countries guest speaker
Graduate of Royal Military College and York University
Previously: DND WAN Manager
Lives in Toronto
Page 4
Topics
1. Evolution of IDS / IPS
2. Sourcefire overview
3. FSMC
4. ASA FirePOWER
5. NGFW / URL Filtering
6. NGIPS
7. AMP
8. IoC and File Trajectory
Page 6
Glossary (available from GoToWebinar handout section)
AD: Active Directory
AEGIS: Awareness, Education, Guidance, and Intelligence Sharing
AMP: Advanced Malware Protection
ASA: Adaptive Security Appliance (firewall)
CnC: Command and Control
CWA: Centralized Web Authentication
CWS: Cloud Web Security
DMZ: Demilitarized Zone
DC: Domain Controller
ESA: Email Security Appliance
FSMC: FireSIGHT Management Center (formerly SFDC)
IDS: Intrusion Detection System
IoC: Indication of Compromise
IP: Internet Protocol
IPS: Intrusion Prevention System
ISE: Identity Services Engine
LAN: Local Area Network
MAC: Media Access Control
Malvertising: Malware hidden in advertisement
MPF: Modular Policy Framework
NIC: Network Interface Card
NGFW: Next Generation Firewall
NGIPS: Next Generation IPS
RNA: Real-time Network Awareness (Context)
SaaS: Security as a Service
SF: Sourcefire
SFDC: Sourcefire Defense Center (now FSMC)
SHA: Secure Hash Algorithm
SIEM: Security Information and Event Management
SIO: Security Intelligence Operations (Cisco)
SSL: Secure Sockets Layer
SSM: Security Services Module
TALOS: Cisco SIO + Sourcefire VRT
TCP: Transmission Control Protocol
URL: Uniform Resource Locator
VRT: Vulnerability Research Team (Sourcefire)
WSA: Web Security Appliance
Page 10
Passive IDS
Packet analysis
Signature-based
Promiscuous mode
[Topology diagram: INTERNET, Perim-Rtr, HQ-ASA (HQ Outside / HQ Inside), L3-Switch; DMZ Subnet 172.16.1.0/24 with DMZ-Srv (.15); End User Subnet; Management Subnet 10.10.2.0/24 with Sensor 10.10.2.200, SIEM 10.10.2.100 and Administrator 10.10.2.50]
Page 11
Active IDS
June 2003 Gartner announces: Death of IDS; recommends that the firewall blocks attacks
[Topology diagram: INTERNET, Perim-Rtr, HQ-ASA (HQ Outside / HQ Inside), L3-Switch; DMZ Subnet 172.16.1.0/24 with DMZ-Srv (.15); End User Subnet; Management Subnet 10.10.2.0/24 with Sensor 10.10.2.200, SIEM 10.10.2.100 and Administrator 10.10.2.50]
Page 12
IPS: inline to data flow
Powerful enough to work at wire speed
[Topology diagram: INTERNET, Perim-Rtr, HQ-ASA (HQ Outside / HQ Inside), L3-Switch; DMZ Subnet 172.16.1.0/24 with DMZ-Srv (.15); End User Subnet; Management Subnet 10.10.2.0/24 with Sensor 10.10.2.200, SIEM 10.10.2.100 and Administrator 10.10.2.50]
Page 13
IPS integrated
ASA IPS SSM - traditional IPS
ASA Sourcefire SSM
[Topology diagram: INTERNET, Perim-Rtr, HQ-ASA (HQ Outside / HQ Inside), L3-Switch; DMZ Subnet 172.16.1.0/24 with DMZ-Srv (.15); End User Subnet; Management Subnet 10.10.2.0/24 with Sensor 10.10.2.200, SIEM 10.10.2.100 and Administrator 10.10.2.50]
Page 14
IPS Deployment
Promiscuous vs Inline mode
Fail open vs. Fail close
Network-based
Host-based
Anomaly Detection
Finally: Context
[Topology diagram: INTERNET, Perim-Rtr, HQ-ASA (HQ Outside / HQ Inside), L3-Switch; DMZ Subnet with DMZ-Srv; End User Subnet; Management Subnet with Sensor, SIEM and Administrator; Endpoint Mngt Center; Endpoint Protection]
Page 15
Context: Passive Network Detection and Context
RNA provides visibility:
IP address
OS
Services
Ports
Page 18
Cisco acquires Sourcefire
Source: Gartner
Founded in 2001
2013: Acquired by Cisco for US$2.7B
2014: Technology integration within Cisco
Hardware and Software
ClamAV, Snort
File reputation and dynamic analysis
Analysis of behaviours & containment
Retrospective protection
Visibility through dashboards
2015: EoL non-SF IPS appliances
Page 19
Sourcefire name changes (available from GoToWebinar handout section)
Former Sourcefire Product Name | Current Cisco Product Name
Sourcefire Defense Center | Cisco FireSIGHT Management Center
FirePOWER Series Appliances | Cisco FirePOWER Series Appliances
AMP for FirePOWER | Cisco AMP for Networks
FireAMP for Endpoints | Cisco AMP for Endpoints
FireAMP Private Cloud Virtual Appliance | Cisco AMP Private Cloud Virtual Appliances
Sourcefire SSL Appliances | Cisco SSL Appliance
Collective Security Intelligence Cloud | Cisco Cloud, Cloud Services
Page 20
The Sourcefire Advantage: NGFW - NGIPS - AMP
Real before, during, after
(+ URL filtering)
Page 21
NGFW
Source: Cisco Live! BRKSEC-2762 San Diego 2015
Page 22
NGFW with NGIPS
Source: Cisco Live! BRKSEC-2762 San Diego 2015
Page 23
AMP
File Reputation
Dynamic Analysis
(Sandboxing)
Retrospective
Security
Page 24
Cisco's offerings
FireSIGHT platforms (NGFW, NGIPS, AMP)
AMP appliance
ASA module
AMP-only platforms:
ESA
WSA
CWS
AMP for Endpoints Desktop: AnyConnect 4.1 AMP Enabler
Cisco WSA with AMP (software)
Cisco AMP 8350
Cisco AMP for Endpoints
Page 27
FireSIGHT Management Center:
Managing FirePOWER Appliances
Page 29
FirePOWER integrated services in ASA
Security Services Module
Software
Hardware (5585-X)
[Topology diagram: INTERNET, Perim-Rtr, HQ-ASA (HQ Outside 200.200.1.0/24 / HQ Inside), L3-Switch; DMZ Subnet 172.16.1.0/24 with DMZ-Srv (.15); End User Subnet; Management Subnet 10.10.2.0/24 with Sensor 10.10.2.200, SIEM 10.10.2.100 and Administrator 10.10.2.50]
HQ-ASA# show module sfr details
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5515
Hardware version: N/A
Serial Number: FCH180278XU
Page 30
Cisco ASA and Sourcefire FirePOWER services module
Page 31
Redirecting traffic from ASA to FirePOWER SSM
Class-map: identify the traffic flow
Policy-map: action to be applied to the traffic flow
Service-policy: interface(s) responsible for enforcing the action on the traffic flow
asa(config)# access-list DMZ permit tcp any host 172.16.1.15 eq www
asa(config)# class-map TrafficDMZ                   <- identify
asa(config-cmap)# match access-list DMZ
asa(config)# policy-map SFR-DMZ                     <- action
asa(config-pmap)# class TrafficDMZ
asa(config-pmap-c)# sfr fail-close
asa(config)# service-policy SFR-DMZ interface dmz   <- enforce
Page 33
NGFW – file processing
Source: FireSIGHT User Guide 5.4.0.1
Page 34
Separate license: URL Filtering
Page 36
Sourcefire NGIPS
Source: Cisco Live! BRKSEC-1030 San Diego 2015
Page 39
AMP: File Disposition and Dynamic Analysis
Source: Cisco Live! BRKSEC-2028 Melbourne 2015
Cisco Cloud is TALOS => Cisco SIO + Sourcefire VRT
[Diagram: hash-based file disposition lookup against the Cisco Cloud; Retrospective Security]
Page 41
Correlation analysis with Context produces IoC
Source: Cisco Live! BRKSEC-1030 San Diego 2015
Page 43
Network File Trajectory
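The AMP slide (file disposition by hash, dynamic analysis for unknown files, retrospective security) and this File Trajectory slide describe one flow: a file's hash is looked up, unknown files are sandboxed, and when a verdict changes later the system re-evaluates where the file has already been. The model below is an added example written for this page; it is not Cisco or Sourcefire code and does not call their APIs. The reputation table, host addresses and file contents are constructed stand-ins, and the sandbox verdict is supplied by hand rather than produced by real dynamic analysis.

```python
"""Model of the AMP file flow shown on the slides: SHA-256 disposition lookup,
dynamic analysis for unknown files, retrospective re-evaluation and file trajectory.
Added example for this page; not Cisco or Sourcefire code. All data is constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Dispositions are keyed by the file's SHA-256 (the "hash" on the slide)."""
    return hashlib.sha256(data).hexdigest()


class FileTrajectory:
    def __init__(self, reputation):
        self.reputation = dict(reputation)  # sha256 -> "clean" | "malicious" (stand-in for the cloud)
        self.events = []                    # ordered (seq, host, filename, sha256, disposition seen)
        self.sandbox_queue = []             # hashes submitted for dynamic analysis

    def observe(self, seq, host, filename, data):
        """A file crosses a sensor: look up its hash; unknown files go to dynamic analysis."""
        digest = sha256_hex(data)
        disposition = self.reputation.get(digest, "unknown")
        if disposition == "unknown" and digest not in self.sandbox_queue:
            self.sandbox_queue.append(digest)
        self.events.append((seq, host, filename, digest, disposition))
        return disposition

    def update_verdict(self, digest, verdict):
        """Dynamic analysis or new intelligence changes a disposition. If the file is now
        malicious, return the hosts that already received it (the retrospective alert)."""
        previous = self.reputation.get(digest, "unknown")
        self.reputation[digest] = verdict
        if digest in self.sandbox_queue:
            self.sandbox_queue.remove(digest)
        if verdict == "malicious" and previous != "malicious":
            return self.hosts_with(digest)
        return []

    def hosts_with(self, digest):
        return sorted({host for _, host, _, d, _ in self.events if d == digest})

    def trajectory(self, digest):
        """Where the file went, in order, with the disposition each sensor saw at the time."""
        return [(seq, host, name, disp) for seq, host, name, d, disp in self.events if d == digest]


# Constructed sample files (byte strings standing in for real payloads).
KNOWN_GOOD = b"constructed contents of report.pdf"
SUSPECT = b"constructed contents of invoice.exe"
REPUTATION = {sha256_hex(KNOWN_GOOD): "clean"}  # constructed reputation table


def run_demo():
    """Walk the flow: clean file, unknown file seen twice, verdict flips, next copy blocked."""
    ft = FileTrajectory(REPUTATION)
    first = ft.observe(1, "10.10.3.21", "report.pdf", KNOWN_GOOD)   # clean: allowed
    second = ft.observe(2, "10.10.3.21", "invoice.exe", SUSPECT)    # unknown: allowed, sent to sandbox
    third = ft.observe(3, "10.10.3.40", "invoice.exe", SUSPECT)     # still unknown while analysis runs
    affected = ft.update_verdict(sha256_hex(SUSPECT), "malicious")  # retrospective alert
    fourth = ft.observe(4, "10.10.3.55", "invoice.exe", SUSPECT)    # now known malicious on sight
    return first, second, third, affected, fourth, ft.trajectory(sha256_hex(SUSPECT))


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The point the model makes is the one the slides make: the two hosts that received invoice.exe before the verdict came back were never blocked, so the retrospective alert (the `affected` list) and the trajectory are what an analyst uses to scope clean-up, while the fourth host benefits from the updated disposition immediately.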
Page 45
Sourcefire Summary
Source: Cisco Live! BRKSEC-1030 San Diego 2015
Page 46
Sources
FireSIGHT User Guide 5.4.0.1
Cisco Security Blog
Cisco SAFE Design Guide
Cisco Live 365 presentations (CCO login required)
BRKSEC-1030 San Diego 2015
BRKSEC-2139 San Diego 2015
BRKSEC-2762 San Diego 2015
BRKSEC-2028 Melbourne 2015
BRKSEC-2016 San Francisco 2014
Page 47
Cisco Security Courses
CCNA Security e-Camp
IINS - Implementing Cisco IOS Network Security
SAEXS - Cisco ASA Express Security
SENSS - Implementing Cisco Edge Network Security Solutions
SIMOS - Implementing Cisco Secure Mobility Solutions
SISAS - Implementing Cisco Secure Access Solutions
SITCS - Implementing Cisco Threat Control Solution
ASA Lab Camp v9.0
SASAA - Implementing Advanced Cisco ASA Security
SASAC - Implementing Core Cisco ASA Security
ACS - Cisco Secure Access Control System
SISAS - Implementing Cisco Secure Access Solutions
SISE - Implementing and Configuring Cisco Identity Services Engine
SESA - Securing Email with Cisco Email Security Appliance
SWSA - Securing the Web with Cisco Web Security Appliance
Cisco FirePOWER Services and Cloud Web Security Workshop v1.0
SSFAMP - Securing Cisco Networks with Sourcefire FireAMP Endpoints
SSFIPS - Securing Cisco Networks with Sourcefire Intrusion Prevention System
SSFRULES - Securing Cisco Networks with Snort Rule Writing Best Practices
SSFSNORT - Securing Cisco Networks with Open Source Snort
Page 48
GK Cisco Training Exclusives
6 months of:
Anytime access to Cisco Practice Labs
Anytime Access to Boson Practice Exams
On-Demand Access to Searchable Class Recordings of Your Virtual Class
Unlimited Retakes of Your Class
Free Cisco Certification Exam Voucher
Page 49
Find Out More
www.globalknowledge.ca
On-demand & live webinars, white papers, blog...
www.globalknowledge.ca/security
Courses