Do I still need a Firewall? Szilard Csordas IT Security Consultant Cisco Connect Slovenija 2019

Do I still need a Firewall - Cisco… · • Fast stateful firewall, segmentation, advanced NAT and VPN functionalities. • Deep inspection: IPS, anti-malware, DLP. • IPS rules



Do I still need a Firewall?

Szilard Csordas, IT Security Consultant

Cisco Connect Slovenija 2019


© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cat And Mouse Game

[Figure: items placed along a Time axis: Computer OS, Internet Browser, Browser Plugins, Powershell / IoT, Phishing / etc.]


Vulnerabilities – Low hanging fruit is on the decline


High Severity Vulnerabilities and Patch Management


Why Tuning Matters

[Figure: IPS Detection Capabilities Enabled]

Default Detection
• Vendor Feeds
• Vendor Signatures: Recon / Protocol Abuse / etc.; Heartbleed / General Java Vuln / Exploit Kit; Flash Vuln, etc.
• 50% - 75% Effective

Your Vulnerabilities
• Server, Host, Configuration Issues
• Requires Tuning


© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2010

We Can Always Patch... Right?


Weak Software Engineering


One device, one engineer, 14 day study – how many vulnerabilities?

• Crypto error led to…

• Full console access, which led to…

• Remote code execution, which discovered…

• Hard-coded backdoor credentials.

7 new vulnerabilities identified (plus susceptible to 4 known vulns)

Source: https://blog.talosintelligence.com/2017/04/moxa-box.html

40758, 40820-40822, 40880, 40916, 41085, 41097, 41102-41105, 41220-41223, 41352


Top Snort rules in 2018 (https://blog.talosintelligence.com/2019/02/2018-in-snort-signatures.html)

• No. 1: 1:46237:1 "PUA-OTHER Cryptocurrency Miner outbound connection attempt" & 1:45549:4 "PUA-OTHER XMRig cryptocurrency mining pool connection attempt"

• No. 2: 1:35030:1 & 1:23493:6 "Win.Trojan.Zeus variant outbound connection"

• No. 3: 1:39867:4 "Suspicious .tk dns query"

• No. 4: 1:41978:5 "Microsoft Windows SMB remote code execution attempt"

• No. 5: 1:43687:2 "suspicious .top dns query"


New players

• Evolution of Endpoint Protection

• Improvement in Network telemetry (behavior based detection)

• Leverage Cloud intelligence and machine learning

• Fabric integrated security services (ACI, SDA, NSX, AWS SG…)

• Statistical model


Why do we still need firewalls?

• Fast stateful firewall, segmentation, advanced NAT and VPN functionalities.
• Deep inspection: IPS, anti-malware, DLP.
• IPS rules are still the fastest mitigation
• Patching, EDR deployment etc., it takes time.
• We still need them, but it has to evolve:
  • Integration capabilities (vuln, authentication systems, SIEM)
  • Correlate data;
  • Leverage cloud intelligence;
  • Local analytics
  • Enhanced NetFlow (Cisco Encrypted Traffic Analytics);


Firepower Intrusion Prevention System (IPS)

• Based on Snort 2.9 IPS (3.0 is coming with big improvements)
• Rules are written by Cisco Talos (community and own rules are supported as well)
• IPS events have ‘impact score’ – calculated automatically
• “Out of the box” IPS rules:
  • Connectivity over Security: CVSS 10 this year and 2 previous years;
  • Balanced: CVSS 9+ this and 2 previous years (+ more categories: e.g. CnC);
  • Security over Connectivity: CVSS 8+ this and 3 previous years + additional categories;
  • Maximum Detection: CVSS 7.5+, almost everything from 2005
• Automatic rule tuning – Firepower Recommendation


Impact Assessment

• Prevents information overload

How Relevant is the Attack?

| Impact flag | Intrusion event | Administrator action | Why |
|---|---|---|---|
| 1 | Event that is launched from a compromised host | Act Immediately, Host vulnerable or Compromised | Event corresponds to vulnerability mapped to host |
| 2 | IP address of a host is within the defined IP range of your network, and connection was made to a working service | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vulnerability mapped |
| 3 | IP address of a host is within the defined IP range of your network, but no connection was made | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use |
| 4 | IP address of a host is within the defined IP range of your network, but no current host profile for the device | Good to Know, Unknown Target | Monitored network, but unknown host |
| 0 | Neither the Source nor Destination IP address is within the range of your IP addresses | General info†† | Event occurred outside profiled networks |

†† If you have a fully profiled network this may be a critical event!
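The impact-flag rules of the table above, written out as an added example (not Firepower's code): the monitored ranges, the host-profile store and the intrusion events are all constructed, and the flag is derived purely from whether the target is profiled, whether the hit port is in use and whether a matching vulnerability is mapped.

```python
"""Impact-flag assignment modelled on the Impact Assessment table.

Added example, not Firepower's code. The monitored ranges, host profiles and
intrusion events are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed "profiled" networks: hosts in these ranges should have a host profile.
MONITORED_NETWORKS = [ip_network("192.168.2.0/24"), ip_network("10.10.0.0/16")]

# Administrator action per impact flag, as the table states it.
ACTION = {
    1: "Act Immediately, Host vulnerable or Compromised",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "General info",
}


@dataclass
class HostProfile:
    """What the sensor has learned about one monitored host (constructed)."""
    open_services: set[tuple[str, int]]   # (protocol, port) pairs seen in use
    vulnerabilities: set[str]             # vulnerability ids mapped to this host
    compromised: bool = False             # host already flagged as compromised


# Constructed host-profile store, keyed by IP address.
HOST_DB: dict[str, HostProfile] = {
    "192.168.2.101": HostProfile({("tcp", 445), ("tcp", 3389)}, {"VULN-A"}),
    "192.168.2.50": HostProfile({("tcp", 80)}, set()),
    "10.10.1.7": HostProfile(set(), set(), compromised=True),
}


@dataclass
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    vuln_refs: set[str] = field(default_factory=set)  # vulnerabilities the rule targets


def is_monitored(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in MONITORED_NETWORKS)


def impact_flag(ev: IntrusionEvent) -> int:
    """Return the impact flag (0-4) for one event using the table's rules."""
    src_monitored, dst_monitored = is_monitored(ev.src_ip), is_monitored(ev.dst_ip)
    # Flag 0: neither address is inside a profiled network.
    if not (src_monitored or dst_monitored):
        return 0
    # Flag 1: the event was launched from a host already known to be compromised.
    src = HOST_DB.get(ev.src_ip) if src_monitored else None
    if src is not None and src.compromised:
        return 1
    # Otherwise judge the monitored target: the destination when it is inside,
    # else the internal source of an outbound event.
    target_ip = ev.dst_ip if dst_monitored else ev.src_ip
    host = HOST_DB.get(target_ip)
    if host is None:
        return 4  # monitored network, but no host profile for this address
    if ev.vuln_refs & host.vulnerabilities:
        return 1  # event corresponds to a vulnerability mapped to the host
    if dst_monitored and (ev.proto, ev.dst_port) in host.open_services:
        return 2  # port open / protocol in use, but no vulnerability mapped
    return 3      # relevant port not open or protocol not in use


def triage(events: list[IntrusionEvent]) -> list[tuple[int, str]]:
    """Flag every event and pair it with the administrator action."""
    out = []
    for ev in events:
        flag = impact_flag(ev)
        out.append((flag, ACTION[flag]))
    return out


if __name__ == "__main__":
    sample = [  # constructed events; 203.0.113.0/24 is a documentation range
        IntrusionEvent("203.0.113.9", "192.168.2.101", "tcp", 445, {"VULN-A"}),
        IntrusionEvent("203.0.113.9", "192.168.2.101", "tcp", 3389, {"VULN-Z"}),
        IntrusionEvent("203.0.113.9", "192.168.2.200", "tcp", 22),
        IntrusionEvent("10.10.1.7", "203.0.113.9", "tcp", 443),
    ]
    for ev, (flag, action) in zip(sample, triage(sample)):
        print(f"{ev.src_ip} -> {ev.dst_ip}:{ev.dst_port}  impact {flag}: {action}")
```

The ordering matters: a known-compromised source wins before the target is examined, and the port check only applies when the monitored host is the destination, which is why the outbound event from a clean, fully profiled host falls through to flag 3.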


[Figure: Threat Response integration architecture. Infrastructure & Devices: ISE, Switches, Routers, Wireless; Endpoints: IoT, Phones, Printers; FMC, SMC, VMC, SIEM, WSA, ESA, 3rd party. Cloud Services: TALOS, AMP/TG, Umbrella, CTA. Legend of interconnects: pxGrid, AMP/TG API, Firepower API, Syslog, Talos API, Generic API, Radius, Netflow, DNS, Net Protocols.]


[Figure: integration between ISE (identity), FirePower and AMP4 Endpoints]


Example 1: FirePower and ISE (identity)


Visibility and Context Is Everything in Security

| Poor context awareness | Rich context awareness |
|---|---|
| IP Address: 192.168.2.101 | BOB (Employee) |
| Unknown | Windows Workstation |
| Unknown | Building-A Floor-1 |
| Unknown | 10:30 AM EST on APR 27 |
| Unknown | Wireless |
| Unknown | No Threats/Vulnerabilities |
| Result: Unknown (?) | Result: Known |


FMC – pxGrid Integration (FirePower)
System > Integration > Identity Sources > Identity Services Engine


Create Correlation Rule (FirePower)
Policies > Correlation > Rule Management > Create Rule

Connection Event: Security Intelligence matching CnC, Malware or Exploitkit


The Remediation – Threat Containment

• Quarantine: remediation that triggers EPS Quarantine via pxGrid
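The correlation rule and its remediation from the two slides above, as an added example that is neither FMC's correlation engine nor a pxGrid client: the connection events and the internal range are constructed, and the EPS quarantine request is returned as a plain object rather than sent to ISE.

```python
"""Correlation rule (SI match on CnC / Malware / Exploitkit) plus quarantine remediation.

Added example, not FMC code: events and the internal range are constructed, and the
pxGrid/EPS quarantine is modelled as a returned QuarantineRequest instead of a call.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed internal range; only hosts in here can be quarantined through ISE.
INTERNAL_NETWORK = ip_network("192.168.2.0/24")

# Security Intelligence categories the correlation rule matches on (from the slide).
TRIGGER_CATEGORIES = frozenset({"CnC", "Malware", "Exploitkit"})


@dataclass(frozen=True)
class ConnectionEvent:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    si_category: str | None    # Security Intelligence category matched, if any


@dataclass(frozen=True)
class QuarantineRequest:
    """What the remediation would hand to pxGrid / EPS (modelled, not sent)."""
    endpoint_ip: str
    reason: str
    first_seen: str


def rule_matches(ev: ConnectionEvent) -> bool:
    """Correlation rule: connection event whose SI match is CnC, Malware or Exploitkit."""
    return ev.si_category in TRIGGER_CATEGORIES


def internal_endpoint(ev: ConnectionEvent) -> str | None:
    """Pick the host on our side of the connection; the remote indicator is never quarantined."""
    for ip in (ev.src_ip, ev.dst_ip):
        if ip_address(ip) in INTERNAL_NETWORK:
            return ip
    return None


def run_correlation(events: list[ConnectionEvent]) -> list[QuarantineRequest]:
    """Evaluate the rule over a batch of events; at most one quarantine per endpoint."""
    quarantined: dict[str, QuarantineRequest] = {}
    for ev in events:
        if not rule_matches(ev):
            continue
        endpoint = internal_endpoint(ev)
        if endpoint is None or endpoint in quarantined:
            continue  # nothing of ours to quarantine, or already done for this host
        quarantined[endpoint] = QuarantineRequest(
            endpoint_ip=endpoint,
            reason=f"SI category {ev.si_category} ({ev.dst_ip}:{ev.dst_port})",
            first_seen=ev.ts,
        )
    return list(quarantined.values())


# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    ConnectionEvent("2019-04-27T10:30:00Z", "192.168.2.101", "203.0.113.9", 443, "CnC"),
    ConnectionEvent("2019-04-27T10:30:05Z", "192.168.2.101", "203.0.113.9", 443, "CnC"),
    ConnectionEvent("2019-04-27T10:31:00Z", "192.168.2.50", "198.51.100.7", 80, None),
    ConnectionEvent("2019-04-27T10:32:00Z", "192.168.2.77", "198.51.100.8", 8080, "Exploitkit"),
    ConnectionEvent("2019-04-27T10:33:00Z", "203.0.113.20", "198.51.100.9", 25, "Malware"),
]

if __name__ == "__main__":
    for req in run_correlation(SAMPLE_EVENTS):
        print(f"EPS quarantine {req.endpoint_ip}: {req.reason} (first seen {req.first_seen})")
```

Deduplicating per endpoint matters in practice: a beaconing host produces a matching event every few seconds, and each one would otherwise fire a fresh quarantine request at ISE.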


Test Configuration



Example 2: Cisco ISE (identity), 3rd party and Endpoint Protection (AMP4 Endpoints)


Vulnerability based access control – high-level flow

Components: Network Access Device, Cisco ISE 2.1+, Qualys ScanGuard, Endpoint

1. Endpoint connects to the network
2. Initial limited Authorization (VA-Scan)
3. ISE requests a VA scan for Endpoint
4. Qualys scans the Endpoint for Vulnerabilities
5. Qualys reports the CVSS score
6. CoA based on scan status (Full Access / Quarantine)
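The six-step flow above as a small state machine, added here as an example and not ISE's or Qualys's code: the CVSS threshold, the authorization profile names and the scan results are constructed, and a CoA is only issued when the authorization actually changes.

```python
"""Vulnerability-based access control flow (steps 1-6 above) as a state machine.

Added example, not ISE or Qualys code. The CVSS threshold, authorization profile
names and scan results are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

CVSS_QUARANTINE_THRESHOLD = 7.0   # constructed policy: quarantine from "high" severity


class Authz(Enum):
    VA_SCAN = "VA-Scan"             # step 2: initial limited authorization
    FULL_ACCESS = "Full Access"
    QUARANTINE = "Quarantine"


@dataclass
class Session:
    mac: str
    ip: str
    authz: Authz = Authz.VA_SCAN
    coa_history: list[Authz] = field(default_factory=list)   # CoAs actually sent (step 6)


@dataclass(frozen=True)
class ScanResult:
    cvss: float | None     # highest CVSS reported (step 5); None if the scan produced no score


def endpoint_connects(mac: str, ip: str) -> Session:
    """Steps 1-2: endpoint joins, ISE grants the limited VA-Scan authorization."""
    return Session(mac, ip)


def scan_request(session: Session) -> dict:
    """Step 3: what ISE hands to the scanner (modelled as a plain dict)."""
    return {"ip": session.ip, "mac": session.mac}


def decide(result: ScanResult) -> Authz | None:
    """Map a scan status to the target authorization; None means no decision yet."""
    if result.cvss is None:
        return None
    return Authz.QUARANTINE if result.cvss >= CVSS_QUARANTINE_THRESHOLD else Authz.FULL_ACCESS


def apply_scan_result(session: Session, result: ScanResult) -> Authz | None:
    """Steps 5-6: send a CoA only when the authorization changes.

    Returns the CoA sent, or None when the session is left as it is (scan
    incomplete, or a re-scan confirmed the current state).
    """
    target = decide(result)
    if target is None or target == session.authz:
        return None
    session.authz = target
    session.coa_history.append(target)
    return target


if __name__ == "__main__":
    s = endpoint_connects("aa:bb:cc:dd:ee:01", "192.168.2.101")   # constructed endpoint
    print("step 3 request:", scan_request(s))
    for result in (ScanResult(None), ScanResult(9.8), ScanResult(9.8), ScanResult(4.3)):
        coa = apply_scan_result(s, result)
        print(f"scan cvss={result.cvss}: authz={s.authz.value}, CoA sent={coa and coa.value}")
```

Re-scans feed the same function, so a host that is patched after being quarantined gets a CoA back to Full Access, while an unchanged result produces no CoA at all.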


• Threat and
• Vulnerability

missing


Integrating Tenable VMS with ISE (ISE)
Administration > Threat Centric NAC > Vendor Instances


Example 3: 3rd party and Endpoint Protection, FirePower


Integrating Security Center and FMC

• Give FMC the Vulnerabilities Tenable Security Center retrieved from Active Scans
  • Credentialed or Uncredentialed Scans
• More Accurate Impact Flags and AutoTuning on FMC
• Leverage the Investment in Vulnerability Management


Add New Host Input Client (FirePower)
System > Integration > Host Input Client > Create Client

Download Cert

BRKSEC-3889


Run Script

• python query_vuln.py
• Takes Vulns from SC
• Imports them into FMC
• Schedule through Cron or other tool

http://cs.co/ats-apis


View Vulnerabilities
Analysis > Vulnerabilities > Third-Party Vulnerabilities > Detail


Host Profile: Security Center Vulnerabilities


Example 4: Integrating AMP Vulnerability Data into FMC (FirePower, AMP4 Endpoints)


Vulnerability information from endpoint agent


Add New Host Input Client
System > Integration > Host Input Client > Create Client

Then Download Cert


Run Script

• python amphost2csv.py
• Takes Vulns from AMP
• Imports them into FMC
• Schedule through Cron or other tool

http://cs.co/ats-apis


View Vulnerabilities
Analysis > Vulnerabilities > Third-Party Vulnerabilities > Detail


Host Profile: AMP OS Data, AMP Vuln Data


Firepower 6.3 new features


Key Features of the 6.3 Release
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/relnotes/firepower-release-notes-630/new_features.html

• Extending deployment opportunities
  • Multi-Instance
  • Air-gapped licensing
  • Unified Eventing and Contextual Cross-launch
  • New Network Modules
  • ISA 3000 FTD enhancements
• Unlocking the mid-market
  • On-box Firepower Device Manager (FDM) HA
  • Other FDM enhancements
  • TLS in Hardware for the 2100
• CoA for RA VPN (needed for posture)
• FQDN based network objects
• New migration tool
• Other Enhancements
  • Dynamic Flow Offload
  • Clustering enhancements
  • Backup and restore for RMA
  • Snort restart improvements
  • FMC REST API enhancements


Management Options

Cisco Defense Orchestrator (CDO)
• Enables cloud-based policy management of multiple deployments
• Cloud-based, multi-device; built on REST API
• Firepower Threat Defense support post 6.3

Firepower Management Center (FMC)
• Enables comprehensive security administration and automation of multiple appliances
• Multi-device advanced integration and analytics

Firepower Device Manager (FDM)
• Enables easy on-box management of common security and policy tasks
• On-box, single device; built on REST API


Multi-Instance Approach

• NGFW approach for providing multiple contexts
• Install multiple FTD logical devices on a single module or appliance
  • Each application instance represents a tenant
  • Complete traffic processing and management separation
  • CPU/memory/disk resources are dedicated to an instance at provisioning
  • Physical and logical interface and VLAN separation at Supervisor


Multi-Instance Solution Summary

• Firepower 4100 and 9300 only
• Instantiate multiple logical devices on a single module or appliance
• FTD application first, a combination of FTD and ASA instances in the future
• Leverage Docker infrastructure and application packaging
• Complete traffic processing and management separation
• CPU/memory/disk resources are dedicated to an instance at provisioning
• Physical and logical interface and VLAN separation at Supervisor

[Figure: a Firepower 4100 or Firepower 9300 module hosting FTD Instance A (10 CPU), FTD Instance B (6 CPU), FTD Instance C (18 CPU), FTD Instance D (12 CPU) and ASA Instance A (Future, 12 CPU), attached to Ethernet1/1-3, Ethernet1/4-5, Port-Channel1.100-101, Port-Channel1.101-102 and Port-Channel2]


Contextual Cross-Launch

• Allows administrator to pivot off of a field in an event to cross-launch another product
• Bundled with many useful product integrations
• URL based custom product integrations can be added.


Five New Modules for FPR 2100

• Four new Hardware-Bypass capable modules that will be supported starting with the 6.3.0 release (FXOS 2.4.1).

| PID | Supported Speeds | Ports | FTW Capable |
|---|---|---|---|
| FPR-NM-8X10G | 1G/10G | 8 | No |
| FPR-NM-8X1G | 1G | 8 | No |
| FPR-NM-6X10SR-F | 10G-SR | 6 | Yes |
| FPR-NM-6X10LR-F | 10G-LR | 6 | Yes |
| FPR-NM-6X1SX-F | 1G-SR | 6 | Yes |
| FPR-NM-8X1G-F | 10/100/1000 (Cu) | 8 | Yes |

• Hardware Bypass is only supported on a fixed set of port pairs.
• Port 1 can be paired with Port 2, Port 3 can be paired with Port 4, and so on.


New 100G Interfaces for 9300

• Existing 100G Netmod is a Double Wide, 2-port card
  • Double wide form factor limits flexibility
  • Does not support 4x25G breakout
• New 4 X 100G Netmods for 9300
  • Provides up to eight 100G ports for use as Clustering inside, outside and CCL links
  • Single wide form factor allows flexibility to mix-match with other Network modules
  • Support for 4x25G breakout planned for subsequent release

[Figure: Firepower 9300 Chassis with 4x100G and 8x10G Netmods; 4 Port, Single Wide 100G NM]


FTD for Cisco Industrial Security Appliance (ISA3000)

• ISA 3000 extends the Cisco IoT portfolio
• Two models of ISA 3000
  • Copper interfaces
  • Fiber interfaces
• In 6.2.3.0, ISA 3000 supported ASA and ASA with FP 5.4
• Support for FTD was introduced in 6.2.3.1
• 6.3 extended several features from ASA with FP to FTD
  • Alarm port – configured using FlexConfig, 2 x alarm input, 1 x alarm output
  • SD card auto backup/restore
  • Hardware Bypass for transparent mode firewall (FDM managed devices only)
  • CIP preprocessor for FTD – not validated in 6.3


TLS Hardware Offload

Hardware TLS decryption?

• Enable TLS hardware offload by default on all platforms
• Can still be manually disabled
• Enable TLS hardware offload on 2100 series appliances


FQDN Type Network Objects

• FQDN based network objects are available in Firepower 6.3
  • Essentially the same as ASA FQDN based objects
  • Not available in NGIPS appliances or ASA with FP
• FQDNs are converted to IP through DNS lookups
  • Administrator can select IPv4, IPv6, or both
  • A single FQDN may resolve to multiple IPs
  • DNS resolution is performed in Lina
• Available on both the FMC and FDM
  • Included in API for FMC and FDM
• FQDN based network objects can be used in:
  • Access control policy rule
  • Prefilter or tunnel rules in prefilter policies


Migration tool

[Figure: Firepower Migration Tool flow: ASA Configuration → Upload → Firepower Migration Tool → API Calls → Firepower Management Center → Deploy → Firepower Threat Defense]


Post-migration summary


Feature Overview

• Snort restarts can disrupt traffic.
• Over several releases most Snort restart scenarios have been eliminated.
• To achieve this, Snort restarts are often replaced by Snort reloads.
• Reloads use a separate reload thread to rebuild the Snort configuration.
• In 6.3, Snort restarts are eliminated in 3 scenarios.
• FMC must be 6.3. FMC managed devices can be any supported release.
• Locally managed devices (FDM) must be 6.3.


FMC REST API Enhancements for 6.3

FMC enables the following new REST APIs in version 6.3:
• S2S VPN tunnel REST API
• FTD High Availability REST API
• REST APIs for Bulk POST
  • network, port, vlan-tag, urls
  • security zone, interface groups
  • SLA monitoring objects
  • GET/PUT/(bulk)POST/DELETE for object override support on overridable objects
• REST APIs for FTD upgrade (available for upgrading from 6.3.0 and above)
