Deploying Intrusion Prevention Systems
BRKSEC-2030
Gary Halleen
Consulting Systems Engineer II
© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-2030 Cisco Public
Agenda
• Introductions
• Introduction to IPS
• Comparing Cisco IPS Solutions
• IPS Deployment Considerations
• Migration from IPS 7.x to Sourcefire NGIPS
• Conclusion
Goal of this Session
1. Understand Cisco’s IDS/IPS Portfolio, including new additions from Sourcefire.
2. Understand options around deploying an IPS solution.
3. Understand options for high availability.
4. Understand strategy around migrating an IPS solution.
Introduction to IPS
What is IPS ?
Intrusion Detection System (IDS)
[Diagram: Internet to Host path; the sensor sits off the path, receives a copy of the traffic, and raises an "Alert!"]
The sensing interface receives copies of network traffic from a SPAN port, hub, tap, or VACL capture. It does not sit in the flow of traffic.
Sensor: no IP address on the sensing interface.
Intrusion Prevention System (IPS)
[Diagram: Internet to Host path with the sensor inline; the sensor raises an "Alert!" and can "Block" the traffic]
The sensor sits in the traffic path, and has the capability to drop traffic when desired.
Inline interfaces do not have IP addresses.
IPS operates at Layer 2, and can be thought of as a “Smart Wire”.
Integrated IPS or IDS
[Diagram: Internet to Host path through an ASA in routed or transparent mode, with the IPS module attached to the ASA]
Traffic is passed, via the ASA backplane, to the sensor as IDS, IPS, or both.
Cisco IPS Solutions
Cisco acquired Sourcefire in October 2013.
Cisco is committed to maintaining and contributing to Sourcefire Open Source Projects.
Cisco IPS Solutions
Cisco IPS 7.x
• Traditional IPS Solution
• Supported on IPS 4200, 4300, 4500-series appliances, as well as ASA IPS Modules
Cisco Sourcefire IPS
• Next-Generation IPS, Firewall, and Anti-Malware Solution
• Supported on Sourcefire 7000 and 8000-series Appliances
• Supported in VMware ESX
Cisco anticipates many Cisco IPS 7 customers will want to migrate to Sourcefire in order to take advantage of its Next-Generation features.
Next-Generation Security: What does “Next-Gen” mean?
Traditional security appliances rely on a 5-tuple of information to identify traffic, its source, and its destination:
– (Source Address, Destination Address, Source Port, Destination Port, Protocol)
Next-Generation Security Appliances, like Sourcefire FirePower, enhance traditional security by combining it with much more information, such as:
– User Identity
– Application Protocol
– Application
– Client Application
– Operating System
– Geographic Location of Source or Destination
– URL Category
Comparing Cisco’s IPS Solutions
Hardware
Cisco IPS 7.x: Dedicated IPS Family
[Chart: performance, scalability and adaptivity increase from Branch Office through Internet Edge and Campus to Data Center]
Branch Office / Internet Edge / Campus:
– IPS 4345: 750 Mbps
– IPS 4360: 1.25 Gbps
Data Center:
– IPS 4500-series: 3 to 5 Gbps
– IPS 4520-XL: 10 Gbps
Cisco IPS 7.x: Integrated IPS Family
[Chart: performance, scalability and adaptivity increase from SOHO and Branch Office through Internet Edge and Campus to Data Center]
– ASA5512-X IPS: 250 Mbps
– ASA5515-X IPS / ASA5525-X IPS: 400 to 600 Mbps
– ASA5545-X IPS / ASA5555-X IPS: 900 Mbps to 1.3 Gbps
– ASA5585-X SSP-10 / SSP-20: 2 to 3 Gbps
– ASA5585-X SSP-40 / SSP-60: 5 to 10 Gbps
Sourcefire: Appliance Family (Next-Generation Security!)
[Chart: Branch Office through Internet Edge and Campus to Data Center]
– 7000-series: 50 to 250 Mbps
– 7100-series: 500 Mbps to 2 Gbps
– 8100-series: 2 to 12 Gbps
– 8200 and 8300-series: 10 to 60 Gbps
FirePower 8200/8300: Single-pass, high-performance, low-latency
Flexible in Software
– NGIPS, NGFW, AMP
– All of the above (just size appropriately)
Flexible in Hardware
– Modular for options in Interfaces, including 10GE and 40GE
– High-Performance:
  • 10 Gbps with 8250
  • 15 Gbps with 8350
Cost Effective
– Best in class for IPS by NSS Labs
– Best in class for NGFW by NSS Labs
– Best in class for Breach Detection by NSS Labs
FirePower 8200/8300: Single-pass, high-performance, low-latency
8200-series
– 8250: 10 Gbps
– 2x 8250 = 8260: 20 Gbps
– 3x 8250 = 8270: 30 Gbps
– 4x 8250 = 8290: 40 Gbps
8300-series
– 8350: 15 Gbps
– 2x 8350 = 8360: 30 Gbps
– 3x 8350 = 8370: 45 Gbps
– 4x 8350 = 8390: 60 Gbps
Sourcefire: Virtual Appliance (VMware ESX)
Virtual Appliance performance is entirely dependent on the CPU resources and RAM allocated to it in VMware.
Performance range is typically between 250 Mbps and 2 Gbps.
Cisco IPS Platform Features
Feature              IPS-4200*  IPS-4300  IPS-4500
1GE Interfaces       YES        YES       YES
10GE Interfaces      NO         NO        YES
40GE Interfaces      NO         NO        NO
SFP Ports            NO         NO        YES
Hardware Bypass      NO         YES       NO
Software Bypass      YES        YES       YES
Hardware Fast Pass   NO         NO        NO
L3 Mode              NO         NO        NO
* IPS-4200 series is End of Sale
Sourcefire IPS Platform Features
Feature              Virtual  7000   7100    8100    8200+
1GE Interfaces       -        YES    YES     YES     YES
10GE Interfaces      -        NO     NO      YES     YES
40GE Interfaces      -        NO     NO      NO      YES
SFP Ports            -        NO     YES *   YES **  YES **
Hardware Bypass      -        YES    YES     YES     YES
Software Bypass      YES      YES    YES     YES     YES
Hardware Fast Pass   -        NO     NO      YES     YES
L3 Mode              NO       YES    YES     YES     YES
* 7115, 7125, and 7150 models only   ** Fiber-to-SFP Transceiver
- No value shown for the Virtual column on the original slide
Management
IPS Management Comparison: Cisco Security Manager (CSM)
For Enterprise Management of Cisco IPS 7.x
Features and Limitations:
• Client/Server Windows Application
• Java Application
• Supports Out-of-Band Change Detection
• Manages, Monitors, and Reports for hundreds of Sensors
IPS Management Comparison: IPS Manager Express (IME)
For Individual or Small Network Management of Cisco IPS 7.x
Features and Limitations:
• Windows Desktop Application
• Written in Java
• Functional for Small Deployments, only
IPS Management Comparison: Defense Center
For All Deployment Sizes of Sourcefire 5.3
Features and Limitations:
• HTML5 Application
• FireSIGHT provides network visibility and contextual information
• eStreamer Support for 3rd Party Integration
• Available as Hardware Appliance or VM (ESX)
• Manage up to 150 Sourcefire Sensors
• Also Manages Next-Gen Firewall Features!
Sourcefire Defense Center GUI Walkthrough
[Screenshot slides; no text content]
Software
Software Feature Comparison
Feature                                         IPS 7.x   SF 5.3
Open IPS Signatures or Rules                    YES       YES
Passive OS Fingerprinting                       YES       YES
User Identity Reporting within Events           NO        YES
Integrated Firewalling Capability               NO        YES
Application Control                             Limited   YES
Visibility and Control of Client Applications   NO        YES
Geo-Location Reporting and Policies             NO        YES
3rd Party API                                   NO        YES
URL Filtering Capability                        NO        YES
Cisco IPS 7.x Risk Rating
RR = (ASR × TVR × SFR) / 10,000 + ARR - PD + GC
– ASR (Alert Severity Rating): Informational = 25, Low = 50, Medium = 75, High = 100
– SFR (Signature Fidelity Rating): given by Cisco per signature
– TVR (Target Value Rating): Low value = 75, Medium = 100, High value = 150, Mission Critical = 200
– ARR (Attack Relevancy Rating): added by 10 if relevant, reduced by 10 if irrelevant
– PD (Promiscuous Delta): between 0 and 30, applied only in promiscuous mode
– GC (Global Correlation): depending on the reputation of the attacker
Risk Rating and IPS Policy
The Risk Rating adds up:
– Event Severity: how urgent is the threat?
– Signature Fidelity: how prone is the signature to false positives?
– Attack Relevancy: is the attack relevant to the target?
– Asset Value of Target: how critical is this destination host?
– Global Correlation: what is the attacker’s reputation?
Risk Rating     IPS Policy Action
RR < 34         Default Action
35 < RR < 90    Verbose Alert
RR > 90         Deny Packet Inline
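A worked implementation of the Risk Rating formula and the policy thresholds on these two slides, added here as an example (not Cisco's code). Rounding RR to an integer, clamping it to 0..100, and how the unassigned boundary values 34 and 90 are handled are assumptions; the sample events are constructed.

```python
from enum import Enum

# Term values as given on the Risk Rating slide.
ALERT_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}      # ASR
TARGET_VALUE = {"low": 75, "medium": 100, "high": 150, "mission_critical": 200}   # TVR
ATTACK_RELEVANCY = {"relevant": 10, "irrelevant": -10, "unknown": 0}              # ARR


class Action(Enum):
    DEFAULT = "Default Action"
    VERBOSE_ALERT = "Verbose Alert"
    DENY_PACKET_INLINE = "Deny Packet Inline"


def risk_rating(severity, target_value, fidelity, relevancy="unknown",
                promiscuous_delta=0, global_correlation=0, promiscuous=False):
    """RR = (ASR x TVR x SFR) / 10,000 + ARR - PD + GC.

    fidelity is the per-signature SFR (0..100). PD (0..30) is subtracted only
    when the sensor runs in promiscuous mode. Rounding to an integer and
    clamping to 0..100 are assumptions about how the sensor reports RR.
    """
    if not 0 <= fidelity <= 100:
        raise ValueError("SFR must be between 0 and 100")
    if not 0 <= promiscuous_delta <= 30:
        raise ValueError("promiscuous delta must be between 0 and 30")
    rr = (ALERT_SEVERITY[severity] * TARGET_VALUE[target_value] * fidelity) / 10_000
    rr += ATTACK_RELEVANCY[relevancy] + global_correlation
    if promiscuous:
        rr -= promiscuous_delta
    return max(0, min(100, round(rr)))


def policy_action(rr):
    """Event-action ranges from the slide. The slide leaves RR = 34 and RR = 90
    unassigned; treating them as Default and Verbose Alert is an assumption."""
    if rr > 90:
        return Action.DENY_PACKET_INLINE
    if rr >= 35:
        return Action.VERBOSE_ALERT
    return Action.DEFAULT


def evaluate(**event):
    """Return (RR, action) for one event described by keyword arguments."""
    rr = risk_rating(**event)
    return rr, policy_action(rr)


if __name__ == "__main__":
    # Constructed events: the same signature (medium severity, SFR 75) against
    # targets of different value, in inline and promiscuous mode.
    samples = {
        "medium target, inline": dict(severity="medium", target_value="medium", fidelity=75),
        "medium target, relevant": dict(severity="medium", target_value="medium",
                                        fidelity=75, relevancy="relevant"),
        "medium target, promiscuous": dict(severity="medium", target_value="medium",
                                           fidelity=75, promiscuous=True, promiscuous_delta=30),
        "mission-critical target": dict(severity="high", target_value="mission_critical",
                                        fidelity=85),
    }
    for name, event in samples.items():
        rr, action = evaluate(**event)
        print(f"{name:28s} RR={rr:3d} -> {action.value}")
```

The promiscuous case shows why the same signature can stay at the default action on an IDS while an inline sensor would raise a verbose alert for it.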
Sourcefire Priority Levels
Priority Level: “How Dangerous is the Attack?”
Sourcefire Impact Levels
Impact Level: “Are my hosts VULNERABLE to the attack?”
Sourcefire Impact Levels
Impact Level   Vulnerable?              Definition
0              Unknown                  Neither the source nor the destination host exists on a network monitored by network discovery.
1              Vulnerable               Either the source or the destination is vulnerable to the attack, or a host is compromised by malware.
2              Potentially Vulnerable   Either the source or the destination is running the port or protocol used in the attack.
3              Not Vulnerable           The port or protocol used in the attack is not running on the host.
4              Unknown                  The host is on a monitored network, but doesn’t appear to exist.
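The impact-level logic from the table, as an added example that is not Sourcefire's code: it ranks one intrusion event against a small constructed host map standing in for what network discovery knows (the monitored network, addresses, service tuples and vulnerability ids are all made up), checking the more severe conditions first so a host that is both vulnerable and running the service is ranked 1, not 2.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for the network discovery data: which networks are
# monitored and what is known about each host on them.
MONITORED_NETWORKS = [ip_network("10.1.0.0/16")]


@dataclass
class Host:
    ip: str
    services: set = field(default_factory=set)         # (protocol, port) seen running
    vulnerabilities: set = field(default_factory=set)  # vulnerability ids from discovery
    malware_compromised: bool = False


HOST_MAP = {
    "10.1.5.20": Host("10.1.5.20", {("tcp", 80), ("tcp", 22)}, {"VULN-A"}),
    "10.1.5.21": Host("10.1.5.21", {("tcp", 443)}),
    "10.1.5.22": Host("10.1.5.22", {("tcp", 25)}, malware_compromised=True),
}

IMPACT_NAMES = {
    0: "Unknown",
    1: "Vulnerable",
    2: "Potentially Vulnerable",
    3: "Not Vulnerable",
    4: "Unknown",  # monitored network, but the host has not been seen
}


def is_monitored(ip):
    return any(ip_address(ip) in net for net in MONITORED_NETWORKS)


def impact_level(src, dst, protocol, port, rule_vulns):
    """Return the impact level (0..4) for an event between src and dst.

    protocol/port describe the service the attack uses; rule_vulns is the set
    of vulnerability ids the triggering rule is associated with (constructed).
    Checks run from most to least severe, mirroring the table's ordering.
    """
    if not (is_monitored(src) or is_monitored(dst)):
        return 0                       # neither endpoint is on a monitored network
    known = [HOST_MAP[ip] for ip in (src, dst) if ip in HOST_MAP]
    if not known:
        return 4                       # monitored network, but no host profile exists
    if any(h.malware_compromised or (h.vulnerabilities & rule_vulns) for h in known):
        return 1                       # vulnerable, or already compromised by malware
    if any((protocol, port) in h.services for h in known):
        return 2                       # runs the port/protocol the attack targets
    return 3                           # service not running on the host


def classify(src, dst, protocol, port, rule_vulns):
    """Convenience wrapper returning (level, label) for a dashboard or report."""
    level = impact_level(src, dst, protocol, port, rule_vulns)
    return level, IMPACT_NAMES[level]


if __name__ == "__main__":
    # Constructed events from an external address against the hosts above.
    for dst, port in (("10.1.5.20", 80), ("10.1.5.21", 443), ("10.1.5.21", 80), ("10.1.5.99", 80)):
        print(dst, port, classify("198.51.100.7", dst, "tcp", port, {"VULN-A"}))
```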
Sourcefire search Levels and Impacts
Indicators of Compromise
Sourcefire IOC
Indicators of Compromise: New to SF 5.3
Wouldn’t it be nice if your IPS console could tell you if you appeared to have a compromised host?
For example:
o Has the host connected to an exploit kit?
o Has the host been involved in an Impact 1 event?
o Has the host downloaded malware?
o Did the malware execute?
o Has the host connected to a CNC server?
Sourcefire IOC: Configurable Settings
[Screenshot slide]
IOC Dashboard Widget
• Because IOCs enable a quick way of classifying a host’s potentially compromised state, having this data on a dashboard is desirable
[Widget: one row per host showing the number of IOCs set against the host; click to expand]
IOC Host Profile View
IPS Deployment Considerations
Connectivity
Connectivity: How should the Sensor be Connected?
Promiscuous Mode IDS
– Promiscuous interface
Inline Mode IPS
– Inline Interface Pairs
– Inline VLAN Pairs
Integrated IPS/IDS
– Inline
– Promiscuous
Connectivity: Promiscuous Interface
[Diagram: Ethernet switch with a SPAN destination port or VACL capture feeding the sensor’s promiscuous interface]
• Only copies of the packets are sent to the sensor
• Mostly detection, limited protection
• Optional prevention through external blocking
• Separate device must send copies of the packets
– SPAN (or monitor) from a switch
– VACL capture from a switch
– Network Taps
Connectivity: Inline Interface Pairs
Transparent interfaces: the sensor is a Layer 2 bridge that sits between two physical ports on a switch or on two different switches.
o Two physical interfaces paired together
o Multiple pairs can be configured on the same sensor
o IPS between two access ports on the same switch or between two different switches
o Traffic passes through the sensor
o Pass good traffic, and block bad
o Redundancy can be provided with STP or an additional sensor
o Fail-open can be provided with hardware-bypass interfaces
Connectivity: Inline Routed Interfaces (Sourcefire)
Routed interfaces: the sensor is a Layer 3 router.
o Two or more physical or VLAN interfaces defined as routable interfaces
o Traffic passes through the sensor
o Pass good traffic, and drop bad
o Redundancy can be provided through SFRP to a standby sensor
o Fail-open is NOT supported with hardware-bypass interfaces
o Routed interfaces are most commonly used in an NGFW deployment
Connectivity: Inline VLAN Pairs (Cisco IPS 7.x)
[Diagram: HostA on VLAN10 and HostB on VLAN20; the sensor sits on the trunk and rewrites the 802.1Q header]
o IPS sits on a trunk between two VLANs on the switch, if using Cisco IPS.
o Traffic passes through the IPS and gets inspected and retagged or dropped.
o Supported with ECLB high-availability deployments.
o Redundancy can be provided with STP deployments.
o Fail-open can be provided with a redundant wire.
Connectivity: Switched Deployment Mode (Sourcefire)
[Diagram: HostA on VLAN10 and HostB on VLAN20, bridged by a virtual switch inside the sensor]
o Virtual Switch is defined within the Sensor
o Two or more physical interfaces or VLANs are assigned to the Virtual Switch
o Traffic passes through the IPS and gets inspected
o Redundancy can be provided with STP deployments.
o Fail-open can be provided with a redundant wire.
Connectivity: Relationship to the Firewall
o Dedicated IPS behind the firewall
o Dedicated IPS in front of the firewall
o Integrated IPS inside the firewall
Connectivity: Dedicated IPS Behind the Firewall
[Diagram: Intranet - IPS - Firewall - Internet]
+ Most organizations place the IPS behind the Firewall.
+ Firewall blocks all inbound traffic unless addressed to a server or in response to an earlier request.
- IPS’s visibility is limited to what the Firewall allows in.
+ Best of breed functionality.
Connectivity: Dedicated IPS In Front of the Firewall
[Diagram: Intranet - Firewall - IPS - Internet]
+ Provides better visibility into attacks from the internet
- Increases noise
- IPS handles more state and may become a bottleneck during a DDoS attack
Connectivity: Integrated IPS inside the Firewall
[Diagram: Intranet - ASA with IPS module - Internet]
+ Placing IPS inside the firewall provides all the benefits of ASA + full IPS functionality
+ Flexible IPS/IDS policy selection based on 5-tuple, User-ID, SXP
+ ASA provides traffic symmetry, normalization, resiliency (failover) and scaling (clustering) to IPS
+ IPS inspection of traffic from VPN tunnels terminated on ASA
Performance
Performance
Interface Types and Speeds:
o 1GE, 10GE, 40GE?
o Fiber or Copper?
Connections:
o Interface speed is important, but traffic type is more important.
o How many CONNECTIONS do you need to support?
Fixed Interface Models
Model          Firewall (w/o Inspection)   IPS          Connections   CPS       Size (Rack Units)
3D7030         500 Mbps                    250 Mbps     500,000       5,000     1
IPS-4345       n/a                         750 Mbps     750,000       30,000    1
3D7115         1.5 Gbps                    750 Mbps     1,500,000     27,500    1
IPS-4360       n/a                         1.25 Gbps    1,700,000     45,000    1
3D7125         2.5 Gbps                    1.25 Gbps    2,500,000     42,500    1
AMP-7150 *     500 Mbps *                  500 Mbps *   2,500,000     42,500    1
IPS-4510       n/a                         3 Gbps       3,800,000     72,000    2
IPS-4520       n/a                         5 Gbps       8,400,000     100,000   2
IPS-4520-XL    n/a                         10 Gbps      16,800,000    200,000   2
* AMP Appliances are sized with ALL features enabled
Not All Models are Listed
Modular Models
Model       Firewall (w/o Inspection)   IPS        Connections   CPS       Size (Rack Units)
3D8120      4 Gbps                      2 Gbps     3,000,000     45,000    1
3D8150 *    2 Gbps *                    2 Gbps *   3,000,000     45,000    1
3D8130      8 Gbps                      4 Gbps     4,500,000     70,000    1
3D8140      10 Gbps                     6 Gbps     7,000,000     100,000   1
3D8250      20 Gbps                     10 Gbps    12,000,000    180,000   2
3D8350      30 Gbps                     15 Gbps    12,000,000    180,000   2
3D8360      60 Gbps                     30 Gbps    24,000,000    360,000   4
3D8370      90 Gbps                     45 Gbps    36,000,000    540,000   6
3D8390      120 Gbps                    60 Gbps    48,000,000    720,000   8
* AMP Appliances are sized with ALL features enabled
Not All Models are Listed
Availability
Availability: What should happen if the IPS fails?
Network Availability
– Integrated ASA+IPS: ASA/IPS Fail-Open
– IDS Appliance: N/A
– IPS Appliance: Software Bypass; Hardware Bypass; STP and redundant cable
Security Availability
– Integrated ASA+IPS: ASA Failover
– IDS Appliance: Multiple IDS connected to multiple Monitor Ports
– IPS Appliance: STP and redundant sensor; Port-channel with 2 or more sensors; IPS Clustering (Sourcefire)
Availability: What is Sourcefire’s Clustering?
– Interface Pairing (Inline Deployment Redundancy): Traffic passes through either Sensor. Mid-Session Pickup allows established flows to pass. Spanning-Tree typically places one in Blocking state.
– VLAN Pairing (Switched Deployment Redundancy): Spanning-Tree Protocol is used to determine redundancy.
– Layer 3 Mode (Routed Deployment Redundancy): SFRP (similar to VRRP) creates an Active/Passive deployment.
– IDS Mode (Passive Deployment Redundancy): Same as having multiple standalone IDS appliances, except duplicate events are suppressed.
Availability: Sensors with Spanning-Tree Protocol
[Diagram: two Ethernet switches connected through two sensors; data flow takes the STP forwarding path]
o Sensors between 2 switches or 2 VLANs on the same switch
o STP determines the Forwarding/Blocking path
o SW-bypass configured to off for the “always inspect” requirement
o Sensor failure causes STP to place the other sensor in forwarding state
o UDLD supported for failure detection
Availability: ASA Failover
• Active/Active, Active/Standby, and Clustering
• ASA synchronizes the connection table
• ASA configuration is automatically synced.
• IPS configuration synchronization using a CSM policy bundle, or through Sourcefire Defense Center.
Migrating from Cisco IPS 7 to Sourcefire: Before the Migration
Think about the existing deployment:
o Speed and latency needs?
o Interface needs?
o Have HA needs been considered?
o Have you backed up any custom IPS signatures?
o Which migration strategy makes sense for your organization?
Migrating from Cisco IPS 7 to Sourcefire: Migration Strategies, based on Risk Assessment
1. Cut over to Inline IPS Mode
• Replace Cisco IPS 7 with Sourcefire in IPS mode. Monitor closely, and adjust the policy. This is the most risky option for legitimate traffic.
2. Cut over to Inline Audit Mode
• Replace Cisco IPS 7 with Sourcefire in Audit mode. Monitor traffic and alerts, and then put the sensor in IPS mode. This is the most risky option against malicious traffic and for compliance.
3. Run Both Temporarily
• Install Sourcefire in IDS mode, connected to a SPAN port or another method of capturing network traffic. Sourcefire should be placed on the UNTRUSTED side of the Cisco IPS sensor, while leaving Cisco IPS in place. Monitor the sensor and adjust policy accordingly. When the sensor is tuned, complete the migration with either option 1 or 2, above. This is the best option for most organizations.
Migrating from Cisco IPS 7 to Sourcefire: For most organizations…
1. Before Migration: Running Cisco IPS 7
2. During Migration: Running both Cisco IPS 7 and Sourcefire
3. After Migration: Running only Sourcefire
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker’s Twitter handle <@GaryHalleen>
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings