Sourcefire Threat Detection: NGIPS – NGFW – Advanced Malware
Tim Ryan – Security CSE – SLED East
Kevin Tracy – Security CSE – Commercial South
Sept 2014
Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
1. Next Generation Security Model
2. Product Overviews
3. ASA + Sourcefire Features & Architecture
4. Deployment Scenarios
5. Integration Roadmap and Vision
The Next Generation Security Model
[Figure: the Attack Continuum – BEFORE (Control, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate) – applied across Network, Endpoint, Mobile, Virtual and Cloud, with both point-in-time and continuous protection. Callout: "What device types, users and applications should be on the network?"]
BEFORE THE ATTACK: You need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSIGHT)
Access controls enforce policy and manage applications and overall access to assets.
Access controls reduce the attack surface, but there will still be holes that the bad guys will find. ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective.
The Next Generation Security Model
[Figure: the Attack Continuum again – BEFORE / DURING / AFTER across Network, Endpoint, Mobile, Virtual and Cloud; point-in-time and continuous.]
DURING THE ATTACK:
• Must have the highest-efficacy threat detection mechanisms possible
• Detection methods MUST be multi-dimensional and correlated
• Once we detect attacks, NGIPS can block them and dynamically defend the environment
Collective Security Intelligence

Sourcefire NGIPS / NG Firewall Features
FireSIGHT: What are the Key FireSIGHT Components?
Network Discovery & Connection Awareness
Host discovery
• Identifies OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host based on the information it has gathered
Application identification
• FireSIGHT can identify over 1900 unique applications using OpenAppID
• Includes applications that run over web services such as Facebook or LinkedIn
• Applications can be used as criteria for access control
User discovery
• Monitors for user IDs transmitted as services are used
• Integrates with MS AD servers to authoritatively identify users
• Authoritative users can be used as access control criteria
Sourcefire FireSIGHT Technology: FireSIGHT Discovery
Discovery is reported to you by way of events
• Connection events are recorded as every connection in a monitored network is seen
• Host events are recorded when something new on a host is detected or a change to a host is detected
Information about all the hosts in your environment is stored in host profiles
Sourcefire FireSIGHT Technology: FireSIGHT Discovery
By knowing the details of what's running in your environment, the Sourcefire System can produce a list of what vulnerabilities likely exist. This allows the Sourcefire System to put intrusion events in context for more accurate and actionable alerting.
Which would matter more to you?
• A Code Red attack against a host running Linux in your environment
Or
• A Code Red attack against a host running a vulnerable version of Windows in your environment
Sourcefire FireSIGHT Technology: FireSIGHT Discovery
With FireSIGHT, IPS events are assigned an impact level:
• 0 – host not on monitored networks
• 4 – no entry for the host in the network map
• 3 – host not running the service or protocol that was attacked
• 2 – host is running the service or protocol that was attacked
• 1 – host is running the service or protocol that was attacked, and a vulnerability against that service or protocol is mapped to the host
FireSIGHT also lets you fine-tune your IPS policies by recommending rules to protect against the known vulnerabilities in your environment.
FireSIGHT Management Center (FMC): Intrusion Events with Impact Levels
FireSIGHT: Why is FireSIGHT important?
It gives you real-time information about what's in your network. Based on this knowledge:
• It can inform you of the vulnerabilities associated with what is running in your environment
• You can fine-tune policies to focus on the threats specific to your environment
It can detect changes to your environment and alert you as soon as the change is detected
• You can act dynamically with custom alerting (email, syslog, SNMP, eStreamer)
• You can take action dynamically as well with remediation modules
• Remediations are scripts you can launch from the Defense Center to take some action
FireSIGHT: How is FireSIGHT information used?
Fine-tuning IPS policies
• You can automatically select the rules and preprocessor configurations that apply to your environment
• You can protect hosts running services on non-standard ports (e.g. HTTP running on port 1080 on one host and 8080 on another)
Enforce an organization's security/usage policies
• Block or alert on use of unauthorized applications, for example
Monitor and act on unusual network behavior
• Alert on new hosts showing up in restricted network spaces, or detect unusually high utilization
Act on user activity
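As an added illustration (not Sourcefire or Cisco code), the Python below models how the impact levels listed earlier are derived from the network map, including a host that runs HTTP on the non-standard port 1080 as in the bullet above, and how rules can be recommended from the vulnerabilities mapped to hosts. The host profiles, rule SIDs, event fields and vulnerability IDs such as "V-1" are all constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Networks the sensor is configured to discover (constructed for this example).
MONITORED_NETWORKS = [ip_network("10.0.0.0/8")]


@dataclass
class HostProfile:
    """What discovery has learned about one host (its network-map entry)."""
    ip: str
    os: str
    # (protocol, port) -> application protocol, so HTTP on a non-standard
    # port such as tcp/1080 is still recognised as HTTP.
    services: dict
    # Vulnerability IDs mapped to the host from its OS/service fingerprints.
    # Hypothetical IDs ("V-1" etc.) are used here instead of real advisories.
    vulns: set = field(default_factory=set)


@dataclass
class IntrusionEvent:
    """The parts of an IPS event that matter for impact assessment."""
    sid: int
    dst_ip: str
    proto: str
    dst_port: int
    service: str                              # application protocol the rule targets
    vulns: set = field(default_factory=set)   # vulnerability IDs the rule covers


def impact_level(ev, host_map):
    """Return the FireSIGHT-style impact level (0-4) for one event.

    0: target is outside the monitored networks
    4: target is monitored but has no entry in the network map
    3: target exists but is not running the attacked service on that port
    2: target runs the attacked service, but no mapped vulnerability matches
    1: target runs the service and a mapped vulnerability matches the rule
    """
    if not any(ip_address(ev.dst_ip) in net for net in MONITORED_NETWORKS):
        return 0
    host = host_map.get(ev.dst_ip)
    if host is None:
        return 4
    if host.services.get((ev.proto, ev.dst_port)) != ev.service:
        return 3
    if ev.vulns & host.vulns:
        return 1
    return 2


def recommend_rules(rule_catalog, host_map):
    """Select rule SIDs that cover a vulnerability actually present on some
    host, or (for rules with no vulnerability) inspect a protocol some host runs."""
    present_vulns = set().union(*(h.vulns for h in host_map.values()))
    present_services = {svc for h in host_map.values() for svc in h.services.values()}
    chosen = set()
    for sid, service, vulns in rule_catalog:
        if vulns & present_vulns or (not vulns and service in present_services):
            chosen.add(sid)
    return sorted(chosen)


# Constructed sample network map: a Windows host serving HTTP on tcp/1080
# with one mapped vulnerability, and a Linux host that only runs SSH.
HOST_MAP = {
    "10.0.0.5": HostProfile("10.0.0.5", "Windows", {("tcp", 1080): "http"}, {"V-1"}),
    "10.0.0.7": HostProfile("10.0.0.7", "Linux", {("tcp", 22): "ssh"}),
}

# Constructed rule catalog: (sid, application protocol, vulnerabilities covered).
RULE_CATALOG = [
    (1001, "http", {"V-1"}),    # covers a vulnerability present on 10.0.0.5
    (1002, "http", {"V-9"}),    # covers a vulnerability no host has
    (1003, "ssh", set()),       # generic SSH protocol rule; a host runs SSH
    (1004, "smtp", set()),      # nothing runs SMTP
]

# Constructed events, one per impact level in the order 0, 4, 3, 2, 1.
EVENTS = [
    IntrusionEvent(1001, "192.168.1.10", "tcp", 80, "http", {"V-1"}),   # outside monitored nets
    IntrusionEvent(1001, "10.0.0.99", "tcp", 80, "http", {"V-1"}),      # unknown host
    IntrusionEvent(1001, "10.0.0.7", "tcp", 80, "http", {"V-1"}),       # no HTTP on that host
    IntrusionEvent(1002, "10.0.0.5", "tcp", 1080, "http", {"V-9"}),     # HTTP on 1080, not vulnerable
    IntrusionEvent(1001, "10.0.0.5", "tcp", 1080, "http", {"V-1"}),     # HTTP on 1080 and vulnerable
]


def score_events(events=EVENTS, host_map=HOST_MAP):
    return [impact_level(ev, host_map) for ev in events]


if __name__ == "__main__":
    for ev, level in zip(EVENTS, score_events()):
        print(f"sid {ev.sid} -> {ev.dst_ip}:{ev.dst_port} impact {level}")
    print("recommended rules:", recommend_rules(RULE_CATALOG, HOST_MAP))
```

The port-keyed service map is what makes the non-standard-port case work: an HTTP exploit aimed at tcp/80 on the Windows host scores 3, while the same rule firing on tcp/1080 scores 1.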
FireSIGHT Management Center – Contextual Awareness: Information Superiority

Category                   Examples                     FirePOWER Appliance   Typical IPS   Typical NGFW
Threats                    Attacks, Anomalies           ✔                     ✔             ✔
Users                      AD, LDAP, POP3               ✔                     ✗             ✔
Web Applications           Facebook Chat, Ebay          ✔                     ✗             ✔
Application Protocols      HTTP, SMTP, SSH              ✔                     ✗             ✔
File Transfers             PDF, Office, EXE, JAR        ✔                     ✗             ✔
Malware                    Conficker, Flame             ✔                     ✗             ✗
Command & Control Servers  C&C Security Intelligence    ✔                     ✗             ✗
Client Applications        Firefox, IE6, BitTorrent     ✔                     ✗             ✗
Network Servers            Apache 2.3.1, IIS4           ✔                     ✗             ✗
Operating Systems          Windows, Linux               ✔                     ✗             ✗
Routers & Switches         Cisco, Nortel, Wireless      ✔                     ✗             ✗
Mobile Devices             iPhone, Android, Jail        ✔                     ✗             ✗
Printers                   HP, Xerox, Canon             ✔                     ✗             ✗
VoIP Phones                Avaya, Polycom               ✔                     ✗             ✗
Virtual Machines           VMware, Xen, RHEV            ✔                     ✗             ✗
Host and Event Correlation (v5.3): Indications of Compromise
A host in the network map is flagged when it is seen to exhibit signs of compromise, drawn from:
• Security Intelligence events
• C&C detection via protocol analysis
• Contextual NGIPS events (Impact 1)
• FireAMP endpoint malware events
FireSIGHT Management Center – Threat Information: Malware Detected & Blocked
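Added example (not Cisco code) of the host-and-event correlation described above: a constructed stream of connection, intrusion and FireAMP events is mapped onto the four indicator sources and aggregated per internal host, so that a host with several independent indicators stands out from one that merely received a non-matching attack. The event field names, the "si_category" marker for a Security Intelligence hit and the "Malware-CnC" classification label are assumptions made for this example, not the product's schema.

```python
from ipaddress import ip_address, ip_network

# Internal address space; only internal hosts appear in the network map.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]

# Constructed event stream (field names are assumptions, not eStreamer's schema).
EVENTS = [
    {"ts": 1, "type": "connection", "src": "10.0.0.5", "dst": "203.0.113.9",
     "si_category": "CnC"},                                    # Security Intelligence hit
    {"ts": 2, "type": "intrusion", "src": "198.51.100.4", "dst": "10.0.0.7",
     "sid": 2001, "impact": 2},                                # target not vulnerable
    {"ts": 3, "type": "intrusion", "src": "198.51.100.4", "dst": "10.0.0.5",
     "sid": 2002, "impact": 1},                                # vulnerable target hit
    {"ts": 4, "type": "intrusion", "src": "10.0.0.5", "dst": "203.0.113.9",
     "sid": 3001, "impact": 2, "classification": "Malware-CnC"},  # outbound beaconing
    {"ts": 5, "type": "malware", "host": "10.0.0.8", "source": "FireAMP",
     "disposition": "malware", "file": "invoice.exe"},         # endpoint malware event
    {"ts": 6, "type": "connection", "src": "10.0.0.7", "dst": "198.51.100.20",
     "si_category": None},                                     # ordinary connection
]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETWORKS)


def indicators_for(ev):
    """Yield (host, indicator) pairs for one event; events that are not an
    indication of compromise yield nothing."""
    kind = ev["type"]
    if kind == "connection" and ev.get("si_category"):
        # Security Intelligence hit: flag the internal end of the connection.
        for ip in (ev["src"], ev["dst"]):
            if is_internal(ip):
                yield ip, f"Security Intelligence: {ev['si_category']}"
    elif kind == "intrusion":
        # C&C detected by protocol analysis: the internal source is the victim.
        if ev.get("classification") == "Malware-CnC" and is_internal(ev["src"]):
            yield ev["src"], "C&C detection via protocol analysis"
        # Only impact 1 (vulnerable target) counts; impact 2 and below do not.
        if ev.get("impact") == 1 and is_internal(ev["dst"]):
            yield ev["dst"], f"Impact 1 intrusion event (sid {ev['sid']})"
    elif kind == "malware" and ev.get("disposition") == "malware":
        yield ev["host"], f"{ev['source']} malware event ({ev['file']})"


def correlate(events):
    """Aggregate indicators per host, keeping first and last time seen."""
    hosts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for host, indicator in indicators_for(ev):
            rec = hosts.setdefault(host, {"indicators": set(),
                                          "first_seen": ev["ts"],
                                          "last_seen": ev["ts"]})
            rec["indicators"].add(indicator)
            rec["last_seen"] = ev["ts"]
    return hosts


def compromised_hosts(events=EVENTS):
    """Hosts carrying at least one indication of compromise."""
    return sorted(correlate(events))


if __name__ == "__main__":
    for host, rec in correlate(EVENTS).items():
        print(host, rec["first_seen"], rec["last_seen"], sorted(rec["indicators"]))
```

Note that 10.0.0.7 is never flagged: it was attacked, but with impact 2, which is exactly the noise the impact scoring is meant to suppress.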
Malware Detection: File Extraction & Sandbox Execution
[Figure: anti-malware process – infected file tracking]
1) File capture from network traffic
2) File storage
3) Send to the Collective Security Intelligence sandbox
4) Execution report available in Defense Center → Malware alert!
Anti-Malware Protection & the Attack Continuum
[Figure: AMP capabilities mapped to the continuum, with a Network row and an Endpoint row.]
BEFORE (Control, Enforce, Harden): Contextual Awareness, Control Automation
DURING (Detect, Block, Defend): In-line Threat Detection and Prevention (network); File Execution Blocking (endpoint)
AFTER (Scope, Contain, Remediate): File Retrospection, File Trajectory (network); File Retrospection, File Trajectory, Device Trajectory, File Analysis, Indications of Compromise, Outbreak Control (endpoint)
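Added example (not Cisco's AMP implementation) of the file-tracking flow from the two slides above: each captured file is hashed, stored with an unknown disposition and queued for the sandbox; when the verdict later comes back as malware, every host that already received the file is returned for scoping and containment (file retrospection and file trajectory), and further copies are blocked in-line. The hosts, timestamps and payload are constructed.

```python
import hashlib
from collections import defaultdict


class FileTracker:
    """Tracks files crossing the network by SHA-256: their disposition, which
    hosts received them (trajectory), and which await a sandbox verdict."""

    def __init__(self):
        self.dispositions = {}               # sha256 -> "unknown" | "clean" | "malware"
        self.trajectory = defaultdict(list)  # sha256 -> [(ts, host, action)]
        self.sandbox_queue = []              # sha256 values awaiting execution

    def observe(self, ts, host, data, action="download"):
        """Steps 1-3: capture the file, record the host that received it and
        queue a never-seen file for the sandbox. Returns (sha256, disposition,
        blocked); blocked is True only for files already known to be malware."""
        sha = hashlib.sha256(data).hexdigest()
        if sha not in self.dispositions:
            self.dispositions[sha] = "unknown"
            self.sandbox_queue.append(sha)
        disposition = self.dispositions[sha]
        blocked = disposition == "malware"
        self.trajectory[sha].append((ts, host, "blocked" if blocked else action))
        return sha, disposition, blocked

    def verdict(self, sha, disposition):
        """Step 4: apply the sandbox report. If the file turns out to be malware,
        return every host that already received it (the retrospective alert)."""
        previous = self.dispositions.get(sha, "unknown")
        self.dispositions[sha] = disposition
        if sha in self.sandbox_queue:
            self.sandbox_queue.remove(sha)
        if disposition == "malware" and previous != "malware":
            return sorted({host for _, host, act in self.trajectory[sha]
                           if act != "blocked"})
        return []


def demo():
    """Run the flow on a constructed payload; returns (hosts to scope,
    whether a later copy was blocked, files still awaiting a verdict)."""
    tracker = FileTracker()
    sample = b"constructed sample payload, not real malware"
    sha, _, _ = tracker.observe(1, "10.0.0.5", sample)      # first sighting: unknown
    tracker.observe(2, "10.0.0.7", sample)                   # same file, second host
    affected = tracker.verdict(sha, "malware")               # sandbox reports malware
    _, _, blocked = tracker.observe(3, "10.0.0.9", sample)   # now blocked in-line
    return affected, blocked, len(tracker.sandbox_queue)


if __name__ == "__main__":
    print(demo())
```

The point of the trajectory list is that the "after" phase costs nothing extra to set up: because every sighting was recorded while the disposition was still unknown, the scope of an outbreak is available the moment the verdict changes.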
Hardware & Deployment Options
Sourcefire Architecture
Port / Direction                   Purpose
22 / Bidirectional                 SSH to and from devices
443 / Bidirectional                Defense Center interface, URL Filtering service, security intelligence feeds and FireAMP events
1500, 2000 / Inbound               To Defense Center / FMC for external database access
8302, 8305, 8307 / Bidirectional   eStreamer, device management, host input API
[Figure: two Defense Centers (DC3500) in a high-availability configuration joined by an HA interface; managed devices (3D8250) in clustered and stacked configurations (stacking cable); ASA with Sourcefire Services; a management network carrying management traffic; monitored networks whose monitored traffic flows to the Internet / other resources.]
Sourcefire Hardware Appliances
[Chart: IPS throughput (50 Mbps to 60 Gbps) by model number. Fixed-interface 7000 series: 7010, 7020, 7030, 7110, 7115, 7120, 7125 (1.25 Gbps), 7150 (AMP). Modular-interface 8000 series, some stackable: 8120, 8130, 8140, 8150 (AMP), 8250, 8260, 8270, 8290, 8350* (15 Gbps), 8360*, 8370* (45 Gbps), 8390* (60 Gbps). SSL appliances: SSL1500, SSL2000, SSL8200.]
AMP-optimized appliances: 8150 – 2 Gbps AMP; 7150 – 500 Mbps AMP
All appliances managed via Defense Center, aka FireSIGHT Management Center – available as an appliance or VM, with 2, 10 or 25 device support.
Cisco ASA Product Family – Sourcefire Services Performance Specifications
[Chart: performance and scalability by platform.]
1 RU platforms (ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X) – Branch Office / Internet Edge
• 200 Mbps – 2 Gbps: Firewall
• 100 – 725 Mbps: Next Gen IPS
• 30 – 160 Mbps: NGIPS, AVC, AMP
2 RU platforms (ASA 5585-X with SSP10, SSP20, SSP40, SSP60) – Internet Edge / Campus / Data Center
• 2 – 20 Gbps: Firewall
• 1.2 – 6 Gbps: Next Gen IPS
• 650 Mbps – 2.4 Gbps: NGIPS, AVC, AMP
* Performance numbers to be finalized
Deploying ASA w/ FirePOWER Services
• Available on all ASA platforms
• State-sharing between Firewalls for high availability
• L2 Transparent or L3 Routed deployment options
• Failover Link
• ASA provides valid, normalized flows to FirePOWER module
• State sharing does not occur between FirePOWER Services Modules
High Availability with ASA Failover
Deploying ASA w/ FirePOWER Services
• Up to 8 ASA 5585-X units, each with its FirePOWER (IPS) module, in one cluster
• Stateless load balancing by external switch
• L2 Transparent or L3 Routed deployment options
• Support for vPC, VSS and LACP
• Cluster Control Protocol/Link
• State-sharing between Firewalls for symmetry and high availability
• Every session has a primary and secondary owner ASA
• ASA provides traffic symmetry to FirePOWER module
Scaling IPS with ASA5585-X Clustering
Multi-Context ASA Deployments
• ASA can be configured in multiple-context mode so that traffic passing through different contexts is assigned different policies
• Each context's interfaces are reported to the FirePOWER module and can be assigned to security zones, which are then used as match criteria in differentiated policies
• In the example below, you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside
• Note: the FirePOWER module has no management segmentation comparable to ASA security contexts; the contexts are distinguished inside the module only through security zones
[Figure: Context A and Context B, each with Outside and Inside interfaces, alongside the Admin Context and Context-1.]
FirePOWER Services Demonstration: Monitor-Only Mode (demonstration purposes only currently)
SPAN: FirePOWER Services for ASA in Monitor-Only Mode
Monitor Mode allows FirePOWER Services to analyze traffic without being placed in the data path. The ASA is connected to a SPAN port on a switch or router, and copies of both inbound and outbound packets are sent to the FirePOWER module. This copied traffic bypasses the ASA policy and goes directly to FirePOWER Services, which applies its policies to determine what traffic would have been blocked. After analysis, the copied packets are discarded.
https://communities.cisco.com/docs/DOC-50586
Integrated Threat Defense Across the Attack Continuum
[Figure: the Attack Continuum – BEFORE (Discover, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate) – with Firewall/VPN, NGIPS, Security Intelligence, Web Security and Advanced Malware Protection mapped across it as Visibility and Automation, Granular App Control, Modern Threat Control, Retrospective Security, and IoCs / Incident Response.]
Cisco Threat Defense System – 5000 Foot View
[Chart: capabilities arranged by BEFORE / DURING / AFTER, with a legend distinguishing Cisco-only capabilities, Cisco-and-others capabilities, and management interfaces. Capabilities named: Collective Security Intelligence (CSI); Contextual Device, Network and End-Point Visibility; Classic Stateful Firewall; Gen1 IPS; Application Visibility; Web / URL Controls; AV and Basic Protections; NGIPS; Vulnerability Management*; Client Anti-Malware (AMP); Correlated SIEM Eventing; Incident Control System; Network Anti-Malware Controls (AMP); Behavioral Indications of Compromise; User Identity; NGFW; OpenAppID; SNORT Open IPS; Host Trajectory; Retrospective Analysis; NG Sandbox for Evasive Malware; Auto-Remediation / Dynamic Policies; Integrated Threat Defense System; Agent*; Adaptive Security; Sandboxing; Retrospective Detection; Malware File Trajectory; Threat Hunting; Forensics and Log Management; Dynamic Outbreak Controls; URL and IP Reputation.]
Thank you.