Firepower NGFW Internet Edge Best Practices - Session Presentation


Transcript of Firepower NGFW Internet Edge Best - Session Presentation


Jeff Fanelli - Principal Security Architect [email protected]

Firepower NGFW Internet Edge Best Practices

#jefanell

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS

Firepower NGFW Internet Edge Best Practices

Supercharge your Firepower deployments! This session details multiple Internet edge use cases, with and without remote access and site-to-site VPN. Best practices and configuration examples are provided for DUO Multi-Factor Authentication integration, TLS decryption, AMP, and 3rd-party logging and monitoring. On-box and API management options are also explored. This is NOT an introductory session; attendees should have existing knowledge of Firepower capabilities.

BRKSEC-2112


Important: Hidden Slide Alert

Look for the “For Your Reference” symbol in your PDFs. There is a tremendous amount of hidden content for you to use later (60+ slides)!

Questions? Use Cisco Webex Teams to chat with the speaker after the session

How:

1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.

Cisco Webex Teams: cs.co/ciscolivebot#

About Your Speaker

Jeff Fanelli

Email: [email protected]

Principal Security Architect

Global Security Architect Team

Cisco Live U.S. Security SGM

13 years at Cisco


Cisco Firepower Sessions: Building Blocks (Monday through Thursday)

• BRKSEC-3035 Firepower Platform Deep Dive
• BRKSEC-3300 Advanced IPS Deployment, 13:00
• BRKSEC-2020 Firepower NGFW in the DC and Enterprise, 08:00
• BRKSEC-3328 FMC Internals: Making FMC Do More, 16:00
• BRKSEC-3032 NGFW Clustering Deep Dive, 08:00
• BRKSEC-2112 Firepower Internet Edge Best Practices, 08:00 (We Are Here!)
• BRKSEC-2056 Threat Centric Network Security, 13:00
• BRKSEC-2034 Cloud Management of ASA and FTD with CDO, 16:00
• BRKSEC-2066 Optimizing Your Firepower / FTD Deployment, 13:00
• BRKSEC-2101 Deep Dive on ASA to FTD Migration, Monday 09:30

Agenda

• Management Options

• Internet Edge Use Case

• Security Policy Best Practices

• DUO Multi-Factor Authentication

• Remote Access VPN Use Case

• 3rd Party Integration / monitoring

• APIs


Balancing Risk

End User Experience vs. Security vs. Horsepower

End users want a good experience!

• Fast loading applications

• Uninterrupted file downloads

• No browser errors messages

SecOps wants high security efficacy!

• Full visibility of encrypted traffic

• All network threats blocked

• All files and archives scanned for malware

Advanced Inspection Capabilities use system resources!

• TLS Decryption

• AMP File Inspection

• IPS Inspection


Risk-based Inspection and Control

• Less trustworthy users and devices get more inspection
• Trustworthy apps (SaaS etc.) are trusted by the firewall and inspected in the cloud
• Trust evaluation is continuous and can change!
• Decryption isn’t hard, but measure twice and cut once!

Internet Edge Use Case

Internet Edge

Requirements

Network:
• High Availability (Redundancy)
• Routed Mode
• Remote Access VPN
• Dynamic Routing (OSPF / BGP)
• Dynamic and Static NAT/PAT

Security:
• Application Control along with URL Filtering
• NGIPS and Advanced Malware Protection
• Visibility and Contextual Awareness
• User visibility and identity
• SSL decryption

Solution:
• Firepower NGFW + Firepower Device Manager + API
• Firepower NGFW + Firepower Management Center

(Diagram: ISP / Service Provider, Internet Edge firewalls in HA with Port-Channel and HSRP, DMZ Network, Campus/Private Network)

Management Platform Options

Management designed for the user

• Cisco Firepower Device Manager (FDM): on-box manager, NetOps focused. For easy on-box management of a single FTD or a pair of FTDs running in HA.
• Cisco Defense Orchestrator (CDO): cloud-based centralized manager, NetOps focused. For centralized cloud-based policy management of multiple deployments (*for FTD release 6.4 or higher).
• Cisco Firepower Management Center (FMC): on-premise centralized manager, SecOps focused. Helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment.

Common to all three: APIs and security integrations.

FMC Policy Management

• Centralized on-premise management across multiple Firepower platforms
• Integrates multiple security features into a single access policy
• Reduces manual configuration of policy through inheritance and template use

Firepower NGFW Network Discovery: Provides the right data, at the right time, in the right format

• Discovers applications, users, and hosts through passive analysis of network traffic
• Provides context and helps determine the impact of attacks
• Tune IPS signature sets to devices discovered on the network

Automate Security Response with Correlation Policy

• Automate Security Decisions
• Track Business Outcome
• Trigger Automated Response
  • Email
  • Syslog
  • SNMP
  • Remediation Module
  • Integration with ISE and other Cisco/3rd party products

(Diagram: 100,000 events reduced to 3 events; a Correlation Policy holds Correlation Rules, which generate a Correlation Event that triggers an Action)

Firepower Device Manager (FDM)

Set up easily. Control access and set policies. Automate configuration. Enhanced control.

• Integrated on-box option for single instance deployment
• Physical and virtual options
• Easy set-up NAT and routing
• Role-based access control
• Intrusion and malware prevention
• High availability
• Device monitoring
• VPN support

Unified Firewall Management and Policy: Cisco Defense Orchestrator (CDO)

Unifying management through APIs

• Achieve operational efficiency
• Integrate with ecosystem
• Automate complex tasks at scale
• Everyone can use the APIs for automation
• FDM and CDO use the FTD APIs
• Automation scripts and orchestration tools: NSO, DNAC, Ansible, AlgoSec, Tufin

(Diagram: FTD, FDM, CDO, and FMC connected through the APIs)

Visibility and Analytics Beyond Network Discovery

• Close integration of FMC with AMP for Endpoints
• Standards-based threat indicators (STIX/TAXII)
• Threat Intelligence Director (CTID)
• Drive down TTR with broad detection and collation
• Cisco Threat Response
• Leverage other Cisco and 3rd-party products to extend visibility
• FMC External Cisco Lookups
• Leverage SIEMs with Unified Events

Access Control Policy

Guiding Principles

• Use rule groupings for separation (i.e. inbound vs. outbound rules)
• Use separate rules for highly trusted traffic
• Disable logging (per rule) where not needed

Fully Qualified Domain Name Object Support


FQDN Objects

• FQDN = Fully Qualified Domain Name
• Permit/Deny traffic based on Domain Name (FQDN)
• Ability to resolve the FQDN to IP address
• Useful for any application / protocol

FQDN Objects Workflow

FQDN network objects can be configured in access rules in the source networks and/or destination networks fields.

DNS settings for data and management interfaces are configured from System Settings.

FQDN Objects Workflow

Configuration

• User configures the DNS server group object parameters.

• User associates DNS Server group object to DNS Settings.

• User creates FQDN objects.

• User associates FQDN object in source and/or destination in Access Rule.

• User deploys the configuration.


FQDN Workflow for Firepower Management Center

Configuration

• User Configures the FQDN source and destination objects

• User configures the DNS server object parameters

• Use the DNS object in Platform Settings

• Use the FQDN in Access Rule and deploy the changes


Creating DNS Server Group

Access Control Policy Rule with FQDN Objects on FMC

FQDN network objects can be configured in access rules in the source networks and/or destination networks fields.

Identity Requirements

Authentication and Authorization


Identity Use Cases

• Associate traffic to users and devices (IoT etc.)
• Access based on users, groups and TrustSec tag

Identity methods (method: source; directory; authoritative?):

• Active: forced authentication through the device; LDAP and AD; authoritative: yes
• Passive: identity and IP mapping from AD Agent (best practice!); AD; authoritative: yes
• User Discovery: username scraped from traffic, passive from the wire; LDAP and AD; authoritative: no

User Discovery

• Deduces user identity by passively analyzing network traffic
• Considered non-authoritative
• Cannot be used in access control policies

Active and Passive Authentication

• Passive authentication
  • IP-to-user mappings are learned from ISE or Firepower User Agent
• Active authentication
  • Also called captive portal
  • Redirects user to HTTPS server running on the firewall
  • User authenticates with username and password
• Identity policy
  • Specifies what traffic requires active, passive or no authentication
  • Attached to an access control policy

Passive Authentication

Cisco Firepower User Agent

• Monitors users when they log in and out of hosts or authenticate with Active Directory credentials
• The User Agent does not report failed login attempts
• The agents associate users with IP addresses
• Can use one agent to monitor user activity on up to five Active Directory servers
• Sends encrypted data to up to five Firepower Management Centers

Identity Services Engine Integration

Uses pxGrid protocol to retrieve:
• ISE username (can map to Active Directory)
• Device type profile & location
• TrustSec Scalable Group Tag (SGT)
• ISE-PIC provides username identity only

All ISE retrieved attributes can be used in:
• Access Policies
• Decryption Policies
• QoS Policies

• FMC has 64k tested user limit
• Mappings sent to all firewalls

Firepower Device Manager Passive Identity Support

Identity Services Engine – Passive Identity Connector

• User identity mappings learned by firewall
• Each firewall forms pxGrid peering with ISE / ISE-PIC directly
• Active Directory information only, no TrustSec tag support (*6.5!)
• Ability to filter identity mappings by subnet per firewall

Firepower Device Manager Identity Rule Examples

• Active Identity Rules will use ISE-PIC with HTTP authentication
• Default Passive Auth rule will use ISE-PIC and / or VPN identity sources

IPS Policy

What’s in the Default IPS & Network Access Policies?

Connectivity Over Security
• CVSS score 10, 2 years
• 499 rules
• 15 preprocessors enabled

Balanced Security and Connectivity
• CVSS score 9 or higher, 2 years
• 9250 rules
• 15 preprocessors enabled

Security Over Connectivity
• CVSS score 8 or higher, 3 years
• 12706 rules
• 17 preprocessors enabled

Custom IPS Policy

IPS Policy Customization in Firepower Device Manager

• Signature details
• Ability to set event action:
  • Alert
  • Drop
  • Disabled

Advanced Malware Protection


AMP Best Practices

• Block “forbidden” file types (.exe etc.)
• Block malware in all known file types
• Block malware with additional “local analysis” based on firewall sizing / load
• Detect Files “catch all” to log any file transfers we didn’t inspect

Security Intelligence Policies

Network & URL-Based Security Intelligence

• Block traffic to IP addresses and URLs with bad reputation
• TALOS dynamic feed, 3rd party feeds
• Multiple actions: Allow, Monitor, Block, Interactive Block
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware matches
• Black/White-list IP / URL with one click
• Blocked traffic not subject to additional inspection. Logged separately!

Network & URL-Based Security Intelligence in FDM

• Network (IP address) and URL categories only in Firepower Device Manager
• Part of “Threat License”
• Network (IP address) feed will act on all connections, including encrypted flows!

Security Intelligence Network & URL Categories

• Attacker: Active scanners and blacklisted hosts known for outbound malicious activity
• Malware: Sites that host malware binaries or exploit kits
• Phishing: Sites that host phishing pages
• Spam: Mail hosts that are known for sending spam
• Bots: Sites that host binary malware droppers
• CnC: Sites that host command and control servers for botnets
• Open Proxy: Open proxies that allow anonymous web browsing
• Open Relay: Open mail relays that are known to be used for spam
• Tor Exit Node: Tor exit nodes
• Bogon: Bogon networks and unallocated IP addresses

DNS Inspection (*FMC managed Firepower only)

• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence

Additional Categories for DNS Security Intelligence Feeds

Same categories as Network and URL feeds plus the following:

• DGA: Malware algorithms used to generate a large number of domain names acting as rendezvous points with their command and control servers
• Exploit Kit: Software kit designed to identify software vulnerabilities in client machines
• Response: A list of IPs/URLs which seem to be actively participating in malicious/suspicious activity
• Suspicious: Files that appear to be suspicious and have characteristics that resemble known malware

Best Practices

Decryption Policies

Advanced Malware Protection


Why Decrypt?

• Needed for AMP, IPS and URL Security Intelligence feeds

• Not just for decryption!

• Block connections to “weak” servers

• Needed for micro-application controls (i.e. “Facebook Games”)

• Performed in hardware on Firepower 1000, 2100, 4100, and 9300

• Selective Decrypt is a Best Practice


Decrypt requirements

• Upload Certificate Authority “signing” certificate and private key to Firepower Device Manager (or FMC)

• Trust this certificate on all client devices (think MDM)

• “Decrypt Re-Sign” for Internet sites

• User Identity (optional)


Why selective decrypt?

• Reduced firewall throughput

• Many applications will break:

• Public Key Pinning

• Client certificate authentication

• Clients without Enterprise Certificate Authority trust will get browser errors

• Do not decrypt rules may require breaking sessions (client reset)


How does Firepower know what to decrypt?

Decryption policy rules can match on:

• Zones / Networks / Protocols

• User identity

Need to see the TLS Server hello for these:

• Applications / Risk Levels / Categories

• Certificate Matching / Certificate Distinguished Name / Issuer

• Certificate attributes / expiry

• Cipher Suite & Version

What changes with TLS 1.3?

Decryption policy rules can match on:

• Zones / Networks / Protocols

• User identity

Need to spoof client to match on:

• Applications / Risk Levels / Categories

• Certificate Matching / Certificate Distinguished Name / Issuer

• Certificate attributes / expiry

• Cipher Suite & Version

• If we see the client advertise support for TLS 1.3 and the connection MIGHT match a decrypt rule, we have to spoof
• If we don’t and the server responds with TLS 1.3 we will be blind to the response

What if the server doesn’t advertise TLS 1.3?

• After the spoofed client hello, the server response is seen for the decrypt decision
• The spoofed client hello advertises TLS 1.2 only, called a “downgrade”
• Server certificate cached for next
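The decision the slides describe, as an added simplified model (not Firepower's engine): rules decidable from the Client Hello alone (zone, destination network, user) versus rules that need the Server Hello (application category, certificate), and when a client's TLS 1.3 offer forces the spoofed TLS 1.2-only hello. The policy, zones and addresses are constructed, and destination matching is a string-prefix check for brevity.

```python
from dataclasses import dataclass
from typing import Optional

TLS12, TLS13 = 0x0303, 0x0304          # supported_versions code points

@dataclass
class Flow:
    """Constructed view of a flow at Client Hello time."""
    src_zone: str
    dst_ip: str
    user: Optional[str]
    offered_versions: tuple            # versions the client advertised

@dataclass
class DecryptRule:
    name: str
    action: str                         # "decrypt" or "do_not_decrypt"
    zones: Optional[set] = None         # decidable from the Client Hello alone
    dst_prefix: Optional[str] = None
    users: Optional[set] = None
    app_category: Optional[str] = None  # needs the Server Hello / certificate
    cert_cn: Optional[str] = None

def prehandshake_candidate(rule: DecryptRule, flow: Flow) -> bool:
    """True if nothing known before the Server Hello rules this rule out."""
    if rule.zones is not None and flow.src_zone not in rule.zones:
        return False
    if rule.dst_prefix is not None and not flow.dst_ip.startswith(rule.dst_prefix):
        return False
    if rule.users is not None and flow.user not in rule.users:
        return False
    return True

def needs_server_hello(rule: DecryptRule) -> bool:
    return rule.app_category is not None or rule.cert_cn is not None

def evaluate(rules, flow):
    """Walk rules top-down as a first-match policy.
    Returns (verdict, rule_name, spoof_required)."""
    for i, rule in enumerate(rules):
        if not prehandshake_candidate(rule, flow):
            continue
        if not needs_server_hello(rule):
            # Decided from the Client Hello alone: the server never needs to be seen.
            return rule.action, rule.name, False
        # Undecided until the Server Hello. If any remaining candidate could
        # decrypt and the client offered TLS 1.3, the firewall must send the
        # spoofed TLS 1.2-only Client Hello or it would be blind to the answer.
        might_decrypt = any(r.action == "decrypt"
                            for r in rules[i:] if prehandshake_candidate(r, flow))
        spoof = might_decrypt and TLS13 in flow.offered_versions
        return "needs_server_hello", rule.name, spoof
    return "do_not_decrypt", "default", False

# Constructed policy: network / zone bypasses first, category bypass, then decrypt.
POLICY = [
    DecryptRule("apple-bypass", "do_not_decrypt", dst_prefix="17."),
    DecryptRule("byod-bypass", "do_not_decrypt", zones={"guest"}),
    DecryptRule("banking-bypass", "do_not_decrypt", app_category="banking"),
    DecryptRule("decrypt-corp", "decrypt", zones={"inside"}),
]
```

With this ordering, Apple and guest-network flows never need the spoof; a corporate flow to an unknown site offering TLS 1.3 does, because the banking bypass cannot be decided until the certificate is seen.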


Aggressive TLS 1.3 downgrade client experience?

Client with trusted CA cert installed:

• “Decrypt session” = no client problem

• “Do not decrypt session” when firewall had no cached certificate = browser error

• ERR_SSL_PROTOCOL_ERROR

• SEC_ERROR_BAD_SIGNATURE

• ERR_SSL_VERSION_INTERFERENCE

Client without trusted CA cert installed:

• Constant browser certificate errors
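One reason a downgraded-but-not-decrypted session fails on the client, as an added example (not Cisco code): RFC 8446 has a TLS 1.3-capable server that negotiates TLS 1.2 put a downgrade sentinel in the last 8 bytes of ServerHello.random, and a client that offered TLS 1.3 checks for it. The block builds constructed ServerHello records for the cases above and runs that client-side check; the record builder is minimal and the cipher suite values are placeholders.

```python
import struct

# RFC 8446 section 4.1.3 downgrade sentinels (last 8 bytes of ServerHello.random).
SENTINEL_TLS12 = b"DOWNGRD\x01"   # server supports 1.3 but negotiated 1.2
SENTINEL_TLS11 = b"DOWNGRD\x00"   # server supports 1.3 but negotiated 1.1 or below
TLS12, TLS13 = 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43

def build_server_hello(negotiated: int, random32: bytes) -> bytes:
    """Constructed minimal ServerHello record. TLS 1.3 keeps legacy_version
    0x0303 and signals the real version in supported_versions."""
    cipher = b"\x13\x01" if negotiated == TLS13 else b"\xc0\x2f"
    exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13) if negotiated == TLS13 else b""
    body = (struct.pack("!H", TLS12) + random32 + b"\x00"      # empty session_id
            + cipher + b"\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body        # HandshakeType 2
    return struct.pack("!BHH", 22, TLS12, len(hs)) + hs        # ContentType 22

def parse_server_hello(record: bytes) -> dict:
    ctype, _, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != 22 or hs[0] != 2:
        raise ValueError("not a ServerHello")
    hello = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    random32 = hello[2:34]
    pos = 34
    pos += 1 + hello[pos]                      # skip session_id
    pos += 3                                   # cipher_suite + compression_method
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
        pos += 4 + elen
    return {"version": version, "random": random32}

def client_accepts(record: bytes, client_offered_tls13: bool = True) -> str:
    """The check a TLS 1.3 client runs. Returns 'ok' or the alert reason."""
    sh = parse_server_hello(record)
    if not client_offered_tls13 or sh["version"] >= TLS13:
        return "ok"
    tail = sh["random"][-8:]
    if sh["version"] == TLS12 and tail == SENTINEL_TLS12:
        return "illegal_parameter: downgrade to TLS 1.2 detected"
    if sh["version"] < TLS12 and tail == SENTINEL_TLS11:
        return "illegal_parameter: downgrade below TLS 1.2 detected"
    return "ok"

NO_SENTINEL = bytes(range(32))   # constructed server random with no sentinel tail
# Decrypt session: the firewall answers with its own TLS 1.2 random (no sentinel).
FIREWALL_HELLO = build_server_hello(TLS12, NO_SENTINEL)
# Do-not-decrypt after a downgraded hello: the origin's TLS 1.2 answer, sentinel included.
ORIGIN_HELLO = build_server_hello(TLS12, NO_SENTINEL[:24] + SENTINEL_TLS12)
# No downgrade: the origin negotiates TLS 1.3.
TLS13_HELLO = build_server_hello(TLS13, NO_SENTINEL)
```

A client that never offered TLS 1.3 ignores the sentinel, which is why the downgrade is invisible to older clients but an error for current browsers.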


Disable Aggressive TLS 1.3 downgrade?

Session matching a Decrypt rule:
• Connection is downgraded and the server responds with a TLS 1.2 session
• In some scenarios, if we did not downgrade the client hello we cannot decrypt the TLS 1.3 session and will have to either “Do not decrypt” the flow or block / reset the flow.

Disabling Aggressive downgrade
• In Firepower 6.2.3-7 or later:
  • “system support ssl-client-hello-enabled aggressive_tls13_downgrade false”

(Diagram: trade-off between Security and Usability)

What should I consider excepting from decryption?

• Enterprise SaaS applications
  • Office 365, Cloud Backups, etc.
• Cloud Infrastructure Services
  • Apple / Azure / AWS / GCP
• Traffic from personal devices on guest / segregated networks
• Trusted source networks
• Trusted / managed devices

Do Not Decrypt options

1. By destination network / IP rules (i.e. 17.0.0.0/8 for Apple)

2. By source network (BYOD devices)

3. By server certificate Distinguished Name field (site you don’t want to decrypt)

4. By application / web category (banking, social media etc)


What about other encrypted communications?

• There are several other encrypted transports growing in use:

• QUIC is mostly used by Google (YouTube)

• DNS over HTTPS (optionally used by Firefox) and DNS over TLS

• Blocking these will cause the clients to fall back to standard TLS / DNS


DUO Multi Factor Authentication: RAVPN Use Case

DUO Use Cases for Multi-Factor Authentication

• Multi Factor Authentication (MFA)
• Adaptive MFA
• Mobile security without MDM
• Unified Endpoint Visibility
• Easier Remote Access
• Zero Trust / BeyondCorp

(Diagram: 1. Verify User Trust, 2. Verify Device Trust, 3. Controls for Every App)

Duo & AnyConnect Secure Remote Access

● Secure AnyConnect in < 30 minutes
● User authentication in seconds
● Works with AnyConnect thick client on ASA with (RADIUS & SAML) & SSL VPN
● Firepower & Duo (via RADIUS)

DUO RADIUS Integration with Firepower overview


DUO RADIUS Proxy (Windows or Linux)

• Follow DUO portal instructions for RADIUS Proxy deployment

• Config file contains your DUO account API information

• Optionally, configure RADIUS proxy to authenticate password requests to Active Directory or RADIUS (Cisco ISE)


DUO Administrative Portal

• Create new “Application” -> Cisco RADIUS VPN
• Make note of Integration Key, Secret Key, and API Hostname
• Create global Policy options to choose:
  • authentication methods
  • mobile device requirements

Firepower Management Center + DUO for VPN

• Add DUO RADIUS Group & Server(s)

• Configure VPN Profile

• Primary authentication can be AD / ISE / 3rd party AAA

• Authorization set for DUO RADIUS

• Alternate option to use DUO for primary authentication


Firepower Management Center + DUO for VPN

If using DUO for Authorization only!

AnyConnect + DUO Multi-Factor Authentication Demo

Firepower Management Center Admin Login w/DUO

System -> Users -> External Auth

• Add RADIUS External Auth Object
• Hostname / RADIUS Secret
• Ensure “Timeout” is at least 30 seconds
• Choose “Administrator” as Default User Role

Firepower Management Center + DUO Admin Login

Management access configured for DUO RADIUS Group!

Last step: the DUO RADIUS server must be configured to pass through the RADIUS attribute for the login role.

ISE Example:

Access Type = ACCESS_ACCEPT
cisco-av-pair = fdm.userrole.authority.admin

Firepower Device Manager + RBAC + DUO

• RADIUS support for Management Authentication
• 3 system-defined user roles
  • READ_ONLY
  • READ_WRITE
    • Cannot perform system-critical actions like Upgrade, Restore etc.
  • ADMIN
• Ability to monitor active user sessions and delete a user session

How It Works

(Diagram: numbered RADIUS login flow, steps 1 through 8, continued across two slides)

RADIUS configuration

DUO RADIUS server must be configured to pass through RADIUS Attribute for login role. Role attribute must come from upstream RADIUS server (ISE).

ISE Example (only specify one role!):

Access Type = ACCESS_ACCEPT

cisco-av-pair = fdm.userrole.authority.admin

cisco-av-pair = fdm.userrole.authority.ro

cisco-av-pair = fdm.userrole.authority.rw


Firepower Device Manager Audit Log

User Login Events as well as other user actions (deployments, etc) will show up here.


Firepower VPN RADIUS Attributes

Upstream attributes sent from Firepower Threat Defense to the RADIUS server for VPN connections:

• 146 - Tunnel Group Name or Connection Profile Name
• 150 - Client Type (applicable values: 2 = AnyConnect Client SSL VPN, 6 = AnyConnect Client IPsec VPN (IKEv2))
• 151 - Session Type (applicable values: 1 = AnyConnect Client SSL VPN, 2 = AnyConnect Client IPsec VPN (IKEv2))

RADIUS attributes 146 and 150 are sent for authentication and authorization requests. Use these to determine the authorization policy on the RADIUS server (ISE etc.).

All three (146, 150, and 151) are sent for accounting start, interim-update, and stop requests.
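An added example (not Cisco's or Duo's code) that covers both the login-role cisco-av-pair from the RADIUS configuration slide and the VPN attributes 146/150 above: it encodes and decodes RADIUS Vendor-Specific attributes, applies the “only specify one role!” rule when reading an Access-Accept, and pulls tunnel group and client type out of an Access-Request. Vendor ID 9 is the standard home of cisco-av-pair; placing 146/150/151 under vendor ID 3076 (the Cisco ASA/VPN3000 attribute space) is my assumption, not something the slides state. Packet contents and the tunnel-group name are constructed.

```python
import struct

# RADIUS constants (RFC 2865) and the Cisco vendor spaces this example assumes.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9            # cisco-av-pair is vendor type 1 here
VENDOR_CISCO_ASA = 3076     # assumed space for 146 / 150 / 151 from the slides
AVPAIR, TUNNEL_GROUP_NAME, CLIENT_TYPE, SESSION_TYPE = 1, 146, 150, 151
CLIENT_TYPES = {2: "AnyConnect Client SSL VPN", 6: "AnyConnect Client IPsec VPN (IKEv2)"}
FDM_ROLE_PREFIX = "fdm.userrole.authority."

def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute (RFC 2865 section 5.26)."""
    inner = struct.pack("!IBB", vendor, vtype, len(value) + 2) + value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(inner) + 2) + inner

def packet(code: int, ident: int, attrs: bytes) -> bytes:
    # Constructed packet: the 16-byte authenticator is zeroed because no
    # shared secret is exercised in this offline example.
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs

def vendor_attributes(pkt: bytes):
    """Yield (vendor, vendor_type, value) for every VSA in a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    pos = 20
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        val = pkt[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", val[:4])[0]
            vpos = 4
            while vpos + 2 <= len(val):
                vtype, vlen = val[vpos], val[vpos + 1]
                yield vendor, vtype, val[vpos + 2:vpos + vlen]
                vpos += vlen
        pos += alen

def fdm_role(access_accept: bytes):
    """Role to apply at login: exactly one fdm.userrole.authority.* av-pair,
    as the slide requires; zero or several pairs yields None (reject)."""
    roles = [v.decode()[len(FDM_ROLE_PREFIX):]
             for vendor, vtype, v in vendor_attributes(access_accept)
             if vendor == VENDOR_CISCO and vtype == AVPAIR
             and v.decode(errors="replace").startswith(FDM_ROLE_PREFIX)]
    return roles[0] if len(roles) == 1 else None

def vpn_context(access_request: bytes) -> dict:
    """Extract attributes 146 and 150 from an Access-Request for the
    authorization decision the RADIUS server (ISE etc.) makes."""
    ctx = {}
    for vendor, vtype, v in vendor_attributes(access_request):
        if vendor != VENDOR_CISCO_ASA:
            continue
        if vtype == TUNNEL_GROUP_NAME:
            ctx["tunnel_group"] = v.decode()
        elif vtype == CLIENT_TYPE:
            ctx["client_type"] = CLIENT_TYPES.get(struct.unpack("!I", v)[0], "unknown")
    return ctx

# Constructed sample packets.
ACCEPT_ADMIN = packet(ACCESS_ACCEPT, 1,
                      vsa(VENDOR_CISCO, AVPAIR, b"fdm.userrole.authority.admin"))
ACCEPT_TWO_ROLES = packet(ACCESS_ACCEPT, 2,
                          vsa(VENDOR_CISCO, AVPAIR, b"fdm.userrole.authority.admin")
                          + vsa(VENDOR_CISCO, AVPAIR, b"fdm.userrole.authority.ro"))
VPN_REQUEST = packet(ACCESS_REQUEST, 3,
                     vsa(VENDOR_CISCO_ASA, TUNNEL_GROUP_NAME, b"RAVPN-DUO")
                     + vsa(VENDOR_CISCO_ASA, CLIENT_TYPE, struct.pack("!I", 2)))
```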


Site to Site VPN Use Case

Branch Use Case: WAN Edge Firewall with Direct Internet Access

(Diagram: NGFW with “Outside” interface to the Internet Edge, “Inside” interface to the Local Area Network, and “MPLS” interface to the MPLS WAN with OSPF routing; VPN tunnel across the Internet)

Requirements

Connectivity and Availability
• MPLS Primary Network Connectivity
• Direct Internet Access for LAN Traffic
• VPN Tunnel as WAN Backup (Hub and Spoke)
• Standalone or High Availability NGFW
• Will manage Firewall over VPN

Routing
• OSPF Routing (or BGP) for MPLS WAN
• Static or learned routes for Internet
• Dynamic NAT/PAT for outbound Internet traffic

Security & Identity
• Application Control + URL Acceptable Use
• IPS and Malware protection

Ordered Steps for Remote Site Configuration

1. Create Shared Access Policy
2. Add firewalls to management console
3. Configure Interfaces and static routes on each firewall
4. Configure dynamic routing for dedicated WAN (optional)
5. Configure Shared VPN Policy
6. Deploy policies
7. Re-address firewalls for remote site and bring on-line!

Headquarters and Branch NGFW Example: Shared Access Policy for all sites

• Allow traffic from all Branch and HQ LAN subnets to each other

Adding Firewall to Firepower Management Center

• Host = Out-of-band management IP
• Must be reachable by FMC
• Can add with a temporary “staging” IP if the “NAT ID” field is used (don’t forget this!)
• Device can be set to “offline” in FMC: Devices -> Device Management -> Device tab -> Management

Branch NGFW Use Case – Interface Configuration: Outside / Inside / MPLS interface configuration (Static IP)

• Can have dual MPLS and multiple inside interfaces / LAN segments

Headquarters and Branch NGFW Example: HUB (Headquarters) Static Routes

• Note “floating static routes” for all remote branch subnets to the Internet gateway!

Headquarters and Branch NGFW Example: HQ & Branch OSPF Routing Configuration for MPLS

• Redistributing “connected” and “static” routes to OSPF

Headquarters and Branch NGFW Example: Single Hub & Spoke Site to Site VPN Configuration

• Static “outside” IP addresses on HUB and all Spoke firewalls

Headquarters and Branch NGFW Example: Create Hub and Spoke IKEv2 VPN Topology with all default settings

• DISABLE Reverse Route Injection on the IPsec tab or OSPF routes are ignored

Headquarters and Branch NGFW Example: Dynamic Endpoint option for sites with DHCP Outside Interface

• Set Crypto Map type to Dynamic in the IPsec tab. Hub + Spokes as bi-directional

Headquarters and Branch NGFW Example: Best Practice: Disable Health Monitoring Interface Warnings

• Will prevent FMC warnings when no traffic is seen on an interface

Deploy Configurations To All Firewalls

• FTD configurations are pushed to firewalls over the “STUNNEL” secure communications channel on the management interface
• After configuration deployment, the management interface can be changed for the target site

Manually Changing FTD Management IP Address

A serial console connection to the firewall is easiest (can also be done via SSH):

• configure network ipv4 manual <IP> <MASK> <GW>

Both IPv4 and IPv6 management addresses may be configured and used for SSH to the firewall.

Only IPv4 -or- IPv6 will be used for SFTUNNEL communication to Firepower Management Center.

Bring Spoke Firewalls Online

After connecting interface cables, firewall should come online (verify ICMP ping to next hop on all interfaces)

If no dedicated WAN, spoke VPN tunnel should immediately come up.

Optional: Verify with “show crypto ipsec sa” via CLI.

Don’t forget! Configure FMC with new management IP of device and turn management back on!


Headquarters and Branch NGFW ExampleBest Practice: Use of Groups in FMC for organisation

• GREEN status bubble indicates firewall is online and reachable from FMC

• Same policy sets applied to all branch firewalls


Headquarters and Branch NGFW Example: Benefits and Caveats

• OSPF routes from private WAN will always be preferred

• Routing “failover” time to VPN tunnel will depend upon OSPF Hello & Dead Interval values (must use FlexConfig to change)

• Spoke-to-spoke traffic will transit VPN hub for sites with WAN down (only for static IP spokes!)

• Use dynamic spoke option for DHCP addressed sites.

• Static spoke supports tunnel creation from hub or spoke

• Add “VPN only” network route to keep tunnels forced up


Headquarters and Branch NGFW Example: HQ Firewall Routing Table with all site MPLS links UP

• FTDv-A Hub Site routing table (branch site routing tables will look similar)


Learned OSPF routes from MPLS WAN for Branch LANs


Headquarters and Branch NGFW Example: HQ Firewall Routing Table with MPLS links to FTDv-C Branch DOWN

• FTDv-A Hub Site routing table


OSPF route for Branch LAN replaced by “floating static” route to outside (VPN)


Headquarters and Branch NGFW Example: HQ Firewall Routing Table with MPLS links to FTDv-C Branch DOWN

• FTDv-B Branch routing table


OSPF route for Branch FTDv-C LAN now points to MPLS connected Hub firewall

FTDv-B branch will “talk” through MPLS to the Hub site, then over the VPN connection to FTDv-C

Firepower Instances


Multi-Instance for Firepower 4100/9300


• Allows organizations to deploy independent tenants for multiple departments or customers

• Resource and Management Separation

• Instances are fully independent and fault tolerant

• Smooth workflow enabling faster provisioning

• 7-18 instances (FP9300 and FP4100s only)

• Up to 18 instances per module (54 per chassis) with newest FP9300 SM-56 module.

• Multi-Instance is free – no SKU

[Figure: FTD1, FTD2, FTD3 and FTD4 container instances on one chassis]

Related session: BRKSEC-3035 Firepower Platform Deep Dive, Wednesday 8:00

Monitoring and Event Integration

SNMP, Syslog, NetFlow or eStreamer


Unified Event Service

• Connection & IPS events can be sent directly from FTD

• Events can be sent from management or data interfaces

• SIEM Integration / any syslog server

• eStreamer not required

• Offload connection events from the FMC


Fully Qualified Events / Unified Syslog

• Unifying syslog output between Lina and Snort

• Data Interface support for Snort event syslogs

• Management Interface support for Lina (diagnostic) event syslogs

• Delivery of Snort event syslogs over TCP

• New event ID/category in Snort syslogs to make consumer-side filtering easier

• 430001 - Intrusion Event

• 430002 - Beginning of Connection

• 430003 - End of Connection

• Reduced the size of Snort event syslogs
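As an added example (not part of the presentation), the Python below parses constructed FTD syslog lines, maps the 430001/430002/430003 event IDs to categories for consumer-side filtering, and pulls out intrusion events by Snort priority; the field names in the sample lines are assumptions about the "Key: Value" layout, not copied from a device.

```python
import re
from collections import Counter

# Event IDs that FTD 6.3+ stamps on unified Snort event syslogs (from the slide).
SNORT_EVENT_IDS = {
    430001: "intrusion",
    430002: "connection_start",
    430003: "connection_end",
}

# "%FTD-<severity>-<event id>: <body>"; the body is assumed here to be a
# "Key: Value, Key: Value" list (an assumption about the layout, not a spec).
HEADER_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")
# A value ends only where ", <NextKey>: " begins, so commas inside a Message survive.
FIELD_RE = re.compile(r"(?P<key>[A-Za-z0-9_]+): (?P<val>.*?)(?=, [A-Za-z0-9_]+: |$)")


def parse_ftd_syslog(line):
    """Return a dict for one FTD syslog line, or None if it is not an FTD message."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    event_id = int(m.group("id"))
    fields = {f.group("key"): f.group("val").strip() for f in FIELD_RE.finditer(m.group("body"))}
    return {
        "severity": int(m.group("sev")),
        "event_id": event_id,
        # Anything outside the three Snort IDs is treated as a Lina (diagnostic) message.
        "category": SNORT_EVENT_IDS.get(event_id, "lina"),
        "fields": fields,
    }


def categorize(lines):
    """Consumer-side filtering: count lines per category the way a SIEM rule would."""
    return Counter(ev["category"] for ev in map(parse_ftd_syslog, lines) if ev is not None)


def intrusion_events(lines, max_priority=1):
    """Intrusion events (430001) whose Snort Priority is <= max_priority (1 = highest)."""
    out = []
    for line in lines:
        ev = parse_ftd_syslog(line)
        if ev and ev["category"] == "intrusion" and int(ev["fields"].get("Priority", 99)) <= max_priority:
            out.append(ev)
    return out


# Constructed sample lines (not real device output); field names are assumptions.
SAMPLE_LINES = [
    "<161>2019-06-10T14:02:11Z ftd-edge %FTD-1-430001: EventPriority: High, DeviceUUID: 0000-EXAMPLE, "
    "InstanceID: 1, SrcIP: 10.1.1.25, DstIP: 203.0.113.9, SrcPort: 51022, DstPort: 80, Protocol: tcp, "
    "GID: 1, SID: 1000001, Priority: 1, Classification: Attempted Information Leak, "
    "Message: EXAMPLE-RULE test alert, with a comma",
    "<166>2019-06-10T14:02:10Z ftd-edge %FTD-6-430002: EventPriority: Low, DeviceUUID: 0000-EXAMPLE, "
    "InstanceID: 1, SrcIP: 10.1.1.25, DstIP: 203.0.113.9, SrcPort: 51022, DstPort: 80, Protocol: tcp, "
    "ACPolicy: Internet-Edge, AccessControlRuleName: Allow-Web, AccessControlRuleAction: Allow",
    "<166>2019-06-10T14:02:15Z ftd-edge %FTD-6-430003: EventPriority: Low, DeviceUUID: 0000-EXAMPLE, "
    "InstanceID: 1, SrcIP: 10.1.1.25, DstIP: 203.0.113.9, SrcPort: 51022, DstPort: 80, Protocol: tcp, "
    "InitiatorBytes: 812, ResponderBytes: 4096",
    "<164>2019-06-10T14:02:16Z ftd-edge %FTD-4-106023: Deny tcp src outside:198.51.100.7/4455 "
    "dst inside:10.1.1.40/445 by access-group \"CSM_FW_ACL_\"",
]
```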


Syslog Integration (Pre 6.3)


Event output options

eStreamer APIs

• Intrusion Events

• Intrusion Event Packet Data (optional)

• Intrusion Event Extra Data

• Malware Events

• File Events - SHA, SPERO

• Connection Logs and Security Intelligence Events

• Correlation and White List Events

• Impact Flag Alerts

• Connection Events (optional)

• URL categories

• Rule ids

• AMP endpoint detectors

• Sinkhole Metadata

• SSL

• Network Analysis, Discovery events

FMC Syslog

• Connection Logs

• Health

• IPS (including Impact flags)

• Malware (network, retrospective)

• Discovery events (Host profiles, IOC, port, etc.)

FTD Syslog & NetFlow

• 5 tuple

• NAT

• Routing

• VPN

• IP

• HA

• sessions

• other stateful features


SNMP, Syslog, NetFlow or eStreamer

SNMP support for:

• Firepower NGFW Software

• FXOS / Chassis Manager

• (2100, 4100, 9300)

• Firepower Management Center

Firepower NGFW also supports:

• NetFlow Security Event Logging

• Syslog (for all event types)

• eStreamer (full IPS and Connection details)


FTD Syslog Configuration


FMC Syslog Alert Configuration


eStreamer Overview

• Allows you to stream event data from an FMC, or 7000 or 8000 series device to a client application

• Client Server Model

• Server (FMC) accepts connection requests on port 8302

• Communicates using SSL

• Client application must support SSL-based authentication

• Waits for the client to initiate all communication sessions

• Writes all message fields in network byte order (big endian)

• Encodes text in UTF-8


Configuring eStreamer


Example: QRadar Integration


1. Create Client

2. Select Data Source

3. Download certificates

4. Create Log source on QRadar


Cisco Firepower app for Splunk (new)


Cisco eStreamer app for Splunk


Firepower App

• Intrusion Events by Impact

• Indicators of Compromise

• Malware Sources

• Malware Recipients

• Malware hashes

IBM QRadar


Firepower App for QRadar

• Shows hosts that are potentially compromised

• Which hosts on my network have sent the most malware

• Intrusion events by ‘Impact’ or likelihood of an attack impacting the targeted system

• Malware observed most often on my network

• Shows hosts that are known to be compromised


LiveAction


SolarWinds Orion


Firepower APIs


Firepower Device Manager API


Accessing the API documentation:

https://ftd.example.com/#/api-explorer

https://ftd.example.com/#/help/g_The_API_Explorer.html


Firepower Management Center API


https://fmc/api/api-explorer

API Documentation is built into the API explorer.

Click one of the objects on the left side to view examples.

Latest full documentation available on cisco.com by searching for:

“Firepower Management Center REST API Quick Start Guide”


cMAPLE – Multipurpose API Programming Language Extension

[Figure: cMaple as a hub between FMC, SW, FDM, ISE, Tetration, Syslog, SNMP and other (???) sources]

Existing Problem:

• Export/Import from one FMC to another requires both FMCs to be on the same versions and of same model type

Solution:

• cMAPLE uses the FMC REST API to migrate configuration data between FMCs. No dependency on source or target FMC version/platform.


What is the cMAPLE API tool?

• Enable non-programmers/programmers to access powerful cross-platform API features

• Does not require python installed to run cli file operations

• Provide a real time bus to translate and exchange data between APIs

• Facilitate non-API sources/destinations such as syslog, db, snmp, etc.

• Currently supports AMP, TG, and FMC

• SW, ISE, ASA, SSH, Tetration in progress

• Future – Multi-threading/processor support


cMAPLE for FMC Migration – How it works

• cMAPLE will migrate anything accessible on the source FMC via the API as long as the object can be created via the API on the target FMC

• If an object cannot be created on the target (i.e. the API does not yet support creation for the object such as IPS policy) it will be removed from the containing object.

• Usually the containing policy can be successfully created without the object (will need to be manually added)

• Removed objects will be logged

• This means it is possible to use cMAPLE for downgrade operations


cMAPLE for FMC Migration – How it works

• cMAPLE will recursively discover from a starting API path location all top level objects and all dependent child objects


• If an object with the same name exists on the target, it will not attempt to modify it (i.e. built-ins and other user created objects). However, it will add the existing object to any parent policies referencing it.


Downloading cMAPLE for FMC-Migration

• The cMAPLE github repository is located here:

https://github.com/rhindere/cmaple

• A dedicated scripts directory “scripts/FMC-Migrate_Policy” contains instructions, sample files and binaries for Mac and Windows

• Read and follow the instructions in the README.txt (key points described below)

• Use a plain text editor to modify the following files:

• cmaple_cli_parameters.parameters – common parameters such as username/password

• discover_fmc.operations – Info about the source FMC

• migrate_fmc.operations – Info about the destination FMC


cmaple_cli_parameters.parameters

• Contains common access parameters. If both FMCs use the same admin user/password, you can modify them here.

-rest_admin_user=rest_admin

-rest_admin_password=C1sc0123

-maple_working_dir=.

• Leaving maple_working_dir=. will place all working files and results in the current directory. You may modify this to force creation elsewhere.


discover_fmc.operations and migrate_fmc.operations

• Contains specific information about the source and target FMCs respectively.

• Minimally, the FMC_<src/dst>_host parameters need to be modified:

# vars specific to the <source/destination> fmc

FMC_<src/dst>_host=<ip or fqdn of your host> #Specify your host ip or fqdn here

FMC_<src/dst>_port=443 # Modify if using a different port

FMC_<src/dst>_name=fmc_mig_src #No need to modify, recommend leaving as is

FMC_<src/dst>_user=@rest_admin_user #Change if this FMC user name different from that in parameters file

FMC_<src/dst>_pass=@rest_admin_password #Change if this FMC password is different from that in parameters file


discover_fmc.operations – additional options

• Remove the ‘#’ symbol to discover additional API resource paths. Note, this could significantly increase discovery and migration time if paths with a lot of built-in objects are included (i.e. applications). By default, only NAT and Access Policies are discovered.

#Discover the source objects. Remove the # symbol for elements to be discovered

### Policies

RUN accesspolicies={leaf$RUN leaf}.walk_API_path_gets(url=policy/accesspolicies)

RUN ftdnatpolicies={leaf$RUN leaf}.walk_API_path_gets(url=policy/ftdnatpolicies)

<lines omitted>

### Objects

#RUN anyprotocolportobjects={leaf$RUN leaf}.walk_API_path_gets(url=object/anyprotocolportobjects)

#RUN applicationcategories={leaf$RUN leaf}.walk_API_path_gets(url=object/applicationcategories)

<lines omitted>

#RUN applicationproductivities={leaf$RUN leaf}.walk_API_path_gets(url=object/applicationproductivities)


cMAPLE Additional Information & Caveats

• Both FMCs do not need to be running at the same time. cMAPLE persists the discovery from a given FMC; it can then be applied to a target FMC at any time. The same discovery can be used for multiple FMCs (Gold config)

• CAVEAT: Because the current API model allows multiple NAT objects with the same name, running the migrate multiple times against the same target FMC will result in duplicated NAT policies. These will need to be removed manually. This will be corrected in the future.


Firepower Threat Defense Summary

Security Controls require balance!

• Advanced security capabilities and identity integration allow for granular policies

• Decryption is an important part of a security solution

• DUO and 3rd party integrations provide powerful enhancements


Unified Management

Robust NGFW Feature set

Flexible Deployment

Complete your online session evaluation

• Please complete your session survey after each session. Your feedback is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.

• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.


Continue your education


Related sessions

Walk-in labs

Demos in the Cisco campus

Meet the engineer 1:1 meetings

Thank you


Active Authentication (Captive Portal)


Active Authentication / Captive Portal Use Cases

• Can be used for non-domain endpoints

• Enforces authentication through the browser

• Can augment passive authentication (Fall-back to Active feature)

• Various Supported Authentication types (Basic, NTLM, Kerberos, Form)

• Guest / Non Windows Device Authentication Support

• Multi-realm Support


High Level Configuration Steps

1. Configure a realm

2. Create a certificate/key pair

3. Configure an Identity Policy

4. Modify the access control policy

5. Deploy the identity and access control policy


Create Certificate/Key Pair

• The redirect URL will contain an IP address

HTTP/1.1 307 Proxy Redirect
Location: https://198.19.10.1:885/x.auth?s=Ehf2Y7FP177kbui%2B665%2BYV%2FrX3Mq9Piz8%2BVbQsq%2FpsY%3D&u=http%3A%2F%2Foutside%2F
Connection: close

• To avoid certificate warnings on the endpoint, the IP addresses must be included either as:

• The CN in the Subject

• IP Address entries in the Subject Alternative Name
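An added example, not from the slides: it extracts the redirect target from the 307 response above and checks a certificate (in the dict layout Python's ssl.getpeercert() returns; the certificates here are constructed) for that IP as a Subject Alternative Name IP entry or as the Subject CN, which is the condition the slide gives for avoiding the browser warning.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed 307 response, modelled on the one on the slide (the Location value is
# the slide's URL joined back onto one line).
SAMPLE_REDIRECT = (
    "HTTP/1.1 307 Proxy Redirect\r\n"
    "Location: https://198.19.10.1:885/x.auth?s=Ehf2Y7FP177kbui%2B665%2BYV%2FrX3Mq9Piz8%2BVbQsq%2FpsY%3D"
    "&u=http%3A%2F%2Foutside%2F\r\n"
    "Connection: close\r\n\r\n"
)


def redirect_target(response):
    """Return (host, port) from the Location header of a captive-portal redirect."""
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            parts = urlsplit(value.strip())
            return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    raise ValueError("no Location header in response")


def cert_covers_host(cert, host):
    """Which identity in the portal certificate matches the redirect host.

    `cert` follows the dict layout of ssl.SSLSocket.getpeercert(): 'subject' is a
    tuple of RDNs, 'subjectAltName' a tuple of (type, value) pairs.
    Returns 'san-ip', 'san-dns', 'cn' or None (no match -> browser warning).
    """
    try:
        wanted = ipaddress.ip_address(host)      # the redirect target is an IP literal
    except ValueError:
        wanted = None                            # a hostname; only DNS SANs can match
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address" and wanted is not None and ipaddress.ip_address(value) == wanted:
            return "san-ip"
        if kind == "DNS" and wanted is None and value.lower() == host.lower():
            return "san-dns"
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and value == host:
                return "cn"
    return None


# Constructed certificates in getpeercert() form (no real key material involved).
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "captive.example.com"),),),
    "subjectAltName": (("DNS", "captive.example.com"), ("IP Address", "198.19.10.1")),
}
CERT_DNS_ONLY = {
    "subject": ((("commonName", "captive.example.com"),),),
    "subjectAltName": (("DNS", "captive.example.com"),),
}
CERT_IP_IN_CN = {
    "subject": ((("commonName", "198.19.10.1"),),),
}


def redirect_is_trusted(response, cert):
    """True when the certificate names the exact IP the endpoint will be redirected to."""
    host, _port = redirect_target(response)
    return cert_covers_host(cert, host) is not None
```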


Sample Certificate


Configure an Identity Policy

1. Create an Identity Policy

2. Upload the Certificate/Key pair

3. Create a rule

Case 1: Create passive authentication rule with fall-back to active authentication

Case 2: Create active authentication rule.

4. Save the Identity Policy


Configure Captive Portal


Set up an identity realm (System -> Integration -> Realms) and an identity source (System -> Integration -> Identity Sources)

• To allow Kerberos authentication, LDAPS must be enabled on domain controllers

• There are no specific TLS requirements; enabling LDAPS, as described below, is sufficient.

• Workstations must be able to resolve the sensor's hostname in the Active Directory domain.


Modify the Access Control Policy

1. Edit the desired access control policy

2. Select the Advanced tab

3. Under Identity Policy Settings, un-check the Inherit from base policy checkbox, if necessary

4. Under Identity Policy Settings, select the appropriate identity policy

5. Save the access control policy


Connectivity and Availability


[Figure: routed-mode example with networks 10.1.1.0/24 and 192.168.1.0/24, firewall interface addresses 10.1.1.1 and 192.168.1.1, a host with IP 192.168.1.100 and GW 192.168.1.1; labels NAT and DRP]

Firewall Design: Modes of Operation

• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts.

• Transparent Mode is where the firewall acts as a bridge functioning at L2.

• Transparent mode firewall offers some unique benefits in the DC.

• Transparent deployment is tightly integrated with our ‘best practice’ Data Center designs.

• Integrated Routing and Bridging (IRB) combines both modes. Helpful for grouping “switch ports” in routed mode.


NGFW Interface Modes


• Must choose routed or transparent at deployment

• Must configure IP on BVI in transparent mode

• Integrated Routing and Bridging combines both in routed mode

• Full feature set and state enforcement

• VLAN or VxLAN ID must change during traversal

[Figure: three interface-mode diagrams. Routed: FTD with inside1, inside2, outside and DMZ interfaces. Transparent: FTD bridging inside and outside with a DMZ. Routed with IRB: FTD with BVI:inside, outside and DMZ. Subnets shown: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24 and BVI address 10.1.1.1/24]


FTD Deployment and Interface Modes


• 2 Deployment Modes:

• Routed

• Transparent

• 6 Interface Modes

• Routed

• Switched (BVI)

• Passive

• Passive (ERSPAN)

• Inline pair

• Inline pair with tap

• Note - interface modes can be mixed on a single FTD device

Device modes (Routed, Transparent) are inherited from ASA; the Routed and Switched (BVI) interface modes are inherited from ASA; the Passive, Passive (ERSPAN), Inline pair and Inline pair with tap interface modes are inherited from FirePOWER.


Link and Platform Redundancy Capabilities

Link Redundancy: Resiliency with link failures

• Firewall Link Aggregation – High Availability - Clustering

[Figure: LACP (Link Aggregation Control Protocol) link redundancy; Active / Standby HA; Inter-chassis Clustering combining up to 16 9300 blades or 4100 chassis]


FTD High Availability

• Full flow state replication with NGFW policy verdicts

• Active/Standby operation in all NGFW/NGIPS interface modes

• Interfaces are always up on standby, but any transit traffic is dropped

• MAC learning/spoofing on switchover in transparent NGFW, inline NGIPS

• GARP on switchover in routed NGFW

• Interface and Snort instance (at least 50%) status monitoring

• Zero-downtime upgrades for most applications

• Some packet loss is always expected with failover

[Figure: two FTDs in Active/Standby HA joined by an HA link, each attached to the switches via vPC]


FTD High Availability

• Unlike ASA, the Management interface does not change its IP address on failover

• Data interfaces have an active address and the IP address remains with the active unit

• Standby address configuration is optional, but it is very important that you configure it

• Tune your interface monitoring configuration

• Virtual MAC address configuration avoids traffic disruption in RMA use cases


Change Management

(new for Firepower Device Manager)


What’s New in Firepower Device Manager 6.3

• Deploy button now brings up Pending Changes Dialog

• Option to name a deployment (ticket number, comment)

• Audit page to display various management change events

• Download Configuration option


Pending changes and actions

• Display detailed configuration changes

• Copy the current changes to clipboard in YAML format

• Download the changes in YAML format

• Discard changes


Name deployment job (ticket number, comment)


• Deployment in Progress (can leave and return to check progress)


Audit Log

• Login / logout + deployment events, entity changes

• Audit event details, including the configuration changes

• Filter based on timestamp, Event Type, Entity Type, uuid, etc.

• Predefined Deployment History Filter

• Export config to JSON


High Availability Support & Change Management

(new for Firepower Device Manager)


High Availability (new for FDM)

Pre-Join Criteria

• No interface can be DHCP

• Not already in an HA pair

• No deployment pending


Manage HA Configuration and Actions From UI


Ability to:

• Suspend HA

• Break HA

• Switch Mode (force failover)

All ASA CLI failover show commands also available!


Order of Configuration and Join Actions

• Configure and join primary (controlled by a single button in the UI)

• Wait until primary reports it is active

• Configure and join secondary

• Wait until secondary becomes standby

• Configure failover criteria

• Do not configure the secondary first or it will become active and overwrite the primary. The device whose config you want to keep should be configured and joined first, as the primary.


Features Not Shared in High Availability Mode

• Events are not synced between devices.

• Use failover history to determine if the device was active during a given period of time.

• Task history is not synced between devices.

• Backup and restore are performed independently on each device.


Passive Interface Support

(new for Firepower Device Manager)


Introduction

• Enables passive mode on a physical interface and security zone.

• Allows the user to detect intrusions, malware and URLs without interrupting the traffic flow.

• Allows the user to monitor traffic and demonstrate the abilities of the appliance passively.


Passive interface reporting

• All Network, User, Application, Web and URL reports available for passive traffic

• TLS (SSL) decryption is NOT POSSIBLE for passive interface

• Don’t forget to create a PERMIT rule for Passive interface(s) traffic!


FlexConfig & Smart CLI

(new for Firepower Device Manager)


Allows configuration of advanced features

Configuration for:

• NetFlow Security Event Logging

• SNMP polling

• Advanced routing


NetFlow Export & Deployment log


Feature Overview

• OSPFv2 Routing

• BGP Routing

• Routing objects

• Smart CLI Framework

• Nested duplication

• Multi selection

• Auto-correction configuration

• Delta deployment


FlexConfig


• Provides a way to configure ASA features not exposed directly by Firepower Management Center

• EIGRP / ISIS Routing

• Policy Based Routing

• Equal-cost Multi-path routing

• NetFlow (NSEL) export

• VXLAN

• ALG inspections

• IPv6 header inspection

• BGP-BFD

• Platform Sysopt commands

• WCCP


FlexConfig Policies – should I use them?

• Device-level free form CLI policies that follow ASA syntax

• Supports pre-defined object templates and completely custom objects

• Natively managed feature commands are blacklisted

• Must push an object with negated commands to remove

• FlexConfig is only supported on best-effort basis

• Assume no validation and no interoperability guarantees

• When in doubt, don’t use it

• Use the Deploy Once option; Everytime is for interactions with managed features

• Always select Append rather than Prepend type


FlexConfig for Internet Edge Use Case: Enable ICMP Inspection & Disable DNS Inspection

Prepend FlexConfig:

• Disables DNS Inspection to allow Umbrella DNSCrypt Traffic

Append FlexConfig:

• Enables ICMP and ICMP Error ASA Inspection Engines in Firepower

• Edit FlexConfig Text Object as below


FlexConfig for Internet Edge Use Case: IPv6 Prefix Delegation (IPv6-PD)

Prepend FlexConfig:

• Clears IPv6-PD on each deployment

Append FlexConfig:

• Enables outside interface (recipient of delegated prefix) for IPv6 prefix delegation

• Assigns one or more inside interfaces with a subnet and address from delegated prefix

• Trust IPv6 default route from IPv6 DHCP Server (Neighbour Advertisement)


Equal Cost Multi-Path Internet with Traffic Zones

1. The zone creation command should be deployed only once. Also, notice the additional “ECMP” keyword compared to the corresponding ASA command.

2. The zone-member command should be deployed every time because FMC overwrites interface configurations during each deployment.

3. Use the FlexObjects in a FlexPolicy and deploy the changes to the device

Traffic zone configuration can be used for:

1. Traffic Load-balancing (ECMP)

2. Route redundancy

3. Asymmetric traffic handling

Pre-filter & Access Policies


Logical Packet Flow

[Figure: packet flow through FTD. Lina (data plane): Packet RX, Ingress Checks, Flow Lookup (Existing / New), Prefilter Policy (Block / Fastpath / Pointer to Snort), Clustering, VPN, Flow Creation, Egress Checks, Packet TX. Snort: Main Access Policy, IP Reputation / SI, Normalization, Flow Lookup, Anomaly, NGIPS, AMP, Verdict returned to Lina]


Prefilter Policy (Optional) – Based on L2-L4 flow Attributes


• First access control phase in Data Plane for each new flow

• Block: Deny the flow without any further processing

• Fastpath: Allow and process entirely in Data Plane, attempt Flow Offload

• Analyze: Pass for evaluation in Main AP, optionally assign tunnel zone

• Use correctly -- not a “high performance” substitute to NGFW policies

• Limited early IP blacklisting

• Tunneled traffic inspection

• Allowing high-bandwidth and low latency trusted flows (Flow Offload)


Access Policy – Based on Layer 2 - Layer 7 Flow Attributes

• Primary access control phase in Snort

• Block [with reset]: Deny connection [and TCP RST]

• Interactive Block [with reset]: Show HTTP(S) block page [and TCP RST]

• Monitor: Log event and continue policy evaluation

• Trust: Push all subsequent flow processing into Data Plane only

• Allow: Permit connection to go through NGIPS/File inspection

• Appropriate place for implementing NGFW policy rules

• Full NGFW traffic selection criteria

• Decisions may need multiple packets


Access Control Policy Blocking Example


Pre-filter Fastpath and Access Rule Trust Difference? Both methods bypass Snort Inspection!

• Access Policy Trust: can be defined based on L4-L7 parameters

• Prefilter Policy Fastpath: based on L2-L4 flow attributes
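The two-phase evaluation described on the Prefilter Policy and Access Policy slides and summarised here, as an added example that is not the presenter's code: a simplified Python model of a new flow passing the data-plane prefilter (L2-L4 criteria; block/fastpath/analyze) and then the Snort access policy (monitor, trust, allow, block), reporting whether Snort saw the flow and whether NGIPS/file inspection applies. The rule and flow values are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    app: Optional[str] = None            # L7 attributes that only Snort can see
    url_category: Optional[str] = None


@dataclass
class Rule:
    name: str
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    app: Optional[str] = None            # L7 criteria: legal in access rules only
    url_category: Optional[str] = None

    def is_l2_l4(self):
        return self.app is None and self.url_category is None

    def matches(self, f):
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport)
                and self.app in (None, f.app)
                and self.url_category in (None, f.url_category))


PREFILTER_ACTIONS = {"block", "fastpath", "analyze"}
ACCESS_ACTIONS = {"block", "block_reset", "interactive_block", "monitor", "trust", "allow"}


def evaluate(flow, prefilter, access, default="block"):
    """Run one new flow through the prefilter (Lina) and then the access policy (Snort).

    Returns: verdict, the rule that decided, whether Snort saw the flow, whether
    NGIPS/file inspection applies, and the monitor rules that logged it.
    """
    result = {"verdict": default, "rule": "default", "snort": False,
              "inspected": False, "monitor_log": []}
    for r in prefilter:                   # phase 1: data plane, first match wins
        if r.action not in PREFILTER_ACTIONS or not r.is_l2_l4():
            raise ValueError(f"prefilter rule {r.name}: L2-L4 criteria and block/fastpath/analyze only")
        if r.matches(flow):
            if r.action == "block":
                return {**result, "verdict": "block", "rule": r.name}
            if r.action == "fastpath":    # stays in the data plane (flow offload candidate)
                return {**result, "verdict": "allow", "rule": r.name}
            break                         # analyze: hand the flow to the main access policy
    result["snort"] = True
    for r in access:                      # phase 2: Snort, monitor rules do not stop evaluation
        if r.action not in ACCESS_ACTIONS:
            raise ValueError(f"access rule {r.name}: unknown action {r.action}")
        if not r.matches(flow):
            continue
        if r.action == "monitor":
            result["monitor_log"].append(r.name)
            continue
        result["rule"] = r.name
        if r.action == "trust":           # remaining processing pushed back to the data plane
            return {**result, "verdict": "allow"}
        if r.action == "allow":           # goes through NGIPS / file inspection
            return {**result, "verdict": "allow", "inspected": True}
        return {**result, "verdict": r.action}
    return result


# Constructed example policies for an Internet-edge FTD (not the presenter's).
PREFILTER = [
    Rule("Block-Telnet-In", "block", dst="10.1.1.0/24", proto="tcp", dport=23),
    Rule("Fastpath-Backup", "fastpath", src="10.1.1.0/24", dst="10.1.2.0/24", proto="tcp", dport=10000),
]
ACCESS = [
    Rule("Monitor-Outbound-Web", "monitor", src="10.1.1.0/24", proto="tcp", dport=443),
    Rule("Trust-Video-Conf", "trust", src="10.1.1.0/24", app="webex"),
    Rule("Block-Malware-Sites", "block_reset", url_category="Malware Sites"),
    Rule("Allow-Web", "allow", src="10.1.1.0/24", proto="tcp", dport=443),
]
```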


Identity Policy based on Passive Authentication


Must be created separately; it attaches to the Access Control Policy


Access Control Policy Identity Control: Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)


TrustSec Scalable Group Tag based identity from ISE: Can also reference Identity Services Engine identified Device Profiles


ISE Remediation using pxGrid


Active Directory “Realm” Configuration

• Realm configuration used in Identity Policy

• User and Group downloads used in Access Policy

• Can have Multiple Entries

• LDAP / LDAPS


Identity Services Engine pxGrid Integration

• MUST install ROOT certificate (chain) on FMC that signed ISE pxGrid Cert

• MUST install ROOT certificate (chain) on ISE that signed FMC Cert

• Private keys not needed (of course!)


External Authentication for Administration

• LDAP / AD or RADIUS

• Example allows “External Users” to be defined that exist in Active-Directory for FMC or shell login

• Can stack multiple methods


Rate limiting Cloud File Sharing Traffic

QoS Policy is a new policy type with separate policy table

Not associated with an Access Control Policy – directly associated with devices


Remote Access VPNUse Case

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS

Remote User Use Case Remote Access VPN for Roaming User

192BRKSEC-2112

Requirements

Connectivity and Availability

• Secure SSL/IPsec AnyConnect access to corporate network

Routing

• Support for Split Tunnelling or Backhauling to handle traffic from remote users to the Internet.

Security and Identity

• AMP and File inspection Policy to monitor roaming user data.

• Identity based advanced application level inspection can be enabled to enforce security on inbound Remote Access User data.

• Monitoring and troubleshooting tools to monitor remote access activity and simplify troubleshooting.

[Topology diagram: ISP – Internet Edge – FP2100 in HA – Campus/Private Network]

Remote Access VPN Management Comparison

Firepower Device Manager

• AnyConnect SSL/IPSec Support

• Active Directory or Local Auth

• API Orchestration Support

Coming soon (6.4):

• RADIUS + ISE Posture / DUO MFA

• Multiple Connection Profiles

Firepower Management Center

• AnyConnect SSL/IPSec Support

• Active Directory or RADIUS Auth

• Multiple Connection Profiles

• API Orchestration Support

• ISE Posture / Change of Authorization

• DUO Multi Factor Authentication

Local User Authentication as Primary or Fallback Identity Source


Remote Access VPN

• AnyConnect client-based VPN

• Limitations:

• No clientless VPN support (client download only)

• No legacy Cisco IPsec IKEv1 client support

• No Dynamic Access Policies


Firepower AnyConnect Remote Access

Before You Start Wizard:

1. Configure Realm or RADIUS Server Group for authentication

2. Upload AnyConnect package(s) (can pull from Cisco during wizard)

3. Have Firepower device interfaces and routing configured

4. Install Self-Signed Certificate or enroll device with public CA

Firepower AnyConnect Remote Access

Configuration Wizard Steps:

1. (Group) Policy Assignment

2. Connection Profile Creation

3. AnyConnect package selection

4. Access & Certificates


Firepower AnyConnect Remote Access

Connection Profile:

1. Name (mandatory)

2. Authentication Method (AAA = username + password)

3. IPv4 / IPv6 Address Pool(s)

4. Group Policy Selection (can use default)

Firepower AnyConnect Remote Access

AnyConnect client software selection:

• Upload from your workstation

• Download from Cisco.com using Wizard (need CCO credentials)


Firepower AnyConnect Remote Access

Interface Selection & Certificate:

1. Choose Interface / Zone

2. Choose Interface Identity Certificate

3. Optional: Create Self-Signed Certificate

4. Can also enroll device in a public Certificate Authority (best practice)

Firepower AnyConnect Remote Access

• Configuration Summary

• Recommended Next Steps


Firepower AnyConnect Remote Access

Don’t forget!

1. Allow VPN traffic from Outside zone in your Access Policy!

2. Exempt traffic to and from your VPN subnet from NAT!

3. Disable proxy ARP in your NAT Exempt rule
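The three "don't forget" items above are the checks that most often get missed after the wizard finishes. As an added example (not from the session deck and not Cisco code), the following script audits a simplified, constructed model of the device's manual NAT rules and access rules for exactly those conditions: an identity (NAT exempt) rule for the VPN pool ordered ahead of any PAT rule, proxy ARP disabled on that rule, and an allow rule from the outside zone for the pool. The field names (`orig_src`, `trans_src`, `no_proxy_arp`, `src_zone`, ...) and the subnets are this example's own assumptions, not the FMC API schema.

```python
import ipaddress

# Constructed example configuration. The field names are this example's own
# simplified model of FTD manual NAT and access rules, not the FMC API schema.
VPN_POOL = "10.99.0.0/24"        # assumed AnyConnect IPv4 address pool
INSIDE_NETS = ["10.10.0.0/16"]   # assumed corporate subnets reachable over the VPN

NAT_RULES = [  # manual NAT is evaluated top-down; the first matching rule wins
    {"name": "vpn-nat-exempt", "type": "static",
     "orig_src": "10.10.0.0/16", "trans_src": "10.10.0.0/16",
     "orig_dst": "10.99.0.0/24", "trans_dst": "10.99.0.0/24",
     "no_proxy_arp": True},
    {"name": "inside-pat", "type": "dynamic",
     "orig_src": "10.10.0.0/16", "trans_src": "interface",
     "orig_dst": "any", "trans_dst": "any",
     "no_proxy_arp": False},
]

ACCESS_RULES = [  # access control rules, simplified to zone, networks and action
    {"name": "allow-vpn-users", "src_zone": "outside",
     "src": "10.99.0.0/24", "dst": "10.10.0.0/16", "action": "allow"},
]


def _covers(spec, net):
    """True when a rule field ('any' or a CIDR) matches every address in net."""
    return spec == "any" or ipaddress.ip_network(spec).supernet_of(ipaddress.ip_network(net))


def audit_nat_exempt(rules, vpn_pool, inside_nets):
    """Return findings for the NAT exempt check; an empty list means it passes."""
    findings = []
    for net in inside_nets:
        # First rule whose original source/destination match inside -> VPN pool traffic.
        hit = next((r for r in rules
                    if _covers(r["orig_src"], net) and _covers(r["orig_dst"], vpn_pool)), None)
        if hit is None:
            findings.append(f"{net}: no rule matches traffic to {vpn_pool}; "
                            "add an identity (NAT exempt) rule")
            continue
        identity = (hit["type"] == "static"
                    and hit["trans_src"] == hit["orig_src"]
                    and hit["trans_dst"] == hit["orig_dst"])
        if not identity:
            findings.append(f"{net}: first matching rule '{hit['name']}' translates "
                            "VPN-bound traffic; move the NAT exempt rule above it")
            continue
        if not hit.get("no_proxy_arp", False):
            findings.append(f"{net}: exempt rule '{hit['name']}' still has proxy ARP enabled")
    return findings


def audit_access_policy(rules, vpn_pool, inside_nets):
    """Return findings when no allow rule admits the VPN pool from the outside zone."""
    findings = []
    for net in inside_nets:
        hit = next((r for r in rules
                    if r["src_zone"] == "outside"
                    and _covers(r["src"], vpn_pool) and _covers(r["dst"], net)), None)
        if hit is None or hit["action"] != "allow":
            findings.append(f"{net}: no allow rule from the outside zone for VPN pool {vpn_pool}")
    return findings


if __name__ == "__main__":
    for finding in audit_nat_exempt(NAT_RULES, VPN_POOL, INSIDE_NETS) + \
            audit_access_policy(ACCESS_RULES, VPN_POOL, INSIDE_NETS):
        print(finding)
    print("audit complete")
```

Reordering `NAT_RULES` so the PAT rule comes first reproduces the classic symptom (VPN users can reach the Internet but not inside hosts), and the audit reports the ordering rather than the proxy ARP setting, since only the first matching rule is ever applied.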


RA VPN Wizard Summary (FMC)


RA VPN Configuration Wizard (FDM)


RA VPN Licensing

• Smart License support is provided for the following RA VPN license types and combinations

• VPN-only

• Apex

• Plus

• Apex and Plus

• A valid Smart license token is required for any of the RA VPN licenses

• RA VPN deployment is not supported in Smart license evaluation mode

• Configuration cannot be deployed to a device unless the device has entitlement for at least one RA VPN license

• Health events and licensing alerts are shown when licenses go out of compliance

Licensing in FMC Device Management Page

RA VPN Components

• Access interfaces – determine interfaces to be used by RA VPN

  • SSL settings, such as access ports

  • IKEv2 settings, such as certificate

• AnyConnect image – client package to be installed on the endpoint

• AnyConnect client profile – XML can be uploaded into the FMC as a file object

  • Referenced in the group policy and downloaded to the endpoint while the VPN connection is initiating

  • Includes many parameters for the AnyConnect client

• Connection profiles – determine how authentication is performed

• Group policies – a set of user-oriented attribute/value pairs for RA VPN users

  • DNS/WINS, SSL/DTLS, timeouts, client bypass protocol and DHCP network scope

  • Split tunnel and split DNS configuration

  • VPN filter, egress VLAN and client firewall rules

  • AnyConnect client profile, SSL/DTLS settings and connection settings

Objects Associated with RA VPN


Modifying Other RA VPN Components


Dashboard Widgets


Remote Access VPN User Activity


Troubleshooting


Advanced Troubleshooting


Remote Access VPN: Feature Differences Between NGFW & ASA

Features provided in NGFW:

• Next generation security

• Basic AAA (authentication, authorization, accounting)

  • LDAP/AD, client certificate, RADIUS attributes, DACLs, time ranges

• Time ranges

• AnyConnect client

• Proxy/DNS/WINS server assignment

• Simple configuration

• Session monitoring and control

Additional advanced features supported by ASA:

• Advanced AAA

  • Kerberos, TACACS, SAM, RSA SDI, Local Authentication, RADIUS CoA

• Host scan/Endpoint assessment

• AnyConnect client customisation

• Dynamic Access Policies (DAP)

• LDAP attribute map

• VPN Load Balancing

• Clientless RA VPN

TLS Decryption


Customer Use Case

• Protect the network from threats from remote TLS servers

• Called the outbound or unknown key case

• Example: Malware downloaded over HTTPS by users surfing the web.

• Protect the network from attacks on internal TLS servers

• Called the inbound or known key case

• Example: Protect DMZ HTTPS servers from intrusion attacks


Challenges

• Inspection fails for some applications

• No end-user notifications unless traffic is decrypted

• Inspection fails for some client/server combinations

• Load on the firewall creates throughput degradation

  • Currently TLS decryption is performed in software

  • TLS decryption will move to hardware (roadmap / release beta)

Best Practices

• Block TLS traffic without decrypting

  • Block URL categories

  • Block Application (approx. 400 applications can be identified)

  • Block based on certificate status, TLS version or cipher suite

• Use Replace Key Only feature

• Enable logging to help troubleshooting

Granular TLS Decrypt: can specify by application, certificate fields / status, ciphers, etc.

Decrypt cert required!

Transport Layer Security


• Secure Sockets Layer (SSL) is broken, obsolete and no longer in use

• Transport Layer Security (TLS) is the current generic protocol layer

• Some detectors do not need decryption without Diffie-Hellman (DH)

• Cleartext SNI extension indicates where client may be going – spoofable

• ServerCertificate contains server identity – legitimate if CA is trusted

• Man-in-the-Middle (MITM) inspection is inevitable with TLS 1.3

TLS 1.2 handshake as shown on the slide (Client on the left, Server on the right):

PKI Phase

  Client -> Server: ClientHello, Server Name Identifier (SNI)

  Server -> Client: ServerHello, ServerCertificate, ServerHelloDone

  Client -> Server: ClientKeyExchange, ChangeCipherSpec, Finished

  Server -> Client: ChangeCipherSpec, Finished

Bulk Data Phase

  Client <-> Server: ApplicationData
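The "block without decrypting" best practices earlier in this section and the handshake above both rest on the same fact: the ClientHello is cleartext, so the SNI, the offered protocol versions and the cipher suites are visible before any decrypt decision is made. As an added example (not from the session deck and not Cisco code), the script below builds a constructed ClientHello record, parses those fields back out, and applies an illustrative pre-decrypt policy of the kind the slides describe. The cipher-suite numbers are real IANA identifiers; the hostnames, the blocked-suffix list and the policy outcomes are assumptions made for the example. The SNI is client-supplied, which is why the slide calls it spoofable and why a block on SNI is a hint, not proof of destination.

```python
import struct

# Real IANA cipher-suite identifiers used by the illustrative policy below.
WEAK_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
TLS12, TLS13 = 0x0303, 0x0304


def build_client_hello(sni, cipher_suites, version=TLS12, supported_versions=None):
    """Build a TLS record holding a ClientHello (constructed test input, not a capture)."""
    host = sni.encode("ascii")
    entry = struct.pack("!BH", 0, len(host)) + host                 # host_name entry
    name_list = struct.pack("!H", len(entry)) + entry               # ServerNameList
    exts = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # ext 0 = server_name
    if supported_versions:                                          # ext 43, sent by TLS 1.3 clients
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", 0x002B, len(vers) + 1) + bytes([len(vers)]) + vers
    body = (
        struct.pack("!H", version)
        + bytes(32)                                                 # client random (zeros, constructed)
        + b"\x00"                                                   # empty session_id
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", c) for c in cipher_suites)
        + b"\x01\x00"                                               # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cleartext fields a decrypt policy can key on: SNI, versions, cipher suites."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                                   # legacy_version, random
    pos += 1 + body[pos]                                            # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                            # compression_methods
    sni, max_version = None, version
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0:   # server_name / host_name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == 0x002B and data:                           # supported_versions
                offered = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
                max_version = max(offered + [version])
    return {"version": version, "max_version": max_version, "sni": sni, "cipher_suites": suites}


def evaluate(hello, blocked_sni_suffixes=()):
    """Illustrative pre-decrypt policy: decide on what is visible without decrypting."""
    if hello["max_version"] < TLS12:
        return "block: legacy TLS version"
    if hello["sni"] and any(hello["sni"].endswith(s) for s in blocked_sni_suffixes):
        return "block: SNI matches blocked category"   # SNI is client-supplied: a hint, not proof
    if hello["cipher_suites"] and all(c in WEAK_SUITES for c in hello["cipher_suites"]):
        return "block: only weak cipher suites offered"
    return "allow: eligible for decrypt and inspect"


if __name__ == "__main__":
    rec = build_client_hello("www.example.com", [0xC02F, 0x000A], supported_versions=[TLS13, TLS12])
    hello = parse_client_hello(rec)
    print(hello)
    print(evaluate(hello, [".example.net"]))
```

Note that a TLS 1.3 client still puts 0x0303 in the legacy version field and announces 1.3 only in the supported_versions extension, which is why the parser reports both `version` and `max_version`; a policy keyed on the record version alone would misclassify every TLS 1.3 ClientHello.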

Transport Layer Security


• MITM TLS inspection is two separate sessions with client and server

• Resign mode breaks with Public Key Pinning, not Certificate Pinning

• Client certificate authentication or custom encryption always break MITM

• Hardware acceleration of PKI and Bulk Data phases still leans on x86

• 3-4 times performance improvement with large transfers (Bulk Data)

• 7-8 times performance improvement with a transactional profile (PKI)

[Diagram: MITM TLS inspection as two sessions. Client side: Client Public Key and FTD Public Key. Server side: Server Public Key and FTD (Resign) or Server (Known) Public Key. The x86 CPU and the Crypto Engine are connected over the CPU Bus.]

TLS Hardware Acceleration Architecture

[Diagram comparing Software SSL and Hardware Accelerated SSL. In both, TLS endpoints on either side pass through the Hardware Data Plane and the NGFW Inspection and Policy Enforcement layer; with Software SSL the crypto runs on x86, while with Hardware Accelerated SSL the crypto is offloaded and decrypted traffic is handed to inspection.]

Limitations and Workarounds

• At 6.3 FCS, SSL Hardware Acceleration IS officially released / supported, and enabled by default.

• Must use CLI to enable in 6.2.3.

• If a customer encounters a blocking issue that only shows up in Hardware Acceleration mode, they should toggle back to Software mode until the engineering team can provide a Hardware mode workaround or fix.


Lina Debug CLI

• For live troubleshooting of traffic going through the box, new Lina debug CLI commands.

• Log into the enable mode of the lina terminal on FTD:

    > ssh admin@[ftd]
    > expert
    $ sudo su
    # lina_cli
    > en

• # debug snort tls-offload

  This will print out error debug logs for the proxy, tracker, and dispatcher (packetizer) modules.

• # debug snort tls-offload [all | tracker | proxy | dispatcher] [error | event | packet]

  This allows you to specify which lina component prints errors, events, or packet data to the terminal.

• To turn these commands off, run: # no debug snort tls-offload

• # show snort tls-offload

  This will display statistics related to packets encrypted and decrypted by Snort in HW acceleration mode.

• # clear snort tls-offload

  This will clear the statistics.