Do I still need a Firewall?
Szilard Csordas, IT Security Consultant
Cisco Connect Slovenija 2019
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cat And Mouse Game
(timeline figure: where attackers have focused over time, moving from the computer OS to the internet browser, browser plugins, PowerShell, IoT, phishing, etc.)
Vulnerabilities – Low hanging fruit is on the decline
High Severity Vulnerabilities and Patch Management
Why Tuning Matters
Default detection (vendor feeds):
• IPS detection capabilities enabled: recon, protocol abuse, etc.
• Vendor signatures: Heartbleed, general Java vulnerabilities, exploit kits, Flash vulnerabilities, etc.
• 50% to 75% effective
Your vulnerabilities (server, host and configuration issues): require tuning
We Can Always Patch, Right?
Weak Software Engineering
One device, one engineer, 14-day study: how many vulnerabilities?
• A crypto error led to...
• full console access, which led to...
• remote code execution, which discovered...
• hard-coded backdoor credentials.
7 new vulnerabilities identified (plus susceptibility to 4 known vulns)
Source: https://blog.talosintelligence.com/2017/04/moxa-box.html
Snort rules: 40758, 40820-40822, 40880, 40916, 41085, 41097, 41102-41105, 41220-41223, 41352
Top Snort rules in 2018 (https://blog.talosintelligence.com/2019/02/2018-in-snort-signatures.html)
• No. 1: 1:46237:1 "PUA-OTHER Cryptocurrency Miner outbound connection attempt" and 1:45549:4 "PUA-OTHER XMRig cryptocurrency mining pool connection attempt"
• No. 2: 1:35030:1 and 1:23493:6 "Win.Trojan.Zeus variant outbound connection"
• No. 3: 1:39867:4 "Suspicious .tk dns query"
• No. 4: 1:41978:5 "Microsoft Windows SMB remote code execution attempt"
• No. 5: 1:43687:2 "suspicious .top dns query"
New players
• Evolution of endpoint protection
• Improvement in network telemetry (behaviour-based detection)
• Leverage cloud intelligence and machine learning
• Fabric-integrated security services (ACI, SDA, NSX, AWS security groups, ...)
• Statistical models
Why do we still need firewalls?
• Fast stateful firewall, segmentation, advanced NAT and VPN functionality
• Deep inspection: IPS, anti-malware, DLP
• IPS rules are still the fastest mitigation: patching, EDR deployment, etc. take time
• We still need them, but they have to evolve: integration capabilities (vulnerability scanners, authentication systems, SIEM); correlating data; leveraging cloud intelligence; local analytics; enhanced NetFlow (Cisco Encrypted Traffic Analytics)
Firepower Intrusion Prevention System (IPS)
• Based on the Snort 2.9 IPS engine (Snort 3.0 is coming with big improvements)
• Rules are written by Cisco Talos; community and custom rules are supported as well
• IPS events carry an impact score, calculated automatically
• "Out of the box" base policies select rules by CVSS score and age:
  • Connectivity over Security: CVSS 10, this year and the 2 previous years
  • Balanced Security and Connectivity: CVSS 9+, this year and the 2 previous years (plus more categories, e.g. CnC)
  • Security over Connectivity: CVSS 8+, this year and the 3 previous years, plus additional categories
  • Maximum Detection: CVSS 7.5+, almost everything since 2005
• Automatic rule tuning: Firepower Recommendations
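The base-policy thresholds above decide which rules run before any tuning, and the Firepower Recommendations feature closes the gap between those defaults and the vulnerabilities actually present on profiled hosts. The following is an added example, not Cisco code and not how FMC implements its policies internally: it encodes the CVSS and age thresholds from the slide, applies them to a constructed rule set (SIDs and CVE labels are placeholders), and shows what a recommendation pass would turn on for a host with known vulnerabilities. The category sets for Security over Connectivity and Maximum Detection beyond "cnc" are assumptions, since the slide only says "additional categories".

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class SnortRule:
    sid: int
    cvss: float                       # highest CVSS of the vulnerabilities the rule covers
    year: int                         # year of the underlying vulnerability
    category: str                     # "exploit", "cnc", "malware", ...
    cves: FrozenSet[str] = frozenset()  # vulnerability ids the rule references


# policy -> (minimum CVSS, previous years included, categories enabled regardless of CVSS)
# Thresholds are from the slide; the category sets beyond "cnc" are assumptions.
# years_back=None means "everything since 2005" (Maximum Detection).
BASE_POLICIES = {
    "connectivity": (10.0, 2, frozenset()),
    "balanced": (9.0, 2, frozenset({"cnc"})),
    "security": (8.0, 3, frozenset({"cnc", "malware"})),
    "max_detection": (7.5, None, frozenset({"cnc", "malware"})),
}
MAX_DETECTION_FLOOR_YEAR = 2005


def rule_enabled(rule: SnortRule, policy: str, current_year: int) -> bool:
    """Would this base policy enable the rule out of the box?"""
    cvss_min, years_back, always_on = BASE_POLICIES[policy]
    if rule.category in always_on:
        return True
    if rule.cvss < cvss_min:
        return False
    floor = MAX_DETECTION_FLOOR_YEAR if years_back is None else current_year - years_back
    return rule.year >= floor


def enabled_sids(rules: Iterable[SnortRule], policy: str, current_year: int) -> List[int]:
    return sorted(r.sid for r in rules if rule_enabled(r, policy, current_year))


def recommendations(rules: Iterable[SnortRule], policy: str, current_year: int,
                    host_cves: Set[str]) -> List[int]:
    """Rules the base policy leaves disabled but which cover a vulnerability that a
    profiled host carries: the rules a recommendation pass would enable."""
    return sorted(r.sid for r in rules
                  if not rule_enabled(r, policy, current_year) and r.cves & host_cves)


# Constructed rule set; SIDs, years and CVE labels are placeholders, not real rules.
RULES = [
    SnortRule(1001, 10.0, 2019, "exploit", frozenset({"EXAMPLE-CVE-1"})),
    SnortRule(1002, 9.3, 2018, "exploit", frozenset({"EXAMPLE-CVE-2"})),
    SnortRule(1003, 8.1, 2016, "exploit", frozenset({"EXAMPLE-CVE-3"})),
    SnortRule(1004, 7.5, 2009, "exploit", frozenset({"EXAMPLE-CVE-4"})),
    SnortRule(1005, 0.0, 2019, "cnc"),
]

if __name__ == "__main__":
    for policy in BASE_POLICIES:
        print(f"{policy:14s} {enabled_sids(RULES, policy, 2019)}")
    # A host known to carry EXAMPLE-CVE-3 and EXAMPLE-CVE-4 is unprotected under
    # Balanced until these rules are enabled, however high the rule quality is.
    print("recommend:", recommendations(RULES, "balanced", 2019,
                                        {"EXAMPLE-CVE-3", "EXAMPLE-CVE-4"}))
```

The point the numbers make: a 2016 vulnerability with CVSS 8.1 is outside Balanced in 2019 on both age and score, so the only way it gets coverage is host data (scanner or AMP import, below) feeding recommendations, or manual tuning.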
Impact Assessment
• Prevents information overload
How relevant is the attack?
Impact flag | Intrusion event | Administrator action | Why
0 | Event occurred outside profiled networks | General info†† | Neither the source nor the destination IP address is within the range of your IP addresses
1 | Event corresponds to a vulnerability mapped to the host, or the event is launched from a compromised host | Act immediately: host vulnerable or compromised | The host is known to carry the vulnerability the rule covers, or is already flagged as compromised
2 | Relevant port open or protocol in use, but no vulnerability mapped | Investigate: potentially vulnerable | IP address of a host within the defined IP range of your network, and a connection was made to a working service
3 | Relevant port not open or protocol not in use | Good to know: currently not vulnerable | IP address of a host within the defined IP range of your network, but no connection was made
4 | Monitored network, but unknown host | Good to know: unknown target | IP address within the defined IP range of your network, but no current host profile for the device
†† If you have a fully profiled network this may be a critical event!
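The table is a decision procedure, and it helps to see it as one: the flag depends only on whether the event touches your address space, whether a host profile exists, whether the targeted service is open and whether the rule's vulnerability is mapped to that host. The block below is an added example (not Cisco's implementation, and simplified: for events where the monitored host is the source, the port check is applied to the source's own services) that runs the procedure over constructed events against a constructed host table, then orders them the way an analyst would pick them up. The triage ordering that puts unknown hosts ahead of "not vulnerable" is my choice, not from the deck.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class HostProfile:
    ip: str
    open_services: Set[Tuple[str, int]] = field(default_factory=set)  # {("tcp", 445), ...}
    vulns: Set[str] = field(default_factory=set)                       # vulnerability ids mapped to the host
    compromised: bool = False                                           # already flagged (IoC, AMP, ...)


@dataclass
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    rule_vulns: FrozenSet[str] = frozenset()   # vulnerabilities the triggering rule covers


ACTIONS = {
    0: "General info (event outside profiled networks)",
    1: "Act immediately: host vulnerable or compromised",
    2: "Investigate: potentially vulnerable",
    3: "Good to know: currently not vulnerable",
    4: "Good to know: unknown target",
}


def impact_flag(ev: IntrusionEvent, monitored: List[str], hosts: Dict[str, HostProfile]) -> int:
    nets = [ip_network(n) for n in monitored]

    def in_range(ip: str) -> bool:
        return any(ip_address(ip) in n for n in nets)

    # Flag 1 also covers attacks launched from a monitored host already known to be compromised.
    src = hosts.get(ev.src_ip) if in_range(ev.src_ip) else None
    if src is not None and src.compromised:
        return 1
    # Flag 0: neither side is in the monitored address space.
    if not in_range(ev.src_ip) and not in_range(ev.dst_ip):
        return 0
    # Evaluate the monitored side (destination if it is ours, otherwise the source).
    target = hosts.get(ev.dst_ip if in_range(ev.dst_ip) else ev.src_ip)
    if target is None:
        return 4                                   # in range, but never profiled
    if ev.rule_vulns & target.vulns:
        return 1                                   # the rule's vulnerability is mapped to this host
    if (ev.proto, ev.dst_port) in target.open_services:
        return 2                                   # service is up, vulnerability unknown
    return 3                                       # nothing listening: attack cannot have landed


def triage(events, monitored, hosts):
    """Events ordered by how urgently they need a human; my ordering, not Firepower's."""
    order = {1: 0, 2: 1, 4: 2, 3: 3, 0: 4}
    scored = [(impact_flag(e, monitored, hosts), e) for e in events]
    return sorted(scored, key=lambda t: order[t[0]])


# Constructed monitored range, host profiles and events (TEST-NET addresses, placeholder vuln ids).
MONITORED = ["192.168.2.0/24"]
HOSTS = {
    "192.168.2.101": HostProfile("192.168.2.101", {("tcp", 445)}, {"EXAMPLE-VULN-SMB"}),
    "192.168.2.50": HostProfile("192.168.2.50", {("tcp", 22)}),
    "192.168.2.7": HostProfile("192.168.2.7", compromised=True),
}
EVENTS = [
    IntrusionEvent("203.0.113.5", "198.51.100.9", "tcp", 445, frozenset({"EXAMPLE-VULN-SMB"})),   # 0
    IntrusionEvent("203.0.113.5", "192.168.2.101", "tcp", 445, frozenset({"EXAMPLE-VULN-SMB"})),  # 1
    IntrusionEvent("203.0.113.5", "192.168.2.50", "tcp", 22, frozenset({"EXAMPLE-VULN-SSH"})),    # 2
    IntrusionEvent("203.0.113.5", "192.168.2.50", "tcp", 445, frozenset({"EXAMPLE-VULN-SMB"})),   # 3
    IntrusionEvent("203.0.113.5", "192.168.2.200", "tcp", 445, frozenset({"EXAMPLE-VULN-SMB"})),  # 4
    IntrusionEvent("192.168.2.7", "203.0.113.5", "tcp", 80),                                       # 1
]

if __name__ == "__main__":
    for flag, ev in triage(EVENTS, MONITORED, HOSTS):
        print(flag, ACTIONS[flag], ev.src_ip, "->", ev.dst_ip)
```

Two things fall out of running it: flag 4 is only "good to know" because the host table is incomplete, which is the argument for feeding scanner and AMP data into FMC in the examples that follow; and flag 0 on a fully profiled network means traffic that should not exist at all.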
Threat Response integration diagram (figure residue): infrastructure and devices (switches, routers, wireless; endpoints, IoT, phones, printers) feed ISE, FMC and SMC over network protocols, RADIUS, NetFlow, DNS and pxGrid; cloud services (Talos, AMP/Threat Grid, Umbrella, CTA, VMC) and the WSA and ESA connect over the Talos API, AMP/TG API, Firepower API, pxGrid and syslog; the SIEM and 3rd-party tools connect through a generic API.
Integration components used in the examples: ISE (identity), Firepower, AMP for Endpoints
Example 1: Firepower + ISE (identity)
Visibility and Context Is Everything in Security
Poor context awareness | Rich context awareness
IP Address: 192.168.2.101 | BOB (Employee)
Unknown | Windows Workstation
Unknown | Building-A Floor-1
Unknown | 10:30 AM EST on APR 27
Unknown | Wireless
Unknown | No Threats/Vulnerabilities
Result: Unknown | Result: Known
FMC – pxGrid Integration (Firepower): System > Integration > Identity Sources > Identity Services Engine
Create Correlation Rule (Firepower): Policies > Correlation > Rule Management > Create Rule
Trigger: a connection event whose Security Intelligence category matches CnC, Malware or Exploit Kit
The Remediation: threat containment by quarantine. The correlation rule's remediation triggers an EPS quarantine on ISE via pxGrid (EPS has since been replaced by ANC in current ISE releases), so the endpoint's network access is changed without a human in the loop.
Test Configuration (screenshot)
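Example 1 wires a Security Intelligence hit straight into a network quarantine, so the rule logic and the safety rails around it deserve to be explicit. The block below is an added example, not the FMC remediation module and not Cisco code: it evaluates the correlation rule over constructed connection events and builds the ISE request that would apply an ANC quarantine policy. It uses the ISE ERS REST endpoint for ancendpoint/apply rather than pxGrid, because a REST call is easier to show; the endpoint path and body shape are from the ERS API as I know it and should be checked against the ERS documentation for your ISE release. The ISE host name, the ANC policy name "Quarantine", the MAC addresses and the events are all constructed.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ConnectionEvent:
    src_ip: str
    src_mac: Optional[str]      # from the ISE session learned over pxGrid; None if no session
    dst_ip: str
    si_category: Optional[str]  # Security Intelligence category that matched, if any


# The categories the correlation rule on the slide keys on.
TRIGGER_CATEGORIES = {"CnC", "Malware", "Exploitkit"}


def rule_matches(ev: ConnectionEvent) -> bool:
    return ev.si_category in TRIGGER_CATEGORIES


def anc_apply_request(ise_host: str, mac: str, policy_name: str) -> Dict[str, object]:
    """ISE ERS request applying an ANC policy to an endpoint (PUT ancendpoint/apply).
    URL and body follow the ERS API as I know it; confirm for your ISE release."""
    body = {"OperationAdditionalData": {"additionalData": [
        {"name": "macAddress", "value": mac},
        {"name": "policyName", "value": policy_name},
    ]}}
    return {
        "method": "PUT",
        "url": f"https://{ise_host}:9060/ers/config/ancendpoint/apply",
        "headers": {"Content-Type": "application/json", "Accept": "application/json"},
        "body": json.dumps(body),
    }


def remediate(events: List[ConnectionEvent], ise_host: str, policy_name: str,
              exempt_ips: Set[str], quarantined: Set[str]) -> Tuple[List[Dict[str, object]], List[ConnectionEvent]]:
    """Turn matching connection events into ANC requests.
    Returns (requests to send, events that need a human instead)."""
    requests, manual = [], []
    for ev in events:
        if not rule_matches(ev):
            continue
        if ev.src_ip in exempt_ips:        # never auto-quarantine shared infrastructure
            manual.append(ev)              # (a resolver that forwards a bad lookup would match too)
            continue
        if ev.src_mac is None:             # no ISE session: ANC has nothing to act on
            manual.append(ev)
            continue
        if ev.src_mac in quarantined:      # one request per host, not one per connection
            continue
        quarantined.add(ev.src_mac)
        requests.append(anc_apply_request(ise_host, ev.src_mac, policy_name))
    return requests, manual


# Constructed events: a workstation beaconing twice, a clean host, the site's DNS
# resolver tripping a Malware entry, and a host with no ISE session.
EVENTS = [
    ConnectionEvent("192.168.2.101", "00:11:22:33:44:55", "203.0.113.5", "CnC"),
    ConnectionEvent("192.168.2.101", "00:11:22:33:44:55", "203.0.113.6", "Malware"),
    ConnectionEvent("192.168.2.50", "00:11:22:33:44:66", "198.51.100.9", None),
    ConnectionEvent("192.168.2.10", "00:11:22:33:44:77", "203.0.113.7", "Malware"),
    ConnectionEvent("192.168.2.77", None, "203.0.113.8", "Exploitkit"),
]

if __name__ == "__main__":
    reqs, manual = remediate(EVENTS, "ise.example.internal", "Quarantine",
                             exempt_ips={"192.168.2.10"}, quarantined=set())
    for r in reqs:
        print(r["method"], r["url"], r["body"])
    for ev in manual:
        print("manual follow-up:", ev.src_ip, ev.si_category)
```

Sending is left out on purpose: in production the request goes over a session authenticated with an ERS admin account, and the two "manual" cases (exempt infrastructure, no session) should land in a ticket or SIEM, not be silently dropped.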
Example 2: Cisco ISE (identity) + 3rd-party and endpoint protection (AMP for Endpoints)
Vulnerability-based access control, high-level flow
Components: Endpoint, Network Access Device, Cisco ISE 2.1+, Qualys ScanGuard
1. The endpoint connects to the network
2. Initial limited authorization (VA-Scan)
3. ISE requests a VA scan for the endpoint
4. Qualys scans the endpoint for vulnerabilities
5. Qualys reports the CVSS score
6. CoA based on scan status (Full Access / Quarantine)
For Your Reference (screenshot; annotation: Threat and Vulnerability missing)
Integrating Tenable VMS with ISE (ISE): Administration > Threat Centric NAC > Vendor Instances
Example 3: 3rd-party and endpoint protection + Firepower
Integrating Security Center and FMC
• Give FMC the vulnerabilities Tenable Security Center retrieved from active scans (credentialed or uncredentialed)
• More accurate impact flags and auto-tuning on FMC
• Leverage the investment in vulnerability management
Add New Host Input Client (Firepower): System > Integration > Host Input Client > Create Client, then download the certificate
(Slides in this section are from Cisco Live session BRKSEC-3889.)
Run the script: python query_vuln.py
• Takes vulnerabilities from Security Center
• Imports them into FMC
• Schedule through cron or another tool
http://cs.co/ats-apis
View Vulnerabilities: Analysis > Vulnerabilities > Third-Party Vulnerabilities > Detail
Host Profile: Security Center vulnerabilities shown on the host
Example 4: Integrating AMP Vulnerability Data into FMC (Firepower + AMP for Endpoints)
Vulnerability information from the endpoint agent
Add New Host Input Client (Firepower): System > Integration > Host Input Client > Create Client, then download the certificate
Run the script: python amphost2csv.py
• Takes vulnerabilities from AMP
• Imports them into FMC
• Schedule through cron or another tool
http://cs.co/ats-apis
View Vulnerabilities: Analysis > Vulnerabilities > Third-Party Vulnerabilities > Detail
Host Profile: AMP OS data and AMP vulnerability data shown on the host
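Examples 3 and 4 both end in the same step: a script (query_vuln.py for Security Center, amphost2csv.py for AMP) turns scanner output into something the Host Input client can feed to FMC. Neither script is on the page, so the block below is an added example of that last step, not Cisco's scripts: it renders a constructed scan export (placeholder hosts, plugin ids and CVE labels) into the Host Input import file format. The command names (SetSource, AddHost, AddScanResult, ScanFlush), the AddScanResult field order and the cve_ids syntax are from the Host Input API guide as I recall it, and the stripping of the "CVE-" prefix is an assumption; verify all of it against the guide for your FMC release before importing.

```python
import csv
import io
from typing import List

# Constructed scan export, shaped like rows pulled from Tenable Security Center or AMP.
# Hosts, plugin ids and CVE labels are placeholders, not real findings.
SCAN_EXPORT = [
    {"ip": "192.168.2.101", "findings": [
        {"id": 90001, "port": 445, "proto": "tcp", "name": "SMBv1 enabled",
         "cves": ["CVE-EXAMPLE-0001"]},
        {"id": 90002, "port": 0, "proto": "", "name": "Outdated Java runtime",
         "cves": []},
    ]},
    {"ip": "192.168.2.50", "findings": [
        {"id": 90003, "port": 22, "proto": "tcp", "name": "Weak SSH ciphers",
         "cves": ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"]},
    ]},
]


def cve_field(cves: List[str]) -> str:
    """Host Input carries CVEs as 'cve_ids: <id> <id>'. The guide's examples list the
    ids without the leading 'CVE-' (assumption: check your release's guide)."""
    ids = [c[4:] if c.upper().startswith("CVE-") else c for c in cves]
    return "cve_ids: " + " ".join(ids) if ids else ""


def host_input_lines(scan_export, source: str, scanner_id: str) -> List[str]:
    """Render an import file: SetSource, then AddHost/AddScanResult rows, then ScanFlush.
    AddScanResult field order as I recall the guide: ip, scanner id, vuln id, port,
    protocol, name, description, cve_ids, bugtraq_ids. Verify before importing."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")      # csv handles quoting of names with commas
    w.writerow(["SetSource", source])
    for host in scan_export:
        w.writerow(["AddHost", host["ip"]])
        for f in host["findings"]:
            w.writerow(["AddScanResult", host["ip"], scanner_id, f["id"],
                        f["port"] or "", f["proto"], f["name"],
                        f"{source} plugin {f['id']}", cve_field(f["cves"]), ""])
    w.writerow(["ScanFlush"])                     # commits the scan results above
    return buf.getvalue().splitlines()


def findings_without_cve(scan_export) -> List[int]:
    """These import and show in the host profile, but they cannot be matched to the
    CVEs that Snort rules reference, so they never lift an impact flag to 1 or
    drive a rule recommendation. Worth reporting rather than silently importing."""
    return [f["id"] for h in scan_export for f in h["findings"] if not f["cves"]]


if __name__ == "__main__":
    for line in host_input_lines(SCAN_EXPORT, "Tenable-SC", "Tenable"):
        print(line)
    print("no CVE, will not map to rules:", findings_without_cve(SCAN_EXPORT))
```

The output file is what the Host Input client (or the FMC-side import tool referenced in the Host Input API guide) consumes; the client certificate downloaded in the previous step is what authenticates the client to FMC, so treat it like any other credential when the script runs from cron.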
Key Features of the 6.3 Release
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/relnotes/firepower-release-notes-630/new_features.html
Firepower 6.3 new features
• Extending deployment opportunities: multi-instance; air-gapped licensing; unified eventing and contextual cross-launch; new network modules; ISA 3000 FTD enhancements
• Unlocking the mid-market: on-box Firepower Device Manager (FDM) HA; other FDM enhancements; TLS in hardware for the 2100
• CoA for RA VPN (needed for posture)
• FQDN-based network objects
• New migration tool
• Other enhancements: dynamic flow offload; clustering enhancements; backup and restore for RMA; Snort restart improvements; FMC REST API enhancements
Management Options
• Cisco Defense Orchestrator (CDO): cloud-based, multi-device, built on the REST API; enables cloud-based policy management of multiple deployments; Firepower Threat Defense support post 6.3
• Firepower Management Center (FMC): multi-device advanced integration and analytics; enables comprehensive security administration and automation of multiple appliances
• Firepower Device Manager (FDM): on-box, single device, built on the REST API; enables easy on-box management of common security and policy tasks
Multi-Instance Approach
• NGFW approach for providing multiple contexts
• Firepower 4100 and 9300 only
• Instantiate multiple FTD logical devices on a single module or appliance; each application instance represents a tenant
• FTD application first; a combination of FTD and ASA instances in the future
• Leverages Docker infrastructure and application packaging
• Complete traffic-processing and management separation
• CPU/memory/disk resources are dedicated to an instance at provisioning
• Physical and logical interface and VLAN separation at the Supervisor
Multi-Instance Solution Summary (figure: one Firepower 4100 or 9300 module hosting FTD Instance A (10 CPU), FTD Instance B (6 CPU), FTD Instance C (18 CPU), FTD Instance D (12 CPU) and a future ASA Instance A (12 CPU), attached to Ethernet1/1-3, Ethernet1/4-5, Port-Channel1.100-101, Port-Channel1.101-102 and Port-Channel2)
Contextual Cross-Launch
• Allows an administrator to pivot off a field in an event to cross-launch another product
• Bundled with many useful product integrations
• URL-based custom product integrations can be added
Five New Modules for FPR 2100
• Four new hardware-bypass-capable modules, supported starting with the 6.3.0 release (FXOS 2.4.1)
PID | Supported speeds | Ports | FTW (fail-to-wire) capable
FPR-NM-8X10G | 1G/10G | 8 | No
FPR-NM-8X1G | 1G | 8 | No
FPR-NM-6X10SR-F | 10G-SR | 6 | Yes
FPR-NM-6X10LR-F | 10G-LR | 6 | Yes
FPR-NM-6X1SX-F | 1G-SR | 6 | Yes
FPR-NM-8X1G-F | 10/100/1000 (Cu) | 8 | Yes
• Hardware bypass is only supported on a fixed set of port pairs: port 1 can be paired with port 2, port 3 with port 4, and so on.
New 100G Interfaces for 9300
• The existing 100G netmod is a double-wide, 2-port card; the double-wide form factor limits flexibility and does not support 4x25G breakout
• New 4 x 100G netmods for the 9300: provide up to eight 100G ports for use as clustering inside, outside and CCL links; the single-wide form factor allows flexibility to mix and match with other network modules; support for 4x25G breakout is planned for a subsequent release
(figure: 4-port single-wide 100G NM; Firepower 9300 chassis with 4x100G and 8x10G netmods)
FTD for Cisco Industrial Security Appliance (ISA 3000)
• ISA 3000 extends the Cisco IoT portfolio
• Two models of ISA 3000: copper interfaces and fiber interfaces
• In 6.2.3.0, ISA 3000 supported ASA and ASA with FirePOWER 5.4; support for FTD was introduced in 6.2.3.1
• 6.3 extended several features from ASA with FirePOWER to FTD:
  • Alarm port, configured using FlexConfig: 2 x alarm input, 1 x alarm output
  • SD card auto backup/restore
  • Hardware bypass for transparent-mode firewall (FDM-managed devices only)
  • CIP preprocessor for FTD (not validated in 6.3)
TLS Hardware Offload
Hardware TLS decryption?
• TLS hardware offload is enabled by default on all platforms that support it
• It can still be manually disabled
• 6.3 enables TLS hardware offload on the 2100 series appliances
FQDN Type Network Objects
• FQDN-based network objects are available in Firepower 6.3; essentially the same as ASA FQDN-based objects; not available on NGIPS appliances or ASA with FirePOWER
• FQDNs are converted to IP addresses through DNS lookups; the administrator can select IPv4, IPv6 or both; a single FQDN may resolve to multiple IPs
• DNS resolution is performed by Lina (the ASA data-plane process on FTD), so a rule matches whatever addresses the device's own DNS servers returned, not what the client resolved
• Available on both FMC and FDM, and included in the FMC and FDM APIs
• FQDN-based network objects can be used in access control policy rules and in prefilter or tunnel rules in prefilter policies
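The practical consequence of "resolution is performed in Lina" is that an FQDN object is really a cache of the device's own DNS answers, aged by TTL. When a name round-robins across many addresses (a CDN, a cloud API), the client may be handed an address the firewall never saw, and an allow rule then fails (or a block rule is bypassed) for no visible reason. The block below is an added example, not Cisco code and not the actual Lina implementation: it models an FQDN object as a TTL-bounded cache fed by a resolver callback, and drives it with a constructed round-robin resolver to show the mismatch and its recovery after re-resolution. The FQDN, addresses and TTLs are constructed.

```python
from typing import Callable, Dict, List, Set, Tuple

# resolver(fqdn, rrtype) -> [(ip, ttl_seconds)], rrtype is "A" or "AAAA"
Resolver = Callable[[str, str], List[Tuple[str, int]]]


class FqdnObject:
    """An FQDN network object as the data plane sees it: the device resolves the name
    with its own DNS servers and keeps each answer until its TTL expires. A rule using
    the object matches only addresses currently in that cache."""

    def __init__(self, fqdn: str, resolver: Resolver, families=("A", "AAAA")):
        self.fqdn = fqdn
        self.resolver = resolver
        self.families = families          # the IPv4 / IPv6 / both selection from the object
        self.expiry: Dict[str, float] = {}  # ip -> absolute expiry time

    def refresh(self, now: float) -> None:
        for fam in self.families:
            for ip, ttl in self.resolver(self.fqdn, fam):
                self.expiry[ip] = now + ttl

    def addresses(self, now: float) -> Set[str]:
        self.expiry = {ip: t for ip, t in self.expiry.items() if t > now}
        return set(self.expiry)

    def matches(self, dst_ip: str, now: float) -> bool:
        return dst_ip in self.addresses(now)


def make_round_robin_resolver(answers: Dict[Tuple[str, str], List[List[Tuple[str, int]]]]) -> Resolver:
    """Constructed resolver: each query for (fqdn, rrtype) returns the next answer set in
    the list, the way round-robin DNS or a CDN hands out different addresses per query."""
    calls: Dict[Tuple[str, str], int] = {}

    def resolve(fqdn: str, rrtype: str) -> List[Tuple[str, int]]:
        key = (fqdn, rrtype)
        sets = answers.get(key, [])
        if not sets:
            return []
        i = calls.get(key, 0)
        calls[key] = i + 1
        return sets[min(i, len(sets) - 1)]   # keep returning the last set once exhausted
    return resolve


FIREWALL_DNS = make_round_robin_resolver({
    ("updates.example.test", "A"): [[("203.0.113.10", 60)], [("203.0.113.11", 60)]],
})


def scenario() -> Tuple[bool, bool, bool, bool]:
    """Walk through the mismatch: the device resolved .10, the client was handed .11."""
    obj = FqdnObject("updates.example.test", FIREWALL_DNS, families=("A",))
    obj.refresh(now=0)
    allowed_first = obj.matches("203.0.113.10", now=5)    # the address the device saw
    allowed_other = obj.matches("203.0.113.11", now=5)    # the client's address: not in cache
    obj.refresh(now=70)                                   # TTL expired, device re-resolves
    allowed_after = obj.matches("203.0.113.11", now=75)   # now cached
    old_gone = obj.matches("203.0.113.10", now=75)        # expired and not re-learned
    return allowed_first, allowed_other, allowed_after, old_gone


if __name__ == "__main__":
    print(scenario())   # (True, False, True, False)
```

Two mitigations follow directly: point clients and the device at the same resolvers, and prefer FQDN objects for names with few, stable addresses; for large CDN-fronted services, a URL or application rule is the right tool, since it matches on the TLS SNI or HTTP host rather than on whichever address DNS handed out.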
Firepower Migration Tool (figure: ASA configuration is uploaded to the migration tool, which drives the Firepower Management Center through API calls and deploys to Firepower Threat Defense; a post-migration summary is produced)
Feature Overview: Snort restart improvements
• Snort restarts can disrupt traffic
• Over several releases most Snort restart scenarios have been eliminated; to achieve this, Snort restarts are often replaced by Snort reloads
• Reloads use a separate reload thread to rebuild the Snort configuration
• In 6.3, Snort restarts are eliminated in 3 more scenarios
• FMC must be 6.3; FMC-managed devices can be any supported release
• Locally managed devices (FDM) must be 6.3
FMC REST API Enhancements for 6.3
FMC enables the following new REST APIs in version 6.3:
• Site-to-site VPN tunnel REST API
• FTD High Availability REST API
• REST APIs for bulk POST of network, port, VLAN-tag and URL objects; security zones and interface groups; SLA monitoring objects
• GET/PUT/(bulk) POST/DELETE for object-override support on overridable objects
• REST APIs for FTD upgrade (available for upgrading from 6.3.0 and above)
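Bulk POST is the API feature most likely to be used from the kind of cron-driven scripts the examples above rely on, so here is an added example of preparing one, not Cisco code and not a client library: it builds network objects with the Host/Network type FMC expects, drops duplicate names before they can fail a request, and chunks the list into bulk=true POSTs against the networks endpoint. The endpoint path and the bulk=true query parameter are from the FMC REST API as I know it; the per-request object limit, and the claim that one bad object fails the whole bulk request, are assumptions to check against your release's API guide. The domain UUID and object data are placeholders.

```python
import json
from ipaddress import ip_network
from typing import Dict, List, Tuple

BULK_LIMIT = 1000   # assumed maximum objects per bulk request; check the API guide for your release


def network_object(name: str, value: str, description: str = "") -> Dict[str, str]:
    """A networks-endpoint object. FMC distinguishes Host and Network objects by type,
    so derive it from the value instead of trusting the caller."""
    net = ip_network(value, strict=False)      # also validates the address syntax
    kind = "Host" if net.num_addresses == 1 else "Network"
    return {"name": name, "type": kind, "value": value, "description": description}


def bulk_post_requests(domain_uuid: str, objects: List[Dict[str, str]],
                       limit: int = BULK_LIMIT) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Chunk objects into bulk POST requests. Object names must be unique in FMC and a
    rejected object fails its whole request (assumption), so duplicates are removed
    up front and returned for the caller to report."""
    seen, unique, dupes = set(), [], []
    for obj in objects:
        (dupes if obj["name"] in seen else unique).append(obj)
        seen.add(obj["name"])
    url = f"/api/fmc_config/v1/domain/{domain_uuid}/object/networks?bulk=true"
    reqs = [{"method": "POST", "url": url, "body": json.dumps(unique[i:i + limit])}
            for i in range(0, len(unique), limit)]
    return reqs, dupes


def session_headers(token_response_headers: Dict[str, str]) -> Dict[str, str]:
    """FMC returns the session token in the X-auth-access-token response header of
    POST /api/fmc_platform/v1/auth/generatetoken (HTTP basic auth); send it on every call."""
    return {"X-auth-access-token": token_response_headers["X-auth-access-token"],
            "Content-Type": "application/json"}


# Constructed objects: one duplicate name, one IPv6 host.
OBJECTS = [
    network_object("web-1", "192.168.2.101", "example web server"),
    network_object("lan", "192.168.2.0/24"),
    network_object("web-1", "192.168.2.102"),      # duplicate name, would be rejected
    network_object("v6-host", "2001:db8::1"),
]

if __name__ == "__main__":
    reqs, dupes = bulk_post_requests("DOMAIN-UUID-PLACEHOLDER", OBJECTS, limit=2)
    for r in reqs:
        print(r["method"], r["url"], r["body"])
    print("skipped duplicates:", [d["name"] for d in dupes])
```

With a real session the loop is: generate a token, then POST each chunk with session_headers() and the base URL of the FMC; the token has a lifetime and a refresh endpoint, so long imports should handle a 401 by re-authenticating rather than failing the run.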