Everything you want to know about source fire

Sourcefire Threat Detection: NGIPS – NGFW – Adv Malware. Tim Ryan – Security CSE – SLED East; Kevin Tracy – Security CSE – Commercial South. Sept 2014

CLLE FL 092014

Transcript of Everything you want to know about source fire

Page 1: Sourcefire Threat Detection: NGIPS – NGFW – Adv Malware

Tim Ryan – Security CSE – SLED East
Kevin Tracy – Security CSE – Commercial South

Sept 2014

Page 2: Agenda

Cisco Confidential. © 2013-2014 Cisco and/or its affiliates. All rights reserved.

1. Next Generation Security Model
2. Product Overviews
3. ASA + Sourcefire Features & Architecture
4. Deployment Scenarios
5. Integration Roadmap and Vision

Page 3: The Next Generation Security Model

[Diagram: Attack Continuum. BEFORE: Control, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate. Spans Network, Endpoint, Mobile, Virtual and Cloud, with point-in-time and continuous protection. Question posed: What device types, users and applications should be on the network?]

BEFORE THE ATTACK: You need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSIGHT).

Access controls enforce policy and manage applications and overall access to assets.

Access controls reduce the attack surface, but there will still be holes that the bad guys will find. ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective.

Page 4: The Next Generation Security Model

[Diagram: Attack Continuum, as on Page 3.]

DURING THE ATTACK: You must have the highest-efficacy threat detection mechanisms possible. Detection methods MUST be multi-dimensional and correlated. Once attacks are detected, the NGIPS can block them and dynamically defend the environment.

Page 5: Collective Security Intelligence

Page 6: Sourcefire NGIPS / NG Firewall Features

Page 7: FireSIGHT – What are the Key FireSIGHT Components?

Network Discovery & Connection Awareness

Host discovery
• Identifies the OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host, based on the information it has gathered

Application identification
• FireSIGHT can identify over 1900 unique applications using OpenAppID
• Includes applications that run over web services such as Facebook or LinkedIn
• Applications can be used as criteria for access control

User discovery
• Monitors for user IDs transmitted as services are used
• Integrates with MS AD servers to authoritatively identify users
• Authoritative users can be used as access control criteria

Page 8: Sourcefire FireSIGHT Technology – FireSIGHT Discovery

Discovery is reported to you by way of events:
• Connection events are recorded as every connection in a monitored network is seen
• Host events are recorded when something new on a host is detected, or a change to a host is detected

Information about all the hosts in your environment is stored in host profiles.

Page 9: Sourcefire FireSIGHT Technology – FireSIGHT Discovery

By knowing the details of what's running in your environment, the Sourcefire System can produce a list of what vulnerabilities likely exist. This allows the Sourcefire System to put intrusion events in context for more accurate and actionable alerting.

Which would matter more to you?
• A Code Red attack against a host running Linux in your environment
Or
• A Code Red attack against a host running a vulnerable version of Windows in your environment

Page 10: Sourcefire FireSIGHT Technology – FireSIGHT Discovery

With FireSIGHT, IPS events are assigned an impact level:
• 0 – host not on monitored networks
• 4 – no entry for the host in the network map
• 3 – host not running the service or protocol that was attacked
• 2 – host is running the service or protocol that was attacked
• 1 – host is running the service or protocol that was attacked, and a vulnerability against that service or protocol is mapped to the host

FireSIGHT also lets you fine-tune your IPS policies by recommending rules to protect against the known vulnerabilities in your environment.
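As an added illustration (not code from the deck or from Cisco), the impact-level assignment above modelled in Python over a constructed network map: the 10.1.0.0/16 monitored range, the host entries and the vulnerability ID VULN-CODE-RED are all made up. It also shows why the Code Red question on Page 9 has a clear answer: the same rule hit lands at a different impact level depending on what the host profile says.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (not a real network map): the monitored range,
# the hosts FireSIGHT has discovered, and the vulnerability IDs mapped to them.
MONITORED_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]

NETWORK_MAP = {
    # Windows web server with the (constructed) Code Red vulnerability mapped
    "10.1.2.10": {"os": "Windows 2000", "services": {80: "http"}, "vulns": {"VULN-CODE-RED"}},
    # Linux web server: runs HTTP, but the vulnerability does not apply to it
    "10.1.2.20": {"os": "Linux", "services": {80: "http"}, "vulns": set()},
    # Linux host that only runs SSH
    "10.1.2.30": {"os": "Linux", "services": {22: "ssh"}, "vulns": set()},
}

@dataclass(frozen=True)
class IntrusionEvent:
    dst_ip: str
    dst_port: int
    service: str          # service the triggering rule targets
    vulns: frozenset      # vulnerability IDs the rule is written against

def impact_level(event, network_map=NETWORK_MAP, monitored=MONITORED_NETWORKS):
    """Return the FireSIGHT impact level (0-4) for one intrusion event."""
    ip = ipaddress.ip_address(event.dst_ip)
    if not any(ip in net for net in monitored):
        return 0                              # host not on a monitored network
    host = network_map.get(event.dst_ip)
    if host is None:
        return 4                              # no entry for the host in the network map
    # Services are keyed by port, so HTTP on a non-standard port still matches
    if host["services"].get(event.dst_port) != event.service:
        return 3                              # host not running the attacked service
    if host["vulns"] & event.vulns:
        return 1                              # service running and vulnerability mapped
    return 2                                  # service running, no matching vulnerability

def code_red_impacts():
    """The same Code Red rule hit against five destinations; returns the levels."""
    rule_vulns = frozenset({"VULN-CODE-RED"})
    targets = ["10.1.2.10", "10.1.2.20", "10.1.2.30", "10.1.2.99", "192.0.2.5"]
    return [impact_level(IntrusionEvent(ip, 80, "http", rule_vulns)) for ip in targets]

if __name__ == "__main__":
    print(code_red_impacts())  # [1, 2, 3, 4, 0]
```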

Page 11: FireSIGHT Management Center (FMC) – Intrusion Events with Impact Levels

Page 12: FireSIGHT – Why is FireSIGHT important?

It gives you real-time information about what's in your network. Based on this knowledge:
• It can inform you of the vulnerabilities associated with what is running in your environment
• You can fine-tune policies to focus on the threats specific to your environment

It can detect changes to your environment and alert you as soon as the change is detected:
• You can act dynamically with custom alerting (email, syslog, SNMP, eStreamer)
• You can also take action dynamically with remediation modules
• Remediations are scripts you can launch from the Defense Center to take some action

Page 13: FireSIGHT – How is FireSIGHT information used?

Fine-tuning IPS policies
• You can automatically select the rules and preprocessor configurations that apply to your environment
• You can protect hosts running services on non-standard ports (e.g. HTTP running on port 1080 on one host and 8080 on another)

Enforce an organization's security/usage policies
• Block or alert on use of unauthorized applications, for example

Monitor and act on unusual network behavior
• Alert on new hosts showing up in restricted network spaces, or detect unusually high utilization

Act on user activity

Page 14: FireSIGHT Management Center – Contextual Awareness / Information Superiority

Categories                 Examples                      FirePOWER Appliance   Typical IPS   Typical NGFW
Threats                    Attacks, Anomalies            ✔                     ✔             ✔
Users                      AD, LDAP, POP3                ✔                     ✗             ✔
Web Applications           Facebook Chat, Ebay           ✔                     ✗             ✔
Application Protocols      HTTP, SMTP, SSH               ✔                     ✗             ✔
File Transfers             PDF, Office, EXE, JAR         ✔                     ✗             ✔
Malware                    Conficker, Flame              ✔                     ✗             ✗
Command & Control Servers  C&C Security Intelligence     ✔                     ✗             ✗
Client Applications        Firefox, IE6, BitTorrent      ✔                     ✗             ✗
Network Servers            Apache 2.3.1, IIS4            ✔                     ✗             ✗
Operating Systems          Windows, Linux                ✔                     ✗             ✗
Routers & Switches         Cisco, Nortel, Wireless       ✔                     ✗             ✗
Mobile Devices             iPhone, Android, Jail         ✔                     ✗             ✗
Printers                   HP, Xerox, Canon              ✔                     ✗             ✗
VoIP Phones                Avaya, Polycom                ✔                     ✗             ✗
Virtual Machines           VMware, Xen, RHEV             ✔                     ✗             ✗

Page 15: Host and Event Correlation (v5.3)

• When a host in the network map is seen to exhibit signs of compromise

Events correlated:
• Security Intelligence events
• C&C detection via protocol analysis
• Contextual NGIPS events (Impact 1)
• FireAMP endpoint malware events

Page 16: FireSIGHT Management Center – Threat Information

Page 17: Malware Detected & Blocked

Page 18: Malware Detection: File Extraction & Sandbox Execution

[Diagram: network traffic passes the appliance; 1) File Capture, 2) File Storage, 3) Send to Sandbox (Collective Security Intelligence Sandbox), 4) Execution Report Available in Defense Center; a Malware Alert is raised.]

Page 19: Anti-Malware Process – Infected File Tracking

Page 20: Anti-Malware Protection & the Attack Continuum

[Diagram: Network and Endpoint rows against BEFORE (Control, Enforce, Harden), DURING (Detect, Block, Defend) and AFTER (Scope, Contain, Remediate). Capabilities shown: Contextual Awareness, Control Automation, In-line Threat Detection and Prevention, File Execution Blocking, File Retrospection, File Trajectory, Device Trajectory, File Analysis, Indications of Compromise, Outbreak Control.]

Page 21

Page 22: Hardware & Deployment Options

Page 23: Sourcefire Architecture

Port / Direction                  Purpose
22 / Bidirectional                SSH to and from devices
443 / Bidirectional               Defense Center interface, URL Filtering service, security intelligence feeds and FireAMP events
1500, 2000 / Inbound              To Defense Center / FMC for external database access
8302, 8305, 8307 / Bidirectional  eStreamer, device management, host input API

[Diagram: two DC3500 Defense Centers in High Availability configuration (HA Interface), managing 3D8250 devices in Clustered and Stacked configurations (Stacking Cable) and ASA / Sourcefire Services pairs. The Management Network carries Management Traffic; Monitored Networks and Internet / Other resources carry Monitored traffic.]

Page 24: Sourcefire Hardware Appliances

[Chart: Model # vs IPS Throughput (50 Mbps to 60 Gbps), grouped as Fixed Interfaces, Modular Interfaces and Stackable. Models shown: 7010, 7020, 7030, 7110, 7115, 7120, 7125, 7150 (AMP), 8120, 8130, 8140, 8150 (AMP), 8250, 8260, 8270, 8290, 8350*, 8360*, 8370*, 8390*. Labelled points: 7125 – 1.25 Gbps; 8350* – 15 Gbps; 8370* – 45 Gbps; 8390* – 60 Gbps. SSL appliances: SSL1500, SSL2000, SSL8200.]

AMP optimized appliances: 8150 – 2 Gbps AMP; 7150 – 500 Mbps AMP.

All appliances are managed via the Defense Center (aka FireSIGHT Management Console), available as an appliance or VM with 2, 10 or 25 device support.

Page 25: Cisco ASA Product Family – Sourcefire Services Performance Specifications

[Chart: Performance and Scalability.]

1 RU Platforms (ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X)
Branch Office / Internet Edge
• 200 Mbps – 2 Gbps: Firewall
• 100 – 725 Mbps: Next Gen IPS
• 30 – 160 Mbps: NGIPS, AVC, AMP

2 RU Platforms – 5585 (ASA 5585-SSP10, ASA 5585-SSP20, ASA 5585-SSP40, ASA 5585-SSP60)
Internet Edge / Campus / Data Center
• 2 – 20 Gbps: Firewall
• 1.2 – 6 Gbps: Next Gen IPS
• 650 Mbps – 2.4 Gbps: NGIPS, AVC, AMP

* Performance numbers to be finalized

Page 26: Deploying ASA w/ FirePOWER Services – High Availability with ASA Failover

• Available on all ASA platforms
• State-sharing between Firewalls for high availability
• L2 Transparent or L3 Routed deployment options
• Failover Link
• ASA provides valid, normalized flows to the FirePOWER module
• State sharing does not occur between FirePOWER Services Modules

Page 27: Deploying ASA w/ FirePOWER Services – Scaling IPS with ASA5585-X Clustering

• Up to 8 ASA5585-X IPS
• Stateless load balancing by external switch
• L2 Transparent or L3 Routed deployment options
• Support for vPC, VSS and LACP
• Cluster Control Protocol/Link
• State-sharing between Firewalls for symmetry and high availability
• Every session has a primary and secondary owner ASA
• ASA provides traffic symmetry to the FirePOWER module

Page 28: Multi-Context ASA Deployments

• ASA can be configured in multi-context mode so that traffic going through the ASA can be assigned different policies.
• These interfaces are reported to the FirePOWER blade and can be assigned to security zones that can be used in differentiated policies.
• In this example, you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside.
• Note: There is no management segmentation inside the FirePOWER module similar to the context idea inside the ASA configuration.

[Diagram: Context A and Context B, each with Outside and Inside interfaces.]

Page 29: Multi-Context ASA Deployments

[Diagram: Admin Context and Context-1.]

Page 30: FirePOWER Services Demonstration – Monitor-Only Mode (Demonstration Purposes Only currently)

Monitor Mode allows FirePOWER Services to analyze traffic without being placed in the data path. The ASA is connected to a SPAN port on a switch or router, and copies of both inbound and outbound packets are sent to the FirePOWER Services module. This copied traffic bypasses the ASA policy and goes directly to FirePOWER Services, which applies its policies to determine what traffic would have been blocked. After analysis, the packets are discarded.

https://communities.cisco.com/docs/DOC-50586

[Diagram: SPAN port feeding FirePOWER Services for ASA in Monitor-Only Mode.]

Page 31: Integrated Threat Defense Across the Attack Continuum

[Diagram: Attack Continuum with BEFORE (Discover, Enforce, Harden), DURING (Detect, Block, Defend) and AFTER (Scope, Contain, Remediate). Products mapped across it: Firewall/VPN, NGIPS, Security Intelligence, Web Security, Advanced Malware Protection. Themes: Visibility and Automation, Granular App Control, Modern Threat Control, Retrospective Security, IoCs/Incident Response.]

Page 32: Cisco Threat Defense System – 5000 Foot View

[Diagram: components arranged under BEFORE, DURING and AFTER, with a legend for Cisco Only, Cisco and Others, and Management Interfaces; an asterisk marks agent-based items. Components shown: Collective Security Intelligence (CSI); Contextual Device, Network and End-Point Visibility; Classic Stateful Firewall; Gen1 IPS; Application Visibility; Web/URL Controls; AV and Basic Protections; NGIPS; Vulnerability Management*; Client Anti-Malware (AMP)*; Correlated SIEM Eventing; Incident Control System; Network Anti-Malware Controls (AMP); Behavioral Indications of Compromise; User Identity; NGFW; Open APP-ID; SNORT Open IPS; Host Trajectory; Retrospective Analysis; NG Sandbox for Evasive Malware; Auto-Remediation / Dynamic Policies; Integrated Threat Defense System; Adaptive Security; Sandboxing; Retrospective Detection; Malware File Trajectory; Threat Hunting; Forensics and Log Management; Dynamic Outbreak Controls; URL and IP Reputation.]

Page 33: Thank you.