FirePower for CCIE Security Candidates

Rafael Leiva-Ochoa

BRKCCIE-3200

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Page 3: Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCCIE-3200

Page 4: Agenda

• Introduction
• ASA 5500-X and FirePower Platform
• FirePower Technology Overview
• FMC (FirePower Management Center)
• Host Discovery
• Traffic Processing Flow
• ACP (Access Control Policy)
• User Identity
• SSL
• Lab Ideas
• FirePower Classes

Page 5: Introduction

• Rafael Leiva-Ochoa
• @Cisco since Oct 2000
• Works in the TS Training Group (Part of Learning@Cisco)
• Delivers courses on Security to Global TAC Centers
• CCIE 19322 Security since 2007

Page 6: CCIE Security Program Overview

Page 7: CCIE Security Overview – Topics Covered in the CCIE Security (screenshot)

Page 8: CCIE Security Topics – Perimeter Security and Intrusion Prevention Topics Covered in CCIE Security

• 1.1 Describe, implement, and troubleshoot HA features on Cisco ASA and Cisco FirePOWER Threat Defense (FTD)
• 1.2 Describe, implement, and troubleshoot clustering on Cisco ASA and Cisco FTD
• 1.3 Describe, implement, troubleshoot, and secure routing protocols on Cisco ASA and Cisco FTD
• 1.4 Describe, implement, and troubleshoot different deployment modes such as routed, transparent, single, and multicontext on Cisco ASA and Cisco FTD
• 1.5 Describe, implement, and troubleshoot firewall features such as NAT (v4,v6), PAT, application inspection, traffic zones, policy-based routing, traffic redirection to service modules, and identity firewall on Cisco ASA and Cisco FTD
• 1.6 Describe, implement, and troubleshoot IOS security features such as Zone-Based Firewall (ZBF), application layer inspection, NAT (v4,v6), PAT and TCP intercept on Cisco IOS/IOS-XE
• 1.7 Describe, implement, optimize, and troubleshoot policies and rules for traffic control on Cisco ASA, Cisco FirePOWER and Cisco FTD
• 1.8 Describe, implement, and troubleshoot Cisco Firepower Management Center (FMC) features such as alerting, logging, and reporting
• 1.9 Describe, implement, and troubleshoot correlation and remediation rules on Cisco FMC
• 1.10 Describe, implement, and troubleshoot Cisco FirePOWER and Cisco FTD deployment such as in-line, passive, and TAP modes
• 1.11 Describe, implement, and troubleshoot Next Generation Firewall (NGFW) features such as SSL inspection, user identity, geolocation, and AVC (Firepower appliance)
• 1.12 Describe, detect, and mitigate common types of attacks such as DoS/DDoS, evasion techniques, spoofing, man-in-the-middle, and botnet

Page 9: Cisco Virtual Machines Used on CCIE Security (figure)

Page 10: Cisco Hardware Gear Used on CCIE Security (figure)

Page 11: ASA 5500-X and FirePower Platform

Page 12: Cisco ASA 5500-X Series Next-Generation Firewalls

• Supports Cisco ASA Software Release 8.6.1 and later images; four times the firewall throughput of Cisco ASA 5500 Series platforms.

Page 13: Cisco FirePower NGFW

(Platform family shown) FirePower VM, ASA 5500x, FirePower 4100, FirePower 8000/7000, FirePower 9300

Page 14: FirePower Technology Overview

Page 15: FirePower Management Center (FMC)

Page 16: FirePower Management Center – Overview

(Diagram) FirePower VM, FMC, Windows 7, Mac Sierra, Internet, APPS; the links between the FMC and the FirePower VM are labelled Configuration and Logging

Page 17: FMC – Interface (screenshot)

Page 18: Host Discovery

Page 19: Host Discovery – Overview

(Diagram) FirePower VM, FMC, Windows 7, Mac Sierra, Internet, APPS

Page 20: Host Discovery – Passive (Default)

(Diagram) FirePower VM, FMC, Windows 7, Mac Sierra, Internet, APPS

Page 21: Host Discovery – Passive (Setup)

(Screenshot callouts) Applications Only (Default); All IPv4, and IPv6 (Default)

Page 22: Host Discovery – Passive (Setup) (continued) (screenshot)

Page 23: Host Discovery – Passive (Setup) (continued)

(Diagram) Deployment from the FMC to the FirePower VM

Page 24: Host Discovery – Host Profile

(Screenshot) Windows 7 = 192.168.2.2

Page 25: Host Discovery – Active

(Diagram) FirePower VM, FMC, Windows 7, Mac Sierra, Internet, APPS

Pages 26–31: Host Discovery – Active (Setup) (continued) (screenshots)

Page 32: Host Discovery – Active (Setup) (continued)

(Screenshot) Windows 7 = 192.168.2.2

Page 33: Traffic Processing Flow

Page 34: FirePower Appliance, or VM

(Traffic-processing diagram) Policies that traffic passes through on the appliance or VM: Security Intelligence, SSL Policy, Network Analysis Policy, Access Control Policy, Objects, Malware and File Policy, Intrusion Policy

Page 35: FirePower on ASA

(Packet-flow diagram) RX → Ingress Interface → Existing Conn? (Yes/No) → ACL Check → Match Xlate → Inspect, and Sec Header → NAT → FirePower → Egress Interface → Layer 3 → Layer 2 → TX. Each check has a Drop exit. Slide note: "The FirePower does not do the drop, the ASA does!"

Page 36: ACP (Access Control Policy)

Page 37: ACP (Access Control Policy) – Overview

(Diagram) The ACP is built on the FMC and deployed to the FirePower VM. Rules are listed top to bottom:
ACP Rule ... Drop
ACP Rule ... Allow
ACP Rule ... Allow
ACP Rule ... Allow

Page 38: ACP (Access Control Policy) – Policy Structure

(Diagram) Policies that apply globally to the ACP: SSL Policy, Identity Policy, Security Intelligence, Network Analysis Policy. Policies that apply per rule: Intrusion Policy, Malware and File Policy. Example rule list, top to bottom:
ACP Rule ... Drop
ACP Rule ... Intrusion, Malware, Allow
ACP Rule ... Malware, Allow
ACP Rule ... Malware, Allow
Default ... Intrusion

A rule must be set to Allow or Interactive Block for the per-rule Intrusion and Malware and File policies to be applied to its traffic.

Page 39: ACP (Access Control Policy) – When Adding New FirePower

(Diagram) FirePower VM, FMC

Page 40: ACP (Access Control Policy) – After Adding New FirePower (screenshot)

Page 41: ACP (Access Control Policy) – Policy Structure (screenshot)

Pages 42–45: ACP (Access Control Policy) – Policy Assignments (screenshots)

Pages 46–48: ACP (Access Control Policy) – Policy Rule Structure (screenshots)

Page 49: ACP (Access Control Policy) – Policy Rule Structure (continued)

• Allow = Matching traffic is allowed; however, prohibited files, malware, intrusions, and exploits within that traffic are detected and blocked. Remaining non-prohibited, non-malicious traffic is allowed to its destination.
• Trust = Matching traffic is allowed to pass to its destination without further inspection. Traffic that does not match continues to the next rule.
• Monitor = Monitor rules track and log network traffic but do not affect traffic flow. The system continues to match traffic against additional rules to determine whether to permit or deny it.
• Block = Matching traffic is blocked without further inspection.
• Block with Reset = Matching traffic is blocked without further inspection, and the connection is reset.
• Interactive Block = Gives users a chance to bypass a website block by clicking through a customizable warning page, called an HTTP response page. If the user bypasses the block, the rule acts as an Allow rule.
• Interactive Block with Reset = Gives users a chance to bypass a website block by clicking through a customizable warning page, called an HTTP response page, and also resets the connection. If the user bypasses the block, the rule acts as an Allow rule.

Pages 50–51: ACP (Access Control Policy) – Policy Rule Structure (continued) (screenshots)

Page 52: ACP (Access Control Policy) – Connection Events (screenshot)

Page 53: User Identity

Page 54: User Identity – Overview

(Diagram) FirePower VM, FMC, Windows 7, Mac Sierra, Internet, Users; identity sources AD, LDAP, ISE

Page 55: User Identity – Passive

(Diagram) FirePower VM, FMC, Windows 7, Mac Sierra, Internet, Users, AD, LDAP, ACP; User Auth between the users and AD/LDAP, and a User Auth Exchange through the UA (User Agent)

Page 56: User Identity – Passive – Configuration Process

User Agent (UA) → Realm → Identity Policy → ACP Policy

• User Agent: Is used to share authentication information from the identity store to the FMC in real time, which then shares it with the FP.
• Realm: Is used to set up the identity stores that will be used for authentication, and to download the user and group information to use in the ACPs.
• Identity Policy: Is used to set up who is going to require authentication for ACP policies to work.
• ACP Policy: Is used to enable the Identity Policy, and configure ACPs that have user identity information.

Page 57: User Identity – Passive – User Agent

The Active Directory server must be running Windows Server 2008 or Windows Server 2012.

You can install an agent on any Microsoft Windows Vista, Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008, or Microsoft Windows Server 2012 computer with TCP/IP access to the Microsoft Active Directory servers you want to monitor. You can also install on an Active Directory server running one of the supported operating systems.

Pages 58–59: User Identity – Passive – User Agent (screenshots)

Page 60: User Identity – Passive – Realm (FMC screenshot)

Page 61: User Identity – Passive – Realm (continued) (screenshot)

Pages 62–66: User Identity – Passive – Identity Policy (screenshots)

Page 67: User Identity – Passive – ACP Rule (screenshot)

Page 68: SSL

Page 69: SSL – Overview

(Diagram) FirePower VM, FMC, Windows 7, Mac Sierra, Internet, AD, LDAP, ACP; the FirePower performs Decryption/Re-encryption between the clients and the Internet

Page 70: SSL – Resign

(Diagram) FirePower VM with ACP; a CA Cert with keyCertSign is used to resign the server certificate (Resign → Resigned); Root CA Pub

Page 71: SSL – Resign Example

(Certificate screenshots) Key usage shown on the CA certificate: keyCertSign. Key usage shown on the server certificate: Digital Signature, Non-Repudiation, Key Encipherment.
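The slide above contrasts the key usages of the two certificates. As an added example that is not part of the Cisco Live deck, the following Python decodes the X.509 KeyUsage extension value (the DER BIT STRING defined in RFC 5280 section 4.2.1.3) and checks for keyCertSign, which is the pre-check an administrator would want before uploading a certificate as the Decrypt-Resign CA: a certificate carrying only Digital Signature, Non-Repudiation and Key Encipherment is a server certificate and cannot issue the re-signed certificates. The two DER byte strings are constructed by hand to match the usages shown on the slide and are not taken from any real certificate.

```python
# Added example (not from the Cisco Live deck): decode an X.509 KeyUsage
# extension value (DER BIT STRING, RFC 5280 4.2.1.3) and check whether a
# certificate is usable as an SSL-resign CA, i.e. carries keyCertSign.
# The DER values at the bottom are constructed to match the slide; they are
# not taken from a real certificate.

KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (contentCommitment in newer RFC text)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into the set of named usages.

    Layout: tag 0x03, one short-form length byte, one 'unused bits' byte,
    then the bit bytes; KeyUsage bit 0 sits in the most significant position.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported BIT STRING length")
    unused = der[2]
    if not 0 <= unused <= 7:
        raise ValueError("unused-bits byte out of range")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, offset = divmod(i, 8)
        if body[byte] & (0x80 >> offset):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def can_resign(der: bytes) -> bool:
    """Only a certificate whose KeyUsage includes keyCertSign may act as the
    Decrypt-Resign CA; RFC 5280 requires that bit on any certificate issuer."""
    return "keyCertSign" in decode_key_usage(der)


# Constructed sample values (not from any real certificate):
# CA certificate on the slide: keyCertSign only -> bit 5 -> 0b00000100, 2 unused bits
CA_KEY_USAGE = bytes([0x03, 0x02, 0x02, 0x04])
# Server certificate on the slide: Digital Signature, Non-Repudiation,
# Key Encipherment -> bits 0,1,2 -> 0b11100000, 5 unused bits
SERVER_KEY_USAGE = bytes([0x03, 0x02, 0x05, 0xE0])

if __name__ == "__main__":
    for name, der in (("CA cert", CA_KEY_USAGE), ("server cert", SERVER_KEY_USAGE)):
        print(f"{name}: {sorted(decode_key_usage(der))}, can resign: {can_resign(der)}")
```

The decoder only handles the short-form length that a KeyUsage value always uses; on a real certificate the bytes would come from the extension's OCTET STRING contents, and the same check would be paired with a look at basicConstraints CA=TRUE.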

Page 72: SSL – Known Key

(Diagram) Company Servers SRV1, SRV2, SRV3, each with a Public Key and Private Key; the FirePower VM (with ACP) holds the server private key ("SRV 1- Private Key"); Root CA Pub

Page 73: SSL – Resign – Configuration Process

SSL CA Certificate Creation → SSL Policy → ACP Policy

• SSL Certificate Creation: Is used to resign the server certificate that the user is accessing via SSL.
• SSL Policy: Is used to configure which traffic is going to be decrypted, and how.
• ACP Policy: Is used to enable the SSL Policy, and configure ACPs that have user identity information.

Pages 74–79: SSL – Resign – SSL CA Certificate Creation (screenshots)

Page 80: SSL – Resign – SSL CA Certificate Creation (continued)

• Technically, you can use the same CA Certificate on all the FPs, but it is not recommended, since you will need to assign a CN that is typically the FP FQDN.
• Revocation also becomes an issue when all FPs have the same CA Certificate.

Pages 81–83: SSL – Resign – SSL Policy (screenshots)

Page 84: SSL Resign – SSL Policy (continued)

• Decrypt – Resign = Use a resign certificate to do a man-in-the-middle and resign the server certificate that is being sent from the server the client is trying to connect to.
• Decrypt – Known Key = Use a known private key to decrypt the communication with the server the client is trying to connect to.
• Do not Decrypt = Inspect the encrypted traffic with the access control policy.
• Block = Block the SSL session without further inspection.
• Block with Reset = Block the SSL session without further inspection and reset the TCP connection.
• Monitor = Monitor rules track and log network traffic but do not affect traffic flow. The system continues to match traffic against additional rules to determine whether to decrypt, not decrypt, or block it.
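The SSL policy actions on this slide, the ACP rule actions on page 49 and the passive-identity pipeline on page 56 all describe the same ordered, first-match evaluation, with Monitor as the one action that logs and lets evaluation continue. The Python below is an added example, not code from the deck or from Cisco: it fills in the user on a flow from an IP-to-user mapping, as the User Agent and realm would supply it, then evaluates a constructed ACP and a constructed SSL policy top to bottom. All rule names, addresses, users and the log format are assumptions made for the example.

```python
# Added example (not from the Cisco Live deck, not Cisco code): a minimal
# model of ordered, first-match rule evaluation with Monitor as the only
# non-terminal action. It covers the ACP actions (page 49), user-identity
# conditions fed by an IP-to-user mapping (page 56) and the SSL policy
# actions (page 84). Every rule, address and user below is constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Actions that end evaluation; Monitor is deliberately absent.
TERMINAL_ACTIONS = {
    "Allow", "Trust", "Block", "Block with Reset",
    "Interactive Block", "Interactive Block with Reset",
    "Decrypt - Resign", "Decrypt - Known Key", "Do not Decrypt",
}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str = ""                # application as AVC would classify it
    sni: str = ""                # TLS server name, used by SSL policy rules
    user: Optional[str] = None   # filled in from the identity mapping


@dataclass
class Rule:
    name: str
    action: str
    match: Callable[[Flow], bool]


@dataclass
class Verdict:
    action: str
    rule: str
    log: List[str] = field(default_factory=list)


def resolve_user(flow: Flow, ip_to_user: Dict[str, str]) -> Flow:
    """Passive identity: the User Agent reports AD logons as IP -> user and the
    realm supplies the user/group data; the rule engine only sees the mapping."""
    flow.user = ip_to_user.get(flow.src_ip)
    return flow


def evaluate(rules: List[Rule], flow: Flow, default_action: str) -> Verdict:
    """First terminal match wins. A matching Monitor rule is logged and
    evaluation continues, as the slides describe for both ACP and SSL policy."""
    log: List[str] = []
    for rule in rules:
        if not rule.match(flow):
            continue
        if rule.action == "Monitor":
            log.append(f"monitor:{rule.name}")
            continue
        if rule.action not in TERMINAL_ACTIONS:
            raise ValueError(f"unknown action {rule.action!r} in rule {rule.name!r}")
        return Verdict(rule.action, rule.name, log)
    return Verdict(default_action, "Default", log)


# Constructed ACP, top to bottom: log every SSH flow, allow SSH only for alice,
# reset everyone else's SSH, trust the backup server, allow web.
ACP = [
    Rule("Log all SSH", "Monitor", lambda f: f.dst_port == 22),
    Rule("Admins SSH", "Allow", lambda f: f.dst_port == 22 and f.user == "alice"),
    Rule("Block SSH", "Block with Reset", lambda f: f.dst_port == 22),
    Rule("Trust backups", "Trust", lambda f: f.dst_ip == "192.0.2.10"),
    Rule("Web", "Allow", lambda f: f.dst_port in (80, 443)),
]
IP_TO_USER = {"192.0.2.50": "alice", "192.0.2.51": "bob"}  # constructed UA data

# Constructed SSL policy: known key for the company's own server, no
# decryption for a pinned domain, resign for the rest of outbound HTTPS.
SSL_POLICY = [
    Rule("Own servers", "Decrypt - Known Key", lambda f: f.dst_ip == "192.0.2.20"),
    Rule("Pinned sites", "Do not Decrypt", lambda f: f.sni.endswith("example.net")),
    Rule("Outbound HTTPS", "Decrypt - Resign", lambda f: f.dst_port == 443),
]


def acp_verdict(src_ip: str, dst_ip: str, dst_port: int) -> Verdict:
    flow = resolve_user(Flow(src_ip, dst_ip, dst_port), IP_TO_USER)
    return evaluate(ACP, flow, "Block")


def ssl_verdict(src_ip: str, dst_ip: str, sni: str) -> Verdict:
    return evaluate(SSL_POLICY, Flow(src_ip, dst_ip, 443, "HTTPS", sni), "Do not Decrypt")


if __name__ == "__main__":
    print(acp_verdict("192.0.2.50", "198.51.100.5", 22))   # alice: Allow, monitor logged
    print(acp_verdict("192.0.2.51", "198.51.100.5", 22))   # bob: Block with Reset
    print(ssl_verdict("192.0.2.51", "192.0.2.20", "intranet.example.com"))  # Known Key
```

Because Monitor never ends evaluation, a flow that hits the Monitor rule and then the Block with Reset rule is still reset; the monitor entry only appears in the verdict's log, which is how it would surface in connection events.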

Pages 85–91: SSL – Resign – SSL Policy (continued) (screenshots)

Pages 92–94: SSL – Resign – ACP Policy (screenshots)

Page 95: Challenges with SSL Resign

• RFC 7469 Public Key Pinning Extension for HTTP: Is a security mechanism administered in the HTTP header that protects an HTTPS website from being taken over by attackers using mis-issued, or otherwise fraudulent, certificates.
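To show concretely why pinning is a challenge for Decrypt – Resign, the following Python is an added example, not part of the deck: it parses a Public-Key-Pins header the way an RFC 7469 client does, computes pin-sha256 values, and compares the origin's chain and a chain re-signed by the FirePower CA against the remembered pins. The header, host names and the "SPKI" byte strings are constructed for the example (real pins are computed over the DER SubjectPublicKeyInfo of the certificate); the outcome is the one the slide warns about, and the usual mitigation is a Do not Decrypt rule for such hosts.

```python
# Added example (not from the Cisco Live deck): RFC 7469 HTTP Public Key
# Pinning as a client evaluates it, and why a Decrypt - Resign rule trips it.
# The client remembers SHA-256 hashes of SubjectPublicKeyInfo values from the
# Public-Key-Pins header; a chain built by the FirePower resign CA contains
# none of those keys, so the client refuses the connection.
# Header, host names and the "SPKI" byte strings below are constructed.
import base64
import hashlib
from typing import Dict, List, Optional


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_public_key_pins(header: str) -> Dict[str, object]:
    """Parse a Public-Key-Pins header into pins, max-age and includeSubDomains.

    RFC 7469 requires at least two pin-sha256 directives (one must be a
    backup pin) and a max-age; a header missing either is invalid and ignored.
    """
    pins: List[str] = []
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if len(pins) < 2 or max_age is None:
        raise ValueError("invalid Public-Key-Pins header: need >=2 pins and max-age")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def chain_matches_pins(chain_spkis: List[bytes], pins: List[str]) -> bool:
    """Pin validation passes if ANY certificate in the chain has a pinned SPKI."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


# Constructed material (placeholders, not real keys or DER):
ORIGIN_LEAF_SPKI = b"constructed-spki:origin-server-leaf"
ORIGIN_INTERMEDIATE_SPKI = b"constructed-spki:origin-intermediate-ca"
BACKUP_SPKI = b"constructed-spki:origin-backup-key"
RESIGN_CA_SPKI = b"constructed-spki:firepower-resign-ca"
RESIGNED_LEAF_SPKI = b"constructed-spki:firepower-generated-leaf"

# The header the origin sent on an earlier, un-intercepted visit (constructed).
PKP_HEADER = (
    f'pin-sha256="{spki_pin(ORIGIN_INTERMEDIATE_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)


def resign_breaks_pinning() -> bool:
    """True when the origin's chain passes the pins but the re-signed one fails."""
    policy = parse_public_key_pins(PKP_HEADER)
    original_ok = chain_matches_pins(
        [ORIGIN_LEAF_SPKI, ORIGIN_INTERMEDIATE_SPKI], policy["pins"])
    resigned_ok = chain_matches_pins(
        [RESIGNED_LEAF_SPKI, RESIGN_CA_SPKI], policy["pins"])
    return original_ok and not resigned_ok


if __name__ == "__main__":
    print("pinned site is refused under Decrypt - Resign:", resign_breaks_pinning())
```

Note that the pin set is learned on a visit that was not intercepted; a client that has never seen the origin directly would accept the re-signed chain, which is why pinning failures show up unevenly across users after an SSL policy is deployed.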

Page 96: SSL – Known Key – Configuration Process

SSL Public, and Private Key → SSL Policy → ACP Policy

• SSL Public, and Private Key: Is used for the FMC to share the private key with the FP that will be used to decrypt SSL traffic from the server that is protecting the information using the public key.
• SSL Policy: Is used to configure which traffic is going to be decrypted, and how.
• ACP Policy: Is used to enable the SSL Policy, and configure ACPs that have user identity information.

Page 97: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


SSL- Known Key – SSL Public, and Private Key

[Diagram: company servers SRV1, SRV2 and SRV3, each with its certificate and private key exported in PEM format]


Page 98: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


SSL- Known Key – SSL Public, and Private Key

[Screenshot: uploading the server's Public PEM and Private PEM to the FMC]


Page 99: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


SSL- Known Key – SSL Public, and Private Key


Page 100: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


SSL- Known Key – SSL Public, and Private Key


Page 101: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


SSL- Known Key – SSL Public, and Private Key


Page 102: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200

Lab Ideas

Page 103: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


Lab Gear Needed

• Cisco C Series Server: 700 GB HD, 128 GB RAM, 4 Port Gigabit Ethernet

• Cisco C3560X 24 port

• Internet Connection

• Free Version of vSphere Hypervisor 6.x


Page 104: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


FirePower Topology

[Diagram: Internet, FP (FirePower), DNS, DHCP, AD, LDAP, Cert Server, Mac, PC, and a VM on vSphere Hypervisor 6.x]

Page 105: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


Overall Topology

[Diagram: Internet, FP, DNS, DHCP, AD, LDAP, Cert Server, Mac, PC, ISE, WSA, ESA, ACS, vWLC]


Page 106: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


Lab Gear Needed for Budget Topology

• Raspberry PI 3

• Internet Connection

• Cisco 2960C 10 port

• Intel Compute Stick

• Free Version of vSphere Hypervisor 6.x

• Spare PC


Page 107: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


Alternative Topology

[Diagram: Windows 10, Linux, DNS/DHCP, Internet, FP, LDAP/CA Server, Linux]


Page 108: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


Raspberry PI Setup at Home

[Photo: Cisco 2960C 10 port, Sabrent 60 Watt, GeauxRobot]


Page 109: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200

FirePower Classes

Page 110: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


SSFIPS - Securing Networks with Cisco FirePower Next-Generation IPS

• This lab-intensive course introduces you to the basic next-generation intrusion prevention system (NGIPS) and firewall security concepts. The course then leads you through the Cisco Firepower system. Among other powerful features, you will become familiar with:

• In-depth event analysis

• NGIPS tuning and configuration

• Snort® rules language

• 4 Day ILT

• 5 Day Virtual Training


Page 111: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


FIREPOWER200 – Securing Networks with Cisco FirePower Threat Defense NGFW

• This lab-intensive course introduces you to the basic next-generation intrusion prevention system (NGIPS) and next-generation firewall (NGFW) security concepts. The course then leads you through the Cisco Firepower system. Among other powerful features, you become familiar with:

• Firepower Threat Defense configuration

• In-depth event analysis

• NGIPS tuning and configuration

• 5 Day ILT

• 5 Day Virtual Training


Page 112: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


DSACI – Deploying Security in Cisco ACI

• This course begins with a brief overview of the Cisco ACI architecture, including an examination of the Cisco Nexus 9000 Series Switches for data centers. You then discover how to implement security mechanisms in the operational infrastructure of a Cisco ACI environment, and explore the process for provisioning security services in Cisco ACI, including external Cisco Adaptive Security Appliance (ASA), Adaptive Security Virtual Appliance (ASAv) instances, and Cisco Firepower capabilities.

• This course combines lecture materials and hands-on labs throughout to make sure you are able to successfully deploy, configure, and maintain Cisco ACI security.

• 5 Day ILT


Page 113: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


Page 114: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


Complete Your Online Session Evaluation

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Page 115: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions


Page 116: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200

Thank you

Page 117: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200