Saturday, September 26, 2015

Cisco FireSight and FirePower Next-Generation IPS (NGIPS)

It's been a long and remarkable journey to finally complete my CCNP Security track. I started a couple of years back by passing the old CCNP Security SECURE exam. It sure feels great not being a CCNP Security wannabe anymore! This isn't the end of my network security journey, as I still have more to learn and, who knows, perhaps I'll pursue CCIE Security in the near future.

Doing the proof of concept (POC) for CWS, and being fortunate enough to be trained on Cisco's next-generation IPS (NGIPS), triggered me to take the SITCS 300-207 exam. There's been a slowdown in releasing the SITCS official certification guide (OCG), so I just decided to take the plunge. I was sent to Global Knowledge Singapore for hands-on training on both FireSight (a.k.a. Defense Center) and the FirePower module on a Cisco ASA 5515-X next-generation firewall (NGFW).

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.3(1)    // MINIMUM ASA VERSION 9.2.2 REQUIRED TO RUN FIREPOWER
Device Manager Version 7.3(1)101

Compiled on Wed 23-Jul-14 18:16 PDT by builders
System image file is "disk0:/asa931-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 18 hours 42 mins

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

 0: Int: Internal-Data0/0    : address is 78da.6e98.5250, irq 11
 1: Ext: GigabitEthernet0/0  : address is 78da.6e98.5254, irq 10
 2: Ext: GigabitEthernet0/1  : address is 78da.6e98.5251, irq 10
 3: Ext: GigabitEthernet0/2  : address is 78da.6e98.5255, irq 5
 4: Ext: GigabitEthernet0/3  : address is 78da.6e98.5252, irq 5
 5: Ext: GigabitEthernet0/4  : address is 78da.6e98.5256, irq 10
 6: Ext: GigabitEthernet0/5  : address is 78da.6e98.5253, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is 78da.6e98.5250, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Enabled        perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH174374E3
Running Permanent Activation Key: 0xa205e877 0x74bc8194 0xf1e311bc 0xedec64d0 0x4016ffac
Configuration register is 0x1
Configuration last modified by enable_15 at 14:10:22.468 UTC Thu Jul 30 2015

ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515           , VID: V02     , SN: FGL1745417T

Name: "Storage Device 1", DESCR: "Micron 128 GB SSD MLC, Model Number: C400-MTFDDAC128MAM"   // 128 GB SSD REQUIRED FOR FIREPOWER TO RUN; CAN USE THIRD PARTY VENDOR
PID: N/A               , VID: N/A     , SN: MXA1729023Z

ciscoasa# session ?

Available module ID(s):
  cxsc  Module ID
  ips   Module ID
  sfr   Module ID
ciscoasa# session sfr ?

  console  Login to console port on another module.
  do       Execute a command on another module.
  ip       Configure Module logging port ip addresses
  <cr>
ciscoasa# session sfr console     // LOGIN TO FIREPOWER IPS MODULE
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

  ^
configure  Change to Configuration mode
end        Return to the default mode
exit       Exit this CLI session
expert     Invoke a shell
help       Display an overview of the CLI syntax
history    Display the current session's command line history
logout     Logout of the current CLI session
show       Change to Show Mode
system     Change to System Mode

> show time
UTC -       Thu Jul 30 12:03:36 UTC 2015
Localtime - Thu Jul 30 08:03:37 EDT 2015

> ~30
Escape Sequence detected
Console session with module sfr terminated.    // USE CTRL+SHIFT+6+X TO EXIT IPS MODULE

ciscoasa# show clock
08:03:04.219 UTC Thu Jul 30 2015
ciscoasa# clock set ?

  hh:mm:ss  Current Time
ciscoasa# clock set 12:04:00 ?

  <1-31>  Day of the month
  MONTH   Month of the year
ciscoasa# clock set 12:04:00 30 July ?

  <1993-2035>  Year
ciscoasa# clock set 12:04:00 30 July 2015     // ASA CLOCK MUST BE SYNCHRONIZED WITH FIREPOWER
ciscoasa# show clock
12:04:04.779 UTC Thu Jul 30 2015
ciscoasa# write memory
Building configuration...
Cryptochecksum: db90e6c9 1fd7c39a 6eb2b08b 39694900

3521 bytes copied in 0.700 secs
[OK]
ciscoasa# sw-module ?

  module  Act on a module
ciscoasa# sw-module module ?

Available module ID(s):
  cxsc  Module ID
  ips   Module ID
  sfr   Module ID
ciscoasa# sw-module module sfr ?

  recover    Configure recovery of this module
  reload     Reload the module
  reset      Reset the module
  shutdown   Shut down the module
  uninstall  Uninstall the module
ciscoasa# sw-module module sfr reload    // MUST RELOAD FIREPOWER MODULE

Reload module sfr? [confirm]
Reload issued for module sfr.

ciscoasa# show module ?

Available module ID(s):
  0     Module ID
  all   show all module information for all slots
  cxsc  Module ID
  ips   Module ID
  sfr   Module ID
  |     Output modifiers
  <cr>
ciscoasa# show module sfr ?

  details  show detailed hardware module information
  log      show logs for this module
  recover  show recover configuration for this module
  |        Output modifiers
  <cr>
ciscoasa# show module sfr detail
Getting details from the Service Module, please wait...
Unable to read details from module sfr

Card Type:          FirePOWER Services Software Module
Model:              ASA5515
Hardware version:   N/A
Serial Number:      FCH174374E3
Firmware version:   N/A
Software version:   5.3.1-152
MAC Address Range:  78da.6e98.524e to 78da.6e98.524e
App. name:          ASA FirePOWER
App. Status:        Not Applicable
App. Status Desc:   Not Applicable
App. version:       5.3.1-152
Data Plane Status:  Not Applicable
Console session:    Ready
Status:             Init  

ciscoasa# show module sfr detail
Getting details from the Service Module, please wait...

Card Type:          FirePOWER Services Software Module
Model:              ASA5515
Hardware version:   N/A
Serial Number:      FCH174374E3
Firmware version:   N/A
Software version:   5.3.1-152
MAC Address Range:  78da.6e98.524e to 78da.6e98.524e
App. name:          ASA FirePOWER
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       5.3.1-152
Data Plane Status:  Up
Console session:    Ready
Status:             Up      // UP AFTER 3 MINS
DC addr:            192.168.48.24                                              
Mgmt IP addr:       192.168.48.23                                              
Mgmt Network mask:  255.255.255.0                                              
Mgmt Gateway:       192.168.48.44                                              
Mgmt web ports:     443                                                        
Mgmt TLS enabled:   true     

ciscoasa# show clock
12:10:03.879 UTC Thu Jul 30 2015
ciscoasa# session sfr console           
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Sourcefire3D login: admin
Password:
Last login: Thu Jul 30 11:57:50 UTC 2015 on ttyS1

Copyright 2001-2013, Sourcefire, Inc. All rights reserved. Sourcefire is
a registered trademark of Sourcefire, Inc. All other trademarks are
property of their respective owners.

Sourcefire Linux OS v5.3.1 (build 43)
Sourcefire ASA5515 v5.3.1 (build 152)

Last login: Thu Jul 30 12:11:15 on ttyS1
> show time
UTC -       Thu Jul 30 12:10:19 UTC 2015
Localtime - Thu Jul 30 08:11:19 EDT 2015

ciscoasa# ping 192.168.48.100    // NTP SERVER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.48.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

FireSight is also configured with a local NTP server so that its clock stays synchronized with the FirePower IPS module.

The FirePower module is configured to apply the policies created in FireSight to all IP traffic (class-default); if the module fails, traffic stops flowing (fail-close).
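
Here is what the ASA-side commands for those two steps (pointing the ASA at the NTP server that was pinged above, then sending all traffic through the sfr module with fail-close) look like. This is an added example, not part of the post's own console capture; the NTP server 192.168.48.100 is the one from the ping above, while the interface name "inside" is an assumption.

```cisco
! Added example (not from the original capture). Assumes the NTP server
! 192.168.48.100 is reachable through an interface named "inside".
ciscoasa# configure terminal
! 1. Time sync: FirePOWER events are correlated by timestamp, so the ASA,
!    the module and FireSight must agree on the time.
ciscoasa(config)# ntp server 192.168.48.100 source inside prefer
! 2. Redirect every flow to the sfr module. "class-default" matches all IP
!    traffic; "fail-close" drops traffic when the module stops answering
!    (the default, "fail-open", would pass traffic through uninspected).
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# sfr fail-close
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy global_policy global
ciscoasa(config)# end
ciscoasa# write memory
! 3. Verify: NTP should report "synchronized", the service policy should
!    list the sfr action with its packet counters increasing, and the
!    module should be "Up" as in the show module output earlier.
ciscoasa# show ntp status
ciscoasa# show service-policy sfr
ciscoasa# show module sfr
```

In a lab you may want to start with "sfr fail-close monitor-only" so the module only reports what the FireSight policy would have dropped; switch to plain fail-close once the policy behaves as expected. Keep in mind that fail-open, the default, trades an outage for a window of uninspected traffic whenever the module reloads, which is exactly the situation shown above during "sw-module module sfr reload".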

A FireSight policy is created to block a website hosting malware.

To test, I went to the website ihaveabadreputation.com/eicar.com, which hosted malware. FireSight can also track the file trajectory, i.e. where and when the malware spread.

FireSight can also block the URL www.poker.com using category-based and reputation-based filtering (RBF).

FireSight can also be granular, for example by blocking Windows Update.
