It's been a long and remarkable journey to finally complete my CCNP Security track. I started a couple of years back by passing the old CCNP Security SECURE exam. It sure feels great not being a CCNP Security wannabe anymore! This isn't the end of my network security journey as I still have more to learn and who knows perhaps pursue CCIE Security in the near future.
Doing the proof of concept (POC) for CWS and being fortunate enough to be trained on Cisco's next-generation IPS (NGIPS) triggered me to take the SITCS 300-207 exam. The release of the SITCS official certification guide (OCG) has been slow, so I just decided to take the plunge. I was sent to Global Knowledge Singapore for hands-on training on both FireSight (a.k.a. Defense Center) and the FirePOWER module on a Cisco ASA 5515-X next-generation firewall (NGFW).
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.3(1) // MINIMUM ASA VERSION 9.2.2 REQUIRED TO RUN FIREPOWER
Device Manager Version 7.3(1)101
Compiled on Wed 23-Jul-14 18:16 PDT by builders
System image file is "disk0:/asa931-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 18 hours 42 mins
Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 78da.6e98.5250, irq 11
1: Ext: GigabitEthernet0/0 : address is 78da.6e98.5254, irq 10
2: Ext: GigabitEthernet0/1 : address is 78da.6e98.5251, irq 10
3: Ext: GigabitEthernet0/2 : address is 78da.6e98.5255, irq 5
4: Ext: GigabitEthernet0/3 : address is 78da.6e98.5252, irq 5
5: Ext: GigabitEthernet0/4 : address is 78da.6e98.5256, irq 10
6: Ext: GigabitEthernet0/5 : address is 78da.6e98.5253, irq 10
7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
10: Ext: Management0/0 : address is 78da.6e98.5250, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Enabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA 5515 Security Plus license.
Serial Number: FCH174374E3
Running Permanent Activation Key: 0xa205e877 0x74bc8194 0xf1e311bc 0xedec64d0 0x4016ffac
Configuration register is 0x1
Configuration last modified by enable_15 at 14:10:22.468 UTC Thu Jul 30 2015
ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V02 , SN: FGL1745417T
Name: "Storage Device 1", DESCR: "Micron 128 GB SSD MLC, Model Number: C400-MTFDDAC128MAM" // 128 GB SSD REQUIRED FOR FIREPOWER TO RUN; CAN USE THIRD PARTY VENDOR
PID: N/A , VID: N/A , SN: MXA1729023Z
ciscoasa# session ?
Available module ID(s):
cxsc Module ID
ips Module ID
sfr Module ID
ciscoasa# session sfr ?
console Login to console port on another module.
do Execute a command on another module.
ip Configure Module logging port ip addresses
<cr>
ciscoasa# session sfr console // LOGIN TO FIREPOWER IPS MODULE
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
^
configure Change to Configuration mode
end Return to the default mode
exit Exit this CLI session
expert Invoke a shell
help Display an overview of the CLI syntax
history Display the current session's command line history
logout Logout of the current CLI session
show Change to Show Mode
system Change to System Mode
> show time
UTC - Thu Jul 30 12:03:36 UTC 2015
Localtime - Thu Jul 30 08:03:37 EDT 2015
> ~30
Escape Sequence detected
Console session with module sfr terminated. // USE CTRL+SHIFT+6+X TO EXIT IPS MODULE
ciscoasa# show clock
08:03:04.219 UTC Thu Jul 30 2015
ciscoasa# clock set ?
hh:mm:ss Current Time
ciscoasa# clock set 12:04:00 ?
<1-31> Day of the month
MONTH Month of the year
ciscoasa# clock set 12:04:00 30 July ?
<1993-2035> Year
ciscoasa# clock set 12:04:00 30 July 2015 // ASA CLOCK MUST BE SYNCHRONIZED WITH FIREPOWER
ciscoasa# show clock
12:04:04.779 UTC Thu Jul 30 2015
ciscoasa# write memory
Building configuration...
Cryptochecksum: db90e6c9 1fd7c39a 6eb2b08b 39694900
3521 bytes copied in 0.700 secs
[OK]
ciscoasa# sw-module ?
module Act on a module
ciscoasa# sw-module module ?
Available module ID(s):
cxsc Module ID
ips Module ID
sfr Module ID
ciscoasa# sw-module module sfr ?
recover Configure recovery of this module
reload Reload the module
reset Reset the module
shutdown Shut down the module
uninstall Uninstall the module
ciscoasa# sw-module module sfr reload // MUST RELOAD FIREPOWER MODULE
Reload module sfr? [confirm]
Reload issued for module sfr.
ciscoasa# show module ?
Available module ID(s):
0 Module ID
all show all module information for all slots
cxsc Module ID
ips Module ID
sfr Module ID
| Output modifiers
<cr>
ciscoasa# show module sfr ?
details show detailed hardware module information
log show logs for this module
recover show recover configuration for this module
| Output modifiers
<cr>
ciscoasa# show module sfr detail
Getting details from the Service Module, please wait...
Unable to read details from module sfr
Card Type: FirePOWER Services Software Module
Model: ASA5515
Hardware version: N/A
Serial Number: FCH174374E3
Firmware version: N/A
Software version: 5.3.1-152
MAC Address Range: 78da.6e98.524e to 78da.6e98.524e
App. name: ASA FirePOWER
App. Status: Not Applicable
App. Status Desc: Not Applicable
App. version: 5.3.1-152
Data Plane Status: Not Applicable
Console session: Ready
Status: Init
ciscoasa# show module sfr detail
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5515
Hardware version: N/A
Serial Number: FCH174374E3
Firmware version: N/A
Software version: 5.3.1-152
MAC Address Range: 78da.6e98.524e to 78da.6e98.524e
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 5.3.1-152
Data Plane Status: Up
Console session: Ready
Status: Up // UP AFTER 3 MINS
DC addr: 192.168.48.24
Mgmt IP addr: 192.168.48.23
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.168.48.44
Mgmt web ports: 443
Mgmt TLS enabled: true
ciscoasa# show clock
12:10:03.879 UTC Thu Jul 30 2015
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Sourcefire3D login: admin
Password:
Last login: Thu Jul 30 11:57:50 UTC 2015 on ttyS1
Copyright 2001-2013, Sourcefire, Inc. All rights reserved. Sourcefire is
a registered trademark of Sourcefire, Inc. All other trademarks are
property of their respective owners.
Sourcefire Linux OS v5.3.1 (build 43)
Sourcefire ASA5515 v5.3.1 (build 152)
Last login: Thu Jul 30 12:11:15 on ttyS1
> show time
UTC - Thu Jul 30 12:10:19 UTC 2015
Localtime - Thu Jul 30 08:11:19 EDT 2015
ciscoasa# ping 192.168.48.100 // NTP SERVER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.48.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
FireSight is also configured to use the same local NTP server so that it stays synchronized with the FirePOWER IPS module; if the clocks drift apart, event timestamps on the two systems cannot be correlated.
On the ASA, we redirect all IP traffic (class-default) to the FirePOWER module, which applies the policies created in FireSight, and set the module to fail-close so that traffic stops flowing if the module fails instead of silently bypassing inspection.
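The ASA side of that setup, written out as an added example (this is not configuration from the original post; the NTP server address is the one pinged above, the NTP key is a placeholder, and the use of class-default in the global policy follows the post's description):

```cisco
! Added example, not from the original post.
! Assumes: NTP server 192.168.48.100 (pinged above), authentication key 1
! with a placeholder secret, and that FireSight points at the same NTP source.

! 1. Time. Use NTP rather than a manual "clock set" so the ASA, the
!    FirePOWER module (which takes its time from FireSight) and FireSight
!    all share one clock. Authenticated NTP stops a spoofed server from
!    skewing timestamps.
ntp authenticate
ntp authentication-key 1 md5 <shared-secret>
ntp trusted-key 1
ntp server 192.168.48.100 key 1 prefer
clock timezone UTC 0

! 2. Redirect all IP traffic to the sfr module.
!    Weak setting: fail-open lets traffic bypass the module whenever it is
!    not Up, for example during the "sw-module module sfr reload" above.
policy-map global_policy
 class class-default
  sfr fail-open

! Hardened setting: fail-close drops traffic while the module is down, so
! a crashed or reloading module cannot be used to slip past inspection.
! Plan module reloads as an outage when this is set.
policy-map global_policy
 class class-default
  no sfr fail-open
  sfr fail-close

service-policy global_policy global
```

Verify with `show service-policy sfr` (the class should show sfr packet counters climbing) and `show module sfr detail` (Status must be Up before traffic flows under fail-close). The `monitor-only` keyword on `sfr fail-open monitor-only` sends the module a copy of the traffic for evaluation only and never blocks, so it has no place in a production policy.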
A FireSight policy is created to block a website hosting malware.
To test, I went to a website, ihaveabadreputation.com/eicar.com, which hosted malware. FireSight can also show the file's trajectory and the timing of its spread through the network.
FireSight can also block a URL such as www.poker.com using category- and reputation-based filtering (RBF).
FireSight can also be granular, for example blocking Windows Update.