Building Up Network Security: Intrusion Prevention and Sourcefire
Network security specialist Catherine Paquet fills you in on Sourcefire, Cisco's advanced threat protection platform, which integrates real-time contextual awareness, intelligent security automation and high performance with network intrusion prevention.
ABOUT THE PRESENTER
Catherine Paquet, CCSI, CCNP Security, CCNP Routing and Switching, is a network security specialist. She began her internetworking career as a LAN manager, then MAN manager, and eventually became a nationwide WAN manager with the Department of National Defence. Paquet lectures around the world on security topics, including firewalls, VPNs, intrusion prevention, identity systems, email and Web security, and router and switch security. In her spare time she authors Cisco Press books and volunteers as a network security analyst for nonprofit organizations. Paquet attended the Royal Military College Saint-Jean (Canada) and holds an MBA in Management Information Systems (MIS) from York University.

1. Building Up Network Security: Intrusion Prevention and Sourcefire Overview

2. © Global Knowledge Training LLC. All rights reserved. 9/1/2015
Presenter: Catherine Paquet, MBA (MIS), CCSI, CICSI, CCNP Sec, CCNP R&S, Cisco Security Instructor

3. Catherine Paquet
- Cisco security instructor
- Cisco Press author
- Cisco Systems emerging countries guest speaker
- Graduate of Royal Military College and York University
- Previously: DND WAN Manager
- Lives in Toronto

4. Topics
- Evolution of IDS / IPS
- Sourcefire overview
- FSMC
- ASA FirePOWER
- NGFW / URL Filtering
- NGIPS
- AMP
- IoC and File Trajectory
5. Terminology

6. Glossary (available from GoToWebinar handout section)
AD: Active Directory
AEGIS: Awareness, Education, Guidance, and Intelligence Sharing
AMP: Advanced Malware Protection
ASA: Adaptive Security Appliance (firewall)
CnC: Command and Control
CWA: Centralized Web Authentication
CWS: Cloud Web Security
DMZ: Demilitarized Zone
DC: Domain Controller
ESA: Email Security Appliance
FSMC: FireSIGHT Management Center (formerly SFDC)
IDS: Intrusion Detection System
IoC: Indication of Compromise
IP: Internet Protocol
IPS: Intrusion Prevention System
ISE: Identity Services Engine
LAN: Local Area Network
MAC: Media Access Control
Malvertising: Malware hidden in advertisements
MPF: Modular Policy Framework
NIC: Network Interface Card
NGFW: Next Generation Firewall
NGIPS: Next Generation IPS
RNA: Real-time Network Awareness (Context)
SaaS: Security as a Service
SF: Sourcefire
SFDC: Sourcefire Defense Center (now FSMC)
SHA: Secure Hash Algorithm
SIEM: Security Information and Event Management
SIO: Security Intelligence Operations (Cisco)
SSL: Secure Sockets Layer
SSM: Security Services Module
TALOS: Cisco SIO + Sourcefire VRT
TCP: Transmission Control Protocol
URL: Uniform Resource Locator
VRT: Vulnerability Research Team (Sourcefire)
WSA: Web Security Appliance
7. Security Roadmap Topology

8. [Topology diagram used throughout the deck: INTERNET - Perim-Rtr - HQ-ASA (HQ Outside / HQ Inside) - L3-Switch; DMZ subnet 172.16.1.0/24 with DMZ-Srv (.15); management subnet 10.10.2.0/24 with Sensor 10.10.2.200, SIEM 10.10.2.100 and Administrator 10.10.2.50; End User subnet]

9. Once upon a time, there was... Intrusion Detection

10. Passive IDS
- Packet analysis
- Signature-based
- Promiscuous mode: the sensor sees a copy of the traffic off the data path, so it can alert but cannot stop a packet
(Same topology; the sensor sits on the management subnet.)

11. Active IDS
- June 2003: Gartner announces the "death of IDS"
- Recommends that the firewall block attacks instead
(Same topology.)

12. IPS: inline to the data flow
- Powerful enough to work at wire speed
(Same topology; the sensor is now inline in the data path.)

13. IPS integrated
- ASA IPS SSM: traditional IPS
- ASA Sourcefire SSM
(Same topology; the sensor function moves into a module inside HQ-ASA.)

14. IPS Deployment
- Promiscuous vs. inline mode
- Fail open vs. fail close: when an inline sensor fails, fail-open passes traffic uninspected while fail-close drops it, so the choice is availability vs. assurance
- Network-based
- Host-based
- Anomaly detection
- Finally: context
(Topology adds an Endpoint Management Center and Endpoint Protection on the hosts.)

15. Context: passive network detection and context
- RNA provides visibility into:
  - IP address
  - OS
  - Services
  - Ports
16. Sourcefire Overview

17. (image only)

18. Cisco acquires Sourcefire (source: Gartner)
- Founded in 2001
- 2013: acquired by Cisco for US$2.7B
- 2014: technology integration within Cisco
  - Hardware and software
  - ClamAV, Snort
  - File reputation and dynamic analysis
  - Analysis of behaviours and containment
  - Retrospective protection
  - Visibility through dashboards
- 2015: EoL of non-Sourcefire IPS appliances

19. Sourcefire name changes (available from GoToWebinar handout section)
Former Sourcefire product name -> Current Cisco product name
- Sourcefire Defense Center -> Cisco FireSIGHT Management Center
- FirePOWER Series Appliances -> Cisco FirePOWER Series Appliances
- AMP for FirePOWER -> Cisco AMP for Networks
- FireAMP for Endpoints -> Cisco AMP for Endpoints
- FireAMP Private Cloud Virtual Appliance -> Cisco AMP Private Cloud Virtual Appliances
- Sourcefire SSL Appliances -> Cisco SSL Appliance
- Collective Security Intelligence Cloud -> Cisco Cloud, Cloud Services

20. The Sourcefire Advantage: NGFW, NGIPS, AMP
- Covers the attack continuum: before, during and after (plus URL filtering)

21. NGFW (source: Cisco Live! BRKSEC-2762, San Diego 2015)

22. NGFW with NGIPS (source: Cisco Live! BRKSEC-2762, San Diego 2015)

23. AMP
- File reputation
- Dynamic analysis (sandboxing)
- Retrospective security

24. Cisco's offerings
- FireSIGHT platforms (NGFW, NGIPS, AMP)
- AMP appliance
- ASA module
- AMP-only platforms:
  - ESA
  - WSA
  - CWS
  - AMP for Endpoints
(Pictured: desktop with AnyConnect 4.1 AMP Enabler; Cisco WSA with AMP (software); Cisco AMP 8350; Cisco AMP for Endpoints)
25. FireSIGHT Management Centre

26. (image only)

27. FireSIGHT Management Center: managing FirePOWER appliances
28. ASA FirePOWER

29. FirePOWER integrated services in ASA
- Security Services Module
  - Software
  - Hardware (5585-X)
(Same topology; HQ Outside is 200.200.1.0/24.)

    HQ-ASA# show module sfr details
    Getting details from the Service Module, please wait...
    Card Type:          FirePOWER Services Software Module
    Model:              ASA5515
    Hardware version:   N/A
    Serial Number:      FCH180278XU

30. Cisco ASA and Sourcefire FirePOWER services module

31. Redirecting traffic from ASA to the FirePOWER SSM
- Class-map: identify the traffic flow
- Policy-map: action to be applied to the traffic flow
- Service-policy: interface(s) responsible for enforcing the action on the traffic flow

    asa(config)# access-list DMZ permit tcp any host 172.16.1.15 eq www
    asa(config)# class-map TrafficDMZ
    asa(config-cmap)# match access-list DMZ
    asa(config)# policy-map SFR-DMZ
    asa(config-pmap)# class TrafficDMZ
    asa(config-pmap-c)# sfr fail-close
    asa(config)# service-policy SFR-DMZ interface dmz

Only traffic matched by the class-map (here, HTTP to the DMZ server 172.16.1.15) is handed to the module; everything else on the dmz interface is still handled by the ASA but never reaches FirePOWER, so check the ACL covers what you expect to inspect. "sfr fail-close" drops matched traffic if the module is down or restarting, "sfr fail-open" lets it through uninspected, and appending "monitor-only" to either sends the module a copy of the traffic (passive, IDS-style) instead of putting it inline.
32. NGFW

33. NGFW: file processing (source: FireSIGHT User Guide 5.4.0.1)

34. Separate license: URL Filtering
35. NGIPS

36. Sourcefire NGIPS (source: Cisco Live! BRKSEC-1030, San Diego 2015)

37. IPS Automation
38. AMP

39. AMP: File Disposition and Dynamic Analysis (source: Cisco Live! BRKSEC-2028, Melbourne 2015)
- The Cisco cloud is TALOS (Cisco SIO + Sourcefire VRT)
- The sensor sends the file's hash (SHA) to the cloud for a disposition lookup; the file itself stays on the network
- Retrospective security: a disposition that changes later is applied to files the sensor has already seen
40. Indication of Compromise; File Trajectory

41. Correlation analysis with context produces IoC (source: Cisco Live! BRKSEC-1030, San Diego 2015)
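Slides 15 and 41 describe the same mechanism from two ends: RNA learns each host's IP, OS, services and ports, and the correlation of intrusion events with that context is what turns a raw alert into an impact rating and, eventually, an Indication of Compromise. The following is an added example, not code from the deck, from Cisco or from Sourcefire; it models that correlation in Python. The impact levels are a simplified version of FireSIGHT's impact flags, and the rule SIDs, host profiles and events are constructed for the example.

```python
"""Context-aware rating of intrusion events (added example, constructed data).

Host profiles stand in for what RNA learns passively. Each IPS event is
rated by whether its target is actually exposed to what the rule detects,
then events are correlated into per-host Indications of Compromise.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HostProfile:
    """What passive discovery learned about one host."""
    ip: str
    os_family: str                                   # "windows", "linux", ...
    services: dict = field(default_factory=dict)     # open port -> service name


@dataclass(frozen=True)
class Signature:
    """Metadata an IPS rule carries (SIDs are made up for this example)."""
    sid: int
    msg: str
    affected_os: frozenset          # empty set = OS independent
    service_port: Optional[int]     # port of the attacked service, None = n/a
    category: str                   # "exploit" or "cnc" (constructed categories)


@dataclass(frozen=True)
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    dst_port: int
    sid: int


SIGNATURES = {
    1000001: Signature(1000001, "SMB buffer overflow attempt", frozenset({"windows"}), 445, "exploit"),
    1000002: Signature(1000002, "Apache Struts OGNL injection attempt", frozenset({"linux", "windows"}), 80, "exploit"),
    1000003: Signature(1000003, "IIS ISAPI overflow attempt", frozenset({"windows"}), 80, "exploit"),
    1000004: Signature(1000004, "Known botnet CnC beacon", frozenset(), None, "cnc"),
}

# Network map learned passively: the DMZ web server and one end-user host.
HOSTS = {
    "172.16.1.15": HostProfile("172.16.1.15", "linux", {80: "http", 22: "ssh"}),
    "10.10.3.20": HostProfile("10.10.3.20", "windows", {445: "smb", 3389: "rdp"}),
}


def impact(ev: IntrusionEvent, hosts: dict, sigs: dict) -> int:
    """Rate one event against the target's profile (simplified impact flags).

    1 = vulnerable: port open and the target OS is one the rule applies to
    2 = potentially vulnerable: port open, but the OS does not match
    3 = currently not vulnerable: the attacked port is not open on the host
    4 = unknown target: host is not in the network map
    """
    sig = sigs[ev.sid]
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4
    if sig.service_port is not None and ev.dst_port not in host.services:
        return 3
    if sig.affected_os and host.os_family not in sig.affected_os:
        return 2
    return 1


def indications_of_compromise(events, hosts: dict, sigs: dict) -> dict:
    """Correlate events with context: a known host gets an IoC when it is the
    target of an impact-1 event or the *source* of a CnC-category event."""
    iocs: dict = {}
    for ev in events:
        sig = sigs[ev.sid]
        if sig.category == "cnc":
            if ev.src_ip in hosts:
                iocs.setdefault(ev.src_ip, []).append(f"CnC connection: {sig.msg}")
        elif impact(ev, hosts, sigs) == 1:
            iocs.setdefault(ev.dst_ip, []).append(f"Impact 1 attack: {sig.msg}")
    return iocs


SAMPLE_EVENTS = [
    IntrusionEvent("203.0.113.5", "172.16.1.15", 80, 1000002),   # Struts vs Linux web server -> 1
    IntrusionEvent("203.0.113.5", "172.16.1.15", 80, 1000003),   # IIS rule vs Linux host     -> 2
    IntrusionEvent("203.0.113.5", "172.16.1.15", 445, 1000001),  # SMB rule, port 445 closed  -> 3
    IntrusionEvent("203.0.113.5", "10.10.3.20", 445, 1000001),   # SMB rule vs Windows host   -> 1
    IntrusionEvent("203.0.113.5", "10.10.3.99", 80, 1000002),    # host not in network map    -> 4
    IntrusionEvent("10.10.3.20", "198.51.100.7", 443, 1000004),  # internal host beacons out  -> IoC
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.dst_ip, ev.dst_port, SIGNATURES[ev.sid].msg, "-> impact", impact(ev, HOSTS, SIGNATURES))
    for ip, reasons in indications_of_compromise(SAMPLE_EVENTS, HOSTS, SIGNATURES).items():
        print("IoC on", ip, ":", "; ".join(reasons))
```

The point of the example is the triage it enables: the two impact-1 events and the outbound CnC beacon are the ones an analyst should open first, while the SMB rule firing against a Linux host with port 445 closed is noise that context alone demotes. In the real product the "vulnerable" decision also uses the host's vulnerability map and any imported scanner data, which this example omits.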
  42. 42. © Global Knowledge Training LLC. All rights reserved. 9/1/2015 Page 42 Host Profile
  43. 43. © Global Knowledge Training LLC. All rights reserved. 9/1/2015 Page 43 Network File Trajectory
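Slides 23, 39 and 43 together describe the AMP loop: the sensor hashes a file, asks the cloud for a disposition, sends unknown files to dynamic analysis, and keeps a per-hash trajectory so that when a verdict later flips to malware it can name every host the file already reached (retrospective security). Here is an added example of that loop in Python, not code from the deck, from Cisco or from Sourcefire; the reputation "cloud", the sandbox-eligible file types, the file bytes and the transfers are all constructed stand-ins so it runs offline.

```python
"""File disposition, retrospective security and network file trajectory
(added example with constructed data; not Cisco/Sourcefire code)."""
import hashlib
from dataclasses import dataclass

# Assumption: file types the sensor submits for dynamic analysis when unknown.
SANDBOX_TYPES = {"exe", "dll", "pdf", "docm"}


def sha256_hex(data: bytes) -> str:
    """AMP identifies files by SHA-256; the lookup never needs the file itself."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Transfer:
    ts: int            # constructed sequence number standing in for a timestamp
    src_ip: str
    dst_ip: str
    filename: str
    sha256: str


class ReputationCloud:
    """Offline stand-in for the TALOS lookup; verdicts may change over time."""

    def __init__(self) -> None:
        self._verdicts: dict = {}

    def disposition(self, sha256: str) -> str:
        return self._verdicts.get(sha256, "unknown")    # clean | malware | unknown

    def publish(self, sha256: str, verdict: str) -> None:
        self._verdicts[sha256] = verdict


class FileTrajectory:
    """Records every transfer per hash so a later verdict can be applied backwards."""

    def __init__(self, cloud: ReputationCloud) -> None:
        self.cloud = cloud
        self.events: list = []           # (Transfer, action) in arrival order
        self.last_verdict: dict = {}     # sha256 -> verdict the sensor last acted on
        self.sandbox_queue: list = []    # hashes handed to dynamic analysis

    def observe(self, t: Transfer) -> str:
        """Inline decision for one transfer: returns 'block' or 'allow'."""
        verdict = self.cloud.disposition(t.sha256)
        action = "block" if verdict == "malware" else "allow"
        self.events.append((t, action))
        self.last_verdict[t.sha256] = verdict
        ext = t.filename.rsplit(".", 1)[-1].lower()
        if verdict == "unknown" and ext in SANDBOX_TYPES and t.sha256 not in self.sandbox_queue:
            self.sandbox_queue.append(t.sha256)
        return action

    def trajectory(self, sha256: str) -> list:
        """Every hop of one file, oldest first."""
        return sorted((e for e in self.events if e[0].sha256 == sha256), key=lambda e: e[0].ts)

    def hosts_reached(self, sha256: str) -> set:
        return {t.dst_ip for t, action in self.trajectory(sha256) if action == "allow"}

    def retrospective_events(self) -> list:
        """Re-query each known hash; report changed verdicts with the hosts now exposed."""
        out = []
        for sha, old in list(self.last_verdict.items()):
            new = self.cloud.disposition(sha)
            if new != old:
                self.last_verdict[sha] = new
                out.append({"sha256": sha, "from": old, "to": new,
                            "hosts": sorted(self.hosts_reached(sha))})
        return out


# Constructed sample: one dropper that spreads to three hosts while still "unknown".
DROPPER_SHA = sha256_hex(b"MZ\x90\x00 constructed dropper bytes")
CLEAN_SHA = sha256_hex(b"%PDF-1.4 constructed clean invoice")


def run_scenario() -> dict:
    cloud = ReputationCloud()
    cloud.publish(CLEAN_SHA, "clean")
    ft = FileTrajectory(cloud)
    first = ft.observe(Transfer(1, "203.0.113.9", "10.10.3.20", "invoice.exe", DROPPER_SHA))
    ft.observe(Transfer(2, "10.10.3.20", "10.10.3.21", "invoice.exe", DROPPER_SHA))
    ft.observe(Transfer(3, "10.10.3.21", "172.16.1.15", "invoice.exe", DROPPER_SHA))
    ft.observe(Transfer(4, "203.0.113.9", "10.10.3.22", "invoice.pdf", CLEAN_SHA))
    cloud.publish(DROPPER_SHA, "malware")   # dynamic analysis / cloud flips the verdict
    retro = ft.retrospective_events()        # the "after" phase: who already has it?
    later = ft.observe(Transfer(5, "203.0.113.9", "10.10.3.23", "invoice.exe", DROPPER_SHA))
    return {"first": first, "later": later, "retro": retro,
            "sandboxed": list(ft.sandbox_queue),
            "reached": sorted(ft.hosts_reached(DROPPER_SHA))}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The first copy of the dropper is allowed because its hash is unknown at the time, which is exactly the gap retrospective security closes: once the verdict changes, the retrospective event lists the three hosts that already received it (the trajectory), and the fifth transfer is blocked inline. Lateral copies between internal hosts only show up if the sensor actually sees that traffic, so the trajectory is only as complete as the sensor placement chosen in slides 10 to 14.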
44. Conclusion

45. Sourcefire Summary (source: Cisco Live! BRKSEC-1030, San Diego 2015)

46. Sources
- FireSIGHT User Guide 5.4.0.1
- Cisco Security Blog
- Cisco SAFE Design Guide
- Cisco Live 365 presentations (CCO login required):
  - BRKSEC-1030, San Diego 2015
  - BRKSEC-2139, San Diego 2015
  - BRKSEC-2762, San Diego 2015
  - BRKSEC-2028, Melbourne 2015
  - BRKSEC-2016, San Francisco 2014

47. Cisco Security Courses
- CCNA Security e-Camp
- IINS: Implementing Cisco IOS Network Security
- SAEXS: Cisco ASA Express Security
- SENSS: Implementing Cisco Edge Network Security Solutions
- SIMOS: Implementing Cisco Secure Mobility Solutions
- SISAS: Implementing Cisco Secure Access Solutions
- SITCS: Implementing Cisco Threat Control Solutions
- ASA Lab Camp v9.0
- SASAA: Implementing Advanced Cisco ASA Security
- SASAC: Implementing Core Cisco ASA Security
- ACS: Cisco Secure Access Control System
- SISE: Implementing and Configuring Cisco Identity Services Engine
- SESA: Securing Email with Cisco Email Security Appliance
- SWSA: Securing the Web with Cisco Web Security Appliance
- Cisco FirePOWER Services and Cloud Web Security Workshop v1.0
- SSFAMP: Securing Cisco Networks with Sourcefire FireAMP Endpoints
- SSFIPS: Securing Cisco Networks with Sourcefire Intrusion Prevention System
- SSFRULES: Securing Cisco Networks with Snort Rule Writing Best Practices
- SSFSNORT: Securing Cisco Networks with Open Source Snort

48. GK Cisco Training Exclusives
- 6 months of:
  - Anytime access to Cisco Practice Labs
  - Anytime access to Boson Practice Exams
  - On-demand access to searchable class recordings of your virtual class
  - Unlimited retakes of your class
- Free Cisco certification exam voucher

49. Find Out More
- www.globalknowledge.ca: on-demand and live webinars, white papers, blog...
- www.globalknowledge.ca/security: courses