Sourcefire Threat Detection: 
NGIPS – NGFW – Adv Malware 
Tim Ryan – Security CSE – SLED East 
Kevin Tracy – Security CSE – Commercial South 
Sept 2014
Agenda 
1. Next Generation Security Model 
2. Product Overviews 
3. ASA + Sourcefire Features & Architecture 
4. Deployment Scenarios 
5. Integration Roadmap and Vision 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
The Next Generation Security Model 
Attack Continuum (figure): BEFORE (Control, Enforce, Harden) – DURING (Detect, Block, Defend) – AFTER (Scope, Contain, Remediate), spanning Network, Endpoint, Mobile, Virtual and Cloud; point-in-time controls versus continuous ones. 
BEFORE THE ATTACK: You need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSIGHT). What device types, users and applications should be on the network? 
Access Controls, Enforce Policy, Manage Applications And Overall Access To Assets. 
Access Controls reduce the surface area of attack, but there will still be holes that the bad guys will find. 
ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective. 
The Next Generation Security Model 
DURING THE ATTACK: 
Must have the highest efficacy threat detection mechanisms possible 
Detection methods MUST be multi-dimensional and correlated 
Once we detect attacks, NGIPS can block them and dynamically defend the environment 
(same Attack Continuum figure: BEFORE / DURING / AFTER across Network, Endpoint, Mobile, Virtual and Cloud; point in time versus continuous) 
Collective Security Intelligence 
Sourcefire 
NGIPS / NG Firewall Features 
FireSIGHT 
What are the Key FireSIGHT Components? 
Network Discovery & Connection Awareness 
Host discovery 
• Identifies OS, protocols and services running on each host 
• Reports on potential vulnerabilities present on each host, based on the information it has gathered 
Application identification 
• FireSIGHT can identify over 1900 unique applications using OpenAppID 
• Includes applications that run over web services such as Facebook or LinkedIn 
• Applications can be used as criteria for access control 
User discovery 
• Monitors for user IDs transmitted as services are used (these passively observed IDs are not authoritative) 
• Integrates with MS AD servers to authoritatively identify users 
• Only authoritative users can be used as access control criteria 
Sourcefire FireSIGHT Technology 
FireSIGHT Discovery 
Discovery is reported to you by way of events: 
• Connection events are recorded as every connection in a monitored network is seen 
• Host events are recorded when something new on a host is detected or a change to a host is detected 
Information about all the hosts in your environment is stored in host profiles 
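An added example (not from the slides, not Sourcefire or Cisco code) of the discovery loop these events describe: a passive network-map builder that records every connection, keeps a profile per monitored host, and emits host events when a new host, a new service, or a changed OS is seen. The monitored range, the connection records and the TTL-based OS guess are all constructed stand-ins for what a sensor would really fingerprint.

```python
"""Passive host discovery driven by connection records, in the style of the
FireSIGHT discovery events described above. Added illustration, not
Sourcefire/Cisco code. The connection records are constructed sample data and
the TTL-based OS guess is a stand-in for the sensor's real fingerprinting."""
from ipaddress import ip_address, ip_network

MONITORED = ip_network("10.1.0.0/16")   # assumed discovery scope

# Crude passive OS guess from the responder's initial IP TTL (stand-in only).
TTL_OS = [(64, "Linux"), (128, "Windows"), (255, "Network device")]


def guess_os(ttl):
    return next((name for ceiling, name in TTL_OS if ttl <= ceiling), "Unknown")


class Discovery:
    """Builds host profiles from connections and emits host events on change."""

    def __init__(self):
        self.profiles = {}           # ip -> {"os": str, "services": {(proto, port): first_seen}}
        self.connection_events = []  # every connection seen, as the slide describes
        self.host_events = []        # (event, ip, detail) for new hosts / changes

    def observe(self, conn):
        self.connection_events.append(conn)
        ip = conn["dst_ip"]
        if ip_address(ip) not in MONITORED:
            return                   # profiles are kept only for monitored hosts
        prof = self.profiles.get(ip)
        if prof is None:
            prof = self.profiles[ip] = {"os": None, "services": {}}
            self.host_events.append(("new host", ip, conn["ts"]))
        key = (conn["proto"], conn["dst_port"])
        if key not in prof["services"]:
            prof["services"][key] = conn["ts"]
            self.host_events.append(("new service", ip, f"{key[0]}/{key[1]}"))
        os_guess = guess_os(conn["resp_ttl"])
        if prof["os"] is not None and prof["os"] != os_guess:
            # A changed OS on a known IP deserves an alert: a re-imaged box, or
            # a different device now answering on that address.
            self.host_events.append(("os changed", ip, f"{prof['os']} -> {os_guess}"))
        prof["os"] = os_guess


# Constructed connection records (responder TTL as a web/SMB/SSH server would answer).
SAMPLE_CONNECTIONS = [
    {"ts": 1, "src_ip": "10.1.5.7", "dst_ip": "10.1.1.10", "proto": "tcp", "dst_port": 80, "resp_ttl": 128},
    {"ts": 2, "src_ip": "10.1.5.7", "dst_ip": "10.1.1.10", "proto": "tcp", "dst_port": 80, "resp_ttl": 128},
    {"ts": 3, "src_ip": "10.1.5.8", "dst_ip": "10.1.1.10", "proto": "tcp", "dst_port": 445, "resp_ttl": 128},
    {"ts": 4, "src_ip": "10.1.5.8", "dst_ip": "10.1.1.20", "proto": "tcp", "dst_port": 22, "resp_ttl": 64},
    {"ts": 5, "src_ip": "10.1.5.9", "dst_ip": "10.1.1.20", "proto": "tcp", "dst_port": 22, "resp_ttl": 128},
    {"ts": 6, "src_ip": "10.1.5.9", "dst_ip": "198.51.100.4", "proto": "tcp", "dst_port": 443, "resp_ttl": 52},
]


def run_sample():
    d = Discovery()
    for conn in SAMPLE_CONNECTIONS:
        d.observe(conn)
    return d


if __name__ == "__main__":
    d = run_sample()
    for ev in d.host_events:
        print(ev)
    print(d.profiles)
```

The second connection at ts=2 produces a connection event but no host event, the SMB connection at ts=3 adds a service to an existing profile, and the last connection is recorded but never profiled because its responder is outside the monitored range.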
Sourcefire FireSIGHT Technology 
FireSIGHT Discovery 
By knowing the details of what’s running in your environment, the 
Sourcefire System can produce a list of what vulnerabilities likely exist 
This allows the Sourcefire System to put intrusion events in context for 
more accurate and actionable alerting 
Which would matter more to you? 
• A Code Red attack against a host running Linux in your environment (Code Red targets IIS, so this host cannot be affected) 
Or 
• A Code Red attack against a host running a vulnerable version of Windows in your environment 
Sourcefire FireSIGHT Technology 
FireSIGHT Discovery 
With FireSIGHT, IPS events are assigned an impact level: 
• 0 – host not on a monitored network 
• 4 – no entry for the host in the network map 
• 3 – host is not running the service or protocol that was attacked 
• 2 – host is running the service or protocol that was attacked 
• 1 – host is running the service or protocol that was attacked, and a vulnerability against that service or protocol is mapped to the host 
FireSIGHT also lets you fine-tune your IPS policies by recommending rules to protect against the known vulnerabilities in your environment 
FireSIGHT 
Why is FireSIGHT important? 
It gives you real-time information about what’s in your network 
• Based on this knowledge … 
• It can inform you of the vulnerabilities associated with what is running in your 
environment 
• You can fine-tune policies to focus on the threats specific to your environment 
It can detect changes to your environment and alert you as soon as 
the change is detected 
• You can act dynamically with custom alerting (email, syslog, SNMP, eStreamer) 
• You can take action dynamically as well with remediation modules 
• Remediations are scripts you can launch from the Defense Center to take some action 
FireSIGHT 
How is FireSIGHT information used? 
Fine-tuning IPS policies 
• You can automatically select the rules and preprocessor configurations that apply 
to your environment 
• You can protect hosts running services on non-standard ports (e.g. HTTP running on 
port 1080 on one host and 8080 on another) 
Enforce an organization’s security/usage policies 
• Block or alert on use of unauthorized applications for example 
Monitor and act on unusual network behavior 
• Alert on new hosts showing up in restricted network spaces or detect unusually 
high utilization 
Act on user activity 
FireSIGHT Management Center 
Contextual Awareness = Information Superiority 
What each platform can see (✔ = visible, ✗ = not visible): 

CATEGORIES                  EXAMPLES                      FirePOWER   TYPICAL   TYPICAL 
                                                          APPLIANCE   IPS       NGFW 
Threats                     Attacks, Anomalies            ✔           ✔         ✔ 
Users                       AD, LDAP, POP3                ✔           ✗         ✔ 
Web Applications            Facebook Chat, Ebay           ✔           ✗         ✔ 
Application Protocols       HTTP, SMTP, SSH               ✔           ✗         ✔ 
File Transfers              PDF, Office, EXE, JAR         ✔           ✗         ✔ 
Malware                     Conficker, Flame              ✔           ✗         ✗ 
Command & Control Servers   C&C Security Intelligence     ✔           ✗         ✗ 
Client Applications         Firefox, IE6, BitTorrent      ✔           ✗         ✗ 
Network Servers             Apache 2.3.1, IIS4            ✔           ✗         ✗ 
Operating Systems           Windows, Linux                ✔           ✗         ✗ 
Routers & Switches          Cisco, Nortel, Wireless       ✔           ✗         ✗ 
Mobile Devices              iPhone, Android, Jail         ✔           ✗         ✗ 
Printers                    HP, Xerox, Canon              ✔           ✗         ✗ 
VoIP Phones                 Avaya, Polycom                ✔           ✗         ✗ 
Virtual Machines            VMware, Xen, RHEV             ✔           ✗         ✗ 
Host and Event Correlation (v5.3) 
• A host in the network map is flagged when it is seen to exhibit signs of compromise, correlated from: 
• Security Intelligence events 
• C&C detection via protocol analysis 
• Contextual NGIPS events (Impact 1) 
• FireAMP endpoint malware events 
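An added example (not from the slides, not Sourcefire or Cisco code) that ties the impact-level slide to this correlation slide: it assigns impact 0 to 4 to IPS events in exactly the order the slide lists, then tags hosts with indications of compromise from the four event sources named here, using only impact-1 IPS events as a trigger. The network map, the vulnerability mappings and the events are constructed sample data; the monitored range is an assumption.

```python
"""Impact-level assignment and host IoC tagging, modelled on the rules in the
FireSIGHT slides. Added illustration, not Sourcefire/Cisco code. Hosts,
events and vulnerability mappings below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Networks the (assumed) sensors monitor; anything else gets impact 0.
MONITORED_NETWORKS = [ip_network("10.0.0.0/8")]

# Sources that may set an IoC on a host, as listed on the correlation slide.
IOC_SOURCES = {"security_intelligence", "cnc_protocol_analysis",
               "ips_impact1", "fireamp_endpoint"}


@dataclass
class Host:
    """One host profile from the network map."""
    ip: str
    os: str
    services: dict                              # (proto, port) -> service name
    vulns: set = field(default_factory=set)     # vulnerability IDs mapped to the host
    iocs: list = field(default_factory=list)    # (source, detail) tuples


@dataclass
class IpsEvent:
    dst_ip: str
    proto: str
    dst_port: int
    vuln_refs: frozenset                        # vulnerability IDs the rule is tied to


def impact_level(event, network_map):
    """Return the impact level (0-4) in the order the slide checks them."""
    ip = ip_address(event.dst_ip)
    if not any(ip in net for net in MONITORED_NETWORKS):
        return 0                                # target not on a monitored network
    host = network_map.get(event.dst_ip)
    if host is None:
        return 4                                # no entry in the network map
    if (event.proto, event.dst_port) not in host.services:
        return 3                                # attacked service is not running
    if host.vulns & event.vuln_refs:
        return 1                                # running, and a mapped vuln matches
    return 2                                    # running, no matching vulnerability


def correlate(events, network_map):
    """Walk IPS and non-IPS events; tag hosts with IoCs from the four sources.

    Non-IPS events are dicts: {"type": <IOC_SOURCE>, "ip": ..., "detail": ...}.
    Returns a list of (kind, ip, impact_or_None) for every event processed."""
    log = []
    for ev in events:
        if isinstance(ev, IpsEvent):
            lvl = impact_level(ev, network_map)
            log.append(("ips", ev.dst_ip, lvl))
            if lvl == 1:                        # only impact-1 IPS events are an IoC
                host = network_map[ev.dst_ip]
                host.iocs.append(("ips_impact1", sorted(host.vulns & ev.vuln_refs)))
        elif ev["type"] in IOC_SOURCES and ev["ip"] in network_map:
            network_map[ev["ip"]].iocs.append((ev["type"], ev["detail"]))
            log.append((ev["type"], ev["ip"], None))
    return log


def compromised_hosts(network_map):
    """IPs carrying at least one IoC, i.e. the hosts to scope and contain first."""
    return sorted(ip for ip, h in network_map.items() if h.iocs)


def sample_network_map():
    """Constructed map: one IIS host with the Code Red vulnerability mapped,
    one Linux web host, one Linux host with SSH only."""
    return {
        "10.1.1.10": Host("10.1.1.10", "Windows 2000", {("tcp", 80): "http"},
                          vulns={"CVE-2001-0500"}),
        "10.1.1.20": Host("10.1.1.20", "Linux", {("tcp", 80): "http", ("tcp", 22): "ssh"}),
        "10.1.1.30": Host("10.1.1.30", "Linux", {("tcp", 22): "ssh"}),
    }


def sample_events():
    """Constructed events: one IIS-targeted rule firing against five targets,
    plus a Security Intelligence hit and a FireAMP endpoint detection."""
    iis = frozenset({"CVE-2001-0500"})
    return [
        IpsEvent("10.1.1.10", "tcp", 80, iis),      # running + mapped vuln -> 1
        IpsEvent("10.1.1.20", "tcp", 80, iis),      # running, no vuln       -> 2
        IpsEvent("10.1.1.30", "tcp", 80, iis),      # port 80 not running    -> 3
        IpsEvent("10.1.1.99", "tcp", 80, iis),      # unknown host           -> 4
        IpsEvent("203.0.113.5", "tcp", 80, iis),    # outside monitored nets -> 0
        {"type": "security_intelligence", "ip": "10.1.1.20",
         "detail": "connection to listed C&C address"},
        {"type": "fireamp_endpoint", "ip": "10.1.1.30",
         "detail": "malware quarantined"},
    ]


if __name__ == "__main__":
    net = sample_network_map()
    for entry in correlate(sample_events(), net):
        print(entry)
    print("hosts with IoCs:", compromised_hosts(net))
```

Note that the same rule firing produces five different impact levels depending solely on what the network map knows about the target; without the map every one of them would look identical in the event view.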
Malware Detection: File Extraction & Sandbox Execution 
Flow for a file seen in network traffic: 
1) File Capture 
2) File Storage 
3) Send to Sandbox (Collective Security Intelligence sandbox) 
4) Execution Report 
Result: a malware alert, available in the Defense Center. 
Anti-Malware Protection & the Attack Continuum 
(figure: BEFORE (Control, Enforce, Harden) – DURING (Detect, Block, Defend) – AFTER (Scope, Contain, Remediate), with a Network lane and an Endpoint lane) 
Network lane capabilities shown: Contextual Awareness, Control Automation, In-line Threat Detection and Prevention, File Retrospection, File Trajectory 
Endpoint lane capabilities shown: File Execution Blocking, File Retrospection, File Trajectory, Device Trajectory, File Analysis, Indications of Compromise, Outbreak Control 
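An added example (not from the slides, not Sourcefire or Cisco code) of the capture, trajectory and retrospection pieces from the two slides above: files of interest are captured off the wire by magic bytes, every transfer is recorded as trajectory, and when a later execution report flips the verdict to malware, every host that already received the file gets a retrospective alert. The file bytes, hosts and verdicts are constructed, and the sandbox callable is a stand-in for the Collective Security Intelligence lookup.

```python
"""File capture, file trajectory and retrospection, modelled on the AMP flow
in the slides above. Added illustration, not Sourcefire/Cisco code. The file
bytes, hosts and verdicts are constructed; the 'sandbox' callable stands in
for the Collective Security Intelligence lookup / sandbox report."""
import hashlib
from collections import defaultdict

# File types captured off the wire, recognised by leading bytes (assumed subset).
MAGIC = [(b"MZ", "EXE"), (b"%PDF", "PDF"), (b"PK\x03\x04", "ZIP/Office/JAR")]


def file_type(data):
    return next((name for magic, name in MAGIC if data.startswith(magic)), None)


class FileTracker:
    def __init__(self, sandbox):
        self.sandbox = sandbox                 # sha256 -> "clean" | "unknown" | "malware"
        self.disposition = {}                  # sha256 -> last verdict acted on
        self.trajectory = defaultdict(list)    # sha256 -> [(ts, src, dst, filename)]
        self.alerts = []

    def _alert(self, sha, entries, ts, retrospective):
        for _, _, dst, name in entries:
            self.alerts.append({"ts": ts, "sha256": sha, "host": dst,
                                "file": name, "retrospective": retrospective})

    def capture(self, ts, src, dst, name, data):
        """Steps 1-3: capture a file of interest, store its trajectory, ask for a verdict."""
        if file_type(data) is None:
            return None                        # not a captured type; nothing stored
        sha = hashlib.sha256(data).hexdigest()
        entry = (ts, src, dst, name)
        self.trajectory[sha].append(entry)
        verdict = self.sandbox(sha)
        prev = self.disposition.get(sha)
        self.disposition[sha] = verdict
        if verdict == "malware":
            # Known-bad on arrival: alert on this transfer, or on every transfer
            # recorded so far if the verdict changed since we last looked.
            hit = self.trajectory[sha] if prev != "malware" else [entry]
            self._alert(sha, hit, ts, retrospective=False)
        return sha

    def retrospect(self, ts, sha, verdict):
        """Step 4 follow-up: a later execution report flips the verdict, so every
        host that already received the file gets a retrospective alert."""
        prev = self.disposition.get(sha)
        self.disposition[sha] = verdict
        if verdict == "malware" and prev != "malware":
            self._alert(sha, self.trajectory[sha], ts, retrospective=True)

    def exposed_hosts(self, sha):
        """File trajectory reduced to the set of hosts to scope and contain."""
        return sorted({dst for _, _, dst, _ in self.trajectory[sha]})


def run_sample():
    """Constructed scenario: an unknown EXE spreads, then is judged malware."""
    payload = b"MZ" + b"\x90" * 64                    # constructed PE-looking bytes
    sha = hashlib.sha256(payload).hexdigest()
    verdicts = {sha: "unknown"}                       # what the lookup answers now
    tracker = FileTracker(lambda h: verdicts.get(h, "clean"))
    tracker.capture(100, "203.0.113.9", "10.1.1.10", "invoice.exe", payload)
    tracker.capture(160, "10.1.1.10", "10.1.1.20", "invoice.exe", payload)   # lateral copy
    tracker.capture(170, "203.0.113.9", "10.1.1.30", "notes.txt", b"hello")  # not captured
    tracker.retrospect(900, sha, "malware")           # execution report arrives
    verdicts[sha] = "malware"                         # lookup now agrees
    tracker.capture(950, "10.1.1.20", "10.1.1.40", "invoice.exe", payload)   # known-bad on sight
    return tracker, sha


if __name__ == "__main__":
    tracker, sha = run_sample()
    print("exposed:", tracker.exposed_hosts(sha))
    for alert in tracker.alerts:
        print(alert)
```

The point of keeping the trajectory even for files whose verdict is still unknown is the retrospective step: the first two transfers generated no alert at the time, yet both hosts are named the moment the verdict changes, while the third transfer is caught on arrival.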
Hardware & Deployment Options 
Sourcefire Architecture 
Management ports used between the Defense Center, managed devices and external services: 

Port / Direction                 Purpose 
22 / Bidirectional               SSH to and from devices 
443 / Bidirectional              Defense Center interface, URL Filtering service, Security Intelligence feeds and FireAMP events 
1500, 2000 / Inbound             To Defense Center / FMC for external database access 
8302, 8305, 8307 / Bidirectional eStreamer, device management, host input API 

(diagram: two DC3500 Defense Centers in a high availability configuration, reaching the Internet / other resources; 3D8250 managed devices in a stacked configuration joined by a stacking cable; 3D8250 managed devices in a clustered configuration joined by an HA interface; ASA / Sourcefire Services pairs. Management traffic runs over a dedicated management network, separate from the monitored networks and the monitored traffic.) 
Sourcefire Hardware Appliances 
(chart of model number versus IPS throughput, axis from 50 Mbps to 60 Gbps) 
Labelled points: 
• 8390*: 60 Gbps 
• 8370*: 45 Gbps 
• 8350*: 15 Gbps 
• 7125: 1.25 Gbps 
• 7110: 500 Mbps 
Other models on the chart, ascending: 7010, 7020, 7030, 7115, 7120, 8120, 8130, 8140, 8250, 8260, 8270/8360*, 8290 
• 7000 series: fixed interfaces; 8000 series: modular interfaces, stackable 
AMP optimized appliances: 
• 8150 – 2 Gbps AMP 
• 7150 – 500 Mbps AMP 
SSL appliances: SSL8200, SSL2000, SSL1500 
All appliances managed via Defense Center, aka FireSIGHT Management Console, available as an appliance or VM with 2, 10 or 25 device support 
Cisco ASA Product Family - Sourcefire Services 
Performance Specifications (* performance numbers to be finalized) 
1 RU Platforms: ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X 
Branch Office/Internet Edge 
• 200 Mbps – 2 Gbps: Firewall 
• 100 – 725 Mbps: Next Gen IPS 
• 30 – 160 Mbps: NGIPS, AVC, AMP 
2 RU Platforms: ASA 5585-X with SSP10, SSP20, SSP40, SSP60 
Internet Edge/Campus/Data Center 
• 2 – 20 Gbps: Firewall 
• 1.2 – 6 Gbps: Next Gen IPS 
• 650 Mbps – 2.4 Gbps: NGIPS, AVC, AMP 
High Availability with ASA Failover 
• Available on all ASA platforms 
• State-sharing between Firewalls for high availability 
• L2 Transparent or L3 Routed deployment options 
• Failover Link 
• ASA provides valid, normalized flows to the FirePOWER module 
• State sharing does not occur between FirePOWER Services modules: after a failover, the module on the newly active ASA has no inspection state for flows that were already in progress 
Scaling IPS with ASA5585-X Clustering 
• Up to 8 ASA5585-X IPS 
• Stateless load balancing by external switch 
• L2 Transparent or L3 Routed deployment options 
• Support for vPC, VSS and LACP 
• Cluster Control Protocol/Link 
• State-sharing between Firewalls for symmetry and high 
availability 
• Every session has a primary and secondary owner ASA 
• ASA provides traffic symmetry to FirePOWER module
• ASA can be configured in multiple context mode so that traffic going through different contexts can be assigned different policies 
• Context interfaces are reported to the FirePOWER blade and can be assigned to security zones, which can then be used in differentiated policies 
• In this example, you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside 
• Note: there is no management segmentation inside the FirePOWER module comparable to the context concept in the ASA configuration; one module administration scope covers all contexts 
(diagram: Outside and Inside interfaces for Context A and Context B; ASA Admin Context plus Context-1) 
FirePOWER Services Demonstration 
Monitor-Only Mode (Demonstration Purposes Only currently) 
Monitor Mode allows FirePOWER Services to analyze traffic without being placed in the data path. The ASA is connected to a SPAN port on a switch or router, and copies of both inbound and outbound packets are sent to the FirePOWER Service. This copied traffic bypasses the ASA policy and goes directly to FirePOWER Services, which applies its policies to determine what traffic would have been blocked. After analysis, the packets are discarded. 
https://communities.cisco.com/docs/DOC-50586 
(diagram: switch SPAN port feeding FirePOWER Services for ASA in Monitor-Only Mode) 
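An added configuration example, not taken from the slides, showing the three ways FirePOWER Services can be attached to ASA traffic: the SPAN-fed monitor-only interface described above, a passive inline tap in the service policy, and the production inline mode with its fail-open versus fail-close choice. The command syntax is from Cisco's ASA FirePOWER module configuration guide as I recall it; interface and class-map names are placeholders, and the requirement that traffic-forwarding interfaces need single-context transparent mode should be verified against the guide linked above before use.

```text
! --- Monitor-only via a traffic-forwarding interface (SPAN feed) ---
! The switch SPAN session mirrors traffic into Gi0/3; the copy is handed
! straight to the sfr module, never routed or inspected by ASA policy.
interface GigabitEthernet0/3
 no nameif
 no ip address
 traffic-forward sfr monitor-only
 no shutdown

! --- Inline tap: flows pass through ASA policy, a copy goes to the module ---
! Same "what would have been blocked" view, but on flows the ASA itself
! forwarded, so NAT/ACL decisions have already been applied.
class-map sfr-all
 match any
policy-map global_policy
 class sfr-all
  sfr fail-open monitor-only
service-policy global_policy global

! --- Production inline: the module can drop ---
! fail-open  : if the module is down or overloaded, traffic is forwarded
!              uninspected (availability wins, NGIPS silently disappears)
! fail-close : traffic is dropped instead (inspection wins, outage is visible)
! Choose one deliberately; "fail-open" is the common default in demos.
policy-map global_policy
 class sfr-all
  sfr fail-close
```

Only one of the two `sfr` forms may be active in a class at a time; replacing `sfr fail-open monitor-only` with `sfr fail-close` is the step that turns the demonstration into an enforcing deployment.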
Integrated Threat Defense Across the Attack Continuum 
Attack Continuum (figure): BEFORE (Discover, Enforce, Harden) – DURING (Detect, Block, Defend) – AFTER (Scope, Contain, Remediate) 
Products mapped onto it: Firewall/VPN, NGIPS, Security Intelligence, Web Security, Advanced Malware Protection 
Capabilities: Visibility and Automation, Granular App Control, Modern Threat Control, Retrospective Security, IoCs/Incident Response 
Cisco Threat Defense System – 5000 Foot View 
(chart of capabilities across BEFORE / DURING / AFTER, layered as (1) Cisco Only, (2) Cisco and Others with management interfaces, and (n) contextual device, network and end-point visibility; items marked * require an agent) 
Capabilities shown: Sandboxing; NG Sandbox for Evasive Malware; Auto-Remediation / Dynamic Policies; Collective Security Intelligence (CSI); URL and IP Reputation; Dynamic Outbreak Controls; Malware File Trajectory; Retrospective Detection; Adaptive Security; Host Trajectory; Retrospective Analysis; NGIPS; Open AppID; SNORT Open IPS; Threat Hunting; User Identity; AV and Basic Protections; Web/URL Controls; Application Visibility; Gen1 IPS; Classic Stateful Firewall; Correlated SIEM Eventing; Incident Control System; Vulnerability Management; Behavioral Indications of Compromise; Network Anti-Malware Controls (AMP); *Client Anti-Malware (AMP); NGFW; Forensics and Log Management 
Thank you.

More Related Content

What's hot

TechWiseTV Workshop: OpenDNS and AnyConnect
TechWiseTV Workshop: OpenDNS and AnyConnectTechWiseTV Workshop: OpenDNS and AnyConnect
TechWiseTV Workshop: OpenDNS and AnyConnect
Robb Boyd
 
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
BGA Cyber Security
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013
Belsoft
 
ICS case studies v2
ICS case studies v2ICS case studies v2
ICS case studies v2
Nguyen Binh
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitShah Sheikh
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewallsCastleforce
 
Palo Alto Networks Sponsor Session
Palo Alto Networks Sponsor SessionPalo Alto Networks Sponsor Session
Palo Alto Networks Sponsor Session
Splunk
 
Secure sigfox ready devices recommendation guide
Secure sigfox ready devices  recommendation guideSecure sigfox ready devices  recommendation guide
Secure sigfox ready devices recommendation guide
Sigfox
 
From IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity DivideFrom IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity Divide
Priyanka Aash
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Lancope, Inc.
 
Key Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsKey Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation Firewalls
AlgoSec
 
Auditing Check Point Firewalls
Auditing Check Point FirewallsAuditing Check Point Firewalls
Auditing Check Point Firewalls
Ben Rothke
 
Palo Alto Networks Portfolio & Strategy Overview 2019
Palo Alto Networks Portfolio & Strategy Overview 2019Palo Alto Networks Portfolio & Strategy Overview 2019
Palo Alto Networks Portfolio & Strategy Overview 2019
Sean Xie
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníAdvanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešení
MarketingArrowECS_CZ
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
NetworkCollaborators
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics
NetworkCollaborators
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
Lancope, Inc.
 
Intercept product
Intercept productIntercept product
Intercept product
David Pereira
 
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190	Targeted Threat (APT) Defense for Hosted ApplicationsDEVNET-1190	Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
Cisco DevNet
 

What's hot (20)

TechWiseTV Workshop: OpenDNS and AnyConnect
TechWiseTV Workshop: OpenDNS and AnyConnectTechWiseTV Workshop: OpenDNS and AnyConnect
TechWiseTV Workshop: OpenDNS and AnyConnect
 
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013
 
ICS case studies v2
ICS case studies v2ICS case studies v2
ICS case studies v2
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS Summit
 
Fire Eye Appliance Quick Start
Fire Eye Appliance Quick StartFire Eye Appliance Quick Start
Fire Eye Appliance Quick Start
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
 
Palo Alto Networks Sponsor Session
Palo Alto Networks Sponsor SessionPalo Alto Networks Sponsor Session
Palo Alto Networks Sponsor Session
 
Secure sigfox ready devices recommendation guide
Secure sigfox ready devices  recommendation guideSecure sigfox ready devices  recommendation guide
Secure sigfox ready devices recommendation guide
 
From IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity DivideFrom IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity Divide
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
 
Key Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsKey Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation Firewalls
 
Auditing Check Point Firewalls
Auditing Check Point FirewallsAuditing Check Point Firewalls
Auditing Check Point Firewalls
 
Palo Alto Networks Portfolio & Strategy Overview 2019
Palo Alto Networks Portfolio & Strategy Overview 2019Palo Alto Networks Portfolio & Strategy Overview 2019
Palo Alto Networks Portfolio & Strategy Overview 2019
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníAdvanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešení
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
 
Intercept product
Intercept productIntercept product
Intercept product
 
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190	Targeted Threat (APT) Defense for Hosted ApplicationsDEVNET-1190	Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
 

Similar to apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd4546c2c05d00e6f524d9c-poli-140925103345-phpapp02

Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
Lancope, Inc.
 
Next Generation Security
Next Generation SecurityNext Generation Security
Next Generation Security
Cisco Canada
 
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit  Odaklı Güvenlik Mimarisinde Sourcefire Yakla...BGA SOME/SOC Etkinliği - Tehdit  Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA Cyber Security
 
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
BGA Cyber Security
 
Presentación - Cisco ASA with FirePOWER Services
Presentación -  Cisco ASA with FirePOWER ServicesPresentación -  Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER Services
Oscar Romano
 
Advanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldAdvanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real World
Cisco Canada
 
[CLASS 2014] Palestra Técnica - Delfin Rodillas
[CLASS 2014] Palestra Técnica - Delfin Rodillas[CLASS 2014] Palestra Técnica - Delfin Rodillas
[CLASS 2014] Palestra Técnica - Delfin Rodillas
TI Safe
 
Cisco Security Architecture
Cisco Security ArchitectureCisco Security Architecture
Cisco Security Architecture
Cisco Canada
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
Cisco Canada
 
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
Cloudflare_Everywhere_Security_Solution_Brief (1).pdfCloudflare_Everywhere_Security_Solution_Brief (1).pdf
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
petchphumsanit40
 
Cisco Live Cancun PR Session
Cisco Live Cancun PR SessionCisco Live Cancun PR Session
Cisco Live Cancun PR Session
Felipe Lamus
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
Amazon Web Services
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Scalar Decisions
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
Christopher Gerritz
 
Firepower ngfw internet
Firepower ngfw internetFirepower ngfw internet
Firepower ngfw internet
Rony Melo
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver Presentation
Scalar Decisions
 
Proteja seus clientes - Gerenciamento dos Serviços de Segurança
Proteja seus clientes - Gerenciamento dos Serviços de SegurançaProteja seus clientes - Gerenciamento dos Serviços de Segurança
Proteja seus clientes - Gerenciamento dos Serviços de Segurança
Cisco do Brasil
 
Estratégia de segurança da Cisco (um diferencial para seus negócios)
Estratégia de segurança da Cisco (um diferencial para seus negócios)Estratégia de segurança da Cisco (um diferencial para seus negócios)
Estratégia de segurança da Cisco (um diferencial para seus negócios)
Cisco do Brasil
 
internet-firewalls
internet-firewallsinternet-firewalls
internet-firewalls
Miftakhul Hijriyah
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overviewBelsoft
 

Similar to apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd4546c2c05d00e6f524d9c-poli-140925103345-phpapp02 (20)

Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
Next Generation Security
Next Generation SecurityNext Generation Security
Next Generation Security
 
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit  Odaklı Güvenlik Mimarisinde Sourcefire Yakla...BGA SOME/SOC Etkinliği - Tehdit  Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
 
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
 
Presentación - Cisco ASA with FirePOWER Services
Presentación -  Cisco ASA with FirePOWER ServicesPresentación -  Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER Services
 
Advanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldAdvanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real World
 
[CLASS 2014] Palestra Técnica - Delfin Rodillas
[CLASS 2014] Palestra Técnica - Delfin Rodillas[CLASS 2014] Palestra Técnica - Delfin Rodillas
[CLASS 2014] Palestra Técnica - Delfin Rodillas
 
Cisco Security Architecture
Cisco Security ArchitectureCisco Security Architecture
Cisco Security Architecture
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
 
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
Cloudflare_Everywhere_Security_Solution_Brief (1).pdfCloudflare_Everywhere_Security_Solution_Brief (1).pdf
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
 
Cisco Live Cancun PR Session
Cisco Live Cancun PR SessionCisco Live Cancun PR Session
Cisco Live Cancun PR Session
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
 
Firepower ngfw internet
Firepower ngfw internetFirepower ngfw internet
Firepower ngfw internet
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver Presentation
 
Proteja seus clientes - Gerenciamento dos Serviços de Segurança
  • 7. FireSIGHT: What are the key FireSIGHT components?
    Network discovery and connection awareness:
    - Host discovery: identifies the OS, protocols and services running on each host, and reports the vulnerabilities potentially present on each host based on the information it has gathered.
    - Application identification: FireSIGHT can identify over 1,900 unique applications using OpenAppID, including applications that run over web services such as Facebook or LinkedIn. Applications can be used as access-control criteria.
    - User discovery: monitors for user IDs transmitted as services are used, and integrates with Microsoft Active Directory servers to authoritatively identify users. Authoritative users can be used as access-control criteria.
  • 8. Sourcefire FireSIGHT Technology: FireSIGHT Discovery
    Discovery is reported to you by way of events:
    - Connection events are recorded for every connection seen on a monitored network.
    - Host events are recorded when something new is detected on a host, or when a change to a host is detected.
    Information about all the hosts in your environment is stored in host profiles.
  • 9. Sourcefire FireSIGHT Technology: FireSIGHT Discovery
    By knowing the details of what is running in your environment, the Sourcefire System can produce a list of the vulnerabilities that likely exist. This allows the Sourcefire System to put intrusion events in context, for more accurate and actionable alerting.
    Which would matter more to you?
    - A Code Red attack against a host running Linux in your environment, or
    - A Code Red attack against a host running a vulnerable version of Windows in your environment?
  • 10. Sourcefire FireSIGHT Technology: FireSIGHT Discovery
    With FireSIGHT, IPS events are assigned an impact level:
    - 0: the target host is not on a monitored network
    - 4: there is no entry for the host in the network map
    - 3: the host is not running the service or protocol that was attacked
    - 2: the host is running the service or protocol that was attacked
    - 1: the host is running the service or protocol that was attacked, and a vulnerability against that service or protocol is mapped to the host
    Impact 1 is the most actionable; 0 means the sensors do not discover the target at all, so nothing can be said about it.
    FireSIGHT also lets you fine-tune your IPS policies by recommending rules that protect against the known vulnerabilities in your environment.
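The impact-level assignment above, written out as an added example (this is not Sourcefire code, only a re-implementation of the five levels listed on the slide). The network map, the services and vulnerability mappings on each host, and the events are constructed sample data; the service lookup is keyed on the real (protocol, port) pair so that a host running HTTP on 8080 still counts as running the attacked service:

```python
"""Impact-level assignment for IPS events against the FireSIGHT network map.

Added example, not Sourcefire code: it re-implements the five impact levels
listed on the slide over a toy network map. Hosts, services, vulnerability
mappings and events are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

# Address space the sensors are configured to discover (the "monitored networks").
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class HostProfile:
    ip: str
    os: str
    # (ip protocol, port) -> application protocol. Keying on the real port is
    # what lets a host running HTTP on 8080 still count as an HTTP server.
    services: dict = field(default_factory=dict)
    # vulnerability ids the discovery engine has mapped to this host
    vulns: set = field(default_factory=set)


@dataclass(frozen=True)
class IpsEvent:
    dst_ip: str
    ip_proto: str
    dst_port: int
    app_proto: str          # service the rule is written against
    vuln_ids: frozenset     # vulnerabilities the rule is written for


def impact_level(ev: IpsEvent, network_map: dict) -> int:
    """Return the impact level (0-4) for an event, following the slide's definitions."""
    addr = ipaddress.ip_address(ev.dst_ip)
    if not any(addr in net for net in MONITORED_NETWORKS):
        return 0                                   # target not on a monitored network
    host = network_map.get(ev.dst_ip)
    if host is None:
        return 4                                   # no entry in the network map
    if host.services.get((ev.ip_proto, ev.dst_port)) != ev.app_proto:
        return 3                                   # target is not running that service
    if host.vulns & ev.vuln_ids:
        return 1                                   # running it, and a mapped vuln matches
    return 2                                       # running it, no vulnerability mapped


# Constructed network map. CVE-2001-0500 is the IIS ISAPI overflow that Code Red used.
NETWORK_MAP = {
    "10.1.1.10": HostProfile("10.1.1.10", "Linux", {("tcp", 8080): "http"}),
    "10.1.1.20": HostProfile("10.1.1.20", "Windows 2000", {("tcp", 80): "http"}, {"CVE-2001-0500"}),
    "10.1.1.30": HostProfile("10.1.1.30", "Windows 2003", {("tcp", 80): "http"}),   # patched
}

CODE_RED = frozenset({"CVE-2001-0500"})

# Constructed events: the same Code Red signature firing against different targets.
EVENTS = {
    "iis_vulnerable":    IpsEvent("10.1.1.20", "tcp", 80,   "http", CODE_RED),
    "iis_patched":       IpsEvent("10.1.1.30", "tcp", 80,   "http", CODE_RED),
    "linux_port80":      IpsEvent("10.1.1.10", "tcp", 80,   "http", CODE_RED),
    "linux_port8080":    IpsEvent("10.1.1.10", "tcp", 8080, "http", CODE_RED),
    "unmapped_host":     IpsEvent("10.1.1.99", "tcp", 80,   "http", CODE_RED),
    "outside_monitored": IpsEvent("192.0.2.5", "tcp", 80,   "http", CODE_RED),
}


def triage(events=EVENTS, network_map=NETWORK_MAP) -> dict:
    """Impact level per event label."""
    return {label: impact_level(ev, network_map) for label, ev in events.items()}


if __name__ == "__main__":
    # Impact 1 first; impact 0 (unknown target) sorts last rather than first.
    for label, level in sorted(triage().items(), key=lambda kv: kv[1] or 5):
        print(f"impact {level}  {label}")
```

Note what the Linux host shows: the same signature is impact 3 when it fires at port 80 (nothing listens there) but impact 2 at port 8080, because the map knows HTTP is served on the non-standard port. That is the difference between a port-based and a host-profile-based lookup.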
  • 12. FireSIGHT: Why is FireSIGHT important?
    It gives you real-time information about what is in your network. Based on this knowledge:
    - It can inform you of the vulnerabilities associated with what is running in your environment.
    - You can fine-tune policies to focus on the threats specific to your environment.
    It can detect changes to your environment and alert you as soon as the change is detected:
    - You can act dynamically with custom alerting (email, syslog, SNMP, eStreamer).
    - You can also take action dynamically with remediation modules. Remediations are scripts you can launch from the Defense Center to take some action.
  • 13. FireSIGHT: How is FireSIGHT information used?
    Fine-tuning IPS policies:
    - You can automatically select the rules and preprocessor configurations that apply to your environment.
    - You can protect hosts running services on non-standard ports (e.g. HTTP on port 1080 on one host and on port 8080 on another).
    Enforcing an organization's security and usage policies:
    - For example, block or alert on the use of unauthorized applications.
    Monitoring and acting on unusual network behavior:
    - Alert on new hosts showing up in restricted network spaces, or detect unusually high utilization.
    Acting on user activity.
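Slides 8, 12 and 13 together describe a loop: discovery events build host profiles, and changes in those profiles drive alerts. The following added example (not FireSIGHT code) replays a constructed stream of connection and host events, keeps a profile per monitored host, and raises three of the alerts the slide names: a new host in a restricted space, use of an unauthorized application, and unusually high utilization. The subnets, the byte threshold, the application list and the alert tuples are all our own choices, not a FireSIGHT format:

```python
"""Discovery events -> host profiles -> correlation alerts.

Added example, not FireSIGHT code. It replays a constructed stream of the two
event kinds the slides describe (connection events, host events), keeps a host
profile per monitored host, and raises the alerts the slide names. Subnets,
thresholds, the application list and the event stream are constructed.
"""
import ipaddress
from collections import defaultdict

MONITORED = [ipaddress.ip_network("10.0.0.0/8")]
RESTRICTED_SPACES = [ipaddress.ip_network("10.10.0.0/16")]   # e.g. a server enclave
UNAUTHORIZED_APPS = {"BitTorrent"}
UTILIZATION_LIMIT = 50_000_000      # bytes per host in the window; constructed value


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def new_profile():
    return {"os": None, "services": {}, "apps": set(), "users": set(),
            "bytes": 0, "util_alerted": False}


def process(events):
    """Build host profiles from discovery events; return (profiles, alerts)."""
    profiles = defaultdict(new_profile)
    alerts = []
    for ev in events:
        if ev["type"] == "host":                       # host event: new host or change
            p = profiles[ev["ip"]]
            if ev["change"] == "new host":
                p["os"] = ev.get("os")
                if in_any(ev["ip"], RESTRICTED_SPACES):
                    alerts.append(("new_host_restricted", ev["ip"]))
            elif ev["change"] == "new service":
                # keyed on the real port, so non-standard ports are preserved
                p["services"][(ev["proto"], ev["port"])] = ev["app"]
            elif ev["change"] == "os change":
                alerts.append(("os_change", ev["ip"], p["os"], ev["os"]))
                p["os"] = ev["os"]
        elif ev["type"] == "connection":               # recorded for every connection seen
            for side in ("src", "dst"):
                ip = ev[side]
                if not in_any(ip, MONITORED):
                    continue                           # no profile for outside hosts
                p = profiles[ip]
                p["apps"].add(ev["app"])
                p["bytes"] += ev["bytes"]
                if side == "src" and ev.get("user"):
                    p["users"].add(ev["user"])         # user discovery via the connection
                if p["bytes"] > UTILIZATION_LIMIT and not p["util_alerted"]:
                    p["util_alerted"] = True
                    alerts.append(("high_utilization", ip, p["bytes"]))
            if ev["app"] in UNAUTHORIZED_APPS:
                alerts.append(("unauthorized_app", ev["src"], ev.get("user"), ev["app"]))
    return dict(profiles), alerts


# Constructed event stream, in the order the sensor saw it.
EVENTS = [
    {"type": "host", "ip": "10.1.2.3", "change": "new host", "os": "Windows 7"},
    {"type": "host", "ip": "10.10.1.5", "change": "new host", "os": "Ubuntu 14.04"},
    {"type": "connection", "src": "10.1.2.3", "dst": "10.10.1.5", "port": 22,
     "app": "SSH", "user": "alice", "bytes": 4_096},
    {"type": "host", "ip": "10.1.2.3", "change": "new service",
     "proto": "tcp", "port": 6881, "app": "BitTorrent"},
    {"type": "connection", "src": "10.1.2.3", "dst": "203.0.113.9", "port": 6881,
     "app": "BitTorrent", "user": "alice", "bytes": 60_000_000},
]


def run_demo():
    return process(EVENTS)


if __name__ == "__main__":
    profiles, alerts = run_demo()
    for a in alerts:
        print(a)
    for ip, p in profiles.items():
        print(ip, p["os"], sorted(p["users"]), p["services"])
```

The user seen on the SSH connection is attached to the source host's profile, which is the "user discovery" path from slide 7; the authoritative AD integration is a separate source and is not modelled here.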
  • 14. FireSIGHT Management Center: contextual awareness ("information superiority")
    What each product class can see, by category (✔ = visible, ✗ = not visible):

    Category                   Examples                     FirePOWER appliance   Typical IPS   Typical NGFW
    Threats                    Attacks, anomalies           ✔                     ✔             ✔
    Users                      AD, LDAP, POP3               ✔                     ✗             ✔
    Web applications           Facebook Chat, eBay          ✔                     ✗             ✔
    Application protocols      HTTP, SMTP, SSH              ✔                     ✗             ✔
    File transfers             PDF, Office, EXE, JAR        ✔                     ✗             ✔
    Malware                    Conficker, Flame             ✔                     ✗             ✗
    Command & control servers  C&C Security Intelligence    ✔                     ✗             ✗
    Client applications        Firefox, IE6, BitTorrent     ✔                     ✗             ✗
    Network servers            Apache 2.3.1, IIS4           ✔                     ✗             ✗
    Operating systems          Windows, Linux               ✔                     ✗             ✗
    Routers & switches         Cisco, Nortel, wireless      ✔                     ✗             ✗
    Mobile devices             iPhone, Android, Jail        ✔                     ✗             ✗
    Printers                   HP, Xerox, Canon             ✔                     ✗             ✗
    VoIP phones                Avaya, Polycom               ✔                     ✗             ✗
    Virtual machines           VMware, Xen, RHEV            ✔                     ✗             ✗
  • 15. Host and Event Correlation (v5.3)
    A host in the network map is flagged when it is seen to exhibit signs of compromise from any of these sources:
    - Security Intelligence events
    - C&C detection via protocol analysis
    - Contextual NGIPS events (impact 1)
    - FireAMP endpoint malware events
  • 18. Malware Detection: File Extraction and Sandbox Execution
    Flow, from network traffic to a malware alert available in the Defense Center:
    1) File capture from network traffic
    2) File storage
    3) Send to the sandbox (Collective Security Intelligence)
    4) Execution report, which raises the malware alert in the Defense Center
  • 20. Anti-Malware Protection and the Attack Continuum
    Network and endpoint capabilities by stage (File Retrospection and File Trajectory appear on both the network and the endpoint side):
    - BEFORE (Control, Enforce, Harden): Contextual Awareness; Control Automation
    - DURING (Detect, Block, Defend): In-line Threat Detection and Prevention; File Execution Blocking; File Analysis
    - AFTER (Scope, Contain, Remediate): File Retrospection; File Trajectory; Device Trajectory; Indications of Compromise; Outbreak Control
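Slides 18 and 20 describe one pipeline: capture, store, sandbox, report, and then retrospection over the recorded trajectory when a verdict changes. The following added example (not Sourcefire or AMP code) models that pipeline end to end. File bodies, hosts, timestamps and the known-disposition table are constructed; the magic-byte table stands in for the real file-type detection and is only as complete as the three types it lists:

```python
"""File capture, disposition, trajectory and retrospection.

Added example, not Sourcefire/AMP code. A file carried in network traffic is
typed by its leading bytes, hashed with SHA-256, looked up for a disposition,
stored and queued for the sandbox when unknown, and every sighting is recorded.
When a sandbox report later changes the verdict, the retrospective alert lists
every host that saw the file (file trajectory). All data below is constructed.
"""
import hashlib
from collections import defaultdict

# Leading bytes -> file type. Only the types we choose to capture are listed.
MAGIC = {b"MZ": "EXE", b"%PDF": "PDF", b"PK\x03\x04": "ZIP/JAR/Office"}


def file_type(data: bytes):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None          # not a captured type


class FilePipeline:
    def __init__(self, known_dispositions):
        self.dispositions = dict(known_dispositions)   # sha256 -> "clean" | "malware"
        self.store = {}                                # step 2: file storage
        self.sandbox_queue = []                        # step 3: sent to sandbox
        self.sightings = defaultdict(list)             # sha256 -> [(time, src, dst)]

    def on_file(self, t, src, dst, data):
        """Step 1: a file is extracted from traffic. Returns (sha256, verdict) or None."""
        if file_type(data) is None:
            return None
        sha = hashlib.sha256(data).hexdigest()
        self.sightings[sha].append((t, src, dst))      # trajectory: who saw it, and when
        verdict = self.dispositions.get(sha, "unknown")
        if verdict == "unknown" and sha not in self.store:
            self.store[sha] = data                     # keep a copy, submit once
            self.sandbox_queue.append(sha)
        return sha, verdict

    def sandbox_report(self, sha, verdict):
        """Step 4: execution report. A change to 'malware' is a retrospective event."""
        before = self.dispositions.get(sha, "unknown")
        self.dispositions[sha] = verdict
        if verdict == "malware" and before != "malware":
            return self.trajectory(sha)                # every sighting to scope and contain
        return []

    def trajectory(self, sha):
        return sorted(self.sightings.get(sha, []))


# Constructed files: a PE stub, a PDF, and plain text that is not a captured type.
DROPPER = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
REPORT = b"%PDF-1.4\n%constructed sample\n"
NOTE = b"just text\n"

KNOWN_CLEAN = {hashlib.sha256(REPORT).hexdigest(): "clean"}


def run_demo():
    p = FilePipeline(KNOWN_CLEAN)
    p.on_file(1, "203.0.113.7", "10.1.1.10", DROPPER)   # download from outside
    p.on_file(2, "203.0.113.7", "10.1.1.11", REPORT)    # known clean, not stored
    p.on_file(3, "10.1.1.10", "10.1.1.20", DROPPER)     # same file moves laterally
    p.on_file(4, "10.1.1.20", "10.1.1.21", NOTE)        # ignored: not a captured type
    sha = hashlib.sha256(DROPPER).hexdigest()
    retro = p.sandbox_report(sha, "malware")            # the execution report arrives later
    return p, retro


if __name__ == "__main__":
    p, retro = run_demo()
    print("sandboxed:", p.sandbox_queue)
    for t, src, dst in retro:
        print(f"retrospective: t={t} {src} -> {dst}")
```

The point of recording every sighting, not just the first, is the lateral hop at t=3: when the verdict arrives the file has already moved inside the network, and the retrospective list is what tells the responder which second host to contain.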
  • 22. Hardware and Deployment Options
  • 23. Sourcefire Architecture
    Management-network ports used between Defense Centers and managed devices:

    Port              Direction       Purpose
    22                Bidirectional   SSH to and from devices
    443               Bidirectional   Defense Center web interface, URL filtering service, Security Intelligence feeds and FireAMP events
    1500, 2000        Inbound         To the Defense Center / FMC, for external database access
    8302, 8305, 8307  Bidirectional   eStreamer, device management, host input API (in that order)

    Diagram: two DC3500 Defense Centers in a high-availability pair (HA interface), reaching the Internet and other resources over the management network. Managed devices: 3D8250s in a stacked configuration (stacking cable), 3D8250s in a clustered configuration, and ASAs running Sourcefire services. Management traffic runs over the management network; monitored traffic comes from the monitored networks.
  • 24. Sourcefire Hardware Appliances
    Chart: IPS throughput by appliance model, on a scale from 50 Mbps to 60 Gbps (ticks at 50 Mbps, 100 Mbps, 250 Mbps, 500 Mbps, 750 Mbps, 1 Gbps, 1.25 Gbps, 2 Gbps, 4 Gbps, 6 Gbps, 10 Gbps, 15 Gbps, 20 Gbps, 30 Gbps, 40 Gbps, 45 Gbps, 60 Gbps).
    Models shown: 7010, 7020, 7030, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270 and 8360* (sharing a tick), 8290, 8350*, 8370*, 8390*. The chart labels 7110 at 500 Mbps, 7125 at 1.25 Gbps, 8350* at 15 Gbps, 8370* at 45 Gbps and 8390* at 60 Gbps.
    Interface options: fixed interfaces, modular interfaces, stackable models.
    AMP-optimized appliances: 8150 (2 Gbps AMP; the AMP counterpart of the 8120) and 7150 (500 Mbps AMP; the AMP counterpart of the 7110).
    SSL appliances: SSL8200, SSL2000, SSL1500.
    All appliances are managed via the Defense Center (aka FireSIGHT Management Console), available as an appliance or a VM, in 2-, 10- or 25-device sizes.
  • 25. Cisco ASA Product Family with Sourcefire Services: Performance Specifications
    Performance and scalability (* performance numbers to be finalized):
    1 RU platforms (ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X), branch office / Internet edge:
    - Firewall: 200 Mbps to 2 Gbps
    - Next-Generation IPS: 100 to 725 Mbps
    - NGIPS + AVC + AMP: 30 to 160 Mbps
    2 RU platforms (ASA 5585-X with SSP-10, SSP-20, SSP-40, SSP-60), Internet edge / campus / data center:
    - Firewall: 2 to 20 Gbps
    - Next-Generation IPS: 1.2 to 6 Gbps
    - NGIPS + AVC + AMP: 650 Mbps to 2.4 Gbps
  • 26. High Availability with ASA Failover
    - Available on all ASA platforms
    - State sharing between firewalls, over the failover link, for high availability
    - L2 transparent or L3 routed deployment options
    - The ASA provides valid, normalized flows to the FirePOWER module
    - State sharing does not occur between FirePOWER Services modules, so the module on the newly active unit starts with no inspection state for flows that were in progress at failover
  • 27. Scaling IPS with ASA 5585-X Clustering
    - Up to 8 ASA 5585-X units with IPS
    - Stateless load balancing by an external switch; support for vPC, VSS and LACP
    - L2 transparent or L3 routed deployment options
    - Cluster control protocol over the cluster control link
    - State sharing between firewalls for symmetry and high availability: every session has a primary and a secondary owner ASA
    - The ASA provides traffic symmetry to the FirePOWER module, so both directions of a flow reach the same module even though the switch balances packets statelessly
  • 28. Multiple Context Mode
    - The ASA can be configured in multiple-context mode so that traffic passing through the ASA can be assigned different policies.
    - The context interfaces are reported to the FirePOWER blade and can be assigned to security zones, which can then be used in differentiated policies.
    - In this example (diagram: Outside, Context A, Context B, Inside), you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside.
    - Note: there is no management segmentation inside the FirePOWER module comparable to contexts in the ASA configuration. The module is managed as one device whose policies span all contexts; the zones are what provide the differentiation.
  • 30. FirePOWER Services Demonstration: Monitor-Only Mode (currently for demonstration purposes only)
    - Monitor-only mode allows FirePOWER Services to analyze traffic without being placed in the data path. The ASA is connected to a SPAN port on a switch or router, and copies of both inbound and outbound packets are sent to the FirePOWER Services module.
    - This copied traffic bypasses the ASA policy and goes directly to FirePOWER Services, which applies its policies to determine what traffic would have been blocked. After analysis, the packets are discarded; nothing is ever dropped from the live path in this mode.
    - Reference: https://communities.cisco.com/docs/DOC-50586 (FirePOWER Services for ASA in Monitor-Only Mode)
  • 31. Integrated Threat Defense Across the Attack Continuum
    Products by stage:
    - BEFORE (Discover, Enforce, Harden): Firewall/VPN
    - DURING (Detect, Block, Defend): NGIPS; Security Intelligence; Web Security
    - AFTER (Scope, Contain, Remediate): Advanced Malware Protection
    Themes shown beneath them, left to right: Visibility and Automation; Granular App Control; Modern Threat Control; Retrospective Security; IoCs/Incident Response
  • 32. Cisco Threat Defense System: 5000-Foot View
    Diagram of capabilities laid out across BEFORE / DURING / AFTER, in two bands (* = agent-based):
    - Cisco only: Sandboxing and NG Sandbox for Evasive Malware; Auto-Remediation / Dynamic Policies; Collective Security Intelligence (CSI); URL and IP Reputation; Dynamic Outbreak Controls; Malware File Trajectory; Retrospective Detection; Adaptive Security; Host Trajectory; Retrospective Analysis; NGIPS; Open AppID; SNORT Open IPS; Threat Hunting; User Identity
    - Cisco and others: AV and Basic Protections; Web URL Controls; Application Visibility; Gen1 IPS; Classic Stateful Firewall; Correlated SIEM Eventing; Incident Control System; Vulnerability Management; Behavioral Indications of Compromise; Network Anti-Malware Controls (AMP); *Client Anti-Malware (AMP); NGFW; Forensics and Log Management
    - Spanning the whole view: Contextual Device, Network and End-Point Visibility; Management Interfaces (1 to n)