This document explains how to deploy Next-Generation IPS (NGIPS) to protect a network. It covers Firepower version 6.X: how to install a Firepower managed device inline in the network, how traffic flows through the device's security features, and how to register the device with the Cisco Firepower Management Center (FMC).
2. OBJECTIVES
• Next-Gen IPS technologies
• Firepower deployment for 6.X versions
• Firepower managed device inline deployment
• Traffic flow through various security features in IPS
• Firepower registration to Cisco Firepower Management Center
3. Next-Gen Firewall
The diagram below depicts a traditional firewall deployment, where the firewall protects the organization based on the 5-tuple. Such a firewall can only act on traffic up to layer 4:
• Source IP
• Destination IP
• Source port
• Destination port
• Protocol
Against attacks at the application layer, a 5-tuple firewall is of little help, and such attacks are growing rapidly. Command and Control (CnC) callbacks, reconnaissance,
lateral movement, data exfiltration and botnet activity all go unnoticed. Solution: a Next-Gen IPS offers a set of complementary controls: DNS and URL blocklisting, file
blocking, malware protection, intrusion prevention (IPS) and more.
5. NGIPS
➔ Application layer protection
➔ Packet payloads are examined
➔ Deep packet inspection up to OSI layer 7
➔ Matches attacks based on signatures
➔ Traffic Analysis
➔ Malware protection
➔ Security Intelligence
➔ Action on App ID / User ID
➔ Suspicious behaviour
6. Firepower Security Policies
This is a high-level overview of how traffic passes through Firepower.
These are the policies that can be applied to a Firepower device:
• Access Control Policy
• Network Analysis Policy
• Intrusion Policy
• Anti-Malware and File Protection Policy
• SSL Policy
• DNS Policy
8. Security Intelligence: the first level of filtering, based on blocklisted IPs, known malicious DNS/URL
records and custom DNS/URL lists. A packet dropped here is never sent to the Access Control
Policy for DPI.
SSL Policy: if your organization decides to decrypt outbound/inbound traffic, use the SSL
policy with a certificate issued from your internal PKI. Decrypted traffic is sent through the
ACP and AMP; once the verdict is good, the traffic is re-encrypted and sent out. Traffic that is not
decrypted cannot be inspected at the payload level by the later stages.
Access Control Policy: this is where you define your rules. Rules whose action is "trust" skip
DPI entirely. Rules whose action is "allow" can send the matching traffic to an intrusion policy
and a file/malware policy for inspection.
Intrusion Policy: IPS signatures are defined here. Snort rules are used to block malicious
traffic. You can write custom signatures or use the signature sets provided by Cisco.
Malware & File Policy: here you allow or block specific file types and scan for malware in the
set of file types you consider likely to be infected.
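The stage ordering above determines which control actually sees a given flow, and that is easy to get wrong in an Access Control Policy (a "trust" rule silently exempts traffic from the intrusion and file policies, and undecrypted TLS is opaque to both). The following is an added example, not Cisco code and not part of the original slides: a small Python model of the pipeline in the order described above, run over constructed sample flows. The rule formats, the Snort stand-in (plain content matching keyed by a local sid) and all addresses are assumptions made for illustration.

```python
"""Simplified model of the order in which a Firepower device evaluates a flow:
Security Intelligence -> SSL -> Access Control -> Intrusion -> File policy.
Illustrative model only (not Cisco code); the rule formats here are our own."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str               # "tcp" or "udp"
    payload: bytes = b""     # application data; only visible if cleartext or decrypted
    file_type: str = ""      # file type carried in the stream, e.g. "MSEXE"
    encrypted: bool = False  # TLS flow


@dataclass
class AcpRule:
    name: str
    action: str              # "trust", "allow" or "block"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None = any
    proto: Optional[str] = None  # None = any

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, f.dport) and self.proto in (None, f.proto))


@dataclass
class Pipeline:
    si_blocklist: list[str]        # Security Intelligence: blocked networks
    decrypt_tls: bool              # SSL policy: decrypt, inspect, re-encrypt
    acp_rules: list[AcpRule]       # evaluated top-down, first match wins
    default_action: str            # "block" or "intrusion_prevention"
    snort_rules: dict[str, bytes]  # sid -> content; stand-in for Snort content matching
    blocked_file_types: set[str]   # file policy

    def evaluate(self, f: Flow) -> tuple[str, str, str]:
        """Return (verdict, stage that decided, reason)."""
        # 1. Security Intelligence: a drop here never reaches the ACP or DPI.
        if any(ipaddress.ip_address(f.dst) in ipaddress.ip_network(n) for n in self.si_blocklist):
            return ("block", "security-intelligence", f"{f.dst} is blocklisted")
        # 2. SSL policy: without decryption the later stages cannot see the payload.
        inspectable = (not f.encrypted) or self.decrypt_tls
        # 3. Access control: first matching rule, else the policy's default action.
        rule = next((r for r in self.acp_rules if r.matches(f)), None)
        action = rule.action if rule else self.default_action
        name = rule.name if rule else "default action"
        if action == "block":
            return ("block", "access-control", name)
        if action == "trust":
            return ("allow", "access-control", f"{name}: trusted, no deep inspection")
        if not inspectable:
            return ("allow", "end", f"{name}: encrypted, not decrypted, payload unseen")
        # 4. Intrusion policy: inline deployment, so a matching rule drops the flow.
        for sid, content in self.snort_rules.items():
            if content in f.payload:
                return ("block", "intrusion", f"{name}: sid {sid} matched")
        # 5. File / malware policy.
        if f.file_type in self.blocked_file_types:
            return ("block", "file", f"{name}: {f.file_type} blocked")
        return ("allow", "end", f"{name}: inspected, nothing matched")


def run_examples() -> dict[str, tuple[str, str, str]]:
    """Constructed sample policies and flows (documentation address ranges)."""
    p = Pipeline(
        si_blocklist=["203.0.113.0/24"],
        decrypt_tls=False,
        acp_rules=[AcpRule("backup-trust", "trust", src="10.0.0.0/8",
                           dst="192.0.2.20/32", dport=22, proto="tcp"),
                   AcpRule("web-inspect", "allow", dport=80, proto="tcp")],
        default_action="intrusion_prevention",
        snort_rules={"1000001": b"/etc/passwd", "1000002": b"cmd.exe"},  # local sid range
        blocked_file_types={"MSEXE"})
    flows = {
        "cnc-callback": Flow("10.1.1.5", "203.0.113.10", 51000, 443, "tcp", encrypted=True),
        "trusted-backup": Flow("10.2.2.2", "192.0.2.20", 51002, 22, "tcp", payload=b"cat /etc/passwd"),
        "web-exploit": Flow("10.1.1.5", "192.0.2.80", 51003, 80, "tcp", payload=b"GET /../etc/passwd HTTP/1.1"),
        "exe-download": Flow("10.1.1.5", "192.0.2.80", 51004, 80, "tcp", payload=b"GET /setup HTTP/1.1", file_type="MSEXE"),
        "tls-opaque": Flow("10.1.1.5", "192.0.2.90", 51005, 8443, "tcp", payload=b"cmd.exe", encrypted=True),
        "clean-web": Flow("10.1.1.5", "192.0.2.80", 51006, 80, "tcp", payload=b"GET /index.html HTTP/1.1"),
    }
    return {n: p.evaluate(f) for n, f in flows.items()}


if __name__ == "__main__":
    for n, (verdict, stage, reason) in run_examples().items():
        print(f"{n:15} {verdict:5} @ {stage:21} {reason}")
```

Two of the sample flows are the ones worth noticing when reviewing a real policy: "trusted-backup" carries the same content the intrusion rule would drop, but the trust rule lets it through uninspected, and "tls-opaque" is allowed by the default intrusion-prevention action because, with no SSL policy decrypting it, there is no payload for Snort to match.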
9. Cisco FMC and Firepower Design considerations
Assume your company has the setup below and you wish to integrate NGIPS.
Things to consider:
• Do not make any routing changes
• Do not disrupt the configuration of the router and the switch
Solution: integrate the Firepower physically inline between the switch and the router.
10. Design:
• Break the connection between the switch and the router.
• Connect the switch to one interface of the Firepower and the router to another interface.
• Connect the management port of the Firepower to your management switch.
• Plan to have the Firepower management interface and the FMC on the same management network.
12. Cisco Firepower configuration
• Log in to the console of the Firepower.
• Enter the default username and password (admin / Admin123). Press "Enter" to accept the End User License Agreement (EULA).
15. • Enter the management IP, netmask, gateway and fully qualified domain name for the Firepower as per your design.
Choose inline deployment.
16. • Wait 1-2 minutes for the Firepower to apply the settings. The next step is to configure the manager.
Command => configure manager add <fmc_mgmt_ip> <registration_key>
The registration key can be any string you like. Do not forget the registration key you use here: the same key
must be entered on the FMC when adding the appliance.
17. NOTE: if you entered wrong information and want to correct it, you can always
reconfigure the network settings with the command below (the gateway is the third argument). Command =>
configure network ipv4 manual <firepower_mgmt_ip> <subnet_mask> <gateway>
19. Cisco FMC configuration
• To add a device on the FMC, go to Devices -> Device
Management -> click Add -> select Add Device
20. In the next screen, open the Access Control Policy
dropdown and select New. Give the policy a name and set the default
action to "Intrusion Prevention"
21. Once the Access Control Policy is created, fill in the details of the Firepower device: its management IP
(or hostname), a display name, and the same registration key you entered on the device
22. Select the licenses based on your purchase and
requirements
Firepower Licensing
License         | Provides                                                                  | Requires
Protection      | IPS, File Control (detect or block files), Security Intelligence filtering | -
Control         | User & application control, switching & routing                           | Protection license
Malware         | AMP, ThreatGrid                                                           | Protection license
URL Filtering   | URL filtering by category & reputation                                    | Protection license
23. • The FMC starts the registration process and shows its status as below
• If the details you entered are correct, the FMC reports that the Firepower was registered successfully
• As a verification step, log in to the Firepower CLI and confirm that registration is complete (Command => show managers lists the FMC and the registration state)
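The same registration that slides 19 to 23 perform in the FMC UI can be scripted against the FMC REST API, which is how a practitioner registers many sensors consistently. The following is an added example, not Cisco's code and not part of the original slides. It uses the FMC endpoints `POST /api/fmc_platform/v1/auth/generatetoken` (returns the session token and domain UUID in response headers), `GET .../policy/accesspolicies` and `POST .../devices/devicerecords`; the FMC hostname, API user, device address, registration key and policy name are placeholders, and the license prerequisite check encodes the licensing table above.

```python
"""Register a Firepower managed device with FMC over the FMC REST API.
Added example, not Cisco's code. The hostname, credentials, device address and
registration key below are placeholders. TLS verification is left on, so the
FMC certificate must be trusted by the host running this script."""
import base64
import json
import ssl
import urllib.request

# License names from the licensing table -> values the FMC API expects in
# license_caps. The table's prerequisite: everything except Protection needs Protection.
LICENSE_CAPS = {"Protection": "THREAT", "Control": "BASE",
                "Malware": "MALWARE", "URL Filtering": "URLFilter"}


def license_caps(selected):
    """Translate license names to API values, enforcing the Protection prerequisite."""
    unknown = [s for s in selected if s not in LICENSE_CAPS]
    if unknown:
        raise ValueError(f"unknown license(s): {unknown}")
    dependents = [s for s in selected if s != "Protection"]
    if dependents and "Protection" not in selected:
        raise ValueError(f"{dependents} require the Protection license")
    return [LICENSE_CAPS[s] for s in selected]


def registration_body(name, host_ip, reg_key, access_policy_id, licenses):
    """Body for POST .../devices/devicerecords; reg_key must match the one typed on the device."""
    if not reg_key or any(c.isspace() for c in reg_key):
        raise ValueError("registration key must be non-empty and contain no whitespace")
    return {"name": name, "hostName": host_ip, "regKey": reg_key, "type": "Device",
            "license_caps": license_caps(licenses),
            "accessPolicy": {"id": access_policy_id, "type": "AccessPolicy"}}


def parse_login_headers(headers):
    """Pull the session token and domain UUID out of generatetoken's response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        return h["x-auth-access-token"], h["domain_uuid"]
    except KeyError as e:
        raise RuntimeError(f"FMC login response is missing header {e}") from None


def find_access_policy(items, name):
    """Id of the ACP called `name` from a GET accesspolicies listing, or None."""
    return next((i["id"] for i in items if i.get("name") == name), None)


class Fmc:
    def __init__(self, host, user, password, ctx=None):
        self.base = f"https://{host}"
        self.ctx = ctx or ssl.create_default_context()
        self.basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.token = self.domain = None

    def _call(self, method, path, body=None, headers=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        for k, v in (headers or {}).items():
            req.add_header(k, v)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
            return resp.status, dict(resp.headers), (json.loads(raw) if raw else {})

    def login(self):
        _, hdrs, _ = self._call("POST", "/api/fmc_platform/v1/auth/generatetoken",
                                headers={"Authorization": "Basic " + self.basic})
        self.token, self.domain = parse_login_headers(hdrs)

    def get(self, path):
        return self._call("GET", path, headers={"X-auth-access-token": self.token})[2]

    def post(self, path, body):
        return self._call("POST", path, body, headers={"X-auth-access-token": self.token})[2]

    def register_device(self, name, host_ip, reg_key, acp_name, licenses):
        listing = self.get(f"/api/fmc_config/v1/domain/{self.domain}/policy/accesspolicies?limit=1000")
        acp_id = find_access_policy(listing.get("items", []), acp_name)
        if acp_id is None:
            raise RuntimeError(f"access control policy {acp_name!r} not found on FMC")
        body = registration_body(name, host_ip, reg_key, acp_id, licenses)
        # FMC accepts the request (202) and registers asynchronously; watch Devices -> Device Management.
        return self.post(f"/api/fmc_config/v1/domain/{self.domain}/devices/devicerecords", body)


if __name__ == "__main__":
    fmc = Fmc("fmc.example.internal", "api-user", "api-password")  # placeholders
    fmc.login()
    print(fmc.register_device("ngips-01", "10.10.10.21", "regkey-ngips-01",
                              "NGIPS-inline", ["Protection", "Malware", "URL Filtering"]))
```

The request is accepted before registration finishes, so a script that registers several devices should poll Devices -> Device Management (or the device record itself) rather than assume success from the 202. Keep the API user's credentials out of the script in practice; they are inline here only so the example is self-contained.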
24. Create an inline set for the Firepower
Configure the inline network pair to define the ingress and egress interfaces. Pairing them tells the Firepower that a packet which
enters on one interface must leave through its counterpart.
A Firepower can have multiple interfaces; to pair them you configure inline sets.
Click the pencil icon on the device you just added.
Define the ingress and egress interfaces by assigning each a security zone.
Create an inline set for the interface pair.
o Note: the Failsafe option lets traffic bypass inspection and pass through the device when its buffers are full. Nothing is inspected while that happens, so enable it only where availability matters more than inspection during overload.
Select the options in the Advanced section according to your needs.
Once the inline set is defined, deploy the configuration: click the Deploy icon, select the device and click Deploy.
25. Health Policy and Platform settings deployment
• The health policy defines what the FMC queries the managed device for. Here you choose whether the FMC should monitor the
interfaces, CPU, disk and so on of the Firepower.
• Go to System -> Health -> Policy -> Create Policy
• Review the modules listed on the left. Based on the health policy, the FMC can be configured to send
SNMP traps or emails when a health check reports a warning or an error
• Once you have defined the settings as per your needs, click Apply, select the Firepower
device and click Apply
• To control the system settings of the Firepower, go to Devices -> Platform Settings ->
New Policy.
• Select the Firepower appliance and move it to the right.
• Change the available settings as per your needs and click Save
• Deploy the policy to the device