
CHAOS

#CLMEL BRKSEC-2364 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Troubleshooting Issues on FTD like TAC

Raghunath Kulkarni - TAC


BRKSEC-2364

Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How
1. Open the Cisco Events Mobile App
2. Find your desired session in the “Session Scheduler”
3. Click “Join the Discussion”
4. Install Webex Teams or go directly to the team space
5. Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-2364

Agenda

• Introduction
• Architecture Overview
• Packet Flow
• Commands
• Case Study

Your Presenter
Raghunath Kulkarni

• SME for Firepower TAC
• 10 Years experience with TAC
• 7 Years experience with Sourcefire and Firepower
• Core Architect for Security Experience Centre
• Security Evangelist @ University and Schools

Architecture Overview
ASA/Virtual FTD

SSP (2100/4100/9300)

Packet Flow
Capacity
• An FTD is like an Elevator.
• At any given time, the elevator can only hold so much weight.

Capacity
• Each “person” in elevator consumes different amount of space.
• Unfortunately they don’t look like this:

Factors
• Small or Large Sessions
• Packet Size
• Asynchronous traffic
• Features enabled
• Snort Load Balancing
• Traffic Profile

Let the Games begin

Packet Ingress

Packet Ingress (Optional)

DAQ (Data Acquisition)

DAQ (Data Acquisition) (Optional)

Security Intelligence

Access Control Policy

SSL Policy

Authentication

Intrusion Policy

Network Analysis Policy

Snort Troubleshooting

Automatic Application Bypass

Intelligent Application Bypass
• On
• Identifies the traffic to be trusted.
• Labels the identified flow and Fastpath.
• Generates a “bypass” tag for everything.

• Test
• Identifies the traffic to be trusted.
• Labels the identified flow but does not Fastpath.
• Generates a “would bypass” tag for everything.

Asymmetric Traffic
• Missed Detections
• Snort can’t detect what it can’t see.
• Snort can’t inspect the traffic correctly.
• “Would have dropped” events generated.

• Performance Problems
• High memory use.

• Unexpected Behavior
• Misidentified applications.
• Missing connection events.
• Misidentified client and server.

Asymmetric Traffic
• TCP Stream Preprocessor detects asymmetric traffic.
• S5 messages generated under /var/log

• How does Snort identify sessions?
• Source and Destination IP.
• Source and Destination Port.
• VLAN.
• MPLS Label.
• Domain (Inline set, vRouter, vSwitch, Security Zone, ASA Context)

Asymmetric Traffic (Known Problems)
• Problem
• Different VLANs on each side of session
(VLAN50) 192.168.1.2 -> 10.8.0.2
(VLAN51) 10.8.0.2 -> 192.168.1.2

Asymmetric Traffic (Known Problems)
• Problem
• Traffic from same session traversing multiple inline sets
(Inline Set A) 192.168.1.2 -> 10.8.0.2
(Inline Set B) 10.8.0.2 -> 192.168.1.2
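The two "known problems" above follow directly from the session-key fields the deck lists: because VLAN and domain (inline set) are part of the key, a reply that arrives on a different VLAN or inline set is tracked as a separate one-sided session. The model below is an added example, not code from the deck or from Snort; the exact key layout and the field names are assumptions, and the flows reuse the deck's addresses (192.168.1.2 and 10.8.0.2) with constructed ports.

```python
# Added example: models Snort session keying from the fields the deck lists
# (IPs, ports, VLAN, MPLS label, domain) to show why a per-direction VLAN or
# inline-set mismatch splits one TCP connection into two sessions.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vlan: Optional[int] = None      # 802.1Q tag, if present
    mpls: Optional[int] = None      # MPLS label, if present
    domain: str = "inline-set-A"    # inline set / vRouter / vSwitch / zone / ASA context


def session_key(p: Packet) -> Tuple:
    """Direction-independent key: endpoints sorted, then VLAN, MPLS label, domain.
    Assumed layout for illustration; only the field list comes from the deck."""
    lo, hi = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (lo, hi, p.vlan, p.mpls, p.domain)


def session_count(packets: Iterable[Packet]) -> int:
    """Number of distinct sessions these packets would be tracked under."""
    return len({session_key(p) for p in packets})


def split_field(fwd: Packet, rev: Packet) -> Optional[str]:
    """Name the field that keeps rev out of fwd's session, or None if they share one."""
    for name in ("vlan", "mpls", "domain"):
        if getattr(fwd, name) != getattr(rev, name):
            return name
    return None


# Constructed flows: client 192.168.1.2 -> server 10.8.0.2 and three possible replies.
FWD = Packet("192.168.1.2", 40000, "10.8.0.2", 443, vlan=50)
REV_OK = Packet("10.8.0.2", 443, "192.168.1.2", 40000, vlan=50)
REV_VLAN = Packet("10.8.0.2", 443, "192.168.1.2", 40000, vlan=51)                      # VLAN50 / VLAN51 case
REV_SET = Packet("10.8.0.2", 443, "192.168.1.2", 40000, vlan=50, domain="inline-set-B")  # Inline Set A / B case

if __name__ == "__main__":
    for label, rev in (("same VLAN", REV_OK), ("VLAN 50/51", REV_VLAN), ("inline set A/B", REV_SET)):
        print(f"{label}: {session_count([FWD, rev])} session(s), split on {split_field(FWD, rev)}")
```

A count of 2 for a single connection is the condition the TCP Stream Preprocessor reports as asymmetric; the fix is on the network side (consistent VLAN and inline set per direction), not in Snort.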

Rule Profiling

Traffic Profile

Q&A

Visit the Customer Experience booth in the World of Solutions and donate for charity!
Step 1: pick up your token $$ at this session or the Customer Experience Booth in the World of Solutions.
Step 2: visit the Customer Experience Booth in the World of Solutions, chat with one of our experts and donate to the charity of your choice.

Donate to Charity!

Complete Your Online Session Evaluation
• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at: https://ciscolive.cisco.com/on-demand-library/

Thank you
