Tech Talk
Feature Overview
Abhishek Singh, Technical Marketing Engineer
Anant Mathur, Technical Marketing Engineer Manager
Eric Kostlan, Technical Marketing Engineer
Nanda Kumar, Technical Marketing Engineer
[Diagram: Cisco Firepower feature overview – Advanced Malware Protection, NGIPS, URL Filtering, High Availability, Analytics & Automation]
Cisco Firepower
Historical perspective
• Snort created
  • Created by Martin Roesch in 1998
  • Snort is both an engine and a language
  • Open source rapidly adopted and develops Snort (currently more than 420,000 active members)
• Sourcefire founded
  • Founded in 2001 by Martin Roesch
  • Created a commercial version of Snort
• Sourcefire acquires Immunet, a cloud-based anti-malware vendor
  • Acquisition completed 2011
• Cisco acquires Sourcefire
  • Acquisition completed 2013 for $2,700,000,000
Cisco Network Security Solutions
Other than FTD
• Adaptive Security Appliance (ASA)
  • Best of breed traditional stateful firewall
  • VPN concentrator (site-to-site, remote access and clientless)
  • Managed by ASDM, CSM or CLI
• Firepower Next Generation IPS
  • Best of breed IPS
  • Based on open source Snort
  • Managed by Firepower Management Center (aka FireSIGHT, aka Defense Center)
• ASA with Firepower services
  • Combination of ASA with Firepower
  • Contains all features of both products
  • Requires 2 management consoles
  • Packets are copied from ASA data plane to Firepower module
NGFW (FTD): ASA-Firepower Convergence
Security Application Convergence
ASA
  • L2-L4 Stateful Firewall
  • Scalable CGNAT, ACL, routing
  • Application inspection
FirePOWER
  • Threat-centric NGIPS
  • AVC, URL Filtering for NGFW
  • Advanced Malware Protection
[Diagram: Event History – what, where, when, how; Talos]
Lua Scripting Language
• OpenAppID preprocessor leverages the power of the Lua scripting language
• Application detectors are written using the Lua scripting language (not Snort rules)
• Lua is an open-source scripting language.
  • Lua is designed, implemented, and maintained by a team at PUC-Rio, the Pontifical Catholic University of Rio de Janeiro in Brazil.
  • Lua is the Portuguese word for moon.
• Benefits of Lua
  • Proven – used in many industrial applications, including several Cisco products
  • Powerful and fast – utilizes the LuaJIT just-in-time compiler
  • Portable and embeddable – well documented API
  • Simple, lightweight, and small – under Linux, the interpreter is 182K, libraries 244K
• See more at http://www.lua.org
Example of a Lua Script

  --[[
  detection_name: SampleAppDetector
  version: 1
  description:
      Detects "cisco123" on port 8888
  --]]

  -- Common helpers shipped with OpenAppID (protocol constants etc.)
  require "DetectorCommon"
  local DC = DetectorCommon
  local proto = DC.ipproto.tcp;

  -- Package descriptor read by the OpenAppID loader: names the detector and
  -- the three callbacks the engine will invoke.
  DetectorPackageInfo = {
      name = "SampleAppDetector",
      proto = proto,
      server = {
          init = 'DetectorInit',
          validate = 'DetectorValidator',
          clean = 'DetectorClean',
          minimum_matches = 1
      }
  }

  -- Called once at load time: register the application and the
  -- port/pattern pair that identifies it.
  function DetectorInit(detectorInstance)
      gDetector = detectorInstance;
      gAppId = gDetector:open_createApp("SampleApp");
      if gDetector.addPortPatternService then
          gDetector:addPortPatternService(proto, 8888, "cisco123", -1, gAppId);
      end
  end

  -- Per-flow validation hook; empty here because the port/pattern match is enough.
  function DetectorValidator()
  end

  -- Cleanup hook invoked when the detector is unloaded.
  function DetectorClean()
  end
Intrusion Prevention System (IPS)
Snort Architecture
High-level Snort architecture
[Diagram: network → DAQ libraries → Packet decoder → Preprocessors → Detection engine → Output module → Alert and log files]
• Packet sniffer
  • Packets are read using the Data AcQuisition library (DAQ)
• Preprocessors
  • Normalize traffic
• Detection engine
  • Uses Snort rules to create signatures for threats
• Output module
  • Handles the task of writing and displaying events
Preprocessors
• Preprocessors play a vital function in network traffic inspection
  • Present packets to the detection engine in a contextually relevant way
  • Normalize traffic
  • Alert if they detect anomalous conditions as defined by their settings
• Major preprocessors include the following
  • frag3 – Used to reassemble packet fragments prior to inspection
  • stream5 – Used to reconstruct TCP data streams so that inspection can be done in the context of a TCP conversation
  • Protocol decoders – Normalize TCP streams including: telnet, ftp, smtp, and rpc.
  • http_inspect – Normalizes http traffic
  • DCE/RPC2 – Used to decode and desegment DCE traffic
  • sfPortscan – Used to detect portscans
Network Preprocessor Execution Order
Detection Engine
• Consists of two components to perform inspection
  • Rules builder
  • Inspection component
• Rules builder
  • On Snort startup, assembles rules into rule chains
  • Optimizes rule matching by the inspection component
  • Redundant sources, destinations, source ports and destination ports are eliminated
  • Implements rule chains as linked lists
• Inspection component
  • Matches traffic to a rule chain
  • Further inspects traffic against the options in the matching rule chain
Snort Language
Overview
• A simple lightweight language for identifying
  • Security policy violations
  • Known network attacks and IDS/IPS evasion techniques
• Snort language supports event filters
  • Limit – Alert on a specified number of events during a specified time interval, then ignore events for the rest of the specified time interval.
  • Threshold – Only alert if the event is seen a specified number of times within a specified time interval
• Communication between rules is accomplished using flowbits
Note: The Snort engine is not restricted to the Snort language. It can use precompiled shared objects in addition to Snort rules.
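As an added illustration (not from the deck), the following Python model shows how the limit and threshold event filters described above differ on the same run of rule matches, tracked per source address; it is a simplified model of the semantics, not Snort's own implementation, and the sample event stream is constructed.

```python
from collections import defaultdict


def apply_event_filter(events, kind, count, seconds):
    """Return the timestamps that survive a Snort-style event filter.

    events  : iterable of (timestamp_seconds, track_key) for successive matches of
              one rule, in time order; track_key is e.g. the source IP (track by_src).
    kind    : "limit"     - alert on the first `count` events in the window, then
                            ignore events for the rest of the window
              "threshold" - alert only each time `count` events have been seen in
                            the window (on the count-th, 2*count-th, ... event)
    seconds : length of the time window, which restarts once it has expired.
    Simplified model of the semantics on the slide, not Snort's implementation.
    """
    if kind not in ("limit", "threshold"):
        raise ValueError("kind must be 'limit' or 'threshold'")
    window_start = {}              # per track_key: start of the current window
    seen = defaultdict(int)        # per track_key: events seen in the current window
    alerted = []
    for ts, key in events:
        if key not in window_start or ts - window_start[key] >= seconds:
            window_start[key] = ts  # first event, or window expired: restart it
            seen[key] = 0
        seen[key] += 1
        if kind == "limit" and seen[key] <= count:
            alerted.append(ts)
        elif kind == "threshold" and seen[key] % count == 0:
            alerted.append(ts)
    return alerted


# Constructed sample: one rule match per second from a single source for 13 seconds.
SAMPLE = [(t, "192.0.2.10") for t in range(13)]

if __name__ == "__main__":
    print("limit 3 in 10s     ->", apply_event_filter(SAMPLE, "limit", 3, 10))
    print("threshold 3 in 10s ->", apply_event_filter(SAMPLE, "threshold", 3, 10))
```

With the same 3-in-10-seconds parameters, limit fires on the first three matches of each window while threshold fires once per three matches, which is the difference the slide describes.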
Snort Language
Sample Rule
• Variables (set to “any” by default)
Host Attribute Table
• XML file associated with a particular IP address
• Effect on preprocessors
  • Frag3 and Stream5 – Use the OS information to determine policy, that is, the OS to emulate in packet re-assembly.
  • Application layer preprocessors – Use the service information to determine the protocol-to-port mapping.
• Effect on Snort rules through the metadata attribute – see next slide
Snort Rule Metadata
• Example:
  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Spyware.Rombertik outbound connection"; … ; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; … ; classtype:attempted-user; sid:33161; rev:1;)
• Open Source Snort
  • Provides a way to annotate a rule
  • Service attribute – used together with the Host Attribute Table
• Sourcefire – makes additional use of the metadata attribute, including:
  • Impact flag
  • Action to take, based on intrusion policy
Life of a Flow (slide 1 of 2)
Simplified
• Packet sniffing and hardware processing
• Packet decoding
• Preprocessing
  • Security Intelligence (IP blacklist and white list)
    • Immediately mark flow as blocked or trusted
    • Update hardware flow state
  • Network layer preprocessors
    • Defragmentation and stream re-assembly
• AppID
• Access control rules engine
• Network discovery
• Remaining preprocessors
Life of a Flow (slide 2 of 2)
Simplified
• Snort detection engine
  • Leverages AppID preprocessor to select rules for relevant applications
  • Generates events
  • If action is to block, mark the flow as blocked and update hardware flow state
• File processing
Advanced Malware Protection (AMP)
AMP for Networks
• Snort understands network protocols
[Diagram: AMP Protection Across the Extended Network for an Integrated Threat Defense – AMP for Endpoints, Threat Intelligence Cloud, Threat Grid (Malware Analysis + Threat Intelligence Engine), AMP on Firepower NGIPS Appliance (AMP for Networks), AMP Private Cloud Virtual Appliance, CWS/CTA]
FTD
• Zero-copy packet inspection
• Unified management (FMC/FDM)
Architecture Diagram
[Diagram: Modifications to ASA – the sftunnel between FMC and FTD is terminated on br1 (‘show network’)]
FTD Management interface
• FTD br1 vs diagnostic subinterface comparison
br1
  • Purpose: Used in order to assign the FTD IP that will be used for FTD/FMC communication (sftunnel); provides SSH access to the FTD box
  • Mandatory: Yes, since it is used for FTD/FMC communication (sftunnel terminates on it)
diagnostic
  • Purpose: Provides remote access to ASA engine CLI; used as a source for ASA syslog, AAA messages etc.
  • Mandatory: No, and it is actually not recommended to configure it. The recommendation is to use a data interface instead*
High Level Packet Processing on FTD
1. A packet enters the ingress interface and it is handled by the ASA engine
2. If the policy dictates so, the packet is inspected by the Snort engine
3. Snort engine returns a verdict (whitelist or blacklist) for the packet
4. The ASA engine drops or forwards the packet based on Snort’s verdict
• Snort engine runs 6.x code
• ASA engine runs 9.X.x code
[Diagram: ASA engine L3/L4 rule table beside the Snort engine rule table, with a "Trust?" decision – Yes: the flow stays in the ASA engine; No: the packet goes to Snort.
  ASA engine: R1 S1 D1 Trust; R2 S2 D2 Deny, Log; R3 S3 D3 Permit; R4 S4 D4 Permit
  Snort engine: R2 S2 D2 Deny, Log; R3 … App=Google+ Permit IPS-1, File-1; R4 … URL=Games Warn File-2]
• When a route lookup takes place, the ‘in’ entries of the ASP routing table are checked to determine the egress interface:
firepower# show asp table routing
route table timestamp: 449
in 192.168.75.0 255.255.255.0 inside
in 192.168.76.0 255.255.255.0 dmz
in 192.168.77.0 255.255.255.0 outside
in 5.5.5.5 255.255.255.255 via 192.168.77.1, outside
out 255.255.255.255 255.255.255.255 outside
out 5.5.5.5 255.255.255.255 via 192.168.77.1, outside
out 10.1.1.0 255.255.255.0 via 192.168.77.1, outside
FTD Packet Processing: Prefilter Policy
• Navigate to Policies > Access Control > Prefilter and create a Prefilter Policy
• Add one or more Tunnel and/or Prefilter (Early Access Control) rules and attach the Policy to the ACP
FTD Packet Processing: Prefilter Policy (tunneled)
• Prefilter Rules are deployed to ASA as L3/L4 ACEs and are placed above the normal L3/L4 ACEs
firepower# show access-list
access-list CSM_FW_ACL_; 7 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 268434457: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268434457: RULE: Fastpath_Rule1
access-list CSM_FW_ACL_ line 3 advanced trust ip host 192.168.75.16 any rule-id 268434457 event-log both (hitcnt=0)
  (lines 1-3: EAC Prefilter Rules)
access-list CSM_FW_ACL_ line 4 remark rule-id 268434456: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 5 remark rule-id 268434456: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 6 advanced permit ipinip any any rule-id 268434456 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 7 advanced permit 41 any any rule-id 268434456 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 8 advanced permit gre any any rule-id 268434456 (hitcnt=2) 0x52c7a066
access-list CSM_FW_ACL_ line 9 advanced permit udp any any eq 3544 rule-id 268434456 (hitcnt=0) 0xcf6309bc
  (lines 4-9: Tunnel Prefilter Rules)
access-list CSM_FW_ACL_ line 10 remark rule-id 268434445: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ line 11 remark rule-id 268434445: L4 RULE: Block ICMP
access-list CSM_FW_ACL_ line 12 advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start (hitcnt=0) 0x8bf72c63
access-list CSM_FW_ACL_ line 13 remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
access-list CSM_FW_ACL_ line 14 remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 15 advanced permit ip any any rule-id 268434434 (hitcnt=410) 0xa1d3780e
  (lines 10-15: L3/L4 ACEs)
FTD Packet Processing: L3/L4 ACL
• Advanced L3/L4 ASA ACL is an Access Control Policy (ACP) that is configured on FMC.
• Pushed as a global ACL (CSM_FW_ACL_) to ASA engine and as AC rules in
/var/sf/detection_engines/UUID/ngfw.rules file in Snort engine
firepower# show run access-list
access-list CSM_FW_ACL_ advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start
firepower# show run access-group
access-group CSM_FW_ACL_ global
• Allow Rule will be pushed to ASA engine as permit action and to Snort engine as allow action. The
rule ID correlates the ASA rules with the Snort rules
firepower# show access-list
access-list CSM_FW_ACL_ line 8 remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
access-list CSM_FW_ACL_ line 9 advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ line 11 remark rule-id 268435457: L4 RULE: ACP_Rule2_Allow_ICMP_Type
access-list CSM_FW_ACL_ line 12 advanced permit icmp host 2.2.2.2 host 3.3.3.3 echo rule-id 268435457
• packet-tracer shows that ASA engine will send the packet to Snort engine for a Verdict
> packet-tracer input inside icmp 1.1.1.1 8 0 2.2.2.2
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
FTD Packet Processing: L3/L4 ACL - Allow
Phase: 14
Type: SNORT
...
Snort Verdict: (pass-packet) allow this packet
FTD Packet Processing: L3/L4 ACL - Allow
> show snort statistics
Packet Counters:
Passed Packets 5
Blocked Packets 0
Injected Packets 0
Flow Counters:
Fast-Forwarded Flows 0
Blacklisted Flows 0
Flows bypassed (Snort Down) 0
Flows bypassed (Snort Busy) 0
FTD Packet Processing: L3/L4 ACL - Trust
• Trust Rule will be pushed to ASA engine as trust action and to Snort engine as fastpath action
firepower# show access-list
access-list CSM_FW_ACL_ line 17 remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
access-list CSM_FW_ACL_ line 18 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477
• Packet-tracer shows that ASA engine will not send any packets to Snort engine
> packet-tracer input inside udp 4.4.4.4 1111 5.5.5.5 53
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268435477: ACCESS POLICY: FTD5506-1 - Mandatory/4
access-list CSM_FW_ACL_ remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
Additional Information:
  (No Additional Information means the packet is not going to be redirected to Snort engine)
FTD Packet Processing: L3/L4 ACL - Trust
• Tracing real packets shows that no packets are going to be sent to Snort
> show capture CAPI packet-number 1 trace
1: 19:46:23.626386 192.168.75.14.50152 > 192.168.76.14.53: udp 34
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp host 192.168.75.14 host 192.168.76.14 eq domain
access-list CSM_FW_ACL_ remark rule-id 268435477: ACCESS POLICY: FTD5506-1 - Mandatory/4
access-list CSM_FW_ACL_ remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
Additional Information:
> show snort statistics
Packet Counters:
Passed Packets 0
Blocked Packets 0
Injected Packets 0
Flow Counters:
Fast-Forwarded Flows 0
Blacklisted Flows 0
Flows bypassed (Snort Down) 0
Flows bypassed (Snort Busy) 0
Miscellaneous Counters:
Start-of-Flow events 23
End-of-Flow events 49
FTD Packet Processing: L3/L4 ACL - Trust
• The Trust Rule is pushed to the ASA engine as a permit action instead when one or more of the following is true:
  • Application is used as a condition, and/or SI, QoS, Identity Policy or SSL Policy is in use
firepower# show access-list
access-list CSM_FW_ACL_ line 14 remark rule-id 268435458: L7 RULE: ACP_Rule3_Trust_DNS_App
access-list CSM_FW_ACL_ line 15 advanced permit ip host 3.3.3.3 host 4.4.4.4 rule-id 268435458
In that case packet-tracer shows that ASA engine will send the packet to Snort engine for a Verdict
> packet-tracer input inside udp 3.3.3.3 1111 4.4.4.4 53
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 3.3.3.3 host 4.4.4.4 rule-id 268435458
access-list CSM_FW_ACL_ remark rule-id 268435458: ACCESS POLICY: FTD5506-1 - Mandatory/3
access-list CSM_FW_ACL_ remark rule-id 268435458: L7 RULE: ACP_Rule3_Trust_DNS_App
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
FTD Packet Processing: L3/L4 ACL - Trust
• Tracing real packets shows that the first few packets of the flow are being sent to Snort, but the remaining bypass the Snort engine. Snort statistics also reflect this.
> show capture CAPI packet-number 1 trace
Phase: 4
Type: EXTERNAL-INSPECT
Application: 'SNORT Inspect'
Phase: 5
Type: SNORT
Snort Verdict: (pass-packet) allow this packet
  (Few packets go to the Snort engine)
> show capture CAPI packet-number 10 trace
Phase: 3
Type: FLOW-LOOKUP
Found flow with id 23429, using existing flow
Phase: 4
Type: SNORT
Snort Verdict: (fast-forward) fast forward this flow
  (The remaining packets bypass the Snort engine)
> show snort statistics
Packet Counters:
Passed Packets 2
Blocked Packets 0
Injected Packets 0
Flow Counters:
Fast-Forwarded Flows 7
Blacklisted Flows 0
Flows bypassed (Snort Down) 0
Flows bypassed (Snort Busy) 0
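As an added example (not from the deck), this Python parser reads the kind of packet-tracer / `show capture ... trace` output shown above and reports whether a packet was handed to Snort, which verdict came back, and which engine settled it. The sample traces are constructed from the slide values, and the classification encodes the slides' own mapping (EXTERNAL-INSPECT or pass-packet/black-list = handed to Snort; fast-forward = the remaining packets bypass Snort; no Snort phase = settled by the ASA ACE).

```python
import re

# Constructed sample traces, modelled on the `show capture CAPI packet-number N trace`
# output on the slides: first packet of a Trust+App flow, a later packet of the same
# flow, and a packet blacklisted by Snort. Values are illustrative.
TRACE_FIRST_PACKET = """\
Phase: 4
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 5
Type: SNORT
Subtype:
Result: ALLOW
Additional Information:
Snort Verdict: (pass-packet) allow this packet
"""
TRACE_LATER_PACKET = """\
Phase: 3
Type: FLOW-LOOKUP
Result: ALLOW
Additional Information:
Found flow with id 23429, using existing flow
Phase: 4
Type: SNORT
Result: ALLOW
Additional Information:
Snort Verdict: (fast-forward) fast forward this flow
"""
TRACE_BLACKLISTED = """\
Phase: 14
Type: SNORT
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.MULTILINE)
VERDICT_RE = re.compile(r"Snort Verdict:\s*\(([^)]+)\)")
FIELDS = ("Type", "Subtype", "Result")


def parse_phases(trace):
    """Split a trace into phase dicts: number, Type/Subtype/Result, info lines."""
    phases = []
    parts = PHASE_RE.split(trace)            # [prefix, num, body, num, body, ...]
    for num, body in zip(parts[1::2], parts[2::2]):
        phase = {"phase": int(num), "Type": "", "Subtype": "", "Result": "", "info": []}
        section = None                       # None = header fields, then "config"/"info"
        for line in body.splitlines():
            key, _, value = line.partition(":")
            if key in FIELDS and section is None:
                phase[key] = value.strip()
            elif key in ("Config", "Additional Information"):
                section = "config" if key == "Config" else "info"
            elif section == "info" and line.strip():
                phase["info"].append(line.strip())
        phases.append(phase)
    return phases


def summarize(trace):
    """Decide which engine settled the packet, following the FTD flow on the slides."""
    phases = parse_phases(trace)
    verdict = None
    for p in phases:
        for line in p["info"]:
            m = VERDICT_RE.search(line)
            verdict = m.group(1) if m else verdict
    # Handed to Snort if an EXTERNAL-INSPECT phase ran, the ACL phase announced the
    # hand-off, or Snort returned a per-packet or blacklist verdict.
    sent = any(p["Type"] == "EXTERNAL-INSPECT" or
               any("sent to snort" in l.lower() for l in p["info"]) for p in phases)
    sent = sent or verdict in ("pass-packet", "black-list")
    if verdict == "fast-forward":
        decided_by = "asa-fastpath"          # flow offloaded; Snort is bypassed from now on
    elif sent:
        decided_by = "snort"
    else:
        decided_by = "asa"                   # a trust/deny ACE settled it before Snort
    return {"sent_to_snort": sent, "snort_verdict": verdict,
            "dropped": any(p["Result"] == "DROP" for p in phases),
            "decided_by": decided_by}
```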
FTD Packet Processing: L3/L4 ACL - Monitor
• Monitor Rule will be pushed to ASA engine as a permit action and to Snort engine as an audit action
firepower# show access-list
access-list CSM_FW_ACL_ line 17 remark rule-id 268435459: L7 RULE: ACP_Rule4_Monitor_HTTP
access-list CSM_FW_ACL_ line 18 advanced permit ip host 4.4.4.4 host 5.5.5.5 rule-id 268435459
• Monitor Rule doesn’t drop or permit traffic, but it generates a Connection Event. The packet is
checked against subsequent rules and it is either allowed or dropped
• FMC Connection Events show that the packet matched 2 rules including the Monitor Rule
FTD Packet Processing: L3/L4 ACL - Monitor
• CLISH Snort debug shows that the packet matches 2 rules (audit + block in this case)
> system support firewall-engine-debug
FTD Packet Processing: L3/L4 ACL - Block
• Block Rule will be pushed to ASA engine as a permit or deny action depending on the rule conditions and to Snort engine as deny rule. If both applied, Application takes precedence over Dest Ports.
firepower# show access-list
access-list CSM_FW_ACL_ line 20 remark rule-id 268435460: L7 RULE: ACP_Rule5_Block_Telnet_App
access-list CSM_FW_ACL_ line 21 advanced permit ip host 5.5.5.5 host 6.6.6.6 rule-id 268435460
  (Packets matching this rule will be dropped by Snort engine)
access-list CSM_FW_ACL_ line 23 remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
access-list CSM_FW_ACL_ line 24 advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464
  (Packets matching this rule will be dropped by ASA engine)
root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435460 deny any 5.5.5.5 32 any any 6.6.6.6 32 any any any (appid 861:1)
268435464 deny any 6.6.6.6 32 any any 7.7.7.7 32 23 any 6
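As an added example (not from the deck or from Cisco), the following Python correlates `show access-list` ACEs with ngfw.rules entries by rule-id, as the slides describe, and labels which engine enforces each rule (trust ACE: ASA fastpath; deny ACE: ASA drop; permit ACE: the Snort action decides). The sample output is constructed from the slide values, and the `fastpath` line for the Trust rule is an assumed rendering of what the slides call the fastpath action.

```python
import re

# Constructed sample output, modelled on the `show access-list` and ngfw.rules lines
# on the slides (rule-ids, hosts and names are illustrative; the fastpath line is an
# assumed rendering of a Trust rule in ngfw.rules).
SHOW_ACCESS_LIST = """\
access-list CSM_FW_ACL_ line 17 remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
access-list CSM_FW_ACL_ line 18 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477
access-list CSM_FW_ACL_ line 20 remark rule-id 268435460: L7 RULE: ACP_Rule5_Block_Telnet_App
access-list CSM_FW_ACL_ line 21 advanced permit ip host 5.5.5.5 host 6.6.6.6 rule-id 268435460
access-list CSM_FW_ACL_ line 23 remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
access-list CSM_FW_ACL_ line 24 advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464 event-log flow-start (hitcnt=0) 0x8bf72c63
"""
NGFW_RULES = """\
268435477 fastpath any 4.4.4.4 32 any any 5.5.5.5 32 53 any 17
268435460 deny any 5.5.5.5 32 any any 6.6.6.6 32 any any any (appid 861:1)
268435464 deny any 6.6.6.6 32 any any 7.7.7.7 32 23 any 6
"""

REMARK_RE = re.compile(r"^access-list \S+ line \d+ remark rule-id (?P<id>\d+): "
                       r"(?P<layer>L[47]) RULE: (?P<name>\S+)")
ACE_RE = re.compile(r"^access-list \S+ line \d+ advanced (?P<action>trust|permit|deny) "
                    r"(?P<match>.*?) rule-id (?P<id>\d+)")
NGFW_RE = re.compile(r"^(?P<id>\d+) (?P<action>\w+) ")


def parse_show_access_list(text):
    """Map rule-id -> {name, layer, asa_action, asa_match} from `show access-list`."""
    rules = {}
    for line in text.splitlines():
        m = REMARK_RE.match(line)           # "L4 RULE:" / "L7 RULE:" remarks carry the name
        if m:
            rules.setdefault(m["id"], {}).update(name=m["name"], layer=m["layer"])
            continue
        m = ACE_RE.match(line)              # the ACE carries the ASA action
        if m:
            rules.setdefault(m["id"], {}).update(asa_action=m["action"], asa_match=m["match"])
    return rules


def parse_ngfw_rules(text):
    """Map rule-id -> Snort action from the ngfw.rules file (first two tokens)."""
    return {m["id"]: m["action"] for m in map(NGFW_RE.match, text.splitlines()) if m}


def enforcement_point(asa_action, snort_action):
    """Where a packet matching this rule is settled, per the slides' mapping."""
    if asa_action == "trust":
        return "ASA fastpath (never handed to Snort)"
    if asa_action == "deny":
        return "ASA drops before Snort"
    if asa_action == "permit":
        return "Snort decides (%s)" % (snort_action or "no ngfw.rules entry")
    return "unknown"


def correlate(acl_text, ngfw_text):
    """Join ASA ACEs and Snort rules on rule-id and annotate the enforcing engine."""
    asa, snort = parse_show_access_list(acl_text), parse_ngfw_rules(ngfw_text)
    return {rid: {"name": r.get("name"), "layer": r.get("layer"),
                  "asa": r.get("asa_action"), "snort": snort.get(rid),
                  "enforced_by": enforcement_point(r.get("asa_action"), snort.get(rid))}
            for rid, r in asa.items()}
```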
FTD Packet Processing: L3/L4 ACL - Block
• In case traffic matches an ASA deny rule tracing of a real packet shows that the packet is dropped by
ASA engine and it is not being forwarded to Snort
firepower# show capture CAPI packet-number 1 trace
1: 12:29:00.844438 6.6.6.6.18791 > 7.7.7.7.23: S 2574076177:2574076177(0) win 4128 <mss 536>
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435464: ACCESS POLICY: FTD5506-1 - Mandatory/6
access-list CSM_FW_ACL_ remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
Additional Information:
FTD Packet Processing: L3/L4 ACL - Block
• For a Block Rule that uses Application, tracing a real packet shows that the packet is dropped by ASA due to the Snort engine verdict
firepower# show capture CAPI packet-number 7 trace
7: 13:42:53.655971 192.168.75.14.36775 > 192.168.76.14.23: P 4147441466:4147441487(21) ack 884051486 win 16695
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow
  (Snort needs to process a few packets before it determines the Application type)
FTD Packet Processing: L3/L4 ACL - Block w/RST
• Block Rule will be pushed to ASA engine as a permit or deny action depending on the rule conditions and to Snort engine as reset rule
firepower# show access-list
access-list CSM_FW_ACL_ line 26 remark rule-id 268435461: L7 RULE: ACP_Rule7_Block_RST_Youtube
access-list CSM_FW_ACL_ line 27 advanced permit ip host 7.7.7.7 host 8.8.8.8 rule-id 268435461
• When matching Block with Reset rule FTD sends a TCP Reset packet or an ICMP Type 3 Code 13
Destination Unreachable (Administratively filtered) message
• Snort engine debug shows the Reset action
> system support firewall-engine-debug
7.7.7.7-36778 > 8.8.8.8-80 6 AS 1 I 0 match rule order 7, 'ACP_Rule7_Block_RST_Youtube', action Reset
7.7.7.7-36778 > 8.8.8.8-80 6 AS 1 I 0 reset action
FTD Packet Processing: L3/L4 ACL - Inter. Block
• Interactive Block Rule will be pushed to ASA engine as a permit or deny action depending on the rule conditions and to Snort engine as bypass rule
firepower# show access-list
access-list CSM_FW_ACL_ line 29 remark rule-id 268435462: L7 RULE: ACP_Rule8_Interactive_Block
access-list CSM_FW_ACL_ line 30 advanced permit ip host 8.8.8.8 host 9.9.9.9 rule-id 268435462
• Interactive Block Rule will prompt the user that the destination is forbidden
• Snort debug shows that the rule was matched and an interactive response was sent
> system support firewall-engine-debug
8.8.8.8-36793 > 9.9.9.9-80 6 AS 1 I 0 match rule order 8, 'ACP_Rule8_Interactive_Block', action Interactive
8.8.8.8-36793 > 9.9.9.9-80 6 AS 1 I 0 bypass action sending interactive response of 1093 bytes
FTD Packet Processing: L3/L4 ACL - Inter. Block
• The user can click on the Continue button or refresh the browser page to bypass and continue
• If the user clicks on the Continue button the Snort debug shows that the traffic is allowed by the same rule
> system support firewall-engine-debug
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 New session
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 match rule order 8, 'ACP_Rule8_Interactive_Block', action Interactive
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 bypass action interactive bypass
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 allow action
  (The rule mimics an Allow action)
FTD Packet Processing: L3/L4 ACL - IB
w/RST
• Interactive Block Rule will be pushed to ASA engine as a permit action depending on the rule
conditions and to Snort engine as intreset rule
firepower# show access-list
access-list CSM_FW_ACL_ line 32 remark rule-id 268435463: L7 RULE: ACL_Rule9_Interactive_Blck_RST
access-list CSM_FW_ACL_ line 33 advanced permit ip host 9.9.9.9 host 10.10.10.10 rule-id 268435463
• Similar to Block with Reset, the user can click on Continue button
FTD Packet Processing: DAQ
• Data Acquisition Library (DAQ) is the interface between ASA engine and Snort engine
• DAQ communicates with ASA Datapath processes through Packet Data Transport System (PDTS)
1. A packet is placed into DMA Memory
2. Datapath processes the packet
3. If the packet requires Snort inspection, a pointer to the packet is added to the PDTS TX Queue of a specific Snort instance
4. Snort instances periodically read the TX Rings and process the packets in the DMA Memory
5. When a Snort instance finishes processing, it puts a PDTS Notification (Verdict or SSL Decrypted packet) into the PDTS RX queue
6. The Datapath process reads the Verdict or copies the Decrypted packet to DMA memory
• To see the queue utilization and the utilization of PDTS queues from CLISH:
> show asp inspect-dp snort queues
SNORT Inspect Instance Queue Configuration
> show asp inspect-dp snort
SNORT Inspect Instance Status Info
FTD Packet Processing: SI (IP)
• Security Intelligence (SI) can Blacklist (drop) or Whitelist (allow) IP addresses early in the packet processing lifetime within the Snort engine
• Whitelist overrides the Blacklist
• The Blacklist can be populated in 2 ways:
  1. Manually by the FMC administrator
  2. Automatically by Intelligence Feed (Talos or custom) or List
• Snort returns to ASA a verdict about a packet being blacklisted
• The files containing the IPs from Talos SI Feed are in /ngfw/var/sf/iprep_download directory
root@FTD5506-1:/ngfw/var/sf/iprep_download# ls -alt | grep blf
-rw-r--r-- 1 root root 1252278 Jun 12 16:06 3e2af68e-5fc8-4b1c-b5bc-b4e7cab598ba.blf
-rw-r--r-- 1 root root 227696 Jun 12 16:05 032ba433-c295-11e4-a919-d4ae5275a468.blf
• If a packet is being dropped by Snort SI the ASA capture trace shows the Verdict
> show capture CAPI packet-number 1 trace
1: 16:07:45.147743 192.168.75.14 > 38.229.186.248: icmp: echo request
Phase: 14
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow
FTD Packet Processing: SSL Decryption
• SSL Inspection Policy controls which traffic will be decrypted by FTD so that other policies (ACP, File, Snort) can inspect the traffic.
• Can be configured in the Firepower Management Center, under Policies > SSL.
• FTD provides 2 Decryption modes:
  1. Decrypt - Known Key - SSL/TLS server owned by us
  2. Decrypt - Resign - 3rd party SSL/TLS server. The FTD does man-in-the-middle and for that reason requires an Internal CA
• SSL Policy is attached to Access Control Policy (ACP)
• The Client Hello modification feature (enabled by default) allows FTD to modify the Client Hello message (TLS version, ciphers); required for Safe Search and YouTube EDU
FTD Packet Processing: SI (DNS/URL)
• When the Talos URL Feed is used, part of the database is stored locally and updated daily
• For non-cached URLs a Cloud lookup is done
FTD Packet Processing: Identity Policy
Identity Policy enables user-based authentication. The user info can be obtained in various ways:
1. Passive Authentication
  • Integration with LDAP Requires User Agent
SafeSearch
• Interfaces are defined by usage of Security Zones or Interface Groups
• Destination Interface Objects - The interface facing the Responder
• Download - Rate limit of traffic flowing to the devices connected to the source interfaces and from the devices connected to the destination interfaces
• Upload - Rate limit of traffic leaving devices connected to the source interfaces
FTD Packet Processing: Network Discovery
• Malware Cloud Lookup = Sends the SHA-256 hash of a file to the cloud for analysis and, depending on the answer, generates a log if the file is bad. Optionally, Local Analysis can analyze the file and Dynamic Analysis Capable files can be sent to the cloud for Dynamic Analysis and/or SPERO analysis.
• Block Malware = Sends the SHA-256 hash of a file to the cloud for analysis and, depending on the answer, blocks it if the file is bad. Optionally, Local Analysis can block the file and/or Dynamic Analysis Capable files can be sent to the cloud for Dynamic Analysis and/or SPERO analysis.
FTD Packet Processing: Intrusion Policy
• Tracing a real packet shows the Snort engine verdict when a Snort Rule is being matched
firepower# show capture CAPO packet-number 2 trace
2: 12:16:09.232776 192.168.77.40 > 192.168.75.39: icmp: echo reply
Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow
...
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
FTD Packet Processing: ALG Checks
• ASA Application Layer Gateways (ALG) are the classic Modular Policy Framework (MPF) rules applied on the ASA engine
• Currently on FTD the MPF configuration is not tunable (with 6.2 you can tune it using FlexConfig)
• You can use classic ASA MPF commands to verify the existing MPF configuration
firepower# show run class-map
firepower# show run policy-map
firepower# show run service-policy
!
firepower# show service-policy flow tcp host 192.168.75.14 host 192.168.77.40 eq 80
FTD Packet Processing: NAT, VPN, L3, L2
• The remaining checks on ASA engine are the same as on classic ASA
• NAT IP header
• VPN Encrypt
• L3 Route
• L2 Resolution of next hop
Thank You