Cisco Next-Generation FW and Cisco Next Generation IPS Flashcards
Difference between FirePOWER and firepower
- FirePOWER refers to the Cisco ASA FirePOWER Services module
- Firepower refers to Firepower Threat Defense (FTD), the unified image and newer software
Unified software that includes Cisco ASA features, legacy FirePOWER Services and new features. Can be deployed on the Cisco Firepower 1000 Series, 2100 Series, 4100 Series and 9000 Series.
Cisco Firepower Threat Defense (FTD)
Cisco Firepower 1000 Series Model (Designed for small business and small offices)
- Cisco Firepower 1010: A desktop firewall with eight 1 Gigabit Ethernet ports that scales up to 650 Mbps of NGFW throughput
- Cisco Firepower 1120: A rack-mount firewall with eight 1 Gigabit Ethernet ports and four SFP ports. The Firepower 1120 scales up to 1.5 Gbps of throughput
- Cisco Firepower 1140: A rack-mount firewall with eight 1 Gigabit Ethernet ports and four SFP ports. It scales up to 2.2 Gbps of throughput
Cisco Firepower 2100 Series Four Models
- Used for the Internet edge and data centre
- Cisco Firepower 2110 (1 RU, 12 1 Gbps ports and 4 SFP ports, 2 Gbps NGFW throughput)
- Cisco Firepower 2120 (1 RU, 12 1 Gbps ports and 4 SFP ports, 3 Gbps NGFW throughput)
- Cisco Firepower 2130 (1 RU, 24 1 Gbps ports or 12 1 Gbps and 12 10 Gbps ports, 5 Gbps NGFW throughput)
- Cisco Firepower 2140 (1 RU, 24 1 Gbps ports or 12 1 Gbps and 12 10 Gbps ports, 8.5 Gbps NGFW throughput)
Cisco Firepower 4100 Series
- Cisco Firepower 4110 (1 RU, 1, 10 or 40 Gbps interfaces, 35 Gbps firewall throughput and 11 Gbps threat inspection)
- Cisco Firepower 4120 (1 RU, 1, 10 or 40 Gbps interfaces, 60 Gbps firewall throughput and 19 Gbps threat inspection)
- Cisco Firepower 4140 (1 RU, 1, 10 or 40 Gbps interfaces, 70 Gbps firewall throughput and 27 Gbps threat inspection)
- Cisco Firepower 4150 (1 RU, 1, 10 or 40 Gbps interfaces, 75 Gbps firewall throughput and 39 Gbps threat inspection)
- Cisco Firepower 4115 (1 RU, 1, 10 or 40 Gbps interfaces, 80 Gbps firewall throughput and 26 Gbps threat inspection)
- Cisco Firepower 4125 (1 RU, 1, 10 or 40 Gbps interfaces, 80 Gbps firewall throughput and 35 Gbps threat inspection)
- Cisco Firepower 4145 (1 RU, 1, 10 or 40 Gbps interfaces, 80 Gbps firewall throughput and 45 Gbps threat inspection)
Designed for very large enterprises or service providers. Can scale beyond 1.2 Tbps and is designed in a modular way.
Cisco Firepower 9300 Series
Characteristics of Legacy IPS
- They are deployed behind a firewall when providing IPS functionality (inline). Often an IPS is also placed in the network without a firewall in front of it.
- They often look for attempts to exploit a vulnerability and not for the existence of a vulnerability
- They generate large amounts of events
- They focus on individual indicators/events without using contextual information to take action
- Legacy IPS requires manual tuning for better efficacy
Legacy IPS shortcomings
- They often need to be operated in conjunction with other products or tools (firewall, analytics and correlation tools)
- They are sometimes not very effective and may be ignored
- Operational cost and resource requirements are high
- They can leave infrastructures imperfectly covered against attackers
Next-Generation IPS capabilities
- Application awareness and control: provides visibility into layer 7 applications and can protect against layer 7 threats
- content awareness of the information traversing the infrastructure
- contextual awareness
- host and user awareness
- automated tuning and recommendations
- impact and vulnerability assessment of the events taking place
Most important capabilities of Cisco NGIPS
- threat containment and remediation
- application visibility
- identity management
- security automation
- logging and traceability management
- high availability and stacking
- network behavioral analysis
- access control and segmentation
- real-time contextual awareness
What is needed when adding a device to Cisco Firepower Management Center
IP address
NAT ID and registration key if you don't know the IP
Used to configure small Cisco FTD deployments
Cisco Firepower Device Manager (FDM)
A solution that allows you to manage your firewalls from the cloud. You can write a policy once and enforce it consistently across multiple Cisco ASA and Cisco FTD devices.
Cisco Defense Orchestrator (CDO)
Cisco FTD devices, Cisco Firepower NGIPS and Cisco ASA FirePOWER modules can be managed by?
Firepower Management Centre (FMC)
A stateful firewall used in Cisco IOS devices. It is the successor of the legacy IOS Firewall, or context-based access control (CBAC), feature.
Cisco IOS Zone-Based Firewall (ZBFW)
Components of SD-WAN configuration, zone deployments
- Source Zone
- Destination Zone
- Firewall Policy
- Zone Pair
Cisco ASA global command that enables communication between hosts on interfaces at the same security level
same-security-traffic permit interface
Cisco ASA interface level of security
100 - safest (usually named the inside interface)
0 - least safe (usually the outside interface)
between 0 and 100 (DMZ)
Cisco ASA deployment mode
Routed or Transparent
Enables a physical firewall to be partitioned into multiple standalone firewalls. Each standalone firewall acts and behaves as an independent entity with its own configuration, interfaces, security policies, routing tables and administrators.
Security Contexts
In this mode the Cisco ASA acts as a secured bridge that switches traffic from one interface to another
Single-Mode Transparent Firewall (SMTF)
A virtual firewall supports these features that are available in a standalone firewall
- IPS Functionality
- Dynamic Routing
- Packet Filtering
- Network Address Translation (NAT)
- Site-to-site VPN
- IPv6 and device management
Cisco FTD Deployment modes
- routed mode
- transparent mode
Cisco FTD interface modes
- routed
- switched (BVI)
- passive
- passive (ERSPAN)
- inline pair
- inline pair with TAP
As in legacy, Cisco NGFW and Cisco NGIPS can operate in two main modes
Inline and passive (monitoring) mode
Inline modes offer two modes
Routed and switched mode
Interface mode where you have two physical interfaces internally bridged
Inline pair with TAP
Interface mode where the Cisco NGFW or NGIPS device does not usually prevent attacks. The device uses one interface to silently inspect traffic and identify malicious activity without interrupting the traffic flow
Passive mode
Interface mode where you configure one physical interface operating as a sniffer
Passive with ERSPAN Mode
Additional Cisco FTD deployment design considerations
- Management
- Standalone or resilient
- Link speeds/types
- routed or transparent mode
- number of interfaces
- traffic profile
- application control
- URL filtering
- deep inspection
- file and malware protection
Types of information being exchanged on Cisco ASA failover links
- the firewall state (active or standby)
- hello messages
- network link status
- MAC address exchange
- configuration replication and synchronization
Requirements for Cisco ASA failover configuration
- same mode (routed or transparent)
- same software versions
- same domain or group on the Cisco FMC
- same NTP
- DHCP or PPPoE must not be configured on any device
Lets you group multiple Cisco FTD units together as a single logical device
Clustering
A collection of security rules or policies that allows or denies packets after looking at the packet headers and other attributes
ACL
Each permit or deny statement is referred to as?
Access control entry (ACE)
An ACL includes a five-tuple
- source ip address
- source port
- destination ip address
- destination port
- protocol
Cisco ASA supports four types of ACL
- standard ACL
- extended ACL
- EtherType ACL
- WebType ACL
Provided by the Cisco ASA to provide application security or perform QoS functions. It offers a consistent and flexible way to configure Cisco ASA application inspection and other features in a manner similar to that used for the Cisco IOS software Modular QoS CLI
Modular Policy Framework
Three main commands of the Modular Policy Framework
- class-map (classifies the traffic to be inspected)
- policy-map (configures security or QoS policies)
- service-policy (activates the policy, globally or on an interface)
Also known as management access rules, applies to traffic that terminates on the Cisco ASA.
to-the-box traffic filtering
Cisco ASA supports the following four methods of translation
- Static NAT/PAT
- Dynamic NAT/PAT
- Policy NAT/PAT
- Identity NAT
Helpful when you want to translate the source address of an object regardless of the destination address. In this mode you define an object and the address translation policy within the object definition
Auto NAT
Talos-provided base policies
- Connectivity over Security
- Balanced Security and Connectivity
- Security over Connectivity
- No Rules Active
- Maximum Detection
Talos-provided base policy: built for organizations where connectivity takes precedence over network infrastructure security. Enables far fewer rules than those enabled in the Security over Connectivity policy
Connectivity over Security
Talos-provided base policy: designed to balance overall network performance with network infrastructure security.
Balanced Security and Connectivity
Talos-provided base policy: built for organizations where network infrastructure security takes precedence over user convenience.
Security over Connectivity
Talos-provided base policy: no rules are active at this point
No Rules Active
Talos-provided base policy: built for organizations where network infrastructure security is given even more emphasis than in the Security over Connectivity policy, with the potential for even greater operational impact
Maximum Detection
Two types of variables
- System default variables (preconfigured in the system; these include $AIM_SERVERS, $DNS_SERVERS, $EXTERNAL_NET, $FILE_DATA_PORTS, $GTP_PORTS, $HOME_NET, $HTTP_PORTS)
- Policy variables (override default variables)
Variable syntax examples
- address lists: [192.168.1.1, 10.1.1.1, 172.16.1.1] or [192.168.1.1, 10.1.1.1, 172.16.1.0/24]
- port range: [25-121]
- ports less than a number: [-1024]
- ports greater than a number: [1024-]
- exclude a port: [!25]
- list of ports: [21, !25, 80-]
Cisco Firepower can take advantage of these policies. They are a shared set of parameters that define aspects of a Cisco Firepower device that are likely to be similar across other managed devices.
Platform Settings Policy
Preprocessors available in Cisco Firepower NGIPS
- DCE/RPC
- DNS
- FTP and Telnet
- HTTP
- Sun RPC
- SIP
- GTP
- IMAP and POP
- SMTP
- SSH
- SSL
- SCADA
- Network
- Threat Detection
Enables you to detect and block malware, continuously analyze for malware and get retrospective alerts.
Cisco Advanced Malware Protection (AMP)
Cisco AMP Features
- File reputation
- File Sandboxing
- File retrospection
Examples of threat intelligence sources
- Snort, ClamAV and Immunet AV open source communities
- Talos
- Threat Grid
The AMP cloud's prevention framework is made up of seven core components
- Signatures
- Ethos (fuzzy fingerprinting that uses static or passive heuristics)
- Spero (a machine learning technology that proactively identifies threats that were previously unknown)
- IOC (indicators of compromise)
- Device flow correlation
- Advanced analytics
- Dynamic analysis
This means taking a look at what has already transpired; it involves tracking system behavior regardless of disposition, focusing on uncovering malicious activity.
Retrospection
Cisco ASA Point-to-Point Configuration
1. Enable IKE on the interface
2. Create a connection profile
   - Specify the VPN peer
   - Specify the local and remote protected networks
   - Configure IKE authentication and the IKE policy
   - Configure the IPsec proposal (transform set)
3. (Situationally) configure NAT exemption
4. (Situationally) configure VPN traffic with an ACL
5. (Situationally) configure static routing