SourceFire Next-Generation IPS

TRUST THE STRONG
Petr Salač – CCNP Security, CCNP, CICSP, CCSI #33835
petr.salac@alefnula.com
Need Both Breadth and Depth (figure)
BREADTH: Network, Endpoint, Mobile, Virtual, Cloud
DEPTH: Who, What, Where, When, How
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
Covering the Entire Attack Continuum
Attack Continuum (figure):
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Technologies placed along the continuum: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Web Security, Network Behavior Analysis, NAC + Identity Services, Email Security
Visibility and Context underpin all three phases
• Founded in 2001, led by cyber-security-focused individuals; Gartner Magic Quadrant Leader since 2006
• Security from network to endpoint to cloud: market leader in (NG)IPS, groundbreaking Advanced Malware Protection solution
• Innovative: 52+ patents issued or pending; pioneer in NGIPS, context-driven security and advanced malware protection
• World-class research capability
• Owner of major open source security projects: Snort, ClamAV, Razorback
How it’s done
Attack continuum coverage (figure): NGFW, NGIPS and AMP deployed across Network, Endpoint, Virtual and Cloud, managed from the FireSIGHT Management Center
Sourcefire Agile Security Solutions (figure):
Management Center: appliances | virtual
Next-Generation Firewall, Next-Generation Intrusion Prevention, Contextual Awareness, Advanced Malware Protection, Collective Security Intelligence
Deployed as appliances | virtual on the network, and on hosts | virtual | mobile at the endpoint
FirePOWER Benefits
LCD Display: quick and easy headless configuration
Connectivity Choice: change and add connectivity in line with network requirements
Configurable Bypass or Fail-Closed Interfaces: for IDS, IPS or firewall deployments (bypass fails open, so traffic keeps flowing uninspected if the device loses power or crashes; fail-closed stops traffic instead, which is the right choice where an inspection gap is worse than an outage)
Device Stacking: scale monitoring capacity through stacking
Hardware Acceleration: for best-in-class throughput, security, rack size/Mbps and price/Mbps
Lights Out Management: minimal operational impact
SSD: solid state drive for increased reliability
Appliances Summary
All appliances include:
• Integrated lights-out management
• Sourcefire acceleration technology
• LCD display
IPS Performance and Scalability: FirePOWER Places in the Network (figure)
Small Office: FirePOWER 7000 Series, 50 Mbps – 250 Mbps
Branch Office: FirePOWER 7100 Series, 500 Mbps – 1 Gbps
Internet Edge: FirePOWER 7120/7125/8120, 1 Gbps – 2 Gbps
Campus: FirePOWER 8100/8200, 2 Gbps – 10 Gbps
Data Center: FirePOWER 8300 Series, 15 Gbps – 60 Gbps
Virtual Defense Center / Virtual Sensor also available
SF integration with Cisco
Sourcefire on ASA 5500-X (software) and on ASA 5585-X (hardware blade)
Subscriptions: Threat (IPS), AVC, URL Filtering, AMP
AMP Everywhere: Adding AMP to your network
Advanced Malware Protection integrated with Cisco Content Security
• AMP available on E-mail and Web Security devices
• Industry-leading advanced malware protection covering the broadest range of attack vectors
• Simple license add-on
Reputation: preventative blocking of suspicious files
File Sandboxing: behavioral analysis of unknown files
File Retrospection: retrospective alerting after an attack
Available on: Cisco Email Security Appliances, Cisco Web Security Appliances, Cisco Cloud Web Security
Cisco Delivers Intelligent Cybersecurity for the Real World
DURING
Passive Discovery: all the time, in real time
Hosts, vulnerabilities, communications, services, applications, users
What operating systems? What does their traffic look like over time?
View all application traffic… (screenshot)
Look for risky applications… (screenshot)
Geolocation for source and destination; URL … (screenshot)
Intrusion events by impact, priority, hosts, users … (screenshot)
File analysis / malware detection (screenshot)
Security Dashboard (screenshot)
Awareness
• Who is at the host
• OS & version identified
• Server applications and version
• What other systems / IPs did the user have, and when?
• Client applications, client version, application
Only Sourcefire delivers complete network visibility
FireSIGHT
FireSIGHT implements three primary types of detection to derive an understanding of the network that Sourcefire System products are protecting:
• Discovery
• Connection
• Users
FireSIGHT
The combination of intrusion activity, network behavior and detailed knowledge of the environment allows the Sourcefire System to perform correlation that achieves the following results:
• Impact-based IPS alerting
• Automated tuning
• Anomaly detection
• Detection of compliance with your organization’s policies
• User awareness
Event reduction through correlation (figure): 100,000 events → 5,000 events → 500 events → 20 events → +10 events → 3 events
FireSIGHT architecture (figure; layers listed top-down)
Presentation: user interface, alerting, reporting engine, presentation engine
Correlation: correlation engine, rules engine, anomaly detection, remediation services, reputation services, geolocation services
Awareness: network awareness, threat awareness, identity / user awareness, directory mapping to directory services
Detection engines, on top of the DAQ (Snort data acquisition layer)
The goal of the correlation layer in one sentence: “Email me only if a valid attack gets through to one of our executives’ Android phones.”
Impact assessment views (screenshots): by IPS impact flag; by discovery events; by malware
Remediation Modules (screenshot)
Remediation API (screenshot)
Custom Remediation Module
A remediation module is a program or script, packaged with associated files, that is written to perform specific actions or responses to conditions on your network that violate correlation policies.
Custom remediation scripts can be written in any of the following languages:
• bash
• tcsh
• Perl
• C: a remediation module written in C must be pre-compiled and statically linked, with the exception of links to routines in glibc
Additionally, you must create an XML document called module.template to define the information your module requires from the Remediation subsystem.
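As an added example of a bash remediation script in the style the slide describes (this is not Sourcefire code and not one of the modules shipped with the Defense Center), the following blocks the source of a correlation event by appending it to a block list. Because the page does not show a module.template, these are assumptions: the template maps the event's source IP address to the script's first argument, a hypothetical enforcement job consumes the block list file, and the exit status is what the Remediation subsystem records. The point a practitioner wants here is that a remediation script runs on the management center with data that originated in network traffic, so it validates the address before using it and refuses to act on its own infrastructure range.

```shell
#!/bin/bash
# Added example remediation script, not Sourcefire's own code.
# Assumed contract (hypothetical): $1 = source IP address from the correlation event,
# exit 0 = remediation succeeded, non-zero = failed (reported by the Remediation subsystem).

# Hypothetical block list consumed by an enforcement job; override via the environment.
BLOCKLIST="${BLOCKLIST:-./remediation-blocklist.txt}"

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address, 1 otherwise.
# Anything else (hostnames, shell metacharacters, IPv6) is rejected rather than passed on.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty fields
    esac
    oldifs="$IFS"; IFS='.'; set -- $ip; IFS="$oldifs"   # split into positional parameters
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1          # bound length before numeric comparison
        case "$octet" in 0?*) return 1 ;; esac     # no leading zeros (octal ambiguity)
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Remediation entry point: record $1 in the block list, idempotently.
# Returns 0 on success (or already blocked), 2 for malformed input, 3 for protected addresses.
remediate_block_source() {
    src="$1"
    if ! valid_ipv4 "$src"; then
        echo "remediation: refusing malformed source address '$src'" >&2
        return 2
    fi
    # Never block the management network itself (hypothetical protected range).
    case "$src" in
        10.0.0.*) echo "remediation: $src is in the protected range; not blocking" >&2; return 3 ;;
    esac
    : >> "$BLOCKLIST"                                  # create the file if missing
    grep -qxF -- "$src" "$BLOCKLIST" && return 0       # already present: nothing to do
    printf '%s\n' "$src" >> "$BLOCKLIST"
    logger -t sf-remediation "blocked $src" 2>/dev/null || true   # best-effort audit trail
    return 0
}

# When invoked with arguments (as the Remediation subsystem would), act on them;
# when sourced without arguments, only the functions are defined.
if [ "$#" -gt 0 ]; then
    remediate_block_source "$1"
    exit $?
fi
```

Run as `./block_source.sh 198.51.100.7`; a second run with the same address is a no-op and still exits 0, so a correlation rule that fires repeatedly does not pile up duplicate entries.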
EPS REST API
Threat detection sources: IDS signature, malware, traffic, application, and many more
Quarantine actions through the Cisco ISE EPS (Endpoint Protection Service) REST API: VLAN assignment, dACLs, SGT, QoS tag
“Automagical, Dynamic, Squirrely Threat/Malware/Attack Response/Defense”
Replicate Modules in Remediation Instances (screenshot)
Definition for Remediation Instance (screenshot)
Creating the Rule for DoS Mitigation (screenshot)
Rule together with mitigation instance for DoS blocking (screenshot)
Summary (DoS mitigation): universal remediation module → specific remediation instance; correlation rule “if DoS detected” → correlation policy
Summary (anomaly alerting): traffic profile → correlation rule “if anomaly detected” → generate alert → correlation policy
Traffic Profile (screenshot)
Rule Creation (screenshot)
Policy Creation (screenshots)
Enhanced High-Availability
• Synchronizes critical state information between the individual devices in a high-availability cluster.
• TCP strict state enforcement: because TCP state is synchronized, established sessions continue after failover instead of being dropped by strict state checking or having to re-establish the connection.
• Unidirectional rules: a flow allowed by a unidirectional rule continues even if failover occurs midstream.
• Blocking persistence: flow state including the verdict (blocked or allowed) is shared so the verdict persists after failover.
• Dynamic Network Address Translation (NAT): dynamic mappings of IP addresses and ports remain persistent after failover.
• Supports clustered appliance stacks (8250, 8260, 8270 and 8290).
Requirements: devices are directly connected via the HA Link external interfaces; clustered devices must be the same model with identical NetMods; the HA Link interface speed depends on the potential throughput of each cluster member.
IPv6 Awareness & Support
• IPv6 support is fully integrated
• From policies to event viewers to table views.
• Network discovery of IPv6 hosts
• User Agent, Impact Flag and rule
recommendations all work with IPv6
• Nmap can scan over IPv6
• IPv6 discovery events can stream via eStreamer
The Solution
SSL can be decrypted at wire speed, using one of two methods:
• Known server key method: requires access to the server’s private key and decrypts inbound SSL communication to your own servers. It only works when the negotiated cipher suite uses RSA key exchange, where the client encrypts the premaster secret to the server key; with (EC)DHE suites the server key only signs the handshake, so the session keys cannot be recovered from it.
• Certificate resign method: the device terminates the client’s session and re-signs the server certificate with its own intermediate CA; requires that intermediate certificate to be trusted by the browsers; decrypts outbound SSL communication.
Don’t Forget: Apps are Often Encrypted!
• Major web applications (two logos in the original slide) default to SSL
• Benefits of the Sourcefire off-box decryption solution:
• Improved performance: acceleration and policy
• Centralized key management
• Interoperable with 3rd-party products
SSL appliance throughput: SSL1500, 1.5 Gbps; SSL2000, 2.5 Gbps; SSL8200, 3.5 Gbps
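A check a practitioner wants before planning a known-server-key deployment: whether the servers in scope actually negotiate RSA key exchange. The script below is an added example, not Sourcefire code; it classifies OpenSSL-style cipher-suite names by key exchange and reads the negotiated suite from `openssl s_client` output. The `openssl s_client -connect host:port` invocation is real; the s_client output used in the usage note and tests is constructed, and the suite-name patterns are assumptions based on OpenSSL’s naming convention (suites without a key-exchange prefix use static RSA).

```shell
#!/bin/sh
# Added example: can passive "known server key" decryption work for a given session?
# Not Sourcefire code. Cipher-suite names are assumed to follow OpenSSL's naming convention.

# Classify an OpenSSL cipher-suite name by its key exchange. Prints one of:
#   known-server-key : static RSA key exchange; the client encrypts the premaster secret to
#                      the server's RSA key, so a device holding that key can decrypt passively
#   forward-secret   : (EC)DHE or TLS 1.3; the server key only signs, session keys are never
#                      derivable from it, only the certificate-resign (MITM) method can decrypt
#   unknown          : anonymous, PSK, static ECDH and anything else not handled here
kx_class() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*|TLS_AES_*|TLS_CHACHA20_*) echo forward-secret ;;
        AES*|CAMELLIA*|SEED-*|DES-CBC3-*|RC4-*|IDEA-*)  echo known-server-key ;;
        *)                                              echo unknown ;;
    esac
}

# Extract the negotiated suite from `openssl s_client` output read on stdin:
# the "Cipher    : NAME" line of its SSL-Session block.
negotiated_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1 | tr -d '[:space:]'
}

# Read s_client output on stdin; print a verdict and return
# 0 = known-server-key decryption applies, 1 = forward secret, 2 = cannot tell.
passive_decryption_possible() {
    suite=$(negotiated_cipher)
    case "$(kx_class "$suite")" in
        known-server-key) echo "$suite: decryptable with the server private key"; return 0 ;;
        forward-secret)   echo "$suite: forward secret, certificate resign required"; return 1 ;;
        *)                echo "${suite:-no cipher line}: unclassified key exchange"; return 2 ;;
    esac
}
```

Usage against a live server: `openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null | passive_decryption_possible`. A server that prefers ECDHE suites (the default on current web servers) returns 1, meaning the known-server-key method will see nothing; to keep it working, the server must be configured to negotiate RSA key exchange, which gives up forward secrecy for every client.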
BEFORE
FW integration with IPS: only a license
Policy-Driven Visibility and Control
Filter Access and Apply Protection by Application, User, and Traffic Path (screenshots)
Updates from Cloud (VRT)
IPS software, Snort rule updates and the vulnerability database that maps vulnerabilities to host platforms
Chaining FW with IPS and File Analysis (screenshots)
AFTER
File Type Detection: Policy (screenshot)
Advanced Malware Protection Solution
• Dedicated FirePOWER appliance for Advanced Malware Protection with subscription, OR an add-on subscription to any FirePOWER appliance for NGIPS
• Advanced Malware Protection subscription for hosts, virtual and mobile devices
Complete advanced malware protection to protect networks and devices
Dynamic Analysis: Process Overview (items marked * are new with 5.3)
1. File detected on the FirePOWER appliance: it calculates the file hashes and saves a copy if policy dictates*.
2. FireSIGHT Management sends the hash metadata to the AMP Cloud (FireAMP Cloud, metadata / hashes; optional proxy*).
3. AMP Cloud response, e.g. Disposition = Unknown, Threat Score = Unknown*.
4. If policy dictates, the file is sent to the VRT Dynamic Analysis Cloud (files; optional proxy*) for dynamic analysis*.
5. Dynamic analysis returns*: analysis queue status, error status, threat score.
Sourcefire Cloud Services: VRT Dynamic Analysis Cloud (files), FireAMP Cloud (metadata / hashes)
Finding patient 0: Trajectory analysis
Look wide (AMP for Networks): network trajectory answers when did it happen, where is patient 0, what else did it bring in
Look deep (AMP for Endpoints): device trajectory answers what systems were infected
Network File Trajectory (screenshot): the time of entry, systems infected
Reports (screenshots): can be launched directly from the dashboard; a template created from the dashboard; templates can be customized or created
Collective Security Intelligence (figure)
Sourcefire Vulnerability Research Team
Inputs: private & public threat feeds, sandnets, honeypots, advanced Microsoft & industry disclosures, file samples from the FireAMP™ community (>180,000 per day), Sourcefire AEGIS™ program, SPARK program, Snort® & ClamAV™ open source communities
Analysis: sandboxing, machine learning, big data infrastructure
Outputs: malware protection, reputation feeds, IPS rules, vulnerability database updates
TRUST THE STRONG
Thank you for your attention