TRUST THE STRONG

Sourcefire Next-Generation IPS
Petr Salač – CCNP Security, CCNP, CICSP, CCSI #33835
petr.salac@alefnula.com

Need Both Breadth and Depth
[Figure: breadth across Network, Endpoint, Mobile, Virtual and Cloud; depth across Who, What, Where, When and How]
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Covering the Entire Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
• Controls mapped onto the continuum: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Web Security, Network Behavior Analysis, NAC + Identity Services, Email Security
• Underpinned by Visibility and Context

About Sourcefire
• Founded in 2001, led by cyber-security-focused individuals; Gartner MQ Leader since 2006
• Security from network to endpoint to cloud; market leader in (NG)IPS; groundbreaking Advanced Malware Protection solution
• Innovative: 52+ patents issued or pending; pioneer in NGIPS, context-driven security and advanced malware protection
• World-class research capability
• Owner of major open-source security projects: Snort, ClamAV, Razorback
© 2014 Cisco and/or its affiliates. All rights reserved.
How it's done
[Figure: the attack continuum covered by NGFW (network), NGIPS, AMP (endpoint), FireSIGHT Management Center (virtual) and cloud services]

Sourcefire Agile Security Solutions
• Management Center: appliances | virtual
• Next-Generation Firewall
• Next-Generation Intrusion Prevention
• Contextual Awareness
• Advanced Malware Protection: hosts | virtual | mobile
• Collective Security Intelligence
• Sensors: appliances | virtual

FirePOWER Benefits
• LCD display: quick and easy headless configuration
• Connectivity choice: change and add connectivity in line with network requirements
• Configurable bypass or fail-closed interfaces: for IDS, IPS or firewall deployments
• Device stacking: scale monitoring capacity through stacking
• Hardware acceleration: for best-in-class throughput, security, rack size/Mbps and price/Mbps
• Lights-out management: minimal operational impact
• SSD: solid-state drive for increased reliability
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Appliances Summary
All appliances include:
• Integrated lights-out management
• Sourcefire acceleration technology
• LCD display

IPS Performance and Scalability: FirePOWER Places in the Network
• FirePOWER 7000 Series: 50 Mbps – 250 Mbps
• FirePOWER 7100 Series: 500 Mbps – 1 Gbps
• FirePOWER 7120/7125/8120: 1 Gbps – 2 Gbps
• FirePOWER 8100/8200: 2 Gbps – 10 Gbps
• FirePOWER 8300 Series: 15 Gbps – 60 Gbps
• Virtual Defense Center / Virtual Sensor
Placement ranges from small office through branch office and internet edge to campus and data center.

Sourcefire Integration with Cisco
• Sourcefire on ASA 5500-X (software)
• Sourcefire on ASA 5585-X (blade)
• Subscriptions: Threat (IPS), AVC, URL Filtering, AMP
AMP Everywhere: Adding AMP to Your Network
Advanced Malware Protection integrated with Cisco Content Security
• AMP available on e-mail and web security devices as a simple license add-on
• Industry-leading advanced malware protection covering the broadest range of attack vectors
• Reputation: preventative blocking of suspicious files
• File sandboxing: behavioral analysis of unknown files
• File retrospection: retrospective alerting after an attack
• Platforms: Cisco Email Security Appliances, Cisco Web Security Appliances, Cisco Cloud Web Security
Cisco delivers intelligent cybersecurity for the real world

DURING

Passive Discovery
All the time, in real time: hosts, vulnerabilities, communications, services, applications, users
• What does their traffic look like over time?
• What operating systems?
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

View all application traffic...
Look for risky applications...
Geolocation for source and destination URL...
Intrusion events by impact, priority, hosts, users...
File analysis, malware detection
Security Dashboard

Awareness
• Who is at the host
• OS and version
• Identified server applications and their versions
• What other systems / IPs did the user have, and when?
• Client applications, client version, application
Only Sourcefire delivers complete network visibility.

FireSIGHT
FireSIGHT implements three primary types of detection to derive an understanding of the network the Sourcefire System products are protecting:
• Discovery
• Connection
• Users

The combination of intrusion activity, network behavior and detailed knowledge of the environment allows the Sourcefire System to perform correlation and achieve the following results:
• Impact-based IPS alerting
• Automated tuning
• Anomaly detection
• Detection of compliance with your organization's policies
• User awareness

[Figure: event funnel, 100,000 events → 5,000 events → 500 events → 20 events → +10 events → 3 events]

[Figure: FireSIGHT architecture. User interface: alerting, correlation, presentation engine, reporting engine. Correlation: rules engine, correlation engine, anomaly detection, remediation services, reputation services, geolocation services. Awareness: detection engines, identity, network awareness, threat awareness, directory mapping, directory services, user awareness. Data acquisition: DAQ.]
“Email me only if a valid attack gets through to one of our executives’ Android phones.”

By IPS Impact Flag
By Discovery Events
By Malware
Remediation Modules
Remediation API
Custom Remediation Module
A remediation module is a program or script, packaged with its associated files, written to perform specific actions in response to conditions on your network that violate correlation policies. Custom remediation scripts can be written in any of the following languages:
• bash
• tcsh
• Perl
• C: a module written in C must be pre-compiled and statically linked, with the exception of links to routines in glibc.
Additionally, you must create an XML document called module.template that defines the information your module requires from the Remediation subsystem. Note that the arguments a module receives are taken from the triggering correlation event (for example the source address of an attack), so the script should validate every argument before using it in a command.

EPS REST API
• Threat detection: IDS signature, malware, traffic, application and many more
• Quarantine action: VLAN assignment, dACLs, SGT, QoS tag
• "Automagical", dynamic, squirrely threat/malware/attack response and defense

Replicate Modules in Remediation Instances
Definition for Remediation Instance
Creating the Rule for DoS Mitigation
Rule together with mitigation instance for DoS blocking

Summary
• Universal remediation module
• Correlation rule: "if DoS detected"
• Specific remediation instance
• Correlation policy

Summary
• Traffic profile
• Correlation rule: "if anomaly detected"
• Generate alert
• Correlation policy

Traffic Profile
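The following is an added example of what such a custom remediation module might look like for the DoS-blocking instance described above, written in POSIX sh (one of the listed shell options); it is not Sourcefire code and the module.template that would accompany it is not shown. The calling convention (instance configuration file as the first argument, the event's source IP as the second), the use of iptables on the remediating host and the protected address ranges are all assumptions made for the example. Its point is the check a practitioner wants before turning an event field into a firewall rule: strict address validation, so that nothing but a dotted quad ever reaches the command line, and an allowlist of infrastructure ranges the module refuses to block, so that a spoofed DoS source cannot make the remediation cut off your own management network.

```shell
#!/bin/sh
# Added example: a hypothetical FireSIGHT remediation script in POSIX sh.
# Not Sourcefire code. Assumed calling convention: the Management Center
# runs the module with the instance configuration file as $1 and the
# source IP from the correlation event ("if DoS detected") as $2.

# Print the firewall command instead of running it unless DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"

# Address space this instance must never block, whatever the event says
# (assumed values: management network, a core VLAN, loopback).
PROTECTED_CIDRS="10.0.0.0/8 192.168.100.0/24 127.0.0.0/8"

# validate_ipv4 ADDR: succeed only for a strict dotted quad (no shell
# metacharacters, no empty or oversized octets, no leading zeros).
validate_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    v_ifs=$IFS; IFS=.; set -- $1; IFS=$v_ifs
    [ $# -eq 4 ] || return 1
    for v_oct in "$@"; do
        case "$v_oct" in 0?*) return 1 ;; esac
        [ "$v_oct" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int ADDR: dotted quad -> unsigned 32-bit integer for mask math.
ip_to_int() {
    i_ifs=$IFS; IFS=.; set -- $1; IFS=$i_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_protected ADDR: succeed if ADDR lies inside any PROTECTED_CIDRS entry.
is_protected() {
    p_addr=$(ip_to_int "$1")
    for p_cidr in $PROTECTED_CIDRS; do
        p_net=$(ip_to_int "${p_cidr%/*}")
        p_bits=${p_cidr#*/}
        p_mask=$(( (0xFFFFFFFF << (32 - p_bits)) & 0xFFFFFFFF ))
        [ $(( p_addr & p_mask )) -eq $(( p_net & p_mask )) ] && return 0
    done
    return 1
}

# check_block_target ADDR: 0 = safe to block, 2 = malformed, 3 = protected.
check_block_target() {
    validate_ipv4 "$1" || { echo "remediation: rejecting malformed address '$1'" >&2; return 2; }
    if is_protected "$1"; then
        echo "remediation: refusing to block protected address $1" >&2
        return 3
    fi
    return 0
}

# build_block_rule ADDR: echo the firewall rule for a vetted address only.
build_block_rule() {
    check_block_target "$1" || return $?
    echo "iptables -I FORWARD -s $1 -j DROP"
}

main() {
    config_file=$1   # per-instance settings from the Management Center (unused here)
    source_ip=$2
    rule=$(build_block_rule "$source_ip") || exit $?
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] $rule"
    else
        # Only the vetted address reaches the command line; no eval needed.
        iptables -I FORWARD -s "$source_ip" -j DROP
    fi
}

# Run only when invoked with the event arguments, so the functions can
# also be sourced and tested on their own.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Running it as `DRY_RUN=1 ./block_dos.sh instance.conf 203.0.113.7` prints the rule it would install; `./block_dos.sh instance.conf 10.0.0.1` exits with status 3 and a message on stderr, and any argument that is not a clean dotted quad exits with status 2 before any command is built. Exit codes are the natural way for a module to report failure back to the Remediation subsystem, so keeping them distinct makes the audit trail in the Management Center useful.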
Rule Creation
Policy Creation

Enhanced High Availability
• Synchronizes critical state information between individual devices in a high-availability cluster.
• TCP strict state enforcement: allows TCP sessions to continue without having to re-establish the connection.
• Unidirectional rules: a flow allowed by a unidirectional rule continues even if failover occurs mid-stream.
• Blocking persistence: flow state, including the verdict (blocked or allowed), is shared so the verdict persists after failover.
• Dynamic Network Address Translation (NAT): dynamic mappings of IPs and ports remain persistent after failover.
• Supports clustered appliance stacks (8250, 8260, 8270 and 8290).
• Devices are directly connected via the HA link external interfaces.
• Clustered devices must be the same model with identical NetMods.
• The HA link interface depends on the potential throughput of each cluster member.

IPv6 Awareness and Support
• IPv6 support is fully integrated, from policies to event viewers to table views.
• Network discovery of IPv6 hosts.
• User Agent, Impact Flag and rule recommendations all work with IPv6.
• Nmap can scan over IPv6.
• IPv6 discovery events can stream via eStreamer.
The Solution: SSL can be decrypted at wire speed
• Known-server-key method: requires access to the server's private key; decrypts inbound SSL communication to servers you control. This works only for sessions that use RSA key exchange; cipher suites with ephemeral Diffie-Hellman (forward secrecy) cannot be decrypted from the server key alone.
• Certificate-resign method: requires the appliance's intermediate CA certificate to be trusted by browsers; decrypts outbound SSL communication by re-signing the server certificate presented to the client.

Don't Forget: Apps Are Often Encrypted!
Many applications are encrypted and default to SSL.
Benefits of the Sourcefire off-box decryption solution:
• Improved performance: acceleration and policy
• Centralized key management
• Interoperable with third-party products
SSL appliance throughput:
• SSL1500: 1.5 Gbps
• SSL2000: 2.5 Gbps
• SSL8200: 3.5 Gbps

BEFORE

FW integration with IPS: only a license

Policy-Driven Visibility and Control
Filter access and apply protection by application, user and traffic path.

Updates from the Cloud (VRT)
IPS software, vulnerabilities and platform mappings
Chaining FW with IPS and File Analysis

AFTER

File Type Detection: Policy

Advanced Malware Protection Solution
• Dedicated FirePOWER appliance for Advanced Malware Protection with subscription, or an add-on subscription to any FirePOWER appliance for NGIPS
• Advanced Malware Protection subscription for hosts, virtual and mobile devices
• Complete advanced malware protection to protect networks and devices

Dynamic Analysis: Process Overview
• A file is detected on the FirePOWER appliance, which calculates its hashes and saves a copy if the file policy dictates.*
• The FireSIGHT Management Center sends the hash metadata (e.g. 1892y…skfhsd) to the FireAMP cloud, which handles metadata and hashes only, optionally through a proxy.*
• The AMP cloud responds with a disposition and threat score, e.g. disposition = Unknown, threat score = Unknown.
• If policy dictates, the file itself is sent to the VRT dynamic analysis cloud, optionally through a proxy.*
• Dynamic analysis returns the analysis queue status, error status and a threat score.*
* = new with version 5.3 (Sourcefire Cloud Services)

Finding Patient 0: Trajectory Analysis
Look wide (AMP for Networks), look deep (AMP for Endpoints)
• Look wide, network trajectory: When did it happen? Where is patient 0? What else did it bring in?
• Look deep, device trajectory: What systems were infected?
Network File Trajectory
• The time of entry
• Systems infected

Reporting
• Can be launched directly from the dashboard
• Template created from the dashboard
• Templates can be customized or created

Collective Security Intelligence
Outputs: malware protection, reputation feeds, IPS rules, vulnerability database updates
Sourcefire Vulnerability Research Team inputs:
• Private and public threat feeds
• Sandnets and honeypots
• Microsoft and industry disclosures
• Advanced sandboxing, machine learning and big-data infrastructure
• Sourcefire AEGIS™ program
• File samples from FireAMP™ (>180,000 per day)
• Community SPARK program
• Snort® and ClamAV™ open-source communities

Thank you for your attention.
TRUST THE STRONG