<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Ask the expert- Best practices on Cisco FirePOWER in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353758#M925933</link>
    <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/319784"&gt;@elizer man-on&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can use user identity in your Access Control Policies (ACPs) which can include URL filtering conditions. One very good source for that identity is ISE. It is passive from the Firepower point of view so I believe it fits what you are asking when you refer to "single sign on".&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You integrate ISE as an identity source to your Firepower Management Center by following the procedure described in the configuration guide here:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/user_identity_sources.html#task_70A1D11CEE7E4F7F84CF90777F8E195F" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/user_identity_sources.html#task_70A1D11CEE7E4F7F84CF90777F8E195F&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 23 Mar 2018 06:34:36 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2018-03-23T06:34:36Z</dc:date>
    <item>
      <title>Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3347195#M925910</link>
      <description>&lt;P&gt;&lt;IMG style="padding-left: 10px;" src="/legacyfs/online/legacy/7/0/4/60407-Cisco-Designated-VIP-PROGRAM-Logo-Main-200x105px.jpg " border="0" width="130" align="right" /&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;This topic is a chance to discuss more about&amp;nbsp;&lt;/EM&gt;&lt;/STRONG&gt;all you need to know about the Cisco FirePOWER security solution. In this session, Marvin Rhoads will be answering all kinds of questions about FirePOWER Management Center (FMC), FirePOWER Threat Defense (FTD) and FirePOWER service modules through to FirePOWER appliances. All kinds of topics related to this solution, such as operation, configuration, design architecture, troubleshooting, installation and licensing, will be covered.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Centralize, integrate, and simplify security management on your network&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="font-size: 10.5pt; font-family: 'Calibri',sans-serif; color: black;"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;To participate in this event, please use the&lt;/STRONG&gt; &lt;IMG src="https://community.cisco.com/legacyfs/online/media/reply-button.png" border="0" alt="Join the Discussion : Cisco Ask the Expert" width="75" height="27" /&gt; &lt;STRONG&gt;button below to ask your questions&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;FONT color="#ff0000"&gt;&lt;STRONG&gt;&lt;FONT color="#00CCFF"&gt;Ask questions from Monday, March 19th to Friday 30th 2018&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Featured Expert&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="CSC Photo - Marvin Rhoads.jpg" style="width: 95px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/8823i96DE7B91BB58E8C0/image-dimensions/95x108?v=v2" width="95" height="108" role="button" title="CSC Photo - Marvin Rhoads.jpg" alt="CSC Photo - Marvin Rhoads.jpg" /&gt;&lt;/span&gt;&lt;STRONG&gt;&lt;A href="https://supportforums.cisco.com/t5/user/viewprofilepage/user-id/326046" target="_self"&gt;Marvin Rhoads&lt;/A&gt;&lt;/STRONG&gt;&amp;nbsp;is a network security engineer with over 3 decades of experience. He focuses on Cisco network security solutions in his work as an independent consultant performing client-facing design and deployment services for several Cisco Partners. In addition to his 25 years of experience as a Cisco customer, Marvin has worked with Cisco partners for the past 7 years. Marvin holds several security and professional certifications, including a CCNP Security. He holds a Master’s Degree in Systems Engineering and a Bachelor’s Degree in Electronics Engineering Technology. He’s currently pursuing a CCIE Security certification.&amp;nbsp;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Marvin is passionate about helping and learning from his peers in the industry. He has been an active Cisco Support Community contributor since 2001. He has been named as a &lt;A href="https://supportforums.cisco.com/t5/custom/page/page-id/cisco-designated-vips" target="_self"&gt;Cisco Designated VIP&lt;/A&gt; for 6 years in a row. In 2017 he was recognized as a member of the elite &lt;A href="https://supportforums.cisco.com/t5/cisco-cafe-blogs/congratulations-marvin-rhoads-our-newest-hall-of-fame-member/ba-p/3098600" target="_self"&gt;Cisco Support Community Hall of Fame program&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Marvin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation at the &lt;A href="https://supportforums.cisco.com/t5/security/ct-p/4561-security" target="_self"&gt;Security&lt;/A&gt; Category.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Find other events or open new discussions &lt;A href="https://supportforums.cisco.com/t5/community-ideas/bd-p/5911-discussions-community-ideas " target="_self"&gt;https://supportforums.cisco.com/t5/community-ideas/bd-p/5911-discussions-community-ideas&amp;nbsp;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="color: #ff8c00;"&gt;&lt;STRONG&gt;**Ratings Encourage Participation! **&lt;BR /&gt;Please be sure to rate the Answers to Questions&lt;/STRONG&gt;&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 15:30:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3347195#M925910</guid>
      <dc:creator>Cisco Moderador</dc:creator>
      <dc:date>2020-02-21T15:30:25Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3352845#M925911</link>
      <description>&lt;P&gt;Hi Team,&lt;/P&gt;
&lt;P&gt;Thanks for hosting the expert event on FTD.&lt;/P&gt;
&lt;P&gt;We are trying to integrate FMC and FTD with a Windows NPS RADIUS server for centralized administration. We tried to find some Cisco docs on configuring the FMC and FTD RADIUS attributes, but we have not been successful yet.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Can you share any write-up with step-by-step instructions on how I can integrate FMC and FTD with Windows RADIUS for management access authentication?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;thanks&lt;/P&gt;
&lt;P&gt;Basavaraj&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 04:45:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3352845#M925911</guid>
      <dc:creator>Basavaraj Ningappa</dc:creator>
      <dc:date>2018-03-22T04:45:12Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3352947#M925912</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/338535"&gt;@Basavaraj Ningappa&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Please refer to the Firepower Management Center configuration guide section on RADIUS authentication for system users here:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/firepower_system_user_management.html#ID-2263-0000052e" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/firepower_system_user_management.html#ID-2263-0000052e&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It gives a step-by-step guide from the perspective of the FMC end. I'm not aware of any guide that will also cover the NPS server side.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Are you trying to add specific attributes not already included in the &lt;SAMP class="codeph"&gt;dictionary&lt;/SAMP&gt; file in &lt;SAMP class="codeph"&gt;/etc/radiusclient/&lt;/SAMP&gt;? If so, note that any new attributes must be distinct from those included in the built-in dictionary.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 08:48:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3352947#M925912</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2018-03-22T08:48:01Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353019#M925913</link>
      <description>&lt;P&gt;Hi Marvin,&lt;/P&gt;
&lt;P&gt;Thanks for your reference. We have added the FMC IP as a RADIUS client on the NPS side and configured external authentication in the FMC, but for some reason it didn't work. We then raised a TAC case and TAC told us that they are not supporting RADIUS now. Below is the message from TAC:&lt;/P&gt;
&lt;P&gt;"We had a discussion with our BU and they concluded that FMC and Microsoft NPS integration hasn't been tested by the BU and there's no relevant documentation for that as of now, but they might test it and publish the documentation for it in the future.&lt;/P&gt;
&lt;P&gt;If you have any questions or doubts, please do not hesitate to send me an e-mail. I'll be more than glad to help with your issue. Hope to hear from you soon."&lt;/P&gt;
&lt;P&gt;If there is any solution for this now and you can share it with me, that will be great.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;Basavaraj&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 11:34:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353019#M925913</guid>
      <dc:creator>Basavaraj Ningappa</dc:creator>
      <dc:date>2018-03-22T11:34:05Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353045#M925914</link>
      <description>&lt;P&gt;While TAC might not support NPS integration per se, you should be able to make RADIUS work as an external authentication method. I use ISE as my external RADIUS server in my lab FMC and it works fine.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;RADIUS is (mostly) clear text so you should be able to perform some packet captures to isolate and troubleshoot where the failure is occurring.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 12:24:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353045#M925914</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2018-03-22T12:24:35Z</dc:date>
    </item>
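The RADIUS troubleshooting suggested in the two replies above (checking attributes against the client dictionary, and capturing the exchange to see where it fails), as an added example that is not code from the thread, from Cisco or from NPS: a small RFC 2865 encoder/decoder in Python. The shared secret, the FMC address 192.0.2.10, the user name and the Class attribute value are all constructed for the example. It shows that User-Password is only XOR-masked with an MD5 keystream derived from the shared secret and the Request Authenticator, so anyone holding the secret and a capture can read it (the sense in which RADIUS is "mostly clear text"), and that the Response Authenticator on an Access-Accept can be recomputed from the request. When that check fails on an otherwise well-formed reply, the two sides disagree on the shared secret, one of the most common reasons a newly added RADIUS client "doesn't work". ATTR_NAMES plays the role of the dictionary lookup: an attribute type it does not know is reported as Attr-N rather than dropped.

```python
"""Decode and validate an RFC 2865 RADIUS exchange from a packet capture.

Added example for troubleshooting FMC external authentication against a
RADIUS server such as Windows NPS. Every value below (secret, addresses,
user name, attribute contents) is constructed for the example.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types that typically appear in a management-login exchange;
# anything else is reported by number, like an entry missing from the dictionary.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              18: "Reply-Message", 25: "Class"}


def _keystream_xor(data, secret, authenticator, chain_on_output):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block).
    Hiding chains on the block it produced; revealing chains on the block it received."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = xored if chain_on_output else block
    return out


def hide_password(password, secret, authenticator):
    """User-Password as sent on the wire: zero-padded to 16 bytes and XOR-masked, not encrypted."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _keystream_xor(padded, secret, authenticator, chain_on_output=True)


def reveal_password(blob, secret, authenticator):
    """Recover the cleartext password from a capture when the shared secret is known."""
    return _keystream_xor(blob, secret, authenticator, chain_on_output=False).rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(raw):
    """Split a raw UDP payload into (code, identifier, authenticator, [(type, value), ...])."""
    if len(raw) not in range(20, 4097):  # RFC 2865: 20 to 4096 bytes
        raise ValueError("RADIUS packet length out of range")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field %d does not match %d bytes on the wire" % (length, len(raw)))
    attrs, pos = [], 20
    while pos != length:
        remaining = length - pos
        if remaining == 1:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = raw[pos], raw[pos + 1]
        if alen not in range(2, remaining + 1):  # bad TLV length: classic malformed packet
            raise ValueError("attribute %d has bad length %d at offset %d" % (atype, alen, pos))
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, raw[4:20], attrs


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """What the NAS (here the FMC) sends: a random 16-byte Request Authenticator plus attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = [(1, username.encode()),
             (2, hide_password(password.encode(), secret, authenticator)),
             (4, socket.inet_aton(nas_ip))]
    return build_packet(ACCESS_REQUEST, identifier, authenticator, attrs)


def build_access_accept(request, secret, attrs):
    """What the server sends back. Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    _, identifier, req_auth, _ = parse_packet(request)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return build_packet(ACCESS_ACCEPT, identifier, resp_auth, attrs)


def verify_response(response, req_auth, secret):
    """Check a captured Accept/Reject against the request it answers. A failure on an
    otherwise sane packet means the two sides disagree on the shared secret."""
    _, _, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def describe(raw, secret=None):
    """Decode a captured packet into a dict of named attributes. With the shared secret
    the User-Password is revealed, which is why such captures are credential material."""
    code, identifier, authenticator, attrs = parse_packet(raw)
    out = {"code": code, "id": identifier}
    for atype, value in attrs:
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype == 4:
            out[name] = socket.inet_ntoa(value)
        elif atype == 2 and secret is not None:
            out[name] = reveal_password(value, secret, authenticator).decode("utf-8", "replace")
        else:
            out[name] = value.decode("utf-8", "replace")
    return out


if __name__ == "__main__":
    # Constructed exchange: FMC at 192.0.2.10 authenticating user "fmcadmin".
    secret = b"constructed-shared-secret"
    req = build_access_request(7, "fmcadmin", "Pa55w0rd!", secret, "192.0.2.10")
    acc = build_access_accept(req, secret, [(25, b"Administrator")])
    print("request:", describe(req, secret))
    print("accept :", describe(acc), "valid:", verify_response(acc, req[4:20], secret))
    print("same accept checked with a mistyped secret:",
          verify_response(acc, req[4:20], b"typo-in-secret"))
```

To use it on a real capture, export the UDP payload of the Access-Request and its reply from the packet analyzer and pass them to describe() and verify_response() with the shared secret; the request's own bytes 4 to 20 are the Request Authenticator the verification needs. Because the password protection is only an MD5 keystream, treat the capture and the secret as credential material and delete them when the troubleshooting is done.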
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353351#M925915</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;A design question, an FTD-HA set in front of a DC/server farm.&lt;/P&gt;
&lt;P&gt;We need to implement a transparent FTD firewall on a pair of ports. The question is that this connection is a trunk port and will carry 5+ VLANs of north-south traffic. I cannot find a solid document for this type of design. I find lots about Layer 1, Layer 2, and Layer 3 in separate documentation. Layer 1 does support trunk ports, Layer 2 does support VLANs, and Layer 3 does support routed mode with BVI or transparent mode.&lt;/P&gt;
&lt;P&gt;But I cannot find one that states that a Layer 1/2 trunk port with multiple VLANs is supported in transparent mode.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I/we believe it should work, but we don't want to test it in production.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Antien&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 16:53:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353351#M925915</guid>
      <dc:creator>antienho</dc:creator>
      <dc:date>2018-03-22T16:53:23Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353370#M925916</link>
      <description>&lt;P&gt;Hi Marvin,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;First of all, congratulations on having the spirit to always help people; this is something that isn't easy to find on the technology side. Go ahead! You are on the right path! &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;About questions for Cisco Firepower, I have a couple below:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1. Is it recommended in a regular implementation with ASA FTD or ASA with FirePOWER to add ALL traffic to be inspected by the IPS &amp;amp; AMP engines? I know that security rules recommend always verifying every packet that comes from the Internet to our internal network, but there are probably some best practices that could consider isolating traffic from guest users and some specific applications (Microsoft Update, anti-virus/malware clients, etc.) in order to improve the performance of the box.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. For SSL decryption: what are the best practices, considering the first question, where we probably don't need to inspect ALL SSL traffic on the network? It is evident that all ASAs and Firepower appliances suffer a degradation of their performance, so I would like to know your input on this point, because encrypted traffic is a day-to-day operation that we need to consider given the amount of traffic that uses this kind of cipher.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for your inputs and comments,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Best regards.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Neyton Avila&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 17:11:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353370#M925916</guid>
      <dc:creator>Jorge Neyton Avila Pacheco</dc:creator>
      <dc:date>2018-03-22T17:11:14Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353394#M925917</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/107000"&gt;@Jorge Neyton Avila Pacheco&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for the encouraging words.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regarding your questions:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1. In the context of your sensor being an Internet edge device, there are cases where you may not want to inspect incoming traffic. For instance, I have had scenarios where a significant amount of the incoming traffic was IPsec that terminated on a "behind the firewall" device. In that case we exempted all of that traffic from IPS inspection and got back a lot of capacity. For deployments other than the Internet edge there may be similar exemptions that are appropriate - for instance, bulk data transfers like backups between trusted hosts in a data center deployment.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. SSL decryption is increasingly problematic for many reasons. The best use case for it is incoming SSL traffic to a server where you have the certificate and private key. For outbound traffic you not only have the challenges of being a "man-in-the-middle" and needing to decrypt and re-sign, but also an increasing number of applications (iTunes, Dropbox etc.) and sites are resistant to this approach because of techniques like certificate pinning and related ones. The performance impact of trying to decrypt all SSL is significant as well. I usually advocate an approach that puts inspection of that sort of traffic closer to the user. Things like Cisco AMP for Endpoints and Umbrella are my favored solutions, as they will see the traffic in its unencrypted form by nature of where they sit.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 17:41:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353394#M925917</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2018-03-22T17:41:48Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353410#M925918</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/42852"&gt;@antienho&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can do what you are asking about by using subinterfaces and tagging the VLANs on each side of the firewall.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Remember you can always lab it using an FTDv and a free evaluation license.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 17:55:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353410#M925918</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2018-03-22T17:55:02Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353416#M925919</link>
      <description>&lt;P&gt;Thanks&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046"&gt;@Marvin Rhoads&lt;/a&gt;&amp;nbsp;for your answer, I will consider all your comments in future implementations and designs.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Have a great day! &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Best regards,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Neyton Avila&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 17:59:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353416#M925919</guid>
      <dc:creator>Jorge Neyton Avila Pacheco</dc:creator>
      <dc:date>2018-03-22T17:59:00Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353436#M925920</link>
      <description>&lt;P&gt;Marvin,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When will the FP 2100 support SSL/TLS decryption in hardware? The majority of my clients (I'm with a Partner) are bringing up the trend of malware being transported in TLS to get around the inspections of Firepower and other IPS devices. The Cisco 2018 Annual Cyber Security Report also highlighted this trend. Palo Alto has been doing hardware decryption in many of their models for some time now and it is hard for Firepower to compete against PA in the face of this obvious discrepancy. Also, are the FP 4100 models ever going to have hardware decryption chipsets? It is my understanding that they don't ship with the chipset at all. Also, is there any plan for the FTD line of ASA 5500-Xs to get TLS decryption chipsets? Or will there be future replacement models with them?&lt;BR /&gt;&lt;BR /&gt;I know that CPU-based decryption is possible, but the few (very few) Cisco documents I've seen referencing this option in FTD say that there is a 50-80% performance decrease on the FTD if you use CPU-based decryption, so this doesn't seem like a viable alternative.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Mark DeLong&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 18:32:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353436#M925920</guid>
      <dc:creator>Mark DeLong</dc:creator>
      <dc:date>2018-03-22T18:32:46Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353438#M925921</link>
      <description>&lt;P&gt;Marvin,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When will FTD based AnyConnect VPN support local usernames for authentication? Also, when will it support LDAP attribute maps and LDAP based authorization?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks!&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;Mark DeLong&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 18:34:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353438#M925921</guid>
      <dc:creator>Mark DeLong</dc:creator>
      <dc:date>2018-03-22T18:34:11Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353544#M925922</link>
      <description>&lt;P&gt;Hi Marvin,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What are your best practices for deploying branch FTDs with centralized management if a public IP is used for the FTD management port?&lt;/P&gt;
&lt;P&gt;Just restricting, e.g., SSH etc. in&amp;nbsp;&lt;STRONG&gt;Devices &amp;gt; Platform Settings&lt;/STRONG&gt;?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;Anton&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 21:14:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353544#M925922</guid>
      <dc:creator>Anton Hinterleitner</dc:creator>
      <dc:date>2018-03-22T21:14:14Z</dc:date>
    </item>
    <item>
      <title>Best practices on Cisco FirePOWER - FTDv</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353563#M925923</link>
      <description>&lt;P&gt;Hi Marvin,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;may I ask another question regarding FTDv?&lt;/P&gt;
&lt;P&gt;Do you have some&amp;nbsp;experience or best practices&amp;nbsp;using it in a&amp;nbsp;production environment?&lt;/P&gt;
&lt;P&gt;From my perspective, due to the performance limitations and license costs it isn't really an option at the moment.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;Anton&lt;/P&gt;</description>
      <pubDate>Thu, 22 Mar 2018 21:50:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353563#M925923</guid>
      <dc:creator>Anton Hinterleitner</dc:creator>
      <dc:date>2018-03-22T21:50:40Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353626#M925924</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291338"&gt;@Mark DeLong&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You make very good points about the challenges of protecting against threats in SSL/TLS payloads. Cisco is acutely aware of them as well and currently addresses them with several shipping products such as AMP for Endpoints, Umbrella and the recently announced Encrypted Traffic Analytics (ETA) technology.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm not authorized to comment on non-publicly-announced future releases from Cisco. I suggest contacting your local Cisco account manager or partner (moot for you since you're already a partner, but useful for the larger audience) to arrange for briefings under non-disclosure agreement which may shed light on future plans. As a partner you also have avenues via the partner enablement team (Partner Security community, SEVT etc.) by which to get roadmap information.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I can say as a general industry observation that decrypting all outbound traffic at the Internet edge is falling out of favor. It is problematic in the best of cases, even with dedicated hardware appliances, whether from Cisco or other vendors. Products (iTunes, Dropbox, others) and protocols (e.g., HTTP/2) are increasingly, and rightly, resistant to man-in-the-middle technologies that fundamentally break the chain of trust between client and server.&lt;/P&gt;</description>
      <pubDate>Fri, 23 Mar 2018 02:04:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353626#M925924</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2018-03-23T02:04:16Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353628#M925925</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291338"&gt;@Mark DeLong&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I'm not authorized to comment on non-publicly-announced future releases from Cisco. I suggest contacting your local Cisco account manager or partner to arrange for briefings under non-disclosure agreement which may shed light on future plans.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;That said, Cisco's general direction is to advance the FTD platform towards parity with the rich features already available with ASA-based remote access VPN. Some features may be left behind but the ones you cited are by no means corner cases. I see them commonly used among my customers. I would expect them to be currently under development within Cisco.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 23 Mar 2018 01:34:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353628#M925925</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2018-03-23T01:34:20Z</dc:date>
    </item>
    <item>
      <title>Re: Ask the expert- Best practices on Cisco FirePOWER</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353632#M925926</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/56373"&gt;@Anton Hinterleitner&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What you suggest is currently the best available practice on the appliance itself. If you have an upstream router, you can layer in some ACL protection on it as well.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Many of us are hesitant to place control plane interfaces on a publicly exposed address. While some of that is rooted in practice drawn from historically unhardened protocols and implementations, I believe it's a valid concern that remains even with current technologies such as Firepower, which uses only the relatively secure SSH and sftunnel (a proprietary implementation of SSL/TLS over TCP/8305) protocols, as you alluded to.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I would hope to see a more robust implementation from Cisco in future releases but, for now, what we have is a limited set of choices for hardening the branch deployments.&lt;/P&gt;</description>
      <pubDate>Fri, 23 Mar 2018 01:47:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353632#M925926</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2018-03-23T01:47:39Z</dc:date>
    </item>
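A worked example of the upstream-router ACL layer mentioned in the reply above, added here as an illustration and not part of the original thread. It assumes Cisco IOS syntax and hypothetical addresses: FTD management interface 203.0.113.10, Firepower Management Center 198.51.100.5, an admin jump host 198.51.100.20, and a DNS/NTP server 198.51.100.53; replace these with your own. Only the two channels the reply names, SSH and sftunnel on tcp/8305, are allowed toward the management address, and only from the hosts that need them.

```cisco
! Added example, not from the original post. Hypothetical addresses:
!   FTD management interface    : 203.0.113.10
!   Firepower Management Center : 198.51.100.5
!   Admin jump host (SSH)       : 198.51.100.20
!   DNS/NTP server              : 198.51.100.53
ip access-list extended PROTECT-FTD-MGMT
 remark sftunnel, tcp/8305: FMC-initiated sessions toward the FTD
 permit tcp host 198.51.100.5 host 203.0.113.10 eq 8305
 remark sftunnel, tcp/8305: return traffic for FTD-initiated sessions (this ACL is stateless)
 permit tcp host 198.51.100.5 eq 8305 host 203.0.113.10 established
 remark SSH to the FTD CLI only from the admin jump host
 permit tcp host 198.51.100.20 host 203.0.113.10 eq 22
 remark DNS and NTP replies from the configured server only
 permit udp host 198.51.100.53 eq domain host 203.0.113.10
 permit udp host 198.51.100.53 eq ntp host 203.0.113.10
 remark everything else aimed at the management address is dropped and logged
 deny   ip any host 203.0.113.10 log
 remark transit traffic for the FTD data interfaces is left to the FTD access control policy
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink in front of the branch FTD
 ip access-group PROTECT-FTD-MGMT in
```

After applying it, watch the hit counters with show ip access-lists PROTECT-FTD-MGMT; hits on the logged deny line are the unsolicited traffic the management address was receiving. Two caveats: the established keyword only matches segments with ACK or RST set, so this is a filter and not real stateful inspection (a zone-based firewall or reflexive ACL on the router would be stronger), and any other service the management interface reaches directly (for example, update downloads that do not go through the FMC) needs its own return-traffic entry or it will be caught by the deny line.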
    <item>
      <title>Re: Best practices on Cisco FirePOWER - FTDv</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353634#M925927</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/56373"&gt;@Anton Hinterleitner&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;FTDv is a viable option for many customers as there are a very broad set of requirements out there.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I agree that it does have limitations that go along with its capabilities. However, the ability to spin it up quickly in a virtual environment (including public cloud) is attractive to many customers. Not everybody needs the performance (throughput mostly) that's available on the hardware-based appliances.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Licensing costs can be a challenge; but we normally defer that discussion to outside the support community.&lt;/P&gt;</description>
      <pubDate>Fri, 23 Mar 2018 01:54:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353634#M925927</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2018-03-23T01:54:17Z</dc:date>
    </item>
    <item>
      <title>Re: Best practices on Cisco FirePOWER - FTDv</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353659#M925928</link>
      <description>Hi Marvin - thanks for taking the time to answer these questions. I have also posted this in the firewall section so apologies for doubling up:&lt;BR /&gt;&lt;BR /&gt;I am about to pull the trigger on refreshing our old ASAs with 2110 FTD devices; however, I was just wanting to double check that they will support site-to-site IKEv1 VPN to 3rd party equipment (not sure if it's Cisco, etc.)?&lt;BR /&gt;&lt;BR /&gt;I read on the firewall.cx site it's only supported between FTD and ASA devices? Is this outdated information? I can't find anything specifying this limitation in the current Cisco documentation.&lt;BR /&gt;&lt;BR /&gt; &lt;A href="http://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/1197-cisco-asa-firepower-threat-defense-ftd-installation-management.html" target="_blank"&gt;http://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/1197-cisco-asa-firepower-threat-defense-ftd-installation-management.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;"Site-to-Site VPN. Only supports Site-to-Site VPN between FTD appliances and FTD to ASA"</description>
      <pubDate>Fri, 23 Mar 2018 02:48:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353659#M925928</guid>
      <dc:creator>Nick Currie</dc:creator>
      <dc:date>2018-03-23T02:48:34Z</dc:date>
    </item>
    <item>
      <title>Re: Best practices on Cisco FirePOWER - FTDv</title>
      <link>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353667#M925929</link>
      <description>&lt;P&gt;Site-to-site IPsec IKEv1 VPN is standards-based so there's no reason why it shouldn't work in principle.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;My experience is that, as long as you're using a common implementation (single link, pre-shared key, the usual transform sets, basic routing with NAT exemption for interesting traffic, etc.), multi-vendor interoperability is not an issue.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Some of the very obscure features may not be currently available but other than that you shouldn't have any problem. The underlying Lina code in FTD uses the same bits as the traditional ASA operating system for this feature.&lt;/P&gt;</description>
      <pubDate>Fri, 23 Mar 2018 03:09:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ask-the-expert-best-practices-on-cisco-firepower/m-p/3353667#M925929</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2018-03-23T03:09:39Z</dc:date>
    </item>
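To make the "common implementation" the reply above lists concrete, here is an added example (not from the original thread) of a minimal IKEv1 site-to-site configuration in ASA/Lina syntax, covering the items named: a single peer, a pre-shared key, a widely supported transform set, and NAT exemption for the interesting traffic. On FTD these same elements are entered through the FMC Site-to-Site VPN policy and NAT policy rather than typed at a CLI; the syntax below is what the equivalent ASA configuration looks like, since the reply notes the underlying Lina code is shared. The object names, networks and peer address (local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16, peer 203.0.113.2 reached via an interface named outside) are hypothetical, and the pre-shared key is a placeholder.

```cisco
! Added example, not from the original thread. ASA/Lina syntax.
! Hypothetical values: local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16,
! third-party peer 203.0.113.2 reachable on the outside interface.

! Phase 1 (ISAKMP) policy: pre-shared key, AES-256, SHA-1 (ASA IKEv1 policy
! offers only md5 or sha here), DH group 14 (confirm the peer supports it), 1-day lifetime
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside

! Phase 2 transform set: ESP with AES-256 and HMAC-SHA-1
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic: local LAN to remote LAN
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0
access-list VPN-TO-PARTNER extended permit ip object LOCAL-LAN object REMOTE-LAN

! One crypto map entry for the single peer
crypto map OUTSIDE-MAP 10 match address VPN-TO-PARTNER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside

! Peer identity and pre-shared key (placeholder value, replace it)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET

! NAT exemption so VPN traffic keeps its real addresses on the way out
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
```

The interoperability points to line up with the third-party side are exactly the values above: the phase 1 proposal (encryption, hash, DH group, lifetime), the phase 2 transform set and PFS group, the pre-shared key, and matching local/remote networks for the interesting traffic. Once both sides are up, show crypto ikev1 sa and show crypto ipsec sa (available from the FTD CLI as well as on ASA) confirm that the phase 1 and phase 2 security associations were negotiated and that packets are being encrypted and decrypted.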
  </channel>
</rss>

