Firepower awareness - user, appl

cadet (Level 4)

Hello!

 

"Cisco Firepower provides full contextual threat analysis and protection, with awareness into users, user history on every machine, mobile devices, client-side applications, operating systems, virtual machine-to-machine communications, vulnerabilities, threats, and URLs." - https://www.cisco.com/c/m/en_us/products/security/firewalls/competitive-comparison.html#~competitive=0

 

What products do customers need to offer to implement the "User, network, and endpoint awareness" features?

It seems to me that in addition to Firepower + FMC, the Network Visibility Module for AnyConnect is also needed?

Or please explain how Firepower, which is located on the external edge of the network, receives information about "a user working on a workstation + client-side applications" in the local network behind a proxy server?

Thanks!

 

5 Replies

Marvin Rhoads (Hall of Fame)

If Firepower is only sitting on the network edge then you might not see intra-network visibility. It can be architected instead to also cover "east-west" traffic and provide the visibility mentioned in the data sheet without any additional products.

If you don't put it into the east-west path then other products such as Stealthwatch can provide this sort of visibility. It can ingest Netflow records from many locations, including the Anyconnect Network Visibility module. Generally though it suffices to gather flow records from the network equipment.

Thanks, Marvin! 

 

As I understand it, is it the same situation with the "Network file trajectory"?

"Cisco maps how hosts transfer files, including malware files, across your network. It can see if a file transfer was blocked or the file was quarantined. This provides a means to scope, provide outbreak controls, and identify patient zero." - https://www.cisco.com/c/m/en_us/products/security/firewalls/competitive-comparison.html#~competitive=0

 

If we don't put Firepower into the east-west path of the traffic, then we cannot see file trajectory across the customer network without additional products such as, for example, AMP for Endpoint?

 

So, in the design (case 1 in the attachment) without AMP for Endpoint, do I not see file trajectory between hosts B and C?

Or do I need an additional Firepower between hosts B and C (case 2 in the attachment), or AMP for Endpoint on both hosts?

 

Could you correct me if I am wrong?


In the hypothetical use case #2 you describe, malware traffic that was exclusively between B and C would never transit the firewall, so of course the firewall would have no way to detect or provide insight into that particular flow.

However in the real world, the malware would often be making calls to the Internet. In that case Firepower would see those calls from both B and C and thus be able to report that the same malware was seen on two hosts.

See this example:

https://popravak.wordpress.com/2015/07/11/sourcefire-file-policies-aka-advanced-malware-protection/


@Marvin Rhoads wrote:

However in the real world, the malware would often be making calls to the Internet. In that case Firepower would see those calls from both B and C and thus be able to report that the same malware was seen on two hosts.

 


Hi!

@Marvin Rhoads, Thanks! I missed your answer.

I agree with you. But also in real-world scenarios, the customer often uses a proxy server that hides the IP addresses of users when they access the Internet. And again we come back to a solution that requires additional software (for example, AMP for Endpoint on hosts) for the Network file trajectory functionality.

 

Could you correct me if I am wrong?

@cadet If the proxy follows the conventional method of including the X-Forwarded-For (XFF) or similar field in the packets, Firepower can extract and display that information. It's not displayed by default, so you would have to enable it in your Connection events table viewer.

The option for it is under Policies > Intrusion > Network Analysis Policy
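As an added example (not Cisco's code and not anything posted in this thread), the following Python models the two points raised above: attributing a proxied event back to the real internal host from the X-Forwarded-For header, and then grouping file events by hash across hosts so that "the same malware seen on two hosts" and a patient-zero candidate can be identified even when every flow leaves the network from the proxy's own address. The proxy address 10.0.0.5, the internal host addresses, the hash value and the events themselves are all constructed for the example. The caveat the code enforces is one a practitioner should keep in mind when enabling XFF display: the header is client-writable, so it is only trusted when the packet actually came from a proxy you control, and only the right-most hop that your own proxies did not append is used.

```python
"""Correlate proxied file events into a per-hash "trajectory".

Constructed example: these dicts are not Firepower/FMC records, only a
minimal model of the fields such an event carries (source IP, the
X-Forwarded-For header a proxy added, the file SHA-256, disposition, action).
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

# Assumed (hypothetical): the only explicit proxy the customer runs.
TRUSTED_PROXIES: Set[ipaddress.IPv4Address] = {ipaddress.ip_address("10.0.0.5")}

# Constructed placeholder hash for the "malware" file in the sample events.
MALWARE_SHA = "a" * 64
CLEAN_SHA = "b" * 64

# Constructed sample events, in the order the edge firewall would observe them.
SAMPLE_EVENTS = [
    # Host B (10.1.1.20) fetches the file through the proxy.
    {"ts": "2020-03-01T09:00:00", "src_ip": "10.0.0.5", "xff": "10.1.1.20",
     "sha256": MALWARE_SHA, "disposition": "Malware", "action": "Block"},
    # Host C (10.1.1.30) tried to forge a left-most XFF hop; the proxy appended
    # C's real address on the right, which is the hop we trust.
    {"ts": "2020-03-01T09:05:00", "src_ip": "10.0.0.5", "xff": "203.0.113.7, 10.1.1.30",
     "sha256": MALWARE_SHA, "disposition": "Malware", "action": "Block"},
    # Host 10.1.1.40 bypassed the proxy and supplied its own XFF header;
    # the source is not a trusted proxy, so the header is ignored.
    {"ts": "2020-03-01T09:10:00", "src_ip": "10.1.1.40", "xff": "10.1.1.99",
     "sha256": MALWARE_SHA, "disposition": "Malware", "action": "Block"},
    # Unrelated clean file from host D through the proxy.
    {"ts": "2020-03-01T09:12:00", "src_ip": "10.0.0.5", "xff": "10.1.1.50",
     "sha256": CLEAN_SHA, "disposition": "Clean", "action": "Allow"},
]


def real_client(src_ip: str, xff: Optional[str],
                trusted: Set[ipaddress.IPv4Address] = TRUSTED_PROXIES) -> str:
    """Return the address an event should be attributed to.

    XFF is only meaningful when the packet came from a proxy we control: each
    proxy appends the address it received the request from, so the right-most
    hop that is not one of our proxies is the nearest address we did not write
    ourselves. Anything a client put into XFF sits further left and is ignored.
    If the source is not a trusted proxy, the whole header may be forged and is
    ignored entirely.
    """
    src = ipaddress.ip_address(src_ip)
    if src not in trusted or not xff:
        return str(src)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(src)  # malformed hop: fall back to the proxy address
        if addr not in trusted:
            return str(addr)
    return str(src)  # every hop was one of our own proxies


Trajectory = Dict[str, List[Tuple[datetime, str, str, str]]]


def file_trajectory(events: List[dict],
                    trusted: Set[ipaddress.IPv4Address] = TRUSTED_PROXIES) -> Trajectory:
    """Group events by SHA-256 as (timestamp, host, disposition, action), time-ordered."""
    traj: Trajectory = defaultdict(list)
    for e in events:
        host = real_client(e["src_ip"], e.get("xff"), trusted)
        traj[e["sha256"]].append(
            (datetime.fromisoformat(e["ts"]), host, e["disposition"], e["action"]))
    for sha in traj:
        traj[sha].sort()
    return dict(traj)


def hosts_seen(traj: Trajectory, sha256: str) -> List[str]:
    """All internal hosts on which this hash was observed (scope of an outbreak)."""
    return sorted({host for _, host, _, _ in traj.get(sha256, [])})


def patient_zero(traj: Trajectory, sha256: str) -> Optional[str]:
    """Earliest host to touch the hash, or None if never seen."""
    entries = traj.get(sha256)
    return entries[0][1] if entries else None


if __name__ == "__main__":
    t = file_trajectory(SAMPLE_EVENTS)
    print("hosts with malware:", hosts_seen(t, MALWARE_SHA))
    print("patient zero:", patient_zero(t, MALWARE_SHA))
```

Run as-is, the sample attributes the first two events to 10.1.1.20 and 10.1.1.30 rather than to the proxy, keeps 10.1.1.40 as itself despite its forged header, and reports 10.1.1.20 as patient zero. The same right-to-left hop walk is what you want when a NetFlow collector or SIEM is fed proxy logs: the `trusted` set must list every proxy you operate, or a second proxy's address will be mistaken for an end host.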
