
AMP and AMP for endpoint differences and HTTPS/encryption question

Ralphy006
Level 1

With that said, when downloading a file via HTTPS through AMP on an ASA/Firepower, will AMP be able to see the file?

If I have AMP for endpoint on a client, when downloading a file via HTTPS, will the client be able to see the file and stop it if it's malware?

How does AMP for endpoint handle file transfer via USB?

Any other benefits of AMP for endpoint outside of protecting an asset when outside of the network?


5 Replies

Farhan Mohamed
Cisco Employee

Network AMP runs on the network. It scans the traffic for malicious files when the traffic is passing through a Firepower device, so it can detect/prevent file-based threats on the network.

AMP for endpoint, as the name suggests, is an endpoint client which can be installed on Windows, Mac, etc. It's like security software which scans the end PC and is independent of the AMP service on the Firepower network device.

AMP for endpoint is managed by a separate console cloud account.

Check this out

http://www.cisco.com/c/dam/en/us/td/docs/security/sourcefire/fireamp/fir...

and

http://www.cisco.com/c/en/us/products/security/amp-appliances/index.html 

Network AMP can be used on any Firepower appliance along with its IPS capability (subject to licensing).

Thanks Farhan. That documentation is for FireAMP. FireAMP = AMP for endpoints?

I'm still trying to determine the benefit of running both.

Right now, it seems like the biggest benefits are:

  • protection when outside the Firepower network
  • protection from files downloaded via https (Firepower can't do this unless running SSL decryption, which most people don't)

I'm just trying to confirm my thoughts and wondering if there are other additional benefits.

Also, if I have AMP for endpoints on everything, is there a point of having Firepower AMP at the same time on my firewalls?

[@Vincent.Low3]  ,

You are correct re the benefits.

AMP for Endpoints can also report on outdated and vulnerable software on your endpoints in great detail and help you manage that in your installed base.

Having it on the firewall as well lets you stop it as it comes in (as long as it's not within an encrypted protocol like SSL).

Given a choice, I always recommend endpoints. That said, there may be endpoints on your network that don't have the client software for some reason. That's where I like to leverage something like ISE with posture services. There we can check for the AMP for endpoints software process to be running prior to granting network access.

[@mrhoads-cco]  

Thanks.

When you say ISE with posture services, I'm guessing that would be in the form of wired/wireless 802.1x?

Yes, ISE most commonly uses 802.1x as part of the solution. The posture agent runs in addition to the 802.1x supplicant to inform ISE in making its assessment, which informs the Authorization policy decision.

Both the posture agent and supplicant can be deployed as separate AnyConnect modules or as a temporal agent (for posture) and a native supplicant (for 802.1x). 
