Re: Ask the expert- Best practices on Cisco FirePOWER - Page 4

Cisco Moderador · ‎03-12-2018

This topic is a chance to discuss more about all you need to know about Cisco FirePOWER security solution. On this session, Marvin Rhoads will be answering all kind of questions about FirePOWER Management Center (FMC), FirePOWER Threat Defense (FTD) and FirePOWER service modules to FirePOWER appliances. All kind of topics related to this solution, such as operation, configuration, design architecture, troubleshooting, installation and licensing will be covered.

Centralize, integrate, and simplify security management on your network

To participate in this event, please use the button below to ask your questions

Ask questions from Monday, March 19th to Friday 30th 2018

Featured Expert

Marvin Rhoads is a network security engineer with over 3 decades of experience. He focuses on Cisco network security solutions in his work as an independent consultant performing client-facing design and deployment services for several Cisco Partners. In addition to his 25 years of experience as a Cisco customer, Marvin has worked with Cisco partners for the past 7 years. Marvin holds several security and professional certifications, including a CCNP Security. He holds a Master’s Degree in Systems Engineering and a Bachelor’s Degree in Electronics Engineering Technology. He’s currently pursuing a CCIE Security certification.

Marvin is passionate about helping and learning from his peers in the industry. He has been an active Cisco Support Community contributor since 2001. He has been named as a Cisco Designated VIP for 6 years in a row. In 2017 he was recognized as a member of the elite Cisco Support Community Hall of Fame program.

Marvin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation at the Security Category.

Find other events or open new discussions https://supportforums.cisco.com/t5/community-ideas/bd-p/5911-discussions-community-ideas

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

Marvin Rhoads · ‎03-26-2018

@Gallifrean,

Can you clarify your requirements a bit? Are you looking to use the devices for instructional purposes or operationally?

What exactly did you purchase (exact SKUs and licenses)?

Gallifrean · ‎03-28-2018

to reiterate
We are an educational institution teaching CCNA security with Cisco certified instructors.
We recently purchased three ASA 5506X.
My question was do I need to register them (to access Firepower) if they are only to be used in isolated labs within the institution.
If they are to be registered how do I do that so that different classes, across the years that we will be using the devices
can gain access to Firepower.
Currently we have
3 cisco 5506x each with a control licence PAK

Thanks Peter

Marvin Rhoads · ‎03-29-2018

@Gallifrean,

The Firepower module on an ASA 55000 series requires a license be assigned to it. At a minimum you need the Control license (free) which you already have.

For it to be fully useful and illustrate all of the available features you would add the IPS subscription, URL Filtering and Malware licenses.

You can use either a local manager (ASDM running on a PC or Mac) or remote manager (Firepower Management Center or FMC server) to assign licenses to the systems.

robinson · ‎03-29-2018

Marvin,

Can FTD make internal to external route decisions based on Layer 4 - 7 critera? If so, can you direct me to a configuration good example online? An example of this would be a customer directing business related internet out their 100Mbps ISP, and social media traffic out their lower cost ISP or backup ISP, or SIP traffic out a dedicated ISP and all other traffic out another.

The secret to succeeding at technology is to say yes you can, and to not be afraid of change. Forget the words, "That's how we always do it"

Marvin Rhoads · ‎03-29-2018

@robinson,

That's not possible as far as I know.

Routing decisions are based solely on classic routing criteria (IP address, best match based on prefix length, administrative distance etc.) and not on any of the L4-7 criteria that we have available in Access Control Policies.

What's available is described in the configuration guide here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/routing_overview_for_firepower_threat_defense.html

robinson · ‎03-29-2018

That's so disappointing, Cisco Meraki can do it, so can most other firewall brands. (PA, and those FortiGuys), I would have that that going to FTD would have created a new paradigm on Cisco's position regarding that type of traffic manipulation.

The secret to succeeding at technology is to say yes you can, and to not be afraid of change. Forget the words, "That's how we always do it"

Nick Currie · ‎03-25-2018

Good morning Marvin

I have a question regarding FTD devices and crypto mining. What is the recommended method of stopping applications on the internal network that may communicate with mining pools?

Marvin Rhoads · ‎03-26-2018

@Nick Currie,

Cisco's security intelligence organization Talos has a pretty comprehensive article here:

http://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html

They note the following:

COVERAGE

There are different ways to address miners and there is detection built in to Cisco security products to detect this activity. There is a specific detection name in AMP for coin miners, W32.BitCoinMiner. However, as these miners can be added as modules to various other threats, the detection names may vary. Additionally there are a couple NGIPS signatures designed to detect mining activity as well. However, these rules may not be enabled by default in your environment depending on the importance of potentially unwanted applications (PUA) in your network. The signatures that detect this type of activity includes, but isn't limited to: 40841-40842, 45417, and 45548-45550.

Also, technologies like Threat Grid have created indicators to clearly identify when mining activity is present when a sample is submitted.

Most of the common miner apps and related indicators will be blocked by a default Intrusion Policy

If you look at your FMC, you can see the signatures they reference (and enable them if you wish) in your intrusion policy as follows (example subset only, a few more searches would be necessary to display them all as the search terms must be distinct since they are Boolean ANDed if you use multiple terms):

dan.letkeman · ‎03-26-2018

I have setup dynamic feed lists for O365 and other Microsoft Services via these instructions:

https://www.staffeldt.net/cisco-fmc-intelligence-feeds-and-objects/

Using Minemeld I have pulled an generated the two lists needed to whitelist all of the Microsoft IP's and URL's.

However, the URL list that is generated by these feeds includes wildcards in the url list. eg:

*.office.com
*.office365.com
account.office.net
api.office.com
appsforoffice.microsoft.com

Are these wildcards supported in a network feed?

Thanks,

Dan.

Marvin Rhoads · ‎03-26-2018

@dan.letkeman,

Yes, your whitelist can include wildcard URL objects.

In a DNS list entry, you can specify an asterisk (*) wildcard character for a domain label. All labels match the wildcard. For example, an entry of www.example.* matches both www.example.com and www.example.co.

Source:

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/reusable_objects.html

I tested it using the local blacklist feature (easier to test) and it works.

First under Objects > Object Management > Security Intelligence > URL Lists and Feeds add the text file you created. I named mine "test_blacklist".

Then make sure you have it referenced in your active access control policy under the Security Intelligence tab. (Mine is a blacklist, obviously yours would be under whitelist)

Finally deploy your policy. You should then see the hits (assuming you are logging connection events) in your event viewer.

JEFF SPRADLING · ‎03-28-2018

Hi Marvin,

I know you could write a book about best practices for installing and operating Firepower, but do you have a checklist of sorts that you could share that would identify the top things to ensure are set correctly (i.e. - modify default discovery process, logging at the end instead of beginning, etc.) ?

Thanks,

Jeff

Marvin Rhoads · ‎03-28-2018

@JEFF SPRADLING,

Actually a book has been written just recently by an author more qualified than me. Please refer to Nazmul Rajib's "Cisco Firepower Threat Defense". It's published by Cisco Press and available via the usual channels. He includes several best practices.

There are also several good Cisco Live presentations.

Personally I use a combination of those plus some training guides that I'm unfortunately not at liberty to share as they contain copyrighted and/or NDA-protected material .

Basavaraj Ningappa · ‎03-29-2018

Hi Marvin,

Can we block mobile devices accessing anyconnect vpn in FTD firewall, we dont have ISE, we are looking this option in firewall if this is possible ? and also if you can share one example of FTD anyconnect vpn with certificate authentication ?

Thanks

Basavaraj

Basavaraj Ningappa · ‎03-29-2018

Hi Marvin,

Can you please explain the architecture of IPS snort rules and how can we edit existing snort rule or if i want to create custom snort is it possible ?

Thanks

Basavaraj

Marvin Rhoads · ‎03-29-2018

@Basavaraj Ningappa,

Snort rules are a very deep subject. I'd recommend you start with something like one of the excellent Cisco Live presentations to get started. For example, BRKSEC-3300, which you can find here:

https://www.ciscolive.com/global/on-demand-library/?search.event=ciscoliveemea2018&search.event=ciscoliveanz2018&search=snort#/session/BRKSEC-3300

As noted there (specifically see slide 35 onwards), Firepower Intrusion rules are Snort rules. You can enable or disable specific ones or create / import your own if the ones provided don't meet all of your needs.