Overview of the firewall and intrusion prevention system of a new generation of SourceFire FirePower
Good day dear readers. In this article, I would like to introduce you to Cisco's flagship information security solution.
The discussion will focus on the SourceFire Firepower product, which is an integrated intrusion protection system, a new generation firewall and Malware protection.
SourceFire was acquired by Cisco in October 2013 and currently its solutions are the leader according to the Gartner rating agency in the field of intrusion prevention systems.
')
About SourceFire
A few words about the company SourceFire. The company was founded in January 2001 in the state of Colombia by Martin Roesch (Martin Roesch) creator of the world famous opensource intrusion prevention system Snort IPS, which is currently the most widely used IPS system in the world (more than 4 million copies are currently loaded) . In addition to Snort, the company develops such well-known opensource community as ClamAV and Razorback. In addition to the very successful opensource projects that the company is very proud of, the commercial product of the company under the brand SourceFire, which has earned its place as a leader in the field of intrusion detection and prevention systems in the information security market according to the results of the Gartner rating agency (unchanged leader of the last 6 years!), Is also developing. NSS Labs testing lab and others . A separate group of experts - the VRT team (Vulnerability Research Team) - is responsible for developing the rules for detecting attacks and their timely updating. The SourceFire commercial line is represented by two products:
SourceFire FirePower is a new-generation intrusion prevention system with integrated firewalling of application level, content filtering and Malware protection at the network level.
SourceFire FireAmp is a system for protecting against Malware threats at the host level running under Windows / MAC OSX, Android. It can integrate with Malware protection at the network level - SourceFire FirePower.
FirePower Platform Overview
The product is presented in two deployment options: as a 64-bit virtual (VMWare hypervisor) and hardware complexes. The functionality of the virtual platform does not support routing, switching and fault tolerance. At the same time, the virtual appliance works fine as an inline bridge or IDS system on the SPAN port.
A large number of hardware models with different performance, modular interface cards, functions of stacking and clustering are produced. The performance of the models starts with the younger lines - 50 Mb / s, ending with the solutions of the class of large data centers - 60 Gbit / s (Fig. 1).
Fig. one
The performance of the virtual model is 100-150 Mbit / s per core.
The 7000/7100 series models have RJ45 / SFP ports fixed on board, depending on the specific model.
The 8100 series models have modular interface cards with supported interface types 1 Gb / s copper / optics and 10 Gb / s MM-SR and SM-LR optics. The 8200 and 8300 Series models also support the 40 Gb / s MM-SR optical interfaces. Most interface modules have the ability to configure the hardware bypass (including optical) in case of failure of the device.
The older lineup of the FirePower 8200/8300 complexes supports the function of flexible performance enhancement by means of stacking. For example, you can purchase a 8350 sensor with an IPS performance of 15 Gbit / s (platform performance of 30 Gbit / s) and at a time when you need to increase system performance, simply purchase another 8350, stack them and get a performance of 30 Gbit / s IPS and such This way you can stack up to 4 devices with IPS performance up to 60 Gbit / s.
Fault tolerance features are implemented by clustering complexes into Active / Standby bundle with synchronization of session statuses.
FirePower hardware solutions built on the RISC architecture, optimized code and a powerful computing platform with specialized network processors make it possible to achieve and exceed the performance declared by the manufacturer. The declared performance characteristics are the real performance figures that the customer will receive in heavy load tests with fully enabled functionality. This fact is confirmed by the annual testing of NSS Labs.
Defense Center Management System
FirePower is built using a centralized control system - Defense Center. Locally, only the initial settings are available on the FirePower complexes themselves, which allow you to connect the device to the network and set up communication with the control center. All further settings, reporting and monitoring are performed centrally in the Defense Center administration console.
The Defense Center is presented both in the form of hardware platforms (see Fig. 2) with the maximum number of connected sensors — 150 pieces, and in the form of a virtual machine under the VMWare hypervisor with the maximum number of sensors — 25 pieces.
Fig. 2
The control system in its hardware version has fault tolerance functions for models DC1500 and DC3500.
Available deployment topologies
For a virtual sensor, configurations are available both inline placement (see Fig. 3) with inspection and filtering of active traffic, as well as placement in IDS mode on a copy of traffic (SPAN) (see Fig. 4).
Fig. 3
Fig. four
In the case of using a hardware platform, more complex topologies become available to us, since hardware complexes support switching functions at the hardware level with the support of the Spanning Tree Protocol (STP) and have routing functions using OSPF and RIP protocols.
The platform allows you to build hybrid topologies (see Fig. 5).
Fig. five
For proper processing by the IPS engine of an asymmetric traffic flow in the customer's network, the concept of Inline Set is introduced; for an example of such a configuration, see Fig. 6
Fig. 6
Let's not forget that many interface cards make it possible to configure bypass in the event of a reboot or failure on the platform, thus avoiding the interruption of services in the network.
Functional overview
Firesight
“ You can’t protect what you don’t know ” is one of SourceFire’s slogans and it's hard to disagree. With huge corporate networks under management, the IS service finds it increasingly difficult to track the emergence of new vulnerabilities on the company's resources, such as:
As these networks grow, it becomes more and more difficult to monitor all these and other changes, and every day the process of tracking incidents and responding to them takes more and more time, and the effectiveness of dealing with real threats decreases. It is good if periodic active scanning is performed on vulnerabilities by the information security team, but besides scanning, it is necessary to block the possibility of using detected vulnerabilities on the side of the intrusion prevention system. Unfortunately, practice shows that the vast majority of administrators do not have the ability to tune the IPS signature set as often as the changing network requires. After all, one can only assess the level of possible implementation of an attack on a target if one understands whether the target is vulnerable to a given attack, and for this one needs to know:
What if the CIO itself can sit behind the attacked host ?! Knowing all these and many other characteristics of the objects of attack or possible objects of attack, you can more effectively filter non-dangerous attacks and block with a necessary escalation of really dangerous invasions.
SourceFire is fundamentally different from competing solutions, including the approach to the analysis of characteristic vulnerabilities in the protected network with the ability to automatically adjust the signature set ! The technology under the brand name FireSight allows you to visualize the network and get visibility (see Fig. 7):
Fig. 7
The sensor analyzes traffic that is actively passing through it or traffic from a SPAN session, looks into traffic headers down to the application level and builds a “map” of the protected network with all its typical vulnerabilities based on the collected data. This map is updated in real time. The settings allow the complex to activate / deactivate signatures in the active signature sets that correspond to detectable vulnerabilities in the network. Datacenter IPS 2014 NSS Labs testing results in an attack blocking efficiency of 99.4%, and 100% protection against evasion techniques.
In addition to passively analyzed traffic, the solution supports uploading active scan results from it, for example, from Nessus.
As an example of the information collected, I will give a profile of one of the hosts (see Fig. 8.9, 10.11).
Fig. eight
List of applications on the host:
Fig. 9
List of host vulnerabilities:
Fig. ten
An example of the description of one of the identified vulnerabilities with links to patches:
Fig. eleven
An example of recommended changes to the signature set based on the results of analytics of vulnerabilities and systems in the internal network is shown in Figure 12.
Fig. 12
Next-Generation Firewall (NGFW)
Firewall of the new generation, as it is now called, content-based ITU applications is implemented in SourceFire FirePower and uses signatures to determine the types of applications provided by the intrusion detection system engine. NGFW is designed to filter not only at the level of ports and protocols, as it is classically implemented in ITU with stateful connection monitoring, but at the level of application-level protocols and functions of the applications themselves, thus looking deeper into transactions and stopping, for example, such activities like sending a file via Skype or accessing the functions of games on Facebook (see Fig 13,14). Note, for example, that Facebook and Google work through the protocol of the 7th level of the OSI model - HTTP. However, these “portals” provide a huge number of functions in the form of web applications that cannot be controlled by classical ITU.
NGFW Access Policy:
Fig. 13
An example of the Skype File Transfer blocking rule:
Fig. 14
As can be seen from Figure 13, we form our application filtering policy and intrusion detection policy in the access policy. Each line of the access policy operates as an access control list entry (governing the access rule with the appropriate conditions).
ACL conditions can be of the following types:
All these conditions can simultaneously appear in one rule and will be used as a logical AND (AND).
After each ACL, you can see three icons (see Figure 15), which mean associated policies from left to right:
Fig. 15
If your network contains applications of its own design and they are not in the application database for filtering, you can easily add your own application to the application database. Import the corresponding Pattern ASCII / HEX to search, or download an example of the application's network activity from the PCAP file.
Fig. sixteen
For each access policy, which can be set, you can assign a Security Intelligence filtering policy (Fig. 17). This policy contains constantly updated lists of IP addresses of spammers, C & C centers of botnets, open proxies, etc. You can choose from the available lists, or load your own filtering lists from a file, or tell the system the URL where these lists are taken from.
Fig. 17
FireAMP Malware Protection
FirePower solutions provide Malware protection at the network level. The system analyzes the files passing through the device specified in the file policy (Fig. 18) formats and transmitted via the specified types of protocols. About the features of solutions to protect against Malware can be found in the article by Alexey Lukatsky ( alukatsky ).
Fig. 18
The principle of the Malware protection is as follows. The SHA-256 hash is removed from the file sent through the device and sent to the Defense Center, which in turn produces a query (Cloud Lookup) in the SourceFire cloud, finding out the disposition of this file (whether the file is clean or Malware) on the basis of the well-known Malware in the cloud . For customers who do not want to send any data to the cloud, the server with the Malware database can be deployed directly on the corporate network, this configuration is called Private Cloud.
If, as a result of removing the hash and the query into the database, the file disposition cannot be established, the device can be sent to the cloud-based sandbox, where the behavior of the file, its survival after reboot, generated network traffic, testing to run in the virtual environment will be analyzed , created processes, files, registry entries and techniques for hiding processes, attempts at self-reproduction, and so on. According to the results of this testing, indices of malicious behavior are calculated, a small excerpt of the report is shown in Figure 19.
Fig. nineteen
If the file is executable (executable), FirePower removes more than 400 variables from the file (links to plug-in libraries, library names, icons used, environment variables, compiler settings, etc.) for analysis by the Spero engine using fuzzy prints algorithm ( Fuzzy fingerprinting). The algorithm, referring to logical self-learning trees of signs and behavior of various kinds of Malware, located in the SourceFire cloud, gets a decision about the disposition of the file.
A very important difference from classic anti-virus protection systems is that classic systems work at a specific point in time. For example, a file is addressed for execution (execution), it is checked against the signature database and / or sandbox, and is forgotten after its conclusion about its purity / infection. However, one should not forget that more than 65,000 (SourceFire statistics) copies of the new Malware appear for the world today, for which there are no signatures yet. Malware can use launch delay techniques to avoid detection in sandboxes. In view of the above considerations, Malware can pass by the network anti-virus and settle on the end nodes, where, as time passes, the distribution and operation of Malware will begin. From the side of the antivirus, there will be no records of the past file, the time of its appearance and the source. According to statistics, up to 30% of the unknown Malware carry with them and download up to 70% of the known Malware and vice versa.
The FireAMP system provides a new approach with retrospective analysis, in which all paths of file distribution and their attributes are remembered. In the case of a FireAMP host-based solution, all associated process activities, network activities, all I / O operations on the local host are remembered. And when, say, 4 days later, it turns out that the downloaded file was previously unknown by Malware, a notification will be received from the SourceFire cloud and the file will be centrally blocked both at the network level and at the level of all Endpoint-infected systems. Moreover, the system will show the file distribution path both over the network and on the host system, all additional components downloaded by the file and Malware programs, process calls and the parent process, which made it possible to become infected and initiate the spread of the threat.
Malware detection example at the network level, Figure 20a, 21
Fig. 20a
Fig. 20b
In particular, in Figure 21 you can see the path of entry and further distribution of the file over the network, affected hosts, the moment of infection, the ports and protocols used.
In Figure 20b, you can see more detailed information about the distribution and method of getting the threat directly to the host with all associated I / O operations.
Fig. 21
Compliance Whitelist function
Separately, I would like to note the useful feature of the white list of systems in the network. Since FirePower can passively see the activity of users and applications on the network in real time, the system makes it possible to build profiles of Compliant systems. Thus, you can specify which operating systems with which patches, client programs and applications we want to see in them in our network. In the case of a deviation from the pattern, you can notify the administrator and use correlation methods (see the next chapter), including executing your own scripts and commands, and carry out actions to quarantine / correct problems.
It should be noted that FirePower provides the ability to create and assign attributes of various types to hosts and set attributes as a result of a correlation action. Attributes can be used when generating automatic notifications, including to increase the level of attack criticality and much more. For example, increase the criticality of the attack when it is detected in the direction of the host with the value of the base attribute - non-compliant.
Created attributes can be of the following types:
By default, each WhiteList has only one attribute that takes on the value:
Each host will have a WhiteList attribute assigned to it with the value of this attribute from the above list.
An example of creating a WhiteList can be seen in Figure 22. You select the allowed types and versions of the operating systems, in each operating system you select the allowed client applications, web applications and the allowed protocols of the transport and network layers.
Fig. 22
Traffic profiles
As you may remember, FireSight technology also monitors connection parameters set by hosts on a network. Based on the collected statistical data, and at least 29 connection parameters are collected, a so-called basic connection profile is compiled for each host. In the configuration, it is possible to set which specific types of connections or application traffic will be profiled and for how long to build the base profile (Example Fig. 23).
Fig. 23
The example in Figure 23 shows that it is possible both to base profiles on the basis of all transmitted traffic and to more subtly distinguish the necessary flows.
Event correlation
A very powerful function for tracking, escalating and responding to events is embedded in the system - this is a correlation function. Especially this function will appeal to enthusiasts and security professionals.
In fact, this function provides an opportunity for an event to expose sets of conditions with their logical bundles for generating reactive effects (for an example of the correlation condition, see figure 24).
Fig. 24
As a result of applying the above correlation condition, there will be an intrusion event:
In the form of a small example, correlation conditions can be created for the following types of events (see Fig. 25, 26):
Fig. 25
Fig. 26
We have considered the possibility of setting correlation conditions, and now we will see how we can respond to the fulfillment of these conditions.
The result of the execution of the correlation rule can be one or more actions, such as:
Fig. 27
Monitoring and reporting system
The Defense Center control system provides very visual statistical information on the system as a whole, as well as the ability to delve into the details of detectable activities from any graph.
To familiarize the administrator with the current picture of the use of network services, applications, operating systems, analysis of the relevance of activities to business processes and risks, the Summary Dashboard overview screen is available (see Fig. 28).
Fig. 28
To start analyzing the past information security incidents, you can go to the Intrusion Events tab and see the aggregated information on detected and blocked attacks, statistics and go to a detailed review of each event of interest separately (see Figure 29).
Fig. 29
Each incident can be studied in detail, including the contents of the packet that caused the signature to trigger, see Fig. 30. From the information window about the event, you can see the text of the signatures that worked, the attack signatures are written in the language of SNORT, which de facto has already become for many IS administrators the standard for writing IPS rules. In the same window, you can perform tuning of the signature, configure filtering and summaries of events, change the action associated with the detection of this activity.
Fig. thirty
In addition to information about attacks, you can analyze and filter information of interest received by the system about the network as a whole. To obtain general information about the network, or, if necessary, about its specific segments, there is the Context Explorer interface (see Fig. 31).
Fig. 31
In figure 31 you can see the statistical information:
The system provides the ability to generate your own reports using pre-defined templates as well as create templates yourself. For making your own report templates, there is a whole Wizard (see Fig. 32), which allows you to include various types of graphical statistics objects, tabular data and directly the contents of packages with suspicious activity. For the purpose of more flexible report generation, it is possible to set your own variables for substituting them into a template when generating a report. Reports can be scheduled and sent to responsible persons.
Fig. 32
Conclusion
In conclusion, I would like to note that the comprehensive system for protecting the network from attacks, managing application policies and fighting the spread of Malware based on products of the acquired SourceFire company organically complement and strengthen Cisco's portfolio in the field of information security products. We single out this class of solutions as promising and will actively develop them. The company allocates major investments in the development of the technological branch of information security solutions, which undoubtedly is one of the strategic ones for the company. In the near future, we are looking forward to an ever closer integration of SourceFire technologies with Cisco's classic architecture solutions and the company's product solutions. Separately, I would like to dispel the concerns of industry colleagues regarding the development of free opensource products from the SourceFire company, all opensource initiatives will be preserved and they will have further active development.
The discussion will focus on the SourceFire Firepower product, which is an integrated intrusion protection system, a new generation firewall and Malware protection.
SourceFire was acquired by Cisco in October 2013 and currently its solutions are the leader according to the Gartner rating agency in the field of intrusion prevention systems.
')
About SourceFire
A few words about the company SourceFire. The company was founded in January 2001 in the state of Colombia by Martin Roesch (Martin Roesch) creator of the world famous opensource intrusion prevention system Snort IPS, which is currently the most widely used IPS system in the world (more than 4 million copies are currently loaded) . In addition to Snort, the company develops such well-known opensource community as ClamAV and Razorback. In addition to the very successful opensource projects that the company is very proud of, the commercial product of the company under the brand SourceFire, which has earned its place as a leader in the field of intrusion detection and prevention systems in the information security market according to the results of the Gartner rating agency (unchanged leader of the last 6 years!), Is also developing. NSS Labs testing lab and others . A separate group of experts - the VRT team (Vulnerability Research Team) - is responsible for developing the rules for detecting attacks and their timely updating. The SourceFire commercial line is represented by two products:
SourceFire FirePower is a new-generation intrusion prevention system with integrated firewalling of application level, content filtering and Malware protection at the network level.
SourceFire FireAmp is a system for protecting against Malware threats at the host level running under Windows / MAC OSX, Android. It can integrate with Malware protection at the network level - SourceFire FirePower.
FirePower Platform Overview
The product is presented in two deployment options: as a 64-bit virtual (VMWare hypervisor) and hardware complexes. The functionality of the virtual platform does not support routing, switching and fault tolerance. At the same time, the virtual appliance works fine as an inline bridge or IDS system on the SPAN port.
A large number of hardware models with different performance, modular interface cards, functions of stacking and clustering are produced. The performance of the models starts with the younger lines - 50 Mb / s, ending with the solutions of the class of large data centers - 60 Gbit / s (Fig. 1).
Fig. one
The performance of the virtual model is 100-150 Mbit / s per core.
The 7000/7100 series models have RJ45 / SFP ports fixed on board, depending on the specific model.
The 8100 series models have modular interface cards with supported interface types 1 Gb / s copper / optics and 10 Gb / s MM-SR and SM-LR optics. The 8200 and 8300 Series models also support the 40 Gb / s MM-SR optical interfaces. Most interface modules have the ability to configure the hardware bypass (including optical) in case of failure of the device.
The older lineup of the FirePower 8200/8300 complexes supports the function of flexible performance enhancement by means of stacking. For example, you can purchase a 8350 sensor with an IPS performance of 15 Gbit / s (platform performance of 30 Gbit / s) and at a time when you need to increase system performance, simply purchase another 8350, stack them and get a performance of 30 Gbit / s IPS and such This way you can stack up to 4 devices with IPS performance up to 60 Gbit / s.
Fault tolerance features are implemented by clustering complexes into Active / Standby bundle with synchronization of session statuses.
FirePower hardware solutions built on the RISC architecture, optimized code and a powerful computing platform with specialized network processors make it possible to achieve and exceed the performance declared by the manufacturer. The declared performance characteristics are the real performance figures that the customer will receive in heavy load tests with fully enabled functionality. This fact is confirmed by the annual testing of NSS Labs.
Defense Center Management System
FirePower is built using a centralized control system - Defense Center. Locally, only the initial settings are available on the FirePower complexes themselves, which allow you to connect the device to the network and set up communication with the control center. All further settings, reporting and monitoring are performed centrally in the Defense Center administration console.
The Defense Center is presented both in the form of hardware platforms (see Fig. 2) with the maximum number of connected sensors — 150 pieces, and in the form of a virtual machine under the VMWare hypervisor with the maximum number of sensors — 25 pieces.
Fig. 2
The control system in its hardware version has fault tolerance functions for models DC1500 and DC3500.
Available deployment topologies
For a virtual sensor, configurations are available both inline placement (see Fig. 3) with inspection and filtering of active traffic, as well as placement in IDS mode on a copy of traffic (SPAN) (see Fig. 4).
Fig. 3
Fig. four
In the case of using a hardware platform, more complex topologies become available to us, since hardware complexes support switching functions at the hardware level with the support of the Spanning Tree Protocol (STP) and have routing functions using OSPF and RIP protocols.
The platform allows you to build hybrid topologies (see Fig. 5).
Fig. five
For proper processing by the IPS engine of an asymmetric traffic flow in the customer's network, the concept of Inline Set is introduced; for an example of such a configuration, see Fig. 6
Fig. 6
Let's not forget that many interface cards make it possible to configure bypass in the event of a reboot or failure on the platform, thus avoiding the interruption of services in the network.
Functional overview
Firesight
“ You can’t protect what you don’t know ” is one of SourceFire’s slogans and it's hard to disagree. With huge corporate networks under management, the IS service finds it increasingly difficult to track the emergence of new vulnerabilities on the company's resources, such as:
- New patches in client applications that carry new vulnerabilities;
- Uncontrolled installation of applications by users;
- The ability to bring your device to the network and its uncontrolled connection;
- Exit and install operating system updates that treat old vulnerabilities and open new ones;
- The emergence of new network segments with new types of operating systems, such as, for example, equipment for automated process control systems, etc .;
As these networks grow, it becomes more and more difficult to monitor all these and other changes, and every day the process of tracking incidents and responding to them takes more and more time, and the effectiveness of dealing with real threats decreases. It is good if periodic active scanning is performed on vulnerabilities by the information security team, but besides scanning, it is necessary to block the possibility of using detected vulnerabilities on the side of the intrusion prevention system. Unfortunately, practice shows that the vast majority of administrators do not have the ability to tune the IPS signature set as often as the changing network requires. After all, one can only assess the level of possible implementation of an attack on a target if one understands whether the target is vulnerable to a given attack, and for this one needs to know:
- what service is subject to attack;
- what version of the operating system is installed on the attacked host and the version of its patch;
- what version of the patch for the attacked service is used;
- a list of known vulnerabilities for the above options, etc .;
What if the CIO itself can sit behind the attacked host ?! Knowing all these and many other characteristics of the objects of attack or possible objects of attack, you can more effectively filter non-dangerous attacks and block with a necessary escalation of really dangerous invasions.
SourceFire is fundamentally different from competing solutions, including the approach to the analysis of characteristic vulnerabilities in the protected network with the ability to automatically adjust the signature set ! The technology under the brand name FireSight allows you to visualize the network and get visibility (see Fig. 7):
- current hosts / systems;
- operating systems with versions and patches on hosts;
- client software and its versions;
- users behind hosts;
- inherent vulnerabilities;
- data exchange between hosts in the passive mode;
Fig. 7
The sensor analyzes traffic that is actively passing through it or traffic from a SPAN session, looks into traffic headers down to the application level and builds a “map” of the protected network with all its typical vulnerabilities based on the collected data. This map is updated in real time. The settings allow the complex to activate / deactivate signatures in the active signature sets that correspond to detectable vulnerabilities in the network. Datacenter IPS 2014 NSS Labs testing results in an attack blocking efficiency of 99.4%, and 100% protection against evasion techniques.
In addition to passively analyzed traffic, the solution supports uploading active scan results from it, for example, from Nessus.
As an example of the information collected, I will give a profile of one of the hosts (see Fig. 8.9, 10.11).
Fig. eight
List of applications on the host:
Fig. 9
List of host vulnerabilities:
Fig. ten
An example of the description of one of the identified vulnerabilities with links to patches:
Fig. eleven
An example of recommended changes to the signature set based on the results of analytics of vulnerabilities and systems in the internal network is shown in Figure 12.
Fig. 12
Next-Generation Firewall (NGFW)
Firewall of the new generation, as it is now called, content-based ITU applications is implemented in SourceFire FirePower and uses signatures to determine the types of applications provided by the intrusion detection system engine. NGFW is designed to filter not only at the level of ports and protocols, as it is classically implemented in ITU with stateful connection monitoring, but at the level of application-level protocols and functions of the applications themselves, thus looking deeper into transactions and stopping, for example, such activities like sending a file via Skype or accessing the functions of games on Facebook (see Fig 13,14). Note, for example, that Facebook and Google work through the protocol of the 7th level of the OSI model - HTTP. However, these “portals” provide a huge number of functions in the form of web applications that cannot be controlled by classical ITU.
NGFW Access Policy:
Fig. 13
An example of the Skype File Transfer blocking rule:
Fig. 14
As can be seen from Figure 13, we form our application filtering policy and intrusion detection policy in the access policy. Each line of the access policy operates as an access control list entry (governing the access rule with the appropriate conditions).
ACL conditions can be of the following types:
- The zones between which filtering will be performed are logical zones to which a device interface may belong;
- Networks between which the traffic will be filtered;
- VLAN between which traffic is filtered;
- AD users whose traffic we want to filter;
- Applications that we want to restrict / allow access to;
- Ports tcp / udp, which will be filtered from / to;
- URLs broken down by category and reputation;
All these conditions can simultaneously appear in one rule and will be used as a logical AND (AND).
After each ACL, you can see three icons (see Figure 15), which mean associated policies from left to right:
- Intrusion Prevention Policy;
- File Filtering and Malware Protection Policy;
- Logging policy;
Fig. 15
If your network contains applications of its own design and they are not in the application database for filtering, you can easily add your own application to the application database. Import the corresponding Pattern ASCII / HEX to search, or download an example of the application's network activity from the PCAP file.
Fig. sixteen
For each access policy, which can be set, you can assign a Security Intelligence filtering policy (Fig. 17). This policy contains constantly updated lists of IP addresses of spammers, C & C centers of botnets, open proxies, etc. You can choose from the available lists, or load your own filtering lists from a file, or tell the system the URL where these lists are taken from.
Fig. 17
FireAMP Malware Protection
FirePower solutions provide Malware protection at the network level. The system analyzes the files passing through the device specified in the file policy (Fig. 18) formats and transmitted via the specified types of protocols. About the features of solutions to protect against Malware can be found in the article by Alexey Lukatsky ( alukatsky ).
Fig. 18
The principle of the Malware protection is as follows. The SHA-256 hash is removed from the file sent through the device and sent to the Defense Center, which in turn produces a query (Cloud Lookup) in the SourceFire cloud, finding out the disposition of this file (whether the file is clean or Malware) on the basis of the well-known Malware in the cloud . For customers who do not want to send any data to the cloud, the server with the Malware database can be deployed directly on the corporate network, this configuration is called Private Cloud.
If, as a result of removing the hash and the query into the database, the file disposition cannot be established, the device can be sent to the cloud-based sandbox, where the behavior of the file, its survival after reboot, generated network traffic, testing to run in the virtual environment will be analyzed , created processes, files, registry entries and techniques for hiding processes, attempts at self-reproduction, and so on. According to the results of this testing, indices of malicious behavior are calculated, a small excerpt of the report is shown in Figure 19.
Fig. nineteen
If the file is executable (executable), FirePower removes more than 400 variables from the file (links to plug-in libraries, library names, icons used, environment variables, compiler settings, etc.) for analysis by the Spero engine using fuzzy prints algorithm ( Fuzzy fingerprinting). The algorithm, referring to logical self-learning trees of signs and behavior of various kinds of Malware, located in the SourceFire cloud, gets a decision about the disposition of the file.
A very important difference from classic anti-virus protection systems is that classic systems work at a specific point in time. For example, a file is addressed for execution (execution), it is checked against the signature database and / or sandbox, and is forgotten after its conclusion about its purity / infection. However, one should not forget that more than 65,000 (SourceFire statistics) copies of the new Malware appear for the world today, for which there are no signatures yet. Malware can use launch delay techniques to avoid detection in sandboxes. In view of the above considerations, Malware can pass by the network anti-virus and settle on the end nodes, where, as time passes, the distribution and operation of Malware will begin. From the side of the antivirus, there will be no records of the past file, the time of its appearance and the source. According to statistics, up to 30% of the unknown Malware carry with them and download up to 70% of the known Malware and vice versa.
The FireAMP system provides a new approach with retrospective analysis, in which all paths of file distribution and their attributes are remembered. In the case of a FireAMP host-based solution, all associated process activities, network activities, all I / O operations on the local host are remembered. And when, say, 4 days later, it turns out that the downloaded file was previously unknown by Malware, a notification will be received from the SourceFire cloud and the file will be centrally blocked both at the network level and at the level of all Endpoint-infected systems. Moreover, the system will show the file distribution path both over the network and on the host system, all additional components downloaded by the file and Malware programs, process calls and the parent process, which made it possible to become infected and initiate the spread of the threat.
Malware detection example at the network level, Figure 20a, 21
Fig. 20a
Fig. 20b
In particular, in Figure 21 you can see the path of entry and further distribution of the file over the network, affected hosts, the moment of infection, the ports and protocols used.
In Figure 20b, you can see more detailed information about the distribution and method of getting the threat directly to the host with all associated I / O operations.
Fig. 21
Compliance Whitelist function
Separately, I would like to note the useful feature of the white list of systems in the network. Since FirePower can passively see the activity of users and applications on the network in real time, the system makes it possible to build profiles of Compliant systems. Thus, you can specify which operating systems with which patches, client programs and applications we want to see in them in our network. In the case of a deviation from the pattern, you can notify the administrator and use correlation methods (see the next chapter), including executing your own scripts and commands, and carry out actions to quarantine / correct problems.
It should be noted that FirePower provides the ability to create and assign attributes of various types to hosts and set attributes as a result of a correlation action. Attributes can be used when generating automatic notifications, including to increase the level of attack criticality and much more. For example, increase the criticality of the attack when it is detected in the direction of the host with the value of the base attribute - non-compliant.
Created attributes can be of the following types:
- INTEGER
- TEXT
- Leaf
- URL
By default, each WhiteList has only one attribute that takes on the value:
- Compliant
- Non-compliant
- Not evaluated
Each host will have a WhiteList attribute assigned to it with the value of this attribute from the above list.
An example of creating a WhiteList can be seen in Figure 22. You select the allowed types and versions of the operating systems, in each operating system you select the allowed client applications, web applications and the allowed protocols of the transport and network layers.
Fig. 22
Traffic profiles
As you may remember, FireSight technology also monitors connection parameters set by hosts on a network. Based on the collected statistical data, and at least 29 connection parameters are collected, a so-called basic connection profile is compiled for each host. In the configuration, it is possible to set which specific types of connections or application traffic will be profiled and for how long to build the base profile (Example Fig. 23).
Fig. 23
The example in Figure 23 shows that it is possible both to base profiles on the basis of all transmitted traffic and to more subtly distinguish the necessary flows.
Event correlation
A very powerful function for tracking, escalating and responding to events is embedded in the system - this is a correlation function. Especially this function will appeal to enthusiasts and security professionals.
In fact, this function provides an opportunity for an event to expose sets of conditions with their logical bundles for generating reactive effects (for an example of the correlation condition, see figure 24).
Fig. 24
As a result of applying the above correlation condition, there will be an intrusion event:
- addressed to a vulnerable platform (Impact 1);
- according to the rules of signatures not blocked;
- aimed at the Anroid or IPhone platform with Jailbrake;
- owned by a member of the Executives department (in Active Directory);
In the form of a small example, correlation conditions can be created for the following types of events (see Fig. 25, 26):
- Security event (alert);
- Discovery event;
- User activity event (user activity);
- The host profile has changed or a vulnerability has been added (host input) (example of events Fig. 26);
- Connection established;
- The traffic profile has changed;
- Malware event detection;
Fig. 25
Fig. 26
We have considered the possibility of setting correlation conditions, and now we will see how we can respond to the fulfillment of these conditions.
The result of the execution of the correlation rule can be one or more actions, such as:
- Run NMAP scanning with the specified parameters on the source / direction of the attack;
- blocking an attacker on a Cisco router (RTBH);
- SHUN blocking on ITU Cisco ASA;
- setting the required attribute on the host;
- administrator notification via Email / SNMP / Syslog;
- execution of a self-written program written in C / BASH / TCSH / PERL with the ability to transfer variables from the event.
Fig. 27
Monitoring and reporting system
The Defense Center control system provides very visual statistical information on the system as a whole, as well as the ability to delve into the details of detectable activities from any graph.
To familiarize the administrator with the current picture of the use of network services, applications, operating systems, analysis of the relevance of activities to business processes and risks, the Summary Dashboard overview screen is available (see Fig. 28).
Fig. 28
To start analyzing the past information security incidents, you can go to the Intrusion Events tab and see the aggregated information on detected and blocked attacks, statistics and go to a detailed review of each event of interest separately (see Figure 29).
Fig. 29
Each incident can be studied in detail, including the contents of the packet that caused the signature to trigger, see Fig. 30. From the information window about the event, you can see the text of the signatures that worked, the attack signatures are written in the language of SNORT, which de facto has already become for many IS administrators the standard for writing IPS rules. In the same window, you can perform tuning of the signature, configure filtering and summaries of events, change the action associated with the detection of this activity.
Fig. thirty
In addition to information about attacks, you can analyze and filter information of interest received by the system about the network as a whole. To obtain general information about the network, or, if necessary, about its specific segments, there is the Context Explorer interface (see Fig. 31).
Fig. 31
In figure 31 you can see the statistical information:
- correlation of data from the Security Intelligence database, security events, traffic and Malware events to assess possible threats within the network;
- the activity of specific users and their applications, detailing the level of risk applications;
- network operating systems and information exchange activities;
- assessment of safety events by impact level and priority level;
- statistics on the detection of malware activity and transmission of infected files;
- geolocation characteristic of hosts distributing malware, realizing hostile activity and the most intensive information exchange;
- statistics of the most frequently visited categories of sites, including the reputation and the most visited URLs;
The system provides the ability to generate your own reports using pre-defined templates as well as create templates yourself. For making your own report templates, there is a whole Wizard (see Fig. 32), which allows you to include various types of graphical statistics objects, tabular data and directly the contents of packages with suspicious activity. For the purpose of more flexible report generation, it is possible to set your own variables for substituting them into a template when generating a report. Reports can be scheduled and sent to responsible persons.
Fig. 32
Conclusion
In conclusion, I would like to note that the comprehensive system for protecting the network from attacks, managing application policies and fighting the spread of Malware based on products of the acquired SourceFire company organically complement and strengthen Cisco's portfolio in the field of information security products. We single out this class of solutions as promising and will actively develop them. The company allocates major investments in the development of the technological branch of information security solutions, which undoubtedly is one of the strategic ones for the company. In the near future, we are looking forward to an ever closer integration of SourceFire technologies with Cisco's classic architecture solutions and the company's product solutions. Separately, I would like to dispel the concerns of industry colleagues regarding the development of free opensource products from the SourceFire company, all opensource initiatives will be preserved and they will have further active development.
Source: https://habr.com/ru/post/229195/
All Articles