
Cisco Firepower NGIPS Deployment

This document explains the concepts involved in deploying Cisco Firepower NGIPS.


OBJECTIVES

• Next-Gen IPS technologies
• Firepower deployment for 6.X versions
• Firepower managed device inline deployment
• Traffic flow through the various security features in the IPS
• Firepower registration to Cisco Firepower Management Center

Next-Gen Firewall

The diagram below depicts a traditional firewall deployment, where the firewall protects an organization based on the 5-tuple. A traditional firewall can act on traffic only up to layer 4:

• Source IP
• Destination IP
• Source port
• Destination port
• Protocol

A traditional firewall is of little help in protecting traffic at the application level, and attacks at the application level are growing exponentially.

Ex: Command and Control (CnC), reconnaissance, lateral movement, data exfiltration and botnet activity all go unnoticed.

Solution: Next-Gen IPS offers a range of protections for your organization: DNS and URL blacklisting, file blocking, malware protection, IPS, etc.

NGIPS

➔ Application layer protection
➔ Packet payloads are examined
➔ Deep packet inspection up to OSI layer 7
➔ Matches attacks based on signatures
➔ Traffic analysis
➔ Malware protection
➔ Security Intelligence
➔ Action on App ID / User ID
➔ Suspicious behaviour

Firepower Security Policies

This is a high-level overview of how traffic passes through Firepower.

These are the policies that can be applied to a Firepower device:

• Access Control Policy
• Network Access Policy
• Intrusion Policy
• Anti-Malware and File Protection Policy
• SSL Policy
• DNS Policy

Security Intelligence: The first level of filtering, based on blacklisted IPs, known malicious DNS/URL records and custom DNS/URL records. If a packet is dropped here, it is not sent to the Access Control Policy for DPI.

SSL Policy: If your organization decides to decrypt all outbound/inbound traffic, you can use the SSL policy with a certificate issued from your internal PKI. Decrypted traffic is sent to the ACP and AMP; once the verdict is good, the traffic is re-encrypted and sent out.

Access Control Policy: This is where you define all your rules. You can define rules for traffic you don't want to subject to DPI by setting the action to "trust". You can also define which traffic needs to be inspected with the intrusion and malware policies.

Intrusion Policy: IPS signatures for attacks are defined here. Snort rules are used to block malicious traffic. You can define custom signatures or inherit the signature database from Cisco.

Malware & File Policy: Here you can allow or block certain file types and scan for malware in the set of file types you consider could be infected.
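As an added illustration (not part of the original document and not Cisco's software), the Python model below walks a packet through the stages in the order just described, using constructed policy objects: a Security Intelligence drop never reaches the ACP, a "trust" rule skips all DPI, and TLS traffic that the SSL policy does not decrypt stays opaque to the intrusion signatures.

```python
from dataclasses import dataclass

# Constructed sample policy objects (assumptions for this example, not Cisco data).
SI_BLACKLISTED_IPS = {"198.51.100.7"}                 # Security Intelligence IP list
SI_BLACKLISTED_DOMAINS = {"bad.example"}              # Security Intelligence DNS/URL list
ACP_RULES = [                                         # evaluated top-down, first match wins
    {"name": "trust-backup", "dst_port": 873, "action": "trust"},
    {"name": "inspect-web", "dst_port": 443, "action": "allow", "intrusion": True, "file": True},
]
ACP_DEFAULT = {"name": "default", "action": "allow", "intrusion": True, "file": False}
IPS_SIGNATURES = {"cmd.exe /c": "sid-1000001"}        # constructed content match -> rule id
FILE_BLOCK_TYPES = {"exe"}                            # Malware & File policy block list

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    domain: str = ""
    payload: str = ""
    file_type: str = ""
    tls: bool = False

def inspect(pkt: Packet, ssl_decrypt: bool = True) -> tuple[str, list[str]]:
    """Return (verdict, trace) in the page's order: SI -> SSL -> ACP -> Intrusion -> File."""
    trace: list[str] = []
    # 1. Security Intelligence: a drop here never reaches the Access Control Policy.
    if {pkt.src_ip, pkt.dst_ip} & SI_BLACKLISTED_IPS:
        return "drop", trace + ["SI:ip-blacklist"]
    if pkt.domain in SI_BLACKLISTED_DOMAINS:
        return "drop", trace + ["SI:dns-url-blacklist"]
    # 2. SSL policy: without decryption the payload stays opaque to every later stage.
    if pkt.tls and not ssl_decrypt:
        trace.append("SSL:not-decrypted")
    visible = pkt.payload if (ssl_decrypt or not pkt.tls) else ""
    # 3. Access Control Policy: first matching rule decides; "trust" skips all DPI.
    rule = next((r for r in ACP_RULES if r["dst_port"] == pkt.dst_port), ACP_DEFAULT)
    trace.append(f"ACP:{rule['name']}:{rule['action']}")
    if rule["action"] == "trust":
        return "trust", trace
    # 4. Intrusion policy: Snort-style content signatures on the visible payload.
    if rule.get("intrusion"):
        for pattern, sid in IPS_SIGNATURES.items():
            if pattern in visible:
                return "drop", trace + [f"IPS:{sid}"]
    # 5. Malware & File policy: block listed file types.
    if rule.get("file") and pkt.file_type in FILE_BLOCK_TYPES:
        return "drop", trace + [f"FILE:block-{pkt.file_type}"]
    return "allow", trace
```

The trace returned with each verdict shows which stage decided, which is the same question you answer when reading FMC connection events for a dropped flow.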

Cisco FMC and Firepower Design considerations

Consider that you have the setup below in your company and wish to integrate NGIPS.

Things to consider:

• Do not make any routing changes
• Do not disrupt the configurations on the router and switch

Solution: Integrate Firepower physically inline between the switch and the router.

Design:

• Break the connection between the switch and the router.
• Connect the switch to one interface of Firepower and the router to another interface.
• Connect the management port of Firepower to your management switch.
• Plan to have Firepower and FMC on the same plan.

Cisco Firepower configuration

• Log in to the Firepower console

• Enter the default username and password – admin/Admin123. Press "Enter" to go through the End User License Agreement (EULA).

• Type “YES” to continue

• Enter the management IP, netmask, gateway and fully qualified domain name for Firepower as per your design. Choose inline deployment

• Wait 1-2 minutes for Firepower to load the settings. The next step is to configure the manager.
Command => configure manager add <fmc_mgmt_ip> <registration_key>
You can set the registration key to anything you like. Do not forget the registration key you use here, as it will be needed on FMC to add the appliance.

NOTE: If you entered wrong information and would like to correct it, you can always reconfigure the network settings using the command below

Command => configure network ipv4 manual <firepower_mgmt_ip> <subnet_mask>

• Execute the command below to view the manager you added on Firepower
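An added helper (not from the document and not Cisco tooling) that sanity-checks the management addressing before you type the two commands from the steps above. It uses Python's ipaddress module, reads the design recommendation to keep Firepower and FMC on the same plan as the same management subnet (an assumption), and applies a constructed registration-key hygiene rule.

```python
import ipaddress
import re

def plan_registration(fp_mgmt_ip: str, netmask: str, gateway: str,
                      fmc_mgmt_ip: str, registration_key: str) -> dict:
    """Check the management-network plan and build the two CLI commands from the page."""
    fp_if = ipaddress.ip_interface(f"{fp_mgmt_ip}/{netmask}")   # raises ValueError if invalid
    net = fp_if.network
    gw = ipaddress.ip_address(gateway)
    fmc = ipaddress.ip_address(fmc_mgmt_ip)
    problems: list[str] = []
    if gw not in net or gw == fp_if.ip:
        problems.append(f"gateway {gw} must be another host inside {net}")
    if fmc == fp_if.ip:
        problems.append("FMC and Firepower management IPs collide")
    elif fmc not in net:
        # Assumption: "same plan" on the page is read as the same management subnet.
        problems.append(f"FMC {fmc} is outside {net}; keep FMC and Firepower on one management network")
    # Constructed hygiene rule: the key is typed on both the device and FMC, so keep it unambiguous.
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", registration_key):
        problems.append("registration key should be 8+ alphanumeric characters with no spaces")
    return {
        "network_cmd": f"configure network ipv4 manual {fp_if.ip} {netmask}",
        "manager_cmd": f"configure manager add {fmc} {registration_key}",
        "problems": problems,
    }

if __name__ == "__main__":
    # Constructed sample addressing, not from any real deployment.
    result = plan_registration("10.10.20.5", "255.255.255.0", "10.10.20.1", "10.10.20.10", "RegKey2024")
    print(result["network_cmd"])
    print(result["manager_cmd"])
    print("problems:", result["problems"] or "none")
```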

Cisco FMC configuration

• To add a device on FMC, go to Devices -> Device Management -> click Add -> select Add Device

• On the next screen, click the Access Control Policy dropdown and select New. Give the policy a name and set the default action to "Intrusion Prevention"

• Once the Access Control Policy is created, fill in the details of the Firepower you are adding

Select the licenses based on your purchase and requirements:

Firepower Licensing

License                  Covers
Protection License       IPS; File Control (detect or block files); Security Intelligence filtering
Control License          User & application control, switching & routing; requires the Protection license
Malware License          AMP, ThreatGrid; requires the Protection license
URL Filtering License    URL filtering, categories & reputation; requires the Protection license

• FMC will start the registration process. You should see the status as below

• If the details you entered are correct, you should see FMC successfully register the Firepower

• Now log in to Firepower and, as a verification step, check that the registration is complete

Create Inline Set for Firepower

• Configure the inline network pair to define the ingress and egress interfaces. The interfaces are paired so that Firepower knows a packet entering one interface should leave its counterpart.
• Firepower can have multiple interfaces; to pair them, you configure inline sets.

• Click the pencil icon on the device you just added

• Define the ingress and egress interface by assigning a security zone

• Create an inline set for the interfaces

Note: The Failsafe option allows traffic to bypass the system if the buffers are full. No inspection happens at that point.

• Depending on your needs select the option in the advanced section

• Once the inline set is defined, deploy the config by selecting the Deploy icon, selecting the device and clicking Deploy

Health Policy and Platform settings deployment

• The health policy governs how FMC queries the FTD for health checks. Here you define whether FMC should monitor the interface, CPU, disk etc. status of Firepower.

• Go to -> System -> Health -> Policy -> Create Policy

• Pay attention to the options on the left. Based on the health policy, you can configure alerting on FMC to send SNMP traps or emails in case of a health check error or warning

• Once you have defined the settings as per your needs, click Apply, select the Firepower device and click Apply

• Now, to control the system settings of Firepower, go to Device -> Platform Settings -> Create New Policy.
• Select the Firepower appliance and move it to the right.

• Change the available settings as per your needs and click Save

• Deploy the policy to the device
