- Title Page
- Introduction & Preface
- Logging into the FireSIGHT System
- Using Objects and Security Zones
- Managing Devices
- Setting Up an IPS Device
- Setting Up Virtual Switches
- Setting Up Virtual Routers
- Setting Up Aggregate Interfaces
- Setting Up Hybrid Interfaces
- Using Gateway VPNs
- Using NAT Policies
- Getting Started with Access Control Policies
- Blacklisting Using Security Intelligence IP Address Reputation
- Tuning Traffic Flow Using Access Control Rules
- Controlling Traffic with Network-Based Rules
- Controlling Traffic with Reputation-Based Rules
- Controlling Traffic Based on Users
- Controlling Traffic Using Intrusion and File Policies
- Understanding Traffic Decryption
- Getting Started with SSL Policies
- Getting Started with SSL Rules
- Tuning Traffic Decryption Using SSL Rules
- Understanding Intrusion and Network Analysis Policies
- Using Layers in Intrusion and Network Analysis Policies
- Customizing Traffic Preprocessing
- Getting Started with Network Analysis Policies
- Using Application Layer Preprocessors
- Configuring SCADA Preprocessing
- Configuring Transport & Network Layer Preprocessing
- Tuning Preprocessing in Passive Deployments
- Getting Started with Intrusion Policies
- Tuning Intrusion Rules
- Tailoring Intrusion Protection to Your Network Assets
- Detecting Specific Threats
- Limiting Intrusion Event Logging
- Understanding and Writing Intrusion Rules
- Blocking Malware and Prohibited Files
- Logging Connections in Network Traffic
- Working with Connection & Security Intelligence Data
- Analyzing Malware and File Activity
- Working with Intrusion Events
- Handling Incidents
- Configuring External Alerting
- Configuring External Alerting for Intrusion Rules
- Introduction to Network Discovery
- Enhancing Network Discovery
- Configuring Active Scanning
- Using the Network Map
- Using Host Profiles
- Working with Discovery Events
- Configuring Correlation Policies and Rules
- Using the FireSIGHT System as a Compliance Tool
- Creating Traffic Profiles
- Configuring Remediations
- Using Dashboards
- Using the Context Explorer
- Working with Reports
- Understanding and Using Workflows
- Using Custom Tables
- Searching for Events
- Managing Users
- Scheduling Tasks
- Managing System Policies
- Configuring Appliance Settings
- Licensing the FireSIGHT System
- Updating System Software
- Monitoring the System
- Using Health Monitoring
- Auditing the System
- Using Backup and Restore
- Specifying User Preferences
- Importing and Exporting Configurations
- Purging Discovery Data from the Database
- Viewing the Status of Long-Running Tasks
- Command Line Reference
- Security, Internet Access, and Communication Ports
- Third-Party Products
- Glossary
Introduction to the Cisco FireSIGHT System
The Cisco FireSIGHT® System is an integrated suite of network security and traffic management products, deployed either on purpose-built platforms or as a software solution.
The system is designed to help you handle network traffic in a way that complies with your organization’s security policy—your guidelines for protecting your network. A security policy may also include an acceptable use policy (AUP), which provides employees with guidelines of how they may use your organization’s systems.
In a typical deployment, multiple traffic-sensing managed devices installed on network segments monitor traffic for analysis and report to a managing Defense Center®. Deployed inline, devices can affect the flow of traffic.
Tip There are several models of device and Defense Center. Managed devices include physical and virtual FirePOWER appliances, Cisco NGIPS for Blue Coat X-Series, and Cisco ASA with FirePOWER Services (ASA FirePOWER). Defense Centers can also be deployed as physical or virtual appliances. When necessary, appliance models are further grouped into series and family. System capabilities often depend on model and license.
The Defense Center provides a centralized management console with web interface that you can use to perform administrative, management, analysis, and reporting tasks. Physical managed devices also have a web interface that you can use to perform initial setup and basic analysis and configuration tasks. Virtual managed devices, Cisco NGIPS for Blue Coat X-Series, and ASA FirePOWER devices do not have a FireSIGHT System web interface. For these devices, you must use a CLI to perform any tasks that you cannot complete using the managing Defense Center.
This guide provides information about the features and functionality of the FireSIGHT System. The explanatory text, diagrams, and procedures in each chapter provide detailed information to help you navigate the user interface, maximize the performance of your system, and troubleshoot complications.
The topics that follow introduce you to the FireSIGHT System, describe its key components, and help you understand how to use this guide:
Introduction to Managed Devices
Managed devices installed on network segments monitor traffic for analysis. Deployed passively, managed devices gather detailed information about your organization’s assets: hosts, operating systems, applications, users, transmitted files (including malware), vulnerabilities, and so on. The FireSIGHT System correlates this information for your analysis so you can monitor the websites your users visit and the applications they use, assess traffic patterns, and receive notifications of intrusions and other attacks.
Deployed inline, the system can affect the flow of traffic using access control, which allows you to specify, in a granular fashion, how to handle the traffic entering, exiting, and traversing your network. The data that you collect about your network traffic and all the information you glean from it can be used to filter and control that traffic based on:
- simple, easily-determined transport and network layer characteristics: source and destination, port, protocol, and so on
- the latest contextual information on the traffic, including characteristics such as reputation, risk, business relevance, application used, or URL visited
- Microsoft Active Directory LDAP users in your organization; you can grant different levels of access to different users
- characteristics of encrypted traffic; you can also decrypt this traffic for further analysis
- whether unencrypted or decrypted traffic contains a prohibited file, detected malware, or intrusion event
Each type of traffic inspection and control occurs where it makes the most sense for maximum flexibility and performance. For example, reputation-based blacklisting, because it uses simple source and destination data, can block prohibited traffic early in the process, while detecting and blocking intrusions and exploits is a last-line defense.
In addition to access control, network management features on Series 3 devices allow them to serve in switched and routed environments, perform network address translation (NAT), and to build secure virtual private network (VPN) tunnels between virtual routers you configure. You can also configure bypass interfaces, aggregated interfaces, fast-path rules, and strict TCP enforcement.
- Series 2 and Series 3 Managed Devices
- 64-Bit Virtual Managed Devices
- Cisco NGIPS for Blue Coat X-Series
- Cisco ASA with FirePOWER Services
- Configurations that Restart the Snort Process
- How Snort Restarts Affect Traffic
Series 2 and Series 3 Managed Devices
Series 3 devices, which include all Cisco FirePOWER 7000 Series and 8000 Series devices, are the third series of physical devices purpose-built for the FireSIGHT System. Series 3 devices have a range of throughputs, but share most of the same capabilities. In general, 8000 Series devices are more powerful than 7000 Series; they also support additional features such as fast-path rules, link aggregation, and stacking.
Note that both Defense Centers and Series 3 devices are in the midst of a branding transition. The Defense Center is also referred to as the FireSIGHT Management Center, and Series 3 devices are also referred to as FirePOWER devices. Product identification numbers for Defense Centers may begin with FS rather than DC. Similarly, product identification numbers for Series 3 devices may begin with FP rather than 3D. The model numbers otherwise remain unchanged. For example, a DC4000 and an FS4000 refer to the same Defense Center.
Series 2 is the second series of physical managed devices. Series 2 devices automatically have most of the capabilities associated with a Protection license: intrusion detection and prevention, file control, and simple network-based access control.
However, because of resource and architecture limitations, Series 2 devices support a restricted set of features granted by the Protection license. Series 2 devices cannot perform Security Intelligence filtering or file control for nested files inside archive files. Also, Series 2 devices cannot perform geolocation-based access control, even with a FireSIGHT-licensed Defense Center. You cannot enable other licensed capabilities on a Series 2 device.
Although Cisco no longer ships new Series 2 appliances, you can update or reimage Series 2 devices running earlier versions of the system to Version 5.4.1. Note that reimaging results in the loss of almost all configuration and event data on the appliance. For more information, see the FireSIGHT System Installation Guide.
Tip You can migrate specific configuration and event data from a Version 4.10.3 deployment to a Version 5.2 deployment, which you can then update to Version 5.4.1. For more information, see the FireSIGHT System Migration Guide for Version 5.2.
64-Bit Virtual Managed Devices
You can deploy 64-bit virtual devices as ESXi hosts using the VMware vSphere Hypervisor or vCloud Director environment. You can also enable VMware Tools on all supported ESXi versions. For a list of supported versions, see the FireSIGHT System Virtual Installation Guide. For information on the full functionality of VMware Tools, see the VMware website (http://www.vmware.com/).
Virtual appliances use e1000 (1 Gbit/s) interfaces, or you can use the VMware vSphere Client to replace the default sensing and management interfaces with vmxnet3 (10 Gbit/s) interfaces. You can also use the VMware vSphere Client to create additional management interfaces on the virtual Defense Center. For more information, see the FireSIGHT System Virtual Installation Guide.
Regardless of the licenses installed and applied, virtual appliances do not support any of the system’s hardware-based features: redundancy and resource sharing, switching, routing, and so on. Also, virtual devices do not have a FireSIGHT System web interface.
Cisco NGIPS for Blue Coat X-Series
You can install Cisco NGIPS for Blue Coat X-Series on a Blue Coat X-Series platform. This software-based appliance functions similarly to a virtual managed device. Regardless of the licenses installed and applied, Cisco NGIPS for Blue Coat X-Series does not support any of the following FireSIGHT System features:
- Cisco NGIPS for Blue Coat X-Series does not support features granted by the Malware or Control licenses, including advanced malware protection (AMP), application control, user control, and any of the system’s hardware-based features (clustering, stacking, switching, routing, VPN, NAT, and so on).
- You cannot use Cisco NGIPS for Blue Coat X-Series to decrypt or inspect encrypted traffic (SSL inspection).
- You cannot use Cisco NGIPS for Blue Coat X-Series to filter network traffic based on its country or continent of origin or destination (geolocation-based access control).
- You cannot use the Defense Center web interface to configure Cisco NGIPS for Blue Coat X-Series interfaces.
- You cannot use the Defense Center to shut down, restart, or otherwise manage Cisco NGIPS for Blue Coat X-Series processes.
- You cannot use the Defense Center to create backups from or restore backups to Cisco NGIPS for Blue Coat X-Series.
- You cannot apply health or system policies to Cisco NGIPS for Blue Coat X-Series. This includes managing time settings.
Cisco NGIPS for Blue Coat X-Series does not have a web interface. However, it has a command line interface (CLI) unique to the X-Series platform. You use this CLI to install the system and to perform other platform-specific administrative tasks, such as:
- creating Virtual Appliance Processor (VAP) groups, which allow you to take advantage of the X-Series platform’s load balancing and redundancy benefits (comparable to Cisco physical device clustering)
- configuring passive and inline sensing interfaces, including configuring the interface’s maximum transmission unit (MTU)
- managing processes
- managing time settings, including NTP settings
Cisco ASA with FirePOWER Services
Cisco ASA with FirePOWER Services (ASA FirePOWER devices) functions similarly to a managed device. In this deployment, the ASA device provides the first-line system policy and passes traffic to the FireSIGHT System for access control, intrusion detection and prevention, discovery, and advanced malware protection.
Regardless of the licenses installed and applied, ASA FirePOWER devices do not support any of the following FireSIGHT System features:
- ASA FirePOWER devices do not support the FireSIGHT System’s hardware-based features: clustering, stacking, switching, routing, VPN, NAT, and so on. However, the ASA platform does provide these features, which you can configure using the ASA CLI and ASDM. See the ASA documentation for more information.
- ASA FirePOWER devices do not support SSL inspection.
- You cannot use the Defense Center web interface to configure ASA FirePOWER interfaces.
- You cannot use the Defense Center to shut down, restart, or otherwise manage ASA FirePOWER processes.
- You cannot use the Defense Center to create backups from or restore backups to ASA FirePOWER devices.
- You cannot write access control rules to match traffic using VLAN tag conditions.
The ASA FirePOWER device does not have a FireSIGHT web interface. However, it has software and a command line interface (CLI) unique to the ASA platform. You use these ASA-specific tools to install the system and to perform other platform-specific administrative tasks. For more information, see the ASA FirePOWER module documentation.
You can manage ASA5506-X, ASA5506H-X, ASA5506W-X, ASA5508-X, ASA5516-X, and ISA 3000 devices as standalone devices or managed devices. You manage standalone ASA FirePOWER modules through ASA FirePOWER Configuration in ASDM and managed ASA FirePOWER modules with a Defense Center. You cannot manage an ASA FirePOWER module with ASDM when the device is registered to a Defense Center.
Note that if you edit an ASA FirePOWER device and switch from multiple context mode to single context mode (or vice versa), the device renames all of its interfaces. You must reconfigure all FireSIGHT System security zones, correlation rules, and related configurations to use the updated ASA FirePOWER interface names.
Note The Defense Center does not display ASA interfaces when the ASA FirePOWER device is deployed in SPAN port mode.
Cisco ISA 3000
The Cisco ISA 3000 is a DIN rail mounted, ruggedized industrial security appliance that provides firewall, threat defense, and VPN services. It is a low-power, fanless appliance with Gigabit Ethernet and a dedicated management port. There are two SKUs:
- Copper SKU with 4x10/100/1000Base-T and a management port
- Fiber SKU with 2x1GbE SFP and 2x10/100/1000Base-T and a management port
The Cisco ISA 3000 comes with Cisco ASA firewall protection, combined with industry-leading threat and advanced malware protection. The Cisco ISA 3000 runs Cisco ASA with FirePOWER Services. For more information, see Cisco ASA with FirePOWER Services.
Summary of Supported Capabilities by Managed Device Model
When running Version 5.4.1, FireSIGHT System devices have varying throughputs and capabilities, which depend on model and license.
Note that both Defense Centers and Series 3 devices are in the midst of a branding transition. The Defense Center is also referred to as the FireSIGHT Management Center, and Series 3 devices are also referred to as FirePOWER devices. Product identification numbers for Defense Centers may begin with FS rather than DC. Similarly, product identification numbers for Series 3 devices may begin with FP rather than 3D. The model numbers otherwise remain unchanged. For example, a DC4000 and an FS4000 refer to the same Defense Center.
Although you can use any Version 5.4.1 Defense Center to manage any Version 5.4.1 device, the DC500 (and to a lesser extent, the DC750) supports a restricted set of FireSIGHT System features. For more information, see Summary of Supported Capabilities by Defense Center Model.
The following tables match the major access control and network management capabilities of the system with the managed devices that support those capabilities, and the licenses you must enable. For brief descriptions of these capabilities, see FireSIGHT System Components.
Configurations that Restart the Snort Process
The Snort® process always restarts when applying any of the configurations listed below.
- apply a policy for the first time
- add or remove a URL category and reputation condition on the URLs tab in an access control rule
- associate an intrusion policy or file policy on the Inspection tab in an access control rule, or subsequently remove the policy by selecting None
Access Control Policy Advanced Setting
- disable Inspect Traffic During Policy Apply under General Settings
- change a value under Files and Malware Settings
- associate an SSL policy under SSL Policy Settings, or subsequently remove the policy by selecting None
- enable or disable adaptive profiles under Detection Enhancement Settings
- change a Security Intelligence list, except via the Whitelist Now or Blacklist Now option on the right-click menu
- enable or disable archive file inspection
- add a file type or file category to a file rule, or subsequently remove it from the rule
- change a file rule action to or from Detect Files or Block Malware
- enable or disable Store Files in a file rule
- change the value for an IMAP, POP, or SMTP preprocessor Base64 Decoding Depth, 7-Bit/8-Bit/Binary Decoding Depth, Quoted-Printable Decoding Depth, or Unix-to-Unix Decoding Depth
- Routing—add a Series 3 routed interface or virtual router
- VPN—add or remove a VPN
- MTU—change the MTU value (Series 2) or the highest MTU value (Series 3) for a non-management interface
- Device high availability—change a high-availability state sharing option
- AAB—activate AAB
Note Automatic Application Bypass (AAB) is activated only when it is enabled and an excessive amount of time is spent processing a single packet. If AAB engages, the Snort process restarts.
- apply an access control or intrusion policy after importing an intrusion rule update that includes a new or updated shared object rule
- apply an access control policy after installing a vulnerability database (VDB) update
- install a system update or patch that includes a binary change. Binary changes can include changes to Snort, a preprocessor, the vulnerability database (VDB), or a shared object rule. Note that in the case of a managed device, a patch that does not include a binary change can sometimes require a Snort restart.
How Snort Restarts Affect Traffic
As seen in the following table, the effect of Snort restarts on traffic depends on the model of the managed device and how the device handles traffic.
Introduction to the Defense Center
A Defense Center provides a centralized management console and database repository for your FireSIGHT System deployment. Defense Centers aggregate and correlate intrusion, file, malware, discovery, connection, and performance data, assessing the impact of events on particular hosts and tagging hosts with indications of compromise. This allows you to monitor the information that your devices report in relation to one another, and to assess and control the overall activity that occurs on your network. Defense Centers also control the network management features on your devices: switching, routing, NAT, VPN, and so on.
Key features of the Defense Center include:
- device, license, and policy management
- event and contextual information displayed in tables, graphs, and charts
- health and performance monitoring
- external notification and alerting
- correlation, indications of compromise, and remediation features for real-time threat response
- custom and template-based reporting
- a high availability (redundancy) feature to ensure continuity of operations
Series 2 and Series 3 Defense Centers are fault-tolerant, purpose-built physical network appliances available from Cisco. You can also deploy 64-bit virtual Defense Centers as ESXi hosts using the VMware vSphere Hypervisor or vCloud Director environment. Any Defense Center can manage any type of device: physical, virtual, Cisco ASA with FirePOWER Services, and Cisco NGIPS for Blue Coat X-Series.
Defense Centers have a range of device management, event storage, host monitoring, and user monitoring capabilities. Note that because of resource and architecture limitations, the DC500 (and to a lesser extent, the DC750) supports a restricted set of FireSIGHT System features.
Note that both Defense Centers and Series 3 devices are in the midst of a branding transition. The Defense Center is also referred to as the FireSIGHT Management Center, and Series 3 devices are also referred to as FirePOWER devices. Product identification numbers for Defense Centers may begin with FS rather than DC. Similarly, product identification numbers for Series 3 devices may begin with FP rather than 3D. The model numbers otherwise remain unchanged. For example, a DC4000 and an FS4000 refer to the same Defense Center.
Note Although Cisco no longer ships new Series 2 Defense Centers, you can update or reimage them to Version 5.4.1. Note that reimaging results in the loss of almost all configuration and event data on the appliance. For more information, see the FireSIGHT System Installation Guide.
Summary of Supported Capabilities by Defense Center Model
When running Version 5.4.1, all Defense Centers have similar capabilities, with the primary differences being capacity and speed. Defense Center models vary in terms of how many devices they can manage, how many events they can store, and how many hosts and users they can monitor. For more information, see:
- Managing Devices
- Configuring Database Event Limits
- Understanding FireSIGHT Host and User License Limits
Although you can use any Version 5.4.1 Defense Center to manage any Version 5.4.1 device, the DC500 (and to a lesser extent, the DC750) supports a restricted set of FireSIGHT System features. Also, many system capabilities are limited by your devices’ license and model; see Summary of Supported Capabilities by Managed Device Model.
The DC2000 and DC4000 introduce Cisco's Unified Computing System (UCS) platform into the FireSIGHT System. Note that the DC2000 and DC4000 do not support Cisco functionality that uses tools on the baseboard management controller (BMC), such as the UCS Manager or the Cisco Integrated Management Controller (CIMC). The following tables match the major access control and network management capabilities of the system with the Defense Centers that support those capabilities, and the licenses you must enable. For brief descriptions of these capabilities, see FireSIGHT System Components.
Defense Centers and Devices Delivered with Version 5.4.X
The following table lists the Defense Centers and managed devices that Cisco delivers with Version 5.4.X of the FireSIGHT System.
Note that both Defense Centers and Series 3 devices are in the midst of a branding transition. The Defense Center is also referred to as the FireSIGHT Management Center, and Series 3 devices are also referred to as FirePOWER devices. Product identification numbers for Defense Centers may begin with FS rather than DC. Similarly, product identification numbers for Series 3 devices may begin with FP rather than 3D. The model numbers otherwise remain unchanged. For example, a DC4000 and an FS4000 refer to the same Defense Center.
Although Cisco no longer ships new Series 2 appliances, you can update or reimage Series 2 devices and Defense Centers running earlier versions of the system to Version 5.4.1. Note that reimaging results in the loss of almost all configuration and event data on the appliance. For more information, see the FireSIGHT System Installation Guide.
Tip You can migrate specific configuration and event data from a Version 4.10.3 deployment to a Version 5.2 deployment, which you can then update to Version 5.4.1. For more information, see the FireSIGHT System Migration Guide for Version 5.2.
FireSIGHT System Components
The topics that follow describe some of the key capabilities of the FireSIGHT System that contribute to your organization’s security, acceptable use policy, and traffic management strategy:
- Redundancy and Resource Sharing
- Network Traffic Management
- FireSIGHT
- Access Control
- SSL Inspection
- Intrusion Detection and Prevention
- Advanced Malware Protection and File Control
- Application Programming Interfaces
Tip Many FireSIGHT System features are appliance model, license, and user role dependent. This documentation includes information about which FireSIGHT System licenses and devices are required for each feature, and which user roles have permission to complete each procedure. For more information, see Documentation Conventions.
Redundancy and Resource Sharing
The redundancy and resource-sharing features of the FireSIGHT System allow you to ensure continuity of operations and to combine the processing resources of multiple physical devices.
Defense Center High Availability
To ensure continuity of operations, a Defense Center high availability feature allows you to designate redundant DC1000, DC1500, DC2000, DC3000, DC3500, or DC4000 Defense Centers to manage devices. Event data streams from managed devices to both Defense Centers; certain configuration elements are maintained on both Defense Centers. If one Defense Center fails, you can monitor your network without interruption using the other Defense Center.
Device stacking allows you to increase the amount of traffic inspected on a network segment by connecting two to four physical devices in a stacked configuration. When you establish a stacked configuration, you combine the resources of each stacked device into a single, shared configuration.
Device clustering (sometimes called device high availability) allows you to establish redundancy of networking functionality and configuration data between two or more Series 3 devices or stacks. Clustering two or more peer devices or stacks results in a single logical system for policy applies, system updates, and registration. With device clustering, the system can fail over either manually or automatically.
In most cases, you can achieve Layer 3 redundancy without clustering devices by using SFRP. SFRP allows devices to act as redundant gateways for specified IP addresses. With network redundancy, you can configure two or more devices or stacks to provide identical network connections, ensuring connectivity for other hosts on the network.
Load Balancing with Cisco NGIPS for Blue Coat X-Series
You can take advantage of the X-Series platform’s load balancing and redundancy benefits (comparable to Cisco physical device clustering) by deploying Cisco NGIPS for Blue Coat X-Series as individual VAPs in a multi-member VAP group on the X-Series platform. You then manage these VAP groups using the Defense Center. For more information, see the Cisco NGIPS for Blue Coat X-Series Installation and Configuration Guide.
Network Traffic Management
The FireSIGHT System’s network traffic management features allow managed devices to act as part of your organization’s network infrastructure. You can configure Series 3 devices to serve in a switched, routed, or hybrid (switched and routed) environment; to perform network address translation (NAT); and to build secure virtual private network (VPN) tunnels.
You can configure the FireSIGHT System in a Layer 2 deployment so that it provides packet switching between two or more network segments. In a Layer 2 deployment, you configure switched interfaces and virtual switches on managed devices to operate as standalone broadcast domains. A virtual switch uses the MAC address from a host to determine where to send packets. You can also group multiple physical interfaces into a single logical link that provides packet switching between two endpoints in your network. The endpoints can be two FirePOWER managed devices, or a FirePOWER managed device connected to a third-party access switch.
You can configure the FireSIGHT System in a Layer 3 deployment so that it routes traffic between two or more interfaces. In a Layer 3 deployment, you configure routed interfaces and virtual routers on managed devices to receive and forward traffic. The system routes packets by making packet forwarding decisions according to the destination IP address. Routers obtain the destination from the outgoing interface based on the forwarding criteria, and access control rules designate the security policies to apply.
When you configure virtual routers, you can define static routes. In addition, you can configure Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) dynamic routing protocols. You can also configure a combination of static routes and RIP or static routes and OSPF. You can set up DHCP relay for each virtual router you configure.
If you use both virtual switches and virtual routers in your Cisco appliance configuration, you can configure associated hybrid interfaces to bridge traffic between them. These utilities analyze traffic to determine its type and the appropriate response (route, switch, or otherwise). You can also group multiple physical interfaces into a single logical link that routes traffic between two endpoints in your network. The endpoints can be two FirePOWER managed devices, or a FirePOWER managed device connected to a third-party router.
In a Layer 3 deployment, you can configure network address translation (NAT). You can expose an internal server to an external network, or allow an internal host or server to connect to an external application. You can also configure NAT to hide private network addresses from an external network by using a block of IP addresses, or by using a limited block of IP addresses and port translation.
A virtual private network (VPN) is a network connection that establishes a secure tunnel between endpoints via a public source, such as the Internet or other network. You can configure the FireSIGHT System to build secure VPN tunnels between the virtual routers of Series 3 devices.
FireSIGHT
FireSIGHT™ is Cisco’s discovery and awareness technology that collects information about hosts, operating systems, applications, users, files, networks, geolocation information, and vulnerabilities, in order to provide you with a complete view of your network.
You can use the Defense Center’s web interface to view and analyze data collected by the system. You can also use this data to help you perform access control and modify intrusion rule states. In addition, you can generate and track indications of compromise on hosts on your network based on correlated event data for the hosts.
Access Control
Access control is a policy-based feature that allows you to specify, inspect, and log the traffic that can traverse your network. An access control policy determines how the system handles traffic on your network.
The simplest access control policy directs its target devices to handle all traffic using its default action. You can set this default action to block or trust all traffic without further inspection, or to inspect traffic for intrusions and discovery data.
A more complex access control policy can blacklist traffic based on Security Intelligence data, as well as use access control rules to exert granular control over network traffic logging and handling. These rules can be simple or complex, matching and inspecting traffic using multiple criteria; you can control traffic by security zone, network or geographical location, VLAN, port, application, requested URL, and user. Advanced access control options include decryption, preprocessing, and performance.
Each access control rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic. When you allow traffic, you can specify that the system first inspect it with intrusion or file policies to block any exploits, malware, or prohibited files before they reach your assets or exit your network.
SSL Inspection
SSL inspection is a policy-based feature that allows you to handle encrypted traffic without decryption, or decrypt encrypted traffic for further access control inspection. You can choose to block a source of untrusted encrypted traffic without decrypting or further analyzing the traffic, or you can choose to not decrypt encrypted traffic and inspect it with access control instead.
For further insight into encrypted traffic, you can use public key certificates and paired private keys you upload to the system to decrypt encrypted traffic traversing your network, then inspect the decrypted traffic with access control as if it were never encrypted. If the system does not block the decrypted traffic post-analysis, it re-encrypts the traffic before passing it to the destination host. The system can log details about encrypted connections as it acts on them.
Intrusion Detection and Prevention
Intrusion detection and prevention is the system’s last line of defense before traffic is allowed to its destination. Intrusion policies are defined sets of intrusion detection and prevention configurations invoked by your access control policy. Using intrusion rules and other settings, these policies inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.
Cisco delivers several intrusion policies with the FireSIGHT System. By using system-provided policies you can take advantage of the experience of the Cisco Vulnerability Research Team (VRT). For these policies, the VRT sets intrusion and preprocessor rule states (enabled or disabled), as well as provides the initial configurations for other advanced settings. An enabled rule causes the system to generate intrusion events for (and optionally block) traffic matching the rule.
If the system-provided policies do not fully address the security needs of your organization, custom policies can improve the performance of the system in your environment and can provide a focused view of the malicious traffic and policy violations occurring on your network. By creating and tuning custom policies you can configure, at a very granular level, how the system processes and inspects the traffic on your network for intrusions.
Advanced Malware Protection and File Control
To help you identify and mitigate the effects of malware, the FireSIGHT System’s file control, network file trajectory, and advanced malware protection components can detect, track, capture, analyze, and optionally block the transmission of files (including malware files and nested files inside archive files) in network traffic.
File control allows managed devices to detect and block your users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. You configure file control as part of your overall access control configuration; file policies associated with access control rules inspect network traffic that meets rule conditions.
Network-Based Advanced Malware Protection (AMP)
Network-based advanced malware protection (AMP) allows the system to inspect network traffic for malware in several types of files. Appliances can store detected files for further analysis, either to their hard drive or (for some models) a malware storage pack.
Regardless of whether you store a detected file, you can submit it to the Collective Security Intelligence Cloud for a simple known-disposition lookup using the file’s SHA-256 hash value. You can also submit files for dynamic analysis, which produces a threat score. Using this contextual information, you can configure the system to block or allow specific files.
You configure malware protection as part of your overall access control configuration; file policies associated with access control rules inspect network traffic that meets rule conditions.
FireAMP is Cisco’s enterprise-class, advanced malware analysis and protection solution that discovers, understands, and blocks advanced malware outbreaks, advanced persistent threats, and targeted attacks.
If your organization has a FireAMP subscription, individual users install FireAMP Connectors on their computers and mobile devices (also called endpoints). These lightweight agents communicate with the Cisco cloud, which in turn communicates with the Defense Center.
If your organization’s security policy does not allow for the use of a traditional cloud server connection, you can acquire and configure Cisco’s private, on-premises cloud solution, the FireAMP Private Cloud, which is a virtual machine that acts as a compressed, local version of the public Cisco cloud.
After you configure the Defense Center to connect to the cloud, you can use the Defense Center web interface to view endpoint-based malware events generated as a result of scans, detections, and quarantines on the endpoints in your organization. The Defense Center also uses FireAMP data to generate and track indications of compromise on hosts, as well as display network file trajectories.
Use the FireAMP portal (http://amp.sourcefire.com/) to configure your FireAMP deployment. The portal helps you quickly identify and quarantine malware. You can identify outbreaks when they occur, track their trajectories, understand their effects, and learn how to successfully recover. You can also use FireAMP to create custom protections, block execution of certain applications based on group policy, and create custom whitelists.
The network file trajectory feature allows you to track a file’s transmission path across a network. The system uses SHA-256 hash values to track files; so, to track a file, the system must either:
- calculate the file’s SHA-256 hash value and perform a malware cloud lookup using that value
- receive endpoint-based threat and quarantine data about that file, using the Defense Center’s integration with your organization’s FireAMP subscription
Each file has an associated trajectory map, which contains a visual display of the file’s transfers over time as well as additional information about the file.
Application Programming Interfaces
There are several ways to interact with the system using application programming interfaces (APIs). For detailed information, you can download additional documentation from either of the following Support Sites:
The Event Streamer (eStreamer) allows you to stream several kinds of event data from a Cisco appliance to a custom-developed client application. After you create a client application, you can connect it to an eStreamer server (Defense Center or physical managed device), start the eStreamer service, and begin exchanging data.
eStreamer integration requires custom programming, but allows you to request specific data from an appliance. If, for example, you display network host data within one of your network management applications, you could write a program to retrieve host criticality or vulnerability data from the Defense Center and add that information to your display.
The database access feature allows you to query several database tables on a Defense Center, using a third-party client that supports JDBC SSL connections.
You can use an industry-standard reporting tool such as Crystal Reports, Actuate BIRT, or JasperSoft iReport to design and submit queries. Or, you can configure your own custom application to query Cisco data. For example, you could build a servlet to report intrusion and discovery event data periodically or refresh an alert dashboard.
The host input feature allows you to augment the information in the network map by importing data from third-party sources using scripts or command-line files.
The web interface also provides some host input functionality; you can modify operating system or application protocol identities, validate or invalidate vulnerabilities, and delete various items from the network map, including clients and server ports.
The system includes an API that allows you to create remediations that your Defense Center can automatically launch when conditions on your network violate an associated correlation policy or compliance white list. This can not only automatically mitigate attacks when you are not immediately available to address them, but can also ensure that your system remains compliant with your organization’s security policy. In addition to remediations that you create, the Defense Center ships with several predefined remediation modules.
Documentation Resources
The FireSIGHT System documentation set includes online help and PDF files. You can reach the online help from the web interface in the following ways:
The online help includes information about the tasks you can complete using a Defense Center or device’s web interface, including system management, policy management, and event analysis.
You can access the most up-to-date versions of the PDF documentation on either of the following Support Sites:
- the FireSIGHT System User Guide, which includes the same content as the online help, but in an easy-to-print format
- the FireSIGHT System Installation Guide, which includes information about installing Cisco appliances as well as hardware specifications and safety information
- the FireSIGHT System Virtual Installation Guide, which includes information about installing, managing, and troubleshooting virtual devices and virtual Defense Centers
- the Cisco NGIPS for Blue Coat X-Series Installation and Configuration Guide, which includes information about installing, managing, and troubleshooting Cisco NGIPS for Blue Coat X-Series
- various API guides and supplementary material
Documentation Conventions
This documentation includes information about which FireSIGHT System licenses and appliance models are required for each feature, and which user roles have permission to complete each procedure. For more information, see the following sections:
License Conventions
The License statement at the beginning of a section indicates the license required to use the feature described in the section, as follows:
A FireSIGHT license is included with your Defense Center and is required to perform host, application, and user discovery. The FireSIGHT license on your Defense Center determines how many individual hosts and users you can monitor with the Defense Center and its managed devices, as well as how many users you can use to perform user control.
A Protection license allows managed devices to perform intrusion detection and prevention, file control, and Security Intelligence filtering. This license corresponds to the Protection (TA) subscription, which is automatically included in the purchase of any managed device.
A Control license allows managed devices to perform user and application control. It also allows devices to perform switching and routing (including DHCP relay), NAT, and to cluster devices and stacks. A Control license requires a Protection license. This license is included automatically when you purchase any managed device.
A URL Filtering license allows managed devices to use regularly updated cloud-based category and reputation data to determine which traffic can traverse your network, based on the URLs requested by monitored hosts. A URL Filtering license requires a Protection license. You can purchase this license as a service subscription combined with Protection (TAC or TAMC) or as an add-on subscription (URL) for a device where Protection (TA) is already enabled.
A Malware license allows managed devices to perform network-based advanced malware protection (AMP), that is, to detect, capture, and block malware in files transmitted over your network and to submit those files for dynamic analysis. It also allows you to view trajectories, which track files transmitted over your network. A Malware license requires a Protection license. You can purchase the Malware license as a service subscription combined with Protection (TAM or TAMC) or as an add-on subscription (AMP) for a device where Protection (TA) is already enabled.
A VPN license allows you to build secure VPN tunnels between the virtual routers of Cisco managed devices. A VPN license requires Protection and Control licenses. To purchase a VPN license, contact Sales.
Because licensed capabilities are often additive, this documentation only provides the highest required license for each feature. For example, if a feature requires FireSIGHT, Protection, and Control licenses, only Control is listed.
An “or” statement in a License statement indicates that a particular license is required to use the feature described in the section, but an additional license can add functionality. For example, within a file policy, some file rule actions require a Protection license while others require a Malware license. So, the License statement for the documentation on file rules lists “Protection or Malware.”
Note that because of architecture and resource limitations, not all licenses can be applied to all managed devices. In general, you cannot license a capability that a device does not support; see Summary of Supported Capabilities by Managed Device Model. For more information, see Understanding Licensing.
Supported Device and Defense Center Conventions
The Supported Devices statement at the beginning of a section indicates that a feature is supported only on the specified device series, family, or model. For example, stacking is only supported on Series 3 devices. If a section does not have a Supported Devices statement, the feature is supported on all devices, or the section does not apply to managed devices.
For more information on platforms supported by this release, see Introduction to the Defense Center.
Access Conventions
The Access statement at the beginning of each procedure in this documentation indicates the predefined user role required to perform the procedure. A forward slash separating roles indicates that any of the listed roles can perform the procedure. The following table defines common terms that appear in the Access statement.
Users with custom roles may have permission sets that differ from those of the predefined roles. When a predefined role is used to indicate access requirements for a procedure, a custom role with similar permissions also has access. Some users with custom roles may use slightly different menu paths to reach configuration pages. For example, users who have a custom role with only intrusion policy privileges access the network analysis policy via the intrusion policy instead of the standard path through the access control policy. For more information on custom user roles, see Managing Custom User Roles.
IP Address Conventions
You can use IPv4 Classless Inter-Domain Routing (CIDR) notation and the similar IPv6 prefix length notation to define address blocks in many places in the FireSIGHT System.
CIDR notation uses a network IP address combined with a bit mask to define the IP addresses in the specified block of addresses. For example, the following table lists the private IPv4 address spaces in CIDR notation.
| CIDR Block | IP Addresses in Block | Subnet Mask | Number of IP Addresses |
|---|---|---|---|
| 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255 | 255.0.0.0 | 16,777,216 |
| 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255 | 255.240.0.0 | 1,048,576 |
| 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255 | 255.255.0.0 | 65,536 |
Similarly, IPv6 uses a network IP address combined with a prefix length to define the IP addresses in a specified block. For example, 2001:db8::/32 specifies the IPv6 addresses in the 2001:db8:: network with a prefix length of 32 bits, that is, 2001:db8:: through 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.
When you use CIDR or prefix length notation to specify a block of IP addresses, the FireSIGHT System uses only the portion of the network IP address specified by the mask or prefix length. For example, if you type 10.1.2.3/8, the FireSIGHT System uses 10.0.0.0/8.
In other words, although Cisco recommends the standard method of using a network IP address on the bit boundary when using CIDR or prefix length notation, the FireSIGHT System does not require it.
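The masking behavior described above has a practical consequence for policy review: an entry typed off the bit boundary (such as 10.1.2.3/8) silently becomes the whole network block, which is usually far wider than a single host the operator may have meant. The following Python example is added here and is not code from the FireSIGHT documentation or the product; it applies the mask or prefix length exactly as the text describes, cross-checks the result against the standard library, and flags entries whose host bits were non-zero so that address lists exported from objects or rules can be linted before they are trusted. The sample entries are constructed for the example.

```python
"""Added example: normalize CIDR / prefix-length blocks the way the text describes
and flag entries that were not typed on the bit boundary. Standard library only."""
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple


class BlockInfo(NamedTuple):
    typed: str          # what the operator typed, e.g. "10.1.2.3/8"
    effective: str      # the block actually used, e.g. "10.0.0.0/8"
    first: str          # first address in the effective block
    last: str           # last address in the effective block
    count: int          # number of addresses the block covers
    on_boundary: bool   # True when the typed address already had zero host bits


def normalize_block(spec: str) -> BlockInfo:
    """Keep only the network bits of the typed address (mask or prefix length).

    A missing "/len" is treated as a single host (/32 or /128).
    """
    addr_text, _, plen_text = spec.partition("/")
    addr = ipaddress.ip_address(addr_text.strip())
    width = addr.max_prefixlen                      # 32 for IPv4, 128 for IPv6
    plen = int(plen_text) if plen_text else width
    if not 0 <= plen <= width:
        raise ValueError(f"prefix length {plen} out of range for {spec!r}")

    # Build the mask by hand so the masking step is visible: the top `plen`
    # bits are ones, the remaining host bits are zeros.
    mask = ((1 << plen) - 1) << (width - plen)
    net_int = int(addr) & mask

    # Use the version-specific class so small IPv6 integers are not mistaken for IPv4.
    net_cls = ipaddress.IPv4Network if addr.version == 4 else ipaddress.IPv6Network
    network = net_cls((net_int, plen))

    # Cross-check against the library's own non-strict parser.
    if network != ipaddress.ip_network(spec.strip(), strict=False):
        raise RuntimeError(f"manual masking disagrees with ipaddress for {spec!r}")

    return BlockInfo(
        typed=spec,
        effective=str(network),
        first=str(network.network_address),
        last=str(network.broadcast_address),   # last address, also for IPv6
        count=network.num_addresses,
        on_boundary=(int(addr) == net_int),
    )


def lint_blocks(specs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (typed, effective) for every entry the system would silently widen."""
    findings = []
    for spec in specs:
        info = normalize_block(spec)
        if not info.on_boundary:
            findings.append((spec, info.effective))
    return findings


if __name__ == "__main__":
    # Constructed sample entries, as one might find in an exported object list.
    sample = ["10.1.2.3/8", "2001:db8::/32", "192.168.1.0/24", "172.16.5.9/12"]
    for info in map(normalize_block, sample):
        flag = "" if info.on_boundary else "  [widened]"
        print(f"{info.typed:>16} -> {info.effective:<16} {info.first} .. {info.last} "
              f"({info.count} addresses){flag}")
    print("entries to review:", lint_blocks(sample))
```

Run it on an exported address list to see which entries the system will treat as a larger block than was typed; anything reported by `lint_blocks` should be confirmed with the owner of the object before it is relied on in a rule.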