FireSIGHT Virtual Installation Guide Version 5.4.1

Guidelines and Limitations

The following limitations exist when deploying virtual Defense Center or devices on VMware:

• vMotion is not supported.
• Cloning a virtual machine is not supported.
• Restoring a virtual machine with a snapshot is not supported.
• Restoring a backup is not supported.

Virtual Defense Centers

A Defense Center provides a centralized management point and event database for your FireSIGHT System deployment. Virtual Defense Centers aggregate and correlate intrusion, file, malware, discovery, connection, and performance data, assessing the impact of events on particular hosts and tagging hosts with indications of compromise. This allows you to monitor the information that your devices report in relation to one another, and to assess and control the overall activity that occurs on your network.

Key features of the virtual Defense Center include:

• device, license, and policy management
• event and contextual information displayed in tables, graphs, and charts
• health and performance monitoring
• external notification and alerting
• correlation, indications of compromise, and remediation features for real-time threat response
• custom and template-based reporting

Virtual Managed Devices

Virtual devices deployed on network segments within your organization monitor traffic for analysis. Virtual devices deployed passively help you gain insight into your network traffic. Deployed inline, you can use virtual devices to affect the flow of traffic based on multiple criteria. Depending on model and license, devices:

• gather detailed information about your organization’s hosts, operating systems, applications, users, files, networks, and vulnerabilities
• block or allow network traffic based on various network-based criteria, as well as other criteria including applications, users, URLs, IP address reputations, and the results of intrusion or malware inspections

Virtual devices do not have a web interface. You must configure them via console and command line, and you must manage them with a Defense Center.

Understanding Virtual Defense Center Capabilities

Supported Capabilities for Virtual Defense Centers matches the major capabilities of the system with virtual Defense Centers, assuming you are managing devices that support those features and have the correct licenses installed and applied.

For a brief summary of the features and licenses supported with virtual appliances, see FireSIGHT System Components and Licensing Virtual Appliances.

Keep in mind that virtual Defense Centers can manage Series 2, Series 3, ASA FirePOWER, and X-Series devices. Similarly, Series 2 and Series 3 Defense Centers can manage virtual devices. The Defense Center column for device-based capabilities (such as stacking, switching, and routing) indicates whether a virtual Defense Center can manage and configure devices to perform those functions. For example, although you cannot configure VPN on a virtual device, you can use a virtual Defense Center to manage Series 3 devices in a VPN deployment.

Understanding Virtual Managed Device Capabilities

Supported Capabilities for Virtual Managed Devices matches the major capabilities of the system with virtual managed devices, assuming you have the correct licenses installed and applied from the managing Defense Center.

Keep in mind that although you can use any model of Defense Center running Version 5.4.1 of the system to manage any Version 5.4.1 virtual device, a few system capabilities are limited by the Defense Center model. For example, you cannot use the Series 2 DC500 to manage virtual managed devices performing Security Intelligence filtering, even though virtual managed devices support that capability. For more information, see Understanding Virtual Defense Center Capabilities.

Operating Environment Prerequisites

You can host 64-bit virtual appliances on the following hosting environments:

• VMware ESXi 5.5 (vSphere 5.5)
• VMware ESXi 5.1 (vSphere 5.1)
• VMware vCloud Director 5.1

You can also enable VMware Tools on all supported ESXi versions. For information on the full functionality of VMware Tools, see the VMware website (http://www.vmware.com/). For help creating a hosting environment, see the VMware ESXi documentation, including VMware vCloud Director and VMware vCenter.

Virtual appliances use Open Virtual Format (OVF) packaging. VMware Workstation, Player, Server, and Fusion do not recognize OVF packaging and are not supported. Additionally, virtual appliances are packaged as virtual machines with Version 7 of the virtual hardware.

The computer that serves as the ESXi host must meet the following requirements:

• It must have a 64-bit CPU that provides virtualization support, either Intel® Virtualization Technology (VT) or AMD Virtualization™ (AMD-V™) technology.
• Virtualization must be enabled in the BIOS settings
• To host virtual devices, the computer must have network interfaces compatible with Intel e1000 drivers (such as PRO 1000MT dual port server adapters or PRO 1000GT desktop adapters).

For more information, see the VMware website: http://www.vmware.com/resources/guides.html.

Each virtual appliance you create requires a certain amount of memory, CPUs, and hard disk space on the ESXi host. Do not decrease the default settings, as they are the minimum required to run the system software. However, to improve performance, you can increase a virtual appliance’s memory and number of CPUs, depending on your available resources. The following table lists the default appliance settings.

Virtual Appliance Performance

It is not possible to accurately predict throughput and processing capacity for virtual appliances. A number of factors heavily influence performance, such as the:

• amount of memory and CPU capacity of the ESXi host
• number of total virtual machines running on the ESXi host
• number of sensing interfaces, network performance, and interface speed
• amount of resources assigned to each virtual appliance
• level of activity of other virtual appliances sharing the host
• complexity of policies applied to a virtual device

Tip VMware provides a number of performance measurement and resource allocation tools. Use these tools on the ESXi host while you run your virtual appliance to monitor traffic and determine throughput. If the throughput is not satisfactory, adjust the resources assigned to the virtual appliances that share the ESXi host.

You can enable VMware Tools to improve the performance and management of your virtual appliances. Alternatively, you can install tools (such as esxtop or VMware/third-party add-ons) on the host or in the virtualization management layer (not the guest layer) on the ESXi host to examine virtual performance. To enable VMware Tools, see the FireSIGHT System User Guide.

FireSIGHT

FireSIGHT ™ is Cisco’s discovery and awareness technology that collects information about hosts, operating systems, applications, users, files, networks, geolocation information, and vulnerabilities, in order to provide you with a complete view of your network.

You can use the Defense Center’s web interface to view and analyze data collected by FireSIGHT. You can also use this data to help you perform access control and modify intrusion rule states. In addition, you can generate and track indications of compromise on hosts on your network based on correlated event data for the hosts.

Access Control

Access control is a policy-based feature that allows you to specify, inspect, and log the traffic that can traverse your network. An access control policy determines how the system handles traffic on your network. You can use a policy that does not include access control rules to handle traffic in one of the following ways, using what is called the default action :

• block all traffic from entering your network
• trust all traffic to enter your network without further inspection
• allow all traffic to enter your network, and inspect the traffic with a network discovery policy only
• allow all traffic to enter your network, and inspect the traffic with intrusion and network discovery policies

You can include access control rules in an access control policy to further define how traffic is handled by targeted devices, from simple IP address matching to complex scenarios involving different users, applications, ports, and URLs. For each rule, you specify a rule action, that is, whether to trust, monitor, block, or inspect matching traffic with an intrusion or file policy.

For each access control policy, you can create a custom HTML page that users see when the system blocks their HTTP requests. Optionally, you can display a page that warns users, but also allows them to click a button to continue to the originally requested site.

As part of access control, the Security Intelligence feature allows you to blacklist—deny traffic to and from—specific IP addresses before the traffic is subjected to analysis by access control rules. If your system supports geolocation, you can also filter traffic based on its detected source and destination countries and continents.

Access control includes intrusion detection and prevention, file control, and advanced malware protection. For more information, see the next sections.

Intrusion Detection and Prevention

Intrusion detection and prevention allows you to monitor your network traffic for security violations and, in inline deployments, to block or alter malicious traffic.

Intrusion prevention is integrated into access control, where you can associate an intrusion policy with specific access control rules. If network traffic meets the conditions in a rule, you can analyze the matching traffic with an intrusion policy. You can also associate an intrusion policy with the default action of an access control policy.

An intrusion policy contains a variety of components, including:

• rules that inspect the protocol header values, payload content, and certain packet size characteristics
• rule state configuration based on FireSIGHT recommendations
• advanced settings, such as preprocessors and other detection and performance features
• preprocessor rules that allow you to generate events for associated preprocessors and preprocessor options

File Tracking, Control, and Malware Protection

To help you identify and mitigate the effects of malware, the FireSIGHT System’s file control, network file trajectory, and advanced malware protection components can detect, track, capture, analyze, and optionally block the transmission of files (including malware files) in network traffic.

File Control

File control allows managed devices to detect and block your users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. You configure file control as part of your overall access control configuration; file policies associated with access control rules inspect network traffic that meets rule conditions.

Network-Based Advanced Malware Protection (AMP)

Network-based advanced malware protection (AMP) allows the system to inspect network traffic for malware in several types of files. Virtual devices can store detected files for further analysis to a hard drive.

Regardless of whether you store a detected file, you can submit it to the Collective Security Intelligence Cloud for a simple known-disposition lookup using the file’s SHA-256 hash value. You can also submit files for dynamic analysis, which produces a threat score. Using this contextual information, you can configure the system to block or allow specific files.

You configure malware protection as part of your overall access control configuration; file policies associated with access control rules inspect network traffic that meets rule conditions.

FireAMP Integration

FireAMP is Cisco’s enterprise-class, advanced malware analysis and protection solution that discovers, understands, and blocks advanced malware outbreaks, advanced persistent threats, and targeted attacks.

If your organization has a FireAMP subscription, individual users install FireAMP Connectors on their computers and mobile devices (also called endpoints). These lightweight agents communicate with the Collective Security Intelligence Cloud, which in turn communicates with the Defense Center.

After you configure the Defense Center to connect to the cloud, you can use the Defense Center web interface to view endpoint-based malware events generated as a result of scans, detections, and quarantines on the endpoints in your organization. The Defense Center also uses FireAMP data to generate and track indications of compromise on hosts, as well as display network file trajectories.

Use the FireAMP portal to configure your FireAMP deployment. The portal helps you quickly identify and quarantine malware. You can identify outbreaks when they occur, track their trajectories, understand their effects, and learn how to successfully recover. You can also use FireAMP to create custom protections, block execution of certain applications based on group policy, and create custom whitelists.

See http://amp.sourcefire.com/ for more information.

Network File Trajectory

The network file trajectory feature allows you to track a file’s transmission path across a network. The system uses SHA-256 hash values to track files; so, to track a file, the system must either:

– calculate the file’s SHA-256 hash value and perform a malware cloud lookup using that value

– receive endpoint-based threat and quarantine data about that file, using the Defense Center’s integration with your organization’s FireAMP subscription

Each file has an associated trajectory map, which contains a visual display of the file’s transfers over time as well as additional information about the file.

Application Programming Interfaces

There are several ways to interact with the system using application programming interfaces (APIs). For detailed information, you can download additional documentation from the Support Site.

eStreamer

The Event Streamer (eStreamer) allows you to stream several kinds of event data from a Cisco appliance to a custom-developed client application. After you create a client application, you can connect it to an eStreamer server (Defense Center or managed device), start the eStreamerservice, and begin exchanging data.

eStreamer integration requires custom programming, but allows you to request specific data from an appliance. If, for example, you display network host data within one of your network management applications, you could write a program to retrieve host criticality or vulnerability data from the Defense Center and add that information to your display.

External Database Access

The database access feature allows you to query several database tables on a Defense Center, using a third-party client that supports JDBC SSL connections.

You can use an industry-standard reporting tool such as Crystal Reports, Actuate BIRT, or JasperSoft iReport to design and submit queries. Or, you can configure your own custom application to query Cisco data. For example, you could build a servlet to report intrusion and discovery event data periodically or refresh an alert dashboard.

Host Input

The host input feature allows you to augment the information in the network map by importing data from third-party sources using scripts or command-line files.

The web interface also provides some host input functionality; you can modify operating system or application protocol identities, validate or invalidate vulnerabilities, and delete various items from the network map, including clients and server ports.

Remediation

The system includes an API that allows you to create remediations that your Defense Center can automatically launch when conditions on your network violate an associated correlation policy or compliance white list. This can not only automatically mitigate attacks when you are not immediately available to address them, but can also ensure that your system remains compliant with your organization’s security policy. In addition to remediations that you create, the Defense Center ships with several predefined remediation modules.

Multiple Management Interfaces

You can use multiple management interfaces on Series 3 appliances and the virtual Defense Center to improve performance by separating traffic into two traffic channels: management traffic channel to carry inter-device communication and event traffic channel to carry event traffic such as web access. Both traffic channels can be carried on the same management interface or split between two management interfaces, each interface carrying one traffic channel.

You can create a route from a specific management interface on your Defense Center to a different network, allowing your Defense Center to manage traffic from devices on one network separately from traffic from devices on another network.

Additional management interfaces function the same as the default management interface (such as using high availability between the Defense Centers) with the following exceptions:

• You can configure DHCP on the default ( eth0) management interface only. Additional ( eth1 and so on) interfaces require unique static IP addresses and hostnames.
• You must configure both traffic channels to use the same management interface when you use a non-default management interface to connect your Defense Center and managed device and those appliances are separated by a NAT device.
• On the 70xx Family, you can separate traffic into two channels and configure those channels to send traffic to one or more management interfaces on the virtual Defense Center. However, because the 70xx Family contains only one management interface, the device receives traffic sent from the Defense Center on only one management interface.

After your appliance is installed, use the web browser to configure multiple management interfaces. To add a management interface to your virtual Defense Center, see Adding and Configuring Interfaces. See Multiple Management Interfaces in the FireSIGHT System User Guide for more information.

Internet Access Requirements

Virtual Defense Centers are configured to directly connect to the Internet on ports 443/tcp (HTTPS) and 80/tcp (HTTP), which are open by default. On virtual devices, port 443 is open only if you enable a Malware license, so the device can submit files for dynamic analysis. For more information, see Communication Ports Requirements. FireSIGHT virtual appliances support use of a proxy server; for more information see the FireSIGHT System User Guide. Note also that a proxy server cannot be used for whois access.

The following table describes the Internet access requirements of specific features of the FireSIGHT System.

Communication Ports Requirements

FireSIGHT System appliances communicate using a two-way, SSL-encrypted communication channel, which by default uses port 8305/tcp. The system requires this port remain open for basic intra-appliance communication. Other open ports allow:

• access to an appliance’s web interface
• secure remote connections to an appliance
• certain features of the system to access the local or Internet resources they need to function correctly

In general, feature-related ports remain closed until you enable or configure the associated feature. For example, until you connect the Defense Center to a User Agent, the agent communications port (3306/tcp) remains closed. As another example, port 623/udp remains closed on Series 3 appliances until you enable LOM.

Caution Do not close an open port until you understand how this action will affect your deployment.

---

For example, closing port 25/tcp (SMTP) outbound on a manage device blocks the device from sending email notifications for individual intrusion events (see the FireSIGHT System User Guide). As another example, you can disable access to a physical managed device’s web interface by closing port 443/tcp (HTTPS), but this also prevents the device from submitting suspected malware files to the Collective Security Intelligence Cloud for dynamic analysis.

Note that the system allows you to change some of its communication ports:

• You can specify custom ports for LDAP and RADIUS authentication when you configure a connection between the system and the authentication server; see the FireSIGHT System User Guide.
• You can change the management port (8305/tcp); see the FireSIGHT System User Guide. However, Cisco strongly recommends that you keep the default setting. If you change the management port, you must change it for all appliances in your deployment that need to communicate with each other.
• You can use port 32137/tcp to allow upgraded Defense Centers to communicate with the Collective Security Intelligence Cloud. However, Cisco recommends you switch to port 443, which is the default for fresh installations of Version 5.3 and later. For more information, see the FireSIGHT System User Guide.

The following table lists the open ports required by each appliance type so that you can take full advantage of FireSIGHT System features.