The Evolution of Cisco’s Firepower

July 7, 2018 at 12:25 am

firepower

If you read the post here on the blog regarding a short history of Cisco Firepower, you recall that Cisco acquired a successful company named Sourcefire and this brought the Firepower technology into the company.

Let’s take a look at the progression of products that have resulted from this acquisition, and provide some more details on the latest technology (as of this writing) which is Firepower Threat Defense (FTD).

2013

  • Classic FirePOWER 7000 Series Appliances
  • Classic FirePOWER 8000 Series Appliances
  • VMware

2014

  • FirePOWER Services on ASA 5500-X
    • ASA5506-X, ASA5506H-X, ASA5506W-X
    • ASA5508-X
    • ASA5516-X
    • ASA5512-X
    • ASA5515-X
    • ASA5525-X
    • ASA5545-X
    • ASA5555-X

2015

  • Firepower Threat Defense on ASA 5500-X
  • Firepower 9300
  • VMware
  • AWS

2016

  • Firepower Threat Defense on Firepower 4100 Series
    • 4110, 4120, 4140, 4150
  • Azure

2017

  • Firepower Threat Defense on Firepower 2100 Series
    • 2110, 2120, 2130, 2140

Remember, FTD is so exciting because it represents the convergence of code from the Sourcefire FirePOWER software and the Cisco ASA software as well as the code representing new features.

The Sourcefire code is actually implemented as multiple software components inside the system and includes:

  • Firepower core software – includes Snort, Web server, database, and firmware
  • Software patches and hotfixes 
  • Snort rules
  • Vulnerability database (VDB)
  • Geolocation database (GDB)
  • URL filtering database
  • Security Intelligence Feed 
  • Local malware detection 
  • Integration components – might include ISE integration, AD integration, etc.

Cisco Firepower – A Brief History

July 5, 2018 at 11:24 am

Firepower

Sourcefire is a Hit

Sourcefire was founded in 2001 by Martin Roesch, the creator of Snort. The company created a commercial version of the Snort software, the Sourcefire 3D System, which evolved into the company’s Firepower line of network security products. Sourcefire was acquired by Cisco for $2.7 billion in July 2013.

What is Snort?

Snort’s open source network-based intrusion detection system (IDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol networks. Snort performs protocol analysis, content searching and matching.

The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans.

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.

  • In sniffer mode, the program will read network packets and display them on the console.
  • In packet logger mode, the program will log packets to the disk.
  • In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified.

The Cisco Sourcefire Integration

Cisco began integrating the Sourcefire technology into various Cisco appliances as soon as possible. For example, the ASA 5500-X and ISR routers began offering Sourcefire capabilities soon after the acquisition.

Cisco also began releasing new hardware platforms to showcase the technology including the:

  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Series

Today, the excitement revolved around the latest implementation of the Sourcefire technology in what Cisco has named Firepower Threat Defense (FTD). FTD represents the convergence of the Cisco ASA software and the Sourcefire technology into a central code base.

Get ready for more detailed posts on this exciting technology!

VIRL ASAv with ASDM

April 16, 2018 at 6:10 pm

VIRL

I had many requests to demonstrate how to use the ASDM GUI to manage an ASAv running inside of VIRL. Here is the video demonstration of how to do it. Enjoy!

Basic Setup of the ASAv in EVE-NG

April 11, 2018 at 8:09 pm

ASAv

In this video, we will examine the configuration of the ASAv for basic practice that would be appropriate for training such as CCNA Security.

An Example of a Security Exploit Due to the Native VLAN

January 18, 2018 at 8:24 pm

Native VLAN

In many of our Cisco courses, we learn that networking best practices often point to the non-use of the Native VLAN. But why is this?

It turns out there are security vulnerabilities that could result from having a VLAN not tagged across your trunk links. For example, there is the VLAN hopping attack.

Here is how this attack could work:

Step 1: A bad person at a customer site wants to send frames into a VLAN that they are not part of.

Step 2: This person double tags the frame (Q-in-Q) with the outer frame matching the native VLAN in use at the provider edge switch.

Step 3: The provider edge switch strips off the outer tag (because it matches the native VLAN), and send this frame across the trunk.

Step 4: The next switch in the path examines the frame and reads the inner VLAN tag and forwards the frame accordingly.

Notice this attack is unidirectional. The attacker can send traffic into the VLAN, but traffic will not return. Even still, this is obviously not something we want taking place.

What are possible solutions?

  • Use ISL trunks in the cloud – this becomes less and less possible as ISL trunks fade away.
  • Use a Native VLAN that is outside of the range permitted for the customer.
  • Tag the native VLAN in the cloud.