Network technologies and trends


September 13, 2016  1:55 PM

What is Cisco FMW portal?

Yasir Irfan
ASA, Checkpoint, Cisco, Cisco ASA, firewall, Juniper, Migration, Software

When migrating a Cisco ASA firewall from an older Cisco ASA platform to another Cisco ASA 5500 or 5500-X Series platform, or from an older ASA version 7.2(x), 8.0(x), 8.1(x) or 8.2(x) to version 9.1(x) or 9.2(x), one can rely on the Cisco FWM portal. This web-based portal provides a unified interface for converting configurations in a secure manner to the desired Cisco ASA platform with very little effort.

Firewall migration tools, whether in the form of a virtual machine or a web portal, give a good review of the migration planned from one version to another or from one vendor to another. But it is hard to rely on them completely, as they may miss a few things. The Cisco FWM portal provides a good platform for planning firewall migrations.

Cisco FMW portal

The Cisco FWM web portal is quite easy to navigate and has good online documentation explaining how the portal works. Currently Cisco offers migrations from one Cisco platform to another Cisco ASA platform, and the conversion can be done from version 7.2(x), 8.0(x), 8.1(x) or 8.2(x) to 9.1(x) or 9.2(x).

Cisco is supposed to offer migration for Juniper SRX firewalls and Checkpoint firewalls as well; currently this is not offered, but Cisco claims it will be offered soon.

The migration process is quite easy: one simply follows the instructions in the web portal to get the converted file. Based on experience, we recommend not relying completely on the converted file, as there will be a few errors in the conversion. However, it proves to be a good reference file to have while planning the migration from one train of ASA software to another.

September 9, 2016  10:44 AM

What is Cisco Firepower Threat Defense (FTD)?

Yasir Irfan
application, ASA, BGP, Cisco, Decryption, EIGRP, filtering, firewall, Integration, ISE, malware, Multicast, OSPF, RIP, Routing, Software, SSL, Static Routing, URL, VPN

Cisco Firepower Threat Defense (FTD) is a unified software image which includes the Cisco ASA features and FirePOWER Services. This unified software offers the functions of the ASA and FirePOWER on one platform, in terms of both hardware and software features. This seems to be a good approach by Cisco, especially when most Next Generation Firewall vendors are offering their Next Generation solutions on a single platform with a unified image. Currently the Cisco Firepower Threat Defense (FTD) unified software image is available in the following releases:

  • 6.0
  • 6.2

The Cisco Firepower Threat Defense (FTD) offers the following Next-Generation Firewall services:

  • Stateful firewall Capabilities
  • Static and dynamic routing
    • Supports RIP, OSPF, BGP, Static Routing
  • Next-Generation Intrusion Prevention Systems (NGIPS)
  • URL Filtering
  • Application visibility and control (AVC)
  • Advanced Malware Protection
  • ISE Integration
  • SSL Decryption
  • Captive Portal
  • Multi-Domain Management

Currently the Cisco Firepower Threat Defense (FTD) unified software can be deployed on the Cisco Firepower 4100 Series and Firepower 9300 appliances, as well as on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. However, the Cisco Firepower Threat Defense (FTD) unified software cannot be deployed on the Cisco ASA 5505 and 5585-X Series appliances.

Some of the key features which Cisco Firepower Threat Defense (FTD) currently lacks are as follows:

  • VPN Function
  • Multi Context mode
  • EIGRP and Multicast
  • Does not support Cisco ASA 5505 & 5585-X Appliances

The lack of VPN function is a major drawback which Cisco needs to overcome in an upcoming release of the Cisco Firepower Threat Defense image. This certainly discourages enterprise customers from adopting the Cisco Firepower Threat Defense unified image on their supported ASA 5500 Series platforms.


August 29, 2016  3:53 PM

Cisco ASA FirePOWER Services Licensing

Yasir Irfan
ASA, Cisco, detection, firewall, License, malware, URL

In order to have the full Next Generation features enabled on the Cisco ASA FirePOWER module, one should ensure that the appropriate licenses are in place. Currently Cisco offers the following licenses for Cisco ASA FirePOWER Services:

License Types

License Type  | Service subscription to be purchased | Granted capabilities                                                               | Requires   | Expire capable?
Protection    | TA                                   | intrusion detection and prevention; file control; Security Intelligence filtering  | none       | no
Control       | none (included with module)          | user and application control                                                       | Protection | no
Malware       | TAM, TAMC, or AMP                    | advanced malware protection (network-based malware detection and blocking)         | Protection | yes
URL Filtering | TAC, TAMC, or URL                    | category and reputation-based URL filtering                                        | Protection | yes

Protection License:

The Protection License is used to perform intrusion detection and prevention, file control, and Security Intelligence filtering.

Control License:

The Control License is used to implement user and application control. The Protection License allows one to create access control policies based on user identity and application settings; however, those rules cannot be applied unless the Control License is installed and enabled in the ASA FirePOWER module.

Malware License:

The Malware License enables Advanced Malware Protection (AMP) in the Cisco ASA FirePOWER module. Basically, with this license one can detect and block malware potentially transmitted over the network.

URL Filtering License:

The URL Filtering License is used to allow or block the traffic passing through the ASA firewall based on URL categories, individual URLs or groups of URLs. An access control policy is created for this action.

One can really mix and match these licenses in the Cisco ASA FirePOWER module based on the business need.


August 26, 2016  6:17 AM

Shadow Brokers group and Cisco exploit

Yasir Irfan
ASA, Cisco, NSA, Security, SNMP, Software, vulnerability

The recent claims by the Shadow Brokers group to have stolen hacking tools which might belong to the National Security Agency (NSA) have drawn the interest of major security vendors. Cisco acknowledged that there is a vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) software which could allow an authenticated remote attacker to cause a reload of the affected ASA or to execute code remotely. The only prerequisite to exploit this vulnerability is knowledge of the SNMP community string (SNMP version 1 and SNMP version 2c) or a valid username and password (SNMP version 3).

The following are the affected products:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 4100 Series
  • Cisco Firepower 9300 ASA Security Module
  • Cisco Firepower Threat Defense Software
  • Cisco Firewall Services Module (FWSM)
  • Cisco Industrial Security Appliance 3000
  • Cisco PIX Firewalls

The workaround initially offered by Cisco is to ensure that only trusted users have SNMP access to Cisco security products, using the snmp-server host command.

The following link provides step-by-step guidance on how SNMP is configured in the Cisco ASA:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/monitor-snmp.html

This falls under best practices, and one should always follow the recommended security best practices. Those who are already following them are safe. It is worth revisiting the configuration of every Cisco security appliance and doing a thorough review.

Cisco has also released new versions of the software which fix this vulnerability.

Fixed Releases

Cisco ASA Major Release | First Fixed Release
7.2                     | Affected; migrate to 9.1.7(9) or later
8.0                     | Affected; migrate to 9.1.7(9) or later
8.1                     | Affected; migrate to 9.1.7(9) or later
8.2                     | Affected; migrate to 9.1.7(9) or later
8.3                     | Affected; migrate to 9.1.7(9) or later
8.4                     | Affected; migrate to 9.1.7(9) or later
8.5                     | Affected; migrate to 9.1.7(9) or later
8.6                     | Affected; migrate to 9.1.7(9) or later
8.7                     | Affected; migrate to 9.1.7(9) or later
9.0                     | 9.0.4(40)
9.1                     | 9.1.7(9)
9.2                     | 9.2.4(14)
9.3                     | 9.3.3(10)
9.4                     | 9.4.3(8) ETA 8/26/2016
9.5                     | 9.5(3) ETA 8/30/2016
9.6 (FTD)               | 9.6.1(11) / FTD 6.0.1(2)
9.6 (ASA)               | 9.6.2

The fixed releases issued by Cisco show that all major ASA software trains are affected and that an upgrade to the 9.x (ASA) train is required, which means one should ensure the hardware in use has enough memory. It is better to contact Cisco TAC for advice on how to proceed with the upgrade.
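As an added example (not from the post or from Cisco), the following Python script applies the two points of this post, the fixed-release table and the snmp-server host workaround, to a constructed "show version" line and running-config excerpt: it reports whether the running version is below the first fixed release for its train and lists SNMP pollers that are not on SNMPv3. The version strings, interface name, addresses and user/group names are assumptions.

```python
import re

# First fixed release per ASA train, from the table in the post above.
# Trains 7.2 through 8.7 have no fix of their own and must migrate to 9.1.7(9).
FIRST_FIXED = {"9.0": "9.0.4(40)", "9.1": "9.1.7(9)", "9.2": "9.2.4(14)",
               "9.3": "9.3.3(10)", "9.4": "9.4.3(8)", "9.5": "9.5(3)", "9.6": "9.6.2"}
MIGRATE_TARGET = "9.1.7(9)"

# Constructed sample input (not from any real device): a 'show version' line and
# a config with one SNMPv3 poller and one community-string (v2c) poller.
SAMPLE_VERSION = "Cisco Adaptive Security Appliance Software Version 9.1(6)"
SAMPLE_CONFIG = """\
snmp-server group NMS-GROUP v3 priv
snmp-server user nmsuser NMS-GROUP v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
snmp-server host inside 10.1.1.5 version 3 nmsuser
snmp-server host inside 10.1.1.6 community public version 2c
"""

def version_key(text):
    """Normalise '9.1(7)9', '9.1.7(9)' or '9.6.2' into a comparable 4-tuple."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    return nums + (0,) * (4 - len(nums))

def first_fixed_for(version):
    """First fixed release for this version's train, or None if not in the table."""
    major, minor = version_key(version)[:2]
    if f"{major}.{minor}" in FIRST_FIXED:
        return FIRST_FIXED[f"{major}.{minor}"]
    return MIGRATE_TARGET if (major, minor) < (9, 0) else None

def is_vulnerable_version(version):
    fixed = first_fixed_for(version)
    return fixed is not None and version_key(version) < version_key(fixed)

def snmp_hosts(config):
    """Return (interface, host, version) for every 'snmp-server host' line."""
    found = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["snmp-server", "host"] or len(tokens) < 4:
            continue
        version = "1/2c"  # no explicit version keyword: community-string based
        if "version" in tokens and tokens.index("version") + 1 < len(tokens):
            version = tokens[tokens.index("version") + 1]
        found.append((tokens[2], tokens[3], version))
    return found

def assess(show_version_line, config):
    """List findings: software below the first fixed release, non-SNMPv3 pollers."""
    version = re.search(r"Version (\S+)", show_version_line).group(1)
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"ASA {version} is below first fixed release "
                        f"{first_fixed_for(version)}")
    for intf, host, ver in snmp_hosts(config):
        if ver != "3":
            findings.append(f"SNMP poller {host} on {intf} uses version {ver}; "
                            "move it to SNMPv3 with auth and priv")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(SAMPLE_VERSION, SAMPLE_CONFIG)))
```

Trains not in the post's table (anything newer than 9.6) are reported as not covered rather than as fixed.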


August 20, 2016  11:40 AM

Cisco ASA FirePOWER deployment options – Series 2

Yasir Irfan
ASA, Cisco, Decryption, Encryption, IPsec, Security, Security policies, Ssl vpn, traffic

The Cisco ASA FirePOWER module can be configured in promiscuous monitor-only mode, also known as passive mode. As the name suggests, in passive mode the Cisco ASA FirePOWER module does nothing to the traffic passing through the ASA; rather, the ASA just forwards a copy of each packet to the Cisco ASA FirePOWER module.

The figure below illustrates the complete order of operation of the Cisco ASA FirePOWER module in promiscuous monitor-only (passive) mode.


Figure 1.1 – ASA FirePOWER Module in promiscuous monitor-only mode

Suppose Host A sends traffic to Host B; it will go through the following process:

  1. Traffic sent from Host A is received by the Outside interface of the ASA firewall.
  2. If IPsec or SSL VPN is configured, the incoming encrypted traffic is decrypted.
  3. Firewall policies are applied to the decrypted traffic.
  4. If the received traffic is compliant with and allowed by the ASA policies, a copy of the traffic is sent to the ASA FirePOWER module. If the traffic is not compliant with the security policies or is malicious in nature, the Cisco ASA FirePOWER module can be configured to send an alert to the network security administrator; however, it cannot take any action to stop the malicious or non-compliant traffic.
  5. If IPsec or SSL VPN is configured, the decrypted traffic is encrypted again.
  6. The processed traffic is then forwarded to the respective interface, in this case the Inside interface.

One can see the real benefit of the Cisco ASA FirePOWER module in inline mode, as promiscuous monitor-only (passive) mode has no capability to take any action on infected or non-compliant traffic. Rather, it can be useful for POCs and for capacity planning of new deployments.


August 19, 2016  5:55 PM

Cisco ASA FirePOWER deployment options – Series 1

Yasir Irfan
ASA, Cisco, Decryption, Encryption, Security policies

When it comes to deploying the Cisco ASA FirePOWER module, it can be configured in one of the following modes:

  • Inline Mode
  • Promiscuous monitor-only (passive) mode

Inline Mode

In inline mode, the traffic passes through the configured ASA firewall policies and is then sent to the ASA FirePOWER module for further action.

The figure below illustrates the complete order of operation of the Cisco ASA FirePOWER module in inline mode.


Figure 1 – ASA FirePOWER in Inline Mode

Suppose Host A sends traffic to Host B; it will go through the following process:

  1. Traffic sent from Host A is received by the Outside interface of the ASA firewall.
  2. If IPsec or SSL VPN is configured, the incoming encrypted traffic is decrypted.
  3. Firewall policies are applied to the decrypted traffic.
  4. If the received traffic is compliant with and allowed by the ASA policies, the traffic is sent to the ASA FirePOWER module.
  5. The Cisco ASA FirePOWER module then applies its security policy to the traffic and takes the appropriate action. If the traffic is not compliant with the security policies or is malicious in nature, the Cisco ASA FirePOWER module sends its verdict back to the ASA to block the traffic, and the ASA also sends an alert to the network security administrator. If the traffic is valid, the ASA allows it to pass through.
  6. If IPsec or SSL VPN is configured, the decrypted traffic is encrypted again.
  7. The processed traffic is then forwarded to the respective interface, in this case the Inside interface.

Only Cisco knows how the traffic is processed in the Cisco ASA Next Generation Firewall at the hardware level; at the same time, there are very few deployment options Cisco offers with its Next Generation security solutions.


August 14, 2016  7:48 AM

An Introduction Cisco ASA FirePOWER Services

Yasir Irfan
CCIE, Cisco, Decryption, IPS, SSL

As we all know, Cisco has jumped into the Next Generation Firewall segment; though late, they are trying to sell their next-generation firewall services, including Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP), in the form of Cisco ASA FirePOWER Services.

Cisco offers FirePOWER Services either in the form of a hardware module or a software-based security module.

The Cisco ASA 5585-X runs a hardware-based security module (SSP), and the Cisco ASA 5506-X to 5555-X run a software-based security module on a Solid State Drive (SSD).

Some of the key FirePOWER security features are as follows:

  • Application Control
  • Identity Control
  • Intrusion Detection and Prevention (IPS)
  • Security Intelligence
  • URL Filtering
  • Advanced Malware Protection (AMP)
  • File Blocking
  • SSL Decryption

The features newly introduced by Cisco provide good control over the types of application one can allow based on user identity. It's interesting to see how the decryption part is going to work, as it really needs good hardware to intercept the encrypted traffic and take an appropriate action.


August 2, 2016  5:35 AM

A review for “Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP”

Yasir Irfan
CCIE, Cisco, Cisco ASA, Cisco Press, Exam, firewall, Security, threat

The newly released Cisco Press title "Cisco Next-Generation Security Solutions" seems to be a great resource which deals with Cisco ASA FirePOWER Services, NGIPS and AMP. Thanks to Cisco Press for sharing the eBook with me. I have been eagerly waiting for this title as I was keen to know what Cisco Next-Generation Firewalls are like, and how Cisco is going to bundle their Next-Generation features into the Cisco ASA firewall.

This title deals only with the new concepts Cisco introduced with their Next-Generation Security Solutions, such as how Cisco ASA works with FirePOWER Services, how the different models of Cisco ASA 5500-X Series firewalls can be integrated with FirePOWER modules, what AMP is, etc.

This title comes with 12 chapters focusing on the following topics:

  • Fundamentals of Cisco’s Next-Generation Network Security
  • Understanding Cisco ASA with FirePOWER Services and designing solutions based on it
  • Configuring and troubleshooting Cisco ASA with FirePOWER Services
  • Implementing Cisco AMP for Networks, Cisco AMP for Endpoints, and Cisco AMP for Content Security
  • Working with AMP Threat GRID: On-Premise Malware Analysis and Threat Intelligence
  • Understanding, configuring, troubleshooting, and designing solutions with Cisco Next-Generation IPS Appliances
  • Managing Cisco FirePOWER solutions with Cisco Security Manager (CSM) and FireSIGHT Management Center (FSMC)

The introductory chapter "Fundamentals of Cisco Next-Generation Security" is well crafted by the authors; it is quite simple and gives a brief overview of Cisco's Next-Generation Security solutions, such as the ASA 5500-X Series firewalls with FirePOWER modules, Next-Generation Intrusion Prevention Systems (NGIPS), and Cisco AMP for Endpoints, Networks and Cloud solutions.

The design chapter is my personal favourite, as it showcases how the Cisco ASA FirePOWER modules can be deployed in real-world networks and what management options are available to manage the Cisco ASA FirePOWER module.

Chapter 4, which deals with troubleshooting Cisco ASA with FirePOWER Services and Firepower Threat Defense (FTD), is interesting as it demonstrates how to troubleshoot common problems one may encounter while deploying the Cisco ASA FirePOWER Services module and the Firepower Threat Defense software.

The title is well written and lives up to the standards of Cisco Press titles; however, I felt a little more emphasis could have been given to elaborating the Cisco ASA FirePOWER packet processing order. I am keen to see how the packet is processed at the hardware level, and especially would love to see how the next-generation features are enabled. I hope this will be addressed in the next edition.

Overall, the title is a great resource for understanding how Cisco Next-Generation Security Solutions work, and one can rely on it to gain a better understanding of the concepts newly introduced by Cisco. This title is also a recommended book for the Cisco CCIE Security written and practical exams.


February 29, 2016  12:45 PM

Things to consider before introducing Palo Alto Firewall into routing domain- Series 2

Yasir Irfan
ASA, BGP, Cisco, firewall, Network design, OSPF, Routing

In my previous post, I mentioned that the Palo Alto Networks firewall has issues running the OSPF protocol and forming an adjacency with its neighbor, especially when it is used as an ABR.

This issue generally occurs if a zone protection profile (ZPP) is applied on the interface which is forming an adjacency with the remote routers; the moment the ZPP is removed, the OSPF adjacency forms and the Palo Alto firewall can be used as an ABR.

In an upcoming post I will try to talk more about the Zone Protection Profile.


February 29, 2016  12:07 PM

How does Palo Alto Firewall identify an App?

Yasir Irfan
app, application, ASA, BGP, Cisco, firewall, HTTP, IP address, Network design, OSPF, Routing, Signatures, Technology

When it comes to identifying an application, the Palo Alto firewall is quite accurate and yields great results in either allowing or dropping the traffic based on the security policy applied. I believe App-ID is the strongest point of Palo Alto firewalls and it makes them leaders in the Next Generation Firewall segment.

App-ID™ is a patented traffic classification technology of Palo Alto Next Generation firewalls, and it uses multiple identification mechanisms to identify applications traversing the network.

Figure – App-ID flow

Based on the App-ID flow above, the Palo Alto firewall applies the following mechanisms to identify the application:

  1. Initially the traffic is classified based on the IP address and port number used.
  2. An application is identified on the allowed traffic by applying signatures.
  3. If encryption is in use and a decryption policy is in place, the traffic is decrypted and application signatures are applied to the decrypted flow.
  4. Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside the protocol (for example, Yahoo! Instant Messenger used across HTTP).
  5. For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.

Once an application is identified, the policy check decides how to treat the application: based on the policy defined, it will either allow, block, scan for threats/file transfers/data patterns, or rate-limit using QoS.

