Sourcefire: Next-Gen IPS & FW
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Who is Sourcefire?
• Founded in 2001, based in Columbia, MD
• Security from Cloud to Core
• Market leader in (NG)IPS
• New entrant to NGFW space with strong offering
• Groundbreaking Advanced Malware Protection solution
• IronPort – 2007 (WSA, ESA): investment $830M
• ScanSafe – 2010: investment $183M
• Meraki – 2012: Cisco paid approximately $1.2 billion
Market Leading Security Portfolio
Firewall & NGFW: Cisco ASA; Meraki MX; Cisco ISR Sec WAN; Sourcefire Next Generation FW
IPS & NGIPS: Cisco IPS; Cisco ASA Module; Sourcefire Next Generation IPS
Advanced Malware Protection: Sourcefire AMP; AMP Mobile; AMP Virtual Cloud; AMP for FirePOWER license
Web Security: Cisco WSA; Cisco ScanSafe
Email Security: Cisco ESA; Cisco Cloud
NAC + Identity Services: Cisco ISE; Cisco ACS
VPN: Cisco AnyConnect; Cisco ASA
UTM (Firewall+): Meraki MX
• Speed
• Accuracy
• Flexibility
• Value
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: Whitehouse, US
User ID: bobama
Full Name: Barack Obama
Department: Executive Office
[Passive discovery: vulnerabilities, services, communications, applications]
Event funnel: 100,000 raw events → 5,000 → 500 → 20 → +10 from correlation rules
§ Sensor
→ Common packet acquisition chain
→ Scalable hardware
• Raw compute power
• Flow processors
→ Rules scale as log n
§ Analysis
→ Impact analysis
→ Contextual data at source
→ Rich pivot interfaces
→ Correlation rules
§ Remediation services
View all application traffic… On what operating systems?
• Works as you do
Flexible workflows match your security processes
Complex table joins visualize your data
Rich context explorer, dashboards & reports
[Architecture diagram: DAQ; Network Awareness, Identity Awareness, Threat Awareness, User Awareness; Alerting, Correlation and Reporting engines; Presentation / User Interface]
Sourcefire Leadership and Recognition
Leadership*
§ Class leader in detection
§ Class leader in performance
§ Class leader in vulnerability coverage
§ Completely evasion free
Ratings*
§ 99% detection & protection
§ 34 Gbps inspected throughput
§ 60M concurrent connections
§ $15 TCO / protected Mbps

§ 120M concurrent connections
§ Class leader in sessions
§ $17 TCO / protected Mbps
§ Completely evasion free

"For the past five years, Sourcefire has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities."
Vikram Phatak, CTO, NSS Labs, Inc.
NSS Labs Management CAR

* NSS Labs, "Network IPS Product Analysis – Sourcefire 3D8260 v4.10," April 2012
* NSS Labs, "Next-Generation Firewall Product Analysis – Sourcefire," February 2013
The New Security Model
[Attack continuum: Point-in-Time → Continuous]
Cisco Security Products Mapped to New Security Model
[Attack continuum: UTM; Management Center; appliances | virtual]
LCD Display: quick and easy headless configuration
Connectivity Choice: change and add connectivity in line with network requirements
Device Stacking: scale monitoring capacity through stacking
Hardware Acceleration: for best-in-class throughput, security, rack size/Mbps, and price/Mbps
Lights Out Management: minimal operational impact
SSD: solid state drive for increased reliability
Appliances Summary
All appliances include:
• Integrated lights-out management
• Sourcefire acceleration technology
• LCD display
• Sourcefire's "Secret Sauce"
• Passive network and user intelligence (network map / host profiles), aka contextual awareness
• Fuels powerful automation:
Impact Assessment
Automated IPS Tuning
User Identification
Compliance Rules & White Lists
Baseline & Behavioral Monitoring
• Enterprise-class management
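The impact assessment that the event funnel and the "secret sauce" slide rely on, as an added example rather than Sourcefire code: each IPS event is correlated with the passively learned profile of its target host (OS, listening services, known vulnerabilities) and ranked, so that a flood of alerts collapses to the few whose target is actually exposed, like the "(vulnerable)" target in the event shown earlier. The impact numbering (1 vulnerable, 2 potentially vulnerable, 3 currently not vulnerable, 4 unknown target) follows the FireSIGHT convention as I recall it and is not stated on this page; the hosts, events and vulnerability identifiers are constructed sample data.

```python
"""Impact assessment: correlate IPS events with a passive network map.

Added example (not Sourcefire code). The host profiles, events and
vulnerability IDs below are constructed sample data. Impact levels
follow the FireSIGHT convention as I understand it, not something this
page states: 1 vulnerable, 2 potentially vulnerable, 3 currently not
vulnerable, 4 unknown target.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    port: int
    proto: str  # "tcp" or "udp"
    name: str


@dataclass
class Host:
    ip: str
    os: str
    services: tuple[Service, ...]
    vulns: frozenset[str]  # vulnerability IDs the host profile says apply


@dataclass
class Event:
    sid: int              # rule ID that fired
    msg: str
    dst_ip: str
    dst_port: int
    proto: str
    refs: frozenset[str]  # vulnerability IDs the rule is written against


IMPACT_VULNERABLE = 1
IMPACT_POTENTIALLY_VULNERABLE = 2
IMPACT_NOT_VULNERABLE = 3
IMPACT_UNKNOWN_TARGET = 4

# Constructed network map keyed by IP: what passive discovery would build.
NETWORK_MAP = {
    "10.1.1.10": Host("10.1.1.10", "Windows Server 2008",
                      (Service(80, "tcp", "http"), Service(445, "tcp", "smb")),
                      frozenset({"VULN-SMB-0001"})),
    "10.1.1.20": Host("10.1.1.20", "Linux",
                      (Service(22, "tcp", "ssh"), Service(80, "tcp", "http")),
                      frozenset()),
}

# Constructed IPS events: the same attacks against different targets.
EVENTS = [
    Event(1001, "SMB remote code execution attempt", "10.1.1.10", 445, "tcp",
          frozenset({"VULN-SMB-0001"})),
    Event(1001, "SMB remote code execution attempt", "10.1.1.20", 445, "tcp",
          frozenset({"VULN-SMB-0001"})),
    Event(2002, "HTTP buffer overflow attempt", "10.1.1.20", 80, "tcp",
          frozenset({"VULN-HTTP-0002"})),
    Event(2002, "HTTP buffer overflow attempt", "10.1.1.99", 80, "tcp",
          frozenset({"VULN-HTTP-0002"})),
]


def assess(event: Event, network_map: dict[str, Host]) -> int:
    """Return the impact level of one event given what is known about its target."""
    host = network_map.get(event.dst_ip)
    if host is None:
        return IMPACT_UNKNOWN_TARGET          # never seen this host on the wire
    if event.refs & host.vulns:
        return IMPACT_VULNERABLE              # rule targets a vuln the host is known to have
    if any(s.port == event.dst_port and s.proto == event.proto for s in host.services):
        return IMPACT_POTENTIALLY_VULNERABLE  # something listens there, vuln unconfirmed
    return IMPACT_NOT_VULNERABLE              # nothing listening on that port/protocol


def triage(events, network_map):
    """Attach an impact level to each event and order the most urgent first."""
    ranked = [(assess(e, network_map), e) for e in events]
    ranked.sort(key=lambda pair: pair[0])
    return ranked


def impact_histogram(events, network_map) -> dict[int, int]:
    """How the raw event count collapses into impact buckets (the funnel)."""
    return dict(Counter(assess(e, network_map) for e in events))


if __name__ == "__main__":
    for impact, e in triage(EVENTS, NETWORK_MAP):
        print(f"impact {impact}  sid={e.sid}  -> {e.dst_ip}:{e.dst_port}  {e.msg}")
```

The same rule firing twice produces impact 1 against the host whose profile lists the referenced vulnerability and impact 3 against the host with nothing listening on 445/tcp; that difference, not the rule's own severity, is what an analyst should sort on.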
Information Superiority: Contextual Awareness

Categories               | Examples                        | Sourcefire NGIPS & NGFW | Typical IPS | Typical NGFW
Threats                  | Attacks, Anomalies              | ✔ | ✔ | ✔
Users                    | AD, LDAP, POP3                  | ✔ | ✗ | ✔
Web Applications         | Facebook Chat, Ebay             | ✔ | ✗ | ✔
Application Protocols    | HTTP, SMTP, SSH                 | ✔ | ✗ | ✔
File Transfers           | PDF, Office, EXE, JAR           | ✔ | ✗ | ✔
Malware                  | Conficker, Flame                | ✔ | ✗ | ✗
Command & Control Servers| C&C Security Intelligence       | ✔ | ✗ | ✗
Client Applications      | Firefox, IE6, BitTorrent        | ✔ | ✗ | ✗
Network Servers          | Apache 2.3.1, IIS4              | ✔ | ✗ | ✗
Operating Systems        | Windows, Linux                  | ✔ | ✗ | ✗
Routers & Switches       | Cisco, Nortel, Wireless         | ✔ | ✗ | ✗
Mobile Devices           | iPhone, Android, Jail           | ✔ | ✗ | ✗
Printers                 | HP, Xerox, Canon                | ✔ | ✗ | ✗
VoIP Phones              | Avaya, Polycom                  | ✔ | ✗ | ✗
Virtual Machines         | VMware, Xen, RHEV               | ✔ | ✗ | ✗
[Host profile: who is at the host, client, version, application]
Security and Network Admin Roles
Flexible Administrator Roles
Security Dashboard
FireSIGHT Context Explorer
View all application traffic… Look for risky applications… Who is using them?
Dashboard
Policy-Driven Visibility and Control
Filter Access and Apply Protection by Application, User, and Traffic Path
URL Filtering
§ Block non-business-related sites by category
§ Based on user and user group
Don't Forget: Apps are Often Encrypted!
§ and default to SSL
§ Benefits of SF off-box decryption solution:
→ Improved Performance – acceleration and policy
→ Centralized Key Management
→ Interoperable with 3rd party products
Benefits of Application Control
Social: Security and DLP
Security: Reduce Attack Surface
Mobile: Enforce BYOD Policy
Bandwidth: Recover Lost Bandwidth
Custom Reports Designer
Security Intelligence on FirePOWER
§ What is it?
• Alerts and blocks on:
• Botnet C&C traffic / known attackers / open proxies/relays
• Malware, phishing, and spam sources
• Allows creation of custom lists.
• Download lists from Sourcefire or third parties.
§ How does it help?
• Blocks malicious communication channels.
• Continually updated to stay ahead of communication channel changes.
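How a Security Intelligence lookup behaves on real connection records, as an added example that is not Sourcefire code: reputation feeds and custom lists are loaded as IP/CIDR sets, every connection is checked on both endpoints, and each hit gets the action attached to its category. The feed entries, custom lists and log lines are constructed sample data on RFC 5737 documentation ranges; the per-category actions and the rule that a custom allow list overrides any feed match are design assumptions of this example, not something the page states.

```python
"""Security Intelligence style reputation lookup over connection records.

Added example (not Sourcefire code). The feed entries, custom lists and
connection log lines are constructed sample data using documentation
address ranges; the per-category actions and the rule that a custom
allow list overrides feed matches are design assumptions of this
example, not something the page states.
"""
import ipaddress
import re

# Constructed feeds: category -> list of IPs / CIDR blocks (RFC 5737 ranges).
FEEDS = {
    "cnc": ["203.0.113.0/24"],              # botnet command and control
    "attackers": ["198.51.100.7"],          # known attackers
    "open_proxies": ["198.51.100.128/25"],  # open proxies / relays
    "malware": ["192.0.2.66"],              # malware distribution
    "phishing": ["192.0.2.67"],
    "spam": ["192.0.2.68"],
}
# Operator-defined lists (the page's "custom lists").
CUSTOM_BLOCK = ["192.0.2.100"]
CUSTOM_ALLOW = ["198.51.100.200"]  # sits inside open_proxies but is approved

# Assumed action per category: block the communication channels, alert on the rest.
ACTIONS = {
    "cnc": "block", "attackers": "block", "malware": "block",
    "phishing": "block", "custom_block": "block",
    "open_proxies": "alert", "spam": "alert",
}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def _parse(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]


class SecurityIntelligence:
    def __init__(self, feeds, custom_block, custom_allow, actions):
        self.lists = {name: _parse(v) for name, v in feeds.items()}
        self.lists["custom_block"] = _parse(custom_block)
        self.allow = _parse(custom_allow)
        self.actions = actions

    def update_feed(self, name, entries):
        """Replace one feed wholesale, as a periodic feed refresh would."""
        self.lists[name] = _parse(entries)

    def categories(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.allow):
            return []                     # explicit allow wins over every feed
        return sorted(name for name, nets in self.lists.items()
                      if any(addr in net for net in nets))

    def verdict(self, src, dst):
        """Return (action, category, ip) for one connection; "allow" if clean.

        Both endpoints are checked so an inbound hit from a known attacker
        and an outbound hit to a C&C server are treated alike. "block"
        outranks "alert" when several categories match.
        """
        rank = {"allow": 0, "alert": 1, "block": 2}
        best = ("allow", None, None)
        for ip in (src, dst):
            for cat in self.categories(ip):
                action = self.actions.get(cat, "alert")
                if rank[action] > rank[best[0]]:
                    best = (action, cat, ip)
        return best

    def process_log(self, lines):
        out = []
        for line in lines:
            m = LOG_RE.search(line)
            if not m:
                continue
            src, dst, _ = m.groups()
            out.append((src, dst) + self.verdict(src, dst))
        return out


# Constructed connection records, not real traffic.
SAMPLE_LOG = [
    "2013-05-01T10:00:01 src=10.1.1.5 dst=203.0.113.45 dport=443",
    "2013-05-01T10:00:02 src=10.1.1.6 dst=192.0.2.1 dport=80",
    "2013-05-01T10:00:03 src=198.51.100.7 dst=10.1.1.10 dport=22",
    "2013-05-01T10:00:04 src=10.1.1.7 dst=198.51.100.200 dport=8080",
    "2013-05-01T10:00:05 src=10.1.1.8 dst=198.51.100.130 dport=8080",
    "2013-05-01T10:00:06 src=10.1.1.9 dst=192.0.2.100 dport=80",
]


def run_sample():
    si = SecurityIntelligence(FEEDS, CUSTOM_BLOCK, CUSTOM_ALLOW, ACTIONS)
    return si.process_log(SAMPLE_LOG)


if __name__ == "__main__":
    for src, dst, action, cat, hit in run_sample():
        print(f"{src} -> {dst}: {action}" + (f" ({cat}: {hit})" if cat else ""))
```

Two details matter in practice: the allow list has to be consulted before the feeds, otherwise an approved host inside a listed /25 is still blocked, and `update_feed` replaces a list wholesale so a stale entry does not linger after the provider removes it.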
Bad Guys Geolocation
Geolocation – Details
IPv6 Awareness & Support
Mobile Device Identification
File Type Detection: Policy
File Capture: Capturing Files
§ What can be captured?
→ Policy based, flexible for customer need
• Example configuration shown later
§ Supported protocols:
• http, smtp, pop3, imap, smb*, ftp
– * SMB file detection is new for 5.3
§ If the policy is configured to store the file:
→ A SHA-256 is calculated for identification of that file
→ Duplicate files are not re-captured, to optimize storage space (identified / de-duped by SHA-256)
→ De-duplication is per-appliance (different appliances may have the same file stored)
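The capture path above, as an added example that is not Sourcefire code: a file seen on a supported protocol is typed, hashed with SHA-256, and stored only if the policy asks for that type and this appliance does not already hold a file with the same hash; a second appliance keeps its own store, so the same file is captured again there. The magic-byte sniffing, the policy shape and the sample payloads are constructed for the example.

```python
"""File capture with SHA-256 identification and per-appliance de-duplication.

Added example (not Sourcefire code). It models the behaviour the slide
describes: a file seen on a supported protocol is typed, hashed with
SHA-256, and stored only if the capture policy asks for that type and
no file with the same hash is already held by this appliance. The
magic-byte sniffing, policy shape and sample payloads are constructed
for the example.
"""
import hashlib

SUPPORTED_PROTOCOLS = {"http", "smtp", "pop3", "imap", "smb", "ftp"}

# Minimal magic-byte sniffing (constructed). Office (OOXML) and JAR are
# both zip containers; telling them apart needs a look inside the archive,
# which this example does not do.
_MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
]


def file_type(data: bytes) -> str:
    for magic, ftype in _MAGIC:
        if data.startswith(magic):
            return ftype
    return "unknown"


class CaptureStore:
    """Capture state of one appliance: its own policy, its own store."""

    def __init__(self, name: str, store_types: set[str]):
        self.name = name
        self.store_types = store_types     # file types the policy says to store
        self.blobs: dict[str, bytes] = {}  # sha256 hex -> file content
        self.log: list[tuple] = []

    def observe(self, proto: str, data: bytes):
        """Handle one file seen on the wire; returns (outcome, sha256, type)."""
        if proto not in SUPPORTED_PROTOCOLS:
            outcome, sha, ftype = "unsupported-protocol", None, None
        else:
            ftype = file_type(data)
            sha = hashlib.sha256(data).hexdigest()
            if ftype not in self.store_types:
                outcome = "detected"          # typed and hashed, not stored
            elif sha in self.blobs:
                outcome = "duplicate"         # already held here: no second copy
            else:
                self.blobs[sha] = data
                outcome = "stored"
        self.log.append((self.name, proto, outcome, sha, ftype))
        return outcome, sha, ftype

    def bytes_stored(self) -> int:
        return sum(len(b) for b in self.blobs.values())


# Constructed sample payloads (fake headers, not real documents).
PDF_A = b"%PDF-1.4 constructed sample A"
EXE_B = b"MZ\x90\x00 constructed sample B"
TXT_C = b"plain text, no magic"


def run_sample():
    policy = {"pdf", "exe", "zip"}
    appliance1 = CaptureStore("sensor-1", policy)
    appliance2 = CaptureStore("sensor-2", policy)

    appliance1.observe("http", PDF_A)   # stored
    appliance1.observe("smtp", PDF_A)   # same bytes on another protocol: duplicate
    appliance1.observe("smb", EXE_B)    # stored
    appliance1.observe("http", TXT_C)   # detected, type not in policy
    appliance1.observe("irc", EXE_B)    # protocol not inspected for files
    appliance2.observe("ftp", PDF_A)    # different appliance: stored again
    return appliance1, appliance2


if __name__ == "__main__":
    a1, a2 = run_sample()
    for entry in a1.log + a2.log:
        print(entry)
    print(a1.name, a1.bytes_stored(), "bytes;", a2.name, a2.bytes_stored(), "bytes")
```

The hash is computed over the full file content before the policy decision, so even a file the policy does not store leaves a SHA-256 in the log that can later be matched against malware intelligence; de-duplication is keyed on that hash, not on the file name or protocol.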
Dynamic Analysis: Overview
§ Files can be sent for Dynamic Analysis (sandbox execution) in the Sourcefire VRT Cloud
§ Based on the analysis result, a Threat Score is calculated
→ The higher the threat score, the more likely the file is malicious
→ Enhances the detection of zero-day 'unknown' malware
§ License & Compatibility
→ MALWARE license required
→ All Series 3 appliances (7000, 8000, and 64-bit Virtual)
→ DC3500, DC1500, DC750, DC3000, Virtual DC
Enhanced IPS Events (Fields)
§ Application Protocol
§ Application Protocol Category
§ Application Protocol Tag
§ Client
§ Client Category
§ Client Tag
§ Web Application
§ Web Application Category
§ Web Application Tag
§ Application Risk
§ Business Relevance
§ Ingress / Egress Zone
§ Ingress / Egress Interface
§ Intrusion Policy
§ Access Control Policy
§ Access Control Rule
§ MPLS Label
§ Email Attachments
§ Email Recipient
§ Email Sender
Enhanced High-Availability
§ Synchronizing critical "state" information between individual devices in a high-availability cluster.
→ TCP Strict State Enforcement – allows TCP sessions to continue without having to re-establish the connection.
→ Unidirectional Rules – enables a flow allowed by a unidirectional rule to continue even if failover occurs midstream.
→ Blocking Persistence – flow state including the verdict (blocked or allowed) is shared to ensure the verdict persists after failover.
→ Dynamic Network Address Translation (NAT) – dynamic mapping of IPs and ports remains persistent after failover.
§ Supports clustered appliance stacks (8250, 8260, 8270 and 8290)
§ Devices directly connected via the HA Link external interfaces
§ Clustered devices must be the same model with identical NetMods
Advanced Malware Protection Solution
Dedicated FirePOWER appliance for Advanced Malware Protection with subscription
----- OR -----
Add-on subscription to any FirePOWER appliance for NGIPS
Dynamic Analysis: Process Overview
[Process diagram]
FirePOWER Appliance: file detected on FirePOWER; hashes calculated (1892y…skQsd)
FireSIGHT Management: saves a copy if policy dictates*; hash metadata sent to the AMP Cloud (optional proxy*)
AMP Cloud dynamic analysis*: analysis queue status, error status, threat score (optional proxy*)
Network File Trajectory
[Screenshot: systems infected]
Collective Security Intelligence
[Diagram: Vulnerability Research Team produces Sourcefire updates (IPS rules, vulnerability database, malware protection, reputation feeds, sandboxing); inputs: Sourcefire AEGIS™ program, private & public threat feeds, machine learning, big data infrastructure, sandnets, honeypots, FireAMP™ community file samples (>180,000 per day)]
[Attacker process: survey; evaluate victim's countermeasures; accomplish the mission: extract data, destroy, plant evidence, compromise]
Dynamic Threat Protection Evolution
[Roadmap, FY12/FY13 through FY17: Web Reputation Coverage; Network as a Sensor (Lancope & Cognitive); File Analysis & Sandboxing (FireAMP); Automated Remediation Across Network, Cloud, and Endpoints (FireSIGHT & FireAMP); goal: unmatched visibility, enforcement, and remediation]
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Thank you.