
Sourcefire

Next-Gen IPS & FW


Jiří Tesař, CCIE #14558
Consulting Systems Engineer - Security
jitesar@cisco.com

Cisco Connect Club

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Who is Sourcefire?
• Founded in 2001, based in Columbia, MD
• Security from Cloud to Core
• Market leader in (NG)IPS
• New entrant to NGFW space with strong offering
• Groundbreaking Advanced Malware Protection solution
• Innovative – 52+ patents issued or pending
• Pioneer in IPS, context-driven security, advanced malware
• World-class research capability
• Owner of major Open Source security projects: Snort, ClamAV, Razorback
• October 7, 2013, Cisco completed the acquisition of Sourcefire
• $2.7B investment in security!
Leadership – The Path “Up and Right”
Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.
• IronPort – 2007 (ESA): investment $830M
• ScanSafe – 2010 (WSA): investment $183M
• Meraki – 2012: Cisco paid approximately $1.2 billion
Market Leading Security Portfolio

Firewall & NGFW
• Cisco ASA
• Meraki MX
• Cisco ISR Sec WAN
• Sourcefire Next Generation FW

IPS & NGIPS
• Cisco IPS
• Cisco ASA Module
• Sourcefire Next Generation IPS

Advanced Malware Protection
• Sourcefire AMP
• AMP Mobile
• AMP Virtual
• AMP for FirePOWER license

Web Security
• Cisco WSA
• Cisco ScanSafe Cloud

Email Security
• Cisco ESA
• Cisco Cloud

NAC + Identity Services
• Cisco ISE
• Cisco ACS

VPN
• Cisco AnyConnect
• Cisco ASA

UTM (Firewall+)
• Meraki MX

Leverage Infrastructure
• Lancope Stealthwatch
• Cisco TrustSec

Consumption Options
• Cisco ELA
• Meraki

Policy-based Networking
• Cisco ISE
• Cisco TrustSec

Secure Data Center
• Cisco ASA
• Cisco Virtualized
• Context
• Speed
• Accuracy
• Flexibility
• Value
Context has the capability of fundamentally changing the interpretation of your event data. The same event, shown with increasing context:

Event: Attempted Privilege Gain
Target: 96.16.242.135

Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: Whitehouse, US

Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: Whitehouse, US
User ID: bobama
Full Name: Barack Obama
Department: Executive Office
Passive Discovery (all the time, in real-time):
• Hosts
• Vulnerabilities
• Services
• Communications
• Applications
• Users
§ Sensor
→ Common packet acquisition chain
→ Scalable hardware
  • Raw compute power
  • Flow processors
→ Rules scale as log n
§ Analysis
→ Impact analysis
→ Contextual data at source
→ Rich pivot interfaces
→ Correlation rules
§ Remediation services
The same pipeline as an event funnel (counts as shown on the slide):
100,000 events
§ Sensor
→ Common packet acquisition chain: 5,000 events
→ Scalable hardware
  • Raw compute power: 500 events
  • Flow processors
→ Rules scale as log n
§ Analysis
→ Impact analysis
→ Contextual data at source: 20 events
→ Rich pivot interfaces: +10 events
→ Correlation rules
§ Remediation services
3 events
• High fidelity reassembly to prevent evasion
• Multiple detection methods
  Simple signatures for known exploits
  Complex signatures for exploits against known vulnerabilities
  Anomaly detection for 0-day
• The right rules must be enabled
  Recommended rules system
Screenshot callouts: View all application traffic… Look for risky applications… Who is using them? On what operating systems?

• Snort rules are textual & universal
  “Lingua franca” for the IPS industry
  Library of 20,000 rules for use as templates
• Works as you do
  Flexible workflows match your security processes
  Complex table joins visualize your data
  Rich context explorer, dashboards & reports
Architecture diagram (components, top to bottom):
• User Interface
• Presentation: Reporting engine, Alerting, Correlation
• Rules engine, Correlation engine, Remediation services, Reputation services, Geolocation services, Anomaly Detection
• Detection Engines, Directory mapping, Directory Services
• Network Awareness, Identity Awareness, Threat Awareness, User Awareness
• DAQ

Example correlation rule: “SMS me only if a valid attack gets through to one of our executives’ Android phones.”
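As an added illustration of the impact analysis and correlation-rule stages in the sensor/analysis pipeline and event funnel above (example code written for this page, not Sourcefire's or Cisco's own), the Python below rates raw intrusion events against a passively built network map and then applies the slide's “SMS me only if a valid attack gets through to one of our executives' Android phones” rule. The host profiles, events, VULN-* identifiers and the impact-level numbering are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """One entry of the passively discovered network map (constructed shape)."""
    ip: str
    os: str
    vulns: frozenset   # vulnerability ids this host is known to carry
    user: str
    department: str


@dataclass(frozen=True)
class IpsEvent:
    """A raw intrusion event as the sensor emits it (constructed shape)."""
    sid: int
    message: str
    src: str
    dst: str
    vulns: frozenset   # vulnerability ids the matched rule's exploit targets
    os_family: str     # OS family the exploit applies to


# Impact levels used by this example; the numbering is the example's own.
VULNERABLE, POTENTIALLY_VULNERABLE, NOT_VULNERABLE, UNKNOWN_TARGET = 1, 2, 3, 4


def impact(event, network_map):
    """Rate an event against what is known about its target host."""
    host = network_map.get(event.dst)
    if host is None:
        return UNKNOWN_TARGET                 # nothing discovered about the target
    if host.vulns & event.vulns:
        return VULNERABLE                     # target carries the exploited weakness
    if host.os.split()[0] == event.os_family:
        return POTENTIALLY_VULNERABLE         # right OS family, weakness not confirmed
    return NOT_VULNERABLE                     # exploit cannot apply to this host


def exec_android_rule(event, host, level):
    """Correlation rule from the slide: a valid attack against an
    executive's Android phone. 'Valid' is read as impact level 1."""
    return (level == VULNERABLE
            and host.os.startswith("Android")
            and host.department == "Executive Office")


# (rule name, response action, predicate)
RULES = [("exec-android-compromise", "sms", exec_android_rule)]


def triage(events, network_map, rules=RULES):
    """Run every event through impact analysis and the correlation rules."""
    by_impact = Counter()
    alerts = []
    for ev in events:
        level = impact(ev, network_map)
        by_impact[level] += 1
        host = network_map.get(ev.dst)
        if host is None:
            continue                          # rules below need a host profile
        for name, action, predicate in rules:
            if predicate(ev, host, level):
                alerts.append({"rule": name, "action": action, "sid": ev.sid,
                               "dst": ev.dst, "user": host.user})
    return {"raw": len(events), "by_impact": dict(by_impact), "alerts": alerts}


# Constructed network map; VULN-* ids are placeholders, not real advisories.
NETWORK_MAP = {h.ip: h for h in [
    Host("10.0.1.10", "Windows 7",   frozenset({"VULN-IIS-1"}),     "alice", "Finance"),
    Host("10.0.1.11", "Linux",       frozenset(),                   "bob",   "Engineering"),
    Host("10.0.2.20", "Android 4.1", frozenset({"VULN-ANDROID-7"}), "carol", "Executive Office"),
    Host("10.0.2.21", "Android 4.4", frozenset(),                   "dave",  "Executive Office"),
]}

# Constructed raw events: one web-server exploit and one mobile-browser exploit,
# fired at hosts that are and are not actually exposed to them.
SAMPLE_EVENTS = [
    IpsEvent(1001, "IIS overflow attempt", "198.51.100.7", "10.0.1.10", frozenset({"VULN-IIS-1"}), "Windows"),
    IpsEvent(1001, "IIS overflow attempt", "198.51.100.7", "10.0.1.11", frozenset({"VULN-IIS-1"}), "Windows"),
    IpsEvent(2002, "Android browser heap overflow", "203.0.113.4", "10.0.2.20", frozenset({"VULN-ANDROID-7"}), "Android"),
    IpsEvent(2002, "Android browser heap overflow", "203.0.113.4", "10.0.2.21", frozenset({"VULN-ANDROID-7"}), "Android"),
    IpsEvent(2002, "Android browser heap overflow", "203.0.113.4", "10.0.3.99", frozenset({"VULN-ANDROID-7"}), "Android"),
    IpsEvent(1001, "IIS overflow attempt", "198.51.100.7", "10.0.2.20", frozenset({"VULN-IIS-1"}), "Windows"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, NETWORK_MAP), indent=2))
```

Six raw events collapse to one page-worthy alert: the impact step discards the exploit aimed at a host that cannot run it and marks the unprofiled target as unknown, and the correlation rule then keeps only the confirmed-vulnerable executive Android host.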
Sourcefire Leadership and Recognition

Leadership*
§ Class leader in detection
§ Class leader in performance
§ Class leader in vulnerability coverage
§ Completely evasion free
Ratings*
§ 99% detection & protection
§ 34 Gbps inspected throughput
§ 60M concurrent connections
§ $15 TCO / protected Mbps
“For the past five years, Sourcefire has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities.”
Vikram Phatak, CTO NSS Labs, Inc.

Ratings*
§ 98% detection & protection
§ 52 Gbps inspected throughput
§ 120M concurrent connections
§ $17 TCO / protected Mbps
Leadership*
§ Class leader in performance
§ Class leader for TCO
§ Class leader in sessions
§ Completely evasion free
“The overall system is mature, logging all critical data necessary for forensic and compliance auditing.”
NSS Labs Management CAR.

* NSS Labs, “Network IPS Product Analysis Sourcefire 3D8260 v4.10,” April 2012
  NSS Labs, “Next-Generation Firewall Product Analysis – Sourcefire,” February 2013
The New Security Model
ATTACK CONTINUUM
Control, Enforce, Harden | Detect, Block, Defend | Scope, Contain, Remediate
Network | Endpoint | Mobile | Virtual | Cloud
Point-in-Time | Continuous
Cisco Security Products Mapped to New Security Model
ATTACK CONTINUUM
Gain visibility and control applications and users: Firewall, NGFW, NAC + Identity Services, VPN, UTM
Stop exploits, hackers, and other intrusions and attacks: NGIPS, Web Security, Email Security
Find malware missed by other security layers: Advanced Malware Protection, Network Behavior Analysis
Management Center (Appliances | Virtual)
Next-Generation Firewall | Next-Generation Intrusion Prevention | Advanced Malware Protection | Collective Security Intelligence
Contextual Awareness
Hosts | Virtual | Mobile
Appliances | Virtual
FirePOWER appliance features:
• LCD Display – quick and easy headless configuration
• Connectivity Choice – change and add connectivity inline with network requirements
• Configurable Bypass or Fail Closed Interfaces – for IDS, IPS or Firewall deployments
• Device Stacking – scale monitoring capacity through stacking
• Hardware Acceleration – for best in class throughput, security, rack size/Mbps, and price/Mbps
• Lights Out Management – minimal operational impact
• SSD – Solid State Drive for increased reliability
Appliances Summary
All appliances include:
• Integrated lights-out management
• Sourcefire acceleration technology
• LCD display
• Sourcefire’s “Secret Sauce”
• Passive network and user intelligence (network map / host profiles), aka contextual awareness
• Fuels powerful automation:
  Impact Assessment
  Automated IPS Tuning
  User Identification
  Compliance Rules & White Lists
  Baseline & Behavioral Monitoring
• Enterprise-class management
Information Superiority – Contextual Awareness

Categories                  Examples                     Sourcefire NGIPS & NGFW   Typical IPS   Typical NGFW
Threats                     Attacks, Anomalies           ✔                         ✔             ✔
Users                       AD, LDAP, POP3               ✔                         ✗             ✔
Web Applications            Facebook Chat, Ebay          ✔                         ✗             ✔
Application Protocols       HTTP, SMTP, SSH              ✔                         ✗             ✔
File Transfers              PDF, Office, EXE, JAR        ✔                         ✗             ✔
Malware                     Conficker, Flame             ✔                         ✗             ✗
Command & Control Servers   C&C Security Intelligence    ✔                         ✗             ✗
Client Applications         Firefox, IE6, BitTorrent     ✔                         ✗             ✗
Network Servers             Apache 2.3.1, IIS4           ✔                         ✗             ✗
Operating Systems           Windows, Linux               ✔                         ✗             ✗
Routers & Switches          Cisco, Nortel, Wireless      ✔                         ✗             ✗
Mobile Devices              iPhone, Android, Jail        ✔                         ✗             ✗
Printers                    HP, Xerox, Canon             ✔                         ✗             ✗
VoIP Phones                 Avaya, Polycom               ✔                         ✗             ✗
Virtual Machines            VMware, Xen, RHEV            ✔                         ✗             ✗
Host profile (screenshot callouts): Who is at the host; OS & version identified; Server applications and version; What other systems / IPs did the user have, when?; Client applications; Client version; Application

Only Sourcefire delivers complete network visibility

Visual Device Management
Security and Network Admin Roles

Flexible Administrator Roles

Security Dashboard
FireSIGHT Context Explorer
View all application traffic… Look for risky applications… Who is using them? What else have these users been up to? On what operating systems? What does their traffic look like over time?

Dashboard
Policy-Driven Visibility and Control
Filter Access and Apply Protection by Application, User, and Traffic Path
URL Filtering
§ Block non-business-related sites by category
§ Based on user and user group

URL Filtering
Dozens of content categories; URLs categorized by risk
Don’t Forget: Apps are Often Encrypted!
§ [application logos not captured in the text] and [application logos not captured in the text] default to SSL
§ Benefits of SF off-box decryption solution:
→ Improved Performance – acceleration and policy
→ Centralized Key Management
→ Interoperable with 3rd party products

SSL appliances: SSL1500 (1.5 Gbps), SSL2000 (2.5 Gbps), SSL8200 (3.5 Gbps)
Benefits of Application Control
Social: Security and DLP
Security: Reduce Attack Surface
Mobile: Enforce BYOD Policy
Bandwidth: Recover Lost Bandwidth

Custom Reports Designer
Security Intelligence on FirePOWER
§ What is it?
• Alerts and blocks on:
  • Botnet C&C Traffic / Known Attackers / Open Proxies/Relays
  • Malware, Phishing, and Spam Sources
• Allows creation of custom lists.
• Download lists from Sourcefire or third parties.
§ How does it help?
• Blocks malicious communication channels.
• Continually updated to stay ahead of communication channel changes.
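An added example (not Sourcefire's or Cisco's code) of how the Security Intelligence list match just described can be implemented: category feeds and custom block/allow lists are parsed from the one-address-or-CIDR-per-line text format assumed here, and every connection is checked on both endpoints, with the custom allow list able to exempt an address that an upstream feed lists. The feed contents, the addresses (documentation ranges) and the category-to-action mapping are all constructed for the example.

```python
import ipaddress

# Constructed sample feeds in the format assumed here: one IPv4/IPv6 address or
# CIDR per line, '#' starts a comment. Addresses are documentation ranges.
FEEDS = {
    "cnc":          "# botnet command-and-control\n203.0.113.0/24\n198.51.100.77\n",
    "attackers":    "198.51.100.0/24\n",
    "open_proxies": "192.0.2.5\n2001:db8::10\n",
    "custom_block": "192.0.2.200\n",
    "custom_allow": "198.51.100.77   # partner host wrongly listed upstream\n",
}

# Per-category response and the order in which categories are consulted;
# the allow list comes first so it can exempt an address from every other list.
ACTION = {"custom_allow": "allow", "cnc": "block", "attackers": "block",
          "custom_block": "block", "open_proxies": "monitor"}
PRECEDENCE = ["custom_allow", "cnc", "attackers", "custom_block", "open_proxies"]


def parse_feed(text):
    """Turn feed text into ip_network objects, skipping blanks and comments."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def load_lists(feeds):
    return {name: parse_feed(text) for name, text in feeds.items()}


def categorize(ip, lists):
    """First category in PRECEDENCE whose list contains the address, else None."""
    addr = ipaddress.ip_address(ip)
    for name in PRECEDENCE:
        if any(addr in net for net in lists.get(name, ())):
            return name
    return None


def evaluate(conn, lists):
    """Check both endpoints of a connection. Returns (verdict, (category, endpoint))
    where verdict is 'block', 'monitor' or 'allow'."""
    verdict, reason = "allow", None
    for endpoint in ("src", "dst"):
        cat = categorize(conn[endpoint], lists)
        if cat is None or cat == "custom_allow":
            continue                      # clean, or explicitly exempted
        if ACTION[cat] == "block":
            return "block", (cat, endpoint)
        verdict, reason = "monitor", (cat, endpoint)
    return verdict, reason


def run(connections, lists):
    """Evaluate a batch and return a summary count plus per-connection verdicts."""
    verdicts = [evaluate(c, lists) for c in connections]
    counts = {v: sum(1 for x in verdicts if x[0] == v) for v in ("block", "monitor", "allow")}
    return counts, verdicts


# Constructed connection records (internal 10.0.0.0/8 hosts talking outwards and inwards).
SAMPLE_CONNECTIONS = [
    {"src": "10.0.0.5",      "dst": "203.0.113.9", "dport": 443},   # C&C destination
    {"src": "198.51.100.77", "dst": "10.0.0.8",    "dport": 22},    # listed upstream, but allow-listed
    {"src": "198.51.100.12", "dst": "10.0.0.8",    "dport": 22},    # known attacker source
    {"src": "10.0.0.7",      "dst": "192.0.2.5",   "dport": 8080},  # open proxy
    {"src": "10.0.0.9",      "dst": "10.0.0.10",   "dport": 445},   # internal, clean
    {"src": "192.0.2.200",   "dst": "203.0.113.9", "dport": 80},    # both ends listed
]

if __name__ == "__main__":
    counts, verdicts = run(SAMPLE_CONNECTIONS, load_lists(FEEDS))
    for conn, (verdict, reason) in zip(SAMPLE_CONNECTIONS, verdicts):
        print(conn["src"], "->", conn["dst"], verdict, reason)
    print(counts)
```

Checking both endpoints matters because a C&C entry is usually hit as a destination (an infected host calling out) while an attacker or open-proxy entry is usually hit as a source; an allow-list exemption applies only to the listed endpoint, so the other side of the connection is still judged.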
Bad Guys

Geolocation
§ Visualize and map countries, cities of hosts, events
Geolocation – Details
§ IP Address needs to be routable
§ Two resolutions of Geolocation data
→ Country – included & on by default
→ Full – can be downloaded after install
  • Postcode, Latitude/Longitude, TZ, ASN, ISP, Organisation, Domain name, etc
  • Clickable map links (Google, Bing, and others)
§ Country is saved in the event record
→ For both source & destination
→ Allows accurate historical views of events
IPv6 Awareness & Support
§ IPv6 support is fully integrated
→ From policies to event viewers to table views.
§ Network discovery of IPv6 hosts
§ User Agent, Impact Flag and rule recommendations all work with IPv6
§ Nmap can scan over IPv6
§ IPv6 discovery events can stream via eStreamer
Mobile Device Identification
Build host profile; track users; identify applications; track vulnerabilities

File Type Detection: Policy
File Capture: Capturing Files
§ What can be captured?
→ Policy based, flexible for customer need
  • Example configuration shown later
§ Supported protocols:
  • http, smtp, pop3, imap, smb*, ftp
  – *SMB file detection is new for 5.3
§ If the policy is configured to store the file:
→ A SHA-256 is calculated for identification of that file
→ Duplicate files are not re-captured to optimize storage space (identified / de-duped by SHA-256)
→ De-duplication is per-appliance (different appliances may have the same file stored)
Dynamic Analysis: Overview
§ Files can be sent for Dynamic Analysis (sandbox execution) in the Sourcefire VRT Cloud
§ Based on the analysis result, a Threat Score is calculated
→ The higher the threat score, the more likely the file is malicious
→ Enhances the detection of zero-day ‘unknown’ malware
§ License & Compatibility
→ MALWARE License required
→ All Series 3 appliances (7000, 8000, and 64bit Virtual)
→ DC3500, DC1500, DC750, DC3000, DC1500, Virtual DC
Enhanced IPS Events (Fields)
§ Application Protocol
§ Application Protocol Category
§ Application Protocol Tag
§ Client
§ Client Category
§ Client Tag
§ Web Application
§ Application Risk
§ Business Relevance
§ Web Application Category
§ Web Application Tag
§ Ingress / Egress Zone
§ Ingress / Egress Interface
§ Intrusion Policy
§ Access Control Policy
§ Access Control Rule
§ MPLS Label
§ Email Attachments
§ Email Recipient
§ Email Sender
Enhanced High-Availability
§ Synchronizing critical “state” information between individual devices in a high-availability cluster.
→ TCP Strict State Enforcement – allows TCP sessions to continue without having to re-establish the connection.
→ Unidirectional Rules – enables a flow allowed by a unidirectional rule to continue even if failover occurs midstream.
→ Blocking Persistence – flow state including verdict (blocked or allowed) is shared to ensure the verdict is persistent after failover.
→ Dynamic Network Address Translation (NAT) – dynamic mapping of IP and ports remains persistent after failover.
§ Supports clustered appliance stacks (8250, 8260, 8270 and 8290)

Enhanced High-Availability
§ Devices directly connected via the HA Link external interfaces
§ Clustered devices must be the same model with identical NetMods
HA Link interface depends upon the potential throughput of each cluster member
Advanced Malware Protection Solution
Dedicated FirePOWER appliance for Advanced Malware Protection with subscription
----- OR -----
Add-on subscription to any FirePOWER appliance for NGIPS

Advanced Malware Protection subscription for hosts, virtual and mobile devices

Complete advanced malware protection to protect networks and devices
Dynamic Analysis: Process Overview
§ File detected on the FirePOWER appliance
→ Calculates hashes (e.g. 1892y…skQsd)
→ Saves a copy if policy dictates*
§ Hash metadata sent to the AMP Cloud (FireAMP Cloud: metadata / hashes), optionally via a proxy*
§ AMP Cloud response, e.g.:
→ Disposition = Unknown
→ Threat Score = Unknown*
§ File is sent to the VRT Services Cloud for Dynamic Analysis* (if policy dictates), optionally via a proxy*; the VRT Dynamic Analysis Cloud* holds the files
§ Dynamic analysis result:*
→ Analysis queue status
→ Error status
→ Threat Score
Sourcefire Cloud Services: VRT Dynamic Analysis Cloud* (files) and FireAMP Cloud (metadata / hashes); FireSIGHT Management alongside the FirePOWER appliance
* = New with 5.3
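An added example (not Sourcefire's or Cisco's code) tying together the “File Capture: Capturing Files” and “Dynamic Analysis: Process Overview” slides: each appliance keeps a SHA-256-keyed store so a duplicate is not re-captured, de-duplication is per appliance, an Unknown disposition from the hash lookup triggers sandbox submission when the policy allows it, and the returned threat score decides the verdict. The sample files, the cloud and sandbox lookup tables, the sandboxed file types and the block threshold are constructed stand-ins; nothing contacts a real service.

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class ApplianceStore:
    """Per-appliance capture store keyed by SHA-256. De-duplication is per
    appliance: two appliances that both see a file each keep their own copy."""

    def __init__(self, name):
        self.name = name
        self.files = {}        # sha256 -> stored bytes
        self.captures = 0      # times the capture policy fired, duplicates included

    def capture(self, data):
        """Return (digest, newly_stored); an already-held digest is not re-captured."""
        digest = sha256_hex(data)
        self.captures += 1
        if digest in self.files:
            return digest, False
        self.files[digest] = data
        return digest, True


# Constructed sample files: labelled byte strings, not real documents or binaries.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4 constructed benign sample",
    "dropper.exe": b"MZ constructed known-bad sample",
    "newtool.exe": b"MZ constructed never-seen sample",
}

# Constructed stand-ins for the hash lookup and the sandbox result; nothing is
# contacted over the network. A digest absent from the first table is 'Unknown'.
CLOUD_DISPOSITIONS = {
    sha256_hex(SAMPLE_FILES["invoice.pdf"]): "Clean",
    sha256_hex(SAMPLE_FILES["dropper.exe"]): "Malware",
}
SANDBOX_RESULTS = {
    sha256_hex(SAMPLE_FILES["newtool.exe"]): {"status": "complete", "threat_score": 80},
}

# Hypothetical file policy for the example; the block threshold is not from the slides.
POLICY = {"store": True, "dynamic_analysis": True,
          "sandbox_types": (".exe",), "block_threat_score": 76}


def process_file(appliance, filename, data, policy=POLICY):
    """Hash, store, look up, and if still unknown submit for dynamic analysis."""
    digest = sha256_hex(data)
    stored = False
    if policy["store"]:
        digest, stored = appliance.capture(data)
    disposition = CLOUD_DISPOSITIONS.get(digest, "Unknown")
    record = {"appliance": appliance.name, "file": filename, "sha256": digest,
              "stored": stored, "disposition": disposition,
              "sent_for_analysis": False, "analysis_status": None,
              "threat_score": None, "verdict": "allow"}
    if disposition == "Malware":
        record["verdict"] = "block"
    elif (disposition == "Unknown" and policy["dynamic_analysis"]
          and filename.endswith(policy["sandbox_types"])):
        record["sent_for_analysis"] = True
        result = SANDBOX_RESULTS.get(digest, {"status": "queued"})
        record["analysis_status"] = result["status"]
        if result["status"] == "complete":
            record["threat_score"] = result["threat_score"]
            if result["threat_score"] >= policy["block_threat_score"]:
                record["verdict"] = "block"
    return record


def demo():
    """Each sample file once on fp-1, then the known-bad file again on fp-1 and on fp-2."""
    fp1, fp2 = ApplianceStore("fp-1"), ApplianceStore("fp-2")
    records = [process_file(fp1, name, data) for name, data in SAMPLE_FILES.items()]
    records.append(process_file(fp1, "dropper.exe", SAMPLE_FILES["dropper.exe"]))
    records.append(process_file(fp2, "dropper.exe", SAMPLE_FILES["dropper.exe"]))
    return records, fp1, fp2


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec["appliance"], rec["file"], rec["disposition"], rec["verdict"],
              "stored" if rec["stored"] else "duplicate", "score=%s" % rec["threat_score"])
```

A file whose hash is already known as Malware is blocked without ever being stored for analysis, a Clean file is never submitted, and only the never-seen executable goes to the sandbox; a file still queued keeps the policy's default verdict until a score comes back, which is the window the slides' threat-score approach is meant to narrow.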
Network File Trajectory
Quickly understand the scope of the malware problem

Looks ACROSS the organization and answers:
§ What systems were infected?
§ Who was infected first (“patient 0”) and when did it happen?
§ What was the entry point?
§ When did it happen?
§ What else did it bring in?

Network File Trajectory
Screenshot callouts: the time of entry; systems infected
Collective Security Intelligence
Sourcefire Updates: Malware Protection, Reputation Feeds, Vulnerability Database, IPS Rules
Vulnerability Research Team inputs:
• Sandboxing
• Sourcefire AEGIS™ Program
• Private & Public Threat Feeds
• Machine Learning
• Big Data Infrastructure
• Sandnets
• Honeypots
• File Samples (>180,000 per day)
• FireAMP™ Community
• Advanced Microsoft & Industry Disclosures
• SPARK Program
• Snort® & ClamAV™ Open Source Communities
All were smart. All had security. All were seriously compromised.

Survey – Evaluate victim’s countermeasures
Write – Craft context-aware malware to penetrate victim’s environment
Test – Check malware works & evades victim’s countermeasures
Execute – Deploy malware. Move laterally, establish secondary access
Accomplish – The mission: Extract data, destroy, plant evidence, compromise.
Dynamic Threat Protection Evolution (timeline FY12/FY13 to FY17), building toward unmatched visibility, enforcement, and remediation:
• Web Reputation Coverage
• Network as a Sensor (Lancope & Cognitive)
• File Analysis & Sandboxing (FireAMP)
• Automated Remediation Across Network, Cloud, and Endpoints (FireSIGHT & FireAMP)
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Thank you.
