Cisco Firepower IPS is to detect and prevent intrusions in the network. This is the topic of this section to be discussed.

Cisco Firepower IPS Rules Fundamental

Cisco Firepower IPS detection main methods

there are two main methods that IPS detects intrusions in the network.

In the signature based detection, all knows attacks and intrusions are already encoded in the signatures like what we have in anti-virus. We have to regularly update signatures to detect latest known attacks.

Cisco Firepower IPS detection methods
Cisco Firepower IPS detection methods

in signature based detection, we are not able to detect zero-day attacks, which are new and there is no signature still written for them.

In anomaly based detection, all traffic violating normal traffic are assumed to be attack. In this method, Firepower is always learning and updating normal traffic pattern of the Enterprise. Any traffic violating normal profiled pattern is assumed to be anomaly.

With anomaly based detection, we can detect zero-based attack but is has mostly false positive.

False positive is normal traffic incorrectly labeled as intrusion traffic.

Cisco Firepower IPS and Snort

Cisco Firepower IPS rules are based on open source Snort IDS software. before Firepower version 6.7, Snort version 2 was used, but after Firepower version 6.7, Snort version 3 is also supported.

Snort Version 2 and Snort Version 3 are not compatible. there is a snort convertor feature in new firepower versions to change snort rules from version 2 to version 3.

Firepower and Snort Version
Firepower and Snort Version

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html

throughout this course we are configuring IPS rules based on Snort version 3.

Cisco Firepower IPS Rules

In “Devices -> Device Management”, you can check if the Firepower is using the new Snort version 3. You can also change it to old Snort version 2 if you want.

check current version of snort rules used in firepower
check current version of snort rules used in firepower
revert firepower to use old snort version 2
revert firepower to use old snort version 2

In “Objects -> Intrusion Rules”, you can check all Firepower IPS rules in both old Snort version 2 and new Snort version 3 format.

Let’s check IPS rules based on Snort version 3, since our firepower is using Snort Version 3.

Cisco Firepower IPS Rules based on Snort Version 3
Cisco Firepower IPS Rules based on Snort Version 3

As you can see, we have 44.960 firepower rules which are grouped in 9 parent group and 67 final groups. As an example in group “Server -> Apache”, we have 161 rules

In the right section you have the capability to search rules based on many options including name and CVE number.

For each rule you can see the Snort version 3 syntax, which is mostly similar but with a few differences compare to  Snort version 2.

In the right top corner of Firepower rules we can convert old Snort version rules to Snort version 3 rules and import them into Firepower or download them to your computer.

Cisco Firepower IPS Variable Set

if we check the Snort syntax of a rule in the “Server -> Apache” group, we can see that there are some variables called in the Snort rule, like $EXTERNAL_NET, $HOME_NET or $HHTP_PORTS.

Variable Set in Cisco Firepower IPS Rules
Variable Set in Cisco Firepower IPS Rules

These variables are defined in a default variable set and we can configure them based on our topology and environment. You can also create a new variable set to be used in your IPS policy.

In “Objects -> Object Management -> Variable Set”, you can change the variable set or configure a new one.

Here you can see that the value of HOME_NET variable is any. You can for example include you real internal network as a value for HOME_NET variable.

Edit or create Variable Set in Cisco Firepower to be used in IPS Policy
Edit or create Variable Set in Cisco Firepower to be used in IPS Policy
include your real internal subnets as a value in HOME_NET variable in IPS Variable Set
include your real internal subnets as a value in HOME_NET variable in IPS Variable Set

Cisco Firepower IPS Policy configuration

In “Policies -> Intrusion”, we are able to create new policies.

The option “All IPS Rules” is a shortcut for “Objects -> Intrusion Rules” which we have discussed earlier.

With “Create Policy”, we can create new policy.

when we create a new policy, we have to choose the option detection mode or prevention mode. in detection mode all rules with drop action will be alerted only and the connection will not be blocked. Normally we use prevention mode except for some specific cases.

We also have to choose a based policy. In the based policy, you must decide whether security is more important to you or connectivity is preferred in your network.

Create new IPS Policy
Create new IPS Policy

If security is more a priority, we will choose the option “security over connectivity”. In this option, you’re likely to have some false positives that  recognize normal connections as intrusions.

If connectivity is preferred, , we will choose the option “connectivity over security”. In this option, we’ll likely have more false negatives that can’t detect intrusions, and they’ll be recognized as normal traffic.

We also have an option in the middle, “Balance security and connectivity”, which try to minimize both false positive and false negative.

The option “Maximum Detection” has more emphasis on the security even more than “security over connectivity”.

After creating policy, you have the option to configure the rules based on Snort Version 2 or Snort Version 3. I choose Snort Version 3 to configure the rules.

configure firepower IPS Policy based on Snort Version 2 or Version 3
configure firepower IPS Policy based on Snort Version 2 or Version 3

After configuring IPS policy, now we have the capability to change the action of any of IPS rules for this policy.

If we go to Server -> Apache” group. We can see that in “Balanced Security and Connectivity” mode, there are 135 “Disabled” rules. 26 rules with action “Block” and no rule with alert action.

show Cisco Firepower Server Apache Group Rules
show Cisco Firepower Server Apache Group Rules

One advantage of Snort version 3 is that we can change the mode of security for each group independently. With creation of IPS policy, we have  selected default “Balanced Security and Connectivity” for all group rules.

With clicking “Security Level Description”, we can change the level of security. By default the level of security is 2 from 4. I change the level of security from 2 to 3. Now we can see that the action of 61 rules are “Blocked” and 100 rules “Disabled” which is more aggressive compare to 26 and 135 rules.

change Cisco Firepower Server Apache Group rules Severity
change Cisco Firepower Server Apache Group rules Severity
Cisco Firepower Apache Group Rules with more aggresive security
Cisco Firepower Apache Group Rules with more aggresive security

For each rule we have the option to change the action to “Block”, “Alert” or “Disable”.

change the action of each rule in Cisco firepower IPS policy
change the action of each rule in Cisco firepower IPS policy

For a test I want to change the action of “ICMP Echo Reply” rule which is “Disable” by default. I change it to “Block” to block any icmp traffic from EXTERNAL_NET to HOME_NET.

change icmp echo reply IPS rule from disable to block
change icmp echo reply IPS rule from disable to block

After changing IPS rules, we have to apply it to an access control rule. I will apply IPS Policy1 to “permit_all” rule in access control with default variable set.

As you have noticed we have the option to select a different variable set for our IPS policy.

applying IPS Policy to Access Control Rule
applying IPS Policy to Access Control Rule

Now we expect that our ICMP traffic from inside to outside will not receive any reply. We can monitor the result in “Analysis -> Intrusion -> Events”.

monitor IPS policy result
monitor IPS policy result
Cisco Firepower Intrusion Event
Cisco Firepower Intrusion Event
Back to: Cisco FTD Design and Implementation > Cisco Firepower IPS Policy

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment