Cisco Snort

Cisco Firewall with Cisco IPS

In today's digital landscape, the need for robust network security has never been more critical. With the increasing prevalence of cyber threats, businesses must invest in reliable firewall solutions to safeguard their sensitive data and systems. One such solution that stands out is the Cisco Firewall. In this blog post, we will explore the key features, benefits, and best practices of Cisco Firewall to help you harness its full potential in protecting your network.

Cisco Firewall is an advanced network security device designed to monitor and control incoming and outgoing traffic based on predetermined security rules. It is a barrier between your internal network and external threats, preventing unauthorized access and potential attacks. With its stateful packet inspection capabilities, the Cisco Firewall analyzes traffic at the network, transport, and application layers, providing comprehensive protection against various threats.

Cisco Firewall with IPS functions offers a plethora of features designed to fortify network security. These include:

1. Signature-based detection: Cisco's extensive signature database enables the identification of known threats, allowing for proactive defense.

2. Anomaly-based detection: By monitoring network behavior, Cisco Firewall with IPS functions can detect anomalies and flag potential security breaches.

3. Real-time threat intelligence: Integration with Cisco's threat intelligence ecosystem provides up-to-date information and protection against emerging threats.

The combination of Cisco Firewall with IPS functions offers several enhanced security measures, such as:

1. Intrusion Prevention: Proactively identifies and blocks intrusion attempts, preventing potential network breaches.

2. Application Awareness: Deep packet inspection allows for granular control over application-level traffic, ensuring secure usage of critical applications.

3. Virtual Private Network (VPN) Protection: Cisco Firewall with IPS functions offers robust VPN capabilities, securing remote connections and data transmission.

Highlights: Cisco Firewall with IPS

Introducing Cisco Firewall

Cisco Firewall is renowned for its industry-leading performance and comprehensive security features. This section will examine Cisco Firewall’s key features, such as stateful packet inspection, application control, VPN support, and intrusion prevention system (IPS) integration.

Unleashing the Power of Cisco IPS

As mentioned earlier, Cisco IPS integration is a notable feature that sets Cisco Firewall apart from its counterparts. This section will focus on Cisco IPS, its purpose, and how it seamlessly integrates with Cisco Firewall to provide enhanced threat detection and prevention capabilities.

Deploying Cisco Firewall in Your Network

Implementing a Cisco Firewall requires careful planning and configuration. This section will discuss best practices for deploying Cisco Firewall, including network topology considerations, rule management, and the importance of regular updates and patches.

To showcase the effectiveness of the Cisco Firewall in real-world scenarios, we will highlight success stories from organizations that have implemented it and experienced significant improvements in their network security posture. These case studies will inspire and demonstrate the tangible benefits of deploying the Cisco Firewall.

Cisco Firewall and Zero Trust

Cisco Firewall offers a robust set of features and capabilities that align with the principles of Zero Trust. These include advanced threat detection and prevention mechanisms, granular access control policies, identity-based access management, and seamless integration with other security tools.

Implementing Cisco Firewall in a Zero Trust Environment

Deploying a Cisco Firewall within a Zero Trust framework involves careful planning and configuration. Organizations must define their security policies, segment their network resources, and establish strict access controls based on user roles and least privilege principles.

Key Cisco Firewall Discussion Points:

  • Introduction to the Cisco Firewall and what is involved in the solution.

  • I am highlighting the details of the challenging landscape along with recent trends.

  • Technical details on how to approach implementing a Cisco IPS based on Snort.

  • Scenario: different network security vantage points, including Cisco Secure Endpoint and Cisco Secure Malware Analytics.

  • Details on the different Snort releases and the issues with Snort 2.

  • Technical details on Cisco Snort 3.

Back to basics: Cisco Firewall and Cisco IPS

Key Features and Benefits

1. Robust Threat Defense: Cisco Firewall employs various security measures, including intrusion prevention system (IPS), VPN support, URL filtering, and advanced malware protection. This multi-layered approach ensures comprehensive threat defense, effectively detecting and mitigating known and emerging threats.

2. Scalability and Performance: Cisco Firewall solutions are built to cater to the needs of organizations of all sizes. From small businesses to large enterprises, Cisco offers various firewall models with varying performance levels, ensuring scalability and optimal network performance without compromising security.

3. Simplified Management: Cisco Firewall solutions have intuitive management interfaces, allowing network administrators to configure and monitor firewall policies easily. Advanced features like centralized management platforms and automation capabilities further streamline security operations, saving time and effort.

Diagram: Cisco Firewall main components.

Best Practices for Deploying Cisco Firewall

1. Comprehensive Security Policy: Establish a robust security policy that aligns with your organization’s requirements. Define and enforce rules for traffic filtering, application control, user access, and more.

2. Regular Firmware Updates: Keep your Cisco Firewall up to date by regularly installing firmware updates and security patches. This ensures your firewall has the latest threat intelligence and vulnerability fixes.

3. Access Control: Implement strict access control measures to restrict network access only to authorized personnel. For enhanced security, utilize user-based access control lists (ACLs) and two-factor authentication.

Integration with Cisco IPS

Cisco Firewall can be seamlessly integrated with Cisco Intrusion Prevention System (IPS) to enhance network security. While the firewall acts as the first line of defense, IPS adds a layer of protection by actively monitoring network traffic for suspicious activities and automatically taking action to prevent potential threats.

The Security Landscape: Key Points

Range of Attack Vectors

We are constantly under pressure to ensure that mission-critical systems are safe from bad actors who will try to penetrate the network and attack critical services with a range of attack vectors. So, we must create a reliable way to detect and prevent intruders. Adopting a threat-centric network security approach with the Cisco intrusion prevention system is one viable option. The Cisco IPS is an engine based on Cisco Snort and is an integral part of the Cisco Firewall, specifically the Cisco Secure Firewall.

The Role of the Firewall

Firewalls have been around for decades and come in various sizes and flavors. The most typical idea of a firewall is a dedicated system or appliance that sits in the network and segments an “internal” network from the “external” Internet. The traditional Layer 3 firewall has baseline capabilities that generally revolve around the assumption that the inside is good and the outside is bad. However, we must move from merely meeting our internal requirements to meeting a dynamic threat landscape in which the bad actors are evolving. There are various firewall security zones, each serving a specific purpose and catering to different security requirements. Let’s explore some common types:

1. DMZ (Demilitarized Zone):

The DMZ is a neutral zone between the internal and untrusted external networks, usually the Internet. It acts as a buffer zone, hosting public-facing services such as web servers, email servers, or FTP servers. By placing these services in the DMZ, organizations can mitigate the risk of exposing their internal network to potential threats.

2. Internal Zone:

The internal zone is the trusted network segment where critical resources, such as workstations, servers, and databases, reside. This zone is typically protected with strict access controls and security measures to safeguard sensitive data and prevent unauthorized access.

3. External Zone:

The external zone represents the untrusted network, which is usually the Internet. It serves as the gateway through which traffic from the external network is filtered and monitored before reaching the internal network. By maintaining a secure boundary between the internal and external zones, organizations can defend against external threats and potential attacks.

Numerous Attack Vectors

We have malware, social engineering, supply chain attacks, advanced persistent threats, denial of service, and various man-in-the-middle attacks. And nothing inside the network should be considered safe. So, we must look beyond Layer 3 and incorporate multiple security technologies into firewalling.

The standard firewall can prevent some of these attacks, but we need to add additional capabilities to its baseline so that we have a better chance of detection and prevention. Some of the technologies we layer on are provided by Cisco Snort, which powers the Cisco intrusion prevention system (Cisco IPS) included in the Cisco Firewall solution that we will discuss in this post.

Diagram: Cisco CASB.

Intrusion Detection

An intrusion detection system (IDS) can assist in detecting intrusions and intrusion attempts within your network, allowing you to take suitable mitigation and remediation steps. However, remember that a pure IDS will not prevent these attacks; instead, it will let you know when they occur.

So an IDS solves only half of the puzzle. An IDS will parse and interpret network traffic and host activities. This data can range from network packet captures to the contents of log files from routers, firewalls, and servers, local system logs, access calls, and network flow data, to name a few.

Attack Signatures

Likewise, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic, or behavior it sees in the data it’s monitoring against those signatures to recognize when a close match between a signature and current or recent behavior occurs.

It is possible to distinguish IDSes by the types of activities, traffic, transactions, or systems they monitor. For example, IDSes that monitor network links and backbones looking for attack signatures are called network-based IDSes. In contrast, those that operate on hosts and defend and monitor the operating and file systems for signs of intrusion are called host-based IDSes.

Diagram: Traditional intrusion detection with Cisco IPS.

Cisco Firewall

The Cisco Firewall is a next-generation firewall that adds several compelling threat detection and prevention technologies to the security professional’s toolbox. The Cisco Firewall solution is more than just Firewall Threat Defense (FTD). Several components make up the security solution. Firstly, we have the Firewall Management Center (FMC), the device that gives you the GUI and configures the policy and operational activities for the FTD. We also include several services.

Cisco Secure Endpoint

We have two key pieces around malware. First, the Cisco Secure Endpoint cloud is a database of known bad and good files that maintains a file hash for each entry. So, as files pass through the firewall, it can make a decision on known files. These hashes can be calculated at line rate, and the Cisco firewall can do quick lookups. This allows it to hold the last packet of the file and determine whether the file is good, bad, or unknown.

Cisco Secure Malware Analytics

So, we can build a policy around checking the hash. However, if the file has not been seen before, you can extract it and submit it to Cisco Secure Malware Analytics. This is a sandbox technology: the potentially bad file is run in a VM-type environment, and a report with a score is sent back. This is a detection phase and not prevention, as it can take around 15 mins to get the score back.

These results can then be fed back into the Cisco Secure Endpoint cloud. Now everyone, including other organizations that have signed up to the Cisco Secure Endpoint cloud, can block a file that was seen in just one place. No file data is shared; it’s just the hash. There is also Talos Intel, Cisco’s research organization and secret sauce, with over 250 highly skilled researchers. It provides intelligence such as Indicators of Compromise (IoCs), bad domains, and signatures looking for exploits, and this feeds all security products.

Diagram: Components of the Cisco Firewall solution.

Cisco IPS

We need several network security technologies that can work together. First, we need a Cisco IPS that provides protocol-aware deep packet inspection and detection, which Cisco Snort can provide and which we will discuss soon. You also need lists of bad IPs, domains, and file hashes that allow you to tune your policy based on them. For example, for networks that are a source of spam, you want a different response than for networks known to host the bad actors’ C&C.

Also, URL filtering. When we think about URL filtering, we usually think about content filtering, in the sense that users should not access specific sites from work. However, the URL is also valuable from a security and threat perspective. Often, transport is only over HTTP, DNS is constantly changing, and the bad actors rely only on a URL to connect to, for example, a C&C. So this is a threat intelligence area that can’t be overlooked.

We also need to look at file hashing and run engines on the firewall that can identify malware without sending it to the cloud for checking. Finally, it also helps to have real-time network awareness and indicators of compromise. The Cisco Firewall can watch all traffic; you tell it which networks this firewall protects and which hosts are the top talkers, so it can potentially notice abnormal behavior.

Cisco Snort

This is where Cisco Snort comes into play. Snort can carry out more or less all of the above with its pluggable architecture, more specifically Snort 3. Cisco now develops and maintains Snort, known as Cisco Snort. Snort is an open-source network intrusion prevention system. In its most straightforward terms, Snort monitors network traffic, examining each packet closely to detect a harmful payload or suspicious anomalies.

As an open-source prevention system, Cisco Snort can perform real-time traffic analysis and packet logging. The same engine runs in the commercial products as in open-source development. The open-source core engine has over 5 million downloads and 500,000 registered users; Snort is a leader in its field. Before the Cisco IPS team got their hands on it, Snort was released in 1998, and the program was meant to be a packet logger. You can still download the first version. It has come a long way since then, so Snort is much more than a Cisco IPS.

In reality, Snort is a flexible, high-performance packet processing engine. The latest version, Snort 3, is pluggable, so you can add modules to make it adaptable to cover different security aspects. The evolution from Snort 2 to Snort 3 took two years. With release 7, Cisco Secure Firewall Threat Defence introduced Snort 3 on FMC-managed devices. Now, we can have a Snort 3 filter with the Cisco Firewall, rule groups, and rule recommendations. Combined, these will help you use the Cisco firewall better to improve your security posture.

Snort 2

So we started with Snort 2, even though Snort 3 has been out for a few years. Snort 2 has four primary, or let’s say essential, components:

  1. It starts with the decoder. This is where some minor decoding is performed once the packets are pulled off the wire. This is what you might see with tcpdump.
  2. Then, we have the pre-processors, the secret sauce of Snort 2. These are responsible for normalization and reassembly. Their primary role is to present data to the next component, the detection engine.
  3. The detection engine is where the Snort rules live, and this is where we process the rules against the observed traffic.
  4. Log module. If something is found based on the rules applied to the traffic, the log module enables you to create a unified alert.

  • A key point: Snort rule tree

When Snort loads a rule set, it doesn’t start at the top and run a packet through every rule; it breaks the rule set up into what are known as rule trees based on, for example, source port or destination port. So, when it comes to evaluating a packet, the packet only goes through a few rules. So, Cisco Snort, which provides the Cisco IPS for the Cisco Firewall, is efficient because it only needs to run packets through the rules that might apply to them.
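
To make the decoder and rule-tree stages concrete, here is an added example (written for this post, not Snort’s own code) that decodes a constructed IPv4/TCP or UDP packet, buckets a small Snort-style rule set by protocol and destination port, and then evaluates the packet only against the buckets that can apply. The rule syntax is a reduced subset (header plus msg, content and sid options), and the rules, addresses and payloads are all constructed here.

```python
"""Added example (not Snort's own code): a toy Snort 2 pipeline, decoder first,
then a rule tree keyed by protocol and destination port so a packet is checked
only against rules that can apply. Rules use a small Snort-like subset and
the packets are constructed here; nothing touches a real network."""
import re
import struct
from collections import defaultdict

# Constructed rule set: action proto src sport -> dst dport (options)
RULES = """
alert tcp any any -> any 80 (msg:"HTTP cmd.exe in URI"; content:"cmd.exe"; sid:1000001;)
alert tcp any any -> any 22 (msg:"SSH banner"; content:"SSH-"; sid:1000002;)
alert tcp any any -> any any (msg:"Any-port marker"; content:"EVIL"; sid:1000003;)
alert udp any any -> any 53 (msg:"DNS marker"; content:"badhost"; sid:1000004;)
"""
HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>tcp|udp)\s+\S+\s+\S+\s*->\s*\S+\s+"
                       r"(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+):"?([^";]*)"?;')


def parse_rules(text):
    """Parse each rule into proto, dport ('any' or int), content bytes, msg, sid."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            raise ValueError("bad rule: " + line)
        opts = dict(OPT_RE.findall(m.group("opts")))
        dport = m.group("dport")
        rules.append({"proto": m.group("proto"),
                      "dport": "any" if dport == "any" else int(dport),
                      "content": opts.get("content", "").encode(),
                      "msg": opts.get("msg", ""), "sid": int(opts.get("sid", 0))})
    return rules


def build_rule_tree(rules):
    """The 'rule tree': rules bucketed by (proto, dport) so the detection engine
    can skip every rule whose header cannot match the packet."""
    tree = defaultdict(list)
    for r in rules:
        tree[(r["proto"], r["dport"])].append(r)
    return tree


def decode_packet(raw):
    """Decoder stage: minimal IPv4 + TCP/UDP header parse (no IP options)."""
    ihl = (raw[0] & 0x0F) * 4
    proto_num = raw[9]
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    if proto_num == 6:            # TCP: data offset lives in the high nibble of byte 12
        proto, l4len = "tcp", (raw[ihl + 12] >> 4) * 4
    elif proto_num == 17:         # UDP: fixed 8-byte header
        proto, l4len = "udp", 8
    else:
        raise ValueError("unsupported protocol %d" % proto_num)
    return {"proto": proto, "sport": sport, "dport": dport, "payload": raw[ihl + l4len:]}


def candidate_rules(tree, pkt):
    """Only the bucket for this packet's destination port plus the 'any' bucket."""
    return tree.get((pkt["proto"], pkt["dport"]), []) + tree.get((pkt["proto"], "any"), [])


def inspect(tree, raw):
    """Detection stage: returns (sids that fired, number of rules actually evaluated)."""
    pkt = decode_packet(raw)
    cands = candidate_rules(tree, pkt)
    fired = [r["sid"] for r in cands if r["content"] and r["content"] in pkt["payload"]]
    return fired, len(cands)


def make_ipv4(proto_num, sport, dport, payload):
    """Build a constructed IPv4 packet (checksums left zero; fine for a decoder demo)."""
    if proto_num == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto_num, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + l4 + payload


TREE = build_rule_tree(parse_rules(RULES))

if __name__ == "__main__":
    pkt = make_ipv4(6, 40000, 80, b"GET /scripts/cmd.exe HTTP/1.1\r\n\r\n")
    print(inspect(TREE, pkt))  # ([1000001], 2): only the tcp/80 and tcp/any buckets ran
```

Of the four rules loaded, a packet to TCP/80 is evaluated against two (its own port bucket and the port-agnostic bucket), and the same payload sent to TCP/8080 is evaluated against one, which is the efficiency the rule tree buys.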

  • A key point: Knowledge check for Packet Sniffing

Capturing network traffic is often a task during a penetration testing engagement or while participating in a bug bounty. One of the most popular packet capture tools (sniffer) is Wireshark. If you are familiar with Linux, you know about another lightweight but powerful packet-capturing tool called tcpdump. The packet sniffing process involves a cooperative effort between software and hardware. This process can be broken down into three steps:

Collection: The packet sniffer collects raw binary data from the wire. Generally, this is accomplished by switching the selected network interface into promiscuous mode. In this mode, the network card can listen to all traffic on a network segment, not only the traffic addressed to it.

Conversion: The captured binary data is converted into readable form. This is as far as most developed command-line packet sniffers can go. At this point, the network data can be interpreted fundamentally, leaving most of the analysis to the end user.

Analysis: Finally, the packet sniffer analyzes the captured and converted data. The sniffer verifies the protocol of the captured network data based on the information extracted and begins its analysis of that protocol’s distinguishing features.

Snort 3

Then, we have a new edition of the Cisco IPS. Snort 3.0 is an updated version with a new design and a superset of Snort 2. Snort 3 includes additional functionality that improves efficacy, performance, scalability, usability, and extensibility. In addition, Snort 3 aimed to address some of the limitations of Snort 2. For example, Snort 2 is packet-based, so it is essentially a per-packet packet sniffer. So statefulness, awareness of fragments, and the fact that an HTTP GET’s boundaries are not packet boundaries and can spread over multiple packets all had to be built in on top.

HTTP Protocol Analyzer

Snort 3 has a good HTTP protocol analyzer that can detect HTTP running over any port. Many IPS providers only look at 80, 8080, and 442; HTTP over any other port is assumed to be plain TCP. However, based on Cisco Snort, Cisco IPS can detect HTTP over any port. Once it knows the traffic is HTTP, Snort can set up pointers into the different parts of the message. So when you get to the IPS rules section looking for patterns, you don’t need to do the lookup and calculation again, which is essential when you are going at line rate.

  • A key point: Snort is pluggable

Also, within the Cisco firewall, Cisco Snort is pluggable and does much more than protocol analysis. It can perform additional security functions, such as network discovery, a type of passive detection, along with advanced malware protection and application identification, not by ports and protocols but by deep packet inspection. Now, you can have a policy based on the application. An identity engine can also map users to IPs, allowing identity-based firewalling. So, Cisco Snort does much of the heavy lifting for the Cisco Firewall.

Diagram: Cisco Snort typical deployment.

Snort 2 architecture: The issues

Snort 3 has a modern architecture for handling all of the Snort 2 packet-based evasions. It also supports HTTP/2, whereas Snort 2 only supports HTTP/1. The process architecture is the most meaningful difference between Snort 2 and Snort 3. To go faster in Snort 2, you run more Snort processes on the box. Depending on the product, a connection arrives and is hashed based on a 5-tuple or a 6-tuple. I believe the 5-tuple is for open-source products and the 6-tuple is for commercial products.

Connections with the same hash go to the same CPU. To improve Snort 2 performance, if you had a single CPU on a box, you would add another Snort process on another CPU and get double the performance with no overhead. Snort 2 works with multiple Snort processes, each affiliated with an individual CPU core, and within each Snort process, there is a separate thread for management and data handling.

But we are loading Snort over and over again. So, we have linear scalability, which is good, but duplicated memory structures, which is bad. Every time we load Cisco Snort, we load the rules, and everything runs in its own isolated world.

Snort 3 architecture: Resolving the issues

On the other hand, Snort 3 is multi-threaded, unlike Snort 2. This means we have one control thread and multiple packet threads. The packet arrives at the control thread, and we have the same connection hashing with a 5-tuple or 6-tuple. Snort 3 runs as one process, with each packet thread affiliated with an individual CPU core, backed by one control thread that handles data for all packet-processing threads. Connections are still pinned to a core, but now they are pinned to packet threads; each packet thread runs on its own CPU, but they all share the control thread, and with it the rules.

The new Snort 3 architecture eliminates the need for a control thread per process and facilitates configuration/data sharing among all threads. As a result, less overhead is required to orchestrate the collaboration among packet-processing threads. We get better memory utilization, and reloads are much faster.

Snort 3 inspectors

Snort 3 has inspectors now, where Snort 2 had pre-processors. For example, there is an HTTP inspector instead of an HTTP pre-processor. Packets are also processed differently in Snort 3 than in Snort 2. In Snort 2, the packet moves linearly through specific steps in a preprocessing stage.

What happens is that the packet has to go through, and every field of the packet will be decoded. If this is HTTP, the pre-processor will look at the GET, the body, and the header, for example. All of this is decoded in case a rule needs that data. In the case of RPC, there are many fields in an RPC packet, so it could decode fields in the packet that no rule ever needs. So, there is time to be saved in decoding the data.

Parallel resource utilization

On the other hand, Snort 3 uses what is known as parallel resource utilization. We have plugins and a publish-and-subscribe model in the packet inspection process. So, when it looks at a packet, there are things it can decode. When the packet gets to a rule, the rule might say that it needs the body and no other fields. Then, only the body is decoded. This is referred to as just in time instead of just in case. You don’t waste time decoding fields in the packet that no rule needs.
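
The two HTTP-inspector ideas from this post, detecting HTTP by the request’s shape rather than its TCP port and decoding a field only when a rule asks for it, are illustrated by this added example (written for this post, not Snort’s HTTP inspector). The `HttpInspector` class, its field names and the two rules are constructed for the demonstration; the `just_in_time=False` path decodes every field up front so the difference is visible.

```python
"""Added example (not Snort's code): an HTTP inspector in the style the post
describes for Snort 3. It detects HTTP by the request's shape rather than the
TCP port, records offsets (pointers) into the request once, and decodes a field
only when a rule asks for it (just in time) rather than every field (just in case)."""

METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(payload):
    """Port-independent HTTP detection: request-line shape, not port number."""
    first_line = payload.split(b"\r\n", 1)[0]
    return payload.startswith(METHODS) and b" HTTP/1." in first_line


class HttpInspector:
    """Locates request line, header block and body once (a cheap offset scan);
    each field is decoded lazily on first access and the decoding is recorded."""

    def __init__(self, payload):
        self.raw = payload
        self.decoded = set()          # fields actually decoded so far
        self._cache = {}
        line_end = payload.find(b"\r\n")
        if line_end < 0:
            line_end = len(payload)
        hdr_end = payload.find(b"\r\n\r\n")
        body_start = hdr_end + 4
        if hdr_end < 0:               # no blank line: headers run to the end, no body
            hdr_end = body_start = len(payload)
        # pointers into the buffer; no field has been parsed yet
        self.ptr = {"request_line": (0, line_end),
                    "headers": (min(line_end + 2, hdr_end), hdr_end),
                    "body": (body_start, len(payload))}

    def _slice(self, name):
        start, end = self.ptr[name]
        return self.raw[start:end]

    def field(self, name):
        """Decode on demand: 'uri', 'headers' (dict) or 'body'."""
        if name in self._cache:
            return self._cache[name]
        self.decoded.add(name)
        if name == "uri":
            parts = self._slice("request_line").split(b" ")
            value = parts[1] if len(parts) >= 2 else b""
        elif name == "headers":
            value = {}
            for line in self._slice("headers").split(b"\r\n"):
                if b":" in line:
                    k, v = line.split(b":", 1)
                    value[k.strip().lower()] = v.strip()
        elif name == "body":
            value = self._slice("body")
        else:
            raise KeyError(name)
        self._cache[name] = value
        return value


# Constructed rules: each names the single buffer it needs and a pattern to look for.
RULES = [
    {"sid": 2000001, "field": "uri", "pattern": b"../"},
    {"sid": 2000002, "field": "body", "pattern": b"<script"},
]


def evaluate(payload, rules=RULES, just_in_time=True):
    """Returns (fired sids, set of fields that were decoded). With
    just_in_time=False every field is decoded up front, Snort 2 style."""
    if not looks_like_http(payload):
        return [], set()
    insp = HttpInspector(payload)
    if not just_in_time:
        for name in ("uri", "headers", "body"):
            insp.field(name)
    fired = [r["sid"] for r in rules if r["pattern"] in insp.field(r["field"])]
    return fired, insp.decoded


if __name__ == "__main__":
    # Constructed request; the TCP port it arrived on plays no part in detection.
    req = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Type: text/plain\r\n\r\nhello <script>alert(1)</script>")
    print(evaluate(req))                      # ([2000002], {'uri', 'body'})
    print(evaluate(req, just_in_time=False))  # ([2000002], {'uri', 'headers', 'body'})
```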

Rule Group Security Levels

With Snort 2, regarding rule sets, you have only a few options. For example, you can pick a policy with no rules active, which is not recommended. There is also a connectivity-over-security rule set. We also have balanced security and connectivity, and then security over connectivity. With Snort 3, you get more than just these policy sets. We have rule groups that we can use to set the security levels individually. So, the new feature is Rule Groups, making it easier to adjust your policy.

With rule groups, we can assign security levels to each sub-group. So you can adjust based on your usage, such as a more aggressive rule set for Chrome but not for Internet Explorer. The security level can be set on a per-group basis, whereas Snort 2 offers this only in the base policy.

  • Level 1 – Connectivity over Security
  • Level 2 – Balanced Security and Connectivity
  • Level 3 – Security over Connectivity
  • Level 4 – Maximum Detection

Now, there is no need to set individual rule states. We have levels that equate to a policy. With Snort 2, you would have to change the entire base policy, but with Snort 3, we can change the groups related to the rule set. What I like about this is the trade-off: you can have rules, for example, for a browser that is not common on your network but still exists.

Summary: Cisco Firewall and IPS

In today’s rapidly evolving digital landscape, cybersecurity is of paramount importance. With increasing cyber threats, organizations must employ robust security measures to safeguard their networks and sensitive data. One such solution that has gained immense popularity is the Cisco Firewall and IPS (Intrusion Prevention System). This blog post dived deep into Cisco Firewall and IPS, exploring their capabilities, benefits, and how they work together to fortify your network defenses.

Section 1: Understanding Cisco Firewall

Cisco Firewall is a formidable defense mechanism that acts as a barrier between your internal network and external threats. It carefully inspects incoming and outgoing network traffic, enforcing security policies to prevent unauthorized access and potential attacks. By leveraging advanced technologies such as stateful packet inspection, network address translation, and application-level filtering, Cisco Firewall provides granular control over network traffic, allowing only legitimate and trusted communication.

Section 2: Exploring Cisco IPS

On the other hand, Cisco IPS takes network security to the next level by actively monitoring network traffic for potential threats and malicious activities. It uses a combination of signature-based detection, anomaly detection, and behavior analysis to identify and mitigate various types of attacks, including malware, DDoS attacks, and unauthorized access attempts. Cisco IPS works in real-time, providing instant alerts and automated responses to ensure a proactive defense strategy.

Section 3: The Power of Integration

While Cisco Firewall and IPS are powerful, their true potential is unleashed when they work together synchronously. Integration between the two enables seamless communication and sharing of threat intelligence. When an IPS identifies a threat, it can communicate this information to the Firewall, immediately blocking the malicious traffic at the network perimeter. This collaborative approach enhances the overall security posture of the network, reducing response time and minimizing the impact of potential attacks.

Section 4: Benefits of Cisco Firewall and IPS

The combined deployment of Cisco Firewall and IPS offers numerous benefits to organizations. Firstly, it provides comprehensive visibility into network traffic, allowing security teams to identify and respond to threats effectively. Secondly, it offers advanced threat detection and prevention capabilities, reducing the risk of successful attacks. Thirdly, integrating Firewall and IPS streamlines security operations, enabling a proactive and efficient response to potential threats. Lastly, Cisco’s continuous research and updates ensure that Firewalls and IPS remain up-to-date with the latest vulnerabilities and attack vectors, maximizing network security.

Conclusion:

In conclusion, the Cisco Firewall and IPS duo are formidable forces in network security. By combining the robust defenses of a Firewall with the proactive threat detection of an IPS, organizations can fortify their networks against a wide range of cyber threats. With enhanced visibility, advanced threat prevention, and seamless integration, Cisco Firewall and IPS empower organizations to stay one step ahead in the ever-evolving cybersecurity landscape.

Matt Conran: The Visual Age