CBT Nuggets

Firepower Access Control Policies

This skill, led by Keith Barker, focuses on the implementation and management of access control policies within Cisco Firepower. It covers key topics such as creating and applying access control rules, URL filtering, malware and file policies, SSL/TLS decryption, and integrating an Intrusion Prevention System (IPS) into the access control framework. The skill provides a comprehensive understanding of how to secure network traffic and enforce security policies using Firepower's advanced features.

Full lesson from CCNP Security.

51m 7 Videos 7 Questions

Skill 28 of 55 in CCNP Security

Overview

Join Keith Barker as he covers the role access control policies play in Firepower.

In this skill, you'll learn how to implement access control rules, how to use URL filtering and categories to filter websites, and how to create an IPS policy that integrates into an access control policy. Gain an understanding of malware policy, file policy, SSL/TLS decryption, and more.

Access Control Policy Overview

In this Nugget, Keith covers the role access control policies play in Firepower.

Knowledge Check

On a new flow of traffic, list the correct order of operations that may be used by the firewall.



Access Control Policy Rule Actions Concepts

In this Nugget, Keith provides an overview of several actions that are available for rules as part of an access control policy.

Knowledge Check

Which of the following are Action options available for rules in access control policies? (Choose four)

  A. permit
  B. block
  C. trust
  D. monitor
  E. allow
  F. deny


Access Control Policy Rule Actions Demonstration

In this Nugget, Keith implements and demonstrates the rule discussed in the previous Nugget.

Knowledge Check

Access control policies can be configured to match on source/destination zones, IPs, networks, ports, and protocols. True or false?



URL Filtering

In this Nugget, Keith covers the feature of URL filtering based on categories of websites.

Knowledge Check

To enforce policy regarding types of websites users can go to, which of the following is best?

  A. Only a written agreement with the end user
  B. Only enforced with technical controls
  C. Written agreement and enforced with technical controls
  D. Verbal agreement and enforced with technical controls


Malware and File Inspections

In this Nugget, Keith shows you how to create and apply a malware and file policy in Firepower.

Knowledge Check

If an access control policy rule action is block and there's a file policy attached to that rule, the file will NOT be inspected. True or false?



SSL/TLS Decryption

In this Nugget, Keith describes how and why you should implement SSL/TLS decryption within Firepower.

Knowledge Check

Which of the following is the main purpose of using SSL policies?

  A. Looking for files
  B. Making it slower
  C. Enforcing application-layer controls and further inspections
  D. Making it faster


IPS Inspection

In this Nugget, Keith describes and demonstrates the creation of an IPS policy and its integration into the access control policy within Firepower.

Knowledge Check

How are IPS policies implemented?

  A. IPS policies are added to an access control policy Analyze rule
  B. IPS policies are added to an access control policy Inspect rule
  C. IPS policies are added to an access control policy Allow rule
  D. Access policies are added to an IPS policy Allow rule

Transcript

Access Control Policy Overview

0:00 There are a lot of really cool features that we can implement on the FirePOWER appliances. And the overarching tool that we're going to use to coordinate those efforts and those features is something called the Access Control Policy. And in this Nugget, we're going to look at the overview of policy and how the pieces fit in to that Access Control Policy.

0:18 And let's use this topology and this FTD appliance right here for our discussion regarding an Access Control Policy to kind of be the coordinator of all the features or functions that we want to inject or impose on our network traffic. And speaking of network traffic, let's go ahead and just logically talk together about a user like Bob here at this computer, who's trying to access a resource on the internet, or actually anywhere through the firewall would be perfect.

0:45 So as that traffic comes into the firewall-- let's call this ingress traffic-- the firewall is going to make some intelligent decisions right off the bat. If that ingress traffic, that traffic coming into the firewall, is part of an existing connection, the firewall is going to take some shortcuts based on already having tested that traffic and so forth as it speeds that packet and that traffic along its way. So for this discussion, let's imagine that the ingress traffic is brand new. It's a new session that Bob just created or is attempting to create.

1:09 Now, one of the first things that the firewall is going to do is check something called a pre-filter. Now a pre-filter is a great thing to do early on. For example, if you and I decided, hey, let's get a career in XYZ, some brand new career, and then we realized, oh, there's no way that could ever, ever, ever happen, let's cut our losses right now and not wait till the end of three or four years of training or schooling to realize that we can't do that. And that's what the pre-filter does on the firewall itself. The pre-filter takes an early stab at seeing what traffic could be dropped. Case in point, if we know that we don't want to allow tunnel traffic through the firewall, the pre-filter can look at that and say, oh, look at the protocol, look at the ports, I'm going to go and drop this traffic. I don't even want to process it. I'm going to save my time right here.

1:55 Now, assuming the traffic passes the pre-filter, the next thing the firewall does is take a look at Layer 3 and Layer 4 ACLs. Now, I'm doing an abbreviated version of this entire path, because there are a few dozen more steps in between, but this is the big picture. And as part of our policy, if there are Layer 3, Layer 4 access control lists that say, drop the traffic, well, if they match, it's going to go ahead and drop the traffic. And access control lists on a firewall are processed like they are on most other networking devices. They are processed from top down, going through the list of rules. When there's a match, then there's an action taken. And one of those actions could be dropping the traffic. Another action would be allow. And if it's allowed, then that traffic would continue on its way. But the goal of these two elements here is to drop traffic early if we know we don't want to deal with it or forward it for sure. We can drop it early in the process.

2:45 So assuming that traffic is allowed, one of the next steps is security intelligence-- I'll put SI for short-- based on IP address and reputation. So from the cloud, if we have IP addresses that have been identified as malicious or bad, those can be blacklisted. So that could cause traffic to be dropped right there, so we don't have to continue-- I say, we-- so the firewall does not have to continue processing it any further. If the IP address involved has been blacklisted, we can just drop it right here.

3:13 And if the IP address has not been blacklisted and we're still forwarding traffic, says the firewall in its brain, then if we have an SSL policy that says we need to decrypt the traffic, so we can analyze it and inspect it, the SSL policy would do that. And that's presuming it's an SSL session. And if we had an SSL policy and that was decrypted, the traffic is then forwarded on to the next piece, which is security intelligence again. And the benefit of doing security intelligence again now after the SSL decryption is that we now have a better view of what's really being carried in that traffic. And now we can use security intelligence, and we can get security intelligence based on the URL that the actual customer is really going to, as well as DNS related information. So if there's any hanky panky or malicious DNS or URL information, the firewall can then make the decision to drop it right there based on the rules.

3:59 And assuming the traffic is still being forwarded by the firewall, the next thing we do is our application or Layer 7 filtering based on what type of user applications are being allowed through. For example, Bob could be using dozens of Google apps, Google mail or other apps. And based on our policy, we can see what those are. And then we can choose to permit them or allow them or deny them. So traffic could be dropped there as well.

4:26 And if traffic continues-- and I'll go ahead and wrap this up, going back the other direction now-- if the app filtering allowed the application that Bob's trying to use, we could then go ahead and do file and malware analysis, looking for malicious files or files that have malware in them to drop them and stop them from proceeding through the network, as well as we could feed the traffic to the intrusion prevention system aspect of this next generation firewall and next generation IPS, this FirePOWER appliance. So those are both options. And so what we would do is we'd have file and malware policies and/or IPS policies. And then in our access policy, we would point to those IPS and file and malware policies as additional inspections that we want to perform on the traffic. And if everything passes, if the traffic doesn't get dropped at any one of these points, it could then be forwarded out the egress interface of the firewall onto its destination.

5:16 So let's take a look at the interface on the FirePOWER Management Center and discuss it for a moment. And to see our Access Control Policies, we'd click on Policies, and then select Access Control from the dropdown or sub-tab. And we're currently looking at the details of our starter policy, which we created when we deployed our first FTD appliance. Now, currently, we have no rules. But we'd want to add rules to this policy. And they are processed in a top-down fashion. So the first rule is looked at, then the second rule, then the third rule. And then when that rule is matched, the action associated with that rule is taken. Here, we have a link that would take us to the pre-filter policy.

5:52 Now, one question that comes up is that if we have rules and none of them match-- let's say we have 20 or 30 rules and a packet comes in on an initial connection, and all the rules are checked and there's no match, what happens? Well, it takes the default action that we've specified. And currently, we said network discovery only. And we set up network discovery only because we want traffic to flow through the firewall. So there are other options that we can choose for the default action. And that's what's being used if none of the other rules match the traffic as they're going through the firewall. So we're going to leave network discovery only as the default action until we get more granular and more controlling with the access control policy.

6:29 There's also an option for each of our rules as well as the default action to do logging. And in a previous Nugget, we actually turned on logging for the default action. But we have that same feature, that same option, of doing logging on individual rules as we create them in our Access Control Policy. And as we create our rules, if we do want to have further inspections done for file and malware analysis and/or IPS, we can add those as file and IPS policies. And they would show up in these columns right here. So this icon represents intrusion policy. We can tack that onto one of our access control policy rules. And next to that, we have the file policy, which would be looking for malicious software, malicious files as they're being moved or attempted to be moved through the firewall. And for security intelligence, learning information from the cloud regarding IP addresses and URLs and DNS that have poor or bad reputations, we go to this tab, Security Intelligence in the Access Control Policy, to see what's currently in place regarding security intelligence.

7:27 In this Nugget, we've taken a look at the packet flow of traffic going through the firewall for the first time, including some of the decisions it gets to act on regarding should this traffic be allowed or not. We also identified that the overarching controlling mechanism that coordinates all those efforts is the Access Control Policy. In the next Nugget, we'll take a look at the actions that we can have in the Access Control Policy and their intended results. So we'll take a look at that in the very next Nugget. Meanwhile, I hope this has been informative for you, and I'd like to thank you for viewing.

Access Control Policy Rule Actions Concepts

0:00 In our access control policies, in our rules, we can specify the action we want to have taken place when there is a rule that's matched. In this Nugget, we're going to take a look at what those action options are and what they mean to the traffic that may or may not make it through the firewall. And the Carpenter's Rule is a good one to follow when employing access control policies. Let's make a plan, then implement that plan. And along the way, we'll take a look at each of the actions as part of our rules to help reinforce what they do.

0:26 So let's get our bearings here. Here's our FTD appliance, FTD1. And let's set up a rule that says, if traffic is coming in on an interface associated with the inside zone, then that traffic will be routed out an interface associated with the outside zone, and if the protocol is ICMP, and the destination is 8.8.8.8, let's go ahead and use the action of block. Which means if Bob right here at this computer is trying to do an ICMP, and that means-- you know what? Let's make it more granular, because ICMP may be important for other things with that address. Let's make it an ICMP echo request, a ping request. So if a ping request is seen coming in this interface and going out the outside zone on an interface there, and it's destined to 8.8.8.8, then we'll go ahead and block it. And basically, to the firewall, block means drop it.

1:29 And let's also consider the implications of doing a block. The traffic gets dropped, yes, but what it also means is that we can't hand it off to further file inspections and intrusion prevention system inspections, because if we block the traffic, it pretty much, at that point, is done. We're not sending it to any further processing for analysis. So that would be one negative of doing a block. But the good news is, it's enforcing our policy, stopping the traffic from making it any further if it matches that.

1:56 So if this is the first entry in our access control policy, and traffic is something other than this-- maybe it's Bob doing a ping request to cisco.com or some other IP address, not this one. That traffic that doesn't match this-- it would go down looking further in the policy, and it will look for line 2 and 3 and 4, in that order. And if there are no matches, it would then take a look at the default action at the bottom of our policy and act on that. And currently our default is discovery, which means it's going to go ahead and do discovery for host profiles and continue to let the packet go forward. So with this policy in place, the only thing that should be dropped is ICMP echo requests going to that specific IP address.

2:37 And when it comes to the actions, here are the four basic actions that we can specify in our access control policies. The first one is Allow. And what that basically means is, allow this traffic to continue, and allow it to go on to further inspections. So if we have a policy for file and malware analysis, and/or if we have a policy for IPS that's included as part of our access control policy, any rules that say Allow are permitting that traffic to make it to those additional inspections. And upon further analysis, it may be IPS that drops it based on malicious traffic or something else. But from an access control policy, the Allow is meaning, go ahead and forward it to the next thing in the path, as far as processing that packet.

3:17 Another action that we can specify for a rule is Trust. And this basically is saying to the firewall, dear Mr. Firewall, you've had a long day. You've got a lot of stuff that you can do as far as processing and analyzing and inspecting traffic. For this traffic that matches this rule with the action of Trust, just do your basic routing and forwarding. Forget any of that analysis. Just go ahead and forward it. Now, this might be a great application for a backup server. So if we know we're doing certain backups and large amounts of volumes, we could specify that traffic in a rule, and then say to trust it between this IP address and that IP address and these protocols. And that way, we're going to save our firewall a lot of effort, in the fact that it doesn't have to analyze all that traffic from those two devices or those sets of IP addresses because of a backup that happens every night, or twice a week, or whenever it happens. Another great application of that would be Voice Over IP traffic. We don't want to slow down the data plane for traffic for Voice Over IP. So we could go ahead and set that up as a rule to match on that traffic and say Trust. And that way, the firewall wouldn't have to waste any energy or time or slow that traffic down, as Voice Over IP devices communicate directly with each other going through the firewall.

4:29 Another action we can specify for a rule is Monitor. Now, Monitor is almost passive in nature. And all it says is, I'm going to go ahead and log this. So it's logging the end of connections whenever that rule is matched. So this is above and beyond and separate from the fact that we can do logging on each and every rule. We can have a separate action of just Monitor that allows us to collect log information for a thing that matches that rule. This is really handy in testing or troubleshooting, if we want to get log information on certain types of traffic that may be causing a problem on our network, or we're not sure why it's not working. We could set up a rule that matches on that traffic and set an action of Monitor to make sure we get the log messages regarding that traffic.

5:09 And then the last one is Block. And Block has additional options as well. We can block with a reset. So if we have TCP traffic, it'll send a TCP reset. There are also options regarding block with or without a reset that include interactivity. So if a user is going to our website, or trying to, and they get stopped, if we specify an interactive block, it'll give the user an opportunity to receive a custom web page from us, or from the firewall, I should say, that says, hey, we just killed your traffic, and here's why. But at the end of the day, a block is a block. The customer's traffic is not going any further, which includes no further inspections on that traffic.

5:46 In this Nugget, we've taken a look at several of the actions that are available as part of the rules in an access control policy. And in the next video, we'll do a demonstration of implementing a policy to verify the response and the actions that we set in that policy. So I'll see you in that next Nugget. Meanwhile, I hope this has been informative for you, and I'd like to thank you for viewing.
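As an added example (not CBT Nuggets or Cisco code), here is a small Python model of the rule-evaluation behaviour described in this Nugget and the previous one: top-down first match, Monitor as a non-terminal action that only logs, Allow as the only action that hands a flow to attached file and IPS policies, Trust and Block skipping inspection, block-with-reset only resetting TCP, and the default action applying when nothing matches. The rule set, zones, addresses and policy names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection, as seen on ingress."""
    src_zone: str
    dst_zone: str
    dst_ip: str
    protocol: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP type; 8 is echo request


@dataclass
class Rule:
    """One access control rule. A None match field means 'any'."""
    name: str
    action: str                      # allow | trust | monitor | block | block_reset
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    file_policy: Optional[str] = None   # attached file/malware policy
    ips_policy: Optional[str] = None    # attached intrusion policy
    log: bool = False                   # per-rule connection logging

    def matches(self, f: Flow) -> bool:
        wanted = [(self.src_zone, f.src_zone), (self.dst_zone, f.dst_zone),
                  (self.dst_ip, f.dst_ip), (self.protocol, f.protocol),
                  (self.dst_port, f.dst_port), (self.icmp_type, f.icmp_type)]
        return all(w is None or w == got for w, got in wanted)


@dataclass
class Verdict:
    action: str                 # terminal action taken
    rule: str                   # matching rule name, or "default"
    inspections: List[str] = field(default_factory=list)
    log_events: List[str] = field(default_factory=list)
    tcp_reset: bool = False

    @property
    def forwarded(self) -> bool:
        return not self.action.startswith("block")


def evaluate(rules: List[Rule], flow: Flow,
             default_action: str = "network_discovery",
             default_log: bool = False) -> Verdict:
    """Top-down evaluation; the first terminal match decides the flow."""
    events: List[str] = []
    for rule in rules:
        if not rule.matches(flow):
            continue
        if rule.action == "monitor":
            events.append(f"monitor:{rule.name}")
            continue                      # Monitor is non-terminal: keep looking
        if rule.log:
            events.append(f"{rule.action}:{rule.name}")
        v = Verdict(rule.action, rule.name, log_events=events)
        if rule.action == "allow":
            # Only Allow hands the flow to file/malware and IPS inspection;
            # Trust and Block never do, even if policies are attached.
            v.inspections = [p for p in (rule.file_policy, rule.ips_policy) if p]
        elif rule.action == "block_reset":
            v.tcp_reset = flow.protocol == "tcp"   # a reset only applies to TCP
        return v
    if default_log:
        events.append(f"{default_action}:default")
    return Verdict(default_action, "default", log_events=events)


# Constructed sample policy: the Nugget's demo rule plus rules exercising
# the other actions. Policy names are placeholders, not real FMC objects.
STARTER_POLICY = [
    Rule("No Ping to 8.8.8.8", "block", src_zone="inside", dst_zone="outside",
         dst_ip="8.8.8.8", protocol="icmp", icmp_type=8, log=True,
         file_policy="Example-File-Policy"),   # attached, but a block never inspects
    Rule("Monitor DNS", "monitor", protocol="udp", dst_port=53),
    Rule("Trust Backups", "trust", protocol="tcp", dst_ip="10.1.1.50", dst_port=873),
    Rule("Block Telnet", "block_reset", protocol="tcp", dst_port=23, log=True),
    Rule("Allow Web", "allow", protocol="tcp", dst_port=443,
         file_policy="Example-File-Policy", ips_policy="Example-IPS-Policy"),
]


def ping_8888() -> Verdict:
    return evaluate(STARTER_POLICY, Flow("inside", "outside", "8.8.8.8", "icmp", icmp_type=8))


def dns_to_8888() -> Verdict:
    return evaluate(STARTER_POLICY, Flow("inside", "outside", "8.8.8.8", "udp", dst_port=53))


def https_out() -> Verdict:
    return evaluate(STARTER_POLICY, Flow("inside", "outside", "203.0.113.10", "tcp", dst_port=443))


def telnet_out() -> Verdict:
    return evaluate(STARTER_POLICY, Flow("inside", "outside", "203.0.113.10", "tcp", dst_port=23))


def backup() -> Verdict:
    return evaluate(STARTER_POLICY, Flow("inside", "dmz", "10.1.1.50", "tcp", dst_port=873))


if __name__ == "__main__":
    for verdict in (ping_8888(), dns_to_8888(), https_out(), telnet_out(), backup()):
        print(verdict)
```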

Access Control Policy Rule Actions Demonstration

0:00 In the previous Nugget, we took a look at some of the actions that we can set up as part of an access control policy and what they do and what they mean. And just for good measure, before we implement the rule, let's go to our client who's on that inside network. We'll do an ifconfig just to confirm. So this client's at 0.103, and if we do a ping out to 8.8.8.8-- that works, great. Control C to stop that. Let's ping something else. www.cisco.com, that looks great. Great. Great. Great. I just wanted to make sure that we had full connectivity before we start restricting some of that traffic. So let's go to the FMC next.

0:36 All right. So here at the FMC we'll go ahead and we'll modify our access control policy by adding a new rule to it. We'll do that by clicking on the Policies tab here at the top, and then from below that, if it isn't already selected, we'll click on Access Control. And that's where we are. Fantastic. And here's our starter policy that's currently being used on FTD-1, and we'll click on the pencil icon to edit that policy. Now, the reason these are all policies is that we can only have one access control policy applied to a given firewall at any given time. So we can have lots of different policies and we could swap them out, but only one access control policy per firewall at any given time.

1:16 So with the Starter Policy selected and the Rules tab selected, let's go ahead and click here to Add a New Rule. And let's call this No Ping to 8.8.8.8. And instead of saying from any zone to any zone, let's specify that traffic from an interface associated with the inside zone, where the traffic's coming into the firewall and being routed out the outside zone or an interface associated with the outside zone, and we could click on the Networks tab. We could be very granular here about the source and destination networks. For the source I don't really care. We could add 10 if we wanted to, but I'm really concerned about the destination. We want to focus on the destination for this access control rule to be 8.8.8.8. So there is an object right here, Google at 8.8.8.8, and if there wasn't an object that represented our target we could click on the plus symbol and go ahead and create it and then use it. So here I'll just drag and drop Google 8.8.8.8 over to the destination.

2:09 Our next thing we want to match on is ports. So we'll click on Ports. Now, even though ICMP really isn't a port, it's really a protocol, this is where we'd specify that that's what we want to match on. So for the destination we'll go ahead and let's create a new object that represents an ICMP echo request. So we'll click on plus to create a new object. Click on Add Object and we'll call this ICMP_Request_IPv4, and it is going to be ICMP and it is going to be an echo request, which is type 8. Looks great. All right. And we'll click on Save. We called this ICMP_Request_IPv4. Click on Save and then we'd go ahead and grab that and select that for the destination. So if we have traffic that's coming in on the inside, going to the outside and it's destined for 8.8.8.8 and it's ICMP and in that ICMP payload there's an echo request, then it's going to be a match.

3:10 Now the question is, what do we want to do as an action if this is matched? And that's what we're supposed to have right here in the dropdown for actions. Do we want to allow it, which allows for the processing? Do we want to trust it, which means no further processing forward? Or do we want to monitor it, meaning add a log entry for it, or do we want to block that sucker? And that's exactly what we're going to choose. There's block right there. And also, while we're here I'm going to click on the Logging tab and let's go ahead and also do logging at the beginning of this connection, and that way we can see that it happened in our events log. So once that's all set we'll click on Add. We can also resize the columns to see all the wording if we want to as well. But there's our policy.

3:52 So we're going to click on Save. That's step number one, and then step number two, we're going to go ahead and deploy it so it actually takes effect on the Firepower Threat Defense appliance. So we'll do that now. We'll click on Save, click on Deploy, and then make sure that FTD-1 is selected. There's the access control policies. It's going to be modified in this new policy and we'll click on Deploy and then we'll give that like, I don't know, a minute and a half. 90 seconds to go ahead and do its magic, push that policy out to FTD-1, verify that it's good, and then you and I will verify that the policy is working by trying a few more pings from our client on the inside network.

4:29 All righty. Under Status it says that the task of deployment is done. And so let's go ahead and try it. Let's go over to our client. So here in our client let me hit the up arrow key a couple of times, leaving our ping to 8.8.8.8, and that's great. It's failing. Now, the fact that it's failing is good, and what we want to make sure is that the other pings to anywhere besides that direction or that IP address also work. So we'll do a Control C, hit the up arrow key a couple of times, we'll ping cisco.com, and that indeed is working. That is great news. And we can go verify some of the details of that by looking at the log information back on the Firepower Management Center.

5:09 So back on the FMC, if we click on the Analysis tab here at the top, and then from the sub-tab select Connections, then from that menu select Events. So the breadcrumbs are Analysis, Connections, Events. And that looks great. So here we have a block of this client trying to go to 8.8.8.8 and that was the echo request. This little allow right here is using UDP, great, so that should have been permitted. And that UDP, as I look at the port number right there, that's a DNS request, because right after we did our ping to cisco.com, so that DNS request to resolve cisco.com to an IP address, and then it proceeded with the pings right here to cisco.com. So it was between DNS requests and ICMP echo requests that were all here allowed, but the block happened exactly as we expected it to.

5:59 In the previous Nugget, we took a look at some of the actions that we can set up as part of an access control policy and what they do and what they mean, and in this Nugget we implemented an example policy rule and then verified the results based on the action we assigned in that policy. I hope this has been informative for you and I'd like to thank you for viewing.

URL Filtering

0:00Imagine Bob, an innocent user on his lunch

0:03break trying to go out to a website.

0:05What's the problem with that?

0:06Well, if we have a company policy that

0:08says you are not allowed to go to certain types of websites

0:11like pornography sites or gaming websites or sporting websites

0:16or whatever it is, it'd be nice to both have the users agreed

0:19to that with part of the acceptable policy

0:21for how they're using the system,

0:23and secondly to enforce it with technical controls

0:26at the FirePOWER appliance so that if Bob

0:29tries to go to one of those sites

0:30in one of these categories, we can block it.

0:33So in this Nugget, I'd like to talk about and demonstrate

0:36URL filtering capabilities on the FirePOWER appliance.

0:39For our demonstration, testing, and verification

0:42of URL filtering based on URL categories,

0:44let's imagine Bob sitting at this computer right

0:47here on the inside of our network.

0:49We'll set up the policy on the FTD appliance,

0:52and for our demonstration let's create a policy as part

0:54of our access control policy.

0:56It says no websites that are in the category of sports.

1:00I don't know.

1:01Maybe we have an anti sports company or something.

1:04In any event, we can set up that policy here, have the FirePOWER

1:07appliance, identify if Bob is ever

1:09trying to go to a website that's categorized as sports,

1:13and if so we can have the FirePOWER appliance drop

1:15that traffic.

1:16And one technique that I think we'll

1:18find very effective in life as we work with computers

1:20and networks and systems is test before, implement our policy,

1:25and test after to make sure that we got the results that we're

1:28expecting.

1:29So let's bring up a browser on Bob's computer.

1:32And if somebody's asking the question, how come

1:34Bob is running like Kali Linux?

1:36That's a good question to ask.

1:38In my lab environment it's just really

1:39convenient for a lot of tools.

1:41But an end user certainly should not

1:43be using Kali Linux as their primary operating system.

1:46That's a huge red flag.

1:47All right.

1:48And I've got to bookmark that we can use,

1:49and that bookmark is for the top 15

1:51most popular sports websites.

1:53Yay.

1:54And before we implement the URL filtering

1:56policy against these types of websites,

1:59I just want to pick a few and make sure that they work.

2:01So let's go ahead and let's bring up Yahoo in a new tab.

2:06Great.

2:07That looks like it's working.

2:08Fantastic.

2:10And let's go ahead and grab ESPN, and that's working.

2:15I love his face.

2:16And I'll do one more.

2:17I'll scroll down a little ways, and let's do NBC Sports.

2:21OK, super.

2:22So we're three for three.

2:23All three of those sports websites come up, no problem

2:26whatsoever from Bob's computer.

2:28So now that we know that URLs based on sports

2:31can be reached by Bob, let's go configure a policy

2:34that's going to say otherwise.

2:37So here at the FMC on the Overview tab

2:42I was doing a little bit of testing

2:43based on some URL filtering earlier and as

2:46far as me sending traffic through the network,

2:48it identified it and it's right here on this summary dashboard.

2:52All right, FirePOWER.

2:53Good job.

2:53Way to keep track.

2:54All right.

2:55So what we're going to do is we're

2:56going to click on Policies at the top

2:58and then we're going to go to the access control policy

3:00that FTD-1 is currently using, and that is our Starter Policy.

3:04So we'll go ahead and click on Edit on the Starter Policy

3:08and we're going to edit this access control policy

3:11and we're going to add a new rule.

3:13Now, to do that what we do is we can

3:15take the first rule that's already there,

3:17right click on it, and then simply select Insert New Rule.

3:20And over here it tells us where it's going to put it.

3:22So it's going to put the new rule below the line number one

3:25or rule number one.

3:26So that'll be the second position.

3:28That'll work for us no problem.

3:29And we'll call this rule No Sports.

3:33And for the action we're going to go ahead and block it

3:36and we're going to include a TCP reset for those HTTP sessions

3:40that are trying to go to sports-based websites.

3:42And for the zones instead of saying from anywhere

3:44to anywhere we'll say traffic starting on the inside zone

3:48and being routed out an interface in the outside zone.

3:51And we can get granular, we can specify just Bob's computer,

3:54or we could say anywhere in the 10 network.

3:57So let's go ahead and do that.

3:58So we'll say if it's coming from 10 anything

4:01and going to any IP address--

4:03and what we're really after here is this tab right here

4:05for URLs.

4:07So if we want to scroll down this list of categories, what

4:09we're looking for is sports.

4:15All right, there we go.

4:17And we'll go ahead and click on Add.

4:19So that's going to reflect any website based

4:21on sports is going to match this rule,

4:24and the action is going to be block.

4:26It's also going to do a TCP reset back to Bob's computer

4:29whenever he tries to go to a website in this category.

4:32And also for good measure let's do logging.

4:34So I'll click on the Logging tab and let's enable logging

4:37as well so we can have those as connection events in our log

4:40file.

4:41And we'll click on Add.

4:42All right.

4:43So rule number two, no sports.

4:45Looks great.

4:46So we need to go ahead and save it.

4:47So we'll click on Save and then we'll click on Deploy.

4:51Make sure that FTD-1 is selected for deployment.

4:54Right here it mentions what's going

4:56to be changing on that device and we'll click on Deploy.

4:59And then we'll give it a minute or two,

5:01however long it takes for it to deploy that policy,

5:04and we can check on the status any time

5:06we want by clicking right here on the status icon

5:08and then going to Tasks.

5:10It's working on it.

5:11And if we go to deployments here,

5:12it also indicates that it's working on it.

5:14So we'll let that finish, and once it's

5:16done we'll go back to Bob's computer

5:18and we'll see how many sports websites we can get to.

5:21All right.

5:22So this data says that it's currently deployed.

5:24Let's go to Bob's computer.

5:26Okie doke.

5:27Here on Bob's computer I have the 15 most popular sports

5:30websites based on this website saying what those top 15 are.

5:34And let's try the same ones we tried before.

5:36I know we tried Yahoo.

5:38So we'll try Yahoo.

5:39Wah.

5:40Wah.

5:40Wah.

5:41And let's go back and try ESPN.

5:45Wah.

5:45Wah.

5:46Wah.

5:48And what was the other one?

5:50NBC Sports I believe.

5:51We'll try that one too, and that is not working.

5:54That's fantastic.

5:55Now, just for grins let's see if we

5:57go to some other site like cisco.com, and that works.

6:01Fantastic.

6:02And if we wanted to try like an educational site like CBT

6:05Nuggets we could try cbtnuggets.com,

6:08and that's working.

6:09So that's great verification that the URL filtering

6:13that we configured that is part of a rule in our access control

6:15policy is actually working.

6:18In this video, we configured and verified

6:20URL filtering in FirePOWER.

6:23I hope this has been informative for you,

6:25and I'd like to thank you for viewing.

Malware and File Inspections

0:00If somebody came up to us today and said,

0:02hey, is malware a huge problem?

0:04We'd say yes.

0:04It's a really big problem today.

0:06And there are several ways we can help restrict or mitigate

0:09the effectiveness of malware.

0:10One is user training.

0:12Secondly is limited rights for users on those computers.

0:15Third is antivirus and anti-malware software

0:17on those systems that's being kept up to date and so forth.

0:20And if you have a Firepower appliance,

0:23we can also implement a malware and file

0:25policy that can look for files that

0:27are being sent with people's sessions going back and forth.

0:30And based on what that file is, we

0:33can have the Firepower appliance drop it, make a copy of it,

0:36or analyze it.

0:37So in this Nugget, I'd like to walk you through two steps.

0:40Number one, creating a malware and file policy

0:43and then including that policy in the access control policy.

0:47And we'll do that right now.

0:48So to create a malware and file policy, what we'll do

0:51is we'll go ahead and click on Policies tab right here.

0:55And then if we bring the mouse down just a little bit,

0:58we can go ahead and from the dropdown,

0:59select malware and file.

1:01So we'll click on malware and file.

1:05And by default, there aren't any malware and file policies.

1:07So we can create one by clicking on this icon

1:10on the upper right-hand corner over here, new file policy.

1:14We'll call it malware and file policy, click on Save.

1:18And now that we have this policy,

1:20the problem is it's empty.

1:21It doesn't have any rules as far as what it should do.

1:24So what we'll do is we'll click on Add Rule over here

1:26on this malware and file policy.

1:29And for our demonstration, let's go ahead and have it look just

1:31for PDFs, but we can see there's tons and tons of other options

1:35here as well.

1:36And we'll have it look on any protocol,

1:38and we'll also specify either direction,

1:40whether it's an upload or download

1:41from a user to the cloud or from the cloud to the user.

1:44And then for the action, to make this pretty dramatic,

1:47we won't just detect files.

1:48Let's go ahead and block files.

1:50So it sees a PDF that the user is

1:52trying to upload or download.

1:53It will go ahead and block it.

1:55There's also some options here for blocking if it's malware.

1:58And over here under the file types,

2:00even though I put a check there, I

2:01need to click on Add to add it to the selected file

2:04categories and type.

2:05So I'll click on Add, and then once it's there,

2:07I'll click on Save.

2:09So this policy called malware and file policy

2:12has one rule looking for PDFs.

2:14And if it sees them, it's going to drop them.

2:16So we'll click on Save.

2:17And then the second step is to include this

2:20in our access control policy.

2:22So to do that once again, we'll hover up here on policies,

2:25bring our mouse down a little bit,

2:27and then from the dropdown, select Access Control

2:30because we need to include that option for the malware

2:33and file policy as a subset or part of our access control

2:37policy.

2:38So here we're looking at our starter policy.

2:40And if we click on the little Edit icon,

2:42it can open up the details of that starter policy.

2:45And here's our options.

2:46This little icon right here represents

2:48that we have a file policy associated with the rule.

2:50So in rule number one, it's grayed out,

2:52meaning we don't have one associated with it.

2:54Rule two, it's grayed out, meaning

2:56we don't have a file policy associated with that rule.

2:59And all you do is either add the file policy

3:01to one of these rules or create a new rule.

3:03Now the challenge here is because the action for--

3:06this is block-- the traffic would never make it or never

3:10be allowed to be forwarded to the file policy

3:13because we're killing the traffic on both these rules.

3:15So let's do this.

3:16Let's create a brand new rule that won't

3:18kill the traffic outright.

3:20So we'll go ahead and right-click on rule two.

3:22We'll specify we want to insert new rule.

3:25And then we'll go ahead and put it below.

3:27So our new rule, which will be number three, which

3:29will go below rule two, and we'll

3:31call that Looking for PDFs, and we

3:36want the action of allow.

3:37And that's really important because if we

3:38don't allow the traffic, the traffic

3:40won't be able to even make it to the point

3:43where it gets further inspections with the malware,

3:45and file and IPS policies.

3:47So for our policy, we're going to go ahead and say

3:49for any zone to any zone, but for networks, we

3:52will say it has to be coming from the source network of 10.

3:56And that will be great.

3:58So if traffic is coming from 10 going to anywhere,

4:02regardless of the application, regardless

4:04of the ports, what we're going to do

4:06is we are going to go ahead and inspect it.

4:08So on this Inspection tab, under File policy,

4:11we use the dropdown, and there's our malware and file policy.

4:14And that is how we include our malware and file policy as part

4:18of our access control policy.

4:20And let's also go ahead and click on logging,

4:22and let's go ahead and log at the beginning

4:24of the connections.

4:25And then it'll be great.

4:26We'll click on Add.

4:27And notice here how this is no longer grayed

4:31out for that specific rule, implying

4:32that we have a file policy associated with that rule.

4:36So we'll click on Save.

4:39And oh, yeah, I almost forgot.

4:40Before we deploy this, let's go to Bob's computer

4:44just to make sure that he can download a PDF before we

4:47implement the file policy.

4:49And then we'll compare and contrast that

4:50to after the policy's in force.

4:53So we won't deploy it quite yet.

4:55Let's go to Bob's computer first.

4:57All right, so here we are at Bob's computer.

4:58We'll open up a browser.

5:00And I have bookmarked a site for us,

5:03and that is the manualtestingmaterial.pdf.

5:07It is just basically a website where we can download a PDF,

5:12so it opened this PDF.

5:13And there it is.

5:15So we're looking at it.

5:16And if we wanted to download this,

5:18we'd click on the little link for download,

5:22and we'll save it and great, 5.3 megs.

5:26And we've saved that file, fantastic.

5:29So I'm going to go ahead and close this browser.

5:31And now let's go back.

5:33We'll deploy the policy, and we'll come back

5:35and compare the results.

5:37All right, so we'll click on Deploy.

5:40We'll make sure FTD-1 is included,

5:42and it's getting a modified access control policy, which

5:45includes the malware and file policy and also

5:48the file policy called malware and file, great.

5:50So we'll click on Deploy, and then we'll

5:54give that just a minute or two.

5:55We can click on status and verify when it's done.

5:58And when it's done, we'll make a road trip back

6:00to Bob's computer and see how well

6:02he does in downloading a PDF.

6:07All right, if you check status, it says it's complete.

6:10No tasks currently in process.

6:12That's fantastic.

6:13Let's go to Bob's computer.

6:15So here at Bob's computer, we'll go ahead

6:17and open up the browser.

6:19We'll go back to that bookmark as a consistent test

6:23and manualtestingmaterial.pdf.

6:26And survey says, oh, no.

6:29Maybe it's cached.

6:30Let me go ahead, and let me close the browser.

6:34And let's open it again.

6:36And I will clear the cache on this browser.

6:39All right, so I'm going to click on Clear history here

6:42and I'm going to say everything, including offline website data

6:48and clear now.

6:50Fantastic, I'll close the browser,

6:53and then let's launch it again.

6:55Go back to my bookmarks and that wiped out my bookmarks too.

6:59All right, so let's do a search real quick.

7:02So I'm going to search for download PDF test,

7:04and I don't see the same one I used.

7:08Let's try this one here.

7:11There we go.

7:11The connection was reset.

7:13So I had it cached from earlier.

7:16And here's another one.

7:17We'll try that one.

7:19And that's reset.

7:20That's good news.

7:20But I want to show you one other thing as a good segue

7:23to another video that we'll do.

7:25And that is the benefit and curse of encrypted connections.

7:29If we go to any of these sites that

7:31are using SSL, which are going to be many like this one right

7:34here.

7:35This is an HTTPS:// a dummy PDF file.

7:39If we download that or try to, that puppy's going to fly,

7:43and the reason for that is because we're using HTTPS.

7:46The firewall, because it's an encrypted session,

7:49doesn't know what we're doing at the application layer.

7:51It can't see the actual data.

7:53It's all encrypted.

7:54So to compensate for that, we also

7:56have an option for SSL decryption as a feature

7:59that we can implement on the firewall

8:01to help overcome this problem.

8:02So we'll cover that separately, that SSL decryption,

8:05in a separate Nugget.

8:06In this Nugget, we took a look at creating a malware and file

8:09policy, implementing it as part of our access control policy,

8:13and then verified that it's working, at least with HTTP.

8:17I hope this has been informative for you,

8:19and I'd like to thank you for viewing.

SSL/TLS Decryption

0:00I bet some things are pretty frustrating for network

0:02devices.

0:03Consider the FirePOWER appliance.

0:05If we have traffic that's going through,

0:07and we have a policy that says look at the application layer

0:10information and permit this or deny that based on the layer 7

0:13information-- well, if that data is encrypted,

0:17where they're using SSL or TLS for encrypted sessions between

0:21clients and servers--

0:22because it's encrypted, that's really tough for the FirePOWER

0:24appliance to do its job.

0:26So a solution to that is to do SSL/TLS decryption

0:31and have the FirePOWER appliance act

0:33as a sort of man in the middle so that, for a few moments,

0:36it has the naked data, so it can do its proper inspections,

0:40analysis, and traffic control based on what's

0:42really going on.

0:43In this Nugget, I'd like to talk with you

0:45about the concept of SSL decryption,

0:48where we would go to create the policies,

0:50and how to include those policies as part

0:52of our overarching access control policy.

0:55So let's use this topology, and let's use Bob once again.

0:58And let's put Bob here at computer 1.

1:01Now, Bob, if he wants to go out to a website--

1:04let's imagine he wants to go to a gaming website,

1:07and we have a policy on the FirePOWER appliance that says,

1:10hey, any websites in the gaming category are not allowed.

1:14So Bob's frustrated.

1:15And what does Bob do?

1:16Bob does a Google search and says, wow,

1:18I can set up a tunnel?

1:19So Bob sets up a tunnel, and he goes out

1:22to a website via tunnel.

1:24And then from that tunneled site,

1:25he then goes out to his gaming website,

1:28and the reply traffic goes back this direction

1:31and this direction.

1:33And the FirePOWER appliance is none the wiser

1:35because, while the traffic was in that tunnel,

1:37it was encrypted.

1:38And if we're using SSL or TLS, the FirePOWER appliance cannot

1:42see the application layer data to see where that traffic was

1:46really going to.

1:46Now, what the firewall could do is also

1:49have a policy saying, hey, no tunneling sites allowed.

1:52So the initial connection possibly could be stopped.

1:55However, that's just the beginning of our challenges

1:57because, even without Bob being malicious,

1:59there's lots and lots of traffic that

2:01is being sent using SSL, Secure Sockets Layer,

2:04or the new and improved flavor of security for HTTPS sessions.

2:08That's TLS, Transport Layer Security, using HTTPS.

2:12So even if Bob is doing innocent things and going using HTTPS,

2:16if the traffic is encrypted, the firewall

2:19is going to have a hard time looking at layer 7 application

2:22information because it's encrypted.

2:24So to solve that, what we can do is we can have the firewall

2:29play the role of a man-in-the-middle attack.

2:32And it would go something like this.

2:33Bob makes his request going out to the internet,

2:37and it's going to be an HTTPS session.

2:39And the FirePOWER appliance intercepts that

2:41and has this whole little conversation between Bob

2:44and the FirePOWER appliance while,

2:46virtually simultaneously, the FirePOWER appliance

2:49is actually going out and building

2:51a session out to the server that Bob was trying to get to.

2:54And the session is actually being built here.

2:56So we have two sessions.

2:57We have session 1 between Bob and the appliance

2:59and another one between the appliance and the actual server

3:02that Bob was trying to go to.

3:03So it's encrypted on this journey and this journey.

3:06But here, for a moment, it's not encrypted.

3:08And that's when the FirePOWER appliance can

3:10look at the application layer information and say, oh, yeah,

3:13gee, he's trying to use Gmail.

3:15Great.

3:15No problem.

3:16I'm going to let that.

3:17Oh, he's trying to use a file transfer

3:18app or peer-to-peer software or something else.

3:21I'm going to deny that based on policy.

3:24And when we do it in this fashion, where Bob is going out

3:26to the internet, what we're doing

3:28is the actual firewall is resigning.

3:31Not resigning, but re-signing, where internal users are

3:34going to external resources.

3:36And if we have users on the internet-- let's go ahead

3:38and put Lois out here.

3:40So Lois is on the internet, and she

3:41wants to go to server B right here, one

3:43of our public-facing servers.

3:45As her traffic comes in, we could also play that man

3:48in the middle at the firewall.

3:50I guess I should draw this arrow down here at the firewall.

3:52And when Lois is going to one of our servers,

3:54we have these private keys.

3:56And so the inbound traffic to internal servers

3:59from external users is using a known key.

4:04But whether we're resigning as traffic goes out,

4:06or we're using a known key that's

4:08on the server for the inbound traffic,

4:10the idea is that we want the firewall to have

4:12a few moments of time to be able to analyze that naked traffic,

4:16so it can implement the inspections and traffic

4:19control that we want to have happen in our network.

4:21Now, there are a couple of times--

4:23actually, several times-- when we do not

4:26want to do any kind of SSL or TLS

4:29decryption-- for example, financial.

4:33If Bob is going out to a financial website,

4:36we do not want the liability of decrypting that

4:40during that session.

4:42So in our rules and our policies for SSL decryption,

4:45we could have categories of URLs,

4:47like banking websites, financial services,

4:50and so forth, that we are not going

4:52to decrypt the traffic on.

4:54Another example of a good time to not do this

4:57would be medical information.

4:59There's huge fines involved for leaking or not

5:02protecting data, especially personally

5:04identifiable information and medical information.

5:07So in our rules for SSL decryption,

5:10we could set up these rules at the beginning saying

5:12don't do any decryption for these categories

5:15or other specific sites while, at the same time,

5:18having some rules in place that are

5:19going to do the SSL decryption.

5:21Now, also be aware that if this FirePOWER Threat Defense

5:24appliance is doing SSL/TLS decryption and re-encryption--

5:28that takes a whole bunch of CPU.

5:31So you'd want to make sure that we have enough horsepower,

5:34and we're not just breaking it by trying

5:36to have it do too much processor-intensive activity

5:39above and beyond what it was designed to do.

5:42So if we have a certain flavor or model of FirePOWER Threat

5:45Defense appliance, perhaps we need

5:47to get a bigger one in order to handle

5:49the actual load that we're going to place on it.

5:51Also, this is where a virtual FirePOWER Threat Defense

5:55appliance is a really poor choice because there just

5:58isn't that much CPU available in a virtualized space

6:01on that appliance for thousands and thousands of SSL

6:04encryptions and decryptions that all might

6:06need to happen simultaneously.

6:08So I'd like to take a moment and show you

6:10where we could go in the interface on the FMC

6:13to both configure an SSL decryption policy and then how

6:17to link that or tie that into a FirePOWER Threat Defense

6:20appliance.

6:21So here in the FMC, we're going to click on Policies.

6:24From the dropdown list, we have an option for SSL.

6:27And this is where we would configure our SSL policy.

6:30This also is going to assume that we

6:32have a certificate or two lying around with keys in them

6:36or a certificate authority that is trusted

6:39by our organization that can hand out certificates,

6:42and we have those certificates available.

6:44So I just created this little sample SSL policy

6:46a few moments ago.

6:47And in the policy, we'd simply create rules.

6:50So once we have our SSL policy in place,

6:52including rules that also include

6:54the certificates involved and the traffic that we do not

6:58want to decrypt and the traffic that we do want to decrypt,

7:00and that's all in place, the next step

7:02is to include that as part of our access control policy.

7:06And to do that, we're going to go back to Policies

7:08and then go back to Access Control.

7:10That's our overarching umbrella of how

7:12we implement and enforce most of our policies here in FirePOWER.

7:17So then from here, we can take our starter policy, our access

7:20control policy, click on Edit.

7:22And then right here on this starter policy,

7:24we have a link for SSL Policy.

7:27And, currently, we have none assigned.

7:28If we wanted to assign an SSL policy to this access control

7:32policy, we simply click here where it says None,

7:36use the dropdown, select the SSL policy, and then click on OK.

7:42And now we have this SSL policy associated with this access

7:46control policy.

7:47So the following steps would be to save it and then deploy it,

7:50so our FirePOWER appliances could then implement that SSL

7:53decryption feature.

7:55In this Nugget, we've identified that, even if users

7:57are using HTTPS, the FirePOWER appliance, based on an SSL

8:01policy, can decrypt those sessions and, based on that,

8:04have a peek at the application layer information,

8:07so it can go ahead and enforce the control that we want.

8:10I hope this has been informative for you,

8:12and I'd like to thank you for viewing.

IPS Inspection

0:00The Firepower system has a lot of great features,

0:02including deep packet inspection,

0:04the ability to look at application layer data,

0:06URL filtering, SSL decryption, and it

0:10has the ability to do IPS, intrusion prevention

0:13systems as well.

0:14In this Nugget, what I'd like to do

0:15is walk you through where we would

0:17go to create an IPS policy.

0:19We can use some of the defaults so we

0:21don't have to tune or tweak thousands of signatures,

0:23and then I'll walk you through how we can incorporate that IPS

0:25policy as part of our access control policy

0:28associated either with a rule or associated with a default

0:31action.

0:32So here on the FMC to create a FirePOWER IPS policy,

0:36we would go ahead and click on the Policies tab,

0:39and then bring our mouse down a little bit.

0:41And then from the dropdown, select Intrusion.

0:43And that's where we configure our intrusion policies.

0:47Now, behind the scenes, there are thousands and thousands

0:50of signatures.

0:51And what Cisco did when they acquired Sourcefire was

0:54they also got the license for Snort.

0:56So we're using a lot of Snort technology in the background

1:00for implementing-- or Cisco's implementing

1:02a lot of the IPS functionality courtesy of the Snort

1:05signatures and Snort technology that's being used.

1:08So there's no IPS policy by default. So what we'll do

1:11is click on the Create button over here on the right.

1:13And we'll create one.

1:15And we'll call this our IPS policy.

1:17And for the base policy we're going to pull from,

1:20we'll go ahead and grab Balanced Security and Connectivity.

1:24And then we'll click on Create and Edit.

1:25And one of the cool things is that we can--

1:27instead of having to start from scratch,

1:29we can start from a baseline that's been given to us.

1:32And then we can build or modify or edit

1:34from there for the policy that we want to apply.

1:37So for this demo, let's go ahead and leave all the defaults,

1:40but just be aware that in a production environment, if we

1:43start getting false positives or need to tighten something up,

1:46we can tune and tweak this any way

1:47we need to for our environment.

1:49So I'm going to go ahead and click on Commit Changes.

1:52And then click on OK again.

1:54And so now we have this IPS policy.

1:56But the only problem with it is that it shows us

1:58right here that the policy is not applied on any devices.

2:02So we need to embed this IPS policy as part

2:06of an access control policy.

2:08And to do that, we'll click on Policies.

2:10And then bring our mouse down a little bit for the dropdown,

2:12and then go back to Access Control.

2:14So here's our starter policy.

2:16And we'll go ahead and click on Edit to edit that policy.

2:19And as part of integrating our IPS policy,

2:22we have several options.

2:23We could add it to any one of our rules here.

2:26And when we have it added, this icon right here, which

2:28represents IPS inspection, that will no longer be grayed out.

2:32It will be active.

2:33So we could add it to an existing

2:34rule that currently has Allow.

2:35Any time, just as a reminder, if we are blocking traffic,

2:39it is being dropped and it is not being passed on

2:42for further inspection.

2:43It's not going on to malware and file inspection.

2:45It's not going on to IPS.

2:47It's just being dropped.

2:48So our only choice out of these three rules

2:50is either right here by adding it to that one or--

2:53check this out-- we could go down to the default action

2:56if none of these are matched.

2:58And for the default action, we could also

3:00go ahead and specify our IPS policy right here.

3:03So I'm going to leave Network Discovery Only

3:05to allow all traffic.

3:07And then let's go ahead and modify rule number three.

3:09And we'll specify that for rule number three,

3:11we want to add the IPS policy that we just created.

3:15So we'll click on Edit for rule three.

3:17And all we're going to do is we're

3:18going to go to the Inspection tab right here.

3:21And on the Inspection tab under Intrusion Policy,

3:23we'll click the dropdown.

3:24And for the dropdown, we'll click on Our IPS Policy.

3:27And bada bing, bada boom.

3:29We're almost done.

3:30We click on Save.

3:31We click on Save again.

3:33And then we click on Deploy.

3:35And then make sure FTD-1 is included in that list.

3:38And here it indicates it's getting an intrusion policy

3:40as a change.

3:41And also the access control policy

3:42is changing because rule number three

3:44is including the IPS policy.

3:47So we'll go ahead and click on Deploy.

3:49And then in a couple minutes, in addition to the other features

3:51that we've been looking at on these FirePOWER appliances,

3:54we're now going to add the feature of Intrusion Prevention

3:57System or IPS.

3:59And I should also point out that for the features that we want

4:01to use, we'd also want to ensure that we

4:03have the appropriate license so that those features will work.

4:07And if we click on the Status icon,

4:10it is still pushing out that policy.

4:11So it should be done shortly.

4:13In this Nugget, we've taken a look at

4:15where we would go to create an IPS policy,

4:17and then where we'd go to include that IPS

4:19policy as part of our overarching access control

4:22policy.

4:23I hope this has been informative for you.

4:25And I'd like to thank you for viewing.
