SCOR 350-701 Firepower NGFW - Coggle Diagram
Cisco FTD OS
Combo of ASA and Firepower
Runs both ASA and FTD
Management
FMC
Cloud Defense Orchestrator (Cloud)
FDM
Deployment Modes
NGFW mode
Transparent
Routed
IPS mode
Passive
Inline
Deals with original traffic
IDS
Passive
SPAN
Inline Tap Mode
Inline, but passive
Good for planning before deployment
Packet Processing
Two Main Engines
LINA (ASA)
Snort (Cisco Firepower)
Process
Packet on RX
Existing Conn?
No
Go to NAT
Yes
Snort Inspection
Flow Update
NAT IP Header
VPN Encrypt
L3 ROUTE
L2 Address
TX
Ingress Interface
Policies
DNS
Access
Files
Intrusion
Security Intelligence
SSL Decryption
Requires X.509 Cert Upload
NGFW Policies
PreFilter Policy
Match conditions
Pre-Filter Rules
Source and Dest IP
VLAN
Protocol / Port
Security Zones
Tunnel Rules
Types
GRE
IP in IP
IP v6
Teredo
Conditions
Tunnel endpoints
Security Zones
VLAN
Encapsulation Type
Port
Actions
Block
Fastpath
Analyze
SI (IP Address)
SSL Policy
Access Control Policy
Further Inspection
File Policy
IPS Policy
Discovery policy
Config
Move to ASA (LINA) CLI
system support diagnostic-cli
Good for ASA debugs on CLI
Access Control Policies
Rule Components
Rules
Prefilter Policy
Default Action
Security Intelligence
Port vs Application
ASA
Port Only
Snort
Application Detectors
Needs 3-5 packets to identify App
Actions
Allow
Trust
Block
Block with Reset
Block
Interactive Block
Interactive Block with Reset
Interactive Block
Monitor
Default action
not blocked
not dropped by sec intel
matches no rules in policy
Further Inspection Options
IPS Policy
File and Malware Policy
Security Intelligence
Objects
Feed Objects
CnC: Sites that host command and control servers for botnets.
OpenProxy: Open proxies that allow anonymous web browsing.
OpenRelay: Open mail relays that are known to be used for spam.
TorExitNode: Tor exit nodes.
Bogon: Bogon networks and unallocated IP addresses.
Bots: Sites that host binary malware droppers.
Spam: Mail hosts that are known for sending spam.
Phishing: Sites that host phishing pages.
Malware: Sites that host malware binaries or exploit kits.
Attacker: Active scanners and blocked hosts known for outbound malicious activity.
Cryptomining: Sites that are related to cryptomining.
Dga: Sites with malware algorithms used to generate a large number of domain names acting as rendezvous points with their command and control servers.
Exploitkit: Sites that host exploit kits.
Response: A list of IPs/URLs that appear to be actively participating in malicious or suspicious activity.
Suspicious: Sites that host files that appear to be suspicious and have characteristics that resemble known malware.
List Objects
General network or URL objects and groups
Global whitelist/blacklist
Discovery Policy
Collects Data on Network Assets
Network Discovery Policy
Indicator of Compromise (IOC)
Host Profiles
The Nmap scan results for a host.
The vulnerabilities associated with a host.
The most recent malware events for a host.
The last 24 hours of user activity on your network.
The VLAN tags on a host.
The IOC tags on a host.
The protocols running on a host.
The clients and web applications running on a host.
The servers running on a host.
The operating system running on a host.
IP address of the host.
Intrusion policy
Intrusion Detection & Prevention
Inspects Traffic for Security Violations
Blocks Malicious Traffic
Intrusion Rules
Snort
2 Logical Sections
Rule Header
Action or Type
Protocol
Source & Dest IP & Ports
Direction indicator
Shows src to dest traffic flow
Rule Body
Event Message
Keywords
Parameters
Arguments
Patterns
Packet Payload match
Specification
Which part of packet to inspect
Unique Rule Number
Snort ID
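To make the header/body split above concrete, here is an added Python example (not Cisco's or the Snort project's code) that parses a rule into the header fields the notes list (action, protocol, source/destination IP and port, direction) and the body's keyword/argument pairs, including the Snort ID. The sample rule and its sid are constructed for this illustration.

```python
"""Minimal parser for the two logical sections of a Snort rule.

Added illustration for the SCOR notes; not Cisco's or Snort's code.
The sample rule below is constructed for this example only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample rule (not from any real ruleset).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE web request with semicolon;"; flow:to_server,established; '
    'content:"GET"; offset:0; depth:4; sid:1000001; rev:2;)'
)


@dataclass
class SnortRule:
    action: str          # rule header: action or type (alert, drop, pass, ...)
    protocol: str
    src: str
    src_port: str
    direction: str       # "->" = source to destination, "<>" = bidirectional
    dst: str
    dst_port: str
    options: list = field(default_factory=list)  # rule body: (keyword, argument)

    def sid(self) -> int:
        """Unique rule number (Snort ID) taken from the rule body."""
        return int(dict(self.options)["sid"])


def parse_rule(text: str) -> SnortRule:
    # Header is everything before the first "("; body is inside the parentheses.
    head, _, body = text.strip().partition("(")
    if not body.endswith(")"):
        raise ValueError("rule body must be enclosed in parentheses")
    parts = head.split()
    if len(parts) != 7 or parts[4] not in ("->", "<>"):
        raise ValueError("header needs: action proto src sport dir dst dport")
    rule = SnortRule(*parts)
    # Options end at ';' outside quotes; quoted arguments (msg, content) may contain ';'.
    for opt in re.findall(r'((?:[^;"]|"(?:[^"\\]|\\.)*")+);', body[:-1]):
        keyword, _, arg = opt.strip().partition(":")
        rule.options.append((keyword.strip(), arg.strip().strip('"')))
    return rule
```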
Intrusion Policy States
Generate Events
Drop and Generate Events
Only Drops when Inline
Must Enable Drop When Inline
Disable
Base Intrusion policies
Connectivity over Security
Balanced Security and Connectivity
Security over Connectivity
Cisco Firepower Recommendations
Apply IPS in ACP
Under the Inspection tab when editing a rule
Only Assign To
Allow or Interactive Block Actions
Malware and File Policies
ACP to Malware/File Policy
Assigns Disposition
Malware
1 hr
Clean
4 hrs
Unknown
1 hr
Unavailable
Scan done in cloud
SHA-256 Hash
Architecture
FP NGFW Cache
FMC Cache
AMP Cloud
FP NGFW Creates SHA-256 Hash
Network based file detection
Creates SHA-256 hash of file
Keeps last part of file
Endpoint has incomplete file until disposition established
Calculates file disposition
IF malware, last piece is dropped
endpoint does not get complete file
Additional Engines
Spero Analysis
Uses AMP Cloud
Examines more than SHA-256 Hash
Spero Feature Print is sent NOT whole file
Local lookup
No Cloud Lookup
Still needs to download definitions files
AMP Cloud Lookup
Dynamic Analysis
Cisco Threat Grid
Sandbox
Rules
Actions
Allow or block files based on simple file-type matching.
Block files based on disposition.
Store captured files to the Firepower device.
Submit captured files for local malware, Spero, or dynamic analysis.