00:00:01,860 --> 00:00:33,830
Intrusion prevention systems provide an additional layer of security to catch traffic that firewall features cannot. IPS devices can inspect data and check if anything in the payload matches an IPS signature. IPS signatures are sets of rules that look for malicious traffic patterns. If traffic matches an IPS signature, it can be dropped and an alert can be sent to a monitoring system.

00:00:33,830 --> 00:01:47,480
Now I'm going to hop into Cisco's Firepower Management Center that I have running in the lab so that you can see what the IPS signature list looks like, to give you a better idea of what type of traffic IPS signatures are identifying. So here we are on the web page for the Firepower Management Center. The Cisco Firepower Management Center is a central management point for any Firepower security device, so if I have multiple security devices running on my network, I can actually push IPS policies to all of my devices right from the central management GUI, as well as look at reports and data that's been collected from my devices. So here under the Summary Dashboard, Intrusion Events tab, you can see there's widgets that show the top attackers for intrusion events as well as what applications were used for the different IPS signature hits. If I want to look at specific intrusion events, I can go to the Analysis, Intrusions, Events page, which gives us a nice syslog-looking list of intrusion events that have been captured by our security devices.

00:01:47,500 --> 00:02:30,140
So here are a few IPS signatures that have been matched from traffic traversing my security devices. I'm going to go ahead and right-click one of these events, and I can actually go to Rule Documentation. So this is going to give me detailed information about this signature so I can determine if this is a false positive or if this should have actually been blocked. So here this tells us that this event is generated when the HTTP Inspect preprocessor detects a request for a URL that is longer than a specified length. This may indicate an attack or an attempt to evade an IDS, and then it goes into more detail if you want to really get into it.

00:02:33,310 --> 00:03:37,080
Now I'm going to go to Policies, Intrusion just to show you what type of signatures can be enabled or disabled. So this is where I would configure all of the IPS signatures for my security devices. There's categories you can go through. Let's check out Exploit Kit. So I have signature IDs, a message giving a brief description of what the signature is matching, and here's a column to configure the rule to be disabled, dropped, or generate events. Once we're happy with which IPS rules are enabled or disabled, then we would add this IPS policy to our Access Control Policy and then deploy it out to our security devices so that they could inspect traffic based on these IPS signatures.

00:03:41,260 --> 00:04:16,310
Next-generation solutions like Firepower also include an anti-malware feature. Cisco's AMP solution is another layer on top of IPS scanning. AMP scans files and checks to see if they are considered to be malicious by the Cisco security cloud. If the cloud says the file is clean, then the file is sent to the destination host. But if the cloud determines that the file is malicious, then it can be dropped.

00:04:16,310 --> 00:05:28,100
Now let's take a tour of Firepower AMP so that you can have a better idea of what type of configuration can be applied for preventing malware. So here I'm back in the Firepower Management Center GUI. First I'm going to show you the configuration options for AMP. So if I go to Policies, Access Control, Malware and File, that will take me to the Network AMP configuration area. While that's loading, I want to point out that there's two different types of AMP with Firepower. There's Network AMP and AMP for Endpoints, also known as FireAMP. Network AMP is when you have a hardware or virtual device that's actually scanning files as they go in and out of your network, while AMP for Endpoints, or FireAMP, is the endpoint solution and actually runs on your computer or mobile device and scans files locally. So here on my FMC I have a file policy that is being applied to my security devices, and just like an access list, you're creating rules.

00:05:28,100 --> 00:07:15,850
So I have one rule that defines what types of files I'm going to scan and then the action I'm going to take based on if the file is malicious. So let's go into this so you can see what type of options you have. Here are the different file type categories that you can select, and if you want, you can actually select specific file types. Since this is a lab environment, I just have all the categories selected. And then there's also some additional scanning that you can have applied to your security system with dynamic analysis or Spero. And then I'm saying what's my action, so I can say just Detect Files to just get log information for file transfers. I could block specific file types regardless of if they were malware or not. Maybe my company has a policy that says no executables are allowed to be transferred externally. I could match on the executables and just say Block Files. And then we have Malware Cloud Lookup and Block Malware. Malware Cloud Lookup would be if I wanted to just monitor if I had malware traversing my network, and this would check the AMP cloud to see if files were malicious or not, and it would just give me a log event so that I could be aware that there was malware on my system. Or your best bet, which is what I'm doing in my policy, is to Block Malware. So this means when a file traverses my Firepower device, it checks the cloud to see if the file is malicious or not.

00:07:15,850 --> 00:08:35,420
If the cloud comes back and says it's malware, then I'm going to block the file transfer. If we want to monitor our malware events, we can go to Analysis, Files, Malware Events, and here is a list of the malware events that have been triggered in my networking environment. One really cool thing about AMP with Firepower is something called the file trajectory. So if I go to Network File Trajectory, it's going to show us how a file entered the network and then the hosts it was transferred between, and if it was allowed or blocked. You can either select recently viewed files for your file trajectory or paste in a file hash, IP address, or a file name. I'm going to paste in a file name that I know was triggered as malware, and here's the file trajectory for that malware. So here you can see how and when the malware entered the network, as well as if it was transferred and blocked.