#CiscoLiveAPJC Session ID © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Critical Requirements for Defending Government Networks

Andrew Benhase, Federal Architect
@CyberSecOps, @ThreatCowboy
BRKSEC-2067

Cisco Webex App

Questions? Use Cisco Webex App to chat with the speaker after the session.

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until December 22, 2023.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-2067

New Things to talk about

Quantum Resistance and Post-Quantum Plan
A Roadmap for Cisco Innovation

Quantum Crypto Market

Quantum Resistance Market
• Risk Level: Maximum Revenue Potential
• 5 years
• Well understood, existing market partnerships. Current product development. Requires near term Engineering investments.

Post-Quantum Market
• Risk Level: Unlikely to produce near term revenue
• 10 years
• 10 year Roadmap, market not well understood. Pure R&D, limited to no near term revenue.

Post Quantum Direction
• US Government (NIST) urges maximum flexibility and caution relative to post-quantum. Changes are likely.
• Danger to Cisco is the distraction of PQ – could easily hurt current solution directions for Quantum Resistance
• 10 years away from broad implementations, certifications and substantial customer deliveries

The Predicate

QR Mandatory

Detailed Recommendations

• Enterprise Networking Investments
IOS-XE Development
Forward Investment – IOS-XE
- Rotational Key Management
- Robust Quantum Key Delivery with external HSM integration
- Initial option for PQ-SSH (pq-tls) cipher integration
- Uses CiscoSSH as the basis for implementation
- CiscoTLS work already underway

• SBG Investments
ASA Development
Forward Investment – ASA
- SKIP Implementation
- Rotational Key Management
- Robust Quantum Key Delivery with external HSM integration
- Initial option for PQ-SSH (pq-tls) cipher integration
- Uses CiscoSSH as the basis for implementation
- CiscoTLS work already underway

• SBG Investments
FTD/FMC Development
Forward Investment – FTD/FMC
- SKIP Implementation
- Rotational Key Management
- Robust Quantum Key Delivery with external HSM integration
- FMC must fully instrument all Lina QR work
- Uses CiscoSSH as the basis for implementation
- CiscoTLS work already underway

• SBG Investments
Secure Client Development
Forward Investment – AnyConnect (Secure Client)
- SKIP Implementation
- Rotational Key Management
- Robust Quantum Key Delivery with external HSM integration
- Must integrate with ASA and FTD for IPSec Termination
- Should invest in PQ-TLS based tunneling

The Rise of Open Source Intelligence
https://flashpoint.io/wp-content/uploads/Flashpoint_RUS-UK_2023-FINAL.pdf

[Diagram: Threat Intelligence – Curated Collection, Broad Spectrum, 3rd Country Nationals, Government Interface; Cisco: Senderbase, TALOS, Threatgrid, OpenDNS, Kenna, TIP, CTIA]
Tactics, Techniques and Procedures
Current Trends and TTPs
• New TTPs – massive increase in scanning occurring on US networks
• C2 networks running out of Russia, Belarus to Vietnam, Ukraine and to the US
• Looking at Federal Government related networks
• Reconnaissance taking place, probing
• Deny_All is of course super effective
• Event Load so high had to disable outside Interface of sensors
• Rolled our FMCs, had to move to 9XL Instances in Amazon to keep up
Some New Observed TTPs
• Service Request Networks are a real target
• Network Time Protocol Pools are observed targets
[Diagram: NTP Client sends NTP Request to the Internet]
Interesting Denial Concept
1. If I constantly overwhelm with security events
2. And shorten the practical window of FIFO collection
3. Effectively shortening the observation windows and effective collection
4. I can real dollar cost expense out a large portion of observation outside of possibly the Federal Government
5. Make observation so expensive, people lose interest in Monitoring
6. This is the kind of behavior we’re seeing, adaptive Recon with overwhelming amounts of attack traffic
7. Can I cost out the monitoring?

Overt Ops
Chat about current Ops

CHAT TIME

Critical Network Defenses
• Detailed Egress ACLs
• Granular Ingress ACLs
• Map out Cloud access points
• Establish Cloud Only Access with no CSP Pivot Points
• Process VPC Flow Logs, know your CSP traffic patterns
• Employ CSP tools such as AWS GuardDuty

Critical Protocols to Block
IPv6 – if you are not prepared, deny_all
• IP in IP (Protocol 4): IP in IPv4/IPv6 (requires a smart firewall)
• SIT/IPv6 (Protocol 41): IPv6 in IPv4/IPv6
• GRE (Protocol 47): Generic Routing Encapsulation
• OpenVPN (UDP port 1194): OpenVPN
• SSTP (TCP port 443): Secure Socket Tunneling Protocol (requires a proxy)
• IPSec (Protocol 50 and 51): Internet Protocol Security
• L2TP (Protocol 115): Layer 2 Tunneling Protocol
• PPTP (TCP Port 1723): RFC 2637
• VXLAN (UDP port 4789): Virtual Extensible Local Area Network
• LISP (UDP port 4341): encapsulated user data
• LISP (UDP port 4342): control plane packets
• OTV (TCP/UDP 8472): per the RFC, but practically is IP/47

Why Block them?

Because no DPI solutions inspect them

They *may be natively dropped (maybe not)

Most likely they are explicitly forwarded

Minimally establish monitor rules for these protocols
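Added example, not code from the slides or from Cisco: the "Critical Protocols to Block" list above written as a flow-evaluation policy and run over constructed flow records. The flow records, the documentation addresses and the IPV6_PREPARED flag are assumptions; the verdicts follow the slides: the listed encapsulation protocols and ports are blocked, SSTP on TCP/443 is only monitored because it cannot be told apart from HTTPS without a proxy, unlisted protocol numbers that no DPI engine inspects are monitored, and IPv6 is denied unless you are prepared.

```python
"""Egress/ingress policy check for the tunnelling and encapsulation protocols
on the "Critical Protocols to Block" slide (added example, not Cisco's code).
"""
import ipaddress
from dataclasses import dataclass

# IP protocol numbers taken from the slide.
BLOCKED_IP_PROTOCOLS = {
    4: "IP in IP",
    41: "SIT / IPv6 in IPv4",
    47: "GRE",
    50: "IPsec ESP",
    51: "IPsec AH",
    115: "L2TP",
}

# Transport-level ports from the slide: (l4 protocol, port) -> label.
BLOCKED_PORTS = {
    ("udp", 1194): "OpenVPN",
    ("tcp", 1723): "PPTP",
    ("udp", 4789): "VXLAN",
    ("udp", 4341): "LISP data",
    ("udp", 4342): "LISP control",
    ("tcp", 8472): "OTV (per RFC)",
    ("udp", 8472): "OTV (per RFC)",
}

# SSTP rides on TCP/443 and needs a proxy to be distinguished from HTTPS,
# so it is flagged for monitoring rather than blocking all HTTPS.
MONITOR_ONLY_PORTS = {("tcp", 443): "possible SSTP (needs proxy to confirm)"}

IPV6_PREPARED = False  # slide: "IPv6 - if you are not prepared, deny_all" (assumption)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int          # IP protocol number (6=TCP, 17=UDP, others as above)
    dport: int = 0      # destination port, 0 when the protocol has none


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason) for one flow record."""
    if ipaddress.ip_address(flow.dst).version == 6 and not IPV6_PREPARED:
        return "BLOCK", "IPv6 deny_all (not prepared)"
    if flow.proto in BLOCKED_IP_PROTOCOLS:
        return "BLOCK", BLOCKED_IP_PROTOCOLS[flow.proto]
    l4 = {6: "tcp", 17: "udp"}.get(flow.proto)
    if l4 is None:
        # Any other protocol number is not inspected by DPI either: watch it.
        return "MONITOR", f"uninspected IP protocol {flow.proto}"
    key = (l4, flow.dport)
    if key in BLOCKED_PORTS:
        return "BLOCK", BLOCKED_PORTS[key]
    if key in MONITOR_ONLY_PORTS:
        return "MONITOR", MONITOR_ONLY_PORTS[key]
    return "ALLOW", "no tunnelling signature"


def evaluate_all(flows):
    """Evaluate every flow; the MONITOR/BLOCK rows are what a monitor rule logs."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample flows using documentation addresses, not real traffic.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.7", 47),          # GRE
    Flow("192.0.2.10", "198.51.100.7", 17, 1194),    # OpenVPN
    Flow("192.0.2.11", "198.51.100.8", 6, 443),      # HTTPS, or SSTP
    Flow("192.0.2.12", "2001:db8::1", 6, 443),       # IPv6 destination
    Flow("192.0.2.13", "198.51.100.9", 6, 80),       # plain web
    Flow("192.0.2.14", "198.51.100.9", 132),         # SCTP, not on the slide
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate_all(SAMPLE_FLOWS):
        print(f"{verdict:8} {flow.src} -> {flow.dst} proto={flow.proto} "
              f"dport={flow.dport}: {reason}")
```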

Airgapping the Attack Surface
Do you need to be connected to the Internet 100% of the time?

What would you do if you had to immediately disconnect from the Internet?

Can you disconnect all of your networks from the Internet in less than 5 minutes?

If it took you 60 minutes to find “the guy” to disconnect your networks, how much damage would have occurred?

Is this really the practical option?

Scenario #1
Security Emergency
• Large volumes of data being actively exfiltrated from network
• Containment measures unsuccessful
• 70 minutes have passed since flow detection has occurred
• Must stop data exfiltration at all costs, immediately

[Diagram: Standard Perimeter Security Model v2.1 – Internet, External Screening Router, Stateful Firewall, Flow / Application / Protocol / Content Inspection, Policing / Rate Limiting, SPAN, External IDS, Firewall/IDS Management Server, Access Control, Audit and Configuration Control, MX Record Owner, Email Content Inspection, Virtual Sensor A and C, VLAN A/B/C, URL Authorization, Decrypted SSL, VPN Termination, Primary and Secondary Site Address Record Owner, Split-DNS, Internal IDS, WAN Screening Router, Internal Screening Router]
You can probably find the person to disconnect this….

[Diagram: several Security Model v2.1 perimeters interconnected over an MPLS Core]
Can you find this person?

[Diagram: the same multi-site topology with a CSP Connection added]
Or this person?
Scenario #2
Asset Based Threat Risk Reduction
• Breach containment is failing
• Clear signs that database access is the goal
• Brute force failed login attempts from lateral assets
• Decision is made to disconnect primary databases

Critical Systems Disconnect
• Understanding that database operations are generally the target of any successful cyber heist, a planned disconnect for database operations could yield significant attack surface reduction during scheduled periods
• This is not an INTERNET disconnect use case, it is a critical systems disconnect only
• Strategically placed disconnect appliances could be employed within the network to offer a critical protect function, while maintaining a primary internet connection which may be needed for triage, assistance and remote access

[Diagram: Standard Data Center, Active/Active Failover, Security Model v2.1, showing Lateral Server Risk Reduction and Emergency Database Protection]
Government Cross Domain Use Case

AUTOMATED AIRGAP

Hardware based Airgap
Drawbridge – physical disconnect
• Physical Relay Ports
• Cellular or Local Admin controlled
• No IP on the physical interfaces
• Allows for Executive Disconnect Option
• Can be scheduled for relay closed operations based on time schedule

Physical Relay based Disconnect

Highly Secured Airgapping

Highly Secured Airgap
[Diagram: OTP, SMS Management, Disable Port 1, Enable Port 12, Enterprise Network]

[Diagram: OTP Highly Secured Airgap – VPN Management, Enterprise Network]

Scenario Details
1. Cell/OTP pair is for MGMT port access enablement only
2. Enables MGMT port to FPR1010
3. Establishes AnyConnect VPN to FPR1010
4. Logs into WebUI with OTP
5. Disable Internet Access on Port 1-10
6. Automatic schedule resets MGMT port to closed on each hour

Security Details
• Inbound number is whitelisted
• Duo/Google/MFA Client is linked to a specific user
• All other inbound SMS messages are ignored
• Inbound number is only provided access to certain ports
• 321-555-1212 is allowed access to Port 12 only
• 321-555-2222 is allowed access to enable Port 1 only
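Added example, not code from the slides or from Cisco: the SMS/OTP authorisation and hourly reset from the Scenario Details and Security Details slides, written as a small relay controller. Assumptions: the controller receives (sender number, port, OTP code); RFC 6238 TOTP over HMAC-SHA1 stands in for the Duo/Google MFA client; the shared secret is the RFC 6238 test key, constructed for the demo; the whitelisted numbers and their ports are the ones on the slide.

```python
"""SMS/OTP-gated relay control for a Drawbridge-style airgap (added example,
not Cisco's code): whitelist the sender, bind it to one port, verify the OTP,
open the relay, and auto-close on the next hour boundary.
"""
import hmac
import hashlib
import struct
import time

# Slide values: each whitelisted inbound number may act on exactly one port.
ALLOWED_NUMBERS = {
    "321-555-1212": 12,   # allowed access to Port 12 only
    "321-555-2222": 1,    # allowed to enable Port 1 only
}

# Constructed demo secret shared with the user's MFA client (RFC 6238 test key).
USER_TOTP_SECRET = {
    "321-555-1212": b"12345678901234567890",
    "321-555-2222": b"12345678901234567890",
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP built on RFC 4226 HOTP with HMAC-SHA1."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def next_top_of_hour(now: int) -> int:
    """The relay is scheduled back to closed on each hour boundary."""
    return (now // 3600 + 1) * 3600


class RelayController:
    """Tracks which relay ports are open and until when (epoch seconds)."""

    def __init__(self):
        self.open_until = {}

    def handle_sms(self, sender: str, port: int, code: str, now: int) -> str:
        # All other inbound SMS messages are ignored.
        if sender not in ALLOWED_NUMBERS:
            return "ignored: unknown sender"
        # The inbound number is only provided access to certain ports.
        if ALLOWED_NUMBERS[sender] != port:
            return f"denied: {sender} not authorised for port {port}"
        # The MFA client is linked to a specific user: validate their OTP,
        # allowing one 30 s step of clock skew either way.
        secret = USER_TOTP_SECRET[sender]
        valid = any(hmac.compare_digest(code, totp(secret, now + d * 30))
                    for d in (-1, 0, 1))
        if not valid:
            return "denied: bad OTP"
        self.open_until[port] = next_top_of_hour(now)
        return f"port {port} enabled until {self.open_until[port]}"

    def is_open(self, port: int, now: int) -> bool:
        """Apply the hourly reset: a port is closed once its deadline passes."""
        return now < self.open_until.get(port, 0)


if __name__ == "__main__":
    ctl = RelayController()
    t = int(time.time())
    code = totp(USER_TOTP_SECRET["321-555-1212"], t)
    print(ctl.handle_sms("321-555-1212", 12, code, t))
    print(ctl.handle_sms("321-555-1212", 1, code, t))    # wrong port for this number
    print(ctl.handle_sms("321-555-9999", 12, code, t))   # not whitelisted
    print("port 12 open now:", ctl.is_open(12, t),
          "| open after the hour resets:", ctl.is_open(12, next_top_of_hour(t)))
```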

>>Hey, I can do all of this with software/scripts….<<
• sudo /kill/disconnect.pl
• sudo /kill/db_disconnect_all.pl

Secured DNS
• Block Outbound DNS to known DNS providers
• Use Security Policy as DNS Overlay
• Use Encrypted DNS Requests
• Be sure to include IPv6 DNS Destinations

I’m not saying use OpenDNS, but use OpenDNS or Commercial Umbrella or some Secured DNS provider
FREE
https://www.opendns.com/home-internet-security/
It is free, don’t be a victim!

Secured Time
In any conflict, time is a critical asset
In cyber secops, trusted time is the single most important asset

Why is Time so important?
• Correlation of security events
• Forensic replay - Investigations
• Sequence of packet times
• All Simulations require synchronized time

Secured NTP Slides
[Diagram: a client asking “Give me Time!” of NTP Pool 1, NTP Pool 2 and NTP Pool 3]
Secured NTP Slides
List of Source IP addresses requesting time: [list of ipv4Prefix entries omitted]
[Diagram: the client’s “Give me Time!” request goes to NTP Pool 2; an attacker slips in to an unsecured NTP Server or is added to the Pool and monitors source flows: “Thanks for adding to my list of known host addresses”]
Secured NTP Slides
[Diagram: NMAP over the collected source addresses – Collect Results, NMAP to JSON, Attack Scripts Launched, Attacks Results]
Secured NTP – What you should do
[Diagram: a client asking “Give me Time!” of NTP Pool 1, NTP Pool 2 and NTP Pool 3]

Secured NTP – What you should do
[Diagram: a client asking “Give me Time!” of a single Trusted Time Source]

Secured NTP – Most Secure Option
RFC8573 + RFC 4493: Message Authentication Code for the Network Time Protocol
[Diagram: a client asking “Give me Time!” of an NTP Router]

RFC 4493, RFC 8573, RFC 5905
• RFC 5905 – defines NTPv4
https://www.rfc-editor.org/rfc/rfc5905
• RFC 4493 – defines AES-CMAC (128 bit)
https://www.rfc-editor.org/rfc/rfc4493
• RFC 8573 – defines AES-CMAC in place of MD5 for NTPv4
https://www.rfc-editor.org/rfc/rfc8573
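Added example, not code from the slides or from any RFC implementation: a decoder for an NTPv4 reply per RFC 5905 that applies the checks the Secured NTP slides call for: the reply comes from the one trusted time source, it is sane (mode, leap indicator, stratum, clock offset), and it carries the RFC 8573 trailer of a 32-bit key ID plus a 128-bit AES-CMAC. The trusted source address, the key ID and the packet bytes are constructed; the MAC bytes are a placeholder, so the trailer's presence, length and key ID are checked while the AES-CMAC computation itself (RFC 4493) is not included.

```python
"""Decode an NTPv4 reply (RFC 5905) and check trusted source, sanity and the
RFC 8573 AES-CMAC trailer (added example, not Cisco's code)."""
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds between the 1900 and 1970 epochs
HEADER_LEN = 48
KEY_ID_LEN = 4
AES_CMAC_LEN = 16                      # RFC 8573: 128-bit AES-CMAC
TRUSTED_TIME_SOURCE = "192.0.2.123"    # constructed placeholder address
TRUSTED_KEY_ID = 1                     # key ID agreed with the time source (assumption)


def to_unix(ntp_ts: int) -> float:
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return (ntp_ts >> 32) - NTP_EPOCH_OFFSET + (ntp_ts & 0xFFFFFFFF) / 2**32


def parse_reply(pkt: bytes) -> dict:
    """Unpack the 48-byte header plus the optional key ID / MAC trailer."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, org_ts, rx_ts, tx_ts) = struct.unpack("!BBbbIIIQQQQ", pkt[:HEADER_LEN])
    fields = {
        "leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7, "stratum": stratum,
        "t1": to_unix(org_ts), "t2": to_unix(rx_ts), "t3": to_unix(tx_ts),
        "key_id": None, "mac": None,
    }
    trailer = pkt[HEADER_LEN:]
    if len(trailer) == KEY_ID_LEN + AES_CMAC_LEN:       # RFC 8573 layout
        fields["key_id"] = struct.unpack("!I", trailer[:KEY_ID_LEN])[0]
        fields["mac"] = trailer[KEY_ID_LEN:]
    return fields


def clock_offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 on-wire protocol: theta = ((t2-t1)+(t3-t4))/2, delta = (t4-t1)-(t3-t2)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def check_reply(src_ip: str, pkt: bytes, t4: float) -> list:
    """Return policy findings; an empty list means the reply is acceptable."""
    findings = []
    if src_ip != TRUSTED_TIME_SOURCE:
        findings.append(f"reply from untrusted source {src_ip}")
    r = parse_reply(pkt)
    if r["mode"] != 4:
        findings.append(f"unexpected mode {r['mode']}")
    if r["leap"] == 3:
        findings.append("server clock unsynchronised (LI=3)")
    if r["stratum"] == 0 or r["stratum"] > 15:
        findings.append(f"unusable stratum {r['stratum']} (kiss-o'-death?)")
    if r["mac"] is None:
        findings.append("no RFC 8573 AES-CMAC trailer")
    elif r["key_id"] != TRUSTED_KEY_ID:
        findings.append(f"unexpected key ID {r['key_id']}")
    offset, _delay = clock_offset_and_delay(r["t1"], r["t2"], r["t3"], t4)
    if abs(offset) > 1.0:
        findings.append(f"offset {offset:.3f}s exceeds step threshold")
    return findings


def build_reply(t1, t2, t3, leap=0, stratum=2, key_id=TRUSTED_KEY_ID, with_mac=True):
    """Constructed NTPv4 server reply (mode 4); the MAC bytes are a placeholder."""
    def to_ntp(unix):
        return (int(unix) + NTP_EPOCH_OFFSET) << 32 | int((unix % 1) * 2**32)
    hdr = struct.pack("!BBbbIIIQQQQ", (leap << 6) | (4 << 3) | 4, stratum, 6, -20,
                      0, 0, 0x0A0B0C0D, to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))
    if with_mac:
        hdr += struct.pack("!I", key_id) + b"\x00" * AES_CMAC_LEN  # placeholder MAC
    return hdr


if __name__ == "__main__":
    good = build_reply(1700000000.0, 1700000000.25, 1700000000.25)
    print("trusted source:", check_reply(TRUSTED_TIME_SOURCE, good, 1700000000.5))
    pool = build_reply(1700000000.0, 1700000300.0, 1700000300.0, with_mac=False)
    print("public pool:   ", check_reply("198.51.100.5", pool, 1700000000.5))
```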

If you need to run Certified Firewalls
Dashboard 7.4
Cert/Project FIPS CC DoDIN APL USGv6

ASA 9.20.x Level 2 and CR In Planning


Level 2 and CR In Planning In Planning In Planning
ASAv 9.20.x

Level 2 and CR In Planning


ASA 9.20.x and FX-OS 2.14.x on 4k/9k In Planning N/A
In Planning

Level 2 and CR In Planning N/A


ASA 9.20.x and FX-OS 2.14.x on 2k and 1k In Planning
Level 2 In Test – on IUT list
ASA 9.20.x and FX-OS 2.14.x on 3k
CR in Planning In Test In Planning

ASA 9.20.x and FX-OS 2.14.x on 4200s Level 2 and CR In Planning In Planning In Planning

FTD 7.4.x and FX-OS 2.14.x on 4k/9k Level 2 and CR In Planning


In Planning FX-OS – In Planning
In Planning
Level 2 and CR In Planning 1K – In Planning
FTD 7.4.x and FX-OS 2.14.x on 2k/1k In Planning
2K – In Planning
Level 2 In Test – on IUT list
FTD 7.4.x and FX-OS 2.14.x on 3k In Test
CR in planning In Planning 3k - In Planning

FTD 7.4.x and FX-OS 2.14.x on 4200s Level 2 and CR In Planning In Planning
In Planning 4200s – In Planning

Level 2 and CR In Planning In Planning FTD


FTDv 7.4.x In Planning

Level 2 and CR In Planning


FMC 7.4.x
In Planning In Planning USGv6 and Ready Logo
FMCv 7.4.x Level 2 and CR In Planning
N/A

Green = Submitted
Red = Gap in coverage, not submitted; off track
Yellow = In progress
Blue = Completed

Firewall Certification Plan – 2021 and beyond
Spring 2021 Fall 2021 Spring 2022 Fall 2022 Spring 2023 Fall 2023 Spring 2024

Certified FIPS,
Certified FIPS, CC,
Skip Skip Skip CC, DoDIN APL, Skip Skip
DoDIN APL, USGv6
USGv6

ASA 9.16.x 9.17.x 9.18.x 9.19.x 9.20.x 9.21.x 9.22.x


FTD 7.0.x (was 6.8.x) 7.1.x 7.2.x 7.3.x 7.4.x 7.5.x 7.6.x
FMC 7.0.x(was 6.8.x) 7.1.x 7.2.x 7.3.x 7.4.x 7.5.x 7.6.x
FDM 7.0.x(was 6.8.x) 7.1.x 7.2.x 7.3.x 7.4.x 7.5.x 7.6.x
FX-OS 2.10.x 2.11.x 2.12.x 2.13.x 2.14.x 2.15.x 2.16.x

FPR 4k refresh Certify Warwick


FPR 2k refresh
available ** Avenue (FPR 42xx)
HW *Certify FPR1150 and available** (Tufnell Park
(Warwick Avenue – and Tufnell Park (FPR
FPR4112 – FPR 3k)
FPR 42xx) 31xx)
FPR3105 available Also FMC M6

RFC 6668, RFC 8268,


RFC7030, RFC8573, IPv6 RFC8784 available, but
Key Fed RFC 8332, RFC 8784,
RFC8200, DoD IN IPv6 only, TBD will be matched with TBD TBD TBD
Features RFC 8996, PLR 3.0,
TLS 1.3 AnyConnect in 7.4
FLT on FDM

Cisco CSfC Product Tracking Table – Security Products

Hardening Reference Slides
Cisco Hardening
Cisco Guide to Hardening IOS Devices
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
Guide to Harden Cisco Firepower Management Center
https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/fmc/FMC_Hardening_Guide_v64.html
Guide to Harden Cisco ASA Firewalls
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html
Cisco Hardening
Cisco Firepower Threat Defense Hardening Guide
https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html
Cisco FXOS Hardening Guide
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/hardening/b_FXOS_4100_9300_Hardening/introduction.html
Cisco Guide to Hardening NX-OS
https://tools.cisco.com/security/center/resources/securing_nx_os.html

US National Security Agency Guides
https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/

Network Infrastructure Security Guide
https://media.defense.gov/2022/Mar/01/2002947139/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDANCE_20220301.PDF

Guide to Cisco Password Best Practices
https://media.defense.gov/2022/Feb/17/2002940795/-1/-1/0/CSI_CISCO_PASSWORD_TYPES_BEST_PRACTICES_20220217.PDF

Adopting Encrypted DNS in Enterprise Networks
https://media.defense.gov/2021/Jan/14/2002564889/-1/-1/0/CSI_ADOPTING_ENCRYPTED_DNS_U_OO_102904_21.PDF
