Cisco Firepower NGFW (FTD) Integration with Cisco Identity Services Engine (ISE)

Captions
My name is Eric Costlin, Technical Marketing Engineer for Cisco Systems, and I will present and demonstrate how the Cisco Next-Generation Firewall can be integrated with the Cisco Identity Services Engine. Three points of integration will be covered in this presentation: using the Identity Services Engine as a passive identity provider for the Next-Generation Firewall, rapid threat containment, and the use of Security Group Tags. Notice that posture assessment, another important role of ISE with AnyConnect, will not be covered in this presentation.

ISE is the access controller for the network and communicates with the switches and wireless LAN controllers. The FMC, or Firepower Management Center, manages the firewalls, and a key thing that ISE can do is send information to the FMC that can be used in policies, such as the IP-to-user mappings and ISE metadata, including the device type and something called Security Group Tags, which we'll cover in depth. The device type allows you, for example, to have a policy that only applies to, say, Apple devices or Samsung devices.

So what are these Security Group Tags? They are metadata that's actually embedded in the frame of the traffic for supported switch infrastructures, and starting with 6.5 these can be used for both the source and destination in the matching criteria for access policy rules. Now, the tag doesn't actually have to make it to the firewall; it's possible that your infrastructure doesn't support tags on all of the intermediate switches, so ISE can use something called the SGT Exchange Protocol, or SXP, to communicate the IP-to-user mappings to the FMC. The FMC, with its forensic and analytic capabilities, can also direct ISE to take action based upon its conclusions. For example, it can have ISE direct a switch to shut down a switch port, or to start tagging traffic from a device with a Quarantined Systems SGT.

Let's drill down on the passive identity provider configuration. So here you can see that we have a rule in our access policy that says members of the HR group are not allowed to use SSH, and let's show how we can integrate with ISE to get the identity of the endpoints' users. So let's go to the identity sources, and you'll notice that we're deprecating the older Sourcefire User Agent, or Cisco Active Directory Agent; you will get a warning with 6.5, and eventually it will not be supported. So let's go to Identity Services Engine and tell the FMC where ISE is. Of course, authentication is done by using a certificate. We need to trust the certificate that ISE will provide, so let's upload the CA certificate for the certificate authority that ISE will be using. In this lab, typically, we use the same certificate for MnT; MnT is beyond the scope of this presentation. We also need a client certificate for the FMC. It has to be signed by a certificate authority that ISE trusts, and of course we need both the certificate and the private key. Now let's perform the test. The logs here are very useful, particularly if you have a failure, so you should maybe get used to what they look like, but in the case of a success they don't really provide much critical information. Notice we're getting a warning that the user agent will no longer be available now that we've configured ISE.

All right, so now we've convinced ISE that this jump box is a switch, so I'm going to send a bunch of RADIUS messages to ISE about logging in and logging out, and let's actually look on the FMC and see if that information was communicated from ISE. And you can see that it is: we have four users, and we have both login and logout information. Now, as a test, let's see if we can actually block the HR group from using SSH. So first let's try Ira. Ira is not in the HR group, so he should be allowed to use SSH, and sure enough we can see that we are being permitted; there's no reason to log in. But let's become Harry. Harry is a member of the HR group, so let's change the IP address and try logging in as Harry. You can see that SSH is blocked.

Let's move on to rapid threat containment. This is where the FMC will tell ISE to take action based upon certain information. Now, if you look, we have a malware correlation policy, and this will be triggered if an endpoint encounters malware. We won't go into the details of the remediation configuration since it's a bit lengthy. So let's now add a rule for quarantined systems, and for convenience we'll do SSH again, SSH being very easy to test. So what we're going to basically say is: if you're quarantined, and you will be quarantined if you encountered malware, let's block SSH as an application, which means it doesn't matter what port you try to use SSH on. So here's the key point: we only want this rule to match if the security group tag (notice that we could also do it based upon device ID, or some combination of those criteria) is set to Quarantined Systems. So we'll block; block with reset is better for the purpose of demonstrations, and we'll log the information. All right, so there's our rule, and we do have to deploy, because it's a policy change, to the appropriate device or devices. I will use a bit of time lapse, you could say, to make sure that we don't wait too long for the deployment, but we'll get the information about how long the deployment's taking, and it's not so bad: a minute and 27 seconds.

All right, let's see if this works. So for this I need to have a switch listening to ISE, so I'm going to open up a RADIUS listener on the jump box, which ISE thinks is a switch, so ISE has someone to talk to. I'm going to become Ira again, and as before, Ira is allowed to use SSH. But what if Ira encounters malware? So let's go try to download some malware. Naturally the malware was blocked, but something much more important happened: you see, ISE sent a RADIUS message to the switch, and now, if we do a CoA (Change of Authorization) on the switch, Ira should no longer be able to use SSH. And you can see the Quarantined Systems tag has been assigned. You can also see the device types of the various users; this was achieved by having the RADIUS simulator send certain MAC addresses to ISE.

Let's move on to Security Group Tags, and let's go back to the integration of ISE. As you can see, just to remind you, we are configured to use the Session Directory topic, but we are not currently using SXP. Now, I don't want to turn this into an ISE configuration demo, but I wanted to show some key things that you have to change on ISE to get this feature to work. So we have to publish the SXP mappings to the topic; that will be required. And we need a Policy Services Node, PSN. Since this is a standalone deployment of ISE, ISE will itself be the Policy Services Node, and we have to enable SXP on it in that role of being a node. We also need a device, even if it's a dummy device, so that we can have a device that's enabling the SXP publication, even though they're static mappings. So we create a dummy device here, and now if we look at the IP mappings, notice the device is offline, but that doesn't matter; we can actually see that we're publishing the mappings for the contractor and for the development server. Now on the FMC we can subscribe to the SXP topic, and as you can see it was successful. We could analyze the logs if there was a problem with that. And let's save.

All right, well, let's create a policy rule using those tags. The policy rule is going to be quite simple: we're just going to say contractors can't go to the development servers. So we can call this Block Contractors; we can put it right at the top so it's easier to troubleshoot, and here's the key point: we're going to use these tags for the source and destination criteria for matching this rule. So something from the Contractors going to the Development Servers should be blocked, and we might as well log it while we're blocking it. And let's deploy that policy, so again a little bit of time lapse to get through the policy deployment. And now let's test this. So we're going to run some wgets with various sources and destinations. This is a sanity test; this should go through because that's not a development server. Here's the traffic that should be blocked, and we see it is blocked. But if we go to .202, we will see that we are allowed to go there. Now we want to change that. We want to say, what if .202 becomes a development server, or what if we've got a new contractor coming in, or some other change? So let's go to the static mappings and let's add a new mapping for a new development server at .202. And what we will see is that it does get published; since the FMC is subscribing to the SXP topic, it will immediately receive that information and reprogram the firewall to block that traffic. As you can see, the same request is now being blocked, and here you can actually see the blocks, and if we scroll over to the right we can actually see the Security Group Tags for both the source and destination for those connections. Thank you very much for your time.
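The three integration points shown in the demo (passive identity from ISE login events, rapid threat containment via a Quarantined Systems tag, and SGT source/destination matching fed by SXP mappings) modelled as an added Python example. This is a constructed toy policy evaluator, not Cisco, Firepower or ISE code: the IP addresses, user names, group names and rule names are made up, application identification (SSH vs. HTTP) is assumed to have already been done by the firewall and is passed in as a field, and the `IdentityStore` stands in for what the FMC learns from ISE over pxGrid and SXP. What it shows that the narration alone does not is why a tag-based rule needs no redeploy when a mapping changes: the rule stays fixed and only the IP-to-SGT table is updated.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str  # application as identified by the firewall (assumed already detected)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    src_sgt: Optional[str] = None    # Security Group Tag of the source IP
    dst_sgt: Optional[str] = None    # Security Group Tag of the destination IP
    app: Optional[str] = None        # application match, independent of port
    src_group: Optional[str] = None  # directory group of the user mapped to the source IP

class IdentityStore:
    """Stand-in for what the FMC learns from ISE: IP->user (passive identity)
    and IP->SGT (SXP / pxGrid mappings). Constructed for this example."""
    def __init__(self, user_groups):
        self.user_groups = user_groups   # user -> set of directory groups (constructed)
        self.ip_to_user = {}
        self.ip_to_sgt = {}
    def login(self, ip, user):  self.ip_to_user[ip] = user
    def logout(self, ip):       self.ip_to_user.pop(ip, None)
    def learn_sgt(self, ip, sgt): self.ip_to_sgt[ip] = sgt   # mapping published via SXP
    def groups_for_ip(self, ip): return self.user_groups.get(self.ip_to_user.get(ip), set())
    def sgt_for_ip(self, ip):   return self.ip_to_sgt.get(ip)

def matches(rule, conn, store):
    """Every criterion set on the rule must hold; unset criteria match anything."""
    if rule.app is not None and rule.app != conn.app:
        return False
    if rule.src_sgt is not None and store.sgt_for_ip(conn.src_ip) != rule.src_sgt:
        return False
    if rule.dst_sgt is not None and store.sgt_for_ip(conn.dst_ip) != rule.dst_sgt:
        return False
    if rule.src_group is not None and rule.src_group not in store.groups_for_ip(conn.src_ip):
        return False
    return True

def evaluate(policy, store, conn):
    """First matching rule wins, top to bottom; default is allow."""
    for rule in policy:
        if matches(rule, conn, store):
            return rule.name, rule.action
    return "default", "allow"

def run_demo():
    # Constructed users, groups and RFC 5737 documentation addresses.
    store = IdentityStore(user_groups={"ira": {"Engineering"}, "harry": {"HR"}})
    policy = [
        Rule("Block Contractors", "block", src_sgt="Contractors", dst_sgt="Development Servers"),
        Rule("Quarantined Systems", "block", src_sgt="Quarantined Systems", app="ssh"),
        Rule("HR no SSH", "block", src_group="HR", app="ssh"),
    ]
    results = {}
    # 1. Passive identity: ISE relays RADIUS login events, FMC maps IP -> user.
    store.login("192.0.2.10", "ira")
    store.login("192.0.2.11", "harry")
    ssh = lambda src, port=22: Connection(src, "198.51.100.50", port, "ssh")
    results["ira_ssh"] = evaluate(policy, store, ssh("192.0.2.10"))
    results["harry_ssh"] = evaluate(policy, store, ssh("192.0.2.11"))
    # 2. Rapid threat containment: after a malware event ISE assigns the quarantine
    #    tag to Ira's IP; SSH is now blocked on any port, the rule is unchanged.
    store.learn_sgt("192.0.2.10", "Quarantined Systems")
    results["ira_quarantined_ssh_2222"] = evaluate(policy, store, ssh("192.0.2.10", port=2222))
    # 3. SGT source/destination matching from SXP static mappings.
    store.learn_sgt("192.0.2.20", "Contractors")
    store.learn_sgt("198.51.100.201", "Development Servers")
    http = lambda src, dst: Connection(src, dst, 80, "http")
    results["contractor_to_201"] = evaluate(policy, store, http("192.0.2.20", "198.51.100.201"))
    results["contractor_to_202_before"] = evaluate(policy, store, http("192.0.2.20", "198.51.100.202"))
    # Publishing a new mapping for .202 flips the verdict with no policy deployment.
    store.learn_sgt("198.51.100.202", "Development Servers")
    results["contractor_to_202_after"] = evaluate(policy, store, http("192.0.2.20", "198.51.100.202"))
    return results

if __name__ == "__main__":
    for name, (rule, action) in run_demo().items():
        print(f"{name:28s} -> {action:5s} ({rule})")
```

The ordering of the rules mirrors the demo's advice to put the tag rule at the top where it is easy to troubleshoot; because `evaluate` returns the name of the matching rule, the output also shows which rule produced each block, which is what the connection events with source and destination SGT columns give you on the FMC.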
Info
Channel: Cisco Secure Firewall
Views: 4,036
Id: WM58CwvcQJo
Length: 16min 8sec (968 seconds)
Published: Thu Jul 30 2020