Rapid Threat Containment: Configuring Quarantine Rules in Cisco Firepower and ISE

Captions
Hello, welcome back. In this video I'm going to go ahead and integrate Firepower and ISE and create some rules to auto-quarantine and auto-remediate, so now we're getting into some fun stuff. Let's go ahead and open up ISE first, and the first place I'm going to have you guys go to is Administration > System > Deployment. I've already done this, but I want to go ahead and walk you through the steps, because if you're starting from scratch or if you haven't watched any of the previous videos you may miss this, and I don't want you guys to have any issues with that. Give me a moment; actually, I'm going to change over to Firefox really quickly. All right, okay, so go back here: we're going to go to Administration > System > Deployment and make sure that the pxGrid service is enabled, which I already have. The next thing I want to do while I'm here is go to Administration > pxGrid Services and go to Settings: Automatically approve new certificate-based accounts. Go ahead and save that.

Now, I'm using a Microsoft CA cert, so bear this in mind; it might be a little different if you're doing self-signed certificates, but to me, I know that CA-signed is pretty much the easiest for me to do, so that's kind of why I'm going with it. The reason being is, if your ISE node ever blows up or you need to create a new one, you don't have to reissue and reshare certs between ISE and Firepower; you pretty much just have to make sure Firepower trusts the same root and you're good to go. So let me go ahead and get into both Firepower and ISE and a couple of things, and one other thing: I'm also going to open up my CA root, so let me take care of that too. Just so you guys recall, we haven't done much with the Firepower services yet; we just kind of installed it and got a virtual FTD set up, so we're going to start from scratch pretty much here, except there's something inline and it's not really doing much except essentially sitting there and recording traffic. I don't have it blocking anything; I just want to use it for the purposes of triggering something on pxGrid.

So first and foremost, I'm going to go ahead and... let's see, I want to make sure that I'm doing all the certificate work first, so give me a moment while I pull that up. The first thing I'm going to do is SSH over to my FMC, which hopefully is going to work. All right, I'm going to have to do a couple of things for the certificate, to create a CA certificate signing request, so let's go ahead and use... it's basically a few OpenSSL commands. So it's going to be sudo openssl genrsa -out (you can name it anything you want; I'm just going with) sourcefire_agent.key 4096, our root password, all right, perfect. And sudo openssl req -new -key sourcefire_agent.key -out sourcefire_agent.csr; country code is US, CA, Irvine, Cisco, Engineering, FMC. There we go; that's pretty much all I have to do in the Firepower CLI. So I'm going to go ahead and open WinSCP and transfer that request over, so give me a moment. Okay, perfect, I'll just put these on the desktop really quickly. Perfect, that's all I really need to do: I moved my CSR and my key over there, and I'm going to open the CSR over here in Notepad (More options, Notepad). I'm good to go; copy and paste this, and request a certificate. We're going to use that pxGrid certificate template we created before, and for anyone who didn't watch the video before, it's a simple certificate request template we created in Windows, the Windows PKI. So let me go ahead and pull that up for you guys so you can take a look again; I don't want to assume that anyone's watched all the videos, so I'll just kind of do a recap, but check out the early videos if you need a step-by-step guide on how to create this. So I go to my Certificate Templates, Manage, and there's that little guy right there. So the important things here were the extensions, which were Client Authentication and Server Authentication, and the subject name was Supply in the request. I think I essentially copied the Web Server one, duplicated the template, and changed the extensions there, so if you want to do that, you're good to go.

Okay, so let's go ahead and grab that and download the certificate in Base64, save, and the other thing I'm going to do is download the CA cert, which is going to be Download CA, Base64; download that as well. All right, so next I'm going to have to upload the trusted root to Firepower, so I go over to Objects > Object Management. Give me a second, let's go back there; my server's running a little hot with all the VMs I've got on there right now. All right, now it's up. Now I've got PKI > Trusted CAs; we're going to add a trusted CA, so it's going to be CA root, and we're going to go ahead and pick the CA certificate we just downloaded, the CA root one, not the one that was created specifically from the CSR. So I'm going to add that, and then we're going to go ahead and go to System > Integration > Identity Sources. By the way, on ISE, make sure you guys... I mean, we went through this in previous labs, but you want to make sure under Certificates that your trusted root certificate from the CA server is trusted and that the pxGrid certificate that you're using for this is a CA-signed one, so bear that in mind. So System > Integration > Identity Sources, Identity Services Engine; I'm going to go ahead and put my ISE server, our ISE IP address, in there. I'm going to go ahead and take the CA root that we just added, which is somewhere down here, CA root, there we go, and also pick that for my other CA root, and then we're going to go ahead and pick the Firepower one, so this is going to be CA-signed, and let's go ahead and grab that other cert we just created, and the key that we sent over, so that's the sourcefire_agent.key. Click Save. Now let's go over to pxGrid Services really quickly, but before we do, let's test this out. Success, hooray! All right, we're not done yet, but if you refresh over here you should see this guy pop up, so that's good, and you see it automatically gets the client group of ANC and EPS. That's Adaptive Network Control, you can see here, and Endpoint Protection Service; basically it says it has the ability to quarantine. Not quite there yet, though, but let's go ahead and save that.

And then the next thing we're going to want to do is configure our realm, so our AD integration. So let's go ahead and create a new realm, and this is going to be an AD one. So the primary join domain is going to be securitydemo.net, administrator@securitydemo.net, super secret password, administrator@securitydemo.net, okay, so CN=Users,DC=securitydemo,DC=net. Actually, both my groups are in the same place, so I'm just going to do essentially the same thing. So test this out, make sure it works. Woo, it works! All right, so we'll go ahead and let that join. Perfect. And let's go ahead and add a domain controller, so that's going to be 40; test that out, works. See if we can download users and groups, add to that the included, and it will automatically download users and groups every day. Let's enable the AD realm and let's make sure that we can download the users and groups. It shows here that it's queued, so let's see; looks like it already did, so that's perfect.

Let's go ahead and also create our identity, our ISE policy. So the first thing we're going to do is go to an identity policy and create an identity policy. I'm just going to call this ISE; this is going to be our identity policy for the security demo lab. Done; wait for it to pop up over here. Go ahead and close that, because I don't need that. So bear with a little bit of the lag; my system is lagging today, and I'm well aware of the reason. All right, so we're going to go ahead and create a passive identity rule, so let me go ahead and just call it passive, and make sure that the realm and settings are just going to be AD; it'll just affect everything, essentially. Add, and let's see, I don't want any active authentication, so I'll just click Save. And I'm going to tie this to my access control policy really quickly, so you see that identity policy right there; we'll just go ahead and drop down and set it to ISE, and let's see, I will go ahead and ignore... I don't think there's going to be any VLAN headers coming through, but we'll just go ahead and put that down, and maximum active responses, sure. All right, so if I go over to Analysis > Users I should be able to see my users populate from Active Directory and ISE, so that's good. If you go to the access control policy, you should also be able to create rules based on attributes that ISE provides, so let me go ahead and do so right now: Add Rule, and so you see there's this SGT/ISE Attribute tab. So I could essentially create a rule defining, you know, some profiled device, so my Raspberry Pi profiles I created before, or a security group ID, or, you know, a location IP. So there are quite a few things I can create the policies based off of, which is a nice little add-on, but I think the Rapid Threat Containment part is pretty awesome as well, so that's what I'm going to go ahead and start configuring next for you.

So next up, let's go ahead and go to Policies > Actions, then we're going to go to Instances, and the first instance we're going to create is going to be pxGrid Mitigation version 1. So let's go ahead and create that, and this is going to be ISE pxGrid, great. And there are only going to be two remediation types we're going to create here, so this is going to be remediation by source, and go ahead and quarantine by source IP; the mitigation action is going to be quarantine. Then we're done with that; we're going to add one more, and this one's going to be unquarantine. Save this. Now, I'll kind of walk through some of the different things you can create as far as correlation rules to trigger quarantine and unquarantine, but the reality is, I'm just going to create a really basic ICMP Snort rule and just have that trigger it, but I'll go through some of the cooler things you can do with it.

So let's go ahead and create a custom Snort rule really quickly: go to Objects > Intrusion Rules and Create Rule. Now, I'm by no means a master of Snort rules, but I'll go ahead and kind of make a play at doing one, so this one's pretty easy. I think it's just going to be like a connection attempt, Miscellaneous Activity; protocol is going to be ICMP, ICMP to internet host, and for the purposes of this lab let's just go ahead and say source port... actually, I don't really care what the source IP is; I'm just going to make sure it's the destination. I think it's an ICMP event and it's going to this guy. Then go ahead; that's going to be my trigger, my rule, and let's make sure that my firewall is off on that device so I can go ahead and ping it. Okay, perfect, it lives. Save, and let's go ahead and enable that on the intrusion policy. I don't want it to drop it; I just want it to trigger an event saying it happened. So go to Policies > Access Control > Intrusion, and since this intrusion policy from our previous videos is tied to our existing access control policy, I just need to configure it here and deploy it and it's good to go. So let me wait for that to pull up, and let's go to Rules; ICMP should be in the ten thousand range, yep, there. So we're going to enable that rule right here. I want the SID number, because it's going to be important later when I go ahead and use this as part of the rule, so that's the SID value. So let's go ahead and hide details, and the rule state is going to be Generate Events. Perfect, save this, commit changes. Now let's go ahead and deploy it to the FTD really quickly.

So while that's happening, let's go ahead and start creating our correlation policy: Policies > Correlation. This is where we define our rules, what's going to trigger this event, this automatic quarantine, and then what's going to trigger a remediation, unquarantine. So first and foremost, it's a little weird, because I feel like Rule Management should be the first tab you go to and then Policy Management the second, but it's a little backwards. I have no power over how that's created, but it's kind of funny. So you first go to Rule Management; that's where you create your rules. I'm going to create a little group here, I'll call it pxGrid, click Save, and create rules. So this is going to be our quarantine rule: essentially, if you trigger SID whatever, we're going to have this feed of what triggers our quarantine. Group it with our pxGrid, and this is going to be: if an intrusion event occurs and it meets the following conditions, so that was going to be rule SID equals 1000, or was it 1 million? Yeah, it's 1 million. All right, that's going to be our quarantine rule; it doesn't take effect yet until I actually tie it to a policy, but this is where we define those conditions, those rules, and then we tie it to a policy afterwards. Now we're going to do the unquarantine rule; we're going to also group that with pxGrid, and then we're going to do: a connection event occurs, and let's go ahead and... I created a fun little webpage that essentially is going to be our mitigation page, and just to show you what that looks like, you can essentially do it any way you want in your lab, but I might have to pause and change the rules on this. Make sure I can access the... let's see, /remediate, perfect. That's going to be the Snort remediation, but in reality this could be going to a page that does something like a remote scan of the desktop or the device and makes sure that the endpoint has been cleaned of viruses or malware, but this is just kind of my demonstration right here, just to give you the idea of the possibilities.

You know, there are a lot of things you can quarantine on, not just one SID rule; one of the cool things is just the flexibility of how many different ways you can figure out auto-remediation. So for example, I can say a malware event occurs and it meets... you know, it's an endpoint-based malware detection and the event type was quarantine failed, so something that's obviously on your network and it was not quarantined, so you want to prevent it from spreading to the rest of your network. That'd be a good use case to potentially quarantine something automatically. Or a retrospective network-based malware event: so what happens with that is, let's say something was downloaded originally and it was a file that was seen as clean or unknown, but later on it's determined to be malware, or the sandbox, after seven or ten minutes, officially declares it as a malicious piece of software. Well, it can block all future downloads, but what happens to the person that already downloaded it? So if AMP for Endpoints gets it, that would be amazing if you have it, but if you don't, you still want to control your risk, so you'd have that ability to kind of quarantine that endpoint and, you know, redirect them maybe to a splash page saying go ahead and remediate here.

So let's go ahead and tie these rules to a policy really quickly. So the first one is going to be our quarantine policy, which we're going to create here, and I'm going to call this quarantine; I'm very creative with names, as you can tell. We're going to add the rule, which is going to be the rule that we created before, so it's the quarantine rule. Add that, and we're going to tie this little button right here that says Responses; it's going to be quarantine by source IP. Now we're going to save that and we can enable it. Then we're going to go ahead and create our unquarantine policy, and let's add that rule, unquarantine, and go ahead and add that response, click Save, and enable it.

Now the next thing I want to do is alter my policies in ISE really quickly and make sure that my quarantine result is going to allow them to get to that webpage to remediate. So let's go ahead and go to... I think the special quarantine one... let's see what I have configured. So if you guys watched the previous video, I basically added... there we go, I don't have one specifically, so let's go ahead and create one. So you have to create a global exception, and I put Session EPSStatus equals Quarantine, or Session ANCPolicy equals Quarantine, and then edit it: Deny Access. I'm going to get a little bit better than that; I'm going to go ahead and create a special one, a result that allows them access to get an IP address, DNS, and go to the remediation page and nothing else. I'm lazy, so I'm going to go ahead and just copy from my existing ACL really quickly, so let's go back here. Okay, add... actually, permit tcp any host 10.95.61.71 eq 80, deny ip any any. Check the dACL syntax; dACL is valid. Let's go ahead and go up here and create our quarantine... add the dACL, click Submit, and go back to Policy Sets. Let's go ahead and change that really quickly to quarantine, done, save. All right, let's wait for the magic to happen.

So let's go to Analysis > Correlation Events; we're going to have to watch this happen. So first things first, I'm going to go ahead and sign into my endpoint, get on the network, and I'm going to ping that endpoint, so let's see, make sure over here pxGrid Services, everything is looking good, perfect, and I think I'm still getting postured, so we'll wait for that to finish. Okay, so I'm going to make sure my network proxy doesn't get in the way and try to redirect me to anything, so it's just http://10.95.61.71/remediate.mht. I'm not going to go there yet; first I'm going to get myself kicked off the network. Let's see how long it takes. Three pings and I'm gone. What happened? Quarantined, nice! All right, so let's go ahead and unquarantine me, and if you want to see what it looks like over here, let's go ahead and get these events refreshed; hold on a second, just refresh. Now there we go: you see there an endpoint gets quarantined and we hit that rule. So let's go ahead and unquarantine me, because I should have just enough access to go here and nothing else. Come on, Snort, save my bacon. Foiled by Internet Explorer being glitchy; this is why we call it Internet Exploder, folks. You won't have seen the remediation yet; we're waiting for Internet Exploder to do its thing. Restart the program, because Internet Explorer is kind of sucking. Firepower doesn't see anything yet, probably because it hasn't even tried. Okay, let's try this again; as I said, I'm running it a little bit hot in my lab, I don't even want to look at the statistics for CPU utilization right now. Yay, Snort saved my bacon! Now let's see if I have network access again; give it a second; still not unquarantined. Might need to change around the rules a little bit, but that's okay.

Let's go back to Policies > Correlation, let's go to the Rule Management really quickly, pxGrid, unquarantine rule. Okay, let's say it just contains a string, remediate, and let's save; general for most purposes, but I just want to make sure it snags so we can view it remediating. So I'm going to hit copy; I'm going to clear the cache really quickly, because I don't want it to go to the same page: delete browsing history, just kill everything. All right, let's see if this will knock it off, knock the rule off this time. Can't see; go over to Analysis > Correlation Events; not yet, that's fine. Let's go ahead and play around with this a little bit more; apologies for making everyone watch me troubleshoot live, but I probably messed something up, full disclosure, but that's okay. So I'm quarantined; let's go ahead and make it a little more specific then: URL contains http://10.95.61.71/remediate.mht. Let's just double-check that in our browser, yep, fine, save. It's enabled; quarantine is there, so let's make sure that we snag it this time. Let's try it over here. This time it hit it; I guess it just needed to get more specific. Unquarantine happened, and I went back to client provisioning, which is essentially gaining access to the network, my pre-posture state, and I should be compliant now. So thank you guys for watching, I hope you guys enjoyed this. I was sweating a little bit when it didn't remediate, but I'm glad we finally figured it out. Thank you so much for watching.
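The quarantine dACL the video types into ISE (permit HTTP to the remediation page, deny everything else) can be checked offline before it is pushed. The following Python is an added example, not code from the video or from Cisco: it parses the ACE forms the video uses and evaluates sample flows against them, first match wins, implicit deny at the end. The DHCP and DNS lines are assumed (the video copies them from an existing ACL without reading them out), and the remediation host IP is as spoken in the video.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Quarantine dACL as typed in the video (constructed sample); the DHCP and DNS lines are
# assumed, since the video copies them from an existing ACL without reading them out.
QUARANTINE_DACL = """
permit udp any any eq 67
permit udp any any eq 53
permit tcp any host 10.95.61.71 eq 80
deny ip any any
"""

class Ace(NamedTuple):
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network  # "any" -> 0.0.0.0/0, "host X" -> X/32
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port

# Only the ACE shapes used in the video: <permit|deny> <proto> <src> <dst> [eq <port>]
ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp|icmp)\s+(any|host\s+\S+)\s+(any|host\s+\S+)"
    r"(?:\s+eq\s+(\d+))?$"
)

def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network("0.0.0.0/0" if token == "any" else token.split()[1] + "/32")

def parse_dacl(text: str) -> list:
    """Parse dACL text; raise ValueError on the first line this grammar rejects."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"invalid ACE syntax: {line.strip()!r}")
        action, proto, src, dst, port = m.groups()
        aces.append(Ace(action, proto, _net(src), _net(dst), int(port) if port else None))
    return aces

def evaluate(aces: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

def check_quarantine_dacl(text: str = QUARANTINE_DACL) -> dict:
    """Verdicts for the flows a quarantined endpoint (constructed 10.95.61.50) may attempt."""
    aces = parse_dacl(text)
    ep = "10.95.61.50"
    return {
        "dhcp": evaluate(aces, "udp", ep, "255.255.255.255", 67),
        "dns": evaluate(aces, "udp", ep, "10.95.61.10", 53),
        "remediation_http": evaluate(aces, "tcp", ep, "10.95.61.71", 80),
        "remediation_https": evaluate(aces, "tcp", ep, "10.95.61.71", 443),
        "other_host_http": evaluate(aces, "tcp", ep, "10.95.61.72", 80),
        "icmp": evaluate(aces, "icmp", ep, "10.95.61.71"),
    }
```

Only the numeric `eq <port>` form is accepted, so a line like `permit tcp any any eq http` is reported as a syntax error rather than silently ignored.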
Info
Channel: Cisco ISE - Identity Services Engine
Views: 4,474
Keywords: ise, security, rtc, cisco, firepower, fireandise
Id: ZRs9nka8y5A
Length: 40min 34sec (2434 seconds)
Published: Fri Mar 31 2017