Cisco Firepower

I’ve been working with Cisco Firepower / Firesight for about a year now and still have a lot to learn. I am sure we are only using fractions of what it can do, but it’s an interesting way to watch what is happening on the network.

The thing that has surprised me the most though, is how little it finds. Part of this is the nature of my user base. They aren’t doing a lot of web surfing and if they are it’s all major social networks. I work with the assumption that I always have at least one compromised device on the network, but if that’s the case, so far they are very subtle.

Additionally, the moment we see some unusually behavior on a user’s computer, we just swap their drive. The way we deploy, this is very easy to do. I’ve never been comfortable ‘cleaning’ a drive, preferring to just re-format and install. Since we can clone a drive very quickly off a base image and users files are stored on the server, it’s not a big deal. Someday maybe we can do this via SCCM, but for now…

Back to the topic. What I find most useful is the ability to search traffic history for an IP. This really helps with troubleshooting application and network problems.

The other feature that has been a real win is the geographic firewalling. This sort of feature is never perfect and we have to create some exceptions, but limiting outbound traffic by default to USA/Canada has been very useful.

Most of what it finds as far as IDS is false positives, things that violate http protocol, but nothing nefarious. It’s a nice add on feature to the ASA though, where I can create basic business access rules with the ASA, but add additional deep inspection to block specific applications.

This summer we will be adding SSL decrypt inspection for some traffic which has it’s own risks and rewards. This needs to happen for some traffic flows to make sure that there is nothing embedded in an encrypted URL.

We don’t have the URL Filtering feature licensed right now, but I am likely adding this. This combined with GeoIP will make our network more secure. This way I can limit a subnet to only connect to certain sites like windows update, but block all other traffic.

One tip I can give on the GeoIP though, beware office 365. It seems some Office 365 features are hosted internationally, I’m assuming for licensing reasons, so you will have to open up some areas outside the USA if you use Office 365. There are hundreds of IP blocks, so manual overrides are challenging, though URL wildcards may work if you have that feature.