ADVANCED MALWARE PROTECTION
Cisco provides advanced malware protection (AMP) capabilities for endpoint and network security devices. In the following sections, we will look at the details about AMP for Endpoints and the integration of AMP in several Cisco security products.
AMP FOR ENDPOINTS
Numerous antivirus and antimalware solutions on the market are designed to detect, analyze, and protect against both known and emerging endpoint threats.
The following are the most common types of malicious software:
1. Computer virus
3. Mailer or mass-mailer worm
4. Logic bomb
5. Trojan horse
6. Back door
10. Key logger
The following are just a few examples of the commercial and free antivirus software options available today:
2. AVG Internet Security Bitdefender Antivirus Free.
3. ZoneAlarm PRO Antivirus+, ZoneAlarm PRO Firewall, and ZoneAlarm Extreme Security
4. F-Secure Anti-Virus
5. Kaspersky Anti-Virus
6. McAfee AntiVirus
7. Panda Antivirus
8. Sophos Antivirus
9. Norton AntiVirus
11. Immunet AntiVirus
Personal firewalls and host intrusion prevention systems (HIPSs) are software applications that you can install on end-user machines or servers to protect them from external security threats and intrusions. The term personal firewall typically applies to basic software that can control Layer 3 and Layer 4 access to client machines.
HIPS provides several features that offer more robust security than a traditional personal firewall, such as host intrusion prevention and protection against spyware, viruses, worms, Trojans, and other types of malware.
Today, more sophisticated software makes basic personal firewalls and HIPS obsolete. For example, Cisco Advanced Malware Protection (AMP) for Endpoints provides granular visibility and control to stop advanced threats missed by other security layers.
Cisco AMP for Endpoints takes advantage of telemetry from big data, continuous analysis, and advanced analytics provided by Cisco threat intelligence to be able to detect, analyze, and stop advanced malware across endpoints.
AMP FOR NETWORKS
Cisco AMP for Networks provides next-generation security services that go beyond point-in-time detection. It provides continuous analysis and tracking of files and also retrospective security alerts so that a security administrator can take action during and after an attack. The file trajectory feature of Cisco AMP for Networks tracks file transmissions across the network, and the file capture feature enables a security administrator to store and retrieve files for further analysis.
The network provides unprecedented visibility into activity at a macro-analytical level. However, to remediate malware, in most cases you need to be on the host. This is why AMP has the following connectors: AMP for Networks, AMP for Endpoints, and AMP for Content Security Appliances.
You can install AMP for Networks on any Cisco Firepower security appliance right alongside the firewall and IPS; however, there are dedicated AMP appliances as well. When it comes down to it, though, AMP appliances and Firepower appliances are actually the same.
They can all run all the same services. Are you thoroughly confused? Stated a different way, Cisco AMP for Networks is the AMP service that runs on the appliance examining traffic flowing through a network. It can be installed in a standalone form or as a service on a Firepower IPS or even a Cisco ASA with FirePOWER Services.
AMP for Networks and all the AMP connectors are designed to find malicious files, provide retrospective analysis, illustrate trajectory, and point out how far malicious files may have spread.
The AMP for Networks connector examines, records, tracks, and sends files to the cloud. It creates an SHA-256 hash of the file and compares it to the local file cache. If the hash is not in the local cache, it queries the Firepower Management Center (FMC). The FMC has its own cache of all the hashes it has seen before, and if it hasn’t previously seen this hash, the FMC queries the cloud. Unlike with AMP for Endpoints, when a file is new, it can be analyzed locally and doesn’t have to be sent to the cloud for all analysis. Also, the file is examined and stopped in flight, as it is traversing the appliance.
AMP can also provide retrospective analysis. The AMP for Networks appliance keeps data from what occurred in the past. When a file’s disposition is changed, AMP provides an historical analysis of what happened, tracing the incident/infection. With the help of AMP for Endpoints, retrospection can reach out to that host and remediate the bad file, even though that file was permitted in the past.
FIREPOWER MANAGEMENT CENTER
Cisco Firepower Management Center (FMC) provides a centralized management and analysis platform for the Cisco NGIPS appliances, the Cisco ASA with FirePOWER Services, and Cisco FTD. It provides support for role-based policy management and includes a fully customizable dashboard with advanced reports and analytics. The following are the models of the Cisco FMC appliances:
■ FS750: Supports a maximum of ten managed devices (NGIPS or Cisco ASA appliances) and a total of 20 million IPS events.
■ FS2000: Supports a maximum of 70 managed devices and up to 60 million IPS events.
■ FS4000: Supports a maximum of 300 managed devices and a total of 300 million IPS events.
■ FMC virtual appliance: Allows you to conveniently provision on your existing virtual infrastructure. It supports a maximum of 25 managed devices and up to 10 million IPS events.
INTRUSION DETECTION SYSTEMS AND INTRUSION PREVENTION SYSTEMS
Intrusion detection systems (IDSs) are devices that detect (in promiscuous mode) attempts from an attacker to gain unauthorized access to a network or a host, to create performance degradation, or to steal information. They also detect distributed denial-of-service (DDoS) attacks, worms, and virus outbreaks.
Intrusion prevention system (IPS) devices, on the other hand, are capable of not only detecting all these security threats, but also dropping malicious packets inline. IPS devices may be initially configured in promiscuous mode (monitoring mode) when you are first deploying them in the network. This is done to analyze the impact to the network infrastructure. Then they are deployed in inline mode to be able to block any malicious traffic in your network.
A few different types of IPSs exist:
1. Traditional network-based IPSs (NIPSs)
2. Next-generation IPS systems (NGIPSs)
3. Host-based IPSs (HIPSs)
Examples of traditional NIPSs are the Cisco IPS 4200 sensors and the Catalyst 6500
IPS module. These devices have been in the end-of-life (EoL) stage for quite some time.
Examples of Next-Generation IPS (NGIPSs) are the Cisco Firepower IPS systems.
The Cisco ASA 5500 Series FirePOWER Services provide intrusion prevention, firewall, and VPN services in a single, easy-to-deploy platform. Intrusion prevention services enhance firewall protection by looking deeper into the flows to provide protection against threats and vulnerabilities. The Cisco Firepower Threat Defense (FTD) provides these capabilities in a combined software package.
NEXT-GENERATION INTRUSION PREVENTION SYSTEMS
As a result of the Sourcefire acquisition, Cisco expanded its NGIPS portfolio with the following products:
Cisco Firepower 8000 Series appliances: These high-performance appliances running Cisco FirePOWER Next-Generation IPS Services support throughput speeds from 2 Gbps up to 60 Gbps.
Cisco Firepower 7000 Series appliances: These appliances comprise the base platform for the Cisco FirePOWER NGIPS software. The base platform supports throughput speeds from 50 Mbps up to 1.25 Gbps.
Virtual next-generation IPS (NGIPSv) appliances for VMware: These appliances can be deployed in virtualized environments. By deploying these virtual appliances, security administrators can maintain network visibility that is often lost in virtual environments.
CISCO FTD FOR CISCO INTEGRATED SERVICES ROUTERS (ISRS)
The Cisco FTD can run on Cisco Unified Computing System (UCS) E-Series blades installed on Cisco ISR routers. Both the FMC and FTD are deployed as virtual machines. There are two internal interfaces that connect a router to a UCS E-Series blade.
On ISR G2, Slot0 is a Peripheral Component Interconnect Express (PCIe) internal interface, and UCS E-Series Slot1 is a switched interface connected to the backplane Multi Gigabit Fabric (MGF). In Cisco ISR 4000 Series routers, both internal interfaces are connected to the MGF.
A hypervisor is installed on the UCS E-Series blade, and the Cisco FTD software runs as a virtual machine on it. FTD for ISRs is supported on the following platforms:
1. Cisco ISR G2 Series: 2911, 2921, 2951, 3925, 3945, 3925E, and 3945E
2. Cisco ISR 4000 Series: 4331, 4351, 4451, 4321, and 4431
CISCO FIREPOWER THREAT DEFENSE, 4100 AND 9300 SERIES
The Cisco Firepower Threat Defense (FTD) is unified software that includes Cisco ASA features, legacy FirePOWER Services, and new features. FTD can be deployed on Cisco Firepower 4100 and 9300 appliances to provide next-generation firewall (NGFW) services.
In addition to being able to run on the Cisco Firepower 4100 Series and the Firepower 9300 appliances, FTD can also run natively on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. It is not supported in the ASA 5505 or the 5585-X. FTD can also run as a virtual machine (Cisco Firepower Threat Defense Virtual, or FTDv).
CISCO FIREPOWER 4100 SERIES
The Cisco Firepower 4100 Series appliances are next-generation firewalls that run the Cisco FTD software and features. There are four models:
1. Cisco Firepower 4110, which supports up to 20 Gbps of firewall throughput
2. Cisco Firepower 4120, which supports up to 40 Gbps of firewall throughput
3. Cisco Firepower 4140, which supports up to 60 Gbps of firewall throughput
4. Cisco Firepower 4150, which supports over 60 Gbps of firewall throughput
All of the Cisco Firepower 4100 Series models are one rack-unit (1 RU) appliances and are managed by the Cisco Firepower Management Center.
CISCO FIREPOWER 9300 SERIES
The Cisco Firepower 9300 appliances are designed for very large enterprises or service providers. They can scale beyond 1 Tbps and are designed in a modular way, supporting Cisco ASA software, Cisco FTD software, and Radware DefensePro DDoS mitigation software. Radware DefensePro DDoS mitigation software is provided by Radware, a Cisco partner.
Radware’s DefensePro DDoS mitigation software provides real-time analysis to protect the enterprise or service provider infrastructure against network and application downtime due to distributed denial of service (DDoS) attacks.