{"id":1223,"date":"2022-02-03T14:32:58","date_gmt":"2022-02-03T11:32:58","guid":{"rendered":"https:\/\/wiki.volu-t.ru\/?p=1223"},"modified":"2022-02-03T14:33:27","modified_gmt":"2022-02-03T11:33:27","slug":"which-ips-rules-does-cisco-enable-on-your-firepower-system-think-you-know-youre-probably-wrong","status":"publish","type":"post","link":"https:\/\/wiki.m-network.ru\/?p=1223","title":{"rendered":"Which IPS Rules does Cisco Enable on your Firepower System? Think you know? You\u2019re probably wrong!"},"content":{"rendered":"\n<p>So, think you know what IPS rules are enabled on your Firepower system, and do you feel comfortable with Cisco\u2019s defaults and sleep well at night? This blog may just start keeping you up at night!<\/p>\n\n\n\n<p>A couple weeks ago I was training\/consulting at a very large school district outside of Columbus, Ohio. They have all 9300 NGFW\u2019s to cover hundreds of thousands of students, so I immediately got to work on tuning these already configured systems, which a consulting company installed for them. They called me because their 10Gig links were saturated and they couldn\u2019t find the problem, and also wanted additional training on their Firepower\/FTD systems.<\/p>\n\n\n\n<p>What I found upon arrival was the basic defaults of&nbsp;<strong>Balanced Security and Connectivity<\/strong>&nbsp;as their IPS policy, but worse, the consultants disabled the Security Intelligence (SI) completely saying it would bring down the network. That\u2019s not true obviously, and the SI was a quick fix.<\/p>\n\n\n\n<p><strong>Question:<\/strong>&nbsp;Was their network secure because they had Cisco Firepower 6.3 code and the Cisco recommended IPS rules enabled on their systems? 
Is&nbsp;<em>your<\/em>&nbsp;network secure by being configured this same way?<\/p>\n\n\n\n<p>Let\u2019s start by answering that question, and then I\u2019ll circle back to how a Cisco FTD 9300 was brought to its knees (never seen that before!), and how I solved this customer\u2019s issues.<\/p>\n\n\n\n<p>If you follow Cisco\u2019s recommendations, your system will have both the IPS and NAP policies set to&nbsp;<strong>Balanced Security and Connectivity<\/strong>. Sounds reasonable, but will it protect you? Let\u2019s take a look:<\/p>\n\n\n\n<p>First, create a policy, and then choose to Create and Edit Policy:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"458\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/create-IPS-1024x458.jpg\" alt=\"\" class=\"wp-image-1224\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/create-IPS-1024x458.jpg 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/create-IPS-300x134.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/create-IPS-768x343.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/create-IPS-150x67.jpg 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/create-IPS.jpg 1094w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Notice the Drop when Inline checkbox and the default Base Policy. When you\u2019re first bringing up your system, the IPS policy needs to be tuned. I typically disable the Drop when Inline checkbox so the rules can be tweaked for the environment without dropping any traffic in the meantime. After a period of time (different for each network), I\u2019ll enable Drop when Inline and start dropping the bad traffic. 
However, let\u2019s just concentrate on the Base Policy shown.<\/p>\n\n\n\n<p>To understand what this does, start by going into your IPS policy (or policies), scroll down to the Cisco base policy, then click on Rules:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" width=\"619\" height=\"679\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/scroll-down.jpg\" alt=\"\" class=\"wp-image-1225\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/scroll-down.jpg 619w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/scroll-down-273x300.jpg 273w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/scroll-down-137x150.jpg 137w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/scroll-down-300x329.jpg 300w\" sizes=\"(max-width: 619px) 100vw, 619px\" \/><\/figure>\n\n\n\n<p>Now open the Rule Content in the Rule accordion and\u00a0scroll down to\u00a0<strong>Rule Overhead<\/strong>\u00a0as shown:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" width=\"1023\" height=\"720\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/rule-overhead-1.jpg\" alt=\"\" class=\"wp-image-1226\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/rule-overhead-1.jpg 1023w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/rule-overhead-1-300x211.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/rule-overhead-1-768x541.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/rule-overhead-1-150x106.jpg 150w\" sizes=\"(max-width: 1023px) 100vw, 1023px\" \/><\/figure>\n\n\n\n<p>What the arrows show is which rules are enabled by default with each policy \u2013 click on each Overhead (Low, Medium, High, and Very High) to see which are enabled and disabled. &nbsp;I am not making this up: Cisco\u2019s way of choosing which rules are enabled is&nbsp;<em>only<\/em>&nbsp;decided by&nbsp;<strong>Rule Overhead<\/strong>. 
They should just change the Overhead names from Low to&nbsp;<strong>Connectivity over Security<\/strong>, from Medium to&nbsp;<strong>Balanced Security and Connectivity<\/strong>, and High to <strong>Security over Connectivity<\/strong>, and make it easier on us. (Reality check here: it\u2019s unlikely they use overhead only to make a rule determination, but there is no documentation to say otherwise [yet], so here we are.)<\/p>\n\n\n\n<p>For example, to demonstrate what I am saying: if you choose the useless\u00a0<strong>Connectivity over Security<\/strong>\u00a0base policy, then only the\u00a0<strong>Low Overhead<\/strong>\u00a0rules are enabled as shown below, or about 500 rules, with all other 35,000+ rules disabled:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"310\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/low-overhead-1024x310.jpg\" alt=\"\" class=\"wp-image-1227\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/low-overhead-1024x310.jpg 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/low-overhead-300x91.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/low-overhead-768x232.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/low-overhead-1536x465.jpg 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/low-overhead-150x45.jpg 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/low-overhead.jpg 2000w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Next, the default of\u00a0<strong>Balanced Security and Connectivity<\/strong>\u00a0enables the<strong>\u00a0Low\u00a0<em>and<\/em>\u00a0Medium Overhead\u00a0<\/strong>rules, which\u00a0again, is Cisco\u2019s recommendation. Add up the Low and Medium Overhead rules, and that is the number of rules enabled. 
Period.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"354\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/balanced-total-rules-1024x354.jpg\" alt=\"\" class=\"wp-image-1228\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/balanced-total-rules-1024x354.jpg 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/balanced-total-rules-300x104.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/balanced-total-rules-768x266.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/balanced-total-rules-150x52.jpg 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/balanced-total-rules.jpg 1136w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>With\u00a0<strong>Balanced Security and Connectivity<\/strong>, the High and Very High Overhead rules are all disabled.<\/p>\n\n\n\n<p>Now understand that if you choose the\u00a0<strong>Security over Connectivity\u00a0<\/strong>policy, then the Low, Medium, and High rules are enabled, which gives us 15,493 enabled rules (in this example).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"313\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/SoC-1024x313.jpg\" alt=\"\" class=\"wp-image-1230\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/SoC-1024x313.jpg 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/SoC-300x92.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/SoC-768x235.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/SoC-150x46.jpg 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/SoC.jpg 1263w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>However, none of the three policies I\u2019ve mentioned would ever enable<strong>\u00a0Very High<\/strong>\u00a0overhead rules, which 
means that 21,498 rules are disabled by default.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"241\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/very-high-disabled-1024x241.jpg\" alt=\"\" class=\"wp-image-1231\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/very-high-disabled-1024x241.jpg 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/very-high-disabled-300x71.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/very-high-disabled-768x181.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/very-high-disabled-1536x361.jpg 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/very-high-disabled-2048x482.jpg 2048w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/very-high-disabled-150x35.jpg 150w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>If you double-click on any of these disabled rules, you can see they are Very High overhead.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" width=\"300\" height=\"88\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/very-high-disabled-300x88-1.jpg\" alt=\"\" class=\"wp-image-1232\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/very-high-disabled-300x88-1.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/very-high-disabled-300x88-1-150x44.jpg 150w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n\n<p>So if you are using the default IPS policy, you\u2019ll then ask yourself: \u201cBut what about this zero-day attack that is occurring, and the Cisco IPS rules that just downloaded automatically; these important rules must be enabled by Cisco, so I am safe and secure, yes?\u201d No, not unless all the rules imported are\u00a0<strong>Low and Medium Overhead<\/strong>. 
The\u00a0<strong>High and Very High Overhead<\/strong>\u00a0rules are imported to your system, but they are disabled by default, even if the rules are oh-so-important!<\/p>\n\n\n\n<h3><strong>So, how many rules do you have&nbsp;available?<\/strong><\/h3>\n\n\n\n<p>You can see the number of rules on your system by going to the Rules option (click any of them) in any policy with no filter, which is 37,426 in this example:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"243\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/rules-rules-ruls-1024x243.jpg\" alt=\"\" class=\"wp-image-1233\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/rules-rules-ruls-1024x243.jpg 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/rules-rules-ruls-300x71.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/rules-rules-ruls-768x182.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/rules-rules-ruls-1536x365.jpg 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/rules-rules-ruls-150x36.jpg 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/rules-rules-ruls.jpg 2000w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>By looking at the IPS policy summary, I have 10,514 rules enabled by default (the number of Low and Medium Overhead rules found on the system). This means over 25,000 rules are disabled.&nbsp;Cisco\u2019s reasoning for this default recommendation is that you need low latency. True, but my customer had $1.2M NGFWs that can easily handle tens of thousands of rules enabled! Even with 2110s you can enable thousands more and be just fine.<\/p>\n\n\n\n<p>You may be saying \u201cWell, Cisco knows what they are doing, and if they never enable a Very High Overhead rule, then neither shall I.\u201d<\/p>\n\n\n\n<p>Let\u2019s go take a look at something. 
Shown here is a Rule update that came into my FMC (Rules are released twice a week \u2013 Tuesdays and Thursdays, so on Wednesday and Friday mornings you should be checking these!).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"294\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/new-iups-download-1024x294.jpg\" alt=\"\" class=\"wp-image-1234\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/new-iups-download-1024x294.jpg 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/new-iups-download-300x86.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/new-iups-download-768x220.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/new-iups-download-1536x441.jpg 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/new-iups-download-150x43.jpg 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/new-iups-download.jpg 2000w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>In this example, seven rules changed, and 35 rules were added. Seems that if Cisco added these, they might be important. So why are the first four rules here disabled? Because they are not important? No, they are very important, they are just&nbsp;<strong>Very High Overhead<\/strong>.<\/p>\n\n\n\n<p>Is your network better off with&nbsp;<strong>Security over Connectivity<\/strong>&nbsp;as a base policy? Sure, but it can still be better. \u201cCan I just forget about it then\u201d, you ask? No, but you probably will, as most of my customers do. It\u2019s better to go in twice a week and look for the new downloaded rules and enable the&nbsp;<strong>Very High<\/strong>&nbsp;overhead rules you think are needed for your network. 
But again, most of my customers only do this for a few weeks after I leave; just like when you go to the gym the first two weeks of January\u2026you mean to go back to the gym, but hey, you\u2019re busy!<\/p>\n\n\n\n<h3><strong>Can My System Handle Security Over Connectivity (SoC)?<\/strong><\/h3>\n\n\n\n<p>There is a&nbsp;<strong><em>caveat<\/em><\/strong>&nbsp;here. If you have xx40\/50 (or the new 41x5\u2019s!) or even 9300 appliances, enabling another 5,000-6,000 rules by going from the Balanced policy to&nbsp;<strong>Security over Connectivity (SoC)<\/strong>&nbsp;should not cause you any issues, but maybe you just don\u2019t feel comfortable changing from Cisco\u2019s recommended settings because you know you\u2019ll never log in and check it.<\/p>\n\n\n\n<p>Regardless, there may be a use case for enabling the larger number of rules for a short time on any system without stressing or losing sleep, just to verify your data, then setting it back to Balanced if you feel this will lower your stress level.<\/p>\n\n\n\n<p>Understand that enabling a very large number of rules for the long term may not be a good idea, as you may see many of these rules ignored due to PPM (packet latency thresholding). 
This can be found in the\u00a0<strong>Advanced tab of your ACP<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"444\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/advanced-tab-1024x444.jpg\" alt=\"\" class=\"wp-image-1235\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/advanced-tab-1024x444.jpg 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/advanced-tab-300x130.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/advanced-tab-768x333.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/advanced-tab-1536x665.jpg 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/advanced-tab-150x65.jpg 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/advanced-tab.jpg 1886w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Since the PPM will make sure you don\u2019t have latency when you enable more rules, why not just turn all the rules on? Because you will not get complete inspection, and that\u2019s the key. You think you\u2019re getting better inspection, but in fact Snort is bypassing traffic to keep the latency low. Keep this in mind, especially when using lower-power systems.<\/p>\n\n\n\n<p><strong>Important TIP!<\/strong>&nbsp;Lastly, regarding enabling more rules: I always tell my customers that if you want to enable rules manually, that\u2019s great! &nbsp;But you also need a regular process, maybe once every 6 months, where you go back and disable the rules you don\u2019t need anymore.<\/p>\n\n\n\n<h3><strong>What about Firepower&nbsp;Recommendations?<\/strong><\/h3>\n\n\n\n<p>So, if you use Firepower Recommendations, first make sure your FTD box is inspecting North-South traffic (or don\u2019t use this at all!) or Firepower will probably disable most of \u00a0your rules. 
To match your SoC policy, go to the Advanced configuration and move the slider bar to High, so that the<strong>\u00a0Low, Medium\u00a0<em>and<\/em>\u00a0High Overhead<\/strong>\u00a0rules will be enabled, because as usual, only the Low and Medium rules are enabled by Firepower Recommendations.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"520\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/recomendations-1024x520.jpg\" alt=\"\" class=\"wp-image-1236\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/recomendations-1024x520.jpg 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/recomendations-300x152.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/recomendations-768x390.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/recomendations-1536x780.jpg 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/recomendations-150x76.jpg 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/recomendations.jpg 1609w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Although you can still make your network more secure, this is still a lot better than the defaults.<\/p>\n\n\n\n<h3><strong>But There is Still One More Setting: MAXIMUM DETECTION<\/strong><\/h3>\n\n\n\n<p>I know this is a long post, and most people will never read this far, but if you did, you might as well keep going now!<\/p>\n\n\n\n<p>The mostly unused&nbsp;<strong>Maximum Detection<\/strong>&nbsp;policy is an odd bird and must be tested on your network with Drop when Inline disabled for quite a while.<\/p>\n\n\n\n<p>(<strong>UPDATE<\/strong>: This policy was updated 5\/2\/19 and now has about 28k rules enabled, so I need to do a blog on just this policy soon.)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"310\" 
src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/02\/maximum-1024x310.jpg\" alt=\"\" class=\"wp-image-1237\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/maximum-1024x310.jpg 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/maximum-300x91.jpg 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/maximum-768x232.jpg 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/maximum-150x45.jpg 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/02\/maximum.jpg 1320w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This policy is the only one that enables&nbsp;<em>some<\/em>&nbsp;<strong>Very High Overhead<\/strong>&nbsp;rules; 5784 to be exact (as of this writing). However, it disables thousands of&nbsp;<strong>High Overhead<\/strong>&nbsp;rules that would normally be enabled with&nbsp;<strong>Security over Connectivity<\/strong>. I\u2019ve never used this policy in production, nor do I know any customers that have, but again, you can use this, but &nbsp;just test it \u2013 and then please let me know what happens!<\/p>\n\n\n\n<h3><strong>Saturated 9300<\/strong><\/h3>\n\n\n\n<p>Lastly, what about my customer in Ohio and the 9300 that was brought to its knees? Yes, once we moved the IPS policy to a base of&nbsp;<strong>Security over Connectivity<\/strong>, we found the problems they were having quickly. The IPS events started triggering about 6000 hits a minute after we deployed, and the CPU on the 9300 spiked to over 80% as it was trying to process all the IPS events. That\u2019s a LOT of high overhead events to do that to a 9300! 
The FTD 9300 was no longer passing data\u2026<strong>wow<\/strong>, not only have I never seen this, I\u2019ve never even heard of this!<\/p>\n\n\n\n<p>After we were able to do some analysis on the new IPS events (which got to over 100,000 in just a few minutes!), I had to verify these weren\u2019t false positives and then find the culprits. Drilling down, we found that their entire server farm was heavily infested with CnC\u2019s, and only the High Overhead rules found these CnC\u2019s. Those attacks were so well drilled into these servers that they each had thousands of connections, which would explain the bandwidth issue!&nbsp;We immediately started blacklisting these servers, and the CPU percentage dropped to less than 10% and the bandwidth saturation went from 80% to less than 20%!<\/p>\n\n\n\n<p>The customer feared that they had these attacks on their systems for possibly years\u2026 and what found them? It wasn\u2019t the Cisco default settings\u2026<\/p>\n\n\n\n<p>The customer had some serious issues on their servers to fix, but my job here was done.<\/p>\n\n\n\n<p>Original: https:\/\/www.lammle.com\/post\/which-ips-rules-does-cisco-enable-on-your-firepower-system-think-you-know-youre-probably-wrong\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So, think you know what IPS rules are enabled on your Firepower system, and do you feel comfortable with Cisco\u2019s defaults and sleep well at night? This blog may just start keeping you up at night! A couple weeks ago I was training\/consulting at a very large school district outside of Columbus, Ohio. 
They have ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.m-network.ru\/?p=1223\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[205,210,208],"tags":[],"_links":{"self":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts\/1223"}],"collection":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1223"}],"version-history":[{"count":2,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts\/1223\/revisions"}],"predecessor-version":[{"id":1239,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts\/1223\/revisions\/1239"}],"wp:attachment":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}