Introduction

This book covers Cisco next-generation network security products and solutions. It provides detailed guidance for designing, configuring, and troubleshooting the Cisco ASA with FirePOWER Services, Cisco next-generation IPS appliances, Cisco Web Security Appliance (WSA), and Cisco Email Security Appliance (ESA) with the new Advanced Malware Protection (AMP) integration, as well as the Cisco AMP Threat Grid malware analysis and threat intelligence and Cisco Firepower Management Center (FMC).

Who Should Read This Book?

This book is a comprehensive guide for any network and/or security professional who has deployed or is planning to deploy Cisco next-generation security products, including the Cisco ASA with FirePOWER Services, Cisco AMP for Networks and Endpoints, and Cisco next-generation IPS appliances (including Firepower). Any security professional who manages or configures Cisco Web Security Appliance (WSA) and Cisco Email Security Appliance (ESA) with the Advanced Malware Protection (AMP) solution will also benefit from this book.

How This Book Is Organized

This book is organized into 12 chapters. It starts with an overview of the Cisco next-generation network security products and then dives into design, configuration, and troubleshooting of the Cisco ASA FirePOWER Services module, Cisco AMP for Networks, Cisco AMP for Endpoints, Cisco AMP for Content Security, and Cisco next-generation IPS. This book also provides an overview of the Cisco AMP Threat Grid malware analysis and threat intelligence. The following are the chapters in this book:

• Chapter 1, “Fundamentals of Cisco Next-Generation Security”: This chapter starts with an introduction to the new security threat landscape and attack continuum. It then provides an overview of Cisco next-generation network security products, including the Cisco ASA next-generation firewalls and the FirePOWER module; next-generation intrusion prevention systems (NGIPS); an introduction to Advanced Malware Protection (AMP) for Endpoints and AMP for Networks; an overview of AMP Threat Grid; Cisco Email Security; Cisco Web Security; Cisco Identity Services Engine (ISE); Cisco Meraki Cloud Managed MDM and Security Appliances; and the Cisco VPN solutions.

• Chapter 2, “Introduction to and Design of Cisco ASA with FirePOWER Services”: This chapter covers design topics of the Cisco ASA with FirePOWER Services. It explains the inline versus promiscuous mode deployment and the Cisco ASA Firepower management options. This chapter also provides information about the Cisco ASA FirePOWER Services licensing structure and information about compatibility with other Cisco ASA features. It also covers the Cisco ASA Firepower packet processing order of operations, high-availability design topics, and how to deploy the Cisco ASA FirePOWER Services in the Internet edge, in the data center, and in different VPN scenarios.

• Chapter 3, “Configuring Cisco ASA with FirePOWER Services”: This chapter starts with instructions on how to perform the initial setup of the Cisco ASA FirePOWER module in Cisco ASA appliances. Then it provides step-by-step configuration guidance on how to redirect traffic to the Cisco ASA FirePOWER module, how to configure the Cisco ASA FirePOWER module using the Adaptive Security Device Manager (ASDM), and how to configure the Cisco ASA FirePOWER module for FireSIGHT Management.

• Chapter 4, “Troubleshooting Cisco ASA with FirePOWER Services and Firepower Threat Defense (FTD)”: This chapter provides tips on troubleshooting problems in the Cisco ASA and the FirePOWER Services module.

• Chapter 5, “Introduction to and Architecture of Cisco AMP”: This chapter introduces the Advanced Malware Protection solution, its architectural makeup, and types of clouds. It also provides a step-by-step walk-through for installing an AMP private cloud.

• Chapter 6, “Cisco AMP for Networks”: This chapter describes how AMP for Networks fits into the AMP architecture, along with the functions of AMP for Networks. It describes and walks through the configuration of malware and file policies for AMP for Networks.

• Chapter 7, “Cisco AMP for Content Security”: This chapter describes how AMP for Content Security fits within the AMP architecture. It describes the components and configuration of the File Reputation and File Analysis Services, along with the reporting for those services.

• Chapter 8, “Cisco AMP for Endpoints”: This chapter dives into Cisco AMP for Endpoints, custom detections, application control, AMP for Endpoints installation, and policy management for applicable operating systems (Windows, Mac, Linux, and Android). The chapter also reviews the usage of the AMP cloud console.

• Chapter 9, “AMP Threat Grid: Malware Analysis and Threat Intelligence”: AMP Threat Grid is a malware dynamic analysis engine integrated with Cisco AMP. This chapter presents the AMP Threat Grid deployment options, which include a cloud and an on-premises appliance solution. It summarizes the differences between the two and describes when an organization would choose one over the other. It also provides example snapshots of Threat Grid configuration options in the FMC.

• Chapter 10, “Introduction and Deployment of Cisco Next-Generation IPS”: This chapter presents next-generation IPS (NGIPS) and compares NGIPS to legacy IPS systems. It also describes some basic NGIPS deployment design options and locations based on an organization’s security requirements. This chapter then goes over common deployment considerations when designing an IPS deployment. Finally, it closes by going over the NGIPS deployment lifecycle that organizations should follow in order to maximize the benefits of an NGIPS deployment.

• Chapter 11, “Configuring Cisco Next-Generation IPS”: This chapter introduces the configuration options available in FMC. It presents policy configuration options, IPS rules, Snort, and NGIPS preprocessors and recommendations. It uses various snapshot images to portray the wealth of available configuration options and the intuitive feel of the FMC graphical interface. Finally, it describes performance settings and redundancy configurations. This chapter does not present the ASDM IPS configuration options, which are presented in Chapter 3.

• Chapter 12, “Reporting and Troubleshooting with Cisco Next-Generation IPS”: The last chapter of this book summarizes the Cisco NGIPS reporting and troubleshooting capabilities. It describes the analysis capabilities offered in FMC, which include intrusion events, custom reporting, incidents, alerting, and correlation policies. It then provides troubleshooting and health monitoring options that help administrators identify and find the root cause of potential issues in the system.

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference:

• Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

• Italics indicate arguments for which you supply actual values.

• Vertical bars ( | ) separate alternative, mutually exclusive elements.

• Square brackets [ ] indicate optional elements.

• Braces { } indicate a required choice.

• Braces within brackets [{ }] indicate a required choice within an optional element.
