Archive

Category Archives for "Networking"

Firepower Access Control Policies

The Firepower ecosystem is a powerful NGIPS/NGFW solution. At the heart of the configuration construct is what is known as the Access Control Policy. A useful comparison is the much simpler filtering feature in the ASA. An ASA’s access-list (ACL) has multiple access-control entries (ACEs). Each of these entries can refer to object-groups, networks, and protocols and can apply a permit or deny action.

The Access Control Policy in Firepower is a similar concept, but there are many additional facets that are pulled together to provide a more comprehensive policy application mechanism. This article only covers the major areas of this policy control construct. Some items are beyond its scope, including variable sets and manipulating the behavior of HTTP response pages.

Specific to the policy application, there are two main areas of the Access Control Policy. The first area is what is known as Security Intelligence. In the policy, this is found on the second tab from the left and provides a framework for blacklisting. Many feeds are provided directly from Cisco’s Talos organization and are ready for consumption by the security policy.

The action for each feed that is Continue reading

Special Pre-Prime Discount on Jaybird X2 Sport Wireless Bluetooth Headphones – Deal Alert

With a regular list price of $149.99, the Jaybird X2 Sport is now available with a 45% discount for this pre-Prime Day deal. Features include: Premium Bluetooth Audio For Skip-Free Music Outdoors; 8 Hours of Music + Calls With Complete Remote Controls; Secure Over/Under-Ear Fit Options; Lifetime Sweatproof Warranty; Includes Comply Premium Sport Memory Foam Ear Tips, Patented Secure-Fit Ear Fins, Friction-Fit Silicone Sport Carrying Case, Silicone Ear Tips, Charging Cable & Cord Management Clips. Jump to Amazon now for additional details, and to explore buying options.

$30 off Lumo Lift Posture Coach, Today Only – Deal Alert

If your posture needs to be improved, this deal may be worth your consideration. With Lumo Lift, get gentle vibrational reminders for your posture whenever you slouch. Track your posture hours, steps taken, distance travelled and calories burned through the companion iOS, Android or Windows Desktop Lumo Lift app. For today only, Amazon is discounting the Lumo Lift posture coach by $30, making it available for just $50. It currently averages 4 out of 5 stars from over 1,900 customers (read reviews). Take advantage of today's deal on Amazon right now.

Omni Hotels was hit by point-of-sale malware

Omni Hotels & Resorts has reported that point-of-sale systems at some of its properties were hit by malware targeting payment card information. The attack on the systems of the luxury hotel chain follows similar breaches of point-of-sale systems at various hotels and retailers like Hyatt Hotels, Target, Starwood Hotels & Resorts Worldwide and Hilton Worldwide Holdings. Omni in Dallas, Texas, said in a statement Friday that on May 30 this year, it discovered it was hit by malware attacks on its network, affecting specific POS systems on-site at some of its properties. “The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date,” Omni said. There isn’t evidence that other customer information, such as contact information, Social Security numbers or PINs, was compromised, it added.


Houston, we have code!

Did you know that the computer that coordinated the Apollo 11 mission that landed on the moon, the Apollo Guidance Computer, had about 0.08 percent of the processing power of an iPhone 5s? That it had just 2K of RAM and ran at 1.024MHz and its external signaling ran at 512kHz? That it had only four 16-bit registers and 32KB of storage? Despite having so little power, the AGC guided the Apollo 11 mission across more than 221,000 miles of space to land on the moon then brought them back again. Amazing. And check out the AGC's user interface:

I hunted Pokemon by two of the world’s most famous landmarks and all I caught was a lousy Zubat

If you’ve not seen it, the new Pokemon Go mobile game lets you walk around town interacting with local landmarks via your phone’s screen. You’ll likely find plaques, artworks and other local facts about where you live and work that you never knew existed. And then, every once in a while, a wild Pokemon will appear on the ground next to you (it’s invisible but you can see it on your phone’s screen) and you’ve gotta catch it by flicking Pokeballs at it. There are some exotic Pokemon and many boring ones. Perhaps I was hoping for too much when I stood beneath Sydney’s iconic Harbour Bridge, looking out across the water to the enormously-famous Sydney Opera House only to be notified that the wild Pokemon that had appeared was this.

Performance Review of Overlay Tunnels with Open vSwitch

In my previous article I presented various encapsulation techniques used to extend Layer 2 reachability across separate networks using tunnels created with Open vSwitch. Although the initial intention was to include some iperf test results, I decided to leave these for a separate post (this one!) because I hit a few problems.

Cayenne, how to manage a frustration of IoT devices

Collective nouns are fascinating. You start with the basics — a flock of seagulls, a herd of buffalo, a school of fish, an army of ants — then you move on to the more interesting ones — a lodge of beaver, a mob of kangaroos, a warren of rabbits, a covey of grouse. Now we come to the truly great collective nouns: An unkindness of ravens, a murder of crows, a parliament of owls, an implausibility of gnus, an ambush of tigers, and a descent of woodpeckers. We also have collective nouns for things: A box of crayons, a pad of paper, and so on. There are also the invented collective nouns; a purchase of senators, a deficit of economists, a shortage of dwarves, and for all you GoT fans, a weyr of dragons (okay, so that was made up by Anne McCaffrey but it works even better for GoT).

Bugs & Bugs: As in, the software kind — and insects

Network World this past Friday afternoon launched the alpha version of our possibly regular new Facebook Live stream dubbed Bugs & Bugs, as in the software kind and actual insects. I've joined forces with our resident IT security expert, Tim Greene, who handles the software bugs side of things. I, an amateur entomologist, take charge of the insect news. Perhaps surprisingly, there is no shortage of either. Between Tim checking out the new Stuxnet documentary Zero Days and reviewing new research from New York University and others to help reduce software bugs, and me catching up on the Gypsy Moth invasion and a cyborg locust, we had no shortage of material.


Hacker claims to have breached Amazon server, dumped data on nearly 84,000 Kindle users

After a person claiming to be a security researcher “declared war on the Baton Rouge police” and took credit for the data breach after the shooting death of Alton Sterling, he took aim at Amazon. In a Twitter direct message, hacker @0x2Taylor told Mic that he and a buddy “’breached a server’ owned by Amazon that contained database files with more than 80,000 Kindle users’ information.”


CCIE DCv2 Techtorial @ Cisco Live US 2016

This morning I’m in Las Vegas for Cisco Live 2016, and am attending TECCCIE-3644 – CCIE DC Techtorial which focuses on the new CCIE Data Center v2 updates.

I’m live blogging the session so please feel free to submit your questions for the CCIE team as a comment here and I’ll try to get an answer for you.

Slides from the session are available here.


Update 6 – 13:55PDT - UCS will be running 3.x, not 2.x as currently listed on the blueprint.


Update 5 – 11:30PDT - Starting Storage Networking now. Interested to see what the scope is going to be now with the MDSes removed and the N9K’s added.


Update 4 – 09:15PDT - One major format change for the CCIE DCv2 Lab Exam is the introduction of the Diagnostics section, similar to other tracks such as RSv5. Here are some highlights and demo questions illustrating the format of the Diag section.

  • Diag section consists of one or more independent Tasks.
  • Each Task can have one or more Questions.
  • Questions are typically 1 point apiece, but could be 2 or 3 points.
  • Each Question within a task is graded individually. It is possible to get Task Continue reading

Pseudowire Headend Termination (PWHT) For Juniper MX

I’ve been doing quite a lot of MX BNG stuff this year, so I thought I’d run through another quite flexible way of terminating broadband subscribers onto a Juniper MX router.

The feature is called Pseudowire headend termination, “PWHT”, or simply Pseudowire head-end, “PWHE”, depending on whether you work for Cisco or Juniper, but it essentially solves a relatively simple problem.

In traditional broadband designs – especially in DSL “FTTC” or Fibre Ethernet “FTTP” – we’re used to seeing large numbers of subscribers, connecting into the ISP edge at layer-2 with PPPoE or plain Ethernet. This is normally performed with VLANs, either via an MSAN (DSL/FTTC) or, as is the case with Ethernet FTTP subscribers, a plain switched infrastructure or some form of passive-optical (PON/GPON) presentation:

 


These subscribers then terminate on a BNG node on the edge of the network, which would historically have been a Cisco 7200, GSR10k, Juniper ERX or Redback router, which essentially bridges the gap between the access network and the internet.

For very large service providers with millions of subscribers this sort of approach normally works well, because their customer base is so large; it makes sense for them to provision a full-size BNG node Continue reading

Saving Money with IOT Water Heater

About six months ago I installed an Energy Efficient water heater. This unit is what is known as a heat pump water heater. For those not familiar with refrigeration, this works by moving heat instead of creating heat. By contrast, traditional electric water heaters use resistance coils to heat the water. This new unit also has traditional coils that can be used for high demand or high temperature settings as well.

I guess by now everyone is wondering what this has to do with the topics we discussed at PacketU. To better understand the relationship, you can see that this water heater is also connected to the Internet. The primary reasons I wanted to connect it to the Internet were to schedule the modes around my family’s usage patterns and control vacation mode from a mobile phone. When purchasing this unit I was quite skeptical and was concerned about transitioning from a simple conventional model to a model that literally has moving parts.

I wanted to follow up and share my experience and why I now believe this was a good decision. I have been tracking my energy usage since installation and the results are promising. Without changing any other habits Continue reading

Firepower Indications of Compromise

Several days ago I wrote an article about Firepower Sinkhole rules. While I was confirming this in a lab, I temporarily created a custom DNS sinkhole rule. That rule classified requests for temp.packetu.com as Command and Control and returned an IP address of 1.1.1.1. What I later noticed is that this caused my laptop to be classified with an IOC.

Indications of Compromise (IOCs) can be thought of as reasons why Firepower Management Console believes a host cannot be trusted or is otherwise affected by malware. These can be found in multiple places in the UI. I find the Context Explorer to be a good middle ground for most SecOps team members and a good place to notice whether current IOCs exist.

My network is rather simple and I only currently have one IOC. In any case, I can use the Context Explorer to launch the host information for the impacted host.

IOC Context Explorer

Once the Host Profile screen is launched, I can get a little more information about the activity that causes Firepower to believe that this is a compromised host.

IOC Host Profile

Also notice that there is a garbage can icon to the right of the Indication of Compromise that was Continue reading