Cisco Firepower Management Center 2000
Firepower System Release Notes
New Features and Functionality
Expanded Threat Protection
URL and DNS-based Security Intelligence
New Security Intelligence feeds based on URLs and Domain Name System (DNS) names are provided to enhance
the existing IP-based Security Intelligence capability. IP-based intelligence is currently used to control access to
known malware, phishing, command & control, and botnet sites. Attack methods designed to defeat IP-based
intelligence (e.g., fast flux) abuse DNS load-balancing features (round-robin answers with short TTLs) in an effort
to hide the actual IP address of a malicious server: the IP addresses associated with the attack are swapped in and
out frequently, while the domain name rarely changes. URL-based intelligence supplements the IP-based intelligence
in addressing this kind of attack, and DNS-based intelligence helps identify known domains and DNS servers that are
complicit in these kinds of attacks. Access control policies can be created using these new intelligence feeds, and
new dashboards provide visibility and analysis. In addition, both URL-based and DNS-based Security Intelligence
events feed into the Indications of Compromise (IoC) correlation feature. These feeds are provided through regular
updates from the Cisco Talos Security Intelligence and Research Group and, like the IP-based Security Intelligence
feature, are part of the base product and do not require a separate license.
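The following script is an added example (not Cisco or Talos code) that makes the fast-flux argument above concrete. It runs over a constructed DNS resolution log in which one domain rotates its A records every minute, flags that domain as a fast-flux candidate, and then counts how many of the attacker's resolutions an IP-keyed list catches versus a domain-keyed list. The domain names, addresses, thresholds and the assumption that the IP feed captured only the first address seen are all illustrative.

```python
"""Fast flux versus IP-keyed blocking: an added example, not Cisco code.

The Security Intelligence rationale above is that a fast-flux domain
rotates its A records while the name stays constant. This script runs
over a constructed DNS resolution log and shows how much of the
attacker's traffic an IP-keyed list catches versus a domain-keyed list.
"""
from collections import defaultdict

# Constructed sample log: (seconds, query name, answer IP, TTL). Not real data;
# the attacker's "CDN" rotates through five documentation-range addresses.
RESOLUTIONS = [
    (0,    "update.evil-cdn.example", "203.0.113.10",   60),
    (60,   "update.evil-cdn.example", "198.51.100.7",   60),
    (120,  "update.evil-cdn.example", "192.0.2.45",     60),
    (180,  "update.evil-cdn.example", "203.0.113.88",   60),
    (240,  "update.evil-cdn.example", "198.51.100.201", 60),
    (0,    "www.example.org",         "93.184.216.34",  86400),
    (3600, "www.example.org",         "93.184.216.34",  86400),
]

def flux_candidates(records, min_ips=4, max_ttl=300):
    """Names that rotate through >= min_ips distinct addresses with every
    answer's TTL <= max_ttl. The thresholds are illustrative assumptions,
    not Talos's classification criteria."""
    ips = defaultdict(set)
    short_ttl = defaultdict(lambda: True)
    for _, name, ip, ttl in records:
        ips[name].add(ip)
        short_ttl[name] = short_ttl[name] and ttl <= max_ttl
    return {n: sorted(a) for n, a in ips.items()
            if len(a) >= min_ips and short_ttl[n]}

def in_domain_list(qname, domain_list):
    """Suffix match: 'update.evil-cdn.example' is covered by 'evil-cdn.example'."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domain_list for i in range(len(labels)))

def blocked_by_ip(records, ip_list):
    """Resolutions an IP-keyed list would block: only answers already on the list."""
    return sum(1 for _, _, ip, _ in records if ip in ip_list)

def blocked_by_domain(records, domain_list):
    """Resolutions a domain-keyed list would block, regardless of the answer IP."""
    return sum(1 for _, name, _, _ in records if in_domain_list(name, domain_list))

if __name__ == "__main__":
    flux = flux_candidates(RESOLUTIONS)
    print("fast-flux candidates:", flux)
    # Assumption: the IP feed captured only the address seen when the feed was built.
    ip_feed = {"203.0.113.10"}
    domain_feed = {"evil-cdn.example"}
    print("blocked by IP list:    ", blocked_by_ip(RESOLUTIONS, ip_feed), "of 5")
    print("blocked by domain list:", blocked_by_domain(RESOLUTIONS, domain_feed), "of 5")
```

With these inputs the IP list blocks one of the five resolutions (the address that happened to be on the list) while the domain list blocks all five, which is the reason the URL and DNS feeds exist alongside the IP feed rather than replacing it.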
DNS Inspection and Sinkholes
Just as attackers use the SSL protocol to hide their activity, they use the DNS protocol for the same purpose. For
that reason, and as another way to address fast flux-type attacks, the Firepower system can intercept DNS requests
and take action based on a DNS policy. A DNS policy allows requests for known command & control, spam, phishing,
and similar domains to be dropped, answered with a Domain Not Found (NXDOMAIN) response, or redirected to a
pre-configured sinkhole. The sinkhole option draws the endpoint's follow-on traffic to an address monitored by the
Firepower managed device, which identifies the endpoint that made the request and can result in an IoC alert.
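As an added example (not Firepower code), the script below shows the three DNS policy actions at the wire level. It parses a DNS query packet, looks the name up in a constructed policy (with parent-domain matching), and returns what the device would send back: nothing for drop, a response with RCODE 3 for Domain Not Found, or an A record pointing at a sinkhole address for sinkhole. A last helper shows the payoff of sinkholing: the hosts that later connect to the sinkhole are the infected endpoints. The policy entries, the sinkhole address and the connection log are assumptions built for the example.

```python
"""DNS policy actions at the wire level: an added example, not Firepower code.

Given a DNS query packet, look the name up in a constructed policy and
produce what the device would do: forward, drop, answer NXDOMAIN
("Domain Not Found"), or answer with a sinkhole address. A second helper
shows why sinkholing is useful: the hosts that later connect to the
sinkhole are the infected endpoints.
"""
import ipaddress
import struct

SINKHOLE_IP = "192.0.2.53"   # assumption: documentation-range address, not a real sinkhole

# Constructed policy. Lookup walks from the full name up through parent domains.
DNS_POLICY = {
    "c2.evil-cdn.example": "sinkhole",
    "phish.example.net":   "nxdomain",
    "spam.example.com":    "drop",
}

def encode_name(name):
    """Encode 'a.b.example' as length-prefixed DNS labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, txid=0x1234, qtype=1):
    """A minimal recursive query (RD=1) with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_query(pkt):
    """Return (txid, lowercase qname, qtype, raw question section)."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("expected a query with exactly one question")
    off, labels = 12, []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in a query name")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, ".".join(labels).lower(), qtype, pkt[12:off + 4]

def lookup(name):
    """Suffix match so 'x.c2.evil-cdn.example' inherits the parent's action."""
    labels = name.split(".")
    for i in range(len(labels)):
        action = DNS_POLICY.get(".".join(labels[i:]))
        if action:
            return action
    return "allow"

def build_response(txid, question, rcode=0, answer=b"", ancount=0):
    flags = 0x8180 | rcode          # QR=1, RD=1, RA=1, RCODE in the low nibble
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question + answer

def apply_dns_policy(query, sinkhole_ip=SINKHOLE_IP):
    """Return (action, response bytes or None). None means no packet is sent
    back by the policy: 'allow' forwards the query unchanged, 'drop' discards it."""
    txid, name, qtype, question = parse_query(query)
    action = lookup(name)
    if action in ("allow", "drop"):
        return action, None
    if action == "nxdomain" or qtype != 1:
        # Sinkholing only makes sense for A queries; anything else gets NXDOMAIN.
        return "nxdomain", build_response(txid, question, rcode=3)
    # Sinkhole: one A record for the sinkhole, name compressed to the question
    # (pointer 0xC00C = offset 12), short TTL so remediation takes effect quickly.
    rdata = ipaddress.IPv4Address(sinkhole_ip).packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return "sinkhole", build_response(txid, question, answer=answer, ancount=1)

def sinkhole_contacts(conn_log, sinkhole_ip=SINKHOLE_IP):
    """Hosts that followed a sinkholed answer and connected to the sinkhole:
    these are the endpoints worth an IoC. conn_log rows are (src_ip, dst_ip)."""
    return sorted({src for src, dst in conn_log if dst == sinkhole_ip})

if __name__ == "__main__":
    for qname in ("C2.evil-cdn.example", "www.phish.example.net",
                  "spam.example.com", "www.example.org"):
        action, resp = apply_dns_policy(build_query(qname))
        print(f"{qname:24} -> {action:8} {resp.hex() if resp else '(no packet)'}")
    # Constructed connection log recorded after the sinkholed answer was handed out.
    CONN_LOG = [("10.1.1.23", SINKHOLE_IP), ("10.1.1.23", "93.184.216.34"),
                ("10.1.1.40", SINKHOLE_IP)]
    print("sinkhole contacts:", sinkhole_contacts(CONN_LOG))
```

The sinkhole answer deliberately keeps a short TTL: once the entry is removed from the policy, clients stop resolving to the sinkhole within a minute rather than holding a stale cached answer. The `drop` action returns no packet at all, which is what makes the client wait through its resolver timeout; `nxdomain` fails fast instead, and only `sinkhole` yields the follow-on connection that exposes the endpoint.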
Enhanced Network Visibility and Control
SSL Decryption for Cisco ASA with FirePOWER Services Managed Via ASDM
Cisco’s next-generation firewall (NGFW), Cisco ASA with FirePOWER Services, can now manage SSL decryption
locally through ASDM and decrypt traffic before performing attack, application, and malware detection against it.
This is the same capability introduced in Version 5.4 for Cisco’s Firepower next-generation IPS (NGIPS) appliances.
SSL decryption can be deployed in both passive and inline modes, and supports HTTPS and other TLS-wrapped or
StartTLS-capable applications (e.g., SMTPS, POP3S, FTPS, IMAPS, TelnetS). Note that a passive deployment can
decrypt only with the server’s private key (known-key decryption); re-signing server certificates with an internal CA
requires an inline deployment. Decryption policies give granular control over how encrypted traffic is logged and
handled, such as limiting decryption by URL category to address privacy concerns, and can block traffic based on
self-signed server certificates, SSL/TLS version, specific cipher suites, and/or unapproved mobile devices.
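The following added example (not Cisco code) shows the kind of decision an SSL policy makes before any decryption happens, using only what is visible in the ClientHello. It builds constructed ClientHello records, parses the client version, the offered cipher suites and the SNI host name, and applies an illustrative policy: block legacy SSL/TLS versions, block clients that offer only weak suites, leave privacy-sensitive URL categories encrypted, and decrypt everything else. The minimum version, the weak-suite set, the category table and the host names are assumptions; checks on the server certificate (self-signed, for instance) need the server's handshake flight and are not shown.

```python
"""SSL decryption policy decisions from a TLS ClientHello: an added example,
not Firepower code. It builds constructed ClientHello records, parses the
client version, offered cipher suites and SNI, and applies an illustrative
policy: block legacy SSL/TLS versions, block clients that offer only weak
suites, leave privacy-sensitive URL categories encrypted, decrypt the rest.
"""
import struct

# Assumptions for the policy; Firepower's own category names and defaults differ.
MIN_VERSION = 0x0303                 # TLS 1.2; 0x0300=SSL 3.0, 0x0301=TLS 1.0, 0x0302=TLS 1.1
WEAK_SUITES = {
    0x0001, 0x0002,                  # TLS_RSA_WITH_NULL_MD5 / _SHA (no encryption)
    0x0003, 0x0006,                  # export-grade RC4 / RC2
    0x0004, 0x0005,                  # TLS_RSA_WITH_RC4_128_MD5 / _SHA
    0x000A,                          # TLS_RSA_WITH_3DES_EDE_CBC_SHA
}
DO_NOT_DECRYPT_CATEGORIES = {"healthcare", "finance"}
URL_CATEGORY = {                     # constructed stand-in for a URL category lookup
    "portal.clinic.example": "healthcare",
    "bank.example":          "finance",
    "shop.example":          "shopping",
}

def build_client_hello(version, suites, sni):
    """Constructed TLS record carrying a ClientHello with one SNI extension."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                              # one compression method: null
    host = sni.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(host)) + host        # name_type=host_name
    sni_ext = struct.pack("!HHH", 0, len(name_list) + 2, len(name_list)) + name_list
    body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(rec):
    """Return {'version', 'suites', 'sni'} from a single-record ClientHello.
    No fragmentation handling; TLS 1.3 signals its version in an extension
    this parser ignores, so 1.3 clients appear as 0x0303."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    off = 9
    version = struct.unpack("!H", rec[off:off + 2])[0]
    off += 2 + 32                                    # skip random
    off += 1 + rec[off]                              # skip session id
    cs_len = struct.unpack("!H", rec[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + rec[off]                              # skip compression methods
    sni = None
    if off + 2 <= len(rec):
        ext_end = off + 2 + struct.unpack("!H", rec[off:off + 2])[0]
        off += 2
        while off + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", rec[off:off + 4])
            off += 4
            if etype == 0:                           # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", rec[off + 3:off + 5])[0]
                sni = rec[off + 5:off + 5 + name_len].decode("ascii").lower()
            off += elen
    return {"version": version, "suites": suites, "sni": sni}

def decrypt_decision(hello):
    """Return (action, reason); action is 'block', 'do_not_decrypt' or 'decrypt'."""
    if hello["version"] < MIN_VERSION:
        return "block", f"client version 0x{hello['version']:04x} below minimum"
    if all(s in WEAK_SUITES for s in hello["suites"]):
        return "block", "client offers only weak cipher suites"
    category = URL_CATEGORY.get(hello["sni"] or "")
    if category in DO_NOT_DECRYPT_CATEGORIES:
        return "do_not_decrypt", f"SNI category {category} is privacy-exempt"
    return "decrypt", "no exemption matched"

if __name__ == "__main__":
    samples = [
        (0x0303, [0xC02F, 0x009C], "shop.example"),          # modern client, decrypt
        (0x0303, [0xC02F, 0x009C], "bank.example"),          # privacy category, leave encrypted
        (0x0300, [0x002F],         "shop.example"),          # SSL 3.0, block
        (0x0303, [0x0004, 0x0005], "shop.example"),          # RC4 only, block
    ]
    for version, suites, sni in samples:
        hello = parse_client_hello(build_client_hello(version, suites, sni))
        print(sni, hex(version), decrypt_decision(hello))
```

Two design points carry over to a real deployment. The version and suite checks act on what the client offers, so a client that offers one weak suite among strong ones is still decrypted rather than blocked; blocking on the negotiated suite needs the ServerHello as well. And the privacy exemption keys on SNI, which the client sends in cleartext, so it can be applied without decrypting anything; a client that omits SNI falls through to the default action.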
Support for OpenAppID-Defined Applications
OpenAppID is Cisco’s open source, application-focused detection language that enables users to create, share,
and implement new application detection signatures for custom, localized, and cloud applications, without being
dependent upon an NGFW vendor’s release cycle or roadmap. In Version 6.0, the Firepower application detection
engine, which identifies and controls access to over 3,000 applications, has been enhanced to recognize
OpenAppID-defined applications. In the same way that Snort was an effort to open source intrusion detection,
OpenAppID is a way to open source application detection. Support for OpenAppID-defined applications
demonstrates Cisco’s commitment to open source initiatives and the flexibility that they provide to our customers.
Captive Portal and Active Authentication
In order to provide better visibility in mapping users to IP addresses and their associated network events, the
Captive Portal and Active Authentication feature can be configured to require users to enter their credentials when
prompted through a browser window. The mapping also allows policies to be based on a user or group of users.
This feature supplements the existing Sourcefire User Agent (SUA) integration with Active Directory to address
non-Windows environments, BYOD users, and guests.