Where to start with Cisco & SourceFire
Since Cisco announced EoX for both it’s traditional IPS and it’s CX-Modules it’s been time to start looking at the new SourceFire modules, however that can be quite an undertaking since SourceFire is a completely different beast from its predecessors. Which raises the question where do you start to begin getting familiar with this new system.
I’ve found a good place to start is with a Cisco Live Sessions BRKSEC-2018 (Link below), the reason I like this session is the fact it covers many of the initial questions for implementing or migrating to the new platforms:
- How is the new platform managed & maintained. Being able to successfully manage a platform is one of the most important aspects of deploying a technology. After you verify that technology will meet your deployment requirements of course.
- What is the best way to migrate from the traditional IPS or CX platforms. whether or not you using a software module in the 5500-X ASA Firewalls, hardware modules in the 5585-X platforms, or if you have been using dedicated IPS appliances.
- The new licensing structure. Sometimes we get lost in the technical details, however the licensing details can take our deployment and stop it dead in its tracks.
- How the new policies work. Next-Gen IPS is a much needed and drastic change from its predecessor, understanding the new capabilities and how to configure these features are detrimental to a successful and secure deployment.
Outside of the deployment considerations, this session skims the surface of a technical deep dive. However, There are a handful of other Cisco Live Sessions, (links are below) that go more in depth into other aspects of SourceFire and FireSight’s capabilities.
The next best stop is going to be reviewing the configuration guide for FireSIGHT, which is the management platform for the SourceFire platforms. Like many other configuration guides you are looking down a few hundred intimidating pages. So it might be best to start off with the topics you need and then expand.
There are also some great Configuration Examples out on Cisco.com that cover topics from the initial setup and install, URL Filtering, Active Directory Integration and required permissions, to some SNORT examples.
Small collection of SourceFire Links:
A few CiscoLive365 sessions:
- BRKSEC-2018: Tips & Tricks for Successful Migration to FirePOWER Solutions
- BRKSEC-1030: Introduction to SourceFire NGIPS
- BRKSEC-2028: Deploying Next Generation with ASA & FirePower Services
- BRKSEC-2139: Advanced Malware Protection
- BRKSEC-3034: FireSight Network Security Analytics
- BRKSEC-3055: Troubleshooting Cisco with FirePOWER Services
- BRKSEC-3126: Advanced Configuration & Tuning FirePOWER
CCIE or Null! 
Hey Steve, Check out the following free videos: http://labminutes.com/video/sec/ASA%20FirePower
They’re pretty useful for Firepower 🙂
Katherine
July 27, 2015 at 1:19 PM
Looks like some good stuff, I will definitely check out a few videos!
Thank you for the link!
Stephen J. Occhiogrosso
July 27, 2015 at 6:09 PM
[…] https://ccie-or-null.net/2015/07/27/where-to-start-with-cisco-sourcefire/ […]
FireSIGHT URL Filtering using Sourcefire User Agent and LDAP AD | Overlaid
August 6, 2015 at 12:16 PM
[…] recommend checking out CiscLive365 and going through the available sessions, small collection here but it has not updated since Cisco Live […]
SourceFire & AMP showing up on CCNP: Security | CCIE or Null!
September 22, 2016 at 9:01 AM