SourceFire & AMP showing up on CCNP: Security
Looks like the SITCS Exam, that is part of the CCNP: Security exam is going from v1.0 to v1.5. SITCS is the exam oriented around ‘Implementing Cisco Threat Control Soluation’. Now, it only makes sense as the original version of this exam was more geared towards Cisco IPS & CX which has since been EoX’ed some time ago. If you have been studying for your CCNP: Security and are getting ready for SITCS v1.0 exam you still have time, Cisco kept the original exam available till December 31st of 2016 so you have until the end of year.
Cisco has published a dedicated PDF regarding the charges between the exams, which can be found here.
In a nutshell though:
- EoX – Cisco IPS and CX software have been removed.
- SourceFire & AMP Software has been added in as the replacement topics.
- The exam code will be changed to 300-210 from 300-207
In my opinion, SourceFire documentation is still a little scarce even nowadays (Finding the proper version of User Agent on Cisco.com is still a bit of scavenger hunt) but hopefully this push for SourceFire knowledge will change that! (In the meantime I highly recommend checking out CiscLive365 and going through the available sessions, small collection here but it has not updated since Cisco Live 2016.)
As always, happy hunti…I mean studying!
Wireshark Tid-bit: De-crypt SNMPv3 in Wireshark
I recently found myself troubleshooting some SNMP connectivity between a particular set of devices and an NMS. Connectivity did not appear to be the problem as IP Connectivity was there and MIB walks were successful, however some interesting errors were still getting reported on the NMS. As I captured the packets to verify this connectivity, I said to myself ‘If only I can see what the NMS was asking for specifically and what device in question was replying back with’. This led me to check out the SNMP protocol settings in Wireshark, I mean Wireshark can de-crypt HTTPS traffic (with the private key) and wireless WPA traffic surely it can de-crypt SNMPv3. Behold it was true!! I was able to de-crypt SNMPv3 packets, and see what was really going on.
To add SNMPv3 information into Wireshark:
Access your Wireshark preferences: Edit -> Preferences -> Protocols -> SNMP
Where you see ‘Users table’ choose edit:
From here we can enter the SNMPv3 settings we need:
- Engine ID
- SNMP USer
- Authentication & Password – MD5 or SHA1
- Privacy & Password- DES, AES-128, AES-192, or AES-256
Once you enter the correct information and choose ‘ok‘ Wireshark will automatically de-crypt any relevant packets.
I feel like this is something I should have known about for a while now, but I supposed I don’t find myself troubleshooting SNMP connectivity too often. Figured I would get the word out there!
Enter the ring: Engineering Deathmatch!!
What happens when you combine the old celebrity deathmatch meets Cisco networking? Well, you get Engineering Deathmatch! Two engineers enter the console and only one gets out! (You’ve seen Tron right!!?)
Well….. it’s almost that dramatic. Have you ever wanted to go head to head against a fellow engineer, put your wits to the test, and see who can fix the network quicker? Engineering Deathmatch let’s you do just that. I went up against Daniel Dib and while I did not arise victorious it was a still a very fun scenario! Major kudos and props to a good friend of mine Jon Major (pun intended) for building out the crazy scenario that had both Dan and myself stumped for quite some time. It certainly wasn’t your typical network mis-configuration.
I really do recommend this deathmatch to anyone looking for a good challenge, regardless of your level (CCNA/CCNP/CCIE) or your networking interest (Collaboration/RouteSwitch/DevOps) there could be a deathmatch with your name on it! Especially if you got a good co-worker, friend, or study buddy who doesn’t mind some friendly competition.
I know I’ve been quiet for a bit lately, but now that I’ve gotten a few things in order I’m coming back!
(Now, to tackle all those drafts that have been piling up)
Till next time, happy hunting.. I mean labbing!
Cisco ASA presents self-signed cert in certain SSL negotiations – CSCuu02848 / CSCuw02001
Just kind of a shout-out to those running ASA’s, be careful when you upgrade to v9.4+ or v9.5+, and beyond.
In v9.4+ when the ASA attempts to negotiate an SSL connection it will attempt to use an ECDSA Cipher as part of TLS v1.2 if the client supports Elliptic Curve ciphers. In this situation the ASA will present it’s self-signed certificate regardless of it’s configuration.
You’ve got 2x Options to fix this:
- Use an ECDSA Certificate
- Disabled ECDSA Cipher with the following command: (Might want to cut-out some of those weaker ciphers)
ssl cipher tlsv1.2 custom “AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5”
Funny thing is, this is mentioned in the v9.4 release notes. However, it is not mentioned in the v9.5 release notes, so if you were to say upgrade from v9.2 or v9.3 and hop directly to v9.5 (A fully supported upgrade path) this could be something that creeps up on you. After all why you read through the release notes of release you are completely skipping!
Direct Link to the bug can be found here.
You can easily verify this by capturing the SSL Negotiation and checking the Client Hello for TLSv1.2 and EC Ciphers:
Of course the Browser Certificate error will be a dead giveaway but sometimes it’s nice to check.
Do keep in mind though, in order to be affected by this you must be doing the following:
- SSL Services running the ASA
- Running v9.4 or beyond
- Running the default SSL Ciphers for TLSv1.2
- Be running an RSA only certificate for SSL negotiation.
Happy hunting, I mean Labbing!
It’s been 5 years!!
Hard to believe I have been blogging for 5 years! If I didn’t have a record of it I probably wouldn’t believe it!
Last year saw another 30 new blogs posts published, and that doesn’t count my 4 posts for the SolarWinds Thwack Ambassador program or my blog post or two for the Cisco Champion program! And here I thought I’ve been slacking on my blog posts, but I still got over 30 different posts published out there on the web last year! In the last year I am ecstatic to say this blog is seeing around 18k+ visitors a month!
Some of the top posts for 2015. (It’s the recent overhaul to WordPress I can’t see my overall ‘Top’ Stats)
- CCIE: Data Center Study Links Page
- Routing on a Cisco 2960 Catalyst Switch
- Verifying IPSec Tunnels
- IKE Main Mode, Aggressive Mode, & Phase 2
- Understanding a Wi-Fi Connection
Well, here is to another year! Like all my previous years I’ve got a handful of posts in my drafts pile getting ready to get published! SourceFire, More Wireshark Tid-bits, Wireless, and more Route/Switch topics!
Where to start with Cisco & SourceFire
Since Cisco announced EoX for both it’s traditional IPS and it’s CX-Modules it’s been time to start looking at the new SourceFire modules, however that can be quite an undertaking since SourceFire is a completely different beast from its predecessors. Which raises the question where do you start to begin getting familiar with this new system.
I’ve found a good place to start is with a Cisco Live Sessions BRKSEC-2018 (Link below), the reason I like this session is the fact it covers many of the initial questions for implementing or migrating to the new platforms:
- How is the new platform managed & maintained. Being able to successfully manage a platform is one of the most important aspects of deploying a technology. After you verify that technology will meet your deployment requirements of course.
- What is the best way to migrate from the traditional IPS or CX platforms. whether or not you using a software module in the 5500-X ASA Firewalls, hardware modules in the 5585-X platforms, or if you have been using dedicated IPS appliances.
- The new licensing structure. Sometimes we get lost in the technical details, however the licensing details can take our deployment and stop it dead in its tracks.
- How the new policies work. Next-Gen IPS is a much needed and drastic change from its predecessor, understanding the new capabilities and how to configure these features are detrimental to a successful and secure deployment.
Outside of the deployment considerations, this session skims the surface of a technical deep dive. However, There are a handful of other Cisco Live Sessions, (links are below) that go more in depth into other aspects of SourceFire and FireSight’s capabilities.
The next best stop is going to be reviewing the configuration guide for FireSIGHT, which is the management platform for the SourceFire platforms. Like many other configuration guides you are looking down a few hundred intimidating pages. So it might be best to start off with the topics you need and then expand.
There are also some great Configuration Examples out on Cisco.com that cover topics from the initial setup and install, URL Filtering, Active Directory Integration and required permissions, to some SNORT examples.
Small collection of SourceFire Links:
A few CiscoLive365 sessions:
- BRKSEC-2018: Tips & Tricks for Successful Migration to FirePOWER Solutions
- BRKSEC-1030: Introduction to SourceFire NGIPS
- BRKSEC-2028: Deploying Next Generation with ASA & FirePower Services
- BRKSEC-2139: Advanced Malware Protection
- BRKSEC-3034: FireSight Network Security Analytics
- BRKSEC-3055: Troubleshooting Cisco with FirePOWER Services
- BRKSEC-3126: Advanced Configuration & Tuning FirePOWER
CCIE or Null! 