21. Cisco Firepower Threat Defense 6.2.2: SSL/TLS Decrypt

  • Published: 25 Jan 2025

Comments • 34

  • @aussietramp
    @aussietramp 1 year ago +1

    Damn! I learned SO MUCH in just 51 mins! Thanks Jason!

  • @ICEMAN_96
    @ICEMAN_96 5 years ago

    Great video, Jason! I've been working with Firepower for over a year and this is the best resource I've found on the SSL policy feature. The current Cisco Press books provide very little information; hopefully that is changing with the new cert refresh.

  • @yazeedfataar835
    @yazeedfataar835 7 years ago

    Hi Jason,
    I attended the live session, and thank you for sharing this, as it was very helpful!

    • @jasonmaynard8773
      @jasonmaynard8773 7 years ago

      Thanks for attending, and I appreciate the comments. Cheers, Yazeed.

  • @vaibhavparlekar5645
    @vaibhavparlekar5645 7 years ago

    Great video, Jason. It would be great to see a similarly detailed video on the malware analysis checks on Firepower, i.e. FireAMP, ClamAV, dynamic analysis. Keep more videos coming :)

    • @jasonmaynard8773
      @jasonmaynard8773 7 years ago

      Thanks Vaibhav, I will create a couple using FMC shortly. In the meantime I do have some on the endpoint side. Check out the following playlist: ruclips.net/p/PLyf18hdY22ERMGwsca4ZpHYWBC_7zQkZ9

  • @felixsummer4130
    @felixsummer4130 6 years ago

    Great tutorial and clear speech! Like it.

  • @vikaspotadar
    @vikaspotadar 5 years ago

    Very much informative!

  • @sergeileshchinsky
    @sergeileshchinsky 6 years ago

    Awesome video. Thanks a lot for sharing!

  • @ameersabbah6407
    @ameersabbah6407 4 years ago

    Great video... Thanks a lot

  • @TechnicalUstad
    @TechnicalUstad 5 years ago

    Awesome video.

  • @Bormanb23
    @Bormanb23 5 years ago

    Thanks Jason. On the certificate subject, I wanted to confirm whether it would be the same or a similar process when generating and installing 3rd-party SSL certificates for external access?

    • @jasonmaynard8773
      @jasonmaynard8773 5 years ago

      Correct.
      Additional details:
      Decryption tuning using SSL rules: www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/decryption_tuning_using_ssl_rules.html#ID-2255-00000582
      Trusting external certificate authorities: www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/decryption_tuning_using_ssl_rules.html#ID-2255-00000623
      External certificate objects: www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/reusable_objects.html#ID-2243-00000d4a

  • @iamregin
    @iamregin 4 years ago

    Great videos all around, as I've been looking to tweak the security settings of my FP deployment. I deployed for testing, currently with my own user account, and I noticed that Chrome seems to override the SSL policy for anything related to Google, YouTube, etc. I assume there is a way to prevent this within the policy settings, potentially in the list of undecryptable actions? But I'm also assuming that'll cause the browser to throw errors. Is there a workaround for this, or is that going to be standard expected behavior for browsers going forward?

    • @jasonmaynard8773
      @jasonmaynard8773 4 years ago

      Hi Karl, can you expand on this? If you are saying that Chrome is switching to QUIC, you can block it on Firepower and force it to drop down to TLS. You can look into GPO to invoke your will on the Windows asset.

    • @jasonmaynard8773
      @jasonmaynard8773 4 years ago

      Thanks for the comments as well :)

  • @jameshofsisscissp6812
    @jameshofsisscissp6812 6 years ago

    What's the performance impact on the Firepower device from using it for SSL/TLS decryption and inspection?

    • @jasonmaynard8773
      @jasonmaynard8773 6 years ago

      Hi James, that depends on whether you leverage software- or hardware-based decryption. I would recommend that you reach out to your local Cisco Security CSE for specific details.

  • @justinmanship5431
    @justinmanship5431 5 years ago

    How would you get inspection on PCs on your network that are not part of the domain? Like a guest user, or someone with their phone joined to the wireless network. Since they would not have your CA in their trusted root CAs, they would receive cert errors, correct?

    • @jasonmaynard8773
      @jasonmaynard8773 5 years ago +1

      Hi Justin, not a use case I see often, especially when decrypting guest traffic; there are a lot of privacy elements to consider when doing so. You are correct, there are challenges around cert warnings when you do not have the cert signed by a trusted CA. You may consider pushing the cert into the trusted store when onboarding the device, perhaps via MDM or things like BYOD and ISE. I would have to peel the onion back on this a little more, but I hope this gives you things to consider.

    • @justinmanship5431
      @justinmanship5431 5 years ago

      @jasonmaynard8773 That does give me some things to consider. So far I have only set this up for social networking sites, and it is being applied only to a security group with the majority of the domain users in it. It seems to be working, but they are getting cert errors in Chrome and Firefox; IE works fine. I created a GPO to add the CA to the PCs and even added it to Firefox on one PC, but it still gets the errors. Not sure I really like this very much so far. My other question is: don't we basically need to decrypt everything for inspection, because they may just connect to a random HTTPS site and get malware if it isn't being inspected? How would you set up that policy?

    • @jasonmaynard8773
      @jasonmaynard8773 5 years ago

      You should not get cert warnings if you followed the setup in the video; the first bit talks about the creation of the certificates using an MS enterprise CA, and I am using Chrome in the example. Look at the example on the client at 16:25: you can see that there is no warning, as the certificate is trusted. If you continue to have issues, I would open a TAC case.
      In regards to what to decrypt, that depends on the security and HR policy. HR may state that health and finance cannot be decrypted. Also, you may block sites that are bad earlier on in the connection, such as through Security Intelligence or web reputation. Again, it comes down to your security policy and acceptable risk. Hope this helps.

    • @mikecvirgilio
      @mikecvirgilio 5 years ago

      @justinmanship5431 Check the hashing algorithm of your root CA. If it's SHA1, Chrome/Firefox will have issues. You'll need to migrate to SHA256 or rebuild with SHA256. Once that's done, you need to regenerate all certificates to get them to SHA256 as well (like the subordinate FMC). I ran into this recently, and this was what I needed to do. Yes, IE worked with SHA1... for now.
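      The check Mike describes, as an added example that is not code from the video or from anyone in this thread: read the signatureAlgorithm of each DER-encoded X.509 certificate in a CA chain (root, subordinate, and so on) and flag the SHA-1 signed ones that need regenerating. The sample chain is constructed inline with an empty tbsCertificate so the script runs offline; point audit_chain() at real DER files to use it.

```python
# Added example, not from the video or this thread: read the signatureAlgorithm
# of each DER X.509 certificate in a CA chain and flag SHA-1 signed ones.

SIGNATURE_OIDS = {  # OID -> (name, weak)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def read_tlv(buf, pos):
    """(tag, body_start, body_end) of the DER element at pos, short or long length."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    return tag, pos + 2 + n, pos + 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                 # base-128 arcs, high bit marks continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of Certificate.signatureAlgorithm, the element after tbsCertificate."""
    _, body, _ = read_tlv(der, 0)                # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, body)          # skip tbsCertificate
    _, alg_body, _ = read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    _, oid_start, oid_end = read_tlv(der, alg_body)
    return decode_oid(der[oid_start:oid_end])

def audit_chain(chain):
    """[(label, algorithm name, needs_regen)] for each (label, der) in the chain."""
    return [(label,) + SIGNATURE_OIDS.get(signature_algorithm(der), ("unknown", True))
            for label, der in chain]

# Constructed sample chain: empty tbsCertificate, real AlgorithmIdentifier, dummy
# signature; enough structure for the parser, not usable as real certificates.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body        # constructed bodies are < 128 bytes

def fake_cert(oid_hex):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00\x00\x00\x00"))

SAMPLE_CHAIN = [("root CA", fake_cert("2a864886f70d01010b")),         # SHA-256
                ("subordinate FMC", fake_cert("2a864886f70d010105"))]  # SHA-1
```

Any entry reported with needs_regen True (here the subordinate) must be reissued under SHA-256 after the root is fixed, which is the order Mike's comment gives.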

    • @jasonmaynard8773
      @jasonmaynard8773 5 years ago

      Thanks Mike! Please note: at around 1:43 I talk about what the environment looks like, and it is a default installation with nothing more, but confirm what Mike provided just in case your environment is slightly different. Let us know how it goes, and thanks again Mike for the support!!

  • @majusae
    @majusae 5 years ago

    Hi. Great video. I have 2 questions. Can I use a self-signed certificate? Does all this work if my sensor is in inline mode? (I mean layer 2.)

    • @jasonmaynard8773
      @jasonmaynard8773 5 years ago

      Thanks Marcela! Check out the following in regards to supported and unsupported features (latest version): www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/getting_started_with_ssl_rules.html?bookSearch=true#id_103862
      TLS/SSL Rule Unsupported Features:
      - RC4 cipher suite is unsupported. The Rivest Cipher 4 (also referred to as RC4 or ARC4) cipher suite is known to have vulnerabilities and is considered insecure. SSL policies identify the RC4 cipher suite as unsupported; you should configure the Unsupported Cipher Suite action in the policy's Undecryptable Actions tab page to match your organization's requirements. For more information, see Default Handling Options for Undecryptable Traffic.
      - Passive and inline tap mode interfaces are not supported.

  • @josecolonii7742
    @josecolonii7742 7 years ago

    What other use cases would you decrypt with known key?

    • @jasonmaynard8773
      @jasonmaynard8773 7 years ago

      The Decrypt - Known Key method is used to perform inbound SSL/TLS decryption. The core use case is inbound SSL/TLS traffic to an internal web server or device.
      This allows Firepower to detect malicious content, threats, and malware flowing over this secure channel.