The Firepower SSL Decryption feature allows you to block encrypted traffic without inspecting it, or to decrypt and inspect encrypted traffic that could otherwise not be inspected. In order to decrypt the traffic the FTD must re-sign the certificate of every website a client visits; in effect the FTD performs a Man in the Middle (MITM) of the TLS session. An internal CA must issue the FTD a certificate using the Subordinate Certificate Authority template (the certificate has to be a CA certificate, i.e. basicConstraints CA:TRUE, otherwise the FTD cannot use it to sign anything); Firepower then dynamically creates a certificate on the fly (spoofing the real site certificate) signed by that subordinate CA, which allows the traffic to be decrypted and inspected. The client computers must trust the internal CA so that they do not receive certificate errors, which in practice means distributing the internal root CA certificate to them (via Group Policy or similar) before decryption is enabled. Applications that pin their certificates will reject the spoofed certificate regardless of that trust and need to be excluded from decryption.
In this scenario an FTD v6.2.2 is acting as the gateway that decrypts the traffic; all configuration is performed on the FMC v6.2.2.
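The following is an added example, not configuration from the original post: a throw-away lab PKI built with the openssl CLI that plays the roles described above. The lab root stands in for the internal CA, "sub.crt" is the certificate the FTD would be given for resigning, and "leaf.crt" is the same request issued with a web-server profile instead of the Subordinate Certificate Authority template (the usual mistake). It then mints a certificate for a site the way the FTD does on the fly and checks what a client that trusts the internal root, and one that does not, would make of it. All names, paths and lifetimes are assumptions for the lab.

```shell
#!/bin/sh
# Added example (not from the original post): a throw-away lab PKI built with
# the openssl CLI. The lab root stands in for the internal CA; "sub.crt" is the
# Subordinate CA certificate the FTD would use for resigning; "leaf.crt" is the
# same request issued with an end-entity (web server) profile, the usual mistake.
# All names, lifetimes and paths are assumptions for the lab.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles: root CA, Subordinate CA (pathlen:0, it only signs site
# certificates) and an end-entity web server profile.
write_profiles() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$WORK/root.ext"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign,digitalSignature' \
    'subjectKeyIdentifier=hash' > "$WORK/subca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' > "$WORK/leaf.ext"
}

# Issue certificate $3 from CSR $1, signed by issuer $2.crt/$2.key with profile $4.
issue() {
  openssl x509 -req -in "$1" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$4" -out "$3" 2>/dev/null
}

# Build the root, the correct resigning cert and the wrongly issued one. Idempotent.
make_lab_pki() {
  [ -f "$WORK/leaf.crt" ] && return 0
  write_profiles
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -sha256 -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=FTD Decryption Sub CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  issue "$WORK/sub.csr" "$WORK/root" "$WORK/sub.crt"  "$WORK/subca.ext"
  issue "$WORK/sub.csr" "$WORK/root" "$WORK/leaf.crt" "$WORK/leaf.ext"
}

# Report the basicConstraints CA flag of a certificate: CA:TRUE, CA:FALSE or none.
ca_flag() {
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in
    *CA:TRUE*)  echo CA:TRUE ;;
    *CA:FALSE*) echo CA:FALSE ;;
    *)          echo none ;;
  esac
}

# Mimic what the FTD does on the fly: mint a certificate for site $1 signed by
# resigning cert $2 (whose key is $3); output files are "$4".key/.csr/.ext/.crt.
spoof_site() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$4.key" -out "$4.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' "subjectAltName=DNS:$1" > "$4.ext"
  openssl x509 -req -in "$4.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 30 -sha256 -extfile "$4.ext" -out "$4.crt" 2>/dev/null
}

# Would a client that trusts the internal root accept spoofed cert $1 presented
# with intermediate $2? This is the chain building a browser performs.
trusting_client_accepts() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1 \
    && echo yes || echo no
}

# Same check for a client that does NOT have the internal root installed.
untrusting_client_accepts() {
  openssl verify -no-CAfile -no-CApath -untrusted "$2" "$1" >/dev/null 2>&1 \
    && echo yes || echo no
}

make_lab_pki
spoof_site www.example.com "$WORK/sub.crt"  "$WORK/sub.key" "$WORK/good"
spoof_site www.example.com "$WORK/leaf.crt" "$WORK/sub.key" "$WORK/bad"
echo "sub.crt  is $(ca_flag "$WORK/sub.crt"): trusting client accepts $(trusting_client_accepts "$WORK/good.crt" "$WORK/sub.crt"), untrusting client accepts $(untrusting_client_accepts "$WORK/good.crt" "$WORK/sub.crt")"
echo "leaf.crt is $(ca_flag "$WORK/leaf.crt"): trusting client accepts $(trusting_client_accepts "$WORK/bad.crt" "$WORK/leaf.crt")"
```

The two echo lines show the point of the exercise: the certificate issued from the Subordinate CA profile produces spoofed site certificates that a client with the internal root installed accepts and a client without it rejects, while the certificate issued from the web-server profile (CA:FALSE) produces spoofed certificates that nobody accepts, because chain validation refuses a non-CA issuer. Run ca_flag against the certificate your internal CA actually issued before importing it into the FMC.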
In a botnet attack, computers become infected with malware and the infected hosts then attempt to contact the botnet's command and control servers. When configured (it requires the time-based Botnet Traffic Filter license), the Botnet Traffic Filter on the Cisco ASA firewall checks incoming and outgoing connections against a dynamic SensorBase database (downloaded from Cisco) of known bad domain names and IP addresses and logs any suspicious activity; it only drops matching connections if you explicitly configure the drop action. In addition to the dynamic database you can define a static blacklist of domain names and IP addresses, and a whitelist to override entries in the dynamic database downloaded from Cisco that you know to be legitimate.
The ASA inspects DNS replies (DNS snooping) for names that match the database and stores the resolved IP addresses in its DNS reverse lookup cache. When a host then opens a connection, the ASA compares the address against the cache and the database; if it matches a known bad domain name or IP address a syslog message is generated and, when the drop action is configured, the connection is dropped. Because only snooped replies populate the cache, the DNS inspection has to see the clients' DNS traffic: a client using a resolver whose replies the ASA does not inspect will only be matched on IP address, not on domain name.
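A minimal Botnet Traffic Filter configuration implementing the behaviour just described, as an added example rather than configuration from the original post. The interface name "outside", the DNS server 192.0.2.53 and the static blacklist and whitelist entries are assumptions:

```cisco
! Added example: Botnet Traffic Filter on an ASA. The interface name "outside",
! the DNS server 192.0.2.53 and the blacklist/whitelist entries are assumptions.

! 1. Let the ASA resolve names and fetch the dynamic SensorBase database.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
dynamic-filter updater-client enable
dynamic-filter use-database

! 2. DNS snooping: inspect DNS replies so the resolved addresses of bad names
!    are placed in the reverse lookup cache. Added to the default global policy.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop

! 3. Classify traffic crossing the outside interface. On its own this only logs;
!    the "drop" line is what actually blocks, here for moderate and worse.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside threat-level range moderate very-high
! Optional: treat greylisted (ambiguous) addresses as blacklisted.
dynamic-filter ambiguous-is-black

! 4. Local overrides: static blacklist entries and a whitelist exception that
!    wins over the dynamic database.
dynamic-filter blacklist
 name c2.bad.example
 address 203.0.113.10 255.255.255.255
dynamic-filter whitelist
 name updates.good.example

! Checks: database download status, what DNS snooping has cached, and hits.
! show dynamic-filter updater-client
! show dynamic-filter dns-snoop
! show dynamic-filter statistics
! show dynamic-filter reports top malware-sites
```

Matches are reported in syslog message IDs 338001 through 338008, so forward those to your SIEM; "show dynamic-filter dns-snoop" should show cached entries before you conclude the filter is not matching anything.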
The Check Point Application Control software blade allows firewall administrators to identify traffic and allow or block it based on the type of application, time of day, bandwidth and so on. When used with the Identity Awareness software blade, access to sites can be controlled per user or group in the security policy. In this post I am using Check Point R75.46 running Gaia on an open server and will run through the basics of setting up Application Control to block social networking sites and allow all other traffic.
Configuring Application Control
Login to the SmartDashboard
Open the properties of the firewall object and enable “Application Control” by ticking the box, then click OK
The CheckPoint Mobile Access software blade is an SSL VPN which gives a user’s PC, smartphone or tablet connectivity to the corporate network. Most new CheckPoint appliances (2200, 4000 series etc.) are licensed with the Mobile Access blade as standard. This post provides information on getting started and configuring the basics.
Configuring Mobile Access
Open SmartDashboard and create a new firewall rule permitting inbound HTTPS to the firewall. NOTE: this rule needs to be above the Stealth rule (the rule that drops all other traffic destined to the gateway itself), otherwise the SSL VPN traffic will be dropped
Modify the properties of the firewall object and select “Mobile Access”
The “Mobile Access Configuration” wizard should automatically appear
Identity Awareness allows you to enforce access based on user and computer identity. It integrates with both Active Directory and non-Active Directory networks and will authenticate employees and guests. When integrated with Active Directory the connection is clientless and authentication is transparent to the user.
There are five “identity sources” which Identity Awareness can use to acquire identities, among them:-
AD Query
Endpoint Identity Agent
Terminal Servers Identity Agent
This post describes the basics of configuring Identity Awareness, integrating it with Active Directory using the AD Query method (clientless: the gateway reads logon events from the domain controllers’ security event log over WMI, so it needs an AD account with permission to do so and WMI reachability to every domain controller) and configuring a rule that requires authentication to access the internet.
Configuring Identity Awareness
Open the properties of the CheckPoint gateway
Tick the “Identity Awareness” software blade
Select the correct gateway that will be used to identify users
Select the “AD Query” method for acquiring identity
The information in this post describes the basic installation and configuration of CheckPoint R75.40 Gaia. The software was installed in a VMware virtual machine rather than on a CheckPoint appliance. The ISO image “Check_Point_R75.40_Gaia.iso” was downloaded from the CheckPoint UserCenter.
Connect to the appliance/VM/server and boot from CD/ISO image
Click Ok to proceed with the installation
Select the appropriate “Keyboard” language
Modify or accept the default “Partitions Configuration”
Enter a strong password for the “admin” account
Select the desired “Management Port”
Configure the IP address and default gateway for the “Management Interface”
Click Ok to proceed with the installation
When prompted reboot the appliance
In order to complete the configuration, open a web browser and connect over HTTPS to the web GUI using the management IP address specified during installation; the First Time Configuration Wizard runs from there
Enter the username “admin” and the password you specified during installation