Friday, July 5, 2019

Configuring Cisco FMC Application Filtering

There are three types of applications that the Firepower system detects:
  • application protocols such as HTTP and SSH, which represent communications between hosts 

  • clients such as web browsers and email clients, which represent software running on the host 

  • web applications such as MPEG video and Facebook, which represent the content or requested URL for HTTP traffic
The system identifies applications in your network traffic according to the characteristics specified in each detector. For example, the system can identify an application by an ASCII pattern in the packet header. In addition, Secure Sockets Layer (SSL) protocol detectors use information that is still visible in the secured session (such as the server name the client asks for) to identify the application without decrypting it.

There are two sources of application detectors in the Firepower System:
  • System-provided detectors detect web applications, clients, and application protocols.
    The availability of system-provided detectors for applications (and operating systems) depends on the version of the Firepower System and the version of the VDB you have installed. Release notes and advisories contain information on new and updated detectors. You can also import individual detectors authored by Professional Services. 

  • Custom application protocol detectors are user-created and detect web applications, clients, and application protocols.
You can also detect application protocols through implied application protocol detection, which infers the existence of an application protocol based on the detection of a client.

The system identifies only those application protocols running on hosts in your monitored networks, as defined in the network discovery policy. For example, if an internal host accesses an FTP server on a remote site that you are not monitoring, the system does not identify the application protocol as FTP. On the other hand, if a remote or internal host accesses an FTP server on a host you are monitoring, the system can positively identify the application protocol.

If the system can identify the client used by a monitored host to connect to a non-monitored server, the system identifies the client's corresponding application protocol, but does not add the protocol to the network map. Note that client sessions must include a response from the server for application detection to occur. 

The system characterizes each application that it detects. The system uses these characteristics to create groups of applications, called application filters. Application filters are used to perform access control and to constrain search results and data used in reports and dashboard widgets.
You can also supplement application detector data using exported NetFlow records, Nmap active scans, and the host input feature.


Application Filtering is often used to create ACP Rules that Block or Allow traffic based on something other than the packet's usual 5-tuple. It is also the right tool when an application does not sit on a fixed, well-known port, e.g. Instant Messaging or peer-to-peer traffic tunneled over HTTP/HTTPS, or a dynamic range of ports, e.g. file sharing or peer-to-peer protocols (BitTorrent), where a plain port-based rule would either miss the traffic or block far too much.

You can view the Applications supported by default in FMC under Policies > Application Detectors.


Notice there are 6,789 Detectors (Application Visibility and Control) supported in FMC 6.2.3, and most of them have a State of enabled (checked) by default. Some Detectors can be manually Deactivated (tick to toggle to the left).


Deactivating or reactivating Detectors restarts the Snort process on the managed devices, which briefly interrupts traffic inspection (IPS); depending on how the device is configured, traffic may pass uninspected or be dropped while Snort restarts, so do this in a maintenance window rather than casually on a production box.



Type the Name of an Application in the search box and the list shows its variants and related Applications.


Create an Application Object under Objects > Application Filters.


Click Add Application Filter.


Type a Name > search for the Application under Application Filters > tick the specific Application (BitTorrent) > either select individual Applications under Available (to be more granular) or click Add to Rule (to match any BitTorrent application) > click Save.



Configure an Application Object for Facebook.



Configure an Application Object for other Social Networking sites.



Configure an Application Object for Instant Messaging.



Create ACP Rule under Policies > Access Control.


Edit the existing ACP (click the pencil icon on the far right).


Create a new Category by clicking Add Category.


Type a Name (FMC_LAB_APP) > choose Insert: above category > FMC_LAB_RULES (currently the only Category). Rules are evaluated top down, so placing the new Category above the existing one means the Application rules are matched before anything in FMC_LAB_RULES.



Click Add Rule (blue hyperlink) inside the FMC_LAB_APP Category.


These are the Application Filtering Rules configured in my FMCv lab.


I initially visited the websites to test Facebook, Instagram (for Social Networking), Skype for Web (for Instant Messaging) and uTorrent (for File Sharing/P2P) before applying the new ACP Rules.

I used my Windows 7 wired machine (192.168.1.130) for testing the Application Filtering ACP Rules.





For Application Rule #1, we'll Block (with reset) any Facebook Application (including the Facebook micro-apps: chat, games, etc.) sourced from the INSIDE-WIRED network (192.168.1.0/24).

Under Zones tab > select INSIDE-WIRED > click Add to Source > select OUTSIDE-WAN > click Add to Destination.
 

Under Networks tab > select LAB-WIRED > click Add to Source Networks.


Under Applications tab > select LAB_FACEBOOK > click Add to Rule.


Under Logging tab > click Log at Beginning of Connection (the only selection available, because a blocked connection never completes and so has no end to log) > click Add.


For Application Rule #2, we'll Block (with reset) other Social Networking websites sourced from the INSIDE-WIRED network (192.168.1.0/24) and Insert it into the FMC_LAB_APP Category.







For Application Rule #3, we'll Block (with reset) Instant Messaging Applications sourced from the INSIDE-WIRED network (192.168.1.0/24) and Insert it into the FMC_LAB_APP Category.






For Application Rule #4, we'll Block (with reset) file sharing or Peer-to-Peer (P2P) Applications sourced from the INSIDE-WIRED network (192.168.1.0/24) and Insert it into the FMC_LAB_APP Category.





Click Save and Deploy.
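The four rules above are built by hand in the GUI. The same rules can be created through the FMC REST API, which is handy when the set of application blocks has to be reproduced on several policies. The script below is an added example, not code from the original post: the FMC host, credentials, policy name and device name are placeholders, the filter object names other than LAB_FACEBOOK are assumed (the post does not name them), the endpoint paths and JSON field names are those of the FMC REST API (fmc_config v1), and the category query parameter on rule creation is an assumption that may not exist on every FMC release.

```python
"""Create the post's Block-with-reset application rules via the FMC REST API.

Added example (not from the original post). Placeholders: FMC host,
credentials, POLICY_NAME, DEVICE_NAME and the three filter names other
than LAB_FACEBOOK. The 'category' query parameter is assumed.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

FMC = "https://fmc.lab.example"          # placeholder
USER, PASSWORD = "apiuser", "changeme"   # placeholder
POLICY_NAME = "FMC_LAB_ACP"              # placeholder
DEVICE_NAME = "FTD-LAB"                  # placeholder
CATEGORY = "FMC_LAB_APP"

# Lab FMCs usually present a self-signed certificate. Skipping verification
# is acceptable only on a closed lab network; never do this in production.
CTX = ssl.create_default_context()
CTX.check_hostname = False
CTX.verify_mode = ssl.CERT_NONE

# (rule name, application filter object) in the order the post creates them.
RULES = [
    ("APP_BLOCK_FACEBOOK", "LAB_FACEBOOK"),
    ("APP_BLOCK_SOCIAL", "LAB_SOCIAL_NETWORKING"),   # assumed filter name
    ("APP_BLOCK_IM", "LAB_INSTANT_MESSAGING"),       # assumed filter name
    ("APP_BLOCK_P2P", "LAB_P2P"),                    # assumed filter name
]


def build_app_rule(name, src_zone, dst_zone, src_net, app_filter):
    """JSON body for one rule: Block with reset on an application filter,
    logged at beginning of connection (the only logging a Block rule has)."""
    return {
        "name": name,
        "type": "AccessRule",
        "action": "BLOCK_RESET",
        "enabled": True,
        "sourceZones": {"objects": [src_zone]},
        "destinationZones": {"objects": [dst_zone]},
        "sourceNetworks": {"objects": [src_net]},
        "applications": {"applicationFilters": [app_filter]},
        "logBegin": True,
        "logEnd": False,
        "sendEventsToFMC": True,
    }


def ref(obj):
    """Reduce a full FMC object to the {id, type, name} reference form."""
    return {"id": obj["id"], "type": obj["type"], "name": obj["name"]}


def find_by_name(items, name):
    for item in items:
        if item.get("name") == name:
            return item
    raise KeyError(f"no FMC object named {name!r}")


def fmc(method, path, token=None, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(FMC + path, method=method, data=data)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-auth-access-token", token)
    else:  # the token endpoint itself uses HTTP basic auth
        cred = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=CTX) as resp:
        raw = resp.read()
        return resp.headers, (json.loads(raw) if raw else {})


def login():
    headers, _ = fmc("POST", "/api/fmc_platform/v1/auth/generatetoken")
    return headers["X-auth-access-token"], headers["DOMAIN_UUID"]


def get_all(token, path):
    _, data = fmc("GET", path + "?expanded=true&limit=1000", token)
    return data.get("items", [])


def push_rules_and_deploy():
    token, domain = login()
    cfg = f"/api/fmc_config/v1/domain/{domain}"
    zones = get_all(token, f"{cfg}/object/securityzones")
    nets = get_all(token, f"{cfg}/object/networks")
    filters = get_all(token, f"{cfg}/object/applicationfilters")
    policy = find_by_name(get_all(token, f"{cfg}/policy/accesspolicies"), POLICY_NAME)
    src_zone, dst_zone = ref(find_by_name(zones, "INSIDE-WIRED")), ref(find_by_name(zones, "OUTSIDE-WAN"))
    src_net = ref(find_by_name(nets, "LAB-WIRED"))
    created = []
    for rule_name, filter_name in RULES:
        body = build_app_rule(rule_name, src_zone, dst_zone, src_net, ref(find_by_name(filters, filter_name)))
        query = urllib.parse.urlencode({"category": CATEGORY})   # assumed parameter
        _, rule = fmc("POST", f"{cfg}/policy/accesspolicies/{policy['id']}/accessrules?{query}", token, body)
        created.append(rule.get("id"))
    # "Deploy": request a deployment for the managed device (body per the API explorer; verify on your release).
    dev = find_by_name(get_all(token, f"{cfg}/deployment/deployabledevices"), DEVICE_NAME)
    deploy = {"type": "DeploymentRequest", "version": dev["version"], "forceDeploy": False,
              "ignoreWarning": True, "deviceList": [dev["device"]["id"]]}
    fmc("POST", f"{cfg}/deployment/deploymentrequests", token, deploy)
    return created


if __name__ == "__main__":
    print(push_rules_and_deploy())
```

build_app_rule is kept as a pure function so the rule body can be checked before anything is sent; the action, zones, network and filter in the body correspond one to one with the Zones, Networks, Applications and Logging tabs used above.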



I visited the websites again and noticed an Error Connection Reset (due to the ACP Block with reset).




You can view the Blocked connection events under Analysis > Connections > Events.


Notice that the Skype IM Application is identified and blocked even though it is tunneled via HTTPS/SSL on TCP port 443; a plain port-based rule would not have distinguished it from ordinary web browsing.
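The Skype event above, and the SSL detectors described at the top of the post, both rest on the same fact: the client names the server it wants in the TLS ClientHello (the Server Name Indication extension), in cleartext, before any encryption starts, so an application can be named without decrypting the session. The snippet below is an added example, not Firepower code; the ClientHello bytes and the hostname-to-application table are constructed here for illustration, and the matching logic is a simplified stand-in for what the VDB detectors do.

```python
"""Identify an application from the cleartext SNI in a TLS ClientHello.

Added example, not Firepower code. The ClientHello builder produces
constructed test input and the SNI_TO_APP table is illustrative only.
"""
import struct

# Constructed table: server names a detector might tie to an application.
SNI_TO_APP = {
    "facebook.com": "Facebook",
    "fbcdn.net": "Facebook",
    "instagram.com": "Instagram",
    "skype.com": "Skype",
}


def client_hello(server_name):
    """Minimal TLS 1.2 ClientHello record with one SNI extension
    (constructed input; enough for the parser below, not a full handshake)."""
    host = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host           # name_type host_name(0)
    sni_ext = struct.pack("!H", len(sni_list)) + sni_list
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext           # extension_type server_name(0)
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # client_version, random, session_id length 0
            + b"\x00\x02\x13\x01"                   # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the SNI hostname from a TLS ClientHello record, or None."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None                      # not a handshake record, or not a ClientHello
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    sid_len = data[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = data[pos]; pos += 1 + cm_len
    if pos + 2 > len(data):
        return None                      # no extensions block: nothing to identify from
    ext_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    end = min(pos + ext_len, len(data))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
        if etype == 0:                   # server_name: list_len(2), name_type(1), host_len(2), host
            hlen = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            return data[pos + 5:pos + 5 + hlen].decode("ascii", "replace")
        pos += elen
    return None


def identify_app(data):
    """Map the SNI to an application by walking the name's parent domains,
    so www.facebook.com matches the facebook.com entry."""
    name = extract_sni(data)
    if name is None:
        return "unknown"
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        app = SNI_TO_APP.get(".".join(labels[i:]))
        if app:
            return app
    return "unknown"


if __name__ == "__main__":
    for host in ("www.facebook.com", "web.skype.com", "example.org"):
        print(host, "->", identify_app(client_hello(host)))
```

The caveat this makes visible: the rule fires only on what the client writes into the ClientHello. A session with no SNI, an encrypted SNI, or a deliberately misleading one will not be identified this way, so the detector falls back on other signals (such as the server certificate) or fails to classify the flow at all; decryption policy on the sensor is what closes that gap.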


This is the Event Log for Facebook Application and Instagram.




I tried downloading the uTorrent desktop client but was blocked by Firepower ACP.



