First of all, thank you, readers, for joining me in sharing firewall technology. Here I will share the packet-processing part of the Cisco-authorized book Firepower Threat Defense.

The physical book is shown in the photo below.

[Image: photo of the physical book]

I have stored the ebook (74.6 MB) on Google Drive, link: https://drive.google.com/file/d/172a0tCTMgoa4SgrG-nWek9_inDviaJQB/view?usp=sharing

md5sum:69f97ed52a21076c5aa4ecb60892866f

Let's get to the topic. PDF page 491 shows the workflow of a packet through Firepower, which I have organized as follows.

[Image: flow of packets through the firewall and Firepower engines]

(1)

As with any network device, the packet enters on the ingress interface (Packet -> Ingress Interface).

(2)

If the connection already exists, it takes the Fast Path to Data Acquisition; if not, it goes through VPN decryption (if this is a VPN connection) and UN-NAT egress translation.

UN-NAT is the mandatory stage for translating the destination IP address. In fact, the firewall undoes the NAT translation first and then checks the ACL; if a NAT-based ACL matches, the firewall uses the NAT rule, not the routing table, to determine the egress interface.

(3)

After the ASA engine has collected the data, the packet enters the Firepower engine.

(4)

The packet structure is decoded, starting with L2-L4; L3 and L4 are what matter most.

(5)

After decoding, a Security Intelligence lookup is performed on L3.

Security Intelligence can be understood as a database provided by Cisco, sourced from Cisco Talos. When you initialize Firepower, one of the steps is to use the Cisco-preconfigured DNS server addresses, which it is not recommended to change; that is how Security Intelligence gets its updates. Security Intelligence can also be customized.

Security Intelligence uses source / destination IP addresses and URLs, and it takes precedence over all other policies.

[Security Intelligence technical architecture]

[Image: architecture of the Security Intelligence technology]

Official doc: https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/security_intelligence_blacklisting.html

(6)

IP fragment handling: packets larger than the MTU are split into fragments.

TCP handling: Firepower inspects the complete, reassembled TCP stream rather than individual TCP packets.

UDP handling: Firepower uses the IP header and the port fields of the UDP header to determine the direction of the UDP flow and identify the session.

Official doc: https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/transport_network_layer_preprocessors.html#ID-2169-000004b3

(7)

Application identification, e.g. FTP, Telnet, SMTP or SSH.

(8)

Security Intelligence lookup on URL and DNS.

(9)

User identification (Identity policy).

(10)

ACL check of application and URL.

I think (7) uses Security Intelligence and (10) uses administrator-defined rules.

(11)

QoS classification. This requires FMC; FDM does not currently support QoS.

(12)

Host and user identification.

(13)

File type identification.

(14)

Malware analysis.

(15)

Generator IDs, such as Back Orifice (105), portscan (122), rate-based connection detection (135), sensitive data (138, 139).

Official doc: https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-intrusion.html

(16)

Snort rule check, the last stage of the Firepower engine.

wiki: https://zh.wikipedia.org/wiki/Snort

(17)

Flow update.

(18)

ALG inspection: an Application Layer Gateway is an L7 NAT-traversal technique and is enabled by default on most routers.

wiki: https://zh.wikipedia.org/wiki/%E6%87%89%E7%94%A8%E5%B1%A4%E9%96%98%E9%81%93

(19)

NAT encapsulation.

(20)

QoS enforcement. This requires FMC; FDM does not currently support QoS.

(21)

VPN encryption (if required).

(22)

The routing table is checked for a match on the destination IP address.

(23)

The MAC table is checked for a match on the destination MAC address. An environment in which the MAC table has not yet been flushed does not affect the ASA engine mechanism.

(24)

The packet leaves the device through the egress interface (Egress interface -> Packet).
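To make the ordering concrete, here is an added Python model (my own illustration, not code from the book or from Cisco) of steps 2, 5, 10 and 17: the existing-connection fast path, UN-NAT before the ACL, Security Intelligence ahead of the ACL, and the flow update. The addresses, NAT entry and blocklist entry are constructed sample values; what it shows is that an access rule written against the mapped (pre-UN-NAT) address never matches, and that a blocklisted source is dropped even where the ACL would permit it.

```python
from dataclasses import dataclass, field

# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
SI_BLOCKLIST = {"203.0.113.9"}              # Security Intelligence IP feed (step 5)
NAT_TABLE = {"198.51.100.10": "10.0.0.10"}  # mapped (outside) -> real (inside) address
ACL_REAL = [("permit", "10.0.0.10", 443), ("deny", "*", None)]        # names real IP
ACL_MAPPED = [("permit", "198.51.100.10", 443), ("deny", "*", None)]  # names mapped IP

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    trace: list = field(default_factory=list)

def process(pkt, acl, flows):
    # Steps 2, 5, 10 and 17 of the flow above; returns "forward" or "drop".
    key = (pkt.src, pkt.dst, pkt.dport)
    if key in flows:                                   # step 2: existing connection
        pkt.trace.append("fast-path")                  # skips decrypt, UN-NAT and ACL
        pkt.dst = flows[key]
        return "forward"
    real = NAT_TABLE.get(pkt.dst, pkt.dst)             # step 2: UN-NAT before the ACL
    pkt.trace.append(f"un-nat:{pkt.dst}->{real}")
    pkt.dst = real
    if pkt.src in SI_BLOCKLIST or pkt.dst in SI_BLOCKLIST:  # step 5: SI outranks ACL
        pkt.trace.append("si-drop")
        return "drop"
    for action, addr, port in acl:                     # step 10: ACL sees real address
        if addr in ("*", pkt.dst) and port in (None, pkt.dport):
            pkt.trace.append(f"acl-{action}")
            if action == "deny":
                return "drop"
            break
    flows[key] = real                                  # step 17: flow update
    return "forward"

def demo():
    flows = {}
    first = Packet("192.0.2.5", "198.51.100.10", 443)
    repeat = Packet("192.0.2.5", "198.51.100.10", 443)
    listed = Packet("203.0.113.9", "198.51.100.10", 443)
    mapped = Packet("192.0.2.5", "198.51.100.10", 443)
    return {
        "first": (process(first, ACL_REAL, flows), first.trace),
        "repeat": (process(repeat, ACL_REAL, flows), repeat.trace),
        "listed": (process(listed, ACL_REAL, flows), listed.trace),
        "mapped_acl": (process(mapped, ACL_MAPPED, {}), mapped.trace),
    }
```

Run `demo()` to see each packet's verdict and the stages it touched; the "mapped_acl" case is the one that bites in practice when rules are written with the NAT-ed address.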
