For those following Cisco security, you probably know Cisco acquired Sourcefire last year (more found HERE). The most anticipated release has been adding Sourcefire's flagship FirePOWER offering inside Cisco's most popular firewall, the Adaptive Security Appliance (ASA). As of September 16th, this offering is officially available. You can find data sheets, configuration guides and more on the new release HERE. This post covers the steps I used to build my ASA with Sourcefire lab.
You will need a 2nd generation ASA with an SSD drive (NOTE: Sourcefire is not available on 1st generation ASAs; see HERE for the model numbers. The ASA 5505 is a first gen ASA, but new models for small business are coming out shortly). There are versions of Sourcefire that don't require an ASA, such as a dedicated appliance and a virtual Sourcefire appliance; however, this post covers running Sourcefire within an ASA-X, in this case an ASA 5515-X. You will also need a management appliance to manage the FirePOWER services. My lab uses a virtualized version of this called FireSIGHT, run on ESXi 5.1. Your ASA must be running 9.2 or later, as specified on the release page.
NOTE: You can only run one additional feature package on the ASA. The options today are the older dedicated IPS, ASA CX, or Sourcefire. If one of them is already installed, you will have to stop that service and uninstall it before moving forward. For example, if the dedicated IPS is installed on the ASA, you would issue the following commands to remove it:
hostname# sw-module module ips shutdown
hostname# sw-module module ips uninstall
Many of the initial steps are similar to how ASA CX is installed on an ASA (see my post HERE). The first step is getting the software image. Download the boot image from Cisco. I suggest using ASDM and installing it under File Management, as explained in my ASA CX post found HERE. An example boot image file is asasfr-5500x-boot-5.3.1-58.img. Next you will need to get the FirePOWER system software from cisco.com and FTP that to the ASA once the boot image is running. Again, the steps are similar to the ASA CX post, i.e. I suggest using Dropbox to host it. In summary, you set the boot image using
hostname# sw-module module sfr recover configure image disk0:file_path
(for example, disk0:asasfr-5500x-boot-5.3.1-58.img, the boot image mentioned above)
Load the image using
hostname# sw-module module sfr recover boot
Session to the image to get the Sourcefire command line (log in with user admin and password Admin123):
hostname# session sfr console
Type setup and configure the basic settings.
Install the system package using
system install http://asasfr-sys-5.3.1-44.pkg (I suggest using Dropbox instead of this example, so your link would be a Dropbox share link. Make sure to put the file in your Public folder or the ASA won't be able to reach it. Also make sure to delete it from Dropbox after you are done!)
Session to the Sourcefire module from the ASA command line using session sfr (similar to ASA CX). Log in with user admin and password Sourcefire. Complete the system configuration.
Specify the FireSIGHT management IP address (installation process below) using the following command. You need the IP address and a registration key that you make up. It can be whatever you want, such as happy123 or, in my example, thesecurityblogger. You will need this key later when you add the device in FireSIGHT management.
configure manager add 10.89.133.202 thesecurityblogger (NOTE: the IP is 10.89.133.202 and the made-up key is thesecurityblogger in this example)
At this point, all future steps are done within the FireSIGHT management.
Now you need to build the FireSIGHT management. Download Virtual FireSIGHT / Defense Center for VMware, which comes as a .tar.gz file. I used 7-Zip on my Windows VM to uncompress the file, since I need Windows to access my ESX system (VMware needs to develop a Mac client!). You have to unzip the .gz and then untar it. You should end up with a .vmdk file. Deploy the .OVF file in ESXi and set the basic network configuration. Once complete, you should be able to access your FireSIGHT management GUI using the IP address you specified during the basic network setup. Open FireSIGHT in a standard browser and use admin for the user name and Sourcefire for the password. From the GUI, you will be asked to change the password. You can modify the network, time and other basics from the GUI if they weren't done during the initial setup; these are found under System->Local->Configuration.
Basic System Setup Options in FireSIGHT
It's recommended to enable rule updates, check for software updates and enable geolocation updates. You do this by going to System->Updates and then selecting Download Updates. Updates will appear and state whether they require a reboot. Select the present (gift) icon to install. NOTE: A reboot here will not reboot the core ASA. Sourcefire has its own processing, CPU, etc. and runs inside the ASA much like a virtual machine inside a server.
Updating software in FireSIGHT
The ASA with Sourcefire has three license offerings, installed under System->Licenses. The default system gives you Application Visibility and Control (identifying an iPad, a Windows system running Firefox, etc.); however, there is a separate URL license. The URL license gives you all categories, such as blocking adult websites, micro apps in Facebook, and reputation security, meaning blocking known bad websites. For example, most attackers wouldn't launch attacks from their home network. They would attack you from a new / rogue IP address that, based on negative reputation, would be blocked by this feature (aka pre-attack blocking of the traffic before it can hit your network). This typically stops 80% or more of daily attacks, since to get through, traffic must come from a source with an established good reputation. The second license option is IPS/IDS for blocking attacks. The last license enables Advanced Malware Protection (AMP), used to identify infected files on the network and endpoints (more on the endpoint-only version HERE; the ASA with Sourcefire version covers the network and, if you include the optional agents, endpoints). Add a license by clicking Add Feature License, pasting your license key and submitting the license.
At this point, you should be able to add the FirePOWER services on the ASA. In the management GUI go to Devices->Device Management, click the Add button and select Add Device. You will be asked for the IP address of the Sourcefire module inside the ASA and the key you made up (thesecurityblogger in the example) in the Registration Key field. Check which licenses you want to apply, assuming you loaded some prior to this, and click Add.
There are other steps to setting up FireSIGHT, such as building access control policies, enabling network discovery to see what's on the network, and so on (discovery is found under Policies->Network Discovery; add a rule to specify the entire network). Before doing that, you should go back to your ASA and configure traffic to be redirected through the FirePOWER component of the ASA. NOTE: Without redirecting traffic through Sourcefire, the ASA will just act as a firewall, meaning traffic will not be seen by the Sourcefire software inside.
Access ASDM and select Configuration > Firewall > Service Policy Rules. Next select Add > Add Service Policy Rule. Click Next. The Add Service Policy Rule Wizard – Traffic Classification Criteria dialog box appears. Provide the basic info and, on the next page, select the ASA FirePOWER Inspection tab. Check the Enable ASA FirePOWER for this traffic flow check box. Select whether you want to permit traffic if Sourcefire fails. Click Finish.
FirePower service inspection policy tab
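The same redirect can be configured from the ASA CLI instead of the ASDM wizard. The following is an added example, not from the original post: the class-map name sfr-class is my own choice, and it assumes the ASA's default global_policy policy map is in use.

```text
! 1. Confirm the module is up before redirecting traffic; Status should show Up.
hostname# show module sfr details
!
! 2. Define which traffic is sent to the module (here: everything).
hostname# configure terminal
hostname(config)# class-map sfr-class
hostname(config-cmap)# match any
hostname(config-cmap)# exit
!
! 3. Attach the class to the global policy and choose the failure behaviour.
!    fail-open  = permit traffic if the module is down (what the wizard check box sets)
!    fail-close = drop traffic if the module is down
!    Append "monitor-only" to send a copy of traffic so the module can alert but not block.
hostname(config)# policy-map global_policy
hostname(config-pmap)# class sfr-class
hostname(config-pmap-c)# sfr fail-open
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
!
! 4. The default config already applies global_policy globally; harmless if already present.
hostname(config)# service-policy global_policy global
hostname(config)# exit
!
! 5. Verify packets are being redirected; the counters should climb as traffic flows.
hostname# show service-policy sfr
```

Start with fail-open in a lab so a module reboot during updates does not cut off your own access, and decide on fail-close only once the module has proven stable.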
At this point, you should see basic data in the FireSIGHT management GUI. Check out the FireSIGHT management overview post HERE to get an idea of things to configure. You now have a basic lab. Enjoy!
SourceFire tab in ASA ASDM