This document describes how to use the remediation module on a Cisco FireSight appliance in order to detect attacks and automatically remediate the attacker with the use of the Cisco Identity Service Engine (ISE) as a policy server. The example that is provided in this document describes the method that is used for remediation of a remote VPN user who authenticates via the ISE, but it can also be used for an 802.1x/MAB/WebAuth wired or wireless user.
Note: The remediation module that is referenced in this document is not officially supported by Cisco. It is shared on a community portal and can be used by anyone. In Versions 5.4 and later, there is also a newer remediation module available that is based on the pxGrid protocol. This module is not supported in Version 6.0 but is planned to be supported in future versions.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
Microsoft Windows 7
Cisco ASA Version 9.3 or later
Cisco ISE software Versions 1.3 and later
Cisco AnyConnect Secure Mobility Client Versions 3.0 and later
Cisco FireSight Management Center Version 5.4
Cisco FirePower Version 5.4 (Virtual Machine (VM))
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Use the information that is provided in this section in order to configure your system.
The example that is described in this document uses this network setup:
Here is the flow for this network setup:
The user initiates a remote VPN session with the ASA (via Cisco AnyConnect Secure Mobility Version 4.0).
The user attempts to access http://172.16.32.1. (The traffic moves via FirePower, which is installed on the VM and is managed by FireSight.)
FirePower is configured so that it blocks (inline) that specific traffic (access policies), but it also has a Correlation Policy that is triggered. As a result, it initiates the ISE remediation via REST Application Programming Interface (API) (the QuarantineByIP method).
Once the ISE receives the REST API call, it looks up for the session and sends a RADIUS Change of Authorization (CoA) to the ASA, which terminates that session.
The ASA disconnects the VPN user. Since AnyConnect is configured with Always-on VPN access, a new session is established; however, this time a different ISE Authorization rule is matched (for quarantined hosts) and limited network access is provided. At this stage, it does not matter how the user connects and authenticates to the network; as long as the ISE is used for authentication and authorization, the user has limited network access due to quarantine.
As previously mentioned, this scenario works for any type of authenticated session (VPN, wired 802.1x/MAB/Webauth, wireless 802.1x/MAB/Webauth) as long as the ISE is used for authentication and the network access device supports the RADIUS CoA (all modern Cisco devices).
Tip: In order to move the user out of quarantine, you can use the ISE GUI. Future versions of the remediation module might also support it.
Note: A VM appliance is used for the example that is described in this document. Only the initial configuration is performed via the CLI. All of the policies are configured from Cisco Defence Center. For more details, refer to the Related Information section of this document.
The VM has three interfaces, one for management and two for inline inspection (internal/external).
All of the traffic from the VPN users moves via FirePower.
FireSight Management Center (Defence Center)
Access Control Policy
After you install the correct licenses and add the FirePower device, navigate to Policies > Access Control and create the Access Policy that is used in order to drop the HTTP traffic to 172.16.32.1:
All other traffic is accepted.
ISE Remediation Module
The current version of the ISE module that is shared on the community portal is ISE 1.2 Remediation Beta 1.3.19:
Navigate to Policies > Actions > Remediations > Modules and install the file:
The correct instance should then be created. Navigate to Policies > Actions > Remediations > Instances and provide the IP address of the Policy Administration Node (PAN), along with the ISE administrative credentials that are needed for the REST API (a separate user with the ERS Admin role is recommended):
The source IP address (attacker) should also be used for remediation:
You must now configure a specific correlation rule. This rule is triggered at the start of the connection that matches the previously configured access control rule (DropTCP80). In order to configure the rule, navigate to Policies > Correlation > Rule Management:
This rule is used in the Correlation Policy. Navigate to Policies > Correlation > Policy Management in order to create a new policy, and then add the configured rule. Click Remediate on the right and add two actions: remediation for sourceIP (configured earlier) and syslog:
Ensure that you enable the correlation policy:
An ASA that acts as a VPN gateway is configured in order to use the ISE for authentication. It is also necessary to enable accounting and the RADIUS CoA:
tunnel-group SSLVPN-FIRESIGHT general-attributes address-pool POOL-VPN authentication-server-group ISE accounting-server-group ISE default-group-policy POLICY
aaa-server ISE protocol radius interim-accounting-update periodic 1 dynamic-authorization aaa-server ISE (inside) host 172.16.31.202 key *****
Navigate to Administration > Network Devices and add the ASA that acts as a RADIUS client.
Enable Adaptive Network Control
Navigate to Administration > System > Settings > Adaptive Network Control in order to enable quarantine API and functionality:
Note: In Versions 1.3 and earlier, this feature is called Endpoint Protection Service.
In order to create a Downloadable Access Control List (DACL) that is used for the quarantined hosts, navigate to Policy > Results > Authorization > Downloadable ACL.
Authorization Profile for Quarantine
Navigate to Policy > Results > Authorization > Authorization Profile and create an authorization profile with the new DACL:
You must create two authorization rules. The first rule (ASA-VPN) provides full access for all of the VPN sessions that are terminated on the ASA. The rule ASA-VPN_quarantine is hit for the reauthenticated VPN session when the host is already in quarantine (limited network access is provided).
In order to create these rules, navigate to Policy > Authorization:
Use the information that is provided in this section in order to verify that your configuration works properly.
AnyConnect Initiates ASA VPN Session
The ASA creates the session without any DACL (full network access):
asav# show vpn-sessiondb details anyconnect
Session Type: AnyConnect
Username : cisco Index : 37 Assigned IP : 172.16.50.50 Public IP : 192.168.10.21 Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Essentials Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1 Bytes Tx : 18706 Bytes Rx : 14619 Group Policy : POLICY Tunnel Group : SSLVPN-FIRESIGHT Login Time : 03:03:17 UTC Wed May 20 2015 Duration : 0h:01m:12s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : ac10206400025000555bf975 Security Grp : none
...... DTLS-Tunnel: <some output omitted for clarity>
User Attempts Access
Once the user attempts to access http://172.16.32.1, the access policy is hit, the traffic that corresponds is blocked inline, and the syslog message is sent from the FirePower management IP address:
The FireSight management (Defence Center) Correlation Policy is hit, which is reported by the syslog message that is sent from Defence Center:
May 24 09:37:10 172.16.31.206 SFIMS: Correlation Event: CorrelateTCP80Block/CorrelationPolicy at Sun May 24 09:37:10 2015 UTCConnection Type: FireSIGHT 172.16.50.50:49415 (unknown) -> 172.16.32.1:80 (unknown) (tcp)
At this stage, Defence Center uses the REST API (quarantine) call to the ISE, which is an HTTPS session and can be decrypted in Wireshark (with the Secure Sockets Layer (SSL) plugin and the private key of the PAN administrative certificate):
In GET request for the IP address of the attacker is passed (172.16.50.50), and that host is quarantined by the ISE.
Navigate to Analysis > Correlation > Status in order to confirm the successful remediation:
ISE Performs Quarantine and Sends CoA
At this stage, the ISE prrt-management.log notifies that the CoA should be sent:
When you navigate to Operations > Authentication, it should show Dynamic Authorization succeeded.
VPN Session is Disconnected
The end user sends a notification in order to indicate that the session is disconnected (for 802.1x/MAB/guest wired/wireless, this process is transparent):
Details from the Cisco AnyConnect logs show:
10:48:05 AM Establishing VPN... 10:48:05 AM Connected to 172.16.31.100. 10:48:20 AM Disconnect in progress, please wait... 10:51:20 AM The secure gateway has terminated the VPN connection. The following message was received from the secure gateway: COA initiated
VPN Session with Limited Access (Quarantine)
Because always-on VPN is configured, the new session is built immediately. This time, the ISE ASA-VPN_quarantine rule is hit, which provides the limited network access:
Note: The DACL is downloaded in a separate RADIUS request.
A session with limited access can be verified on the ASA with the show vpn-sessiondb detail anyconnect CLI command:
asav# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : cisco Index : 39 Assigned IP : 172.16.50.50 Public IP : 192.168.10.21 Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Essentials Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1 Bytes Tx : 11436 Bytes Rx : 4084 Pkts Tx : 8 Pkts Rx : 36 Pkts Tx Drop : 0 Pkts Rx Drop : 0 Group Policy : POLICY Tunnel Group : SSLVPN-FIRESIGHT Login Time : 03:43:36 UTC Wed May 20 2015 Duration : 0h:00m:10s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : ac10206400027000555c02e8 Security Grp : none
...... DTLS-Tunnel: <some output ommited for clarity> Filter Name : #ACSACL#-IP-DENY_ALL_QUARANTINE-5561da76
This section provides information that you can use in order to troubleshoot your configuration.
FireSight (Defence Center)
The ISE remediation script resides in this location:
root@Defence:/var/sf/remediations/ISE_1.3.19# ls _lib_ ise-instance ise-test.pl ise.pl module.template
This is a simple perl script that uses the standard SourceFire (SF) logging subsystem. Once remediation is executed, you can confirm the results via the /var/log/messages:
May 24 19:30:13 Defence SF-IMS: ise.pl:SourceIP-Remediation [INFO]  quar_ip:172.16.50.50 (1->3 sid:1) Starting remediation May 24 19:30:13 Defence SF-IMS: ise.pl:SourceIP-Remediation [INFO]  quar_ip:172.16.50.50 (1->3 sid:1) 172.16.31.202 - Success 200 OK - Quarantined 172.16.50.50 as admin
It is important that you enable the Adaptive Network Control service on the ISE. In order to view the detailed logs in a runtime process (prrt-management.log and prrt-server.log), you must enable the DEBUG level for Runtime-AAA. Navigate to Administration > System > Logging > Debug Log Configuration in order to enable the debugs.
You can also navigate to Operations > Reports > Endpoint and Users > Adaptive Network Control Audit in order to view the information for every attempt and result of a quarantine request:
Refer to Cisco bug ID CSCuu41058 (ISE 1.4 Endpoint Quarantine inconsistency and VPN failure) for information about an ISE bug that is related to VPN session failures (802.1x/MAB works fine).