Base system (platform): | Cisco Adaptive Security Appliance (ASA) |
Developer: | Cisco Systems |
Initial release date: | 2016/02/18 |
Last release date: | 2021/03/31 |
Technology: | Information security - Firewalls |
Cisco Firepower is a fully integrated, threat-focused next-generation firewall (NGFW).
2024: Command-injection vulnerability in Cisco FMC lets an authenticated user execute arbitrary OS commands
In a bulletin dated October 28, FSTEC warned of a critical vulnerability, BDU:2024-08598[1], in the web-based management interface of Cisco Firepower Management Center (FMC). Exploiting it could allow a remote attacker to execute arbitrary commands on the underlying operating system with root privileges by sending specially crafted HTTP requests. The CVSS v3 severity score is 9.9 out of 10.
Cisco has already released fixes; the vulnerability was closed in the October patch set. It is an OS command injection: special elements in request input are not neutralised before being used in an operating system command. An attacker who holds valid FMC credentials can therefore execute arbitrary commands on the appliance.
As a rule, such systems are not exposed on the perimeter, Alexei Lednev, head of the attack detection department at the Positive Technologies Expert Security Center, explained to TAdviser. In addition, a valid account in the system is required to exploit it. Plus, there is no exploit in the public domain. All this suggests that a mass attack should not be expected. But an APT group may well exploit this vulnerability, since network devices are a tasty enough morsel for attackers.
Although the vulnerability carries a CVSS score of 9.9, which implies, among other things, easy exploitation, in practice an attacker needs credentials for a user with at least the Security Analyst role in order to use it successfully.
This vulnerability stems from insufficient validation of input in certain HTTP requests, and to exploit it an attacker needs valid credentials for a user account with at least the Security Analyst role, Alexey Ryabinin, leading specialist in the confidential information technical protection department at Cloud Networks, told TAdviser. It can then be exploited by authenticating to the web management interface of the vulnerable device and sending the crafted HTTP request to it.
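The pattern described above, unneutralised request input reaching an OS command, is shown below as an added example; it is not FMC code and says nothing about how the real flaw is implemented. The diagnostic-lookup handler, the use of `echo` as a stand-in for the real tool (so that the example runs offline) and the hostname allowlist are all assumptions made for the illustration. The vulnerable variant concatenates the parameter into a shell string; the hardened variant validates the parameter against a strict pattern and passes it as a separate argv element with no shell involved.

```python
import re
import subprocess

# Hypothetical management-UI diagnostic handler (not Cisco code): a hostname
# taken from an HTTP request parameter is passed to a lookup-style command.
# `echo` stands in for the real tool so the example runs anywhere.


def vulnerable_lookup(hostname: str) -> str:
    """CWE-78 pattern: the parameter is spliced into a shell command string.
    Shell metacharacters are not neutralised, so 'a; echo INJECTED' runs a
    second command with the privileges of the web service."""
    cmd = "echo lookup " + hostname
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, no leading hyphen (so the value can never look like an option).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_hostname(hostname: str) -> bool:
    """Allowlist check on the request parameter (layer 1)."""
    return _HOSTNAME_RE.match(hostname) is not None


def hardened_lookup(hostname: str) -> str:
    """Layer 1: reject anything that is not a plain hostname.
    Layer 2: pass the value as its own argv element with shell=False, so even
    a value that slipped past validation is never parsed by a shell."""
    if not is_valid_hostname(hostname):
        raise ValueError("invalid hostname")
    proc = subprocess.run(
        ["echo", "lookup", hostname], shell=False, capture_output=True, text=True
    )
    return proc.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print(vulnerable_lookup(payload), end="")   # prints a second line: INJECTED
    print(hardened_lookup("example.com"), end="")
    try:
        hardened_lookup(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

The advisory's "root privileges" detail is the other half of the problem: the injected command inherits the identity of the web service, so running the management application as an unprivileged user bounds what a successful injection can do even before the input handling is fixed.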
Obtaining account credentials is not easy; it may well require phishing.
To exploit the vulnerability, an attacker needs to obtain user credentials, which can be obtained through a phishing attack, Andrei Yashinin, vulnerability analysis engineer at R-Vision, explained the attack chain to TAdviser readers. Phishing is a common method of obtaining information, and it is often difficult to counter because of low employee awareness. As a result, the vulnerability can lead to leakage of confidential data stored in the system, modification of data, injection of malicious commands and disruption of normal system operation. An attacker can also completely block access to network management.
It should be noted that the product itself was once popular in Russia.
The Cisco Firepower Management Center product is quite popular on the Russian market, and many companies continue to use it, Alexander Shilov, head of network security at K2 Cybersecurity, told TAdviser. The import substitution process is in full swing and Russian analogues of the product are actively developing. But not all users are ready to quickly abandon familiar and proven Western solutions in favour of domestic ones.
FSTEC specialists propose the following measures to protect against exploitation of this vulnerability:
- Disable or delete unused user accounts;
- Use intrusion detection and prevention systems to identify and respond to exploitation attempts;
- Segment the network to restrict access to the vulnerable software.
Although it is not among the measures FSTEC proposes, closing direct Internet access to the vulnerable product and providing a secure VPN connection for remote administration would be quite appropriate here. Such management systems are usually installed inside the corporate network, where attackers cannot reach them directly.
Alexander Shilov also recommends a stealth rule on the internal firewall, which helps prevent attacks by closing off unauthorised access to the web management interface. All the experts agree, however, that fixing the vulnerability requires installing the manufacturer's updates, which is not easy for Russian companies.
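The two mitigations above, restricting who can reach the management interface and detecting exploitation attempts, can be checked against web-server logs. The following is an added example written for this article, not an FSTEC or Cisco tool: it parses constructed access-log lines in a simplified Combined Log Format, flags requests to the management UI that did not come from the administrator subnet (what a stealth rule would block at the network layer, so any such hit means the rule is missing or bypassed) and flags request parameters that contain shell metacharacters after URL decoding. The log lines, the management-UI path prefix `/ui/`, the `host` parameter and the admin subnet 10.10.0.0/24 are all constructed for the illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions for the example: the management UI lives under /ui/ and only
# hosts in ADMIN_NET are allowed to reach it (the scope of the stealth rule).
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")
MGMT_PATH_PREFIX = "/ui/"

# Constructed sample log lines; the parameter value in the second line is
# "a.example.com;id" once percent-decoded.
SAMPLE_LOG = """\
10.10.0.5 - analyst [28/Oct/2024:10:01:02 +0300] "GET /ui/diagnostics?host=core-sw1.example.internal HTTP/1.1" 200 512
10.10.0.5 - analyst [28/Oct/2024:10:02:40 +0300] "GET /ui/diagnostics?host=a.example.com%3Bid HTTP/1.1" 200 640
203.0.113.17 - analyst [28/Oct/2024:10:03:11 +0300] "GET /ui/diagnostics?host=core-sw1.example.internal HTTP/1.1" 200 512
203.0.113.17 - - [28/Oct/2024:10:03:30 +0300] "POST /ui/diagnostics HTTP/1.1" 401 0
10.10.0.7 - admin [28/Oct/2024:10:05:00 +0300] "GET /static/logo.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Characters that let a value escape into a shell: separators, pipes,
# substitution, redirection, quoting and line breaks.
SHELL_META_RE = re.compile(r'[;&|`$<>\n\r\'"\\]')


def parse_line(line):
    """Returns a dict with ip, user, path and decoded query params, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes, so the check below sees the same bytes the
    # application would hand to a command.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def analyse(log_text):
    """Returns a list of (rule, source_ip, user, path) findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MGMT_PATH_PREFIX):
            continue
        if rec["ip"] not in ADMIN_NET:
            findings.append(("mgmt-access-from-outside-admin-net",
                             str(rec["ip"]), rec["user"], rec["path"]))
        for name, value in rec["params"]:
            if SHELL_META_RE.search(value):
                findings.append(("shell-metachar-in-param:" + name,
                                 str(rec["ip"]), rec["user"], rec["path"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The second line of the sample shows why decoding matters: the raw log carries `%3B`, and a pattern applied before decoding would miss the semicolon. The third and fourth lines are the kind of hit that should never appear once the stealth rule is in place; the fourth is an unauthenticated probe (status 401) and is still worth an alert, since credentials are the attacker's missing piece.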
2021: FSTEC of Russia certification of the firewall
On March 31, 2021, SATEL announced that it had received a certificate of compliance for an information security tool - a firewall implemented in Cisco Firepower 2100 series network security devices. The certificate was issued by the Federal Service for Technical and Export Control of the Russian Federation (FSTEC of Russia).
SATEL certified the equipment under the "series" scheme, which allows customers to obtain an unlimited number of certified Cisco Firepower 2100 firewalls.
Cisco Firepower 2100 is a type "A" and type "B" firewall used on the physical and logical boundary of an information system, or between the physical and logical boundaries of information system segments. It is designed for connecting local area networks into an enterprise-wide network (intranet) and to wide area networks such as the Internet. Integration is based on administrator-defined rules for filtering information flows in specified directions, which delimit the access of subjects of one network to objects of another. The rule set is interpreted by a sequence of firewall software commands that allow or deny the transmission of data packets in one direction or the other.
The Cisco Firepower 2100 series firewall is certified in the Information Security Tools Certification System No. ROSS RU.0001.01BI00 and holds Certificate of Compliance with Information Security Requirements No. 4373. According to the certificate, the equipment meets the requirements of the following documents:
- Requirements for firewalls (FSTEC of Russia, 2016);
- Type "A" firewall protection profile of the sixth protection class, IT.ME.A6.PZ (FSTEC of Russia, 2016);
- Type "B" firewall protection profile of the sixth protection class, IT.ME.B6.PZ (FSTEC of Russia, 2016);
- Information security requirements establishing levels of trust in information technical protection tools and information technology security tools (approved by Order of the FSTEC of Russia dated June 2, 2020 No. 76) on the 6th level of trust.
Compliance with Russian regulations is an integral part of Cisco's strategy. We are glad that we were able to take another step in this direction together with our long-standing technology partner SATEL, commented Mikhail Kader, Distinguished Systems Engineer at Cisco.
2017: Cisco Firepower 2100 Series
In February 2017, Cisco introduced a next-generation firewall family for the Internet perimeter, the Cisco Firepower 2100 series. These firewalls maintain near-constant throughput when additional security services are enabled, and meet the needs of today's organisations for uptime and protection of critical business functions and data.
Models of this series
- Firepower 2110 Security Appliance
- Firepower 2120 Security Appliance
- Firepower 2130 Security Appliance
- Firepower 2140 Security Appliance
As businesses move to digital business models, cybersecurity solutions must scale to add new functions and counter new threats and vulnerabilities without compromising network and application performance. In reality this is, unfortunately, not the case: enabling intrusion inspection on a firewall can halve its throughput or worse. As a result, customer-facing web applications such as Internet banking and e-commerce, which need maximum performance and are more likely than others to be targeted by cybercriminals, suffer most. Some enterprises disable security functionality to recover performance, putting both themselves and their customers at risk.
The 2100 series firewalls, built on a dual multi-core CPU architecture that Cisco presented as an industry first, accelerate encryption, firewalling and threat-inspection functions. The models are designed to hold a consistent level of security and performance at the same time. Compared with products in a similar price category, the Cisco Firepower 2100 delivers higher throughput even with threat inspection enabled.
2016
On February 18, 2016, Cisco announced the release of the Cisco Firepower fully integrated, threat-focused next-generation firewall.
According to the vendor, the solution differs significantly from competitors limited to application control: it detects and recognises potential attackers, rather than only classifying traffic.
Together with the firewall announcement, the company launched the Cisco Security Segmentation Service consulting service.
Its task is to help:
- improve compliance;
- contain breaches;
- detect threats;
- secure content;
- prevent data loss across the IT infrastructure.
Both Cisco innovations are aimed at protecting against dangerous, persistent cyber attacks.
Threat protection is the distinguishing feature of the Cisco Firepower firewall. It combines threat analytics, security policy enforcement and visibility into how users connect to applications. This level of visibility across the whole business environment strengthens protection and shortens the time needed to detect and respond to threats. The firewall allows protective measures to be automated and tuned, and the security posture to be hardened almost immediately, because it takes into account the current vulnerabilities, assets and threats on the network. Coordinated security controls provide protection that point solutions cannot.
Cisco Firepower increases the speed, simplicity and effectiveness of detecting and responding to attacks. The product integrates threat protection services and Cisco's stateful (dynamic) packet filtering technology into a single solution.
Among the features of the product:
- Next-generation intrusion prevention system (NGIPS)
- Advanced Malware Protection (AMP) system;
- Reputation-based URL filtering.
The integrated firewall combines Cisco and third-party solutions to share analytics and context. Enterprises can now correlate previously disparate pieces of data and recognise and repel complex attacks more quickly, wherever they occur. This strengthens the competitiveness of organisations looking to take advantage of new business opportunities in the cloud, virtual environments, the Internet of Things and mobile devices.
Cisco also introduced the Cisco Firepower 4100 Series for high-performance use by medium and large businesses. Offering the best compute density in its class, the appliance performs threat inspection at high throughput and low network latency and is suitable for high-frequency trading organisations and data center deployments. It has built-in 40 GbE ports in a chassis one rack unit (1U) high.