
Wednesday, June 23, 2021

Now I am going to use my own Root CA to sign a CSR that I got from a Cisco ISE server. My Root CA runs on Windows Server 2016 and was built as described in the following post.

Create Your Own Root CA (Certificate Authority) Server

This comes in handy when you need free certificates for labs etc. OK, let's start..

I browse to http://10.1.1.150/certsrv and click on Request a certificate.

Click on advanced certificate request on the next page.

Now open the certificate request .pem file in Notepad, copy its contents, paste them into the Saved Request box, select Web Server as the Certificate Template and click on Submit. The Web Server template takes the subject (and any SAN entries) from the request itself, which is what we want for a CSR generated on another device. Note that by default only Domain Admins and Enterprise Admins have Enroll permission on that template, so log in to certsrv with such an account, or grant Enroll on the template to the account you use.

On the next page select Base 64 encoded and click on Download certificate to get the signed certificate. Bind it to the pending CSR in ISE, and import the root CA certificate (downloaded in the earlier post) into ISE's trusted certificates as well. Remember that clients only trust the ISE certificate if they also trust your private root, so the root CA certificate has to be installed on the endpoints or browsers that connect to ISE.
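The same submission can be scripted from a domain-joined Windows machine with certreq and certutil instead of clicking through the /certsrv pages. The following is an added example and is not part of the original post. It assumes a CA config string of WIN-CA.lab.local\WIN-CA (hostname\CA name; both are assumed values), that the ISE CSR was saved as C:\certs\ise.pem, and that the logged-on account has Enroll permission on the Web Server template.

```powershell
# Added example, not from the original post: submit the ISE CSR to the lab CA with
# certreq and check the result with certutil. Paths and the CA config string below
# are assumptions; "certutil -dump" with no arguments on a domain-joined machine
# lists the CAs it knows about together with their config strings.
$caConfig = 'WIN-CA.lab.local\WIN-CA'
$csrFile  = 'C:\certs\ise.pem'
$certFile = 'C:\certs\ise-signed.cer'
$rootFile = 'C:\certs\win-ca-root.cer'

# Inspect the request first. The Web Server template copies the subject from the
# request as-is, so a typo in the CN or a missing SAN ends up in the issued cert.
certutil -dump $csrFile | Select-String -Pattern 'Subject:', 'CN=', 'DNS Name='

# Submit against the Web Server template. -attrib expects the template's internal
# name (WebServer, no space). certreq writes the Base64 certificate to $certFile;
# if the CA rejects the request the error text (template or permission problem)
# is printed and the exit code is non-zero.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $csrFile $certFile
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Verify the chain back to the root and that the AIA/CDP URLs embedded in the
# certificate are reachable. A failure here is what ISE clients will see too.
certutil -verify -urlfetch $certFile

# Fetch the CA certificate as well (the "Download a CA certificate" link on /certsrv);
# it goes into ISE's trusted certificate store alongside the signed certificate.
certutil -config $caConfig -ca.cert $rootFile
```

The -verify step is worth keeping even in a lab: if the CA publishes its CRL only to an LDAP path or an internal HTTP name, endpoints that cannot resolve those URLs may fail revocation checking against the ISE certificate, and this is the quickest way to see that before the certificate is bound in ISE.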


Sunday, June 20, 2021

This post is just about Windows Server CA service configuration. It helped me to practice certificate-related configuration on firewalls etc. Windows people know all this, but to help networking people build their labs I am sharing what I did to create my CA server.

I am using Windows Server 2016..

Go to Server Manager > Manage > Add Roles & Features

Hit Next until you get to Server Roles.

Tick Active Directory Certificate Services
Again hit Next until you reach the Role Services page and tick the following four items, like I have done: Certification Authority, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service and Certification Authority Web Enrollment. (The /certsrv pages used later come from Certification Authority Web Enrollment; the two enrollment web services are the ones that depend on the CA being configured first.)
Then hit Next until you reach Install, and install..

After the installation finishes, you can see the blue highlighted line (Configure Active Directory Certificate Services on the destination server) in the results; click it to start the configuration wizard.

Hit Next on the Credentials window, select only the first two items (Certification Authority and Certification Authority Web Enrollment) and hit Next.
(The other two, Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service, must also be configured, but because they rely on the first two they are left unselected for the moment.)

I selected Enterprise CA on the next window, and Root CA on the window after that. An Enterprise CA is published in Active Directory, so every domain-joined machine automatically trusts this root. That is convenient for a lab, but it also makes the CA's private key a domain-wide trust anchor, so keep this CA (and its key) inside the lab.


Selected Create a new private key on the next window and SHA256 on the Cryptography window (SHA-1 signed certificates are rejected by modern browsers and by most newer servers). I left the key length at the default 2048 bits.


Renamed the CA to WIN-CA just because it is easy to remember, and didn't change the other defaults on the following windows.

From here I only hit Next, without changing anything, until I reached the Configure button on the Confirmation page..

After the configuration succeeds it asks "Do you want to configure additional role services?". This is asking whether you want to configure the two items we skipped on the Role Services window.

Hit Yes..

Hit Next on the Credentials window, select the remaining two items and hit Next..

I selected CA name on the next page and hit Next, selected Windows Integrated Authentication on the next window and hit Next again, and selected Use the built-in application pool identity on the Service Account for CES window.

Again selected Windows Integrated Authentication on the next window (this one is for the Certificate Enrollment Policy Web Service) and hit Next..

Select the certificate we just created (the CA certificate, which becomes the HTTPS certificate for the two enrollment web services) on the next window by clicking on it and hit Next..

The next window configures them all..

Now the CA services configuration is over..

From a web browser go to the IP address of the server: http://ip-address/certsrv

You will be asked to give credentials, I used the administrator credentials.

From the last link on this page we can download the CA certificate.

Click on it and select Base 64 and click on Download CA Certificate on the next page.


On the right side of the screenshot I have pasted the CA certificate from the CA server I created..
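The whole procedure above (the four role services, the Enterprise Root CA with a new SHA256 key named WIN-CA, the web enrollment pages, and the two enrollment web services bound to the CA's own certificate) can also be done unattended from PowerShell, which is handy when the lab has to be rebuilt. This is an added example, not from the original post. It assumes the server is already domain-joined, that the script runs in an elevated PowerShell as an Enterprise Admin, and that the CA is named WIN-CA as in the post; the 5-year validity and 2048-bit key are the wizard's defaults.

```powershell
# Added example, not from the original post: the same Role Services install and
# configuration done unattended. Assumptions (mine, not the post's): the server is
# domain-joined, this runs elevated as an Enterprise Admin, and the CA is WIN-CA.

# Step 1: Add Roles & Features -> the four AD CS role services ticked in the wizard.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

# Step 2: the first two role services. Enterprise Root CA, new private key, SHA256
# (the wizard's other defaults: 2048-bit RSA key, 5-year CA certificate).
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'WIN-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 2048 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5 -Force
Install-AdcsWebEnrollment -Force

# Step 3: the remaining two (CES first, then CEP). Both need a certificate for their
# HTTPS binding; like the post, this picks the CA certificate step 2 just created,
# which lives in the machine's Personal store.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=WIN-CA*' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$caConfig = "$([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)\WIN-CA"

Install-AdcsEnrollmentWebService -CAConfig $caConfig -AuthenticationType Kerberos `
    -ApplicationPoolIdentity -SSLCertThumbprint $caCert.Thumbprint -Force
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $caCert.Thumbprint -Force

# Checks: the CA service answers over RPC, and the new root has been placed in the
# machine's Trusted Root store (Active Directory distributes the same root to every
# domain member, which is why an Enterprise CA is so convenient in a lab).
certutil -config $caConfig -ping
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like 'CN=WIN-CA*' } |
    Format-List Subject, Thumbprint, NotAfter, SignatureAlgorithm
```

The last Format-List line is the quick sanity check for the SHA256 choice made in the wizard: SignatureAlgorithm should read sha256RSA, not sha1RSA. Only Step 1 and Step 2 are needed for the http://ip-address/certsrv pages; the enrollment web services in Step 3 are for clients that enroll through the CEP/CES protocol rather than the web pages.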

Tuesday, June 8, 2021

There are many policies we come across when we deal with Cisco FMC, which makes it confusing where to find each one and where it is applied. In this post I'm going to make a brief note on all of them and their interrelationships.


Policies are reusable sets of rules/conditions. The different kinds of policies in FMC are Access Control Policy, Intrusion Policy, Malware & File Policy, DNS Policy, Identity Policy, SSL Policy, Prefilter Policy, Network Analysis Policy, Network Discovery Policy, NAT Policy, QoS Policy, Settings (Platform Settings) Policy, Correlation Policy and Health Policy. 😵 I think I named them all..


Following are short descriptions of the above policies.


Access Control Policy - Of all of the above, the Access Control Policy (ACP) is the main policy; most of the other policies are packaged into it.


One FTD can have only one Access Control Policy assigned at a time.


Access Control Policy rules carry the legacy firewall rule functionality (zones, networks, ports, applications, users) plus the next-generation features, which are defined in most of the other types of policies and attached either to the whole ACP or to individual rules.


Intrusion Policy - This defines the set of intrusion detection and prevention configurations (Snort rules and their actions) that inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.

Malware & File Policy - This is a set of configurations that the system uses to perform malware protection and file control, as part of your overall access control configuration.

DNS Policy - DNS-based Security Intelligence lets you whitelist or blacklist traffic based on the domain name requested by a client; instead of passing the request, the FTD can drop it or answer with "domain not found" or a sinkhole address.

Identity Policy - Identity policies contain identity rules. Identity rules associate sets of traffic with a realm and an authentication method: passive authentication, active authentication, or no authentication.
This is a prerequisite for using users or groups in Access Control Policy rules.

SSL Policy - An SSL policy determines how the system handles encrypted TLS/SSL traffic (HTTPS etc.) on your network: decrypt it (by re-signing for outbound sessions, or with the server's known key for inbound ones), block it, or pass it through undecrypted.

Prefilter Policy - This is the first stage of inspection. It is used to fastpath (bypass all further inspection) or block traffic outright, before it reaches the Access Control Policy, for traffic you don't want the FTD to inspect at all; it also handles tunneled traffic (GRE, IP-in-IP etc.) based on the outer headers.

Network Analysis Policy - These hold the traffic preprocessing options. Cisco states that network analysis-related preprocessing occurs after Security Intelligence blacklisting and SSL decryption, but before intrusion or file inspection begins.


Network Discovery Policy - This is there to identify what is attached to the network.
It is used to build host profiles of devices, including information like OS, services, web applications, protocols, users, IOC tags, VLAN tags, malware events, vulnerabilities, scan results, hostname, MAC address and much more..


NAT Policy - This is to configure the Network Address Translation settings of an FTD.


QoS Policy - This is to configure the QoS settings for an FTD.


Settings Policy (Platform Settings) - This is where you configure the basic settings of an FTD like ARP inspection, banner, time synchronization, syslog etc.


Correlation Policy - This is basically the If This --> Then That functionality of the FMC. It can be used to respond in real time to threats, specific event types, specific hosts or users, or network traffic conditions, for example by sending an alert or running a remediation.


Health Policy - This is to monitor the overall functionality and performance of the whole Firepower system, so this policy applies both to the FMC itself and to the FTDs.


Now let's look at the interrelationships of the above policies.


When you click on the Policies tab, the first menu is Access Control, and the default selection is the Access Control menu item. Next to Access Control you can see Network Discovery and Correlation. Those two are also types of policies you configure in FMC, but they are for the FMC itself.

"for the FMC itself" means policies used by the FMC, not deployed to the FTDs..


The items in the Access Control drop-down are the policies that can be attached to Access Control Policies or to Access Control Policy rules.

Following is an example of the Access Control page where the ACPs are listed.

Here you can see that there are four Access Control Policies created on the FMC, and that ACPs can be configured hierarchically (a child policy inherits rules and settings from its parent). Also notice the rounded tab, which is the place to create Network Analysis Policies.

Let's go inside the ACP.

The shield icon is for the IPS (Intrusion) Policy and the file icon is for the Malware & File Policy. So you can see that those two are attached to Rule 01, whereas the Prefilter, SSL and Identity Policies are attached to the whole Access Control Policy, not to a particular Access Control Rule.

If you edit a rule (via the pencil icon) you will find the places to add the IPS and Malware & File Policy on the rule's Inspection tab.

You can see the place to attach the DNS Policy under the Security Intelligence tab of the ACP.

In the Advanced tab, you can see the place to bind the Network Analysis Policy.

You can find the Settings Policy under Devices > Platform Settings.
Following are the things you can change in it.

The Health Policy is a bit different from the other policies because it can be used to monitor both the FMC and the FTDs. You can find it under System > Health > Policy and assign it to a device by clicking the apply icon in front of the policy. You can also do the same thing from Devices > choose the device > Device tab, where you will see the applied Health Policy.
