Week 6 of the DevNet Grind – Cisco Security Platforms, AMP, Firepower, ISE, Threat Grid, and Umbrella reviewed for exam day!

I will be powering through the theory of Cisco Security Platforms in this post!

I don’t know that I will have time to lab these individually, but wanted to document them at a high level view for my first pass over on the topics, and try to explain how they interact with with both Automation and APIs to make it easier on myself when I do lab them!

Automation and Scripting are a large part of Cisco Security Platforms because they can digest and react to information much faster than a human consumption, and it also removes the risk of human error of typing a vulnerability into a configuration file by accident.

The products that will be reviewed in this article will be Cisco Security Platforms:

  • Advanced Malware Protection (AMP) for Endpoints
  • Cisco Firepower Management Console (FMC)
  • Cisco Firepower Threat Defense (FTD)
  • Cisco Identity Services Engine (ISE)
  • Cisco Threat Grid
  • Cisco Umbrella

Advanced Malware Protection for Endpoints – AMP

AMP Endpoints provides API Access to Automate security workflows and includes sandboxing capabilities to inspect files that look like Malware in a safe / segregated space, and work on Windows / Mac / Linux / Android / iOS devices through Public and Private Clouds

AMP Endpoints enables easy access to pull information or event info, and even move Endpoints to new security groups using REST APIs, while the AMP continuously analyzes file activity across the extended network – With this information you can detect / contain / remove advanced malware via REST API.

AMP has a collection of subscription-based product that can be managed from a centralized web-based console, AMP Endpoints can be deployed to Mobile Devices / Servers / Etc, by installing an “AMP Connector” on the device.

AMP Integrates across the entire Cisco security portfolio with many deployment options, for example with Cisco Umbrella or Cisco Meraki Firewall (MX), and scales from Small Business to Enterprise Multi-Campus deployments.

AMP works by preventing blocking the Malware before it breaches the network point of entry, then detects / contains / remediates thread that can evade front-line defenses like an ASA.

The three main categories AMP offers:

  • Prevention
  • Detection
  • Responses and Automation


AMP protects against threats in Malware files by prevent Breaches using an API to create Isolation Sessions, and preventing network connection for a set duration of time to prevent network access to potential Malware, using Global Threat Intelligent capable of block file or non-file based Malware by IP / Application / Etc.


AMP continuously monitors and records all file activity to detect Malware, ensuring visibility into endpoint file activity / incoming threads, and reporting Endpoints that may be compromised by Malware.

AMP Cloud offers lookups / signature engines / machine learning to constantly update the intelligence database, the AMP Cloud is a Service that can be queried with the AMP API, which allows for “on disk” detection before it hits the network Breach point – TETRA is an example of an antivirus engine for AMP Connector for Windows and ClamAV for Mac and Linux.

Using the AMP API you can look for devices that have associations to a particular event or query that was malicious, so you can see all devices that may have been compromised or targeted by the attack, with v1 of AMP API providing 95 event types from scans to installs.

Responses and Automation

Accelerate investigations and automatically remediate malware via advanced sandboxing that allowing you to inspect malware, allowing for execution in a safe / isolated area, which the sandbox then records those activities for later reference.

AMP API enables you to request isolation of an infected PC, isolating that device from the Network except to the AMP Cloud / Other IPs in your Isolation Allow list, which is unlocked via an API call that manages the isolation session.

AMP for Endpoints API

API Authentication

AMP API can use either Client ID with API Key Auth or Basic HTTP Auth with a Base-64 encoded string that combines the API Client ID and API Key.

API Rate Limits

The rate limits are broken down into 3 different X- headers:

  • X-Rate-Limit-Limit – Number of total requests allowed in current time period
  • X-Rate-Limit-Remaining – Number of requests left before reaching limit
  • X-Rate-Limit-Reset – Number of seconds before the limit is reset

API Pagination

AMP API uses Links to get to locations within the response, using locations such as self / next / last, also using “offset #” which provides the next # of results based on offset value.

Cisco Firepower Products – Threat Defense (FTD) / Mgmt Console (FMC) / Device Mgr (FDC)

Firepower Management Console (FMC) is a centralized Web GUI Mgmt Console for FTD Enabled Next-Gen Firewalls including access control rules (filtering) and object based policies such as network objects between multiple devices, with a REST API that provides a subset of its functionality to be configured.

The FMC works similar to a Controller in how it manages the devices and how they handle network traffic, using a centralized database to manage multiple devices traffic filtering, which these can also be managed directly on the Appliance via REST API which provides similar config subsets – However API’s can NOT be used concurrently for FMC and FDM but their are non-API options for flexible management.

  • FDM can be used to Manage FTD’s with APIs directly to CDO’s
  • FMC by itself – As a single Controller it offers great functionality as API capabilities between the two are very similar

Benefits and Purpose

The products bring the Application Layer filtering capability to Cisco Security Appliances, as most next-gen ASA’s (x-series) come with Firepower Modules, which allow for centralized management / security policies / traffic redirection / etc to protect the network.

Firepower takes these following actions for traffic control:

  • Inspect, log, and take action on traffic
  • Use security intelligence data to filter traffic, which can be site by domains / geographical locations / URLs / Applications
  • Control Website Access on the network
  • Filter files based on lists containing data about the files
  • Rate limit network traffic based on access control
  • Redirect known malicious traffic to a sinkhole server where the firewall fakes a DNS Query response to the malicious domain, which you can configure to log or display warnings


  • Track, backup, and protect CA Certs
  • Manage, backup, encrypt and protect private keys
  • IKE Key Management for site-to-site IPSec VPN
  • Enabling Extended and Standard IPv4 and IPv6 ACL’s


FMC can run on VMware vSphere and AWS, along with Physical Boxes including Cisco FMC 1000 / 1600 / 2000 / 2500 / 2600 / 4000 / 4500 / 4600, with the VMware / AWS options allowing a multi-device instance of FMC to run and single device deployments of FDM instances that contain the FDM Next Gen Firewall API.

In addition to supporting Next-Gen FTD Appliances, Cisco ASA X-Series are also considered “Next Gen” Appliances that come with a Firepower Module built into the Appliance.


FMC and FDM integrate with Cisco ISE which allows you to move users in / out of quarantine areas after starting a VPN Session, though this is an FMC feature as FDM has a slightly less feature rich integration with ISE, these both also Integrate with Umbrella / Threat Grid to assist in blocking malicious domains from being accessed by the network.

Environment and Scale

FMC is meant for large scale deployments where automation is critical for rapid threat response time and configuration accuracy, whereas FTD Appliances / FDM / Next Gen Cisco ASA’s are more suited for small to medium sized business usage.

API Information

FMC actually has an “API-Explorer” built in by going to “https://mgmtIP:mgmtPort/api/api-explorer” and the FTD REST API also includes a trial capability hosted on the device, this can be accessed via the Cisco DevNet Sandbox as well for labbing / trial if you are considering it.


APIs include FMC REST API and FTD REST API, the FMC giving access to network endpoint security event data and host information, while the FTD API is used to configure the device via POST Call via the REST API.

API Authentication

The FMC API Token is required to authenticate the REST API, it has a lifetime of 30 minutes before it expires, and it uses “X-auth-access-token:<token>” in the Header when making the API Call, and to refresh the token “X-auth-refresh-token:<refresh token value>” on next call.

FTD Appliances use OAuth 2.0 workflows to Authenticate API Calls, using JSON Web Tokens which are provided by providing username / password and receiving a normal token, and you can define additional custom tokens named things that make sense to facilitate management – Tokens can also be revoked using the API. These token are “Bearer” Auth tokens in the Header.

API Limits

FMC API Limits the work load by accepting a max of 120 messages per minute from an individual IP, and will not accept a payload of more than about 20.5mb in size, whereas with FTD uses a default limit of 1000 responses per minute but can be adjusted by sending a parameter defining the limit it will accept.

Cisco Identity Services Engine (ISE)

ISE provides a rule-based engine for enabling policy-based network access to users and devices by enabling you to enforce compliance and streamline user network access operations, and using the ISE APIs you can Automate threat containment when detected (Integrates with several existing Identity Deployments as well).


Cisco ISE architecture consists of nodes with defined node types, a node being an individual physical or Virtual ISE Appliance, taking one of four roles:

  • Administration – Performs all admin tasks on Cisco ISE, handling all system related configuration / authentication / authorization / accounting
  • Policy Service – This node or “Persona” type provides Network Access / Posture / Guest Access / Client Provisioning / Profiling Services, the Policy Info point represents the point at which external info is communicated to Policy Service Persona like LDAP for example
  • Monitoring – An ISE node with Monitoring Persona as the log collector, storing logs from both Admin and Policy Service nodes in the network
  • pxGrid – The pxGrid Framework integration enables the system to exchange policy and configuration data between nodes, which is how 3rd party vendors can share tags / policy objects / integrate in ISE itself

The rest of the ISE Architecture is the network devices and endpoints, ISE nodes can be configured for High Availability / Load Balancing / Automatic Failover (depending on the size of the deployment).

There is also a single node deployment option where a single ISE Node runs all services / personas described above by itself.


To get the most out of ISE, there are multiple integrations available for it including some that are in the format of information and data sharing, remediation and Certificate Revocation. It also integrates with SAML / SSO / LDAP / AD / RBAC methods of Authentication.

Environment and Scale

ISE can be deployed to an sized environments, from the single node doing all roles for a small network, to at largest scale providing support for 250k active endpoints and 1 million devices!


  • Asset Visibility – BYOD (Bring your own device) with both guest and secure wireless access for employees, using the ISE Posture Assessment functionality to allow personal mobile devices on the network
  • Policy Compliance – ISE and enforced consistent security policy integrate with Cisco TrustSec for Software-Defined segmentation for the network
  • Secure Wired Access – ISE Identifies every device and user accessing the network whether it is wired / wireless / remotely, and once identified the device and user are then placed into the proper secured segment of the network going forward, this is almost like dynamically assigning devices to a VLAN + Port Security + AAA + asset visibility + SECURITY!!!
  • Segmentation – This doesn’t just work for secured access but also traffic direction, where ISE can drive large traffic flows away from the ISE network for better user experience

Cisco Threat Grid

Threat Grid is a Malware Analysis platform that combines static and dynamic Malware Analysis with threat intelligence from global sources, which can be added to the network as a Threat Grid Appliance or as a Service delivered via Cloud technology and also can integrate with the Technology AMP for an extra layer of security.

The purpose of Threat Grid is to Analyze and Review potential threats and malware, where a local appliance can perform on-prem analysis / analytics by submitting malware samples to the appliance, while Cloud Services user API Workflows designed for SOC Analysts / Malware Analysts / Security Specialists / Forensic Investigators.

Integrations / Environment and Scale / Capabilities

Thread Grid Integrates with AMP / Next-Gen Firewalls / ASA FirePOWER modules as a sort of threat hunting tool, the scale is license driven as to how many samples it can analyze in a 24 hour period.

Capabilities include the two mentioned types of Analysis:

  • Static – Provide identifying information about the file / headers / contents
  • Dynamic – Executes the Malware in a safe / specialized environment called a “glovebox” which enables you to interact with the malware without harming production to observe behaviors / process calls / network connections / etc

Threat Grid can really be seen as a compliment to AMP or Firepower, as its Malware Analysis information can be fed into these Security Systems to enhance their capabilities, and Threat Grid can have the front end / dash board / workflows built per Organization specifications.

Cisco Umbrella

Umbrella uses DNS to enforce security on the network, configuring your local DNS to point to Umbrella to apply security settings based on Organization Policies.

Umbrella blocks malicious domains / IPs / files / URLs, using a large scale threat intelligence repository of historical data about threats to classify DNS requests and deem them safe, or deemed risky and dropped or sent to a Proxy Server for further scrutiny.

Umbrella data includes a Cisco Talos feed, which is a team of researchers / analysts / engineers who create accurate and actionable threat data and keep it updated for Cisco products, which includes information about malicious domains / IPs / DNS Data / contains 120 billion requests per day.


APIs and data-driven architecture provide the base of the Umbrella Serve via some APIs:

  • The Enforcement API – Integrates Security events with Umbrella
  • The Network Devices API – Integrates Hardware devices with Umbrella
  • The Investigate API – Provides Data to find more about security incidents
  • The Reporting API – Enables Orgs to run several reports

Integrations / Environment and Scale

Umbrella can utilize hardware devices for management by Umbrella Security, use API Integration Points, and even integrate with Cisco Meraki MR (Wireless) for protection. APIs are used both to utilize the Umbrella Enforcement API to take actions, or Investigate API to pull threat intelligence data programmatically.

Umbrella is so simply to Integrate that it can be used at any scale, service hundreds to hundreds of thousands of endpoints at a time.


  • Wifi protection when Guests are on your network – To mitigate legal risks of illegal actions on your guest network or to prevent network infiltration / identity theft / ad-ware
  • Selective Application Blocking – This will dynamically assess threats in the workflow, blocking just portions of it if the rest can proceed, so you may see blocks of a webpage that were ads show up as “Blocked by Umbrella”
  • Endpoint Security for off-network (non-VPN) devices – Umbrella provides off network Roaming protection for the network security perimeter for multiple OS platforms
  • Web Filtering – This can be manually configured, it will run checks against global blacklists to prevent non-manually entered malicious traffic, works off a security score system of how trusted the domain is considered by Umbrella (which is sometimes tripped as a false positive by SIEM solutions that ship malicious traffic events within or outside of the network), and if the Investigative API cannot find any score for a domain (score = 0) it is blocked

And that is it for the Cisco Security Platform overview!

I will be labbing these (or trying to as much as possible) once this class is up, but for now I am going to keep hammering out the theory and baseline info, until next time!!! 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s