Cisco Firepower Management Center 4000

27-5
FireSIGHT System User Guide
 
Chapter 27 Using the FireSIGHT System as a Compliance Tool
Understanding Compliance White Lists
After you create a host profile for a particular operating system, you can specify the application 
protocols, clients, web applications, and protocols that are allowed to run on target hosts running that 
operating system. For example, you could allow SSH to run on Linux hosts on port 22. You could also 
restrict the particular vendor and version to OpenSSH 4.2.
Note that unidentified hosts remain in compliance with all white lists until they are identified. You can, 
however, create a white list host profile for unknown hosts.
Note: Unidentified hosts are not the same as unknown hosts. Unidentified hosts are hosts about which the system has not yet gathered enough information to identify their operating systems. Unknown hosts are hosts whose traffic has been analyzed by the system, but whose operating systems do not match any of the known fingerprints.
For more information, see .
Understanding Shared Host Profiles
License: FireSIGHT
Shared host profiles are tied to specific operating systems, but you can use each shared host profile in 
more than one white list. That is, if you create multiple white lists but want to use the same host profile 
to evaluate hosts running a particular operating system across the white lists, use a shared host profile.
For example, if you have offices worldwide and you want to create a separate white list for each location, 
but always want to use the same profile for all hosts running Apple Mac OS X, you can create a shared 
profile for that operating system and use it in all your white lists.
The default white list represents recommended “best practices” settings for allowed operating systems, clients, application protocols, web applications, and protocols. This white list uses a special category of shared host profiles, called built-in host profiles. Note that built-in host profiles are marked with the built-in host profile icon.
Built-in host profiles use built-in application protocols, protocols, and clients. You can use these 
elements as-is in both the default white list and in any custom white list that you create or you can modify 
them to suit your needs. They are displayed in italics within the built-in host profile and in any other host 
profile that uses them.
Keep in mind that like all shared host profiles, if you modify a built-in host profile, it affects every white 
list that uses it. Likewise, if you modify a built-in application protocol, protocol, or client, it affects every 
white list that uses it.
For more information on shared host profiles, see .
Understanding White List Evaluations
License: FireSIGHT
After you create white list host profiles and save the white list, you can add the white list to a correlation policy, just as you would a correlation rule. For more information, see .
After you activate the correlation policy, the system evaluates the targets of the white list against the white list criteria. You can then use the host attributes network map to gain an overall view of the white list compliance of the hosts on your network.
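To make the evaluation rules described in this chapter concrete, the following is an added Python model of how a white list judges a host; it is not Cisco code and uses no FireSIGHT API. The host record layout, the rule and profile classes, and the use of "unknown" as the operating-system name for the unknown-host profile are constructed assumptions; the SSH example mirrors the OpenSSH 4.2 on port 22 case above.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the white-list semantics described above (not Cisco code).
@dataclass
class AllowedService:
    protocol: str                   # application protocol, e.g. "SSH"
    port: int
    vendor: Optional[str] = None    # None means any vendor is allowed
    version: Optional[str] = None   # None means any version is allowed

    def permits(self, svc: dict) -> bool:
        return (svc["protocol"] == self.protocol and svc["port"] == self.port
                and self.vendor in (None, svc.get("vendor"))
                and self.version in (None, svc.get("version")))

@dataclass
class HostProfile:
    os: str                          # target OS; "unknown" is the unknown-host profile (assumed name)
    allowed: list = field(default_factory=list)

class WhiteList:
    def __init__(self, name: str, profiles: list):
        self.name = name
        # A shared profile is the same object referenced from several white lists,
        # so editing it changes the evaluation of every list that uses it.
        self.profiles = {p.os: p for p in profiles}

    def evaluate(self, host: dict):
        """Return (compliant, reason) for one constructed host record."""
        os_name = host.get("os")
        if os_name is None:
            # Unidentified host: the system has not fingerprinted it yet,
            # so it stays compliant with every white list until identified.
            return True, "unidentified host, compliant until identified"
        profile = self.profiles.get(os_name)
        if profile is None:
            return False, f"operating system {os_name!r} is not allowed"
        for svc in host.get("services", []):
            if not any(rule.permits(svc) for rule in profile.allowed):
                return False, f"{svc['protocol']} on port {svc['port']} is not allowed"
        return True, "all services allowed"

# Constructed sample: SSH allowed on Linux only as OpenSSH 4.2 on port 22.
SSH_RULE = AllowedService("SSH", 22, vendor="OpenSSH", version="4.2")
LINUX = HostProfile("Linux", [SSH_RULE])          # shared by both lists below
HQ_LIST = WhiteList("HQ", [LINUX, HostProfile("unknown")])
BRANCH_LIST = WhiteList("Branch", [LINUX])
```

Because LINUX is shared, appending a rule to LINUX.allowed changes what both HQ_LIST and BRANCH_LIST accept, which is the effect the section warns about for shared and built-in profiles.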