FireSIGHT System User Guide
 
Chapter 17 Introduction to Intrusion Prevention
In an inline deployment, you can also replace a portion of the payload with content of your own choosing. Consider a simple example where the device detects a packet that contains bin/sh, which often indicates a shellcode attack. You can write a custom intrusion rule that replaces all or part of this string with exactly the same number of characters. For example, replacing bin/sh with foo/sh and then passing the packet on to its destination causes the shellcode attack to fail without tipping off the attacker that the packet was altered.
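The replacement described above can be written as a Snort-syntax intrusion rule using the replace keyword, which in an inline deployment substitutes a string of exactly the same length for the matched content. The rule below is an added illustration, not a rule taken from this guide or shipped with the system; the rule header (any source to $HOME_NET on any port), the message text, the flow and classtype options, and the SID 1000001 are assumed placeholder values, and it is an assumption that the FireSIGHT rule editor's replace option produces the same keyword.

```snort
# Constructed example: neutralize a "bin/sh" string in inline traffic.
# The replace string must be exactly the same length as the content it
# follows (6 bytes here), so the packet length and TCP sequence numbers
# stay unchanged and the receiver sees nothing unusual about the segment.
alert tcp any any -> $HOME_NET any ( \
    msg:"Constructed example - bin/sh replaced with foo/sh"; \
    flow:established,to_server; \
    content:"bin/sh"; \
    replace:"foo/sh"; \
    classtype:shellcode-detect; \
    sid:1000001; rev:1; \
)
```

When the same rule is applied in a passive deployment, the replace option has no effect because the device is not in the forwarding path; the rule still generates an event on the content match, which is the only response available there.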
Compare this result with the result when the same traffic is inspected passively. In that scenario, the same 
rule detects the exploit, but instead of having an option to drop the packet, you can only alert on its 
presence.
As you consider the benefits of deploying intrusion protection and prevention, you should weigh some 
of the trade-offs. First, you must choose a managed device model that matches or exceeds the traffic 
bandwidth of the network segment. Also, depending on the criticality of the hosts on the network 
segment, you should consider deploying the managed device with the optional bypass network card. The 
bypass card ensures that traffic continues to pass through the interfaces even if the appliance itself fails 
or loses power (although you may lose a few packets when you reboot the appliance). For more 
information on inline sets, see . You can learn more about deployment options in your managed device's installation guide.
The Benefits of Custom Intrusion Policies
License: Protection
The system provides default intrusion policies suitable for both passive and inline deployments. 
However, you may find that the rules, preprocessor options, and other advanced settings configured in 
those policies do not address the security needs of your network. You can tune a policy by enabling, 
disabling, and setting specific configuration options for advanced settings and rules. Tuning advanced 
settings and rule sets allows you to configure, at a very granular level, how the system processes and 
inspects the traffic on your network. 
For example, intrusion policies provide the following ways to tune preprocessors:
  • Disable preprocessors that do not apply to the traffic on the subnet you are monitoring.
  • Specify ports, where appropriate, to focus the activity of the preprocessor.
  • Configure preprocessors to generate events when they encounter certain features in packets, for example, state problems or certain combinations of TCP flags.
  • Configure adaptive profiles in combination with network discovery to use information about host operating systems from the network discovery map to switch to the most appropriate target-based profile for IP defragmentation and TCP stream preprocessing.
Note that the tuning options available vary by preprocessor or other advanced setting. For details on the available advanced settings, their options, and how to tune them, see .
Additionally, within each intrusion policy, you can tune rules in the following ways:
  • Improve performance by using fewer rules; disable rules that are not applicable to your environment.
  • Verify that all rules applicable to your environment are enabled.
  • For inline deployments, specify which rules should drop malicious packets from the packet stream.
Tip: You can use network discovery to identify the operating systems on your network. This allows you to more easily identify which rules are applicable to your environment.