FireSIGHT System User Guide, page 13-12
Chapter 13 Using Access Control Policies
Configuring Policies
Filtering Traffic Based on Security Intelligence Data
License: Protection
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
The Security Intelligence feature allows you to specify the traffic that can traverse your network, per 
access control policy, based on the source or destination IP address. This is especially useful if you want 
to blacklist—deny traffic to and from—specific IP addresses, before the traffic is subjected to analysis 
by access control rules. 
Note that you could create access control rules that perform a similar function to Security Intelligence 
filtering. However, access control rules are wider in scope, more complex to configure, and cannot 
automatically update using dynamic feeds. In contrast, Security Intelligence filtering can immediately 
blacklist connections based on the latest intelligence, removing the need for a more resource-intensive, 
in-depth analysis.
Optionally, and recommended in passive deployments, you can use a “monitor-only” setting for Security 
Intelligence filtering. This allows the system to analyze connections that would have been blacklisted, 
but also logs the match to the blacklist.
To help you build blacklists, Cisco provides the Cisco Intelligence Feed, which is comprised of several 
regularly updated collections of IP addresses determined by the VRT to have a poor reputation. To 
augment the intelligence feed, you can use third-party feeds and custom lists of IP addresses, including 
a global blacklist. You can also blacklist IP addresses using network objects and groups. These 
configurations are collectively called Security Intelligence objects.
Note
Although feed updates and additions to the global blacklist (or global whitelist; see below) automatically 
implement changes throughout your deployment, any other change to a Security Intelligence object 
requires an access control policy reapply. For more information, see th
 table.
Choosing IP Addresses to Blacklist
The easiest way to construct a blacklist is to use the Cisco Intelligence Feed, which tracks IP addresses 
known to be open relays, known attackers, bogus IP addresses (bogon), and so on. Because the 
intelligence feed is regularly updated, using it ensures that the system uses up-to-date information to 
filter your network traffic. Malicious IP addresses that represent security threats such as malware, spam, 
botnets, and phishing may appear and disappear faster than you can update and apply new policies. 
To augment the intelligence feed, you can perform Security Intelligence filtering using custom or 
third-party IP address lists and feeds:
  • A list is a static list of IP addresses that you upload to the Defense Center
  • A feed is a dynamic list of IP addresses that the Defense Center downloads from the Internet on a 
regular basis; the Cisco Intelligence Feed is a special kind of feed
For detailed information on configuring Security Intelligence lists and feeds, including high availability 
and Internet access requirements, see 
Also, in the course of your analysis, you can build a global blacklist by selecting any IP address in an 
event view, the Context Explorer, or a dashboard. For example, if you notice a set of routable IP 
addresses in intrusion events associated with exploit attempts, you can immediately blacklist those IP 
addresses. The Defense Center uses this global blacklist (and a related global whitelist) to perform 
Security Intelligence filtering in all access control policies. For information on managing these global