Cisco Firepower Management Center 4000
FireSIGHT System User Guide
 
Chapter 17      Introduction to Intrusion Prevention
For more information, see 
 and 
.
Using Intrusion Event Responses
License: Protection
In addition to generating intrusion events based on attacks, you can use an extensive list of alerting 
mechanisms to make sure that specific attacks are brought to your attention immediately. Conversely, 
you can suppress events that are less likely to affect critical systems or set a threshold that the number 
of events must reach before you are alerted.
For more information about automated alerting, see 
.
You can use the following tools to set up automatic responses to intrusion events:
• automated alerting that you can configure for SNMP, email, and syslog
  For more information, see .
• on a Defense Center, automated correlation policies that you can use to respond to and remediate specific intrusion events
  For more information, see
Understanding Intrusion Prevention Deployments
License: Protection
You can configure a passive deployment for a managed device so the device senses traffic out of band 
from the packet stream. Similarly, you can configure an inline, switched, or routed deployment where 
using an intrusion policy set to drop packets allows you to drop or replace packets that you know to be 
harmful.
You can tailor intrusion policies for each managed device so they generate events only for the attacks 
that are likely to affect the security of the hosts on specific portions of your network. You can specify 
which rules do not alert, which rules generate events and, except for a passive deployment, which rules 
generate events and also drop the malicious traffic.
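The rule states, deployment modes and event responses described above (alerting thresholds and suppression in Using Intrusion Event Responses, and the disabled / generate-events / drop states that depend on whether the device is inline) can be put together in a small model. The following Python is an added illustration written for this page, not FireSIGHT or Snort code: the rule ids, hosts and timestamps are constructed, the Snort-style "threshold" semantics (alert once every `count` matches within `seconds`, tracked by source or destination host) and the design choice that suppression and thresholds govern only event generation, not the verdict of an inline drop rule, are assumptions of the model.

```python
"""Model of intrusion rule states, event thresholds and suppression.
Added illustration, not FireSIGHT or Snort code. A packet is assumed to
have already been matched to a rule; the model only decides whether an
event is generated and whether the packet is dropped."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Deque, Dict, Optional, Set, Tuple


class RuleState(Enum):
    DISABLED = "disabled"              # rule does not alert
    GENERATE = "generate_events"       # rule generates an event
    DROP = "drop_and_generate_events"  # rule generates an event and drops traffic


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since epoch
    src: str
    dst: str
    rule_id: str   # assumed: id of the rule this packet matched


@dataclass(frozen=True)
class Threshold:
    """Alert only once `count` matches per tracked host occur within `seconds`."""
    count: int
    seconds: float
    track: str = "src"   # "src" or "dst"


@dataclass
class IntrusionPolicy:
    inline: bool                                   # False models a passive deployment
    states: Dict[str, RuleState]
    thresholds: Dict[str, Threshold] = field(default_factory=dict)
    # (rule_id, host); host None suppresses the rule for every host
    suppressions: Set[Tuple[str, Optional[str]]] = field(default_factory=set)


class Sensor:
    def __init__(self, policy: IntrusionPolicy) -> None:
        self.policy = policy
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _suppressed(self, pkt: Packet) -> bool:
        s = self.policy.suppressions
        return any(k in s for k in ((pkt.rule_id, None), (pkt.rule_id, pkt.src),
                                    (pkt.rule_id, pkt.dst)))

    def _threshold_met(self, pkt: Packet) -> bool:
        th = self.policy.thresholds.get(pkt.rule_id)
        if th is None:
            return True                  # no threshold: every match alerts
        key = (pkt.rule_id, pkt.src if th.track == "src" else pkt.dst)
        window = self._hits[key]
        window.append(pkt.ts)
        while pkt.ts - window[0] > th.seconds:
            window.popleft()             # discard matches outside the window
        if len(window) >= th.count:
            window.clear()               # alert once, then start counting again
            return True
        return False

    def process(self, pkt: Packet) -> Dict[str, bool]:
        """Return {'event': bool, 'drop': bool} for one matched packet."""
        state = self.policy.states.get(pkt.rule_id, RuleState.DISABLED)
        if state is RuleState.DISABLED:
            return {"event": False, "drop": False}
        # Only an inline set sits in the packet path; a passive set sees a copy
        # of the traffic, so a drop rule can do no more than generate an event.
        drop = state is RuleState.DROP and self.policy.inline
        # Assumption of this model: suppression and thresholds govern alerting
        # only and do not change the verdict of an inline drop rule.
        event = not self._suppressed(pkt) and self._threshold_met(pkt)
        return {"event": event, "drop": drop}


def run_demo() -> Dict[str, list]:
    """Run constructed sample matches through an inline and a passive sensor."""
    policy = IntrusionPolicy(
        inline=True,
        states={"1:1000": RuleState.DROP, "1:2000": RuleState.GENERATE,
                "1:3000": RuleState.DISABLED},
        thresholds={"1:2000": Threshold(count=3, seconds=60.0, track="src")},
        suppressions={("1:1000", "10.0.0.5")},      # known-noisy host
    )
    passive = IntrusionPolicy(False, policy.states, policy.thresholds,
                              policy.suppressions)
    pkts = [   # constructed, not captured traffic
        Packet(0.0, "10.0.0.9", "10.0.1.1", "1:1000"),    # drop rule
        Packet(1.0, "10.0.0.5", "10.0.1.1", "1:1000"),    # drop rule, suppressed host
        Packet(10.0, "10.0.0.7", "10.0.1.2", "1:2000"),   # 1st of 3 in 60 s
        Packet(20.0, "10.0.0.7", "10.0.1.2", "1:2000"),   # 2nd
        Packet(30.0, "10.0.0.7", "10.0.1.2", "1:2000"),   # 3rd: threshold met
        Packet(100.0, "10.0.0.7", "10.0.1.2", "1:2000"),  # count restarts
        Packet(101.0, "10.0.0.9", "10.0.1.3", "1:3000"),  # disabled rule
    ]
    results = {}
    for mode, pol in (("inline", policy), ("passive", passive)):
        sensor = Sensor(pol)             # one sensor per mode keeps its own windows
        results[mode] = [sensor.process(k) for k in pkts]
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running the same matches through both sensors shows the point of the two sections: the event decisions are identical for the passive and inline sensors, while only the inline sensor ever drops, and a suppressed host still has its traffic dropped by an inline drop rule even though no event is generated for it.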
For either type of system, you connect sensing interfaces to the appropriate segments on your network 
and add those interfaces to an interface set. These interfaces are configured in stealth mode so, to other 
devices on the network, the device itself does not appear to be connected to the network at all. 
Additionally, the interfaces are configured in promiscuous mode so that they detect all of the traffic on 
the network segment regardless of where the traffic is going. In this configuration, the device can see all 
of the traffic on the network segment, but is itself invisible.
The key deployment difference between an out-of-band deployment and an inline, switched, or routed 
deployment lies in the interface sets used by each system. An out-of-band deployment uses a passive 
interface set; an inline, switched, or routed deployment uses an inline set. The interfaces for a passive 
interface set passively analyze the traffic on the segments they monitor, while traffic flows between pairs 
of interfaces in an inline set.
The following illustration shows an example of a managed device deployed passively and with two 
passive interface sets. Each interface is monitoring a different network segment.