Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 27
Using the FireSIGHT System as a Compliance Tool
A compliance white list (or white list) is a set of criteria that allows you to specify the operating systems, applications, and protocols that are allowed to run on a specific subnet, and automatically generate an event if a host on the subnet violates the white list. For example, your security policy might state that while your web servers are allowed to run HTTP, none of the other hosts on your network are. You could create a white list that evaluates your entire network, excluding your web farm, to determine which hosts are running HTTP.
Note that you could create a correlation rule that performs this function by configuring the rule so that it triggers when:
• the system discovers new information about an application protocol
• the application protocol name is http
• the IP address of the host involved in the event is not in your web farm
However, correlation rules, which provide a more flexible way of alerting you and responding to policy violations on your network, are more complex to configure and maintain than white lists. Correlation rules are also wider in scope, allowing you to generate a correlation event when one of many types of event meets any criteria that you specify. White lists, on the other hand, are specifically meant to help you evaluate the operating systems, application protocols, clients, web applications, and protocols that are running on your network and whether they violate your organization’s policies.
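The white list described above (HTTP allowed only on the web farm) and the equivalent correlation rule logic (application protocol is http, host IP not in the web farm), worked through as an added example. This is hypothetical evaluator code, not FireSIGHT code; the subnets, host records and the NetFlow-sourced host without OS data are constructed.

```python
"""Hypothetical white-list evaluator (not FireSIGHT's own): the white list
targets the whole network, excludes the web farm, and allows only the listed
application protocols. Each violation becomes a white-list event."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class WhiteList:
    name: str
    target_networks: list        # subnets the white list evaluates
    excluded_networks: list      # subnets carved out, e.g. the web farm
    allowed_protocols: set       # application protocols allowed on targets
    allowed_os: set = field(default_factory=set)  # empty set = any OS

    def covers(self, ip):
        """True if the host is in a target subnet and not in an excluded one."""
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(n) for n in self.excluded_networks):
            return False
        return any(addr in ipaddress.ip_network(n) for n in self.target_networks)


def evaluate(white_list, hosts):
    """Return one white-list event per (host, violated criterion)."""
    events = []
    for host in hosts:
        if not white_list.covers(host["ip"]):
            continue
        for proto in sorted(host["app_protocols"]):
            if proto not in white_list.allowed_protocols:
                events.append({"ip": host["ip"], "type": "application protocol", "value": proto})
        # Hosts learned only from NetFlow carry no OS data (see the chapter's Note);
        # an unknown OS is left unevaluated rather than reported as a violation.
        os_name = host.get("os")
        if white_list.allowed_os and os_name is not None and os_name not in white_list.allowed_os:
            events.append({"ip": host["ip"], "type": "operating system", "value": os_name})
    return events


# Constructed network map: 10.1.1.0/24 is the web farm.
NETWORK_MAP = [
    {"ip": "10.1.1.10", "os": "Linux", "app_protocols": {"http", "ssh"}},      # web server
    {"ip": "10.2.2.20", "os": "Windows", "app_protocols": {"http", "smb"}},    # runs HTTP
    {"ip": "10.2.2.30", "os": None, "app_protocols": {"ssh"}},                 # NetFlow only
]

NO_HTTP_OUTSIDE_WEB_FARM = WhiteList(
    name="No HTTP outside the web farm",
    target_networks=["10.0.0.0/8"],
    excluded_networks=["10.1.1.0/24"],
    allowed_protocols={"ssh", "smb"},
    allowed_os={"Linux", "Windows"},
)

if __name__ == "__main__":
    for event in evaluate(NO_HTTP_OUTSIDE_WEB_FARM, NETWORK_MAP):
        print(event)
```

Running it reports a single event for 10.2.2.20 running http; the web server is skipped because it sits in the excluded subnet, and the NetFlow-only host is checked for protocols but not for its unknown OS.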
You can create custom white lists that meet your specific needs, or you can use the default white list created by the Cisco Vulnerability Research Team (VRT) that contains recommended settings for allowed operating systems, application protocols, clients, web applications, and protocols. You may also want to customize the default white list for your network environment.
If you add a white list to an active correlation policy, when the system detects that a host is violating the white list, the system logs a white list event — which is a special kind of correlation event — to the database. Further, you can configure the system to trigger responses (remediations and alerts) automatically when it detects a white list violation.
Note
Although you can configure the network discovery policy to add hosts and application protocols to the network map based on data exported by NetFlow-enabled devices, the available information about these hosts and application protocols is limited. For example, there is no operating system data available for these hosts, unless you provide it using the host input feature. This may affect the way you build compliance white lists. For more information, see