Cisco Firepower Management Center 4000

FireSIGHT System User Guide, Chapter 17 (page 17-1)

Introduction to Intrusion Prevention
You can deploy your FireSIGHT System both to detect and protect against network traffic that could threaten the availability, integrity, and confidentiality of hosts and their data. The term intrusion detection generally refers to the process of passively analyzing network traffic for potential intrusions and storing attack data for security analysis. The term intrusion prevention includes the concept of intrusion detection, but adds the ability to block or alter malicious traffic as it travels across your network.
The FireSIGHT System can perform as both an intrusion detection system and an intrusion prevention system depending on:
  • how you attach managed devices to your network: inline or out of band
  • how you configure the devices' interface sets: passive, inline, switched, or routed
  • the drop behavior of rules set to Drop and Generate Events: enabled or disabled
After you deploy your devices and configure them according to your needs, the FireSIGHT System uses several mechanisms to look for the broad range of exploits that attackers have developed. You can then use a broad range of tools to analyze and respond to the intrusion events.
Sensing Intrusions
Packet decoders and preprocessors detect anomalous traffic that might signal an intrusion attempt and, when you have enabled accompanying decoder and preprocessor rules, report on detected anomalies. Next, intrusion rules examine the decoded packets for attacks based on patterns. Used together, intrusion rules and preprocessors provide broader and deeper packet inspection than a signature-based system and help to identify intrusions more effectively.
The Cisco Vulnerability Research Team (VRT) regularly sends out updates, called Cisco rule updates, that may contain new intrusion rules, so you can be sure that you are detecting the most recently released attacks.
Responding to Intrusions
When a packet travels over a segment, the managed device captures and analyzes it using a series of decoders and preprocessors and then a rules engine. When the device identifies a possible intrusion, it generates an intrusion event, which is a record indicating the date, time, the type of exploit, and contextual information about the source of the attack and its target. Unless your device is deployed passively, the system can block possible intrusions or replace harmful content in a packet. For packet-based events, a copy of the packet or packets that triggered the event is also recorded.
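The pipeline above (preprocess, then match rules, then decide whether the deployment and rule state allow a block) is modelled here as an added, constructed example; it is not Cisco code and it does not reproduce the Snort rule language. It assumes a single percent-decoding step as a stand-in for a preprocessor, a toy content-pattern rule, and the three deployment factors listed earlier in the chapter (inline versus passive, drop behavior enabled versus disabled, and the rule's Generate Events versus Drop and Generate Events state).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from urllib.parse import unquote_to_bytes

class RuleState(Enum):
    DISABLED = "Disabled"
    GENERATE = "Generate Events"
    DROP_AND_GENERATE = "Drop and Generate Events"

@dataclass(frozen=True)
class Rule:
    msg: str            # type of exploit recorded in the event
    pattern: bytes      # content matched against the preprocessed payload
    state: RuleState

@dataclass(frozen=True)
class Deployment:
    inline: bool        # True: inline interface set; False: passive (out of band)
    drop_enabled: bool  # drop behavior of Drop and Generate Events rules

@dataclass(frozen=True)
class IntrusionEvent:
    when: datetime
    exploit: str
    source: str
    target: str
    blocked: bool
    packet: bytes       # copy of the triggering packet, as for packet-based events

def inspect(payload, src, dst, rules, dep, now=None):
    """Preprocess, run the rules over the decoded payload, return (events, forwarded)."""
    decoded = unquote_to_bytes(payload)  # stand-in preprocessor: rules see the decoded form
    stamp = now or datetime.now(timezone.utc)
    events, forwarded = [], True
    for rule in rules:
        if rule.state is RuleState.DISABLED or rule.pattern not in decoded:
            continue
        # Blocking needs all three: a drop rule, an inline device, and drop behavior enabled;
        # a passively deployed device can only generate the event.
        blocked = (rule.state is RuleState.DROP_AND_GENERATE
                   and dep.inline and dep.drop_enabled)
        events.append(IntrusionEvent(stamp, rule.msg, src, dst, blocked, payload))
        forwarded = forwarded and not blocked
    return events, forwarded

# Constructed sample: a traversal rule and an encoded request that matches only after preprocessing
RULES = (Rule("WEB directory traversal attempt", b"../", RuleState.DROP_AND_GENERATE),)
SAMPLE = b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"
```

Running `inspect(SAMPLE, "10.0.0.5", "10.0.0.80", RULES, Deployment(inline=True, drop_enabled=True))` yields one blocked event and `forwarded=False`; the same call with `inline=False` or `drop_enabled=False` yields the same event with `blocked=False` and the packet forwarded.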