Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
638
Introduction to Sourcefire Intrusion Prevention
The Benefits of Custom Intrusion Policies
Chapter 16
Compare this result with the result when the same traffic is inspected passively.
In that scenario, the same rule detects the exploit, but instead of having an option
to drop the packet, you can only alert on its presence.
As you consider the benefits of deploying intrusion protection and prevention, you
should weigh some of the trade-offs. First, you must choose a managed device
model that matches or exceeds the traffic bandwidth of the network segment.
Also, depending on the criticality of the hosts on the network segment, you
should consider deploying the managed device with the optional bypass network
card. The bypass card ensures that traffic continues to pass through the
interfaces even if the appliance itself fails or loses power (although you may lose a
few packets when you reboot the appliance). For more information on inline sets,
see page 316. You can learn more about deployment
options in your managed device’s installation guide.
The Benefits of Custom Intrusion Policies
LICENSE: Protection
The system provides default intrusion policies suitable for both passive and inline
deployments. However, you may find that the rules, preprocessor options, and
other advanced settings configured in those policies do not address the security
needs of your network. You can tune a policy by enabling, disabling, and setting
specific configuration options for advanced settings and rules. Tuning advanced
settings and rule sets allows you to configure, at a very granular level, how the
system processes and inspects the traffic on your network.
For example, intrusion policies provide the following ways to tune preprocessors:
• Disable preprocessors that do not apply to the traffic on the subnet you are
monitoring.
• Specify ports, where appropriate, to focus the activity of the preprocessor.
• Configure preprocessors to generate events when they encounter certain
features in packets, for example, state problems or certain combinations of
TCP flags.
• Configure adaptive profiles in combination with network discovery to use
information about host operating systems from the network discovery map
to switch to the most appropriate target-based profile for IP
defragmentation and TCP stream preprocessing.
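The three tuning knobs named above (enabling or disabling a preprocessor, focusing it on ports, and choosing which TCP flag combinations raise events) are illustrated by the following added Python sketch, which is not Sourcefire code and does not use its configuration syntax; the flag-combination names, the `FlagPreprocessor` class and the sample headers are constructed for this illustration.

```python
import struct
from dataclasses import dataclass, field

# TCP flag bits as they appear in header byte 13 (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations that legitimate TCP never produces; a stream/flag
# preprocessor can be tuned to raise an event when it sees them.
SUSPECT_COMBOS = {
    "SYN+FIN": lambda f: bool(f & SYN and f & FIN),
    "SYN+RST": lambda f: bool(f & SYN and f & RST),
    "NULL (no flags)": lambda f: f == 0,
    "XMAS (FIN+PSH+URG)": lambda f: (f & (FIN | PSH | URG)) == (FIN | PSH | URG),
}


@dataclass
class FlagPreprocessor:
    """Hypothetical preprocessor with the tuning options the text describes."""
    enabled: bool = True                       # disable when not applicable
    ports: set = field(default_factory=set)    # empty set = inspect all ports
    checks: tuple = tuple(SUSPECT_COMBOS)      # which combinations raise events

    def inspect(self, tcp_header: bytes) -> list:
        """Return one event string per suspect combination found in a raw header."""
        if not self.enabled or len(tcp_header) < 20:
            return []
        sport, dport = struct.unpack("!HH", tcp_header[:4])
        if self.ports and sport not in self.ports and dport not in self.ports:
            return []                          # port focus: skip other traffic
        flags = tcp_header[13]
        return [f"{name} sport={sport} dport={dport}"
                for name in self.checks if SUSPECT_COMBOS[name](flags)]


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a constructed 20-byte TCP header (seq/ack zero, data offset 5)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


# Constructed sample traffic: one normal SYN and three anomalous segments.
SAMPLE = [tcp_header(40000, 80, SYN), tcp_header(40001, 80, SYN | FIN),
          tcp_header(40002, 22, 0), tcp_header(40003, 443, FIN | PSH | URG)]


def run(pre: FlagPreprocessor) -> list:
    """Inspect every sample header with the given tuning and collect events."""
    return [event for hdr in SAMPLE for event in pre.inspect(hdr)]


if __name__ == "__main__":
    print(run(FlagPreprocessor()))            # all three anomalies
    print(run(FlagPreprocessor(ports={80})))  # only the port-80 SYN+FIN
    print(run(FlagPreprocessor(enabled=False)))  # nothing: preprocessor off
```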
Note that the tuning options available vary by preprocessor or other advanced
setting. For details on the available advanced settings, their options, and how to
tune them, see