FireSIGHT System User Guide, page 1-12
Chapter 1 Introduction: FireSIGHT System Components
You can include access control rules in an access control policy to further define how traffic is handled by targeted devices, from simple IP address matching to complex scenarios involving different users, applications, ports, and URLs. For each rule, you specify a rule action, that is, whether to trust, monitor, block, or inspect matching traffic with an intrusion or file policy.
For each access control policy, you can create a custom HTML page that users see when the system blocks their HTTP requests. Optionally, you can display a page that warns users, but also allows them to click a button to continue to the originally requested site.
As part of access control, the Security Intelligence feature allows you to blacklist—deny traffic to and from—specific IP addresses before the traffic is subjected to analysis by access control rules. If your system supports geolocation, you can also filter traffic based on its detected source and destination countries and continents.
Access control includes intrusion detection and prevention, file control, and advanced malware protection. For more information, see the next sections.
Intrusion Detection and Prevention
Intrusion detection and prevention allows you to monitor your network traffic for security violations and, in inline deployments, to block or alter malicious traffic.
Intrusion prevention is integrated into access control, where you can associate an intrusion policy with specific access control rules. If network traffic meets the conditions in a rule, you can analyze the matching traffic with an intrusion policy. You can also associate an intrusion policy with the default action of an access control policy.
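The evaluation order described above (Security Intelligence blacklist first, then access control rules in order with their trust, monitor, block or inspect action, then the policy's default action, which may itself carry an intrusion policy) as an added Python model. This is illustration written for this page, not Cisco's code or the FireSIGHT configuration syntax; the rule names, addresses and the assumption that a monitor rule records the match and lets evaluation continue are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection as the access control engine sees it (constructed model)."""
    src: str
    dst: str
    port: int
    app: str
    user: str = ""


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "trust" | "monitor" | "block" | "inspect"
    ports: frozenset = frozenset()  # an empty condition means "any"
    apps: frozenset = frozenset()
    users: frozenset = frozenset()
    policy: str = ""                # intrusion/file policy applied by "inspect"

    def matches(self, f: Flow) -> bool:
        return ((not self.ports or f.port in self.ports)
                and (not self.apps or f.app in self.apps)
                and (not self.users or f.user in self.users))


# Constructed sample policy: a Security Intelligence blacklist, ordered rules, default action.
BLACKLIST = [ip_network("203.0.113.0/24")]
RULES = [
    Rule("log-guest-traffic", "monitor", users=frozenset({"guest"})),
    Rule("trust-backup", "trust", ports=frozenset({873})),
    Rule("block-telnet", "block", apps=frozenset({"telnet"})),
    Rule("inspect-web", "inspect", apps=frozenset({"HTTP", "HTTPS"}), policy="balanced-ips"),
]
DEFAULT_ACTION = "inspect:default-ips"   # the default action can carry an intrusion policy too


def evaluate(flow, blacklist=BLACKLIST, rules=RULES, default=DEFAULT_ACTION):
    """Return (verdict, log) following the order the guide describes."""
    log = []
    # 1. Security Intelligence: blacklisted addresses are denied before any rule is consulted.
    if any(ip_address(flow.src) in n or ip_address(flow.dst) in n for n in blacklist):
        log.append(("security-intelligence", "block"))
        return "block", log
    # 2. Access control rules, first match decides. Assumption (not stated in this
    #    passage): "monitor" records the match and lets evaluation continue.
    for r in rules:
        if r.matches(flow):
            log.append((r.name, r.action))
            if r.action == "monitor":
                continue
            return (f"inspect:{r.policy}" if r.action == "inspect" else r.action), log
    # 3. Nothing matched: the policy's default action applies.
    log.append(("default", default))
    return default, log
```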
An intrusion policy contains a variety of components, including:
  • rules that inspect the protocol header values, payload content, and certain packet size characteristics
  • rule state configuration based on FireSIGHT recommendations
  • advanced settings, such as preprocessors and other detection and performance features
  • preprocessor rules that allow you to generate events for associated preprocessors and preprocessor options
File Tracking, Control, and Malware Protection
To help you identify and mitigate the effects of malware, the FireSIGHT System’s file control, network file trajectory, and advanced malware protection components can detect, track, capture, analyze, and optionally block the transmission of files (including malware files) in network traffic.
File Control
File control allows managed devices to detect and block your users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. You configure file control as part of your overall access control configuration; file policies associated with access control rules inspect network traffic that meets rule conditions.
Network-Based Advanced Malware Protection (AMP)
Network-based advanced malware protection (AMP) allows the system to inspect network traffic for malware in several types of files. Appliances can store detected files for further analysis, either to their hard drive or (for some models) a malware storage pack.