Cisco FirePOWER Appliance 7110
13-13
FireSIGHT System User Guide
Chapter 13 Using Access Control Policies
Configuring Policies
lists, see
Finally, a simple way to construct a blacklist is to use network objects or network object groups that
represent an IP address, IP address block, or collection of IP addresses. For information on creating and
modifying network objects, see
Note
Although they have all other Protection capabilities by default, Series 2 devices cannot perform Security
Intelligence filtering. You cannot apply an access control policy that uses a populated global whitelist or
blacklist to Series 2 devices (or to unlicensed Series 3 devices). If you added IP addresses to either
global list, you must remove the non-empty list from the policy’s Security Intelligence configuration
before you can apply the policy.
Security Intelligence Whitelists
In addition to a blacklist, each access control policy has an associated whitelist, which you can also
populate with Security Intelligence objects. A policy’s whitelist overrides its blacklist. That is, the
system evaluates traffic with a whitelisted source or destination IP address using access control rules,
even if the IP address is also blacklisted. In general, use the whitelist if a blacklist is still useful, but is
too broad in scope and incorrectly blocks traffic that you want to inspect.
For example, if a reputable feed improperly blocks your access to vital resources but is overall useful to
your organization, you can whitelist only the improperly classified IP addresses, rather than removing
the whole feed from the blacklist.
Enforcing Security Intelligence Filtering by Security Zone
For added granularity, you can enforce Security Intelligence filtering based on whether the source or
destination IP address in a connection resides in a particular security zone.
To extend the whitelist example above, you could whitelist the improperly classified IP addresses, but
then restrict the whitelist object using a security zone used by those in your organization who need to
access those IP addresses. That way, only those with a business need can access the whitelisted IP
addresses. As another example, you might want to use a third-party spam feed to blacklist traffic on an
email server security zone.
Monitoring — Rather than Blacklisting — Connections
If you are not sure whether you want to blacklist a particular IP address or set of addresses, you can use
a “monitor-only” setting, which allows the system to pass the matching connection to access control
rules, but also logs the match to the blacklist. Note that you cannot set the global blacklist to
monitor-only.
Consider a scenario where you want to test a third-party feed before you implement blocking using that
feed. When you set the feed to monitor-only, the system allows connections that would have been
blocked to be further analyzed by the system, but also logs a record of each of those connections for your
evaluation.
In passive deployments, to optimize performance, Cisco recommends that you always use monitor-only
settings. This is because managed devices that are deployed passively cannot affect traffic flow; there is
no advantage to configuring the system to block traffic.
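The following is an added example, not part of the FireSIGHT guide or Cisco's code: a simplified model of how the whitelist, blacklist, security zone restriction and monitor-only setting described above combine into one verdict per connection. Zone matching is approximated as "the entry applies only if the connection traverses that zone", and all feed names, zone names and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SIEntry:
    """One Security Intelligence object or feed placed on a list (hypothetical model)."""
    name: str
    networks: tuple               # CIDR strings the object or feed represents
    zone: Optional[str] = None    # None = enforce in every security zone
    monitor_only: bool = False    # not allowed for the global blacklist

    def matches(self, ip, zones):
        addr = ipaddress.ip_address(ip)
        in_zone = self.zone is None or self.zone in zones
        return in_zone and any(addr in ipaddress.ip_network(n) for n in self.networks)

def si_decision(src, dst, zones, whitelist, blacklist):
    """Return ('pass' | 'monitor' | 'block', name of the matched entry or None).

    'pass' and 'monitor' both hand the connection to the access control
    rules; 'monitor' additionally records the blacklist match.
    """
    # The whitelist overrides the blacklist for either endpoint address.
    for w in whitelist:
        for ip in (src, dst):
            if w.matches(ip, zones):
                return "pass", w.name
    verdict, hit = "pass", None
    for b in blacklist:
        for ip in (src, dst):
            if b.matches(ip, zones):
                if not b.monitor_only:
                    return "block", b.name      # a blocking match wins outright
                verdict, hit = "monitor", b.name  # log, keep evaluating
    return verdict, hit

# Constructed policy: a reputation feed that is too broad, a spam feed
# enforced only on the mail server zone, and a third-party feed under evaluation.
BLACKLIST = (
    SIEntry("reputation-feed", ("203.0.113.0/24",)),
    SIEntry("spam-feed", ("198.51.100.0/24",), zone="mail-servers"),
    SIEntry("trial-feed", ("192.0.2.0/24",), monitor_only=True),
)
WHITELIST = (
    # Only the misclassified host, and only for users in the finance zone.
    SIEntry("partner-portal", ("203.0.113.10/32",), zone="finance"),
)
```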