About Advanced Access Control Settings for Network Analysis and Intrusion Policies

Similar documents
Access Control Using Intrusion and File Policies

Getting Started with Access Control Policies

Access Control Using Intrusion and File Policies

Intrusion Prevention Performance Tuning

Connection Logging. Introduction to Connection Logging

Connection Logging. About Connection Logging

Getting Started with Network Analysis Policies

Start Creating SSL Policies

Access Control Rules: Network-Based

Prefiltering and Prefilter Policies

Access Control Using Intelligent Application Bypass

The following topics describe how to manage various policies on the Firepower Management Center:

User Identity Sources

DNS Policies. DNS Policy Overview. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices.

Device Management Basics

Aggregate Interfaces and LACP

User Identity Sources

IPS Device Deployments and Configuration

Intelligent Application Bypass

Device Management Basics

Globally Limiting Intrusion Event Logging

Realms and Identity Policies

Rule Management: Common Characteristics

Sensitive Data Detection

The following topics describe how to configure correlation policies and rules.

Device Management Basics

Access Control Rules: Realms and Users

File Policies and AMP for Firepower

SCADA Preprocessors. Introduction to SCADA Preprocessors. The Modbus Preprocessor

File Policies and Advanced Malware Protection

Realms and Identity Policies

Task Scheduling. Introduction to Task Scheduling. Configuring a Recurring Task

Application Detection

Realms and Identity Policies

Detecting Specific Threats

The following topics describe how to configure traffic profiles:

Working with Reports

* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM).

Licensing the Firepower System

Configuration Import and Export

Configuration Import and Export

Access Control. Access Control Overview. Access Control Rules and the Default Action

The following topics describe how to work with reports in the Firepower System:

The following topics describe how to use dashboards in the Firepower System:

Monitoring the Device

Network Discovery Policies

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models

Quality of Service (QoS) for Firepower Threat Defense

System Software Updates

Setting Up Virtual Routers

Host Identity Sources

Application Layer Preprocessors

Classic Device Management Basics

The Intrusion Rules Editor

The Intrusion Rules Editor

The Intrusion Rules Editor

Access Control. Access Control Overview. Access Control Rules and the Default Action

SOURCEFIRE 3D SYSTEM RELEASE NOTES

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Cisco Threat Intelligence Director (TID)

SOURCEFIRE 3D SYSTEM RELEASE NOTES

Platform Settings for Classic Devices

Licensing the Firepower System

Interfaces for Firepower Threat Defense

Licensing the Firepower System

Cisco Firepower NGIPS Tuning and Best Practices

Upgrade the ASA FirePOWER Module

IBM Proventia Management SiteProtector Policies and Responses Configuration Guide

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES

Security and Permissions in the Orchestrator System

Updating to Version 6.2.2

Configuring Access Rules

External Alerting with Alert Responses

Interfaces for Firepower Threat Defense

Cisco Threat Intelligence Director (TID)

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

Palo Alto Networks PAN-OS

SOURCEFIRE 3D SYSTEM RELEASE NOTES

Deployment Guide: Routing Mode with No DMZ

Managing Site-to-Site VPNs

Configuring Tap Aggregation and MPLS Stripping

Firepower Management Center High Availability

SOURCEFIRE 3D SYSTEM RELEASE NOTES

Company. Business Online Banking Admin - Company. Company - Profile. Company - BAI Settings

Cisco Service Control Usage Analysis and Reporting Solution Guide,

Cisco Security Policy Engine Administration Server User Interface Topics

BIG-IP TMOS : Implementations. Version 13.0

Configuring Client Posture Policies

intelop Stealth IPS false Positive

ControlPoint. Managing ControlPoint Users, Permissions, and Menus. February 05,

Activating Intrusion Prevention Service

SOURCEFIRE 3D SYSTEM RELEASE NOTES

Protection! User Guide. A d m i n i s t r a t o r G u i d e. v L i c e n s i n g S e r v e r. Protect your investments with Protection!

Configuring Firewall Filters (J-Web Procedure)

Quick Start Guide (SDN)

Check Point 4800 with Gigamon Inline Deployment Guide

Configuring Anomaly Detection

External Alerting for Intrusion Events

User Management in Resource Manager

Transcription:

Advanced Access Control Settings for Network Analysis and Intrusion Policies The following topics describe how to configure advanced settings for network analysis and intrusion policies: About Advanced Access Control Settings for Network Analysis and Intrusion Policies, page 1 The Default Intrusion Policy, page 1 Advanced Settings for Network Analysis Policies, page 3 About Advanced Access Control Settings for Network Analysis and Intrusion Policies Many of the advanced settings in an access control policy govern intrusion detection and prevention configurations that require specific expertise to configure. Advanced settings typically require little or no modification and are not common to every deployment. The Default Intrusion Policy Each access control policy uses its default intrusion policy to initially inspect traffic before the system can determine exactly how to inspect that traffic. This is needed because sometimes the system must process the first few packets in a connection, allowing them to pass, before it can decide which access control rule (if any) will handle the traffic. However, so that these packets do not reach their destination uninspected, you can use an intrusion policy called the default intrusion policy to inspect them and generate intrusion events. By default, the default intrusion policy uses the default variable set. A default intrusion policy is especially useful when performing application control and URL filtering, because the system cannot identify applications or filter URLs before a connection is fully established between the client and the server. For example, if a packet matches all the other conditions in an access control rule with an application or URL condition, it and subsequent packets are allowed to pass until the connection is established and application or URL identification is complete, usually 3 to 5 packets. The system inspects these allowed packets with the default intrusion policy, which can generate events and, if placed inline, block malicious traffic. After the system identifies the access control rule or default action 1

Setting the Default Intrusion Policy Advanced Access Control Settings for Network Analysis and Intrusion Policies that should handle the connection, the remaining packets in the connection are handled and inspected accordingly. When you create an access control policy, its default intrusion policy depends on the default action you first chose. Initial default intrusion policies for access control are as follows: Balanced Security and Connectivity (a system-provided policy) is the default intrusion policy for an access control policy where you first chose the Intrusion Prevention default action. No Rules Active is the default intrusion policy for an access control policy where you first chose the Block all traffic or Network Discovery default action. Although choosing this option disables intrusion inspection on the allowed packets described above, it can improve performance if you are not interested in intrusion data. Note If you are not performing intrusion inspection (for example, in a discovery-only deployment), keep the No Rules Active policy as your default intrusion policy. If you change your default action after you create the access control policy, the default intrusion policy does not automatically change. To change it manually, use the access control policy s advanced options. You can choose a system- or user-created policy. Note The network analysis policy associated with the first matching network analysis rule preprocesses traffic for the default intrusion policy. If there are no network analysis rules, or none match, the default network analysis policy is used. Setting the Default Intrusion Policy Smart License Classic License Supported Devices Supported Domains Access Admin/Access Admin/Network Admin Caution Changing the total number of intrusion policies used by an access control policy restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information. You change the the total number of intrusion policies by adding an intrusion policy that is not currently used, or by removing the last instance of an intrusion policy. You can use an intrusion policy in an access control rule, as the default action, or as the default intrusion policy. 2

Advanced Access Control Settings for Network Analysis and Intrusion Policies Advanced Settings for Network Analysis Policies Procedure Step 1 Step 2 Step 3 Step 4 Step 5 In the access control policy editor, click the Advanced tab, then click the edit icon ( Analysis and Intrusion Policies section. ) next to the Network If a view icon ( ) appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings. If the configuration is unlocked, uncheck Inherit from base policy to enable editing. Select an intrusion policy from the Intrusion Policy used before Access Control rule is determined drop-down list. If you choose a user-created policy, you can click an edit icon ( cannot edit system-provided policies. ) to edit the policy in a new window. You Optionally, select a different variable set from the Intrusion Policy Variable Set drop-down list. You can also select the edit icon ( ) next to the variable set to create and edit variable sets. If you do not change the variable set, the system uses a default set. Click OK. Click Save to save the policy. What to Do Next Deploy configuration changes; see Deploy Configuration Changes. Advanced Settings for Network Analysis Policies Network analysis policies govern how traffic is decoded and preprocessed so that it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt. This traffic preprocessing occurs after Security Intelligence blacklisting and traffic decryption, but before intrusion policies inspect packets in detail. By default, the system-provided Balanced Security and Connectivity network analysis policy is the default network analysis policy. Tip The system-provided Balanced Security and Connectivity network analysis policy and the Balanced Security and Connectivity intrusion policy work together and can both be updated in intrusion rule updates. However, the network analysis policy governs mostly preprocessing options, whereas the intrusion policy governs mostly intrusion rules. A simple way to tune preprocessing is to create and use a custom network analysis policy as the default. For advanced users with complex deployments, you can create multiple network analysis policies, each tailored to preprocess traffic differently. Then, you can configure the system to use those policies to govern the preprocessing of traffic using different security zones, networks, or VLANs. To accomplish this, you add custom network analysis rules to your access control policy. A network analysis rule is simply a set of configurations and conditions that specifies how you preprocess traffic that matches those qualifications. You create and edit network analysis rules in the advanced options in an existing access control policy. Each rule belongs to only one policy. Each rule has: 3

Setting the Default Network Analysis Policy Advanced Access Control Settings for Network Analysis and Intrusion Policies a set of rule conditions that identifies the specific traffic you want to preprocess an associated network analysis policy that you want to use to preprocess traffic that meets all the rules conditions When it is time for the system to preprocess traffic, it matches packets to network analysis rules in top-down order by rule number. Traffic that does not match any network analysis rules is preprocessed by the default network analysis policy. Setting the Default Network Analysis Policy Smart License Classic License Supported Devices Supported Domains Access Admin/Access Admin/Network Admin You can choose a system- or user-created policy. Note If you disable a preprocessor but the system needs to evaluate preprocessed packets against an enabled intrusion or preprocessor rule, the system automatically enables and uses the preprocessor although it remains disabled in the network analysis policy web interface. Tailoring preprocessing, especially using multiple custom network analysis policies, is an advanced task. Because preprocessing and intrusion inspection are so closely related, you must be careful that you allow the network analysis and intrusion policies examining a single packet to complement each other. Procedure Step 1 Step 2 In the access control policy editor, click the Advanced tab, then click the edit icon ( Analysis and Intrusion Policies section. ) next to the Network If a view icon ( ) appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings. If the configuration is unlocked, uncheck Inherit from base policy to enable editing. From the Default Network Analysis Policy drop-down list, select a default network analysis policy. If you choose a user-created policy, you can click an edit icon ( cannot edit system-provided policies. Caution ) to edit the policy in a new window. You Changing the total number of network analysis policies used by an access control policy restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information.you change the total number of network analysis policies by adding a policy that is not currently used, or by removing the last instance of a network analysis policy. You can use a network analysis policy with network analysis rules or as the default network analysis policy. 4

Advanced Access Control Settings for Network Analysis and Intrusion Policies Network Analysis Rules Step 3 Step 4 Click OK. Click Save to save the policy. What to Do Next Deploy configuration changes; see Deploy Configuration Changes. Network Analysis Rules Within your access control policy s advanced settings, you can use network analysis rules to tailor preprocessing configurations to network traffic. Network analysis rules are numbered, starting at 1. When it is time for the system to preprocess traffic, it matches packets to network analysis rules in top-down order by ascending rule number, and preprocesses traffic according to the first rule where all the rule s conditions match. You can add zone, network, and VLAN tag conditions to a rule. If you do not configure a particular condition for a rule, the system does not match traffic based on that criterion. For example, a rule with a network condition but no zone condition evaluates traffic based on its source or destination IP address, regardless of its ingress or egress interface. Traffic that does not match any network analysis rules is preprocessed by the default network analysis policy. Configuring Network Analysis Rules Smart License Classic License Supported Devices Supported Domains Access Admin/Access Admin/Network Admin Procedure Step 1 Step 2 Step 3 Step 4 Step 5 In the access control policy editor, click the Advanced tab, then click the edit icon ( Analysis and Intrusion Policies section. ) next to the Network If a view icon ( ) appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings.if the configuration is unlocked, uncheck Inherit from base policy to enable editing. Tip Click Network Analysis Policy List to view and edit existing custom network analysis policies. Next to Network Analysis Rules, click the statement that indicates how many custom rules you have. Click Add Rule. Configure the rule's conditions by clicking the tabs corresponding to the conditions you want to add; see Rule Condition Types. Click the Network Analysis tab and choose the Network Analysis Policy you want to use to preprocess the traffic matching this rule. 5

Network Analysis Rules Advanced Access Control Settings for Network Analysis and Intrusion Policies Step 6 Click the edit icon ( Caution Click Add. ) to edit a custom policy in a new window. You cannot edit system-provided policies. Changing the total number of network analysis policies used by an access control policy restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information.you change the total number of network analysis policies by adding a policy that is not currently used, or by removing the last instance of a network analysis policy. You can use a network analysis policy with network analysis rules or as the default network analysis policy. What to Do Next Deploy configuration changes; see Deploy Configuration Changes. Managing Network Analysis Rules Smart License Classic License Supported Devices Supported Domains Access Admin/Access Admin/Network Admin A network analysis rule is simply a set of configurations and conditions that specifies how you preprocess traffic that matches those qualifications. You create and edit network analysis rules in the advanced options in an existing access control policy. Each rule belongs to only one policy. Procedure Step 1 Step 2 Step 3 In the access control policy editor, click the Advanced tab, then click the edit icon ( and Network Analysis Policies section. ) next to the Intrusion If a view icon ( ) appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings.if the configuration is unlocked, uncheck Inherit from base policy to enable editing. Next to Network Analysis Rules, click the statement that indicates how many custom rules you have. Edit your custom rules. You have the following options: To edit a rule s conditions, or change the network analysis policy invoked by the rule, click the edit icon ( ) next to the rule. To change a rule s order of evaluation, click and drag the rule to the correct location. To select multiple rules, use the Shift and Ctrl keys. To delete a rule, click the delete icon ( ) next to the rule. 6

Advanced Access Control Settings for Network Analysis and Intrusion Policies Network Analysis Rules Step 4 Step 5 Tip Click OK. Right-clicking a rule displays a context menu that allows you to cut, copy, paste, edit, delete, and add new network analysis rules. Click Save to save the policy. What to Do Next Deploy configuration changes; see Deploy Configuration Changes. 7

Network Analysis Rules Advanced Access Control Settings for Network Analysis and Intrusion Policies 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback