Security Intelligence Blacklisting



Similar documents
Access Control Rules: URL Filtering

The following topics describe how to manage policies on the Management Center:

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

Configuring Trend Micro Content Security

Deploying Layered Security. What is Layered Security?

Cisco IPS Tuning Overview

Installing and Configuring vcloud Connector

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

C I S C O E M A I L S E C U R I T Y A P P L I A N C E

Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

the barricademx end user interface documentation for barricademx users

Next Generation IPS and Reputation Services

Zscaler Internet Security Frequently Asked Questions

Application Detection

GFI WebMonitor Administration and Configuration Manual

Deployment Guide: Transparent Mode

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training


provides several new features and enhancements, and resolves several issues reported by WatchGuard customers.


Create, Link, or Edit a GPO with Active Directory Users and Computers

Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

Core Protection Suite

IBM Security QRadar Vulnerability Manager Version User Guide IBM

The PA-4000 Series can add visibility and control into your network for webmail applications to stop incoming threats and limit uploaded data.

ThreatSTOP Technology Overview

F-Secure Internet Security 2012

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

AVG Business SSO Connecting to Active Directory

STARTER KIT. Infoblox DNS Firewall for FireEye

System Administrator Guide

COMMANDS 1 Overview... 1 Default Commands... 2 Creating a Script from a Command Document Revision History... 10

Networking for Caribbean Development

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

escan SBS 2008 Installation Guide

Cisco Cloud Security Interoperability with Microsoft Office 365

Cloud Services. Anti-Spam. Admin Guide

Core Filtering Admin Guide

F-Secure Client Security. Administrator's Guide

Whose IP Is It Anyways: Tales of IP Reputation Failures

Content Filtering Client Policy & Reporting Administrator s Guide

Web Application Firewall

Barracuda Spam Firewall User s Guide

FILTERING FAQ

Important Information

Streamlining Web and Security

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

HoneyBOT User Guide A Windows based honeypot solution

The Hillstone and Trend Micro Joint Solution

IBM Security QRadar Vulnerability Manager Version User Guide

Web DLP Quick Start. To get started with your Web DLP policy

Introduction to the AirWatch Browser Guide

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Barracuda Spam Firewall Users Guide. How to Download, Review and Manage Spam

McAfee Database Activity Monitoring 5.0.0

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Secure Web Appliance. Reverse Proxy

Trend Micro OfficeScan Best Practice Guide for Malware

Managing Qualys Scanners

Release Notes for Websense Security v7.2

Quick Heal Exchange Protection 4.0

Encryption Admin & User Guide

Cisco Advanced Malware Protection

Name Services (DNS): This is Quick rule will enable the Domain Name Services on the firewall.

What Is Ad-Aware Update Server?

Unified Security Management and Open Threat Exchange

FireSIGHT System Release Notes

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

How To Integrate Hosted Security With Office 365 And Microsoft Mail Flow Security With Microsoft Security (Hes)

K7 Business Lite User Manual

DYNAMIC DNS: DATA EXFILTRATION

SonicWALL Security Quick Start Guide. Version 4.6

How To Manage Your Quarantine On A Blackberry.Com

Anti-Spyware Enterprise Module software

Configuring Security for FTP Traffic

Cisco Security Intelligence Operations

Best Practice Configurations for OfficeScan (OSCE) 10.6

BusinessObjects Enterprise XI Release 2

Quarantined Messages 5 What are quarantined messages? 5 What username and password do I use to access my quarantined messages? 5

eprism Security Suite

Comodo MyDLP Software Version 2.0. Endpoint Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

APPLICATION PROGRAMMING INTERFACE

ArcMail Technology Defender Mail Server Configuration Guide for Microsoft Exchange Server 2003 / 2000

Anti Spam Best Practices

Installing GFI MailEssentials

Configuring a Custom Load Evaluator Use the XenApp1 virtual machine, logged on as the XenApp\administrator user for this task.

Setting up Microsoft Office 365

LOG MANAGEMENT Update Log Setup Screen Update Log Options Use Update Log to track edits, adds and deletes Accept List Cancel

F-Secure Internet Gatekeeper Virtual Appliance

Setting up Microsoft Office 365

ACTIVE DIRECTORY DEPLOYMENT

ModusMail Software Instructions.

Comodo Endpoint Security Manager SME Software Version 2.1

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

GFI Product Manual. Administration and Configuration Manual

McAfee. Firewall Enterprise. Application Note TrustedSource in McAfee. Firewall Enterprise. version and earlier

VMware vrealize Operations for Horizon Installation

User Management Tool 1.5

Transcription:

The following topics provide an overview of Security Intelligence, including use for blacklisting and whitelisting traffic and basic configuration. Security Intelligence Basics, page 1 Security Intelligence Configuration, page 1 Security Intelligence Strategies, page 2 Security Intelligence in Access Control Policies, page 3 Security Intelligence Basics As an early line of defense against malicious internet content, the Security Intelligence feature allows you to quickly blacklist (block) connections based on the latest reputation intelligence, removing the need for a more resource-intensive, in-depth analysis. This traffic filtering takes place at the beginning of the access control process, before potentially complex rules or deep inspection. Security Intelligence works by blocking traffic to or from IP addresses, URLs, or domain names that have a known bad reputation. (You could create access control rules that perform a similar function to Security Intelligence filtering by manually restricting traffic by IP address or URL. However, access control rules are wider in scope, more complex to configure, and cannot automatically update using dynamic feeds.) Traffic blacklisted by Security Intelligence is immediately blocked and therefore is not subject to any further inspection not for intrusions, exploits, malware, and so on, but also not for network discovery. You can override blacklisting with whitelisting to force access control rule evaluation, and, recommended in passive deployments, you can use a monitor-only setting for Security Intelligence filtering. This allows the system to analyze connections that would have been blacklisted, but also logs the match to the blacklist and generates an end-of-connection security intelligence event. Security Intelligence Configuration If you want to whitelist, blacklist, or monitor specific IP addresses, URLs, or domain names, you must configure custom objects, lists, or feeds. You have the following options: To configure network, URL, or DNS feeds, see Creating Security Intelligence Feeds. 1

Security Intelligence Strategies To configure network, URL, or DNS lists, see Updating Security Intelligence Lists. To configure network objects and object groups, see Creating Network Objects. To configure URL objects and object groups, see Creating URL Objects. Blacklisting, whitelisting, or monitoring traffic based on a DNS list or feed also requires that you: Create a DNS policy. See Creating Basic DNS Policies for more information. Configure DNS rules that reference your DNS lists or feeds. See Creating and Editing DNS Rules for more information. Because you deploy the DNS policy as part of your access control policy, you must associate both policies. See DNS Policy Deploy for more information. Security Intelligence Strategies For your convenience, Cisco provides feeds containing IP addresses, domain names, and URLs with poor reputation, as determined by Talos: the Intelligence Feed, which comprises several regularly updated collections of IP addresses. the DNS and URL Intelligence Feed, which comprises several regularly updated collections of domain names and URLs. The Intelligence Feeds keep track of open relays, known attackers, bogus IP addresses (bogon), and so on. Because the Intelligence Feeds are regularly updated, using them ensures that the system uses up-to-date information to filter your network traffic. Malicious IP addresses, domain names, and URLs that represent security threats such as malware, spam, botnets, and phishing may appear and disappear faster than you can update and deploy new policies. You can also customize the feature to suit the unique needs of your organization, for example: third-party feeds you can supplement the Intelligence Feeds with third-party reputation feeds, which are dynamic lists that the Firepower Management Center downloads from the internet on a regular basis global blacklist and custom blacklists the system allows you to manually blacklist specific IP addresses, URLs, or domain names in many ways depending on your needs whitelisting to eliminate false positives when a blacklist is too broad in scope, or incorrectly blocks traffic that you want to allow (for example, to vital resources), you can override a blacklist with a custom whitelist enforcing blacklisting by security zone to improve performance, you may want to target enforcement, for example, restricting spam blacklisting to a zone that handles email traffic monitoring instead of blacklisting especially useful in passive deployments and for testing feeds before you implement them; you can merely monitor and log the violating sessions instead of blocking them, generating end-of-connection events 2

Security Intelligence in Access Control Policies Note In passive deployments, to optimize performance, Cisco recommends that you always use monitor-only settings. Managed devices that are deployed passively cannot affect traffic flow; there is no advantage to configuring the system to block traffic. Additionally, because blocked connections are not actually blocked in passive deployments, the system may report multiple beginning-of-connection events for each blocked connection. Example: Whitelisting If a reputable feed improperly blocks your access to vital resources but is overall useful to your organization, you can whitelist only the improperly classified IP addresses, rather than removing the whole feed from the blacklist. Example: Security Intelligence by Zone You can whitelist an improperly classified URL, but then restrict the whitelist object using a security zone used by those in your organization who need to access those URLs. That way, only those with a business need can access the whitelisted URLs. Or, you could use a third-party spam feed to blacklist traffic on an email server security zone. Example: Monitor-Only Blacklisting Consider a scenario where you want to test a third-party feed before you implement blocking using that feed. When you set the feed to monitor-only, the system allows connections that would have been blocked to be further analyzed by the system, but also logs a record of each of those connections for your evaluation. Security Intelligence in Access Control Policies Access control policies and their associated DNS policies use Security Intelligence whitelists and blacklists to quickly filter networks and URLs. The system provides default lists that apply to any zone. These lists are populated by your analysts, who can quickly add individual IP addresses, URLs, and domain names using the context menu. You can opt not to use these default lists on a per-policy basis. Use the Security Intelligence tab in the access control policy editor to configure network and URL Security Intelligence, and to associate the access control policy with a DNS policy. You can set network and URL blacklisted objects, including feeds and lists, to monitor-only. This allows the system to handle connections involving blacklisted IP addresses and URLs using access control, but also logs the connection s match to the blacklist. Security Intelligence Options Object, Zone, and Blacklist Icons On the Security Intelligence tab of the access control policy editor, each type of object or zone is distinguished with an different icon. 3

Security Intelligence Options In the blacklist, objects set to block are marked with the block icon ( ) while monitor-only objects are marked with the monitor icon ( ). Because the whitelist overrides the blacklist, if you add the same object to both lists, the system displays the blacklisted object with a strikethrough. Security Intelligence in a Multidomain Deployment In a multidomain deployment, the Global domain owns the Global blacklists and whitelists. Only Global administrators can add to or remove items from the Global lists. So that subdomain users can whitelist and blacklist networks, domain names, and URLs, multitenancy uses the concepts of Domain lists and Descendant Domain lists: A Domain list is a whitelist or blacklist whose contents apply to a particular subdomain only. The Global lists are Domain lists for the Global domain. A Descendant Domain list is a whitelist or blacklist that aggregates the Domain lists of the current domain. Search Syntax for Network Objects You can search on network and URL object names and on the values configured for those objects. For example, if you have an individual network object named Texas Office with the configured value 192.168.3.0/24, and the object is included in the group object US Offices, you can display both objects by typing a partial or complete search string such as Tex, or by typing a value such as 3. Security Intelligence Zone Constraints By default, Security Intelligence filtering is not constrained by zone, that is, Security Intelligence objects have an associated zone of Any. You can constrain by only one zone. To enforce Security Intelligence filtering for an object on multiple zones, you must add the object to the whitelist or blacklist separately for each zone. Also, the default whitelist or blacklist cannot be constrained by zone. Security Intelligence Logging Security Intelligence logging, enabled by default, logs all blocked and monitored connections handled by an access control policy s target devices. However, the system does not log whitelist matches; logging of whitelisted connections depends on their eventual disposition. You must enable logging for blacklisted connections before you can set blacklisted objects to monitor-only. Security Intelligence Categories Security Intelligence Category Attacker Bogon Bots CnC Description Active scanners and blacklisted hosts known for outbound malicious activity Bogon networks and unallocated IP addresses Sites that host binary malware droppers Sites that host command and control servers for botnets 4

Configuring Security Intelligence Security Intelligence Category Dga Exploitkit Malware OpenProxy OpenRelay Phishing Response Spam Suspicious TorExitNode Description Malware algorithms used to generate a large number of domain names acting as rendezvous points with their command and control servers Software kit designed to identify software vulnerabilities in client machines Sites that host malware binaries or exploit kits Open proxies that allow anonymous web browsing Open mail relays that are known to be used for spam Sites that host phishing pages A list of IP/ URLs which seems to be actively participation in the malicious/ suspicious activity Mail hosts that are known for sending spam Files that appear to be suspicious and have characteristics that resembles known malware Tor exit nodes Configuring Security Intelligence Smart License Classic License Supported Devices Supported Domains Access Threat Protection Any Any Admin/Access Admin/Network Admin Each access control policy has Security Intelligence options. You can whitelist or blacklist network objects, URL objects and lists, and Security Intelligence feeds and lists, all of which you can constrain by security zone. You can also associate a DNS policy with your access control policy, and whitelist or blacklist domain names. Caution Changing a Security Intelligence list, except with the Whitelist IP Now or Blacklist IP Now options from the right-click context menu, restarts the Snort process, which interrupts traffic inspection, when you deploy configuration changes. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic. 5

Configuring Security Intelligence You can add up to a total of 255 network objects and 32767 URL objects and lists to the whitelists and blacklists. That is, the number of objects in the whitelists plus the number in the blacklists cannot exceed 255 network objects, or 32767 URL objects and lists. Note The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments. Before You Begin In passive deployments, or if you want to set Security Intelligence filtering to monitor-only, enable logging; see Logging Connections with Security Intelligence. Procedure Step 1 Step 2 Step 3 In the access control policy editor, click the Security Intelligence tab. If the controls are dimmed, settings are inherited from an ancestor policy, or you do not have permission to modify the configuration. If the configuration is unlocked, uncheck Inherit from base policy to enable editing. You have the following options: Click the Networks tab to add network objects. Click the URLs tab to add URL objects. Find the Available Objects you want to add to the whitelist or blacklist. You have the following options: Search the available objects by typing in the Search by name or value field. Clear the search string by clicking reload ( ) or clear ( ). If no existing list or feed meets your needs, click the add icon ( ), select New Network List or New URL List, and proceed as described in Creating Security Intelligence Feeds or Uploading New Security Intelligence Lists to the Firepower Management Center. If no existing object meets your needs, click the add icon ( ), select New Network Object or New URL Object, and proceed as described in Creating Network Objects. Security Intelligence ignores IP address blocks using a /0 netmask. Step 4 Step 5 Step 6 Step 7 Select one or more Available Objects to add. Optionally, constrain the selected objects by zone by selecting an Available Zone. You cannot constrain system-provided Security Intelligence lists by zone. Click Add to Whitelist or Add to Blacklist, or click and drag the selected objects to either list. To remove an object from a whitelist or blacklist, click its delete icon ( them and right-click to Delete Selected. ) To remove multiple objects, select Optionally, set blacklisted objects to monitor-only by right-clicking the object under Blacklist, then selecting Monitor-only (do not block). You cannot set system-provided Security Intelligence lists to monitor only. 6

Configuring Security Intelligence Step 8 Step 9 Choose a DNS policy from the DNS Policy drop-down list. Caution Associating a custom DNS policy with Security Intelligence restarts the Snort process, which interrupts traffic inspection, when you deploy configuration changes. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic.. Click Save. What to Do Next Deploy configuration changes; see Deploying Configuration Changes. 7

Configuring Security Intelligence 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information