- Title Page
- Introduction & Preface
- Logging into the FireSIGHT System
- Using Objects and Security Zones
- Managing Devices
- Setting Up an IPS Device
- Setting Up Virtual Switches
- Setting Up Virtual Routers
- Setting Up Aggregate Interfaces
- Setting Up Hybrid Interfaces
- Using Gateway VPNs
- Using NAT Policies
- Getting Started with Access Control Policies
- Blacklisting Using Security Intelligence IP Address Reputation
- Tuning Traffic Flow Using Access Control Rules
- Controlling Traffic with Network-Based Rules
- Controlling Traffic with Reputation-Based Rules
- Controlling Traffic Based on Users
- Controlling Traffic Using Intrusion and File Policies
- Understanding Traffic Decryption
- Getting Started with SSL Policies
- Getting Started with SSL Rules
- Tuning Traffic Decryption Using SSL Rules
- Understanding Intrusion and Network Analysis Policies
- Using Layers in Intrusion and Network Analysis Policies
- Customizing Traffic Preprocessing
- Getting Started with Network Analysis Policies
- Using Application Layer Preprocessors
- Configuring SCADA Preprocessing
- Configuring Transport & Network Layer Preprocessing
- Tuning Preprocessing in Passive Deployments
- Getting Started with Intrusion Policies
- Tuning Intrusion Rules
- Tailoring Intrusion Protection to Your Network Assets
- Detecting Specific Threats
- Limiting Intrusion Event Logging
- Understanding and Writing Intrusion Rules
- Blocking Malware and Prohibited Files
- Logging Connections in Network Traffic
- Working with Connection & Security Intelligence Data
- Analyzing Malware and File Activity
- Working with Intrusion Events
- Handling Incidents
- Configuring External Alerting
- Configuring External Alerting for Intrusion Rules
- Introduction to Network Discovery
- Enhancing Network Discovery
- Configuring Active Scanning
- Using the Network Map
- Using Host Profiles
- Working with Discovery Events
- Configuring Correlation Policies and Rules
- Using the FireSIGHT System as a Compliance Tool
- Creating Traffic Profiles
- Configuring Remediations
- Using Dashboards
- Using the Context Explorer
- Working with Reports
- Understanding and Using Workflows
- Using Custom Tables
- Searching for Events
- Managing Users
- Scheduling Tasks
- Managing System Policies
- Configuring Appliance Settings
- Licensing the FireSIGHT System
- Updating System Software
- Monitoring the System
- Using Health Monitoring
- Auditing the System
- Using Backup and Restore
- Specifying User Preferences
- Importing and Exporting Configurations
- Purging Discovery Data from the Database
- Viewing the Status of Long-Running Tasks
- Command Line Reference
- Security, Internet Access, and Communication Ports
- Third-Party Products
- glossary
- Understanding Compliance White Lists
- Creating Compliance White Lists
- Surveying Your Network
- Providing Basic White List Information
- Configuring Compliance White List Targets
- Configuring Compliance White List Host Profiles
- Configuring the Global Host Profile
- Creating Host Profiles for Specific Operating Systems
- Adding an Application Protocol to a Host Profile
- Adding a Client to a Host Profile
- Adding a Web Application to a Host Profile
- Adding a Protocol to a Host Profile
- Adding a Shared Host Profile to a Compliance White List
- Modifying Existing Host Profiles
- Deleting Existing Host Profiles
Using the FireSIGHT System as a Compliance Tool
A compliance white list (or white list ) is a set of criteria that allows you to specify the operating systems, applications, and protocols that are allowed to run on a specific subnet, and automatically generate an event if a host on the subnet violates the white list. For example, your security policy might state that while your web servers are allowed to run HTTP, none of the other hosts on your network are. You could create a white list that evaluates your entire network, excluding your web farm, to determine which hosts are running HTTP.
Note that you could create a correlation rule that performs this function by configuring the rule so that it triggers when:
- the system discovers new information about an application protocol
- the application protocol name is http
- the IP address of the host involved in the event is not in your web farm
However, correlation rules, which provide you with a more flexible way of alerting you and responding to policy violations on your network, are more complex to configure and maintain than white lists. Correlation rules are also wider in scope, allowing you to generate a correlation event when one of many types of event meets any criteria that you specify. On the other hand, white lists are specifically meant to help you evaluate the operating systems, application protocols, clients, web applications, and protocols that are running on your network and whether that violates your organization’s policies.
You can create custom white lists that meet your specific needs, or you can use the default white list created by the Cisco Vulnerability Research Team (VRT) that contains recommended settings for allowed operating systems, application protocols, clients, web applications, and protocols. You may also want to customize the default white list for your network environment.
If you add a white list to an active correlation policy, when the system detects that a host is violating the white list, the system logs a white list event — which is a special kind of correlation event — to the database. Further, you can configure the system to trigger responses (remediations and alerts) automatically when it detects a white list violation.
Note Although you can configure the network discovery policy to add hosts and application protocols to the network map based on data exported by NetFlow-enabled devices, the available information about these hosts and application protocols is limited. For example, there is no operating system data available for these hosts, unless you provide it using the host input feature. This may affect the way you build compliance white lists. For more information, see Differences Between NetFlow and FireSIGHT Data.
Because the system creates a host attribute for each host that indicates whether it is in compliance with any white lists you create, you can obtain an at-a-glance summary of the compliance of your network. In just a few seconds, you can determine exactly which hosts in your organization are running HTTP in violation of your policy, and take appropriate action.
Then, using the correlation feature, you can configure the system to alert you whenever a host that is not in your web farm starts running HTTP.
In addition, the system allows you to use host profiles to determine whether an individual host is violating any of the white lists you have configured, and in which way it is violating the white list. The FireSIGHT System also includes workflows that allow you to view each of the individual white list violations, as well as the number of violations per host.
Finally, you can use the dashboard to monitor recent system-wide compliance activity, including white list events and summary views of the overall white list compliance of your network.
For more information on creating and managing compliance white lists and on interpreting white list events and violations, see the following sections:
- Understanding Compliance White Lists
- Creating Compliance White Lists
- Managing Compliance White Lists
- Working with Shared Host Profiles
- Working with White List Events
- Working with White List Violations
In addition, see the following chapters and sections for more information:
- Creating Correlation Policies explains how to create and configure correlation policies that include compliance white lists, and explains how to assign responses and priorities to the white lists.
- Using Host Profiles explains how to use a host’s profile to determine whether it is violating any white lists.
- Using Dashboards explains how to obtain an at-a-glance view of your current system status, including white list compliance activity.
Understanding Compliance White Lists
A compliance white list is a set of criteria that specify the operating systems, clients, application protocols, web applications, and protocols that are allowed to run on your network. You can create custom white lists that meet your specific needs, or you can use the default white list created by the VRT that contains recommended settings.
Custom white list criteria can be simple; you can specify that only hosts running a certain operating system are allowed. Your criteria can also be complex; you can specify that while all operating systems are allowed, only hosts running a certain operating system are allowed to run a certain application protocol on a specific port.
White lists comprise two main parts: targets and host profiles . The targets are the specific hosts that are evaluated by the white list, while the host profiles specify the operating systems, clients, application protocols, web applications, and protocols that are allowed to run on the targets.
After you create a white list and add it to an active correlation policy, the system evaluates the white list’s targets against its host profiles to determine whether the targets are in compliance with the white list. After this initial evaluation, the system generates a white list event when it detects that a valid target is violating the white list.
For more information, see the following sections:
- Understanding White List Targets explains how white lists only target the hosts that you specify.
- Understanding White List Host Profiles explains the different kinds of profiles that describe which clients, application protocols, web applications, and protocols are allowed to run on your network.
- Understanding White List Evaluations explains how the system evaluates the hosts on your network against white lists, and how you can tell which hosts are in compliance and which are not.
- Understanding White List Violations explains how the system detects and notifies you of white list violations.
Understanding White List Targets
When you create a white list, you first specify the portions of your network it applies to. You can use a white list to evaluate all the hosts on your monitored network, or you can restrict the white list to evaluate only certain network segments or even individual hosts. You can further restrict the white list so that it evaluates only hosts that have a certain host attribute or that belong to a certain VLAN. A host that is eligible to be evaluated by a white list is called a valid target (or target ). A valid target:
- must be in one of the IP address blocks you specify. You can also exclude blocks of IP addresses.
- must have at least one of the host attributes you specify.
For example, you could configure a white list to evaluate only hosts that have a high host criticality. For information on host attributes, including host criticality, see Working with User-Defined Host Attributes and Working with the Predefined Host Attributes.
If a host does not meet all of these criteria, it is not evaluated against the white list, regardless of whether its host profile is in violation of the white list.
If your white list contains more than one target, a host must meet the criteria specified in only one of them to be considered valid. For example, if you create a target that includes the 10.10.x.x network and one that excludes the 10.10.x.x network, a host in that network is considered a valid target. Note that if your white list does not contain any targets, none of the hosts on your network will be evaluated against the white list.
The target networks for your white list are listed on the left of the Create White List page. Note that the default white list uses targets of 0.0.0.0/0 and ::/0, which represent the entire monitored network. If you choose to use this white list, you can leave the target network as-is or modify it to reflect your network environment.
For information on creating white list targets, see Configuring Compliance White List Targets.
Understanding White List Host Profiles
After you specify which targets the white list evaluates, the next step is to configure host profiles . Host profiles in a white list specify which operating systems, clients, application protocols, web applications, and protocols are allowed to run on the target hosts.
There are three kinds of host profiles you can configure in a white list: global host profiles, host profiles for specific operating systems, and shared host profiles. Each type of host profile appears differently when you are creating a white list.
The following table explains how to identify and access the different kinds of host profiles.
Understanding the Global Host Profile
Every white list contains a global host profile, which specifies the application protocols, clients, web applications, and protocols that are allowed to run on target hosts, regardless of the host’s operating system.
For example, instead of editing multiple Microsoft Windows and Linux host profiles to allow Internet Explorer, you can configure the global host profile to allow it regardless of the operating system on which it was detected. Note that the ARP, IP, TCP, and UDP protocols are always allowed to run on every host; you cannot disallow them. For more information, see Configuring the Global Host Profile.
Understanding Host Profiles for Specific Operating Systems
You must create one host profile for each operating system you want to allow on your network. To disallow an operating system on your network, do not create a host profile for that operating system. For example, to make sure that all the hosts on your network are running Microsoft Windows, configure the white list to only contain host profiles for that operating system.
When you create a host profile for an operating system, you can also require that it have a particular version. For example, you could require that compliant hosts run Windows 7 or Server 2008 R2.
After you create a host profile for a particular operating system, you can specify the application protocols, clients, web applications, and protocols that are allowed to run on target hosts running that operating system. For example, you could allow SSH to run on Linux hosts on port 22. You could also restrict the particular vendor and version to OpenSSH 4.2.
Note that unidentified hosts remain in compliance with all white lists until they are identified. You can, however, create a white list host profile for unknown hosts.
Note Unidentified hosts are not the same as unknown hosts. Unidentified hosts are hosts about which the system has not yet gathered enough information to identify their operating systems. Unknown hosts are hosts whose traffic has been analyzed by the system, but whose operating systems do not match any of the known fingerprints.
For more information, see Creating Host Profiles for Specific Operating Systems.
Understanding Shared Host Profiles
Shared host profiles are tied to specific operating systems, but you can use each shared host profile in more than one white list. That is, if you create multiple white lists but want to use the same host profile to evaluate hosts running a particular operating system across the white lists, use a shared host profile.
For example, if you have offices worldwide and you want to create a separate white list for each location, but always want to use the same profile for all hosts running Apple Mac OS X, you can create a shared profile for that operating system and use it in all your white lists.
The default white list represents recommended “best practices” settings for allowed operating systems, clients, application protocols, web applications, and protocols. This white list uses a special category of shared host profiles, called
built-in host profiles
. Note that built-in host profiles are marked with the built-in host profile icon (
).
Built-in host profiles use built-in application protocols, protocols, and clients. You can use these elements as-is in both the default white list and in any custom white list that you create or you can modify them to suit your needs. They are displayed in italics within the built-in host profile and in any other host profile that uses them.
Keep in mind that like all shared host profiles, if you modify a built-in host profile, it affects every white list that uses it. Likewise, if you modify a built-in application protocol, protocol, or client, it affects every white list that uses it.
For more information on shared host profiles, Working with Shared Host Profiles.
Understanding White List Evaluations
After you create white list host profiles and save the white list, you can add the white list to a correlation policy, just as you would a correlation rule. For more information, see Configuring Correlation Policies and Rules.
After you activate the correlation policy, the system evaluates the targets of the white list against the white list criteria.You can then use the host attributes network map to gain an overall view of the white list compliance of the hosts on your network.
Every host on the network is assigned a host attribute that has the same name as the white list. This host attribute has one of the following values:
- Compliant , for valid targets that are compliant with the white list
- Non-Compliant , for valid targets that violate the white list
- Not Evaluated , for invalid targets and hosts that have not yet been evaluated for any reason
Note that if your network is large and the system is in the process of evaluating all the valid targets in the network map against the white list, targets that have not yet been evaluated are marked as
Not Evaluated
. As the system completes its processing, more hosts move from
Not Evaluated
to either
Compliant
or
Non-Compliant
. The system can evaluate approximately 100 hosts per second.
Additionally, a host may be marked as
Not Evaluated
if the system has insufficient information to determine whether the host is in compliance. For example, this may occur if the system has detected a new host but has not yet gathered relevant information on the operating system, clients, application protocols, web applications, or protocols running on the host.
Note If you change or delete a host attribute from a host and that change or deletion means that the host is no longer a valid target, the host changes from either Compliant or Non-Compliant to Not Evaluated.
For more information on host attributes, see Working with the Host Attributes Network Map.
Understanding White List Violations
After the initial white list evaluation, the system generates a white list event when it detects that a valid target is violating the white list. White list events are a special kind of correlation event, and are logged to the Defense Center correlation event database. You can view white list events in a workflow, or search for specific white list events. For more information, see Working with White List Events.
White list violations occur when the system generates an event that indicates that a host is out of compliance. Similarly, discovery events may indicate that a previously non-compliant host is now compliant, although the system does not generate a white list event when this occurs.
The following events can change the compliance of a host:
- the system detects a change in a host’s operating system
- the system detects an identity conflict for a host’s operating system or an application protocol on the host
- the system detects a new TCP server port (for example, a port used by SMTP or web servers) active on a host, or a new UDP server running on a host
- the system detects a change in a discovered TCP or UDP server running on a host, for example, a version change due to an upgrade
- the system detects a new client running on a host
- the system drops a client from its database due to inactivity
- the system detects a new web application running on a host
- the system drops a web application from a host profile due to inactivity
- the system detects that a host is communicating with a new network protocol, such as Novell Netware or IPv6, or a new transport protocol, such as ICMP or EGP
- the system detects a new mobile device that is jailbroken
- the system detects that a TCP or UDP port has closed or timed out on a host
In addition, you can trigger a compliance change for a host by using the host input feature or the host profile to:
- add a client, protocol, or server to a host
- delete a client, protocol, or server from a host
- set the operating system definition for a host
- change a host attribute for a host so that the host is no longer a valid target
For example, if your white list specifies that only Microsoft Windows hosts are allowed on your network, and the system detects that the host is now running Mac OS X, the system generates a white list event. In addition, the host attribute associated with the white list changes its value from
Compliant
to
Non-Compliant
for that host.
For the host in this example to come back into compliance, one of the following must occur:
- you edit the white list so that the Mac OS X operating system is allowed
- you manually change the operating system definition of the host to Microsoft Windows
- the system detects that the operating system has changed back to Microsoft Windows
In any case, the host attribute associated with the white list changes its value from N
on-Compliant
to
Compliant
for that host.
As another example, if your compliance white list disallows the use of FTP, and you then delete FTP from the application protocols network map or from an event view, hosts running FTP become compliant. However, if the system detects the application protocol again, the system generates a white list event and the hosts become non-compliant.
Note that if the system generates an event that contains insufficient information for the white list, the white list does not trigger. For example, consider a scenario where your white list specifies that you allow only TCP FTP traffic on port 21. Then, the system detects that port 21, using the TCP protocol, has become active on one of the white list targets, but the system is unable to determine whether the traffic is FTP. In this scenario, the white list does not trigger until either the system identifies the traffic as something other than FTP traffic or you use the host input feature to designate the traffic as non-FTP traffic.
Note During the initial evaluation of a white list, the system does not generate white list events for non-compliant hosts. If you want to generate white list events for all non-compliant targets, you must purge the Defense Center database. This causes the hosts on your network and their associated clients, application protocols, web applications, and protocols to be rediscovered, which may trigger white list events. For more information, see Purging Discovery Data from the Database.
Finally, you can configure the system to trigger responses automatically when it detects a white list violation. Responses include remediations (such as running an Nmap scan), alerts (email, SNMP, and syslog alerts), or combination of alerts and remediations. For more information, see Adding Responses to Rules and White Lists.
Creating Compliance White Lists
When you create a white list, you can survey either your entire network or a specific network segment. Surveying the network populates the white list with one host profile for each operating system that the system has detected on the network segment. By default, these host profiles allow all of the clients, application protocols, web applications, and protocols that the system has detected on the applicable operating systems.
Then, you must specify the targets of the white list. You can configure a white list to evaluate all the hosts on your monitored network, or you can restrict the white list to evaluate only certain network segments or even individual hosts. You can further restrict the white list so that it evaluates only hosts that have a certain host attribute or that belong to a certain VLAN. If you surveyed your network, by default the network segment that you surveyed represents the white list targets. You can edit or delete the surveyed network, or you can add new targets.
Next, create host profiles that represent compliant hosts. Host profiles in a white list specify which operating systems, clients, application protocols, web applications, and protocols are allowed to run on the target hosts. You can configure the global host profile, edit the host profiles created by any network survey your performed, as well as add new host profiles, and add and edit shared host profiles.
Finally, save the white list and add it to an active correlation policy. The system begins evaluating the target hosts for compliance, generating white list events when a host violates the white list, and triggering any responses you have configured to white list violations. For a more detailed introduction to compliance white lists, see Understanding Compliance White Lists.
Tip You can also create a white list from a table view of hosts. For more information, see Creating a Compliance White List Based on Selected Hosts.
To create a compliance white list:
Step 1 Select Policies > Correlation , then click White List .
The Survey Network page appears.
Step 3 Optionally, survey your network:
- To survey your network, see Surveying Your Network.
- To create a white list without surveying your network, click Skip and continue with the next step.
The Create White List page appears.
Step 4 In the Name field, type a name for the new white list.
Step 5 In the Description field, type a short description of the white list.
Step 6 To allow jailbroken mobile devices on your network, enable Allow Jailbroken Mobile Devices . To cause all jailbroken devices evaluated by the white list to generate a white list violation, disable the option.
Step 7 Specify the targets for the white list. You can edit or delete the targets created by a network survey as well as add new targets. Optionally, further restrict targets based on host attributes or VLAN ID. For more information, see Configuring Compliance White List Targets.
Step 8 Create host profiles that represent compliant hosts. You can configure the global host profile, edit the host profiles created by a network survey, as well as add new host profiles and add and edit shared host profiles. For more information, see Configuring Compliance White List Host Profiles.
Step 9 Click Save White List to save your white list.
The white list is saved. You can now add it to an active correlation policy to begin evaluating the target hosts for compliance, generating white list events when a host violated the white list, and, optionally triggering responses to white list violations. For more information, see Creating Correlation Policies.
Surveying Your Network
When you begin creating a compliance white list, you can survey either your entire network or a specific network segment.
Surveying your network gathers data from the database about the application protocols, clients, web applications, and protocols running on the different detected operating systems. Then, the system creates one host profile within the white list for each detected operating system. By default, these host profiles allow all of the detected clients, application protocols, web applications, and protocols that the system has detected on each applicable operating systems.
This creates a baseline white list so that you do not have to manually create and configure multiple host profiles. After you survey your network, you can then edit or delete the host profiles that the survey created to suit your needs; you can also add any other host profiles you might need.
Note that you can survey your network at any time during the white list creation process. This can add additional allowed clients, application protocols, web applications, and protocols to the host profiles that already exist, and can create additional host profiles if the survey detects hosts running operating systems that were not detected during the initial survey. If you resurvey your network within a white list that is used within an active correlation policy, and the survey changes either your targets or host profiles, the target hosts are re-evaluated when you save the white list. Although this re-evaluation may bring some hosts into compliance, it does not generate any white list events.
To begin creating a compliance white list by surveying your network:
Step 1 Select Policies > Correlation , then click White List .
The Survey Network page appears.
Step 3 Do you want to survey your network?
The Create White List page appears and displays a blank white list. Continue with the procedure in the next section, Providing Basic White List Information.
Step 4 In the IP Address and Netmask fields, enter the IP address and network mask (in special notation such as CIDR) that represent the hosts you want to survey.
Make sure to specify a network that you configured the system to monitor in the network discovery policy. For information on using IP address notation in the FireSIGHT System, see IP Address Conventions.
Tip To survey the entire monitored network, use the default values of 0.0.0.0/0 and ::/0.
The Create White List page appears.
The white list is pre-populated; its targets are the hosts in the network you surveyed and its allowed host profiles are those of the targets.
Step 6 To survey additional networks, click Target Network and repeat steps 4 and 5 for each additional network you want to survey.
Surveying an additional network can add additional allowed clients, application protocols, web applications, and protocols to the host profiles that already exist, and can create additional host profiles if the survey detects hosts running operating systems that were not detected during the initial survey. Surveying an additional network also adds a target to the white list that represents the hosts in the network segment that you surveyed. You can then edit or delete this target.
Step 7 Continue with the next section, Providing Basic White List Information.
Providing Basic White List Information
You must give each white list a name, and, optionally, a short description. In addition, you can choose whether jailbroken mobile devices should cause a white list violation.
To provide basic white list information:
Step 1 In the Name field, type a name for the new white list.
Step 2 In the Description field, type a short description of the white list.
Step 3 To allow jailbroken mobile devices on your network, enable Allow Jailbroken Mobile Devices . To cause all jailbroken devices evaluated by the white list to generate a white list violation, disable the option.
Step 4 Continue with the next section, Configuring Compliance White List Targets.
Configuring Compliance White List Targets
When you create a compliance white list, you must specify the portions of your network it applies to. You can use a white list to evaluate all the hosts on your monitored network, or you can restrict the white list to evaluate only certain network segments or even individual hosts. You can further restrict the white list so that it evaluates only hosts that have a certain host attribute or that belong to a certain VLAN. A host that is eligible to be evaluated by a white list is called a target . For a more detailed introduction to white list targets, see Understanding White List Targets.
When you are finished creating compliance white list targets, continue with Configuring Compliance White List Host Profiles.
Note If you change or delete a host attribute from a host and that modification means that the host is no longer a valid target, the host is no longer evaluated by the white list and is considered neither compliant nor non-compliant.
For information on how to modify and delete targets, see:
When you create a target for a compliance white list, you specify the criteria a host must meet to be evaluated against the white list. A valid target:
- must be in one of the IP address blocks you specify. You can also exclude blocks of IP addresses.
- must have at least one of the host attributes you specify.
- must belong to one of the VLANs you specify.
Note that if you add a target to a white list that is used by an active correlation policy, after you save the white list, the new target hosts are evaluated for compliance. However, this evaluation does not generate white list events.
To create a compliance white list target:
Step 1 On the Create White List Page, next to
Target Networks
, click the add icon (
).
The settings for the new target appear.
Tip You can also create a new target by surveying a network segment. On the Create White List page, click Target Network, then follow steps 4 and 5 in Surveying Your Network. The new target is created and is named according to the IP addresses you specified. Click the target you just created and continue with the rest of this procedure to rename the target, add or exclude additional networks, and add host attribute or VLAN restrictions.
Step 2 In the Name field, type a name for the new target.
Step 3 Target a specific set of IP addresses by clicking the add icon (
) next to
Targeted Networks
.
Step 4 In the IP Address and Netmask fields, enter the IP address and network mask (in special notation, such as CIDR) that represent the hosts you want to target or exclude from targeting.
You should make sure that you specify a network that you configured the system to monitor in your network discovery policy. For information on using IP address notation in the FireSIGHT System, see IP Address Conventions.
Tip To target the entire monitored network, use 0.0.0.0/0 and ::/0.
Step 5 If you want to exclude the network from monitoring, select Exclude .
Step 6 To add additional networks, repeat steps 4 and 5.
Step 7 Target hosts that have a specific host attribute by clicking Add next to Targeted Host Attributes .
Step 8 From the Attribute and Value drop-down lists, specify the host attribute.
Step 9 To add additional host attributes, repeat steps 7 and 8.
A host must have at least one of the host attributes you specify to be evaluated against the white list.
Step 10 Target hosts that belong to a specific VLAN by clicking Add next to Targeted VLANs .
Step 11 In the VLAN ID field, specify the VLAN IDs of the hosts you want to evaluate against the white list. This can be any integer between 0 and 4095 for 802.1q VLANs.
Step 12 To add additional VLAN IDs, repeat steps 10 and 11.
The host must be a member of one of the VLANs you specify to be evaluated against the white list.
Tip To remove a network, host attribute restriction, or VLAN restriction, click the delete icon (
) next to the element you want to delete.
Modifying Existing Targets
After you modify a target, you must save the white list for your changes to take effect. Note that if you modify a target in a white list that is used by an active correlation policy, after you save the white list, any new target hosts are evaluated for compliance. However, this evaluation does not generate white list events. In addition, the system changes the white list host attribute of previously valid targets to
Not Evaluated
.
Step 1 On the Create White List page, under Targets , click the target you want to modify.
The settings for the target appear.
Step 2 Make changes as needed.
You can rename the target, add or exclude additional networks, and add host attribute or VLAN restrictions. For more information, see Configuring Compliance White List Targets.
Deleting Existing Targets
After you delete a target, you must save the white list for your changes to take effect. Note that if you delete a target from a white list that is used by an active correlation policy, the system changes the white list host attribute of previously valid targets to
Not Evaluated
.
To delete a white list target:
Step 1 Next to the target you want to delete, click the delete icon (
).
Step 2 When prompted, confirm that you want to delete the target.
Configuring Compliance White List Host Profiles
Host profiles in a compliance white list specify which operating systems, clients, application protocols, web applications, and protocols are allowed to run on the target hosts. There are three kinds of host profiles you can configure in a white list:
- global host profiles, which specify the application protocols, clients, web applications, and protocols that are allowed to run on target hosts, regardless of the host’s operating system
- host profiles for specific operating systems, which specify not only which operating systems are allowed to run on your network, but also the application protocols, clients, web applications, and protocols that are allowed to run on those operating systems
- shared host profiles, which function exactly like the host profiles for specific operating systems, except they are not tied to a single white list; you can use them across multiple white lists
For a more detailed introduction to compliance white list host profiles, see Understanding White List Host Profiles.
When you are finished creating compliance white list host profiles, you can add the white list to an active correlation policy to begin evaluating the target hosts for compliance, generating white list events when a host violated the white list, and optionally, triggering responses based on white list violations.
For information on how to create, modify, and delete compliance white list host profiles, see:
Configuring the Global Host Profile
Every white list contains a global host profile, which specifies the application protocols, clients, web applications, and protocols that are allowed to run on target hosts, regardless of the host’s operating system. For a more detailed introduction to the global host profile, see Understanding the Global Host Profile.
To configure the global host profile:
Step 1 On the Create White List page, under Allowed Host Profiles , click Any Operating System .
The settings for the global host profile appear.
Step 2 To specify the application protocols you want to allow, follow the directions in Adding an Application Protocol to a Host Profile.
Step 3 To specify the clients you want to allow, follow the directions in Adding a Client to a Host Profile.
Step 4 To specify the web applications you want to allow, follow the directions in Adding a Web Application to a Host Profile.
Step 5 To specify the protocols you want to allow, follow the directions in Adding a Protocol to a Host Profile.
Note that ARP, IP, TCP, and UDP are always allowed.
Creating Host Profiles for Specific Operating Systems
Host profiles for specific operating systems indicate not only which operating systems are allowed to run on your network, but also the application protocols, clients, web applications, and protocols that are allowed to run on those operating systems. For a more detailed introduction, see Understanding Host Profiles for Specific Operating Systems.
To create a new compliance white list host profile for a specific operating system:
Step 1 Next to
Allowed Host Profiles
, click the add icon (
).
The settings for the new host profile appear.
Step 2 In the Name field, type a descriptive name for the host profile.
Step 3 From the OS Vendor , OS Name , and Version drop-down lists, pick the operating system and version for which you want to create a host profile.
Step 4 Specify the application protocols you want to allow. You have three options:
- To allow all application protocols, leave the Allow all Application Protocols check box selected.
- To allow no application protocols, clear the Allow all Application Protocols check box.
- To allow specific application protocols, follow the directions in Adding an Application Protocol to a Host Profile.
Step 5 Specify the clients you want to allow. You have three options:
- To allow all clients, leave the Allow all Clients check box selected.
- To allow no clients, clear the Allow all Clients check box.
- To allow specific clients, follow the directions in Adding a Client to a Host Profile.
Step 6 Specify the web applications you want to allow. You have three options:
- To allow all web applications, leave the Allow all Web Applications check box selected.
- To allow no web applications, clear the Allow all Web Applications check box.
- To allow specific web applications, follow the directions in Adding a Web Application to a Host Profile.
Step 7 Specify the protocols you want to allow.
To add a protocol, next to Allowed Protocols , follow the directions in Adding a Protocol to a Host Profile. Note that ARP, IP, TCP, and UDP are always allowed.
Adding an Application Protocol to a Host Profile
You can configure a compliance white list, using either a shared host profile or a host profile that belongs to a single white list, to allow certain application protocols to run on specific operating systems. You can also configure a white list to allow certain application protocols to run on any valid target; these are called globally allowed application protocols.
For any allowed application protocol, you can either specify the type of application protocol that you want to allow — FTP and SSH are examples of application protocol types — or you can allow a custom application protocol by specifying an application protocol type of
any
. You must also specify the protocol the allowed application protocol uses (TCP or UDP). You can allow the application protocol on any port, or restrict it to a port that you specify.
Optionally, you can require that the application protocol server have a specific vendor or version. For example, you could allow SSH to run on Linux hosts on port 22. You could also restrict the particular vendor and version to OpenSSH 4.2.
To add an application protocol to a compliance white list host profile:
Step 1 While you are creating or modifying a white list host profile, click the add icon (
)next to
Allowed Application Protocols
(or next to
Globally Allowed Application Protocols
if you are modifying the Any Operating System host profile).
A pop-up window appears. The application protocols listed are:
- application protocols that you created within the white list
- application protocols that existed in the network map when you surveyed your networks as described in Surveying Your Network
- application protocols that are used by other host profiles in the white list, which may include built-in application protocols created by the VRT for use in the default white list
The application protocol is added. Note that if you added a built-in application protocol, its name appears in italics. You can skip the rest of the procedure, or optionally, to change any of the application protocol’s values (such as the port or protocol), click the application protocol you just added to display the application protocol editor.
The application protocol editor appears.
Step 3 From the Type drop-down list, select the application protocol type. For custom application protocols, select any .
Step 4 Specify the application protocol port. You have two options:
Step 5 From the Protocol drop-down list, select the protocol: TCP or UDP .
Step 6 Optionally, in the Vendor and Version fields, specify a vendor and version for the application protocol.
If you do not specify a vendor or version, the white list allows all vendors and versions as long as the type and protocol match. Note that if you restrict the vendor and version, you must make sure to specify them exactly as they would appear in an event view or in the application protocols network map.
The application protocol is added. Note that you must save the white list for your changes to take effect.
If you added an application protocol to a white list that is used by an active correlation policy, after you save the white list, the target hosts are re-evaluated. Although this re-evaluation may bring some hosts into compliance, it does not generate any white list events.
Adding a Client to a Host Profile
You can configure a compliance white list, using either a shared host profile or a host profile that belongs to a single white list, to allow certain client applications to run on specific operating systems. You can also configure a white list to allow certain clients to run on any valid target; these are called globally allowed clients.
Optionally, you can require that the client be a specific version. For example, you could allow only Microsoft Internet Explorer 8.0 to run on Microsoft Windows hosts.
To add a client to a compliance white list host profile:
Step 1 While you are creating or modifying a white list host profile, click the add icon (
) next to
Allowed Clients
(or next to
Globally Allowed Clients
if you are modifying the Any Operating System host profile).
A pop-up window appears. The clients listed are:
- clients that you created within the white list
- clients that were running on hosts in the network map when you surveyed your networks as described in Surveying Your Network
- clients that are used by other host profiles in the white list, which may include built-in clients created by the VRT for use in the default white list
The client is added. Note that if you added a built-in client, its name appears in italics. You can skip the rest of the procedure, or optionally, to change any of the client’s values (such as its version), click the client you just added to display the client editor.
Step 3 From the Client drop-down list, select the client.
Step 4 Optionally, in the Version field, specify a version for the client.
If you do not specify a version, the white list allows all versions as long as the name matches. Note that if you restrict the version, you must specify it exactly as it would appear in a table view of clients.
The client is added. Note that you must save the white list for your changes to take effect.
If you added a client to a white list that is used by an active correlation policy, after you save the white list, the target hosts are re-evaluated. Although this re-evaluation may bring some hosts into compliance, it does not generate any white list events.
Adding a Web Application to a Host Profile
You can configure a compliance white list, using either a shared host profile or a host profile that belongs to a single white list, to allow certain web applications to run on specific operating systems. You can also configure a white list to allow certain web applications to run on any valid target; these are called globally allowed web applications.
To add a web application to a compliance white list host profile:
Step 1 While you are creating or modifying a white list host profile, click the add icon (
) next to
Allowed Web Applications
(or next to
Globally Allowed Web Applications
if you are modifying the Any Operating System host profile).
A pop-up window appears, listing all web applications detected by the system.
Step 2 Select a web application and click OK . Use Ctrl or Shift while clicking to select multiple web applications. You can also click and drag to select multiple adjacent web applications.
The web application is added. Note that you must save the white list for your changes to take effect.
If you added a web application to a white list that is used by an active correlation policy, after you save the white list, the target hosts are re-evaluated. Although this re-evaluation may bring some hosts into compliance, it does not generate any white list events.
Adding a Protocol to a Host Profile
You can configure a compliance white list, using either a shared host profile or a host profile that belongs to a single white list, to allow certain protocols to run on specific operating systems. You can also configure a white list to allow certain protocols to run on any valid target; these are called globally allowed protocols. Note that ARP, IP, TCP, and UDP are always allowed to run on any host; you cannot disallow them.
For any allowed protocol, you must specify its type (Network or Transport) and number.
To add a protocol to a compliance white list host profile:
Step 1 While you are creating or modifying a white list host profile, click the add icon (
) next to
Allowed Protocols
(or next to
Globally Allowed Protocols
if you are modifying the Any Operating System host profile).
A pop-up window appears. The protocols listed are:
- protocols that you created within the white list
- protocols that were running on hosts in the network map when you surveyed your networks as described in Surveying Your Network
- protocols that are used by other host profiles in the white list, which may include built-in protocols created by the VRT for use in the default white list
The protocol is added. Note that if you added a built-in protocol, its name appears in italics. You can skip the rest of the procedure, or optionally, to change any of the protocol’s values (such as the type or number) click the protocol you just added to display the protocol editor.
Step 3 From the Type drop-down list, select the protocol type: Network or Transport .
Step 4 Specify the protocol. You have two options:
- Select a protocol from the drop-down list.
- Select Other (manual entry) to specify a protocol that is not in the list. For network protocols, type the appropriate number as listed in http://www.iana.org/assignments/ethernet-numbers/ . For transport protocols, type the appropriate number as listed in http://www.iana.org/assignments/protocol-numbers/ .
The protocol is added. Note that you must save the white list for your changes to take effect.
If you added a protocol to a white list that is used by an active correlation policy, after you save the white list, the target hosts are re-evaluated. Although this re-evaluation may bring some hosts into compliance, it does not generate any white list events.
Adding a Shared Host Profile to a Compliance White List
Shared host profiles are also tied to specific operating systems, but you can use them across white lists. That is, if you create multiple white lists but want to use the same host profile to evaluate hosts running a particular operating system across the white lists, use a shared host profile.
You can add any of the built-in shared host profiles to your compliance white lists, or you can add shared host profiles that you created. For more information, see Understanding Shared Host Profiles and Creating Shared Host Profiles.
To add a shared host profile to a compliance white list:
Step 1 On the Create White List page, click Add Shared Host Profile .
The Add Shared Host Profile page appears.
Step 2 From the Name drop-down list, select the shared host profile you want to add to your white list, and click OK .
The shared host profile is added to your white list and the Create White List page appears again. The shared host profile’s name appears in italics under Allowed Host Profiles.
Tip You can edit a shared host profile from within a white list that uses it by clicking on the profile name under Allowed Host Profiles. For more information, see Modifying Existing Host Profiles.
Modifying Existing Host Profiles
After you modify a host profile within a compliance white list, you must save the white list for your changes to take effect.
If a host profile you modify belongs to a white list used in an active correlation policy, modifying the profile may bring hosts into or out of compliance but does not generate white list events. Further, modifying a shared host profile affects every white list that uses it. This may bring hosts into or out of compliance not only in the white list you are working with, but in other white lists as well.
Tip As with other shared host profiles, you can edit the built-in host profiles used by the default white list. You can also reset them to their factory defaults. For more information, see Resetting Built-In Host Profiles to Their Factory Defaults.
To modify an existing host profile:
Step 1 On the Create White List page, click the name of the host profile you want to modify.
The settings for the host profile appear. Note that if you are editing a shared host profile, an
Edit
link appears next to the name of the host profile. If you are editing a built-in host profile, the built-in host profile icon (
) also appears.
A pop-up window appears. Make changes as needed as described in the table below. Click Save All Profiles to save the profile, then click Done to close the pop-up window.
For more information editing shared host profiles, see Modifying a Shared Host Profile.
Step 1 Type a new name in the Name field.
To change the operating system for the host profile:
Step 1 Select the new operating system and version from the OS Vendor , OS Name , and Version drop-down lists.
If you change these values, you may also want to rename the host profile. Note that a white list’s global host profile has no operating system associated with it, so you cannot change it.
To add an application protocol:
Step 1 Follow the directions in Adding an Application Protocol to a Host Profile.
Step 1 Follow the directions in Adding a Client to a Host Profile.
Step 1 Follow the directions in Adding a Web Application to a Host Profile.
Step 1 Follow the directions in Adding a Protocol to a Host Profile.
To allow all application protocols:
Step 1 Under Allowed Application Protocols , select the Allow all Application Protocols check box.
Note that the check box does not appear until you delete any application protocols you have previously allowed.
Step 1 Under Allowed Clients , select the Allow all Clients check box.
Note that the check box does not appear until you delete any clients you have previously allowed.
To allow all web applications:
Step 1 Under Allowed Web Applications , select the Allow all Web Applications check box.
Note that the check box does not appear until you delete any web applications you have previously allowed.
To modify an application protocol, client, web application, or protocol:
Step 1 Click the element you want to modify.
For more information on the properties you can change, see:
Note The changes you make to an application protocol, client, web application, or protocol are reflected in every host profile that uses that element.
To delete an application protocol, client, web application, or protocol:
Step 1 Next to the element you want to delete, click the delete icon (
).
Step 1 Click Survey Network . Surveying your network can add additional allowed clients, application protocols, and protocols to the host profiles that already exist, and can create additional host profiles if the survey detects hosts running operating systems that were not detected during any initial survey. For more information, see Surveying Your Network.
Deleting Existing Host Profiles
After you delete a host profile from a compliance white list, you must save the white list for your changes to take effect. Note that deleting a shared host profile removes it from the white list, but does not delete the profile or remove it from any other white lists that use it. You cannot delete a white list’s global host profile.
If the host profile you delete belongs to one or more white lists used in an active correlation policy, deleting the profile may force hosts out of compliance, but does not generate white list events.
To delete a compliance white list host profile:
Step 1 On the Create White List page, next to the host profile you want to delete, click the delete icon (
).
Step 2 When prompted, confirm that you want to delete the host profile.
Managing Compliance White Lists
Use the White List page to manage compliance white lists. You can create, modify, and delete white lists, including the default white list. You can also edit any shared host profiles you have created, as well as the built-in shared host profiles, and add new shared host profiles. For more information, see:
- Creating Compliance White Lists
- Modifying a Compliance White List
- Deleting a Compliance White List
- Working with Shared Host Profiles
Modifying a Compliance White List
When you modify a compliance white list that is included in an active correlation policy, the system re-evaluates the target hosts. Note that the system does not generate white list events — and therefore does not trigger any responses you associated with the white list — during this re-evaluation, even if the white list is included in an active correlation policy and a previously compliant host becomes non-compliant with the updated white list.
To modify an existing compliance white list:
Step 1 Select Policies > Correlation , then click White List .
Step 2 Next to the white list you want to modify, click the edit icon (
).
The Create White List page appears.
Step 3 Make modifications as necessary and click Save White List .
Deleting a Compliance White List
You cannot delete a compliance white list that you are using in one or more correlation policies; you must first delete the white list from all policies where it is used. For information on deleting a white list from a policy, see Editing a Correlation Policy.
Deleting a white list also removes the host attribute associated with the white list from all hosts on your network.
To delete an existing compliance white list:
Step 1 Select Policies > Correlation , then click White List .
Step 2 Next to the white list you want to delete, click the delete icon (
).
Working with Shared Host Profiles
Shared host profiles specify which operating systems, clients, application protocols, web applications, and protocols are allowed to run on target hosts across multiple white lists. That is, if you create multiple white lists but want to use the same host profile to evaluate hosts running a particular operating system across the white lists, use a shared host profile. Note that the default white list uses a special category of shared host profiles, called built-in host profiles .
For a more detailed introduction to shared host profiles, see Understanding Shared Host Profiles.
You can create, modify, and delete shared host profiles. In addition, if you modify or delete any of the built-in shared host profiles, or modify or delete any of the built-in application protocols, protocols, or clients, you can reset them to their factory defaults. For more information, see:
- Creating Shared Host Profiles
- Modifying a Shared Host Profile
- Deleting a Shared Host Profile
- Resetting Built-In Host Profiles to Their Factory Defaults
After you create a shared host profile, you can add it to multiple white lists. For more information, see Adding a Shared Host Profile to a Compliance White List.
Creating Shared Host Profiles
Create a shared host profile if you want to use the same host profile to evaluate hosts running a particular operating system across multiple white lists.
Tip You can also create a shared host profile for your compliance white lists using the host profile of a specific host. For more information, see Creating a White List Host Profile from a Host Profile.
To create a shared host profile:
Step 1 Select Policies > Correlation , then click White List .
Step 2 Click Edit Shared Profiles .
The Edit Shared Profiles page appears.
Step 3 Optionally, survey your network.
Surveying your network creates several baseline shared white lists based on the data the system has accumulated about your network. This saves you from manually creating and configuring multiple shared host profiles. You have two options:
- To survey your network, click Survey Network . For more information, see Surveying Your Network.
The system creates one or more baseline shared host profiles. You can edit or delete these shared host profiles as described in Modifying a Shared Host Profile and Deleting a Shared Host Profile. To add any other shared host profiles you might need, continue with the next step.
Step 4 Next to
Shared Host Profiles
, click the add icon (
).
The settings for the new shared host profile appear.
Step 5 In the Name field, type a descriptive name for the shared host profile.
Step 6 From the OS Vendor , OS Name , and Version drop-down lists, pick the operating system and version for which you want to create a shared host profile.
Step 7 Specify the application protocols you want to allow. You have three options:
- To allow all application protocols, select the Allow all Application Protocols check box.
- To allow no application protocols, leave the Allow all Application Protocols check box cleared.
- To allow specific application protocols, next to Allowed Application Protocols , follow the directions in Adding an Application Protocol to a Host Profile.
Step 8 Specify the clients you want to allow. You have three options:
- To allow all clients, select the Allow all Clients check box.
- To allow no clients, leave the Allow all Clients check box cleared.
- To allow specific clients, follow the directions in Adding a Client to a Host Profile.
Step 9 Specify the web applications you want to allow. You have three options:
- To allow all web applications, select the Allow all Web Applications check box.
- To allow no web applications, leave the Allow all Web Applications check box cleared.
- To allow specific web applications, follow the directions in Adding a Web Application to a Host Profile.
Step 10 Specify the protocols you want to allow.
To add a protocol, next to Allowed Protocols , follow the directions in Adding a Protocol to a Host Profile. Note that ARP, IP, TCP, and UDP are always allowed.
Step 11 Click Save all Profiles to save your changes.
The shared host profile is created. You can now add the shared host profile to any compliance white list.
Modifying a Shared Host Profile
Modifying a shared host profile changes the profile for all the white lists it belongs to. For the white lists that use the shared host profile and are also used in an active correlation policy, modifying a shared host profile may bring hosts into or out of compliance, but does not generate white list events.
The following table describes the actions you can take to modify a shared host profile.
select the new operating system and version from the OS Vendor , OS Name , and Version drop-down lists. If you change these values, you may also want to rename the host profile. |
|
follow the directions in Adding an Application Protocol to a Host Profile. |
|
follow the directions in Adding a Client to a Host Profile. |
|
follow the directions in Adding a Web Application to a Host Profile. |
|
follow the directions in Adding a Protocol to a Host Profile. |
|
under Allowed Application Protocols , select the Allow all Application Protocols check box. Note that the check box does not appear until you delete any application protocols you have previously allowed. |
|
under Allowed Clients , select the Allow all Clients check box. Note that the check box does not appear until you delete any clients you have previously allowed. |
|
under Allowed Web Applications , select the Allow all Web Applications check box. Note that the check box does not appear until you delete any clients you have previously allowed. |
|
modify an application protocol, client, web application, or protocol |
click the element you want to modify. For more information on the properties you can change, see:
Note The changes you make to an application protocol, client, or protocol are reflected in every host profile that uses that element. |
delete an application protocol, client, web application, or protocol |
next to the element you want to delete, click the delete icon ( |
click Survey Network . Surveying your network can add additional allowed clients, application protocols, web applications, and protocols to the host profiles that already exist, and can create additional host profiles if the survey detects hosts running operating systems that were not detected during any initial survey. For more information, see Surveying Your Network. |
To modify a shared host profile:
Step 1 Select Policies > Correlation , then click White List .
Step 2 Click Edit Shared Profiles .
The Edit Shared Profiles page appears.
Step 3 Do you want to edit one of the built-in shared host profiles?
Step 4 Click the name of the shared host profile you want to modify.
Step 5 Perform any of the actions described in Table 52-2.
Step 6 Click Save all Profiles to save your changes.
The shared host profile is saved.
Deleting a Shared Host Profile
If the shared host profile you delete belongs to one or more white lists used in an active correlation policy, deleting the profile may force hosts out of compliance, but does not generate white list events.
Tip If you delete a built-in shared host profile that is used by the default white list, you can restore it by resetting the built-in profiles to their factory defaults. For more information, see Resetting Built-In Host Profiles to Their Factory Defaults.
To delete a shared host profile:
Step 1 Select Policies > Correlation , then click White List .
Step 2 Click Edit Shared Profiles .
The Edit Shared Profiles page appears.
Step 3 Do you want to delete one of the built-in shared host profiles?
Step 4 Next to the shared host profile you want to delete, click the delete icon (
).
Confirm that you want to delete the shared host profile.
Step 5 Click Save all Profiles to save your changes.
The shared host profile is deleted and removed from all compliance white lists that use it.
Resetting Built-In Host Profiles to Their Factory Defaults
The default white list uses a special category of shared host profiles, called built-in host profiles . Built-in host profiles use built-in application protocols, protocols, and clients. You can use any these elements as-is in both the default white list and in any custom white list that you create, or you can modify them to suit your needs. For more information, see Understanding Shared Host Profiles.
If you make changes to the built-in profiles, application protocols, protocols, web applications, or clients that you need to undo, you can reset to factory defaults. When you reset to factory defaults, the following things occur:
- All built-in host profiles, application protocols, protocols, and clients that you modified are reset to their factory defaults.
- All built-in host profiles, application protocols, protocols, and clients that you deleted are restored.
- All white lists (including the default white list) that are used by active correlation policies and that used any of the reset built-in host profiles, application protocols, protocols, or clients are re-evaluated. Although this re-evaluation may change the compliance of some hosts into compliance, it does not generate any white list events.
To reset built-in host profiles, application protocols, protocols, and clients:
Step 1 Select Policies > Correlation , then click White List .
Step 2 Click Edit Shared Profiles .
The Edit Shared Profiles page appears.
Step 3 Click Built-in Host Profiles .
The Built-in Host Profiles page appears.
Step 4 Click Reset to Factory Defaults .
Step 5 Confirm that you want to reset to factory defaults by clicking OK .
All built-in host profiles, application protocols, protocols, and clients are reset to factory defaults. Any white list that is used by an active correlation policy and that used any of the reset built-in host profiles, application protocols, protocols, or clients is re-evaluated.
Working with White List Events
When the system generates a discovery event that indicates that a host is out of compliance with a white list that is included in an activated correlation policy, a white list event is generated. White list events are a special kind of correlation event, and are logged to the correlation event database. You can search, view, and delete white list events.
Tip For information on configuring the number of events saved in the database, see Configuring Database Event Limits. Note that white list events are stored in the correlation event database.
For more information, see the following sections:
- Viewing White List Events
- Understanding the White List Events Table
- Searching for Compliance White List Events
Viewing White List Events
You can use the Defense Center to view a table of compliance white list events. Then, you can manipulate the event view depending on the information you are looking for.
The page you see when you access white list events differs depending on the workflow you use. You can use the predefined workflow, which includes the table view of white list events. You can also create a custom workflow that displays only the information that matches your specific needs. For information on creating a custom workflow, see Creating Custom Workflows.
The following table describes some of the specific actions you can perform on an white list events workflow page.
click the host profile icon ( |
|
click the user icon ( |
|
find more information in Sorting Drill-Down Workflow Pages. |
|
find more information in Navigating to Other Pages in the Workflow. |
|
navigate between pages in the current workflow, keeping the current constraints |
click the appropriate page link at the top left of the workflow page. For more information, see Using Workflow Pages. |
find more information in Understanding the White List Events Table. |
|
find more information in see Setting Event Time Constraints. |
|
drill down to the next page in the workflow, constraining on a specific value |
use one of the following methods:
For more information, see Constraining Events. |
find more information in Navigating Between Workflows. |
) that appears next to the IP address.
)that appears next to the user identity. For more information, see To view compliance white list events:
Access: Admin/Any Security Analyst/Discovery Admin
Step 1 Select Analysis > Correlation > White List Events .
The first page of the default white list events workflow appears. To use a different workflow, including a custom workflow, click (switch workflow) .by the workflow title. For information on specifying a different default workflow, see Configuring Event View Settings. If no events appear, you may need to adjust the time range; see Setting Event Time Constraints.
Understanding the White List Events Table
You can use the correlation policy feature to build correlation policies that let the system respond in real time to threats on your network. Correlation policies describe the type of activity that constitutes a policy violation, which include compliance white list violations. For more information on correlation policies, see Configuring Correlation Policies and Rules.
When a compliance white list is violated, the system generates a white list event. The fields in the white list events table are described in the following table.
The identity of any known user logged in to the non-compliant host. |
|
The port, if any, associated with the event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol). For other types of white list violations, this field is blank. |
|
A description of how the white list was violated. For example: Client “AOL Instant Messenger” is not allowed. Violations that involve an application protocol indicate the application protocol name and version, as well as the port and protocol (TCP or UDP) it is using. If you restrict prohibitions to a particular operating system, the description includes the operating system name. For example:
Server "ssh / 22 TCP ( OpenSSH 3.6.1p2 )" is not |
|
The name of the correlation policy that was violated, that is, the correlation policy that includes the white list. |
|
The priority specified by the policy or white list that triggered the policy violation. For information on setting correlation rule and policy priorities, see Providing Basic Policy Information and Setting Rule and White List Priorities. |
|
The user-assigned host criticality of the host that is out of compliance with the white list: |
|
The name of the managed device that detected the white list violation. |
|
The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. |
Searching for Compliance White List Events
You can search for specific compliance white list events. You may want to create searches customized for your network environment, then save them to re-use later. The following table describes the search criteria you can use.
Enter the name of a correlation policy to return all events caused by violations of white lists included in that policy. |
|
Enter the name of a white list to return all events caused by violations of that white list. |
|
Specify the priority of the white list event, which is determined either by the priority of the white list in a correlation policy or by the priority of the correlation policy itself. Note that the white list priority overrides the priority of its policy. Enter For information on setting correlation rule and policy priorities, see Providing Basic Policy Information and Setting Rule and White List Priorities. |
|
Specify an IP address of a host that has become non-compliant with a white list. |
|
Specify the identity of the user logged in to a host that has become non-compliant with a white list. |
|
Specify the port, if any, associated with the discovery event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol). |
|
Specify the host criticality of the source host involved in the white list event: |
|
Type the device name or IP address, or a device group, stack, or cluster name to restrict the search to specific devices that detected the white list violation. For detailed information on how the FireSIGHT System treats the device field in searches, see Specifying Devices in Searches. |
To search for compliance white list events:
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Search .
Step 2 Select White List Events from the table drop-down list.
The page updates with the appropriate constraints.
Step 3 Enter your search criteria in the appropriate fields, as described in Table 52-5, and keeping in mind the following additional points:
– For fields that may contain only a single value, records with the specified field containing the exact string specified within the quotation marks match the search criteria. For instance, a search for
A, B, "C, D, E"
will match records where the specified field contains
"A"
or
"B"
or
"C, D, E"
. This permits matching on fields that include the comma in possible values.
– For fields that may contain multiple values at the same time, records with the specified fields containing all of the values in the quote-enclosed comma-separated list match that search criteria.
– For fields that may contain multiple values at the same time, search criteria may include single values as well as quote-enclosed comma-separated lists. For instance, a search for
A, B, "C, D, E"
on a field that may contain one of more of these letters matches records where the specified field contains
A
or
B
, or all of
C
,
D
, and
E
.
- Searches return only records that match the search criteria specified for all fields.
-
Many fields accept one or more asterisks (
*) as wild cards. -
Specify
n/ain any field to identify events where information is not available for that field; use!n/ato identify the events where that field is populated. - Click the add object icon (
) that appears next to a search field to use an object as a search criterion.For more information on search syntax, including using objects in searches, see Searching for Events.
Step 4 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.
Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 5 Optionally, you can save the search to be used again in the future. You have the following options:
For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save . If you save new criteria for a previously-existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private ) so that you can run it at a later time.
A dialog box appears prompting for the name of the search; enter a unique search name and click Save . The search is saved (and visible only to your account if you selected Private ) so that you can run it at a later time.
Step 6 Click Search to start the search.
Your search results appear in the default white list events workflow, constrained by the current time range. To use a different workflow, including a custom workflow, click (switch workflow) by the workflow title. For information on specifying a different default workflow, see Configuring Event View Settings.
Working with White List Violations
The system keeps track of the ways in which hosts on your network violate the compliance white lists in active correlation policies. You can search and view these records.
For more information, see the following sections:
- Viewing White List Violations
- Understanding the White List Violations Table
- Searching for White List Violations
Viewing White List Violations
You can use the Defense Center to view a table of white list violations. Then, you can manipulate the event view depending on the information you are looking for. The page you see when you access white list violations differs depending on the workflow you use. There are two predefined workflows:
- The Host Violation Count workflow provides a series of pages that list all the hosts that violate at least one white list. The first page sorts the hosts based on the number of violations per host, with the hosts with the greatest number of violations at the top of the list. If a host violates more than one white list, there is a separate row for each violated white list. The workflow also contains a table view of white list violations that lists all violations with the most recently detected violation at the top of the list. Each row in the table contains a single detected violation.
- The White List Violations workflow includes a table view of white list violations that lists all violations with the most recently detected violation at the top of the list. Each row in the table contains a single detected violation.
Both predefined workflows terminate in a host view, which contains a host profile for every host that meets your constraints. You can also create a custom workflow that displays only the information that matches your specific needs. For more information, see Creating Custom Workflows.
The following table describes some of the specific actions you can perform on a white list violations workflow page.
click the host profile icon ( |
|
find more information in Sorting Drill-Down Workflow Pages. |
|
find more information in Navigating to Other Pages in the Workflow. |
|
navigate between pages in the current workflow, keeping the current constraints |
click the appropriate page link at the top left of the workflow page. For more information, see Using Workflow Pages. |
find more information in Understanding the White List Violations Table. |
|
use one of the following methods:
For more information, see Constraining Events. |
|
find more information in Navigating Between Workflows. |
To view compliance white list violations:
Access: Admin/Any Security Analyst/Discovery Admin
Step 1 Select Analysis > Correlation > White List Violations .
The first page of the default white list violations workflow appears. To use a different workflow, including a custom workflow, click (switch workflow) by the workflow title. For information on specifying a different default workflow, see Configuring Event View Settings.
Understanding the White List Violations Table
You can use the correlation policy feature to build correlation policies that let the system respond in real time to threats on your network. Correlation policies describe the type of activity that constitutes a policy violation, which include compliance white list violations. For more information on correlation policies, see Configuring Correlation Policies and Rules.
When a compliance white list is violated, the system records the violation. Note that you can not set event time constraints in the table view because the table view displays only the current host violations on your network. The fields in the white list violations table are described in the following table.
Searching for White List Violations
You can search for specific compliance white list violations. You may want to create searches customized for your network environment, then save them to re-use later. The following table describes the search criteria you can use.
To search for compliance white list violations:
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Search .
Step 2 Select White List Violations from the table drop-down list.
The page updates with the appropriate constraints.
Step 3 Enter your search criteria in the appropriate fields, as described in the Compliance White List Event Search Criteria table, and keeping in mind the following additional points:
– For fields that may contain only a single value, records with the specified field containing the exact string specified within the quotation marks match the search criteria. For instance, a search for
A, B, "C, D, E"
will match records where the specified field contains
"A"
or
"B"
or
"C, D, E"
. This permits matching on fields that include the comma in possible values.
– For fields that may contain multiple values at the same time, records with the specified fields containing all of the values in the quote-enclosed comma-separated list match that search criteria.
– For fields that may contain multiple values at the same time, search criteria may include single values as well as quote-enclosed comma-separated lists. For instance, a search for
A, B, "C, D, E"
on a field that may contain one of more of these letters matches records where the specified field contains
A
or
B
, or all of
C
,
D
, and
E
.
- Searches return only records that match the search criteria specified for all fields.
-
Many fields accept one or more asterisks (
*) as wild cards. -
Specify
n/ain any field to identify events where information is not available for that field; use!n/ato identify the events where that field is populated. - Click the add object icon (
) that appears next to a search field to use an object as a search criterion.For more information on search syntax, including using objects in searches, see Searching for Events.
Step 4 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.
Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 5 Optionally, you can save the search to be used again in the future. You have the following options:
For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save . If you save new criteria for a previously-existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private ) so that you can run it at a later time.
A dialog box appears prompting for the name of the search; enter a unique search name and click Save . The search is saved (and visible only to your account if you selected Private ) so that you can run it at a later time.
Step 6 Click Search to start the search.
Your search results appear in the default white list violations workflow. To use a different workflow, including a custom workflow, click (switch workflow) by the workflow title. For information on specifying a different default workflow, see Configuring Event View Settings.
Feedback