Tailoring Intrusion Protection to Your Network Assets
You can use the FireSIGHT Recommended Rules feature to associate the operating systems, servers, and client application protocols detected on your network (see Introduction to Network Discovery) with rules specifically written to protect those assets, per intrusion policy. This allows you to tailor your intrusion policy to the specific needs of your monitored network. The FireSIGHT Recommended Rules feature requires FireSIGHT and Protection licenses.
When you configure the FireSIGHT Recommended Rules feature, the system searches your base policy for rules that protect against vulnerabilities associated with your network assets, and identifies the current state of rules in your base policy. The system then recommends rule states and, optionally, sets the rules to the recommended states using the criteria in the following table.
The Cisco Vulnerability Research Team (VRT) determines the appropriate state of each rule in the default policies provided by Cisco. Thus, when your base policy is a default policy provided by Cisco, the net effect of allowing the system to set your rules to the FireSIGHT recommended rule states is that the rules in your intrusion policy match the settings recommended by Cisco for your network assets. See Understanding the System-Provided Policies for more information.
Generating rule state recommendations can be as simple as choosing whether to use the recommended rule states, either when you generate recommendations or at a later time. Advanced recommendations options allow you to tailor your configuration further. Note that choosing to use recommended rule states adds a read-only FireSIGHT Recommendations layer to your intrusion policy, and subsequently choosing not to use recommended rule states removes the layer. See Using Layers in a Network Analysis or Intrusion Policy for information on using policy layers to more efficiently manage multiple intrusion policies.
Note that while the system typically recommends rule state changes for standard text rules and shared object rules, it can also recommend changes for preprocessor and decoder rules.
You can schedule a task to generate recommendations automatically based on the most recently saved configuration settings in your intrusion policy. For information on scheduling a task to generate recommended rule states, see Automating FireSIGHT Recommendations.
Understanding Basic Rule State Recommendations
License: Protection + FireSIGHT
You can generate recommendations without using the recommended rule states in your policy. You can then display any of three filtered views of the Rules page to show rules that the system recommends you set to Generate Events, Drop and Generate Events, or Disable. This allows you to see beforehand which rules would be modified when you choose to use the recommended rule states. You can also choose to generate recommendations and immediately use them.
While displaying the recommendation-filtered Rules page, or after accessing the Rules page directly from the navigation panel or the Policy Information page, you can manually set rule states, sort rules, and take any of the other actions available on the Rules page, such as suppressing rules, setting rule thresholds, and so on. See Setting Rule States for information on manually changing the state of selected rules. See Tuning Intrusion Policies Using Rules for information on other actions available on the Rules page for tailoring the rules in your intrusion policy.
The system does not change rule states that you set manually. When you choose to use the recommended rule states while generating recommendations:
- manually setting the states of specified rules before you generate recommendations prevents the system from modifying the states of those rules in the future
- manually setting the states of specified rules after you generate recommendations overrides the recommended states of those rules
Tip You can include a list in the intrusion policy report of rules whose rule states differ from the recommended state. See Generating a Report of Current Intrusion Settings for more information.
Note that when you generate recommendations without changing the advanced settings for FireSIGHT recommended rules, the system recommends rule state changes for all hosts in your entire discovered network. Also by default, the system generates recommendations only for rules with low or medium overhead, and does generate recommendations to disable rules. See Understanding Advanced Rule State Recommendations for more information.
Understanding Advanced Rule State Recommendations
License: Protection or Protection + FireSIGHT
Advanced settings allow you to redefine which hosts on your network the system monitors for vulnerabilities, to influence which rules the system recommends based on rule overhead, and to specify whether to generate recommendations to disable rules.
If you want to dynamically adapt active rule processing for specific packets based on host information, you can also enable adaptive profiles. For more information, see Adaptive Profiles and FireSIGHT Recommended Rules.
See the following sections for more information:
- Understanding the Networks to Examine
- Understanding Rule Overhead
Understanding the Networks to Examine
License: Protection + FireSIGHT
You configure the FireSIGHT Recommended Rules feature by identifying networks to examine in the network map. The system then recommends the rules you can activate to protect your network. For information on the network map, see Using the Network Map.
You configure the Networks field with the hosts to examine for recommendations. You can specify a single IP address or address block, or a comma-separated list containing either or both.
Entries in the list are combined with an OR operation, except for negated entries, which are applied with an AND operation after all OR operations are calculated. A negation therefore removes hosts from the set matched by the non-negated entries.
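As an added illustration of these matching semantics (example code written for this page, not part of the FireSIGHT System, which exposes no such API), the following Python models how a Networks value is evaluated against discovered hosts: the non-negated entries are ORed together, then the negated entries are ANDed out. The function names and sample hosts are constructed, and treating a list made only of negations as an error is an assumption, since the guide does not describe that case.

```python
"""Model of how the Networks field is matched against discovered hosts (added
example, not FireSIGHT code).  Encoded from the guide: a comma-separated list
of addresses or CIDR blocks; entries are ORed, negated entries ('!' prefix)
are ANDed out after the OR result.  Function names and sample hosts are
constructed; rejecting a negation-only list is an assumption."""
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Iterable, List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


def parse_networks(spec: str) -> Tuple[List[Net], List[Net]]:
    """Split a Networks value into (include, exclude) network lists."""
    include: List[Net] = []
    exclude: List[Net] = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue                         # tolerate a trailing comma
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:].strip()
        # strict=False accepts a block written with host bits set, e.g. 10.1.2.3/24
        net = ip_network(entry, strict=False)
        (exclude if negated else include).append(net)
    if not include:
        # Every entry is a negation: nothing could ever match (assumption).
        raise ValueError("Networks needs at least one non-negated address or block")
    return include, exclude


def host_is_examined(host: str, spec: str) -> bool:
    """True if `host` falls inside the Networks to Examine given by `spec`."""
    include, exclude = parse_networks(spec)
    addr = ip_address(host)
    # An address never matches a network of the other IP version.
    matched = any(addr in net for net in include)        # OR over positive entries
    negated = any(addr in net for net in exclude)        # OR over negations ...
    return matched and not negated                       # ... then AND NOT


def examined_hosts(hosts: Iterable[str], spec: str) -> List[str]:
    """Filter a list of discovered hosts down to the ones to examine."""
    return [h for h in hosts if host_is_examined(h, spec)]


# Constructed sample: hosts the network map knows about.
DISCOVERED = ["192.168.1.5", "192.168.1.20", "10.0.0.7", "172.16.0.1", "2001:db8::10"]

if __name__ == "__main__":
    spec = "192.168.1.0/24, 10.0.0.0/8, 2001:db8::/32, !192.168.1.0/28"
    print(examined_hosts(DISCOVERED, spec))
```

With `192.168.1.0/24, !192.168.1.5`, every host in the block except 192.168.1.5 is examined; with the sample value above, 192.168.1.5 is dropped by the `!192.168.1.0/28` negation even though it is inside the /24, which is exactly the AND-after-OR behaviour the guide describes.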
Understanding Rule Overhead
Cisco rates the overhead of each intrusion rule as none, low, medium, or high, based on the rule’s potential impact on system performance and the likelihood that the rule may generate false positives. You can view the overhead rating for a rule in the rule detail view on the Rules page. See Viewing Rule Details for more information.
You can set the system to make rule state recommendations based on all rules up to and including a specified overhead rating. For example, when you generate recommendations for rules with medium overhead, the system makes recommendations based on all rules with an overhead rating of none, low, or medium, and does not make any recommendations for rules with high overhead.
Note that the system factors rule overhead into recommendations to generate events or to drop and generate events. The system does not factor rule overhead into recommendations to disable rules. Note also that local rules have no overhead, unless they are mapped to a third-party vulnerability. See Importing Local Rule Files and Managing Third-Party Product Mappings for more information.
Generating recommendations at one overhead setting does not prevent you from generating them at a different setting and then returning to the original. Recommendations are deterministic: for the same rule set, a given overhead setting produces the same rule state recommendations every time, regardless of how many times you generate them or which other overhead settings you used in between. For example, you can generate recommendations with overhead set to medium, then to high, then to medium again; if the hosts and applications on your network have not changed, both sets of medium-overhead recommendations are identical.
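The following Python model, added for this page and not Cisco's own logic, ties together the gating rules this chapter states: the overhead threshold applies to enable recommendations only, disable recommendations are optional and ignore overhead, manually set rule states are never changed, unmapped local rules get no recommendation while a mapped local rule found on a host is always recommended enabled, rules based on a vulnerability disabled through Impact Qualification get no recommendation (see the notes under Using FireSIGHT Recommendations), and regenerating at the same threshold gives the same result. Because the criteria table this chapter refers to is not reproduced on the page, the mapping from a relevant rule's current state to its recommended state is an assumption, flagged in the code; the rule, host and vulnerability identifiers are constructed.

```python
"""Model of FireSIGHT rule-state recommendation gating (added example, not
Cisco's implementation).  ASSUMED, because the guide's criteria table is not
on this page: a relevant rule currently disabled is recommended to Generate
Events, and a relevant rule already enabled keeps its enabled state.
Rule, host and vulnerability identifiers are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple

OVERHEAD = {"none": 0, "low": 1, "medium": 2, "high": 3}
DISABLE, GENERATE, DROP = "Disable", "Generate Events", "Drop and Generate Events"


@dataclass(frozen=True)
class Rule:
    sid: str
    vulns: FrozenSet[str]              # vulnerabilities the rule protects against
    overhead: str = "low"              # VRT rating: none, low, medium, high
    local: bool = False                # imported local rule
    third_party_mapped: bool = False   # local rule mapped to a third-party vulnerability
    manual: bool = False               # state was set by hand in the policy


def recommend(rules: Iterable[Rule], current: Dict[str, str],
              host_vulns: Dict[str, Set[str]], *, threshold: str = "medium",
              accept_disable: bool = True,
              qualified_out: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Return {sid: recommended state} for the rules the system would rate.

    current: sid -> state in the base policy (missing sids count as Disable)
    host_vulns: examined host -> vulnerabilities discovered on it
    qualified_out: vulnerabilities disabled with Impact Qualification
    """
    found: Set[str] = set().union(*host_vulns.values())
    recs: Dict[str, str] = {}
    for r in rules:
        if r.manual:
            continue                       # manually set states are never changed
        if r.local and not r.third_party_mapped:
            continue                       # unmapped local rules: no recommendation
        if r.vulns & qualified_out:
            continue                       # vulnerability disabled via Impact Qualification
        cur = current.get(r.sid, DISABLE)
        if r.vulns & found:                # rule protects an asset on the network
            # Overhead gates enable recommendations only; a mapped local rule
            # found on a host is always recommended enabled regardless of overhead.
            if not r.local and OVERHEAD[r.overhead] > OVERHEAD[threshold]:
                continue
            recs[r.sid] = cur if cur in (GENERATE, DROP) else GENERATE   # assumed mapping
        elif accept_disable:
            recs[r.sid] = DISABLE          # disable recommendations ignore overhead
    return recs


def differences(current: Dict[str, str], recs: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Rules whose actual state differs from the recommendation (what the
    'Include all differences' policy-report option lists)."""
    return {sid: (current.get(sid, DISABLE), rec) for sid, rec in recs.items()
            if current.get(sid, DISABLE) != rec}


def apply_recommendations(current: Dict[str, str], recs: Dict[str, str]) -> Dict[str, str]:
    """Rule states after choosing to use the recommendations."""
    return {**current, **recs}


# Constructed inventory: what network discovery found on two examined hosts.
HOST_VULNS = {"10.1.1.10": {"CVE-A", "CVE-B", "CVE-D"}, "10.1.1.11": {"CVE-C"}}

RULES = [
    Rule("1:1001", frozenset({"CVE-A"}), overhead="low"),
    Rule("1:1002", frozenset({"CVE-B"}), overhead="high"),   # above a medium threshold
    Rule("1:1003", frozenset({"CVE-Z"}), overhead="low"),    # nothing on the network
    Rule("1:1004", frozenset({"CVE-C"}), overhead="medium"),
    Rule("1:1005", frozenset({"CVE-A"}), overhead="low", manual=True),
    Rule("1:1000001", frozenset({"CVE-C"}), local=True, third_party_mapped=True),
    Rule("1:1000002", frozenset({"CVE-C"}), local=True),    # unmapped local rule
    Rule("1:1006", frozenset({"CVE-D"}), overhead="low"),    # CVE-D qualified out below
]

CURRENT = {"1:1001": DISABLE, "1:1002": DISABLE, "1:1003": GENERATE, "1:1004": DROP,
           "1:1005": DISABLE, "1:1000001": DISABLE, "1:1000002": DISABLE, "1:1006": DISABLE}


def demo(threshold: str = "medium", accept_disable: bool = True) -> Dict[str, str]:
    return recommend(RULES, CURRENT, HOST_VULNS, threshold=threshold,
                     accept_disable=accept_disable, qualified_out=frozenset({"CVE-D"}))


if __name__ == "__main__":
    for sid, (was, rec) in differences(CURRENT, demo()).items():
        print(f"{sid}: {was} -> {rec}")
```

Moving the threshold from medium to high adds only the high-overhead rule 1:1002 to the recommendations; moving it back yields exactly the medium result again, and turning off disable recommendations drops the recommendation for 1:1003 without touching anything else. The manual rule 1:1005 survives `apply_recommendations` unchanged.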
Using FireSIGHT Recommendations
License: FireSIGHT + Protection
You can generate recommendations with or without using the recommended rule states, and with or without modifying the advanced settings for generating recommendations. See Understanding Basic Rule State Recommendations and Understanding Advanced Rule State Recommendations for more information.
After generating recommendations, you can use the recommended rule states; you can also view recommended states and use any features available on the Rules page.
To use FireSIGHT rule state recommendations:
Step 1 Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2 Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See Resolving Conflicts and Committing Policy Changes for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3 Click FireSIGHT Recommendations in the navigation panel on the left.
The FireSIGHT Recommended Rules Configuration page appears.
Step 4 You have the following choices:
- To have the corresponding intrusion policy report list the rule message, recommended state, and actual state for all rules whose actual states differ from the recommended state, select Include all differences between recommendations and rule states in policy reports . See Generating a Report of Current Intrusion Settings for more information.
- To generate recommendations using the default settings, go to step 9 .
- To modify the advanced recommendations options, go to step 5 .
Step 5 Click the plus icon to expand the Advanced Settings section.
The advanced FireSIGHT recommendations options appear.
Step 6 In the Networks field under Networks to Examine , specify the network to examine for recommendations.
For information on using IP address notation in the FireSIGHT System, see IP Address Conventions.
Note that lists of addresses are linked with an OR operation except for negations, which are linked with an AND operation after all OR operations are calculated. See Understanding the Networks to Examine for more information.
Step 7 Optionally, under FireSIGHT Recommended Rules Configuration , drag the Recommendation Threshold (By Rule Overhead) slide bar to specify the amount of overhead a rule must have to be included in the recommendations you generate.
Dragging the slide bar to the right includes rules with higher overhead and will likely result in more recommendations, but may increasingly affect system performance. See Understanding Rule Overhead for more information.
Step 8 You have the following options:
- To generate recommendations to disable rules, accept recommendations to disable rules. Note that accepting recommendations to disable rules restricts your rule coverage.
- To omit recommendations to disable rules, do not accept recommendations to disable rules. Note that omitting recommendations to disable rules augments your rule coverage.
Step 9 You have several options, depending on whether you want to generate, update, use, or stop using recommendations:
- If you generate recommendations and choose to use them, the system generates recommended rule state changes and automatically sets rules to the recommended states.
- If you generate recommendations without using them, the system generates recommended rule state changes only.
- If you update existing recommendations, the system generates recommended rule state changes and, if recommendations are in use, automatically sets rules to the recommended states. The status updates for the number of recommendations, the number of hosts with recommended rule state changes, and the number of recommendations to generate events, drop and generate events, or disable rules.
- If you choose to use previously generated recommendations, the system automatically sets rules to the recommended states.
- If you choose to stop using recommendations, the system automatically resets rules to the default rule states unless a specific rule state was applied to the rule before using recommendations; in that case, the rule reverts to the specific rule state.
Note that the system does not recommend a rule state for an intrusion rule that is based on a vulnerability that you disable using the Impact Qualification feature. For more information, see Setting the Vulnerability Impact Qualification.
Note also that updating the policy to use or not use recommendations may take several minutes, depending on the size of your network and rule set.
Note The system always recommends that you enable a local rule associated with a third-party vulnerability mapped to a host. The system does not make state recommendations for unmapped local rules. For more information, see Managing Third-Party Product Mappings.
Step 10 Optionally, click View next to a recommendation type to display a recommendations-filtered view of the Rules page for the type of recommendation you selected.
Step 11 Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See Resolving Conflicts and Committing Policy Changes for more information.