Best Practices for Intrusion Policy Deployment
Consider the following best practices when you deploy Secure Firewall to protect your network from intrusion attempts. They can help you to achieve an optimal experience. The configuration details of these items are described in later sections of this chapter.
If you want to match and filter packets based on 5-tuple—source port, destination port, source address, destination address, and protocol—you should consider using an access control rule or prefilter rule, but not an intrusion rule. The purpose of a Snort-based intrusion rule is to perform advanced deep packet inspection.
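A quick way to apply this advice to an existing ruleset is to look for Snort rules whose option body contains no payload-inspection keyword: such rules match on header fields only and are candidates for an access control or prefilter rule. The script below is an added example, not code from the book or from Cisco; the rules in SAMPLE_RULES are constructed for illustration and the keyword set is a hypothetical, partial list.

```python
import re

# Constructed sample ruleset (not from the page). 1000001 and 1000003 use only
# header fields (plus flow state), so they belong in an access control or
# prefilter rule; 1000002 and 1000004 inspect the payload and belong in Snort.
SAMPLE_RULES = """\
alert tcp 10.0.0.0/8 any -> any 23 (msg:"telnet from internal net"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"cgi-bin probe; uri match"; flow:to_server,established; content:"/cgi-bin/"; http_uri; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"smb connection"; flow:to_server; sid:1000003; rev:2;)
alert tcp any any -> $HOME_NET 25 (msg:"smtp long command"; pcre:"/^[A-Z]{4} .{200,}/"; sid:1000004; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$")

# Hypothetical, partial list of options that require looking into the payload.
PAYLOAD_OPTS = {"content", "uricontent", "pcre", "byte_test", "byte_jump",
                "byte_extract", "byte_math", "isdataat", "dsize", "http_uri",
                "http_header", "http_client_body", "http_method", "http_cookie"}

def parse_rule(line):
    """Return a dict for one Snort rule line, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line}")
    rule = m.groupdict()
    # Split the option body on ';' while leaving quoted strings intact.
    opts = []
    for raw in re.findall(r'((?:[^;"]|"[^"]*")+);', rule.pop("body")):
        name, _, value = raw.strip().partition(":")
        opts.append((name.strip(), value.strip().strip('"')))
    rule["options"] = opts
    rule["sid"] = int(dict(opts).get("sid", 0))
    return rule

def is_five_tuple_only(rule):
    """True when no option inspects payload: only header fields (and state) matter."""
    return not {name for name, _ in rule["options"]} & PAYLOAD_OPTS

def audit(rules_text):
    """Return the sids of rules that should move to access control or prefilter rules."""
    return [r["sid"] for r in map(parse_rule, rules_text.splitlines())
            if r and is_five_tuple_only(r)]

if __name__ == "__main__":
    for sid in audit(SAMPLE_RULES):
        print(f"sid {sid}: header-only match; consider an access control or prefilter rule")
```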
Select the Balanced Security and Connectivity policy as the base policy when you create a new network analysis policy and intrusion policy. The ruleset in this policy provides greater security coverage against the latest threats while ensuring optimized performance. This base policy is also recommended by Cisco.
Figure 15-13 shows the selection of Balanced Security and Connectivity as the base policy for both the network analysis policy (left) and intrusion policy (right).
Figure 15-13 Separate Policy Creation Windows for the Network Analysis and Intrusion Policies
Use the intrusion rule recommendations feature within the intrusion policy. It utilizes the network discovery data, correlates that data with any associated vulnerabilities that are recorded in the Vulnerability Database (VDB), and recommends Snort rules that are developed to address those vulnerabilities. The steps to enable rule recommendations are described in detail in the “Incorporating Intrusion Rule Recommendations” section later in this chapter.
Furthermore, you can automate the rule recommendation generation and policy deployment processes using the task scheduling feature of the management center. It ensures periodic enablement of intrusion rules based on the recently discovered applications and hosts in your network.
Figure 15-14 shows the task scheduling feature on the management center. You can schedule recurring or one-time tasks to generate rule recommendations, deploy policies, and perform many more jobs.
Figure 15-14 Task Scheduling Functionality for Intrusion Rule Recommendations
Enhance detection by selecting both advanced options, Adaptive Profiles and Enable Profile Update. These options allow a Secure Firewall to leverage service metadata and intelligently apply enabled intrusion rules to relevant traffic.
Figure 15-15 shows the detection enhancement settings in an access control policy where you configure the Adaptive Profiles and Enable Profile Update settings. To implement an intrusion policy based on Snort 3, you must select both the Enable and Enable Profile Updates options, as shown in this figure.
Figure 15-15 Adaptive Profile Configurations
Table 15-4 shows the differences between the intrusion rule recommendations and enable profile update features. Although both features work together to enable traffic-specific intrusion rules, there are some differences between them.
Table 15-4 Intrusion Rule Recommendations Versus Enable Profile Update

| Intrusion Rule Recommendations | Enable Profile Update |
|---|---|
| Recommends enabling and disabling intrusion rules, based on the discovered applications and hosts. | Compares rule metadata with the applications and operating systems of a host and determines whether the threat defense should apply a certain rule to certain traffic from that host. |
| Can enable a disabled rule if the rule relates to a host and application in the network. | Does not change the state of a disabled rule. Works only on the enabled rules in an intrusion policy. |
| Configured within an intrusion policy. | Configured within an access control policy. |
Tip
Enable both features—enable profile update and intrusion rule recommendations—at the same time. Doing so allows a threat defense to enable or disable the intrusion rules that are related to the hosts, applications, and services running on a network and then apply the enabled rules to relevant traffic from those hosts.
Some of the best practices are applicable to a particular deployment mode and depend on your traffic handling policy. For example:
If you want to prevent cyber attacks by blocking intrusion attempts, you need to deploy the threat defense as a bump in the wire (BITW). The BITW deployment requires an inline interface pair: you pair an ingress interface with an egress interface to form the inline interface pair and then assign that pair to an inline set. To learn more about inline mode, see Chapter 6, “IPS-Only Deployment in Inline Mode.”
If your goal is to deploy a threat defense for detection-only purposes—because you do not want to block intrusion attempts in real time—consider deploying the threat defense in inline tap mode instead of in passive mode. Doing so enables you to switch to inline mode faster, without the need for a cabling change. This is critical in case of an emergency. To learn more, read Chapter 7, “Deployment in Detection-Only Mode.”
If you choose to deploy your threat defense in passive mode, make sure the Adaptive Profiles option is enabled in the advanced settings section of the access control policy. This option enables a threat defense to adapt intrusion rules dynamically based on the metadata of the service, client application, and host traffic.
When a threat defense prompts you to select a firewall mode (during initialization after a reimage), choose routed mode. Although transparent mode can block intrusion attempts, you could accomplish the same goal—transparency or a bump in the wire—by using inline mode, which has less configuration overhead. Using the threat defense CLI, you can switch between routed mode and transparent mode. To learn more about routed mode, read Chapter 4, “Firewall Deployment in Routed Mode.”