Configuring an Intrusion Policy – Cisco Network Analysis and Intrusion Policies

Configuring an Intrusion Policy
Intrusion policy configuration is the key part of an IPS deployment. This is where you select an intrusion ruleset and define the rule actions. You can start with one of the system-provided base policies and build your own ruleset on top of it. An intrusion policy pairs with the variable sets that define the network environment; variable sets are critical to both detection efficacy and performance. Speaking of performance, you can also take advantage of the system-generated intrusion rule recommendations feature to improve system performance. You learn about all of these key elements of the IPS functionality in the following sections.

Creating a Policy with a Default Ruleset
To create an intrusion policy, follow these steps:
Step 1. Navigate to Policies > Access Control > Intrusion, and select the Intrusion Policies tab. The intrusion policy configuration page appears.
Step 2. Click the Create Policy button. The Create Intrusion Policy window appears (see Figure 15-22).

Figure 15-22 Configuration Window to Create an Intrusion Policy

Step 3. Name the policy.
Step 4. Select the Prevention inspection mode. In this mode the system can drop packets when the threat defense interfaces are in inline, routed, or transparent mode. Enabling this option does not affect the traffic flow, however, if you configure the threat defense interfaces in inline tap or passive mode.
Step 5. Select Balanced Security and Connectivity as the base policy. This policy provides the best system performance without compromising the detection of the latest and critical vulnerabilities.
Step 6. Click the Save button to create an intrusion policy using the default settings. When this policy is created, you return to the Intrusion Policies tab.

Incorporating Intrusion Rule Recommendations
The intrusion rule recommendations feature is disabled by default. However, you should leverage this feature to optimize the ruleset in your intrusion policy. It enables your Secure Firewall to analyze your network discovery data, correlate it with any associated vulnerabilities found in the Vulnerability Database, and then recommend only the intrusion rules that are relevant to your network environment. The data is gathered as a result of the deployed network discovery policy, which enables Secure Firewall to identify the operating systems, services, and applications running in a network environment (Chapter 9, “Network Discovery Policy,” describes this policy in detail).
Caution
Generate and use intrusion rule recommendations after the majority of the hosts in your network are discovered. If you apply recommendations prematurely, Secure Firewall may recommend disabling many intrusion rules, which can result in diminishing protections against critical vulnerabilities.
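The following is an added illustration, not Cisco code, of the correlation logic described above: discovered operating systems and services are matched against the targets each rule protects, and the caution is modelled by refusing to recommend disabling rules until a minimum number of hosts has been discovered. The hosts, rules, target tags and the threshold are all constructed sample data.

```python
"""Added illustration (not Cisco's implementation) of rule recommendations:
correlate discovery data with the OS/service targets each rule protects."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    os: str                 # e.g. "windows" or "linux"
    services: frozenset     # e.g. {"smb", "http"}


@dataclass(frozen=True)
class Rule:
    sid: int
    state: str              # "enabled" or "disabled" in the base policy
    targets: frozenset      # OS/service tags the rule protects (hypothetical VDB mapping)


def recommend(hosts, rules, min_hosts):
    """Return {sid: action} with action 'enable', 'disable' or 'keep'.
    A rule is relevant when any discovered host matches one of its targets.
    With fewer than min_hosts discovered, 'disable' is never recommended,
    which models the caution against applying recommendations prematurely."""
    discovered = set()
    for h in hosts:
        discovered.add(h.os)
        discovered.update(h.services)
    enough_data = len(hosts) >= min_hosts
    actions = {}
    for r in rules:
        relevant = bool(r.targets & discovered)
        if relevant and r.state == "disabled":
            actions[r.sid] = "enable"        # protects something we actually run
        elif not relevant and r.state == "enabled" and enough_data:
            actions[r.sid] = "disable"       # nothing discovered that it protects
        else:
            actions[r.sid] = "keep"
    return actions


# Constructed sample discovery data and base-policy rules (not real SIDs).
HOSTS = (Host("10.0.0.5", "windows", frozenset({"smb", "http"})),
         Host("10.0.0.9", "linux", frozenset({"ssh"})))
RULES = (Rule(1001, "disabled", frozenset({"smb"})),
         Rule(1002, "enabled", frozenset({"oracle"})),
         Rule(1003, "enabled", frozenset({"linux"})),
         Rule(1004, "disabled", frozenset({"ios"})))

if __name__ == "__main__":
    print(recommend(HOSTS, RULES, min_hosts=2))   # mature discovery data
    print(recommend(HOSTS, RULES, min_hosts=10))  # premature: no disables
```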
To generate and use intrusion rule recommendations, edit the intrusion policy in which you want to enable this feature. You can edit an intrusion policy using either the Snort 2 or the Snort 3 version of the policy. Click your desired Snort version (see Figure 15-23). Depending on the Snort version you select, the intrusion policy editor looks different.

Figure 15-23 Available Snort Versions to Edit an Intrusion Policy

If you selected Snort 3 Version, perform the following tasks in the intrusion policy editor:
Step 1. On the intrusion policy editor page, select the Recommendations button on the left panel. The Rule Recommendations window appears (see Figure 15-24).

Figure 15-24 Rule Recommendations Setup—Based on the Snort 3 Intrusion Policy Editor
