System-Provided Base Policies
To help you with initial deployment, Secure Firewall software comes with several preconfigured network analysis and intrusion policies. You can deploy one of them directly, or use one as a baseline for your custom intrusion policy:
Balanced Security and Connectivity: This base policy is the best starting point to create your own intrusion policy that can address the critical vulnerabilities while maintaining system performance.
Connectivity over Security: This policy prioritizes connection speed by reducing the detection of older or less critical vulnerabilities.
Security over Connectivity: This policy prioritizes network security over connectivity by enabling a greater number of rules, and by setting more rules to drop offending traffic, than the other default policies.
Maximum Detection: Security has supreme priority over business continuity. Due to the deeper inspection of packets with this policy, end users may experience latency, and a threat defense may drop some legitimate traffic.
Figure 15-10 shows the system-provided base policies that you can find in Secure Firewall out of the box. Each management center comes with four network analysis policies and five intrusion policies. The No Rules Active base policy allows you to create an empty intrusion policy with all the intrusion rules disabled. This policy can be used as a tool to investigate any technical issues with the Snort engine.
Figure 15-10 System-Provided Built-in Base Policies
The number of rules enabled by default in a system-provided policy varies. Cisco uses the Common Vulnerability Scoring System (CVSS) score to determine whether a rule should be enabled in a system-provided policy. See Table 15-3 to understand the eligibility criteria for including a Snort rule in a system-provided policy.
Table 15-3 CVSS Scores of the System-Provided Policies

Intrusion Policy                      CVSS Score       Age of Vulnerability
Connectivity over Security            10               Current year plus two prior years
Balanced Security and Connectivity    9 or higher      Current year plus two prior years
Security over Connectivity            8 or higher      Current year plus three prior years
Maximum Detection                     7.5 or higher    All the years since 2005
Figure 15-11 shows the correlation among the system-provided intrusion policies, their detection coverages, and processing overheads. The higher the threat coverage, the higher the utilization of the threat defense resources.
Figure 15-11 Differences Between the System-Provided Policies, Coverages, and Processing Overheads
Cisco releases rule updates periodically. You can configure the management center to download the latest ruleset automatically from the cloud and install it through a scheduled task. You can also manually download a rule update file and upload it to the management center for installation. Each rule update comes with a unique ruleset. Although the total number of rules in a specific rule update package is unpredictable, the proportion of enabled to disabled rules in each base policy stays almost the same from one update to the next. In general, the Maximum Detection policy and the Security over Connectivity policy have more intrusion rules enabled than the Connectivity over Security policy and the Balanced Security and Connectivity policy.
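To make the eligibility criteria in Table 15-3 concrete, and to show why the Maximum Detection and Security over Connectivity policies always end up with more rules enabled than the other two, the following script applies the table's CVSS and vulnerability-age thresholds to a small inventory of rules. It is an added example, not Cisco code and not how the management center actually builds a policy: the rule records (SIDs in the local range, CVSS scores and vulnerability years) are constructed for illustration, and the reading of "current year plus N prior years" as "vulnerability year within the last N+1 calendar years" is an assumption.

```python
from dataclasses import dataclass

# Thresholds transcribed from Table 15-3. For the three age-windowed policies,
# "years_back" is the number of prior years accepted alongside the reference
# year; Maximum Detection instead accepts every year from "floor_year" onward.
POLICY_CRITERIA = {
    "Connectivity over Security":         {"min_cvss": 10.0, "years_back": 2,    "floor_year": None},
    "Balanced Security and Connectivity": {"min_cvss": 9.0,  "years_back": 2,    "floor_year": None},
    "Security over Connectivity":         {"min_cvss": 8.0,  "years_back": 3,    "floor_year": None},
    "Maximum Detection":                  {"min_cvss": 7.5,  "years_back": None, "floor_year": 2005},
}


@dataclass(frozen=True)
class RuleRecord:
    """Minimal view of a Snort rule: its SID, the CVSS score of the
    vulnerability it covers, and the year that vulnerability was published."""
    sid: int
    cvss: float
    vuln_year: int


def is_eligible(rule: RuleRecord, policy: str, reference_year: int) -> bool:
    """True when the rule meets both the CVSS floor and the age window
    of the given base policy, evaluated against reference_year."""
    crit = POLICY_CRITERIA[policy]
    if rule.cvss < crit["min_cvss"]:
        return False
    if rule.vuln_year > reference_year:
        return False  # a future-dated vulnerability is never in the window
    if crit["years_back"] is not None:
        return rule.vuln_year >= reference_year - crit["years_back"]
    return rule.vuln_year >= crit["floor_year"]


def eligible_policies(rule: RuleRecord, reference_year: int) -> list:
    """Policies (in Table 15-3 order) that would enable this rule."""
    return [p for p in POLICY_CRITERIA if is_eligible(rule, p, reference_year)]


def count_enabled(rules, reference_year: int) -> dict:
    """Number of rules each base policy would enable from an inventory."""
    return {p: sum(is_eligible(r, p, reference_year) for r in rules)
            for p in POLICY_CRITERIA}


# Constructed sample inventory (not real Talos rules); SIDs use the local range.
SAMPLE_RULES = [
    RuleRecord(sid=1000001, cvss=10.0, vuln_year=2021),  # critical and current
    RuleRecord(sid=1000002, cvss=9.3,  vuln_year=2020),  # critical, one year old
    RuleRecord(sid=1000003, cvss=8.1,  vuln_year=2018),  # high, three years old
    RuleRecord(sid=1000004, cvss=7.8,  vuln_year=2012),  # high but old
    RuleRecord(sid=1000005, cvss=6.5,  vuln_year=2021),  # current but medium
    RuleRecord(sid=1000006, cvss=10.0, vuln_year=2017),  # critical but too old
]

if __name__ == "__main__":
    year = 2021  # matches the software version 7.0 deployment discussed in the text
    for rule in SAMPLE_RULES:
        print(f"SID {rule.sid} (CVSS {rule.cvss}, {rule.vuln_year}): "
              f"{eligible_policies(rule, year) or ['none']}")
    for policy, enabled in count_enabled(SAMPLE_RULES, year).items():
        print(f"{policy:36s} enables {enabled} of {len(SAMPLE_RULES)} rules")
```

Because every criterion only loosens from Connectivity over Security down to Maximum Detection, the set of rules enabled by each policy is a superset of the one above it in the table; the per-policy counts therefore grow monotonically, which is the relationship Figure 15-11 illustrates between coverage and processing overhead.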
Figure 15-12 shows the number of rules in various categories on a newly deployed Secure Firewall running software version 7.0. The images are taken from the intrusion policy editor based on Snort 3.
Figure 15-12 Determining the Number of Rules on a Base Policy and Their Status