- Cisco ASA with FirePOWER Services Local Management Configuration Guide
Getting Started with Network Analysis Policies
Network analysis policies govern many traffic preprocessing options, and are invoked by advanced settings in your access control policy. Network analysis-related preprocessing occurs after Security Intelligence blacklisting, but before access control rules inspect packets in detail, and before any intrusion or file inspection begins.
By default, the system uses the Balanced Security and Connectivity network analysis policy to preprocess all traffic handled by an access control policy. However, you can choose a different default network analysis policy to perform this preprocessing. For your convenience, the system provides a choice of several non-modifiable network analysis policies, which are tuned for a specific balance of security and connectivity by the Vulnerability Research Team (VRT). You can also replace this default policy with a custom network analysis policy with custom preprocessing settings.
Tip System-provided intrusion and network analysis policies are similarly named but contain different configurations. For example, the Balanced Security and Connectivity network analysis policy and the Balanced Security and Connectivity intrusion policy work together and can both be updated in intrusion rule updates. However, the network analysis policy governs mostly preprocessing options, whereas the intrusion policy governs mostly intrusion rules. Understanding Network Analysis and Intrusion Policies provides an overview of how network analysis and intrusion policies work together to examine your traffic, as well as some basics on using the navigation panel, resolving conflicts, and committing changes.
You can also tailor traffic preprocessing options to specific security zones and networks by creating multiple custom network analysis policies, then assigning them to preprocess different traffic.
Note Tailoring preprocessing, especially using multiple custom network analysis policies, is an advanced task. Because preprocessing and intrusion inspection are so closely related, the network analysis and intrusion policies examining a single packet must complement each other. The system does not coordinate the policies for you, and uses default options in cases of misconfiguration. For more information, see Limitations of Custom Policies.
This chapter explains how to create a simple custom network analysis policy. It also contains basic information on managing network analysis policies: editing, comparing, and so on. For more information, see:
- Creating a Custom Network Analysis Policy
- Managing Network Analysis Policies
Creating a Custom Network Analysis Policy
When you create a new network analysis policy you must give it a unique name, specify a base policy, and choose an inline mode.
The base policy defines the network analysis policy’s default settings. Modifying a setting in the new policy overrides—but does not change—the settings in the base policy. You can use either a system-provided or custom policy as your base policy. For more information, see Understanding the Base Layer.
The network analysis policy’s inline mode allows preprocessors to modify (normalize) and drop traffic to minimize the chances of attackers evading detection. Note that in passive deployments, the system cannot affect traffic flow regardless of the inline mode. For more information, see Allowing Preprocessors to Affect Traffic in Inline Deployments.
To create a network analysis policy:
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy.
The Access Control Policy page appears.
Step 2 Click the edit icon next to the access control policy you want to edit.
The access control policy editor appears.
Step 3 Select the Advanced tab.
The access control policy advanced settings page appears.
Step 4 Click the edit icon next to Network Analysis and Intrusion Policies.
The Network Analysis and Intrusion Policies pop-up window appears.
Step 5 Click Network Analysis Policy List.
The Network Analysis Policy List pop-up window appears.
Step 6 Click Create Policy.
If you have unsaved changes in another policy, click Cancel when prompted to return to the Network Analysis Policy page. See Resolving Conflicts and Committing Policy Changes for information on saving unsaved changes in another policy.
The Create Network Analysis Policy pop-up window appears.
Step 7 Give the policy a unique Name and, optionally, a Description.
Step 8 Specify the initial Base Policy.
You can use either a system-provided or custom policy as your base policy. Do not use the Experimental Policy 1 base policy unless instructed to do so by a Cisco representative; Cisco uses this policy for testing.
Step 9 Specify whether you want to allow preprocessors to affect traffic in an inline deployment:
- To allow preprocessors to modify and drop traffic, select the Inline Mode check box.
- To prevent preprocessors from affecting traffic, clear the Inline Mode check box.
Step 10 Create the policy:
- Click Create Policy to create the new policy and return to the Network Analysis Policy page. The new policy has the same settings as its base policy.
- Click Create and Edit Policy to create the policy and open it for editing in the advanced network analysis policy editor; see Editing Network Analysis Policies.
Managing Network Analysis Policies
On the Network Analysis Policy page you can view your current custom network analysis policies, along with the following information:
- the time and date the policy was last modified (in local time) and the user who modified it
- whether the Inline Mode setting is enabled, which allows preprocessors to affect traffic
- which access control policies are using the network analysis policy to preprocess traffic
- whether a policy has unsaved changes, as well as information about who (if anyone) is currently editing the policy
Options on the Network Analysis Policy page also allow you to create, edit, compare, and generate reports on network analysis policies; these actions are described in the following sections.
Editing Network Analysis Policies
When you create a new network analysis policy, it has the same settings as its base policy. The most common actions you can take to tailor the new policy to your needs are:
- To allow preprocessors to affect traffic in an inline deployment, select the Inline Mode check box on the Policy Information page; see Allowing Preprocessors to Affect Traffic in Inline Deployments.
- To change the base policy, select a base policy from the Base Policy drop-down list on the Policy Information page; see Understanding the Base Layer.
- To enable, disable, or configure preprocessors, select Settings in the navigation panel; see Configuring Preprocessors in a Network Analysis Policy.
When tailoring a network analysis policy, especially when disabling preprocessors, keep in mind that some preprocessors and intrusion rules require that traffic first be decoded or preprocessed in a certain way. If you disable a required preprocessor, the system automatically uses it with its current settings, although the preprocessor remains disabled in the network analysis policy module interface.
Note Because preprocessing and intrusion inspection are so closely related, the network analysis and intrusion policies examining a single packet must complement each other. Tailoring preprocessing, especially using multiple custom network analysis policies, is an advanced task. For more information, see Limitations of Custom Policies.
The system caches one network analysis policy per user. While editing a network analysis policy, if you select any menu or other path to another page, your changes stay in the system cache even if you leave the page. In addition to the actions summarized above, Understanding Network Analysis and Intrusion Policies provides information on using the navigation panel, resolving conflicts, and committing changes.
To edit a network analysis policy:
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy.
The Access Control Policy page appears.
Step 2 Click the edit icon next to the access control policy you want to edit.
The access control policy editor appears.
Step 3 Select the Advanced tab.
The access control policy advanced settings page appears.
Step 4 Click the edit icon next to Network Analysis and Intrusion Policies.
The Network Analysis and Intrusion Policies pop-up window appears.
Step 5 Click Network Analysis Policy List.
The Network Analysis Policy List pop-up window appears.
Step 6 Click the edit icon next to the network analysis policy you want to configure.
The network analysis policy editor appears, focused on the Policy Information page and with a navigation panel on the left.
Step 7 Edit your policy. Take any of the actions summarized above.
Step 8 Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. For more information, see Resolving Conflicts and Committing Policy Changes.
Allowing Preprocessors to Affect Traffic in Inline Deployments
In an inline deployment, some preprocessors can modify and block traffic. For example:
- The inline normalization preprocessor normalizes packets to prepare them for analysis by other preprocessors and the intrusion rules engine. You can also use the preprocessor’s Block Unrecoverable TCP Header Anomalies and Allow These TCP Options options to block certain packets. For more information, see Normalizing Inline Traffic.
- The system can drop packets with invalid checksums; see Verifying Checksums.
- The system can drop packets matching rate-based attack prevention settings; see Preventing Rate-Based Attacks.
For a preprocessor configured in the network analysis policy to affect traffic, you must also enable and correctly configure the preprocessor, as well as correctly deploy the device inline. Finally, you must enable the network analysis policy’s Inline Mode setting.
If you want to assess how your configuration would function in an inline deployment without actually modifying traffic, you can disable inline mode. Note that in passive deployments, the system cannot affect traffic regardless of the inline mode.
Tip In an inline deployment, Cisco recommends that you enable inline mode and configure the inline normalization preprocessor with the Normalize TCP Payload option enabled. In a passive deployment, Cisco recommends that you configure adaptive profiles.
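To see why inline normalization matters, here is an added example in Python that is not part of the Cisco guide or the product. It models a sensor and a destination host reassembling the same overlapping TCP segments under two different overlap policies, and a simplified inline normalizer that forwards each byte only the first time it is seen. The segments, the two policies ("first" and "last"), and the detection check are constructed for the demonstration; they stand in for real target-based reassembly and for the Normalize TCP Payload behaviour described above, not for Snort's actual implementation.

```python
"""Overlapping-segment evasion and inline TCP normalization (added example;
a simplified model, not Snort/FirePOWER code)."""

from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (relative sequence number, payload)

# Constructed attack stream: segments 2 and 3 cover the same offsets with
# different data. Which copy "wins" depends on the reassembler's policy.
ATTACK_SEGMENTS: List[Segment] = [
    (0, b"GET /"),
    (5, b"index.html"),        # decoy bytes
    (5, b"etc/passwd"),        # real bytes, same offsets
    (15, b" HTTP/1.0\r\n"),
]


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from (possibly overlapping) segments.

    policy="first": bytes already received win on overlap.
    policy="last":  later bytes overwrite earlier ones on overlap.
    Real stacks mix both rules; these two extremes suffice for the demo.
    """
    if policy not in ("first", "last"):
        raise ValueError(policy)
    stream: Dict[int, int] = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = byte
    if not stream:
        return b""
    # Holes (never-seen offsets) are filled with NUL for simplicity.
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


def normalize_inline(segments: List[Segment]) -> List[Segment]:
    """Simplified inline normalizer: forward each byte offset only the first
    time it is seen. Retransmitted bytes are trimmed, and a segment carrying
    only already-forwarded offsets is dropped outright, so every downstream
    host sees exactly the stream the sensor inspected."""
    forwarded: set = set()
    out: List[Segment] = []
    for seq, data in segments:
        run_start, run = None, bytearray()
        for i, byte in enumerate(data):
            off = seq + i
            if off in forwarded:
                if run:
                    out.append((run_start, bytes(run)))
                    run = bytearray()
                continue
            if not run:
                run_start = off
            run.append(byte)
            forwarded.add(off)
        if run:
            out.append((run_start, bytes(run)))
    return out


def contains_attack(stream: bytes) -> bool:
    """Stand-in for an intrusion rule matching the reassembled stream."""
    return b"/etc/passwd" in stream


def evaluate(segments: List[Segment], sensor_policy: str, host_policy: str,
             inline_mode: bool) -> Dict[str, bool]:
    """What the sensor alerts on, what the host actually receives, and
    whether the two views agree."""
    if inline_mode:
        segments = normalize_inline(segments)
    sensor_view = reassemble(segments, sensor_policy)
    host_view = reassemble(segments, host_policy)
    return {
        "sensor_alerts": contains_attack(sensor_view),
        "host_receives_attack": contains_attack(host_view),
        "views_agree": sensor_view == host_view,
    }


if __name__ == "__main__":
    # Passive/IDS-only: the sensor sees the decoy, the host gets the attack.
    print("inline mode off:", evaluate(ATTACK_SEGMENTS, "first", "last", False))
    # Inline with normalization: both sides see the first copy of each byte.
    print("inline mode on: ", evaluate(ATTACK_SEGMENTS, "first", "last", True))
```

Running it prints the two verdicts. With inline mode off and mismatched policies, the host's stream contains the attack while the sensor's does not: a classic overlap evasion, which is why a passive deployment has to know the target's reassembly policy instead (the adaptive profiles the Tip mentions). With inline mode on, the normalizer drops the conflicting retransmission, so sensor and host agree and the attacker's second copy never reaches the host.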
To allow preprocessors to affect traffic in an inline deployment:
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy.
The Access Control Policy page appears.
Step 2 Click the edit icon next to the access control policy you want to edit.
The access control policy editor appears.
Step 3 Select the Advanced tab.
The access control policy advanced settings page appears.
Step 4 Click the edit icon next to Network Analysis and Intrusion Policies.
The Network Analysis and Intrusion Policies pop-up window appears.
Step 5 Click Network Analysis Policy List.
The Network Analysis Policy List pop-up window appears.
Step 6 Click the edit icon next to the policy you want to edit.
The Policy Information page appears.
Step 7 Specify whether you want to allow preprocessors to affect traffic:
- To allow preprocessors to modify and drop traffic, select the Inline Mode check box.
- To prevent preprocessors from affecting traffic, clear the Inline Mode check box.
Step 8 Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. For more information, see Resolving Conflicts and Committing Policy Changes.
Configuring Preprocessors in a Network Analysis Policy
When you select Settings in the navigation panel of a network analysis policy, the policy lists its preprocessors by type. On the Settings page, you can enable or disable preprocessors in your network analysis policy, as well as access preprocessor configuration pages.
A preprocessor must be enabled for you to configure it. When you enable a preprocessor, a sublink to the configuration page for the preprocessor appears beneath the Settings link in the navigation panel, and an Edit link to the configuration page appears next to the preprocessor on the Settings page.
Tip To revert a preprocessor’s configuration to the settings in the base policy, click Revert to Defaults on a preprocessor configuration page. When prompted, confirm that you want to revert.
When you disable a preprocessor, the sublink and Edit link no longer appear, but your configurations are retained. Note that to perform their particular analysis, many preprocessors and intrusion rules require that traffic first be decoded or preprocessed in a certain way. If you disable a required preprocessor, the system automatically uses it with its current settings, although the preprocessor remains disabled in the network analysis policy module interface.
Note In most cases, preprocessors require specific expertise to configure and typically require little or no modification. Tailoring preprocessing, especially using multiple custom network analysis policies, is an advanced task. Because preprocessing and intrusion inspection are so closely related, the network analysis and intrusion policies examining a single packet must complement each other. For more information, see Limitations of Custom Policies.
Modifying a preprocessor configuration requires an understanding of the configuration and its potential impact on your network. The following sections provide links to specific configuration details for each preprocessor.
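The following Python example is added here and is not code from the Cisco product. It models the two resolution rules this chapter describes: a custom policy's settings overlay the base policy without changing it, and a preprocessor that other inspection depends on is used with its current settings even when the policy shows it disabled. The preprocessor names, option names, and dependency table are constructed for illustration and are not Cisco's actual configuration schema.

```python
"""Effective network analysis policy resolution (added example; a model of
the documented behaviour, not FirePOWER code)."""

from copy import deepcopy
from typing import Dict, Iterable, List, Set, Tuple

Settings = Dict[str, Dict[str, object]]

# Constructed base policy, standing in for a system-provided policy.
BASE_POLICY: Settings = {
    "tcp_stream": {"enabled": True, "overlap_limit": 10},
    "http_inspect": {"enabled": True, "normalize_utf": True},
    "inline_normalization": {"enabled": False, "normalize_tcp_payload": False},
    "back_orifice": {"enabled": True},
}

# Constructed dependency table: what each component needs to have run first.
REQUIRES: Dict[str, List[str]] = {
    "http_inspect": ["tcp_stream"],
    "intrusion_rules": ["http_inspect", "tcp_stream"],
}

# Constructed custom layer: the operator disables stream reassembly (which
# HTTP inspection and the rules engine need) and turns on inline normalization.
CUSTOM_LAYER: Settings = {
    "tcp_stream": {"enabled": False, "overlap_limit": 0},
    "inline_normalization": {"enabled": True, "normalize_tcp_payload": True},
}


def apply_layer(base: Settings, layer: Settings) -> Settings:
    """Overlay a custom layer on the base. The base is never mutated; any
    option the layer does not mention keeps its base value."""
    effective = deepcopy(base)
    for name, opts in layer.items():
        effective.setdefault(name, {}).update(opts)
    return effective


def force_required(effective: Settings,
                   consumers: Iterable[str]) -> Tuple[Settings, Set[str]]:
    """Walk the dependency closure of the active consumers. A required
    preprocessor the policy has disabled is used anyway, with whatever
    settings it currently has; the names of those are returned for reporting."""
    effective = deepcopy(effective)
    forced: Set[str] = set()
    todo, seen = list(consumers), set()
    while todo:
        comp = todo.pop()
        if comp in seen:
            continue
        seen.add(comp)
        for dep in REQUIRES.get(comp, []):
            if not effective[dep]["enabled"]:
                effective[dep]["enabled"] = True
                forced.add(dep)
            todo.append(dep)
    return effective, forced


def effective_policy(layer: Settings,
                     consumers: Iterable[str] = ("intrusion_rules",)
                     ) -> Tuple[Settings, Set[str]]:
    """Base + layer, then dependency enforcement for the rules engine and
    every preprocessor the merged policy leaves enabled."""
    merged = apply_layer(BASE_POLICY, layer)
    active = list(consumers) + [n for n, o in merged.items() if o["enabled"]]
    return force_required(merged, active)


def report(effective: Settings, forced: Set[str]) -> List[str]:
    """Flat listing of the effective configuration, base and layer merged
    without distinction, with silently re-enabled preprocessors called out."""
    lines = []
    for name in sorted(effective):
        opts = ", ".join(f"{k}={v}" for k, v in sorted(effective[name].items()))
        tag = "  (shown disabled in UI, used anyway)" if name in forced else ""
        lines.append(f"{name}: {opts}{tag}")
    return lines


if __name__ == "__main__":
    eff, forced = effective_policy(CUSTOM_LAYER)
    print("\n".join(report(eff, forced)))
```

The point for an audit is the last column of the report: tcp_stream shows as disabled in the policy editor, yet it runs with the layer's overlap_limit of 0 because http_inspect and the rules engine require it. Review the effective configuration (the policy report this chapter describes), not the enable/disable check boxes, when you judge what a custom policy actually does to traffic.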
Application Layer Preprocessors
Application-layer protocol decoders normalize specific types of packet data into formats that the intrusion rules engine can analyze.
The Modbus and DNP3 preprocessors detect traffic anomalies and provide data to the intrusion rules engine for inspection.
Transport/Network Layer Preprocessors
Network- and transport-layer preprocessors detect exploits at the network and transport layers. Before packets are sent to preprocessors, the packet decoder converts packet headers and payloads into a format that can be easily used by the preprocessors and the intrusion rules engine; it also detects various anomalous behaviors in packet headers.
Note that some advanced transport and network preprocessor settings apply globally to all networks and zones where you apply your access control policy. You configure these advanced settings in an access control policy rather than in a network analysis policy; see Configuring Advanced Transport/Network Settings.
The Back Orifice preprocessor analyzes UDP traffic for the Back Orifice magic cookie. The portscan detector can be configured to report scan activity. Rate-based attack prevention can help you protect your network against SYN floods and an extreme number of simultaneous connections designed to overwhelm your network.
Note that you configure the sensitive data preprocessor, which detects sensitive data such as credit card numbers and Social Security numbers in ASCII text, in intrusion policies. For more information, see Detecting Sensitive Data.
Generating a Report of Current Network Analysis Settings
A network analysis policy report is a record of the policy configuration at a specific point in time. The system combines the settings in the base policy with the settings of the policy layers, and makes no distinction between which settings originated in the base policy or policy layer.
You can use the report for auditing purposes or to inspect the current configuration.
You can also generate a comparison report that compares two network analysis policies, or two revisions of the same policy. For more information, see Comparing Two Network Analysis Policies or Revisions.
To view a network analysis policy report:
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy.
The Access Control Policy page appears.
Step 2 Click the edit icon next to the access control policy you want to edit.
The access control policy editor appears.
Step 3 Select the Advanced tab.
The access control policy advanced settings page appears.
Step 4 Click the edit icon next to Network Analysis and Intrusion Policies.
The Network Analysis and Intrusion Policies pop-up window appears.
Step 5 Click Network Analysis Policy List.
The Network Analysis Policy List pop-up window appears.
Step 6 Click the report icon next to the policy for which you want to generate a report. Remember to commit any changes before you generate a network analysis policy report; only committed changes appear in the report.
The system generates the report. You are prompted to save the report to your computer.
Comparing Two Network Analysis Policies or Revisions
To review policy changes for compliance with your organization’s standards or to optimize system performance, you can examine the differences between two network analysis policies. You can compare any two network analysis policies or two revisions of the same network analysis policy. Optionally, after you compare, you can then generate a PDF report to record the differences between the two policies or policy revisions.
There are two tools you can use to compare network analysis policies or policy revisions:
- The comparison view displays only the differences between two network analysis policies or network analysis policy revisions in a side-by-side format; the name of each policy or policy revision appears in the title bar on the left and right sides of the comparison view.
You can use this to view and navigate both policy revisions on the module interface, with their differences highlighted.
- The comparison report creates a record of only the differences between two network analysis policies or network analysis policy revisions in a format similar to the network analysis policy report, but in PDF format.
You can use this to save, copy, print and share your policy comparisons for further examination.
For more information on understanding and using the policy comparison tools, see:
- Using the Network Analysis Policy Comparison View
- Using the Network Analysis Policy Comparison Report
Using the Network Analysis Policy Comparison View
The comparison view displays both policies or policy revisions in a side-by-side format, with each policy or policy revision identified by name in the title bar on the left and right sides of the comparison view. The time of last modification and the last user to modify are displayed with the policy name.
Differences between the two policies are highlighted:
- Blue indicates that the highlighted setting is different in the two policies, and the difference is noted in red text.
- Green indicates that the highlighted setting appears in one policy but not the other.
You can perform any of the following actions:
- To navigate individually through changes, click Previous or Next above the title bar. The double-arrow icon centered between the left and right sides moves, and the Difference number adjusts to identify which difference you are viewing.
- To begin a new comparison, open the Select Comparison window; see Using the Network Analysis Policy Comparison Report for more information.
- To generate a policy comparison report, click Comparison Report. The policy comparison report creates a PDF document that lists only the differences between the two policies or policy revisions.
Using the Network Analysis Policy Comparison Report
A network analysis policy comparison report is a record of all differences between two network analysis policies or two revisions of the same network analysis policy identified by the network analysis policy comparison view, presented as a PDF. You can use this report to further examine the differences between two network analysis policy configurations and to save and disseminate your findings.
You can generate a network analysis policy comparison report from the comparison view for any policies to which you have access. Remember to save any changes before you generate a policy report; only saved changes appear in the report.
The format of the policy comparison report is the same as the policy report with one exception: the policy report contains all configurations in the policy, and the policy comparison report lists only those configurations that differ between the policies. A network analysis policy comparison report contains the sections described in Table 15-7.
Tip You can use a similar procedure to compare access control, intrusion, or file policies.
To compare two network analysis policies or policy revisions:
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy.
The Access Control Policy page appears.
Step 2 Click the edit icon next to the access control policy you want to edit.
The access control policy editor appears.
Step 3 Select the Advanced tab.
The access control policy advanced settings page appears.
Step 4 Click the edit icon next to Network Analysis and Intrusion Policies.
The Network Analysis and Intrusion Policies pop-up window appears.
Step 5 Click Network Analysis Policy List.
The Network Analysis Policy List pop-up window appears.
Step 6 Click Compare Policies.
The Select Comparison window appears.
Step 7 From the Compare Against drop-down list, select the type of comparison you want to make:
- If you are comparing two different policies, the page refreshes and the Policy A and Policy B drop-down lists appear.
- If you are comparing two revisions of the same policy, the page refreshes and the Policy, Revision A, and Revision B drop-down lists appear.
Step 8 Depending on the comparison type you selected, you have the following choices:
- If you are comparing two different policies, select the policies you want to compare from the Policy A and Policy B drop-down lists.
- If you are comparing two revisions of the same policy, select the Policy, then select the timestamped revisions you want to compare from the Revision A and Revision B drop-down lists.
Step 9 Click OK to display the policy comparison view.
Step 10 Optionally, click Comparison Report to generate the network analysis policy comparison report.
The network analysis policy comparison report appears. You are prompted to save the report to your computer.