The Security Intelligence feature allows you to specify the traffic that can traverse your network based on the source or destination IP address, domain name, or URL. You configure Security Intelligence in access control policies, separate from access control rules. This is especially useful if you want to blacklist (deny traffic to and from) specific IP addresses or URLs before the traffic is analyzed by access control rules. You can also add IP addresses, URLs, and domain names to a whitelist to force the system to handle their connections using access control.

If you are not sure whether you want to blacklist a particular IP address or URL, a monitor-only setting allows the system to handle a connection using access control, but also logs the connection's match to the blacklist.

By default, access control policies use Global whitelists and blacklists for IP addresses and URLs. Similarly, DNS policies use the Global DNS whitelist and blacklist.
In a multidomain deployment, access control policies can also use:

- Descendant whitelists and blacklists. In ancestor domains, descendant lists represent items whitelisted or blacklisted in subdomains. Descendant lists can also contain items added for lower-level domains by higher-level domain administrators. From an ancestor domain, you cannot view the contents of descendant lists.
- Domain-specific whitelists and blacklists. In subdomains, domain-specific lists represent items whitelisted or blacklisted in or for the named domain. You can view the contents of domain-specific lists for ancestor domains, and edit the contents of the domain-specific list for your domain.

Global, Descendant, and Domain-specific lists apply to any zone, and you can disable them on a per-policy basis.
Finally, you can build custom whitelists and blacklists for IP addresses, URLs, or domain names, using:

- network or URL objects
- network, URL, or DNS categories
- Security Intelligence lists and feeds

You can constrain these by security zone. In a DNS policy, you can also constrain DNS lists and feeds based on network or VLAN.
Comparing Feeds and Lists
A Security Intelligence feed is a dynamic collection of IP addresses, URLs, or domain names that the Firepower Management Center downloads from an HTTP or HTTPS server at the interval you configure. Because feeds are regularly updated, the system can use up-to-date information to filter your network traffic.

Note: The system does not perform peer SSL certificate verification when downloading custom feeds, nor does the system support the use of certificate bundles or self-signed certificates to verify the remote peer.
To help you build blacklists, the Firepower System provides:

- the Intelligence Feed, which represents IP addresses determined by Talos to have a poor reputation
- the DNS and URL Intelligence Feed, comprised of domain names and URLs with a poor reputation
When the Firepower Management Center downloads updated feed information, it automatically updates its managed devices. Although it may take a few minutes for a feed update to take effect throughout your deployment, you do not have to re-deploy access control policies after you create or modify a feed, or after a scheduled feed update.

Note: If you want strict control over when the system downloads a feed from the Internet, you can disable automatic updates for that feed. However, Cisco recommends that you allow automatic updates. Although you can manually perform on-demand updates, allowing the system to download feeds on a regular basis provides you with the most up-to-date, relevant data.
A Security Intelligence list, in contrast with a feed, is a simple static list of IP addresses, domain names, or URLs that you manually upload to the system. Use custom lists to augment and fine-tune feeds and default whitelists and blacklists. Note that editing custom lists (as well as editing network objects and removing entries from a whitelist or blacklist) requires an access control policy deploy for your changes to take effect.
Formatting and Corrupt Feed Data
Feed and list source files must be simple text files no larger than 500MB, with one IP address, address block, URL, or domain name per line. Each source must contain only IP addresses, or only URLs, or only domain names. List source files must use the .txt extension.

In a DNS list entry, you can specify an asterisk (*) wildcard character for a domain label. Any label matches the wildcard. For example, an entry of www.example.* matches both www.example.com and www.example.co.

If you add comment lines within the source file, they must start with the pound (#) character. If you upload a source file with comments, the system removes your comments during upload. Source files you download contain all your entries without your comments.
If the system downloads a corrupt feed or a feed with no
recognizable entries, the system continues using the old feed data (unless it
is the first download). However, if the system can recognize even one entry in
the feed, it uses the entries it can recognize.
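The following is an added example, not Cisco's code, that applies the source-file rules above to a constructed list: it strips # comments, classifies each entry as an IP/address block, URL, or domain name, checks that a source holds only one kind of entry, keeps the old data when a download has no recognizable entries (unless it is the first download), and matches DNS entries with a per-label * wildcard. It assumes each * matches exactly one label, as the www.example.* example shows.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample DNS list source (not a real feed); comment lines start with '#'.
SAMPLE_DNS_LIST = """# constructed example list
www.example.*
bad.example.net
*.evil.example
"""

# One DNS label: either the '*' wildcard or a standard hostname label.
LABEL_RE = re.compile(r"^(?:\*|[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)$", re.I)

def parse_entries(text):
    """Return the non-empty, non-comment lines; the system drops '#' comments on upload."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def classify(entry):
    """'ip' for an address or block, 'url' for a URL, 'domain' for a domain name, else None."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    if "://" in entry or "/" in entry:
        parsed = urlparse(entry if "://" in entry else "http://" + entry)
        return "url" if parsed.netloc else None
    labels = entry.rstrip(".").split(".")
    return "domain" if len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels) else None

def source_type(entries):
    """A source must hold only one kind of entry; return it, or None if mixed or empty."""
    kinds = {classify(e) for e in entries} - {None}
    return kinds.pop() if len(kinds) == 1 else None

def load_feed(text, old_entries, first_download):
    """Documented behaviour: use recognizable entries; if none, keep old data unless first download."""
    recognized = [e for e in parse_entries(text) if classify(e)]
    if recognized:
        return recognized
    return [] if first_download else list(old_entries)

def dns_match(pattern, name):
    """Match a DNS entry against a name; a '*' label matches any single label (assumption)."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    return len(p) == len(n) and all(pl == "*" or pl == nl for pl, nl in zip(p, n))
```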
The default health policy includes the Security Intelligence
module, which alerts in a few situations involving Security Intelligence
filtering, including if the system cannot update a feed, or if a feed is
corrupt or contains no recognizable entries.
Managing Feeds and Lists
You create and manage Security Intelligence lists and feeds,
collectively called Security Intelligence objects, using the object manager’s
Security Intelligence page.
Note that you cannot delete a custom list or feed that is
currently being used in a saved or deployed access control policy. In a
multidomain deployment, you also cannot delete a Global list or the default
domain-associated lists. You can, however, remove individual items from these
lists if the lists belong to the current domain. Similarly, although you cannot
delete Intelligence Feeds, editing them allows you to disable or change the
update frequency.