Getting Started with Network Analysis Policies
Network analysis policies govern many traffic preprocessing options, and are invoked by advanced settings in your access control policy. Network analysis-related preprocessing occurs after Security Intelligence blacklisting and SSL decryption, but before intrusion or file inspection begins.
By default, the system uses the Balanced Security and Connectivity network analysis policy to preprocess all traffic handled by an access control policy. However, you can choose a different default network analysis policy to perform this preprocessing. For your convenience, the system provides a choice of several non-modifiable network analysis policies, which are tuned for a specific balance of security and connectivity by the Cisco Vulnerability Research Team (VRT). You can also replace this default policy with a custom network analysis policy with custom preprocessing settings.
Tip System-provided intrusion and network analysis policies are similarly named but contain different configurations. For example, the Balanced Security and Connectivity network analysis policy and the Balanced Security and Connectivity intrusion policy work together and can both be updated in intrusion rule updates. However, the network analysis policy governs mostly preprocessing options, whereas the intrusion policy governs mostly intrusion rules. Understanding Network Analysis and Intrusion Policies provides an overview of how network analysis and intrusion policies work together to examine your traffic, as well as some basics on using the navigation panel, resolving conflicts, and committing changes.
You can also tailor traffic preprocessing options to specific security zones, networks, and VLANs by creating multiple custom network analysis policies, then assigning them to preprocess different traffic. (Note that ASA FirePOWER devices cannot restrict preprocessing by VLAN.)
Note Tailoring preprocessing, especially using multiple custom network analysis policies, is an advanced task. Because preprocessing and intrusion inspection are so closely related, the network analysis and intrusion policies examining a single packet must complement each other. The system does not coordinate the policies for you. For more information, see Limitations of Custom Policies.
This chapter explains how to create a simple custom network analysis policy. This chapter also contains basic information on managing network analysis policies: editing, comparing, and so on. For more information, see:
- Creating a Custom Network Analysis Policy
- Managing Network Analysis Policies
- Editing Network Analysis Policies
- Allowing Preprocessors to Affect Traffic in Inline Deployments
- Configuring Preprocessors in a Network Analysis Policy
- Generating a Report of Current Network Analysis Settings
- Comparing Two Network Analysis Policies or Revisions
Creating a Custom Network Analysis Policy
When you create a new network analysis policy you must give it a unique name, specify a base policy, and choose an inline mode.
The base policy defines the network analysis policy’s default settings. Modifying a setting in the new policy overrides—but does not change—the settings in the base policy. You can use either a system-provided or custom policy as your base policy. For more information, see Understanding the Base Layer.
The network analysis policy’s inline mode allows preprocessors to modify (normalize) and drop traffic to minimize the chances of attackers evading detection. Note that in passive deployments, the system cannot affect traffic flow regardless of the inline mode. For more information, see Allowing Preprocessors to Affect Traffic in Inline Deployments.
To create a network analysis policy:
Step 1 Select Policies > Access Control to display the Access Control Policy page, then click Network Analysis Policy.
The Network Analysis Policy page appears.
You can create and edit network analysis as well as intrusion policies if your FireSIGHT System user account’s role is restricted to Intrusion Policy or Modify Intrusion Policy. To access the Network Analysis Policy page, select Policies > Intrusion, then click Network Analysis Policy. For more information, see Managing Custom User Roles.
If you have unsaved changes in another policy, click Cancel when prompted to return to the Network Analysis Policy page. See Resolving Conflicts and Committing Policy Changes for information on saving unsaved changes in another policy.
Step 2 Click Create Policy.
The Create Network Analysis Policy pop-up window appears.
Step 3 Give the policy a unique Name and, optionally, a Description.
Step 4 Specify the initial Base Policy.
You can use either a system-provided or custom policy as your base policy.
Step 5 Specify whether you want to allow preprocessors to affect traffic in an inline deployment: select the Inline Mode check box to allow it, or clear the check box to prevent it.
Step 6 Create the policy:
- Click Create Policy to create the new policy and return to the Network Analysis Policy page. The new policy has the same settings as its base policy.
- Click Create and Edit Policy to create the policy and open it for editing in the advanced network analysis policy editor; see Editing Network Analysis Policies.
Managing Network Analysis Policies
On the Network Analysis Policy page (Policies > Access Control, then click Network Analysis Policy) you can view your current custom network analysis policies, along with the following information:
- the time and date the policy was last modified (in local time) and the user who modified it
- whether the Inline Mode setting is enabled, which allows preprocessors to affect traffic
- which access control policies and devices are using the network analysis policy to preprocess traffic
- whether a policy has unsaved changes, as well as information about who (if anyone) is currently editing the policy
In addition to custom policies that you create, the system provides two custom policies: Initial Inline Policy and Initial Passive Policy. These two network analysis policies use the Balanced Security and Connectivity network analysis policy as their base. The only difference between them is their inline mode, which allows preprocessors to affect traffic in the inline policy and disables it in the passive policy. You can edit and use these system-provided custom policies.
Options on the Network Analysis Policy page allow you to take the actions in the following table.
Note that you can create and edit network analysis as well as intrusion policies if your FireSIGHT System user account’s role is restricted to Intrusion Policy or Modify Intrusion Policy. To access the Network Analysis Policy page, select Policies > Intrusion, then click Network Analysis Policy. For more information, see Managing Custom User Roles.
Editing Network Analysis Policies
When you create a new network analysis policy, it has the same settings as its base policy. The following table lists the most common actions you can take to tailor the new policy to your needs:
To... | You can... | See...
allow preprocessors to affect traffic in an inline deployment | select the Inline Mode check box on the Policy Information page. | Allowing Preprocessors to Affect Traffic in Inline Deployments
change the base policy | select a base policy from the Base Policy drop-down list on the Policy Information page. | Understanding the Base Layer
When tailoring a network analysis policy, especially when disabling preprocessors, keep in mind that some preprocessors and intrusion rules require that traffic first be decoded or preprocessed in a certain way. If you disable a required preprocessor, the system automatically uses it with its current settings, although the preprocessor remains disabled in the network analysis policy web interface.
Note Because preprocessing and intrusion inspection are so closely related, the network analysis and intrusion policies examining a single packet must complement each other. Tailoring preprocessing, especially using multiple custom network analysis policies, is an advanced task. For more information, see Limitations of Custom Policies.
The system caches one network analysis policy per user. While editing a network analysis policy, if you select any menu or other path to another page, your changes stay in the system cache even if you leave the page. In addition to the actions you can perform in the table above, Understanding Network Analysis and Intrusion Policies provides information on using the navigation panel, resolving conflicts, and committing changes.
To edit a network analysis policy:
Step 1 Select Policies > Access Control to display the Access Control Policy page, then click Network Analysis Policy.
The Network Analysis Policy page appears.
Step 2 Click the edit icon next to the network analysis policy you want to configure.
The network analysis policy editor appears, focused on the Policy Information page and with a navigation panel on the left.
Step 3 Edit your policy. Take any of the actions summarized above.
Step 4 Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. For more information, see Resolving Conflicts and Committing Policy Changes.
Allowing Preprocessors to Affect Traffic in Inline Deployments
In an inline deployment, some preprocessors can modify and block traffic. For example:
- The inline normalization preprocessor normalizes packets to prepare them for analysis by other preprocessors and the intrusion rules engine. You can also use the preprocessor’s Allow These TCP Options and Block Unrecoverable TCP Header Anomalies options to block certain packets. For more information, see Normalizing Inline Traffic.
- The system can drop packets with invalid checksums; see Verifying Checksums.
- The system can drop packets matching rate-based attack prevention settings; see Preventing Rate-Based Attacks.
For a preprocessor configured in the network analysis policy to affect traffic, you must enable and correctly configure the preprocessor, as well as correctly deploy managed devices inline, that is, with inline interface sets. Finally, you must enable the network analysis policy’s Inline Mode setting.
If you want to assess how your configuration would function in an inline deployment without actually modifying traffic, you can disable inline mode. In passive deployments or inline deployments in tap mode, the system cannot affect traffic regardless of the inline mode.
Note that disabling inline mode can affect intrusion event performance statistics graphs. With inline mode enabled in an inline deployment, the Intrusion Event Performance page (Overview > Summary > Intrusion Event Performance) displays graphs that represent normalized and blocked packets. If you disable inline mode, or in a passive deployment, many of the graphs display data about the traffic the system would have normalized or dropped. For more information, see Generating Intrusion Event Performance Statistics Graphs.
Tip In an inline deployment, Cisco recommends that you enable inline mode and configure the inline normalization preprocessor with the Normalize TCP Payload option enabled. In a passive deployment, Cisco recommends you configure adaptive profiles.
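The three conditions above (preprocessor enabled, device deployed inline rather than passive or in tap mode, and the policy's Inline Mode setting on) decide whether a normalize or drop verdict is enforced or merely counted as "would have" in the performance graphs. The following Python model is an added example, not FireSIGHT code; the deployment labels, the verdict vocabulary and the sample verdict list are assumptions made for the illustration.

```python
"""Model of when a preprocessor verdict actually affects traffic.

Added example, not FireSIGHT code. It encodes the rule from the text:
the preprocessor must be enabled, the device must be deployed inline
(not passive, not inline tap mode), and the policy's Inline Mode must be
on. When any condition fails, verdicts are tallied as "would have"
counts, which is what the Intrusion Event Performance graphs show for a
passive deployment or a policy with Inline Mode disabled.
Names below are assumptions chosen for the example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    mode: str           # "inline" (inline interface set), "tap" (inline tap mode) or "passive"
    inline_mode: bool   # the network analysis policy's Inline Mode check box


def can_affect_traffic(dep: Deployment, preprocessor_enabled: bool) -> bool:
    """True only when all three conditions from the text hold."""
    if not preprocessor_enabled:
        return False
    if dep.mode != "inline":        # passive and tap mode never modify traffic
        return False
    return dep.inline_mode


def apply_verdicts(dep: Deployment, verdicts, preprocessor_enabled: bool = True) -> Counter:
    """Tally a stream of preprocessor verdicts ("pass", "normalize", "drop").

    Returns counts of passed / normalized / dropped when enforcement is
    possible, or passed / would_normalize / would_drop when it is not.
    """
    enforce = can_affect_traffic(dep, preprocessor_enabled)
    stats = Counter()
    for v in verdicts:
        if v == "pass":
            stats["passed"] += 1
        elif v == "normalize":
            stats["normalized" if enforce else "would_normalize"] += 1
        elif v == "drop":
            stats["dropped" if enforce else "would_drop"] += 1
        else:
            raise ValueError(f"unknown verdict {v!r}")
    return stats


# Constructed sample verdicts for the example (not captured traffic)
SAMPLE = ["pass", "normalize", "drop", "pass", "normalize", "drop", "drop"]

if __name__ == "__main__":
    for dep in (Deployment("inline", True), Deployment("inline", False),
                Deployment("tap", True), Deployment("passive", True)):
        print(dep, dict(apply_verdicts(dep, SAMPLE)))
```

Running the block prints the same seven verdicts tallied four ways; only the first deployment (inline interfaces with Inline Mode on) produces real dropped and normalized counts, the other three produce only would_drop and would_normalize, matching the graph behaviour described above.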
To allow preprocessors to affect traffic in an inline deployment:
Step 1 Select Policies > Access Control to display the Access Control Policy page, then click Network Analysis Policy.
The Network Analysis Policy page appears.
Step 2 Click the edit icon next to the policy you want to edit.
The Policy Information page appears.
Step 3 Specify whether you want to allow preprocessors to affect traffic: select the Inline Mode check box on the Policy Information page to allow it, or clear the check box to prevent it.
Step 4 Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. For more information, see Resolving Conflicts and Committing Policy Changes.
Configuring Preprocessors in a Network Analysis Policy
When you select Settings in the navigation panel of a network analysis policy, the policy lists its preprocessors by type. On the Settings page, you can enable or disable preprocessors in your network analysis policy, as well as access preprocessor configuration pages.
A preprocessor must be enabled for you to configure it. When you enable a preprocessor, a sublink to the configuration page for the preprocessor appears beneath the Settings link in the navigation panel, and an Edit link to the configuration page appears next to the preprocessor on the Settings page.
Tip To revert a preprocessor’s configuration to the settings in the base policy, click Revert to Defaults on a preprocessor configuration page. When prompted, confirm that you want to revert.
When you disable a preprocessor, the sublink and Edit link no longer appear, but your configurations are retained. Note that to perform their particular analysis, many preprocessors and intrusion rules require that traffic first be decoded or preprocessed in a certain way. If you disable a required preprocessor, the system automatically uses it with its current settings, although the preprocessor remains disabled in the network analysis policy web interface.
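The two rules above, that a custom policy's settings override but never change the base policy, and that a required preprocessor is still used with its current settings even when the web interface shows it disabled, can be modelled in a few lines. The following Python block is an added example, not FireSIGHT code: the preprocessor names, the dependency table and the sample base policy are assumptions made for the illustration and do not describe the product's real dependency graph.

```python
"""Model of how a custom network analysis policy resolves its effective settings.

Added example, not FireSIGHT code. It shows three rules from the text:
  1. a new policy starts with its base policy's settings;
  2. modifying a setting in the policy overrides, but does not change, the base;
  3. a preprocessor that an enabled preprocessor requires is still run with
     its current settings even when the policy marks it disabled.
The preprocessor names and the REQUIRES table are assumptions for the
example, not the product's actual dependency graph.
"""
from copy import deepcopy

# Assumed for the example: preprocessor -> set of preprocessors it requires.
REQUIRES = {
    "http_inspect": {"tcp_stream"},
    "tcp_stream": {"ip_defrag"},
    "inline_normalization": set(),
}


def merge_layers(base: dict, layers: list) -> dict:
    """Flatten base + layers into one view; later layers win. `base` is never mutated."""
    effective = deepcopy(base)
    for layer in layers:
        for name, settings in layer.items():
            effective.setdefault(name, {}).update(deepcopy(settings))
    return effective


def actually_used(policy: dict, requires: dict = REQUIRES) -> set:
    """Preprocessors the system runs: the enabled ones plus the transitive
    closure of what they require, even if those are shown as disabled."""
    used = {name for name, s in policy.items() if s.get("enabled")}
    stack = list(used)
    while stack:
        for dep in requires.get(stack.pop(), ()):
            if dep not in used:
                used.add(dep)
                stack.append(dep)
    return used


# Constructed base policy (an assumption; not a real system-provided policy)
BASE = {
    "ip_defrag": {"enabled": True, "policy": "linux"},
    "tcp_stream": {"enabled": True, "max_queued_bytes": 1048576},
    "http_inspect": {"enabled": True, "ports": [80, 8080]},
    "inline_normalization": {"enabled": False},
}
# Custom policy: one layer that disables tcp_stream and enables normalization
CUSTOM_LAYER = {
    "tcp_stream": {"enabled": False},
    "inline_normalization": {"enabled": True, "normalize_tcp_payload": True},
}


def report(base: dict, layers: list) -> dict:
    """What a policy report shows: one flattened view with no layer origin,
    plus whether the system will actually use each preprocessor."""
    effective = merge_layers(base, layers)
    used = actually_used(effective)
    return {name: dict(s, used=(name in used)) for name, s in effective.items()}


if __name__ == "__main__":
    for name, row in report(BASE, [CUSTOM_LAYER]).items():
        print(f"{name:22} {row}")
```

In the sample, tcp_stream is disabled by the custom layer but http_inspect (still enabled) requires it, so the report marks tcp_stream as used with its base-policy settings; disabling http_inspect as well removes that dependency and tcp_stream really stops running.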
Note In most cases, preprocessors require specific expertise to configure and typically require little or no modification. Tailoring preprocessing, especially using multiple custom network analysis policies, is an advanced task. Because preprocessing and intrusion inspection are so closely related, the network analysis and intrusion policies examining a single packet must complement each other. For more information, see Limitations of Custom Policies.
Modifying a preprocessor configuration requires an understanding of the configuration and its potential impact on your network. The following sections provide links to specific configuration details for each preprocessor.
Application Layer Preprocessors
Application-layer protocol decoders normalize specific types of packet data into formats that the intrusion rules engine can analyze.
The Modbus and DNP3 preprocessors detect traffic anomalies and provide data to the intrusion rules engine for inspection.
Transport/Network Layer Preprocessors
Network and transport layer preprocessors detect exploits at the network and transport layers. Before packets are sent to preprocessors, the packet decoder converts packet headers and payloads into a format that can be easily used by the preprocessors and the intrusion rules engine; it also detects various anomalous behaviors in packet headers.
Note that some advanced transport and network preprocessor settings apply globally to all networks, zones, and VLANs where you apply your access control policy. You configure these advanced settings in an access control policy rather than in a network analysis policy; see Configuring Advanced Transport/Network Settings.
The Back Orifice preprocessor analyzes UDP traffic for the Back Orifice magic cookie. The portscan detector can be configured to report scan activity. Rate-based attack prevention can help you protect your network against SYN floods and an extreme number of simultaneous connections designed to overwhelm your network.
Note that you configure the sensitive data preprocessor, which detects sensitive data such as credit card numbers and Social Security numbers in ASCII text, in intrusion policies. For more information, see Detecting Sensitive Data.
Generating a Report of Current Network Analysis Settings
A network analysis policy report is a record of the policy configuration at a specific point in time. The system combines the settings in the base policy with the settings of the policy layers, and makes no distinction between which settings originated in the base policy or policy layer.
You can use the report, which contains the following information, for auditing purposes or to inspect the current configuration.
You can also generate a comparison report that compares two network analysis policies, or two revisions of the same policy. For more information, see Comparing Two Network Analysis Policies or Revisions.
To view a network analysis policy report:
Step 1 Select Policies > Access Control to display the Access Control Policy page, then click Network Analysis Policy.
The Network Analysis Policy page appears.
Step 2 Click the report icon next to the policy for which you want to generate a report. Remember to commit any changes before you generate a network analysis policy report; only committed changes appear in the report.
The system generates the report. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.
Comparing Two Network Analysis Policies or Revisions
To review policy changes for compliance with your organization’s standards or to optimize system performance, you can examine the differences between two network analysis policies. You can compare any two network analysis policies or two revisions of the same network analysis policy. Optionally, after you compare, you can then generate a PDF report to record the differences between the two policies or policy revisions.
There are two tools you can use to compare network analysis policies or policy revisions:
- The comparison view displays only the differences between two network analysis policies or network analysis policy revisions in a side-by-side format; the name of each policy or policy revision appears in the title bar on the left and right sides of the comparison view.
You can use this to view and navigate both policy revisions on the web interface, with their differences highlighted.
- The comparison report creates a record of only the differences between two network analysis policies or network analysis policy revisions in a format similar to the network analysis policy report, but in PDF format.
You can use this to save, copy, print and share your policy comparisons for further examination.
For more information on understanding and using the policy comparison tools, see:
- Using the Network Analysis Policy Comparison View
- Using the Network Analysis Policy Comparison Report
Using the Network Analysis Policy Comparison View
The comparison view displays both policies or policy revisions in a side-by-side format, with each policy or policy revision identified by name in the title bar on the left and right sides of the comparison view. The time of last modification and the last user to modify are displayed with the policy name.
Differences between the two policies are highlighted:
- Blue indicates that the highlighted setting is different in the two policies, and the difference is noted in red text.
- Green indicates that the highlighted setting appears in one policy but not the other.
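The comparison view and the comparison report both list only the settings that differ, classified as either a changed value (blue highlight, value in red) or a setting present in one policy but not the other (green). The following Python block is an added example, not FireSIGHT code, that computes that classification over two flattened policies of the kind a policy report shows; the preprocessor names, settings and the two sample revisions are assumptions made for the illustration.

```python
"""Compute the differences a comparison view highlights between two
flattened network analysis policies (or two revisions of one policy).

Added example, not FireSIGHT code. Inputs are assumed to be the flattened
view a policy report gives: preprocessor -> {setting: value}. Each
difference is classified the way the text describes the colours:
  "changed"  (blue, value noted in red): setting in both, values differ
  "only_in"  (green): setting present in one policy but not the other
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Difference:
    preprocessor: str
    setting: str
    kind: str            # "changed" or "only_in"
    left: Any = None     # value in policy/revision A (None if absent)
    right: Any = None    # value in policy/revision B (None if absent)


_ABSENT = object()       # sentinel so a legitimate None value is not mistaken for "absent"


def compare_policies(a: dict, b: dict) -> list:
    """Return only the differences, in a stable order for Previous/Next navigation."""
    diffs = []
    for pp in sorted(set(a) | set(b)):
        sa, sb = a.get(pp, {}), b.get(pp, {})
        for key in sorted(set(sa) | set(sb)):
            va, vb = sa.get(key, _ABSENT), sb.get(key, _ABSENT)
            if va is _ABSENT or vb is _ABSENT:
                diffs.append(Difference(pp, key, "only_in",
                                        None if va is _ABSENT else va,
                                        None if vb is _ABSENT else vb))
            elif va != vb:
                diffs.append(Difference(pp, key, "changed", va, vb))
    return diffs


def render(diffs: list) -> list:
    """One numbered side-by-side text row per difference, like the view's Difference counter."""
    return [f"Difference {i}: {d.preprocessor}.{d.setting} [{d.kind}] "
            f"A={d.left!r} | B={d.right!r}"
            for i, d in enumerate(diffs, 1)]


# Constructed sample revisions (assumptions for the example, not real policies)
REVISION_A = {
    "tcp_stream": {"enabled": True, "max_queued_bytes": 1048576},
    "http_inspect": {"enabled": True, "ports": [80, 8080]},
}
REVISION_B = {
    "tcp_stream": {"enabled": True, "max_queued_bytes": 2097152},
    "http_inspect": {"enabled": True, "ports": [80, 8080], "unlimited_decompress": True},
    "inline_normalization": {"enabled": True},
}

if __name__ == "__main__":
    print("\n".join(render(compare_policies(REVISION_A, REVISION_B))))
```

Settings that are equal in both revisions are never emitted, which is the property that makes a comparison report short enough to review for policy drift; run it against two exports of the same policy and an empty list means nothing changed.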
You can perform any of the actions in the following table.
To... | You can...
navigate through the differences one at a time | click Previous or Next above the title bar. The double-arrow icon centered between the left and right sides moves, and the Difference number adjusts to identify which difference you are viewing.
determine which layer contains the configuration for a specific preprocessor | hover your pointer over the advanced configuration icon next to the configuration you want to view. The window displays the name of the layer that contains the preprocessor configuration.
start a new comparison | open the Select Comparison window. See Using the Network Analysis Policy Comparison Report for more information.
generate a policy comparison report | click Comparison Report. The policy comparison report creates a PDF document that lists only the differences between the two policies or policy revisions.
Using the Network Analysis Policy Comparison Report
A network analysis policy comparison report is a record of all differences between two network analysis policies or two revisions of the same network analysis policy identified by the network analysis policy comparison view, presented as a PDF. You can use this report to further examine the differences between two network analysis policy configurations and to save and disseminate your findings.
You can generate a network analysis policy comparison report from the comparison view for any policies to which you have access. Remember to save any changes before you generate a policy report; only saved changes appear in the report.
The format of the policy comparison report is the same as the policy report with one exception: the policy report contains all configurations in the policy, and the policy comparison report lists only those configurations that differ between the policies. A network analysis policy comparison report contains the sections described in Table 26-7.
Tip You can use a similar procedure to compare SSL, access control, intrusion, file, system, or health policies.
To compare two network analysis policies or policy revisions:
Step 1 Select Policies > Access Control to display the Access Control Policy page, then click Network Analysis Policy.
The Network Analysis Policy page appears.
Step 2 Click Compare Policies.
The Select Comparison window appears.
Step 3 From the Compare Against drop-down list, select the type of comparison you want to make:
- If you choose to compare two different policies, the page refreshes and the Policy A and Policy B drop-down lists appear.
- If you choose to compare two revisions of the same policy, the page refreshes and the Policy, Revision A, and Revision B drop-down lists appear.
Step 4 Depending on the comparison type you selected, you have the following choices:
- If you are comparing two different policies, select the policies you want to compare from the Policy A and Policy B drop-down lists.
- If you are comparing two revisions of the same policy, select the Policy, then select the timestamped revisions you want to compare from the Revision A and Revision B drop-down lists.
Step 5 Click OK to display the policy comparison view.
Step 6 Optionally, click Comparison Report to generate the network analysis policy comparison report.
The network analysis policy comparison report appears. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.