Note: Security Intelligence filtering requires a Protection license.
The information in this document is based on these software and hardware versions:
ASA FirePOWER modules (ASA 5506X/5506H-X/5506W-X, ASA 5508-X, ASA 5516-X ) running software version 5.4.1 and above
ASA FirePOWER module (ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X) running software version 6.0.0 and above
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Cisco Security Intelligence comprises of several regularly updated collections of IP addresses that are determined to have a poor reputation by the Cisco TALOS Team. Cisco TALOS team determines the low reputation if any malicious activity is originated from those IP addresses such as spams, malware, phishing attacks etc.
Cisco IP Security Intelligence feed tracks the database of Attackers, Bogon, Bots, CnC, Dga, ExploitKit, Malware, Open_proxy, Open_relay, Phishing, Response, Spam, Suspicious. Firepower module does provide the option to create the custom feed of low repute IP address.
Overview of Security Intelligence feed
Here is some more information about the type of IP address collections which can be classified as different categories in the Security Intelligence.
Attackers: Collection of IP addresses that are continually scanning for vulnerabilities or attempting to exploit other systems.
Malware: Collection of IP addresses that are attempting to propagate malware or are actively attacking anyone who visits them.
Phishing: Collection of hosts that are actively attempting to trick end users into entering confidential information like usernames and passwords.
Spam: Collection of hosts that have been identified as the source of sending spam email messages.
Bots: Collection of hosts that are actively participating as part of a botnet, and are being controlled by a known bot net controller.
CnC: Collection of hosts that have been identified as the controlling servers for a known Botnet.
OpenProxy: Collection of hosts that are known to run Open Web Proxies and offer anonymous web browsing services.
OpenRelay: Collection of hosts that are known to offer anonymous email relaying services used by spam and phishing attackers.
TorExitNode: Collection of hosts that are known to offer exit node services for the Tor Anonymizer network.
Bogon: Collection of IP Addresses that are not allocated but are sending traffic.
Suspicious: Collection of IP Addresses that are displaying suspicious activity and are under active investigation.
Response: Collection of IP Addresses that have been repeatedly observed engaged in the suspicious or malicious behavior.
Manually add IP addresses to Global-Blacklist and Global-Whitelist
Firepower module allows you to add certain IP addresses to Global-Blacklist when you know that they are part of some malicious activity. IP addresses can also be added to Global-Whitelist, if you want to allow the traffic to certain IP addresses which are blocked by blacklist IP addresses. If you add any IP address to Global-Blacklist/Global-Whitelist, it takes effect immediately without the need to apply the policy.
In order to add the IP address to Global-Blacklist/ Global-Whitelist, navigate to Monitoring > ASA FirePOWER Monitoring > Real Time Eventing, hover the mouse on connection events and select View Details.
You can add either source or destination IP address to the Global-Blacklist/ Global-Whitelist. Click on Edit button and select Whitelist Now/Blacklist Now to add the IP address to the respective list, as shown in the image.
In order to verify that source or destination IP address is added to the Global-Blacklist/ Global-Whitelist, navigate to Configuration > ASA Firepower Configuration > Object Management > Security Intelligence > Network Lists and Feeds and edit Global-Blacklist/ Global Whitelist. You can also use the delete button to remove any IP address from the list.
Create the Custom list of blacklist IP Address
Firepower allows you to create custom Network/IP addresses list which can be used in blacklisting (blocking). There are three option to do this:
You can write the IP addresses to a text file (One IP address per line) and can upload the file to Firepower Module. In order to upload the file, navigate to Configuration > ASA FirePOWER Configuration > Object Management > Security Intelligence > Network Lists and Feeds and then click Add Network Lists and Feeds
Name: Specify the name of Custom list.
Type: Select List from the drop-down list.
Upload List: Choose Browse to locate the text file in your system. Select option Upload to upload the file.
You can use any third-party IP database for the custom list for which Firepower module contacts the third party server to fetch the IP address list. In order to configure this, navigate to Configuration > ASA FirePOWER Configuration > Object Management > Security Intelligence > Network Lists and Feeds and then click Add Network Lists and Feeds
Name: Specify the name of the Custom Feed.
Type: Select option Feed from the drop-down list.
Feed URL: Specify the URL of the server to which Firepower module should connect and download the feed.
MD5 URL: Specify the hash value to validate the Feed URL path.
Update Frequency: Specify the time interval in which system connect to URL Feed server.
Configure the Security Intelligence
In order to Configure Security Intelligence, navigate to Configuration > ASA Firepower Configuration > Policies > Access Control Policy, select Security Intelligence tab.
Choose the feed from the Network Available Object, move to Whitelist/ Blacklist column to allow/block the connection to the malicious IP address.
You can click the icon and enable logging as specified in the image.
If you just want to generate the event for malicious IP connections instead of blocking the connection, then right-click on the feed, choose Monitor-only (do not block), as shown in the image:
Choose option Store ASA Firepower Changes to save the AC policy changes.
Deploy Access Control Policy
For the changes to take effect, you must deploy the Access Control policy. Before you apply the policy, see an indication that whether the Access Control Policy is out-of-date on the device or not.
To deploy the changes to the sensor, click Deploy and choose Deploy FirePOWER Changes then select Deploy in the pop-up window to deploy the changes.
Note: In version 5.4.x, To apply the Access policy to the sensor, you need to clickApply ASA FirePOWER Changes
Note: Navigate to Monitoring > ASA Firepower Monitoring > Task Status. Ensure that task must complete in order to apply the configuration changes.
Security Intelligence’s events Monitoring
In order to see the Security Intelligence by the Firepower Module, navigate to Monitoring > ASA Firepower Monitoring > Real Time Eventing. Select the Security Intelligence tab. This will show up the events as shown in the image:
There is currently no verification procedure available for this configuration.
In order to ensure that Security Intelligence Feeds is up to date, navigate to Configuration > ASA FirePOWER Configuration > Object Management > Security Intelligence > Network Lists and Feeds and check the time when the feed was last updated. You can choose the Edit button to set the frequency of feed update.
Ensure that Access Control Policy deployment has completed successfully.
Monitor the security intelligence to see if traffic is blocking or not.