As a first line of defense against malicious Internet content, the Firepower System includes the Security Intelligence feature, which allows you to immediately blacklist (block) connections based on the latest reputation intelligence, removing the need for a more resource-intensive, in-depth analysis.

Security Intelligence works by blocking traffic to or from IP addresses, URLs, or domain names that have a known bad reputation. This traffic filtering takes place before any other policy-based inspection, analysis, or traffic handling (although it does occur after hardware-level handling, such as fast-pathing).

Note that you could create access control rules that perform a similar function to Security Intelligence filtering by manually restricting traffic by IP address or URL. However, access control rules are wider in scope, more complex to configure, and cannot automatically update using dynamic feeds.

Traffic blacklisted by Security Intelligence is immediately blocked and therefore is not subject to any further inspection—not for intrusions, exploits, malware, and so on, but also not for network discovery. You can override blacklisting with whitelisting to force access control rule evaluation, and, recommended in passive deployments, you can use a “monitor-only” setting for Security Intelligence filtering. This allows the system to analyze connections that would have been blacklisted, but also logs the match to the blacklist and generates an end-of-connection security intelligence event.

Caution

For traffic handled by many devices, the system processes certain Trust rules before an access control policy’s Security Intelligence blacklist, which can allow blacklisted traffic to pass uninspected. For more information, see Limitations to Trusting or Blocking Traffic.

If you want to whitelist, blacklist, or monitor specific IP addresses, URLs, or domain names, you must configure custom objects, lists, or feeds. You have the following options:

• To configure network, URL, or DNS feeds, see Creating Security Intelligence Feeds.

• To configure network, URL, or DNS lists, see Updating Security Intelligence Lists.

• To configure network objects and object groups, see Creating Network Objects.

• To configure URL objects and object groups, see Creating URL Objects.

Blacklisting, whitelisting, or monitoring traffic based on a DNS list or feed also requires that you:

• Create a DNS policy. See Creating Basic DNS Policies for more information.

• Configure DNS rules that reference your DNS lists or feeds. See Creating and Editing DNS Rules for more information.

Because you deploy the DNS policy as part of your access control policy, you must associate both policies. See DNS Policy Deploy for more information.

For your convenience, Cisco provides feeds containing IP addresses, domain names, and URLs with poor reputation, as determined by Talos:

• the Intelligence Feed, which comprises several regularly updated collections of IP addresses.

• the DNS and URL Intelligence Feed, which comprises several regularly updated collections of domain names and URLs.

The Intelligence Feeds keep track of open relays, known attackers, bogus IP addresses (bogon), and so on. Because the Intelligence Feeds are regularly updated, using them ensures that the system uses up-to-date information to filter your network traffic. Malicious IP addresses, domain names, and URLs that represent security threats such as malware, spam, botnets, and phishing may appear and disappear faster than you can update and deploy new policies.

You can also customize the feature to suit the unique needs of your organization, for example:

• third-party feeds—you can supplement the Intelligence Feeds with third-party reputation feeds, which are dynamic lists that the Firepower Management Center downloads from the internet on a regular basis

• global blacklist and custom blacklists—the system allows you to manually blacklist specific IP addresses, URLs, or domain names in many ways depending on your needs

• whitelisting to eliminate false positives—when a blacklist is too broad in scope, or incorrectly blocks traffic that you want to allow (for example, to vital resources), you can override a blacklist with a custom whitelist

• enforcing blacklisting by security zone—to improve performance, you may want to target enforcement, for example, restricting spam blacklisting to a zone that handles email traffic

• monitoring instead of blacklisting—especially useful in passive deployments and for testing feeds before you implement them; you can merely monitor and log the violating sessions instead of blocking them, generating end-of-connection events

Note

In passive deployments, to optimize performance, Cisco recommends that you always use monitor-only settings. Managed devices that are deployed passively cannot affect traffic flow; there is no advantage to configuring the system to block traffic. Additionally, because blocked connections are not actually blocked in passive deployments, the system may report multiple beginning-of-connection events for each blocked connection.

Access control policies and their associated DNS policies use Security Intelligence whitelists and blacklists to quickly filter networks and URLs. The system provides default lists that apply to any zone. These lists are populated by your analysts, who can quickly add individual IP addresses, URLs, and domain names using the context menu. You can opt not to use these default lists on a per-policy basis.

Use the Security Intelligence tab in the access control policy editor to configure network and URL Security Intelligence, and to associate the access control policy with a DNS policy.

You can set network and URL blacklisted objects, including feeds and lists, to monitor-only. This allows the system to handle connections involving blacklisted IP addresses and URLs using access control, but also logs the connection’s match to the blacklist.