Security Intelligence Blacklisting

The following topics provide an overview of Security Intelligence, including use for blacklisting and whitelisting traffic and basic configuration.

About Security Intelligence

As an early line of defense against malicious internet content, Security Intelligence uses reputation intelligence to quickly block connections to or from IP addresses, URLs, and domain names. This is called Security Intelligence blacklisting.

Security Intelligence is the first phase of access control, before the system performs more resource-intensive evaluation. Blacklisting improves performance by quickly excluding traffic that does not require inspection.

Note

You cannot blacklist fastpathed traffic. 8000 Series fastpathing occurs before Security Intelligence filtering. Fastpathed traffic bypasses all further evaluation, including Security Intelligence.

Although you can configure custom blacklists, Cisco provides access to regularly updated intelligence feeds. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations.

You can refine Security Intelligence blacklisting with whitelists and monitor-only blacklists. These mechanisms exempt traffic from being blacklisted, but do not automatically trust or fastpath matching traffic. Traffic whitelisted or monitored at the Security Intelligence stage is intentionally subject to further analysis with the rest of access control.

Requirements for Security Intelligence

If you want to whitelist, blacklist, or monitor specific IP addresses, URLs, or domain names, you must configure custom objects, lists, or feeds. You have the following options:

To configure network, URL, or DNS feeds, see Creating Security Intelligence Feeds.
To configure network, URL, or DNS lists, see Updating Security Intelligence Lists.
To configure network objects and object groups, see Creating Network Objects.
To configure URL objects and object groups, see Creating URL Objects.

Blacklisting, whitelisting, or monitoring traffic based on a DNS list or feed also requires that you:

Create a DNS policy. See Creating Basic DNS Policies for more information.
Configure DNS rules that reference your DNS lists or feeds. See Creating and Editing DNS Rules for more information.

Because you deploy the DNS policy as part of your access control policy, you must associate both policies. See DNS Policy Deploy for more information.

Guidelines for Security Intelligence

Security Intelligence strategies include using:

Cisco-provided feeds—Cisco provides access to regularly updated intelligence feeds. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations.
Third-party feeds—Supplement Cisco-provided feeds with third-party reputation feeds, which are dynamic lists that the Firepower Management Center downloads from the internet on a regular basis.
Global and custom blacklists—Blacklist specific IP addresses, URLs, or domain names. To improve performance, you may want to target enforcement, for example, restricting spam blacklisting to a security zone that handles email traffic.
Whitelists to eliminate false positives—When a blacklist is too broad in scope, or preemptively blocks traffic that you want to further analyze with the rest of access control, you can override a blacklist with a custom whitelist.
Monitoring instead of blacklisting—Especially useful in passive deployments and for testing feeds before you implement them; you can merely monitor and log the violating sessions instead of blocking them, generating end-of-connection events.

Note

In passive deployments, to optimize performance, we recommend that you use monitor-only settings. Managed devices that are deployed passively cannot affect traffic flow; there is no advantage to configuring the system to block traffic. Additionally, because blocked connections are not actually blocked in passive deployments, the system may report multiple beginning-of-connection events for each blocked connection.

Example: Whitelisting

If a reputable feed improperly blocks your access to vital resources but is overall useful to your organization, you can whitelist only the improperly classified IP addresses, rather than removing the whole feed from the blacklist.

Example: Security Intelligence by Zone

You can whitelist an improperly classified URL, but then restrict the whitelist object using a security zone used by those in your organization who need to access those URLs. That way, only those with a business need can access the whitelisted URLs. Or, you could use a third-party spam feed to blacklist traffic on an email server security zone.

Example: Monitor-Only Blacklisting

Consider a scenario where you want to test a third-party feed before you implement blocking using that feed. When you set the feed to monitor-only, the system allows connections that would have been blocked to be further analyzed by the system, but also logs a record of each of those connections for your evaluation.

Configure Security Intelligence


Smart License	Classic License	Supported Devices	Supported Domains	Access
Threat	Protection	Any	Any	Admin/Access Admin/Network Admin

Each access control policy has Security Intelligence options. You can whitelist or blacklist network objects, URL objects and lists, and Security Intelligence feeds and lists, all of which you can constrain by security zone. You can also associate a DNS policy with your access control policy, and whitelist or blacklist domain names.

The number of objects in the whitelists plus the number in the blacklists cannot exceed 255 network objects, or 32767 URL objects and lists.

Note

The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments.

Caution

From the Security Intelligence tab in an access control policy, adding multiple objects to a whitelist or blacklist, or deleting multiple objects, sometimes restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information. Note that whether the Snort process restarts can vary by device, depending on the memory available for inspection.

Before you begin

In passive deployments, or if you want to set Security Intelligence filtering to monitor-only, enable logging; see Logging Connections with Security Intelligence.

Procedure

Step 1	In the access control policy editor, click the Security Intelligence tab. If the controls are dimmed, settings are inherited from an ancestor policy, or you do not have permission to modify the configuration. If the configuration is unlocked, uncheck Inherit from base policy to enable editing.
Step 2	You have the following options: Click the Networks tab to add network objects. Click the URLs tab to add URL objects.
Step 3	Find the Available Objects you want to add to the whitelist or blacklist. You have the following options: Search the available objects by typing in the Search by name or value field. Clear the search string by clicking reload () or clear (). If no existing list or feed meets your needs, click the add icon (), select New Network List or New URL List, and proceed as described in Creating Security Intelligence Feeds or Uploading New Security Intelligence Lists to the Firepower Management Center. If no existing object meets your needs, click the add icon (), select New Network Object or New URL Object, and proceed as described in Creating Network Objects. Security Intelligence ignores IP address blocks using a `/0` netmask.
Step 4	Choose one or more Available Objects to add.
Step 5	(Optional) Choose an Available Zone to constrain the selected objects by zone. You cannot constrain system-provided Security Intelligence lists by zone.
Step 6	Click Add to Whitelist or Add to Blacklist, or click and drag the selected objects to either list. To remove an object from a whitelist or blacklist, click its delete icon () To remove multiple objects, choose the objects and right-click to Delete Selected.
Step 7	(Optional) Set blacklisted objects to monitor-only by right-clicking the object under Blacklist, then choosing Monitor-only (do not block). You cannot set system-provided Security Intelligence lists to monitor only.
Step 8	Choose a DNS policy from the DNS Policy drop-down list; see DNS Policy Overview.
Step 9	Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Security Intelligence Options

Use the Security Intelligence tab in the access control policy editor to configure network (IP address) and URL Security Intelligence, and to associate the access control policy with a DNS policy.

Object, Zone, and Blacklist Icons

On the Security Intelligence tab of the access control policy editor, each type of object or zone is distinguished with an different icon.

In the blacklist, objects set to block are marked with the block icon () while monitor-only objects are marked with the monitor icon (). Monitor-only allows the system to handle connections involving blacklisted IP addresses and URLs using access control, but also logs the connection’s match to the blacklist.

Because the whitelist overrides the blacklist, if you add the same object to both lists, the system displays the blacklisted object with a strikethrough.

Zone Constraints

Except for the system-provded Global lists, you can constrain Security Intelligence filtering by zone. To enforce Security Intelligence filtering for an object on multiple zones, you must add the object to the whitelist or blacklist separately for each zone.

Logging

Security Intelligence logging, enabled by default, logs all blocked and monitored connections handled by an access control policy’s target devices. However, the system does not log whitelist matches; logging of whitelisted connections depends on their eventual disposition. You must enable logging for blacklisted connections before you can set blacklisted objects to monitor-only.

Security Intelligence Categories


Security Intelligence Category	Description
Attacker	Active scanners and blacklisted hosts known for outbound malicious activity
Bogon	Bogon networks and unallocated IP addresses
Bots	Sites that host binary malware droppers
CnC	Sites that host command-and-control servers for botnets
Dga	Malware algorithms used to generate a large number of domain names acting as rendezvous points with their command-and-control servers
Exploitkit	Software kits designed to identify software vulnerabilities in clients
Malware	Sites that host malware binaries or exploit kits
OpenProxy	Open proxies that allow anonymous web browsing
OpenRelay	Open mail relays that are known to be used for spam
Phishing	Sites that host phishing pages
Response	IP addresses and URLs that are actively participating in malicious or suspicious activity
Spam	Mail hosts that are known for sending spam
Suspicious	Files that appear to be suspicious and have characteristics that resemble known malware
TorExitNode	Tor exit nodes

Troubleshooting Security Intelligence

Troubleshooting Memory Use

Symptoms: Connections that should be blacklisted by Security Intelligence are instead evaluated by access control rules. The Security Intelligence health module alerts that it is out of memory.

Cause: Memory limitations. Cisco Intelligence Feeds are based on the latest threat intelligence from Cisco Talos Security Intelligence and Research Group (Talos). These feeds tend to get larger as time passes. When a Firepower device receives a feed update, it loads as many entries as it can into the memory it has allocated for Security Intelligence. When a device cannot load all the entries, it may not block traffic as expected. Some connections that should be blacklisted instead continue to be evaluated by access control rules.

Affected platforms: Lower-memory devices are most likely to have this issue, especially if you blacklist a lot of Security Intelligence categories or are also filtering URLs based on category and reputation. These devices include Firepower 7010, 7020, and 7030; ASA 5506-X, 5508-X, 5516-X, 5512-X, 5515-X, and 5525-X; NGIPSv.

Workaround: If you think this is happening, redeploy configurations to the affected devices. This can allocate more memory to Security Intelligence. If the issue persists, contact Cisco Technical Assistance Center (TAC), who can help you verify the issue and propose a solution appropriate to your deployment.

Firepower Management Center Configuration Guide, Version 6.0.1

Book Title

Chapter Title

Results

Chapter: Security Intelligence Blacklisting

Security Intelligence Blacklisting

About Security Intelligence

Requirements for Security Intelligence