About Network Analysis and Intrusion Policies
The ASA FirePOWER module handles the intrusion detection and prevention feature, which uses network analysis and intrusion policies.
In an intrusion prevention deployment, when the system examines packets:
- A network analysis policy governs how traffic is decoded and preprocessed so that it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt.
- An intrusion policy uses intrusion and preprocessor rules (sometimes referred to collectively as intrusion rules) to examine the decoded packets for attacks based on patterns. Intrusion policies are paired with variable sets, which allow you to use named values to accurately reflect your network environment.
Both network analysis and intrusion policies are invoked by a parent access control policy, but at different times. As the system analyzes traffic, the network analysis (decoding and preprocessing) phase occurs before and separately from the intrusion prevention (additional preprocessing and intrusion rules) phase. Together, network analysis and intrusion policies provide broad and deep packet inspection. They can help you detect, alert on, and protect against network traffic that could threaten the availability, integrity, and confidentiality of hosts and their data.
The ASA FirePOWER module is delivered with several similarly named network analysis and intrusion policies (for example, Balanced Security and Connectivity) that complement and work with each other. By using system-provided policies, you can take advantage of the experience of the Cisco Vulnerability Research Team (VRT). For these policies, the VRT sets intrusion and preprocessor rule states, as well as provides the initial configurations for preprocessors and other advanced settings.
You can also create custom network analysis and intrusion policies. You can tune settings in custom policies to inspect traffic in the way that matters most to you.
You create, edit, save, and manage network analysis and intrusion policies using similar policy editors. When you are editing either type of policy, a navigation panel appears on the left side of the user interface; the right side displays various configuration pages.
This chapter contains a brief overview of the types of configurations the network analysis and intrusion policies govern, explains how the policies work together to examine traffic and generate records of policy violations, and provides basic information on navigating the policy editors. This chapter also explains the benefits and limitations of using custom versus system-provided policies. To customize your intrusion deployment, see the following for your next steps:
- Working with Variable Sets explains how to configure the system’s intrusion variables to accurately reflect your network environment. Even if you do not use custom policies, Cisco strongly recommends that you modify the default variables in the default variable set. Advanced users can create and use custom variable sets for pairing with one or more custom intrusion policies.
- About Intrusion Policies explains how to create and edit a simple custom intrusion policy.
- Controlling Traffic Using Intrusion and File Policies explains how to configure the system to use intrusion policies to examine only the traffic you are interested in by associating intrusion policies with a parent access control policy. It also explains how to configure advanced intrusion policy performance options.
- Using Layers in a Network Analysis or Intrusion Policy explains how, in larger organizations or complex deployments, you can use building blocks called policy layers to more efficiently manage multiple network analysis or intrusion policies.