Tuning Preprocessing in Passive Deployments
Typically, the system uses the static settings in your network analysis policy to preprocess and analyze traffic. With the adaptive profiles feature, however, the system can adapt to network traffic by associating traffic with host information from the network map and then processing the traffic accordingly.
When a host receives traffic, the operating system running on the host reassembles IP fragments. The order used for that reassembly depends on the operating system. Similarly, each operating system may implement TCP in different ways, and therefore reassemble TCP streams differently. If preprocessors reassemble data using a format other than that used for the operating system of the destination host, the system may miss content that could be malicious when reassembled on the receiving host.
Tip In a passive deployment, Cisco recommends that you configure adaptive profiles. In an inline deployment, Cisco recommends that you configure the inline normalization preprocessor with the Normalize TCP Payload option enabled. For more information, see Normalizing Inline Traffic.
For more information on using adaptive profiles to improve reassembly of packet fragments and TCP streams, see the following topics:
Understanding Adaptive Profiles
Adaptive profiles enable use of the most appropriate operating system profiles for IP defragmentation and TCP stream preprocessing. For more information on the aspects of the network analysis policy affected by adaptive profiles, see Defragmenting IP Packets and Using TCP Stream Preprocessing.
The system can use host information detected by network discovery, obtained through an Nmap scan, or added through the host input feature to adapt processing behavior.
Note When you input host information from a third-party application using the command line import utility or the host input API, you must first map the data to product definitions so the system can use it for adaptive profiles. For more information, see Managing Third-Party Product Mappings.
Using Adaptive Profiles with Preprocessors
Adaptive profiles, like the target-based profiles you can configure in a network analysis policy, help to defragment IP packets and reassemble streams in the same way as the operating system on the target host. The intrusion rules engine then analyzes the data in the same format as that used by the destination host.
Manually configured target-based profiles only apply the default operating system profile you select or profiles you bind to specific hosts. Adaptive profiles, however, switch to the appropriate operating system profile based on the operating system in the host profile for the target host, as illustrated in the following diagram.
For example, you configure adaptive profiles for the 10.6.0.0/16 subnet and set the default IP Defragmentation target-based policy to Linux. The Defense Center where you configure the settings has a network map that includes the 10.6.0.0/16 subnet.
When a device detects traffic from Host A, which is not in the 10.6.0.0/16 subnet, it uses the Linux target-based policy to reassemble IP fragments. However, when it detects traffic from Host B, which is in the 10.6.0.0/16 subnet, it retrieves Host B’s operating system data from the network map, where Host B is listed as running Microsoft Windows XP Professional. The system uses the Windows target-based profile to do the IP defragmentation for the traffic destined for Host B.
See Defragmenting IP Packets for information on the IP Defragmentation preprocessor. See Using TCP Stream Preprocessing for information on the stream preprocessor.
Adaptive Profiles and FireSIGHT Recommended Rules
The adaptive profiles feature is an advanced setting in an access control policy that applies globally to all intrusion policies invoked by that access control policy. The FireSIGHT recommended rules feature applies to the individual intrusion policy where you configure it.
Like FireSIGHT recommended rules, adaptive profiles compare metadata in a rule to host information to determine whether a rule should apply for a particular host. However, while FireSIGHT recommended rules provide recommendations for enabling or disabling rules using that information, adaptive profiles use the information to apply specific rules to specific traffic.
FireSIGHT recommended rules require your interaction to implement suggested changes to rule states. Adaptive profiles, on the other hand, do not modify intrusion policies. Adaptive treatment of rules happens on a packet-by-packet basis.
Additionally, FireSIGHT recommended rules can result in enabling disabled rules. Adaptive profiles, in contrast, only affect the application of rules that are already enabled in intrusion policies. Adaptive profiles never change the rule state.
You can use adaptive profiles and FireSIGHT recommended rules in combination. Adaptive profiles use the rule state for a rule when your intrusion policy is applied to determine whether to include it as a candidate for applying, and your choices to accept or decline recommendations are reflected in that rule state. You can use both features to ensure that you have enabled or disabled the most appropriate rules for each network you monitor, and then to apply enabled rules most efficiently for specific traffic.
See Tailoring Intrusion Protection to Your Network Assets for more information.
Configuring Adaptive Profiles
To use host information to determine which target-based profiles are used for IP defragmentation and TCP stream preprocessing, you can configure adaptive profiles.
When you configure adaptive profiles, you need to bind the adaptive profile setting to a specific network or networks. To successfully use adaptive profiles, that network must exist in the network map and must be in the segment monitored by the devices where you apply the access control policy.
Note To use adaptive profiles, you must enable host discovery in the network discovery policy for the networks you want to protect, then reapply the network discovery policy. For more information, see Creating a Network Discovery Policy.
You can indicate the hosts in the network map where adaptive profiles should be used to process traffic by specifying an IP address, a block of addresses, or a network variable with the desired value configured in the variable set linked to the default intrusion policy for your access control policy. See Setting the Default Intrusion Policy for Access Control for more information.
You can use any of these addressing methods alone or in any combination as a list of IP addresses, address blocks, or variables separated by commas, as shown in the following example:
192.168.1.101, 192.168.4.0/24, $HOME_NET
For information on specifying address blocks in the FireSIGHT System, see IP Address Conventions.
Tip You can apply adaptive profiles to all hosts in the network map by using a variable with a value of
any or by specifying
0.0.0.0/0 as the network value.
You can also control how frequently network map data is synced from the Defense Center to its managed devices. The system uses the data to determine what profiles should be used when processing traffic.
Enabling or disabling adaptive profiles restarts the Snort process when you apply your access control policy, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic. See How Snort Restarts Affect Traffic
for more information.
To configure adaptive profiles:
Admin/Access Admin/Network Admin
Step 1 Select
Policies > Access Control.
The Access Control Policy page appears.
Step 2 Click the edit icon (
) next to the access control policy you want to edit.
The access control policy editor appears.
Step 3 Select the
The access control policy advanced settings page appears.
Step 4 Click the edit icon (
) next to
Detection Enhancement Settings
The Detection Enhancement Settings pop-up window appears.
Step 5 Select
Adaptive Profiles - Enabled
to enable adaptive profiles.
Step 6 Optionally, in the
Adaptive Profiles - Attribute Update Interval
field, type the number of minutes that should elapse between synchronization of network map data from the Defense Center to its managed devices.
Note Increasing the value for this option could improve performance in a large network.
Step 7 In the
Adaptive Profiles - Networks
field, type the specific IP address, address block, or variable, or a list that includes any of these addressing methods separated by commas, to identify any host in the network map for which you want to use adaptive profiles.
See Working with Variable Sets for information on configuring variables. See Creating a Network Discovery Policy for information on configuring the network map.
Step 8 Click
to retain your settings.