https://community.cisco.com/t5/network-security/threats-from-internal-hosts/m-p/3381012#M925868 <P>We have an in-depth internal penetration testing under way at the moment and it is becoming clear that our Firepower for ASA sensors are not blocking traffic sourced from IPs within the $HOME_NET range.</P> <P>&nbsp;</P> <P>We have a Trend Micro DDI probe at each of our sites and it is raising alarms like crazy, whilst our FMC remains silent and none of the intrusive traffic is being blocked.</P> <P>&nbsp;</P> <P>Is this normal behaviour? Are all hosts within the $HOME_NET range trusted without question?</P> <P>&nbsp;</P> <P>In an act of desperation, I edited the whitelist to only include our server subnets - this has had no effect.</P> <P>&nbsp;</P> <P>How should we configure our sensors to distrust PCs, phones and printers on our internal networks, so if we have a compromised host, it won't wreak havoc?</P> <P>&nbsp;</P> <P>I thought I knew a lot about Firepower stuff and now I'm questioning my knowledge.</P> <P>&nbsp;</P> <P>Thanks in advance for your assistance.</P> Fri, 21 Feb 2020 15:44:59 GMT Christopher Liesfield 2020-02-21T15:44:59Z https://community.cisco.com/t5/network-security/threats-from-internal-hosts/m-p/3381012#M925868 <P>We have an in-depth internal penetration testing under way at the moment and it is becoming clear that our Firepower for ASA sensors are not blocking traffic sourced from IPs within the $HOME_NET range.</P> <P>&nbsp;</P> <P>We have a Trend Micro DDI probe at each of our sites and it is raising alarms like crazy, whilst our FMC remains silent and none of the intrusive traffic is being blocked.</P> <P>&nbsp;</P> <P>Is this normal behaviour? Are all hosts within the $HOME_NET range trusted without question?</P> <P>&nbsp;</P> <P>In an act of desperation, I edited the whitelist to only include our server subnets - this has had no effect.</P> <P>&nbsp;</P> <P>How should we configure our sensors to distrust PCs, phones and printers on our internal networks, so if we have a compromised host, it won't wreak havoc?</P> <P>&nbsp;</P> <P>I thought I knew a lot about Firepower stuff and now I'm questioning my knowledge.</P> <P>&nbsp;</P> <P>Thanks in advance for your assistance.</P> Fri, 21 Feb 2020 15:44:59 GMT https://community.cisco.com/t5/network-security/threats-from-internal-hosts/m-p/3381012#M925868 Christopher Liesfield 2020-02-21T15:44:59Z https://community.cisco.com/t5/network-security/threats-from-internal-hosts/m-p/3381094#M925869 <P>Hi Christopher,</P> <P>&nbsp;</P> <P>Try creating additional rule with intrusion policy and variable set where Home_net is 0.0.0.0 as well as external_net or add the internal network in external_net as well for that specific policy. Most of firepower snort rules are defined with external_net to home_net or vice-versa</P> <P>And if the home_net is defined with internal network, traffic between host on that network would not match the rules.</P> <P>&nbsp;</P> <TABLE class="entry-table" style="font-family: verdana, sans-serif; font-size: 11px; color: #333333; border-collapse: collapse; border: none; padding: 0px; margin: 0px; line-height: 16px; text-align: left; vertical-align: middle; width: 1186px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-style: initial; text-decoration-color: initial;" cellspacing="4"> <TBODY> <TR> <TD class="label" style="margin: 0px; padding: 4px 5px 4px 0px; color: #333333; font-size: 8pt; line-height: 16px; font-family: verdana, sans-serif; text-align: left;">rule</TD> <TD style="margin: 0px; padding: 4px 0px; color: #333333; font-size: 8pt; line-height: 16px; font-family: verdana, sans-serif; text-align: left;">alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:"BROWSER-CHROME Google Chrome and Apple Safari Ruby before and after memory corruption"; flow:to_client,established; file_data:; content:"&lt;ruby&gt;"; fast_pattern:only; content:"ruby|3A|"; pcre:"/ruby\s*{\s*float\x3a.*?ruby\x3a(before|after).*?(display\x3atable|counter-reset\x3a)/si"; metadata:service http; reference:cve,2011-1440; classtype:attempted-user; sid:29755; rev:1; gid:1; )</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Hope it helps,</P> <P>yogesh</P> Thu, 10 May 2018 06:04:51 GMT https://community.cisco.com/t5/network-security/threats-from-internal-hosts/m-p/3381094#M925869 yogdhanu 2018-05-10T06:04:51Z https://community.cisco.com/t5/network-security/threats-from-internal-hosts/m-p/3381100#M925870 <P>Thanks, I'll give that a try and endeavour to respond with the results.</P> Thu, 10 May 2018 06:17:56 GMT https://community.cisco.com/t5/network-security/threats-from-internal-hosts/m-p/3381100#M925870 Christopher Liesfield 2018-05-10T06:17:56Z