cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

416
Views
10
Helpful
3
Replies
Highlighted
Beginner

Best practice for securing general Internet access - FMC - FTD

Hi Everyone,

 

I'm looking for recommendations for the best methodology you follow for a typical internet access on the firepower firewalls.  For this case people are allowed to use the internet for personal use (social, videos, email etc) so long as it is not deemed inappropriate. ACLs are obviously more locked down for access to other areas within the network, servers etc.  The goal is block them from the obvious risks but there is trust placed in the end user actions and the end user security.

 

The methodology I am thinking is best is :

 

  1. Block known malicious URLs/IP’s based on the Cisco Talos feeds in Security Intelligence
  2. Block blacklists from custom feeds in the Security Intelligence
  3. On Employee networks on a DC SSL decrypt (MIM) for non banking and non trusted URLs (What is the best practice for selecting what to decrypt)
  4. Block packets that have signatures matching what the intrusion policy matches for high or above for Balanced Security and Connectivity
  5. Interactive block certain url based on category (porn, hate, uncategorized high risk etc)
  6. Block specific applications you don’t want people using (Category high risk, games, remote access apps etc)
  7. Block specific countries that you feel have no business relevance and are high risk
  8. Block specific ports (DNS for example so everyone has to use the internal DNS)
  9. Scan file transfers for malware and block malware
  10. Allow everything else

 

Is a final allow all something typically done or do most organizing still allow specific ports and application then block everything else??

 

I appreciate any feedback you can give for what methodology you follow. 

 

Thank you,

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Mentor

Well if those applications you haven't yet allowed would normally hit a http/https rule. Create a rule at the bottom of the rule set permitting http/https with logging enabled and block everything else. This would be a kind of happy medium between manageability and security.

View solution in original post

3 REPLIES 3
Highlighted
VIP Mentor

Hi @Alex-Pr 

Thats a comprehensive list you have there. I'd consider also creating an SSL Policy and blocking revoked certificates, self-signed, invalid issuers, weak ciphers and old versions (SSL 3.0 and possibly TLS 1.0).

 

Permit only what you need and use a default deny

HTH

Highlighted

Thanks Rob,

 

That policy you mention is a good idea.

 

The part I am a bit torn about is the default allow or default deny specific to this outbound initiated traffic.  I find quite often that new application especially related to web streaming either update or change and the FTD may not have the updated VDB list so packets get blocked because it either did not recognize the application or it's an application we haven't allowed yet so it turns into a bit of a game of wack a mole.  When I look a the block list there isn't anything that jumps out at me as a risk so I wonder if changing to the model of default allow and hope that all the rest of the checks has the ability to detect and block the malicious traffic.  Having the long allow list that you constantly update with a default block is definitely the safer bet but I am curious how many people go down the route to rely on the smarts of all the steps.

 

Thanks again. 

 

 

Highlighted
VIP Mentor

Well if those applications you haven't yet allowed would normally hit a http/https rule. Create a rule at the bottom of the rule set permitting http/https with logging enabled and block everything else. This would be a kind of happy medium between manageability and security.

View solution in original post

Content for Community-Ad