06-12-2020 06:13 AM
I have a range of IPs which are assigned for Internet-facing servers. I had already defined all of my HOME_NET, in which I also included publicly addressable internal IPs which I would like to monitor. However, I had not added these external-facing network ranges to the HOME_NET. I rather thought of adding them in the EXTERNAL_NET's excluded category. This ensures that these IPs are not part of the internal network and are also not part of the external networks either. I believe it is safe to say that anything in the excluded category of EXTERNAL_NET can be called an unprotected network.
The question is, did I configure it right? If there is an attack on one of the external-facing servers which is open on 80 and 443, for a signature such as "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS" it should be triggered only when the attack reaches an IP from the HOME_NET (159.x.x.x -> 192.168.x.x). Will this cause any conflicts? Is this even the right way of defining our external-facing/Internet-facing networks?
06-12-2020 07:11 AM
Hello,
It sounds like this is North-South traffic, in which case you will actually want to include your public-facing servers in the HOME_NET so that the Snort signatures can detect inbound attacks against your servers. Basically, HOME_NET should contain everything you want to protect and EXTERNAL_NET should be viewed as where an attack might come from.
I suggest including all the subnets you own in HOME_NET and then setting the EXTERNAL_NET to exclude HOME_NET.
Here is a link to a Cisco Live presentation which contains some good information on variable sets:
https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-2066.pdf
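To make the answer concrete, here is an added example (not code from this thread or from Cisco) that models the two variable-set definitions with Python's ipaddress module and checks whether the rule header quoted in the question, "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS", matches an inbound flow to a public-facing server under each. All prefixes and the attacker address are constructed placeholders.

```python
import ipaddress

# Constructed sample ranges (not the poster's real addressing):
INTERNAL      = "192.168.0.0/16"   # private internal hosts
PUBLIC_INSIDE = "203.0.113.0/24"   # publicly addressable hosts already in HOME_NET
DMZ           = "198.51.100.0/24"  # Internet-facing servers listening on 80/443
HTTP_PORTS    = {80, 443}

# Variable set as described in the question: the DMZ range is left out of
# HOME_NET and only placed in EXTERNAL_NET's excluded list.
ASKED = {
    "HOME_NET": [INTERNAL, PUBLIC_INSIDE],
    "EXTERNAL_NET_EXCLUDE": [INTERNAL, PUBLIC_INSIDE, DMZ],
}
# Variable set as recommended in the answer: every owned subnet in HOME_NET,
# and EXTERNAL_NET defined as everything except HOME_NET.
RECOMMENDED = {
    "HOME_NET": [INTERNAL, PUBLIC_INSIDE, DMZ],
    "EXTERNAL_NET_EXCLUDE": [INTERNAL, PUBLIC_INSIDE, DMZ],
}

def in_any(ip: str, nets) -> bool:
    """True if ip falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def is_external(ip: str, varset) -> bool:
    """$EXTERNAL_NET is modelled as 'any' minus its excluded networks."""
    return not in_any(ip, varset["EXTERNAL_NET_EXCLUDE"])

def rule_fires(src: str, dst: str, dport: int, varset) -> bool:
    """Header match for: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS."""
    return (is_external(src, varset)
            and in_any(dst, varset["HOME_NET"])
            and dport in HTTP_PORTS)

def compare(src: str, dst: str, dport: int) -> dict:
    """Evaluate one flow under both variable sets."""
    return {name: rule_fires(src, dst, dport, vs)
            for name, vs in (("asked", ASKED), ("recommended", RECOMMENDED))}

if __name__ == "__main__":
    attacker = "192.0.2.10"  # constructed Internet source (the thread's "159.x.x.x")
    # A DMZ server is in neither variable under ASKED, so the inbound rule
    # never matches it; under RECOMMENDED it is protected like any internal host.
    for dst in ("198.51.100.5", "192.168.1.5"):
        print(dst, compare(attacker, dst, 80))
```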