Firepower - anyone using security over connectivity or Maximum detection

evan.chadwick1
Level 1

Thinking to select a group of important well defined hosts and apply a stricter IPS level. 
Anyone using the above policies? Moved from balanced security to a stricter policy?

5 Replies

Philip D'Ath
VIP Alumni

We have been trialling that mode for about 3 months. We get maybe 1 false positive every month to two months. Note that we are typically only using "business" web sites, with not that much variation. If your users are accessing a wider variety of sites you may get different results.

Overall, we have decided to accept that odd false positive and leave it on preferring security.

Which mode? Max detection or security over connectivity?

Thanks, 

Evan

Security over Connectivity.

Rahul Govindan
VIP Alumni

I have used the security over connectivity policy once before. I have not seen a lot of differences compared to the balanced policy. I do see more low impact signatures (not suspicious) being hit with this policy.

Marvin Rhoads
Hall of Fame

FYI, please see below for a high-level comparison of the options.

Source: 

BRKSEC-3121 Firepower Threat Defence Advanced Capabilities Deployment and Troubleshooting Options (2017 Melbourne)

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=94771

Connectivity over Security: ~500 rules
• CVSS score of 10
• Age of vulnerability: 2 years and newer

Balanced: ~7200 rules
• CVSS score of 9 or greater
• Age of vulnerability: 2 years and newer
• Rule category equals Malware-CnC, Blacklist, SQL Injection, Exploit-kit

Security over Connectivity: ~10000 rules
• CVSS score of 8 or greater
• Age of vulnerability: 3 years and newer
• Rule category equals Malware-CnC, Blacklist, SQL Injection, Exploit-kit, App-detect
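To see what the comparison above means in practice when you move a group of hosts from Balanced to Security over Connectivity, here is an added example (not from the thread, Cisco, or the BRKSEC-3121 slides) that encodes the quoted thresholds and, for a set of constructed sample rules, reports which base policy would select each rule and which rules a stricter policy adds. The CVSS, age and category values are the ones quoted in the post; the way they combine (a rule is selected when it meets the CVSS and age test together, or when its category is in the listed set) is an assumption made here for illustration, and the category spellings and rule SIDs are constructed. Real Talos base-policy membership is curated and can differ from this approximation.

```python
"""Approximate Firepower/Snort base-policy selection from the thresholds quoted in the thread.

Assumed combination logic (not stated on the slide): a rule is selected when
(cvss >= min_cvss AND age <= max_age_years) OR its category is in the policy's
category set. All sample rules below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List

# Thresholds as quoted in the post; category names normalised to lower-case
# hyphenated form (an assumption about spelling, not the slide's wording).
POLICIES = {
    "connectivity_over_security": {
        "min_cvss": 10.0, "max_age_years": 2, "categories": set()},
    "balanced": {
        "min_cvss": 9.0, "max_age_years": 2,
        "categories": {"malware-cnc", "blacklist", "sql-injection", "exploit-kit"}},
    "security_over_connectivity": {
        "min_cvss": 8.0, "max_age_years": 3,
        "categories": {"malware-cnc", "blacklist", "sql-injection", "exploit-kit", "app-detect"}},
}


@dataclass
class Rule:
    sid: int            # constructed sample SID, not a real Snort rule
    cvss: float         # CVSS base score of the vulnerability the rule covers
    published: date     # disclosure date of that vulnerability
    category: str       # rule category / classtype


def age_years(published: date, today: date) -> float:
    """Age of the vulnerability in years at the given reference date."""
    return (today - published).days / 365.25


def selected_by(rule: Rule, policy: str, today: date) -> bool:
    """Assumed selection test: (score AND age) OR listed category."""
    crit = POLICIES[policy]
    meets_score = (rule.cvss >= crit["min_cvss"]
                   and age_years(rule.published, today) <= crit["max_age_years"])
    meets_category = rule.category.lower() in crit["categories"]
    return meets_score or meets_category


def policies_for(rule: Rule, today: date) -> List[str]:
    """All base policies (least to most strict) that would enable this rule."""
    return [name for name in POLICIES if selected_by(rule, name, today)]


def extra_rules(rules: Iterable[Rule], from_policy: str, to_policy: str, today: date) -> List[int]:
    """SIDs enabled by to_policy but not from_policy: the rules a move adds and must tune."""
    return [r.sid for r in rules
            if selected_by(r, to_policy, today) and not selected_by(r, from_policy, today)]


def is_superset(rules: Iterable[Rule], stricter: str, looser: str, today: date) -> bool:
    """Sanity check: everything the looser policy selects, the stricter one selects too."""
    return all(selected_by(r, stricter, today) for r in rules if selected_by(r, looser, today))


# Constructed sample rules (SIDs, scores, dates and categories are made up).
SAMPLE_RULES = [
    Rule(1000001, 10.0, date(2017, 1, 15), "server-other"),        # new, critical
    Rule(1000002, 9.3, date(2017, 1, 15), "web-application-attack"),
    Rule(1000003, 8.1, date(2016, 3, 1), "os-windows"),             # older, high
    Rule(1000004, 5.0, date(2014, 1, 1), "malware-cnc"),            # low score, CnC category
    Rule(1000005, 7.5, date(2017, 6, 1), "app-detect"),             # app-detect only
    Rule(1000006, 6.0, date(2013, 1, 1), "policy-other"),           # selected by none
]
REFERENCE_DATE = date(2018, 6, 1)  # fixed so results are reproducible

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r.sid, r.category, "->", policies_for(r, REFERENCE_DATE))
    print("added by Balanced -> Security over Connectivity:",
          extra_rules(SAMPLE_RULES, "balanced", "security_over_connectivity", REFERENCE_DATE))
```

The `extra_rules` output is the set you would review for the "low impact" and false-positive hits the earlier replies mention: on a real system, export the rule list of each policy and diff the SIDs instead of relying on these approximate criteria.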
