FTD - Leaving HOME_NET and EXTERNAL_NET variables as any

brettp
Level 1

I can't find the exact answer to this and have read mixed opinions. We used to use Firepower with ASA. The previous network engineer simply left the default value for both the HOME_NET and EXTERNAL_NET variables (which is "any.") I took over the position, replaced the ASAs with FTDs, and left the values the same simply because that's the way we've been running for years. With that said, everything I have read, including Cisco's best practices, notes that the HOME_NET and EXTERNAL_NET variables should be configured for your environment. I do understand the purpose of configuring these, but am I missing something? Doesn't the default settings simply cause all traffic to be "inspected" by SNORT regardless of where it originates? Are there any detrimental effects to leaving both as "any" besides utilizing more CPU / memory or more false positives? Sometimes inspecting traffic from the "protected network" destined to the "unprotected network" can be beneficial. Any insight is appreciated! Thanks!

4 Replies

balaji.bandi
Hall of Fame

It is always security best practice to tune the objects that come with defaults to the right values rather than leaving them as they are, since that is a security risk.

The example is provided as reference only; you cannot leave it as it is, especially any (that will match anything, so it carries more risk and is CPU intensive).

Some references for the objects:

https://community.cisco.com/t5/security-blogs/how-to-work-with-variable-sets-and-why-are-they-so-important-to/ba-p/3676102


https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/reusable_objects.html#ID-2243-000000f2

BB


brettp

Thank you for the reply. I understand leaving defaults in most cases is a security risk, but how is it a security risk in this case? It’s even more stringent than configuring the variables for each specific environment because it essentially causes everything to be inspected regardless of where the traffic is coming from and where it is going. This Cisco presentation says you can keep them as “any” if that’s what you want: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKSEC-3300.pdf. I am asking specifically if I am missing something here, because there is so much emphasis on changing them. Well, what if I want to inspect all traffic in all directions? I understand this will consume more resources on the device and could present more false positives. What other detrimental effects does keeping it “any” present?

Marvin Rhoads
Hall of Fame

@brettp you are correct in that it broadens the potential flows that could be considered an IPS event. However, most of the intent of the IPS is to protect your inside network, not the public side. Many Snort rules do not have a directional component, so you get those either way.

Do make sure that your network discovery policy correctly discovers only the protected networks. Otherwise you may run out of host licenses and fail to profile hosts that should be profiled, thus reducing the efficacy of the system.

It depends on which Snort rule is going to be used; if those variables are not accurate, you might end up in a scenario where Snort is totally blind and accordingly does not protect against potential attacks. Please take a look at this post of mine, which shows you that potential scenario and how to fix it:

Snort HOME_NET and EXTERNAL_NET Variables (bluenetsec.com)
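Worked example, added here and not code from the thread, from Cisco or from the Snort project: a small Python model of how the address variables in a rule header decide which flows a rule examines at all. It assumes only the documented Snort header semantics (the source address must satisfy the first address spec and the destination the second, `->` is one-directional and `<>` bidirectional, `!$HOME_NET` is negation, a bracketed list is a union). The three rule headers, the three variable sets and the four flows are constructed for illustration and are not real SIDs or real networks; 203.0.113.0/24 (TEST-NET-3) stands in for the Internet. It reproduces the three positions in the thread: with the default any/any every directional rule looks at every flow, a tuned set confines inbound rules to genuinely inbound flows and outbound rules to genuinely outbound ones, and a HOME_NET that forgets a DMZ range leaves the inbound server rule blind to attacks on that DMZ while the non-directional rule fires everywhere regardless.

```python
"""Model of how Snort rule-header variables gate which flows a rule examines.

Added example for this thread, not Cisco or Snort code.  It assumes only the
documented Snort header semantics: 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80'
matches a packet only if the source address is in $EXTERNAL_NET, the destination
in $HOME_NET and the destination port is 80.  Variable values may be 'any', a
CIDR, a bracketed list of CIDRs, a $VAR reference, or a negation such as
'!$HOME_NET'.  All addresses, rule headers and flows below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def addr_matches(ip: str, spec: str, variables: dict) -> bool:
    """True if ip satisfies an address spec ('any', CIDR, [a,b], $VAR, !spec)."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(ip, spec[1:], variables)
    if spec.startswith("$"):
        return addr_matches(ip, variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(ip, part, variables) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(port: int, spec: str) -> bool:
    """Port spec: 'any', a single number, or a bracketed list of numbers."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(port, p) for p in spec[1:-1].split(","))
    return port == int(spec)


def header_matches(header: str, flow: Flow, variables: dict) -> bool:
    """Evaluate one Snort rule header against one flow under a variable set."""
    _action, _proto, src, sport, direction, dst, dport = header.split()

    def one_way(s, sp, d, dp):
        return (addr_matches(flow.src, s, variables) and port_matches(flow.sport, sp)
                and addr_matches(flow.dst, d, variables) and port_matches(flow.dport, dp))

    if one_way(src, sport, dst, dport):
        return True
    # '<>' is Snort's bidirectional operator; '->' only matches one way.
    return direction == "<>" and one_way(dst, dport, src, sport)


# Three constructed variable sets: the default (both 'any'), a tuned set,
# and a mistuned set whose HOME_NET forgot the 192.168.0.0/16 DMZ range.
VARIABLE_SETS = {
    "default": {"HOME_NET": "any", "EXTERNAL_NET": "any"},
    "tuned": {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"},
    "missing_dmz": {"HOME_NET": "10.0.0.0/8", "EXTERNAL_NET": "!$HOME_NET"},
}

# Constructed headers in the three directional styles found in Snort rule sets.
RULES = {
    "inbound_server": "alert tcp $EXTERNAL_NET any -> $HOME_NET 80",
    "outbound_c2": "alert tcp $HOME_NET any -> $EXTERNAL_NET any",
    "nondirectional": "alert tcp any any -> any any",
}

# Constructed flows; 203.0.113.0/24 (TEST-NET-3) stands in for the Internet.
FLOWS = {
    "internet_to_inside": Flow("203.0.113.5", 40000, "10.1.1.10", 80),
    "internet_to_dmz": Flow("203.0.113.5", 40001, "192.168.5.5", 80),
    "inside_lateral": Flow("10.2.2.20", 50000, "10.1.1.10", 80),
    "inside_to_internet": Flow("10.2.2.20", 50001, "203.0.113.5", 443),
}


def evaluate(variable_sets=VARIABLE_SETS, rules=RULES, flows=FLOWS):
    """Return {(set_name, rule_name, flow_name): bool} for every combination."""
    return {(vs, r, f): header_matches(rules[r], flows[f], variable_sets[vs])
            for vs in variable_sets for r in rules for f in flows}


def skipped_relative_to_default(results=None):
    """Triples the default any/any set would examine but a narrower set skips."""
    if results is None:
        results = evaluate()
    return sorted(k for k, hit in results.items()
                  if k[0] != "default" and not hit and results[("default",) + k[1:]])


if __name__ == "__main__":
    res = evaluate()
    for vs in VARIABLE_SETS:
        print(f"== variable set: {vs}")
        for r in RULES:
            hits = [f for f in FLOWS if res[(vs, r, f)]]
            print(f"  {r:16s} examines: {', '.join(hits) or '(nothing)'}")
```

Running it shows the trade-off the thread is about: under `default`, `inbound_server` also examines the inside-to-inside flow and `outbound_c2` examines everything, which is the extra inspection (and CPU and false-positive load) the original poster describes; under `tuned`, each directional rule is confined to the flows it was written for; under `missing_dmz`, the inbound rule never examines the Internet-to-DMZ flow at all, which is the silent blindness a mistuned HOME_NET produces, while `nondirectional` matches identically in all three sets.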
