10-31-2022 10:25 AM
I can't find the exact answer to this and have read mixed opinions. We used to use Firepower with ASA. The previous network engineer simply left the default value for both the HOME_NET and EXTERNAL_NET variables (which is "any.") I took over the position, replaced the ASAs with FTDs, and left the values the same simply because that's the way we've been running for years. With that said, everything I have read, including Cisco's best practices, notes that the HOME_NET and EXTERNAL_NET variables should be configured for your environment. I do understand the purpose of configuring these, but am I missing something? Doesn't the default settings simply cause all traffic to be "inspected" by SNORT regardless of where it originates? Are there any detrimental effects to leaving both as "any" besides utilizing more CPU / memory or more false positives? Sometimes inspecting traffic from the "protected network" destined to the "unprotected network" can be beneficial. Any insight is appreciated! Thanks!
10-31-2022 10:29 AM - edited 10-31-2022 10:30 AM
It is always a security best practice to tweak the objects that come with default values to the right value, rather than leave them as they are, since that is a security risk.
The example is provided as reference only; you cannot leave it as it is, especially "any" (that will be any, so it has more risk and is CPU intensive).
Some references for the objects.
10-31-2022 12:00 PM
11-01-2022 09:21 AM
@brettp you are correct in that it broadens the potential flows that could be considered an IPS event. However, most of the intent of the IPS is to protect your inside network, not the public side. Many Snort rules do not have a directional component, so you get those either way.
Do make sure that your network discovery policy correctly discovers only the protected networks. Otherwise you may run out of host licenses and fail to profile hosts that should be profiled, thus reducing the efficacy of the system.
11-01-2022 09:37 AM
It depends on which Snort rule is going to be used; if those variables are not accurate, you might end up in a scenario where Snort will be totally blind and accordingly not protect against potential attacks. Please take a look at this post of mine, where it shows you that potential scenario and how to fix it:
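The two answers above make the same point from different sides: rule headers written as `$EXTERNAL_NET -> $HOME_NET` (or the reverse) match more or fewer flows depending on how the variables are defined, while rules written `any -> any` match regardless. The following Python model, added here as an illustration and not code from the thread or from Cisco, evaluates a few constructed rule headers against constructed sample flows under two variable sets: the shipped default (both "any") and a tuned pair (HOME_NET set to private ranges, EXTERNAL_NET defined as everything else). The rule names, CIDRs, IP addresses and variable values are assumptions; only the address part of a Snort header is modelled, and real Snort address syntax (bracketed lists, nested negation) is wider than what is implemented here.

```python
import ipaddress

# Constructed variable sets (assumed for illustration, not taken from the thread):
# the shipped default of "any" for both variables, and a tuned pair where
# EXTERNAL_NET is everything that is not HOME_NET.
DEFAULT_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
TUNED_VARS = {"HOME_NET": "10.0.0.0/8,192.168.0.0/16", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed rule headers: (name, source expression, destination expression).
# Ports and payload content are ignored; only the address part matters here.
RULES = [
    ("inbound-web", "$EXTERNAL_NET", "$HOME_NET"),   # classic "attack from outside" direction
    ("outbound", "$HOME_NET", "$EXTERNAL_NET"),      # inside host talking out
    ("bidirectional", "any", "any"),                 # rule with no directional component
]

# Constructed sample flows: (label, source IP, destination IP).
FLOWS = [
    ("internet -> webserver", "203.0.113.5", "10.1.1.10"),
    ("webserver -> internet", "10.1.1.10", "203.0.113.5"),
    ("internal -> internal", "10.1.1.10", "192.168.5.20"),
    ("internet -> internet", "203.0.113.5", "198.51.100.7"),
]


def addr_matches(addr: str, expr: str, variables: dict) -> bool:
    """Evaluate a simplified Snort address expression against one IP.

    Supported forms: 'any', a comma-separated CIDR list, '$VAR', and '!<expr>'.
    Real Snort also accepts bracketed lists and nested negation; this model
    keeps only what the thread's question needs.
    """
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not addr_matches(addr, expr[1:], variables)
    if expr.startswith("$"):
        return addr_matches(addr, variables[expr[1:]], variables)
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr.strip(), strict=False)
               for cidr in expr.split(","))


def rule_fires(rule, src: str, dst: str, variables: dict) -> bool:
    """True if the rule header's source and destination both accept the flow."""
    _name, src_expr, dst_expr = rule
    return addr_matches(src, src_expr, variables) and addr_matches(dst, dst_expr, variables)


def coverage(flows, rules, variables) -> dict:
    """Map each rule name to the labels of the flows it would inspect."""
    return {
        name: [label for label, src, dst in flows
               if rule_fires((name, s, d), src, dst, variables)]
        for name, s, d in rules
    }


if __name__ == "__main__":
    for title, variables in (("default any/any", DEFAULT_VARS), ("tuned", TUNED_VARS)):
        print(f"== {title} ==")
        for name, labels in coverage(FLOWS, RULES, variables).items():
            print(f"{name:14s} {len(labels)} flow(s): {', '.join(labels)}")
```

With the default any/any variables every rule is evaluated against every flow (12 rule/flow pairings, including the pure internet-to-internet transit flow), which is the extra CPU cost and false-positive surface the question asks about. With the tuned pair, the directional rules shrink to the flows they were written for, but the `inbound-web` rule no longer sees the internal-to-internal flow at all, because its source sits inside HOME_NET and is therefore excluded from `!$HOME_NET`; that is the "blind" case the last answer refers to. If rules keyed on `$EXTERNAL_NET` are expected to fire on lateral traffic too, a narrower HOME_NET combined with EXTERNAL_NET left as "any" is the usual compromise, and the model above lets you check which flows each rule covers before committing a variable set.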