Cisco 7010 Installation Manual page 43

Firepower 7000 series; firepower 8000 series

Hide thumbs Also See for 7010:

Product user manual (151 pages)

Help manual (132 pages)

Replacement instructions manual (23 pages)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

page of 204

/ 204
Contents
Table of Contents
Bookmarks

Table of Contents

Chapter 3

Deploying Firepower Managed Devices

Deployment Options

An incoming packet is first checked against any fast-path rules. If there is a match, the traffic is

fast-pathed. If there is no match, Security Intelligence-based filtering determines if the packet is

blacklisted. If not, any access control rules are applied. If the packet meets the conditions of a rule, traffic

flow and inspection depend on the rule action. If no rules match the packet, traffic flow and inspection

depend on the default policy action. (An exception occurs with Monitor rules, which allow traffic to

continue to be evaluated.) The default action on each access control policy manages traffic that has not

been fast-pathed or blacklisted, or matched by any non-Monitor rule. Note that fast-path is available only

for 8000 Series devices.

You can create access control rules to provide more granular control over how you handle and log

network traffic. For each rule, you specify an action (trust, monitor, block, or inspect) to apply to traffic

that meets specific criteria.

On the DMZ

The DMZ contains outward-facing servers (for example, web, FTP, DNS, and mail), and may also

provide services such as mail relay and web proxy to users on the internal network.

Content stored in the DMZ is static, and changes are planned and executed with clear communication

and advance notice. Attacks in this segment are typically inbound and become immediately apparent

because only planned changes should occur on the servers in the DMZ. An effective access control

policy for this segment tightly controls access to services and searches for any new network events.

Servers in the DMZ can contain a database that the DMZ can query via the network. Like the DMZ, there

should be no unexpected changes, but the database content is more sensitive and requires greater

protection than a web site or other DMZ service. A strong intrusion policy, in addition to the DMZ access

control policy, is an effective strategy.

A managed device deployed on this segment can detect attacks directed to the Internet that originate

from a compromised server in the DMZ. Monitoring network traffic using Network Discovery can help

you monitor these exposed servers for changes (for example, an unexpected service suddenly appearing)

that could indicate a compromised server in the DMZ.

Firepower 7000 and 8000 Series Installation Guide

3-13

Table of Contents

Show Quick Links

Hide quick links:

Chapters

Table of Contents

This manual is also suitable for:

7120 7115 7125 Amp7150 7020 7030 ... Show all

Cisco 7010 Installation Manual page 43

Hide quick links:

Chapters

Related Manuals for Cisco 7010

Related Products for Cisco 7010

This manual is also suitable for:

Table of Contents