To ease administrative overhead, you want to add a third-party feed to a Security Intelligence device so that the IP addresses of known malicious hosts are automatically blacklisted. However, you have not determined whether the feed is valid. Which of the following are you most likely to do? (Select the best answer.)

Last Updated on August 3, 2021 by Admin 3


  • Implement the feed, and add IP addresses to a custom whitelist as necessary.
  • Enforce Security Intelligence filtering by Security Zone.
  • Configure the monitor-only setting, and examine the logs.
  • Configure a custom blacklist that contains only malicious IP addresses.
Explanation:
Most likely, you will configure the monitor-only setting and examine the logs if you want to add a third-party feed to a Security Intelligence device but have not yet determined whether the feed is valid. Security Intelligence devices, such as a Cisco Sourcefire Intrusion Prevention System (IPS), can accept manually imported lists of network addresses or feeds from third parties. Such devices can block IP addresses or networks based on their reputation, which reduces the device overhead that would otherwise come from having to analyze traffic from those networks.
The monitor-only setting allows traffic from networks listed in a given feed to still be analyzed by the Security Intelligence device, while also logging the fact that the network matched the third-party feed. An administrator can then review the logs and the analysis of traffic from networks on the feed to determine the validity of the feed before switching it to blocking.
Although you could implement the feed and add IP addresses to a custom whitelist as necessary, doing so might increase administrative overhead if the feed turns out to be invalid. On Security Intelligence devices, whitelists can be used to override blacklisted IP addresses. Whitelists can thus be used to enable communication with legitimate IP addresses that are listed on third-party feeds or other blacklists that might be too broadly defined. From an administrative overhead standpoint, you are more likely to validate the feed, then implement the feed, and finally add IP addresses or networks to the whitelist as necessary.
You are less likely to enforce Security Intelligence filtering by Security Zone than to configure the monitor-only setting in this scenario, because doing so would neither validate nor invalidate the IP addresses that are contained on the third-party feed. Enforcing blacklisting by security zone can be used to enhance the performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that process the given traffic. For example, the blacklisting of IP addresses that send email traffic could be restricted to a Security Zone that handles only email traffic.
You are not likely to configure a custom blacklist that contains only malicious IP addresses, because doing so defeats the purpose of easing administrative overhead in this scenario. Security Intelligence devices allow the creation of custom blacklists so that you can manually block specific IP addresses or networks. However, compiling and validating such a list would require more administrative overhead in this scenario than simply validating a third-party feed prior to implementing it.
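The review step described above, as an added example that is not part of the original page or of any Cisco product: a small script that summarizes monitor-only hits for one feed and flags sources that fall inside networks the organization already knows to be legitimate, which are the candidates for a whitelist entry (or a sign the feed is too broad). The event line layout, the feed name and the known-good network are all constructed assumptions for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of monitor-only Security Intelligence events. The field
# layout (timestamp, src_ip, dst_ip, feed, action) is an assumption for this
# example, not Cisco's actual event format.
SAMPLE_EVENTS = """\
2021-08-03T10:00:01Z 198.51.100.7 10.0.0.5 ThirdPartyFeed Monitor
2021-08-03T10:00:09Z 203.0.113.42 10.0.0.5 ThirdPartyFeed Monitor
2021-08-03T10:01:15Z 198.51.100.7 10.0.0.9 ThirdPartyFeed Monitor
2021-08-03T10:02:30Z 192.0.2.10 10.0.0.5 ThirdPartyFeed Monitor
2021-08-03T10:03:44Z 203.0.113.42 10.0.0.22 ThirdPartyFeed Monitor
2021-08-03T10:04:02Z 198.51.100.200 10.0.0.5 ThirdPartyFeed Block
"""

# Hypothetical partner/SaaS networks that must stay reachable (assumption).
KNOWN_GOOD = [ipaddress.ip_network("192.0.2.0/24")]


def parse_event(line):
    """Split one event line into a dict; raises ValueError on malformed input."""
    ts, src, dst, feed, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "feed": feed, "action": action}


def is_known_good(ip):
    """True when the address falls inside a network the organization trusts."""
    return any(ip in net for net in KNOWN_GOOD)


def review_feed(events_text, feed_name):
    """Summarize monitor-only hits for one feed so an admin can judge its validity."""
    hits = defaultdict(int)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Only events the feed merely monitored count; Block events came from elsewhere.
        if ev["feed"] != feed_name or ev["action"] != "Monitor":
            continue
        hits[ev["src"]] += 1
    candidates = sorted(str(ip) for ip in hits if is_known_good(ip))
    ranked = sorted(hits.items(), key=lambda kv: -kv[1])
    return {"monitored_events": sum(hits.values()),
            "unique_sources": len(hits),
            "whitelist_candidates": candidates,  # legitimate hosts the feed flagged
            "top_sources": [str(ip) for ip, _ in ranked[:3]]}


if __name__ == "__main__":
    print(review_feed(SAMPLE_EVENTS, "ThirdPartyFeed"))
```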