Wednesday, April 10, 2019

What is the difference between Cisco FTD URL feeds vs DNS feeds

Hey all,

Sorry if this is possibly a basic question, but I can't seem to find the answer in my searching. Cisco Firepower allows for feed based filtering of networks (IP addresses), as well as URLs, and DNS requests through security intelligence polices.

From my understanding, network feeds when applied block traffic with the destination IP addresses, and DNS feeds inspect DNS requests inline and drop traffic to flagged domains.

Would DNS filtering not cover malicious URL filtering? If DNS filtering does cover malicious URL filtering, why can I configure a DNS inspection policy targeting categories such as DNS_CnC_Server and apply it in the security intelligence policy, the same place where I can apply URL blacklists for CnC_Servers?

My best guess is that DNS filtering is the broad brush strokes and blocks all traffic from a flagged domain, and URL filtering only blocks the specific URL/path/socket.

I am not sure if I am googling the wrong things, but I can't seem to find any relevant info on how these two functions differ from each other.

Thanks for any insight!

Relevant Reference Material:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/security_intelligence_blacklisting.pdf

http://www.labminutes.com/sec0226_asa_firepower_60_url_dns_security_intelligence_2
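The layering described in the question (network feed on destination IP, DNS feed on the queried name, URL feed on the full URL) can be modelled to see which feed catches which kind of traffic. This is an added toy model, not Cisco's implementation or code from either reference; the feed entries, event names and addresses are all constructed, and the URL prefix-matching rule is an assumption for the model only.

```python
from urllib.parse import urlsplit

# Constructed feed entries (documentation-range values, not real indicators).
NETWORK_FEED = {"203.0.113.10"}
DNS_FEED = {"bad.example"}
URL_FEED = {"http://evil.example/payload/drop.exe", "http://evil.example/kit/"}

def match_network(dst_ip):
    """Network-feed layer: matches on the connection's destination IP only."""
    return dst_ip in NETWORK_FEED

def match_dns(qname):
    """DNS-feed layer: matches the queried name or any parent domain in the feed."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DNS_FEED for i in range(len(labels)))

def normalize_url(url):
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"

def match_url(url):
    """URL-feed layer (model assumption): exact URL, or a feed entry ending in '/' that prefixes it."""
    u = normalize_url(url)
    return any(u == normalize_url(e) or (e.endswith("/") and u.startswith(normalize_url(e)))
               for e in URL_FEED)

def evaluate(event):
    """Return the set of feed layers that would block a constructed traffic event.
    Keys: dns_query (name the client resolves; absent if cached or hard-coded),
    dst_ip, url (absent for non-HTTP traffic)."""
    hits = set()
    if "dns_query" in event and match_dns(event["dns_query"]):
        hits.add("dns")
    if "dst_ip" in event and match_network(event["dst_ip"]):
        hits.add("network")
    if "url" in event and match_url(event["url"]):
        hits.add("url")
    return hits

# Constructed events: each one is caught by a different layer (or by none).
EVENTS = {
    "resolved_then_fetched": {"dns_query": "www.bad.example", "dst_ip": "198.51.100.7",
                              "url": "http://www.bad.example/login"},
    "cached_ip_fetch": {"dst_ip": "198.51.100.9", "url": "http://evil.example/payload/drop.exe"},
    "benign_path_on_feed_host": {"dst_ip": "198.51.100.9", "url": "http://evil.example/about"},
    "direct_to_listed_ip": {"dst_ip": "203.0.113.10"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name}: blocked by {sorted(evaluate(ev)) or 'nothing'}")
```

The second and third events show the difference the question is after: a client that never issues a DNS query is invisible to the DNS feed but still hits the URL feed, while a benign path on a host that appears only in the URL feed is not blocked by any layer.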


