Friday, July 19, 2019

FirePOWER administration

Hi Guys,

I work at a relatively small company so each of the IT staff members has multiple responsibilities. Mine include network administration, but I cannot commit more than one day a week to it, so I am not really a skilled network admin.

Anyway, as someone responsible for networking, I was tasked a couple of years ago with deploying FirePOWER on top of our ASA firewalls to give us more security and visibility into the network. I managed to install the VM and SFR modules on all the firewalls and configure everything with the help of the official documentation, the ITPRo TV video series and a book. It has been working without big issues since; I keep updating the software, definitions, rules and recommendations.

But making it work is one thing, and actually using it for what it is intended for is another. I mostly rely on Cisco recommendations when it comes to which rules to enable and which should drop traffic. When I look at the list of "intrusion events" from time to time and actually analyse them, I mostly see false positives: attacks related to Apache on servers not running Apache at all, or servers flagged as infected with CnC that, as far as I can tell, are not infected with anything.

So my question here is... are there any resources to help me manage this properly? Ideally FirePOWER related, but could also be more general resources that I could apply to FirePOWER.

Thanks in advance!