An engineer has been tasked with configuring a Cisco FTD to analyze protocol fields and detect anomalies in the traffic from industrial systems. What must be done to meet these requirements?
A. Enable traffic analysis in the Cisco FTD.
B. Implement pre-filter policies for the CIP preprocessor.
C. Configure intrusion rules for the DNP3 preprocessor.
D. Modify the access control policy to trust the industrial traffic.
I will go with C here... First of all, you need a special kind of preprocessor (Modbus/DNP3/CIP) to analyze the industrial system traffic, so enabling "default" traffic analysis in FTD is not enough.
I would opt for C. DNP3 is a SCADA protocol which in turn is widely used in the industrial network world. "The DNP3 preprocessor detects anomalies in DNP3 traffic and decodes the DNP3 protocol for processing by the rules engine, which uses DNP3 keywords to access certain protocol fields."
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/scada_preprocessors.html
It's definitely not widely used; I'd say CIP or Modbus are going to be used 90% of the time or better, with CIP likely being dominant in at least the US, plus Cisco and Rockwell partnered to create the CIP/EtherNet/IP protocol and it is a Cisco exam. Also, looking at the preprocessor for CIP: "The CIP preprocessor detects CIP and ENIP traffic running on TCP or UDP and sends it to the intrusion rules engine." So I'd personally go with the CIP preprocessor over intrusion rules with DNP3. But I'm not yet super familiar with the Firepower processes, to be fair.
It does not matter which of the 3 you like the most.
It does not matter which one you choose between Modbus, CIP or DNP3.
What matters is where you set them to be trusted by FTD.
Policies > Access Control, then click Network Analysis Policies or Policies > Access Control > Intrusion, then click Network Analysis Policies.
Note
If your custom user role limits access to the first path listed here, use the second path to access the policy.
Step 2
Click Edit (edit icon) next to the policy you want to edit.
If View (view button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.
Step 3
Click Settings in the navigation panel.
"D" is the correct answer.
C is correct - Configure Intrusion Rules... because IR also automatically enables the required pre-processors, which handle detection of anomalies (as required in the question).
A - "enable traffic analysis" - means nothing specific.
B - Pre-filter policies for CIP -> Pre-filters are used to bypass the Snort engine completely, an optional first step of access control, rules that match simple values like IPs and ports (like ASA ACLs). There is no deep packet inspection nor anomaly detection.[2][3]
[2] https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212700-configuration-and-operation-of-ftd-prefi.html
[3] https://networkdirection.net/articles/firewalls/firepowermanagementcentre/prefilterpolicies/
D - Set Access Control Policy to trust industrial traffic - Action TRUST = allow WITHOUT inspection & anomaly detection.
C - "configure INTRUSION RULES for DNP3" -> Documentation states that enabling INTRUSION RULES is mandatory for CIP to work + the required preprocessors (in the Network Analysis Policy - NAP) will be enabled automatically:
"If you want the CIP preprocessor rules listed in the following table to generate events, you MUST enable them. See Setting Intrusion Rule States for information on enabling rules."
"If the Modbus, DNP3, or CIP preprocessor is disabled, and you enable and deploy an intrusion rule that requires one of these preprocessors, the system automatically uses the required preprocessor, with its current settings, although the preprocessor remains disabled in the web interface for the corresponding network analysis policy."
[1] https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/scada_preprocessors.html
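The quoted documentation says the SCADA preprocessors "detect anomalies" and "decode the protocol for processing by the rules engine". The following Python is an added illustration of what that decode step amounts to for DNP3; it is not Cisco's, Snort's or ExamTopics' code. It parses the DNP3 link-layer header (start bytes 0x05 0x64, length, control, destination, source, CRC) and the CRC-protected 16-byte user-data blocks, and reports the kinds of anomalies a preprocessor raises before any intrusion rule can match on a decoded field: bad CRC, invalid length, reserved function code, reserved address, truncated data. The CRC is CRC-16/DNP (polynomial 0x3D65, bit-reflected, result inverted); the reserved-address range and the valid function-code tables are this example's own assumptions taken from the DNP3 link-layer spec as recalled here, and the sample frames are constructed.

```python
import struct

# DNP3 link-layer framing constants. Start bytes and 10-byte header layout
# follow IEEE 1815 (DNP3); the CRC is CRC-16/DNP (poly 0x3D65, reflected,
# inverted result). The reserved-address range and function-code tables are
# this example's assumptions, not taken from the Cisco documentation.
DNP3_START = b"\x05\x64"
CRC_POLY_REFLECTED = 0xA6BC          # reflected form of 0x3D65
HEADER_LEN = 10                      # start(2) len(1) ctrl(1) dst(2) src(2) crc(2)
DATA_BLOCK = 16                      # user data is CRC-protected in 16-byte blocks
RESERVED_ADDR_RANGE = (0xFFF0, 0xFFFB)      # assumed reserved link addresses
VALID_FC_PRIMARY = {0, 1, 2, 3, 4, 9}       # RESET_LINK ... REQUEST_LINK_STATUS
VALID_FC_SECONDARY = {0, 1, 11, 15}         # ACK, NACK, LINK_STATUS, NOT_SUPPORTED


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP over `data`: reflected shift register, ones-complemented result."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(dest: int, src: int, ctrl: int, user_data: bytes = b"") -> bytes:
    """Assemble a well-formed link-layer frame (used here to construct sample input)."""
    header = DNP3_START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), DATA_BLOCK):
        block = user_data[i:i + DATA_BLOCK]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def decode_link_frame(frame: bytes):
    """Decode the link-layer header and user data of one DNP3 frame.

    Returns (fields, anomalies): `fields` holds the decoded header values
    (None if the header cannot be parsed) and `anomalies` lists the checks
    that failed, i.e. the kind of events a SCADA preprocessor raises.
    """
    anomalies = []
    if len(frame) < HEADER_LEN or frame[:2] != DNP3_START:
        return None, ["missing or malformed link-layer header"]
    length, ctrl = frame[2], frame[3]
    dest, src = struct.unpack("<HH", frame[4:8])
    if struct.unpack("<H", frame[8:10])[0] != dnp3_crc(frame[:8]):
        anomalies.append("bad header CRC")
    if length < 5:                       # length counts ctrl+dst+src+user data
        anomalies.append("invalid link length")
    prm = bool(ctrl & 0x40)              # PRM bit: primary-to-secondary direction
    fc = ctrl & 0x0F                     # link-layer function code
    if fc not in (VALID_FC_PRIMARY if prm else VALID_FC_SECONDARY):
        anomalies.append("reserved function code")
    if any(RESERVED_ADDR_RANGE[0] <= a <= RESERVED_ADDR_RANGE[1] for a in (dest, src)):
        anomalies.append("reserved address")
    # Walk the CRC-protected data blocks; the length field excludes CRC bytes.
    user_data, remaining, pos = b"", max(length - 5, 0), HEADER_LEN
    while remaining:
        n = min(DATA_BLOCK, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) < n or len(crc) < 2:
            anomalies.append("truncated user data")
            break
        if struct.unpack("<H", crc)[0] != dnp3_crc(block):
            anomalies.append("bad data CRC")
        user_data += block
        remaining -= n
        pos += n + 2
    fields = {"length": length, "primary": prm, "function_code": fc,
              "dest": dest, "src": src, "user_data": user_data}
    return fields, anomalies


if __name__ == "__main__":
    # Constructed samples: a valid unconfirmed-user-data request, the same
    # frame with one flipped header byte, and a request with an undefined code.
    good = build_frame(dest=1, src=1024, ctrl=0xC4, user_data=bytes(range(20)))
    flipped = bytearray(good)
    flipped[5] ^= 0x01
    for label, f in [("good", good), ("flipped", bytes(flipped)),
                     ("bad fc", build_frame(1, 1024, 0xC7))]:
        print(label, decode_link_frame(f)[1])
```

The point for the exam question is where this code would sit in the FTD pipeline: it only ever runs on packets that reach the Snort engine, so a prefilter fastpath rule (option B) or a trust action (option D) means none of these checks happen, and only the decoded fields, such as `function_code`, give an intrusion rule something to match on (option C).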
"SCADA: There are two supervisory control and data acquisition (SCADA) protocols for which the Cisco Firepower NGIPS offers preprocessors: DNP3 and Modbus. These protocols monitor and control industrial facilities. The SCADA preprocessors monitor the DNP and Modbus protocols for anomalies and decode their messages for further rule inspection."
From the Cisco Official Cert Guide
"the system does not inspect blocked or trusted traffic"
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/an_overview_of_network_analysis_and_intrusion_policies.html
diagram shows, in a simplified fashion, the order of traffic analysis in an inline, intrusion prevention and AMP for Networks deployment. It illustrates how the access control policy invokes other policies to examine traffic, and in which order those policies are invoked. The network analysis and intrusion policy selection phases are highlighted.
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/an_overview_of_network_analysis_and_intrusion_policies.html
In a newly created access control policy, one default network analysis policy governs preprocessing for all traffic for all intrusion policies invoked by the same parent access control policy.
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/scada_preprocessors.html
If the Modbus, DNP3, or CIP preprocessor is disabled, and you enable and deploy an intrusion rule that requires one of these preprocessors, the system automatically uses the required preprocessor, with its current settings...
I think the answer should be C. If you're going to detect any kind of anomalies I suppose Intrusion rules is a must.
Community vote distribution: A (35%), C (25%), B (20%), Other