1
00:00:00,760 --> 00:00:07,660
One very effective way to protect endpoints is to stop external connections before malicious files can

2
00:00:07,660 --> 00:00:09,600
be downloaded.

3
00:00:09,760 --> 00:00:15,790
If a user cannot connect to bad sites, then in theory they are secured even if their endpoint protection

4
00:00:15,790 --> 00:00:24,030
software is not running. Whitelisting and blacklisting destinations can be used for this type of protection.

5
00:00:25,100 --> 00:00:33,740
Centralized databases are used to maintain lists to identify if a network, URL or domain name is

6
00:00:33,740 --> 00:00:35,020
good or bad.

7
00:00:35,450 --> 00:00:43,310
So basically, when an endpoint sends traffic on the network, your security devices can check these lists to know

8
00:00:43,310 --> 00:00:49,490
if it should permit or deny traffic. To show you how whitelists and blacklists can be used to secure your

9
00:00:49,490 --> 00:00:54,470
network, we'll hop into the lab and I'll show you Cisco's Security Intelligence feature.

10
00:00:54,680 --> 00:00:59,300
OK, so here we are in my Firepower Management Center in the lab.

11
00:00:59,300 --> 00:01:05,060
First I'll show you how you can apply the Security Intelligence feature for whitelists and blacklists

12
00:01:05,750 --> 00:01:10,840
by going to the Access Control Policy that ties everything together.

13
00:01:14,280 --> 00:01:20,080
So here in my Access Control Policy you'll notice there's a Security Intelligence tab.

14
00:01:20,980 --> 00:01:23,510
We're going to click on that right.

15
00:01:23,610 --> 00:01:27,270
We have a whitelist and blacklist column.

16
00:01:27,490 --> 00:01:33,700
If I add a list of IPs or URLs to the blacklist column, that is going to tell Firepower devices

17
00:01:33,700 --> 00:01:40,420
on my network to block any destinations that match IPs or URLs that are blacklisted.

18
00:01:40,800 --> 00:01:46,570
And if we want things to be excluded from being blocked from a blacklist, then we would add those destinations

19
00:01:46,570 --> 00:01:47,940
to a whitelist.

20
00:01:49,610 --> 00:01:56,580
I've added some of the malicious categories in here, but really just by adding the global blacklist or

21
00:01:56,580 --> 00:02:02,870
a global whitelist you can dynamically block things that are considered to be bad out on the Internet.

22
00:02:03,170 --> 00:02:09,770
So if Cisco's security intelligence database determines that some IP out on the Internet is sending out

23
00:02:09,770 --> 00:02:16,430
malware, or that there's been reports of attacks from a certain destination, they'll add that IP to their

24
00:02:16,430 --> 00:02:23,530
blacklist, which will be dynamically downloaded to Firepower.

25
00:02:23,530 --> 00:02:28,930
OK, so now that you see how the whitelist and blacklist are applied with our policy, now we'll take you

26
00:02:28,930 --> 00:02:34,830
into our object page to show you where we can configure whitelist and blacklist objects.

27
00:02:36,210 --> 00:02:41,550
So we'll go to the Objects tab and Object Management, and then we'll go to our Security Intelligence

28
00:02:41,550 --> 00:02:46,030
objects, and we have our network, DNS and URL feed.

29
00:02:46,050 --> 00:02:52,920
So not only is my Firepower device using security intelligence to see what networks and IPs are blacklisted

30
00:02:52,950 --> 00:02:57,530
out on the Internet, but it will also check for blacklisted DNS entries.

31
00:02:57,540 --> 00:03:00,160
And URLs.

32
00:03:00,320 --> 00:03:06,560
So here you can see I have the security intelligence feed that's pulling down any updates to my global

33
00:03:06,830 --> 00:03:13,120
blacklist or whitelist, so you can see here my feed was updated a little over an hour ago.

34
00:03:14,500 --> 00:03:20,530
And if you want to make a custom blacklist, maybe there are IPs out there that you've found to be malicious

35
00:03:20,580 --> 00:03:25,470
that aren't updated to the dynamic feed, and you can go to network objects.

36
00:03:25,630 --> 00:03:31,120
And then I could create my own blacklist group of IPs. We'll call this custom blacklist

37
00:03:34,870 --> 00:03:42,420
and then any IPs that I find are malicious I can just type them in here and click add. Maybe I want to

38
00:03:42,420 --> 00:03:43,320
add networks

39
00:03:48,390 --> 00:03:52,600
and save, and then I can add this custom blacklist to our blacklist

40
00:03:52,620 --> 00:03:59,130
security intelligence column, and I'll go back to our Access Control Policy,

41
00:04:02,270 --> 00:04:10,480
go to our Security Intelligence tab, and then I can add my custom list over to the blacklist column, telling

42
00:04:10,810 --> 00:04:14,640
Firepower to block anything that's on that list.

43
00:04:14,770 --> 00:04:20,530
But really the primary purpose of the security intelligence whitelist and blacklist is the dynamic feeds

44
00:04:20,530 --> 00:04:24,900
that you're downloading from Cisco's security intelligence database.