Which of the following is the best reason to enforce blacklisting by security zone on a Cisco device that uses the Security Intelligence IP Address Reputation feature? (Select the best answer.)
- to streamline performance of the IPS device
- to ensure that local hosts can communicate with a given IP address
- to validate a blacklist feed that has been obtained from a third party
- to manually control which networks are blocked by the IPS
Most likely, you would enforce blacklisting by security zone to streamline performance of the intrusion prevention system (IPS) device. Enforcing blacklisting by security zone enhances the performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that process the given traffic. For example, the blacklisting of IP addresses that send email traffic could be restricted to a security zone that handles only email traffic.
You would configure the monitor-only setting if you wanted to validate a blacklist feed that has been obtained from a third party. Security Intelligence devices, such as a Cisco Sourcefire IPS, are capable of accepting manually imported lists of network addresses or feeds from third parties. Such devices can block IP addresses or networks based on their reputation, which mitigates the device overhead that comes from having to analyze traffic from those networks. The monitor-only setting allows traffic from networks that are listed within a given feed to be analyzed by the Security Intelligence device, but also logs the fact that the given network matches the third-party feed. This enables an administrator to review the logs and the analysis of traffic from networks on the feed to determine the validity of the feed.
You would add IP addresses to a custom whitelist to ensure that local hosts can communicate with a given IP address. On Security Intelligence devices, whitelists can be used to override blacklisted IP addresses. Whitelists can thus be used to enable communication with legitimate IP addresses that are listed on third-party feeds or other blacklists that might be too broadly defined. From an administrative overhead standpoint, you should first validate the feed, then implement the feed, and finally add IP addresses or networks to the whitelist as necessary.
You would configure a custom blacklist to manually control which networks are blocked by the IPS. Security Intelligence devices allow the creation of custom blacklists so that you can manually block specific IP addresses or networks.
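The decision order described above (whitelist overrides blacklist, blacklist entries enforced only in their security zones, monitor-only entries logged but not blocked) as an added illustrative model in Python; this is not Cisco's code or API, and the feed entries, zone names and addresses (documentation ranges) are constructed for the example.

```python
import ipaddress

# Constructed sample policy. BLACKLIST maps a network to the set of security
# zones that enforce it; None means the entry is enforced in every zone.
BLACKLIST = {
    "203.0.113.0/24": {"email"},  # mail-sender feed, enforced only in the email zone
    "198.51.100.0/24": None,      # third-party feed, enforced in all zones
    "192.0.2.0/24": None,         # new feed still being validated
}
WHITELIST = {"198.51.100.7/32"}   # legitimate host caught by a broad feed entry
MONITOR_ONLY = {"192.0.2.0/24"}   # matches are logged, traffic is still analyzed


def evaluate(src_ip, zone, log):
    """Return 'allow' or 'block' for a packet from src_ip seen in zone.
    A log line is appended for every blacklist match, blocked or monitored."""
    ip = ipaddress.ip_address(src_ip)
    # A whitelist entry overrides every blacklist entry.
    if any(ip in ipaddress.ip_network(net) for net in WHITELIST):
        return "allow"
    for net, zones in BLACKLIST.items():
        if ip not in ipaddress.ip_network(net):
            continue
        if zones is not None and zone not in zones:
            continue  # entry not enforced in this zone: no match, no log
        if net in MONITOR_ONLY:
            log.append(f"monitor src={src_ip} zone={zone} feed={net}")
            return "allow"  # traffic continues to normal inspection
        log.append(f"block src={src_ip} zone={zone} feed={net}")
        return "block"
    return "allow"


def run_sample():
    """Evaluate a few constructed packets; returns (verdicts, log)."""
    log = []
    packets = [
        ("203.0.113.5", "email"),  # blacklisted sender in the zone that enforces it
        ("203.0.113.5", "web"),    # same sender, this zone does not enforce the entry
        ("198.51.100.7", "web"),   # whitelisted host overrides the feed
        ("198.51.100.8", "web"),   # neighbour on the same feed is blocked
        ("192.0.2.9", "web"),      # monitor-only feed: logged but allowed
    ]
    verdicts = [evaluate(ip, zone, log) for ip, zone in packets]
    return verdicts, log
```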