6-12
Firepower 7000 Series Hardware Installation Guide
Chapter 6 Deploying Firepower Managed Devices
Deployment Options
•
allow all traffic to enter your network, and inspect the traffic with a network discovery policy only
•
allow all traffic to enter your network, and inspect the traffic with intrusion and network discovery
policies
Access control rules further define how traffic is handled by targeted devices, from simple IP address
matching to complex scenarios involving different users, applications, ports, and URLs. For each rule,
you specify a rule action, that is, whether to trust, monitor, block, or inspect matching traffic with an
intrusion or file policy.
Access control can filter traffic based on Security Intelligence data, a feature that allows you to specify
the traffic that can traverse your network, per access control policy, based on the source or destination
IP address. This feature can create a blacklist of disallowed IP addresses whose traffic is blocked and
not inspected.
The sample deployment illustrates common network segments. Deploying your managed devices in each
of these locations serves different purposes. The following sections describe typical location
recommendations:
•
Inside the Firewall, page 6-12
explains how access control functions on traffic that passes through
the firewall.
•
explains how access control within the DMZ can protect outward-facing
servers.
•
On the Internal Network, page 6-14
explains how access control can protect your internal network
from intentional or accidental attack.
•
On the Core Network, page 6-14
explains how an access control policy with strict rules can protect
your critical assets.
•
On a Remote or Mobile Network, page 6-15
explains how access control can monitor and protect
the network from traffic at remote locations or on mobile devices.
Inside the Firewall
Managed devices inside the firewall monitor inbound traffic allowed by the firewall or traffic that passes
the firewall due to misconfiguration. Common network segments include the DMZ, the internal network,
the core, mobile access, and remote networks.
The diagram below illustrates traffic flow through the Firepower System, and provide some details on
the types of inspection performed on that traffic. Note that the system does not inspect fast-pathed or
blacklisted traffic. For traffic handled by an access control rule or default action, flow and inspection
depend on the rule action. Although rule actions are not shown in the diagram for simplicity, the system
does not perform any kind of inspection on trusted or blocked traffic. Additionally, file inspection is not
supported with the default action.