📘CompTIA Security+ (SY0-701)
Filtering, Malware Protection, and Intrusion Policies
This topic focuses on how Cisco security devices protect networks by controlling traffic, identifying applications, blocking malicious content, and detecting attacks.
Most of these features are implemented on next-generation firewalls (NGFW) such as Cisco Firepower, Cisco Secure Firewall, and Firepower Threat Defense (FTD).
1. Network Segmentation
What Is Network Segmentation?
Network segmentation means dividing a network into smaller, isolated parts so that:
- Not all users or devices can communicate with each other
- A security issue in one part does not affect the entire network
Segmentation reduces the attack surface and limits lateral movement of attackers.
Why Segmentation Is Important
- Prevents unauthorized access between network areas
- Limits the spread of malware
- Improves security policy enforcement
- Makes monitoring and troubleshooting easier
Common Segmentation Methods (Exam-Relevant)
1. VLAN-Based Segmentation
- Devices are separated into different VLANs
- Traffic between VLANs must pass through a Layer 3 device or firewall
- Example:
  - VLAN 10: Users
  - VLAN 20: Servers
  - VLAN 30: Management
2. Firewall Zone-Based Segmentation
- Firewalls divide the network into security zones
- Policies control traffic between zones
- Example zones:
  - Inside
  - Outside
  - DMZ
  - Management
3. VRF (Virtual Routing and Forwarding)
- Creates multiple routing tables on the same device
- Traffic in one VRF is isolated from another
- Used in service provider and enterprise networks
4. Microsegmentation (Conceptual)
- Very fine-grained segmentation
- Controls traffic at the workload or application level
- Often combined with identity-based policies
Key Exam Point
👉 Segmentation limits access and reduces the impact of security breaches
2. Access Control Policies (ACP)
What Is an Access Control Policy?
An Access Control Policy (ACP) defines:
- Who can access the network
- What traffic is allowed or denied
- Which security inspections are applied
In Cisco Firepower, ACPs are the main policy framework.
How Access Control Policies Work
Traffic is evaluated using rules, processed top to bottom:
- Match conditions (IP, user, application, URL, zone)
- Apply action (allow, block, trust, monitor)
- Apply security inspection (IPS, malware, URL filtering)
Components of an Access Control Rule
- Source zone
- Destination zone
- Source IP / network
- Destination IP / network
- User or group (identity-based)
- Application
- URL category
- Action (Allow / Block / Trust / Monitor)
- Security policies (IPS, file, malware)
Rule Actions (Very Important for Exam)
| Action | Meaning |
|---|---|
| Allow | Permit traffic with inspection |
| Block | Drop traffic and log |
| Trust | Allow traffic without inspection |
| Monitor | Allow traffic and log only |
Default Action
- Applied when traffic does not match any rule
- Usually set to block
- Critical for security posture
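Added example (not Cisco code) of the top-to-bottom, first-match evaluation described above: a toy Firepower-style Access Control Policy with the four rule actions and a default action. Zone names, networks, the application label and URL categories are constructed for illustration; Monitor is modelled as log-and-continue, which is how Firepower treats it.

```python
# Added example (not Cisco code): a toy first-match evaluator for a
# Firepower-style Access Control Policy. All names and values are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                       # Allow | Block | Trust | Monitor
    src_zone: Optional[str] = None    # None means "any"
    dst_zone: Optional[str] = None
    src_net: Optional[str] = None     # CIDR string
    dst_net: Optional[str] = None
    application: Optional[str] = None
    url_category: Optional[str] = None

    def matches(self, flow: dict) -> bool:
        exact = [(self.src_zone, "src_zone"), (self.dst_zone, "dst_zone"),
                 (self.application, "application"), (self.url_category, "url_category")]
        if any(want is not None and want != flow.get(key) for want, key in exact):
            return False
        nets = [(self.src_net, "src_ip"), (self.dst_net, "dst_ip")]
        return all(want is None or ip_address(flow[key]) in ip_network(want)
                   for want, key in nets)

def evaluate(rules: list, flow: dict, default_action: str = "Block") -> dict:
    """First terminal match wins. Monitor only logs and evaluation continues
    (Firepower behaviour); Allow is inspected, Trust bypasses inspection."""
    monitored = False
    for rule in rules:
        if not rule.matches(flow):
            continue
        if rule.action == "Monitor":
            monitored = True
            continue
        return {"rule": rule.name, "action": rule.action,
                "inspected": rule.action == "Allow", "monitored": monitored}
    return {"rule": "default", "action": default_action,
            "inspected": False, "monitored": monitored}

# Constructed policy. Order matters: the gambling block sits above the web allow.
POLICY = [
    Rule("mgmt-trust", "Trust", src_zone="Management", dst_zone="Inside", src_net="10.30.0.0/24"),
    Rule("watch-social", "Monitor", src_zone="Inside", url_category="Social media"),
    Rule("block-gambling", "Block", src_zone="Inside", url_category="Gambling"),
    Rule("allow-web", "Allow", src_zone="Inside", dst_zone="Outside",
         application="HTTPS"),
]
```

Swapping the order of `block-gambling` and `allow-web` would let gambling sites through, which is the classic ACP ordering mistake.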
3. Application Visibility and Control (AVC)
What Is AVC?
Application Visibility and Control (AVC) allows the firewall to:
- Identify applications regardless of port
- Control applications instead of just IP addresses
Traditional firewalls only look at IP address and port; AVC uses deep packet inspection (DPI) to look at the traffic itself.
Why AVC Is Needed
- Applications use dynamic ports
- Some applications hide inside allowed ports (like TCP 443)
- Port-based rules are no longer enough
How AVC Works
- Uses application signatures
- Identifies applications like:
  - Web browsing
  - File transfer
  - Remote access tools
- Can detect application sub-functions (example: file upload vs download)
What AVC Can Do
- Allow or block specific applications
- Limit risky applications
- Apply different security levels per application
- Improve visibility and reporting
Key Exam Point
👉 AVC identifies applications regardless of port number
4. URL Filtering
What Is URL Filtering?
URL filtering controls access to websites based on:
- Website category
- Reputation
- URL content
This feature is often integrated with Cisco Talos intelligence.
URL Categories
Websites are grouped into categories such as:
- Business
- Education
- Social media
- Gambling
- Malware
- Phishing
- Newly registered domains
How URL Filtering Works
- User requests a website
- Firewall checks URL category
- Policy decision is applied:
  - Allow
  - Block
  - Monitor
  - Warn user
Use Cases in IT Environments
- Block malicious and phishing websites
- Enforce acceptable use policies
- Reduce exposure to web-based attacks
URL Filtering Modes
- Category-based filtering
- Reputation-based filtering
- Dynamic content filtering
Key Exam Point
👉 URL filtering prevents access to malicious and inappropriate web content
5. Malware Protection
What Is Malware Protection?
Malware protection detects and blocks:
- Viruses
- Worms
- Trojans
- Ransomware
- Malicious files
Cisco uses Advanced Malware Protection (AMP).
How Cisco Malware Protection Works
- File inspection using:
  - Hash comparison
  - File reputation
  - Behavioral analysis
- Uses cloud-based intelligence
- Supports retrospective security
File Types Commonly Inspected
- Executables (EXE)
- PDFs
- Office documents
- Archives (ZIP)
Malware Policy Actions
| Action | Description |
|---|---|
| Block | Stop malicious file |
| Detect | Allow but log |
| Malware Cloud Lookup | Check file reputation |
| Retrospective Alert | Alert if file becomes malicious later |
Retrospective Security (Important)
- A file may be unknown today
- Later identified as malicious
- System generates alerts and enables response
Key Exam Point
👉 AMP provides continuous file analysis and retrospective detection
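Added example (not Cisco or AMP code) of the hash lookup, Block/Detect actions and retrospective alerting described in this section: the sensor remembers which host received which file, so when a hash is later reclassified as malicious every exposed host gets a Retrospective Alert. File contents, hashes and hostnames are constructed.

```python
# Added example (not Cisco/AMP code): a toy file-disposition lookup with
# retrospective alerting. File contents, hashes and hostnames are constructed.
import hashlib
from collections import defaultdict

class FileReputationMonitor:
    """Remembers which host received which file (by SHA-256) so that a later
    disposition change can be traced back to every exposed host."""

    def __init__(self, known: dict):
        self.known = dict(known)          # sha256 -> "clean" | "malicious"
        self.seen = defaultdict(set)      # sha256 -> hosts that received it
        self.alerts = []

    @staticmethod
    def sha256(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def inspect(self, data: bytes, host: str, policy: str = "Block") -> str:
        """Return the action for one file transfer to `host`.

        policy="Block" stops known-malicious files; policy="Detect" lets
        them through but logs. Unknown files are allowed and remembered.
        """
        h = self.sha256(data)
        disposition = self.known.get(h, "unknown")   # stand-in for cloud lookup
        if disposition == "malicious" and policy == "Block":
            return "Block"
        self.seen[h].add(host)                       # file reached this host
        return "Detect" if disposition == "malicious" else "Allow"

    def update_disposition(self, sha256: str, new_disposition: str) -> list:
        """New intelligence arrives for a hash; raise a retrospective alert
        for every host that already received the file. Returns new alerts."""
        old = self.known.get(sha256, "unknown")
        self.known[sha256] = new_disposition
        new_alerts = []
        if new_disposition == "malicious" and old != "malicious":
            new_alerts = [{"type": "Retrospective Alert", "host": h, "sha256": sha256}
                          for h in sorted(self.seen.get(sha256, ()))]
            self.alerts.extend(new_alerts)
        return new_alerts
```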
6. Intrusion Policies (IPS)
What Is an Intrusion Prevention System (IPS)?
IPS detects and blocks:
- Network attacks
- Exploits
- Traffic targeting known vulnerabilities
- Reconnaissance attempts
Cisco IPS is based on the Snort engine.
IDS vs IPS (Must Know)
| IDS | IPS |
|---|---|
| Detects only | Detects and blocks |
| Out-of-band | Inline |
| Alerts only | Drops malicious traffic |
How IPS Works
- Uses signatures
- Monitors traffic patterns
- Matches known attack behaviors
Types of IPS Rules
- Exploit detection
- Malware communication detection
- OS and application vulnerability protection
- Protocol abuse detection
IPS Policy Modes
- Balanced Security and Connectivity
- Security Over Connectivity
- Connectivity Over Security
(The exam expects understanding of the trade-off, not memorization of the mode names)
False Positives
- Legitimate traffic mistakenly blocked
- IPS tuning is important
- Rules can be disabled or modified
Key Exam Point
👉 IPS blocks known attacks using signatures and inspection
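Added example (not Cisco or Snort code) tying together the IDS vs IPS table, signature matching and false-positive tuning from this section: the same signatures run out-of-band (alert only) or inline (drop), and a tuning helper finds the rule that fires on legitimate traffic so it can be disabled. Signatures, SIDs and sample payloads are constructed.

```python
# Added example (not Cisco/Snort code): a toy signature engine that shows the
# IDS vs IPS difference (alert-only vs inline drop) and false-positive tuning.
# Signatures, SIDs and sample payloads are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    content: bytes          # byte pattern that must appear in the payload

SIGNATURES = [
    Signature(1000001, "constructed C2 beacon marker", b"EVIL-TOOL-BEACON"),
    Signature(1000002, "constructed scanner user agent", b"SCANNER/1.0"),
    Signature(1000003, "overly broad rule, fires on normal logins", b"admin"),
]

class Sensor:
    """mode='ids': out-of-band, alert only, every packet passes.
    mode='ips': inline, a packet matching any enabled rule is dropped."""

    def __init__(self, signatures, mode: str = "ips", disabled=()):
        self.signatures = signatures
        self.mode = mode
        self.disabled = set(disabled)   # SIDs switched off during tuning

    def inspect(self, payload: bytes) -> dict:
        hits = [s.sid for s in self.signatures
                if s.sid not in self.disabled and s.content in payload]
        verdict = "drop" if hits and self.mode == "ips" else "pass"
        return {"verdict": verdict, "alerts": hits}

def noisy_rules(sensor: Sensor, legitimate_samples) -> set:
    """Tuning aid: SIDs that fire on traffic known to be legitimate, i.e.
    false-positive candidates to disable or tighten."""
    return {sid for sample in legitimate_samples
            for sid in sensor.inspect(sample)["alerts"]}
```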
7. How These Features Work Together
In a real Cisco security deployment:
- Segmentation limits where traffic can go
- Access Control Policies decide allowed traffic
- AVC identifies applications
- URL filtering controls web access
- Malware protection scans files
- IPS blocks attacks
All are applied in a single security policy flow.
Exam-Focused Summary
You must understand:
- Why segmentation is critical for security
- How access control policies work and their actions
- The purpose of AVC and application-based control
- How URL filtering blocks malicious websites
- How malware protection detects and stops malicious files
- The role of IPS and how it differs from IDS
One-Line Memory Aids for Students
- Segmentation = isolate network parts
- ACP = main firewall decision policy
- AVC = control apps, not ports
- URL filtering = control website access
- Malware protection = block malicious files
- IPS = stop attacks in real time
