Which of the following is the best reason to enforce blacklisting by security zone on a Cisco device that uses
the Security Intelligence IP Address Reputation feature? (Select the best answer.)

A.
to streamline performance of the IPS device

B.
to ensure that local hosts can communicate with a given IP address

C.
to validate a blacklist feed that has been obtained from a third party

D.
to manually control which networks are blocked by the IPS

Explanation:
Most likely, you would enforce blacklisting by security zone to streamline performance of the intrusion
prevention system (IPS) device. Enforcing blacklisting by security zone can be used to enhance the
performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that
process the given traffic. For example, the blacklisting of IP addresses that send email traffic could be restricted
to a Security Zone that handles only email traffic.
You would configure the monitoronly setting if you wanted to validate a blacklist feed that has been obtained
from a third party. Security Intelligence devices, such as a Cisco Sourcefire IPS, are capable of accepting
manually imported lists of network addresses or feeds from third parties. Such devices can block IP addresses
or networks based on their reputation, which mitigates device overhead that comes from having to analyze
traffic from those networks. The monitoronly setting enables traffic from networks that are listed within a given
feed to be analyzed by the Security Intelligence device, but also logs the fact that the given network matches
the thirdparty feed. This enables an administrator to review the logs and the analysis of traffic from networks on
the feed to determine the validity of the feed.
You would add IP addresses to a custom whitelist to ensure that local hosts can communicate with a given IP
address. On Security Intelligence devices, whitelists can be used to override blacklisted IP addresses.
Whitelists can thus be used to enable communication with legitimate IP addresses that are listed on thirdparty
feeds or other blacklists that might be too broadly defined. From an administrative overhead standpoint, you
should first validate the feed, then implement the feed, and finally add IP addresses or networks to the whitelist
as necessary.
You would configure a custom blacklist to manually control which networks are blocked by the IPS. Security
Intelligence devices allow the creation of custom blacklists so that you can manually block specific IP
addresses or networks.

Cisco: Blacklisting Using Security Intelligence IP Address Reputation: Choosing a Security Intelligence Strategy