To ease administrative overhead, you want to add a third party feed to a Security Intelligence device so that the
IP addresses of known malicious hosts are automatically blacklisted. However, you have not determined
whether the feed is valid.
Which of the following are you most likely to do? (Select the best answer.)

A.
Implement the feed, and add IP addresses to a custom whitelist as necessary.

B.
Enforce Security Intelligence filtering by Security Zone.

C.
Configure the monitor-only setting, and examine the logs.

D.
Configure a custom blacklist that contains only malicious IP addresses.

Explanation:
Most likely, you will configure the monitor-only setting and examine the logs if you want to add a thirdparty feed
to a Security Intelligence device but you have not determined whether the feed is valid. Security Intelligence
devices, such as a Cisco Sourcefire Intrusion Prevention System (IPS), are capable of accepting manually
imported lists of network addresses or feeds from third parties. Such devices can block IP addresses or
networks based on their reputation, which mitigates device overhead that comes from having to analyze traffic
from those networks.
The monitor-only setting enables traffic from networks that are listed within a given feed to be analyzed by the
Security Intelligence device but also logs the fact that the given network matches the thirdparty feed. This
enables an administrator to review the logs and the analysis of traffic from networks on the feed to determine
the validity of the feed.
Although you could implement the feed and add IP addresses to a custom whitelist as necessary, doing so
might increase administrative overhead if the feed turns out to be invalid. On Security Intelligence devices,
whitelists can be used to override blacklisted IP addresses. Whitelists can thus be used to enable
communication with legitimate IP addresses that are listed on third-party feeds or other blacklists that might be
too broadly defined. From an administrative overhead standpoint, you are more likely to validate the feed, then
implement the feed, and finally add IP addresses or networks to the whitelist as necessary.
You are less likely to enforce Security Intelligence filtering by Security Zone than configure the monitor only
setting in this scenario, because doing so would neither validate nor invalidate the IP addresses that are
contained on the third-party feed. Enforcing blacklisting by security zone can be used to enhance the
performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that
process the given traffic. For example, the blacklisting of IP addresses that send email traffic could be restricted
to a Security Zone that handles only email traffic.
You are not likely to configure a custom blacklist that contains only malicious IP addresses, because doing sodefeats the purpose of easing administrative overhead in this scenario. Security Intelligence devices allow the
creation of custom blacklists so that you can manually block specific IP addresses or networks. However,
compiling and validating such a list would require more administrative overhead in this scenario than simply
validating a third-party feed prior to implementing it.

Cisco: Blacklisting Using Security Intelligence IP Address Reputation: Choosing a Security Intelligence Strategy