MDS vs CMA policies

Sn00pDoug · ‎2020-01-02

Hello Community!

Is there a recommended way to manage multiple domains in terms of where best to apply any policies/objects etc, globally or on the CMA directly. Obviously some objects and access/threat policies will be relevant to single CMAs but its easier/neater to manage globally so its in one place and assign to each domain.

For example I've been doing a lot of IPS exceptions on noisy false positives, which are typically relevant to a particular CMA. Unfortunately doing so requires creating objects on the MDS, essentially duplicating the objects on the CMA just with a different name. Which got me thinking, would it be better to just have all the objects globally? Or perhaps I should just keep my IPS exceptions per CMA? Thanks

Maarten_Sjouw · ‎2020-01-03

There is no simple answer here, the thing is that it depends on how you use the MDS setup. When your environment is a 1 customer multiple security domains / areas, then it could make sense to create a lot of objects globally as they would be used in most of the domains anyway.
When you are a company servicing a lot of different customers, there is only the monitoring and management systems that are common between the domains and should be setup globally.

Hope this answers your question?

Regards, Maarten

Sn00pDoug · ‎2020-01-05

Thanks Maarten,

Its all the same company with different domains for each site. Makes sense, just want to ensure there is no performance/config dependency disadvantages (or other surprises) from managing globally.

Cheers,

Doug

Are you a member of CheckMates?

MDS vs CMA policies