Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Morten_Olesen1
Explorer

Threat Prevention Ruleset design

Hi,

I have discussed the following with my colleagues, and I just want to hear your opinion on this.

If a customer wants to run IPS, AV and ABOT, how is the optimal design of the TP-rulebase. IPS is only for protection of the customers public accessable servers.

 

If I use Protected Scope, it protects the defined net/group, no matter if the net/group is source or destination of the traffic.

Threat Prevention inspects traffic to and/or from all objects specified in the Protected Scope, even when the specified object did not open the connection. This is an important difference from the Source object in Firewall rules, which defines the object that opens a connection.

 

So my first thought is, that protected scope must be all internal networks (eg. RFC1918).

Hereby all the internal hosts are protected, no matter if it's trafic send to them or originating from them.

Will the public accessible servers be protected, since they are having a non-RFC1918-NAT-address?

This will however also enable TP when 2 internal on each DMZ communicates. When having a lot of DMZs, this will generate a lot of TP-detections (IPS).

 

Then I could use RFC1918 as source instead, but this will not protect my hosts from attacks from the Internet, so this it not good.

 

Then I could use RFC1918 as destination. This will still generate quite a lot of IPS-alarms (internal to internal), and again, will it protect my machines from the Internet? An attacker on the Internet generates traffic towards my servers public ip, this will not be covers by this.. or? And this would probably also make AV and ABOT useless, since it only want to use these 2 blades on trafic to the Internet.

 

Then I could use ‘Internet’/InternetZone as protected scope, which initially makes no sense (why protect the Internet!), but if I think about it, it might make sense. This will protect all my clients, when traffic is initiated from the Internet, and protect the Internet, if one of my clients tries something that TP/IPS detects. What if I don't want to protect the Internet from me?

 

So is 'Protected Scope' actually usefull?

 

Would the best be to split it into 2 rules.

1) from Internet to ANY with IPS

2) From Any to Internet with AV and ABOT?

or?

 

What is the recommended/best practice regarding Threat Prevention rules and source/destination/protected scope.

 

0 Kudos
1 Reply
G_W_Albrecht
Legend
Legend

0 Kudos