topic Re: Vulnerability assessment question in General Topics

Vulnerability assessment question

rivkin — Fri, 05 Jun 2015 21:20:58 GMT

We're having a vulnerability assessment done, and want to make sure that the IDS/IPS part doesn't disable all attempts from the vendors IP addresses, just the application blocking/service blocking.

Can I whitelist the 4 IP addresses and put them in a policy saying that for these addresses, do everything normally besides shutdown all communications from these addresses?

Re: Vulnerability assessment question

pulukas — Sat, 06 Jun 2015 12:51:01 GMT

I'm not sure I understand your question. But I think you want to have the vendor scanner addresses on the internet untrust zone have access to your network and turn off the layer 4-7 inspection profiles for these devices but have all the normal application or port access remain the same.

If this is correct, you need to essentially duplicate ALL your untrust to trust policies with the copy having the scanner addresses as the source and removing the profiles but leaving everything else the same. This needs to the the first of the two rules.

Re: Vulnerability assessment question

rivkin — Mon, 08 Jun 2015 14:07:34 GMT

Yes, taht's exactly what I meant. Helpful, but not fun. 😉

So, basically make a rule that encompasses all of my untrust to dmz policies, but turn off the profiles?

Thank you!

Re: Vulnerability assessment question

BenjAudy.MTL — Mon, 08 Jun 2015 14:30:02 GMT

Personally, I would rather do an assessment with the regular security profiles, or else the results won't be realistic. The only thing I would do is add exemptions to the vulnerability protection exceptions where I block the source IP.

I guess it depends on what you want to achieve.

Benjamin

Re: Vulnerability assessment question

rivkin — Mon, 08 Jun 2015 14:32:26 GMT

@baudy - How do I do that?

Re: Vulnerability assessment question

BenjAudy.MTL — Mon, 08 Jun 2015 15:00:25 GMT

Oops, I just checked and the IP Address Exemptions list is to restrict the exemption I configured to a particular set of addresses. In your case, you would want to specify a set of addresses where the exception would NOT apply. I guess the only way is to do like Steven said, but like I said I'm not sure I would turn off all the security profiles or else it won't be realistic.

Re: Vulnerability assessment question

HITSSEC — Mon, 08 Jun 2015 16:18:53 GMT

We started with the standard policies / vulnerability profiles to see how effective the current state is. If your IPS is set to deliver a Block-IP response they the test may be a short one. We then created a rule above the standard rule that handles the traffic to white list the tester with a profile that was alert only. This way you get to see how effective your policies are and the tester gets to test the underlying servers to see how effectively you have them patched and configured.

Regards,

Phil

Re: Vulnerability assessment question

rivkin — Mon, 08 Jun 2015 16:25:56 GMT

@phil So, the only thing in the whitelist policy is a different profile, and a source (specified addresses)? Otherwise any/any?

thanks!

Rich

Re: Vulnerability assessment question

HITSSEC — Mon, 08 Jun 2015 16:35:43 GMT

Rich,

Yes if you trust your tester, otherwise limit the rule to the apps and/or ports in the original rule.

Phil

Re: Vulnerability assessment question

rivkin — Mon, 08 Jun 2015 18:20:36 GMT

That's a lot of apps and ports...

I'll run this by the sec analyst.

Thanks!

Rich

Re: Vulnerability assessment question

pulukas — Mon, 08 Jun 2015 22:50:43 GMT

Just to add to what Phil is saying about trusting your tester. make sure that if you do create these wide open access for his scanner that the report format he generates will not be "punishing" you for having lots of exposed and open systems. When we open firewall rules for full access to the scanner some of these automated reports that go to management will make it look like your systems are far more exposed to internet threats than they actually are.

But at the same time allowing the scanner automatically past all the defenses will give your server admins a good solid list of all the missing patches on their systems that would be hidden by the firewall protection.

It all depends on what your goal for the test is. Do you want to see your true exposure to internet threats?

Or do you want a full list of all possible vulnerabilities that need to be remediated?

Re: Vulnerability assessment question

HITSSEC — Tue, 09 Jun 2015 02:21:52 GMT

Steve,

We generally wait for the tester to cry "Uncle" as our IPS has a block IP response action for many of the threat signatures. If they are paying attention, they will notice a lack of responses and get in touch with their contact. If they just run the script then the will have very little to report on. If they are professional they will report on their success with the IPS enabled and also report on the vulnerabilities on the underlying server (without IPS protection). That way you get two useful reports.

Phil

Re: Vulnerability assessment question

rivkin — Tue, 09 Jun 2015 13:48:49 GMT

Since the PAN was new last year, and they didn't ask for us to disable, and we got a genuine report, going to leave it alone. If they flag it, we'll worry about it. We alos have ingress rules with our ISP, so our web servers only talk what we want, even without the PAN.

Part of the assessment is a direct scan of the servers internally, so if we have vulnerabilities, that should get it.

Thanks everyone!

Rich