Best Practices query for Security settings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Best Practices query for Security settings

L4 Transporter

Hi ,

 

I have a customer who has Threat prevention , AV, Wildfire ,licesne

 

The Network is divided into various Security Zones - like Users , Printers, Voip , Front end servers , Backend Servers , there are around 15 zones

 

Now we have the BPA report and a lot in terms of APP ID and Service needs to be fixed

 

Customer wants a kind of matrix as a Industry Best Practice about from which zone to which zone below needs to be enabled

URL Filtering

Threat Prevention- AV, Antispyware

Malware Anlysis

SSL Decryption

 

 

Do we have any Best Pratice Matrix so that once we fix the rulebase to specific zones with APP ID , we have to be sure where to enable these security features

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

I like to have the following:

URL filtering: only for outbound web traffic (not inbound or internal)

Threat Prevention- AV, Antispyware:  On all policies, if something breaks, add an exception for just hat one policy, i.e. a ssh brute for due to a monitoring solution, just create a special policy that ignores that and only for that traffic policy)

Malware Anlysis: On all policies, same reasoning as above.

SSL Decryption: Where practical, external traffic is a must, inbound and internal traffic at your discretion. 

 

In addition to this use policies that have Applications instead of Services(ports), where applicable. This will help as well. i.e. only DNS application traffic from your internal DNS servers and only to a public DNS server that is secure (such as OpenDNS, cloudflare, etc.). This will prevent internal clients bypassing your internal DNS and/or exfiltrating data out using the DNS protocol.

 

Hope that helps.

@OtakarKlier  Thanks . this will certainly help

 

Regarding points such as Threat prevention and Wildfire : 

 

For eg : There is a rule from a User zone to Printer zone : Does it make sense to enable Threat and Wildfire .

 

I mean doesnot it cause more process utilization ? I am just asking from functionality point of view .

 

The other points for URL , APP ID and SSL Decryption is understandable .

Hello,

While yes it does increase load on the system, I try my best to follow the Zero Trust approach. So yes I will enable those features for the internal traffic as well. This can indicate a malicious actor on the network attempting to get a foothold somehow. It will also potentially stop lateral movement.

 

Hope that helps.

@OtakarKlier

 

The thing is i have to define the KPI for each of the Security feature ; I have got the BPA report and now

 

what should be the required KPI once we implement all the security features

  • 2258 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!