I have a customer who has Threat Prevention, AV and WildFire licenses.
The network is divided into various security zones, like Users, Printers, VoIP, Front-end Servers, Backend Servers; there are around 15 zones.
Now we have the BPA report, and a lot needs to be fixed in terms of App-ID and Service.
The customer wants a kind of matrix, as an industry best practice, showing from which zone to which zone the below needs to be enabled:
Threat Prevention - AV, Anti-Spyware
Do we have any best practice matrix so that once we fix the rulebase to specific zones with App-ID, we know where to enable these security features?
I like to have the following:
URL Filtering: only for outbound web traffic (not inbound or internal).
Threat Prevention - AV, Anti-Spyware: on all policies. If something breaks, add an exception for just that one policy, i.e. an SSH brute force due to a monitoring solution: just create a special policy that ignores that, and only for that traffic.
Malware Analysis: on all policies, same reasoning as above.
SSL Decryption: where practical; external traffic is a must, inbound and internal traffic at your discretion.
In addition to this, use policies that have Applications instead of Services (ports), where applicable. This will help as well, i.e. only DNS application traffic from your internal DNS servers and only to a public DNS server that is secure (such as OpenDNS, Cloudflare, etc.). This will prevent internal clients bypassing your internal DNS and/or exfiltrating data using the DNS protocol.
Hope that helps.
@OtakarKlier Thanks, this will certainly help.
Regarding points such as Threat Prevention and WildFire:
For e.g.: there is a rule from a User zone to a Printer zone. Does it make sense to enable Threat and WildFire?
I mean, doesn't it cause more process utilization? I am just asking from a functionality point of view.
The other points for URL, App-ID and SSL Decryption are understandable.
While yes, it does increase load on the system, I try my best to follow the Zero Trust approach. So yes, I will enable those features for the internal traffic as well. This can indicate a malicious actor on the network attempting to get a foothold somehow. It will also potentially stop lateral movement.
Hope that helps.
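The "matrix" the two answers above describe (Threat Prevention and WildFire on every rule including internal zone pairs, URL Filtering only on outbound web traffic, decryption on outbound, App-ID instead of port-based services, narrowly scoped exceptions for things like a monitoring scanner, and DNS pinned to approved resolvers) can be turned into an automated rulebase check. The script below is an added example written for this thread; it is not code from the thread participants or from Palo Alto Networks. The zone names, the `Rule` shape and the four sample rules are constructed assumptions; a real rulebase would first have to be exported (for example via the XML API) and mapped onto that shape.

```python
"""Audit a PAN-OS-style security rulebase against the zone-to-zone profile
matrix discussed in the thread.  Added example; assumptions are marked."""
from dataclasses import dataclass, field

EXTERNAL_ZONES = {"untrust"}                # assumption: name of the Internet-facing zone
WEB_APPS = {"web-browsing", "ssl", "any"}   # App-IDs treated as "web traffic"
BASE_PROFILES = {"antivirus", "anti-spyware", "vulnerability", "wildfire-analysis"}


@dataclass
class Rule:
    """Minimal view of one security rule (constructed shape, not a PAN-OS export)."""
    name: str
    from_zone: str
    to_zone: str
    application: str = "any"            # "any" or an App-ID such as "dns"
    service: str = "any"                # "application-default", "any" or a port object
    destination: str = "any"
    profiles: set = field(default_factory=set)   # attached security profiles
    decrypt: bool = False               # rule's traffic is matched by a decryption policy
    exception_reason: str = ""          # documented reason a profile is intentionally absent


def direction(rule: Rule) -> str:
    """Classify a zone pair as outbound, inbound, external or internal."""
    src_ext = rule.from_zone in EXTERNAL_ZONES
    dst_ext = rule.to_zone in EXTERNAL_ZONES
    if src_ext and dst_ext:
        return "external"
    if dst_ext:
        return "outbound"
    if src_ext:
        return "inbound"
    return "internal"


def expected_profiles(rule: Rule) -> set:
    """TP/AV/Anti-Spyware/WildFire everywhere; URL Filtering only on outbound web."""
    expected = set(BASE_PROFILES)
    if direction(rule) == "outbound" and rule.application in WEB_APPS:
        expected.add("url-filtering")
    return expected


def audit_rule(rule: Rule):
    """Return (findings, documented_exceptions) for one rule."""
    findings, exceptions = [], []
    d = direction(rule)
    # An exception is only acceptable when the rule is scoped to one specific
    # application ("only for that traffic"), never on a catch-all rule.
    narrow = rule.application != "any"
    for prof in sorted(expected_profiles(rule) - rule.profiles):
        if rule.exception_reason and narrow:
            exceptions.append(f"{rule.name}: {prof} absent by documented exception: {rule.exception_reason}")
        else:
            findings.append(f"{rule.name}: missing {prof} profile ({d} traffic)")
    if "url-filtering" in rule.profiles and "url-filtering" not in expected_profiles(rule):
        findings.append(f"{rule.name}: url-filtering attached to {d} non-web traffic; only needed outbound")
    if d == "outbound" and rule.application in WEB_APPS and not rule.decrypt:
        findings.append(f"{rule.name}: outbound web traffic not covered by a decryption policy")
    if rule.application == "any":
        findings.append(f"{rule.name}: application 'any'; use App-ID instead of a port-based service")
    elif rule.service != "application-default":
        findings.append(f"{rule.name}: App-ID rule should use service application-default")
    if rule.application == "dns" and d == "outbound" and rule.destination == "any":
        findings.append(f"{rule.name}: outbound DNS should be restricted to approved public resolvers")
    return findings, exceptions


def audit_rulebase(rules):
    """Aggregate findings and documented exceptions over a whole rulebase."""
    all_findings, all_exceptions = [], []
    for rule in rules:
        f, e = audit_rule(rule)
        all_findings.extend(f)
        all_exceptions.extend(e)
    return all_findings, all_exceptions


# Constructed sample rulebase (not from any real customer).
SAMPLE_RULES = [
    Rule("users-to-internet", "users", "untrust", "web-browsing", "application-default",
         profiles=BASE_PROFILES | {"url-filtering"}, decrypt=True),
    Rule("users-to-printers", "users", "printers"),          # port-based, no profiles
    Rule("monitor-ssh", "monitoring", "backend-servers", "ssh", "application-default",
         profiles={"antivirus", "wildfire-analysis"},
         exception_reason="monitoring scanner triggers SSH brute-force signature"),
    Rule("dns-out", "dns-servers", "untrust", "dns", "application-default",
         profiles=set(BASE_PROFILES)),
]

if __name__ == "__main__":
    findings, exceptions = audit_rulebase(SAMPLE_RULES)
    print("\n".join(findings))
    print("--- documented exceptions ---")
    print("\n".join(exceptions))
```

Running it against the sample rules flags the catch-all Users-to-Printers rule five times (four missing profiles plus the port-based match), leaves the fully profiled outbound web rule clean, reports the monitoring SSH rule's two missing profiles as documented exceptions rather than findings, and asks for the outbound DNS rule to be pinned to approved resolvers.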