02-23-2017 07:54 AM
I have an idea to use the Palo Alto Firewall Vulnerability Protection Profile as an IDS sensor.
Here is the idea; I want to run this by anyone. I also need help to know if this will work.
Vulnerability Protection Profile
Create a Rule
Rule Name: IDS Test
Threat Name: any
Action: Alert
Host Type: ?
Category: brute-force, DOS, scan
Create a zone for user PCs and laptops.
Create a zone for all servers and equipment.
Then assign that profile to these zones.
Then, using the logging from the Palo Alto, send it to a SIEM where you can set up an alert to be sent out to the correct people to look into the issue.
Questions
If a PC is scanning a bunch of other PCs, will that create an alert? The reason I ask is to see if this will work inside its own zone.
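As an added illustration of the visibility question raised above (this is example code, not from the original thread or from Palo Alto), the script below models a two-zone design like the one proposed: user PCs in one subnet/zone, servers in another. It assumes, hypothetically, that a flow only reaches the firewall when its source and destination sit in different zones (same-subnet traffic stays on the L2 switch), then runs a simple SIEM-style scan correlation (distinct destinations per source within a time window) over the full flow set and over only the flows the firewall would see. The subnets, zone names, thresholds and sample flows are all constructed for the example.

```python
"""Added example (not from the forum thread): which flows a zone-based
firewall sees, and what a SIEM correlation over its alerts can flag.

Assumption (hypothetical, not from the original post): zone membership is
decided by subnet, and a flow reaches the firewall only when source and
destination are in different zones. Same-subnet flows never leave the switch.
"""
import ipaddress
from collections import defaultdict

# Constructed zone map (hypothetical addressing).
ZONES = {
    "users":   ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
}


def zone_of(ip):
    """Return the zone name for an address, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def firewall_sees(src, dst):
    """True only if the flow must cross the zone boundary (different zones)."""
    zs, zd = zone_of(src), zone_of(dst)
    return zs is not None and zd is not None and zs != zd


def visible_flows(flows):
    """Subset of flows that would actually traverse the firewall."""
    return [f for f in flows if firewall_sees(f["src"], f["dst"])]


def scan_sources(events, min_targets=5, window_s=60):
    """SIEM-style correlation: flag a source when it touches at least
    min_targets distinct destinations inside any window_s-second window.
    events: dicts with keys ts (seconds), src, dst. Returns {src: max_targets}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, hits in by_src.items():
        best, start = 0, 0
        for end in range(len(hits)):
            # slide the window start forward until it fits within window_s
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            best = max(best, len({d for _, d in hits[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


# Constructed sample traffic (not real logs).
SAMPLE_FLOWS = (
    # 10.10.0.5 sweeps 20 hosts inside its own user subnet (intra-zone)
    [{"ts": i, "src": "10.10.0.5", "dst": f"10.10.0.{10 + i}"} for i in range(20)]
    # 10.10.0.6 sweeps 10 servers across the zone boundary (inter-zone)
    + [{"ts": i, "src": "10.10.0.6", "dst": f"10.20.0.{10 + i}"} for i in range(10)]
    # 10.10.0.7 is an ordinary user talking to one server
    + [{"ts": t, "src": "10.10.0.7", "dst": "10.20.0.10"} for t in (0, 30, 120)]
)


def analyze(flows, min_targets=5, window_s=60):
    """Compare what full-segment visibility would flag against what a
    SIEM fed only by the firewall's inter-zone alerts can flag."""
    return {
        "full_visibility": scan_sources(flows, min_targets, window_s),
        "firewall_visible": scan_sources(visible_flows(flows), min_targets, window_s),
    }


if __name__ == "__main__":
    for label, hits in analyze(SAMPLE_FLOWS).items():
        print(f"{label}: {hits}")
```

Run as-is: the inter-zone sweeper (10.10.0.6) is flagged in both views, while the intra-zone sweeper (10.10.0.5) is flagged only under full visibility, which is the gap a zone-per-subnet design with an alert-only profile cannot close without a tap or an endpoint sensor.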
03-01-2017 12:08 AM
Traffic between 2 PCs within the same broadcast domain passes only through a pair of layer 2 ports on the switch (if we simplify things a bit).
Options to see this traffic are:
- a mirror port (which is not an option in your case),
- an inline pair of ports for each host on the network (which is not realistic),
- some endpoint client on these PCs (with host IPS functionality).
03-01-2017 07:18 AM
Santonic, we already use HIPS on the PCs too.
Well, the best idea so far is to create a zone for the PCs, so that anything that tries to cross over to any other zone will be caught.
I am still going to look into an IDS system that supports an L3 inspection tap.
Thank you all for the help with this.
If anyone knows of a product or service Palo Alto offers like this, please let me know.
03-02-2017 12:45 AM - edited 03-02-2017 12:46 AM
You know the source where the scans are coming from? You have designated scanners? Then yeah, put them in a separate network and you will see their traffic and alerts.
I thought the idea was to monitor your network for users who might be doing some unwanted scans.
So far I have never heard about the possibility of redirecting mirror traffic to an L3 tap, nor about such devices.
There is another family of devices though, called network taps. Basically you put them in your network on interesting traffic paths and mirror that traffic to some device which can analyze the traffic, either for troubleshooting or security checks.
Basically a TAP is a 3-port device; 2 ports are the inline segment where you direct your traffic through. The 3rd port is where all the traffic from the inline ports is mirrored to. That 3rd port can then be connected to a PA TAP port. Of course these network taps are scaled and sized by throughput, number of ports, etc.
03-03-2017 07:04 AM
You are right, the idea was to monitor the network for users who might be doing some unwanted scans.
So that is why I came up with the idea of different zones with a vulnerability profile.
We are looking into network tap devices; one is from Cisco and works with the ACI program that we will be getting.
Thank you Santonic