Idea to use Palo Alto for IDS replacement


L3 Networker

I have an idea to use the Palo Alto Firewall Vulnerability Protection Profile as an IDS sensor.

Here is the idea; I want to run this by anyone. I also need help to know if this will work.

 

Vulnerability
Vulnerability Protection Profile
Create a Rule
Rule Name: IDS Test
Threat Name: any
Action: Alert
Host Type: ?
Category: brute-force, DOS, scan

Create a zone for user PCs and laptops.

Create a zone for all servers and equipment.

Then assign that profile to these zones.

 

Then use the logging from the Palo Alto to send it to a SIEM, where you can set up an alert to be sent out to the correct people to look into this issue.

 

Questions

If a PC is scanning a bunch of other PCs, will that create an alert? The reason I ask is to see if this will work inside its own zone.
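As an added example (not part of the original post and not Palo Alto code): one way the SIEM side of this idea could turn alert-action threat events into a single notification per offending host. The event field names, zone names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Categories selected in the profile rule described above.
WATCHED = {"brute-force", "dos", "scan"}

def correlate(events, window=60, threshold=3):
    """Raise one alert per (source, category) when, within `window` seconds,
    a source hits `threshold` distinct destinations (scan) or events (others).
    Only traffic that crossed the firewall can appear here at all."""
    recent = defaultdict(deque)          # (src, category) -> (ts, dst) pairs
    alerts, open_keys = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] not in WATCHED:
            continue
        key = (ev["src"], ev["category"])
        q = recent[key]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                  # drop events older than the window
        if ev["category"] == "scan":
            score = len({dst for _, dst in q})
        else:
            score = len(q)
        if score >= threshold and key not in open_keys:
            open_keys.add(key)           # suppress duplicates while active
            alerts.append({"src": ev["src"], "category": ev["category"],
                           "first_seen": q[0][0], "score": score,
                           "zones": (ev["from_zone"], ev["to_zone"])})
        elif score < threshold:
            open_keys.discard(key)
    return alerts

def _ev(ts, src, dst, category):
    # Hypothetical, simplified event record; not the firewall's log format.
    return {"ts": ts, "src": src, "dst": dst, "category": category,
            "from_zone": "users", "to_zone": "servers"}

# Constructed sample events.
SAMPLE_EVENTS = [
    _ev(0, "10.1.1.50", "10.2.0.10", "scan"), _ev(5, "10.1.1.50", "10.2.0.11", "scan"),
    _ev(9, "10.1.1.50", "10.2.0.12", "scan"), _ev(12, "10.1.1.50", "10.2.0.13", "scan"),
    _ev(20, "10.1.1.77", "10.2.0.10", "brute-force"), _ev(200, "10.1.1.77", "10.2.0.10", "brute-force"),
    _ev(30, "10.1.1.60", "10.2.0.10", "scan"), _ev(31, "10.1.1.60", "10.2.0.10", "scan"),
    _ev(32, "10.1.1.60", "10.2.0.10", "scan"), _ev(40, "10.1.1.61", "10.2.0.10", "code-execution"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```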

 

 

18 REPLIES

@AdamCoombs

Traffic between 2 PCs within the same broadcast domain passes only through a pair of layer 2 ports on the switch (if we simplify things a bit).

Options to see this traffic are:

- mirror port (which is not an option in your case),

- inline pair of ports for each host on network (which is not realistic),

- some endpoint client on these PCs (with host IPS functionality)

 

 

Santonic, we already use HIPS on the PCs too.

Well, the best idea so far is to create a zone for PCs so that anything that tries to cross over to any other zone will be caught.

I am still going to look into an IDS system that supports L3 inspection tap.

Thank you all for the help with this.

If anyone knows of a product or service Palo Alto offers like this, please let me know.

You know the source where the scans are coming from? You have designated scanners? Then yeah, put them in a separate network and you will see their traffic and alerts.

I thought the idea was to monitor your network for users which might be doing some unwanted scans.

 

So far I have never heard about the possibility of redirecting mirror traffic to an L3 tap. Nor about such devices.

 

There is another family of devices though, called network taps. Basically you put them in your network on interesting traffic paths and mirror that traffic to some device which can analyze the traffic. Either for troubleshooting or security checks.

Basically a TAP is a 3 port device; 2 ports are inline segment where you direct your traffic through. 3rd port is a port where all that traffic from inline ports is mirrored to. That 3rd port can then be connected to a PA TAP port. Of course these network taps are scaled and sized by throughput, number of ports... etc

 

 

 

You are right, the idea was to monitor the network for users which might be doing some unwanted scans.

So that is why I came up with the idea of different zones with a vulnerability profile.

We are looking into network tap devices; one is from Cisco that works with the ACI program that we will be getting.

Thank you Santonic 
