Same vulnerability profile for dns and web servers security policies

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Same vulnerability profile for dns and web servers security policies

L3 Networker

Hi

 

I am wondering, firewall does not have the option to make vulnerability protection profiles based on signature categories like vulnerability signatures for dns server and web server and then used them in security policies realted to dns only or web server only.

 

in firewall, I can see I have just only one vulnerability protection profile and use in all polices either its for dns or web server. Is there any performance impact for this?

2 accepted solutions

Accepted Solutions

Hi @faizankhurshid

 

No

 

The packet is handed over to the content scanning engine and it will inspect the packet as efficiently as possible, it uses protocol specific decoders, so if dns is detected it will be inspected by the dns decoder, if http is detected, it will be processed by the http decoder

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

yes, for dns related vulnerabilities

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

Hi @faizankhurshid

 

No

 

The kind of application your profile touches is controlled by the security policy, but the content scanning process is the same for all your sessions. (the presense of a profile sends the packets to the content scanning engine and it will scan the session appropriately)

 

The security profiles control the decission making process (alert, drop, block ip, ...) but not how the applications are scanned

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @reaper

 

Thanks for the reply. Sorry for late for coming back to this discussion. 

 

So you mean, regardless of the application, the session is scanned for all vulerability signatures by content engine? Its not like if application is identified as DNS then only DNS specific sigantures are checked against the session? 

Hi @faizankhurshid

 

No

 

The packet is handed over to the content scanning engine and it will inspect the packet as efficiently as possible, it uses protocol specific decoders, so if dns is detected it will be inspected by the dns decoder, if http is detected, it will be processed by the http decoder

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper thanks 

 

Just last thing, if decoder is identified as DNS then still it will inspect all vulnerability signatures right?

yes, for dns related vulnerabilities

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks 

 

@reaper I also observed for the application unknown-tcp, all vulnerabilities were checked in logs like IIS realted etc

hi @faizankhurshid

 

unknown-tcp does not have a decoder (because it is unknown) so is checked for all vulnerabilities

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2 accepted solutions
  • 2913 Views
  • 7 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!