Unorthodox use of vulnerability signatures, data filtering for URL blocking. Please advise.

L0 Member


Ok, so I'd really like to skip the part about why my organization does this and get to the part about what I should be concerned about... :)

Our PA is set up to block many, many URLs using URL Filtering, just as you'd expect any org to do, but there have also been many Data Filtering regex signatures created solely to block URLs as well. Oftentimes the regex expressions are created by someone who wants a URL blocked but only has permissions to create vuln signatures and not URL filters. I don't want to go into the local "reason" for this, but my question for the experts is: what sort of performance impact can this cause? They are also using this style of signature to kill the DNS query for these URLs, so that's as many as two data filtering sigs for each of these URLs that are being blocked via a "work around". If there are, say, a few hundred of these regex signatures that exist simply to block domain names found in HTTP headers, will this cause a hit to PA performance? What about as that list of signatures grows? What other concerns should I have about this method?

I'm pushing my org to stop misusing the data filters this way and to rely solely on the URL filtering function, but let's just say there's a lot of red tape involved. Going into it with some smart information might help my argument.

L4 Transporter

Eric,

Using data or vulnerability signatures allows for a harsh response (block IP) but does not allow you to deliver a response page (telling the user they have been blocked and why). The opposite is true for custom URL categories. We tend to use vulnerability signatures for malware/spyware blocking and also for malicious web requests directed to our public presence. We use custom URL categories for URL blocking. Not sure how you manage the signatures (URL blocking vs. other purposes) and keep them organised.

Phil

L0 Member

Phil,

Thanks for your reply! Yes, I see your points. They fully support my argument to convince my organization to stop using data filtering to block DNS/HTTP requests and instead use URL blocking. We have no special reason to be doing it otherwise, other than the permissions issue I mentioned above, which is a terrible excuse. If anyone else has further input, I'm open to it!

L4 Transporter

You could use your own Dynamic IP Blocklist. Create a file somewhere on a webserver and the PAN Firewall reads the content of this block list every hour, day, week or month. This way the people do not need to access the FW GUI at all, just the block list on your webserver.

L4 Transporter

External block lists are useful for blocking access to or from an IP address; the caveat is that a hosting company may host many websites on one IP address. You may end up blocking more than you really want to. We make use of the Dynamic block lists as it is quick and easy to add entries, especially if you have many values to add (as opposed to creating objects on the firewall).

Phil
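The two replies above describe publishing a block list file on a web server that the firewall fetches on a schedule, and warn that an IP-based list will also take out every other site co-hosted on that address. The script below is an added example of the publishing side of that workflow; it is not code from this thread or from Palo Alto Networks. It takes whatever people paste into a request list (bare domains, full URLs, addresses, CIDRs, host:port strings), normalises each entry, and sorts it into a separate file per list type so that domain names are published as a domain list rather than resolved into IP addresses. The only format assumption is the one the firewall's external dynamic lists use: plain text, one entry per line. The hostname `blocklist.example.internal` and the sample input are constructed for the demo.

```python
"""Build per-type external dynamic list (EDL) files from a raw request list.

Added example for the thread above; not code from the thread or from
Palo Alto Networks. Assumes the firewall fetches plain-text lists (one entry
per line) over HTTP(S) from a web server the team controls. The hostname
'blocklist.example.internal' and the sample entries are constructed.
"""
import ipaddress
import re

# Hostname syntax: labels of 1-63 chars, letters/digits/hyphens, a TLD of
# letters, 253 chars overall. Anything that is not this and not an address
# is rejected rather than silently published.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://")
_HOST_PORT_RE = re.compile(r"(\[.*\]|[^:]+):(\d{1,5})")


def classify(raw):
    """Return ('ip', entry) or ('domain', entry) in normalised form, or None.

    None means either a blank/comment line or an entry that should be
    rejected instead of published.
    """
    s = raw.strip().lower()
    if not s or s.startswith("#"):
        return None
    s = _SCHEME_RE.sub("", s)           # drop http:// etc. if a URL was pasted
    # A bare address or CIDR goes straight to the IP list.
    try:
        net = ipaddress.ip_network(s, strict=False)
        if net.num_addresses > 1:
            return ("ip", str(net))
        return ("ip", str(net.network_address))
    except ValueError:
        pass
    # Otherwise keep only the host part of whatever was pasted: strip the
    # path, then a trailing :port (IPv6 literals arrive in brackets).
    host = s.split("/", 1)[0]
    m = _HOST_PORT_RE.fullmatch(host)
    if m:
        host = m.group(1)
    host = host.strip("[]")
    try:
        return ("ip", str(ipaddress.ip_address(host)))
    except ValueError:
        pass
    if _DOMAIN_RE.match(host):
        return ("domain", host)
    return None


def build_edls(raw_entries):
    """Split raw entries into sorted, de-duplicated 'ip' and 'domain' lists.

    Entries that are neither are returned under 'rejected' so the requester
    can be told why nothing was published for them.
    """
    buckets = {"ip": set(), "domain": set()}
    rejected = []
    for raw in raw_entries:
        stripped = raw.strip()
        result = classify(raw)
        if result is None:
            if stripped and not stripped.startswith("#"):
                rejected.append(stripped)
            continue
        kind, value = result
        buckets[kind].add(value)
    return {
        "ip": sorted(buckets["ip"]),
        "domain": sorted(buckets["domain"]),
        "rejected": rejected,
    }


def render_edl(entries):
    """Plain-text list body: one entry per line, newline-terminated."""
    return "".join(entry + "\n" for entry in entries)


if __name__ == "__main__":
    # Constructed sample standing in for the team's raw request list.
    requests = [
        "# requests collected this week",
        "http://bad.example.com/login",
        "BAD.example.com",
        "https://cdn.example.net:8443/dl",
        "203.0.113.7",
        "198.51.100.0/24",
        "[2001:db8::1]:443",
        "junk!",
    ]
    lists = build_edls(requests)
    for kind in ("ip", "domain"):
        print(f"--- {kind}.txt  (serve as https://blocklist.example.internal/{kind}.txt)")
        print(render_edl(lists[kind]), end="")
    print("rejected:", lists["rejected"])
```

Publishing two files keeps the decision about list type out of the requester's hands: a domain name never becomes an address in the IP list, so the co-hosting caveat does not apply to it, and the `rejected` output gives the requester something to fix instead of a silently dropped entry. Whatever serves the files should require TLS and, ideally, authentication, since anyone who can edit that file can change what the firewall blocks.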
