Vulnerability assessment question


L1 Bithead

We're having a vulnerability assessment done, and want to make sure that the IDS/IPS part doesn't disable all attempts from the vendors IP addresses, just the application blocking/service blocking.

Can I whitelist the 4 IP addresses and put them in a policy saying that for these addresses, do everything normally besides shutdown all communications from these addresses?


L7 Applicator

I'm not sure I understand your question.  But I think you want to have the vendor scanner addresses on the internet untrust zone have access to your network and turn off the layer 4-7 inspection profiles for these devices but have all the normal application or port access remain the same.

If this is correct, you need to essentially duplicate ALL your untrust to trust policies with the copy having the scanner addresses as the source and removing the profiles but leaving everything else the same.  This needs to be the first of the two rules.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Yes, that's exactly what I meant.  Helpful, but not fun. 😉

So, basically make a rule that encompasses all of my untrust to dmz policies, but turn off the profiles?

Thank you!

L4 Transporter

Personally, I would rather do an assessment with the regular security profiles, or else the results won't be realistic. The only thing I would do is add exemptions to the vulnerability protection exceptions where I block the source IP.

I guess it depends on what you want to achieve.

Benjamin

@baudy - How do I do that?

Oops, I just checked and the IP Address Exemptions list is to restrict the exemption I configured to a particular set of addresses. In your case, you would want to specify a set of addresses where the exception would NOT apply. I guess the only way is to do like Steven said, but like I said I'm not sure I would turn off all the security profiles or else it won't be realistic.

[Attachment: Exemptions.PNG]

L4 Transporter

We started with the standard policies / vulnerability profiles to see how effective the current state is.  If your IPS is set to deliver a Block-IP response then the test may be a short one.  We then created a rule above the standard rule that handles the traffic to white list the tester with a profile that was alert only.  This way you get to see how effective your policies are and the tester gets to test the underlying servers to see how effectively you have them patched and configured.

Regards,

Phil

@phil So, the only thing in the whitelist policy is a different profile, and a source (specified addresses)?  Otherwise any/any?

thanks!

Rich

Rich,

Yes if you trust your tester, otherwise limit the rule to the apps and/or ports in the original rule.

Phil
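Phil's approach (a rule placed above the original, limited to the original rule's apps and ports, source narrowed to the tester, alert-only vulnerability profile, other profiles left in place as Benjamin suggested) as an added Python example that is not from this thread or from Palo Alto Networks. It works on a constructed fragment in the PAN-OS security-rulebase XML layout; the rule names, zones, addresses and profile names are assumptions.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample in PAN-OS rulebase XML layout; names/addresses are made up.
RULEBASE_XML = """<rules>
  <entry name="untrust-to-dmz-web">
    <from><member>untrust</member></from><to><member>dmz</member></to>
    <source><member>any</member></source><destination><member>dmz-web</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action><profile-setting><profiles>
      <vulnerability><member>strict-block-ip</member></vulnerability>
      <antivirus><member>default</member></antivirus></profiles></profile-setting>
  </entry>
  <entry name="deny-all"><from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
    <action>deny</action></entry>
</rules>"""

def _child(parent, tag):
    # return parent/<tag>, creating it if absent (an empty Element is falsy, so test None)
    node = parent.find(tag)
    return node if node is not None else ET.SubElement(parent, tag)

def _set_members(parent, tag, members):
    # replace the <member> list under parent/<tag>
    node = _child(parent, tag)
    for child in list(node):
        node.remove(child)
    for m in members:
        ET.SubElement(node, "member").text = m

def add_tester_rules(xml_text, tester_addrs, alert_profile, from_zone, to_zone):
    """Insert an alert-only clone directly above every allow rule from_zone -> to_zone.
    The clone keeps destination/application/service (no wider access than the original),
    narrows source to the tester addresses and swaps only the vulnerability profile.
    Assumption: rules reference individual profiles, not a profile group."""
    root = ET.fromstring(xml_text)
    for entry in root.findall("entry"):
        if (entry.findtext("action") != "allow"
                or from_zone not in [m.text for m in entry.findall("from/member")]
                or to_zone not in [m.text for m in entry.findall("to/member")]):
            continue
        clone = copy.deepcopy(entry)
        clone.set("name", f"vuln-assess-{entry.get('name')}")
        _set_members(clone, "source", tester_addrs)
        profiles = _child(_child(clone, "profile-setting"), "profiles")
        _set_members(profiles, "vulnerability", [alert_profile])
        root.insert(list(root).index(entry), clone)  # sits above the original rule
    return root
```

The returned tree can be serialised with `ET.tostring` and reviewed before any change is pushed to the firewall; the original rules are left untouched.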

That's a lot of apps and ports... :)

I'll run this by the sec analyst.

Thanks!

Rich
