Vulnerability assessment question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Vulnerability assessment question

L1 Bithead

We're having a vulnerability assessment done, and want to make sure that the IDS/IPS part doesn't disable all attempts from the vendors IP addresses, just the application blocking/service blocking.

Can I whitelist the 4 IP addresses and put them in a policy saying that for these addresses, do everything normally besides shutdown all communications from these addresses?

1 accepted solution

Accepted Solutions

L4 Transporter

We started with the standard policies / vulnerability profiles to see how effective the current state is.  If your IPS is set to deliver a Block-IP response they the test may be a short one.  We then created a rule above the standard rule that handles the traffic to white list the tester with a profile that was alert only.  This way you get to see how effective your policies are and the tester gets to test the underlying servers to see how effectively you have them patched and configured.

Regards,

Phil

View solution in original post

12 REPLIES 12

L7 Applicator

I'm not sure I understand your question.  But I think you want to have the vendor scanner addresses on the internet untrust zone have access to your network and turn off the layer 4-7 inspection profiles for these devices but have all the normal application or port access remain the same.

If this is correct, you need to essentially duplicate ALL your untrust to trust policies with the copy having the scanner addresses as the source and removing the profiles but leaving everything else the same.  This needs to the the first of the two rules.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Yes, taht's exactly what I meant.  Helpful, but not fun. 😉

So, basically make a rule that encompasses all of my untrust to dmz policies, but turn off the profiles?

Thank you!

L4 Transporter

Personally, I would rather do an assessment with the regular security profiles, or else the results won't be realistic. The only thing I would do is add exemptions to the vulnerability protection exceptions where I block the source IP.

I guess it depends on what you want to achieve.

Benjamin

@baudy - How do I do that?

Oops, I just checked and the IP Address Exemptions list is to restrict the exemption I configured to a particular set of addresses. In your case, you would want to specify a set of addresses where the exception would NOT apply. I guess the only way is to do like Steven said, but like I said I'm not sure I would turn off all the security profiles or else it won't be realistic.

Exemptions.PNG

L4 Transporter

We started with the standard policies / vulnerability profiles to see how effective the current state is.  If your IPS is set to deliver a Block-IP response they the test may be a short one.  We then created a rule above the standard rule that handles the traffic to white list the tester with a profile that was alert only.  This way you get to see how effective your policies are and the tester gets to test the underlying servers to see how effectively you have them patched and configured.

Regards,

Phil

@phil So, the only thing in the whitelist policy is a different profile, and a source (specified addresses)?  Otherwise any/any?

thanks!

Rich

Rich,

Yes if you trust your tester, otherwise limit the rule to the apps and/or ports in the original rule.

Phil

That's a lot of apps and ports...Smiley Happy

I'll run this by the sec analyst.         

Thanks!

Rich

Just to add to what Phil is saying about trusting your tester.  make sure that if you do create these wide open access for his scanner that the report format he generates will not be "punishing" you for having lots of exposed and open systems.  When we open firewall rules for full access to the scanner some of these automated reports that go to management will make it look like your systems are far more exposed to internet threats than they actually are.

But at the same time allowing the scanner automatically past all the defenses will give your server admins a good solid list of all the missing patches on their systems that would be hidden by the firewall protection.

It all depends on what your goal for the test is.  Do you want to see your true exposure to internet threats?

Or do you want a full list of all possible vulnerabilities that need to be remediated?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Steve,

We generally wait for the tester to cry "Uncle" as our IPS has a block IP response action for many of the threat signatures.  If they are paying attention, they will notice a lack of responses and get in touch with their contact.  If they just run the script then the will have very little to report on.  If they are professional they will report on their success with the IPS enabled and also report on the vulnerabilities on the underlying server (without IPS protection).  That way you get two useful reports.

Phil

L1 Bithead

Since the PAN was new last year, and they didn't ask for us to disable, and we got a genuine report, going to leave it alone.  If they flag it, we'll worry about it. We alos have ingress rules with our ISP, so our web servers only talk what we want, even without the PAN.

Part of the assessment is a direct scan of the servers internally, so if we have vulnerabilities, that should get it.

Thanks everyone!

Rich

  • 1 accepted solution
  • 6032 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!