06-05-2015 02:20 PM
We're having a vulnerability assessment done, and want to make sure that the IDS/IPS part doesn't disable all attempts from the vendors IP addresses, just the application blocking/service blocking.
Can I whitelist the 4 IP addresses and put them in a policy saying that for these addresses, do everything normally besides shutdown all communications from these addresses?
06-06-2015 05:51 AM
I'm not sure I understand your question. But I think you want to have the vendor scanner addresses on the internet untrust zone have access to your network and turn off the layer 4-7 inspection profiles for these devices but have all the normal application or port access remain the same.
If this is correct, you need to essentially duplicate ALL your untrust to trust policies with the copy having the scanner addresses as the source and removing the profiles but leaving everything else the same. This needs to be the first of the two rules.
06-08-2015 07:07 AM
Yes, that's exactly what I meant. Helpful, but not fun. 😉
So, basically make a rule that encompasses all of my untrust to dmz policies, but turn off the profiles?
Thank you!
06-08-2015 07:30 AM
Personally, I would rather do an assessment with the regular security profiles, or else the results won't be realistic. The only thing I would do is add exemptions to the vulnerability protection exceptions where I block the source IP.
I guess it depends on what you want to achieve.
Benjamin
06-08-2015 07:32 AM
@baudy - How do I do that?
06-08-2015 08:00 AM
Oops, I just checked and the IP Address Exemptions list is to restrict the exemption I configured to a particular set of addresses. In your case, you would want to specify a set of addresses where the exception would NOT apply. I guess the only way is to do like Steven said, but like I said I'm not sure I would turn off all the security profiles or else it won't be realistic.
06-08-2015 09:18 AM
We started with the standard policies / vulnerability profiles to see how effective the current state is. If your IPS is set to deliver a Block-IP response then the test may be a short one. We then created a rule above the standard rule that handles the traffic to whitelist the tester with a profile that was alert only. This way you get to see how effective your policies are and the tester gets to test the underlying servers to see how effectively you have them patched and configured.
Regards,
Phil
06-08-2015 09:25 AM
@phil So, the only thing in the whitelist policy is a different profile, and a source (specified addresses)? Otherwise any/any?
thanks!
Rich
06-08-2015 09:35 AM
Rich,
Yes if you trust your tester, otherwise limit the rule to the apps and/or ports in the original rule.
Phil
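One way to script the approach described above (Steven's duplicate-the-rules method, combined with Phil's alert-only profile and his advice to keep the original apps/ports rather than any/any), as an added example that is not from this thread or from Palo Alto Networks. It models the rulebase in plain Python with a constructed Rule class (not the PAN-OS API), constructed sample rules and tester addresses, and a pre-commit check that each scanner rule sits above its template, matches only the scanner list, and is not wide open.

```python
from dataclasses import dataclass, replace
# Constructed model of a PAN-OS-style security rule; not the vendor's API.
@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: tuple
    destination: tuple
    application: tuple
    service: tuple
    action: str = "allow"
    vuln_profile: str = None  # None = no vulnerability profile attached

def make_scanner_rules(rulebase, scanner_ips, alert_profile="Alert-Only", zones=("untrust", "dmz")):
    """Shadow each allow rule for the zone pair with a scanner-only copy placed above it.
    The copy keeps destination/apps/services and only swaps in the alert-only profile."""
    out = []
    for r in rulebase:
        if (r.from_zone, r.to_zone) == zones and r.action == "allow":
            out.append(replace(r, name=f"scanner-{r.name}", source=tuple(scanner_ips), vuln_profile=alert_profile))
        out.append(r)  # template rule with its normal (block-IP) profile follows the copy
    return out

def check_rulebase(rulebase, scanner_ips):
    """Pre-commit checks on a rulebase; returns a list of problems (empty = OK)."""
    problems = []
    for r in rulebase:
        if not r.name.startswith("scanner-"):
            continue
        tname = r.name[len("scanner-"):]
        t = next((x for x in rulebase if x.name == tname), None)
        # A scanner rule below its template is shadowed by it and never matches.
        if t is None or rulebase.index(t) < rulebase.index(r):
            problems.append(f"{r.name}: not above template {tname}")
        if set(r.source) != set(scanner_ips):
            problems.append(f"{r.name}: source is not exactly the scanner list")
        if t and (r.application, r.service) != (t.application, t.service):
            problems.append(f"{r.name}: apps/services differ from {tname}")
        if r.application == ("any",) and r.service == ("any",):
            problems.append(f"{r.name}: any/any opens everything to the scanner")
    return problems

# Constructed sample: two tester addresses (TEST-NET-3) and a small untrust->dmz rulebase.
SCANNER_IPS = ("203.0.113.10", "203.0.113.11")
ORIGINAL = [
    Rule("web-in", "untrust", "dmz", ("any",), ("web-srv",), ("web-browsing", "ssl"), ("application-default",), vuln_profile="strict-block"),
    Rule("mail-in", "untrust", "dmz", ("any",), ("mx-srv",), ("smtp",), ("application-default",), vuln_profile="strict-block"),
    Rule("deny-all", "untrust", "dmz", ("any",), ("any",), ("any",), ("any",), action="deny"),
]
```

Run `check_rulebase(make_scanner_rules(ORIGINAL, SCANNER_IPS), SCANNER_IPS)` before committing; an empty list means the shadow rules are ordered and scoped as the thread recommends.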
06-08-2015 11:20 AM
That's a lot of apps and ports...
I'll run this by the sec analyst.
Thanks!
Rich
06-08-2015 03:50 PM
Just to add to what Phil is saying about trusting your tester: make sure that if you do create this wide open access for his scanner that the report format he generates will not be "punishing" you for having lots of exposed and open systems. When we open firewall rules for full access to the scanner some of these automated reports that go to management will make it look like your systems are far more exposed to internet threats than they actually are.
But at the same time allowing the scanner automatically past all the defenses will give your server admins a good solid list of all the missing patches on their systems that would be hidden by the firewall protection.
It all depends on what your goal for the test is. Do you want to see your true exposure to internet threats?
Or do you want a full list of all possible vulnerabilities that need to be remediated?
06-08-2015 07:21 PM
Steve,
We generally wait for the tester to cry "Uncle" as our IPS has a block IP response action for many of the threat signatures. If they are paying attention, they will notice a lack of responses and get in touch with their contact. If they just run the script then they will have very little to report on. If they are professional they will report on their success with the IPS enabled and also report on the vulnerabilities on the underlying server (without IPS protection). That way you get two useful reports.
Phil
06-09-2015 06:48 AM
Since the PAN was new last year, and they didn't ask for us to disable, and we got a genuine report, going to leave it alone. If they flag it, we'll worry about it. We also have ingress rules with our ISP, so our web servers only talk what we want, even without the PAN.
Part of the assessment is a direct scan of the servers internally, so if we have vulnerabilities, that should get it.
Thanks everyone!
Rich