Vulnerability Protection - inbound traffic to DMZ Servers



L4 Transporter

Hello,

Does the Vulnerability Protection Profile provide any benefit to inbound traffic from the Internet to servers on the DMZ? Is it more for web protection from users going outbound to browse the web and not so much from outside sources accessing servers?  For example, will the Vuln Pro signature block a SQL injection attack against a DMZ server or an Apache vuln exploit attempt?  Or would it even provide any protection to the DMZ server for plain HTTP connection attacks?  Thanks!

Mike

6 REPLIES

L3 Networker

Zone protection is mostly for setting traffic limits and thresholds.

Syn flood:

Alert threshold  =  X Packets Per Second

Activate threshold = PPS

Action =  Random drop or SYN Cookie

ICMP flood

Alert Threshold = PPS

Activate threshold = PPS

UDP and Other IP flood, same as ICMP flood.

It also allows Port scan and IP scan thresholds to stop dropping packets after X scans in Y seconds.

Zone protection does not detect cross-site scripting or SQL injection or any HTTP based attacks.

Steve Krall

I'm actually referring to applying a Vulnerability Protection Profile to, say, inbound http/https traffic to a server on the DMZ.  Not Zone Protection.  Similar to how we set up a Profile for outbound web browsing.  Would that inbound Profile offer any protection inbound to our DMZ server from becoming compromised? Thanks!

Mike

I apologize for the misunderstanding.

Yes, adding a vulnerability protection profile to a Security Policy rule that protects a DMZ is a good idea. If you would like to see some of the actual vulnerabilities, do the following.

Click the OBJECTS tab

Click VULNERABILITY PROTECTION on the left edge tree.

Click NEW to create a new profile.

Change the "Rule Type" from "Simple"  to "custom".

All of the threats have the following fields associated.

- ID (Paloalto threat ID)

- Name

- CVE  (CVE-year-4digits)

- Host (client or server)

- Category (Overflow, Code-execution, dos, others)

- Severity  (low, med, high, critical)

- Action (Alert, reset-client, reset-both)

Steve Krall

L0 Member

>Does the Vulnerability Protection Profile provide any benefit to inbound traffic from the Internet to servers on the DMZ? Is it more for web

Yes, we do. I think you are referring to "server-side" attacks. You can look for our protection against server attacks by either searching through signatures in "threat name" field on 'custom' vulnerability profile e.g. you can enter 'apache' and it will show you what apache related signatures we have, or to see a list of all server-side signatures, you can filter on host = server.

>protection from users going outbound to browse the web and not so much from outside sources accessing servers.  For example will the

These are client-side attacks... coverage for these can be found by filtering on host  = client.

>Vuln Pro signature block a SQL injection attack against a DMZ server or an Apache vuln exploit attempt?  Or would it even provide any >protection to the DMZ server for plain HTTP connection attacks?  Thanks!

For HTTP connection attacks, a zone protection profile can be used that limits the number of TCP connections.

Let me know if you have further questions,

Thanks,
Sandeep
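Steve's field list and Sandeep's "filter on host = server / threat name" advice describe how a custom profile rule selects signatures and assigns an action. The following is an added illustration, not code from Palo Alto Networks or from anyone in this thread: it models those fields in Python and evaluates a constructed inbound-DMZ profile against constructed sample signatures (all IDs, names, CVEs and categories are placeholders, and top-down first-match evaluation is an assumption made here).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    # Fields named in the thread; all sample values below are constructed.
    threat_id: str   # placeholder, not a real PAN threat ID
    name: str
    cve: str         # placeholder, not a real CVE
    host: str        # "server" or "client"
    category: str
    severity: str

@dataclass(frozen=True)
class Rule:
    # One "custom" profile rule; "any" leaves that field unconstrained.
    name: str
    action: str
    host: str = "any"
    severities: tuple = ("any",)
    category: str = "any"
    threat_name: str = "any"   # substring match, like the GUI threat-name search

def rule_matches(rule: Rule, sig: Signature) -> bool:
    if rule.host != "any" and rule.host != sig.host:
        return False
    if "any" not in rule.severities and sig.severity not in rule.severities:
        return False
    if rule.category != "any" and rule.category != sig.category:
        return False
    if rule.threat_name != "any" and rule.threat_name.lower() not in sig.name.lower():
        return False
    return True

def evaluate(rules, sig: Signature, default: str = "default") -> str:
    # Assumption: rules are evaluated top-down and the first match decides the action.
    for rule in rules:
        if rule_matches(rule, sig):
            return rule.action
    return default

def coverage(rules, sigs) -> dict:
    # Map each signature ID to the action the profile would take on it.
    return {s.threat_id: evaluate(rules, s) for s in sigs}

# Constructed sample signatures: two server-side (what an Internet -> DMZ rule
# needs), one client-side (only relevant to outbound browsing).
SIGNATURES = [
    Signature("T-1001", "Apache HTTP Server Example Overflow", "CVE-0000-0001", "server", "overflow", "critical"),
    Signature("T-1002", "Generic SQL Injection Attempt", "CVE-0000-0002", "server", "code-execution", "high"),
    Signature("T-1003", "Example Browser Memory Corruption", "CVE-0000-0003", "client", "code-execution", "critical"),
]

# Constructed profile for the inbound DMZ rule: reset server-side critical/high,
# alert on everything else so gaps are visible in the threat log.
DMZ_INBOUND_RULES = [
    Rule("block-server-side", "reset-both", host="server", severities=("critical", "high")),
    Rule("alert-everything-else", "alert"),
]
```

Running `coverage(DMZ_INBOUND_RULES, SIGNATURES)` shows the two server-side signatures getting reset-both while the client-side one only alerts, which is the check to make before trusting an inbound profile cloned from an outbound-browsing one.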

Thank you very much for the information.  Very helpful and I will put the protection in place.  I should have added this to the initial inquiry.  How about AV protection? I would assume adding an AV profile to a DMZ server inbound - would provide no additional benefit (based on how AV scanning acts)?


Cheers,

Mike

>Thank you very much for the information.  Very helpful and I will put the protection in place.  I should have added this to the initial inquiry. How about AV protection? I would assume adding an AV profile to a DMZ server inbound - would provide no additional benefit (based on how AV scanning acts)?
>
>Cheers,
>
>Mike

It may... if your DMZ servers are allowing file upload or download (e.g., through HTTP, FTP etc.) then having A/V protection would be useful.

Thanks,
Sandeep
