10-19-2010 07:58 AM
Hello,
Does the Vulnerability Protection Profile provide any benefit to inbound traffic from the Internet to servers on the DMZ? Is it more for web protection from users going outbound to browse the web and not so much from outside sources accessing servers? For example, will the Vuln Pro signature block a SQL injection attack against a DMZ server or an Apache vuln exploit attempt? Or would it even provide any protection to the DMZ server for plain HTTP connection attacks? Thanks!
Mike
10-20-2010 05:26 PM
Zone protection is mostly for setting traffic limits and thresholds.
Syn flood:
Alert threshold = X Packets Per Second
Activate threshold = PPS
Action = Random drop or SYN Cookie
ICMP flood
Alert Threshold = PPS
Activate threshold = PPS
UDP and Other IP flood, same as ICMP flood.
It also allows Port scan and IP scan thresholds to stop dropping packets after X scans in Y seconds.
Zone protection does not detect cross-site scripting or SQL injection or any HTTP-based attacks.
Steve Krall
10-21-2010 06:03 AM
I'm actually referring to applying a Vulnerability Protection Profile to, say, inbound http/https traffic to a server on the DMZ. Not Zone Protection. Similar to how we set up a Profile for outbound web browsing. Would that inbound Profile offer any protection inbound to our DMZ server from becoming compromised? Thanks!
Mike
10-21-2010 11:36 AM
I apologize for the misunderstanding.
Yes, adding a vulnerability protection profile to a Security Policy rule that protects a DMZ is a good idea. If you would like to see some of the actual vulnerabilities, do the following.
Click the OBJECTS tab
Click VULNERABILITY PROTECTION on the left edge tree.
Click NEW to create a new profile.
Change the "Rule Type" from "Simple" to "custom".
All of the threats have the following fields associated.
- ID (Palo Alto threat ID)
- Name
- CVE (CVE-year-4digits)
- Host (client or server)
- Category (Overflow, Code-execution, dos, others)
- Severity (low, med, high, critical)
- Action (Alert, reset-client, reset-both)
Steve Krall
10-21-2010 04:30 PM
>Does the Vulnerability Protection Profile provide any benefit to inbound traffic from the Internet to servers on the DMZ? Is it more for web
Yes, we do. I think you are referring to "server-side" attacks. You can look for our protection against server attacks by either searching through signatures in the "threat name" field on a 'custom' vulnerability profile, e.g. you can enter 'apache' and it will show you what Apache-related signatures we have, or to see a list of all server-side signatures, you can filter on host = server.
>protection from users going outbound to browse the web and not so much from outside sources accessing servers. For example will the
These are client-side attacks... coverage for these can be found by filtering on host = client.
>Vuln Pro signature block a SQL injection attack against a DMZ server or an Apache vuln exploit attempt? Or would it even provide any
>protection to the DMZ server for plain HTTP connection attacks? Thanks!
For HTTP connection attacks, a zone protection profile can be used that limits the number of TCP connections.
Let me know if you have further questions,
Thanks,
Sandeep
10-22-2010 08:27 AM
Thank you very much for the information. Very helpful and I will put the protection in place. I should have added this to the initial inquiry. How about AV protection? I would assume adding an AV profile to a DMZ server inbound - would provide no additional benefit (based on how AV scanning acts)?
Cheers,
Mike
10-22-2010 09:42 AM
>Thank you very much for the information. Very helpful and I will put the protection in place. I should have added this to the initial inquiry.
>How about AV protection? I would assume adding an AV profile to a DMZ server inbound - would provide no additional benefit (based on how AV scanning acts)?
>Cheers,
>Mike
It may... if your DMZ servers are allowing file upload or download (e.g., through HTTP, FTP etc.) then having A/V protection would be useful.
Thanks,
Sandeep