
Guidelines for using Pre-defined IPS policies

I'm wondering how the modifiable IPS policies relate to the non-modifiable policies and what the recommendations are for using them. The first six seem clear enough (DMZ TO LAN, LAN TO WAN, etc.), assuming you have these standard zones set up, and I assume the policies have been written to perform security according to average traffic patterns between these zones.

However there is not much in the way of description or documentation for the other pre-defined policies: "generalpolicy", "lantowan strict policy", "lantowan general policy", and "dmzpolicy". What is the "general" policy? How do the "lantowan" policies compare to the basic "LAN to WAN" policy? And is the "dmzpolicy" like a "DMZ TO ANY" or something else? I'm assuming the lantowan "strict" simply looks for more signatures than the "general", but I'm wondering which of these is equivalent or closer to "LAN TO WAN" or what the other differences might be.

Also, what is the recommendation for troubleshooting and tweaking IPS behavior with respect to false positives? I'm most concerned with LAN-WAN traffic, which is almost exclusively initiated by LAN users, and so I assume the various lan-to-wan policies are the appropriate policies to use. However they seem to overperform by causing legitimate traffic to be prohibited and users to receive HTTP errors. I notice this especially when communicating with servers in Amazon EC2. Is the solution to try using a modifiable lan-to-wan policy, monitor the IPS log for false positives, and then tweak the policy to disable those signature checks? Do the logs report sufficiently verbose information to do this kind of tuning?



  • I looked at my IPS rules last night for the first time.  When I created my firewall policies initially, I used the standard IPS profiles, matching the to->from zone names to use the appropriate filter.

    So then I started thinking about all those rules.  My first step last night was to create new IPS policies for each type of business policy (read: port forwarding) in place, based on what port was open to the internet.  For my SSH business rule, I added any rules related to SSH.  For the rule that exposes my internal Apache web server, I only took the Apache rules.  Basically, create a new policy for each business rule that exposes ports to the internet; then, when you add rules, use the search (you need to hit "Select Individual Signature" to get the search box open) to find rules that apply to your ports.  You can also use the filters on the right to help find what you need.  For instance, do you have WebAdmin exposed?  Then search for webadmin, and you will find there is a rule that you can add to your policy.

    For the outgoing traffic, I only added IPS policies to rules that originate from users.  I didn't bother with rules that allow my servers to go to the internet since there is a low chance they will have issues.  For the users I simply used the default LAN to WAN policy.

    If you do that basic step, you will streamline your IPS policies.  As best I can tell, there are 2900 server rules and 4577 client rules.  You don't need to run all those rules on a firewall rule if that rule only exposes one specific service.

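The two things this thread circles around, scoping each port-forwarding rule's IPS policy to the service it actually exposes and then tuning out false positives from the IPS log, can be modelled in a few lines. The script below is an added example, not code from the thread or from the firewall vendor: the signature catalogue, the "business" rules, the internal and trusted address ranges and the key=value log format are all constructed for illustration and do not reflect the real product's signature IDs or log syntax. It builds a per-rule signature list the way the reply describes (server-side signatures whose service tag matches what the rule exposes), and it counts which signatures keep dropping LAN-initiated traffic to destinations you already trust, which is the list you would review before disabling anything in a modifiable lan-to-wan policy.

```python
"""Scope IPS signature sets to each exposed service, then triage IPS drops.

Constructed example. SIGNATURES, EXPOSED_RULES, SAMPLE_LOG and the address
ranges below are made up for illustration; they are not the vendor's data.
"""
from collections import Counter
import ipaddress
import re

# Constructed signature catalogue: (id, direction, service tags, name).
# "server" signatures watch traffic towards something you expose;
# "client" signatures watch replies to user-initiated (LAN-to-WAN) traffic.
SIGNATURES = [
    (1001, "server", {"ssh"}, "SSH brute-force attempt"),
    (1002, "server", {"ssh"}, "SSH protocol anomaly"),
    (2001, "server", {"http", "apache"}, "Apache module overflow"),
    (2002, "server", {"http"}, "HTTP directory traversal"),
    (2003, "server", {"http", "webadmin"}, "WebAdmin login probe"),
    (3001, "server", {"smtp"}, "SMTP open-relay probe"),
    (4001, "client", {"http"}, "Browser exploit kit landing page"),
    (4002, "client", {"dns"}, "DNS response spoofing"),
]

# Constructed port-forwarding ("business") rules: rule name -> tags it exposes.
EXPOSED_RULES = {
    "Allow SSH inbound": {"ssh"},
    "Allow Apache web inbound": {"http", "apache"},
}


def build_policy(exposed_tags, signatures=SIGNATURES):
    """Signature ids to enable for a rule that exposes only `exposed_tags`.

    Only server-side signatures apply to an inbound port forward; client-side
    ones belong to the policy on user-initiated outbound rules.
    """
    wanted = set(exposed_tags)
    return sorted(sid for sid, direction, tags, _name in signatures
                  if direction == "server" and tags & wanted)


def policies_for_rules(rules=EXPOSED_RULES):
    """One scoped IPS policy per exposing firewall rule."""
    return {name: build_policy(tags) for name, tags in rules.items()}


# Constructed IPS log lines in a hypothetical key=value layout.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ips action=drop sid=4001 src=10.0.0.12 dst=52.1.2.3 dport=443 msg="Browser exploit kit landing page"
2024-03-01T10:00:05 ips action=drop sid=4001 src=10.0.0.15 dst=52.1.2.3 dport=443 msg="Browser exploit kit landing page"
2024-03-01T10:01:10 ips action=drop sid=4001 src=10.0.0.12 dst=52.1.2.4 dport=443 msg="Browser exploit kit landing page"
2024-03-01T10:02:00 ips action=drop sid=1001 src=203.0.113.9 dst=10.0.0.1 dport=22 msg="SSH brute-force attempt"
"""

LOG_LINE = re.compile(
    r"action=(?P<action>\S+)\s+sid=(?P<sid>\d+)\s+src=(?P<src>\S+)"
    r"\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_log(text):
    """Parse the constructed log format into event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        events.append({
            "action": m["action"],
            "sid": int(m["sid"]),
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        })
    return events


def false_positive_candidates(events, internal="10.0.0.0/8", trusted_dsts=(), min_hits=2):
    """Signatures that repeatedly drop LAN-initiated traffic to trusted destinations.

    Returns {sid: drop count}. Treating a destination as trusted (e.g. your own
    hosts in a cloud provider) is an assumption the operator makes, not something
    the log proves; review each candidate before disabling it in the policy.
    """
    internal_net = ipaddress.ip_network(internal)
    trusted = [ipaddress.ip_network(n) for n in trusted_dsts]
    hits = Counter(
        e["sid"] for e in events
        if e["action"] == "drop" and e["src"] in internal_net
        and any(e["dst"] in net for net in trusted))
    return {sid: n for sid, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for rule, sids in policies_for_rules().items():
        print(f"{rule}: {sids}")
    # Constructed trusted range standing in for "our servers in the cloud".
    print(false_positive_candidates(parse_log(SAMPLE_LOG), trusted_dsts=["52.1.2.0/24"]))
```

The scoping step is what the reply calls "streamlining": each inbound rule carries only the handful of server-side signatures for its service instead of the full catalogue. The triage step answers the question's tuning concern in the only defensible way: it never disables anything automatically, it just surfaces the signature ids whose drops cluster on internal-to-trusted flows, so you can look at each one in the log before switching it off in a modifiable policy. Whether the real product's log carries the signature id and both endpoints per event, which this check depends on, is something to confirm against its documentation.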