ScreenOS Firewalls (NOT SRX)
Visitor
JasonBlake7
Posts: 3
Registered: ‎04-21-2009

Recommended Deep Inspection Configuration for outgoing HTTP Policy.

Hi Guys.

 

I have a Trust-to-Untrust policy that deals with HTTP traffic. I have enabled web filtering on this.

What are the best practices for the Deep Inspection config on this outgoing HTTP policy? Do I just add the attack groups belonging to "HTTP" traffic regardless of the critical/high/medium/low status? Are there any other recommended attack groups to add?

Thanks for any responses.

 

 

Super Contributor
mehdi
Posts: 240
Registered: ‎08-19-2008

Re: Recommended Deep Inspection Configuration for outgoing HTTP Policy.

Hello Jason 

 

Why do you need to set DI from Trust to Untrust? Usually security teams don't block attacks for outgoing traffic; they just set a web filter for internet usage. However, as a best practice you can set a policy for your web server, FTP server, SMTP, etc. from Untrust to DMZ, and you can enable logging of detected attacks first and after that set the action to drop.

However, this is just my opinion.

 

     

Kind regards
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
Visitor
JasonBlake7
Posts: 3
Registered: ‎04-21-2009

Re: Recommended Deep Inspection Configuration for outgoing HTTP Policy.

Thanks for the reply.

 

I only have 3 incoming policies. One is for SMTP mail via a VIP. One is an incoming dial-up user VPN, and the other is an incoming VPN from our head office in Germany.

Should I only really use DI on the incoming SMTP policy, and not for any outgoing policies?

 

Super Contributor
mehdi
Posts: 240
Registered: ‎08-19-2008

Re: Recommended Deep Inspection Configuration for outgoing HTTP Policy.

Hi, 

 

You can implement DI on outgoing traffic, but it is not important for you to monitor all outgoing traffic. I advise you to monitor and protect your DMZ services.

Hope this helps you.

 

   

Kind regards
Contributor
Posts: 33
Registered: ‎02-14-2009

Re: Recommended Deep Inspection Configuration for outgoing HTTP Policy.

Hi!

 

I usually turn on everything reasonable in DI. Since the number of usable groups is limited, I usually discard completely those not needed in my network. Since I don't have FTP, I skip all those concerning FTP.

It is wise to enable as much as possible, since it not only protects you from incoming attacks, but also indicates if an occasionally infected trusted-zone PC is trying to send out malicious content!

During some days or weeks of deployment, watch the results: you will have false positives. As for me, these were mostly HTTP-SQL patterns, since it is very easy to have words like "insert", "drop", etc. in HTTP transactions. If you are not running an SQL server, you may turn off these separate items too.

 

Akos 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.