04-21-2009 07:50 AM
I have a Trust to Untrust policy that deals with HTTP traffic. I have enabled Web Filtering on this.
What are the best practices for the Deep Inspection config on this outgoing HTTP policy? Do I just add the attack groups belonging to "HTTP" traffic regardless of the critical/high/medium/low status? Are there any other recommended attack groups to add?
Thanks for any responses.
04-21-2009 10:07 AM
Why do you need to set DI from trust to untrust? Usually security teams don't block attacks for outgoing traffic; they just set web filtering for internet usage. However, the best practice is that you can set a policy for your web server or FTP server, SMTP, etc. from untrust to DMZ, and you can enable logging of detected attacks first and after that you can make the action drop.
However, this is just my opinion.
04-22-2009 12:45 AM
Thanks for the reply.
I only have 3 incoming policies. One is for SMTP mail via a VIP, one is an incoming dial-up user VPN and the other is an incoming VPN from our head office in Germany.
Should I really only use DI on the incoming SMTP policy, and not for any outgoing policies?
04-22-2009 07:50 AM
You can implement DI for outgoing traffic, but it is not important for you to monitor all outgoing traffic. I advise you to monitor and protect your DMZ services.
Hope this helps you.
04-26-2009 12:24 PM
I usually turn on everything reasonable in DI. Since the number of usable groups is limited, I completely discard those not needed in my network. Since I don't have FTP, I skip all those concerning FTP.
It is wise to enable as much as possible, since it does not only protect you from incoming attacks, but also indicates if an occasionally infected trusted-zone PC is trying to send out malicious content!
During the first days to weeks of deployment, watch the results: you will have false positives. As for me, these were mostly HTTP-SQL patterns, since it is very easy to have words like "insert", "drop" etc. in HTTP transactions. If you are not running an SQL server, you may turn off these separate items too.
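An added example (not code from any poster or from Juniper) of the log-first tuning step the last two replies describe: a small Python triage of Deep Inspection hits recorded while the action was still "log", grouped by attack group, to flag groups for services the network doesn't run (FTP here) and keyword-style groups such as HTTP:SQL that many internal hosts trip at once. The log layout, group names and signature names are constructed and hypothetical, not ScreenOS's real log format.

```python
import re
from collections import defaultdict

# Constructed sample of hits from the log-only phase of a DI policy
# (hypothetical layout, not ScreenOS's real syslog format).
SAMPLE_LOG = """\
2009-04-23 10:01:02 policy=5 src=10.1.1.20 dst=203.0.113.5 group=HTTP:SQL sig=SQL_INSERT_KEYWORD
2009-04-23 10:01:09 policy=5 src=10.1.1.21 dst=203.0.113.9 group=HTTP:SQL sig=SQL_DROP_KEYWORD
2009-04-23 10:02:15 policy=5 src=10.1.1.22 dst=203.0.113.7 group=HTTP:SQL sig=SQL_INSERT_KEYWORD
2009-04-23 10:03:40 policy=5 src=10.1.1.23 dst=203.0.113.5 group=HTTP:SQL sig=SQL_INSERT_KEYWORD
2009-04-23 10:05:00 policy=7 src=198.51.100.8 dst=10.2.0.5 group=SMTP:OVERFLOW sig=SMTP_LONG_HELO
2009-04-23 10:07:31 policy=5 src=10.1.1.20 dst=198.51.100.44 group=FTP:COMMAND sig=FTP_SITE_EXEC
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) policy=(?P<policy>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"group=(?P<group>\S+) sig=(?P<sig>\S+)$"
)

def parse_di_log(text):
    """Parse the constructed log into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def triage(events, services_in_use, fp_min_sources=3):
    """Classify each attack group seen while DI was set to log only.
    'disable': protocol prefix is a service this network does not run.
    'review':  many distinct sources tripped it, the shape of a keyword
               false positive (e.g. HTTP:SQL on ordinary web traffic).
    'drop':    rare hits on a service you do run; ready for action drop.
    """
    by_group = defaultdict(set)
    for e in events:
        by_group[e["group"]].add(e["src"])
    verdicts = {}
    for group, sources in by_group.items():
        proto = group.split(":", 1)[0]
        if proto not in services_in_use:
            verdicts[group] = "disable"
        elif len(sources) >= fp_min_sources:
            verdicts[group] = "review"
        else:
            verdicts[group] = "drop"
    return verdicts

# Usage: triage(parse_di_log(SAMPLE_LOG), {"HTTP", "SMTP"})
```

The thresholds are a starting heuristic; a "review" group should be checked against the actual matched requests before deciding whether to disable it or move it to drop.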