sunhux asked:
Best practice : Block at proxy or perimeter firewall or IPS ?

If I've spotted a number of "suspicious" source IPs (i.e. those that have no legitimate reason to access our servers,
possibly from places like N Korea or Russia) in our firewall & IPS logs, what is usually the best practice?

Block at the proxy server facing the internet, block at the outermost (i.e. perimeter) firewall, block at
our network IPS, or block at the innermost endpoint IPS (i.e. IPS software running inside our servers)?

Q1:
Taking an analogy from traditional warfare, I would attempt to block invaders at the outermost forts rather
than attempting to defend when the invaders have come closer to us, i.e. I'm inclined to block at the outermost
defense, i.e. the proxy & perimeter firewalls. By blocking at the outer defenses, we won't see so many logs
in the inner defenses (i.e. the IPSes). Am I in the right direction?

Q2:
Are proxy servers (e.g. Bluecoat) usually placed at the outermost point, or at the perimeter firewall?

Q3:
I felt inner defenses are more for granular defenses, like certain signatures.

Q4:
Can CDN providers (i.e. those that provide clean pipes) block blacklisted source IPs?
SOLUTION by btan (this solution is only available to members of Experts Exchange)

sunhux (asker) replied:
The reason I raised this was that governance asked me to analyse / go through the IPS logs.
I guess the purpose is to identify illegitimate access attempts, especially from countries
which have the remotest reasons for accessing VMs that are hosted by us.

Robtex, Trendmicro & McAfee's blacklisting sites fail to blacklist many of the source
IPs, but DShield (used by one provider, though I don't know its URL) listed
many of them: the source IPs that made access & triggered our IPS (both network &
endpoint/server) signatures are actually blacklisted by one provider (which
I shall not name here).

However, we can't possibly activate (not even in Detect) all the signatures that are
available, as that is going to slow down the network & our endpoint servers
tremendously, so I'm thinking that after we've blocked those illegitimate source IPs,
we'll see fewer logs & can hopefully replace the signatures that don't trigger
any more (after observing for a couple of months) with new signatures,
possibly rotating signatures around. There could be some malicious
activities which to date have not been detected, as we load only about
a quarter of all available IPS signatures (loading too many will hog the
network & endpoint servers).
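The triage the asker describes (tally IPS hits per source, check sources against a reputation list, then see which signatures would still fire once the listed sources are blocked at the perimeter) can be scripted. The Python below is an added example and is not code from this thread or from any of the products mentioned; the log line format, the sample log lines and the blocklist entries are all constructed for the example, and a real deployment would read its device's actual export format and a fetched feed such as DShield in place of the inline list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample IPS log lines (not from any real device). Assumed format:
# <timestamp> src=<ip> dst=<ip> sig=<signature id> action=<alert|drop>
SAMPLE_LOG = """\
2015-06-01T02:11:03Z src=203.0.113.7 dst=10.0.0.5 sig=SIG-1001 action=alert
2015-06-01T02:11:09Z src=203.0.113.7 dst=10.0.0.5 sig=SIG-1001 action=alert
2015-06-01T02:12:41Z src=198.51.100.23 dst=10.0.0.8 sig=SIG-2042 action=drop
2015-06-01T02:13:00Z src=203.0.113.7 dst=10.0.0.9 sig=SIG-3310 action=alert
2015-06-01T02:14:17Z src=192.0.2.99 dst=10.0.0.5 sig=SIG-1001 action=alert
2015-06-01T02:15:02Z src=198.51.100.23 dst=10.0.0.8 sig=SIG-2042 action=drop
2015-06-01T02:16:30Z src=192.0.2.99 dst=10.0.0.7 sig=SIG-2042 action=alert
this line is malformed and should be skipped
"""

# Constructed blocklist standing in for a reputation feed; entries may be
# single hosts or CIDR ranges, as feeds commonly publish both.
BLOCKLIST = ["203.0.113.0/24", "198.51.100.23/32"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are dropped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        try:
            ev["src"] = ipaddress.ip_address(ev["src"])
        except ValueError:
            continue  # unparseable address: skip rather than mis-attribute
        events.append(ev)
    return events


def load_blocklist(entries):
    """Turn feed entries into network objects so hosts and ranges match alike."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_listed(ip, networks):
    return any(ip in net for net in networks)


def hits_by_source(events):
    """Count IPS hits per source IP, most active first."""
    return Counter(str(ev["src"]) for ev in events).most_common()


def perimeter_block_candidates(events, networks):
    """Source IPs that both triggered the IPS and appear on the blocklist:
    the ones to push out to the outermost control (perimeter firewall/proxy)."""
    return sorted({str(ev["src"]) for ev in events if is_listed(ev["src"], networks)})


def signature_hits_after_block(events, networks):
    """Per-signature hit counts before and after removing blocklisted sources,
    i.e. what the inner IPS would still see once the perimeter block is in place.
    Signatures whose count drops to zero are the rotation candidates."""
    before = Counter(ev["sig"] for ev in events)
    after = Counter(ev["sig"] for ev in events if not is_listed(ev["src"], networks))
    return {sig: (before[sig], after.get(sig, 0)) for sig in before}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    nets = load_blocklist(BLOCKLIST)
    print("hits by source:", hits_by_source(evs))
    print("block at perimeter:", perimeter_block_candidates(evs, nets))
    for sig, (b, a) in sorted(signature_hits_after_block(evs, nets).items()):
        status = "still firing" if a else "quiet, rotation candidate"
        print(f"{sig}: {b} -> {a} ({status})")
```

Run as a script it lists the two listed sources to block at the perimeter and shows that only SIG-3310 goes quiet once they are gone; SIG-1001 and SIG-2042 keep firing from the unlisted 192.0.2.99, which is exactly the signal that a signature should stay loaded even after the perimeter block lands. A signature that goes quiet for a couple of months in this "after" column is the one to consider swapping for a new one.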
ASKER CERTIFIED SOLUTION (only available to members of Experts Exchange)