Solved

Move Malwarebytes Enterprise to perimeter of our Cisco ASA? Ideas for setup?

Posted on 2016-11-28 | 116 Views | Last Modified: 2016-12-04
Sorry for the "generic" question, but I'm heading into a meeting shortly and want to be educated by my fellow experts. Our consultant wants me to move an enterprise version of Malwarebytes that resides inside the perimeter to the outside, i.e. hit Malwarebytes before it hits the ASA as we continue to add defense layers. Good idea? Anyone done this? How do I go about setting this up? (I know, asking before I even get all the info myself, and I'm mainly a server guy)... Suggestions (besides other products, Firepower, etc.)?
0
Question by:admitech
6 Comments
 
LVL 63

Expert Comment

by:btan
ID: 41905151
Malwarebytes Enterprise is not a perimeter defence, unlike a PFW, UTM, NGFW, NIPS or breach detection appliance. It serves as endpoint or system defence.

Shifting it out from the intranet to the extranet is subject to a risk assessment of how to protect the DMZ device, but I do not see the need if the MBAM agents are already installed to do it and report back to the MBAM enterprise backend. Instead, the MBAM enterprise console should be restricted from being Internet accessible, and any form of remote access should be via VPN, but by default it is not advocated.

As a whole, the return on shifting MBAM out into the "open" still requires it to be protected, and the best protection is not to even "expose" it in the first place. It is like putting your Active Directory out into the DMZ or external segment, which is not recommended either.

If needed, the MBAM enterprise is to be repositioned to only serve those in the exterior segment.

Just my few quick cents.
0
 
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 41905153
Put bluntly, putting a malware inspection device/application between a firewall device and the internet is a functionally stupid idea. It puts the malware inspection device in a position to inspect much more traffic than is necessary and in a position to be taken over by malicious attacks. Your ASA should be the first thing any traffic from the Internet hits. That's what it's designed for, and it will drop the vast majority of attacks that come in. The Malwarebytes Enterprise device/server/whatever should only be inspecting the stuff that makes it through the firewall. And that's just if this type of thing can be accomplished at all. If Malwarebytes doesn't have NAT and routing capabilities (like the ASA does), it won't function well if it's set up to inspect traffic before the ASA.

One option you may want to look into is purchasing an IPS module for the ASA if you don't have one already. Intrusion Prevention Systems are very useful for advanced packet inspection and comparison with known attack vectors. Malwarebytes probably does some intrusion prevention, but probably not as effectively as an IPS.
0
 
LVL 63

Accepted Solution

by:btan
btan earned 250 total points
ID: 41905544
The network layer checks come first, rather than the Malwarebytes endpoint checks, which will have to be the last line. Block the threat earlier, e.g.:
- from the ISP perspective via a DDoS provider (like Cloudflare) or clean piping (F5 Silverline, managed services)
- from the external perimeter via an on-premise NGFW appliance (PAN) and DDoS boxes (Arbor)
- from the threat detection in the perimeter via the NIPS/NIDS (Firepower; can use mirrored traffic for passive detection)
- from the breach detection in the perimeter via the BDS (FireEye NX, web based etc.; can inspect mirrored traffic with network forensics using BlueCoat Security Analytics)
- from the endpoint detection in the perimeter for DMZ servers and internal clients via the HIPS (a security suite like MBAM with anti-exploit, anti-ransomware capability, application and device lockdown etc.)

There are more, but each line of defence has a different objective in handling the threat.
0
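The placement btan describes above (the ASA filters Internet traffic first, the MBAM console is never reachable from outside, and remote administration reaches it only through VPN) expressed as a Cisco ASA access policy. This is an added illustration, not configuration from the thread, from the asker's environment or from Malwarebytes; every address, object name and the console ports are assumed placeholders to be replaced with real values.

```cisco
! Added example, not from the thread. Addresses, object names and ports are assumptions.
! Goal: Internet traffic hits the ASA first; only the published DMZ service is
! reachable from outside; the MBAM management console is reachable only from
! the inside network and from VPN users.
object network WEB_DMZ
 host 192.0.2.10
object network MBAM_CONSOLE
 host 10.10.20.15
object-group network VPN_POOL
 network-object 10.99.0.0 255.255.255.0
object-group network INSIDE_NET
 network-object 10.10.0.0 255.255.0.0
! Assumed console/agent ports (placeholder values; check the product documentation)
object-group service MBAM_PORTS tcp
 port-object eq 443
 port-object eq 18457

! Outside -> in: permit only the published web service. Traffic aimed at the
! console is denied and logged; the final deny makes the implicit deny visible
! in syslog so exposure attempts show up in monitoring.
access-list OUTSIDE_IN extended permit tcp any object WEB_DMZ eq https
access-list OUTSIDE_IN extended deny ip any object MBAM_CONSOLE log
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Inside -> console: only the console's service ports, nothing else to that host.
access-list INSIDE_IN extended permit tcp object-group INSIDE_NET object MBAM_CONSOLE object-group MBAM_PORTS
access-list INSIDE_IN extended deny ip any object MBAM_CONSOLE log
access-list INSIDE_IN extended permit ip object-group INSIDE_NET any
access-group INSIDE_IN in interface inside

! Remote admins: VPN only. Remote-access VPN traffic bypasses interface ACLs by
! default (sysopt connection permit-vpn), so the restriction is a vpn-filter on
! the group policy, written with the VPN client as source.
access-list VPN_FILTER extended permit tcp object-group VPN_POOL object MBAM_CONSOLE object-group MBAM_PORTS
access-list VPN_FILTER extended deny ip any object MBAM_CONSOLE log
access-list VPN_FILTER extended permit ip object-group VPN_POOL object-group INSIDE_NET
group-policy REMOTE_ADMIN attributes
 vpn-filter value VPN_FILTER
```

The point of the fragment is the ordering: the console never appears in an outside-facing permit, so moving it in front of the ASA would remove exactly this control, and the logged denies give the SOC a signal if anything from the Internet is ever steered at it.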

 

Author Comment

by:admitech
ID: 41907300
@ALL, completely agree. It seems odd to move it out to the perimeter of the network, especially since that is typically somewhere you would only want an NGFW and services such as Firepower. I think the consultant's thinking was to have it knock out stuff before it hits the network and be accessible to remote sites, but it seems like there are much better ways of doing this. NGFW and FP we have here. Need to utilize BlueCoat as that has been collecting dust. FYI: New to this environment; lots to do!
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 41907387
Nice, thanks for sharing. Let us know if there are further queries. As a whole, the consultant should take a risk measurement approach and weigh the exposure and operational running; importantly, the adequacy of the approach should address the external and internal risk collectively and not "open" another point of penetration unnecessarily.
0
 

Author Closing Comment

by:admitech
ID: 41908847
@Btan. Love that answer. Good job guys!
0
