Solved

Move Malwarebytes Enterprise to perimeter of our Cisco ASA? Ideas for setup?

Posted on 2016-11-28
Last Modified: 2016-12-04
Sorry for the "generic" question, but I'm heading into a meeting shortly and want to be educated by my fellow experts. Our consultant wants me to move an enterprise version of Malwarebytes that resides inside the perimeter to the outside, i.e. hit Malwarebytes before it hits the ASA as we continue to add defense layers. Good idea? Anyone done this? How do I go about setting this up? (I know I'm asking before I even get all the info myself, and I'm mainly a server guy)... Suggestions (besides other products, Firepower, etc.)?
Question by: admitech
6 Comments
 
LVL 65

Expert Comment

by: btan
ID: 41905151
Malwarebytes Enterprise is not a perimeter defence, unlike a PFW, UTM, NGFW, NIPS or breach detection appliance. It serves as endpoint or system defence.

Shifting it out from the intranet to the extranet is subject to a risk assessment of how to protect the DMZ device, but I do not see the need if the MBAM agents are already installed to do it and report back to the MBAM backend enterprise. Instead, the MBAM enterprise console should be restricted from being Internet accessible, and any form of remote access should be via VPN, but by default it is not advocated.

As a whole, the return on shifting MBAM out into the "open" still requires it to be protected, and the best protection is not to even "expose" it in the first place. It is like putting your Active Directory out into the DMZ or external segment, which is not recommended either.

If needed, the MBAM enterprise is to be repositioned to only serve those in the exterior segment.

Just my few quick cents.
LVL 43

Assisted Solution

by: Adam Brown (earned 1000 total points)
ID: 41905153
Put bluntly, putting a malware inspection device/application between a firewall device and the Internet is a functionally stupid idea. It puts the malware inspection device in a position to inspect much more traffic than is necessary, and in a position to be taken over by malicious attacks. Your ASA should be the first thing any traffic from the Internet hits. That's what it's designed for, and it will drop the vast majority of attacks that come in. The Malwarebytes Enterprise device/server/whatever should only be inspecting the stuff that makes it through the firewall. And that's only if this type of thing can be accomplished at all. If Malwarebytes doesn't have NAT and routing capabilities (like the ASA does), it won't function well if it's set up to inspect traffic before the ASA.

One option you may want to look into is purchasing an IPS module for the ASA if you don't have one already. Intrusion Prevention Systems are very useful for advanced packet inspection and comparison with known attack vectors. Malwarebytes probably does some intrusion prevention, but probably not as effectively as an IPS.
LVL 65

Accepted Solution

by: btan (earned 1000 total points)
ID: 41905544
The network layer check will come first, and the Malwarebytes endpoint checks will have to be the last line. Block the threat earlier, e.g.:
- from the ISP perspective, via a DDoS provider (like Cloudflare) or clean-piping (F5 Silverline, managed services)
- from the external perimeter, via an on-premise NGFW appliance (PAN) and DDoS boxes (Arbor)
- from the threat detection in the perimeter, via the NIPS/NIDS (FirePower; can use mirrored traffic for passive detection)
- from the breach detection in the perimeter, via the BDS (FireEye NX, web based etc.; can inspect mirrored traffic, with network forensics using BlueCoat Security Analytics)
- from the endpoint detection in the perimeter, for DMZ servers and internal clients, via the HIPS (a security suite like MBAM with anti-exploit, anti-ransomware capability, application and device lockdown etc.)

There are more, but each line of defence will have a different objective in handling the threat.
 

Author Comment

by: admitech
ID: 41907300
@ALL, completely agree. It seems odd to move it out to the perimeter of the network, especially since that is typically something you would only want an NGFW and services such as Firepower for. I think the consultant's thinking was to have it knock out stuff before it hits the network and be accessible to remote sites, but it seems like there are much better ways of doing this. NGFW and FP we have here. Need to utilize BlueCoat as that has been collecting dust. FYI: new to this environment; lots to do!
LVL 65

Assisted Solution

by: btan (earned 1000 total points)
ID: 41907387
Nice, thanks for sharing. Let us know if there are further queries. As a whole, the consultant should take a risk-measured approach and weigh the exposure and operational running; importantly, the adequacy of the approach should address the external and internal risk collectively and not "open" another point of penetration unnecessarily.

Author Closing Comment

by: admitech
ID: 41908847
@Btan. Love that answer. Good job guys!