Move Malwarebytes Enterprise to perimeter of our Cisco ASA? Ideas for setup?

Sorry for the "generic" question, but I'm heading into a meeting shortly and want to be educated by my fellow experts. Our consultant wants me to move an enterprise version of Malwarebytes that resides inside the perimeter to the outside, i.e. hit Malwarebytes before traffic hits the ASA, as we continue to add defense layers. Good idea? Anyone done this? How do I go about setting this up? (I know, asking before I even get all the info myself, and I'm mainly a server guy.) Suggestions (besides other products, Firepower, etc.)?
admitech asked:

btan (Exec Consultant) commented:
The network layer checks come first; the Malwarebytes endpoint checks will have to be the last line. Block the threat earlier, e.g.
- from the ISP perspective via a DDoS provider (like Cloudflare) or clean piping (F5 Silverline, managed services)
- from the external perimeter via an on-premise NGFW appliance (PAN) and DDoS boxes (Arbor)
- from threat detection in the perimeter via NIPS/NIDS (Firepower; can use mirrored traffic for passive detection)
- from breach detection in the perimeter via a BDS (FireEye NX, web based etc.; can inspect mirrored traffic with network forensics using Blue Coat Security Analytics)
- from endpoint detection in the perimeter for DMZ servers and internal clients via HIPS (a security suite like MBAM with anti-exploit and anti-ransomware capability, application and device lockdown, etc.)

There are more, but each line of defence will have a different objective in handling the threat.

btan (Exec Consultant) commented:
Malwarebytes Enterprise is not a perimeter defence, unlike a PFW, UTM, NGFW, NIPS or breach detection appliance. It serves as endpoint or system defence.

Shifting it out from the intranet to the extranet is subject to a risk assessment of protecting DMZ devices, but I do not see the need if the MBAM agents are already installed to do that and report back to the MBAM enterprise backend. Instead, the MBAM enterprise console should be restricted from being Internet accessible, and any form of remote access should be via VPN, but by default that is not advocated.

As a whole, the return on shifting MBAM out into the "open" is that it still needs to be protected, and the best protection is not to "expose" it in the first place. It is like putting your Active Directory out into the DMZ or an external segment, which is not recommended either.

If needed, the MBAM enterprise console should be repositioned to only serve those in the exterior segment.

Just my few quick cents.
Adam Brown (Sr Solutions Architect) commented:
Put bluntly, putting a malware inspection device/application between a firewall device and the Internet is a functionally stupid idea. It puts the malware inspection device in a position to inspect much more traffic than is necessary and in a position to be taken over by malicious attacks. Your ASA should be the first thing any traffic from the Internet hits. That's what it's designed for, and it will drop the vast majority of attacks that come in. The Malwarebytes Enterprise device/server/whatever should only be inspecting the stuff that makes it through the firewall. And that's just if this type of thing can be accomplished at all. If Malwarebytes isn't capable of NAT and routing (like the ASA is), it won't function well if it's set up to inspect traffic before the ASA.

One option you may want to look into is purchasing an IPS module for the ASA if you don't have one already. Intrusion Prevention Systems are very useful for advanced packet inspection and comparison against known attack vectors. Malwarebytes probably does some intrusion prevention, but probably not as effectively as an IPS.
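To make the two points above concrete (the ASA stays the first hop for Internet traffic, and the Malwarebytes console is never reachable from outside, only from inside or over VPN), here is an added configuration example. It is not from the thread or from Malwarebytes or Cisco documentation; it is a minimal ASA 9.x-style fragment, and every interface name, address, object name and port in it is a placeholder assumption for a hypothetical site. Check the console's actual listening ports against the vendor documentation before copying the VPN rule.

```cisco
! Added example, not part of the original thread. All addresses, object names
! and the console port (443 assumed) are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
! The Malwarebytes management console lives on the inside segment. It gets no
! static NAT and no permit on the outside interface, so from the Internet it
! simply does not exist.
object network MBAM_CONSOLE
 host 10.0.1.20
 description Malwarebytes management console (placeholder address)
!
! Inbound policy on the outside interface. Nothing here references the MBAM
! console; the explicit deny with logging is there so attempts to reach it
! show up in syslog, and the final deny makes the implicit drop visible too.
access-list OUTSIDE_IN extended deny ip any object MBAM_CONSOLE log
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Remote administrators reach the console only from the VPN address pool, and
! only on the console port. vpn-filter applies the ACL to tunnelled traffic,
! which by default bypasses interface ACLs on the ASA.
object network VPN_POOL
 subnet 10.0.50.0 255.255.255.0
access-list VPN_TO_MBAM extended permit tcp object VPN_POOL object MBAM_CONSOLE eq 443
access-list VPN_TO_MBAM extended deny ip object VPN_POOL object MBAM_CONSOLE log
group-policy REMOTE_ADMINS attributes
 vpn-filter value VPN_TO_MBAM
!
! Checks (run from enable mode): confirm the outside ACL hit counters grow for
! the deny entry, and simulate an Internet client aimed at the console.
! show access-list OUTSIDE_IN
! packet-tracer input outside tcp 198.51.100.5 40000 10.0.1.20 443
```

The packet-tracer call should end in a drop (no NAT translation and an ACL deny), which is the property the answers above are asking for: the ASA, not the endpoint product, decides what reaches the inside, and the console is never "exposed" in the first place.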
admitech (author) commented:
@ALL, completely agree. It seems odd to move it out to the perimeter of the network, especially since that is typically somewhere you would only want an NGFW and services such as Firepower. I think the consultant's thinking was to have it knock out stuff before it hits the network and be accessible to remote sites, but it seems like there are much better ways of doing this. NGFW and FP we have here. I need to utilize Blue Coat as that has been collecting dust. FYI: new to this environment; lots to do!
btan (Exec Consultant) commented:
Nice, thanks for sharing. Let us know if there are further queries. As a whole, the consultant should take a risk-measured approach and weigh the exposure against the operational running; importantly, the adequacy of the approach should address the external and internal risks collectively and not "open" another point of penetration unnecessarily.
admitech (author) commented:
@btan, love that answer. Good job, guys!