Solved

Move Malwarebytes Enterprise to perimeter of our Cisco ASA? Ideas for setup?

Posted on 2016-11-28
38 Views
Last Modified: 2016-12-04
Sorry for the "generic" question, but I'm heading into a meeting shortly and want to be educated by my fellow experts. Our consultant wants me to move an enterprise version of Malwarebytes that resides inside the perimeter to the outside, i.e. hit Malwarebytes before traffic hits the ASA, as we continue to add defense layers. Good idea? Anyone done this? How do I go about setting this up? (I know, asking before I even get all the info myself, and I'm mainly a server guy)... Suggestions (besides other products, Firepower, etc.)?
Question by:admitech
6 Comments
 
LVL 61

Expert Comment

by:btan
Malwarebytes Enterprise is not a perimeter defence, unlike a PFW, UTM, NGFW, NIPS or breach detection appliance. It serves as endpoint or system defence.

Shifting it out from the intranet to the extranet is subject to a risk assessment of how to protect the DMZ devices, but I do not see the need if the MBAM agents are already installed to do that and report back to the MBAM enterprise backend. Instead, the MBAM enterprise console should be restricted from being Internet accessible, and any form of remote access should be via VPN, but by default it is not advocated.

As a whole, the return on shifting MBAM out into the "open" still requires it to be protected, and the best protection is not to even "expose" it in the first place. It is like putting your Active Directory out into the DMZ or external segment, which is not recommended either.

If need be, MBAM enterprise is to be repositioned to only serve those in the exterior segment.

Just my few quick cents.
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
Put bluntly, putting a malware inspection device/application between a firewall device and the Internet is a functionally stupid idea. It puts the malware inspection device in a position to inspect much more traffic than is necessary and in a position to be taken over by malicious attacks. Your ASA should be the first thing any traffic from the Internet hits. That's what it's designed for, and it will drop the vast majority of attacks that come in. The Malwarebytes Enterprise device/server/whatever should only be inspecting the stuff that makes it through the firewall. And that's just if this type of thing can be accomplished at all. If Malwarebytes doesn't have NAT and routing capabilities (like the ASA does), it won't function well if it's set up to inspect traffic before the ASA.

One option you may want to look into is purchasing an IPS module for the ASA if you don't have one already. Intrusion Prevention Systems are very useful for advanced packet inspection and comparison with known attack vectors. Malwarebytes probably does some intrusion prevention, but probably not as effectively as an IPS.
 
LVL 61

Accepted Solution

by:btan
btan earned 250 total points
The network layer check will come first, instead of the Malwarebytes endpoint checks, which will have to be the last line. Block the threat earlier, e.g.:
- from the ISP perspective via a DDoS provider (like Cloudflare) or clean piping (F5 Silverline, managed services)
- from the external perimeter via an on-premise NGFW appliance (PAN) and DDoS boxes (Arbor)
- from the threat detection in the perimeter via the NIPS/NIDS (Firepower; can be mirrored traffic for passive detection)
- from the breach detection in the perimeter via the BDS (FireEye NX, web based etc.; can be inspecting mirrored traffic, with network forensics using Blue Coat Security Analytics)
- from the endpoint detection in the perimeter for DMZ servers and internal clients via the HIPS (a security suite like MBAM, with anti-exploit and anti-ransomware capability, application and device lockdown, etc.)

There are more, but each line of defence will have a different objective in handling the threat.
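Pulling together the ASA-side points from Adam Brown's and btan's answers above (the ASA is the first hop for Internet traffic, the MBAM console is never exposed to the Internet, and remote administration happens only over VPN), here is an added illustration in Cisco ASA configuration syntax. It is not from this thread, from Malwarebytes, or from Cisco documentation; interface names, addresses, object names and the management VPN group policy are assumptions, and no console service ports are given because the thread does not name any. The commented-out "weak" block shows what "moving MBAM to the perimeter" would amount to on the firewall, so the contrast with the restrictive version is visible in one place.

```cisco
! Interfaces (assumed names and addresses): the ASA is the first hop from the Internet
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Objects (hypothetical hosts and subnets)
object network DMZ_WEB
 host 192.0.2.10
object network MBAM_CONSOLE
 host 10.0.0.50
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
!
! WEAK (shown only for contrast, do not apply): exposing the MBAM console to the
! Internet means a static NAT plus an inbound rule that admits any source.
!   object network MBAM_CONSOLE
!    nat (inside,outside) static 203.0.113.3
!   access-list OUTSIDE_IN extended permit tcp any object MBAM_CONSOLE
!
! RESTRICTIVE: the outside ACL admits only the published DMZ service. There is
! no rule and no NAT for the MBAM console, so unsolicited Internet traffic to it
! is dropped by the ASA before any other layer sees it. Logging the final deny
! feeds the dropped attempts to the NIPS/BDS layers and the SIEM.
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Remote administrators reach the console only after terminating a VPN session.
! The vpn-filter ACL is written with the VPN client as source and limits the
! session to the console host; narrow it to the console's actual ports in use.
access-list VPN_ADMIN_FILTER extended permit tcp object VPN_POOL object MBAM_CONSOLE
access-list VPN_ADMIN_FILTER extended deny ip any any log
!
group-policy MBAM_ADMIN internal
group-policy MBAM_ADMIN attributes
 vpn-filter value VPN_ADMIN_FILTER
 vpn-tunnel-protocol ssl-client
!
! Exempt VPN-to-inside traffic from NAT so the filter matches real addresses.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
```

The point to check after applying something like this is that `show access-list OUTSIDE_IN` carries no entry referencing the console object and `show nat` carries no static translation for it; the only path to the console is a VPN session bound to the filtered group policy, which keeps the endpoint defence behind the network-layer defence rather than in front of it.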
 

Author Comment

by:admitech
@ALL, completely agree. It seems odd to move it out to the perimeter of the network, especially since that is typically something for which you would only want an NGFW and services such as Firepower. I think the consultant's thinking was to have it knock out stuff before it hits the network and be accessible to remote sites, but it seems like there are much better ways of doing this. NGFW and FP we have here. Need to utilize Blue Coat, as that has been collecting dust. FYI: new to this environment; lots to do!
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
Nice, thanks for sharing. Let us know if there are further queries. As a whole, the consultant should take a risk-measured approach and weigh the exposure and operational running; importantly, the adequacy of the approach should address the external and internal risk collectively and not "open" another point of penetration unnecessarily.
 

Author Closing Comment

by:admitech
@btan, love that answer. Good job, guys!