Transition Safely to Best Practice Security Profiles
Apply Security profiles to allow rules to protect against
malicious traffic without risking application availability.
Security profiles enable you to inspect network traffic
for threats such as vulnerability exploits, malware, command-and-control
(C2) communication, and even unknown threats, and prevent them from
compromising your network using various types of threat signatures
(some protections require a
subscription).
The end goal is to reach a best practice state for all of your
Security profiles. However, to ensure the availability of business-critical
applications, it may not be feasible to implement a full best practice
Security profile configuration from the start. In most cases, you
can safely block some signatures, file types, or protocols while
alerting on others until you gain the information and confidence
to finish a safe transition to best practice Security profiles without affecting
availability.
The path to implementing best practice Security profiles is:
Use the following safe transition steps to move toward the
best practice state for
your Security profiles.
Ask yourself the following questions to help determine the right
approach to enabling Security profiles for a given network segment
or set of Security policy rules:
Do I already have Security profiles enabled on rules
that protect similar applications or network segments? If the answer
is yes, you may be able to duplicate those profile settings, including
block actions you already deem to be safe to enable.
Is the network segment I’m protecting critical for my business?
If the answer is yes and you don’t have proven profiles enabled
in similar segments, you may prefer to alert first and examine the
traffic that causes the alerts before blocking to ensure the profile
won’t block critical applications.
Am I deploying Security profiles to counter an immediate
threat? If the answer is yes, you may want to block as the initial
action instead of alerting.
Is there a firewall change process in place that allows investigation
and remediation of false positives in a timely manner? If the answer
is yes, you may be able to block as the initial action instead of
alerting.
The majority of “false positives” are attempted
attacks against a vulnerability that doesn’t exist in your network.
The attack is real, but the danger is not because the vulnerability
isn’t present, so the attack is often seen as a false positive.
Brute Force attack signatures can also cause false positives if
the attack threshold is set too low.
Consider your current security posture in combination with the
guidance for each type of Security profile to decide how to deploy
the profiles initially and then move to the best practice guidance.