A best practice security policy is iterative.
It is a tool for safely enabling applications, users, and content
by classifying all traffic, across all ports, all the time. As soon
as you Define
the Initial Internet Gateway Security Policy, you must begin
to monitor the traffic that matches the temporary rules designed
to identify policy gaps and alarming behavior and tune your policy
accordingly. By monitoring traffic hitting these rules, you can
make appropriate adjustments to your rules to either make sure all
traffic is hitting your whitelist application allow rules or assess whether
particular applications should be allowed. As you tune your rulebase,
you should see less and less traffic hitting these rules. When you
no longer see traffic hitting these rules, it means that your positive enforcement
whitelist rules are complete and you can Remove
the Temporary Rules.
Create custom reports that let you monitor traffic
that hits the rules designed to identify policy gaps.
Manage Custom Reports
a report and give it a
that indicates the particular
policy gap you are investigating, such as Best Practice Policy Tuning.
Add the following to the Selected Columns list:
Set the desired
Define the query to match traffic hitting the rules
designed to find policy gaps and alarming behavior. You can create
a single report that details traffic hitting any of the rules (using
operator), or create individual reports
to monitor each rule. Using the rule names defined in the example
policy, you would enter the corresponding queries:
(rule eq 'Unexpected Port SSL and Web')
(rule eq 'Unknown User SSL and Web')
(rule eq 'Unexpected Traffic')
(rule eq 'Unexpected Port Usage')
Review the report regularly to make sure you understand
why traffic is hitting each of the best practice policy tuning rules
and either update your policy to include legitimate applications
and users, or use the information in the report to assess the risk
of that application usage and implement policy reforms.