Monitor and Fine Tune the Policy Rulebase
A best practice security policy is iterative. It is a tool for safely enabling applications, users, and content by classifying all traffic, across all ports, all the time. As soon as you Define the Initial Internet Gateway Security Policy, you must begin to monitor the traffic that matches the temporary rules designed to identify policy gaps and alarming behavior, and tune your policy accordingly. By monitoring the traffic that hits these rules, you can adjust your rules so that legitimate traffic matches your whitelist application allow rules, or assess whether a particular application should be allowed at all. As you tune your rulebase, you should see less and less traffic hitting these rules. When you no longer see traffic hitting these rules, your positive enforcement whitelist rules are complete and you can Remove the Temporary Rules.
- Create custom reports that let you monitor traffic that hits the rules designed to identify policy gaps.
- Select Monitor > Manage Custom Reports.
- Add a report and give it a descriptive Name that indicates the particular policy gap you are investigating, such as Best Practice Policy Tuning.
- Set the Database to Traffic Summary.
- Select the Scheduled check box.
- Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
- Set the desired Time Frame, Sort By and Group By fields.
- Define the query to match traffic hitting the rules designed to find policy gaps and alarming behavior. You can create a single report that details traffic hitting any of the rules (combining the conditions with the or operator), or create individual reports to monitor each rule. Using the rule names defined in the example policy, you would enter the corresponding queries:
  - (rule eq 'Unexpected Port SSL and Web')
  - (rule eq 'Unknown User SSL and Web')
  - (rule eq 'Unexpected Traffic')
  - (rule eq 'Unexpected Port Usage')
- Review the report regularly to make sure you understand why traffic is hitting each of the best practice policy tuning rules and either update your policy to include legitimate applications and users, or use the information in the report to assess the risk of that application usage and implement policy reforms.
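The report described above, emulated offline as an added example (not code from the original page or from the vendor): it filters a constructed traffic-log CSV sample to the four tuning rules from the example policy, groups by Rule and Application, and sums Bytes and Sessions. The CSV column names and sample rows are assumptions constructed for the example, not a real log export format.

```python
import csv
import io
from collections import defaultdict

# Rule names from the example policy on this page; the report query
# (rule eq 'A') or (rule eq 'B') ... reduces to membership in this set.
TUNING_RULES = {
    "Unexpected Port SSL and Web",
    "Unknown User SSL and Web",
    "Unexpected Traffic",
    "Unexpected Port Usage",
}

# Constructed sample traffic-log export (hypothetical column subset,
# not a real PAN-OS export layout).
SAMPLE_TRAFFIC_CSV = """\
rule,app,bytes,sessions
Allow Web Browsing,web-browsing,52000,12
Unexpected Port SSL and Web,ssl,8400,3
Unexpected Port SSL and Web,web-browsing,2100,1
Unexpected Port Usage,unknown-tcp,900,2
Unexpected Port SSL and Web,ssl,600,1
Unexpected Traffic,bittorrent,120000,4
Allow Business Apps,ms-office365,30000,20
"""

def tuning_report(csv_text, rules=TUNING_RULES):
    """Emulate the custom report: keep only rows whose rule is one of the
    tuning rules, group by (rule, app), sum bytes and sessions, and sort
    by bytes descending. Returns a list of dicts, one per report row."""
    totals = defaultdict(lambda: {"bytes": 0, "sessions": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["rule"] not in rules:
            continue  # traffic already on a whitelist allow rule
        key = (row["rule"], row["app"])
        totals[key]["bytes"] += int(row["bytes"])
        totals[key]["sessions"] += int(row["sessions"])
    report = [
        {"rule": r, "app": a, "bytes": t["bytes"], "sessions": t["sessions"]}
        for (r, a), t in totals.items()
    ]
    report.sort(key=lambda e: (-e["bytes"], e["rule"], e["app"]))
    return report

if __name__ == "__main__":
    for entry in tuning_report(SAMPLE_TRAFFIC_CSV):
        print(f"{entry['rule']:<30} {entry['app']:<14} "
              f"{entry['bytes']:>8} {entry['sessions']:>4}")
```

Running the report on successive exports and watching the per-rule totals fall toward zero is the signal, described above, that the whitelist rules are complete.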