Create the Data Center Best Practice File Blocking Profile
Protect you data center from file types that you don’t
use and that don’t belong there.
Use the predefined strict File Blocking profile to block files that
are commonly included in malware attack campaigns and that have
no real use case for upload/download. Blocking these files reduces
the attack surface. The predefined strict profile blocks batch files,
DLLs, Java class files, help files, Windows shortcuts (.lnk), BitTorrent
files, .rar files, .tar files, encrypted-rar and encrypted-zip files,
multi-level encoded files (files encoded or compressed up to four
times), .hta files, and Windows Portable Executable (PE) files,
which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon,
and .pif files. The predefined strict profile alerts on all other
file types for visibility into other file transfers so that you
can determine if you need to make policy changes.
In some cases, the need to support critical applications
may prevent you from blocking all of the strict profile’s file types.
Follow the safe transition advice to
help determine whether you need to make exceptions in different
areas of the network. Review the data filtering logs () to identify file types used
in the data center and talk with business stakeholders about the
file types their applications require. Based on this information,
if necessary, clone the strict profile and modify it as needed to
allow only the other file type(s) that you need to support the critical
applications. You can also use the Direction setting to restrict
files types from flowing in both directions or block files in one
direction but not in the other direction.
The reason to attach the best practice File Blocking profile
to all security policy rules that allow traffic is to help prevent
attackers from delivering malicious files to the data center through
file sharing applications and exploit kits, or by infecting users
who access the data center, or on USB sticks.
- Traffic from users to the data center—Attach the strict File Blocking profile to security policy rules for applications that don’t entail file sharing or collaboration to block dangerous file types that can deliver exploits and malware.
- Intra data center traffic—Attach the strict File Blocking profile to security policy rules to prevent a compromised server from sharing a malicious file with other servers in the data center. This isolates the infection and prevents the spread of malware through the data center.
- Traffic from the data center to the internet—Limit file transfers to the file types required by the application in use.
If you don’t block all Windows PE files, send all unknown files
to WildFire for analysis. For user accounts, set the
Action
to continue
to
help prevent drive-by downloads where malicious web sites, emails,
or pop-ups cause users to inadvertently download malicious files.
Educate users that a continue prompt for a file transfer they didn’t
knowingly initiate may mean they are subject to a malicious download.