The project aims to implement intrusion prevention systems (IPS) to protect critical servers exposed to external networks. This will be done in three parts:
1) Create a network diagram and install IPS licenses at the in-scope locations. Adjust firewall profiles to monitor for threats.
2) Collect IPS data sent to the security information and event management system over two weeks. Configure regular IPS reports.
3) Analyze data to identify top noise generators, false positives, and true positives. Make exceptions or fine-tune signatures as needed.
• The scope of the project is to implement protection for the most critical part of the Vaillant Network.
• Servers that are exposed to the outside network are an attractive target, since they can serve as an entry point for attackers into the organization if they manage to exploit a vulnerability.
• Once inside the network, an attacker can masquerade as the bridging system and perform requests on its behalf.
• There are several locations that have DMZ server exposure.

First part of the project
• Create a logical site diagram that illustrates each network within the site and the DMZ service exposure.
• Install an IPS license at each location that is in project scope.
• Communicate with local IT in China, Ukraine and Turkey and advise them to order the correct licenses, since they have special treatment.
• Describe the licenses in CMDB+ and make sure that monitoring rules are in place, with notifications when a license is about to expire.
• Update the signature database on the firewalls to receive the latest threats available from the FortiGuard network.
• Enable the auto-push option to receive new updates as soon as they are released from the FortiGuard cloud.
• Adjust the default IPS profile by changing the action to Monitor (essentially IDS).
• Install the profile on every policy related to access from the outside, for the firewalls in scope.

Second part of the project
• Collect IPS data
• All firewalls are sending their logs to the FortiAnalyzer appliance as per the requirements defined in CRxxxx.
• FortiAnalyzer forwards everything it receives from its managed devices to the SIEM.
• Two-week data gathering period after the last IPS profile installation.
• Configure the IPS report to be executed on a regular basis.
• Automation: connect the FortiAnalyzer system with the mail server, so the system can send the report to the intended recipients every time it is executed.

Third part of the project
• Data analysis and fine tuning
• Verify the top 5 noise generators (the 5 most triggered signatures).
• Who is triggering those signatures?
• Is it a single source?
• Is this legitimate traffic?
• Provide a packet example that triggered the signature to the customer and wait for feedback.
• False positives
• In case they are confirmed, create exceptions from the triggered signature for the legitimate sources.
• True positives
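As an added example (not part of the original project material), the triage step of the third part run over constructed log lines: it counts hits per signature, reports whether each of the top signatures is triggered by a single source, and keeps the first event as the example to hand to the application owner. Field names follow FortiGate's key=value IPS log layout; hosts, signature names and IDs are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in FortiGate's key=value IPS log layout. The field
# names (subtype, srcip, dstip, action, attack, attackid) follow that layout;
# hosts, signature names and IDs are made up for this example.
SAMPLE_LOGS = [
    'date=2024-03-01 time=10:00:01 devname="FG-DMZ-A" type="utm" subtype="ips" severity="medium" srcip=198.51.100.7 dstip=10.0.5.20 dstport=443 action="detected" attack="Example.Sig.A" attackid=90001',
    'date=2024-03-01 time=10:00:09 devname="FG-DMZ-A" type="utm" subtype="ips" severity="medium" srcip=198.51.100.7 dstip=10.0.5.20 dstport=443 action="detected" attack="Example.Sig.A" attackid=90001',
    'date=2024-03-01 time=10:01:30 devname="FG-DMZ-A" type="utm" subtype="ips" severity="high" srcip=203.0.113.5 dstip=10.0.5.21 dstport=80 action="detected" attack="Example.Sig.B" attackid=90002',
    'date=2024-03-01 time=10:02:12 devname="FG-DMZ-B" type="utm" subtype="ips" severity="medium" srcip=198.51.100.7 dstip=10.0.5.22 dstport=443 action="detected" attack="Example.Sig.A" attackid=90001',
    'date=2024-03-01 time=10:03:44 devname="FG-DMZ-B" type="utm" subtype="ips" severity="high" srcip=203.0.113.9 dstip=10.0.5.21 dstport=80 action="detected" attack="Example.Sig.B" attackid=90002',
    'date=2024-03-01 time=10:04:05 devname="FG-DMZ-B" type="utm" subtype="ips" severity="high" srcip=203.0.113.77 dstip=10.0.5.21 dstport=80 action="detected" attack="Example.Sig.B" attackid=90002',
    'date=2024-03-01 time=10:05:00 devname="FG-DMZ-A" type="utm" subtype="ips" severity="low" srcip=198.51.100.7 dstip=10.0.5.20 dstport=443 action="detected" attack="Example.Sig.A" attackid=90001',
    'date=2024-03-01 time=10:06:00 devname="FG-DMZ-A" type="utm" subtype="webfilter" srcip=198.51.100.7 dstip=10.0.5.20 action="blocked"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse one key=value log line (quoted or bare values) into a dict."""
    return {k: q or bare for k, q, bare in KV_RE.findall(line)}

def triage(lines, top_n=5):
    """Return the top_n noisiest IPS signatures and who triggers them.

    Each entry: (attack, hit_count, distinct_sources, single_source, sample_line).
    Non-IPS records are skipped; sample_line is the first hit for that signature,
    the event you would forward to the application owner for feedback.
    """
    hits = Counter()
    sources = defaultdict(Counter)
    sample = {}
    for line in lines:
        rec = parse_kv(line)
        if rec.get("subtype") != "ips" or "attack" not in rec:
            continue
        sig = rec["attack"]
        hits[sig] += 1
        sources[sig][rec.get("srcip", "?")] += 1
        sample.setdefault(sig, line)
    return [(sig, n, len(sources[sig]), len(sources[sig]) == 1, sample[sig])
            for sig, n in hits.most_common(top_n)]

if __name__ == "__main__":
    for sig, n, nsrc, single, example in triage(SAMPLE_LOGS):
        print(f"{sig}: {n} hits from {nsrc} source(s); single source: {single}")
        print("  example event:", example)
```

A signature that fires repeatedly from one legitimate source is the usual candidate for a per-source exception; one that fires from many unrelated sources is worth keeping in monitor mode until it is confirmed either way.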