Threat Prevention Policy (AKA Vulnerability Protection)

This policy inspects traffic and protects against brute force attacks, buffer overflows, illegal code execution and other attempts to exploit client-side and server-side vulnerabilities or to compromise end users or applications. Connections identified as threats are blocked (the firewall resets both sides of the connection), a packet capture (PCAP) is triggered and an alert is written to the threat log. The capture gives the Security team the material it needs to trace the source of the attack. The policy does this through a traffic inspection profile made up of two sections, client and server: the first covers connections in which the protected host is the client, the second covers connections in which the protected host is the server. During inspection, each detection is assigned a severity (critical, high, medium, low or informational) that broadly follows the NIST CVE/CVSS severity classification. Critical and High severity detections are blocked and the traffic is captured via PCAP; Medium and Low severity detections only generate an alert and are not blocked.

In detail, the policy will behave as follows (Server and Client):

  • Critical Vulnerabilities: Block (reset both sides of the connection) and capture packets from session
  • High Vulnerabilities: Block (reset both sides of the connection) and capture packets from session
  • Medium Vulnerabilities: Alert (generate a log entry) and capture packets from session
  • Low Vulnerabilities: Alert (generate a log entry) and capture single (trigger) packet from session
  • Informational Vulnerabilities: Alert (generate a log entry)
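The severity/action matrix above, written out as a vulnerability-protection profile in the XML layout of a PAN-OS configuration export. This is an added illustration, not the profile exported from our appliance: the profile name, the rule names and the exact element names are assumed and should be checked against the running PAN-OS release before use. Each rule matches any threat (any CVE, vendor ID, category and threat name) of one severity for one host type, so the ten rules together cover the client and server sections described above.

```xml
<!-- Added example, not the production configuration. Profile and rule names are
     assumed; element names follow the PAN-OS export format and must be verified
     against the installed release. -->
<vulnerability>
  <entry name="tp-vulnerability-standard">
    <rules>
      <!-- Client section: protected host is the client -->
      <entry name="client-critical">
        <host>client</host>
        <severity><member>critical</member></severity>
        <action><reset-both/></action>                 <!-- block: reset both sides -->
        <packet-capture>extended-capture</packet-capture>  <!-- capture session packets -->
        <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
        <threat-name>any</threat-name><category>any</category>
      </entry>
      <entry name="client-high">
        <host>client</host>
        <severity><member>high</member></severity>
        <action><reset-both/></action>
        <packet-capture>extended-capture</packet-capture>
        <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
        <threat-name>any</threat-name><category>any</category>
      </entry>
      <entry name="client-medium">
        <host>client</host>
        <severity><member>medium</member></severity>
        <action><alert/></action>                      <!-- log only, do not block -->
        <packet-capture>extended-capture</packet-capture>
        <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
        <threat-name>any</threat-name><category>any</category>
      </entry>
      <entry name="client-low">
        <host>client</host>
        <severity><member>low</member></severity>
        <action><alert/></action>
        <packet-capture>single-packet</packet-capture>   <!-- only the triggering packet -->
        <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
        <threat-name>any</threat-name><category>any</category>
      </entry>
      <entry name="client-informational">
        <host>client</host>
        <severity><member>informational</member></severity>
        <action><alert/></action>
        <packet-capture>disable</packet-capture>         <!-- log entry, no capture -->
        <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
        <threat-name>any</threat-name><category>any</category>
      </entry>
      <!-- Server section: protected host is the server; same actions per severity -->
      <entry name="server-critical">
        <host>server</host>
        <severity><member>critical</member></severity>
        <action><reset-both/></action>
        <packet-capture>extended-capture</packet-capture>
        <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
        <threat-name>any</threat-name><category>any</category>
      </entry>
      <entry name="server-high">
        <host>server</host>
        <severity><member>high</member></severity>
        <action><reset-both/></action>
        <packet-capture>extended-capture</packet-capture>
        <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
        <threat-name>any</threat-name><category>any</category>
      </entry>
      <entry name="server-medium">
        <host>server</host>
        <severity><member>medium</member></severity>
        <action><alert/></action>
        <packet-capture>extended-capture</packet-capture>
        <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
        <threat-name>any</threat-name><category>any</category>
      </entry>
      <entry name="server-low">
        <host>server</host>
        <severity><member>low</member></severity>
        <action><alert/></action>
        <packet-capture>single-packet</packet-capture>
        <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
        <threat-name>any</threat-name><category>any</category>
      </entry>
      <entry name="server-informational">
        <host>server</host>
        <severity><member>informational</member></severity>
        <action><alert/></action>
        <packet-capture>disable</packet-capture>
        <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
        <threat-name>any</threat-name><category>any</category>
      </entry>
    </rules>
  </entry>
</vulnerability>
```

Two points worth checking when the profile is applied: the number of packets saved by "extended-capture" is a device-wide Content-ID setting rather than a per-rule value, so confirm it is large enough to be useful for analysis; and a reset action only sends TCP resets, so for UDP sessions the matching traffic is simply dropped. The profile does nothing on its own; it must be attached to the security policy rules that carry the inbound and outbound Internet traffic.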

The traffic inspection profile relies on several detection mechanisms working together: signature-based detection, heuristics-based detection (bot detection), sandbox-based detection (WildFire; not active yet, to be enabled during steps 2-3) and Layer 7 protocol analysis (App-ID). This layered approach lets the appliance detect both well-known "commodity" threats and advanced persistent threats (APTs). Beyond detection, the profile gives visibility of each issue through alerts and packet captures for detailed analysis.

Considerations for Systems Administrators

This rule will have a significant effect on server activity. Keep in mind that only traffic to or from external networks passes through the appliance, so only that traffic is inspected and, if malicious, blocked; traffic between internal systems is not covered by this policy. For inbound traffic, most malicious activity comes from Internet bots automatically scanning for vulnerabilities or indexing content, and that activity will be blocked where it is classified as a Critical or High severity threat. Resources such as login and payment portals are prime targets for this kind of attack. For client systems, if a host is compromised by malware and that malware communicates with external networks, the traffic passes through the NGFW appliance and will be flagged or blocked depending on its severity. This new layer of protection does not replace sound administration: Medium and Low severity detections only generate alerts and are not blocked, so system administrators must continue to ensure and maintain the proper configuration of servers and the wider environment.