Hello. I am very strict when it comes to applying UTM profiles, and in some cases I wonder if it is necessary or if I am doing it wrong, especially when it comes to IPS sensors. In some cases I double-analyze the traffic that enters (and leaves) the network that I manage, and I am going to give you some examples in which I have doubts about whether I am doing it correctly.
1) Internet to DMZ server web A --> In this case I have no doubt. I apply IPS sensors, HTTP antivirus, deep inspection, etc.
2) Intranet to DMZ server web A --> In this case I also apply an IPS sensor and HTTP antivirus. I apply an IPS sensor in case the server, although it is protected as indicated in example 1 for the internet connections, has been infected by a worm in the DMZ itself. Does it seem correct to you, or do you think that in this case IPS would no longer be necessary?
3) User networks to DMZ server web A --> I apply IPS and antivirus. I apply an IPS sensor in case the server, although it is protected as indicated in example 1, has been infected by a worm in the DMZ itself. Does it seem correct to you, or do you think that in this case I can do this better?
4) DMZ server SQL to SQL intranet server --> I apply an IPS sensor with SQL signatures. Is this correct, or can an IPS exploit not bypass without user interaction?
5) Finally, I protect all direct connections from intranet users/servers to the internet, for example an SMTP connection to an Office365 server, even if the connection originates from my network. I use an IPS sensor and antivirus in case the destination to which we make the TCP connection had a problem and could enter my network through that TCP connection.
Could you give me your opinion about the use I make, especially of the IPS sensors in the examples that I indicate?
Thank you for your help!
Hello,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Hello,
For questions 1) and 2):
Consider using a FortiWeb - Web Application Firewall, as it is dedicated to protection for HTTP applications.
For 3):
You can have a look at these documents:
https://community.fortinet.com/t5/Support-Forum/Best-Practices-of-IPS-Using/m-p/8815?m=162609
Thanks for your help Antony. I will read carefully everything you say.