Automatic IDS to Firewall Rule (or host group) creation
Here's an idea to run past everyone who wants to enhance their endpoint protection. On occasion I run into SEP IDS alerts showing blocked traffic for web-based threats (i.e. FakeAV and others) and it usually shows up multiple times (and across multiple clients).
Now if the IDS component could insert the offending IP address into a Host Group, administrators could have a firewall rule set to perform one of the many options permitted by the SEP firewall: block, prompt, log, capture packet, send email alert... Now the enterprise (administrators) have more knowledge of what is going on at the endpoints and have the option to protect clients across the enterprise rather than simply one host (Active Response).
This could help enterprises reduce the infections of these FakeAV (or other annoyances) and slow down the rate at which these malware authors spread this junk. Many times I see clients block some of the infections only for another infection to slip past the IDS by mutation. The only downsides I can see to this type of control are how to clear out stale IP addresses (after the host is no longer a threat) and the possibility of spoofed packets DoSing a specific IP address.
The best part is with the various options available in the firewall, administrators can choose how hard they want these rules enforced.