
Whitelist IP on Intrusion Prevention

Nebbiolo
Nebbiolo Posts: 3 Security Scout

Hello all,

We're planning to deploy a vulnerability assessment tool on our network that will scan all PCs periodically.

Is there a way to configure F-Secure so that it doesn't run intrusion prevention checks on the traffic coming from the IP address of the VA tool? If not, users would receive lots of Intrusion Prevention alerts because of the activity of the VA tool.

Our policy manager version is 12.00. Client version is 12 premium.

Paolo 

Comments

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello Paolo,

     

    > Client version is 12 premium.

     

    FSAV CS 12.00 Premium edition includes the "Software Updater" module, which is not just a "vulnerability assessment tool" but also recommends hotfixes to patch the vulnerabilities and even installs them centrally if you allow it to do so.

     

    Therefore, external VA tools are not really necessary anymore.

     

    Yours Sincerely: Tamas Feher, Hungary.

  • Nebbiolo
    Nebbiolo Posts: 3 Security Scout

    Hello Tamas,

    Thanks for your reply. The feature you mentioned is great and we already use it. Anyway, it is not the answer to my need.

    We also need to assess clients with a Vulnerability Assessment tool.

    To put it simply, if for example I run an nmap scan on a target client from the VA tool, F-Secure shows a popup alert to the user. I absolutely don't want this behaviour. I need the VA tool scan to be transparent to the user.

    Paolo

  • NickJ
    NickJ Posts: 29 Junior Protector

    Nebbiolo - we use F-Secure PSB, and a firewall rule to allow any traffic in both directions from/to the IP address of the scanner suppresses any popups in our case.

     

    I agree that a VA tool is still very important. Not all vulnerabilities can be fixed by applying a software patch. Sometimes a configuration issue can result in a vulnerability, and sometimes a software vendor does not patch a vulnerability quickly so it is good to have full visibility of exactly what vulnerabilities exist so you can put adequate controls in place.

     

     

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Dear Paolo,

     

    I agree an IP address / DNS name based exclusion list would be nice for F-Secure IPS/IDS.

     

    As a workaround you could maybe use Policy Manager and go to:

    F-Secure Internet Shield / Settings / Intrusion Prevention / Alert Severity then choose a custom tier.

     

    Then modify the table in F-Secure Management Agent / Settings / Alerting / Alert forwarding, so that "Local User Interface" is unticked for the corresponding severity tier.

     

    or

     

    F-Secure Internet Shield / Settings / User Interface Settings / Pop up alerts = enabled / disabled

     

    Best Regards: Tamas Feher.

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello NickJ,

     

    > F-Secure PSB, and a firewall rule to allow any traffic in both directions from/to the IP address of the scanner suppresses any popups in our case.

     

    I would call that a security hole! The "allow any traffic in both directions" packet filter rule shall concern normal day-to-day operations, but IPS/IDS defence is there for extraordinary events, e.g. your trusted server is breached and starts scanning the LAN on a hacker's command. The exception list for IPS/IDS should be separate from packet filter configuration.

     

    Best Regards: Tamas Feher.

This discussion has been closed.
