IDS/AMP still scanning client even if white-listed - broke remote desktop connection

LV_MW_MSP
Getting noticed

IDS/AMP still scanning client even if white-listed - broke remote desktop connection

We have an MX 100 on the front, tagged a WAN IP with 1:1 NAT to a MX64 (for a second business in same network) and the second business has some remote desktop servers.

 

On January 30th 2019 in the morning, SNORT released the following rule:

- OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt

- Rule ID 1-49040

 

What I just learned from Meraki support, even though the client was white-listed, they are telling me white listing only affects outbound traffic initiated from that device. White listing has nothing to do with external traffic hitting an internal device. I guess not many people are doing what we are doing, and we will be using a layer 3 switch in front moving forward to prevent the 1:1NAT rule.

 

It did peak my curiosity, can anyone confirm this. It seems that white listing doesn't disable AMP or IDS. Secondly, if you create a custom group policy, it is possible to disable AMP, but you can't disable IDS for a specific device.

 

In any event, the fix was to white-list the new rule the SNORT released, and everything is working again.

3 REPLIES 3
Cmiller
Building a reputation

Thanks for all the heavy lifting on this solution, this may come is handy
BrechtSchamp
Kind of a big deal

I'm all for options and this sound like a valid feature request! Thanks for posting the workaround.

 

Edit: Would it be related to the problem @jdsilva experienced. Basically for him the rule is triggered if you use a non-standard port for the RDP session. So another solution would be to keep the port internally and externally the same:

https://community.meraki.com/t5/Security-SD-WAN/IDS-AMP-still-scanning-client-even-if-white-listed-b...

 

 

Ignore me. I'm confusing things and quoting the wrong rule. Our problem is the same as the rule quoted in this thread.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels