Meraki

Community

Vulnerability Assessments on MX

Network-Tech
Just browsing
‎Aug 24 2022 11:48 AM
‎Aug 24 2022 11:48 AM

Vulnerability Assessments on MX

This is a 2 Part Question

We Have Multiple Locations with a Mix of MX-100 and MX-64 and MX-65 and a handfull of z-1 and z-3's

We have a third Party IDS/IPS System ahead of our 2 main MX-100's

We keep firmware up to date and have both AMP Enabled as well Intrusion Detection and Prevention Enabled

In Prevention Mode using Security Rule Set

We use Client VPN to 2 of The Main Sites Sites as well as Site to Site VPN for Branch Connectivity

Question 1

We are preparing for Perimeter Vulnerability Assessment to be conducted by auditing firm, And we whitelist the source IP of the Scanning System in the External IDS system but am wondering if I need to make any changes to my Appliances for this scan? I know the there are some older articles that recommended Disabling IPS or Changing it to detection set to logging. Most posts I have seen are older and I am not seeing anything current.

What is Current Policy or Practice since Whitelisting by IP is not supported.

I / We want to prevent and lockups or other issues that were reported in the past.

 

Question 2

Auditors will also be doing aninternal scan. I/We do scan using (Nessus Pro) and we scan all Subnets / VLANs that are reachable via VPN and DMZ of Main Site Most sites have up to 3 VLANS (VOIP  Data Security (Alarm And Video)

I have had a couple issues in the past doing internal scans myself but could never prove the scan was the cause of the issue especially after I told Nessus to skip sensitive devices

Are there any know issues related to an Internal Scan?

Auditors also suggest I whitelist these for internal scan as well?

Thanks to all in advance

Au

0 Kudos
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 24 2022 2:03 PM
‎Aug 24 2022 2:03 PM

>What is Current Policy or Practice since Whitelisting by IP is not supported.

 

You say that functionality is not supported.

0 Kudos
In response to PhilipDAth
Network-Tech
Just browsing
‎Aug 24 2022 2:31 PM
‎Aug 24 2022 2:31 PM

The IDS on MX appliance uses Snort and therefore It only accepts a Snort Rule

All that I can find is suggestion to disable IPS or Change IPS to IDS in a Log Only Mode, and that was a couple of years ago from what I can find on here doing a search. Was just wondering if anyone one had anything more recent. My 3rd Party IDS at 2 main sights (Uses Solar Winds) allows whitelisting by IP which we do for external scans.

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Aug 24 2022 3:05 PM
‎Aug 24 2022 3:05 PM

We stopped doing perimeter assessments that cover more than the perimeter some years ago.  We now scan internal hosts from internal scanners and only use external scanners for the actual perimeter.  This way we found that we get more accurate results as well as fewer issues.  Perhaps you might be able to suggest that approach to the auditing firm (majoring on the improved accuracy element). 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.