Hello All,

I'm looking for a bit of guidance or ideas on how to tackle this odd client-requested approach to their security. In summary they have stated: "There needs to be software integrated into the firewall infrastructure that is set to detect an attack and then effectively disconnects the network from the outside world. The local LAN is to continue to operate in isolation until the connectivity is restored once the firewall software permits this to happen."

We can agree the client doesn't appreciate the quarantine/traffic isolation capability of the firewall and is fixated on disconnecting the physical internet. I have advised of the possibility of false positives and also asked for a definition of an attack, but I am unlikely to get anything meaningful.

We have a pair of SRX1500s with SW SRX1500 IPS and AppSecure with SW. I'm thinking of some sort of alert profile that sends a trap to a destination that triggers a physical relay sitting inline to disconnect the WAN connection. How I define the criteria for this is an unknown, so any ideas would be appreciated.

Thanks
David
Perhaps an automation that just takes the WAN port down would meet this requirement. Scripting this would be more straightforward than the physical solution and more easily restored. You would just need to ensure the detection and automation platforms are behind the same SRX and not dependent on the WAN for access. Perhaps an OOB management network would also be a way to connect to, manage and monitor the SRX during the WAN outage, using OOB cellular networks for that access if the control needs to be off site.
I think the harder aspect of this request is defining what an attack will be: if it's too strict (like shutting down the WAN on any C&C block), internet access may seldom be available.