Investigating External Communications that use Untrusted Protocols

SUMMARY You can use a Policy Monitor question that is based on the known list of trusted protocols to monitor traffic in your DMZ. In most organizations, network traffic that crosses the DMZ is restricted to known and trusted protocols, such as HTTP or HTTPS on specified ports.

From a risk perspective, it is important to continuously monitor traffic in the DMZ to ensure that only trusted protocols are present. Use JSA Risk Manager to accomplish this task by creating a Policy Monitor question based on an asset test for actual communications.

To create a Policy Monitor question based on the known list of trusted protocols for the DMZ, complete the following steps.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. From the Actions menu, select New Asset Question.
  4. In the What do you want to name this question field, type a name for the question.
  5. In the What type of data do you want to return drop-down list, select Assets.
  6. In the Evaluate On menu, select Actual Communication.
  7. From the Importance Factor menu, specify a level of importance to associate with your question.
  8. In the Time Range section, specify a time range for the question.
  9. In the Which tests do you want to include in your question panel, select have accepted communication to destination networks.
  10. In the Find Assets that panel, click destination networks to further configure this test and specify your DMZ as the destination network.
  11. Select and include the following inbound ports.
  12. In the Find Assets that panel, click include only so that it changes to exclude.
  13. Click ports.
  14. Add port 80 and 443, and then click OK.
  15. Click Save Question.
  16. Select the Policy Monitor DMZ question that you created, and then click Submit Question.
  17. Review the results to see whether any communication on ports other than port 80 and port 443 is reaching assets in the DMZ.
  18. Monitor your DMZ question by putting the question into monitoring mode when the results are tuned.
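The logic of the DMZ question above, expressed as an added Python example (not JSA code): it takes flow records, keeps only flows whose destination is in an assumed DMZ range, treats a flow as "accepted communication" only when the destination replied, and reports each DMZ asset that accepted traffic on a port outside the trusted list of 80 and 443. The DMZ range, the flow records and the reply-bytes field are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Assumed DMZ range (placeholder, RFC 5737 documentation space); in JSA this is the
# destination network you select in step 10 of the procedure.
DMZ_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Trusted ports excluded from the question (step 14).
TRUSTED_PORTS = {80, 443}

# Constructed sample flows: (source IP, destination IP, destination port, protocol,
# bytes sent back by the destination). A reply of 0 bytes means the destination
# never accepted the connection, so it is not "actual communication".
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 443, "tcp", 5120),   # trusted HTTPS
    ("198.51.100.7", "203.0.113.10", 22, "tcp", 1800),    # SSH accepted: flag
    ("198.51.100.9", "203.0.113.10", 3389, "tcp", 0),     # no reply: ignore
    ("198.51.100.9", "203.0.113.20", 80, "tcp", 900),     # trusted HTTP
    ("198.51.100.9", "203.0.113.20", 53, "udp", 240),     # DNS accepted: flag
    ("198.51.100.9", "192.0.2.5", 21, "tcp", 300),        # not in the DMZ: ignore
]


def in_dmz(ip, dmz_networks=DMZ_NETWORKS):
    """True when the address falls inside one of the DMZ networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in dmz_networks)


def untrusted_inbound(flows, dmz_networks=DMZ_NETWORKS, trusted_ports=TRUSTED_PORTS):
    """Map each DMZ asset to the sorted (protocol, port) pairs it accepted outside
    the trusted port list. Mirrors: assets that have accepted communication to the
    DMZ destination network, excluding ports 80 and 443."""
    findings = defaultdict(set)
    for src, dst, dport, proto, reply_bytes in flows:
        if not in_dmz(dst, dmz_networks):
            continue                      # only destinations inside the DMZ
        if reply_bytes == 0:
            continue                      # never accepted, so not actual communication
        if dport in trusted_ports:
            continue                      # trusted protocol on an expected port
        findings[dst].add((proto, dport))
    return {asset: sorted(pairs) for asset, pairs in findings.items()}


if __name__ == "__main__":
    for asset, pairs in untrusted_inbound(SAMPLE_FLOWS).items():
        print(asset, pairs)
```

Each asset the function returns corresponds to a row the Policy Monitor question would show; tune the trusted port list and the DMZ range until the output is empty for expected traffic before putting the question into monitoring mode.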