In my opinion, core protections are becoming obsolete as they are meant to protect your servers (to fully benefit from them you should define web, mail and DNS server objects in SmartConsole, but I haven't seen any customer do that). We have to remember that there are only 39 core protections vs over 11K ThreatCloud protections. I agree with all of you that it is not very clear how core protections are used. The last fact agrees that the Core Protections profile is in fact separate from any Threat Prevention profiles, even though they appear to be the same profile. They seem to use a Threat Prevention profile, don't use the Threat Prevention rulebase, they require the IPS blade be enabled on the gateway if you want to assign a Core Protections profile to it, and the Core Protections are installed with the Access Control policy. I agree Core Protections are in such a "no man's land". I would guess that in most cases, a little extra policy compilation time would outweigh the extra complexity of using 2 separate profiles (especially when not all admins are necessarily experts) should compilation time be affected. It's neat to know that all the profile signatures get mashed together like that, so we might not expect any gateway performance gains by following the suggestion. It would be very interesting to know that although Core Protections and ThreatCloud protections appear to share the same Threat Prevention profiles, that might not be the case under the hood, and that would also affect the recommendation from the SK significantly. You aren't thinking of how Inspection Settings profiles have separate profiles from Threat Prevention, right? I just wanted to double check. Hmmm, in SmartConsole it looks to me like IPS Core Protections and IPS ThreatCloud can use the same profile.