Before we begin

Products concerned: SNS 3.0 and higher versions - SES 7.2 and higher versions

Last update: April 2017

The aim of this document is to show how host reputation management on a Stormshield Network Security firewall (SNS) interacts with the level of security that Stormshield Endpoint Security (SES) applies to an infected host.

When internal host reputation management is enabled, and if the reputation of a host exceeds a certain value, the workstation's level of security can be increased locally using SES.

The example illustrated in this technical note uses the scenario of an infected internal workstation. As Stormshield Network Vulnerability Manager has detected vulnerabilities on this host, its reputation score will naturally go up. The level of security assigned to the workstation will automatically increase via SES in order to prevent the infection from spreading to the rest of the internal network.

Understanding how SES and the SNS firewall interact

For this configuration, you will need to create:

  • a filter rule that matches ICMP traffic according to the reputation of the source host. As soon as a source host's reputation exceeds a certain level, this rule blocks its pings to a target that is ordinarily reachable at all times.
  • SES scripts that generate ICMP requests to the destination defined in the filter rule. When the firewall no longer allows a host with a high reputation score to contact this destination, failed pings will cause the behavior of the SES agent to change in order to increase the workstation's level of security.

Refer to the rest of this document for the setup details of each stage. This serves as an example that you may adapt to similar situations.
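The signalling described above can be modelled as follows. This is an added example, not Stormshield code and not the SES script format: the level names, the two thresholds and the return to the normal level after repeated successful pings are assumptions made for illustration. It shows why a single lost ping should not be enough to change the workstation's level of security.

```python
import platform
import subprocess
from dataclasses import dataclass
from typing import Callable, List

NORMAL, HARDENED = "normal", "hardened"  # hypothetical names for two SES policy levels


def icmp_probe(target: str) -> bool:
    """Send one echo request with the system ping; True if it was answered."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        done = subprocess.run(["ping", count_flag, "1", target],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=5)
    except (subprocess.TimeoutExpired, OSError):
        return False
    return done.returncode == 0


@dataclass
class ProbeMonitor:
    probe: Callable[[], bool]
    fail_threshold: int = 3     # assumed: consecutive failures before hardening
    recover_threshold: int = 5  # assumed: consecutive successes before relaxing
    level: str = NORMAL
    fails: int = 0
    oks: int = 0

    def step(self) -> str:
        """Run one probe and return the policy level that should now apply."""
        if self.probe():
            self.oks, self.fails = self.oks + 1, 0
            if self.level == HARDENED and self.oks >= self.recover_threshold:
                self.level = NORMAL
        else:
            self.fails, self.oks = self.fails + 1, 0
            if self.level == NORMAL and self.fails >= self.fail_threshold:
                self.level = HARDENED
        return self.level


def replay(results: List[bool], **thresholds) -> List[str]:
    """Feed constructed probe outcomes through the monitor (no network needed)."""
    outcomes = iter(results)
    monitor = ProbeMonitor(probe=lambda: next(outcomes), **thresholds)
    return [monitor.step() for _ in results]


# Constructed outcomes: one lost ping, then the firewall rule starts blocking.
SAMPLE = [True, False, True, False, False, False, True, True, True, True, True]
```

On a workstation, `ProbeMonitor(probe=lambda: icmp_probe(target))` would be stepped at a fixed interval, with `target` set to the destination defined in the filter rule.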