Investigating External Communications that use Untrusted Protocols
SUMMARY: You can use a Policy Monitor question that is based on the known list of trusted protocols to monitor traffic in your DMZ. In most organizations, network traffic that crosses the DMZ is restricted to known and trusted protocols, such as HTTP or HTTPS on specified ports.
From a risk perspective, it is important to continuously monitor traffic in the DMZ to ensure that only trusted protocols are present. Use JSA Risk Manager to accomplish this task by creating a Policy Monitor question based on an asset test for actual communications.
To create a Policy Monitor question based on the known list of trusted protocols for the DMZ, complete the following steps:
- Click the Risks tab.
- On the navigation menu, click Policy Monitor.
- From the Actions menu, select New Asset Question.
- In the What do you want to name this question field, type a name for the question.
- In the What type of data do you want to return drop-down list, select Assets.
- In the Evaluate On menu, select Actual Communication.
- From the Importance Factor menu, specify a level of importance to associate with your question.
- In the Time Range section, specify a time range for the question.
- In the Which tests do you want to include in your question panel, select have accepted communication to destination networks.
- In the Find Assets that panel, click destination networks to further configure this test and specify your DMZ as the destination network.
- Select and include the following inbound ports.
- In the Find Assets that panel, click include only so that it changes to exclude.
- Click ports.
- Add ports 80 and 443, and then click OK.
- Click Save Question.
- Select the Policy Monitor DMZ question that you created, and then click Submit Question.
- Review the results to see whether any protocols other than port 80 and port 443 are communicating on the network.
- Monitor your DMZ question by putting the question into monitoring mode when the results are tuned.
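
The filtering that this question performs can be reproduced offline to sanity-check exported flow data before the question is tuned. The following Python sketch is an added example, not JSA Risk Manager code: the DMZ range, the record layout, and the sample flows are constructed assumptions, and it does not model which side of a flow the product reports as the asset.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumptions for illustration only (not from the product or the page).
DMZ = ipaddress.ip_network("192.0.2.0/24")   # hypothetical DMZ range
TRUSTED_PORTS = {80, 443}                    # ports excluded in the question

# Constructed sample records: (timestamp, source, destination, dest port, action)
FLOWS = [
    ("2024-05-01T10:00:00", "198.51.100.7", "192.0.2.10", 443, "accept"),
    ("2024-05-01T10:01:00", "198.51.100.7", "192.0.2.10", 22, "accept"),
    ("2024-05-01T10:02:00", "198.51.100.9", "192.0.2.20", 80, "accept"),
    ("2024-05-01T10:03:00", "198.51.100.9", "192.0.2.20", 3389, "deny"),
    ("2024-05-01T10:04:00", "198.51.100.9", "10.0.0.5", 23, "accept"),
    ("2024-04-01T10:00:00", "198.51.100.3", "192.0.2.30", 21, "accept"),
    ("2024-05-01T10:05:00", "203.0.113.4", "192.0.2.10", 8080, "accept"),
]


def untrusted_dmz_traffic(flows, start, end, dmz=DMZ, trusted=TRUSTED_PORTS):
    """Return {port: sorted [(src, dst), ...]} for accepted flows into the DMZ
    within [start, end) whose destination port is not in the trusted set."""
    hits = defaultdict(set)
    for ts, src, dst, port, action in flows:
        when = datetime.fromisoformat(ts)
        if not (start <= when < end):
            continue                      # outside the question's time range
        if action != "accept":
            continue                      # only actual, accepted communication
        if ipaddress.ip_address(dst) not in dmz:
            continue                      # destination network must be the DMZ
        if port in trusted:
            continue                      # "exclude" ports 80 and 443
        hits[port].add((src, dst))
    return {port: sorted(pairs) for port, pairs in sorted(hits.items())}


if __name__ == "__main__":
    window = (datetime(2024, 5, 1), datetime(2024, 5, 2))
    for port, pairs in untrusted_dmz_traffic(FLOWS, *window).items():
        for src, dst in pairs:
            print(f"port {port}: {src} -> {dst}")
```

Any port that appears in the output corresponds to a result that the Policy Monitor question would surface for review.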