How to exclude traffic from vulnerability scanners with Symantec Data Center Security Server (DCS-S) and avoid false positive detection


Article ID: 172607


Products

Data Center Security Server

Issue/Introduction

If you are using a vulnerability scanner on your network, such as Control Compliance Suite Vulnerability Manager (CCSVM), and want to prevent the network IPS from generating false positive alerts.

Environment

This applies to DCS-S using Network IPS protection on virtual machines protected by a Symantec Virtual Appliance (SVA).

This is limited to traffic inside the same vCenter/NSX only. (If the traffic source is external, it cannot be excluded.)

Resolution

To exclude traffic from the vulnerability scanners, do the following:

In the vSphere Web Client, go to Home -> Networking & Security -> Service Composer:

In the Security Groups tab, create a new group: Name = "Vulnerability Scanners"

Add the vulnerability scanner machines to the membership of the group:

Save the group. (If the definition is correct, the table should indicate how many virtual machines were found.)

Now go to the "Security Policies" tab.

Edit or create a new policy, for example "Symantec AV + IPS".

In Network Introspection Services, you need to have two entries:

The first one excludes traffic from the scanners: make sure to select "Do not redirect" and set the Source to the group you created earlier.

Then create a second rule to redirect all traffic:

After that, the policy view should look as follows (make sure the order is right, so the exclusion rule comes first):


After that, apply your policy to your group of protected VMs, and the scanning traffic from the scanners will be excluded.
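The ordering requirement above is the part most often got wrong. As an added example, not code from Symantec or NSX, the following Python models how the two Network Introspection rules are matched top to bottom for a given source VM and checks that scanner VMs skip the SVA while every other protected VM is still redirected; group names, VM names and rule fields are constructed for illustration.

```python
# Added example (not from the KB article): a small model of how NSX
# network-introspection rules are evaluated top to bottom, used to check
# that the "Do not redirect" rule for the scanner group precedes the
# redirect-all rule. Group and VM names below are constructed.

SCANNER_GROUP = "Vulnerability Scanners"        # group name used in the article

# Constructed security-group membership: group name -> set of VM names
GROUPS = {
    SCANNER_GROUP: {"ccsvm-scanner-01"},
    "Protected VMs": {"web-01", "db-01", "ccsvm-scanner-01"},
}

def first_match_action(rules, source_vm, groups=GROUPS):
    """Return the action of the first rule whose Source matches the VM.
    A rule with source None matches any source (the 'redirect all' rule)."""
    for rule in rules:
        src = rule["source"]
        if src is None or source_vm in groups.get(src, set()):
            return rule["action"]
    return "redirect"  # assumed default when no rule matches

def check_policy_order(rules, groups=GROUPS):
    """Verify the exclusion works: scanner VMs are never redirected to the
    SVA, and every other protected VM still is. Returns a list of problems."""
    problems = []
    for vm in sorted(groups[SCANNER_GROUP]):
        if first_match_action(rules, vm, groups) != "do_not_redirect":
            problems.append(f"scanner {vm} would be redirected (IPS false positives)")
    for vm in sorted(groups["Protected VMs"] - groups[SCANNER_GROUP]):
        if first_match_action(rules, vm, groups) != "redirect":
            problems.append(f"{vm} would NOT be inspected by the SVA")
    return problems

# Rules as the article describes them: exclusion first, then redirect all
CORRECT_ORDER = [
    {"name": "Exclude scanners", "source": SCANNER_GROUP, "action": "do_not_redirect"},
    {"name": "Redirect all", "source": None, "action": "redirect"},
]
# Same two rules with the order swapped: the catch-all hides the exclusion
WRONG_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    print("correct order:", check_policy_order(CORRECT_ORDER) or "OK")
    print("wrong order:  ", check_policy_order(WRONG_ORDER))
```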
