Device identified as Scanning others - Can We auto quarantine or lock
Hi there
Doing a little testing and am wondering, is there a way to do 2 specific things:
1> Can a device that is found to be attempting a scan of other devices on the network (or exhibiting other bad behaviors) be auto quarantined?
2> Can you have 2 quarantines ... one for new devices (e.g. allows internet access) and one for devices that have exhibited concerning behaviors (completely locked down with no access to anything - and the home for devices that trigger on point 1 ^^ )?
-
1. Detecting a scanner and then quarantining it is definitely possible, but due to how some of the devices work, the scanning part may be "normal". We have seen devices trying to find other devices using some types of scanning ... so quarantining them will likely cause problems.
2. This is also possible; you can manually do this today. An automatic way of quarantining again will cause issues: false positives + people don't ever look at their notifications, and when a problem happens, we always get a nasty note over the support channel.
-
Thank you for the note:
1> This could be a service that may be applied to a network, and a rule could be applied to allow device/s to bypass the requirement (could work as an opt-in or opt-out type of thing) = most devices alarm and quarantine, and the ones allowed to scan could do so when they want.
2> Yep, understand... however, if 1 is a multi-step config, that could block this type of malarkey.
I think this would be a great control to catch the sudden change of a device's operating stance.... that said, these are just thoughts.
And thank you and the Firewall Team for your super support...
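The policy discussed in this thread (flag devices that sweep many local hosts, exempt allowlisted scanners, and keep separate "new device" and "locked down" quarantines), sketched as an added example that is not part of any post and not the product's own code. The flow records, MAC addresses, threshold and tier names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (source MAC, destination IP, destination port).
# Every name, threshold and tier below is an assumption made for illustration.
FLOWS = (
    [("aa:aa:aa:00:00:01", f"192.168.1.{h}", 445) for h in range(2, 40)]     # sweeps 38 hosts
    + [("aa:aa:aa:00:00:02", f"192.168.1.{h}", 1900) for h in range(2, 40)]  # discovery-style sweep
    + [("aa:aa:aa:00:00:03", "192.168.1.10", 443)] * 5                       # talks to one host only
    + [("aa:aa:aa:00:00:04", "192.168.1.20", 80)]                            # previously unseen device
)

KNOWN_DEVICES = {"aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"}
SCAN_ALLOWLIST = {"aa:aa:aa:00:00:02"}  # opt-out rule: devices permitted to scan
FANOUT_THRESHOLD = 20                   # distinct local hosts contacted per window


def classify(flows, known, allowlist, threshold=FANOUT_THRESHOLD):
    """Return {mac: tier}; tier is 'normal', 'new-device' or 'locked-down'."""
    targets = defaultdict(set)
    for mac, dst_ip, _port in flows:
        targets[mac].add(dst_ip)

    tiers = {}
    for mac, hosts in targets.items():
        scanning = len(hosts) >= threshold
        if scanning and mac not in allowlist:
            tiers[mac] = "locked-down"  # second quarantine: no access to anything
        elif mac not in known:
            tiers[mac] = "new-device"   # first quarantine: internet access only
        else:
            tiers[mac] = "normal"       # includes allowlisted scanners
    return tiers


if __name__ == "__main__":
    result = classify(FLOWS, KNOWN_DEVICES, SCAN_ALLOWLIST)
    for mac, tier in sorted(result.items()):
        print(mac, tier)
```

Without the allowlist entry, the discovery-style device would land in the locked-down tier as well, which is the false-positive case raised in the reply above.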