FireEye - Part 2. FireEye deployment practice

So, now that we know how FireEye works in theory (see part 1), how is it deployed? Is it inline? Is it active or passive?

The following recommendation is an excerpt from FireEye themselves and the diagram shows a simple deployment.

FireEye has an implementation strategy much like a gateway Anti-Virus product or an IDS. The deployment would be in a location that sees user traffic coming from and going to the internet. In order to prevent False Positives, we would want to be deployed behind all current defenses such as IPS, Web Filter, Gateway AV, etc., that might block attacks that we detect. In other words, we don’t want to alert on things that would later be blocked. For operational sake, we would also like to be deployed on the inside of a NAT or NAT-like device, such as a non-transparent proxy, so that we see the correct source IP of the infected system. From an analysis perspective it doesn’t affect fidelity, but from an operational standpoint this would be suggested.

We saw above how FireEye ‘simplified’ the deployment (they always say that, don’t they?). They also allude to the best practice of deploying inside NAT or a similar device, so that alerts carry the real address of the infected host rather than the address of the proxy or NAT gateway.
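The two placement rules in the excerpt (behind the blocking controls, inside the NAT) can be sanity-checked from logs once the sensor is up. The following Python is an added example, not FireEye's code; it assumes constructed alert and block records and a known set of NAT/proxy addresses, and flags alerts that an upstream control already blocked or that carry a NAT address as the source.

```python
"""Sanity checks for where a detonation/IDS-style sensor sits in the traffic path.

Constructed example (not FireEye's code): if alerts repeatedly match flows that an
upstream IPS/proxy already blocked, the sensor is probably in front of those
controls; if alert source IPs are the NAT/proxy address, it sits outside the NAT.
"""
from collections import namedtuple

Alert = namedtuple("Alert", "src dst ts")   # sensor alert: client IP, destination, epoch seconds
Block = namedtuple("Block", "src dst ts")   # upstream block event (IPS, web filter, gateway AV)


def check_sensor_placement(alerts, blocks, nat_addresses, window=5):
    """Count alerts that were blocked upstream and alerts whose source is a
    NAT/proxy address; both are hints that the sensor is mis-placed."""
    blocked_upstream = 0
    nat_sourced = 0
    for a in alerts:
        if a.src in nat_addresses:
            nat_sourced += 1
        # Same client/destination pair blocked within `window` seconds of the alert
        if any(b.src == a.src and b.dst == a.dst and abs(b.ts - a.ts) <= window
               for b in blocks):
            blocked_upstream += 1
    return {"alerts": len(alerts),
            "blocked_upstream": blocked_upstream,
            "nat_sourced": nat_sourced}


def placement_verdict(stats):
    """Plain-language interpretation of the counts."""
    findings = []
    if stats["alerts"] and stats["blocked_upstream"] / stats["alerts"] > 0.5:
        findings.append("sensor likely sits in front of IPS/proxy: move it behind them")
    if stats["nat_sourced"]:
        findings.append("alerts carry the NAT/proxy address: move sensor inside the NAT")
    return findings or ["placement consistent with vendor guidance"]


# Constructed sample data (hypothetical addresses from documentation ranges)
ALERTS = [Alert("10.0.0.5", "203.0.113.7", 1000),
          Alert("10.0.0.8", "198.51.100.9", 1200),
          Alert("192.0.2.1", "203.0.113.44", 1300)]   # 192.0.2.1 is the NAT address
BLOCKS = [Block("10.0.0.5", "203.0.113.7", 1002),     # IPS blocked the same flow 2s later
          Block("10.0.0.9", "198.51.100.9", 1201)]
NAT_ADDRESSES = {"192.0.2.1"}

if __name__ == "__main__":
    stats = check_sensor_placement(ALERTS, BLOCKS, NAT_ADDRESSES)
    print(stats, placement_verdict(stats))
```

In a real deployment the records would come from the sensor's alert export and the IPS/proxy logs over the same time window.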

Subsequent blogs follow

Part 3 : Collection of articles on how FireEye brought (or attempted to bring)  botnets down

Part 4 : What are the downsides of FireEye

You can find the previous part here

Part 1: Why FireEye? How it works?
