Algorithm Activation Strategy

| Algorithm Name | Internal / Core Routers | Edge Routers | Public Facing IP Addresses Defined In IP Groups |
|---|---|---|---|
| BotNet Detection | FlowPro Defender | FlowPro Defender | N/A |
| Breach Attempt Detection | Yes | Yes | Yes |
| DDoS Detection | No | Yes | Yes |
| Denied Flows Firewall | Yes | No | No |
| DNS Command and Control | FlowPro Defender | FlowPro Defender | N/A |
| DNS Data Link | FlowPro Defender | FlowPro Defender | N/A |
| DNS Hits | Yes | Yes | Yes |
| Domain Reputation | FlowPro Defender | FlowPro Defender | N/A |
| DRDoS Detection | No | Yes | Yes |
| FIN Scan | Yes | Yes | No |
| Host Reputation | No | Yes | Yes |
| ICMP Destination Unreachable | Yes | No | No |
| ICMP Port Unreachable | Yes | No | No |
| IP Address Violations | Yes | Yes | Yes |
| Malware Behavior Detection | FlowPro Defender | FlowPro Defender | N/A |
| Multicast Violations | Yes | Yes | Yes |
| Null Scan | Yes | Yes | No |
| Odd TCP Flags Scan | Yes | Yes | No |
| Persistent Flow Risk | Yes | Yes | No |
| P2P Detection | Yes | Yes | No |
| RST/ACK Detection | Yes | Yes | No |
| SYN Scan | Yes | Yes | No |
| TCP Scan | Yes | Yes | No |
| UDP Scan | Yes | Yes | No |
| XMAS Scan | Yes | Yes | No |

Algorithms for Public Facing IP Addresses: These addresses should be defined as an IP Group, which will cause these addresses to be treated as part of a protected network. Algorithms such as DDoS will not trigger an alarm unless the target of the DDoS is an internal address (defined within an IP Group).

If the primary concern is ‘internal to internal’ and ‘internal to external’ monitoring, then enable algorithms on the core routers and ensure that any routable IP Addresses that should be monitored as part of the internal network are defined within an IP Group. Monitoring ‘internal to internal’ and ‘internal to external’ traffic is highly recommended for identification of traffic patterns that may indicate a compromised asset and to assist with incident response.

If the primary concern is monitoring public facing assets, ensure that all public-facing IP Addresses are contained within an IP Group, and add the edge routers to most algorithms.
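The following is an added example, not code from this page or from the product it documents. It encodes the activation table above as data and applies the two rules the page states: an algorithm only fires for an exporter role on which it is enabled, and algorithms in the "Defined In IP Groups" column (DDoS is the page's example) only alarm when the target address is inside a defined IP Group. The IP Group definitions and the `should_alarm` decision rule are assumptions made for illustration; they model the page's guidance, not the product's internal logic. The helper `missing_ip_group_coverage` is a pre-deployment check for the "ensure all public-facing IP Addresses are contained within an IP Group" step.

```python
import ipaddress

# Activation matrix transcribed from the table on this page.
# Value layout: (core_routers, edge_routers, target_must_be_in_ip_group)
# "Yes"/"No" are the page's own values. "FlowPro" stands for the page's
# "FlowPro Defender" entries (the algorithm is fed by FlowPro Defender,
# not by a router's flow export) and None stands for the page's "N/A".
ACTIVATION = {
    "BotNet Detection":             ("FlowPro", "FlowPro", None),
    "Breach Attempt Detection":     ("Yes", "Yes", True),
    "DDoS Detection":               ("No",  "Yes", True),
    "Denied Flows Firewall":        ("Yes", "No",  False),
    "DNS Command and Control":      ("FlowPro", "FlowPro", None),
    "DNS Data Link":                ("FlowPro", "FlowPro", None),
    "DNS Hits":                     ("Yes", "Yes", True),
    "Domain Reputation":            ("FlowPro", "FlowPro", None),
    "DRDoS Detection":              ("No",  "Yes", True),
    "FIN Scan":                     ("Yes", "Yes", False),
    "Host Reputation":              ("No",  "Yes", True),
    "ICMP Destination Unreachable": ("Yes", "No",  False),
    "ICMP Port Unreachable":        ("Yes", "No",  False),
    "IP Address Violations":        ("Yes", "Yes", True),
    "Malware Behavior Detection":   ("FlowPro", "FlowPro", None),
    "Multicast Violations":         ("Yes", "Yes", True),
    "Null Scan":                    ("Yes", "Yes", False),
    "Odd TCP Flags Scan":           ("Yes", "Yes", False),
    "Persistent Flow Risk":         ("Yes", "Yes", False),
    "P2P Detection":                ("Yes", "Yes", False),
    "RST/ACK Detection":            ("Yes", "Yes", False),
    "SYN Scan":                     ("Yes", "Yes", False),
    "TCP Scan":                     ("Yes", "Yes", False),
    "UDP Scan":                     ("Yes", "Yes", False),
    "XMAS Scan":                    ("Yes", "Yes", False),
}

ROLE_INDEX = {"core": 0, "edge": 1}

# Constructed IP Groups (assumption): one group for the internal network and
# one for the public-facing assets, as the page recommends. The ranges are
# documentation prefixes, not real deployment addresses.
IP_GROUPS = {
    "Internal": ["10.0.0.0/8", "192.168.0.0/16"],
    "Public Facing": ["203.0.113.0/24"],
}


def in_ip_group(ip, ip_groups=IP_GROUPS):
    """True if the address falls inside any prefix of any defined IP Group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for cidrs in ip_groups.values() for cidr in cidrs)


def router_algorithms(role):
    """Algorithms the table enables on routers of this role ('core' or 'edge').
    FlowPro Defender rows are excluded: they are not driven by router exports."""
    idx = ROLE_INDEX[role]
    return {name for name, cols in ACTIVATION.items() if cols[idx] == "Yes"}


def should_alarm(algorithm, role, target_ip, ip_groups=IP_GROUPS):
    """Assumed decision rule: alarm only if the algorithm is enabled for the
    exporter's role and, where the table requires it, the target address is
    defined in an IP Group (the page states this requirement for DDoS)."""
    cols = ACTIVATION[algorithm]
    if cols[ROLE_INDEX[role]] != "Yes":
        return False
    if cols[2] and not in_ip_group(target_ip, ip_groups):
        return False
    return True


def missing_ip_group_coverage(public_ips, ip_groups=IP_GROUPS):
    """Pre-deployment check: public-facing addresses not yet in any IP Group.
    Any address listed here will not raise DDoS/DRDoS/Host Reputation alarms."""
    return [ip for ip in public_ips if not in_ip_group(ip, ip_groups)]


if __name__ == "__main__":
    print("Core router algorithms:", sorted(router_algorithms("core")))
    print("Edge router algorithms:", sorted(router_algorithms("edge")))
    # Constructed public-facing inventory; 198.51.100.9 is deliberately
    # left out of IP_GROUPS to show the coverage check catching it.
    print("Uncovered:", missing_ip_group_coverage(["203.0.113.7", "198.51.100.9"]))
    print("DDoS to covered target on edge:",
          should_alarm("DDoS Detection", "edge", "203.0.113.10"))
    print("DDoS to uncovered target on edge:",
          should_alarm("DDoS Detection", "edge", "198.51.100.9"))
```

Run `missing_ip_group_coverage` against the full public-facing inventory before enabling the edge routers; an empty result is the state the page asks for. The scan-type algorithms carry `False` in the third column, so they alarm on edge routers regardless of IP Group membership, which is why the check matters most for the DDoS, DRDoS and reputation rows.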