ASM staging in Transparent and Blocking - what is the difference?
Hi,
I was reading some posts related to this subject but I am still not sure if I got it right. So here it is:
Scenario 1
- Enforcement Mode: Transparent
- Enforcement Readiness Period: 7 days
- Signature Staging: Enabled
- Attack signature detected: Learn, Alarm, Block - all enabled
Scenario 2
- Enforcement Mode: Blocking - rest same as for Scenario 1
My understanding of staging is that when it's enabled, then during the Enforcement Readiness Period (ERP) ASM is learning which signatures are triggered (so it discovers signature-based violations).
After the ERP is over, learning stops - or maybe not, depending on the mode, or is it the same for both modes?
Then signatures can be enforced - so all signatures that were not triggered are no longer in staging, and signatures that were triggered have to be reviewed and either enforced or disabled (false positive avoidance).
Now, is there any difference in how this process is performed depending on the Enforcement Mode?
For example, in the case of Blocking, are signatures that were not triggered enforced automatically?
Or is there no automatic enforcement in either mode, and in both cases do signatures that were not learned have to be manually enforced?
Is the difference in how enforced signatures are handled in both modes?
- In Blocking, violations are blocked for enforced signatures
- In Transparent, violations are in fact not blocked even when signatures are enforced (so only alarms are generated for enforced signatures)
Or am I completely wrong? If so, what are the differences, and which mode is preferred in real-life deployments (as opposed to lab setups)?
Piotr