In the past our corporate firewall was only capable of analyzing traffic to and from the internet and some DMZ zones. As of today we have enabled a much larger and more powerful firewall that allows us to inspect all inter-VLAN traffic.
Basically all traffic that moves from one VLAN to another is subject to inspection for malware, viruses, vulnerabilities, etc.
We hope this will greatly reduce the risk of malware hitting and damaging our company.
An interesting discussion started with our firewall consultant during this project. As we are now also segmenting our backup traffic, the question arose whether we need to inspect our backup traffic as well.
The Firewall (Palo Alto) nicely recognizes the traffic as "Veeam" and we have created a separate rule set just for this traffic.
The question now is: should we inspect this traffic for malware, viruses, vulnerabilities, spyware, etc.?
From a security point of view the firewall guys think this should be enabled.
From a backup point of view we believe we should not inspect or block this traffic in case the firewall recognizes something as malware.
Again, it is just for traffic that is identified as "Veeam", which is a very large amount of data. In our opinion it cannot even be recognized as real data as it is just blocks of disk data.
So we thought we should drop the question on this forum and see what you guys think.
Any thoughts or insights you might have are more than welcome.
Thanks and have a great weekend!
- Enthusiast
- Posts: 92
- Liked: 18 times
- Joined: May 21, 2014 12:15 pm
- Full Name: Remko de Koning
- Expert
- Posts: 193
- Liked: 47 times
- Joined: Jan 16, 2018 5:14 pm
- Full Name: Harvey Carel
Re: To inspect or not inspect?
Heuristics are great, but they're only as strong as the cryptography they're built on. We've seen this before (and I think Veeam even has a KB) where signature based firewalls will have hash collision with the threat signatures and legitimate data blocks. The big thing to remember is that your data from hosts is essentially random, and the hashing used by signature based heuristics favors speed over uniqueness in most cases.
As such, you end up with weak crypto where hash collisions are not impossible, and it's actually a preferred state of being because this is just how security folk think -- better safe than sorry.
Personally, I'd leave the inspection tool on and just take the time to investigate each instance. In our shop, we're talking once every few years for a workload of about 1000 VMs, and ultimately it just means we all have to attend a 40-minute presentation from the most sociable guy on the security team.
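An added illustration of the point made above about matching patterns against essentially random backup blocks (this is example code written for this thread, not Veeam or Palo Alto code, and not a model of any real inspection engine): it scans a constructed stream of random bytes for a constructed set of short byte patterns and compares the accidental hits with the analytic expectation, so you can see how chance hits grow with data volume and shrink with pattern length. Stream size, pattern count and pattern length are all made-up parameters.

```python
import random


def expected_chance_matches(stream_bytes: int, num_signatures: int, sig_len: int) -> float:
    """Expected number of accidental hits when a stream of uniformly random
    bytes is scanned for `num_signatures` distinct patterns of `sig_len` bytes:
    each of the (stream_bytes - sig_len + 1) positions matches a given pattern
    with probability 256**-sig_len, so hits scale linearly with data volume
    and fall off exponentially with pattern length."""
    positions = max(stream_bytes - sig_len + 1, 0)
    return positions * num_signatures / float(256 ** sig_len)


def count_matches(data: bytes, signatures) -> int:
    """Count every (possibly overlapping) occurrence of each pattern in data."""
    total = 0
    for sig in signatures:
        start = data.find(sig)
        while start >= 0:
            total += 1
            start = data.find(sig, start + 1)
    return total


def simulate(stream_bytes: int, num_signatures: int, sig_len: int, seed: int = 1) -> dict:
    """Constructed experiment: random bytes stand in for high-entropy disk
    blocks, and random distinct byte strings stand in for a signature set.
    Returns observed hits next to the analytic expectation."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    data = rng.randbytes(stream_bytes)
    signatures = set()
    while len(signatures) < num_signatures:
        signatures.add(rng.randbytes(sig_len))
    return {
        "observed": count_matches(data, signatures),
        "expected": expected_chance_matches(stream_bytes, num_signatures, sig_len),
    }


if __name__ == "__main__":
    # 1 MiB of "backup data" scanned for 64 patterns of increasing length.
    for sig_len in (2, 3, 4, 8):
        r = simulate(1 << 20, 64, sig_len)
        print(f"{sig_len}-byte patterns: observed={r['observed']} "
              f"expected={r['expected']:.4f}")
```

Scale `stream_bytes` up to the size of a nightly backup window and the 2- and 3-byte rows show why very short patterns are unusable on bulk random data, while the 8-byte row shows why real engines rely on longer, context-qualified patterns.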
- Expert
- Posts: 206
- Liked: 41 times
- Joined: Nov 01, 2017 8:52 pm
- Full Name: blake dufour
Re: To inspect or not inspect?
If you're encrypting all Veeam network traffic (I would recommend this), it's probably not going to help much.
- Enthusiast
- Posts: 92
- Liked: 18 times
- Joined: May 21, 2014 12:15 pm
- Full Name: Remko de Koning
Re: To inspect or not inspect?
Thanks both for your feedback. I was a bit afraid that by enabling inspection the backup might get corrupted if the traffic was suddenly blocked, but I guess Veeam has taken precautions to prevent this.
We will go ahead and enable inspection and take it from here, see what the performance hit is on the firewall and how many problems this will eventually give.