
Goals

• After this chapter, you will:
  – Understand threat prevention
  – Configure TP (threat prevention) functions
Agenda: Threat Prevention

• Introduction of Threat Prevention (this section)
• ARP Defense
• Network Attack Defense
• Anti-Virus (AV)
• Intrusion Prevention System (IPS)
• Perimeter Traffic Filtering (PTF)
Threat Prevention

• By configuring threat prevention, the device can detect and block network threats, defend against network attacks, and reduce losses on the Intranet.

• Threat protection includes:
  – ARP Defense
  – Attack Defense
  – Anti-Virus
  – Intrusion Prevention System
  – Abnormal Behavior Detection
  – Advanced Threat Detection
  – Perimeter Traffic Filtering
How Does the iNGFW Handle Attacks?

[Figure: the seven Kill Chain steps (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Action on objectives), grouped into the Preparation, Intrusion and Active Breach phases, with the coverage of a traditional FW, an NGFW and malware detection products compared with the iNGFW, whose coverage is labelled AD/IPS/AV and ATD/ABD.]
Threat Prevention Signature Database

• The threat prevention signature database includes the AV signature database, IPS signature database, PTF database, Abnormal Behavior Model Database and Malware Behavior Model Database. By default the system updates the threat prevention database automatically every day. The device supports remote update and local update.

• The threat protection configuration is supported by security zone and by policy.

• According to severity, signatures are divided into three security levels: critical, warning and informational. Users can take actions for a specific signature attack according to its severity.
  – Critical: critical attack events, such as buffer overflows.
  – Warning: aggressive events, such as over-long URLs.
  – Informational: general events, such as login failures.
Signature Database Update
System > Upgrade management > Signature Database update
Agenda: ARP Defense

• Introduction of Threat Prevention
• ARP Defense (this section)
• Network Attack Defense
• Anti-Virus (AV)
• Intrusion Prevention System (IPS)
• Perimeter Traffic Filtering (PTF)
ARP Defense

• ARP defense uses ARP technology to defend against ARP attacks from the Intranet, including:
  – IP-MAC Binding
  – ARP Authentication
  – ARP Inspection
  – DHCP Snooping
  – Host Defense
  – Host Blacklist
IP-MAC Binding

• IP-MAC Binding (ARP binding). The binding information can be obtained statically or dynamically.
• After manual binding, the following must be configured in interface configuration mode:
  - no arp-learning: disable ARP learning
  - arp-disable-dynamic-entry: disable dynamic entries
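As an added example (not StoneOS code), the following Python models IP-MAC binding with ARP inspection: a host with a static binding is only accepted with its bound MAC, and a single `arp_learning` switch stands in for the combined effect of the two interface commands above. The class names, sample packets and verdict strings are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class ArpPacket:
    sender_ip: str
    sender_mac: str

@dataclass
class ArpInspector:
    """Constructed model of IP-MAC binding plus ARP inspection.
    Static bindings always win. arp_learning=False stands in for
    'no arp-learning' together with 'arp-disable-dynamic-entry':
    no dynamic entry is created, so unbound hosts are dropped."""
    static: dict                    # ip -> manually bound MAC
    arp_learning: bool = True
    dynamic: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> str:
        mac = pkt.sender_mac.lower()
        bound = self.static.get(pkt.sender_ip)
        if bound is not None:                       # statically bound host
            if bound.lower() == mac:
                return "PERMIT"
            self.alerts.append(f"spoof: {pkt.sender_ip} claimed by {mac}, bound to {bound}")
            return "DROP"
        learned = self.dynamic.get(pkt.sender_ip)
        if learned is None:
            if not self.arp_learning:
                self.alerts.append(f"unbound host {pkt.sender_ip} dropped (learning off)")
                return "DROP"
            self.dynamic[pkt.sender_ip] = mac       # first sighting: learn it
            return "LEARN"
        if learned != mac:                          # IP moved to another MAC
            self.alerts.append(f"conflict: {pkt.sender_ip} moved {learned} -> {mac}")
            return "DROP"
        return "PERMIT"

# Constructed sample traffic: gateway 10.0.0.1 is bound; packet 2 impersonates it,
# packet 4 re-claims a dynamically learned IP with a different MAC
SAMPLE = [
    ArpPacket("10.0.0.1", "00:11:22:33:44:55"),
    ArpPacket("10.0.0.1", "de:ad:be:ef:00:01"),
    ArpPacket("10.0.0.50", "aa:bb:cc:dd:ee:01"),
    ArpPacket("10.0.0.50", "aa:bb:cc:dd:ee:02"),
]

def run(arp_learning: bool = True) -> list:
    insp = ArpInspector({"10.0.0.1": "00:11:22:33:44:55"}, arp_learning=arp_learning)
    return [insp.inspect(p) for p in SAMPLE]
```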
ARP Authentication

• ARP authentication protects the system from ARP spoofing attacks. You need to install the ARP client, Hillstone Secure Defender, in order to use ARP authentication.
• Only Windows clients are supported, and the interface must be the gateway.
• ARP authentication supports authentication of individual hosts.
Host Blacklist

• With the host blacklist function, the device can control which users are not able to access the Internet in a specific period.
• Block by host IP or service.
• CLI: MAC addresses are supported in the host blacklist.

Agenda: Network Attack Defense

• Introduction of Threat Prevention
• ARP Defense
• Network Attack Defense (this section)
• Anti-Virus (AV)
• Intrusion Prevention System (IPS)
• Perimeter Traffic Filtering (PTF)
Attack Defense

• There are various attacks in networks, such as compromise or sabotage of servers, theft of sensitive data, or even direct sabotage of network devices that causes service anomalies or interruption. Security gateways must be designed with attack defense functions to detect the various types of network attacks and take appropriate actions to protect the Intranet against malicious attacks, thus ensuring the normal operation of the Intranet and its systems.

• Hillstone devices provide attack defense functions based on security zone.
Threat Protection

Network > Zone > Threat Protection

Configuring Attack Defense 1
At the zone configuration dialog, select the Threat Protection tab and click Configure under "Attack Defense".
Configuring Attack Defense 2
Agenda: AV

• Introduction of Threat Prevention
• ARP Defense
• Network Attack Defense
• Anti-Virus (AV) (this section)
• Intrusion Prevention System (IPS)
• Perimeter Traffic Filtering (PTF)
Configure AV Profile
Object > Antivirus. Click New to create an AV rule.
Apply AV Profile

• The AV profile can be referenced by zone or by policy.

Agenda: IPS

• Introduction of Threat Prevention
• ARP Defense
• Network Attack Defense
• Anti-Virus (AV)
• Intrusion Prevention System (IPS) (this section)
• Perimeter Traffic Filtering (PTF)
IPS

• The protocol detection procedure of IPS consists of two stages:
  - Protocol parsing
  - Engine matching

• IPS working modes:
  - Log only mode
  - IPS mode (the default)

• Two configuration methods:
  - Policy
  - Zone (ingress, egress and bidirectional)
Configure an IPS Profile
Object > Intrusion Prevention System, click New to create an IPS rule.
Configuring IPS Protocol
StoneOS provides a way to configure each protocol and set the action for each attack level.
Apply IPS Profile
The IPS profile can be referenced by policy or by zone.
Agenda: PTF

• Introduction of Threat Prevention
• ARP Defense
• Network Attack Defense
• Anti-Virus (AV)
• Intrusion Prevention System (IPS)
• Perimeter Traffic Filtering (PTF) (this section)
Perimeter Traffic Filtering

• Perimeter Traffic Filtering can filter perimeter traffic based on the known IPs in the black/white lists, and take block action on malicious traffic that hits the blacklist.

• The black/white lists include the following three types:
  − Predefined blacklist: the black/white list IPs are retrieved from the Perimeter Traffic Filtering signature database.
  − User-defined black/white list: according to the actual needs of users, specified IP addresses are added to a user-defined black/white list.
  − Third-party blacklist: linkage with Trend Micro TDA, to get the blacklist from the TDA devices regularly.
Configure PTF

1. Network > Zone > Threat Protection: enable PTF
2. Object > Perimeter Traffic Filtering: customize the blacklist
User-defined blacklist
Threat Log

Monitor > Log > Threat

Example: IPS Log
Log Details
Questions

1. How many kinds of attack detection does threat prevention consist of, and what are they?
2. How many ARP defense methods are supported on Hillstone devices, and what are they?
3. How do you update the signature database?
4. There are two ways to reference IPS and AV; what is the difference?
5. What are the seven steps of the Kill Chain?
6. Can the IPS and AV signature databases still be updated if the service license has expired?
