
Threat Protection

2020

Contents
1 Anti Virus
2 Intrusion Prevention
3 Sandbox
4 Botnet C&C Prevention
5 Perimeter Traffic Filtering
6

Threat Prevention
• Threat prevention is the set of device functions that detect and block network threats. With the
threat prevention functions configured, Hillstone devices can defend against network attacks and
reduce losses on the internal network.

• Threat protection includes:
– ARP Defense
– Attack Defense
– Anti Virus
– Intrusion Prevention System
– Cloud Sandbox
– Botnet C&C Prevention
– Perimeter Traffic Filtering

3 www.hillstonenet.com
Threat Protection Signature Database
• The threat protection signature databases include the AV Signature Database, IPS Signature
Database, IP Reputation Database, Sandbox Whitelist Database, Botnet C&C Prevention Signature
Database, etc. By default the system updates the threat prevention databases automatically on a
daily basis. The device supports both online remote update and local update.

• Threat protection can be configured under a security zone and under a policy.

• According to severity, signatures are divided into three security levels: critical, warning and
informational. The user can set the action taken for a signature according to its severity.
– Critical: critical attack events, such as buffer overflows.
– Warning: aggressive events, such as over-long URLs.
– Informational: general events, such as login failures.

Signature Database Update
System > Upgrade Management > Signature Database Update

Anti Virus

Anti Virus Function
• Hillstone devices can detect various threats including worms, Trojans, malware,
malicious websites, etc.
• Supported protocol types: POP3, HTTP, HTTPS, SMTP, IMAP4, FTP, SMB
• Supported file types: archives (including GZIP, BZIP2, TAR, ZIP and
RAR-compressed archives), PE, MS Office, PDF, HTML, MAIL, RIFF and JPEG.
• Supports malicious website detection
• Supports AV signature updates
• Controlled by licenses
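The file types listed above are recognised by their leading bytes rather than by file extension, and archive types have to be unpacked so that the members can be scanned. The following is an added example, not Hillstone's code: it identifies the deck's file types from constructed magic-byte tables, unpacks GZIP, BZIP2, TAR and ZIP members in memory with a size bound and a nesting limit (so a nested or oversized archive cannot exhaust the scanner), and matches every object against a set of known-bad MD5 values. The sample archive, the hash set and the limits are constructed for the example; RAR is identified but not unpacked because the standard library has no RAR reader.

```python
import bz2
import gzip
import hashlib
import io
import tarfile
import zipfile
from typing import List, Set, Tuple

# Leading-byte signatures for the file types the AV function supports
# (table constructed from the public format specifications).
MAGIC = [
    (b"MZ", "PE"),
    (b"%PDF-", "PDF"),
    (b"\x1f\x8b", "GZIP"),
    (b"BZh", "BZIP2"),
    (b"PK\x03\x04", "ZIP"),
    (b"Rar!\x1a\x07\x00", "RAR4"),
    (b"Rar!\x1a\x07\x01\x00", "RAR5"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"RIFF", "RIFF"),
    (b"\xd0\xcf\x11\xe0", "MS OFFICE"),   # legacy OLE container (.doc/.xls/.ppt)
]
ARCHIVES = {"ZIP", "GZIP", "BZIP2", "TAR"}
MAX_MEMBER = 50 * 1024 * 1024   # assumed per-object limit; decompression is bounded to this
MAX_DEPTH = 4                   # assumed nesting limit for archives inside archives


def identify(data: bytes) -> str:
    """Return the file type by content, not by name or extension."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if len(data) > 262 and data[257:262] == b"ustar":   # TAR magic sits at offset 257
        return "TAR"
    head = data[:64].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "HTML"
    return "UNKNOWN"


def unpack(data: bytes, kind: str) -> List[Tuple[str, bytes]]:
    """Return (name, bytes) for each archive member, reading at most MAX_MEMBER + 1 bytes each."""
    limit = MAX_MEMBER + 1
    if kind == "ZIP":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [(i.filename, z.open(i).read(limit)) for i in z.infolist() if not i.is_dir()]
    if kind == "GZIP":
        return [("<gzip>", gzip.GzipFile(fileobj=io.BytesIO(data)).read(limit))]
    if kind == "BZIP2":
        return [("<bzip2>", bz2.BZ2File(io.BytesIO(data)).read(limit))]
    if kind == "TAR":
        with tarfile.open(fileobj=io.BytesIO(data)) as t:
            return [(m.name, t.extractfile(m).read(limit)) for m in t.getmembers() if m.isfile()]
    return []   # RAR and non-archives: nothing to unpack here


def scan(data: bytes, bad_md5: Set[str], path: str = "<root>", depth: int = 0) -> List[str]:
    """Recursively type, unpack and hash-match an object; returns human-readable findings."""
    findings = []
    kind = identify(data)
    digest = hashlib.md5(data).hexdigest()
    if digest in bad_md5:
        findings.append(f"{path} [{kind}] matches AV signature {digest}")
    if kind in ARCHIVES and depth >= MAX_DEPTH:
        findings.append(f"{path} [{kind}] nesting limit reached, not unpacked")
        return findings
    for name, member in unpack(data, kind):
        if len(member) > MAX_MEMBER:
            findings.append(f"{path}/{name} exceeds size limit, skipped")
            continue
        findings.extend(scan(member, bad_md5, f"{path}/{name}", depth + 1))
    return findings


def build_sample() -> Tuple[bytes, Set[str]]:
    """Constructed test data: a fake PE stub inside a ZIP inside a GZIP (not real malware)."""
    payload = b"MZ" + b"\x00" * 60 + b"constructed fake PE body for the AV example"
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("evil.exe", payload)
        z.writestr("readme.txt", b"hello")
    return gzip.compress(zbuf.getvalue()), {hashlib.md5(payload).hexdigest()}


if __name__ == "__main__":
    for line in scan(*build_sample()):
        print(line)
```

The outer GZIP and the ZIP container have hashes of their own, so a known-bad file re-wrapped in a fresh archive would never match at the top level; the match only happens because the scanner descends to `<root>/<gzip>/evil.exe`.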

Pre-defined AV Profile
Three pre-defined AV profile templates, low, middle and high, each with different actions

User-defined AV Profile
Object > Anti-Virus, click "New" to create an AV profile; click "Configuration" to
enable/disable the AV function

Apply AV Profile

AV Log

Intrusion Prevention

Intrusion Prevention System (IPS)
• IPS working modes
- Log-only mode
- IPS mode (the default)

• Two configuration methods:
- Policy
- Zone (ingress, egress and bidirectional)

IPS Detection Procedure
• Signature matching
IPS extracts the protocol elements of interest from the traffic for signature matching. If the
elements match entries in the signature database, the system processes the traffic according to
the configured action. This part of the detection is configured in the Select Signature section.

• Protocol parsing
IPS analyses the protocol part of the traffic. If the analysis shows that the protocol part contains
abnormal content, the system processes the traffic according to the configured action. This part of
the detection is configured in the Protocol Configuration section.
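To make the two stages concrete, here is an added example that is not StoneOS code: a small HTTP inspector that first extracts the protocol elements (method, URI, Host, User-Agent) and runs them against a constructed signature database carrying the deck's three severity levels, then performs a protocol-parse check for an over-long URL, and finally applies the per-severity action from a profile. The profile layout, the signature IDs and patterns, the 64-byte URI limit and the sample requests are all assumptions made for the example; the log-only versus IPS mode behaviour follows the slide above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import unquote_plus


@dataclass
class Signature:
    sig_id: int
    name: str
    severity: str      # critical | warning | informational
    element: str       # which extracted protocol element the pattern applies to
    pattern: str       # regular expression run against that element


@dataclass
class Verdict:
    hits: List[str] = field(default_factory=list)   # "<id>:<name>" or "protocol:<check>"
    action: str = "pass"                            # pass | log | reset


# Constructed signature database; IDs and patterns are illustrative, not Hillstone's.
SIGNATURE_DB = [
    Signature(1001, "SQL injection in URI", "critical", "uri", r"(?i)union\s+select|'\s*or\s+1=1"),
    Signature(1002, "Reflected XSS in URI", "critical", "uri", r"(?i)<script\b"),
    Signature(2001, "Scanner User-Agent", "warning", "user_agent", r"(?i)sqlmap|nikto"),
    Signature(3001, "HTTP TRACE method", "informational", "method", r"^TRACE$"),
]

# Assumed profile: one action per severity plus the protocol-parse thresholds.
PROFILE = {
    "mode": "ips",                       # "ips" enforces actions, "log-only" never resets
    "actions": {"critical": "reset", "warning": "log", "informational": "log"},
    "protocol": {"max_uri_len": 64},     # an over-long URL is a warning-level event
}
ACTION_RANK = {"pass": 0, "log": 1, "reset": 2}

# Constructed sample requests.
SAMPLES = {
    "sqli": "GET /item?id=1%27%20or%201=1 HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "long": "GET /" + "a" * 80 + " HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "clean": "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}


def extract_http_elements(request: str) -> Dict[str, str]:
    """Stage 1 input: pull the protocol elements the signatures are written against."""
    lines = request.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    # Decode the URI before matching so percent-encoding does not hide the pattern.
    return {
        "method": method,
        "uri": unquote_plus(uri),
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
    }


def inspect_http(request: str, profile: dict = PROFILE, db: List[Signature] = SIGNATURE_DB) -> Verdict:
    elems = extract_http_elements(request)
    verdict = Verdict()
    worst = "pass"

    def apply(severity: str) -> None:
        nonlocal worst
        action = profile["actions"][severity]
        if profile["mode"] == "log-only" and action == "reset":
            action = "log"              # log-only mode records but never blocks
        if ACTION_RANK[action] > ACTION_RANK[worst]:
            worst = action

    # Stage 1: signature matching on the extracted elements.
    for sig in db:
        if re.search(sig.pattern, elems.get(sig.element, "")):
            verdict.hits.append(f"{sig.sig_id}:{sig.name}")
            apply(sig.severity)
    # Stage 2: protocol parsing, i.e. structural anomalies rather than signatures.
    if len(elems["uri"]) > profile["protocol"]["max_uri_len"]:
        verdict.hits.append("protocol:over-long URL")
        apply("warning")
    verdict.action = worst
    return verdict


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, inspect_http(req))
```

Because the most severe action wins, a request that trips both a warning-level protocol check and a critical signature is reset, while the same request under a log-only profile is only logged.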

IPS Pre-defined Profile
Object > Intrusion Prevention System > Profile, click "Configuration" to
enable/disable the IPS function

IPS User-defined Profile
1. Select IPS signatures
2. Protocol configuration

IPS User-defined Profile (1)

IPS User-defined Profile (2)
StoneOS allows each protocol to be configured separately, with an action set for each attack level. For
the HTTP protocol, for example, IPS is able to prevent SQL injection, XSS injection, external links, CC attacks, etc.

Apply IPS Profile

IPS Log

CVE
Check the vulnerability information based on CVE ID

Sandbox

Cloud Sandbox
• The Cloud Sandbox function consists of:
- Firewall detection
- Cloud detection
- Cloud sandbox detection

• Hillstone Cloud
Stores the MD5 of files that have already been analysed
• Cloud Sandbox
Performs the file analysis

Sandbox Global Configuration
• Need to reboot the device after
enabling/disabling the function
• Supported files:
- PE
- APK
- JAR
- MS-Office
- PDF
- SWF
- RAR
- ZIP
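The three detection stages form a cascade: a file known to the firewall is stopped locally, a file whose MD5 the cloud already holds gets the cached verdict, and only an unseen file of a supported type is sent to the sandbox. The following is an added example that is not Hillstone's code; it models that cascade with an in-memory stand-in for each stage. The analysis routine is injected (here a trivial constructed stand-in), the "pending" handling for a file whose sandbox result has not yet arrived is an assumption, and the behaviour of feeding a malicious sandbox verdict back into the firewall's own hash set is an assumption that illustrates why the firewall stage sits first.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# File types the sandbox accepts, as listed on the slide above.
SANDBOX_TYPES = {"PE", "APK", "JAR", "MS-Office", "PDF", "SWF", "RAR", "ZIP"}


@dataclass
class Verdict:
    stage: str    # firewall | cloud | sandbox | none
    result: str   # malicious | clean | pending | unsupported


@dataclass
class SandboxPipeline:
    local_signatures: Set[str]          # stage 1: MD5s the firewall itself knows are bad
    cloud_cache: Dict[str, str]         # stage 2: Hillstone Cloud stand-in, MD5 -> verdict
    analyze: Callable[[bytes], str]     # stage 3: cloud sandbox analysis (injected)
    submitted: Set[str] = field(default_factory=set)   # MD5s awaiting a sandbox result

    def check(self, data: bytes, kind: str) -> Verdict:
        """Run a file through the cascade; `kind` is the content-identified file type."""
        md5 = hashlib.md5(data).hexdigest()
        if md5 in self.local_signatures:
            return Verdict("firewall", "malicious")        # stopped without any cloud round-trip
        if md5 in self.cloud_cache:
            return Verdict("cloud", self.cloud_cache[md5])  # hash already analysed somewhere
        if kind not in SANDBOX_TYPES:
            return Verdict("none", "unsupported")          # nothing further can be done
        if md5 not in self.submitted:
            self.submitted.add(md5)                        # submit once, not per occurrence
        return Verdict("sandbox", "pending")

    def complete(self, data: bytes) -> str:
        """Sandbox result arrives: cache it so the same hash is never analysed twice."""
        md5 = hashlib.md5(data).hexdigest()
        result = self.analyze(data)
        self.cloud_cache[md5] = result
        if result == "malicious":
            self.local_signatures.add(md5)   # assumption: firewall learns the hash locally
        self.submitted.discard(md5)
        return result


def constructed_analyzer(data: bytes) -> str:
    """Stand-in for the real sandbox: flags a constructed marker string."""
    return "malicious" if b"CONSTRUCTED-MALICIOUS-MARKER" in data else "clean"


def build_pipeline() -> SandboxPipeline:
    return SandboxPipeline(local_signatures=set(), cloud_cache={}, analyze=constructed_analyzer)


if __name__ == "__main__":
    pipe = build_pipeline()
    sample = b"MZ" + b"\x00" * 32 + b"CONSTRUCTED-MALICIOUS-MARKER"
    print(pipe.check(sample, "PE"))        # sandbox / pending
    print(pipe.complete(sample))           # malicious
    print(pipe.check(sample, "PE"))        # firewall / malicious
```

The order of the stages is what keeps the cloud and sandbox load bounded: every repeat of a known hash is answered by the cheapest stage that can answer it.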

Pre-defined Profile

User-defined Profile

Apply Sandbox

Sandbox Log

Botnet C&C Prevention

Botnet
• A bot is an automatically running Trojan that can execute external commands. Attackers can
use these Trojans on the infected computers at will, e.g. to steal data, to use the infected
machines to attack other computers, or to send anonymous spam.

• Earthlink statistics show that 20% of the world's computers contain a "Bot".

• A botnet is formed by using one or more spreading methods to infect a large number of hosts
with a bot program, creating a one-to-many control network between the controller and the
infected hosts.

C&C detection
• C&C detection is an effective botnet detection method. It inspects traffic at the network
perimeter and performs C&C detection. By comparing the extracted information with the C&C
address database, it can discover compromised hosts (bots) on the intranet and prevent further
stages of an advanced threat.

• The C&C address database is divided into two parts: the IP address database (which excludes
IPv6 addresses) and the domain database.

Protocol Types
• TCP: matched against the IP address database; the destination IP address is checked when the
session is established

• HTTP: processed in the HTTP decoder, mainly by parsing the Host header

• DNS: checked by matching the domain name and IP address in the DNS decoder. A DNS query
message is matched on the queried domain name; a DNS answer message is matched on the
domain name and the IP address in the answer section.

When the C&C address database is matched, a threat log is generated and the corresponding
action is triggered: log-only or reset connection
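The three protocol hooks above can be written as one detector that shares the two databases. This is an added example, not Hillstone's code: a TCP hook that checks the destination address at session setup (and skips IPv6, since the slide says the IP database excludes it), an HTTP hook that parses the Host header, and two DNS hooks, one for the queried name and one for the answer section, where both the name and any resolved address are checked. The sample IPs and domains are constructed from the reserved documentation ranges, and matching a sub-domain of a listed domain (a parent-domain match) is an assumption that goes slightly beyond the exact matching the slide describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class ThreatLog:
    proto: str       # TCP | HTTP | DNS
    indicator: str   # the IP or domain that matched
    action: str      # log-only | reset


class CCDetector:
    def __init__(self, ip_db: Iterable[str], domain_db: Iterable[str], action: str = "log-only") -> None:
        if action not in ("log-only", "reset"):
            raise ValueError("action must be 'log-only' or 'reset'")
        # Only IPv4 entries are kept, matching the database described on the slide.
        self.ip_db = {a for a in map(ipaddress.ip_address, ip_db) if a.version == 4}
        self.domain_db = {d.lower().rstrip(".") for d in domain_db}
        self.action = action
        self.logs: List[ThreatLog] = []   # every match produces a threat log entry

    def _hit(self, proto: str, indicator: str) -> ThreatLog:
        entry = ThreatLog(proto, indicator, self.action)
        self.logs.append(entry)
        return entry

    def _domain_listed(self, name: str) -> bool:
        # Assumption: a sub-domain of a listed domain counts as a match.
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domain_db for i in range(len(labels)))

    def on_tcp_session(self, dst_ip: str) -> Optional[ThreatLog]:
        """Called once when a session is established; IPv6 cannot match."""
        ip = ipaddress.ip_address(dst_ip)
        if ip.version == 4 and ip in self.ip_db:
            return self._hit("TCP", dst_ip)
        return None

    def on_http_request(self, host_header: str) -> Optional[ThreatLog]:
        """HTTP decoder hook: strip a port (and IPv6 brackets) from the Host header."""
        if host_header.startswith("["):
            host = host_header[1:host_header.index("]")]
        else:
            host = host_header.split(":", 1)[0]
        return self._hit("HTTP", host) if self._domain_listed(host) else None

    def on_dns_query(self, qname: str) -> Optional[ThreatLog]:
        """DNS decoder hook for a query: match the queried name."""
        return self._hit("DNS", qname) if self._domain_listed(qname) else None

    def on_dns_answer(self, answers: Iterable[Tuple[str, str]]) -> List[ThreatLog]:
        """DNS decoder hook for a response: match both name and resolved address per record."""
        hits = []
        for name, rdata in answers:
            if self._domain_listed(name):
                hits.append(self._hit("DNS", name))
            try:
                ip = ipaddress.ip_address(rdata)
            except ValueError:
                continue                 # CNAME, TXT and similar records carry no address
            if ip.version == 4 and ip in self.ip_db:
                hits.append(self._hit("DNS", rdata))
        return hits


# Constructed databases using reserved documentation ranges and names.
SAMPLE_IP_DB = ["203.0.113.7", "2001:db8::bad"]
SAMPLE_DOMAIN_DB = ["c2.example"]

if __name__ == "__main__":
    det = CCDetector(SAMPLE_IP_DB, SAMPLE_DOMAIN_DB, action="reset")
    det.on_tcp_session("203.0.113.7")
    det.on_http_request("beacon.c2.example:8080")
    det.on_dns_answer([("www.c2.example", "203.0.113.7")])
    for entry in det.logs:
        print(entry)
```

A DNS answer that points a listed name at a listed address produces two log entries, one per matched indicator, which is what an analyst wants when tracing which database entry fired.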

User-defined Profile
• Object > Botnet C&C Prevention > Profile, click "New" to create a profile; click
"Configuration" to enable/disable the Botnet C&C Prevention function

Apply the C&C Prevention

C&C Log

Perimeter Traffic Filtering

Perimeter Traffic Filtering
• More and more malicious IPs
- There are a large number of malicious IPs on the public network that constantly send spam,
run botnets and launch other attacks

Traditional firewall: get attacked, then detect, then defend
PTF: block the malicious IP directly, so the attack never happens

Configure Perimeter Traffic Filtering
Network > Zone

Question
1. Which threat protection function needs a device reboot to take effect after it is enabled?
2. Which file types are supported by the sandbox?
3. What is the URL for signature database update?
4. There are two ways to apply an IPS/AV profile; what is the difference between them?
5. Is it possible to update the IPS and AV signature databases if the corresponding service license
has expired?

Thanks
