2020
Contents
1 Anti Virus
2 Intrusion Prevention
3 Sandbox
Threat Prevention
• Threat prevention is the set of functions that detect and block network threats. By
configuring the threat prevention functions, Hillstone devices can defend against
network attacks and reduce losses on the internal network.
3 www.hillstonenet.com
Threat Protection Signature Database
• The threat protection signature database includes the AV Signature Database, IPS Signature
Database, IP Reputation Database, Sandbox Whitelist Database, Botnet C&C
Prevention Signature Database, etc. By default the system updates the threat
prevention databases automatically once a day. The device supports online remote update
and local update.
• Threat protection is configured on security zones and on policies.
• According to severity, signatures are divided into three security levels: critical,
warning and informational. Users can set the action for a specific signature
according to its severity.
– Critical: critical attack events, such as buffer overflows.
– Warning: aggressive events, such as over-long URLs.
– Informational: general events, such as login failures.
Signature Database Update
System > Upgrade Management > Signature Database Update
Anti Virus
Anti Virus Function
• Hillstone devices can detect various threats, including worms, Trojans,
malware, malicious websites, etc.
• Supported protocol types: POP3, HTTP, HTTPS, SMTP, IMAP4, FTP, SMB
• Supported file types: archives (including GZIP, BZIP2, TAR, ZIP and
RAR-compressed archives), PE, MS Office, PDF, HTML, MAIL, RIFF and
JPEG.
• Supports malicious website detection
• Supports AV signature updates
• Controlled by license
Pre-defined AV Profile
Three pre-defined AV profile templates: low, middle and high, each with different actions
User-defined AV Profile
Object > Anti-Virus, click 『New』 to create an AV profile, click 『Configuration』 to
enable/disable the AV function
Apply AV Profile
AV Log
Intrusion Prevention
Intrusion Prevention System (IPS)
• IPS working modes
- Log-only mode: matches are logged but traffic is not blocked
- IPS mode: the configured action is enforced (the default mode)
IPS Detecting Procedure
• Signature matching
IPS extracts the protocol elements of interest from the traffic and matches them against
the signature database. If an element matches an entry in the database, the system
processes the traffic according to the configured action. This part of the detection is
configured in the Select Signature section of the profile.
• Protocol parsing
IPS parses the protocol part of the traffic. If the analysis shows that the protocol
part contains abnormal content, the system processes the traffic according to the
configured action. This part of the detection is configured in the Protocol Configuration
section of the profile.
IPS Pre-defined Profile
Object > Intrusion Prevention System > Profile, click 『Configuration』 to
enable/disable the IPS function
IPS User-defined Profile
1. Select IPS signatures
2. Protocol configuration
IPS User-defined Profile (1)
IPS User-defined Profile (2)
StoneOS lets you configure each protocol individually and set an action for each attack level. For
the HTTP protocol, for example, IPS can prevent SQL injection, XSS, external links, CC (HTTP flood) attacks, etc.
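The two detection stages above (signature matching on extracted protocol elements, then protocol parsing for anomalies), the three severity levels from the Threat Protection Signature Database slide, the per-attack-level actions of the Protocol Configuration, and the log-only versus IPS working modes can be seen together in a small model. This is an added example written for this page, not StoneOS code: the signature IDs, patterns, URL length limit and HTTP requests are all constructed for illustration.

```python
"""Toy model of the two IPS detection stages: signature matching on extracted
protocol elements and protocol parsing for anomalies. The action comes from the
signature's severity level (critical/warning/informational) and from the working
mode (IPS vs log-only). Added illustration, not StoneOS code; the signature IDs,
patterns, limit and requests are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote


@dataclass(frozen=True)
class Signature:
    sid: int            # hypothetical signature ID
    name: str
    severity: str       # critical | warning | informational
    element: str        # which extracted element the pattern inspects
    pattern: re.Pattern


# Constructed signature database (patterns are illustrative, not a real feed).
SIGNATURES = [
    Signature(1001, "SQL injection", "critical", "query",
              re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    Signature(1002, "cross-site scripting", "critical", "query",
              re.compile(r"(?i)<script\b|javascript:")),
    Signature(1003, "admin console probe", "informational", "path",
              re.compile(r"^/admin(/|$)")),
]

# Per-severity action table, as set in a profile's attack-level configuration.
ACTIONS = {"critical": "reset", "warning": "log", "informational": "log"}

# Protocol-parse limit (constructed); an over-long URL is the slides' own "warning" example.
MAX_URL_LEN = 256


def extract_http(request: str) -> dict:
    """Pull the protocol elements IPS is interested in out of a raw HTTP request."""
    lines = request.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "url": target, "version": version,
            "path": unquote(parts.path), "query": unquote(parts.query),
            "host": headers.get("host", "")}


def match_signatures(el: dict) -> list:
    """Stage 1: signature matching (the 'Select Signature' part of a profile)."""
    return [(s.name, s.severity, ACTIONS[s.severity])
            for s in SIGNATURES if s.pattern.search(el.get(s.element, ""))]


def parse_protocol(el: dict) -> list:
    """Stage 2: protocol parsing (the 'Protocol Configuration' part of a profile)."""
    found = []
    if len(el["url"]) > MAX_URL_LEN:
        found.append(("over-long URL", "warning", ACTIONS["warning"]))
    if el["version"] not in ("HTTP/1.0", "HTTP/1.1"):
        found.append(("abnormal HTTP version", "warning", ACTIONS["warning"]))
    return found


def inspect(request: str, log_only: bool = False):
    """Return (final action, list of (event, severity, action)).
    log_only=True models log-only mode: every hit is logged, nothing is reset."""
    el = extract_http(request)
    events = match_signatures(el) + parse_protocol(el)
    if log_only:
        events = [(name, sev, "log") for name, sev, _ in events]
    if any(action == "reset" for _, _, action in events):
        return "reset", events
    return ("log" if events else "pass"), events


if __name__ == "__main__":
    # Constructed requests: SQL injection, over-long URL, clean request.
    for req in (
        "GET /search?q=1'%20or%20'1'='1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        "GET /" + "a" * 300 + " HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    ):
        print("IPS mode:", inspect(req)[0], "| log-only:", inspect(req, log_only=True)[0])
```

The point to notice is that the two stages are independent: a request that matches no signature can still be flagged by the protocol parser (the over-long URL), and a critical signature hit is downgraded to a log entry only when the whole profile runs in log-only mode, which is why that mode is useful for tuning a new profile before enforcing it.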
Apply IPS Profile
IPS Log
CVE
Look up vulnerability information by CVE ID
Sandbox
Cloud Sandbox
• The Cloud Sandbox function consists of:
- Firewall detection
- Cloud detection
- Cloud sandbox detection
• Hillstone Cloud
Stores the MD5 of detected files
• Cloud Sandbox
File analysis
Sandbox Global Configuration
• The device must be rebooted after
enabling or disabling the function
• Supported files:
- PE
- APK
- JAR
- MS-Office
- PDF
- SWF
- RAR
- ZIP
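The three stages listed on the Cloud Sandbox slide (firewall detection, cloud detection keyed by the file's MD5, cloud sandbox analysis) and the supported-file-type list above fit together as a triage pipeline, which the following added example models. It is written for this page and is not StoneOS or Hillstone Cloud code: the local byte signature (the EICAR test-file marker, chosen so the sample is harmless), the cloud verdict cache, the sandbox whitelist and the sample files are all constructed, and the magic-byte type detector is a simplification. Because MD5 is no longer collision resistant, the example also records SHA-256 next to the MD5 lookup key; that is a choice of this example, not a statement about how Hillstone Cloud stores hashes.

```python
"""Toy model of the three-stage flow: firewall (local signature) detection,
cloud detection by MD5 lookup, then cloud sandbox submission for files of a
supported type that neither earlier stage knows. Added illustration, not
StoneOS or Hillstone Cloud code; the local signature, cloud verdict cache,
whitelist and sample files are constructed."""
import hashlib
import io
import zipfile
from typing import Optional

# Stage 1 data: a local AV byte signature. The EICAR test-file marker is used
# so the sample is harmless (constructed choice for this example).
LOCAL_SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def detect_type(data: bytes) -> Optional[str]:
    """Identify the sandbox-supported types from the slide by magic bytes.
    JAR, APK and OOXML Office files are all ZIP containers, so look inside."""
    if data.startswith(b"MZ"):
        return "PE"
    if data.startswith(b"%PDF-"):
        return "PDF"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "SWF"
    if data.startswith(b"Rar!\x1a\x07"):
        return "RAR"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "MS-Office"          # legacy OLE2 .doc/.xls/.ppt
    if data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return None
        if "AndroidManifest.xml" in names:
            return "APK"
        if "META-INF/MANIFEST.MF" in names:
            return "JAR"
        if "[Content_Types].xml" in names:
            return "MS-Office"      # OOXML .docx/.xlsx/.pptx
        return "ZIP"
    return None


def make_zip(entries: dict) -> bytes:
    """Build a constructed ZIP-based sample (JAR/APK/OOXML/plain ZIP) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def triage(data: bytes, cloud_verdicts: Optional[dict] = None,
           sandbox_whitelist: Optional[set] = None) -> dict:
    """Return which stage decided and what it decided, plus the file's hashes and type."""
    cloud_verdicts = cloud_verdicts or {}
    sandbox_whitelist = sandbox_whitelist or set()
    digest = md5hex(data)
    record = {"md5": digest, "sha256": hashlib.sha256(data).hexdigest(),
              "type": detect_type(data)}
    # Stage 1: firewall detection with the local signature database.
    if any(sig in data for sig in LOCAL_SIGNATURES):
        return {**record, "stage": "firewall", "verdict": "malicious"}
    # Stage 2: cloud detection; the cloud keys its stored verdicts by MD5.
    if digest in cloud_verdicts:
        return {**record, "stage": "cloud", "verdict": cloud_verdicts[digest]}
    # Stage 3: cloud sandbox, only for supported types that are not whitelisted.
    if digest in sandbox_whitelist:
        return {**record, "stage": "whitelist", "verdict": "benign"}
    if record["type"] is None:
        return {**record, "stage": "none", "verdict": "unsupported-type"}
    return {**record, "stage": "sandbox", "verdict": "submitted"}


if __name__ == "__main__":
    # Constructed samples: an unknown PDF, an APK container and a plain text file.
    pdf = b"%PDF-1.7\n%constructed sample\n"
    print(triage(pdf)["stage"], triage(pdf, cloud_verdicts={md5hex(pdf): "benign"})["stage"])
    print(triage(make_zip({"AndroidManifest.xml": b"<manifest/>"}))["type"])
    print(triage(b"just some text")["verdict"])
```

The order of the stages is what keeps the sandbox queue small: anything the local signatures or the cloud hash cache already know never reaches the sandbox, and the type check stops unsupported files from being submitted at all. A practitioner should also note the gap this creates: a file that is both unknown to the cloud and of an unsupported type passes through with no sandbox verdict.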
Pre-defined Profile
User-defined Profile
Apply Sandbox
Sandbox Log
Botnet C&C Prevention
Botnet
• A bot is an automatically running Trojan that executes commands received from
outside. Attackers can use these Trojans on the infected computers at will, e.g. to
steal data, to use the infected machines to attack other computers, or to send
anonymous spam.
C&C detection
• C&C detection is an effective botnet detection method. It scans traffic at the network
perimeter and compares the addresses it extracts with the C&C address database, which
makes it possible to discover compromised internal hosts (zombies) and to prevent the
later stages of an advanced threat.
• The C&C address database has two parts: the IP address database (IPv4 only; IPv6
addresses are not included) and the domain database.
Protocol Types
• TCP: matched against the IP address database; the destination IP address is checked
when the session is established.
• DNS: checked by matching the domain name and IP address in the DNS decoder. A DNS
query message is matched on the queried domain name; a DNS answer message is matched
on the domain name and on the IP addresses in the answer section.
When a match against the C&C address database is found, a threat log is generated and the
corresponding action is triggered: log only or reset connection.
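The matching rules above can be written out directly: an IP check at TCP session setup, a name check on DNS queries, and a name-plus-IP check on DNS answers, with the profile's action (log only or reset) applied to every hit. The following is an added example written for this page, not StoneOS code; the C&C IP and domain databases, the client hosts and the DNS records are constructed, and the record shapes are an assumption of the example.

```python
"""Toy C&C matching along the two protocol paths on the slide: TCP sessions
are checked against the IP database once, when the session is established, and
DNS messages are checked in the DNS decoder (queries on the queried name,
answers on the names and on the IPs in the answer section). Added illustration,
not StoneOS code; the address databases, hosts and DNS records are constructed."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed C&C address database: IPv4 only (the slide's IP database excludes
# IPv6) and domain names. RFC 5737 test addresses and .invalid names are used.
CC_IPS = {ipaddress.ip_address("203.0.113.7"), ipaddress.ip_address("198.51.100.23")}
CC_DOMAINS = {"cnc.example.invalid", "update.bad.invalid"}


def ip_matches(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                 # not an IP literal
    return addr.version == 4 and addr in CC_IPS


def domain_matches(name: str) -> bool:
    """Exact match or any subdomain of a listed C&C domain, case-insensitive."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in CC_DOMAINS)


def check_tcp_session(src: str, dst: str, action: str = "reset") -> Optional[dict]:
    """Run once per new session (at establishment), not on every packet."""
    if ip_matches(dst):
        return {"proto": "tcp", "indicator": dst, "action": action,
                "log": f"C&C IP {dst} contacted by {src}"}
    return None


def check_dns_query(qname: str, client: str, action: str = "reset") -> Optional[dict]:
    if domain_matches(qname):
        return {"proto": "dns", "indicator": qname, "action": action,
                "log": f"C&C domain {qname} queried by {client}"}
    return None


def check_dns_answer(qname: str, answers: List[Tuple[str, str, str]], client: str,
                     action: str = "reset") -> Optional[dict]:
    """answers: (owner name, rtype, rdata) records from the answer section.
    Matching CNAME targets catches a chain that lands on a C&C host; matching
    A records catches a harmless-looking name that resolves to a C&C IP."""
    if domain_matches(qname):
        return {"proto": "dns", "indicator": qname, "action": action,
                "log": f"C&C domain {qname} answered to {client}"}
    for owner, rtype, rdata in answers:
        hit = (domain_matches(owner)
               or (rtype == "CNAME" and domain_matches(rdata))
               or (rtype == "A" and ip_matches(rdata)))
        if hit:
            return {"proto": "dns", "indicator": rdata, "action": action,
                    "log": f"C&C indicator {rdata} in answer for {qname} to {client}"}
    return None


def run_profile(events: List[dict], profile_action: str = "log-only") -> List[dict]:
    """Apply a profile's action (log-only or reset) to a stream of constructed events."""
    action = "log" if profile_action == "log-only" else "reset"
    logs = []
    for ev in events:
        if ev["kind"] == "tcp":
            hit = check_tcp_session(ev["src"], ev["dst"], action)
        elif ev["kind"] == "dns_query":
            hit = check_dns_query(ev["qname"], ev["src"], action)
        else:
            hit = check_dns_answer(ev["qname"], ev["answers"], ev["src"], action)
        if hit:
            logs.append(hit)
    return logs


if __name__ == "__main__":
    # Constructed traffic: one C&C session, one benign session, one CNAME chain.
    sample = [
        {"kind": "tcp", "src": "10.0.0.5", "dst": "203.0.113.7"},
        {"kind": "tcp", "src": "10.0.0.5", "dst": "192.0.2.80"},
        {"kind": "dns_answer", "src": "10.0.0.5", "qname": "cdn.example.invalid",
         "answers": [("cdn.example.invalid", "CNAME", "update.bad.invalid."),
                     ("update.bad.invalid", "A", "192.0.2.9")]},
    ]
    for entry in run_profile(sample, "reset"):
        print(entry["action"], entry["log"])
```

Two details matter in practice. The TCP check fires only at session establishment, so a database update does not retroactively catch sessions that were already open; and because the IP database is IPv4 only, an AAAA answer is never matched, which is why the DNS domain check is the more durable of the two signals.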
User-defined Profile
• Object > Botnet C&C Prevention > Profile, click 『New』 to create a profile, click
『Configuration』 to enable/disable the Botnet C&C Prevention function
Apply the C&C Prevention
C&C Log
Perimeter Traffic Filtering
Perimeter Traffic Filtering
• More and more malicious IPs
- There are a large number of malicious IPs on the public network that constantly send
spam, run botnets and launch other attacks
Traditional firewall: get attacked, then detect, then defend
PTF: block the malicious IP directly, before the attack happens
Configure Perimeter Traffic Filtering
Network > Zone
Question
1. Which threat protection function needs a device reboot to take effect after being enabled?
2. Which file types does the sandbox support?
3. What is the URL for signature database update?
4. There are two ways to apply an IPS/AV profile; what is the difference between them?
5. Is it possible to update the IPS and AV signature databases if the corresponding service license
has expired?
Thanks