HCSA-NGFW 2022
Contents
1 ARP Defense
2 Attack Defense
[Figure: Cyber Kill Chain; Traditional FW, NGFW, iNGFW]
www.hillstonenet.com
ARP Defense
• ARP defense uses ARP-level controls to defend against ARP attacks that originate inside the Intranet. It includes:
– IP-MAC Binding
– ARP Authentication
– ARP Inspection
– DHCP Snooping
– Host Defense
– Host Blacklist
IP-MAC Binding
• IP-MAC binding (ARP binding): binding entries can be configured statically or learned dynamically.
• After binding entries manually, configure the following in interface configuration mode so that only the static entries are trusted:
no arp-learning  (disable ARP learning on the interface)
arp-disable-dynamic-entry  (disable dynamic entries; only static entries are checked)
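The check that the two interface commands above turn on, as an added example in Python (it is not StoneOS code, and the interface names, MAC addresses and ARP packets are constructed for the example). With learning and dynamic entries enabled, an unknown sender is learned on first sight and later checked against that entry; with both disabled, only static bindings are trusted. In both modes a sender whose IP is bound to another MAC or interface is dropped and an alarm is recorded.

```python
"""ARP inspection against IP-MAC bindings (added example, not StoneOS code).

Models the two interface settings on the slide: with ARP learning enabled the
device may learn a sender it has never seen; with learning disabled and
dynamic entries disabled, only static bindings are trusted and anything else
is dropped. A sender whose IP is bound to a different MAC (or interface) is
treated as an ARP spoof: drop and alarm. Addresses and packets are constructed.
"""
import re
from dataclasses import dataclass


def norm_mac(mac):
    """Accept 001c.5cff.acbd, 00:1c:5c:ff:ac:bd or 00-1c-... and canonicalise."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    ingress_if: str
    opcode: int = 2        # 1 = request, 2 = reply


class ArpInspector:
    def __init__(self, arp_learning=True, dynamic_entries=True):
        self.arp_learning = arp_learning          # "no arp-learning" -> False
        self.dynamic_entries = dynamic_entries    # "arp-disable-dynamic-entry" -> False
        self.static = {}      # ip -> (mac, interface), configured by hand
        self.dynamic = {}     # ip -> (mac, interface), learned from traffic
        self.alarms = []

    def bind(self, ip, mac, interface):
        """Static IP-MAC binding (the manual case on the slide)."""
        self.static[ip] = (norm_mac(mac), interface)

    def _entry(self, ip):
        if ip in self.static:
            return self.static[ip]
        return self.dynamic.get(ip) if self.dynamic_entries else None

    def inspect(self, pkt):
        """Return 'permit' or 'drop' for one incoming ARP packet."""
        claimed = (norm_mac(pkt.sender_mac), pkt.ingress_if)
        bound = self._entry(pkt.sender_ip)
        if bound is not None:
            if bound == claimed:
                return "permit"
            self.alarms.append(f"ARP spoof: {pkt.sender_ip} claimed by {claimed[0]} on "
                               f"{claimed[1]}, bound to {bound[0]} on {bound[1]}")
            return "drop"
        if self.arp_learning and self.dynamic_entries:
            self.dynamic[pkt.sender_ip] = claimed   # first-seen sender is learned
            return "permit"
        self.alarms.append(f"unbound sender {pkt.sender_ip} ({claimed[0]}) on "
                           f"{claimed[1]} dropped")
        return "drop"


def run_demo(strict):
    """Replay a constructed sequence: gateway spoof, a new host, then a MAC change."""
    insp = ArpInspector(arp_learning=not strict, dynamic_entries=not strict)
    insp.bind("10.0.0.1", "001c.5cff.acbd", "ethernet0/1")        # the real gateway
    traffic = [
        ArpPacket("10.0.0.1", "00:1c:5c:ff:ac:bd", "ethernet0/1"),  # genuine gateway reply
        ArpPacket("10.0.0.1", "aaaa.bbbb.cccc", "ethernet0/1"),     # gateway IP spoofed
        ArpPacket("10.0.0.50", "1111.2222.3333", "ethernet0/1"),    # unknown host
        ArpPacket("10.0.0.50", "4444.5555.6666", "ethernet0/1"),    # same IP, new MAC
    ]
    return [insp.inspect(p) for p in traffic], insp.alarms


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, alarms = run_demo(strict=mode)
        print("strict" if mode else "learning", verdicts, alarms)
```

In learning mode the unknown host 10.0.0.50 is accepted once and then pinned to the MAC it first used, which is exactly the window a spoofer can exploit by answering first; the strict combination of both commands closes it at the cost of having to bind every legitimate host by hand.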
Host Blacklist
• With the host blacklist function, the device can stop a specified host from accessing the Internet during a given period.
• Block by host IP/MAC address or by service.
• The WebUI can block for at most 3600 s; the CLI can block permanently.
• Example: block a host by MAC address during the schedule "working" (9:00 to 18:00 every day):
SG-6000# configure
SG-6000(config)# schedule working
SG-6000(config-schedule)# periodic daily 9:00 to 18:00
SG-6000(config-schedule)# exit
SG-6000(config)# host-blacklist mac 001c.5cff.acbd schedule working
Matching Sequence
Attack Defense
Networks face a range of unavoidable attacks: compromise or sabotage of servers, theft of sensitive data, interference with services, or even direct sabotage of network devices that causes service anomalies or outages. Security gateways, as a category of network security device, must therefore be designed with attack defense functions that detect the various types of network attack and take appropriate action to protect the Intranet against them, so that the Intranet and its systems keep operating normally.
Attack Protocol Category (AD)
Attack Types (AD)
Attack Defense
Network > Zone > Threat Protection, then click "Configure" next to Attack Defense.
Configuring Attack Defense
SYN Flood
• The attacker can send large amount of SYN packets of forged source IP to the attacked host and establish
equally large number of half-open connections until timeout. As a result, resources will be exhausted and
normal accesses will be blocked.
Client Server
SYN
SYN/ACK
ACK
SYN
SYN/ACK
SYN
SYN/ACK
www.hillstonenet.com
SYN Flood Attack Defense – SYN Flood
SYN Flood Attack Defense – SYN Proxy
[Figure: client SYN arrives, the device creates a session and answers SYN/ACK itself; the client's ACK finds that session, and only then does the device send a SYN to the server; the server's SYN/ACK finds the session and the device completes the server-side handshake with an ACK]
SYN Flood Attack Defense – SYN Cookie
[Figure: client SYN arrives and the device answers SYN/ACK without storing any session state; when the client's ACK arrives and validates, the device creates the session and only then sends a SYN to the server; the server's SYN/ACK finds the session and the device completes it with an ACK]
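The difference between the two diagrams above, as an added example in Python (not StoneOS code; the secret, the cookie layout, addresses and traffic are constructed for this example and the layout is simplified, real cookies also carry an MSS index). A SYN proxy must allocate a half-open entry per SYN; a SYN cookie encodes the 4-tuple, a coarse time counter and a keyed hash into the SYN/ACK sequence number, so a session is created only when a final ACK proves the client received that SYN/ACK.

```python
"""SYN cookie versus SYN proxy under a SYN flood (added example, not StoneOS code)."""
import hashlib
import hmac
import random

SECRET = b"constructed-example-secret"   # a real device rotates this
TICK = 64            # granularity of the cookie time counter, in seconds
MAX_AGE_TICKS = 2    # reject cookies older than this many ticks


def _tag(src, sport, dst, dport, tick, secret):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}@{tick}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, now, secret=SECRET):
    """Initial sequence number = 8-bit time counter || 24-bit tag."""
    tick = (now // TICK) & 0xFF
    return (tick << 24) | int.from_bytes(_tag(src, sport, dst, dport, tick, secret), "big")


def check_cookie(cookie, src, sport, dst, dport, now, secret=SECRET):
    """True if we minted this cookie for this 4-tuple and it is still fresh."""
    tick = cookie >> 24
    age = (((now // TICK) & 0xFF) - tick) & 0xFF
    if age > MAX_AGE_TICKS:
        return False
    expected = _tag(src, sport, dst, dport, tick, secret)
    return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected)


class SynCookieServer:
    """Stores nothing between SYN and ACK; the cookie is the only state."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.sessions = {}

    def half_open(self):
        return 0

    def on_syn(self, src, sport, now):
        return make_cookie(src, sport, self.ip, self.port, now)   # seq of our SYN/ACK

    def on_ack(self, src, sport, ack, now):
        cookie = (ack - 1) & 0xFFFFFFFF                             # ack = our seq + 1
        if not check_cookie(cookie, src, sport, self.ip, self.port, now):
            return False
        self.sessions[(src, sport)] = "ESTABLISHED"                 # session created only now
        return True


class SynProxyServer:
    """Allocates a half-open entry per SYN, so a spoofed flood fills the table."""

    def __init__(self, ip, port, timeout=30):
        self.ip, self.port, self.timeout = ip, port, timeout
        self.pending = {}      # (src, sport) -> (our seq, arrival time)
        self.sessions = {}
        self._isn = random.Random(7)

    def half_open(self, now=None):
        if now is not None:    # age out entries older than the half-open timeout
            self.pending = {k: v for k, v in self.pending.items() if now - v[1] < self.timeout}
        return len(self.pending)

    def on_syn(self, src, sport, now):
        seq = self._isn.getrandbits(32)
        self.pending[(src, sport)] = (seq, now)
        return seq

    def on_ack(self, src, sport, ack, now):
        entry = self.pending.pop((src, sport), None)
        if entry is None or ack != ((entry[0] + 1) & 0xFFFFFFFF):
            return False
        self.sessions[(src, sport)] = "ESTABLISHED"
        return True


def flood_demo(n_spoofed=5000, now=1000):
    """Send n spoofed SYNs (never ACKed) to both servers; return half-open counts."""
    rng = random.Random(1)
    cookie_srv = SynCookieServer("192.0.2.10", 80)
    proxy_srv = SynProxyServer("192.0.2.10", 80)
    for i in range(n_spoofed):
        src = f"203.0.113.{rng.randrange(1, 255)}"     # forged source, will never answer
        sport = 1024 + i
        cookie_srv.on_syn(src, sport, now)
        proxy_srv.on_syn(src, sport, now)
    return cookie_srv.half_open(), proxy_srv.half_open(now)


if __name__ == "__main__":
    print("half-open after flood (cookie, proxy):", flood_demo())
```

The cost of the cookie is visible in `check_cookie`: the responder cannot remember options it did not encode, and a cookie is only honoured for a short window, so the time counter doubles as replay protection. The proxy keeps full fidelity but needs the half-open timeout to shed the flood, which is why the two are usually combined: proxy below a threshold, cookies above it.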
Flood Attack
An ICMP flood or UDP flood sends a huge number of ICMP messages (such as ping) or UDP packets to a target within a short period, each demanding a response. Under the load, the target cannot complete its normal transmission tasks.
[Figure: a few ICMP ECHO requests each answered with an ICMP REPLY, followed by a burst of ICMP ECHO requests arriving faster than the target can answer them]
Flood Attack Defense
Scan Attack
A scan attack uses scanners to probe destination addresses and ports and infers from the responses which of them exist. Using an IP address sweep or a port scan, an attacker can determine which systems are alive and connected to the target network and which ports the hosts use to provide services.
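One detector for both the Flood Attack and the Scan Attack slides above, as an added example in Python (not StoneOS code; thresholds, window length, addresses and the packet records are constructed for this example, and on a real device the thresholds are per-zone settings). A flood is more than a threshold number of packets of one protocol to one destination inside a sliding window; a port scan is one source touching more than a threshold number of distinct ports on one host; an IP sweep is one source touching more than a threshold number of hosts.

```python
"""Rate-threshold flood and scan detection over a packet stream
(added example, not StoneOS code)."""
from collections import defaultdict, deque


class AttackDetector:
    def __init__(self, window=1.0, flood_threshold=1000,
                 scan_port_threshold=20, sweep_host_threshold=20):
        self.window = window
        self.flood_threshold = flood_threshold
        self.scan_port_threshold = scan_port_threshold
        self.sweep_host_threshold = sweep_host_threshold
        self._flood = defaultdict(deque)   # (dst, proto) -> arrival times
        self._flood_alarmed = set()
        self._scan = defaultdict(deque)    # src -> (time, dst, dport)
        self._scan_alarmed = set()

    def _expire(self, dq, now, key=lambda e: e):
        """Drop entries that fell out of the sliding window."""
        while dq and now - key(dq[0]) > self.window:
            dq.popleft()

    def feed(self, ts, src, dst, proto, dport=None):
        """Process one packet; return the alarms it triggers (usually none)."""
        alarms = []
        # flood: packets per destination and protocol in the window
        fkey = (dst, proto)
        times = self._flood[fkey]
        self._expire(times, ts)
        times.append(ts)
        if len(times) > self.flood_threshold:
            if fkey not in self._flood_alarmed:
                self._flood_alarmed.add(fkey)
                alarms.append(f"{proto} flood to {dst}: {len(times)} packets in {self.window}s")
        else:
            self._flood_alarmed.discard(fkey)   # re-arm once the rate falls
        # scan: distinct ports / hosts touched by one source in the window
        seen = self._scan[src]
        self._expire(seen, ts, key=lambda e: e[0])
        seen.append((ts, dst, dport))
        ports = {p for _, d, p in seen if d == dst and p is not None}
        hosts = {d for _, d, _ in seen}
        if len(ports) > self.scan_port_threshold and (src, dst, "portscan") not in self._scan_alarmed:
            self._scan_alarmed.add((src, dst, "portscan"))
            alarms.append(f"port scan from {src} against {dst}: {len(ports)} ports in {self.window}s")
        if len(hosts) > self.sweep_host_threshold and (src, "sweep") not in self._scan_alarmed:
            self._scan_alarmed.add((src, "sweep"))
            alarms.append(f"IP sweep from {src}: {len(hosts)} hosts in {self.window}s")
        return alarms


def constructed_traffic():
    """(time, src, dst, proto, dport) records: benign, then flood, port scan, sweep."""
    pkts = [(0.1 * i, "10.1.1.50", "10.1.1.10", "TCP", 443) for i in range(5)]
    pkts += [(1.0 + i * 0.0004, f"203.0.113.{i % 254 + 1}", "10.1.1.10", "ICMP", None)
             for i in range(1200)]                                  # 1200 echo requests in 0.48 s
    pkts += [(2.0 + p * 0.01, "192.0.2.5", "10.1.1.20", "TCP", p) for p in range(1, 31)]
    pkts += [(3.0 + h * 0.01, "192.0.2.6", f"10.1.1.{h}", "ICMP", None) for h in range(1, 26)]
    return pkts


def run_sample():
    """Feed the constructed stream through a detector and collect alarms."""
    det = AttackDetector()
    alarms = []
    for pkt in constructed_traffic():
        alarms += det.feed(*pkt)
    return alarms


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The flood sources in the sample are forged and each appears only a handful of times, so per-source counters would never fire; that is why flood detection keys on the destination while scan detection keys on the source. Tuning is the hard part in practice: a backup job or a load balancer's health checks can cross either threshold, which is what the whitelist in the Attack Defense configuration is for.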
Scan/Spoof Defense
IP Address Spoof
IP address spoofing is a technique used to gain unauthorized access to computers. The attacker sends packets with a forged source IP address to a target so that the packets appear to come from a legitimate host.
IP Address Spoof Defense
• After a packet enters the device, StoneOS performs a reverse route lookup on its source IP address, checking that the route back to that source leaves through the interface the packet arrived on. If the lookup indicates IP address spoofing, StoneOS drops the packet and raises an alarm.
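The reverse route lookup described above, as an added example in Python (not StoneOS code; the routing table, interface names and packet sources are constructed for this example, and the strict/loose distinction is the general reverse-path-forwarding model rather than anything the slide states). For each packet the route for the source address is found by longest-prefix match; in strict mode the packet is accepted only if that route leaves through the ingress interface, in loose mode it is enough that some route to the source exists.

```python
"""Reverse-path check for IP address spoof defense (added example, not StoneOS code)."""
from ipaddress import ip_address, ip_network


class ReversePathChecker:
    def __init__(self, routes):
        """routes: (prefix, interface) pairs; the longest prefix wins on lookup."""
        self.routes = sorted(((ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.alarms = []

    def lookup(self, addr):
        """Longest-prefix match; returns the egress interface or None."""
        a = ip_address(addr)
        for net, iface in self.routes:
            if a in net:
                return iface
        return None

    def check(self, src, ingress, strict=True):
        """'permit' or 'drop' for a packet with source src arriving on ingress."""
        reverse = self.lookup(src)
        if reverse is None:
            reason = "no route to source"
        elif reverse == ingress or not strict:
            return "permit"
        else:
            reason = f"reverse route via {reverse}"
        self.alarms.append(f"IP spoof: src {src} on {ingress} dropped ({reason})")
        return "drop"


def run_demo():
    """Constructed gateway: ethernet0/0 faces the Internet, 0/1 and 0/2 are internal."""
    rpf = ReversePathChecker([
        ("0.0.0.0/0", "ethernet0/0"),
        ("10.0.0.0/8", "ethernet0/1"),
        ("10.1.0.0/16", "ethernet0/2"),
    ])
    packets = [
        ("10.1.5.5", "ethernet0/2"),        # internal host on its own segment
        ("10.2.0.1", "ethernet0/1"),        # matches the /8, not the /16
        ("198.51.100.9", "ethernet0/0"),    # Internet host on the outside interface
        ("10.1.5.5", "ethernet0/0"),        # internal address arriving from outside: spoof
        ("198.51.100.9", "ethernet0/1"),    # outside address arriving from inside: spoof
    ]
    return [rpf.check(src, iface) for src, iface in packets], rpf.alarms


if __name__ == "__main__":
    verdicts, alarms = run_demo()
    print(verdicts)
    for line in alarms:
        print(line)
```

Strict mode is the one that catches the classic case in the slide, an internal address arriving from the Internet-facing interface, but it also drops legitimate traffic wherever routing is asymmetric (the reply path differs from the request path), so on multi-homed links it is usually relaxed to loose mode, which then only rejects sources with no route at all.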
Questions
1. How many ARP defense methods are supported on a Hillstone device, and what are they?
2. How is the Attack Defense whitelist configured?
3. What are the common attacks handled by Attack Defense (AD)?
Thanks