
Chapter 14 – Threat Protection

HCSA-NGFW 2022
Contents
1 Anti Virus
2 Intrusion Prevention
Threat Prevention
• Threat prevention is a set of functions that detect and block network threats. By
configuring the threat prevention functions, Hillstone devices can defend against
network attacks and reduce losses to the internal network.

• Threat protection functions include:

– ARP Defense
– Attack Defense
– Anti Virus
– Intrusion Prevention System
– Cloud Sandbox
– Botnet C&C Prevention
– Perimeter Traffic Filtering (IP Reputation)
– Anti-spam

www.hillstonenet.com
Threat Protection Signature Database
• The threat protection signature databases include the AV Signature Database, IPS
Signature Database, IP Reputation Database, Sandbox Whitelist Database, Botnet C&C
Prevention Signature Database, etc. By default the system updates the threat
prevention databases automatically on a daily basis. The device supports online remote
update and local update.

• Threat protection can be configured under a security zone or under a policy.

• According to severity, signatures are divided into three security levels: critical,
warning and informational. Users can set an action for a specific signature attack
according to its severity.
– Critical: critical attack events, such as buffer overflows.
– Warning: aggressive events, such as over-long URLs.
– Informational: general events, such as login failures.

• Local update: http://update1.hillstonenet.com/ / http://update2.hillstonenet.com/


Signature Database Update
System > Upgrade Management > Signature Database Update

Anti Virus
Anti Virus Function
• Hillstone devices can detect various threats, including worms, Trojans,
malware, malicious websites, etc.
• Supported protocol types: POP3, HTTP, HTTPS, SMTP, IMAP4, FTP, SMB
• Supported file types: archives (including GZIP, BZIP2, TAR, ZIP and
RAR-compressed archives), PE, MS Office, PDF, HTML, MAIL, RIFF and
JPEG.
• Supports malicious website detection
• Supports AV signature updates
• License-controlled

Pre-defined AV Profile
Three pre-defined AV profile templates (low, middle, high), each with different actions

User-defined AV Profile
Object > Anti-Virus: click『New』to create an AV profile, click『Configuration』to
enable/disable the AV function

Apply AV Profile
• A profile can be referenced in multiple places (policies and zones), but traffic is matched only once;
• An AV profile applied in a policy takes priority over one applied in a zone.

AV Log

Intrusion Prevention
Intrusion Prevention System (IPS)
• IPS (Intrusion Prevention System) is designed to monitor various network attacks in
real time and take appropriate actions (such as blocking) against the attacks according to
your configuration. StoneOS supports license-controlled IPS, i.e., the IPS function
will not work unless an IPS license has been installed on a StoneOS device that supports
IPS.
• IPS working modes
- Log only mode
- IPS mode (the default)

• Two configuration methods:

- Policy
- Zone (ingress, egress and bidirectional)

IPS Detecting Procedure
• Signature matching
IPS extracts the protocol elements of interest from the traffic for signature matching. If
the elements match entries in the signature database, the system processes the traffic
according to the configured action. This part of detection is configured in the Select
Signature section.

• Protocol parsing
IPS analyzes the protocol part of the traffic. If the analysis shows that the protocol
part contains abnormal content, the system processes the traffic according to the
configured action. This part of detection is configured in the Protocol Configuration
section.
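The following Python model is an added illustration, not StoneOS code: it walks one HTTP request line through the two detection stages described above (signature matching on the extracted elements, then protocol parsing for abnormal content), applies the per-severity action from the profile, and shows how log-only mode changes the outcome. The signatures, the URL-length threshold and the sample requests are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

# Constructed signatures using the page's severity levels; patterns are
# illustrative assumptions, not Hillstone signature content.
SIGNATURES = [
    ("SQL injection attempt", "critical", re.compile(r"\bunion\s+select\b", re.I)),
    ("Login failure", "informational", re.compile(r"/login\?.*failed=1", re.I)),
]

MAX_URL_LEN = 64  # assumed threshold for the "over-long URL" protocol check

@dataclass
class IpsProfile:
    """Action per severity level plus the working mode (log-only or IPS mode)."""
    actions: dict = field(default_factory=lambda: {
        "critical": "block", "warning": "block", "informational": "log"})
    log_only: bool = False

    def decide(self, severity: str) -> str:
        # In log-only mode every hit is logged; nothing is blocked.
        return "log" if self.log_only else self.actions[severity]

def parse_request_line(line: str) -> Optional[tuple]:
    """Extract the protocol elements of interest (method, URL) from an HTTP request line."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], unquote(parts[1])  # decode %xx before matching

def inspect(line: str, profile: IpsProfile) -> tuple:
    """Return (finding, severity, action); clean traffic yields ("clean", None, "permit")."""
    elements = parse_request_line(line)
    if elements is None:
        return ("Malformed HTTP request line", "warning", profile.decide("warning"))
    _method, url = elements
    # Stage 1: signature matching against the extracted elements.
    for name, severity, pattern in SIGNATURES:
        if pattern.search(url):
            return (name, severity, profile.decide(severity))
    # Stage 2: protocol parsing flags abnormal content such as an over-long URL.
    if len(url) > MAX_URL_LEN:
        return ("Over-long URL", "warning", profile.decide("warning"))
    return ("clean", None, "permit")

SAMPLE = [  # constructed sample traffic
    "GET /index.html HTTP/1.1",
    "GET /search?q=1%20union%20select%20password HTTP/1.1",
    "GET /" + "a" * 80 + " HTTP/1.1",
    "POST /login?failed=1 HTTP/1.1",
]

def run(profile: IpsProfile) -> list:
    return [inspect(line, profile) for line in SAMPLE]
```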

IPS Pre-defined Profile
Object > Intrusion Prevention System > Profile: click『Configuration』to
enable/disable the IPS function

IPS User-defined Profile
1. Select IPS signatures
2. Protocol configuration

IPS User-defined Profile (1)

IPS User-defined Profile (2)
StoneOS allows each protocol to be configured individually, with an action set for each attack level. For the
HTTP protocol, for example, IPS can prevent SQL injection, XSS injection, external links, CC attacks, etc.; the domain
must be set.

Apply IPS Profile
• A profile can be referenced in multiple places (policies and zones), but traffic is matched only once;
• An IPS profile applied in a policy takes priority over one applied in a zone.

IPS Log

CVE
Look up vulnerability information by CVE ID

Question
1. Which threat protection function needs a device reboot to take effect after being enabled?
2. What file types are supported by the sandbox?
3. What is the URL for signature database updates?
4. There are two ways to apply an IPS/AV profile; what is the difference?
5. Is it possible to update the IPS and AV signature databases if the corresponding service license
has expired?

Thanks
