On October 21, 2016, Dyn, a US-based provider of managed and dynamic DNS services (DynDNS), reported a DDoS attack that caused access problems for many websites relying on its DNS service, including the collective downtime of news websites such as the BBC, the Wall Street Journal, CNN and the New York Times. Twitter was intermittently unreachable for much of the day. The attack was a DNS flood: a very large volume of DNS queries, generated by the Mirai IoT botnet, overwhelmed Dyn's DNS infrastructure, so clients could no longer resolve the names of the sites that depended on it.
Protection introduction
Risks faced by internal users when accessing the Internet:
(1) Unauthorized access and illegal user traffic
(2) DDoS attacks and ARP spoofing
(3) Unwanted access during office hours (P2P, streaming video)
(4) Illegal access (pornography, gambling sites)
(5) Unwanted content (unknown scripts and plug-ins)
(6) Insecure access (web- and mail-borne viruses)
(7) Botnet and backdoor attacks that exploit PC vulnerabilities, leaving the PC under remote control
NGAF functions that address these risks: Firewall, Authentication, Application Control, Web Filtering, Gateway Antivirus, IPS and APT detection.
DoS/DDoS background
DoS objectives: 1. Bandwidth consumption 2. Exhaustion of server resources (CPU, memory, connection tables) 3. Server downtime
DoS attack: a DoS (Denial of Service) attack is an attempt to make a machine or network resource unavailable to its intended users. DDoS attack: a DDoS (Distributed Denial of Service) attack is a DoS attack launched simultaneously from many hosts, typically a botnet, against one machine or network resource.
NGAF anti-DoS/DDoS covers two directions, outside attacks and inside attacks. Inbound attack prevention protects internal servers from attacks originating in an external zone; it is disabled by default and is enabled under System > General Settings > Network. Outbound attack prevention stops internal PCs (for example bot-infected hosts) from attacking public servers. A separate DoS protection setting protects the device itself.
DoS types: attack characteristics and impact
ICMP Flood, UDP Flood, DNS Flood: the attacker sends a very large number of packets of one protocol. The flood occupies the server's bandwidth and saturates the link, so the server can no longer provide services normally.
SYN Flood: the attacker abuses the TCP three-way handshake. Each SYN makes the server allocate a half-open connection that the attacker never completes; the accumulated half-open connections exhaust the server's resources, or the resources reserved for TCP requests, so the server cannot serve legitimate clients.
Malformed packet attack: the attacker sends malformed packets that make the target allocate system resources incorrectly, causing the host to hang or even crash; examples are Ping of Death and Teardrop.
CC attack: the attacker controls a number of hosts that continuously send requests to the victim's servers, depleting server resources until the server stalls or crashes. CC (Challenge Collapsar) attacks mainly target dynamic web pages.
Slow attack: a variant of the CC attack that works against any server accepting HTTP. The client establishes a connection, declares a relatively large Content-Length, then sends the body very slowly (for example one byte every 1–10 seconds) to keep the connection open. If clients keep opening such connections, the server's available connections fill up gradually, resulting in a denial of service.
DoS – SYN flooding attack (diagram)
Normal case: client and server complete the SYN, SYN+ACK, ACK exchange; server memory and CPU hold only a few half-open entries and the service stays normal.
SYN flood: the attacker sends SYNs from random source addresses and source ports and never answers the SYN+ACK. Every SYN leaves a half-open connection in SYN_RECEIVED, and the server's resources (memory/CPU, backlog) are exhausted before the half-open entries time out.
DoS – SYN flooding attack (SYN proxy)
NGAF defends against SYN floods with a SYN proxy. NGAF answers each SYN on the server's behalf with a SYN+ACK whose sequence number is a SYN cookie, keeping no per-connection state. Only when the client returns the matching ACK does NGAF open the connection to the server; it then converts the sequence numbers between the client leg and the server leg so both sides see one consistent connection. Flood SYNs from spoofed sources never produce a valid ACK, so the server receives no attack packets at all.
DoS – SYN flooding attack summary
What do the per-source-IP packet threshold and per-source-IP packet loss threshold of SYN flood protection refer to?
Activation threshold: when the SYN request rate seen for an IP in the protected destination IP group (counted per source IP) exceeds the configured value, NGAF switches on the SYN proxy for that traffic.
Packet loss threshold: when the rate exceeds this higher value, NGAF no longer proxies and discards the SYN packets directly, so the proxy itself does not become the bottleneck.
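The two-threshold SYN proxy described above, as an added worked example; this is illustration code written for this page, not Sangfor's implementation. The HMAC-based cookie, the one-second counting window, the fixed server ISN and the eight-packet flood are all assumptions made for the example.

```python
"""SYN proxy with activation and packet-loss thresholds (added illustration).

Not Sangfor code: the 4-tuple hashing, the one-second window, the fixed
server ISN and the sample flood are assumptions made for this example.
"""
import hashlib
import hmac
from collections import defaultdict

SECRET = b"example-only-secret"   # assumption: a real device uses a rotating secret
MASK32 = 0xFFFFFFFF


def syn_cookie(src, sport, dst, dport, client_isn, secret=SECRET):
    """Stateless 32-bit ISN derived from the 4-tuple and the client's ISN."""
    msg = f"{src}:{sport}>{dst}:{dport}:{client_isn}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class SynProxy:
    """Per-destination SYN rate drives three actions: forward, proxy, drop."""

    def __init__(self, activate_pps, drop_pps, server_isn=1000):
        if activate_pps >= drop_pps:
            raise ValueError("activation threshold must be below the drop threshold")
        self.activate_pps = activate_pps
        self.drop_pps = drop_pps
        self.server_isn = server_isn        # constructed: ISN the real server would choose
        self.window = None                  # current one-second window
        self.syn_per_dst = defaultdict(int)
        self.server_syns = []               # SYNs the protected server actually receives
        self.seq_delta = {}                 # 4-tuple -> offset for sequence translation

    def _count(self, dst, now):
        sec = int(now)
        if sec != self.window:
            self.window, self.syn_per_dst = sec, defaultdict(int)
        self.syn_per_dst[dst] += 1
        return self.syn_per_dst[dst]

    def on_syn(self, pkt, now):
        rate = self._count(pkt["dst"], now)
        if rate > self.drop_pps:             # packet-loss threshold: stop proxying, discard
            return "drop", None
        if rate > self.activate_pps:         # activation threshold: answer with a cookie
            cookie = syn_cookie(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"])
            return "syn_ack", cookie         # nothing stored, nothing sent to the server
        self.server_syns.append(pkt)         # below threshold: plain forwarding
        return "forward", None

    def on_ack(self, pkt):
        """Final ACK of a proxied handshake: valid only if ack == cookie + 1."""
        client_isn = (pkt["seq"] - 1) & MASK32
        cookie = syn_cookie(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], client_isn)
        if pkt["ack"] != (cookie + 1) & MASK32:
            return "invalid"                 # a spoofed source never gets this far
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        self.server_syns.append({**pkt, "seq": client_isn, "ack": 0})   # open server leg now
        self.seq_delta[key] = (self.server_isn - cookie) & MASK32
        return "established"

    def ack_to_server(self, pkt):
        """Rewrite the client's ACK number so the server sees its own ISN."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["ack"] + self.seq_delta[key]) & MASK32


def run_demo():
    """Constructed flood: eight SYNs to one server within a single second."""
    proxy = SynProxy(activate_pps=3, drop_pps=6)
    syns = [{"src": f"203.0.113.{i}", "sport": 40000 + i, "dst": "10.0.0.10",
             "dport": 80, "seq": 7} for i in range(8)]
    actions, cookie = [], None
    for pkt in syns:
        action, c = proxy.on_syn(pkt, now=100.0)
        actions.append(action)
        if pkt["sport"] == 40003:
            cookie = c                       # the 4th SYN was answered with a cookie
    # the 4th client is real and completes the handshake with the cookie
    ack = {**syns[3], "seq": 8, "ack": (cookie + 1) & MASK32}
    outcome = proxy.on_ack(ack)
    # a spoofed host cannot guess the cookie
    spoofed = proxy.on_ack({**syns[4], "seq": 8, "ack": 12345})
    translated = proxy.ack_to_server(ack)
    return actions, outcome, spoofed, translated, len(proxy.server_syns)


if __name__ == "__main__":
    print(run_demo())
```

With thresholds 3 and 6, the first three SYNs are forwarded, the next three are answered with cookies, and the last two are dropped; the server ends up seeing four SYNs, three forwarded plus the one proxied client that proved itself, while the spoofed ACK is discarded.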
DoS configuration ideas
1. Go to System > General Settings > Network and enable Enable inbound DoS protection.
2. Go to Policies > Network Security Policy > Anti-DoS/DDoS and add an Inbound Attack Protection policy.
3. Source Zone: select the external network zone.
4. Scan Type: select IP scan and Port scan.
5. Intranet IP group: select the server IP group to be protected.
6. Attack Type: choose All (the default).
7. To see the effect in a test, lower the blocking threshold appropriately.
8. Advanced: the other options can be ticked, but not Sending IP fragment. Ticking Sending IP fragment is not recommended: with it enabled, packets are discarded indiscriminately, including legitimate traffic.
DoS/DDoS inbound attack prevention (policy fields):
Source zone: the zone the attack comes from.
ARP threshold: all ARP packets per second that NGAF receives from the source zone.
Intranet IP group: the server IP or server IP group to be protected.
Per-IP threshold: traffic is handled as an attack when the packet rate from a single IP in the source zone reaches the threshold.
Attack types: attack methods and detection methods differ by packet type; select the attack types according to your needs. Selecting Sending IP fragment is not recommended.
Detection: select the kind of attack detection; traffic is handled as an attack when the packet rate reaches the threshold.
DoS/DDoS outbound attack prevention (policy fields):
Source zone and IP group: the internal zone and IP group whose outgoing traffic is checked.
Attack types: attack methods and detection methods differ by packet type; select the attack types according to your needs. Selecting Sending IP fragment is not recommended.
Detection: select the kind of attack detection; traffic is handled as an attack when the packet rate reaches the threshold.
Per-IP threshold: traffic is handled as an attack when the packet rate from a single IP in the source zone reaches the threshold.
DoS/DDoS – protecting NGAF itself: a separate setting enables DoS protection for the device itself (screenshot on the slide).
DoS/DDoS precautions:
1. Anti-DoS/DDoS policies are executed from top to bottom.
2. When software bypass is enabled, packet-based attack detection and abnormal message probing remain effective.
3. It is recommended to set the destination IP to a server IP group containing no more than 400 IP addresses.
4. Bypass mode only detects DoS/DDoS and does not block it; in this mode, configure an inbound policy just to detect attacks.
DoS/DDoS – viewing attacker sources: after NGAF detects an attacker, it adds the IP to the locked list. From there the IP address can be added to the global blacklist. The attacker IP address list holds at most 10000 IP addresses.
DoS/DDoS logs: go to Monitor > Security Logs and filter by Anti-DoS/DDoS to view the logs.
DoS/DDoS – internal IP group check: select the internal zone and its IP group. If this option is enabled, packets arriving from the selected zone whose source IP is neither in the IP group nor in a private network segment (that is, a source address that does not belong to the intranet) are dropped directly.
2. GeoLocation Blocking
GeoLocation Blocking background: attackers usually work through proxy servers, and overseas proxy servers are especially popular with them. Most customer business systems do not need to serve overseas users at all, or only a small number of them, and some special business systems only need to serve individual provinces.
Application scenario: once the service scope of a business system has been agreed with the user, GeoLocation Blocking reduces the possible sources of attack and improves the security of the business. GeoLocation Blocking filters access requests according to the country or region an IP address belongs to, reducing the attack surface of intranet business systems.
GeoLocation Blocking – configuration idea
Prerequisites
1. The business system is already in service and can be reached from the external network.
2. The geographic scope of access is clear, for example no access from outside the country, or access only from a certain province.
Configuration steps
1. Define the network object for the business system.
2. Go to Policies > Access Control > GeoLocation Blocking.
3. Configure the policy according to the geographic access requirements identified in the prerequisites.
4. Verify that the policy configured in the previous step behaves as expected.
5. Click Blocked IP Addresses in the GeoLocation Blocking interface to check that the log records are as expected.
GeoLocation Blocking – configuration case: a user has a public-facing publicity website. It has been confirmed with the user that the site only needs to serve IP addresses located in China and, for now, does not need to serve overseas users. The requirement is to be met with NGAF. Simplified topology: overseas and China clients → NGAF → switch → web portal.
GeoLocation Blocking – configuration case 1. Define the business object: go to Object > Network Object and add the IP address, as shown below:
GeoLocation Blocking – configuration case 2. Configure GeoLocation Blocking: go to Policies > Access Control > GeoLocation Blocking; the configuration is as shown in the figure:
GeoLocation Blocking – configuration case 3. Verify the policy: request the business system from an IP address in China; the expected result is normal access. 4. Verify the policy: request the business system from an overseas IP address; the expected result is that access is blocked.
GeoLocation Blocking – configuration case 5. Verify the policy: check the NGAF logs to confirm that GeoLocation Blocking has recorded blocked requests. Go to Policies > Access Control > GeoLocation Blocking > Blocked IP Addresses to check the logs. The screenshot is as follows:
GeoLocation Blocking – precautions
To find out in advance which country or region an IP belongs to, use GeoLocation Blocking > Location Lookup. Location Lookup is a fuzzy search: if the IP address is not in the database, it is matched to the nearest country or region.
When the device can reach the Internet, the address database is updated automatically. There is still a very small probability that an IP address is attributed to the wrong location; handle such cases by excluding the IP from the policy or correcting its location from the log entry.
The interception logs of GeoLocation Blocking are queried under Blocked IP Addresses in the GeoLocation Blocking interface; they are not shown in Monitor.
If a policy allows certain regions, all other regions are blocked automatically.
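The allow-list semantics, the exclusion of a misattributed IP and the blocked-address log described in this section, as an added worked example. This is illustration code written for this page, not Sangfor's implementation; the geolocation table uses RFC 5737 documentation prefixes with made-up regions, the protected address and the requests are constructed, and unknown regions fail closed here rather than being mapped to the nearest region as the product's fuzzy lookup does.

```python
"""GeoLocation blocking policy evaluation (added illustration, not Sangfor code).

The geolocation table uses RFC 5737 documentation prefixes with invented
regions; a real device consults its own, automatically updated database.
"""
import ipaddress

GEO_TABLE = [                                          # constructed sample data
    (ipaddress.ip_network("192.0.2.0/24"), "CN"),
    (ipaddress.ip_network("192.0.2.128/25"), "HK"),    # more specific than the /24
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "SG"),
]


def lookup_region(ip, table=GEO_TABLE):
    """Longest-prefix match; returns None when the database has no entry."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, region in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region)
    return best[1] if best else None


class GeoPolicy:
    """Allow-list semantics: listed regions pass, every other region is blocked.

    `exclusions` are source IPs exempted after a false positive; `corrections`
    override the database for individual addresses.
    """

    def __init__(self, protected, allowed_regions, exclusions=(), corrections=None):
        self.protected = [ipaddress.ip_network(n) for n in protected]
        self.allowed = set(allowed_regions)
        self.exclusions = {ipaddress.ip_address(x) for x in exclusions}
        self.corrections = {ipaddress.ip_address(k): v
                            for k, v in (corrections or {}).items()}
        self.blocked_log = []                # what a Blocked IP Addresses view would show

    def decide(self, src, dst):
        src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(dst_addr in n for n in self.protected):
            return "not_matched"             # the policy applies to the portal only
        if src_addr in self.exclusions:
            return "allow"
        region = self.corrections.get(src_addr) or lookup_region(src)
        # an unknown region fails closed here (assumption; the product maps it to
        # the nearest region instead)
        if region in self.allowed:
            return "allow"
        self.blocked_log.append((src, region or "unknown"))
        return "block"


def run_sample():
    """Constructed requests against a China-only web portal at 10.1.1.80."""
    policy = GeoPolicy(["10.1.1.80/32"], ["CN"],
                       exclusions=["198.51.100.7"],          # partner IP exempted
                       corrections={"203.0.113.9": "CN"})    # misattributed IP corrected
    requests = [
        ("192.0.2.10", "10.1.1.80"),     # CN -> allowed
        ("192.0.2.200", "10.1.1.80"),    # HK by the more specific /25 -> blocked
        ("198.51.100.5", "10.1.1.80"),   # US -> blocked
        ("198.51.100.7", "10.1.1.80"),   # US but excluded -> allowed
        ("203.0.113.9", "10.1.1.80"),    # SG in the table, corrected to CN -> allowed
        ("100.64.0.1", "10.1.1.80"),     # not in the table -> blocked (fail closed)
        ("198.51.100.5", "10.1.1.81"),   # other destination -> policy not matched
    ]
    return [policy.decide(s, d) for s, d in requests], policy.blocked_log


if __name__ == "__main__":
    print(run_sample())
```

The longest-prefix match matters: a /25 carved out of a /24 must win, otherwise every address in the more specific block inherits the wrong region. Note also that the exclusion is checked before any lookup, so a corrected or excluded address never appears in the blocked log again.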
3. ARP Spoofing Prevention
ARP Spoofing Prevention
ARP spoofing is a common attack inside the intranet, often carried out by malware. An infected PC sends forged Address Resolution Protocol (ARP) messages onto the local area network (for example claiming the gateway's IP address) and disrupts internal communication; an entire network segment can lose connectivity. NGAF ARP Spoofing Prevention rejects abnormal ARP requests and replies to protect the ARP cache of the device itself, and also broadcasts the device's own MAC address to internal users so that they do not keep a fake ARP record for the gateway.
ARP Spoofing Prevention: the MAC broadcast of ARP Spoofing Prevention is sent only on interfaces without the WAN attribute. To broadcast on WAN-attribute interfaces as well, enable gratuitous ARP under System > General Settings > Network.
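The "reject abnormal ARP request or reply" part of the feature, as an added worked example of the checks a gateway can apply before updating its own ARP cache. This is illustration code written for this page, not Sangfor's algorithm; the gateway address, the static binding and the sample frames are constructed, and the three decision rules are this example's own.

```python
"""ARP spoofing check on received ARP frames (added illustration, not Sangfor code).

The gateway address, the static binding and the sample frames are constructed;
the three decision rules are this example's own, not the product's algorithm.
"""
from collections import namedtuple

# op: 1 = request, 2 = reply; MACs as lowercase colon-separated strings
ArpFrame = namedtuple("ArpFrame", "op sender_ip sender_mac target_ip target_mac")


class ArpGuard:
    """Protects the device's own ARP cache: bad frames are logged and never learned."""

    def __init__(self, gateway_ip, gateway_mac, static_bindings=None):
        self.gateway_ip = gateway_ip
        self.trusted = {gateway_ip: gateway_mac, **(static_bindings or {})}
        self.learned = {}        # IP -> MAC from the first accepted frame
        self.alerts = []         # (reason, frame)

    def _reject(self, frame, reason):
        self.alerts.append((reason, frame))
        return "reject"

    def inspect(self, frame):
        """Return 'accept' or 'reject'; rejected frames never update the cache."""
        # Rule 1: only the device's own MAC may claim the gateway IP
        if (frame.sender_ip == self.gateway_ip
                and frame.sender_mac != self.trusted[self.gateway_ip]):
            return self._reject(frame, "gateway IP claimed by foreign MAC")
        # Rule 2: a statically bound IP must always carry its bound MAC
        bound = self.trusted.get(frame.sender_ip)
        if bound is not None and frame.sender_mac != bound:
            return self._reject(frame, "static binding mismatch")
        # Rule 3: sender fields that contradict a learned entry are a conflict.
        # Applied to requests as well, because sender fields of a request also
        # update caches on the segment.
        known = self.learned.get(frame.sender_ip)
        if known is not None and known != frame.sender_mac:
            return self._reject(frame, "IP-MAC conflict with learned entry")
        self.learned.setdefault(frame.sender_ip, frame.sender_mac)
        return "accept"


def run_sample():
    """Constructed frames seen on the internal interface of the gateway 10.0.0.1."""
    gw_mac = "00:11:22:33:44:01"
    guard = ArpGuard("10.0.0.1", gw_mac,
                     static_bindings={"10.0.0.50": "00:11:22:33:44:50"})   # e.g. a printer
    frames = [
        ArpFrame(1, "10.0.0.20", "00:11:22:33:44:20", "10.0.0.1", "00:00:00:00:00:00"),  # normal request
        ArpFrame(2, "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.20", "00:11:22:33:44:20"),  # fake gateway reply
        ArpFrame(2, "10.0.0.20", "de:ad:be:ef:00:01", "10.0.0.20", "de:ad:be:ef:00:01"),  # gratuitous, conflicting MAC
        ArpFrame(2, "10.0.0.30", "00:11:22:33:44:30", "10.0.0.1", gw_mac),                # new host, first seen
        ArpFrame(2, "10.0.0.50", "de:ad:be:ef:00:01", "10.0.0.1", gw_mac),                # static binding violated
    ]
    decisions = [guard.inspect(f) for f in frames]
    return decisions, dict(guard.learned), [reason for reason, _ in guard.alerts]


if __name__ == "__main__":
    print(run_sample())
```

The guard accepts the first request from 10.0.0.20 and the first reply from 10.0.0.30, and rejects the three spoofed frames: the one claiming the gateway, the gratuitous reply that contradicts the learned entry for 10.0.0.20, and the one violating the static binding of 10.0.0.50. Rule 3 is deliberately first-seen-wins; in a real deployment that learned table should be seeded from DHCP leases or static bindings so that an attacker who speaks first does not win.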
4. IPS
IPS
NGAF has built-in rules against known vulnerability exploits. NGAF compares packets entering the network with the built-in vulnerability rules, determines the purpose of each packet and, according to the user's configuration, decides whether to allow or deny it into the target network.
IDS (Intrusion Detection System): monitors the state of the network and systems and discovers attack attempts, attack behaviour or attack results; it records but does not block.
IPS (Intrusion Prevention System): discovers and blocks threats in line, based on packet inspection. Every operating system and the applications running on it are likely to contain security vulnerabilities, and an attacker can exploit them with crafted attack packets.
IDS and IPS comparison
Work principle: IDS recognises attack signatures and records attacks for audit purposes; IPS recognises signatures and discards attack data in real time.
Deployment mode: IDS in parallel (bypass, mirror port); IPS in series (routing or transparent mode), optionally also in parallel.
Security attribute: IDS passive; IPS active.
Attack blocking ability: IDS weak; IPS strong.
Response speed: IDS delayed; IPS real time.
Attack data reaches the target: IDS yes; IPS no.
IPS – common intrusions: worms; exploits of network device and server vulnerabilities; backdoors, Trojans, spyware, etc.; brute-force attacks.
IPS protection objects
Client protection: protects client machines and their application software from attacks against their own vulnerabilities.
Server protection: protects servers and their application software from attacks against vulnerabilities in the server or the software itself.
Brute force attack: prevents frequent login attempts that try many username and password combinations.
Malware: prevents attacks by software containing backdoors, Trojans, worms and spyware.
IPS rule types: rules that protect both server and client (e.g. Trojan, worm); rules that protect server applications (e.g. mail, database); rules that protect client software (e.g. OA, IE).
IPS protection principle
IPS checks the threat characteristics of the application-layer content of each packet. It compares the content with the IPS rule database and rejects the packet if it matches, so protection takes effect at the application layer.
Diagram: frame header | IP header | transport header | payload. Stateful inspection covers the headers; application characteristics and application threat characteristics (malicious code) are found by deep content detection of the payload.
IPS configuration ideas – client protection
1. Go to Objects > Security Policy Template > Intrusion Prevention and add an IPS template for client protection; in the template select Endpoint Protection and Anti-Malware.
2. Go to Policies > Network Security > Policies > Policy for Internet Access Scenario, add a user protection policy and reference the client protection template. Source Zone: the internal client zone; source IP: the client IP group to protect. Destination Zone: the WAN zone; destination IP: All.
3. Select Allow or Reject, IP blocking or Logging, depending on the situation (IP blocking is introduced separately in a later chapter).
IPS configuration demonstration 1. Go to Objects > Security Policy Template > Intrusion Prevention, add an IPS template for client protection and select the templates to apply. 2. Go to Policies > Security Policy > Policy for Internet Access Scenario, add a user protection policy and reference the client protection template.
IPS configuration ideas – server protection
1. Go to Objects > Security Policy Template > Intrusion Prevention and add an IPS template for server protection; in the template select Server protection and Brute-force protection.
2. Go to Policies > Network Security > Policies > Policy for Server Scenario, add a server protection policy and reference the server protection template. Source Zone: the WAN zone; source IP: All. Destination Zone: the server zone; destination IP: the server IP groups that need protection.
3. Select Allow or Reject, IP blocking or Logging, depending on the situation (IP blocking is introduced separately in a later chapter).
IPS configuration demonstration 1. Go to Objects > Security Policy Template > Intrusion Prevention, add an IPS template for server protection and select the templates to apply. 2. Go to Policies > Security Policy > Policy for Server Scenario, add a server protection policy and reference the server protection template.
IPS logs: go to Monitor > Security Logs and filter by Intrusion Prevention to view the logs.
IPS – misjudgment (false positives and false negatives)
Vulnerability attack protection rules have five severity levels: Severe, High, Medium, Low and Info. Normal communication between the external and internal network may be rejected by the device as an intrusion (a false positive), or an intrusion from the external network may be released as normal communication (a false negative). How are the rules adjusted in that case?
1. When configuring vulnerability attack protection, tick View so that vulnerability attack protection is logged.
2. From the log in the data center, find the vulnerability ID of the misjudged rule.
3. Go to Objects > Threat Signature Database > Security Database; in the vulnerability signature database, change the action of that vulnerability ID, for example to allow or disable.
IPS – misjudgment: the action of the corresponding vulnerability ID is modified here (screenshot on the slide).
IPS – misjudgment: if normal communication is treated as an intrusion and rejected by the device, you can also query the rejection record in the security log and click Exclude directly.
IPS – database: the IPS vulnerability database classifies each vulnerability and marks its threat level.
IPS – precautions: when configuring intrusion prevention for clients and servers, the source zone is the zone that initiates the connection. The rules that protect client vulnerabilities differ from those that protect server vulnerabilities, because attackers use different attack methods against servers and clients.
5. APT
APT detection: a botnet is a set of Internet-connected computers running bot software; the bots communicate with a command and control (C&C) server, or pass messages to one another, and coordinate their actions. Botnets have been used many times to send spam email or to take part in distributed denial-of-service attacks.
APT detection: traditional firewalls and anti-virus software have limited effectiveness in detecting and removing Trojans; in an APT (Advanced Persistent Threat) scenario they are largely ineffective. Botnet lifecycle with a C&C server:
1. The bot master spreads the Trojan to the network and infects an endpoint.
2. The infected host connects to the C&C server and obtains instructions.
3. The C&C server instructs the infected host to scan the network and infect more hosts.
4. More hosts are infected and form a botnet; they connect to the C&C server and obtain instructions.
5. The bot master sends new code to the C&C server to update the botnet.
APT detection: a post-infection detection mechanism is needed to discover and locate infected client machines and reduce client risk; the logs it records must support tracing the source. When a machine infected with a virus or Trojan tries to communicate with the external network, NGAF identifies the traffic, blocks it and records a log according to the user's policy. Viruses and Trojans on infected hosts communicate suspiciously with external hosts (the C&C server), may download more malicious code or leak internal data; the firewall detects this communication and alerts on or blocks it.
APT detection
Trojan remote control, abnormal processes: security detection of Trojan remote control for both data sent from the protected zone and data received in response to requests. This includes running protocol detection on non-standard ports, detection of reverse (bounce) connections, heuristic DoS attack detection and other means.
Botnet: note that since version 8.0.17 the malicious link function of the original botnet module has been integrated into the content security function. The malicious link list is now part of the URL library, and protection is configured through the content security policy.
APT detection – abnormal traffic detection
By analysing how current network-layer and application-layer behaviour deviates from a baseline security model, hidden abnormal network behaviour can be discovered, the attack type determined from its behavioural characteristics, and attacks found that signature matching cannot detect.
The abnormal outgoing traffic function is a heuristic DoS detection method; it detects SYN flood, ICMP flood, DNS flood and UDP flood attacks launched from the same source IP. When the outgoing packets per second of a specific protocol exceed the configured threshold, NGAF samples packets for about 5 minutes and checks whether the traffic is one-way or whether there is normal response content, draws an analysis conclusion and submits the discovered attacks to the log for display.
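The rate-then-sample heuristic above, as an added worked example that tells a flooding bot apart from a busy but legitimate host. This is illustration code written for this page, not Sangfor's implementation; the PPS threshold, the reply ratio, the five-second window (the product samples for about five minutes) and the packet capture are all constructed assumptions.

```python
"""Heuristic outbound flood detection (added illustration, not Sangfor code).

Thresholds, window length and the packet samples are assumptions for this
example; the product samples for about five minutes with its own thresholds.
"""
import ipaddress
from collections import defaultdict

PPS_THRESHOLD = 100      # assumption: outbound packets/s per (host, kind) that trigger sampling
ONE_WAY_RATIO = 0.05     # assumption: replies/requests below this counts as one-way traffic
WINDOW_SECONDS = 5       # assumption: shortened sampling window


def request_kind(pkt):
    """Classify an outbound packet into the flood family it could belong to."""
    if pkt["proto"] == "icmp" and pkt.get("type") == 8:           # echo request
        return "icmp_flood"
    if pkt["proto"] == "udp":
        return "dns_flood" if pkt.get("dport") == 53 else "udp_flood"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
        return "syn_flood"
    return None


def reply_kind(pkt):
    """Classify an inbound packet as the answer to one of the request kinds."""
    if pkt["proto"] == "icmp" and pkt.get("type") == 0:           # echo reply
        return "icmp_flood"
    if pkt["proto"] == "udp":
        return "dns_flood" if pkt.get("sport") == 53 else "udp_flood"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "SA":
        return "syn_flood"
    return None


def detect(packets, internal_net):
    """Return [(host, kind, pps, reply_ratio)] for hosts whose traffic looks like a flood."""
    net = ipaddress.ip_network(internal_net)
    requests, replies = defaultdict(int), defaultdict(int)
    for pkt in packets:
        if ipaddress.ip_address(pkt["src"]) in net:
            kind = request_kind(pkt)
            if kind:
                requests[(pkt["src"], kind)] += 1
        elif ipaddress.ip_address(pkt["dst"]) in net:
            kind = reply_kind(pkt)
            if kind:
                replies[(pkt["dst"], kind)] += 1
    alerts = []
    for key, count in sorted(requests.items()):
        pps = count / WINDOW_SECONDS
        if pps <= PPS_THRESHOLD:
            continue                                   # below threshold: no sampling
        ratio = replies[key] / count                   # how much of the traffic is answered
        if ratio < ONE_WAY_RATIO:                      # high rate and almost no answers
            alerts.append((key[0], key[1], pps, ratio))
    return alerts


def sample_packets():
    """Constructed five-second capture: one SYN-flooding bot, one busy DNS resolver."""
    pkts = []
    # 10.0.0.5 sends 800 SYNs to one public host and gets only 8 SYN-ACKs back
    for i in range(800):
        pkts.append({"src": "10.0.0.5", "dst": "203.0.113.10", "proto": "tcp",
                     "flags": "S", "dport": 1 + i})
    for _ in range(8):
        pkts.append({"src": "203.0.113.10", "dst": "10.0.0.5", "proto": "tcp", "flags": "SA"})
    # 10.0.0.53 resolves 900 names and receives 880 answers: high rate but two-way
    for _ in range(900):
        pkts.append({"src": "10.0.0.53", "dst": "198.51.100.1", "proto": "udp", "dport": 53})
    for _ in range(880):
        pkts.append({"src": "198.51.100.1", "dst": "10.0.0.53", "proto": "udp", "sport": 53})
    # 10.0.0.7 pings once: below the rate threshold, never sampled
    pkts.append({"src": "10.0.0.7", "dst": "198.51.100.9", "proto": "icmp", "type": 8})
    return pkts


if __name__ == "__main__":
    print(detect(sample_packets(), "10.0.0.0/24"))
```

Only 10.0.0.5 is reported: 160 SYN/s with a 1% reply ratio is one-way traffic, while the resolver at 10.0.0.53 exceeds the rate threshold too but is answered for almost every query, which is exactly the case the reply check exists to exclude.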
APT detection – other detection methods
Connecting to a known botnet is the most basic indicator; the information sources include collection from tens of thousands of online devices and cooperation and sharing with Google and other institutions.
For unknown botnets (large numbers of C&C domain names generated by DGAs), unknown botnets are identified by simulating DGA algorithms to summarise their characteristics, or by summarising the composition of ordinary, normal domain names.
Detection of dangerous outreach methods, such as known botnet communication channels (IRC, HFS), transmitting non-standard protocols over standard ports (e.g. RDP over port 80), launching CC attacks externally, spreading malicious files externally, and sending shellcode externally.
Detection of behaviour such as downloading malicious files or malicious PDFs, downloaded files whose content does not match the file extension, and mismatched upstream and downstream traffic.
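The two detection tiers mentioned above, a known-botnet list followed by DGA heuristics based on how normal domain names are composed, as an added worked example. This is illustration code written for this page, not Sangfor's detection logic; the known-C&C entries, the feature thresholds and the sample query names are all constructed assumptions.

```python
"""Two-stage C&C domain check: known-botnet list, then DGA heuristics.

Added illustration, not Sangfor's detection logic. The known-C&C list, the
feature thresholds and the sample domains are assumptions for this example.
"""
import math
from collections import Counter

KNOWN_C2 = {"bad.example", "c2-update.invalid"}          # constructed feed entries
VOWELS = set("aeiou")


def registrable_label(domain):
    """Label directly under the TLD: 'xkq7zp4mwd9f' for 'www.xkq7zp4mwd9f.info'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def features(label):
    """Shape features that separate random-looking labels from dictionary-like ones."""
    counts = Counter(label)
    entropy = -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())
    run = longest = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {
        "length": len(label),
        "entropy": entropy,
        "vowel_ratio": sum(ch in VOWELS for ch in label) / len(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / len(label),
        "consonant_run": longest,
    }


def is_dga_like(f):
    """Heuristic thresholds (assumptions): random, long and vowel-poor, digit-heavy,
    or unpronounceable labels."""
    return ((f["entropy"] >= 3.2 and f["length"] >= 10 and f["vowel_ratio"] < 0.3)
            or f["digit_ratio"] >= 0.3
            or f["consonant_run"] >= 5)


def check_domain(domain, known=KNOWN_C2):
    """Return ('known_c2' | 'dga_suspect' | 'ok', features or None)."""
    d = domain.lower().rstrip(".")
    if any(d == k or d.endswith("." + k) for k in known):
        return "known_c2", None              # signature hit: no heuristics needed
    label = registrable_label(d)
    if not label:
        return "ok", None
    f = features(label)
    return ("dga_suspect" if is_dga_like(f) else "ok"), f


def run_sample():
    """Constructed DNS query names seen leaving the intranet."""
    names = ["community.sangfor.com", "stackoverflow.com", "www.bad.example",
             "xkq7zp4mwd9f.info", "qwbvxtrpnmlk.net", "a1b2c3d4.org"]
    return {n: check_domain(n)[0] for n in names}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:24} {verdict}")
```

The heuristics are deliberately simple and will produce false positives on legitimate CDN or tracking hostnames, which is why a product keeps the signature list first and an exclusion mechanism for misjudged endpoints; in practice the per-domain score is combined with volume (how many distinct suspect names one host resolves, and how many resolve to NXDOMAIN) before a host is declared infected.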
APT detection – signature display: over 100K botnet signatures.
APT detection – misjudgment rules
There are three ways to exclude traffic from NGAF botnet protection:
1. If the traffic of an endpoint is misjudged by a botnet rule, exclude that IP under the botnet function module; the IP is then no longer intercepted by the botnet policy.
2. If a misjudged rule blocks the traffic of all intranet endpoints, disable that rule under Object > Threat Signature Database > Security Database > Malware Signature Database; no botnet policy will then act on that rule.
3. You can also query the botnet log in the built-in data center and click Exclude directly.
APT detection – DNS scenario misjudgment elimination: when there is a DNS server in the intranet, honeypot technology is used to locate the real IP address of the bot-infected host (otherwise the C&C lookup seen at the firewall appears to come from the internal DNS server). To avoid the honeypot settings being forgotten during configuration, which would later make source tracing impossible, a DNS server service interface has been added to the policy configuration interface.
APT detection – anti-virus notification push
NGAF can push an anti-virus notification when it detects a risky host. The redirect page can be customised and supports downloading virus scanning software.
Notes: 1. Within the time set for the notification push, a risky host that has downloaded the tool and cleaned itself still cannot access the Internet directly; it must wait for the set time to expire, or for the administrator to cancel the push, before normal web access resumes. 2. The redirect page only works for HTTP, not for HTTPS; the push also does not take effect in NAT scenarios.
APT detection – configuration path: Object > Security Policy Template > Botnet Detection, as shown below. Abnormal traffic is only logged, not denied.
6. Correlation Address Block
Correlation Address Block – IP blocking types
Starting from NGAF 7.4, the firewall has two types of IP blocking:
Block IP address initiating high-threat attack: only blocks high-threat IP addresses, to keep the network available and services stable.
Block IP address initiating any attacks: blocks any suspicious IP address, for maximum protection of business assets and users.
Correlation Address Block – IP blocking mechanism
The IPS, WAF and DoS modules can be configured with IP blocking.
Block IP address initiating high-threat attack: only triggered by the high-level rules specified in IPS, WAF and DoS.
Block IP address initiating any attacks: any "block" event from IPS, WAF or DoS triggers IP blocking.
IP blocking triggered by a policy intercepts the session (five-tuple) of the offending packet; if the attacker changes the port or the destination IP, the new session is not intercepted. Blocking added manually for an attacker's IP, or permanent blocking, blocks the source IP itself, as in previous versions. A host in the IP blocking list can still access the NGAF console. The IP blocking list holds 20000 entries. Records of packets rejected by IP blocking are queried in the Application Control Log.
Correlation Address Block – configuration: intrusion prevention and web application protection are enabled in the network security policy. DoS protection, CC attack protection and brute force protection each have their own IP blocking option. The following configuration takes DoS protection as an example:
Correlation Address Block – configuration: under SOC > Temporary Blacklist, click Add to Global Blacklist to move an attacker's IP to the permanent blacklist; this blocks the source IP or destination IP outright.
Add: adding a blocked source IP prevents that source from reaching any destination through NGAF (except the NGAF console). Adding a blocked destination IP prevents all IPs passing through NGAF from reaching that destination.
Add to Global Blacklist: the IP is added to the NGAF blacklist. It is no longer kept in the attacker IP blocking list, and no packet from that IP can pass through NGAF, including access to the NGAF console.
Correlation Address Block – misjudgment: under SOC > Temporary Blacklist, select the IP in the block list and click Unblock. (209.99.10.45 is the address configured on the test PC in the lab environment.) Deleting requires manually selecting the corresponding session in the blocked list.
Correlation Address Block – logs: in Monitor > Application Control Log, set the action filter to Integratedly Deny and check the logs.
Thank you! community.sangfor.com Sangfor Technologies (Headquarters) Block A1, Nanshan iPark, No.1001 Xueyuan Road, Nanshan District, Shenzhen, Guangdong Province, P. R. China (518055)