04-DPI Configuration Guide

12-APT defense configuration

Configuring APT defense

About APT defense

An advanced persistent threat (APT) is a prolonged and targeted cyberattack. One of the most effective methods to defend against APT attacks is sandbox technology. A sandbox creates an isolated threat inspection environment to analyze the traffic delivered to it. If the traffic is malicious, the device takes actions such as blocking.

APT defense implementation

As shown in Figure 1, when an external attacker initiates an APT attack towards the enterprise network, the APT defense is implemented as follows:

1.     The device identifies the application layer protocol of the traffic and the file type, and extracts the file content from the traffic. The device reconstructs the file only when all of the following conditions are met:

-     The traffic matches the APT defense policy on the device, if one is configured.

-     The file size is within the file size limit defined for the sandbox inspection.

-     The device has successfully established a connection to the sandbox.

2.     The device sends the reconstructed file to the sandbox for threat analysis.

3.     The sandbox executes the file and analyzes the file behavior to determine whether the file is malicious. After the inspection completes, the sandbox sends the file inspection result back to the device, and the device saves the result in its APT defense cache.

-     If the traffic is malicious, the device executes the block or alert action on subsequent traffic, as specified by the anti-virus policy.

-     If the traffic is not malicious, the device permits it to pass.

Figure 1 APT defense implementation

Sandbox inspection mechanism

The sandbox is a virtual inspection system that simulates actual networks to run unknown files and record the file behaviors. The sandbox compares file behaviors with its exclusive behavior signature library. If a match is found, the sandbox determines that the file is malicious.

The sandbox builds its behavior signature library by analyzing signatures of various viruses, vulnerabilities, and threats, extracting the patterns of the malicious behaviors, and forming a set of rules.

Unlike the signature-based inspection (such as anti-virus inspection), the sandbox inspection identifies attacks based on behaviors and can provide protection against unknown attacks.

Collaboration with the anti-virus feature

The sandbox only identifies whether the traffic is malicious; it does not provide processing actions. To process the malicious traffic, the device needs to collaborate with the anti-virus feature. With the anti-virus feature configured, the device identifies the application layer protocol of the malicious traffic and then compares the traffic with the anti-virus policy. If a match is found, the device takes the policy's actions on the traffic.

For more information about the anti-virus feature, see "Configuring anti-virus."

APT defense tasks at a glance

To configure APT defense, perform the following tasks:

1.     Configuring the linkage to the sandbox

2.     Configuring APT defense policy

3.     Applying an APT defense policy to a DPI application profile

4.     Applying a DPI application profile to a security policy rule

Configuring the linkage to the sandbox

About this task

The device can collaborate with the sandbox when the following conditions are met:

·     Sandbox parameters (including sandbox address, username, and password) are configured.

·     The linkage to the sandbox is enabled.

·     The connection between the device and sandbox is established.

After you change sandbox parameters, or enable or disable the linkage to the sandbox, the device terminates the connection to the sandbox. You must then re-establish the connection to the sandbox.

Procedure

1.     Enter system view.

system-view

2.     Enter sandbox view.

sandbox

3.     Specify the sandbox address.

sandbox-address address-string

By default, no sandbox address is specified.

4.     Set the username for logging in to the sandbox.

username user-name

By default, no login username is set.

5.     Set the password for logging in to the sandbox.

password { cipher | simple } string

By default, no login password is set.

6.     (Optional.) Set the maximum file size that the sandbox inspection supports for a file type.

file file-type max-size max-file-size

By default, no maximum file size is set for sandbox inspection, and the system uses its built-in per-file-type size limit.

The device sends only files within the size limit to the sandbox, which protects the processing capability of the sandbox.

7.     Enable the linkage to the sandbox.

linkage enable

By default, the linkage to the sandbox is disabled.

8.     Establish a connection between the device and sandbox.

linkage try

9.     Return to system view.

quit

10.     (Optional.) Set the APT defense cache size.

apt cache size cache-size

By default, the APT defense cache can cache a maximum of 100000 entries.

Configuring APT defense policy

About this task

An APT defense policy defines the file filtering criteria, including the application layer protocol, file type, and file transfer direction. The device sends a file to the sandbox only when the file meets all of the criteria.

Procedure

1.     Enter system view.

system-view

2.     Create an APT defense policy.

apt policy policy-name

3.     (Optional.) Configure a description for an APT defense policy.

description description-string

By default, an APT defense policy does not have a description.

4.     Specify the application layer protocols for sandbox inspection.

application { all | type { ftp | http | https | imap | nfs | pop3 | smb | smtp } * }

By default, no application layer protocols are specified for sandbox inspection.

5.     Specify the file type for sandbox inspection.

file-type { all | name &<1-8> }

By default, no file type is specified for sandbox inspection.

6.     Specify a file transfer direction for sandbox inspection.

file-direction { both | download | upload }

By default, both the uploaded and downloaded files are sent to the sandbox.
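The decision flow described in "APT defense implementation" and the filtering criteria of this policy procedure, modeled as an added example (not H3C code): the three conditions for sending a file to the sandbox, the verdict cache bounded by the apt cache size, and the hand-off to the anti-virus action. Class names, the per-file-type default limits, and keying the cache by a file hash are assumptions made here.

```python
# Added example, not H3C code: a model of the APT defense decision flow this
# guide describes. Class and function names are assumptions made here.
from dataclasses import dataclass, field

# Constructed default per-file-type limits; the guide does not give the values.
DEFAULT_MAX_SIZE = {"pe": 10_000_000, "pdf": 5_000_000}

@dataclass
class Sandbox:                     # state set up in sandbox view
    address: str = ""
    linkage_enabled: bool = False  # 'linkage enable'
    connected: bool = False        # result of 'linkage try'
    max_size: dict = field(default_factory=dict)  # 'file <type> max-size'

@dataclass
class AptPolicy:                   # file filtering criteria of 'apt policy'
    applications: set              # 'application type ...' or {"all"}
    file_types: set                # 'file-type ...' or {"all"}
    direction: str = "both"        # 'file-direction'

def policy_matches(policy, app, file_type, direction):
    """True when protocol, file type and transfer direction all match."""
    return (("all" in policy.applications or app in policy.applications)
            and ("all" in policy.file_types or file_type in policy.file_types)
            and policy.direction in ("both", direction))

def should_send_to_sandbox(sandbox, policy, app, file_type, direction, size):
    """The three conditions under which the device reconstructs the file."""
    limit = sandbox.max_size.get(file_type, DEFAULT_MAX_SIZE.get(file_type))
    return (policy_matches(policy, app, file_type, direction)
            and limit is not None and size <= limit
            and sandbox.linkage_enabled and sandbox.connected)

def handle_file(sandbox, policy, cache, av_action, file_hash,
                app, file_type, direction, size):
    """Device action for one file: 'pass', 'sent-to-sandbox' while no verdict
    is cached, or the anti-virus policy action once the verdict is malicious."""
    verdict = cache.get(file_hash)
    if verdict is None:
        if should_send_to_sandbox(sandbox, policy, app, file_type, direction, size):
            return "sent-to-sandbox"   # verdict arrives later via record_verdict
        return "pass"
    return av_action if verdict == "malicious" else "pass"

def record_verdict(cache, cache_size, file_hash, verdict):
    """Store a sandbox result in the APT defense cache ('apt cache size')."""
    if file_hash not in cache and len(cache) >= cache_size:
        cache.pop(next(iter(cache)))   # constructed: evict the oldest entry
    cache[file_hash] = verdict
```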

Applying an APT defense policy to a DPI application profile

About this task

The DPI application profile contains configuration of DPI security services. For an APT defense policy to take effect, you must apply it to a DPI application profile.

A DPI application profile can use only one APT defense policy. If you apply different APT defense policies to the same DPI application profile, only the most recent configuration takes effect.

Restrictions and guidelines

To collaborate with an anti-virus policy, you must apply an APT defense policy and the anti-virus policy to the same DPI application profile.

Procedure

1.     Enter system view.

system-view

2.     Enter DPI application profile view.

app-profile profile-name

For more information about this command, see DPI engine commands in DPI Command Reference.

3.     Apply an APT defense policy to the DPI application profile.

apt apply policy policy-name

By default, no APT defense policy is applied to a DPI application profile.

Applying a DPI application profile to a security policy rule

1.     Enter system view.

system-view

2.     Enter security policy view.

security-policy { ip | ipv6 }

3.     Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4.     Set the action to pass for the security policy rule.

action pass

The default rule action is drop.

5.     Apply a DPI application profile to the security policy rule.

profile app-profile-name

By default, no DPI application profile is applied to a security policy rule.

Display and maintenance commands for APT defense

Execute the display commands in any view.

Task: Display APT defense cache information.

Command: display apt cache [ slot slot-number ]

Task: Display the connection status between the device and the sandbox.

Command: display apt linkage state

APT defense configuration examples

Example: Applying an APT defense policy to a security policy rule

Network configuration

As shown in Figure 2, LAN users in security zone Trust can access the following resources:

·     Internet resources in security zone Untrust.

·     The sandbox at 192.168.2.4/24 in security zone DMZ.

Figure 2 Network diagram

Procedure

1.     Assign IP addresses to interfaces:

# Assign an IP address to interface GigabitEthernet 1/0/1.

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0

[Device-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

2.     Configure settings for routing.

This example configures static routes; the next hop of the routes is 2.2.2.2.

[Device] ip route-static 5.5.5.0 24 2.2.2.2

3.     Add interfaces to security zones.

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/0/1

[Device-security-zone-Trust] quit

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2

[Device-security-zone-Untrust] quit

[Device] security-zone name dmz

[Device-security-zone-DMZ] import interface gigabitethernet 1/0/3

[Device-security-zone-DMZ] quit

4.     Configure the collaboration between the device and the sandbox.

[Device] sandbox

[Device-sandbox] sandbox-address 192.168.2.4

[Device-sandbox] username admin

[Device-sandbox] password simple 123456abc

[Device-sandbox] linkage enable

[Device-sandbox] linkage try

5.     Configure the APT defense policy.

# Create an APT defense policy named apt1, and specify the HTTP protocol, the pe file type, and the upload file transfer direction for sandbox inspection.

[Device] apt policy apt1

[Device-apt-policy-apt1] application type http

[Device-apt-policy-apt1] file-type pe

[Device-apt-policy-apt1] file-direction upload

[Device-apt-policy-apt1] quit

6.     Configure a DPI application profile and apply an APT defense policy and anti-virus policy to the DPI application profile.

In this example, an anti-virus policy named antivirus1 has been created and the anti-virus policy uses the block action. For more information about anti-virus, see "Configuring anti-virus."

# Create a DPI application profile named sec and apply APT defense policy apt1 and anti-virus policy antivirus1 to the DPI application profile.

[Device] app-profile sec

[Device-app-profile-sec] apt apply policy apt1

[Device-app-profile-sec] anti-virus apply policy antivirus1 mode protect

[Device-app-profile-sec] quit

7.     Configure a security policy:

# Create a security policy rule named trust-untrust to allow the internal users to access the network and to allow the device to perform APT defense on the traffic.

[Device] security-policy ip

[Device-security-policy-ip] rule name trust-untrust

[Device-security-policy-ip-10-trust-untrust] source-zone trust

[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24

[Device-security-policy-ip-10-trust-untrust] destination-zone untrust

[Device-security-policy-ip-10-trust-untrust] action pass

[Device-security-policy-ip-10-trust-untrust] profile sec

[Device-security-policy-ip-10-trust-untrust] quit

# Create a security policy rule named sandboxlocalout to allow the device to send the traffic to the sandbox server for inspection.

[Device-security-policy-ip] rule name sandboxlocalout

[Device-security-policy-ip-11-sandboxlocalout] source-zone local

[Device-security-policy-ip-11-sandboxlocalout] destination-zone dmz

[Device-security-policy-ip-11-sandboxlocalout] destination-ip-subnet 192.168.2.0 24

[Device-security-policy-ip-11-sandboxlocalout] action pass

[Device-security-policy-ip-11-sandboxlocalout] quit

# Create a security policy rule named sandboxlocalin to allow the sandbox server to issue the inspection results to the device.

[Device-security-policy-ip] rule name sandboxlocalin

[Device-security-policy-ip-12-sandboxlocalin] source-zone dmz

[Device-security-policy-ip-12-sandboxlocalin] destination-zone local

[Device-security-policy-ip-12-sandboxlocalin] source-ip-subnet 192.168.2.0 24

[Device-security-policy-ip-12-sandboxlocalin] action pass

[Device-security-policy-ip-12-sandboxlocalin] quit

# Activate rule matching acceleration.

[Device-security-policy-ip] accelerate enhanced enable

[Device-security-policy-ip] quit

Verifying the configuration

# Verify that the device can collaborate with the sandbox and anti-virus feature to protect the internal users against APT attacks. (Details not shown.)
