- H3C SecPath Security Products FAQ(V7)-6W100
NetShare control FAQ
Q. What are methods to detect network sharing behaviors?
A. NetShare control uses the following methods to detect network sharing behaviors:
· APR-based detection:
Using Application Recognition (APR)-based packet analysis, the device inspects the application layer information of packets and extracts the account, cookie, and other information. From this information, it calculates the number of endpoints attached to a host and detects the NetShare behaviors of endpoints.
· IPID trail tracking:
The IPID field in an IP packet header is a 16-bit field that uniquely identifies an IP packet. The IPID values of packets sent by the same host are contiguous and incremental. If a source IP address has multiple IPID values, that is, more than one contiguous IPID trail, the user is a NetShare user. The number of attached endpoints can be appropriately determined by the number of IPID values.
Q. What are the restrictions and guidelines for using the NetShare control module?
A. If IPID trail tracking is disabled, the device can detect an endpoint only when QQ or WeChat exists on the endpoint.
Each application has a weight. An endpoint might have multiple applications, and the number of endpoints is the number of applications multiplied by the weight (rounded up to the nearest integer). The weight of QQ is 50%, and the weight of WeChat is 80%. For example, if endpoints have five QQ accounts and two WeChat accounts, the number of endpoints is 3, which is rounded up from max[5 × 50%, 2 × 80%] = 2.5. This method uses weights obtained from experience and is not inaccurate.
IPID trail tracking might degrade the device performance.
IPID trail tracking can detect only PCs and cannot detect mobile endpoints (for example, mobile phones), whose IPIDs are not contiguous.
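The following Python sketch is an added example, not H3C code or the device's actual algorithm. It shows how contiguous IPID trails behind one source IP address can be counted, and why endpoints with non-contiguous IPIDs go undetected. The function names, the `MAX_GAP` and `MIN_TRAIL` thresholds, and the sample packets are assumptions constructed for this illustration.

```python
from collections import defaultdict

MAX_GAP = 64    # assumed tolerance: largest forward IPID step kept in one trail
MIN_TRAIL = 4   # assumed: packets a trail needs before it counts as an endpoint

def count_trails(ipids, max_gap=MAX_GAP, min_trail=MIN_TRAIL):
    """Return (endpoints, stray_packets) for one source IP's IPIDs in arrival order."""
    trails = []  # each trail is [last_ipid_seen, packet_count]
    for ipid in ipids:
        best = None
        for trail in trails:
            step = (ipid - trail[0]) & 0xFFFF  # forward distance, 16-bit wraparound
            if 0 < step <= max_gap and (best is None or step < best[0]):
                best = (step, trail)
        if best is None:
            trails.append([ipid, 1])       # no trail continues here: start a new one
        else:
            best[1][0] = ipid              # extend the closest matching trail
            best[1][1] += 1
    endpoints = sum(1 for _, n in trails if n >= min_trail)
    strays = sum(n for _, n in trails if n < min_trail)
    return endpoints, strays

def endpoints_per_source(packets):
    """Group (src_ip, ipid) pairs by source and count trails for each source."""
    by_src = defaultdict(list)
    for src, ipid in packets:
        by_src[src].append(ipid)
    return {src: count_trails(ids) for src, ids in by_src.items()}

# Constructed sample: two PCs behind 192.0.2.10 (one counter wraps past 65535),
# one PC at 192.0.2.20, and a phone-like sender at 192.0.2.30 with scattered IPIDs.
PC_A = list(range(20000, 20006))
PC_B = [65533, 65534, 65535, 0, 1, 2]
SHARED = [v for pair in zip(PC_A, PC_B) for v in pair]  # interleaved arrival order
SINGLE = list(range(4100, 4106))
PHONE = [48211, 913, 30577, 12044, 59102, 7766]
PACKETS = ([("192.0.2.10", i) for i in SHARED] + [("192.0.2.20", i) for i in SINGLE]
           + [("192.0.2.30", i) for i in PHONE])

if __name__ == "__main__":
    for src, (n, strays) in endpoints_per_source(PACKETS).items():
        print(f"{src}: {n} contiguous trail(s), {strays} untracked packet(s)")
```

The scattered IPIDs from 192.0.2.30 never form a trail, so that sender contributes no endpoint to the count, which matches the restriction on mobile endpoints stated above.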