Deception is a cooperative attack prevention approach that protects intranet users from further attacks after an attacker has already intruded into the intranet. The device cooperates with a decoy server to provide the deception function.
A decoy server is a threat perception and traceability system. It lures attackers into deep interaction with a carefully constructed simulated environment, analyzes and traces their attack behavior, and keeps the real network from being attacked.
After deception is enabled, the device acts as the agent of the decoy server to interact with the attacker: it lures the attack traffic to the decoy server for analysis and forwards the response traffic from the decoy server back to the attacker.
Decoy networks are used for static deception. When the device detects that an attacker initiates scanning or any form of access to an IP address in a decoy network, no matter whether the IP address is online or not, the device will immediately enter the deception state and lure the attacker's subsequent traffic to the decoy server for in-depth analysis.
Detection networks are used for offline IP deception. The device continuously monitors the ARP requests sent to the detection networks. The device has the following deception modes:
In strict mode, once the device detects that an attacker sends an ARP request for an offline IP address on a detection network, it immediately decoys the attacker's subsequent traffic destined for the IP address to the decoy server for in-depth analysis.
In non-strict mode, the device periodically detects the rate of ARP messages sent by attackers to a detection network. When the rate reaches the ARP scan defense threshold, the subsequent traffic sent from the attackers to the offline IP addresses in the detection network will be lured to the decoy server for further analysis.
The deception allowlist specifies the deception exceptions. It can contain source address allowlist entries and destination address allowlist entries.
For the IP addresses in the source address allowlist entries, the device will not decoy the traffic initiated by these IP addresses.
For the IP addresses in the destination address allowlist entries, the device will not decoy the traffic accessing these IP addresses.
Make sure the device can reach the detection networks.
On a network where devices use static ARP entries instead of sending ARP requests, you can enable strict deception mode. On a network where devices use dynamic ARP entries, do not enable strict deception mode as a best practice.
For devices that do not respond to ARP requests (some old printers for example), you can add their IP addresses to the destination address allowlist to prevent normal access traffic from being decoyed. For devices that will periodically send probe packets (some NMS devices for example), you can add their IP addresses to the source address allowlist to prevent their traffic from being decoyed as attack traffic.
If a decoy network or detection network overlaps with the addresses in the allowlist, the device will treat the overlapping IP addresses as allowlisted IP addresses. If a detection network overlaps with a decoy network, the device will treat the overlapping IP addresses as the IP addresses in the decoy network.
If the online IP scanning rate is too high, the scanning might affect the internal network. If the online IP scanning rate is too low, the device might take a long time to learn the online status of the IP addresses in the detection networks. Set a proper online IP scanning rate according to your network conditions.
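The decision rules above (source and destination allowlists, decoy networks that always trigger, detection networks that trigger only for offline IPs in strict mode or above the ARP scan defense threshold in non-strict mode, and the overlap precedence allowlist > decoy network > detection network) can be modelled in a few lines. This is an added example that reproduces the page's rules for study; it is not the device's own code, and the network addresses, the threshold value and the "dst_online" / "arp_rate" inputs are constructed assumptions.

```python
"""Model of the deception decision logic described above (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class DeceptionConfig:
    src_allowlist: list = field(default_factory=list)        # CIDR strings
    dst_allowlist: list = field(default_factory=list)        # CIDR strings
    decoy_networks: list = field(default_factory=list)       # CIDR strings
    detection_networks: list = field(default_factory=list)   # CIDR strings
    strict_mode: bool = False
    arp_scan_threshold: int = 50   # assumed unit: ARP requests per detection interval


def _in_any(ip, networks):
    return any(ip_address(ip) in ip_network(n) for n in networks)


def classify_dst(cfg, dst):
    """Classify a destination IP with the page's overlap precedence:
    allowlist wins over decoy/detection, decoy network wins over detection network."""
    if _in_any(dst, cfg.dst_allowlist):
        return "allowlist"
    if _in_any(dst, cfg.decoy_networks):
        return "decoy"
    if _in_any(dst, cfg.detection_networks):
        return "detection"
    return "none"


def should_decoy(cfg, src, dst, dst_online, arp_rate=0):
    """Return True if traffic src -> dst would be lured to the decoy server.
    dst_online: online status learned by the device's periodic IP scanning.
    arp_rate:   observed ARP request rate from src toward the detection network
                (only consulted in non-strict mode)."""
    if _in_any(src, cfg.src_allowlist):
        return False                      # source allowlist: never decoyed
    kind = classify_dst(cfg, dst)
    if kind == "decoy":
        return True                       # decoy network: online or not, always decoyed
    if kind == "detection" and not dst_online:
        if cfg.strict_mode:
            return True                   # strict: one ARP request for an offline IP is enough
        return arp_rate >= cfg.arp_scan_threshold   # non-strict: needs the ARP scan threshold
    return False                          # allowlisted, online, or unconfigured destination
```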
Configure a security policy to permit packets from the security zone where the source IP address resides to the security zone where the decoy server IP address resides.
Create a deception allowlist (optional)
Click the Policies tab.
In the navigation pane, select Active Defense > Deception.
Click the Allowlist tab.
Click Create.
In the dialog box that opens, configure allowlist entry parameters, and then click OK.
Table-1 Deception allowlist configuration items
| Item | Description |
| --- | --- |
| IPv4 address/mask | IPv4 address and mask of the allowlist entry. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. |
| Address type | Type of the IP address of the deception allowlist entry. |
| VRF | VPN instance to which the deception allowlist belongs. By default, the value is Public network, which means the IP address belongs to the public network. |
Create a decoy network (optional)
Click the Policies tab.
In the navigation pane, select Active Defense > Deception.
Click the Decoy Network tab.
Click Create.
In the dialog box that opens, configure decoy network parameters, and then click OK.
Table-2 Decoy network configuration items
| Item | Description |
| --- | --- |
| IPv4 address/mask | IPv4 address and mask of the decoy network. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. |
| VRF | VPN instance to which the decoy network segment belongs. By default, the value is Public network, which means the decoy network segment belongs to the public network. |
Create a detection network
Click the Policies tab.
In the navigation pane, select Active Defense > Deception.
Click the Detection Network tab.
Click Create.
In the dialog box that opens, configure detection network parameters, and then click OK.
Table-3 Detection network configuration items
| Item | Description |
| --- | --- |
| IPv4 address/mask | IPv4 address and mask of the detection network. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. |
| VRF | VPN instance to which the detection network segment belongs. By default, the value is Public network, which means the detection network segment belongs to the public network. |
Configure the deception function
Click the Policies tab.
In the navigation pane, select Active Defense > Deception.
Configure deception parameters, and then click OK.
Table-4 Deception configuration items
| Group | Item | Description |
| --- | --- | --- |
| | Deception | Enable the deception function. |
| Decoy server settings | Trapping and drainage mode | TCP proxy: The deception device uses the TCP proxy mode to direct suspicious traffic to the decoy server. UDP tunneling: The deception device uses a UDP tunnel to direct suspicious traffic to the decoy server. |
| | Decoy server IP | IP address of the decoy server. The address cannot be 0.0.0.0 or 255.255.255.255. |
| | Decoy server VRF | VPN to which the decoy server belongs. By default, this field uses Public network, which means that the decoy server does not belong to a VPN. |
| | Destination port | Port number of the decoy server. |
| | Source address | IP address or interface used by the device to connect to the decoy server. The address cannot be 0.0.0.0 or 255.255.255.255. |
| | Source port | Source port used to send traffic to the decoy server when the trapping and drainage mode is UDP tunneling. |
| | VRF | VPN instance to which the decoy server belongs. By default, the value is Public network, which means the decoy server belongs to the public network. |
| Deception settings | Strict mode | Enable the strict mode for deception. |
| | Online IP scanning rate | Rate at which the device scans the IP addresses in the detection networks. The device periodically scans the IP addresses in the detection networks to detect the online status of the addresses. |
| | ARP scan defense threshold | ARP sending rate threshold that triggers the deception function. This threshold applies only to the non-strict mode of deception. |