eSight V300R009C00 Operation Guide 09

Content Security Detection Principle

The NGFW provides a content security detection mechanism that inspects traffic content against the conditions in the referenced security profiles and applies the action that the matching profile specifies for the detection result.

Antivirus

Antivirus is a security mechanism that identifies and handles virus-infected files in transit, protecting the network from the data corruption, permission changes, and system crashes that such files cause.

The NGFW uses the Intelligent Awareness Engine (IAE) together with a constantly updated virus signature database to detect and remove viruses. Figure 12-34 shows the antivirus mechanism.

Figure 12-34 Antivirus mechanism
  • Virus Detection by the IAE
    1. After traffic enters the IAE, the IAE analyzes the traffic and identifies its protocol type and file transfer direction.
    2. The IAE checks whether antivirus applies to this protocol type and file transfer direction.

      The antivirus function of the device applies to the following protocols:

      • File Transfer Protocol (FTP)
      • Hypertext Transfer Protocol (HTTP)
      • Post Office Protocol - Version 3 (POP3)
      • Simple Mail Transfer Protocol (SMTP)
      • Internet Message Access Protocol (IMAP)
      • Network File System (NFS)
      • Server Message Block (SMB)

        The device supports antivirus in upload and download directions:

      • Upload: Indicates file transfer from a client to a server.
      • Download: Indicates file transfer from a server to a client.
      NOTE:

      Connection requests are initiated by clients. Therefore, when configuring security policies, set the security zone where the client resides as the source zone and that where the server is located as the destination zone.

      Example 1: A user in the Trust zone needs to download files from the FTP server in the Untrust zone. In this case, set the Trust zone as the source security zone and the Untrust zone as the destination security zone on the security policy configuration page and set the FTP inspection direction to Download on the antivirus configuration page.

      Example 2: A user in the Trust zone needs to upload emails to the SMTP server in the DMZ. In this case, set the Trust zone as the source security zone and the DMZ as the destination security zone on the security policy configuration page and set the SMTP inspection direction to Upload on the antivirus configuration page.

    3. Checks whether the whitelist is matched.

      The NGFW does not perform virus detection on whitelisted files.

      NOTE:

      The whitelist can be configured only on the CLI.

      A whitelist comprises whitelist rules. Administrators can configure whitelist rules for trusted domain names, URLs, IP addresses, and IP address ranges so that files from trusted sources are not scanned, which avoids false positives and detection overhead for those sources. A whitelist rule applies only to the corresponding antivirus profile, because each antivirus profile has its own whitelist.

      • Prefix match: When host-text or url-text is in the form example*, the rule matches any domain name or URL that starts with example.
      • Suffix match: When host-text or url-text is in the form *example, the rule matches any domain name or URL that ends with example.
      • Keyword match: When host-text or url-text is in the form *example*, the rule matches any domain name or URL that contains example.
      • Exact match: When host-text or url-text contains no asterisk, the rule matches only a domain name or URL identical to it.
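The four match forms above, as an added example that is not eSight or NGFW code. The matcher applies the prefix, suffix, keyword and exact semantics to host-text and url-text rules; the rule set, host names and URLs are constructed for illustration.

```python
"""Antivirus whitelist rule matching: prefix, suffix, keyword and exact forms.

Added example, not eSight or NGFW code. It implements the four host-text /
url-text wildcard forms described above (example*, *example, *example*,
example). The rule set and requests below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class WhitelistRule:
    kind: str      # "host" (host-text) or "url" (url-text)
    pattern: str   # example*, *example, *example*, or an exact value


def _matches(pattern: str, value: str) -> bool:
    """Apply the wildcard semantics: a trailing * gives a prefix match, a
    leading * a suffix match, both a keyword match, neither an exact match."""
    starts, ends = pattern.startswith("*"), pattern.endswith("*")
    core = pattern.strip("*")
    if not core:
        return False  # a bare * would exempt every file; never treat it as a match
    if starts and ends:
        return core in value
    if ends:
        return value.startswith(core)
    if starts:
        return value.endswith(core)
    return value == core


def whitelist_hit(rules: Iterable[WhitelistRule], host: str, url: str) -> Optional[WhitelistRule]:
    """Return the first rule that matches the request, or None. A hit means the
    NGFW skips virus detection for the file, so rules should be as narrow as
    the trusted source allows."""
    for rule in rules:
        if _matches(rule.pattern, host if rule.kind == "host" else url):
            return rule
    return None


# Constructed whitelist for one antivirus profile (illustrative values).
RULES = [
    WhitelistRule("host", "*.corp.example.com"),            # suffix: internal hosts only
    WhitelistRule("url", "http://updates.example.com/*"),   # prefix: one download tree
    WhitelistRule("host", "mirror.example.net"),            # exact
]


def is_whitelisted(host: str, url: str) -> bool:
    return whitelist_hit(RULES, host, url) is not None
```

Suffix and keyword matches compare plain characters, so a suffix rule written as *corp.example.com (without the leading dot) would also exempt evilcorp.example.com; keep the dot, and prefer exact or prefix rules where the trusted source allows it.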
    4. Performs virus detection.

      The IAE extracts features from files of the applicable types and compares them with the virus signatures in the virus signature database. If a match is found, the file is considered infected and is processed according to the action specified in the profile. If no match is found, the file is permitted.

      Huawei analyzes and summarizes common virus signatures to build the virus signature database. The database defines each signature and assigns it a unique virus ID. Once the database is loaded, the device can identify the viruses whose signatures it defines. To identify new viruses, the virus signature database must be updated regularly from the security center (sec.huawei.com).

      NOTE:

      Signature database update requires a license.

  • Antivirus processing

    After viruses are identified in a file in transfer, the NGFW:

    1. Checks whether this virus is an exception. If yes, the file is permitted.

      Virus exceptions are virus IDs that the administrator has identified as false positives. To prevent file transfers from failing because of a false positive, add the virus ID to the exceptions; this disables the corresponding virus rule, and a file in which only that virus is detected is permitted.

    2. If the virus does not match any virus exception, the NGFW checks whether the traffic matches an application exception. If it does, the file is processed according to the action (permit, alert, or block) configured for that application exception.

      The action of an application exception may differ from the action for the protocol that the application uses, and several applications may share one protocol. Actions for applications and protocols have different priorities:

      • If an action is defined for a protocol but no action is defined for any application, the protocol action applies to all applications that use the protocol.
      • If actions are defined both for a protocol and for an application that uses it, the application action takes precedence over the protocol action.

      For example, traffic of 163.com and yahoo.com is both carried over HTTP:

      • If the response action for HTTP is Block, the response action for both 163.com and yahoo.com is Block.
      • To exempt 163.com, configure an application exception for 163.com with the action Alert. yahoo.com then still inherits the Block action of HTTP, while 163.com uses the Alert action of the application exception.
    3. If the virus matches neither virus exceptions nor application exceptions, the action for protocol and transfer direction specified in the profile applies.

      The following table shows the response actions available for each protocol and transfer direction.

      Protocol   Transfer Direction   Response Action
      HTTP       Upload/Download      Alert/Block. The default action is Block.
      FTP        Upload/Download      Alert/Block. The default action is Block.
      NFS        Upload/Download      Alert.
      SMB        Upload/Download      Alert/Block. The default action is Block.
      SMTP       Upload               Alert/Declare/Delete Attachment. The default action is Alert.
      POP3       Download             Alert/Declare/Delete Attachment. The default action is Alert.
      IMAP       Upload/Download      Alert/Declare/Delete Attachment. The default action is Alert.

      Description of the actions:

      • Alert: The device permits the file and generates a virus log.
      • Block: The device blocks the file and generates a virus log.
      • Declare: For a virus-infected email message, the device permits the message but adds a notice of the detected virus to its subject and generates a virus log. This action applies only to the mail protocols (SMTP, POP3, and IMAP).
      • Delete Attachment: For a virus-infected email message, the device deletes the attachments, adds a notice of the detected virus to the subject, permits the message, and generates a virus log. This action applies only to the mail protocols (SMTP, POP3, and IMAP).
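The three-stage action resolution described above (virus exception, then application exception, then the protocol and direction action of the profile), as an added example that is not NGFW code. The allowed actions and defaults per protocol are taken from the table above; the profile class, its method names and the sample configuration (including the virus ID 100001) are constructed for illustration.

```python
"""Antivirus response-action resolution: virus exception, then application
exception, then the protocol/direction action of the profile.

Added example, not NGFW code. The precedence and the per-protocol action sets
and defaults are taken from the text and table above; the profile class, its
method names and the sample configuration are constructed.
"""

# Allowed response actions and the default action per protocol (from the table).
PROTOCOL_ACTIONS = {
    "HTTP": ({"alert", "block"}, "block"),
    "FTP":  ({"alert", "block"}, "block"),
    "NFS":  ({"alert"}, "alert"),
    "SMB":  ({"alert", "block"}, "block"),
    "SMTP": ({"alert", "declare", "delete_attachment"}, "alert"),
    "POP3": ({"alert", "declare", "delete_attachment"}, "alert"),
    "IMAP": ({"alert", "declare", "delete_attachment"}, "alert"),
}
# Directions in which each protocol is inspected; all others are upload and download.
PROTOCOL_DIRECTIONS = {"SMTP": {"upload"}, "POP3": {"download"}}
APP_EXCEPTION_ACTIONS = {"permit", "alert", "block"}


class AntivirusProfile:
    def __init__(self):
        self.virus_exceptions = set()   # virus IDs the operator has judged false positives
        self.app_exceptions = {}        # application name -> action
        self.protocol_actions = {}      # (protocol, direction) -> action

    def set_protocol_action(self, protocol, direction, action):
        allowed, _ = PROTOCOL_ACTIONS[protocol]
        if direction not in PROTOCOL_DIRECTIONS.get(protocol, {"upload", "download"}):
            raise ValueError(f"{protocol} is not inspected in the {direction} direction")
        if action not in allowed:
            raise ValueError(f"{action} is not a valid action for {protocol}")
        self.protocol_actions[(protocol, direction)] = action

    def set_app_exception(self, application, action):
        if action not in APP_EXCEPTION_ACTIONS:
            raise ValueError(f"{action} is not a valid application-exception action")
        self.app_exceptions[application] = action


def resolve_action(profile, virus_id, application, protocol, direction):
    """Action for a file in which a virus was detected, in the order the text gives."""
    if virus_id in profile.virus_exceptions:
        return "permit"                                  # 1. virus exception
    if application in profile.app_exceptions:
        return profile.app_exceptions[application]       # 2. application exception
    key = (protocol, direction)
    if key in profile.protocol_actions:
        return profile.protocol_actions[key]             # 3a. configured protocol action
    return PROTOCOL_ACTIONS[protocol][1]                 # 3b. protocol default


def setting_is_valid(protocol, direction, action) -> bool:
    """True if a profile accepts this protocol/direction/action combination."""
    try:
        AntivirusProfile().set_protocol_action(protocol, direction, action)
        return True
    except (KeyError, ValueError):
        return False


def example_profile():
    """The 163.com / yahoo.com scenario from the text, plus a mail rule."""
    p = AntivirusProfile()
    p.set_protocol_action("HTTP", "download", "block")
    p.set_app_exception("163.com", "alert")
    p.set_protocol_action("SMTP", "upload", "delete_attachment")
    p.virus_exceptions.add(100001)  # constructed virus ID marked as a false positive
    return p
```

Note that a virus exception is global for the profile: once a virus ID is excepted, files carrying only that virus pass over every protocol and application, so confirm the false positive before adding it.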

IPS

The intrusion prevention function detects and analyzes all packets and allows or blocks the packets accordingly.

  • Mechanism

    1. Application data reassembly

    Some attacks attempt to evade intrusion prevention by fragmenting packets. To counter this, the NGFW reassembles IP fragments and TCP flows before inspecting them.

    2. Protocol identification and analysis

    The NGFW identifies multiple types of application-layer protocols based on packet contents.

    The NGFW implements refined analysis and extracts packet features based on the identified protocol.

    Compared with the traditional firewall that identifies protocols only by IP address and port, the NGFW increases the detection ratio of application-layer attacks.

    3. Feature matching

    The NGFW compares the extracted features with the intrusion prevention signatures. If a match is found, the packets are processed according to the configured action.

    For details about the matching order of signatures, see Traffic Processing Flow.

    4. Action

    After the detection, the NGFW processes the packets that match the signature based on the configured action.

    Figure 12-36 illustrates the flow for processing packets.

  • Signature

    Signatures describe the features of attacks on the network. The NGFW detects and prevents attacks by comparing data flow contents with intrusion prevention signatures.

    The intrusion prevention signatures of the NGFW fall into two types:

    Pre-defined signature

    Signatures pre-defined on the NGFW. After purchasing the license for intrusion prevention updates, you obtain the signature database containing the pre-defined signatures and can continuously download new versions from the Security Center Platform to update it. Pre-defined signatures cannot be created or modified.

    A pre-defined signature has a default action, and the action can be:

    • Allow: The NGFW permits the packet matching the signature and does not generate a log.
    • Alert: The NGFW permits the packet matching the signature and generates a log.
    • Block: The NGFW discards the packet matching the signature, blocks the data flow to which the packet belongs, and generates a log.

    User-defined signature

    NOTE:

    You are advised to configure user-defined signatures only when you understand the attack features. Incorrect signatures may be useless, cause packet loss, or interrupt services.

    User-defined signatures are created by administrators. The signature database may not yet contain a signature for a new type of attack; if you understand the attack, you can create a user-defined signature for it. You can also customize signatures to extend the coverage of the signature database. After a user-defined signature is created, the system automatically checks its regular expressions (see Rules of Regular Expressions) and the validity of its rules, to prevent inefficient signatures from wasting resources.

    Rules of Regular Expressions

    Regular expressions contain dedicated characters with special meaning, called metacharacters. Table 12-69 describes the regular expression metacharacters and Table 12-70 the special characters.

    NOTE:

    Note the following items when you configure regular expressions:

    • Regular expressions in user-defined signature rules are case-sensitive.
    • The pattern must start with at least three consecutive exact characters. For example, abcd* meets the requirement, but ab* does not, because * is not an exact character.
    • {} can be used only as {n, m} or {n}.
    • A comma (,) may appear only inside {}; anywhere else it must be escaped with a backslash (\,).
    • Modifiers (+, *, ?, and {}) must follow a normal character.
    • (), [], and {} must be used in pairs.
    Table 12-69 Metacharacters

    ^
    Meaning: Matches the beginning of the string in single-line mode. In multi-line mode, it also matches the position after each newline character (\n).
    Description: For example, if the regular expression is ^abcdefg and a packet contains the field abcdefg\nabcdefgxxx:
    • In single-line mode, only the first abcdefg (at the start of the field) is matched.
    • In multi-line mode, the abcdefg after \n is matched as well.

    $
    Meaning: Matches the end of the string in single-line mode. In multi-line mode, it also matches the position before each \n.
    Description: For example, if the regular expression is abcdefg$ and a packet contains the field defabcdefg\nxxabcdefg:
    • In single-line mode, only the final abcdefg (at the end of the field) is matched.
    • In multi-line mode, the abcdefg immediately before \n is matched.

    []
    Meaning: Matches any single character contained within the brackets.
    Description: A hyphen (-) specifies a range of characters. The special characters in Table 12-70 are not supported inside [].
    • [xyz] is a positive character set. For example, abcdefg[abc] matches abcdefga, abcdefgb, or abcdefgc.
    • [^xyz] is a negated character set. For example, abcdefg[^ab] matches abcdefg followed by any single character other than a or b, so it does not match abcdefga or abcdefgb.
    • [x-y] is a range character set. For example, abcdefg[a-c] matches abcdefga, abcdefgb, and abcdefgc.
    • A maximum of 64 characters can be entered in [].
    • The regular expression cannot contain "[[:".
    • The [xyz]* and [xyz]+ forms are not supported.

    ()
    Meaning: Marks the beginning and end of a subexpression.
    Description:
    • The regular expression cannot contain constructs such as (?=), (?!), (?<=), (?<!), (?i), (?s), (?m), (?x), (?@0), (?:), or (?.=[xyz]).
    • The (xyz)*, (xyz){...}, and (xyz)+ forms are not supported.

    .
    Meaning: Matches any single character except \n.
    Description: For example, abcdefg.h matches abcdefgah, abcdefgbh, and abcdefgch, but not abcdefgaah.

    |
    Meaning: Logical OR of the expressions on either side of the vertical bar.
    Description: An expression must exist on both sides of |; for example, ab| is invalid. For example, abcdefg[a|b] matches abcdefga and abcdefgb.

    \
    Meaning: Escape character.
    Description: Placed before a metacharacter that is to be matched literally. For example, \\ matches a single backslash (\).
    • A backslash cannot be followed by b, B, Q, E, or a digit 1 through 9.
    • \x must be followed by exactly two hexadecimal digits (\xhh); the \x{...} form cannot be used.
    • When a backslash is followed by d, D, h, H, s, S, v, V, w, or W, the pair is a character class (see Table 12-70), not a literal character.

    -
    Meaning: Inside [], specifies a range of characters.
    Description: For example, abcdefg[a-c] matches abcdefga, abcdefgb, and abcdefgc.

    *
    Meaning: Matches zero or more occurrences of the preceding character.
    Description: The following restrictions apply to the preceding character or string:
    • It cannot be a subexpression. For example, (abcdefg)* is not supported.
    • The number of characters in {} and [] must be less than or equal to 64.
    • .*, *?, and *+ are not supported.
    For example, abcdefg* matches abcdef, abcdefg, and abcdefggg.

    +
    Meaning: Matches one or more occurrences of the preceding character.
    Description: The following restrictions apply to the preceding character or string:
    • It cannot be a subexpression. For example, (abcdefg)+ is not supported.
    • The number of characters in {} and [] must be less than or equal to 64.
    • .+, +?, and ++ are not supported.
    For example, abcdefg+ matches abcdefg, abcdefgg, and abcdefggg.

    ?
    Meaning: Matches zero or one occurrence of the preceding character.
    Description: For example, abcdefg? matches abcdef and abcdefg. ?? and ?+ are not supported.

    {n}
    Meaning: Matches exactly n occurrences of the preceding character.
    Description:
    • n must be less than or equal to 64.
    • The preceding string cannot be a subexpression. For example, (abcdefg){n} is not supported.
    For example, abcdefg{3} matches abcdefggg.

    {n,m}
    Meaning: Matches between n and m occurrences of the preceding character.
    Description:
    • n must be less than or equal to m.
    • m must be less than or equal to 64.
    • The preceding string cannot be a subexpression. For example, (abcdefg){n,m} is not supported.
    For example, abcdefg{0,8} matches abcdef followed by 0 to 8 occurrences of g.

    Table 12-70 Special characters

    Character   Meaning                                                    Description
    \a          Bell character (hex 07)                                    -
    \d          Decimal digit 0 through 9                                  Matches any one of 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9.
    \D          Any character except a decimal digit                       -
    \e          Escape character (hex 1B)                                  -
    \f          Form feed character (hex 0C)                               -
    \h          SPACE or TAB character                                     -
    \H          Any character except SPACE and TAB                         -
    \n          Newline character (hex 0A)                                 -
    \r          Carriage return (CR) character (hex 0D)                    -
    \s          SPACE, TAB, carriage return (CR), or line feed (LF)        -
    \S          Any character except SPACE, TAB, CR, and LF                -
    \t          Tab character (hex 09)                                     -
    \v          CR or LF character                                         -
    \V          Any character except CR and LF                             -
    \w          Underscore (_), a-z, A-Z, 0-9                              -
    \W          Any character except underscore (_), a-z, A-Z, and 0-9     -
    \xhh        The byte with hexadecimal value hh                         \x5A matches Z; \x20 matches a space; \x22 matches a double quotation mark.
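A pre-load check for the regular expression rules listed in the note and in Tables 12-69 and 12-70, as an added example that is not NGFW code. The NGFW validates user-defined signatures itself; this lint is a constructed approximation of the published restrictions that a practitioner can run on a pattern before committing it, so that a rejected signature is caught at review time rather than at load time. It takes the strict reading of the "three exact characters" rule (a character that carries a modifier is not counted, as the abc? reasoning in Table 12-73 below does), and it does not cover the data filtering rules of Table 12-73, which differ.

```python
"""Pre-load lint for NGFW user-defined IPS signature regular expressions.

Added example, not NGFW code: a constructed approximation of the restrictions
in the note and Tables 12-69 and 12-70 above, run before a pattern is committed
to a profile. Table 12-73 (data filtering) has different rules and is not covered.
"""
import re
from typing import Optional

BRACE_RE = re.compile(r"\{(\d+)(?:,(\d+))?\}")   # only {n} and {n,m} are legal
HEX_RE = re.compile(r"x[0-9A-Fa-f]{2}")           # \x must be \xhh
KINDS = {"(": "open", ")": "close", ".": "dot", "|": "alt", "^": "anchor",
         "$": "anchor", "*": "quant", "+": "quant", "?": "quant"}


class LintError(ValueError):
    pass


def _tokenize(p: str) -> list:
    """Tokenize into (kind, text); raise LintError for forms the engine rejects."""
    toks, i, n = [], 0, len(p)
    while i < n:
        c = p[i]
        if c == "\\":
            nxt = p[i + 1] if i + 1 < n else ""
            if nxt == "" or nxt in "bBQE123456789":
                raise LintError(f"a backslash may not be followed by {nxt!r}")
            if nxt == "x" and not HEX_RE.match(p, i + 1):
                raise LintError("\\x must be written as \\xhh")
            width = 4 if nxt == "x" else 2
            toks.append(("class" if nxt in "dDhHsSvVwW" else "lit", p[i:i + width]))
            i += width
        elif c == "[":
            j = p.find("]", i + 1)
            body = p[i + 1:j] if j > 0 else None
            if body is None or body.startswith("[:") or "\\" in body or len(body) > 64:
                raise LintError("[] must be closed, hold at most 64 characters, and not "
                                "contain \"[[:\" or the Table 12-70 special characters")
            toks.append(("bracket", body))
            i = j + 1
        elif c == "{":
            m = BRACE_RE.match(p, i)
            if not m:
                raise LintError("{} may only be used as {n} or {n,m}")
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            if lo > hi or hi > 64:
                raise LintError("{} requires n <= m <= 64")
            toks.append(("quant", m.group(0)))
            i = m.end()
        elif c == "(" and p.startswith("(?", i):
            raise LintError("(? constructs such as lookarounds and flags are not allowed")
        elif c in ",]}":
            raise LintError(f"unexpected {c}: a comma may appear only inside {{}} or "
                            "escaped as \\, and ] or } must close a pair")
        else:
            toks.append((KINDS.get(c, "lit"), c))
            i += 1
    return toks


def lint_signature_regex(p: str) -> Optional[str]:
    """Return None if the pattern satisfies the listed rules, else the first violation."""
    try:
        toks = _tokenize(p)
        depth = 0
        for kind, _ in toks:
            depth += (kind == "open") - (kind == "close")
            if depth < 0:
                raise LintError("unmatched )")
        if depth:
            raise LintError("unclosed (")
        # Three exact characters at the start (after an optional ^); a modified one does not count.
        exact, idx = 0, 1 if toks[:1] == [("anchor", "^")] else 0
        while idx < len(toks) and toks[idx][0] == "lit" and not (
                idx + 1 < len(toks) and toks[idx + 1][0] == "quant"):
            exact, idx = exact + 1, idx + 1
        if exact < 3:
            raise LintError("the pattern must start with at least three exact characters")
        for idx, (kind, text) in enumerate(toks):
            prev = toks[idx - 1] if idx else None
            nxt = toks[idx + 1] if idx + 1 < len(toks) else None
            if kind == "quant":
                if prev is None or prev[0] in ("open", "alt", "anchor"):
                    raise LintError(f"modifier {text} must follow a character")
                if prev[0] in ("quant", "close"):
                    raise LintError(f"{text} may not follow {prev[1]}: stacked modifiers "
                                    "and modified subexpressions are not supported")
                if prev[0] in ("dot", "bracket") and text in "*+":
                    raise LintError(f".{text} and [...]{text} are not supported")
            if kind == "alt" and (prev is None or nxt is None or prev[0] in ("open", "alt")
                                  or nxt[0] in ("close", "alt", "quant")):
                raise LintError("| needs an expression on both sides")
    except LintError as err:
        return str(err)
    return None
```

The check reports the first violation it finds; a pattern that passes still has to be tested against captured traffic, because the lint says nothing about whether the signature actually matches the attack.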

  • Signature Filter

    After each update the signature database contains a large number of signatures. By analyzing the features of the threats on their networks, administrators can select the signatures that cover those features and group them in a signature filter, so that the profile applies exactly the signatures needed to prevent the expected intrusions.

    A signature filter is the set of signatures that match the specified filtering conditions, which include signature type, object, protocol, severity, and operating system. Only a signature that matches all the conditions is included in the filter. For example, to apply intrusion prevention only to HTTP packets, set the protocol condition to HTTP only.

    The action of a signature filter can be Default, Block, or Alert. With Default, each signature keeps its own default action. The action of a signature filter takes precedence over the default action of a signature.

    Signature filters configured earlier have higher priority. If two signature filters in one profile contain the same signature, packets matching that signature are processed according to the filter that was configured first.

  • Signature Exception

    To simplify management, all signatures in a signature filter share one action. If some signatures need an action different from that of the filter, administrators can add them as exception signatures and configure their actions individually.

    The action of a signature exception can be Block, Alert, Allow, Block+Isolation (Source IP), or Block+Isolation (Destination IP). A signature exception takes precedence over a signature filter: if a signature is covered by both, the action of the exception applies.

    For example, the action for a batch of signatures in a signature filter is Block, and the NGFW blocks an R&D tool that an employee requests. The log shows that the tool matched a signature in the filter and was blocked, which is a false positive. In such a case, add the signature as an exception and set its action to Allow.

  • Traffic Processing Flow

    An intrusion prevention profile contains multiple signature filters and exception signatures.

    Figure 12-35 shows the relationship between signatures, signature filters, and exception signatures. In this example, a01, a02, and a03 are pre-defined signatures. a04 and a05 are user-defined signatures. Two signature filters are configured in the profile. Signature filter 1 filters signatures a01 and a02 whose protocol set is set to HTTP and other filtering conditions are set to XXX. The action for signature filter 1 is set to the default action for signatures. Signature filter 2 filters a03 and a05 whose protocol set is set to HTTP or UDP and other filtering conditions are set to YYY. The action for signature filter 2 is set to block. Besides, two exception signatures are configured in the profile. In exception signature 1, set the action for a02 to alert. In exception signature 2, set the action for a04 to block.

    The actual action for a signature is jointly determined by the default action for the signature, action for the signature filter, and action for the exception signature. For details, see Actual action in Figure 12-35.
    Figure 12-35 Relationship between signatures, signature filters, and exception signatures
    When a data flow matches the intrusion prevention profile, the NGFW sends the data flow to the intrusion prevention module to match the signatures referenced by the profile one by one. Figure 12-36 shows the traffic processing flow.
    Figure 12-36 Traffic processing flow
    NOTE:

    When a packet matches multiple signatures, the actual action for the packet is as follows:

    • If the actions for all the matched signatures are Alert, the action for the packet is Alert.
    • If the action for any matched signature is Block, the action for the packet is Block.

      When a data flow matches multiple signature filters, the action for the signature filter with the highest priority is performed on the data flow.
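The precedence rules above (exception over filter, filter action "default" keeps the signature's own default, earlier filter wins, and a packet matching several signatures is blocked if any of them blocks), as an added example that is not NGFW code. The signature IDs a01 to a05 and the two-filter, two-exception layout mirror Figure 12-35; the protocol and severity values stand in for the unspecified XXX and YYY conditions, and the rule that a packet whose matches all say Allow is allowed is an assumption the text does not state.

```python
"""Actual IPS action for a signature, and for a packet that matches several.

Added example, not NGFW code. Precedence follows the text above: exception over
filter, a "default" filter action keeps the signature default, the earlier
filter wins, and any Block among matched signatures blocks the packet. IDs and
filter layout mirror Figure 12-35; protocol/severity values replace XXX/YYY.
Assumption: a packet whose matches are all Allow is allowed.
"""
from dataclasses import dataclass, field

RANK = {"allow": 0, "alert": 1, "block": 2}   # order used to combine actions


@dataclass(frozen=True)
class Signature:
    sid: str
    protocol: str
    severity: str
    default_action: str          # allow | alert | block


@dataclass
class SignatureFilter:
    protocols: frozenset
    severities: frozenset
    action: str = "default"      # default | alert | block

    def covers(self, sig: Signature) -> bool:
        """A signature joins the filter only if it meets every condition."""
        return sig.protocol in self.protocols and sig.severity in self.severities


@dataclass
class IpsProfile:
    filters: list = field(default_factory=list)     # in configuration order
    exceptions: dict = field(default_factory=dict)  # sid -> block | alert | allow | block+isolate-src | block+isolate-dst

    def action_for(self, sig: Signature):
        if sig.sid in self.exceptions:                # exception: highest priority
            return self.exceptions[sig.sid]
        for f in self.filters:                        # earlier filter: higher priority
            if f.covers(sig):
                return sig.default_action if f.action == "default" else f.action
        return None                                   # not referenced by this profile


def packet_action(profile: IpsProfile, matched) -> str:
    """Combine the actions of all matched signatures: Block if any is Block,
    else Alert if any is Alert, else Allow. Isolation variants rank as Block."""
    worst, worst_rank = "allow", 0
    for sig in matched:
        act = profile.action_for(sig)
        if act is None:
            continue
        rank = RANK["block" if act.startswith("block") else act]
        if rank > worst_rank:
            worst, worst_rank = act, rank
    return worst


# Signatures of Figure 12-35 with constructed attributes and defaults.
SIGS = {
    "a01": Signature("a01", "HTTP", "high", "block"),
    "a02": Signature("a02", "HTTP", "high", "block"),
    "a03": Signature("a03", "HTTP", "low", "alert"),
    "a04": Signature("a04", "UDP", "high", "alert"),   # user-defined, in no filter
    "a05": Signature("a05", "UDP", "low", "alert"),    # user-defined
}


def figure_profile() -> IpsProfile:
    """Filter 1: HTTP and 'XXX' (here severity high), action default.
    Filter 2: HTTP or UDP and 'YYY' (here severity low), action block.
    Exceptions: a02 -> alert, a04 -> block."""
    return IpsProfile(
        filters=[SignatureFilter(frozenset({"HTTP"}), frozenset({"high"})),
                 SignatureFilter(frozenset({"HTTP", "UDP"}), frozenset({"low"}), "block")],
        exceptions={"a02": "alert", "a04": "block"},
    )
```

Because an exception also applies to a signature that no filter references (a04 here), exceptions are the way to give a single user-defined signature an action without building a filter around it.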

  • Detection Directions

    If a security policy references an intrusion prevention profile, the direction in the security policy is determined by the node that initiates a session, not the node that sends attack packets.

    As shown in Figure 12-37, when an Internet user accesses an intranet, the intranet PC or server runs the risk of attacks launched by Internet devices. Internet user access traffic destined for the intranet is sent from the Untrust zone to the Trust zone. The security policy takes effect on Internet-to-intranet traffic, which means that the source zone is the Untrust zone, and the destination zone is the Trust zone.

    Figure 12-37 Protecting intranet server traffic
    As shown in Figure 12-38, when a PC accesses an Internet server, the intranet PC runs the risk of attacks launched by Internet devices. The PC sends traffic to the Internet server, and the traffic travels from the Trust zone to the Untrust zone. Attack traffic originates from the Internet, and the traffic travels from the Untrust zone to the Trust zone. The security policy takes effect on PC-to-Internet traffic, which means that the source zone is the Trust zone, and the destination zone is the Untrust zone. The direction defined in the security policy is different from the attack traffic direction.
    Figure 12-38 Protecting intranet client traffic

URL Filtering

URL filtering is generally deployed on the enterprise gateway to control users' access to network resources over HTTP or HTTPS.

If URL filtering is enabled on the NGFW and a user accesses a network resource over HTTP or HTTPS through the NGFW, the NGFW filters the URL. Figure 12-39 shows the handling process.

Figure 12-39 URL filtering flow

  1. A user initiates a URL access request. If the data flow matches a security policy and the action of the policy is permit, the system implements URL filtering.
  2. The NGFW matches the URL with the whitelist.
    • If the URL matches the whitelist, the NGFW permits the URL access request.
    • If the URL does not match the whitelist, the NGFW goes to the next step.
  3. The NGFW matches the URL with the blacklist.
    • If URL information matches the blacklist, the NGFW blocks the URL access request.
    • If the URL does not match the blacklist, the NGFW goes to the next step.
  4. The device matches the URL with user-defined categories.
    • If the URL matches a user-defined category, the NGFW processes the request based on the action for this user-defined category.
    • If the URL does not match user-defined categories, the NGFW goes to the next step.
  5. The NGFW matches the URL with malicious URLs.
    • If the URL matches a malicious URL, the NGFW blocks the URL request.
    • If the URL does not match any malicious URL, the NGFW proceeds to the next step.
  6. The NGFW matches the URL with pre-defined categories in the cache.
    • If a pre-defined category is matched, the NGFW processes the request based on the action for this pre-defined category.
    • If no pre-defined category is matched, the device starts category query on a remote server.
    • If the remote server is available, the NGFW continues to query URL categories on the remote server.
    • If the remote server is unavailable, the NGFW processes the request based on the default action.
  7. The NGFW queries the URL category on the remote server.
    • If the query times out, the NGFW processes the request based on the action configured by the administrator for timed-out pre-defined category queries.
    • If the server returns a category for the URL, the NGFW processes the request based on the action for that category.
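The decision order of the seven steps above, as an added example that is not NGFW code. The step order and the handling of an unavailable server (default action) and of a timed-out query (timeout action) follow the flow; the profile fields, the host-or-URL list matching, the remote lookup stub and the sample hosts are constructed for illustration.

```python
"""URL filtering decision order: whitelist, blacklist, user-defined category,
malicious URL, pre-defined category from the cache, then a remote query.

Added example, not NGFW code. The step order and the timeout/default handling
follow the flow above; profile fields, host-or-URL matching, the remote lookup
stub and the sample data are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit


class RemoteTimeout(Exception):
    """Raised by the lookup callable when the category server does not answer in time."""


@dataclass
class UrlFilterProfile:
    whitelist: set = field(default_factory=set)             # hosts or full URLs
    blacklist: set = field(default_factory=set)
    user_categories: dict = field(default_factory=dict)     # name -> (entries, action)
    malicious_urls: set = field(default_factory=set)
    predefined_actions: dict = field(default_factory=dict)  # category -> action
    cache: dict = field(default_factory=dict)               # host -> pre-defined category
    default_action: str = "allow"      # used when the remote server is unavailable
    timeout_action: str = "alert"      # used when the remote query times out


def _hit(entries: set, host: str, url: str) -> bool:
    return host in entries or url in entries


def decide(profile: UrlFilterProfile, url: str,
           remote_lookup: Optional[Callable[[str], str]]) -> Tuple[str, str]:
    """Return (action, reason) for a request already permitted by the security policy."""
    host = urlsplit(url).hostname or ""
    if _hit(profile.whitelist, host, url):                       # step 2
        return "allow", "whitelist"
    if _hit(profile.blacklist, host, url):                       # step 3
        return "block", "blacklist"
    for name, (entries, action) in profile.user_categories.items():   # step 4
        if _hit(entries, host, url):
            return action, f"user-defined:{name}"
    if _hit(profile.malicious_urls, host, url):                  # step 5
        return "block", "malicious-url"
    category = profile.cache.get(host)                           # step 6
    if category is None:
        if remote_lookup is None:                                # server unavailable
            return profile.default_action, "server-unavailable"
        try:
            category = remote_lookup(host)                       # step 7
        except RemoteTimeout:
            return profile.timeout_action, "query-timeout"
        profile.cache[host] = category                           # cache for later requests
    action = profile.predefined_actions.get(category, profile.default_action)
    return action, f"pre-defined:{category}"


# Constructed configuration and a fake category server.
PROFILE = UrlFilterProfile(
    whitelist={"intranet.example.com"},
    blacklist={"gambling.example.net"},
    user_categories={"job-sites": ({"jobs.example.org"}, "alert")},
    malicious_urls={"http://cdn.example.net/payload.bin"},
    predefined_actions={"social": "block", "news": "allow"},
    cache={"news.example.com": "news"},
)
FAKE_CATEGORIES = {"social.example.com": "social", "blog.example.com": "news"}


def fake_server(host: str) -> str:
    """Stand-in for the remote category server; one host never answers."""
    if host == "slow.example.com":
        raise RemoteTimeout(host)
    return FAKE_CATEGORIES.get(host, "uncategorized")
```

The order matters for security: a whitelist entry is consulted before the malicious URL list, so a broad whitelist entry silently disables malicious-URL blocking for everything it covers. Keep whitelist entries to specific hosts.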

File filtering

File filtering reduces the risk of confidential information leaking and of virus-carrying files entering the enterprise network, and prevents file transfers that consume bandwidth and reduce employee productivity. The NGFW identifies the types of files transferred through it and blocks or alerts on files of specific types.

If traffic passing through the NGFW matches a security policy rule whose action is permit and that references a file filtering profile, the NGFW applies file filtering to the traffic. The mechanism is as follows:

  1. The NGFW identifies the following file attributes:
    • Application: The application or protocol over which the file is transferred, such as HTTP, FTP, SMTP, POP3, NFS, SMB, or IMAP.
    • File transfer direction: The value can be upload or download.
    • File type: The NGFW can identify the real file type. For example, the file type of the Word document whose name is changed from file.doc to file.exe is still doc.
    • File name extension: The value is the suffix of a file name. For example, the file name extensions of file.doc and file.exe are doc and exe, respectively.
  2. Based on the identification results and the global configuration, the NGFW matches the file against the rules in the file filtering profile, as described in Table 12-71.

    The file attributes (application, direction, file type, and file name extension) are compared with the conditions of each rule in turn.

    If all conditions of a rule are met, the file matches that rule; otherwise the next rule is tried. If the file matches no rule, the NGFW allows the transfer.

    If a file matches a rule, the NGFW applies the action defined in the rule: Block discards the file, and Alert allows the transfer and generates a log.

    Table 12-71 File identification and rule matching

    File Identification                                                       Rule Matching
    The file type and file name extension are consistent.                     The file is matched against rules by type; the matching conditions are Application, Pre-defined file type, and Direction.
    The file type and file name extension are inconsistent.                   The file is matched against rules by its identified type, not by the extension; the matching conditions are Application,  Pre-defined file type, and Direction.
    The file type cannot be identified, but the file name extension exists.   The file is matched against rules by name extension; the matching conditions are Application, File Extension, and Direction.
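The identification and matching logic of Table 12-71, as an added example that is not NGFW code: the real type is taken from the file content, the extension from the name, and a known type is matched by type even when the extension disagrees, while an unknown type falls back to the extension. The magic-number table is a small constructed subset, and the rule format, function names and sample files are assumptions made for illustration.

```python
"""File filtering: real type from content versus file name extension.

Added example, not NGFW code. The attributes (application, direction, type,
extension) and the three identification outcomes follow Table 12-71 above.
The magic-number table is a small constructed subset, and the rule format,
function names and sample files are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Leading bytes -> pre-defined file type (illustrative subset only).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),                                     # Windows PE
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),                             # also docx/xlsx/jar containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),       # OLE2 compound file (doc/xls/ppt)
]


def identify_type(data: bytes) -> Optional[str]:
    """Return the real file type from the content, or None if unrecognised."""
    for signature, ftype in MAGIC:
        if data.startswith(signature):
            return ftype
    return None


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


@dataclass(frozen=True)
class FileRule:
    application: str
    direction: str                        # upload | download
    action: str                           # block | alert
    file_types: frozenset = frozenset()   # pre-defined types, matched by content
    extensions: frozenset = frozenset()   # name extensions, used only when the type is unknown


def match_file(rules, application: str, direction: str, name: str, data: bytes) -> Tuple[str, str]:
    """Return (action, how) following Table 12-71: a known real type is matched by
    type even when the extension disagrees; only an unknown type falls back to the
    extension; no matching rule means the file is allowed."""
    ftype, ext = identify_type(data), extension_of(name)
    for rule in rules:
        if rule.application != application or rule.direction != direction:
            continue
        if ftype is not None:
            if ftype in rule.file_types:
                return rule.action, f"type:{ftype}"
        elif ext and ext in rule.extensions:
            return rule.action, f"extension:{ext}"
    return "allow", "no-rule"


# Constructed profile: block executables over HTTP in either direction, alert on
# Office documents leaving the network, and block unidentifiable scripts by name.
RULES = [
    FileRule("HTTP", "download", "block", file_types=frozenset({"exe", "elf"})),
    FileRule("HTTP", "upload", "block", file_types=frozenset({"exe", "elf"})),
    FileRule("HTTP", "upload", "alert", file_types=frozenset({"doc"})),
    FileRule("HTTP", "download", "block", extensions=frozenset({"bat", "ps1", "vbs"})),
]
```

The two renamed cases in the test (a Word document called report.exe and an executable called setup.doc) show why type rules must be keyed on the identified type: the extension is attacker-controlled, the content is not.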

Data Filtering

Data filtering prevents confidential information leaks, transmission of illegal information, and employees' browsing or searching for non-work-related content. The device implements in-depth identification of traffic content and blocks or alerts on traffic containing specified keywords.

  • Data filtering

    Data filtering falls into two types: file data filtering and application data filtering.

    File data filtering filters uploaded and downloaded files by keyword. You can specify the protocols used for the file transfer or the types of files to be filtered.

    Application data filtering filters application content by keyword. Table 12-72 describes the content that is filtered for each application.
    Table 12-72 Application data filtering

    Application/Protocol   Filtered Content
    HTTP                   Upload direction: content posted on microblogs, content posted on forums, search keywords, submitted information (such as registration forms), and the name of the file being uploaded.
                           Download direction: web page content and the name of the file being downloaded over HTTP.
    FTP                    Name of the file being uploaded or downloaded.
    SMTP                   Subject, body, and attachment names of the sent email.
    POP3                   Subject, body, and attachment names of the received email.
    NFS                    Uploaded and downloaded files.
    SMB                    Uploaded and downloaded files.
    IMAP                   Subject, body, and attachment names of the received email.
    RTMPT                  Name of the file transferred using RTMPT.
    FLASH                  Flash file name.
    File sharing           Shared file name.

  • Keyword

    A keyword is the content that the device identifies in data filtering. The device performs the specified action on files or application content that contains the keyword. Keywords are typically confidential or illegal information.

    Keywords are either pre-defined or user-defined.

    • Pre-defined keywords include bank card numbers, credit card numbers, social security numbers, ID card numbers, and confidentiality markings (confidential, secret, and top secret).
    • User-defined keywords can be text or regular expressions.
      • For a text keyword, you enter the exact text to be filtered. Text keywords are easy to configure and are matched exactly.
      • For a regular expression keyword, the text to be identified is defined as a regular expression. Unlike the text mode, one regular expression can represent multiple keywords and provides fuzzy matching. For example, "." in "abc.de" represents any single character, so "abc.de" matches "abcxde", "abcyde", or "abc8de".

    Regular expression keywords are flexible and efficient to match, but they must follow the regular expression rules that the device supports. Table 12-73 describes these rules.

    Table 12-73 Rules of regular expressions (Character: Description)

    • \ : Escape character. Add \ before a special character to match it literally, for example \., \(, and \).
    • . : Matches any single ASCII character or Chinese character. For example, abc.de matches abcade, abcyde, and abc8de.
      A regular expression cannot start or end with a dot (.), on either side of |. For example, .abc|def, abc.|def, abc|.def, abc|def., and abc|def.|ghi are invalid.
    • ( ) : Marks the beginning and end of a subexpression. For example, (abc)+ matches abc and abcabc.
    • ? : Matches the preceding character or subexpression zero or one time. For example, abcd? matches abc and abcd.
      The shortest string a regular expression keyword can match must be at least three bytes long. abc? is therefore invalid (with zero repetitions it would match ab, only two bytes): at least four characters must precede ?.
    • * : Matches the preceding character or subexpression zero or more times. For example, abcd* matches abc, abcd, and abcddd.
      For the same reason, abc* is invalid: at least four characters must precede *.
    • + : Matches the preceding character or subexpression one or more times. For example, abc+ matches abc and abcc, but not ab.
    • | : Matches either the expression before or the expression after the operator. For example, abc|defg matches abc or defg, and (a|b)cde matches acde or bcde.
    • - : Defines a range inside brackets. For example, [c-z] matches any single character from c to z, including c and z.
    • [ ] : Matches any single character listed inside the brackets. For example, abc[def] matches abcd, abce, or abcf.
      • [] must enclose at least one character.
      • [] cannot enclose ASCII characters and Chinese characters at the same time.
      • [] can enclose the escape character (\).
      • [] can enclose a range written with a hyphen (-), but the range must lie within A to Z, a to z, or 0 to 9 and run upward. For example, [b-d], [A-Q], and [2-9] are valid; [b-A], [k-a], and [k-] are invalid.
    • {n} : n is a non-negative integer smaller than 10. Matches the preceding character exactly n times. For example, abc{2} does not match abc in oabco, but matches abcc in oabcco.
    • {n,m} : Matches the preceding character at least n and at most m times. n and m are non-negative integers not larger than 10, and n is smaller than m. For example, abcd{0,3} matches abc, abcd{1,3} matches abcdd, and (abc){1,5} matches abcabcabc.
    • \d : Matches a digit character, equivalent to [0-9]. For example, abc\d matches abc0 and abc9.
    • \w : Matches any digit, letter, or underscore. For example, abc\w matches abc2, abcd, abcA, and abc_.

  • Response action

    If a keyword is identified in data filtering, the device performs the action in Table 12-74.

    Table 12-74 Response actions (Action: Description)

    • Alert: The device generates a log but does not block the content.
    • Block: The device blocks the content and generates a log. For users, the web page cannot be displayed, the file cannot be uploaded or downloaded, or the email cannot be sent or received.
    • By Weight: Each keyword has a weight. The device multiplies the weight of each identified keyword by the number of times it appears and adds the results. If the sum is greater than or equal to the alert threshold but less than the block threshold, the device generates an alarm. If the sum is greater than or equal to the block threshold, the device blocks the traffic.

      For example, two keywords are defined on the device: keyword a with weight 1 and keyword b with weight 2. The alert threshold for data filtering is 1 and the block threshold is 5. If keyword a appears once on a web page a user browses, the sum of weights is 1, which equals the alert threshold: the device generates a log, and the user can continue browsing. If keyword a appears three times and keyword b twice, the sum is 7 (3 x 1 + 2 x 2 = 7), which exceeds the block threshold of 5: the device blocks the page and generates a log, and the page is not displayed to the user.

  • Data filtering process

    Data filtering is applied to traffic that matches a security policy rule whose action is permit and that references a data filtering profile.

    The data filtering process is as follows:

    1. The device detects and identifies the traffic content.

       For an application, the identified attributes are the application type and transmission direction. For a file, they are the protocol used to transfer the file, the file type, and the transmission direction.

    2. The device compares these attributes with the conditions in each data filtering rule. If all conditions match, the traffic matches the rule; otherwise, the next rule is compared. If no data filtering rule matches, the device permits the traffic.
    3. If the traffic matches a data filtering rule, the device checks whether any keyword defined in the rule exists in the traffic content. If a keyword is identified, the device performs the specified action. If no keyword is identified, the device permits the traffic.
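The following Python model ties the keyword definitions, the By Weight response action of Table 12-74, and the three-step data filtering process above into one runnable flow. It is an added example, not Huawei's code: the names (Keyword, DataFilterRule, filter_traffic) and the sample profile and page contents are constructed for illustration, and Python's re module stands in for the device's narrower regular expression dialect.

```python
"""Model of the data filtering flow: rule selection on application and
direction, keyword matching (text and regular expression), and the
Alert / Block / By Weight response actions. Added example, not Huawei code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Keyword:
    name: str
    pattern: str
    weight: int = 1
    is_regex: bool = False

    def count_in(self, content: str) -> int:
        """Number of non-overlapping occurrences of this keyword in content.
        Text keywords are escaped so they match exactly."""
        pat = self.pattern if self.is_regex else re.escape(self.pattern)
        return sum(1 for _ in re.finditer(pat, content))


@dataclass(frozen=True)
class DataFilterRule:
    applications: frozenset      # e.g. {"HTTP", "FTP"}
    directions: frozenset        # subset of {"upload", "download"}
    keywords: tuple
    action: str                  # "alert", "block" or "by-weight"
    alert_threshold: int = 1
    block_threshold: int = 5


def select_rule(profile, application, direction):
    """Step 2: first rule whose conditions all match, or None (traffic permitted)."""
    for rule in profile:
        if application in rule.applications and direction in rule.directions:
            return rule
    return None


def evaluate(rule, content):
    """Step 3: returns (verdict, total_weight, hits); verdict is permit, alert
    or block, and hits maps keyword name -> occurrence count."""
    hits = {}
    for kw in rule.keywords:
        n = kw.count_in(content)
        if n:
            hits[kw.name] = n
    if not hits:
        return "permit", 0, hits
    total = sum(kw.weight * hits.get(kw.name, 0) for kw in rule.keywords)
    if rule.action in ("alert", "block"):
        return rule.action, total, hits          # any hit triggers the fixed action
    if rule.action == "by-weight":
        if total >= rule.block_threshold:
            return "block", total, hits
        if total >= rule.alert_threshold:
            return "alert", total, hits
        return "permit", total, hits             # below both thresholds
    raise ValueError(f"unknown action {rule.action!r}")


def filter_traffic(profile, application, direction, content):
    """Steps 2 and 3 together, as applied to one flow."""
    rule = select_rule(profile, application, direction)
    if rule is None:
        return "permit", 0, {}
    return evaluate(rule, content)


# Constructed profile reproducing the By Weight example in the text:
# keyword a (weight 1), keyword b (weight 2), alert threshold 1, block threshold 5.
KEYWORD_A = Keyword("a", "confidential", weight=1)
KEYWORD_B = Keyword("b", "top secret", weight=2)
KEYWORD_FUZZY = Keyword("fuzzy", r"abc.de", weight=1, is_regex=True)  # abcxde, abc8de, ...

PROFILE = (
    DataFilterRule(
        applications=frozenset({"HTTP"}),
        directions=frozenset({"upload", "download"}),
        keywords=(KEYWORD_A, KEYWORD_B, KEYWORD_FUZZY),
        action="by-weight",
        alert_threshold=1,
        block_threshold=5,
    ),
)

# Constructed sample page contents.
PAGE_ONE_HIT = "This memo is confidential."                      # 1 * 1 = 1 -> alert
PAGE_MANY_HITS = ("confidential, confidential, confidential; "
                  "top secret and top secret again")             # 3 * 1 + 2 * 2 = 7 -> block

if __name__ == "__main__":
    for page in (PAGE_ONE_HIT, PAGE_MANY_HITS, "nothing of interest", "see abcxde"):
        print(filter_traffic(PROFILE, "HTTP", "download", page))
    print(filter_traffic(PROFILE, "FTP", "download", PAGE_MANY_HITS))  # no rule -> permit
```

Note that the sum is computed over every occurrence, so a single low-weight keyword repeated often reaches the block threshold just as a high-weight keyword does once; when tuning thresholds, test them against representative pages rather than single keywords.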

Application Behavior Control

The NGFW provides the application behavior control function to control users' HTTP and FTP behaviors precisely. This function is commonly used to manage the web access behavior (HTTP) and file transfer behavior (FTP) of enterprise intranet users.

You can create multiple application behavior control profiles on the NGFW, each granting a different set of HTTP and FTP permissions to intranet users. The profiles are then referenced in security policies together with objects such as users and schedules (working hours and non-working hours) to deliver differentiated, fine-grained control over the HTTP and FTP behavior of intranet users.

Traditional devices control HTTP and FTP only by protocol or port. The NGFW controls HTTP and FTP behaviors at a finer granularity: for example, application behavior control can deny FTP file upload and deletion while permitting FTP file download. Table 12-75 describes the control options of application behavior control.

Table 12-75 Control options of application behavior control (Type of Behavior / Control Option (Action): Description)

• HTTP behavior
  • POST (Permit/Deny): The HTTP POST method is commonly used to send information to the server through web pages, for example when posting on a BBS, submitting a form, or logging in to a system with a user name and password.
  • Web browsing (Permit/Deny): Browsing web pages with a web browser.
  • Internet access using a proxy (Permit/Deny): Accessing specified websites through a proxy server. To control this behavior, the device must be deployed between the intranet and the proxy server.
  • File upload (Permit/Deny)
  • File download (Permit/Deny)
  • Size of the posted content in HTTP POST operations (Alert/Block threshold): If HTTP POST is permitted, you can set an alert threshold a and a block threshold b to limit the size of the posted content.
  • Upload file size (Alert/Block threshold): If file upload is permitted, you can set an alert threshold a and a block threshold b to limit the size of the uploaded file.
  • Download file size (Alert/Block threshold): If file download is permitted, you can set an alert threshold a and a block threshold b to limit the size of the downloaded file. This option controls file download over HTTP only; downloads performed by dedicated download clients such as BT and eMule, even when started from a download page, cannot be controlled.
• FTP behavior
  • File upload (Permit/Deny)
  • File download (Permit/Deny)
  • File deletion (Permit/Deny)
  • Upload file size (Alert/Block threshold): If file upload is permitted, you can set an alert threshold a and a block threshold b to limit the size of the uploaded file.
  • Download file size (Alert/Block threshold): If file download is permitted, you can set an alert threshold a and a block threshold b to limit the size of the downloaded file.

  • When the size of the uploaded or downloaded file, or of the posted content, reaches the alert threshold, the system generates a log to notify the device administrator.
  • When the size of the uploaded or downloaded file, or of the posted content, reaches the block threshold, the system blocks the upload, download, or POST operation and generates a log to notify the device administrator.

When you create security policies, you can combine the application behavior control profile and objects such as the user and schedule to implement differentiated management of users in different schedules.

Mail Filtering

Email filtering checks the IP addresses of mail senders and filters email data to improve the security of the email system for LAN users.

  • Junk email defense
    Figure 12-40 Working mechanism of junk email defense

    The NGFW extracts the source IP address of the SMTP server that sends the SMTP messages and checks it as follows:

    • If the source IP address matches the local whitelist, the SMTP email is considered valid and permitted.
    • If the source IP address matches the local blacklist, the SMTP email is considered junk and blocked.
    • If the source IP address matches neither list, the NGFW queries the third-party real-time blackhole list (RBL) through DNS:
      1. The NGFW reverses the octets of the extracted IP address, appends the RBL service name, and sends the resulting name as a DNS query to its DNS server. For example, if the source IP address of the SMTP server is 1.2.3.4 and the RBL service name is sbl.spamhaus.org, the NGFW queries 4.3.2.1.sbl.spamhaus.org.
      2. The DNS server resolves the name in the ordinary way: it determines the RBL server from the service name and forwards the query to it.
      3. The RBL server answers with an IP address that serves as a reply code, indicating whether the queried address is listed, and the DNS server returns this answer to the NGFW.
      4. The NGFW compares the returned reply code with the locally configured reply code. If they are the same, the SMTP email is considered junk and blocked. If they differ, the SMTP email is considered valid and permitted.
  • Email data filtering
    Figure 12-41 Working mechanism of email data filtering

    After traffic reaches the NGFW, the NGFW identifies the email traffic to be filtered based on matching conditions such as the source security zone, destination security zone, source IP address, and destination IP address. It then analyzes the email content, checks the email addresses and attachment size, identifies illegitimate emails, and discards them.
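The junk email defense steps above (whitelist, blacklist, then the reversed-octet RBL query and reply-code comparison) as a runnable Python model. This is an added example, not Huawei's code; the function names are assumptions, the DNS resolver is passed in as a callable so the flow runs offline against a constructed answer table, and only IPv4 addresses are handled, as in the description. In production the query name would be resolved with a real resolver.

```python
"""RBL lookup flow of junk email defense. Added example, not Huawei code."""
import ipaddress
from typing import Callable, Iterable, Optional


def rbl_query_name(sender_ip: str, rbl_zone: str) -> str:
    """Reverse the octets of the sender address and append the RBL zone:
    1.2.3.4 + sbl.spamhaus.org -> 4.3.2.1.sbl.spamhaus.org"""
    ip = ipaddress.IPv4Address(sender_ip)          # IPv4 only, as in the text
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{rbl_zone}"


def _in_list(ip: ipaddress.IPv4Address, entries: Iterable[str]) -> bool:
    """Entries are single hosts or CIDR prefixes, e.g. 192.0.2.55 or 203.0.113.0/24."""
    return any(ip in ipaddress.IPv4Network(e, strict=False) for e in entries)


def classify_sender(sender_ip: str, whitelist, blacklist, rbl_zone: str,
                    local_reply_code: str,
                    resolve: Callable[[str], Optional[str]]):
    """Return (verdict, reason). Order follows the text: whitelist, then
    blacklist, then the RBL query. resolve() returns the A record for the
    query name, or None when the name does not exist; None is treated as
    'not listed' (an assumption, the text only describes the comparison)."""
    ip = ipaddress.IPv4Address(sender_ip)
    if _in_list(ip, whitelist):
        return "permit", "whitelist"
    if _in_list(ip, blacklist):
        return "block", "blacklist"
    answer = resolve(rbl_query_name(sender_ip, rbl_zone))
    if answer is not None and answer == local_reply_code:
        return "block", "rbl"            # reply code equals the configured one
    return "permit", "rbl-not-listed"    # NXDOMAIN or a different reply code


# Constructed answer table standing in for DNS: 1.2.3.4 is listed with the
# conventional "listed" code 127.0.0.2; 198.51.100.9 returns a different code.
FAKE_DNS = {
    "4.3.2.1.sbl.spamhaus.org": "127.0.0.2",
    "9.100.51.198.sbl.spamhaus.org": "127.0.0.3",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


# Constructed local configuration.
DEFAULT_ARGS = dict(
    whitelist=["203.0.113.0/24"],
    blacklist=["192.0.2.55"],
    rbl_zone="sbl.spamhaus.org",
    local_reply_code="127.0.0.2",
    resolve=fake_resolve,
)

if __name__ == "__main__":
    for ip in ("1.2.3.4", "203.0.113.10", "192.0.2.55", "198.51.100.9", "1.2.3.5"):
        print(ip, classify_sender(ip, **DEFAULT_ARGS))
```

Two practical points follow from the exact comparison in the last step. First, the whitelist is consulted before the RBL, so a whitelisted address is permitted even if it is listed. Second, any answer other than the configured reply code is treated as "not listed": RBL operators publish several reply codes, and for example Spamhaus returns error codes in 127.255.255.0/24 (such as when queried through a public resolver or over quota) rather than a listing, so a misconfigured resolver silently degrades to "permit everything".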

APT Defense

An Advanced Persistent Threat (APT) is an attack pattern in which an attacker persistently targets a specific organization or system.

A typical APT has the following features:

  • Persistence

    The attacker often spends a long time tracing and collecting information about the network operating environment of the target system and exploring vulnerabilities in the trusted systems and applications of the target. The attacker may not break through the defenses of the target within a short time, but may discover vulnerabilities or find an opportunity to attack as time goes by, especially when devices or applications in the defense system are upgraded.

  • Terminal

    The attacker does not attack the target directly. Instead, the attacker first compromises a terminal device related to the target system (such as a smartphone, tablet, or USB device) to steal user accounts and passwords. The terminal device serves as a stepping stone to the target system.

  • Pertinence

    Based on the collected information about the software commonly used by the target, its defense policies and products, and its internal network deployment, the attacker builds a matching test environment to discover vulnerabilities and test whether inspections can be bypassed.

  • Unknown

    Traditional security products defend only against known viruses and vulnerabilities. APT attackers may exploit 0-day vulnerabilities, and such attacks pass through the defense system easily.

  • Concealment

    After gaining access to an important asset, the attacker uses a controlled client to steal information over a legitimately encrypted data channel, so audit systems and anomaly detection systems cannot detect the attack.

These features make APT attacks more advanced, covert, and devastating, and they have become a major network security threat.

Sandbox technology is an effective method of defending against APT attacks. The NGFW employs the Intelligent Awareness Engine (IAE) and the APT defense module to interwork with sandboxes to detect and process network traffic. Figure 12-42 shows the working mechanism of APT defense.

Figure 12-42 Working mechanism of APT defense

With the APT defense function, the NGFW processes network traffic as follows:

  1. The NGFW forwards received traffic that matches the configured security policy to the IAE for content security inspection.

     The IAE identifies the application protocol of the traffic. If the traffic matches the conditions of the APT defense profile, such as the application protocol, the IAE reassembles the original file from the traffic.

  2. The IAE passes the original file to the APT defense module.

     The IAE stores the file in a cache. The APT defense module scans the cache periodically and, when it finds a new file, requests the file from the IAE.

  3. The APT defense module sends the original file to the sandbox.

     Before sending the file, the APT defense module records the MD5 value of the file.

  4. The sandbox runs the received file, matches its behavior against a behavior pattern library to determine whether the file is malicious, and returns the detection result to the APT defense module.
  5. The APT defense module returns the detection result together with the MD5 value to the IAE.

     Based on the MD5 value and the detection result, the IAE determines whether to block subsequent traffic carrying the same file.

     By default, the system blocks the traffic if the sandbox result indicates that the file is malicious; otherwise, the system permits the traffic.
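The verdict handling of the five steps above, as an added Python example (not Huawei's code). The class and function names are assumptions; the sandbox is passed in as a callable, and the constructed stand-in used here simply flags files containing a marker string, where a real sandbox would run the file and match its behavior against a pattern library. MD5 is used because that is the identifier the description uses. The example makes visible the property a practitioner should plan for: the verdict arrives after the first copy of the file has already been forwarded, and it is later transfers of the same file that get blocked.

```python
"""Verdict cache of the APT defense flow. Added example, not Huawei code."""
import hashlib
from collections import OrderedDict


class AptDefense:
    def __init__(self, sandbox, block_on_malicious=True):
        self.sandbox = sandbox              # callable(bytes) -> "malicious" | "benign"
        self.block_on_malicious = block_on_malicious   # default action per the text
        self.verdicts = {}                  # md5 hex -> verdict returned in step 5
        self.cache = OrderedDict()          # md5 hex -> file bytes awaiting the sandbox

    @staticmethod
    def file_id(data: bytes) -> str:
        """Step 3: the MD5 value recorded before the file goes to the sandbox."""
        return hashlib.md5(data).hexdigest()

    def inspect(self, data: bytes) -> str:
        """Inline decision for one reassembled file (steps 1, 2 and 5).
        Returns "permit" or "block"."""
        h = self.file_id(data)
        verdict = self.verdicts.get(h)
        if verdict == "malicious" and self.block_on_malicious:
            return "block"                  # a known-bad file: block this transfer
        if verdict is None and h not in self.cache:
            self.cache[h] = data            # queue it for the periodic sandbox scan
        return "permit"                     # no verdict yet: the file is forwarded

    def run_sandbox_cycle(self) -> int:
        """Periodic scan (steps 2 to 5): submit cached files, store verdicts by MD5.
        Returns the number of files scanned in this cycle."""
        scanned = 0
        while self.cache:
            h, data = self.cache.popitem(last=False)
            self.verdicts[h] = self.sandbox(data)
            scanned += 1
        return scanned


def fake_sandbox(data: bytes) -> str:
    """Constructed stand-in for the sandbox verdict."""
    return "malicious" if b"EVIL-MARKER" in data else "benign"


# Constructed sample files.
BENIGN_FILE = b"%PDF-1.4 quarterly report"
MALICIOUS_FILE = b"MZ... dropper EVIL-MARKER"


def demo():
    """Verdicts for the first transfer of each file, the number of files the
    sandbox cycle scanned, and the verdicts for a second transfer of each file."""
    apt = AptDefense(fake_sandbox)
    first = (apt.inspect(BENIGN_FILE), apt.inspect(MALICIOUS_FILE))
    scanned = apt.run_sandbox_cycle()
    second = (apt.inspect(BENIGN_FILE), apt.inspect(MALICIOUS_FILE))
    return first, scanned, second


if __name__ == "__main__":
    print(demo())   # (('permit', 'permit'), 2, ('permit', 'block'))
```

Because the cache is keyed on the file digest, the verdict only protects against repeat deliveries of byte-identical files; an attacker who varies the payload per recipient gets a fresh "no verdict yet" pass each time, which is why endpoint controls still matter alongside sandboxing. MD5 is also not collision resistant, so a deployment that has the choice should key such a cache on SHA-256 rather than let two differently-behaving files share one identifier.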

Updated: 2019-05-17

Document ID: EDOC1100011877