Configuration Guide - Network Management and Monitoring

S2720, S5700, and S6720 V200R013C00

This document describes the configurations of Network Management and Monitoring, including SNMP, RMON, RMON2, LLDP, Performance Management, iPCA, NQA, Service Diagnosis, Mirroring, Packet Capture, NetStream, sFlow, TWAMP Light, NETCONF, ECA, Intelligent Video O&M, eMDI, and Network Deception.
Understanding Network Deception Technology

System Components

A deception system is mainly composed of DecoySensors, a Decoy, and baits:
  • DecoySensors are responsible for scanning behavior detection, deception, and traffic diversion.
  • The Decoy performs in-depth interaction and behavior analysis to further detect attacks.
  • Baits provide auxiliary deception measures on servers.

Table 17-1 describes these components in detail.

Table 17-1  Components in a deception system
Name Function Deployment
DecoySensor

Function:
  • Detects scanning of IP addresses and TCP ports
    • In non-strict mode, if a DecoySensor detects that the frequency of scans initiated by an IP address exceeds the specified threshold and the scanned destination IP address is not online or the TCP port is not open, the DecoySensor starts network layer deception and proactively responds to the hacker's scanning request. The hacker then wrongly concludes that the scanned destination IP address is online or the TCP port is open, and continues to the next phase of the attack.
    • In strict mode, a DecoySensor performs network layer deception as soon as it detects that the scanned destination IP address is not online or the TCP port is not open, without checking the scanning frequency.
  • Supports detected network segments

    After such a network segment is configured, the DecoySensor detects scanning behavior only in this network segment.

  • Supports bait network segments

    You can add some idle IP addresses to the blacklist. Once hackers scan these IP addresses or their TCP ports, they will be lured to a Decoy.

  • Supports the deception whitelist function

    • You can add the IP addresses of devices that proactively detect the network (such as the NMS) to the source IP address whitelist to prevent DecoySensors from incorrectly treating them as attackers.
    • You can add the IP addresses of devices that do not respond to ARP requests and port connection requests (such as traditional printers) to the destination IP address whitelist to prevent normal traffic sent to these devices from being lured.

Deployment:

A DecoySensor can run on a switch, hardware firewall, or software firewall. For details about the firewall models that can act as DecoySensors, see the firewall product documentation.

The DecoySensor deployment requirements vary according to the scanning behavior:

  • IP address scanning: The DecoySensor must have at least one VLANIF interface, for which the primary IP address must be on the network segment to be detected.

  • TCP port scanning: The scanning packets and reply packets must pass through the DecoySensor.

Decoy

Function:
  • Provides the HTTP, SSH, Server Message Block (SMB), and Remote Desktop Protocol (RDP) services for in-depth interaction with hackers, analyzes behavior of the hackers, and identifies attack tools.
  • Sends the interaction logs and the scanning logs provided by DecoySensors to the Cybersecurity Intelligence System (CIS) for further analysis.
  • Provides bait file download.
  • Simulates web pages in a subnet to provide a more interactive experience.

Deployment:

You can deploy the Decoy as software on a CIS flow probe. In this scenario, the Decoy is a component of the CIS server.

Bait

Function:
  • After the bait deployment script is executed on a server, bait files are automatically deployed in multiple sensitive locations on the server.
  • After a bait file on a device is opened, the device immediately sends a log to the Decoy.
  • A bait file also contains information for accessing the Decoy, which induces hackers to access the Decoy directly.

Deployment:

You can access the Decoy from a server where bait files need to be deployed, download the bait package, and run the script to automatically deploy the bait files.
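
The DecoySensor decision rules from Table 17-1 (non-strict and strict mode, bait addresses, whitelists, detected network segments) as a small Python model. This is an added example, not Huawei code or device configuration; the class and function names, the sliding-window reading of the frequency threshold, the order of the checks, and all addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class DecoySensorModel:
    detected: list                 # detected network segments (CIDR strings)
    live: dict                     # online host -> set of open TCP ports
    bait_ips: set = field(default_factory=set)       # idle addresses used as bait
    src_whitelist: set = field(default_factory=set)  # e.g. the NMS
    dst_whitelist: set = field(default_factory=set)  # e.g. silent printers
    strict: bool = False
    threshold: int = 3             # assumed unit: unanswered probes per window
    window: float = 10.0           # assumed sliding window, in seconds
    seen: dict = field(default_factory=lambda: defaultdict(deque))

    def decide(self, ts, src, dst, port=None):
        """Return 'deceive' or 'pass' for one probe (port=None: IP scan)."""
        if src in self.src_whitelist or dst in self.dst_whitelist:
            return "pass"
        if dst in self.bait_ips:                      # bait: always lured
            return "deceive"
        if not any(ip_address(dst) in ip_network(n) for n in self.detected):
            return "pass"                             # outside detected segments
        ports = self.live.get(dst)
        if ports is not None and (port is None or port in ports):
            return "pass"                             # real host/port answers
        if self.strict:                               # no frequency check
            return "deceive"
        q = self.seen[src]                            # unanswered probes by src
        q.append(ts)
        while ts - q[0] > self.window:                # drop probes outside window
            q.popleft()
        return "deceive" if len(q) > self.threshold else "pass"

def demo(strict):
    """Run constructed probes against a constructed 10.1.1.0/24 segment."""
    s = DecoySensorModel(detected=["10.1.1.0/24"], live={"10.1.1.10": {22, 443}},
                         bait_ips={"10.1.1.200"}, src_whitelist={"10.1.1.5"},
                         dst_whitelist={"10.1.1.50"}, strict=strict)
    probes = [(0, "10.1.1.5", "10.1.1.77", 80),     # NMS sweep (source whitelist)
              (0, "10.1.1.66", "10.1.1.50", 9100),  # printer (destination whitelist)
              (0, "10.1.1.66", "10.1.1.10", 443),   # open port on an online host
              (1, "10.1.1.66", "10.1.1.200", 22),   # bait address
              (1, "10.1.1.66", "10.1.1.101", 445),  # offline host, 1st miss
              (2, "10.1.1.66", "10.1.1.102", 445),  # offline host, 2nd miss
              (3, "10.1.1.66", "10.1.1.103", 445),  # offline host, 3rd miss
              (4, "10.1.1.66", "10.1.1.10", 8080)]  # closed port, 4th miss
    return [s.decide(*p) for p in probes]

if __name__ == "__main__":
    print(demo(strict=False)); print(demo(strict=True))
```

In non-strict mode only the bait probe and the fourth unanswered probe are deceived; in strict mode every probe to an offline address or closed port is deceived immediately, which is why the whitelists matter more there.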

Deception Process

Figure 17-2  Deception process
  1. A hacker scans an IP address or TCP port. After detecting the scanning behavior, a DecoySensor sends a scanning log to the Decoy and lures suspicious traffic to the Decoy (CIS) for attack detection.
  2. The Decoy performs in-depth interaction with the hacker and records the various application layer attack methods the hacker uses.
  3. The CIS analyzes the log reported by the DecoySensor and the traffic sent from the hacker. If the log and traffic match a pre-configured rule in the CIS, the CIS determines that the suspicious traffic is an attack, generates an alarm, and provides handling suggestions. After the administrator confirms the alarm, the CIS delivers a policy to the Agile Controller-Campus.
  4. Based on the received policy, the Agile Controller-Campus delivers the associated commands to the DecoySensor to disconnect the attack source, protecting the service network.

Deception Details

Updated: 2019-04-20

Document ID: EDOC1100065680
