
Typical Networking of a DecoySensor

The deployment position of a DecoySensor determines which deception functions are supported and the attack paths that can be defended against.

A DecoySensor can be a firewall or a switch. It can be flexibly combined with existing devices based on user requirements.

This section describes the networking scenarios related to DecoySensor functions. Ensure that the Decoy is reachable from the DecoySensor network.

Networking Scenarios

A DecoySensor needs to be aware of IP address scanning and port scanning. Therefore, it is recommended that the DecoySensor be deployed close to the user servers. To achieve this, when switches are used as DecoySensors, S-series switches are recommended for deployment on the entire network.

If the switches on the network do not support the deception function, you can deploy a software firewall or dedicated deception firewalls to detect scanning.

Table 1 Deception networking scenarios

Networking scenario 1: A firewall is connected to the core switch in bypass mode as a DecoySensor. (Networking diagram not reproduced.)

Advantages:

  • Reuses the firewall in the core switching area as a DecoySensor while retaining its other firewall functions.

  • Deceives inter-zone attacks.

  • Has no requirements on switch models.

Disadvantages:

  • Cannot deceive intra-zone attacks.

Networking scenario 2: A firewall is connected to the access or aggregation switch in bypass mode as a DecoySensor. (Networking diagram not reproduced.)

Advantages:

  • Has low requirements on firewall performance. (Low-end and mid-range hardware firewalls and software firewalls can be used.)

  • Has minimal impact on service traffic on the existing network.

  • Deceives both intra- and inter-zone attacks.

Disadvantages:

  • Requires separate dedicated firewalls.

  • If all IP addresses in the subnet are used, the deception function fails.

Relationship Between the Networking and Deception Functions

To use the deception function for IP address scanning, a DecoySensor needs to have a Layer 3 IP address in the service subnet. To use the deception function for SYN packet scanning, both the scanning packets and the response packets need to pass through the same DecoySensor. Therefore, the networking is closely related to the deception functions.
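As an added illustration, not Huawei's code or algorithm, of why the sensor position matters: a constructed scan tracker classifies each SYN it sees against a constructed host inventory, and when it models the core-switch bypass deployment it never sees traffic that stays inside one zone, so it cannot raise a deception for it. The host addresses, the thresholds and the /24-as-zone approximation are assumptions for this example.

```python
from collections import defaultdict

# Constructed inventory of the protected service subnet (assumption, not from the page):
# live host -> set of listening ports. Any other address in the subnet is nonexistent.
LIVE_HOSTS = {"10.1.1.10": {22, 443}, "10.1.1.11": {80}}
SCAN_THRESHOLD = 3  # distinct targets from one source before it counts as a scan (constructed)

def zone_of(ip):
    """Approximate the security zone by the /24 prefix (assumption for this example)."""
    return ip.rsplit(".", 1)[0]

def classify_probe(dst, port):
    """Deception trigger a single SYN would raise on the sensor, or None for normal traffic."""
    if dst not in LIVE_HOSTS:
        # ARP never resolves; only a sensor with a Layer 3 address in the subnet can answer instead.
        return "nonexistent-ip"
    if port not in LIVE_HOSTS[dst]:
        # SYN to a closed port; faking the handshake needs both directions through the same sensor.
        return "unopened-port"
    return None

def analyze(flows, sees_intra_zone):
    """flows: (src, dst, dport) SYN records. sees_intra_zone=False models a firewall in bypass
    mode at the core switch (only inter-zone traffic passes it); True models bypass mode at the
    access or aggregation switch. Returns {src: set of verdicts}."""
    dst_ips, dst_ports, verdicts = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, port in flows:
        if not sees_intra_zone and zone_of(src) == zone_of(dst):
            continue  # never crosses the core, so the sensor cannot see or deceive it
        trigger = classify_probe(dst, port)
        if trigger:
            verdicts[src].add(trigger)
        dst_ips[src].add(dst)
        dst_ports[src].add((dst, port))
        if len(dst_ips[src]) >= SCAN_THRESHOLD:
            verdicts[src].add("ip-scan")
        if sum(1 for d, _ in dst_ports[src] if d == dst) >= SCAN_THRESHOLD:
            verdicts[src].add("port-scan")
    return dict(verdicts)

# Constructed sample: an inter-zone IP sweep, an intra-zone port sweep and one normal connection.
SAMPLE_FLOWS = [
    ("10.1.2.50", "10.1.1.10", 22), ("10.1.2.50", "10.1.1.11", 22),
    ("10.1.2.50", "10.1.1.12", 22), ("10.1.2.50", "10.1.1.13", 22),
    ("10.1.1.99", "10.1.1.10", 21), ("10.1.1.99", "10.1.1.10", 22),
    ("10.1.1.99", "10.1.1.10", 23), ("10.1.1.99", "10.1.1.10", 25),
    ("10.1.2.7", "10.1.1.10", 443),
]
```

Running analyze(SAMPLE_FLOWS, False) reports only the inter-zone source, while analyze(SAMPLE_FLOWS, True) also reports the intra-zone port sweep, matching the Table 1 difference between the two positions.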

Table 2 Deception functions supported in various networking modes

| Deception Function | A firewall is connected to the core switch in bypass mode as a DecoySensor | A firewall is connected to the access or aggregation switch in bypass mode as a DecoySensor |
|---|---|---|
| Deception against attacks targeting specific static IP addresses | Applicable | Applicable |
| Deception against attacks targeting specific static ports | Applicable | Not applicable |
| Deception against attacks targeting nonexistent IP addresses | Not applicable | Applicable |
| Deception against attacks targeting unopened ports | Applicable | Not applicable |
| Route-Miss deception | Applicable | Not applicable |
| ARP-Miss deception | Not applicable | Not applicable |
| Security-policy-deny deception | Applicable | Not applicable |
| Deception against unknown domain name attacks | Applicable | Not applicable |
| ACI deception | Applicable | Not applicable |

Copyright © Huawei Technologies Co., Ltd.