
Overview of Flow Probe

This section describes the basic concepts and application scenarios of the flow probe function.

The flow probe is a type of information collector that collects network-layer, transport-layer, and application-layer information about network traffic. As shown in Figure 1, on an enterprise campus network, the network administrator can use the flow probe function to collect information about traffic on a node through which traffic must pass (such as the FW device) and send the collected information to the HiSec Insight in metadata format, so as to discover abnormal behaviors in a timely manner and understand the current network usage. The HiSec Insight analyzes and evaluates the information based on Big Data technology and a threat detection model to accurately identify threats and APT attacks on the network. Based on the analysis result of the HiSec Insight, the network administrator can adjust the access control policies of network resources to block possible attacks in a timely manner.

For service traffic matching a flow probe policy, the FW selectively collects network-layer, transport-layer, or application-layer information of the traffic based on the action configured in the flow probe policy. After data collection is complete, the flow probe sends the collected data to the HiSec Insight through UDP or SSL in metadata format.

Figure 1 FW flow probe application scenario

The collected traffic can be unencrypted or encrypted. When collecting information about encrypted traffic, you need to configure the SSL-encrypted traffic detection function to decrypt the SSL-encrypted traffic, which consumes a large number of resources and lowers performance. In addition, decrypting traffic undermines encryption integrity, violates users' privacy, and lowers security. To solve these issues, the Encrypted Communication Analytics (ECA) function is introduced. ECA does not need to decrypt traffic. Instead, it collects SSL protocol negotiation information, packet statistics, and DNS and HTTP protocol information of the traffic, and then sends the information to the HiSec Insight in metadata format. The HiSec Insight analyzes and assesses the information to identify malicious encrypted traffic. ECA consumes fewer resources and delivers higher performance. Because it does not need to decrypt traffic, it ensures encryption integrity, protects user privacy, and guarantees high security.
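To illustrate what "SSL protocol negotiation information" can mean without decryption, the following added Python example (not Huawei's implementation, and not the HiSec Insight metadata format) extracts the offered version, cipher suites, extension types, and SNI from a cleartext TLS ClientHello. The function names, output field names, and the sample record are assumptions made for illustration; the parser assumes a well-formed ClientHello carried in a single TLS record.

```python
import struct

def parse_client_hello(record: bytes) -> dict:
    """Extract negotiation metadata from one cleartext TLS ClientHello record."""
    if len(record) < 5 or record[0] != 22:            # 22 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < rec_len or body[:1] != b"\x01":    # 1 = ClientHello
        raise ValueError("truncated record or not a ClientHello")
    pos = 4                                           # handshake type + 3-byte length
    client_ver = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                     # version + client random
    pos += 1 + body[pos]                              # session ID
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = list(struct.unpack(f"!{cs_len // 2}H", body[pos + 2:pos + 2 + cs_len]))
    pos += 2 + cs_len
    pos += 1 + body[pos]                              # compression methods
    sni, ext_types = None, []
    if pos + 2 <= len(body):
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            ext_types.append(etype)
            if etype == 0 and elen >= 5:              # server_name extension
                nlen = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + nlen].decode("ascii", "replace")
            pos += 4 + elen
    # Field names are assumptions for illustration, not the HiSec Insight schema.
    return {"client_version": f"0x{client_ver:04x}", "cipher_suites": suites,
            "extensions": ext_types, "sni": sni}

def build_sample_client_hello(host: str = "example.test") -> bytes:
    """Constructed sample input (not captured traffic)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    suites = struct.pack("!3H", 0x1301, 0xC02F, 0x009C)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites))
             + suites + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(parse_client_hello(build_sample_client_hello()))
```

Everything the parser reads is sent in the clear before any keys are established, which is why this kind of collection leaves the encrypted payload untouched.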

Copyright © Huawei Technologies Co., Ltd.