
Application Scenario for APT Defense

This section describes the typical application scenarios of APT defense.

APT Defense Through the Interworking Between the FW and a Local Sandbox

As shown in Figure 1, the FW serves as the security gateway of the enterprise intranet. The FW identifies the traffic that requires sandbox inspection and sends it to the local sandbox deployed on the intranet for detection. The FW periodically reads detection results from the local sandbox and updates its cached malicious URL and malicious file entries accordingly. If subsequent traffic matches a cached malicious file or malicious URL entry, the configured block or alert action is performed.

Figure 1 FW interworking with the local sandbox

The FireHunter serves as the local sandbox and detects files on the enterprise network, so files never need to be transmitted to the extranet. This keeps file contents confidential. In addition, the FireHunter serves only this enterprise and therefore delivers good performance. However, the detection capability of the local sandbox is updated relatively slowly and is therefore limited. The local sandbox service also requires the purchase of a FireHunter device, which is costly and not suitable for small and medium-sized enterprises.

APT Defense Through the Interworking Between the FW and a Cloud Sandbox

The cloud sandbox addresses these limitations. It updates threat information in real time, delivering better detection capability and better protection for the enterprise network. In addition, the cloud sandbox service requires only a cloud sandbox license, not a physical sandbox device, which reduces the investment.

As shown in Figure 2, the FW serves as the security gateway of the enterprise network. It inspects traffic from the Internet to the enterprise intranet, identifies the traffic that requires sandbox inspection, and sends it to the cloud sandbox for detection. The FW periodically reads detection results from the cloud sandbox and updates its cached malicious URL and malicious file entries accordingly. If subsequent traffic matches a cached malicious file or malicious URL entry, the configured block or alert action is performed.

Figure 2 FW interworking with the cloud sandbox

The biggest difference between the local and cloud sandboxes lies in the deployment location. The user can deploy a local sandbox, a cloud sandbox, or both. If both are deployed, they operate independently of each other. In either case, when an attacker launches an APT attack against the enterprise network, the FW identifies and extracts from network traffic the files that need sandbox detection, sends them to the local sandbox, the cloud sandbox, or both according to the configuration, and obtains the detection results from whichever sandbox was used.
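The FW-side workflow described for both the local sandbox (Figure 1) and the cloud sandbox (Figure 2) is the same loop: extract a file, submit it, periodically pull verdicts into a malicious file and malicious URL cache, and apply the configured block or alert action to later traffic that hits the cache. The simulation below is an added example and is not Huawei FW or FireHunter code; the class names (Sandbox, Firewall), the SHA-256 file key, the policy of treating any malicious verdict from any configured sandbox as a cache hit, and the sample payloads are all assumptions constructed for illustration. What it makes visible is the point implied by "subsequent traffic": the first transfer of a file is permitted while its verdict is pending, and only later matches are blocked or alerted.

```python
"""Simulation of FW / sandbox interworking (added example, not Huawei code)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    PENDING = "pending"
    CLEAN = "clean"
    MALICIOUS = "malicious"


class Action(Enum):
    PERMIT = "permit"
    ALERT = "alert"
    BLOCK = "block"


def sha256(data: bytes) -> str:
    """File key used for the malicious file cache (assumed hashing scheme)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Sandbox:
    """Stand-in for a local or cloud sandbox: accepts submissions, reports verdicts."""
    name: str
    _queue: dict = field(default_factory=dict)  # sha256 -> Verdict

    def submit(self, file_hash: str) -> None:
        self._queue.setdefault(file_hash, Verdict.PENDING)

    def finish(self, file_hash: str, verdict: Verdict) -> None:
        """Constructed hook that stands in for detection completing."""
        self._queue[file_hash] = verdict

    def results(self) -> dict:
        """Only completed verdicts, as returned to a polling FW."""
        return {h: v for h, v in self._queue.items() if v is not Verdict.PENDING}


@dataclass
class Firewall:
    sandboxes: list                      # local, cloud, or both; independent of each other
    action: Action = Action.BLOCK        # configured action for cache hits
    malicious_files: set = field(default_factory=set)
    malicious_urls: set = field(default_factory=set)
    sources: dict = field(default_factory=dict)  # sha256 -> set of URLs that delivered it

    def inspect_file(self, url: str, content: bytes) -> Action:
        """Per-file decision: cache hit -> configured action, else submit and permit."""
        file_hash = sha256(content)
        if file_hash in self.malicious_files or url in self.malicious_urls:
            return self.action
        if file_hash not in self.sources:
            for sandbox in self.sandboxes:
                sandbox.submit(file_hash)
        self.sources.setdefault(file_hash, set()).add(url)
        return Action.PERMIT  # verdict still pending: first sighting is not blocked

    def refresh_cache(self) -> int:
        """Periodic pull of verdicts; returns number of newly cached malicious files."""
        added = 0
        for sandbox in self.sandboxes:
            for file_hash, verdict in sandbox.results().items():
                # Assumption: a malicious verdict from any one sandbox is enough.
                if verdict is Verdict.MALICIOUS and file_hash not in self.malicious_files:
                    self.malicious_files.add(file_hash)
                    self.malicious_urls.update(self.sources.get(file_hash, ()))
                    added += 1
        return added


def scenario(action: Action = Action.BLOCK) -> list:
    """Walk one file through the loop; returns the FW action at each step."""
    local, cloud = Sandbox("local"), Sandbox("cloud")
    fw = Firewall(sandboxes=[local, cloud], action=action)
    payload = b"MZ\x90\x00 constructed sample, not real malware"
    steps = []
    # 1. First sighting: no verdict yet, file is forwarded and traffic is permitted.
    steps.append(fw.inspect_file("http://dl.example.test/setup.exe", payload))
    # 2. Local sandbox finishes; cloud is still pending. The next FW poll caches it.
    local.finish(sha256(payload), Verdict.MALICIOUS)
    fw.refresh_cache()
    # 3. Same file from a different URL: malicious file entry matches.
    steps.append(fw.inspect_file("http://mirror.example.test/x.bin", payload))
    # 4. Different content from the known-bad URL: malicious URL entry matches.
    steps.append(fw.inspect_file("http://dl.example.test/setup.exe", b"other content"))
    # 5. Unrelated file with no verdict: forwarded and permitted.
    steps.append(fw.inspect_file("http://docs.example.test/a.pdf", b"%PDF-1.4 constructed"))
    return steps


if __name__ == "__main__":
    for step, act in enumerate(scenario(), 1):
        print(step, act.value)
```

Switching the configured action to Action.ALERT changes steps 3 and 4 from block to alert while leaving the permit decisions untouched, which is the only difference between the two FW actions described on this page.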

Copyright © Huawei Technologies Co., Ltd.