
Web Example: Configuring APT Defense With Local Sandbox Inspection Enabled

This section provides an example for configuring APT defense with local sandbox inspection enabled.

Networking Requirements

As shown in Figure 1, the enterprise intranet connects to the Internet through the FW and router and has a local sandbox deployed. The local sandbox has a reachable route to the FW. The FW interworks with the local sandbox to send risky traffic identified by the FW to the local sandbox for detection. The FW periodically obtains detection results from the local sandbox and updates the list of malicious files or URLs in the cache based on the detection results. When subsequent traffic with the same features matches the malicious file or URL list, the specified action, such as block, is performed to protect users on the intranet from APT attacks.

Figure 1 Networking diagram for configuring APT defense with local sandbox inspection enabled

Data Planning

Item: Local sandbox

Data:
  Local sandbox information:
    • Sandbox address: 10.1.2.2
    • Peer device certificate: huawei_ca.cer
    • API-KEY: Admin@1234
  Profile size (maximum size of a file of each type that is sent to the sandbox for inspection):
    • Executable file: 1024 KB
    • Compressed file: 1024 KB
    • Microsoft Office file: 1024 KB
    • PDF file: 1024 KB
    • Image file: 200 KB
    • Web page file: 200 KB
    • Media file: 1024 KB
    • Other files: 200 KB

Item: FW

Data:

  • GE0/0/1: connected to the enterprise intranet; IP address 10.3.0.1/24; added to the Trust zone
  • GE0/0/2: connected to the local sandbox; IP address 10.1.2.1/24; added to the DMZ zone
  • GE0/0/3: connected to the Internet; IP address 1.1.1.1/24; added to the Untrust zone

Configuration Roadmap

  1. Set interface IP addresses and assign the interfaces to security zones.

  2. Configure security policies so that the enterprise intranet users, local sandbox, and FW can properly communicate.

  3. Configure the local sandbox on the FW.
  4. Configure an APT defense profile on the FW.
    • Configure malicious URL detection.

      When this function is enabled, the device matches traffic against cached malicious URLs. If the traffic matches a malicious URL, the device blocks the URL, and the traffic does not need to be sent to the sandbox for inspection. If the traffic does not match a malicious URL, the traffic is sent to the sandbox for inspection.

    • Configure file reputation detection.

      When this function is enabled, the device matches traffic against cached malicious files. If the traffic matches a malicious file, the device performs the specified action, and the traffic does not need to be sent to the sandbox for inspection. If the traffic does not match a malicious file, the traffic is sent to the sandbox for inspection.

    • Configure sandbox inspection.

      Configure the protocol type, transfer direction, and type of files sent to the sandbox for inspection.

  5. Reference the APT defense profile in security policies.
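The decision path in roadmap step 4 (malicious URL cache, then file reputation cache, then sandbox submission, then the periodic pull of verdicts) is modelled below as an added Python example. It is not firewall code or a Huawei API; the cache being keyed by SHA-256, the action name "block", the rule that a file above its max-size is simply not forwarded, and every URL and digest in the sample flows are assumptions or constructed data. The size limits copy the Data Planning table.

```python
"""Added model of the FW's APT-defense decision path from the roadmap above.
Not firewall code: the SHA-256 keyed cache, the action name, the rule that
files above max-size are not forwarded, and all flows are assumptions or
constructed sample data; the size limits copy the Data Planning table."""
from dataclasses import dataclass
from typing import Optional

# Per-type maximum file size in KB, as in Data Planning (file-set max-size).
FILE_SET_MAX_KB = {"EXE": 1024, "GZIP": 1024, "OFFICE": 1024, "PDF": 1024,
                   "PICTURE": 200, "WEB": 200, "MEDIA": 1024, "OTHER": 200}


@dataclass
class AptProfile:
    """Mirrors the three switches of the APT defense profile."""
    malicious_url: bool = True
    file_reputation: bool = True
    file_reputation_action: str = "block"   # assumed name of the configured action
    file_types: frozenset = frozenset({"EXE", "GZIP", "OFFICE", "PDF"})  # types sent to sandbox


@dataclass
class Flow:
    url: str
    file_type: Optional[str] = None     # key of FILE_SET_MAX_KB; None when no file is carried
    file_size_kb: int = 0
    file_sha256: Optional[str] = None   # constructed digests below, not real samples


@dataclass
class Caches:
    malicious_urls: set
    malicious_files: set                # SHA-256 hex digests learned from sandbox verdicts


def decide(flow, profile, caches):
    """Return (action, reason) in the roadmap's order: URL cache, file cache,
    sandbox submission, otherwise permit."""
    if profile.malicious_url and flow.url in caches.malicious_urls:
        return "block", "malicious URL cache hit"
    if flow.file_sha256 is None:
        return "permit", "no file carried"
    if profile.file_reputation and flow.file_sha256 in caches.malicious_files:
        return profile.file_reputation_action, "file reputation cache hit"
    if flow.file_type not in profile.file_types:
        return "permit", f"{flow.file_type} is not a selected file type"
    limit = FILE_SET_MAX_KB.get(flow.file_type, FILE_SET_MAX_KB["OTHER"])
    if flow.file_size_kb > limit:
        # Inspection gap worth knowing about: the file passes uninspected.
        return "permit", f"{flow.file_size_kb} KB exceeds max-size {limit} KB; not submitted"
    return "submit_to_sandbox", "cache miss; forwarded to the local sandbox"


def ingest_results(caches, results):
    """Apply verdicts pulled from the sandbox; returns how many hashes were added."""
    new = {digest for digest, verdict in results if verdict == "malicious"} - caches.malicious_files
    caches.malicious_files |= new
    return len(new)


def demo():
    """Same five constructed flows before and after one round of sandbox results."""
    profile = AptProfile()
    caches = Caches({"http://bad.example/dl"}, {"a" * 64})
    flows = [
        Flow("http://bad.example/dl"),
        Flow("http://cdn.example/report.pdf", "PDF", 300, "a" * 64),
        Flow("http://cdn.example/setup.exe", "EXE", 512, "b" * 64),
        Flow("http://cdn.example/big.exe", "EXE", 4096, "c" * 64),
        Flow("http://cdn.example/logo.png", "PICTURE", 50, "d" * 64),
    ]
    before = [decide(f, profile, caches)[0] for f in flows]
    ingest_results(caches, [("b" * 64, "malicious"), ("c" * 64, "benign")])
    after = [decide(f, profile, caches)[0] for f in flows]
    return before, after


if __name__ == "__main__":
    for label, row in zip(("before", "after"), demo()):
        print(label, row)
```

The two permits in the model are the cases to keep in mind when tuning the profile: a type that is not selected and a file larger than its max-size are never seen by the sandbox, so the limits in Data Planning are also the size of the blind spot, and only traffic on a policy that references the profile is evaluated at all.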

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.
    1. Choose Network > Interface.
    2. Click the edit icon for GE0/0/1 and set the parameters as follows:

      IP address: 10.3.0.1
      Subnet mask: 255.255.255.0
      Security zone: trust

    3. Click OK.
    4. Repeat the preceding steps to configure GE0/0/2.

      IP address: 10.1.2.1
      Subnet mask: 255.255.255.0
      Security zone: dmz

    5. Repeat the preceding steps to configure GE0/0/3.

      IP address: 1.1.1.1
      Subnet mask: 255.255.255.0
      Security zone: untrust

  2. Configure security policies so that the enterprise intranet users, local sandbox, and FW can properly communicate.
    1. Configure a security policy for the FW to transmit files from the Local zone to the security zone where the local sandbox resides.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add Security Policy.
      3. Set the parameters for the security policy as follows.

        Name: policy_to_sandbox
        Source zone: local
        Destination zone: dmz
        Action: Allow

      4. Click OK.

    2. Repeat the preceding steps to configure the security policy for intranet users to access the Internet.

      Name: policy_to_Internet
      Source zone: trust
      Destination zone: untrust
      Action: Allow

  3. Configure the local sandbox.
    1. Choose Object > Security Profiles > APT Defense > Sandbox Collaboration Settings.

    2. Configure the local sandbox with the values from Data Planning: sandbox type FireHunter, address 10.1.2.2, port 5002, peer device certificate huawei_ca.cer, API-KEY Admin@1234, and the per-type maximum file sizes (1024 KB for executable, compressed, Microsoft Office, PDF and media files; 200 KB for image, web page and other files).

    3. Click Apply.
  4. Configure the APT defense profile.
    1. Choose Object > Security Profiles > APT Defense.
    2. Click Add in the APT Defense Profile List page.

    3. Configure the name and description of the APT defense profile (in this example, the name is sandbox_local and the description is AAPT profile of local sandbox, as in the configuration script).

    4. Enable malicious URL detection.

    5. Enable file reputation detection and specify the protocol, traffic direction, and action for malicious file detection. The default settings are used in this example.

    6. Configure sandbox inspection parameters: set the sandbox type to local and select the file types to send for inspection (in this example BAT, CLASS, PE32, SWF, DOC, XLS, PPT and DOCX). The protocol type and transfer direction keep their default values.

    7. Click OK.
  5. Reference the APT defense profile in security policies.
    1. Choose Policy > Security Policy > Security Policy.
    2. In Security Policy List, search for the security policy for the intranet to access the Internet (policy name: policy_to_Internet) and click its edit icon. Choose Modify Security Policy > Content Security > APT Defense and select sandbox_local.

    3. Click OK.
  6. Log in to the local FireHunter (https://10.1.2.2:32229), choose Configuration > Device, and add the FW as an interworking device.

Verification

  1. Choose Object > Security Profiles > APT Defense > Sandbox Collaboration Settings > Local Sandbox. You can find that the status of the connection with the local sandbox is Connection succeeded.

  2. Click Login at the right side of Connection Status. After logging in to the local sandbox, check the files submitted to the local sandbox and detection results.

    You can view the detailed detection information by clicking the proportion chart.

Configuration Scripts

#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
sandbox default
 type FireHunter
 ip 10.1.2.2 port 5002
 server-certificate huaweica.cer
 api-key %^%#f=m6Gr>@I,'B\BIZ)9z%\Kq|Ly&^Y3Ewc#$&#\p1%^%#
 linkage enable
 file-set EXE max-size 1024
 file-set GZIP max-size 1024
 file-set OFFICE max-size 1024
 file-set PDF max-size 1024
 file-set PICTURE max-size 200
 file-set WEB max-size 200
#
profile type aapt name sandbox_local
 description AAPT profile of local sandbox
 file-reputation enable
 malicious-url enable
 file-type BAT CLASS PE32 SWF DOC XLS PPT DOCX
 sandbox-type local
#
security-policy
 rule name policy_to_sandbox
  source-zone local
  destination-zone dmz
  action permit
 rule name policy_to_Internet
  source-zone trust
  destination-zone untrust
  profile aapt sandbox_local
  action permit
#
return
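A consistency check over the script above, as an added Python example that is not a Huawei tool and not part of the original page: it parses only the command forms shown here and verifies the three things that most often break sandbox linkage in practice, namely that the sandbox address maps to a zone covered by a Local-to-zone permit rule, that every security policy referencing an APT profile points at a profile that exists and permits traffic, and that linkage is enabled. It assumes the sandbox is directly connected (the zone is derived from the interface subnet); for a routed sandbox the zone would have to be supplied by hand.

```python
"""Added consistency check for the APT-defense script on this page (not a Huawei tool):
parses only the command forms used here and checks that files can reach the sandbox."""
import ipaddress
# The page's configuration script, trimmed to the commands the checks need.
SAMPLE_SCRIPT = """\
interface GigabitEthernet0/0/1
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
sandbox default
 ip 10.1.2.2 port 5002
 linkage enable
#
profile type aapt name sandbox_local
#
security-policy
 rule name policy_to_sandbox
  source-zone local
  destination-zone dmz
  action permit
 rule name policy_to_Internet
  source-zone trust
  destination-zone untrust
  profile aapt sandbox_local
  action permit
#
"""

def parse_vrp(script):
    """Extract interface subnets, zone membership, sandbox, profiles and rules."""
    cfg = {"interfaces": {}, "zones": {}, "sandbox": {}, "profiles": set(), "rules": []}
    section = name = rule = None
    for raw in script.splitlines():
        t = raw.split()
        if not t or t[0] == "#":                           # block separator
            section = rule = None
        elif t[0] == "interface":
            section, name = "interface", t[1]
        elif t[:2] == ["firewall", "zone"]:
            section, name = "zone", t[2]
            cfg["zones"].setdefault(name, [])
        elif t[0] == "sandbox":
            section = "sandbox"
        elif t[:3] == ["profile", "type", "aapt"]:
            section = None
            cfg["profiles"].add(t[4])
        elif t[0] == "security-policy":
            section = "policy"
        elif section == "interface" and t[:2] == ["ip", "address"]:
            cfg["interfaces"][name] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif section == "zone" and t[:2] == ["add", "interface"]:
            cfg["zones"][name].append(t[2])
        elif section == "sandbox" and t[0] in ("ip", "linkage"):
            cfg["sandbox"][t[0]] = ipaddress.ip_address(t[1]) if t[0] == "ip" else t[1] == "enable"
        elif section == "policy" and t[:2] == ["rule", "name"]:
            rule = {"name": t[2]}
            cfg["rules"].append(rule)
        elif section == "policy" and rule is not None:     # source-zone, action, profile aapt ...
            rule["aapt" if t[:2] == ["profile", "aapt"] else t[0]] = t[-1]
    return cfg

def sandbox_zone(cfg):
    """Zone of the interface whose subnet contains the sandbox address (None if routed)."""
    ip = cfg["sandbox"].get("ip")
    for ifname, net in cfg["interfaces"].items():
        if ip is not None and ip in net:
            return next((z for z, members in cfg["zones"].items() if ifname in members), None)
    return None

def check(cfg):
    """Return findings; an empty list means the script is consistent."""
    findings = []
    if not cfg["sandbox"].get("linkage"):
        findings.append("sandbox linkage is not enabled")
    zone = sandbox_zone(cfg)
    if zone is None:
        findings.append("sandbox address is not in any interface subnet; zone unknown")
    elif not any(r.get("source-zone") == "local" and r.get("destination-zone") == zone
                 and r.get("action") == "permit" for r in cfg["rules"]):
        findings.append(f"no permit rule from local to {zone}: FW cannot submit files to the sandbox")
    for r in [x for x in cfg["rules"] if "aapt" in x]:
        if r["aapt"] not in cfg["profiles"]:
            findings.append(f"rule {r['name']} references undefined APT profile {r['aapt']}")
        if r.get("action") != "permit":
            findings.append(f"rule {r['name']} applies a profile but does not permit traffic")
    return findings

if __name__ == "__main__":
    print(check(parse_vrp(SAMPLE_SCRIPT)) or "script is consistent")
```

Run against the page's script the checker reports nothing; change the destination zone of policy_to_sandbox, misspell the profile name in policy_to_Internet, or remove linkage enable, and the corresponding finding appears. The Local-to-DMZ rule is the one most easily forgotten, because its absence breaks file submission silently while user traffic still flows.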
Copyright © Huawei Technologies Co., Ltd.