Web Example: Configuring APT Defense With Cloud Sandbox Inspection Enabled

This section provides an example for configuring APT defense with cloud sandbox inspection enabled.

Networking Requirements

As shown in Figure 1, the enterprise intranet is connected to the Internet through a FW and a router, and a cloud sandbox is deployed. The FW interworks with the cloud sandbox to send risky traffic identified by the FW to the cloud sandbox for detection. The FW periodically obtains detection results from the cloud sandbox and updates the list of malicious files or URLs in the cache based on the detection results. When subsequent traffic with the same features matches the malicious file or URL list, the specified action, such as block, is performed to protect users on the intranet from APT attacks.

Figure 1 Networking diagram for configuring APT defense with cloud sandbox inspection enabled

Data Planning

Item	Data	Description
Cloud sandbox	Cloud sandbox information: Cloud account: huawei Maximum sizes of files to be detected: Executable file: 1024 KB Compressed file: 1024 KB Microsoft Office file: 1024 KB PDF file: 1024 KB	Sandbox Deployment Region indicates the region to which the cloud sandbox service is deployed. The value is determined by the country set for the device in the global configuration or a manually set deployment region. In this example, the device is in China. Cloud Account is requested on isecurity.huawei.com.
FW	GE0/0/1: connected to the enterprise network; IP address 10.3.0.1/24; added to the Trust zone GE0/0/2: connected to the Internet; IP address 1.1.2.1/24; added to the Untrust zone GE0/0/3: connected to the Internet; IP address 1.1.1.1/24; added to the Untrust zone	-

Configuration Roadmap

Obtain and activate the license of the cloud sandbox and load the cloud sandbox component.
Set interface IP addresses and assign the interfaces to security zones.
Configure the DNS server and ensure that the FW can correctly resolve domain name sec.huawei.com.
Configure security policies so that the enterprise intranet users, cloud sandbox, and FW can properly communicate.
Configure the cloud sandbox on the FW.
Configure an APT defense profile on the FW.
- Configure malicious URL detection.
  
  When this function is enabled, the device matches traffic against cached malicious URLs. If the traffic matches a malicious URL, the device blocks the URL, and the traffic does not need to be sent to the sandbox for inspection. If the traffic does not match a malicious URL, the traffic is sent to the sandbox for inspection.
- Configure file reputation detection.
  
  When this function is enabled, the device matches traffic against cached malicious files. If the traffic matches a malicious file, the device performs the specified action, and the traffic does not need to be sent to the sandbox for inspection. If the traffic does not match a malicious file, the traffic is sent to the sandbox for inspection.
- Configure sandbox inspection.
  
  Configure the protocol type, transfer direction, and type of files sent to the sandbox for inspection.
Reference the APT defense profile in security policies.

Procedure

Obtain and activate the license of the cloud sandbox. For details, see License Management.
Load the cloud sandbox component. For details, see System Upgrade.
Apply for cloud account huawei on isecurity.huawei.com. For details, see Huawei Cloud Sandbox Guide.
Set interface IP addresses and assign the interfaces to security zones.
1. Choose Network > Interface.
2. Click of GE0/0/1 and set the parameters as follows:
  
  IP address
  
  10.3.0.1
  
  Subnet mask
  
  255.255.255.0
  
  Security zone
  
  trust
3. Click OK.
4. Repeat the preceding steps to configure GE0/0/2.
  
  IP address
  
  1.1.2.1
  
  Subnet mask
  
  255.255.255.0
  
  Security zone
  
  untrust
5. Repeat the preceding steps to configure GE0/0/3.
  
  IP address
  
  1.1.1.1
  
  Subnet mask
  
  255.255.255.0
  
  Security zone
  
  untrust
Configure the DNS server and ensure that the FW can correctly resolve domain name sec.huawei.com.
1. Choose Network > DNS > DNS.
2. In DNS Server List, click Add.
3. Configure the DNS server as follows:
  
  DNS server address
  
  10.2.0.70
4. Click OK.
Configure security policies so that the enterprise intranet users, cloud sandbox, and FW can properly communicate.
1. Configure a security policy for allowing the FW to transmit files from the Local zone to the Untrust zone where the cloud sandbox resides.
  1. Choose Policy > Security Policy > Security Policy.
  2. Click Add Security Policy.
  3. Set the parameters for the security policy as listed in the following table.
    Name
    
    policy_to_sandbox
    
    Source zone
    
    local
    
    Destination zone
    
    untrust
    
    Action
    
    Allow
  4. Click OK.
2. Repeat the preceding steps to configure the security policy for the Internet to access the intranet.
  
  Name
  
  policy_to_Enterprise
  
  Source zone
  
  untrust
  
  Destination zone
  
  trust
  
  Action
  
  Allow
Set the country in which the device resides.
1. Choose Object > Security Profiles > Global Configuration.
2. Set the country in which the device resides.
Configure the cloud sandbox.
1. Choose Object > Security Profiles > APT Defense > Sandbox Collaboration Settings.
2. Configure the cloud sandbox based on the following parameters:
3. Click Apply.
Configure the APT defense profile.
1. Choose Object > Security Profiles > APT Defense.
2. Click Add in the APT Defense Profile List page.
3. Configure the name and description of the APT defense profile.
4. Enable malicious URL detection.
5. Enable file reputation detection and specify the protocol, traffic direction, and action for malicious file detection. The default settings are used in this example.
6. Configure sandbox inspection parameters.
7. Click OK.
Reference the content security profile in security policies.
1. Choose Policy > Security Policy > Security Policy.
2. In Security Policy List, search for the security policy for the Internet to access the intranet (policy name: policy_to_Enterprise) and click . Choose Modify Security Policy > Content Security > APT Defense and select sandbox_cloud.
3. Click OK.

IP address	10.3.0.1
Subnet mask	255.255.255.0
Security zone	trust

IP address	1.1.2.1
Subnet mask	255.255.255.0
Security zone	untrust

IP address	1.1.1.1
Subnet mask	255.255.255.0
Security zone	untrust

DNS server address	10.2.0.70

Name	policy_to_sandbox
Source zone	local
Destination zone	untrust
Action	Allow

Name	policy_to_Enterprise
Source zone	untrust
Destination zone	trust
Action	Allow

Verification

Check the interworking between the FW and cloud sandbox as follows:

Choose Object > Security Profiles > APT Defense > Sandbox Collaboration Settings > Cloud Sandbox. The connection status is Connection succeeded.
Log in to isecurity.huawei.com with cloud account huawei and check the detection results of the files sent by the FW to the cloud sandbox.

Configuration Scripts

#                                                                               
 dns resolve                                                                    
 dns server 10.2.0.70                                                           
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/3
#
country CN
#
profile type aapt name sandbox_cloud
 description AAPT profile of cloud sandbox
 file-reputation enable
 malicious-url enable
 file-type BAT CLASS PE32 SWF
 sandbox-type cloud
#
sandbox cloud
 linkage enable
 cloud account-name huawei
 file-set EXE max-size 1024
 file-set GZIP max-size 1024
 file-set OFFICE max-size 1024
 file-set PDF max-size 1024
#
security-policy
 rule name policy_to_sandbox
  source-zone local
  destination-zone untrust
  action permit
 rule name policy_to_Enterprise
  source-zone untrust
  destination-zone trust
  profile aapt sandbox_cloud
  action permit
#
return