
CLI Example: Configuring APT Defense With Local Sandbox Inspection Enabled

This section provides an example for configuring APT defense with local sandbox inspection enabled.

Networking Requirements

As shown in Figure 1, the enterprise intranet connects to the Internet through the FW and router and has a local sandbox deployed. The local sandbox has a reachable route to the FW. The FW interworks with the local sandbox to send risky traffic identified by the FW to the local sandbox for detection. The FW periodically obtains detection results from the local sandbox and updates the list of malicious files or URLs in the cache based on the detection results. When subsequent traffic with the same features matches the malicious file or URL list, the specified action, such as block, is performed to protect users on the intranet from APT attacks.

Figure 1 Networking diagram for configuring APT defense with local sandbox inspection enabled

Data Planning

Item

Data

Local sandbox

Local sandbox information:
  • Sandbox address: 10.1.2.2
  • Protocol: HTTPS
  • Peer device certificate: huaweica.cer
  • API-KEY: Admin@1234
Profile size:
  • Executable file: 1024 KB
  • Compressed file: 1024 KB
  • Microsoft Office file: 1024 KB
  • PDF file: 1024 KB
  • Picture file: 200 KB
  • Web page file: 200 KB

FW

  • GE0/0/1: connected to the enterprise network; IP address 10.3.0.1/24; added to the Trust zone.
  • GE0/0/2: connected to the local sandbox; IP address 10.1.2.1/24; added to the DMZ zone.
  • GE0/0/3: connected to the Internet; IP address 1.1.1.1/24; added to the Untrust zone.

Configuration Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.

  2. Configure security policies so that the enterprise intranet users, local sandbox, and FW can properly communicate.

  3. Configure the local sandbox on the FW.
  4. Configure an APT defense profile on the FW.
    • Configure malicious URL detection.

      When this function is enabled, the device matches traffic against cached malicious URLs. If the traffic matches a malicious URL, the device blocks the URL, and the traffic does not need to be sent to the sandbox for inspection. If the traffic does not match a malicious URL, the traffic is sent to the sandbox for inspection.

    • Configure file reputation detection.

      When this function is enabled, the device matches traffic against cached malicious files. If the traffic matches a malicious file, the device performs the specified action, and the traffic does not need to be sent to the sandbox for inspection. If the traffic does not match a malicious file, the traffic is sent to the sandbox for inspection.

    • Configure sandbox inspection.

      Configure the protocol type, transfer direction, and type of files sent to the sandbox for inspection.

  5. Reference the APT defense profile in security policies.
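The three checks in step 4 are applied in order: a cached malicious URL is blocked outright, a cached malicious file hash gets the configured file-reputation action, and only what survives both checks (and is a profile-listed file type within the sandbox file-set size cap) is submitted to the local sandbox, whose verdicts later refill the caches. The following Python model of that decision flow is an added illustration, not Huawei's code: the caps and file-type list are the ones from the data plan, while the mapping of detected types onto file-set categories, the "block" file-reputation action, and the handling of oversize or unlisted files (forwarded without submission) are assumptions the page does not state.

```python
"""Model of the FW's APT-defense decision flow (added illustration, not Huawei's
code). Check order: malicious-URL cache -> malicious-file hash cache -> sandbox
submission gate (profile file-type list + sandbox file-set max-size)."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set

# Caps from the data plan (sandbox file-set max-size), in KB.
FILE_SET_MAX_KB = {"EXE": 1024, "GZIP": 1024, "OFFICE": 1024,
                   "PDF": 1024, "PICTURE": 200, "WEB": 200}
# Types the profile submits (profile 'file-type' command).
PROFILE_FILE_TYPES = {"BAT", "CLASS", "PE32", "MSI", "HLP", "HTML", "JAR", "DOC"}
# ASSUMPTION: how a detected type maps onto a file-set category; the page
# gives no such mapping, so this table is illustrative only.
CATEGORY_OF = {"PE32": "EXE", "MSI": "EXE", "BAT": "EXE", "HLP": "EXE",
               "CLASS": "EXE", "JAR": "GZIP", "HTML": "WEB", "DOC": "OFFICE"}


@dataclass
class Caches:
    """The FW's cached verdicts, refreshed from the sandbox periodically."""
    malicious_urls: Set[str] = field(default_factory=set)
    malicious_hashes: Set[str] = field(default_factory=set)  # MD5 hex, as in display output


@dataclass
class Flow:
    """A constructed flow: the requested URL plus the detected file, if any."""
    url: str
    file_type: Optional[str] = None
    content: bytes = b""


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def decide(flow: Flow, caches: Caches, file_action: str = "block") -> str:
    """Return what the FW does with a flow: 'block-url', '<file_action>-file',
    'submit' (sent to the local sandbox) or 'pass' (forwarded unscanned)."""
    # 1. malicious-url enable: a cached URL hit is blocked, no sandbox round-trip.
    if flow.url in caches.malicious_urls:
        return "block-url"
    if flow.file_type is None:
        return "pass"
    # 2. file-reputation enable: a cached hash hit gets the configured action
    #    (ASSUMPTION: 'block' stands in for the profile's default here).
    if md5(flow.content) in caches.malicious_hashes:
        return f"{file_action}-file"
    # 3. sandbox-type local: submit only profile-listed types within the cap
    #    (ASSUMPTION: unlisted or oversize files are forwarded without inspection).
    if flow.file_type not in PROFILE_FILE_TYPES:
        return "pass"
    cap_kb = FILE_SET_MAX_KB[CATEGORY_OF[flow.file_type]]
    if len(flow.content) > cap_kb * 1024:
        return "pass"
    return "submit"


def apply_verdict(caches: Caches, flow: Flow, verdict: str) -> None:
    """Simulate the FW pulling a sandbox result into its caches: a malicious
    verdict poisons both the file hash and the URL it came from."""
    if verdict == "malicious":
        caches.malicious_hashes.add(md5(flow.content))
        caches.malicious_urls.add(flow.url)


if __name__ == "__main__":
    c = Caches()
    dl = Flow("http://dl.example.test/a.exe", "PE32", b"MZ" + b"\x00" * 10000)
    print(decide(dl, c))            # submit: first sighting goes to the sandbox
    apply_verdict(c, dl, "malicious")
    print(decide(dl, c))            # block-url: URL is now in the cache
```

Note what the ordering implies for operations: once a URL is cached as malicious, re-downloads from it are blocked before the hash is even computed, and a large enough file of a listed type never reaches the sandbox, so the file-set caps bound both sandbox load and coverage.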

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.
    1. Set the IP address of interface GigabitEthernet0/0/1 and add it to the Trust zone.

      <sysname> system-view
      [sysname] interface GigabitEthernet0/0/1
      [sysname-GigabitEthernet0/0/1] ip address 10.3.0.1 24
      [sysname-GigabitEthernet0/0/1] quit
      [sysname] firewall zone trust
      [sysname-zone-trust] add interface GigabitEthernet 0/0/1
      [sysname-zone-trust] quit

    2. Set the IP address of interface GigabitEthernet0/0/2 and add it to the DMZ zone.

      [sysname] interface GigabitEthernet0/0/2
      [sysname-GigabitEthernet0/0/2] ip address 10.1.2.1 24
      [sysname-GigabitEthernet0/0/2] quit
      [sysname] firewall zone dmz
      [sysname-zone-dmz] add interface GigabitEthernet0/0/2
      [sysname-zone-dmz] quit

    3. Set the IP address of interface GigabitEthernet0/0/3 and add it to the Untrust zone.

      [sysname] interface GigabitEthernet0/0/3
      [sysname-GigabitEthernet0/0/3] ip address 1.1.1.1 24
      [sysname-GigabitEthernet0/0/3] quit
      [sysname] firewall zone untrust
      [sysname-zone-untrust] add interface GigabitEthernet0/0/3
      [sysname-zone-untrust] quit

  2. Configure security policies so that the enterprise intranet users, local sandbox, and FW can properly communicate.

    # Configure a security policy in the direction from the FW (Local zone) to the local sandbox, so that the FW can submit files and fetch results.

    [sysname] security-policy
    [sysname-policy-security] rule name policy_to_sandbox
    [sysname-policy-security-rule-policy_to_sandbox] source-zone local
    [sysname-policy-security-rule-policy_to_sandbox] destination-zone dmz
    [sysname-policy-security-rule-policy_to_sandbox] action permit
    [sysname-policy-security-rule-policy_to_sandbox] quit

    # Configure a security policy in the direction from intranet users to the Internet.

    [sysname-policy-security] rule name policy_to_Internet
    [sysname-policy-security-rule-policy_to_Internet] source-zone trust
    [sysname-policy-security-rule-policy_to_Internet] destination-zone untrust
    [sysname-policy-security-rule-policy_to_Internet] action permit
    [sysname-policy-security-rule-policy_to_Internet] quit
    [sysname-policy-security] quit

  3. Configure the local sandbox.

    [sysname] sandbox default
    [sysname-sandbox-default] ip 10.1.2.2
    [sysname-sandbox-default] server-certificate huaweica.cer
    [sysname-sandbox-default] api-key Admin@1234
    [sysname-sandbox-default] file-set exe max-size 1024
    [sysname-sandbox-default] file-set gzip max-size 1024
    [sysname-sandbox-default] file-set office max-size 1024
    [sysname-sandbox-default] file-set pdf max-size 1024
    [sysname-sandbox-default] file-set picture max-size 200
    [sysname-sandbox-default] file-set web max-size 200
    [sysname-sandbox-default] quit

  4. Configure the name and description of the APT defense profile.

    [sysname] profile type aapt name sandbox_local
    [sysname-profile-aapt-sandbox_local] description AAPT profile of local sandbox

  5. Enable malicious URL detection.

    [sysname-profile-aapt-sandbox_local] malicious-url enable

  6. Enable file reputation detection and specify the protocol, traffic direction, and action for malicious file detection. The default settings are used in this example.

    [sysname-profile-aapt-sandbox_local] file-reputation enable

  7. Configure sandbox inspection parameters.

    [sysname-profile-aapt-sandbox_local] file-type BAT CLASS PE32 MSI HLP HTML JAR DOC
    [sysname-profile-aapt-sandbox_local] sandbox-type local
    [sysname-profile-aapt-sandbox_local] quit

  8. Reference the APT defense profile in security policies.

    [sysname] security-policy
    [sysname-policy-security] rule name policy_to_Internet
    [sysname-policy-security-rule-policy_to_Internet] profile aapt sandbox_local
    [sysname-policy-security] quit
    [sysname] quit

  9. Log in to the local FireHunter (https://10.1.2.2:32229), choose Configuration > Device, and add an interworking device.

Verification

  1. Run the linkage try command. The command output shows that the FW interworks with the local sandbox.
    <sysname> system-view
    [sysname] sandbox default
    [sysname-sandbox-default] linkage try
    Info: try link to sandbox success!
    [sysname-sandbox-default] quit
  2. Run the display aapt file submit information command to check the information on the files submitted to the sandbox for detection recently.
    [sysname] display aapt file submit information
    Slot 11 Cpu 0:
     File Name: eicar.123.docx
     Hash: 225e966e4b109096e938e7136a558b83
     Type: docx
     Size: 960 Bytes
     Submit Result: Success
     Sandbox Type: Local sandbox
     Submit Time: 2017-01-10 14:32:20
    
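To script the second verification step (for example over a captured SSH session) rather than reading the output by eye, the following parser is added here as an illustration; it is not Huawei's code. The sample output embeds the record shown above and a second, constructed record to exercise the failure path; the "Fail" result string is an assumption about the device's wording.

```python
"""Parser for 'display aapt file submit information' output (added
illustration, not Huawei's code). Produces one dict per submitted file and
flags records a practitioner would want to look at."""
import re
from typing import Dict, List, Tuple

# Constructed sample: first record copied from the verification output above,
# second record invented; 'Fail' is an ASSUMED result string.
SAMPLE_OUTPUT = """\
Slot 11 Cpu 0:
 File Name: eicar.123.docx
 Hash: 225e966e4b109096e938e7136a558b83
 Type: docx
 Size: 960 Bytes
 Submit Result: Success
 Sandbox Type: Local sandbox
 Submit Time: 2017-01-10 14:32:20

 File Name: invoice.pdf
 Hash: 0123456789abcdef0123456789abcdef
 Type: pdf
 Size: 2048 Bytes
 Submit Result: Fail
 Sandbox Type: Local sandbox
 Submit Time: 2017-01-10 14:35:02
"""

SLOT_RE = re.compile(r"^Slot\s+(\d+)\s+Cpu\s+(\d+):")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")   # the displayed hash is 32 hex chars


def parse_submit_info(text: str) -> List[Dict[str, str]]:
    """Turn the CLI output into one dict per file, tagged with the Slot/Cpu
    header it appeared under. A new record starts at each 'File Name:' line."""
    records: List[Dict[str, str]] = []
    slot, cur = "", None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = f"{m.group(1)}/{m.group(2)}"
            continue
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")      # first colon only: times contain colons
        key, value = key.strip(), value.strip()
        if key == "File Name":
            cur = {"Slot/Cpu": slot}
            records.append(cur)
        if cur is not None:
            cur[key] = value
    return records


def size_bytes(record: Dict[str, str]) -> int:
    """'960 Bytes' -> 960."""
    return int(record.get("Size", "0 Bytes").split()[0])


def check_submissions(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (file name, reason) for records needing attention: a result other
    than Success, or a hash that is not 32 hex chars and so cannot be matched
    against an MD5-keyed file cache or blocklist."""
    issues = []
    for r in records:
        name = r.get("File Name", "?")
        if r.get("Submit Result") != "Success":
            issues.append((name, "submit result " + r.get("Submit Result", "?")))
        if not MD5_RE.match(r.get("Hash", "")):
            issues.append((name, "unexpected hash format"))
    return issues


if __name__ == "__main__":
    recs = parse_submit_info(SAMPLE_OUTPUT)
    for r in recs:
        print(r["File Name"], r["Hash"], size_bytes(r), r["Submit Result"])
    print(check_submissions(recs))
```

A run of repeated non-Success results after `linkage try` reported success usually points at the interworking-device entry on the FireHunter side (step 9) or at the Local-to-DMZ security policy rather than at the profile.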

Configuration Scripts

#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
sandbox default
 type FireHunter
 ip 10.1.2.2 port 5002
 server-certificate huaweica.cer
 api-key %^%#f=m6Gr>@I,'B\BIZ)9z%\Kq|Ly&^Y3Ewc#$&#\p1%^%#
 linkage enable
 file-set EXE max-size 1024
 file-set GZIP max-size 1024
 file-set OFFICE max-size 1024
 file-set PDF max-size 1024
 file-set PICTURE max-size 200
 file-set WEB max-size 200
#
profile type aapt name sandbox_local
 description AAPT profile of local sandbox
 file-reputation enable
 malicious-url enable
 file-type BAT CLASS PE32 MSI HLP HTML JAR DOC
 sandbox-type local
#
security-policy
 rule name policy_to_sandbox
  source-zone local
  destination-zone dmz
  action permit
 rule name policy_to_Internet
  source-zone trust
  destination-zone untrust
  profile aapt sandbox_local
  action permit
#
return 
Copyright © Huawei Technologies Co., Ltd.