Firewall endpoint security detection and prevention technology

1. Endpoint (Terminal) Security Risks

In an enterprise, more than 90 percent of employees need to use an office PC (the "terminal", or endpoint) every day. The endpoint is the key node for data exchange between the internal network and the Internet, and staff skill levels vary widely, so about 80% of enterprise network security incidents originate at endpoints. Endpoints have therefore become a strategic point of attack. The attacker's goal is valuable data: once an endpoint is under control, ransomware can be planted directly to extort the victim, and, more seriously, attackers often go after the servers that store important data. The controlled endpoint becomes a springboard: the attacker scans the internal network laterally from the compromised host, identifies the organization's critical internal servers, and then launches attacks against them.

The Internet egress is where an organization logically separates its internal network from the Internet. For internal users accessing the network, botnets are the most serious security problem: attackers use Trojans, viruses, worms and other means to compromise and control endpoints, forming botnets that in turn lead to theft of the information stored on the endpoint, redirection of the endpoint to phishing websites, use of the endpoint as a springboard for attacks on other resources, and other harms.
Attackers use botnets to carry out further harmful acts; botnets are most commonly used as a springboard for APT attacks. Through them, attackers achieve infiltration, surveillance and theft of sensitive data, and the resulting harm is very great.

The main harms of botnets are:
1. Local penetration and spread
2. Theft of sensitive information
3. Collection of vulnerability information
4. Advanced persistent threats
5. Unseen risks

2. Endpoint Security Detection and Defense Technology

A seemingly normal network hides many security risks; looking only at IP / port / signature is no longer enough to tell whether traffic is safe.

Endpoint security detection and defense technology

Layer 7 deep packet inspection of applications can be used to implement endpoint security control.

2.1 Application control policy

Application control policies provide bi-directional control over access to applications / services.
NGAF ships with a default deny-all service / application control policy.

1. Application-based control policy:
filtering is performed by matching packet payload characteristics. Determining the application type requires a certain amount of packet traffic, and only then can the blocking decision be made.
2. Service-based control policy:
filtering is performed by matching the packet five-tuple (source address, destination address, source port, destination port, protocol number), so the decision to intercept can be made immediately on any packet.
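As an added illustration (this is not code from the original post or from the NGAF product), here is a toy model of the two policy types: a service rule decides on the five-tuple of the very first packet, while an application rule must buffer payload across packets before it can classify the flow, and flows that are never recognised fall to a default deny. The rule contents, the two signatures and the packet values are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str          # "tcp" or "udp"
    payload: bytes = b""

# Service-based rules match the five-tuple only, so they decide on the first packet.
# (destination-address prefix, destination port, protocol, action); constructed values.
SERVICE_RULES = [
    ("10.0.0.", 22, "tcp", "deny"),
    ("10.0.0.", 443, "tcp", "allow"),
]

# Application-based rules need payload. These two signatures are deliberately
# simplified stand-ins for a real application identification library.
APP_SIGNATURES = {
    "ssh": lambda p: p.startswith(b"SSH-"),
    "http": lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"),
}
APP_RULES = {"ssh": "deny", "http": "allow"}
INSPECT_BUDGET = 64  # bytes of payload examined before an unknown flow is dropped
def service_decision(pkt):
    """Five-tuple match: an immediate verdict, or None when no service rule applies."""
    for prefix, dport, proto, action in SERVICE_RULES:
        if pkt.dst.startswith(prefix) and pkt.dport == dport and pkt.proto == proto:
            return action
    return None

class FlowInspector:
    """Buffers payload per flow until an application is recognised; flows that stay
    unrecognised once the budget is spent are denied (NGAF-style default deny)."""
    def __init__(self):
        self.buffers = {}

    def decide(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        buf = self.buffers.get(key, b"") + pkt.payload
        self.buffers[key] = buf[:INSPECT_BUDGET]
        for app, matches in APP_SIGNATURES.items():
            if matches(buf):
                return app, APP_RULES.get(app, "deny")
        if len(buf) >= INSPECT_BUDGET:
            return "unknown", "deny"
        return None, "pending"  # not enough traffic yet to classify the application
```

Note that the SSH banner is recognised even on port 8080, which a pure five-tuple rule would never see.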
Web filtering means filtering access to web pages.
It includes URL filtering and file filtering, distinguishes between different HTTP actions, and can also filter HTTPS URLs.

3. Gateway Antivirus Technology

3.1 Computer viruses

3.1.1 Definition of a computer virus

The "Regulations of the People's Republic of China on the Security Protection of Computer Information Systems", promulgated on 18 February 1994, state clearly: "A computer virus is a set of computer instructions or program code that is compiled or inserted into a computer program, that destroys computer functions or destroys data, affects the use of the computer, and is capable of self-replication."

3.1.2 Characteristics of computer viruses

Characteristics of computer viruses:
1. Infectiousness
2. Unpredictability
3. Reproducibility
4. Latency
5. Destructiveness
6. Concealment

3.1.3 How computer viruses work

(Figures: the working steps of a virus, and its life-cycle mechanism.)

3.2 Anti-virus defense products

3.2.1 Evolution and comparison of anti-virus defense products

Stand-alone antivirus software -> network-version antivirus software -> antivirus software + antivirus gateway
Defense based on antivirus software alone is a relatively passive solution and is especially vulnerable whenever a new virus appears: administrators tend to scramble to find it everywhere at once, and must make sure every endpoint on the network is upgraded to the latest virus database. If any node is not updated as required, it becomes the weak link of the network; the virus infiltrates through it and rapidly affects the system.

An antivirus gateway scans data entering the enterprise for viruses and intercepts them outside the enterprise, reducing the harm caused by viruses that penetrate the enterprise. Together these build a multi-layered anti-virus system, moving from the traditional stand-alone and network-version antivirus of the past to full, multi-dimensional network virus protection.

3.2.2 Gateway antivirus

(1) Functional advantages
1. Filters viruses at the application layer
2. Filters data entering and leaving the gateway
3. The gateway blocks virus transmission, proactively keeping viruses outside the network
4. Simple deployment, easy management, low maintenance cost
5. Works together with endpoint antivirus software to build multi-layer protection
(2) Implementation

a. Proxy scanning

All packets passing through the gateway that require virus detection are transparently forwarded to the gateway's own protocol stack; that stack caches (reassembles) the whole file, which is then handed to the virus detection engine.

b. Stream scanning mode

Relies on stateful inspection and protocol analysis techniques: simple features are extracted from the file as it streams past and matched against the local signature database.
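To make the difference between the two modes concrete, here is an added example (not code from the original post or from any antivirus product) that scans the same "file" three ways: proxy mode reassembles it first, a naive stream scanner checks each packet in isolation and misses a signature split across a packet boundary, and a correct stream scanner carries a small overlap between packets so it finds the same hits as proxy mode with bounded memory. The signature database and the sample file are constructed test data, not real malware.

```python
# Signature database and sample file are constructed test data, not real malware.
SIGNATURES = {
    b"TEST-SIG-ALPHA": "Test.Alpha",
    b"TEST-SIG-BRAVO": "Test.Bravo",
}
MAX_SIG_LEN = max(len(s) for s in SIGNATURES)

def split_into_packets(data, size):
    """Constructed 'network': cut a file into fixed-size packets."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def proxy_scan(packets):
    """Proxy mode: the gateway's own stack caches (reassembles) the whole file,
    then the engine scans it once. Memory grows with file size."""
    data = b"".join(packets)
    return sorted(name for sig, name in SIGNATURES.items() if sig in data)

def naive_stream_scan(packets):
    """Stream mode done wrong: each packet is scanned on its own, so a signature
    that straddles a packet boundary is never seen in one piece."""
    hits = set()
    for pkt in packets:
        hits.update(name for sig, name in SIGNATURES.items() if sig in pkt)
    return sorted(hits)

def stream_scan(packets):
    """Stream mode done right: carry the last MAX_SIG_LEN-1 bytes of the previous
    packet into the next match, so boundary-straddling signatures are found
    while memory stays bounded regardless of file size."""
    hits, carry = set(), b""
    for pkt in packets:
        window = carry + pkt
        hits.update(name for sig, name in SIGNATURES.items() if sig in window)
        carry = window[-(MAX_SIG_LEN - 1):] if MAX_SIG_LEN > 1 else b""
    return sorted(hits)

# Constructed sample: ALPHA starts at offset 10 and crosses the 16-byte packet
# boundary; BRAVO starts at offset 32 and sits entirely inside one packet.
SAMPLE_FILE = b"A" * 10 + b"TEST-SIG-ALPHA" + b"B" * 8 + b"TEST-SIG-BRAVO" + b"C" * 5
SAMPLE_PACKETS = split_into_packets(SAMPLE_FILE, 16)
```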

(3) Configuration roadmap

(Figure omitted.)

(4) Display of results

E-mail virus detection (figure)

HTTP virus detection (figure)

4. Botnet Detection and Defense Technology

4.1 Botnets

4.1.1 Definition of a botnet

A botnet (also translated as "zombie network" or "robot network") refers to tens of thousands of compromised machines (which attackers commonly call zombies, or "chickens" in hacker slang) that an attacker organizes, using programs written for distributed denial-of-service attacks, into nodes that can be controlled to send forged or junk packets, so that the chosen target is paralyzed and "denied service". Worms can also be used to build botnets.

4.1.2 How botnets form

Traditional antivirus software (such as OfficeScan) has limited effect in killing viruses and Trojans; in an APT (advanced persistent threat) scenario, traditional antivirus walls and antivirus software are useless.

4.2 Botnet detection and defense technology

A post-compromise detection mechanism is needed so that customers can find and locate infected endpoints and reduce endpoint security risk; at the same time there are higher demands on logging for traceability. When a machine infected with a virus or Trojan attempts to communicate with the external network, the AF identifies that traffic and, according to the user's policy, blocks it and records a log.

4.2.1 Defense technology

(1) Trojan remote control
Data sent to the protected zone and the requested data it receives are both subjected to Trojan remote-control security detection.
(2) Mobile security
Includes detection of malicious apk packages on the network and mobile bot detection.
(3) Abnormal traffic
Includes detection of protocols running on non-standard ports, reverse-connection (rebound shell) detection, and heuristic DoS attack detection.
(4) Malicious links
For URLs that may lead to threats, such as web pages hosting Trojans (drive-by downloads) and virus download links, the threat is detected and the link intercepted.

a. Malicious link matching process
1. Match against the whitelist (on a match, allow directly).
2. Match against the blacklist (rule base); on a match, execute the action configured in the policy.
3. If neither the whitelist nor the blacklist matches, report to the cloud for analysis. If malicious behavior is detected, the cloud pushes the result to the AF, which executes the action according to policy.
4. The cloud adds the link to the blacklist in the next version of the malicious-link database.
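The four matching steps above, as an added example (not code from the original post or from the AF product): a small link filter that normalises the URL to its host, consults the whitelist first, then the blacklist (a listed domain also covers its subdomains), then a pluggable cloud-analysis callback, and feeds any cloud verdict back into its local blacklist so the next hit is answered locally. The list contents, the fake cloud verdicts and the action names are constructed.

```python
from urllib.parse import urlsplit

# Constructed list contents; a real AF rule base is far larger and cloud-maintained.
WHITELIST = {"intranet.example", "update.example"}
BLACKLIST = {"bad.example": "block", "phish.example": "block"}   # host -> configured action
CLOUD_VERDICTS = {"unknown-evil.example": "block"}               # stand-in for cloud analysis

def host_of(url):
    """Reduce a URL to its host: lower-case, port stripped, path and query ignored."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()

def parent_domains(host):
    """'cdn.bad.example' -> ['cdn.bad.example', 'bad.example'], so a listed domain
    also covers its subdomains; the bare TLD on its own is never matched."""
    parts = host.split(".")
    return [".".join(parts[i:]) for i in range(max(1, len(parts) - 1))]

class LinkFilter:
    def __init__(self, whitelist, blacklist, cloud_analyze):
        self.whitelist = set(whitelist)
        self.blacklist = dict(blacklist)        # copied: cloud verdicts are added to it (step 4)
        self.cloud_analyze = cloud_analyze      # callable: host -> action, or None if clean

    def check(self, url):
        """Return (action, which stage decided), following the order in the post."""
        host = host_of(url)
        candidates = parent_domains(host)
        if any(h in self.whitelist for h in candidates):
            return "allow", "whitelist"                     # step 1
        for h in candidates:
            if h in self.blacklist:
                return self.blacklist[h], "blacklist"       # step 2
        verdict = self.cloud_analyze(host)                  # step 3
        if verdict is None:
            return "allow", "cloud-clean"
        self.blacklist[host] = verdict                      # step 4: local list grows
        return verdict, "cloud"
```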

b. Sandbox-driven detection procedure
1. Suspicious traffic is reported
2. The sandbox executes it and performs detection
3. Security rules are generated
4. The rules are synchronized through the cloud and pushed down to devices at the same time

Sandbox environment detection covers:
• Dangerous behavior
• Process operations
• File operations
• Network behavior
• Registry operations

4.2.2 Abnormal traffic detection

1. By analyzing deviations from the security model at the network layer and the application layer of the live network, hidden abnormal behavior can be found and the attack type determined from its behavioral characteristics; this can find attacks for which no matching signature exists.

2. The outbound traffic anomaly function is a heuristic DoS attack detection method that can detect SYN flood, ICMP flood, DNS flood and UDP flood attacks originating from the same source IP.

3. Principle of the outbound traffic anomaly function:
when the outbound packet rate (pps) for a particular protocol exceeds the threshold, roughly 5 minutes of packets are captured as a sample and analyzed to determine whether the flow is unidirectional, that is, whether the content receives normal responses. The analysis results and any discovered attacks are written to the log for display.
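The two-step heuristic in point 3 (rate threshold first, then a check that the traffic is essentially one-way), as an added example that is not code from the original post or from the AF product. The thresholds, the record format and the per-flow counters are constructed; the counters stand for packets observed over one roughly 5-minute sample window.

```python
from collections import defaultdict

PPS_THRESHOLD = 1000        # outbound packets per second that trigger closer inspection
SAMPLE_SECONDS = 300        # the post says roughly 5 minutes of packets are sampled
MAX_RESPONSE_RATIO = 0.05   # fewer replies than this share of outbound packets = one-way flow

# Constructed per-flow counters over one sample window:
# (src, dst, proto, direction, packets); "out" leaves the protected network, "in" is the reply.
SAMPLE_RECORDS = [
    ("10.0.0.7", "203.0.113.9", "tcp-syn", "out", 350_000),    # SYN flood: almost no SYN/ACKs back
    ("203.0.113.9", "10.0.0.7", "tcp-syn", "in", 120),
    ("10.0.0.8", "198.51.100.4", "dns", "out", 40_000),        # busy but below the threshold
    ("198.51.100.4", "10.0.0.8", "dns", "in", 39_500),
    ("10.0.0.9", "192.0.2.30", "udp", "out", 600_000),         # high rate but answered: a real stream
    ("192.0.2.30", "10.0.0.9", "udp", "in", 580_000),
]

def detect_outbound_floods(records, window=SAMPLE_SECONDS):
    """Flag (source, protocol) pairs whose outbound rate exceeds the threshold AND
    whose traffic is essentially unidirectional. Returns a list of alert dicts."""
    out_pkts, in_pkts = defaultdict(int), defaultdict(int)
    for src, dst, proto, direction, pkts in records:
        if direction == "out":
            out_pkts[(src, proto)] += pkts
        else:
            in_pkts[(dst, proto)] += pkts   # replies keyed by the internal host they return to
    alerts = []
    for (src, proto), pkts in out_pkts.items():
        pps = pkts / window
        if pps <= PPS_THRESHOLD:
            continue                        # step 1: rate threshold not reached
        ratio = in_pkts.get((src, proto), 0) / pkts
        if ratio >= MAX_RESPONSE_RATIO:
            continue                        # step 2: the other side answers, so not a flood
        alerts.append({"src": src, "type": f"{proto} flood",
                       "pps": round(pps), "response_ratio": round(ratio, 4)})
    return alerts

def format_log(alert):
    """Render an alert as a single log line for traceability."""
    return (f"botnet-dos src={alert['src']} type={alert['type']} "
            f"pps={alert['pps']} response_ratio={alert['response_ratio']}")
```

The UDP flow is above the rate threshold but is dropped by the response check, which is exactly the case where a rate-only rule would produce a false positive.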

4.2.3 Other detection methods

1. Botnet connection determination is the most basic method; its information sources include data collected from thousands of on-line devices and cooperative sharing with Google and other parties.
2. For unknown botnets (where the C&C domains are largely generated by a DGA), the DGA algorithm is simulated and its features summarized, or a summary of normal domain-name patterns is configured, in order to identify the unknown botnet.
3. Risky outreach pattern detection, such as communicating with a botnet over a known channel (IRC, HFS).
4. A non-standard transport protocol on a standard port (example: RDP transmitted over port 80).
5. CC attacks launched against external targets.
6. Malicious files communicated to the outside.
7. Shellcode sent outbound.
8. Detected downloads of malicious files, such as PDFs, and other malicious behavior.
9. Detected downloaded files whose content does not match their extension.
10. Mismatch between upstream and downstream traffic.
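Point 2 above describes identifying DGA-generated C&C domains from summarized features of normal versus generated names. As an added example (not the post's or the AF product's own algorithm, which is not published here), this scores a domain's registrable label on a few such features (length, character entropy, vowel and digit ratios, longest consonant run) and flags it when enough features fall outside what human-chosen names usually show. The thresholds and the test domains are constructed, and the label extraction ignores multi-part public suffixes such as .co.uk.

```python
import math

VOWELS = set("aeiou")

def registrable_label(domain):
    """Take the label just below the TLD ('evil' in 'cdn.evil.com'). Simplification:
    multi-part public suffixes such as .co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    """Bits per character; random-looking strings score high, dictionary words low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def longest_consonant_run(s):
    best = run = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return best

def dga_features(domain):
    label = registrable_label(domain)
    n = max(len(label), 1)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(c in VOWELS for c in label) / n,
        "digit_ratio": sum(c.isdigit() for c in label) / n,
        "consonant_run": longest_consonant_run(label),
    }

def looks_generated(domain, min_score=3):
    """Count how many features look machine-generated; constructed thresholds."""
    f = dga_features(domain)
    score = (
        (f["entropy"] > 3.5) + (f["vowel_ratio"] < 0.2) + (f["digit_ratio"] > 0.2)
        + (f["consonant_run"] >= 5) + (f["length"] >= 12)
    )
    return score >= min_score
```

A score like this is a triage signal, not a verdict: the post's item 1 (known C&C lists) and the sandbox verdicts should confirm before a block is applied.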

4.2.4 Excluding false positives

AF botnet protection offers three ways to exclude false positives:
1. If traffic from one endpoint is found to be a false positive of an AF botnet rule, that specific IP can be excluded in the botnet function module; the botnet policy will then no longer intercept that IP.
2. If a rule is found to produce false positives that block the traffic of all endpoints in the network, go to [Security] - [Botnet], find the specified rule in the rule base and disable it; botnet policies will then no longer take any interception action for that rule.
3. Alternatively, in the built-in data center, query the botnet log and use "Add exception" to exclude the entry directly.

Origin blog.csdn.net/csdn10086110/article/details/90602798