manualshive.com logo in svg

Solida systems SL-1000, Руководство пользователя

Поделиться
Скачать
Solida systems SL-1000 Скачать руководство пользователя страница 24

 

 

 

 

 

24 

©

 SOLIDA SYSTEMS INTERNATIONAL 

2016 

 

7.2.1 Low severity (colored green in the GUI) 

 

These events are typically generated by trying to visit known phishing sites, or sites containing 

various types of malware. The appliance will automatically drop these network packets. This will 

prevent malware from infecting the protected network. 

 

These events require no further action from the user. 

 

7.2.2 Medium severity (colored orange in the GUI) 

 

Events with a medium severity rating include known C2 domains, domains with severe drive-by 

malware, Trojans and more. Network packets destined to these domains will be automatically 

dropped, in an effort to maintain network integrity.  

 

These events require no further action from the user.  

 

7.2.3 Critical severity (colored red in the GUI) 

 
Critical events will be generated if the appliance detects malicious activities occurring inside the 

network. This would indicate the network has been compromised. Where malware is already 

present that requires user intervention to remove. Examples of such events are DNS queries 

generated by a ransomware DGA engine, or malwares trying to connect with a C2 server.  

 

All network packets resulting in critical events will be automatically dropped, to mitigate further 

infection to the network. The event includes the source and destination IP addresses of the 

offending packets. Which allows for prompt identification of the infected computer on the 

network. The user will be required to remove the malware from the infected computer using a 

suitable removal tool. 

 

All events can be viewed using the monitor application, included with the appliances. Optionally, 

emails containing the event count and severity can be automatically generated and sent out. A 

mobile phone application is also available, that allows the user to monitor events in real time.  

 

 

7.3 Source and Destination IP Addresses 

 

Each rule event includes the source and destination IP addresses, of the packet that generated the 

rule hit. Logging these IP addresses allows for a more detailed examination of the source of the 

threat. The Internet offers many “whois” services where an IP address can be entered for analysis. 

This information also includes geographical information regarding an IP address.  

 

 

Содержание SL-1000

Страница 1: ...USER MANUAL Version 1 0 January 2017 WWW SOLIDASYSTEMS COM SL 1000 Security Appliance ...

Страница 2: ...Email Addr 12 4 4 6 Event Notification Emails 12 4 4 REPUTATION THREAT LIST UPDATES 13 4 4 1 About Tor Exit Nodes 14 4 5 SET MOBILE APPLICATION PASSWORD 14 4 5 SETTING THE TIME ZONE 15 5 REPUTATION BASED DETECTION 16 5 1 OVERVIEW 16 5 2 DGA LIST 16 5 3 LIST UPDATES 17 6 INTRUSION DETECTION AND PREVENTION RULES 19 6 1 RULE OVERVIEW 19 6 2 RULE LIST 19 6 3 RULE SETS 20 6 4 ACTIVATING A RULE SET 20 6...

Страница 3: ... 10 2 DOWNLOADING A SUPPORT BUNDLE 28 11 DATA LOGGING 30 11 1 PACKET LOGGING 30 11 2 DROPPED PACKET LOGGING 30 11 3 EVENT LOGGING 30 11 4 HTTP LOGGING 31 11 5 DOWNLOADING LOG FILES 31 11 8 DELETING LOG FILES 32 12 REMOTE MONITORING 33 12 1 SOLIDA MULTI INTRODUCTION 33 12 2 SETTING UP REMOTE MONITORING 33 ...

Страница 4: ...rm of a data feed hosted in the cloud This threat feed is updated hourly and includes malicious URLs domain names and IP addresses These are harvested from various international threat intelligence sources The threat feed includes information about current threats such as ransomware phishing sites trojans and many other threat categories 1 2 Intrusion Detection and Prevention Intrusion detection a...

Страница 5: ...the SL 1000 The management port is marked MGNT The default factory configuration for the high speed Ethernet ports is Port 0 WAN WAN side Internet connected router Port 1 LAN1 LAN side LAN side network switch Port 2 LAN2 MGNT Configuration and monitoring Port 3 LAN3 Unused The default factory settings can be changed through the web configuration utility that is accessed through a browser over the ...

Страница 6: ...c The SL 1000 appliance operates in stealth mode It does not require any IP addresses for its ports other than for the MGNT management port Figure 2 2 Typical Installation For larger networks it might be necessary to protect multiple sections of the network with dedicated security appliances For those installations make sure that the WAN port is connected upwards towards the Internet router side C...

Страница 7: ...page will appear in the browser window Enter the supplied user name and password to log in Some networks might use another IP address range other than 192 168 x x for example 10 32 x x If this is the case it will be required to change the management ports IP address before the appliance is connected to the LAN side switch To change the default IP address direct connect a computer with the applianc...

Страница 8: ...applications Creating and managing the user credentials is done through the configuration application First navigate to the Configuration page and then locate the box named Manage Users To create a new user press the button named Add User and enter the new credentials in the indicated fields Figure 3 2 Add new user box The drop down menu at the top of the Add New User window contains two options M...

Страница 9: ...to keep the factory default setting Figure 4 1 Ethernet Port Configuration Operating Mode The only supported operation mode is Single LAN WAN ports Port 0 usage Selects if port 0 should be facing the Internet side or the LAN side Port 1 usage Selects if port 0 should be facing the Internet side or the LAN side 4 2 Appliance Name An appliance should be given a name The name can be used as an identi...

Страница 10: ...ts Only under very special circumstances should the factory default be changed Changing the factory default will prohibit the appliance from detecting all possible malwares and other threats To change the factory default setting start the configuration utility and navigate to Configuration Locate the block titled Deep Packet Inspection Configuration It will look as shown in the picture below Figur...

Страница 11: ... support for sending regular emails containing information about the number of events in the system and their severity This is a useful feature since it will not be required to constantly monitor the appliance through the monitoring application 4 4 1 Setting Up Email Notification To set up email notification login to the configuration application and navigate to Admin Configuration Locate the box ...

Страница 12: ...nt Email Addr This text box shows the current email address in use assuming this feature is enabled This address will be the recipient for the event status emails 4 4 5 New Email Addr Enter a valid email address into this box This is the new address that will be used to receive these emails Once the above fields have been filled in press the Activate button This will activate the new configuration...

Страница 13: ...he factory default is to allow for all these lists to be included in the cloud updates Changing this factory default should only be done in very special cases Disabling a list results in the possibility of malicious packets being able to penetrate the network and cause escalating damage To change the factory default setting start the configuration utility and navigate to Configuration Locate the b...

Страница 14: ...s would be in countries that censor their citizens Internet traffic In those circumstances the Tor network can be used to circumvent such censorship Then it is recommended to disable the inclusion of Tor endpoints in the IP blacklist 4 5 Set Mobile Application Password The appliance can be monitored with a mobile phone application This application requires a password to log into the cloud server t...

Страница 15: ...etting The Time Zone The appliance use time stamps for various events Therefore it is required to set the time zone which the appliance is operating in Figure 4 7 Setting the time zone Select the desired time zone and press the Activate button ...

Страница 16: ...eputation lists might not yet have registered this 5 2 DGA List The most important data in the threat feed is the list of Domain Generation Algorithm DGA generated domain names Many ramsomware and other serious malware use DGAs to generate a large number of domain names These domain names are used to try and connect with their command and control servers C2 The large number of auto generated domai...

Страница 17: ...iance automatically connects with this cloud service once every hour to download new updated versions of the lists This guarantees that the appliance always contains information about the latest threats seen in the wild To monitor the list update process and the list sizes start the configuration application and navigate to Threat Intelligence Threat Lists A similar page is available at the same l...

Страница 18: ...ion Entries The number of domain names in this list IP Reputation Entries The number of IP addresses both IPv4 and IPv6 in this list TOR endpoints The number of Tor endpoints provided this list is included The above threat lists are not user modifiable ...

Страница 19: ... the packets and what action to take if a pattern match is detected Solida provides a set of system rules that includes protection from many types of penetration attempts An expert user can also create custom rules Writing custom rules requires detailed knowledge of rule writing and the different types of packets flowing over a network Such custom rules can be created using the rule editor in the ...

Страница 20: ...ppliance will start its packet scanning using all the rules included in the rule set To display and create rule sets start the configuration utility and navigate to Rule Sets This will show a list over all available rule sets Figure 6 2 Rule set list in the GUI configuration utility 6 4 Activating a Rule Set To activate a rule set select the rule set by clicking on its row in the GUI Then click th...

Страница 21: ... 6 6 Creating Custom Rules It is beyond this manual to explain in detail how to write custom rules Please refer to the many tutorials and documentation available on the Internet on how to write detection rules A rule is created using the configuration application Start the application and navigate to the Rule List page This page will display a list of all rules currently available in the appliance...

Страница 22: ... a unique rule id that identifies the rule The rule id consists of 9 numbers It is common practice to group rules into categories As an example the first thee numbers identifies the general type of rule For example UDP rules TCP rules ICMP rules The next three digits identify the type of threat the rule concerns The last three digits could be a general identifier that is incremented by one for eac...

Страница 23: ...Events are stored in a database in the appliance to allow for tracking and statistics gathering Events are also written to log files that can easily be downloaded from the appliance through the GUI These event files can then be correlated with other down loadable packet log files so that a security analyst can investigate the root cause of the event Events can be monitored using the built in monit...

Страница 24: ...les of such events are DNS queries generated by a ransomware DGA engine or malwares trying to connect with a C2 server All network packets resulting in critical events will be automatically dropped to mitigate further infection to the network The event includes the source and destination IP addresses of the offending packets Which allows for prompt identification of the infected computer on the ne...

Страница 25: ...mportant to remove the infected computer from the rest of the network Some advanced ransomwares are capable of propagate through the network and infect additional computers The critical events will be listed with the source and destination IP addresses visible Use the destination IP address from the event and match that with a computer in the LAN that uses this IP address This is the computer that...

Страница 26: ... update start the configuration application and navigate to Software Updates in the menu side bar This will present the following window Figure 9 1 Software update GUI window The upper System Control Center box contains the following Firmware version Displays the currently active internal firmware version number JSOSD version Displays the version of the current security OS daemon The button named ...

Страница 27: ...w version Please note it will take as long as 5 minutes for a software update to complete During this time no network traffic will be able to flow through the appliance After the update has completed please reset the browser history to guarantee the browser will display the latest version of the web utilities ...

Страница 28: ...n the appliance experiencing a problem Navigate to Software Updates This will display a window that contains a blue button with the text Generate Support Bundle Pressing this button and answering Yes in the confirmation box will start generating a support bundle Note that it might take up to 5 minutes or more for the bundle generation to complete 10 2 Downloading a Support Bundle Once a support bu...

Страница 29: ...29 SOLIDA SYSTEMS INTERNATIONAL 2016 available support bundles that are ready to be downloaded Please note it will take up to 5 minutes for a new support bundle to appear in this directory ...

Страница 30: ...e resulting log files can become very large so it is important to select an appropriate rollover option to avoid filling up the disk space in the appliance Packet logging should be disabled during normal usage 11 2 Dropped Packet Logging This option will log all network packets that are dropped by the appliance Packets will be dropped by the rule engine as well as by the reputation detection engin...

Страница 31: ... Figure 11 2 HTTP logging configuration window 11 5 Downloading Log Files Log files can be downloaded using either the configuration application or the monitoring application To download a log file navigate to the Log File Management menu option This will open up a file management interface as shown in the picture below Figure 11 3 Log file management window ...

Страница 32: ...og file directory To delete a file within the directory right click on the file and select Delete The file will be permanently deleted from the appliance It is also possible to rename a log file Right click on the file to rename it Even though possible never delete a log file directory Please note that some log files become very large The appliance has limited space for log files Therefore always ...

Страница 33: ... Multi all security related events will be pushed up to the reporting server Log files including the system log file will also be pushed up to allow the user to download these files remotely 12 2 Setting Up Remote Monitoring Enabling remote monitoring in an appliance is a simple operation The below picture shows the configuration window and its options Figure 12 1 Remote monitoring configuration S...

Страница 34: ...MS INTERNATIONAL CO LTD 1000 19 20 Liberty Plaza Building Floor 12A Thonglor Sukhumvit Soi 55 Klongtan Nua Wattana Bangkok Thailand 10110 Tel 66 2 714 8900 Email info solidasystems com Website www solidasystems com ...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды