Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
Version 8.0.95

Policy for Server Scenario

Update time: 2025-12-25

A Policy for Server Scenario protects the services an organization publishes, preventing the service server from being attacked and improving overall network security. It comprises these functional modules: passive vulnerability scan, intrusion prevention, content security, web app firewall, website tamper protection, botnet detection, and correlated block.

Click Add and select Policy for Server Scenario, as shown in the following figure.

[Figure: screenshot]

Name: Specify the name of the policy.

Description: Specify custom description.

Status: Specify whether to enable the policy.

Source

Src Zone: Select the zone from which the (potentially malicious) traffic originates.

Src Address: Select the source IP addresses, within that zone, from which the traffic originates.

Destination

Dst Zone: Select the zone that the traffic is headed to, that is, the zone in which the protected server resides.

Dst Address: Select the IP addresses of the protected servers within that zone.

For more information about network configuration, see Chapter 6.3.1 Security Protection Policy.

Options:

Server Scenario: Determine in advance whether access will pass through a proxy, such as SNAT or CDN. Two options are available: Source is not processed via SNAT or CDN and Source is processed via SNAT or CDN. The setting mainly informs the subsequent anti-scanning policy, because a scanner blocker that blocks by source IP address would otherwise affect every client behind a shared proxy address. If you select Source is not processed via SNAT or CDN, an alert message appears when you select Default Template II (Scanner Blocker enabled for non-proxy access) in the Risk Assessment step.

A Content Distribution Network (CDN) is an intelligent virtual network built on top of the existing network. It relies on edge servers deployed in various locations and lets users fetch the content they need from a nearby edge server through functional modules such as load balancing, content distribution, and scheduling by the central platform. This reduces network congestion and improves user response time and cache hit rate. If an edge server cannot serve a request itself, it acts as a proxy and uses its own local IP address to request the resource from the central server, so the origin server sees the edge server's address rather than the user's.

Click Next to go to the Risk Assessment step, and check Passive Vulnerability Scan, as shown in the following figure.

[Figure: screenshot]

Passive Vulnerability Scan: Passively observes traffic to detect risks such as vulnerabilities, improper configurations, and weak passwords in the service system in real time, before an incident occurs. The specified traffic in the network is analyzed in real time against a subset of the built-in vulnerability rules; no probe packets are sent to the assets. This function discovers security vulnerabilities in the user's network and presents a report of the potential risks together with remediation suggestions. To view the reports, navigate to SOC > Business Asset Security > Passive Vulnerability Scan.
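
The following is an added example, not Athena NGFW code, showing what "passive" means in practice: the scanner only reads exchanges that already cross the device and matches them against rules, never probing the asset. The HTTP exchanges, the three rules (cleartext Basic auth, weak password, end-of-life server banner), the weak-password list and the EOL banner table are all constructed assumptions standing in for the product's built-in rule set.

```python
"""Toy passive vulnerability scanner (added example, not the Athena NGFW engine).

A passive scan never sends a packet to the asset. It only reads traffic that
already crosses the device and matches it against built-in rules. Here the
traffic is a constructed list of HTTP exchanges and the three rules are
illustrative assumptions.
"""
import base64
from dataclasses import dataclass


@dataclass
class Exchange:
    src: str       # client address
    dst: str       # server (asset) address
    dport: int     # server port
    request: str   # raw HTTP request head (constructed)
    response: str  # raw HTTP response head (constructed)


@dataclass(frozen=True)
class Finding:
    asset: str
    rule: str
    severity: str
    detail: str


# Assumption: banner prefixes this toy rule set treats as end-of-life.
EOL_BANNERS = {"Apache/2.2": "httpd 2.2 is end-of-life"}
# Assumption: tiny weak-password list standing in for a real dictionary.
WEAK_PASSWORDS = {"admin", "password", "123456"}


def parse_head(msg):
    """Return (start line, {lowercase header: value}) for a raw HTTP head."""
    lines = msg.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def scan(exchanges):
    """Match observed exchanges against the rules; emits no packets."""
    findings = []
    for ex in exchanges:
        asset = f"{ex.dst}:{ex.dport}"
        _, req_h = parse_head(ex.request)
        _, resp_h = parse_head(ex.response)

        # Rules 1 and 2: Basic credentials on a non-TLS port are readable by
        # anyone on the path, so decode them and also check for a weak password.
        auth = req_h.get("authorization", "")
        if auth.lower().startswith("basic ") and ex.dport != 443:
            try:
                user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                user, pwd = "?", ""
            findings.append(Finding(asset, "cleartext-basic-auth", "medium",
                                    f"user {user!r} authenticates over plaintext HTTP"))
            if pwd in WEAK_PASSWORDS:
                findings.append(Finding(asset, "weak-password", "high",
                                        f"user {user!r} uses a dictionary password"))

        # Rule 3: the Server banner reveals an end-of-life product line.
        banner = resp_h.get("server", "")
        for prefix, why in EOL_BANNERS.items():
            if banner.startswith(prefix):
                findings.append(Finding(asset, "eol-software", "high", f"{banner}: {why}"))
    return findings


def report(findings):
    """Group findings per asset, highest severity first (a SOC-style view)."""
    order = {"high": 0, "medium": 1, "low": 2}
    grouped = {}
    for f in sorted(findings, key=lambda f: order[f.severity]):
        grouped.setdefault(f.asset, []).append(f)
    return grouped


def basic_header(user, pwd):
    """Build an Authorization header for the constructed sample traffic."""
    token = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    return f"Authorization: Basic {token}"


# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    Exchange("203.0.113.5", "10.0.0.10", 80,
             "GET /admin HTTP/1.1\r\nHost: intranet.example\r\n" + basic_header("admin", "123456"),
             "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15\r\nContent-Type: text/html"),
    Exchange("203.0.113.6", "10.0.0.11", 443,
             "GET / HTTP/1.1\r\nHost: shop.example\r\n" + basic_header("alice", "S3cure!pass"),
             "HTTP/1.1 200 OK\r\nServer: nginx"),
]

if __name__ == "__main__":
    for asset, items in report(scan(SAMPLE)).items():
        print(asset)
        for f in items:
            print(f"  [{f.severity}] {f.rule}: {f.detail}")
```

Only the first exchange produces findings: the second one uses TLS (port 443), so its credentials are not exposed on the wire, and its banner is not on the EOL list. A real engine would additionally correlate findings per asset over time and attach remediation text, which is what the SOC report page shows.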

Click Next to go to the Protection step. See the figure below.

[Figure: screenshot]

Basic Protection (For All Scenarios):

Intrusion Prevention: Select whether to enable Intrusion Prevention and choose the intrusion prevention template to apply. It identifies attacks that exploit system vulnerabilities and application vulnerabilities, as well as brute-force attacks on accounts.

Content Security (AI-based Engine Zero file verification): Select whether to enable Content Security and choose the content security policy template to apply. This option covers three functions, mail security, URL filtering, and file security, which together identify and defend against threats carried in network communication content.

Action: Set whether to allow or deny data packets that match the defined rules. If you select Allow, matching packets are only inspected and never denied, so the policy runs in detection-only mode. If you select Deny, each matching packet is denied or allowed according to the action defined for the matching rule in the rule database.

Advanced Protection (For Server Scenario):

[Figure: screenshot]

Web App Firewall: Select whether to enable Web App Firewall and choose the related default template. It is a website protection policy designed specifically for web servers and prevents attacks targeting web applications, such as system command injection, SQL injection, and XSS.

Click Next to go to the Detection and Response step. See the figure below.

[Figure: screenshot]

Detection (For All Scenarios):

Botnet Detection: Select whether to enable Botnet Detection and choose the default template.

Local DNS Server Exists: Select this if a local DNS server resolves names on behalf of LAN hosts. In that case the device only sees DNS queries coming from the DNS server, not from the host that asked. When a malicious domain name is detected, its resolution is redirected: the IP address obtained by resolving the malicious domain is replaced with the configured redirect IP address, so that access to that address can be monitored and the IP address of the real host in the LAN infected by the botnet can be located.
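
The following simulation is an added example, not Athena NGFW code, showing why the redirect is needed when a local DNS server exists. A recursive resolver forwards queries with its own source address, so a purely domain-based detection can only attribute the query to the resolver; rewriting the answer to a monitored redirect address makes the infected host reveal itself by the connection it opens next. The host, resolver and redirect addresses, the domain and the assumption that the resolved C2 address is not itself on any blocklist are all constructed.

```python
"""Botnet host localization via DNS redirect (added example, not Athena NGFW
code). Addresses use RFC 5737 / RFC 1918 ranges and an RFC 2606 domain; all
are constructed for the simulation.
"""

RESOLVER_IP = "10.0.0.53"
REDIRECT_IP = "192.0.2.100"          # assumption: a monitored sinkhole address behind the firewall
MALICIOUS_DOMAINS = {"c2.example.invalid"}
# Assumption: the C2 address is not on any IP blocklist, so only the domain
# lookup is recognizable (typical when C2 addresses change frequently).
UPSTREAM_ANSWERS = {"c2.example.invalid": "198.51.100.7",
                    "www.example.com": "203.0.113.9"}


class Firewall:
    """Perimeter device: sees resolver-to-Internet DNS and host-initiated flows."""

    def __init__(self, redirect_ip=None):
        self.redirect_ip = redirect_ip
        self.events = []

    def dns_response(self, querier, domain, answer):
        """Inspect a DNS answer on its way back in; rewrite it if redirecting."""
        if domain in MALICIOUS_DOMAINS:
            # 'querier' is whoever sent the upstream query: with a local DNS
            # server this is the resolver, never the infected host.
            self.events.append(("malicious-dns", querier, domain))
            if self.redirect_ip:
                return self.redirect_ip
        return answer

    def connection(self, src, dst):
        """Inspect a new flow; a hit on the redirect address pins the real host."""
        if self.redirect_ip and dst == self.redirect_ip:
            self.events.append(("redirect-hit", src, dst))

    def suspected_hosts(self):
        """Addresses an analyst would attribute the infection to."""
        hits = {src for kind, src, _ in self.events if kind == "redirect-hit"}
        if hits:
            return hits
        return {q for kind, q, _ in self.events if kind == "malicious-dns"}


class LocalResolver:
    """Caching recursive resolver inside the LAN."""

    def __init__(self, firewall):
        self.fw = firewall
        self.cache = {}

    def resolve(self, domain):
        if domain not in self.cache:
            # The upstream query leaves with the resolver's own source address.
            self.cache[domain] = self.fw.dns_response(RESOLVER_IP, domain,
                                                      UPSTREAM_ANSWERS[domain])
        return self.cache[domain]


def infected_host_contacts_c2(firewall, host_ip="10.0.0.7"):
    """Simulate one LAN host resolving its C2 domain and then connecting to it."""
    resolver = LocalResolver(firewall)
    target = resolver.resolve("c2.example.invalid")
    firewall.connection(host_ip, target)
    return target


def locate(redirect):
    """Run the scenario with or without the redirect and return suspected hosts."""
    fw = Firewall(REDIRECT_IP if redirect else None)
    infected_host_contacts_c2(fw)
    return fw.suspected_hosts()


if __name__ == "__main__":
    print("without redirect:", locate(False))   # only the resolver is visible
    print("with redirect:   ", locate(True))    # the infected host is pinned
```

Without the redirect the only attributable address is the resolver's, which is why the page says the option exists to locate the real infected host rather than the DNS server.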

Response (For All Scenarios):

Log events: Check Log events. Then, the triggered attacks will be logged in the security logs.

[Figure]

IP Blocking: Click Settings and select Enable IP blocking. Then, when an attack is detected, the intrusion prevention rules, WAF rules, or content security module block the source IP address of the attack.

[Figure: screenshot]


1. Block IP addresses initiating high-threat attacks: A high-level rule applied to intrusion prevention, WAF, and DoS events.

2. Block IP addresses initiating any attacks: The correlated block is triggered by any "blocking" event from intrusion prevention, WAF, or DoS.

3. Sources that trigger IPS password brute-force detection, WAF vulnerability anti-scanning, CC attack detection, backdoor anti-scanning, or DDoS attack detection are blocked automatically, even if IP Blocking is not enabled.
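
The following is an added example, not Athena NGFW code, that turns the three numbered behaviours above (and the Allow/Deny action semantics from the Protection step) into a small decision routine run over constructed security-log events. Its interpretation is an assumption: "high-threat" is read as severity high from IPS, WAF or DoS; "any attacks" is read as an event whose module action was blocked, so a policy in Allow (detection-only) mode never feeds that rule; and the attack categories from item 3 are blocked regardless of the IP Blocking setting. Attack-type names, the 30-minute block duration and all addresses are constructed.

```python
"""Correlated block decision logic (added example, not Athena NGFW code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

CORRELATING_MODULES = {"IPS", "WAF", "DoS"}
# Attack categories that item 3 says are blocked automatically (names constructed).
AUTO_BLOCK_TYPES = {"password-brute-force", "waf-vuln-scan", "cc-attack",
                    "backdoor-scan", "ddos"}


@dataclass(frozen=True)
class Event:
    time: datetime
    module: str       # IPS, WAF, DoS, ...
    attack_type: str  # constructed category name
    severity: str     # low / medium / high
    action: str       # 'blocked' (Deny) or 'detected' (Allow, detect-only)
    src_ip: str


def correlated_block(events, ip_blocking_enabled, mode, block_minutes=30):
    """Return {src_ip: (reason, expires_at)} for sources that get blocked.

    mode is 'high-threat' (item 1) or 'any' (item 2); item 3 always applies.
    The first qualifying event for a source decides the reason and expiry.
    """
    blocked = {}
    for ev in sorted(events, key=lambda e: e.time):
        reason = None
        if ev.attack_type in AUTO_BLOCK_TYPES:
            reason = f"auto: {ev.attack_type}"                    # item 3
        elif ip_blocking_enabled and ev.module in CORRELATING_MODULES:
            if mode == "high-threat" and ev.severity == "high":
                reason = f"high-threat {ev.module} event"         # item 1
            elif mode == "any" and ev.action == "blocked":
                reason = f"blocking {ev.module} event"            # item 2
        if reason and ev.src_ip not in blocked:
            blocked[ev.src_ip] = (reason, ev.time + timedelta(minutes=block_minutes))
    return blocked


def active_blocks(blocked, now):
    """Sources whose temporary block has not yet expired at `now`."""
    return {ip for ip, (_, expires) in blocked.items() if expires > now}


# Constructed security-log events (not from any real device).
T0 = datetime(2025, 12, 25, 10, 0)
SAMPLE_EVENTS = [
    Event(T0, "IPS", "remote-code-exec", "high", "blocked", "203.0.113.10"),
    Event(T0 + timedelta(minutes=1), "WAF", "xss", "medium", "blocked", "203.0.113.11"),
    # Same high-severity signature, but the policy action was Allow (detect-only):
    Event(T0 + timedelta(minutes=2), "IPS", "remote-code-exec", "high", "detected", "203.0.113.12"),
    Event(T0 + timedelta(minutes=3), "DoS", "ddos", "high", "blocked", "203.0.113.14"),
    # Low severity and detect-only, yet in the auto-block category:
    Event(T0 + timedelta(minutes=4), "WAF", "waf-vuln-scan", "low", "detected", "203.0.113.15"),
]

if __name__ == "__main__":
    for enabled, mode in [(False, "any"), (True, "high-threat"), (True, "any")]:
        result = correlated_block(SAMPLE_EVENTS, enabled, mode)
        print(f"IP blocking={'on' if enabled else 'off'} mode={mode}")
        for ip, (reason, expires) in result.items():
            print(f"  {ip}: {reason} (until {expires:%H:%M})")
```

The sample shows the practical difference between the two modes: the detect-only IPS hit on 203.0.113.12 is blocked under "high-threat" but not under "any", while the two auto-block categories are blocked in every configuration, including with IP Blocking switched off.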

6.3.1.1.1.1 Configuration Example of Passive Vulnerability Scan, WAF, IPS, and LAN Security

An enterprise uses a web server to provide services over the internet and frequently suffers malicious attacks from the internet that disrupt the service. To ensure service continuity, deploy a Network Secure device to block internet attacks and protect the services. In addition, carry out a risk analysis of the server's vulnerabilities to detect the risks present on the server.

[Figure: deployment diagram]

Step 1. (Optional) Create intrusion prevention, content security, web application firewall, botnet detection, and network object templates in advance, so that the policy for server scenarios can reference them and they can be adjusted later without editing the policy.

Step 2. On the Policies page, click Add and select Policy for Server Scenario. In the Add Policy for Server Scenario dialog box, enter the source IP address, zone, and other information, as shown in the following figure.

[Figure: screenshot]

Step 3. Click Next to go to the Risk Assessment step, as shown in the following figure.

[Figure: screenshot]

Step 4. Click Next, set the Intrusion Prevention, Content Security (AI-based Engine Zero file verification), and Web App Firewall parameters, and set the action to block the attack behavior, as shown in the following figure.

[Figure: screenshot]

Step 5. Click Next to set the Botnet Detection and IP Blocking parameters, as shown in the following figure.

[Figure: screenshot]

Step 6. After the configuration is complete, view the result on the Policies page.

[Figure: screenshot]

Step 7. To verify the policy, use the Xhack tool to simulate attacks against the LAN server from the internet.

Step 8. On the Security Logs page, view the malicious attacks detected by the WAF, IPS, and botnet detection modules, as shown in the following figure.

[Figure: screenshot]

Step 9. To view the passive vulnerability scan result, navigate to SOC > Business Asset Security > Passive Vulnerability Scan, as shown in the following figure.

[Figure: screenshot]