Unit 5 Protection Groups

ARBOR

Uploaded by

Sergi Eduardo
Pravail APS 2.0 Certification Training
Unit 5
Protection Groups

Pravail
Objectives

At the conclusion of this unit you should be able to:

• Describe Protection Groups
• Display information relating to Protection Groups
• Describe the information that is displayed for a Protection Group
• Configure a Protection Group

Page 2 - Company Confidential


Protection Groups

• Protection Groups
• Protection Group Pages
• Protection Group Configuration



Protection Groups

A protection group represents one or more hosts that need protection
• Each protection group is associated with:
– A server type
– One or more servers of that type
• Server type
– There are four server types:
• Web Server
• DNS Server
• VOIP Server
• Generic Server
– Each server type can be associated with multiple protection groups
– The server type determines which settings are available for that protection group and which application-specific data is collected and displayed for that group
– All groups of the same server type share the same Protection Settings



Protection Groups (Cont.)

• Protection Groups are associated with the following items
– Protected Hosts
• The list of internal hosts to be protected
– Defined by IP address, prefix, a set of prefixes, or a domain name
– Server Type
• The server type of the Group
• Defines the Protection Settings available for the group
– Protection Settings
• Each Server Type has its own set of Protection Settings
• The criteria by which Pravail APS distinguishes legitimate traffic from attack traffic
– Protection Categories
• Protection Settings are organized into categories
– E.g., a Web server protection group contains the HTTP categories of settings, which detect HTTP-based attacks



Default Protection Group

The Default Protection Group is preconfigured and enabled on Pravail APS out of the box
• It cannot be removed or modified
• It is configured to protect all hosts
– Protected Prefix is always 0.0.0.0/0
• The Default Protection Group is associated with the Generic Server Type
– Contains nearly all of the protection settings and protects against most attacks
• Use the Default Protection Group exclusively or create custom protection groups to protect a specific server or a group of servers
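Added example (not from the training deck and not Arbor's code): a small Python model of the protection group table described on the last few slides, with the fields the Add Protection Group form asks for (name, description, protected prefixes, server type). It shows how a destination host resolves to a group, why the Default group's 0.0.0.0/0 prefix guarantees every IPv4 host is covered, and why that group cannot be removed. Longest-prefix match for overlapping prefixes, and every category name other than "HTTP", are assumptions made for this example.

```python
from ipaddress import ip_address, ip_network

# The four server types named on the slides, mapped to the protection
# categories assumed to come with each. Only "HTTP" for Web Server is taken
# from the page; the other category names are placeholders for this example.
SERVER_TYPE_CATEGORIES = {
    "Web Server": ["HTTP"],
    "DNS Server": ["DNS"],
    "VOIP Server": ["SIP"],
    "Generic Server": ["Generic"],
}


class ProtectionGroup:
    """A group of protected hosts with one server type and one or more prefixes."""

    def __init__(self, name, server_type, prefixes, description=""):
        if server_type not in SERVER_TYPE_CATEGORIES:
            raise ValueError(f"unknown server type: {server_type!r}")
        self.name = name
        self.description = description
        self.server_type = server_type
        # strict=False accepts a bare host such as "203.0.113.53" as a /32
        self.prefixes = [ip_network(p, strict=False) for p in prefixes]

    @property
    def categories(self):
        # Settings are per server type, so every group of one type shares them.
        return SERVER_TYPE_CATEGORIES[self.server_type]


class ProtectionGroupTable:
    """Holds the Default group plus operator-created groups."""

    DEFAULT_NAME = "Default Protection Group"

    def __init__(self):
        self.groups = {
            self.DEFAULT_NAME: ProtectionGroup(
                self.DEFAULT_NAME, "Generic Server", ["0.0.0.0/0"])
        }

    def add(self, group):
        if group.name in self.groups:
            raise ValueError(f"group {group.name!r} already exists")
        self.groups[group.name] = group

    def remove(self, name):
        # The Default group cannot be removed or modified.
        if name == self.DEFAULT_NAME:
            raise PermissionError("the Default Protection Group cannot be removed")
        del self.groups[name]

    def group_for(self, dest_ip):
        """Pick the group whose protected prefix most specifically covers dest_ip.
        Longest-prefix match is an assumption for overlapping prefixes; the
        Default group's 0.0.0.0/0 guarantees a match for any IPv4 host."""
        addr = ip_address(dest_ip)
        best, best_len = None, -1
        for group in self.groups.values():
            for net in group.prefixes:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = group, net.prefixlen
        return best


if __name__ == "__main__":
    table = ProtectionGroupTable()
    table.add(ProtectionGroup("Corp Web", "Web Server", ["203.0.113.0/24"]))
    table.add(ProtectionGroup("Corp DNS", "DNS Server", ["203.0.113.53"]))
    for host in ("203.0.113.53", "203.0.113.10", "198.51.100.7"):
        g = table.group_for(host)
        print(host, "->", g.name, g.server_type, g.categories)
```

The host that sits inside both the /24 and the /32 lands in the DNS group, everything else in the /24 lands in the Web group, and a host outside every custom prefix still gets the Default group's Generic protections.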



Protection Groups

• Protection Groups
• Protection Group Pages
• Protection Group Configuration



Protection Groups Summary
Summary: Protection Groups widget

Select a Protection Group to view from the Summary page



Protection Group View
Protection Groups

• Single-glance overview of protection group performance



Protection Group View – Controls
Protection Groups

Select various settings for the display of information for this protection group
Shows server type
Select time period for all data
Select to display bytes or packets



Protection Group View – Custom Report Period
Protection Groups

Button for custom report period
Default is 1 hour
Custom report period
Apply custom report period



Protection Group View – Group Information
Protection Groups

Amount of time that protection group has been configured
Click to view or modify server type protection settings

• The server type for a protection group cannot be changed after protection group creation
• Clicking on the Server Type link brings you to the settings for that protected service



Traffic Details
Protection Groups

• Clearly shows relative amounts of traffic being passed and blocked for this protection group



Attack Preventions – Blocked Traffic
Protection Groups: Blocked Traffic

Click for more info

• Shows why traffic is blocked on Invalid Packets
– How much traffic is blocked by each Attack Prevention

Protection Group View – Blocked Traffic (Cont.)
Protection Groups: Blocked Traffic

Click again to hide details

• Amount of detailed information varies for different protection types
– Some preventions have no details



Protection Group View – Blocking Breakdown
Protection Groups: Blocked Traffic

• AIF preventions appear in same breakdown format
• “Details” include stats for low / medium / high matching
– AIF is always matching all rules at all protection levels
– Only way to know how protection level affects AIF matching
– AIF differs from other protections by having cumulative level enabling
• All rules at set level and below are active
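Added example (written for this page, not Arbor's AIF implementation) of the two AIF behaviours the slide singles out: cumulative enabling, where every rule at the configured level and below is active, and the "Details" counters, which keep counting matches at every level because AIF evaluates all rules regardless of the configured level. The rule names and the hit list are constructed for the example; the projection function is the reasoning an operator does with the low / medium / high counters before raising the level.

```python
LEVELS = ("low", "medium", "high")

# Constructed AIF-style rules for the example: rule name -> level at which it
# becomes active. Names are made up; real AIF rule names are not on the page.
RULES = {
    "aif-rule-a": "low",
    "aif-rule-b": "low",
    "aif-rule-c": "medium",
    "aif-rule-d": "high",
}


def active_rules(configured_level):
    """Cumulative enabling: every rule at the configured level and below is active."""
    limit = LEVELS.index(configured_level)
    return {name for name, lvl in RULES.items() if LEVELS.index(lvl) <= limit}


def aif_details(hits, configured_level):
    """hits: constructed list of rule names, one entry per packet that matched a rule.

    AIF evaluates all rules whatever the configured level, so the per-level
    'matched' counters fill up even for levels that are not enabled; only hits
    on active rules count as 'blocked'."""
    active = active_rules(configured_level)
    details = {lvl: {"matched": 0, "blocked": 0} for lvl in LEVELS}
    for rule in hits:
        lvl = RULES[rule]
        details[lvl]["matched"] += 1
        if rule in active:
            details[lvl]["blocked"] += 1
    return details


def projected_blocked(details, candidate_level):
    """Estimate from the matched counters how many hits would be blocked if the
    protection level were changed to candidate_level (levels are cumulative)."""
    limit = LEVELS.index(candidate_level)
    return sum(details[lvl]["matched"] for lvl in LEVELS[: limit + 1])


if __name__ == "__main__":
    # Constructed traffic sample: 5 hits on a low rule, 3 on medium, 2 on high.
    sample_hits = ["aif-rule-a"] * 5 + ["aif-rule-c"] * 3 + ["aif-rule-d"] * 2
    details = aif_details(sample_hits, "medium")
    for lvl in LEVELS:
        print(lvl, details[lvl])
    print("blocked if raised to high:", projected_blocked(details, "high"))
```

With the level set to medium, the high row shows 2 matched and 0 blocked: the counters reveal that raising the level to high would block those 2 additional hits, which is exactly the "only way to know how protection level affects AIF matching" point on the slide.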



Web Traffic by URL – Top URLs
Protection Groups: Web Traffic by URL

Protection Group Web traffic breakdown by URL
• Hover cursor over any part of URL for full URL
• Block buttons can be used to block specific URLs
• “Other” is sum of traffic not shown by other entries, not “unknown”
– Appears at bottom of many traffic breakdowns



Web Traffic by Domain – Top Domains
Protection Groups: Web Traffic by Domain

Protection Group Web traffic breakdown by domain
• Displays the 10 domain destinations with the highest amounts of traffic
• Block buttons can be used to block specific domains
– May have been identified as part of an attack vector



IP Location – Top Countries
Protection Groups: IP Location

• Traffic Breakdown by Country
– Passed Traffic
– Blocked Traffic
– Percent of total represented by this Country
• Hover over Graph to expand
• Use Block buttons to block specific Country sources
– A specific Country may have been identified as part of an attack
– Before blocking you should understand typical volume of legitimate traffic from that country



IP Location – Blocked Country
Protection Groups: IP Location

Those two countries are now blocked

• If there is typically some legitimate traffic from these countries they can be unblocked after the attack has ended
IP Location – Blocked Country (Cont.)
Administration > Protection Groups

While blocked, those two countries now appear on the permanent blacklist

• The countries can be unblocked from here
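Added example, not from the deck and not Arbor's code, for the IP Location slides: it builds the Passed / Blocked / Percent-of-total breakdown per country from constructed flow records, and then applies the "understand the typical volume of legitimate traffic from that country before blocking" check by comparing the attack-period breakdown against a quiet baseline period. The flow records, the country codes and both thresholds are constructed for the example; the product's own decision logic is not described on the page.

```python
from collections import defaultdict

# Constructed flow summaries: (source_country, bytes, verdict).
BASELINE_FLOWS = [  # a quiet period before the attack, all passed
    ("US", 9_000, "passed"), ("DE", 3_000, "passed"),
    ("BR", 1_500, "passed"), ("NL", 100, "passed"),
]
ATTACK_FLOWS = [  # the attack window; BR and NL sources are mostly blocked
    ("US", 9_500, "passed"), ("US", 500, "blocked"),
    ("DE", 2_800, "passed"), ("DE", 200, "blocked"),
    ("BR", 1_000, "passed"), ("BR", 40_000, "blocked"),
    ("NL", 200, "passed"), ("NL", 30_000, "blocked"),
]


def country_breakdown(flows):
    """Per-country passed and blocked bytes plus percent of total traffic,
    the three columns of the Top Countries widget."""
    per = defaultdict(lambda: {"passed": 0, "blocked": 0})
    total = 0
    for country, nbytes, verdict in flows:
        per[country][verdict] += nbytes
        total += nbytes
    for stats in per.values():
        share = (stats["passed"] + stats["blocked"]) / total if total else 0.0
        stats["percent"] = round(100 * share, 1)
    return dict(per)


def top_countries(flows, n=10):
    """Countries ordered by total traffic, as the widget lists them."""
    per = country_breakdown(flows)
    return sorted(per, key=lambda c: per[c]["passed"] + per[c]["blocked"],
                  reverse=True)[:n]


def legitimate_share(baseline_flows, country):
    """Fraction of baseline passed bytes that normally come from `country`."""
    per = country_breakdown(baseline_flows)
    total_passed = sum(s["passed"] for s in per.values())
    if total_passed == 0:
        return 0.0
    return per.get(country, {"passed": 0})["passed"] / total_passed


def block_candidates(attack_flows, baseline_flows,
                     min_blocked_share=0.5, max_legit_share=0.05):
    """Split countries whose attack-period traffic is mostly blocked into those
    cheap to block (little legitimate traffic in the baseline) and those that
    need a closer look first. Both thresholds are assumptions for this example."""
    per = country_breakdown(attack_flows)
    cheap, review = [], []
    for country, s in per.items():
        total = s["passed"] + s["blocked"]
        if not total or s["blocked"] / total < min_blocked_share:
            continue
        if legitimate_share(baseline_flows, country) <= max_legit_share:
            cheap.append(country)
        else:
            review.append(country)
    return sorted(cheap), sorted(review)


if __name__ == "__main__":
    for c in top_countries(ATTACK_FLOWS):
        print(c, country_breakdown(ATTACK_FLOWS)[c])
    print("block:", block_candidates(ATTACK_FLOWS, BASELINE_FLOWS))
```

In the constructed data both BR and NL are almost entirely blocked during the attack, but BR normally carries about 11% of legitimate traffic while NL carries under 1%, so only NL comes out as a cheap block and BR is flagged for review; if blocked anyway, it is the kind of entry to remove from the permanent blacklist once the attack ends.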



Services – Top Services
Protection Groups: Services

Top Services displays the 10 destination services/protocols/ports that have the highest amounts of traffic

Traffic that is unexpected could represent a part of an attack



Temporarily Blocked Sources – Top Blocked Hosts
Protection Groups: Top Temporarily Blocked Hosts

• Top 10 offenders are listed
• Temporarily Blocked Sources are dynamically added and removed by preventions
– Host will automatically be removed from the list when/if it behaves normally
• While a host is temporarily blocked, all traffic from that source is blocked for ALL Protection Groups
– Manual additions to temporary blocking not supported
– Permanent blocking requires manual interaction
– Legitimate hosts can be unblocked here
• Adds host to the permanent whitelist



Protection Groups

• Protection Groups
• Protection Group Pages
• Protection Group Configuration



Configure a Protection Group
Protection Groups

From the List Protection Groups page you can
• View Configured Protection Groups
– Group Name
– Traffic Passed and Blocked
– Protected Prefixes
– Server Type
– Status
• Configure a new Protection Group
– Click on Add Protection Group

Configure a Protection Group (Cont.)
Protection Groups

To Add a Protection Group:
• Enter a meaningful Group Name and Group Description
• Enter Protected Hosts prefix(es)
• Select the Server Type
– Web Server
– DNS Server
– VOIP Server
– Generic Server
• Click Add



Configure a Protection Group (Cont.)
Protection Groups

The View Protection Group page for the new group is displayed
• The new group inherits the Server-specific protections
– In this example, the new group will have DNS Protections
– Server-specific protection settings will be covered later



Configure a Protection Group (Cont.)
Summary

The new group appears on the Summary page as well


