Threat Prevention

From Edge Threat Management Wiki - Arista
Other Links:
Threat Prevention Description Page
Threat Prevention Demo
Threat Prevention Forums
Threat Prevention Reports
Threat Prevention FAQs
About Threat Prevention

Threat Prevention blocks potentially harmful traffic from entering or exiting the network. This app can prevent cyber attacks to your servers (e.g. web, VoIP, and email). It is also useful to prevent data loss in case users mistakenly try to connect to a phishing site or other type of malicious host.

Threat Prevention uses Threat Intelligence technology managed by Webroot BrightCloud®. It works by querying the BrightCloud® service for the reputation score and historical data of each IP address or URL. Based on the rating of the IP address or URL, the session may be blocked. By default, the Threat Prevention app blocks sessions with a "High Risk" rating. IP addresses or URLs rated as High Risk may be associated with the following types of attacks:

  • Spam Sources - IP addresses involved in tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities.
  • Windows Exploits - IP addresses participating in the distribution of malware, shell code, rootkits, worms or viruses for Windows platforms.
  • Web Attacks - IP addresses using cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force attacks to target vulnerabilities on a web server.
  • Botnets - IP addresses acting as Botnet Command and Control (C&C) centers, and infected zombie machines controlled by the C&C servers.
  • Denial of Service - The Denial of Service category includes DOS, DDOS, anomalous sync flood, and anomalous traffic detection.
  • Scanners - IP addresses involved in unauthorized reconnaissance activities such as probing, host scanning, port scanning and brute force login attempts.
  • Phishing - IP addresses hosting phishing sites and sites related to other kinds of fraudulent activities.
  • TOR Proxy - IP addresses acting as exit nodes for the TOR Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.
  • Proxy - IP addresses providing proxy services, including both VPN and open web proxy services.
  • Mobile Threats - Denial of service, packet sniffing, address impersonation, and session hijacking.

Settings

This section reviews the different settings and configuration options available for Threat Prevention.


Status

The Status screen shows the running state of Threat Prevention and relevant Metrics such as the number of blocked sessions and high risk threats.

Threats

In the Threats tab you can specify the threshold for IP Address and URL threats. The recommended and default Reputation Threshold is "High Risk". By moving the slider to the left you can choose to block more traffic; however, this may increase the number of false positives. As you move the slider, a description appears that provides more detail on what type of sessions apply to each threshold level.

Rules

The Rules tab allows you to specify rules to Block, Pass or Flag traffic that crosses the Untangle.

The Rules documentation describes how rules work and how they are configured. Threat Prevention uses rules to determine whether to block or pass a specific session, and whether the session is flagged. Flagging a session marks it in the logs for review in the event logs or reports, but has no direct effect on the network traffic.

Typically Untangle is installed as a NAT/gateway device, or behind another NAT/gateway device in bridge mode. In this scenario all inbound sessions are blocked by NAT except those explicitly allowed with port forwards. Because of this, Threat Prevention does not block anything by default. It is up to you to decide the best fit for your network: whether you only want to block specific ports, or you want to block everything and allow only a few services.


Rule Actions

  • Pass: Allows the traffic which matched the rule to flow.
  • Block: Blocks the traffic which matched the rule.

Additionally, a session can be flagged. If Flag is checked, the event is flagged for easier viewing in the event log. Flag is always enabled if the action is Block.
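The following is an added illustration of how the Threats threshold and the Rules actions described above combine into a per-session decision. It is not Untangle or Arista code and it is not the BrightCloud API: the numeric score bands, the rule-then-threshold evaluation order, the session fields, the IP addresses and the reputation values are all constructed for the example. The one behaviour it takes directly from this page is that a Block action always sets Flag.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Reputation bands, lowest score = riskiest. The labels follow the slider
# levels on this page; the numeric cut-offs are constructed for the example
# and are NOT BrightCloud's published values.
THRESHOLDS: Dict[str, int] = {
    "High Risk": 20,       # default and recommended level
    "Suspicious": 40,      # slider moved left: blocks more, more false positives
    "Moderate Risk": 60,
}


@dataclass
class Rule:
    """One Threat Prevention style rule: a predicate over the session plus an action."""
    name: str
    match: Callable[[dict], bool]
    action: str            # "pass" or "block"
    flag: bool = False     # record the hit for the event log / reports

    def __post_init__(self) -> None:
        if self.action not in ("pass", "block"):
            raise ValueError(f"unknown action {self.action!r}")
        # Page behaviour: Flag is always enabled if the action is Block.
        if self.action == "block":
            self.flag = True


@dataclass
class Decision:
    action: str
    flagged: bool
    reason: str


def evaluate(session: dict, reputation: int, rules: List[Rule],
             threshold: str = "High Risk") -> Decision:
    """Decide pass/block and flagging for one session.

    Assumed order (not stated on the page): explicit rules are checked first,
    top to bottom, first match wins; if none match, the reputation score is
    compared against the selected threshold band.
    """
    for rule in rules:
        if rule.match(session):
            return Decision(rule.action, rule.flag, f"rule '{rule.name}'")
    cutoff = THRESHOLDS[threshold]
    if reputation <= cutoff:
        return Decision("block", True,
                        f"reputation {reputation} within '{threshold}' band (<= {cutoff})")
    return Decision("pass", False, f"reputation {reputation} above threshold")


def tally(decisions: List[Decision]) -> Dict[str, int]:
    """Status-screen style metrics: blocked sessions and flagged events."""
    return {
        "blocked": sum(1 for d in decisions if d.action == "block"),
        "flagged": sum(1 for d in decisions if d.flagged),
    }


# Constructed rule set: pass the internal resolver's DNS traffic without
# flagging, and block (hence flag) inbound sessions to the SSH port.
RULES = [
    Rule("allow internal DNS",
         lambda s: s["dst_port"] == 53 and s["dst"] == "192.0.2.53", "pass"),
    Rule("block inbound SSH",
         lambda s: s["direction"] == "inbound" and s["dst_port"] == 22, "block"),
]

# Constructed sessions (documentation address ranges) paired with constructed scores.
SAMPLE = [
    ({"src": "10.0.0.5", "dst": "192.0.2.53", "dst_port": 53, "direction": "outbound"}, 5),
    ({"src": "198.51.100.7", "dst": "10.0.0.1", "dst_port": 22, "direction": "inbound"}, 95),
    ({"src": "10.0.0.9", "dst": "203.0.113.40", "dst_port": 443, "direction": "outbound"}, 12),
    ({"src": "10.0.0.9", "dst": "203.0.113.80", "dst_port": 443, "direction": "outbound"}, 35),
]


def run(threshold: str = "High Risk") -> List[Decision]:
    """Evaluate every sample session under the given threshold level."""
    return [evaluate(s, rep, RULES, threshold) for s, rep in SAMPLE]


if __name__ == "__main__":
    for (s, rep), d in zip(SAMPLE, run()):
        print(f"{s['src']} -> {s['dst']}:{s['dst_port']} rep={rep}: "
              f"{d.action} flag={d.flagged} ({d.reason})")
    print(tally(run()))
```

Running `run()` with the default "High Risk" level blocks the inbound SSH session (rule) and the score-12 destination (threshold) while passing the score-35 one; re-running with `run("Suspicious")` models moving the slider left, and the score-35 session is now blocked too, which is the false-positive trade-off the Threats tab describes.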

Reports

ThreatPrevention Reports


Related Topics

User Guide


ThreatPrevention FAQs