SANGFOR NGAF V8.0.47 Associate 2022 07 Server Security


Sangfor NGAF v8.0.47 Associate

Server Security
1 Server Protection

2 Web App Protection

3 DLP

4 Server Access Verification

5 Ransomware Protection

6 Server Protection Case Study


1. Server Protection
Server Protection

Risks facing a server:

(1) Unwanted access (for example, only HTTP should be allowed)
(2) DDoS attacks, IP or port scanning, malformed-packet attacks
(3) Vulnerabilities (in the server operating system or in installed software)
(4) Brute-forcing of passwords and access privileges; SQL injection, etc.
(5) Website scanning and weak passwords
(6) Website defacement
Server Protection

Risk and the NGAF feature that addresses it:

(1) Unwanted access (for example, only HTTP should be allowed) -> Application Control
(2) DDoS attacks, IP or port scanning, malformed-packet attacks -> Firewall
(3) Vulnerabilities (in the server operating system or in installed software) -> IPS
(4) Brute-forcing of passwords and access privileges; SQL injection, etc. -> SG proxy
Server Security
Server Protection
Server protection is mainly used to prevent attacks from an untrusted zone (such as the Internet) on the
target server. Currently the NGAF focuses on protecting Web and FTP applications.

Server protection contains:

• Web App Protection: SQL injection, XSS attacks, Trojan horses, website scanning, webshells,
CSRF, OS command injection, file inclusion, path traversal, information disclosure and web site
vulnerabilities
• Application hiding: hides the application server version so that an attacker cannot pick an
exploit that matches the version information
• Password protection: prevents attackers from brute-forcing user passwords
• Privilege control: prevents malicious files from being uploaded to the protected URL path
• DLP: scans plain-text sensitive data served by the HTTP server, blocks the response when a data leak is
found, and filters downloads by file type
2. Web App Protection
Web App Protection Background
Taking the OWASP Top 10 project as an example, it lists the ten most serious web application security risks
faced by organizations. As can be seen from the figure below, injection and XSS have
consistently ranked near the top from 2007 to 2017.
OWASP Top 10-2017 (the ordering below is the 2017 Release Candidate 1; the final 2017 release differs: it
dropped CSRF, added XXE and Insecure Deserialization, and replaced A7/A10 with XSS and Insufficient Logging
& Monitoring)
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Broken Access Control (as found in the 2003/2004 edition)
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Insufficient Attack Detection and Protection (new)
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Underprotected APIs (new)
Web App Protection Definition
A Web Application Firewall (WAF), also known as Web Application Protection, is mainly used to protect the web
server from attacks that would interrupt the service or give an attacker remote control.

Which common attack types does the WAF cover?

1. SQL injection
2. XSS attack
3. Web Trojan horse
4. Website scanning
5. Webshell
6. CSRF
7. System command injection
8. File inclusion attack
9. Directory traversal attack
10. Information leakage attack
and so on.
Web App Protection - SQL Injection
SQL injection:
Inserting SQL syntax into a web form field, the query string of a URL, or a page request so that the
server is tricked into executing the attacker's SQL along with its own.

Where does the attack data appear?

Web data is generally submitted in one of two forms, GET and POST.

1. With GET the submitted content is visible directly in the URL, after URI (percent) encoding.

2. With POST the submitted content is not visible in the URL but sits in the body (data field) of the POST
request.
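The following is an added example, not code from the slide deck or from Sangfor. It shows the same injection payload arriving URI-encoded in a GET query string and in a POST body, then runs it against a string-concatenated query (the attack succeeds) and a parameterized query (it does not). The users table, the `login.php` URL and the host 192.0.2.10 are constructed for the example.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs


def make_db():
    """Constructed sample table (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: the quote in the input closes the literal, the rest is SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(r[0] for r in conn.execute(sql))


def login_parameterized(conn, name, password):
    """Bound parameters: the values never become part of the statement text."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(r[0] for r in conn.execute(sql, (name, password)))


def params_from_get(url):
    """GET: the payload is visible, URI-encoded, in the query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def params_from_post(body):
    """POST: the same encoding, carried in the request body instead of the URL."""
    return {k: v[0] for k, v in parse_qs(body).items()}


# Payload  ' OR '1'='1  as it appears on the wire (hypothetical login.php URL).
GET_URL = "http://192.0.2.10/login.php?name=x&password=%27+OR+%271%27%3D%271"
POST_BODY = "name=x&password=%27+OR+%271%27%3D%271"


def demo():
    """Returns (rows leaked by the vulnerable query, rows from the parameterized one)."""
    conn = make_db()
    get_p, post_p = params_from_get(GET_URL), params_from_post(POST_BODY)
    # Both forms decode to the identical parameter set; a WAF must decode before matching.
    assert get_p == post_p == {"name": "x", "password": "' OR '1'='1"}
    return (login_vulnerable(conn, **get_p), login_parameterized(conn, **post_p))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)   # every user, without a valid password
    print("parameterized query returned:", safe)  # nothing
```

The vulnerable statement becomes `... WHERE name = 'x' AND password = '' OR '1'='1'`, and because AND binds tighter than OR the condition is true for every row. The WAF catches this at the network edge; the parameterized version is the application-side fix that does not depend on signatures.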
Web App Protection
Information disclosure (DLP):
An information disclosure vulnerability results from improper handling of certain special files. By accessing
these files or paths, sensitive information about the web server such as usernames, passwords, source code,
server information and configuration information can be disclosed.
Common data leaks include:
1. Application error messages
2. Backup files
3. Web server default pages
4. Sensitive documents
5. Directory listings

Common causes of information disclosure:

1. A problem with the web server configuration
2. A vulnerability in the web server itself
3. Problems in the web site's scripts
4. Personnel issues
Common Attack Types
The most common attack types are enabled by default.

NGAF has predefined rules for these attacks, updated every week.
Web App Protection
Application hiding: hide FTP and HTTP server information

• Anti-scanning
• FTP and HTTP application hiding
• Hide specified fields in the HTTP response header (add the fields that need to be hidden)
• Replace the server error page
• Replace the request error page
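As an added example of what "application hiding" does on the wire (not the NGAF implementation), the function below strips version-bearing response headers and replaces 4xx/5xx bodies with a neutral page, with a companion function showing what a scanner would otherwise learn. The header list and the two sample responses are constructed assumptions.

```python
# Header fields that reveal product and version (the slide's "specified fields";
# the concrete list is an assumption for this example).
HIDDEN_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
GENERIC_ERROR_PAGE = "<html><body><h1>Request could not be processed</h1></body></html>"

# Constructed sample responses (not captured from any real server).
SAMPLE_500 = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.49 (Unix)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 72\r\n"
    "\r\n"
    "<b>Fatal error</b>: Uncaught Error in /var/www/html/index.php on line 12"
)
SAMPLE_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 12\r\n"
    "\r\n"
    "<p>hello</p>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers, body


def hide_application(raw):
    """Drop version headers; on 4xx/5xx also replace the body (stack traces and
    default error pages name the product) and fix Content-Length accordingly."""
    status_line, headers, body = parse_response(raw)
    status = int(status_line.split(" ", 2)[1])
    kept = [(n, v) for n, v in headers if n.lower() not in HIDDEN_HEADERS]
    if 400 <= status < 600:
        body = GENERIC_ERROR_PAGE
        kept = [(n, v) for n, v in kept if n.lower() != "content-length"]
        kept.append(("Content-Length", str(len(body.encode()))))
    head = "\r\n".join([status_line] + [f"{n}: {v}" for n, v in kept])
    return head + "\r\n\r\n" + body


def leaked_versions(raw):
    """What a scanner learns from the headers: every hidden-list value carrying a version."""
    _, headers, _ = parse_response(raw)
    return [v for n, v in headers if n.lower() in HIDDEN_HEADERS and "/" in v]


if __name__ == "__main__":
    print("before:", leaked_versions(SAMPLE_500))
    print("after: ", leaked_versions(hide_application(SAMPLE_500)))
```

Hiding the version does not remove the vulnerability; it only denies the attacker the shortcut of matching a banner to a known exploit, which is why the slide pairs it with IPS and WAF rather than offering it alone.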
Web App Protection
Password protection:

• Protects against password-cracking threats (NGAF only detects these; it does not deny them)
• Reduces security incidents and risks caused by weak passwords
• Regulates password management
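An added example of the detection half of password protection (this is not NGAF's detector): a sliding-window count of failed logins per source and account, run over constructed access-log lines. The window matters because a cracker that paces attempts a couple of minutes apart never trips a per-minute counter; the same idea covers the "slow brute-force detection" mentioned later for RDP and SMB. As on the slide, the function only reports; it does not block.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (not from the original page). Fields:
# timestamp, client IP, method, path, user, HTTP status (401 = wrong password).
LOG_LINES = """\
2022-07-01T10:00:01 203.0.113.7 POST /login user=admin status=401
2022-07-01T10:00:30 198.51.100.9 POST /login user=alice status=401
2022-07-01T10:01:02 198.51.100.9 POST /login user=alice status=200
2022-07-01T10:02:01 203.0.113.7 POST /login user=admin status=401
2022-07-01T10:04:01 203.0.113.7 POST /login user=admin status=401
2022-07-01T10:06:01 203.0.113.7 POST /login user=admin status=401
2022-07-01T10:08:01 203.0.113.7 POST /login user=admin status=401
2022-07-01T10:10:01 203.0.113.7 POST /login user=admin status=401
""".splitlines()


def parse_line(line):
    ts, ip, _method, _path, user, status = line.split()
    return (datetime.fromisoformat(ts), ip,
            user.split("=", 1)[1], int(status.split("=", 1)[1]))


def detect_password_cracking(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, user, time) for every source that reaches `threshold` failed
    logins against one account inside a sliding `window`. One attempt every two
    minutes (as in the sample) is invisible to a fixed per-minute counter but
    accumulates here. Detection only: the caller decides whether to deny."""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        ts, ip, user, status = parse_line(line)
        if status != 401:
            continue
        q = failures[(ip, user)]
        q.append(ts)
        while ts - q[0] > window:      # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, user, ts))
            q.clear()                  # one alert per burst, not one per attempt
    return alerts


if __name__ == "__main__":
    for ip, user, ts in detect_password_cracking(LOG_LINES):
        print(f"{ts.isoformat()} password cracking suspected from {ip} against '{user}'")
```

A user who fails once and then logs in (198.51.100.9 above) never appears; the source that keeps failing against `admin` is reported on its fifth attempt at 10:08:01.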
Web App Protection
Privilege Control

Maintenance sub-directories on the server can be protected so that user access to them is prohibited.
Conversely, a URL that the NGAF WAF denies can be added here to allow it.
A URL directory entry supports at most 3 directory levels; an entry deeper than 3 levels must be written as
the full URL path.
Filter the file types that clients may upload to the server.
Web App Protection
HTTP Request Anomaly
There are several abnormal-request protections for HTTP servers.

Request Method:
HTTP defines a set of request methods that indicate the action to be performed on a given resource. The two
methods commonly used in a client-server request-response are GET and POST. Some of the others, such as
DELETE and MOVE, are a potential risk to the web server.
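An added example (not NGAF code) that combines the Privilege Control and Request Method checks above: a method allowlist, protected-directory matching on a normalized path so that encoded or double-encoded `..` cannot bypass it, the 3-level rule (deeper entries match only as a full path), and an upload filter that rejects web-executable extensions anywhere in the file name. The protected directories, the maintenance host 10.0.0.5 and the extension list are assumptions.

```python
import posixpath
from urllib.parse import urlsplit, unquote

ALLOWED_METHODS = {"GET", "POST", "HEAD"}     # the slide's GET/POST, plus HEAD (assumption)
PROTECTED_DIRS = ["/admin", "/maint/backup", "/a/b/c/d"]   # hypothetical; last one is 4 levels deep
ADMIN_IPS = {"10.0.0.5"}                      # hypothetical maintenance host
MAX_PREFIX_DEPTH = 3                          # slide: deeper entries must be the full URL path
# Every dotted part of the name is checked so 'shell.php.jpg' or 'shell.php;.jpg' is caught.
EXECUTABLE_PARTS = {"php", "phtml", "php5", "jsp", "jspx", "asp", "aspx", "cer"}


def normalize_path(path):
    """Decode twice (double encoding), unify separators, collapse '.' and '..'."""
    p = unquote(unquote(path)).replace("\\", "/")
    return posixpath.normpath("/" + p.lstrip("/"))


def in_protected_dir(path, entry):
    depth = len(entry.strip("/").split("/"))
    if depth > MAX_PREFIX_DEPTH:
        return path == entry                  # full-path match only
    return path == entry or path.startswith(entry + "/")


def upload_allowed(filename):
    parts = filename.lower().replace(";", ".").split(".")[1:]
    return not any(p in EXECUTABLE_PARTS for p in parts)


def inspect_request(method, target, client_ip, upload_filename=None):
    """('allow', normalized path) or ('deny', reason)."""
    if method.upper() not in ALLOWED_METHODS:
        return ("deny", f"method {method.upper()} not allowed")
    path = normalize_path(urlsplit(target).path)
    if client_ip not in ADMIN_IPS and any(in_protected_dir(path, d) for d in PROTECTED_DIRS):
        return ("deny", f"{path} is a protected directory")
    if upload_filename is not None and not upload_allowed(upload_filename):
        return ("deny", f"upload of {upload_filename} not allowed")
    return ("allow", path)


if __name__ == "__main__":
    for req in [("DELETE", "/index.html", "203.0.113.5", None),
                ("GET", "/admin/..%2fadmin/config.php", "203.0.113.5", None),
                ("GET", "/%252e%252e/admin/x", "203.0.113.5", None),
                ("POST", "/upload", "203.0.113.5", "shell.php.jpg"),
                ("GET", "/admin/", "10.0.0.5", None)]:
        print(req[:3], "->", inspect_request(*req))
```

The normalization step is the part that matters: matching the raw request line against `/admin` would let `/admin/..%2fadmin/` or `/%252e%252e/admin/` through, and a filter that looks only at the last extension would accept `shell.php.jpg` on servers that execute by the first recognized suffix.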
Web App Protection Configuration Ideas
1. Go to Objects > Security Policy Template > Web App Firewall and add a new web application protection policy
template.
2. Leave Port at the default. If the web server uses a port other than the standard port 80, enter that port in the
HTTP option.
3. Select all Protection Features; leave the others at their defaults.
4. Go to Policies > Network Security Policy > Policy for Server Scenario, add a server protection policy and
reference the Web App Policy template.
5. For Source Zone select the external network zone, and select ALL for the source IP group.
6. For Destination Zone select the zone where the server is located, and for destination IP select the server IP
group to be protected.

7. Action, Local DNS Server Exists and Log event depend on the situation. (The Local DNS Server function
is introduced separately in a later chapter.)

Note: If the traffic is HTTPS, Encryption must be configured so that the NGAF can decrypt the HTTPS packets;
otherwise the WAF cannot see the request content at all.
Web App Protection - Configuration Demonstration
1. Go to Objects > Security Policy Template > Web App Firewall and add a new web application policy
template.

2. Go to Policies > Network Security Policy > Policy for Server Scenario, add a server protection
policy and reference the Web App Policy template.
Web App Protection - Logs
Go to Monitor > Security Log and click View to see the detailed log.
Web App Protection - False Positives
Method 1: Add URL parameters in Policies > Network Security Policy > Advanced. After exclusion, web
application protection skips detection of these parameters. This is mainly used when some request
parameters are detected as attacks because they legitimately carry special strings in normal business
traffic; only those parameters are excluded, so the rest of the request is still inspected.
Web App Protection - False Positives
Method 2: Query the Security Logs, find the false-positive entry and click Exclude to exclude the rule
that produced the false positive.
Web App Protection - False Positives
To cancel an exclusion, edit it in the following interface and cancel the exclusion.
3. DLP
DLP
Scenarios:
1. Finance: normal user traffic must not contain ATM numbers, handphone (HP) numbers or IC numbers
2. ISP: a large number of e-mail addresses in HTTP traffic is not allowed
3. Normal users: only certain file formats may be downloaded

Path: Objects > Web App Protection

Click the template and then click the Advanced button
DLP
Sensitive Data Protection

Sensitive keywords use "and" logic: both keywords must appear in the same traffic for it to be blocked.
Sensitive keyword groups use "or" logic: the traffic is blocked as soon as one group's policy is met.
DLP
File download restriction:
Select the file types to filter. This rule checks the file extension.
DLP
Sensitive Data Precautions:
1. DLP takes effect on traffic from the server, not on traffic submitted by the client.
2. DLP must be enabled in the multifunction license.
3. Supported encodings: UTF-8, GBK, GB2312.
4. Supported compression formats: gzip, deflate, chunked.
5. Policies are matched group by group from top to bottom.
6. File download restriction matches on the file extension only.
7. File download restriction does not support files without an extension, e.g. /etc/passwd.
8. A new file download restriction rule checks .config/.inc/.ini/.mdb/.MYD/.frm/.log etc. by default.
9. JBoss and Struts2 web sites use .action/.do etc. as request suffixes; an exclusion must be enabled for them.
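The following added example (not the NGAF DLP engine) models the rules stated above for one server-to-client response: the download check on extension only (so `/etc/passwd` is never matched, and `.action`/`.do` are excluded), chunked reassembly, gzip/deflate decompression (including raw deflate, which some servers send), charset decoding for UTF-8 and GBK, and keyword groups that are ANDed inside a group and ORed top-down across groups. The keyword groups and all sample bodies are constructed.

```python
import gzip
import zlib

# Hypothetical policy: keywords inside a group are ANDed, groups are ORed top-down.
KEYWORD_GROUPS = [
    ["ATM No", "Account"],
    ["IC No", "Passport"],
]
# Extensions the page says a new download-restriction rule checks by default.
BLOCKED_EXTS = {".config", ".inc", ".ini", ".mdb", ".myd", ".frm", ".log"}
# Struts2 / JBoss request suffixes the page says must be excluded.
EXCLUDED_EXTS = {".action", ".do"}


def dechunk(raw):
    """Reassemble a chunked transfer-encoded body (hex size line, data, CRLF, ... 0)."""
    out, i = bytearray(), 0
    while True:
        j = raw.index(b"\r\n", i)
        size = int(raw[i:j].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        out += raw[j + 2:j + 2 + size]
        i = j + 2 + size + 2


def decode_body(body, content_encoding=None, charset="utf-8"):
    """Undo gzip/deflate, then decode with the declared charset (UTF-8, GBK, GB2312)."""
    if content_encoding == "gzip":
        body = gzip.decompress(body)
    elif content_encoding == "deflate":
        try:
            body = zlib.decompress(body)                    # zlib-wrapped deflate
        except zlib.error:
            body = zlib.decompress(body, -zlib.MAX_WBITS)   # raw deflate
    return body.decode(charset)


def sensitive_group(text):
    for group in KEYWORD_GROUPS:           # first matching group wins (top-down)
        if all(k in text for k in group):
            return group
    return None


def download_blocked(path):
    """Extension check only: '/etc/passwd' has no extension and is never matched."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return False
    ext = "." + name.rsplit(".", 1)[-1].lower()
    return ext not in EXCLUDED_EXTS and ext in BLOCKED_EXTS


def inspect_response(path, raw_body, chunked=False, content_encoding=None, charset="utf-8"):
    """DLP decision for one server->client response: ('block', reason) or ('allow', None)."""
    if download_blocked(path):
        return ("block", "file type")
    body = dechunk(raw_body) if chunked else raw_body
    group = sensitive_group(decode_body(body, content_encoding, charset))
    if group:
        return ("block", "keywords " + " AND ".join(group))
    return ("allow", None)


# Constructed sample bodies for the checks above.
SAMPLE_GZIP = gzip.compress(b"ATM No 1234 Account 99")
SAMPLE_DEFLATE = zlib.compress(b"IC No 7 Passport")
_co = zlib.compressobj(wbits=-zlib.MAX_WBITS)
SAMPLE_RAW_DEFLATE = _co.compress(b"IC No 7 Passport") + _co.flush()
SAMPLE_GBK = "\u62a4\u7167 Passport IC No 7".encode("gbk")
SAMPLE_CHUNKED = b"6\r\nATM No\r\n8\r\n Account\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(inspect_response("/report", SAMPLE_GZIP, content_encoding="gzip"))
    print(inspect_response("/etc/passwd", b"root:x:0:0:root:/root:/bin/sh"))
```

The order of operations is fixed by HTTP: chunking is removed first, then the content encoding, then the charset; inspecting the compressed bytes for keywords would never match. Note also the gap the page itself points out: a sensitive file served without an extension passes the download filter and is only caught if its content matches a keyword group.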
4. Server Access Verification
Server Access Verification
This function hardens a Web or FTP server so that its core directories cannot be attacked.
The system's core directories can only be viewed from specified IP addresses, or after e-mail
authentication.
With this function an attacker cannot reach the website management URL even after obtaining the
username and password for it, and cannot brute-force the website management URL either.

Flow (client on the WAN, NGAF in between, server 172.17.1.10 on the LAN):
1. The client sends the request http://172.17.1.10/admin.php
2. The NGAF answers with a verification request
3. Verification passes
4. Access succeeds: http://172.17.1.10/admin.php
Server Access Verification
Configuration Path: Policies > Network Security > Server Access Verification

Settings:
• Set the IP address of the server that needs to be protected
• Set the URL of the server that needs to be protected
• Authentication way: "Based on IP address" means an IP whitelist; "Based on email" means mail
authentication is required. For mail authentication, you also need to set the authentication mail address.
Server Access Verification
The website admin wants anyone to be able to access the management website after a second authentication
by the NGAF.

Network diagram: WAN - Eth3: 192.168.1.105 [NGAF] Eth4: 172.17.1.1 - LAN - server: 172.17.1.10
Server Access Verification
Server verification settings
Server Access Verification
A verification page pops up after accessing the protected URL:
1. Submit your email address.
2. The email receives an OTP.
3. Fill in the OTP.
Server Access Verification
1. If the site has multiple URLs that reach the management page, add each of them to website protection.
2. If neither authentication type is selected, no one can access the management URL.
3. If only IP-based authentication is selected, only the selected IP group can access the management URL.
4. If only email-based authentication is selected, everyone accessing the management URL needs mail
authentication.
5. If both are selected, whitelisted IPs can access the management URL directly and all other IPs
need mail authentication.
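An added example (not NGAF code) of the gate described in this section, implementing the five rules above plus the OTP details a practitioner would expect: the code is generated with `secrets`, only a keyed digest is stored, comparison is constant-time, the code expires, is single-use, and is invalidated after a few wrong guesses so the verification page itself cannot be brute-forced. The URLs, networks and the 5-attempt limit are assumptions; `now` is injectable for testing.

```python
import hashlib
import hmac
import secrets
import time
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


class AccessVerifier:
    """Second-factor gate in front of protected management URLs (added example)."""
    MAX_ATTEMPTS = 5      # assumption: wrong guesses allowed before the OTP is discarded

    def __init__(self, protected_urls, ip_whitelist=None, email_auth=False, otp_ttl=300):
        self.protected = [u.rstrip("/") or "/" for u in protected_urls]
        self.ip_enabled = ip_whitelist is not None        # "Based on IP address" ticked
        self.ip_whitelist = [ip_network(n) for n in (ip_whitelist or [])]
        self.email_auth = email_auth                      # "Based on email" ticked
        self.otp_ttl = otp_ttl
        self._key = secrets.token_bytes(32)               # keys the stored OTP digests
        self._pending = {}                                # (ip, email) -> [digest, expiry, attempts]
        self._verified = set()                            # client IPs that passed e-mail OTP

    def is_protected(self, target):
        path = urlsplit(target).path.rstrip("/") or "/"
        return any(path == p or path.startswith(p + "/") for p in self.protected)

    def check(self, client_ip, target):
        """'pass', 'verify' (show the e-mail/OTP page) or 'deny'."""
        if not self.is_protected(target):
            return "pass"
        ip = ip_address(client_ip)
        if self.ip_enabled and any(ip in net for net in self.ip_whitelist):
            return "pass"                                 # rules 3 and 5: whitelist wins
        if self.email_auth:
            return "pass" if client_ip in self._verified else "verify"   # rules 4 and 5
        return "deny"                                     # rule 2, or IP-only and not whitelisted

    def _digest(self, otp):
        return hmac.new(self._key, otp.encode(), hashlib.sha256).digest()

    def send_otp(self, client_ip, email, now=None):
        now = time.time() if now is None else now
        otp = "".join(secrets.choice("0123456789") for _ in range(6))
        self._pending[(client_ip, email)] = [self._digest(otp), now + self.otp_ttl, 0]
        return otp        # in production this goes to the mail address, never to the client

    def submit_otp(self, client_ip, email, otp, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get((client_ip, email))
        if entry is None:
            return False
        entry[2] += 1
        if now > entry[1] or entry[2] > self.MAX_ATTEMPTS:
            del self._pending[(client_ip, email)]         # expired or guessed at: start over
            return False
        if not hmac.compare_digest(entry[0], self._digest(otp)):
            return False
        del self._pending[(client_ip, email)]             # single use
        self._verified.add(client_ip)
        return True


if __name__ == "__main__":
    v = AccessVerifier(["/admin.php"], ip_whitelist=["192.168.1.0/24"], email_auth=True)
    print(v.check("192.168.1.20", "/admin.php"))          # pass (whitelisted)
    print(v.check("203.0.113.9", "/admin.php"))           # verify
    code = v.send_otp("203.0.113.9", "ops@example.test")
    print(v.submit_otp("203.0.113.9", "ops@example.test", code), v.check("203.0.113.9", "/admin.php"))
```

Binding the verified state to the client IP mirrors the slide's flow; on networks behind a shared NAT that grants the whole NAT pool access once one user verifies, so a per-session cookie is the safer binding in that environment.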
5. Ransomware Protection
Ransomware Protection
1. What is Ransomware?
Ransomware is a class of malware. Once a host runs a ransomware file, the ransomware program traverses all
local disks, encrypts files of specified types and leaves them unreadable. It then generates a ransom
message demanding that the victim pay a certain amount of cryptocurrency within a set time to get the data
back, otherwise the data will be destroyed. In terms of observable symptoms, a ransomware infection mainly
shows up in the following two scenarios.

1. Server files are encrypted, for example renamed with a .java suffix or another strange suffix, and
the desktop shows a prompt demanding a bitcoin payment to an account; if you do not pay, the files stay
unavailable, as shown in the following figure:
Ransomware Protection
What is Ransomware?
2. Many hosts on the intranet show blue screens. The blue-screen code indicates a fault in the srv.sys
driver (the Windows SMB server driver), as shown in the following figure:

Note:
Blue screens on many intranet hosts at once usually indicate a ransomware variant with a worm component
that spreads aggressively; a crash in srv.sys points at the SMB service as the entry point.
Ransomware Protection
Impacts of Ransomware
Ransomware can cause tremendous impacts that disrupt business operations and
lead to data loss. The impacts of ransomware attacks include:
• Loss or destruction of crucial information
• Business downtime
• Productivity loss
• Business disruption in the post-attack period
• Damage to hostage systems, data and files
• Loss of reputation for the victimized company
Ransomware Protection
Protection Against Ransomware
1. Reinforcement in advance: ransomware risk assessment, accurate assessment of ransomware entry points,
configuration of a dedicated ransomware policy, and comprehensive protection against ransomware risks.

2. Active defense during the event: comprehensive protection against ransomware risks through the
configured dedicated ransomware policy.

3. Post-event quick response and disposal: isolate and identify the compromised host and use dedicated
tools to remove the malware.
Ransomware Protection
How ransomware infection works
1. First, the attacker brute-forces passwords over the SMB and RDP ports, the ports ransomware most
commonly uses. The attacker also exploits server vulnerabilities, and the ransomware tries every available
way to infect the host.
2. After the host is infected, the ransomware process runs on it. At the same time, the attacker manually
uses SMB or RDP to spread the ransomware to more hosts.
3. While the ransomware process runs on one or more hosts, it searches the local disks and encrypts
specific file types. Encrypted files can no longer be read.
4. It then shows a ransom message to the victim on the infected computer, demanding payment in bitcoin
within a set period to recover the encrypted data, or else the ransom is doubled or the files are never
decrypted.
5. Normally the encrypted data cannot be decrypted by the victim, because ransomware uses strong
encryption and the victim does not have the private key.
Ransomware Protection
The value of NGAF in ransomware protection
(1) Ransomware risk assessment: accurately assesses the entry points of ransomware.
(2) Dedicated ransomware protection configuration: comprehensive protection against ransomware risks.
(3) Dedicated ransomware protection area: visual identification and rapid handling of ransomware risk.
Ransomware Protection
Reinforcement in Advance
Sort out the exposure of assets and block the ransomware entry points: identify in advance the ports
ransomware commonly uses, the vulnerabilities it commonly exploits and weak passwords, and give
corresponding remediation suggestions.
Ransomware Protection
Defense During the Event
1. The dedicated ransomware protection policy is generated automatically to comprehensively protect
against ransomware attacks. Configuration path: SOC > Specialized Protection > Ransomware Protection.
2. Security policies detect the intrusion methods in depth and defend against covert ransomware attacks;
web application protection, vulnerability protection, content security and slow brute-force detection
together provide comprehensive intrusion defense against ransomware, and the ransomware can be analyzed
further from the ransomware analysis log.
Ransomware Protection
Post-event Response and Disposal
1. Correlate with ES to detect and scan, quarantine the compromised assets and quickly dispose of the
ransomware.

2. Analyze the ransomware further based on the ransomware analysis log.

Path: SOC > Specialized Protection > Ransomware Protection
Ransomware Protection
Post-event Response and Disposal
3. Ransomware analysis, ransomware event analysis:
Go to SOC > User Security > click a ransomware event > Malicious files. The NGAF must be correlated with
CC before it can detect the malicious file.
Ransomware Protection
5. Ransomware Protection Guide
(1) Block or close unnecessary SMB (139, 445) and RDP (3389) ports.
(2) Go to SOC > Specialized Protection > Ransomware Protection and configure the related security policy.
(3) The best ransomware protection is NGAF + Endpoint.
Note: Ransomware Protection supports at most 1024 IP addresses.
6. Server Protection Case Study
Security Protection Case Study
The customer's network topology is as follows.
192.200.19.0/24 is the server farm: 192.200.19.10 is a WEB server and 192.200.19.51 is an FTP server;
the office network (192.168.0.0/24 and 192.168.1.0/24 in the diagram) is the internal network.
The customer has purchased a Sangfor NGAF to deploy as their network gateway. They want to implement the
following functions:

1. Control the employees' network behavior;
2. Protect the employees' network access;
3. Protect the server group against attacks from the internal network and from the Internet.

Topology diagram (interface addresses from the figure):
Eth1: 115.132.227.114/24, GW 115.132.227.1 (Internet side)
Eth2: 192.168.0.1/24 towards the office network (192.168.0.2/24, 192.168.1.1/24; 192.168.1.0/24 with GW
192.168.1.1)
Eth3: 192.200.19.1/24 towards the server farm (192.200.19.0/24, GW 192.200.19.1)
Security Protection Case Study
Detailed Requirements

1. For clients
(1) Forbid playing games during working time;
(2) Forbid access to porn, drug and malicious websites;
(3) Inspect the HTTP, FTP, SMTP, POP3 and IMAP protocols to prevent internal network users from being
infected by viruses;
(4) Perform intrusion detection on user traffic to stop attackers exploiting existing vulnerabilities in
the clients, planting Trojans and backdoors on intranet computers, and similar attacks.
2. For servers
(1) Hide the version information of the server;
(2) Protect the server from SQL injection, XSS, CSRF, system command injection and similar attacks.
Security Protection Case Study
1. Network configuration
1.1 Interface Configuration
Path: Network > Interfaces
Security Protection Case Study
1.2 Routing Configuration
Path: Network > Routing
Security Protection Case Study
2. Objects
2.1 Network Objects
Path: Objects > Network Objects
Security Protection Case Study
2.2 Schedule
Security Protection Case Study
3. NAT
Security Protection Case Study
4. Application Control
Security Protection Case Study
5. Policy template
Path: Objects > Security Policy Template > Content Security
Security Protection Case Study
WAF
Path: Objects > Security Policy Template > Web App Protection
Security Protection Case Study
Path: Objects > Security Policy Template > Intrusion Prevention
IPS (use the default template); APT (use the default template)
Security Protection Case Study
6. Network Security Policy
6.1 Internet access scenario
Path: Policies > Network Security Policy > Policies
Security Protection Case Study
6.2 Server Scenario
Path: Policies > Network Security Policy > Policies
Thank you!

[email protected]
www.sangfor.com

Sangfor Technologies (Headquarters)


Block A1, Nanshan iPark, No.1001
Xueyuan Road, Nanshan District,
Shenzhen, Guangdong Province,
P. R. China (518055)
