Full Transcript


Lesson 8: Quarantine

Lesson Objectives
After completing this lesson, participants will be able to:
- Recall Quarantine Functionality
- Describe Quarantine Concepts
- Review Quarantine Considerations
- Apply a Quarantine Action Set

Quarantine Concepts
By extending protection down to the endpoint, TippingPoint Quarantine blocks insider threats and walk-in worms, and can then communicate with switching infrastructures to isolate offending endpoints with remediation VLANs that prevent network infection. Quarantine works with the source IP address in the packets that the inspection device is inspecting: the source IP in the packet is added to the Quarantine list.

Quarantine Concept (Blocking)
Quarantine can be used to prevent an infected machine from spreading worms or from leaking confidential information due to a spyware infection. It can also be used to inform the user that something has gone wrong.

Blocking
- Traffic matches against a filter configured for Block + Quarantine (spyware filters are a good example)
- Immediately blocks the malicious flow (due to the block)
- Optionally blocks other traffic
- Optionally intercepts web requests and redirects them to an external server or displays the Quarantine Block page

Thresholds
- Quarantine occurs after excessive filter hits
- Ideal for failed login attempts
- Configure a threshold of permitted traffic
- The threshold is defined by hit count within a certain period

Quarantine actions can also occur at a user-defined threshold. You can configure permit and trust actions to take effect before the threshold is triggered. For example, you can display a Quarantine web page to notify a quarantined user of the problem and provide instructions for fixing it, or the action may redirect all traffic from the quarantined IP address to a quarantine server that provides instructions to correct the problem.

Quarantine Considerations
- Block immediately or Threshold? How many hits over what time period?
- Supported devices?
- Web Requests: What do you want displayed?
  - Have the device display the Quarantine Block page
  - Redirect web requests to an external server
  - Nothing, i.e. just block web requests
- Other Traffic: Block other non-web traffic?
- Restrictions / Exceptions: Hosts that you do or do not want to be Quarantined
- Quarantine Access: Addresses which can be reached by hosts in Quarantine
- How do hosts get released from Quarantine? Manually or automatically (timeout)
- Which filters should trigger IPS Quarantine?

Action Set Creation
Quarantine is configured as a Filter Action Set: Profiles > Shared Settings > Action Sets > IPS Quarantine

Flow Control
After you click New, you must provide a name and select Quarantine for the flow control.

Quarantine Settings
Use Thresholds to respond to excessive numbers of hits. Set the thresholds to 1 and 1 for an immediate block.
Note: TCP Reset is available as part of Quarantine Actions when necessary for things such as SMTP virus filters.

Restrictions
Quarantine will apply only to the listed source IP addresses.

Apply Action Set to Filter
To use your newly created Quarantine action set, you must apply it to a filter. We will use 0164: ICMP Echo Request (Ping) in our DMZ Profile to test our quarantine.

Automatic Timeout
We can optionally configure quarantine to time out automatically in the TSE settings.

Monitoring
When the Action Set is configured for Block + Quarantine and a threshold is not set, a host will appear in the Quarantined Hosts table, and a blocked stream will also be generated for the flow which triggered the filter. When a Threshold is used, only a Quarantined Host entry will be created. Remember that both of these values are synchronized to the partner IPS when configured using Transparent Network High Availability (TRHA).

Quarantine Block Web Page

Hands-on Labs
Lab 8: Quarantine
Estimated time to complete this lab: 45 minutes

© 2022 Trend Micro Inc. Education
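To make the threshold, restriction, exception, Quarantine Access and automatic-timeout settings above concrete, here is an added Python model of the action set's decision logic (illustrative code written for this page, not TippingPoint's implementation). The class and method names, the seconds-based timestamps and the pre-threshold permit action are assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class QuarantineActionSet:
    # Hypothetical model: quarantine decisions keyed by packet source IP.
    def __init__(self, hits=1, period=1, timeout=None, pre_action="permit",
                 restrictions=(), exceptions=(), access=()):
        self.hits, self.period, self.timeout = hits, period, timeout
        self.pre_action = pre_action                               # action until the threshold is reached
        self.restrictions = [ip_network(n) for n in restrictions]  # only these sources get quarantined
        self.exceptions = [ip_network(n) for n in exceptions]      # these sources are never quarantined
        self.access = [ip_network(n) for n in access]              # Quarantine Access addresses
        self._window = defaultdict(deque)  # src_ip -> timestamps of recent filter hits
        self.quarantined = {}              # src_ip -> time the host entered quarantine

    def _eligible(self, src_ip):
        addr = ip_address(src_ip)
        if any(addr in n for n in self.exceptions):
            return False
        return not self.restrictions or any(addr in n for n in self.restrictions)

    def expire(self, now):
        # Automatic timeout: release hosts whose quarantine period has elapsed.
        if self.timeout is not None:
            for ip, t0 in list(self.quarantined.items()):
                if now - t0 >= self.timeout:
                    del self.quarantined[ip]

    def filter_hit(self, src_ip, now):
        # Apply the action set to one filter hit from src_ip at time `now` (seconds).
        self.expire(now)
        if src_ip in self.quarantined:
            return "quarantined"
        if not self._eligible(src_ip):
            return self.pre_action
        w = self._window[src_ip]
        w.append(now)
        while now - w[0] > self.period:   # keep only hits inside the threshold period
            w.popleft()
        if len(w) < self.hits:            # threshold not yet reached
            return self.pre_action
        self.quarantined[src_ip] = now    # threshold reached ("1 and 1" = first hit)
        w.clear()
        return "quarantine"

    def allows(self, src_ip, dst_ip):
        # Quarantined hosts may reach only the Quarantine Access addresses.
        if src_ip not in self.quarantined:
            return True
        return any(ip_address(dst_ip) in n for n in self.access)
```

Constructed addresses such as 10.0.0.0/8 are placeholders; with hits=3 and period=60 a host is quarantined on its third hit within 60 seconds, while hits=1 and period=1 quarantines on the first hit.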
