User/Admin Training Inline Mitigation

3-1 Pravail APS 5.6


With the Pravail APS in Monitor mode, it reports which traffic and hosts would be blocked.
Recall that in Monitor mode, the APS does not block traffic. The

The decision is made to put the Pravail APS Inline in order to mitigate the attack traffic. For the first hour, to
check for any additional issues that could arise from adding the new box to the data path, the Pravail APS
will still not block any traffic; that is, the mitigation capability will be inactive. You can use the
resulting information to set your policies for attack detection and mitigation. Once the configuration and
its impact are verified, the APS can then be made active in order to mitigate the attack.

The Pravail APS appliance is bypass capable. If power failures, hardware failures, or software issues
affect the Pravail APS appliance, the network traffic can pass through the appliance unaffected.
Although an IP address is assigned to the management interfaces in order to manage the appliance, the
protection interfaces do not have an IP address. This makes the protection interfaces behave like a wire:
there is no MAC addressing or IP-layer interaction, so the APS is transparent to the end network devices.

Inline mode is typically used in an active implementation, in which Pravail APS mitigates attacks
in addition to monitoring traffic and detecting attacks. However, you can run Pravail APS in an inactive
protection mode, in which it analyzes traffic and detects attacks without performing mitigations.
The inactive protection mode is similar to the Monitor mode.

Pravail APS monitors your network traffic and mitigates attacks by using the protection settings that are
defined for one or more Protection Groups (PGs).
A protection group represents one or more hosts that you need to protect. Each protection group is
associated with a Server Type and one or more host servers of that type. For example, a protection group
can represent a single Web server or a specific group of DNS servers.

The default protection group provides protection for all of the hosts in your enterprise as soon as you put
Pravail APS into an active protection mode. The default protection group is preconfigured to protect all
hosts and is associated with the generic server type, which contains nearly all of the protection settings
categories.
You can edit the default protection group, but only to configure its protection mode, protection level,
and bandwidth alert thresholds. You cannot delete the default protection group.
A custom protection group protects a specific host or group of hosts and allows you to configure the
most appropriate protection settings for those hosts. Throughout Pravail APS, you can monitor traffic
and mitigate attacks by protection group, so that you can focus your attention on your most critical
hosts.
Arbor recommends that you create a custom protection group for each of the services that you want to
protect.
The default protection group continues to protect any of the hosts that are not protected by the custom
protection groups. When you delete a custom protection group, the hosts that were in that protection
group are protected by the default protection group.

The server type represents a class of hosts that a specific protection group protects. The server type
determines which protection settings are available for a protection group and which application-specific
data is collected and displayed for that group.
Each protection group is associated with a server type; multiple protection groups can be associated
with the same server type.

Certain protection settings are available for all of the standard server types. Other settings include
application-specific behavior and are available only for the server type that is associated with the
application. For example, the HTTP Rate Limiting settings are available for a Web Server server type
but not for a DNS Server server type.
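The protection-group and server-type rules described in the notes above (the default group catches every host not owned by a custom group, a deleted custom group's hosts fall back to the default, and each group's server type decides which settings exist) as an added Python model. This is illustration code written for this page, not Arbor software; the setting names, the CIDRs and the first-match rule for custom groups are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Protection-setting categories each server type exposes. The generic type
# carries nearly all categories; HTTP Rate Limiting exists only on the Web
# Server type. Names are constructed for this illustration, not the product's.
SERVER_TYPE_SETTINGS = {
    "generic":    {"tcp_syn_flood", "udp_flood", "bandwidth_alert"},
    "web_server": {"tcp_syn_flood", "udp_flood", "bandwidth_alert", "http_rate_limiting"},
    "dns_server": {"tcp_syn_flood", "udp_flood", "bandwidth_alert", "dns_rate_limiting"},
}

@dataclass
class ProtectionGroup:
    name: str
    server_type: str
    hosts: list = field(default_factory=list)  # CIDR strings; empty = all hosts

    def covers(self, ip) -> bool:
        return not self.hosts or any(ip in ip_network(n) for n in self.hosts)

    def available_settings(self) -> set:
        return SERVER_TYPE_SETTINGS[self.server_type]

# Preconfigured, non-deletable, protects every host not in a custom PG.
DEFAULT_PG = ProtectionGroup("default", "generic")

class ProtectionGroups:
    def __init__(self):
        self.custom = []

    def add(self, pg: ProtectionGroup) -> None:
        if pg.name == DEFAULT_PG.name:
            raise ValueError("the default protection group cannot be replaced")
        self.custom.append(pg)

    def delete(self, name: str) -> None:
        if name == DEFAULT_PG.name:
            raise ValueError("the default protection group cannot be deleted")
        # Hosts of a deleted custom PG fall back to the default PG automatically.
        self.custom = [pg for pg in self.custom if pg.name != name]

    def group_for(self, host: str) -> ProtectionGroup:
        ip = ip_address(host)
        for pg in self.custom:          # assumption: first matching custom PG wins
            if pg.covers(ip):
                return pg
        return DEFAULT_PG

    def setting_available(self, host: str, setting: str) -> bool:
        return setting in self.group_for(host).available_settings()
```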

Inactive is the default when entering Inline mode.

Traffic dropped for any reason by APS protection processing will cause the source host to be recorded in
the Blocked Hosts log.

Pravail APS uses blacklisting to protect your network from malicious traffic, and it uses whitelisting to
allow trusted traffic. Pravail APS uses the blacklists and whitelists as filters to block or pass traffic
without further inspection, regardless of the current protection level.
You can create blacklists and whitelists for both inbound traffic and outbound traffic.
• Inbound blacklist: blocks the inbound traffic that originates from specific hosts or countries, or from
the clients that access specific domains or URLs in your network.
• Outbound blacklist: blocks the traffic that originates from your network and is sent from specific hosts
or to specific hosts.
• Inbound whitelist: passes the inbound traffic that originates from specific hosts.
• Outbound whitelist: passes the traffic that originates from your network and is sent from specific hosts
or to specific hosts.
The blacklists and whitelists are configurable by users only; Pravail APS does not blacklist or whitelist
hosts automatically.
The capability to manage Pravail APS blacklists and whitelists from the Pravail NSI Threat Console was
added in the Pravail 5.5 release.
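An added Python model of the four lists described above together with the Blocked Hosts log from an earlier slide: a blacklist or whitelist hit decides the traffic before any protection-level inspection, and every drop records the source host. This is illustration code written for this page, not Arbor software; the list contents, the flow fields and the whitelist-over-blacklist precedence are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Flow:
    src: str
    dst: str
    direction: str          # "inbound" toward protected hosts, or "outbound"
    src_country: str = ""   # geo lookup result for src (constructed here)
    host: str = ""          # domain/URL an inbound client is accessing

@dataclass
class Lists:
    """User-configured filters; APS never populates these automatically."""
    inbound_black_hosts: list = field(default_factory=list)   # CIDR strings
    inbound_black_countries: set = field(default_factory=set)
    inbound_black_domains: set = field(default_factory=set)
    inbound_white_hosts: list = field(default_factory=list)
    outbound_black_src: list = field(default_factory=list)
    outbound_black_dst: list = field(default_factory=list)
    outbound_white_src: list = field(default_factory=list)
    outbound_white_dst: list = field(default_factory=list)

def _in(ip: str, cidrs: list) -> bool:
    return any(ip_address(ip) in ip_network(c) for c in cidrs)

class ListFilter:
    def __init__(self, lists: Lists):
        self.l = lists
        self.blocked_hosts = Counter()   # Blocked Hosts log: source -> drop count

    def _drop(self, src: str) -> str:
        self.blocked_hosts[src] += 1     # any dropped traffic records its source
        return "block"

    def decide(self, f: Flow) -> str:
        """'pass' or 'block' without further inspection, else 'inspect'.
        Applies regardless of protection level. Assumption: whitelist wins."""
        l = self.l
        if f.direction == "inbound":
            if _in(f.src, l.inbound_white_hosts):
                return "pass"
            if (_in(f.src, l.inbound_black_hosts)
                    or f.src_country in l.inbound_black_countries
                    or f.host in l.inbound_black_domains):
                return self._drop(f.src)
        else:
            if _in(f.src, l.outbound_white_src) or _in(f.dst, l.outbound_white_dst):
                return "pass"
            if _in(f.src, l.outbound_black_src) or _in(f.dst, l.outbound_black_dst):
                return self._drop(f.src)
        return "inspect"   # hand over to the protection group's settings
```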

How can you know that the mitigation is working and the service is back?

The best way is to monitor the protected service from a customer's perspective, for example by opening
the website that was reported down in a browser.

But in order to know for sure, you need to do it from outside, not from inside the datacenter. Any ideas
on how you can do that?
