Hello everyone,
Today I'd like to share with you a method for using firewalls and security sandboxes to defend against GlobeImposter 3.0.
1. Method for Firewalls and Security Sandboxes to Defend Against GlobeImposter 3.0
1.1 Use a USG series firewall to block ports.
Block TCP ports 445 (SMB), 3389 (RDP), 135 (RPC endpoint mapper), and 139 (NetBIOS session) on the firewall. The following uses port 445 as an example:
1.1.1 Log in to the firewall, choose Object > Service > Service, and click Add to create a service.
1.1.2 Name the service and set the destination port to 445. Configure the other ports in the same way.
1.1.3 Choose Policy > Security Policy > Security Policy and click Add Security Policy to create a security policy.
1.1.4 Reference the created service in the policy and set the action to Deny.
1.1.5 Enable the security policy and move it to the top of the policy list.
1.1.6 Save the policy configuration. Otherwise, the configuration may be lost after the firewall restarts.
1.2 Use a USG series firewall for content security protection.
1.2.1 Update the IPS and antivirus signature databases to the latest versions (20190306 or later versions).
(1) Online update: If the firewall is connected to Huawei security center (sec.huawei.com), update the signature databases online. Choose System > Update Center and click Update Immediately.
(2) Local update: If the firewall is not connected to Huawei security center (sec.huawei.com), update the signature databases locally.
(a) Log in to Huawei security center and download the IPS and antivirus signature databases based on the firewall model and version.
(b) On the firewall, choose System > Update Center, click Update Locally, and import the corresponding signature databases.
1.2.2 Reference the IPS and antivirus functions in the security policy.
Choose Policy > Security Policy and reference the default antivirus and intrusion prevention profiles in the corresponding rule.
1.2.3 Submit and save the policy configuration. The defense functions take effect.
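The configuration from 1.1 and 1.2 expressed on the USG6000 command line instead of the web UI, as an added example that is not part of the original post. The service-set name, the rule names, and the zone names (trust/untrust) are assumptions chosen for illustration; the command syntax follows the USG6000 V500 security-policy command set, so check it against the command reference for your firewall model and version before applying it.

```text
system-view
ip service-set globeimposter_ports type object
 service 0 protocol tcp destination-port 445
 service 1 protocol tcp destination-port 3389
 service 2 protocol tcp destination-port 135
 service 3 protocol tcp destination-port 139
quit
security-policy
 rule name deny_globeimposter_ports
  service globeimposter_ports
  action deny
 quit
 rule name permit_trust_to_untrust
  source-zone trust
  destination-zone untrust
  action permit
  profile av default
  profile ips default
 quit
 rule move deny_globeimposter_ports top
quit
return
save
display security-policy rule deny_globeimposter_ports
```

The service set groups the four ports from 1.1 into one object, the deny rule references it (1.1.4), and rule move places the deny rule at the top of the list so it is matched before any permit rule (1.1.5). The permit rule carries the default av and ips profiles from 1.2.2, which only inspect traffic once the signature databases in 1.2.1 are loaded. The final save corresponds to 1.1.6, and the display command lets you confirm the rule is present and enabled. Keep in mind that a security policy only affects traffic that crosses the firewall: hosts in the same segment can still reach each other on 445 and 3389, so host firewalls or segmentation are still needed against lateral movement inside a network.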
1.3 Use a sandbox to collaborate with the USG series firewall for content security protection.
1.3.1 Sandbox configuration
(1) Template download
Download the OS template from https://support.huawei.com/enterprisesoftware/SoftwareVersionActionNew!showVDetailNew?idAbsPath=fixnode01|7919710|9856724|21782134|21450977|21264217&pid=21264217&vrcid=22893894&lang=en.
(2) Template import
Import a sandbox VM template using commands:
Upload the template to the sandbox over FTP, for example to /data/win_cn_64.zip.
Run the cd $SEC_HOME/engineering/kvm/windows/script command.
Run the ./install_template.sh /data/win_cn_64.zip command.
Import a sandbox VM template on the web UI.
Prerequisites: The OS template has been uploaded to the required FTP/SFTP server.
Connect to the file server. After the template is downloaded, import the template. If the download fails or the downloaded file is not the required one, you can delete the template, and then download and import the template again.
The import process and result are displayed in the Import Result list.
(3) Template configuration
Prerequisites: The OS template has been imported to the detection node.
The maximum number of configured OS templates varies according to host models (4 for FireHunter6100, 12 for FireHunter6200, and 30 for FireHunter6300). In the cluster scenario, configure templates for each host.
(4) Signature database update
Log in to Huawei security center (sec.huawei.com) and download the signature database for manual update.
(5) Template application
1.3.2 Configure interworking between the sandbox and firewall.
(1) Log in to the sandbox and configure it.
(2) Log in to the firewall and configure it.
Note: If only sandbox interworking is required, configure and apply only the APT defense profile in the security policy.
This is what I want to share with you today, thank you!