Solution for ARs to defend against GlobeImposter 3.0
Product Family: Enterprise network products
Product Model: Enterprise gateway AR
Release Date: 2019-03-11
Severity: Major
Versions Involved: V200R005, V200R006, V200R007, V200R008, V200R009, and V200R010
Note: Before applying this configuration, ensure that no service is using ports
135, 137, 139, 445, and 3389. Otherwise, those services will be affected.
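1. Create ACL rules for high-risk ports. The permit action in these rules only selects the traffic for the classifier; the deny behavior in step 2 is what drops it.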
acl number 3000
 rule 5 permit tcp destination-port eq 135
 rule 10 permit tcp destination-port eq 137
 rule 15 permit tcp destination-port eq 139
 rule 20 permit tcp destination-port eq 445
 rule 25 permit udp destination-port eq 135
 rule 30 permit udp destination-port eq 137
 rule 35 permit udp destination-port eq 139
 rule 40 permit udp destination-port eq 445
 rule 45 permit tcp destination-port eq 3389
 rule 50 permit udp destination-port eq 3389
2. Create a traffic policy.
traffic classifier virus operator or
 if-match acl 3000
traffic behavior virus
 deny
traffic policy virus
 classifier virus behavior virus
3. Apply the traffic policy to the interface connecting to the intranet.
interface VlanifXXX //The intranet gateway uses a VLANIF interface.
 traffic-policy virus outbound //Apply the traffic policy to the outbound direction.
interface GigabitEthernetX/X/X //The intranet gateway uses a physical interface.
 traffic-policy virus outbound //Apply the traffic policy to the outbound direction.
If there are multiple intranet interfaces, apply the traffic policy to each of them.
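
The following is an added example, not part of the original notice and not Huawei code: a Python check that audits the text of a saved configuration (for example, output captured from display current-configuration) against steps 1 to 3. It assumes numeric port values and one-space indentation as shown above; the function names, the sample configuration, and the interface names Vlanif10 and GigabitEthernet0/0/1 are constructed for illustration.

```python
import re

REQUIRED = {(proto, port) for proto in ("tcp", "udp") for port in (135, 137, 139, 445, 3389)}

def sections(config):
    """Group a saved configuration into {top-level line: [that line + its indented children]}."""
    out, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "#"):
            continue
        if not line[0].isspace():
            current = line.strip()
        out.setdefault(current, []).append(line.strip())
    return out

def audit(config, intranet_ifaces, acl="3000", name="virus"):
    """Return (uncovered (proto, port) pairs, policy chain intact?, interfaces lacking the policy)."""
    sec = sections(config)
    covered = set()
    for rule in sec.get(f"acl number {acl}", []):
        m = re.fullmatch(r"rule \d+ permit (tcp|udp) destination-port eq (\d+)", rule)
        if m:
            covered.add((m.group(1), int(m.group(2))))
    chain_ok = (f"if-match acl {acl}" in sec.get(f"traffic classifier {name} operator or", [])
                and "deny" in sec.get(f"traffic behavior {name}", [])
                and f"classifier {name} behavior {name}" in sec.get(f"traffic policy {name}", []))
    unbound = [i for i in intranet_ifaces
               if f"traffic-policy {name} outbound" not in sec.get(f"interface {i}", [])]
    return sorted(REQUIRED - covered), chain_ok, unbound

# Constructed sample: only the TCP rules were entered and one interface was left unbound.
SAMPLE = """\
acl number 3000
 rule 5 permit tcp destination-port eq 135
 rule 10 permit tcp destination-port eq 137
 rule 15 permit tcp destination-port eq 139
 rule 20 permit tcp destination-port eq 445
 rule 45 permit tcp destination-port eq 3389
traffic classifier virus operator or
 if-match acl 3000
traffic behavior virus
 deny
traffic policy virus
 classifier virus behavior virus
interface Vlanif10
 traffic-policy virus outbound
interface GigabitEthernet0/0/1
"""
print(audit(SAMPLE, ["Vlanif10", "GigabitEthernet0/0/1"]))
```

An empty first list, True, and an empty last list mean every port and protocol pair is matched, the classifier, behavior, and policy are linked, and each listed intranet interface has the policy applied outbound.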