Signatureless detection based on Network Behavior Analysis, provided by Flowmon ADS, allows security teams to detect insider threats and breaches that are undetectable by traditional security solutions. Combining this technology with perimeter protection (firewalls) makes it possible to proactively block all attempts at malicious communication flowing from and into the network infrastructure and to get maximum value from both technologies. The integration can be done simply, using an integration script.
The following steps show how to configure Hillstone iNGFW and Flowmon ADS using the script. The script extracts the source IP address from the event information, connects to the NGFW via SSH and instructs the NGFW to block the IP address for a given time. The integration script is available on request.
1. Create a user on Hillstone iNGFW
The first step is to create a user and set its permissions using the following CLI commands on Hillstone iNGFW.
SG-6000# configure
SG-6000(config)# admin user flowmon
SG-6000(config-admin)# password flowmon
SG-6000(config-admin)# role operator
SG-6000(config-admin)# access ssh
SG-6000(config-admin)# end
2. Upload integration script to ADS and set reporting
The second step is to insert the integration script in Flowmon ADS - Settings - Custom scripts.
The script has six parameters to configure:
Required parameters:
--fw-ip : IP address of the Hillstone NGFW
--user : Hillstone NGFW user
--passwd : Hillstone NGFW password
Optional parameters:
--fw-port : SSH service port to connect to on the Hillstone NGFW
--ssh-timeout : Maximum time allowed for SSH connection [1-5 seconds]
--block-timeout : Timeout for IP blocking [60-3600 seconds]
The next step is to set up event reporting in Flowmon ADS - Processing - Event reporting - Custom scripts. Click on the “plus” icon and choose the integration script in the pop-up form. You can change the prefilled parameters. The selected perspective and minimal priority determine which detected events will be used for reporting IP addresses to the Hillstone iNGFW.
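The parameter ranges listed above can be enforced before anything is sent to the firewall. The Python example below is an added illustration, not the Flowmon integration script (which is available only on request): the default values, the `PROTECTED_NETS` list and the `blockable_source` helper are assumptions, and reading the source-IP field out of the ADS event is left out because the page does not show that format.

```python
import argparse
import ipaddress

# Hypothetical never-block list (constructed documentation range), e.g. a management subnet.
PROTECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def bounded_int(lo, hi):
    """argparse type: integer restricted to the inclusive range lo..hi."""
    def parse(text):
        value = int(text)  # ValueError is reported by argparse as a usage error
        if not lo <= value <= hi:
            raise argparse.ArgumentTypeError(f"must be between {lo} and {hi}")
        return value
    return parse

def build_parser():
    """The six parameters from the page; the defaults are assumptions."""
    p = argparse.ArgumentParser(description="Validate firewall-blocking parameters")
    p.add_argument("--fw-ip", required=True, type=ipaddress.ip_address)
    p.add_argument("--user", required=True)
    p.add_argument("--passwd", required=True)
    p.add_argument("--fw-port", type=bounded_int(1, 65535), default=22)
    p.add_argument("--ssh-timeout", type=bounded_int(1, 5), default=5)
    p.add_argument("--block-timeout", type=bounded_int(60, 3600), default=60)
    return p

def blockable_source(raw, fw_ip):
    """Return the parsed source IP, or None when it must not reach the firewall CLI."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None  # not a bare IP literal: never build a command from it
    if ip == fw_ip or any(ip in net for net in PROTECTED_NETS):
        return None  # blocking the firewall itself or a protected host would self-DoS
    return ip

if __name__ == "__main__":
    # Constructed sample arguments and source-IP fields.
    args = build_parser().parse_args(
        ["--fw-ip", "192.0.2.1", "--user", "flowmon", "--passwd", "example",
         "--block-timeout", "600"])
    for field in ("203.0.113.7", "203.0.113.7 extra", "198.51.100.10", "192.0.2.1"):
        ip = blockable_source(field, args.fw_ip)
        verdict = f"block for {args.block_timeout}s" if ip else "skip"
        print(f"{field!r}: {verdict}")
```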
3. Check the integration on NGFW
After an event is detected, you can check whether the script works as expected by running “show block-ip” on the Hillstone NGFW. IPs in the list will be blocked for the block timeout period defined in Flowmon ADS.
With this simple integration, Hillstone Networks iNGFW and Flowmon ADS constitute a network security protection solution that effectively intercepts threats from the Internet and internal networks. Check out the Hillstone Networks products page and Flowmon ADS to get more information about the joint solution components, or the Flowmon & Hillstone whitepaper to learn more about the joint solution.