Solida systems SL-6000 User manual

Brand: Solida systems

Model: SL-6000

Type: User manual

! !

USER!MANUAL!

Version!2.1!

October!2017!

WWW.SOLIDASYSTEMS.COM

SL-2000!/!SL-4000!/!SL-6000!!Security!Appliances!

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

"#$%&!'(!)'*+&*+,!

1.#Introduction#........................................................................................................................................#4!

1.1#Reputation#Based#Detection#and#Prevention#..................................................................................#4!

1.2#Intrusion#Detection#and#Prevention#...................................................................................................#4!

1.3#Monitoring#and#Logging#..........................................................................................................................#4!

2.#Hardware#Installation#.....................................................................................................................#5!

2.1#Physical#Installation#.................................................................................................................................#5!

2.2#Port#Location#..............................................................................................................................................#6!

2.3#Management#Port#......................................................................................................................................#7!

2.4#Required#Open#Network#Ports#.............................................................................................................#8!

Threat!Intelligence!Updates!........................................................................................................................................!8!

Solida!Monitor!...................................................................................................................................................................!8!

Solida!Multi!.........................................................................................................................................................................!9!

Solida!Notify!and!Email!Notifications!.....................................................................................................................!9!

2.5#Powering#On#The#Appliance#..................................................................................................................#9!

2.6#Powering#Off#The#Appliance#..................................................................................................................#9!

3.#Accessing#The#Web#Applications#..............................................................................................#10!

3.1!Management!Ethernet!Port#....................................................................................................................#10!

3.2#Managing#Users#.......................................................................................................................................#11!

4.#Reputation#Based#Detection#.......................................................................................................#13!

4.1#Overview#...................................................................................................................................................#13!

4.2#DGA#List#.....................................................................................................................................................#13!

4.3#List#Updates#..............................................................................................................................................#14!

5.#Reputation#Threat#List#Updates#................................................................................................#16!

5.1#About#Tor#Exit#Nodes#............................................................................................................................#17!

6.#Deep#Packet#Inspection#Configuration#...................................................................................#18!

7.#User#Black#and#White#Listing#.....................................................................................................#19!

7.1#Overview#...................................................................................................................................................#19!

7.2#Blacklisting#Domain#Names#................................................................................................................#19!

7.3#Blacklisting#IP#Addresses#....................................................................................................................#20!

7.4#Whitelisting#IP#Addresses#...................................................................................................................#20!

7.5#Uploading#a#Blacklist#File#....................................................................................................................#20!

8.#Intrusion#Detection#and#Prevention#Rules#............................................................................#21!

8.1#Rule#Overview#.........................................................................................................................................#21!

8.2#Rule#List#.....................................................................................................................................................#21!

8.3#Export#Rule#File#......................................................................................................................................#22!

8.4#Import#Rule#File#......................................................................................................................................#22!

8.5#Rule#Sets#....................................................................................................................................................#22!

8.6#Activating#a#Rule#Set#..............................................................................................................................#23!

8.7#Operating#Mode#......................................................................................................................................#23!

8.8#Creating#Custom#Rules#.........................................................................................................................#23!

8.9#Rule#Id#........................................................................................................................................................#24!

9.#Events#and#Event#Severity#...........................................................................................................#25!

9.1#Event#Overview#.......................................................................................................................................#25!

9.2#Event#Severity#..........................................................................................................................................#26!

9.2.1!Low!severity!(colored!green!in!the!GUI)!.................................................................................................!26!

9.2.2!Medium!severity!(colored!orange!in!the!GUI)!.......................................................................................!26!

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

9.2.3!Critical!severity!(colored!red!in!the!GUI)!................................................................................................!27!

9.3#Source#and#Destination#IP#Addresses#.............................................................................................#27!

10.#Responding#To#Critical#Events#................................................................................................#28!

11.#Remote#Monitoring#.....................................................................................................................#29!

11.1#Multi#Appliance#Remote#Monitoring#.............................................................................................#29!

11.2#Mobile#Phone#Application#Remote#Monitoring#.........................................................................#30!

11.3#Netflow#Logging#....................................................................................................................................#30!

11.3#Remote#Logging#To#Syslog#Server#..................................................................................................#30!

12.#Single#Appliance#High#Availability#........................................................................................#32!

12.1#Configuration#........................................................................................................................................#32!

13.#Multi#Appliance#High#Availability#..........................................................................................#33!

13.1.#Master#Slave#Configuration#.............................................................................................................#33!

14.#Email#Notification#........................................................................................................................#34!

14.1#Setting#Up#Email#Notification#...........................................................................................................#34!

14.1.1!Email!Notification!...........................................................................................................................................!34!

14.1.2!Instant!Critical!..................................................................................................................................................!34!

14.1.3!Current!Email!Address!.................................................................................................................................!34!

14.1.4!New!Email!Address!........................................................................................................................................!35!

14.2#Event#Notification#Emails#..................................................................................................................#35!

15.#Data#Logging#..................................................................................................................................#36!

15.1#Packet#Logging#......................................................................................................................................#36!

15.2#Dropped#Packet#Logging#...................................................................................................................#36!

15.3#Event#Logging#........................................................................................................................................#37!

15.4#IP#Address#Logging#..............................................................................................................................#37!

15.5#HTTP#Logging#........................................................................................................................................#37!

15.6#Downloading#Log#Files#.......................................................................................................................#38!

15.7#Deleting#Log#Files#................................................................................................................................#38!

16.#System#Software#Updates#.........................................................................................................#39!

17.#Support#Bundle#Generation#.....................................................................................................#41!

17.1#Generating#a#support#bundle#...........................................................................................................#41!

17.2#Downloading#a#support#bundle#......................................................................................................#41!

18.#Report#Generation#......................................................................................................................#43!

Appendix#A.#VoIP#Caller#Blocking#.................................................................................................#44!

A.1#Appliance#Setup#......................................................................................................................................#44!

A.2#Blocked#Numbers#List#..........................................................................................................................#44!

A.3#System#VoIP#Rules#.................................................................................................................................#45!

A.4#Event#Generation#...................................................................................................................................#46!

Appendix#B.#Direct#Access#of#Log#Files#........................................................................................#47!

B.1#Logging#In#To#The#Log#File#Directories#...........................................................................................#47!

B.2#Copying#Out#Log#Files#...........................................................................................................................#47!

B.3#Log#File#Formats#.....................................................................................................................................#47!

Appendix#C.#Solida#Multi#Remote#Monitoring#...........................................................................#48!

C.1#Setting#Up#The#Solida#Multi#Sever#.....................................................................................................#48!

C.2#Configuring#The#Appliance#for#Solida#Multi#..................................................................................#48!

C.3#Required#Network#Ports.#.....................................................................................................................#48!

C.4#Communication#.......................................................................................................................................#48!

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

-.!/*+0'123+4'*!

This!manual!contains!instructions!for!how!to!configure!and!use!the!following!Solida!Systems!

network!security!appliances:!

!SL-2000! Dual!1!Gigabit!Ethernet!ports!

!SL-4000! Quad!1!Gigabit!Ethernet!ports!

!SL-6000! Dual!10!Gigabit!Ethernet!ports!

The!SL-2000,!SL-4000!and!SL-6000!appliances!represent!the!latest!in!network!security!

technology.!They!combine!functionality!that!would!otherwise!require!several!different!devices.!

These!intrusion!detection!and!prevention!systems!offer!reputation!based!detection,!intrusion!

detection!and!prevention,!network!traffic!monitoring!and!packet!logging.!

The!next!sections!will!describe!what!some!of!these!features!mean!for!your!network.!

-.-!5&62+#+4'*!7#,&1!8&+&3+4'*!#*1!90&:&*+4'*!

Solida!Systems!provides!reputational!threat!intelligence!in!the!form!of!a!data!feed!hosted!in!the!

cloud.!This!threat!feed!is!updated!hourly!and!includes!malicious!URLs,!domain!names!and!IP!

addresses.!These!are!harvested!from!various!international!threat!intelligence!sources.!!

The!threat!feed!includes!information!about!current!threats!such!as!ransomware,!phishing!sites,!

trojans!and!many!other!threat!categories.!

-.;!/*+02,4'*!8&+&3+4'*!#*1!90&:&*+4'*!

Intrusion!detection!and!prevention!is!implemented!through!a!rule!engine!and!deep!packet!

inspection!(DPI).!Solida!Systems!provides!pre-defined!rules!and!rule!sets!through!the!cloud!

based!threat!feed.!A!simple!and!intuitive!configuration!page!is!provided!for!users!interested!in!

writing!custom!rules.!

-.<!='*4+'04*>!#*1!?'>>4*>!

!!!

Tools!are!available!to!facilitate!monitoring!and!evidence!collection.!Logs!and!evidence!files!are!

written!in!PCAP!format!and!are!compatible!with!most!industry!standard!analysis!tools.!

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

;.!@#01A#0&!/*,+#%%#+4'*!

;.-!9BC,43#%!/*,+#%%#+4'*!

For the appliance to work as designed it must be installed immediately after the Internet router

and in front of any firewall. It is very important that the appliance is installed IN FRONT of any

firewall. This way the appliance will be able to see all incoming and outgoing packets on the

Internet and gain full exposure to the threat environment.

Figure 2.1 Typical Installation

For networks with high availability requirements it is possible to install two identical appliances

next to each other and configure them in a high availability mode. Please refer to the chapter

Multi Appliance High Availability for instructions on how to configure the appliances in this

mode.

In some rare cases the main switch in the network might use PPPoE for its communication with

the Internet router. All Solida System appliances have support for this type of configuration.

"B&!/*+&0*&+

DE+&0*#%!5'2+&0

F*'!(4%+&04*>G

H'%41#!8&:43&

I40&A#%%

HA4+3B

J'0K,+#+4'*,

H&0:&0,

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

;.;!9'0+!?'3#+4'*!

The!appliances!include!two!different!sets!of!Ethernet!ports.!One!set!is!located!on!the!server!

motherboard.!The!other!set!on!a!high-speed!network!interface!adapter.!

Figure 2.1 SL-2000 back view.

! !

Figure 2.2 SL-4000 back view.

Figure 2.3 SL-6000 back view.

Located!in!the!upper!row!of!the!Ethernet!ports!are!the!ports!used!for!high-speed!network!

traffic.!The!bottom!left!Ethernet!port!on!the!SL-2000!and!SL-4000!is!used!for!device!

management.!The!bottom!right!port!is!currently!unused.!The!bottom!left!port!on!the!SL-6000!

High-speed ports

Port1 Port0

High-speed ports

Port0 Port1

Management Port

High-speed ports

Port3 Port2 Port1 Port0

Management Port

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

appliance!is!used!for!the!device!management.!The!right!side!ports!are!unused.!

The!high-speed!Ethernet!ports!are!named!Port!0!and!Port!1!on!the!SL-2000!and!SL-6000!and!

Port!0!to!Port!3!on!the!SL-4000.!

The!default!factory!configuration!for!the!high-speed!Ethernet!ports!is:!

! Port!0! ! WAN!side! Internet!connected!router!

! Port!1! ! LAN!side!

! Port!2! ! Unused! (for!the!SL-4000!only)!

! Port!3! ! Unused! (for!the!SL-4000!only)!

The!default!factory!settings!can!be!changed!through!the!web!configuration!utility!that!is!

accessed!through!a!browser.!

The!most!common!setup!is!using!the!Solida!appliance!as!an!endpoint!device.!This!allows!for!all!

incoming!and!outgoing!data!packets!to!be!inspected.!This!offers!the!best!protection!against!any!

type!of!malicious!traffic!

For!larger!networks!it!might!be!necessary!to!protect!multiple!sections!of!the!network!with!

dedicated!security!appliances.!For!those!installations!make!sure!that!the!WAN!port!is!connected!

upwards!(towards!the!Internet!router!side).!Conversely!make!sure!the!LAN!side!is!connected!to!

the!sub-partitioned!network.!!

;.<!=#*#>&L&*+!9'0+!

The!management!port!is!used!for!two!purposes:!Accessing!the!configuration!utility!and!the!

monitoring!utility!is!done!through!this!port.!The!management!port!is!also!used!for!updating!the!

threat!list!data!and!for!communicating!with!other!appliances!in!a!high!availability!configuration.!

/+!4,!:&0C!4L6'0+#*+!+B#+!+B&!L#*#>&L&*+!6'0+!#%A#C,!B#,!/*+&0*&+!#33&,,.!This!is!typically!

accomplished!by!connecting!the!management!port!to!a!switch!in!the!LAN!side!of!the!network!

being!protected.!The!default!IP!address!for!the!management!port!is!192.168.1.250.!Please!refer!

to!the!following!chapter!on!how!to!change!this!IP!address.!

The!management!port!IP!settings!configuration!window!includes!a!button!labeled!“Test!

Connection”.!Pressing!this!button!will!generate!a!ping!to!an!IP!address!on!the!Internet.!If!this!

ping!receives!a!response!it!can!be!assumed!the!management!port!has!proper!access!to!the!

Internet.!If!no!response!to!this!ping!is!detected,!the!management!port!does!not!have!the!

required!access!to!the!Internet.!!In!this!case!it!will!be!necessary!to!troubleshoot!the!installation!

and!retry!this!test!until!a!proper!connection!is!made.!

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

;.M!5&N240&1!O6&*!P&+A'0K!9'0+,!

The!appliance!needs!to!be!able!to!connect!with!Solida!Systems!cloud!server!to!retrieve!threat!

intelligence!updates!and!occasional!software!updates.!It!is!very!important!that!this!connection!

is!working!correctly.!Without!a!proper!connection,!the!appliance!will!still!function,!but!the!

threat!intelligence!will!not!be!updated!and!the!remote!monitoring!tools!will!not!be!functional.!

The!domain!name!for!this!cloud!server!is!3%'21B',+.,'%41#,C,+&L,.3'L.!The!server!is!set!up!

with!a!fixed!IP!address.!This!IP!address!can!be!obtained!by!using!nslookup!(windows)!or!the!dig!

tool!(Linux),!if!it!needs!to!be!provided!to!a!firewall.!!

In!case!a!firewall!is!deployed!in!the!network,!it!is!not!required!to!open!up!any!ports!for!incoming!

traffic!from!the!Internet.!All!communication!is!initiated!from!within!the!appliance.!The!only!

exception!to!this!would!be!if!the!user!elects!to!access!the!GUI!applications!from!outside!the!

network!over!the!Internet!without!the!use!of!a!VPN!connection.!This!is!possible!but!not!

recommended.!When!several!ports!are!opened!up!in!the!firewall!it!might!result!in!a!security!

weakness.!!

The!“reputation!threat!list!updates”!configuration!window!includes!a!button!labeled!“Test!

Connection”.!When!pressing!this!button,!the!appliance!will!try!to!connect!with!Solida’s!cloud!

server!the!exact!same!way!it!would!do!for!an!update!of!the!threat!intelligence.!If!this!test!fails,!

the!installation!must!be!checked!to!identify!the!cause!of!the!failure.!This!test!must!complete!

successfully!for!the!appliance!to!be!able!to!download!the!threat!intelligence!data!and!function!

as!designed.!

"B0&#+!/*+&%%4>&*3&!Q61#+&,!

The!threat!intelligence!updates!are!performed!as!follows:!

If!port!22!(SSH!port)!is!opened!in!the!network!for!outgoing!traffic!towards!the!Internet,!all!

threat!intelligence!data!will!be!downloaded!over!this!port.!

If!outgoing!traffic!over!port!22!is!blocked!by!a!firewall,!then!the!appliance!will!default!to!using!

port!443!(HTTPS)!port!for!its!threat!intelligence!download.!

It!is!VERY!IMPORTANT!that!one!of!these!two!paths!are!opened.!Otherwise!the!appliance!will!not!

be!able!to!perform!its!hourly!threat!feed!updates.!

H'%41#!='*4+'0!

Solida!Monitor!GUI!application!is!using!port!443!for!its!communication!with!the!appliance.!It!

supports!an!option!that!performs!a!WhoIs!lookup!of!a!selected!IP!address.!!These!WhoIs!

accesses!are!initiated!from!within!the!appliance!and!take!place!over!port!43.!Port!43!must!be!

opened!for!outgoing!requests!to!the!Internet!for!the!WhoIs!feature!to!work!properly.!

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

H'%41#!=2%+4!

The!multi!appliance!remote!monitoring!tool,!Solida!Multi,!also!requires!either!port!22!or!port!

443!to!be!opened!for!outgoing!communication!towards!the!Internet.!The!appliance!will!also!use!

one!of!these!ports!when!it!pushes!event!data!and!log!files!to!the!server!that!is!hosting!Solida!

Multi.!!

H'%41#!P'+4(C!#*1!DL#4%!P'+4(43#+4'*,!

The!mobile!phone!application,!Solida!Notify,!uses!either!outgoing!port!22!or!port!443!for!its!

event!data!push!needs.!If!email!notification!is!enabled,!this!communication!also!takes!place!on!

either!outgoing!port!22!or!port!443!towards!the!Internet.!

;.R!9'A&04*>!O*!"B&!S66%4#*3&!

The!appliance!is!powered!on!by!pushing!the!button!at!the!front!of!the!appliance.!To!do!this!it!is!

necessary!to!first!remove!the!security!bezel.!Once!powered!on!it!will!take!up!to!4!minutes!or!

more!for!the!appliance!to!become!fully!operational.!!

;.T!9'A&04*>!O((!"B&!S66%4#*3&!

To!power!off!the!appliance,!remove!the!security!bezel!and!push!the!power!button!once.!This!

will!initiate!the!shut-down!procedure!inside!the!appliance.!It!will!take!about!30!seconds!for!the!

appliance!to!properly!shut!itself!down.!It!is!not!advised!to!pull!out!the!power!cord!as!a!way!to!

shut!down!an!appliance.!This!could!result!in!log!data!loss.!

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

<.!S33&,,4*>!"B&!J&$!S66%43#+4'*,!

The!appliances!contain!two!different!software!applications.!One!application!is!used!for!system!

configuration!and!another!for!monitoring.!Both!applications!are!password!protected!to!prevent!

unauthorized!use.!These!applications!are!both!accessed!through!the!appliance!management!

port.!Both!applications!are!accessed!over!HTTPS.!This!makes!it!secure!in!case!a!user!wants!to!

monitor!an!application!from!outside!the!LAN!or!over!the!Internet.!!

3.1!Management!Ethernet!Port!

To!access!the!configuration!and!monitoring!applications,!connect!the!management!port!to!a!

switch!on!the!LAN!side!of!the!network.!Open!a!browser!on!a!computer!connected!to!the!same!

network.!Enter!the!MGNT!port!IP!address!in!the!browser!as!follows:!

! https://192.168.1.250/config! for!the!configuration!application!

! https://192.168.1.250! ! for!the!monitoring!application!

If!everything!is!configured!correctly,!a!login!page!will!appear!in!the!browser!window.!Enter!the!

supplied!user!name!and!password!to!log!in.!Some!networks!might!use!another!IP!address!range!

other!than!192.168.x.x,!for!example!10.32.x.x.!If!this!is!the!case!it!will!be!required!to!change!the!

management!port's!IP!address!before!the!appliance!is!connected!to!the!LAN!side!switch.!!

To!change!the!default!IP!address,!directly!connect!a!computer!with!the!appliance!through!an!

Ethernet!cable.!Make!sure!the!computer's!IP!address!is!set!manually!since!direct!connecting!

bypasses!any!DHCP!server.!Start!the!configuration!utility!by!entering!the!default!IP!address!into!

the!browser!followed!by!/config!(https://192.168.1.250/config).!

Log!into!the!application!and!then!navigate!to!the!page!named!“Configuration”.!Locate!the!box!

labeled!“Change!Management!Port!IP!Settings”.!Change!the!IP!address,!netmask!and!gateway!

fields!to!match!the!ones!used!in!the!network.!In!some!networks!it!might!be!required!to!use!a!

local!corporate!DNS!server!rather!than!a!public!one.!In!these!cases,!enter!the!IP!address!for!the!

local!DNS!server!in!the!DNS!server!field.!!The!appliance!will!use!this!IP!address!for!resolving!the!

domain!for!the!cloud!based!threat!intelligence!data!feed.!!

Once!the!“Activate”!button!is!pressed,!the!appliance!will!be!reconfigured!with!this!new!address!

information.!Note!that!it!will!take!up!to!a!minute!for!this!reconfiguration!to!complete.!A!

countdown!timer!pop-up!window!will!appear!and!show!a!60!second!countdown!after!a!change!

is!activated.!

An!example!is!shown!below:!

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

Figure 3.1 Change management port IP setting box.

Once!the!configuration!of!the!new!IP!addresses!is!complete,!remove!the!directly!connected!

computer!and!connect!the!appliance!to!the!LAN!side!switch.!

The!configuration!window!includes!a!button!labeled!“Test!Connection”.!Pressing!this!button!will!

generate!a!ping!to!an!IP!address!on!the!Internet.!If!this!ping!receives!a!response!it!can!be!

assumed!the!management!port!has!proper!access!to!the!Internet.!If!no!response!to!this!ping!is!

detected,!the!management!port!does!not!have!the!required!access!to!the!Internet.!!In!this!case!

it!will!be!necessary!to!troubleshoot!the!installation!and!retry!this!test!until!a!proper!connection!

is!made.!

<.;!=#*#>4*>!Q,&0,!

The!first!time!the!user!logs!into!either!Web!application,!a!default!factory!username!and!

password!will!be!used.!After!the!first!login!it!is!recommended!to!create!new!users!that!will!be!

allowed!to!log!in!to!the!applications.!Creating!and!managing!the!user!credentials!is!done!

through!the!configuration!application.!First!navigate!to!the!“Configuration”!page!and!then!

locate!the!box!named!“Manage!Users”..!!

Figure 3.2 Add new user box.

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

To!create!a!new!user,!press!the!button!labeled!“Add!User”!and!enter!the!new!credentials!in!the!

indicated!fields.!

The!drop!down!menu!at!the!top!of!the!“Add!New!User”!window!contains!two!options:!

“Monitoring!Only”!and!“Configuration!&!Monitoring”.!Select!“Monitoring!Only”!for!users!that!

are!only!allowed!to!log!into!the!monitoring!application.!The!monitoring!application!does!not!

allow!for!changing!any!configuration!parameters!or!modifying!the!detection!rules.!

©!SOLIDA!SYSTEMS!INTERNATIONAL!2017!

M.!5&62+#+4'*!7#,&1!8&+&3+4'*!

M.-!O:&0:4&A!

The!most!basic!form!of!intrusion!and!malware!detection!goes!under!the!category!of!reputation-

based!detection.!This!type!of!detection!is!performed!by!attempting!to!identify!communication!

with!unfriendly!hosts!on!the!Internet.!These!are!ones!that!are!believed!to!be!malicious,!based!

upon!a!reputation!for!previous!or!ongoing!malicious!activities.!

Reputation!based!detection!is!performed!by!comparing!requested!IP!addresses!or!domain!

names,!against!a!reputation!list!of!hosts!with!negative!reputations.!Solida!appliances!allow!for!

downloading!lists!based!on!domain!names!and!IP!addresses.!The!data!in!these!lists!are!

processed!and!stored!in!hash!tables,!so!that!fast!lookups!can!be!performed!against!them!in!real!

time.!These!lists!are!automatically!downloaded!from!a!cloud-based!service!provided!by!Solida!

Systems.!

Both!DNS!queries!and!HTTP!requests!are!monitored!and!compared!against!the!reputation!list.!If!

a!hit!is!detected,!the!request!can!be!either!flagged!as!suspicious!or!completely!dropped.!It!is!

important!to!recognize!that!a!hit!in!a!reputation!blacklist!doesn’t!always!mean!a!host!is!

malicious.!Hosts!that!were!previously!infected!might!have!been!cleaned!up,!and!the!maintainers!

of!the!reputation!lists!might!not!yet!have!registered!this.!

M.;!8US!?4,+!

The!most!important!data!in!the!threat!feed!is!the!list!of!Domain!Generation!Algorithm!(DGA)!

generated!domain!names.!Many!ransomware!and!other!serious!malware,!use!DGAs!to!generate!

a!large!number!of!domain!names.!These!domain!names!are!used!to!try!and!connect!with!their!

command!and!control!servers!(C2).!The!large!number!of!auto!generated!domain!names!makes!it!

difficult!to!track!and!shut!down!these!C2!servers.!

Most!DGA!engines!use!time!as!the!deciding!factor!for!what!domain!name!to!generate.!Using!

this!method,!a!hacker!will!be!able!to!predict!what!domain!names!their!malware!will!generate,!

so!they!can!be!ready!when!the!malware!attempts!to!connect!to!it!at!any!given!time.!When!the!

hacker!decides!it!is!time!to!provide!C2!access!to!his!malware,!the!hacker!simply!registers!a!

domain!name!with!a!commercial!DNS!service,!for!a!domain!that!the!malware!DGA!will!generate!

in!the!near!future.!When!the!malware!tries!this!specific!DGA!generated!domain,!a!connection!

will!suddenly!be!made.!At!that!point!the!malware!knows!it!has!found!its!C2!server.!

The!Solida!threat!list!contains!a!very!large!amount!of!DGA!domain!names.!These!domain!names!

are!generated!from!actual!DGA!engines,!harvested!from!malwares!collected!from!the!Internet.!

These!DGA!engines!are!running!in!a!server,!generating!their!time!based!domain!names.!This!

way!it!is!possible!to!know!in!advance!what!domain!names!similar!malwares!will!generate!in!the!

wild!at!any!given!point!in!time.!The!threat!feed!contains!on!average!750,000!domain!names,!

covering!a!time!window!of!UTC!–!48!hours!to!UTC!+!24!hours.!This!gives!a!72-hour!sliding!

window!that!covers!all!time!zones!worldwide.!These!domain!names!are!written!to!a!blacklist!in!

the!security!appliances.!All!outgoing!DNS!queries!and!URLs!are!verified!against!this!list!and!

dropped!if!a!match!is!found.!

M.<!?4,+!Q61#+&,!

The!reputation!lists!are!constantly!being!updated!through!a!cloud!based!threat!feed!offered!by!

Solida.!The!appliance!automatically!connects!with!this!cloud!service!once!every!hour,!to!

download!new!updated!versions!of!the!lists.!This!guarantees!that!the!appliance!always!contains!

information!about!the!latest!threats!seen!in!the!wild.!!

To!monitor!the!list!update!process!and!the!list!sizes,!start!the!configuration!application!and!

navigate!to!“Threat!Intelligence!–!Threat!Lists”.!A!similar!page!is!available!at!the!same!location!

in!the!monitoring!application.!The!page!looks!as!follows:!

Figure 4.1 Threat lists overview.

In!the!top!field!named!“Reputation!List!Control!Center”!the!following!information!is!provided:!

P&E+!3%'21!261#+&!–!Shows!the!time!at!which!the!next!list!update!will!be!performed.!

8US!5#*,'LA#0&!D*+04&,!–!The!number!of!DGA!generated!domain!names!in!this!list.!

8'L#4*!5&62+#+4'*!D*+04&,!–!The!number!of!domain!names!in!this!list.!

/9!5&62+#+4'*!D*+04&,!–!The!number!of!IP!addresses!(both!IPv4!and!IPv6)!in!this!list.!

"O5!&*16'4*+,!–!The!number!of!Tor!endpoints!provided!in!this!list!is!included.!

The!above!threat!lists!are!not!user!modifiable.!

The!window!titled!“My!Domain!Name!Blacklist!Entries”!contains!a!button!called!Q6%'#1!I4%&.!

This!button!allows!for!uploading!user!created!lists!to!the!blacklist!engine.!Currently!it!is!only!

possible!to!upload!a!file!containing!a!VoIP!style!telephone!number,!which!is!being!used!for!the!

VoIP!caller-blocking!feature.!Please!refer!to!the!appendix!in!this!document!for!further!

information!about!VoIP!caller!blocking.!

R.!5&62+#+4'*!"B0&#+!?4,+!Q61#+&,!

The!Solida!appliances!obtain!their!threat!information!by!downloading!proprietary!threat!lists!

from!a!cloud-based!server.!There!are!three!categories!of!lists,!which!are!domain!reputation!

blacklist,!IP!reputation!blacklist!and!Tor!exit!node!list.!The!factory!default!is!to!allow!for!all!these!

lists!to!be!included!in!the!cloud!updates.!Changing!this!factory!default!should!only!be!done!in!

very!special!cases.!Disabling!a!list!results!in!the!possibility!of!malicious!packets!being!able!to!

penetrate!the!network!and!cause!escalating!damage.!

To!change!the!factory!default!setting,!start!the!configuration!utility!and!navigate!to!

“Configuration”.!Locate!the!block!titled!“Reputation!Threat!List!Updates”.!It!will!look!as!shown!

in!the!picture!below.!

Figure 5.1 Reputation threat list updates window.

The!following!settings!are!available:!

! Domain!Reputation!Blacklist! !! -! Enabled!–!update!once!per!hour!(default)!

! ! ! ! ! ! -! Disabled!

! IP!Reputation!Blacklist! ! -! Enabled!–!update!once!per!hour!(default)!

! ! ! ! ! ! -! Disabled!

! Tor!Exit!Nodes!! ! ! -! Enabled!–!update!once!per!hour!(default)!

- Disabled!

The!“reputation!threat!list”!updates!configuration!window!includes!a!button!labeled!“Test!

Connection”.!When!pressing!this!button,!the!appliance!will!try!to!connect!with!Solida’s!cloud!

server!the!exact!same!way!it!would!do!for!an!update!of!the!threat!intelligence.!If!this!test!fails,!

the!installation!must!be!checked!to!identify!the!cause!of!the!failure.!This!test!must!complete!

successfully!for!the!appliance!to!be!able!to!download!the!threat!intelligence!data!and!function!

as!designed.!

R.-!S$'2+!"'0!DE4+!P'1&,!

The!Tor!exit!nodes!list!contains!IP!addresses!of!known!Tor!network!end!point!IP!addresses.!It!is!

common!for!hackers!to!use!Tor!exit!nodes!for!their!attack!traffic!to!mask!its!origin.!In!some!rare!

cases,!the!use!of!the!Tor!network!is!valid.!Examples!would!be!in!countries!that!censor!their!

citizens'!Internet!traffic.!In!those!circumstances!the!Tor!network!can!be!used!to!circumvent!such!

censorship.!Then!it!is!recommended!to!disable!the!inclusion!of!Tor!endpoints!in!the!IP!blacklist.!

T.!8&&6!9#3K&+!/*,6&3+4'*!)'*(4>20#+4'*!

Deep!packet!inspection!(DPI)!refers!to!the!process!that!inspects!all!incoming!and!outgoing!

network!packets.!The!factory!default!setting!applies!DPI!on!all!packets,!including!incoming!and!

outgoing!packets.!Only!under!very!special!circumstances!should!the!factory!default!be!changed.!

Changing!the!factory!default!will!prohibit!the!appliance!from!detecting!all!possible!malwares!

and!other!threats.!

To!change!the!factory!default!setting,!start!the!configuration!utility!and!navigate!to!

“Configuration”.!Locate!the!block!titled!“Deep!Packet!Inspection!Configuration”.!It!will!look!as!

shown!in!the!picture!below.!

Figure 6.1 Deep packet inspection configuration window.

The!following!settings!are!available:!

! Packets!from!the!Internet! -! Inspect!all!packets!(Factory!default)!

- Disable!Inspection!

Packets!from!the!LAN!! -! Inspect!all!packets!(Factory!default)!

- Disable!Inspection!

Malformed!Packets! ! -! Drop!all!malformed!packets!(Factory!default)!

- Do!not!drop!malformed!packets!

Hackers!sometimes!intentionally!generate!network!packets!that!are!malformed.!The!reason!

might!be!to!try!and!confuse,!or!even!crash!the!system!stacks!in!the!computers!connected!to!the!

network.!Letting!the!appliances!drop!these!packets!guarantees!that!they!will!not!cause!any!

damage!in!the!protected!LAN.!

V.!Q,&0!7%#3K!#*1!JB4+&!?4,+4*>!

V.-!O:&0:4&A!

The!configuration!application!allows!for!a!user!to!enter!additional!blacklist!and!whitelist!IP!

addresses!and!domain!names.!These!addresses!will!be!appended!to!the!internal!threat!lists!and!

all!network!packets!will!be!checked!against!these!user-entered!addresses.!

PO"DW!NEVER!whitelist!an!IP!address!for!a!Domain!Name!Server!(DNS!server).!Doing!so!will!

cause!the!blacklist!engine!to!skip!checking!DNS!lookup!packets.!Checking!DNS!queries!against!

the!blacklists!is!an!essential!part!of!the!scanning!process.!Bypassing!this!will!allow!malicious!

packets!to!flow!freely!in!and!out!of!the!appliance!without!being!noticed!or!blocked.!

V.;!7%#3K%4,+4*>!8'L#4*!P#L&,!

The!user!can!enter!any!domain!name!into!the!user!managed!blacklist!entry!table.!The!picture!

below!shows!three!different!domain!names!having!been!blacklisted!by!a!user.!

Figure'7.1'User'managed'black'and'white'lists.'

To!blacklist!a!domain,!press!the!button!labeled!“+!Add!Domain!Name”.!Enter!the!domain!name!

and!select!the!action!and!severity!level.!!

Testing!that!the!new!entry!is!blacklisted!can!be!done!by!entering!the!domain!in!a!web!browser!

and!confirming!that!an!event!is!generated!for!the!domain.!

V.<!7%#3K%4,+4*>!/9!S110&,,&,!

IP!addresses!can!be!entered!into!an!IP!address!blacklist!in!a!similar!way!a!domain!name!is!

blacklisted.!To!add!an!IP!address!to!the!user!blacklist,!press!the!button!labeled!“+!Add!IP!

Address”.!Enter!the!IP!address,!IPv4!or!IPv6.!Select!the!desired!action!and!severity!level!and!

press!the!“Save”!button.!The!new!IP!address!will!be!added!to!the!user!blacklist.!

V.M!JB4+&%4,+4*>!/9!S110&,,&,!

It!is!possible!to!add!an!IP!address!to!a!whitelist.!If!this!is!done,!the!security!engine!will!ignore!all!

packets!containing!this!IP!address.!!

PO"DW!NEVER!whitelist!an!IP!address!for!a!Domain!Name!Server!(DNS!server).!Doing!so!will!

cause!the!blacklist!engine!to!skip!checking!DNS!lookup!packets.!Checking!DNS!queries!against!

the!blacklists!is!an!essential!part!of!the!scanning!process.!Bypassing!this!will!allow!malicious!

packets!to!flow!freely!in!and!out!of!the!appliance!without!being!noticed!or!blocked.!

Whitelisting!of!IP!addresses!should!only!be!done!in!very!specific!situations.!Solida!Systems!

strongly!suggests!never!whitelisting!any!IP!addresses.!The!unwanted!side!effect!might!be!that!

the!LAN!side!is!left!unprotected!or!only!performs!a!limited!amount!of!protection.!

V.R!Q6%'#14*>!#!7%#3K%4,+!I4%&!

The!window!titled!“My!Domain!Name!Blacklist!Entries”!contains!a!button!called!Q6%'#1!I4%&.!

This!button!allows!for!uploading!user!created!lists!to!the!blacklist!engine.!Currently!it!is!only!

possible!to!upload!a!file!containing!a!VoIP!style!telephone!number,!which!is!being!used!for!the!

VoIP!caller-blocking!feature.!Please!refer!to!the!appendix!in!this!document!for!further!

information!about!VoIP!caller!blocking.!

Page is loading ...

Solida systems SL-6000 User manual

Brand: Solida systems

Model: SL-6000

Type: User manual

Download PDF

report

Solida systems SL-6000 User manual

Solida systems SL-6000 User manual

Other documents