Introduction to Threat Protection

Threat protection, that device can detect and block network threats occur. By configuring the threat protection function, Hillstone device can defense network attacks, and reduce losses caused by internal network.

Threat protection includes:

• Network Layer Attack Protection: can detect and protect against common DoS / DDoS attack, malicious scanning attacks, spoofing attacks, etc.;
• Application Layer Protection: can detect and protect against mainstream application layer protocols (DNS, FTP, POP3, SMTP, TELNET, MYSQL, MSSQL, ORACLE, NETBIOS);
• Web Protection: can detect and protect against web-based attacks, such as: SQL injection attacks, XSS attacks, protocol anomaly analysis, CC attacks, etc.;
• Trojan Attack Protection: can detect and protect common Trojan attacks;
• Malware Download Protection: can detect the common file types and protocol types which are most likely to carry the virus and protect. Hillstone device can detect protocol types of POP3, HTTP, SMTP, IMAP4 and FTP, and the file types of archives (including GZIP, BZIP2, TAR, ZIP and RAR-compressed archives), PE (supported packing: ASPack 2.12, UPack 0.399, UPX (all versions), FSG v1.3, 1.31, 1.33, 2.0), HTML, Mail, RIFF, CryptFF and JPEG.
• Malicious Website Access Control: can detect malicious URL and specify its response actions.

Hillstone device supports threat protection configurations based on security zones and policies. If a security zone is configured with the threat protection function, the system will perform detection on the traffic that is destined to the binding zone specified in the rule, and then do according to what you specified. If a policy rule is configured with the threat protection function, the system will perform detection on the traffic that is destined to the policy rule you specified, and then response. The threat protection configurations in a policy rule is superior to that in a zone rule if specified at the same time, and the threat protection configurations in a destination zone is superior to that in a source zone if specified at the same time.

Hillstone device supports license-controlled threat protection, i.e., the function will not work unless the license has been installed.

Threat Protection Signature Database

Threat protection signature database includes a variety of attack signatures, virus signatures, malicious URL signatures, Trojans signatures, etc. By default system updates the threat protection signature database everyday automatically. You can change the update configuration as needed. Hillstone devices provide two default update servers: update1.hillstonenet.com and update2.hillstonenet.com. Hillstone device supports auto update and local update.

According to the severity, signatures can be divided into three security levels: critical, warning and informational. Each level is described as follows:

• Critical: Critical attacking events, such as buffer overflows.
• Warning: Aggressive events, such as over-long URLs.
• Informational: General events, such as login failures.