
Example for Configuring Deception

Networking Requirements

On the network shown in Figure 1:

  • A DecoySensor protects IP addresses on the 192.168.1.0/24 network segment from being scanned.
  • The DecoySensor protects TCP ports of devices on the 10.10.10.0/24 network segment from being scanned.
  • If a hacker scans the 192.168.1.0/28 network segment, traffic sent by the hacker is immediately lured to the Decoy.
  • The NMS device with IP address 10.10.11.11 periodically scans whether devices on the entire network are online. Therefore, its IP address needs to be added to the source IP address whitelist.
  • The traditional device with IP address 10.10.10.22 does not respond to IP address scanning or TCP port scanning. Therefore, its IP address needs to be added to the destination IP address whitelist.
Figure 1 Networking diagram of a deception system

Deployment Guidelines

  • You are advised to deploy DecoySensors on access switches.
  • There must be reachable routes between switches and the Decoy.
  • If a firewall is deployed between switches and the Decoy, you need to enable UDP ports 11514 and 10514 on the firewall.
  • The following configurations must be performed on the switch. Otherwise, the deception function does not take effect.
    • VLANIF interfaces are configured to send ARP packets destined for other devices to the CPU using the undo arp optimized-passby enable command.
    • The optimized ARP reply function is disabled using the arp optimized-reply disable command.
    • At least one detection network segment or one bait network segment must be configured.
  • The switch can only detect scanning of IP addresses on the same network segment as the primary IP address of the VLANIF interface.
  • A switch cannot use the virtual IP address of a VRRP group or the IP address of the management network interface to connect to a Decoy.
  • A bait network segment cannot contain the device management address, and cannot be the any-network segment (0.0.0.0). Otherwise, the devices cannot be managed remotely.
  • To enable the Agile Controller-Campus to deliver associated policies to switches, configure the free mobility function on the switches and ensure that the switches can communicate with the Agile Controller-Campus.
  • You can add the IP addresses of devices that proactively detect the network (such as the NMS) to the source IP address whitelist to prevent them from being incorrectly considered to be attackers by DecoySensors.
  • You can add the IP addresses of devices that do not respond to ARP requests and port connection requests (such as traditional printers) to the destination IP address whitelist to prevent normal traffic sent to these devices from being lured.
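The deployment guidelines above are constraints that a wrong deception configuration silently violates, and the page recommends checking the configuration before enabling the function. The following script is an added example (not Huawei's code or any tool from this page): it parses the deception view of a `display this` output and checks it against the guidelines. The sample output is constructed to mirror the format on this page; the management address (`ASSUMED_MGMT_IP`) and the VLANIF primary addresses (`ASSUMED_VLANIF_IPS`) are assumptions, because the page does not state them, and the VRRP virtual IP list is an optional input.

```python
import ipaddress
import re

# Constructed sample of "display this" output from the deception view. It mirrors
# the format shown on this page but is not captured from a real device.
SAMPLE_DISPLAY_THIS = """\
#
deception
 deception whitelist id 1 source 10.10.11.11
 deception whitelist id 2 destination 10.10.10.22
 deception decoy-network id 1 destination 192.168.1.0 255.255.255.240
 deception detect-network id 1 192.168.1.0 255.255.255.0
 deception detect-network id 2 10.10.10.0 255.255.255.0
 deception decoy destination 10.10.11.10 source 10.10.10.1
#
"""

# Assumed (constructed) facts about SwitchA that the guidelines refer to but the
# page does not state: the management interface address and the VLANIF primary IPs.
ASSUMED_MGMT_IP = "10.10.10.254"
ASSUMED_VLANIF_IPS = ["10.10.10.1/24", "192.168.1.1/24"]


def parse_deception_view(text):
    """Pull the deception commands out of 'display this' output into a dict."""
    cfg = {"detect": [], "decoy_nets": [], "wl_src": [], "wl_dst": [],
           "decoy_ip": None, "source_ip": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"deception detect-network id \d+ (\S+) (\S+)", line):
            cfg["detect"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.fullmatch(r"deception decoy-network id \d+ destination (\S+) (\S+)", line):
            cfg["decoy_nets"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.fullmatch(r"deception whitelist id \d+ (source|destination) (\S+)", line):
            key = "wl_src" if m[1] == "source" else "wl_dst"
            cfg[key].append(ipaddress.ip_address(m[2]))
        elif m := re.fullmatch(r"deception decoy destination (\S+) source (\S+)", line):
            cfg["decoy_ip"] = ipaddress.ip_address(m[1])
            cfg["source_ip"] = ipaddress.ip_address(m[2])
    return cfg


def check_guidelines(cfg, mgmt_ip, vlanif_ips, vrrp_vips=()):
    """Return a list of guideline violations; an empty list means the config passes."""
    problems = []
    mgmt = ipaddress.ip_address(mgmt_ip)
    vlanif_nets = [ipaddress.ip_interface(i).network for i in vlanif_ips]
    vips = {ipaddress.ip_address(v) for v in vrrp_vips}

    # At least one detection network segment or one bait network segment must exist.
    if not cfg["detect"] and not cfg["decoy_nets"]:
        problems.append("neither a detect-network nor a decoy-network is configured")

    # The Decoy connection must use a real interface address, not a VRRP VIP or
    # the management interface address.
    if cfg["decoy_ip"] is None:
        problems.append("no 'deception decoy destination ... source ...' command")
    elif cfg["source_ip"] in vips:
        problems.append(f"decoy source {cfg['source_ip']} is a VRRP virtual IP")
    elif cfg["source_ip"] == mgmt:
        problems.append(f"decoy source {cfg['source_ip']} is the management interface address")

    # A bait network must not be 0.0.0.0/0 and must not contain the management address.
    for net in cfg["decoy_nets"]:
        if net.prefixlen == 0:
            problems.append(f"decoy-network {net} is the any-network segment (0.0.0.0)")
        if mgmt in net:
            problems.append(f"decoy-network {net} contains management address {mgmt}")

    # Scanning is only detected on the segment of a VLANIF primary address.
    for net in cfg["detect"]:
        if not any(net.subnet_of(v) for v in vlanif_nets):
            problems.append(f"detect-network {net} matches no VLANIF primary address")
    return problems


if __name__ == "__main__":
    parsed = parse_deception_view(SAMPLE_DISPLAY_THIS)
    findings = check_guidelines(parsed, ASSUMED_MGMT_IP, ASSUMED_VLANIF_IPS)
    for line in findings or ["configuration passes the deployment guidelines"]:
        print(line)
```

Paste the real `display this` output in place of the constructed sample and fill in the switch's actual management and VLANIF addresses; the checks that matter most before `deception enable` are the bait-network ones, because a bait segment that swallows the management address cuts off remote management.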

Procedure

  1. Deploy DecoySensors on switches. The following uses SwitchA as an example. The configuration on the other switches is similar and is not described here.
    1. Create a VLAN and add interfaces to the VLAN.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 10
      [SwitchA] interface GigabitEthernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] port link-type access
      [SwitchA-GigabitEthernet0/0/1] port default vlan 10
      [SwitchA-GigabitEthernet0/0/1] quit

    2. Create a VLANIF interface and configure it to send ARP packets destined for other devices to the CPU.

      [SwitchA] interface Vlanif 10
      [SwitchA-Vlanif10] ip address 10.10.10.1 24
      [SwitchA-Vlanif10] undo arp optimized-passby enable
      [SwitchA-Vlanif10] quit

    3. Disable the optimized ARP reply function.

      [SwitchA] arp optimized-reply disable

    4. Configure an IP address for the Decoy.

      [SwitchA] deception
      [SwitchA-deception] deception decoy destination 10.10.11.10 source 10.10.10.1

    5. Configure a detected network segment.

      [SwitchA-deception] deception detect-network id 1 192.168.1.0 255.255.255.0
      [SwitchA-deception] deception detect-network id 2 10.10.10.0 255.255.255.0

    6. Configure a bait network segment and a deception whitelist.

      [SwitchA-deception] deception decoy-network id 1 destination 192.168.1.0 255.255.255.240
      [SwitchA-deception] deception whitelist id 1 source 10.10.11.11
      [SwitchA-deception] deception whitelist id 2 destination 10.10.10.22

    7. Verify the deception configuration.

      # If the configuration is incorrect, normal network traffic may be affected. Therefore, verify the deception configuration before enabling the deception function.

      [SwitchA-deception] display this
      #
      deception
       deception whitelist id 1 source 10.10.11.11
       deception whitelist id 2 destination 10.10.10.22
       deception decoy-network id 1 destination 192.168.1.0 255.255.255.240
       deception detect-network id 1 192.168.1.0 255.255.255.0
       deception detect-network id 2 10.10.10.0 255.255.255.0
       deception decoy destination 10.10.11.10 source 10.10.10.1
      #

    8. Enable the deception function.

      [SwitchA-deception] deception enable
      [SwitchA-deception] quit

    9. Configure the free mobility function.

      [SwitchA] group-policy controller 10.10.11.12 password Huawei@2018 src-ip 10.10.10.1

  2. Configure the Decoy in the CIS.
    1. Configure the deception service.

      1. Log in to the CIS using an administrator account.
      2. Choose System > System Management > Service, and click Deception to expand the list of deception service instances.
      3. Click in the Operation column of the Decoy host. The Deception CisServer page is displayed. On the Basic configuration tab page, set parameters and click Save.

        Parameter                         Description
        Deception Service IP/MASK         IP address and subnet mask of the Decoy.
        Log Server IP Acquisition Mode    The Auto mode is recommended, because deception information is transmitted to the collector through an internal interface more quickly in this mode. If you select the Manual mode, enter the IP address of the collector.
        Destination IP/MASK               IP address and subnet mask of the DecoySensor.
                                          NOTE: The Destination IP/MASK and Gateway IP parameters need to be set only when the IP addresses of the DecoySensor and the Decoy are on different network segments.
        Gateway IP                        Gateway IP address used by the Decoy to access the DecoySensor.

    2. Enable the corresponding deception rule.

      # Return to the CIS homepage, choose Correlation Analysis > Correlation Rule, select the target rule, and click Enable. You can enable an existing rule or create and enable a new rule.

    3. Configure the log source.

      1. Choose System > System Management > Log Source.
      2. Click Log Source addition, configure the DecoySensor as the log source, and click OK. In the dialog box that is displayed, click OK.

      3. Choose System > System Management > Service.
      4. Click Collector to view the running status of the host where the collector service resides.
      5. Click in the Operation column of the Decoy host. The collector configuration page is displayed.
      6. Click Add, select the log source to be associated, and click Next.

      7. Set the log collection mode to SYSLOG for the log source, click Add, and then click Finish.

  3. Configure parameters used by the CIS to deliver associated policies to the Agile Controller-Campus.
    1. Configure the Agile Controller-Campus.

      1. Log in to the Agile Controller-Campus using an administrator account.
      2. Choose System > Terminal Configuration > Global Parameters > Third-Party Interconnection.
      3. Click Configure Restful Webservice Authentication, enable HTTP protocol and HTTPS protocol, set Account to admin, and set Authentication password and Confirm password to Huawei@2018. After setting the parameters, click OK.

    2. Configure the CIS.

      1. Return to the CIS homepage and choose Security Response > Linkage Device Conf. On the Device tab page, click Add and configure the Agile Controller-Campus information. The user name and password must be the same as those configured on the Agile Controller-Campus. After setting the parameters, click Save.

      2. Choose Linkage Rule Conf from the navigation tree. On the Linkage Rule tab page, click Create to create an associated rule. Configure the rule based on your networking requirements and click OK.

      3. Select the new associated rule and click On.

  4. Configure parameters used by the Agile Controller-Campus to deliver associated policies to the DecoySensor.

    # Choose Resource > Device > Device Management, click Add, click XMPP, specify the name and IP address of the DecoySensor, select Enable XMPP, and set Configuration mode to Manual. The IP address and password must be the same as those in the free mobility configuration on the switch. After setting the parameters, click OK.

  5. Verify the configuration.
    1. View the lured traffic.

      # Log in to the CIS and choose Intelligent Retrieval > Event Retrieval to view the deception events.

    2. Check whether the CIS has delivered the associated rule to the Agile Controller-Campus.

      # Log in to the CIS, choose Security Response > Linkage Device Conf, and click the Results tab. If Linkage Status shows Linkage Success, the CIS has successfully delivered the associated rule to the Agile Controller-Campus. The following figure is for reference only.

    3. Check whether the Agile Controller-Campus has delivered the associated rule to the DecoySensor.

      # Run the display current-configuration command on the switch. If information similar to the following is displayed, the Agile Controller-Campus has delivered the ACL rules for blocking attack traffic to the switch.

      [SwitchA] display current-configuration
      ...
      #
      acl name Auto_PGM_OPEN_POLICY 3999
       rule 1 deny ip source 10.10.10.35 0 destination 10.10.10.2 0
      #
      ...
      #
      traffic-secure inbound acl name Auto_PGM_OPEN_POLICY
      #
      ...
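Step 5.3 verifies the end of the chain by eye: an `Auto_PGM_OPEN_POLICY` ACL with a deny rule, applied inbound with `traffic-secure`. The following script is an added example (not Huawei's code or part of this page's procedure) that performs the same check over saved `display current-configuration` output, and additionally flags a deny rule whose source is in the DecoySensor source whitelist, which would mean a whitelisted scanner such as the NMS was blocked by the linkage rule. The configuration excerpt is constructed to mirror the output shown above, and the `whitelist_sources` argument is assumed to be the same addresses as the `deception whitelist ... source` commands on the switch.

```python
import re

# Constructed excerpt of "display current-configuration" output, mirroring the
# ACL this page shows after the Agile Controller-Campus delivers the linkage
# policy. Not captured from a real switch.
SAMPLE_CURRENT_CONFIG = """\
...
#
acl name Auto_PGM_OPEN_POLICY 3999
 rule 1 deny ip source 10.10.10.35 0 destination 10.10.10.2 0
#
...
#
traffic-secure inbound acl name Auto_PGM_OPEN_POLICY
#
...
"""

# "rule <id> <action> ip source <ip> <wildcard> destination <ip> <wildcard>"
RULE_RE = re.compile(r"rule (\d+) (deny|permit) ip source (\S+) \S+ destination (\S+) \S+")


def parse_acls(text):
    """Map each named ACL to its list of (rule id, action, source, destination)."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := re.match(r"acl name (\S+)", line):
            current = m[1]
            acls.setdefault(current, [])
        elif line.startswith("#"):
            # A '#' line closes the current configuration block.
            current = None
        elif current and (m := RULE_RE.match(line.strip())):
            acls[current].append((int(m[1]), m[2], m[3], m[4]))
    return acls


def applied_inbound_acls(text):
    """Names of ACLs applied with 'traffic-secure inbound acl name ...'."""
    return set(re.findall(r"^traffic-secure inbound acl name (\S+)", text, re.M))


def linkage_status(text, acl_name="Auto_PGM_OPEN_POLICY", whitelist_sources=()):
    """Summarise whether the linkage ACL was delivered, applied, and whom it blocks."""
    acls = parse_acls(text)
    rules = acls.get(acl_name, [])
    denied = [(src, dst) for _, action, src, dst in rules if action == "deny"]
    whitelist = set(whitelist_sources)
    return {
        "delivered": acl_name in acls and bool(denied),
        "applied": acl_name in applied_inbound_acls(text),
        "blocked_pairs": denied,
        # A deny rule against a whitelisted scanner means the whitelist did not
        # exempt it and the linkage rule fired on its traffic.
        "whitelisted_blocked": sorted({src for src, _ in denied if src in whitelist}),
    }


if __name__ == "__main__":
    status = linkage_status(SAMPLE_CURRENT_CONFIG, whitelist_sources=["10.10.11.11"])
    for key, value in status.items():
        print(f"{key}: {value}")
```

Both `delivered` and `applied` must be true for the block to be in effect: an ACL that exists but is not referenced by `traffic-secure inbound` does nothing.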

Copyright © Huawei Technologies Co., Ltd.