SOCFortress Integrations — Sangfor Next Generation Firewalls (NGFW)

Need Help?

The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

SOCFortress integration and visualisation tools allow security analysts to visualise and triage Sangfor Next Generation Firewalls (NGFW) logs and events using a single pane of glass.

About Sangfor NGFW

Sangfor firewalls, particularly their Next-Generation Firewalls (NGFW), are designed to provide comprehensive network security by integrating multiple security features into one platform.

Sangfor’s firewalls are well-suited for businesses that need robust security without the complexity and costs of larger, enterprise-grade solutions.

The NGFWs are also popular among MSPs due to their ease of management, multi-tenancy features, and affordability.

Main features and capabilities

  • Application Control: Sangfor firewalls provide deep visibility into applications and allow granular control over which apps can be used, helping to reduce shadow IT risks.
  • Intrusion Prevention System (IPS): Their firewalls include an advanced IPS to detect and block malicious traffic, such as zero-day exploits, by using signature-based and behaviour-based techniques.
  • Web Filtering: Sangfor offers customisable web filtering policies, blocking access to harmful or unproductive websites, which is useful for corporate environments looking to enforce policies.
  • Integrated VPN: It offers VPN services, including SSL VPN and IPSec VPN, which are crucial for secure remote access and inter-branch communication.
  • Sandboxing: Sangfor integrates sandbox technology, isolating suspicious files and executables in a controlled environment to analyse potential threats without compromising the network.
  • Threat Intelligence Integration: The firewall is capable of utilising global threat intelligence feeds to keep up with the latest threats and block suspicious IPs, domains, or files based on real-time information.
  • Advanced Threat Detection (APT Protection): Sangfor firewalls can detect and mitigate advanced persistent threats (APTs) by continuously monitoring for unusual or unauthorised behaviours within the network.
  • User and Device Awareness: These firewalls can identify and manage traffic based on user identities and devices, allowing for more precise policy enforcement.
  • High Availability & Load Balancing: Sangfor firewalls support clustering and load balancing to ensure high availability and performance across complex network environments.
  • Cost-Effective: Compared to some competitors, Sangfor’s solutions are often more cost-effective, making them an attractive option for small to medium-sized enterprises (SMEs) and managed service providers (MSPs).
  • Integration with Other Sangfor Products: Sangfor firewalls often integrate well with other Sangfor solutions, such as their Endpoint Detection and Response (EDR) tools and Virtual Desktop Infrastructure (VDI). This makes it easier to deploy a unified security strategy across both the network and endpoints.

Ingesting Sangfor NGFW Security Logs and Events

Reference: https://docs.trendmicro.com/en-us/documentation/article/trend-micro-web-security-online-help-cloud-syslog-forward

If the selected log format is CEF:

<source> fwlog[3411740]: CEF:0|Sangfor|NGAF|AF8.0.85|7|Service Control or Application Control

Analysing Sangfor firewall logs can provide valuable insights into network security, performance, and user activity. Below is an overview of some log types and what to look for in each category to identify potential issues or risks (in the example above, the log type is “Service Control or Application Control”).

1. Traffic Audit Logs
 — Identify Anomalies: High volumes of data from unexpected IPs or unusual times can indicate unauthorised access or data exfiltration attempts.
 — Protocol and Port Usage: Find unexpected protocols or ports being used, which may indicate potential security risks.
 — Top Communicating IPs: Check for unusual patterns, such as spikes in connections from a single IP or communication with foreign IPs.

2. Service Control / Application Control Logs
 — Unapproved Applications: Detect unauthorised applications being used within the network. For example, VPNs or file-sharing apps may indicate data leakage risks.
 — Blocked Attempts: Frequent blocks on specific applications or services could suggest users are attempting to bypass policies.
 — Usage Patterns: Track which applications are most used, aiding in resource allocation and policy adjustments for critical applications.
 — Policy Violations: Monitor repeated violations to assess if policy adjustments are needed for more effective controls.

3. APT (Advanced Persistent Threat) Detection Logs
 — Suspicious Patterns: Look for signs of APTs, like unusual authentication attempts, escalated privileges, or lateral movement across the network.
 — Detection of Known Signatures: Sangfor APT detection may use threat intelligence to detect known APT tactics and methods.
 — Long-term Attack Evidence: APTs often involve consistent, low-key activity. Patterns of repeated small data transfers, consistent communication with unusual IPs, or rare protocols can indicate APT presence.

4. User Authentication Logs
 — Failed Login Attempts: Repeated failures may indicate a brute-force attack or unauthorized access attempts.
 — Access Times: Identify any users logging in at unusual times, which might indicate compromised accounts.
 — Source of Authentication: Monitor the IPs and devices used for login attempts, which can help detect unusual access points or potential spoofing.

5. IPS (Intrusion Prevention System) Logs
 — Exploit Attempts: Identify attempts to exploit known vulnerabilities within your infrastructure, such as SQL injection or buffer overflow attempts.
 — Attack Types: Sangfor IPS logs categorise attacks (e.g., network scan, brute-force, malware). Understanding these categories helps in assessing immediate risk and planning mitigation.
 — Frequent Targets: Identifying commonly targeted assets (e.g., specific servers or IPs) can guide where to reinforce security measures.
 — False Positives: Some alerts may be false positives; analyzing patterns over time can help refine IPS rules to minimize noise.

6. DoS (Denial of Service) Logs
 — Unusual Traffic Spikes: Look for massive amounts of traffic targeting a specific server or IP, especially if using protocols prone to DoS abuse (e.g., HTTP, DNS).
 — Source IP Patterns: Repeated connections from a single IP, or multiple IPs targeting the same service, might indicate a coordinated DoS or DDoS attack.

7. System Failure Logs
 — Hardware/Software Failures
 — Service Interruptions
 — Unexpected Reboots

Regularly reviewing these logs and correlating patterns across different log types can enhance your threat detection capabilities and give a holistic view of network security health. Automated alerts and regular audits can also streamline monitoring and help address issues proactively.
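As an added example (not SOCFortress or Sangfor code), the sketch below parses the CEF header shown above, tolerating the truncated form in the sample line, and applies the "Blocked Attempts" check by counting denied events per log type and source IP. The severity values and the extension keys `src`, `dst`, `act` and `app` are standard CEF keys assumed here for illustration; the page does not show the extension fields Sangfor actually emits, and the sample lines are constructed.

```python
import re
from collections import Counter

# CEF:Version|Vendor|Product|DeviceVersion|EventClassID|Name|Severity|Extension
CEF_START = re.compile(r"CEF:(\d+)\|")
FIELD = re.compile(r"((?:\\.|[^|\\])*)(\||$)")      # one header field; "\|" is an escaped pipe
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # extension values may contain spaces
NAMES = ["vendor", "product", "device_version", "class_id", "name", "severity"]

def parse_cef(line):
    """Return the CEF header and extension of a syslog line, or None if it has no CEF."""
    start = CEF_START.search(line)
    if not start:
        return None
    event, pos = {"cef_version": int(start.group(1)), "ext": {}}, start.end()
    for name in NAMES:
        field = FIELD.match(line, pos)
        if not field:                    # malformed escape: keep what was parsed so far
            return event
        event[name] = re.sub(r"\\(.)", r"\1", field.group(1)).strip()
        pos = field.end()
        if field.group(2) != "|":        # header ends early, as in the page's sample line
            return event
    event["ext"] = {k: v.strip() for k, v in EXT_PAIR.findall(line[pos:])}
    return event

def repeated_blocks(lines, threshold=3):
    """Count denied events per (log type, source IP); return those at or above threshold."""
    hits = Counter()
    for line in lines:
        ev = parse_cef(line)
        if ev and ev["ext"].get("act", "").lower() in {"deny", "block"}:
            hits[(ev.get("name"), ev["ext"].get("src"))] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Header as on the page; everything appended after it below is constructed sample data.
HDR = "fwlog[3411740]: CEF:0|Sangfor|NGAF|AF8.0.85|7|Service Control or Application Control"
SAMPLE = [
    HDR,                                  # truncated header: no severity, no extension
    HDR + "|5|src=10.0.0.5 dst=203.0.113.9 act=Deny app=Remote Access VPN",
    HDR + "|5|src=10.0.0.5 dst=203.0.113.9 act=Deny app=Remote Access VPN",
    HDR + "|5|src=10.0.0.5 dst=198.51.100.7 act=Deny app=File Sharing",
    HDR + "|3|src=10.0.0.8 dst=198.51.100.7 act=Allow app=Web Browsing",
    "kernel: link up on eth0",            # non-CEF line, ignored
]

if __name__ == "__main__":
    print(repeated_blocks(SAMPLE))
```

In production the threshold would be applied per time window rather than over the whole input, and the key names adjusted to match the fields your firewall actually sends.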

Visualisations

SOCFortress Landing Page:

Events received and logs by firewall:

Detected protocols and applications:

Log types:

(see previous section for log analysis cases)

Original link: https://socfortress.medium.com/socfortress-integrations-sangfor-next-generation-firewalls-ngfw-72b161594fa0?source=rss-36613248f635------2