Nebula - Collaborative Detection & Response (CDR)

Created - Updated
Serhii Boiarynov
Print Friendly and PDF
Have more questions? Submit a request

In recent years, rapidly expanding attacks surface. More and more companies are encountering a higher risk of a transgression than ever before as they are unable to retain security expertise to keep their network away from current threats.

Collaborative Detection and Response is a feature enhancement that further improves the function of regular UTM service. It can block all the client IP traffic when it detects an unsafe connection or when it reaches the pre-set threshold.

When a client’s traffic hits its threshold in CDR, the device will block the client routing traffic.

Moreover, it protects and secures the network all the way up to the access layer by “collaborating” gateway with Access Points.
Scenario as below:
vof3a6t9opyx.png
*Note: CDR is only supported by the USG FLEX series.

Using the CDR feature requires a UTM Security Pack license and Nebula Pro Pack license; without valid licenses, CDR will discontinue its full or partial functionality.

 

CDR

Without

UTM Security Pack

With

UTM Security Pack

After

UTM Security Pack Expires

With


Nebula Pro Pack

CDR will not function:

- Grey out all settings in the CDR GUI page

CDR full functionality

CDR will discontinue its full functionality:​

1. For “Enabled” state, it will show “Enabled” and being grey out​.
2. For “Disabled” state, it will show “Disabled” and being grey out.
3. The rule settings including Exempt List ​will remain kept.
4. Will release all stations, including those being quarantined.
5. Quarantine VLAN will remain kept, not being changed​.

With


Nebula Base/Plus Pack

CDR will not function:

- Grey out all settings in the CDR GUI page

CDR partially functions:

1. Every GUI page of CDR feature is still configurable including block/quarantine. Configuration should be saved.​
2. Print notification message to inform the user that CDR will not be fully function​al
3.CDR event detection is still functional
4. CDR triggered events still log in the cloud intelligent log.
5. Block/quarantine/Alert will discontinue its function​.
6. Will release all block/quarantine clients.

 

CDR will discontinue its full  functionality:​

1. For “Enabled” state, it will show “Enabled” and being grey out.​
2. For “Disabled” state, it will show “Disabled” and being grey out.​
3. The rule settings including Exempt List​ will remain kept.
4. Will release all stations, including those being quarantined.​

5. Quarantine VLAN will remain kept, not being changed.



How to configure CDR?

1. Go to Site-wide > Configure > Collaborative detection & response, click on “Enable” to activate CDR feature.
bozg8iq8jhff.png
                                    Figure 1. Collaborative detection & response

2. Here is the policy table where you could configure the criteria and the actions, as the figure below:
6ag05l5v4sq3.png
                                          Figure 2. Collaborative detection & response

Occurrence: how many times of threat hit[HW1]  by a client.
Duration: Within the time duration, CDR detects a threat.
Containment: the action when both criteria have been triggered.

Containment has 3 options:

  1. Alert: NCC sends an alert email to administrators when triggered. Illegal traffic will be blocked by the security service function.
  2. Block: NCC sends an alert email to administrators. Gateway or AP will block the traffic and redirect it to the block page
Note: Block wireless client is only supported on AP. The client cannot connect to the wifi during the block duration.
    3. Quarantine: NCC sends an alert email to administrators. AP will disconnect client’s
        wifi connection and then when the client connects to the wifi again, it will get the
        quarantine VLAN IP.

Note: Quarantine function only work on AP.

 

CDR database includes:

IDP Signatures:

  • CVE-2019-0708(117760, 130797, 130801),CVE-2020-0796(130822,130823,130824,130825), 117723, 117724, 117726

Anti-Malware Signature:

  • All Signatures

URL Threat Filter Categories:

  • Browser Exploits, Malicious Downloads, Malicious Sites, Phishing

 

3. The containment field, where you could customize the pop-out message for the client who has been blocked by CDR and the containment time interval.
b6w7dtcs8qf0.png
4. As figure 3 below:
Block is to prevent the malicious clients to access the wireless network
Quarantine is for AP (that supports CDR) that uses dynamic VLAN assignment to isolate clients.
oqppsoxayieu.png
            Figure 3. Containment

5. Exempt list is a white list where you could input the IP or MAC of the device which you don’t want to be blocked by CDR.
asha8n588375.png
                                  Figure 4. Exempt list

Example of a client blocked by CDR
1. When a client had surfed a malicious website and the act triggered the CDR criteria, the client browser will pop out a warning message as the figure shown below:
6bgq5cggd2rs.png
                              Figure 5. CDR warning message

How can the administrator release the client?
1. Go to Site-wide > Monitor > Containment list, you may choose “Release” or “Add to Exempt list”.

atqmswy8ufwr.png
                                             Figure 6. Containment list

Articles in this section

See more
Was this article helpful?
0 out of 0 found this helpful
Share