Chapter 7 Advanced Protection

NG-UTM employs Collaborative Protection between Abnormal IP Analysis and Switches to monitor the status of internal machines in real-time.
When abnormal packets are detected within the internal network, NG-UTM blocks the transmission of such packets, assisting administrators in promptly resolving abnormal situations.
This allows administrators to immediately identify which computer is causing the issue on which switch port, preventing network paralysis.
The concept of Collaborative Protection is simple: the UTM and the switches communicate with each other, and each contributes its own strengths.
In essence, when a security issue detected by the UTM leads to an action such as blocking, SNMP or TELNET/SSH commands are sent to the switch to block or control the affected port.
This approach leaves user habits unchanged while problematic computers are isolated within a small range as soon as an abnormality is detected.

Figure 7-1 Basic Concept of Collaborative Defense

Generally, Layer 2 switches supporting SNMP protocol are affordable in the market.
Therefore, our solution is not hindered by cost or deployment issues.
Even if comprehensive deployment of such switches is not feasible due to cost constraints,
chaotic areas within the intranet can still be contained within a limited range.
Choosing switches for Collaborative Protection allows for the execution of IP-PORT-MAC locking functionality.

7-1. Anomaly IP Analysis

When NG-UTM detects abnormal levels of network packet transmission between interfaces,
actions such as recording, notification, and blocking can be taken to ensure the normal operation of the network.
1. Recording:
When the number of connections or upload/download traffic exceeds the set value between interfaces,
NG-UTM records the triggered event and the source IP address.
2. Notification:
When the number of connections or upload/download traffic exceeds the set value between interfaces,
NG-UTM records the triggered event and the source IP address, and notifies administrators according to the configured method.
3. Blocking:
When the number of connections or upload/download traffic exceeds the set value between interfaces,
NG-UTM records the triggered event and the source IP address and blocks the behavior from continuing according to the configured method.
From the perspective of network packet transmission, regardless of the software used, several phenomena can be observed: connection sessions, flow, and duration.
By detecting combinations of these quantities, it is possible to estimate whether users are using the network normally or exhibiting abnormal behavior.
For example, when streaming videos, approximately 5Mbps of download bandwidth is typically used for a sustained period, but it does not occupy upload bandwidth or create excessive connection sessions.
Administrators can set values that are not triggered under normal network behavior, for NG-UTM to act as the first line of defense.
Upon detecting abnormal user behavior, administrators can implement bandwidth restrictions, blocking, or notify switches to close the PORT, among other measures, based on their requirements.
For instance, in a dormitory network, which requires strict enforcement, bandwidth can be reduced for users violating regulations, allowing them to use the network “slowly.”
In terms of settings, record setting ≤ notification setting ≤ blocking setting.
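The tiered record/notify/block evaluation described above, as an added example that is not ShareTech's code: the thresholds, the per-second counters and the "continues for a period" window are constructed assumptions, and the Trusted IP exemption of 7-1-5 is modelled as a per-category exemption.

```python
"""Tiered anomaly-IP evaluation modelled on the NG-UTM record/notify/block logic.

Added illustration, not ShareTech code. Thresholds, samples and the sustain
window are constructed; NG-UTM exposes the real values as settings.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

METRICS = ("sessions", "tx_kbps", "rx_kbps")
TIERS = ("record", "notify", "block")          # least to most severe


@dataclass(frozen=True)
class Thresholds:
    sessions: int   # concurrent connection sessions
    tx_kbps: int    # Zone Out (TX)
    rx_kbps: int    # Zone In (RX)


@dataclass(frozen=True)
class Sample:
    """One per-second counter snapshot for a source IP on its outgoing ZONE (constructed)."""
    src_ip: str
    sessions: int
    tx_kbps: int
    rx_kbps: int


def validate_tiers(cfg: Dict[str, Thresholds]) -> None:
    """Enforce the manual's rule record <= notify <= block for every metric."""
    for m in METRICS:
        r, n, b = (getattr(cfg[t], m) for t in TIERS)
        if not r <= n <= b:
            raise ValueError(f"{m}: need record ({r}) <= notify ({n}) <= block ({b})")


def highest_tier(s: Sample, cfg: Dict[str, Thresholds]) -> Optional[str]:
    """Most severe tier whose threshold the sample exceeds on any single metric."""
    hit = None
    for tier in TIERS:
        if any(getattr(s, m) > getattr(cfg[tier], m) for m in METRICS):
            hit = tier
    return hit


def sustained_tier(seq: List[Sample], cfg, sustain_secs: int) -> Optional[str]:
    """Highest tier held for sustain_secs consecutive samples ("continues for a period")."""
    best = None
    for tier in TIERS:
        run = 0
        for s in seq:
            t = highest_tier(s, cfg)
            run = run + 1 if t is not None and TIERS.index(t) >= TIERS.index(tier) else 0
            if run >= sustain_secs:
                best = tier
                break
    return best


def evaluate(samples, cfg, sustain_secs=3, trusted=None):
    """Decide per source IP: the highest sustained tier, stepped down past any tier
    the IP is exempt from (Trusted IP categories), plus the peak values reached."""
    validate_tiers(cfg)
    trusted = trusted or {}
    by_ip: Dict[str, List[Sample]] = {}
    for s in samples:
        by_ip.setdefault(s.src_ip, []).append(s)
    decisions = {}
    for ip, seq in by_ip.items():
        tier = sustained_tier(seq, cfg, sustain_secs)
        # A run that reaches "block" also reaches "notify" and "record", so an
        # exemption simply steps down to the next lower, non-exempt tier.
        while tier is not None and tier in trusted.get(ip, set()):
            i = TIERS.index(tier)
            tier = TIERS[i - 1] if i > 0 else None
        if tier is not None:
            peak = {m: max(getattr(s, m) for s in seq) for m in METRICS}
            decisions[ip] = {"action": tier, "peak": peak, "duration_s": len(seq)}
    return decisions


# Constructed configuration: record <= notify <= block on every metric.
CFG = {
    "record": Thresholds(sessions=200, tx_kbps=2000, rx_kbps=5000),
    "notify": Thresholds(sessions=300, tx_kbps=3000, rx_kbps=8000),
    "block":  Thresholds(sessions=500, tx_kbps=5000, rx_kbps=10000),
}
TRUSTED = {"192.168.1.99": {"notify"}}   # exempt from Notify only, still Recorded


def sample_window() -> List[Sample]:
    """Five seconds of constructed counters for four internal hosts."""
    s = []
    for _ in range(5):
        s.append(Sample("192.168.1.20", 30, 100, 5000))   # video stream: ~5 Mbps RX, few sessions
        s.append(Sample("192.168.1.77", 800, 300, 400))   # session flood, sustained, over block
        s.append(Sample("192.168.1.99", 40, 3500, 600))   # TX over notify but under block
    # Short burst over the block value that is not sustained long enough to count
    s += [Sample("192.168.1.88", 600, 50, 50)] * 2 + [Sample("192.168.1.88", 20, 50, 50)] * 3
    return s


if __name__ == "__main__":
    for ip, d in evaluate(sample_window(), CFG, 3, TRUSTED).items():
        print(ip, d)
```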

7-1-1. Common Setup

Select the detection interface, where NG-UTM lists all configured interfaces for administrators to check.
Only active interfaces will have detection services enabled.

7-1-2. Log Anomaly

When events occur where network packets exceed the set value, NG-UTM records the source IP address, trigger count, and duration at the time for later reference by administrators.
This setting applies to all interfaces (ZONES) of NG-UTM.
• Basic Settings
Abnormal traffic detection thresholds on the outgoing interface (ZONE) of the internal computers.

Figure 7-2 Record settings for abnormal IP analysis

【Session Exceeds】: When the number of network connection sessions from any source IP address exceeds the set value and continues for some time on the outgoing interface (ZONE),
NG-UTM records the source IP address and the exceeded value.
【Zone Out (TX) Exceeds】: When the Zone Out (TX) traffic from any source IP address exceeds the set value and continues for some time on the outgoing interface (ZONE),
NG-UTM records the source IP address and the exceeded value.
【Zone In (RX) Exceeds】: When the Zone In (RX) traffic from any source IP address exceeds the set value and continues for a period on the outgoing interface (ZONE),
NG-UTM records the source IP address and the exceeded value.

7-1-3. Notify Anomaly

When events occur where network packets exceed the set value, NG-UTM not only records the source IP address, trigger count, and duration,
but also immediately sends a notification to inform administrators of the abnormal traffic. This setting applies to all interfaces (ZONES) of NG-UTM.
• Basic Settings
Abnormal traffic detection thresholds on the outgoing interface (ZONE) of the internal computers.

Figure 7-3 Notification settings for abnormal IP analysis

【Connection Session Exceeds】: When the number of network connection sessions from any source IP address exceeds the set value and continues for a period of time on the outgoing interface (ZONE),
NG-UTM records the source IP address and the exceeded value and sends a notification to administrators.
【Zone Out (TX) Exceeds】: When the Zone Out (TX) traffic from any source IP address exceeds the set value and continues for a period on the outgoing interface (ZONE),
NG-UTM records the source IP address and the exceeded value and sends a notification to administrators.
【Zone In (RX) Exceeds】: When the Zone In (RX) traffic from any source IP address exceeds the set value and continues for a period on the outgoing interface (ZONE),
NG-UTM records the source IP address and the exceeded value and sends a notification to administrators.

7-1-4. Block Anomaly

When events occur where network packets exceed the set value, NG-UTM not only records the source IP address, trigger count, and duration,
but can also trigger default blocking actions to prevent such occurrences from continuing. This setting applies to all interfaces (ZONES) of NG-UTM.
• Basic Settings
Abnormal traffic detection thresholds on the outgoing interface (ZONE) of the internal computers.

Figure 7-4 Blocking settings for abnormal IP analysis

【Connection Session Exceeds】: When the number of network connection sessions from any source IP address exceeds the set value and continues for a period on the outgoing interface (ZONE),
NG-UTM records the source IP address and the exceeded value and triggers the default blocking action.
【Zone Out (TX) Exceeds】: When the Zone Out (TX) traffic from any source IP address exceeds the set value and continues for a period on the outgoing interface (ZONE),
NG-UTM records the source IP address and the exceeded value and triggers the default blocking action.
【Zone In (RX) Exceeds】: When the Zone In (RX) traffic from any source IP address exceeds the set value and continues for a period on the outgoing interface (ZONE),
NG-UTM records the source IP address and the exceeded value and triggers the default blocking action.
• Action
When the set value is triggered, administrators can take actions against computers with abnormal behavior.
There are 6 default disposal methods, described as follows:

Figure 7-5 Blocking actions for abnormal IP analysis

【Block for Minutes】:
Abnormal traffic may be sporadic; after blocking for a few minutes, the situation will automatically disappear. Therefore, temporarily block the source IP address for a few minutes,
preventing it from accessing the outgoing interface (ZONE), but without affecting inter-interface packet communication.
【Block All Day】:
The abnormal behavior has severely violated network usage regulations; block the source IP address for one day (24 H), prohibiting access to the outgoing interface (ZONE), but without affecting inter-interface packet communication.
【Block Until Administrator to unlock】:
The abnormal behavior has severely violated network usage regulations; block the source IP address from accessing the outgoing interface (ZONE) until cleared by the manager, but without affecting inter-interface packet communication.
【Bandwidth Limit Minutes】:
Abnormal traffic has caused unfair distribution of network traffic; therefore, limit the network bandwidth usage for the source IP address for a few minutes. The quantity of bandwidth restriction is set in Other Settings.
【Bandwidth Limited All Day】:
Abnormal traffic has caused unfair distribution of network traffic; therefore, limit the network bandwidth usage for the source IP address for the entire day (24 H). The quantity of bandwidth restriction is set in Other Settings.
【Bandwidth Limited Until Administrator to Disable】:
Abnormal traffic has caused unfair distribution of network traffic; therefore, limit the network bandwidth usage for the source IP address until cleared by the manager. The quantity of bandwidth restriction is set in Other Settings.
• Advanced Setup
When the set value in Basic Settings is triggered, and the selected action is bandwidth limitation, the bandwidth quantity set here will automatically apply to the problematic computer.

Figure 7-6 Bandwidth limitation for abnormal IP analysis

【Bandwidth Limit】: When the set value is triggered for any source IP address, NG-UTM will reduce the bandwidth usage of this source IP address to the set value.
【Block Message】: When implementing bandwidth limitation, this message appears on the user’s browsing page to inform them that they are currently under speed restriction.

7-1-5. Trusted IP

NG-UTM can record, notify, and block abnormal sessions, upload traffic, and download traffic. However, it can also exclude specific users from being monitored.
By using the exception IP setting method, administrators can specify which IP addresses should not undergo abnormal IP analysis.
Click the add icon to add an exception IP setting:

Figure 7-7 Exception IP Setting

【IP/Network Mask】: Specifies which IP addresses should not undergo abnormal IP analysis, which can be a single IP address or an IP range.
For example: you can enter 192.168.1.5/32 (a single IP address), or 192.168.1.1/24 (a class C subnet).
【Category】: There are 3 categories: Record, Notify, and Block, which can be selected simultaneously.
【Comment】: Description about the source IP address.

7-1-6. Anomaly Log

For all abnormal behaviors, the system records detailed information including time, source IP address, control action, triggered event, actual quantity, duration, and control time.
Administrators can query abnormal records based on conditions:

Figure 7-8 Anomaly Log

7-1-7. Block List

List the source IP addresses currently blocked by NG-UTM, and administrators have the authority to unblock these controlled IP addresses.

7-2. Switch

NG-UTM can monitor the status of internal machines in real-time through switches, block the transmission of large amounts of abnormal packets within the internal network,
and assist administrators in quickly resolving abnormal states to prevent network paralysis.
Regarding the management of internal networks, each administrator has different needs. Some want to track the traffic of each IP address, while others are concerned about the actual location of each computer.
Coupled with the complexity of internal network wiring, this can be challenging for administrators.
ShareTech switch management simplifies everything. Starting from the LAN or DMZ of UTM, it labels the Uplink and Downlink of each switch with a hierarchical concept, displaying all switches in layers as shown in Figure 7-9.
When searching for the actual location of a problematic computer, you can simply follow the diagram.

Figure 7-9 Switch Hierarchy Diagram

Displaying each IP address’s switch PORT in a graphical interface makes the true structure of the internal network clear, such as the interconnection between several switches.
When combined with UTM’s address table management graphics, network management is no longer just about virtual management of IP addresses: which switch PORT each IP address is connected to,
and whether it is allowed to change its own IP address, are shown visually, so every management action benefits from “a picture is worth a thousand words.”
• Supported Switch Types by NG-UTM
NG-UTM supports 2 types of switches according to different functional requirements and on-site environments: General Standard SNMP Network Management Type and Core Switches Supporting Advanced Collaborative Defense.
General standard SNMP switches can display network status diagrams.
Core switches supporting collaborative defense can not only display network status diagrams but also automatically block problematic computers on the switches according to the administrator’s settings.
NG-UTM configures different switches according to different interfaces (ZONES) and requirements,
for example: ZONE 1 is the internal network area with numerous computers, so it is configured with core switches supporting collaborative defense and general standard SNMP switches,
while ZONE 2 is the internal server area, where general standard SNMP switches alone meet the requirements.

7-2-1. Switch Setup

• Add a Switch
Click the add icon to add switch data:
【Interface】: Specify the interface (ZONE) where the new switch is located.
【Switch Type】: Indicate the type of switch being added. Depending on the selected switch attribute, the displayed configuration options will vary.
Below are detailed settings for different switch attributes:
A. SNMP Switch Configuration

Figure 7-10 Add a General Switch

【Model】: NG-UTM lists general SNMP switches that have been tested and are operational for administrators to choose from.
If the switch to be added is not in the supported list, select “General SNMP.” Generally, any managed (SNMP-capable) switch can meet NG-UTM requirements.
【Name】: A recognizable name for the switch for administrators, can be entered in any language, for example: Engineering Department on 2F.
【Remarks】: Comments about the switch for easy identification by administrators, can be entered in any language. For example, testing area for the Engineering Department.
【IP Address】: IP address of the switch. For example, 192.168.1.66.
【Port】: Number of ports on this switch.
【SNMP Read Community】: The name with read permission used by NG-UTM to communicate with the switch using SNMP protocol. For general SNMP switches, the default is usually “public.”
After configuration, you can press the “Connection Test” button to verify if the switch accepts queries for read permission information under this name.
【SNMP Write Community】: The name with write permission used by NG-UTM to communicate with the switch using SNMP protocol. For general SNMP switches, the default is “private.”
After configuration, you can press the “Connection Test” button to verify if the switch accepts queries for write permission information under this name.
【Web Management】: Port number used to access the switch’s management interface, usually 80.
B. Collaborative Defense Configuration

Figure 7-11 Add a Collaborative Defense Switch

【Model】: NG-UTM lists collaborative defense switches that have been tested and are operational, currently supporting brands like Zyxel, Cisco, Juniper, and H3C.
【Name】: A recognizable name for the switch for administrators, can be entered in any language, for example: 1F.
【Remarks】: Comments about the switch for easy identification by administrators, can be entered in any language such as Core switch.
【IP Address】: IP address of the switch such as 192.168.2.55.
【Port】: Number of ports on this switch.
【SNMP Login Name (Read)】: The name with read permission used by NG-UTM to communicate with the switch using SNMP protocol. The default value for the switch is “public.”
After configuration, you can press the “Connection Test” button to verify if the switch accepts queries for read permission information under this name.
【SNMP Login Name (Write)】: The name with write permission used by NG-UTM to communicate with the switch using SNMP protocol. The default value for the switch is “private.”
After configuration, you can press the “Connection Test” button to verify if the switch accepts queries for write permission information under this name.
【Manager Communication Port】: Port number used to access the switch’s management interface, usually 80.
【Command Mode】: Specifies the communication protocol used by NG-UTM to communicate with the collaborative defense switch. It supports 2 modes: Telnet and encrypted SSH.
【Command Port】: Based on the selected communication mode in the previous step, for example: 23 for Telnet and 22 for encrypted SSH. This value cannot be changed.
【Login Account】: Account used to log into the collaborative defense switch in command mode, for example: root or admin.
【Login Password】: Password used to log into the collaborative defense switch in command mode, for example: password.
【Configuration Mode Password】: Whether there is an additional layer of password protection when logging into the collaborative defense switch for configuration in command mode.
If yes, it needs to be entered here, otherwise the correct configuration values cannot be added to the collaborative defense switch.
【Binding Mode】: NG-UTM and the collaborative defense switch can have 3 types of bindings: IP+MAC+PORT, MAC+PORT, and IP Source Guard.
Not all types of collaborative defense switches necessarily support these 3 modes. When selecting the switch model, NG-UTM will list the supported modes for that model for administrators to choose.
Detailed mode explanations are as follows:
· IP + MAC + PORT
In this mode, the user’s IP and MAC addresses are bound to the collaborative defense switch PORT. Computers that are not bound cannot access the internet through the collaborative defense switch.
For example: a computer with IP address 192.168.2.99 and MAC address 00:01:02:03:04:05 can only access the internet through Port 21 of the collaborative defense switch.
If this computer changes its IP address or is connected to other ports of this switch, the network connection will be interrupted.
· MAC + PORT
In this mode, the user’s MAC address is bound to the collaborative defense switch PORT. Computers that are not bound cannot access the internet through the collaborative defense switch.
For example: a computer with MAC address 00:01:02:03:04:05 can only access the internet through Port 21 of the collaborative defense switch.
If this computer is connected to other ports of this switch, the network connection will be interrupted.
· IP Source Guard
This mode currently only supports Zyxel brand switches. In addition to traditional IP+MAC+PORT binding, it can also combine with VLAN operation, making the binding operation more flexible.
Switches with IP Source Guard can also prohibit private DHCP servers inside the internal network (DHCP Snooping).
Private DHCP servers are often one of the unstable network security threats in internal networks. Switches with IP Source Guard can specify the ports used by the legitimate DHCP servers;
when a DHCP server appears on any other port, its broadcast packets are all blocked.
• Automatic Switch Search
NG-UTM provides the functionality to automatically search for switches. In the Switch list, pressing the “Auto Search” button allows NG-UTM to automatically search for all SNMP switches under each interface (ZONE).
The search results will open in a separate window. Find the switch to be managed and press the configure icon in the action column to enter the switch’s configuration mode.

Figure 7-12 Automatic Switch Search

• Switch List
After completing the switch configuration, NG-UTM will list all switches. Administrators can check here to ensure the configuration information is correct.
Clicking the management icon will, based on the mode set by the administrator, open another window directly into the switch’s management interface.
This feature allows administrators to manage all internal switches through a unified interface.

Figure 7-13 Switch Management

7-2-2. Network Status Diagram

For many enterprise network administrators, tracing cabling is cumbersome and labor-intensive; when the cabling is messy, it is relatively difficult to determine which PC is connected to which switch.
NG-UTM combines collaborative defense with general SNMP network management switches to display the internal network status in real time, including the stacking relationship between switches,
while allowing administrators to clearly understand the connection status of current internal users, including which computer is connected to which switch, and whether it is powered on. It even displays clearly if connected to a second-layer switch.

Figure 7-14 Network Status Diagram

• Diagram Explanation:
Stacking icon: Different tiers must be paired by Up Link + Down Link combinations, and NG-UTM displays the stacking relationship between switches.
Unmanaged switch icon: This switch port is connected to one or more unmanaged switches.
PC icon: This switch port is connected to a PC that is currently powered on.
Update icon: Pressing the “Update Immediately” button updates all statuses.
Clicking the legend icon will display detailed icon and name explanations.
• Display Modes:
To view the combination of switches and computers, 3 display modes are available: by diagram (Figure 7-15), by list, or by IP display, and you can choose the interface (ZONE) you want to view.
Set the scheduled update time to ensure timely updates of the network status, while also providing a search function. After entering an IP address in the search field, you can query which switch and which PORT the IP address is connected to.

Figure 7-15 Display Options for Switches and Computers

In the diagram display, double-clicking a PORT icon will open a new window in the NG-UTM interface showing detailed information about this PORT on the switch.

Figure 7-16 Detailed Information for Individual PORT

【Up Link Port】: Specifies the UP link PORT for this PORT.
【Enable/Disable】: Enables or disables this PORT entirely.
【In / Out】: Flow of traffic into/out of this PORT.
【Binding】: When the switch is in collaborative defense mode, administrators can lock this IP/MAC to this PORT.
【Zone Out (TX)/Zone In (RX)(bps)】: Traffic flow to/from the internet for this IP address.

7-2-3. Bind List

For network security reasons or for the convenience of internal network management, NG-UTM’s collaborative defense mechanism allows the binding of specific computers to ports on switches, ensuring that unauthorized computers cannot connect to the network.
When configuring the switch attributes as “Collaborative Defense” and the binding mode as IP + MAC + Port or MAC + Port, further settings can be made in the binding list.
When using the IP + MAC + Port mode, an additional field for entering the bound IP address is required, while the other settings remain the same. The following explanation will use IP + MAC + Port for illustration.
• Adding Binding List
Click the add icon to add a binding list entry:

Figure 7-17 Binding List Configuration

【IP Address】: The IP address to be bound, for example: 192.168.2.96.
It’s important to note that regardless of whether this computer is configured with DHCP or a static IP, any change in the IP address will result in the inability to access network resources.
【MAC Address】: The MAC address to be bound, for example: 02:03:04:05:06:07. Only computers with this MAC address can connect to the network.
【Collaborative Defense】: Specify which collaborative defense switch this computer is bound to.
【Port】: Specify which port on the collaborative defense switch this computer is bound to.
【VLAN】: Specify the VLAN to which the binding IP belongs.
【Binding Mode】: Indicate the current binding mode being used, either IP + MAC + Port or MAC + Port.

7-2-4. IP Source Guard

NG-UTM, in conjunction with Zyxel switches, provides another binding mode, IP Source Guard, which operates in an IP + MAC + Port configuration. In addition to performing IP + MAC + Port bindings, it also provides a mechanism for DHCP snooping to ensure that internally deployed DHCP servers cannot operate.
When configuring the switch attributes as “Collaborative Defense” and the binding mode as IP Source Guard, further settings can be made.
• Adding IP Source Guard
Click the add icon to add an IP + MAC + Port binding:

Figure 7-18 Adding an IP Source Guard IP+MAC+Port Binding

【Collaborative Defense】: Selects the IP address of the collaborative defense switch where the IP + MAC + Port binding will be executed. Currently, only Zyxel switches are supported, for example: 192.168.14.2.
【VLAN】: IP Source Guard operation requires VLAN configuration. Select the VLAN to which the IP + MAC + Port binding will be applied, and the system will list all active VLANs for administrators to choose from.
【Trusted Ports】: Specifies which ports in this VLAN will not execute the IP + MAC + Port binding.
Any IP and MAC addresses can use the network on Trusted Ports.
Clicking on the 【Assist】 button will display a schematic of the switch for administrators to choose from,
and clicking a port icon belonging to this VLAN will toggle that port to Trusted Port status.
【Assisted Selection】: Previously connected IP + MAC + Port data on VLANs of the switch can be automatically imported by NG-UTM, saving the need for re-entry.
• Adding DHCP Snooping Configuration
IP Source Guard ensures that DHCP servers deployed under each VLAN cannot operate. Only DHCP servers authorized by the company can assign IP addresses.
Therefore, administrators need to know which physical port each DHCP server for different VLANs is connected to on the switch.
In “IP Source Guard > DHCP Snooping Configuration,” select the desired IP address and click 【Configure】 to enter the configuration screen (Figure 7-19).
Tick the box in front of the VLAN to be configured, and NG-UTM will highlight the physical ports belonging to this VLAN, with red boxes indicating Untagged Ports and green boxes indicating Tagged Ports.
Ports that do not execute IP + MAC + Port binding are referred to as Trusted Ports. On Trusted Ports, any IP and MAC addresses can use the network.
When enabling DHCP Snooping, it’s essential to ensure that there is at least one Trusted Port in this VLAN.
Clicking a port icon belonging to this VLAN will toggle that port to Trusted Port status.

Figure 7-19 DHCP Snooping Configuration
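The three binding modes of 7-2-1 together with the trusted-port and DHCP snooping behaviour of IP Source Guard (7-2-4), as an added model of the switch's forwarding decision. This is illustration code, not ShareTech or Zyxel firmware; the bind list, VLAN membership and frames are constructed, reusing the manual's example addresses.

```python
"""Binding enforcement for the three NG-UTM collaborative-defense binding modes.

Added illustration, not ShareTech or Zyxel code. The switch does the real
enforcement; this only models the decision so the modes can be compared.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

MODES = ("IP+MAC+PORT", "MAC+PORT", "IP Source Guard")


@dataclass(frozen=True)
class Binding:
    mac: str
    port: int
    ip: Optional[str] = None      # needed for IP+MAC+PORT and IP Source Guard
    vlan: Optional[int] = None    # IP Source Guard binds within a VLAN


@dataclass(frozen=True)
class Frame:
    """Constructed ingress frame as the switch sees it."""
    src_mac: str
    src_ip: str
    port: int
    vlan: int
    dhcp_server_reply: bool = False   # DHCP OFFER/ACK, i.e. a DHCP server talking


class SwitchPolicy:
    def __init__(self, mode: str, bindings: Iterable[Binding],
                 trusted_ports: Optional[Dict[int, Set[int]]] = None):
        if mode not in MODES:
            raise ValueError(f"unknown binding mode {mode!r}")
        self.mode = mode
        self.by_mac = {b.mac.lower(): b for b in bindings}
        self.trusted_ports = trusted_ports or {}   # vlan -> ports exempt from binding

    def decide(self, f: Frame) -> Tuple[bool, str]:
        """Return (forward?, reason) for one frame."""
        if self.mode == "IP Source Guard":
            trusted = self.trusted_ports.get(f.vlan, set())
            # DHCP snooping: server replies are only accepted from trusted ports
            if f.dhcp_server_reply and f.port not in trusted:
                return False, "rogue DHCP server blocked by DHCP snooping"
            # Any IP and MAC may use the network on a trusted port
            if f.port in trusted:
                return True, "trusted port, no binding enforced"
        b = self.by_mac.get(f.src_mac.lower())
        if b is None:
            return False, "MAC not bound"
        if f.port != b.port:
            return False, f"MAC bound to port {b.port}, seen on port {f.port}"
        # MAC+PORT ignores the IP; the other two modes require it to match
        if self.mode != "MAC+PORT" and f.src_ip != b.ip:
            return False, f"IP changed from bound {b.ip}"
        if self.mode == "IP Source Guard" and b.vlan is not None and f.vlan != b.vlan:
            return False, f"bound in VLAN {b.vlan}, seen in VLAN {f.vlan}"
        return True, "binding matched"


# Constructed bind list using the manual's example addresses.
BINDINGS = [
    Binding(mac="00:01:02:03:04:05", port=21, ip="192.168.2.99", vlan=10),
    Binding(mac="02:03:04:05:06:07", port=7, ip="192.168.2.96", vlan=10),
]

if __name__ == "__main__":
    isg = SwitchPolicy("IP Source Guard", BINDINGS, trusted_ports={10: {1}})
    for frame in (
        Frame("00:01:02:03:04:05", "192.168.2.99", 21, 10),
        Frame("00:01:02:03:04:05", "192.168.2.100", 21, 10),
        Frame("aa:bb:cc:dd:ee:ff", "192.168.2.2", 5, 10, dhcp_server_reply=True),
    ):
        print(frame, "->", isg.decide(frame))
```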

7-2-5. PoE Schedule Setup

NG-UTM, in conjunction with Zyxel’s PoE switches, provides power supply time control. Click the add icon to add a schedule:

Figure 7-20 PoE Schedule Configuration

【Schedule Name】: Sets the name of the PoE schedule.
【Setting Mode】: There are 2 modes to choose from.
· Mode 1: Time is divided into hourly units, and a weekly cycle is listed. Administrators can select the time periods to manage.
· Mode 2: Sets the start and end dates and times.
【Managed Ports】: The system lists the switches where PoE schedules can be added. Check the ports on the switches where the schedule will be executed.

7-3. Intranet Protection

In the realm of internal network security, the most challenging type of attack to detect is the broadcast type of packet, such as ARP spoofing and rogue DHCP servers.
Due to inherent flaws in communication protocols, these types of attacks are difficult to detect.
Even if the attacker is identified, detection mechanisms cannot communicate directly with frontline UTMs or switches to immediately block the threat.
Traditionally, when issues arise, technicians would physically test each switch by disconnecting cables. However, NG-UTM provides tools to prevent similar attacks.
When enabling collaborative defense on switches, NG-UTM offers advanced internal network protection mechanisms to safeguard internal network security.
These mechanisms include ARP protection, IP forgery detection, MAC forgery detection, and abnormal IP blocking linkage, which can be applied to interfaces (ZONES) based on selection.

7-3-1. Protection Settings

• Detection Interfaces
Select the network interfaces (ZONES) to which internal network protection will be applied. Administrators can choose one or more interfaces to implement detection mechanisms.

Note:
Options in “Block Options”: “Automatic Block by Switch” and “Advanced Block”.
When the switch supports intelligent collaborative defense, checking “Automatic Block” means that when the detection mechanism is triggered, the computer on the default-controlled Port of the switch is blocked directly.
If “Advanced Block” is also checked, then because non-intelligent switches cannot manage ports in detail, other computers under this Port may be erroneously blocked as well.
• ARP Packet Alert Threshold
ARP attacks pose difficulties for UTM devices because ARP packets are broadcast, existing as a means of network communication before establishing TCP/UDP connections.
ShareTech ARP detection mechanism can identify excessive ARP message transmissions in real-time, indicating preparatory stages of ARP attacks. This information, when combined with collaborative defense switch devices, can pinpoint the physical location of the attacking IP, rendering them unable to hide.
In ARP Packet Alert Threshold settings:

Figure 7-21 ARP Detection Mechanism

【Exceeding】: NG-UTM considers behavior abnormal if a source IP address sends more ARP requests per second than this threshold. Default is 100. A higher value reduces sensitivity, but also increases the likelihood of false positives.
【Automatic Block】: NG-UTM actively blocks the switch port of the attacker when abnormal ARP behavior is detected.
【Trusted Addresses】: Enter IP addresses that are exempt from ARP abnormal behavior detection. Additional addresses can be added on new lines.
• Spoofing Detection: IP/MAC

Figure 7-22 IP/MAC Forgery Detection

The built-in detection mechanism of NG-UTM alleviates issues related to internal IP or MAC conflicts.
【IP Address Conflict Detection】: Enable or disable this feature. Default is off.
【Automatic Block】: NG-UTM actively blocks computers with forged IP addresses when an IP address conflict is detected.
【Trusted Addresses】: Enter IP addresses exempt from IP address conflict detection. Additional addresses can be added on new lines.
【MAC Address Conflict Detection Frequency】: Frequency of MAC address detection, default is once every 3 hours.
【Automatic Block】: NG-UTM actively blocks computers with forged MAC addresses when a MAC address conflict is detected.
【Trusted Addresses】: Enter MAC addresses exempt from MAC address conflict detection. Additional addresses can be added on new lines.
• Collaborative Defense
Combined with settings in “Advanced Protection > Abnormal IP Analysis > 7-1-4. Block Anomaly”.
Collaborative defense on internal network protection can execute linkage mechanisms. When internal users exceed the connection limit or TX/RX traffic, NG-UTM automatically notifies switches to execute blocking actions, rendering affected computers unable to continue using the network.

Figure 7-23 Abnormal IP Analysis and Collaborative Switch Linkage

【Linkage Abnormal IP Blocking List Port Closure】: If an IP in the detection interface appears on the “Abnormal IP Blocking List,” the port is blocked.
【Linkage IPS Port Closure】: If an IP in the detection interface appears in “IPS Logs,” the port is blocked. The triggering frequency for blocking can be configured.
• Notification Items
Administrators are notified immediately when protection settings events occur.
Selectable items: Linkage Abnormal IP Blocking, Linkage IPS Port Blocking, ARP Protection, IP Conflict, MAC Conflict.

7-3-2. ARP Spoofing Log

Records of ARP attack detection include timestamps, IP addresses, MAC addresses, events, access locations, status, and actions, distinguishing attackers from victims.

Figure 7-24 ARP Attack and Defense Records

【IP Address】: IP addresses that have either sent a lot of ARP packet attacks or have been victims of excessive ARP packets.
【Interface】: Selects the internal network interface (ZONE) to search.
【Event】: Search for all / Exceeding Threshold / Victims’ events. (Exceeding Threshold: Suspected attackers)
【Status】: Indicates whether ARP attacks are ongoing or have ceased.
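The ARP Packet Alert Threshold of 7-3-1 and the attacker/victim distinction of the ARP Spoofing Log (7-3-2), as an added example that is not ShareTech code: the capture, the MAC addresses and the rule that the targets of a flood are logged as victims are constructed assumptions.

```python
"""ARP request-rate detection with attacker/victim classification.

Added illustration, not ShareTech code. Flags a sender that issues more ARP
requests per second than the threshold (the manual's default is 100), exempts
trusted addresses, and logs the addresses it was asking for as victims.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ArpRequest:
    ts: float          # capture time in seconds
    sender_ip: str
    sender_mac: str
    target_ip: str


def detect(packets: Iterable[ArpRequest], threshold: int = 100,
           trusted=frozenset()) -> List[dict]:
    """Per second, emit 'Exceeding Threshold' for senders above the threshold and
    'Victim' for every address they targeted in that second."""
    per_sec: Dict[tuple, int] = defaultdict(int)
    targets = defaultdict(set)
    for p in packets:
        key = (int(p.ts), p.sender_ip)
        per_sec[key] += 1
        targets[key].add(p.target_ip)
    events = []
    for (sec, ip), n in sorted(per_sec.items()):
        if n > threshold and ip not in trusted:
            events.append({"second": sec, "ip": ip, "event": "Exceeding Threshold", "count": n})
            for victim in sorted(targets[(sec, ip)]):
                events.append({"second": sec, "ip": victim, "event": "Victim", "count": n})
    return events


def summarize(events: List[dict], capture_end_sec: int) -> Dict[str, dict]:
    """Collapse per-second events into one log row per IP with an ongoing/ceased status."""
    rows: Dict[str, dict] = {}
    for e in events:
        row = rows.setdefault(e["ip"], {"event": e["event"], "first": e["second"],
                                        "last": e["second"], "peak_per_sec": e["count"]})
        row["last"] = max(row["last"], e["second"])
        row["peak_per_sec"] = max(row["peak_per_sec"], e["count"])
    for row in rows.values():
        # Still firing in the last captured second means the attack is ongoing
        row["status"] = "ongoing" if row["last"] >= capture_end_sec else "ceased"
    return rows


def sample_capture() -> List[ArpRequest]:
    """Constructed three-second capture: a normal host, an ARP flood, a trusted scanner."""
    pkts = []
    for i in range(3):                       # normal host resolving its gateway
        pkts.append(ArpRequest(0.1 * i, "192.168.1.10", "00:00:5e:00:53:10", "192.168.1.1"))
    for sec, n in ((0, 150), (1, 120)):      # flood in seconds 0 and 1, two targets
        for i in range(n):
            tgt = "192.168.1.1" if i % 2 else "192.168.1.50"
            pkts.append(ArpRequest(sec + i / n, "192.168.1.200", "00:00:5e:00:53:c8", tgt))
    for i in range(120):                     # trusted scanner sweeps the subnet in second 2
        pkts.append(ArpRequest(2 + i / 120, "192.168.1.5", "00:00:5e:00:53:05",
                               f"192.168.1.{i + 1}"))
    return pkts


TRUSTED = frozenset({"192.168.1.5"})

if __name__ == "__main__":
    ev = detect(sample_capture(), threshold=100, trusted=TRUSTED)
    for ip, row in summarize(ev, capture_end_sec=2).items():
        print(ip, row)
```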

7-3-3. MAC Collision Log

Records of MAC address spoofing detection, along with collaborative defense switches, will display the access locations.

Figure 7-25 MAC Attack and Defense Records

【MAC Address】: The conflicting MAC address.
【IP Address】: Displays the current conflicting IP address.
【Interface】: Indicates the physical port on the collaborative defense switch where the suspected attacker or victim is located.
【Status】: Explanation of the MAC spoofing.
【Re-record Address】: Clears all data related to the MAC address, relearns, and begins to track spoofed information anew.

7-3-4. IP Collision Log

Records of IP address spoofing detection, along with collaborative defense switches, will display the access locations.

Figure 7-26 IP Attack and Defense Records

【MAC Address】: Displays the conflicting MAC address.
【IP Address】: The conflicting IP address.
【Access Location】: Indicates the physical port on the collaborative defense switch where the suspected attacker or victim is located.
【Status】: Explanation of the IP spoofing.

7-3-5. Lock Status

NG-UTM provides advanced internal network protection mechanisms to safeguard the security of the internal network, including ARP protection, detection of forged IP addresses, detection of forged MAC addresses, and linkage with abnormal IP blocking. If any IP/MAC violates access rules and gets blocked, all information will be displayed here, and administrators can also perform unblocking actions here.