Chapter 11 Threat Prevention

Threat prevention is a set of functions that detect and block network threats. By configuring the threat prevention function, Hillstone devices can defend against network attacks and reduce losses to the internal network.

Threat protections include:

  • Anti Virus: It detects the common file types and protocol types most likely to carry viruses and protects the network from them. Hillstone devices can detect the protocol types POP3, HTTP, SMTP, IMAP4 and FTP, and the file types archive (including GZIP, BZIP2, TAR, ZIP and RAR-compressed archives), PE, HTML, MAIL, RIFF and JPEG.
  • Intrusion Prevention: It detects and protects mainstream application layer protocols (DNS, FTP, POP3, SMTP, TELNET, MYSQL, MSSQL, ORACLE, NETBIOS) against web-based attacks and common Trojan attacks.
  • Attack Defense: It detects various types of network attacks and takes appropriate actions to protect the Intranet against malicious attacks, thus assuring the normal operation of the Intranet and its systems.
  • Abnormal Behavior Detection: Session traffic is inspected against the abnormal behavior detection signature database. When one detected object has multiple abnormal parameters, the system analyzes the relationship among those parameters to decide whether they form an abnormal behavior.
  • Perimeter Traffic Filtering: It filters perimeter traffic against known-IP blacklists and whitelists, and blocks malicious traffic that hits the blacklist.
  • Advanced Threat Detection: It intelligently analyzes suspicious host traffic to detect malicious behavior and identify APT (Advanced Persistent Threat) attacks.
  • Anti-Spam: It filters mail transmitted over SMTP and POP3 through the cloud server, and discovers mail threats.
  • Botnet Prevention: It promptly detects botnet hosts in the internal network, locates them, and takes other actions according to the configuration, so as to avoid further attacks.
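The Anti Virus item above says the engine identifies the file types that carry malware (archives, PE, HTML, RIFF, JPEG) rather than trusting file names. The following Python is an added example, not Hillstone's engine or configuration: it identifies content by well-known magic bytes, expands GZIP and ZIP containers to a bounded depth, and refuses to expand members larger than an assumed limit (MAX_INNER_BYTES) so that a decompression bomb cannot exhaust the scanner. The sample inputs built by `build_samples()` are constructed stubs, not real malware.

```python
"""Content-type identification by magic bytes, with bounded archive unpacking.
Added example; not Hillstone's engine. Type names follow the page's list."""
import gzip
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# (type name, byte offset, magic bytes): widely documented signatures, not product-specific
SIGNATURES = [
    ("GZIP", 0, b"\x1f\x8b"),
    ("BZIP2", 0, b"BZh"),
    ("ZIP", 0, b"PK\x03\x04"),
    ("RAR", 0, b"Rar!\x1a\x07"),
    ("PE", 0, b"MZ"),
    ("JPEG", 0, b"\xff\xd8\xff"),
    ("RIFF", 0, b"RIFF"),
    ("TAR", 257, b"ustar"),
]
MAX_INNER_BYTES = 1 << 20  # assumption: never expand more than 1 MiB from one member


def identify(data: bytes) -> Optional[str]:
    """Classify a byte string by its leading/offset magic, ignoring any file name."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "HTML"
    return None


def scan(data: bytes, label: str = "root", max_depth: int = 2) -> List[Tuple[str, Optional[str]]]:
    """Return (path, type) for the object and, for GZIP/ZIP, for its contents."""
    kind = identify(data)
    found: List[Tuple[str, Optional[str]]] = [(label, kind)]
    if max_depth == 0:
        return found
    if kind == "GZIP":
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                inner = gz.read(MAX_INNER_BYTES + 1)  # read one byte past the cap
        except (OSError, EOFError):
            return found
        if len(inner) > MAX_INNER_BYTES:
            found.append((label + "/gz", "SKIPPED:too-large"))
        else:
            found += scan(inner, label + "/gz", max_depth - 1)
    elif kind == "ZIP":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{label}/{info.filename}"
                    if info.file_size > MAX_INNER_BYTES:  # declared size check before reading
                        found.append((member, "SKIPPED:too-large"))
                        continue
                    found += scan(zf.read(info), member, max_depth - 1)
        except zipfile.BadZipFile:
            return found
    return found


def build_samples() -> Dict[str, bytes]:
    """Constructed sample inputs (harmless stubs): PE header, JPEG header, HTML, TAR,
    a gzipped JPEG, and a ZIP whose 'invoice.pdf' member actually holds PE bytes."""
    pe = b"MZ" + b"\x00" * 62
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    html = b"  <!DOCTYPE html><html><body>x</body></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", pe)
        zf.writestr("page.htm", html)
    return {
        "pe": pe,
        "jpeg": jpeg,
        "html": html,
        "tar": b"\x00" * 257 + b"ustar\x00" + b"\x00" * 250,
        "gz_jpeg": gzip.compress(jpeg),
        "zip": buf.getvalue(),
    }


if __name__ == "__main__":
    samples = build_samples()
    for name, blob in samples.items():
        print(name, scan(blob))
```

The ZIP sample shows why the page stresses content types: the member named `invoice.pdf` is reported as PE because classification never looks at the name. The size cap and depth limit are the two controls a scanner needs against nested or inflated archives.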

The threat protection configurations are based on security zones and policies.

  • If a security zone is configured with the threat protection function, the system inspects traffic that matches the binding zone specified in the rule, and then acts as you specified.
  • If a policy rule is configured with the threat protection function, the system inspects traffic that matches the policy rule you specified, and then responds.
  • If both are specified at the same time, the threat protection configuration in a policy rule takes precedence over that in a zone rule, and the threat protection configuration in a destination zone takes precedence over that in a source zone.
  • Threat protection is controlled by a license. To use threat protection, apply for and install the Threat Protection (TP) license, the Anti Virus (AV) license or the Intrusion Prevention System (IPS) license.
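The precedence rules above (policy rule over zone binding, destination zone over source zone) are easy to misread when a flow matches several bindings. The following Python is an added model of those rules, not Hillstone's configuration syntax or code; `Flow`, `PolicyRule`, `Config` and `demo_config()` are hypothetical names, and the assumption that the first matching policy rule decides the policy part is the author's, not a statement from the page.

```python
"""Hypothetical model of threat-protection precedence: policy rule > destination zone
> source zone. Added example, not Hillstone's configuration model or code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


@dataclass(frozen=True)
class PolicyRule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: Optional[int] = None    # None matches any destination port
    tp_profile: Optional[str] = None  # threat-protection profile bound to this rule, if any

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone == flow.src_zone
                and self.dst_zone == flow.dst_zone
                and (self.dst_port is None or self.dst_port == flow.dst_port))


@dataclass
class Config:
    policy: List[PolicyRule]       # ordered; assumption: first matching rule wins
    zone_profiles: Dict[str, str]  # zone name -> threat-protection profile bound to the zone


def resolve_tp_profile(cfg: Config, flow: Flow) -> Tuple[Optional[str], str]:
    """Return (profile, origin) for the flow, or (None, "none") if no binding applies.

    Order of precedence, as the page states it:
      1. a matching policy rule that carries a threat-protection profile
      2. the destination zone's binding
      3. the source zone's binding
    """
    for rule in cfg.policy:
        if rule.matches(flow):
            if rule.tp_profile is not None:
                return rule.tp_profile, f"policy:{rule.name}"
            break  # matching rule has no TP profile: fall through to zone bindings
    if flow.dst_zone in cfg.zone_profiles:
        return cfg.zone_profiles[flow.dst_zone], f"zone:{flow.dst_zone}"
    if flow.src_zone in cfg.zone_profiles:
        return cfg.zone_profiles[flow.src_zone], f"zone:{flow.src_zone}"
    return None, "none"


def demo_config() -> Config:
    """Constructed sample configuration (zone and profile names are invented)."""
    return Config(
        policy=[
            PolicyRule("allow-web", "trust", "untrust", 443, tp_profile="strict-ips"),
            PolicyRule("allow-mail", "trust", "dmz", 25),  # no TP on the rule itself
            PolicyRule("allow-any", "trust", "untrust"),
        ],
        zone_profiles={"trust": "zone-av", "dmz": "dmz-av-ips"},
    )


if __name__ == "__main__":
    cfg = demo_config()
    for flow in (Flow("trust", "untrust", 443), Flow("trust", "dmz", 25),
                 Flow("trust", "untrust", 80), Flow("guest", "untrust", 80)):
        print(flow, "->", resolve_tp_profile(cfg, flow))
```

The second demo flow is the case the page singles out: the rule `allow-mail` carries no profile, so both zone bindings apply, and the destination zone `dmz` wins over the source zone `trust`. The third flow shows the fallback to the source zone when the destination zone has no binding.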

Threat Protection Signature Database

The threat protection signature database includes a variety of virus signatures, intrusion prevention signatures, perimeter traffic filtering signatures, abnormal behavior detection signatures, and advanced threat detection signatures. By default, the system updates the threat protection signature database automatically every day. You can change the update configuration as needed. Hillstone devices provide two default update servers: and Hillstone devices support auto updates and local updates.

According to the severity, signatures can be divided into three security levels: critical, warning and informational. Each level is described as follows:

  • Critical: Critical attack events, such as buffer overflows.
  • Warning: Aggressive events, such as over-long URLs.
  • Informational: General events, such as login failures.