
Partner Technical Training

Outbound Threat Protection

Partner • Sales • Engineering


APS
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY Release 5.12
Objectives
At the conclusion of this unit you should understand:
• Outbound Threat Protection Benefits
• How to Configure Outbound Threat Protection
• How Outbound Threat Protection is Reported in the UI
• How to Configure Outbound Black / Whitelists



SCENARIO:
OUTBOUND THREAT
PROTECTION



Issue & Context
• Due to recent and highly publicized DDoS attacks that utilize botnets capable of generating massive amounts of DDoS traffic, Management is asking for confirmation that none of these attacks are being sourced from our network
• Management is concerned about
  • Leaking of company proprietary information via botnet command-and-control traffic
  • Outbound network flooding if an attack is sourced internally toward an external target
  • Liability issues if our network is used as a launch point of an attack
• Performing due diligence not only to protect our company legally but also to protect others that may be the target of an attack



Issue: Outbound Threat Protection
• Management is concerned with outbound traffic to known Botnet C&C infrastructure
(Diagram: ISP 1, ISP 2 … ISP ‘n’ links into the Data Center, passing through the IPS, Firewall and Load Balancer to the Target Applications & Services; Good Traffic is shown alongside outbound traffic toward Botnet C&C)



Action: Utilize APS’s Outbound Blocking
• Discuss a possible solution design to mitigate the attack using Arbor APS’s outbound traffic blocking capabilities
• Initially configure Outbound Threat Protection and set its Protection Mode to Inactive
• Review the UI to determine if there is an issue
• Blacklist and/or Whitelist specific hosts
• If desired, set the Protection Mode to Active to begin blocking outbound malicious traffic



OUTBOUND ADVANCED
THREAT PROTECTION



Outbound Advanced Threat Protection
• Arbor APS can monitor outbound traffic for threats and block malicious traffic, such as communication with a known botnet command-and-control center.
• This outbound threat filter provides protection from threats that can affect the traffic that originates from within the network.
• Unlike the protection groups, which protect specific hosts, a single outbound threat filter protects all of the outbound traffic that flows through the Arbor APS.



Outbound Advanced Threat Protection
• The outbound threat filter contains the categories of protection settings that are most appropriate for outbound traffic. You configure these protection settings on the Outbound Threat Filter page.



Outbound Threat Filter
• Single “Protection Group” reporting traffic seen on internal interfaces
• Aggregate blocked traffic and sources over time are reported
• Note: Protection settings that block hosts for inbound traffic do not block those hosts for outbound traffic.
(Screenshot callout: Built-in workflow)



CONFIGURING ADVANCED
OUTBOUND THREAT
PROTECTION



Outbound Threat Filter
• Configure the outbound threat filter by clicking the settings icon



Outbound Threat Filter Configuration
(Screenshot callout: Enable / Disable)
• Protection Mode determines if malicious outbound traffic is blocked
  • Active = Outbound traffic is mitigated as well as monitored
  • Inactive = Threats in outbound traffic are monitored only
    • A good way to test outbound threat filtering while keeping the rest of the system in the active mode
• Protection Level
  • Determines which protection settings are in use for outbound traffic



Outbound Threat Filter Configuration
• All mitigations work the same as the inbound protections – except that they are applied to outbound traffic
• The AIF license determines which ATLAS Intelligence Feed categories are available



Outbound Threat Filter Configuration
(Screenshot callouts showing the protection settings available for outbound traffic:)
• IP reputation feed, DNS reputation feed & countermeasures
• Filter list
• Payload Regular Expression
• DNS Rate Limiting
• Malformed HTTP Filtering



HOW OUTBOUND
THREAT TRAFFIC IS
REPORTED IN THE UI



ATLAS Threat Categories - Summary Page
• Blocked outbound threats identified by the ATLAS Threat Categories are displayed on the Summary page



Packet Capture - Outbound Threats
• Packet Capture has a Filter option



Blocked Hosts Log – Outbound Direction



BLACK / WHITELISTING
OF OUTBOUND TRAFFIC



Blacklisting / Whitelisting – Outbound
• Both lists are applied to packets entering the appliance via internal interfaces



Outbound Blacklist Configuration
(Screenshot callouts:)
• Hosts that have already been added
• Search for specific host
• IP address, CIDR address, or hostname
• Move host to Outbound Whitelist
• Remove host from Blacklist



Outbound Whitelist Configuration
(Screenshot callouts:)
• Hosts that have already been added
• Search for specific host
• IP address, CIDR address, or hostname
• Move host to Outbound Blacklist
• Remove host from Whitelist



Outbound Black / Whitelist Notes
• Outbound traffic from hosts on either list will immediately be passed or blocked with no further inspection
• Arbor APS in Monitor mode does not process outbound traffic
• If a list contains an IP address and a CIDR that overlaps that IP address, the most specific address always takes precedence
  • If 10.2.3.141 is on the outbound whitelist, and the CIDR 10.2.3.0/24 is added to the outbound blacklist, 10.2.3.141 remains whitelisted
• Removal from the Temporarily Blocked Sources list:
  • Removal of a specific IP address is immediate
  • Removal of a CIDR may take up to 5 minutes
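As an added example (not Arbor's code, and not a description of how APS implements this internally), the following Python models the decision rules this unit states for the Outbound Threat Filter Configuration slide and the Black / Whitelist Notes slide: a packet entering on an internal interface is first checked against the outbound whitelist and blacklist, where the most specific entry wins and the decision is final with no further inspection; hosts on neither list are checked against a threat category, and Protection Mode decides whether a hit is blocked (Active) or only monitored (Inactive); an appliance in Monitor mode does not process outbound traffic at all. The constructed reputation set standing in for an ATLAS IP reputation feed, the log tuple format, the restriction of list entries to IP addresses and CIDRs (hostnames are omitted), and the tie-break when a whitelist and a blacklist entry are equally specific are assumptions made for this example.

```python
"""Added illustration of the outbound threat filter rules described in this
unit.  Not Arbor's code; the reputation data and log format are constructed."""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def parse_entry(entry: str):
    """List entries are IP addresses or CIDRs; a bare address becomes a
    single-host network so that every entry has a prefix length to compare."""
    return ipaddress.ip_network(entry, strict=False)


class OutboundThreatFilter:
    def __init__(self, mode: str = "inactive", inline: bool = True,
                 whitelist: Iterable[str] = (), blacklist: Iterable[str] = (),
                 reputation: Iterable[str] = ()):
        if mode not in ("active", "inactive"):
            raise ValueError("Protection Mode must be 'active' or 'inactive'")
        self.mode = mode          # Protection Mode: Active blocks, Inactive monitors
        self.inline = inline      # False models the appliance in Monitor mode
        self.whitelist = [parse_entry(e) for e in whitelist]
        self.blacklist = [parse_entry(e) for e in blacklist]
        # Constructed stand-in for an IP reputation feed (e.g. botnet C&C addresses)
        self.reputation = {ipaddress.ip_address(a) for a in reputation}
        # (source, direction, reason) tuples, a constructed Blocked Hosts Log shape
        self.blocked_hosts_log: List[Tuple[str, str, str]] = []

    def _most_specific_match(self, src) -> Optional[Tuple[str, object]]:
        """Return (list name, entry) for the most specific entry covering src.
        The whitelist is scanned first and a later entry must be strictly longer
        to replace it, so on an equal-length tie the whitelist wins (assumption)."""
        best = None
        for list_name, entries in (("whitelist", self.whitelist),
                                   ("blacklist", self.blacklist)):
            for net in entries:
                if src in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (list_name, net)
        return best

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        """Verdict for one outbound packet: 'pass', 'block', 'monitor' or
        'unprocessed'."""
        if not self.inline:
            return "unprocessed"  # Monitor mode: outbound traffic is not inspected
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)

        # 1. Black/whitelist decisions are immediate and final (no further inspection)
        hit = self._most_specific_match(src)
        if hit is not None:
            list_name, net = hit
            if list_name == "whitelist":
                return "pass"
            self.blocked_hosts_log.append((src_ip, "outbound", f"blacklist {net}"))
            return "block"

        # 2. Threat category check, honoured according to Protection Mode
        if dst in self.reputation:
            reason = f"IP reputation hit on destination {dst_ip}"
            if self.mode == "active":
                self.blocked_hosts_log.append((src_ip, "outbound", reason))
                return "block"
            return "monitor"      # Inactive: observed and reported, not blocked
        return "pass"


if __name__ == "__main__":
    # The precedence case from the slide: /32 whitelist beats /24 blacklist
    f = OutboundThreatFilter(mode="active", whitelist=["10.2.3.141"],
                             blacklist=["10.2.3.0/24"], reputation=["203.0.113.7"])
    for src, dst in (("10.2.3.141", "203.0.113.7"), ("10.2.3.5", "198.51.100.1"),
                     ("10.9.9.9", "203.0.113.7"), ("10.9.9.9", "198.51.100.1")):
        print(src, "->", dst, ":", f.evaluate(src, dst))
    for entry in f.blocked_hosts_log:
        print("blocked hosts log:", entry)
```

Running the module shows 10.2.3.141 passing even though its /24 is blacklisted, which is the precedence rule from the notes; switching the same filter to `mode="inactive"` turns the reputation block into a monitor-only verdict, which is why the unit suggests starting in Inactive mode to review the UI before enforcing.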



Lab Exercise
• Preview Lab 7
  • Outbound Attack Protection
• Perform Lab 7
  • Estimated Time 20 Minutes
• Review Lab Questions

https://portal.training.arbor.net



Unit Summary
In this unit we have learned about:
• Outbound Threat Protection Benefits
• How to Configure Outbound Threat Protection
• How Outbound Threat Protection is Reported in the UI
• How to Configure Outbound Black / Whitelists



Q&A / THANK YOU

