After a hacker intrudes on the network shown in below, the hacker first scans IP addresses and service ports on the network to search for attack or spreading targets, and then uses the system or software vulnerabilities or brute force cracking measures to attack the target host. Network deception technology detects such scanning behavior on the network, and lures suspicious traffic to a Decoy for in-depth interaction and detection, protecting the service network from the hacker.
In a deception system, a switch can only be used as a DecoySensor. It is recommended that DecoySensors be deployed close to users or servers. Therefore, it is ideal to deploy DecoySensors on all switches on the network. Decoy can be deployed on the CIS flow probes.
Licensing Requirements and Limitations for Deception
The deception function needs to be used together with the Decoy.
Deception is a basic feature of a switch and is not under license control.
Only the following switch models support deception:
S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
- You are advised to deploy DecoySensors on access switches.
- There must be reachable routes between switches and the Decoy.
- If a firewall is deployed between switches and the Decoy, you need to enable UDP ports 11514 and 10514 on the firewall.
- The following configurations must be performed on the switch. Otherwise, the deception function does not take effect.
- VLANIF interfaces are configured to send ARP packets destined for other devices to the CPU using the undo arp optimized-passby enable
- The optimized ARP reply function is disabled using the arp optimized-reply disable
- At least one of the detection network segment and the bait network segment must be configured.
- The switch can only detect scanning of IP addresses on the same network segment as the primary IP address of the VLANIF interface.
- A switch cannot use the virtual IP address of a VRRP group or the IP address of the management network interface to connect to a Decoy.
- A bait network segment cannot contain the device management address and any network segment (0.0.0.0). Otherwise, the devices cannot be managed remotely.
- To enable the Agile Controller-Campus to deliver associated policies to switches, configure the free mobility function on the switches and ensure that the switches can communicate with the Agile Controller-Campus.