Collaborative Detection & Response (CDR) keeps your network more secured and healthy

Nebula_Yvonne Posts: 34  Zyxel Employee
edited August 27 in Nebula Security Gateway

In recent years the attack surface has expanded rapidly. More and more companies face a higher risk of intrusion than ever before, because they are unable to retain the security expertise needed to keep their networks protected from current threats.

Collaborative Detection and Response is a feature enhancement that builds on the regular UTM services. When it detects an unsafe connection from a client, or the client reaches the pre-set threshold, it can block all of that client's IP traffic.

When a client's traffic reaches its threshold in CDR, the device blocks the client's routed traffic.

Moreover, it protects and secures the network all the way down to the access layer by having the gateway "collaborate" with the Access Points.

Scenario as below:


*Note: CDR is only supported by USG FLEX series.

To use the CDR feature, both a UTM Security Pack license and a Nebula Pro Pack license are required; without valid licenses, CDR discontinues all or part of its functionality.

CDR behaviour by license:

With Nebula Pro Pack

  - Without UTM Security Pack: CDR will not function; all settings in the CDR GUI page are greyed out.
  - With UTM Security Pack: CDR full functionality.
  - After UTM Security Pack expires: CDR will discontinue its full functionality:
    1. For the "Enabled" state, it will show "Enabled" and be greyed out.
    2. For the "Disabled" state, it will show "Disabled" and be greyed out.
    3. The rule settings, including the Exempt List, remain kept.
    4. All stations are released, including those being quarantined.
    5. The Quarantine VLAN remains kept and is not changed.

With Nebula Base/Plus Pack

  - Without UTM Security Pack: CDR will not function; all settings in the CDR GUI page are greyed out.
  - With UTM Security Pack: CDR partially functions:
    1. Every GUI page of the CDR feature is still configurable, including block/quarantine, and the configuration is saved.
    2. A notification message informs the user that CDR will not be fully functional.
    3. CDR event detection is still functional.
    4. CDR-triggered events are still logged in the cloud intelligent log.
    5. Block/Quarantine/Alert discontinue their function.
    6. All blocked/quarantined clients are released.
  - After UTM Security Pack expires: CDR will discontinue its full functionality, with the same five points as for Nebula Pro Pack above (Enabled/Disabled state shown but greyed out, rule settings and Exempt List kept, all stations released including quarantined ones, Quarantine VLAN unchanged).


How to configure CDR?

1. Go to Site-wide > Configure > Collaborative detection & response and click "Enable" to activate the CDR feature.


Figure 1. Collaborative detection & response


2. Here is the policy table where you can configure the criteria and the actions, as in the figure below:

Figure 2. Collaborative detection & response

Occurrence: the number of threat hits by a client.
Duration: the time window within which CDR counts those threat hits.
Containment: the action taken when both criteria have been triggered.

Containment has 3 options:

  1. Alert: NCC sends an alert email to administrators when triggered. Malicious traffic will be blocked by the security service function.
  2. Block: NCC sends an alert email to administrators. The gateway or AP will block the traffic and redirect it to the block page.
     Note: Blocking a wireless client is only supported on the AP. The client cannot connect to the Wi-Fi during the block duration.
  3. Quarantine: NCC sends an alert email to administrators. The AP will disconnect the client's Wi-Fi connection; when the client connects to the Wi-Fi again, it will get an IP address in the quarantine VLAN.
     Note: The Quarantine function only works on the AP.


The CDR database includes:

IDP Signatures:

  • CVE-2019-0708 (117760, 130797, 130801), CVE-2020-0796 (130822, 130823, 130824, 130825), 117723, 117724, 117726

Anti-Malware Signatures:

  • All signatures

URL Threat Filter Categories:

  • Browser Exploits, Malicious Downloads, Malicious Sites, Phishing

3. The Containment field, where you can customize the pop-up message shown to a client that has been blocked by CDR, and the containment time interval.


4. As shown in Figure 3 below:
Block prevents a malicious client from accessing the wireless network.
Quarantine is for APs (that support CDR) and uses dynamic VLAN assignment to isolate clients.

Figure 3. Containment

5. The Exempt list is a white list where you can enter the IP or MAC address of devices that you do not want CDR to block.


Figure 4. Exempt list
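The Occurrence / Duration / Containment criteria and the Exempt list described above, modelled as an added example (this is not Zyxel's or Nebula's code): a per-client sliding window that fires the containment action once the occurrence count is reached within the duration, never counts exempt IPs or MACs, and supports the administrator's release. The policy values, client addresses and event stream are constructed for the example.

```python
from collections import defaultdict, deque

class CdrPolicy:
    """Sliding-window model of one CDR policy row; the values are constructed examples."""
    occurrence, duration = 3, 60          # Occurrence: 3 threat hits within Duration: 60 s
    containment, interval = "block", 600  # Containment action and how long it lasts (s)
    exempt = {"10.0.0.5", "aa:bb:cc:dd:ee:05"}  # Exempt list: client IPs or MACs

    def __init__(self):
        self.hits = defaultdict(deque)  # client IP -> timestamps of recent CDR hits
        self.contained = {}             # client IP -> time the containment expires

    def on_threat(self, ts, ip, mac):
        """Feed one CDR hit (IDP, anti-malware or URL threat filter); return action or None."""
        if ip in self.exempt or mac in self.exempt or ts < self.contained.get(ip, 0):
            return None                 # exempt client, or already contained
        window = self.hits[ip]
        window.append(ts)
        while ts - window[0] > self.duration:  # keep only hits inside the Duration window
            window.popleft()
        if len(window) >= self.occurrence:     # Occurrence reached within Duration
            self.contained[ip] = ts + self.interval
            window.clear()
            return self.containment
        return None

    def release(self, ip):  # the administrator's "Release" in the Containment list
        self.contained.pop(ip, None)

# Constructed event stream: (seconds, client IP, client MAC, what was detected).
SAMPLE_EVENTS = [
    (0, "10.0.0.7", "aa:bb:cc:dd:ee:07", "Malicious Sites"),
    (0, "10.0.0.9", "aa:bb:cc:dd:ee:09", "Phishing"),
    (1, "10.0.0.5", "aa:bb:cc:dd:ee:05", "Browser Exploits"),      # exempt client
    (2, "10.0.0.5", "aa:bb:cc:dd:ee:05", "Browser Exploits"),
    (3, "10.0.0.5", "aa:bb:cc:dd:ee:05", "Malicious Downloads"),
    (20, "10.0.0.7", "aa:bb:cc:dd:ee:07", "Phishing"),
    (45, "10.0.0.7", "aa:bb:cc:dd:ee:07", "Malicious Downloads"),  # 3rd hit in 45 s -> block
    (70, "10.0.0.9", "aa:bb:cc:dd:ee:09", "Phishing"),
    (140, "10.0.0.9", "aa:bb:cc:dd:ee:09", "Phishing"),            # 3 hits, but spread over 140 s
]

def run(events, policy=None):
    policy = policy or CdrPolicy()
    actions = {}  # client IP -> (time, containment action) for clients that got contained
    for ts, ip, mac, _category in events:
        action = policy.on_threat(ts, ip, mac)
        if action:
            actions[ip] = (ts, action)
    return policy, actions
```

Only 10.0.0.7 is contained: 10.0.0.9 also has three hits, but spread wider than the duration window, and 10.0.0.5 is on the exempt list.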


Example of a client blocked by CDR
1. When a client has visited a malicious website and this triggers the CDR criteria, the client's browser shows a warning message as in the figure below:

Figure 5. CDR warning message


How can the administrator release the client?
1. Go to Site-wide > Monitor > Containment list, where you can choose "Release" or "Add to Exempt list".

Figure 6. Containment list
