SCC Typical Application
Scenario
A network is under IP spoofing attacks. Although the firewall has blocked the attacks, it cannot prevent the attacker from initiating further attacks. Therefore, another method is needed to find the attack source and deal with it.
Scenario Analysis
Based on the alarms it receives, SCC can take actions such as adding the attack source users to the blacklist or logging them out. SCC also allows you to view the network locations of the attack sources (the network devices they are connected to) and to isolate the attack sources.
In short, SCC can not only notify administrators of potential threats in the network, but also automatically take actions to remove the threats.
Operation Procedure
- Add a security control policy
  - Click the Alarm tab, and then select SCC > Security Control Policy from the navigation tree to enter the Security Control Policy page.
  - Click Add to enter the Add Security Control Policy page.
  - Specify Policy Name as IP-Spoofing-Strategy.
  - Select Auto from the drop-down list of Execution Type. For Event to Process, click the Select Event button, and then select Attack Defense > IP Spoofing on the pop-up page.
  - As attacks may come from anywhere in the network, select Set it as the default policy so that the policy takes effect on the whole network.
  - In the Action and Order area, click the Select Action button, and then select Deny attack device (which is available only after the ACLM component is installed), Send Email, and Device interface - DOWN.
  - Click OK.
- View the received attack alarms and the result reports
  - Click the Alarm tab, and then select SCC > Browse Attack Alarm from the navigation tree to enter the Browse Attack Alarm page, or select SCC > Realtime Attack Alarm from the navigation tree to enter the Realtime Attack Alarm page.
  - When SCC receives IP Spoofing attack alarms, the correlated policy IP-Spoofing-Strategy is executed automatically.
  - View the result reports, from which you can see that the system can isolate the attack sources, inform you of attacks online, and add users to the blacklist.
- View attack paths
  - Click the Alarm tab, and then select SCC > Browse Attack Alarm from the navigation tree to enter the Browse Attack Alarm page, or select SCC > Realtime Attack Alarm from the navigation tree to enter the Realtime Attack Alarm page.
  - Click the attack path link of an alarm to view the attack path.