Contact Information:
US Headquarters:
Hillstone Networks
5201 Great America Pkwy, #420
Santa Clara, CA 95054
Phone: 1-408-508-6750
https://www.hillstonenet.com/about-us/contact/
Hillstone Networks
TWNO: TW-DPL-BDS-1.0-CN-V1.0-2019/10/15
Contents
Contents 1
Introduction 1
About This Guide 1
Deployment Requirements 2
User Endpoint System Requirements 2
Server System Requirements 2
Server Hardware Requirements 2
Server Software Requirements 2
Network Environment Requirements 2
Installing sBDS ThreatTrace Client on User Endpoint (Stand-alone Installation Mode) 4
Preparation 4
Installing the sBDS ThreatTrace Client 4
Step 1: Update the installer with the UpdateMsi tool 4
Step 2: Run the installer to complete the installation 5
Step 3: Confirm the process 5
Uninstalling the sBDS ThreatTrace Client 6
Updating the sBDS ThreatTrace Client 6
Installing sBDS ThreatTrace Client on User Endpoint (Domain Installation Mode) 7
Preparation 7
Assigning the sBDS ThreatTrace Client via Group Policy 7
Assigning to the Domain Users 8
Step 1: Create a group policy object 8
Step 2: User Configuration- Edit group policy and deploy software 8
Step 3: Apply Group Policy to User Organizational Units 11
Step 4: Force the group policy to update 12
Assigning to computers in the domain 12
Step 1: Create a group policy object 12
Step 2: Computer Configuration- Edit group policy and deploy software 13
Step 3: Apply Group Policy to Computer Organizational Units 14
Step 4: Force the group policy to update 15
Uninstalling the Assigned Client via Group Policy 15
Updating the Assigned Client via Group Policy 16
Deploying the Threat Trace Server 18
Preparation 18
Deploying the Threat Trace Server 18
TOC - 1
Starting and Visiting the sBDS Threat Trace Server 22
Configuring the sBDS Threat Trace Server 23
Connecting the sBDS Device to the Threat Trace Server 25
Viewing the Threat Trace Results on the sBDS Device 25
Command Line Index 27
Threat Trace Server Commands 27
Viewing Help 27
Configuration Commands 27
Show Commands 28
Introduction
To trace network threat behavior detected by the sBDS device back to the process on the user endpoint, Hillstone
provides the threat trace function. Deploying the function involves three parts: the user endpoint, the server,
and the sBDS device.
First, install the sBDS ThreatTrace Client on the user endpoints of the internal network to collect endpoint-related
behaviors such as process creation, network access, file operations, and registry modifications.
Then, deploy a threat trace server to store the collected endpoint information.
Finally, the sBDS device connects to the threat trace server to obtain the collected information and uses it to trace
threat behaviors.
To deploy the device, refer to the following deployment scenarios.
"Installing sBDS ThreatTrace Client on User Endpoint (Stand-alone Installation Mode)" on Page 4
"Installing sBDS ThreatTrace Client on User Endpoint (Domain Installation Mode)" on Page 7
Deployment Requirements
The requirements for installing and deploying the sBDS Threat Trace function cover the following three
aspects:
Have an Ethernet-compatible network card that supports the TCP/IP protocol.
Note: At present, the sBDS Threat Trace function does not support changing the port. Please
ensure that the above ports are not used by other devices.
Ensure that the network between the sBDS device and the server is reachable.
The server needs to have a long-term fixed IP address or domain name.
Installing sBDS ThreatTrace Client on User Endpoint
(Stand-alone Installation Mode)
Install the sBDS ThreatTrace Client on the user endpoint in stand-alone installation mode, that is, run the
installer (msi format) directly on the user endpoint. This covers the following aspects:
Preparation
Before installing the sBDS ThreatTrace Client, make the following preparations:
2. Download the msi format installer package (32-bit or 64-bit) and the UpdateMsi tool package from Hillstone
sales.
Note: Please select the client installer that matches the user's actual environment, for example
the 64-bit client installer for a 64-bit system.
3. Open the UpdateMsi tool and click Load msi. After the loading succeeds, enter the fixed IP address or domain
name obtained for the Threat Trace server and then click Update.
2. Follow the prompts: click the Next button, confirm the installation location, click the Install button, and then
wait for the installation to complete.
Method 1: Run the installer again and click the Remove button as prompted.
Method 2: Go to the Windows Control Panel, select Programs and Features, select the installed sBDS
ThreatTrace Client in the list, and then click Uninstall.
On the user endpoint, you can also install the sBDS ThreatTrace Client in domain installation mode, in which the
domain server delivers the sBDS ThreatTrace Client to the domain user.
Installing the sBDS ThreatTrace Client on the user endpoint in domain installation mode covers the following
aspects:
Preparation
Before installing the sBDS ThreatTrace Client, make the following preparations:
1. Download the msi format installer package (32-bit or 64-bit) and the UpdateMsi tool package from Hillstone
sales.
2. Create a shared folder on the domain server, store the installer in the shared folder, and ensure that the user has
"Read" permission and that the computers in the domain can access the shared folder.
3. Update the installer with the UpdateMsi tool (For details, see Update the installer with the UpdateMsi tool).
Assign to domain users: When the sBDS ThreatTrace Client is assigned to domain users via group policy, the client
is installed automatically after the domain user logs on to the computer.
2. Expand the node in the left navigation bar, right click on Group Policy Object, select New to open the New
GPO dialog.
3. In the New GPO dialog, type the group policy name into the Name textbox.
4. Click OK.
3. Select the sBDS ThreatTrace Client installer that is already stored in the shared folder.
4. In the Deployment Software dialog, select Assigned, and then click OK to complete the package creation
and deployment.
7. In the Properties dialog, select the Deployment tab, in the Deployment options section, check the Install
this application at logon check box.
8. Select the Security tab and make sure the user group has Read permission.
9. Click OK to save the configuration and return to the Group Policy Management dialog.
Please select the client installer that matches the user's actual environment, for example
the 64-bit client installer for a 64-bit system.
2. In the Security Filtering section, click Add to add a user group to install the sBDS ThreatTrace Client.
3. In the left navigation bar, select the user organization unit that needs to deploy the group policy, right-click the
user organization name, select Link an Existing GPO to open the Select GPO dialog.
4. In the Group Policy objects section, select the created group policy object name.
5. Click OK to save the configuration and return to the Group Policy Management dialog.
6. To ensure that the group policy can be enforced in the user organizational unit and its sub-organizational units,
the group policy can be specified as mandatory. In the Linked Group Policy Objects tab, right click the group
policy name and select Enforced.
1. On the domain server, select Start > Control Panel > System and Security > Administrative Tools, and
double-click Windows PowerShell.
3. After the prompt "user policy update has completed successfully" appears, close the dialog box.
2. Expand the node in the left navigation bar, right click on Group Policy Object, select New to open the New
GPO dialog.
4. Click OK.
Step 2: Computer Configuration - Edit group policy and deploy software
1. Right-click the created Group Policy object and select Edit to open the Group Policy Management Editor
dialog.
2. In the left navigation bar, select Computer Configuration > Policies > Software Settings > Software
Installation, right-click Software Installation, and select New > Package.
3. Select the sBDS ThreatTrace Client installer that is already stored in the shared folder.
4. In the Deployment Software dialog, select Assigned, and then click OK to complete the package creation
and deployment.
Note:
When selecting the client installer, please use the network path of the shared folder; otherwise
the file cannot be read.
Please select the client installer that matches the user's actual environment, for example
the 64-bit client installer for a 64-bit system.
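The two points in the note above (the package must be referenced by its network path, and its bitness must match the endpoints it is assigned to) can be checked before the GPO is linked. The following PowerShell function is an added example and is not part of the Hillstone guide or its tooling; the share name, file name and MSI platform values ("Intel" for 32-bit, "x64" for 64-bit, taken from the MSI summary information Template property) are assumptions, and the sample path is constructed.

```powershell
# Added example (not from the Hillstone guide): pre-flight check of an MSI before assigning it via GPO.
# Assumes the MSI's SummaryInformation "Template" property (PID 7) holds "<platform>;<langid>",
# e.g. "Intel;1033" for a 32-bit package or "x64;1033" for a 64-bit package.
function Test-ThreatTraceInstaller {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,                   # network path of the package in the shared folder
        [ValidateSet('x86', 'x64')] [string] $TargetArch = 'x64'    # architecture of the endpoints the GPO targets
    )
    $problems = @()

    # 1. Group Policy software installation reads the package from the client side,
    #    so a local drive path on the domain server will not work; require a UNC path.
    if ($MsiPath -notmatch '^\\\\[^\\]+\\[^\\]+') {
        $problems += "Not a UNC network path: $MsiPath"
    }
    if (-not (Test-Path -LiteralPath $MsiPath)) {
        $problems += "Installer not reachable: $MsiPath"
        return [pscustomobject]@{ Ok = $false; Platform = $null; Problems = $problems }
    }

    # 2. Read the package platform from the MSI summary information (read-only open, mode 0).
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
    $summary = $db.GetType().InvokeMember('SummaryInformation', 'GetProperty', $null, $db, @(0))
    $template = $summary.GetType().InvokeMember('Property', 'GetProperty', $null, $summary, @(7))
    $platform = ($template -split ';')[0]
    $msiArch = if ($platform -match '^(x64|AMD64)$') { 'x64' } else { 'x86' }

    # 3. Compare the package bitness with the targeted endpoints.
    if ($msiArch -ne $TargetArch) {
        $problems += "Installer platform '$platform' does not match target architecture '$TargetArch'"
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Platform = $platform; Problems = $problems }
}

# Usage on the domain server (constructed sample path; replace with your own share and file name):
Test-ThreatTraceInstaller -MsiPath '\\DC01\sbds\ThreatTraceClient_x64.msi' -TargetArch 'x64'
```

A result with Ok = $false lists each problem found, so the package can be corrected before the policy is enforced on the organizational unit.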
Step 3: Apply Group Policy to Computer Organizational Units
1. In the Group Policy Management dialog, double-click the created group policy name.
2. In the Security Filtering section, click Add to add a computer group to install the sBDS ThreatTrace Client.
3. In the left navigation bar, select the computer organization unit that needs to deploy the group policy, right-click
the user organization name, select Link an Existing GPO to open the Select GPO dialog.
5. Click OK to save the configuration and return to the Group Policy Management dialog.
6. To ensure that the group policy can be enforced in the computer organizational unit and its sub-organizational
units, the group policy can be specified as mandatory. In the Linked Group Policy Objects tab, right click the
group policy name and select Enforced.
Note: Before linking a group policy, you need to ensure that the computer organizational unit
has been created in the domain.
1. On the domain server, select Start > Control Panel > System and Security > Administrative Tools, and
double-click Windows PowerShell.
3. After the prompt "user policy update has completed successfully" appears, close the dialog box.
1. On the domain server, select Start > Control Panel > System and Security > Administrative Tools, and
double-click Group Policy Management to open the Group Policy Management dialog.
2. Expand the node in the left navigation bar, right click on the created Group Policy object and select Edit to open
the Group Policy Management Editor dialog.
3. In the left navigation bar, select Computer Configuration > Policies > Software Settings > Software
Installation.
5. In the Remove Software dialog, select Immediately uninstall the software from users and computers.
After completing the above steps, when the computer matching the group policy is restarted, the installed sBDS
ThreatTrace Client will be uninstalled.
1. On the domain server, select Start > Control Panel > System and Security > Administrative Tools, and
double-click Group Policy Management to open the Group Policy Management dialog.
2. Expand the node in the left navigation bar, right click on the created Group Policy object and select Edit to open
the Group Policy Management Editor dialog.
4. Select the sBDS ThreatTrace Client installer that is already stored in the shared folder.
5. In the Deployment Software dialog, select Assigned, and then click OK to complete the creation and
deployment of the new version of the package.
6. After the new version of the package is created, perform the "Force the group policy to update" step so that
the updated group policy takes effect (for details, see Step 4: Force the group policy to update).
After completing the above steps, when the computer matching the group policy is restarted, the client will be
updated to the new version.
The sBDS threat trace server is packaged as an OVF file and can be installed on a VMware ESXi server. We suggest
using vCenter and vSphere Client to manage ESXi servers.
Preparation
Before deploying the sBDS threat trace server, make the following preparations:
2. Before installation of sBDS threat trace server, please set up your ESXi Server, vCenter Server and vSphere Client
host, then get the disk.
2. In vSphere Client, enter the IP address or name of the vCenter Server, then the username and password, and click Login.
3. After logging in to vCenter, click the "localhost" root node in the left list, then select File > Deploy OVF Template.
7. Select the resource pool in which to run the OVF template, and click Next.
After a short wait, the sBDS threat trace server is deployed.
1. In the list on the left side of the vSphere Client, right-click the virtual machine and select Open Console.
2. Click the green button to start the sBDS threat trace server.
1. Collect the necessary information from your network administrator. You need eth0's IP address, network
mask, and gateway IP address.
2. Change eth0's default IP address (192.168.1.2) to the static IP address you collected from the administrator.
To modify the IP address of eth0, use the following command:
ThreatTraceServer# ifconfig eth0 -ipaddr ip-address -netmask netmask
3. Add a static route. Use the command below to add a default route whose next hop is the gateway, specifying the
gateway IP address:
ThreatTraceServer# route add -net -target default -gw gw-ip-address
For an introduction to all commands supported by the threat trace server, see "Command Line Index" on Page 27.
To connect the sBDS device to the threat trace server, take the following steps:
4. Type the threat trace server IP address into the Server IP text box.
5. The default port number (9200) is displayed after the Server Port.
6. Click OK.
After the connection succeeds, the connection status shown after Status on the page is Connected.
1. Click Threat Analysis > Server > Threat, and click the intranet asset name in the list to open the Server
Detail dialog.
2. Select the Server Applications tab to view the executable information related to the server.
3. Or click Threat Analysis > Endpoint, and click the endpoint name in the list to open the Endpoint Detail dialog.
5. Click Threat Analysis > Threat Event to enter the threat monitor page.
6. Click a threat event name in the list to open the Details dialog for the selected threat, and select the Process
Information tab to view the details of the process information associated with the selected threat event.
command -h
Typing -h after a command displays the help information for all parameters of that command together with its
command line usage format.
Configuration Commands
password
You must change the default login password on first use.
route add [-net | -host] -target target [-netmask netmask] [-gw gateway] [-metric metric] [-dev dev]
Configure the route.
route del [-net | -host] -target target [-netmask netmask] [-gw gateway] [-metric metric] [-dev dev]
Delete the route.
set zone
Configure the time zone.
unmount device
Unmount the disk.
clear
Clear the screen.
Show Commands
show interface
View the interface information.
show route
View the route information.
show dns
View the DNS information.
route print
View the routing table information.
show ntp
View the NTP server information.
show time
View the system date and time.
show disk
View the disk usage.
show version
View version information.