manualshive.com logo in svg

Huawei AR1200-S Series, Configuration Manual, Page: 199 / 308

Share
Download
Huawei AR1200-S Series Configuration Manual Download Page 199

10.1 ACL Overview

This section describes the basic concept of ACLs.

An ACL is composed of a list of rules. Each rule contains a permit or deny clause. These rules
are defined to use information in packets to classify the packets. After these rules are applied to
the AR1200-S, the AR1200-S determines which packets to receive and reject.

ACLs can be applied to some services and functions on the AR1200-S, for example, the routing
policy, traffic classifier, firewall, and IPSec.

NOTE

An ACL is only a set of rules and cannot filter packets directly. The ACL can identify packets of a certain type
and the packets of this type are processed by the function that references the ACL.

10.2 ACL Features Supported by the AR1200-S

ACLs Supported by the AR1200-S

The AR1200-S supports different types of ACLs, as shown in 

Table 10-1

.

Table 10-1

 Classification of ACLs

Classification
Rule

Type

Function

Description

Information
defined in an
ACL

Basic
ACL

A basic ACL matches
packets based on
information such as source
IP addresses, fragment
flags, and time ranges.

The number of a basic ACL
ranges from 2000 to 2999.

Advanced
ACL

An advanced ACL
matches packets based on
information such as source
and destination IP
addresses, source and
destination port numbers,
packet priorities, and time
ranges.

The number of an advanced
ACL ranges from 3000 to
3999.

Layer 2
ACL

A Layer 2 ACL matches
packets based on Layer 2
information in packets,
such as source and
destination MAC
addresses, and Layer 2
protocol types.

The number of a Layer 2 ACL
ranges from 4000 to 4999.

Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security

10 ACL Configuration

Issue 02 (2012-03-30)

Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.

185

Summary of Contents for AR1200-S Series

Page 1: ...Huawei AR1200 S Series Enterprise Routers V200R002C00 Configuration Guide Security Issue 02 Date 2012 03 30 HUAWEI TECHNOLOGIES CO LTD ...

Page 2: ...be within the purchase scope or the usage scope Unless otherwise specified in the contract all statements information and recommendations in this document are provided AS IS without warranties guarantees or representations of any kind either express or implied The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensu...

Page 3: ... Indicates a hazard with a high level of risk which if not avoided will result in death or serious injury WARNING Indicates a hazard with a medium or low level of risk which if not avoided could result in minor or moderate injury CAUTION Indicates a potentially hazardous situation which if not avoided could result in equipment damage data loss performance degradation or unexpected results TIP Indi...

Page 4: ...ated by vertical bars Several items or no item can be selected 1 n The parameter before the sign can be repeated 1 to n times A line starting with the sign is comments Interface Numbering Conventions Interface numbers used in this manual are examples In device configuration use the existing interface numbers on devices Change History Updates between document issues are cumulative Therefore the lat...

Page 5: ...011 12 30 Initial commercial release Huawei AR1200 S Series Enterprise Routers Configuration Guide Security About This Document Issue 02 2012 03 30 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd iv ...

Page 6: ...HWTACACS AAA 18 1 5 1 Establishing the Configuration Task 18 1 5 2 Configuring AAA Schemes 20 1 5 3 Configuring an HWTACACS Server Template 22 1 5 4 Configuring a Domain 25 1 5 5 Checking the Configuration 26 1 6 Maintaining AAA 27 1 6 1 Clearing the Statistics 27 1 7 Configuration Examples 28 1 7 1 Example for Configuring RADIUS Authentication Authorization and Accounting 28 1 7 2 Example for Con...

Page 7: ...guring the Whitelist 58 3 6 1 Establishing the Configuration Task 58 3 6 2 Adding Entries to the Whitelist Manually 59 3 6 3 Configuring Blacklist and Whitelist Using the Configuration File 60 3 6 4 Checking the Configuration 61 3 7 Configuring ASPF 61 3 7 1 Establishing the Configuration Task 61 3 7 2 Configuring ASPF Detection 62 3 7 3 Checking the Configuration 62 3 8 Configuring Port Mapping 6...

Page 8: ...affic Suppression Features Supported by the AR1200 S 91 4 3 Configuring Traffic Suppression 91 4 3 1 Establishing the Configuration Task 91 4 3 2 Configuring Traffic Suppression on an Interface 92 4 3 3 Checking the Configuration 93 4 4 Configuration Examples 93 4 4 1 Example for Setting the CIR Value for Traffic Suppression 93 4 4 2 Example for Setting the Rate Limit in pps for Traffic Suppressio...

Page 9: ...ional Re Authenticating a User with the Specified MAC Address 117 5 4 9 Checking the Configuration 117 5 5 Maintaining NAC 118 5 5 1 Clearing the Statistics on 802 1x Authentication 118 5 5 2 Clearing the Statistics on MAC Address Authentication 118 5 6 Configuration Examples 119 5 6 1 Example for Configuring 802 1x Authentication 119 5 6 2 Example for Configuring MAC Address Authentication 122 6 ...

Page 10: ...ishing the Configuration Task 153 7 4 2 Configuring the AR1200 S to Discard the ICMP Packets with TTL Value of 1 153 7 4 3 Configuring the AR1200 S to Discard the ICMP Packets with Options 154 7 4 4 Configuring the AR1200 S to Discard ICMP Destination Unreachable Packets 154 7 4 5 Checking the Configuration 155 7 5 Disabling the AR1200 S from Sending Destination Unreachable Packets 155 7 6 Maintai...

Page 11: ... 10 3 3 Creating a Basic ACL 189 10 3 4 Configuring a Basic ACL Rule 191 10 3 5 Applying a Basic ACL 192 10 3 6 Checking the Configuration 194 10 4 Configuring an Advanced ACL 194 10 4 1 Establishing the Configuration Task 195 10 4 2 Optional Creating a Time Range for an Advanced ACL 196 10 4 3 Creating an Advanced ACL 197 10 4 4 Configuring an Advanced ACL Rule 198 10 4 5 Applying an Advanced ACL...

Page 12: ...a Certificate Revocation Password 243 12 4 7 Optional Configuring the RSA Key Length of Certificates 243 12 4 8 Optional Configuring a Source IP Address for TCP Connection Setup 244 12 4 9 Checking the Configuration 244 12 5 Configuring Certificate Enrollment 245 12 5 1 Establishing the Configuration Task 245 12 5 2 Configuring Manual Certificate Enrollment 245 12 5 3 Configuring Automatic Certifi...

Page 13: ...13 5 1 Example for Configuring Keychain Authentication for Non TCP Application 277 14 Configuration of Attack Defense and Application Layer Association 280 14 1 Overview to Attack Defense and Application Layer Association 281 14 1 1 Overview of Attack Defense and Application Layer Association 281 14 1 2 Attack Defense and Application Layer Association Supported by AR1200 S 282 14 2 Configuring Abn...

Page 14: ...se and Application Layer Association 291 14 6 1 Clearing Statistics of Attack Defense and Application Layer Association 291 14 7 Configuration Example 291 14 7 1 Example of Configuring Attack Defense 291 Huawei AR1200 S Series Enterprise Routers Configuration Guide Security Contents Issue 02 2012 03 30 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd xiii ...

Page 15: ...DIUS uses the client server model and protects a network from unauthorized access It is often used in network environments that require high security and control of remote user access 1 5 Configuring HWTACACS AAA Similar to RADIUS HWTACACS uses the client server model to communicate with the HWTACACS server implementing authentication authorization and accounting AAA for access users Compared with...

Page 16: ...t wants to access the network through the Router The Router delivers authentication authorization and accounting information to an AAA server a RADIUS server or an HWTACACS server 1 2 AAA Features Supported by the AR1200 S The AR1200 S supports RADIUS and HWTACACS authentication authorization and accounting AAA and also local authentication and authorization RADIUS Authentication Authorization and...

Page 17: ...ame and password to the RADIUS server 3 The RADIUS server authenticates the user name and password If authentication succeeds the RADIUS server sends a RADIUS Access Accept packet to the AR1200 S If authentication fails the RADIUS server sends a RADIUS Access Reject packet to the AR1200 S The RADIUS Access Accept packet contains authorization information 4 The AR1200 S permits or rejects the user ...

Page 18: ...counting Access user Router HWTACACS server User logs in Authentication request packet Authentication response packet User accesses network resources Authentication response packet User exits Authentication response packet Request the user name Enter the user name Authentication request packet Request the password Enter the password Authentication request packet Authorization request packet Author...

Page 19: ... S sends an Accounting Start packet to the HWTACACS server 16 The HWTACACS server sends an accounting response packet and starts accounting 17 The user starts to access network resources 18 The user requests to disconnect from the network The AR1200 S sends an Accounting Stop packet to the HWTACACS server 19 The HWTACACS server sends an Accounting Stop response packet and stops accounting Local Au...

Page 20: ...kup of HWTACACS authorization Pre configuration Tasks Before configuring local authentication and authorization completing the following task l Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up Data Preparation To configure local authentication and authorization you need the following data No Data 1 User name and password 2 Optional Loc...

Page 21: ...tional Run local user user name idle timeout minutes seconds The idle timeout interval of the local user is set Step 6 Optional Run local user user name service type 8021x bind ftp http l2tp ppp ssh telnet terminal web x25 pad The access type of the local user is set By default a local user can use any access type Step 7 Optional Run local user user name ftp directory directory The FTP directory t...

Page 22: ...lt the AR1200 S performs local authentication and authorization for access users NOTE The AR1200 S does not support local accounting Procedure l Configuring an authentication scheme 1 Run system view The system view is displayed 2 Run aaa The AAA view is displayed 3 Run authentication scheme authentication scheme name An authentication scheme is created and the authentication scheme view is displa...

Page 23: ...can be modified but it cannot be deleted 4 Run authorization mode local none The authorization mode is configured End 1 3 4 Configuring a Domain The created authentication and authorization schemes take effect only after being applied to a domain Context Before configuring a domain ensure that the authentication and authorization schemes have been created When local authentication and authorizatio...

Page 24: ...en a domain is in blocking state users in this domain cannot log in By default a domain is in active state after being created Step 7 Run quit Return to the domain view Step 8 Optional Run domain name delimiter delimiter The domain name delimiter is configured The domain name delimiter can be any of the following By default the domain name delimiter is End 1 3 5 Checking the Configuration Prerequi...

Page 25: ...uration tasks and obtain the data required for the configuration This will help you complete the configuration task quickly and accurately Applicable Environment To prevent unauthorized users from attacking a network configure AAA l Authentication checks whether a user is allowed to access a network Only authenticated users can access the network l Authorization authorizes a user to use specific s...

Page 26: ...tication mode in an authentication scheme to RADIUS and the accounting mode in an accounting scheme to RADIUS Context If RADIUS authentication is configured you can also configure local authentication or non authentication as a backup This allows local authentication or non authentication to be implemented if RADIUS authentication fails If RADIUS accounting is configured you can also configure non...

Page 27: ...ion 5 Optional Run authentication super hwtacacs super none The authentication mode used to upgrade user levels is configured 6 Optional Run quit Return to the AAA view 7 Optional Run domainname parse direction left to right right to left The direction in which the user name and domain name are parsed is configured l Configuring an accounting scheme 1 Run system view The system view is displayed 2...

Page 28: ...ers online after a real time accounting failure by default End 1 4 3 Configuring a RADIUS Server Template In a RADIUS server template you must specify the IP address port number and shared key of a specified RADIUS server Other settings such as the RADIUS user name format traffic unit and number of times RADIUS request packets are retransmitted have default values and can be changed according to n...

Page 29: ...interface number ip address ip address secondary The secondary RADIUS accounting server is configured By default the IP address of the secondary RADIUS accounting server is 0 0 0 0 and the port number is 0 Step 8 Optional Run radius server shared key cipher simple key string The shared key is configured By default the shared key of a RADIUS server is huawei Step 9 Optional Run radius server user n...

Page 30: ...4 Optional Run radius attribute nas ip The RADIUS NAS IP Address attribute is set Step 15 Optional Run return Return to the user view Step 16 Optional Run test aaa user name user password radius template template name chap pap You can test whether a user can be authenticated using RADIUS authentication End 1 4 4 Configuring a Domain The created authentication scheme accounting scheme and RADIUS se...

Page 31: ...n is disabled Step 6 Optional Run service scheme service scheme name A service scheme is applied to a domain By default no service scheme is applied to a domain Step 7 Run radius server template name A RADIUS server template is applied to a domain By default no RADIUS server template is applied to a domain Step 8 Optional Run state active block The domain status is configured When a domain is in b...

Page 32: ...ain configuration End 1 5 Configuring HWTACACS AAA Similar to RADIUS HWTACACS uses the client server model to communicate with the HWTACACS server implementing authentication authorization and accounting AAA for access users Compared with RADIUS HWTACACS is more reliable in transmission and encryption and is therefore more suitable for security control 1 5 1 Establishing the Configuration Task Bef...

Page 33: ...1 Name of an authentication scheme 2 Name of an authorization scheme 3 Name of an accounting scheme 4 Name of an HWTACACS server template 5 IP addresses and port numbers of primary and secondary HWTACACS authentication servers 6 IP addresses and port numbers of primary and secondary HWTACACS authorization servers 7 Optional IP addresses and port numbers of primary and secondary HWTACACS accounting...

Page 34: ...entication scheme view is displayed By default the default authentication scheme is used The default authentication scheme can be modified but it cannot be deleted 4 Run authentication mode hwtacacs none HWTACACS authentication is configured By default local authentication is used To configure local authentication as a backup see 1 3 Configuring Local Authentication and Authorization NOTE If multi...

Page 35: ...n modes are configured in an authorization scheme authorization modes are used in the sequence in which they were configured The AR1200 S uses the authorization mode that was configured later only after the current authorization mode fails The AR1200 S stops the authorization if the user fails to pass the authorization 5 Optional Run authorization cmd privilege level hwtacacs local Command line au...

Page 36: ... Optional Run accounting interim fail max times times online offline The maximum number of real time accounting failures is set and a policy used after a real time accounting failure is configured After real time accounting is enabled the maximum number of real time accounting failures is 3 and the AR1200 S keeps paid users online after a real time accounting failure by default End 1 5 3 Configuri...

Page 37: ...ss port public net vpn instance vpn instance name The IP address of the primary HWTACACS authorization server is specified By default the IP address of the primary HWTACACS authorization server is 0 0 0 0 and its port number is 0 and the primary HWTACACS authorization server is not bound to any VPN instance Step 7 Optional Run hwtacacs server authorization ip address port public net vpn instance v...

Page 38: ...acacs server user name domain included The AR1200 S is configured to encapsulate the domain name in the user name in HWTACACS packets to be sent to an HWTACACS server By default the AR1200 S encapsulates the domain name in the user name when sending HWTACACS packets to an HWTACACS server Step 13 Optional Run hwtacacs server traffic unit byte kbyte mbyte gbyte The traffic unit used by an HWTACACS s...

Page 39: ...4 Configuring a Domain The created authentication scheme authorization scheme accounting scheme and HWTACACS server template take effect only after being applied to a domain Context Before configuring a domain ensure that the authentication scheme authorization scheme accounting scheme and HWTACACS server template have been created Procedure Step 1 Run system view The system view is displayed Step...

Page 40: ...me is applied to a domain By default no service scheme is applied to a domain Step 8 Run hwtacacs server template name The HWTACACS server template is applied to a domain By default no HWTACACS server template is applied to a domain Step 9 Optional Run state active block The domain status is configured When a domain is in blocking state users in this domain cannot log in By default a domain is in ...

Page 41: ...d to check the HWTACACS server template configuration l Run the display domain name domain name command to check the domain configuration End 1 6 Maintaining AAA Clearing the Statistics 1 6 1 Clearing the Statistics Context CAUTION Statistics cannot be restored after being cleared Exercise caution when you run this command Run the following commands in the user view to clear the statistics Procedu...

Page 42: ...stination network through RouterB after being authenticated The remote authentication configuration on RouterB is as follows l The RADIUS server performs authentication and accounting for access users l The RADIUS server at 129 7 66 66 24 functions as the primary authentication and accounting server The RADIUS server at 129 7 66 67 24 functions as the secondary authentication and accounting server...

Page 43: ... template shiva Huawei system view Huawei radius server template shiva Configure the IP address and port numbers of the primary RADIUS authentication and accounting server Huawei radius shiva radius server authentication 129 7 66 66 1812 Huawei radius shiva radius server accounting 129 7 66 66 1813 Configure the IP address and port numbers of the secondary RADIUS authentication and accounting serv...

Page 44: ... B Shared secret key 3MQ TZ O3KCQ Q MAF4 1 Timeout interval in second 5 Primary authentication server 129 7 66 66 1812 LoopBack NULL Source IP 0 0 0 0 Primary accounting server 129 7 66 66 1813 LoopBack NULL Source IP 0 0 0 0 Secondary authentication server 129 7 66 67 1812 LoopBack NULL Source IP 0 0 0 0 Secondary accounting server 129 7 66 67 1813 LoopBack NULL Source IP 0 0 0 0 Retransmission 2...

Page 45: ...tion fails local authentication is performed l HWTACACS authorization is performed l HWTACACS accounting is performed l Real time accounting is performed every 3 minutes l The IP addresses of primary and secondary HWTACACS servers are 129 7 66 66 24 and 129 7 66 67 24 The port number for authentication accounting and authorization is 49 Figure 1 5 Networking diagram of HWTACACS authentication auth...

Page 46: ... authorization and accounting servers Huawei hwtacacs ht hwtacacs server authentication 129 7 66 66 49 Huawei hwtacacs ht hwtacacs server authorization 129 7 66 66 49 Huawei hwtacacs ht hwtacacs server accounting 129 7 66 66 49 Configure the IP addresses and port numbers of the secondary HWTACACS authentication authorization and accounting servers Huawei hwtacacs ht hwtacacs server authentication ...

Page 47: ...wtacacs server ht Huawei aaa domain huawei quit Huawei aaa quit Step 4 Verify the configuration Run the display hwtacacs server template command on RouterB You can see that the configuration of the HWTACACS server template is correct Huawei display hwtacacs server template ht HWTACACS server template name ht Primary authentication server 129 7 66 66 49 Primary authorization server 129 7 66 66 49 P...

Page 48: ...authentication scheme default authentication scheme l h authentication mode hwtacacs local authentication super hwtacacs super authorization scheme default authorization scheme hwtacacs authorization mode hwtacacs accounting scheme default accounting scheme hwtacacs accounting mode hwtacacs accounting realtime 3 domain default domain default_admin domain huawei authentication scheme l h accounting...

Page 49: ...otocol HTTP and the Secure Sockets Layer SSL protocol 2 2 HTTPS Features Supported by the AR1200 S The AR1200 S supports the HTTPS server function 2 3 Configuring the AR1200 S as an HTTPS Server The HTTPS server function allows users to securely access the AR1200 S on web pages 2 4 Configuration Examples This section provides an HTTPS configuration example Huawei AR1200 S Series Enterprise Routers...

Page 50: ...TPS server 2 2 HTTPS Features Supported by the AR1200 S The AR1200 S supports the HTTPS server function An AR1200 S functions as an HTTPS server after the HTTPS server function is configured The AR1200 S uses the SSL protocol s data encryption identity authentication and message integrity check mechanisms to protect security of data transmitted between users and the AR1200 S These mechanisms ensur...

Page 51: ...a server SSL policy For details see 11 3 Configuring a Server SSL Policy Step 3 Run http secure server ssl policy ssl policy An SSL policy is applied to the HTTPS service By default no SSL policy is applied to the HTTPS service on the AR1200 S Step 4 Optional Run http secure server port port The port number is set for the HTTPS service By default the port number of the HTTPS service is 443 Step 5 ...

Page 52: ...e Router on web pages l The administrator uses the SSL protocol s security mechanisms to authenticate the Router improving remote access security NOTE To implement certificate authentication you also need to configure a Certificate Authority CA server The CA server configuration is not mentioned here Figure 2 2 Networking diagram of HTTPS server configuration Admin 1 1 1 1 24 CA R D department Rou...

Page 53: ...Session Timeout Period adminserver 40 7200 seconds l HTTPS service port number 1278 NOTE Before starting the configuration ensure that routes between the Router user hosts and CA are reachable Procedure Step 1 Configure a PKI entity and a PKI domain Configure a PKI entity Huawei system view Huawei sysname Router Router pki entity admin Router pki entity admin common name hello Router pki entity ad...

Page 54: ...o obtain a digital certificate from the CA specified in the PKI domain Router ssl policy adminserver type server Router ssl policy adminserver pki realm admin Set the maximum number of sessions that can be saved and the timeout period of a saved session Router ssl policy adminserver session cachesize 40 timeout 7200 Router ssl policy adminserver quit Step 3 Configure the Router as an HTTPS server ...

Page 55: ... 1 1 255 255 255 0 pki entity admin common name hello country CN pki realm admin entity admin ca id ca_root enrollment url http 3 1 1 1 8080 certsrv mscep mscep dll ra fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF ssl policy adminserver type server pki realm admin session cachesize 40 timeout 7200 http secure server ssl policy adminserver http secure server enable http secure server po...

Page 56: ... the blacklist or configure a dynamic blacklist If you choose the dynamic blacklist enable IP address scanning and port scanning defense on the attack defense module of the AR1200 S When the AR1200 S detects that the connection rate of an IP address or a port exceeds the threshold the AR1200 S considers that a scanning attack occurs and adds the source IP address to the blacklist All the packets f...

Page 57: ...cked 3 11 Configuring Traffic Statistics and Monitoring The AR1200 S supports traffic statistics and monitoring at the system level zone level and IP address level 3 12 Configuring the Log Function The firewall logs include session logs statistics logs attack defense logs and blacklist logs 3 13 Maintaining the Firewall 3 14 Configuration Examples This section provides several configuration exampl...

Page 58: ...s through an ACL l ASPF filters packets at the application layer l Blacklist filters packets based on source IP addresses l Whitelist prevents the specified IP addresses from being added to the blacklist and filters packets based on source IP addresses l Port mapping defines new port numbers for different application layer protocols protecting the server against service specific attacks l Attack d...

Page 59: ...ce destination port numbers and IP protocol number The AR1200 S compares the packet information with the ACL rules and determines whether to forward or discard the packets In addition the AR1200 S can filter fragmented IP packets to prevent a non initial fragment attack ASPF ASPF is applied to the application layer that is ASPF is status based packet filtering ASPF detects the application layer se...

Page 60: ...se private networks belong to small scale enterprises Such enterprises have the following requirements l High security l Insufficient costs to afford a private security device Logically the AR1200 S can be divided into multiple virtual firewalls to serve multiple small scale private networks By using the virtual firewall function an ISP can lease the network security services to the enterprises A ...

Page 61: ...is ensures that new sessions are set up In this way a DoS attack can be prevented if the system is too busy Figure 3 1 shows an application of the firewall The IP address based statistics function is enabled for the packets from external networks to the internal network If the number of TCP sessions initiated by external networks to Web server 129 9 0 1 exceeds the threshold the AR1200 S forbids e...

Page 62: ...e higher than the traffic caused by ping of large packets An advanced Smurf attack targets hosts The attacker changes the source address of an ICMP request to the IP address of the target host The host becomes overwhelmed with ICMP replies then crashes This attack is more effective when a large volume of ICMP requests packets are generated and when there are a large number of hosts on the network ...

Page 63: ...unreachable packet After receiving the ICMP unreachable packets of a network code is 0 or a host code is 1 some systems consider the subsequent packets sent to this destination as unreachable The systems then disconnect the destination from the host Teardrop Attack The More Fragment MF bit offset field and length field in an IP packet indicate the segment of the original packet contained in this f...

Page 64: ...rough the ICMP timeout packets that is returned when Time To Live TTL value is 0 or through the returned ICMP port unreachable packets 3 3 Configuring Zones All the security policies of the firewall are enforced based on zones 3 3 1 Establishing the Configuration Task Before configuring a zone familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the ...

Page 65: ...e priority of the zone is set You must configure a priority for a zone before making other configurations The priority cannot be changed The priorities of the zones cannot be the same A greater value indicates a higher priority End 3 3 3 Adding an Interface to the Zone You can add interfaces to the specified zone Prerequisites The zone has been created through the firewall zone command Procedure S...

Page 66: ... 5 Enabling Firewall in the Interzone The configured firewall functions take effect only after you enable firewall in the interzone Procedure Step 1 Run system view The system view is displayed Step 2 Run firewall interzone zone name1 zone name2 The interzone view is displayed The zones zone name1 and zone name2 have been created through the firewall zone command Step 3 Run firewall enable The fir...

Page 67: ...configuration task quickly and accurately Applicable Environment When data is transmitted between two zones the ACL based packet filtering firewall enforces the packet filtering policies according to the ACL rules The ACLs for filtering packet include basic ACLs and advanced ACLs Pre configuration Tasks Before configuring ACL based packet filtering complete the following tasks l Configuring zones ...

Page 68: ...lter default deny permit inbound outbound The default processing mode for unmatched packets is configured In the default settings of the system the outbound unmatched packets are allowed and the inbound unmatched packets are denied If an ACL is applied to the inbound or outbound packets of an interzone the packets are filtered according to the ACL rules If packets do not match the ACL the default ...

Page 69: ...able environment complete the pre configuration tasks and obtain the data required for the configuration This will help you complete the configuration task quickly and accurately Applicable Environment The blacklist can filter out packets sent from a specified IP address to a zone An IP address can be added to the blacklist manually or automatically When the attack defense module of the firewall d...

Page 70: ...vpn instance name expire time minutes An entry is added to the blacklist When adding an entry to the blacklist you can set the IP address aging time and VPN instance The aging time refers to the period in which the IP address is effective after it is added to the blacklist When the IP address expires it is released from the blacklist If the aging time is not specified the IP address is always vali...

Page 71: ...lacklist entry IPAddress An IP address in the blacklist in dotted decimal notation VPNName Optional VPN instance of the blacklist FirewallWhitelist A whitelist entry IPAddress An IP address in the whitelist in dotted decimal notation VPNName Optional VPN instance of the whitelist in dotted decimal notation A configuration file can contain multiple entries but each entry must be edited separately B...

Page 72: ...ormation about the blacklist End Example Run the display firewall blacklist command to view information about the blacklist Huawei display firewall blacklist all Firewall blacklist items IP Address Reason Expire Time m VPN Instance 10 1 1 1 Manual 100 Total number is 1 3 6 Configuring the Whitelist Whitelists are applicable to networks where devices send valid service packets that resemble IP addr...

Page 73: ...tries 3 6 2 Adding Entries to the Whitelist Manually The entries in the whitelist take effect directly and you do not need to enable the whitelist function Procedure Step 1 Run system view The system view is displayed Step 2 Run firewall whitelist ip address vpn instance vpn instance name expire time minutes An entry is added to the whitelist By running this command you can add an entry to the whi...

Page 74: ...ptional VPN instance of the whitelist in dotted decimal notation A configuration file can contain multiple entries but each entry must be edited separately Blank lines are allowed between lines FirewallBlacklist IPAddress 210 10 10 1 VPNName vpna FirewallBlacklist IPAddress 220 10 10 2 VPNName FirewallWhitelist IPAddress 10 10 10 1 VPNName vpnb FirewallWhitelist IPAddress 20 20 20 1 VPNName NOTE A...

Page 75: ...ay firewall whitelist all Firewall whitelist items IP Address Expire Time m Vpn Instance 1 1 1 1 3 vpn1 1 1 1 2 Permanent vpn2 1 1 1 3 6 Total number is 3 3 7 Configuring ASPF The ASPF function can detect sessions that attempt to traverse the application layer and deny the undesired packets In addition ASPF enables application protocols that cannot traverse firewalls to function properly 3 7 1 Est...

Page 76: ...ew The system view is displayed Step 2 Run firewall interzone zone name1 zone name2 The interzone view is displayed Step 3 Run detect aspf all ftp http activex blocking java blocking rtsp sip ASPF is configured Generally the application layer protocol packets are exchanged between the two parties in communication so the direction does not need to be configured The AR1200 S automatically checks the...

Page 77: ...on This will help you complete the configuration task quickly and accurately Applicable Environment Through port mapping the firewall can identify packets of the application layer protocols that use the non well known ports The port mapping function can be applied to features sensitive to application layer protocols such as ASPF Port mapping is applicable to the application layer protocols such as...

Page 78: ...to multiple protocols The mappings however must be distinguished by the ACL That is packets matching different ACL rules use different mapping entries NOTE Port mapping identifies the protocol type of the packets destined for an IP address such as the IP address of a WWW server therefore when configuring the basic ACL rules you need to match the destination IP addresses of the packets with the sou...

Page 79: ...UDP and ICMP to record the connection status of the protocol The aging time is set for the session table of the firewall If a record in the session table does not match any packet within the aging time the system deletes the record To change the aging time of protocol sessions set the aging time of the firewall session table Data Preparation To set the aging time of the firewall session table you ...

Page 80: ...ssion table is set you can view the aging time Procedure l Run the display firewall nat session aging time command to view the aging time of the firewall session table End Example Run the display firewall nat session aging time command to view the aging time of the firewall session table Huawei display firewall nat session aging time tcp protocol timeout 60 s tcp proxy timeout 60 s udp protocol ti...

Page 81: ...es and adding interfaces to the zones l Configuring the interzone and enabling the firewall function in the interzone Data Preparation To configure the attack defense function you need the following data No Data 1 Attack type a specified type or all types 3 Status of the TCP proxy that prevents SYN Flood attacks including always enabled always disabled or auto enabled automatically enabled when th...

Page 82: ... icmp unreachable enable The ICMP Unreachable attack defense is enabled Step 7 Run firewall defend ip fragment enable The IP Fragment attack defense is enabled Step 8 Run firewall defend ip sweep enable The IP address sweeping attack defense is enabled After the parameters for IP address sweeping attack defense are set you must enable the IP address sweeping attack defense function otherwise the A...

Page 83: ...YN Flood attack defense are set you must enable the SYN Flood attack defense function otherwise the AR1200 S does not detect the attack packets or take attack defense measures Step 15 Run firewall defend tcp flag enable The TCP flag attack defense is enabled Step 16 Run firewall defend teardrop enable The Teardrop attack defense is enabled Step 17 Run firewall defend tracert enable The Tracert att...

Page 84: ...you need to specify the zones or IP addresses to be protected otherwise the attack defense parameters are invalid You can also specify the maximum session rate When the session rate exceeds the limit the AR1200 S considers that an attack occurs and takes measures For Flood attack defense the priority of IP addresses is higher than the priority of zones If Flood attack defense is enabled for both a...

Page 85: ...rs for IP address sweep attack defense are set Step 3 Run firewall defend port scan blacklist expire time interval max rate rate value The parameters for port scanning attack defense are set For scanning attack defense the following two parameters need to be set l Maximum session rate When the session rate of an IP address or a port exceeds the limit the AR1200 S considers that a scanning attack o...

Page 86: ...lag land disable smurf disable fraggle disable winnuke disable syn flood disable udp flood disable icmp flood disable icmp redirect disable icmp unreachable disable ip sweep disable port scan disable tracert disable ping of death disable teardrop disable tcp flag disable ip fragment disable large icmp disable View the configuration of IP address sweep attack defense Huawei display firewall defend ...

Page 87: ...sessions initiated by the local zone The outbound direction means that the AR1200 S counts and monitors the sessions destined for this zone The IP address based traffic statistics and monitoring count and monitor the TCP and UDP sessions set up by an IP address in the zone When the number of sessions set up by an IP address exceeds the threshold the AR1200 S restricts the sessions until the number...

Page 88: ...one The zone level traffic statistics and monitoring is enabled By default the zone level traffic statistics and monitoring is disabled l Enabling IP address level traffic statistics and monitoring 1 Run system view The system view is displayed 2 Run firewall zone zone name The zone view is displayed 3 Run statistics ip enable inzone outzone The IP address level traffic statistics and monitoring i...

Page 89: ...ault the upper threshold and lower threshold for each type of protocol packets are 16384 and 12288 l Setting the session thresholds for zone level traffic statistics and monitoring 1 Run system view The system view is displayed 2 Run firewall zone zone name The zone view is displayed 3 Run statistics zone enable inzone outzone The zone level traffic statistics and monitoring are enabled By default...

Page 90: ...default the upper threshold and lower threshold for each type of protocol packets are 16384 and 12288 End 3 11 4 Checking the Configuration After the traffic statistics and monitoring are configured you can view information about traffic statistics and monitoring Procedure l Run the display firewall statistics system command to view information about the system level traffic statistics and monitor...

Page 91: ...es Data Preparation To configure the log function you need the following data No Data 1 Type of the log 2 IP address and port number of the session log host and the source IP address and source port number that the AR1200 S uses to communicate with the session log host 3 Conditions for recording session logs including the ACL number and the direction 4 Optional Interval for exporting the attack de...

Page 92: ... the interzone view to determine the sessions to be recorded in the logs The ACLs can be configured for incoming and outgoing traffic Procedure Step 1 Run system view The system view is displayed Step 2 Run firewall log binary log host host ip address host port source source ip address source port vpn instance vpn instance name The session log host is configured By default no session log host is c...

Page 93: ... 30 s nat session disabled binary log host host source VPN instance name 3 13 Maintaining the Firewall 3 13 1 Displaying the Firewall Configuration Procedure l Run the display firewall zone zone name interface priority command to view the configurations of all zones or the specified zone l Run the display firewall interzone zone name1 zone name2 command to view the configurations of the interzone ...

Page 94: ...pn instance name zone zone name other attack type command to view the status and configuration of the attack defense functions l Run the display firewall log configuration command to view the global configuration of the log function l Run the display firewall session command to view the session table of the firewall End 3 13 2 Clearing the Firewall Statistics Context To view the communication pack...

Page 95: ...ter the packets between the internal network and the external network The following requirements must be met l A host 202 39 2 3 on the external network is allowed to access the servers in the internal network l Other hosts are not allowed to access the servers on the internal network Figure 3 2 Network diagram for configuring ACL based packet filtering Telnet server FTP server 129 38 1 2 202 39 2...

Page 96: ...gabitEthernet0 0 1 quit Step 3 Configure the ACL on the Router Huawei acl 3102 Huawei acl adv 3102 rule permit tcp source 202 39 2 3 0 0 0 0 destination 129 38 1 2 0 0 0 0 Huawei acl adv 3102 rule permit tcp source 202 39 2 3 0 0 0 0 destination 129 38 1 3 0 0 0 0 Huawei acl adv 3102 rule permit tcp source 202 39 2 3 0 0 0 0 destination 129 38 1 4 0 0 0 0 Huawei acl adv 3102 rule deny ip Huawei ac...

Page 97: ... Router can detect the packets of the specified application layer protocols and discard the undesired packets Networking Requirements As shown in Figure 3 3 Ethernet0 0 0 of the Router is connected to a highly secure internal network and GE0 0 1 is connected to the insecure external network The Router must filter the packets and perform ASPF check between the internal network and the external netw...

Page 98: ...y 15 Huawei zone trust quit Huawei firewall zone untrust Huawei zone untrust priority 1 Huawei zone untrust quit Huawei firewall interzone trust untrust Huawei interzone trust untrust firewall enable Huawei interzone trust untrust quit Step 2 Add the interfaces of Router to zones Huawei vlan 100 Huawei vlan100 quit Huawei interface vlanif 100 Huawei Vlanif100 ip address 129 38 1 1 24 Huawei Vlanif...

Page 99: ...t untrust quit Step 5 Configure ASPF on the Router Huawei interzone trust untrust detect aspf ftp Huawei interzone trust untrust quit Step 6 Configure port mapping on the Router Huawei port mapping ftp port 2121 acl 2102 Step 7 Verify the configuration Run the display firewall interzone zone name1 zone name2 command on the Router and the result is as follows Huawei display firewall interzone trust...

Page 100: ... attacks initiated from certain IP addresses Networking Requirements As shown in Figure 3 4 Ethernet0 0 0 of the Router is connected to a highly secure internal network and GE0 0 1 is connected to the insecure external network The Router needs to apply IP address sweeping defense and blacklist policies to the packets sent from the Internet to the enterprise intranet If the Router detects that an I...

Page 101: ...priority 15 Huawei zone trust quit Huawei firewall zone untrust Huawei zone untrust priority 1 Huawei zone untrust quit Huawei firewall interzone trust untrust Huawei interzone trust untrust firewall enable Huawei interzone trust untrust quit Step 2 Add Router interfaces to zones Huawei vlan 100 Huawei vlan100 quit Huawei interface vlanif 100 Huawei Vlanif100 ip address 129 38 1 1 24 Huawei Vlanif...

Page 102: ...un the display firewall interzone zone name1 zone name2 command on the Router and the result is as follows Huawei display firewall interzone trust untrust interzone trust untrust firewall enable packet filter default deny inbound packet filter default permit outbound Run the display firewall blacklist all command on the Router and the result is as follows Huawei display firewall blacklist all Fire...

Page 103: ...ip address 129 38 1 1 255 255 255 0 zone trust firewall zone trust priority 15 firewall zone untrust priority 1 firewall interzone trust untrust firewall enable interface Ethernet0 0 0 port link type access port default vlan 100 interface GigabitEthernet0 0 1 ip address 202 39 2 1 255 255 255 0 zone untrust Huawei AR1200 S Series Enterprise Routers Configuration Guide Security 3 Firewall Configura...

Page 104: ...orted by the AR1200 S This section describes traffic suppression features supported by the AR1200 S 4 3 Configuring Traffic Suppression This section describes how to configure traffic suppression 4 4 Configuration Examples This section provides traffic suppression configuration examples Huawei AR1200 S Series Enterprise Routers Configuration Guide Security 4 Traffic Suppression Configuration Issue...

Page 105: ...ure traffic suppression 4 3 1 Establishing the Configuration Task Before configuring traffic suppression familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the required data This will help you complete the configuration task quickly and accurately Applicable Environment When receiving unknown unicast packets multicast packets or broadcast packets t...

Page 106: ... an Interface This section describes how to configure traffic suppression on an interface Procedure Step 1 Run system view The system view is displayed Step 2 Run interface interface type interface number The interface view is displayed Step 3 Configure traffic suppression on an interface l Set the CIR value for traffic suppression Run the broadcast suppression cir cir value command to set the CIR...

Page 107: ... Run the display flow suppression interface interface type interface number command to check the traffic suppression configuration on the specified interface AR1200 S display flow suppression interface ethernet 2 0 1 storm type rate mode set rate value unknown unicast pps packets 1260 packets per second multicast pps packets 2520 packets per second broadcast pps packets 1260 packets per second 4 4...

Page 108: ... Procedure Step 1 Enter the interface view Huawei system view Huawei sysname RouterA RouterA interface ethernet 0 0 0 Step 2 Set the CIR value for broadcast packets RouterA Ethernet0 0 0 broadcast suppression cir 100 Step 3 Set the CIR value for multicast packets RouterA Ethernet0 0 0 multicast suppression cir 200 Step 4 Set the CIR value for unknown unicast packets RouterA Ethernet0 0 0 unicast s...

Page 109: ...2 0 0 NOTE As shown in Figure 4 2 RouterA is an enterprise router and RouterB is an aggregation router Figure 4 2 Network diagram of Setting the Rate Limit in pps for Traffic Suppression RouterA Ethernet2 0 0 L2 network L3 network RouterB Configuration Roadmap The configuration roadmap is as follows l Set the rate limit in pps for traffic suppression on Ethernet 2 0 0 Data Preparation To complete ...

Page 110: ...the configuration Run the display flow suppression interface command and you can view the traffic suppression configuration on Ethernet 2 0 0 RouterA display flow suppression interface Ethernet 2 0 0 storm type rate mode set rate value unknown unicast pps pps 12600 packet s multicast pps pps 25200 packet s broadcast pps pps 12600 packet s End Configuration Files sysname RouterA interface Ethernet ...

Page 111: ... Authentication You can configure 802 1x authentication on an interface to authenticate access devices connected to an interface of an access control device on a LAN 5 4 Configuring MAC Address Authentication After MAC address authentication is configured the AR1200 S uses the user MAC address as the user name and password for authentication 5 5 Maintaining NAC This section describes how to mainta...

Page 112: ...ks with an AAA server to prevent unauthorized terminals from accessing the network minimize the threats brought by insecure terminals prevent unauthorized access requests from authorized terminals and protect core resources l ACS Access control server ACS An ACS checks terminal security and manage policies manages user behaviors and audits rule violations and prevents malicious attacks from termin...

Page 113: ...CACS packets and sends the packets to the AAA server Guest VLAN If a user that fails to be authenticated wants to access some network resources for example the user wants to download the 802 1x client program and update the virus library add the user to a guest VLAN so that the user can access resources in the guest VLAN MAC address bypass authentication If the 802 1x client software cannot be ins...

Page 114: ... Pre configuration Tasks None Data Preparation To configure 802 1x authentication you need the following data No Data 1 Interface that will be enabled with 802 1x authentication 2 Optional Maximum number of concurrent access users on an interface 3 Optional Maximum number of times an authentication request can be retransmitted 4 Optional Interface that will be enabled with MAC address bypass authe...

Page 115: ...authentication on an interface in the interface view 1 Run system view The system view is displayed 2 Run interface interface type interface number The interface view is displayed 3 Run dot1x enable 802 1x authentication is enabled on the interface By default 802 1x authentication is disabled on an interface End 5 3 4 Optional Enabling MAC Address Bypass Authentication If the 802 1x client softwar...

Page 116: ...ystem view is displayed 2 Run interface interface type interface number The interface view is displayed 3 Run dot1x mac bypass MAC address bypass authentication is enabled on the interface By default MAC address bypass authentication is disabled on an interface End 5 3 5 Optional Setting the 802 1x Authentication Mode The AR1200 S supports CHAP authentication PAP authentication and EAP relay authe...

Page 117: ...d access method 802 1x users on an interface are authenticated independently Interface based access method All the other users on an interface can use network resources after the first user is authenticated After the first user goes offline other users cannot use network resources The access method can be configured in the system view or interface view CAUTION If there are online 802 1x users on a...

Page 118: ... users cannot access network resources After a user is authenticated on the interface the interface enters the authorized state and allows users to access network resources authorized force An interface is always in authorized state and allows users to access network resources without authentication unauthorized force An interface is always in unauthorized state and does not allow users to access ...

Page 119: ... S allows a maximum of 128 concurrent access users NOTE If the number of current online users on an interface has exceeded the maximum number that you set online users are not affected but new access users cannot access networks You can set the maximum number of concurrent access users in the system view or interface view Procedure l Setting the maximum number of concurrent access users in the sys...

Page 120: ...uthentication triggered by DHCP messages is enabled By default 802 1x authentication triggered by DHCP messages is disabled End 5 3 10 Optional Setting Values of Timers Used in 802 1x Authentication On the AR1200 S you can set the client authentication timeout timers handshake interval between the AR1200 S and the 802 1x client quiet timer value re authentication interval and interval for sending ...

Page 121: ...lue is 30s The dot1x timer command only sets the values of the timers and you need to enable the corresponding timers by running commands or adopting the default settings End 5 3 11 Optional Configuring the Quiet Timer Function If a user fails to be authenticated after the quiet timer function is enabled the AR1200 S does not process the authentication requests from the user in this period This pr...

Page 122: ...ional Run dot1x timer reauthenticate period reauthenticate period value The re authentication interval is set After 802 1x re authentication is enabled on an interface the default re authentication interval is 3600s l Enabling 802 1x re authentication in the interface view 1 Run system view The system view is displayed 2 Optional Run dot1x timer reauthenticate period reauthenticate period value Th...

Page 123: ... guest VLAN and the VLAN configured as the guest VLAN cannot be deleted Users in the guest VLAN can communicate with each other You can configure a guest VLAN in the system view and in the interface view Procedure l Configuring a guest VLAN in the system view 1 Run system view The system view is displayed 2 Run dot1x guest vlan vlan id interface interface type interface number1 to interface number...

Page 124: ...d Users in the VLAN that is the same as the restrict VLAN can communicate with users in the restrict VLAN A restrict VLAN can be configured in the system view and in the interface view Procedure l Configuring a restrict VLAN in the system view 1 Run system view The system view is displayed 2 Optional Run dot1x restrict vlan fail times fail times The maximum number of authentication failures is set...

Page 125: ...1 Run system view The system view is displayed Step 2 Run dot1x handshake The AR1200 S is enabled to send handshake packets to online users By default the AR1200 S sends handshake packets to online users Step 3 Optional Run dot1x timer handshake period handshake period value The handshake interval between the AR1200 S and the 802 1x client is set By default the handshake interval between the AR120...

Page 126: ...mand to check the 802 1x authentication configuration l Run the display mac address authen vlan vlan id command to check MAC address entries of the authen type End 5 4 Configuring MAC Address Authentication After MAC address authentication is configured the AR1200 S uses the user MAC address as the user name and password for authentication 5 4 1 Establishing the Configuration Task Before configuri...

Page 127: ... system view is displayed Step 2 Run mac authen Global MAC address authentication is enabled By default global MAC address authentication is disabled End 5 4 3 Enabling MAC Address Authentication on an Interface To perform MAC address authentication for a user enable MAC address authentication on the interface connected to the user Context CAUTION MAC address authentication cannot be used together...

Page 128: ...dress authentication is disabled on an interface End 5 4 4 Optional Setting the Format of the User Name A fixed user name or a MAC address can be used for MAC address authentication Context When the MAC address is used as the user name for MAC address authentication the MAC address is used as the authentication password Procedure Step 1 Run system view The system view is displayed Step 2 Run mac a...

Page 129: ...ace view 1 Run system view The system view is displayed 2 Run interface interface type interface number The interface view is displayed 3 Run mac authen domain domain name A domain name is configured for MAC address authentication By default the default domain is used for MAC address authentication End 5 4 6 Optional Setting Values for MAC Address Authentication Timers The following values can be ...

Page 130: ...AR1200 S and the RADIUS server expires authentication fails The default value is 30s End 5 4 7 Optional Setting the Maximum Number of Users for MAC Address Authentication When the number of access users on an interface reaches the maximum the AR1200 S does not trigger authentication for subsequent users therefore these users cannot access the network Context The maximum number of users for MAC add...

Page 131: ... is not allowed to access Procedure Step 1 Run system view The system view is displayed Step 2 Run mac authen reauthenticate mac address mac address The specified user that has been authenticated with MAC address authentication is re authenticated By default MAC address re authentication is disabled End 5 4 9 Checking the Configuration Procedure l Run the display mac authen global interface interf...

Page 132: ...on statistics End 5 5 2 Clearing the Statistics on MAC Address Authentication Before collecting statistics on MAC address authentication run the reset command to clear the existing statistics Context CAUTION Statistics cannot be restored after being cleared Exercise caution when you run the following command Run the following command in the user view to clear the statistics on MAC address authenti...

Page 133: ... Figure 5 2 Networking diagram of 802 1x authentication Router PC RADIUS server Printer Eth 2 0 0 GE0 0 1 Eth 2 0 1 Internet 192 168 2 10 24 192 168 2 30 24 Configuration Roadmap The configuration roadmap is as follows 1 Configure AAA authentication User names and passwords are sent to the RADIUS server for authentication 2 Configure 802 1x authentication to authenticate users on Ethernet2 0 0 3 C...

Page 134: ...nsmit 2 Huawei radius temp1 quit Step 2 Create an authentication scheme scheme1 and set the authentication mode to RADIUS authentication Huawei aaa Huawei aaa authentication scheme scheme1 Huawei aaa scheme1 authentication mode radius Huawei aaa scheme1 quit Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain Huawei aaa domain isp1 Huawei aaa dom...

Page 135: ...L Start Packets 4 EAPOL LogOff Packets 3 EAPOL Response Identity Packets 4 EAPOL Response Challenge Packets 4 Huawei display dot1x interface ethernet 2 0 1 Ethernet 2 0 1 status UP 802 1x protocol is Enabled mac bypass Port control type is Auto Authentication method is MAC based Reauthentication is disabled Maximum users 128 Current users 1 Port PVID 1 Port configured PVID 1 Guest VLAN 0 Restrict ...

Page 136: ...red users can access network resources only when they are authenticated by using MAC address authentication This ensures network security Networking Requirements As shown in Figure 5 3 users access the Internet through the Router To ensure network security users must be authenticated by using MAC address authentication before accessing the Internet Figure 5 3 Networking diagram of MAC address auth...

Page 137: ...s server shared key cipher mac default Huawei radius temp1 radius server retransmit 3 Huawei radius temp1 quit Step 2 Create an authentication scheme scheme1 and set the authentication mode to RADIUS authentication Huawei aaa Huawei aaa authentication scheme scheme1 Huawei aaa scheme1 authentication mode radius Huawei aaa scheme1 quit Step 3 Configure the default domain and bind the authentication...

Page 138: ...dius server authentication 192 168 2 30 1812 aaa authentication scheme scheme1 authentication mode radius domain default authentication scheme scheme1 radius server temp1 interface GigabitEthernet0 0 1 ip address 192 168 2 10 255 255 255 0 interface Ethernet2 0 0 mac authen interface Ethernet2 0 1 port hybrid pvid vlan 20 return Huawei AR1200 S Series Enterprise Routers Configuration Guide Securit...

Page 139: ...nfiguring ARP Entry Limiting This section describes how to configure ARP Entry Limiting 6 4 Configuring ARP Anti attack The ARP anti attack function defends against attacks from bogus hosts and gateways and man in the middle attacks 6 5 Configuring ARP Suppression If the AR1200 S receives a lot of ARP attack packets the ARP table overflows or the CPU usage is high The AR1200 S prevents ARP attacks...

Page 140: ...t untrusted ARP packets checking the binding table of ARP packets and defending against ARP gateway conflicts 6 2 ARP Security Supported by the AR1200 S The ARP security features supported by the AR1200 S include limitation of ARP entry learning ARP anti spoofing defense against ARP gateway attacks source address based ARP packet suppression source address based ARP Miss packet suppression and ARP...

Page 141: ...Virtual Router Redundancy Protocol VRRP group when the VRRP group is in virtual MAC address mode In the preceding situations the AR1200 S generates ARP anti attack entries and discards the packets in a period the default value is three minutes This can prevent ARP packets with the bogus gateway address from being broadcast in a VLAN To ensure that packets sent by hosts on the internal network are ...

Page 142: ...e configuring ARP entry limiting familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the data required for the configuration This will help you complete the configuration task quickly and accurately Applicable Environment After strict ARP learning is enabled the AR1200 S learns only the ARP Reply packets corresponding to the ARP Request packets that...

Page 143: ...s 3 Run arp learning strict force enable force disable trust The strict ARP entry learning function is enabled on the interface force enable enables strict ARP entry learning on an interface force disable disables strict ARP entry learning on an interface trust indicates that the configuration of strict ARP entry learning on an interface is the same as that configured globally By default the confi...

Page 144: ...e Eth Trunk sub interface 3 Run arp limit maximum maximum Sub interface based ARP entry limiting is configured End 6 3 4 Checking the Configuration The configurations of ARP entry limiting are complete Procedure l Run the display arp learning strict command to view the configuration of strict ARP learning l Run the display arp limit interface interface type interface number vlan vlan id command to...

Page 145: ...ctions at the access layer to ensure network security l To prevent attackers from forging ARP packets of authorized users and modifying the ARP entries on the gateway configure the ARP address anti spoofing function l To prevent attackers from sending gratuitous ARP packets with the source IP addresses as the forged gateway address on a LAN configure the ARP gateway anti collision function and con...

Page 146: ...ation takes effect By default ARP anti spoofing is disabled on the AR1200 S End 6 4 3 Configuring the AR1200 S to Check Source MAC Address Consistency in ARP Packets The AR1200 S checks validity of ARP packets and discards invalid ARP packets to defend against ARP attacks Context By default the AR1200 S checks the following items of ARP packets l Packet length l Validity of source and destination ...

Page 147: ...figuring ARP Gateway Anti collision If an attacker sends an ARP packet with the source IP address as the gateway address ARP entries in a VLAN are modified incorrectly ARP gateway anti collision can solve this problem Procedure Step 1 Run system view The system view is displayed Step 2 Run arp anti attack gateway duplicate enable ARP gateway anti collision is enabled After ARP gateway anti collisi...

Page 148: ...ult gratuitous ARP packet sending is disabled 3 Optional Run arp gratuitous arp send interval interval time The interval for sending gratuitous ARP packets is set By default the interval for sending gratuitous ARP packets is 90s l Configuring the AR1200 S to send gratuitous ARP packets on an interface 1 Run system view The system view is displayed 2 Run interface vlanif vlan id The VLANIF interfac...

Page 149: ...uration Global configuration arp anti attack rate limit enable arp packet drop count 0 Interface configuration ARP miss rate limit configuration Global configuration arp miss anti attack rate limit enable ARP speed limit for source MAC configuration MAC address suppress rate pps rate 0 means function disabled 0000 0000 0001 200 Others 100 1 specified MAC addresses are configured spec is 256 items ...

Page 150: ...ork security l To prevent excess ARP packets from occupying the CPU and prevent excess ARP entries configure the rate limit for ARP packets to limit the number of ARP packets sent to the SRU l To prevent a host from sending excess IP packets with destination IP addresses that cannot be resolved configure the rate limit for ARP Miss packets The AR1200 S discards these IP packets l After IP source g...

Page 151: ...onfigure source IP address based ARP packet suppression Procedure Step 1 Run system view The system view is displayed Step 2 Run arp speed limit source ip maximum maximum The rate limit of ARP packets is set Step 3 Optional Run arp speed limit source ip ip address maximum maximum The rate limit of ARP packets with a specified source IP address is set After the preceding configurations are complete...

Page 152: ...rm function for ARP packets that are discarded when the rate of ARP packets exceeds the rate limit is enabled By default the alarm function for ARP packets that are discarded when the rate of ARP packets exceeds the rate limit is disabled 5 Optional Run arp anti attack rate limit alarm threshold threshold The alarm threshold for the number of ARP packets discarded when the rate of ARP packets exce...

Page 153: ... the alarm threshold for the number of ARP packets discarded is 100 End 6 5 4 Configuring Source IP Address based ARP Miss Packet Suppression This section describes how to configure source IP address based ARP Miss packet suppression Procedure Step 1 Run system view The system view is displayed Step 2 Run arp miss speed limit source ip maximum maximum The rate limit of ARP Miss packets is set Step...

Page 154: ...e limit duration and the rate limit of ARP Miss packets are set ARP Miss packets that exceed the rate limit in the rate limit duration are discarded By default the rate limit of ARP Miss packets is 100 packets per second Step 4 Optional Run arp miss anti attack rate limit alarm enable The alarm function for the discarded ARP Miss packets that exceed the rate limit is enabled By default the alarm f...

Page 155: ... Context After the aging time of fake ARP entries is set the same ARP Miss packet is sent once in the aging time After the aging time of fake ARP entries is reached fake ARP entries are deleted If no ARP entry matches the packets forwarded by a device ARP Miss packets are re generated and reported The device generates fake ARP entries again The fake ARP entries are deleted until the device generat...

Page 156: ...s other services in a timely manner Procedure Step 1 Run system view The system view is displayed Step 2 Run arp speed limit flood rate rate The rate limit of broadcasting ARP Request packets on all the VLANIF interfaces of the super VLAN is set By default the rate limit of broadcasting ARP Request packets on all the VLANIF interfaces in a super VLAN is 1000 pps End 6 5 9 Checking the Configuratio...

Page 157: ...0 Sent ARP request packets number 4000 Dropped ARP request packets number 1100 6 6 Maintaining ARP Security This section describes how to maintain ARP security 6 6 1 Displaying the Statistics on ARP Packets This section describes how to view statistics on ARP packets Procedure l Run the display arp packet statistics command to view the statistics on ARP packets End Example Run the display arp pack...

Page 158: ... after being cleared Exercise caution when you run this command To clear the statistics on discarded ARP packets run the following commands in the user view Procedure l Run the reset arp anti attack statistics rate limit global interface interface type interface number command to clear the statistics on the ARP packets discarded because the transmission rate exceeds the limit End 6 7 Configuration...

Page 159: ...to attack the network l User 4 constructs a large number of ARP packets with an unreachable destination IP address to attack the network ARP security functions are required to be configured on the Router to prevent the preceding attacks The rate limit of ARP Miss packets on the server should be greater than the rate limit of other users Figure 6 1 Network diagram for configuring ARP security funct...

Page 160: ...ation procedure is not mentioned here Step 2 Enable strict ARP learning Huawei system view Huawei sysname Router Router arp learning strict Step 3 Configure interface based ARP entry limiting The number of limited ARP entries on Ethernet0 0 1 Ethernet0 0 2 and Ethernet0 0 3 is 20 The following lists the configuration of Ethernet0 0 1 Router interface ethernet 0 0 1 Router Ethernet0 0 1 arp limit v...

Page 161: ... the configuration run the display arp learning strict command to view information about strict ARP learning Router display arp learning strict The global configuration arp learning strict interface LearningStrictState Total 0 force enable 0 force disable 0 You can use the display arp limit command to check the maximum number of ARP entries learned by the interface Take the display on Ethernet0 0 ...

Page 162: ...Suppress sum 0 ARP Pkt Discard For Other sum 3 In addition you can also use the display arp anti attack gateway duplicate item command to view information about attacks from packets with a forged gateway address on the current network Router display arp anti attack gateway duplicate item interface IP address MAC address VLANID aging time Ethernet0 0 1 2 2 1 10 0000 0000 0002 10 153 Ethernet0 0 2 2...

Page 163: ...hybrid tagged vlan 30 arp limit vlan 30 maximum 20 interface Vlanif 10 ip address 2 2 1 10 255 255 255 0 interface Vlanif 20 ip address 2 2 4 10 255 255 255 0 interface Vlanif 30 ip address 2 2 2 10 255 255 255 0 return Huawei AR1200 S Series Enterprise Routers Configuration Guide Security 6 ARP Security Configuration Issue 02 2012 03 30 Huawei Proprietary and Confidential Copyright Huawei Technol...

Page 164: ...t the rate at which ICMP packets are received 7 4 Configuring the AR1200 S to Discard Specified ICMP Packets This section describes how to configure the AR1200 S to discard specified ICMP packets 7 5 Disabling the AR1200 S from Sending Destination Unreachable Packets This section describes how to disable the AR1200 S from sending destination unreachable packets 7 6 Maintaining ICMP Security This s...

Page 165: ...ured globally or on an interface Checking Validity of ICMP Packets and Discarding Invalid and Specified ICMP Packets By default the AR1200 S discards invalid ICMP packets such as ICMP packets with the TTL value of 0 or type 15 16 or 17 to protect CPU resources The AR1200 S can be configured to discard seldom used ICMP packets including ICMP packets with the TTL value of 1 with options or with unre...

Page 166: ...a specified interface 1 Run system view The system view is displayed 2 Run interface interface type interface number The interface view is displayed The AR1200 S can limit the rate at which ICMP packets are received on GE interfaces Ethernet interfaces and Eth Trunk interfaces 3 Run icmp rate limit enable The ICMP packet rate limiting function is enabled on the interface By default the ICMP packet...

Page 167: ...including the ICMP packets with the TTL values of 1 with options and with unreachable destinations This helps reduce the burden of processing ICMP packets that are received on the AR1200 S protecting CPU resources Pre configuration Tasks Before configuring the AR1200 S to discard specified ICMP packets complete the following task l Setting parameters for the link layer protocols on the interfaces ...

Page 168: ...resources The AR1200 S can be configured to discard the ICMP packets with options This helps reduce the burden on the AR1200 S and protect CPU resources Procedure Step 1 Run system view The system view is displayed Step 2 Run icmp with options drop The AR1200 S is enabled to discard ICMP packets with options By default the AR1200 S does not discard ICMP packets with options End 7 4 4 Configuring t...

Page 169: ...nd to check whether the AR1200 S is configured to discard specified ICMP packets Huawei display current configuration include icmp icmp unreachable drop icmp ttl exceeded drop icmp with options drop 7 5 Disabling the AR1200 S from Sending Destination Unreachable Packets This section describes how to disable the AR1200 S from sending destination unreachable packets Applicable Environment The AR1200...

Page 170: ...n include icmp command to check whether the AR1200 S is enabled to send ICMP destination unreachable packets Huawei display current configuration include icmp undo icmp port unreachable send undo icmp host unreachable send 7 6 Maintaining ICMP Security This section describes how to monitor the ICMP running status Procedure l Run the display icmp statistics command to check statistics about ICMP tr...

Page 171: ...s shown in Figure 7 1 RouterA RouterB and RouterC are connected through their layer 3 interfaces to test whether the AR1200 S can send ICMP host unreachable packets Figure 7 1 Disabling the AR1200 S from sending host unreachable packets Eth1 0 0 RouterA RouterB RouterC 1 1 1 1 24 2 2 2 2 24 1 1 1 2 24 3 3 3 1 24 Internet Eth1 0 0 Eth2 0 0 Eth1 0 0 Configuration Roadmap The configuration roadmap is...

Page 172: ...ei system view Huawei sysname RouterC RouterC interface gigabitethernet 1 0 0 RouterC GigabitEthernet1 0 0 ip address 2 2 2 2 24 RouterC GigabitEthernet1 0 0 quit Step 3 Configure RouterB Disable GE1 0 0 from sending ICMP host unreachable packets and assign an IP address to GE1 0 0 Huawei system view Huawei sysname RouterB RouterB interface gigabitethernet 1 0 0 RouterB GigabitEthernet1 0 0 undo i...

Page 173: ...turn l Configuration file of RouterC sysname RouterC interface GigabitEthernet 1 0 0 ip address 2 2 2 2 255 255 255 0 return 7 7 2 Example for Optimizing System Performance by Discarding Certain ICMP Packets This section describes how to optimize system performance by discarding specified ICMP packets Networking Requirements As shown in Figure 7 2 RouterA functions as an access device for the ente...

Page 174: ...ckets Data Preparation None Procedure Step 1 Configure RouterA to discard specified ICMP packets Configure RouterA to discard ICMP packets with TTL value of 1 Huawei system view Huawei sysname RouterA RouterA icmp ttl exceeded drop Configure RouterA to discard ICMP packets with options RouterA icmp with options drop Configure RouterA to discard ICMP destination unreachable packets Huawei AR1200 S ...

Page 175: ...guration include icmp icmp unreachable drop icmp ttl exceeded drop icmp with options drop End Configuration Files sysname RouterA icmp unreachable drop icmp ttl exceeded drop icmp with options drop return Huawei AR1200 S Series Enterprise Routers Configuration Guide Security 7 ICMP Security Configuration Issue 02 2012 03 30 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 1...

Page 176: ...Supported by the AR1200 S This section describes the IP source address based attack defense features supported by the AR1200 S 8 3 Configuring URPF This section describes how to configure URPF 8 4 Configuration Examples This topic provides IP address anti spoofing configuration examples Huawei AR1200 S Series Enterprise Routers Configuration Guide Security 8 IP Address Anti spoofing Configuration ...

Page 177: ...ess as a spoofing address and discards the packet URPF can effectively protect the AR1200 S against malicious attacks by blocking packets from bogus source addresses As shown in Figure 8 1 RouterA sends bogus packets carrying the source address 2 1 1 1 of RouterC to RouterB RouterB sends response packets to the real source address 2 1 1 1 RouterB and RouterC are attacked by the bogus packets If UR...

Page 178: ...nformation is intercepted To prevent such an attack configure URPF on the AR1200 S As shown in Figure 8 2 Network 1 and Network 2 are connected to GE1 0 0 and GE2 0 0 of RouterA URPF strict check is configured on GE1 0 0 and GE2 0 0 PC A on Network 1 sends a bogus packet with the source IP address 2 2 2 2 to the server on Network 3 After RouterA receives this packet it checks the inbound interface...

Page 179: ...em view and then the ipv6 enable command in the interface view End Checking the Configuration After the configuration run the display this command in the interface view to view the URPF configuration on the interface Huawei GigabitEthernet1 0 0 display this interface GigabitEthernet 1 0 0 urpf strict allow default route ipv6 urpf strict allow default route return 8 4 Configuration Examples This to...

Page 180: ...nfiguration roadmap is as follows Configure URPF on GE1 0 0 and GE2 0 0 and allow special processing for the default route Data Preparation l URPF check mode strict check NOTE URPF strict check is used because route symmetry is ensured on this network l Network segment on which the research and development is located 10 10 2 0 24 l Network segment on which the marketing department is located 10 10...

Page 181: ...ay this interface GigabitEthernet 1 0 0 urpf strict allow default route return Run the display this command on GE2 0 0 to view the URPF configuration RouterA GigabitEthernet2 0 0 display this interface GigabitEthernet 2 0 0 urpf strict allow default route return End Configuration Files sysname RouterA interface GigabitEthernet 1 0 0 urpf strict allow default route interface GigabitEthernet 2 0 0 u...

Page 182: ...cing The attack source tracing function checks for attack packets sent to the CPU and notifies users by sending logs or alarms 9 4 Configuring CPU Attack Defense CPU attack defense limits the rate of packets sent to the CPU to protect the CPU 9 5 Maintaining the Attack Defense Policy This section describes how to maintain the attack defense policy 9 6 Configuration Examples This section provides a...

Page 183: ...l the packets sent to the CPU It is applied to all the boards by default and cannot be modified or deleted Attack defense policies can be created on the AR1200 S The configuration in a user defined attack defense policy overrides the configuration in the default attack defense policy If no parameter is configured in the user defined attack defense policy the configuration in the default attack def...

Page 184: ...protocol The AR1200 S schedules packets sent to the CPU based on priorities of protocol packets to ensure that packets with higher protocol priorities are processed first l Rate limit The AR1200 S can limit the rate of all the packets sent to the CPU to protect the CPU l ALP Active link protection ALP protects session based application layer data including data of HTTP Sessions FTP sessions It ens...

Page 185: ...packets after attack source tracing is enabled Step 6 Optional Run auto defend trace type source ip source mac source portvlan The attack source tracing modes are specified By default the AR1200 S traces attack sources based on the source IP address source MAC address and source interface plus VLAN Step 7 Optional Run auto defend threshold threshold The threshold for attack source tracing is set B...

Page 186: ...and to view the configuration of attack source tracing Run the display cpu defend policy command to check the attack defense policy 9 4 Configuring CPU Attack Defense CPU attack defense limits the rate of packets sent to the CPU to protect the CPU 9 4 1 Establishing the Configuration Task Before configuring an attack defense policy familiarize yourself with the applicable environment complete the ...

Page 187: ...l parameters of interfaces so that the physical layer is Up Data Preparation To configure an attack defense policy you need the following data No Data 1 Name of an attack defense policy 2 Optional Description of an attack defense policy 3 Optional ACL rule and number in the blacklist 4 Optional Rate limit for packets sent to the CPU 5 Optional Priority of protocol packets 6 Optional Rate limit for...

Page 188: ... discards the packets sent from the users in the blacklist Procedure Step 1 Run system view The system view is displayed Step 2 Run cpu defend policy policy name The attack defense policy view is displayed Step 3 Run blacklist blacklist id acl acl number A blacklist is created A maximum of eight blacklists can be configured on the AR1200 S The ACL referenced by the blacklist can be a basic ACL an ...

Page 189: ...tack defense policy so that packets with higher priorities are processed first Procedure Step 1 Run system view The system view is displayed Step 2 Run cpu defend policy policy name The attack defense policy view is displayed Step 3 Run packet type packet type priority priority level The priority of protocol packets sent to the CPU is set By default the priority defined in the default attack defen...

Page 190: ...sion of these services when attacks occur Procedure Step 1 Run system view The system view is displayed Step 2 Run cpu defend policy policy name The attack defense policy view is displayed Step 3 Run application apperceive packet type ftp http rate limit rate value The rate limit for HTTP FTP packets is set NOTE During setup of an HTTP connection an FTP connection if the application apperceive com...

Page 191: ...ive ftp http enable ALP is enabled NOTE By default ALP is enabled for FTP and HTTP Step 3 Run cpu defend policy policy name global slot slot id The attack defense policy is applied If global or slot is not specified the attack defense policy is applied to the SRU If global is specified the attack defense policy is applied to all LAN side LPUs If slot is specified the attack defense policy is appli...

Page 192: ...xamples This section provides attack defense policy configuration examples 9 6 1 Example for Configuring an Attack Defense Policy This section provides an example for configuring an attack defense policy Networking Requirements As shown in Figure 9 1 users on different LANs access the Internet through RouterA To locate attacks on RouterA attack source tracing needs to be configured to trace the at...

Page 193: ...ing the network 2 Configure the rate limit for ARP Request packets sent to the CPU 3 Configure active link protection ALP for FTP so that file data can be transmitted between the administrator s host and RouterA 4 Configure a high priority for DHCP Client packets so that RouterA first processes DHCP Client packets sent to the CPU 5 Configure application layer association for Telnet so that RouterA...

Page 194: ...gure the rate limit for ARP Request packets sent to the CPU RouterA cpu defend policy devicesafety packet type arp request rate limit 64 Step 6 Configure the rate limit for FTP packets after ALP is enabled RouterA cpu defend policy devicesafety application apperceive packet type ftp rate limit 2000 Step 7 Set the priority of DHCP Client packets RouterA cpu defend policy devicesafety packet type dh...

Page 195: ...bled 256 2 fr Enabled 128 3 ftp client Disabled 256 2 ftp server Enabled 256 2 fw dns Enabled 128 2 fw ftp Enabled 128 2 fw http Enabled 128 2 fw rtsp Enabled 128 2 fw sip Enabled 128 2 gre keepalive Enabled 128 3 gvrp Enabled 48 3 hdlc Enabled 128 3 http client Enabled 256 4 http server Enabled 256 4 hw tacacs Enabled 128 2 icmp Enabled 256 2 icmpv6 Enabled 256 2 igmp Enabled 256 2 ip option Enab...

Page 196: ... indicate that the rate limit is set for ARP Request packets Huawei display cpu defend statistics Packet Type Pass Packets Drop Packets 8021X 0 0 arp miss 5 0 arp reply 8090 0 arp request 1446576 127773 bfd 0 0 bgp 0 0 bgp4plus 0 0 dhcp client 879 0 dhcp server 0 0 dhcpv6 reply 0 0 dhcpv6 request 0 0 dlsw 0 0 dns 4 0 fib hit 0 0 fr 0 0 ftp client 0 0 ftp server 0 0 fw dns 0 0 fw ftp 0 0 fw http 0 ...

Page 197: ... c0a8 0102 cpu defend policy devicesafety blacklist 1 acl 4001 packet type arp request rate limit 64 packet type dhcp client priority 3 application apperceive packet type ftp rate limit 2000 auto defend enable auto defend threshold 50 auto defend trace type source mac source ip source portvlan auto defend protocol all cpu defend policy devicesafety undo telnet server enable return Huawei AR1200 S ...

Page 198: ...An advanced ACL classifies IPv4 packets based on information such as source and destination IP addresses source and destination port numbers packet priorities and time ranges 10 5 Configuring a Layer 2 ACL A Layer 2 ACL classifies Layer 2 packets with the Ethernet protocol type of Ethernet_II based on information such as the source and destination MAC addresses and Layer 2 protocol type 10 6 Confi...

Page 199: ...orts different types of ACLs as shown in Table 10 1 Table 10 1 Classification of ACLs Classification Rule Type Function Description Information defined in an ACL Basic ACL A basic ACL matches packets based on information such as source IP addresses fragment flags and time ranges The number of a basic ACL ranges from 2000 to 2999 Advanced ACL An advanced ACL matches packets based on information suc...

Page 200: ...l over IP such as Generic Routing Encapsulation GRE Internet Group Management Protocol IGMP IPinIP Open Shortest Path First OSPF Transmission Control Protocol TCP User Datagram Protocol UDP and Internet Control Management Protocol ICMP Table 10 2 Information that can be used by different types of ACLs to define rules Information Defined in an ACL Basic ACL Advanced ACL Layer 2 ACL IP GRE IGMP IPin...

Page 201: ...1200 S The AR1200 S supports the following ACL features l Step The step value makes it possible to add a new rule between existing rules and to control the matching order of rules l Description of an ACL The description of an ACL describes the function or usage of the ACL It is used to differentiate ACLs l Description of an ACL rule The description of an ACL rule describes the function or usage of...

Page 202: ...nd traffic classifier The AR1200 S processes different types of packets based on basic ACL rules Basic ACLs are applied to all the IPv4 packets at the network layer and upper layers Basic ACLs classify packets based on source IP addresses fragment flags and time ranges in the packets Pre configuration Tasks Before configuring a basic ACL complete the following task l Setting link layer protocol pa...

Page 203: ...ame on the AR1200 S run the preceding command with the same value of time name multiple times NOTE You can configure the same name for multiple time ranges to describe a special period Assume that the same name test is configured for the following time ranges l Time range 1 2010 01 01 00 00 to 2010 12 31 23 59 absolute time range l Time range 2 8 00 to 18 00 from Monday to Friday periodic time ran...

Page 204: ...n ACL l Creating a named basic ACL 1 Run system view The system view is displayed 2 Run acl name acl name basic acl number match order auto config A basic ACL with the specified name is created and the basic ACL view is displayed acl number specifies the number of a basic ACL The value ranges from 2000 to 2999 match order specifies the matching order of basic ACL rules auto indicates that ACL rule...

Page 205: ...5 Step 2 Run rule deny permit source source address source wildcard any time range time name vpn instance vpn instance name fragment none first fragment A basic ACL rule is configured To configure multiple rules repeat this step NOTE If the rule ID is not specified the step value is used as the start rule ID If different rules are ANDed or ORed configure a correct matching order to prevent incorre...

Page 206: ...set of unauthorized users The AR1200 S uses basic ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist For details see 9 4 3 Optional Configuring a Blacklist l Apply a basic ACL to route filtering You can configure route filtering for the Routing Information Protocol RIP Open Shortest Path First OSPF Intermediate System to Interme...

Page 207: ...ly a basic ACL to NAT Network Address Translation NAT enables hosts on a private network to access the public network A NAT address pool is a set of public IP addresses When a packet from a private network reaches the public network by using address translation one IP address in the NAT address pool is selected as the source address after translation The AR1200 S uses a basic ACL to classify IP ad...

Page 208: ...he display acl name acl name command to view the basic ACL name and number the number of rules the step value and the content of the rules Huawei display acl name qos1 Basic ACL qos1 2999 1 rule Acl s step is 5 rule 5 permit source 202 114 24 56 0 0 0 255 Run the display time range all command to view the configuration and status of the current time range Huawei display time range all Current time...

Page 209: ...information such as source and destination IP addresses packet priorities fragment flags time ranges and VPN instances in the packets ICMP packets are classified based on information such as source and destination IP addresses packet priorities fragment flags ICMP packet types and codes time ranges and VPN instances in the packets UDP packets are classified based on information such as source and ...

Page 210: ...he time range The service or function that references the advanced ACL is also started in the specified time range Procedure Step 1 Run system view The system view is displayed Step 2 Run time range time name start time to end time days from time1 date1 to time2 date2 A time range is created To configure multiple time ranges with the same name on the AR1200 S run the preceding command with the sam...

Page 211: ...h order specifies the matching order of advanced ACL rules auto indicates that ACL rules are matched based on the depth first principle config indicates that ACL rules are matched based on the sequence in which they were configured 3 Optional Run description text The description of the advanced ACL is configured The description of an ACL describes the function or usage of the ACL It is used to dif...

Page 212: ... An advanced ACL has been created and the advanced ACL view is displayed Before creating a new rule run the display acl acl number name acl name command to view all the configured ACL rules to prevent the new rule from overriding existing rules Context An advanced ACL classifies packets by matching packet information with its rules After an advanced ACL is created configure rules in the advanced A...

Page 213: ...ort eq gt lt range port time range time name vpn instance vpn instance name dscp dscp tos tos precedence precedence fragment none first fragment When the Generic Routing Encapsulation GRE Internet Group Management Protocol IGMP IPinIP or Open Shortest Path First OSPF is used run rule deny permit protocol number gre igmp ipinip ospf destination destination address destination wildcard any source so...

Page 214: ...cklist and discards the packets from the users in the blacklist For details see 9 4 3 Optional Configuring a Blacklist l Apply an advanced ACL to IP multicast Certain functions of the Internet Group Management Protocol IGMP Protocol Independent Multicast Dense Mode PIM DM and Protocol Independent Multicast Sparse Mode PIM SM need to reference advanced ACLs For details see Configuration Guide Multi...

Page 215: ... filter packets on an interface using an ACL If the action in an ACL rule is deny the AR1200 S discards all packets matching the rule If the action in an ACL rule is permit the AR1200 S forwards all packets matching the rule Perform the following steps to apply an ACL to an interface 1 Run system view The system view is displayed 2 Run interface interface type interface number The interface view i...

Page 216: ... 2 packets with the Ethernet protocol type of Ethernet_II based on information such as the source and destination MAC addresses and Layer 2 protocol type 10 5 1 Establishing the Configuration Task Before configuring a Layer 2 ACL familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the data required for the configuration This will help you complete t...

Page 217: ... no time range is specified for the ACL the ACL remains effective until it is deleted or the rules of the ACL are deleted Context Some services or functions that reference Layer 2 ACLs need to be started during a specified period of time for example QoS needs to be started during peak hours You can create a time range and reference the time range in a Layer 2 ACL so that the Layer 2 ACL takes effe...

Page 218: ...uplicate Layer 2 ACLs from being configured Procedure l Creating a numbered Layer 2 ACL 1 Run system view The system view is displayed 2 Run acl number acl number match order auto config A Layer 2 ACL with the specified number is created and the Layer 2 ACL view is displayed acl number specifies the number of a Layer 2 ACL The value ranges from 4000 to 4999 match order specifies the matching order...

Page 219: ...ferentiate ACLs By default no description is configured for an ACL End Follow up Procedure Configure rules in the Layer 2 ACL 10 5 4 Configuring a Layer 2 ACL Rule A Layer 2 ACL is composed of a list of rules The ACL classifies packets by matching packet information with the ACL rules Prerequisites A Layer 2 ACL has been created and the Layer 2 ACL view is displayed Before creating a new rule run ...

Page 220: ... ACL rule It is used to differentiate ACL rules End Follow up Procedure After a Layer 2 ACL rule is configured perform the following operations as required l Run the step command to change the step value l Run the rule command with rule id specified to add a new rule between existing rules when the configuration order is used 10 5 5 Applying a Layer 2 ACL A Layer 2 ACL can be applied to some servi...

Page 221: ...he AR1200 S forwards all packets matching the rule Perform the following steps to apply a Layer 2 ACL to an interface 1 Run system view The system view is displayed 2 Run interface interface type interface number The interface view is displayed 3 Run traffic filter inbound outbound acl acl number name acl name A Layer 2 ACL is applied to the interface End 10 5 6 Checking the Configuration After a ...

Page 222: ...ng day 13 00 to 18 00 off day 10 6 Configuration Examples This section provides several configuration examples of ACLs 10 6 1 Example for Configuring a Basic ACL to Limit Access to the FTP Server In this example a basic ACL is used to limit access to the FTP server Networking Requirements As shown in Figure 10 1 the Router functions as an FTP server 172 16 104 110 24 The requirements are as follow...

Page 223: ...Configure a time range Huawei system view Huawei sysname Router Router time range ftp access from 0 0 2009 1 1 to 23 59 2011 12 31 Router time range ftp access 14 00 to 18 00 off day Step 2 Configure a basic ACL Router acl number 2001 Router acl basic 2001 rule permit source 172 16 105 0 0 0 1 255 Router acl basic 2001 rule permit source 172 16 107 0 0 0 1 255 time range ftp access Router acl basi...

Page 224: ...ced ACLs are used to configure the packet filtering firewall between the internal network and the external network Networking Requirements As shown in Figure 10 2 an enterprise that provides Web FTP and Telnet services accesses an external network through GE0 0 1 of the Router and joins a VLAN through Ethernet0 0 0 of the Router The enterprise is located on the network segment 202 169 10 0 and the...

Page 225: ...on the internal network company l Priority of the zone company 12 l Name of the zone on the external network external l Priority of the zone external 5 l VLAN that the enterprise joins VLAN 100 l IP address of VLANIF 100 202 169 10 1 24 l IP address of GE0 0 1 129 39 10 8 24 l IP address of the user that can access internal servers 202 39 2 3 24 l Number of the advanced ACL that classifies specifi...

Page 226: ... 202 169 10 6 0 0 0 0 Router acl adv 3001 rule permit tcp source 202 39 2 3 0 0 0 0 destination 202 169 10 7 0 0 0 0 Configure a rule in ACL 3001 to prevent other users from accessing any host of the enterprise Router acl adv 3001 rule deny ip Router acl adv 3001 quit Step 4 Configure ACL 3002 Create ACL 3002 Router acl 3002 Configure a rule in ACL 3002 to allow internal servers to access the exte...

Page 227: ...p source 202 39 2 3 0 0 0 0 destination 202 169 10 5 0 0 0 0 rule 10 permit tcp source 202 39 2 3 0 0 0 0 destination 202 169 10 6 0 0 0 0 rule 15 permit tcp source 202 39 2 3 0 0 0 0 destination 202 169 10 7 0 0 0 0 rule 20 deny ip acl number 3002 rule 5 permit ip source 202 169 10 5 0 0 0 0 rule 10 permit ip source 202 169 10 6 0 0 0 0 rule 15 permit ip source 202 169 10 7 0 0 0 0 rule 20 deny i...

Page 228: ...et0 0 0 Configuration Roadmap The configuration roadmap is as follows 1 Configure a Layer 2 ACL to match packets with the source MAC address 0000 0000 0003 2 Configure traffic classification based on the Layer 2 ACL 3 Configure a traffic behavior to collect statistics on the classified packets 4 Configure a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy D...

Page 229: ...ff ffff Router acl L2 layer2 quit Step 3 Configure a traffic classifier Create a traffic classifier c1 on the Router to match ACL layer2 Router traffic classifier c1 Router classifier c1 if match acl layer2 Router classifier c1 quit Step 4 Configure a traffic behavior Create a traffic behavior b1 on the Router and configure the traffic statistics action in the traffic behavior Router traffic behav...

Page 230: ...olicy Information Policy p1 Classifier c1 Operator OR Behavior b1 statistic enable End Configuration Files l Configuration file of the Router sysname Router vlan batch 20 acl name layer2 4999 rule 5 permit source mac 0000 0000 0003 traffic classifier c1 operator or if match acl layer2 traffic behavior b1 statistic enable traffic policy p1 classifier c1 behavior b1 interface Ethernet0 0 0 port link...

Page 231: ...SSL server uses in SSL handshakes including the PKI domain name maximum number of sessions that can be saved timeout period of a saved session and cipher suite Among these parameters the PKI domain name is mandatory and the others are optional 11 4 Configuring a Client SSL Policy A client SSL policy defines the parameters that an SSL client uses in SSL handshakes including the PKI domain name SSL ...

Page 232: ...tegrity l Defines an access control policy on a device based on certificate attributes to control access rights of clients This access control policy prevents unauthorized users from attacking the device Terms l Certificate Authority CA A CA is an entity that issues manages and abolishes digital certificates A CA checks validity of digital certificate owners signs digital certificates to prevent e...

Page 233: ...air defined in the certificate cannot be used After a certificate in a CRL expires the certificate is deleted from the CRL to shorten the CRL Information in a CRL includes the issuer and serial number of each certificate the issuing date of the CRL certificate revocation date and time when the next CRL will be issued Clients use CRLs to check validity of certificates When verifying a server s digi...

Page 234: ... HTTP to provide secure connections The AR1200 S can use a server SSL policy to ensure security of Hypertext Transfer Protocol Secure HTTPS Client SSL Policy A client SSL policy defines the parameters that an SSL client uses in SSL handshakes including the PKI domain name SSL protocol version and cipher suite To use an AR1200 S as an SSL client configure a client SSL policy on the AR1200 S During ...

Page 235: ...TE When functioning as an SSL server the AR1200 S can communicate with SSL clients running SSL3 0 TLS1 0 or TLS 1 1 The AR1200 S determines the SSL protocol version used for this communication and sends a Server Hello message to notify the client Procedure Step 1 Run system view The system view is displayed Step 2 Run ssl policy policy name type server A server SSL policy is created Step 3 Run pki...

Page 236: ...onfiguring a Client SSL Policy A client SSL policy defines the parameters that an SSL client uses in SSL handshakes including the PKI domain name SSL protocol version and cipher suite Prerequisites The PKI domain has been configured Applicable Environment The SSL protocol uses data encryption identity authentication and message integrity check to ensure security of TCP based application layer prot...

Page 237: ...or the client SSL policy By default no PKI domain is specified for a client SSL policy on the AR1200 S NOTE The AR1200 S obtains a CA certificate chain from CAs in the specified PKI domain The AR1200 S authenticates an SSL server by checking the server certificate and CA certificates against the CA certificate chain Step 5 Optional Run version ssl3 0 tls1 0 tls1 1 The SSL protocol version is speci...

Page 238: ...rver SSL policy on an AR1200 S functioning as an HTTPS server After the configuration is complete users can use a web browser to log in to and manage the Router Networking Environment As shown in Figure 11 4 enterprise users use a web browser to connect to the Router To prevent eavesdropping and tampering during data transmission a network administrator requires users to use HTTPS to access the Ro...

Page 239: ...s organization name huawei l Entity s department name info PKI domain PKI domain name users l Trusted CA ca_root l Certificate s enrollment URL http 11 137 145 158 8080 certsrv mscep mscep dll ra l Bound PKI entity users l CA s fingerprint algorithm secure hash algorithm SHA Fingerprint 7bb05ada0482273388ed4ec228d79f77309ea3f4 l SSL parameters as shown in the following table Policy Name Maximum Nu...

Page 240: ...alm users auto enroll regenerate Router pki realm users quit Step 2 Configure a server SSL policy sslserver Create a server SSL policy and specify PKI domain users in the policy This allows the Router to obtain a digital certificate from the CA specified in the PKI domain Router ssl policy sslserver type server Router ssl policy sslserver pki realm users Set the maximum number of sessions that can...

Page 241: ...rint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4 ssl policy sslserver type server pki realm users session cachesize 40 timeout 7200 http secure server ssl policy sslserver http secure server enable http secure server port 1278 return 11 5 2 Example for Configuring a Client SSL Policy This example shows how to configure a client SSL policy on the AR1200 S functioning as the customer premises equi...

Page 242: ...le SSL server authentication in the policy 3 Apply the client SSL policy to the CWMP service so that the Router authenticates the ACS to ensure data privacy and integrity 4 Enable the Router to automatically initiate connections to the ACS and set the CWMP parameters This enables the ACS to manage and control the Router using CWMP Data Preparation To complete the configuration you need the followi...

Page 243: ...ki entity cwmp0 state jiangsu Router pki entity cwmp0 organization huawei Router pki entity cwmp0 organization unit info Router pki entity cwmp0 quit Configure a PKI domain and enable the automatic certificate enrollment and update function Router pki realm cwmp0 Router pki realm cwmp0 entity cwmp0 Router pki realm cwmp0 ca id ca_root Router pki realm cwmp0 enrollment url http 11 137 145 158 8080 ...

Page 244: ...tiate connections to the ACS Configure the URL used by the Router to connect to the ACS Router cwmp cwmp acs url https www acs com 80 acs Enable the Router to send Inform messages Router cwmp cwmp cpe inform interval enable Set the interval at which the Router sends Inform messages to 1000 seconds Router cwmp cwmp cpe inform interval 1000 Configure the Router to send an Inform message at 2011 01 0...

Page 245: ... the display cwmp configuration command The command output shows that CWMP is enabled and the Router is configured to send Inform packets at intervals Router display cwmp configuration CWMP is enabled ACS URL https www acs com 80 acs ACS username newacsname ACS password newacspsw Inform enable status enabled Inform interval 1000s Inform time 2011 01 01T20 00 00 Wait timeout 100s Reconnection times...

Page 246: ... ssl client ssl policy sslclient pki entity cwmp0 country CN state jiangsu organization huawei organization unit info common name hello pki realm cwmp0 ca id ca_root enrollment url http 11 137 145 158 8080 certsrv mscep mscep dll ra entity cwmp0 auto enroll regenerate fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4 ssl policy sslclient type client server verify enable pki realm cwmp0 ret...

Page 247: ...icant 12 4 Configuring a PKI Domain Before an entity applies for a PKI certificate registration information needs to be configured for the entity A set of the registration information is the PKI domain of the entity 12 5 Configuring Certificate Enrollment Certificate enrollment is a process in which an entity registers with a CA and obtains a certificate from the CA During this process the entity ...

Page 248: ...ty CA and binds a public key to user identity The signature of the CA ensures the validity and authority of the digital certificate A digital certificate must comply with the ITU T X 509 standard Currently the X 509 v3 digital certificates are mostly used A digital certificate contains multiple fields including the certificate issuer name entity public key signature of the issuing CA and certifica...

Page 249: ...ction Outband certificate loading Management interaction PKI end entity PKI management entity Management interaction Management interaction Issue certificate Issue certificate and CRL Issue CRL Certificate Outband issuing The public key infrastructure PKI system consists of the following components l PKI entity A PKI entity refers to an end entity or a PKI management entity An end entity is a cert...

Page 250: ... to the PKCS family but PKCS uses encoding rules in these protocols to describe objects These protocols include Abstract Syntax Notation One ASN 1 Distinguished Encoding Rules DER Basic Encoding Rules BER and Base64 ASN 1 also called X 208 defines rules for describing the structure of objects and data structures in representing encoding transmitting and decoding data PKI Working Process On a PKI n...

Page 251: ...hase the following license from the Huawei local office l AR1200 Value Added Security Package 12 3 Configuring a PKI Entity A certificate binds a public key to a set of information that uniquely identifies a PKI entity A PKI entity identifies a certificate applicant 12 3 1 Establishing the Configuration Task Before configuring a PKI entity familiarize yourself with the applicable environment compl...

Page 252: ...ng commands to configure the PKI entity identifiers l Run the common name common name command to configure the common name for the PKI entity By default no PKI entity name is configured on the AR1200 S l Run the fqdn fqdn name command to configure the FQDN for the PKI entity By default no FQDN is configured on the AR1200 S Either common name or fqdn name can identify a PKI entity To identify a PKI...

Page 253: ...nization name is configured for a PKI entity Step 6 Run organization unit organization unit name A department name is configured for the PKI entity By default no department name is configured for a PKI entity Step 7 Run ip address ip address An IP address is configured for the PKI entity By default no IP address is configured for a PKI entity End 12 3 4 Checking the Configuration After a PKI entit...

Page 254: ...a device is unavailable to CAs or other devices Each PKI domain has its own domain parameters Pre configuration Tasks Before creating a PKI domain complete the following task l Creating a PKI entity Data Preparation To configure a PKI domain you need the following data No Data 1 PKI domain name 2 Bound PKI entity name 3 Trusted CA name and enrollment URL 4 Optional CA root certificate fingerprint ...

Page 255: ...e A PKI domain is configured By default no PKI domain is configured on the AR1200 S Step 3 Run entity entity name A PKI entity is specified By default no PKI entity is specified on the AR1200 S End 12 4 4 Configuring the Trusted CA Name and Enrollment URL A trusted authentication authority enrolls and issues certificates to entities Therefore a trusted CA name and enrollment URL must be configured...

Page 256: ...ment url url interval minutes times count ra An enrollment URL is configured By default no enrollment URL is configured on the AR1200 S End 12 4 5 Optional Configuring CA Certificate Fingerprint Before the AR1200 S obtains a root certificate from a CA the AR1200 S needs to check the CA root certificate fingerprint The CA root certificate fingerprint is the hash value of the root certificate and is...

Page 257: ...gured By default no certificate revocation password is configured on the AR1200 S End 12 4 7 Optional Configuring the RSA Key Length of Certificates After the RSA key length of certificates is set the AR1200 S generates the RSA key of the specified length when requesting a certificate Context An RSA key pair contains a public key and a private key When host A requests a certificate the certificate...

Page 258: ...ep 2 Run pki realm realm name A PKI domain is configured By default no PKI domain is configured on the AR1200 S Step 3 Run source interface interface name The source interface is specified The AR1200 S uses the IP address of this interface to set up a TCP connection By default the AR1200 S uses an outbound interface s IP address as the source IP address for TCP connection setup End 12 4 9 Checking...

Page 259: ...from a CA when the configuration required for certificate enrollment is complete but no local certificate is available l Self signed certificate enrollment A PKI device issues a self signed certificate to itself Pre configuration Tasks Before configuring certificate enrollment complete the following tasks l Creating a PKI entity l Creating a PKI domain Data Preparation To configure certificate enr...

Page 260: ...d local certificate are downloaded and saved in the default path automatically If the CA certificate or local certificate is deleted unexpectedly run the pki get certificate command to obtain the CA certificate or device certificate again End 12 5 3 Configuring Automatic Certificate Enrollment and Update When the certificates are unavailable will expire or have expired an entity automatically requ...

Page 261: ... Checking the Configuration After a certificate is obtained from a CA or a self signed certificate or local certificate is created you can view certificate information Procedure l Run the display pki certificate local ca pki realm name verbose command to check certificate information l Run the display pki certificate enroll status pki realm name command to view the certificate enrollment status En...

Page 262: ...ration To configure certificate authentication you need the following data No Data 1 PKI domain name 2 Optional CDP URL and interval at which a PKI entity downloads a CRL from the CRL storage server 3 Optional OCSP server URL 12 6 2 Configuring the Certificate Check Mode There are three certificate check modes CRL OCSP or none Procedure Step 1 Run system view The system view is displayed Step 2 Ru...

Page 263: ...e interval at which a PKI entity downloads a CRL from a CRL storage server is configured Run quit Return to the system view If the PKI entity suspects that the CRL expires run pki get crl pki realm name The AR1200 S is configured to download the latest CRL from the CA l To use OCSP for certificate check perform the following operation Run ocsp url ocsp url The OCSP server s URL is configured This ...

Page 264: ...user wants to request a new certificate you can delete the existing certificate Procedure Step 1 Run system view The system view is displayed Step 2 Run pki delete certificate ca local ocsp pki realm name The certificate is deleted End 12 7 2 Importing a Certificate To use an external certificate copy it to a storage device in an outband way and import it to the AR1200 S Procedure Step 1 Run syste...

Page 265: ...al dir The default path and directory where the CA certificate local certificate and private key are stored are configured By default the CA certificate local certificate and private key are stored in flash End 12 8 Configuration Examples 12 8 1 Example for Configuring Manual Certificate Enrollment Networking Requirements This section describes how to configure a PKI entity a router to request a l...

Page 266: ... name bound entity name enrollment URL and root certificate fingerprint 3 Obtain a local certificate manually Procedure Step 1 Configure interface IP addresses and routes to enable the PKI entity and CA to communicate Step 2 Configure a PKI entity to identify a certificate applicant Configure a PKI entity user01 Huawei system view Huawei pki entity user01 Huawei pki entity user01 common name hello...

Page 267: ...ssful You will be prompted to enter the password during certificate enrollment If you do not have a password press Enter Step 5 Verify the configuration After the preceding configurations are complete the CA issues a certificate to the PKI entity In the certificate information the issued to field value is the entity common name hello Run the display pki certificate local ca pki realm name verbose ...

Page 268: ... transmitted between subnet 1 at 10 1 1 0 24 and subnet at 11 1 1 0 24 l Establish a security tunnel between the two gateways using Internet Key Exchange IKE negotiation During IKE negotiation PKI certificates are used for identity authentication Figure 12 4 Configuring PKI in IPSec Internet Internet 10 1 1 2 24 11 1 1 2 24 10 1 1 1 24 11 1 1 1 24 Eth2 0 0 Eth2 0 0 CA GE0 0 1 GE0 0 1 IPSec Tunnel ...

Page 269: ...CBF6D763C4A67035D5B578E AF IKE proposal l Encryption algorithm 3DES CBC l Authentication algorithm SHA1 l Authentication mode Rivest Shamir and Adelman RSA signature IKE peer l IKE peer name routera l Local peer s ID type IP address l Local IP address 1 1 1 1 l Remote IP address 2 2 2 1 l Negotiation mode main IPSec proposal l Transport protocol ESP l Authentication algorithm SHA1 l Encryption alg...

Page 270: ...erb l Negotiation mode main l Local peer s ID type IP address l Local IP address 2 2 2 1 l Remote IP address 1 1 1 1 IPSec proposal l Transport protocol ESP l Authentication algorithm SHA1 l Encryption algorithm 3DES l Encapsulation mode tunnel IPSec policy SA triggering mode automatic Configuration Roadmap 1 Configure a PKI entity to identify a certificate applicant 2 Configure a PKI domain and s...

Page 271: ...alm testa fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF Huawei pki realm testa certificate check none Huawei pki realm testa quit Configure RouterB Huawei pki realm testb Huawei pki realm testb ca id ca_root Huawei pki realm testb entity routerb Huawei pki realm testb enrollment url http 10 137 145 158 8080 certsrv mscep mscep dll ra Huawei pki realm testb fingerprint sha1 7A34D94624B1...

Page 272: ...rm esp Huawei ipsec proposal routera esp authentication algorithm sha1 Huawei ipsec proposal routera esp encryption algorithm 3des Huawei ipsec proposal routera quit Huawei ipsec policy routera 1 isakmp Huawei ipsec policy isakmp routera 1 security acl 3000 Huawei ipsec policy isakmp routera 1 ike peer routera Huawei ipsec policy isakmp routera 1 proposal routera Huawei ipsec policy isakmp routera...

Page 273: ...password please enter the enter key Please enter Password Start certificate enrollment Certificate is enrolling now It will take a few minutes or more Please waiting The certificate enroll successful Step 9 Verify the configuration Run the display ike sa v2 command on RouterA and RouterB to view IKE SA information The command output shows that RouterA and RouterB have established an IKE SA and can...

Page 274: ... rule 5 permit ip source 1 1 1 1 0 destination 2 2 2 1 0 rule 15 permit ip source 10 1 1 1 0 destination 11 1 1 1 0 ipsec proposal routera esp authentication algorithm sha1 esp encryption algorithm 3des ike proposal 1 encryption algorithm 3des cbc authentication method rsa signature ike peer routera v2 ike proposal 1 local address 1 1 1 1 remote address 2 2 2 1 pki realm testa ipsec policy routera...

Page 275: ...roposal 1 local address 2 2 2 1 remote address 1 1 1 1 pki realm testb ipsec policy routerb 1 isakmp security acl 3000 ike peer routerb proposal routerb interface Ethernet2 0 0 ip address 11 1 1 1 255 255 255 0 interface GigabitEthernet0 0 1 ip address 2 2 2 1 255 255 255 0 ipsec policy routerb ospf 1 area 0 0 0 0 network 2 2 2 0 0 0 0 255 network 11 1 1 0 0 0 0 255 pki entity routerb country CN s...

Page 276: ... return Huawei AR1200 S Series Enterprise Routers Configuration Guide Security 12 PKI Configuration Issue 02 2012 03 30 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 262 ...

Page 277: ...tions This section descries how to configure the basic functions of keychain module 13 4 Configuring TCP Authentication parameters This section descries how to configure the TCP Authentication parameters of Keychain module 13 5 Configuration Examples This section provides configuration examples of the keychain module Huawei AR1200 S Series Enterprise Routers Configuration Guide Security 13 Keychai...

Page 278: ...res authentication support has to quote a keychain A keychain can have one or multiple key ids Key id comprises of authentication algorithm and the key string secret shared key Each key id is associated with send and receive lifetime based on which it will be send active or receive active or both at an instant of time Key id that is send active at one end should be receive active at the other end ...

Page 279: ...nfiguring Basic Keychain Functions This section descries how to configure the basic functions of keychain module 13 3 1 Establishing the Configuration Task Applicable Environment Keychain is used to provide authentication support to the applications A keychain can have one or multiple key ids Key id comprises of authentication algorithm and the key string secret shared key Each key id is associate...

Page 280: ...a keychain timing mode is mandatory Once a keychain is created to enter the keychain view timing mode need not be specified End 13 3 3 Configuring Receive Tolerance of a Keychain Procedure Step 1 Run system view The system view is entered Step 2 Run keychain keychain name Keychain view is entered Step 3 Run receive tolerance value infinite The receive tolerance period for the keychain is configure...

Page 281: ...NOTE To configure a key id in a keychain a unique id within the keychain is required This id should be an integer and the value ranges from 0 to 63 End 13 3 5 Configuring key string of a key id Procedure Step 1 Run system view The system view is entered Step 2 Run keychain keychain name The keychain view is entered Step 3 Run key id key id Key id is created and key id view is entered Step 4 Run ke...

Page 282: ...un key id key id Key id is created and key id view is entered Step 4 Run algorithm hmac md5 hmac sha1 12 hmac sha1 20 md5 sha 1 simple The authentication algorithm for the key id is configured NOTE Key id will be inactive if the authentication algorithm is not configured End 13 3 7 Configuring a key id as the Default send key id Procedure Step 1 Run system view The system view is entered Step 2 Ru...

Page 283: ...date duration duration value infinite to end time end date The send time for the key id is configured l Daily Periodic Timing Mode 1 Run system view The system view is entered 2 Run keychain keychain name mode periodic daily The keychain is created in daily periodic timing mode and keychain view is entered 3 Run key id key id The key id is created and key id view is entered 4 Run send time daily s...

Page 284: ...n key id key id The key id is created and key id view is entered 4 Run send time date start date value 1 31 to end date value The send time for the key id is configured l Yearly Periodic Timing Mode 1 Run system view The system view is entered 2 Run keychain keychain name mode periodic yearly The keychain is created in yearly periodic timing mode and keychain view is entered 3 Run key id key id Th...

Page 285: ...nd key id view is entered 4 Run receive time utc start time start date duration duration value infinite to end time end date The receive time for the key id is configured l Daily Periodic Timing Mode 1 Run system view The system view is entered 2 Run keychain keychain name mode periodic daily The keychain is created in daily periodic timing mode and keychain view is entered 3 Run key id key id The...

Page 286: ...entered 2 Run keychain keychain name mode periodic yearly The keychain is created in yearly periodic timing mode and keychain view is entered 3 Run key id key id The key id is created and key id view is entered 4 Run receive time month start month name 1 12 to end month name The receive time for the key id is configured NOTE Receive time for a key id is configured in accordance with the timing mod...

Page 287: ... Algorithm IDs HMAC MD5 5 HMAC SHA1 12 2 HMAC SHA1 20 6 MD5 3 SHA1 4 Number of Key IDs 0 Active Send Key ID None Active Receive Key IDs None Default send Key ID Not configured The configurations of the keycahin are complete Run the display keychain keychain name key id key id command to view the current configuration of a key id inside a keychain for example Huawei display keychain earth key id 1 ...

Page 288: ...r vendors kind value should be made configurable based on the type of vendor to which it is connected Similarly TCP Enhanced Authentication Option has a field named algorithm ID which represents the authentication algorithm type As algorithm IDs are not defined by IANA Internet Assigned Numbers Authority Currently different vendor uses different algorithm ID to represent the same algorithm In orde...

Page 289: ...End 13 4 3 Configuring TCP Algorithm id in a Keychain Procedure Step 1 Run system view The system view is displayed Step 2 Run keychain keychain name Keychain view is entered Step 3 Run tcp algorithm id md5 sha 1 hmac md5 hmac sha1 12 hmac sha1 20 algorithm id The range of the algorithm id can be 1 to 63 NOTE The algorithm id used to represent authentication algorithm type in TCP Enhanced Authenti...

Page 290: ...A1 4 Number of Key IDs 0 Active Send Key ID None Active Receive Key IDs None Default send Key ID Not configured The configurations of the keycahin are complete Run the display keychain keychain name key id key id command to view the current configuration of a key id inside a keychain for example Huawei display keychain earth key id 1 Keychain Information Keychain Name earth Timer Mode Absolute Rec...

Page 291: ...etworking diagram of keychain GE0 0 1 192 168 1 1 24 GE0 0 1 192 168 1 2 24 RouterA RouterB Configuration Roadmap The configuration roadmap is as follows 1 Configure keychain basic functions 2 Configure the application RIP on both the Routers to use keychain Data Preparation To complete the configuration you need the following data l keychain name l key id l algorithm and key string l send and rec...

Page 292: ...10 to 14 50 2008 10 10 RouterB keychain keyid 1 receive time utc 14 30 2008 10 10 to 14 50 2008 10 10 RouterB keychain keyid 1 quit Configuring the basic function of RIP RouterB interface gigabitethernet 0 0 1 RouterB GigabitEthernet0 0 1 ip address 192 168 1 2 24 RouterB GigabitEthernet0 0 1 rip authentication mode md5 nonstandard keychain huawei RouterB GigabitEthernet0 0 1 quit End Configuratio...

Page 293: ...nd time utc 14 40 2008 10 10 to 14 50 2008 10 10 receive time utc 14 30 2008 10 10 to 14 50 2008 10 10 return Huawei AR1200 S Series Enterprise Routers Configuration Guide Security 13 Keychain Configuration Issue 02 2012 03 30 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 279 ...

Page 294: ...4 Configuring Flood Attack Defense Flood attacks include SYN flood attacks UDP flood attacks and ICMP flood attacks 14 5 Configuring Application Layer Association Application layer association controls forwarding and discarding of protocol packets by enabling or disabling application layer protocols In this manner application layer association can defense attacks 14 6 Maintenance Attack Defense an...

Page 295: ...the network through ping scanning ICMP and TCP and thus accurately obtain the potential victims TCP and UDP port scanning can be used to detect the type of operating system and potential services Through scanning the attacker can learn the service types provided by the target system and the latent security loopholes thus getting ready to attack the system l Abnormal packet attack Abnormal packet a...

Page 296: ...ackets without any higher layer data are considered useless and directly discarded IGMP null packet attacks If the length of the IGMP packets is smaller than 28 bytes the packets are considered null and thus discarded LAND attacks The router detects whether the source address and the destination address in the TCP SYN packet are consistent and whether the source interface and the destination inter...

Page 297: ... supports application layer association The application layer association module controls some protocols and functions l When a protocol is disabled the AR1200 S directly discards packets of this protocol to prevent attacks l When a protocol is enabled the AR1200 S limits the rate of protocol packets sent to the CPU to protect the CPU The application layer association module supports SNMP HW TACAC...

Page 298: ...acket attacks The defense against abnormal packet attacks is enabled by default If defense against abnormal packet attacks is disabled run the command to enable it End 14 2 3 Checking the Configuration After configuring defense against attacks from malformed packets you can view statistics about defense against malformed packets Prerequisites The configurations of the abnormal packet attack defens...

Page 299: ...fense against packet fragment attacks must be configured Pre configuration Tasks Before configuring defense against packet fragment attacks complete the following tasks l Setting the link layer protocol parameters and the IP address for the interface to make the status of link protocol Up Data Preparation To configure defense against packet fragment attacks you need the following data No Data 1 Re...

Page 300: ...se are complete Procedure Step 1 Run the display anti attck statistics fragment command to check the statistics of defense against packet fragment attacks on the interface board End Example After the configuration is complete run the display anti attck statistics fragment command to check the statistics of defense against packet fragment attacks on the interface board Huawei display anti attck sta...

Page 301: ...flood attacks you need the following data No Data 1 Rate restricted by TCP SYN packets and rate restricted by ICMP flood packets 14 4 2 Configuring Defense Against SYN Flood Attacks The major measure to defend SYN flood attacks is to limit the rate of TCP SYN packets Context Do as follows on the router Procedure Step 1 Run system view The system view is displayed Step 2 Run anti attack tcp syn ena...

Page 302: ...re to defend ICMP flood attacks is to limit the rate of ICMP packets Context Configure router as follows Procedure Step 1 Run system view The system view is displayed Step 2 Run anti attack icmp flood enable Defense against ICMP flood attacks is enabled Defense against ICMP flood attacks is enabled by default Thus you need to configure the restricted rate only If defense against ICMP flood attacks...

Page 303: ...ei display anti attack statistics udp flood Packets Statistic Information AntiAtkType TotalPacketNum DropPacketNum PassPacketNum H L H L H L Udp flood 0 0 0 0 0 0 Huawei display anti attack statistics icmp flood Packets Statistic Information AntiAtkType TotalPacketNum DropPacketNum PassPacketNum H L H L H L Icmp flood 0 0 0 0 0 0 14 5 Configuring Application Layer Association Application layer ass...

Page 304: ...carded depends on the configuration of the device Context The application layer association module uses the switch to control whether the application layer association is enabled If the protocol is enabled the packets of the protocol are sent If the protocol is disabled the packets of the protocol are directly discarded To prevent the attacks from the packets of idle protocols the protocol module ...

Page 305: ...etworking diagram Each configuration example consists of the networking requirements configuration precautions configuration roadmap configuration procedures and configuration files 14 7 1 Example of Configuring Attack Defense This section describes the applications of attack defense on an actual network including defense against malformed packet attacks fragmented packet attacks and flood attacks...

Page 306: ... flood packets from using excessive CPU resources Figure 14 1 Networking diagram of configuring Attack Defense hacker user user VLAN100 VLAN300 VLAN200 RouterB GE1 0 0 100 111 1 1 24 GE1 0 0 100 111 1 2 24 Internet RouterA Configuration Roadmap The configuration roadmap is as follows 1 Configure the IP addresses and routes of each interface to guarantee internetworking 2 Enable defense against abn...

Page 307: ...s RouterA anti attack udp flood enable Enable defense against ICMP flood attacks on Router A and restrict the rate for sending ICMP flood packets to 15000 bit s RouterA anti attack icmp flood enable RouterA anti attack icmp flood car cir 15000 Step 5 Verify the configuration After the configuration is complete run the display anti attack statistics abnormal fragment tcp syn udp flood icmp flood co...

Page 308: ...000 return l Configuration file of Router B sysname RouterB interface GigabitEthernet2 0 0 ip address 100 111 1 2 255 255 255 252 return Huawei AR1200 S Series Enterprise Routers Configuration Guide Security 14 Configuration of Attack Defense and Application Layer Association Issue 02 2012 03 30 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 294 ...

Reviews:

No comments