Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Issue 05 (2010-09-25)
Related Versions
The following table lists the product version related to this document.

Product Name    Version
ME60            V100R006C05
Intended Audience
This document is intended for:
- Technical support engineers
- Maintenance engineers
Organization
This document is organized as follows.

1 Security Overview
    This chapter provides basic knowledge about the security service, including threats to Internet security, network security overview, and implementation of network security.
2 Firewall Configuration
    This chapter describes the configuration of the firewall, including the security zone, ACL packet filtering, ASPF, blacklist, port mapping, and firewall log.
3 NAT Configuration
    This chapter describes the concept, fundamentals, configuration, and maintenance of NAT.
4 Traffic Statistics and Monitoring Configuration
    This chapter describes the fundamentals, configuration, and maintenance of traffic statistics and monitoring.
5 Attack Defense Configuration
    This chapter describes the fundamentals, configuration, and maintenance of attack defense.
6 IPSec Configuration
    This chapter describes the fundamentals, implementation, and configuration of IPSec.
7 IKE Configuration
    This chapter describes the fundamentals, implementation, and configuration of IKE.
8 URPF Configuration
    This chapter describes the fundamentals, implementation, and configuration of URPF.
9 DPI Configuration
    This chapter describes the fundamentals of DPI and how to configure network-side DPI and user-side DPI.
10 Lawful Interception Configuration
    This chapter describes the concept, process, and configuration of lawful interception.
11 User Log Configuration
    This chapter describes the concept and configuration of user logs.
12 ARP Security Configuration
    This chapter describes how to configure ARP Security.
A Glossary
    This appendix provides the glossary of this document.
B Acronyms and Abbreviations
    This appendix lists the acronyms and abbreviations mentioned in this manual and provides their explanations.
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol     Description
DANGER     Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING    Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION    Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP        Indicates a tip that may help you solve a problem or save time.
NOTE       Provides additional information to emphasize or supplement important points of the main text.
General Conventions
The general conventions that may be found in this document are defined as follows.

Convention         Description
Times New Roman    Normal paragraphs are in Times New Roman.
Boldface           Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic             Book titles are in italics.
Courier New        Examples of information displayed on the screen are in Courier New.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention    Description
Boldface      Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>             Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Format          Description
Key             Press the key. For example, press Enter and press Tab.
Key 1+Key 2     Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2    Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.
Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Action          Description
Click           Select and release the primary mouse button without moving the pointer.
Double-click    Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag            Press and hold the primary mouse button and move the pointer to a certain position.
Update History
Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous versions.
Contents
About This Document  iii

1 Security Overview  1-1
  1.1 Introduction to Network Security  1-2
    1.1.1 Background  1-2
    1.1.2 Network Security Service  1-2
  1.2 Security Features of the ME60  1-2
    1.2.1 Firewall  1-2
    1.2.2 URPF  1-3
    1.2.3 DPI  1-3
    1.2.4 Lawful Interception  1-3
    1.2.5 User Log  1-3
2 Firewall Configuration  2-1
  2.1 Introduction  2-2
    2.1.1 Functions of Firewall  2-2
    2.1.2 Classification of Firewalls  2-2
    2.1.3 Terms Related to the Firewall  2-3
    2.1.4 Firewall Functions of the ME60  2-4
  2.2 Configuring a Zone  2-6
    2.2.1 Establishing the Configuration Task  2-6
    2.2.2 (Optional) Configuring the VSU to Work as the SSU  2-7
    2.2.3 Creating a Zone  2-7
    2.2.4 Configuring the Priority of a Zone  2-7
    2.2.5 Adding User Domains or Interfaces to the Zone  2-8
    2.2.6 Creating an Interzone  2-9
    2.2.7 Enabling Firewall in the Interzone  2-9
    2.2.8 Checking the Configuration  2-10
  2.3 Setting the Aging Time of the Firewall Session Table  2-10
    2.3.1 Establishing the Configuration Task  2-10
    2.3.2 (Optional) Setting the Aging Time of the Firewall Session Table  2-11
    2.3.3 Checking the Configuration  2-11
  2.4 Configuring ACL-based Packet Filtering  2-12
    2.4.1 Establishing the Configuration Task  2-12
Quidway ME60 Multiservice Control Gateway Configuration Guide - Security

    2.4.2 Configuring ACL-based Packet Filtering in an Interzone  2-13
  2.5 Configuring ASPF  2-13
    2.5.1 Establishing the Configuration Task  2-13
    2.5.2 Configuring ASPF in the Interzone  2-14
    2.5.3 Checking the Configuration  2-14
  2.6 Configuring the Blacklist  2-15
    2.6.1 Establishing the Configuration Task  2-15
    2.6.2 Enabling the Blacklist  2-16
    2.6.3 (Optional) Adding a Blacklist Entry  2-16
    2.6.4 (Optional) Configuring the Packet Filtering Type of the Blacklist  2-17
  2.7 Configuring Port Mapping  2-17
    2.7.1 Establishing the Configuration Task  2-17
    2.7.2 Configuring Port Mapping  2-18
  2.8 Configuring P2P Traffic Control  2-19
    2.8.1 Establishing the Configuration Task  2-19
    2.8.2 Enabling P2P Traffic Control  2-20
    2.8.3 Configuring the CAR Table  2-20
    2.8.4 Configuring P2P Traffic Control in an Interzone  2-21
    2.8.5 Configuring P2P Traffic Control Globally  2-22
    2.8.6 Checking the Configuration  2-22
  2.9 Configuring Firewall Logs  2-22
    2.9.1 Establishing the Configuration Task  2-23
    2.9.2 Enabling the Firewall Log  2-23
    2.9.3 Configuring a Session Log  2-24
    2.9.4 (Optional) Configuring Output Interval of Logs  2-24
    2.9.5 Checking the Configuration  2-25
  2.10 Configuration Examples  2-25
    2.10.1 Example for Configuring ACL-based Packet Filtering  2-25
    2.10.2 Example for Configuring ASPF and Port Mapping  2-28
    2.10.3 Example for Configuring the Blacklist  2-30
3 NAT Configuration  3-1
  3.1 Introduction  3-2
    3.1.1 NAT Overview  3-2
    3.1.2 NAT Types  3-3
    3.1.3 Advantages and Disadvantages of NAT  3-4
    3.1.4 Many-to-Many NAT and Address Pool  3-4
    3.1.5 Internal Server  3-5
    3.1.6 References  3-5
  3.2 Configuring NAT  3-5
    3.2.1 Establishing the Configuration Task  3-6
    3.2.2 (Optional) Configuring the VSU to Work as the SSU  3-6
    3.2.3 Configuring the NAT Address Pool  3-7
    3.2.4 Configuring NAT in an Interzone  3-7
    3.2.5 (Optional) Configuring the Internal NAT Server  3-8
    3.2.6 Checking the Configuration  3-9
  3.3 Configuration Examples  3-9
    3.3.1 Example for Configuring NAT  3-9
    5.3.3 Example for Configuring IP Address Sweeping Attack Defense  5-15
6 IPSec Configuration  6-1
  6.1 Introduction  6-2
    6.1.1 Overview of IPSec  6-2
    6.1.2 Terms Related to IPSec  6-2
    6.1.3 IPSec Features Supported by the ME60  6-5
  6.2 Defining Data Flows to Be Protected  6-6
    6.2.1 Establishing the Configuration Task  6-6
    6.2.2 Defining Data Flows to Be Protected  6-7
  6.3 Configuring an IPSec Proposal  6-8
    6.3.1 Establishing the Configuration Task  6-8
    6.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal View  6-9
    6.3.3 Configuring the IPSec Protocol  6-9
    6.3.4 Configuring the Authentication Algorithm  6-10
    6.3.5 Configuring the Encryption Algorithm  6-11
    6.3.6 Configuring the Encapsulation Mode  6-11
    6.3.7 Checking the Configuration  6-12
  6.4 Configuring an IPSec Policy  6-12
    6.4.1 Establishing the Configuration Task  6-13
    6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View  6-13
    6.4.3 Configuring the ACL Used in the IPSec Policy  6-14
    6.4.4 Applying the IPSec Proposal to the IPSec Policy  6-14
    6.4.5 Configuring the SA Duration  6-15
    6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)  6-16
    6.4.7 Configuring the SPI for an SA (for Manual Mode)  6-16
    6.4.8 Configuring Key for an SA (for Manual Mode)  6-17
    6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode)  6-18
    6.4.10 Configuring the PFS Feature Used in the IKE Negotiation  6-18
    6.4.11 Configuring the Global SA Duration  6-19
    6.4.12 Checking the Configuration  6-19
  6.5 Configuring IPSec Policies by Using the IPSec Policy Template  6-20
    6.5.1 Establishing the Configuration Task  6-20
    6.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View  6-21
    6.5.3 Configuring the ACL Used in the IPSec Policy Template  6-22
    6.5.4 Applying the IPSec Proposal to the IPSec Policy Template  6-22
    6.5.5 Configuring the SA Duration  6-22
    6.5.6 Configuring the IKE Peer for the IPSec Policy Template  6-23
    6.5.7 Configuring the PFS Feature Used in the IKE Negotiation  6-23
    6.5.8 Configuring the Global SA Duration  6-24
    6.5.9 Applying the IPSec Policy Template  6-24
    6.5.10 Checking the Configuration  6-25
  6.6 Applying an IPSec Policy or an IPSec Policy Group to an Interface  6-25
    6.6.1 Establishing the Configuration Task  6-25
    6.6.2 Configuring the IPSec Behavior in the Traffic Policy  6-26
    6.6.3 Applying an IPSec Policy or an IPSec Policy Group to an Interface  6-26
  6.7 Maintaining IPSec  6-27
    6.7.1 Clearing IPSec Packet Statistics  6-27
    6.7.2 Debugging IPSec  6-28
  6.8 Configuration Examples  6-28
    6.8.1 Example for Establishing an SA Manually  6-28
7 IKE Configuration  7-1
  7.1 Introduction  7-2
    7.1.1 Overview of IKE  7-2
    7.1.2 NAT Traversal in IPSec  7-4
    7.1.3 IKE Features of the ME60  7-4
  7.2 Setting the Local ID Used in IKE Negotiation  7-5
    7.2.1 Establishing the Configuration Task  7-5
    7.2.2 Setting the Local ID Used in IKE Negotiation  7-5
  7.3 Configuring an IKE Security Proposal  7-6
    7.3.1 Establishing the Configuration Task  7-6
    7.3.2 Creating the IKE Security Proposal and Entering the IKE Security Proposal View  7-7
    7.3.3 Specifying an Encryption Algorithm  7-7
    7.3.4 Specifying an Authentication Method  7-8
    7.3.5 Configuring the Authentication Algorithm  7-8
    7.3.6 Specifying a DH Group  7-9
    7.3.7 Configuring the Duration of ISAKMP SA  7-9
    7.3.8 Checking the Configuration  7-10
  7.4 Configuring Attributes of the IKE Peer  7-10
    7.4.1 Establishing the Configuration Task  7-11
    7.4.2 Creating an IKE Peer and Entering the IKE Peer View  7-11
    7.4.3 Configuring the IKE Negotiation Mode  7-12
    7.4.4 Configuring the IKE Security Proposal  7-12
    7.4.5 Configuring the Local ID Type  7-13
    7.4.6 Configuring NAT Traversal in IPSec  7-13
    7.4.7 Configuring the Identity Authenticator  7-14
    7.4.8 Configuring the Peer IP Address or Address Segment  7-14
    7.4.9 Configuring the Peer Name  7-15
    7.4.10 Checking the Configuration  7-15
  7.5 Tuning the IKE Configuration  7-15
    7.5.1 Establishing the Configuration Task  7-16
    7.5.2 Setting the Interval of Keepalive Packets  7-16
    7.5.3 Setting the Timeout Time of Keepalive Packets  7-17
    7.5.4 Setting the Interval of NAT Update Packets  7-17
  7.6 Maintaining IKE  7-18
    7.6.1 Displaying the IKE Configuration  7-18
    7.6.2 Clearing the Security Tunnel  7-18
    7.6.3 Debugging IKE  7-19
  7.7 Configuration Examples  7-19
    7.7.1 Example for Establishing an SA Through IKE Negotiation  7-19
8 URPF Configuration  8-1
  8.1 Introduction  8-2
    8.1.1 Overview of URPF  8-2
    8.1.2 URPF Features of the ME60  8-4
  8.2 Configuring URPF  8-5
    8.2.1 Establishing the Configuration Task  8-5
    8.2.2 Enabling URPF on an Interface  8-5
    8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets  8-6
  8.3 Configuration Examples  8-7
    8.3.1 Example for Configuring URPF  8-7
9 DPI Configuration.....................................................................................................................9-1
9.1 Introduction.....................................................................................................................................................9-2 9.1.1 Overview of DPI....................................................................................................................................9-2 9.1.2 DPI Functions Supported by the ME60.................................................................................................9-4 9.2 Configuring Basic DPI Functions...................................................................................................................9-4 9.2.1 Establishing the Configuration Task......................................................................................................9-4 9.2.2 (Optional) Configuring the VSU to Work as the DPI Board.................................................................9-5 9.2.3 (Optional) Configuring the MAC Address of the DPI Board................................................................9-6 9.2.4 Configuring the Packet Inspection Mode...............................................................................................9-6 9.2.5 (Optional) Configuring the PTS.............................................................................................................9-7 9.2.6 Checking the Configuration...................................................................................................................9-7 9.3 Configuring Network-side DPI.......................................................................................................................9-8 9.3.1 Establishing the Configuration Task......................................................................................................9-9 9.3.2 Creating a DPI Policy.............................................................................................................................9-9 9.3.3 Configuring the DPI 
Policy..................................................................................................................9-10 9.3.4 Configuring a Global DPI Policy Group..............................................................................................9-10 9.3.5 Configuring a DPI Traffic Policy.........................................................................................................9-11 9.3.6 Applying the Traffic Policy to the Network Side................................................................................ 9-13 9.3.7 Checking the Configuration.................................................................................................................9-13 9.4 Configuring User-side DPI............................................................................................................................9-14 9.4.1 Establishing the Configuration Task....................................................................................................9-14 9.4.2 Creating and Configuring a DPI Policy............................................................................................... 9-15 9.4.3 Configuring a Common DPI Policy Group..........................................................................................9-15 9.4.4 Applying the User-side DPI Policy to the Domain..............................................................................9-16 9.4.5 (Optional) Enabling DPI on a BAS Interface.......................................................................................9-16 9.4.6 (Optional) Configuring the Restriction Policy.....................................................................................9-17 9.4.7 Checking the Configuration.................................................................................................................9-18 xiv Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 05 (2010-09-25)
Contents
9.5 Configuration Examples................................................................................................................................9-18 9.5.1 Example for configuring the DPI Function..........................................................................................9-19
Contents
Quidway ME60 Multiservice Control Gateway Configuration Guide - Security 12.3.2 Configuring Speed Limit for ARP Miss Packets...............................................................................12-9 12.3.3 Enabling Alarm Functions for Potential Attack Behaviors................................................................12-9 12.3.4 Checking the Configuration...............................................................................................................12-9
12.4 Maintaining the ARP Security..................................................................................................................12-10 12.4.1 Displaying Statistics About ARP Packets........................................................................................12-10 12.4.2 Clearing Statistics About ARP Packets............................................................................................12-11 12.4.3 Debugging ARP Packets..................................................................................................................12-11 12.5 Configuration Examples............................................................................................................................12-11 12.5.1 Example for Preventing Attacks on ARP Entries............................................................................12-12 12.5.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks.........................................12-14
xvi
Issue 05 (2010-09-25)
Figures
Figures
Figure 2-1 Networking of ACL-based packet filtering......................................................................................2-26 Figure 2-2 Networking of ASPF and port mapping...........................................................................................2-28 Figure 2-3 Networking of blacklist configuration..............................................................................................2-31 Figure 3-1 Schematic diagram of NAT................................................................................................................3-3 Figure 3-2 Schematic diagram of PAT.................................................................................................................3-4 Figure 3-3 Networking of NAT..........................................................................................................................3-10 Figure 4-1 Limiting the number of sessions initiated by external server.............................................................4-2 Figure 4-2 Networking of system-level traffic statistics and monitoring...........................................................4-10 Figure 4-3 Networking of zone-based traffic statistics and monitoring.............................................................4-12 Figure 4-4 Networking of IP address-based traffic statistics and monitoring....................................................4-14 Figure 5-1 Networking of Land attack defense..................................................................................................5-11 Figure 5-2 Networking of SYN Flood attack defense........................................................................................5-13 Figure 5-3 Networking of IP address sweeping attack defense.........................................................................5-15 Figure 6-1 Packets format in transport 
mode.......................................................................................................6-3 Figure 6-2 Packets format in tunnel mode...........................................................................................................6-4 Figure 6-3 Networking of IPSec configuration..................................................................................................6-29 Figure 7-1 Process of setting up an SA................................................................................................................7-3 Figure 7-2 Networking of IKE configuration.....................................................................................................7-20 Figure 8-1 Schematic diagram of the source address spoofing attack.................................................................8-2 Figure 8-2 URPF applied on a single-homed client.............................................................................................8-3 Figure 8-3 URPF applied on a multi-homed client..............................................................................................8-3 Figure 8-4 URPF applied on a multi-homed client with multiple ISPs...............................................................8-4 Figure 8-5 Networking of URPF configuration...................................................................................................8-7 Figure 9-1 Comparison between DPI and the common packet analysis..............................................................9-2 Figure 9-2 Networking of DPI application...........................................................................................................9-3 Figure 9-3 Networking for DPI configuration...................................................................................................9-19 Figure 10-1 Scenario for lawful interception.....................................................................................................10-3 Figure 
10-2 Process of lawful interception........................................................................................................10-5 Figure 10-3 Networking of lawful interception................................................................................................10-10 Figure 11-1 Networking for configuring the user log........................................................................................11-6 Figure 12-1 ARP buffer overflow attacks..........................................................................................................12-2 Figure 12-2 ARP DoS attacks............................................................................................................................12-3 Figure 12-3 Networking diagram of preventing attacks on ARP entries.........................................................12-12 Issue 05 (2010-09-25) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. xvii
Figures
Quidway ME60 Multiservice Control Gateway Configuration Guide - Security Figure 12-4 Network diagram of preventing attacks on ARP entries and scanning attacks............................12-14
xviii
Issue 05 (2010-09-25)
Tables
Tables
Table 10-1 Description of interfaces for lawful interception............................................................................. 10-4 Table 11-1 Difference between the two versions of the user log packets..........................................................11-3
Issue 05 (2010-09-25)
xix
1 Security Overview

About This Chapter

This chapter provides basic knowledge about the security service, including threats to Internet security, network security overview, and implementation of network security.

1.1 Introduction to Network Security
This section describes the background and concept of network security.

1.2 Security Features of the ME60
This section describes the security features supported by the ME60.
1.1.1 Background
With the rapid development of the Internet, more and more enterprises use Internet services to develop their business. The Internet, however, is an open network, so the confidential information and resources of enterprises face malicious threats and attacks. Various measures must be taken to minimize these risks.
1.2.1 Firewall

The firewall is introduced to avoid security risks in network transmission and to prevent external attacks. The firewall supports the following features:
• Packet filtering
• ASPF
• Blacklist
• Port mapping
• P2P traffic control
• Attack defense
• NAT
1.2.2 URPF
Unicast reverse path forwarding (URPF) is used to prevent attacks of IP address spoofing. The ME60 can perform loose URPF check or strict URPF check for all IP packets on an interface.
1.2.3 DPI
Deep packet inspection (DPI) analyzes the application layer of the packet to identify services and applications. DPI provides the policies for network control and management.
2 Firewall Configuration

About This Chapter

This chapter describes the configuration of the firewall, including the security zone, ACL packet filtering, ASPF, blacklist, port mapping, and firewall log.

2.1 Introduction
This section describes the concept and fundamentals of the firewall.

2.2 Configuring a Zone
This section describes how to configure the firewall and partition the network.

2.3 Setting the Aging Time of the Firewall Session Table
This section describes how to set the aging time of the firewall session table.

2.4 Configuring ACL-based Packet Filtering
This section describes how to filter data packets through the ACL.

2.5 Configuring ASPF
This section describes how to configure the ME60 to check the application layer information about data flows to filter data packets.

2.6 Configuring the Blacklist
This section describes how to configure the blacklist to filter out data packets from attackers.

2.7 Configuring Port Mapping
This section describes how to configure the port mapping function so that the firewall can identify the packets of the application-layer protocols that use non-well-known port numbers.

2.8 Configuring P2P Traffic Control
This section describes how to limit the bandwidth of P2P sessions.

2.9 Configuring Firewall Logs
This section describes how to configure firewall logs.

2.10 Configuration Examples
This section provides several configuration examples of the firewall.
2.1 Introduction

This section describes the concept and fundamentals of the firewall.

The concept of the firewall originates from architecture: in a building, a firewall prevents fire from spreading. In communication networks, the firewall has a similar function. A firewall is a system or a group of systems that enforce access control policies. It monitors the channel between the internal network, which is trusted, and the external networks, which are untrusted, so that risks in the external networks cannot affect the internal network.

2.1.1 Functions of the Firewall
2.1.2 Classification of Firewalls
2.1.3 Terms Related to the Firewall
2.1.4 Firewall Functions of the ME60
When the firewall resides between an internal network and an external network, it protects the internal network against illegal access, such as unauthorized and unauthenticated access, and malicious attacks. When the firewall resides at the ingress of important resources (such as key servers and secret databases) in an internal network, it prevents certain users from accessing the resources, even if the users are in the internal network. The firewall can also function as a gateway that controls the access right to the Internet. For example, the firewall allows certain users in the internal network to access the Internet after the users are authenticated.
The packet filtering firewall is simple, easy to use, and economical, but it has the following disadvantages:
• As the complexity and length of the ACL increase, the filtering performance degrades exponentially.
• Static ACL rules cannot meet dynamic security requirements.
• The packet filtering firewall does not check the state of a session or analyze data, so the network is exposed to IP address spoofing.
Proxy Firewall
A proxy firewall works at the application layer and takes over the services between the internal network and the external network. The proxy firewall checks the requests of users. If the authentication is successful, the firewall connects to the genuine server and forwards the request, and then forwards the server's response to the user. Because the proxy firewall completely controls the exchange of network information and the session process, it provides high security. The proxy firewall, however, has the following disadvantages:
• The processing speed is low because of software limitations, and the proxy firewall is subject to denial of service (DoS) attacks.
• Upgrading is difficult because an application proxy is required for each protocol.
NOTE
The ME60 can function as the proxy firewall for only the SYN packets of TCP.
Stateful Firewall
A stateful firewall is an extension of the packet filtering firewall. The stateful firewall not only treats each data packet as an independent unit in the ACL check and filtering, but also considers the association between packets. The stateful firewall monitors TCP/UDP sessions by using various state tables. The ACL then determines which sessions can be established, and only the data packets associated with permitted sessions are forwarded. The stateful firewall also analyzes the application layer state of the data packets in the TCP/UDP sessions and filters out unqualified data packets. The stateful firewall has a high processing speed and ensures high security because it combines the advantages of the packet filtering firewall and the proxy firewall. The ME60 supports the packet filtering firewall and the stateful firewall.
The ME60 considers data delivery within a zone reliable and therefore enforces no security policy on it. The firewall checks data and enforces security policies only when data flows from one zone to another.
Security Interzone
Any two zones can form an interzone, which has an independent interzone view. Most firewall configurations are performed in the interzone view. Assume that there are two zones, namely, zone1 and zone2. In the view of the interzone, ACL packet filtering can be configured. The ACL packet filtering policy is then enforced on the data delivered between zone1 and zone2.
Direction
In an interzone, data is delivered in a certain direction: inbound or outbound.
• Inbound: data flows from a zone with lower priority to a zone with higher priority.
• Outbound: data flows from a zone with higher priority to a zone with lower priority.
ASPF
ASPF is status-based packet filtering applied at the application layer. ASPF detects the application-layer sessions that attempt to pass through the firewall and denies unnecessary packets. By contrast, the ACL-based packet filtering firewall inspects packets only at the network and transport layers. The ASPF function and common packet filtering can be used together, so the ME60 can enforce complete security policies on an internal network. The ME60 can apply ASPF to application layer protocols such as the File Transfer Protocol (FTP), H.323, Hyper Text Transport Protocol (HTTP), Huawei Conference Control Protocol (HWCC), Internet Location Service (ILS), Network Basic Input/Output System (NetBIOS), and Real Time Streaming Protocol (RTSP).
Blacklist
A blacklist filters packets based on the source IP address. Compared with the ACL, the matching fields used in the blacklist are simple and hence the packets can be filtered at a higher speed. The packets from certain IP addresses can be filtered out. The firewall can add IP addresses to the blacklist dynamically. By judging the packet behaviors, the firewall detects an attack from an IP address. The firewall adds the IP address of the attacker to the blacklist so that packets from the attacker can be filtered out and discarded.
Port Mapping
Application layer protocols use the well-known ports for communication. Port mapping allows you to define a set of port numbers for different applications. You can also specify the hosts that can use the non-well-known ports. Port mapping is meaningful only when it is used with service-sensitive features such as ASPF and NAT. For example, the internal FTP server 10.10.10.10 in the private network of an enterprise provides the FTP service through port 2121. Users can use only 2121 as the port number to access the FTP server through the NAT server. By default, port 21 is used for FTP packets. The FTP server cannot identify the FTP packets that use port 21. In this case, you need to map port 2121 to the FTP protocol. After port mapping, the NAT server can identify the FTP packets that use port 2121 and send the FTP packets to the FTP server. In this way, users can access the FTP server.
Firewall Log
The firewall records its behaviors and states in real time. For example, the measures taken against IP address spoofing and the detection of malicious attacks are recorded in the firewall log. The firewall logs are categorized into the following types:
• Session log, which is sent to the log server in real time
• Blacklist log, which is sent to the information center in real time
• Defense log and statistics log, which are sent to the information center periodically
These logs help you find out the security hole, detect the attempts to violate the security policies, and learn the type of a network attack. The real-time log is also used to detect the intrusion that is underway.
• The ME60 implements firewall features after the Versatile Service Unit (VSU) is configured as the Security Service Unit (SSU). Therefore, you need to install the VSU before configuring the firewall. For the functions of the VSU in SSU mode, refer to the Quidway ME60 Multiservice Control Gateway Product Description.
• You can run the set lpu-work-mode { dpi | sbc | ssu | tsu } slot slot-id command to implement different service functions.
• In this manual, the VSU operating in SSU mode is called the SSU.
Pre-configuration Task

Before configuring a zone, complete the following tasks:
• Installing the VSU
• Configuring the user domains or interfaces that you need to add to the zone

Data Preparation

To configure a zone, you need the following data.
1. Name of the zone
2. Priority of the zone
3. User domains or interfaces to be added to the zone
Procedure
Step 1 Run:
system-view
• The configured operation mode takes effect after the VSU is restarted.
• The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure it again.
----End
Procedure
Step 1 Run:
system-view
A zone is created. Up to 128 zones can be configured on the ME60. No default zone exists. ----End
Procedure
Step 1 Run:
system-view
The priority of the zone is set. The priority must be configured; otherwise, other configurations cannot be performed. The priority of a zone ranges from 1 to 200 and is globally unique. ----End
• A user domain or an interface can be added to only one zone. If a user domain or an interface is added to multiple zones, the last zone takes effect.
• When layer-3 leased line users connect to the ME60 through a layer-3 device (for example, a router), the ME60 can implement the firewall function only by adding interfaces to zones.
You can add a user domain and an interface to the same zone. That is, a zone can consist of user domains and interfaces.
Procedure
• Adding a user domain to the zone
1. Run:
system-view
1. Run:
system-view
After adding an interface to a zone, you must run the shutdown command to disable the interface and then run the undo shutdown command to re-enable it; only then does the configuration take effect.
----End
Procedure
Step 1 Run:
system-view
An interzone is created. You need to specify two existing zones in the interzone. ----End
Procedure
Step 1 Run:
system-view
Pre-configuration Task
Before setting the aging time of the firewall session table, complete the following tasks:
• Installing the VSU
• (Optional) Configuring the VSU to Work as the SSU
• Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
• Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
Data Preparation
To set the aging time of the firewall session table, you need the following data.
1. Aging time of the session table for each application layer protocol
2.3.2 (Optional) Setting the Aging Time of the Firewall Session Table
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The aging time of the firewall session table is configured. By default, the aging times of the SYN, FIN-RST, TCP, and UDP session tables are 5 seconds, 10 seconds, 240 seconds, and 40 seconds respectively. For the aging times of other session tables, refer to the Quidway ME60 Multiservice Control Gateway Command Reference.
NOTE
In general, you do not need to change the aging time of a session table.
----End
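The session-table behaviour described in "Stateful Firewall" and the aging times of this procedure, as an added Python model that is not Huawei code and not the ME60 implementation. It uses the guide's defaults (SYN 5 s, FIN-RST 10 s, TCP 240 s, UDP 40 s): a TCP session is opened only by a permitted SYN, a half-open session that receives no answer within the SYN aging time disappears, an established session is refreshed by every packet, and a session that has seen FIN or RST ages out quickly. The three TCP states and the rule that a SYN-ACK moves a session to the established state are simplifications of this model; the addresses and ports are constructed.

```python
"""Stateful session table with per-state aging, using the guide's default
aging times. Added illustration; the TCP state handling is a simplification
and not the ME60 implementation."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Defaults from the guide: SYN 5 s, FIN-RST 10 s, TCP (established) 240 s, UDP 40 s
DEFAULT_AGING = {"syn": 5, "fin-rst": 10, "tcp": 240, "udp": 40}

# (proto, src_ip, src_port, dst_ip, dst_port)
FlowKey = Tuple[str, str, int, str, int]


def reverse(key: FlowKey) -> FlowKey:
    proto, sip, sport, dip, dport = key
    return (proto, dip, dport, sip, sport)


@dataclass
class Session:
    state: str
    expires_at: float


class SessionTable:
    def __init__(self, aging: Optional[Dict[str, int]] = None):
        self.aging = dict(DEFAULT_AGING if aging is None else aging)
        self.sessions: Dict[FlowKey, Session] = {}  # keyed by the initiator's tuple

    def set_aging(self, state: str, seconds: int) -> None:
        self.aging[state] = seconds

    def purge(self, now: float) -> int:
        """Drop every session whose aging time has elapsed; return the count."""
        expired = [k for k, s in self.sessions.items() if s.expires_at <= now]
        for k in expired:
            del self.sessions[k]
        return len(expired)

    def _touch(self, key: FlowKey, state: str, now: float) -> None:
        self.sessions[key] = Session(state, now + self.aging[state])

    def _find(self, key: FlowKey, now: float) -> Optional[FlowKey]:
        self.purge(now)
        for candidate in (key, reverse(key)):
            if candidate in self.sessions:
                return candidate
        return None

    def process(self, key: FlowKey, now: float, flags: str = "",
                permitted: bool = True) -> bool:
        """Return True if the packet is forwarded.

        `permitted` is the ACL verdict for a packet that would open a new
        session; packets of an existing session pass without re-checking.
        """
        proto = key[0]
        found = self._find(key, now)
        if found is None:
            if not permitted:
                return False
            if proto == "tcp":
                if flags != "S":
                    return False  # a TCP session can only be opened by a SYN
                self._touch(key, "syn", now)
            else:
                self._touch(key, "udp", now)
            return True
        sess = self.sessions[found]
        if proto != "tcp":
            self._touch(found, "udp", now)
        elif "F" in flags or "R" in flags:
            self._touch(found, "fin-rst", now)  # closing: short aging time
        elif sess.state == "syn" and flags == "SA":
            self._touch(found, "tcp", now)  # handshake answered: established
        else:
            self._touch(found, sess.state, now)  # refresh in the current state
        return True

    def state_of(self, key: FlowKey) -> Optional[str]:
        for candidate in (key, reverse(key)):
            if candidate in self.sessions:
                return self.sessions[candidate].state
        return None
```

The `permitted` flag stands in for the interzone ACL verdict: the server's reply direction is normally not permitted to open sessions on its own, which is exactly why a SYN-ACK that arrives after the 5-second SYN aging time is dropped and the client has to retry.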
Action: Check the aging time of the firewall session table.
Command: display firewall session aging-time

Action: Check the aging time of the firewall session table.
Command: display firewall session table [ verbose ] [ source { inside | global } src-ip-address [ destination { inside | global } dest-ip-address ] ]
Pre-configuration Task
Before configuring ACL-based packet filtering, complete the following tasks:
• Installing the VSU
• (Optional) Configuring the VSU to Work as the SSU
• Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
• Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
• Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
Data Preparation
To configure ACL-based packet filtering, you need the following data.
1. Names of the two zones
2. ACL number
3. Direction in which the ACL is applied
Procedure
Step 1 Run:
system-view
ACL-based packet filtering is configured. You can configure ACL-based packet filtering in the interzone for the inbound and outbound packets. By default, ACL-based packet filtering is not configured in the interzone.
NOTE
• The time range configured in the ACL also applies to packet filtering.
• For an ACL configured for a VPN, you must configure the VPN instance name.
----End
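The zone, interzone and direction concepts from "Terms Related to the Firewall" and the direction-specific ACL packet filtering of this procedure, as an added Python model that is not Huawei code and not ME60 CLI syntax. It enforces what the guide states: zone priorities are unique and range from 1 to 200, at most 128 zones exist, inbound means lower to higher priority, data inside one zone is not checked, and an ACL is applied per direction of an interzone. Two behaviours are assumptions of this model rather than statements of the guide: a direction with no ACL passes traffic, and a packet that matches no rule passes. The zone names and addresses are constructed.

```python
"""Model of security zones, an interzone and direction-specific ACL packet
filtering. Added illustration only; not Huawei code and not the ME60 CLI."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Zone:
    name: str
    priority: int  # 1..200 and globally unique, as the guide requires


@dataclass
class AclRule:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: ipaddress.IPv4Address,
                dst_ip: ipaddress.IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def rule(action: str, src: str, dst: str) -> AclRule:
    return AclRule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


class Interzone:
    """Interzone between two zones; an ACL may be applied per direction."""

    def __init__(self, a: Zone, b: Zone):
        if a.priority == b.priority:
            raise ValueError("the two zones of an interzone must differ in priority")
        self.members = {a.name: a, b.name: b}
        # No ACL in either direction by default (the guide's default).
        self.acl: Dict[str, Optional[List[AclRule]]] = {"inbound": None, "outbound": None}

    @staticmethod
    def direction(src: Zone, dst: Zone) -> str:
        # inbound: lower priority -> higher priority; outbound: the reverse
        return "inbound" if src.priority < dst.priority else "outbound"

    def packet_filter(self, direction: str, rules: List[AclRule]) -> None:
        if direction not in self.acl:
            raise ValueError("direction must be 'inbound' or 'outbound'")
        self.acl[direction] = list(rules)

    def check(self, src: Zone, dst: Zone, src_ip: str, dst_ip: str) -> str:
        rules = self.acl[self.direction(src, dst)]
        if rules is None:
            return "permit"  # assumption of this model: no ACL, no filtering
        sip, dip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in rules:
            if r.matches(sip, dip):
                return r.action  # first matching rule wins
        return "permit"  # assumption of this model: unmatched packets pass


class Firewall:
    MAX_ZONES = 128  # the guide's limit

    def __init__(self):
        self.zones: Dict[str, Zone] = {}
        self.interzones: Dict[FrozenSet[str], Interzone] = {}

    def add_zone(self, name: str, priority: int) -> Zone:
        if not 1 <= priority <= 200:
            raise ValueError("zone priority ranges from 1 to 200")
        if any(z.priority == priority for z in self.zones.values()):
            raise ValueError("zone priority must be globally unique")
        if len(self.zones) >= self.MAX_ZONES:
            raise ValueError("up to 128 zones can be configured")
        zone = Zone(name, priority)
        self.zones[name] = zone
        return zone

    def interzone(self, a: str, b: str) -> Interzone:
        key = frozenset((a, b))
        if key not in self.interzones:
            self.interzones[key] = Interzone(self.zones[a], self.zones[b])
        return self.interzones[key]

    def check(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str) -> str:
        if src_zone == dst_zone:
            return "permit"  # traffic inside one zone is trusted and not checked
        iz = self.interzones.get(frozenset((src_zone, dst_zone)))
        if iz is None:
            raise LookupError("no interzone between %s and %s" % (src_zone, dst_zone))
        return iz.check(self.zones[src_zone], self.zones[dst_zone], src_ip, dst_ip)


def build_example() -> Firewall:
    """Constructed example: only the mail server is reachable from untrust."""
    fw = Firewall()
    fw.add_zone("trust", 100)
    fw.add_zone("untrust", 10)
    iz = fw.interzone("trust", "untrust")
    iz.packet_filter("inbound", [
        rule("permit", "0.0.0.0/0", "192.168.1.25/32"),
        rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
    ])
    return fw
```

Note that the inbound ACL closes with an explicit deny-all rule; with the model's assumed pass-through for unmatched packets, an ACL that lists only permits would filter nothing, which is the kind of gap worth checking when reviewing a real interzone configuration.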
Pre-configuration Task
Before configuring ASPF, complete the following tasks:
• Installing the VSU
• (Optional) Configuring the VSU to Work as the SSU
• Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
• Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
Data Preparation
To configure ASPF, you need the following data.
1. Names of the two zones
2. Type of the application protocol
3. (Optional) Aging time of the session table for each application layer protocol
Procedure
Step 1 Run:
system-view
The ASPF function is configured. The application protocols all require interaction of two parties, so the direction does not need to be configured. The ME60 checks the packets in the two directions. By default, ACL-based packet filtering is not configured in the interzone. ----End
The IP address that is added to the blacklist must belong to a zone (it may be a zone with low security). The firewall can then detect the attack from this IP address.
Pre-configuration Task
Before configuring the blacklist, complete the following tasks:
• Installing the VSU
• (Optional) Configuring the VSU to Work as the SSU
• Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
• Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
• Configuring attack defense if the auto blacklisting function is enabled (See chapter 5 "Attack Defense Configuration.")
Data Preparation
To configure the blacklist, you need the following data.
1. IP address to be added to the blacklist (the VPN instance can be included)
2. (Optional) Aging time of the blacklist entry
3. (Optional) Packet filtering type of the blacklist
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
A blacklist entry is added. By running this command, you can add entries to the blacklist manually. You can specify the IP address, aging time, and VPN instance when adding the entry. The aging time is the period during which the IP address remains effective after it is added to the blacklist; when the entry expires, the IP address is released from the blacklist. If no aging time is specified, the IP address remains in the blacklist.
NOTE
Blacklist entries without an aging time are written to the configuration file. Blacklist entries with an aging time are not written to the configuration file, but you can view them by using the display firewall blacklist item [ ip-address ] [ vpn-instance vpn-instance-name ] command.
An IP address can be added to the blacklist regardless of whether the blacklist is enabled. That is, you can add entries even when the blacklist is not enabled, but such entries are invalid and do not take effect. ----End
Procedure
Step 1 Run:
system-view
The packet filtering type of the blacklist is configured. Configuring packet filtering types helps to specify the types of packets that are filtered out in the blacklist, including ICMP, TCP, and UDP. By default, all types of packets matching the blacklist are filtered out. ----End
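The blacklist behaviour of this section, as an added Python model that is not Huawei code and not the ME60 implementation: entries are keyed by source IP address and optional VPN instance, an entry either ages out after its aging time or stays permanently, only permanent entries count as saved configuration, entries added while the blacklist is disabled have no effect, and the packet filtering type narrows which of ICMP, TCP and UDP are dropped (all three by default). Entries added by attack defense would go through the same `add` path; the addresses and times are constructed.

```python
"""Blacklist model: entries keyed by source IP address and optional VPN
instance, an optional aging time per entry, and a configurable set of
filtered packet types. Added illustration, not the ME60 implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ALL_TYPES = frozenset({"icmp", "tcp", "udp"})
Key = Tuple[str, Optional[str]]  # (ip address, vpn instance name or None)


@dataclass
class Entry:
    ip: str
    vpn_instance: Optional[str]
    expires_at: Optional[float]  # None: the entry never ages out


class Blacklist:
    def __init__(self) -> None:
        self.enabled = False
        self.filter_types: Set[str] = set(ALL_TYPES)  # default: every matching packet is dropped
        self.entries: Dict[Key, Entry] = {}

    def enable(self, on: bool = True) -> None:
        self.enabled = on

    def set_filter_types(self, types: Set[str]) -> None:
        unknown = set(types) - ALL_TYPES
        if unknown:
            raise ValueError("unsupported packet type(s): %s" % sorted(unknown))
        self.filter_types = set(types)

    def add(self, ip: str, now: float, aging: Optional[float] = None,
            vpn_instance: Optional[str] = None) -> None:
        """Add an entry. Allowed whether or not the blacklist is enabled;
        while it is disabled the entry simply has no effect."""
        expires = None if aging is None else now + aging
        self.entries[(ip, vpn_instance)] = Entry(ip, vpn_instance, expires)

    def purge(self, now: float) -> int:
        expired = [k for k, e in self.entries.items()
                   if e.expires_at is not None and e.expires_at <= now]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def items(self, now: float, ip: Optional[str] = None,
              vpn_instance: Optional[str] = None) -> List[Entry]:
        """Live entries, optionally narrowed by address and VPN instance
        (the same view the guide's blacklist display gives)."""
        self.purge(now)
        return [e for e in self.entries.values()
                if (ip is None or e.ip == ip)
                and (vpn_instance is None or e.vpn_instance == vpn_instance)]

    def saved_entries(self) -> List[Entry]:
        """Only entries without an aging time are written to the configuration file."""
        return [e for e in self.entries.values() if e.expires_at is None]

    def drop(self, src_ip: str, proto: str, now: float,
             vpn_instance: Optional[str] = None) -> bool:
        """True if a packet from src_ip of the given type is discarded."""
        if not self.enabled:
            return False  # entries may exist but are invalid until the blacklist is enabled
        self.purge(now)
        if (src_ip, vpn_instance) not in self.entries:
            return False
        return proto in self.filter_types
```

Because the VPN instance is part of the key, an address blacklisted in one VPN instance does not affect the same address in the global table, which is why the guide's data preparation lists the VPN instance alongside the address.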
the application layer such as ASPF. Port mapping applies to application protocols such as FTP, H.323, HTTP, RTSP, and SMTP. Port mapping is implemented on top of a basic ACL (numbered 2000 to 2999): a mapping takes effect only for packets that match an ACL rule. For port mapping, the ME60 compares the destination IP address of the packet with the IP address configured in the basic ACL rule.
NOTE
Port mapping is applied only to the data delivered in the interzone. Therefore, when configuring port mapping, you must configure the zones and interzone.
Pre-configuration Task
Before configuring port mapping, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
Data Preparation
To configure port mapping, you need the following data.
1. Type of application layer protocol
2. User-defined port to be mapped
3. Number of the basic ACL
Procedure
Step 1 Run:
system-view
Port mapping is configured. You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings, however, must be distinguished by the ACL. That is, packets matching different ACL rules use different mapping entries.
NOTE
Port mapping identifies the protocol type of packets destined for an IP address (such as the address of a WWW server). When writing the basic ACL rules, therefore, put the server's address in the source field of the rule: the ME60 compares the destination IP address of the packet with the source IP address defined in the ACL rule.
----End
Pre-configuration Task
Before configuring P2P traffic control, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
- Configuring the time range during which P2P traffic control takes effect (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
Data Preparation
To configure P2P traffic control, you need the following data.
1. Names of the two zones where P2P traffic control is configured
2. Number of the ACL used for P2P traffic control
3. Direction in which P2P traffic control is applied
4. CAR class, CAR value, and time range
5. (Optional) Maximum number of P2P sessions
Procedure
Step 1 Run:
system-view
P2P traffic control is enabled. Before configuring the P2P traffic control function, you must enable this function. After you run this command, P2P traffic control is enabled globally and in the interzone. By default, P2P traffic control is disabled. ----End
Procedure
Step 1 Run:
system-view
The CAR table is configured. Before configuring the P2P traffic control function, you must configure a CAR table; the table is referenced when P2P traffic control is applied in an interzone or to the entire system. Up to 1024 classes can be configured in a CAR table. Each class has a default CAR and CARs for up to five time ranges; the default CAR is used when the current time falls in none of the configured time ranges. By default, the CAR table contains no CAR classes. ----End
Procedure
Step 1 Run:
system-view
P2P traffic control is configured. Within an interzone, the P2P traffic control can be configured for inbound and outbound traffic respectively. By default, the P2P bandwidth control is not configured in an interzone.
NOTE
The time range configured in ACL is also applicable to P2P traffic control.
----End
Procedure
Step 1 Run:
system-view
The maximum number of P2P sessions is set. The global P2P traffic control takes effect on all the P2P sessions. The global P2P bandwidth control allows you to set the CAR classes and limit on the total number of P2P sessions. By default, global P2P bandwidth control is not configured. ----End
Pre-configuration Task
Before configuring the firewall log, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
Data Preparation
To configure the firewall log, you need the following data.
1. Type of the firewall log
2. IP address and port number of the log host, and the IP address and port number that the ME60 uses to communicate with the log host (for the session log)
3. Conditions under which the session information is logged, including the ACL number and the direction (for the session log)
4. (Optional) Interval for exporting the defense log or statistics log
Procedure
Step 1 Run:
system-view
Step 2 Run:
firewall log { all | blacklist | defend | session | statistics } enable
The firewall log is enabled. If you use the all keyword in the command, all the firewall logs are enabled. You can also choose to enable logs one type after another. By default, no firewall log is enabled. ----End
Procedure
Step 1 Run:
system-view
Conditions for generating the session logs are configured. The session log is exported to a log host in real time, so the log host must be configured first: specify the IP address and port number of the log host and the IP address and port number that the ME60 uses to communicate with it. An ACL referenced in the interzone view selects the sessions for which a session log is recorded, and the condition is configured separately for the inbound and outbound directions. By default, no log host is configured and the interzone has no conditions for generating session logs. ----End
Procedure
Step 1 Run:
system-view
The output interval of the defense log or statistics log is set. The output interval, in seconds, is the interval at which these logs are exported. The session log is exported to the log host in real time and the blacklist log is exported to the information center in real time, so no output interval applies to those two; the interval is set only for the defense log and the statistics log. By default, the output interval for each of the two logs is 30 seconds. ----End
A host (202.39.2.3) in the external network is allowed to access the server in the internal network. Other hosts are not allowed to access the server in the internal network.
Figure 2-1 Networking diagram: ME60 with GE1/0/0 129.38.1.1/24 toward the internal network (Telnet server 129.38.1.3) and GE2/0/0 202.38.160.1/16 toward the WAN (PC 202.39.2.3)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Add the interfaces to the zones.
4. Configure ACLs.
5. Configure ACL-based packet filtering in the interzone view.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces and servers, as shown in Figure 2-1
- Network security priorities, 100 for the internal network and 1 for the external network
- Number of the ACLs that filter the outbound and inbound packets, ACL 3101 for the outbound packets and ACL 3102 for the inbound packets
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2.
3.
4.
5.
Configure ACLs.
[Quidway] acl 3102
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Quidway-acl-adv-3102] rule deny ip
[Quidway-acl-adv-3102] quit
6.
Configuration Files
#
 sysname Quidway
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 129.38.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 202.38.160.1 255.255.0.0
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 3102 inbound
#
return
Figure 2-2 Networking diagram: ME60 with GE1/0/0 129.38.1.1/24 toward the internal network (Telnet server 129.38.1.3) and GE2/0/0 202.38.160.1/16 toward the WAN (PC 202.39.2.3)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Add the interfaces to the zones.
4. Configure ACLs.
5. Configure ACL-based packet filtering in the interzone view.
6. Configure ASPF in the interzone.
7. Map port 2121 to the FTP protocol.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces and servers, as shown in Figure 2-2
- Network security priorities, 100 for the internal network and 1 for the external network
- Number of the ACL that filters the inbound data: 3102
- Number of the ACL required in port mapping: 2102
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2.
3.
4.
5.
Configure ACLs.
[Quidway] acl 2102
[Quidway-acl-basic-2102] rule permit source 129.38.1.2 0.0.0.0
[Quidway-acl-basic-2102] quit
[Quidway] acl 3102
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Quidway-acl-adv-3102] rule deny ip
[Quidway-acl-adv-3102] quit
6.
7.
Configure ASPF.
[Quidway-interzone-zone1-zone2] detect ftp
[Quidway-interzone-zone1-zone2] quit
8.
Configuration Files
#
 sysname Quidway
#
acl number 2102
 rule 5 permit source 129.38.1.2 0
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 129.38.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 202.38.160.1 255.255.0.0
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 3102 inbound
 detect ftp
#
port-mapping ftp port 2121 acl 2102
#
return
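The two examples above rely on ACL wildcard matching, first-match rule order, and the port-mapping rule that the packet's destination address is matched against the ACL's source field. The following Python model, added here as an illustration and not code from the ME60 guide or from Huawei, reproduces those semantics for ACL 3102, ACL 2102 and the ftp/2121 port mapping configured above, and also checks the basic ACL 2101 that the NAT example in chapter 3 uses (a /24 permit inside a /16 deny). Rule numbering in steps of 5, the "no rule matched" result, the precedence of port mapping over the default port table and that table itself are this model's assumptions; what the interzone does with a packet that matches no ACL rule is not described in this section.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "source any" / "destination any": every wildcard bit set, nothing has to match
ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    'don't care' (the inverse of a netmask). 0.0.0.0 means exactly this host,
    0.0.0.255 means any host in the /24."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    protocol: str          # "tcp", "udp", "icmp" (or "ip" for an address-only check)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    number: int
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches every protocol
    source: Tuple[str, str]
    destination: Tuple[str, str]


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    @property
    def is_basic(self) -> bool:
        return 2000 <= self.number <= 2999

    def rule(self, action: str, protocol: str = "ip",
             source: Tuple[str, str] = ANY, destination: Tuple[str, str] = ANY) -> int:
        if self.is_basic and (protocol != "ip" or destination != ANY):
            raise ValueError("a basic ACL (2000-2999) matches on the source address only")
        number = (len(self.rules) + 1) * 5      # rule 5, rule 10, ... as in the config files
        self.rules.append(Rule(number, action, protocol, source, destination))
        return number

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """First matching rule wins. None means no rule matched; the examples above
        avoid that case by ending the ACL with 'rule deny ip'."""
        for r in self.rules:
            if r.protocol not in ("ip", pkt.protocol):
                continue
            if wildcard_match(pkt.src, *r.source) and wildcard_match(pkt.dst, *r.destination):
                return r.action
        return None

    def permits_address(self, addr: str) -> bool:
        """Check one address against the source field only (basic ACL use)."""
        return self.evaluate(Packet("ip", addr, "0.0.0.0")) == "permit"


@dataclass
class PortMapping:
    protocol: str          # application protocol the port is mapped to, e.g. "ftp"
    port: int              # user-defined port, e.g. 2121
    acl: Acl               # basic ACL naming the servers the mapping applies to


# Assumed default port table for the protocols the section lists (not from the guide).
WELL_KNOWN = {21: "ftp", 25: "smtp", 80: "http", 554: "rtsp", 1720: "h323"}


def identify_protocol(mappings: List[PortMapping], pkt: Packet) -> Optional[str]:
    """Port mapping is consulted before the default port table (model's choice).
    The packet's *destination* address is matched against the *source* field of
    the basic ACL, which is why the ACL names the server rather than the client."""
    for m in mappings:
        if pkt.dport == m.port and m.acl.permits_address(pkt.dst):
            return m.protocol
    return WELL_KNOWN.get(pkt.dport)


def build_examples():
    """ACL 2102, ACL 3102 and the port mapping from the configuration files above,
    plus the basic ACL 2101 used by the NAT example in chapter 3."""
    acl2101 = Acl(2101)
    acl2101.rule("permit", source=("10.110.10.0", "0.0.0.255"))
    acl2101.rule("deny", source=("10.110.0.0", "0.0.255.255"))
    acl2102 = Acl(2102)
    acl2102.rule("permit", source=("129.38.1.2", "0.0.0.0"))
    acl3102 = Acl(3102)
    for server in ("129.38.1.2", "129.38.1.3", "129.38.1.4"):
        acl3102.rule("permit", "tcp", ("202.39.2.3", "0.0.0.0"), (server, "0.0.0.0"))
    acl3102.rule("deny")                                  # rule 20 deny ip
    return acl2101, acl2102, acl3102, [PortMapping("ftp", 2121, acl2102)]


if __name__ == "__main__":
    acl2101, acl2102, acl3102, maps = build_examples()
    print(acl3102.evaluate(Packet("tcp", "202.39.2.3", "129.38.1.3", 40000, 23)))   # permit
    print(identify_protocol(maps, Packet("tcp", "202.39.2.3", "129.38.1.2", 40000, 2121)))  # ftp
```

Two checks worth keeping in mind when reviewing such ACLs: a wildcard of 0.0.0.255 is a /24, not a single host, so a typo in the wildcard widens the permit silently; and because port mapping is keyed on the server address in the ACL's source field, a mapping written with the client's address in that field never fires and the FTP data channel on port 2121 is not tracked by ASPF.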
In addition, if the firewall detects that IP address 202.39.1.2 attacks the enterprise network more than once, you can add the IP address to the blacklist manually. Entries added manually without an aging time stay in the blacklist until they are removed.

Figure 2-3 Networking of blacklist configuration: ME60 with GE1/0/0 1.1.0.1/16 toward the enterprise network (server 1.1.0.2) and GE2/0/0 2.2.0.1/16 toward the Internet
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Configure ACLs.
4. Configure packet filtering.
5. Add the interfaces to the zones.
6. Configure the parameters for preventing the attack of IP address sweeping.
7. Add blacklist entries manually.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces and servers, as shown in Figure 2-3
- Network security priorities, 100 for the internal network and 1 for the external network
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2.
3.
4.
Configure ACLs.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source any
[Quidway-acl-basic-2000] quit
5.
6.
7.
8.
Configuration Files
#
 sysname Quidway
#
acl number 2000
 rule 5 permit source any
#
firewall blacklist enable
firewall blacklist item 202.39.1.2
#
firewall defend ip-sweep enable
firewall defend ip-sweep max-rate 5000
firewall defend ip-sweep blacklist-timeout 30
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
3 NAT Configuration

About This Chapter
This chapter describes the concept, fundamentals, configuration, and maintenance of NAT.
3.1 Introduction: This section describes the concept and fundamentals of NAT.
3.2 Configuring NAT: This section describes how to configure the NAT function.
3.3 Configuration Examples: This section provides a configuration example of NAT.
3.1 Introduction
This section describes the concept and fundamentals of NAT.
3.1.1 NAT Overview
3.1.2 NAT Types
3.1.3 Advantages and Disadvantages of NAT
3.1.4 Many-to-Many NAT and Address Pool
3.1.5 Internal Server
3.1.6 References
After planning the size of the intranet, an enterprise chooses an appropriate private address segment for it. The private address segments of different enterprises may overlap, because private addresses are not routed on the Internet. If an intranet uses addresses outside the defined private segments, they may collide with public addresses and communication errors may occur.
Rationale of NAT
As shown in Figure 3-1, the network address must be translated when a host on the internal network accesses the Internet or interworks with hosts on a public network.

Figure 3-1 Networking diagram: ME60 (GE1/0/0) between the internal network and the Internet
The internal network uses network segment 10.0.0.0 and its public IP address is 203.196.3.23. Internal host 10.1.1.48 accesses external server 202.18.245.251 over HTTP (WWW). The host sends a packet with source port 6084 and destination port 80. After translation, the source address/port of the packet is 203.196.3.23:32814, while the destination address/port is unchanged. The router keeps a table of address-port mappings. When the WWW server responds, the router translates the destination IP address/port of the returned packet back to 10.1.1.48:6084. In this way, the internal host reaches the external server.
Static NAT
Static NAT maps each private address to one public address, so the number of public addresses equals the number of private addresses. Static NAT does not conserve public addresses, but it hides the internal addressing. When an internal host sends a packet to an external network, static NAT translates the source IP address of the packet into the public address. When the external network returns a response, static NAT translates the destination IP address of the response back into the private address.
PAT
PAT, also called network address port translation (NAPT), maps multiple private addresses to one public address and therefore conserves public addresses. PAT translates the source IP address of packets from hosts on the private network into a public address and gives each flow a distinct translated port, so the private hosts can share a single public address.
PAT keeps a table that maps each private address and port to a public port. When the PAT device receives a packet bound for the external network, it replaces the source address with the public address and the source port with the port recorded in the table for that private address and port; packets from different private hosts thus share the public address but carry different ports. When the external network returns response packets, the destination address and port are translated back to the private address and port according to the port number. Figure 3-2 shows the scheme.

Figure 3-2 Schematic diagram of PAT (ME60 between hosts 192.168.1.2 and 192.168.1.3 and the Internet)
Datagram   Private source (before PAT)   Public source (after PAT)
1          192.168.1.3:23                202.169.10.1:10023
2          192.168.1.3:80                202.169.10.1:10080
3          192.168.1.2:23                202.169.10.1:11023
4          192.168.1.2:80                202.169.10.1:11080
The disadvantages of NAT are as follows:
- Because NAT rewrites addresses in packets, the IP header fields it modifies cannot be encrypted or integrity-protected end to end.
- Because the addresses of hosts are hidden, a source address seen on the outside cannot be traced back to a host without the translation records. This hinders network debugging.
When all the hosts on the internal network access the external network at the same time, they share an external address. If too many hosts attempt to access the external network, it is difficult to perform NAT. To solve this problem, a private network needs multiple public addresses. In this case, a public address pool is required for the many-to-many NAT. A public address pool is a set of valid public addresses. You can configure the public address pool based on the number of public IP addresses and internal hosts. When an internal host accesses an external network, the ME60 selects an IP address from the public address pool as the source address of the packets.
3.1.6 References
For more information about NAT, refer to the following document: RFC 1631: The IP Network Address Translator (NAT)
Pre-configuration Task
Before configuring NAT, complete the following tasks:
- Installing the VSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
Data Preparation
To configure NAT, you need the following data.
1. Number of the public address pool, start IP address, and end IP address
2. Number of the basic ACL or advanced ACL
3. (Optional) Information about the internal server, including the protocol type, external address, external port number, internal address (the VPN instance may be included), and internal port number
Procedure
Step 1 Run:
system-view
Step 2 Run:
set lpu-work-mode ssu slot slot-id
- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is already configured properly, you need not configure it again.
----End
CAUTION
When configuring a NAT address pool, ensure that the IP addresses do not conflict with the existing addresses of the device, including the interface addresses or address segment, gateway IP addresses or IP address segment, and the IP address of the internal NAT server.
Procedure
Step 1 Run:
system-view
The NAT address pool is configured. A NAT address pool is a set of public addresses. When NAT is performed on the internal data packets, the ME60 selects an IP address from the address pool as the source address. The NAT address pools are numbered with numerals. Up to 128 address pools can be configured. You can specify one or more public addresses in a NAT address pool. When start-address is the same as end-address, it indicates that only one public address is contained in the address pool. By default, no NAT address pool is configured on the ME60. ----End
Procedure
Step 1 Run:
system-view
NAT is configured. When configuring NAT in an interzone, you need to specify the ACL and the public address pool. The address of a packet is translated only when the packet matches the specified ACL and the behavior defined by the ACL is permit. If the behavior is deny, the packets are discarded. If the no-pat keyword is specified in the command, it indicates that the static NAT is used. That is, the one-to-one translation is performed on private and public addresses. By default, PAT is used, because it can save public addresses. By default, NAT is not configured in the interzone. ----End
CAUTION
- When configuring the internal NAT server, ensure that global-address and host-address do not conflict with the existing addresses of the device, including the interface addresses or address segments, gateway IP addresses or IP address segments, and the IP addresses in the NAT address pool.
- Zones must be configured at the user side and at the internal server side. In the interzone, enable the firewall by running the firewall enable command.
Procedure
Step 1 Run:
system-view
The internal NAT server is configured. After the internal server is configured, external networks can access the servers on the internal network. When an external host sends an access request to the public address (global-address) of the internal NAT server, the NAT server translates the destination address of the request into a private address (host-address). The request is then forwarded to the server on the internal network. The internal NAT server is valid for all zones. It cannot be an address in the local address pool. If multiple private networks share an internal server address, you need to configure VPN instances to distinguish them. By default, no internal NAT server is configured on the ME60. ----End
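As an added illustration of the address pool, PAT, static (no-pat) NAT and internal-server behaviour described in 3.1 and in the procedures above (example code, not from the ME60 guide or from Huawei), the following Python model translates the Figure 3-1 flow (10.1.1.48:6084 to 202.18.245.251:80 through 203.196.3.23), shows two hosts using the same source port receiving different public ports as in Figure 3-2, assigns one pool address per host in no-pat mode, and maps an external request for a global address to the internal server. The port allocation scheme, the use of the first pool address for PAT, the overlap check for the CAUTION above and the sample addresses are this model's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: Endpoint
    dst: Endpoint


class AddressGroup:
    """'nat address-group N start end': a contiguous set of public addresses."""

    def __init__(self, start: str, end: str) -> None:
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if e < s:
            raise ValueError("end address precedes start address")
        self.addresses = [str(ipaddress.IPv4Address(i)) for i in range(int(s), int(e) + 1)]

    def overlap(self, reserved: Set[str]) -> Set[str]:
        """Pool addresses colliding with interface, gateway or internal-server
        addresses; the CAUTION above requires this to be empty."""
        return set(self.addresses) & reserved


class Nat:
    """Outbound translation with PAT (the default) or one-to-one static NAT
    ('no-pat'), plus internal-server (destination) translation."""

    FIRST_PORT = 10000   # model's choice; the guide only shows that ports differ per host

    def __init__(self, group: AddressGroup, no_pat: bool = False) -> None:
        self.group, self.no_pat = group, no_pat
        self.forward: Dict[Tuple[str, Endpoint], Endpoint] = {}   # (proto, private) -> public
        self.reverse: Dict[Tuple[str, Endpoint], Endpoint] = {}   # (proto, public) -> private
        self.static: Dict[str, str] = {}                           # private ip -> public ip (no-pat)
        self.servers: Dict[Tuple[str, Endpoint], Endpoint] = {}   # (proto, global) -> inside
        self.next_port = {ip: self.FIRST_PORT for ip in group.addresses}

    def server(self, protocol: str, global_ep: Endpoint, inside_ep: Endpoint) -> None:
        """'nat server protocol tcp global G gport inside I iport'."""
        self.servers[(protocol, global_ep)] = inside_ep

    def _allocate(self, src: Endpoint) -> Endpoint:
        if self.no_pat:
            # static NAT: one public address per private address, port unchanged
            if src.ip not in self.static:
                used = set(self.static.values())
                free = [a for a in self.group.addresses if a not in used]
                if not free:
                    raise RuntimeError("address pool exhausted")
                self.static[src.ip] = free[0]
            return Endpoint(self.static[src.ip], src.port)
        # PAT: flows share the first pool address and each gets its own public port
        ip = self.group.addresses[0]
        port = self.next_port[ip]
        self.next_port[ip] += 1
        return Endpoint(ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host -> external network: translate the source."""
        key = (pkt.protocol, pkt.src)
        if key not in self.forward:
            public = self._allocate(pkt.src)
            self.forward[key] = public
            self.reverse[(pkt.protocol, public)] = pkt.src
        return Packet(pkt.protocol, self.forward[key], pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """External network -> public address: a reply to a translated flow or a
        request for an internal server. Anything else has no mapping and is not
        delivered to the internal network."""
        key = (pkt.protocol, pkt.dst)
        if key in self.reverse:
            return Packet(pkt.protocol, pkt.src, self.reverse[key])
        if key in self.servers:
            return Packet(pkt.protocol, pkt.src, self.servers[key])
        return None


def figure_3_1_walkthrough() -> Tuple[Packet, Optional[Packet]]:
    """Host 10.1.1.48:6084 -> 202.18.245.251:80 through the single public address
    203.196.3.23, and the server's reply on the way back."""
    nat = Nat(AddressGroup("203.196.3.23", "203.196.3.23"))
    request = Packet("tcp", Endpoint("10.1.1.48", 6084), Endpoint("202.18.245.251", 80))
    translated = nat.outbound(request)
    reply = Packet("tcp", translated.dst, translated.src)
    return translated, nat.inbound(reply)
```

The inbound path is where the security property lives: an unsolicited packet to a public address that is neither an active mapping nor a configured internal server has nowhere to go, so only the servers deliberately published with nat server are reachable from outside.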
Figure 3-3 Networking diagram: ME60 between the internal networks and the Internet
Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of the interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure ACLs.
- Configure the public address pool.
- Configure ACL-based packet filtering in the interzone view.
- Configure NAT in the interzone.
- Configure the internal NAT server.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces and servers, as shown in Figure 3-3
- Security priorities of the three zones, 100 for the staff zone, 60 for the server zone, and 20 for the zone representing external networks
- Number of the ACL used for filtering outbound packets and NAT: 2101
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 192.168.20.1 255.255.255.0
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] interface gigabitethernet 3/0/0
[Quidway-GigabitEthernet3/0/0] ip address 202.169.10.1 255.255.0.0
[Quidway-GigabitEthernet3/0/0] quit
3.
4.
5.
Configure an ACL.
[Quidway] acl 2101
[Quidway-acl-basic-2101] rule permit source 10.110.10.0 0.0.0.255
[Quidway-acl-basic-2101] rule deny source 10.110.0.0 0.0.255.255
[Quidway-acl-basic-2101] quit
6. 7.
8.
Configuration Files
#
 sysname Quidway
#
acl number 2101
 rule 5 permit source 10.110.10.0 0.0.0.255
 rule 10 deny source 10.110.0.0 0.0.255.255
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 60
#
firewall zone zone3
 priority 20
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 10.110.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 zone zone3
 undo shutdown
 ip address 202.169.10.1 255.255.0.0
#
nat address-group 1 202.169.10.2 202.169.10.6
nat server protocol tcp global 202.169.10.3 8080 inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.2 ftp inside 192.168.20.3 ftp
#
port-mapping http port 8080 acl 2101
#
firewall interzone zone1 zone2
 firewall enable
 detect ftp
#
firewall interzone zone1 zone3
 firewall enable
 packet-filter 2101 outbound
 nat outbound 2101 address-group 1
 detect ftp
#
firewall interzone zone2 zone3
 firewall enable
 detect ftp
#
return
4.1 Introduction
This section describes the concept and rationale of traffic statistics and monitoring.

A firewall not only monitors data traffic but also detects the setup of sessions between internal and external networks, generates statistics, and analyzes the data. The logs can be analyzed afterwards with dedicated software, and the firewall itself has analysis functions that work on the data in real time.

By checking whether the number of TCP/UDP sessions initiated from external networks to the internal network exceeds a threshold, the firewall decides whether to restrict new sessions from external networks to the internal network or to an individual IP address in the internal network. If the number of sessions in the system exceeds the threshold, the firewall ages sessions faster so that new sessions can still be set up. In this way, a DoS attack is mitigated when the system is overloaded.

Figure 4-1 shows an application of the firewall. The IP address-based statistics function is enabled for packets from external networks to the internal network. If the number of TCP sessions initiated by external networks to Web server 129.9.0.1 exceeds the threshold, the ME60 forbids external networks to initiate new sessions until the number of sessions drops below the threshold.

Figure 4-1 Limiting the number of sessions initiated by external server (ME60 between the Internet and the internal network, with TCP connections initiated from the Internet)
On the ME60, traffic statistics and monitoring can be configured in the system view.
Pre-configuration Task
Before configuring system-level traffic statistics and monitoring, complete the following tasks:
- Installing the VSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")
Data Preparation
To configure system-level traffic statistics and monitoring, you need the following data.
1. Type of sessions to be counted, namely TCP, UDP, ICMP, or TCP proxy
2. Session threshold
Procedure
Step 1 Run:
system-view
- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is already configured properly, you need not configure it again.
----End
Procedure
Step 1 Run:
system-view
The default master SSU is configured. The ME60 can be equipped with multiple SSUs: one is the master board and the others are slave boards. If the default master SSU is not specified, the ME60 selects the SSU that registered first as the master. By default, the master SSU is not specified. ----End
Procedure
Step 1 Run:
system-view
System-level traffic statistics and monitoring is enabled. By default, the traffic statistics and monitoring function is enabled on the ME60. ----End
Procedure
Step 1 Run:
system-view
The session threshold is set. For the system-level traffic statistics function, you can set the threshold for each type of session. For example, you can set the threshold for TCP sessions to 500000. In this case, when the number of TCP sessions in all interzones exceeds 500000, the ME60 denies new TCP sessions in all the interzones and reports an alarm to the information center. If traffic volume falls below 75% of the threshold, the ME60 generates the recovery log and sends the log to the information center. By default, the threshold for ICMP sessions is 20480, the thresholds for TCP and UDP sessions are both 500000, and the threshold for TCP-Proxy sessions is 250000. ----End
Pre-configuration Task
Before configuring zone-based traffic statistics and monitoring, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")
Data Preparation
To configure zone-based traffic statistics and monitoring, you need the following data.
1. Type of sessions to be monit
ored, namely TCP or UDP
2. Direction of traffic statistics and monitoring
3. Session threshold
Procedure
Step 1 Run:
system-view
Step 2 Run:
firewall zone zone-name
Traffic statistics and monitoring is enabled in the zone. By default, traffic statistics and monitoring function is disabled in the zones. ----End
Procedure
Step 1 Run:
system-view
The session threshold is set in the zone. You can configure the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold for inbound TCP sessions to 500000. In this case, when the number of TCP sessions initiated by this zone exceeds 500000, the ME60 denies new TCP sessions from this zone. By default, the thresholds for inbound and outbound TCP and UDP sessions are both 500000. ----End
Pre-configuration Task
Before configuring IP address-based traffic statistics and monitoring, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")
Data Preparation
To configure IP address-based traffic statistics and monitoring, you need the following data.
1. Type of sessions to be monitored, namely TCP or UDP
2. Direction of traffic statistics and monitoring
3. Session threshold
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
IP address-based traffic statistics and monitoring is enabled in the zone. By default, traffic statistics and monitoring function is disabled in the zones. ----End
Procedure
Step 1 Run:
system-view
The session threshold is set for IP address-based traffic statistics and monitoring. You can configure the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold for inbound TCP sessions to 10000. In this case, when the number of TCP sessions initiated from an IP address exceeds 10000, the ME60 denies new TCP sessions from this IP address. By default, the thresholds for inbound and outbound TCP and UDP sessions are both 10240. ----End
Figure (networking diagram): ME60 with interfaces GE1/0/1 20.10.10.1/24 and GE2/0/1 10.10.10.1/24, connected to the Internet and a WEB server.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of the interfaces.
- Enable system-level traffic statistics and monitoring.
- Set the session threshold.
Data Preparation
To complete the configuration, you need the following data:
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
Configuration Files
#
 sysname Quidway
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 20.10.10.1 255.255.255.0
#
interface GigabitEthernet2/0/1
 undo shutdown
 ip address 10.10.10.1 255.255.255.0
#
 firewall statistics system enable
 firewall statistics system session tcp 40000
 firewall statistics system session udp 40000
#
Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of the interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure an ACL.
- Configure zone-based traffic statistics and monitoring.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 4-3
- Network security priorities, 100 for the internal network and 1 for the external network
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
Configuration Files
#
 sysname Quidway
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
firewall zone zone1
 priority 100
 statistics zone enable inzone
 statistics zone session inzone tcp 50000
 statistics zone session inzone udp 50000
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
#
return
Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of the interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure an ACL.
- Configure zone-based traffic statistics and monitoring.
- Configure IP address-based traffic statistics and monitoring.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 4-4
- Network security priorities, 100 for the internal network and 1 for the external network
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
Configuration Files
#
 sysname Quidway
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
firewall zone zone1
 priority 100
 statistics zone enable inzone
 statistics zone session inzone tcp 50000
 statistics zone session inzone udp 50000
 statistics ip session inzone tcp 1000
 statistics ip session inzone udp 1000
 statistics ip enable inzone
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
#
return
5
About This Chapter
This chapter describes the fundamentals, configuration, and maintenance of attack defense.
5.1 Introduction
This section describes the concept and fundamentals of attack defense.
5.2 Configuring Attack Defense
This section describes how to configure the attack defense function.
5.3 Configuration Examples
This section provides several configuration examples of attack defense.
5.1 Introduction
This section describes the concept and fundamentals of attack defense. A network attack interrupts services, or compromises servers or hosts on the network in order to illegally obtain sensitive data. Certain network attacks also damage the network equipment directly, and such attacks may lead to service interruption. With the attack defense feature, the ME60 firewall can detect various network attacks and protect the intranet against malicious attacks, so that the intranet and the system can run properly.
5.1.1 Type of Network Attacks
5.1.2 Typical Attacks
DoS Attack
A denial of service (DoS) attack overwhelms a system with a large number of data packets. This prevents the system from receiving requests from authorized users or suspends the host. Typical DoS attacks are SYN flood and Fraggle. Unlike other attacks, DoS attackers prevent authorized users from accessing resources or routers instead of searching for an entry point into the intranet.
Smurf Attack
A simple Smurf attack targets a network. The attacker sends an ICMP request to the broadcast address of the network. All the hosts on the network then respond to the request and the network is congested. The traffic caused by a Smurf attack is one or two orders of magnitude higher than the traffic caused by a ping with large packets. An advanced Smurf attack targets hosts. The attacker changes the source address of an ICMP request to the IP address of the target host, and the host then stops responding. The attack occurs only when the traffic of the attack packets is large enough. Theoretically, the more hosts there are on the network, the more effective the attack is. The Fraggle attack is another form of the Smurf attack.
WinNuke Attack
A WinNuke attack involves sending an out-of-band (OOB) data packet to the NetBIOS port (139) of a target host running the Windows operating system. The NetBIOS fragments then overlap and the host stops responding. A fragmented Internet Group Management Protocol (IGMP) packet can also damage the target host, because IGMP packets usually cannot be fragmented. An attack occurs when a host receives such a fragmented IGMP packet.
Teardrop Attack
The More Fragment (MF) bit, offset field, and length field in an IP packet indicate the segment of the original packet contained in this fragment. Some systems running TCP/IP may stop running when receiving a forged segment containing an overlap offset. The Teardrop attack uses the flaw of some systems that do not check the validity of fragment information.
Fraggle Attack
After receiving UDP packets, port 7 (ECHO) and port 19 (Chargen) return responses. Port 7 responds to the received packets with ICMP Echo Reply, whereas port 19 responds with a generated character string. Similar to the large ICMP packet attack, the two UDP ports generate many useless response packets, which occupy the network bandwidth. The attacker sends a UDP packet to the destination network. The source address of the UDP packet is the IP address of the host to be attacked, and its destination address is the broadcast address or network address of the host's subnet. The destination port number of the packet is 7 or 19. All the systems with this service enabled then return packets to the target host. The resulting high traffic volume blocks the network, or the host stops responding. In addition, the systems without this service generate ICMP-unreachable messages, which also consume bandwidth. If the source port is changed to Chargen and the destination port to ECHO, the systems generate response packets continuously and cause more serious damage.
IP-Fragment Attack
In an IP packet, some fields are related to the flag bits and fragmentation, including Fragment Offset, Length, Don't Fragment (DF), and More Fragment (MF). If these fields conflict and the conflict is not handled appropriately, the equipment may stop running. The fields conflict in the following cases:
- DF is set, and MF is also set or the value of Fragment Offset is not 0.
- DF is 0, but the sum of Fragment Offset and Length is larger than 65535.
Fragmented packets increase the caching and reassembly load on the destination equipment. Thus, fragmented packets whose destination address is the equipment's own address should be discarded directly.
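The two conflict cases above, as an added Python example that is not part of the Huawei guide: it reads the fixed IPv4 header from raw bytes, checks the DF/MF/offset/length combinations the text lists, and classifies a packet as pass or drop. The make_header helper and the sample packets are constructed for the demonstration (checksum left at zero).

```python
import struct

# Bit layout of the 16-bit IPv4 "flags + fragment offset" field.
DF_FLAG = 0x4000
MF_FLAG = 0x2000
OFFSET_MASK = 0x1FFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Extract the fields that matter for the fragment checks from the fixed 20-byte header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, _tos, total_length, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "total_length": total_length,
        "df": bool(flags_frag & DF_FLAG),
        "mf": bool(flags_frag & MF_FLAG),
        "offset": (flags_frag & OFFSET_MASK) * 8,  # the offset field counts 8-byte units
    }


def fragment_conflicts(hdr: dict) -> list:
    """Return the conflicts described in the guide; an empty list means the fields are consistent."""
    problems = []
    # Case 1: DF set together with MF set or a non-zero fragment offset.
    if hdr["df"] and (hdr["mf"] or hdr["offset"] != 0):
        problems.append("DF set with MF set or non-zero offset")
    # Case 2: DF clear and offset + length beyond the 65535-byte maximum datagram size.
    if not hdr["df"] and hdr["offset"] + hdr["total_length"] > 65535:
        problems.append("offset + length exceeds 65535")
    return problems


def make_header(total_length: int, df: bool, mf: bool, offset_units: int) -> bytes:
    """Constructed 20-byte IPv4 header (UDP payload, TTL 64, checksum 0) for test packets."""
    flags_frag = (DF_FLAG if df else 0) | (MF_FLAG if mf else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 1, flags_frag,
                       64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


# Constructed sample packets: one ordinary middle fragment and one packet per conflict case.
SAMPLES = {
    "normal_fragment": make_header(1500, df=False, mf=True, offset_units=185),
    "df_and_mf": make_header(1500, df=True, mf=True, offset_units=0),
    "df_and_offset": make_header(1500, df=True, mf=False, offset_units=10),
    "oversize_reassembly": make_header(1500, df=False, mf=False, offset_units=8100),
}


def classify(packet: bytes) -> str:
    """'drop' for a fragment with conflicting fields, 'pass' otherwise."""
    return "drop" if fragment_conflicts(parse_ipv4_header(packet)) else "pass"
```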
Tracert Attack
A Tracert attack traces the path by using the ICMP timeout packets returned when the Time To Live (TTL) value reaches 0 and the ICMP port-unreachable packet. In this way, the attacker probes the network architecture.
Pre-configuration Task
Before configuring attack defense, complete the following tasks:
- Installing the VSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")
- Configuring zone-based or IP address-based traffic statistics and monitoring for Flood attack and scanning attack defense, because detecting Flood and scanning attacks needs the session statistics (See chapter 4 "Traffic Statistics and Monitoring.")
Data Preparation
To configure attack defense, you need the following data.
1. Attack type, a specified type or all types
2. Zones or IP addresses (the VPN instance may be included) to be protected against Flood attacks (ICMP Flood, SYN Flood, and UDP Flood), and the maximum session rate
3. Enabling mode of TCP proxy to prevent SYN Flood attack: always enabled, always disabled, or auto enabled (that is, enabled when the session rate exceeds the threshold)
4. Timeout of blacklist and maximum rate to prevent scanning attacks (IP address sweeping and port scanning)
5. Maximum packet length to prevent large ICMP packet attack
Procedure
Step 1 Run:
system-view
- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure the operation mode again.
----End
Steps 2-19 are optional and can be performed in any sequence. You can select these steps to defend different types of attacks.
Procedure
Step 1 Run:
system-view
Step 2 Run:
firewall defend all enable
The WinNuke attack defense is enabled. By default, attack defense is not enabled on the ME60. ----End
Procedure
Step 1 Run:
system-view
Parameters of UDP Flood attack defense are configured. To prevent the Flood attacks, you need to specify the zones or IP addresses to be protected. Otherwise, the configured parameters are invalid. You can specify the maximum session rate. When the session rate exceeds this value, the ME60 considers it as an attack and takes measures.
NOTE
The maximum access rate applies to the Flood attack initiated from multiple source addresses to the same destination address. For the Flood attack to the same data flow (with the same quintuple), the maximum access rate is not configurable. The default value is 20 pps. That is, when the rate of SYN or ICMP packets reaches 20 pps, the ME60 considers it as Flood attack and discards the packets. In this case, the ratenumber parameter is invalid.
For Flood attack defense, the priority of the IP is higher than the priority of the zone. If Flood attack defense is configured for both a specified IP address and the zone where the IP address resides, then the attack defense based on IP address takes effect. If you cancel the attack defense based on IP address, the attack defense based on zone takes effect. By default, the maximum session rate for Flood attacks is 1000 pps, and the TCP proxy is enabled in the SYN Flood attack defense.
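The precedence and rate rules just described, as an added Python model that is not part of the Huawei guide: an IP-level max-rate overrides the zone-level one, the 1000 pps default applies when no max-rate is given, and packets beyond the limit within a second are dropped. The mapping of destination addresses to zones by prefix, the FloodDefense class, and the numbers used are assumptions for the demonstration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

DEFAULT_MAX_RATE = 1000  # pps: the guide's default maximum session rate for Flood attack defense


class FloodDefense:
    """Per-destination rate limiter following the guide's precedence rule for Flood defense.

    zone_prefixes: zone name -> prefixes belonging to the zone (assumption: this is how a
                   destination address is mapped to its zone here).
    zone_rates:    protected zone -> max-rate, or None to use the default.
    ip_rates:      protected host IP -> max-rate, or None to use the default.
    A zone or IP that is not listed is not protected at all.
    """

    def __init__(self, zone_prefixes, zone_rates, ip_rates):
        self.zone_prefixes = {z: [ip_network(p) for p in pfx] for z, pfx in zone_prefixes.items()}
        self.zone_rates = dict(zone_rates)
        self.ip_rates = dict(ip_rates)
        self.counts = defaultdict(int)  # (destination, whole second) -> packets seen

    def effective_max_rate(self, dst):
        """IP-level configuration has priority over the zone; None means no defense for dst."""
        if dst in self.ip_rates:
            rate = self.ip_rates[dst]
            return DEFAULT_MAX_RATE if rate is None else rate
        addr = ip_address(dst)
        for zone, prefixes in self.zone_prefixes.items():
            if zone in self.zone_rates and any(addr in p for p in prefixes):
                rate = self.zone_rates[zone]
                return DEFAULT_MAX_RATE if rate is None else rate
        return None

    def remove_ip_defense(self, dst):
        """Cancelling the IP-level entry lets the zone-level entry take effect again."""
        self.ip_rates.pop(dst, None)

    def handle(self, dst, timestamp):
        """Verdict ('forward' or 'drop') for one session-initiating packet towards dst."""
        limit = self.effective_max_rate(dst)
        key = (dst, int(timestamp))
        self.counts[key] += 1
        if limit is not None and self.counts[key] > limit:
            return "drop"  # rate above max-rate within this second: treated as a Flood attack
        return "forward"


def simulate(defense, dst, pps, second):
    """Send pps packets to dst spread over one second and tally the verdicts."""
    verdicts = defaultdict(int)
    for i in range(pps):
        verdicts[defense.handle(dst, second + i / pps)] += 1
    return dict(verdicts)


# Constructed configuration: zone1 protected without an explicit max-rate (default applies),
# host 1.1.0.2 inside zone1 protected at 2000 pps, zone2 not protected.
defense = FloodDefense(
    zone_prefixes={"zone1": ["1.1.0.0/16"], "zone2": ["2.2.0.0/16"]},
    zone_rates={"zone1": None},
    ip_rates={"1.1.0.2": 2000},
)
```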
----End
Procedure
Step 1 Run:
system-view
Parameters of port scanning attack defense are configured. For scanning attack defense, the following two parameters need to be configured:
- Maximum session rate: When the IP address-based or port-based session rate exceeds this value, the ME60 considers it as an attack, and then adds the IP address or port to the blacklist and denies new sessions.
- Blacklist timeout: When the duration of the IP address or port in the blacklist exceeds this value, the ME60 releases the IP address or port from the blacklist and allows new sessions.
By default, the maximum session rate in IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.
----End
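The two scanning-defense parameters in action, as an added Python example that is not part of the Huawei guide: a source whose new-session rate exceeds the maximum in one second is blacklisted and denied, and it is released once the blacklist timeout has elapsed. The SweepDefense class, the event log, and the small thresholds used in run_demo are constructed for the demonstration.

```python
from collections import defaultdict

DEFAULT_MAX_RATE = 4000              # pps: the guide's default for IP sweep / port scan defense
DEFAULT_BLACKLIST_TIMEOUT = 20 * 60  # seconds: the guide's default of 20 minutes


class SweepDefense:
    """Blacklist a source whose new-session rate exceeds max_rate; release it after the timeout."""

    def __init__(self, max_rate=DEFAULT_MAX_RATE, blacklist_timeout=DEFAULT_BLACKLIST_TIMEOUT):
        self.max_rate = max_rate
        self.timeout = blacklist_timeout
        self.sessions = defaultdict(int)  # (source, whole second) -> new sessions seen
        self.blacklist = {}               # source -> time the entry was added

    def is_blacklisted(self, src, now):
        added = self.blacklist.get(src)
        if added is None:
            return False
        if now - added >= self.timeout:
            del self.blacklist[src]  # timeout reached: release and allow new sessions again
            return False
        return True

    def new_session(self, src, now):
        """Verdict ('allow' or 'deny') for a new session from src at time now (seconds)."""
        if self.is_blacklisted(src, now):
            return "deny"
        key = (src, int(now))
        self.sessions[key] += 1
        if self.sessions[key] > self.max_rate:
            self.blacklist[src] = now  # rate exceeded: treated as scanning, source blacklisted
            return "deny"
        return "allow"


def replay(defense, events):
    """Feed (source, destination, time) events through the defense and tally verdicts per source."""
    summary = defaultdict(lambda: defaultdict(int))
    for src, _dst, t in events:
        summary[src][defense.new_session(src, t)] += 1
    return {src: dict(v) for src, v in summary.items()}


# Constructed event log: 10.0.0.99 touches 60 different hosts within one second (a sweep),
# 10.0.0.5 opens two ordinary sessions, then 10.0.0.99 tries again 10 s and 31 min later.
EVENTS = [("10.0.0.99", f"1.1.0.{i + 1}", 100 + i / 60) for i in range(60)]
EVENTS += [("10.0.0.5", "1.1.0.2", 100.5), ("10.0.0.5", "1.1.0.3", 100.7)]
EVENTS += [("10.0.0.99", "1.1.0.200", 110.0), ("10.0.0.99", "1.1.0.201", 100 + 31 * 60)]


def run_demo():
    """Small thresholds (max-rate 50 pps, timeout 30 min) so the constructed log triggers the defense."""
    defense = SweepDefense(max_rate=50, blacklist_timeout=30 * 60)
    return replay(defense, EVENTS), defense
```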
Procedure
Step 1 Run:
system-view
Parameters of large ICMP packet attack defense are configured. For large ICMP packet attack defense, only one parameter needs to be configured, namely, the maximum packet length. When the length of an ICMP packet exceeds this value, the ME60 considers it as an attack and discards the packet. By default, the maximum length of ICMP packet is 4000 bytes. ----End
5.3.2 Example for Configuring SYN Flood Attack Defense
5.3.3 Example for Configuring IP Address Sweeping Attack Defense
Figure (networking diagram): ME60 with GE1/0/0 1.1.0.1/16 towards the enterprise network and GE2/0/0 2.2.0.1/16 towards the Internet.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure Land attack defense.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 5-1
- Network security priorities, 100 for the internal network, and 1 for the external network
Configuration Procedures
1. (Optional) Configure the VSU to the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
Configure an ACL.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit
[Quidway-acl-basic-2000] quit
Configuration Files
#
 sysname Quidway
#
 firewall defend land enable
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
acl number 2000
 rule 5 permit
#
firewall zone zone1
 priority 100
#
firewall zone zone2
Figure (networking diagram): ME60 with GE1/0/0 1.1.0.1/16 towards the enterprise network and GE2/0/0 2.2.0.1/16 towards the Internet.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure SYN Flood attack defense.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 5-2
- Network security priorities, 100 for the internal network, and 1 for the external network
Configuration Procedures
1. (Optional) Configure the VSU to the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
Configure an ACL.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit
[Quidway-acl-basic-2000] quit
Configure SYN Flood attack defense. For the entire intranet, the maximum SYN session rate is 1000 pps and TCP proxy is automatically enabled. For server 1.1.0.2, the maximum SYN session rate is 2000 pps and TCP proxy is enabled manually.
[Quidway] firewall defend syn-flood enable
[Quidway] firewall defend syn-flood zone zone1 max-rate 1000 tcp-proxy auto
[Quidway] firewall defend syn-flood ip 1.1.0.2 max-rate 2000 tcp-proxy on
Configuration Files
#
 sysname Quidway
#
 firewall defend syn-flood enable
 firewall defend syn-flood zone zone1
 firewall defend syn-flood ip 1.1.0.2 max-rate 2000 tcp-proxy on
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
Figure (networking diagram): ME60 with GE1/0/0 1.1.0.1/16 towards the enterprise network and GE2/0/0 2.2.0.1/16 towards the Internet.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 5-3
- Network security priorities, 100 for the internal network, and 1 for the external network
Configuration Procedures
1. (Optional) Configure the VSU to the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
Configure an ACL.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit
[Quidway-acl-basic-2000] quit
Configuration Files
#
 sysname Quidway
#
 firewall defend ip-sweep enable
 firewall defend ip-sweep max-rate 5000
 firewall defend ip-sweep blacklist-timeout 30
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
acl number 2000
 rule 5 permit
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 2000 inbound
 packet-filter 2000 outbound
#
return
6 IPSec Configuration
About This Chapter
This chapter describes the rationale, implementation, and configuration of IPSec.
6.1 Introduction
This section describes the concept and rationale of IPSec.
6.2 Defining Data Flows to Be Protected
This section describes how to define the data flows to be protected.
6.3 Configuring an IPSec Proposal
This section describes how to configure an IPSec proposal.
6.4 Configuring an IPSec Policy
This section describes how to configure an IPSec policy.
6.5 Configuring IPSec Policies by Using the IPSec Policy Template
This section describes how to use the IPSec policy template to configure IPSec policies.
6.6 Applying an IPSec Policy or an IPSec Policy Group to an Interface
This section describes how to apply an IPSec policy or an IPSec policy group to an interface.
6.7 Maintaining IPSec
This section provides the commands for clearing the IPSec statistics and debugging IPSec.
6.8 Configuration Examples
This section provides a configuration example of IPSec.
6.1 Introduction
This section describes the concept and rationale of IPSec.
6.1.1 Overview of IPSec
6.1.2 Terms Related to IPSec
6.1.3 IPSec Features Supported by the ME60
- Confidentiality is to encrypt client data and then transmit it as cipher text.
- Data integrity is to authenticate the received data to find out whether the packet was modified.
- Data authentication is to authenticate the data source to make sure the data is sent from a genuine sender.
- Anti-replay is to prevent malicious clients from repeatedly sending data packets. In other words, the receiver rejects old or repeated data packets.
IPSec implements the above features using the Authentication Header (AH) security protocol and the Encapsulating Security Payload (ESP) security protocol. The Internet Key Exchange (IKE) protocol also provides automatic key negotiation, Security Association setup, and maintenance services to simplify the use and management of IPSec.
- AH mainly provides data source authentication, data integrity authentication, and anti-replay. AH cannot encrypt the packet.
- ESP provides encryption in addition to the functions provided by AH. The data integrity authentication of ESP does not cover the IP header. ESP can authenticate and encrypt packets at the same time, or only authenticate or only encrypt them.
NOTE
AH and ESP can be used either independently or in combination. There are two encapsulation modes for both AH and ESP: transport mode and tunnel mode. For details about the two modes, see "Encapsulation Modes of IPSec".
IKE is used to negotiate the keys for IPSec: the peers negotiate the keys required by the cryptographic algorithms applied in AH and ESP.
NOTE
IKE negotiation is not necessary. The IPSec policy and algorithm can also be negotiated manually. For comparisons of these two negotiation modes, see "Negotiation Modes".
A security association (SA) is a set of conventions adopted by the communicating parties. The conventions include the protocol adopted (AH, ESP, or both), the encapsulation mode of the protocol (transport mode or tunnel mode), the cryptographic algorithm (DES or 3DES), the shared key of the specified data flows, and the lifetime of the shared key. The SA is the basis of IPSec. An SA is unidirectional. If two hosts communicate through ESP, each host needs two SAs: one protects outbound packets, and the other protects inbound packets. In addition, if both AH and ESP are applied to protect the data flow between peers, two SAs are needed for AH and ESP respectively. Therefore, each host requires four SAs. An SA is identified uniquely by three parameters: security parameter index (SPI), destination IP address, and security protocol ID (AH or ESP). The SPI is a 32-bit number that uniquely identifies an SA. The SPI is carried in the AH/ESP header during transmission. An SA has a duration, which is calculated through either of the following methods:
- Time-based duration: updates the SA at a specific interval.
- Traffic-based duration: updates the SA after a certain amount of data (bytes) is transmitted.
The SA becomes invalid when either duration expires. Before the duration expires, IKE negotiates a new SA for IPSec, so a new SA is ready before the old SA becomes invalid. The SA also specifies the protocol encapsulation mode.
Table: packet formats of AH, ESP, and AH-ESP in the two encapsulation modes

Transport mode
Protocol | Packet format
AH | IP Header | AH | TCP Header | data
ESP | IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP | IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data

Tunnel mode
Protocol | Packet format
ESP | new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP | new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
Use either of the modes according to the actual situation.
- The tunnel mode is safer than the transport mode. It can authenticate and encrypt the original IP packets completely. In addition, it can hide the client IP address by using the IP address of the IPSec peer. The tunnel mode occupies more bandwidth than the transport mode because it has an extra IP header.
- The transport mode is suitable for communication between two hosts or between a host and a security gateway. In the transport mode, the two devices encrypting or decrypting packets must be the original packet sender and the final receiver respectively. Most of the data flows between two security gateways (or routers) are usually not their own communication traffic. Therefore, the tunnel mode is used between security gateways. Packets encrypted by one security gateway can be decrypted only by the corresponding security gateway. That is, a new IP header must be added to the packet, and the IP packet is sent to the security gateway that can decrypt it.
The SHA-1 digest is longer than that of MD5, so SHA-1 is safer than MD5.
Encryption algorithms
ESP can encrypt an IP packet to prevent disclosure of the packet contents during transmission. The encryption algorithm encrypts and decrypts data with the same key through a symmetric key system. IPSec uses two encryption algorithms:
- DES: encrypts 64-bit plain text blocks by using a 56-bit key.
- 3DES: encrypts plain text by using three 56-bit DES keys (168-bit key).
The 3DES algorithm is much safer than DES; however, its encryption speed is comparatively slower.
Negotiation Modes
There are two negotiation modes for establishing an SA: manual mode (manual) and IKE auto-negotiation mode (isakmp). The manual mode is somewhat complex because all information about the SA has to be configured manually, and it does not support some advanced features of IPSec, such as the key update timer. The manual mode implements IPSec independently of IKE. The IKE auto-negotiation mode is much easier because the SA can be established and maintained through IKE auto-negotiation as long as the security policies for IKE negotiation are configured.
The manual mode is feasible where few peer devices are deployed or in a small static environment. For a medium or large dynamic networking environment, the IKE auto-negotiation mode is recommended.
IPSec allows systems, network subscribers, or administrators to control the granularity of security services between peers. For instance, the IPSec policies of a group may prescribe that data flows from one subnet be protected using AH and ESP and encrypted using 3DES, while data flows from another site be protected using ESP only and encrypted using DES only. IPSec can thus provide different levels of security protection for different data flows based on the SA.
3. Define a security policy or a security policy group and specify the association relationship between the data flow and the IPSec proposal, the SA negotiation mode, the peer IP address, the required key, and the SA duration.
4. Apply the IPSec policy on the interface of the ME60. For the configuration roadmap of the QoS traffic policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
Although their format and configuration method are the same, the IPSec ACL differs from the firewall ACL in function. A common ACL is used to determine whether to permit or deny certain data on an interface. For more information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.
Data flows need to be authenticated for the security purpose. Some data flows should be authenticated and encrypted for high security requirements. The IPSec policy can only provide a security protection method. You should, therefore, define various ACLs and IPSec policies for different data flows accordingly. ACLs defined on the local router and ACLs on the remote router should correspond to each other (mirroring). The encrypted data at one end can be authenticated and decrypted at the peer end. If a data flow defined by the remote ACL is not encrypted, the local router regards it as an attack packet and discards it. For example, at the local end:
[Quidway] acl number 3101
[Quidway-acl-adv-3101] rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255
- IPSec protects only the data flows that match the permit statements in the ACL. You should, therefore, define the ACL accurately. The any keyword should be used cautiously.
- It is recommended that you configure a mirror relationship between the local ACL and the remote ACL.
- Using the display acl command, you can view all ACLs, including ACLs for traffic filtering and ACLs for encryption.
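The mirror check recommended above, as an added Python example that is not part of the Huawei guide: it parses advanced-ACL rules in the syntax shown in the local-end example, reports local permit rules whose mirror (source and destination swapped) is missing from the remote ACL, and flags rules that use the any keyword. Only the action, protocol, source and destination fields are parsed; the remote ACL and the extra rules are constructed for the demonstration.

```python
import re


def _endpoint(rest: str, keyword: str):
    """Return ('ip', 'wildcard') or 'any' for the source/destination clause; absent means any."""
    m = re.search(rf"\b{keyword}\s+(any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)", rest)
    if m is None or m.group(1) == "any":
        return "any"
    return tuple(m.group(1).split())


def parse_rule(line: str) -> dict:
    """Parse one 'rule <id> {permit|deny} <protocol> [source ...] [destination ...]' line."""
    m = re.match(r"\s*rule\s+(\d+)\s+(permit|deny)\s+(\S+)(.*)", line)
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    rid, action, proto, rest = m.groups()
    return {"id": int(rid), "action": action, "proto": proto,
            "src": _endpoint(rest, "source"), "dst": _endpoint(rest, "destination")}


def parse_acl(text: str) -> list:
    """Parse every rule line of an ACL configuration block."""
    return [parse_rule(line) for line in text.splitlines() if line.strip().startswith("rule")]


def missing_mirrors(local_rules: list, remote_rules: list) -> list:
    """Ids of local permit rules whose mirror (same protocol, src/dst swapped) is absent remotely."""
    remote_keys = {(r["proto"], r["src"], r["dst"]) for r in remote_rules if r["action"] == "permit"}
    return [r["id"] for r in local_rules
            if r["action"] == "permit" and (r["proto"], r["dst"], r["src"]) not in remote_keys]


def uses_any(rules: list) -> list:
    """Ids of permit rules matching 'any' on either side, which the guide says to use cautiously."""
    return [r["id"] for r in rules
            if r["action"] == "permit" and (r["src"] == "any" or r["dst"] == "any")]


# Constructed ACLs: the local one extends the guide's example with two more rules; the remote
# one mirrors rules 1 and 2 but not rule 3.
LOCAL_ACL = """
acl number 3101
 rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255
 rule 2 permit tcp source 173.1.1.0 0.0.0.255 destination 173.3.3.0 0.0.0.255
 rule 3 permit ip source 173.1.1.0 0.0.0.255 destination any
"""
REMOTE_ACL = """
acl number 3101
 rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255
 rule 2 permit tcp source 173.3.3.0 0.0.0.255 destination 173.1.1.0 0.0.0.255
"""


def check_pair(local_text: str, remote_text: str) -> dict:
    """Run both checks in both directions and return the findings."""
    local, remote = parse_acl(local_text), parse_acl(remote_text)
    return {
        "local_without_remote_mirror": missing_mirrors(local, remote),
        "remote_without_local_mirror": missing_mirrors(remote, local),
        "local_rules_using_any": uses_any(local),
    }
```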
Pre-configuration Task
None.
Data Preparation
To define data flows to be protected, you need the following data.
1. ACL number
2. (Optional) Configuration sequence of ACL rules
3. (Optional) Numbers of the ACL rules
4. Protocol type
5. (Optional) Source and destination IP addresses and wildcard character
6. (Optional) Source and destination port numbers and the operator for comparing the port numbers of the source and destination addresses
7. (Optional) ICMPv6 packet type and message code information
8. (Optional) Packet precedence
9. (Optional) Service type
10. (Optional) Name of a time range
11. (Optional) Whether to log the packets that meet the requirements
12. (Optional) Whether this rule takes effect only on the fragmented packets except the first fragment packet
Procedure
Step 1 Run:
system-view
An advanced ACL is created.
Step 3 Run the following commands to configure ACL rules:
- rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag-value | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
- rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | source-port operator port | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
- rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | dscp dscp | fragment-type fragment-type | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
- rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
For the configuration of the advanced ACL, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.
----End
Pre-configuration Task
Before configuring an IPSec proposal, complete the following task:
- Defining Data Flows to Be Protected
Data Preparation
To configure an IPSec proposal, you need the following data.
1. Name of the IPSec proposal (a character string of 1 to 15 characters)
2. Security protocol adopted: AH, ESP, or AH-ESP
3. Authentication algorithm adopted: MD5 or SHA-1
4. Encryption algorithm adopted: DES or 3DES
5. Encapsulation mode adopted: transport mode or tunnel mode
6.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal View
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
The default security protocol is ESP, that is, the ESP protocol defined in RFC 2406.
----End
Procedure
Step 1 Run:
system-view
The default authentication algorithm is adopted for the AH protocol.
Step 4 Run:
esp authentication-algorithm { md5 | sha1 }
- By default, both ESP and AH adopt the MD5 authentication algorithm.
- You can configure the authentication algorithm only after selecting the corresponding IPSec protocol by running the transform command. For example, if ESP is selected, you can configure only the authentication algorithm required for ESP.
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
- By default, the tunnel mode is adopted.
- When the transport mode is adopted, the data flow is not protected. If you want to protect the data flow in this case, the two ends of the data flow must be the same as those of the security tunnel.
----End
This section describes configuration of the IPSec policy in the manual negotiation mode and the IKE negotiation mode. The configuration is needed in both manual mode and IKE mode unless otherwise specified.
6.4.1 Establishing the Configuration Task
6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View
6.4.3 Configuring the ACL Used in the IPSec Policy
6.4.4 Applying the IPSec Proposal to the IPSec Policy
6.4.5 Configuring the SA Duration
6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)
6.4.7 Configuring the SPI for an SA (for Manual Mode)
6.4.8 Configuring Key for an SA (for Manual Mode)
6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode)
6.4.10 Configuring the PFS Feature Used in the IKE Negotiation
6.4.11 Configuring the Global SA Duration
Pre-configuration Task
Before configuring an IPSec policy, complete the following tasks:
l 6.2 Defining Data Flows to Be Protected
l 6.3 Configuring an IPSec Proposal
l Creating an IKE peer if the IKE negotiation mode is adopted (see chapter 7 "IKE Configuration")
Data Preparation
To configure an IPSec policy, you need the following data.
No. Data
1 Name and sequence number of the IPSec policy
2 Negotiation mode: manual mode or IKE mode
3 SA duration or global duration of an SA, time-based or traffic-based
4 For manual mode: local and remote IP addresses of the tunnel (only used for policies applied to interfaces), SPI of an SA, inbound or outbound direction, IPSec protocol adopted, authentication key used by an SA, and encryption key (if ESP is adopted). For IKE negotiation mode: IKE peer name and DH group used by Perfect Forward Secrecy (PFS)
6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
l Up to 100 IPSec policies can be created in the system.
l By default, no IPSec policy is configured.
----End
Procedure
Step 1 Run:
system-view
An IPSec policy can use only one ACL. If multiple ACLs are configured to an IPSec policy, the latest one takes effect.
----End
Procedure
Step 1 Run:
system-view
l When you set up an SA manually, an IPSec policy can apply only one IPSec proposal. You should remove the old IPSec proposal before setting up a new one. In addition, the IPSec proposals applied on the two ends of a tunnel should be configured with the same security protocol, algorithm, and packet encapsulation mode.
l When you set up an SA by IKE negotiation (isakmp), an IPSec policy can apply up to six IPSec proposals. IKE negotiation searches for completely matched IPSec proposals on the two ends of the tunnel. If no completely matched IPSec proposal is found, the SA cannot be set up and the packets that need protection are discarded.
----End
Procedure
Step 1 Run:
system-view
l The default time-based duration of an SA is 3600 seconds; the default traffic-based duration of an SA is 1843200 kilobytes. If the duration is set for an SA, the global duration is adopted. For details about the global SA duration, see "6.4.11 Configuring the Global SA Duration".
l When IKE negotiates a new SA for IPSec, the shorter of the locally set duration and the duration proposed by the peer is used.
l Modifying the duration does not influence the existing SAs. The modified duration is used when new SAs are set up through IKE negotiation.
l Configuring the SA duration is effective in IKE negotiation mode and not in manual negotiation mode.
----End
6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
l This configuration actually specifies the IPSec peers.
l You must configure the local address to set up the SA when implementing a manually created IPSec policy. In addition, the security tunnel can be set up only when the local address and the remote address are configured correctly.
----End
Procedure
Step 1 Run:
system-view
Step 3 Run:
sa spi { inbound | outbound } { ah | esp } spi-number
l When setting up an SA, you must set both the inbound and outbound parameters for the SA.
l SA parameters set on the two ends of a tunnel must match each other. The inbound SPI of the local end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local end must be the same as the inbound SPI of the remote end.
----End
Procedure
Step 1 Run:
system-view
The authentication key (in the format of hexadecimal numerals) of the protocol is configured.
Step 4 Run:
sa string-key { inbound | outbound } { ah | esp } string-key
The authentication key (in the format of a character string) of the protocol is configured. If you enter a string, the sa string-key command generates an authentication key for the AH protocol. For the ESP protocol, this command generates both an authentication key and an encryption key.
Step 5 Run:
sa encryption-hex { inbound | outbound } esp hex-key
The encryption key (in the format of hexadecimal numerals) used in ESP is configured.
NOTE
l SA parameters set on the two ends of a tunnel must match each other. The inbound key of the local end must be the same as the outbound key of the remote end, and the outbound key of the local end must be the same as the inbound key of the remote end.
l If both the character string key and the hexadecimal key are configured, the one configured last is adopted.
l On both ends of a security tunnel, the key must be entered in the same format. If the key is entered as a character string on one end and in hexadecimal on the other end, the security tunnel cannot be established.
----End
6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode)
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
This chapter only describes how to apply an IKE peer to IPSec. In practice, you should configure certain IKE parameters in the IKE peer view, such as the IKE negotiation mode, ID type, NAT traversal, shared key, peer address, and peer name. For more information, refer to chapter 7 "IKE Configuration."
----End
Procedure
Step 1 Run:
system-view
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured. PFS is a security feature: if one key is compromised, the security of the other keys is not affected, because the keys are not derived from one another. For details, see chapter 7 "IKE Configuration."
NOTE
l A PFS exchange is performed when IPSec uses this IPSec policy to initiate a negotiation. If the local end uses PFS, the peer must also adopt PFS during the negotiation. The DH groups specified on the local end and on the peer must be the same; otherwise, the negotiation fails.
l The 1024-bit Diffie-Hellman group (dh-group2) provides higher security than the 768-bit Diffie-Hellman group (dh-group1), but dh-group2 needs a longer time for calculation.
l By default, the PFS feature is disabled.
----End
Procedure
Step 1 Run:
system-view
l Changing the global duration does not influence the existing IPSec policies that have their own duration or the SAs already established. The changed duration is used when a new SA is set up by IKE negotiation.
l The default time-based global duration is 3600 seconds; the default traffic-based global duration is 1843200 kilobytes.
----End
Action: Check information about the IPSec policy.
Command: display ipsec policy [ brief | name policy-name [ seq-number ] ]
Action: Check the IPSec statistics.
Command: display ipsec statistics
Action: Check information about the SA.
Command: display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]
This configuration is optional. If the IPSec policy template is not used, you can skip this section.
6.5.1 Establishing the Configuration Task
6.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View
6.5.3 Configuring the ACL Used in the IPSec Policy Template
6.5.4 Applying the IPSec Proposal to the IPSec Policy Template
6.5.5 Configuring the SA Duration
6.5.6 Configuring the IKE Peer for the IPSec Policy Template
6.5.7 Configuring the PFS Feature Used in the IKE Negotiation
6.5.8 Configuring the Global SA Duration
6.5.9 Applying the IPSec Policy Template
6.5.10 Checking the Configuration
l The configured parameters must be consistent on both ends during the negotiation.
l To enable the template to receive negotiation requests from various peers in pre-shared key mode, you can specify a peer address range. You can also choose not to specify any peer address with the ike-peer command, thus allowing access by different dial-up users.
l The IPSec policy is necessary on the user side. ACL rules defined through the IPSec policy must be configured with the source address range so that the server can send back the encrypted response data to the right destination.
Pre-configuration Task
Before configuring IPSec policies by using the IPSec policy template, complete the following tasks:
l 6.2 Defining Data Flows to Be Protected
l 6.3 Configuring an IPSec Proposal
l Creating the IKE peer
Data Preparation
To configure IPSec policies by using the IPSec policy template, you need the following data.
No. Data
1 Name and sequence number of the IPSec policy template
2 SA duration or global duration of an SA, time-based or traffic-based
3 Name of the IKE peer and DH group used by PFS
6.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
An IPSec policy template is created or modified and the IPSec policy template view is displayed.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
6.5.6 Configuring the IKE Peer for the IPSec Policy Template
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The IKE peer adopted in the IPSec policy template is configured.
----End
Procedure
Step 1 Run:
system-view
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The policy created through an IPSec policy template cannot initiate negotiation of an SA, but it can respond to a negotiation.
----End
Pre-configuration Task
Before applying an IPSec policy or an IPSec policy group to an interface, complete the following tasks:
l 6.2 Defining Data Flows to Be Protected
l 6.3 Configuring an IPSec Proposal
l 6.4 Configuring an IPSec Policy
Data Preparation
To apply an IPSec policy or an IPSec policy group to an interface, you need the following data.
No. Data
1 Name of the QoS behavior
2 Type and number of the interface
3 Name of the IPSec policy
Procedure
Step 1 Run:
system-view
Here, only the configuration of the traffic behavior is described. To configure the ME60 to encrypt user packets through IPSec, you need to configure a complete traffic policy and apply it to the entire system or to an interface. For the configuration and application of the traffic policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
----End
Procedure
Step 1 Run:
system-view
The IPSec policy or the IPSec policy group is applied to the interface. Only one IPSec policy group can be applied to an interface. An IPSec policy group can be applied to multiple interfaces. A manually configured IPSec policy can be applied to only one interface. After the IPSec policy group is applied to an interface, the ME60 matches the packets sent from this interface with the IPSec policies according to the sequence numbers in a descending order. If a packet matches the ACL referenced by an IPSec policy, the ME60 processes the packet according to this IPSec policy. If a packet does not match any ACL referenced by the IPSec policies, the ME60 sends the packet directly, without encrypting the packet through IPSec.
NOTE
l When you change certain parameters of IPSec and IKE, such as the parameters of an IKE proposal, IKE peer, or IPSec proposal, you must re-apply the IPSec policy to the corresponding interface for the changes to take effect.
l If the IPSec policies are configured manually, the IPSec configuration is complete after the preceding procedures. If the IPSec policies are configured in IKE negotiation mode, additional IKE configuration is needed. For details, see chapter 7 "IKE Configuration".
----End
CAUTION
IPSec statistics cannot be restored after you clear them. So, confirm the action before you use the command. To clear the IPSec statistics, run the following commands in the user view.
Command
reset ipsec statistics
reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address protocol spi ]
[Figure: networking diagram of the IPSec configuration example; labels recovered from the figure: ME60B, Internet, Access Network, Access Network, PC A, PC B]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure ACL rules to define the data flows to be protected.
2. Configure an IPSec proposal.
3. Configure an IPSec policy and apply the ACL and the IPSec proposal to the IPSec policy.
4. Apply the IPSec policy to the interface.
5. Configure the QoS traffic policy to encrypt user packets.
Data Preparation
To complete the configuration, you need the following data:
l Data flows to be protected (defined in the ACL)
l Security protocol, encryption algorithm, authentication algorithm, and encapsulation mode
l IP addresses of the local end and peer end of the tunnel
l Interface where IPSec is enabled
Configuration Procedure
1. Configure ACLs on ME60 A and ME60 B and define the data flows to be protected.
# Configure an ACL on ME60 A.
<ME60A> system-view
[ME60A] acl number 3101
[ME60A-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[ME60A-acl-adv-3101] quit
2. On ME60 A and ME60 B, configure static routes to the peer respectively.
# Configure a static route from ME60 A to ME60 B.
[ME60A] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
Run the ping command on PC A to ping PC B. The ping succeeds.
3. Create IPSec proposals on ME60 A and ME60 B.
# Create an IPSec proposal on ME60 A.
[ME60A] ipsec proposal tran1
[ME60A-ipsec-proposal-tran1] encapsulation-mode tunnel
[ME60A-ipsec-proposal-tran1] transform esp
[ME60A-ipsec-proposal-tran1] esp encryption-algorithm des
[ME60A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[ME60A-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec proposal
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption des
4. Create IPSec policies on ME60 A and ME60 B.
# Create an IPSec policy on ME60 A.
[ME60A] ipsec policy map1 10 manual
[ME60A-ipsec-policy-manual-map1-10] security acl 3101
[ME60A-ipsec-policy-manual-map1-10] proposal tran1
[ME60A-ipsec-policy-manual-map1-10] tunnel local 202.38.163.1
[ME60A-ipsec-policy-manual-map1-10] tunnel remote 202.38.162.1
[ME60A-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[ME60A-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[ME60A-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg
[ME60A-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba
[ME60A-ipsec-policy-manual-map1-10] quit
Run the display ipsec policy command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
5. Apply the IPSec policies to the interfaces of ME60 A and ME60 B.
# Apply the IPSec policy to the interface of ME60 A.
[ME60A] interface pos1/0/1
[ME60A-Pos1/0/1] ip address 202.38.163.1 255.255.255.0
[ME60A-Pos1/0/1] ipsec policy map1
[ME60A-Pos1/0/1] undo shutdown
[ME60A-Pos1/0/1] quit
Run the display ipsec sa command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec sa
===============================
Interface: pos1/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
encapsulation mode: tunnel
tunnel local : 202.38.163.1
tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
[outbound ESP SAs]
spi: 12345 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
6. Configure the QoS traffic policy on ME60 A and ME60 B so that the ME60s encrypt user packets.
NOTE
For the configuration of the QoS policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
7. Verify the configuration.
After the configuration is complete, PC A can still ping PC B. The data transmitted between them is encrypted.
Configuration Files
The following are the configuration files of the ME60s.
l Configuration file of ME60 A
#
 sysname ME60A
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.163.1
 tunnel remote 202.38.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec-using
l Configuration file of ME60 B
#
 sysname ME60B
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.162.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos2/0/1
 undo shutdown
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
#
return
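The matching rules of 6.4.7 and 6.4.8 (the inbound SPI and key of one end equal the outbound SPI and key of the other, keys entered in the same format on both ends, later key commands overriding earlier ones) and the proposal consistency requirement of 6.4.4 can be checked mechanically against the two configuration files above. The following Python is an added example, not Huawei's code; it parses the "#"-delimited ME60 configuration file layout shown above, uses trimmed copies of the ME60 A and ME60 B files as constructed input, and assumes the defaults the page states (ESP, tunnel mode, MD5) for proposal settings that are omitted.

```python
# Constructed samples: the proposal and manual policy blocks of the ME60 A and
# ME60 B configuration files shown above, in the ME60 file layout.
ME60A_CFG = """\
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 proposal tran1
 tunnel local 202.38.163.1
 tunnel remote 202.38.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
"""
ME60B_CFG = """\
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 proposal tran1
 tunnel local 202.38.162.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
"""
# Defaults the page states for an IPSec proposal: ESP, tunnel mode, MD5 auth.
PROPOSAL_DEFAULTS = {"transform": "esp", "encapsulation-mode": "tunnel",
                     "authentication-algorithm": "md5"}

def _blocks(cfg):
    """Yield each '#'-delimited block of the file as a list of token lists."""
    block = []
    for line in cfg.splitlines():
        if line.strip() == "#":
            if block:
                yield block
            block = []
        elif line.split():
            block.append(line.split())
    if block:
        yield block

def parse_config(cfg):
    """Return ({proposal name: settings}, {(policy name, seq): policy})."""
    proposals, policies = {}, {}
    for block in _blocks(cfg):
        head = block[0]
        if head[:2] == ["ipsec", "proposal"]:
            settings = dict(PROPOSAL_DEFAULTS)
            for w in block[1:]:
                if w[0] in ("transform", "encapsulation-mode"):
                    settings[w[0]] = w[1]
                elif len(w) == 3 and w[1].endswith("-algorithm"):
                    settings[w[1]] = w[2]          # "esp|ah xxx-algorithm value"
            proposals[head[2]] = settings
        elif head[:2] == ["ipsec", "policy"] and head[-1] == "manual":
            pol = {"proposal": "", "local": "", "remote": "",
                   "sa": {"inbound": {}, "outbound": {}}}
            for w in block[1:]:
                if w[0] == "proposal":
                    pol["proposal"] = w[1]
                elif w[0] == "tunnel":
                    pol[w[1]] = w[2]               # tunnel local / tunnel remote
                elif w[:2] == ["sa", "spi"]:
                    pol["sa"][w[2]].update(protocol=w[3], spi=int(w[4]))
                elif w[0] == "sa" and w[1] in ("string-key", "authentication-hex", "encryption-hex"):
                    fmt = "string" if w[1] == "string-key" else "hex"
                    key = pol["sa"][w[2]].setdefault("key", {"format": fmt})
                    if key["format"] != fmt:       # format switched: the latest key wins (page NOTE)
                        key = pol["sa"][w[2]]["key"] = {"format": fmt}
                    key[w[1]] = w[4]
            policies[(head[2], int(head[3]))] = pol
    return proposals, policies

def check_manual_pair(cfg_a, cfg_b):
    """List the mismatches between the two ends' manual IPSec policies; [] means consistent."""
    props_a, pols_a = parse_config(cfg_a)
    props_b, pols_b = parse_config(cfg_b)
    (a,), (b,) = pols_a.values(), pols_b.values()   # one manual policy per file
    problems = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("tunnel local/remote addresses are not mirrored")
    if props_a.get(a["proposal"]) != props_b.get(b["proposal"]):
        problems.append("proposals differ in protocol, algorithm or encapsulation mode")
    # local inbound must equal remote outbound, and vice versa
    for here, there in (("inbound", "outbound"), ("outbound", "inbound")):
        sa_a, sa_b = a["sa"][here], b["sa"][there]
        if (sa_a.get("protocol"), sa_a.get("spi")) != (sa_b.get("protocol"), sa_b.get("spi")):
            problems.append(f"A {here} SPI/protocol != B {there} SPI/protocol")
        ka, kb = sa_a.get("key"), sa_b.get("key")
        if ka is None or kb is None:
            problems.append(f"key missing for A {here} / B {there}")
        elif ka["format"] != kb["format"]:
            problems.append(f"key format differs for A {here} / B {there}: tunnel cannot be set up")
        elif ka != kb:
            problems.append(f"A {here} key != B {there} key")
    return problems
```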
7 IKE Configuration
About This Chapter
This chapter describes the fundamentals, implementation, and configuration of IKE.
7.1 Introduction
This section describes the concept and fundamentals of IKE.
7.2 Setting the Local ID Used in IKE Negotiation
This section describes how to set the local ID used in IKE negotiation.
7.3 Configuring an IKE Security Proposal
This section describes how to configure an IKE security proposal.
7.4 Configuring Attributes of the IKE Peer
This section describes how to configure the attributes of the IKE peer.
7.5 Tuning the IKE Configuration
This section describes how to fine-tune the configuration of IKE.
7.6 Maintaining IKE
This section provides the commands for displaying and clearing the IKE information and debugging IKE.
7.7 Configuration Examples
This section provides a configuration example of IKE.
Issue 05 (2010-09-25)
7-1
7.1 Introduction
This section describes the concept and fundamentals of IKE.
7.1.1 Overview of IKE
7.1.2 NAT Traversal in IPSec
7.1.3 IKE Features of the ME60
[Figure: IKE negotiation triggered by IPSec; labels recovered from the figure: "2. Matched data streams are forwarded over the interface applying IPSec", "Trigger SA in phase 1 of IKE negotiation", "Router B", "Step 2", "Step 4"]
If an interface is enabled with IPSec, packets sent from this interface are matched with IPSec policies.
1. If a packet matches an IPSec policy, the corresponding SA is searched for.
2. If the SA has not been set up, IKE is triggered to negotiate an SA in phase 1, that is, the IKE SA.
3. Under the protection of the IKE SA, IKE continues to negotiate the SA in phase 2, that is, the IPSec SA. The IPSec SA is used to protect the data in communication.
In the aggressive mode, payloads associated with SA, key exchanges, and authentication can be carried in a single message to transmit, which reduces the message round-trip times but cannot provide identity protection.
Despite the limitations of the aggressive mode, it meets the demands in a specific networking environment. For example, in remote access, the responder (the server) cannot predict the address of the initiator (the terminal user); or the address of the initiator is always changing, and both parties wish to create an IKE SA through the pre-shared key authentication. In this case, the aggressive mode without identity protection is the only available exchange method. In addition, if the initiator has learned about the responder's policy or has a comprehensive understanding of it, the aggressive mode can create the IKE SA faster.
1. Set the local ID used in the IKE negotiation.
2. Set attributes for the IKE peer, including the IKE negotiation mode, pre-shared key value, peer address or peer ID, and NAT traversal, to ensure the correctness of the IKE negotiation.
3. Create an IKE proposal to determine the algorithm strength during the IKE exchange, that is, the strength of the security protection (including the identity authentication method, encryption algorithm, authentication algorithm, and DH group). It is harder to decrypt the protected data if the algorithm has a higher strength; however, more calculation resources are consumed. The longer the shared key, the higher the algorithm strength.
4. After the preceding configuration is complete, you need to reference the IKE peer in the IPSec policy view to complete the IPSec configuration through auto-negotiation. For more information on IPSec adopting the IKE peer, see chapter 6 "IPSec Configuration."
NOTE
Apart from these basic procedures, IKE also has a keepalive mechanism to determine whether the peer can communicate normally. You can, therefore, also configure the interval and timeout of the keepalive packets. When the NAT traversal of IPSec is configured, you can also configure the interval for sending NAT update packets.
Pre-configuration Task
None.
Data Preparation
To configure the local ID used in IKE negotiation, you need the following data.
No. Data
1 ID of the local router
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
Pre-configuration Task
None.
Data Preparation
To configure an IKE security proposal, you need the following data.
No. Data
1 Priority of the IKE security proposal
2 Encryption algorithm: DES or 3DES
3 Authentication algorithm: MD5 or SHA
4 DH group ID, selected from group 1 (768 bits) or group 2 (1024 bits)
5 Duration of the ISAKMP SA (ranging from 60 seconds to 604800 seconds)
7.3.2 Creating the IKE Security Proposal and Entering the IKE Security Proposal View
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
An IKE security proposal is created and the IKE security proposal view is displayed.
l Multiple IKE proposals can be created for each party of the IKE negotiation. During the negotiation, the proposal of the highest priority owned by both parties is matched first. The matching rule is that both parties in the negotiation must have the same encryption algorithm, authentication algorithm, authentication method, and DH group ID.
l The system provides a default IKE proposal named default. The default IKE proposal has the lowest priority. By default, the authentication algorithm is SHA1; the authentication is based on the shared key; the encryption algorithm is DES-CBC; the DH group ID is MODP_768; the duration of the SA is 86400 seconds.
----End
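The matching rule and priority order described above, including the fallback to the system's default proposal, can be modelled directly. The following Python is an added example, not Huawei's code; the field defaults are the page's values for the default proposal, and the rule that only the first configured proposal is used in aggressive mode (7.4.x) is applied to both ends as a simplifying assumption.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed marker: the system's implicit "default" proposal has the lowest
# priority of all, so it sorts after every configured proposal (1..100).
DEFAULT_PRIORITY = 10_000

@dataclass(frozen=True)
class IkeProposal:
    priority: int                  # configured number; a lower number is a higher priority
    encryption: str = "des-cbc"    # field defaults are the page's "default" proposal values
    auth_algorithm: str = "sha1"
    auth_method: str = "pre-share"
    dh_group: str = "group1"       # MODP_768
    sa_duration: int = 86400

    def matches(self, other: "IkeProposal") -> bool:
        """Matching rule from the page: equal encryption algorithm, authentication
        algorithm, authentication method and DH group. Priority and SA duration
        are not part of the rule."""
        mine = (self.encryption, self.auth_algorithm, self.auth_method, self.dh_group)
        theirs = (other.encryption, other.auth_algorithm, other.auth_method, other.dh_group)
        return mine == theirs

DEFAULT_PROPOSAL = IkeProposal(DEFAULT_PRIORITY)

def offered(configured: List[IkeProposal], mode: str) -> List[IkeProposal]:
    """Proposals one side offers, highest priority first, with the implicit
    default proposal last. Assumption (a simplification of the page): in
    aggressive mode only the first configured proposal is offered, in main
    mode all of them are."""
    ordered = sorted(configured, key=lambda p: p.priority)
    if mode == "aggressive":
        ordered = ordered[:1]
    return ordered + [DEFAULT_PROPOSAL]

def negotiate(local: List[IkeProposal], peer: List[IkeProposal],
              mode: str = "main") -> Tuple[IkeProposal, IkeProposal]:
    """Return the (local, peer) proposal pair selected under the matching rule,
    trying the local proposals in priority order. Both sides always carry the
    default proposal, so at worst the search ends with (default, default)."""
    for mine in offered(local, mode):
        for theirs in offered(peer, mode):
            if mine.matches(theirs):
                return mine, theirs
    return DEFAULT_PROPOSAL, DEFAULT_PROPOSAL   # not reached: defaults always match
```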
Procedure
Step 1 Run:
system-view
The encryption algorithm is specified. Currently, the available algorithms are DES and 3DES in CBC mode. By default, the IKE proposal adopts the DES encryption algorithm in CBC mode.
----End
Procedure
Step 1 Run:
system-view
The authentication method is specified. The ME60 can use only pre-shared key authentication. By default, the IKE proposal uses pre-shared key authentication.
----End
Procedure
Step 1 Run:
system-view
The authentication algorithm is specified. By default, the SHA-1 authentication algorithm is adopted.
----End
Procedure
Step 1 Run:
system-view
The DH group is specified. By default, the 768-bit DH group (group1) is specified.
----End
Procedure
Step 1 Run:
system-view
The duration of the ISAKMP SA is configured.
l When the duration expires, the ISAKMP SA is updated automatically. The duration can be set to a value ranging from 60 to 604800, in seconds. DH calculation is performed during IKE negotiation, which takes a comparatively long time. To avoid impact on the secure communication caused by the update of the ISAKMP SA, set the duration to a value larger than 10 minutes.
l A new SA is negotiated before the old one expires. The old SA is still in use until the new SA is set up. The new SA takes effect as soon as it is established, and the old one is automatically deleted after its duration expires.
l By default, the duration of the ISAKMP SA is 86400 seconds (one day).
----End
7.4.8 Configuring the Peer IP Address or Address Segment
7.4.9 Configuring the Peer Name
7.4.10 Checking the Configuration
Pre-configuration Task
Before configuring the attributes of the IKE peer, complete the following tasks:
l Configuring the IKE Security Proposal
l Configuring the local ID used in the IKE negotiation when the aggressive mode is adopted
Data Preparation
To configure the attributes of the IKE peer, you need the following data.
No. Data
1 Name of the IKE peer
2 IKE negotiation mode
3 Number of the IKE proposal, ranging from 1 to 100
4 Type of the local ID: IP address or name of the local router
5 Whether NAT traversal is required for IPSec
6 Authenticator (a string of 1 to 127 characters)
7 IP address of the peer, in dotted decimal notation
8 Name of the peer (a string of 1 to 15 characters)
7.4.2 Creating an IKE Peer and Entering the IKE Peer View
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
An IKE peer is created and the IKE peer view is displayed.
----End
Procedure
Step 1 Run:
system-view
The IKE negotiation mode is specified. By default, the main mode is used in the IKE negotiation.
----End
Procedure
Step 1 Run:
system-view
The IKE proposal is configured. In the aggressive mode, by default, the first configured IKE proposal is used in the negotiation; in the main mode, all the IKE proposals are used in the negotiation.
----End
Procedure
Step 1 Run:
system-view
The type of the local ID is configured. The IP address or the name of the local router can be used as the ID in the IKE negotiation. By default, the IP address is used as the local ID. In the aggressive mode, the name is used as the local ID. In the main mode, the local ID does not have to be configured, but the name cannot be used as the local ID.
----End
Procedure
Step 1 Run:
system-view
Step 3 Run:
nat traversal
NAT traversal is enabled for IPSec. By default, NAT traversal is disabled.
----End
Procedure
Step 1 Run:
system-view
The identity authenticator is configured. If pre-shared key authentication is selected, the pre-shared key needs to be configured for each peer. The same pre-shared key must be configured on the peers that set up the security connection.
----End
Procedure
Step 1 Run:
system-view
Step 3 Run:
remote-address low-ip-address [ high-ip-address ]
When the address segment is configured, only the IPSec policy template can adopt this IKE peer.
----End
Procedure
Step 1 Run:
system-view
CAUTION
l The interval of keepalive packets and the timeout time of keepalive packets must be set on the ME60 simultaneously.
l The interval and timeout must match on the two ends. That is, if you set the timeout time of keepalive packets on one ME60, you must set the interval of keepalive packets on the peer ME60.
l The interval of keepalive packets on one end must be shorter than the timeout time set on the peer.
Pre-configuration Task
Before tuning the IKE configuration, complete the following tasks:
l Setting the Local ID Used in IKE Negotiation
l Configuring the IKE Security Proposal
l Configuring Attributes of the IKE Peer
Data Preparation
To tune the IKE configuration, you need the following data.
No. Data
1 Interval of keepalive packets
2 Timeout time of keepalive packets
3 Interval of NAT update packets
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The interval for sending keepalive packets from the ISAKMP SA is set. By default, this function is unavailable.
----End
Procedure
Step 1 Run:
system-view
The timeout time of the keepalive packet is configured.
l On a network, packet loss rarely occurs more than three times consecutively, so the timeout time can be set to three times the interval of keepalive packets on the peer.
l By default, this function is unavailable.
----End
Procedure
Step 1 Run:
system-view
The interval for sending NAT update packets from the ISAKMP SA is set. By default, the ISAKMP SA sends NAT update packets every 20 seconds when NAT traversal is enabled.
----End
To delete a specified security channel, you need to specify the connection-id of the SA. Run the display ike sa command to view the connection-id of the current SA. Information about the same security channel (namely, with the same peer) consists of the information generated in phase 1 and phase 2. After the local SA is deleted, if the ISAKMP SA of phase 1 still exists, the local end sends a deletion message to the peer under the protection of the ISAKMP SA so that the peer can clear its SA database. If connection-id is not specified, all SAs of phase 1 are deleted.
NOTE
Security channel is completely different from security association. A security channel is a channel whose two ends can interoperate with each other. An SA is a unidirectional connection.
CAUTION
Debugging affects the system performance. So, after debugging, run the undo debugging all command to disable it immediately.
When a fault occurs during the application of IKE, run the following debugging command in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
Action: Enable debugging of IKE.
Command: debugging ike { all | error | exchange | message | misc | transport }
[Figure (labels only): ME60B, Internet, Access Network, PC A, PC B]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the local host ID, IKE proposal, and IKE peer.
2. Configure ACL rules to specify the data flow to be protected.
3. Configure an IPSec proposal.
4. Configure an IPSec policy and apply the ACL and the IPSec proposal to the IPSec policy.
5. Apply the IPSec policy to the interface.
6. Configure the QoS traffic policy to encrypt user packets.
Data Preparation
To complete the configuration, you need the following data:
- ID of the local device
- Encryption algorithm and authentication algorithm used in IKE negotiation
- IP address and name of the peer device
- Interface where IPSec is enabled
Configuration Procedure
1. Configure the local host ID, IKE proposal, and IKE peer on ME60 A and ME60 B.
# Configure the local ID used by ME60 A in IKE negotiation.
<ME60A> system-view
[ME60A] ike local-name huawei01
ike-proposal 1
local-id-type name
pre-shared-key huawei
remote-name huawei02
remote-address 202.38.162.1
quit
In the aggressive mode, you need to configure remote-address on the negotiation initiator.
Run the display ike peer command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ike peer
---------------------------
IKE Peer: ME60b
exchange mode: aggressive on phase 1
pre-shared-key: huawei
proposal: 1
local id type: name
peer ip address: 202.38.162.1
peer name: huawei02
nat traversal: disable
---------------------------
2. Configure ACLs on ME60 A and ME60 B and define the data flows to be protected.
# Configure an ACL on ME60 A.
[ME60A] acl number 3101
[ME60A-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[ME60A-acl-adv-3101] quit
3. On ME60 A and ME60 B, configure static routes to the peer.
# Configure a static route from ME60 A to ME60 B.
[ME60A] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
4.
Run the display ipsec proposal command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec proposal
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption des
5. Create IPSec policies on ME60 A and ME60 B.
# Create an IPSec policy on ME60 A.
[ME60A] ipsec policy map1 10 isakmp
[ME60A-ipsec-policy-isakmp-map1-10] ike-peer ME60B
[ME60A-ipsec-policy-isakmp-map1-10] proposal tran1
[ME60A-ipsec-policy-isakmp-map1-10] security acl 3101
[ME60A-ipsec-policy-isakmp-map1-10] quit
Run the display ipsec policy command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
security data flow : 3101
ike-peer name: ME60B
perfect forward secrecy: None
proposal name: tran1
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
6. Apply the IPSec policies to the interfaces of ME60 A and ME60 B.
# Apply the IPSec policy to the interface of ME60 A.
[ME60A] interface pos1/0/1
[ME60A-Pos1/0/1] ip address 202.38.163.1 255.255.255.0
[ME60A-Pos1/0/1] ipsec policy map1
[ME60A-Pos1/0/1] undo shutdown
[ME60A-Pos1/0/1] quit
Run the display ipsec sa command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec sa
===============================
Interface: pos1/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
encapsulation mode: tunnel
tunnel local : 202.38.163.1
tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
[outbound ESP SAs]
spi: 12345 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
7. Configure the QoS traffic policy on ME60 A and ME60 B so that the ME60s encrypt user packets.
NOTE
For the configuration of the QoS policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
8. After the configuration is complete, PC A can still ping PC B, and the data transmitted between them is encrypted. Run the display ike sa command on ME60 A. The display is as follows:
[ME60A] display ike sa
connection-id  peer          vpn  flag   phase  doi
--------------------------------------------------------------
14             202.38.162.1  0    RD|ST  1      IPSEC
16             202.38.162.1  0    RD|ST  2      IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO-TIMEOUT
Configuration Files
The following are the configuration files of the ME60s.
- Configuration file of ME60 A
#
 sysname ME60A
#
 ike local-name huawei01
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 sa duration 43200
#
ike peer ME60B
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei02
 remote-address 202.38.162.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer ME60B
 proposal tran1
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos1/0/1
 undo shutdown
 ip address 202.38.163.1 255.255.255.0
 ipsec policy map1
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
#
return
- Configuration file of ME60 B
#
 sysname ME60B
#
 ike local-name huawei02
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 sa duration 43200
#
ike peer ME60A
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei01
 remote-address 202.38.163.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer ME60A
 proposal tran1
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos2/0/1
 undo shutdown
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
#
return
8 URPF Configuration
About This Chapter
This chapter describes the fundamentals, implementation, and configuration of URPF.
8.1 Introduction
This section describes the fundamentals of Unicast Reverse Path Forwarding (URPF).
8.2 Configuring URPF
This section describes how to configure the URPF function.
8.3 Configuration Examples
This section provides a configuration example of URPF.
8.1 Introduction
This section describes the fundamentals of Unicast Reverse Path Forwarding (URPF).
8.1.1 Overview of URPF
8.1.2 URPF Features of the ME60
[Figure (labels only): RouterA, RouterB, RouterC]
A host connected to Router A (customer network) generates a packet with a forged source IP address 2.1.1.1 and sends the packet to Router B. Router B sends a response packet to Router C, whose IP address is 2.1.1.1. In this way, Router A attacks Router B and Router C by sending such packets.
URPF can be applied on the upstream incoming interfaces of the router in two application environments: single-homed client and multi-homed client.
- Single-homed client
Figure 8-2 shows the connection between the client and the convergence router of the ISP. URPF is enabled on GE 1/0/0 of the ISP router to protect the router and the Internet against source address spoofing attacks from the client network.
- Multi-homed client
URPF can be applied in a network where multiple connections are set up between the client and the ISP, as shown in Figure 8-3. For URPF to work normally, ensure that the packets from the client to a host on the Internet pass through the same link (between the client and the ISP router) as the packets from that host to the client. That is, route symmetry must be ensured; otherwise, URPF discards some legitimate packets because of mismatched interfaces.
[Figure (labels only): RouterA, Enterprise, RouterC, URPF, ISP, RouterB]
URPF can be applied in the networking where a client is connected to multiple ISPs, as shown in Figure 8-4. In this case, route symmetry must be ensured.
[Figure (labels only): RouterA, ISP A, Internet]
Pre-configuration Task
Before configuring the URPF function, complete the following tasks:
- Configuring the link-layer parameters of the interface
- Configuring an IP address for the interface
Data Preparation
To configure the URPF function, you need the following data.
No.  Data
1    Number of the interface where URPF is to be enabled
2    (Optional) Name of the traffic behavior
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
URPF is enabled on the interface. If the loose keyword is selected, the ME60 performs a loose URPF check: a packet passes the check if the forwarding table contains an entry matching its source address, regardless of whether the interface mapped to that source address in the forwarding table is the incoming interface of the packet. If the strict keyword is selected, the ME60 performs a strict URPF check: a packet passes the check only if the forwarding table contains an entry matching its source address and the interface mapped to that source address is the incoming interface of the packet.
----End
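The loose and strict checks described above, as an added example that is not part of the guide or of the ME60 software. The forwarding table and packets are constructed, modelled on the single-homed client scenario in 8.1 (URPF enabled on the ISP-facing GigabitEthernet1/0/0, spoofed source 2.1.1.1); the last packet shows why strict mode needs route symmetry.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network  # prefix in the forwarding table
    iface: str                     # interface through which the prefix is reached


class Packet(NamedTuple):
    src: str       # source IP address of the packet
    in_iface: str  # interface the packet arrived on


def lookup(fib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match of addr against the forwarding table."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for route in fib:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_check(fib: List[Route], pkt: Packet, mode: str) -> bool:
    """Return True if the packet passes the URPF check in the given mode.

    loose:  the forwarding table must contain an entry matching the source
            address; which interface that entry points to does not matter.
    strict: the entry must exist AND its interface must be the interface the
            packet came in on (the reverse path must match).
    """
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    route = lookup(fib, pkt.src)
    if route is None:
        return False  # no route back to the source: fails in both modes
    if mode == "loose":
        return True
    return route.iface == pkt.in_iface


def urpf_filter(fib: List[Route], packets: List[Packet], mode: str) -> List[Packet]:
    """Return the packets that URPF would discard on an interface in this mode."""
    return [p for p in packets if not urpf_check(fib, p, mode)]


# Constructed forwarding table of the ISP router: the customer network
# 10.1.0.0/16 is reached through GigabitEthernet1/0/0 (where URPF is enabled);
# 2.1.1.0/24 lies upstream behind Pos1/0/1.
FIB = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "GigabitEthernet1/0/0"),
    Route(ipaddress.ip_network("2.1.1.0/24"), "Pos1/0/1"),
]

# Constructed packets arriving at the router.
PACKETS = [
    Packet("10.1.5.7", "GigabitEthernet1/0/0"),     # legitimate customer host
    Packet("2.1.1.1", "GigabitEthernet1/0/0"),      # spoofed: claims an upstream address
    Packet("203.0.113.5", "GigabitEthernet1/0/0"),  # spoofed: no route at all
    Packet("10.1.5.7", "GigabitEthernet2/0/0"),     # legitimate host, asymmetric path
]

if __name__ == "__main__":
    for mode in ("loose", "strict"):
        dropped = [f"{p.src} via {p.in_iface}" for p in urpf_filter(FIB, PACKETS, mode)]
        print(f"{mode:6s} URPF discards: {dropped}")
```

Loose mode discards only the unroutable 203.0.113.5; strict mode also discards the spoofed 2.1.1.1 and, because its reverse path points at a different interface, the legitimate host arriving on GigabitEthernet2/0/0.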
Procedure
Step 1 Run:
system-view
For the complete procedure, see "8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets." For the configuration and application of the traffic policy, refer to chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
----End
Configuration Roadmap
The configuration roadmap is as follows:
- Configure strict URPF check for the IP packets arriving at GE1/0/0 of ME60 A.
- Configure loose URPF check for the IP packets arriving at GE1/0/0 of ME60 B.
Data Preparation
To complete the configuration, you need the following data: IP addresses of the interfaces
Configuration Procedure
1. Configure ME60 A.
# Configure the IP address of GE 1/0/0.
<ME60A> system-view
[ME60A] interface gigabitethernet 1/0/0
[ME60A-GigabitEthernet1/0/0] ip address 172.19.139.1 255.255.255.252
[ME60A-GigabitEthernet1/0/0] undo shutdown
2. Configure ME60 B.
Configuration Files
The following are the configuration files of the ME60s.
- Configuration file of ME60 A
#
 sysname ME60A
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.1 255.255.255.252
 ip urpf strict
#
return
- Configuration file of ME60 B
#
 sysname ME60B
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.2 255.255.255.252
 ip urpf loose
#
return
9 DPI Configuration
About This Chapter
This chapter describes the fundamentals of DPI and how to configure network-side DPI and user-side DPI.
9.1 Introduction
This section describes the concept and rationale of DPI and the DPI features supported by the ME60.
9.2 Configuring Basic DPI Functions
This section describes how to configure basic DPI functions.
9.3 Configuring Network-side DPI
This section describes how to configure and apply the DPI policy at the network side.
9.4 Configuring User-side DPI
This section describes how to configure and apply the DPI policy at the user side.
9.5 Configuration Examples
This section provides a configuration example of DPI.
9.1 Introduction
This section describes the concept and rationale of DPI and the DPI features supported by the ME60.
9.1.1 Overview of DPI
9.1.2 DPI Functions Supported by the ME60
Rationale of DPI
The deep packet inspection (DPI) technology can identify network applications so that the carrier can control and manage the network. As shown in Figure 9-1, common packet analysis involves only the source address, destination address, source port, and destination port. Apart from the preceding factors, DPI analyzes the application-layer information to identify various services and applications. Figure 9-1 Comparison between DPI and the common packet analysis
[Figure 9-1 (labels only): Source IP, Source port, Destination IP, Destination port, Payload, Operation; the DPI row additionally inspects the Payload]
DPI Functions
DPI provides the following three functions:
- Service identification
DPI identifies the data flow of a legal service by the quintuple. Take the video on demand (VoD) service for example: the source address of the service flow belongs to a network segment configured on the VoD server, and the source port number is fixed. Unauthorized users usually hide information about illegal service flows by using some techniques; for example, a P2P flow may use port 80 of HTTP. Therefore, the VoD server cannot identify the service type accurately according to the quintuple, such as the address and port. To identify an illegal service flow, DPI analyzes the contents of an IP packet to find the characteristic field or behavior of the service.
- Service control
DPI controls the identified service flow based on a combination that may consist of the user name, time, bandwidth, and history traffic volume. DPI handles the service flow in the following ways:
  - Forwards packets as usual.
  - Blocks the service flow.
  - Limits the bandwidth of the service flow.
  - Re-marks the priorities of packets.
For convenient service operation, all control policies are configured on the policy server. After a user logs in, the policies are delivered dynamically.
- Service statistics
The statistics of service traffic distribution and usage of a service help to discover the user or the service that affects the normal operation of the network. According to the statistics, the following information can be obtained:
  - Percentage of traffic from attackers
  - Number of online users playing an online game
  - Services consuming bandwidth
  - Illegal VoIP users
DPI Implementation
Figure 9-2 Networking of DPI application
[Figure 9-2 (labels only): Policy Server, AAA, Report Server, Internet, BRAS, DPI Box]
NOTE
The DPI function of the ME60 can be applied in the following cases:
- To control bandwidth of the users connected to the ME60, configure user-side DPI.
- To control bandwidth on the network side, configure network-side DPI.
- The ME60 implements the DPI function after the VSU is configured to work as the DPI board. Therefore, you need to install the VSU before configuring the DPI function. For the functions of the VSU in DPU mode, refer to the Quidway ME60 Multiservice Control Gateway Product Description.
- You can run the set lpu-work-mode { dpi | sbc | ssu | tsu } slot slot-id command to implement different service functions.
- In this manual, the VSU operating in DPI mode is called the DPI board.
Pre-configuration Task
Before configuring basic DPI functions, complete the following tasks:
- Installing the VSU
- (Optional) Connecting the PTS to the ME60 and configuring the PTS
NOTE
The ME60 and the PTS must be directly connected or connected through a layer-2 device and they cannot be connected through a layer-3 network. It is recommended that you connect the ME60 to the PTS directly.
Data Preparation
To configure the basic DPI functions, you need the following data.
No.  Data
1    MAC address of the DPI board
2    IP address of the PTS management interface, namely, the interface connected to the PTS
3    Number of the port for listening for the PTS keepalive packets
Procedure
Step 1 Run:
system-view
NOTE
- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure the operation mode again.
----End
You need to configure the MAC address of the DPI board only when the ME60 is connected to a PTS.
Procedure
Step 1 Run:
system-view
CAUTION
If the PTS does not exist or it is disconnected from the ME60, run the undo dpi-check pts enable command to stop the packet inspection by the PTS. This ensures normal operation of the DPI function.
Procedure
Step 1 Run:
system-view
The packet detection mode is configured. By default, the packet inspection mode is PTS. That is, packets are inspected by the PTS. The prerequisite is that the ME60 is connected to the PTS. The PTS can detect various types of packets, including P2P and VoIP packets. If the ME60 is not connected to a PTS, you can set the packet inspection mode to DSU. In this case, packets of certain P2P applications are inspected by the built-in DPI box on the DPI board.
----End
The parameters of the PTS need to be configured only when the ME60 is connected to a PTS.
Procedure
Step 1 Run:
system-view
The parameters for the connection between the ME60 and the PTS are set.
Step 4 Run:
keep-alive period-value times-value
The interval at which the PTS sends keepalive packets is set. By default, the PTS sends keepalive packets at an interval of 10 seconds. If the ME60 fails to receive keepalive packets three times consecutively, it considers the PTS disconnected.
----End
Action                                   Command
Check the packet detection mode.         display dpi global-policy
Check the MAC address of the DPI board.  display dpi dsu-mac
Check the information about the PTS.     display dpi pts
Run the display dpi global-policy command, and you can view the global configuration of DPI, including the packet inspection mode.
<Quidway> display dpi global-policy
---------------------------------------------------------------------------
DPI global configration
---------------------------------------------------------------------------
Global policy group status : active
Global policy group type   : user first
Inspecting packets device  : PTS
---------------------------------------------------------------------------
DPI global policy list
---------------------------------------------------------------------------
No.  Policy Name  Application type  Protocal type
0    huawei       p2p
---------------------------------------------------------------------------
Total 1, 1 printed
CAUTION
To implement network-side DPI, you must configure the global DPI policy group and traffic policy. Classify traffic according to a certain rule and associate each traffic class with a DPI behavior; this forms a DPI traffic policy. Then apply the DPI traffic policy to inspect network-side packets. The DPI traffic policy can be applied to the entire system or to an interface:
- When the policy is applied to the entire system, the ME60 inspects traffic of a certain service on all the network-side interfaces.
NOTE
If you enable the DPI traffic policy globally by using the global command, the ME60 performs DPI on all network-side and user-side interfaces.
- When the policy is applied to an interface, the ME60 inspects traffic of a certain service only on this interface.
9.3.3 Configuring the DPI Policy
9.3.4 Configuring a Global DPI Policy Group
9.3.5 Configuring a DPI Traffic Policy
9.3.6 Applying the Traffic Policy to the Network Side
9.3.7 Checking the Configuration
Pre-configuration Task
Before configuring the network-side DPI, complete the following tasks:
- 9.2 Configuring Basic DPI Functions
- Determining whether to apply the global DPI policy
Data Preparation
To configure the network-side DPI, you need the following data.
No.  Data
1    DPI policy name
2    Services to be inspected through DPI
3    (Optional) Number of the network-side interface
Procedure
Step 1 Run:
system-view
A DPI policy is created and the DPI policy view is displayed.
----End
Procedure
Step 1 Run:
system-view
The service type is configured.
Step 4 Configure the behavior for the service as follows:
- To configure the ME60 to control the CAR parameters of the service, run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { upstream | downstream }.
- To configure the ME60 to mark the DSCP value, run remark dscp dscp-value { inbound | outbound }.
- To configure the ME60 to randomly discard packets, run random-drop random-drop-value. This command is recommended for the VoIP service.
- To configure the ME60 to forward all packets of the specified service at a rate lower than the CIR, run permit.
- To configure the ME60 to discard all packets of the specified service, run deny.
You can configure one or more of the preceding behaviors. The permit and deny behaviors cannot be configured simultaneously. By default, the behavior in the DPI policy is permit.
----End
Procedure
Step 1 Run:
system-view
After you run this command, the ME60 may match the service data with the global DPI policy, instead of the user-side DPI policy. For details, see "9.3.6 Applying the Traffic Policy to the Network Side."
Step 5 Run:
active
The global DPI policy is activated. The global DPI policy group is used to inspect packets on a network-side interface. You can also configure DPI on a user-side interface by using the global command. A common DPI policy group is used to inspect packets on a user-side interface but cannot be applied to a network-side interface.
NOTE
For the configuration of a common policy, see "9.4.3 Configuring a Common DPI Policy Group."
By default, the DPI policy is not applied to the entire system, and the global DPI policy is active.
----End
Procedure
Step 1 Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed.
Step 3 Define the rule for matching data packets as follows:
- To match the 802.1p field in a packet, run the if-match 8021p 8021p-code command.
- To match the source MAC address of a packet, run the if-match source-mac mac-address command.
- To match the destination MAC address of a packet, run the if-match destination-mac mac-address command.
- To match packets with an ACL, run the if-match acl acl-number command.
- To match the DSCP field of a packet, run the if-match dscp dscp-value command.
- To match the IP precedence of a packet, run the if-match ip-precedence ip-precedence-value command.
- To match the TCP SYN flag of a packet, run the if-match tcp syn-flag flag-value command.
- To match all IPv4 packets, run the if-match any command.
Step 4 Run:
quit
The system exits from the traffic classifier view.
Step 5 Run:
traffic behavior behavior-name
DPI is enabled.
NOTE
After the traffic behavior is configured to DPI, you cannot configure the behavior to redirect in this behavior view.
Step 7 Run:
quit
The traffic classifier is associated with the behavior. Configure the traffic classifier according to the network requirement so that DPI can be performed for the specified flow. The behavior name specified in this command must be the same as behavior-name you specify in step 5.
NOTE
For the configuration of a traffic policy, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
----End
If you apply the traffic policy globally and run the global command in the global DPI policy view at the same time, the DPI policy takes effect on all network-side and user-side interfaces, and the common DPI policies configured on the user-side interfaces become invalid. If you do not run the global command, the global DPI takes effect only on all the network-side interfaces.
- Applying the traffic policy to an interface
1. Run:
system-view
The user-side DPI policy functions on each user individually. For example, you run the car cir command to set bandwidth for a user to 1 Mbit/s. The ME60 then checks bandwidth of each user. If bandwidth of a user exceeds 1 Mbit/s, the ME60 limits traffic volume of this user.
9.4.1 Establishing the Configuration Task
9.4.2 Creating and Configuring a DPI Policy
9.4.3 Configuring a Common DPI Policy Group
9.4.4 Applying the User-side DPI Policy to the Domain
9.4.5 (Optional) Enabling DPI on a BAS Interface
9.4.6 (Optional) Configuring the Restriction Policy
9.4.7 Checking the Configuration
The DPI policy delivered by the policy server has the highest priority, and the DPI policy configured on a BAS interface has the lowest priority. If the DPI policy is delivered by the policy server, the ME60 dynamically matches the user packets with the DPI policy after a user goes online. If the user packets do not match the delivered policy, the ME60 matches the packets with the DPI policy bound to the domain. If no DPI policy is bound to the domain, or the user packets do not match the service type specified by the DPI policy, the ME60 performs DPI according to the restriction DPI policy configured on the BAS interface.
NOTE
For the method of configuring the policy server to deliver the DPI policy, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.
Pre-configuration Task
Before configuring the user-side DPI, complete the following tasks:
- 9.2 Configuring Basic DPI Functions
- Enabling users to connect to the Internet through the ME60
- Enabling the value-added service
NOTE
The DPI service is a value-added service. Therefore, you must enable value-added services before configuring DPI. For the method of enabling value-added services, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.
Data Preparation
To configure the user-side DPI, you need the following data.
No.  Data
1    DPI policy name
2    Name of the common DPI policy group
3    Domain where the DPI policy is to be configured
4    (Optional) BAS interface where the DPI policy is to be configured
Procedure
Step 1 Run:
system-view
A common DPI policy group is created and the common DPI policy group view is displayed.
Step 3 Run:
dpi-policy dpi-policy-name
Procedure
Step 1 Run:
system-view
A common DPI policy group is applied to the domain. The common DPI policy group must be an existing one. When the common DPI policy is applied to the domain, the ME60 can identify whether a domain user uses the DPI service. The ME60 can then limit the traffic of this user.
----End
CAUTION
After DPI is enabled on a BAS interface, if no DPI policy is bound to the domain, or the user packets do not match the service type specified by the DPI policy, the ME60 performs DPI according to the restriction DPI policy configured on the BAS interface. Therefore, you must configure a restriction DPI policy when enabling DPI on a BAS interface; otherwise, DPI does not take effect on the BAS interface.
Procedure
Step 1 Run:
system-view
The access type of the interface is set to layer-3 leased line.
Step 5 Run:
dpi-enable
DPI is enabled on the BAS interface. After DPI is enabled on the BAS interface, the ME60 performs the following:
- If a common DPI policy group is bound to the domain, the ME60 matches packets of the users going online from the domain with the common DPI policy. If the user packets do not match any service type specified by the common DPI policy, the ME60 matches the user packets with the restriction DPI policy.
- If no common DPI policy group is bound to the domain, the ME60 matches the user packets with the restriction DPI policy directly.
----End
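The matching order for user-side DPI stated in 9.4 and restated above (policy-server delivered > common group bound to the domain > restriction policy on the DPI-enabled BAS interface), together with the caution that DPI on a BAS interface has no effect without a restriction policy, as an added example. It is not ME60 code; the policies, domain binding and users are constructed, with the dpi2 values taken from the configuration example in 9.5.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def behaviors_are_valid(behaviors: Tuple[str, ...]) -> bool:
    """The permit and deny behaviors cannot be configured simultaneously."""
    return not ("permit" in behaviors and "deny" in behaviors)


@dataclass(frozen=True)
class DpiPolicy:
    name: str
    service_type: str           # service-type, e.g. "p2p" or "voip"
    behaviors: Tuple[str, ...]  # e.g. ("car cir 10240 downstream",) or ("deny",)

    def __post_init__(self) -> None:
        if not behaviors_are_valid(self.behaviors):
            raise ValueError(f"{self.name}: permit and deny are mutually exclusive")

    def verdict(self) -> str:
        """deny, or permit (the default when neither is configured explicitly)."""
        return "deny" if "deny" in self.behaviors else "permit"


@dataclass
class UserContext:
    server_policies: List[DpiPolicy]         # delivered by the policy server at login
    domain_group: Optional[List[DpiPolicy]]  # common DPI policy group bound to the domain
    bas_dpi_enabled: bool                    # dpi-enable configured on the BAS interface
    restriction: Optional[DpiPolicy]         # restriction policy on the BAS interface


def first_match(policies: List[DpiPolicy], service: str) -> Optional[DpiPolicy]:
    return next((p for p in policies if p.service_type == service), None)


def resolve(ctx: UserContext, service: str) -> Optional[Tuple[str, DpiPolicy]]:
    """Return (source, policy) governing this user's flow of the given service,
    or None when DPI does not take effect for it."""
    hit = first_match(ctx.server_policies, service)
    if hit:
        return ("policy-server", hit)          # highest priority
    if ctx.domain_group:
        hit = first_match(ctx.domain_group, service)
        if hit:
            return ("domain", hit)
    if ctx.bas_dpi_enabled:
        # Lowest priority; without a restriction policy DPI on the BAS
        # interface does not take effect at all.
        if ctx.restriction and ctx.restriction.service_type == service:
            return ("bas-restriction", ctx.restriction)
    return None


# Constructed policies (dpi2 mirrors the 9.5 example: 10 Mbit/s downstream CAR).
DPI2 = DpiPolicy("dpi2", "p2p", ("car cir 10240 downstream",))
RESTRICT_VOIP = DpiPolicy("restrict-voip", "voip", ("deny",))
SERVER_P2P = DpiPolicy("srv-p2p", "p2p", ("car cir 2048 downstream",))

# Constructed users: one with a server-delivered policy, one with only the
# domain binding, one on a DPI-enabled BAS interface lacking a restriction policy.
USER_WITH_SERVER_POLICY = UserContext([SERVER_P2P], [DPI2], True, RESTRICT_VOIP)
USER_DOMAIN_ONLY = UserContext([], [DPI2], True, RESTRICT_VOIP)
USER_NO_RESTRICTION = UserContext([], None, True, None)

if __name__ == "__main__":
    for label, ctx in (("server", USER_WITH_SERVER_POLICY),
                       ("domain", USER_DOMAIN_ONLY), ("bare", USER_NO_RESTRICTION)):
        for svc in ("p2p", "voip", "http"):
            print(label, svc, resolve(ctx, svc))
```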
Procedure
Step 1 Run:
system-view
The service type is configured.
Step 4 Configure the behavior for the service as follows:
- To configure the ME60 to control the CAR parameters, run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { upstream | downstream }.
- To configure the ME60 to forward all packets of the specified service at a rate lower than the CIR, run permit.
- To configure the ME60 to discard all packets of the specified service, run deny.
You can configure one or more of the preceding behaviors. The permit and deny behaviors cannot be configured simultaneously. By default, the behavior in the DPI policy is permit.
The restriction policy is applied to a BAS interface. The ME60 controls the traffic of each user on the DPI-enabled BAS interface according to the restriction policy. By default, no restriction policy is configured.
----End
Configuration Roadmap
The configuration roadmap is as follows:
- Configure the basic DPI information.
- Configure the PTS.
- Configure the network-side DPI.
- Configure the user-side DPI.
Data Preparation
To complete the configuration, you need the following data:
- Slot number and MAC address of the DPI board
- IP address of the PTS, port number used to monitor the keepalive packets, interface connected to the ME60, interval of keepalive packets, and number of keepalive timeout events on the PTS
Configuration Procedure
NOTE
This configuration example describes only the commands used to configure DPI.
1.
Configure the basic DPI information. # (Optional) Configure the VSU to function as the DPI board.
<Quidway> system-view
[Quidway] set lpu-work-mode dpi slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure the PTS.
After the PTS is connected to the ME60, you can log in to the configuration window from a personal computer to set the following parameters.
Parameter          Value
system_id          1234
Servername         100.1.1.1
peer_etherAddress  00e0-abcd-abcd
port_etherAddress  MAC address of the PTS interface connected to the ME60
port_ipAddress     IP address of the PTS interface connected to the ME60
port_udpPort       4000
NOTE
The preceding parameters may vary on different PTSs. Set the parameters according to the actual situation.
You need to set other parameters of the PTS, such as the user name and password of the login user, and the service type. For the configuration procedure, refer to the documents about the LIG. The ME60 works with PTSs of other vendors to provide the DPI function for various services. Huawei does not provide the PTS.
3. Configure the network-side DPI.
# Configure a DPI policy. Specify that the ME60 limits the P2P traffic when the P2P traffic volume on GE1/0/0 exceeds 100 Mbit/s.
[Quidway] dpi policy dpi1
[Quidway-dpi-policy-dpi1] service-type p2p
[Quidway-dpi-policy-dpi1] car cir 102400 upstream
[Quidway-dpi-policy-dpi1] quit
# Configure an ACL.
[Quidway] acl 3000
[Quidway-acl-adv-3000] rule permit ip
[Quidway-acl-adv-3000] quit
# Configure the traffic classifier and define the ACL-based traffic classification rules.
[Quidway] traffic classifier a
# Define a traffic policy and associate the traffic classifier with the behavior.
[Quidway] traffic policy 1
[Quidway-trafficpolicy-1] classifier a behavior e
[Quidway-trafficpolicy-1] quit
4.
# Configure a DPI policy. Specify that the ME60 limits the P2P traffic when the P2P traffic volume of a user exceeds 10 Mbit/s.
[Quidway] dpi policy dpi2
[Quidway-dpi-policy-dpi2] service-type p2p
[Quidway-dpi-policy-dpi2] car cir 10240 downstream
[Quidway-dpi-policy-dpi2] quit
# Users go online from domain isp1. Bind the DPI policy to domain isp1 to control the P2P traffic of the users in this domain.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] dpi-policy-group dpi_user
Configuration Files
#
 sysname Quidway
#
 value-added-service enable
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
acl number 3000
 rule 5 permit ip
#
traffic classifier a operator or
10
10.1 Introduction
This section describes the concept and principle of lawful interception and the lawful interception function supported by the ME60.
10.1.1 Concept of Lawful Interception
10.1.2 Principle of Lawful Interception
10.1.3 Role of the ME60 in Lawful Interception
The content of communication (CC) and intercepted related information (IRI) can be provided by the network devices of the carrier. The IRI is generally provided by the AAA server. The CC is provided by the edge router, for example, the ME60.
In this scenario, the IRI is provided by the AAA server and the CC is provided by the ME60.
Lawful interception involves the following roles:
- Interception center: the device through which the law enforcement agencies intercept the activities of online users. The interception center initiates the interception and receives the interception result. The functions of the interception center are as follows:
  - Defining the intercepted target
  - Initiating or terminating the interception
  - Receiving and recording the interception results
  - Analyzing the interception result
- Interception management center: the agent of the interception center. The interception management center receives interception requests from the interception center and interprets the requests into identifiers of the location and service in the network. Then it delivers the interception configuration to the devices of the carrier on the network.
- LIG: functions as the agent between the interception management center and the carrier device. The functions of the Lawful Interception Gateway (LIG) are as follows:
  - Receiving the interception request from the interception management center through the L1 and HI1 interfaces
  - Delivering the configuration of interception to network devices and obtaining intercepted contents through the X interfaces
  - Sending the intercepted contents to the interception management center through the HI2 and HI3 interfaces
- LIG management system: receives the interception requests from the interception management center and delivers them to LIGs. An LIG management system can manage multiple LIGs.
NOTE
The LIG management system delivers the configuration to the LIG through the L1 interface. The LIG is located on the network of the carrier, and the LIG management system is managed by the interception management center.
The carrier deploys the lawful interception function on the network devices on the carrier network. The devices that support lawful interception receive the configuration from the interception management center, and then send the intercepted traffic to the interception management center.
Interface  Description
HI1        Connects the interception management center to the LIG management system. The interception management system delivers management commands to the LIG and receives responses through the HI1 interface.
HI2        Connects the interception management center to the LIG. The LIG sends the IRI to the interception management center through the HI2 interface.
HI3        Connects the interception management center to the LIG. The LIG sends the CC to the interception management center through the HI3 interface.
X1         Connects the LIG to the signaling interface of the network device of the carrier. Through the X1 interface, the LIG delivers the interception configuration, including the intercepted user and the interception task, to the network devices of the carrier.
X2         Connects the LIG to the data interface of the network device of the carrier. The network device of the carrier sends the IRI to the LIG through the X2 interface. This interface must guarantee reliability and privacy of the data.
X3         Connects the LIG to the data interface of the network device of the carrier. The network device of the carrier sends the CC and heartbeat information to the LIG through the X3 interface.
NOTE
The network device and the LIG send heartbeat messages to each other to check the connection between them. If the network device does not receive the heartbeat response message within a certain period, the network device deletes information about all intercepted targets delivered by the LIG. After the heartbeat connection recovers, the LIG delivers information about the interception object again.
The ME60 provides the X1 and X3 interfaces. The implementation on the two interfaces is as follows:
- The ME60 supports the X1 interface through the Simple Network Management Protocol version 3 (SNMPv3). To create the X1 interface, you must configure the SNMP information on the ME60.
- The ME60 provides command lines for configuring the X3 interface to set up the connection with the LIG.
[Figure: lawful interception process among the user, the ME60, the AAA/DHCP server and the LIG]
The process of lawful interception is as follows:
1. The law enforcement agency sends the lawful interception authorization to the interception management center through the electrical interface of the interception center or sends written authorization.
2. The interception management center finds the location of the target user according to the interception request, and then sends the location information to the LIG.
3. The LIG sends the required information to the AAA server according to the interception request. The interception device (such as the IP Probe or Sniffer) of the AAA server sets the interception object according to the received information.
4. The interception device of the AAA server intercepts the AAA traffic according to the interception object. When a target user goes online, the AAA server generates the IRI of the user and sends the IRI to the LIG.
5. The LIG processes the IRI, and then sends the IRI to the interception center.
6. The LIG sends the information about the interception object and the interception task to the ME60 to initiate an interception request.
7. The user connects to the Internet through the ME60. The ME60 sends the accounting information to the AAA server.
8. The ME60 duplicates the upstream traffic of the user, generates the CC, and then sends the CC to the LIG.
9. The LIG sends the CC to the interception center.
NOTE
When the user logs out, the interception device of the AAA server notifies the LIG. The LIG then requests the ME60 to delete information about the interception object delivered by the LIG. The ME60 stops intercepting the traffic.
The interception rules generated by the ME60 are not recorded in the configuration file. When the ME60 is restarted, the LIG must send the information about the interception object to the ME60 again so that the interception rule can be generated again.
The ME60 intercepts user activities based on the IP address but it does not differentiate services. During lawful interception, the performance of the ME60 may be affected if the intercepted traffic is too high. Therefore, do not set too many interception objects. The ME60 can intercept up to 4 kbit/s one-way traffic or 2 kbit/s two-way traffic.
NOTE
When the ME60 is configured to intercept one-way flows based on the IP address, it intercepts only the flows with specified source address and destination address. For two-way flows, if the source address of the intercepted flow is set on the LIG, the ME60 intercepts the flows from this address and the flows to this address.
An ME60 can be connected to up to 10 LIGs, but the LIGs cannot deliver the same interception object to the ME60. If multiple LIGs deliver the same interception target, the ME60 sends the interception information to the first matching LIG.
The availability of the lawful interception function on the ME60 is controlled by the license. To use this function, you must buy the license for lawful interception and activate the license. For more information about the license, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
Pre-configuration Task
Before configuring lawful interception, complete the following tasks:
- Connecting the ME60 to the LIG through the X1 interface
- Buying and activating the license for lawful interception
NOTE
The configuration of the X1 interface is delivered to the ME60 through SNMPv3, so you must configure the SNMP agent on the ME60. For the configuration of the SNMP agent, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
Data Preparation
To configure lawful interception, you need the following data.
No.  Data
1    Port number used on the X3 interface
2    IP address of the X3 interface
Procedure
Step 1 Run:
system-view
Since the loopback interface is always Up, it is recommended that you use a loopback interface to improve the configuration reliability.
Step 3 Run:
ip address ip-address { mask | mask-length }
Procedure
Step 1 Run:
system-view
The type of the X3 interface for lawful interception and the port number used on the X3 interface are configured.
NOTE
- An ME60 can be connected to a maximum of 10 LIGs. All the LIGs are connected to the same X3 interface based on the IP address of the X3 interface.
- Use a non-well-known port number larger than 2000 for the X3 interface, so that this port does not conflict with the ports of other programs.
Before configuring the type and port number of the X3 interface, you must configure the IP address of the X3 interface. By default, no X3 interface is configured on the ME60. ----End
Procedure
Step 1 Run:
system-view
Lawful interception is enabled. When enabling lawful interception, note the following:
- Before enabling lawful interception, you must configure the X3 interface for lawful interception.
- After lawful interception is enabled, the IP address of the X3 interface cannot be deleted or changed. To change the IP address of the X3 interface, run the undo lawful-interception enable command to disable lawful interception.
- After you run the undo lawful-interception enable command, the ME60 deletes the information delivered by the LIG, including:
  - IP address of the LIG
  - Information about the intercepted user
By default, lawful interception is disabled.
----End
Networking Requirements
As shown in Figure 10-3, the ME60 functions as the network device of the carrier. Loopback0 is the X3 interface connected to the LIG. Based on this network, the ME60 performs lawful interception through the X3 interface. The PPPoE user connects to the ME60 through GE8/0/1. RADIUS authentication and RADIUS accounting are adopted for the user. The RADIUS server provides the IRI for the LIG. The LIG delivers information required for lawful interception to the ME60 through the SNMP protocol. The ME60 sends the interception information to the LIG through the X3 interface. Figure 10-3 Networking of lawful interception
[Figure 10-3: the user reaches the ME60 through a LAN switch; the ME60 connects to the Internet, the RADIUS server and the LIG (100.100.1.100/24)]
NOTE
In this example, the RADIUS server performs authentication and accounting for the user. You also need to install the interception software, such as IP Probe and Sniffer, to enable the RADIUS server to provide the IRI for the LIG.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure the SNMP Agent and the LIG to ensure normal communication between the ME60 and the LIG.
- Configure the IP address of the X3 interface.
- Configure the address and port number of the X3 interface.
- Enable lawful interception.
- Configure user access.
Data Preparation
To complete the configuration, you need the following data:
- User name and password of the SNMP user and the authentication protocol
- IP address and port number of the X3 interface
Configuration Procedure
1. Configure the SNMP agent.
NOTE
In this example, only the basic configuration of SNMP is described. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
<Quidway> system-view
[Quidway] snmp-agent
[Quidway] snmp-agent sys-info version all
[Quidway] snmp-agent community read public
[Quidway] snmp-agent community write private
[Quidway] snmp-agent group v3 huawei authentication read-view snmpv3 write-view snmpv3
[Quidway] snmp-agent mib-view included snmpv3 iso
[Quidway] snmp-agent usm-user v3 usera huawei authentication-mode md5 123456789
NOTE
After configuring the SNMP agent, you must configure the LIG so that the ME60 can communicate with the LIG. You need to configure the SNMP information, addresses of the X2 and X3 interfaces, port numbers used on the X2 and X3 interfaces, and information about the intercepted flows. For the configuration procedure, refer to documents about the LIG. The ME60 works with the LIGs of other vendors to implement lawful interception. Huawei does not provide the LIG.
2.
3.
4.
5. Configure access of the PPPoE user. For the configuration procedure, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.
Configuration Files
#
 sysname Quidway
#
lawful-interception x3-interface loopback port 3000
lawful-interception enable
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
interface Virtual-Template1
#
interface GigabitEthernet8/0/1
 pppoe-server bind Virtual-Template 1
 bas
  access-type layer2-subscriber
#
interface LoopBack0
 ip address 100.100.100.1 255.255.255.0
#
ip pool pool1 local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
#
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
snmp-agent group v3 huawei authentication read-view snmpv3 write-view snmpv3
snmp-agent mib-view included snmpv3 iso
snmp-agent usm-user v3 usera huawei authentication-mode md5 F;MZ0<T2Z.R:_-XWOW W!L1!!
#
return
11
About This Chapter
This chapter describes the concept and configuration of user logs.
11.1 Introduction
This section describes the concept and classification of user logs.
11.2 Configuring the User Log
This section describes how to configure the user log.
11.3 Debugging the User Log
This section provides the command for enabling debugging of the user log.
11.4 Configuration Examples
This section provides a configuration example of the user log.
11.1 Introduction
This section describes the concept and classification of user logs. Most countries have specific requirements for information security. An ISP must have the capability of recording activities of users, such as login, logout, and access to network resources. The ME60 provides user logs to record information about user login and logout so that carriers and security agents can manage and monitor users. The user log on the ME60 contains the user name, operation type (login and logout), login and logout time, VLAN/PVC, access interface, IP address, and MAC address of the user.
Pre-configuration Task
None.
Data Preparation
To configure the user log, you need the following data.
No.  Data
1    IP address and port number of the log host
2    Version of the user log packet
Context
NOTE
The user log host receives the user log packets sent by the ME60 and analyzes the packets. Before enabling the user log function, you must configure the user log host.
Procedure
Step 1 Run:
system-view
The version configured on the ME60 must be the same as the version configured on the user log host. By default, the version of user log packets is not configured in the system. Therefore, before enabling the user log function, you must configure the version of user log packets.
Procedure
Step 1 Run:
system-view
The version of the user log packets is configured. The format of the user log packets has two versions: version 1 and version 2. The two versions are different in the format of the VLAN/PVC field in the packets, as shown in Table 11-1.
Table 11-1 Difference between the two versions of the user log packets
Version 1: VLAN: a common VLAN number of two bytes. PVC: a PVC number of two bytes.
Version 2: VLAN: a stack VLAN number of two bytes (0 bytes if there is no stack VLAN number) and a common VLAN number of two bytes. PVC: a VPI number of two bytes and a VCI number of two bytes.
----End
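An added example (not Huawei code) that decodes the VLAN and PVC fields of Table 11-1 for both packet versions and shows how a version mismatch between the ME60 and the log host surfaces; big-endian byte order and already-extracted field bytes are assumptions.

```python
"""Added example (not Huawei code): decode the VLAN and PVC fields of a user log
packet according to Table 11-1, and show why the version configured on the ME60
and on the log host must match.

Assumptions, labelled here: the field bytes have already been cut out of the
packet and are big-endian; a version 2 VLAN field with no stack VLAN is just the
two-byte common VLAN. The byte strings below are constructed samples."""
import struct


def parse_vlan_field(version, data):
    """Return the VLAN numbers carried in a user log VLAN field."""
    if version == 1:
        if len(data) != 2:
            raise ValueError("version 1 VLAN field must be 2 bytes")
        (vlan,) = struct.unpack("!H", data)
        return {"vlan": vlan}
    if version == 2:
        if len(data) == 4:                     # stack VLAN + common VLAN
            stack, vlan = struct.unpack("!HH", data)
            return {"stack_vlan": stack, "vlan": vlan}
        if len(data) == 2:                     # no stack VLAN (0 bytes)
            (vlan,) = struct.unpack("!H", data)
            return {"stack_vlan": None, "vlan": vlan}
        raise ValueError("version 2 VLAN field must be 2 or 4 bytes")
    raise ValueError(f"unsupported user log version {version}")


def parse_pvc_field(version, data):
    """Return the PVC identification carried in a user log PVC field."""
    if version == 1:
        if len(data) != 2:
            raise ValueError("version 1 PVC field must be 2 bytes")
        (pvc,) = struct.unpack("!H", data)
        return {"pvc": pvc}
    if version == 2:
        if len(data) != 4:
            raise ValueError("version 2 PVC field must be 4 bytes")
        vpi, vci = struct.unpack("!HH", data)
        return {"vpi": vpi, "vci": vci}
    raise ValueError(f"unsupported user log version {version}")


def host_can_decode(host_version, vlan_bytes, pvc_bytes):
    """True when a log host configured for host_version decodes both fields.
    The two-byte versus four-byte PVC field makes a version mismatch visible
    as a length error instead of a silently wrong value."""
    try:
        parse_vlan_field(host_version, vlan_bytes)
        parse_pvc_field(host_version, pvc_bytes)
    except ValueError:
        return False
    return True


# Constructed version 2 sample: stack VLAN 100, common VLAN 200, VPI 8, VCI 35.
V2_VLAN = b"\x00\x64\x00\xc8"
V2_PVC = b"\x00\x08\x00\x23"

if __name__ == "__main__":
    print(parse_vlan_field(2, V2_VLAN), parse_pvc_field(2, V2_PVC))
    print("host on version 1 decodes v2 fields:", host_can_decode(1, V2_VLAN, V2_PVC))
```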
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The user log behavior is defined. After the version of user log packets and the log host are configured and the log function is enabled, the system records the information about login and logout activities of each user in the log. For the configurations of the traffic classifier, traffic behavior, and traffic policy, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS. ----End
CAUTION
Debugging affects the system performance. So, after debugging, run the undo debugging all command to disable it immediately.
When a fault occurs in the user log function, run the following debugging command in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
Action: Enable the debugging of the user log.
Command: debugging ip userlog { access | all | error | packet }
[Figure: users on network 1.1.1.0 access the ME60 through GE1/0/0.1]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure user access.
2. Configure the user log.
3. Define an ACL.
4. Configure the traffic classifier that is based on the ACL rules.
5. Configure the traffic behavior of recording the user log.
6. Configure a traffic policy and associate the traffic behavior with the traffic classifier.
7. Apply the traffic policy to the interface.
Data Preparation
None.
Configuration Procedure
# Configure the user log function.
<Quidway> system-view
[Quidway] ip userlog access export version 1
[Quidway] ip userlog access export host 10.10.10.1 1200
[Quidway] ip userlog
# Configure user access. The configuration procedure is not mentioned here. For the configuration procedure and configuration file, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.
NOTE
When configuring user access, run the user-group group-name command to set the user group name to access.
# Define an ACL rule to identify the Internet access service with the source IP address.
[Quidway] acl number 6000
[Quidway-acl-ucl-6000] rule permit ip source user-group access
[Quidway-acl-ucl-6000] quit
# Configure the policy, in which the traffic classifier is associated with the behavior.
[Quidway] traffic policy policy1
[Quidway-trafficpolicy-policy1] classifier class1 behavior behav1
[Quidway-trafficpolicy-policy1] quit
Configuration Files
#
 sysname Quidway
#
user-group access
#
acl number 6000
 rule 5 permit ip source user-group access
#
traffic classifier class1 operator or
 if-match acl 6000
#
traffic behavior behav1
 userlog
#
traffic policy policy1
 classifier class1 behavior behav1
#
#
interface GigabitEthernet1/0/0.1
 traffic-policy policy1 inbound
#
ip userlog access export version 1
ip userlog access export host 10.10.10.1 1200
ip userlog access
#
return
12
About This Chapter
This chapter describes how to configure ARP Security.
12.1 Overview to ARP Security
This section describes the principle and concepts of ARP security features.
12.2 Preventing Attacks on ARP Entries
This section describes how to prevent attacks on ARP entries.
12.3 Preventing Scanning Attacks
This section describes how to prevent scanning attacks.
12.4 Maintaining the ARP Security
This section describes how to display and remove statistics about ARP packets and debug ARP packets.
12.5 Configuration Examples
This section provides several configuration examples of ARP security features.
[Figure 12-1: PC A (attacker, 192.168.0.1/24, MAC 0000-0000-00aa), PC B (192.168.0.2/24, MAC 0000-0000-00ab) and PC C (192.168.0.3/24, MAC 0000-0000-00ac) are attached to the ME60 (192.168.0.10/24, MAC 0018-8200-000f); PC A sends bogus ARP Requests asking for the MAC address of 192.168.0.10]
As shown in Figure 12-1, the attacker PC A sends a large number of bogus ARP Request packets and gratuitous ARP packets (only VLANIF interfaces learn gratuitous ARP packets), which results in ARP buffer overflow. Therefore, normal ARP entries cannot be cached and packet forwarding is interrupted.
As shown in Figure 12-2, the attacker PC A sends a large number of bogus ARP Request and Response packets or other packets that can trigger ARP processing on the router. The router is then busy with ARP processing for a long period and ignores other services. Normal packet forwarding is thus interrupted.
Scanning Attacks
The attacker scans hosts in the local network segment or in other network segments with scanning tools. Before returning Response packets, the router must search the ARP entries. If no MAC address corresponding to the destination IP address exists, the ARP module on the router sends ARP Miss packets to the upper layer and requires the upper layer to send ARP Request messages to obtain the MAC address of the destination. A great number of scanning packets generate a large number of ARP Miss packets, so most resources of the router are consumed in processing ARP Miss packets. This affects the processing of other services and is hence called a scanning attack.
12.2.1 Establishing the Configuration Task
12.2.2 Configuring Global Strict ARP Entry Learning
12.2.3 Configuring Strict ARP Entry Learning on Interfaces
12.2.4 Configuring Speed Limit for ARP Packets
12.2.5 Configuring Interface-based ARP Entry Restriction
12.2.6 Enabling Alarm Functions for Potential Attack Behaviors
12.2.7 Checking the Configuration
To configure ARP attack defense, you can configure four features (strict ARP entry learning, speed limit for ARP packets, interface-based ARP entry restriction, and logging of potential attack behaviors) separately or in conjunction. It is recommended that you configure the four features in conjunction to guarantee network security more effectively.
Pre-configuration Task
None.
Data Preparation
To prevent attacks on ARP entries, you need the following data.
No.  Data
1    Limited speed of ARP packets
Procedure
Step 1 Run:
system-view
Strict ARP learning is configured. By default, strict ARP learning is disabled. After the arp learning strict command is run, the ME60 learns only reply packets for the ARP request packets sent by itself.
----End
Do as follows on the ME60 whose ARP entries are to be prevented from being attacked:
Procedure
Step 1 Run:
system-view
The interface view is displayed. The ME60 supports strict ARP entry learning on the following interfaces:
- Ethernet interfaces and their sub-interfaces
- Eth-trunk interfaces and their sub-interfaces
- VLANIF interfaces
Step 3 Run:
arp learning strict { force-enable | force-disable | trust }
- If the keyword force-enable is selected, the ME60 learns on the interface only reply packets for the ARP request packets it sent itself.
- If the keyword force-disable is selected, the strict ARP entry learning function on the interface is disabled.
- If the keyword trust is selected, the strict ARP entry learning function on the interface is disabled and the global ARP entry learning function is enabled.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The interface view is displayed. The following interfaces are supported:
- Layer 3 Ethernet interfaces and sub-interfaces
- Layer 3 GE interfaces and sub-interfaces
- Layer 3 Eth-Trunk interfaces and sub-interfaces
- Layer 3 virtual Ethernet interfaces
- Ethernet sub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces that are configured as QinQ sub-interfaces
- Layer 2 Ethernet ports
- Layer 2 GE ports
- Layer 2 Eth-Trunk ports
- Layer 2 virtual Ethernet ports
- VLANIF interfaces
NOTE
If the interface is a Layer 2 port, the port must join a Virtual Local Area Network (VLAN).
Step 3 Run:
arp-limit [ vlan vlan-id [ to vlan-id2 ] ] maximum maximum
Interface-based ARP entry restriction is configured. vlan-id can be configured in the view of the Layer 2 interface or QinQ sub-interface. If you configure vlan-id in the QinQ sub-interface view, vlan-id specifies the external VLAN ID of the QinQ sub-interface. ----End
Procedure
Step 1 Run:
system-view
Generating and logging alarms for the potential attack behaviors are configured. ----End
Procedure
- Run the display arp speed-limit destination-ip [ slot slot-id ] command to check the limited speed of ARP packets.
- Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to check the limited number of ARP entries on the interface.
----End
Example
Run the display arp speed-limit destination-ip [ slot slot-id ] command, and you can check the timestamp suppression rate configured for the ARP packets. For example:
<Quidway> display arp speed-limit destination-ip slot 3
Slot  SuppressType  SuppressValue
--------------------------------------------------
3     ARP           500
Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command, and you can check the limited number of ARP entries configured on the interface.
<Quidway> display arp-limit
Interface             LimitNum  VlanID  LearnedNum(Mainboard)
---------------------------------------------------------------------------
Eth-Trunk0            100       124     0
Eth-Trunk0            100       125     0
GigabitEthernet2/0/1  16384     0       0
GigabitEthernet4/0/1  100       0       0
GigabitEthernet4/0/2  16384     124     0
---------------------------------------------------------------------------
Pre-configuration Task
None
Data Preparation
To prevent scanning attacks, you need the following data:
No. 1
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Generating and logging alarms for the potential attack behaviors are configured. ----End
Procedure
Step 1 Run the display arp-miss speed-limit source-ip [ slot slot-id ] command to check the limited speed of ARP Miss packets. ----End
Example
Run the display arp-miss speed-limit source-ip [ slot slot-id ] command, and you can check the timestamp suppression rate configured to the ARP Miss packets. For example:
<Quidway> display arp-miss speed-limit source-ip slot 3
Slot  Supp-type  Source-ip
--------------------------------------------------
3     ARP-miss   500
Example
Run the display arp packet statistics [ slot slot-id ] command, and you can check the statistics about ARP packets. For example:
<Quidway> display arp packet statistics
ARP Pkt Received:                     sum 23
ARP-Miss Msg Received:                sum 0
ARP Learnned Count:                   sum 8
ARP Pkt Discard For Limit:            sum 5
ARP Pkt Discard For SpeedLimit:       sum 0
ARP Pkt Discard For Other:            sum 10
ARP-Miss Msg Discard For SpeedLimit:  sum
ARP-Miss Msg Discard For Other:       sum 0
CAUTION
Statistics about ARP packets cannot be restored after you clear them. So, confirm the action before you use the command.
Procedure
l Run the reset arp packet statistic [ slot slot-id ] command in the user view to clear statistics about ARP packets.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, execute the undo debugging all command to disable it immediately. For the procedure of displaying the debugging information, refer to the chapter Maintenance and Debugging in the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management. For explanations of the debugging commands, refer to the ME60 Multiservice Control Gateway Command Reference.
Procedure
- Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ] command in the user view to debug ARP packets.
- Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command in the user view to debug ARP packet processing.
----End
[Figure: ME60A and ME60B attached to the core network]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure strict ARP entry learning.
2. Configure speed limit for ARP packets.
3. Configure interface-based ARP entry restriction.
4. Enable log and alarm functions for potential attack behaviors.
Data Preparations
To complete the configuration, you need the following data:
- Timestamp suppression rate of ARP packets and slot numbers
- Limited number of ARP entries
- Interval for sending alarms
Procedure
Step 1 Configure strict ARP entry learning.
<ME60A> system-view
[ME60A] arp learning strict
Step 2 Configure destination-based speed limit for ARP packets on each slot of the attached device. The speed is limited to 50 packets per second. Take slot 1 as an example.
[ME60A] arp speed-limit destination-ip maximum 50 slot 1
Step 3 Restrict the number of ARP entries on each interface of the attached device to 20. Take GE 1/0/0 as an example.
[ME60A] interface Gigabitethernet 1/0/0
[ME60A-GigabitEthernet1/0/0] arp-limit maximum 20
[ME60A-GigabitEthernet1/0/0] quit
Step 4 Set the interval for logging and generating alarms for potential attack behaviors to 20 seconds.
[ME60A] arp anti-attack log-trap-timer 20
Step 5 Verify the configuration. Use certain tools to send ARP request packets to ME60 A and then run the display arp all command on ME60 A. You can find that the actively sent ARP request packets are not learnt by ME60 A.
<ME60A> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE  VPN-INSTANCE  VLAN/CEVLAN  PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258            I     GE0/0/0
100.1.1.180     000d-88f4-d06b  9         D-0   GE0/0/0
100.1.1.24      0013-d326-ab88  9         D-0   GE0/0/0
100.1.1.166     0014-2afd-7376  10        D-0   GE0/0/0
100.1.1.37      00e0-4c77-a2f9  12        D-0   GE0/0/0
100.1.1.168     000d-88f8-332c  14        D-0   GE0/0/0
100.1.1.48      0015-e9ac-7a30  16        D-0   GE0/0/0
32.1.1.1        0088-0010-000a            I     GE3/0/9
24.1.1.1        0088-0010-0009            I     GE3/0/8
10.1.1.1        0088-0010-0003            I     GE3/0/2
10.1.1.2        00e0-fc22-18d5  9         D-3   GE3/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7       Static:0    Interface:4
Run the display arp speed-limit command on ME60 A to view the configured limit.
<ME60A> display arp speed-limit destination-ip slot 1
Slot  SuppressType  SuppressValue
--------------------------------------------------
1     ARP           50
Run the display arp packet statistics command on ME60 A to view the numbers of received, learned, and discarded ARP packets. "Discard For Limit" counts packets dropped because an interface has reached its arp-limit; "Discard For SpeedLimit" counts packets dropped by the speed limit.
<ME60A> display arp packet statistics
ARP Pkt Received:                    sum 23
ARP-Miss Msg Received:               sum 0
ARP Learnned Count:                  sum 8
ARP Pkt Discard For Limit:           sum 5
ARP Pkt Discard For SpeedLimit:      sum 0
ARP Pkt Discard For Other:           sum 10
ARP-Miss Msg Discard For SpeedLimit: sum
ARP-Miss Msg Discard For Other:      sum 0
----End
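The verification step above is usually repeated from a monitoring host rather than by eye. The following script is an added example, not code from the Huawei manual: it parses the text that display arp all and display arp packet statistics print (captured over SSH or pasted from a terminal) and checks it against the values configured in this procedure. The two samples are constructed from the output shown on this page, including the ARP-Miss line that the page prints without a value; the interpretation of the discard counters, the 80% warning ratio and all function names are this script's own assumptions.

```python
"""Audit helper for the ARP security verification step (added example, not
Huawei code). Parses "display arp all" and "display arp packet statistics"
output and checks it against arp-limit and the discard counters. Samples are
constructed from the page; counter meanings and thresholds are assumptions."""
import re
from collections import Counter, defaultdict

ARP_ALL_SAMPLE = """\
IP ADDRESS      MAC ADDRESS    EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258           I     GE0/0/0
100.1.1.180     000d-88f4-d06b 9         D-0   GE0/0/0
100.1.1.24      0013-d326-ab88 9         D-0   GE0/0/0
100.1.1.166     0014-2afd-7376 10        D-0   GE0/0/0
100.1.1.37      00e0-4c77-a2f9 12        D-0   GE0/0/0
100.1.1.168     000d-88f8-332c 14        D-0   GE0/0/0
100.1.1.48      0015-e9ac-7a30 16        D-0   GE0/0/0
32.1.1.1        0088-0010-000a           I     GE3/0/9
24.1.1.1        0088-0010-0009           I     GE3/0/8
10.1.1.1        0088-0010-0003           I     GE3/0/2
10.1.1.2        00e0-fc22-18d5 9         D-3   GE3/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7     Static:0    Interface:4
"""
# Constructed from the page; the ARP-Miss SpeedLimit line really has no value there.
STATS_SAMPLE = """\
ARP Pkt Received:                    sum 23
ARP-Miss Msg Received:               sum 0
ARP Learnned Count:                  sum 8
ARP Pkt Discard For Limit:           sum 5
ARP Pkt Discard For SpeedLimit:      sum 0
ARP Pkt Discard For Other:           sum 10
ARP-Miss Msg Discard For SpeedLimit: sum
ARP-Miss Msg Discard For Other:      sum 0
"""
ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?(?P<type>I|S|D-\d+)\s+(?P<intf>\S+)", re.IGNORECASE)
STAT_RE = re.compile(r"^(?P<name>[A-Za-z -]+?):\s+sum(?:\s+(?P<value>\d+))?$")
DROP_COUNTERS = (                              # assumed meaning of each counter
    "ARP Pkt Discard For Limit",               # an interface reached its arp-limit
    "ARP Pkt Discard For SpeedLimit",          # arp speed-limit suppressed packets
    "ARP-Miss Msg Discard For SpeedLimit",     # arp-miss speed-limit suppressed messages
)

def parse_arp_all(text):
    """One dict per ARP entry; header, separator and Total lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append({"ip": m["ip"], "mac": m["mac"].lower(), "type": m["type"].upper(),
                        "intf": m["intf"], "expire": int(m["expire"]) if m["expire"] else None})
    return out

def parse_packet_statistics(text):
    """Counter name -> int, or None when the device printed no value."""
    stats = {}
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m["name"].strip()] = int(m["value"]) if m["value"] else None
    return stats

def dynamic_entries_per_interface(entries):
    """Only dynamic (D-*) entries count against arp-limit; I and S entries do not."""
    return Counter(e["intf"] for e in entries if e["type"].startswith("D"))

def mac_conflicts(entries):
    """MACs bound to more than one IP on the same interface, a spoofing indicator."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e["intf"], e["mac"])].add(e["ip"])
    return {k: v for k, v in seen.items() if len(v) > 1}

def audit(entries, stats, arp_limit=20, warn_ratio=0.8):
    """Return findings as strings; an empty list means nothing to act on."""
    findings = []
    for intf, n in sorted(dynamic_entries_per_interface(entries).items()):
        if n >= arp_limit:
            findings.append(f"{intf}: {n} dynamic entries, arp-limit {arp_limit} reached")
        elif n >= arp_limit * warn_ratio:
            findings.append(f"{intf}: {n} dynamic entries, approaching arp-limit {arp_limit}")
    for name in DROP_COUNTERS:
        value = stats.get(name)
        if value is None:
            findings.append(f"{name}: no value reported, re-run the display command")
        elif value > 0:
            findings.append(f"{name} = {value}: ARP security is dropping packets")
    for (intf, mac), ips in sorted(mac_conflicts(entries).items()):
        findings.append(f"{intf}: MAC {mac} is bound to {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_arp_all(ARP_ALL_SAMPLE), parse_packet_statistics(STATS_SAMPLE)):
        print(finding)
```

On the page's own output the audit reports two things: the Discard For Limit counter is non-zero, so some interface has already hit its arp-limit, and the ARP-Miss SpeedLimit counter came back without a value and should be re-read. Feed the script two snapshots taken a few seconds apart and diff the counters to see whether the drops are ongoing rather than historical.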
Configuration Files
The configuration file of ME60 A is as follows:
#
 sysname ME60A
#
 arp learning strict
 arp speed-limit destination-ip maximum 50 slot 1
 arp anti-attack log-trap-timer 20
#
interface GigabitEthernet1/0/0
 arp-limit maximum 20
return
12.5.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks
Networking Requirements
As shown in Figure 12-4, a cyber cafe accesses the Internet through the ME60. ARP security features need to be configured on the ME60 to protect the cyber cafe against attacks on ARP entries and scanning attacks.
Figure 12-4 Network diagram of preventing attacks on ARP entries and scanning attacks
(Figure: cyber cafe -- ME60 -- Internet)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the following to prevent attacks on ARP entries:
   - Configure strict ARP entry learning.
   - Configure speed limit for ARP packets.
   - Configure interface-based ARP entry restriction.
   - Enable log and alarm functions for potential attack behaviors.
2. Configure speed limit for ARP Miss messages to prevent scanning attacks.
Data Preparations
To complete the configuration, you need the following data:
- Suppression rate (speed limit) of ARP packets and the slot numbers it applies to
- Maximum number of ARP entries allowed per interface
- Interval for sending logs and alarms
- Suppression rate (speed limit) of ARP Miss messages and the slot numbers it applies to
Procedure
Step 1 Configure strict ARP entry learning. With strict learning enabled, the ME60 creates an ARP entry only from an ARP reply that answers a request it sent itself; unsolicited ARP requests and replies do not create entries.
<Quidway> system-view
[Quidway] arp learning strict
Step 2 Configure destination IP address-based speed limiting of ARP packets on each slot of the ME60. The limit is 50 packets per second; slot 1 is used as an example.
[Quidway] arp speed-limit destination-ip maximum 50 slot 1
Step 3 Restrict the number of ARP entries that can be learned on each interface of the ME60 to 20. GE 1/0/0 is used as an example.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] arp-limit maximum 20
[Quidway-GigabitEthernet1/0/0] quit
Step 4 Set the interval for logging and generating alarms for potential attack behaviors to 20 seconds.
[Quidway] arp anti-attack log-trap-timer 20
Step 5 Configure source IP address-based speed limiting of ARP Miss messages on each slot of the ME60. The limit is 50 ARP Miss messages per second per source IP address; slot 1 is used as an example. A scanning host triggers one ARP Miss message for every probed address that has no ARP entry, so limiting by source address throttles the scanner without affecting other hosts.
[Quidway] arp-miss speed-limit source-ip maximum 50 slot 1
Step 6 Verify the configuration. Use a packet generator to send unsolicited ARP request packets to the ME60, and then run the display arp all command on the ME60. Because strict learning is enabled, the unsolicited ARP requests do not create ARP entries; only replies to ARP requests that the ME60 sent itself are learned.
<Quidway> display arp all
IP ADDRESS      MAC ADDRESS    EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258           I     GE0/0/0
100.1.1.180     000d-88f4-d06b 9         D-0   GE0/0/0
100.1.1.24      0013-d326-ab88 9         D-0   GE0/0/0
100.1.1.166     0014-2afd-7376 10        D-0   GE0/0/0
100.1.1.37      00e0-4c77-a2f9 12        D-0   GE0/0/0
100.1.1.168     000d-88f8-332c 14        D-0   GE0/0/0
100.1.1.48      0015-e9ac-7a30 16        D-0   GE0/0/0
32.1.1.1        0088-0010-000a           I     GE3/0/9
24.1.1.1        0088-0010-0009           I     GE3/0/8
10.1.1.1        0088-0010-0003           I     GE3/0/2
10.1.1.2        00e0-fc22-18d5 9         D-3   GE3/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7     Static:0    Interface:4
Run the display arp speed-limit command on the ME60 to view the configured ARP packet limit, and the display arp-miss speed-limit command to view the configured ARP Miss message limit.
<Quidway> display arp speed-limit destination-ip slot 1
Slot  SuppressType  SuppressValue
--------------------------------------------------
1     ARP           50
<Quidway> display arp-miss speed-limit source-ip slot 1
Slot  SuppressType  SuppressValue
--------------------------------------------------
1     ARP-miss      50
Use a scanning tool to sweep the addresses behind the ME60, and then run the display arp packet statistics command on the ME60 to view the number of discarded ARP Miss messages.
<Quidway> display arp packet statistics
ARP Pkt Received:                    sum 23
ARP-Miss Msg Received:               sum 0
ARP Learnned Count:                  sum 8
ARP Pkt Discard For Limit:           sum 5
ARP Pkt Discard For SpeedLimit:      sum 0
ARP Pkt Discard For Other:           sum 10
ARP-Miss Msg Discard For SpeedLimit: sum
ARP-Miss Msg Discard For Other:      sum 0
----End
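Step 5 limits ARP Miss messages per source IP address because that is the signature of a scan: one host, many destinations with no ARP entry. The following model is an added example, not code from the Huawei manual. It applies that accounting to a constructed packet trace so the effect of the configured threshold can be seen before it is enabled on a live box. The trace, the fixed one-second window, the two pre-existing ARP entries and the function names are assumptions; the real device also scopes the limit per slot, which this model ignores.

```python
"""Model of the per-source ARP Miss speed limit used against scanning (added
example, not Huawei code). A packet to a directly connected address with no
ARP entry raises an ARP Miss; "arp-miss speed-limit source-ip maximum N"
caps the ARP Miss messages accepted per source IP per second. The trace, the
one-second window and the known-host set are constructed assumptions."""
from collections import defaultdict

def arp_miss_rate_limit(packets, known_hosts, maximum=50):
    """packets: iterable of (timestamp_seconds, src_ip, dst_ip).

    Returns {src_ip: {"miss": n, "accepted": a, "dropped": d}}: "miss" counts
    packets to addresses without an ARP entry; accepted/dropped split those
    misses by the per-source, per-second limit (fixed window, an assumption).
    """
    window_count = defaultdict(int)      # (src_ip, whole second) -> misses accepted so far
    report = defaultdict(lambda: {"miss": 0, "accepted": 0, "dropped": 0})
    for ts, src, dst in sorted(packets):
        if dst in known_hosts:
            continue                     # ARP entry exists, no ARP Miss is raised
        r = report[src]
        r["miss"] += 1
        key = (src, int(ts))
        if window_count[key] < maximum:
            window_count[key] += 1
            r["accepted"] += 1           # an ARP request for dst would be sent
        else:
            r["dropped"] += 1            # suppressed by arp-miss speed-limit
    return dict(report)

def throttled_sources(report):
    """Sources that lost at least one ARP Miss to the limit, i.e. suspected scanners."""
    return {src for src, r in report.items() if r["dropped"] > 0}

# Constructed: two ARP entries already present on the subnet interface.
KNOWN_HOSTS = {"100.1.1.1", "100.1.1.200"}

def build_trace():
    """Constructed trace: one host sweeps 100.1.1.0/24 in half a second (2 ms
    per probe) while a normal host talks mostly to the known gateway."""
    trace = []
    scanner = "100.1.1.50"
    for i, last in enumerate(o for o in range(1, 255) if o != 50):
        trace.append((i * 0.002, scanner, f"100.1.1.{last}"))
    normal = "100.1.1.24"
    for ts, dst in [(0.10, "100.1.1.200"), (0.30, "100.1.1.200"), (0.35, "100.1.1.77"),
                    (0.60, "100.1.1.200"), (0.80, "100.1.1.78")]:
        trace.append((ts, normal, dst))
    return trace

if __name__ == "__main__":
    result = arp_miss_rate_limit(build_trace(), KNOWN_HOSTS, maximum=50)
    for src, counts in sorted(result.items()):
        print(src, counts)
    print("throttled:", sorted(throttled_sources(result)))
```

With the page's value of 50, the scanner's 251 ARP Misses are cut to 50 per second while the normal host's two ARP Misses pass untouched. The same function with maximum raised above the sweep size drops nothing, which is the quickest way to see that the threshold, not the feature, decides whether a given access network is protected.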
Configuration Files
The configuration file of the ME60 is as follows:
#
 sysname Quidway
#
 arp learning strict
 arp speed-limit destination-ip maximum 50 slot 1
 arp-miss speed-limit source-ip maximum 50 slot 1
 arp anti-attack log-trap-timer 20
#
interface GigabitEthernet1/0/0
 arp-limit maximum 20
return
A Glossary
This appendix lists the glossary of terms in this manual.

A
attack defense: A function of detecting various network attacks and protecting the intranet against malicious attacks.
authenticate: To verify the legality of a user before the user accesses the Internet or an Internet service.

C
CC: Contents of communication that the lawful interception device intercepts, such as email contents and VoIP voice packets.

D
data juggle (data tampering): A security threat in which an attacker selectively changes, deletes, delays, or rearranges system data or a message stream and inserts false messages, thus destroying the consistency of the data.
denial of service: A security threat in which a server denies the request of a legitimate user who wants to access information or resources.
DPI: Deep packet inspection, a function that identifies the application carried by a packet by analyzing its application-layer content and provides policies for network control and management.

E
encrypt: To transform a readable message into unreadable text. Unauthorized users cannot obtain the content of the message even if they obtain the encrypted signal.

F
firewall: A system or a group of systems that monitors the channel between the trusted internal network and untrusted external networks to prevent risks from the external networks from affecting the internal network.

I
illegal use: A security threat in which an unauthorized user uses network resources.
inbound: Pertaining to transmission in which data flows from a zone with lower priority to a zone with higher priority.
information theft: A security threat in which an attacker obtains important data or information by wiretapping the network instead of directly attacking the target system.
IPSec: The collective name for a set of network security protocols, including security protocols and encryption protocols, that provides communicating parties with access control, connectionless integrity, data origin authentication, anti-replay protection, encryption, and classification and encryption of data streams.
IRI: User information that the lawful interception device intercepts, such as the location and login time of a user.

L
lawful interception: A law enforcement activity carried out to monitor communication services on the public communications network, according to the related law and the norms for the public communications network.
LIG: Lawful interception gateway. A device used for transfer and adaptation on the interception command issuing interface and the event report interface. An LIG serves as the core of the entire interception system and is responsible for the settings of interception services and for the actual interception.

N
NAT: A mechanism for transforming private addresses into globally routable addresses, which enables private networks to access public networks.
network security service: The measures taken against security threats on a network.

O
outbound: Pertaining to transmission in which data flows from a zone with higher priority to a zone with lower priority.

P
packet filtering firewall: A firewall that filters packets by using ACLs. See also firewall.
proxy firewall: A firewall working at the application layer. It checks the requests of users, connects to the server and forwards the request if authentication succeeds, and then forwards the response of the server to the user.

S
security zone: A combination of multiple interfaces or user domains with the same security attributes.
stateful firewall: A firewall that monitors TCP/UDP sessions by using state tables and forwards the packets associated with allowed sessions. It also analyzes the application-layer state of the packets in the TCP/UDP sessions and filters packets that do not match.
B Acronyms and Abbreviations
This appendix lists the acronyms and abbreviations mentioned in this manual.

Numeric
3DES     Triple DES

A
AAA      Authentication, Authorization and Accounting
ACL      Access Control List
AH       Authentication Header
ALG      Application Layer Gateway
API      Application Program Interface
ASPF     Application Specific Packet Filter
ATM      Asynchronous Transfer Mode
AUCX     Audit Connection
AUEP     Audit End Point

C
CAC      Call Admission Control
CAR      Committed Access Rate
CCB      Call Control Block

D
DES      Data Encryption Standard
DF       Don't Fragment
DH       Diffie-Hellman
DoS      Denial of Service
DPI      Deep Packet Inspection

G
GRE      Generic Routing Encapsulation
GSM      Global System for Mobile communications

H
HTTP     Hypertext Transfer Protocol
HWCC     Huawei Conference Control Protocol

I
IAD      Integrated Access Device
IADMS    IAD Management System
IANA     Internet Assigned Numbers Authority
ICMP     Internet Control Message Protocol
IETF     Internet Engineering Task Force
IGMP     Internet Group Management Protocol
IKE      Internet Key Exchange
ILS      Internet Location Service
IP       Internet Protocol
IPSec    IP Security
ISAKMP   Internet Security Association and Key Management Protocol
ISDN     Integrated Services Digital Network
ITU      International Telecommunications Union

L
L2TP     Layer 2 Tunneling Protocol
LI       Lawful Interception
LIG      Lawful Interception Gateway

M
MAC      Media Access Control
MD5      Message Digest 5
MF       More Fragment
MGCP     Media Gateway Control Protocol
MIB      Management Information Base
MPLS     Multi-Protocol Label Switching

N
NAPT     Network Address Port Translation
NAT      Network Address Translation
NetBIOS  Network Basic Input/Output System
NGN      Next Generation Network
NMS      Network Management System
NTP      Network Time Protocol

P
P2P      Peer-to-Peer
PAT      Port Address Translation
PC       Personal Computer
PDU      Protocol Data Unit
PFS      Perfect Forward Secrecy
POS      Packet Over SDH
PPTP     Point-to-Point Tunneling Protocol
PSTN     Public Switched Telephone Network

R
RADIUS   Remote Authentication Dial In User Service
RAS      Registration, Admission and Status
RFC      Request for Comments
RSA      Rivest-Shamir-Adleman cryptographic algorithm
RTCP     Real-time Transport Control Protocol
RTP      Real-time Transport Protocol
RTSP     Real Time Streaming Protocol

S
SA       Security Association
SBC      Session Border Controller
SDP      Session Description Protocol
SHA      Secure Hash Algorithm
SIP      Session Initiation Protocol
SMTP     Simple Mail Transfer Protocol
SNMP     Simple Network Management Protocol
SPI      Security Parameter Index
SSH      Secure Shell
SSL      Secure Sockets Layer
SSU