
Quidway ME60 Multiservice Control Gateway V100R006C05

Configuration Guide - Security


Issue 05
Date 2010-09-25

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 05 (2010-09-25)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Quidway ME60 Multiservice Control Gateway Configuration Guide - Security

About This Document



Purpose
This document describes the security services supported by the ME60, including the basic knowledge, configuration procedures, and configuration examples. It provides guidelines for configuring the firewall, NAT, traffic statistics and monitoring, attack defense, URPF, DPI, lawful interception, and user logs. In addition, the document provides a glossary and a list of acronyms and abbreviations. For more information about the configuration commands, refer to "Security Commands" in the Quidway ME60 Multiservice Control Gateway Command Reference.

Related Versions
The following table lists the product version related to this document.

Product Name: ME60
Version: V100R006C05

Intended Audience
This document is intended for:
- Technical support engineers
- Maintenance engineers

Organization
This document is organized as follows.

Chapter 1 Security Overview: This chapter provides basic knowledge about the security service, including threats to Internet security, an overview of network security, and the implementation of network security.

Chapter 2 Firewall Configuration: This chapter describes the configuration of the firewall, including the security zone, ACL packet filtering, ASPF, blacklist, port mapping, and firewall log.

Chapter 3 NAT Configuration: This chapter describes the concept, fundamentals, configuration, and maintenance of NAT.

Chapter 4 Traffic Statistics and Monitoring Configuration: This chapter describes the fundamentals, configuration, and maintenance of traffic statistics and monitoring.

Chapter 5 Attack Defense Configuration: This chapter describes the fundamentals, configuration, and maintenance of attack defense.

Chapter 6 IPSec Configuration: This chapter describes the fundamentals, implementation, and configuration of IPSec.

Chapter 7 IKE Configuration: This chapter describes the fundamentals, implementation, and configuration of IKE.

Chapter 8 URPF Configuration: This chapter describes the fundamentals, implementation, and configuration of URPF.

Chapter 9 DPI Configuration: This chapter describes the fundamentals of DPI and how to configure network-side DPI and user-side DPI.

Chapter 10 Lawful Interception Configuration: This chapter describes the concept, process, and configuration of lawful interception.

Chapter 11 User Log Configuration: This chapter describes the concept and configuration of user logs.

Chapter 12 ARP Security Configuration: This chapter describes how to configure ARP security.

Appendix A Glossary: This appendix provides the glossary of this document.

Appendix B Acronyms and Abbreviations: This appendix lists the acronyms and abbreviations mentioned in this manual and explains them.

Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.

DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP: Indicates a tip that may help you solve a problem or save time.

NOTE: Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.

Times New Roman: Normal paragraphs are in Times New Roman.

Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.

Italic: Book titles are in italics.

Courier New: Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Boldface: The keywords of a command line are in boldface.

Italic: Command arguments are in italics.

[ ]: Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>: The parameter before the & sign can be repeated 1 to n times.

#: A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.

>: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Key: Press the key. For example, press Enter and press Tab.

Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.

Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Click: Select and release the primary mouse button without moving the pointer.

Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.

Drag: Press and hold the primary mouse button and move the pointer to a certain position.

Update History
Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous versions.

Updates in Issue 05 (2010-09-25)


Fifth commercial release. Fixing Bugs.

Updates in Issue 04 (2010-06-01)


Fourth commercial release. Fixing Bugs.

Updates in Issue 03 (2009-07-01)


Third commercial release. Fixing Bugs.

Updates in Issue 02 (2009-03-01)


Second commercial release. Fixing Bugs.

Updates in Issue 01 (2008-11-15)


Initial commercial release.


Contents
About This Document .... iii
1 Security Overview .... 1-1
1.1 Introduction to Network Security .... 1-2
1.1.1 Background .... 1-2
1.1.2 Network Security Service .... 1-2
1.2 Security Features of the ME60 .... 1-2
1.2.1 Firewall .... 1-2
1.2.2 URPF .... 1-3
1.2.3 DPI .... 1-3
1.2.4 Lawful Interception .... 1-3
1.2.5 User Log .... 1-3

2 Firewall Configuration .... 2-1
2.1 Introduction .... 2-2
2.1.1 Functions of Firewall .... 2-2
2.1.2 Classification of Firewalls .... 2-2
2.1.3 Terms Related to the Firewall .... 2-3
2.1.4 Firewall Functions of the ME60 .... 2-4
2.2 Configuring a Zone .... 2-6
2.2.1 Establishing the Configuration Task .... 2-6
2.2.2 (Optional) Configuring the VSU to Work as the SSU .... 2-7
2.2.3 Creating a Zone .... 2-7
2.2.4 Configuring the Priority of a Zone .... 2-7
2.2.5 Adding User Domains or Interfaces to the Zone .... 2-8
2.2.6 Creating an Interzone .... 2-9
2.2.7 Enabling Firewall in the Interzone .... 2-9
2.2.8 Checking the Configuration .... 2-10
2.3 Setting the Aging Time of the Firewall Session Table .... 2-10
2.3.1 Establishing the Configuration Task .... 2-10
2.3.2 (Optional) Setting the Aging Time of the Firewall Session Table .... 2-11
2.3.3 Checking the Configuration .... 2-11
2.4 Configuring ACL-based Packet Filtering .... 2-12
2.4.1 Establishing the Configuration Task .... 2-12
2.4.2 Configuring ACL-based Packet Filtering in an Interzone .... 2-13
2.5 Configuring ASPF .... 2-13
2.5.1 Establishing the Configuration Task .... 2-13
2.5.2 Configuring ASPF in the Interzone .... 2-14
2.5.3 Checking the Configuration .... 2-14
2.6 Configuring the Blacklist .... 2-15
2.6.1 Establishing the Configuration Task .... 2-15
2.6.2 Enabling the Blacklist .... 2-16
2.6.3 (Optional) Adding a Blacklist Entry .... 2-16
2.6.4 (Optional) Configuring the Packet Filtering Type of the Blacklist .... 2-17
2.7 Configuring Port Mapping .... 2-17
2.7.1 Establishing the Configuration Task .... 2-17
2.7.2 Configuring Port Mapping .... 2-18
2.8 Configuring P2P Traffic Control .... 2-19
2.8.1 Establishing the Configuration Task .... 2-19
2.8.2 Enabling P2P Traffic Control .... 2-20
2.8.3 Configuring the CAR Table .... 2-20
2.8.4 Configuring P2P Traffic Control in an Interzone .... 2-21
2.8.5 Configuring P2P Traffic Control Globally .... 2-22
2.8.6 Checking the Configuration .... 2-22
2.9 Configuring Firewall Logs .... 2-22
2.9.1 Establishing the Configuration Task .... 2-23
2.9.2 Enabling the Firewall Log .... 2-23
2.9.3 Configuring a Session Log .... 2-24
2.9.4 (Optional) Configuring Output Interval of Logs .... 2-24
2.9.5 Checking the Configuration .... 2-25
2.10 Configuration Examples .... 2-25
2.10.1 Example for Configuring ACL-based Packet Filtering .... 2-25
2.10.2 Example for Configuring ASPF and Port Mapping .... 2-28
2.10.3 Example for Configuring the Blacklist .... 2-30

3 NAT Configuration .... 3-1
3.1 Introduction .... 3-2
3.1.1 NAT Overview .... 3-2
3.1.2 NAT Types .... 3-3
3.1.3 Advantages and Disadvantages of NAT .... 3-4
3.1.4 Many-to-Many NAT and Address Pool .... 3-4
3.1.5 Internal Server .... 3-5
3.1.6 References .... 3-5
3.2 Configuring NAT .... 3-5
3.2.1 Establishing the Configuration Task .... 3-6
3.2.2 (Optional) Configuring the VSU to Work as the SSU .... 3-6
3.2.3 Configuring the NAT Address Pool .... 3-7
3.2.4 Configuring NAT in an Interzone .... 3-7
3.2.5 (Optional) Configuring the Internal NAT Server .... 3-8
3.2.6 Checking the Configuration .... 3-9
3.3 Configuration Examples .... 3-9
3.3.1 Example for Configuring NAT .... 3-9

4 Traffic Statistics and Monitoring Configuration .... 4-1
4.1 Introduction .... 4-2
4.2 Configuring Traffic Statistics and Monitoring .... 4-2
4.2.1 Establishing the Configuration Task .... 4-3
4.2.2 (Optional) Configuring the VSU to Work as the SSU .... 4-3
4.2.3 (Optional) Configuring the Default Master SSU .... 4-4
4.2.4 Enabling Traffic Statistics and Monitoring .... 4-4
4.2.5 Setting the Session Threshold .... 4-5
4.2.6 Checking the Configuration .... 4-5
4.3 Configuring Zone-based Traffic Statistics and Monitoring .... 4-5
4.3.1 Establishing the Configuration Task .... 4-6
4.3.2 Enabling Traffic Statistics and Monitoring in a Zone .... 4-6
4.3.3 Setting the Session Threshold .... 4-7
4.3.4 Checking the Configuration .... 4-7
4.4 Configuring IP Address-based Traffic Statistics and Monitoring .... 4-8
4.4.1 Establishing the Configuration Task .... 4-8
4.4.2 Enabling IP Address-based Traffic Statistics and Monitoring .... 4-8
4.4.3 Setting the Session Threshold .... 4-9
4.5 Configuration Examples .... 4-10
4.5.1 Example for Configuring System-Level Traffic Statistics and Monitoring .... 4-10
4.5.2 Example for Configuring Zone-based Traffic Statistics and Monitoring .... 4-11
4.5.3 Example for Configuring IP Address-based Traffic Statistics and Monitoring .... 4-13

5 Attack Defense Configuration .... 5-1
5.1 Introduction .... 5-2
5.1.1 Type of Network Attacks .... 5-2
5.1.2 Typical Attacks .... 5-2
5.2 Configuring Attack Defense .... 5-5
5.2.1 Establishing the Configuration Task .... 5-5
5.2.2 (Optional) Configuring the VSU to Work as the SSU .... 5-6
5.2.3 Enabling Attack Defense .... 5-6
5.2.4 Configuring Flood Attack Defense .... 5-8
5.2.5 (Optional) Configuring Scanning Attack Defense .... 5-9
5.2.6 (Optional) Configuring Large ICMP Packet Attack Defense .... 5-10
5.2.7 Checking the Configuration .... 5-10
5.3 Configuration Examples .... 5-10
5.3.1 Example for Configuring Land Attack Defense .... 5-11
5.3.2 Example for Configuring SYN Flood Attack Defense .... 5-13
5.3.3 Example for Configuring IP Address Sweeping Attack Defense .... 5-15

6 IPSec Configuration...................................................................................................................6-1
6.1 Introduction.....................................................................................................................................................6-2 6.1.1 Overview of IPSec.................................................................................................................................6-2 6.1.2 Terms Related to IPSec..........................................................................................................................6-2 6.1.3 IPSec Features Supported by the ME60.................................................................................................6-5 6.2 Defining Data Flows to Be Protected..............................................................................................................6-6 6.2.1 Establishing the Configuration Task......................................................................................................6-6 6.2.2 Defining Data Flows to Be Protected.....................................................................................................6-7 6.3 Configuring an IPSec Proposal.......................................................................................................................6-8 6.3.1 Establishing the Configuration Task......................................................................................................6-8 6.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal View......................................................6-9 6.3.3 Configuring the IPSec Protocol..............................................................................................................6-9 6.3.4 Configuring the Authentication Algorithm..........................................................................................6-10 6.3.5 Configuring the Encryption Algorithm................................................................................................6-11 6.3.6 Configuring the Encapsulation 
Mode..................................................................................................6-11 6.3.7 Checking the Configuration.................................................................................................................6-12 6.4 Configuring an IPSec Policy.........................................................................................................................6-12 6.4.1 Establishing the Configuration Task....................................................................................................6-13 6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View...........................................................6-13 6.4.3 Configuring the ACL Used in the IPSec Policy...................................................................................6-14 6.4.4 Applying the IPSec Proposal to the IPSec Policy................................................................................6-14 6.4.5 Configuring the SA Duration...............................................................................................................6-15 6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)..........................6-16 6.4.7 Configuring the SPI for an SA (for Manual Mode).............................................................................6-16 6.4.8 Configuring Key for an SA (for Manual Mode)..................................................................................6-17 6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode).....................................6-18 6.4.10 Configuring the PFS Feature Used in the IKE Negotiation...............................................................6-18 6.4.11 Configuring the Global SA Duration.................................................................................................6-19 6.4.12 Checking the 
Configuration...............................................................................................................6-19 6.5 Configuring IPSec Policies by Using the IPSec Policy Template................................................................6-20 6.5.1 Establishing the Configuration Task....................................................................................................6-20 6.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View...........................6-21 6.5.3 Configuring the ACL Used in the IPSec Policy Template...................................................................6-22 6.5.4 Applying the IPSec Proposal to the IPSec Policy Template................................................................6-22 6.5.5 Configuring the SA Duration...............................................................................................................6-22 6.5.6 Configuring the IKE Peer for the IPSec Policy Template....................................................................6-23 6.5.7 Configuring the PFS Feature Used in the IKE Negotiation.................................................................6-23 6.5.8 Configuring the Global SA Duration...................................................................................................6-24 6.5.9 Applying the IPSec Policy Template...................................................................................................6-24 6.5.10 Checking the Configuration...............................................................................................................6-25 6.6 Applying an IPSec Policy or an IPSec Policy Group to an Interface............................................................6-25 xii Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 05 (2010-09-25)


6.6.1 Establishing the Configuration Task ..... 6-25
6.6.2 Configuring the IPSec Behavior in the Traffic Policy ..... 6-26
6.6.3 Applying an IPSec Policy or an IPSec Policy Group to an Interface ..... 6-26
6.7 Maintaining IPSec ..... 6-27
6.7.1 Clearing IPSec Packet Statistics ..... 6-27
6.7.2 Debugging IPSec ..... 6-28
6.8 Configuration Examples ..... 6-28
6.8.1 Example for Establishing an SA Manually ..... 6-28

7 IKE Configuration......................................................................................................................7-1
7.1 Introduction ..... 7-2
7.1.1 Overview of IKE ..... 7-2
7.1.2 NAT Traversal in IPSec ..... 7-4
7.1.3 IKE Features of the ME60 ..... 7-4
7.2 Setting the Local ID Used in IKE Negotiation ..... 7-5
7.2.1 Establishing the Configuration Task ..... 7-5
7.2.2 Setting the Local ID Used in IKE Negotiation ..... 7-5
7.3 Configuring an IKE Security Proposal ..... 7-6
7.3.1 Establishing the Configuration Task ..... 7-6
7.3.2 Creating the IKE Security Proposal and Entering the IKE Security Proposal View ..... 7-7
7.3.3 Specifying an Encryption Algorithm ..... 7-7
7.3.4 Specifying an Authentication Method ..... 7-8
7.3.5 Configuring the Authentication Algorithm ..... 7-8
7.3.6 Specifying a DF Group ..... 7-9
7.3.7 Configuring the Duration of ISAKMP SA ..... 7-9
7.3.8 Checking the Configuration ..... 7-10
7.4 Configuring Attributes of the IKE Peer ..... 7-10
7.4.1 Establishing the Configuration Task ..... 7-11
7.4.2 Creating an IKE Peer and Entering the IKE Peer View ..... 7-11
7.4.3 Configuring the IKE Negotiation Mode ..... 7-12
7.4.4 Configuring the IKE Security Proposal ..... 7-12
7.4.5 Configuring the Local ID Type ..... 7-13
7.4.6 Configuring NAT Traversal in IPSec ..... 7-13
7.4.7 Configuring the Identity Authenticator ..... 7-14
7.4.8 Configuring the Peer IP Address or Address Segment ..... 7-14
7.4.9 Configuring the Peer Name ..... 7-15
7.4.10 Checking the Configuration ..... 7-15
7.5 Tuning the IKE Configuration ..... 7-15
7.5.1 Establishing the Configuration Task ..... 7-16
7.5.2 Setting the Interval of Keepalive Packets ..... 7-16
7.5.3 Setting the Timeout Time of Keepalive Packets ..... 7-17
7.5.4 Setting the Interval of NAT Update Packets ..... 7-17
7.6 Maintaining IKE ..... 7-18


7.6.1 Displaying the IKE Configuration ..... 7-18
7.6.2 Clearing the Security Tunnel ..... 7-18
7.6.3 Debugging IKE ..... 7-19

7.7 Configuration Examples ..... 7-19
7.7.1 Example for Establishing an SA Through IKE Negotiation ..... 7-19

8 URPF Configuration..................................................................................................................8-1
8.1 Introduction ..... 8-2
8.1.1 Overview of URPF ..... 8-2
8.1.2 URPF Features of the ME60 ..... 8-4
8.2 Configuring URPF ..... 8-5
8.2.1 Establishing the Configuration Task ..... 8-5
8.2.2 Enabling URPF on an Interface ..... 8-5
8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets ..... 8-6
8.3 Configuration Examples ..... 8-7
8.3.1 Example for Configuring URPF ..... 8-7

9 DPI Configuration.....................................................................................................................9-1
9.1 Introduction ..... 9-2
9.1.1 Overview of DPI ..... 9-2
9.1.2 DPI Functions Supported by the ME60 ..... 9-4
9.2 Configuring Basic DPI Functions ..... 9-4
9.2.1 Establishing the Configuration Task ..... 9-4
9.2.2 (Optional) Configuring the VSU to Work as the DPI Board ..... 9-5
9.2.3 (Optional) Configuring the MAC Address of the DPI Board ..... 9-6
9.2.4 Configuring the Packet Inspection Mode ..... 9-6
9.2.5 (Optional) Configuring the PTS ..... 9-7
9.2.6 Checking the Configuration ..... 9-7
9.3 Configuring Network-side DPI ..... 9-8
9.3.1 Establishing the Configuration Task ..... 9-9
9.3.2 Creating a DPI Policy ..... 9-9
9.3.3 Configuring the DPI Policy ..... 9-10
9.3.4 Configuring a Global DPI Policy Group ..... 9-10
9.3.5 Configuring a DPI Traffic Policy ..... 9-11
9.3.6 Applying the Traffic Policy to the Network Side ..... 9-13
9.3.7 Checking the Configuration ..... 9-13
9.4 Configuring User-side DPI ..... 9-14
9.4.1 Establishing the Configuration Task ..... 9-14
9.4.2 Creating and Configuring a DPI Policy ..... 9-15
9.4.3 Configuring a Common DPI Policy Group ..... 9-15
9.4.4 Applying the User-side DPI Policy to the Domain ..... 9-16
9.4.5 (Optional) Enabling DPI on a BAS Interface ..... 9-16
9.4.6 (Optional) Configuring the Restriction Policy ..... 9-17
9.4.7 Checking the Configuration ..... 9-18


9.5 Configuration Examples ..... 9-18
9.5.1 Example for Configuring the DPI Function ..... 9-19

10 Lawful Interception Configuration....................................................................................10-1


10.1 Introduction ..... 10-2
10.1.1 Concept of Lawful Interception ..... 10-2
10.1.2 Principle of Lawful Interception ..... 10-2
10.1.3 Role of the ME60 in Lawful Interception ..... 10-6
10.2 Configuring Lawful Interception ..... 10-7
10.2.1 Establishing the Configuration Task ..... 10-7
10.2.2 Configuring the IP Address of the X3 Interface ..... 10-7
10.2.3 Configuring the Type and Port Number of the X3 Interface ..... 10-8
10.2.4 Enabling Lawful Interception ..... 10-9
10.2.5 Checking the Configuration ..... 10-9
10.3 Configuration Examples ..... 10-10
10.3.1 Example for Configuring Lawful Interception ..... 10-10

11 User Log Configuration........................................................................................................11-1


11.1 Introduction ..... 11-2
11.2 Configuring the User Log ..... 11-2
11.2.1 Establishing the Configuration Task ..... 11-2
11.2.2 Configuring the User Log Host ..... 11-2
11.2.3 Configuring the Version of User Log Packets ..... 11-3
11.2.4 Enabling the User Log Function ..... 11-4
11.2.5 Applying the User Log ..... 11-4
11.2.6 Checking the Configuration ..... 11-5
11.3 Debugging the User Log ..... 11-5
11.4 Configuration Examples ..... 11-5
11.4.1 Example for Configuring the User Log ..... 11-5

12 ARP Security Configuration................................................................................................12-1


12.1 Overview to ARP Security ..... 12-2
12.1.1 Introduction to ARP Security ..... 12-2
12.1.2 ARP Security Supported by the ME60 ..... 12-3
12.2 Preventing Attacks on ARP Entries ..... 12-3
12.2.1 Establishing the Configuration Task ..... 12-4
12.2.2 Configuring Global Strict ARP Entry Learning ..... 12-4
12.2.3 Configuring Strict ARP Entry Learning on Interfaces ..... 12-5
12.2.4 Configuring Speed Limit for ARP Packets ..... 12-6
12.2.5 Configuring Interface-based ARP Entry Restriction ..... 12-6
12.2.6 Enabling Alarm Functions for Potential Attack Behaviors ..... 12-7
12.2.7 Checking the Configuration ..... 12-7
12.3 Preventing Scanning Attacks ..... 12-8
12.3.1 Establishing the Configuration Task ..... 12-8


12.3.2 Configuring Speed Limit for ARP Miss Packets ..... 12-9
12.3.3 Enabling Alarm Functions for Potential Attack Behaviors ..... 12-9
12.3.4 Checking the Configuration ..... 12-9

12.4 Maintaining the ARP Security ..... 12-10
12.4.1 Displaying Statistics About ARP Packets ..... 12-10
12.4.2 Clearing Statistics About ARP Packets ..... 12-11
12.4.3 Debugging ARP Packets ..... 12-11
12.5 Configuration Examples ..... 12-11
12.5.1 Example for Preventing Attacks on ARP Entries ..... 12-12
12.5.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks ..... 12-14

A Glossary ..... A-1
B Acronyms and Abbreviations ..... B-1


Figures
Figure 2-1 Networking of ACL-based packet filtering ..... 2-26
Figure 2-2 Networking of ASPF and port mapping ..... 2-28
Figure 2-3 Networking of blacklist configuration ..... 2-31
Figure 3-1 Schematic diagram of NAT ..... 3-3
Figure 3-2 Schematic diagram of PAT ..... 3-4
Figure 3-3 Networking of NAT ..... 3-10
Figure 4-1 Limiting the number of sessions initiated by external server ..... 4-2
Figure 4-2 Networking of system-level traffic statistics and monitoring ..... 4-10
Figure 4-3 Networking of zone-based traffic statistics and monitoring ..... 4-12
Figure 4-4 Networking of IP address-based traffic statistics and monitoring ..... 4-14
Figure 5-1 Networking of Land attack defense ..... 5-11
Figure 5-2 Networking of SYN Flood attack defense ..... 5-13
Figure 5-3 Networking of IP address sweeping attack defense ..... 5-15
Figure 6-1 Packets format in transport mode ..... 6-3
Figure 6-2 Packets format in tunnel mode ..... 6-4
Figure 6-3 Networking of IPSec configuration ..... 6-29
Figure 7-1 Process of setting up an SA ..... 7-3
Figure 7-2 Networking of IKE configuration ..... 7-20
Figure 8-1 Schematic diagram of the source address spoofing attack ..... 8-2
Figure 8-2 URPF applied on a single-homed client ..... 8-3
Figure 8-3 URPF applied on a multi-homed client ..... 8-3
Figure 8-4 URPF applied on a multi-homed client with multiple ISPs ..... 8-4
Figure 8-5 Networking of URPF configuration ..... 8-7
Figure 9-1 Comparison between DPI and the common packet analysis ..... 9-2
Figure 9-2 Networking of DPI application ..... 9-3
Figure 9-3 Networking for DPI configuration ..... 9-19
Figure 10-1 Scenario for lawful interception ..... 10-3
Figure 10-2 Process of lawful interception ..... 10-5
Figure 10-3 Networking of lawful interception ..... 10-10
Figure 11-1 Networking for configuring the user log ..... 11-6
Figure 12-1 ARP buffer overflow attacks ..... 12-2
Figure 12-2 ARP DoS attacks ..... 12-3
Figure 12-3 Networking diagram of preventing attacks on ARP entries ..... 12-12


Figure 12-4 Network diagram of preventing attacks on ARP entries and scanning attacks ..... 12-14

Tables
Table 10-1 Description of interfaces for lawful interception ..... 10-4
Table 11-1 Difference between the two versions of the user log packets ..... 11-3


1 Security Overview

About This Chapter

This chapter provides basic knowledge about the security service, including threats to Internet security, network security overview, and implementation of network security.

1.1 Introduction to Network Security
This section describes the background and concept of network security.

1.2 Security Features of the ME60
This section describes the security features supported by the ME60.


1.1 Introduction to Network Security


This section describes the background and concept of network security.

1.1.1 Background
1.1.2 Network Security Service

1.1.1 Background
With the rapid development of the Internet, more and more enterprises rely on Internet services for their business. The Internet, however, is an open network, so the confidential information and resources of enterprises are exposed to malicious threats and attacks. Various measures must be taken to minimize these risks.

1.1.2 Network Security Service


Network security service is the set of measures taken against security threats to protect network security. Network security service is an integrated technology that secures the following:
- The intranet (against illegal access)
- Data exchange between internal and external networks

1.2 Security Features of the ME60


This section describes the security features supported by the ME60.

1.2.1 Firewall
1.2.2 URPF
1.2.3 DPI
1.2.4 Lawful Interception
1.2.5 User Log

1.2.1 Firewall
The firewall is introduced to avoid security risks in network transmission and to prevent external attacks. The firewall supports the following features:
- Packet filtering
- ASPF
- Blacklist
- Port mapping
- P2P traffic control
- Attack defense
- NAT
- Traffic statistics and monitoring
- Firewall log

1.2.2 URPF
Unicast reverse path forwarding (URPF) is used to prevent IP address spoofing attacks. The ME60 can perform a loose URPF check or a strict URPF check on all IP packets received on an interface.

1.2.3 DPI
Deep packet inspection (DPI) analyzes the application layer of the packet to identify services and applications. DPI provides the policies for network control and management.

1.2.4 Lawful Interception


Lawful interception is a law enforcement activity in which communications services on the public communications network are monitored in accordance with the applicable law and the norms for the public communications network. The ME60 functions as the carrier's network equipment that implements lawful interception. The X3 interface of the ME60 sends the content of communication (CC) to the lawful interception gateway (LIG). The X1 interface of the ME60 receives information sent by the LIG, for example, information about the intercepted object.

1.2.5 User Log


Most countries have specific requirements for information security. An ISP must be able to record the activities of users, such as login, logout, and access to network resources. The ME60 provides user logs that record user login and logout information so that carriers and security agencies can manage and monitor users.


2 Firewall Configuration

About This Chapter

This chapter describes the configuration of the firewall, including the security zone, ACL packet filtering, ASPF, blacklist, port mapping, and firewall log.

2.1 Introduction
This section describes the concept and fundamentals of the firewall.

2.2 Configuring a Zone
This section describes how to configure the firewall and partition the network.

2.3 Setting the Aging Time of the Firewall Session Table
This section describes how to set the aging time of the firewall session table.

2.4 Configuring ACL-based Packet Filtering
This section describes how to filter data packets through the ACL.

2.5 Configuring ASPF
This section describes how to configure the ME60 to check the application layer information about data flows to filter data packets.

2.6 Configuring the Blacklist
This section describes how to configure the blacklist to filter out data packets from attackers.

2.7 Configuring Port Mapping
This section describes how to configure the port mapping function so that the firewall can identify the packets of the application-layer protocols that use non-well-known port numbers.

2.8 Configuring P2P Traffic Control
This section describes how to limit the bandwidth of P2P sessions.

2.9 Configuring Firewall Logs
This section describes how to configure firewall logs.

2.10 Configuration Examples
This section provides several configuration examples of the firewall.


2.1 Introduction
This section describes the concept and fundamentals of the firewall.

The concept of a firewall originates from architecture: in a building, a firewall prevents fire from spreading. In communication networks, the firewall has a similar function. A firewall is a system or a group of systems that enforce access control policies. A firewall monitors the channel between the internal network, which is trusted, and the external networks, which are untrusted, so that the risks in the external networks cannot affect the internal network.

2.1.1 Functions of Firewall
2.1.2 Classification of Firewalls
2.1.3 Terms Related to the Firewall
2.1.4 Firewall Functions of the ME60

2.1.1 Functions of Firewall


A firewall is used at the ingress of a protected area. The firewall protects the network based on ACL policies. The firewall provides the following functions:
- Controlling the access to the protected site, including users and information
- Preventing attackers from accessing other security devices
- Controlling the output from the protected site, including users and information

When the firewall resides between an internal network and an external network, it protects the internal network against illegal access, such as unauthorized and unauthenticated access, and malicious attacks. When the firewall resides at the ingress of important resources (such as key servers and secret databases) in an internal network, it prevents certain users from accessing the resources, even if the users are in the internal network. The firewall can also function as a gateway that controls the access right to the Internet. For example, the firewall allows certain users in the internal network to access the Internet after the users are authenticated.

2.1.2 Classification of Firewalls


Firewalls are classified into the following types: packet filtering firewall, proxy firewall, and stateful firewall.

Packet Filtering Firewall


A packet filtering firewall checks the packets at the network layer, and then forwards or discards the packets according to the security policy. The packet filtering firewall filters packets by using the access control list (ACL). Packets are filtered based on the quintuple (source and destination IP addresses, source and destination port numbers, and IP protocol number), IP flag, and delivery direction.


The packet filtering firewall is simple, easy to use, and economical, but it has the following disadvantages:
- As the complexity and length of the ACL increase, the filtering performance degrades exponentially.
- The static ACL rules cannot meet the dynamic security requirements.
- The packet filtering firewall does not check the state of a session or analyze data, and hence the network is subject to IP address spoofing.

Proxy Firewall
A proxy firewall works at the application layer and takes over the services between the internal network and the external network. The proxy firewall checks the requests of users. If the authentication is successful, the firewall connects to the genuine server and forwards the request. The firewall then forwards the response of the server to the user. The proxy firewall can completely control the exchange of network information and the session process, and hence it provides high security. The proxy firewall, however, has the following disadvantages:
- The processing speed is low because of software limitations, and the proxy firewall is subject to denial of service (DoS) attacks.
- The upgrade is difficult because an application proxy is required for each protocol.
NOTE

The ME60 can function as the proxy firewall for only the SYN packets of TCP.

Stateful Firewall
A stateful firewall is an extension of the packet filtering firewall. The stateful firewall not only treats each data packet as an independent unit in the ACL check and filtering, but also considers the association between packets. The stateful firewall monitors the TCP/UDP sessions by using various state tables. The ACL then determines the sessions that can be established. Only the data packets associated with the permitted sessions are forwarded. The stateful firewall also analyzes the application layer state of the data packets in the TCP/UDP sessions, and filters out unqualified data packets. The stateful firewall has a high processing speed and ensures high security because it combines the advantages of the packet filtering firewall and the proxy firewall. The ME60 supports the packet filtering firewall and the stateful firewall.

2.1.3 Terms Related to the Firewall


Security Zone
The security zone, also referred to as a zone, is a basic concept of firewall. All the security policies are enforced based on the zones. A security zone consists of more than one interface or user domain. The interfaces and users in a zone have the same security attributes. The security priority of a zone is globally unique. That is, the priorities of any two zones are different.

The ME60 considers the data delivery within a zone reliable, and therefore it does not enforce any security policy on it. The firewall checks the data and enforces the security policies only when the data flows from one zone to another.

Security Interzone
Any two zones can form an interzone, which has an independent interzone view. Most firewall configurations are performed in the interzone view. Assume that there are two zones, namely, zone1 and zone2. In the view of the interzone, ACL packet filtering can be configured. The ACL packet filtering policy is then enforced on the data delivered between zone1 and zone2.

Direction
In an interzone, data is delivered in a certain direction: inbound or outbound.
- Inbound: indicates that data flows from a zone with lower priority to a zone with higher priority.
- Outbound: indicates that data flows from a zone with higher priority to a zone with lower priority.

2.1.4 Firewall Functions of the ME60


The ME60 supports the following firewall functions: ACL-based packet filtering, application specific packet filtering (ASPF), blacklist, port mapping, NAT, traffic statistics and monitoring, and attack defense. This chapter describes only the functions of ACL-based packet filtering, ASPF, blacklist, P2P traffic control, and firewall logs. The other features are described in the following chapters:
- Chapter 3 "NAT Configuration"
- Chapter 4 "Traffic Statistics and Monitoring Configuration"
- Chapter 5 "Attack Defense Configuration"

ACL-based Packet Filtering


ACL-based packet filtering is used to analyze the quintuple of packets to be forwarded. The ME60 compares the packet information with the ACL rules and determines whether to forward or discard the packets. In addition, the ME60 can filter the fragmented IP packets. Thus the attacker cannot attack the network by using a non-first fragment packet.

ASPF
ASPF is status-based packet filtering applied at the application layer. ASPF detects the application-layer sessions that attempt to pass through the firewall, and denies unnecessary packets. The ACL-based packet filtering firewall detects packets at the network and transport layers. The ASPF function and the common packet filtering firewall can be used together. Thus, the ME60 can enforce the security policies on an internal network. The ME60 can apply ASPF depending on the application layer protocol, such as the File Transfer Protocol (FTP), H.323, Hyper Text Transport Protocol (HTTP), Huawei Conference Control Protocol (HWCC), Internet Location Service (ILS), Network Basic Input/Output System (NetBIOS), and Real Time Streaming Protocol (RTSP).

Blacklist
A blacklist filters packets based on the source IP address. Compared with the ACL, the matching fields used in the blacklist are simple and hence the packets can be filtered at a higher speed. The packets from certain IP addresses can be filtered out. The firewall can add IP addresses to the blacklist dynamically. By judging the packet behaviors, the firewall detects an attack from an IP address. The firewall adds the IP address of the attacker to the blacklist so that packets from the attacker can be filtered out and discarded.

Port Mapping
Application layer protocols use the well-known ports for communication. Port mapping allows you to define a set of port numbers for different applications. You can also specify the hosts that can use the non-well-known ports. Port mapping is meaningful only when it is used with service-sensitive features such as ASPF and NAT. For example, the internal FTP server 10.10.10.10 in the private network of an enterprise provides the FTP service through port 2121. Users can use only 2121 as the port number to access the FTP server through the NAT server. By default, port 21 is used for FTP packets. The FTP server cannot identify the FTP packets that use port 21. In this case, you need to map port 2121 to the FTP protocol. After port mapping, the NAT server can identify the FTP packets that use port 2121 and send the FTP packets to the FTP server. In this way, users can access the FTP server.

P2P Traffic Control


Common point-to-point (P2P) applications, such as BitTorrent (BT), eMule, and eDonkey, usually occupy a great amount of bandwidth and lead to a bandwidth shortage. Therefore, the bandwidth must be controlled for P2P applications. The firewall of the ME60 can identify the packets of a P2P application by the characteristic string in the packets and control the bandwidth assigned to a P2P session. In this manner, the ME60 ensures the provisioning of other services.

Firewall Log
The firewall records the behaviors and states of the firewall in real time. For example, the measures taken against IP address spoofing and the detection of malicious attacks are recorded in the firewall log. The firewall logs are categorized into the following types:
- Session log, which is sent to the log server in real time
- Blacklist log, which is sent to the information center in real time
- Defense log and statistics log, which are sent to the information center periodically

These logs help you find out the security hole, detect the attempts to violate the security policies, and learn the type of a network attack. The real-time log is also used to detect the intrusion that is underway.

2.2 Configuring a Zone


This section describes how to configure the firewall and partition the network.

2.2.1 Establishing the Configuration Task
2.2.2 (Optional) Configuring the VSU to Work as the SSU
2.2.3 Creating a Zone
2.2.4 Configuring the Priority of a Zone
2.2.5 Adding User Domains or Interfaces to the Zone
2.2.6 Creating an Interzone
2.2.7 Enabling Firewall in the Interzone
2.2.8 Checking the Configuration

2.2.1 Establishing the Configuration Task


Applicable Environment
Before configuring the firewall, you need to configure the zones. You can then configure the firewall based on zones or interzones.
NOTE

- The ME60 implements firewall features after the Versatile Service Unit (VSU) is configured as the Security Service Unit (SSU). Therefore, you need to install the VSU before configuring the firewall. For the functions of the VSU in SSU mode, refer to the Quidway ME60 Multiservice Control Gateway Product Description.
- You can run the set lpu-work-mode { dpi | sbc | ssu | tsu } slot slot-id command to implement different service functions.
- In this manual, the VSU operating in SSU mode is called the SSU.

Pre-configuration Task
Before configuring a zone, complete the following tasks:
- Installing the VSU
- Configuring the user domains or interfaces that you need to add to the zone

Data Preparation
To configure a zone, you need the following data.

No.  Data
1    Name of the zone
2    Priority of the zone
3    User domains or interfaces to be added to the zone


2.2.2 (Optional) Configuring the VSU to Work as the SSU


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
set lpu-work-mode ssu slot slot-id

The operation mode of the VSU is set to SSU.

NOTE

- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is already configured properly, you need not configure it again.

----End

2.2.3 Creating a Zone


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall zone zone-name

A zone is created.

Up to 128 zones can be configured on the ME60. No default zone exists.

----End

2.2.4 Configuring the Priority of a Zone


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall zone zone-name

The zone view is displayed.

Step 3 Run:
priority security-priority

The priority of the zone is set.

The priority must be configured; otherwise, other configurations cannot be performed. The priority of a zone ranges from 1 to 200 and is globally unique.

----End

2.2.5 Adding User Domains or Interfaces to the Zone


Context
NOTE

- A user domain or an interface can be added to only one zone. If a user domain or an interface is added to multiple zones, the last zone takes effect.
- When layer-3 leased line users connect to the ME60 through a layer-3 device (for example, a router), the ME60 can implement the firewall function only by adding interfaces to zones.

You can add a user domain and an interface to the same zone. That is, a zone can consist of user domains and interfaces.

Procedure
- Adding a user domain to the zone
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     aaa

     The AAA view is displayed.
  3. Run:
     domain domain-name

     The domain view is displayed.
  4. Run:
     zone zone-name

     The domain is added to the zone.

- Adding an interface to the zone
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number

     The interface view is displayed.
  3. Run:
     zone zone-name

     The interface is added to the zone.
  4. Run:
     shutdown

     The interface is disabled.
  5. Run:
     undo shutdown

     The interface is enabled.

NOTE

After adding an interface to a zone, you must run the shutdown command to disable the interface first, and then run the undo shutdown command to re-enable the interface. Only then does the configuration take effect.

----End

2.2.6 Creating an Interzone


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

An interzone is created. You need to specify two existing zones for the interzone.

----End

2.2.7 Enabling Firewall in the Interzone


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
firewall enable

The firewall is enabled.

----End

2.2.8 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                      Command
Check the configuration of the interzone.   display firewall interzone [ zone-name1 zone-name2 ]
Check the configuration of the zone.        display firewall zone [ zone-name ] [ domain | interface | priority ]

2.3 Setting the Aging Time of the Firewall Session Table


This section describes how to set the aging time of the firewall session table.

2.3.1 Establishing the Configuration Task
2.3.2 (Optional) Setting the Aging Time of the Firewall Session Table
2.3.3 Checking the Configuration

2.3.1 Establishing the Configuration Task


Applicable Environment
The ME60 establishes a session table for data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. The aging time is set for the session table. If a record in the session table does not match any packet within the aging time, the system deletes the record. To change the session duration of a protocol, set the aging time of the firewall session table.

Pre-configuration Task
Before setting the aging time of the firewall session table, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring an interzone and enabling the firewall in the interzone (See "Configuring a Zone.")

Data Preparation
To set the aging time of the firewall session table, you need the following data.

No.  Data
1    Aging time of the session table for each application layer protocol

2.3.2 (Optional) Setting the Aging Time of the Firewall Session Table
Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall session aging-time session-type aging-time

The aging time of the firewall session table is configured.

By default, the aging times of the SYN, FIN-RST, TCP, and UDP session tables are 5 seconds, 10 seconds, 240 seconds, and 40 seconds respectively. For the aging times of other session tables, refer to the Quidway ME60 Multiservice Control Gateway Command Reference.

NOTE

In general, you do not need to change the aging time of a session table.

----End
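The session table and its per-type aging described in this section, modelled in Python as an added example (not Huawei code or the ME60 implementation). The default timers are the ones stated above; the session-type names, the packet dictionary fields and the way TCP flags select a session type are assumptions made for the example.

```python
"""Firewall session table with per-type aging times (added example)."""
from dataclasses import dataclass

# Defaults stated in the guide: SYN 5 s, FIN-RST 10 s, TCP 240 s, UDP 40 s.
DEFAULT_AGING = {"syn": 5, "fin-rst": 10, "tcp": 240, "udp": 40}

# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Session:
    key: tuple         # direction-independent quintuple
    stype: str         # which aging time currently applies
    last_seen: float   # time of the last packet that matched the entry


def session_key(pkt: dict) -> tuple:
    # Both directions of a flow map to the same entry.
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])


def tcp_session_type(flags: int) -> str:
    # Assumed mapping: FIN/RST means the connection is closing and ages out
    # quickly; SYN or SYN-ACK means the handshake is incomplete (half-open);
    # anything else is an established connection.
    if flags & (FIN | RST):
        return "fin-rst"
    if flags & SYN:
        return "syn"
    return "tcp"


class SessionTable:
    def __init__(self):
        self.aging = dict(DEFAULT_AGING)
        self.sessions = {}

    def set_aging_time(self, stype: str, seconds: int) -> None:
        # Mirrors: firewall session aging-time session-type aging-time
        if stype not in self.aging:
            raise ValueError(f"unknown session type {stype}")
        self.aging[stype] = seconds

    def match(self, pkt: dict, now: float) -> str:
        """Record the packet against the table; returns "new" or "existing"."""
        if pkt["proto"] == "tcp":
            stype = tcp_session_type(pkt.get("flags", 0))
        elif pkt["proto"] in self.aging:
            stype = pkt["proto"]
        else:
            raise ValueError(f"no aging time known for {pkt['proto']}")
        key = session_key(pkt)
        entry = self.sessions.get(key)
        if entry is None:
            self.sessions[key] = Session(key, stype, now)
            return "new"
        entry.last_seen = now
        entry.stype = stype   # the latest packet decides which timer applies
        return "existing"

    def expire(self, now: float) -> int:
        """Delete entries idle for longer than their aging time; returns the count."""
        dead = [k for k, s in self.sessions.items()
                if now - s.last_seen > self.aging[s.stype]]
        for k in dead:
            del self.sessions[k]
        return len(dead)

    def session_type(self, pkt: dict):
        """Current session type of the flow the packet belongs to, or None."""
        entry = self.sessions.get(session_key(pkt))
        return None if entry is None else entry.stype
```

A half-open entry created by a lone SYN disappears after 5 seconds while an established connection keeps its 240-second timer, which is why a flood of SYNs does not fill the table for long.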

2.3.3 Checking the Configuration


Run the following commands in any view to check the previous configuration.

Action                                               Command
Check the aging time of the firewall session table.  display firewall session aging-time
Check the entries of the firewall session table.     display firewall session table [ verbose ] [ source { inside | global } src-ip-address [ destination { inside | global } dest-ip-address ] ]

2.4 Configuring ACL-based Packet Filtering


This section describes how to filter data packets through the ACL.

2.4.1 Establishing the Configuration Task
2.4.2 Configuring ACL-based Packet Filtering in an Interzone

2.4.1 Establishing the Configuration Task


Applicable Environment
When data is delivered between two zones, the ACL-based packet filtering firewall enforces the filtering policies according to the ACL rules. The ACLs for filtering packet are classified into the basic ACL and the advanced ACL.

Pre-configuration Task
Before configuring ACL-based packet filtering, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring an interzone and enabling the firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)

Data Preparation
To configure ACL-based packet filtering, you need the following data.

No.  Data
1    Names of the two zones
2    ACL number
3    Direction in which the ACL is applied


2.4.2 Configuring ACL-based Packet Filtering in an Interzone


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
packet-filter acl-number { inbound | outbound }

ACL-based packet filtering is configured.

You can configure ACL-based packet filtering in the interzone for the inbound and outbound packets. By default, ACL-based packet filtering is not configured in the interzone.

NOTE

- The time range configured in the ACL is also applicable to packet filtering.
- For an ACL configured for a VPN, you must configure the VPN instance name.

----End
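The zone, interzone, direction and per-direction packet-filter rules described in 2.1.3 and in this section, modelled in Python as an added example (not Huawei code or the ME60 implementation). The ACL rule syntax, the packet dictionary fields, the permit result for traffic with no interzone or no bound ACL, and the default action for packets that match no rule are assumptions made for the example.

```python
"""Zone / interzone / direction / packet-filter model (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Zone:
    name: str
    priority: int                                 # 1..200, globally unique
    members: set = field(default_factory=set)     # interfaces or user domains


@dataclass
class AclRule:
    action: str                   # "permit" or "deny"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))


class Firewall:
    def __init__(self, default_action: str = "deny"):
        self.zones = {}          # zone name -> Zone
        self.member_zone = {}    # interface or domain name -> zone name
        self.acls = {}           # ACL number -> [AclRule, ...] in order
        self.interzones = {}     # frozenset({z1, z2}) -> {"inbound": acl, "outbound": acl}
        self.default_action = default_action   # assumed: used when no rule matches

    def add_zone(self, name: str, priority: int) -> None:
        # Mirrors: firewall zone zone-name / priority security-priority
        if not 1 <= priority <= 200:
            raise ValueError("zone priority must be between 1 and 200")
        if any(z.priority == priority for z in self.zones.values()):
            raise ValueError(f"priority {priority} is already used by another zone")
        self.zones[name] = Zone(name, priority)

    def add_member(self, zone: str, member: str) -> None:
        # A member belongs to one zone only; a later assignment replaces the earlier.
        old = self.member_zone.get(member)
        if old is not None:
            self.zones[old].members.discard(member)
        self.zones[zone].members.add(member)
        self.member_zone[member] = zone

    def add_interzone(self, z1: str, z2: str) -> None:
        # Mirrors: firewall interzone zone-name1 zone-name2 (both must exist)
        if z1 not in self.zones or z2 not in self.zones or z1 == z2:
            raise ValueError("an interzone needs two different existing zones")
        self.interzones[frozenset((z1, z2))] = {"inbound": None, "outbound": None}

    def packet_filter(self, z1: str, z2: str, acl: int, direction: str) -> None:
        # Mirrors: packet-filter acl-number { inbound | outbound } in the interzone view
        self.interzones[frozenset((z1, z2))][direction] = acl

    def direction(self, src_zone: str, dst_zone: str) -> str:
        # Inbound: lower priority to higher priority. Outbound: the reverse.
        if self.zones[src_zone].priority < self.zones[dst_zone].priority:
            return "inbound"
        return "outbound"

    def decide(self, in_member: str, out_member: str, pkt: dict) -> str:
        """Forwarding decision for a packet entering and leaving via the given members."""
        src_zone = self.member_zone[in_member]
        dst_zone = self.member_zone[out_member]
        if src_zone == dst_zone:
            return "permit"          # delivery within a zone is trusted; no policy applied
        policy = self.interzones.get(frozenset((src_zone, dst_zone)))
        if policy is None:
            return "permit"          # assumed: no interzone means no firewall check
        acl = policy[self.direction(src_zone, dst_zone)]
        if acl is None:
            return "permit"          # packet filtering not configured for this direction
        for rule in self.acls[acl]:
            if rule.matches(pkt):    # first matching rule decides
                return rule.action
        return self.default_action
```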

2.5 Configuring ASPF


This section describes how to configure the ME60 to check the application layer information about data flows to filter data packets.

2.5.1 Establishing the Configuration Task
2.5.2 Configuring ASPF in the Interzone
2.5.3 Checking the Configuration

2.5.1 Establishing the Configuration Task


Applicable Environment
When data is delivered between two zones, ASPF checks the packets at the application layer and discards the unmatched packets.

Pre-configuration Task
Before configuring ASPF, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring an interzone and enabling the firewall in the interzone (See "Configuring a Zone.")

Data Preparation
To configure ASPF, you need the following data.

No.  Data
1    Names of the two zones
2    Type of the application protocol
3    (Optional) Aging time of the session table for each application layer protocol

2.5.2 Configuring ASPF in the Interzone


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
detect { all | ftp | http | pptp }

The ASPF function is configured.

All of these application protocols involve interaction between two parties, so the direction does not need to be configured: the ME60 checks the packets in both directions. By default, ASPF is not configured in the interzone.

----End

2.5.3 Checking the Configuration


Run the following command to check the previous configuration.

Action                                                   Command
Check the ASPF configuration of the firewall interzone.  display firewall interzone [ zone-name1 zone-name2 ]

2.6 Configuring the Blacklist


This section describes how to configure the blacklist to filter out data packets from attackers.

2.6.1 Establishing the Configuration Task
2.6.2 Enabling the Blacklist
2.6.3 (Optional) Adding a Blacklist Entry
2.6.4 (Optional) Configuring the Packet Filtering Type of the Blacklist

2.6.1 Establishing the Configuration Task


Applicable Environment
The blacklist can filter out the packets sent from a specified IP address. An IP address can be added to the blacklist manually or automatically. When the attack defense module of the firewall detects an attack through the packet behavior, the firewall adds the source IP address of the packet to the blacklist. Thus, all the packets from this IP address are filtered out.
NOTE

The IP address that is added to the blacklist must belong to a zone (it may be a zone with low security). The firewall can then detect the attack from this IP address.

Pre-configuration Task
Before configuring the blacklist, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring an interzone and enabling the firewall in the interzone (See "Configuring a Zone.")
- Configuring attack defense if the auto blacklisting function is enabled (See chapter 5 "Attack Defense Configuration.")

Data Preparation
To configure the blacklist, you need the following data.

No.  Data
1    IP address to be added to the blacklist (the VPN instance can be included)
2    (Optional) Aging time of the blacklist entry
3    (Optional) Packet filtering type of the blacklist

2.6.2 Enabling the Blacklist


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist enable

The blacklist is enabled. By default, the blacklist is disabled.

----End

2.6.3 (Optional) Adding a Blacklist Entry


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist item ip-address [ timeout minutes ] [ vpn-instance vpn-instance-name ]

A blacklist entry is added.

By running this command, you can add entries to the blacklist manually. You can specify the IP address, aging time, and VPN instance when adding the entry. The aging time is the period during which the IP address remains effective after it is added to the blacklist. When the aging time expires, the IP address is released from the blacklist. If no aging time is specified, the IP address remains in the blacklist.

NOTE

Blacklist entries without an aging time are written to the configuration file. Blacklist entries with an aging time are not written to the configuration file, but you can view them by using the display firewall blacklist item [ ip-address ] [ vpn-instance vpn-instance-name ] command.

An IP address can be added to the blacklist regardless of whether the blacklist is enabled. That is, even if the blacklist is not enabled, you can still add entries, but the entries do not take effect.

----End

2.6.4 (Optional) Configuring the Packet Filtering Type of the Blacklist


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist filter-type { icmp | others | tcp | udp }

The packet filtering type of the blacklist is configured.

Configuring the packet filtering type specifies which types of packets matching the blacklist are filtered out, such as ICMP, TCP, or UDP. By default, all types of packets matching the blacklist are filtered out.

----End

2.7 Configuring Port Mapping


This section describes how to configure the port mapping function so that the firewall can identify the packets of the application-layer protocols that use non-well-known port numbers.

2.7.1 Establishing the Configuration Task
2.7.2 Configuring Port Mapping

2.7.1 Establishing the Configuration Task


Applicable Environment
Through port mapping, the firewall can identify packets of the application-layer protocols that use non-well-known port numbers. This function can be applied to the features that are sensitive to the application layer, such as ASPF. Port mapping is applicable to application protocols such as FTP, H.323, HTTP, RTSP, and SMTP.

Port mapping is implemented based on the ACL. Port mapping takes effect only when the packet matches an ACL rule. Port mapping employs the basic ACL (numbered 2000 to 2999). When matching the packet against the basic ACL for port mapping, the ME60 compares the destination IP address of the packet with the IP address configured in the basic ACL rule.
NOTE

Port mapping is applied only to the data delivered in the interzone. Therefore, when configuring port mapping, you must configure the zones and interzone.

Pre-configuration Task
Before configuring port mapping, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring an interzone and enabling the firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)

Data Preparation
To configure port mapping, you need the following data.

No.  Data
1    Type of application layer protocol
2    User-defined port to be mapped
3    Number of the basic ACL

2.7.2 Configuring Port Mapping


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
port-mapping protocol-name port port acl acl-number

Port mapping is configured.

You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings, however, must be distinguished by the ACL. That is, packets matching different ACL rules use different mapping entries.
NOTE

Port mapping is used to identify the protocol type of the packets destined for an IP address (such as the IP address of a WWW server). Therefore, when configuring the basic ACL rules, you need to match the destination IP addresses of the packets with the source IP addresses defined in ACL rules.

----End
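The port-mapping lookup described in this section, including the NOTE that the packet's destination IP address is matched against the source address in the basic ACL rule, as an added Python example (not Huawei code or the ME60 implementation). The well-known-port table, the ACL rule syntax and the behaviour when no ACL rule matches are assumptions; the FTP server 10.10.10.10 on port 2121 from 2.1.4 is reused as the sample.

```python
"""Port-mapping lookup for application-layer protocol identification (added example)."""
from ipaddress import ip_address, ip_network

# Well-known ports of the protocols the guide lists for port mapping (assumed table).
WELL_KNOWN_PORTS = {21: "ftp", 25: "smtp", 80: "http", 554: "rtsp", 1720: "h323"}


class BasicAcl:
    """A basic ACL (2000-2999): its rules match on a source address only."""

    def __init__(self, number: int):
        if not 2000 <= number <= 2999:
            raise ValueError("port mapping needs a basic ACL numbered 2000 to 2999")
        self.number = number
        self.rules = []        # (action, network) in configuration order

    def rule(self, action: str, source: str) -> None:
        # e.g. rule("permit", "10.10.10.10/32")
        self.rules.append((action, ip_network(source)))

    def permits(self, address: str) -> bool:
        for action, net in self.rules:
            if ip_address(address) in net:   # first matching rule decides
                return action == "permit"
        return False                          # assumed: no match, the ACL does not apply


class PortMapper:
    def __init__(self):
        self.acls = {}         # ACL number -> BasicAcl
        self.mappings = []     # (protocol, port, ACL number) in configuration order

    def port_mapping(self, protocol: str, port: int, acl: int) -> None:
        # Mirrors: port-mapping protocol-name port port acl acl-number
        if acl not in self.acls:
            raise ValueError(f"ACL {acl} does not exist")
        for proto, prt, num in self.mappings:
            # One port may serve several protocols only if the ACLs differ.
            if prt == port and num == acl and proto != protocol:
                raise ValueError("the same port and ACL cannot be mapped to two protocols")
        self.mappings.append((protocol, port, acl))

    def identify(self, dst_ip: str, dst_port: int):
        """Protocol of a packet sent to dst_ip:dst_port, or None if unknown."""
        for protocol, port, acl in self.mappings:
            # The packet's destination IP is checked against the ACL's source field.
            if port == dst_port and self.acls[acl].permits(dst_ip):
                return protocol
        return WELL_KNOWN_PORTS.get(dst_port)
```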

2.8 Configuring P2P Traffic Control


This section describes how to limit the bandwidth of P2P sessions.

2.8.1 Establishing the Configuration Task
2.8.2 Enabling P2P Traffic Control
2.8.3 Configuring the CAR Table
2.8.4 Configuring P2P Traffic Control in an Interzone
2.8.5 Configuring P2P Traffic Control Globally
2.8.6 Checking the Configuration

2.8.1 Establishing the Configuration Task


Applicable Environment
The P2P traffic control function can be deployed to limit the bandwidth assigned to the P2P applications like BT. P2P traffic control can be deployed globally or in an interzone. The global P2P traffic control is applicable to all the P2P sessions. You can configure the limit of P2P sessions on the equipment. ACLs are used to control bandwidth of P2P applications between zones. The equipment controls bandwidth of the P2P sessions matching the ACL rules. Basic ACLs (numbered from 2000 to 2999) or advanced ACLs (numbered from 3000 to 3999) are used for P2P traffic control.

Pre-configuration Task
Before configuring P2P traffic control, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring an interzone and enabling the firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
- Configuring the time range during which P2P traffic control takes effect (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)

Data Preparation
To configure P2P traffic control, you need the following data.

No.  Data
1    Names of the two zones where P2P traffic control is configured
2    Number of the ACL used for P2P traffic control
3    Direction in which P2P traffic control is applied
4    CAR class, CAR value, and time range
5    (Optional) Maximum number of P2P sessions

2.8.2 Enabling P2P Traffic Control


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall p2p-car enable

P2P traffic control is enabled.

Before configuring the P2P traffic control function, you must enable this function. After you run this command, P2P traffic control is enabled globally and in the interzone. By default, P2P traffic control is disabled.

----End

2.8.3 Configuring the CAR Table


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall car-class class-id cir cir [ time-range range-name ]

The CAR table is configured.

Before configuring the P2P traffic control function, you must configure a CAR table. The CAR table is referenced when P2P traffic control is applied in an interzone or to the entire system. Up to 1024 classes can be configured in a CAR table. Each class is configured with a default CAR and the CARs for up to five time ranges. The default CAR is used if the current time is not in any configured time range. By default, the CAR table contains no CAR classes.

----End
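The following model, added here as an example and not taken from the ME60 guide or Huawei code, shows what the CAR table semantics above amount to: a class holds a default CIR plus CIRs for up to five time ranges, the rate in force at a given clock time is the first matching time range (otherwise the default), and a token-bucket policer enforces that rate on a packet stream. The time-range names, the clock-based lookup, the policer and the sample traffic are assumptions of this example; the ME60's internal implementation is not modelled.

```python
"""CAR table model: per-class default CIR plus up to five time-range CIRs.

Added example, not code from the ME60 guide. It shows how a CAR class
selects the rate in force at a given clock time (the first matching
time range, otherwise the default CIR) and how a token bucket polices a
packet stream at that rate. Time-range names, the clock-based lookup and
the policer are assumptions; the ME60's internals are not modelled.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

MAX_CLASSES = 1024      # classes per CAR table, as stated in the guide
MAX_TIME_RANGES = 5     # time-range CARs per class, as stated in the guide


@dataclass
class TimeRange:
    """Daily window [start, end); may cross midnight (e.g. 22:00-06:00)."""
    name: str
    start: time
    end: time

    def contains(self, now: datetime) -> bool:
        t = now.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


@dataclass
class CarClass:
    class_id: int
    default_cir_kbps: int
    ranged: list = field(default_factory=list)    # [(TimeRange, cir_kbps), ...]

    def add_time_range(self, tr: TimeRange, cir_kbps: int) -> None:
        if len(self.ranged) >= MAX_TIME_RANGES:
            raise ValueError("a CAR class takes at most five time ranges")
        self.ranged.append((tr, cir_kbps))

    def cir_at(self, now: datetime) -> int:
        """First matching time range wins; the default CIR applies otherwise."""
        for tr, cir in self.ranged:
            if tr.contains(now):
                return cir
        return self.default_cir_kbps


class CarTable:
    def __init__(self) -> None:
        self.classes = {}

    def add(self, car: CarClass) -> None:
        if car.class_id not in self.classes and len(self.classes) >= MAX_CLASSES:
            raise ValueError("CAR table full (1024 classes)")
        self.classes[car.class_id] = car

    def cir_for(self, class_id: int, now: datetime) -> int:
        return self.classes[class_id].cir_at(now)


class TokenBucket:
    """Single-rate policer: a packet passes only if enough tokens are left."""

    def __init__(self, cir_kbps: int, burst_bytes: int) -> None:
        self.rate = cir_kbps * 1000 / 8          # bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def admit(self, size: int, ts: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(cir_kbps: int, burst_bytes: int, packets):
    """packets: [(timestamp_s, size_bytes), ...] in time order -> (passed, dropped) bytes."""
    tb = TokenBucket(cir_kbps, burst_bytes)
    passed = dropped = 0
    for ts, size in packets:
        if tb.admit(size, ts):
            passed += size
        else:
            dropped += size
    return passed, dropped


def build_sample_table() -> CarTable:
    """Constructed sample: class 1 is 2000 kbit/s by default, 500 kbit/s 19:00-23:00."""
    table = CarTable()
    car = CarClass(class_id=1, default_cir_kbps=2000)
    car.add_time_range(TimeRange("evening", time(19, 0), time(23, 0)), 500)
    table.add(car)
    return table


def sample_cir(hour: int, minute: int = 0) -> int:
    """CIR that class 1 of the sample table applies at the given clock time."""
    return build_sample_table().cir_for(1, datetime(2010, 9, 25, hour, minute))


if __name__ == "__main__":
    print("20:30 ->", sample_cir(20, 30), "kbit/s; 10:00 ->", sample_cir(10), "kbit/s")
    # constructed burst: 1500 B at t=0, 1000 B at t=0.5, 500 B at t=1.0, policed at 8 kbit/s
    print(police(8, 1500, [(0.0, 1500), (0.5, 1000), (1.0, 500)]))
```

The lookup is deliberately first-match so that overlapping time ranges behave predictably; when planning the five ranges of a class, keep them disjoint so the order in which they were entered does not decide the rate.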

2.8.4 Configuring P2P Traffic Control in an Interzone


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
p2p-car acl-number class class-id { inbound | outbound }

P2P traffic control is configured.

Within an interzone, P2P traffic control can be configured for inbound and outbound traffic separately. By default, P2P bandwidth control is not configured in an interzone.
NOTE

The time range configured in ACL is also applicable to P2P traffic control.

----End

2.8.5 Configuring P2P Traffic Control Globally


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall p2p-car class class-id

P2P traffic control is configured globally.

Step 3 (Optional) Run:
firewall p2p-car session-limit session-number

The maximum number of P2P sessions is set.

Global P2P traffic control takes effect on all P2P sessions. Global P2P bandwidth control allows you to set the CAR class and a limit on the total number of P2P sessions. By default, global P2P bandwidth control is not configured.

----End

2.8.6 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                    Command
Check the CAR table configured for P2P traffic control.   display firewall car-class
Check the configuration of global P2P bandwidth control.  display firewall p2p-car

2.9 Configuring Firewall Logs


This section describes how to configure firewall logs.

2.9.1 Establishing the Configuration Task
2.9.2 Enabling the Firewall Log
2.9.3 Configuring a Session Log
2.9.4 (Optional) Configuring Output Interval of Logs
2.9.5 Checking the Configuration

2.9.1 Establishing the Configuration Task


Applicable Environment
The firewall logs record the behaviors and states of the firewall. These logs help you find security holes, analyze attempts to violate the security policies, and detect network attacks.

Pre-configuration Task
Before configuring the firewall log, complete the following tasks:
• Installing the VSU
• (Optional) Configuring the VSU to Work as the SSU
• Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
• Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
• Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)

Data Preparation
To configure the firewall log, you need the following data.

No.  Data
1    Type of the firewall log
2    IP address and port number of the log host, and the IP address and port number that the ME60 uses to communicate with the log host (for session log)
3    Conditions under which the session information is logged, including the ACL number and the direction (for session log)
4    (Optional) Interval for exporting the defense log or statistics log

2.9.2 Enabling the Firewall Log


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall log { all | blacklist | defend | session | statistics } enable

The firewall log is enabled.

If you use the all keyword in the command, all the firewall logs are enabled. You can also enable the log types one at a time. By default, no firewall log is enabled.

----End

2.9.3 Configuring a Session Log


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall session log-type binary host host-ip-address host-port source src-ip-address src-port

The log host is configured for session logs.

Step 3 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 4 Run:
session-log acl-number { inbound | outbound }

Conditions for generating the session logs are configured.

The session log is exported to a log host in real time. Therefore, you need to configure the log host first. To configure the log host, specify the IP address and port number of the log host and the IP address and port number that the ME60 uses to communicate with the log host. An ACL is referenced in the interzone view to decide the sessions for which the session log is recorded; inbound and outbound traffic are handled separately. By default, the log host is not configured, and the interzone is not configured with the conditions for generating the session log.

----End

2.9.4 (Optional) Configuring Output Interval of Logs

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall { defend | statistics } log-time time

The output interval of the defense log or statistics log is set.

The output interval, in seconds, is the interval at which the logs are exported. The session log is exported to the log host in real time, and the blacklist log is exported to the information center in real time. Therefore, you do not need to set the output interval for these two types of logs. The output interval needs to be set only for the defense log and statistics log. By default, the output interval for either of the two logs is 30 seconds.

----End

2.9.5 Checking the Configuration


Run the following command to check the previous configuration.

Action                                                            Command
Check the output interval for the defense log or statistics log.  display firewall log-time [ defend | statistics ]

2.10 Configuration Examples


This section provides several configuration examples of the firewall.

2.10.1 Example for Configuring ACL-based Packet Filtering
2.10.2 Example for Configuring ASPF and Port Mapping
2.10.3 Example for Configuring the Blacklist

2.10.1 Example for Configuring ACL-based Packet Filtering


Networking Requirements
As shown in Figure 2-1, GE1/0/0 of the ME60 is connected to an internal network with a high security priority; GE2/0/0 of the ME60 is connected to an external network with a low security priority. The firewall needs to filter the packets between the internal and external networks. The requirements are as follows:
• A host (202.39.2.3) in the external network is allowed to access the servers in the internal network.
• Other hosts are not allowed to access the servers in the internal network.

Figure 2-1 Networking of ACL-based packet filtering

(Figure not reproduced. Internal network: FTP server 129.38.1.2, Telnet server 129.38.1.3, WWW server 129.38.1.4, connected to ME60 GE1/0/0 129.38.1.1/24. External network: ME60 GE2/0/0 202.38.160.1/16 to the WAN, with PC 202.39.2.3.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Add the interfaces to the zones.
4. Configure ACLs.
5. Configure ACL-based packet filtering in the interzone view.

Data Preparation
To complete the configuration, you need the following data:
• Slot number of the VSU: 3
• IP addresses of interfaces and servers, as shown in Figure 2-1
• Network security priorities: 100 for the internal network and 1 for the external network
• Numbers of the ACLs that filter the outbound and inbound packets: ACL 3101 for the outbound packets and ACL 3102 for the inbound packets

Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 129.38.1.1 255.255.255.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 202.38.160.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit

3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit

4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit

5. Configure ACLs.
[Quidway] acl 3102
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Quidway-acl-adv-3102] rule deny ip
[Quidway-acl-adv-3102] quit

6. Configure packet filtering.
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] packet-filter 3102 inbound
[Quidway-interzone-zone1-zone2] quit

Configuration Files
#
 sysname Quidway
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 129.38.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 202.38.160.1 255.255.0.0
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 3102 inbound
#
return

2.10.2 Example for Configuring ASPF and Port Mapping


Networking Requirements
As shown in Figure 2-2, GE1/0/0 of the ME60 is connected to an internal network with a high security priority; GE2/0/0 of the ME60 is connected to an external network with a low security priority. The firewall needs to filter the packets between the internal and external networks and perform the ASPF check. The requirements are as follows:
• A host (202.39.2.3) in the external network is allowed to access the servers in the internal network.
• Other hosts are not allowed to access the servers in the internal network.
• The firewall checks the FTP state of the connections and filters the unqualified packets.
• The packets sent from the external host to the FTP server through port 2121 are considered as FTP packets.

Figure 2-2 Networking of ASPF and port mapping

(Figure not reproduced. Internal network: FTP server 129.38.1.2, Telnet server 129.38.1.3, WWW server 129.38.1.4, connected to ME60 GE1/0/0 129.38.1.1/24. External network: ME60 GE2/0/0 202.38.160.1/16 to the WAN, with PC 202.39.2.3.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Add the interfaces to the zones.
4. Configure ACLs.
5. Configure ACL-based packet filtering in the interzone view.
6. Configure ASPF in the interzone.
7. Map port 2121 to the FTP protocol.

Data Preparation
To complete the configuration, you need the following data:
• Slot number of the VSU: 3
• IP addresses of interfaces and servers, as shown in Figure 2-2
• Network security priorities: 100 for the internal network and 1 for the external network
• Number of the ACL that filters the inbound data: 3102
• Number of the ACL required in port mapping: 2102

Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 129.38.1.1 255.255.255.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 202.38.160.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit

3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit

4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit

5. Configure ACLs.
[Quidway] acl 2102
[Quidway-acl-basic-2102] rule permit source 129.38.1.2 0.0.0.0
[Quidway-acl-basic-2102] quit
[Quidway] acl 3102
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Quidway-acl-adv-3102] rule deny ip
[Quidway-acl-adv-3102] quit

6. Configure packet filtering.
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] packet-filter 3102 inbound

7. Configure ASPF.
[Quidway-interzone-zone1-zone2] detect ftp
[Quidway-interzone-zone1-zone2] quit

8. Configure port mapping.
[Quidway] port-mapping ftp port 2121 acl 2102

Configuration Files
#
 sysname Quidway
#
acl number 2102
 rule 5 permit source 129.38.1.2 0
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 129.38.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 202.38.160.1 255.255.0.0
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 3102 inbound
 detect ftp
#
port-mapping ftp port 2121 acl 2102
#
return
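To show what the ACLs in examples 2.10.1 and 2.10.2 actually decide, and how the port-mapping note earlier in this chapter (the basic ACL's source field is compared with the packet's destination address) plays out, here is an added example that is not code from the ME60 guide or from Huawei. It implements wildcard-mask matching, first-match evaluation of advanced ACL 3102, and the lookup behind "port-mapping ftp port 2121 acl 2102". The dict-based packet representation, the implicit deny when no rule matches, the well-known port table and the sample packets are all assumptions constructed for this example.

```python
"""ACL packet filtering and port mapping as configured in examples 2.10.1 and 2.10.2.

Added example, not code from the ME60 guide. It implements wildcard-mask
matching (a 0 bit in the wildcard must match, a 1 bit is ignored),
first-match evaluation of advanced ACL 3102, and the port-mapping lookup
"port-mapping ftp port 2121 acl 2102", which checks the packet's
destination address against the source field of basic ACL 2102, as the
guide's note on port mapping explains. Packets are represented as dicts
(an assumption) and the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Huawei-style wildcard: bits set in the wildcard are 'don't care'."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(rule_addr) & care)


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    proto: str = "ip"                   # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"     # default: any source
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"     # default: any destination
    dport: Optional[int] = None         # optional destination-port condition

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


def acl_decision(rules, pkt: dict, default: str = "deny") -> str:
    """Rules are evaluated in order; the first match decides. The fallback
    when no rule matches is an assumption of this model."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# acl number 3102 (advanced): only host 202.39.2.3 may reach the three servers over TCP
ACL_3102 = [
    Rule("permit", "tcp", "202.39.2.3", "0.0.0.0", "129.38.1.2", "0.0.0.0"),
    Rule("permit", "tcp", "202.39.2.3", "0.0.0.0", "129.38.1.3", "0.0.0.0"),
    Rule("permit", "tcp", "202.39.2.3", "0.0.0.0", "129.38.1.4", "0.0.0.0"),
    Rule("deny"),                       # rule 20 deny ip
]

# acl number 2102 (basic): rule 5 permit source 129.38.1.2 0  (the FTP server)
ACL_2102 = [Rule("permit", src="129.38.1.2", src_wc="0.0.0.0")]

# port-mapping ftp port 2121 acl 2102  ->  (protocol, port, acl)
PORT_MAPPINGS = [("ftp", 2121, ACL_2102)]
WELL_KNOWN_PORTS = {21: "ftp", 23: "telnet", 80: "http"}   # assumed default table


def identify_protocol(pkt: dict) -> str:
    """Protocol the ASPF engine would assume for the packet."""
    if pkt["proto"] == "tcp":
        for proto, port, acl in PORT_MAPPINGS:
            # the basic ACL's *source* field is compared with the packet's *destination*
            probe = {"proto": "ip", "src": pkt["dst"], "dst": pkt["src"]}
            if pkt["dport"] == port and acl_decision(acl, probe) == "permit":
                return proto
    return WELL_KNOWN_PORTS.get(pkt.get("dport"), "unknown")


def filter_inbound(pkts) -> list:
    """Apply 'packet-filter 3102 inbound' to external-to-internal packets."""
    return [(p["src"], p["dst"], p["dport"], acl_decision(ACL_3102, p)) for p in pkts]


SAMPLE_PACKETS = [   # constructed for this example
    {"proto": "tcp", "src": "202.39.2.3", "dst": "129.38.1.2", "dport": 2121},
    {"proto": "tcp", "src": "202.39.2.3", "dst": "129.38.1.3", "dport": 23},
    {"proto": "tcp", "src": "202.39.2.9", "dst": "129.38.1.4", "dport": 80},
    {"proto": "udp", "src": "202.39.2.3", "dst": "129.38.1.2", "dport": 69},
]

if __name__ == "__main__":
    for row in filter_inbound(SAMPLE_PACKETS):
        print(row)
    print(identify_protocol(SAMPLE_PACKETS[0]))   # ftp, via the port mapping
```

Two points the run makes visible: the permit rules of ACL 3102 are protocol-specific, so a UDP packet from the permitted host still hits "rule 20 deny ip"; and port 2121 is treated as FTP only for packets whose destination is 129.38.1.2, the address listed as source in ACL 2102, which is exactly why the note on port mapping tells you to write the server address into the basic ACL's source field.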

2.10.3 Example for Configuring the Blacklist


Networking Requirements
As shown in Figure 2-3, GE1/0/0 of the ME60 is connected to an enterprise network with a high security priority; GE2/0/0 of the ME60 is connected to the Internet with a low security priority. The firewall needs to apply attack defense and the blacklist to packets from the Internet to the enterprise network. If the firewall finds that an IP address attacks the enterprise network through IP address sweeping, it blacklists the IP address. The maximum session rate is 5000 pps, and the timeout of the blacklist is 30 minutes.

In addition, if the firewall detects that IP address 202.39.1.2 attacks the enterprise network more than once, you can add the IP address to the blacklist manually. IP addresses added manually stay in the blacklist permanently.

Figure 2-3 Networking of blacklist configuration

(Figure not reproduced. Enterprise network: server 1.1.0.2, connected to ME60 GE1/0/0 1.1.0.1/16. Internet side: ME60 GE2/0/0 2.2.0.1/16.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Configure ACLs.
4. Configure packet filtering.
5. Add the interfaces to the zones.
6. Configure the parameters for preventing the attack of IP address sweeping.
7. Add blacklist entries manually.

Data Preparation
To complete the configuration, you need the following data:
• Slot number of the VSU: 3
• IP addresses of interfaces and servers, as shown in Figure 2-3
• Network security priorities: 100 for the internal network and 1 for the external network

Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit

3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit

4. Configure ACLs.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source any
[Quidway-acl-basic-2000] quit

5. Configure packet filtering.
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] packet-filter 2000 inbound

6. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit

7. Configure the parameters for preventing the attack of IP address sweeping.
[Quidway] firewall defend ip-sweep enable
[Quidway] firewall defend ip-sweep blacklist-timeout 30
[Quidway] firewall defend ip-sweep max-rate 5000

8. Configure the blacklist.
[Quidway] firewall blacklist enable
[Quidway] firewall blacklist item 202.39.1.2

Configuration Files
#
 sysname Quidway
#
acl number 2000
 rule 5 permit source any
#
firewall blacklist enable
firewall blacklist item 202.39.1.2
#
firewall defend ip-sweep enable
firewall defend ip-sweep max-rate 5000
firewall defend ip-sweep blacklist-timeout 30
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 2000 inbound
#
return
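The following example, added here and not code from the ME60 guide or from Huawei, models the defensive behaviour this configuration asks for: a source that probes more distinct internal addresses per second than max-rate is blacklisted automatically for blacklist-timeout minutes, and an address added with "firewall blacklist item" stays blacklisted permanently. The one-second sliding-window counting method, the packet representation and the sample traffic are constructions of this example; the ME60's own detection algorithm is not documented on this page and is not claimed here.

```python
"""IP-sweep defense with automatic and manual blacklist entries (example 2.10.3).

Added example, not code from the ME60 guide. Per source address it keeps a
one-second sliding window of the distinct destination addresses probed;
when that count exceeds max_rate the source is blacklisted for
blacklist_timeout minutes, while manually added entries never expire,
as the guide states. The counting method and the sample traffic are
constructions of this example, not the ME60's implementation.
"""
from collections import defaultdict, deque


class SweepDefender:
    def __init__(self, max_rate=5000, blacklist_timeout_min=30, enabled=True):
        self.max_rate = max_rate                    # distinct destinations per second
        self.timeout_s = blacklist_timeout_min * 60
        self.enabled = enabled                      # firewall defend ip-sweep enable
        self.windows = defaultdict(deque)           # src -> deque of (ts, dst)
        self.auto = {}                              # src -> expiry timestamp
        self.manual = set()                         # firewall blacklist item <ip>

    def add_manual(self, ip: str) -> None:
        self.manual.add(ip)

    def is_blacklisted(self, src: str, now: float) -> bool:
        if src in self.manual:
            return True
        expiry = self.auto.get(src)
        if expiry is None:
            return False
        if now >= expiry:                # automatic entry has aged out
            del self.auto[src]
            return False
        return True

    def _distinct_targets(self, src: str, dst: str, now: float) -> int:
        win = self.windows[src]
        win.append((now, dst))
        while win and now - win[0][0] >= 1.0:
            win.popleft()
        return len({d for _, d in win})

    def inspect(self, src: str, dst: str, now: float) -> str:
        """'drop' for blacklisted (or newly detected sweeping) sources, else 'pass'."""
        if self.is_blacklisted(src, now):
            return "drop"
        if self.enabled and self._distinct_targets(src, dst, now) > self.max_rate:
            self.auto[src] = now + self.timeout_s
            self.windows.pop(src, None)
            return "drop"
        return "pass"


def run_sample(max_rate: int = 50) -> dict:
    """Constructed traffic: 2.2.0.77 probes 60 internal addresses within 0.6 s,
    2.2.0.5 behaves normally, 202.39.1.2 is blacklisted by hand."""
    d = SweepDefender(max_rate=max_rate, blacklist_timeout_min=30)
    d.add_manual("202.39.1.2")
    results = {}
    drops = 0
    for i in range(60):
        if d.inspect("2.2.0.77", f"1.1.0.{i + 1}", now=i * 0.01) == "drop":
            drops += 1
    results["sweeper_drops"] = drops
    results["normal_host"] = d.inspect("2.2.0.5", "1.1.0.2", now=1.0)
    results["manual_entry"] = d.inspect("202.39.1.2", "1.1.0.2", now=1.0)
    results["sweeper_within_timeout"] = d.inspect("2.2.0.77", "1.1.0.2", now=100.0)
    results["sweeper_after_timeout"] = d.inspect("2.2.0.77", "1.1.0.2", now=1.0 + 30 * 60)
    results["manual_never_expires"] = d.inspect("202.39.1.2", "1.1.0.2", now=10 * 24 * 3600.0)
    return results


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

The sample uses a threshold of 50 so that the behaviour is visible in a handful of packets; with the 5000 from the example, the same code needs a correspondingly faster sweep before it reacts. Note also that the automatic entry is re-evaluated lazily on the next packet, so a source that goes quiet simply ages out without any timer.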


3 NAT Configuration

About This Chapter

This chapter describes the concept, fundamentals, configuration, and maintenance of NAT.

3.1 Introduction
This section describes the concept and fundamentals of NAT.

3.2 Configuring NAT
This section describes how to configure the NAT function.

3.3 Configuration Examples
This section provides a configuration example of NAT.


3.1 Introduction
This section describes the concept and fundamentals of NAT.

3.1.1 NAT Overview
3.1.2 NAT Types
3.1.3 Advantages and Disadvantages of NAT
3.1.4 Many-to-Many NAT and Address Pool
3.1.5 Internal Server
3.1.6 References

3.1.1 NAT Overview


Network address translation (NAT) enables hosts in a private network to access the public network.

Private Address and Public Address


A private network address, referred to as a private address, is the IP address of an internal network or a host. A public network address, referred to as a public address, is a unique IP address on the Internet. As specified by the Internet Assigned Numbers Authority (IANA), the following IP addresses are reserved as private addresses:
• Class A: 10.0.0.0-10.255.255.255
• Class B: 172.16.0.0-172.31.255.255
• Class C: 192.168.0.0-192.168.255.255

After planning the scale of the intranet, an enterprise chooses the appropriate address segment for the intranet. The private address segments of different enterprises can overlap each other. Communication errors may occur if an intranet does not use one of the defined private address segments.

Rationale of NAT
As shown in Figure 3-1, the network address must be translated when a host on the internal network obtains access to the Internet or interworks with the hosts on a public network.


Figure 3-1 Schematic diagram of NAT

(Figure not reproduced. Internal network: PC 10.1.1.10, WWW client 10.1.1.48 and other PCs, connected to ME60 GE1/0/0. External network: ME60 POS2/0/0 203.196.3.23 to the Internet, where WWW server 202.18.245.251 is located.)

The internal network uses network segment 10.0.0.0 and its public IP address is 203.196.3.23. The internal host 10.1.1.48 accesses the external server 202.18.245.251 through WWW. The host sends a data packet. It uses port 6084 as the source port and port 80 as the destination port. After the address is translated, the source address/port of the packet is changed to 203.196.3.23:32814, and the destination address/port is not changed. A table of address-port mapping is configured on the router. After the WWW server responds, the router translates the destination IP address/port in the returned data packet to 10.1.1.48:6084. In this manner, the internal host obtains access to the external server.

3.1.2 NAT Types


NAT is classified into two types: static NAT and port address translation (PAT).

Static NAT
Static NAT maps a private address to a public address. That is, the number of private addresses is equal to the number of public addresses. Static NAT cannot save public addresses, but can hide internal networks. When an internal network sends a packet to an external network, static NAT translates the source IP address of the packet into a public address. When the external network returns a response, static NAT translates the destination IP address of the response packet into the private address.

PAT
PAT, which is also called network address port translation (NAPT), maps a public address to multiple private addresses. Therefore, the public addresses are saved. PAT translates the source IP addresses of the packets from hosts that reside on the private network into a public address. The translated port numbers of these packets are different, and thus the private networks can share a public address.

A table of private address-port mapping is configured for PAT. When the PAT server receives a packet to be transmitted to the external network, it replaces the source port with the one matching the private address of the packet by using this table. That is, packets from a private network share the same public address but have different ports. When the external networks return response packets to the internal networks, the destination IP addresses are translated to private addresses according to the port numbers. Figure 3-2 shows the sketch map of PAT.

Figure 3-2 Schematic diagram of PAT

(Figure not reproduced. The translations it shows, performed by the ME60 between the private hosts and the Internet, are listed below.)
Datagram 1: Src IP 192.168.1.3, Src Port 23  ->  Src IP 202.169.10.1, Src Port 10023
Datagram 2: Src IP 192.168.1.3, Src Port 80  ->  Src IP 202.169.10.1, Src Port 10080
Datagram 3: Src IP 192.168.1.2, Src Port 23  ->  Src IP 202.169.10.1, Src Port 11023
Datagram 4: Src IP 192.168.1.2, Src Port 80  ->  Src IP 202.169.10.1, Src Port 11080

3.1.3 Advantages and Disadvantages of NAT


The advantages of NAT are as follows:
• Hosts on the internal networks can access external resources, and public addresses are saved.
• The privacy of internal hosts is protected.

The disadvantages of NAT are as follows:
• The addresses of data packets need to be translated, so the parts of the packet headers that carry IP addresses cannot be encrypted.
• The IP addresses of hosts are hidden, so the source IP addresses cannot be traced. This hinders network debugging.

3.1.4 Many-to-Many NAT and Address Pool


As shown in Figure 3-1, when an internal host accesses the external network, the source IP address is translated to a public address, which can be selected from the address pool of the ME60.

When all the hosts on the internal network access the external network at the same time, they share an external address. If too many hosts attempt to access the external network, it is difficult to perform NAT. To solve this problem, a private network needs multiple public addresses. In this case, a public address pool is required for the many-to-many NAT. A public address pool is a set of valid public addresses. You can configure the public address pool based on the number of public IP addresses and internal hosts. When an internal host accesses an external network, the ME60 selects an IP address from the public address pool as the source address of the packets.
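The translation described in 3.1.1 (10.1.1.48:6084 becoming 203.196.3.23 with a new port, and the reply being mapped back), the PAT table of 3.1.2 and the many-to-many address pool of this section can all be seen in one small model. The following is an added example, not code from the ME60 guide or from Huawei: the port-allocation policy (sequential from 10000, least-loaded pool address first), the pool layout and the flow representation are assumptions of the example; the addresses are those of Figure 3-1 and Figure 3-2.

```python
"""Many-to-many NAPT (PAT) with a public address pool, for 3.1.1, 3.1.2 and 3.1.4.

Added example, not code from the ME60 guide. An outbound packet from a
private host is given a (public address, public port) pair taken from
the pool and recorded in a translation table; the reverse entry lets the
reply be translated back to the private host and port, while a packet
with no entry is discarded. The port allocation policy (sequential from
10000, least-loaded address first) and the pool layout are assumptions;
the addresses come from Figure 3-1 and Figure 3-2.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def expand_pool(start: str, end: str) -> List[str]:
    """Address range as in 'nat address-group'; start == end is a single address."""
    s, e = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if e < s:
        raise ValueError("end-address precedes start-address")
    return [str(ipaddress.IPv4Address(i)) for i in range(s, e + 1)]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    FIRST_PORT, LAST_PORT = 10000, 65535

    def __init__(self, pool: List[str]) -> None:
        if not pool:
            raise ValueError("empty address pool")
        self.pool = pool
        self.next_port = {ip: self.FIRST_PORT for ip in pool}
        # translation table, both directions
        self.outbound = {}   # (proto, priv_ip, priv_port, dst, dport) -> (pub_ip, pub_port)
        self.inbound = {}    # (proto, pub_ip, pub_port, dst, dport)   -> (priv_ip, priv_port)

    def _allocate(self):
        # take the public address with the most ports left (least loaded)
        for pub_ip in sorted(self.pool, key=lambda ip: self.next_port[ip]):
            port = self.next_port[pub_ip]
            if port <= self.LAST_PORT:
                self.next_port[pub_ip] = port + 1
                return pub_ip, port
        raise RuntimeError("NAT address pool exhausted")

    def translate_out(self, f: Flow) -> Flow:
        """Private -> public; an existing session keeps its mapping."""
        key = (f.proto, f.src, f.sport, f.dst, f.dport)
        if key not in self.outbound:
            pub_ip, pub_port = self._allocate()
            self.outbound[key] = (pub_ip, pub_port)
            self.inbound[(f.proto, pub_ip, pub_port, f.dst, f.dport)] = (f.src, f.sport)
        pub_ip, pub_port = self.outbound[key]
        return Flow(f.proto, pub_ip, pub_port, f.dst, f.dport)

    def translate_in(self, reply: Flow) -> Optional[Flow]:
        """Public -> private for a reply; None means no session, packet dropped."""
        key = (reply.proto, reply.dst, reply.dport, reply.src, reply.sport)
        hit = self.inbound.get(key)
        if hit is None:
            return None
        priv_ip, priv_port = hit
        return Flow(reply.proto, reply.src, reply.sport, priv_ip, priv_port)


def demo_figure_3_1() -> Optional[Flow]:
    """Host 10.1.1.48:6084 reaches WWW server 202.18.245.251:80 via 203.196.3.23."""
    nat = Napt(expand_pool("203.196.3.23", "203.196.3.23"))
    out = nat.translate_out(Flow("tcp", "10.1.1.48", 6084, "202.18.245.251", 80))
    reply = Flow("tcp", "202.18.245.251", 80, out.src, out.sport)
    return nat.translate_in(reply)


if __name__ == "__main__":
    print(demo_figure_3_1())
```

The inbound table is keyed on the full five-tuple, so an unsolicited packet to a pool address is dropped even if it happens to use an allocated port; that is the "shielding" of internal hosts that 3.1.3 and 3.1.5 refer to, and it is also why an internal server needs an explicit static entry before outside hosts can reach it.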

3.1.5 Internal Server


NAT can shield the internal hosts. In practice, however, external networks may need to access the internal hosts. For example, users on the external networks may need to access a WWW server or an FTP server on the internal network. You can add internal servers flexibly through NAT. For example, use 202.110.10.10 as the public address of the Web server, 202.110.10.11 as the public address of the FTP server, and addresses like 202.110.10.12:8080 as the public address of the Web server. You can also provide multiple identical servers (such as Web servers) for external users. By configuring internal servers, you map public addresses and ports to the internal servers, and the external hosts can then access the internal servers. The NAT function of the ME60 supports multiple instances of internal servers, so external networks can access the hosts in an MPLS VPN. For example, host 10.110.1.1 in VPN1 provides the WWW service, and the public address of the host is 202.110.10.20. External users can access the WWW service provided by MPLS VPN1 by using 202.110.10.20.

3.1.6 References
For more information about NAT, refer to the following document: RFC 1631: The IP Network Address Translator (NAT)

3.2 Configuring NAT


This section describes how to configure the NAT function.

3.2.1 Establishing the Configuration Task
3.2.2 (Optional) Configuring the VSU to Work as the SSU
3.2.3 Configuring the NAT Address Pool
3.2.4 Configuring NAT in an Interzone
3.2.5 (Optional) Configuring the Internal NAT Server
3.2.6 Checking the Configuration


3.2.1 Establishing the Configuration Task


Applicable Environment
NAT needs to be configured at the juncture between the private network and the public network. The addresses can be translated through NAT. NAT is configured based on the interzone. NAT is applied to the data from the high-security zone to the low-security zone. The ACL type, namely, basic ACL or advanced ACL, also needs to be specified. NAT is implemented only on the packets that match ACL rules.

Pre-configuration Task
Before configuring NAT, complete the following tasks:
• Installing the VSU
• Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
• Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")
• Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)

Data Preparation
To configure NAT, you need the following data.
1. Number of the public address pool, start IP address, and end IP address
2. Number of the basic ACL or advanced ACL
3. (Optional) Information about the internal server, including the protocol type, external address, external port number, internal address (the VPN instance may be included), and internal port number

3.2.2 (Optional) Configuring the VSU to Work as the SSU


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
set lpu-work-mode ssu slot slot-id

The operation mode of the VSU is set to SSU.


NOTE

- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure the operation mode again.

----End

3.2.3 Configuring the NAT Address Pool


Context

CAUTION
When configuring a NAT address pool, ensure that the IP addresses do not conflict with the existing addresses of the device, including the interface addresses or address segment, gateway IP addresses or IP address segment, and the IP address of the internal NAT server.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
nat address-group group-index start-address end-address

The NAT address pool is configured.

A NAT address pool is a set of public addresses. When NAT is performed on the internal data packets, the ME60 selects an IP address from the address pool as the source address. The NAT address pools are numbered with numerals. Up to 128 address pools can be configured.

You can specify one or more public addresses in a NAT address pool. When start-address is the same as end-address, it indicates that only one public address is contained in the address pool.

By default, no NAT address pool is configured on the ME60.
----End

3.2.4 Configuring NAT in an Interzone


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.
Step 3 Run:
nat outbound acl-number address-group group-index [ no-pat ]

NAT is configured.

When configuring NAT in an interzone, you need to specify the ACL and the public address pool. The address of a packet is translated only when the packet matches the specified ACL and the behavior defined by the ACL is permit. If the behavior is deny, the packets are discarded.

If the no-pat keyword is specified in the command, it indicates that the static NAT is used. That is, the one-to-one translation is performed on private and public addresses. By default, PAT is used, because it can save public addresses.

By default, NAT is not configured in the interzone.
----End

3.2.5 (Optional) Configuring the Internal NAT Server


Context

CAUTION
- When configuring the internal NAT server, ensure that global-address and host-address do not conflict with the existing addresses of the device, including the interface addresses or address segment, gateway IP addresses or IP address segment, and the IP addresses in the NAT address pool.
- Zones must be configured at the user side and internal server side. In the interzone, enable the firewall by running the firewall enable command.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
nat server protocol { tcp | udp } global global-address { global-protocol | begin-port } inside host-address { host-protocol | begin-port } [ vpn-instance vpn-instance-name ]
or
nat server [ protocol { protocol-number | icmp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ]


The internal NAT server is configured.

After the internal server is configured, external networks can access the servers on the internal network. When an external host sends an access request to the public address (global-address) of the internal NAT server, the NAT server translates the destination address of the request into a private address (host-address). The request is then forwarded to the server on the internal network.

The internal NAT server is valid for all zones. Its public address cannot be an address in the local address pool. If multiple private networks share an internal server address, you need to configure VPN instances to distinguish them.

By default, no internal NAT server is configured on the ME60.
----End

3.2.6 Checking the Configuration


Run the following command to check the previous configuration.
Action: Check the configuration of NAT.
Command: display nat { address-group [ group-index ] | all | outbound | server }

3.3 Configuration Examples


This section provides a configuration example of NAT.
3.3.1 Example for Configuring NAT

3.3.1 Example for Configuring NAT


Networking Requirements
As shown in Figure 3-3, a company is divided into two zones. The staff zone has a high security priority, and is allocated a private address segment 10.110.0.0/16. The server zone has a medium security priority, and is allocated a private address segment 192.168.20.0/24. This zone can be accessed by staff and external users.
- In the staff zone, the users in 10.110.10.0/24 are allowed to access the Internet, but others cannot. The public addresses range from 202.169.10.2 to 202.169.10.6. PAT is used to save public addresses.
- Two internal servers can be accessed by external users. The internal IP address of the WWW server is 192.168.20.2:8080 and its public address is 202.169.10.3. The internal IP address of the FTP server is 192.168.20.3 and its public address is 202.169.10.2.


Figure 3-3 Networking of NAT
[Figure: ME60 with GE1/0/0 10.110.0.1/16 (staff zone), GE2/0/0 192.168.20.1/24 (server zone: WWW server 192.168.20.2, FTP server 192.168.20.3), and GE3/0/0 202.169.10.1/16 (Internet)]

Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of the interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure ACLs.
- Configure the public address pool.
- Configure ACL-based packet filtering in the interzone view.
- Configure NAT in the interzone.
- Configure the internal NAT server.

Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces and servers, as shown in Figure 3-3
- Security priorities of the three zones: 100 for the staff zone, 60 for the server zone, and 20 for the zone representing external networks
- Number of the ACL used for filtering outbound packets and NAT: 2101

Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Assign an IP address to each interface.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 10.110.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 192.168.20.1 255.255.255.0
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] interface gigabitethernet 3/0/0
[Quidway-GigabitEthernet3/0/0] ip address 202.169.10.1 255.255.0.0
[Quidway-GigabitEthernet3/0/0] quit

3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 60
[Quidway-zone-zone2] quit
[Quidway] firewall zone zone3
[Quidway-zone-zone3] priority 20
[Quidway-zone-zone3] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] detect ftp
[Quidway-interzone-zone1-zone2] quit
[Quidway] firewall interzone zone1 zone3
[Quidway-interzone-zone1-zone3] firewall enable
[Quidway-interzone-zone1-zone3] detect ftp
[Quidway-interzone-zone1-zone3] quit
[Quidway] firewall interzone zone2 zone3
[Quidway-interzone-zone2-zone3] firewall enable
[Quidway-interzone-zone2-zone3] detect ftp
[Quidway-interzone-zone2-zone3] quit

4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] interface gigabitethernet 3/0/0
[Quidway-GigabitEthernet3/0/0] zone zone3
[Quidway-GigabitEthernet3/0/0] shutdown
[Quidway-GigabitEthernet3/0/0] undo shutdown
[Quidway-GigabitEthernet3/0/0] quit

5. Configure an ACL.
[Quidway] acl 2101
[Quidway-acl-basic-2101] rule permit source 10.110.10.0 0.0.0.255
[Quidway-acl-basic-2101] rule deny source 10.110.0.0 0.0.255.255
[Quidway-acl-basic-2101] quit

6. Configure the public address pool.
[Quidway] nat address-group 1 202.169.10.2 202.169.10.6

7. Configure NAT and ACL packet filtering.
[Quidway] firewall interzone zone1 zone3
[Quidway-interzone-zone1-zone3] packet-filter 2101 outbound
[Quidway-interzone-zone1-zone3] nat outbound 2101 address-group 1
[Quidway-interzone-zone1-zone3] quit

8. Configure internal servers.
[Quidway] nat server protocol tcp global 202.169.10.3 www inside 192.168.20.2 8080
[Quidway] nat server protocol tcp global 202.169.10.2 ftp inside 192.168.20.3 ftp


Configuration Files
#
 sysname Quidway
#
acl number 2101
 rule 5 permit source 10.110.10.0 0.0.0.255
 rule 10 deny source 10.110.0.0 0.0.255.255
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 60
#
firewall zone zone3
 priority 20
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 10.110.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 zone zone3
 undo shutdown
 ip address 202.169.10.1 255.255.0.0
#
nat address-group 1 202.169.10.2 202.169.10.6
nat server protocol tcp global 202.169.10.3 8080 inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.2 ftp inside 192.168.20.3 ftp
#
port-mapping http port 8080 acl 2101
#
firewall interzone zone1 zone2
 firewall enable
 detect ftp
#
firewall interzone zone1 zone3
 firewall enable
 packet-filter 2101 outbound
 nat outbound 2101 address-group 1
 detect ftp
#
firewall interzone zone2 zone3
 firewall enable
 detect ftp
#
return
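The following Python model is an added illustration, not ME60 code, of the decisions this example configures: wildcard matching of acl 2101, PAT from address-group 1 in the zone1-zone3 interzone, and the two internal server mappings. The ME60's choice of pool address and port is not described in this guide, so the round-robin address and sequential port allocation in the model are assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed model of the NAT example (acl 2101, address-group 1, two
# internal servers). Added illustration, not ME60 code. The pool-address
# and port selection below is an assumption, not the ME60 algorithm.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP-style wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# acl 2101 from the configuration file: (rule number, action, source, wildcard)
ACL_2101 = [
    (5, "permit", "10.110.10.0", "0.0.0.255"),
    (10, "deny", "10.110.0.0", "0.0.255.255"),
]


def acl_action(acl, src_ip: str) -> Optional[str]:
    """Rules are evaluated in rule-number order; the first match decides."""
    for _num, action, base, wc in sorted(acl):
        if wildcard_match(src_ip, base, wc):
            return action
    return None


class OutboundNat:
    """Models 'nat outbound 2101 address-group 1' (PAT, the default when
    no-pat is omitted)."""

    def __init__(self, acl, start: str, end: str):
        self.acl = acl
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.bindings: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = 1024  # assumption: sequential PAT port allocation

    def translate(self, src_ip: str, src_port: int):
        """Return ('translate', (pub_ip, pub_port)), ('discard', None) for an
        ACL deny, or ('forward', (src_ip, src_port)) when no rule matched,
        since NAT is applied only to packets that match the ACL."""
        action = acl_action(self.acl, src_ip)
        if action == "deny":
            return ("discard", None)
        if action is None:
            return ("forward", (src_ip, src_port))
        key = (src_ip, src_port)
        if key not in self.bindings:
            # PAT: many private sockets share a public address, told apart by port
            pub_ip = self.pool[len(self.bindings) % len(self.pool)]
            self.bindings[key] = (pub_ip, self._next_port)
            self._next_port += 1
        return ("translate", self.bindings[key])


WELL_KNOWN = {"www": 80, "ftp": 21}  # port names accepted by 'nat server'


class InternalServers:
    """Models the two 'nat server protocol tcp ...' commands."""

    def __init__(self):
        self.map: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def add(self, proto: str, global_ip: str, global_port, host_ip: str, host_port):
        gp = WELL_KNOWN.get(global_port, global_port)
        hp = WELL_KNOWN.get(host_port, host_port)
        self.map[(proto, global_ip, int(gp))] = (host_ip, int(hp))

    def inbound(self, proto: str, dst_ip: str, dst_port: int):
        """Destination translation for a request arriving from the Internet;
        None means no internal server is published at that socket."""
        return self.map.get((proto, dst_ip, dst_port))


def build_example():
    """Wire up the objects exactly as the example's commands do."""
    nat = OutboundNat(ACL_2101, "202.169.10.2", "202.169.10.6")
    servers = InternalServers()
    servers.add("tcp", "202.169.10.3", "www", "192.168.20.2", 8080)
    servers.add("tcp", "202.169.10.2", "ftp", "192.168.20.3", "ftp")
    return nat, servers


if __name__ == "__main__":
    nat, servers = build_example()
    print(nat.translate("10.110.10.7", 40000))        # permitted: translated via PAT
    print(nat.translate("10.110.20.7", 40000))        # rule 10 deny: discarded
    print(servers.inbound("tcp", "202.169.10.3", 80))  # -> 192.168.20.2:8080
```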


4 Traffic Statistics and Monitoring Configuration


About This Chapter


This chapter describes the fundamentals, configuration, and maintenance of traffic statistics and monitoring.
4.1 Introduction
This section describes the concept and rationale of traffic statistics and monitoring.
4.2 Configuring Traffic Statistics and Monitoring
This section describes how to configure traffic statistics and monitoring in the entire system.
4.3 Configuring Zone-based Traffic Statistics and Monitoring
This section describes how to configure zone-based traffic statistics and monitoring.
4.4 Configuring IP Address-based Traffic Statistics and Monitoring
This section describes how to configure traffic statistics and monitoring based on IP addresses.
4.5 Configuration Examples
This section provides several configuration examples of traffic statistics and monitoring.


4.1 Introduction
This section describes the concept and rationale of traffic statistics and monitoring.

A firewall not only monitors data traffic, but also detects the setup of sessions between internal and external networks, generates statistics, and analyzes the data. The firewall can analyze the logs by using special software after the event. The firewall also has certain analysis functions that enable it to analyze data in real time.

By checking whether the number of TCP/UDP sessions initiated from external networks to the internal network exceeds the threshold, the firewall decides whether to restrict new sessions from external networks to the internal network or to an IP address in the internal network. If the firewall finds that the number of sessions in the system exceeds the threshold, it speeds up the aging of sessions. This ensures that new sessions can still be set up. In this way, DoS attacks can be prevented when the system is too busy.

Figure 4-1 shows an application of the firewall. The IP address-based statistics function is enabled for the packets from external networks to the internal network. If the number of TCP sessions initiated by external networks to Web server 129.9.0.1 exceeds the threshold, the ME60 forbids external networks to initiate new sessions until the number of sessions is smaller than the threshold.

Figure 4-1 Limiting the number of sessions initiated by external server
[Figure: TCP connections from the Internet pass through the ME60 to the Web server 129.9.0.1 on the internal Ethernet network]

On the ME60, traffic statistics and monitoring can be configured in the system view.

4.2 Configuring Traffic Statistics and Monitoring


This section describes how to configure traffic statistics and monitoring in the entire system.
4.2.1 Establishing the Configuration Task
4.2.2 (Optional) Configuring the VSU to Work as the SSU
4.2.3 (Optional) Configuring the Default Master SSU
4.2.4 Enabling Traffic Statistics and Monitoring
4.2.5 Setting the Session Threshold
4.2.6 Checking the Configuration

4.2.1 Establishing the Configuration Task


Applicable Environment
System-level traffic statistics and monitoring applies to all the data flows in interzones that are enabled with the firewall feature. That is, the ME60 collects statistics of the ICMP, TCP, TCP proxy, and UDP sessions in the interzones. When the number of sessions exceeds the threshold, the ME60 restricts the sessions until the number is less than the threshold.

Pre-configuration Task
Before configuring system-level traffic statistics and monitoring, complete the following tasks:
- Installing the VSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")

Data Preparation
To configure system-level traffic statistics and monitoring, you need the following data.
1. Type of sessions to be counted, namely TCP, UDP, ICMP, or TCP proxy
2. Session threshold

4.2.2 (Optional) Configuring the VSU to Work as the SSU


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
set lpu-work-mode ssu slot slot-id

The operation mode of the VSU is set to SSU.


NOTE

- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure the operation mode again.

----End

4.2.3 (Optional) Configuring the Default Master SSU


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ssu master default slot-id slot-id

The default master SSU is configured.

The ME60 can be equipped with multiple SSUs. One is the master board, and the others are slave boards. If the default master SSU is not specified, the ME60 selects the SSU registered first as the master.

By default, the master SSU is not specified.
----End

4.2.4 Enabling Traffic Statistics and Monitoring


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall statistics system enable

System-level traffic statistics and monitoring is enabled.

By default, the traffic statistics and monitoring function is enabled on the ME60.
----End

4.2.5 Setting the Session Threshold


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall statistics system session { icmp | tcp | tcp-proxy | udp } session-limit

The session threshold is set.

For the system-level traffic statistics function, you can set the threshold for each type of session. For example, you can set the threshold for TCP sessions to 500000. In this case, when the number of TCP sessions in all interzones exceeds 500000, the ME60 denies new TCP sessions in all the interzones and reports an alarm to the information center. If traffic volume falls below 75% of the threshold, the ME60 generates the recovery log and sends the log to the information center.

By default, the threshold for ICMP sessions is 20480, the thresholds for TCP and UDP sessions are both 500000, and the threshold for TCP-Proxy sessions is 250000.
----End

4.2.6 Checking the Configuration


Run the following command to check the previous configuration.
Action: Check the traffic statistics of the system.
Command: display firewall statistics system { discard | normal }

4.3 Configuring Zone-based Traffic Statistics and Monitoring


This section describes how to configure zone-based traffic statistics and monitoring.
4.3.1 Establishing the Configuration Task
4.3.2 Enabling Traffic Statistics and Monitoring in a Zone
4.3.3 Setting the Session Threshold
4.3.4 Checking the Configuration

4.3.1 Establishing the Configuration Task


Applicable Environment
The zone-based traffic statistics and monitoring applies to the data flows between zones. That is, the ME60 counts the total TCP and UDP sessions between the local zone and other zones. When the number of sessions exceeds the threshold, the ME60 restricts the sessions until the number is less than the threshold.

The zone-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the ME60 counts and monitors the sessions initiated by the local zone. The outbound direction means that the ME60 counts and monitors the sessions destined for this zone.

Pre-configuration Task
Before configuring zone-based traffic statistics and monitoring, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")

Data Preparation
To configure zone-based traffic statistics and monitoring, you need the following data.
1. Type of sessions to be monitored, namely, TCP or UDP
2. Direction of traffic statistics and monitoring
3. Session threshold

4.3.2 Enabling Traffic Statistics and Monitoring in a Zone


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
firewall zone zone-name

The zone view is displayed.
Step 3 Run:
statistics zone enable { inzone | outzone }

Traffic statistics and monitoring is enabled in the zone.

By default, the traffic statistics and monitoring function is disabled in the zones.
----End

4.3.3 Setting the Session Threshold


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall zone zone-name

The zone view is displayed.
Step 3 Run:
statistics zone session { inzone | outzone } { tcp | udp } session-limit

The session threshold is set in the zone.

You can configure the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold for inbound TCP sessions to 500000. In this case, when the number of TCP sessions initiated by this zone exceeds 500000, the ME60 denies new TCP sessions from this zone.

By default, the thresholds for inbound and outbound TCP and UDP sessions are both 500000.
----End

4.3.4 Checking the Configuration


Run the following command to check the previous configuration.
Action: Check the traffic statistics of the zone.
Command: display firewall statistics zone zone-name { inzone | outzone }


4.4 Configuring IP Address-based Traffic Statistics and Monitoring


This section describes how to configure traffic statistics and monitoring based on IP addresses.
4.4.1 Establishing the Configuration Task
4.4.2 Enabling IP Address-based Traffic Statistics and Monitoring
4.4.3 Setting the Session Threshold

4.4.1 Establishing the Configuration Task


Applicable Environment
The IP address-based traffic statistics and monitoring is to count and monitor the TCP and UDP sessions set up on an IP address in the zone. When the number of sessions set up on an IP address exceeds the threshold, the ME60 restricts the sessions until the number is less than the threshold. The IP address-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the ME60 counts and monitors the sessions initiated on the IP address. The outbound direction means that the ME60 counts and monitors the sessions destined for this IP address.

Pre-configuration Task
Before configuring IP address-based traffic statistics and monitoring, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")

Data Preparation
To configure IP address-based traffic statistics and monitoring, you need the following data.
1. Type of sessions to be monitored, namely, TCP or UDP
2. Direction of traffic statistics and monitoring
3. Session threshold

4.4.2 Enabling IP Address-based Traffic Statistics and Monitoring



Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall zone zone-name

The zone view is displayed.
Step 3 Run:
statistics ip enable { inzone | outzone }

IP address-based traffic statistics and monitoring is enabled in the zone.

By default, the traffic statistics and monitoring function is disabled in the zones.
----End

4.4.3 Setting the Session Threshold


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
firewall zone zone-name

The zone view is displayed.
Step 3 Run:
statistics ip session { inzone | outzone } { tcp | udp } session-limit

The session threshold is set for IP address-based traffic statistics and monitoring.

You can configure the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold for inbound TCP sessions to 10000. In this case, when the number of TCP sessions initiated from an IP address exceeds 10000, the ME60 denies new TCP sessions from this IP address.

By default, the thresholds for inbound and outbound TCP and UDP sessions are both 10240.
----End

4.5 Configuration Examples


This section provides several configuration examples of traffic statistics and monitoring.
4.5.1 Example for Configuring System-Level Traffic Statistics and Monitoring
4.5.2 Example for Configuring Zone-based Traffic Statistics and Monitoring
4.5.3 Example for Configuring IP Address-based Traffic Statistics and Monitoring

4.5.1 Example for Configuring System-Level Traffic Statistics and Monitoring


Networking Requirements
GE2/0/1 of the ME60 is connected to the Internet; GE1/0/1 of the ME60 is connected to the FTP server and the Web server of an enterprise Intranet. The TCP and UDP sessions from the Internet to the enterprise Intranet are monitored. The session threshold is 40000.

Figure 4-2 Networking of system-level traffic statistics and monitoring
[Figure: FTP server and Web server on GE1/0/1 (20.10.10.1/24) of the ME60; Internet on GE2/0/1 (10.10.10.1/24)]

Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of the interfaces.
- Enable system-level traffic statistics and monitoring.
- Set the session threshold.

Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 4-2
- Session threshold

Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] ip address 20.10.10.1 255.255.255.0
[Quidway-GigabitEthernet1/0/1] undo shutdown
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] ip address 10.10.10.1 255.255.255.0
[Quidway-GigabitEthernet2/0/1] undo shutdown
[Quidway-GigabitEthernet2/0/1] quit

3. Enable system-level traffic statistics and monitoring.
[Quidway] firewall statistics system enable

4. Set the session threshold.
[Quidway] firewall statistics system session tcp 40000
[Quidway] firewall statistics system session udp 40000

Configuration Files
#
 sysname Quidway
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 20.10.10.1 255.255.255.0
#
interface GigabitEthernet2/0/1
 undo shutdown
 ip address 10.10.10.1 255.255.255.0
#
firewall statistics system enable
firewall statistics system session tcp 40000
firewall statistics system session udp 40000
#

4.5.2 Example for Configuring Zone-based Traffic Statistics and Monitoring


Networking Requirements
GE1/0/0 of the ME60 is connected to an enterprise network with a high security priority; GE2/0/0 of the ME60 is connected to the Internet with a low security priority. The TCP and UDP sessions from the Internet to enterprise networks are monitored. The session threshold is 50000.


Figure 4-3 Networking of zone-based traffic statistics and monitoring
[Figure: enterprise network on GE1/0/0 (1.1.0.1/16) of the ME60; Internet on GE2/0/0 (2.2.0.1/16)]

Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of the interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure an ACL.
- Configure zone-based traffic statistics and monitoring.

Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 4-3
- Network security priorities: 100 for the internal network and 1 for the external network

Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit

3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit


4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit

5. Configure zone-based traffic statistics and monitoring.
   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] statistics zone enable inzone
   [Quidway-zone-zone1] statistics zone session inzone tcp 50000
   [Quidway-zone-zone1] statistics zone session inzone udp 50000
   [Quidway-zone-zone1] quit

Configuration Files
#
 sysname Quidway
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
firewall zone zone1
 priority 100
 statistics zone enable inzone
 statistics zone session inzone tcp 50000
 statistics zone session inzone udp 50000
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
#
return

4.5.3 Example for Configuring IP Address-based Traffic Statistics and Monitoring


Networking Requirements
GE1/0/0 of the ME60 is connected to an enterprise network with a high security priority; GE2/0/0 of the ME60 is connected to the Internet with a low security priority. The TCP and UDP sessions from the Internet to the enterprise network are monitored, with a session threshold of 50000. In addition, the number of TCP or UDP sessions to each IP address in the enterprise network cannot exceed 1000.

Figure 4-4 Networking of IP address-based traffic statistics and monitoring
[Figure: Enterprise network -- GE1/0/0 1.1.0.1/16 -- ME60 (firewall) -- GE2/0/0 2.2.0.1/16 -- Internet]

Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of the interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure zone-based traffic statistics and monitoring.
- Configure IP address-based traffic statistics and monitoring.

Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 4-4
- Network security priorities: 100 for the internal network and 1 for the external network

Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
   <Quidway> system-view
   [Quidway] set lpu-work-mode ssu slot 3
   [Quidway] quit
   <Quidway> reset slot 3

2. Configure IP addresses of the interfaces.
   <Quidway> system-view
   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
   [Quidway-GigabitEthernet2/0/0] quit

3. Configure zones and the interzone.
   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] priority 100
   [Quidway-zone-zone1] quit
   [Quidway] firewall zone zone2
   [Quidway-zone-zone2] priority 1
   [Quidway-zone-zone2] quit
   [Quidway] firewall interzone zone1 zone2
   [Quidway-interzone-zone1-zone2] firewall enable
   [Quidway-interzone-zone1-zone2] quit

4. Add the interfaces to the zones.
   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] zone zone1
   [Quidway-GigabitEthernet1/0/0] shutdown
   [Quidway-GigabitEthernet1/0/0] undo shutdown
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] zone zone2
   [Quidway-GigabitEthernet2/0/0] shutdown
   [Quidway-GigabitEthernet2/0/0] undo shutdown
   [Quidway-GigabitEthernet2/0/0] quit

5. Configure zone-based traffic statistics and monitoring.
   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] statistics zone enable inzone
   [Quidway-zone-zone1] statistics zone session inzone tcp 50000
   [Quidway-zone-zone1] statistics zone session inzone udp 50000
   [Quidway-zone-zone1] quit

6. Configure IP address-based traffic statistics and monitoring.
   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] statistics ip enable inzone
   [Quidway-zone-zone1] statistics ip session inzone tcp 1000
   [Quidway-zone-zone1] statistics ip session inzone udp 1000
   [Quidway-zone-zone1] quit

Configuration Files
#
 sysname Quidway
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
firewall zone zone1
 priority 100
 statistics zone enable inzone
 statistics zone session inzone tcp 50000
 statistics zone session inzone udp 50000
 statistics ip session inzone tcp 1000
 statistics ip session inzone udp 1000
 statistics ip enable inzone
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
#
return

5 Attack Defense Configuration

About This Chapter

This chapter describes the fundamentals, configuration, and maintenance of attack defense.

5.1 Introduction
This section describes the concept and fundamentals of attack defense.

5.2 Configuring Attack Defense
This section describes how to configure the attack defense function.

5.3 Configuration Examples
This section provides several configuration examples of attack defense.

5.1 Introduction
This section describes the concept and fundamentals of attack defense.

A network attack interrupts services, and may compromise servers or hosts on the network in order to obtain sensitive data illegally. Some network attacks damage the network equipment directly, which can also lead to service interruption. With the attack defense feature, the ME60 firewall can detect various network attacks and protect the intranet against malicious attacks, so that the intranet and the system keep running properly.

5.1.1 Type of Network Attacks
5.1.2 Typical Attacks

5.1.1 Type of Network Attacks


Network attacks are divided into three types: DoS attack, scanning and snooping attack, and defective packet attack.

DoS Attack
A denial of service (DoS) attack floods a system with a large number of data packets, which prevents the system from accepting requests from authorized users or suspends the host. Typical DoS attacks are SYN flood and Fraggle. Unlike other attackers, a DoS attacker aims to prevent authorized users from accessing resources or routers, rather than to find a way into the intranet.

Scanning and Snooping Attack


Scanning and snooping attacks identify the live systems on the network through ping sweeps (including ICMP and TCP scanning) and then select potential targets. Through TCP scanning, the attacker can determine the operating system and the listening services. Through scanning and snooping, the attacker learns the service types and potential security holes, which facilitates further intrusion.

Defective Packet Attack


A defective packet attack sends defective IP packets to the system; under such an attack, the system exits abnormally while processing the packets. Typical defective packet attacks include Ping of Death and Teardrop.

5.1.2 Typical Attacks


Land Attack
A Land attack sets both the source and destination addresses of a TCP SYN packet to the IP address of the target. The target then sends the SYN-ACK to its own IP address and answers itself with an ACK, which forms a null session. Each null session persists until it times out. The effect of a Land attack varies with the target; for instance, many UNIX hosts stop responding, while Windows NT hosts slow down.

Smurf Attack
A simple Smurf attack targets a network. The attacker sends an ICMP request to the broadcast address of the network; all hosts on the network then respond to the request, and the network is congested. The traffic caused by a Smurf attack is one or two orders of magnitude higher than the traffic caused by pinging with large packets. An advanced Smurf attack targets hosts. The attacker sets the source address of the ICMP request to the IP address of the target host, which is then flooded with the replies and stops responding. The attack works only when the volume of attack packets is large enough; in theory, the more hosts on the network, the more effective the attack. The Fraggle attack is another form of the Smurf attack.

WinNuke Attack
A WinNuke attack sends an out-of-band (OOB) data packet to the NetBIOS port (139) of a target host running the Windows operating system. The NetBIOS fragments then overlap and the host stops responding. A fragmented Internet Group Management Protocol (IGMP) packet can also damage the target host, because IGMP packets are normally not fragmented; a host that receives a fragmented IGMP packet is therefore treated as being under attack.

SYN Flood Attack


Because of resource limits, the TCP/IP stack limits the number of TCP sessions. The attacker forges a SYN packet whose source address is spoofed or nonexistent and sends it to the server to initiate a session. After receiving the packet, the server responds with a SYN-ACK. Because the server never receives the ACK, a half-open connection remains. If the attacker sends a large number of forged SYN packets, the half-open connections exhaust the system resources, and users cannot access the server until these half-open connections time out. Even in applications where the number of sessions is not limited, a SYN Flood attack can exhaust system resources such as memory.

ICMP and UDP Flood Attack


In an ICMP or UDP Flood attack, the attacker sends a large number of ICMP packets (such as ping packets) or UDP packets to the target host in a short time, each requesting a response. The host is then overloaded and cannot process legitimate tasks.

IP Address Sweeping and Port Scanning Attack


In IP address sweeping and port scanning, the attacker probes the IP addresses and ports of the target hosts with scanning tools and determines, from the responses, which hosts exist on the target network. The attacker can then find the ports that provide services.

Ping of Death Attack


The total length field of an IP packet is 16 bits, so the maximum length of an IP packet is 65535 bytes. If the data length of an ICMP packet is greater than 65507 bytes, then:

ICMP data + IP header (20) + ICMP header (8) > 65535

After receiving such oversized packets, some routers or systems may stop responding or reboot because of incorrect processing. A Ping of Death attack is an attack on a system using oversized ICMP packets.

ICMP-Redirect and ICMP-Unreachable Attack


Network equipment asks a host in the same subnet to change a route by sending it an ICMP-redirect packet. Malicious attackers, however, may send forged redirect packets to hosts in other subnets, causing those hosts to change their routes so that IP packets are forwarded abnormally. Another type of attack sends ICMP-unreachable packets. After receiving an ICMP unreachable message for a network (code 0) or a host (code 1), some systems treat all subsequent packets to that destination as unreachable and tear down the connection to it.

Teardrop Attack
The More Fragments (MF) bit, the fragment offset field, and the length field of an IP packet indicate which segment of the original packet a fragment carries. Some TCP/IP implementations may crash when receiving a forged fragment whose offset overlaps another fragment. The Teardrop attack exploits this flaw in systems that do not validate the fragment information.

Fraggle Attack
Port 7 (echo) and port 19 (chargen) return responses to received UDP packets: port 7 echoes the received data back, and port 19 responds with a generated character string. Similar to the large ICMP packet attack, the two UDP ports generate many useless response packets that consume network bandwidth. The attacker sends a UDP packet to the destination network whose source address is the IP address of the host to be attacked and whose destination address is the broadcast address or network address of that host's subnet, with destination port 7 or 19. All systems on which these services are enabled then return packets to the target host; the high traffic volume blocks the network, or the host stops responding. In addition, systems without these services generate ICMP-unreachable messages, which also consume bandwidth. If the source port is set to chargen and the destination port to echo, the systems generate response packets to each other continuously and cause even more damage.

IP-Fragment Attack
Several fields of an IP packet relate to flags and fragmentation: Fragment Offset, Length, Don't Fragment (DF), and MF. If these fields conflict and are not handled properly, the equipment may crash. The fields conflict in the following cases:
- DF is set, and MF is also set or the value of Fragment Offset is not 0.
- DF is 0, but the sum of Fragment Offset and Length is larger than 65535.

Fragmented packets increase the cache and reassembly load on the destination equipment. Fragments whose destination address is the equipment's own address should therefore be discarded directly.


Tracert Attack
A Tracert attack uses the ICMP time-exceeded packets returned when the Time To Live (TTL) reaches 0, together with ICMP port-unreachable packets, to trace the path to a destination. In this way, the attacker maps the network architecture.
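The malformed-packet attacks described in 5.1.2 (Land, Smurf, WinNuke, Ping of Death, Teardrop, Fraggle, IP-fragment and large ICMP packets) reduce to a handful of header checks. The following is an added example in Python, not ME60 code and not taken from this guide: it models a packet as a small dataclass carrying only the header fields the checks need, runs each check over constructed sample packets, and handles Teardrop separately because it needs more than one fragment. The Packet fields, the 1.1.0.0/16 protected subnet and the sample packets are assumptions for illustration; the 4000-byte limit is the ME60 default quoted in 5.2.6.

```python
"""Stateless checks for the malformed-packet attacks described in 5.1.2.

Added example, not ME60 code. A packet is modelled as a dataclass with the
header fields the checks need; the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

TCP, UDP, ICMP = 6, 17, 1
ICMP_ECHO_REQUEST = 8
TCP_SYN, TCP_ACK, TCP_URG = 0x02, 0x10, 0x20
IP_HEADER_LEN = 20                   # assumes no IP options
LARGE_ICMP_MAX = 4000                # ME60 default for firewall defend large-icmp


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    total_length: int                # IP total length field, in bytes
    df: bool = False
    mf: bool = False
    frag_offset: int = 0             # in 8-byte units, as carried in the header
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    icmp_type: int = -1


def to_broadcast(dst: str, net: IPv4Network) -> bool:
    """Directed broadcast or network address of the protected subnet."""
    return IPv4Address(dst) in (net.broadcast_address, net.network_address)


def classify(p: Packet, net: IPv4Network, large_icmp_max: int = LARGE_ICMP_MAX) -> List[str]:
    """Return the names of the attack patterns a single packet matches."""
    hits: List[str] = []
    first_fragment = p.frag_offset == 0 and not p.mf
    reassembled_end = p.frag_offset * 8 + p.total_length

    # Land: TCP SYN with identical source and destination address.
    if p.proto == TCP and p.tcp_flags & TCP_SYN and p.src == p.dst:
        hits.append("land")
    # IP-fragment: DF together with MF or a non-zero offset is contradictory.
    if p.df and (p.mf or p.frag_offset != 0):
        hits.append("ip-fragment")
    # Offset plus length beyond 65535 cannot be reassembled; for ICMP this is
    # the Ping of Death case, for anything else the second IP-fragment case.
    if not p.df and reassembled_end > 65535:
        hits.append("ping-of-death" if p.proto == ICMP else "ip-fragment")
    # Large ICMP: an unfragmented ICMP packet longer than the configured limit.
    if p.proto == ICMP and first_fragment and p.total_length > large_icmp_max:
        hits.append("large-icmp")
    # Smurf: ICMP echo request aimed at the subnet broadcast address.
    if p.proto == ICMP and p.icmp_type == ICMP_ECHO_REQUEST and to_broadcast(p.dst, net):
        hits.append("smurf")
    # Fraggle: UDP to echo (7) or chargen (19) on the broadcast address.
    if p.proto == UDP and p.dport in (7, 19) and to_broadcast(p.dst, net):
        hits.append("fraggle")
    # WinNuke: out-of-band (URG) data to the NetBIOS session port.
    if p.proto == TCP and p.dport == 139 and p.tcp_flags & TCP_URG:
        hits.append("winnuke")
    return hits


def teardrop(fragments: List[Packet]) -> bool:
    """True if fragments of one datagram overlap (Teardrop)."""
    spans = sorted(
        (f.frag_offset * 8, f.frag_offset * 8 + f.total_length - IP_HEADER_LEN)
        for f in fragments
    )
    end = 0
    for start, stop in spans:
        if start < end:
            return True
        end = stop
    return False


def run_samples() -> dict:
    """Constructed packets, one per pattern, plus a benign SYN."""
    net = IPv4Network("1.1.0.0/16")          # the protected enterprise network
    samples = {
        "land": Packet("1.1.0.2", "1.1.0.2", TCP, 40, sport=80, dport=80, tcp_flags=TCP_SYN),
        "smurf": Packet("1.1.0.2", "1.1.255.255", ICMP, 84, icmp_type=ICMP_ECHO_REQUEST),
        "fraggle": Packet("1.1.0.2", "1.1.255.255", UDP, 60, sport=19, dport=7),
        "winnuke": Packet("2.2.0.9", "1.1.0.2", TCP, 60, dport=139, tcp_flags=TCP_ACK | TCP_URG),
        "ping_of_death": Packet("2.2.0.9", "1.1.0.2", ICMP, 1500, frag_offset=8100),
        "bad_flags": Packet("2.2.0.9", "1.1.0.2", UDP, 100, df=True, mf=True),
        "large_icmp": Packet("2.2.0.9", "1.1.0.2", ICMP, 5000, icmp_type=ICMP_ECHO_REQUEST),
        "normal": Packet("2.2.0.9", "1.1.0.2", TCP, 60, sport=40000, dport=443, tcp_flags=TCP_SYN),
    }
    return {name: classify(p, net) for name, p in samples.items()}


def teardrop_samples() -> Tuple[bool, bool]:
    """(overlapping, non-overlapping) fragment trains of one datagram."""
    first = Packet("2.2.0.9", "1.1.0.2", UDP, 100, mf=True, frag_offset=0)   # bytes 0-80
    overlap = Packet("2.2.0.9", "1.1.0.2", UDP, 100, frag_offset=5)          # starts at byte 40
    clean = Packet("2.2.0.9", "1.1.0.2", UDP, 100, frag_offset=10)           # starts at byte 80
    return teardrop([first, overlap]), teardrop([first, clean])


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:14s} -> {hits or ['clean']}")
    print("teardrop (overlap, clean) ->", teardrop_samples())
```

Every check except Teardrop is stateless, which is why these defenses need no session statistics; Flood and scanning defenses (5.2.4 and 5.2.5) are the ones that depend on the counters from chapter 4.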

5.2 Configuring Attack Defense


This section describes how to configure the attack defense function.
5.2.1 Establishing the Configuration Task
5.2.2 (Optional) Configuring the VSU to Work as the SSU
5.2.3 Enabling Attack Defense
5.2.4 Configuring Flood Attack Defense
5.2.5 (Optional) Configuring Scanning Attack Defense
5.2.6 (Optional) Configuring Large ICMP Packet Attack Defense
5.2.7 Checking the Configuration

5.2.1 Establishing the Configuration Task


Applicable Environment
On the ME60, you can enable the attack defense for an area to be protected. The area to be protected may be user domains, interfaces, or specified IP addresses.

Pre-configuration Task
Before configuring attack defense, complete the following tasks:
- Installing the VSU
- Configuring zones and adding interfaces or user domains to the zones (see chapter 2 "Firewall Configuration")
- Configuring the interzone and enabling the firewall in the interzone (see chapter 2 "Firewall Configuration")
- Configuring zone-based or IP address-based traffic statistics and monitoring, because Flood and scanning attack detection relies on the session statistics (see chapter 4 "Traffic Statistics and Monitoring")

Data Preparation
To configure attack defense, you need the following data.

No.  Data
1    Attack type: a specified type or all types
2    Zones or IP addresses (the VPN instance may be included) to be protected against Flood attacks (ICMP Flood, SYN Flood, and UDP Flood), and the maximum session rate
3    Enabling mode of the TCP proxy used to prevent SYN Flood attacks: always enabled, always disabled, or auto (enabled when the session rate exceeds the threshold)
4    Blacklist timeout and maximum session rate used to prevent scanning attacks (IP address sweeping and port scanning)
5    Maximum packet length used to prevent large ICMP packet attacks

5.2.2 (Optional) Configuring the VSU to Work as the SSU


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
set lpu-work-mode ssu slot slot-id

The operation mode of the VSU is set to SSU.

NOTE
- The configured operation mode takes effect only after the VSU is restarted.
- The command that configures the operation mode of the VSU is not recorded in the system configuration file. Run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is already configured properly, you need not configure it again.

----End

5.2.3 Enabling Attack Defense


Context
NOTE

Steps 2-19 are optional and can be performed in any sequence. Select the steps for the types of attack you want to defend against.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend all enable

All types of attack defense are enabled.

Step 3 Run:
firewall defend fraggle enable

The Fraggle attack defense is enabled.

Step 4 Run:
firewall defend icmp-flood enable

The ICMP Flood attack defense is enabled.

Step 5 Run:
firewall defend icmp-redirect enable

The ICMP redirect attack defense is enabled.

Step 6 Run:
firewall defend icmp-unreachable enable

The ICMP unreachable attack defense is enabled.

Step 7 Run:
firewall defend ip-fragment enable

The IP-Fragment attack defense is enabled.

Step 8 Run:
firewall defend ip-sweep enable

The IP address sweeping attack defense is enabled.

Step 9 Run:
firewall defend land enable

The Land attack defense is enabled.

Step 10 Run:
firewall defend large-icmp enable

The large ICMP packet attack defense is enabled.

Step 11 Run:
firewall defend ping-of-death enable

The Ping of Death attack defense is enabled.

Step 12 Run:
firewall defend port-scan enable

The port scanning attack defense is enabled.

Step 13 Run:
firewall defend smurf enable

The Smurf attack defense is enabled.

Step 14 Run:
firewall defend syn-flood enable

The SYN Flood attack defense is enabled.

Step 15 Run:
firewall defend tcp-flag enable

The TCP flag attack defense is enabled.

Step 16 Run:
firewall defend teardrop enable

The Teardrop attack defense is enabled.

Step 17 Run:
firewall defend tracert enable

The Tracert attack defense is enabled.

Step 18 Run:
firewall defend udp-flood enable

The UDP Flood attack defense is enabled.

Step 19 Run:
firewall defend winnuke enable

The WinNuke attack defense is enabled.

By default, attack defense is not enabled on the ME60.

----End

5.2.4 Configuring Flood Attack Defense


Context
Steps 2-4 are optional and can be performed in any sequence. Select the steps for the types of Flood attack you want to defend against.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend icmp-flood { zone zone-name | ip ip-address [ vpn-instance vpn-instance-name ] } [ max-rate rate-number ]

Parameters of ICMP Flood attack defense are configured.

Step 3 Run:
firewall defend syn-flood { zone zone-name | ip ip-address [ vpn-instance vpn-instance-name ] } [ max-rate rate-number ] [ tcp-proxy { auto | on | off } ]

Parameters of SYN Flood attack defense are configured.

Step 4 Run:
firewall defend udp-flood { zone zone-name | ip ip-address [ vpn-instance vpn-instance-name ] } [ max-rate rate-number ]

Parameters of UDP Flood attack defense are configured.

To prevent Flood attacks, you must specify the zones or IP addresses to be protected; otherwise, the configured parameters have no effect. You can specify the maximum session rate. When the session rate to a protected destination exceeds this value, the ME60 treats the traffic as an attack and takes defensive measures.

NOTE
The maximum session rate applies to a Flood attack launched from multiple source addresses against the same destination address. For a Flood attack within a single data flow (same 5-tuple), the maximum rate is not configurable: it is fixed at 20 pps. That is, when the SYN or ICMP packets of one flow reach 20 pps, the ME60 treats them as a Flood attack and discards them, and rate-number does not apply.

For Flood attack defense, an IP address-based rule has a higher priority than a zone-based rule. If Flood attack defense is configured both for a specific IP address and for the zone in which that address resides, the IP address-based defense takes effect. If the IP address-based defense is removed, the zone-based defense takes effect again.

By default, the maximum session rate for Flood attacks is 1000 pps, and the TCP proxy is enabled in SYN Flood attack defense.

NOTE
In Flood attack defense, you can specify up to 4096 IP addresses to be protected.

----End

5.2.5 (Optional) Configuring Scanning Attack Defense


Context
Steps 2 and 3 are optional and can be performed in any sequence. Select the steps for the types of scanning attack you want to defend against.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend ip-sweep { max-rate rate-number | blacklist-timeout interval }

Parameters of IP address sweeping attack defense are configured.

Step 3 Run:
firewall defend port-scan { max-rate rate-number | blacklist-timeout interval }

Parameters of port scanning attack defense are configured.

For scanning attack defense, two parameters need to be configured:
- Maximum session rate: When the IP address-based or port-based session rate exceeds this value, the ME60 considers it an attack, adds the IP address or port to the blacklist, and denies new sessions.
- Blacklist timeout: When an IP address or port has stayed in the blacklist longer than this value, the ME60 releases it from the blacklist and allows new sessions again.

By default, the maximum session rate in IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.

----End
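To make the rules of 5.2.4 and 5.2.5 concrete, the following added Python example (not ME60 code and not taken from this guide) simulates both mechanisms: a per-destination session-rate counter in which an IP address-based rule overrides the zone-based rule and the zone rule applies again once the IP rule is removed, and a per-source blacklist with timeout for IP address sweeping. The zone layout, the timestamps, the traffic burst and the scenario in simulate() are constructed assumptions; the default constants are the values stated in the text, and the 5000 pps / 30-minute scan settings are those of the example in 5.3.3.

```python
"""Simulation of the Flood (5.2.4) and scanning (5.2.5) defense logic.

Added example, not ME60 code. Zone layout, timestamps and traffic are
constructed assumptions; the defaults are the ones quoted in the text.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Set, Tuple

DEFAULT_FLOOD_MAX_RATE = 1000          # pps, default for Flood defense
DEFAULT_SCAN_MAX_RATE = 4000           # pps, default for ip-sweep / port-scan
DEFAULT_BLACKLIST_TIMEOUT = 20 * 60    # seconds (20 minutes)


@dataclass
class FloodDefense:
    """Counts new sessions per destination per second against a max-rate."""
    zones: Dict[str, IPv4Network]                                # zone name -> prefix
    zone_rules: Dict[str, int] = field(default_factory=dict)     # zone -> max-rate
    ip_rules: Dict[str, int] = field(default_factory=dict)       # ip -> max-rate
    counts: Dict[Tuple[str, int], int] = field(default_factory=lambda: defaultdict(int))

    def protect_zone(self, zone: str, max_rate: int = DEFAULT_FLOOD_MAX_RATE) -> None:
        self.zone_rules[zone] = max_rate

    def protect_ip(self, ip: str, max_rate: int = DEFAULT_FLOOD_MAX_RATE) -> None:
        self.ip_rules[ip] = max_rate

    def limit_for(self, dst: str) -> Optional[int]:
        """IP rule first; otherwise the rule of the zone containing dst; else unprotected."""
        if dst in self.ip_rules:
            return self.ip_rules[dst]
        for zone, net in self.zones.items():
            if IPv4Address(dst) in net and zone in self.zone_rules:
                return self.zone_rules[zone]
        return None

    def accept(self, dst: str, t: float) -> bool:
        """True if this new session to dst at time t stays within the limit."""
        limit = self.limit_for(dst)
        if limit is None:
            return True
        key = (dst, int(t))
        self.counts[key] += 1
        return self.counts[key] <= limit


@dataclass
class ScanDefense:
    """Blacklists a source that opens sessions to too many targets per second."""
    max_rate: int = DEFAULT_SCAN_MAX_RATE
    blacklist_timeout: float = DEFAULT_BLACKLIST_TIMEOUT
    blacklist: Dict[str, float] = field(default_factory=dict)    # src -> release time
    targets: Dict[Tuple[str, int], Set[str]] = field(default_factory=lambda: defaultdict(set))

    def accept(self, src: str, target: str, t: float) -> bool:
        release = self.blacklist.get(src)
        if release is not None:
            if t < release:
                return False              # still blacklisted: new sessions denied
            del self.blacklist[src]       # timeout elapsed: released
        seen = self.targets[(src, int(t))]
        seen.add(target)                  # distinct hosts (ip-sweep) or ports (port-scan)
        if len(seen) > self.max_rate:
            self.blacklist[src] = t + self.blacklist_timeout
            return False
        return True


def simulate() -> dict:
    # zone1 limited to 1000 pps; server 1.1.0.2 gets its own 2000 pps rule.
    flood = FloodDefense(zones={"zone1": IPv4Network("1.1.0.0/16")})
    flood.protect_zone("zone1", 1000)
    flood.protect_ip("1.1.0.2", 2000)
    burst = 1500                           # SYNs within one second to each host
    dropped = {
        dst: sum(not flood.accept(dst, 0.5) for _ in range(burst))
        for dst in ("1.1.0.2", "1.1.0.3")
    }
    del flood.ip_rules["1.1.0.2"]          # remove the IP rule: zone rule applies again
    fallback_limit = flood.limit_for("1.1.0.2")

    # ip-sweep with the values from 5.3.3: 5000 pps, 30-minute blacklist.
    scan = ScanDefense(max_rate=5000, blacklist_timeout=30 * 60)
    attacker, t0 = "2.2.0.9", 10.0
    allowed = sum(scan.accept(attacker, f"1.1.{i // 256}.{i % 256}", t0) for i in range(5001))
    during = scan.accept(attacker, "1.1.0.2", t0 + 60)
    after = scan.accept(attacker, "1.1.0.2", t0 + 30 * 60 + 1)
    return {
        "dropped": dropped,
        "fallback_limit": fallback_limit,
        "scan_allowed": allowed,
        "blocked_during_timeout": during,
        "allowed_after_timeout": after,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The per-second bucket keyed on int(t) is the simplest model of "session rate"; a real implementation would use the session statistics that chapter 4 configures, which is why those statistics are a prerequisite for Flood and scanning defense.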

5.2.6 (Optional) Configuring Large ICMP Packet Attack Defense


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend large-icmp max-length length

Parameters of large ICMP packet attack defense are configured.

For large ICMP packet attack defense, only one parameter needs to be configured: the maximum packet length. When the length of an ICMP packet exceeds this value, the ME60 considers it an attack and discards the packet.

By default, the maximum length of an ICMP packet is 4000 bytes.

----End

5.2.7 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                      Command
Check the enabled attack defenses.                          display firewall defend flag
Check the configuration of Flood attack defenses.           display firewall defend { icmp-flood | syn-flood | udp-flood } [ zone [ zone-name ] | ip [ ip-address ] [ vpn-instance vpn-instance-name ] ]
Check the configurations of other types of attack defense.  display firewall defend attack-type

5.3 Configuration Examples


This section provides several configuration examples of attack defense.
5.3.1 Example for Configuring Land Attack Defense
5.3.2 Example for Configuring SYN Flood Attack Defense
5.3.3 Example for Configuring IP Address Sweeping Attack Defense

5.3.1 Example for Configuring Land Attack Defense


Networking Requirements
As shown in Figure 5-1, GE1/0/0 of the ME60 is connected to an intranet with a high priority. GE2/0/0 of the ME60 is connected to the Internet with a low priority. You need to configure Land attack defense for the traffic from the Internet to the intranet.

Figure 5-1 Networking of Land attack defense
[Figure: Server -- Enterprise network -- GE1/0/0 1.1.0.1/16 -- ME60 -- GE2/0/0 2.2.0.1/16 -- Internet]

Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure Land attack defense.

Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 5-1
- Network security priorities: 100 for the internal network and 1 for the external network

Configuration Procedures
1. (Optional) Configure the VSU to function as the SSU.
   <Quidway> system-view
   [Quidway] set lpu-work-mode ssu slot 3
   [Quidway] quit
   <Quidway> reset slot 3

2. Configure IP addresses of interfaces.
   <Quidway> system-view
   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
   [Quidway-GigabitEthernet2/0/0] quit

3. Configure an ACL.
   [Quidway] acl 2000
   [Quidway-acl-basic-2000] rule permit
   [Quidway-acl-basic-2000] quit

4. Configure zones and the interzone.
   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] priority 100
   [Quidway-zone-zone1] quit
   [Quidway] firewall zone zone2
   [Quidway-zone-zone2] priority 1
   [Quidway-zone-zone2] quit
   [Quidway] firewall interzone zone1 zone2
   [Quidway-interzone-zone1-zone2] firewall enable
   [Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
   [Quidway-interzone-zone1-zone2] packet-filter 2000 outbound
   [Quidway-interzone-zone1-zone2] quit

5. Add the interfaces to the zones.
   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] zone zone1
   [Quidway-GigabitEthernet1/0/0] shutdown
   [Quidway-GigabitEthernet1/0/0] undo shutdown
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] zone zone2
   [Quidway-GigabitEthernet2/0/0] shutdown
   [Quidway-GigabitEthernet2/0/0] undo shutdown
   [Quidway-GigabitEthernet2/0/0] quit

6. Configure Land attack defense.
   [Quidway] firewall defend land enable

Configuration Files
#
 sysname Quidway
#
 firewall defend land enable
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
acl number 2000
 rule 5 permit
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 2000 inbound
 packet-filter 2000 outbound
#
return

5.3.2 Example for Configuring SYN Flood Attack Defense


Networking Requirements
As shown in Figure 5-2, GE1/0/0 of the ME60 is connected to an intranet with a high priority. GE2/0/0 of the ME60 is connected to the Internet with a low priority. You need to configure SYN Flood attack defense for the traffic from the Internet to the intranet.

Figure 5-2 Networking of SYN Flood attack defense
[Figure: Server 1.1.0.2 -- Enterprise network -- GE1/0/0 1.1.0.1/16 -- ME60 -- GE2/0/0 2.2.0.1/16 -- Internet]

Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure SYN Flood attack defense.

Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 5-2
- Network security priorities: 100 for the internal network and 1 for the external network

Configuration Procedures
1. (Optional) Configure the VSU to function as the SSU.
   <Quidway> system-view
   [Quidway] set lpu-work-mode ssu slot 3
   [Quidway] quit
   <Quidway> reset slot 3

2. Configure IP addresses of interfaces.
   <Quidway> system-view
   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
   [Quidway-GigabitEthernet2/0/0] quit

3. Configure an ACL.
   [Quidway] acl 2000
   [Quidway-acl-basic-2000] rule permit
   [Quidway-acl-basic-2000] quit

4. Configure zones and the interzone.
   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] priority 100
   [Quidway-zone-zone1] quit
   [Quidway] firewall zone zone2
   [Quidway-zone-zone2] priority 1
   [Quidway-zone-zone2] quit
   [Quidway] firewall interzone zone1 zone2
   [Quidway-interzone-zone1-zone2] firewall enable
   [Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
   [Quidway-interzone-zone1-zone2] packet-filter 2000 outbound
   [Quidway-interzone-zone1-zone2] quit

5. Add the interfaces to the zones.
   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] zone zone1
   [Quidway-GigabitEthernet1/0/0] shutdown
   [Quidway-GigabitEthernet1/0/0] undo shutdown
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] zone zone2
   [Quidway-GigabitEthernet2/0/0] shutdown
   [Quidway-GigabitEthernet2/0/0] undo shutdown
   [Quidway-GigabitEthernet2/0/0] quit

6. Configure SYN Flood attack defense. For the entire intranet, the maximum SYN session rate is 1000 pps and the TCP proxy is enabled automatically when that rate is exceeded. For server 1.1.0.2, the maximum SYN session rate is 2000 pps and the TCP proxy is always enabled.
   [Quidway] firewall defend syn-flood enable
   [Quidway] firewall defend syn-flood zone zone1 max-rate 1000 tcp-proxy auto
   [Quidway] firewall defend syn-flood ip 1.1.0.2 max-rate 2000 tcp-proxy on

Configuration Files
#
 sysname Quidway
#
 firewall defend syn-flood enable
 firewall defend syn-flood zone zone1
 firewall defend syn-flood ip 1.1.0.2 max-rate 2000 tcp-proxy on
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
acl number 2000
 rule 5 permit
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 2000 inbound
 packet-filter 2000 outbound
#
return


5.3.3 Example for Configuring IP Address Sweeping Attack Defense


Networking Requirements
As shown in Figure 5-3, GE1/0/0 of the ME60 is connected to an intranet with a high priority. GE2/0/0 of the ME60 is connected to the Internet with a low priority. You need to configure IP address sweeping attack defense for the traffic from the Internet to the intranet. The maximum session rate is 5000 pps, and the blacklist timeout is 30 minutes.

Figure 5-3 Networking of IP address sweeping attack defense
(Figure: server and enterprise network on GE1/0/0 1.1.0.1/16 of the ME60; Internet on GE2/0/0 2.2.0.1/16)

Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure IP address sweeping attack defense.

Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 5-3
- Network security priorities: 100 for the internal network, and 1 for the external network

Configuration Procedures
1. (Optional) Configure the VSU to work in SSU mode.

<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of interfaces.

<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit

3. Configure an ACL.

[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit
[Quidway-acl-basic-2000] quit

4. Configure zones and the interzone.

[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
[Quidway-interzone-zone1-zone2] packet-filter 2000 outbound
[Quidway-interzone-zone1-zone2] quit

5. Add the interfaces to the zones.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit

6. Configure IP address sweeping attack defense.

[Quidway] firewall defend ip-sweep enable
[Quidway] firewall defend ip-sweep blacklist-timeout 30
[Quidway] firewall defend ip-sweep max-rate 5000


Configuration Files
#
 sysname Quidway
#
 firewall defend ip-sweep enable
 firewall defend ip-sweep max-rate 5000
 firewall defend ip-sweep blacklist-timeout 30
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
acl number 2000
 rule 5 permit
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 2000 inbound
 packet-filter 2000 outbound
#
return
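The behaviour this example configures (a per-source session rate limit with a timed blacklist) can be modelled to reason about what the thresholds mean for a host. The following is an added example written for this guide, not ME60 code: a minimal model with a one-second counting window and constructed timestamps and addresses, defaulting to the 5000 pps and 30 minute values above.

```python
"""Model of the rate-based IP address sweeping defense configured above.

Added example, not ME60 code: a source that opens new sessions faster than
max_rate per second is blacklisted for blacklist_timeout minutes. The
thresholds default to the example's values (5000 pps, 30 minutes); the
one-second window and the timestamps are constructed simplifications.
"""


class SweepDefense:
    def __init__(self, max_rate=5000, blacklist_timeout_min=30):
        self.max_rate = max_rate
        self.timeout = blacklist_timeout_min * 60   # seconds
        self.window = {}      # src -> (second, sessions seen in that second)
        self.blacklist = {}   # src -> time at which the entry expires

    def is_blacklisted(self, src, now):
        """True while src is on the blacklist; expired entries are removed."""
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[src]
            return False
        return True

    def new_session(self, src, now):
        """Decide 'forward' or 'drop' for a session setup from src at time now."""
        if self.is_blacklisted(src, now):
            return "drop"
        sec = int(now)
        last_sec, count = self.window.get(src, (sec, 0))
        if last_sec != sec:          # new one-second window: restart the count
            count = 0
        count += 1
        self.window[src] = (sec, count)
        if count > self.max_rate:    # rate exceeded: blacklist for the timeout
            self.blacklist[src] = now + self.timeout
            return "drop"
        return "forward"


def run_sweep(defense, src, count, start):
    """Send count session setups from src inside one second; return (forwarded, dropped)."""
    forwarded = dropped = 0
    for i in range(count):
        now = start + i / count      # all timestamps stay inside [start, start + 1)
        if defense.new_session(src, now) == "forward":
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


if __name__ == "__main__":
    d = SweepDefense()
    # Constructed sweep: 6000 session setups in one second from one address.
    print(run_sweep(d, "203.0.113.9", 6000, 1000.0))          # (5000, 1000)
    print(d.new_session("203.0.113.9", 1001.5))                # drop (blacklisted)
    print(d.new_session("198.51.100.4", 1001.5))               # forward (other host)
    print(d.new_session("203.0.113.9", 1000.0 + 30 * 60 + 1))  # forward (timeout expired)
```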


6 IPSec Configuration

About This Chapter

This chapter describes the rationale, implementation, and configuration of IPSec.

6.1 Introduction
This section describes the concept and rationale of IPSec.

6.2 Defining Data Flows to Be Protected
This section describes how to define the data flows to be protected.

6.3 Configuring an IPSec Proposal
This section describes how to configure an IPSec proposal.

6.4 Configuring an IPSec Policy
This section describes how to configure an IPSec policy.

6.5 Configuring IPSec Policies by Using the IPSec Policy Template
This section describes how to use the IPSec policy template to configure IPSec policies.

6.6 Applying an IPSec Policy or an IPSec Policy Group to an Interface
This section describes how to apply an IPSec policy or an IPSec policy group to an interface.

6.7 Maintaining IPSec
This section provides the commands for clearing IPSec statistics and debugging IPSec.

6.8 Configuration Examples
This section provides a configuration example of IPSec.


6.1 Introduction
This section describes the concept and rationale of IPSec.

6.1.1 Overview of IPSec
6.1.2 Terms Related to IPSec
6.1.3 IPSec Features Supported by the ME60

6.1.1 Overview of IPSec


The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, cryptography-based security for IP packets. The two communicating parties can encrypt data and authenticate the data source at the IP layer to ensure confidentiality, data integrity, data source authentication, and anti-replay for packets during transmission on the network.
NOTE

- Confidentiality: client data is encrypted and transmitted as cipher text.
- Data integrity: the receiver authenticates the received data to find out whether the packet was modified in transit.
- Data source authentication: the receiver authenticates the data source to make sure the data was sent by the real sender.
- Anti-replay: malicious clients are prevented from repeatedly sending captured data packets. In other words, the receiver rejects old or repeated data packets.

IPSec implements the above features using the Authentication Header (AH) security protocol and the Encapsulating Security Payload (ESP) security protocol. The Internet Key Exchange (IKE) protocol also provides automatic key negotiation, Security Association (SA) setup, and maintenance services to simplify the use and management of IPSec.
- AH mainly provides data source authentication, data integrity authentication, and anti-replay. AH cannot encrypt the packet.
- ESP provides encryption in addition to the functions provided by AH. The data integrity authentication of ESP does not cover the IP header. ESP can authenticate and encrypt packets at the same time, or only authenticate or only encrypt packets.
NOTE

AH and ESP can be used either independently or in combination. There are two encapsulation modes for both AH and ESP: transport mode and tunnel mode. For details about the two modes, see "Encapsulation Modes of IPSec".

IKE is used to negotiate the keys for IPSec: the peers exchange key material and derive the keys used by the cryptographic algorithms applied in AH and ESP.
NOTE

IKE negotiation is not necessary. The IPSec policy and algorithm can also be negotiated manually. For comparisons of these two negotiation modes, see "Negotiation Modes".

6.1.2 Terms Related to IPSec


Security Association
IPSec provides secure communication between IPSec peers (two communication ends).

A security association (SA) is a set of conventions adopted by the communicating parties. The conventions include the protocol adopted (AH, ESP, or both), the encapsulation mode of the protocol (transport mode or tunnel mode), the cryptographic algorithm (DES or 3DES), the shared key of the specified data flows, and the lifetime of the shared key. The SA is the basis of IPSec.

An SA is unidirectional. If two hosts communicate through ESP, each host needs two SAs: one protects outbound packets, and the other protects inbound packets. In addition, if both AH and ESP are applied to protect the data flow between peers, two SAs are needed for AH and ESP respectively. Therefore, each host requires four SAs.

An SA is identified uniquely by three parameters: the security parameter index (SPI), the destination IP address, and the security protocol ID (AH or ESP). The SPI is a 32-bit number that uniquely identifies an SA. The SPI is carried in the AH/ESP header during transmission.

An SA has a duration. The duration is calculated through either of the following methods:
- Time-based duration: the SA is updated at a specific interval.
- Traffic-based duration: the SA is updated after a certain amount of data (bytes) has been transmitted.

The SA becomes invalid when either duration expires. Before the duration expires, IKE negotiates a new SA for IPSec, so that a new SA is ready before the old SA becomes invalid. The SA also specifies the protocol encapsulation mode.

Encapsulation Modes of IPSec


IPSec has two encapsulation modes:
- Transport mode: the AH/ESP header is inserted after the IP header but before all transport layer protocols or all other IPSec protocols. Figure 6-1 shows the transport mode.
- Tunnel mode: the AH/ESP header is inserted before the original IP header and after the new IP header. Figure 6-2 shows the tunnel mode.

Figure 6-1 Packet format in transport mode

Mode       Protocol  Packet format
Transport  AH        IP Header | AH | TCP Header | data
Transport  ESP       IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
Transport  AH-ESP    IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data

Figure 6-2 Packet format in tunnel mode

Mode    Protocol  Packet format
Tunnel  AH        new IP Header | AH | raw IP Header | TCP Header | data
Tunnel  ESP       new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
Tunnel  AH-ESP    new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data

Use either of the modes according to the actual situation.
- The tunnel mode is safer than the transport mode. The tunnel mode can authenticate and encrypt the original IP packet completely. In addition, it can hide the client IP address by using the IP address of the IPSec peer. The tunnel mode occupies more bandwidth than the transport mode because it adds an extra IP header.
- The transport mode is suitable for communication between two hosts or between a host and a security gateway. In the transport mode, the two devices encrypting and decrypting packets must be the original sender and the final receiver of the packets respectively. Most of the data flows between two security gateways (or routers) are not their own communication traffic. Therefore, the tunnel mode is used between security gateways. Packets encrypted by one security gateway can be decrypted only by the corresponding security gateway: a new IP header must be added to the packet so that it is delivered to the security gateway that can decrypt it.

Authentication Algorithms and Encryption Algorithms


- Authentication algorithms
  AH and ESP can authenticate the integrity of an IP packet to determine whether the packet was modified during transmission. The authentication is implemented with a hash function. A hash function is an algorithm that accepts input messages of any length but always outputs a message of a fixed length. The output is called the message digest. To authenticate integrity, the IPSec peers compute the hash over the packet. If the message digests are the same at both ends, the packet is intact and has not been modified. There are two IPSec authentication algorithms:
  - Message Digest 5 (MD5): accepts a message of any length and generates a 128-bit message digest.
  - Secure Hash Algorithm (SHA-1): accepts a message of less than 2^64 bits and generates a 160-bit message digest.
  The SHA-1 digest is longer than that of MD5, and so SHA-1 is safer than MD5.
- Encryption algorithms
  ESP can encrypt an IP packet to prevent disclosure of the packet contents during transmission. The encryption is implemented with a symmetric key system, in which data is encrypted and decrypted with the same key. IPSec uses two encryption algorithms:
  - DES: encrypts 64-bit plain text blocks by using a 56-bit key.
  - 3DES: encrypts plain text by using three 56-bit DES keys (a 168-bit key).
  The 3DES algorithm is much safer than DES; however, its encryption speed is comparatively slower.
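The practical difference between the AH and ESP integrity checks described above (AH covers the IP header, ESP does not) can be shown with a hash-based check. The following is an added example written for this guide, not ME60 code: it uses a constructed key and addresses, a simplified IPv4 header, and HMAC-SHA1 without the encryption, padding and truncation of a real implementation.

```python
"""Why AH and ESP integrity checks react differently to a changed IP header.

Added example, not ME60 code. It builds a minimal IPv4 header and payload,
computes an AH-style ICV (HMAC over the IP header with its mutable fields
zeroed, plus the payload) and an ESP-style ICV (HMAC over ESP header,
payload and trailer only), and shows that a source address rewritten in
transit (as a NAT device does) is caught by AH but not by ESP, while a TTL
decrement breaks neither. Constructed key and addresses; encryption,
padding and ICV truncation are omitted.
"""
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed; a real SA key comes from IKE or the operator


def ipv4_header(src, dst, ttl=64, proto=50, length=40):
    """Pack a 20-byte IPv4 header (header checksum left at zero for simplicity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def zero_mutable_fields(hdr):
    """AH hashes the IP header with TOS, flags/offset, TTL and checksum set to zero."""
    b = bytearray(hdr)
    b[1] = 0                  # TOS / DSCP may be rewritten by routers
    b[6:8] = b"\x00\x00"      # flags and fragment offset
    b[8] = 0                  # TTL is decremented at every hop
    b[10:12] = b"\x00\x00"    # header checksum changes with the TTL
    return bytes(b)


def ah_icv(ip_hdr, payload, algo="sha1"):
    """AH integrity value covers the immutable part of the IP header and the payload."""
    return hmac.new(KEY, zero_mutable_fields(ip_hdr) + payload, algo).digest()


def esp_icv(spi, seq, payload, algo="sha1"):
    """ESP auth data covers ESP header, (encrypted) payload and trailer, never the IP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    trailer = bytes([0, 6])   # pad length 0, next header = TCP (6)
    return hmac.new(KEY, esp_hdr + payload + trailer, algo).digest()


def verify(protocol, recv_hdr, recv_payload, icv, spi=0x1234, seq=1):
    """Receiver-side check: does the packet as received still match the sender's ICV?"""
    if protocol == "ah":
        expected = ah_icv(recv_hdr, recv_payload)
    elif protocol == "esp":
        expected = esp_icv(spi, seq, recv_payload)
    else:
        raise ValueError(protocol)
    return hmac.compare_digest(expected, icv)


if __name__ == "__main__":
    hdr = ipv4_header("173.1.1.1", "173.2.2.1")
    payload = b"constructed TCP segment"
    ah = ah_icv(hdr, payload)
    esp = esp_icv(0x1234, 1, payload)
    # Source address rewritten in transit: AH notices, ESP cannot.
    rewritten = ipv4_header("198.51.100.7", "173.2.2.1")
    print("AH detects rewritten source: ", not verify("ah", rewritten, payload, ah))
    print("ESP detects rewritten source:", not verify("esp", rewritten, payload, esp))
    # TTL decremented by a router: AH still verifies because TTL is a mutable field.
    hop = ipv4_header("173.1.1.1", "173.2.2.1", ttl=63)
    print("AH accepts after a hop:      ", verify("ah", hop, payload, ah))
```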

Negotiation Modes
There are two negotiation modes for establishing an SA: manual mode (manual) and IKE auto-negotiation mode (isakmp).

The manual mode is comparatively complex because all information about the SA has to be configured manually, and it does not support some advanced features of IPSec, such as the key update timer. The manual mode implements IPSec independently of IKE. The IKE auto-negotiation mode is much easier because the SA can be established and maintained through IKE auto-negotiation as long as the security policies for IKE negotiation are configured.

The manual mode is feasible where few peer devices are deployed or in a small static environment. For a medium or large dynamic networking environment, the IKE auto-negotiation mode is recommended.

IPSec allows systems, network subscribers, or administrators to control the granularity of security services between peers. For instance, the IPSec policies of a group may prescribe that data flows from one subnet be protected using AH and ESP and encrypted using 3DES, while data flows from another site be protected using ESP only and encrypted using DES only. IPSec can thus provide different levels of security protection for different data flows based on the SA.

6.1.3 IPSec Features Supported by the ME60


The ME60 implements the previously mentioned functions of IPSec. Through IPSec, the peers can perform various security protections (authentication, encryption, or both) on data flows that are differentiated based on the ACL.

To implement the IPSec function, you need to configure the IPSec policy and the QoS traffic policy on the ME60. Apply the QoS traffic policy configured with the IPSec behavior to the entire equipment or to the incoming interface, and then apply the IPSec policy or IPSec policy group to the outgoing interface. After the configuration, user packets can be encrypted. For the packets sent by a user, the ME60 checks whether the packets need to be encrypted through IPSec according to the QoS traffic policy. If the packets need to be encrypted, the ME60 determines whether and how to encrypt the packets according to the IPSec policy configured on the outgoing interface of the packets.

The configuration roadmap of IPSec is as follows:
1. Define the data flows to be protected and use ACL rules to differentiate them.
2. Define a security proposal and specify the security protocol, authentication algorithm, encryption algorithm, and encapsulation mode.
3. Define a security policy or a security policy group and specify the association between the data flow and the IPSec proposal, the SA negotiation mode, the peer IP address, the required key, and the SA duration.
4. Apply the IPSec policy on the interface of the ME60.

For the configuration roadmap of the QoS traffic policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

6.2 Defining Data Flows to Be Protected


This section describes how to define the data flows to be protected.

6.2.1 Establishing the Configuration Task
6.2.2 Defining Data Flows to Be Protected

6.2.1 Establishing the Configuration Task


Applicable Environment
Packets that need protection are defined based on the pre-defined advanced ACL. Packets are first matched with the rules in the ACL. Packets that only match permit statements in the ACL are protected through IPSec. Packets that match deny statements in the ACL are sent out directly without protection.
NOTE

Although their format and configuration method are the same, the IPSec ACL differs from the firewall ACL in terms of function. A common ACL is used to determine whether to permit or deny certain data on an interface. For more information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.

Data flows need to be authenticated for security purposes. Some data flows should be authenticated and encrypted for higher security requirements. An IPSec policy can provide only one security protection method. You should, therefore, define different ACLs and IPSec policies for different data flows accordingly.

The ACLs defined on the local router and the ACLs on the remote router should correspond to each other (mirroring), so that data encrypted at one end can be authenticated and decrypted at the peer end. If a data flow defined by the remote ACL is not encrypted, the local router regards it as an attack packet and discards it. For example, at the local end:

[Quidway] acl number 3101
[Quidway-acl-adv-3101] rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255

At the remote end:

[Quidway] acl number 3101
[Quidway-acl-adv-3101] rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255


NOTE

- IPSec protects only the data flows that match the permit statements in the ACL. You should, therefore, define the ACL accurately. The any keyword should be used cautiously.
- It is recommended that you configure a mirror relationship between the local ACL and the remote ACL.
- Using the display acl command, you can view all ACLs, including ACLs for traffic filtering and ACLs for encryption.
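The mirror relationship recommended above can be checked offline from the rule text before the ACLs are deployed. The following is an added example written for this guide, not ME60 code: it parses a constructed subset of the rule syntax (permit/deny, protocol, source/destination with wildcard or any, source-port/destination-port with the eq operator), normalises addresses against their wildcards, and lists local rules whose swapped counterpart is missing from the remote ACL.

```python
"""Check that a local advanced ACL and the remote ACL mirror each other.

Added example, not ME60 code: it parses a constructed subset of the rule
syntax shown in this section (permit/deny, protocol, source/destination with
wildcard or any, and source-port/destination-port with the eq operator),
normalises each address with its wildcard, and reports local rules whose
source/destination-swapped counterpart is missing on the remote end.
"""


def _ip_to_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def network_key(addr):
    """'any' stays 'any'; (ip, wildcard) becomes (masked network, wildcard)."""
    if addr == "any":
        return "any"
    ip, wildcard = addr
    wc = _ip_to_int(wildcard)
    return (_ip_to_int(ip) & ~wc & 0xFFFFFFFF, wc)


def parse_rule(line):
    """Parse 'rule [id] {permit|deny} protocol ...' into a dict of match fields."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError("not an ACL rule: %r" % line)
    rule = {"id": None, "source": "any", "destination": "any",
            "source-port": None, "destination-port": None}
    i = 1
    if tokens[i].isdigit():
        rule["id"] = int(tokens[i])
        i += 1
    rule["action"], rule["protocol"] = tokens[i], tokens[i + 1]
    i += 2
    while i < len(tokens):
        kw = tokens[i]
        if kw in ("source", "destination"):
            if tokens[i + 1] == "any":
                rule[kw] = "any"
                i += 2
            else:
                rule[kw] = (tokens[i + 1], tokens[i + 2])   # ip, wildcard
                i += 3
        elif kw in ("source-port", "destination-port") and tokens[i + 1] == "eq":
            rule[kw] = ("eq", int(tokens[i + 2]))
            i += 3
        else:
            raise ValueError("keyword not handled by this example: %r" % kw)
    return rule


def flow_key(rule, mirrored=False):
    """Hashable description of the flow a rule matches, optionally with the ends swapped."""
    src = (network_key(rule["source"]), rule["source-port"])
    dst = (network_key(rule["destination"]), rule["destination-port"])
    if mirrored:
        src, dst = dst, src
    return (rule["action"], rule["protocol"], src, dst)


def unmirrored_rules(local_lines, remote_lines):
    """Return the local rule lines that have no mirrored counterpart in the remote ACL."""
    remote_keys = {flow_key(parse_rule(line)) for line in remote_lines}
    return [line for line in local_lines
            if flow_key(parse_rule(line), mirrored=True) not in remote_keys]


if __name__ == "__main__":
    # Constructed ACLs: the first rule pair is the one from the text, the second is not mirrored.
    local = [
        "rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255",
        "rule 2 permit tcp source 173.1.1.0 0.0.0.255 destination 173.2.2.10 0 destination-port eq 443",
    ]
    remote = [
        "rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255",
    ]
    for line in unmirrored_rules(local, remote):
        print("no mirror on remote end:", line)
```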

Pre-configuration Task
None.

Data Preparation
To define data flows to be protected, you need the following data.

No.  Data
1    ACL number
2    (Optional) Configuration sequence of ACL rules
3    (Optional) Numbers of the ACL rules
4    Protocol type
5    (Optional) Source and destination IP addresses and wildcards
6    (Optional) Source and destination port numbers and the operator for comparing the port numbers of the source and destination addresses
7    (Optional) ICMPv6 packet type and message code information
8    (Optional) Packet precedence
9    (Optional) Service type
10   (Optional) Name of a time range
11   (Optional) Whether to log the packets that match the rule
12   (Optional) Whether this rule takes effect only on fragmented packets other than the first fragment

6.2.2 Defining Data Flows to Be Protected


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An advanced ACL is created.

Step 3 Run one of the following commands to configure ACL rules:
- rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag-value | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
- rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | source-port operator port | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
- rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | dscp dscp | fragment-type fragment-type | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
- rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*

For the configuration of the advanced ACL, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.

----End

6.3 Configuring an IPSec Proposal


This section describes how to configure an IPSec proposal.

6.3.1 Establishing the Configuration Task
6.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal View
6.3.3 Configuring the IPSec Protocol
6.3.4 Configuring the Authentication Algorithm
6.3.5 Configuring the Encryption Algorithm
6.3.6 Configuring the Encapsulation Mode
6.3.7 Checking the Configuration

6.3.1 Establishing the Configuration Task


Applicable Environment
An IPSec proposal must be configured as part of configuring IPSec.

Pre-configuration Task
Before configuring an IPSec proposal, complete the following task:
- Defining Data Flows to Be Protected

Data Preparation
To configure an IPSec proposal, you need the following data.

No.  Data
1    Name of the IPSec proposal (a character string of 1 to 15 characters)
2    Security protocol adopted: AH, ESP, or AH-ESP
3    Authentication algorithm adopted: MD5 or SHA-1
4    Encryption algorithm adopted: DES or 3DES
5    Encapsulation mode adopted: transport mode or tunnel mode

6.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal View
Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

An IPSec proposal is created and the IPSec proposal view is displayed.


NOTE

You can configure up to 50 IPSec proposals.

----End

6.3.3 Configuring the IPSec Protocol


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

The IPSec proposal view is displayed.

Step 3 Run:
transform { ah | ah-esp | esp }

The security protocol used by the IPSec proposal is configured.


NOTE

The default security protocol is ESP, that is, the ESP protocol defined in RFC 2406.

----End

6.3.4 Configuring the Authentication Algorithm


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

The IPSec proposal view is displayed.

Step 3 Run:
ah authentication-algorithm { md5 | sha1 }

The authentication algorithm adopted by AH is configured. Or run:
undo ah authentication-algorithm

The default authentication algorithm is adopted for the AH protocol.

Step 4 Run:
esp authentication-algorithm { md5 | sha1 }

The authentication algorithm adopted by ESP is configured. Or run:
undo esp authentication-algorithm

The default authentication algorithm is adopted for the ESP protocol.


NOTE

- By default, both ESP and AH adopt the MD5 authentication algorithm.
- You can configure the authentication algorithm only after selecting the corresponding IPSec protocol by running the transform command. For example, if ESP is selected, you can configure only the authentication algorithm required for ESP.

----End

6.3.5 Configuring the Encryption Algorithm


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

The IPSec proposal view is displayed.

Step 3 Run:
esp encryption-algorithm { 3des | des }

The encryption algorithm adopted by ESP is configured. Or run:
undo esp encryption-algorithm

The default encryption algorithm is adopted for the ESP protocol.


NOTE

By default, both ESP and AH adopt the MD5 encryption algorithm.

----End

6.3.6 Configuring the Encapsulation Mode


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

The IPSec proposal view is displayed.

Step 3 Run:
encapsulation-mode { transport | tunnel }

The encapsulation mode is configured.


NOTE

- By default, the tunnel mode is adopted.
- When the transport mode is adopted, the data flow is not protected. If you want to protect the data flow in this case, the two ends of the data flow must be the same as those of the security tunnel.

----End

6.3.7 Checking the Configuration


Run the following command to check the previous configuration.

Action                                        Command
Check information about the IPSec proposal.   display ipsec proposal [ name proposal-name ]

6.4 Configuring an IPSec Policy


This section describes how to configure an IPSec policy.
NOTE

This section describes configuration of the IPSec policy in the manual negotiation mode and the IKE negotiation mode. The configuration is needed in both manual mode and IKE mode unless otherwise specified.

6.4.1 Establishing the Configuration Task
6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View
6.4.3 Configuring the ACL Used in the IPSec Policy
6.4.4 Applying the IPSec Proposal to the IPSec Policy
6.4.5 Configuring the SA Duration
6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)
6.4.7 Configuring the SPI for an SA (for Manual Mode)
6.4.8 Configuring Key for an SA (for Manual Mode)
6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode)
6.4.10 Configuring the PFS Feature Used in the IKE Negotiation
6.4.11 Configuring the Global SA Duration
6.4.12 Checking the Configuration

6.4.1 Establishing the Configuration Task


Applicable Environment
An IPSec policy must be configured as part of configuring IPSec.

Pre-configuration Task
Before configuring an IPSec policy, complete the following tasks:
- 6.2 Defining Data Flows to Be Protected
- 6.3 Configuring an IPSec Proposal
- Creating an IKE peer if the IKE negotiation mode is adopted (see chapter 7 "IKE Configuration")

Data Preparation
To configure an IPSec policy, you need the following data.

No.  Data
1    Name and sequence number of the IPSec policy
2    Negotiation mode: manual mode or IKE mode
3    SA duration or global duration of an SA, time-based or traffic-based
4    For manual mode: local and remote IP addresses of the tunnel (only used for policies applied to interfaces), SPI of an SA, inbound or outbound direction, IPSec protocol adopted, authentication key used by an SA, and encryption key (if ESP is adopted)
     For IKE negotiation mode: IKE peer name, and DH group used by Perfect Forward Secrecy (PFS)

6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View
Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

An IPSec policy is created and the IPSec policy view is displayed.


NOTE

- Up to 100 IPSec policies can be created in the system.
- By default, no IPSec policy is configured.

----End

6.4.3 Configuring the ACL Used in the IPSec Policy


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
security acl acl-number

The ACL used in the IPSec policy is configured.


NOTE

An IPSec policy can use only one ACL. If multiple ACLs are configured to an IPSec policy, the latest one takes effect.

----End

6.4.4 Applying the IPSec Proposal to the IPSec Policy


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
proposal proposal-name &<1-6>

The IPSec proposal is adopted by the IPSec policy.


NOTE

- When you set up an SA manually, an IPSec policy can apply only one IPSec proposal. You should remove the old IPSec proposal before applying a new one. In addition, the IPSec proposals applied on the two ends of a tunnel should be configured with the same security protocol, algorithms, and packet encapsulation mode.
- When you set up an SA by IKE negotiation (isakmp), an IPSec policy can apply up to six IPSec proposals. IKE negotiation searches for completely matching IPSec proposals on the two ends of the tunnel. If no completely matching IPSec proposal is found, the SA cannot be set up and the packets that need protection are discarded.

----End

6.4.5 Configuring the SA Duration


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
sa duration { traffic-based kilobytes | time-based seconds }

The SA duration is configured.


NOTE

- The default time-based duration of an SA is 3600 seconds; the default traffic-based duration of an SA is 1843200 kilobytes. If no duration is set for an SA, the global duration is adopted. For details about the global SA duration, see "6.4.11 Configuring the Global SA Duration".
- When IKE negotiates a new SA for IPSec, the shorter of the locally set duration and the duration proposed by the peer is used.
- Modifying the duration does not affect existing SAs. The modified duration is used when new SAs are set up through IKE negotiation.
- The SA duration takes effect in IKE negotiation mode and not in manual negotiation mode.

----End
Issue 05 (2010-09-25) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 6-15

6 IPSec Configuration

Quidway ME60 Multiservice Control Gateway Configuration Guide - Security

6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
tunnel local ip-address

The local IP address of the tunnel is configured.

Step 4 Run:
tunnel remote ip-address

The remote IP address of the tunnel is configured.

NOTE
- This configuration actually specifies the IPSec peers.
- When implementing a manually created IPSec policy, you must configure the local address before the SA can be set up. The security tunnel can be set up only when the local and remote addresses are configured correctly, that is, when the local address of one end is the remote address of the other.

----End

6.4.7 Configuring the SPI for an SA (for Manual Mode)

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
sa spi { inbound | outbound } { ah | esp } spi-number

The SPI of the SA is configured.

NOTE
- When setting up an SA manually, you must set both the inbound and the outbound parameters of the SA.
- SA parameters set on the two ends of a tunnel must match each other. The inbound SPI of the local end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local end must be the same as the inbound SPI of the remote end.
- The SPI, together with the destination address and the security protocol, is what the receiver uses to look up the SA, so the inbound SPI must be unique among the inbound SAs of the same protocol on this end.

----End

6.4.8 Configuring the Key for an SA (for Manual Mode)

Context
Do as follows on the ME60. The key is entered either in hexadecimal (Step 3, plus Step 5 for ESP) or as a character string (Step 4); use one form or the other.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
sa authentication-hex { inbound | outbound } { ah | esp } hex-key

The authentication key of the protocol is configured as a hexadecimal string.

Step 4 Run:
sa string-key { inbound | outbound } { ah | esp } string-key

The key of the protocol is configured as a character string. For the AH protocol, the sa string-key command derives an authentication key from the string. For the ESP protocol, this command derives both an authentication key and an encryption key from the string.

Step 5 Run:
sa encryption-hex { inbound | outbound } esp hex-key

The encryption key used by ESP is configured as a hexadecimal string.

NOTE
- SA parameters set on the two ends of a tunnel must match each other. The inbound key of the local end must be the same as the outbound key of the remote end, and the outbound key of the local end must be the same as the inbound key of the remote end.
- If both a character-string key and a hexadecimal key are configured, the one configured last is adopted.
- On both ends of a security tunnel, the key must be entered in the same format. If the key is entered as a character string on one end and in hexadecimal on the other, the security tunnel cannot be established.
- Manual keys are static and are written to the configuration file (see the configuration files in 6.8.1), so protect the configuration file accordingly and prefer IKE negotiation, which renews keys when an SA expires, wherever the peer supports it.

----End
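The matching rules of 6.4.4 and 6.4.6 to 6.4.8 are easy to get wrong when both ends are keyed by hand, and the only symptom is a tunnel that never passes traffic. The following script is an added example (not Huawei code and not part of this guide) that reads the ipsec proposal and ipsec policy ... manual stanzas of both ends in the configuration-file layout of 6.8.1 and reports every mirroring or format violation. The proposal defaults it fills in (tunnel, esp, des) are inferred from the example in 6.8.1; the ah-esp transform and the hexadecimal key lengths in the faulty sample are assumptions.

```python
"""Cross-check the two ends of a manually keyed ME60 IPSec tunnel.

Added example; not Huawei code. It reads the 'ipsec proposal' and
'ipsec policy <name> <seq> manual' stanzas in the configuration-file form
of 6.8.1 and applies the rules of 6.4.4 and 6.4.6 to 6.4.8: equal proposal
parameters, mirrored tunnel addresses, mirrored SPIs and keys per
direction, and one key format (string or hex) for the whole tunnel.
"""
import re

# Parameters the ME60 omits from the configuration file when at the default;
# tunnel/esp/des are inferred from 6.8.1 ('display ipsec proposal' shows them
# although only sha1 was configured). 'ah-esp' meaning both SAs is assumed.
PROPOSAL_DEFAULTS = {"encapsulation-mode": "tunnel", "transform": "esp",
                     "esp encryption-algorithm": "des"}
PROTOCOLS = {"ah": ("ah",), "esp": ("esp",), "ah-esp": ("ah", "esp")}


def parse_config(text):
    """Return {'proposals': {name: params}, 'policies': {(name, seq): policy}}."""
    proposals, policies, cur, kind = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            cur = None
        elif m := re.fullmatch(r"ipsec proposal (\S+)", line):
            cur, kind = proposals.setdefault(m[1], dict(PROPOSAL_DEFAULTS)), "proposal"
        elif m := re.fullmatch(r"ipsec policy (\S+) (\d+) manual", line):
            cur, kind = policies.setdefault((m[1], int(m[2])), {"spi": {}, "key": {}}), "policy"
        elif cur is None:
            pass
        elif kind == "proposal":
            param, _, value = line.rpartition(" ")
            cur[param] = value
        elif m := re.fullmatch(r"(security acl|proposal|tunnel local|tunnel remote) (\S+)", line):
            cur[m[1]] = m[2]
        elif m := re.fullmatch(r"sa spi (inbound|outbound) (ah|esp) (\d+)", line):
            cur["spi"][(m[1], m[2])] = int(m[3])
        elif m := re.fullmatch(r"sa string-key (inbound|outbound) (ah|esp) (\S+)", line):
            cur["key"][(m[1], m[2])] = {"format": "string", "key": m[3]}  # replaces a hex key
        elif m := re.fullmatch(r"sa (authentication|encryption)-hex (inbound|outbound) (ah|esp) ([0-9A-Fa-f]+)", line):
            slot = cur["key"].get((m[2], m[3]))
            if slot is None or slot["format"] != "hex":  # a hex key replaces a string key
                slot = cur["key"][(m[2], m[3])] = {"format": "hex"}
            slot[m[1]] = m[4].lower()
    return {"proposals": proposals, "policies": policies}


def check_tunnel(local, remote, lpol, rpol):
    """Return findings for the pair of policies; an empty list means they match."""
    lp, rp = local["policies"][lpol], remote["policies"][rpol]
    lprop = local["proposals"].get(lp.get("proposal"))
    rprop = remote["proposals"].get(rp.get("proposal"))
    if lprop is None or rprop is None:
        return ["a referenced IPSec proposal is not defined"]
    out = ["proposal mismatch on %s: %s vs %s" % (p, lprop.get(p), rprop.get(p))
           for p in sorted(set(lprop) | set(rprop)) if lprop.get(p) != rprop.get(p)]
    if (lp.get("tunnel local"), lp.get("tunnel remote")) != (rp.get("tunnel remote"), rp.get("tunnel local")):
        out.append("tunnel local/remote addresses are not mirrored")
    formats = set()
    for proto in PROTOCOLS.get(lprop["transform"], ()):
        for ldir, rdir in (("inbound", "outbound"), ("outbound", "inbound")):
            lspi, rspi = lp["spi"].get((ldir, proto)), rp["spi"].get((rdir, proto))
            if lspi is None or rspi is None:
                out.append("%s %s SPI missing on one end" % (proto, ldir))
            elif lspi != rspi:
                out.append("%s SPI mismatch: local %s %d vs remote %s %d" % (proto, ldir, lspi, rdir, rspi))
            lk, rk = lp["key"].get((ldir, proto)), rp["key"].get((rdir, proto))
            if lk is None or rk is None:
                out.append("%s %s key missing on one end" % (proto, ldir))
                continue
            formats.update((lk["format"], rk["format"]))
            if lk["format"] != rk["format"]:
                out.append("%s %s key: local is %s, remote is %s" % (proto, ldir, lk["format"], rk["format"]))
            elif lk != rk:
                out.append("%s %s key differs from the remote %s key" % (proto, ldir, rdir))
            elif proto == "esp" and lk["format"] == "hex" and len(lk) < 3:
                out.append("esp %s hex keying needs both authentication-hex and encryption-hex" % ldir)
    if len(formats) > 1:
        out.append("string and hex keys mixed on one tunnel; it will not come up")
    return out


def manual_end(name, local, remote, spi_in, key_in, spi_out, key_out):
    """One end's configuration text, laid out like the files in 6.8.1."""
    return "\n".join(["ipsec proposal tran1", " esp authentication-algorithm sha1", "#",
                      "ipsec policy %s 10 manual" % name, " security acl 3101", " proposal tran1",
                      " tunnel local " + local, " tunnel remote " + remote,
                      " sa spi inbound esp %d" % spi_in] + key_in +
                     [" sa spi outbound esp %d" % spi_out] + key_out + ["#"])


ME60A = parse_config(manual_end("map1", "202.38.163.1", "202.38.162.1",
                                54321, [" sa string-key inbound esp gfedcba"],
                                12345, [" sa string-key outbound esp abcdefg"]))
ME60B = parse_config(manual_end("use1", "202.38.162.1", "202.38.163.1",
                                12345, [" sa string-key inbound esp abcdefg"],
                                54321, [" sa string-key outbound esp gfedcba"]))
# Constructed faulty ME60 B: inbound SPI mistyped and the outbound key entered
# in hexadecimal (lengths illustrative) while ME60 A uses a string key.
ME60B_BAD = parse_config(manual_end("use1", "202.38.162.1", "202.38.163.1",
                                    12346, [" sa string-key inbound esp abcdefg"],
                                    54321, [" sa authentication-hex outbound esp " + "0123456789abcdef" * 2 + "01234567",
                                            " sa encryption-hex outbound esp 0123456789abcdef"]))

if __name__ == "__main__":
    print("ME60 A <-> ME60 B:", check_tunnel(ME60A, ME60B, ("map1", 10), ("use1", 10)) or "consistent")
    for finding in check_tunnel(ME60A, ME60B_BAD, ("map1", 10), ("use1", 10)):
        print("ME60 A <-> faulty ME60 B:", finding)
```

Run it against the two configuration files of 6.8.1 and it reports nothing; against the faulty variant it reports the SPI mismatch, the string-versus-hex mismatch on the inbound SA of ME60 A, and the mixed key formats on the tunnel. Feed it real configuration files by passing their text to parse_config.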

6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode)

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
ike-peer peer-name

The IKE peer referenced by the IPSec policy is configured.

NOTE
This chapter describes only how to reference an IKE peer from an IPSec policy. In practice, you must also configure the IKE parameters in the IKE peer view, such as the IKE negotiation mode, ID type, NAT traversal, pre-shared key, peer address and peer name. For more information, refer to chapter 7 "IKE Configuration."

----End

6.4.10 Configuring the PFS Feature Used in the IKE Negotiation

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
pfs { dh-group1 | dh-group2 }

The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured. With PFS, the compromise of one key does not affect the security of other keys, because the keys are not derived from one another. For details, see chapter 7 "IKE Configuration."

NOTE
- A PFS exchange is performed when IPSec uses this IPSec policy to initiate a negotiation. If the local end uses PFS, the peer must also use PFS during the negotiation, and the DH groups specified on the local end and on the peer must be the same; otherwise, the negotiation fails.
- The 1024-bit Diffie-Hellman group (dh-group2) provides higher security than the 768-bit Diffie-Hellman group (dh-group1), but needs more computation time. Both groups are small by current standards; if PFS is enabled, use dh-group2, the stronger of the two groups this release offers.
- By default, the PFS feature is disabled.

----End

6.4.11 Configuring the Global SA Duration

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec sa global-duration { traffic-based kilobytes | time-based seconds }

The global SA duration is configured.

NOTE
- Changing the global duration affects neither the IPSec policies that have their own duration nor the SAs that are already established. The changed duration is used when a new SA is set up by IKE negotiation.
- The default time-based global duration is 3600 seconds; the default traffic-based global duration is 1843200 kilobytes.

----End

6.4.12 Checking the Configuration

Run the following commands to check the previous configuration.

Action                                      Command
Check information about the IPSec policy.   display ipsec policy [ brief | name policy-name [ seq-number ] ]
Check the IPSec statistics.                 display ipsec statistics
Check information about the SA.             display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

6.5 Configuring IPSec Policies by Using the IPSec Policy Template

This section describes how to use the IPSec policy template to configure IPSec policies.

NOTE
This configuration is optional. If the IPSec policy template is not used, you can skip this section.

6.5.1 Establishing the Configuration Task
6.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View
6.5.3 Configuring the ACL Used in the IPSec Policy Template
6.5.4 Applying the IPSec Proposal to the IPSec Policy Template
6.5.5 Configuring the SA Duration
6.5.6 Configuring the IKE Peer for the IPSec Policy Template
6.5.7 Configuring the PFS Feature Used in the IKE Negotiation
6.5.8 Configuring the Global SA Duration
6.5.9 Applying the IPSec Policy Template
6.5.10 Checking the Configuration

6.5.1 Establishing the Configuration Task

Applicable Environment
Some factors in a network cannot be known in advance. For example, the IP address assigned to a dial-up mobile user is not fixed, so the endpoint addresses of the IPSec tunnel and the data flow to be protected cannot be determined beforehand. In this case, you can configure an IPSec policy template on the receiver side. The IPSec policy template specifies only some of the parameters; for the unspecified parameters, the values proposed by the initiator side are adopted.

NOTE
- The parameters that the template does specify must match those of the initiator during negotiation.
- To let the template accept negotiation requests from various peers in pre-shared key mode, you can specify a peer address range, or specify no peer address at all in the ike-peer command so that different dial-up users can connect. Such a template authenticates each peer only by the pre-shared key, and that key is then shared by every dial-up user; handle it accordingly.
- An IPSec policy is still required on the user (initiator) side. The ACL rules referenced by that IPSec policy must specify the source address range, so that the server can identify the return flow and send the encrypted response data back to the right user.

Pre-configuration Task
Before configuring IPSec policies by using the IPSec policy template, complete the following tasks:
- 6.2 Defining Data Flows to Be Protected
- 6.3 Configuring an IPSec Proposal
- Creating the IKE peer

Data Preparation
To configure IPSec policies by using the IPSec policy template, you need the following data.

No.  Data
1    Name and sequence number of the IPSec policy template
2    SA duration or global duration of an SA, time-based or traffic-based
3    Name of the IKE peer and DH group used by PFS

6.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy-template template-name seq-number

An IPSec policy template is created or modified and the IPSec policy template view is displayed.

----End

6.5.3 Configuring the ACL Used in the IPSec Policy Template

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy-template template-name seq-number

The IPSec policy template view is displayed.

Step 3 Run:
security acl acl-number

The ACL used in the IPSec policy template is configured.

----End

6.5.4 Applying the IPSec Proposal to the IPSec Policy Template

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy-template template-name seq-number

The IPSec policy template view is displayed.

Step 3 Run:
proposal proposal-name1 [ proposal-name2 ... proposal-name6 ]

The IPSec proposals are applied to the IPSec policy template.

----End

6.5.5 Configuring the SA Duration

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy-template template-name seq-number

The IPSec policy template view is displayed.

Step 3 Run:
sa duration { traffic-based kilobytes | time-based seconds }

The SA duration is configured. The notes in 6.4.5 apply here as well.

----End

6.5.6 Configuring the IKE Peer for the IPSec Policy Template

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy-template template-name seq-number

The IPSec policy template view is displayed.

Step 3 Run:
ike-peer peer-name

The IKE peer referenced by the IPSec policy template is configured.

----End

6.5.7 Configuring the PFS Feature Used in the IKE Negotiation

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy-template template-name seq-number

The IPSec policy template view is displayed.

Step 3 Run:
pfs { dh-group1 | dh-group2 }

The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured. The restrictions given in 6.4.10 apply here as well.

----End

6.5.8 Configuring the Global SA Duration

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec sa global-duration { traffic-based kilobytes | time-based seconds }

The global SA duration is configured.

----End

6.5.9 Applying the IPSec Policy Template

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number isakmp template template-name

The IPSec policy template is referenced by the IPSec policy.

NOTE
A policy created through an IPSec policy template cannot initiate the negotiation of an SA; it can only respond to a negotiation.

----End

6.5.10 Checking the Configuration

Run the following commands to check the previous configuration.

Action                                               Command
Check information about the IPSec policy template.   display ipsec policy-template [ brief | name template-name [ seq-number ] ]
Check the IPSec statistics.                          display ipsec statistics
Check information about the SA.                      display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

6.6 Applying an IPSec Policy or an IPSec Policy Group to an Interface

This section describes how to apply an IPSec policy or an IPSec policy group to an interface.
6.6.1 Establishing the Configuration Task
6.6.2 Configuring the IPSec Behavior in the Traffic Policy
6.6.3 Applying an IPSec Policy or an IPSec Policy Group to an Interface

6.6.1 Establishing the Configuration Task

Applicable Environment
To protect different flows, apply the QoS traffic policy configured with the IPSec behavior to the entire equipment or to the incoming interface of the packets, and then apply the IPSec policy or IPSec policy group to the outgoing interface. If the SA is established manually, the SA is created as soon as the IPSec policy is applied. If the SA is established through IKE negotiation, the IKE peers negotiate the SA only when a flow that matches the IPSec policy passes through the outgoing interface.

Pre-configuration Task
Before applying an IPSec policy or an IPSec policy group to an interface, complete the following tasks:
- 6.2 Defining Data Flows to Be Protected
- 6.3 Configuring an IPSec Proposal
- 6.4 Configuring an IPSec Policy

Data Preparation
To apply an IPSec policy or an IPSec policy group to an interface, you need the following data.

No.  Data
1    Name of the QoS behavior
2    Type and number of the interface
3    Name of the IPSec policy

6.6.2 Configuring the IPSec Behavior in the Traffic Policy

Context
To configure the ME60 to encrypt packets through IPSec, you need to configure a traffic policy, configure the traffic behavior in the traffic policy, and then apply the traffic policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
traffic behavior behavior-name

The behavior view is displayed.

Step 3 Run:
ipsec

The traffic behavior is set to IPSec.

NOTE
Only the configuration of the traffic behavior is described here. To configure the ME60 to encrypt user packets through IPSec, you need to configure a complete traffic policy (classifier, behavior and policy) and apply the traffic policy to the entire system or to an interface. For the configuration and application of the traffic policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

----End

6.6.3 Applying an IPSec Policy or an IPSec Policy Group to an Interface

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ipsec policy policy-name

The IPSec policy or the IPSec policy group is applied to the interface.

Only one IPSec policy group can be applied to an interface, but an IPSec policy group can be applied to multiple interfaces. A manually configured IPSec policy can be applied to only one interface.

After the IPSec policy group is applied to an interface, the ME60 matches the packets sent from this interface against the IPSec policies of the group in ascending order of sequence number, that is, the policy with the smallest sequence number is tried first. If a packet matches the ACL referenced by an IPSec policy, the ME60 processes the packet according to that IPSec policy. If a packet matches none of the ACLs referenced by the IPSec policies, the ME60 sends the packet as it is, without IPSec protection. Check the ACLs carefully: any flow they fail to cover leaves the interface in clear text without any error being reported.

NOTE
- When you change certain IPSec and IKE parameters, such as those of an IKE proposal, IKE peer or IPSec proposal, you must re-apply the IPSec policy to the corresponding interface for the changes to take effect.
- If the IPSec policies are configured manually, the IPSec configuration is complete after the preceding procedures. If the IPSec policies are configured in IKE negotiation mode, additional IKE configuration is needed. For details, see chapter 7 "IKE Configuration".

----End
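The lookup described above decides which flows are protected and, just as importantly, which ones are not. The following script is an added example (not Huawei code and not part of this guide) that models the policy-group lookup on an interface: ACL rules in the VRP wildcard-mask form of 6.8.1, policies tried in ascending order of sequence number, and a clear-text result for anything no ACL permits. It covers only the interface-side selection; whether a packet is handed to IPSec at all is decided by the traffic policy of 6.6.2. The second policy of the group and ACL 3102 are constructed for the example, and treating a deny rule as a fall-through to the next policy is an assumption of the model.

```python
"""Policy-group lookup on an interface, as described in 6.6.3.

Added example; not Huawei code. Policies of the group applied to the
interface are tried in ascending order of sequence number; the first
policy whose ACL permits the packet handles it; a packet that no ACL
permits leaves the interface in clear text. ACL rules use the VRP
wildcard-mask form of 6.8.1 (a set wildcard bit means "don't care").
"""
import ipaddress
import re

RULE = re.compile(r"rule(?: \d+)? (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acls(text):
    """Return {acl_number: [(action, src_net, src_wild, dst_net, dst_wild), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"acl number (\d+)", line):
            current = acls.setdefault(int(m[1]), [])
        elif (m := RULE.fullmatch(line)) and current is not None:
            current.append((m[1], _ip(m[2]), _ip(m[3]), _ip(m[4]), _ip(m[5])))
    return acls


def _match(ip, net, wild):
    """VRP wildcard match: only the bits that are clear in the wildcard count."""
    return (ip & ~wild) == (net & ~wild)


def acl_permits(rules, src, dst):
    """First matching rule decides; a flow that no rule matches is not selected."""
    s, d = _ip(src), _ip(dst)
    for action, snet, swild, dnet, dwild in rules:
        if _match(s, snet, swild) and _match(d, dnet, dwild):
            return action == "permit"
    return False


def select_policy(group, acls, src, dst):
    """Return the (name, seq) that protects src->dst, or None if it goes in clear.

    group: [(policy_name, seq_number, acl_number), ...] in any order. A deny
    rule (or no match) in one policy's ACL makes the lookup move on to the
    next policy; that fall-through is an assumption of this model.
    """
    for name, seq, acl in sorted(group, key=lambda p: p[1]):
        if acl_permits(acls.get(acl, []), src, dst):
            return name, seq
    return None


# Constructed configuration: the ACL of ME60 A in 6.8.1 plus a broader ACL
# referenced by a second policy of the same group.
ACL_CFG = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
acl number 3102
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
#
"""
ACLS = parse_acls(ACL_CFG)
# 'ipsec policy map1 10 ... security acl 3101' and 'ipsec policy map1 20 ...
# security acl 3102', applied with 'ipsec policy map1' on the interface.
GROUP_MAP1 = [("map1", 20, 3102), ("map1", 10, 3101)]

if __name__ == "__main__":
    for src, dst in [("10.1.1.5", "10.1.2.7"), ("10.1.1.5", "10.1.3.7"), ("10.1.1.5", "192.0.2.1")]:
        hit = select_policy(GROUP_MAP1, ACLS, src, dst)
        print(src, "->", dst, ":", "protected by %s seq %d" % hit if hit else "sent in clear text")
```

Traffic to 10.1.2.0/24 is taken by sequence number 10 even though the ACL of sequence number 20 also covers it; traffic to the rest of 10.1.0.0/16 falls through to sequence number 20; traffic to 192.0.2.1 matches nothing and is forwarded unprotected, which is the case to look for when auditing an IPSec ACL.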

6.7 Maintaining IPSec

This section provides the commands for clearing the IPSec statistics and debugging IPSec.
6.7.1 Clearing IPSec Packet Statistics
6.7.2 Debugging IPSec

6.7.1 Clearing IPSec Packet Statistics

CAUTION
IPSec statistics cannot be restored after you clear them. Clearing an SA discards the current SA: a manual SA is recreated from the configuration, whereas an IKE-negotiated SA is renegotiated only when matching traffic next triggers IKE. Confirm the action before you run the command.

To clear the IPSec statistics, run the following commands in the user view.

Action                          Command
Clear IPSec packet statistics.  reset ipsec statistics
Clear the SA.                   reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address protocol spi ]

6.7.2 Debugging IPSec

CAUTION
Debugging affects system performance. After debugging, run the undo debugging all command to disable it immediately.

When a fault occurs during the application of IPSec, run the following debugging command in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Action                   Command
Enable IPSec debugging.  debugging ipsec { all | sa | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] | misc }

6.8 Configuration Examples

This section provides a configuration example of IPSec.
6.8.1 Example for Establishing an SA Manually

6.8.1 Example for Establishing an SA Manually

Networking Requirements
As shown in Figure 6-3, a security tunnel is configured between ME60 A and ME60 B. The data flow between subnet 10.1.1.0/24, represented by PC A, and subnet 10.1.2.0/24, represented by PC B, is protected. The security protocol is ESP, the encryption algorithm is DES and the authentication algorithm is SHA-1. DES, with its 56-bit key, is kept here only because it is the algorithm of the original example; in a deployment, choose the strongest encryption algorithm both ends support.

Figure 6-3 Networking of IPSec configuration
[Figure: PC A - Access Network - ME60 A (Pos1/0/1, 202.38.163.1/24) - Internet - ME60 B (Pos2/0/1, 202.38.162.1/24) - Access Network - PC B]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure ACL rules to define the data flows to be protected.
2. Configure an IPSec proposal.
3. Configure an IPSec policy and apply the ACL and the IPSec proposal to the IPSec policy.
4. Apply the IPSec policy to the interface.
5. Configure the QoS traffic policy to encrypt user packets.

Data Preparation
To complete the configuration, you need the following data:
- Data flows to be protected (defined in the ACL)
- Security protocol, encryption algorithm, authentication algorithm and encapsulation mode
- IP addresses of the local end and the peer end of the tunnel
- Interface where IPSec is enabled

Configuration Procedure
1. Configure ACLs on ME60 A and ME60 B to define the data flows to be protected.

# Configure an ACL on ME60 A.
<ME60A> system-view
[ME60A] acl number 3101
[ME60A-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[ME60A-acl-adv-3101] quit

# Configure an ACL on ME60 B.
<ME60B> system-view
[ME60B] acl number 3101
[ME60B-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[ME60B-acl-adv-3101] quit

2. On ME60 A and ME60 B, configure static routes to the peer subnet.

# Configure a static route from ME60 A to ME60 B.
[ME60A] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1

# Configure a static route from ME60 B to ME60 A.
[ME60B] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1

Run the ping command on PC A to ping PC B. The ping succeeds; at this point the traffic is still sent in clear text.

3. Create IPSec proposals on ME60 A and ME60 B.

# Create an IPSec proposal on ME60 A.
[ME60A] ipsec proposal tran1
[ME60A-ipsec-proposal-tran1] encapsulation-mode tunnel
[ME60A-ipsec-proposal-tran1] transform esp
[ME60A-ipsec-proposal-tran1] esp encryption-algorithm des
[ME60A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[ME60A-ipsec-proposal-tran1] quit

# Create an IPSec proposal on ME60 B.
[ME60B] ipsec proposal tran1
[ME60B-ipsec-proposal-tran1] encapsulation-mode tunnel
[ME60B-ipsec-proposal-tran1] transform esp
[ME60B-ipsec-proposal-tran1] esp encryption-algorithm des
[ME60B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[ME60B-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec proposal
IPsec proposal name: tran1
  encapsulation mode: tunnel
  transform: esp-new
  ESP protocol: authentication sha1-hmac-96, encryption des
4. Create IPSec policies on ME60 A and ME60 B.

# Create an IPSec policy on ME60 A.
[ME60A] ipsec policy map1 10 manual
[ME60A-ipsec-policy-manual-map1-10] security acl 3101
[ME60A-ipsec-policy-manual-map1-10] proposal tran1
[ME60A-ipsec-policy-manual-map1-10] tunnel local 202.38.163.1
[ME60A-ipsec-policy-manual-map1-10] tunnel remote 202.38.162.1
[ME60A-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[ME60A-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[ME60A-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg
[ME60A-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba
[ME60A-ipsec-policy-manual-map1-10] quit

# Create an IPSec policy on ME60 B. The SPIs and keys mirror those of ME60 A: the outbound values of one end are the inbound values of the other.
[ME60B] ipsec policy use1 10 manual
[ME60B-ipsec-policy-manual-use1-10] security acl 3101
[ME60B-ipsec-policy-manual-use1-10] proposal tran1
[ME60B-ipsec-policy-manual-use1-10] tunnel local 202.38.162.1
[ME60B-ipsec-policy-manual-use1-10] tunnel remote 202.38.163.1
[ME60B-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[ME60B-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[ME60B-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
[ME60B-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
[ME60B-ipsec-policy-manual-use1-10] quit

Run the display ipsec policy command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================

-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
  security data flow : 3101
  tunnel local address: 202.38.163.1
  tunnel remote address: 202.38.162.1
  proposal name:tran1
  inbound AH setting:
    AH spi:
    AH string-key:
    AH authentication hex key:
  inbound ESP setting:
    ESP spi: 54321 (0xd431)
    ESP string-key: gfedcba
    ESP encryption hex key:
    ESP authentication hex key:
  outbound AH setting:
    AH spi:
    AH string-key:
    AH authentication hex key:
  outbound ESP setting:
    ESP spi: 12345 (0x3039)
    ESP string-key: abcdefg
    ESP encryption hex key:
    ESP authentication hex key:

Note that the command shows the string keys in clear text, so restrict who may run it.

5. Apply the IPSec policies to the interfaces of ME60 A and ME60 B.

# Apply the IPSec policy to the interface of ME60 A.
[ME60A] interface pos1/0/1
[ME60A-Pos1/0/1] ip address 202.38.163.1 255.255.255.0
[ME60A-Pos1/0/1] ipsec policy map1
[ME60A-Pos1/0/1] undo shutdown
[ME60A-Pos1/0/1] quit

# Apply the IPSec policy to the interface of ME60 B.
[ME60B] interface pos2/0/1
[ME60B-Pos2/0/1] ip address 202.38.162.1 255.255.255.0
[ME60B-Pos2/0/1] ipsec policy use1
[ME60B-Pos2/0/1] undo shutdown
[ME60B-Pos2/0/1] quit

Run the display ipsec sa command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec sa
===============================
Interface: pos1/0/1
  path MTU: 1500
===============================

-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
  encapsulation mode: tunnel
  tunnel local : 202.38.163.1
  tunnel remote: 202.38.162.1

  [inbound ESP SAs]
    spi: 54321 (0xd431)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
    No duration limit for this sa

  [outbound ESP SAs]
    spi: 12345 (0x3039)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
    No duration limit for this sa

6. Configure the QoS traffic policy on ME60 A and ME60 B so that the ME60s encrypt user packets.

NOTE
For the configuration of the QoS policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

# Configure the QoS policy on ME60 A.
[ME60A] traffic classifier ipsec-using
[ME60A-classifier-ipsec-using] if-match acl 3101
[ME60A-classifier-ipsec-using] quit
[ME60A] traffic behavior ipsec-using
[ME60A-behavior-ipsec-using] ipsec
[ME60A-behavior-ipsec-using] quit
[ME60A] traffic policy ipsec-using
[ME60A-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60A-trafficpolicy-ipsec-using] quit

# Configure the QoS policy on ME60 B.
[ME60B] traffic classifier ipsec-using
[ME60B-classifier-ipsec-using] if-match acl 3101
[ME60B-classifier-ipsec-using] quit
[ME60B] traffic behavior ipsec-using
[ME60B-behavior-ipsec-using] ipsec
[ME60B-behavior-ipsec-using] quit
[ME60B] traffic policy ipsec-using
[ME60B-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60B-trafficpolicy-ipsec-using] quit

# Apply the QoS policy to ME60 A globally.
[ME60A] traffic-policy ipsec-using inbound
[ME60A] traffic-policy ipsec-using outbound

# Apply the QoS policy to ME60 B globally.
[ME60B] traffic-policy ipsec-using inbound
[ME60B] traffic-policy ipsec-using outbound

7. Verify the configuration.
After the configuration is complete, PC A can still ping PC B, and the data transmitted between them is now encrypted. To confirm this, run the display ipsec statistics command on either ME60 (see 6.4.12) and check that the IPSec packet counters increase while the ping is running.

Configuration Files
The following are the configuration files of the ME60s.

- Configuration file of ME60 A
#
 sysname ME60A
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.163.1
 tunnel remote 202.38.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos1/0/1
 undo shutdown
 ip address 202.38.163.1 255.255.255.0
 ipsec policy map1
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
#
return

- Configuration file of ME60 B
#
 sysname ME60B
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.162.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos2/0/1
 undo shutdown
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
#
return

7 IKE Configuration

About This Chapter
This chapter describes the fundamentals, implementation, and configuration of IKE.

7.1 Introduction
This section describes the concept and fundamentals of IKE.
7.2 Setting the Local ID Used in IKE Negotiation
This section describes how to set the local ID used in IKE negotiation.
7.3 Configuring an IKE Security Proposal
This section describes how to configure an IKE security proposal.
7.4 Configuring Attributes of the IKE Peer
This section describes how to configure the attributes of the IKE peer.
7.5 Tuning the IKE Configuration
This section describes how to fine-tune the configuration of IKE.
7.6 Maintaining IKE
This section provides the commands for displaying and clearing the IKE information and debugging IKE.
7.7 Configuration Examples
This section provides a configuration example of IKE.

7.1 Introduction
This section describes the concept and fundamentals of IKE.
7.1.1 Overview of IKE
7.1.2 NAT Traversal in IPSec
7.1.3 IKE Features of the ME60

7.1.1 Overview of IKE


IKE Protocol
IPSec security association (SA) can be set up manually. If the number of nodes on the network increases, it is difficult to perform manual configuration and ensure network security. In such cases, you can use the Internet Key Exchange (IKE) protocol to automatically set up an SA and perform key exchange. IKE is based on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP). It simplifies the use and management of IPSec by automatically negotiating the key exchange and setting up SA for IPSec. IKE has a self-protection mechanism to safely distribute keys, authenticate IDs, and establish IPSec SAs even on insecure networks.

Security Mechanism of IKE

- Diffie-Hellman (DH) exchange and shared key distribution
  The DH algorithm is a public key algorithm. The two communicating parties can calculate the same shared key by exchanging data, without ever transmitting the shared key itself. Encryption requires that both parties hold a shared key. The merit of IKE is that it never transmits the shared key directly over an insecure network; instead, both parties calculate the shared key from a series of exchanged data. Even if a third party (a hacker, for example) captures all the exchanged data used to calculate the shared key, it cannot work out the real shared key.
- PFS
  With Perfect Forward Secrecy (PFS), the disclosure of one key has no impact on the security of other keys, because the keys are not derived from one another. PFS is implemented by performing an additional key exchange during IKE phase 2 negotiation, and is ensured by the DH algorithm.
- Identity authentication
  Identity authentication is the process by which both communicating parties verify each other's identity. In the pre-shared key authentication method, an authenticator is used to generate a shared key; different authenticators cannot generate the same shared key between the two parties. The authenticator is, therefore, the key element in authenticating both parties.
- Identity protection
  Once the shared key is generated, identity data is sent encrypted, thus protecting the identity data.
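The three mechanisms above worked through in code: the following Python is an added example, not ME60 code. It implements the IKEv1 phase 1 key derivation for pre-shared-key authentication as RFC 2409 specifies it, over the 768-bit MODP group the ME60 calls group1, with MD5 or SHA-1 as the prf hash. The pre-shared keys, nonces and cookies are constructed; the two peers derive the same key material from public values only, and a mismatched pre-shared key yields different key material, which is how authentication fails.

```python
import hashlib
import hmac
import secrets

# RFC 2409 section 6.1, First Oakley Group (768-bit MODP): what the ME60 calls "dh group1".
GROUP1_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
# The ME60's "authentication-algorithm { md5 | sha }" selects the hash behind the prf.
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23)):
    """Miller-Rabin with fixed bases: a sanity check for any hard-coded group prime."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p=GROUP1_PRIME, g=GENERATOR):
    """Return (private exponent x, public value g^x mod p); only g^x goes on the wire."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(peer_public, own_private, p=GROUP1_PRIME):
    """g^xy mod p as a fixed-width byte string; degenerate public values are rejected."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, own_private, p).to_bytes((p.bit_length() + 7) // 8, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r, hash_alg="sha"):
    """SKEYID and derived keys for pre-shared-key authentication (RFC 2409 section 5).

    prf is HMAC with the negotiated hash and "|" is concatenation:
      SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
      SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
      SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
      SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
    """
    def prf(key, data):
        return hmac.new(key, data, HASHES[hash_alg]).digest()

    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def negotiate(psk_initiator, psk_responder, hash_alg="sha"):
    """Simulate phase 1; returns (initiator keys, responder keys, wire). `wire` is all a
    passive observer sees: neither private exponent nor either PSK is in it."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    wire = {"g^xi": gxi, "g^xr": gxr,
            "Ni": secrets.token_bytes(16), "Nr": secrets.token_bytes(16),
            "CKY-I": secrets.token_bytes(8), "CKY-R": secrets.token_bytes(8)}
    gxy_i = dh_shared(gxr, xi)   # initiator: responder's public value, own exponent
    gxy_r = dh_shared(gxi, xr)   # responder: the same secret from the other side
    ki = phase1_keys(psk_initiator, wire["Ni"], wire["Nr"], gxy_i,
                     wire["CKY-I"], wire["CKY-R"], hash_alg)
    kr = phase1_keys(psk_responder, wire["Ni"], wire["Nr"], gxy_r,
                     wire["CKY-I"], wire["CKY-R"], hash_alg)
    return ki, kr, wire


def keys_match(psk_initiator, psk_responder, hash_alg="sha"):
    """True only when both peers hold the same PSK and so derive the same SKEYID_e."""
    ki, kr, _ = negotiate(psk_initiator, psk_responder, hash_alg)
    return hmac.compare_digest(ki["SKEYID_e"], kr["SKEYID_e"])


if __name__ == "__main__":
    # Constructed PSKs; "huawei" is the value used in this chapter's sample configuration.
    print("same PSK on both peers:", keys_match(b"huawei", b"huawei"))   # True
    print("mismatched PSKs:", keys_match(b"huawei", b"Huawei"))          # False
```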

IKE Exchange Phases

IKE undergoes the following two phases to implement IPSec shared key negotiation and SA setup:
1. The parties in communication establish a channel that provides identity authentication and security protection. An ISAKMP security association (ISAKMP SA or IKE SA) is established through the exchange in this phase.
2. The IKE SA established in phase 1 protects the IPSec negotiation, that is, the parties negotiate a specific SA for IPSec and establish an IPSec SA. The IPSec SA is used for secure transmission of the final IP data.

The process of setting up an SA is as follows.

Figure 7-1 Process of setting up an SA (between Router A and Router B)
Step 1: Matched data streams are forwarded over the interface applying IPSec, which triggers the SA in phase 1 of IKE negotiation.
Step 2: The IPSec SA is negotiated in phase 2 of IKE negotiation under the protection of the phase 1 SA.
Steps 3 and 4: The two routers communicate under the protection of the phase 2 SA.

If an interface is enabled with IPSec, packets sent from this interface are matched against IPSec policies.
1. If a packet matches an IPSec policy, the corresponding SA is searched for.
2. If the SA has not been set up, IKE is triggered to negotiate an SA in phase 1, that is, the IKE SA.
3. Under the protection of the IKE SA, IKE continues to negotiate the SA in phase 2, that is, the IPSec SA. The IPSec SA is used to protect the data in communication.

IKE Negotiation Modes

As defined in RFC 2409 (The Internet Key Exchange), phase 1 of IKE can use either of two negotiation modes: the main mode and the aggressive mode.
- In the main mode, the key exchange information is separated from the identity and authentication information so that the identity information is protected. The generated DH shared key protects the exchanged identity information; however, the process takes three extra messages to complete.
- In the aggressive mode, the payloads associated with the SA, key exchange, and authentication are carried in a single message, which reduces the number of message round trips but cannot provide identity protection.

Despite its limitations, the aggressive mode meets the demands of specific networking environments. For example, in remote access, the responder (the server) cannot predict the address of the initiator (the terminal user), or the address of the initiator is always changing, and both parties wish to create an IKE SA through pre-shared key authentication. In this case, the aggressive mode, without identity protection, is the only available exchange method. In addition, if the initiator already knows the responder's policy or has a comprehensive understanding of it, the aggressive mode can create the IKE SA faster.

7.1.2 NAT Traversal in IPSec

NAT Traversal
One of the main applications of IPSec is to create VPNs. In actual networking, if the initiator resides on a private network and intends to create an IPSec tunnel directly with the remote responder, the initiator requires both IPSec and NAT. The main problems are that IKE has to discover, during negotiation, where a NAT gateway between the two endpoints is, and that IKE has to make ESP packets traverse the NAT gateway normally.

In the first step, the two ends between which the IPSec tunnel is created negotiate the NAT traversal capability. This is done in the first two messages of IKE negotiation by identifying a set of data carried in the vendor ID payload. The definition of the payload data varies according to the adopted draft version.

The NAT gateway discovery is implemented through the NAT-D payload. The payload is used to discover the NAT gateway between IKE peers and also to determine on which side of the peers the NAT device resides. As the initiator, the peer on the NAT side needs to send NAT keepalive packets periodically so that the NAT gateway keeps the security tunnel in the active state.

NAT Traversal in IPSec

NAT traversal in IPSec adds a standard UDP header between the IP and ESP headers of the original packet (AH mode is not considered here). When an ESP packet traverses the NAT gateway, NAT translates the address and port number in the outer IP header of the packet and in the added UDP header. When the translated packet reaches the remote end of the IPSec tunnel, it is processed in the same way as ordinary IPSec traffic. A UDP header, however, also needs to be added between the IP and ESP headers when the response packet is sent.
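The encapsulation just described, as an added example rather than anything from the ME60: constructed IPv4, UDP and ESP headers built in Python, a NAT step that rewrites only the outer IP address and UDP port, and the receiver's decapsulation, which shows that the ESP header and payload survive translation untouched. The UDP port 4500 and the four-zero-byte non-ESP marker that separates IKE from ESP on that port come from RFC 3948, not from this guide; all addresses and payloads are constructed.

```python
import socket
import struct

UDP_PROTO, ESP_PROTO = 17, 50
NAT_T_PORT = 4500   # UDP port IKE and ESP move to once NAT traversal is negotiated (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE on 4500; an ESP SPI is never 0, so the two differ


def ip_checksum(hdr):
    """RFC 791 one's-complement sum over a header whose checksum field is zero."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0x1234):
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def esp_packet(spi, seq, ciphertext):
    """ESP header (SPI, sequence number) followed by the already-protected payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def plain_esp(src, dst, esp):
    """Without NAT-T: IP | ESP. A NAT has no port field to translate in this layout."""
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def udp_encapsulate(src, dst, esp):
    """With NAT-T: IP | UDP | ESP, the layout described in 7.1.2."""
    # RFC 3948: the UDP checksum is sent as zero and receivers must not depend on it.
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0)
    return ipv4_header(src, dst, UDP_PROTO, 8 + len(esp)) + udp + esp


def nat_translate(pkt, new_src, new_sport):
    """What the NAT gateway does: rewrite the outer source IP and UDP source port,
    recompute the IP header checksum, and leave the ESP bytes alone."""
    ip, udp, esp = bytearray(pkt[:20]), bytearray(pkt[20:28]), pkt[28:]
    ip[12:16] = socket.inet_aton(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    udp[0:2] = struct.pack("!H", new_sport)
    return bytes(ip) + bytes(udp) + esp


def udp_decapsulate(pkt):
    """Receiver side: verify the outer IP header, strip IP and UDP, then tell IKE from ESP."""
    ip = pkt[:20]
    if ip[0] >> 4 != 4 or ip[9] != UDP_PROTO:
        raise ValueError("not an IPv4/UDP packet")
    if ip_checksum(ip[:10] + b"\x00\x00" + ip[12:]) != struct.unpack("!H", ip[10:12])[0]:
        raise ValueError("bad IP header checksum")
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[20:28])
    if dport != NAT_T_PORT:
        raise ValueError("not NAT-T traffic")
    body = pkt[28:20 + ulen]
    if body[:4] == NON_ESP_MARKER:
        return ("ike", body[4:])
    spi, seq = struct.unpack("!II", body[:8])
    return ("esp", spi, seq, body[8:])


def demo():
    """Constructed flow: a host behind a NAT sends ESP over UDP, the NAT rewrites the
    outer headers, the remote tunnel end decapsulates. Returns (parsed, esp_intact)."""
    esp = esp_packet(0x10000001, 1, b"<constructed ESP ciphertext+ICV>")
    inside = udp_encapsulate("192.168.1.10", "203.0.113.20", esp)   # constructed private side
    outside = nat_translate(inside, "203.0.113.5", 40001)            # constructed NAT public side
    return udp_decapsulate(outside), outside[28:] == esp
```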

7.1.3 IKE Features of the ME60

The ME60 supports the main mode and the aggressive mode of IKE and implements them based on RFC 2408 and RFC 2409; therefore, the ME60 can work with the equipment of other major vendors.

To implement the NAT traversal of IPSec on the ME60, you must use the aggressive mode during the first phase of the IKE negotiation, and the peer ID type must be the peer name. In addition, you must adopt ESP and encapsulate packets in tunnel mode when configuring the IPSec proposal.

On the ME60, do as follows to implement IKE:
1. Set the local ID used in the IKE negotiation.
2. Set attributes for the IKE peer, including the IKE negotiation mode, pre-shared key value, peer address or peer ID, and NAT traversal, to ensure the correctness of the IKE negotiation.
3. Create an IKE proposal to determine the algorithm strength during the IKE exchange, that is, the strength of security protection (including the identity authentication method, encryption algorithm, authentication algorithm, and DH group). Protected data is harder to decrypt if the algorithm has a higher strength; however, more computing resources are consumed. The longer the shared key, the higher the algorithm strength.
4. Apart from these basic procedures, IKE also has a keepalive mechanism to determine whether the peer can communicate normally. You can, therefore, also configure the interval and timeout of the keepalive packets. When the NAT traversal of IPSec is configured, you can also configure the interval for sending NAT update packets.

NOTE
After the preceding configuration is complete, you need to reference the IKE peer in the IPSec policy view to complete the IPSec configuration through auto-negotiation. For more information on IPSec adopting the IKE peer, see chapter 6 "IKE Configuration."

7.2 Setting the Local ID Used in IKE Negotiation

This section describes how to set the local ID used in IKE negotiation.
7.2.1 Establishing the Configuration Task
7.2.2 Setting the Local ID Used in IKE Negotiation

7.2.1 Establishing the Configuration Task

Applicable Environment
The local router ID needs to be configured in the IKE negotiation when the aggressive mode is adopted. It is not necessary when the main mode is adopted.

Pre-configuration Task
None.

Data Preparation
To configure the local ID used in IKE negotiation, you need the following data.
No.  Data
1    ID of the local router

7.2.2 Setting the Local ID Used in IKE Negotiation

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike local-name router-name

The local ID used in the IKE negotiation is specified.

----End

7.3 Configuring an IKE Security Proposal

This section describes how to configure an IKE security proposal.
7.3.1 Establishing the Configuration Task
7.3.2 Creating the IKE Security Proposal and Entering the IKE Security Proposal View
7.3.3 Specifying an Encryption Algorithm
7.3.4 Specifying an Authentication Method
7.3.5 Configuring the Authentication Algorithm
7.3.6 Specifying a DH Group
7.3.7 Configuring the Duration of ISAKMP SA
7.3.8 Checking the Configuration

7.3.1 Establishing the Configuration Task

Applicable Environment
An IKE security proposal needs to be configured for the IKE negotiation. The IKE security proposal is used to establish a security channel. Users can create multiple IKE security proposals with different priorities, but the two parties in the negotiation must have at least one matching IKE security proposal to ensure successful negotiation.

Pre-configuration Task
None.

Data Preparation
To configure an IKE security proposal, you need the following data.
No.  Data
1    Priority of the IKE security proposal
2    Encryption algorithm, DES or 3DES
3    Authentication algorithm, MD5 or SHA
4    DH group ID, selected from group 1 (768 bits) or group 2 (1024 bits)
5    Duration of the ISAKMP SA (ranging from 60 seconds to 604800 seconds)

7.3.2 Creating the IKE Security Proposal and Entering the IKE Security Proposal View

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

An IKE security proposal is created and the IKE security proposal view is displayed.
- Multiple IKE proposals can be created for each party of the IKE negotiation. During the negotiation, the proposal of the highest priority owned by both parties is matched first. The matching rule is that both parties in the negotiation must have the same encryption algorithm, authentication algorithm, authentication method, and DH group ID.
- The system provides a default IKE proposal named default, which has the lowest priority. By default, the authentication algorithm is SHA1, the authentication method is pre-shared key, the encryption algorithm is DES-CBC, the DH group ID is MODP_768, and the SA duration is 86400 seconds.

----End

7.3.3 Specifying an Encryption Algorithm

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

The IKE security proposal view is displayed.

Step 3 Run:
encryption-algorithm { des-cbc | 3des-cbc }

The encryption algorithm is specified. Currently, the available algorithms are DES and 3DES in CBC mode. By default, the IKE proposal adopts the DES encryption algorithm in CBC mode.

----End

7.3.4 Specifying an Authentication Method

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

The IKE security proposal view is displayed.

Step 3 Run:
authentication-method pre-share

The authentication method is specified. The ME60 can use only pre-shared key authentication. By default, the IKE proposal uses pre-shared key authentication.

----End

7.3.5 Configuring the Authentication Algorithm

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

The IKE security proposal view is displayed.

Step 3 Run:
authentication-algorithm { md5 | sha }

The authentication algorithm is specified. By default, the SHA-1 authentication algorithm is adopted.

----End

7.3.6 Specifying a DH Group

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

The IKE security proposal view is displayed.

Step 3 Run:
dh { group1 | group2 }

The DH group is specified. By default, the 768-bit DH group (group1) is used.

----End

7.3.7 Configuring the Duration of ISAKMP SA

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

The IKE security proposal view is displayed.

Step 3 Run:
sa duration seconds

The duration of the ISAKMP SA is configured.
- When the duration expires, the ISAKMP SA is updated automatically. The duration can be set to a value ranging from 60 to 604800, in seconds. DH calculation is performed during IKE negotiation, so re-negotiation takes a relatively long time. To avoid impacts on secure communication caused by the update of the ISAKMP SA, set the duration to a value larger than 10 minutes.
- A new SA is negotiated before the old one expires. The old SA remains in use until the new SA is set up. The new SA takes effect as soon as it is established, and the old one is automatically deleted after its duration expires.
- By default, the duration of the ISAKMP SA is 86400 seconds (one day).

----End

7.3.8 Checking the Configuration

Run the following command to check the previous configuration.
Action                                  Command
Check the parameters of IKE proposals.  display ike proposal

7.4 Configuring Attributes of the IKE Peer

This section describes how to configure the attributes of the IKE peer.
7.4.1 Establishing the Configuration Task
7.4.2 Creating an IKE Peer and Entering the IKE Peer View
7.4.3 Configuring the IKE Negotiation Mode
7.4.4 Configuring the IKE Security Proposal
7.4.5 Configuring the Local ID Type
7.4.6 Configuring NAT Traversal in IPSec
7.4.7 Configuring the Identity Authenticator
7.4.8 Configuring the Peer IP Address or Address Segment
7.4.9 Configuring the Peer Name
7.4.10 Checking the Configuration

7.4.1 Establishing the Configuration Task

Applicable Environment
The attributes of the IKE peer must be configured before the IKE negotiation.

Pre-configuration Task
Before configuring the attributes of the IKE peer, complete the following tasks:
- Configuring the IKE security proposal
- Configuring the local ID used in the IKE negotiation when the aggressive mode is adopted

Data Preparation
To configure the attributes of the IKE peer, you need the following data.
No.  Data
1    Name of the IKE peer
2    IKE negotiation mode
3    Number of the IKE proposal, ranging from 1 to 100
4    Type of the local ID: IP address or name of the local router
5    Whether NAT traversal is required for IPSec
6    Authenticator (a string of 1 to 127 characters)
7    IP address of the peer, in dotted decimal notation
8    Name of the peer (a string of 1 to 15 characters)

7.4.2 Creating an IKE Peer and Entering the IKE Peer View

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

An IKE peer is created and the IKE peer view is displayed.

----End

7.4.3 Configuring the IKE Negotiation Mode

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
exchange-mode { main | aggressive }

The IKE negotiation mode is specified. By default, the main mode is used in the IKE negotiation.

----End

7.4.4 Configuring the IKE Security Proposal

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
ike-proposal proposal-number

The IKE proposal is configured. In the aggressive mode, by default, the first configured IKE proposal is used in the negotiation; in the main mode, all the IKE proposals are used in the negotiation.

----End

7.4.5 Configuring the Local ID Type

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
local-id-type { ip | name }

The type of the local ID is configured. The IP address or the name of the local router can be used as the ID in the IKE negotiation. By default, the IP address is used as the local ID. In the aggressive mode, the name is used as the local ID. In the main mode, the local ID does not need to be configured, but the name cannot be used as the local ID.

----End

7.4.6 Configuring NAT Traversal in IPSec

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
nat traversal

NAT traversal is enabled for IPSec. By default, NAT traversal is disabled.

----End

7.4.7 Configuring the Identity Authenticator

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
pre-shared-key key

The identity authenticator is configured. If pre-shared key authentication is selected, a pre-shared key needs to be configured for each peer. The same pre-shared key must be configured on the two peers that set up a security connection.

----End

7.4.8 Configuring the Peer IP Address or Address Segment

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
remote-address low-ip-address [ high-ip-address ]

The IP address or the address segment of the peer is configured.

NOTE
When an address segment is configured, only the IPSec policy template can adopt this IKE peer.

----End

7.4.9 Configuring the Peer Name

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
remote-name name

The name of the peer is configured.

----End

7.4.10 Checking the Configuration

Run the following command to check the previous configuration.
Action                                   Command
Check the configuration of the IKE peer.  display ike peer [ name peer-name ]

7.5 Tuning the IKE Configuration

This section describes how to fine-tune the configuration of IKE.
7.5.1 Establishing the Configuration Task
7.5.2 Setting the Interval of Keepalive Packets
7.5.3 Setting the Timeout Time of Keepalive Packets
7.5.4 Setting the Interval of NAT Update Packets

7.5.1 Establishing the Configuration Task

Applicable Environment
IKE maintains the ISAKMP SA link state by sending keepalive packets at a certain interval. If you set the timeout time of keepalive packets on the peer, you must set the interval of keepalive packets on the local end. If the peer does not receive a keepalive packet within the timeout time, an ISAKMP SA that already carries a timeout tag is deleted along with its corresponding IPSec SA; an ISAKMP SA that does not yet carry a timeout tag is marked as timed out. The timeout time, therefore, must be longer than the interval of keepalive packets.

You also need to set the interval for sending NAT update packets from an ISAKMP SA. As the initiator, the peer on the NAT side needs to send NAT keepalive packets periodically to ensure that the security tunnel stays in the active state.

CAUTION
- The interval of keepalive packets and the timeout time of keepalive packets must be set on the ME60 at the same time.
- The interval and timeout must match on the two ends. That is, if you set the timeout time of keepalive packets on one ME60, you must set the interval of keepalive packets on the peer ME60.
- The interval of keepalive packets on one end must be shorter than the timeout time set on the peer.

Pre-configuration Task
Before tuning the IKE configuration, complete the following tasks:
- Setting the local ID used in IKE negotiation
- Configuring the IKE security proposal
- Configuring attributes of the IKE peer

Data Preparation
To tune the IKE configuration, you need the following data.
No.  Data
1    Interval of keepalive packets
2    Timeout time of keepalive packets
3    Interval of NAT update packets

7.5.2 Setting the Interval of Keepalive Packets

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike sa keepalive-timer interval seconds

The interval for sending keepalive packets from the ISAKMP SA is set. By default, this function is disabled.

----End

7.5.3 Setting the Timeout Time of Keepalive Packets

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike sa keepalive-timer timeout seconds

The timeout time of the keepalive packet is configured.
- On a network, packet loss rarely occurs more than three times in a row, so the timeout time can be set to three times the interval of keepalive packets on the peer.
- By default, this function is disabled.

----End

7.5.4 Setting the Interval of NAT Update Packets

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike sa nat-keepalive-timer interval seconds

The interval for sending NAT update packets from the ISAKMP SA is set. By default, the ISAKMP SA sends NAT update packets every 20 seconds when NAT traversal is enabled.

----End

7.6 Maintaining IKE

This section provides the commands for displaying and clearing the IKE information and debugging IKE.
7.6.1 Displaying the IKE Configuration
7.6.2 Clearing the Security Tunnel
7.6.3 Debugging IKE

7.6.1 Displaying the IKE Configuration

To check the configuration of IKE, run the following command in any view.
Action                                                       Command
Display information about the established security channel.  display ike sa

7.6.2 Clearing the Security Tunnel

CAUTION
Clearing the security channel allows data to be transmitted without protection. Confirm the action before you run the command.

To clear the established security tunnel, run the following command in the user view.
Action                                   Command
Clear the established security channel.  reset ike sa [ connection-id ]

To delete a specified security channel, you need to specify the connection-id of the SA. Run the display ike sa command to view the connection-id of the current SA. Information about the same security channel (namely, with the same peer) consists of information generated in phase 1 and phase 2. After the local SA is deleted, if the ISAKMP SA of phase 1 still exists, the local end sends a deletion message to the peer under the protection of the ISAKMP SA so that the peer can clear its SA database. If connection-id is not specified, all SAs of phase 1 are deleted.

NOTE
A security channel is completely different from a security association. A security channel is a channel whose two ends can interoperate with each other. An SA is a unidirectional connection.

7.6.3 Debugging IKE

CAUTION
Debugging affects system performance. After debugging, run the undo debugging all command to disable it immediately.

When a fault occurs during the application of IKE, run the following debugging command in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
Action                    Command
Enable debugging of IKE.  debugging ike { all | error | exchange | message | misc | transport }

7.7 Configuration Examples

This section provides a configuration example of IKE.
7.7.1 Example for Establishing an SA Through IKE Negotiation

7.7.1 Example for Establishing an SA Through IKE Negotiation

Networking Requirements
As shown in Figure 7-2, a security tunnel is configured between ME60 A and ME60 B. Data flows transmitted between subnet 10.1.1.x (represented by PC A) and subnet 10.1.2.x (represented by PC B) are protected. The security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is SHA-1.

Figure 7-2 Networking of IKE configuration
PC A -- Access Network -- ME60A (Pos1/0/1, 202.38.163.1/24) -- Internet -- ME60B (Pos2/0/1, 202.38.162.1/24) -- Access Network -- PC B

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the local host ID, IKE proposal, and IKE peer.
2. Configure ACL rules to specify the data flow to be protected.
3. Configure an IPSec proposal.
4. Configure an IPSec policy and apply the ACL and the IPSec proposal to the IPSec policy.
5. Apply the IPSec policy to the interface.
6. Configure the QoS traffic policy to encrypt user packets.

Data Preparation
To complete the configuration, you need the following data:
- ID of the local device
- Encryption algorithm and authentication algorithm used in IKE negotiation
- IP address and name of the peer device
- Interface where IPSec is enabled

Configuration Procedure
1. Configure the local host ID, IKE proposal, and IKE peer on ME60 A and ME60 B.
# Configure the local ID used by ME60 A in IKE negotiation.
<ME60A> system-view
[ME60A] ike local-name huawei01

# Configure the IKE proposal of ME60 A.
[ME60A] ike proposal 1
[ME60A-ike-proposal-1] encryption-algorithm 3des-cbc
[ME60A-ike-proposal-1] dh group1
[ME60A-ike-proposal-1] sa duration 43200
[ME60A-ike-proposal-1] quit

# Configure the IKE peer of ME60 A.
[ME60A] ike peer ME60B
[ME60A-ike-peer-ME60B] exchange-mode aggressive
[ME60A-ike-peer-ME60B] ike-proposal 1
[ME60A-ike-peer-ME60B] local-id-type name
[ME60A-ike-peer-ME60B] pre-shared-key huawei
[ME60A-ike-peer-ME60B] remote-name huawei02
[ME60A-ike-peer-ME60B] remote-address 202.38.162.1
[ME60A-ike-peer-ME60B] quit

NOTE
In the aggressive mode, you need to configure remote-address on the negotiation initiator.

# Configure the local ID used by ME60 B in IKE negotiation.
<ME60B> system-view
[ME60B] ike local-name huawei02

# Configure the IKE proposal of ME60 B.
[ME60B] ike proposal 1
[ME60B-ike-proposal-1] encryption-algorithm 3des-cbc
[ME60B-ike-proposal-1] dh group1
[ME60B-ike-proposal-1] sa duration 43200
[ME60B-ike-proposal-1] quit

# Configure the IKE peer of ME60 B.
[ME60B] ike peer ME60A
[ME60B-ike-peer-ME60A] exchange-mode aggressive
[ME60B-ike-peer-ME60A] ike-proposal 1
[ME60B-ike-peer-ME60A] local-id-type name
[ME60B-ike-peer-ME60A] pre-shared-key huawei
[ME60B-ike-peer-ME60A] remote-name huawei01
[ME60B-ike-peer-ME60A] remote-address 202.38.163.1
[ME60B-ike-peer-ME60A] quit

Run the display ike peer command on ME60 A and ME60 B to display the configuration. Take ME60 A as an example.
[ME60A] display ike peer
---------------------------
IKE Peer: ME60b
exchange mode: aggressive on phase 1
pre-shared-key: huawei
proposal: 1
local id type: name
peer ip address: 202.38.162.1
peer name: huawei02
nat traversal: disable
---------------------------

2. Configure ACLs on ME60 A and ME60 B to define the data flows to be protected.
# Configure an ACL on ME60 A.
[ME60A] acl number 3101
[ME60A-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[ME60A-acl-adv-3101] quit

# Configure an ACL on ME60 B.
[ME60B] acl number 3101
[ME60B-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[ME60B-acl-adv-3101] quit

3. On ME60 A and ME60 B, configure static routes to the peer.
# Configure a static route from ME60 A to ME60 B.
[ME60A] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1

# Configure a static route from ME60 B to ME60 A.
[ME60B] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1

4.
Issue 05 (2010-09-25)

Create IPSec proposals on ME60 A and ME60 B.


Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 7-21

7 IKE Configuration

Quidway ME60 Multiservice Control Gateway Configuration Guide - Security

# Create an IPSec proposal on ME60 A.


[ME60A] ipsec proposal tran1 [ME60A-ipsec-proposal-tran1] [ME60A-ipsec-proposal-tran1] [ME60A-ipsec-proposal-tran1] [ME60A-ipsec-proposal-tran1] [ME60A-ipsec-proposal-tran1] encapsulation-mode tunnel transform esp esp encryption-algorithm des esp authentication-algorithm sha1 quit

# Create an IPSec proposal on ME60 B.


[ME60B] ipsec proposal tran1
[ME60B-ipsec-proposal-tran1] encapsulation-mode tunnel
[ME60B-ipsec-proposal-tran1] transform esp
[ME60B-ipsec-proposal-tran1] esp encryption-algorithm des
[ME60B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[ME60B-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec proposal
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption des

5. Create IPSec policies on ME60 A and ME60 B.

# Create an IPSec policy on ME60 A.
[ME60A] ipsec policy map1 10 isakmp
[ME60A-ipsec-policy-isakmp-map1-10] ike-peer ME60B
[ME60A-ipsec-policy-isakmp-map1-10] proposal tran1
[ME60A-ipsec-policy-isakmp-map1-10] security acl 3101
[ME60A-ipsec-policy-isakmp-map1-10] quit

# Create an IPSec policy on ME60 B.


[ME60B] ipsec policy use1 10 isakmp
[ME60B-ipsec-policy-isakmp-use1-10] ike-peer ME60A
[ME60B-ipsec-policy-isakmp-use1-10] proposal tran1
[ME60B-ipsec-policy-isakmp-use1-10] security acl 3101
[ME60B-ipsec-policy-isakmp-use1-10] quit

Run the display ipsec policy command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
security data flow : 3101
ike-peer name: ME60B
perfect forward secrecy: None
proposal name: tran1
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes

6. Apply the IPSec policies to the interfaces of ME60 A and ME60 B.

# Apply the IPSec policy to the interface of ME60 A.
[ME60A] interface pos1/0/1
[ME60A-Pos1/0/1] ip address 202.38.163.1 255.255.255.0
[ME60A-Pos1/0/1] ipsec policy map1
[ME60A-Pos1/0/1] undo shutdown
[ME60A-Pos1/0/1] quit

# Apply the IPSec policy to the interface of ME60 B.

[ME60B] interface pos2/0/1
[ME60B-Pos2/0/1] ip address 202.38.162.1 255.255.255.0
[ME60B-Pos2/0/1] ipsec policy use1
[ME60B-Pos2/0/1] undo shutdown
[ME60B-Pos2/0/1] quit

Run the display ipsec sa command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ipsec sa
===============================
Interface: pos1/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
encapsulation mode: tunnel
tunnel local : 202.38.163.1
tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
[outbound ESP SAs]
spi: 12345 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa

7. Configure the QoS traffic policy on ME60 A and ME60 B so that the ME60s encrypt user packets.
NOTE

For the configuration of the QoS policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

# Configure the QoS policy on ME60 A.


[ME60A] traffic classifier ipsec-using
[ME60A-classifier-ipsec-using] if-match acl 3101
[ME60A-classifier-ipsec-using] quit
[ME60A] traffic behavior ipsec-using
[ME60A-behavior-ipsec-using] ipsec
[ME60A-behavior-ipsec-using] quit
[ME60A] traffic policy ipsec-using
[ME60A-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60A-trafficpolicy-ipsec-using] quit

# Configure the QoS policy on ME60 B.


[ME60B] traffic classifier ipsec-using
[ME60B-classifier-ipsec-using] if-match acl 3101
[ME60B-classifier-ipsec-using] quit
[ME60B] traffic behavior ipsec-using
[ME60B-behavior-ipsec-using] ipsec
[ME60B-behavior-ipsec-using] quit
[ME60B] traffic policy ipsec-using
[ME60B-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60B-trafficpolicy-ipsec-using] quit

# Apply the QoS policy to ME60 A globally.


[ME60A] traffic-policy ipsec-using inbound
[ME60A] traffic-policy ipsec-using outbound

# Apply the QoS policy to ME60 B globally.


[ME60B] traffic-policy ipsec-using inbound
[ME60B] traffic-policy ipsec-using outbound

8. Verify the configuration.

After the configuration is complete, PC A can still ping PC B, and the data transmitted between them is encrypted. Run the display ike sa command on ME60 A. The display is as follows:
[ME60A] display ike sa
connection-id  peer           vpn  flag   phase  doi
--------------------------------------------------------------
14             202.38.162.1   0    RD|ST  1      IPSEC
16             202.38.162.1   0    RD|ST  2      IPSEC
flag meaning
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO-TIMEOUT

Configuration Files
The following are the configuration files of the ME60s.

l Configuration file of ME60 A
#
 sysname ME60A
#
 ike local-name huawei01
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 sa duration 43200
#
ike peer ME60B
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei02
 remote-address 202.38.162.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer ME60B
 proposal tran1
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos1/0/1
 undo shutdown
 ip address 202.38.163.1 255.255.255.0
 ipsec policy map1
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
#
return

l Configuration file of ME60 B
#
 sysname ME60B
#
 ike local-name huawei02
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 sa duration 43200
#
ike peer ME60A
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei01
 remote-address 202.38.163.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer ME60A
 proposal tran1
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos2/0/1
 undo shutdown
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
#
return
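The two configuration files above must mirror each other for the IKE negotiation and the IPSec tunnel to come up: the remote-name configured on one ME60 must equal the ike local-name of the other, the remote-address must be the peer's interface address, the pre-shared keys must match, and the ACL on one side must be the mirror image of the ACL on the other. The following Python script is an added illustration of that cross-check; it is not part of the ME60 software or of this guide. It parses trimmed copies of the two configuration files shown above (CONFIG_A and CONFIG_B are excerpts of them) and reports mismatches. The 16-character threshold used to warn about short pre-shared keys is an assumption of this example, not an ME60 requirement.

```python
import re
from typing import Dict, List

# Excerpts of the configuration files of ME60 A and ME60 B from the example above.
CONFIG_A = """\
 sysname ME60A
#
 ike local-name huawei01
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike peer ME60B
 pre-shared-key huawei
 remote-name huawei02
 remote-address 202.38.162.1
#
interface Pos1/0/1
 ip address 202.38.163.1 255.255.255.0
#
"""

CONFIG_B = """\
 sysname ME60B
#
 ike local-name huawei02
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike peer ME60A
 pre-shared-key huawei
 remote-name huawei01
 remote-address 202.38.163.1
#
interface Pos2/0/1
 ip address 202.38.162.1 255.255.255.0
#
"""

MIN_PSK_LEN = 16  # assumption of this example, not an ME60 setting


def parse(cfg: str) -> dict:
    """Extract the IKE identity, IKE peers, ACL rules and interface addresses."""
    d: dict = {"local_name": None, "peers": {}, "acl_rules": [], "addresses": set()}
    peer = None  # the "ike peer" block we are currently inside, if any
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":                       # "#" closes a configuration block
            peer = None
        elif m := re.match(r"ike local-name (\S+)$", line):
            d["local_name"] = m.group(1)
        elif m := re.match(r"ike peer (\S+)$", line):
            peer = d["peers"].setdefault(m.group(1), {})
        elif m := re.match(r"(pre-shared-key|remote-name|remote-address) (\S+)$", line):
            if peer is not None:
                peer[m.group(1)] = m.group(2)
        elif m := re.match(r"rule (?:\d+ )?permit ip source (\S+) (\S+) destination (\S+) (\S+)$", line):
            d["acl_rules"].append(m.groups())
        elif m := re.match(r"ip address (\S+) \S+$", line):
            d["addresses"].add(m.group(1))
    return d


def check_pair(a: dict, b: dict) -> Dict[str, List[str]]:
    """Check that every IKE peer and ACL rule of a is mirrored on b."""
    errors: List[str] = []
    warnings: List[str] = []
    their_keys = {p.get("pre-shared-key") for p in b["peers"].values()}
    for name, peer in a["peers"].items():
        if peer.get("remote-name") != b["local_name"]:
            errors.append(f"peer {name}: remote-name {peer.get('remote-name')} "
                          f"differs from the peer's ike local-name {b['local_name']}")
        if peer.get("remote-address") not in b["addresses"]:
            errors.append(f"peer {name}: remote-address {peer.get('remote-address')} "
                          "is not an interface address of the peer")
        if peer.get("pre-shared-key") not in their_keys:
            errors.append(f"peer {name}: pre-shared-key matches no key on the peer")
        psk = peer.get("pre-shared-key") or ""
        if len(psk) < MIN_PSK_LEN:
            warnings.append(f"peer {name}: pre-shared-key has only {len(psk)} characters")
    for src, swc, dst, dwc in a["acl_rules"]:
        if (dst, dwc, src, swc) not in b["acl_rules"]:
            errors.append(f"ACL rule {src} {swc} -> {dst} {dwc} has no mirrored rule on the peer")
    return {"errors": errors, "warnings": warnings}


def check_both(cfg_a: str, cfg_b: str) -> Dict[str, Dict[str, List[str]]]:
    """Run the cross-check in both directions."""
    a, b = parse(cfg_a), parse(cfg_b)
    return {"A->B": check_pair(a, b), "B->A": check_pair(b, a)}


if __name__ == "__main__":
    for direction, result in check_both(CONFIG_A, CONFIG_B).items():
        print(direction, result)
```

Run against the two files as printed above, the check reports no errors in either direction and one warning per direction about the short example key; changing remote-name on either side, or editing one ACL without its mirror, produces an error naming the peer or rule.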

8 URPF Configuration

About This Chapter

This chapter describes the fundamentals, implementation, and configuration of URPF.

8.1 Introduction
This section describes the fundamentals of Unicast Reverse Path Forwarding (URPF).

8.2 Configuring URPF
This section describes how to configure the URPF function.

8.3 Configuration Examples
This section provides a configuration example of URPF.


8.1 Introduction
This section describes the fundamentals of Unicast Reverse Path Forwarding (URPF).

8.1.1 Overview of URPF
8.1.2 URPF Features of the ME60

8.1.1 Overview of URPF


URPF is used to prevent attacks based on IP address spoofing. Generally, when a router receives a packet, it searches for a route according to the destination address of the packet. If a matching route is found, the router forwards the packet; otherwise, the router discards the packet. Unlike the general routing process, URPF uses the source address and the incoming interface of the packet. Taking the source address as the destination address, URPF checks whether the interface corresponding to the source address in the forwarding table is the incoming interface of the packet. If not, the source address is taken as spoofed and the packet is discarded. In this way, URPF keeps the network away from malicious attacks initiated by modifying the source address. The model of the source address spoofing attack is as follows.

Figure 8-1 Schematic diagram of the source address spoofing attack (figure: Router A at 1.1.1.1/24, Router B, and Router C at 2.1.1.1/24; the packet sent by Router A carries source address 2.1.1.1/24)

A host connected to Router A (customer network) generates a packet with a pseudo source IP address 2.1.1.1 and sends the packet to Router B. Router B sends a response packet to Router C, whose IP address is 2.1.1.1. In this way, Router A attacks both Router B and Router C by sending such packets.

URPF can be applied on the upstream incoming interfaces of the router in two application environments: single-homed client and multi-homed client.

l Single-homed client
Figure 8-2 shows the connection between the client and the convergence router of the ISP. URPF is enabled on GE 1/0/0 of the ISP router to protect the router and the Internet against source address spoofing attacks from the client network.

Figure 8-2 URPF applied on a single-homed client (figure: the client network 169.1.1.1/24 connects to GE1/0/0 of the ISP aggregation router, where URPF is enabled; GE2/0/0 and GE3/0/0 lead into the ISP; a packet with source address 169.1.1.1/24 arrives from the client)

l Multi-homed client
URPF can be applied in the networking where multiple connections are set up between the client and the ISP, as shown in Figure 8-3. To make URPF work normally, ensure that the packet from the client to a host on the Internet passes through the same link (between the client and the ISP router) as the packet from this host to the client. That is, route symmetry must be ensured; otherwise, URPF discards some normal packets because of mismatched interfaces.

Figure 8-3 URPF applied on a multi-homed client (figure: enterprise Router C connects to ISP Router A and Router B over two links; URPF is enabled on both ISP-side interfaces; the packet path and the route path are drawn separately)

l Multi-homed client with multiple ISPs
URPF can be applied in the networking where a client is connected to multiple ISPs, as shown in Figure 8-4. In this case, route symmetry must be ensured.

Figure 8-4 URPF applied on a multi-homed client with multiple ISPs (figure: enterprise Router C connects to Router A of ISP A and Router B of ISP B, both leading to the Internet; URPF is enabled on the ISP-side interfaces)

8.1.2 URPF Features of the ME60


The ME60 performs URPF check for all the IP packets on an interface in either of the following modes:

l Loose check
For the IP packets arriving at the interface, the ME60 checks whether the forwarding table contains an entry for the source address of the IP packets. If the entry exists, the IP packets pass the URPF check.

l Strict check
For the IP packets arriving at the interface, the ME60 checks whether the forwarding table contains an entry for the source address of the IP packets. If the entry does not exist, the IP packets fail the URPF check. If the entry exists, the ME60 checks whether the outgoing interface specified in this entry is the incoming interface of the IP packets. The IP packets pass the URPF check only if the outgoing interface specified in the entry is the incoming interface of the IP packets.

The ME60 can also perform URPF check only for the packets that meet certain conditions. This function is implemented through class-based QoS. The procedure for configuring the ME60 to perform URPF check for the packets meeting certain conditions is as follows:

1. Create a traffic classifier on the ME60. Configure the traffic classifier to identify the packets that meet certain conditions.
2. Create a traffic behavior on the ME60 and configure the traffic behavior to perform URPF check. For details, see "8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets."
3. Create a traffic policy on the ME60. Configure the ME60 to perform URPF check for a certain type of packets.
4. Apply the traffic policy to an interface or a service policy. The traffic policy can also be applied to the entire equipment. In this case, the ME60 performs URPF check for all packets that meet the conditions. For details, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
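The difference between loose and strict check, and the route-symmetry caveat for multi-homed clients, is easiest to see on a small forwarding table. The following Python model is an added illustration and is not ME60 code: it performs a longest-prefix lookup of the source address in a constructed forwarding table (prefixes and interface names are assumptions modelled on Figures 8-1 to 8-3) and applies the loose or strict rule described above. The ignore_default flag is a design choice of this example, not an ME60 option; it shows why a default route makes loose check accept every source address.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed forwarding table of an ISP router: (prefix, outgoing interface).
FIB: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "GE1/0/0"),   # customer network behind GE1/0/0
    ("10.2.0.0/16", "GE2/0/0"),   # second link of a multi-homed customer
    ("2.1.1.0/24",  "GE3/0/0"),   # Router C's network, reached via the upstream link
    ("0.0.0.0/0",   "GE3/0/0"),   # default route towards the Internet
]

Entry = Tuple[ipaddress.IPv4Network, str]


def lookup(fib: List[Tuple[str, str]], addr: str) -> Optional[Entry]:
    """Longest-prefix match of addr in fib; None when no entry covers it."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Entry] = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib: List[Tuple[str, str]], src: str, in_iface: str, mode: str,
               ignore_default: bool = False) -> bool:
    """Return True when a packet with source src arriving on in_iface passes URPF.

    mode="loose":  pass if the forwarding table has any entry covering src.
    mode="strict": pass only if that entry's outgoing interface is in_iface.
    ignore_default: treat a hit on 0.0.0.0/0 as "no entry" (this example's
    choice, not an ME60 option).
    """
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    entry = lookup(fib, src)
    if entry is None:
        return False                  # no route back to the source: fails both modes
    net, out_iface = entry
    if ignore_default and net.prefixlen == 0:
        return False
    if mode == "loose":
        return True                   # an entry exists; the interface is not compared
    return out_iface == in_iface      # strict: reverse path must leave via the incoming interface


def run(fib: List[Tuple[str, str]], packets: List[Tuple[str, str]],
        mode: str) -> List[Tuple[str, str, bool]]:
    """Apply the check to (source address, incoming interface) pairs."""
    return [(src, iface, urpf_check(fib, src, iface, mode)) for src, iface in packets]


if __name__ == "__main__":
    # Constructed packets: a spoofed source as in Figure 8-1, a legitimate one,
    # and a multi-homed customer's packet arriving on the "other" link.
    packets = [("2.1.1.1", "GE1/0/0"), ("10.1.1.5", "GE1/0/0"), ("10.2.1.5", "GE1/0/0")]
    for mode in ("loose", "strict"):
        print(mode, run(FIB, packets, mode))
```

The spoofed packet (source 2.1.1.1 arriving on the customer interface) passes loose check because 2.1.1.0/24 is in the table, but fails strict check because that entry points to GE3/0/0. The multi-homed customer's packet from 10.2.1.5 arriving on GE1/0/0 is legitimate, yet strict check drops it for the same reason; that is the asymmetric-routing case the text warns about, and loose check is the mode that tolerates it.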


8.2 Configuring URPF


This section describes how to configure the URPF function.

8.2.1 Establishing the Configuration Task
8.2.2 Enabling URPF on an Interface
8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets

8.2.1 Establishing the Configuration Task


Applicable Environment
To prevent source address spoofing attacks on the network, configure URPF to check whether the source IP addresses of packets match the incoming interfaces. If the source IP address of a packet matches the incoming interface, the source IP address is considered legal and the packet is allowed to pass; otherwise, the source IP address is considered spoofed and the packet is discarded.

Pre-configuration Task
Before configuring the URPF function, complete the following tasks:
l Configuring the link-layer parameters of the interface
l Configuring an IP address for the interface

Data Preparation
To configure the URPF function, you need the following data.

No.  Data
1    Number of the interface where URPF is to be enabled
2    (Optional) Name of the traffic behavior

8.2.2 Enabling URPF on an Interface


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ip urpf { loose | strict }

URPF is enabled on the interface. If the loose keyword is selected, the ME60 performs loose URPF check. That is, if the forwarding table contains an entry for the source address of a packet, the packet passes the URPF check, regardless of whether the interface mapped to the source address in the forwarding table is the incoming interface of the packet. If the strict keyword is selected, the ME60 performs strict URPF check. That is, a packet passes the URPF check only if the forwarding table contains an entry for the source address and the interface mapped to that entry is the incoming interface of the packet.

----End

8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets


Context
To configure the ME60 to perform URPF check for packets of a certain type, you need to configure a traffic policy, configure the traffic behavior in the traffic policy, and then apply the traffic policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
traffic behavior behavior-name

The behavior view is displayed.

Step 3 Run:
ip urpf { strict | loose }

The traffic behavior is configured to perform URPF check.


NOTE

For the complete procedure, see "8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets." For the configuration and application of the traffic policy, refer to chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

----End

8.3 Configuration Examples


This section provides a configuration example of URPF.

8.3.1 Example for Configuring URPF

8.3.1 Example for Configuring URPF


Networking Requirements
You need to enable URPF on the ISP router, namely, ME60 B. As shown in Figure 8-5, ME60 A and ME60 B are directly connected. Enable URPF on interface GE1/0/0 of ME60 B; loose URPF check is required for the IP packets arriving at this interface. Enable URPF on interface GE1/0/0 of ME60 A; strict URPF check is required for the IP packets arriving at this interface.

Figure 8-5 Networking of URPF configuration (figure: GE1/0/0 172.19.139.1/30 of ME60 A is connected to GE1/0/0 172.19.139.2/30 of ME60 B; ME60 B connects to the ISP)

Configuration Roadmap
The configuration roadmap is as follows:
l Configure strict URPF check for the IP packets arriving at GE1/0/0 of ME60 A.
l Configure loose URPF check for the IP packets arriving at GE1/0/0 of ME60 B.

Data Preparation
To complete the configuration, you need the following data:
l IP addresses of the interfaces

Configuration Procedure
1. Configure ME60 A.

# Configure the IP address of GE 1/0/0.
<ME60A> system-view
[ME60A] interface gigabitethernet 1/0/0
[ME60A-GigabitEthernet1/0/0] ip address 172.19.139.1 255.255.255.252
[ME60A-GigabitEthernet1/0/0] undo shutdown

# Enable strict URPF on GE1/0/0.
[ME60A-GigabitEthernet1/0/0] ip urpf strict

2. Configure ME60 B.

# Configure the IP address of GE 1/0/0.
<ME60B> system-view
[ME60B] interface gigabitethernet 1/0/0
[ME60B-GigabitEthernet1/0/0] ip address 172.19.139.2 255.255.255.252
[ME60B-GigabitEthernet1/0/0] undo shutdown

# Enable loose URPF on GE1/0/0.
[ME60B-GigabitEthernet1/0/0] ip urpf loose

Configuration Files
The following are the configuration files of the ME60s.

l Configuration file of ME60 A
#
 sysname ME60A
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.1 255.255.255.252
 ip urpf strict
#
return

l Configuration file of ME60 B
#
 sysname ME60B
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.2 255.255.255.252
 ip urpf loose
#
return

9 DPI Configuration

About This Chapter

This chapter describes the fundamentals of DPI and how to configure network-side DPI and user-side DPI.

9.1 Introduction
This section describes the concept and rationale of DPI and the DPI features supported by the ME60.

9.2 Configuring Basic DPI Functions
This section describes how to configure basic DPI functions.

9.3 Configuring Network-side DPI
This section describes how to configure and apply the DPI policy at the network side.

9.4 Configuring User-side DPI
This section describes how to configure and apply the DPI policy at the user side.

9.5 Configuration Examples
This section provides a configuration example of DPI.


9.1 Introduction
This section describes the concept and rationale of DPI and the DPI features supported by the ME60.

9.1.1 Overview of DPI
9.1.2 DPI Functions Supported by the ME60

9.1.1 Overview of DPI


Background of DPI
With the extensive use of broadband networks, more bandwidth-related applications are being developed and are maturing. This encourages users to use bandwidth-intensive services such as P2P, online games, and VoIP. These services attract many users; however, they also cause problems. For example, many P2P applications maliciously occupy network resources, and network congestion results. Carriers need to control such illegal network applications.

Rationale of DPI
The deep packet inspection (DPI) technology identifies network applications so that the carrier can control and manage the network. As shown in Figure 9-1, common packet analysis involves only the source address, destination address, source port, and destination port. In addition to these fields, DPI analyzes the application-layer information (the payload) to identify various services and applications.

Figure 9-1 Comparison between DPI and the common packet analysis (figure: common packet analysis examines the source IP, source port, destination IP, and destination port before deciding on an operation; DPI additionally examines the payload)


DPI Functions
DPI provides the following three functions:

l Service identification
DPI identifies the data flow of a legal service by the quintuple. Take the video on demand (VoD) service for example. The source address of the service flow belongs to a network segment configured on the VoD server, and the source port number is fixed. Unauthorized users usually hide information about illegal service flows by using some techniques. For example, a P2P flow may use port 80 of HTTP. Therefore, the service type cannot be identified accurately according to the quintuple alone, such as the address and port. To identify an illegal service flow, DPI analyzes the contents of an IP packet to find the characteristic field or behavior of the service.

l Service control
DPI controls the identified service flow based on a combination that may consist of the user name, time, bandwidth, and history traffic volume. DPI handles the service flow in the following ways:
l Forwards packets as usual.
l Blocks the service flow.
l Limits the bandwidth of the service flow.
l Re-marks the priorities of packets.
For convenient service operation, all control policies are configured on the policy server. After a user logs in, the policies are delivered dynamically.

l Service statistics
The statistics of service traffic distribution and usage of a service help to discover the user or the service that affects the normal operation of the network. According to the statistics, the following information can be obtained:
l Percentage of traffic from attackers
l Number of online users playing an online game
l Services consuming bandwidth
l Illegal VoIP users
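The three functions above (identification, control, statistics) and the limit of quintuple-only analysis can be demonstrated on a handful of flows. The following Python script is an added illustration, not ME60 or DPI-box code. It classifies constructed sample flows first by destination port only and then by payload signature, so the P2P flow hiding on port 80 is labelled "http" by the quintuple and "bittorrent" by DPI (the signature is the public BitTorrent peer-wire handshake; the HTTP and SIP signatures are their request lines). The POLICY table maps each application to one of the behaviors the ME60 DPI policy offers (permit, car, random-drop); the chosen values are assumptions, as are the addresses, ports and byte counts of the sample flows.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Flow:
    """One flow: its quintuple, the first payload bytes, and the bytes carried."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes
    nbytes: int


# Constructed sample flows (documentation address ranges, hypothetical volumes).
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", 51000, "198.51.100.10", 80, "tcp",
         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n", 1200),
    # P2P flow on port 80: the quintuple says HTTP, the payload does not.
    Flow("10.0.0.6", 51001, "198.51.100.20", 80, "tcp",
         b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20), 900000),
    Flow("10.0.0.7", 40000, "203.0.113.5", 5060, "udp",
         b"INVITE sip:bob@example.com SIP/2.0\r\n", 3000),
    Flow("10.0.0.8", 40001, "203.0.113.9", 4444, "tcp", b"\x00\x01\x02\x03", 50),
]

# Quintuple-only classification: destination port -> application.
WELL_KNOWN_PORTS: Dict[int, str] = {80: "http", 443: "https", 5060: "sip"}

# Payload signatures checked at the start of the application data.
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("sip", re.compile(rb"^(INVITE|REGISTER|OPTIONS|BYE|ACK) sip:\S+ SIP/2\.0\r\n")),
]

# Service control: application -> DPI behavior (values are assumptions).
POLICY: Dict[str, str] = {
    "http": "permit",
    "bittorrent": "car cir 512 downstream",
    "sip": "random-drop 5",
    "unknown": "permit",
}


def classify_by_quintuple(flow: Flow) -> str:
    """Common packet analysis: decide from the destination port alone."""
    return WELL_KNOWN_PORTS.get(flow.dport, "unknown")


def classify_by_dpi(flow: Flow) -> str:
    """DPI: match the payload against the signatures; 'unknown' if none fits."""
    for name, pattern in SIGNATURES:
        if pattern.search(flow.payload):
            return name
    return "unknown"


def service_control(flow: Flow) -> str:
    """Service control: the behavior applied to the application DPI identified."""
    return POLICY[classify_by_dpi(flow)]


def traffic_by_application(flows: List[Flow]) -> Dict[str, int]:
    """Service statistics: bytes per application according to the DPI verdict."""
    counter: Counter = Counter()
    for flow in flows:
        counter[classify_by_dpi(flow)] += flow.nbytes
    return dict(counter)


def bandwidth_share(flows: List[Flow], app: str) -> float:
    """Fraction of all observed bytes that belong to one application."""
    stats = traffic_by_application(flows)
    total = sum(stats.values())
    return stats.get(app, 0) / total if total else 0.0


def compare_classifiers(flows: List[Flow]) -> List[Tuple[str, str]]:
    """(quintuple verdict, DPI verdict) per flow, showing where they disagree."""
    return [(classify_by_quintuple(f), classify_by_dpi(f)) for f in flows]


if __name__ == "__main__":
    for flow, (q, d) in zip(SAMPLE_FLOWS, compare_classifiers(SAMPLE_FLOWS)):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"quintuple={q} dpi={d} action={service_control(flow)}")
    print(traffic_by_application(SAMPLE_FLOWS))
```

On the sample flows the second classifier disagrees with the first only for the port-80 P2P flow, which then receives the CAR behavior instead of permit, and the statistics show that flow accounting for almost all of the observed bytes; that is the "services consuming bandwidth" figure the text refers to.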

DPI Implementation
Figure 9-2 Networking of DPI application (figure: the user reaches the Internet through the access network and the BRAS; a DPI box is attached to the BRAS; the policy server, AAA server, and report server are connected to the BRAS)

NOTE

The user in the figure represents the access network.

9.1.2 DPI Functions Supported by the ME60


When the operation mode of the Versatile Service Unit (VSU) is set to DPI, the DPI engine identifies P2P applications and enforces service policies for the applications. The ME60 can be equipped with an external DPI box. The DPI box identifies the service type of a packet and the ME60 controls the service policy. The DPI box can identify various services including the P2P and VoIP services.
NOTE

The DPI function of the ME60 can be applied in the following cases:
l To control bandwidth of the users connected to the ME60, configure user-side DPI.
l To control bandwidth on the network side, configure network-side DPI.

9.2 Configuring Basic DPI Functions


This section describes how to configure basic DPI functions.

9.2.1 Establishing the Configuration Task
9.2.2 (Optional) Configuring the VSU to Work as the DPI Board
9.2.3 (Optional) Configuring the MAC Address of the DPI Board
9.2.4 Configuring the Packet Inspection Mode
9.2.5 (Optional) Configuring the PTS
9.2.6 Checking the Configuration

9.2.1 Establishing the Configuration Task


Applicable Environment
To use DPI to detect packets, you must configure the basic DPI functions. If only some of the P2P applications need to be inspected, DPI can be performed by the DPI box on the DPI board of the ME60. In this case, you must set the packet inspection mode to Data Service Unit (DSU). That is, packets are inspected by the DSU, namely, the built-in DPI box. If many types of applications need to be inspected, the ME60 can be connected to an external DPI box. The external DPI box for the ME60 is called the Policy Traffic Switch (PTS). In this case, you must configure the MAC address of the DPI board and information about the connection between the PTS and the ME60.

NOTE

l The ME60 implements the DPI function after the VSU is configured as the DPI board. Therefore, you need to install the VSU before configuring the DPI function. For the functions of the VSU in DPI mode, refer to the Quidway ME60 Multiservice Control Gateway Product Description.
l You can run the set lpu-work-mode { dpi | sbc | ssu | tsu } slot slot-id command to implement different service functions.
l In this manual, the VSU operating in DPI mode is called the DPI board.

Pre-configuration Task
Before configuring basic DPI functions, complete the following tasks:
l Installing the VSU
l (Optional) Connecting the PTS to the ME60 and configuring the PTS
NOTE
The ME60 and the PTS must be directly connected or connected through a layer-2 device; they cannot be connected through a layer-3 network. It is recommended that you connect the ME60 to the PTS directly.
l Configuring the ME60 so that it can communicate with other routers

Data Preparation
To configure the basic DPI functions, you need the following data.

No.  Data
1    MAC address of the DPI board
2    IP address of the PTS management interface, namely, the interface connected to the PTS
3    Number of the port for listening for the PTS keepalive packets

9.2.2 (Optional) Configuring the VSU to Work as the DPI Board


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
set lpu-work-mode dpi slot slot-id

The operation mode of the VSU is set to DPI.

NOTE

l The configured operation mode takes effect after the VSU is restarted.
l The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure the operation mode again.

----End

9.2.3 (Optional) Configuring the MAC Address of the DPI Board


Context
NOTE

You need to configure the MAC address of the DPI board only when the ME60 is connected to a PTS.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi dsu-mac

The view for configuring the DSU is displayed.

Step 3 Run:
dsu-slot slot-id mac mac-address

The MAC address of the DPI board is configured.

----End

9.2.4 Configuring the Packet Inspection Mode


Context

CAUTION
If the PTS does not exist or it is disconnected from the ME60, run the undo dpi-check pts enable command to stop the packet inspection by the PTS. This ensures normal operation of the DPI function.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi-check { dsu | pts }* enable

The packet inspection mode is configured. By default, the packet inspection mode is PTS. That is, packets are inspected by the PTS, which requires that the ME60 is connected to the PTS. The PTS can detect various types of packets, including P2P and VoIP packets. If the ME60 is not connected to a PTS, you can set the packet inspection mode to DSU. In this case, packets of certain P2P applications are inspected by the built-in DPI box on the DPI board.

----End

9.2.5 (Optional) Configuring the PTS


Context
NOTE

The parameters of the PTS need to be configured only when the ME60 is connected to a PTS.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi pts

The PTS configuration view is displayed.

Step 3 Run:
pts-id pts-id ip-address ip-address port-number subscriber-side interface-type interface-number [ internet-side interface-type interface-number ]

The parameters for the connection between the ME60 and the PTS are set.

Step 4 Run:
keep-alive period-value times-value

The interval at which the PTS sends keepalive packets is set. By default, the PTS sends keepalive packets at an interval of 10 seconds. If the ME60 fails to receive the keepalive packets three consecutive times, it considers that the PTS is disconnected.

----End

9.2.6 Checking the Configuration


Run the following commands in any view to check the previous configuration.

Action                                    Command
Check the packet inspection mode.         display dpi global-policy
Check the MAC address of the DPI board.   display dpi dsu-mac
Check the information about the PTS.      display dpi pts

Run the display dpi global-policy command, and you can view the global configuration of DPI, including the packet inspection mode.
<Quidway> display dpi global-policy
---------------------------------------------------------------------------
DPI global configration
---------------------------------------------------------------------------
Global policy group status : active
Global policy group type   : user first
Inspecting packets device  : PTS
---------------------------------------------------------------------------
DPI global policy list
---------------------------------------------------------------------------
No.  Policy Name  Application type  Protocal type
0    huawei       p2p
---------------------------------------------------------------------------
Total 1, 1 printed

9.3 Configuring Network-side DPI


This section describes how to configure and apply the DPI policy at the network side.

CAUTION
To implement network-side DPI, you must configure the global DPI policy group and traffic policy. Classify traffic according to a certain rule and associate each traffic class with a DPI behavior, and thus a DPI traffic policy is configured. Then, apply the DPI traffic policy to inspect network-side packets. The DPI traffic policy can be applied to the entire system or an interface: l When the policy is applied to the entire system, the ME60 inspects traffic of a certain service on all the network-side interfaces.
NOTE

If you enable the DPI traffic policy globally by using the global command, the ME60 performs DPI on all network-side and user-side interfaces.

When the policy is applied to an interface, the ME60 inspects traffic of a certain service only on this interface.

9.3.1 Establishing the Configuration Task
9.3.2 Creating a DPI Policy
9.3.3 Configuring the DPI Policy
9.3.4 Configuring a Global DPI Policy Group
9.3.5 Configuring a DPI Traffic Policy
9.3.6 Applying the Traffic Policy to the Network Side
9.3.7 Checking the Configuration

9.3.1 Establishing the Configuration Task


Applicable Environment
A large amount of service traffic may cause network congestion. To avoid this, you need to configure the DPI function to identify the various services and limit their traffic volumes.

Pre-configuration Task
Before configuring the network-side DPI, complete the following tasks:
- 9.2 Configuring Basic DPI Functions
- Determining whether to apply the global DPI policy

Data Preparation
To configure the network-side DPI, you need the following data.

No.  Data
1    DPI policy name
2    Services to be inspected through DPI
3    (Optional) Number of the network-side interface

9.3.2 Creating a DPI Policy


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi policy dpi-policy-name

A DPI policy is created and the DPI policy view is displayed.
----End

9.3.3 Configuring the DPI Policy


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi policy dpi-policy-name

The DPI policy view is displayed.

Step 3 Run:
service-type service-type [ sub-service-type ]

The service type is configured.

Step 4 Configure the behavior for the service as follows:
- To configure the ME60 to control the CAR parameters of the service, run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { upstream | downstream }.
- To configure the ME60 to mark the DSCP value, run remark dscp dscp-value { inbound | outbound }.
- To configure the ME60 to randomly discard packets, run random-drop random-drop-value. This command is recommended for the VoIP service.
- To configure the ME60 to forward all the packets of the specified service at a rate lower than the CIR, run permit.
- To configure the ME60 to discard all packets of the specified service, run deny.

You can configure one or more of the preceding behaviors. The permit and deny behaviors cannot be configured simultaneously. By default, the behavior in the DPI policy is permit.
----End

9.3.4 Configuring a Global DPI Policy Group


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi global-policy

The global DPI policy group view is displayed.

Step 3 Run:
dpi-policy dpi-policy-name

The DPI policy is configured as a global policy.

Step 4 (Optional) Run:
global

The DPI policy is applied to the entire system.

NOTE
After you run this command, the ME60 may match the service data with the global DPI policy instead of the user-side DPI policy. For details, see "9.3.6 Applying the Traffic Policy to the Network Side."

Step 5 Run:
active

The global DPI policy is activated.

The global DPI policy group is used to inspect packets on a network-side interface. You can also apply it to the user-side interfaces by using the global command. A common DPI policy group is used to inspect packets on a user-side interface and cannot be applied to a network-side interface.

NOTE
For the configuration of a common policy group, see "9.4.3 Configuring a Common DPI Policy Group."

By default, the DPI policy is not applied to the entire system, and the global DPI policy is active.
----End

9.3.5 Configuring a DPI Traffic Policy


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
traffic classifier traffic-classifier-name [ operator { and | or } ]

A traffic classifier is created and the traffic classifier view is displayed.

Step 3 Define the rule for matching data packets as follows:
- To match the 802.1p field in a packet, run the if-match 8021p 8021p-code command.
- To match the source MAC address of a packet, run the if-match source-mac mac-address command.
- To match the destination MAC address of a packet, run the if-match destination-mac mac-address command.
- To match packets with an ACL, run the if-match acl acl-number command.
- To match the DSCP field of a packet, run the if-match dscp dscp-value command.
- To match the IP precedence of a packet, run the if-match ip-precedence ip-precedence-value command.
- To match the TCP SYN flag of a packet, run the if-match tcp syn-flag flag-value command.
- To match all IPv4 packets, run the if-match any command.

Step 4 Run:
quit

The system exits from the traffic classifier view.

Step 5 Run:
traffic behavior behavior-name

A behavior is created and the behavior view is displayed.

Step 6 Run:
dpi

DPI is enabled.

NOTE
After the dpi action is configured in a traffic behavior, you cannot configure the redirect action in the same behavior view.

Step 7 Run:
quit

The system exits from the behavior view.

Step 8 Run:
traffic policy traffic-policy-name

The traffic policy view is displayed.

Step 9 Run:
classifier traffic-classifier-name behavior behavior-name

The traffic classifier is associated with the behavior. Configure the traffic classifier according to the network requirement so that DPI is performed only for the specified flows. The behavior name specified in this command must be the same as the behavior-name you specify in Step 5.

NOTE
For the configuration of a traffic policy, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

----End

9.3.6 Applying the Traffic Policy to the Network Side


Procedure
- Applying the traffic policy globally
  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  traffic-policy traffic-policy-name inbound

  The traffic policy is applied to the inbound direction.

  NOTE
  A DPI traffic policy cannot be applied to the outbound direction.

  If you apply the traffic policy globally and also run the global command in the global DPI policy view, the DPI policy takes effect on all network-side and user-side interfaces, and the common DPI policies configured on the user-side interfaces become invalid. If you do not run the global command, the global DPI takes effect only on the network-side interfaces.

- Applying the traffic policy to an interface
  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  interface interface-type interface-number

  The interface view is displayed.

  3. Run:
  traffic-policy traffic-policy-name { inbound | outbound } [ link-layer ]

  The traffic policy is applied to the interface.
----End
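A static check of the network-side DPI wiring built up in 9.3.2 to 9.3.6, as an added example that is not part of this guide or of Huawei's software: it parses a configuration file in the layout of the Configuration Files section of 9.5.1 and reports the constraints the guide states (permit and deny are mutually exclusive in a DPI policy, redirect cannot sit next to dpi in a traffic behavior, a DPI traffic policy is applied inbound only, and the global policy group must reference an existing DPI policy). Both configuration strings are constructed for the example; the bare `redirect` line stands in for the redirect action, whose arguments this page does not show.

```python
"""Static check of network-side DPI wiring in an ME60-style configuration (added example,
not Huawei code). Rules checked, all stated in the guide: permit and deny are mutually
exclusive in a DPI policy; a traffic behavior with 'dpi' cannot also 'redirect'; a DPI
traffic policy is applied inbound only; the global policy group must reference an existing
DPI policy."""
import re


def parse_blocks(text):
    """(header, [sub-commands]) pairs: '#' ends a block, an unindented line starts one."""
    blocks, current = [], None
    for raw in filter(str.strip, text.splitlines()):
        if raw.strip() == "#":
            current = None
        elif current is None or not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
        else:                      # any indentation depth, e.g. a nested bas view
            current[1].append(raw.strip())
    return blocks


def check_dpi_config(text):
    """Return a list of findings; an empty list means the DPI wiring is consistent."""
    findings, refs, applied = [], [], []
    dpi_policies, dpi_behaviors, policy_behaviors = set(), set(), {}
    for header, body in parse_blocks(text):   # pass 1: definitions, references, local rules
        words = header.split()
        verbs = {cmd.split()[0] for cmd in body}
        if header == "dpi global-policy":
            refs += [cmd.split()[1] for cmd in body if cmd.startswith("dpi-policy ")]
        elif header.startswith("dpi policy "):
            dpi_policies.add(words[2])
            if {"permit", "deny"} <= verbs:
                findings.append(f"{header}: permit and deny cannot both be configured")
        elif header.startswith("traffic behavior ") and "dpi" in verbs:
            dpi_behaviors.add(words[2])
            if "redirect" in verbs:
                findings.append(f"{header}: redirect cannot be combined with dpi")
        elif header.startswith("traffic policy "):
            for cmd in body:
                m = re.fullmatch(r"classifier \S+ behavior (\S+)", cmd)
                if m:
                    policy_behaviors.setdefault(words[2], set()).add(m.group(1))
        elif header.startswith("traffic-policy "):      # applied globally in the system view
            applied.append(("system view", words[1], words[2]))
        elif header.startswith("interface "):
            applied += [(header, c.split()[1], c.split()[2])
                        for c in body if c.startswith("traffic-policy ")]
    for name in refs:                          # pass 2: cross-block rules
        if name not in dpi_policies:
            findings.append(f"dpi global-policy: references undefined dpi policy {name}")
    for where, policy, direction in applied:
        if policy_behaviors.get(policy, set()) & dpi_behaviors and direction != "inbound":
            findings.append(f"{where}: DPI traffic policy {policy} cannot be applied {direction}")
    return findings


# Constructed configuration in the shape of the guide's own network-side example.
GOOD_CONFIG = """\
traffic behavior e
 dpi
 car cir 112640
#
traffic policy 1
 classifier a behavior e
#
interface gigabitethernet1/0/0
 undo shutdown
 traffic-policy 1 inbound
#
dpi policy dpi1
 service-type p2p
 car cir 102400 upstream
#
dpi global-policy
 dpi-policy dpi1
"""

# The same configuration plus blocks that break each rule once ('redirect' stands for
# the behavior the guide forbids next to dpi; its arguments are not shown on the page).
BAD_CONFIG = GOOD_CONFIG + """\
#
dpi policy bad
 service-type p2p
 permit
 deny
#
traffic behavior b
 dpi
 redirect
#
interface gigabitethernet2/0/0
 traffic-policy 1 outbound
#
dpi global-policy
 dpi-policy missing
"""
```

Running check_dpi_config over GOOD_CONFIG returns an empty list; over BAD_CONFIG it returns one finding per broken rule.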

9.3.7 Checking the Configuration


Run the following commands in any view to check the previous configuration.

Action                                              Command
Check information about the global DPI policy.      display dpi global-policy [ verbose ]
Check information about the DPI policy.             display dpi policy [ dpi-policy-name ]


9.4 Configuring User-side DPI


This section describes how to configure and apply the DPI policy at the user side.

NOTE
The user-side DPI policy functions on each user individually. For example, if you run the car cir command to set the bandwidth for a user to 1 Mbit/s, the ME60 checks the bandwidth of each user, and if the bandwidth of a user exceeds 1 Mbit/s, the ME60 limits the traffic volume of this user.

9.4.1 Establishing the Configuration Task
9.4.2 Creating and Configuring a DPI Policy
9.4.3 Configuring a Common DPI Policy Group
9.4.4 Applying the User-side DPI Policy to the Domain
9.4.5 (Optional) Enabling DPI on a BAS Interface
9.4.6 (Optional) Configuring the Restriction Policy
9.4.7 Checking the Configuration

9.4.1 Establishing the Configuration Task


Applicable Environment
Some applications may maliciously occupy network resources, which causes network congestion. To avoid network congestion, you need to configure the DPI function to identify various applications and limit the traffic of these applications. Use one of the following methods to configure the user-side DPI policy:
- To inspect the users that go online through a BAS interface, configure a restriction policy on the ME60 and enable DPI on the BAS interface.
- To inspect the users that go online from a domain, configure a common DPI policy group and bind the policy group to the domain.
- Configure the policy server to deliver the DPI policy for users.

The DPI policy delivered by the policy server has the highest priority, and the DPI policy configured on a BAS interface has the lowest priority. If the DPI policy is delivered by the policy server, the ME60 dynamically matches the user packets with the DPI policy after a user goes online. If the user packets do not match the delivered policy, the ME60 matches the packets with the DPI policy bound to the domain. If no DPI policy is bound to the domain, or the user packets do not match the service type specified by the DPI policy, the ME60 performs DPI according to the restriction DPI policy configured on the BAS interface.
NOTE

For the method of configuring the policy server to deliver the DPI policy, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.

Pre-configuration Task
Before configuring the user-side DPI, complete the following tasks:
- 9.2 Configuring Basic DPI Functions
- Enabling users to connect to the Internet through the ME60
- Enabling the value-added service
NOTE

The DPI service is a value-added service. Therefore, you must enable value-added services before configuring DPI. For the method of enabling value-added services, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.

Data Preparation
To configure the user-side DPI, you need the following data.

No.  Data
1    DPI policy name
2    Name of the common DPI policy group
3    Domain where the DPI policy is to be configured
4    (Optional) BAS interface where the DPI policy is to be configured

9.4.2 Creating and Configuring a DPI Policy


See "9.3.2 Creating a DPI Policy" and "9.3.3 Configuring the DPI Policy".

9.4.3 Configuring a Common DPI Policy Group


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi policy-group policy-group-name

A common DPI policy group is created and the common DPI policy group view is displayed.

Step 3 Run:
dpi-policy dpi-policy-name

A common DPI policy is bound to the policy group.
----End



9.4.4 Applying the User-side DPI Policy to the Domain


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
dpi-policy-group policy-group-name

A common DPI policy group is applied to the domain. The common DPI policy group must already exist. When the common DPI policy group is applied to the domain, the ME60 can identify whether a user in the domain is using a service specified by the DPI policy, and can then limit the traffic of this user.
----End

9.4.5 (Optional) Enabling DPI on a BAS Interface


Context

CAUTION
After DPI is enabled on a BAS interface, if no DPI policy is bound to the domain, or the user packets do not match the service type specified by the DPI policy, the ME60 performs DPI according to the restriction DPI policy configured on the BAS interface. Therefore, you must configure a restriction DPI policy when enabling DPI on a BAS interface; otherwise, DPI does not take effect on the BAS interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
access-type layer2-subscriber [ bas-interface-name name | default-domain { pre-authentication domain-name | authentication [ force | replace ] domain-name } * | accounting-copy radius-server radius-name ] *

The access type of the interface is set to layer-2 subscriber.

Or run:
access-type layer2-leased-line user-name username password [ bas-interface-name name | default-domain authentication domain-name | accounting-copy radius-server radius-name | nas-port-type type ] *

The access type of the interface is set to layer-2 leased line.

Or run:
access-type layer3-leased-line user-name username password [ bas-interface-name name | default-domain authentication domain-name | accounting-copy radius-server radius-name | nas-port-type type ] *

The access type of the interface is set to layer-3 leased line.

Step 5 Run:
dpi-enable

DPI is enabled.

Step 6 Run:
authentication-method { { ppp | dot1x | { web | fast } } * | bind }

The authentication method of the user is set.

After DPI is enabled on the BAS interface, the ME60 performs the following:
- If a common DPI policy group is bound to the domain, the ME60 matches packets of the users going online from the domain with the common DPI policy. If the user packets do not match any service type specified by the common DPI policy, the ME60 matches the user packets with the restriction DPI policy.
- If no common DPI policy group is bound to the domain, the ME60 matches the user packets with the restriction DPI policy directly.
----End

9.4.6 (Optional) Configuring the Restriction Policy


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi restricted-policy

The restriction policy view is displayed.

Step 3 Run:
service-type service-type

The service type is configured.

Step 4 Configure the behavior for the service as follows:
- To configure the ME60 to control the CAR parameters, run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { upstream | downstream }.
- To configure the ME60 to forward all the packets of the specified service at a rate lower than the CIR, run permit.
- To configure the ME60 to discard all packets of the specified service, run deny.

You can configure one or more of the preceding behaviors. The permit and deny behaviors cannot be configured simultaneously. By default, the behavior in the DPI policy is permit.

The restriction policy is applied to a BAS interface. The ME60 controls the traffic of each user on the DPI-enabled BAS interface according to the restriction policy. By default, no restriction policy is configured.
----End
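The resolution order stated in 9.4.1 and at the end of 9.4.5 (the policy delivered by the policy server first, then the common DPI policy group bound to the user's domain, then the restriction policy of the DPI-enabled BAS interface, each consulted only if it lists the packet's service type), as an added example that is not Huawei code. The class and field names are this example's own, and the scenario is constructed after the 9.5.1 example (domain isp1 with policy dpi2); it also covers the 9.4.5 caution that dpi-enable without a restriction policy performs no DPI.

```python
"""Resolution order for user-side DPI as described in this guide (added example, not
Huawei code): the policy delivered by the policy server is consulted first, then the
common DPI policy group bound to the user's domain, then the restriction policy of the
DPI-enabled BAS interface. A policy applies only if it lists the packet's service type,
and a BAS interface with dpi-enable but no restriction policy performs no DPI."""
from dataclasses import dataclass, field


@dataclass
class DpiPolicy:
    """One 'dpi policy' (or the restriction policy): service type -> behavior dict.

    A behavior looks like {"car": (10240, "downstream")} or {"deny": True}; an empty
    dict means the guide's default behavior for a listed service, permit."""
    name: str
    services: dict = field(default_factory=dict)

    def behavior_for(self, service):
        if service not in self.services:
            return None                      # service type not listed: no match
        return self.services[service] or {"permit": True}


@dataclass
class Domain:
    name: str
    policy_group: list = field(default_factory=list)  # policies bound with dpi-policy


@dataclass
class BasInterface:
    name: str
    dpi_enabled: bool = False               # dpi-enable in the BAS interface view
    restricted_policy: DpiPolicy = None     # configured with dpi restricted-policy


@dataclass
class User:
    domain: Domain
    bas: BasInterface
    delivered_policy: DpiPolicy = None      # pushed by the policy server after login


def resolve_dpi(user, service):
    """Return (source, policy name, behavior) for one packet's service type, or
    (None, None, None) when no DPI policy applies and the packet is simply forwarded."""
    # 1. A policy delivered by the policy server has the highest priority.
    if user.delivered_policy is not None:
        b = user.delivered_policy.behavior_for(service)
        if b:
            return "policy-server", user.delivered_policy.name, b
    # 2. The common DPI policy group bound to the domain (dpi-policy-group).
    for policy in user.domain.policy_group:
        b = policy.behavior_for(service)
        if b:
            return "domain", policy.name, b
    # 3. The restriction policy, only on a BAS interface where dpi-enable is set
    #    and a restriction policy exists (otherwise DPI does not take effect).
    if user.bas.dpi_enabled and user.bas.restricted_policy is not None:
        b = user.bas.restricted_policy.behavior_for(service)
        if b:
            return "bas-interface", user.bas.restricted_policy.name, b
    return None, None, None


def demo_scenarios():
    """Constructed scenario modelled on the guide's 9.5.1 example (domain isp1, dpi2)."""
    dpi2 = DpiPolicy("dpi2", {"p2p": {"car": (10240, "downstream")}})
    restricted = DpiPolicy("restricted-policy",
                           {"p2p": {"car": (5120, "upstream")}, "voip": {}})
    isp1 = Domain("isp1", [dpi2])
    isp2 = Domain("isp2")                    # no dpi-policy-group bound
    ge2 = BasInterface("GigabitEthernet2/0/0", True, restricted)
    ge4 = BasInterface("GigabitEthernet4/0/0", True)   # dpi-enable, no restriction policy
    pushed = DpiPolicy("server-pushed", {"p2p": {"deny": True}})
    return {
        "domain policy before restriction": resolve_dpi(User(isp1, ge2), "p2p"),
        "unlisted service falls through": resolve_dpi(User(isp1, ge2), "voip"),
        "no group bound, restriction applies": resolve_dpi(User(isp2, ge2), "p2p"),
        "delivered policy wins": resolve_dpi(User(isp1, ge2, pushed), "p2p"),
        "dpi-enable without restriction": resolve_dpi(User(isp2, ge4), "p2p"),
    }


if __name__ == "__main__":
    for case, result in demo_scenarios().items():
        print(f"{case}: {result}")
```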

9.4.7 Checking the Configuration


Run the following commands in any view to check the previous configuration.

Action                                                   Command
Check information about the DPI policy.                  display dpi policy [ dpi-policy-name ]
Check information about the restriction DPI policy.      display dpi restricted-policy
Check information about the common DPI policy group.     display dpi policy-group [ policy-group-name ]

9.5 Configuration Examples


This section provides a configuration example of DPI.

9.5.1 Example for Configuring the DPI Function

9.5.1 Example for Configuring the DPI Function


Networking Requirement
As shown in Figure 9-3, the ME60 functions as the broadband access device. The GE1/0/0 interface is connected to the Internet. The GE2/0/0 interface provides the broadband access service for users. The user in the figure represents the access network. The ME60 is connected to the PTS through GE3/0/0. The PTS performs DPI for service packets. When the P2P traffic on GE1/0/0 exceeds 100 Mbit/s, the ME60 limits the traffic. When the P2P traffic of a user in domain isp1 on GE2/0/0 exceeds 10 Mbit/s, the ME60 limits the traffic.

Figure 9-3 Networking for DPI configuration (ME60 with GE1/0/0 to the Internet, GE2/0/0 to the users, and GE3/0/0 to the PTS)

Configuration Roadmap
The configuration roadmap is as follows:
- Configure the basic DPI information.
- Configure the PTS.
- Configure the network-side DPI.
- Configure the user-side DPI.

Data Preparation
To complete the configuration, you need the following data:
- Slot number and MAC address of the DPI board
- IP address of the PTS, port number used to monitor the keepalive packets, interface connected to the ME60, interval of keepalive packets, and number of keepalive timeout events on the PTS

Configuration Procedure
NOTE

This configuration example describes only the commands used to configure DPI.

1. Configure the basic DPI information.

# (Optional) Configure the VSU to function as the DPI board.
<Quidway> system-view
[Quidway] set lpu-work-mode dpi slot 3
[Quidway] quit
<Quidway> reset slot 3

# Configure the MAC address of the DPI board.
<Quidway> system-view
[Quidway] dpi dsu-mac
[Quidway-dpi-dsu-mac] dsu-slot 3 mac 00e0-abcd-abcd
[Quidway-dpi-dsu-mac] quit

# Configure information about the PTS on the DPI board.
[Quidway] dpi pts
[Quidway-dpi-pts] pts-id 1234 ip-address 100.1.1.1 4000 subscriber-side gigabitethernet 3/0/0
[Quidway-dpi-pts] keep-alive 5 3

2. Configure the PTS.

After the PTS is connected to the ME60, you can log in to the configuration window from a personal computer to set the following parameters.

Parameter          Value
system_id          1234
Servername         100.1.1.1
peer_etherAddress  00e0-abcd-abcd
port_etherAddress  MAC address of the PTS interface connected to the ME60
port_ipAddress     IP address of the PTS interface connected to the ME60
port_udpPort       4000

NOTE

The preceding parameters may vary on different PTSs. Set the parameters according to the actual situation.

You need to set other parameters of the PTS, such as the user name and password of the login user, and the service type. For the configuration procedure, refer to the documents about the LIG. The ME60 works with PTSs of other vendors to provide the DPI function for various services. Huawei does not provide the PTS.

3. Configure the network-side DPI.

# Configure a DPI policy. Specify that the ME60 limits the P2P traffic when the P2P traffic volume on GE1/0/0 exceeds 100 Mbit/s.
[Quidway] dpi policy dpi1
[Quidway-dpi-policy-dpi1] service-type p2p
[Quidway-dpi-policy-dpi1] car cir 102400 upstream
[Quidway-dpi-policy-dpi1] quit

# Configure the global DPI policy group.


[Quidway] dpi global-policy
[Quidway-dpi-global-policy] dpi-policy dpi1
[Quidway-dpi-global-policy] active
[Quidway-dpi-global-policy] quit

# Configure an ACL.
[Quidway] acl 3000
[Quidway-acl-adv-3000] rule permit ip
[Quidway-acl-adv-3000] quit

# Configure the traffic classifier and define the ACL-based traffic classification rules.
[Quidway] traffic classifier a
[Quidway-classifier-a] if-match acl 3000
[Quidway-classifier-a] quit

# Configure the behavior to DPI.


[Quidway] traffic behavior e
[Quidway-behavior-e] car cir 112640
[Quidway-behavior-e] dpi
[Quidway-behavior-e] quit

# Define a traffic policy and associate the traffic classifier with the behavior.
[Quidway] traffic policy 1
[Quidway-trafficpolicy-1] classifier a behavior e
[Quidway-trafficpolicy-1] quit

# Apply the traffic policy to GE1/0/0.


[Quidway] interface gigabitethernet 1/0/0
[Quidway-gigabitethernet1/0/0] traffic-policy 1 inbound
[Quidway-gigabitethernet1/0/0] undo shutdown
[Quidway-gigabitethernet1/0/0] quit

4. Configure the user-side DPI.

# Enable value-added services.


[Quidway] value-added-service enable

# Configure a DPI policy. Specify that the ME60 limits the P2P traffic when the P2P traffic volume of a user exceeds 10 Mbit/s.
[Quidway] dpi policy dpi2
[Quidway-dpi-policy-dpi2] service-type p2p
[Quidway-dpi-policy-dpi2] car cir 10240 downstream
[Quidway-dpi-policy-dpi2] quit

# Configure a common DPI policy group.


[Quidway] dpi policy-group dpi_user
[Quidway-dpi-policy-group-text] dpi-policy dpi2
[Quidway-dpi-policy-group-text] quit

# Users go online from domain isp1. Bind the DPI policy to domain isp1 to control the P2P traffic of the users in this domain.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] dpi-policy-group dpi_user

# Configure the authentication method on the interface to binding authentication.


[Quidway] interface gigabitethernet2/0/0
[Quidway-gigabitethernet2/0/0] undo shutdown
[Quidway-gigabitethernet2/0/0] bas
[Quidway-gigabitethernet2/0/0-bas] access-type layer2-subscriber
[Quidway-gigabitethernet2/0/0-bas] authentication-method bind

Configuration Files
#
 sysname Quidway
#
 value-added-service enable
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
acl number 3000
 rule 5 permit ip
#
traffic classifier a operator or
 if-match acl 3000
#
traffic behavior e
 dpi
 car cir 112640 cbs 14080000 pbs 35256320 green pass yellow pass red discard
#
traffic policy 1
 classifier a behavior e
#
interface Virtual-Template1
#
interface gigabitethernet1/0/0
 undo shutdown
 traffic-policy 1 inbound
#
interface gigabitethernet2/0/0
 undo shutdown
 pppoe-server bind Virtual-Template 1
 bas
  access-type layer2-subscriber
  authentication-method bind
#
ip pool pool1 local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
dpi policy dpi1
 service-type p2p
 car cir 102400 upstream
#
dpi policy dpi2
 service-type p2p
 car cir 10240 downstream
#
dpi policy-group dpi_user
 dpi-policy dpi2
#
dpi pts
 keep-alive 5 3
 pts-id 1234 ip-address 100.1.1.1 4000 subscriber-side gigabitethernet 3/0/0
#
dpi global-policy
 dpi-policy dpi1
#
dpi dsu-mac
 dsu-slot 1 mac 00e0-abcd-abcd
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
  dpi-policy-group dpi_user
#
return

10 Lawful Interception Configuration

About This Chapter


This chapter describes the concept, process, and configuration of lawful interception.

10.1 Introduction
This section describes the concept and principle of lawful interception and the lawful interception function supported by the ME60.

10.2 Configuring Lawful Interception
This section describes how to configure lawful interception.

10.3 Configuration Examples
This section provides a configuration example of lawful interception.


10.1 Introduction
This section describes the concept and principle of lawful interception and the lawful interception function supported by the ME60.

10.1.1 Concept of Lawful Interception
10.1.2 Principle of Lawful Interception
10.1.3 Role of the ME60 in Lawful Interception

10.1.1 Concept of Lawful Interception


Lawful interception is a law enforcement behavior carried out to monitor the communication services on the public communications network according to the related law and the norm for the public communications network. Lawful interception must be authorized by the authorization department of the law enforcement agency. Lawful interception requires the support of communication service providers (telecom carriers) and the permission granted by the law enforcement agency. Therefore, lawful interception is implemented jointly by the service providers and the law enforcement agency.

10.1.2 Principle of Lawful Interception


Intercepted Information
In lawful interception, the following information is intercepted:
- CC: the content of the communication, for example, email and VoIP packets
- IRI: the information related to the communication, including the address, time, and network location

The content of communication (CC) and intercept related information (IRI) can be provided by the network devices of the carrier. The IRI is generally provided by the AAA server. The CC is provided by the edge router, for example, the ME60.

Scenario for Lawful Interception


Figure 10-1 shows the scenario for lawful interception.
NOTE

In this scenario, the IRI is provided by the AAA server and the CC is provided by the ME60.

Figure 10-1 Scenario for lawful interception (interception center, interception management center, LIG management system, AAA server, LIG and ME60; the AAA server connects to the LIG through the X1 and X2 interfaces, the ME60 through the X1 and X3 interfaces, and the LIG side uses the L1, HI1, HI2 and HI3 interfaces towards the management systems)

Lawful interception involves the following roles:
- Interception center: the device through which the law enforcement agencies intercept the activities of online users. The interception center initiates the interception and receives the interception result. The functions of the interception center are as follows:
  - Defining the intercepted target
  - Initiating or terminating the interception
  - Receiving and recording the interception results
  - Analyzing the interception result
- Interception management center: the agent of the interception center. The interception management center receives interception requests from the interception center and interprets the requests into identifiers of the location and service in the network. Then it delivers the interception configuration to the devices of the carrier on the network.
- LIG: functions as the agent between the interception management center and the carrier device. The functions of the Lawful Interception Gateway (LIG) are as follows:
  - Receiving the interception request from the interception management center through the L1 and HI1 interfaces
  - Delivering the configuration of interception to network devices and obtaining intercepted contents through the X interfaces
  - Sending the intercepted contents to the interception management center through the HI2 and HI3 interfaces
- LIG management system: receives the interception requests from the interception management center and delivers them to LIGs. An LIG management system can manage multiple LIGs.
NOTE

The LIG management system delivers the configuration to the LIG through the L1 interface. The LIG is located on the network of the carrier, and the LIG management system is managed by the interception management center.

The carrier deploys the lawful interception function on the network devices on the carrier network. The devices that support lawful interception receive the configuration from the interception management center, and then send the intercepted traffic to the interception management center.

Interfaces for Lawful Interception


Lawful interception involves seven interfaces, as shown in Figure 10-1. Table 10-1 provides the description of these interfaces.

Table 10-1 Description of interfaces for lawful interception

Interface  Description
L1         Connects the LIG management system to the LIG. The L1 interface delivers the interception control command from the interception management center to the LIG.
           NOTE: If multiple LIGs are distributed on the carrier network, the interception control command can be delivered through multiple L1 interfaces so that the LIGs are controlled uniformly.
HI1        Connects the interception management center to the LIG management system. The interception management system delivers management commands to the LIG and receives responses through the HI1 interface.
HI2        Connects the interception management center to the LIG. The LIG sends the IRI to the interception management center through the HI2 interface.
HI3        Connects the interception management center to the LIG. The LIG sends the CC to the interception management center through the HI3 interface.
X1         Connects the LIG to the signaling interface of the network device of the carrier. Through the X1 interface, the LIG delivers the interception configuration, including the intercepted user and the interception task, to the network devices of the carrier.
X2         Connects the LIG to the data interface of the network device of the carrier. The network device of the carrier sends the IRI to the LIG through the X2 interface. This interface must guarantee the reliability and privacy of the data.
X3         Connects the LIG to the data interface of the network device of the carrier. The network device of the carrier sends the CC and heartbeat information to the LIG through the X3 interface.
           NOTE: The network device and the LIG send heartbeat messages to each other to check the connection between them. If the network device does not receive the heartbeat response message within a certain period, it deletes the information about all intercepted targets delivered by the LIG. After the heartbeat connection recovers, the LIG delivers the information about the interception targets again.

NOTE
The ME60 provides the X1 and X3 interfaces. The implementation on the two interfaces is as follows:
- The ME60 supports the X1 interface through the Simple Network Management Protocol version 3 (SNMPv3). To create the X1 interface, you must configure the SNMP information on the ME60.
- The ME60 provides the command lines for configuring the X3 interface to set up the connection with the LIG.

Process of Lawful Interception


Figure 10-2 shows the process of lawful interception.

Figure 10-2 Process of lawful interception
[Figure: interception management center, interception center, LIG, AAA/DHCP server, ME60, access server, Internet and user. Labelled steps: 1. Sends lawful interception authorization; 2. Delivers interception configuration; 3. Sets intercepted target; 4. Intercepts user login information; 5. Reports target user information and reports intercepted traffic; 6. Interception rules are set on the LIG; 7. The user accesses the Internet; 8. Copies user traffic and sends the traffic to the LIG]

The process of lawful interception is as follows:
1. The law enforcement agency sends the lawful interception authorization to the interception management center through the electrical interface of the interception center, or sends written authorization.
2. The interception management center finds the location of the target user according to the interception request, and then sends the location information to the LIG.
3. The LIG sends the required information to the AAA server according to the interception request. The interception device (such as the IP Probe or Sniffer) of the AAA server sets the interception object according to the received information.
4. The interception device of the AAA server intercepts the AAA traffic according to the interception object. When a target user goes online, the AAA server generates the IRI of the user and sends the IRI to the LIG.
5. The LIG processes the IRI, and then sends the IRI to the interception center.
6. The LIG sends the information about the interception object and the interception task to the ME60 to initiate an interception request.
7. The user connects to the Internet through the ME60. The ME60 sends the accounting information to the AAA server.
8. The ME60 duplicates the upstream traffic of the user, generates the CC, and then sends the CC to the LIG.
9. The LIG sends the CC to the interception center.

NOTE
When the user logs out, the interception device of the AAA server notifies the LIG. The LIG then requests the ME60 to delete the information about the interception object delivered by the LIG. The ME60 stops intercepting the traffic.

10.1.3 Role of the ME60 in Lawful Interception


The ME60 functions as the network device of the carrier during lawful interception. It sends the interception information to the LIG through the X3 interface and, at the same time, receives the information about the interception objects sent by the LIG through the X1 interface. The ME60 generates the interception rule according to the information about the interception object. The ME60 copies the data matching the interception rule, encapsulates the data in UDP packets as the CC, and then sends the CC to the LIG through the X3 interface. When the information about the target user changes, the ME60 updates the interception rule. When the LIG stops intercepting the user activities, the ME60 deletes the related interception rule.
NOTE

The interception rules generated by the ME60 are not recorded in the configuration file. When the ME60 is restarted, the LIG must send the information about the interception object to the ME60 again so that the interception rule can be generated again.

The ME60 intercepts user activities based on the IP address, but it does not differentiate services. During lawful interception, the performance of the ME60 may be affected if the intercepted traffic is too high. Therefore, do not set too many interception objects. The ME60 can intercept up to 4 kbit/s one-way traffic or 2 kbit/s two-way traffic.
NOTE

When the ME60 is configured to intercept one-way flows based on the IP address, it intercepts only the flows with specified source address and destination address. For two-way flows, if the source address of the intercepted flow is set on the LIG, the ME60 intercepts the flows from this address and the flows to this address.

An ME60 can be connected to up to 10 LIGs, but the LIGs cannot deliver the same interception object to the ME60. If multiple LIGs deliver the same interception target, the ME60 sends the interception information to the first matching LIG. The availability of the lawful interception function on the ME60 is controlled by the license. To use this function, you must buy the license for lawful interception and activate the license. For more information about the license, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
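The matching behaviour described in this section, as an added example that is not Huawei's code: one-way rules match only the given source and destination, two-way rules match flows from and to the target, the first matching LIG receives the CC, at most 10 LIGs are accepted, and the rules are volatile (dropped when interception is disabled or the device restarts). The class, field and method names are assumptions for illustration.

```python
"""Added example (not Huawei's code): in-memory model of the ME60
interception rule table described in 10.1.3."""
from dataclasses import dataclass
from typing import List, Optional, Set

MAX_LIGS = 10  # an ME60 can be connected to up to 10 LIGs


@dataclass(frozen=True)
class Rule:
    lig: str                    # identifier of the LIG that delivered the rule
    target: str                 # intercepted user IP address
    two_way: bool               # True: match flows from and to the target
    peer: Optional[str] = None  # destination address of a one-way rule

    def matches(self, src: str, dst: str) -> bool:
        if self.two_way:
            return src == self.target or dst == self.target
        # one-way: only the flow with the specified source and destination
        return src == self.target and dst == self.peer


class InterceptionTable:
    """Rules live only in memory; nothing is written to the configuration file."""

    def __init__(self) -> None:
        self.enabled = False
        self.rules: List[Rule] = []  # kept in delivery order

    def enable(self) -> None:
        self.enabled = True

    def disable(self) -> None:
        # 'undo lawful-interception enable' drops everything the LIGs delivered
        self.enabled = False
        self.rules.clear()

    def restart(self) -> None:
        # rules are not in the configuration file, so a restart loses them;
        # the LIGs must deliver the interception objects again
        self.rules.clear()

    def ligs(self) -> Set[str]:
        return {r.lig for r in self.rules}

    def deliver(self, rule: Rule) -> bool:
        """X1 delivery from a LIG; refused if it would exceed the LIG limit.
        A target delivered by several LIGs is kept in order: the first wins."""
        if rule.lig not in self.ligs() and len(self.ligs()) >= MAX_LIGS:
            return False
        if rule not in self.rules:
            self.rules.append(rule)
        return True

    def withdraw(self, lig: str, target: str) -> None:
        """The LIG stops intercepting the user: delete the related rules."""
        self.rules = [r for r in self.rules
                      if not (r.lig == lig and r.target == target)]

    def select_lig(self, src: str, dst: str) -> Optional[str]:
        """LIG that receives the CC for this flow, or None if nothing matches."""
        if not self.enabled:
            return None
        for rule in self.rules:
            if rule.matches(src, dst):
                return rule.lig
        return None
```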

10.2 Configuring Lawful Interception


This section describes how to configure lawful interception.
10.2.1 Establishing the Configuration Task
10.2.2 Configuring the IP Address of the X3 Interface
10.2.3 Configuring the Type and Port Number of the X3 Interface
10.2.4 Enabling Lawful Interception
10.2.5 Checking the Configuration

10.2.1 Establishing the Configuration Task


Applicable Environment
On the IP network, lawful interception must be configured to guarantee network security and monitor activities of online users.

Pre-configuration Task
Before configuring lawful interception, complete the following tasks:
l Connecting the ME60 to the LIG through the X1 interface
l Buying and activating the license for lawful interception
NOTE

The configuration of the X1 interface is delivered to the ME60 through SNMPv3, so you must configure the SNMP agent on the ME60. For the configuration of the SNMP agent, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Data Preparation
To configure lawful interception, you need the following data.
1. Port number used on the X3 interface
2. IP address of the X3 interface

10.2.2 Configuring the IP Address of the X3 Interface


Context
Do as follows on the router where lawful interception is deployed.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { gigabitethernet | pos | loopback | eth-trunk | ip-trunk } interface-number

The interface view is displayed.


NOTE

Since a loopback interface is always Up, it is recommended that you use a loopback interface to improve the reliability of the configuration.

Step 3 Run:
ip address ip-address { mask | mask-length }

The IP address of the X3 interface is configured. ----End

10.2.3 Configuring the Type and Port Number of the X3 Interface


Context
Do as follows on the router where lawful interception is deployed.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
lawful-interception x3-interface interface-type interface-number port port-number

The type of the X3 interface for lawful interception and the port number used on the X3 interface are configured.
NOTE

l An ME60 can be connected to a maximum of 10 LIGs. All the LIGs are connected to the same X3 interface, identified by the IP address of the X3 interface.
l Use a non-well-known port number larger than 2000 for the X3 interface so that the port does not conflict with the ports of other programs.

Before configuring the type and port number of the X3 interface, you must configure the IP address of the X3 interface. By default, no X3 interface is configured on the ME60. ----End

10.2.4 Enabling Lawful Interception


Context
Do as follows on the router where lawful interception is deployed.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
lawful-interception enable

Lawful interception is enabled. When enabling lawful interception, note the following:
l Before enabling lawful interception, you must configure the X3 interface for lawful interception.
l After lawful interception is enabled, the IP address of the X3 interface cannot be deleted or changed. To change the IP address of the X3 interface, run the undo lawful-interception enable command to disable lawful interception first.
l After you run the undo lawful-interception enable command, the ME60 deletes the information delivered by the LIG, including:
  IP address of the LIG
  Information about the intercepted user
By default, lawful interception is disabled.
----End
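The three procedures above (X3 address, X3 type and port, enable) have an ordering and several constraints that are easy to get wrong when the commands are generated by a provisioning tool. This added example, not Huawei's code, assembles the commands in the required order and rejects a well-known or too-low port before anything is pushed to the device; the class, function names and the loopback warning text are assumptions, while the command syntax is the one shown in the procedures.

```python
"""Added example (not Huawei's code): lint and render the ME60 lawful
interception commands from 10.2.2 to 10.2.4 in the required order."""
import ipaddress
from dataclasses import dataclass
from typing import List

X3_INTERFACE_TYPES = {"gigabitethernet", "pos", "loopback", "eth-trunk", "ip-trunk"}
WELL_KNOWN_PORT_MAX = 1023   # IANA well-known port range is 0-1023
MIN_X3_PORT = 2001           # guide: use a port number larger than 2000


@dataclass(frozen=True)
class X3Config:
    if_type: str      # one of X3_INTERFACE_TYPES
    if_number: str    # e.g. "0" for loopback0
    ip_address: str
    mask_length: int
    port: int

    @property
    def if_name(self) -> str:
        return f"{self.if_type}{self.if_number}"


def check_x3(cfg: X3Config) -> List[str]:
    """Problems that make the configuration unacceptable (empty = OK)."""
    problems = []
    if cfg.if_type not in X3_INTERFACE_TYPES:
        problems.append(f"unsupported X3 interface type {cfg.if_type}")
    try:
        ipaddress.IPv4Address(cfg.ip_address)
    except ValueError:
        problems.append(f"invalid X3 IP address {cfg.ip_address}")
    if not 0 <= cfg.mask_length <= 32:
        problems.append(f"invalid mask length {cfg.mask_length}")
    if not 1 <= cfg.port <= 65535:
        problems.append(f"port {cfg.port} out of range")
    elif cfg.port <= WELL_KNOWN_PORT_MAX:
        problems.append(f"port {cfg.port} is a well-known port")
    elif cfg.port < MIN_X3_PORT:
        problems.append(f"port {cfg.port} is not larger than 2000")
    return problems


def warnings(cfg: X3Config) -> List[str]:
    """Advice that does not block the configuration."""
    if cfg.if_type != "loopback":
        return ["X3 interface is not a loopback; a loopback interface is always Up"]
    return []


def render(cfg: X3Config, enable: bool = True) -> List[str]:
    """Command lines in the required order: address, then X3 type/port, then enable."""
    problems = check_x3(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "system-view",
        f"interface {cfg.if_name}",
        f"ip address {cfg.ip_address} {cfg.mask_length}",
        "quit",
        f"lawful-interception x3-interface {cfg.if_name} port {cfg.port}",
    ]
    if enable:
        lines.append("lawful-interception enable")
    return lines


def change_x3_address(cfg: X3Config, new_ip: str) -> List[str]:
    """The X3 address cannot change while interception is enabled, so disable
    first. The undo also deletes every LIG-delivered interception object, which
    the LIGs must deliver again after the re-enable."""
    new_cfg = X3Config(cfg.if_type, cfg.if_number, new_ip, cfg.mask_length, cfg.port)
    problems = check_x3(new_cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "system-view",
        "undo lawful-interception enable",
        f"interface {cfg.if_name}",
        f"ip address {new_ip} {cfg.mask_length}",
        "quit",
        "lawful-interception enable",
    ]
```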

10.2.5 Checking the Configuration


Run the following command in the system view to check the previous configuration.
Action: Check the configuration of lawful interception.
Command: display lawful-interception

The display information of the preceding command is as follows:


[Quidway] display lawful-interception
Lawful Interception:
Lawful Interception function is : Enabled
Lawful Interception X3 interface is GigabitEthernet9/0/4
Lawful Interception X3 port is 3000


10.3 Configuration Examples


This section provides a configuration example of lawful interception.
10.3.1 Example for Configuring Lawful Interception

10.3.1 Example for Configuring Lawful Interception


NOTE

Only the configuration of lawful interception is provided in this example.

Networking Requirements
As shown in Figure 10-3, the ME60 functions as the network device of the carrier. Loopback0 is the X3 interface connected to the LIG. Based on this network, the ME60 performs lawful interception through the X3 interface. The PPPoE user connects to the ME60 through GE8/0/1. RADIUS authentication and RADIUS accounting are adopted for the user. The RADIUS server provides the IRI for the LIG. The LIG delivers the information required for lawful interception to the ME60 through the SNMP protocol. The ME60 sends the interception information to the LIG through the X3 interface.

Figure 10-3 Networking of lawful interception
[Figure: LIG 100.100.1.100/24; ME60 with Loopback0 100.100.100.1/24 and GE8/0/1; user connected through a LAN switch; RADIUS server; Internet]

NOTE

In this example, the RADIUS server performs authentication and accounting for the user. You also need to install interception software, such as IP Probe or Sniffer, to enable the RADIUS server to provide the IRI for the LIG.

Configuration Roadmap
The configuration roadmap is as follows:
l Configure the SNMP agent and the LIG to ensure normal communication between the ME60 and the LIG.
l Configure the IP address of the X3 interface.
l Configure the address and port number of the X3 interface.
l Enable lawful interception.
l Configure user access.

Data Preparation
To complete the configuration, you need the following data:
l User name and password of the SNMP user and the authentication protocol
l IP address and port number of the X3 interface

Configuration Procedure
1. Configure the SNMP agent.
NOTE

In this example, only the basic configuration of SNMP is described. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
<Quidway> system-view
[Quidway] snmp-agent
[Quidway] snmp-agent sys-info version all
[Quidway] snmp-agent community read public
[Quidway] snmp-agent community write private
[Quidway] snmp-agent group v3 huawei authentication read-view snmpv3 write-view snmpv3
[Quidway] snmp-agent mib-view included snmpv3 iso
[Quidway] snmp-agent usm-user v3 usera huawei authentication-mode md5 123456789
NOTE

After configuring the SNMP agent, you must configure the LIG so that the ME60 can communicate with the LIG. You need to configure the SNMP information, addresses of the X2 and X3 interfaces, port numbers used on the X2 and X3 interfaces, and information about the intercepted flows. For the configuration procedure, refer to documents about the LIG. The ME60 works with the LIGs of other vendors to implement lawful interception. Huawei does not provide the LIG.

2. Configure the IP addresses of the interfaces.
[Quidway] interface loopback0
[Quidway-LoopBack0] ip address 100.100.100.1 24
[Quidway-LoopBack0] quit

3. Configure the address and port number of the X3 interface.
[Quidway] lawful-interception x3-interface loopback0 port 3000

4. Enable lawful interception.
[Quidway] lawful-interception enable

5. Configure access of the PPPoE user. For the configuration procedure, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.

Configuration Files
#
 sysname Quidway
#
 lawful-interception x3-interface loopback0 port 3000
 lawful-interception enable
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
interface Virtual-Template1
#
interface GigabitEthernet8/0/1
 pppoe-server bind Virtual-Template 1
 bas
  access-type layer2-subscriber
#
interface LoopBack0
 ip address 100.100.100.1 255.255.255.0
#
ip pool pool1 local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
#
 snmp-agent
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
 snmp-agent group v3 huawei authentication read-view snmpv3 write-view snmpv3
 snmp-agent mib-view included snmpv3 iso
 snmp-agent usm-user v3 usera huawei authentication-mode md5 F;MZ0<T2Z.R:_-XWOW W!L1!!
#
return

11 User Log Configuration

About This Chapter

This chapter describes the concept and configuration of user logs.
11.1 Introduction
This section describes the concept and classification of user logs.
11.2 Configuring the User Log
This section describes how to configure the user log.
11.3 Debugging the User Log
This section provides the command for enabling debugging of the user log.
11.4 Configuration Examples
This section provides a configuration example of the user log.


11.1 Introduction
This section describes the concept and classification of user logs. Most countries have specific requirements for information security. An ISP must have the capability of recording activities of users, such as login, logout, and access to network resources. The ME60 provides user logs to record information about user login and logout so that carriers and security agents can manage and monitor users. The user log on the ME60 contains the user name, operation type (login and logout), login and logout time, VLAN/PVC, access interface, IP address, and MAC address of the user.

11.2 Configuring the User Log


This section describes how to configure the user log.
11.2.1 Establishing the Configuration Task
11.2.2 Configuring the User Log Host
11.2.3 Configuring the Version of User Log Packets
11.2.4 Enabling the User Log Function
11.2.5 Applying the User Log
11.2.6 Checking the Configuration

11.2.1 Establishing the Configuration Task


Applicable Environment
When you need to record the information about user login and logout, you need to configure the user log.

Pre-configuration Task
None.

Data Preparation
To configure the user log, you need the following data.
1. IP address and port number of the log host
2. Version of the user log packet

11.2.2 Configuring the User Log Host



Context
NOTE

The user log host receives the user log packets sent by the ME60 and analyzes the packets. Before enabling the user log function, you must configure the user log host.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip userlog [ access ] export host ip-address udp-port

The user log host is configured. ----End

11.2.3 Configuring the Version of User Log Packets


Context
NOTE

The version configured on the ME60 must be the same as the version configured on the user log host. By default, the version of user log packets is not configured in the system. Therefore, before enabling the user log function, you must configure the version of user log packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip userlog [ access ] export version version

The version of the user log packets is configured. The format of the user log packets has two versions: version 1 and version 2. The two versions differ in the format of the VLAN/PVC field in the packets, as shown in Table 11-1.

Table 11-1 Difference between the two versions of the user log packets
Version | VLAN                                                                                                      | PVC
1       | A common VLAN number of two bytes                                                                         | A PVC number of two bytes
2       | A stack VLAN number of two bytes (0 bytes if there is no stack VLAN number) and a common VLAN number of two bytes | A VPI number of two bytes and a VCI number of two bytes

----End
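The two field layouts in Table 11-1, as an added example that is not Huawei's code: an encoder and a decoder for the VLAN/PVC field in both versions. Only this field is modelled, since the rest of the packet layout is not given on this page; network (big-endian) byte order and the caller knowing whether the user's access is VLAN or PVC based are assumptions. The decoder raises on a length that does not fit the configured version, which is what a log host sees when its version differs from the one configured on the ME60.

```python
"""Added example (not Huawei's code): VLAN/PVC field of user log packets,
versions 1 and 2 as described in Table 11-1."""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VlanField:
    vlan: int                         # common VLAN number
    stack_vlan: Optional[int] = None  # version 2 only; None when absent


@dataclass(frozen=True)
class PvcField:
    pvc: Optional[int] = None   # version 1: one 2-byte PVC number
    vpi: Optional[int] = None   # version 2: VPI and VCI, 2 bytes each
    vci: Optional[int] = None


def encode_vlan(version: int, field: VlanField) -> bytes:
    if version == 1:
        return struct.pack("!H", field.vlan)
    if version == 2:
        if field.stack_vlan is None:          # 0 bytes of stack VLAN + common VLAN
            return struct.pack("!H", field.vlan)
        return struct.pack("!HH", field.stack_vlan, field.vlan)
    raise ValueError(f"unknown user log version {version}")


def decode_vlan(version: int, data: bytes) -> VlanField:
    """Raises ValueError when the bytes do not fit the configured version."""
    if version == 1:
        if len(data) != 2:
            raise ValueError("version 1 VLAN field must be 2 bytes")
        return VlanField(struct.unpack("!H", data)[0])
    if version == 2:
        if len(data) == 2:                    # no stack VLAN present
            return VlanField(struct.unpack("!H", data)[0])
        if len(data) == 4:
            stack, common = struct.unpack("!HH", data)
            return VlanField(common, stack)
        raise ValueError("version 2 VLAN field must be 2 or 4 bytes")
    raise ValueError(f"unknown user log version {version}")


def encode_pvc(version: int, field: PvcField) -> bytes:
    if version == 1:
        if field.pvc is None:
            raise ValueError("version 1 needs a PVC number")
        return struct.pack("!H", field.pvc)
    if version == 2:
        if field.vpi is None or field.vci is None:
            raise ValueError("version 2 needs VPI and VCI")
        return struct.pack("!HH", field.vpi, field.vci)
    raise ValueError(f"unknown user log version {version}")


def decode_pvc(version: int, data: bytes) -> PvcField:
    if version == 1:
        if len(data) != 2:
            raise ValueError("version 1 PVC field must be 2 bytes")
        return PvcField(pvc=struct.unpack("!H", data)[0])
    if version == 2:
        if len(data) != 4:
            raise ValueError("version 2 PVC field must be 4 bytes")
        vpi, vci = struct.unpack("!HH", data)
        return PvcField(vpi=vpi, vci=vci)
    raise ValueError(f"unknown user log version {version}")
```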

11.2.4 Enabling the User Log Function


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip userlog

The user log function is enabled. ----End

11.2.5 Applying the User Log


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
traffic behavior behavior-name

A behavior is created and the behavior view is displayed.

Step 3 Run:
userlog

The user log behavior is defined. After the version of user log packets and the log host are configured and the log function is enabled, the system records the information about the login and logout activities of each user in the log. For the configuration of the traffic classifier, traffic behavior, and traffic policy, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
----End

11.2.6 Checking the Configuration


Run the following commands in any view to check the previous configuration.
Action: Check the configuration of the user log.
Command: display ip userlog [ access ] config
Action: Display the statistics of the user log.
Command: display ip userlog [ access ] statistic

11.3 Debugging the User Log


This section provides the command for enabling debugging of the user log.

CAUTION
Debugging affects the system performance. So, after debugging, run the undo debugging all command to disable it immediately.

When a fault occurs in the user log function, run the following debugging command in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
Action: Enable the debugging of the user log.
Command: debugging ip userlog { access | all | error | packet }

11.4 Configuration Examples


This section provides a configuration example of the user log.
11.4.1 Example for Configuring the User Log

11.4.1 Example for Configuring the User Log


Networking Requirements
As shown in Figure 11-1, users on the local network connect to the Internet through GE1/0/0.1 of the ME60. The information about login and logout of users on the local network 1.1.1.0/24 needs to be recorded. The IP address of the log host is 10.10.10.1; the port number is 1200; the version number of user log packets is 1.

Figure 11-1 Networking for configuring the user log
[Figure: user log host 10.10.10.1; local network 1.1.1.0 connected to GE1/0/0.1 of the ME60]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure user access.
2. Configure the user log.
3. Define an ACL.
4. Configure the traffic classifier that is based on the ACL rules.
5. Configure the traffic behavior of recording the user log.
6. Configure a traffic policy and associate the traffic behavior with the traffic classifier.
7. Apply the traffic policy to the interface.

Data Preparation
None.

Configuration Procedure
# Configure the user log function.
<Quidway> system-view
[Quidway] ip userlog access export version 1
[Quidway] ip userlog access export host 10.10.10.1 1200
[Quidway] ip userlog

# Create a user group.


[Quidway] user-group access

# Configure user access. The configuration procedure is not mentioned here. For the configuration procedure and configuration file, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.
NOTE

When configuring user access, run the user-group group-name command to set the user group name to access.

# Define an ACL rule to identify the Internet access service with the source IP address.
[Quidway] acl number 6000
[Quidway-acl-ucl-6000] rule permit ip source user-group access
[Quidway-acl-ucl-6000] quit

# Configure the traffic classifier that is based on the ACL rule.


[Quidway] traffic classifier class1
[Quidway-classifier-class1] if-match acl 6000
[Quidway-classifier-class1] quit

# Configure the traffic behavior of recording the user log.


[Quidway] traffic behavior behav1
[Quidway-behavior-behav1] userlog
[Quidway-behavior-behav1] quit

# Configure the policy, in which the traffic classifier is associated with the behavior.
[Quidway] traffic policy policy1
[Quidway-trafficpolicy-policy1] classifier class1 behavior behav1
[Quidway-trafficpolicy-policy1] quit

# Apply the traffic policy to the interface.


[Quidway] interface gigabitethernet 1/0/0.1
[Quidway-GigabitEthernet1/0/0.1] traffic-policy policy1 inbound

Configuration Files
#
 sysname Quidway
#
user-group access
#
acl number 6000
 rule 5 permit ip source user-group access
#
traffic classifier class1 operator or
 if-match acl 6000
#
traffic behavior behav1
 userlog
#
traffic policy policy1
 classifier class1 behavior behav1
#
interface GigabitEthernet1/0/0.1
 traffic-policy policy1 inbound
#
 ip userlog access export version 1
 ip userlog access export host 10.10.10.1 1200
 ip userlog access
#
return

12 ARP Security Configuration

About This Chapter

This chapter describes how to configure ARP security.
12.1 Overview to ARP Security
This section describes the principles and concepts of the ARP security features.
12.2 Preventing Attacks on ARP Entries
This section describes how to prevent attacks on ARP entries.
12.3 Preventing Scanning Attacks
This section describes how to prevent scanning attacks.
12.4 Maintaining the ARP Security
This section describes how to display and remove statistics about ARP packets and debug ARP packets.
12.5 Configuration Examples
This section provides several configuration examples of the ARP security features.


12.1 Overview to ARP Security


This section describes the principles and concepts of the ARP security features.
12.1.1 Introduction to ARP Security
12.1.2 ARP Security Supported by the ME60

12.1.1 Introduction to ARP Security


The Address Resolution Protocol (ARP) security is a feature based on ARP. It filters out untrusted ARP packets and limits the speed of ARP packets to guarantee the security and robustness of network devices. ARP security avoids not only the attacks on the ARP protocol but also the ARP-based attacks, such as the network scanning attack.

Attacks on ARP Entries


In a network, ARP entries are easily attacked. Attackers generate abundant ARP Request and Response packets to attack network devices. The attacks fall into two kinds: ARP buffer overflow attacks and ARP Denial of Service (DoS) attacks.

l ARP buffer overflow attacks

Figure 12-1 ARP buffer overflow attacks
[Figure: ME60 (IP 192.168.0.10/24, MAC 0018-8200-000f) serving PC A (attacker, IP 192.168.0.1/24, MAC 0000-0000-00aa), PC B (IP 192.168.0.2/24, MAC 0000-0000-00ab) and PC C (IP 192.168.0.3/24, MAC 0000-0000-00ac); PC A floods the ME60 with bogus ARP packets for 192.168.0.10 whose MAC address is unknown]

As shown in Figure 12-1, the attacker PC A sends abundant bogus ARP Request packets and gratuitous ARP packets (only VLANIF interfaces learn gratuitous ARP packets), which results in ARP buffer overflow. Therefore, normal ARP entries cannot be cached and packet forwarding is interrupted.

l ARP DoS attacks


Figure 12-2 ARP DoS attacks
[Figure: ME60 (IP 192.168.0.10/24, MAC 0018-8200-000f) serving PC A (attacker), PC B and PC C (IP 192.168.0.1/24 to 192.168.0.3/24, MAC 0000-0000-00aa to 0000-0000-00ac); PC A floods the ME60 with ARP packets for 192.168.0.10 and 192.168.0.1 whose MAC addresses are unknown]

As shown in Figure 12-2, the attacker PC A sends abundant bogus ARP Request and Response packets, or other packets that trigger ARP processing on the router. The router is then busy with ARP processing for a long period and ignores other services. Normal packet forwarding is thus interrupted.

Scanning Attacks
The attacker scans hosts in the local network segment or hosts in other network segments with scanning tools. Before returning response packets, the router must search the ARP entries. If no MAC address corresponding to the destination IP address exists, the ARP module on the router sends ARP Miss packets to the upper layer and requires the upper layer to send ARP Request messages to obtain the MAC address of the destination. A great number of scanning packets generates abundant ARP Miss packets, and most resources of the router are wasted on processing them. This affects the processing of other services, and is therefore called a scanning attack.

12.1.2 ARP Security Supported by the ME60


The ME60 implements the following ARP security features to ensure the security and robustness of devices:
l Configuring strict ARP entry learning in the system view or the interface view
l Interface-based ARP entry restriction
l Speed limit for ARP packets
l Speed limit for ARP Miss packets
l Generating and logging alarms for potential attack behaviors

12.2 Preventing Attacks on ARP Entries


This section describes how to prevent attacks on ARP entries.
12.2.1 Establishing the Configuration Task
12.2.2 Configuring Global Strict ARP Entry Learning
12.2.3 Configuring Strict ARP Entry Learning on Interfaces
12.2.4 Configuring Speed Limit for ARP Packets
12.2.5 Configuring Interface-based ARP Entry Restriction
12.2.6 Enabling Alarm Functions for Potential Attack Behaviors
12.2.7 Checking the Configuration

12.2.1 Establishing the Configuration Task


Applicable Environment
In an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked. So, ARP security features need to be configured on the access layer or convergence layer to ensure network security.
NOTE

To configure ARP attack defense, you can configure the four features (strict ARP entry learning, speed limit for ARP packets, interface-based ARP entry restriction, and logging of potential attack behaviors) separately or in conjunction. It is recommended that you configure the four features in conjunction to guarantee network security more effectively.

Pre-configuration Task
None.

Data Preparation
To prevent attacks on ARP entries, you need the following data.
1. Limited speed of ARP packets

12.2.2 Configuring Global Strict ARP Entry Learning


Context
Do as follows on the router that needs to be configured with ARP security features:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp learning strict

Strict ARP learning is configured. By default, strict ARP learning is disabled. After the arp learning strict command is run, the ME60 learns only the reply packets for the ARP request packets sent by itself.
----End

12.2.3 Configuring Strict ARP Entry Learning on Interfaces


Context
Strict ARP entry learning adopts the following longest-match rules:
l If strict ARP entry learning is configured both on the interface and globally, the strict ARP entry learning setting on the interface is preferred.
l If strict ARP entry learning is not configured on the interface, the global strict ARP entry learning setting takes effect.

Do as follows on the ME60 whose ARP entries are to be prevented from being attacked:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The ME60 supports strict ARP entry learning on the following interfaces:
l Ethernet interfaces and their sub-interfaces
l Eth-Trunk interfaces and their sub-interfaces
l VLANIF interfaces

Step 3 Run:
arp learning strict { force-enable | force-disable | trust }

Strict ARP entry learning is configured on the interface.

NOTE
l If the keyword force-enable is selected, the interface learns only the reply packets for the ARP request packets sent by the ME60 itself.
l If the keyword force-disable is selected, the strict ARP entry learning function on the interface is disabled.
l If the keyword trust is selected, the interface has no strict ARP entry learning setting of its own and follows the global strict ARP entry learning setting.

----End

12.2.4 Configuring Speed Limit for ARP Packets


Context
Do as follows on the ME60 that needs to be configured with ARP security features:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp speed-limit destination-ip maximum maximum slot slot-id

The speed limit for ARP packets is configured.
----End

12.2.5 Configuring Interface-based ARP Entry Restriction


Context
Do as follows on the ME60 that needs to be configured with ARP security features:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The following interfaces are supported:
l Layer 3 Ethernet interfaces and sub-interfaces
l Layer 3 GE interfaces and sub-interfaces
l Layer 3 Eth-Trunk interfaces and sub-interfaces
l Layer 3 virtual Ethernet interfaces
l Ethernet sub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces that are configured as QinQ sub-interfaces
l Layer 2 Ethernet ports
l Layer 2 GE ports
l Layer 2 Eth-Trunk ports
l Layer 2 virtual Ethernet ports
l VLANIF interfaces
NOTE

If the interface is a Layer 2 port, the port must join a Virtual Local Area Network (VLAN).

Step 3 Run:
arp-limit [ vlan vlan-id [ to vlan-id2 ] ] maximum maximum

Interface-based ARP entry restriction is configured. vlan-id can be configured in the view of a Layer 2 interface or a QinQ sub-interface. If you configure vlan-id in the QinQ sub-interface view, vlan-id specifies the outer VLAN ID of the QinQ sub-interface.
----End

12.2.6 Enabling Alarm Functions for Potential Attack Behaviors


Context
Do as follows on the ME60 that needs to be configured with ARP attack defense:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp anti-attack log-trap-timer time

Generating and logging alarms for potential attack behaviors is configured.
----End

12.2.7 Checking the Configuration


Prerequisite
The configurations for preventing attacks on ARP entries are complete.

Procedure
l Run the display arp speed-limit destination-ip [ slot slot-id ] command to check the limited speed of ARP packets.

l Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to check the limited number of ARP entries on the interface.

----End

Example
Run the display arp speed-limit destination-ip [ slot slot-id ] command, and you can check the timestamp suppression rate configured for the ARP packets. For example:
<Quidway> display arp speed-limit destination-ip slot 3
Slot  SuppressType  SuppressValue
--------------------------------------------------
3     ARP           500

Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command, and you can check the limited number of ARP entries configured on the interface.
<Quidway> display arp-limit
interface             LimitNum  VlanID  LearnedNum(Mainboard)
---------------------------------------------------------------------------
Eth-Trunk0            100       124     0
Eth-Trunk0            100       125     0
GigabitEthernet2/0/1  16384     0       0
GigabitEthernet4/0/1  100       0       0
GigabitEthernet4/0/2  16384     124     0
---------------------------------------------------------------------------

12.3 Preventing Scanning Attacks


This section describes how to prevent scanning attacks.
12.3.1 Establishing the Configuration Task
12.3.2 Configuring Speed Limit for ARP Miss Packets
12.3.3 Enabling Alarm Functions for Potential Attack Behaviors
12.3.4 Checking the Configuration

12.3.1 Establishing the Configuration Task


Applicable Environment
In an Ethernet MAN, scanning attacks may occur. So, ARP security features need to be configured on the access layer or convergence layer to restrict ARP Miss packets and hence to ensure network security.

Pre-configuration Task
None

Data Preparation
To prevent scanning attacks, you need the following data:

No.  Data
1    Limited speed of ARP Miss packets

12.3.2 Configuring Speed Limit for ARP Miss Packets


Context
Do as follows on the ME60 that needs to be configured with scanning attack defense:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp-miss speed-limit source-ip maximum maximum slot slot-id

The speed of ARP Miss packets is limited.
----End

12.3.3 Enabling Alarm Functions for Potential Attack Behaviors


Context
Do as follows on the ME60 that needs to be configured with scanning attack defense:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp anti-attack log-trap-timer time

Generating and logging alarms for potential attack behaviors is configured.
----End

12.3.4 Checking the Configuration


Prerequisite
The configurations for preventing scanning attacks are complete.

Procedure
Step 1 Run the display arp-miss speed-limit source-ip [ slot slot-id ] command to check the limited speed of ARP Miss packets.
----End

Example
Run the display arp-miss speed-limit source-ip [ slot slot-id ] command, and you can check the timestamp suppression rate configured to the ARP Miss packets. For example:
<Quidway> display arp-miss speed-limit source-ip slot 3
Slot  Supp-type  Source-ip
--------------------------------------------------
3     ARP-miss   500
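The rules configured in 12.2.2 to 12.2.5 (strict learning with its interface/global precedence, interface-based entry limits, destination-IP speed limits) and in 12.3.2 (source-IP speed limits for ARP Miss messages) can be modelled to see which counter each dropped packet ends up in. The following is an added illustration written for this guide, not Huawei code: the interface names, slot numbers, IP and MAC addresses are constructed, and the simple per-second counter stands in for the ME60's suppression algorithm, which the guide does not describe.

```python
"""Model of the ARP security checks from sections 12.2 and 12.3 (added example, not
Huawei code). Each ARP packet or ARP Miss event passes the rules the guide configures,
and the counters reuse the names printed by 'display arp packet statistics'. The
per-second counter is a simplification: the page does not describe the ME60's algorithm."""
from collections import defaultdict
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2  # ARP opcodes


@dataclass
class Config:
    strict_global: bool = False                               # arp learning strict
    strict_iface: dict = field(default_factory=dict)          # iface -> force-enable | force-disable | trust
    arp_limit: dict = field(default_factory=dict)             # iface -> arp-limit maximum
    arp_speed_limit: dict = field(default_factory=dict)       # slot -> pps (arp speed-limit destination-ip)
    arp_miss_speed_limit: dict = field(default_factory=dict)  # slot -> pps (arp-miss speed-limit source-ip)


class ArpSecurity:
    def __init__(self, cfg):
        self.cfg = cfg
        self.table = defaultdict(dict)  # iface -> {ip: mac}, the learnt ARP entries
        self.pending = set()            # (iface, ip) of requests the device itself sent
        self.stats = defaultdict(int)
        self.rate = defaultdict(int)    # (kind, slot, ip, second) -> packets seen

    def strict_on(self, iface):
        # The interface setting wins; 'trust' (the default) falls back to the global one.
        mode = self.cfg.strict_iface.get(iface, "trust")
        if mode in ("force-enable", "force-disable"):
            return mode == "force-enable"
        return self.cfg.strict_global

    def send_request(self, iface, ip):
        self.pending.add((iface, ip))

    def _rate_exceeded(self, kind, slot, ip, ts, limits):
        key = (kind, slot, ip, int(ts))
        self.rate[key] += 1
        return slot in limits and self.rate[key] > limits[slot]

    def receive_arp(self, iface, slot, op, sender_ip, sender_mac, target_ip, ts):
        self.stats["ARP Pkt Received"] += 1
        if self._rate_exceeded("ARP", slot, target_ip, ts, self.cfg.arp_speed_limit):
            self.stats["ARP Pkt Discard For SpeedLimit"] += 1
            return False
        if self.strict_on(iface):  # learn only replies to the device's own requests
            if op != REPLY or (iface, sender_ip) not in self.pending:
                self.stats["ARP Pkt Discard For Other"] += 1
                return False
            self.pending.discard((iface, sender_ip))
        entries = self.table[iface]
        limit = self.cfg.arp_limit.get(iface)
        if sender_ip not in entries:
            if limit is not None and len(entries) >= limit:
                self.stats["ARP Pkt Discard For Limit"] += 1
                return False
            self.stats["ARP Learnned Count"] += 1  # spelt as the device prints it
        entries[sender_ip] = sender_mac
        return True

    def arp_miss(self, slot, source_ip, ts):
        # An ARP Miss is raised when a packet needs an unresolved next hop; scanners cause floods.
        self.stats["ARP-Miss Msg Received"] += 1
        if self._rate_exceeded("ARP-miss", slot, source_ip, ts, self.cfg.arp_miss_speed_limit):
            self.stats["ARP-Miss Msg Discard For SpeedLimit"] += 1
            return False
        return True


def demo():
    # Constructed traffic against the settings of example 12.5.2 (slot 1, GE1/0/0).
    iface, slot, gw = "GE1/0/0", 1, "100.1.1.254"
    sec = ArpSecurity(Config(strict_global=True, arp_limit={iface: 20},
                             arp_speed_limit={slot: 50}, arp_miss_speed_limit={slot: 50}))
    for i in range(30):  # 30 unsolicited requests: strict learning drops them all
        sec.receive_arp(iface, slot, REQUEST, f"100.1.1.{i + 1}", f"0000-0000-{i + 1:04x}", gw, 0.0)
    for i in range(25):  # the ME60 resolves 25 hosts; arp-limit 20 caps what is learnt
        ip = f"100.1.1.{100 + i}"
        sec.send_request(iface, ip)
        sec.receive_arp(iface, slot, REPLY, ip, f"0011-2233-{i:04x}", gw, 1.0)
    for _ in range(60):  # 60 packets to one destination in one second: 10 exceed 50 pps
        sec.receive_arp(iface, slot, REQUEST, "100.1.1.50", "00aa-bbcc-ddee", gw, 2.0)
    for _ in range(80):  # one scanning host: 80 ARP Miss messages in one second, 30 over the limit
        sec.arp_miss(slot, "100.1.1.77", 3.0)
    return sec
```

Running demo() and printing sec.stats gives the same counter names as the display output in 12.4.1, which makes it easy to compare the model against a live device.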

12.4 Maintaining the ARP Security


This section describes how to display and clear statistics about ARP packets and how to debug ARP packets.
12.4.1 Displaying Statistics About ARP Packets
12.4.2 Clearing Statistics About ARP Packets
12.4.3 Debugging ARP Packets

12.4.1 Displaying Statistics About ARP Packets


Procedure
Step 1 Run the display arp packet statistic [ slot slot-id ] command to check statistics about ARP packets.
----End

Example
Run the display arp packet statistics [ slot slot-id ] command, and you can check the statistics about ARP packets. For example:
<Quidway> display arp packet statistics
ARP Pkt Received:                     sum 23
ARP-Miss Msg Received:                sum 0
ARP Learnned Count:                   sum 8
ARP Pkt Discard For Limit:            sum 5
ARP Pkt Discard For SpeedLimit:       sum 0
ARP Pkt Discard For Other:            sum 10
ARP-Miss Msg Discard For SpeedLimit:  sum
ARP-Miss Msg Discard For Other:       sum 0
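When this output is polled from a management host, the useful signal is growth of the discard counters between polls, which is what the log-trap-timer alarms of 12.2.6 also react to. The parser below is an added example, not Huawei code; the embedded sample is the output shown above, including the line whose value is missing on the page, which the parser keeps as None rather than guessing.

```python
"""Parse the text of 'display arp packet statistics' (section 12.4.1) into counters and
flag growth of the discard counters between two polls. Added example, not Huawei code;
the sample below is the output printed on the page (the blank value is kept as None)."""
import re

# "<name>: sum <value>"; the value may be absent, as on one line of the page's output.
LINE = re.compile(r"^\s*(?P<name>[A-Za-z -]+?):\s+sum\s*(?P<value>\d+)?\s*$")

SAMPLE = """\
<Quidway> display arp packet statistics
ARP Pkt Received:                     sum 23
ARP-Miss Msg Received:                sum 0
ARP Learnned Count:                   sum 8
ARP Pkt Discard For Limit:            sum 5
ARP Pkt Discard For SpeedLimit:       sum 0
ARP Pkt Discard For Other:            sum 10
ARP-Miss Msg Discard For SpeedLimit:  sum
ARP-Miss Msg Discard For Other:       sum 0
"""


def parse_arp_statistics(text):
    """Return {counter name: int or None}; non-matching lines (the prompt) are skipped."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            value = m.group("value")
            counters[m.group("name")] = int(value) if value is not None else None
    return counters


def discard_deltas(previous, current):
    """Return {counter: increase} for every 'Discard' counter that grew since the last poll.

    A counter that went down is treated as cleared by 'reset arp packet statistic'
    (section 12.4.2) and is not reported; unknown or blank values are ignored.
    """
    deltas = {}
    for name, value in current.items():
        if "Discard" not in name or value is None:
            continue
        old = previous.get(name)
        if old is not None and value > old:
            deltas[name] = value - old
    return deltas
```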


12.4.2 Clearing Statistics About ARP Packets


Context

CAUTION
Statistics about ARP packets cannot be restored after you clear them. So, confirm the action before you use the command.

Procedure
l Run the reset arp packet statistic [ slot slot-id ] command in the user view to clear statistics about ARP packets.

----End

12.4.3 Debugging ARP Packets


Context

CAUTION
Debugging affects the performance of the system. So, after debugging, execute the undo debugging all command to disable it immediately. For the procedure of displaying the debugging information, refer to the chapter Maintenance and Debugging in the Quidway ME60 Multiservice Control Gateway Configuration Guide System Management. For explanations of the debugging commands, refer to the ME60 Multiservice Control Gateway Command Reference.

Procedure
l Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ] command in the user view to debug ARP packets.
l Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command in the user view to debug ARP packet processing.

----End

12.5 Configuration Examples


This section provides several configuration examples of ARP security features.
12.5.1 Example for Preventing Attacks on ARP Entries
12.5.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks

12.5.1 Example for Preventing Attacks on ARP Entries


Networking Requirements
As shown in Figure 12-3, a carrier accesses the core network through two ME60s. ARP security features need to be configured on the two ME60s to prevent the devices attached to the ME60s from attacking ARP entries.

Figure 12-3 Networking diagram of preventing attacks on ARP entries (ME60A and ME60B connected to the core network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure strict ARP entry learning.
2. Configure speed limit for ARP packets.
3. Configure interface-based ARP entry restriction.
4. Enable log and alarm functions for potential attack behaviors.

Data Preparations
To complete the configuration, you need the following data:

l Timestamp suppression rate of ARP packets and slot numbers
l Limited number of ARP entries
l Interval for sending alarms

Procedure
Step 1 Configure strict ARP entry learning.
<ME60A> system-view
[ME60A] arp learning strict

Step 2 Configure destination-based speed limit for ARP packets on each slot of the attached device. The speed is limited to 50 packets per second. Take slot 1 as an example.
[ME60A] arp speed-limit destination-ip maximum 50 slot 1

Step 3 Restrict the number of ARP entries on each interface of the attached device to 20. Take GE 1/0/0 as an example.
[ME60A] interface gigabitethernet 1/0/0
[ME60A-GigabitEthernet1/0/0] arp-limit maximum 20
[ME60A-GigabitEthernet1/0/0] quit

Step 4 Set the interval for logging and generating alarms for potential attack behaviors to 20 seconds.
[ME60A] arp anti-attack log-trap-timer 20

Step 5 Verify the configuration. Use certain tools to send ARP request packets to ME60 A and then run the display arp all command on ME60 A. You can find that the actively sent ARP request packets are not learnt by ME60 A.
<ME60A> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE  VPN-INSTANCE  VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258            I    GE0/0/0
100.1.1.180     000d-88f4-d06b  9         D-0  GE0/0/0
100.1.1.24      0013-d326-ab88  9         D-0  GE0/0/0
100.1.1.166     0014-2afd-7376  10        D-0  GE0/0/0
100.1.1.37      00e0-4c77-a2f9  12        D-0  GE0/0/0
100.1.1.168     000d-88f8-332c  14        D-0  GE0/0/0
100.1.1.48      0015-e9ac-7a30  16        D-0  GE0/0/0
32.1.1.1        0088-0010-000a            I    GE3/0/9
24.1.1.1        0088-0010-0009            I    GE3/0/8
10.1.1.1        0088-0010-0003            I    GE3/0/2
10.1.1.2        00e0-fc22-18d5  9         D-3  GE3/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7       Static:0     Interface:4

Run the display arp speed-limit command on ME60s. You can view the limited speed.
<ME60A> display arp speed-limit destination-ip slot 1
Slot  SuppressType  SuppressValue
--------------------------------------------------
1     ARP           50

Run the display arp packet statistics command on ME60s. You can view the number of the discarded ARP packets and the learnt ARP entries.
<ME60A> display arp packet statistics
ARP Pkt Received:                     sum 23
ARP-Miss Msg Received:                sum 0
ARP Learnned Count:                   sum 8
ARP Pkt Discard For Limit:            sum 5
ARP Pkt Discard For SpeedLimit:       sum 0
ARP Pkt Discard For Other:            sum 10
ARP-Miss Msg Discard For SpeedLimit:  sum
ARP-Miss Msg Discard For Other:       sum 0

----End

Configuration Files
The configuration file of ME60 A is as follows:
#
 sysname ME60A
#
arp learning strict
arp speed-limit destination-ip maximum 50 slot 1
arp anti-attack log-trap-timer 20
#
interface GigabitEthernet1/0/0
 arp-limit maximum 20
return

12.5.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks
Networking Requirements
As shown in Figure 12-4, a cyber cafe accesses the ME60 through the Internet. ARP security features need to be configured to protect the cyber cafe from ARP entry attacks and scanning attacks.

Figure 12-4 Network diagram of preventing attacks on ARP entries and scanning attacks (ME60 connected to the Internet)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure as follows to prevent attacks on ARP entries:
l Configure strict ARP entry learning.
l Configure speed limit for ARP packets.
l Configure interface-based ARP entry restriction.
l Enable log and alarm functions for potential attack behaviors.
2. Configure as follows to prevent ARP scanning attacks:
l Configure speed limit for ARP Miss packets.

Data Preparations
To complete the configuration, you need the following data:
l Timestamp suppression rate of ARP packets and slot numbers
l Limited number of ARP entries
l Interval for sending alarms
l Timestamp suppression rate of ARP Miss packets and slot numbers

Procedure
Step 1 Configure strict ARP entry learning.
<Quidway> system-view
[Quidway] arp learning strict

Step 2 Configure destination-based speed limit for ARP packets on each slot of the attached device. The speed is limited to 50 packets per second. Take slot 1 as an example.
[Quidway] arp speed-limit destination-ip maximum 50 slot 1

Step 3 Restrict the number of ARP entries on each interface of the attached device to 20. Take GE 1/0/0 as an example.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] arp-limit maximum 20
[Quidway-GigabitEthernet1/0/0] quit

Step 4 Set the interval for logging and generating alarms for potential attack behaviors to 20 seconds.
[Quidway] arp anti-attack log-trap-timer 20

Step 5 Configure source-based speed limit for ARP Miss packets on each slot of the attached device. The speed is limited to 50 ARP Miss packets per second. Take slot 1 as an example.
[Quidway] arp-miss speed-limit source-ip maximum 50 slot 1

Step 6 Verify the configuration. Use certain tools to send ARP request packets to the ME60 and then run the display arp all command on the ME60. You can find that the actively sent ARP request packets are not learnt by the ME60.
<Quidway> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE  VPN-INSTANCE  VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258            I    GE0/0/0
100.1.1.180     000d-88f4-d06b  9         D-0  GE0/0/0
100.1.1.24      0013-d326-ab88  9         D-0  GE0/0/0
100.1.1.166     0014-2afd-7376  10        D-0  GE0/0/0
100.1.1.37      00e0-4c77-a2f9  12        D-0  GE0/0/0
100.1.1.168     000d-88f8-332c  14        D-0  GE0/0/0
100.1.1.48      0015-e9ac-7a30  16        D-0  GE0/0/0
32.1.1.1        0088-0010-000a            I    GE3/0/9
24.1.1.1        0088-0010-0009            I    GE3/0/8
10.1.1.1        0088-0010-0003            I    GE3/0/2
10.1.1.2        00e0-fc22-18d5  9         D-3  GE3/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7       Static:0     Interface:4

Run the display arp speed-limit command on ME60s. You can view the limited speed. Run the display arp-miss speed-limit command on ME60s. You can view the limited speed of ARP Miss packets.

<Quidway> display arp speed-limit destination-ip slot 1
Slot  SuppressType  SuppressValue
--------------------------------------------------
1     ARP           50
<Quidway> display arp-miss speed-limit source-ip slot 1
Slot  SuppressType  SuppressValue
--------------------------------------------------
1     ARP-miss      50

Use certain tools to scan the ME60 and then run the display arp packet statistics command on the ME60. You can view the number of discarded ARP Miss messages.
<Quidway> display arp packet statistics
ARP Pkt Received:                     sum 23
ARP-Miss Msg Received:                sum 0
ARP Learnned Count:                   sum 8
ARP Pkt Discard For Limit:            sum 5
ARP Pkt Discard For SpeedLimit:       sum 0
ARP Pkt Discard For Other:            sum 10
ARP-Miss Msg Discard For SpeedLimit:  sum
ARP-Miss Msg Discard For Other:       sum 0

----End

Configuration Files
#
 sysname Quidway
#
arp learning strict
arp speed-limit destination-ip maximum 50 slot 1
arp-miss speed-limit source-ip maximum 50 slot 1
arp anti-attack log-trap-timer 20
#
interface GigabitEthernet1/0/0
 arp-limit maximum 20
return


A Glossary

This appendix lists the glossary of terms in this manual.

A
attack defense: A function of detecting various network attacks and protecting the intranet against malicious attacks.
authenticate: To verify the legality of a user before the user visits the Internet or accesses an Internet service.

C
CC: Contents of communication that the lawful interception device intercepts, such as email contents and VoIP voice packets.

D
data juggle: A security threat in which an attacker selectively changes, deletes, delays, or rearranges system data or message streams and inserts false messages, thus destroying the consistency of the data.
denial of service: A security threat in which a server denies the request of a legal user who wants to access information or resources.
DPI: Deep packet inspection, a function of sensing the data application and providing policies for network control and management through analysis of the packet application layer.

E
encrypt: To transform a readable message into unreadable text. Unauthorized users cannot obtain the content of the message even though they obtain the encrypted signal.


F
firewall: A system or a group of systems that monitors the channel between the trusted internal network and untrusted external networks to prevent the risks of the external networks from affecting the internal network.

I
illegal use: A security threat in which an unauthorized user uses network resources.
inbound: Pertaining to transmission in which data flows from a zone with lower priority to a zone with higher priority.

information theft: A security threat in which an attacker obtains important data or information by wiretapping the network instead of directly attacking the target system.
IPSec: The collective name for a set of network security protocols, including security protocols and encryption protocols, which provide communication parties with access control, connectionless integrity, data origin authentication, anti-replay, encryption, and classification and encryption of data streams.
IRI: User information that the lawful interception device intercepts, such as the location and login time of a user.

L
lawful interception: A law enforcement activity carried out to monitor the communication services on the public communications network, in accordance with the related laws and the norms for the public communications network.
LIG: A device used for transfer and adaptation on the interception command issuing interface and the event report interface. An LIG serves as the core of the entire interception system and is responsible for the settings of interception services and the actual interception.

N
NAT: A mechanism for transforming private addresses into globally routable addresses, which enables private networks to access public networks.
network security service: The measures taken against security threats on a network.

O
outbound: Pertaining to transmission in which data flows from a zone with higher priority to a zone with lower priority.


P
packet filtering firewall: A firewall that filters packets by using ACLs. See also firewall.
proxy firewall: A firewall working at the application layer. It checks the requests of users, connects to the server and forwards the request if authentication succeeds, and then forwards the response of the server to the user.

S
security zone: A combination of multiple interfaces or user domains with the same security attributes.
stateful firewall: A firewall that monitors TCP/UDP sessions by using state tables and forwards the packets associated with allowed sessions. It also analyzes the application layer state of the packets in the TCP/UDP sessions and filters out the packets that do not match.


B Acronyms and Abbreviations

This appendix lists the acronyms and abbreviations mentioned in this manual.

Numeric
3DES: Triple DES

A
AAA: Authentication, Authorization and Accounting
ACL: Access Control List
AH: Authentication Header
ALG: Application Layer Gateway
API: Application Program Interface
ASPF: Application Specific Packet Filter
ATM: Asynchronous Transfer Mode
AUCX: Audit Connection
AUEP: Audit End Point

B
BICC: Bearer Independent Call Control Protocol

C
CAC: Call Admission Control
CAR: Committed Access Rate
CCB: Call Control Block


D
DES: Data Encryption Standard
DF: Don't Fragment
DH: Diffie-Hellman
DoS: Denial of Service
DPI: Deep Packet Inspection

E
ESP: Encapsulating Security Payload

F
FTP: File Transfer Protocol

G
GRE: Generic Routing Encapsulation
GSM: Global System for Mobile communications

H
HTTP: Hypertext Transfer Protocol
HWCC: Huawei Conference Control Protocol

I
IAD: Integrated Access Device
IADMS: IAD Management System
IANA: Internet Assigned Numbers Authority
ICMP: Internet Control Message Protocol
IETF: Internet Engineering Task Force
IGMP: Internet Group Management Protocol
IKE: Internet Key Exchange
ILS: Internet Location Service
IP: Internet Protocol
IPSec: IP Security


ISAKMP: Internet Security Association and Key Management Protocol
ISDN: Integrated Services Digital Network
ITU: International Telecommunication Union

J
JAIN: Java APIs for Integrated Networks

L
L2TP: Layer 2 Tunneling Protocol
LI: Lawful Interception
LIG: Lawful Interception Gateway

M
MAC: Media Access Control
MD5: Message Digest 5
MF: More Fragment
MGCP: Media Gateway Control Protocol
MIB: Management Information Base
MPLS: Multi-Protocol Label Switching

N
NAPT: Network Address Port Translation
NAT: Network Address Translation
NetBIOS: Network Basic Input/Output System
NGN: Next Generation Network
NMS: Network Management System
NTP: Network Time Protocol

O
OID: Object ID
OOB: Out-of-Band


P
P2P: Point to Point
PAT: Port Address Translation
PC: Personal Computer
PDU: Protocol Data Unit
PFS: Perfect Forward Secrecy
POS: Packet Over SDH
PPTP: Point-to-Point Tunneling Protocol
PSTN: Public Switched Telephone Network

Q
QoS: Quality of Service

R
RADIUS: Remote Authentication Dial In User Service
RAS: Registration, Admission and Status
RFC: Request for Comments
RSA: Rivest-Shamir-Adleman cryptographic algorithms
RTSP: Real Time Streaming Protocol
RTCP: Real-time Transport Control Protocol
RTP: Real-time Transport Protocol

S
SA: Security Association
SBC: Session Border Controller
SDP: Session Description Protocol
SHA: Secure Hash Algorithm
SIP: Session Initiation Protocol
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
SPI: Security Parameter Index
SSH: Secure Shell


SSL: Secure Sockets Layer
SSU: Security Service Unit

T
TCP: Transmission Control Protocol
TTL: Time to Live

U
UDP: User Datagram Protocol

V
VoIP: Voice over IP
VPN: Virtual Private Network

W
WWW: World Wide Web
