Scribd
Upload
634 views86 pages

Eudemon Firewall Basic Function Features and Configuration ISSUE1.00

Uploaded by

Sergio Saenz
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
634 views86 pages

Eudemon Firewall Basic Function Features and Configuration ISSUE1.00

Uploaded by

Sergio Saenz
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Eudemon Firewall Basic Function

Features and Configurations

www.huawei.com

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved.


Overview
⚫ The Eudemon firewalls are Huawei's new-generation carrier-class
firewalls intended for large- and medium-sized enterprises and
telecom networks. They are widely used at network borders of carriers,
enterprises, governments, financial and energy organizations, and
schools. In addition, the firewalls offer GE and 10GE throughputs.

⚫ This document describes the main security technologies and features


of the Eudemon firewalls, and the related configurations. The security
technologies and features include the security zone, ASPF, and MAC
address binding.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page2
Objectives
⚫ Upon completion of this course, you will be able to:
 Master main security technologies and features of the Eudemon
firewalls.

 Master the configurations of the security features.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page3
Contents
1. Basic firewall technologies

2. Key firewall technologies

3. Basic firewall functions

4. Extend firewall functions

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page4
Contents
1. Basic firewall technologies

2. Key firewall technologies

3. Basic firewall functions

4. Extend firewall functions

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page5
Security Zone
⚫ The firewall divide different network based on security zones, After interfaces
are added to security zones, the firewall security check (security policy) will be
enabled between the security zones to filter the data flows that pass through
the security zone.

⚫ A security zone is a set of the networks connected by interfaces. Users on these


networks have the same security attributes.

⚫ There are four default security zones on the Eudemon firewalls.

 Untrust zone

 Demilitarized zone(DMZ zone)

 Trust zone

 Local zone

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page6
Data Flow Direction
⚫ The inter-zone data flows in the following two directions :
 Inbound

 Outbound outbound

Eudemon
......
Local
Internal
network External
Eth0/0/0 Eth2/0/0
network
Untrust
Trust
Eth1/0/0

inbound outbound outbound


inbound

......
Server Server

DMZ

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page7
Configuration of Security Zone-Topology
Description
Trust Huawei

GE 0/0/1 GE 0/0/2
172.1.1.1 10.0.0.1

PC1 Eudemon PC2


172.1.1.2 10.0.0.2

⚫ as shown in the preceding ,the GE 0/0/1 interface is added to the Trust zone,
and the GE 0/0/2 interface is added to the Huawei zone. The Trust zone is a
default security zone and the Huawei zone is a user-defined security zone with
the priority of 60.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page8
Configuration of Security Zone-Configuration
Procedure

step task description

1 Create user-defined zone Include : zone name, zone priority

2 Set priority Priority ranges : 1-100

3 Add interface into zone The interface only belong to one zone at
same time

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page9
Configuration of Security-Configuration
Example
⚫ Create a user-defined zone.

[Eudemon] firewall zone name Huawei

⚫ Set priority
[Eudemon-zone-huawei] set priority 60 //user-defined zone must set
prority
⚫ Add interfaces to the security zone

[[Eudemon]firewall zone huawei


[Eudemon-zone-huawei]add interface GigabitEthernet 0/0/2 //add
interface GE0/0/2 into user-defined zone ”huawei”
[Eudemon-zone-huawei]quit
[Eudemon]firewall zone trust
[Eudemon-zone-trust]add interface GigabitEthernet 0/0/1

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page10
Configuration of Security-Configuration
Verification
⚫ View configuration of firewall security zone

[Eudemon]display zone trust


trust
priority is 85 //The priority is 85.
interface of the zone is (1):
GigabitEthernet0/0/1 //One GE0/0/1 interface is added to the zone.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page11
Packet Filtering
⚫ Currently, packet filtering mainly checks the following fields in IP packets: source
IP address, destination IP address, source MAC address, destination MAC address,
protocol, packet priority, and service type. To perform packet filtering, match
data flows with different rules.
 Interzone packet filtering: Match the packets with the firewall policy.

 MAC address-based packet filtering: Match the packets with the MAC address-based
ACL.

⚫ For packet filtering, there are two methods for processing the matched packets:
 permit:allows the packet to pass the check of packet filtering. Then the packet is
processed by other security policies

 deny:discards the packet

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page12
Interzone Packet Filtering and Default
Interzone Packet Filtering
⚫ Interzone packet filtering of Eudemon firewalls controls the data flows
transmitted between security zones at different security levels. The following two
policies apply:
 Interzone firewall policy

 Default interzone packet filtering policy

Action
Condition
packets matche The policy permits the packet through The device forwards the
interzone policys
packet.
The policy blocks the packet. The device discards the
packet.

The default packet-filtering rule of this The device forwards the


packet.
Packets fail to match interzone allows all packets through
interzone policies. The default packet-filtering rule of this The device discards the
interzone blocks all packets. packet.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page13
Configuring Interzone Packet Filtering -
Topology Description
Trust Huawei

GE 0/0/1 GE 0/0/2
172.1.1.1 10.0.0.1

PC1 Eudemon PC2


172.1.1.2 10.0.0.2
⚫ As shown in the preceding figure, the GE 0/0/1 interface is added to the Trust zone, and
the GE 0/0/2 interface is added to the Huawei zone. The Trust zone is a default security
zone and the Huawei zone is a user-defined security zone with the priority of 60. Perform
proper configurations to enable PC1 to access PC2 and prevent PC2 from accessing PC1.
The security zones have been configured.(The security zones have been configured. )

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page14
Configuring Interzone Packet Filtering -
Configuration Procedure
Step Activity Dscription

1 Enter the interzone packet filtering policy Ignore the sequence of security
view. zones.
2 Create a policy and enter the A policy created earlier has a higher
configuration view. priority.
3 Specify the source address of the packets Optional
to match.
4 Specify the destination address of the Optional
packets to match.
5 Configure the action after packet The action can be permit or deny.
matching.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page15
Configuring Interzone Packet Filtering –
Configuration Example
⚫ Enter the interzone packet filtering policy view:
[Eudemon]policy interzone trust huawei outbound //The data flow direction is
outbound. To modify the data flow direction, change outbound to inbound.
⚫ Create a policy and enter the configuration view:

[Eudemon-policy-interzone-trust-huawei-outbound]policy 0

⚫ Specify the source address of the packets to match :


[Eudemon-policy-interzone-trust-huawei-outbound-0]policy source
172.1.0.0 mask 16

⚫ Specify the destination address of the packets to match :


[Eudemon-policy-interzone-trust-huawei-outbound-0]policy destination
10.0.0.0 mask 8
⚫ Configure the action after packet matching :
[Eudemon-policy-interzone-trust-huawei-outbound-0]action permit

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page16
Configuring Interzone Packet Filtering-
Configuration Verification
⚫ Query the policy configured for interzone packet filtering :
[Eudemon]display policy interzone trust huawei outbound
policy interzone trust huawei outbound //The following contents display the interzone packet
filtering policy in the outbound direction.
firewall default packet-filter is deny //The action of default interzone packet filtering is set to
deny.
policy 0 (12 times matched) //User-defined packet filtering policy
action permit
policy service service-set ip
policy source 172.1.0.0 mask 16
policy destination 10.0.0.0 mask 8

⚫ Ping PC2 from PC1:


C:\Documents and Settings\user>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time<1ms TTL=128
Reply from 10.0.0.2: bytes=32 time<1ms TTL=128
……

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page17
Configuring Default Interzone Packet Filtering
- Example(1/2)
⚫ Run the display firewall packet-filter default all command to query the default
packet filtering policies:
<Eudemon>display firewall packet-filter default all
Firewall default packet-filter action is:
------------------------------------------------------------
packet-filter in public:
local -> trust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
local -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
trust -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
trust -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
dmz -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page18
Configuring Default Interzone Packet Filtering
- Example (2/2)
⚫ query the default packet filtering action configured for the two specific security
zones:

[Eudemon]display policy interzone trust huawei outbound


policy interzone trust huawei outbound //The following contents display the
interzone packet filtering policy in the outbound direction.
firewall default packet-filter is deny //The action of default interzone packet
filtering is set to deny.
policy 0 (12 times matched) //User-defined packet filtering policy
action permit
policy service service-set ip
policy source 172.1.0.0 mask 16
policy destination 10.0.0.0 mask 8

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page19
Configuring Default Interzone Packet Filtering
- Configuration Procedure and Example
⚫ See the following figure for the steps to modify the default packet filtering
policies :

Step Activity Description

1 Enter the system view

2 Configure the default packet Set the data flow direction to inbound
filtering policies or outbound.

⚫ Modify the default interzone rules

<Eudemon>system-view
[Eudemon]firewall packet-filter default permit interzone trust huawei
direction inbound // //The word following direction indicates the direction of the data
flow that is inbound or outbound.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page20
Configuring Default Interzone Packet Filtering-
Configuration Verification
⚫ Query the packet filtering policies configured for the inbound direction.

[Eudemon]display policy interzone trust huawei inbound


policy interzone trust huawei inbound
firewall default packet-filter is permit //The default packet filtering action is
modified to permit.

⚫ Ping PC2 from PC1 again:

C:\Documents and Settings\user>ping 172.1.1.2


Pinging 172.1.1.2 with 32 bytes of data:
Reply from 172.1.1.2: bytes=32 time<1ms TTL=128
Reply from 172.1.1.2: bytes=32 time<1ms TTL=128
……

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page21
Session Table
⚫ A session table is established to record the source IP address, source
port, destination IP address, destination port, and protocol number. If
the firewall has the virtual firewall (VFW) function, the VPN-ID is also
included.

⚫ currently, the major firewalls adopt the status-based packet control


mechanism to detect the first packet or a few packets to determine the
status of one connection. In this way, a large number of packets are
controlled according to the status of this connection. This status check
mechanism rapidly improves the detection and forwarding efficiency of
firewalls.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page22
Session Table-Example
⚫ For example, server A at 192.168.1.1 sends a TCP connection request through
port 20000 to server B at 1.1.1.1 which uses port 30000 to provide services. A
session table is established when the initial packet is sent. The following table
lists related information :
Source ip address Source port Destination ip address Destination port protocol

192.168.1.1 20000 1.1.1.1 30000 TCP

⚫ Server B sends a response packet after receiving the TCP connection request
from server A. The following table lists the quintuple of such packet:

Source ip address Source port Destination ip address Destination port protocol

1.1.1.1 30000 192.168.1.1 20000 TCP

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page23
Querying a Session Table(1/2)
Trust Huawei

GE 0/0/1 GE 0/0/2
172.1.1.1 10.0.0.1

PC1 Eudemon PC2


172.1.1.2 10.0.0.2

⚫ After the configuration is complete, PC1 and PC2 can normally communicate
with each other. After the first connection is established, the information about
the session table can be queried.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page24
Querying a Session Table (2/2)
⚫ run the display firewall session table verbose command on the firewall to query the
information about the session table:
<Eudemon>display firewall session table verbose
Current Total Sessions : 1
icmp VPN:public --> public // protocol
Zone: trust--> huawei TTL: 00:00:20 Left: 00:00:15 //Data flow direction
and aging time
Interface: GigabitEthernet0/0/2 NextHop: 10.0.0.2 MAC: 90-fb-a6-09-
0f-6d //Outbound interface, next hop, and MAC address
<--packets:4 bytes:240 -->packets:4 bytes:240 /Number of passed packets
172.1.1.2:768-->10.0.0.2:2048 //Source IP address, source port, destination IP, and
destination port
⚫ The query results show the quintuple and other information contained in the session table
and show that the data flow from PC1 to PC2 matches the session table.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page25
Persistent Connection
⚫ A persistent connection means that a longer aging time is configured for
some sessions to ensure that they will not be deleted in a long time.

⚫ In practice, the interval between two consecutive packets of a TCP


session is extremely long. For example:
 When users download a large-sized file using FTP, it takes a long time to
send the second packet through the control channel.

 When users need to query the data on the database server, the time
required is much longer than the aging time set for the TCP session .

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page26
Persistent Connection-Topology Description
Trust Huawei

GE 0/0/1 GE 0/0/2
172.1.1.1 10.0.0.1

PC1 Eudemon PC2


172.1.1.2 10.0.0.2

⚫ Enable the FTP service on PC2, and set persistent connection for PC1 access to
FTP services on PC2. The aging time is set to two hours.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page27
Configuring the Persistent Connection-
Configuration Procedure

Step Activity Description


1 Set the aging time for the Aging time: 1–480 h; 168 h by default.
persistent connection.

2 Configure the ACL. The ACL must be an advanced ACL.

3 Enable the persistent Specify the data flow direction.


connection function.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page28
Configuring the Persistent Connection-
Configuration Example
⚫ Set the aging time for the persistent connection:
[Eudemon]firewall long-link aging-time 2

⚫ Configure the ACL:

[Eudemon]acl number 3000


[Eudemon-acl-adv-3000]rule permit tcp source 172.1.0.0 0.0.255.255
destination 10.0.0.0 0.0.0.255 destination-port eq ftp
⚫ Enable the persistent connection function:

[Eudemon]firewall interzone trust huawei


[Eudemon-interzone-trust-huawei]long-link 3000

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page29
Configuring the Persistent Connection-
Configuration verification
⚫ After PC1 accesses the FTP services on PC2, query the session table:

[Eudemon]display firewall session table verbose


17:35:20 2012/02/13
Current Total Sessions : 1
ftp VPN:public --> public
Zone: trust--> huawei TTL: 02:00:00 Left: 01:59:48
Interface: GigabitEthernet0/0/2 NextHop: 10.0.0.2 MAC: 90-fb-a6-09-
0f-6d
<--packets:4 bytes:238 -->packets:7 bytes:304
172.1.1.2:1215-->10.0.0.2:21(LongLink)

⚫ The query results include the LongLink field, and the TTL is modified to two
hours

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page30
Hands-on Exercises
Untrust DMZ

GE 0/0/1 GE 0/0/2
172.1.1.1/16 10.0.0.1/8

PC1 Server
172.1.1.2/16 Eudemon 10.0.0.2/8

⚫ The PC1 belongs to the Untrust zone and the server belongs to the DMZ zone.
The figure shows corresponding interfaces and IP addresses. Configure PC1
telnet server and the persistent connection of one hour. Then query the
information about the session table.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page31
Interface Mode
⚫ The Ethernet interfaces are classified as follows according to the
location:
 Layer 2 Ethernet interfaces: on the data link layer. These interfaces identify
the data frame according to the MAC address, and support layer 2 features
such as VLA.

 Layer 3 Ethernet interfaces: on the network layer. These interfaces identify


the data packet according to the IP address, and support layer 3 features
such as routing.

⚫ All interfaces on firewalls are layer 3 interfaces by default.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page32
Changing the Interface Mode
-Configuration Example
⚫ In the interface view, run the portswitch command to change layer 3 interfaces
to layer 2 interfaces.
[Eudemon]interface GigabitEthernet 0/0/8
[Eudemon-GigabitEthernet0/0/8]portswitch
⚫ Change the interface mode in batches in the system view
<Eudemon>system-view
[Eudemon]portswitch batch GigabitEthernet 0/0/5 to 0/0/7
⚫ Run the undo command to change layer 2 interfaces to layer 3 interfaces

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page33
Changing the Interface Mode
-Configuration Verification
⚫ Run the display interface command to query the interface state:

[Eudemon]display interface GigabitEthernet 0/0/8


GigabitEthernet0/0/8 current state : DOWN
Line protocol current state : DOWN
Description : Huawei, Eudemon 1000E serials, GigabitEthernet0/0/8
Interface, Switch Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
PVID:1
Port link-type:access //The interfaces are changed to layer 2 interface.
VLAN ID:1

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page34
Contents
1. Basic firewall technologies

2. Key firewall technologies

3. Basic firewall functions

4. Extend firewall functions

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page35
ASPF Concept
⚫ Application Specific Packet Filter (ASPF) is a function that the system
analyzes the packet payload, identifies a negotiated port according to
the multi-channel protocol, and establishes a record in the server-map
automatically to forward multi-channel protocol packets.

⚫ Commonly used multi-channel protocols include DNS, FTP, H323, MSN,


QQ, NETBIOS, ICQ, RTSP, PPTP, and MMS.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page36
ASPF Example
⚫ If the file is transferred through the FTP port, select a data channel port
ID (such as 2165) on the FTP client, and send the selected port ID over
the control channel to the FTP server. Then the FTP server initiates a
data connection to this port. If the ASPF function is configured, the
following server-map record is established.

ASPF: 40.0.0.5 -> 40.0.0.10:2165 , Zone: --


Protocol: tcp(Appro: ftp-data), Left-Time: 00:00:05,Addr-Pool:--
Vpn: public -> public

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page37
Server-map Table
⚫ The server-map table introduces only a few key fields to indicate the
connection state of some special services.

⚫ The server-map table saves the mapping information about data


connection by means of negotiation or the mapping of addresses
configured using the NAT function to enable users on the external
network to access the internal network through the firewall.

⚫ Run the display firewall server-map command to query a server-map


table.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page38
Importance of the Server-map Table to Data
Forwarding
⚫ If a packet which matches no record in the session table passes the
security policy check, the system queries the server-map table before
configuring a route for the packet. Querying the server-map table is
intended to:
 Check and confirm the connection state of the packet again.

 Translate the information contained in the packets according to the server-


map table.

⚫ he server-map table is used only to establish a new connection record,


while subsequent packets are still forwarded after they match the
session table.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page39
Example of the Server-map Table to Data
Forwarding(1/2)
⚫ If the file is transferred through the FTP port, the IP address of server A is
192.168.1.1, and server A sends an FTP connection request to server B through
port 20000. The IP address of server B is 1.1.1.1, and the port ID of server B is
21. The configured packet filtering policy permits the connection request from
server A at 192.168.1.1 to server B at 1.1.1.1 through port 21.

⚫ After the packet passes the security policy check, the system establishes a
record in the session table.

Type Source ip Source port Destination ip Destination port protocol

Session table 192.168.1.1 20000 1.1.1.1 21 FTP

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page40
Example of the Server-map Table to Data
Forwarding (2/2)
⚫ server A randomly select the data channel port 2165, and sends the port ID to
the FTP server through the control channel. After receiving the packet, the
system establishes a record in the server-map table.

Type Source ip Destination ip Destination port Protocol type


Server-map table 1.1.1.1 192.168.1.1 2165 FTP-data Server-map table

⚫ When server B receives the negotiation packet from server A, it initiates a


connection to port 2165 of server A through port 20. the system queries the
server-map table, if the packet is matched the record, the system permits this
packet to be forwarded, and establishes a session table

Type Source ip Source port Destination ip Destination port Protoco


session table 1.1.1.1 20 192.168.1.1 2165 FTP-data

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page41
Relationship Between ASPF and Server-map
Table
⚫ The ASPF is mainly used to parse the application layer data to identify all
information contained in the payload, and provide basis for the system to
establish access rules.

⚫ Because the packet structure and negotiation mode vary with various protocols,
the Eudemon firewalls currently identify only certain types of protocols .

⚫ After the information identified using ASPF, the record will be established in
server-map commonly.

⚫ a corresponding record in the session table is established when the system


receives the initial packet .

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page42
Configuring ASPF-Topology Description
FTP Server
10.0.0.2/24

DMZ
10.0.0.0/24

PC1

GE 0/0/1 GE 0/0/2
Trust Untrust
192.168.1.0/24 1.0.0.0/24

Eudemon

⚫ The Eudemon firewalls are connected to the outbound interface on the internal
network that provides the FTP services. The interzone packet filtering policy and
ASPF function are configured to ensure that employees can access the FTP
server.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page43
Configuring ASPF-Configuration
Procedure

Step Activity description

1 Configure interzone policies. Ensure that the Trust zone can


access the DMZ.

2 Access the FTP server. Check for smooth access.

3 Enable the ASPF function. Enable the ASPF function between


the DMZ and Trust zones.

4 Access the FTP server again. Check for smooth access.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page44
Configuring ASPF-Configuration Example
⚫ After the security policy is configured, access the FTP server. The PC can
successfully access the FTP server, but fails to read the data on the
server because the security policy does not permit the establishment of
the data channel.

⚫ Enable the ASPF function:

[Eudemon] firewall interzone trust dmz


[Eudemon-interzone-trust-dmz] detect ftp

⚫ Access the FTP server again. The PC can read the data on the FTP server

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page45
Configuring ASPF-Configuration Example
⚫ Query the server-map table on the firewall:
[Eudemon]display firewall server-map
server-map item(s) ------------------------------------------------
ASPF, 10.1.1.2 -> 192.168.1.2:1255[ANY], Zone: ---
Protocol: tcp(Appro: ftp-data), Left-Time: 00:00:25, Addr-Pool:
VPN: public -> public
⚫ Query the session table on the firewall:
<Eudemon>display firewall session table verbose
Current Total Sessions : 2
ftp VPN:public --> public
Zone: trust--> dmz TTL: 00:10:00 Left: 00:10:00
Interface: GigabitEthernet0/0/3 NextHop: 10.1.1.2 MAC: 90-fb-a6-09-0f-6d
<--packets:7 bytes:471 -->packets:11 bytes:492
192.168.1.2:1256+->10.1.1.2:21

ftp-data VPN:public --> public


Zone: dmz--> trust TTL: 00:00:10 Left: 00:00:05
Interface: GigabitEthernet0/0/1 NextHop: 192.168.1.2 MAC: 90-fb-a6-09-07-93
<--packets:3 bytes:128 -->packets:5 bytes:353
10.1.1.2:1221-->192.168.1.2:1258

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page46
Questions
⚫ SINGLE-CHOICE QUESTIONS:
 Which command is used to query the aging time of the session
( ).

A.display firewall session table

B.display firewall session table verbose

C.display firewall packet-filter default all

D.display firewall server-map

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page47
Contents
1. Basic firewall technologies

2. Key firewall technologies

3. Basic firewall functions

4. Extend firewall functions

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page48
Blacklist
⚫ The blacklist is a set of IP addresses. The firewall discards all packets
from the IP addresses in the blacklist.
 Static blacklist: The administrator can manually add IP addresses to the
blacklist one by one by using command lines or Web.

 Dynamic blacklist: Some security mechanisms of the firewall can


automatically identify the packets that may attack the network and add
corresponding IP addresses to the blacklist.

⚫ the blacklist function with high matching and processing efficiencies.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page49
Configuring Blacklist-Topology Description
Trust Untrust

LAN Internet
GE 0/0/1 GE 0/0/2

Eudemon

⚫ The Eudemon firewalls are connected to the outbound interface on the internal
network. Currently, different IP addresses have done a port scanning against
the internal network. Measures need to be taken to defend the attack. The IP
address 1.1.1.3 attacks the internal network for many times. The system is
expected to block all packets from this IP address.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page50
Configuring Backlist-Configuration Procedure

Step Activity Description

1 Configure prerequisites Configure the interface, security zone,


and interzone policies
2 Configure a static blacklist.

3 Configure a dynamic
blacklist

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page51
Configuring Backlist-Configuration Example
⚫ Configuring static blacklist
[Eudemon] firewall blacklist enable //enable the blacklist function first
[Eudemon] firewall blacklist item 1.1.1.3

⚫ Configuring dynamic blacklist


 Enable the function of port scanning attack defense

[Eudemon] firewall defend port-scan enable //Enable the function of port scanning
attack defense.

 Set the threshold of port scanning rate to 5000 pps.

[Eudemon] firewall defend port-scan max-rate 5000

 Set the blacklist timeout period to 30 minutes.


[Eudemon] firewall defend port-scan blacklist-timeout 30

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page52
Configuring Backlist-Configuration
Verification
⚫ Query the blacklist:

[[Eudemon]display firewall blacklist item


Total:1 Manual:1 IP Sweep:0 Port Scan:0
IDS:0 Login Failed:0
TIS(tcp-illegal-session):0 Unknown:0
IP Reason Insert Time Age Time Vpn-instance
--------------------------------------------------------------
1.1.1.3 Manual 2012/02/15 10:54:22 Permanent public
 Age Time refers to the aging time of a blacklist (unit: minute). Permanent
indicates that the blacklist is permanently valid.

 Insert Time refers to the time when a blacklist is generated.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page53
MAC Address Binding
⚫ IP address and MAC address binding means that the firewall establishes
mapping between IP addresses and MAC addresses.
 After receiving a packet, the firewall queries the MAC address in the
mapping table according to the source IP address of the packets, and
compares it with the source MAC address contained in the packet header. If
they are inconsistent, the packet is deemed as an invalid packet and should
be discarded.

⚫ IP address and MAC address binding is generally used in the situation


that the firewall is directly connected to the layer 2 switch, to prevent
illegal use of the IP address, ARP Flood, and DHCP Flood. This function
also supports user authentication.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page54
Configuring MAC Address Binding
-Configuration Example
⚫ Enable the MAC address binding.

[Eudemon] firewall mac-binding enable

⚫ Bind an IP address and a MAC address.

[Eudemon] firewall mac-binding 10.1.1.1 0001-0002-0003

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page55
MAC Address Binding-Configuration
Verification
⚫ Check whether the MAC address binding is enabled
[Eudemon]display firewall mac-binding enable
Mac-binding is enabled //The MAC address binding is enabled
⚫ Query the current binding on the firewall

[Eudemon]display firewall mac-binding item


Firewall mac-binding items :
Current items : 2
IP ADDRESS MAC ADDRESS VLAN-ID VPN-INSTANCE
1.1.1.1 0000-0002-0003 0
10.1.1.2 0001-0002-0003 0

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page56
Port Mapping
⚫ Port mapping allows a user to identify the packets destined for non-
well-known ports as well-known protocol packets.

⚫ The two multi-mappings supported are as follows:


 One protocol can be mapped to multiple ports.
◼ For example, packets destined for port 20001, port 20002, and port 20003 are
identified as FTP packets by means of configuration.

 One port can be mapped to multiple protocols.


◼ For example, packets transmitted from PC A to port 20001 can be identified as
FTP packets, while packets transmitted from PC B to port 20001 can be identified
as HTTP packets by means of configuration

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page57
Configuring Port Mapping-Topology
Description B:Web Server A:FTP Server
10.0.0.2/24 10.0.0.3/24

DMZ
10.0.0.0/24

PC1
GE 0/0/3
10.0.0.1/24

Trust Untrust
192.168.1.0/24 GE 0/0/1 GE 0/0/2 1.0.0.0/24
192.168.1.1/24 1.0.0.1/24
Eudemon
⚫ The internal server A of a company wants to provide FTP services for the external network
by using port 21000. The data packets transmitted from the Trust zone to port 21000 at
10.1.1.0 are regarded as FTP packets for accessing the internal server. In this way, the
security level is improved to a certain extent.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page58
Configuring Port Mapping-Configuration
Procedure and Example
⚫ Configuration procedure

Step Activity Description


1 Configure interzone policies. Enable the Trust zone to access the DMZ
normally.
2 Configure port mapping. Configure the mapping between ACL rules
and ports.

⚫ Configuration example
 Configure the port mapping function to process the packets transmitted to port
21000 at 10.1.1.1 as FTP packets.

[Eudemon] acl 2005


[Eudemon-acl-basic-2005] rule permit source 10.1.1.1 0
[Eudemon-acl-basic-2005] quit
[Eudemon] port-mapping ftp port 21000 acl 2005

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page59
Configuring Port Mapping-Configuration
Verification
⚫ Run the display port-mapping command to view the current port mapping
table configured in the system.

[Eudemon] display port-mapping


SERVICE PORT ACL TYPE
-------------------------------------------------
ftp 21 system defined
smtp 25 system defined
http 80 system defined
rtsp 554 system defined
h323 1719 system defined
sqlnet 1521 system defined
pptp 1723 system defined
sip 5060 system defined
ftp 21000 2005 user defined

 system defined refers to the system-defined port.

 user defined refers to the user-defined port.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page60
IDS
⚫ Intrusion detection system (IDS) functions:
 Monitor and analyze all data packets on the network in real time.

 Discover and process data packets captured in real time.

 Summarize and analyze network events recorded by the system.

 Discover exceptions and automatically cut off connections to the network or interact
with the firewalls to call other programs for exception handling.

⚫ IDS advantages:
 Monitor and analyze all data packets on the network in real time. Discover and
process data packets captured in real time.

 Summarize and analyze network events recorded by the system. Discover exceptions
and automatically cut off connections to the network or interact with the firewalls to
call other programs for exception handling.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page61
Interacting With IDS
⚫ the Eudemon firewalls open related interfaces for interacting with other
security software for the purpose of building a secure network.

⚫ IDSs which can interact with Eudemon firewalls include: Venustech IDS,
LinkTrust IDS, KINGNET IDS, and Huawei NIP IDS.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page62
Interacting With IDS -Topology Description
(1/2)
Eudemon

Internal network GE0/0/1 GE0/0/2


INTERNET

Management port Response port


Data flow DMZ zone
NIP NIDS Monitoring port
Managing information,
logs, and alarms

Protected server cluster

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page63
Interacting With IDS-Topology Description
(2/2)
⚫ The firewalls define security zones (as shown in the preceding figure),
and the IDS monitors the data destined for the DMZ. Based on the
traffic mirrored to the NIP IDS by using the port mirroring
technology,the IDS detects exceptions and notifies the system manager
by reporting an alarm or interacts with the firewalls which can block the
related attack stream.

⚫ The specific requirements are as follows:


 The IP address of the IDS server is 192.168.10.10.

 The authentication type and authentication key of Eudemon firewalls and the IDS
server are MD5 and abcdef123 respectively。

 Eudemon firewalls communicate with the IDS server through port 30000.。

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page64
Interacting With IDS-Configuration Procedure

Step Activity description

1 Configure the IP address of the IDS server

2 Configure the communication port number Port number range: 1025–65535;


Default value: 40000
3 Configure the authentication type and the
authentication key
4 Enable the interaction between the This function must be enabled.
firewalls and the IDS

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page65
Interacting With IDS-Configuration Example
⚫ Configure the IP address of the IDS server

[Eudemon] firewall ids server 192.168.10.10

⚫ Configure the port number for communication between Eudemon firewalls and
the IDS server

[Eudemon] firewall ids port 30000

⚫ Configure the authentication type and the authentication key for Eudemon
firewalls:

[Eudemon] firewall ids authentication type md5 key abcdef123

⚫ Enable the interaction between the firewalls and the IDS:

[Eudemon] firewall ids enable

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page66
Interacting With IDS-Configuration
Verification
⚫ View the IDS configuration:

[Eudemon] display firewall ids


Firewall IDS information:
firewall IDS: enable
debug flag: off
server port: 30000
authentication type: md5
authentication string: abcdef123
client address 0: 192.168.10.10

⚫ A firewall can interact with multiple IDS servers

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page67
Hands-on Exercises(1/2)
Server
10.0.0.2/24

DMZ
10.0.0.0/24 Web Server
10.0.0.2/24
PC1
GE 0/0/3
10.0.0.1/24

Trust Untrust
192.168.1.0/24 GE 0/0/1 GE 0/0/2 1.0.0.0/24
192.168.1.1/24 1.0.0.1/24
Eudemon

⚫ On the internal network of a company, the Eudemon firewall separates three


security zones, namely, Trust, DMZ, and Untrust zones. In the DMZ, one FTP
server and one web server are configured to provide services for users on the
internal network. To ensure network security, the following security policies are
specified by the NMS :

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page68
Hands-on Exercises(2/2)
 Bind IP addresses to MAC addresses to prevent ARP attacks;

 Configure the dynamic blacklist and set the threshold of the port scanning
rate to 6000 pps. Add PCs with the IP address scanning rate greater than
4000 pps to the blacklist. The blacklist timeout period is 20 minutes;

 If the PC at 1.0.0.10 often sends attack packets to the server, add it to the
blacklist ;

 Servers in the DMZ provide FTP services through port 2121 and provide
HTTP services through port 8080 。

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page69
Contents
1. Basic firewall technologies

2. Key firewall technologies

3. Basic firewall functions

4. Extend firewall functions

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page70
SLB
⚫ Server load balancing (SLB) assigns the user traffic for accessing the same IP
address among different servers according to the pre-configured load balancing
algorithm.

⚫ This function resolves the problem of limited processing capability of one server.
The load balancing algorithms used include source hashing scheduling, round-
robin scheduling, and weighted round robin scheduling.

⚫ In typical application scenarios, the firewalls are connected to the outbound


interface on the internal network. Apart from the SLB function, the firewalls can
prevent common attacks and ensure server security.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page71
Configuring SLB-Topology Description
server 1
10.1.1.3/24

GE0/0/1 GE0/0/2
202.2.2.1/24 10.1.1.1/24

PC
Eudemon
202.2.2.3/24 vip 202.2.2.2 Switch

server2 server3
10.1.1.4/24 10.1.1.5/24

⚫ In the internal DMZ, there are three real servers which can provide FTP services for the
external network. The IP addresses are 10.1.1.3/24, 10.1.1.4/24, and 10.1.1.5/24
respectively. The external virtual IP address is 202.2.2.2. PCs are in the Untrust zone on the
external network and configured with the SLB function for ensuring load balancing among
servers

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page72
Configuring SLB-Configuration Procedure
Step Acticity Dscription
1 Configure IP addresses, security See the preceding sections for related contents.
zones and interzone policies.

2 Enable the SLB function. Enable the SLB function and configure the IP
addresses for real servers.

3 Configure real servers and add Configure the group name and add real servers to
them to the load balancing group. the group.

4 Configure virtual servers. Configure IP addresses and ports for virtual servers
and ports for real servers.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page73
Configuring SLB-Configuration Example
⚫ Enable the SLB function :
[Eudemon] slb enable
[Eudemon] slb
[Eudemon-slb] rserver 1 rip 10.1.1.3 //Configure the IP addresses for real servers
[Eudemon-slb] rserver 2 rip 10.1.1.4
[Eudemon-slb] rserver 3 rip 10.1.1.5

⚫ Configure real servers and add them to the load balancing group :
[Eudemon-slb] group test //The group name is test
[Eudemon-slb-group-test] addrserver 1
[Eudemon-slb-group-test] addrserver 2
[Eudemon-slb-group-test] addrserver 3 //Add server 1, server 2, and server 3 to the
test group.

⚫ Configure IP addresses and ports for virtual servers and ports for real servers

[Eudemon-slb] vserver test vip 202.2.2.2 group test tcp vport 21 rport
21
Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page74
Configuring SLB-Configuration Verification
⚫ After the configuration is complete, when a PC in the Untrust zone
accesses the server in the DMZ by using the IP address of 202.2.2.2/24
of the virtual server, information about the session table can be queried
by running the following command. The query results that there are
three sessions on the real server show that Eudemon firewalls assign
the traffic destined for the FTP server to multiple servers。

[<Eudemon> display firewall session table


Current total sessions : 3
ftp VPN:public --> public 202.2.2.3:3327-->202.2.2.2:21[10.1.1.4:21]
ftp VPN:public --> public 202.2.2.3:3327-->202.2.2.2:21[10.1.1.5:21]
ftp VPN:public --> public 202.2.2.3:3327-->202.2.2.2:21[10.1.1.6:21]

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page75
VFW
⚫ One Eudemon firewall is logically divided into multiple VPN instances
based on VFW(virtual-firewall) technology to provide independent
security services for multiple small internal networks.

After the VFW is configured, the firewalls are


logically categorized into the following two
Rfw types:
root firewall and VFW.
Vfw1 corresponding to the firewall not configured
with the VFW function, and all VFWs constitute
Vfw2 a super firewall.
The super firewall users have the right to
Vfw3
manage the root firewall and all VFWs.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page76
Configuring VFW-Topology Description(1/2)

VFW1 VFW1
Trust Untrust

VFW2 VFW2
Trust
Eudemon Untrust

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page77
Configuring VFW-Topology Description (2/2)
⚫ The Eudemon firewall can lease VFWs to multiple enterprises. For
example, it leases VFW1 to enterprise A and VFW2 to enterprise B .

⚫ The specific requirements are as follows :


 Enterprise A and enterprise B use the same overlaid address .

 Both the two internal networks can be divided into the Trust zone and the
Untrust zone. Users on the internal network are grouped into the Trust zone
while users on the external network are grouped into the Untrust zone .

 Users in the Trust zone access the external network by using public IP
addresses .

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page78
Configuring VFW-Configuration Procedure

Step Activity Dscription


1 Configure VFW1 The route distinguisher should be specified.

2 Bind interfaces to VFWs. Bind interfaces,and configure IP addresses

3 Add interfaces to the security Interfaces and security zones should be connected
zone on VFW1. to the same firewall
4 Configure interzone packet similar to that of common interzone policies
filtering policies for the VFW.
5 Configure the NAT. The VFW can only use addresses in its address pool
when communication with each other. Therefore,
the address pool and VFW1 should be bound during
the configuration of the address pool

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page79
Configuring VFW-Configuration Example
(1/3)
⚫ Configure VFW1:

[Eudemon] ip vpn-instance vfw1


[Eudemon-vpn-vfw1] route-distinguisher 100:1

⚫ Bind interfaces to VFWs:

[Eudemon] interface GigabitEthernet 0/0/1


[Eudemon-GigabitEthernet0/0/1] ip binding vpn-instance vfw1
[Eudemon-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[Eudemon] interface GigabitEthernet0/0/4
[Eudemon-GigabitEthernet0/0/4] ip binding vpn-instance vfw1
[Eudemon-GigabitEthernet0/0/4] ip address 2.1.1.1 24

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page80
Configuring VFW-Configuration Example
(2/3)
⚫ Add interfaces to the security zone on VFW1 :

[Eudemon] firewall zone vpn-instance vfw1 trust


[Eudemon-zone-trust-vfw1] add interface GigabitEthernet 0/0/1
[Eudemon] firewall zone vpn-instance vfw1 untrust
[Eudemon-zone-untrust-vfw1] add interface GigabitEthernet 0/0/4

⚫ Configure interzone packet filtering policies for the VFW :

[Eudemon] policy interzone vpn-instance vfw1 trust untrust outbound


[Eudemon-policy-interzone-trust-untrust-vfw1-outbound] policy 0
[Eudemon-policy-interzone-trust-untrust-vfw1-outbound-0] policy source
10.1.1.0 0.0.0.255
[Eudemon-policy-interzone-trust-untrust-vfw1-outbound-0] action permit

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page81
Configuring VFW-Configuration Example
(3/3)
⚫ Configure NAT Outbound to enable users in the Trust zone to access the
networks deployed in the Untrust zone with the public IP address
ranging from 2.1.1.5 to 2.1.1.10:

[Eudemon] nat address-group 1 2.1.1.5 2.1.1.10 vpn-instance vfw1


[Eudemon] nat-policy interzone vpn-instance vfw1 trust untrust outbound
[Eudemon-nat-policy-interzone-trust-untrust-vfw1-outbound] policy 0
[Eudemon-nat-policy-interzone-trust-untrust-vfw1-outbound-0] policy
source 10.1.1.0 0.0.0.255
[Eudemon-nat-policy-interzone-trust-untrust-vfw1-outbound-0] action
source-nat
[Eudemon-nat-policy-interzone-trust-untrust-vfw1-outbound-0] address-
group 1

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page82
Configuring VFW-Configuration Verification
⚫ Ping the PC at 2.1.1.2/24 in the Untrust zone from the PC at 10.1.1.2/24
in the Trust zone on VFW1 and VFW2 and query the information about
the session table
<Eudemon> display firewall session table verbose
Current total sessions : 2
icmp VPN:vfw1 --> vfw1
Zone: trust--> untrust TTL: 00:00:20 Left: 00:00:05
Interface: GigabitEthernet 0/0/4 NextHop: 2.1.1.1 MAC: 00-e0-4c-83-
8c-5c
<--packets:4 bytes:240 -->packets:4 bytes:240
10.1.1.2:768[2.1.1.5:2048]-->2.1.1.2:2048

icmp VPN:vfw2 --> vfw2


Zone: trust--> untrust TTL: 00:00:20 Left: 00:00:05
Interface: GigabitEthernet 0/0/3 NextHop: 2.1.1.1 MAC: 00-e0-4c-83-
8c-5d
<--packets:4 bytes:240 -->packets:4 bytes:240
10.1.1.2:752[2.1.1.6:2048]-->2.1.1.2:2046

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page83
Questions
⚫ Why is the nat address-group 1 address- pool vpn-instance vfw-name
command executed in the system view during the configuration of NAT
Outbound for a VFW? ( )。
A. Enable different VFWs to use one public address pool.

B. Specify the address pool for VFWs.

C. The VFW can only use addresses in its address pool in the case of communication with
the external network. Therefore, the address pool and VFW1 should be bound during
the configuration of the address pool.

D. Configure a proper address pool for VFWs so that VFWs can find the corresponding
public IP address during the NAT.

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page84
Summary
⚫ What is a security zone?

⚫ How to define the data flow direction?

⚫ What are the two kinds of interzone packet filtering?

⚫ What are the basic functions of the firewall?

⚫ VFW to separate routes based on VPN instance

Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved. Page85
Thank you
www.huawei.com

You might also like