Eudemon Basic Function and Configuration
www.huawei.com
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved
This section introduces the Eudemon firewall's modes of operation, together with the security zone concept, Access Control Lists (ACLs) and Network Address Translation (NAT), which are used to strengthen the firewall's defensive capability.
Upon completion of this section, you should be able to:
- Understand security zones
- Understand the operational modes of the firewall
- Explain and configure ACLs and NAT
Chapter 1 Security Zones
Chapter 2 Modes of Operation
Chapter 3 Access Control Lists
Chapter 4 Network Address Translation
Firewall Security Zone
[Figure: the default security zones and their priorities: Local (100), Trust (85), DMZ (50) and Untrust (5), plus a zone defined by the user; Interfaces 1 to 4 are each assigned to a zone.]
Security Zone Data Flow --- Inter-zone
[Figure: a Eudemon with the Local zone, the Trust zone (internal network on E1/0/0), the DMZ zone (servers on Eth1/0/1) and the Untrust zone (external network on E1/0/2). Between each pair of zones one direction is labelled outbound and the other inbound: traffic from the internal network toward the DMZ or the external network is outbound, and traffic in the reverse direction is inbound.]
Security Zone Configuration
[Eudemon] firewall zone name userzone
[Eudemon-zone-userzone] set priority 60
[Eudemon-zone-userzone] add interface Ethernet 0/0/1
[Eudemon]display zone userzone
userzone
priority is 60
interface of the zone is (1):
Ethernet0/0/1
Interzone policy configuration
[Eudemon]policy interzone trust untrust inbound
[Eudemon-interzone-trust-untrust]policy source any
[Eudemon-interzone-trust-untrust]action permit
[Figure: PCs in the Trust zone (internal network) and servers in the Untrust zone (external network), with the Eudemon between them.]
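The zone and interzone policy model above can be reproduced in a few lines. The following Python is an added example, not Huawei code: it uses the zone priorities from the figure (Local 100, Trust 85, DMZ 50, Untrust 5), the user-defined zone and the interzone policy from the two configurations above, and derives the direction of a flow from the figure's convention that traffic from the higher-priority zone to the lower-priority zone is outbound. The interface-to-zone assignment, first-match policy order and the default action for interzone traffic that matches no policy are assumptions of this example.

```python
import ipaddress

# Default zones with the priorities shown in the zone figure.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Interface-to-zone assignment (constructed sample; mirrors 'add interface').
INTERFACE_ZONE = {
    "Ethernet1/0/0": "trust",
    "Ethernet1/0/1": "dmz",
    "Ethernet1/0/2": "untrust",
}

# Interzone policies in configuration order (first match wins: an assumption).
POLICIES = []


def add_zone(name, priority):
    """Model 'firewall zone name <name>' followed by 'set priority <n>'.
    Zone names and priorities are kept unique in this model."""
    if name in ZONE_PRIORITY or priority in ZONE_PRIORITY.values():
        raise ValueError(f"zone name and priority must be unique: {name}/{priority}")
    ZONE_PRIORITY[name] = priority


def add_interface(zone, interface):
    """Model 'add interface <interface>' inside the zone view."""
    INTERFACE_ZONE[interface] = zone


def add_policy(zone_a, zone_b, direction, source, action):
    """Model 'policy interzone A B <direction>', 'policy source <net|any>'
    and 'action <permit|deny>' as one policy entry."""
    pair = tuple(sorted((zone_a, zone_b), key=lambda z: -ZONE_PRIORITY[z]))
    net = None if source == "any" else ipaddress.ip_network(source, strict=False)
    POLICIES.append({"pair": pair, "direction": direction, "source": net, "action": action})


def classify(in_if, out_if):
    """Return ((higher-priority zone, lower-priority zone), direction) for a
    packet that enters on in_if and leaves on out_if."""
    src_zone, dst_zone = INTERFACE_ZONE[in_if], INTERFACE_ZONE[out_if]
    if src_zone == dst_zone:
        return (src_zone, src_zone), "intrazone"
    high, low = sorted((src_zone, dst_zone), key=lambda z: -ZONE_PRIORITY[z])
    # Figure convention: high -> low priority is outbound, low -> high is inbound.
    direction = "outbound" if src_zone == high else "inbound"
    return (high, low), direction


def decide(in_if, out_if, src_ip, default="deny"):
    """Apply the interzone policies to a packet. 'default' is the assumed
    action for interzone traffic that matches no policy."""
    pair, direction = classify(in_if, out_if)
    if direction == "intrazone":
        return "intrazone"          # interzone policies do not apply
    ip = ipaddress.ip_address(src_ip)
    for pol in POLICIES:
        if pol["pair"] != pair or pol["direction"] != direction:
            continue
        if pol["source"] is None or ip in pol["source"]:
            return pol["action"]
    return default


# Reproduce the two configurations shown above.
add_zone("userzone", 60)
add_interface("userzone", "Ethernet0/0/1")
add_policy("trust", "untrust", "inbound", "any", "permit")

if __name__ == "__main__":
    print(classify("Ethernet1/0/0", "Ethernet1/0/2"))              # trust -> untrust: outbound
    print(decide("Ethernet1/0/2", "Ethernet1/0/0", "202.10.0.5"))  # permitted by the inbound policy
    print(decide("Ethernet1/0/0", "Ethernet1/0/2", "10.110.1.7"))  # no outbound policy: default
```

The point the model makes visible is that the policy `policy interzone trust untrust inbound` only covers traffic entering the Trust zone from Untrust; replies and outbound traffic are decided by other policies or by the default.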
Chapter 2 Modes of Operation
Route Mode
[Figure: route mode. The Trust zone interface 10.110.1.254 faces the internal network 10.110.1.0/24 and the Untrust zone interface 202.10.0.1 faces the external network 202.10.0.0/24; the Eudemon is a layer-3 hop between the two subnets.]
Transparent Mode
[Figure: transparent mode. The internal network (Trust) and the external network (Untrust) share the single subnet 202.10.0.0/24; the Eudemon sits in the path without splitting the subnet.]
Composite Mode
[Figure: composite mode. An active Eudemon and a standby Eudemon run VRRP between the Trust zone (internal network, 202.10.0.0/24) and the Untrust zone (external network, 202.10.0.0/24).]
Chapter 3 Access Control Lists
ACL Application
[Figure: an ACL classifies each packet and yields either Permit or Deny.]
What is an ACL? A list of rules that the following functions use to classify packets:
- Packet filtering: determine whether to discard or forward a packet according to the ACL rule
- NAT: determine which packets undergo NAT according to the ACL
- IPSec: determine which packets are protected according to the ACL
- QoS: classify flows according to the ACL
- Routing policy: filter routes according to the ACL
ACL Classification
- Basic ACL (range: 2000 ~ 2999): uses the source address to define the data flow
- Advanced ACL (range: 3000 ~ 3999): uses the source address, destination address, source port number, destination port number and protocol number, in combination, to define the data flow
- Firewall ACL (range: 5000 ~ 5499): uses the source address, destination address and destination port number to define the data flow
ACL Classification: command syntax
Create an ACL (the acl-number range selects a Basic, Advanced or Firewall ACL):
acl [ number ] acl-number
Basic ACL rule:
rule [ rule-id ] { permit | deny } [ source { source-address source-wildcard | any } ] [ time-range time-name ]
Advanced ACL rule:
rule [ rule-id ] { permit | deny } protocol [ source { source-address source-wildcard | any } ] [ destination { dest-address dest-mask | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-type icmp-code | icmp-message } ] [ precedence precedence ] [ tos tos ] [ time-range time-name ]
An ACL is referenced by its acl-number, and each rule within it by its rule-id.
ACL Application Example
[Figure: the Eudemon connects the internal network on E0/0/0 (129.38.1.5) to the WAN on E1/0/0 (202.38.160.1). Internal hosts: FTP Server 129.38.1.1, Telnet Server 129.38.1.2, www Server 129.38.1.3 and a special PC 129.38.1.4. A special PC in the external network has the address 202.39.2.3.]
ACL Application Example - Configuration
[Eudemon] acl number 3101
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.4 0
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.1 0
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.2 0
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.3 0
[Eudemon-acl-adv-3101] rule deny ip
[Eudemon-acl-adv-3101] quit
[Eudemon] acl number 3102
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.1 0
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
[Eudemon 200E-Ethernet1/0/0]firewall packet-filter 3101 outbound
[Eudemon 200E-Ethernet1/0/0]firewall packet-filter 3102 inbound
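To see what ACLs 3101 and 3102 actually match, the following Python is an added example (not Huawei code) that implements wildcard-mask rule matching and first-match evaluation, then encodes the two ACLs from the configuration above. Assumptions of the example: rules are checked in configuration order and the first match decides; a packet that matches no rule receives the `default` action supplied by the caller, because the slide does not state the device's default; the wildcard `0` on the slide is written out as `0.0.0.0`.

```python
import ipaddress


def _wild_match(addr, rule_addr, wildcard):
    """Wildcard-mask comparison: a bit set in the wildcard means 'don't care',
    so a wildcard of 0.0.0.0 (written as '0' on the slide) is an exact host match."""
    a = int(ipaddress.ip_address(addr))
    r = int(ipaddress.ip_address(rule_addr))
    w = int(ipaddress.ip_address(wildcard))
    return (a | w) == (r | w)


def rule(action, protocol="ip", source=None, destination=None, dport=None):
    """One ACL rule. source/destination are (address, wildcard) tuples or None
    (= any); dport is a destination port or None (= any). A basic ACL rule
    uses only the source field; an advanced rule may use all of them."""
    return {"action": action, "protocol": protocol, "source": source,
            "destination": destination, "dport": dport}


def _matches(r, pkt):
    if r["protocol"] != "ip" and r["protocol"] != pkt["protocol"]:
        return False
    if r["source"] and not _wild_match(pkt["src"], *r["source"]):
        return False
    if r["destination"] and not _wild_match(pkt["dst"], *r["destination"]):
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    return True


def evaluate(acl, pkt, default="deny"):
    """First-match evaluation; returns the matching rule's action, or 'default'
    when no rule matches (assumed behaviour, the slide does not state it)."""
    for r in acl:
        if _matches(r, pkt):
            return r["action"]
    return default


# ACL 3101, applied outbound on Ethernet1/0/0: only four internal hosts may send out.
ACL_3101 = [
    rule("permit", source=("129.38.1.4", "0.0.0.0")),
    rule("permit", source=("129.38.1.1", "0.0.0.0")),
    rule("permit", source=("129.38.1.2", "0.0.0.0")),
    rule("permit", source=("129.38.1.3", "0.0.0.0")),
    rule("deny"),                                   # 'rule deny ip': everything else
]

# ACL 3102, applied inbound on Ethernet1/0/0: the external PC may reach the servers over TCP.
ACL_3102 = [
    rule("permit", "tcp", ("202.39.2.3", "0.0.0.0"), ("129.38.1.1", "0.0.0.0")),
    rule("permit", "tcp", ("202.39.2.3", "0.0.0.0"), ("129.38.1.2", "0.0.0.0")),
    rule("permit", "tcp", ("202.39.2.3", "0.0.0.0"), ("129.38.1.3", "0.0.0.0")),
]

if __name__ == "__main__":
    # Constructed sample packets (protocol, src, dst, optional dport).
    print(evaluate(ACL_3101, {"protocol": "tcp", "src": "129.38.1.4", "dst": "202.39.2.3"}))
    print(evaluate(ACL_3101, {"protocol": "udp", "src": "129.38.1.9", "dst": "202.39.2.3"}))
    print(evaluate(ACL_3102, {"protocol": "tcp", "src": "202.39.2.3", "dst": "129.38.1.2", "dport": 23}))
    print(evaluate(ACL_3102, {"protocol": "udp", "src": "202.39.2.3", "dst": "129.38.1.2"}))
```

Note the difference between the two lists: 3101 ends with an explicit `rule deny ip`, so its result never depends on the device default, whereas 3102 has no final rule and anything that is not TCP from 202.39.2.3 to one of the three servers falls through to whatever the default is.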
Chapter 4 Network Address Translation
NAT (Network Address Translation)
NAT translates the IP addresses in the IP packet header into alternative IP addresses.
NAT can solve the following problems:
IP address shortage
− Conserves public IP addresses
Security
− Shields private networks from the outside
Enterprise merger
− Makes it easier to merge networks
Public and Private Addressing
[Figure: LAN1, LAN2 and LAN3 all connect to the Internet and reuse the same private addresses (for example 192.168.0.1 and 192.168.0.2) internally.]
Private address ranges:
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255
Eudemon NAT
[Figure: PC A 192.168.1.3 and PC B 192.168.1.2 in the Trust zone behind the Eudemon's inside address 192.168.1.1; the outside address 202.169.10.1 faces the Untrust zone and the Internet, where Server B 202.120.10.2 and PC C 202.130.10.3 sit.
Data packet 1 (from PC A): source 192.168.1.3, destination 202.120.10.2; after NAT: source 202.169.10.1, destination 202.120.10.2.
Data packet 2 (the reply from Server B): source 202.120.10.2, destination 202.169.10.1; after NAT: source 202.120.10.2, destination 192.168.1.3.]
Eudemon NAPT
[Figure: same topology as the NAT figure (inside 192.168.1.1, outside 202.169.10.1, Server B 202.120.10.2, PC C 202.130.10.3). Source address and port before and after translation:
Data packet 1: source 192.168.1.3 port 1357 -> source 202.169.10.1 port 1357
Data packet 2: source 192.168.1.3 port 2468 -> source 202.169.10.1 port 2468
Data packet 3: source 192.168.1.1 port 11111 -> source 202.169.10.1 port 11111
Data packet 4: source 192.168.1.2 port 11111 -> source 202.169.10.1 port 22222 (port 11111 of the public address is already in use by data packet 3, so a different port is allocated)]
Eudemon Internal Server NAT
[Figure: Untrust zone (Internet) on E0/0/1 202.168.0.1/26; DMZ zone on E1/0/0 192.168.1.1/24 with Mail Server 192.168.1.100/24, Web Server 192.168.1.101/24 and FTP Server 192.168.1.102/24. Internal server mapping (with ALG function): 202.168.0.11 - 192.168.1.101.
Data packet 1 (from the Internet): source 202.168.0.2, destination 202.168.0.11; after NAT: source 202.168.0.2, destination 192.168.1.101.
Data packet 2 (the reply): source 192.168.1.101, destination 202.168.0.2; after NAT: source 202.168.0.11, destination 202.168.0.2.]
Eudemon NAT Implementation
[Figure: on the Eudemon, an ACL selects which private addresses are translated into public addresses.]
Internal Server NAT Network
[Figure: Untrust zone (Internet) on E0/0/1 202.168.0.1/24; Trust zone (internal network 192.168.0.0/24) on E0/0/0 192.168.0.1/24; DMZ zone on E1/0/0 192.168.1.1/24 with Mail Server 192.168.1.100/24, Web Server 192.168.1.101/24 and FTP Server 192.168.1.102/24.
Internal server mappings:
202.168.0.10 - 192.168.1.100
202.168.0.11:80 - 192.168.1.101:8080
202.168.0.12:1021 - 192.168.1.102:ftp]
Egress Network NAT Typical Configuration
[Eudemon] acl 2000
[Eudemon-acl-basic-2000]rule permit
[Eudemon-acl-basic-2000]quit
[Eudemon] nat address-group 1 202.168.0.10 202.168.0.20
(Configure the address pool)
[Eudemon 200E]nat-policy interzone trust untrust outbound
[Eudemon 200E-nat-policy-interzone-trust-untrust-outbound]policy 1
[Eudemon 200E-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 mask 24
[Eudemon 200E-nat-policy-interzone-trust-untrust-outbound-1]address-group 1 no-pat
(Enable the NAT function and bind the address pool)
[Eudemon 200E-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
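The NAPT figure earlier and the egress configuration above show two different source-NAT behaviours: NAPT translates to one public address and re-allocates the port when two inside hosts collide on it (data packets 3 and 4), while `address-group 1 no-pat` hands each inside address its own address from the pool and leaves ports alone. The following Python is an added example, not Huawei code, that models both modes with one translation table, including the reverse lookup a returning packet needs and the `policy source 192.168.0.0 mask 24` selection. The pool and addresses are the slides' values; the allocation order, the "keep the port if free, otherwise take the next one" choice and forwarding unselected traffic untranslated are assumptions of the example.

```python
import ipaddress


class SourceNat:
    """Source NAT for outbound (trust -> untrust) traffic, in NAPT or no-pat mode."""

    def __init__(self, pool_start, pool_end, no_pat=False, policy_source="0.0.0.0/0"):
        start = int(ipaddress.ip_address(pool_start))
        end = int(ipaddress.ip_address(pool_end))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(start, end + 1)]
        self.no_pat = no_pat
        self.policy = ipaddress.ip_network(policy_source)   # 'policy source' selector
        self.out = {}      # NAPT:   (priv_ip, priv_port) -> (pub_ip, pub_port)
        self.hosts = {}    # no-pat: priv_ip -> pub_ip
        self.used = set()  # NAPT:   (pub_ip, pub_port) already handed out

    def translate_out(self, src_ip, src_port):
        """Return the public (address, port) for an outbound packet."""
        if ipaddress.ip_address(src_ip) not in self.policy:
            return src_ip, src_port      # not selected by the NAT policy (assumed: untouched)
        if self.no_pat:
            pub_ip = self.hosts.get(src_ip)
            if pub_ip is None:
                free = [p for p in self.pool if p not in self.hosts.values()]
                if not free:
                    raise RuntimeError("address pool exhausted")
                pub_ip = self.hosts[src_ip] = free[0]
            return pub_ip, src_port      # one-to-one address mapping, port unchanged
        key = (src_ip, src_port)
        if key not in self.out:
            pub_ip, pub_port = self.pool[0], src_port
            # Keep the inside port when it is free; on a collision (two inside hosts
            # using the same port, as in data packets 3 and 4) take the next free port.
            while (pub_ip, pub_port) in self.used:
                pub_port = pub_port + 1 if pub_port < 65535 else 1024
            self.used.add((pub_ip, pub_port))
            self.out[key] = (pub_ip, pub_port)
        return self.out[key]

    def translate_in(self, pub_ip, pub_port):
        """Reverse lookup for a returning packet; None when no session exists."""
        if self.no_pat:
            for priv_ip, mapped in self.hosts.items():
                if mapped == pub_ip:
                    return priv_ip, pub_port
            return None
        for priv, pub in self.out.items():
            if pub == (pub_ip, pub_port):
                return priv
        return None


if __name__ == "__main__":
    napt = SourceNat("202.169.10.1", "202.169.10.1")           # NAPT figure
    for src in [("192.168.1.3", 1357), ("192.168.1.3", 2468),
                ("192.168.1.1", 11111), ("192.168.1.2", 11111)]:
        print(src, "->", napt.translate_out(*src))
    pool = SourceNat("202.168.0.10", "202.168.0.20", no_pat=True,
                     policy_source="192.168.0.0/24")            # egress configuration
    print(pool.translate_out("192.168.0.5", 40000), pool.translate_out("192.168.0.6", 40000))
```

The reverse table is the security-relevant half: a packet from the Internet is only delivered inside when it matches a session that an inside host opened, which is why NAPT on its own already shields the private network, as the NAT slide lists under "Security".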
NAT Server Typical Configuration
[Eudemon] nat server global 202.168.0.10 inside 192.168.1.100
[Eudemon] nat server protocol tcp global 202.168.0.11 80 inside 192.168.1.101 8080
[Eudemon] nat server protocol tcp global 202.168.0.12 1021 inside 192.168.1.102 ftp
(Configure the mapping between each global address and the internal server address)
[Eudemon 200E]policy interzone dmz untrust inbound
[Eudemon 200E-policy-interzone-dmz-untrust-inbound]policy 1
[Eudemon 200E-policy-interzone-dmz-untrust-inbound-1]policy destination 192.168.1.0 mask 24
[Eudemon 200E-policy-interzone-dmz-untrust-inbound-1]policy service service-set ftp
[Eudemon 200E-policy-interzone-dmz-untrust-inbound-1]action deny
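The three `nat server` commands above are static destination mappings, and the interzone policy that follows is written against the inside (post-translation) destination 192.168.1.0/24. The following Python is an added example, not Huawei code, that models that table: inbound packets have their destination rewritten (including the 80 to 8080 port rewrite), the server's replies are rewritten back by the same table, and the FTP deny policy is checked on the translated destination. Assumptions of the example: port-specific mappings take precedence over the whole-address mapping, the `ftp` keyword stands for TCP port 21, and inbound traffic that matches no deny rule receives the `default` action, which the slide does not state.

```python
import ipaddress

# (protocol or None, global ip, global port or None, inside ip, inside port or None)
NAT_SERVERS = [
    (None,  "202.168.0.10", None, "192.168.1.100", None),   # mail server: all protocols and ports
    ("tcp", "202.168.0.11", 80,   "192.168.1.101", 8080),   # web server: 80 outside, 8080 inside
    ("tcp", "202.168.0.12", 1021, "192.168.1.102", 21),     # ftp server: 'ftp' keyword = port 21 (assumed)
]

# 'policy interzone dmz untrust inbound' / 'policy 1': deny FTP to the DMZ subnet,
# expressed on the inside destination as in the configuration above.
DENY_RULES = [("tcp", ipaddress.ip_network("192.168.1.0/24"), 21)]


def _ordered():
    # Port-specific entries before whole-address entries (assumed precedence).
    return sorted(NAT_SERVERS, key=lambda e: e[2] is None)


def dnat_inbound(protocol, dst_ip, dst_port):
    """Rewrite the destination of a packet arriving from Untrust.
    Returns (inside ip, inside port) or None when no mapping applies."""
    for proto, g_ip, g_port, i_ip, i_port in _ordered():
        if g_ip != dst_ip:
            continue
        if proto is not None and proto != protocol:
            continue
        if g_port is not None and g_port != dst_port:
            continue
        return i_ip, (i_port if i_port is not None else dst_port)
    return None


def snat_reply(protocol, src_ip, src_port):
    """Rewrite the source of the server's reply back to the global address/port."""
    for proto, g_ip, g_port, i_ip, i_port in _ordered():
        if i_ip != src_ip:
            continue
        if proto is not None and proto != protocol:
            continue
        if i_port is not None and i_port != src_port:
            continue
        return g_ip, (g_port if g_port is not None else src_port)
    return None


def forward_inbound(protocol, dst_ip, dst_port, default="permit"):
    """NAT server first, then the interzone policy on the translated destination.
    Returns (action, inside ip, inside port), or None when nothing is mapped."""
    mapped = dnat_inbound(protocol, dst_ip, dst_port)
    if mapped is None:
        return None
    i_ip, i_port = mapped
    for proto, net, port in DENY_RULES:
        if proto == protocol and ipaddress.ip_address(i_ip) in net and port == i_port:
            return "deny", i_ip, i_port
    return default, i_ip, i_port


if __name__ == "__main__":
    print(forward_inbound("tcp", "202.168.0.11", 80))     # web: permitted, delivered to 8080
    print(forward_inbound("tcp", "202.168.0.12", 1021))   # ftp: mapped, then denied by policy
    print(forward_inbound("tcp", "202.168.0.11", 443))    # no mapping for this port
    print(snat_reply("tcp", "192.168.1.101", 8080))       # reply leaves as 202.168.0.11:80
```

Ordering matters here: because the policy names the inside subnet, it only behaves as intended if the destination is translated before the policy is evaluated, which is the sequence the configuration above relies on.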
NAT Configuration Verification
[Eudemon 200E]display nat all
16:32:49 2012/08/01
NAT information on zone:
Total 0 items on the zone
NAT information on interzone:
Total 0 items
NAT address-group information:
number : 1 name : ---
startaddr : 202.168.0.10 endaddr : 202.168.0.20
reference : 1 vrrp : ---
vpninstance : public
Total 1 address-groups
---- More ----
(Note: an address pool that is referenced by a NAT policy cannot be deleted directly.)
Summary
Which operational modes does Eudemon support?
What are the default Eudemon security zones?
What is the difference between a basic ACL and an advanced ACL?
Which forms of NAT does Eudemon support?
Thank you
www.huawei.com