HP Load Balancing Module Security Configuration Guide
Part number: 5998-4219
Software version: Feature 3221
Document version: 6PW100-20130326
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Security overview

Network security threats are actual or potential threats to data confidentiality, data integrity, data availability, or the authorized usage of a resource in a network system. Network security services provide solutions that eliminate or reduce those threats to different extents.

Network security threats
• Information disclosure—Information is leaked to an unauthorized person or entity.
• Damaging data integrity—Data integrity is damaged by unauthorized modification or destruction.
• Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
• Accounting—Records all network service usage information, including service type, start time, and traffic. The accounting function provides information required for charging, and allows for network security surveillance.
ALG
ALG can work with NAT to process payload information for application layer packets and implement address translation in packet payloads.

Session management
Session management is a common feature designed to implement session-based services such as NAT and intrusion protection.
RSH
Remote shell (RSH) allows users to execute OS commands on a remote host that runs the RSH daemon. The RSH daemon supports authentication of the privileged port on a trusted host. The device works as an RSH client, and you can use the rsh command to execute an OS command on a remote host.
Configuring security zones

Overview
In traditional firewall security policy applications, a firewall connects an internal network and an external network, and firewall security policies are deployed on inbound and outbound interfaces. With the development of firewall technologies, a firewall now connects the DMZ as well as the internal network and external network, and tends to provide more interfaces (for example, over ten physical interfaces) to connect more network segments.
Figure 1 Network diagram

Configuring a security zone in the Web interface

Recommended configuration procedure
Step 1. Creating a security zone
  Remarks: Optional. By default, the default VD Root has the following security zones: Management, Local, Trust, DMZ, and Untrust, and no security zone exists on user-defined VDs.
Step 2. Adding members to the security zone
  Remarks: Required. Add Layer 3 interfaces and Layer 2 interfaces with their VLANs to the security zone.
Figure 2 Security zone management page
2. Click Add.
Figure 3 Creating a security zone
3. Configure the security zone as described in Table 1.
4. Click Apply.

Table 1 Configuration items
Item: Zone ID
  Description: Specify the zone ID.
Item: Zone Name
  Description: Specify the zone name. The name any is not allowed.
Item: Preference
  Description: Set the preference of the security zone.
Figure 4 Modifying a security zone
3. Modify the zone as described in Table 2.
4. Click Apply.

Table 2 Configuration items
Item: Zone ID
  Description: Display the zone ID.
Item: Zone Name
  Description: Display the zone name.
Item: Preference
  Description: Set the preference of the specified security zone. By default, packets from a high priority security zone to a low priority security zone are allowed to pass.
Item: Share
  Description: Set whether the specified security zone can be referenced by other VDs.
Security zone configuration example

Network requirements
A company deploys a device (LB in Figure 5) to connect its internal network to the Internet, and it needs to provide WWW service and FTP service for external users. The security policy is to allow internal users to access the WWW and FTP servers and the Internet and to allow external users to access only the servers. Prepare LB for zone-based security policy deployment.
Figure 6 Configuring the Trust zone
2. Add interface GigabitEthernet 0/2 to security zone DMZ:
  a. Click the icon for security zone DMZ.
  b. Select interface GigabitEthernet0/2.
  c. Click Apply.
  d. Click Back to return to the security zone management page.
Figure 7 Configuring the DMZ zone
3. Add interface GigabitEthernet 0/3 to security zone Untrust:
  a. Click the icon for security zone Untrust.
  b. Select interface GigabitEthernet0/3.
  c. Click Apply.
  d. Click Back to return to the security zone management page.
Figure 8 Configuring the Untrust zone

Configuring a security zone at the CLI

Security zone configuration task list
Creating a security zone: Optional.
Setting the priority of a security zone: Optional.
Enabling the share attribute of a security zone: Optional.
Adding interfaces to a security zone: Required.
Creating an interzone instance: Optional.

Configuring a security zone
To configure a security zone for a VD, create the VD first.
Creating a security zone
When creating a security zone, you must specify a security zone name and a security zone ID, each of which must be unique on the device. To enter the view of an existing security zone, you can specify the security zone name, or specify both the security zone name and security zone ID. If you specify both the security zone name and security zone ID, make sure the two arguments identify the same security zone.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter VD system view.
  Command: switchto vd vd-name
  Remarks: Required for a security zone of a non-default VD.
Step 3. Enter security zone view.
  Command: zone name zone-name [ id zone-id ]
  Remarks: N/A
Step 4. Enable the share attribute of the security zone.
  Command: share enable
  Remarks: By default, the share attribute of a security zone is disabled, and only the native VD can use the security zone.
If the destination zone belongs to a different VD than the source zone, specify the destination zone in the format vd-name-zone-id. For example, to use the security zone with ID 2 on VD test as the destination zone, you must enter test-2.

To create an interzone instance:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter VD system view.
  Command: switchto vd vd-name
  Remarks: Required for a security zone of a non-default VD.
Step 3. Create an interzone instance and enter interzone instance view.
Configuring a time range

A time range resource defines a time range, which can be referenced by an ACL to control when a rule is effective. You can create a maximum of 256 time ranges, each having a maximum of 32 periodic statements and 12 absolute statements. If a time range has multiple statements, its active period is calculated as follows:
1. Combining all periodic statements.
2. Combining all absolute statements.
3.
4. Click Apply.

Table 3 Configuration items
Item: Name
  Description: Enter the name for the time range resource. If a time range resource with the specified name already exists, you can add time ranges to the time range resource. Otherwise, you can add a new time range resource.
Item: Periodic Time Range, Start Time
  Description: Set the start time of the periodic time range, in the hh:mm format (24-hour clock).
Item: Periodic Time Range, End Time
  Description: Set the end time of the periodic time range, in the hh:mm format (24-hour clock).
Configuring ACLs

An access control list (ACL) is a set of rules (permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The Web interface does not support IPv6 ACL configuration.

Overview
You can use ACLs in routing and other feature modules for identifying traffic. The packet drop or forwarding decision varies with the module that uses the ACL.
• auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is always matched before the rule. Table 4 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.

Table 4 Sorting ACL rules in depth-first order
ACL categories: IPv4 basic ACL, IPv4 advanced ACL, IPv6 basic ACL, IPv6 advanced ACL, Ethernet frame header ACL
Sequence of tie breakers:
1. VPN instance
2.
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules.
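The following model of an IPv4 basic ACL is an added example written for this section, not code from the HP guide or the device: it shows automatic rule numbering with the numbering step, rule overwriting on a reused ID, and the difference between config and auto (depth-first) match order. It assumes prefix notation for the source address (contiguous wildcard masks only) and models only the source-address tie breaker of depth-first ordering, since Table 4 is cut off on this page.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: int
    action: str    # "permit" or "deny"
    source: str    # source prefix, e.g. "10.1.1.0/24" (assumption: contiguous masks only)


@dataclass
class BasicAcl:
    number: int
    match_order: str = "config"   # "config" or "auto", as in match-order { auto | config }
    step: int = 5                 # default rule numbering step from the guide
    rules: list = field(default_factory=list)

    def add_rule(self, action: str, source: str, rule_id=None) -> int:
        """Create or edit a rule and return the rule ID that was used.

        Without an explicit ID, the next multiple of the step above the highest
        existing ID is assigned (0, 5, 10, 15, ... with the default step), which
        leaves gaps for later inserts. Reusing an existing ID overwrites that rule.
        """
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        ipaddress.ip_network(source)            # validate the prefix early
        if rule_id is None:
            used = [r.rule_id for r in self.rules]
            rule_id = 0 if not used else (max(used) // self.step + 1) * self.step
        self.rules = [r for r in self.rules if r.rule_id != rule_id]
        self.rules.append(Rule(rule_id, action, source))
        return rule_id

    def ordered(self):
        """Rules in the order the device would test them."""
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # auto (depth-first): a longer source prefix is a subset of a shorter one,
        # so it is tested first; ties fall back to rule ID. Only this tie breaker
        # is modelled here (assumption).
        return sorted(self.rules,
                      key=lambda r: (-ipaddress.ip_network(r.source).prefixlen, r.rule_id))

    def lookup(self, src_ip: str):
        """First-match evaluation. None means no rule matched; what then happens
        to the packet is decided by the module that references the ACL."""
        ip = ipaddress.ip_address(src_ip)
        for r in self.ordered():
            if ip in ipaddress.ip_network(r.source):
                return r.action, r.rule_id
        return None
```

With the same three rules, a host in 10.1.1.0/24 is permitted by rule 0 under config order but denied by rule 5 under auto order, which is why the match order matters when a deny for a subnet sits below a broader permit.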
Configuring ACLs in the Web interface

Recommended configuration procedure
Step 1. Creating an ACL.
  Remarks: Required. The category of the created ACL depends on the ACL number that you specify.
Step 2. Configuring an ACL rule:
  { Configuring a basic ACL rule
  { Configuring an advanced ACL rule
  { Configuring an Ethernet frame header ACL rule
  Remarks: Required. Complete one of the tasks according to the ACL category.
Step 3.
  Remarks: Optional. Necessary only when the ACL contains a large number of ACL rules.
Figure 12 ACL configuration page
3. Configure an ACL as described in Table 5.
4. Click Apply.

Table 5 Configuration items
Item: ACL Number
  Description: Enter a number for the ACL.
Item: Match Order
  Description: Select a match order for the ACL. Available values are:
  • Config—Sorts ACL rules in ascending order of rule ID.
  • Auto—Sorts ACL rules in depth-first order.
Item: Description
  Description: Enter a description for the ACL.

Configuring a basic ACL rule
1. Select Security > ACL from the navigation tree.
2.
Figure 14 Basic ACL rule configuration page
4. Configure a rule as described in Table 6.
5. Click Apply.

Table 6 Configuration items
Item: Rule ID
  Description: Select the Rule ID box, and enter a number for the rule. If you do not specify a rule ID, the system automatically assigns one to the rule. If the rule already exists, the configuration overwrites the old rule.
Item: Operation
  Description: Select the operation to be performed for matching packets:
  • Permit—Allows matching packets to pass.
Figure 15 Rules of an advanced ACL
3. Click Add to enter the advanced ACL rule configuration page.
Figure 16 Advanced ACL rule configuration page
4. Configure an advanced ACL rule as described in Table 7.
5. Click Apply.

Table 7 Configuration items
Item: Rule ID
  Description: Select the Rule ID box, and enter a number for the rule. If you do not specify the rule ID, the system assigns one automatically. If the rule already exists, the configuration overwrites the old rule.
Item: Operation
  Description: Select the action to be performed on matching packets:
  • Permit—Allows matching packets to pass.
  • Deny—Denies matching packets.
Item: Time Range
  Description: Select a time range for the rule. If you select None, the rule is always effective. Available time ranges are configured by selecting Security > Time Range from the navigation tree.
Item: Non-first Fragments Only
  Description: Select this box to apply the rule to only non-first fragments.
Item: ToS
  Description: Specify the ToS preference.
Item: Precedence
  Description: Specify the IP precedence.
Item: DSCP
  Description: Specify the DSCP priority. If you configure the IP precedence or ToS precedence and the DSCP priority, the DSCP priority takes effect.

Configuring an Ethernet frame header ACL rule
1. Select Security > ACL from the navigation tree.
2. Click the icon for an Ethernet frame header ACL to list its rules.
Figure 17 Rules of an Ethernet frame header ACL
3.
Table 8 Configuration items
Item: Rule ID
  Description: Select the Rule ID box, and enter a number for the rule. If you do not specify the rule ID, the system assigns one automatically. If the rule already exists, the configuration overwrites the old rule.
Item: Operation
  Description: Select the operation to be performed for matching packets:
  • Permit—Allows matching packets to pass.
  • Deny—Denies matching packets.
Item: Time Range
  Description: Select a time range for the rule.
Configuring ACLs at the CLI

Configuration task list
Task: Configuring a basic ACL; Configuring an advanced ACL; Configuring an Ethernet frame header ACL
  Remarks: Required. Configure at least one task. Applicable to IPv4 and IPv6.
Task: Copying an ACL
  Remarks: Optional. Applicable to IPv4 and IPv6.
Task: Enabling ACL acceleration for an IPv4 basic or IPv4 advanced ACL
  Remarks: Optional.

Configuring a basic ACL

Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on source IP addresses.
Step 7. Add or edit a rule range remark.
  Command: rule [ rule-id ] remark text
  Remarks: Optional. By default, no rule range remarks are configured.

Configuring an IPv6 basic ACL
IPv6 basic ACLs match packets based only on source IP addresses. To configure an IPv6 basic ACL:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an IPv6 basic ACL view and enter its view.
  Remarks: By default, no ACL exists.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an IPv4 advanced ACL and enter its view.
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists.
Step 3. Configure a description for the IPv4 advanced ACL.
  Command: description text
Step 4. Set the rule numbering step.
  Command: step step-value
Step 5. Create or edit a rule.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an IPv6 advanced ACL and enter its view.
  Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists.
Step 3. Configure a description for the IPv6 advanced ACL.
  Command: description text
Step 4. Set the rule numbering step.
  Command: step step-value
Step 5. Create or edit a rule.
Step 2. Create an Ethernet frame header ACL and enter its view.
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Step 3. Configure a description for the Ethernet frame header ACL.
  Command: description text
Step 4. Set the rule numbering step.
  Command: step step-value
Step 5. Create or edit a rule.
Copying an IPv6 basic or IPv6 advanced ACL
Step 1. Enter system view.
  Command: system-view
Step 2. Copy an existing IPv6 basic or IPv6 advanced ACL to create a new ACL.
  Command: acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }

Enabling ACL acceleration for an IPv4 basic or IPv4 advanced ACL
CAUTION:
• ACL acceleration is not available for ACLs that contain a non-contiguous wildcard mask.
Task: Display configuration and match statistics for IPv6 basic and IPv6 advanced ACLs.
  Command: display acl ipv6 { acl6-number | all | name acl6-name } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the configuration and status of one or all time ranges.
  Command: display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
[LB] time-range work 8:0 to 18:0 working-day
# Create an IPv6 advanced ACL numbered 3000 and configure three rules in the ACL. One rule permits access from the President's office to the database server, one rule permits access from the Financial department to the database server during working hours, and one rule denies access from other departments to the database server.
The output shows the database server cannot be pinged.
# Display configuration and match statistics for IPv6 advanced ACL 3000 on Device A during working hours.
Configuring AAA

The feature can be configured only at the CLI.

Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants user rights and controls user access to resources and services.
AAA can be implemented through multiple protocols. The device supports RADIUS and HWTACACS, of which RADIUS is most often used.

RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
Figure 22 Basic RADIUS message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request that carries the user's username and password to the RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the MD5 algorithm and the shared key.
3. The RADIUS server authenticates the username and password.
Figure 23 RADIUS packet format (fields in order: Code, Identifier, Length, Authenticator, Attributes)
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet.

Table 9 Main values of the Code field
Code: 1
  Packet type: Access-Request
  Description: From the client to the server. A packet of this type carries user information for the server to authenticate the user.
{ Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 10 shows a list of the attributes. For more information, see "Commonly used standard RADIUS attributes."
{ Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value sub-fields.
{ Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and Length sub-fields.
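The following is an added example written for this section, not code from the HP guide or the device. It builds an Access-Request with the User-Password hidden by the RFC 2865 method (the "MD5 with the shared key" step of the exchange described above), then parses the packet back, walking the Type/Length/Value attributes and rejecting inconsistent Length fields. The shared key, authenticator and user values are constructed for the example.

```python
import hashlib
import struct

# Values from the guide: Code 1 is Access-Request (Table 9); attribute numbers
# 1, 2 and 4 are User-Name, User-Password and NAS-IP-Address.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding.

    The password is NUL-padded to a multiple of 16 bytes; each 16-byte chunk is
    XORed with MD5(secret + previous ciphertext chunk), the first 'previous
    chunk' being the Request Authenticator. Anyone holding the shared key and a
    captured packet can undo this, which is why the key must be strong and
    the RADIUS path should be protected.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does with the same shared key)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte) + Length (1 byte, counts Type and Length too) + Value (<= 253 bytes)."""
    if not 1 <= attr_type <= 255:
        raise ValueError("attribute Type must be 1..255")
    if len(value) > 253:
        raise ValueError("attribute Value must be at most 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    length = HEADER_LEN + len(body)
    if len(authenticator) != 16 or length > 4096:
        raise ValueError("authenticator must be 16 bytes and packet at most 4096 bytes")
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + body


def parse_packet(data: bytes) -> dict:
    """Parse the header and walk the attribute TLVs, rejecting malformed lengths.

    Bytes beyond the Length field are padding and are ignored; a Length larger
    than the data actually received means a truncated packet and is rejected.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("Length field is inconsistent with the data received")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute Length runs past the packet")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier,
            "authenticator": data[4:HEADER_LEN], "attrs": attrs}


def is_well_formed(data: bytes) -> bool:
    """Accept/reject decision for callers that do not need the parsed fields."""
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False
```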
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations.
Figure 25 Basic HWTACACS message exchange process for a Telnet user
HWTACACS operates in the following manner:
1. A Telnet user sends an access request to the HWTACACS client.
2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6.
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password.
11. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
13. The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
14.
• Command accounting—Allows the accounting server to record all commands executed on the device or all authorized commands successfully executed. For more information about command accounting, see System Management Configuration Guide.
• Level switching authentication—Allows the authentication server to authenticate users who perform privilege level switching.
Commonly used standard RADIUS attributes
No. 1, User-Name: Name of the user to be authenticated.
No. 2, User-Password: User password for PAP authentication, only present in Access-Request packets when PAP authentication is used.
No. 3, CHAP-Password: Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used.
No. 4, NAS-IP-Address: IP address for the server to use to identify a client.
No. 61, NAS-Port-Type: Type of the physical port of the NAS that is authenticating the user. Possible values include:
  • 15—Ethernet.
  • 16—Any type of ADSL.
  • 17—Cable (with cable for cable TV).
  • 19—WLAN-IEEE 802.11.
  • 201—VLAN.
  • 202—ATM.
  If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201.
No. 79, EAP-Message: Used to encapsulate EAP packets to allow RADIUS to support EAP authentication.
No. 25, Result_Code: Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure.
No. 26, Connect_ID: Index of the user connection.
No. 28, Ftp_Directory: FTP user working directory. When the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory for an FTP user on the RADIUS client.
No. 29, Exec_Privilege: EXEC user priority.
2. Configure AAA methods for the ISP domain.
  { Authentication method—No authentication (none), local authentication (local), or remote authentication (scheme)
  { Authorization method—No authorization (none), local authorization (local), or remote authorization (scheme)
  { Accounting method—No accounting (none), local accounting (local), or remote accounting (scheme)
See Figure 28 for the configuration procedure.
Configuring AAA schemes

Configuring local users
To implement local AAA, you must create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by a username. Configurable local user attributes are as follows:
• Service type. Services that the user can use. Local authentication checks the service types of a local user.
Every configurable authorization attribute has specific application environments and purposes. When you configure authorization attributes for a local user, consider which attributes are needed and which are not. You can configure an authorization attribute in user group view or local user view to make the attribute effective for all local users in the group or for only the local user. The setting of an authorization attribute in local user view takes precedence over that in user group view.
Step 5. Place the local user in the active or blocked state.
  Command: state { active | block }
  Remarks: Optional. By default, a created local user is in active state and can request network services.
Step 6. Set the maximum number of concurrent users of the local user account.
  Command: access-limit max-user-number
  Remarks: Optional. The limit is effective only for local accounting, and is not effective for FTP users.
Step 7.
  • Set the password aging time: password-control aging aging-time
  • Set the minimum password
Configuring user group attributes
User groups simplify local user configuration and management. A user group comprises a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attribute management for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
Configuring RADIUS schemes
A RADIUS scheme specifies the RADIUS servers that the device can cooperate with and defines a set of parameters that the device uses to exchange information with the RADIUS servers. There might be authentication/authorization servers and accounting servers, or primary servers and secondary servers. The parameters include the IP addresses of the servers, the shared keys, and the RADIUS server type.
You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. If no redundancy is needed, specify only the primary server. A RADIUS authentication/authorization server can function as the primary authentication/authorization server for one scheme and a secondary authentication/authorization server for another scheme at the same time.
If you delete an accounting server that is serving users, the device no longer sends real-time accounting requests or stop-accounting requests for the users to that server, or buffers the stop-accounting requests. RADIUS does not support accounting for FTP users.

To specify RADIUS accounting servers and set relevant parameters for a scheme:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3.
  • Specify the primary RADIUS
Step 3. Specify a shared key for secure RADIUS authentication/authorization or accounting communication.
  Command: key { accounting | authentication } [ cipher | simple ] key
  Remarks: By default, no shared key is specified. The shared key configured on the device must be the same as that configured on the RADIUS server.

Specifying a VPN for the RADIUS scheme
You can specify a VPN for all the AAA servers in a RADIUS scheme.
Setting the supported RADIUS server type
The supported RADIUS server type determines the type of the RADIUS protocol that the device uses to communicate with the RADIUS server. It can be standard or extended:
• Standard—Uses the standard RADIUS protocol, compliant with RFC 2865 and RFC 2866 or later.
• Extended—Uses the proprietary RADIUS protocol of HP. When the RADIUS server runs on IMC, you must set the RADIUS server type to extended.
functioning as the backup of the primary servers. Typically, the device chooses servers based on these rules:
• When the primary server is in active state, the device communicates with the primary server.
• If the primary server fails, the device changes the server's status to blocked, starts a quiet timer for the server, and tries to communicate with a secondary server in active state (a secondary server configured earlier has a higher priority).
Step 3. Set the RADIUS server status.
  Commands:
  • Set the status of the primary RADIUS authentication/authorization server: state primary authentication { active | block }
  • Set the status of the primary RADIUS accounting server: state primary accounting { active | block }
  • Set the status of a secondary RADIUS authentication/authorization server: state secondary authentication [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
  Remarks: Optional.
To specify a source IP address for a specific RADIUS scheme:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3. Specify a source IP address for outgoing RADIUS packets.
  Command: nas-ip { ip-address | ipv6 ipv6-address }
  Remarks: By default, the IP address of the outbound interface is used as the source IP address.
To set RADIUS timers:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3. Set the RADIUS server response timeout timer.
  Command: timer response-timeout seconds
  Remarks: Optional. The default RADIUS server response timeout timer is 3 seconds.
Step 4. Set the server quiet timer.
  Command: timer quiet minutes
  Remarks: Optional. The default server quiet timer is 5 minutes.
Step 5. Set the real-time accounting interval.
  Command: timer realtime-accounting minutes
  Remarks: Optional.
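The following simulation is an added example written for this section, not code from the HP guide or the device. It models the server selection rules described above (primary first, then secondaries in configuration order, a failed server marked blocked with its quiet timer started) together with the response timeout and quiet timer defaults of 3 seconds and 5 minutes. It assumes that time is a float in seconds supplied by the caller, that a blocked server returns to active when its quiet timer runs out, and that each server gets one attempt (retransmission is not modelled); the addresses and the set of reachable servers are constructed.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    address: str
    role: str                 # "primary" or "secondary"
    state: str = "active"     # "active" or "blocked", as in state ... { active | block }
    blocked_at: float = None  # time at which the server entered the blocked state


class RadiusScheme:
    """Server selection for one RADIUS scheme (authentication or accounting)."""

    def __init__(self, primary: str, secondaries, quiet_minutes: int = 5,
                 response_timeout_s: int = 3):
        if len(secondaries) > 16:
            raise ValueError("at most 16 secondary servers per scheme")
        if quiet_minutes < 1:
            raise ValueError("quiet timer must be at least 1 minute (assumption)")
        # Configuration order is preserved: an earlier secondary has higher priority.
        self.servers = [RadiusServer(primary, "primary")]
        self.servers += [RadiusServer(s, "secondary") for s in secondaries]
        self.quiet_seconds = quiet_minutes * 60
        self.response_timeout = response_timeout_s

    def _expire_quiet_timers(self, now: float) -> None:
        # Assumption: a blocked server is reactivated once its quiet timer expires.
        for s in self.servers:
            if s.state == "blocked" and now - s.blocked_at >= self.quiet_seconds:
                s.state, s.blocked_at = "active", None

    def select(self, now: float):
        """Primary if active, otherwise the first active secondary, else None."""
        self._expire_quiet_timers(now)
        for s in self.servers:
            if s.state == "active":
                return s
        return None

    def mark_failed(self, server: RadiusServer, now: float) -> None:
        server.state, server.blocked_at = "blocked", now

    def send(self, now: float, reachable):
        """Try servers in priority order until one answers.

        reachable is the set of addresses that would answer (constructed input).
        Returns (address or None, number of servers tried).
        """
        tried = 0
        while True:
            server = self.select(now)
            if server is None:
                return None, tried
            tried += 1
            if server.address in reachable:
                return server.address, tried
            # No answer within the response timeout: block the server and
            # start its quiet timer, then fall through to the next candidate.
            now += self.response_timeout
            self.mark_failed(server, now)
```

With all three servers unreachable the walk costs three response timeouts (9 seconds with the default) before the request fails, and the primary is retried only after its quiet timer expires, which is the trade-off to keep in mind when lowering these timers.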
To configure the IP address of the security policy server for a scheme:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3. Specify a security policy server.
  Command: security-policy-server ip-address
  Remarks: No security policy server is specified by default. You can specify up to eight security policy servers for a RADIUS scheme.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the trap function for RADIUS.
  Command: radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
  Remarks: Disabled by default.

Enabling the RADIUS client service
To receive and send RADIUS packets, enable the RADIUS client service on the device. If RADIUS is not required, disable the RADIUS client service to avoid attacks that exploit RADIUS packets.
HWTACACS configuration task list
Creating an HWTACACS scheme: Required.
Specifying the HWTACACS authentication servers: Required.
Specifying the HWTACACS authorization servers: Optional.
Specifying the HWTACACS accounting servers and the relevant parameters: Optional.
Specifying the shared keys for secure HWTACACS communication: Required.
Specifying a VPN for the HWTACACS scheme: Optional.
Setting the username format and traffic statistics units: Optional.
Specifying the source IP address for
Step 3. Specify HWTACACS authentication servers.
  Commands:
  • Specify the primary HWTACACS authentication server: primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
  • Specify the secondary HWTACACS authentication server: secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
  Remarks: Configure at least one command. No authentication server is specified by default.
enable buffering of non-responded stop-accounting requests to allow the device to buffer and resend a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit. In the latter case, the device discards the packet. An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time.
Specifying a VPN for the HWTACACS scheme
You can specify a VPN for all the AAA servers in an HWTACACS scheme. However, the VPN has a lower priority than those configured for individual HWTACACS servers.

To specify a VPN for an HWTACACS scheme:
Step 1. Enter system view.
  Command: system-view
Step 2. Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
Step 3. Specify a VPN for the HWTACACS scheme.
The source address of outgoing HWTACACS packets is typically the IP address of an egress interface on the NAS to communicate with the HWTACACS server. In some cases, however, you must change the source IP address. For example, if a NAT device is present between the NAS and the HWTACACS server, the source IP address of outgoing HWTACACS packets must be a public IP address of the NAS.
real-time accounting, the device must periodically send real-time accounting packets to the accounting server for online users. Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance.
To set HWTACACS timers:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name. Remarks: N/A.
Step 3. Set the HWTACACS server response timeout timer. Remarks: Optional.
Creating an ISP domain
In a networking scenario with multiple ISPs, the device can connect users of different ISPs. Different ISP users can have different user attributes (such as username and password structures), different service types, and different rights. To manage these ISP users, you need to create ISP domains and then configure AAA methods and domain attributes for each ISP domain. The device can accommodate up to 16 ISP domains, including the system-predefined ISP domain named system.
• Self-service server location—Allows users to access the self-service server to manage their own accounts and passwords.
An ISP domain attribute applies to all users in the domain. A self-service RADIUS server running on IMC is required for the self-service server location function to work.
To configure ISP domain attributes:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter ISP domain view. Command: domain isp-name. Remarks: N/A.
Step 3. Remarks: Optional.
Configuration prerequisites Before configuring authentication methods, complete the following tasks: • For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. Local and none authentication methods do not require a scheme. • Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type to limit the authentication protocols that users can use for access.
Step 5. Specify the authentication method for privilege level switching. Command: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }. Remarks: Optional. The default authentication method is used by default.

Configuring authorization methods for an ISP domain
In AAA, authorization is a separate process at the same level as authentication and accounting.
• You can configure local authorization (local) or no authorization (none) as the backup for remote authorization that is used when the remote authorization server is unavailable.
• Local authorization (local) and no authorization (none) cannot have a backup method.
Configuration procedure
To configure authorization methods for an ISP domain:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter ISP domain view. Command: domain isp-name. Remarks: N/A.
Step 3.
Configuration guidelines
When configuring accounting methods, follow these guidelines:
• You can configure a default accounting method for an ISP domain. This method will be used for all users who support the accounting method and have no specific accounting method configured.
• You can configure local accounting (local) or no accounting (none) as the backup for remote accounting that is used when the remote accounting server is unavailable.
Task: Display information about user connections. Command: display connection [ domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Select the access device type HP (General). Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
c. Click OK.
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the device, which is chosen in the following order:
• IP address specified with the nas-ip command on the device.
• IP address specified with the radius nas-ip command on the device.
Figure 31 Adding an account for device management
Configuring LB module
# Assign an IP address to interface GigabitEthernet 0/1, the Telnet user access interface.
system-view
[LB] interface gigabitethernet 0/1
[LB-GigabitEthernet0/1] ip address 192.168.1.70 255.255.255.0
[LB-GigabitEthernet0/1] quit
# Configure the IP address of interface GigabitEthernet 0/2, through which LB module communicates with the server.
[LB] interface gigabitethernet 0/2
[LB-GigabitEthernet0/2] ip address 10.1.1.2 255.255.
# Set the shared key for secure authentication communication to expert.
[LB-radius-rad] key authentication expert
# Specify the service type for the RADIUS server, which must be extended when the server runs on IMC.
[LB-radius-rad] server-type extended
# Include the domain names in usernames sent to the RADIUS server.
[LB-radius-rad] user-name-format with-domain
[LB-radius-rad] quit
# Configure the AAA methods for domain bbb.
# Enable the Telnet server on the device.
[LB] telnet server enable
# Configure LB module to use AAA for Telnet users.
[LB] user-interface vty 0 4
[LB-ui-vty0-4] authentication-mode scheme
[LB-ui-vty0-4] quit
# Create a local user named telnet.
[LB] local-user telnet
[LB-luser-telnet] service-type telnet
[LB-luser-telnet] password simple aabbcc
[LB-luser-telnet] quit
# Configure the AAA methods for the ISP domain as local authentication and authorization.
Figure 33 Network diagram
Configuration considerations
1. Configure LB module to use AAA, particularly, local authentication for Telnet users:
2. Create a local user account, configure the password, and assign the privilege level for the user to enjoy after login. On LB module, configure the authentication method for user privilege level switching:
3. Create ISP domain bbb and configure it to use local authentication for Telnet users.
[LB-ui-vty0-4] authentication-mode scheme
[LB-ui-vty0-4] quit
# Use RADIUS authentication for user privilege level switching authentication and, if RADIUS authentication is not available, use local authentication.
[LB] super authentication-mode scheme local
# Create RADIUS scheme rad.
[LB] radius scheme rad
# Specify the IP address of the primary authentication server as 10.1.1.1, and the port for authentication as 1812.
[LB-radius-rad] primary authentication 10.1.1.
A username configured on the RADIUS server is in the format $enablevel$, where level specifies the privilege level to which the user wants to switch.
Figure 34 Configuring a username for privilege level switching (take $enab1$ for example)
Figure 35 List of the usernames for privilege level switching
3. Verify the configuration.
* Without the owner's prior written consent, * * no decompiling or reverse-engineering shall be allowed.
• The user is not configured on the RADIUS server.
• The password entered by the user is incorrect.
• The RADIUS server and the NAS are configured with different shared keys.
Solution
Check that:
• The NAS and the RADIUS server can ping each other.
• The username is in the userid@isp-name format and the ISP domain is correctly configured on the NAS.
• The user is configured on the RADIUS server.
• The correct password is entered.
• The accounting server IP address is correctly configured on the NAS.
Troubleshooting HWTACACS
Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."
Configuring password control
Password control can be configured only at the CLI.
Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes password control functions in detail.
• Minimum password length
By setting a minimum password length, you can force users to use passwords long enough for system security.
With this feature enabled, the system maintains certain entries of passwords that a user has used. When a user changes the password, the system checks the new password against the used ones. The new password must be different from the used ones by at least four characters and the four characters must not be the same. Otherwise, the user will fail to change the password and the system displays an error message.
• Password complexity checking
A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure that all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password.
Task / Remarks:
• Enabling password control: Required.
• Setting global password control parameters: Optional.
• Setting user group password control parameters: Optional.
• Setting local user password control parameters: Optional.
• Setting super password control parameters: Optional.
• Setting a local user password in interactive mode: Optional.
Enabling password control
1. Enable the global password control feature in system view.
Step 2. Set the password aging time. Command: password-control aging aging-time.
Step 3. Set the minimum password update interval. Command: password-control password update interval interval.
Step 4. Set the minimum password length. Command: password-control length length.
Step 5. Configure the password composition policy. Command: password-control composition type-number type-number [ type-length type-length ].
Step 6. Configure the password complexity checking policy. Command: password-control complexity { same-character | user-name } check.
Step 7.
Step 3. Configure the password aging time for the user group. Command: password-control aging aging-time. Remarks: Optional. By default, the password aging time of the user group equals the global password aging time.
Step 4. Configure the minimum password length for the user group. Command: password-control length length. Remarks: Optional. By default, the minimum password length of the user group equals the global minimum password length.
Step 5. Configure the password composition policy for the user group. Remarks: Optional.
Setting super password control parameters CLI commands fall into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, login users fall into four levels, each corresponding to a command level. A user of a certain level can only use the commands at that level or lower levels. To switch from a lower user level to a higher one, a user needs to enter a password for authentication. This password is called a super password.
Task: Display information about users in the password control blacklist. Command: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Delete users from the password control blacklist. Command: reset password-control blacklist [ user-name name ]. Remarks: Available in user view.
Task: Clear history password records. Remarks: Available in user view.
[LB] password-control password update interval 36
# Specify that a user can log in five times within 60 days after the password expires.
[LB] password-control expired-user-login delay 60 times 5
# Set the maximum account idle time to 30 days.
[LB] password-control login idle-time 30
# Refuse any password that contains the username or the reverse of the username.
[LB] password-control complexity user-name check
# Specify that no character of the password can be repeated three or more times consecutively.
Login attempt-failed action: Lock
Minimum password update time: 36 hours
User account idle-time: 30 days
Login with aged password: 5 times in 60 day(s)
Password complexity: Enabled (username checking)
                     Enabled (repeated characters checking)
# Display the password control configuration for super passwords.
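The password control rules described in this section (minimum length, composition policy, the user-name and same-character complexity checks, and the password history check), carried through as an added Python example; this is illustrative code, not the module's own implementation. The policy defaults, the case-insensitive username match, and the reading of the history rule as "at least four differing character positions" are assumptions noted in the comments.

```python
"""Password control policy checks modelled on the password-control functions:
length, composition, complexity (user-name / same-character) and history."""
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Mirrors the global password-control parameters; defaults are constructed."""
    min_length: int = 10                 # password-control length
    type_number: int = 1                 # password-control composition type-number
    type_length: int = 1                 # ... [ type-length ]
    user_name_check: bool = False        # password-control complexity user-name check
    same_character_check: bool = False   # password-control complexity same-character check
    history_min_diff: int = 4            # new password must differ from used ones by >= 4 chars


# The four composition character types: uppercase, lowercase, digits, special.
CHAR_TYPES = {
    "upper": lambda c: c.isupper(),
    "lower": lambda c: c.islower(),
    "digit": lambda c: c.isdigit(),
    "special": lambda c: not c.isalnum(),
}


def _differing_chars(a: str, b: str) -> int:
    """Differing positions plus any length difference (assumed reading of
    'different from the used ones by at least four characters')."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


def check_password(password: str, username: str, policy: PasswordPolicy,
                   history: tuple = ()) -> list:
    """Return the names of the rules the candidate password violates;
    an empty list means the password would be accepted."""
    failures = []

    if len(password) < policy.min_length:
        failures.append("length")

    # Composition: at least type_number character types must be present,
    # each with at least type_length characters.
    counts = {name: sum(1 for c in password if pred(c))
              for name, pred in CHAR_TYPES.items()}
    qualifying = [name for name, n in counts.items() if n >= policy.type_length]
    if len(qualifying) < policy.type_number:
        failures.append("composition")

    # Complexity, user-name check: refuse the username or its reverse
    # anywhere in the password (case-insensitive match is an assumption).
    if policy.user_name_check and username:
        lowered, uname = password.lower(), username.lower()
        if uname in lowered or uname[::-1] in lowered:
            failures.append("user-name")

    # Complexity, same-character check: no character repeated three or
    # more times consecutively (e.g. "aaa").
    if policy.same_character_check and re.search(r"(.)\1\1", password):
        failures.append("same-character")

    # History: compare against previously used passwords.
    if any(_differing_chars(password, old) < policy.history_min_diff
           for old in history):
        failures.append("history")

    return failures


if __name__ == "__main__":
    # Constructed policy matching the configuration example above.
    policy = PasswordPolicy(min_length=10, type_number=3, type_length=2,
                            user_name_check=True, same_character_check=True)
    for candidate in ("Ty9#kq2!Wz", "nimda111Tx", "Ab1!"):
        print(candidate, "->", check_password(candidate, "admin", policy) or "accepted")
```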
Managing public keys To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 36.
Task / Remarks:
• Configuring a local asymmetric key pair on the local device (choose one or more tasks):
  Creating a local asymmetric key pair
  Displaying or exporting the local host public key
  Destroying a local asymmetric key pair
• Specifying the peer public key on the local device
Creating a local asymmetric key pair
When you create an asymmetric key pair on the local device, follow these guidelines:
• Create an asymmetric key pair of the proper type to work with a target application.
Displaying and recording the host public key information
Task: Display the local RSA public keys. Command: display public-key local rsa public [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. The display public-key local rsa public command displays both the RSA server and host public keys. Recording the RSA host public key is enough.
After you display the host public key, record the key information for manual configuration of the key on the peer device.
To destroy a local asymmetric key pair:
Step 1. Enter system view. Command: system-view.
Step 2. Destroy a local asymmetric key pair. Command: public-key local destroy rsa.
Specifying the peer public key on the local device
In SSH, to enable the local device to authenticate a peer device, specify the peer public key on the local device. The device supports up to 20 peer public keys. For information about displaying or exporting the host public key, see "Displaying or exporting the local host public key."
Step 5. Return to public key view. Command: public-key-code end. Remarks: When you exit public key code view, the system automatically saves the public key.
Step 6. Return to system view. Command: peer-public-key end. Remarks: N/A.
Displaying public keys
Task: Display the local public keys. Command: display public-key local rsa public [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display the specified or all peer public keys on the local device.
++++++ ++++++++ ++++++++
# Display the public keys of the local RSA key pairs.
[DeviceB-pkey-public-key] peer-public-key end
# Display the host public key of Device A saved on Device B.
++++++ ++++++++ ++++++++
# Display the public keys of the local RSA key pairs.
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
[ftp] binary
200 Type set to I.
[ftp] get devicea.pub
227 Entering Passive Mode (10,1,1,1,5,148).
125 BINARY mode data connection already open, transfer starting for /devicea.pub.
226 Transfer complete.
FTP: 299 byte(s) received in 0.189 second(s), 1.00Kbyte(s)/sec.
[ftp] quit
221 Server closing.
4.
Configuring SSL
Secure Sockets Layer (SSL) can be configured only at the CLI.
Overview
Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to provide secure data transmission over the Internet.
Figure 40 SSL protocol stack
• SSL record protocol—Fragments data to be transmitted, computes and adds a MAC to the data, and encrypts the data before transmitting it to the peer end.
• SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client.
Step 3. Specify a PKI domain for the SSL server policy. Command: pki-domain domain-name. Remarks: Optional. By default, no PKI domain is specified for an SSL server policy, and the SSL server generates and signs a certificate for itself and does not obtain a certificate from a CA server. If SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL server in the PKI domain.
Figure 41 Network diagram
Configuration considerations
To achieve the goal, perform the following configurations:
• Configure LB module to work as the HTTPS server and request a certificate for LB module.
• Request a certificate for Host so LB module can authenticate the identity of Host.
• Configure a CA server to issue certificates to LB module and Host.
Configuration procedure
In this example, the CA server runs Windows Server and has the SCEP plug-in installed.
# Specify the PKI domain for the SSL server policy as 1.
[LB-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[LB-ssl-server-policy-myssl] client-verify enable
[LB-ssl-server-policy-myssl] quit
# Configure HTTPS service to use SSL server policy myssl.
[LB] ip https ssl-server-policy myssl
# Enable HTTPS service.
[LB] ip https enable
# Create a local user named usera, and set the password to 123, user privilege level to 3, and service type to web.
Step 3. Specify a PKI domain for the SSL client policy. Command: pki-domain domain-name. Remarks: Optional. No PKI domain is specified by default. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL client in the PKI domain. For information about how to configure a PKI domain, see "Configuring PKI."
Step 6. Specify the preferred cipher suite for the SSL client policy.
Solution
1. Issue the debugging ssl command and view the debugging information to locate the problem:
2. If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, request one for it. If the server's certificate cannot be trusted, install the root certificate of the CA that issued the local certificate to the SSL server on the SSL client, or let the server request a certificate from the CA that the SSL client trusts.
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and file transfer securely over an insecure network. SSH uses the typical client/server model, establishing a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security.
Stage / Description:
Algorithm negotiation: SSH supports multiple algorithms. Based on the local algorithms, the two parties determine the key exchange algorithm for generating session keys, the encryption algorithm for encrypting data, the public key algorithm for digital signature and authentication, and the HMAC algorithm for protecting data integrity.
• Password-publickey authentication—The server requires clients that run SSH2 to pass both password authentication and publickey authentication. However, if a client runs SSH1, it only needs to pass either authentication.
• Any authentication—The server requires the client to pass either password authentication or publickey authentication.
SSH server configuration task list
Task / Remarks:
• Generating local RSA key pairs: Required.
• Enabling the SSH server function: Required for Stelnet, SFTP and SCP servers.
• Enabling the SFTP server function: Required only for SFTP server.
• Configuring the user interfaces for SSH clients: Required.
• Configuring a client's host public key: Required if publickey authentication is configured for users and the clients directly send the public keys to the server for validity check. See "Configuring PKI."
To enable the SSH server function:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable the SSH server function. Command: ssh server enable. Remarks: Disabled by default.
Enabling the SFTP server function
The SFTP server function enables clients to log in to the SFTP server through SFTP. When the device functions as the SFTP server, only one client can access the SFTP server at one time, and the SFTP server does not have restrictions on the user privilege.
Step 4. Configure the user interface to support SSH login. Command: protocol inbound { all | ssh }. Remarks: Optional. By default, Telnet and SSH are supported. For more information about this command, see System Management Command Reference.
Configuring a client's host public key
This configuration task is only necessary if publickey authentication is configured for users and the clients directly send the public key to the server for authentication.
Step 5. Return to public key view and save the configured host public key. Command: public-key-code end. Remarks: When you exit public key code view, the system automatically saves the public key.
Step 6. Return to system view. Command: peer-public-key end. Remarks: N/A.
Importing a client public key from a public key file
Step 1. Enter system view. Command: system-view.
Step 2. Import the public key from a public key file.
• If publickey authentication, whether with password authentication or not, is used, the command level accessible to the user is set by the user privilege level command on the user interface. If only password authentication is used, the command level accessible to the user is authorized by AAA.
• SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or all.
Step 2. Enable the SSH server to support SSH1 clients. Command: ssh server compatible-ssh1x enable. Remarks: Optional. By default, the SSH server supports SSH1 clients.
Step 3. Set the RSA server key pair update interval. Command: ssh server rekey-interval hours. Remarks: Optional. By default, the interval is 0, and the RSA server key pair is not updated.
Step 4. Set the SSH user authentication timeout period. Command: ssh server authentication-timeout time-out-value. Remarks: Optional. 60 seconds by default.
Step 5. Remarks: Optional. 3 by default.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Specify a source IP address or source interface for the Stelnet client. Commands (use either approach):
• Specify a source IPv4 address or source interface for the Stelnet client: ssh client source { interface interface-type interface-number | ip ip-address }
• Specify a source IPv6 address or source
Establishing a connection to an Stelnet server
You can launch the Stelnet client to establish a connection to an Stelnet server, and specify the public key algorithm, the preferred encryption algorithm, the preferred HMAC algorithm, and the preferred key exchange algorithm.
To establish a connection to an Stelnet server:
Task: Establish a connection to an Stelnet server. Commands:
• Establish a connection to an IPv4 server:
Specifying a source IP address or source interface for the SFTP client By default, an SFTP client uses the IP address of the outbound interface specified by the route to the SFTP server as the source IP address to communicate with the SFTP server. You can change the source IP address or specify a source interface for the client.
Task: Establish a connection to an SFTP server and enter SFTP client view. Commands:
• Establish a connection to an IPv4 SFTP server:
Step 8. Delete one or more directories from the SFTP server. Command: rmdir remote-path&<1-10>. Remarks: Optional.
Working with SFTP files
SFTP file operations include:
• Changing the name of a file
• Downloading a file
• Uploading a file
• Displaying a list of the files
• Deleting a file
To work with SFTP files:
Step 1. Enter SFTP client view (for more information, see "Establishing a connection to an SFTP server."). Remarks: N/A.
Step 2.
Terminating the connection with the SFTP server
Step 1. Enter SFTP client view (for more information, see "Establishing a connection to an SFTP server."). Remarks: N/A.
Step 2. Terminate the connection with the SFTP server and return to user view. Commands: bye, exit, or quit. Remarks: Use any of the commands. These three commands function in the same way.
Configuring the device as an SCP client
This section describes how to configure the device as an SCP client.
Displaying and maintaining SSH
Task: Display the source IP address or interface configured for the SFTP client. Command: display sftp client source [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display the source IP address or interface information configured for the Stelnet client. Command: display ssh client source [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
# Generate the RSA key pairs.
system-view
[LB] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++ ++++++++++++++ +++++ ++++++++
# Enable the SSH server function.
Figure 44 Specifying the host name (or IP address) c. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the command-line interface of the server.
Configuration considerations
In the server configuration, the client public key is required. Use the client software to generate the RSA key pair on the client before configuring the Stelnet server. The device supports a variety of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY Version 0.58 on the Stelnet client.
Configuration procedure
1. Generate an RSA key pair on the Stelnet client:
a. Launch PuTTYGen.exe, select SSH-2 RSA and click Generate.
Figure 47 Generating process b. After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
c. Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection.
d. Click Yes and enter the name of the file for saving the key (private.ppk in this case).
e. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[LB] public-key local create rsa
The range of public key size is (512 ~ 2048).
Figure 49 Specifying the host name (or IP address) c. Select Connection > SSH > Auth from the navigation tree. d. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk) and click OK.
Figure 50 Specifying the private key file
e. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the command-line interface of the server.
When the LB module acts as an Stelnet client for password authentication
Network requirements
As shown in Figure 51, you can log in to the router through the Stelnet client running on the LB module.
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++ ++++++++++++++ +++++ ++++++++
# Enable the SSH server function.
[Router] ssh server enable
# Configure an IP address for interface GigabitEthernet 0/1, which the Stelnet client will use as the destination address of the SSH connection.
Connected to 192.168.1.40 ...
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
Enter password:
After you enter the correct password, you can log in to the router successfully.
• If the client does not support first-time authentication, perform the following configurations.
# Disable first-time authentication.
[LB] undo ssh client first-time
# Configure the host public key of the SSH server.
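The two trust modes shown above (first-time authentication, where the user is asked whether to continue to an unauthenticated server, versus a host public key configured on the client in advance, as in "Specifying the peer public key on the local device"), carried through as an added Python example that is not the module's own code. It parses an OpenSSH-format ssh-rsa public key line of the kind exported to a .pub file, derives its SHA256 fingerprint, and applies the verification decision; the toy RSA numbers and the server address 192.168.1.40 are constructed for the demo.

```python
"""Parse an ssh-rsa public key line, fingerprint it, and apply the Stelnet
client's verification decision: pinned host key versus first-time mode."""
import base64
import hashlib
import struct

# Constructed toy RSA public numbers for the demo; NOT a real key and far too
# small for use (the module generates 512- to 2048-bit keys).
TOY_E = 65537
TOY_N = 0xC3A59B117F0E2D4B8E6C1A375D90F2A1


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement; a leading 0x00 is
    prepended when the top bit is set so the number is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_public_key(e: int, n: int) -> bytes:
    """Wire-format blob carried in the base64 field of an ssh-rsa line."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def public_key_line(e: int, n: int, comment: str = "constructed-key") -> str:
    """Build the 'ssh-rsa <base64> comment' line as found in a .pub file."""
    return "ssh-rsa " + base64.b64encode(encode_rsa_public_key(e, n)).decode() + " " + comment


def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[offset:offset + length], offset + length


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_rsa_public_key(line: str) -> dict:
    """Decode 'ssh-rsa <base64> [comment]' and check the blob is well formed."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    name, off = _read_string(blob, 0)
    if name != b"ssh-rsa":
        raise ValueError("algorithm name inside the blob does not match")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    n = int.from_bytes(n_bytes, "big")
    return {"e": int.from_bytes(e_bytes, "big"), "n": n,
            "bits": n.bit_length(), "fingerprint": fingerprint(blob)}


def verify_server_key(server: str, presented_line: str, configured: dict,
                      first_time_enabled: bool, user_continues: bool = False) -> tuple:
    """Decide whether the client may proceed with the server key it was sent.

    configured maps server address -> fingerprint of the host public key
    configured on the client (the 'undo ssh client first-time' deployment).
    first_time_enabled models the default mode, where a server with no
    configured key is accepted only if the user answers Y to
    'The Server is not authenticated. Continue?'.
    """
    fp = parse_rsa_public_key(presented_line)["fingerprint"]
    pinned = configured.get(server)
    if pinned is not None:
        # A configured key is authoritative: any mismatch is a hard failure.
        return ("accept", fp) if pinned == fp else ("reject", "host key mismatch")
    if not first_time_enabled:
        return ("reject", "no host public key configured for server")
    if user_continues:
        return ("accept-unauthenticated", fp)
    return ("reject", "user declined unauthenticated server")


if __name__ == "__main__":
    line = public_key_line(TOY_E, TOY_N)
    key = parse_rsa_public_key(line)
    print("server key", key["bits"], "bits, fingerprint", key["fingerprint"])
    print(verify_server_key("192.168.1.40", line, {}, first_time_enabled=False))
    print(verify_server_key("192.168.1.40", line, {"192.168.1.40": key["fingerprint"]},
                            first_time_enabled=False))
```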
Enter password:
After you enter the correct username and password, you can log in to the router successfully.
When the LB module acts as an Stelnet client for publickey authentication
Network requirements
As shown in Figure 52, you can log in to the router through the Stelnet client that runs on LB module. The router acts as the Stelnet server, adopting publickey authentication and the RSA public key algorithm.
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++ ++++++++++++++ +++++ ++++++++
# Enable the SSH server function.
[Router] ssh server enable
# Configure an IP address for interface GigabitEthernet 0/1, which the Stelnet client will use as the destination address of the SSH connection.
SFTP configuration examples
When the LB module acts as an SFTP server for password authentication
Network requirements
As shown in Figure 53, you can log in to the LB module through the SFTP client that runs on the host. The LB module acts as the SFTP server and uses password authentication. The username and password of the client are saved on the LB module.
Figure 53 Network diagram
Configuration procedure
1. Configure the SFTP server:
# Generate the RSA key pairs.
[LB-ui-vty0-4] quit
# Configure a local user named client002 with the password aabbcc and the service type ssh.
[LB] local-user client002
[LB-luser-client002] password simple aabbcc
[LB-luser-client002] service-type ssh
[LB-luser-client002] quit
# Configure the user authentication method as password and service type as SFTP.
[LB] ssh user client002 service-type sftp authentication-type password
2. Establish a connection to the SFTP server:
The device supports a variety of SFTP client software.
Figure 55 Network diagram
Configuration considerations
In the server configuration, the client public key is required. Use the client software to generate an RSA key pair on the client before configuring the SFTP server.
Configuration procedure
1. Configure the SFTP client:
# Configure an IP address for interface GigabitEthernet 0/1.
system-view
[LB] interface gigabitethernet 0/1
[LB-GigabitEthernet0/1] ip address 192.168.0.2 255.255.255.0
[LB-GigabitEthernet0/1] quit
# Generate the RSA key pairs.
++++++++
# Enable the SSH server function.
[Router] ssh server enable
# Enable the SFTP server function.
[Router] sftp server enable
# Configure an IP address for interface GigabitEthernet 0/1, which the client will use as the destination address of the SSH connection.
[Router] interface gigabitethernet 0/1
[Router-GigabitEthernet0/1] ip address 192.168.0.1 255.255.255.0
[Router-GigabitEthernet0/1] quit
# Set the authentication mode of the user interface to AAA.
This operation might take a long time. Please wait...
File successfully Removed
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
# Add a directory named new1 and check that it has been created successfully.
# Exit SFTP client view.
sftp-client> quit
Connection closed.
SCP configuration example
This section provides an example of configuring SCP for file transfer with password authentication.
Network requirements
As shown in Figure 56, the LB module acts as an SCP client and the router acts as an SCP server. A user can securely transfer files with the router through LB module. The router uses the password authentication method and the client's username and password are saved on the router.
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
# Create a local user named client001 with the password aabbcc and service type ssh.
[Router] local-user client001
[Router-luser-client001] password simple aabbcc
[Router-luser-client001] service-type ssh
[Router-luser-client001] quit
# (Optional.) Configure the SSH user client001 with service type scp and authentication method password.
[Router] ssh user client001 service-type scp authentication-type password
2.
Configuring RSH
The feature can be configured only at the CLI.
Remote shell (RSH) allows users to execute OS commands on a remote host that runs the RSH daemon. Windows NT, 2000, XP, and 2003 ship without an RSH daemon; the RSH daemon must be obtained and installed separately on the remote host. The RSH daemon authenticates an RSH client by username. Figure 57 shows a network diagram for the typical RSH application.
Figure 58 Network diagram

Configuration procedure
1. Check that the RSH daemon has been installed and started properly on the remote host:
a. From the Windows Control Panel, open the Administrative Tools folder. (For Windows XP, if you use the category view of the Control Panel window, select Administrative Tools from Performance and Maintenance.)
Figure 59 Administrative Tools folder
b. Double-click the Services icon to display the Services window.
Figure 60 Services window
c.
d. Look at the Status column to check whether the Remote Shell Daemon service is started. In this example, the service is not started yet.
e. Double-click the Remote Shell Daemon service row, and then in the Remote Shell Daemon Properties window that appears, click Start to start the service, as shown in Figure 61.
Figure 61 Remote Shell Daemon Properties window
2. Configure the LB module:
# Configure a route to the remote host. (Details not shown.)
# Set the time of the host remotely.
rsh 192.168.1.
Managing sessions

Overview
Session management is a common feature designed to implement session-based services such as NAT and intrusion protection. Session management treats packet exchanges at the transport layer as sessions, and updates the session status or ages sessions out according to information in the initiator or responder packets. Session management allows multiple features to process the same service packet.
deleted only when the session initiator or responder sends a request to close it or you clear it manually.
• Supporting both control channels and dynamic data channels of application layer protocols such as FTP.
• Supporting limits on the number of session-based connections. For more information, see "Configuring attack detection and protection."
• Supporting both unidirectional and bidirectional traffic (the hybrid mode).
Figure 62 Session configuration
2. Configure the parameters as described in Table 15.
3. Click Apply.
Table 15 Configuration items
Enable unidirectional traffic detection: Enable or disable unidirectional traffic detection.
• When unidirectional traffic detection is enabled, the session management feature processes both unidirectional and bidirectional traffic.
• When unidirectional traffic detection is disabled, the session management feature processes only bidirectional traffic.
Set the ID of an ACL.
Figure 63 Session table
Table 16 Field description
Init Src IP: Source IP address and port number of packets from the session initiator.
Init Dest IP: Destination IP address and port number of packets from the session initiator.
Init VPN: VPN/VLAN/INLINE. The VPN that packets from the initiator to the responder belong to, and the VLAN and INLINE that the packets belong to during Layer 2 forwarding.
Resp Src IP: Source IP address and port number of packets from the session responder.
Figure 64 Detailed information of a session
Table 17 Field description
Protocol: Transport layer protocol:
• TCP.
• UDP.
• ICMP.
• RAWIP.
State: Session status:
• Accelerate.
• SYN.
• TCP-EST.
• FIN.
• UDP-OPEN.
• UDP-READY.
• ICMP-OPEN.
• ICMP-CLOSED.
• RAWIP-OPEN.
• RAWIP-READY.
TTL: Remaining lifetime of the session.
Initiator: VD / ZONE / VPN / IP / PORT: Initiator's virtual device/security zone/VPN instance/IP address/port number.
Managing sessions in the CLI
Session management task list
Setting session aging times based on protocol state: Optional.
Configuring session aging time based on application layer protocol type: Optional.
Enabling checksum verification: Optional.
Specifying persistent sessions: Optional.
Configuring the operating mode for session management: Optional.
Enabling session synchronization for stateful failover: Optional.
Clearing sessions manually: Optional.
To set session aging times based on application layer protocol type:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Set the aging time for sessions of an application layer protocol. Command: application aging-time { dns | ftp | msn | qq | sip } time-value. Remarks: Aging times set with this command apply only to sessions in the READY/ESTABLISH state.
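The session behaviour described in this chapter (transport-layer exchanges tracked as sessions, state updated from initiator and responder packets, per-state aging, immediate deletion on an explicit close) can be illustrated with a small session table. The code below is an added example written for this guide, not HP's implementation; the state names follow Table 17, the aging times are constructed placeholders rather than the device's defaults, and the rule that only a SYN may open a TCP session is a modelling assumption for bidirectional mode.

```python
from dataclasses import dataclass

# Constructed per-state aging times in seconds (illustrative placeholders, not device defaults).
AGING_TIME = {"SYN": 30, "TCP-EST": 3600, "FIN": 30, "UDP-OPEN": 30, "UDP-READY": 120}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "TCP" or "UDP"
    flags: str = ""     # TCP flags such as "SYN", "SYN-ACK", "ACK", "FIN-ACK", "RST"
    ts: float = 0.0     # arrival time in seconds


@dataclass
class Session:
    initiator: tuple    # (src, sport, dst, dport, proto) as seen from the initiator
    state: str          # state names follow Table 17
    last_seen: float

    def expires_at(self):
        # Each state carries its own aging time; the timer restarts on every packet.
        return self.last_seen + AGING_TIME[self.state]


class SessionTable:
    def __init__(self):
        self.sessions = {}  # direction-independent key -> Session

    @staticmethod
    def _key(p):
        # Initiator and responder packets of one exchange map to the same key.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (min(a, b), max(a, b), p.proto)

    def process(self, p):
        """Create or update the session for packet p; return the resulting state."""
        k = self._key(p)
        s = self.sessions.get(k)
        if s is None:
            if p.proto == "TCP" and p.flags != "SYN":
                return None  # modelling assumption: only a SYN may open a TCP session
            state = "SYN" if p.proto == "TCP" else "UDP-OPEN"
            s = Session((p.src, p.sport, p.dst, p.dport, p.proto), state, p.ts)
            self.sessions[k] = s
            return s.state
        from_initiator = (p.src, p.sport) == s.initiator[:2]
        s.last_seen = p.ts
        if p.proto == "TCP":
            if "RST" in p.flags:
                del self.sessions[k]  # explicit close request: delete immediately
                return "DELETED"
            if "FIN" in p.flags:
                s.state = "FIN"
            elif s.state == "SYN" and from_initiator and p.flags == "ACK":
                s.state = "TCP-EST"  # third packet of the handshake
        elif not from_initiator and s.state == "UDP-OPEN":
            s.state = "UDP-READY"  # responder has answered
        return s.state

    def age_out(self, now):
        """Remove sessions whose aging timer has run out; return how many were removed."""
        expired = [k for k, s in self.sessions.items() if s.expires_at() <= now]
        for k in expired:
            del self.sessions[k]
        return len(expired)
```

A responder's SYN-ACK leaves the session in SYN; only the initiator's ACK moves it to TCP-EST, which is why aging times set per state matter: a half-open session ages out after the short SYN timer, an established one only after the long TCP-EST timer.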
If you configure the hybrid mode, some features cannot work properly and system security is adversely affected. Configure the operating mode for session management according to whether unidirectional sessions exist: if they do, configure the hybrid mode to ensure normal processing of unidirectional sessions; if they do not, configure the bidirectional mode to protect system security.
To configure the operating mode for session management:
1. Enter system view.
2.
Enabling session logging
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter system view of the virtual device. Command: switchto vd vd-name. Remarks: Required for non-default virtual devices.
3. Create an interzone instance and enter interzone view. Command: interzone source source-zone-name destination destination-zone-name. Remarks: By default, no interzone instances exist.
4. Enable session logging. Command: session log enable [ acl acl-number ]. Remarks: Disabled by default.
2. Specify the flow log version. Command: userlog flow export version version-number. Remarks: Optional. 1.0 by default.
3. Specify the source IP address for UDP packets carrying flow logs. Command: userlog flow export source-ip ip-address. Remarks: Optional. By default, the IP address of the interface sending the UDP packets is used.
4. Specify the IP address and UDP port number of the flow log server. Command: userlog flow export host ip-address udp-port. Remarks: Not specified by default.
5.
Clear sessions. Command: reset session [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ]. Remarks: Available in user view.
Clear session statistics. Command: reset session statistics [ vd-name vd-name ]. Remarks: Available in user view.
Clear flow logs in the buffer. Remarks: Available in user view.
Configuring session acceleration

Overview
In some specific applications, session acceleration helps improve system performance for setting up sessions. If the outbound interface of the session initiator is not the same as the inbound interface of the session responder, and the service configurations on the two interfaces are not the same, session acceleration is not available. Session acceleration can be configured only in the Web interface.

Configuring session acceleration
1.
Configuring virtual fragment reassembly

Overview
To prevent service modules (such as NAT) from processing packet fragments that arrive out of order, you can enable the virtual fragment reassembly feature. This feature virtually reassembles the fragments of a datagram through fragment checking, sequencing, and caching, so that fragments reach the service modules in order.
3. Click Apply.
Table 18 Configuration items
Security Zone: Specify a security zone to be configured with virtual fragment reassembly. The virtual fragment reassembly feature is effective only in the inbound direction of a security zone.
Enable Virtual Fragment Reassembly: Click the box to enable the virtual fragment reassembly feature.
Specify max number of concurrent reassemblies: Specify the maximum number of concurrent reassemblies.
2. Configure a static address mapping:
a. From the navigation tree, select Security > NAT Policy > Static NAT.
b. Click Add in the Static Address Mapping area.
c. Enter 1.1.1.1 for Internal IP Address and enter 2.2.2.3 for Global IP Address.
d. Click Apply.
Figure 68 Adding a static address mapping
3. Enable static NAT on GigabitEthernet 0/1:
a. Click Add in the Interface Static Translation area.
b. Select interface GigabitEthernet0/1.
c. Click Apply.
Figure 70 Configuring virtual fragment reassembly
After the configuration, if the LB module receives disordered fragments from security zone Trust, it examines and reassembles them.

Configuring virtual fragment reassembly at the CLI
Configuration guidelines
• The IP virtual fragment reassembly feature applies only to incoming packets on an interface.
• The IP virtual fragment reassembly feature does not support load sharing. The fragments of an IP datagram cannot arrive through different interfaces.
Configuration example
Network requirements
As shown in Figure 71, configure devices as follows:
• LB module connects to Host and Router.
• NAT is enabled on GigabitEthernet 0/2 of LB module.
• Configure IP virtual fragment reassembly on security zone Trust of LB module.
Figure 71 Network diagram
Configuration procedure
1. As shown in Figure 71, assign IP addresses to the interfaces and add them into security zones. (Details not shown.)
2.
Configuring attack detection and protection
The term "router" in this document refers to both routers and LB modules.

Overview
Attack detection and protection is an important network security feature. It determines whether received packets are attack packets according to the packet contents and behaviors and, if it detects an attack, takes measures to deal with the attack, such as recording alarm logs, dropping packets, and blacklisting the source IP address.
Single-packet attack: Description
Large ICMP: For some hosts and devices, large ICMP packets cause memory allocation errors and thus crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.
Route Record: An attacker exploits the route record option in the IP header to probe the topology of a network.
Smurf: An attacker sends an ICMP echo request to the broadcast address or the network address of the target network.
receive the expected ACK packets, and thus have to maintain large numbers of half-open connections. In this way, the attacker exhausts the system resources of the server, making the server unable to serve normal clients.
• ICMP flood attack
An attacker sends a large number of ICMP requests to the target in a short time, for example by using the ping program, leaving the target too busy to process normal services.
• When the device detects that an FTP, Telnet, SSH, SSL, or web user has failed to provide the correct username, password, or verification code (for a web login user) after the maximum number of attempts, it considers the user an attacker, adds the IP address of the user to the blacklist, and filters subsequent login requests from the user. This mechanism can effectively prevent attackers from cracking login passwords through repeated login attempts.
attack, the device can add a protected IP address entry for the attacked server and use the TCP proxy function to inspect and process all subsequent TCP requests destined for the server. TCP proxy can operate in two modes:
• Unidirectional proxy—Processes only packets from TCP clients.
• Bidirectional proxy—Processes packets from both TCP clients and TCP servers.
You can choose a proper mode according to your network scenario.
When the TCP proxy receives a SYN message sent from a client to a protected server, it sends back a SYN ACK message that uses a wrong sequence number on behalf of the server. The client, if legitimate, responds with an RST message. If the TCP proxy receives an RST message from the client, it considers the client legitimate, and forwards SYN messages that the client sends to the server during a period of time so that the client can establish a TCP connection to the server.
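The exchange just described (SYN from the client, SYN ACK with a deliberately wrong number sent on the server's behalf, RST from a legitimate client, SYNs forwarded for a period afterwards) can be modelled as a small state machine for the unidirectional mode. This is an added example for this guide, not the device's implementation: the trust period, the `(ip, port)` form of protected entries with `"any"` for every port, and the convention that the client's RST carries the bogus number back are all assumptions of the model.

```python
import random


class TcpProxyModel:
    """Model of the unidirectional TCP proxy check described above (added illustration)."""

    def __init__(self, protected, trust_seconds=60.0):
        # Protected entries are (ip, port); port "any" covers every port of that address.
        self.protected = set(protected)
        self.trust_seconds = trust_seconds  # assumed length of the forwarding window
        self.challenges = {}  # client (ip, port) -> wrong number sent in the SYN ACK
        self.trusted = {}     # client (ip, port) -> time until which its SYNs are forwarded
        self.forwarded = []   # (client, destination, time) of SYNs passed to the server

    def is_protected(self, dst):
        return dst in self.protected or (dst[0], "any") in self.protected

    def on_client_segment(self, client, dst, flags, seq=0, now=0.0):
        """Handle one segment from a client and return the proxy's action:
        'forward', 'challenge', 'trusted' or 'drop'."""
        if not self.is_protected(dst):
            return "forward"  # unprotected destinations are not inspected
        if flags == "SYN":
            if self.trusted.get(client, float("-inf")) > now:
                self.forwarded.append((client, dst, now))
                return "forward"  # client already proved itself; let the SYN through
            # Answer on the server's behalf with a SYN ACK whose number is deliberately wrong.
            # A real TCP stack must reply to it with an RST; a spoofed source never will.
            self.challenges[client] = random.getrandbits(32)
            return "challenge"
        if flags == "RST":
            expected = self.challenges.get(client)
            if expected is not None and seq == expected:
                del self.challenges[client]
                self.trusted[client] = now + self.trust_seconds
                return "trusted"
        return "drop"  # anything else from an unverified client is not forwarded
```

Nothing is ever forwarded for a source that does not complete the RST exchange, which is what makes the check effective against SYN floods from spoofed addresses while costing a legitimate client only one extra round trip.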
accordingly, as configured. Supported actions include outputting alarm logs, discarding packets, and adding the attacker to the blacklist. The intrusion detection statistics reflect the counts of attacks as per attack type, and the counts of attack packets dropped. This helps you analyze the intrusion types and quantities present to generate better network security policies.
Enable WinNuke Attack Detection: Enable or disable detection of WinNuke attacks.
Enable TCP Flag Attack Detection: Enable or disable detection of TCP flag attacks.
Enable ICMP Unreachable Packet Attack Detection: Enable or disable detection of ICMP unreachable attacks.
Enable ICMP Redirect Packet Attack Detection: Enable or disable detection of ICMP redirect attacks.
Enable Tracert Packet Attack Detection: Enable or disable detection of Tracert attacks.
Figure 78 Enabling Land and Smurf attack detection for the untrusted zone

Verifying the configuration
Check that the device can detect Land and Smurf attacks from the untrusted zone, output alarm logs accordingly, and drop the attack packets. You can select Security > Intrusion Detection > Statistics from the navigation tree to view the counts of Land and Smurf attacks and the counts of dropped attack packets.
Figure 79 ICMP flood detection configuration page
2. Select a security zone.
3. In the Attack Prevention Policy area, select the Discard packets when the specified attack is detected box. Click Apply. If you do not select the box, the device only collects ICMP flood attack statistics.
4. In the ICMP Flood Configuration area, click Add.
Figure 80 Adding an ICMP flood detection rule
5. Configure an ICMP flood detection rule, as described in Table 21.
6. Click Apply.
Table 21 Configuration items
Protected Host Configuration:
IP Address: Specify the IP address of the protected host.
Action Threshold: Set the protection action threshold for ICMP flood attacks that target the protected host. If the sending rate of ICMP packets destined for the specified IP address constantly reaches or exceeds this threshold, the device enters the attack protection state and takes the attack protection actions as configured.
Figure 81 UDP flood detection configuration page
2. Select a security zone.
3. In the Attack Prevention Policy area, select the Discard packets when the specified attack is detected box. Click Apply. If you do not select the box, the device only collects UDP flood attack statistics.
4. In the UDP Flood Configuration area, click Add.
Figure 82 Adding a UDP flood detection rule
5. Configure a UDP flood detection rule, as described in Table 22.
6. Click Apply.
Table 22 Configuration items
Protected Host Configuration:
IP Address: Specify the IP address of the protected host.
Action Threshold: Set the protection action threshold for UDP flood attacks that target the protected host. If the sending rate of UDP packets destined for the specified IP address constantly reaches or exceeds this threshold, the device enters the attack protection state and takes the attack protection actions as configured.
Figure 83 SYN flood detection configuration page
2. Select a security zone.
3. In the Attack Prevention Policy area, specify the protection actions to be taken upon detection of a SYN flood attack for the specified security zone. Click Apply. If you do not select any option, the device only collects SYN flood attack statistics. The available protection actions include:
• Discard packets when the specified attack is detected.
4.
6. Click Apply.
Table 23 Configuration items
Protected Host Configuration:
IP Address: Specify the IP address of the protected host.
Action Threshold: Set the protection action threshold for SYN flood attacks that target the protected host. If the sending rate of SYN packets destined for the specified IP address constantly reaches or exceeds this threshold, the device enters the attack protection state and takes the attack protection actions as configured.
Figure 85 Connection limit configuration page
2. Configure the connection limits for the security zone, as described in Table 24.
3. Click Apply.
Table 24 Configuration items
Security Zone: Select the security zone to configure connection limits for.
Table 25 Configuration items
Security Zone: Select the security zone to configure scanning detection for.
Enable Scanning Detection: Select this option to enable scanning detection for the security zone.
Scanning Threshold: Set the maximum connection rate for a source IP address.
Add the source IP to the blacklist: Select this option to allow the system to blacklist a suspicious source IP address.
• Configure a source IP address-based connection limit for the trusted zone, and set the number of connections each host can initiate to 100.
• Configure a destination IP address-based connection limit for the DMZ, and set the number of connections the server can accommodate to 10000.
• Configure SYN flood detection for the DMZ, and set the action threshold for attacks targeting the internal server (for example, to 5000 packets per second) and the silent threshold (for example, to 1000 packets per second).
Figure 89 Configuring scanning detection for the untrusted zone
4. Configure connection limits for the trusted zone:
a. From the navigation tree, select Security > Intrusion Detection > Connection Limit. The connection limit configuration page appears, as shown in Figure 90.
b. Select the security zone Trust.
c. Select Discard packets when the specified attack is detected.
d. Select Enable connection limit per source IP and set the threshold to 100.
e. Click Apply.
c. In the Attack Prevention Policy area, select Discard packets when the specified attack is detected. Click Apply.
Figure 92 Configuring SYN flood detection for the DMZ
d. In the SYN Flood Configuration area, click Add. The SYN flood attack detection page appears, as shown in Figure 93.
e. Select Protected Host Configuration. Enter the IP address 10.1.1.2. Set the action threshold to 5000 packets per second and the silent threshold to 1000 packets per second.
f. Click Apply.
Detection > Statistics from the navigation tree to view how many times a connection limit per destination IP address has been exceeded and the number of packets dropped. If a SYN flood attack is initiated against the DMZ, the device outputs alarm logs and discards the attack packets. You can select Security > Intrusion Detection > Statistics from the navigation tree to view the number of SYN flood attacks and the number of packets dropped.
Figure 94 TCP proxy configuration
Enabling TCP Proxy for a Security Zone
1. From the navigation tree, select Security > Intrusion Detection > TCP Proxy Configuration to enter the page shown in Figure 94.
2. In the Zone Configuration area, click Enable to enable the TCP proxy feature for a target zone. The icon in the Status column changes to the enabled icon, which indicates that the TCP proxy feature is enabled. You can click Disable to disable the feature.
Figure 96 Protected IP address entry configuration page
3. Enter the destination IP address and select the port number of the TCP connection. To protect all TCP connection requests to any port of the server at the destination IP address, select Any from the Port Number list.
NOTE: Web performance is degraded if the IP address and port number of the administrator's host are set as the protected IP entry.
Figure 97 Network diagram
Configuring the LB module
1. Assign IP addresses to the interfaces, and then add interface GigabitEthernet 0/1 to zone Untrust and GigabitEthernet 0/2 to zone Trust. (Details not shown.)
2. Set the TCP proxy mode to bidirectional and enable TCP proxy for zone Untrust:
a. From the navigation tree, select Security > Intrusion Detection > TCP Proxy Configuration.
Figure 98 Selecting the bidirectional mode and enabling TCP proxy for zone Untrust
b.
Figure 99 Adding an IP address entry for protection
4. Configure the SYN flood detection feature, specifying that protected IP address entries are added automatically:
a. From the navigation tree, select Security > Intrusion Detection > SYN Flood.
b. In the Attack Prevention Policy area, select Trust from the Security Zone list.
c. Select the Add protected IP entry to TCP Proxy box in the Attack Prevention Policy area.
d. Click Apply.
Figure 100 Configuring the action to be taken upon detecting a SYN flood
e.
Figure 101 Configuring global settings

Configuring blacklist
Recommended configuration procedure
1. Enabling the blacklist function: Required. By default, the blacklist function is disabled.
2. Adding a blacklist entry manually: Optional. By default, no blacklist entries exist.
3. Configuring the scanning detection feature to add blacklist entries automatically: Optional. By default, the scanning detection feature is disabled.
4. Viewing the blacklist: Optional.
Figure 102 Blacklist management page
Adding a blacklist entry manually
1. From the navigation tree, select Security > Intrusion Detection > Blacklist.
2. Click Add to enter the blacklist entry configuration page shown in Figure 103.
Figure 103 Adding a blacklist entry manually
3. Configure a blacklist entry, as described in Table 27.
4. Click Apply.
Table 27 Configuration items
IP Address: Specify the IP address to be blacklisted.
Field: Description
Add Method: Type of the blacklist entry. Possible values include:
• Auto—Added by the scanning detection feature automatically.
• Manual—Added manually or modified manually.
IMPORTANT: Once modified manually, an auto entry becomes a manual one.
Start Time: Time when the blacklist entry is added.
Hold Time: Lifetime of the blacklist entry.
Dropped Count: Number of packets dropped based on the blacklist entry.
Figure 105 Enabling the blacklist feature
3. Add a blacklist entry for Host D:
a. In the Blacklist Configuration area, click Add.
b. On the page that appears (see Figure 106), enter the IP address 5.5.5.5 and select Permanence.
c. Click Apply.
Figure 106 Adding a blacklist entry for Host D
d. In the Blacklist Configuration area, click Add again.
e. On the page that appears (see Figure 107), enter the IP address 192.168.1.5, select Hold Time, and set the lifetime of the entry to 50 minutes.
f.
d. Set the scanning threshold to 4500.
e. Select Add the source IP to the blacklist.
f. Click Apply.
Figure 108 Configuring scanning detection for the untrusted zone
Verifying the configuration
Select Security > Intrusion Detection > Blacklist from the navigation tree to view the manually added blacklist entries. The device discards all packets from Host D until you remove the blacklist entry for the host.
Figure 109 Intrusion detection statistics
Table 29 Attack types description
Fraggle: A Fraggle attack occurs when an attacker sends a large number of UDP echo requests with the UDP port number 7 or Chargen packets with the UDP port number 19. This results in a large quantity of junk replies, and finally exhausts the bandwidth of the target network.
ICMP Redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table.
Source Route: A source route attack exploits the source route option in the IP header to probe the topology of a network.
Smurf: A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network reply to the requests. This causes network congestion, and hosts on the target network cannot provide services.
TCP Flag: Some TCP flags are processed differently on different operating systems.
Configuring attack detection and protection at the CLI
Attack detection and protection configuration task list
• Configure attack protection functions for a security zone. To do so, create an attack protection policy, configure the required attack protection functions (such as Smurf attack protection, scanning attack protection, and flood attack protection) in the policy, and then apply the policy to the security zone.
3. Create an attack protection policy and enter attack protection policy view. Command: attack-defense policy policy-number [ zone zone-name ]. Remarks: By default, no attack protection policy is created.

Enabling attack protection logging
After the attack protection policy is created, you can enable the device to log single-packet attacks, scanning attacks, and flood attacks, for adjusting network management strategies.
To enable attack protection logging:
1. Enter system view.
2.
6. Configure the device to drop single-packet attack packets. Command: signature-detect action drop-packet. Remarks: Optional. By default, the device only outputs alarm logs when it detects a single-packet attack.

Configuring a scanning attack protection policy
The scanning attack protection function detects scanning attacks by monitoring the rate at which connections to the target systems are established.
is usually applied to the security zones connecting the internal network and inspects only the outbound packets of the security zones. With flood attack protection enabled, the device is in the attack detection state. When the device detects that the rate of connection requests sent to a server constantly reaches or exceeds the specified action threshold, it considers the server to be under attack and enters the attack protection state.
5. Configure the global action and silence thresholds for ICMP flood attack protection. Command: defense icmp-flood rate-threshold high rate-number [ low rate-number ]. Remarks: Optional. By default, the action threshold is 1000 packets per second and the silence threshold is 750 packets per second.
6. Configure the action and silence thresholds for ICMP flood attack protection of a specific IP address.
5. Configure the global action and silence thresholds for DNS flood attack protection. Command: defense dns-flood rate-threshold high rate-number [ low rate-number ]. Remarks: Optional. By default, the action threshold is 1000 packets per second and the silence threshold is 750 packets per second.
6. Configure the action and silence thresholds for DNS flood attack protection of a specific IP address. Command: defense dns-flood ip ip-address rate-threshold high rate-number [ low rate-number ]. Remarks: Optional.
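The two-threshold behaviour behind the flood protection commands (enter the attack protection state when the rate to a server constantly reaches or exceeds the action threshold, return to the attack detection state once it drops below the silence threshold, with per-address thresholds overriding the global ones) is a hysteresis state machine. The code below is an added example for this guide, not the device's implementation: the 1000/750 defaults are the ones stated above for ICMP and DNS flood, the `sustain` parameter (consecutive seconds at or above the action threshold before triggering) and the fallback of a missing per-address low threshold to the global silence threshold are assumptions of the model, and the sample rates are constructed.

```python
class FloodProtection:
    """Action/silence threshold state machine for flood protection of protected hosts."""

    DETECTION = "attack detection"
    PROTECTION = "attack protection"

    def __init__(self, high=1000, low=750, sustain=1):
        # Global thresholds in packets per second; 1000/750 are the stated ICMP/DNS flood defaults.
        self.global_thresholds = (high, low)
        self.sustain = sustain  # assumed: consecutive seconds at/above high needed to trigger
        self.per_ip = {}        # protected IP -> (high, low) overriding the global thresholds
        self.state = {}         # protected IP -> current state
        self.streak = {}        # protected IP -> consecutive seconds at/above the action threshold
        self.events = []        # (ip, second, transition) audit trail, as an alarm log would record

    def protect_ip(self, ip, high, low=None):
        # A missing per-address silence threshold falls back to the global one (assumption).
        self.per_ip[ip] = (high, self.global_thresholds[1] if low is None else low)

    def observe(self, ip, second, pps):
        """Feed one per-second packet rate for a destination and return its new state."""
        high, low = self.per_ip.get(ip, self.global_thresholds)
        st = self.state.get(ip, self.DETECTION)
        if st == self.DETECTION:
            self.streak[ip] = self.streak.get(ip, 0) + 1 if pps >= high else 0
            if self.streak[ip] >= self.sustain:
                st = self.PROTECTION
                self.streak[ip] = 0
                self.events.append((ip, second, "enter protection"))
        elif pps < low:
            st = self.DETECTION  # rate has fallen below the silence threshold
            self.events.append((ip, second, "return to detection"))
        self.state[ip] = st
        return st


def replay(samples, fp):
    """Run constructed (second, ip, pps) samples through fp and return the state after each."""
    return [fp.observe(ip, sec, pps) for sec, ip, pps in samples]
```

Keeping the silence threshold below the action threshold is what prevents the device from flapping between states while an attack tails off: a rate of 3000 pps against a 5000/1000 configuration keeps protection active even though it would not have triggered it.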
3. Enter VD system view. Command: switchto vd vd-name. Remarks: Required for a non-default VD.
4. Configure an IP address protected by TCP proxy. Command: tcp-proxy protected-ip destination-ip-address port [ port-number | any ]. Remarks: Optional. By default, no IP address is protected by TCP proxy.
5. Enter security zone view. Command: zone name zone-name id zone-id. Remarks: N/A.
6. Enable the TCP proxy function for the security zone. Command: tcp-proxy enable. Remarks: By default, TCP proxy is disabled for a security zone.
Applying the connection limit policy: Required.

Creating a connection limit policy
A connection limit policy is a set of connection limit rules that define the valid range and parameters for the policy.
To create a connection limit policy:
1. Enter system view. Command: system-view.
2. Create a connection limit policy and enter its view.
2. Apply a connection limit policy. Command: connection-limit apply policy policy-number. Remarks: Only one connection limit policy can be applied globally.

Displaying and maintaining connection limiting
Display information about one or all connection limit policies. Command: display connection-limit policy { policy-number | all } [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter VD system view. Command: switchto vd vd-name. Remarks: Required for a non-default VD.
3. Enter security zone view. Command: zone name zone-name id zone-id. Remarks: N/A.
4. Enable traffic statistics for the security zone. Command: flow-statistics enable { destination-ip | inbound | outbound | source-ip }. Remarks: Disabled by default.

Displaying and maintaining attack detection and protection
Display the attack protection statistics of a security zone.
• In security zone Untrust, configure Smurf attack protection and scanning attack protection, enable the blacklist function for scanning attack protection, and set the connection rate threshold that triggers the scanning attack protection to 4500 connections per second.
[LB] attack-defense policy 2
# Enable SYN flood attack protection.
[LB-attack-defense-policy-2] defense syn-flood enable
# Configure SYN flood attack protection for the internal server 10.1.1.2, and set the action threshold to 5000 and the silence threshold to 1000.
[LB-attack-defense-policy-2] defense syn-flood ip 10.1.1.2 rate-threshold high 5000 low 1000
# Configure the policy to drop subsequent packets after a SYN flood attack is detected.
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Enable the blacklist function.
system-view
[LB] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
[LB] blacklist ip 5.5.5.5
# Add Host C's IP address 192.168.1.4 to the blacklist and configure the aging time as 50 minutes.
[LB] blacklist ip 192.168.1.
Figure 112 Network diagram
Configuration procedure
The following describes only the connection limit configuration. For more information about NAT configuration and internal server configuration, see Network Management Configuration Guide.
# Create a connection limit policy and enter its view.
system-view
[LB] connection-limit policy 0
# Configure connection limit rule 0 to limit connections from hosts on segment 192.168.0.
Configuring traffic statistics
Network requirements
As shown in Figure 113, configure traffic statistics in security zone Trust, and configure UDP flood attack protection to protect the internal server against UDP flood attacks.
Figure 113 Network diagram (figure not reproduced; its labels: Host A, Host B, LB with GE0/2 192.168.1.1/16, GE0/3 202.1.0.1/16 and GE0/4 10.1.1.1/24, zones Trust, Untrust (Internet) and DMZ, Host C, Server 10.1.1.2/24)
Configuration procedure
# Assign IP addresses to the interfaces. (Details not shown.
# Apply attack protection policy 1 to security zone Trust.
[LB] zone name Trust id 2
[LB-zone-Trust] attack-defense apply policy 1
# Enable the traffic statistics function for packets sourced from security zone Trust.
[LB-zone-Trust] flow-statistic enable outbound
# Enable the traffic statistics function based on packet destination IP address.
UDP session establishment rate : 2735/s
ICMP sessions : 0
ICMP session establishment rate : 0/s
RAWIP sessions : 0
RAWIP session establishment rate : 0/s
The output shows that in security zone Trust, a large number of UDP packets are destined for 10.1.1.2, and the session establishment rate has exceeded the specified threshold. Therefore, you can determine that the server is under a UDP flood attack.
[LB-attack-defense-policy-1] defense syn-flood rate-threshold high 100
# Configure the LB module to use the TCP proxy for subsequent packets after a SYN flood attack is detected.
[LB-attack-defense-policy-1] defense syn-flood action trigger-tcp-proxy
[LB-attack-defense-policy-1] quit
# Apply policy 1 to security zone Trust.
Configuring TCP attack protection
TCP attack protection can be configured only at the CLI.

Overview
Attackers can attack the device during TCP connection establishment. To prevent such attacks, the device provides the following features:
• SYN Cookie
• Protection against Naptha attacks
This chapter describes the attacks that these features can prevent, the working mechanisms of these features, and the configuration procedures.
With the SYN Cookie feature enabled, only the maximum segment size (MSS) is negotiated during TCP connection establishment; the window scale factor and the timestamp are not.

Enabling protection against Naptha attacks
Naptha attacks are similar to SYN Flood attacks. Attackers can perform Naptha attacks by using six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas SYN Flood attacks use only the SYN_RECEIVED state.
Configuring ND attack defense
ND attack defense can be configured only at the CLI.

Overview
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
All forged ND packets have two common features:
• The Ethernet frame header and the source link layer address option of the ND packet contain different source MAC addresses.
• The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
To identify forged ND packets, HP developed the source MAC consistency check feature. For more information about the five functions of the ND protocol, see Network Management Configuration Guide.
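The two features listed above can both be tested on a raw frame. The Python below is an added example, not code from the guide or from the HP module: it parses a constructed Ethernet/IPv6/ICMPv6 Neighbor Solicitation, compares the Ethernet source MAC with the Source Link-Layer Address option, and checks the source IPv6 to MAC mapping. Offline the only mapping that can be verified without a binding table is a link-local address with a modified EUI-64 interface ID, so that is what the second check does; a device would consult its own ND entries instead, which is an assumption of this example. The `build_ns` helper, the MAC and address values, and the finding strings are constructed here.

```python
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
# Fixed ND message body that sits between the 4-byte ICMPv6 header and the options (RFC 4861).
ND_BODY_LEN = {133: 4, 134: 12, 135: 20, 136: 20, 137: 36}
OPT_SOURCE_LLADDR = 1
LINK_LOCAL_PREFIX = bytes.fromhex("fe80000000000000")


def mac_from_eui64(iid):
    """Recover the MAC behind a modified EUI-64 interface ID, or None if the IID is not EUI-64 derived."""
    if iid[3:5] != b"\xff\xfe":
        return None
    return bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]


def check_nd_frame(frame):
    """Return (nd_type, findings). An empty findings list means the frame passed both checks;
    (None, []) means the frame is not an ND packet and is not inspected here."""
    if len(frame) < 14 + 40 + 4:
        return None, []
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None, []
    payload_len, next_hdr = struct.unpack("!HB", frame[18:21])
    src_ip = frame[22:38]
    if next_hdr != IPPROTO_ICMPV6:
        return None, []                      # extension headers are not walked in this example
    icmp = frame[54:54 + payload_len]
    if not icmp or icmp[0] not in ND_TYPES:
        return None, []
    findings = []

    # Check 1: Ethernet source MAC vs the Source Link-Layer Address option.
    off = 4 + ND_BODY_LEN[icmp[0]]
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:
            findings.append("zero-length ND option")   # RFC 4861 requires discarding the packet
            break
        if opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            opt_mac = icmp[off + 2:off + 8]
            if opt_mac != eth_src:
                findings.append("frame source MAC %s differs from option MAC %s"
                                % (eth_src.hex(":"), opt_mac.hex(":")))
        off += opt_len * 8

    # Check 2: source IPv6 to source MAC mapping, verifiable offline only for EUI-64 link-locals.
    if src_ip[:8] == LINK_LOCAL_PREFIX:
        expected = mac_from_eui64(src_ip[8:])
        if expected is not None and expected != eth_src:
            findings.append("source %s maps to MAC %s but frame carries %s"
                            % (ipaddress.IPv6Address(src_ip), expected.hex(":"), eth_src.hex(":")))
    return ND_TYPES[icmp[0]], findings


def build_ns(eth_src, src_ip, target_ip, opt_mac):
    """Constructed Neighbor Solicitation carrying a Source Link-Layer Address option (checksum left 0)."""
    body = struct.pack("!BBH4s16s", 135, 0, 0, b"\x00" * 4, target_ip)
    body += bytes([OPT_SOURCE_LLADDR, 1]) + opt_mac
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(body), IPPROTO_ICMPV6, 255, src_ip, target_ip)
    eth = b"\x33\x33\xff" + target_ip[13:] + eth_src + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + body


# Constructed sample hosts: A owns fe80::20c:29ff:fe12:3456 (EUI-64 of its MAC); B is the attacker.
MAC_A = bytes.fromhex("000c29123456")
MAC_B = bytes.fromhex("aabbccddeeff")
LL_A = ipaddress.IPv6Address("fe80::20c:29ff:fe12:3456").packed
LL_PRIV_B = ipaddress.IPv6Address("fe80::a1b2:c3d4:e5f6:1234").packed   # not EUI-64 derived
TARGET = ipaddress.IPv6Address("fe80::1").packed

if __name__ == "__main__":
    for label, frame in (("legitimate", build_ns(MAC_A, LL_A, TARGET, MAC_A)),
                         ("forged option", build_ns(MAC_B, LL_A, TARGET, MAC_A)),
                         ("spoofed source", build_ns(MAC_B, LL_A, TARGET, MAC_B))):
        print(label, check_nd_frame(frame))
```

The second forged case shows why the option comparison alone is not enough: an attacker who writes its own MAC into both the frame and the option still claims the victim's IPv6 address, and only the mapping check catches that.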
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention | Description
Boldface | Bold text represents commands and keywords that you enter literally as shown.
Italic | Italic text represents arguments that you replace with actual values.
[ ] | Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } | Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
[icon] Represents a generic network device, such as a router, switch, or firewall.
[icon] Represents a routing-capable device, such as a router or Layer 3 switch.
[icon] Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
[icon] Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.
Index
A
AAA configuration considerations and task list, 49
AAA configuration examples, 78
C
Configuration guidelines, 20
Configuration guidelines, 164
Configuration prerequ
D
Displaying and maintaining AAA, 77
Displaying and maintaining password control, 95
Displaying and maintaining SSH, 130
Displaying and maintaining SSL, 113
Displaying and maintaining TCP attack protection, 221
Displaying and recording the host public key information, 101
Displaying or exporting the local host public key, 100
O
Overview, 37
P
Password control configuration example, 96
Password control configuration task list, 91
Public key configuration examples, 103
R
Related information, 224
S
Setting a local user password in interactive mode, 95
Setting global password control parameters, 92
Setting local user password control parameters, 94
Setting super password control parameters, 95
Setting user group password control parameters, 93
SFTP configuration examples, 142
Specifying the peer public key on the local device, 102
Ste