HP VPN Firewall Appliances Attack Protection Configuration Guide
Part number: 5998-4167
Software version: F1000-A-EI/F1000-S-EI (Feature 3726), F1000-E (Release 3177), F5000 (Feature 3211), F5000-S/F5000-C (Release 3808), VPN firewall modules (Release 3177), 20-Gbps VPN firewall modules (Release 3817)
Document version: 6PW101-20130923
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Configuring attack detection and protection
Overview
Attack detection and protection is an important network security feature. It determines whether received packets are attack packets according to the packet contents and behaviors and, if it detects an attack, takes measures to deal with it, such as recording alarm logs, dropping packets, and blacklisting the source IP address.
Single-packet attacks:
• Large ICMP: For some hosts and devices, large ICMP packets cause memory allocation errors and thus crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.
• Route Record: An attacker exploits the route record option in the IP header to probe the topology of a network.
• Smurf: An attacker sends an ICMP echo request to the broadcast address or the network address of the target network.
receive the expected ACK packets, and thus have to maintain large amounts of half-open connections. In this way, the attacker exhausts the system resources of the server, making the server unable to service normal clients.
• ICMP flood attack: An attacker sends a large number of ICMP requests to the target in a short time by, for example, using the ping program, leaving the target too busy to process normal services.
• When the device detects that an FTP, Telnet, SSH, SSL, or web user has failed to provide the correct username, password, or verification code (for a web login user) after the maximum number of attempts, it considers the user an attacker, adds the IP address of the user to the blacklist, and filters subsequent login requests from the user. This mechanism can effectively prevent attackers from cracking login passwords through repeated login attempts.
TCP proxy can operate in two modes: • Unidirectional proxy—Processes only packets from TCP clients. • Bidirectional proxy—Processes packets from both TCP clients and TCP servers. You can choose a proper mode according to your network scenario. For example, if packets from TCP clients to a server go through the TCP proxy but packets from the server to clients do not, as shown in Figure 1, configure unidirectional proxy.
client, it considers the client legitimate, and forwards SYN messages that the client sends to the server during a period of time so that the client can establish a TCP connection to the server. After the TCP connection is established, the TCP proxy forwards the subsequent packets of the connection without any processing. Unidirectional proxy mode can meet the requirements of most environments.
The intrusion detection statistics reflect the counts of attacks per attack type and the counts of attack packets dropped. This helps you analyze the intrusion types and quantities to generate better network security policies. For information about packet inspection, see "Configuring packet inspection." For information about traffic abnormality detection, see "Types of network attacks the device can defend against."
Configuration items:
• Enable ICMP Unreachable Packet Attack Detection: Enable or disable detection of ICMP unreachable attacks.
• Enable ICMP Redirect Packet Attack Detection: Enable or disable detection of ICMP redirect attacks.
• Enable Tracert Packet Attack Detection: Enable or disable detection of Tracert attacks.
• Enable Smurf Attack Detection: Enable or disable detection of Smurf attacks.
• Enable IP Packet Carrying Source Route Attack Detection: Enable or disable detection of source route attacks.
Figure 7 Enabling Land and Smurf attack detection for the untrusted zone Verifying the configuration Check that the firewall can detect Land and Smurf attacks from the untrusted zone, output alarm logs accordingly, and drop the attack packets. You can select Intrusion Detection > Statistics from the navigation tree to view the counts of Land and Smurf attacks and the counts of dropped attack packets.
Figure 8 ICMP flood detection configuration page
2. Select a security zone.
3. In the Attack Prevention Policy area, select the Discard packets when the specified attack is detected box. Click Apply. If you do not select the box, the device only collects ICMP flood attack statistics.
4. In the ICMP Flood Configuration area, click Add.
Figure 9 Adding an ICMP flood detection rule
5. Configure an ICMP flood detection rule, as described in Table 3.
6. Click Apply.
Configuration items:
• Action Threshold: Set the protection action threshold for ICMP flood attacks that target the protected host. If the sending rate of ICMP packets destined for the specified IP address constantly reaches or exceeds this threshold, the device enters the attack protection state and takes attack protection actions as configured.
• Silent Threshold: Set the silent threshold for actions that protect against ICMP flood attacks targeting the protected host.
Figure 10 UDP flood detection configuration page
2. Select a security zone.
3. In the Attack Prevention Policy area, select the Discard packets when the specified attack is detected box. Click Apply. If you do not select the box, the device only collects UDP flood attack statistics.
4. In the UDP Flood Configuration area, click Add.
Figure 11 Adding a UDP flood detection rule
5. Configure a UDP flood detection rule, as described in Table 4.
6. Click Apply.
Configuration items:
• Action Threshold: Set the protection action threshold for UDP flood attacks that target the protected host. If the sending rate of UDP packets destined for the specified IP address constantly reaches or exceeds this threshold, the device enters the attack protection state and takes attack protection actions as configured.
• Silent Threshold: Set the silent threshold for actions that protect against UDP flood attacks targeting the protected host.
Figure 12 DNS flood detection configuration page
2. Select a security zone.
3. In the DNS Flood Attack Prevention Policy area, select Enable DNS Flood Attack Detection, and then click Apply. The device will collect DNS flood attack statistics of the specified security zone, and output logs upon detecting DNS flood attacks.
4. In the DNS Flood Configuration area, click Add.
Figure 13 Adding a DNS flood detection rule
5. Configure a DNS flood detection rule, as described in Table 5.
6. Click Apply.
Configuration items (Global Configuration of Security Zone):
• Action Threshold: Set the protection action threshold for DNS flood attacks that target a host in the protected security zone. If the sending rate of DNS query requests destined for a host in the security zone constantly reaches or exceeds this threshold, the device drops all extra requests and logs the event.
NOTE: Host-specific settings take precedence over the global settings for security zones.
Figure 15 Adding a SYN flood detection rule
5. Configure a SYN flood detection rule, as described in Table 6.
6. Click Apply.
Table 6 Configuration items
• IP Address: Specify the IP address of the protected host.
• Action Threshold: Set the protection action threshold for SYN flood attacks that target the protected host.
• Silent Threshold: Set the silent threshold for actions that protect against SYN flood attacks targeting a host in the protected security zone. If the sending rate of SYN packets destined for a host in the security zone drops below this threshold, the device returns to the attack detection state and stops the protection actions.
NOTE: Host-specific settings take precedence over the global settings for security zones.
Configuring connection limits
1.
1. From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection. The scanning detection configuration page appears.
Figure 17 Scanning detection configuration page
2. Configure the scanning detection rule for the security zone, as described in Table 8.
3. Click Apply.
Table 8 Configuration items
• Security Zone: Select a security zone to perform scanning detection configuration for it.
Figure 18 Network diagram Configuration considerations To meet the requirements, perform the following configurations on the firewall: • Configure scanning detection for the untrusted zone, enable the function to add entries to the blacklist, and set the scanning threshold to 4500 connections per second. • Configure source IP address-based connection limit for the trusted zone, and set the number of connections each host can initiate to 100.
3. Configure scanning detection for the untrusted zone:
a. From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection. The scanning detection configuration page appears, as shown in Figure 20.
b. Select the security zone Untrust.
c. Select Enable Scanning Detection.
d. Set the scanning threshold to 4500 connections per second.
e. Select Add the source IP to the blacklist.
f. Click Apply.
Figure 20 Configuring scanning detection for the untrusted zone
4.
Figure 22 Configuring connection limit for the DMZ
6. Configure SYN flood detection for the DMZ:
a. From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood. The SYN flood detection configuration page appears, as shown in Figure 23.
b. Select the security zone DMZ.
c. In the Attack Prevention Policy area, select Discard packets when the specified attack is detected.
d. Click Apply.
Figure 23 Configuring SYN flood detection for the DMZ
e.
Figure 24 Configuring a SYN flood attack detection rule for the server Verifying the configuration • After a scanning attack packet is received from zone Untrust, the firewall outputs alarm logs and adds the IP address of the attacker to the blacklist. You can select Intrusion Detection > Blacklist from the navigation tree to view whether the attacker's IP address is on the blacklist.
3. Adding a protected IP address entry: At least one method is required. You can add protected IP address entries by either of the following methods:
• Static: Add entries manually. By default, no such entries are configured in the system.
• Dynamic: Select Intrusion Detection > Traffic Abnormality > SYN Flood, and then select the Add protected IP entry to TCP Proxy check box.
4. Configure to automatically add a protected IP address entry
Adding a protected IP address entry 1. Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown in Figure 26. The page lists information about protected IP address entries and the relative statistics. Figure 26 Protected IP address entries 2. Click Add to enter the page for configuring a protected IP address entry. Figure 27 Protected IP address entry configuration page 3. Enter the destination IP address and select the port number of the TCP connection.
• Number of Rejected: Number of TCP connection requests that matched the protected IP address entry but were proved to be illegitimate.
TCP proxy configuration example
Network requirements
As shown in Figure 28, configure bidirectional TCP proxy on Firewall to protect Server A, Server B, and Server C against SYN flood attacks. Add a protected IP address entry for Server A manually and configure dynamic TCP proxy for the other servers.
3. Add an IP address entry manually for protection:
a. From the navigation tree, select Intrusion Detection > TCP Proxy > Protected IP Configuration.
b. Click Add.
c. Enter 20.0.0.10 in the Protected IP Address field.
d. Click Apply.
Figure 30 Adding an IP address entry for protection
4. Configure SYN flood detection, and enable the system to add protected IP address entries automatically:
a. From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood.
b.
Figure 32 Configuring global settings
Configuring blacklist
Recommended configuration procedure
1. Enabling the blacklist function: Required. By default, the blacklist function is disabled.
2. Adding a blacklist entry manually: Optional. By default, no blacklist entries exist.
3. Configuring the scanning detection feature to add blacklist entries automatically: Optional.
4. Viewing the blacklist
Figure 33 Blacklist management page Adding a blacklist entry manually 1. From the navigation tree, select Intrusion Detection > Blacklist. 2. Click Add to enter the blacklist entry configuration page as shown in Figure 34. Figure 34 Adding a blacklist entry manually 3. Configure a blacklist entry, as described in Table 10. 4. Click Apply. Table 10 Configuration items Item Description IP Address Specify the IP address to be blacklisted.
• Add Method: Type of the blacklist entry. Possible values include:
  • Auto: Added by the scanning detection feature automatically.
  • Manual: Added manually or modified manually.
  IMPORTANT: Once modified manually, an auto entry becomes a manual one.
• Start Time: Time when the blacklist entry is added.
• Hold Time: Lifetime of the blacklist entry.
• Dropped Count: Number of packets dropped based on the blacklist entry.
Figure 36 Enabling the blacklist feature 3. Add a blacklist entry for Host D: a. In the Blacklist Configuration area, click Add. b. On the page that appears (see Figure 37), enter the IP address 5.5.5.5, select Permanence. c. Click Apply. Figure 37 Adding a blacklist entry for Host D d. In the Blacklist Configuration area, click Add again. e. On the page that appears (see Figure 38), enter the IP address 192.168.1.5, select Hold Time and set the lifetime of the entry to 50 minutes. f. Click Apply.
d. Set the scanning threshold to 4500. e. Select Add the source IP to the blacklist. f. Click Apply. Figure 39 Configuring scanning detection for the untrusted zone Verifying the configuration Select Intrusion Detection > Blacklist from the navigation tree to view manually added blacklist entries. The firewall discards all packets from Host D before you remove the blacklist entry for the host. If the firewall receives packets from Host C, the firewall discards all packets from Host C within 50 minutes.
Figure 40 Intrusion detection statistics
Table 12 Attack types description
• Fraggle: A Fraggle attack occurs when an attacker sends a large number of UDP echo requests with the UDP port number of 7 or Chargen packets with the UDP port number of 19. This results in a large quantity of junk replies, and finally exhausts the bandwidth of the target network.
• ICMP Redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table.
• Source Route: A source route attack exploits the source route option in the IP header to probe the topology of a network.
• Smurf: A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address or the network address of the target network. As a result, all hosts on the target network will reply to the requests. This causes network congestion, and hosts on the target network cannot provide services.
Configuring the attack detection and protection at the CLI Attack detection and protection configuration task list The attack detection and protection configuration tasks include the following categories: • Configuring attack protection functions for a security zone.
Step 2. Enter VD system view. Command: switchto vd vd-name. Remarks: Required for a non-default VD.
Step 3. Create an attack protection policy and enter attack protection policy view. Command: attack-defense policy policy-number [ zone zone-name ]. Remarks: By default, no attack protection policy is created.
Step 5. Configure the ICMP packet length threshold that triggers large ICMP attack protection. Command: signature-detect large-icmp max-length length. Remarks: Optional. 4000 bytes by default.
Step 6. Configure the device to drop single-packet attack packets. Command: signature-detect action drop-packet. Remarks: Optional. By default, the device only outputs alarm logs if detecting a single-packet attack.
You can configure a maximum of 250 protected IP addresses for each security zone.
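The single-packet signatures described in this guide (Large ICMP, Route Record, Source Route, Smurf, Fraggle, Land) are each a check on one packet's header fields. The following is an added example, not HP's code, that implements those checks over raw IPv4 packets built in the script itself. The 4000-byte Large ICMP limit is the guide's default; the protected network 192.0.2.0/24 and all packets are constructed assumptions.

```python
"""Single-packet attack signature checks over raw IPv4 packets.

Added example, not HP's code. It models the signatures this guide lists
(Large ICMP, Route Record, Source Route, Smurf, Fraggle, Land) as checks on
hand-built packets. LOCAL_NETWORK is an assumed protected network; the
4000-byte Large ICMP limit is the guide's default.
"""
import ipaddress
import struct

LARGE_ICMP_MAX_LENGTH = 4000                          # bytes; default from the guide
LOCAL_NETWORK = ipaddress.ip_network("192.0.2.0/24")  # assumption: the protected segment

# IPv4 option type codes (whole option-type byte, copied/class bits included)
OPT_RECORD_ROUTE, OPT_LSRR, OPT_SSRR = 7, 131, 137


def build_ipv4(src, dst, proto, payload, options=b""):
    """Build a minimal IPv4 packet for testing (checksum left zero; this is a detector, not a stack)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def icmp_echo_request(data=b""):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def ip_options(pkt):
    """Yield the option type codes present in the IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i = pkt[20:ihl], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:              # end of option list
            return
        if t == 1:              # no-operation, single byte
            i += 1
            continue
        yield t
        if i + 1 >= len(opts):  # length byte missing: stop rather than read past the header
            return
        i += max(opts[i + 1], 2)


def classify(pkt):
    """Return the single-packet attack signatures a packet matches (empty list = clean)."""
    hits = []
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    body = pkt[ihl:total]
    opts = set(ip_options(pkt))
    to_broadcast = dst in (LOCAL_NETWORK.broadcast_address, LOCAL_NETWORK.network_address)

    if src == dst:
        hits.append("Land")
    if OPT_RECORD_ROUTE in opts:
        hits.append("Route Record")
    if opts & {OPT_LSRR, OPT_SSRR}:
        hits.append("Source Route")
    if proto == 1 and len(body) >= 8:                      # ICMP
        if total > LARGE_ICMP_MAX_LENGTH:
            hits.append("Large ICMP")
        if body[0] == 8 and to_broadcast:                  # echo request to broadcast/network address
            hits.append("Smurf")
    elif proto == 17 and len(body) >= 8 and to_broadcast:  # UDP to broadcast/network address
        dport = struct.unpack("!H", body[2:4])[0]
        if dport in (7, 19):                               # echo / chargen
            hits.append("Fraggle")
    return hits


if __name__ == "__main__":
    smurf = build_ipv4("198.51.100.7", "192.0.2.255", 1, icmp_echo_request(b"x" * 32))
    print(classify(smurf))   # ['Smurf']
```

The device reports one signature per matching rule, so a packet can match several at once (a large echo request to the broadcast address is both Large ICMP and Smurf); the option parser stops at a missing length byte rather than reading beyond the header.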
Configuring a flood attack protection policy The flood attack protection function is mainly used to protect servers. It detects various flood attacks by monitoring the rate at which connection requests are sent to a server. The flood attack protection function is typically applied to the security zones connecting the internal network and inspects only the outbound packets of the security zones. With flood attack protection enabled, the device is in attack detection state.
Step 5. Configure the global action and silence thresholds for ICMP flood attack protection. Command: defense icmp-flood rate-threshold high rate-number [ low rate-number ]. Remarks: Optional. By default, the action threshold is 1000 packets per second and the silence threshold is 750 packets per second.
Step 6. Configure the action and silence thresholds for ICMP flood attack protection of a specific IP address.
Step 5. Configure the global action and silence thresholds for DNS flood attack protection. Command: defense dns-flood rate-threshold high rate-number [ low rate-number ]. Remarks: Optional. By default, the action threshold is 1000 packets per second and the silence threshold is 750 packets per second.
Step 6. Configure the action and silence thresholds for DNS flood attack protection of a specific IP address. Command: defense dns-flood ip ip-address rate-threshold high rate-number [ low rate-number ]. Remarks: Optional.
Step 3. Enter VD system view. Command: switchto vd vd-name. Remarks: Required for a non-default VD.
Step 4. Configure an IP address protected by TCP proxy. Command: tcp-proxy protected-ip destination-ip-address [ port-number | port any ]. Remarks: Optional. By default, no IP address is protected by TCP proxy.
Step 5. Enter security zone view. Command: zone name zone-name id zone-id. Remarks: N/A.
Step 6. Enable the TCP proxy function for the security zone. Command: tcp-proxy enable. Remarks: By default, TCP proxy is disabled for a security zone.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter VD system view. Command: switchto vd vd-name. Remarks: Required for a non-default VD.
Step 3. Enter security zone view. Command: zone name zone-name id zone-id. Remarks: N/A.
Step 4. Enable traffic statistics for the security zone. Command: flow-statistics enable { destination-ip | inbound | outbound | source-ip }. Remarks: Disabled by default.
Displaying and maintaining attack detection and protection
Task: Display the attack protection statistics of a security zone.
In security zone Untrust, configure Smurf attack protection and scanning attack protection, enable the blacklist function for scanning attack protection, and set the connection rate threshold that triggers the scanning attack protection to 4500 connections per second.
# Enable SYN flood attack protection.
[Firewall-attack-defense-policy-2] defense syn-flood enable
# Configure SYN flood attack protection for the internal server 10.1.1.2, and set the action threshold to 5000 and the silence threshold to 1000.
[Firewall-attack-defense-policy-2] defense syn-flood ip 10.1.1.2 rate-threshold high 5000 low 1000
# Configure the policy to drop the subsequent packets after a SYN flood attack is detected.
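The high/low pair in the rate-threshold command above is a hysteresis: the protected address enters the attack protection state when the rate reaches or exceeds the action (high) threshold and leaves it only when the rate falls below the silence (low) threshold, as the ICMP, UDP, DNS and SYN flood tables earlier in this guide describe. The following added example, not HP's code, replays constructed per-second SYN counts for 10.1.1.2 through that state machine with the 5000/1000 values from this configuration; the "drop"/"log" actions model the "Discard packets when the specified attack is detected" option.

```python
"""Two-threshold (action/silence) flood protection state machine.

Added example, not HP's code. It reproduces the behaviour this guide
describes for the rate-threshold high/low pair: a protected address enters
the attack protection state once the request rate reaches or exceeds the
action (high) threshold, and returns to detection only when the rate drops
below the silence (low) threshold, so rates between the two do not flap the
state. The per-second SYN counts fed in below are constructed.
"""
from collections import defaultdict

DETECTION, PROTECTION = "detection", "protection"


class FloodGuard:
    def __init__(self, high, low, drop_packets=False):
        if low > high:
            raise ValueError("silence threshold must not exceed the action threshold")
        self.high, self.low, self.drop_packets = high, low, drop_packets
        self.state = defaultdict(lambda: DETECTION)   # per protected destination IP
        self.transitions = []                          # (second, dst, new_state)

    def observe(self, second, dst, rate):
        """Feed one per-second request rate for dst and return the resulting state."""
        cur = self.state[dst]
        if cur == DETECTION and rate >= self.high:
            cur = PROTECTION
        elif cur == PROTECTION and rate < self.low:
            cur = DETECTION
        if cur != self.state[dst]:
            self.state[dst] = cur
            self.transitions.append((second, dst, cur))
        return cur

    def action(self, dst):
        """What happens to further requests: forward, log only, or drop (the discard option)."""
        if self.state[dst] == DETECTION:
            return "forward"
        return "drop" if self.drop_packets else "log"


def replay(rates, dst="10.1.1.2", high=5000, low=1000, drop_packets=True):
    """Replay a list of per-second rates; return ([(second, action)], transitions)."""
    guard = FloodGuard(high, low, drop_packets)
    actions = []
    for second, rate in enumerate(rates):
        guard.observe(second, dst, rate)
        actions.append((second, guard.action(dst)))
    return actions, guard.transitions


if __name__ == "__main__":
    # constructed SYN/s samples: ramp past 5000, decay through the 1000..5000 band, then drop below 1000
    print(replay([200, 4999, 5000, 3000, 1000, 999, 50]))
```

The sample at exactly 1000 packets per second keeps the address in protection (the rate must drop below the silence threshold), and 3000 between the two thresholds does not flap the state; that gap is why the guide rejects a silence threshold above the action threshold.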
# Enable the blacklist function.
system-view
[Firewall] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
[Firewall] blacklist ip 5.5.5.5
# Add Host C's IP address 192.168.1.4 to the blacklist and configure the aging time as 50 minutes.
[Firewall] blacklist ip 192.168.1.4 timeout 50
Verifying the configuration
Use the display blacklist all command to display the added blacklist entries.
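The blacklist fields the guide lists (Add Method, Start Time, Hold Time, Dropped Count), the permanent versus timed entries of this configuration and the rule that a manually modified Auto entry becomes Manual can be modelled as a small filter. The following is an added example, not HP's code; the clock is injected in minutes so it runs offline, the 203.0.113.9 Auto entry stands in for one added by scanning detection, and all packets are constructed.

```python
"""Blacklist with permanent and timed entries, Auto/Manual add methods and drop counting.

Added example, not HP's code. It models the fields in the guide's blacklist
table (Add Method, Start Time, Hold Time, Dropped Count) and the rule that
a manually modified Auto entry becomes Manual. Timestamps are injected
minutes so it runs offline; the packets (source IP, arrival time) are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    ip: str
    add_method: str                  # "Auto" (scanning detection) or "Manual"
    start_time: float                # minutes on the injected clock
    hold_time: Optional[float]       # minutes; None = permanent
    dropped_count: int = 0

    def expired(self, now):
        return self.hold_time is not None and now - self.start_time >= self.hold_time


class Blacklist:
    def __init__(self):
        self.enabled = False         # "blacklist enable" turns filtering on
        self.entries = {}

    def add(self, ip, now, hold_time=None, method="Manual"):
        self.entries[ip] = Entry(ip, method, now, hold_time)

    def modify(self, ip, now, hold_time):
        """Manual modification: an Auto entry becomes Manual and its lifetime restarts."""
        entry = self.entries[ip]
        entry.add_method = "Manual"
        entry.start_time = now
        entry.hold_time = hold_time

    def purge(self, now):
        for ip in [ip for ip, e in self.entries.items() if e.expired(now)]:
            del self.entries[ip]

    def filter(self, src_ip, now):
        """Return True if a packet from src_ip is dropped by the blacklist."""
        if not self.enabled:
            return False
        self.purge(now)
        entry = self.entries.get(src_ip)
        if entry is None:
            return False
        entry.dropped_count += 1
        return True


def demo():
    """Replay the entries of this configuration against constructed packets."""
    bl = Blacklist()
    bl.enabled = True
    bl.add("5.5.5.5", now=0)                                    # Host D, permanent
    bl.add("192.168.1.4", now=0, hold_time=50)                  # Host C, 50 minutes
    bl.add("203.0.113.9", now=0, hold_time=10, method="Auto")   # constructed scanning-detection entry
    r = {}
    r["hostD_t0"] = bl.filter("5.5.5.5", 0)
    bl.modify("203.0.113.9", now=5, hold_time=60)               # operator edits the Auto entry
    r["auto_method"] = bl.entries["203.0.113.9"].add_method
    r["auto_t30"] = bl.filter("203.0.113.9", 30)                # 25 min into its new 60 min lifetime
    r["hostC_t49"] = bl.filter("192.168.1.4", 49)
    r["hostC_t50"] = bl.filter("192.168.1.4", 50)               # lifetime over, entry aged out
    r["hostD_t9999"] = bl.filter("5.5.5.5", 9999)               # permanent entry never ages
    r["dropped_D"] = bl.entries["5.5.5.5"].dropped_count
    return r
```

Expiry is evaluated lazily on each lookup, which is enough for a demonstration; a device would age entries on a timer so that display output does not show stale ones.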
Configuration procedure
# Specify IP addresses to interfaces and add them into security zones. (Details not shown.)
# Create attack protection policy 1.
system-view
[Firewall] attack-defense policy 1
# Enable UDP flood attack protection.
[Firewall-attack-defense-policy-1] defense udp-flood enable
# Set the global action threshold that triggers UDP flood attack protection to 100 packets per second.
RAWIP packet count : 0
RAWIP byte count : 0
[Firewall-zone-trust] display flow-statistics statistics zone trust outbound
Flow Statistics Information
-----------------------------------------------------------
Zone : Trust
-----------------------------------------------------------
Total number of existing sessions : 13676
Session establishment rate : 2735/s
TCP sessions : 0
Half-open TCP sessions : 0
Half-close TCP sessions : 0
TCP session establishment rate : 0/s
UDP sessions : 13676
UDP
# Configure TCP proxy for IP address 192.168.1.10 and port number 21.
[Firewall] tcp-proxy protected-ip 192.168.1.10 21
# Enable TCP proxy for security zone untrust.
[Firewall] zone name untrust
[Firewall-zone-untrust] tcp-proxy enable
[Firewall-zone-untrust] quit
# Create attack protection policy 1.
system-view
[Firewall] attack-defense policy 1
# Enable SYN flood attack protection.
Configuring ARP attack protection ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to detect and prevent such attacks. Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways: • Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
Task: Configuring ARP detection. Remarks: Optional. Configure this function on gateways (recommended).
Task: Configuring ARP automatic scanning and fixed ARP. Remarks: Optional. Configure this function on gateways (recommended).
Configuring unresolvable IP attack protection
Unresolvable IP attack protection can be configured only at the CLI.
Displaying and maintaining ARP source suppression
Task: Display the ARP source suppression configuration information. Command: display arp source-suppression [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Unresolvable IP attack protection configuration example
Network requirements
As shown in Figure 45, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20.
Configuration procedure
# Enable ARP source suppression and set the threshold to 100.
system-view
[Firewall] arp source-suppression enable
[Firewall] arp source-suppression limit 100
# Enable ARP blackhole routing.
system-view
[Firewall] arp resolving-route enable
Configuring source MAC-based ARP attack detection
Source MAC-based ARP attack detection can be configured only at the CLI.
Step 3. Configure the threshold. Command: arp anti-attack source-mac threshold threshold-value. Remarks: Optional. 50 by default.
Step 4. Configure the lifetime for ARP attack entries. Command: arp anti-attack source-mac aging-time time. Remarks: Optional. 300 seconds by default.
Step 5. Configure excluded MAC addresses. Command: arp anti-attack source-mac exclude-mac mac-address&<1-n>. Remarks: Optional. No MAC address is excluded by default.
Figure 46 Network diagram (IP network; Gateway/Firewall; Server 0012-3f86-e94c; Host A, Host B, Host C, Host D)
Configuration considerations
An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway as follows:
1. Enable source MAC-based ARP attack detection and specify the handling method.
2. Set the threshold.
3. Set the lifetime for ARP attack entries.
4.
The following matrix shows the feature and hardware compatibility:
• F1000-A-EI/F1000-S-EI: Yes
• F1000-E: No
• F5000: No
• F5000-S/F5000-C: No
• VPN firewall modules: No
• 20-Gbps VPN firewall modules: No
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body, so that the gateway can learn correct ARP entries.
Step 2. Enable the ARP active acknowledgement function. Command: arp anti-attack active-ack enable. Remarks: Disabled by default.
Configuring periodic sending of gratuitous ARP packets
Periodic sending of gratuitous ARP packets can be configured only in the Web interface. Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time.
VLAN termination configured can use the gratuitous ARP packets to update their corresponding MAC entries in time. For more information about VRRP, see High Availability Web-based Configuration Guide. Configuration restrictions and guidelines When you configure periodic sending of gratuitous ARP packets, follow these restrictions and guidelines: • You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
Configuring ARP detection
The following matrix shows the feature and hardware compatibility:
• F1000-A-EI/F1000-S-EI: Yes
• F1000-E: No
• F5000: No
• F5000-S/F5000-C: No
• VPN firewall modules: No
• 20-Gbps VPN firewall modules: No
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding functions.
Step 7. Configure the interface as a trusted interface excluded from ARP detection. Command: arp detection trust. Remarks: Optional. By default, an interface is untrusted.
Configuring ARP packet validity check
Enable validity check for ARP packets received on untrusted ports and specify the following objects to be checked:
• src-mac: Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter VLAN view. Command: vlan vlan-id. Remarks: N/A.
Step 3. Enable ARP restricted forwarding. Command: arp restricted-forwarding enable. Remarks: By default, ARP restricted forwarding is disabled.
Displaying and maintaining ARP detection
Task: Display the VLANs enabled with ARP detection. Command: display arp detection [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display the ARP detection statistics.
• The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries. • The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device might fail to change all dynamic ARP entries into static ARP entries. • The fixing process might take some time, during which some dynamic entries might be added or be aged out.
Table 13 Configuration items
• Interface: Select the interface to be configured to perform ARP automatic scanning.
• Start IP Address, End IP Address: Specify the start and end IP addresses of the IP address range for ARP automatic scanning. To reduce the scanning time, you can specify the IP address range for scanning if you know the IP address range assigned to the neighbors in a LAN.
4. Select the box before dynamic ARP entries, and click Fix to convert the selected ARP entry to a static ARP entry. 5. Select the box before static ARP entries, and click Del Fixed to delete the selected static ARP entry. If you select a dynamic one and click Del Fixed, the entry is not deleted.
Configuring TCP attack protection TCP attack protection can be configured only at the CLI. Overview Attackers can attack the device during the process of TCP connection establishment. To prevent such attacks, the device provides the following features: • SYN Cookie • Protection against Naptha attacks This chapter describes the attacks that these features can prevent, working mechanisms of these features, and configuration procedures.
With the SYN Cookie feature enabled, only the maximum segment size (MSS) is negotiated during TCP connection establishment; the window scale factor and timestamp are not.
Enabling protection against Naptha attacks
Naptha attacks are similar to SYN Flood attacks. Attackers can perform Naptha attacks by using the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas SYN Flood attacks use only the SYN_RECEIVED state.
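The reason SYN Cookie can negotiate only the MSS is that the server keeps no half-open state at all: everything it needs to finish the handshake is encoded in the initial sequence number it sends and gets back in the client's ACK. The following added example, not HP's code, shows that encoding and its verification in the RFC 4987 layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash); the secret, the 64-second tick, the MSS table, the accepted age and the handshake in syn_exchange() are all assumptions.

```python
"""SYN cookie issue and verification in the RFC 4987 layout.

Added example, not HP's code. The guide says only that SYN Cookie spares the
server from keeping half-open connection state and negotiates just the MSS;
the secret key, the 64-second counter tick, the 3-bit MSS table and the
accepted cookie age below are assumptions. Addresses are passed as packed
bytes; the exchange in syn_exchange() is constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"                          # a real stack draws this at random per boot
MSS_TABLE = (536, 1220, 1300, 1440, 1460, 4312, 8960, 9000)  # 8 values fit the 3-bit field (assumption)
TICK = 64                                                    # seconds per counter step
MAX_AGE = 2                                                  # accept cookies up to this many ticks old


def _hash24(src, dst, sport, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the full counter value."""
    msg = struct.pack("!4s4sHHQ", src, dst, sport, dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def mss_index(client_mss):
    """Index of the largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= client_mss:
            idx = i
    return idx


def make_cookie(src, dst, sport, dport, client_mss, now):
    """Initial sequence number for the SYN-ACK: 5 bits of time, 3 bits of MSS index, 24 bits of hash."""
    counter = now // TICK
    return ((counter & 0x1F) << 27) | (mss_index(client_mss) << 24) | _hash24(src, dst, sport, dport, counter)


def check_cookie(src, dst, sport, dport, ack, now):
    """Validate the final ACK of the handshake; return the negotiated MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t5 = cookie >> 27
    idx = (cookie >> 24) & 0x7
    current = now // TICK
    age = (current - t5) & 0x1F                 # recover how many ticks old the cookie is
    if age > MAX_AGE:
        return None                             # stale cookie, or one this server never issued
    if (cookie & 0xFFFFFF) != _hash24(src, dst, sport, dport, current - age):
        return None                             # forged, tampered, or for a different 4-tuple
    return MSS_TABLE[idx]


def syn_exchange(client_mss=1460, delay=10, ack_tweak=0, wrong_port=False):
    """Constructed handshake: server issues a cookie as SYN-ACK seq, client echoes it +1 in ACK."""
    client = ipaddress.ip_address("198.51.100.23").packed
    server = ipaddress.ip_address("192.0.2.80").packed
    cookie = make_cookie(client, server, 51000, 80, client_mss, now=1_000_000)
    ack = (cookie + 1 + ack_tweak) & 0xFFFFFFFF
    sport = 51001 if wrong_port else 51000      # wrong_port simulates an ACK for another connection
    return check_cookie(client, server, sport, 80, ack, now=1_000_000 + delay)
```

Because the cookie carries no room for window scale or timestamp values, those options are lost for connections that were established through a cookie, which is exactly the trade-off the paragraph above describes.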
Configuring ND attack defense ND attack defense can be configured only at the CLI. Overview The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
• The Ethernet frame header and the source link layer address option of the ND packet contain different source MAC addresses. • The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid. To identify forged ND packets, HP developed the source MAC consistency check feature. For more information about the five functions of the ND protocol, see Network Management Configuration Guide.
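The source MAC consistency check described here for ND and the src-mac object of the ARP packet validity check earlier in this guide apply the same test to two protocols: the source MAC in the Ethernet header must equal the link-layer address carried inside the message. The following added example, not HP's code, builds ARP requests and Neighbor Solicitations and runs that check on them; the IP-to-MAC mapping validity check is not modelled, and all MAC and IP addresses are constructed.

```python
"""Source MAC consistency checks for ARP and IPv6 ND frames.

Added example, not HP's code. Both checks the guide describes compare the
source MAC in the Ethernet header with the link-layer address carried in the
message body: the ARP sender MAC (src-mac object of ARP packet validity
check) and the source link-layer address option of an ND packet. The binding
check against IP-to-MAC mappings is not modelled. Frames are constructed.
"""
import ipaddress
import struct

ETH_ARP, ETH_IPV6 = 0x0806, 0x86DD
ICMPV6 = 58
ND_FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}   # RS, RA, NS, NA, Redirect header sizes
OPT_SOURCE_LLADDR = 1


def mac(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def ethernet(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def arp_request(sender_mac, sender_ip, target_ip, eth_src=None):
    """ARP request; eth_src defaults to the sender MAC, pass another value to build an inconsistent frame."""
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    body += mac(sender_mac) + ipaddress.ip_address(sender_ip).packed
    body += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed
    return ethernet("ff:ff:ff:ff:ff:ff", eth_src or sender_mac, ETH_ARP, body)


def nd_solicit(src_mac, src_ip6, target_ip6, eth_src=None):
    """Neighbor Solicitation carrying a source link-layer address option."""
    option = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + mac(src_mac)
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.ip_address(target_ip6).packed + option
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
    ip6 += ipaddress.ip_address(src_ip6).packed + ipaddress.ip_address(target_ip6).packed
    return ethernet("33:33:ff:00:00:01", eth_src or src_mac, ETH_IPV6, ip6 + icmp)


def nd_options(icmp):
    """Yield (type, value) for the options after an ND message's fixed header."""
    i = ND_FIXED_LEN[icmp[0]]
    while i + 2 <= len(icmp):
        opt_type, length = icmp[i], icmp[i + 1] * 8
        if length == 0:
            return                       # zero-length option is malformed; stop parsing
        yield opt_type, icmp[i + 2:i + length]
        i += length


def check_frame(frame):
    """Return (protocol, verdict, reason) for one Ethernet frame."""
    eth_src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_ARP:
        if len(payload) < 28:
            return ("ARP", "drop", "truncated")
        if payload[8:14] != eth_src:     # sender hardware address sits after the 8-byte ARP header
            return ("ARP", "drop", "sender MAC differs from Ethernet source MAC")
        return ("ARP", "forward", "ok")
    if ethertype == ETH_IPV6:
        if len(payload) < 40 or payload[6] != ICMPV6:
            return ("IPv6", "forward", "not ICMPv6")
        icmp = payload[40:]
        if not icmp or icmp[0] not in ND_FIXED_LEN:
            return ("ICMPv6", "forward", "not ND")
        for opt_type, value in nd_options(icmp):
            if opt_type == OPT_SOURCE_LLADDR:
                if value[:6] != eth_src:
                    return ("ND", "drop", "source link-layer address differs from Ethernet source MAC")
                return ("ND", "forward", "ok")
        return ("ND", "forward", "no source link-layer address option")
    return ("other", "forward", "not checked")
```

Frames that carry no link-layer address option pass this check unchanged; catching those requires the mapping check against known IP-to-MAC bindings, which the guide lists as the second ND criterion.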
Configuring firewall The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. Overview A firewall blocks unauthorized Internet access to a protected network while allowing internal network users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used to control access to the Internet, for example, to permit only specific hosts within the organization to access the Internet.
non-SYN packets of existing TCP connections passing through the firewall for the first time are dropped, breaking the existing TCP connections.
ASPF
Application Specific Packet Filter (ASPF) was proposed to address the issues that a static firewall cannot solve. An ASPF implements application layer and transport layer specific, that is, state-based, packet filtering. An ASPF can detect application layer protocols including FTP, GTP, HTTP, SMTP, Real RTSP, SCCP, SIP, H.323 (Q.931, H.
network segment are regarded as HTTP packets. The hosts can be specified by means of a basic ACL. • Single-channel protocol and multi-channel protocol: Single-channel protocol—A single-channel protocol establishes only one channel to exchange both control messages and data for a user. SMTP and HTTP are examples of single-channel protocols.
inspection requires a full match between the packets returned to the external interface of the ASPF and the packets previously sent out from the external interface of ASPF, namely a perfect match of the source and destination address and port number. Otherwise, the return packets will be blocked. Therefore, for multi-channel application layer protocols like FTP and H.323, the deployment of TCP detection without application layer detection will lead to failure of establishing a data connection.
The effective range for advanced ACL numbers is 3000 to 3999. An advanced ACL defines rules according to the source and destination IP addresses of packets, the type of protocol over IP, TCP/UDP source and destination ports, and so on. An advanced ACL supports the following match modes: • Normal match—Matches Layer 3 information. Non-layer 3 information is ignored. The default mode is normal match mode. • Exact match—Matches all advanced ACL rules.
ASPF configuration task list
Task: Configuring port mapping. Remarks: Optional.
Task: Enabling ASPF for an interzone instance. Remarks: Required.
Configuring port mapping Two mapping mechanisms exist: general port mapping and basic ACL–based host port mapping. • General port mapping—Refers to a mapping of a user-defined port number to an application layer protocol. If port 8080 is mapped to HTTP, for example, all TCP packets the destination port of which is port 8080 are regarded as HTTP packets.
Step 4. Enable ASPF for the interzone instance. Command: firewall aspf enable [ icmp-error drop | tcp syn-check ] Remarks: Disabled by default. For more information about security zones, see Access Control Configuration Guide. Displaying ASPF Task: Display the port mapping information. Command: display port-mapping [ application-name | port port-number ] [ vd vd-name ] [ | { begin | exclude | include } regular-expression ] Remarks: Available in any view.
Configuring content filtering Overview Content filtering enables the device to filter contents carried in HTTP packets, SMTP packets, POP3 packets, FTP packets, and Telnet packets, to prevent internal users from accessing illegal websites or sending junk emails and prevent packets carrying illegal contents from entering the internal network. Upon receiving HTTP, SMTP, POP3, FTP, or Telnet packets, the device first matches the packets against interzone policies.
SMTP packet content filtering The SMTP packet content filtering, hereafter referred to as SMTP filtering, provides the following functions: • Sender filtering—Filters sender addresses in SMTP requests, to prevent specified senders from sending emails. • Receiver filtering—Filters receiver addresses (including recipients and carbon copy or named CC recipients) in SMTP requests, to prevent internal users from sending emails to the specified receiver addresses.
• Upload filename filtering—Filters filenames carried in FTP upload requests, to prevent clients from uploading files with the specified names to the server. • Download filename filtering—Filters filenames carried in FTP download requests, to prevent clients from downloading files with the specified names from the server. Telnet packet content filtering Telnet packet content filtering, hereafter referred to as Telnet filtering, filters command words in Telnet requests.
The ampersand (&) matches any single character. It can be used multiple times in a keyword, consecutively or non-consecutively. It can appear at any position of a keyword, but cannot be used next to an asterisk (*). The asterisk (*) matches any string of up to 4 characters, including spaces. It can be used only once in a keyword and must not be at the beginning or end. A keyword with a caret (^) at the beginning or a dollar sign ($) at the end indicates an exact match.
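The wildcard rules above are easy to misread when writing filtering entries, so the following added example (not part of the guide or the device software) models them as a validator and matcher: & becomes a one-character match, * a zero-to-four-character match, and ^/$ anchor the keyword. It assumes that an unanchored keyword matches anywhere in the inspected text, which the guide does not state explicitly.

```python
import re
from typing import List, Optional

# Wildcard rules restated from the guide:
#   &  matches exactly one character; may appear any number of times, but never next to *
#   *  matches any string of 0 to 4 characters (spaces included); at most once, never first or last
#   ^ at the start / $ at the end anchor the keyword to the start / end of the inspected text
# Assumption (not stated by the guide): an unanchored keyword matches anywhere in the text.


def validate_keyword(keyword: str) -> Optional[str]:
    """Return None if the keyword obeys the wildcard rules, else a reason string."""
    core = keyword[1:] if keyword.startswith("^") else keyword
    core = core[:-1] if core.endswith("$") else core
    if not core:
        return "keyword is empty after removing anchors"
    if core.count("*") > 1:
        return "asterisk (*) may be used only once"
    star = core.find("*")
    if star == 0 or star == len(core) - 1:
        return "asterisk (*) must not be at the beginning or end"
    if star > 0 and (core[star - 1] == "&" or core[star + 1] == "&"):
        return "ampersand (&) must not be used next to asterisk (*)"
    return None


def compile_keyword(keyword: str) -> "re.Pattern[str]":
    """Translate a filtering keyword into an equivalent regular expression."""
    problem = validate_keyword(keyword)
    if problem:
        raise ValueError(f"{keyword!r}: {problem}")
    anchor_start = keyword.startswith("^")
    anchor_end = keyword.endswith("$")
    start = 1 if anchor_start else 0
    end = len(keyword) - 1 if anchor_end else len(keyword)
    pieces = []
    for ch in keyword[start:end]:
        if ch == "&":
            pieces.append(".")        # exactly one character
        elif ch == "*":
            pieces.append(".{0,4}")   # zero to four characters, spaces included
        else:
            pieces.append(re.escape(ch))
    pattern = "".join(pieces)
    if anchor_start:
        pattern = r"\A" + pattern
    if anchor_end:
        pattern = pattern + r"\Z"
    return re.compile(pattern, re.DOTALL)


def keyword_matches(keyword: str, text: str) -> bool:
    """True when the keyword (with wildcards) is found in the text."""
    return compile_keyword(keyword).search(text) is not None


def first_hit(text: str, keywords: List[str]) -> Optional[str]:
    """Return the first keyword of a filtering entry that matches the text
    (the guide drops a packet that matches any filtering entry), or None."""
    for kw in keywords:
        if keyword_matches(kw, text):
            return kw
    return None


if __name__ == "__main__":
    # Constructed sample HTTP body and a constructed keyword filtering entry
    body = "Welcome to abc corp: latest gam e news inside"
    entry = ["^xyz", "ga*e", "abc$"]
    print(first_hit(body, entry))
```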
Step Description Configuring keyword filtering entries: Keyword filtering entries include: • HTTP keyword filtering entries—For header filtering and body filtering in HTTP filtering policies. • SMTP keyword filtering entries—For subject filtering, body filtering, and attachment content filtering in SMTP filtering policies. • POP3 keyword filtering entries—For subject filtering, body filtering, and attachment content filtering in POP3 filtering policies.
Figure 53 Keyword filtering entry list 2. Click Add to enter the page for adding a keyword filtering entry. Figure 54 Adding a keyword filtering entry 3. Configure the keyword filtering entry, as described in Table 14. 4. Click Apply. Table 14 Configuration items Item Description Name: Specify the name of the keyword filtering entry. Keyword: Specify the keywords for the keyword filtering entry. You can specify up to 16 keywords separated by commas.
Figure 56 Adding a URL hostname filtering entry 4. Configure the URL hostname filtering entry as described in Table 15. 5. Click Apply. Table 15 Configuration items Item Description Name: Specify the name of the URL hostname filtering entry. URL Hostname: Specify URL hostname keywords for the URL hostname filtering entry. You can specify up to 16 keywords separated by commas. See "Configuration guidelines" for the rules of using wildcards. Configuring filename filtering entries 1.
Table 16 Configuration items Item Description Name Specify the name of the filename filtering entry. Specify filename keywords for the filename filtering entry. You can specify up to 16 filename keywords separated by commas. • If you specify a filename keyword in the format of filename.extension, the device will perform exact match for this keyword. You can use a wildcard (*) to stand for the filename part, the extension, or a string of up to 6 characters in the filename or extension.
Item Description Email Address: Specify email address keywords for the email address filtering entry, in the format of username@domain name. You can specify up to 16 email address keywords separated by commas. You can use a wildcard (*) to stand for any number of characters excluding dot (.) and use it only in the format of *@domain name or *@*domain name. Configuring URL parameter filtering keywords 1. From the navigation tree, select Identification > Content Filtering > Filtering Entry. 2.
5. Specify a URL parameter filtering keyword. See Figure 63 for the requirements on a keyword. See "Configuration guidelines" for the rules of using wildcards. A keyword string can contain spaces, but consecutive spaces are not allowed. 6. Click Apply. Figure 63 Adding a URL parameter filtering keyword Configuring java blocking keywords 1. From the navigation tree, select Identification > Content Filtering > Filtering Entry. 2. Select the Java tab to enter the java blocking keyword list page.
Figure 66 ActiveX blocking keywords setup 3. Click Add to enter the page for adding an ActiveX blocking keyword, as shown in Figure 67. 4. Specify a suffix keyword for ActiveX blocking. See Figure 67 for the requirements on a keyword. 5. Click Apply. Figure 67 Adding an ActiveX blocking keyword Configuring a content filtering policy Content filtering policies include HTTP filtering policies, SMTP filtering policies, POP3 filtering policies, FTP filtering policies, and Telnet filtering policies.
Figure 68 HTTP filtering policy list 2. Click Add to enter the page for adding an HTTP filtering policy. Figure 69 Adding an HTTP filtering policy 3. Configure the HTTP filtering policy as described in Table 18. 4. Click Apply. Table 18 Configuration items Item Description Name Specify the name for the HTTP filtering policy. URL Filtering Select the filtering entries to be used for URL hostname filtering. Header Filtering Select the filtering entries to be used for header filtering.
Item Description URL Parameter Filtering: Specify whether to enable URL parameter filtering. If you select this item, all URL parameter filtering keywords are effective. ActiveX Blocking: Specify whether to enable ActiveX blocking. If you select this item, all ActiveX blocking keywords are effective. Java Applet Blocking: Specify whether to enable java applet blocking. If you select this item, all java blocking keywords are effective. Specify whether to log packet matching events.
Figure 71 Adding an SMTP filtering policy Table 19 Configuration items Item Description Name Specify the name for the SMTP filtering policy. Sender Filtering Select the filtering entries to be used for sender filtering. Receiver Filtering Select the filtering entries to be used for receiver filtering. Subject Filtering Select the filtering entries to be used for subject filtering. Body Filtering Select the filtering entries to be used for body filtering.
Item Description Enable Logging: Specify whether to log packet matching events. IMPORTANT: The logging function takes effect only when it is enabled in both the content filtering policy and the interzone policy. Configuring a POP3 filtering policy 1. From the navigation tree, select Identification > Content Filtering > Filtering Policy. 2. Select the POP3 Policy tab to enter the POP3 filtering policy list page. Figure 72 POP3 filtering policy list 3.
Item Description Sender Filtering Select the filtering entries to be used for sender filtering. Receiver Filtering Select the filtering entries to be used for receiver filtering. Subject Filtering Select the filtering entries to be used for subject filtering. Body Filtering Select the filtering entries to be used for body filtering. Attachment Filtering Attachment Name Filtering Select the filtering entries to be used for attachment name filtering.
4. Configure the FTP filtering policy, as described in Table 21. 5. Click Apply. Table 21 Configuration items Item Description Name Specify the name for the FTP filtering policy. Command Filtering Select the filtering entries to be used for command word filtering. Upload Filename Filtering Select the filtering entries to be used for upload filename filtering. Download Filename Filtering Select the filtering entries to be used for download filename filtering.
Table 22 Configuration items Item Description Name: Specify the name for the Telnet filtering policy. Command Filtering: Select the filtering entries to be used for command word filtering. IMPORTANT: • Packets that match these filtering conditions will be dropped. • You must select at least one command word filtering entry for the Telnet filtering policy. Specify whether to log packet matching events.
Figure 79 Adding a content filtering policy template 3. Configure the content filtering policy template, as described in Table 23. 4. Click Apply. Table 23 Configuration items Item Description Name Enter the name of the content filtering policy template. HTTP Filtering Policy Select the HTTP filtering policy to be used in the content filtering policy template. SMTP Filtering Policy Select the SMTP filtering policy to be used in the content filtering policy template.
Figure 80 Statistic information Content filtering configuration example Network requirements As shown in Figure 81, hosts in LAN segment 192.168.1.0/24 access the Internet through the firewall. Security zones Trust and Untrust are configured on the device for the LAN and the Internet. On the firewall: • Enable HTTP body filtering to block HTTP responses that carry keyword abc. • Enable HTTP java applet blocking to block java applet requests to all websites except the one with IP address 5.5.5.5.
Figure 81 Network diagram Configuring the firewall 1. Configure IP addresses for the interfaces of the device and assign the interfaces to security zones. (Details not shown.) 2. Configure a keyword filtering entry named abc: a. From the navigation tree, select Identification > Content Filtering > Filtering Entry. The keyword filtering entry list page appears. b. Click Add. c. Enter the entry name abc, and the keyword abc as shown in Figure 82. d. Click Apply.
a. Select the Filename tab. b. Click Add. c. Enter the entry name exe, and the filename keyword *.exe as shown in Figure 84. d. Click Apply. Figure 84 Configuring a filename filtering entry *.exe 5. Configure an FTP filename filtering entry system: a. Select the Filename tab, and then click Add. b. Enter the entry name system, and the filename keyword system as shown in Figure 85. c. Click Apply. Figure 85 Configuring a filename filtering entry system 6.
Figure 86 Configuring an HTTP filtering policy without java applet blocking 7. Configure an HTTP filtering policy with java applet blocking: a. On the HTTP filtering policy list page, click Add. b. Enter the policy name http_policy2. c. Click Body Filtering. d. Select body filtering entry abc in the available filtering entry list, and then click << to add it to the selected filtering entry list. e. Select the box before Java Applet Blocking. f. Click Apply.
Figure 87 Configuring an HTTP filtering policy with java applet blocking 8. Configure an SMTP filtering policy: a. Select the SMTP Policy tab. b. Click Add. c. Enter the policy name smtp_policy. d. Click Attachment Filtering. e. In the Attachment Name Filtering area, select filename filtering entry exe in the available filtering entry list, and then click << to add it to the selected filtering entry list. f. Click Apply.
Figure 88 Configuring an SMTP filtering policy 9. Configure an FTP filtering policy: a. Select the FTP Policy tab. b. Click Add. c. Enter the policy name ftp_policy. d. Click Upload Filename Filtering. e. Select filename filtering entry system in the available filtering entry list, and then click << to add it to the selected filtering entry list. f. Click Apply.
Figure 89 Configuring an FTP filtering policy 10. Configure a Telnet filtering policy: a. Select the Telnet tab. b. Click Add. c. Enter the policy name telnet_policy. d. Click Command Filtering. e. Select command filtering entry reboot in the available filtering entry list, and then click << to add it to the selected filtering entry list. f. Click Apply.
11. Configure a content filtering policy template without java applet blocking: a. From the navigation tree, select Identification > Content Filtering > Policy Template. b. Click Add. c. Enter the template name template1. d. Select HTTP filtering policy http_policy1, SMTP filtering policy smtp_policy, FTP filtering policy ftp_policy, and Telnet filtering policy telnet_policy. e. Click Apply. Figure 91 Configuring a content filtering policy template without java applet blocking 12.
a. From the navigation tree, select Firewall > Security Policy > Interzone Policy. b. Click Add. c. Select Trust as the source zone and Untrust as the destination zone. d. Select any_address as the source IP address. In the Destination IP Address area, select the New IP Address option and then enter destination IP address 5.5.5.5/0.0.0.0. e. Select any_service as the service name and Permit as the filter action. f. Select content filtering policy template template1. g.
Figure 94 Configuring the interzone policy referencing the template with java applet blocking Verifying the configuration After the previous configurations, LAN users cannot receive HTTP responses that carry keyword abc, send java applet requests to Web servers except server 5.5.5.5, send emails with .exe attachments, upload files named abc through FTP, or execute Telnet command reboot.
Figure 95 Content filtering statistics Configuring content filtering at the CLI Content filtering configuration task list 1. Configure keyword filtering entries and add keywords, URL hostnames, file names, and email addresses to be filtered to each entry. You can also configure URL parameter filtering keywords, java blocking keywords, and ActiveX blocking keywords in system view. These keywords take effect without being applied to a content filtering policy or a content filtering policy template. 2.
Tasks at a glance
(Required.) Configure filtering entries and keywords:
• Configuring a keyword filtering entry
• Configuring a URL hostname filtering entry
• Configuring a filename filtering entry
• Configuring an email address filtering entry
• Configuring URL parameter filtering keywords
• Configuring java blocking keywords
• Configuring ActiveX blocking keywords
(Required.
To configure a URL hostname filtering entry: Step Commands Remarks 1. Enter system view. system-view N/A 2. Enter VD view. switchto vd vd-name Required for a non-default VD. 3. Create a URL hostname filtering entry and enter its view. content-filtering url-hostname-entry url-hostname-entry-name By default, no URL hostname filtering entry exists. 4. Add a URL hostname to the URL hostname filtering entry. url-hostname fix-string url-hostname Optional.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter VD view. switchto vd vd-name Required for a non-default VD. 3. Create an email address filtering entry and enter its view. content-filtering email-address-entry email-entry-name By default, no email address filtering entry exists. 4. Add an email address to the email address filtering entry. email-address mail-address Optional. By default, an email address filtering entry does not have any email address.
Configuring an HTTP filtering policy You can specify multiple filtering entries for filtering HTTP packets in an HTTP filtering policy. Packets that match any filtering entry are dropped. An HTTP filtering policy can contain different types of filtering entries and each type can contain multiple filtering entries. To configure an HTTP filtering policy: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter VD view.
Configuring an SMTP filtering policy You can specify multiple filtering entries for filtering SMTP packets in an SMTP filtering policy. Packets that match any filtering entry are dropped. An SMTP filtering policy can contain different types of filtering entries and each type can contain multiple filtering entries. To configure an SMTP filtering policy: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter VD view.
NOTE: • SMTP filtering policies created in system view belong to the default VD. • SMTP filtering policies created in VD view belong to the corresponding VD. Configuring a POP3 filtering policy You can specify multiple filtering entries for filtering POP3 packets in a POP3 filtering policy. Packets that match any filtering entry are dropped. A POP3 filtering policy can contain different types of filtering entries and each type can contain multiple filtering entries.
NOTE: • POP3 filtering policies created in system view belong to the default VD. • POP3 filtering policies created in VD view belong to the corresponding VD. Configuring an FTP filtering policy You can specify multiple filtering entries for filtering FTP packets in an FTP filtering policy. Packets that match any filtering entry are dropped. An FTP filtering policy can contain different types of filtering entries and each type can contain multiple filtering entries.
A Telnet filtering policy can contain different types of filtering entries and each type can contain multiple filtering entries. To configure a Telnet filtering policy: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter VD view. switchto vd vd-name This command is required for entering the system view of a non-default VD. 3. Create a Telnet filtering policy and enter its view. content-filtering telnet-policy policy-name By default, no Telnet filtering policy exists.
Step Command Remarks 4. Apply a content filtering policy.
• Apply an HTTP filtering policy: http-policy policy-name
• Apply an SMTP filtering policy: smtp-policy policy-name
• Apply a POP3 filtering policy: pop3-policy policy-name
• Apply an FTP filtering policy:
Configure at least one command. By default, no content filtering policy is applied in a policy template.
Figure 96 Network diagram Configuration procedure 1. Specify the IP addresses for the interfaces and assign the interfaces to appropriate zones. (Details not shown.) 2. Configure filtering entries: # Create a keyword filtering entry kwd1 and enter its view. system-view [Firewall] content-filtering keyword-entry kwd1 # Add a keyword abc to the entry kwd1.
# Specify the keyword filtering entry kwd1 for HTTP body filtering. [Firewall-contflt-http-policy-http_policy2] body-filtering keyword-entry kwd1 # Enable java applet blocking for http_policy2. [Firewall-contflt-http-policy-http_policy2] java-applet-blocking enable [Firewall-contflt-http-policy-http_policy2] quit # Create an SMTP filtering policy smtp_policy1 and enter its view.
[Firewall-object-network-private] quit # Create an IP address object webserver and specify its IP address 5.5.5.5. [Firewall] object network host webserver [Firewall-object-network-webserver] host address 5.5.5.5 [Firewall-object-network-webserver] quit # Configure an interzone instance for traffic from the Trust zone to the Untrust zone.
SMTP attachment body filtering 0
POP3 sender filtering 0
POP3 receiver filtering 0
POP3 subject filtering 0
POP3 body filtering 0
POP3 attachment name filtering 0
POP3 attachment body filtering 0
FTP command filtering 0
FTP upload filename filtering 3
FTP download filename filtering 0
Telnet command filtering 5
Configuring URPF Overview Unicast Reverse Path Forwarding (URPF) protects a network against source spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.
• ACL—To identify specific packets as valid packets, you can use an ACL to match these packets. Even if the packets do not pass URPF check, they are still forwarded correctly. URPF work flow URPF does not check multicast packets. Figure 98 shows how URPF works.
2. If yes, proceeds to step 3. If not, proceeds to step 5.
3. URPF checks whether the matching route is a default route: If yes, URPF checks whether the allow-default-route keyword is configured. If yes, proceeds to step 4. If not, proceeds to step 5. If the matching route is not a default route, proceeds to step 4.
4. URPF checks whether the receiving interface matches the output interface of the matching FIB entry:
5. Proceeds to step 2 for other packets.
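To make the work flow concrete, the following added example (not part of the guide or the device software) simulates the URPF decision for a packet: longest-prefix lookup of the source address, the default-route rule with allow-default-route, the strict versus loose interface comparison, and the ACL exception for packets identified as valid. The FIB, interface names (GE0/1 to GE0/3) and the 192.168.0.0/16 and 172.16.0.9 addresses are constructed; ACL 2010 permitting 10.1.1.0/24 is taken from the configuration example for Device B.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FibEntry:
    prefix: IPv4Network
    out_iface: str


@dataclass
class UrpfConfig:
    mode: str = "strict"               # "strict": interface must match; "loose": route must exist
    allow_default_route: bool = False  # the guide's allow-default-route keyword
    acl_permit: List[IPv4Network] = field(default_factory=list)  # sources a basic ACL marks valid


def lookup(fib: List[FibEntry], src: IPv4Address) -> Optional[FibEntry]:
    """Longest-prefix match of the source address against the FIB."""
    best = None
    for entry in fib:
        if src in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def urpf_check(fib: List[FibEntry], cfg: UrpfConfig, src_ip: str, in_iface: str) -> Tuple[bool, str]:
    """Decide whether an incoming packet passes URPF; returns (forward, reason)."""
    src = ip_address(src_ip)
    if src.is_multicast:                      # the guide: URPF does not check multicast packets
        return True, "multicast, not checked"

    def acl_or_drop(reason: str) -> Tuple[bool, str]:
        # Packets the ACL identifies as valid are forwarded even if they fail the URPF check
        if any(src in net for net in cfg.acl_permit):
            return True, reason + "; forwarded by ACL exception"
        return False, reason + "; dropped"

    entry = lookup(fib, src)
    if entry is None:
        return acl_or_drop("no FIB entry for source")
    if entry.prefix.prefixlen == 0 and not cfg.allow_default_route:
        # A default route counts as a matching route only with allow-default-route configured
        return acl_or_drop("source matched only the default route")
    if cfg.mode == "strict" and entry.out_iface != in_iface:
        return acl_or_drop(f"strict check: route points to {entry.out_iface}, packet arrived on {in_iface}")
    return True, "passed URPF"


# Constructed FIB modelled on Device B: a directly attached 10.1.1.0/24, a second network, a default route.
FIB = [
    FibEntry(ip_network("10.1.1.0/24"), "GE0/1"),
    FibEntry(ip_network("192.168.0.0/16"), "GE0/2"),
    FibEntry(ip_network("0.0.0.0/0"), "GE0/3"),
]
# Zone B: strict check, with ACL 2010 (permit 10.1.1.0/24) as the exception list.
ZONE_B = UrpfConfig(mode="strict", acl_permit=[ip_network("10.1.1.0/24")])


if __name__ == "__main__":
    samples = [("10.1.1.5", "GE0/1"), ("192.168.3.4", "GE0/1"),
               ("10.1.1.7", "GE0/2"), ("172.16.0.9", "GE0/1")]
    for src, iface in samples:
        print(src, iface, urpf_check(FIB, ZONE_B, src, iface))
```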
Configure ACLs for special packets or users. Configuring the URPF in the Web interface Configuring URPF 1. From the navigation tree, select Intrusion Detection > URPF Check to enter the URPF check configuration page, as shown in Figure 100. Figure 100 URPF check configuration page 2. Configure URPF settings for the security zone, as shown in Table 24. 3. Click Apply. Table 24 Configuration items Item Description Security zone where the URPF check is to be configured.
Network requirements As shown in Figure 101, Device A (CE) directly connects to Device B (PE). Enable strict URPF check in Zone B of Device B to allow packets whose source addresses match ACL 2010 to pass. Enable strict URPF check in Zone A of Device A and allow use of the default route for URPF check. Figure 101 Network diagram Configuring Device B 1. Configure the interface IP addresses and security zones they belong to. (Details not shown.) 2. Define ACL 2010 to permit traffic from network 10.1.1.
Figure 103 Configuring ACL 2010 3. Enable strict URPF check in Zone B: a. From the navigation tree, select Intrusion Detection > URPF Check. The URPF configuration page appears, as shown in Figure 104. b. Select zoneB in Security Zone. c. Select Enable URPF. d. Select ACL and type 2010 in the field. e. Select Strict in Type of Check. f. Click Apply. Figure 104 Configuring URPF in zoneB Configuring Device A 1. Configure the interface IP addresses and security zones they belong to. (Details not shown.
f. Click Apply. Figure 105 Configuring URPF on zoneA Configuring the URPF at the CLI Configuring URPF Perform this task to configure URPF for a security zone. URPF checks only incoming packets on a zone. Do not configure the allow-default-route keyword for loose URPF check. Otherwise, URPF might fail to work. To enable URPF: Step Command Remarks 1. Enter system view. system-view N/A 2. Create a security zone and enter its view. zone name zone-name [ id zone-id ] Optional. 3.
Enable strict URPF check for zoneA on Device A and allow using the default route for URPF check. Figure 106 Network diagram Configuration procedure 1. Assign IP addresses for interfaces and add them into security zones. (Details not shown.) 2. Configure Device B: # Define ACL 2010 to permit traffic from network 10.1.1.0/24 to pass. system-view [DeviceB] acl number 2010 [DeviceB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.
Configuring IDS collaboration The firewall device can collaborate with only Venusense IDS devices. IDS collaboration can be configured only in the Web interface. IDS collaboration overview Figure 107 Network diagram for IDS collaboration As shown in Figure 107, IDS collaboration enables a firewall to work with an intrusion detection system (IDS) device. The collaboration process is as follows: 1. The IDS device examines network traffic for attacks. 2.
• The aging time for an IDS blocking entry is five minutes. The timer restarts if the firewall receives an SNMP trap with the same attack information before the timer expires. • A blocking entry is effective only to subsequent connections matching this entry. To make entries apply to the current connections, disable the fast forwarding function of the firewall. • Disabling IDS collaboration removes the generated blocking entries from the firewall.
Configuring advanced security protection Advanced security protection can be configured only in the Web interface. When the device is operating in UTM mode, the device provides advanced security protection functions such as IPS, AV, content monitoring, bandwidth management, protocol audit, and URL filtering, and basic security functions such as VPN and firewall. For more information about the system operating modes, see Getting Started Guide.
Overview Time tables define time ranges. Bandwidth management policies reference time tables, so that they can take different actions to the matching packets in different time ranges. A time table can define up to ten periodic time ranges, such as 8:30 to 18:00 every Monday through Friday. If you define multiple time ranges in a time table, the time table takes effect as long as one of the time ranges takes effect. Creating a time table 1.
Licenses Feature and hardware compatibility
Hardware: License compatibility
F1000-A-EI/F1000-E-SI/F1000-S-AI: Yes
F1000-C-G/F1000-S-G/F1000-A-G: Yes
F1000-E: No
F1000-S-EI: No
F100-C-G/F100-S-G: Yes
F100-M-G/F100-A-G/F100-E-G: Yes
F5000-A5: No
F5000-S/F5000-C: No
Firewall modules: No
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: Yes
Overview Licenses control whether you can upgrade signature databases and use time-sensitive features.
Figure 111 License Importing a license 1. Select Advanced Security Prevention > License from the navigation tree. The license information page appears, as shown in Figure 111. 2. In the Import License tab, browse to a license file saved on the local host. 3. Click Import to import the license to the device. Exporting a license 1. Select Advanced Security Prevention > License from the navigation tree. The license information page appears, as shown in Figure 111. 2.
Hardware: Signature upgrade compatibility
F1000-S-EI: No
F100-C-G/F100-S-G: Yes
F100-M-G/F100-A-G/F100-E-G: Yes
F5000-A5: No
F5000-S/F5000-C: No
Firewall modules: No
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: Yes
Overview Signature databases define which signatures the device can recognize, for example, attack signatures and virus signatures. You must upgrade them promptly to ensure security.
Figure 112 Signature upgrade Signature database upgrade modes include automatic online upgrade, manual online upgrade, and local upgrade. The following uses the IPS signature database to describe the signature database upgrade process. Upgrade of the antivirus signature database is similar. • Automatic online upgrade—In the IPS Signature area, select the Upgrade Automatically box, select the day of the week and the time, and then click Apply at the bottom of the page.
Hardware: IPS compatibility
F100-C-G/F100-S-G: Yes
F100-M-G/F100-A-G/F100-E-G: Yes
F5000-A5: No
F5000-S/F5000-C: No
Firewall modules: No
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: Yes
Overview The IPS typically runs on a network trunk. Based on IPS policies, IPS can implement real-time traffic analysis and anomaly detection, and trigger predefined actions in response. For example, IPS can block abnormal traffic to prevent suspicious code from being injected into target hosts and executed.
Figure 113 IPS policies NOTE: IPS policies that have been referenced cannot be deleted. The delete icon is not provided for such IPS policies. 2. At the top of the page, you can set the IPS log output parameters, as described in Table 25. 3. Click Apply. Table 25 Configuration items Item Description Send logs to remote log hosts: Select this option to send IPS logs to the specified remote log hosts. Send logs through emails
Figure 114 Adding an IPS policy 3. Configure the IPS policy, as described in Table 26. 4. Click Apply. Table 26 Configuration items Item Description Name: Enter a name for the IPS policy. Severity: Select the severity levels of attacks to be detected and prevented. Severity levels include critical, major, minor, and warning, in descending order. IMPORTANT: To ensure the device performance, H3C recommends detecting and preventing only attacks of the critical level.
Figure 116 Applying an IPS policy 4. Configure the IPS policy application as described in Table 27. 5. Click Apply. Table 27 Configuration items Items Description Source Zone: Select the source zone to which to apply the IPS policy. Destination Zone: Select the destination zone to which to apply the IPS policy. IMPORTANT: • You can configure only one IPS policy application for a pair of source and destination security zones. • When the source zone and the destination
Items Description Protected Zones: Specify the zones to be protected by the IPS policy, which can be the destination zone, or both the destination and source zones. Source IP List: Add the source IP addresses to be matched by the IPS policy. You can add up to ten host addresses or network segment addresses. Destination IP List: Add the destination IP addresses to be matched by the IPS policy. You can add up to ten host addresses or network segment addresses. Excluded IP List
Recommended configuration procedure Step Remarks 1. Configuring antivirus log output parameters: Optional. Specify whether to send logs to remote log hosts and whether to send logs through emails. By default, logs are not sent to remote log hosts and are not sent through emails. 2. Creating an antivirus policy: Required. No antivirus policy exists by default. 3. Applying an antivirus policy: Required. No antivirus policy is applied by default. Configuring antivirus log output parameters 1.
Item Description Send logs through emails: Select this option to send antivirus logs to the specified recipients through emails. Navigate to page Log Report > Log Email to specify the recipients. Creating an antivirus policy 1. Select Advanced Security Prevention > AV from the navigation tree. The AV Policies tab is displayed, as shown in Figure 117. 2. Click Add and add an antivirus policy. Figure 118 Adding an antivirus policy 3. Configure the antivirus policy as described in Table 29. 4.
Click the AV Policy Applications tab, as shown in Figure 119. Figure 119 Antivirus policy applications 2. Click Add to enter the antivirus policy application configuration page. Figure 120 Applying an antivirus policy 3. Configure the antivirus policy application as described in Table 30. 4. Click Apply.
Table 30 Configuration items
Source Zone: Select the source zone to which to apply the antivirus policy.
Destination Zone:
IMPORTANT:
• You can configure only one antivirus policy application for a pair of source and destination security zones.
• When the source zone and the destination zone are different zones, specify the internal trusted zone as the destination zone and the external untrusted zone as the source zone.
Hardware: Content monitoring compatibility
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: Yes
Overview
In conventional network security solutions, network attack defense focuses on attacks from external networks. However, as networks spread into every area of daily life, attacks originating from LANs are increasing, which requires network devices to provide internal network security features. The content monitoring feature is developed to meet this requirement.
Figure 121 Content monitoring policies
Content monitoring policies that have been referenced cannot be deleted. The delete icon is not provided for such content monitoring policies.
2. At the top of the page, set whether to send content monitoring logs to the specified remote log hosts. If you select the Send logs to remote log hosts option, you need to navigate to page Log Report > Syslog to specify the remote log host addresses.
3. Click Apply.
Creating a content monitoring policy
1.
Figure 122 Adding a content monitoring policy
3. Configure the content monitoring policy as described in Table 31.
4. Click Apply.
Table 31 Configuration items
Name: Enter a name for the content monitoring policy.
IM Applications:
QQ: Select the types of QQ applications to be monitored.
MSN: Select the types of MSN applications to be monitored.
Effective Time: Set the effective time for monitoring the selected IM applications.
Remote Access Applications:
Database Applications:
Oracle: Select the types of Oracle access behaviors to be monitored.
Sybase: Select the types of Sybase access behaviors to be monitored.
SQL Server: Select the types of SQL Server access behaviors to be monitored.
MySQL: Select the types of MySQL access behaviors to be monitored.
Effective Time: Set the effective time for monitoring the selected database access behaviors.
Applying a content monitoring policy
1.
Figure 124 Applying a content monitoring policy
4. Configure the content monitoring policy application as described in Table 32.
5. Click Apply.
Table 32 Configuration items
Source Zone: Select the source zone to which to apply the content monitoring policy.
IMPORTANT:
• You can configure only one content monitoring policy application for a pair of source and destination security zones.
Source IP List: Add the source IP addresses to be matched by the content monitoring policy. You can add up to ten host addresses or network segment addresses.
Destination IP List: Add the destination IP addresses to be matched by the content monitoring policy. You can add up to ten host addresses or network segment addresses.
Excluded IP List: Add IP addresses to be excluded from the source or destination IP list of the content monitoring policy.
An interzone instance specifies the source zone and destination zone of the packets to be inspected by a security policy. You can apply different bandwidth management policies to different interzone instances for more flexible control of the network traffic. By performing flexible bandwidth controls for applications and limiting non-critical applications, bandwidth management guarantees bandwidth for mission-critical applications of the user network. A service is a set of match rules.
− To restore the default settings of a system-defined protocol, click the Restore button.
− To delete a user-defined protocol, select the protocol in the protocol tree and then click the Delete Protocol button under the tree.
Figure 125 Protocol management
3. Click Add Protocol. On the popup page, as shown in Figure 126, you can specify an application layer protocol carried over TCP or UDP.
Figure 126 Adding a protocol
4. Configure the protocol as described in Table 33.
5. Click Apply.
Table 33 Configuration items
Name: Enter a name for the protocol.
IMPORTANT: After the device updates its IPS signature database, new system-defined protocols may be added. If a new system-defined protocol has the same name as an existing user-defined protocol, the user-defined protocol is deleted when the device is restarted. Therefore, H3C recommends that you specify a characteristic name for each user-defined protocol.
Figure 127 Service management
3. Select a service in the service tree and then click the Add Service button to enter the service configuration page, as shown in Figure 128. On the page, you can add a service that uses the selected service as the father service.
Figure 128 Adding a service
4. Configure the service as described in Table 34.
5. Click Apply.
Table 34 Configuration items
Displays the father service of the service to be added.
Description: Configure the description information for the service, which helps you tell different services apart.
6. In the service tree, select a service for which you want to add a match rule.
7. Click Add Match Rule to enter the match rule configuration page, as shown in Figure 129.
Figure 129 Adding a match rule
8. Configure a match rule for the service, as described in Table 35.
9. Click Apply.
Configuring bandwidth management log output parameters
1. Select Advanced Security Prevention > Bandwidth Management from the navigation tree. The Bandwidth Management Policies tab is displayed, as shown in Figure 130.
− On the bandwidth management policy list, you can click the icon for a policy to view the rules of the policy.
− The bandwidth management policies that have been referenced cannot be deleted. The delete icon is not provided for such bandwidth management policies.
Figure 131 Adding a bandwidth management policy
3. Configure the bandwidth management policy as described in Table 37.
Table 37 Configuration items
Name: Enter a name for the bandwidth management policy.
Working mode: Set the working mode for the policy:
• Group Mode—Limits the total bandwidth of all users matching the policy.
• User Mode—Limits the bandwidth of each user matching the policy independently.
4.
Table 38 Configuration items
Service Name: Specify the service that the rule matches. On the rule's advanced configuration page, this field only displays the service name. Click the icon of the rule, and a page appears, where you can select a service.
IMPORTANT:
• In one policy, you cannot specify the same service for different rules.
• If you configure a rule for a service and a rule for its child service, the rule for the child service takes effect.
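The Group Mode and User Mode working modes of Table 37, modelled as an added Python example that is not HP's code: a token bucket is kept per policy (Group Mode) or per user address (User Mode). The token-bucket limiter, the burst size, the addresses and the packet trace are constructed assumptions; the 1500 kbps figure is the one used in the configuration example later in this chapter.

```python
from collections import defaultdict

# Constructed illustration (not HP/H3C code) of the two working modes: one
# shared token bucket per policy (Group Mode) or one per user (User Mode).

class TokenBucket:
    def __init__(self, rate_kbps, burst_bytes):
        self.rate = rate_kbps * 1000 / 8          # refill rate in bytes per second
        self.capacity = burst_bytes
        self.tokens = burst_bytes
        self.last = 0.0

    def allow(self, now, nbytes):
        # refill for the elapsed time, capped at the burst size, then try to spend
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False

class BandwidthPolicy:
    def __init__(self, mode, max_kbps, burst_bytes=20000):
        assert mode in ("group", "user")
        self.mode = mode
        self.buckets = defaultdict(lambda: TokenBucket(max_kbps, burst_bytes))

    def forward(self, now, user_ip, nbytes):
        # Group Mode: every matching user shares one bucket; User Mode: one each
        key = "all" if self.mode == "group" else user_ip
        return self.buckets[key].allow(now, nbytes)

def run(policy, packets):
    """packets: (time_s, user_ip, nbytes) triples; returns bytes forwarded per user."""
    out = defaultdict(int)
    for t, ip, n in packets:
        if policy.forward(t, ip, n):
            out[ip] += n
    return dict(out)

# Constructed trace: two internal hosts each sending 1500-byte packets every
# 4 ms for one second (about 3000 kbps each, 6000 kbps in total).
PACKETS = [(i * 0.004, ip, 1500) for i in range(250)
           for ip in ("10.1.1.10", "10.1.1.11")]
```

With a 1500 kbps limit, Group Mode forwards roughly 1500 kbps for both hosts together, while User Mode forwards roughly 1500 kbps for each of them.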
9. Click Apply on the Add Bandwidth Management Policy page. Applying a bandwidth management policy 1. Select Advanced Security Prevention > Bandwidth Management from the navigation tree. 2. Click the Bandwidth Management Policy Applications tab, as shown in Figure 134. Figure 134 Bandwidth management policy applications 3. Click Add to enter the bandwidth management policy application configuration page, as shown in Figure 135. Figure 135 Applying a bandwidth management policy 4.
Table 39 Configuration items
Source Zone: Select the source zone to which to apply the bandwidth management policy.
Destination Zone: Select the destination zone to which to apply the bandwidth management policy.
IMPORTANT:
• Bandwidth management policies can be applied only to interzone instances (source-destination zone pairs), and in the same zone, only one bandwidth management policy can be applied.
• When the source zone and the destination
Hardware: Protocol audit compatibility
Firewall modules: No
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: Yes
Overview
You can configure protocol audit to audit the following protocols:
• HTTP—Audits the URI that users have accessed and the host field.
• SMTP and POP3—Audits receivers (including recipients, CC recipients, and BCC recipients), senders, and subjects of the mails that are sent or received through SMTP or POP3.
Figure 136 Protocol audit policies
Protocol audit policies that have been referenced cannot be deleted. The delete icon is not provided for such protocol audit policies.
2. At the top of the page, set whether to send protocol audit logs to the specified remote log hosts. If you select the Send logs to remote log hosts option, you need to navigate to page Log Report > Syslog to specify the remote log host addresses.
3. Click Apply.
Creating a protocol audit policy
1.
2. Click the Protocol Audit Policy Applications tab, as shown in Figure 138. Figure 138 Protocol audit policy applications 3. Click Add to enter the protocol audit policy application configuration page, as shown in Figure 139. Figure 139 Applying a protocol audit policy 4. Configure the protocol audit policy application as described in Table 41. 5. Click Apply.
Table 41 Configuration items
Source Zone: Select the source zone to which to apply the protocol audit policy.
Destination Zone: Select the destination zone to which to apply the protocol audit policy.
IMPORTANT:
• You can configure only one protocol audit policy application for a pair of source and destination security zones.
• When the source zone and the destination
Hardware: URL filtering compatibility
U200-S/U200-CS/U200-CM: Yes
Overview
The Uniform Resource Locator (URL) filtering function filters HTTP requests. The device supports only user-defined URL filtering policies. To define a user-defined URL filtering policy, you may specify the domain name and uniform resource identifier (URI) as the filtering criteria as well as the filtering and logging time.
Recommended configuration procedure
Step Remarks Required. 1. 2. 3.
3. Select Enable user-defined URL filtering.
4. Select one of the following processing methods for HTTP requests:
− Drop HTTP request
− Redirect to URL—Redirects HTTP requests to the specified URL. You need to manually configure the target URL for redirection.
− Return a page—Sends a response webpage to the device that sends the HTTP request. You need to configure the webpage content to be sent by using either of the following methods:
  − Enter the content in the field below.
5.
User-Defined URL Rule: Configure rules for the user-defined URL filtering policy. For more information, see "Configuring user-defined URL filtering rules."
Default URL Filtering Rule: Configure the time for blocking and logging the HTTP requests that do not match the user-defined URL filtering rules. For more information, see "Configuring default URL filtering rules."
Configuring user-defined URL filtering rules
1.
URI: Optional. Configure the URI as the filtering criterion. You can specify a URI string or regular expression. For information about filtering criteria, see Table 44.
Block at: Select the time for blocking the HTTP requests that match the rule.
Log at: Select the time for logging the HTTP requests that match the rule.
Table 44 Filtering criteria combinations
Domain name string / Domain name regular expression / URI string / URI regular expression / Filtering effect
www.abc.
Table 45 Configuration items Item Description Block at Select the time for blocking the HTTP requests that do not match the user-defined URL filtering rules. Log at Select the time for logging the HTTP requests that do not match the user-defined URL filtering rules. Applying the URL filtering policy 1. Select Advanced Security Prevention > URL Filtering from the navigation tree. 2. Click the URL Filtering Applications tab, as shown in Figure 146. Figure 146 URL Filtering Applications tab 3.
Figure 147 Configuring URL filtering policy application
4. Configure the URL filtering policy application as described in Table 46. URL filtering examines the HTTP requests from the destination domain to the source domain.
Table 46 Configuration items
Source Zone: Specify the source zone to which the URL filtering policy is to be applied.
NOTE:
• You can configure only one URL filtering policy application for a pair of source and destination security zones.
IP List: Configure IP addresses that the URL filtering policy will filter. You may configure a maximum of 10 IP addresses, including host addresses and network segment addresses.
NOTE: Only IP addresses of the destination domain are configured in this field.
Excluded IP List: Configure IP addresses that the URL filtering policy will not filter. You may configure a maximum of 10 IP addresses, including host addresses and network segment addresses.
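The user-defined URL filtering policy described above (domain and URI criteria as strings or regular expressions, Block at and Log at times, the default rule for unmatched requests, and the IP List and Excluded IP List with their 10-entry limit), modelled as an added Python example that is not HP's code. The weekday-set representation of the schedules, exact matching for non-regex criteria, and the hosts and addresses in the sample policy are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed model of the user-defined URL filtering policy above. Schedules are
# sets of weekday numbers (0 = Monday) and non-regex criteria match exactly; both
# are illustration assumptions, not behaviour taken from the guide.
ALWAYS = frozenset(range(7))

@dataclass
class UrlRule:
    domain: str                   # domain name string or regular expression
    uri: str = ""                 # optional URI string or regular expression
    domain_is_regex: bool = False
    uri_is_regex: bool = False
    block_at: frozenset = ALWAYS  # days on which matching requests are blocked
    log_at: frozenset = ALWAYS    # days on which matching requests are logged

    def matches(self, host, path):
        dom_ok = re.search(self.domain, host) if self.domain_is_regex else host == self.domain
        if not dom_ok or not self.uri:        # no URI criterion: domain alone decides
            return bool(dom_ok)
        return bool(re.search(self.uri, path)) if self.uri_is_regex else path == self.uri

@dataclass
class UrlFilterPolicy:
    action: str                   # "drop", "redirect" or "page" for blocked requests
    rules: list = field(default_factory=list)
    ip_list: list = field(default_factory=list)           # up to 10 hosts/networks
    excluded_ip_list: list = field(default_factory=list)  # up to 10 hosts/networks
    default_block_at: frozenset = frozenset()  # default rule: requests matching no rule
    default_log_at: frozenset = frozenset()

    def in_scope(self, ip):
        addr = ipaddress.ip_address(ip)   # Excluded IP List wins over IP List
        if any(addr in ipaddress.ip_network(n) for n in self.excluded_ip_list):
            return False
        return not self.ip_list or any(addr in ipaddress.ip_network(n) for n in self.ip_list)

    def evaluate(self, ip, host, path, weekday):
        """Return (action, logged) for one HTTP request; the first matching rule wins."""
        if not self.in_scope(ip):
            return ("permit", False)
        for rule in self.rules:
            if rule.matches(host, path):
                return (self.action if weekday in rule.block_at else "permit",
                        weekday in rule.log_at)
        return (self.action if weekday in self.default_block_at else "permit",
                weekday in self.default_log_at)

# Constructed sample policy: redirect a game URI Monday to Friday, redirect every
# host under badsite.test on any day, and only log everything else.
POLICY = UrlFilterPolicy(
    action="redirect",
    rules=[UrlRule("www.example.com", uri="/games", block_at=frozenset(range(5))),
           UrlRule(r"\.badsite\.test$", domain_is_regex=True)],
    ip_list=["192.168.1.0/24"], excluded_ip_list=["192.168.1.100/32"],
    default_log_at=ALWAYS)
```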
• Limit the bandwidth occupied by the Internet BitTorrent traffic of the internal users, setting both the maximum upstream bandwidth and the maximum downstream bandwidth to 1500 kbps.
• Audit the HTTP and FTP traffic generated by internal users and send protocol audit logs to the remote log host whose IP address is 10.1.1.2.
Figure 148 Network diagram
Configuring IPS
1. Create an IPS policy:
a. Select Advanced Security Prevention > IPS from the navigation tree. The IPS Policies tab is displayed.
b.
2. Apply the IPS policy: a. Click the IPS Policy Applications tab. b. Click Add. c. Select Untrust as the source zone. d. Select Trust as the destination zone. e. Select the IPS policy ips_policy. f. Select Both as the protected zones. g. Click Apply. Figure 150 Applying the IPS policy Configuring antivirus 1. Create an antivirus policy: a. Select Advanced Security Prevention > AV from the navigation tree. The AV Policies tab is displayed. b. Click Add. c. Enter av_policy as the policy name. d.
Figure 151 Adding an antivirus policy 2. Apply the antivirus policy: a. Click the AV Policy Applications tab. b. Click Add. c. Select Untrust as the source zone. d. Select Trust as the destination zone. e. Select the antivirus policy av_policy. f. Select Both as the protected zones. g. Click Apply.
Figure 152 Applying the antivirus policy Configuring content monitoring 1. Create a content monitoring policy: a. Select Advanced Security Prevention > Content Monitoring from the navigation tree. The Content Monitoring Policies tab is displayed. b. Click Add. c. Enter content_policy as the policy name. d. In the IM Applications area, select the All box. e. Select Periodically from the effective time list, and then select the boxes before Monday through Friday. f. Click Apply.
Figure 153 Adding a content monitoring policy 2. Apply the content monitoring policy: a. Click the Content Monitoring Policy Applications tab. b. Click Add. c. Select Untrust as the source zone. d. Select Trust as the destination zone. e. Select the content monitoring policy content_policy. f. Select Both as the monitored zones. g. Click Apply.
Figure 154 Applying the content monitoring policy Configuring bandwidth management 1. Create a bandwidth management policy: a. Select Advanced Security Prevention > Bandwidth Management from the navigation tree. The Bandwidth Management Policies tab is displayed. b. Click Add. c. Enter bandwidth_policy as the policy name. d. Select Group Mode as the policy working mode. e. Click Add under the rule list to add a rule. f. Click the icon at the Service Name column of the added rule. g.
Figure 155 Adding a bandwidth management policy 2. Apply the bandwidth management policy: a. Click the Bandwidth Management Policy Applications tab. b. Click Add. c. Select Untrust as the source zone. d. Select Trust as the destination zone. e. Select the bandwidth management policy bandwidth_policy. f. Click Apply.
Configuring protocol audit 1. Configure the remote log host: a. Select Log Report > Syslog from the navigation tree. b. Enter the IP address of log host 1, 10.1.1.2. c. Click Apply. Figure 157 Configuring the remote log host 2. Configure the firewall to send protocol audit logs to the remote log host: a. Select Advanced Security Prevention > Protocol Audit from the navigation tree. The Protocol Audit Policies tab is displayed. b. Select the Send logs to remote log hosts box. c. Click Apply.
Figure 158 Sending protocol logs to the remote log host 3. Add a protocol audit policy: a. Click the Protocol Audit Policies tab. b. Click Add. c. Enter audit as the policy name. d. Clear the boxes before SMTP and POP3. e. Click Apply. Figure 159 Adding a protocol audit policy 4. Apply the protocol audit policy: a. Click the Protocol Audit Policy Applications tab. b. Click Add. c. Select Untrust as the source zone. d. Select Trust as the destination zone. e. Select the protocol audit policy audit. f.
Figure 160 Applying the protocol audit policy
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. [] Square brackets enclose syntax choices (keywords or arguments) that are optional. { x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.
Index
A
Advanced security prevention configuration example, 168
Antivirus, 137
ARP attack protection configuration task list, 48
B
Bandwidth management, 147
C
Configuration guidelines, 76
Configuration guidelines, 125
Config
D
Displaying and maintaining TCP attack protection, 64
E
Enabling protection against Naptha attacks, 64
Enabling source MAC consistency check for ND packets, 66
Enabling IDS collaboration, 125
Enabling the SYN Cookie feature, 63
I
IDS collaboration overview, 125
IPS, 132