Quidway ME60 Multiservice Control Gateway V100R006C05 Configuration Guide - Security Issue 05 Date 2010-09-25 HUAWEI TECHNOLOGIES CO., LTD.

Quidway ME60 Multiservice Control Gateway V100R006C05

Configuration Guide - Security

Issue 05

Date 2010-09-25

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 05 (2010-09-25) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

About This Document

Purpose

This document describes the security services supported by the ME60, including the basic knowledge, configuration procedures, and configuration examples. The document provides guidelines for configuring the firewall, NAT, traffic statistics and monitoring, attack defense, URPF, DPI, lawful interception, and user log. In addition, the document provides the glossary and the acronyms and abbreviations.

For more information about the configuration commands, refer to "Security Commands" in the Quidway ME60 Multiservice Control Gateway Command Reference.

Related Versions

The following table lists the product version related to this document.

Product Name Version

ME60 V100R006C05

Intended Audience

This document is intended for:

- Technical support engineers
- Maintenance engineers

Organization

This document is organized as follows.

Chapter Content

1 Security Overview This chapter provides basic knowledge about the security service, including threats to Internet security, network security overview, and implementation of network security.

2 Firewall Configuration This chapter describes the configuration of the firewall, including the security zone, ACL packet filtering, ASPF, blacklist, port mapping, and firewall log.

3 NAT Configuration This chapter describes the concept, fundamentals, configuration, and maintenance of NAT.

4 Traffic Statistics and Monitoring Configuration This chapter describes the fundamentals, configuration, and maintenance of traffic statistics and monitoring.

5 Attack Defense Configuration This chapter describes the fundamentals, configuration, and maintenance of attack defense.

6 IPSec Configuration This chapter describes the fundamentals, implementation, and configuration of IPSec.

7 IKE Configuration This chapter describes the fundamentals, implementation, and configuration of IKE.

8 URPF Configuration This chapter describes the fundamentals, implementation, and configuration of URPF.

9 DPI Configuration This chapter describes the fundamentals of DPI and how to configure network-side DPI and user-side DPI.

10 Lawful Interception Configuration This chapter describes the concept, process, and configuration of lawful interception.

11 User Log Configuration This chapter describes the concept and configuration of user logs.

12 ARP Security Configuration This chapter describes how to configure ARP security.

A Glossary This appendix provides the glossary of this document.

B Acronyms and Abbreviations This appendix lists the acronyms and abbreviations mentioned in this manual and provides their expansions.

Conventions

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol Description

DANGER Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP Indicates a tip that may help you solve a problem or save time.

NOTE Provides additional information to emphasize or supplement important points of the main text.

General Conventions

The general conventions that may be found in this document are defined as follows.

Convention Description

Times New Roman Normal paragraphs are in Times New Roman.

Boldface Names of files, directories, folders, and users are in boldface. For example, log in as user root.

Italic Book titles are in italics.

Courier New Examples of information displayed on the screen are in Courier New.

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[ ] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }* Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]* Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n> The parameter before the & sign can be repeated 1 to n times.

# A line starting with the # sign is a comment.

GUI Conventions

The GUI conventions that may be found in this document are defined as follows.

Convention Description

Boldface Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.

> Multi-level menus are in boldface and separated by the ">" sign. For example, choose File > Create > Folder.

Keyboard Operations

The keyboard operations that may be found in this document are defined as follows.

Format Description

Key Press the key. For example, press Enter and press Tab.

Key 1+Key 2 Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.

Key 1, Key 2 Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations

The mouse operations that may be found in this document are defined as follows.

Action Description

Click Select and release the primary mouse button without moving the pointer.

Double-click Press the primary mouse button twice continuously and quickly without moving the pointer.

Drag Press and hold the primary mouse button and move the pointer to a certain position.

Update History

Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous versions.

Updates in Issue 05 (2010-09-25)

Fifth commercial release. Bug fixes.

Updates in Issue 04 (2010-06-01)

Fourth commercial release. Bug fixes.

Updates in Issue 03 (2009-07-01)

Third commercial release. Bug fixes.

Updates in Issue 02 (2009-03-01)

Second commercial release. Bug fixes.

Updates in Issue 01 (2008-11-15)

Initial commercial release.


Contents

About This Document...................................................................................................................iii

1 Security Overview......................................................................................................................1-11.1 Introduction to Network Security....................................................................................................................1-2

1.1.1 Background............................................................................................................................................ 1-21.1.2 Network Security Service.......................................................................................................................1-2

1.2 Security Features of the ME60........................................................................................................................1-21.2.1 Firewall...................................................................................................................................................1-21.2.2 URPF......................................................................................................................................................1-31.2.3 DPI......................................................................................................................................................... 1-31.2.4 Lawful Interception................................................................................................................................1-31.2.5 User Log.................................................................................................................................................1-3

2 Firewall Configuration..............................................................................................................2-12.1 Introduction.....................................................................................................................................................2-2

2.1.1 Functions of Firewall............................................................................................................................. 2-22.1.2 Classification of Firewalls......................................................................................................................2-22.1.3 Terms Related to the Firewall................................................................................................................2-32.1.4 Firewall Functions of the ME60.............................................................................................................2-4

2.2 Configuring a Zone......................................................................................................................................... 2-62.2.1 Establishing the Configuration Task......................................................................................................2-62.2.2 (Optional) Configuring the VSU to Work as the SSU...........................................................................2-72.2.3 Creating a Zone......................................................................................................................................2-72.2.4 Configuring the Priority of a Zone.........................................................................................................2-72.2.5 Adding User Domains or Interfaces to the Zone....................................................................................2-82.2.6 Creating an Interzone.............................................................................................................................2-92.2.7 Enabling Firewall in the Interzone.........................................................................................................2-92.2.8 Checking the Configuration.................................................................................................................2-10

2.3 Setting the Aging Time of the Firewall Session Table.................................................................................2-102.3.1 Establishing the Configuration Task....................................................................................................2-102.3.2 (Optional) Setting the Aging Time of the Firewall Session Table.......................................................2-112.3.3 Checking the Configuration.................................................................................................................2-11

2.4 Configuring ACL-based Packet Filtering.....................................................................................................2-122.4.1 Establishing the Configuration Task....................................................................................................2-12

Quidway ME60 Multiservice Control GatewayConfiguration Guide - Security Contents

Issue 05 (2010-09-25) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

ix

2.4.2 Configuring ACL-based Packet Filtering in an Interzone....................................................................2-132.5 Configuring ASPF.........................................................................................................................................2-13

2.5.1 Establishing the Configuration Task....................................................................................................2-132.5.2 Configuring ASPF in the Interzone......................................................................................................2-142.5.3 Checking the Configuration.................................................................................................................2-14

2.6 Configuring the Blacklist..............................................................................................................................2-152.6.1 Establishing the Configuration Task....................................................................................................2-152.6.2 Enabling the Blacklist..........................................................................................................................2-162.6.3 (Optional) Adding a Blacklist Entry....................................................................................................2-162.6.4 (Optional) Configuring the Packet Filtering Type of the Blacklist......................................................2-17

2.7 Configuring Port Mapping............................................................................................................................2-172.7.1 Establishing the Configuration Task....................................................................................................2-172.7.2 Configuring Port Mapping...................................................................................................................2-18

2.8 Configuring P2P Traffic Control...................................................................................................................2-192.8.1 Establishing the Configuration Task....................................................................................................2-192.8.2 Enabling P2P Traffic Control...............................................................................................................2-202.8.3 Configuring the CAR Table.................................................................................................................2-202.8.4 Configuring P2P Traffic Control in an Interzone.................................................................................2-212.8.5 Configuring P2P Traffic Control Globally...........................................................................................2-222.8.6 Checking the Configuration.................................................................................................................2-22

2.9 Configuring Firewall Logs............................................................................................................................2-222.9.1 Establishing the Configuration Task....................................................................................................2-232.9.2 Enabling the Firewall Log....................................................................................................................2-232.9.3 Configuring a Session Log...................................................................................................................2-242.9.4 (Optional) Configuring Output Interval of Logs..................................................................................2-242.9.5 Checking the Configuration.................................................................................................................2-25

2.10 Configuration Examples..............................................................................................................................2-252.10.1 Example for Configuring ACL-based Packet Filtering......................................................................2-252.10.2 Example for Configuring ASPF and Port Mapping...........................................................................2-282.10.3 Example for Configuring the Blacklist..............................................................................................2-30

3 NAT Configuration....................................................................................................................3-13.1 Introduction.....................................................................................................................................................3-2

3.1.1 NAT Overview.......................................................................................................................................3-23.1.2 NAT Types.............................................................................................................................................3-33.1.3 Advantages and Disadvantages of NAT................................................................................................3-43.1.4 Many-to-Many NAT and Address Pool.................................................................................................3-43.1.5 Internal Server........................................................................................................................................3-53.1.6 References..............................................................................................................................................3-5

3.2 Configuring NAT............................................................................................................................................3-53.2.1 Establishing the Configuration Task......................................................................................................3-63.2.2 (Optional) Configuring the VSU to Work as the SSU...........................................................................3-63.2.3 Configuring the NAT Address Pool.......................................................................................................3-7

ContentsQuidway ME60 Multiservice Control Gateway

Configuration Guide - Security

x Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 05 (2010-09-25)

3.2.4 Configuring NAT in an Interzone..........................................................................................................3-73.2.5 (Optional) Configuring the Internal NAT Server...................................................................................3-83.2.6 Checking the Configuration...................................................................................................................3-9

3.3 Configuration Examples..................................................................................................................................3-93.3.1 Example for Configuring NAT..............................................................................................................3-9

4 Traffic Statistics and Monitoring Configuration.................................................................4-14.1 Introduction.....................................................................................................................................................4-24.2 Configuring Traffic Statistics and Monitoring................................................................................................4-2

4.2.1 Establishing the Configuration Task......................................................................................................4-34.2.2 (Optional) Configuring the VSU to Work as the SSU...........................................................................4-34.2.3 (Optional) Configuring the Default Master SSU................................................................................... 4-44.2.4 Enabling Traffic Statistics and Monitoring............................................................................................4-44.2.5 Setting the Session Threshold................................................................................................................4-54.2.6 Checking the Configuration...................................................................................................................4-5

4.3 Configuring Zone-based Traffic Statistics and Monitoring............................................................................4-54.3.1 Establishing the Configuration Task......................................................................................................4-64.3.2 Enabling Traffic Statistics and Monitoring in a Zone............................................................................4-64.3.3 Setting the Session Threshold................................................................................................................4-74.3.4 Checking the Configuration...................................................................................................................4-7

4.4 Configuring IP Address-based Traffic Statistics and Monitoring...................................................................4-84.4.1 Establishing the Configuration Task......................................................................................................4-84.4.2 Enabling IP Address-based Traffic Statistics and Monitoring...............................................................4-84.4.3 Setting the Session Threshold................................................................................................................4-9

4.5 Configuration Examples................................................................................................................................4-104.5.1 Example for Configuring System-Level Traffic Statistics and Monitoring.........................................4-104.5.2 Example for Configuring Zone-based Traffic Statistics and Monitoring............................................4-114.5.3 Example for Configuring IP Address-based Traffic Statistics and Monitoring...................................4-13

5 Attack Defense Configuration.................................................................................................5-15.1 Introduction.....................................................................................................................................................5-2

5.1.1 Type of Network Attacks.......................................................................................................................5-25.1.2 Typical Attacks...................................................................................................................................... 5-2

5.2 Configuring Attack Defense............................................................................................................................5-55.2.1 Establishing the Configuration Task......................................................................................................5-55.2.2 (Optional) Configuring the VSU to Work as the SSU...........................................................................5-65.2.3 Enabling Attack Defense........................................................................................................................5-65.2.4 Configuring Flood Attack Defense........................................................................................................5-85.2.5 (Optional) Configuring Scanning Attack Defense.................................................................................5-95.2.6 (Optional) Configuring Large ICMP Packet Attack Defense..............................................................5-105.2.7 Checking the Configuration.................................................................................................................5-10

5.3 Configuration Examples................................................................................................................................5-105.3.1 Example for Configuring Land Attack Defense...................................................................................5-115.3.2 Example for Configuring SYN Flood Attack Defense........................................................................5-13

Quidway ME60 Multiservice Control GatewayConfiguration Guide - Security Contents

Issue 05 (2010-09-25) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

xi

5.3.3 Example for Configuring IP Address Sweeping Attack Defense........................................................5-15

6 IPSec Configuration...................................................................................................................6-16.1 Introduction.....................................................................................................................................................6-2

6.1.1 Overview of IPSec.................................................................................................................................6-26.1.2 Terms Related to IPSec..........................................................................................................................6-26.1.3 IPSec Features Supported by the ME60.................................................................................................6-5

6.2 Defining Data Flows to Be Protected..............................................................................................................6-66.2.1 Establishing the Configuration Task......................................................................................................6-66.2.2 Defining Data Flows to Be Protected.....................................................................................................6-7

6.3 Configuring an IPSec Proposal.......................................................................................................................6-86.3.1 Establishing the Configuration Task......................................................................................................6-86.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal View......................................................6-96.3.3 Configuring the IPSec Protocol..............................................................................................................6-96.3.4 Configuring the Authentication Algorithm..........................................................................................6-106.3.5 Configuring the Encryption Algorithm................................................................................................6-116.3.6 Configuring the Encapsulation Mode..................................................................................................6-116.3.7 Checking the Configuration.................................................................................................................6-12

6.4 Configuring an IPSec Policy.........................................................................................................................6-126.4.1 Establishing the Configuration Task....................................................................................................6-136.4.2 Creating an IPSec Policy and Entering the IPSec Policy View...........................................................6-136.4.3 Configuring the ACL Used in the IPSec Policy...................................................................................6-146.4.4 Applying the IPSec Proposal to the IPSec Policy................................................................................6-146.4.5 Configuring the SA Duration...............................................................................................................6-156.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)..........................6-166.4.7 Configuring the SPI for an SA (for Manual Mode).............................................................................6-166.4.8 Configuring Key for an SA (for Manual Mode)..................................................................................6-176.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode).....................................6-186.4.10 Configuring the PFS Feature Used in the IKE Negotiation...............................................................6-186.4.11 Configuring the Global SA Duration.................................................................................................6-196.4.12 Checking the Configuration...............................................................................................................6-19

6.5 Configuring IPSec Policies by Using the IPSec Policy Template................................................................6-206.5.1 Establishing the Configuration Task....................................................................................................6-206.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View...........................6-216.5.3 Configuring the ACL Used in the IPSec Policy Template...................................................................6-226.5.4 Applying the IPSec Proposal to the IPSec Policy Template................................................................6-226.5.5 Configuring the SA Duration...............................................................................................................6-226.5.6 Configuring the IKE Peer for the IPSec Policy Template....................................................................6-236.5.7 Configuring the PFS Feature Used in the IKE Negotiation.................................................................6-236.5.8 Configuring the Global SA Duration...................................................................................................6-246.5.9 Applying the IPSec Policy Template...................................................................................................6-246.5.10 Checking the Configuration...............................................................................................................6-25

6.6 Applying an IPSec Policy or an IPSec Policy Group to an Interface ..... 6-25
6.6.1 Establishing the Configuration Task ..... 6-25
6.6.2 Configuring the IPSec Behavior in the Traffic Policy ..... 6-26
6.6.3 Applying an IPSec Policy or an IPSec Policy Group to an Interface ..... 6-26

6.7 Maintaining IPSec ..... 6-27
6.7.1 Clearing IPSec Packet Statistics ..... 6-27
6.7.2 Debugging IPSec ..... 6-28

6.8 Configuration Examples ..... 6-28
6.8.1 Example for Establishing an SA Manually ..... 6-28

7 IKE Configuration ..... 7-1
7.1 Introduction ..... 7-2
7.1.1 Overview of IKE ..... 7-2
7.1.2 NAT Traversal in IPSec ..... 7-4
7.1.3 IKE Features of the ME60 ..... 7-4

7.2 Setting the Local ID Used in IKE Negotiation ..... 7-5
7.2.1 Establishing the Configuration Task ..... 7-5
7.2.2 Setting the Local ID Used in IKE Negotiation ..... 7-5

7.3 Configuring an IKE Security Proposal ..... 7-6
7.3.1 Establishing the Configuration Task ..... 7-6
7.3.2 Creating the IKE Security Proposal and Entering the IKE Security Proposal View ..... 7-7
7.3.3 Specifying an Encryption Algorithm ..... 7-7
7.3.4 Specifying an Authentication Method ..... 7-8
7.3.5 Configuring the Authentication Algorithm ..... 7-8
7.3.6 Specifying a DF Group ..... 7-9
7.3.7 Configuring the Duration of ISAKMP SA ..... 7-9
7.3.8 Checking the Configuration ..... 7-10

7.4 Configuring Attributes of the IKE Peer ..... 7-10
7.4.1 Establishing the Configuration Task ..... 7-11
7.4.2 Creating an IKE Peer and Entering the IKE Peer View ..... 7-11
7.4.3 Configuring the IKE Negotiation Mode ..... 7-12
7.4.4 Configuring the IKE Security Proposal ..... 7-12
7.4.5 Configuring the Local ID Type ..... 7-13
7.4.6 Configuring NAT Traversal in IPSec ..... 7-13
7.4.7 Configuring the Identity Authenticator ..... 7-14
7.4.8 Configuring the Peer IP Address or Address Segment ..... 7-14
7.4.9 Configuring the Peer Name ..... 7-15
7.4.10 Checking the Configuration ..... 7-15

7.5 Tuning the IKE Configuration ..... 7-15
7.5.1 Establishing the Configuration Task ..... 7-16
7.5.2 Setting the Interval of Keepalive Packets ..... 7-16
7.5.3 Setting the Timeout Time of Keepalive Packets ..... 7-17
7.5.4 Setting the Interval of NAT Update Packets ..... 7-17

7.6 Maintaining IKE ..... 7-18
7.6.1 Displaying the IKE Configuration ..... 7-18
7.6.2 Clearing the Security Tunnel ..... 7-18
7.6.3 Debugging IKE ..... 7-19

7.7 Configuration Examples ..... 7-19
7.7.1 Example for Establishing an SA Through IKE Negotiation ..... 7-19

8 URPF Configuration ..... 8-1
8.1 Introduction ..... 8-2
8.1.1 Overview of URPF ..... 8-2
8.1.2 URPF Features of the ME60 ..... 8-4

8.2 Configuring URPF ..... 8-5
8.2.1 Establishing the Configuration Task ..... 8-5
8.2.2 Enabling URPF on an Interface ..... 8-5
8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets ..... 8-6

8.3 Configuration Examples ..... 8-7
8.3.1 Example for Configuring URPF ..... 8-7

9 DPI Configuration ..... 9-1
9.1 Introduction ..... 9-2
9.1.1 Overview of DPI ..... 9-2
9.1.2 DPI Functions Supported by the ME60 ..... 9-4

9.2 Configuring Basic DPI Functions ..... 9-4
9.2.1 Establishing the Configuration Task ..... 9-4
9.2.2 (Optional) Configuring the VSU to Work as the DPI Board ..... 9-5
9.2.3 (Optional) Configuring the MAC Address of the DPI Board ..... 9-6
9.2.4 Configuring the Packet Inspection Mode ..... 9-6
9.2.5 (Optional) Configuring the PTS ..... 9-7
9.2.6 Checking the Configuration ..... 9-7

9.3 Configuring Network-side DPI ..... 9-8
9.3.1 Establishing the Configuration Task ..... 9-9
9.3.2 Creating a DPI Policy ..... 9-9
9.3.3 Configuring the DPI Policy ..... 9-10
9.3.4 Configuring a Global DPI Policy Group ..... 9-10
9.3.5 Configuring a DPI Traffic Policy ..... 9-11
9.3.6 Applying the Traffic Policy to the Network Side ..... 9-13
9.3.7 Checking the Configuration ..... 9-13

9.4 Configuring User-side DPI ..... 9-14
9.4.1 Establishing the Configuration Task ..... 9-14
9.4.2 Creating and Configuring a DPI Policy ..... 9-15
9.4.3 Configuring a Common DPI Policy Group ..... 9-15
9.4.4 Applying the User-side DPI Policy to the Domain ..... 9-16
9.4.5 (Optional) Enabling DPI on a BAS Interface ..... 9-16
9.4.6 (Optional) Configuring the Restriction Policy ..... 9-17
9.4.7 Checking the Configuration ..... 9-18

9.5 Configuration Examples ..... 9-18
9.5.1 Example for Configuring the DPI Function ..... 9-19

10 Lawful Interception Configuration ..... 10-1
10.1 Introduction ..... 10-2
10.1.1 Concept of Lawful Interception ..... 10-2
10.1.2 Principle of Lawful Interception ..... 10-2
10.1.3 Role of the ME60 in Lawful Interception ..... 10-6

10.2 Configuring Lawful Interception ..... 10-7
10.2.1 Establishing the Configuration Task ..... 10-7
10.2.2 Configuring the IP Address of the X3 Interface ..... 10-7
10.2.3 Configuring the Type and Port Number of the X3 Interface ..... 10-8
10.2.4 Enabling Lawful Interception ..... 10-9
10.2.5 Checking the Configuration ..... 10-9

10.3 Configuration Examples ..... 10-10
10.3.1 Example for Configuring Lawful Interception ..... 10-10

11 User Log Configuration ..... 11-1
11.1 Introduction ..... 11-2
11.2 Configuring the User Log ..... 11-2
11.2.1 Establishing the Configuration Task ..... 11-2
11.2.2 Configuring the User Log Host ..... 11-2
11.2.3 Configuring the Version of User Log Packets ..... 11-3
11.2.4 Enabling the User Log Function ..... 11-4
11.2.5 Applying the User Log ..... 11-4
11.2.6 Checking the Configuration ..... 11-5
11.3 Debugging the User Log ..... 11-5
11.4 Configuration Examples ..... 11-5
11.4.1 Example for Configuring the User Log ..... 11-5

12 ARP Security Configuration ..... 12-1
12.1 Overview to ARP Security ..... 12-2
12.1.1 Introduction to ARP Security ..... 12-2
12.1.2 ARP Security Supported by the ME60 ..... 12-3

12.2 Preventing Attacks on ARP Entries ..... 12-3
12.2.1 Establishing the Configuration Task ..... 12-4
12.2.2 Configuring Global Strict ARP Entry Learning ..... 12-4
12.2.3 Configuring Strict ARP Entry Learning on Interfaces ..... 12-5
12.2.4 Configuring Speed Limit for ARP Packets ..... 12-6
12.2.5 Configuring Interface-based ARP Entry Restriction ..... 12-6
12.2.6 Enabling Alarm Functions for Potential Attack Behaviors ..... 12-7
12.2.7 Checking the Configuration ..... 12-7

12.3 Preventing Scanning Attacks ..... 12-8
12.3.1 Establishing the Configuration Task ..... 12-8
12.3.2 Configuring Speed Limit for ARP Miss Packets ..... 12-9
12.3.3 Enabling Alarm Functions for Potential Attack Behaviors ..... 12-9
12.3.4 Checking the Configuration ..... 12-9

12.4 Maintaining the ARP Security ..... 12-10
12.4.1 Displaying Statistics About ARP Packets ..... 12-10
12.4.2 Clearing Statistics About ARP Packets ..... 12-11
12.4.3 Debugging ARP Packets ..... 12-11

12.5 Configuration Examples ..... 12-11
12.5.1 Example for Preventing Attacks on ARP Entries ..... 12-12
12.5.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks ..... 12-14

A Glossary ..... A-1

B Acronyms and Abbreviations ..... B-1

Figures

Figure 2-1 Networking of ACL-based packet filtering ..... 2-26
Figure 2-2 Networking of ASPF and port mapping ..... 2-28
Figure 2-3 Networking of blacklist configuration ..... 2-31
Figure 3-1 Schematic diagram of NAT ..... 3-3
Figure 3-2 Schematic diagram of PAT ..... 3-4
Figure 3-3 Networking of NAT ..... 3-10
Figure 4-1 Limiting the number of sessions initiated by external server ..... 4-2
Figure 4-2 Networking of system-level traffic statistics and monitoring ..... 4-10
Figure 4-3 Networking of zone-based traffic statistics and monitoring ..... 4-12
Figure 4-4 Networking of IP address-based traffic statistics and monitoring ..... 4-14
Figure 5-1 Networking of Land attack defense ..... 5-11
Figure 5-2 Networking of SYN Flood attack defense ..... 5-13
Figure 5-3 Networking of IP address sweeping attack defense ..... 5-15
Figure 6-1 Packets format in transport mode ..... 6-3
Figure 6-2 Packets format in tunnel mode ..... 6-4
Figure 6-3 Networking of IPSec configuration ..... 6-29
Figure 7-1 Process of setting up an SA ..... 7-3
Figure 7-2 Networking of IKE configuration ..... 7-20
Figure 8-1 Schematic diagram of the source address spoofing attack ..... 8-2
Figure 8-2 URPF applied on a single-homed client ..... 8-3
Figure 8-3 URPF applied on a multi-homed client ..... 8-3
Figure 8-4 URPF applied on a multi-homed client with multiple ISPs ..... 8-4
Figure 8-5 Networking of URPF configuration ..... 8-7
Figure 9-1 Comparison between DPI and the common packet analysis ..... 9-2
Figure 9-2 Networking of DPI application ..... 9-3
Figure 9-3 Networking for DPI configuration ..... 9-19
Figure 10-1 Scenario for lawful interception ..... 10-3
Figure 10-2 Process of lawful interception ..... 10-5
Figure 10-3 Networking of lawful interception ..... 10-10
Figure 11-1 Networking for configuring the user log ..... 11-6
Figure 12-1 ARP buffer overflow attacks ..... 12-2
Figure 12-2 ARP DoS attacks ..... 12-3
Figure 12-3 Networking diagram of preventing attacks on ARP entries ..... 12-12
Figure 12-4 Network diagram of preventing attacks on ARP entries and scanning attacks ..... 12-14


Tables

Table 10-1 Description of interfaces for lawful interception ..... 10-4
Table 11-1 Difference between the two versions of the user log packets ..... 11-3


1 Security Overview

About This Chapter

This chapter provides basic knowledge about the security service, including threats to Internet security, network security overview, and implementation of network security.

1.1 Introduction to Network Security

This section describes the background and concept of network security.

1.2 Security Features of the ME60

This section describes the security features supported by the ME60.


1.1 Introduction to Network Security

This section describes the background and concept of network security.

1.1.1 Background

1.1.2 Network Security Service

1.1.1 Background

With the rapid development of the Internet, more enterprises use Internet services for development. The Internet is, however, an open network, so confidential information and resources of enterprises face malicious threats and attacks. Various measures must be taken to minimize the risks.

1.1.2 Network Security Service

Network security service is the measure taken against security threats to protect network security.

Network security service is an integrated technology that enables the security of the following:

- Intranet (against illegal access)
- Data exchange between internal and external networks

1.2 Security Features of the ME60

This section describes the security features supported by the ME60.

1.2.1 Firewall

1.2.2 URPF

1.2.3 DPI

1.2.4 Lawful Interception

1.2.5 User Log

1.2.1 Firewall

The firewall is introduced to avoid security risks in network transmission and to prevent external attacks. The firewall supports the following features:

- Packet filtering
- ASPF
- Blacklist
- Port mapping
- P2P traffic control
- Attack defense
- NAT
- Traffic statistics and monitoring
- Firewall log

1.2.2 URPF

Unicast reverse path forwarding (URPF) is used to prevent attacks of IP address spoofing.

The ME60 can perform loose URPF check or strict URPF check for all IP packets on an interface.
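The difference between the two check modes is easiest to see on a concrete routing table. The simulation below is an added example and is not ME60 code: the FIB entries, interface names and packets are constructed sample data, and the allow_default option (whether a match on the 0.0.0.0/0 route counts as a reverse route) is an assumption about behaviour this page does not specify. Strict mode requires that the best route back to the source leaves through the interface the packet arrived on; loose mode only requires that some route to the source exists.

```python
"""Loose versus strict URPF check, simulated in Python.

Added example, not ME60 code: the routing table (FIB), interface names and
packets are constructed sample data, and allow_default is an assumption
about how a default route is treated, not something this page states.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB: (prefix, egress interface). Longest prefix match applies.
FIB: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "GE1/0/0"),
    ("10.1.5.0/24", "GE2/0/0"),      # more specific route, different interface
    ("192.168.0.0/24", "GE3/0/0"),
    ("0.0.0.0/0", "GE4/0/0"),        # default route
]


def lookup(fib: List[Tuple[str, str]], addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match for addr; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib: List[Tuple[str, str]], src: str, in_iface: str,
               mode: str = "strict", allow_default: bool = False) -> bool:
    """Return True if a packet with source src arriving on in_iface passes URPF.

    strict: a route to src must exist and its egress interface must be in_iface,
            i.e. the reverse path must lead back out the ingress interface.
    loose:  any route to src suffices, whatever interface it points to.
    allow_default (assumption): whether a match on the 0.0.0.0/0 route counts.
    """
    match = lookup(fib, src)
    if match is None:
        return False                     # no reverse route at all
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                     # only the default route covers src
    if mode == "loose":
        return True
    if mode == "strict":
        return iface == in_iface
    raise ValueError(f"unknown URPF mode {mode!r}")


def run_samples() -> Dict[str, Dict[str, bool]]:
    """Constructed packets (source, ingress interface) evaluated under each mode."""
    packets = {
        "symmetric":  ("10.1.5.7", "GE2/0/0"),     # best route points back out GE2/0/0
        "asymmetric": ("10.1.5.7", "GE1/0/0"),     # valid source, arrives on another link
        "aggregate":  ("10.1.7.1", "GE1/0/0"),     # covered by 10.1.0.0/16 via GE1/0/0
        "default":    ("203.0.113.5", "GE1/0/0"),  # reachable only via the default route
    }
    return {
        name: {
            "strict": urpf_check(FIB, src, iface, "strict"),
            "loose": urpf_check(FIB, src, iface, "loose"),
            "loose_default": urpf_check(FIB, src, iface, "loose", allow_default=True),
        }
        for name, (src, iface) in packets.items()
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:11s} {result}")
```

The "asymmetric" sample is the case that decides which mode to deploy: a legitimate source whose return route uses a different link fails strict mode and passes loose mode, which is why strict URPF suits single-homed access links and loose URPF suits links where routing may be asymmetric.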

1.2.3 DPI

Deep packet inspection (DPI) analyzes the application layer of the packet to identify services and applications. DPI provides the policies for network control and management.

1.2.4 Lawful Interception

Lawful interception is a law enforcement behavior carried out to monitor the communications service on the public communications network, according to the related law and the norm for the public communications network.

The ME60 functions as the network equipment of the carrier to implement lawful interception. The X3 interface of the ME60 sends the content of communication (CC) to the lawful interception gateway (LIG). The X1 interface of the ME60 obtains information sent by the LIG, for example, information about the intercepted object.

1.2.5 User Log

Most countries have specific requirements for information security. An ISP must have the capability of recording activities of users, such as login, logout, and access to network resources.

The ME60 provides user logs to record information about user login and logout so that carriers and security agents can manage and monitor users.


2 Firewall Configuration

About This Chapter

This chapter describes the configuration of the firewall, including the security zone, ACL packet filtering, ASPF, blacklist, port mapping, and firewall log.

2.1 Introduction
This section describes the concept and fundamentals of the firewall.

2.2 Configuring a Zone
This section describes how to configure the firewall and partition the network.

2.3 Setting the Aging Time of the Firewall Session Table
This section describes how to set the aging time of the firewall session table.

2.4 Configuring ACL-based Packet Filtering
This section describes how to filter data packets through the ACL.

2.5 Configuring ASPF
This section describes how to configure the ME60 to check the application layer information about data flows to filter data packets.

2.6 Configuring the Blacklist
This section describes how to configure the blacklist to filter out data packets from attackers.

2.7 Configuring Port Mapping
This section describes how to configure the port mapping function so that the firewall can identify the packets of the application-layer protocols that use non-well-known port numbers.

2.8 Configuring P2P Traffic Control
This section describes how to limit bandwidth of P2P sessions.

2.9 Configuring Firewall Logs
This section describes how to configure firewall logs.

2.10 Configuration Examples
This section provides several configuration examples of the firewall.


2.1 Introduction

This section describes the concept and fundamentals of the firewall.

The concept of firewall originates from architecture. In a building, a firewall is used to preventfire from spreading.

In communication networks, the firewall has similar function. A firewall is a system or a groupof systems that execute access control policies. A firewall monitors the channel between theinternal network, which is reliable, and the external networks, which are unreliable. Thus, therisks in external networks cannot affect the internal network.

2.1.1 Functions of Firewall

2.1.2 Classification of Firewalls

2.1.3 Terms Related to the Firewall

2.1.4 Firewall Functions of the ME60

2.1.1 Functions of Firewall

A firewall is used at the ingress of a protected area. The firewall protects the network based on ACL policies. The firewall provides the following functions:

- Controlling the access to the protected site, including users and information
- Preventing attackers from accessing other security devices
- Controlling the output from the protected site, including users and information

When the firewall resides between an internal network and an external network, it protects the internal network against illegal access, such as unauthorized and unauthenticated access, and malicious attacks.

When the firewall resides at the ingress of important resources (such as key servers and secret databases) in an internal network, it prevents certain users from accessing the resources, even if the users are in the internal network.

The firewall can also function as a gateway that controls the access right to the Internet. For example, the firewall allows certain users in the internal network to access the Internet after the users are authenticated.

2.1.2 Classification of Firewalls

Firewalls are classified into the following types: packet filtering firewall, proxy firewall, and stateful firewall.

Packet Filtering Firewall

A packet filtering firewall checks the packets at the network layer, and then forwards or discards the packets according to the security policy. The packet filtering firewall filters packets by using the access control list (ACL). Packets are filtered based on the quintuple (source and destination IP addresses, source and destination port numbers, and IP protocol number), IP flag, and delivery direction.


The packet filtering firewall is simple, easy to use, and economical, but it has the following disadvantages:

- As the complexity and length of the ACL increase, the filtering performance degrades exponentially.
- The static ACL rules cannot meet the dynamic security requirements.
- The packet filtering firewall does not check the state of a session or analyze data and hence, the network is subject to IP address spoofing.

Proxy Firewall

A proxy firewall works at the application layer and takes over the services between the internal network and the external network. The proxy firewall checks the requests of users. If the authentication is successful, the firewall connects to a genuine server and forwards the request. The firewall then forwards the response of the server to the user.

The proxy firewall can completely control the exchange of network information and the session process and hence, it provides high security. The proxy firewall, however, has the following disadvantages:

- The processing speed is low because of software limitation, and the proxy firewall is subject to the denial of service (DoS) attack.
- The upgrade is difficult because an application proxy is required for each protocol.

NOTE

The ME60 can function as the proxy firewall for only the SYN packets of TCP.

Stateful Firewall

A stateful firewall is an extension to the packet filtering firewall. The stateful firewall not only treats each data packet as an independent unit in the ACL check and filtering, but also considers the association of the packets.

The stateful firewall monitors the TCP/UDP sessions by using various state tables. The ACL then determines the sessions that can be established. Only the data packets associated with the permitted sessions are forwarded. The stateful firewall also analyzes the application layer state of the data packets in the TCP/UDP sessions, and filters out unqualified data packets.

The stateful firewall has a high processing speed and ensures high security because it combines the advantages of the packet filtering firewall and the proxy firewall.

The ME60 supports the packet filtering firewall and the stateful firewall.

2.1.3 Terms Related to the Firewall

Security Zone

The security zone, also referred to as a zone, is a basic concept of the firewall. All the security policies are enforced based on the zones.

A security zone consists of one or more interfaces or user domains. The interfaces and users in a zone have the same security attributes. The security priority of a zone is globally unique. That is, the priorities of any two zones are different.


The ME60 considers the data delivery within a zone reliable, and therefore it does not enforce any security policy on it. The firewall checks the data and enforces the security policies only when the data flows from one zone to another.

Security Interzone

Any two zones can form an interzone, which has an independent interzone view. Most firewall configurations are performed in the interzone view.

Assume that there are two zones, namely, zone1 and zone2. In the interzone view, ACL packet filtering can be configured. The ACL packet filtering policy is then enforced on the data delivered between zone1 and zone2.

Direction

In an interzone, data is delivered in a certain direction: inbound or outbound.

- Inbound: indicates that data flows from a zone with lower priority to a zone with higher priority.
- Outbound: indicates that data flows from a zone with higher priority to a zone with lower priority.

2.1.4 Firewall Functions of the ME60

The ME60 supports the following firewall functions: ACL-based packet filtering, application specific packet filtering (ASPF), blacklist, port mapping, NAT, traffic statistics and monitoring, and attack defense.

This chapter describes only the functions of ACL-based packet filtering, ASPF, blacklist, P2P traffic control, and firewall logs. The other features are described in the following chapters:

- Chapter 3 "NAT Configuration"
- Chapter 4 "Traffic Statistics and Monitoring Configuration"
- Chapter 5 "Attack Defense Configuration"

ACL-based Packet Filtering

ACL-based packet filtering is used to analyze the quintuple of packets to be forwarded. The ME60 compares the packet information with the ACL rules and determines whether to forward or discard the packets.

In addition, the ME60 can filter the fragmented IP packets. Thus the attacker cannot attack the network by using a non-first fragment packet.

ASPF

ASPF is applied to the application layer, namely, the status-based packet filtering. ASPF detects the application-layer sessions that attempt to pass the firewall, and denies unnecessary packets.

The ACL-based packet filtering firewall detects packets at the network and transport layers. The ASPF function and the common packet filtering firewall can be used together. Thus, the ME60 can enforce the security policies on an internal network.

The ME60 can apply ASPF depending on the application layer protocols such as the File Transfer Protocol (FTP), H.323, Hyper Text Transport Protocol (HTTP), Huawei Conference Control Protocol (HWCC), Internet Location Service (ILS), Network Basic Input/Output System (NetBIOS), and Real Time Streaming Protocol (RTSP).

Blacklist

A blacklist filters packets based on the source IP address. Compared with the ACL, the matching fields used in the blacklist are simple and hence the packets can be filtered at a higher speed. The packets from certain IP addresses can be filtered out.

The firewall can add IP addresses to the blacklist dynamically. By judging the packet behaviors, the firewall detects an attack from an IP address. The firewall adds the IP address of the attacker to the blacklist so that packets from the attacker can be filtered out and discarded.

Port Mapping

Application layer protocols use the well-known ports for communication. Port mapping allows you to define a set of port numbers for different applications. You can also specify the hosts that can use the non-well-known ports.

Port mapping is meaningful only when it is used with service-sensitive features such as ASPF and NAT. For example, the internal FTP server 10.10.10.10 in the private network of an enterprise provides the FTP service through port 2121. Users can use only 2121 as the port number to access the FTP server through the NAT server. By default, port 21 is used for FTP packets, so the NAT server cannot identify the FTP packets that use port 2121. In this case, you need to map port 2121 to the FTP protocol. After port mapping, the NAT server can identify the FTP packets that use port 2121 and send the FTP packets to the FTP server. In this way, users can access the FTP server.

P2P Traffic Control

Common point-to-point (P2P) applications, such as BitTorrent (BT), eMule, and eDonkey, usually occupy a great amount of bandwidth and lead to a bandwidth shortage. Therefore, bandwidth must be controlled for the P2P applications.

The firewall of the ME60 can identify the packets from a P2P application by the characteristic string in the packets and controls the bandwidth assigned to a P2P session. In this manner, the ME60 ensures the provisioning of other services.

Firewall Log

The firewall records the behaviors and states of the firewall in real time. For example, the measures taken against IP address spoofing and the detection of malicious attacks are recorded in the firewall log.

The firewall logs are categorized into the following types:

- Session log, which is sent to the log server in real time
- Blacklist log, which is sent to the information center in real time
- Defense log and statistics log, which are sent to the information center periodically

These logs help you find out the security hole, detect the attempts to violate the security policies, and learn the type of a network attack. The real-time log is also used to detect an intrusion that is underway.


2.2 Configuring a Zone
This section describes how to configure the firewall and partition the network.

2.2.1 Establishing the Configuration Task

2.2.2 (Optional) Configuring the VSU to Work as the SSU

2.2.3 Creating a Zone

2.2.4 Configuring the Priority of a Zone

2.2.5 Adding User Domains or Interfaces to the Zone

2.2.6 Creating an Interzone

2.2.7 Enabling Firewall in the Interzone

2.2.8 Checking the Configuration

2.2.1 Establishing the Configuration Task

Applicable Environment

Before configuring the firewall, you need to configure the zones. You can then configure the firewall based on zones or interzones.

NOTE

- The ME60 implements firewall features after the Versatile Service Unit (VSU) is configured to work as the Security Service Unit (SSU). Therefore, you need to install the VSU before configuring the firewall. For the functions of the VSU in SSU mode, refer to the Quidway ME60 Multiservice Control Gateway Product Description.
- You can run the set lpu-work-mode { dpi | sbc | ssu | tsu } slot slot-id command to implement different service functions.
- In this manual, the VSU operating in SSU mode is called the SSU.

Pre-configuration Task

Before configuring a zone, complete the following tasks:

- Installing the VSU
- Configuring the user domains or interfaces that you need to add to the zone

Data Preparation

To configure a zone, you need the following data.

No. | Data
1 | Name of the zone
2 | Priority of the zone
3 | User domains or interfaces to be added to the zone


2.2.2 (Optional) Configuring the VSU to Work as the SSU

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

set lpu-work-mode ssu slot slot-id

The operation mode of the VSU is set to SSU.

NOTE

- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure the operation mode again.

----End

2.2.3 Creating a Zone

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall zone zone-name

A zone is created.

Up to 128 zones can be configured on the ME60. No default zone exists.

----End

2.2.4 Configuring the Priority of a Zone

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall zone zone-name

The zone view is displayed.

Step 3 Run:

priority security-priority

The priority of the zone is set.

The priority must be configured; otherwise, other configurations cannot be performed. The priority of a zone ranges from 1 to 200 and is globally unique.

----End

2.2.5 Adding User Domains or Interfaces to the Zone

Context

NOTE

- A user domain or an interface can be added to only one zone. If a user domain or an interface is added to multiple zones, the last zone takes effect.
- When layer-3 leased line users connect to the ME60 through a layer-3 device (for example, a router), the ME60 can implement the firewall function only by adding interfaces to zones.

You can add a user domain and an interface to the same zone. That is, a zone can consist of user domains and interfaces.

Procedure

- Adding a user domain to the zone

1. Run:

system-view

The system view is displayed.

2. Run:

aaa

The AAA view is displayed.

3. Run:

domain domain-name

The domain view is displayed.

4. Run:

zone zone-name

The domain is added to the zone.

- Adding an interface to the zone

1. Run:

system-view

The system view is displayed.

2. Run:

interface interface-type interface-number

The interface view is displayed.

3. Run:

zone zone-name

The interface is added to the zone.

4. Run:

shutdown

The interface is disabled.

5. Run:

undo shutdown

The interface is enabled.

NOTE

After adding an interface to a zone, you must run the shutdown command to disable the interface first, and then run the undo shutdown command to re-enable the interface. Thus, the configuration takes effect.

----End

2.2.6 Creating an Interzone

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall interzone zone-name1 zone-name2

An interzone is created.

You need to specify two existing zones in the interzone.

----End

2.2.7 Enabling Firewall in the Interzone

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:

firewall enable

The firewall is enabled.

----End

2.2.8 Checking the Configuration

Run the following commands to check the previous configuration.

Action | Command
Check the configuration of the interzone. | display firewall interzone [ zone-name1 zone-name2 ]
Check the configuration of the zone. | display firewall zone [ zone-name ] [ domain | interface | priority ]
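The whole zone partition of 2.2.3 to 2.2.8 in one sequence, as an added example that is not part of the original guide. The zone names trust and untrust, the priorities, the domain name isp1 and the interface GigabitEthernet 1/0/0 are assumed; quit (leave the current view) is assumed from the VRP CLI, and lines starting with # are annotations, not commands.

```text
system-view
# Two zones: "trust" for the enterprise side, "untrust" for the Internet side
# (names assumed). Priorities are unique in 1..200; the higher value is the
# more trusted side, and no other configuration in a zone is accepted before
# the priority is set.
firewall zone trust
 priority 100
 quit
firewall zone untrust
 priority 10
 quit
# A user domain (name "isp1" assumed) joins the trust zone through the AAA view.
# A domain or interface can belong to only one zone; a later "zone" command
# silently moves it, so check membership with display afterwards.
aaa
 domain isp1
  zone trust
  quit
 quit
# The upstream interface (name assumed) joins the untrust zone. The
# shutdown / undo shutdown pair is what makes the membership take effect.
interface gigabitethernet 1/0/0
 zone untrust
 shutdown
 undo shutdown
 quit
# The interzone is where policies are applied later. Nothing is checked until
# firewall enable is run in it. Flows from untrust (10) to trust (100) are the
# inbound direction; flows from trust to untrust are outbound.
firewall interzone trust untrust
 firewall enable
 quit
# Verify priorities, membership and the interzone.
display firewall zone trust priority
display firewall zone untrust interface
display firewall interzone trust untrust
```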

2.3 Setting the Aging Time of the Firewall Session Table
This section describes how to set the aging time of the firewall session table.

2.3.1 Establishing the Configuration Task

2.3.2 (Optional) Setting the Aging Time of the Firewall Session Table

2.3.3 Checking the Configuration

2.3.1 Establishing the Configuration Task

Applicable Environment

The ME60 establishes a session table for the data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. An aging time is set for the session table. If a record in the session table does not match any packet within the aging time, the system deletes the record.

To change the session duration of a protocol, set the aging time of the firewall session table.


Pre-configuration Task

Before setting the aging time of the firewall session table, complete the following tasks:

- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")

Data Preparation

To set the aging time of the firewall session table, you need the following data.

No. | Data
1 | Aging time of the session table for each application layer protocol

2.3.2 (Optional) Setting the Aging Time of the Firewall Session Table

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall session aging-time session-type aging-time

The aging time of the firewall session table is configured.

By default, the aging times of the SYN, FIN-RST, TCP, and UDP session tables are 5 seconds, 10 seconds, 240 seconds, and 40 seconds respectively. For the aging times of other session tables, refer to the Quidway ME60 Multiservice Control Gateway Command Reference.

NOTE

In general, you do not need to change the aging time of a session table.

----End

2.3.3 Checking the Configuration

Run the following commands in any view to check the previous configuration.

Action | Command
Check the aging time of the firewall session table. | display firewall session aging-time
Check the firewall session table. | display firewall session table [ verbose ] [ source { inside | global } src-ip-address [ destination { inside | global } dest-ip-address ] ]

2.4 Configuring ACL-based Packet Filtering
This section describes how to filter data packets through the ACL.

2.4.1 Establishing the Configuration Task

2.4.2 Configuring ACL-based Packet Filtering in an Interzone

2.4.1 Establishing the Configuration Task

Applicable Environment

When data is delivered between two zones, the ACL-based packet filtering firewall enforces the filtering policies according to the ACL rules. The ACLs for filtering packets are classified into the basic ACL and the advanced ACL.

Pre-configuration Task

Before configuring ACL-based packet filtering, complete the following tasks:

- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)

Data Preparation

To configure ACL-based packet filtering, you need the following data.

No. Data

1 Names of the two zones

2 ACL number

3 Direction in which the ACL is applied


2.4.2 Configuring ACL-based Packet Filtering in an Interzone

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:

packet-filter acl-number { inbound | outbound }

ACL-based packet filtering is configured.

You can configure ACL-based packet filtering in the interzone for the inbound and outbound packets.

By default, ACL-based packet filtering is not configured in the interzone.

NOTE

- The time range configured in the ACL is also applicable to packet filtering.
- For an ACL configured for a VPN, you must configure the VPN instance name.

----End

2.5 Configuring ASPF
This section describes how to configure the ME60 to check the application layer information about data flows to filter data packets.

2.5.1 Establishing the Configuration Task

2.5.2 Configuring ASPF in the Interzone

2.5.3 Checking the Configuration

2.5.1 Establishing the Configuration Task

Applicable Environment

When data is delivered between two zones, ASPF checks the packets at the application layer and discards the unmatched packets.

Pre-configuration Task

Before configuring ASPF, complete the following tasks:

- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")

Data Preparation

To configure ASPF, you need the following data.

No. Data

1 Names of the two zones

2 Type of the application protocol

3 (Optional) Aging time of the session table for each application layer protocol

2.5.2 Configuring ASPF in the Interzone

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:

detect { all | ftp | http | pptp }

The ASPF function is configured.

The application protocols all require interaction between two parties, so the direction does not need to be configured. The ME60 checks the packets in both directions.

By default, ACL-based packet filtering is not configured in the interzone.

----End
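ACL-based packet filtering (2.4) and ASPF (2.5) applied to the same interzone, as an added example that is not part of the original guide. It assumes the zones trust (priority 100) and untrust (priority 10) already exist with an enabled interzone, that 10.1.0.0/16 is the trust-side network, and that the ACL rule syntax follows the IP Services guide; # lines are annotations.

```text
system-view
# Advanced ACL (syntax assumed from the IP Services guide): the trust side may
# open HTTP and FTP control connections towards the Internet; every other flow
# that reaches this filter is dropped by the final deny. Note that a time range
# attached to an ACL rule also limits when the packet filter applies.
acl number 3001
 rule 5 permit tcp source 10.1.0.0 0.0.255.255 destination-port eq 80
 rule 10 permit tcp source 10.1.0.0 0.0.255.255 destination-port eq 21
 rule 100 deny ip
 quit
firewall interzone trust untrust
 # trust (priority 100) -> untrust (priority 10) is the outbound direction,
 # so the filter is bound outbound. Nothing is bound inbound in this example;
 # by default no packet filter exists in either direction.
 packet-filter 3001 outbound
 # ASPF for FTP: detect takes no direction keyword, the ME60 inspects both
 # directions of the application-layer session. The static ACL above sees
 # only the network and transport layers; ASPF adds the application-layer check.
 detect ftp
 quit
# Both settings show up in the interzone display.
display firewall interzone trust untrust
```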

2.5.3 Checking the Configuration

Run the following command to check the previous configuration.

Action | Command
Check the ASPF configuration of the firewall interzone. | display firewall interzone [ zone-name1 zone-name2 ]

2.6 Configuring the Blacklist
This section describes how to configure the blacklist to filter out data packets from attackers.

2.6.1 Establishing the Configuration Task

2.6.2 Enabling the Blacklist

2.6.3 (Optional) Adding a Blacklist Entry

2.6.4 (Optional) Configuring the Packet Filtering Type of the Blacklist

2.6.1 Establishing the Configuration Task

Applicable Environment

The blacklist can filter out the packets sent from a specified IP address. An IP address can be added to the blacklist manually or automatically.

When the attack defense module of the firewall detects an attack through the packet behavior, the firewall adds the source IP address of the packet to the blacklist. Thus, all the packets from this IP address are filtered out.

NOTE

The IP address that is added to the blacklist must belong to a zone (it may be a zone with low security). The firewall can then detect the attack from this IP address.

Pre-configuration Task

Before configuring the blacklist, complete the following tasks:

- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
- Configuring attack defense if the auto blacklisting function is enabled (See chapter 5 "Attack Defense Configuration.")

Data Preparation

To configure the blacklist, you need the following data.


No. Data

1 IP address to be added to blacklist (the VPN instance can be included)

2 (Optional) Aging time of blacklist entry

3 (Optional) Packet filtering type of blacklist

2.6.2 Enabling the Blacklist

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall blacklist enable

The blacklist is enabled.

By default, the blacklist is disabled.

----End

2.6.3 (Optional) Adding a Blacklist Entry

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall blacklist item ip-address [ timeout minutes ] [ vpn-instance vpn-instance-name ]

A blacklist entry is added.

By running this command, you can add entries to the blacklist manually. You can specify the IP address, aging time, and VPN instance when adding the entry. The aging time refers to the period during which the IP address is effective after it is added to the blacklist. When the IP address expires, it is released from the blacklist. If the aging time is not specified, the IP address remains in the blacklist.

NOTE

The blacklist entries without the aging time are written to the configuration file. The blacklist entries with the aging time are not written to the configuration file, but you can view them by using the display firewall blacklist item [ ip-address ] [ vpn-instance vpn-instance-name ] command.

An IP address can be added to the blacklist regardless of whether the blacklist is enabled. That is, even if the blacklist is not enabled, you can still add entries, but the entries do not take effect.

----End

2.6.4 (Optional) Configuring the Packet Filtering Type of the Blacklist

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall blacklist filter-type { icmp | others | tcp | udp }

The packet filtering type of the blacklist is configured.

Configuring packet filtering types helps to specify the types of packets that are filtered out in the blacklist, including ICMP, TCP, and UDP.

By default, all types of packets matching the blacklist are filtered out.

----End
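The three blacklist procedures of 2.6.2 to 2.6.4 in one sequence, as an added example that is not part of the original guide. The addresses are constructed from the RFC 5737 documentation ranges, the VPN instance name vpn1 is assumed, and # lines are annotations.

```text
system-view
# Nothing in the blacklist takes effect until it is switched on (off by default).
firewall blacklist enable
# Permanent entry (no timeout): stays until removed and is written to the
# configuration file, so it survives a reload. 192.0.2.77 is a constructed
# sample address.
firewall blacklist item 192.0.2.77
# Temporary entry: released after 30 minutes, not written to the configuration
# file, but visible with display firewall blacklist item. The address is
# looked up inside VPN instance "vpn1" (name assumed); 198.51.100.9 is a
# constructed sample address.
firewall blacklist item 198.51.100.9 timeout 30 vpn-instance vpn1
# Optional narrowing: drop only TCP from blacklisted sources. Leave this line
# out to keep the default, which drops every packet type from those sources.
firewall blacklist filter-type tcp
# Check the entries, including the timed one that is not in the config file.
display firewall blacklist item
display firewall blacklist item 198.51.100.9 vpn-instance vpn1
```

Entries added while the blacklist is disabled are accepted but do nothing until firewall blacklist enable is run, so the enable step is listed first on purpose.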

2.7 Configuring Port Mapping
This section describes how to configure the port mapping function so that the firewall can identify the packets of the application-layer protocols that use non-well-known port numbers.

2.7.1 Establishing the Configuration Task

2.7.2 Configuring Port Mapping

2.7.1 Establishing the Configuration Task

Applicable Environment

Through port mapping, the firewall can identify packets of the application-layer protocols that use the non-well-known port numbers. This function can be applied to the sensitive features at the application layer such as ASPF. Port mapping is applicable to application protocols such as FTP, H.323, HTTP, RTSP, and SMTP.

Port mapping is implemented based on the ACL. Port mapping takes effect only when the packet matches an ACL rule. Port mapping employs the basic ACL (ranging from 2000 to 2999). When matching the packet against the ACL, the ME60 compares the destination IP address of the packet with the IP address configured in the basic ACL rule.

NOTE

Port mapping is applied only to the data delivered in the interzone. Therefore, when configuring port mapping, you must configure the zones and interzone.

Pre-configuration Task

Before configuring port mapping, complete the following tasks:

- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)

Data Preparation

To configure port mapping, you need the following data.

No. | Data
1 | Type of application layer protocol
2 | User-defined port to be mapped
3 | Number of the basic ACL

No. Data

1 Type of application layer protocol

2 User-defined port to be mapped

3 Number of the basic ACL

2.7.2 Configuring Port Mapping

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

port-mapping protocol-name port port acl acl-number

Port mapping is configured.

You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings, however, must be distinguished by the ACL. That is, packets matching different ACL rules use different mapping entries.

NOTE

Port mapping is used to identify the protocol type of the packets destined for an IP address (such as the IP address of a WWW server). Therefore, when configuring the basic ACL rules, you need to match the destination IP addresses of the packets with the source IP addresses defined in the ACL rules.

----End
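The FTP-on-port-2121 scenario from 2.1.4 carried through the 2.7 procedure, as an added example that is not part of the original guide. It assumes the zones trust and untrust exist with an enabled interzone, that the protocol keyword ftp is accepted by port-mapping (the page lists FTP among the supported protocols but shows no keyword), and that the basic ACL rule syntax follows the IP Services guide; # lines are annotations.

```text
system-view
# Basic ACL (range 2000-2999; syntax assumed from the IP Services guide).
# Port mapping compares the packet's DESTINATION address with the SOURCE
# address in the basic ACL rule, so the FTP server's own address 10.10.10.10
# goes into the source field, not the clients' addresses.
acl number 2001
 rule 5 permit source 10.10.10.10 0
 quit
# Packets to 10.10.10.10 on port 2121 are now classified as FTP instead of
# unknown TCP. Without the ACL restriction the same port could not be mapped
# differently for another server, because mappings are told apart by ACL.
port-mapping ftp port 2121 acl 2001
# The mapping is only consulted by service-sensitive features (ASPF, NAT).
# Here ASPF inspects FTP in the interzone, so the 2121 control sessions get
# the application-layer check that port-21 sessions would get by default.
firewall interzone trust untrust
 detect ftp
 quit
display firewall interzone trust untrust
```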

2.8 Configuring P2P Traffic Control
This section describes how to limit the bandwidth of P2P sessions.

2.8.1 Establishing the Configuration Task

2.8.2 Enabling P2P Traffic Control

2.8.3 Configuring the CAR Table

2.8.4 Configuring P2P Traffic Control in an Interzone

2.8.5 Configuring P2P Traffic Control Globally

2.8.6 Checking the Configuration

2.8.1 Establishing the Configuration Task

Applicable Environment

The P2P traffic control function can be deployed to limit the bandwidth assigned to P2P applications like BT. P2P traffic control can be deployed globally or in an interzone.

The global P2P traffic control is applicable to all the P2P sessions. You can configure the limit of P2P sessions on the equipment.

ACLs are used to control the bandwidth of P2P applications between zones. The equipment controls the bandwidth of the P2P sessions matching the ACL rules. Basic ACLs (numbered from 2000 to 2999) or advanced ACLs (numbered from 3000 to 3999) are used for P2P traffic control.

Pre-configuration Task

Before configuring P2P traffic control, complete the following tasks:

- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
- Configuring the time range during which P2P traffic control takes effect (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)

Data Preparation

To configure P2P traffic control, you need the following data.

No. Data

1 Names of the two zones where P2P traffic control is configured

2 Number of the ACL used for P2P traffic control

3 Direction in which P2P traffic control is applied

4 CAR class, CAR value, and time range

5 (Optional) Maximum number of P2P sessions

2.8.2 Enabling P2P Traffic Control

Context

Do as follows on the ME60.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: firewall p2p-car enable

P2P traffic control is enabled.

This function must be enabled before any other P2P traffic control configuration. After you run this command, P2P traffic control is enabled both globally and in the interzone.

By default, P2P traffic control is disabled.

----End

2.8.3 Configuring the CAR Table

Context

Do as follows on the ME60.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: firewall car-class class-id cir cir [ time-range range-name ]

The CAR table is configured.

A CAR table must exist before P2P traffic control is applied: the CAR class is referenced when P2P traffic control is configured in an interzone or for the entire system.

Up to 1024 classes can be configured in a CAR table. Each class has a default CAR (the command run without time-range) and up to five CARs bound to time ranges. The default CAR is used whenever the current time falls in none of the configured time ranges.

By default, the CAR table contains no CAR classes.

----End

2.8.4 Configuring P2P Traffic Control in an Interzone

Context

Do as follows on the ME60.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run: p2p-car acl-number class class-id { inbound | outbound }

P2P traffic control is configured.

Within an interzone, P2P traffic control is configured separately for the inbound and the outbound direction.

By default, P2P bandwidth control is not configured in an interzone.

NOTE

A time range configured in the ACL also applies to P2P traffic control: when the ACL rule is outside its time range, the sessions it selects are not limited.

----End

2.8.5 Configuring P2P Traffic Control Globally

Context

Do as follows on the ME60.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: firewall p2p-car class class-id

P2P traffic control is configured globally.

Step 3 (Optional) Run: firewall p2p-car session-limit session-number

The maximum number of P2P sessions is set.

Global P2P traffic control takes effect on all P2P sessions. It allows you to set the CAR class and to limit the total number of P2P sessions.

By default, global P2P bandwidth control is not configured.

----End

2.8.6 Checking the Configuration

Run the following commands to check the previous configuration.

Action: Check the CAR table configured for P2P traffic control.
Command: display firewall car-class

Action: Check the configuration of global P2P bandwidth control.
Command: display firewall p2p-car
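The following Python script is an added illustration of the CAR table semantics described in 2.8.3 and applied in 2.8.4 and 2.8.5; it is not part of this guide or of the ME60 software. It models a CAR class with a default CIR and up to five time-range CIRs, selects the CIR in force at a given time of day, and polices a constructed packet burst with a token bucket. The CIR unit (kbit/s), the burst size and the token-bucket model are assumptions; the guide does not document the ME60's metering algorithm.

```python
"""Added illustration (not Huawei code) of the CAR table described in 2.8.3:
a CAR class holds a default CIR plus up to five time-range-specific CIRs, and
the default CIR applies whenever the current time is in no configured range.
Assumptions: CIR is in kbit/s, and enforcement is modelled as a token bucket;
the page does not describe the ME60's actual metering algorithm."""
from dataclasses import dataclass, field
from datetime import time
from typing import List, Tuple


@dataclass
class TimeRange:
    name: str
    start: time
    end: time

    def contains(self, t: time) -> bool:
        return self.start <= t < self.end


@dataclass
class CarClass:
    class_id: int
    default_cir: int                                  # kbit/s, no time-range
    ranges: List[Tuple[TimeRange, int]] = field(default_factory=list)

    def add_range(self, rng: TimeRange, cir: int) -> None:
        """firewall car-class <id> cir <cir> time-range <name>; five at most."""
        if len(self.ranges) >= 5:
            raise ValueError("a CAR class holds at most five time ranges")
        self.ranges.append((rng, cir))

    def cir_at(self, now: time) -> int:
        """First time range containing 'now' wins; otherwise the default CIR."""
        for rng, cir in self.ranges:
            if rng.contains(now):
                return cir
        return self.default_cir


class TokenBucket:
    """Single-rate meter: tokens (bytes) accrue at the CIR up to a burst size;
    a packet passes only if the bucket holds at least its size."""

    def __init__(self, cir_kbps: int, burst_bytes: int) -> None:
        self.rate = cir_kbps / 8.0       # bytes per millisecond (kbit/s / 8)
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_ms = 0

    def offer(self, t_ms: int, size: int) -> bool:
        self.tokens = min(self.capacity, self.tokens + (t_ms - self.last_ms) * self.rate)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(car: CarClass, when: time, packets, burst_bytes: int = 10000):
    """packets: iterable of (arrival_ms, size_bytes). Returns (passed, dropped)."""
    bucket = TokenBucket(car.cir_at(when), burst_bytes)
    passed = dropped = 0
    for t_ms, size in packets:
        if bucket.offer(t_ms, size):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


# Constructed sample: class 1 limits P2P to 512 kbit/s by default and to
# 256 kbit/s during working hours (08:00-18:00).
CAR_CLASS_1 = CarClass(1, default_cir=512)
CAR_CLASS_1.add_range(TimeRange("working-hours", time(8, 0), time(18, 0)), 256)

# Constructed burst: 100 packets of 1500 bytes, 1 ms apart (12 Mbit/s offered).
BURST = [(ms, 1500) for ms in range(100)]

if __name__ == "__main__":
    for when in (time(12, 0), time(2, 0)):
        print(when, CAR_CLASS_1.cir_at(when), "kbit/s", police(CAR_CLASS_1, when, BURST))
```

Run it to see that the same 12 Mbit/s burst passes 8 packets under the 256 kbit/s working-hours CIR and 10 under the 512 kbit/s default, and that the class refuses a sixth time range.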

2.9 Configuring Firewall Logs

This section describes how to configure firewall logs.

2.9.1 Establishing the Configuration Task

2.9.2 Enabling the Firewall Log

2.9.3 Configuring a Session Log

2.9.4 (Optional) Configuring Output Interval of Logs

2.9.5 Checking the Configuration

2.9.1 Establishing the Configuration Task

Applicable Environment

Firewall logs record the behaviour and state of the firewall. They help you identify security holes, analyze attempts to violate the security policy, and detect network attacks. Session logs are exported to an external log host, so plan the log host and its connectivity before enabling them.

Pre-configuration Task

Before configuring the firewall log, complete the following tasks:

• Installing the VSU
• (Optional) Configuring the VSU to work as the SSU
• Configuring zones and adding interfaces or user domains to the zones (see "Configuring a Zone")
• Configuring the interzone and enabling the firewall in the interzone (see "Configuring a Zone")
• Creating basic ACL or advanced ACL rules (refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services)

Data Preparation

To configure the firewall log, you need the following data.

No. Data

1 Type of the firewall log

2 IP address and port number of the log host, and the IP address and port number that the ME60 uses to communicate with the log host (for the session log)

3 Conditions under which session information is logged, including the ACL number and the direction (for the session log)

4 (Optional) Interval for exporting the defense log or statistics log

2.9.2 Enabling the Firewall Log

Context

Do as follows on the ME60.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: firewall log { all | blacklist | defend | session | statistics } enable

The firewall log is enabled.

The all keyword enables all firewall logs; alternatively, enable the log types one at a time.

By default, no firewall log is enabled.

----End

2.9.3 Configuring a Session Log

Context

Do as follows on the ME60.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: firewall session log-type binary host host-ip-address host-port source src-ip-address src-port

The log host is configured for session logs.

Step 3 Run: firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 4 Run: session-log acl-number { inbound | outbound }

The conditions for generating session logs are configured.

Session logs are exported to the log host in real time, so the log host must be configured first. To configure it, specify the IP address and port number of the log host, and the IP address and port number that the ME60 uses to communicate with the log host.

The ACL referenced in the interzone view selects the sessions for which a session log is recorded; inbound and outbound traffic are configured separately.

By default, no log host is configured, and no interzone is configured with conditions for generating session logs.

----End

2.9.4 (Optional) Configuring Output Interval of Logs

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: firewall { defend | statistics } log-time time

The output interval of the defense log or statistics log is set.

The output interval, in seconds, is the interval at which the logs are exported.

The session log is exported to the log host in real time, and the blacklist log is exported to the information center in real time, so no output interval is needed for these two types. The output interval applies only to the defense log and the statistics log.

By default, the output interval for each of the two logs is 30 seconds.

----End

2.9.5 Checking the Configuration

Run the following command to check the previous configuration.

Action: Check the output interval for the defense log or statistics log.
Command: display firewall log-time [ defend | statistics ]

2.10 Configuration Examples

This section provides several configuration examples of the firewall.

2.10.1 Example for Configuring ACL-based Packet Filtering

2.10.2 Example for Configuring ASPF and Port Mapping

2.10.3 Example for Configuring the Blacklist

2.10.1 Example for Configuring ACL-based Packet Filtering

Networking Requirements

As shown in Figure 2-1, GE1/0/0 of the ME60 is connected to an internal network with a high security priority; GE2/0/0 of the ME60 is connected to an external network with a low security priority. The firewall needs to filter the packets between the internal and external networks. The requirements are as follows:

• A host (202.39.2.3) in the external network is allowed to access the servers in the internal network.

• Other hosts are not allowed to access the servers in the internal network.

Figure 2-1 Networking of ACL-based packet filtering

[Figure: ME60 with GE1/0/0 (129.38.1.1/24) facing the internal network, which holds the FTP server 129.38.1.2, the Telnet server 129.38.1.3 and the WWW server 129.38.1.4, and GE2/0/0 (202.38.160.1/16) facing the WAN, where the PC 202.39.2.3 resides.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Add the interfaces to the zones.
4. Configure ACLs.
5. Configure ACL-based packet filtering in the interzone view.

Data Preparation

To complete the configuration, you need the following data:

• Slot number of the VSU: 3
• IP addresses of interfaces and servers, as shown in Figure 2-1
• Network security priorities: 100 for the internal network and 1 for the external network
• Numbers of the ACLs that filter the outbound and inbound packets: ACL 3101 for the outbound packets and ACL 3102 for the inbound packets (only ACL 3102 is used in the procedure below)

Configuration Procedure

1. (Optional) Configure the VSU to function as the SSU.

<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of the interfaces.

<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 129.38.1.1 255.255.255.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 202.38.160.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit

3. Configure zones and the interzone.

[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit

4. Add the interfaces to the zones.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit

5. Configure ACLs.

[Quidway] acl 3102
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Quidway-acl-adv-3102] rule deny ip
[Quidway-acl-adv-3102] quit

The three permit rules cover only TCP from 202.39.2.3 to the three servers; the closing rule deny ip is what blocks every other host and every other protocol, so do not omit it.

6. Configure packet filtering.

[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] packet-filter 3102 inbound
[Quidway-interzone-zone1-zone2] quit

Configuration Files

#
 sysname Quidway
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 129.38.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 202.38.160.1 255.255.0.0
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 3102 inbound
#
return

2.10.2 Example for Configuring ASPF and Port Mapping

Networking Requirements

As shown in Figure 2-2, GE1/0/0 of the ME60 is connected to an internal network with a high security priority; GE2/0/0 of the ME60 is connected to an external network with a low security priority. The firewall needs to filter the packets between the internal and external networks and perform ASPF checking. The requirements are as follows:

• A host (202.39.2.3) in the external network is allowed to access the servers in the internal network.

• Other hosts are not allowed to access the servers in the internal network.

• The firewall tracks the state of FTP connections and filters packets that do not belong to a valid FTP session.

• Packets sent from the external host to the FTP server on port 2121 are treated as FTP packets.

Figure 2-2 Networking of ASPF and port mapping

[Figure: same topology as Figure 2-1: ME60 with GE1/0/0 (129.38.1.1/24) facing the internal network (FTP server 129.38.1.2, Telnet server 129.38.1.3, WWW server 129.38.1.4) and GE2/0/0 (202.38.160.1/16) facing the WAN, where the PC 202.39.2.3 resides.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IP addresses of the interfaces.

2. Configure zones and the interzone.

3. Add the interfaces to the zones.

4. Configure ACLs.

5. Configure ACL-based packet filtering in the interzone view.

6. Configure ASPF in the interzone.

7. Map port 2121 to the FTP protocol.

Data Preparation

To complete the configuration, you need the following data:

• Slot number of the VSU: 3
• IP addresses of interfaces and servers, as shown in Figure 2-2
• Network security priorities: 100 for the internal network and 1 for the external network
• Number of the ACL that filters the inbound data: 3102
• Number of the ACL used in port mapping: 2102

Configuration Procedure

1. (Optional) Configure the VSU to function as the SSU.

<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of the interfaces.

<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 129.38.1.1 255.255.255.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 202.38.160.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit

3. Configure zones and the interzone.

[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit

4. Add the interfaces to the zones.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit

5. Configure ACLs.

[Quidway] acl 2102
[Quidway-acl-basic-2102] rule permit source 129.38.1.2 0.0.0.0
[Quidway-acl-basic-2102] quit
[Quidway] acl 3102
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Quidway-acl-adv-3102] rule deny ip
[Quidway-acl-adv-3102] quit

Basic ACL 2102 names the FTP server's own address (129.38.1.2) in its source field, because port mapping matches that field against the destination address of the packets; traffic to port 2121 on the other two servers is not classified as FTP.

6. Configure packet filtering.

[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] packet-filter 3102 inbound

7. Configure ASPF.

[Quidway-interzone-zone1-zone2] detect ftp
[Quidway-interzone-zone1-zone2] quit

8. Configure port mapping.

[Quidway] port-mapping ftp port 2121 acl 2102

Configuration Files

#
 sysname Quidway
#
acl number 2102
 rule 5 permit source 129.38.1.2 0
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 129.38.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 202.38.160.1 255.255.0.0
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 3102 inbound
 detect ftp
#
port-mapping ftp port 2121 acl 2102
#
return
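The following Python script is an added illustration, not part of this guide or of the ME60 software, of how the packet filter in 2.10.1 and the port mapping in 2.10.2 evaluate packets. It transcribes ACL 3102 and ACL 2102 from the example, reproduces the wildcard-mask semantics (a wildcard of 0 or 0.0.0.0 means an exact host match), evaluates rules in order with the first match winning, and matches a port mapping's basic ACL against the packet's destination address as the port-mapping NOTE earlier in this chapter requires. The WELL_KNOWN fallback table, the Packet fields and the None result for an ACL with no matching rule are assumptions made for the illustration.

```python
"""Added illustration (not Huawei code) of how the interzone packet filter
and port mapping in 2.10.1 and 2.10.2 evaluate packets. Huawei ACL wildcard
semantics are reproduced: a wildcard bit of 1 means "don't care", so 0 (or
0.0.0.0) is an exact host match. Assumption: when no port mapping applies,
ASPF falls back to the well-known port of the protocol."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")


def host(ip: str) -> Tuple[str, str]:
    """Shorthand for '<ip> 0' (exact host) in an ACL rule."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches every protocol
    src: Tuple[str, str] = ANY        # (address, wildcard)
    dst: Tuple[str, str] = ANY


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def acl_lookup(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Rules are tried in order (rule 5, rule 10, ...); the first match wins.
    Returns None when nothing matches, which is why the examples on this page
    end every filtering ACL with an explicit 'rule deny ip'."""
    for rule in rules:
        if rule.proto not in ("ip", pkt.proto):
            continue
        if wildcard_match(pkt.src, *rule.src) and wildcard_match(pkt.dst, *rule.dst):
            return rule.action
    return None


@dataclass
class PortMapping:
    proto: str
    port: int
    acl: List[Rule]                   # basic ACL: only the source field is used


WELL_KNOWN = {21: "ftp", 23: "telnet", 80: "http"}   # assumed fallback table


def identify_protocol(mappings: List[PortMapping], pkt: Packet) -> str:
    """port-mapping <proto> port <port> acl <basic-acl>: the packet's
    DESTINATION address is matched against the basic ACL's SOURCE field."""
    for m in mappings:
        if pkt.dport != m.port:
            continue
        for rule in m.acl:
            if rule.action == "permit" and wildcard_match(pkt.dst, *rule.src):
                return m.proto
    return WELL_KNOWN.get(pkt.dport, "unknown")


# The ACLs from example 2.10.2, transcribed.
ACL_3102 = [
    Rule("permit", "tcp", host("202.39.2.3"), host("129.38.1.2")),
    Rule("permit", "tcp", host("202.39.2.3"), host("129.38.1.3")),
    Rule("permit", "tcp", host("202.39.2.3"), host("129.38.1.4")),
    Rule("deny", "ip"),
]
ACL_2102 = [Rule("permit", "ip", host("129.38.1.2"))]
MAPPINGS = [PortMapping("ftp", 2121, ACL_2102)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "202.39.2.3", "129.38.1.2", 2121),
                Packet("tcp", "202.39.2.9", "129.38.1.2", 21),
                Packet("udp", "202.39.2.3", "129.38.1.4", 53)):
        print(pkt, acl_lookup(ACL_3102, pkt), identify_protocol(MAPPINGS, pkt))
```

Running it shows the two points a reviewer of this configuration should check: UDP from the permitted host is still denied because the permits are TCP-only, and port 2121 on the WWW server is not treated as FTP because ACL 2102 names only 129.38.1.2.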

2.10.3 Example for Configuring the Blacklist

Networking Requirements

As shown in Figure 2-3, GE1/0/0 of the ME60 is connected to an enterprise network with a high security priority; GE2/0/0 of the ME60 is connected to the Internet with a low security priority.

The firewall needs to apply attack defense and the blacklist to packets from the Internet to the enterprise network. If the firewall finds that an IP address is attacking the enterprise network through IP address sweeping, it blacklists that address. The rate threshold for IP sweeping is 5000 pps (firewall defend ip-sweep max-rate 5000), and the timeout of a dynamically added blacklist entry is 30 minutes.

In addition, if the firewall detects that IP address 202.39.1.2 attacks the enterprise network repeatedly, you can add the address to the blacklist manually. Manually added entries never age out.

Figure 2-3 Networking of blacklist configuration

[Figure: ME60 with GE1/0/0 (1.1.0.1/16) facing the enterprise network, which holds the server 1.1.0.2, and GE2/0/0 (2.2.0.1/16) facing the Internet.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Configure ACLs.
4. Configure packet filtering.
5. Add the interfaces to the zones.
6. Configure the parameters for preventing IP address sweeping attacks.
7. Add blacklist entries manually.

Data Preparation

To complete the configuration, you need the following data:

• Slot number of the VSU: 3
• IP addresses of interfaces and servers, as shown in Figure 2-3
• Network security priorities: 100 for the enterprise network and 1 for the Internet
• Number of the basic ACL applied inbound: 2000 (this ACL permits any source, so in this example inbound traffic is restricted only by the blacklist)

Configuration Procedure

1. (Optional) Configure the VSU to function as the SSU.

<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of the interfaces.

<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit

3. Configure zones and the interzone.

[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit

4. Configure ACLs.

[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source any
[Quidway-acl-basic-2000] quit

5. Configure packet filtering.

[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
[Quidway-interzone-zone1-zone2] quit

6. Add the interfaces to the zones.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit

7. Configure the parameters for preventing IP address sweeping attacks.

[Quidway] firewall defend ip-sweep enable
[Quidway] firewall defend ip-sweep blacklist-timeout 30
[Quidway] firewall defend ip-sweep max-rate 5000

8. Configure the blacklist.

[Quidway] firewall blacklist enable
[Quidway] firewall blacklist item 202.39.1.2

Configuration Files

#
 sysname Quidway
#
acl number 2000
 rule 5 permit source any
#
 firewall blacklist enable
 firewall blacklist item 202.39.1.2
#
 firewall defend ip-sweep enable
 firewall defend ip-sweep max-rate 5000
 firewall defend ip-sweep blacklist-timeout 30
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 2000 inbound
#
return
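The following Python script is an added illustration of the blacklist behaviour configured in this example, run over constructed flow records; it is not part of this guide or of the ME60 software. It models a dynamic entry that ages out after blacklist-timeout minutes, a manual entry (firewall blacklist item) that never ages out, and a sweep detector that counts distinct destinations per source within a one-second window against max-rate. How the ME60 itself measures an IP sweep is not documented on this page, so the counting rule, the one-second window and the flow records are assumptions.

```python
"""Added illustration (not Huawei code) of the blacklist behaviour configured
in 2.10.3, run over constructed flow records. Assumptions: an IP sweep is one
source opening sessions to many distinct destination addresses; the per-second
count of such destinations is compared with max-rate; a dynamic entry expires
after blacklist-timeout minutes, while an entry added with
'firewall blacklist item' never expires."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Blacklist:
    timeout_min: int
    # ip -> absolute expiry time in seconds, or None for a permanent (manual) entry
    entries: Dict[str, Optional[float]] = field(default_factory=dict)

    def add_manual(self, ip: str) -> None:
        self.entries[ip] = None

    def add_dynamic(self, ip: str, now: float) -> None:
        if ip in self.entries and self.entries[ip] is None:
            return                                   # never downgrade a manual entry
        self.entries[ip] = now + self.timeout_min * 60

    def is_blocked(self, ip: str, now: float) -> bool:
        if ip not in self.entries:
            return False
        expiry = self.entries[ip]
        if expiry is None:
            return True
        if now >= expiry:
            del self.entries[ip]                      # timed out: age the entry out
            return False
        return True


class SweepDetector:
    """Counts distinct destinations per source within each one-second window."""

    def __init__(self, max_rate: int, blacklist: Blacklist) -> None:
        self.max_rate = max_rate
        self.blacklist = blacklist
        self.window: Dict[str, Tuple[int, Set[str]]] = {}

    def observe(self, now: float, src: str, dst: str) -> str:
        """Returns 'drop' or 'pass' for one new inbound session."""
        if self.blacklist.is_blocked(src, now):
            return "drop"
        second = int(now)
        last_second, dsts = self.window.get(src, (second, set()))
        if last_second != second:
            dsts = set()
        dsts.add(dst)
        self.window[src] = (second, dsts)
        if len(dsts) > self.max_rate:
            self.blacklist.add_dynamic(src, now)
            return "drop"
        return "pass"


def run_scan(det: SweepDetector, src: str, n_targets: int, start: float) -> Tuple[int, int]:
    """Constructed sweep: 'src' probes n_targets distinct hosts in 1.1.0.0/16
    within one second. Returns (passed, dropped)."""
    passed = dropped = 0
    for i in range(n_targets):
        dst = f"1.1.{i // 256}.{i % 256}"
        if det.observe(start + i * 1e-5, src, dst) == "pass":
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def build_example() -> SweepDetector:
    """The settings from 2.10.3: max-rate 5000, blacklist-timeout 30 minutes,
    plus the manual entry for 202.39.1.2."""
    bl = Blacklist(timeout_min=30)
    bl.add_manual("202.39.1.2")
    return SweepDetector(max_rate=5000, blacklist=bl)


if __name__ == "__main__":
    det = build_example()
    print("manual entry:", det.observe(100.0, "202.39.1.2", "1.1.0.2"))
    print("scan of 5001 hosts:", run_scan(det, "2.2.5.5", 5001, 100.0))
    print("scanner 1 s later:", det.observe(101.0, "2.2.5.5", "1.1.0.2"))
    print("scanner after timeout:", det.observe(100.0 + 31 * 60, "2.2.5.5", "1.1.0.2"))
```

The constructed run shows that the 5001st distinct destination within one second trips the threshold, that the scanner is dropped until the 30-minute timeout elapses, and that a host repeating sessions to a single server is never flagged because only distinct destinations count.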

3 NAT Configuration

About This Chapter

This chapter describes the concept, fundamental, configuration, and maintenance of NAT.

3.1 Introduction

This section describes the concept and fundamentals of NAT.

3.2 Configuring NAT

This section describes how to configure the NAT function.

3.3 Configuration Examples

This section provides a configuration example of NAT.

3.1 Introduction

This section describes the concept and fundamentals of NAT.

3.1.1 NAT Overview

3.1.2 NAT Types

3.1.3 Advantages and Disadvantages of NAT

3.1.4 Many-to-Many NAT and Address Pool

3.1.5 Internal Server

3.1.6 References

3.1.1 NAT Overview

Network address translation (NAT) enables hosts in a private network to access the publicnetwork.

Private Address and Public Address

A private network address, referred to as a private address, is an IP address used inside an internal network or by an internal host. A public network address, referred to as a public address, is a globally unique IP address on the Internet. The Internet Assigned Numbers Authority (IANA) reserves the following ranges as private addresses (RFC 1918):

• Class A: 10.0.0.0 to 10.255.255.255
• Class B: 172.16.0.0 to 172.31.255.255
• Class C: 192.168.0.0 to 192.168.255.255

After planning the scale of its intranet, an enterprise chooses an appropriate segment from these ranges. The private address segments of different enterprises can overlap, because private addresses are never routed on the Internet. If an intranet uses addresses outside the reserved private ranges, they may collide with real public addresses and cause communication errors.

Rationale of NAT

As shown in Figure 3-1, the network address must be translated when a host on the internal network accesses the Internet or interworks with hosts on a public network.

Figure 3-1 Schematic diagram of NAT

[Figure: internal network of PCs (10.1.1.10, the WWW client 10.1.1.48, ...) on GE1/0/0 of the ME60; POS2/0/0 with public address 203.196.3.23 toward the Internet, where the WWW server 202.18.245.251 resides.]

The internal network uses network segment 10.0.0.0 and its public IP address is 203.196.3.23. The internal host 10.1.1.48 accesses the external server 202.18.245.251 through WWW.

The host sends a packet with source port 6084 and destination port 80. After translation, the source address/port of the packet becomes 203.196.3.23:32814, while the destination address/port is unchanged. The router records this address-port mapping in a table.

When the WWW server responds, the router uses the table to translate the destination IP address/port of the returned packet back to 10.1.1.48:6084. In this manner, the internal host obtains access to the external server.

3.1.2 NAT Types

NAT is classified into two types: static NAT and port address translation (PAT).

Static NAT

Static NAT maps a private address to a public address. That is, the number of private addressesis equal to the number of public addresses. Static NAT cannot save public addresses, but canhide internal networks.

When an internal network sends a packet to an external network, static NAT translates the sourceIP address of the packet into a public address. When the external network returns a response,static NAT translates the destination IP address of the response packet into the private address.

PAT

PAT, which is also called network address port translation (NAPT), maps a public address tomultiple private addresses. Therefore, the public addresses are saved. PAT translates the sourceIP addresses of the packets from hosts that reside on the private network into a public address.The translated port numbers of these packets are different, and thus the private networks canshare a public address.

PAT keeps a table mapping each private address and port to a public port. When the PAT device receives a packet bound for the external network, it replaces the source address with the shared public address and the source port with the port allocated to that private address/port in the table. Packets from the private network thus share one public address but carry different ports. When the external network returns a response, its destination IP address and port are translated back to the private address and port according to the port number. Figure 3-2 shows the mapping.

Figure 3-2 Schematic diagram of PAT

[Figure: two internal hosts, 192.168.1.2 and 192.168.1.3, behind the ME60 (PAT) with public address 202.169.10.1, toward the Internet. Translations shown:
Datagram 1: 192.168.1.3:23 → 202.169.10.1:10023
Datagram 2: 192.168.1.3:80 → 202.169.10.1:10080
Datagram 3: 192.168.1.2:23 → 202.169.10.1:11023
Datagram 4: 192.168.1.2:80 → 202.169.10.1:11080]
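The following Python script is an added illustration of the PAT/NAPT translation described in 3.1.2, using the addresses of Figure 3-1; it is not part of this guide or of the ME60 software. Outbound packets from private hosts receive the shared public address and a public port allocated from a range, replies are mapped back through that port, and inbound packets with no mapping are dropped. Sequential port allocation from first_port, the (protocol, private address, private port) key and the Flow fields are assumptions made for the illustration.

```python
"""Added illustration (not Huawei code) of the PAT/NAPT translation described
in 3.1.2, using the addresses of Figure 3-1. Outbound packets from private hosts
receive the shared public address and a public port allocated from a range;
replies are mapped back through that port; inbound packets with no mapping are
dropped. Assumptions: ports are handed out sequentially from first_port, and
mappings are keyed by protocol, private address and private port."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip: str, first_port: int = 10000, last_port: int = 65535) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # (proto, private ip, private port) -> public port
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (private ip, private port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_out(self, f: Flow) -> Flow:
        """Private -> public: rewrite source address and port, keep destination."""
        key = (f.proto, f.src_ip, f.src_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                # One address has only so many ports; 3.1.4 explains why a
                # many-to-many address pool is needed at scale.
                raise RuntimeError("public port range exhausted")
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(f.proto, pub_port)] = (f.src_ip, f.src_port)
        return Flow(f.proto, self.public_ip, self.outbound[key], f.dst_ip, f.dst_port)

    def translate_in(self, f: Flow) -> Optional[Flow]:
        """Public -> private: look the destination port up; None means drop."""
        if f.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((f.proto, f.dst_port))
        if entry is None:
            return None          # unsolicited: no internal host is exposed
        priv_ip, priv_port = entry
        return Flow(f.proto, f.src_ip, f.src_port, priv_ip, priv_port)


def figure_3_1_exchange() -> Tuple[Flow, Optional[Flow]]:
    """The WWW request/reply of Figure 3-1, with the port range starting at
    32814 so the translated port matches the text."""
    nat = Napt("203.196.3.23", first_port=32814)
    request = Flow("tcp", "10.1.1.48", 6084, "202.18.245.251", 80)
    translated = nat.translate_out(request)
    reply = Flow("tcp", "202.18.245.251", 80, translated.src_ip, translated.src_port)
    return translated, nat.translate_in(reply)


if __name__ == "__main__":
    out, back = figure_3_1_exchange()
    print("request after NAT:", out)
    print("reply after NAT:  ", back)
```

Two hosts using the same private source port get different public ports, which is what lets them share one address; and a public port range of size one fails on the second host, which is the condition the address pool of 3.1.4 addresses.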

3.1.3 Advantages and Disadvantages of NAT

The advantages of NAT are as follows:

• Hosts on the internal network can access external resources, and public addresses are saved.

• The privacy of internal hosts is protected.

The disadvantages of NAT are as follows:

• Because NAT rewrites the IP header, protocols that authenticate or encrypt fields of the IP header, or that carry IP addresses inside the payload, do not work through NAT without special handling (for example, the IPsec AH integrity check fails once the source address is changed).

• The IP addresses of internal hosts are hidden, so the original source address cannot be seen from outside. This hinders debugging and tracing unless the translation records (for example, session logs) are kept.

3.1.4 Many-to-Many NAT and Address Pool

As shown in Figure 3-1, when an internal host accesses the external network, its source IP address is translated to a public address, which can be selected from an address pool on the ME60.

When all hosts on the internal network access the external network at the same time, they share one public address, and each session consumes one port of that address. If too many hosts open sessions concurrently, the port range of a single address is exhausted and further sessions cannot be translated. To solve this problem, the private network needs multiple public addresses, so a public address pool is required for many-to-many NAT.

A public address pool is a set of valid public addresses. You size the pool according to the number of public IP addresses available and the number of internal hosts. When an internal host accesses an external network, the ME60 selects an IP address from the pool as the source address of the packets.

3.1.5 Internal Server

NAT shields internal hosts. In practice, however, external networks may need to reach internal hosts; for example, external users may need to access a WWW server or an FTP server on the internal network.

NAT lets you publish internal servers flexibly. For example, use 202.110.10.10 as the public address of one Web server, 202.110.10.11 as the public address of the FTP server, and an address/port pair such as 202.110.10.12:8080 as the public address of another Web server. You can also publish several identical servers (for example, Web servers) to external users.

By configuring internal servers, you map public addresses and ports to the internal servers, after which external hosts can access them. Publish only the address/port pairs a server actually needs to expose, because each mapping opens a path from the low-security zone to an internal host.

The NAT function of the ME60 supports multi-instance internal servers, so external networks can access hosts in an MPLS VPN. For example, host 10.110.1.1 in VPN1 provides WWW service, and its public address is 202.110.10.20. External users access the WWW service in MPLS VPN1 through 202.110.10.20.

3.1.6 References

For more information about NAT, refer to the following document:

RFC 1631: The IP Network Address Translator (NAT) (obsoleted by RFC 3022, Traditional IP Network Address Translator)

3.2 Configuring NAT

This section describes how to configure the NAT function.

3.2.1 Establishing the Configuration Task

3.2.2 (Optional) Configuring the VSU to Work as the SSU

3.2.3 Configuring the NAT Address Pool

3.2.4 Configuring NAT in an Interzone

3.2.5 (Optional) Configuring the Internal NAT Server

3.2.6 Checking the Configuration

3.2.1 Establishing the Configuration Task

Applicable EnvironmentNAT needs to be configured at the juncture between the private network and the public network.The addresses can be translated through NAT.

NAT is configured based on the interzone. NAT is applied to the data from the high-securityzone to the low-security zone. The ACL type, namely, basic ACL or advanced ACL, also needsto be specified. NAT is implemented only on the packets that match ACL rules.

Pre-configuration Task

Before configuring NAT, complete the following tasks:

- Installing the VSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)

Data Preparation

To configure NAT, you need the following data.

No. Data

1 Number of the public address pool, start IP address, and end IP address

2 Number of the basic ACL or advanced ACL

3 (Optional) Information about the internal server, including the protocol type, external address, external port number, internal address (the VPN instance may be included), and internal port number

3.2.2 (Optional) Configuring the VSU to Work as the SSU

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
set lpu-work-mode ssu slot slot-id

The operation mode of the VSU is set to TSU.

NOTE

- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure the operation mode again.

----End

3.2.3 Configuring the NAT Address Pool

Context

CAUTION

When configuring a NAT address pool, ensure that the IP addresses do not conflict with the existing addresses of the device, including the interface addresses or address segment, gateway IP addresses or IP address segment, and the IP address of the internal NAT server.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat address-group group-index start-address end-address

The NAT address pool is configured.

A NAT address pool is a set of public addresses. When NAT is performed on the internal data packets, the ME60 selects an IP address from the address pool as the source address.

The NAT address pools are numbered with numerals. Up to 128 address pools can be configured. You can specify one or more public addresses in a NAT address pool. When start-address is the same as end-address, only one public address is contained in the address pool.

By default, no NAT address pool is configured on the ME60.

----End

3.2.4 Configuring NAT in an Interzone

Context

Do as follows on the ME60.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
nat outbound acl-number address-group group-index [ no-pat ]

NAT is configured.

When configuring NAT in an interzone, you need to specify the ACL and the public address pool. The address of a packet is translated only when the packet matches the specified ACL and the behavior defined by the ACL is permit. If the behavior is deny, the packets are discarded.

If the no-pat keyword is specified in the command, static NAT is used. That is, one-to-one translation is performed between private and public addresses. By default, PAT is used, because it saves public addresses.

By default, NAT is not configured in the interzone.

----End

3.2.5 (Optional) Configuring the Internal NAT Server

Context

CAUTION

- When configuring the internal NAT server, ensure that global-address and host-address do not conflict with the existing addresses of the device, including the interface addresses or address segment, gateway IP addresses or IP address segment, and the IP addresses in the NAT address pool.
- Zones must be configured at the user side and internal server side. In the interzone, enable the firewall by running the firewall enable command.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat server protocol { tcp | udp } global global-address { global-protocol | begin-port } inside host-address { host-protocol | begin-port } [ vpn-instance vpn-instance-name ]
or
nat server [ protocol { protocol-number | icmp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ]


The internal NAT server is configured.

After the internal server is configured, external networks can access the servers on the internal network. When an external host sends an access request to the public address (global-address) of the internal NAT server, the NAT server translates the destination address of the request into a private address (host-address). The request is then forwarded to the server on the internal network.

The internal NAT server is valid for all zones. It cannot be an address in the local address pool. If multiple private networks share an internal server address, you need to configure VPN instances to distinguish them.

By default, no internal NAT server is configured on the ME60.

----End
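The following Python model is added here as an illustration and is not Huawei code. It walks a packet through the decisions described in 3.2.4 and 3.2.5: VRP-style wildcard-mask ACL matching, permit leading to translation from the address pool (PAT by default, one-to-one with no-pat), deny leading to discard, and the internal-server mapping for an inbound request, using the ACL, address pool and servers of the example in 3.3.1. The first-match rule order, forwarding unmatched packets untranslated, the PAT port allocation and reading the www and ftp keywords as TCP ports 80 and 21 are assumptions of the model, not statements of the guide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model (not ME60 code) of the interzone NAT decisions in 3.2.4 and 3.2.5.
# Assumptions not stated in the guide: ACL rules are tried in listed order and the
# first match wins; a packet matching no rule is forwarded untranslated; PAT hands
# out ports from the first pool address; a no-pat pool with no free address discards;
# the www and ftp keywords stand for TCP ports 80 and 21.

@dataclass(frozen=True)
class AclRule:
    action: str     # "permit" or "deny"
    source: str     # network address, e.g. "10.110.10.0"
    wildcard: str   # VRP wildcard mask: 0 bits must match, 1 bits are ignored

    def matches(self, src_ip: str) -> bool:
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(src_ip)) & care) == (
            int(ipaddress.IPv4Address(self.source)) & care)

def acl_lookup(rules, src_ip: str) -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches."""
    for rule in rules:
        if rule.matches(src_ip):
            return rule.action
    return None

def address_group(start: str, end: str):
    """Expand 'nat address-group <index> start end' into its list of public addresses."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]

class NatOutbound:
    """Models 'nat outbound <acl> address-group <index> [ no-pat ]' in one interzone."""

    def __init__(self, rules, pool, no_pat: bool = False):
        self.rules, self.pool, self.no_pat = list(rules), list(pool), no_pat
        self.static = {}        # no-pat: private address -> public address, one-to-one
        self.pat_table = {}     # PAT: (private address, port) -> (public address, port)
        self.next_port = 10240  # constructed starting point for PAT port allocation

    def translate(self, src_ip: str, src_port: int):
        action = acl_lookup(self.rules, src_ip)
        if action == "deny":
            return ("discard", None)                      # deny: the packet is dropped
        if action is None:
            return ("untranslated", (src_ip, src_port))   # assumption: forwarded as is
        if self.no_pat:
            if src_ip not in self.static:
                if len(self.static) >= len(self.pool):
                    return ("discard", None)              # assumption: pool exhausted
                self.static[src_ip] = self.pool[len(self.static)]
            return ("translated", (self.static[src_ip], src_port))
        key = (src_ip, src_port)
        if key not in self.pat_table:                     # PAT: many hosts share one address
            self.pat_table[key] = (self.pool[0], self.next_port)
            self.next_port += 1
        return ("translated", self.pat_table[key])

@dataclass(frozen=True)
class NatServer:
    """One 'nat server protocol tcp global <addr> <port> inside <addr> <port>' entry."""
    protocol: str
    global_address: str
    global_port: int
    host_address: str
    host_port: int
    vpn_instance: Optional[str] = None   # distinguishes private networks sharing an address

def inbound_lookup(servers, protocol: str, dst_ip: str, dst_port: int):
    """Destination translation for a request arriving at a server's public address."""
    for s in servers:
        if (s.protocol, s.global_address, s.global_port) == (protocol, dst_ip, dst_port):
            return (s.host_address, s.host_port, s.vpn_instance)
    return None

# ACL 2101, address-group 1 and the two internal servers from the example in 3.3.1.
RULES_2101 = [AclRule("permit", "10.110.10.0", "0.0.0.255"),
              AclRule("deny", "10.110.0.0", "0.0.255.255")]
GROUP_1 = address_group("202.169.10.2", "202.169.10.6")
SERVERS = [NatServer("tcp", "202.169.10.3", 80, "192.168.20.2", 8080),
           NatServer("tcp", "202.169.10.2", 21, "192.168.20.3", 21)]

def demo():
    nat = NatOutbound(RULES_2101, GROUP_1)   # PAT, as in the example
    return {
        "permitted_host": nat.translate("10.110.10.7", 40000),   # translated
        "denied_host": nat.translate("10.110.20.7", 40000),      # discarded
        "www_request": inbound_lookup(SERVERS, "tcp", "202.169.10.3", 80),
        "unknown_port": inbound_lookup(SERVERS, "tcp", "202.169.10.3", 443),
    }
```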

3.2.6 Checking the Configuration

Run the following command to check the previous configuration.

Action Command

Check the configuration of NAT. display nat { address-group [ group-index ] | all | outbound | server }

3.3 Configuration Examples

This section provides a configuration example of NAT.

3.3.1 Example for Configuring NAT

3.3.1 Example for Configuring NAT

Networking Requirements

As shown in Figure 3-3, a company is divided into two zones. The staff zone has a high security priority, and is allocated a private address segment 10.110.0.0/16. The server zone has a medium security priority, and is allocated a private address segment 192.168.20.0/24. This zone can be accessed by staff and external users.

- In the staff zone, the users in 10.110.10.0/24 are allowed to access the Internet, but others cannot. The public addresses range from 202.169.10.2 to 202.169.10.6. PAT is used to save public addresses.
- Two internal servers can be accessed by external users. The internal IP address of the WWW server is 192.168.20.2:8080 and its public address is 202.169.10.3. The internal IP address of the FTP server is 192.168.20.3 and its public address is 202.169.10.2.


Figure 3-3 Networking of NAT
(Figure labels: ME60; Internet; GE3/0/0 202.169.10.1/16; GE1/0/0 10.110.0.1/16; GE2/0/0 192.168.20.1/24; WWW server 192.168.20.2; FTP server 192.168.20.3)

Configuration Roadmap

The configuration roadmap is as follows:

- Configure IP addresses of the interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure ACLs.
- Configure the public address pool.
- Configure ACL-based packet filtering in the interzone view.
- Configure NAT in the interzone.
- Configure the internal NAT server.

Data Preparation

To complete the configuration, you need the following data:

- Slot number of the VSU: 3
- IP addresses of interfaces and servers, as shown in Figure 3-3
- Security priorities of the three zones, 100 for the staff zone, 60 for the server zone, and 20 for the zone representing external networks
- Number of ACL used for filtering outbound packets and NAT: 2101

Configuration Procedure

1. (Optional) Configure the VSU to function as the SSU.

<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Assign an IP address to each interface.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 10.110.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit


[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 192.168.20.1 255.255.255.0
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] interface gigabitethernet 3/0/0
[Quidway-GigabitEthernet3/0/0] ip address 202.169.10.1 255.255.0.0
[Quidway-GigabitEthernet3/0/0] quit

3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 60
[Quidway-zone-zone2] quit
[Quidway] firewall zone zone3
[Quidway-zone-zone3] priority 20
[Quidway-zone-zone3] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] detect ftp
[Quidway-interzone-zone1-zone2] quit
[Quidway] firewall interzone zone1 zone3
[Quidway-interzone-zone1-zone3] firewall enable
[Quidway-interzone-zone1-zone3] detect ftp
[Quidway-interzone-zone1-zone3] quit
[Quidway] firewall interzone zone2 zone3
[Quidway-interzone-zone2-zone3] firewall enable
[Quidway-interzone-zone2-zone3] detect ftp
[Quidway-interzone-zone2-zone3] quit

4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] interface gigabitethernet 3/0/0
[Quidway-GigabitEthernet3/0/0] zone zone3
[Quidway-GigabitEthernet3/0/0] shutdown
[Quidway-GigabitEthernet3/0/0] undo shutdown
[Quidway-GigabitEthernet3/0/0] quit

5. Configure an ACL.
[Quidway] acl 2101
[Quidway-acl-basic-2101] rule permit source 10.110.10.0 0.0.0.255
[Quidway-acl-basic-2101] rule deny source 10.110.0.0 0.0.255.255
[Quidway-acl-basic-2101] quit

6. Configure the public address pool.
[Quidway] nat address-group 1 202.169.10.2 202.169.10.6

7. Configure NAT and ACL packet filtering.
[Quidway] firewall interzone zone1 zone3
[Quidway-interzone-zone1-zone3] packet-filter 2101 outbound
[Quidway-interzone-zone1-zone3] nat outbound 2101 address-group 1
[Quidway-interzone-zone1-zone3] quit

8. Configure internal servers.
[Quidway] nat server protocol tcp global 202.169.10.3 www inside 192.168.20.2 8080
[Quidway] nat server protocol tcp global 202.169.10.2 ftp inside 192.168.20.3 ftp


Configuration Files
#
 sysname Quidway
#
acl number 2101
 rule 5 permit source 10.110.10.0 0.0.0.255
 rule 10 deny source 10.110.0.0 0.0.255.255
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 60
#
firewall zone zone3
 priority 20
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 10.110.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 zone zone3
 undo shutdown
 ip address 202.169.10.1 255.255.0.0
#
nat address-group 1 202.169.10.2 202.169.10.6
nat server protocol tcp global 202.169.10.3 8080 inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.2 ftp inside 192.168.20.3 ftp
#
 port-mapping http port 8080 acl 2101
#
firewall interzone zone1 zone2
 firewall enable
 detect ftp
#
firewall interzone zone1 zone3
 firewall enable
 packet-filter 2101 outbound
 nat outbound 2101 address-group 1
 detect ftp
#
firewall interzone zone2 zone3
 firewall enable
 detect ftp
#
return


4 Traffic Statistics and Monitoring Configuration

About This Chapter

This chapter describes the fundamentals, configuration, and maintenance of traffic statistics and monitoring.

4.1 Introduction

This section describes the concept and rationale of traffic statistics and monitoring.

4.2 Configuring Traffic Statistics and Monitoring

This section describes how to configure traffic statistics and monitoring in the entire system.

4.3 Configuring Zone-based Traffic Statistics and Monitoring

This section describes how to configure zone-based traffic statistics and monitoring.

4.4 Configuring IP Address-based Traffic Statistics and Monitoring

This section describes how to configure traffic statistics and monitoring based on IP addresses.

4.5 Configuration Examples

This section provides several configuration examples of traffic statistics and monitoring.


4.1 Introduction

This section describes the concept and rationale of traffic statistics and monitoring.

A firewall not only monitors data traffic, but also detects the setup of sessions between internal and external networks, generates statistics, and analyzes the data. The firewall can analyze the logs by using special software after the event. The firewall also has certain analysis functions that enable it to analyze data in real time.

By checking whether the number of TCP/UDP sessions initiated from external networks to the internal network exceeds the threshold, the firewall decides whether to restrict new sessions from external networks to the internal network or to an IP address in the internal network. If the firewall finds that the number of sessions in the system exceeds the threshold, it speeds up the aging of sessions. This ensures that new sessions can be set up. In this way, a DoS attack can be prevented when the system is too busy.

Figure 4-1 shows an application of the firewall. The IP address-based statistics function is enabled for the packets from external networks to the internal network. If the number of TCP sessions initiated by external networks to Web server 129.9.0.1 exceeds the threshold, the ME60 forbids external networks to initiate new sessions until the number of sessions is smaller than the threshold.

Figure 4-1 Limiting the number of sessions initiated by external server
(Figure labels: Internet; ME60; Ethernet; Internal network; Web server 129.9.0.1; TCP connection)

On the ME60, traffic statistics and monitoring can be configured in the system view.

4.2 Configuring Traffic Statistics and Monitoring

This section describes how to configure traffic statistics and monitoring in the entire system.

4.2.1 Establishing the Configuration Task

4.2.2 (Optional) Configuring the VSU to Work as the SSU

4.2.3 (Optional) Configuring the Default Master SSU

4.2.4 Enabling Traffic Statistics and Monitoring

4.2.5 Setting the Session Threshold


4.2.6 Checking the Configuration

4.2.1 Establishing the Configuration Task

Applicable Environment

System-level traffic statistics and monitoring applies to all the data flows in interzones that are enabled with the firewall feature. That is, the ME60 collects statistics of the ICMP, TCP, TCP proxy, and UDP sessions in the interzones. When the number of sessions exceeds the threshold, the ME60 restricts the sessions until the number is less than the threshold.

Pre-configuration Task

Before configuring system-level traffic statistics and monitoring, complete the following tasks:

- Installing the VSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")

Data Preparation

To configure system-level traffic statistics and monitoring, you need the following data.

No. Data

1 Type of sessions to be counted, namely TCP, UDP, ICMP, or TCP proxy

2 Session threshold

4.2.2 (Optional) Configuring the VSU to Work as the SSU

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
set lpu-work-mode ssu slot slot-id

The operation mode of the VSU is set to TSU.


NOTE

- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure the operation mode again.

----End

4.2.3 (Optional) Configuring the Default Master SSU

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssu master default slot-id slot-id

The default master SSU is configured.

The ME60 can be equipped with multiple SSUs. One is the master board, and the others are slave boards.

If the default master SSU is not specified, the ME60 selects the SSU registered first as the master.

By default, the master SSU is not specified.

----End

4.2.4 Enabling Traffic Statistics and Monitoring

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall statistics system enable

System-level traffic statistics and monitoring is enabled.

By default, the traffic statistics and monitoring function is enabled on the ME60.

----End


4.2.5 Setting the Session Threshold

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall statistics system session { icmp | tcp | tcp-proxy | udp } session-limit

The session threshold is set.

For the system-level traffic statistics function, you can set the threshold for each type of session. For example, you can set the threshold for TCP sessions to 500000. In this case, when the number of TCP sessions in all interzones exceeds 500000, the ME60 denies new TCP sessions in all the interzones and reports an alarm to the information center. If traffic volume falls below 75% of the threshold, the ME60 generates the recovery log and sends the log to the information center.

By default, the threshold for ICMP sessions is 20480, the thresholds for TCP and UDP sessions are both 500000, and the threshold for TCP-Proxy sessions is 250000.

----End
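As an added illustration (not ME60 code), the following Python model replays session open and close events against the threshold behaviour described above: new sessions are denied and an alarm is raised once the count reaches the threshold, and a recovery log is generated when the count drops below 75% of it. Treating the threshold as the maximum concurrent count and the strict below-75% comparison are assumptions; because thresholds are keyed by an arbitrary label, one instance per zone or per IP address models the zone-based and IP address-based variants of 4.3 and 4.4 in the same way.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model (not ME60 code) of the system-level session threshold in 4.2.5.
# From the guide: once the number of sessions of a type exceeds its threshold, new
# sessions of that type are denied and an alarm is reported to the information
# center; when the count falls below 75% of the threshold a recovery log is sent.
# Assumptions: the threshold is the maximum concurrent count, and "below 75%" is a
# strict comparison. Keys are arbitrary labels, so one instance per zone or per IP
# address models the variants in 4.3 and 4.4 the same way.

DEFAULT_THRESHOLDS = {"icmp": 20480, "tcp": 500000, "udp": 500000, "tcp-proxy": 250000}
RECOVERY_RATIO = 0.75


@dataclass
class SessionMonitor:
    thresholds: Dict[str, int] = field(default_factory=dict)  # overrides of the defaults
    counts: Dict[str, int] = field(default_factory=dict)
    restricted: Dict[str, bool] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)  # what would go to the information center

    def __post_init__(self) -> None:
        self.thresholds = {**DEFAULT_THRESHOLDS, **self.thresholds}

    def open_session(self, kind: str) -> bool:
        """Admit a new session of this type, or deny it while the threshold is exceeded."""
        limit = self.thresholds[kind]
        if self.restricted.get(kind, False):
            return False
        if self.counts.get(kind, 0) >= limit:
            self.restricted[kind] = True
            self.events.append(f"alarm: {kind} sessions exceed threshold {limit}")
            return False
        self.counts[kind] = self.counts.get(kind, 0) + 1
        return True

    def close_session(self, kind: str) -> None:
        """Age out one session; lift the restriction once the count is below 75% of the limit."""
        limit = self.thresholds[kind]
        self.counts[kind] = max(0, self.counts.get(kind, 0) - 1)
        if self.restricted.get(kind, False) and self.counts[kind] < RECOVERY_RATIO * limit:
            self.restricted[kind] = False
            self.events.append(f"recovery: {kind} sessions below 75% of threshold {limit}")


def replay(monitor: SessionMonitor, trace: List[Tuple[str, str]]) -> Dict[str, int]:
    """Feed ('open' | 'close', kind) events through the monitor and summarise the outcome."""
    admitted = denied = 0
    for action, kind in trace:
        if action == "open":
            if monitor.open_session(kind):
                admitted += 1
            else:
                denied += 1
        else:
            monitor.close_session(kind)
    return {"admitted": admitted, "denied": denied, "events": len(monitor.events)}


def demo() -> Dict[str, int]:
    """Constructed trace against a deliberately small TCP threshold so the cycle is visible."""
    monitor = SessionMonitor(thresholds={"tcp": 8})
    # 10 opens: 8 admitted, 2 denied (one alarm); 3 closes: count 7, 6, 5, recovery
    # at 5 (below 6.0); a final open is admitted again.
    trace = [("open", "tcp")] * 10 + [("close", "tcp")] * 3 + [("open", "tcp")]
    return replay(monitor, trace)   # {"admitted": 9, "denied": 2, "events": 2}


if __name__ == "__main__":
    print(demo())
```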

4.2.6 Checking the Configuration

Run the following command to check the previous configuration.

Action Command

Check the traffic statistics of the system. display firewall statistics system { discard | normal }

4.3 Configuring Zone-based Traffic Statistics and Monitoring

This section describes how to configure zone-based traffic statistics and monitoring.

4.3.1 Establishing the Configuration Task

4.3.2 Enabling Traffic Statistics and Monitoring in a Zone

4.3.3 Setting the Session Threshold

4.3.4 Checking the Configuration


4.3.1 Establishing the Configuration Task

Applicable Environment

The zone-based traffic statistics and monitoring applies to the data flows between zones. That is, the ME60 counts the total TCP and UDP sessions between the local zone and other zones. When the number of sessions exceeds the threshold, the ME60 restricts the sessions until the number is less than the threshold.

The zone-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the ME60 counts and monitors the sessions initiated by the local zone. The outbound direction means that the ME60 counts and monitors the sessions destined for this zone.

Pre-configuration Task

Before configuring zone-based traffic statistics and monitoring, complete the following tasks:

- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")

Data Preparation

To configure zone-based traffic statistics and monitoring, you need the following data.

No. Data

1 Type of sessions to be monitored, namely, TCP or UDP

2 Direction of traffic statistics and monitoring

3 Session threshold

4.3.2 Enabling Traffic Statistics and Monitoring in a Zone

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall zone zone-name

The zone view is displayed.

Step 3 Run:
statistics zone enable { inzone | outzone }

Traffic statistics and monitoring is enabled in the zone.

By default, the traffic statistics and monitoring function is disabled in the zones.

----End

4.3.3 Setting the Session Threshold

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall zone zone-name

The zone view is displayed.

Step 3 Run:
statistics zone session { inzone | outzone } { tcp | udp } session-limit

The session threshold is set in the zone.

You can configure the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold for inbound TCP sessions to 500000. In this case, when the number of TCP sessions initiated by this zone exceeds 500000, the ME60 denies new TCP sessions from this zone.

By default, the thresholds for inbound and outbound TCP and UDP sessions are both 500000.

----End

4.3.4 Checking the Configuration

Run the following command to check the previous configuration.

Action Command

Check the traffic statistics of the zone. display firewall statistics zone zone-name { inzone | outzone }


4.4 Configuring IP Address-based Traffic Statistics and Monitoring

This section describes how to configure traffic statistics and monitoring based on IP addresses.

4.4.1 Establishing the Configuration Task

4.4.2 Enabling IP Address-based Traffic Statistics and Monitoring

4.4.3 Setting the Session Threshold

4.4.1 Establishing the Configuration Task

Applicable Environment

The IP address-based traffic statistics and monitoring counts and monitors the TCP and UDP sessions set up on an IP address in the zone. When the number of sessions set up on an IP address exceeds the threshold, the ME60 restricts the sessions until the number is less than the threshold.

The IP address-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the ME60 counts and monitors the sessions initiated from the IP address. The outbound direction means that the ME60 counts and monitors the sessions destined for this IP address.

Pre-configuration Task

Before configuring IP address-based traffic statistics and monitoring, complete the following tasks:

- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall Configuration.")

Data Preparation

To configure IP address-based traffic statistics and monitoring, you need the following data.

No. Data

1 Type of sessions to be monitored, namely, TCP or UDP

2 Direction of traffic statistics and monitoring

3 Session threshold

4.4.2 Enabling IP Address-based Traffic Statistics and Monitoring


Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall zone zone-name

The zone view is displayed.

Step 3 Run:
statistics ip enable { inzone | outzone }

IP address-based traffic statistics and monitoring is enabled in the zone.

By default, the traffic statistics and monitoring function is disabled in the zones.

----End

4.4.3 Setting the Session Threshold

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall zone zone-name

The zone view is displayed.

Step 3 Run:
statistics ip session { inzone | outzone } { tcp | udp } session-limit

The session threshold is set for IP address-based traffic statistics and monitoring.

You can configure the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold for inbound TCP sessions to 10000. In this case, when the number of TCP sessions initiated from an IP address exceeds 10000, the ME60 denies new TCP sessions from this IP address.

By default, the thresholds for inbound and outbound TCP and UDP sessions are both 10240.

----End


4.5 Configuration Examples

This section provides several configuration examples of traffic statistics and monitoring.

4.5.1 Example for Configuring System-Level Traffic Statistics and Monitoring

4.5.2 Example for Configuring Zone-based Traffic Statistics and Monitoring

4.5.3 Example for Configuring IP Address-based Traffic Statistics and Monitoring

4.5.1 Example for Configuring System-Level Traffic Statistics and Monitoring

Networking Requirements

GE2/0/1 of the ME60 is connected to the Internet; GE1/0/1 of the ME60 is connected to the FTP server and the Web server of an enterprise Intranet. The TCP and UDP sessions from the Internet to the enterprise Intranet are monitored. The session threshold is 40000.

Figure 4-2 Networking of system-level traffic statistics and monitoring
(Figure labels: WEB Server; FTP Server; ME60; Internet; GE1/0/1; GE2/0/1; 10.10.10.1/24; 20.10.10.1/24)

Configuration Roadmap

The configuration roadmap is as follows:

- Configure IP addresses of the interfaces.
- Enable system-level traffic statistics and monitoring.
- Set the session threshold.

Data Preparation

To complete the configuration, you need the following data:

- Slot number of the VSU: 3


- IP addresses of interfaces, as shown in Figure 4-2
- Session threshold

Configuration Procedure

1. (Optional) Configure the VSU to function as the SSU.

<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] ip address 20.10.10.1 255.255.255.0
[Quidway-GigabitEthernet1/0/1] undo shutdown
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] ip address 10.10.10.1 255.255.255.0
[Quidway-GigabitEthernet2/0/1] undo shutdown
[Quidway-GigabitEthernet2/0/1] quit

3. Enable system-level traffic statistics and monitoring.
[Quidway] firewall statistics system enable

4. Set the session threshold.
[Quidway] firewall statistics system session tcp 40000
[Quidway] firewall statistics system session udp 40000

Configuration Files
#
 sysname Quidway
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 20.10.10.1 255.255.255.0
#
interface GigabitEthernet2/0/1
 undo shutdown
 ip address 10.10.10.1 255.255.255.0
#
firewall statistics system enable
firewall statistics system session tcp 40000
firewall statistics system session udp 40000
#

4.5.2 Example for Configuring Zone-based Traffic Statistics and Monitoring

Networking Requirements

GE1/0/0 of the ME60 is connected to an enterprise network with a high security priority; GE2/0/0 of the ME60 is connected to the Internet with a low security priority. The TCP and UDP sessions from the Internet to enterprise networks are monitored. The session threshold is 50000.


Figure 4-3 Networking of zone-based traffic statistics and monitoring
(Figure labels: Enterprise network; GE1/0/0 1.1.0.1/16; ME60; GE2/0/0 2.2.0.1/16; Internet)

Configuration Roadmap

The configuration roadmap is as follows:

- Configure IP addresses of the interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure an ACL.
- Configure zone-based traffic statistics and monitoring.

Data Preparation

To complete the configuration, you need the following data:

- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 4-3
- Network security priorities, 100 for the internal network and 1 for the external network

Configuration Procedure

1. (Optional) Configure the VSU to function as the SSU.

<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit

3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit


4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit

5. Configure zone-based traffic statistics and monitoring.[Quidway] firewall zone zone1[Quidway-zone-zone1] statistics zone enable inzone[Quidway-zone-zone1] statistics zone session inzone tcp 50000[Quidway-zone-zone1] statistics zone session inzone udp 50000[Quidway-zone-zone1] quit

Configuration Files# sysname Quidway#interface GigabitEthernet1/0/0 zone zone1 undo shutdown ip address 1.1.0.1 255.255.0.0#interface GigabitEthernet2/0/0 zone zone2 undo shutdown ip address 2.2.0.1 255.255.0.0#firewall zone zone1 priority 100 statistics zone enable inzone statistics zone session inzone tcp 50000 statistics zone session inzone udp 50000#firewall zone zone2 priority 1#firewall interzone zone1 zone2 firewall enable#return

4.5.3 Example for Configuring IP Address-based Traffic Statisticsand Monitoring

Networking RequirementsGE1/0/0 of the ME60 is connected to an enterprise network with a high security priority; GE2/0/0of the ME60 is connected to the Internet with a low security priority. The TCP and UDP sessionsfrom the Internet to enterprise networks are monitored. The session threshold is 50000. Inaddition, the TCP or UDP sessions to each IP address in the enterprise networks cannot exceed1000.

Figure 4-4 Networking of IP address-based traffic statistics and monitoring: enterprise network on GE1/0/0 (1.1.0.1/16), the ME60 acting as firewall, Internet on GE2/0/0 (2.2.0.1/16)

Configuration Roadmap

The configuration roadmap is as follows:

- Configure IP addresses of the interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure an ACL.
- Configure zone-based traffic statistics and monitoring.
- Configure IP address-based traffic statistics and monitoring.

Data Preparation

To complete the configuration, you need the following data:

- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 4-4
- Network security priorities, 100 for the internal network and 1 for the external network

Configuration Procedure

1. (Optional) Configure the VSU to function as the SSU.

   <Quidway> system-view
   [Quidway] set lpu-work-mode ssu slot 3
   [Quidway] quit
   <Quidway> reset slot 3

2. Configure IP addresses of the interfaces.

   <Quidway> system-view
   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
   [Quidway-GigabitEthernet2/0/0] quit

3. Configure zones and the interzone.

   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] priority 100
   [Quidway-zone-zone1] quit
   [Quidway] firewall zone zone2
   [Quidway-zone-zone2] priority 1
   [Quidway-zone-zone2] quit
   [Quidway] firewall interzone zone1 zone2
   [Quidway-interzone-zone1-zone2] firewall enable
   [Quidway-interzone-zone1-zone2] quit

4. Add the interfaces to the zones.

   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] zone zone1
   [Quidway-GigabitEthernet1/0/0] shutdown
   [Quidway-GigabitEthernet1/0/0] undo shutdown
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] zone zone2
   [Quidway-GigabitEthernet2/0/0] shutdown
   [Quidway-GigabitEthernet2/0/0] undo shutdown
   [Quidway-GigabitEthernet2/0/0] quit

5. Configure zone-based traffic statistics and monitoring.

   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] statistics zone enable inzone
   [Quidway-zone-zone1] statistics zone session inzone tcp 50000
   [Quidway-zone-zone1] statistics zone session inzone udp 50000
   [Quidway-zone-zone1] quit

6. Configure IP address-based traffic statistics and monitoring.

   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] statistics ip enable inzone
   [Quidway-zone-zone1] statistics ip session inzone tcp 1000
   [Quidway-zone-zone1] statistics ip session inzone udp 1000

Configuration Files

#
 sysname Quidway
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
firewall zone zone1
 priority 100
 statistics zone enable inzone
 statistics zone session inzone tcp 50000
 statistics zone session inzone udp 50000
 statistics ip session inzone tcp 1000
 statistics ip session inzone udp 1000
 statistics ip enable inzone
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
#
return


5 Attack Defense Configuration

About This Chapter

This chapter describes the fundamentals, configuration, and maintenance of attack defense.

5.1 Introduction

This section describes the concept and fundamentals of attack defense.

5.2 Configuring Attack Defense

This section describes how to configure the attack defense function.

5.3 Configuration Examples

This section provides several configuration examples of attack defense.


5.1 Introduction

This section describes the concept and fundamentals of attack defense.

When a network attack occurs, it interrupts services and severely affects servers or hosts on the network, and it may be used to illegally obtain sensitive data. Certain network attacks also destroy the network equipment directly, and such attacks may lead to service interruption.

With the attack defense feature, the ME60 firewall can detect various network attacks and protect the intranet against malicious attacks, so that the intranet and the system can run properly.

5.1.1 Type of Network Attacks

5.1.2 Typical Attacks

5.1.1 Type of Network Attacks

Network attacks are divided into three types: DoS attack, scanning and snooping attack, and defective packet attack.

DoS Attack

A denial of service (DoS) attack floods a system with a large number of data packets. This prevents the system from receiving requests from authorized users or suspends the host. Typical DoS attacks are SYN flood and Fraggle. Unlike other attacks, DoS attackers prevent authorized users from accessing resources or routers, instead of searching for an entry point into the intranet.

Scanning and Snooping Attack

A scanning and snooping attack involves identifying the existing systems on the network through ping scanning (including ICMP and TCP scanning), and then finding potential targets. Through TCP scanning, the attacker can find out the operating system and the listening services. Through scanning and snooping, the attacker learns the service types and potential security holes, which facilitates further intrusion.

Defective Packet Attack

A defective packet attack involves sending defective IP packets to the system. Under such an attack, the system quits abnormally when processing the packets. Typical defective packet attacks include Ping of Death and Teardrop.

5.1.2 Typical Attacks

Land Attack

A Land attack involves setting the source and destination addresses of a TCP SYN packet to the IP address of the attacked target. The target then sends the SYN-ACK message to its own IP address, and an ACK message is sent back to the target. This forms a null session. Every null session exists until it times out. The responses to the Land attack vary according to the targets. For instance, many UNIX hosts stop responding while Windows NT hosts slow down.


Smurf Attack

A simple Smurf attack targets a network. The attacker sends an ICMP request to the broadcast address of the network. All the hosts on the network then respond to the request and the network is congested. The traffic caused by a Smurf attack is one or two orders of magnitude higher than the traffic caused by pings with large packets.

An advanced Smurf attack targets hosts. The attacker changes the source address of an ICMP request to the IP address of the target host. The host then stops responding. The attack occurs only when the traffic of the attack packets is large enough. Theoretically, the more hosts on the network, the more effective the attack. The Fraggle attack is another form of the Smurf attack.

WinNuke Attack

A WinNuke attack involves sending an out-of-band (OOB) data packet to the NetBIOS port (139) of a target host running the Windows operating system. The NetBIOS fragments then overlap and the host stops responding. An Internet Group Management Protocol (IGMP) fragment packet can also damage the target host, because an IGMP packet usually cannot be fragmented. An attack occurs when a host receives such an IGMP fragment packet.

SYN Flood Attack

Due to resource limitations, the TCP/IP stack limits the number of TCP sessions. The attacker forges a SYN packet whose source address is fraudulent or nonexistent, and then sends the packet to the server to initiate a session. After receiving the packet, the server responds with a SYN-ACK packet. The server cannot receive the ACK, and a semi-connection (half-open connection) is created. If the attacker sends a large number of forged SYN packets to the server, the created semi-connections exhaust the system resources and users cannot access the network until these semi-connections time out. In certain applications where the number of sessions is not limited, a SYN Flood attack can also exhaust system resources such as memory.

ICMP and UDP Flood Attack

In an ICMP or UDP Flood attack, the attacker sends a large number of ICMP packets (such as ping packets) or UDP packets to the target host in a short time and requests responses. The host is then overloaded and cannot process legitimate tasks.

IP Address Sweeping and Port Scanning Attack

In an IP address sweeping and port scanning attack, the attacker detects the IP addresses and ports of the target hosts by using scanning tools. The attacker then determines, according to the responses, which hosts exist on the target network and which ports are used to provide services.

Ping of Death Attack

The length field of an IP packet contains 16 bits, so the maximum length of an IP packet is 65535 bytes. If the data length of an ICMP packet is greater than 65507 bytes, then:

ICMP data + IP header (20) + ICMP header (8) > 65535

After receiving such large packets, some routers or systems may stop responding or reboot because of inappropriate processing. The Ping of Death attack is an attack on the system initiated by large ICMP packets.


ICMP-Redirect and ICMP-Unreachable Attack

Network equipment requests a host in the same subnet to change its route by sending an ICMP-redirect packet to the host. Malicious attackers may, however, send forged redirect packets to hosts in other subnets. The hosts may then change their routes, and IP packet forwarding may become abnormal.

Another type of attack is sending ICMP-unreachable packets. After receiving an ICMP unreachable packet for a network (code 0) or a host (code 1), some systems consider all subsequent packets sent to this destination as unreachable. The system then disconnects the destination from the host.

Teardrop Attack

The More Fragment (MF) bit, offset field, and length field in an IP packet indicate which segment of the original packet is contained in this fragment. Some systems running TCP/IP may stop running when receiving a forged fragment containing an overlapping offset. The Teardrop attack uses the flaw of some systems that do not check the validity of fragment information.

Fraggle Attack

After receiving UDP packets, port 7 (ECHO) and port 19 (Chargen) can return responses. Port 7 responds to the received packets with ICMP Echo Reply, whereas port 19 responds with a generated character string. Similar to the large ICMP packet attack, the two UDP ports generate many ineffective response packets, which occupy the network bandwidth.

The attacker can send a UDP packet to the destination network. The source address of the UDP packet is the IP address of the host to be attacked, and its destination address is the broadcast address or network address of the host's subnet. The destination port number of the packet is 7 or 19. Then, all the systems enabled with this function return packets to the target host. In this case, the high traffic volume blocks the network or the host stops responding. In addition, the systems without this function generate ICMP-unreachable messages, which also consume bandwidth. If the source port is changed to Chargen and the destination port is changed to ECHO, the systems generate response packets continuously and cause more serious damage.

IP-Fragment Attack

In an IP packet, some fields are relevant to flag bits and fragmentation, including Fragment Offset, Length, Don't Fragment (DF), and MF.

If these fields conflict and are not processed appropriately, the equipment may stop running. The fields conflict in the following cases:

- DF is set, and MF is also set or the value of Fragment Offset is not 0.
- The value of DF is 0, but the total of Fragment Offset and Length is larger than 65535.

Fragment packets increase the caching and reassembly load on the destination equipment. Thus, fragment packets with the equipment's own address as the destination address should be discarded directly.
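The Land, Ping of Death and IP-Fragment conditions described in this section, as an added Python example (not ME60 code): it decodes the IPv4 header fields involved and reports which of the three patterns a packet matches, so that a defender can verify such packets are caught before they reach a host. The sample packets are constructed inline; a packet may match more than one pattern, because the Ping of Death condition also violates the second IP-Fragment rule.

```python
"""Header-level checks for Land, Ping of Death and IP-Fragment conflicts.

Example code, not part of the ME60 configuration guide."""
import struct
from typing import Dict, List

IP_HDR = 20          # fixed IPv4 header length used in the Ping of Death formula
MAX_IP_LEN = 65535   # the 16-bit total length field cannot represent more
DF, MF = 0x4000, 0x2000
PROTO_ICMP, PROTO_TCP = 1, 6
TCP_SYN = 0x02


def parse_ipv4(pkt: bytes) -> Dict[str, object]:
    """Decode the IPv4 header fields the checks below need."""
    if len(pkt) < IP_HDR:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_length": total_len,
        "df": bool(flags_frag & DF),
        "mf": bool(flags_frag & MF),
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset in bytes
        "protocol": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def check_packet(pkt: bytes) -> List[str]:
    """Return the names of the attack patterns the header matches."""
    h = parse_ipv4(pkt)
    hits: List[str] = []
    # Land: a TCP SYN whose source address equals its destination address.
    if h["protocol"] == PROTO_TCP and h["src"] == h["dst"]:
        tcp = pkt[h["ihl"]:]
        if len(tcp) >= 14 and tcp[13] & TCP_SYN:
            hits.append("land")
    # IP-Fragment: the two conflicting field combinations listed in the text.
    if h["df"] and (h["mf"] or h["offset"] != 0):
        hits.append("ip-fragment")
    elif not h["df"] and h["offset"] + h["total_length"] > MAX_IP_LEN:
        hits.append("ip-fragment")
    # Ping of Death: the reassembled ICMP datagram would exceed 65535 bytes
    # (ICMP data + ICMP header + IP header > 65535).
    if h["protocol"] == PROTO_ICMP:
        payload = h["total_length"] - h["ihl"]
        if h["ihl"] + h["offset"] + payload > MAX_IP_LEN:
            hits.append("ping-of-death")
    return hits


def build_ipv4(src: str, dst: str, proto: int, total_length: int,
               flags: int = 0, offset_units: int = 0, l4: bytes = b"") -> bytes:
    """Constructed test header; only the fields read by check_packet matter."""
    def ip(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 1,
                      flags | offset_units, 64, proto, 0, ip(src), ip(dst))
    return hdr + l4


def tcp_hdr(flags: int) -> bytes:
    """Minimal 20-byte TCP header carrying only the flag byte of interest."""
    return struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)


# Constructed samples (not captured traffic).
SAMPLES = {
    "land": build_ipv4("1.1.0.2", "1.1.0.2", PROTO_TCP, 40, l4=tcp_hdr(TCP_SYN)),
    "normal_syn": build_ipv4("2.2.0.9", "1.1.0.2", PROTO_TCP, 40, l4=tcp_hdr(TCP_SYN)),
    "df_and_mf": build_ipv4("2.2.0.9", "1.1.0.2", PROTO_ICMP, 100, flags=DF | MF),
    # last fragment of an ICMP echo: 20 B header + offset 65528 B + 28 B payload > 65535
    "ping_of_death": build_ipv4("2.2.0.9", "1.1.0.2", PROTO_ICMP, 48, offset_units=8191),
    "normal_ping": build_ipv4("2.2.0.9", "1.1.0.2", PROTO_ICMP, 84),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {check_packet(pkt) or ['clean']}")
```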


Tracert Attack

A Tracert attack traces the path by using the ICMP timeout packets returned when the Time To Live (TTL) value reaches 0 and the ICMP port-unreachable packets. In this way, the attacker probes the network architecture.

5.2 Configuring Attack Defense

This section describes how to configure the attack defense function.

5.2.1 Establishing the Configuration Task

5.2.2 (Optional) Configuring the VSU to Work as the SSU

5.2.3 Enabling Attack Defense

5.2.4 Configuring Flood Attack Defense

5.2.5 (Optional) Configuring Scanning Attack Defense

5.2.6 (Optional) Configuring Large ICMP Packet Attack Defense

5.2.7 Checking the Configuration

5.2.1 Establishing the Configuration Task

Applicable Environment

On the ME60, you can enable attack defense for an area to be protected. The area to be protected may be user domains, interfaces, or specified IP addresses.

Pre-configuration Task

Before configuring attack defense, complete the following tasks:

- Installing the VSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2 "Firewall Configuration.")
- Configuring the interzone and enabling the firewall in the interzone (See chapter 2 "Firewall Configuration.")
- Configuring zone-based or IP address-based traffic statistics and monitoring for Flood attack and scanning attack defense, because detecting Flood and scanning attacks needs the session statistics (See chapter 4 "Traffic Statistics and Monitoring.")

Data Preparation

To configure attack defense, you need the following data.

No.  Data
1    Attack type, a specified type or all types
2    Zones or IP addresses (the VPN instance may be included) to be protected against Flood attacks (ICMP Flood, SYN Flood, and UDP Flood), maximum session rate
3    Enabling mode of TCP proxy to prevent SYN Flood attack: always enabled, always disabled, or auto enabled (that is, enabled when the session rate exceeds the threshold)
4    Timeout of blacklist and maximum rate to prevent scanning attacks (IP address sweeping and port scanning)
5    Maximum packet length to prevent large ICMP packet attack

5.2.2 (Optional) Configuring the VSU to Work as the SSU

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
set lpu-work-mode ssu slot slot-id

The operation mode of the VSU is set to SSU.

NOTE

- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure the operation mode again.

----End

5.2.3 Enabling Attack Defense

Context

NOTE

Steps 2-19 are optional and can be performed in any sequence. You can select these steps to defend against different types of attacks.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall defend all enable

All types of attack defense are enabled.

Step 3 Run:
firewall defend fraggle enable

The Fraggle attack defense is enabled.

Step 4 Run:
firewall defend icmp-flood enable

The ICMP Flood attack defense is enabled.

Step 5 Run:
firewall defend icmp-redirect enable

The ICMP redirect attack defense is enabled.

Step 6 Run:
firewall defend icmp-unreachable enable

The ICMP unreachable attack defense is enabled.

Step 7 Run:
firewall defend ip-fragment enable

The IP-Fragment attack defense is enabled.

Step 8 Run:
firewall defend ip-sweep enable

The IP address sweeping attack defense is enabled.

Step 9 Run:
firewall defend land enable

The Land attack defense is enabled.

Step 10 Run:
firewall defend large-icmp enable

The large ICMP packet attack defense is enabled.

Step 11 Run:
firewall defend ping-of-death enable

The Ping of Death attack defense is enabled.

Step 12 Run:
firewall defend port-scan enable

The port scanning attack defense is enabled.

Step 13 Run:
firewall defend smurf enable

The Smurf attack defense is enabled.

Step 14 Run:
firewall defend syn-flood enable

The SYN Flood attack defense is enabled.

Step 15 Run:
firewall defend tcp-flag enable

The TCP flag attack defense is enabled.

Step 16 Run:
firewall defend teardrop enable

The Teardrop attack defense is enabled.

Step 17 Run:
firewall defend tracert enable

The Tracert attack defense is enabled.

Step 18 Run:
firewall defend udp-flood enable

The UDP Flood attack defense is enabled.

Step 19 Run:
firewall defend winnuke enable

The WinNuke attack defense is enabled.

By default, attack defense is not enabled on the ME60.

By default, attack defense is not enabled on the ME60.

----End

5.2.4 Configuring Flood Attack Defense

Context

Steps 2-4 are optional and can be performed in any sequence. You can select these steps to defend against different types of attacks.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend icmp-flood { zone zone-name | ip ip-address [ vpn-instance vpn-instance-name ] } [ max-rate rate-number ]

Parameters of ICMP Flood attack defense are configured.

Step 3 Run:
firewall defend syn-flood { zone zone-name | ip ip-address [ vpn-instance vpn-instance-name ] } [ max-rate rate-number ] [ tcp-proxy { auto | on | off } ]

Parameters of SYN Flood attack defense are configured.

Step 4 Run:
firewall defend udp-flood { zone zone-name | ip ip-address [ vpn-instance vpn-instance-name ] } [ max-rate rate-number ]


Parameters of UDP Flood attack defense are configured.

To prevent Flood attacks, you need to specify the zones or IP addresses to be protected. Otherwise, the configured parameters are invalid. You can specify the maximum session rate. When the session rate exceeds this value, the ME60 considers it as an attack and takes measures.

NOTE

The maximum access rate applies to a Flood attack initiated from multiple source addresses to the same destination address. For a Flood attack on the same data flow (with the same quintuple), the maximum access rate is not configurable. The default value is 20 pps. That is, when the rate of SYN or ICMP packets reaches 20 pps, the ME60 considers it a Flood attack and discards the packets. In this case, the rate-number parameter is invalid.

For Flood attack defense, the priority of the IP address is higher than the priority of the zone. If Flood attack defense is configured for both a specified IP address and the zone where the IP address resides, the attack defense based on the IP address takes effect. If you cancel the attack defense based on the IP address, the attack defense based on the zone takes effect.

By default, the maximum session rate for Flood attacks is 1000 pps, and the TCP proxy is enabled in the SYN Flood attack defense.

NOTE

In Flood attack defense, you can specify up to 4096 IP addresses to be protected.

----End
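An added Python example (not ME60 code) that models the Flood attack-defense rules just described: the IP-based max-rate takes precedence over the zone's, the zone setting applies again once the IP entry is cancelled, unprotected destinations are never flagged, and a single data flow (quintuple) is held to the fixed 20 pps limit. New sessions are counted per second over constructed sample traffic; the 1000 pps default and the 4096-address cap are the values stated above.

```python
"""Model of the Flood attack-defense lookup and rate rules.

Example code, not part of the ME60 configuration guide."""
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

DEFAULT_MAX_RATE = 1000    # pps, default maximum session rate for Flood defense
FLOW_MAX_RATE = 20         # pps, fixed limit for one quintuple, not configurable
MAX_PROTECTED_IPS = 4096   # upper bound on ip entries stated in the note above
WINDOW = 1.0               # seconds; rates are counted per second

Flow = Tuple[str, int, str, int, int]   # src, sport, dst, dport, protocol


class FloodDefense:
    """Holds the 'firewall defend <type> zone|ip ... max-rate' settings."""

    def __init__(self, attack_type: str) -> None:
        self.attack_type = attack_type          # "syn-flood", "icmp-flood" or "udp-flood"
        self.zone_rates: Dict[str, int] = {}
        self.ip_rates: Dict[str, int] = {}

    def protect_zone(self, zone: str, max_rate: int = DEFAULT_MAX_RATE) -> None:
        self.zone_rates[zone] = max_rate

    def protect_ip(self, ip: str, max_rate: int = DEFAULT_MAX_RATE) -> None:
        if ip not in self.ip_rates and len(self.ip_rates) >= MAX_PROTECTED_IPS:
            raise ValueError("at most 4096 protected IP addresses")
        self.ip_rates[ip] = max_rate

    def unprotect_ip(self, ip: str) -> None:
        self.ip_rates.pop(ip, None)

    def effective_max_rate(self, dst: str, zone: str) -> Optional[int]:
        """The IP-based setting wins over the zone's; None means not protected."""
        if dst in self.ip_rates:
            return self.ip_rates[dst]
        return self.zone_rates.get(zone)


class FloodDetector:
    """Counts new sessions per second, per destination and per flow."""

    def __init__(self, defense: FloodDefense) -> None:
        self.defense = defense
        self.dst_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.flow_times: Dict[Flow, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _rate(times: Deque[float], now: float) -> int:
        """Record one session and return the count seen in the last second."""
        times.append(now)
        while now - times[0] >= WINDOW:
            times.popleft()
        return len(times)

    def observe(self, now: float, flow: Flow, zone: str) -> str:
        limit = self.defense.effective_max_rate(flow[2], zone)
        if limit is None:
            return "allow"                      # destination is not protected
        if self._rate(self.flow_times[flow], now) >= FLOW_MAX_RATE:
            return "drop:flow"                  # same quintuple reached 20 pps
        if self._rate(self.dst_times[flow[2]], now) > limit:
            return "attack:destination"         # many sources, one destination
        return "allow"


def simulate(defense: FloodDefense, dst: str, zone: str, count: int,
             single_flow: bool) -> Dict[str, int]:
    """Send `count` SYNs to `dst` within one second and tally the verdicts."""
    det = FloodDetector(defense)
    verdicts: Dict[str, int] = defaultdict(int)
    for i in range(count):
        # constructed sources: one fixed quintuple, or a distinct source per packet
        src = "2.2.0.9" if single_flow else f"2.2.{i // 250}.{i % 250 + 1}"
        sport = 40000 if single_flow else 40000 + i
        verdicts[det.observe(i / count, (src, sport, dst, 80, 6), zone)] += 1
    return dict(verdicts)


def demo() -> Dict[str, Dict[str, int]]:
    """Zone limit 1000 pps, server 1.1.0.2 raised to 2000 pps, then cancelled."""
    d = FloodDefense("syn-flood")
    d.protect_zone("zone1", 1000)
    d.protect_ip("1.1.0.2", 2000)
    out = {
        "one_flow_25": simulate(d, "1.1.0.3", "zone1", 25, single_flow=True),
        "zone_host_1200": simulate(d, "1.1.0.3", "zone1", 1200, single_flow=False),
        "server_1200": simulate(d, "1.1.0.2", "zone1", 1200, single_flow=False),
        "unprotected_zone2": simulate(d, "3.3.0.1", "zone2", 1200, single_flow=False),
    }
    d.unprotect_ip("1.1.0.2")                   # the zone setting applies again
    out["server_after_cancel"] = simulate(d, "1.1.0.2", "zone1", 1200, single_flow=False)
    return out


if __name__ == "__main__":
    for scenario, verdicts in demo().items():
        print(f"{scenario:20s} {verdicts}")
```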

5.2.5 (Optional) Configuring Scanning Attack Defense

Context

Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps to defend against different types of attacks.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend ip-sweep { max-rate rate-number | blacklist-timeout interval }

Parameters of IP address sweeping attack defense are configured.

Step 3 Run:
firewall defend port-scan { max-rate rate-number | blacklist-timeout interval }

Parameters of port scanning attack defense are configured.

For scanning attack defenses, the following two parameters need to be configured:

- Maximum session rate: When the IP address-based or port-based session rate exceeds this value, the ME60 considers it as an attack, and then adds the IP address or port to the blacklist and denies new sessions.


- Blacklist timeout: When the duration of the IP address or port in the blacklist exceeds this value, the ME60 releases the IP address or port from the blacklist and allows new sessions.

By default, the maximum session rate in IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.

----End
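An added Python example (not ME60 code) modelling the scanning attack-defense behaviour above: a source whose rate of new sessions to distinct destination addresses (IP address sweeping) or distinct destination ports (port scanning) exceeds max-rate is blacklisted, and its new sessions are denied until blacklist-timeout expires, after which it is released. The demo uses small constructed values (100 pps, 60 s) instead of the 4000 pps and 20 minute defaults so that the whole cycle is visible.

```python
"""Scanning attack-defense model: per-source rate check, blacklist with timeout.

Example code, not part of the ME60 configuration guide."""
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

DEFAULT_MAX_RATE = 4000               # pps, default maximum session rate
DEFAULT_BLACKLIST_TIMEOUT = 20 * 60   # seconds, default blacklist timeout (20 minutes)
WINDOW = 1.0                          # rates are counted over the last second

Session = Tuple[float, str, int]      # timestamp, destination IP, destination port


class ScanDefense:
    """Models 'firewall defend ip-sweep|port-scan max-rate ... blacklist-timeout ...'."""

    def __init__(self, max_rate: int = DEFAULT_MAX_RATE,
                 blacklist_timeout: int = DEFAULT_BLACKLIST_TIMEOUT) -> None:
        self.max_rate = max_rate
        self.timeout = blacklist_timeout
        self.blacklist: Dict[str, float] = {}             # source -> time it was listed
        self.history: Dict[str, Deque[Session]] = defaultdict(deque)

    def observe(self, now: float, src: str, dst: str, dport: int) -> str:
        """Apply the defense to one new session from src; returns the verdict."""
        # A blacklisted source is denied until its entry has aged past the timeout.
        if src in self.blacklist:
            if now - self.blacklist[src] < self.timeout:
                return "deny:blacklisted"
            del self.blacklist[src]                        # released from the blacklist
        hist = self.history[src]
        hist.append((now, dst, dport))
        while now - hist[0][0] >= WINDOW:
            hist.popleft()
        sweep_rate = len({d for _, d, _ in hist})         # distinct hosts per second
        scan_rate = len({(d, p) for _, d, p in hist})     # distinct host:port pairs per second
        if sweep_rate > self.max_rate:
            self.blacklist[src] = now
            return "blacklist:ip-sweep"
        if scan_rate > self.max_rate:
            self.blacklist[src] = now
            return "blacklist:port-scan"
        return "allow"


def demo() -> Dict[str, object]:
    """Constructed traffic: a sweeper, a port scanner and a busy legitimate client."""
    d = ScanDefense(max_rate=100, blacklist_timeout=60)   # small values for the demo
    tally: Dict[str, int] = defaultdict(int)
    for i in range(150):
        # 2.2.0.9 opens sessions to 150 different intranet hosts within one second
        tally["sweep:" + d.observe(i / 1000, "2.2.0.9", f"1.1.0.{i + 1}", 80)] += 1
        # 2.2.0.11 opens sessions to 150 different ports on one server
        tally["scan:" + d.observe(i / 1000, "2.2.0.11", "1.1.0.2", 1 + i)] += 1
        # 2.2.0.10 opens 150 sessions to the same server and port: neither sweep nor scan
        tally["legit:" + d.observe(i / 1000, "2.2.0.10", "1.1.0.2", 443)] += 1
    during = d.observe(30.0, "2.2.0.9", "1.1.0.2", 80)   # still within the 60 s timeout
    after = d.observe(61.0, "2.2.0.9", "1.1.0.2", 80)    # timeout expired, released
    return {"tally": dict(tally), "during": during, "after": after}


if __name__ == "__main__":
    result = demo()
    for key, count in sorted(result["tally"].items()):
        print(f"{key:28s} {count}")
    print("sweeper during timeout:", result["during"])
    print("sweeper after timeout: ", result["after"])
```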

5.2.6 (Optional) Configuring Large ICMP Packet Attack Defense

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend large-icmp max-length length

Parameters of large ICMP packet attack defense are configured.

For large ICMP packet attack defense, only one parameter needs to be configured, namely, the maximum packet length. When the length of an ICMP packet exceeds this value, the ME60 considers it as an attack and discards the packet.

By default, the maximum length of an ICMP packet is 4000 bytes.

----End

5.2.7 Checking the Configuration

Run the following commands to check the previous configuration.

Action: Check the enabled attack defenses.
Command: display firewall defend flag

Action: Check the configuration of Flood attack defenses.
Command: display firewall defend { icmp-flood | syn-flood | udp-flood } [ zone [ zone-name ] | ip [ ip-address ] [ vpn-instance vpn-instance-name ] ]

Action: Check the configurations of other types of attack defense.
Command: display firewall defend attack-type

5.3 Configuration Examples

This section provides several configuration examples of attack defense.

5.3.1 Example for Configuring Land Attack Defense

5.3.2 Example for Configuring SYN Flood Attack Defense

5.3.3 Example for Configuring IP Address Sweeping Attack Defense

5.3.1 Example for Configuring Land Attack Defense

Networking Requirements

As shown in Figure 5-1, GE1/0/0 of the ME60 is connected to an intranet with a high priority. GE2/0/0 of the ME60 is connected to the Internet with a low priority. You need to configure Land attack defense for the traffic from the Internet to the intranet.

Figure 5-1 Networking of Land attack defense: enterprise network with a server on GE1/0/0 (1.1.0.1/16), the ME60, Internet on GE2/0/0 (2.2.0.1/16)

Configuration Roadmap

The configuration roadmap is as follows:

- Configure IP addresses of interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure Land attack defense.

Data Preparation

To complete the configuration, you need the following data:

- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 5-1
- Network security priorities, 100 for the internal network, and 1 for the external network

Configuration Procedures

1. (Optional) Configure the VSU to function as the SSU.

   <Quidway> system-view
   [Quidway] set lpu-work-mode ssu slot 3
   [Quidway] quit
   <Quidway> reset slot 3

2. Configure IP addresses of interfaces.

   <Quidway> system-view
   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
   [Quidway-GigabitEthernet2/0/0] quit

3. Configure an ACL.

   [Quidway] acl 2000
   [Quidway-acl-basic-2000] rule permit
   [Quidway-acl-basic-2000] quit

4. Configure zones and the interzone.

   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] priority 100
   [Quidway-zone-zone1] quit
   [Quidway] firewall zone zone2
   [Quidway-zone-zone2] priority 1
   [Quidway-zone-zone2] quit
   [Quidway] firewall interzone zone1 zone2
   [Quidway-interzone-zone1-zone2] firewall enable
   [Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
   [Quidway-interzone-zone1-zone2] packet-filter 2000 outbound
   [Quidway-interzone-zone1-zone2] quit

5. Add the interfaces to the zones.

   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] zone zone1
   [Quidway-GigabitEthernet1/0/0] shutdown
   [Quidway-GigabitEthernet1/0/0] undo shutdown
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] zone zone2
   [Quidway-GigabitEthernet2/0/0] shutdown
   [Quidway-GigabitEthernet2/0/0] undo shutdown
   [Quidway-GigabitEthernet2/0/0] quit

6. Configure Land attack defense.

   [Quidway] firewall defend land enable

Configuration Files

#
 sysname Quidway
#
 firewall defend land enable
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
acl number 2000
 rule 5 permit
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 2000 inbound
 packet-filter 2000 outbound
#
return

5.3.2 Example for Configuring SYN Flood Attack Defense

Networking Requirements

As shown in Figure 5-2, GE1/0/0 of the ME60 is connected to an intranet with a high priority. GE2/0/0 of the ME60 is connected to the Internet with a low priority. You need to configure SYN Flood attack defense for the traffic from the Internet to the intranet.

Figure 5-2 Networking of SYN Flood attack defense: enterprise network with server 1.1.0.2 on GE1/0/0 (1.1.0.1/16), the ME60, Internet on GE2/0/0 (2.2.0.1/16)

Configuration Roadmap

The configuration roadmap is as follows:

- Configure IP addresses of interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure SYN Flood attack defense.

Data Preparation

To complete the configuration, you need the following data:

- Slot number of the VSU: 3
- IP addresses of interfaces, as shown in Figure 5-2
- Network security priorities, 100 for the internal network, and 1 for the external network


Configuration Procedures

1. (Optional) Configure the VSU to function as the SSU.

   <Quidway> system-view
   [Quidway] set lpu-work-mode ssu slot 3
   [Quidway] quit
   <Quidway> reset slot 3

2. Configure IP addresses of interfaces.

   <Quidway> system-view
   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
   [Quidway-GigabitEthernet2/0/0] quit

3. Configure an ACL.

   [Quidway] acl 2000
   [Quidway-acl-basic-2000] rule permit
   [Quidway-acl-basic-2000] quit

4. Configure zones and the interzone.

   [Quidway] firewall zone zone1
   [Quidway-zone-zone1] priority 100
   [Quidway-zone-zone1] quit
   [Quidway] firewall zone zone2
   [Quidway-zone-zone2] priority 1
   [Quidway-zone-zone2] quit
   [Quidway] firewall interzone zone1 zone2
   [Quidway-interzone-zone1-zone2] firewall enable
   [Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
   [Quidway-interzone-zone1-zone2] packet-filter 2000 outbound
   [Quidway-interzone-zone1-zone2] quit

5. Add the interfaces to the zones.

   [Quidway] interface gigabitethernet 1/0/0
   [Quidway-GigabitEthernet1/0/0] zone zone1
   [Quidway-GigabitEthernet1/0/0] shutdown
   [Quidway-GigabitEthernet1/0/0] undo shutdown
   [Quidway-GigabitEthernet1/0/0] quit
   [Quidway] interface gigabitethernet 2/0/0
   [Quidway-GigabitEthernet2/0/0] zone zone2
   [Quidway-GigabitEthernet2/0/0] shutdown
   [Quidway-GigabitEthernet2/0/0] undo shutdown
   [Quidway-GigabitEthernet2/0/0] quit

6. Configure SYN Flood attack defense. For the entire intranet, the maximum SYN session rate is 1000 pps and TCP proxy is automatically enabled. For server 1.1.0.2, the maximum SYN session rate is 2000 pps and TCP proxy is enabled manually.

   [Quidway] firewall defend syn-flood enable
   [Quidway] firewall defend syn-flood zone zone1 max-rate 1000 tcp-proxy auto
   [Quidway] firewall defend syn-flood ip 1.1.0.2 max-rate 2000 tcp-proxy on

Configuration Files

#
 sysname Quidway
#
 firewall defend syn-flood enable
 firewall defend syn-flood zone zone1
 firewall defend syn-flood ip 1.1.0.2 max-rate 2000 tcp-proxy on
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
acl number 2000
 rule 5 permit
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 2000 inbound
 packet-filter 2000 outbound
#
return

5.3.3 Example for Configuring IP Address Sweeping Attack Defense

Networking Requirements

As shown in Figure 5-3, GE1/0/0 of the ME60 is connected to an intranet with a high priority. GE2/0/0 of the ME60 is connected to the Internet with a low priority. You need to configure IP address sweeping attack defense for the traffic from the Internet to the intranet. The maximum session rate is 5000 pps, and the blacklist timeout is 30 minutes.

Figure 5-3 Networking of IP address sweeping attack defense
(Figure: Server in the enterprise network -- GE1/0/0 1.1.0.1/16 -- ME60 -- GE2/0/0 2.2.0.1/16 -- Internet)

Configuration Roadmap

The configuration roadmap is as follows:

• Configure IP addresses of interfaces.
• Configure zones and the interzone.
• Add the interfaces to the zones.
• Configure IP address sweeping attack defense.

Data Preparation

To complete the configuration, you need the following data:

• Slot number of the VSU: 3

• IP addresses of interfaces, as shown in Figure 5-3

• Network security priorities: 100 for the internal network, and 1 for the external network

Configuration Procedures

1. (Optional) Configure the VSU to work as an SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3

2. Configure IP addresses of interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit

3. Configure an ACL.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit
[Quidway-acl-basic-2000] quit

4. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
[Quidway-interzone-zone1-zone2] packet-filter 2000 outbound
[Quidway-interzone-zone1-zone2] quit

5. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit

6. Configure IP address sweeping attack defense.
[Quidway] firewall defend ip-sweep enable
[Quidway] firewall defend ip-sweep blacklist-timeout 30
[Quidway] firewall defend ip-sweep max-rate 5000

Configuration Files
#
 sysname Quidway
#
 firewall defend ip-sweep enable
 firewall defend ip-sweep max-rate 5000
 firewall defend ip-sweep blacklist-timeout 30
#
interface GigabitEthernet1/0/0
 zone zone1
 undo shutdown
 ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 zone zone2
 undo shutdown
 ip address 2.2.0.1 255.255.0.0
#
acl number 2000
 rule 5 permit
#
firewall zone zone1
 priority 100
#
firewall zone zone2
 priority 1
#
firewall interzone zone1 zone2
 firewall enable
 packet-filter 2000 inbound
 packet-filter 2000 outbound
#
return


6 IPSec Configuration

About This Chapter

This chapter describes the rationale, implementation, and configuration of IPSec.

6.1 Introduction
This section describes the concept and rationale of IPSec.

6.2 Defining Data Flows to Be Protected
This section describes how to define the data flows to be protected.

6.3 Configuring an IPSec Proposal
This section describes how to configure an IPSec proposal.

6.4 Configuring an IPSec Policy
This section describes how to configure an IPSec policy.

6.5 Configuring IPSec Policies by Using the IPSec Policy Template
This section describes how to use the IPSec policy template to configure IPSec policies.

6.6 Applying an IPSec Policy or an IPSec Policy Group to an Interface
This section describes how to apply an IPSec policy or an IPSec policy group to an interface.

6.7 Maintaining IPSec
This section provides the commands for clearing the IPSec statistics and debugging IPSec.

6.8 Configuration Examples
This section provides a configuration example of IPSec.


6.1 Introduction

This section describes the concept and rationale of IPSec.

6.1.1 Overview of IPSec

6.1.2 Terms Related to IPSec

6.1.3 IPSec Features Supported by the ME60

6.1.1 Overview of IPSec

The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high-quality, interoperable, and cryptography-based security for IP packets. The two communicating parties can encrypt data and authenticate the data source at the IP layer to ensure confidentiality, data integrity, data source authentication, and anti-replay for packets during transmission on the network.

NOTE

• Confidentiality: client data is encrypted and transmitted as cipher text.
• Data integrity: the received data is authenticated to find out whether the packet was modified.
• Data authentication: the data source is authenticated to make sure the data was sent by the real sender.
• Anti-replay: malicious clients are prevented from repeatedly sending captured data packets. In other words, the receiver denies old or repeated data packets.

IPSec implements the above features using the Authentication Header (AH) security protocol and the Encapsulating Security Payload (ESP) security protocol. The Internet Key Exchange (IKE) also provides automatic key exchange, Security Association setup, and maintenance services to simplify the use and management of IPSec.

• AH mainly provides data source authentication, data integrity authentication and anti-replay. AH cannot encrypt the packet.

• ESP provides encryption in addition to the functions provided by AH. The data integrity authentication of ESP does not cover the IP header. ESP can authenticate and encrypt packets at the same time, or only authenticate or only encrypt packets.

NOTE

AH and ESP can be used either independently or in combination. There are two encapsulation modes for both AH and ESP: transport mode and tunnel mode. For details about the two modes, see "Encapsulation Modes of IPSec".

• IKE is used to negotiate the keys for IPSec. The peers exchange keying material and derive the keys required by the cryptographic algorithms applied in AH and ESP.

NOTE

IKE negotiation is not mandatory. The IPSec policy and algorithms can also be configured manually. For a comparison of the two negotiation modes, see "Negotiation Modes".

6.1.2 Terms Related to IPSec

Security Association

IPSec provides secure communication between IPSec peers (two communication ends).


A security association (SA) is a set of conventions adopted by the communicating parties. The conventions include the protocol adopted (AH, ESP, or both), the encapsulation mode of the protocol (transport mode or tunnel mode), the encryption algorithm (DES or 3DES), the shared key for the specified data flows, and the lifetime of the shared key. The SA is the basis of IPSec.

An SA is unidirectional. If two hosts communicate through ESP, each host needs two SAs: one protects outbound packets, and the other protects inbound packets.

In addition, if both AH and ESP are applied to protect the data flow between the peers, two SAs are needed for AH and two for ESP. Therefore, each host requires four SAs.

An SA is identified uniquely by three parameters: the security parameter index (SPI), the destination IP address, and the security protocol ID (AH or ESP). The SPI is a 32-bit number that uniquely identifies an SA. The SPI is carried in the AH/ESP header during transmission.

An SA has a duration. The duration is calculated through either of the following methods:

• Time-based duration: the SA is updated after a specific interval.
• Traffic-based duration: the SA is updated after a certain amount of data (in bytes) has been transmitted.

The SA becomes invalid when either duration expires. Before the duration expires, IKE negotiates a new SA for IPSec, so a new SA is ready before the old SA becomes invalid.

The SA specifies the protocol encapsulation mode.
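The identification and lifetime rules just described can be shown with a small SA database. The following Python block is an added example, not ME60 code: SAs are keyed by the (SPI, destination IP address, security protocol) triple, installed in pairs because an SA is unidirectional, and treated as invalid when either the time-based or the traffic-based duration expires. The SPI values and addresses are constructed; the 3600-second and 1843200-kilobyte defaults are the ones section 6.4.5 gives.

```python
from dataclasses import dataclass

AH, ESP = 51, 50   # IP protocol numbers of the two security protocols


@dataclass
class SecurityAssociation:
    """One unidirectional SA, identified by (SPI, destination IP, protocol) and
    bounded by a time-based and a traffic-based duration (added example)."""
    spi: int
    dst: str
    protocol: int            # AH or ESP
    direction: str           # "inbound" or "outbound" from this host's point of view
    created: float           # creation time in seconds
    time_limit: float        # time-based duration in seconds
    byte_limit: int          # traffic-based duration in bytes
    bytes_used: int = 0

    @property
    def key(self):
        return (self.spi, self.dst, self.protocol)

    def expired(self, now: float) -> bool:
        # The SA is invalid as soon as either duration has expired.
        return now - self.created >= self.time_limit or self.bytes_used >= self.byte_limit


class SADatabase:
    """SAs of one host, looked up by the triple carried in the AH/ESP header."""

    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation):
        if sa.key in self._sas:
            raise ValueError(f"duplicate SA {sa.key}")
        self._sas[sa.key] = sa

    def lookup(self, spi: int, dst: str, protocol: int, now: float):
        """SA for a received packet, or None when unknown or already expired."""
        sa = self._sas.get((spi, dst, protocol))
        return None if sa is None or sa.expired(now) else sa

    def account(self, sa: SecurityAssociation, nbytes: int):
        """Charge protected traffic against the SA's traffic-based duration."""
        sa.bytes_used += nbytes

    def __len__(self):
        return len(self._sas)


def install_pair(db, local, remote, protocols, now,
                 time_limit=3600, byte_limit=1843200 * 1024):
    """Install what one host needs to talk to one peer: an outbound SA (dst = remote)
    and an inbound SA (dst = local) per protocol, so ESP alone yields two SAs and
    AH together with ESP yields four.  The SPIs are constructed for the example;
    in practice each end assigns the SPI it will accept on its inbound SA."""
    installed = []
    for i, proto in enumerate(protocols):
        out = SecurityAssociation(0x1000 + i, remote, proto, "outbound", now, time_limit, byte_limit)
        inb = SecurityAssociation(0x2000 + i, local, proto, "inbound", now, time_limit, byte_limit)
        db.add(out)
        db.add(inb)
        installed += [out, inb]
    return installed


if __name__ == "__main__":
    db = SADatabase()
    for sa in install_pair(db, "10.0.0.1", "10.0.0.2", [AH, ESP], now=0):
        print(sa.direction, hex(sa.spi), sa.dst, "AH" if sa.protocol == AH else "ESP")
```

A lookup with the right SPI but the wrong protocol returns nothing, which is why the triple rather than the SPI alone identifies an SA; the same lookup after the time limit or after enough bytes have been charged also returns nothing.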

Encapsulation Modes of IPSec

IPSec has two encapsulation modes:

• Transport mode: AH/ESP is inserted behind the IP header but before all transport layer protocols or all other IPSec protocols. Figure 6-1 shows transport mode.

• Tunnel mode: AH/ESP is inserted before the original IP header but behind the new IP header. Figure 6-2 shows tunnel mode.

Figure 6-1 Packet format in transport mode

Protocol   Transport mode packet format
AH         IP Header | AH | TCP Header | data
ESP        IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP     IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data

Figure 6-2 Packet format in tunnel mode

Protocol   Tunnel mode packet format
AH         new IP Header | AH | raw IP Header | TCP Header | data
ESP        new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP     new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data

Use either of the modes according to the actual situation.

• The tunnel mode is safer than the transport mode. The tunnel mode can authenticate and encrypt the original IP data packets completely. In addition, it can hide the client IP address by using the IP address of the IPSec peer.

• The tunnel mode occupies more bandwidth than the transport mode because it has an extra IP header.

The transport mode is suitable for communication between two hosts or between a host and a security gateway. In the transport mode, the two devices encrypting or decrypting packets must be the original packet sender and the final receiver respectively.

Most of the data flows between two security gateways (or routers) are usually not their own communication traffic. Therefore, the tunnel mode is used between security gateways. Packets encrypted by one security gateway can be decrypted only by the corresponding security gateway. That is, a new IP header must be added to the packet, and the IP packet is sent to the security gateway that can decrypt it.

Authentication Algorithms and Encryption Algorithms

• Authentication algorithms

AH and ESP can authenticate the integrity of an IP packet to determine whether the packet was modified during transmission. The authentication is implemented with a hash function. A hash function accepts input messages of any length but always produces output of a fixed length; the output is called the message summary. To authenticate integrity, the IPSec peers compute the message summary of the packet with the hash function. If the message summary is the same at both ends, the packet is intact and was not modified. There are two IPSec authentication algorithms:

• Message Digest 5 (MD5): receives a message of any length and generates a 128-bit message summary.

• Secure Hash Algorithm (SHA-1): receives a message of less than 2^64 bits and generates a 160-bit message summary.

The SHA-1 summary is longer than that of MD5, and so SHA-1 is safer than MD5.
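The packet formats in Figure 6-1 and Figure 6-2 and the difference in authentication scope between AH and ESP can be checked with a small packet builder. The following Python block is an added example and is not ME60 code: it lays out AH and ESP in transport and tunnel mode with the standard header fields and computes the authentication data as HMAC-SHA-1 truncated to 96 bits, with AH covering the IP header (mutable fields zeroed) and ESP covering only the ESP header through the trailer. ESP encryption with DES or 3DES is deliberately omitted, so the payload stays in clear text; the key, the addresses and the TCP segment are constructed.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51
ICV_LEN = 12   # HMAC-SHA-1-96: the 160-bit SHA-1 summary truncated to 96 bits


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left 0 to keep the example short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_scope(ip_hdr, ah_hdr_zero_icv, payload):
    """AH authenticates the IP header as well, with the mutable fields
    (TOS, TTL, header checksum) zeroed so routers may change them in transit."""
    immutable = (ip_hdr[:1] + b"\x00" + ip_hdr[2:8] + b"\x00" + ip_hdr[9:10]
                 + b"\x00\x00" + ip_hdr[12:])
    return immutable + ah_hdr_zero_icv + payload


def ah_encapsulate(src, dst, payload, next_header, key, spi, seq):
    """IP | AH (next header, length, reserved, SPI, sequence, ICV) | payload."""
    ah_len = 12 + ICV_LEN
    ah_hdr = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    tag = icv(key, ah_scope(ip_hdr, ah_hdr + bytes(ICV_LEN), payload))
    return ip_hdr + ah_hdr + tag + payload


def ah_verify(packet, key):
    ip_hdr, ah_hdr = packet[:20], packet[20:32]
    tag, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(tag, icv(key, ah_scope(ip_hdr, ah_hdr + bytes(ICV_LEN), payload)))


def esp_encapsulate(src, dst, payload, next_header, key, spi, seq):
    """IP | ESP (SPI, sequence) | payload | padding | pad length | next header | ICV.
    The ICV covers the ESP header through the trailer but NOT the IP header.
    Encryption (DES/3DES) is omitted here, so the payload stays in clear text."""
    pad_len = (-(len(payload) + 2)) % 4          # align the trailer to 4 bytes
    body = (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, len(body) + ICV_LEN)
    return ip_hdr + body + icv(key, body)


def esp_verify(packet, key):
    body, tag = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(key, body))


def transport(protect, src, dst, tcp_segment, key, spi, seq):
    """Transport mode: AH/ESP is inserted between the IP header and the TCP header."""
    return protect(src, dst, tcp_segment, IPPROTO_TCP, key, spi, seq)


def tunnel(protect, gw_src, gw_dst, inner_packet, key, spi, seq):
    """Tunnel mode: the whole original packet becomes the payload behind a new IP
    header carrying the security gateway addresses; next header is IP-in-IP (4)."""
    return protect(gw_src, gw_dst, inner_packet, IPPROTO_IPIP, key, spi, seq)


def with_field(packet, offset, value):
    """Copy of packet with the bytes at offset replaced (used to probe the ICV scope)."""
    return packet[:offset] + value + packet[offset + len(value):]


# Constructed sample data (not from the guide).
KEY = b"constructed-example-key"
SEGMENT = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + b"hello"
HOST_A, HOST_B, GW_A, GW_B = "173.1.1.10", "173.2.2.20", "1.1.0.1", "2.2.0.1"
NEW_DST = socket.inet_aton("173.2.2.99")

if __name__ == "__main__":
    ah_pkt = transport(ah_encapsulate, HOST_A, HOST_B, SEGMENT, KEY, 0x1000, 1)
    esp_pkt = transport(esp_encapsulate, HOST_A, HOST_B, SEGMENT, KEY, 0x2000, 1)
    print("AH, TTL changed  :", ah_verify(with_field(ah_pkt, 8, b"\x3f"), KEY))     # True
    print("AH, dst changed  :", ah_verify(with_field(ah_pkt, 16, NEW_DST), KEY))    # False
    print("ESP, dst changed :", esp_verify(with_field(esp_pkt, 16, NEW_DST), KEY))  # True
```

Changing the TTL leaves an AH packet valid because TTL is a mutable field excluded from the AH scope, while changing the destination address breaks it; the same destination change leaves an ESP packet valid, which is exactly the "does not cover the IP header" property stated above for ESP, so ESP on its own does not protect the outer addresses.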

• Encryption algorithms

ESP can encrypt an IP packet to prevent disclosure of the packet contents during transmission. The encryption algorithm is a symmetric key system: data is encrypted and decrypted with the same key. IPSec uses two encryption algorithms:

• DES: encrypts a 64-bit plain text block by using a 56-bit key.
• 3DES: encrypts plain text by using three 56-bit DES keys (168-bit key).

The 3DES algorithm is much safer than DES; however, its encryption speed is comparatively slower.

Negotiation Modes

There are two negotiation modes for establishing an SA: manual mode (manual) and IKE auto-negotiation mode (isakmp).

The manual mode is a bit complex because all information about the SA has to be configured manually, and it does not support some advanced features of IPSec, such as the key update timer. The manual mode implements IPSec independently of IKE.

The IKE auto-negotiation mode is much easier because the SA can be established and maintained through IKE auto-negotiation as long as the security policies for IKE negotiation are configured.

The manual mode is feasible where few peer devices are deployed or in a small static environment. For a medium or large dynamic networking environment, the IKE auto-negotiation mode is recommended.

IPSec allows systems, network subscribers, or administrators to control the granularity of security services between peers. For instance, the IPSec policies of a group may prescribe that data flows from one subnet be protected using AH and ESP and be encrypted using 3DES, while data flows from another site be protected using ESP only and be encrypted using DES only. IPSec can thus provide security protection at various levels for different data flows based on the SA.

6.1.3 IPSec Features Supported by the ME60

The ME60 implements the previously mentioned functions of IPSec.

Through IPSec, the peers can apply various security protections (authentication, encryption, or both) to data flows that are differentiated based on the ACL.

To implement the IPSec function, you need to configure the IPSec policy and the QoS traffic policy on the ME60. Apply the QoS traffic policy configured with the IPSec behavior to the entire equipment or to the incoming interface, and then apply the IPSec policy or IPSec policy group to the outgoing interface. After the configuration, user packets can be encrypted.

For the packets sent by a user, the ME60 checks according to the QoS traffic policy whether the packets need to be encrypted through IPSec. If they do, the ME60 determines whether and how to encrypt the packets according to the IPSec policy configured on the outgoing interface of the packets.

The configuration roadmap of IPSec is as follows:

1. Define data flows to be protected and use ACL rules to differentiate them.
2. Define a security proposal and specify the security protocol, authentication algorithm, encryption algorithm, and encapsulation mode.
3. Define a security policy or a security policy group and specify the association between the data flow and the IPSec proposal, the SA negotiation mode, the peer IP address, the required key, and the SA duration.
4. Apply the IPSec policy on the interface of the ME60.

For the configuration roadmap of the QoS traffic policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

6.2 Defining Data Flows to Be Protected

This section describes how to define the data flows to be protected.

6.2.1 Establishing the Configuration Task

6.2.2 Defining Data Flows to Be Protected

6.2.1 Establishing the Configuration Task

Applicable Environment

Packets that need protection are defined based on the pre-defined advanced ACL.

Packets are first matched against the rules in the ACL. Only packets that match permit statements in the ACL are protected through IPSec. Packets that match deny statements in the ACL are sent out directly without protection.

NOTE

Although their format and configuration method are the same, the IPSec ACL differs from the firewall ACL in terms of function. A common ACL is used to determine whether to permit or deny some data on an interface. For more information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.

Data flows need to be authenticated for security. Some data flows should also be encrypted to meet high security requirements. One IPSec policy can provide only one security protection method. You should, therefore, define different ACLs and IPSec policies for different data flows.

The ACLs defined on the local router and the ACLs on the remote router should correspond to each other (mirroring), so that data encrypted at one end can be authenticated and decrypted at the peer end. If a data flow defined by the remote ACL arrives unencrypted, the local router regards it as an attack packet and discards it.

For example, at the local end:

[Quidway] acl number 3101
[Quidway-acl-adv-3101] rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255

At the remote end:

[Quidway] acl number 3101
[Quidway-acl-adv-3101] rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255


NOTE

• IPSec protects only the data flows that match the permit statements in the ACL. You should, therefore, define the ACL accurately. The any keyword should be used cautiously.

• It is recommended that you configure a mirror relationship between the local ACL and the remote ACL.

• Using the display acl command, you can view all ACLs, including the ACLs for communication filtering and the ACLs for encryption.
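The mirroring requirement above can be checked mechanically before the tunnel is brought up. The following Python block is an added example and is not ME60 code: it parses advanced ACL rule lines in the format shown in this section (source and destination given as address plus wildcard, or the any keyword), and reports local permit rules with no mirrored remote rule, remote permit rules with no mirrored local rule, and any use of the any keyword. The rule lines are the ones from this section plus one constructed mistake; the parser assumes one rule per line.

```python
import re
from dataclasses import dataclass
from typing import List

# Rule format from this section, e.g.
# "rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255".
HEAD_RE = re.compile(r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)")
ADDR = r"(any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
SRC_RE = re.compile(r"\bsource\s+" + ADDR)
DST_RE = re.compile(r"\bdestination\s+" + ADDR)


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str
    protocol: str
    source: str        # "address wildcard" or "any"
    destination: str


def parse_rule(line: str) -> AclRule:
    head = HEAD_RE.search(line)
    if head is None:
        raise ValueError(f"not an advanced ACL rule: {line!r}")

    def addr(m):
        # An omitted source or destination matches every address, like the any keyword.
        return "any" if m is None else " ".join(m.group(1).split())

    return AclRule(int(head["id"]), head["action"], head["proto"],
                   addr(SRC_RE.search(line)), addr(DST_RE.search(line)))


def flow(rule: AclRule):
    """What the rule matches, independent of its rule number."""
    return (rule.action, rule.protocol, rule.source, rule.destination)


def mirrored(rule: AclRule):
    """The flow the other end must permit: source and destination swapped."""
    return (rule.action, rule.protocol, rule.destination, rule.source)


def check_mirror(local_lines: List[str], remote_lines: List[str]) -> List[str]:
    """Return the list of problems; an empty list means the two ACLs mirror each other."""
    local = [parse_rule(line) for line in local_lines]
    remote = [parse_rule(line) for line in remote_lines]
    problems = []
    for rule in local:
        if "any" in (rule.source, rule.destination):
            problems.append(f"local rule {rule.rule_id}: 'any' used; define the flow more precisely")
    local_flows = {flow(r) for r in local}
    remote_flows = {flow(r) for r in remote}
    for rule in local:
        if rule.action == "permit" and mirrored(rule) not in remote_flows:
            problems.append(f"local rule {rule.rule_id}: no mirrored permit rule on the remote end")
    for rule in remote:
        if rule.action == "permit" and mirrored(rule) not in local_flows:
            problems.append(f"remote rule {rule.rule_id}: no mirrored permit rule on the local end")
    return problems


# The two ACLs from this section, as their rules appear in the configuration.
LOCAL_ACL = ["rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255"]
REMOTE_ACL = ["rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255"]
# Constructed mistake: the remote destination wildcard does not match the local source.
REMOTE_BAD = ["rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.254"]

if __name__ == "__main__":
    print(check_mirror(LOCAL_ACL, REMOTE_ACL))   # []
    print(check_mirror(LOCAL_ACL, REMOTE_BAD))   # two problems, one per end
```

The mismatched wildcard is reported from both sides: the local flow has no mirror on the remote end, and the remote flow has no mirror locally, which is the situation in which one end encrypts traffic the other end does not expect.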

Pre-configuration Task

None.

Data Preparation

To define data flows to be protected, you need the following data.

No. Data
1 ACL number
2 (Optional) Configuration sequence of ACL rules
3 (Optional) Numbers of the ACL rules
4 Protocol type
5 (Optional) Source and destination IP addresses and wildcard character
6 (Optional) Source and destination port numbers and the operator for comparing the port numbers of the source and destination addresses
7 (Optional) ICMPv6 packet type and message code information
8 (Optional) Packet precedence
9 (Optional) Service type
10 (Optional) Name of a time range
11 (Optional) Whether to log the packets that meet the requirements
12 (Optional) Whether this rule takes effect only on the fragmented packets except the first fragment packet

6.2.2 Defining Data Flows to Be Protected

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An advanced ACL is created.

Step 3 Run the following commands to configure ACL rules:

• rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag-value | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*

• rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | source-port operator port | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*

• rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | dscp dscp | fragment-type fragment-type | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*

• rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*

For the configuration of the advanced ACL, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.

----End

6.3 Configuring an IPSec Proposal

This section describes how to configure an IPSec proposal.

6.3.1 Establishing the Configuration Task

6.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal View

6.3.3 Configuring the IPSec Protocol

6.3.4 Configuring the Authentication Algorithm

6.3.5 Configuring the Encryption Algorithm

6.3.6 Configuring the Encapsulation Mode

6.3.7 Checking the Configuration

6.3.1 Establishing the Configuration Task

Applicable Environment

The IPSec proposal needs to be configured when configuring IPSec.


Pre-configuration Task

Before configuring an IPSec proposal, complete the following task:

• Defining Data Flows to Be Protected

Data Preparation

To configure an IPSec proposal, you need the following data.

No. Data

1 Name of the IPSec proposal (a character string of 1 to 15 characters)

2 Security protocol adopted: AH, ESP or AH-ESP

3 Authentication algorithm adopted: MD5 or SHA-1

4 Encryption algorithm adopted: DES or 3DES

5 Encapsulation mode adopted: transport mode or tunnel mode

6.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal View

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

An IPSec proposal is created and the IPSec proposal view is displayed.

NOTE

You can configure up to 50 IPSec proposals.

----End

6.3.3 Configuring the IPSec Protocol

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

The IPSec proposal view is displayed.

Step 3 Run:
transform { ah | ah-esp | esp }

The IPSec proposal is configured.

NOTE

The default security protocol is ESP, that is, the ESP protocol defined in RFC 2406.

----End

6.3.4 Configuring the Authentication Algorithm

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

The IPSec proposal view is displayed.

Step 3 Run:
ah authentication-algorithm { md5 | sha1 }

The authentication algorithm adopted by AH is configured.

Or run:

undo ah authentication-algorithm

The default authentication algorithm is adopted for the AH protocol.

Step 4 Run:
esp authentication-algorithm { md5 | sha1 }

The authentication algorithm adopted by ESP is configured.

Or run:

undo esp authentication-algorithm

The default authentication algorithm is adopted for the ESP protocol.

NOTE

• By default, both ESP and AH adopt the MD5 authentication algorithm.

• You can configure the authentication algorithm only after selecting the corresponding IPSec protocol by running the transform command. For example, if ESP is selected, you can only configure the authentication algorithm required for ESP.

----End

6.3.5 Configuring the Encryption Algorithm

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

The IPSec proposal view is displayed.

Step 3 Run:
esp encryption-algorithm { 3des | des }

The encryption algorithm adopted by ESP is configured.

Or run:

undo esp encryption-algorithm

The default encryption algorithm is adopted for the ESP protocol.

NOTE

By default, both ESP and AH adopt the MD5 encryption algorithm.

----End

6.3.6 Configuring the Encapsulation Mode

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

The IPSec proposal view is displayed.

Step 3 Run:
encapsulation-mode { transport | tunnel }

The encapsulation mode is configured.

NOTE

• By default, the tunnel mode is adopted.

• When the transport mode is adopted, the data flow is not protected. If you want to protect the data flow in this case, the two ends of the data flow must be the same as those of the security tunnel.

----End

6.3.7 Checking the Configuration

Run the following command to check the previous configuration.

Action                                         Command
Check information about the IPSec proposal.    display ipsec proposal [ name proposal-name ]

6.4 Configuring an IPSec Policy

This section describes how to configure an IPSec policy.

NOTE

This section describes the configuration of the IPSec policy in the manual negotiation mode and in the IKE negotiation mode. The configuration is needed in both manual mode and IKE mode unless otherwise specified.

6.4.1 Establishing the Configuration Task

6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View

6.4.3 Configuring the ACL Used in the IPSec Policy

6.4.4 Applying the IPSec Proposal to the IPSec Policy

6.4.5 Configuring the SA Duration

6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)

6.4.7 Configuring the SPI for an SA (for Manual Mode)

6.4.8 Configuring Key for an SA (for Manual Mode)

6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode)

6.4.10 Configuring the PFS Feature Used in the IKE Negotiation

6.4.11 Configuring the Global SA Duration


6.4.12 Checking the Configuration

6.4.1 Establishing the Configuration Task

Applicable Environment

The IPSec policy needs to be configured when configuring IPSec.

Pre-configuration Task

Before configuring an IPSec policy, complete the following tasks:

• 6.2 Defining Data Flows to Be Protected
• 6.3 Configuring an IPSec Proposal
• Creating an IKE peer if IKE negotiation mode is adopted (see chapter 7 "IKE Configuration")

Data Preparation

To configure an IPSec policy, you need the following data.

No. Data

1 Name and sequence number of the IPSec policy

2 Negotiation mode, manual mode or IKE mode

3 SA duration or global duration of an SA, time-based or traffic-based

4 For manual mode, you need: local and remote IP addresses of the tunnel (only used for the policies based on interface applications), SPI of an SA, inbound or outbound direction, IPSec protocol adopted, authentication key used by an SA, and encryption key (if ESP is adopted)

5 For IKE negotiation mode, you need: IKE peer name, and DH group used by Perfect Forward Secrecy (PFS)

6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

An IPSec policy is created and the IPSec policy view is displayed.

NOTE

• Up to 100 IPSec policies can be created in the system.

• By default, no IPSec policy is configured.

----End

6.4.3 Configuring the ACL Used in the IPSec Policy

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
security acl acl-number

The ACL used in the IPSec policy is configured.

NOTE

An IPSec policy can use only one ACL. If multiple ACLs are configured for an IPSec policy, the latest one takes effect.

----End

6.4.4 Applying the IPSec Proposal to the IPSec Policy

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
proposal proposal-name &<1-6>

The IPSec proposal is adopted by the IPSec policy.

NOTE

• When you set up an SA manually, an IPSec policy can apply only one IPSec proposal. You should remove the old IPSec proposal before setting up a new one. In addition, the IPSec proposals applied on the two ends of a tunnel should be configured with the same security protocol, algorithm and packet encapsulation mode.

• When you set up an SA by IKE negotiation (isakmp), an IPSec policy can apply up to six IPSec proposals. IKE negotiation searches for completely matched IPSec proposals on the two ends of the tunnel. If no completely matched IPSec proposal is found, the SA cannot be set up and the packets that need protection are discarded.

----End

6.4.5 Configuring the SA Duration

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:
sa duration { traffic-based kilobytes | time-based seconds }

The SA duration is configured.

NOTE

• The default time-based duration of an SA is 3600 seconds; the default traffic-based duration of an SA is 1843200 kilobytes. If the duration is set for an SA, the global duration is adopted. For details about the global SA duration, see "6.4.11 Configuring the Global SA Duration".

• When IKE negotiates a new SA for IPSec, the shorter of the locally set duration and the duration proposed by the peer is used.

• Modifying the duration does not affect the existing SAs. The modified duration is used when new SAs are set up through IKE negotiation.

• Configuring the SA duration is effective in IKE negotiation mode and not in manual negotiation mode.

----End


6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:

tunnel local ip-address

The local IP address of the tunnel is configured.

Step 4 Run:

tunnel remote ip-address

The remote IP address of the tunnel is configured.

NOTE

l This configuration actually specifies the IPSec peers.

l When implementing a manually created IPSec policy, you must configure the local address to set up the SA. In addition, the security tunnel can be set up only when the local address and the remote address are configured correctly.

----End

6.4.7 Configuring the SPI for an SA (for Manual Mode)

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.


Step 3 Run:

sa spi { inbound | outbound } { ah | esp } spi-number

The SPI of the SA is configured.

NOTE

l When setting up an SA, you must set both the inbound and outbound parameters for the SA.

l SA parameters set on the two ends of a tunnel must match each other. The inbound SPI of the local end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local end must be the same as the inbound SPI of the remote end.

----End

6.4.8 Configuring the Key for an SA (for Manual Mode)

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:

sa authentication-hex { inbound | outbound } { ah | esp } hex-key

The authentication key (in hexadecimal format) of the protocol is configured.

Step 4 Run:

sa string-key { inbound | outbound } { ah | esp } string-key

The authentication key (in character string format) of the protocol is configured.

If you enter a string, the sa string-key command generates an authentication key for the AH protocol. For the ESP protocol, this command generates both an authentication key and an encryption key.

Step 5 Run:

sa encryption-hex { inbound | outbound } esp hex-key

The encryption key (in hexadecimal format) used in ESP is configured.


NOTE

l SA parameters set on the two ends of a tunnel must match each other. The inbound key of the local end must be the same as the outbound key of the remote end, and the outbound key of the local end must be the same as the inbound key of the remote end.

l If both a character string key and a hexadecimal key are configured, the one configured last is adopted.

l On both ends of a security tunnel, the key must be entered in the same format. If the key is entered as a character string on one end and in hexadecimal on the other end, the security tunnel cannot be established.

----End

6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode)

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:

ike-peer peer-name

The IKE peer adopted in the IPSec policy is configured.

NOTE

This chapter describes only how to apply an IKE peer to IPSec. In practice, you also need to configure certain IKE parameters in the IKE peer view, such as the IKE negotiation mode, ID type, NAT traversal, shared key, peer address, and peer name. For more information, refer to chapter 7 "IKE Configuration."

----End

6.4.10 Configuring the PFS Feature Used in the IKE Negotiation

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view


The system view is displayed.

Step 2 Run:

ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

The IPSec policy view is displayed.

Step 3 Run:

pfs { dh-group1 | dh-group2 }

The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.

PFS is a security feature: if one key is compromised, the security of the other keys is not affected, because the keys have no derivative relationship. For details, see chapter 7 "IKE Configuration."

NOTE

l A PFS exchange is performed when IPSec uses this IPSec policy to initiate a negotiation. If the local end uses PFS, the peer must also adopt PFS during negotiation. The DH groups specified on the local end and the peer must be the same; otherwise, the negotiation fails.

l The 1024-bit Diffie-Hellman group (dh-group2) provides higher security than the 768-bit Diffie-Hellman group (dh-group1), but dh-group2 needs more calculation time.

l By default, the PFS feature is disabled.

----End

6.4.11 Configuring the Global SA Duration

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec sa global-duration { traffic-based kilobytes | time-based seconds }

The global SA duration is configured.

NOTE

l Changing the global duration does not affect the existing IPSec policies that have their own duration, or the established SAs. The changed duration is used when a new SA is set up by IKE negotiation.

l The default time-based global duration is 3600 seconds; the default traffic-based global duration is 1843200 kilobytes.

----End

6.4.12 Checking the Configuration

Run the following commands to check the previous configuration.


Action Command

Check information about the IPSec policy. display ipsec policy [ brief | name policy-name [ seq-number ] ]

Check the IPSec statistics. display ipsec statistics

Check information about the SA. display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

6.5 Configuring IPSec Policies by Using the IPSec Policy Template

This section describes how to use the IPSec policy template to configure IPSec policies.

NOTE

This configuration is optional. If the IPSec policy template is not used, you can skip this section.

6.5.1 Establishing the Configuration Task

6.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View

6.5.3 Configuring the ACL Used in the IPSec Policy Template

6.5.4 Applying the IPSec Proposal to the IPSec Policy Template

6.5.5 Configuring the SA Duration

6.5.6 Configuring the IKE Peer for the IPSec Policy Template

6.5.7 Configuring the PFS Feature Used in the IKE Negotiation

6.5.8 Configuring the Global SA Duration

6.5.9 Applying the IPSec Policy Template

6.5.10 Checking the Configuration

6.5.1 Establishing the Configuration Task

Applicable Environment

Indefinite factors may exist in networks. For example, the IP address assigned to a dial-up mobile user is not fixed. In such cases, the endpoint addresses of an IPSec tunnel and the data flow to be protected cannot be decided in advance.

In this case, you can configure an IPSec policy template on the receiver side. The security policy template is a template with certain parameters specified. For the unspecified parameters, the values set on the initiator side are adopted.


NOTE

l The configured parameters must be consistent on both ends during negotiation.

l To enable the template to receive negotiation requests from various peers in pre-shared key mode, you can specify a peer address range. You can also choose not to specify any peer address with the ike-peer command, thus allowing access by different dial-up users.

l The IPSec policy is necessary on the user side. ACL rules defined through the IPSec policy must be configured with the source address range so that the server can send the encrypted response data back correctly.

Pre-configuration Task

Before configuring IPSec policies by using the IPSec policy template, complete the following tasks:

l 6.2 Defining Data Flows to Be Protected

l 6.3 Configuring an IPSec Proposal

l Creating the IKE peer

Data Preparation

To configure IPSec policies by using the IPSec policy template, you need the following data.

No. Data

1 Name and sequence number of the IPSec policy template

2 SA duration or global duration of an SA, time-based or traffic-based

3 Name of the IKE peer and DH groups used by PFS

6.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec policy-template template-name seq-number

An IPSec policy template is created or modified and the IPSec policy template view is displayed.

----End


6.5.3 Configuring the ACL Used in the IPSec Policy Template

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec policy-template template-name seq-number

The IPSec policy template view is displayed.

Step 3 Run:

security acl acl-number

The ACL used in the IPSec policy template is configured.

----End

6.5.4 Applying the IPSec Proposal to the IPSec Policy Template

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec policy-template template-name seq-number

The IPSec policy template view is displayed.

Step 3 Run:

proposal proposal-name1 [ proposal-name2 ... proposal-name6 ]

The IPSec proposal is adopted by the IPSec policy template.

----End

6.5.5 Configuring the SA Duration

Context

Do as follows on the ME60.


Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec policy-template template-name seq-number

The IPSec policy template view is displayed.

Step 3 Run:

sa duration { traffic-based kilobytes | time-based seconds }

The SA duration is configured.

----End

6.5.6 Configuring the IKE Peer for the IPSec Policy Template

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec policy-template template-name seq-number

The IPSec policy template view is displayed.

Step 3 Run:

ike-peer peer-name

The IKE peer adopted in the IPSec policy template is configured.

----End

6.5.7 Configuring the PFS Feature Used in the IKE Negotiation

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view


The system view is displayed.

Step 2 Run:

ipsec policy-template template-name seq-number

The IPSec policy template view is displayed.

Step 3 Run:

pfs { dh-group1 | dh-group2 }

The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.

----End

6.5.8 Configuring the Global SA Duration

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec sa global-duration { traffic-based kilobytes | time-based seconds }

The global SA duration is configured.

----End

6.5.9 Applying the IPSec Policy Template

Context

Do as follows on the ME60.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ipsec policy policy-name seq-number isakmp template template-name

The IPSec policy template is adopted.


NOTE

The policy created through an IPSec policy template cannot initiate negotiation of an SA, but it can respond to a negotiation.

----End

6.5.10 Checking the Configuration

Run the following commands to check the previous configuration.

Action Command

Check information about the IPSec policy template. display ipsec policy-template [ brief | name policy-name [ seq-number ] ]

Check the IPSec statistics. display ipsec statistics

Check information about the SA. display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

6.6 Applying an IPSec Policy or an IPSec Policy Group to an Interface

This section describes how to apply an IPSec policy or an IPSec policy group to an interface.

6.6.1 Establishing the Configuration Task

6.6.2 Configuring the IPSec Behavior in the Traffic Policy

6.6.3 Applying an IPSec Policy or an IPSec Policy Group to an Interface

6.6.1 Establishing the Configuration Task

Applicable Environment

To protect the security of different flows, you need to apply the QoS traffic policy configured with the IPSec behavior to the entire equipment or to the incoming interface of the packets, and then apply the IPSec policy or IPSec policy group to the outgoing interface.

If the SA is established manually, the SA is created immediately after the IPSec policy is applied. If the SA is established through auto negotiation, the IKE peers negotiate the SA only when a flow that conforms to the IPSec policy passes through the outgoing interface.

Pre-configuration Task

Before applying an IPSec policy or an IPSec policy group to an interface, complete the following tasks:

l 6.2 Defining Data Flows to Be Protected

l 6.3 Configuring an IPSec Proposal

l 6.4 Configuring an IPSec Policy


Data Preparation

To apply an IPSec policy or an IPSec policy group to an interface, you need the following data.

No. Data

1 Name of the QoS behavior

2 Type and number of the interface

3 Name of the IPSec policy

6.6.2 Configuring the IPSec Behavior in the Traffic Policy

Context

To configure the ME60 to encrypt packets through IPSec, you need to configure a traffic policy, configure the traffic behavior in the traffic policy, and then apply the traffic policy.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

traffic behavior behavior-name

The behavior view is displayed.

Step 3 Run:

ipsec

The traffic behavior is configured as IPSec.

NOTE

Here, only the configuration of the traffic behavior is described. To configure the ME60 to encrypt user packets through IPSec, you need to configure a complete traffic policy and apply the traffic policy to the entire system or to an interface. For the configuration and application of the traffic policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

----End

6.6.3 Applying an IPSec Policy or an IPSec Policy Group to an Interface

Context

Do as follows on the ME60.


Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

Step 3 Run:

ipsec policy policy-name

The IPSec policy or the IPSec policy group is applied to the interface.

Only one IPSec policy group can be applied to an interface. An IPSec policy group can be applied to multiple interfaces. A manually configured IPSec policy can be applied to only one interface.

After the IPSec policy group is applied to an interface, the ME60 matches the packets sent from this interface against the IPSec policies in descending order of their sequence numbers. If a packet matches the ACL referenced by an IPSec policy, the ME60 processes the packet according to this IPSec policy. If a packet does not match any ACL referenced by the IPSec policies, the ME60 sends the packet directly, without encrypting it through IPSec.
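The following added example (not code from this guide or from Huawei) models the lookup just described: ACL rules in the page's wildcard-mask syntax, a policy group searched in descending sequence-number order, and a result of "clear" for flows that match no policy, so that such flows can be audited before the interface carries them. ACL 3102 and the seq-20 policy are constructed for the illustration, and the treatment of deny rules is an assumption of the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class AclRule:
    """One advanced-ACL rule: 'rule [n] permit|deny ip source A WA destination B WB'."""
    action: str
    src: int
    src_wild: int   # wildcard mask: a 1 bit means "don't care", a 0 bit must match
    dst: int
    dst_wild: int

    def matches(self, src: str, dst: str) -> bool:
        src_ok = ((_ip(src) ^ self.src) & ~self.src_wild & 0xFFFFFFFF) == 0
        dst_ok = ((_ip(dst) ^ self.dst) & ~self.dst_wild & 0xFFFFFFFF) == 0
        return src_ok and dst_ok


def parse_rule(line: str) -> AclRule:
    """Parse the ACL rule syntax used on this page (IPv4, protocol 'ip' only)."""
    tok = line.split()
    if tok[0] == "rule":
        tok = tok[1:]
    if tok[0].isdigit():            # optional rule number, e.g. "rule 5 permit ..."
        tok = tok[1:]
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported rule: {line!r}")
    s, d = tok.index("source"), tok.index("destination")
    return AclRule(action, _ip(tok[s + 1]), _ip(tok[s + 2]), _ip(tok[d + 1]), _ip(tok[d + 2]))


@dataclass
class IpsecPolicy:
    group: str            # IPSec policy (group) name, e.g. "map1"
    seq: int              # sequence number within the group
    acl: List[AclRule]    # rules of the ACL referenced with "security acl"


@dataclass
class PolicyGroup:
    name: str
    policies: List[IpsecPolicy] = field(default_factory=list)

    def lookup(self, src: str, dst: str) -> Optional[IpsecPolicy]:
        """Try the policies in descending order of sequence number, as the page states;
        the first rule that matches decides. Assumption of this example: a matching
        'deny' rule means the policy does not protect the flow and the search moves on
        to the next policy; no match at all returns None."""
        for pol in sorted(self.policies, key=lambda p: p.seq, reverse=True):
            for rule in pol.acl:
                if rule.matches(src, dst):
                    if rule.action == "permit":
                        return pol
                    break
        return None


def classify_flow(group: PolicyGroup, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """('ipsec', seq) when the flow is IPSec-processed, ('clear', None) when the ME60
    would forward it without encryption."""
    pol = group.lookup(src, dst)
    return ("ipsec", pol.seq) if pol else ("clear", None)


def unprotected(group: PolicyGroup, flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Audit helper: which of the given (src, dst) flows would leave the interface in clear text."""
    return [f for f in flows if classify_flow(group, *f)[0] == "clear"]


def build_example_group() -> PolicyGroup:
    # ACL 3101 is the page's own rule. ACL 3102 and policy seq 20 are constructed here to
    # show how the descending-order lookup decides when two ACL ranges overlap.
    acl_3101 = [parse_rule("rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255")]
    acl_3102 = [parse_rule("rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.0.0.0 0.255.255.255")]
    return PolicyGroup("map1", [IpsecPolicy("map1", 10, acl_3101), IpsecPolicy("map1", 20, acl_3102)])


if __name__ == "__main__":
    g = build_example_group()
    for flow in [("10.1.1.5", "10.1.2.7"), ("10.1.1.5", "10.1.3.7"), ("10.1.1.5", "192.0.2.9")]:
        print(flow, "->", classify_flow(g, *flow))
```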

NOTE

l When you change certain parameters of IPSec and IKE, such as the parameters of an IKE proposal, IKE peer, or IPSec proposal, you must re-apply the IPSec policy to the corresponding interface for the changes to take effect.

l If the IPSec policies are configured manually, the IPSec configuration is complete after the preceding procedures. If the IPSec policies are configured in IKE negotiation mode, additional IKE configurations are needed. For details, see chapter 7 "IKE Configuration".

----End

6.7 Maintaining IPSec

This section provides the commands for clearing the IPSec statistics and debugging IPSec.

6.7.1 Clearing IPSec Packet Statistics

6.7.2 Debugging IPSec

6.7.1 Clearing IPSec Packet Statistics

CAUTION

IPSec statistics cannot be restored after you clear them. Confirm the action before you use the command.

To clear the IPSec statistics, run the following commands in the user view.


Action Command

Clear IPSec packet statistics. reset ipsec statistics

Clear the SA. reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address protocol spi ]

6.7.2 Debugging IPSec

CAUTION

Debugging affects system performance. After debugging, run the undo debugging all command to disable it immediately.

When a fault occurs during the application of IPSec, run the following debugging command in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Action Command

Enable IPSec debugging. debugging ipsec { all | sa | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] | misc }

6.8 Configuration Examples

This section provides a configuration example of IPSec.

6.8.1 Example for Establishing an SA Manually

6.8.1 Example for Establishing an SA Manually

Networking Requirements

As shown in Figure 6-3, a security tunnel is configured between ME60 A and ME60 B. Data flows transmitted between subnet 10.1.1.x, represented by PC A, and subnet 10.1.2.x, represented by PC B, are protected. The security protocol is ESP; the encryption algorithm is DES; the authentication algorithm is SHA-1.


Figure 6-3 Networking of IPSec configuration

[Figure: PC A, in an access network, connects to ME60 A, whose interface Pos1/0/1 (202.38.163.1/24) faces the Internet; PC B, in another access network, connects to ME60 B, whose interface Pos2/0/1 (202.38.162.1/24) faces the Internet.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure ACL rules to define the data flows to be protected. Configure an IPSec proposal.

2. Configure an IPSec policy and apply the ACL and the IPSec proposal to the IPSec policy.

3. Apply the IPSec policy to the interface.

4. Configure the QoS traffic policy to encrypt user packets.

Data Preparation

To complete the configuration, you need the following data:

l Data flows to be protected (defined in the ACL)

l Security protocol, encryption algorithm, authentication algorithm, and encapsulation mode

l IP addresses of the local end and peer end of the tunnel

l Interface where IPSec is enabled

Configuration Procedure

1. Configure ACLs on ME60 A and ME60 B and define the data flows to be protected.

# Configure an ACL on ME60 A.
<ME60A> system-view
[ME60A] acl number 3101
[ME60A-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[ME60A-acl-adv-3101] quit
# Configure an ACL on ME60 B.
<ME60B> system-view
[ME60B] acl number 3101
[ME60B-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[ME60B-acl-adv-3101] quit

2. On ME60 A and ME60 B, configure static routes to the peer respectively.

# Configure a static route from ME60 A to ME60 B.
[ME60A] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1


# Configure a static route from ME60 B to ME60 A.
[ME60B] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1

Run the ping command on PC A to ping PC B. The ping succeeds.

3. Create IPSec proposals on ME60 A and ME60 B.

# Create an IPSec proposal on ME60 A.
[ME60A] ipsec proposal tran1
[ME60A-ipsec-proposal-tran1] encapsulation-mode tunnel
[ME60A-ipsec-proposal-tran1] transform esp
[ME60A-ipsec-proposal-tran1] esp encryption-algorithm des
[ME60A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[ME60A-ipsec-proposal-tran1] quit
# Create an IPSec proposal on ME60 B.
[ME60B] ipsec proposal tran1
[ME60B-ipsec-proposal-tran1] encapsulation-mode tunnel
[ME60B-ipsec-proposal-tran1] transform esp
[ME60B-ipsec-proposal-tran1] esp encryption-algorithm des
[ME60B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[ME60B-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.

[ME60A] display ipsec proposal
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption des

4. Create IPSec policies on ME60 A and ME60 B.

# Create an IPSec policy on ME60 A.
[ME60A] ipsec policy map1 10 manual
[ME60A-ipsec-policy-manual-map1-10] security acl 3101
[ME60A-ipsec-policy-manual-map1-10] proposal tran1
[ME60A-ipsec-policy-manual-map1-10] tunnel local 202.38.163.1
[ME60A-ipsec-policy-manual-map1-10] tunnel remote 202.38.162.1
[ME60A-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[ME60A-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[ME60A-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg
[ME60A-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba
[ME60A-ipsec-policy-manual-map1-10] quit
# Create an IPSec policy on ME60 B.
[ME60B] ipsec policy use1 10 manual
[ME60B-ipsec-policy-manual-use1-10] security acl 3101
[ME60B-ipsec-policy-manual-use1-10] proposal tran1
[ME60B-ipsec-policy-manual-use1-10] tunnel local 202.38.162.1
[ME60B-ipsec-policy-manual-use1-10] tunnel remote 202.38.163.1
[ME60B-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[ME60B-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[ME60B-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
[ME60B-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
[ME60B-ipsec-policy-manual-use1-10] quit

Run the display ipsec policy command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.

[ME60A] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------


 security data flow : 3101
 tunnel local address: 202.38.163.1
 tunnel remote address: 202.38.162.1
 proposal name:tran1
 inbound AH setting:
  AH spi:
  AH string-key:
  AH authentication hex key:
 inbound ESP setting:
  ESP spi: 54321 (0xd431)
  ESP string-key: gfedcba
  ESP encryption hex key:
  ESP authentication hex key:
 outbound AH setting:
  AH spi:
  AH string-key:
  AH authentication hex key:
 outbound ESP setting:
  ESP spi: 12345 (0x3039)
  ESP string-key: abcdefg
  ESP encryption hex key:
  ESP authentication hex key:

5. Apply the IPSec policies to the interfaces of ME60 A and ME60 B.

# Apply the IPSec policy to the interface of ME60 A.
[ME60A] interface pos1/0/1
[ME60A-Pos1/0/1] ip address 202.38.163.1 255.255.255.0
[ME60A-Pos1/0/1] ipsec policy map1
[ME60A-Pos1/0/1] undo shutdown
[ME60A-Pos1/0/1] quit

# Apply the IPSec policy to the interface of ME60 B.
[ME60B] interface pos2/0/1
[ME60B-Pos2/0/1] ip address 202.38.162.1 255.255.255.0
[ME60B-Pos2/0/1] ipsec policy use1
[ME60B-Pos2/0/1] undo shutdown
[ME60B-Pos2/0/1] quit

Run the display ipsec sa command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.

[ME60A] display ipsec sa
===============================
Interface: pos1/0/1
 path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
 encapsulation mode: tunnel
 tunnel local : 202.38.163.1
 tunnel remote: 202.38.162.1
 [inbound ESP SAs]
  spi: 54321 (0xd431)
  proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
  No duration limit for this sa
 [outbound ESP SAs]
  spi: 12345 (0x3039)
  proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
  No duration limit for this sa

6. Configure the QoS traffic policy on ME60 A and ME60 B so that the ME60s encrypt user packets.

NOTE

For the configuration of the QoS policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.


# Configure the QoS policy on ME60 A.
[ME60A] traffic classifier ipsec-using
[ME60A-classifier-ipsec-using] if-match acl 3101
[ME60A-classifier-ipsec-using] quit
[ME60A] traffic behavior ipsec-using
[ME60A-behavior-ipsec-using] ipsec
[ME60A-behavior-ipsec-using] quit
[ME60A] traffic policy ipsec-using
[ME60A-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60A-trafficpolicy-ipsec-using] quit
# Configure the QoS policy on ME60 B.
[ME60B] traffic classifier ipsec-using
[ME60B-classifier-ipsec-using] if-match acl 3101
[ME60B-classifier-ipsec-using] quit
[ME60B] traffic behavior ipsec-using
[ME60B-behavior-ipsec-using] ipsec
[ME60B-behavior-ipsec-using] quit
[ME60B] traffic policy ipsec-using
[ME60B-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60B-trafficpolicy-ipsec-using] quit
# Apply the QoS policy to ME60 A globally.
[ME60A] traffic-policy ipsec-using inbound
[ME60A] traffic-policy ipsec-using outbound
# Apply the QoS policy to ME60 B globally.
[ME60B] traffic-policy ipsec-using inbound
[ME60B] traffic-policy ipsec-using outbound

7. Verify the configuration.

After the configuration is complete, PC A can still ping PC B. The data transmitted between them is encrypted.

Configuration Files

The following are the configuration files of the ME60s.

l Configuration file of ME60 A

#
sysname ME60A
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.163.1
 tunnel remote 202.38.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec-using


traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos1/0/1
 undo shutdown
 ip address 202.38.163.1 255.255.255.0
 ipsec policy map1
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
#
return

l Configuration file of ME60 B

#
sysname ME60B
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.162.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos2/0/1
 undo shutdown
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
#
return
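As an added example, not part of this guide or of Huawei's software: the cross-checks that the notes in 6.4.7 and 6.4.8 require for a manual SA (mirrored tunnel endpoints, inbound and outbound SPIs and keys swapped between the two ends, one key format on both ends, identical proposals), run over the two configuration files above. The proposal defaults are read off this page's display ipsec proposal output and assumed to apply generally; the configuration texts are trimmed to the blocks the check needs.

```python
from typing import Dict, List

# This page's two configuration files, trimmed to the proposal and manual-policy blocks.
ME60A_CONFIG = """\
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 proposal tran1
 tunnel local 202.38.163.1
 tunnel remote 202.38.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
"""
ME60B_CONFIG = """\
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 proposal tran1
 tunnel local 202.38.162.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
"""
# Defaults a proposal gets when it only sets the authentication algorithm, read off this
# page's "display ipsec proposal" output (assumed here to hold for every proposal).
PROPOSAL_DEFAULTS = {"encapsulation-mode": "tunnel", "transform": "esp",
                     "esp encryption-algorithm": "des"}
MIRROR = {"inbound": "outbound", "outbound": "inbound"}


def parse_blocks(text: str) -> Dict[str, List[List[str]]]:
    """{header line: [tokens of each indented sub-line]} for a VRP-style config file."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            continue
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.split())
        else:
            cur = raw.strip()
            blocks[cur] = []
    return blocks


def manual_policy(text: str) -> dict:
    """Endpoints, SPIs, keys and effective proposal attributes of the manual IPSec policy."""
    blocks = parse_blocks(text)
    hdr = next(h for h in blocks if h.startswith("ipsec policy ") and h.endswith(" manual"))
    pol = {"name": hdr.split()[2], "tunnel": {}, "spi": {}, "keys": {}, "proposal": None}
    for t in blocks[hdr]:
        if t[0] == "tunnel":                        # tunnel local|remote <ip>
            pol["tunnel"][t[1]] = t[2]
        elif t[0] == "proposal":
            pol["proposal"] = t[1]
        elif t[:2] == ["sa", "spi"]:                # sa spi <dir> <ah|esp> <spi>
            pol["spi"][(t[2], t[3])] = int(t[4])
        elif t[0] == "sa":                          # sa string-key|authentication-hex|encryption-hex <dir> <proto> <key>
            pol["keys"][(t[2], t[3], t[1])] = t[4]
    attrs = dict(PROPOSAL_DEFAULTS)
    for t in blocks.get(f"ipsec proposal {pol['proposal']}", []):
        attrs[" ".join(t[:-1])] = t[-1]             # e.g. "esp authentication-algorithm" -> "sha1"
    pol["proposal_attrs"] = attrs
    return pol


def check_manual_pair(a: dict, b: dict) -> List[str]:
    """Mismatches, seen from a's side, that keep the manual SA between a and b from working."""
    out = []
    if (a["tunnel"].get("local"), a["tunnel"].get("remote")) != \
            (b["tunnel"].get("remote"), b["tunnel"].get("local")):
        out.append("tunnel local/remote addresses are not mirrored")
    if a["proposal_attrs"] != b["proposal_attrs"]:
        out.append(f"proposals differ: {a['proposal_attrs']} vs {b['proposal_attrs']}")
    for (d, proto), spi in a["spi"].items():       # inbound SPI here must be outbound SPI there
        if b["spi"].get((MIRROR[d], proto)) != spi:
            out.append(f"{proto} {d} SPI {spi} on {a['name']} != {MIRROR[d]} SPI on {b['name']}")
    for (d, proto, kind), key in a["keys"].items():
        peer_key = b["keys"].get((MIRROR[d], proto, kind))
        if peer_key is None and any(k[:2] == (MIRROR[d], proto) for k in b["keys"]):
            out.append(f"{proto} {d} key on {a['name']} is {kind}; {b['name']} uses another key format")
        elif peer_key != key:
            out.append(f"{proto} {d} {kind} on {a['name']} != {MIRROR[d]} key on {b['name']}")
    return out


def audit(config_a: str, config_b: str) -> List[str]:
    """Run the checks from both sides; an empty list means the pair is consistent."""
    a, b = manual_policy(config_a), manual_policy(config_b)
    return sorted(set(check_manual_pair(a, b) + check_manual_pair(b, a)))
```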


7 IKE Configuration

About This Chapter

This chapter describes the fundamentals, implementation, and configuration of IKE.

7.1 Introduction

This section describes the concept and fundamentals of IKE.

7.2 Setting the Local ID Used in IKE Negotiation

This section describes how to set the local ID used in IKE negotiation.

7.3 Configuring an IKE Security Proposal

This section describes how to configure an IKE security proposal.

7.4 Configuring Attributes of the IKE Peer

This section describes how to configure the attributes of the IKE peer.

7.5 Tuning the IKE Configuration

This section describes how to fine-tune the configuration of IKE.

7.6 Maintaining IKE

This section provides the commands for displaying and clearing the IKE information and debugging IKE.

7.7 Configuration Examples

This section provides a configuration example of IKE.


7.1 Introduction

This section describes the concept and fundamentals of IKE.

7.1.1 Overview of IKE

7.1.2 NAT Traversal in IPSec

7.1.3 IKE Features of the ME60

7.1.1 Overview of IKE

IKE Protocol

An IPSec security association (SA) can be set up manually. As the number of nodes on the network increases, it becomes difficult to perform manual configuration and ensure network security. In such cases, you can use the Internet Key Exchange (IKE) protocol to automatically set up an SA and perform key exchange.

IKE is based on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP). It simplifies the use and management of IPSec by automatically negotiating the key exchange and setting up SAs for IPSec.

IKE has a self-protection mechanism to safely distribute keys, authenticate IDs, and establish IPSec SAs even on insecure networks.

Security Mechanism of IKE

l Diffie-Hellman (DH) exchange and shared key distribution

The DH algorithm is a public key algorithm. The communicating parties calculate a shared key by exchanging data, without ever transmitting the shared key itself. The precondition for encryption is that both parties hold a shared key. The merit of IKE is that it never transmits the shared key directly over an insecure network, but calculates the shared key by exchanging a series of data. Even if a third party (a hacker, for example) captures all the exchanged data used to calculate the shared key, the third party cannot figure out the real shared key.

l PFS

In Perfect Forward Secrecy (PFS), the compromise of one key has no impact on the security of other keys, because the keys do not have a derivative relationship. The PFS feature is implemented by performing an additional key exchange during the IKE phase 2 negotiation. PFS is ensured by the DH algorithm.

l Identity authentication

Identity authentication is the process of authenticating both parties in the communication. In the pre-shared key authentication method, an authenticator is used to generate a shared key. It is impossible for different authenticators to generate the same shared key between the two parties. The authenticator is, therefore, the key to identity authentication for both parties.

l Identity protection

Once the shared key is generated, the identity data is sent in encrypted form, thus protecting the identity data.


IKE Exchange Phases

IKE goes through two phases to negotiate the IPSec shared keys and set up the SAs:

1. The two parties establish a channel that is identity-authenticated and cryptographically protected. The exchange in this phase establishes an ISAKMP security association (ISAKMP SA, also called the IKE SA).

2. The IKE SA established in phase 1 protects the IPSec negotiation: under it, the parties negotiate the specific SA for IPSec and establish the IPSec SA. The IPSec SA then protects the actual IP data.

The process of setting up an SA is as follows.

Figure 7-1 Process of setting up an SA (Router A and Router B; step 1: matched data streams are forwarded over the interface applying IPSec; step 2: trigger the phase 1 IKE negotiation; step 3: negotiate the IPSec SA in phase 2 of the IKE negotiation under the protection of the phase 1 SA; step 4: communicate under the protection of the phase 2 SA)

If an interface is enabled with IPSec, packets sent from this interface are matched against the IPSec policies.

1. If a packet matches an IPSec policy, the corresponding SA is looked up. If the SA has not been set up yet, IKE is triggered to negotiate the phase 1 SA, that is, the IKE SA.

2. Under the protection of the IKE SA, IKE continues to negotiate the phase 2 SA, that is, the IPSec SA.

3. The IPSec SA is used to protect the data in communication.

IKE Negotiation Modes

As defined in RFC 2409 (The Internet Key Exchange), phase 1 of IKE can use one of two negotiation modes: the main mode and the aggressive mode.

- In the main mode, the key exchange is separated from the identity and authentication information so that the identities are protected: the DH shared key generated in the first exchanges encrypts the identity information that follows. The price is three extra messages (six in total instead of three).

- In the aggressive mode, the SA, key exchange, and authentication payloads are carried in a single message in each direction, which cuts the number of round trips but provides no identity protection.

Despite its limitations, the aggressive mode meets the demands of specific networking environments. In remote access, for example, the responder (the server) cannot predict the address of the initiator (the terminal user), or the initiator's address keeps changing, and both parties want to create the IKE SA with pre-shared key authentication. In this case the aggressive mode, without identity protection, is the only available exchange method. In addition, if the initiator already knows the responder's policy, the aggressive mode creates the IKE SA faster.

Note that with pre-shared key authentication, the aggressive mode also sends the authentication hash before any encryption is in place, so an eavesdropper who captures one exchange can test candidate pre-shared keys offline. Use a long, random pre-shared key whenever the aggressive mode is required.
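The mechanisms described in this section, as an added example that is not part of the original guide: a Python model of the RFC 2409 phase 1 key derivation with pre-shared key authentication. It uses a toy DH group (2^127 - 1, far smaller than the real MODP groups) and constructed SA and identity payloads. It shows both ends agreeing on g^xy without sending it, the authenticator (pre-shared key) deciding whether HASH_R verifies, the aggressive-mode consequence that a captured exchange allows offline testing of candidate keys, and how PFS mixes a fresh quick-mode DH secret into the phase 2 keys.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group, constructed for this example only: 2**127 - 1 is prime,
# but it is far smaller than the real IKE MODP groups (group1 alone is 768 bits).
P = (1 << 127) - 1
G = 2

# Constructed stand-ins for wire payloads: the initiator's SA payload body and the
# responder's name-type identity (the peer's "ike local-name" in ME60 terms).
SA_I = b"SA:3des-cbc/sha/pre-share/group1"
ID_R = b"huawei02"


def prf(key, data):
    """IKE prf for a proposal with the SHA-1 authentication algorithm: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


class Party:
    """One IKE endpoint: private DH exponent, public value g^x, cookie and nonce."""

    def __init__(self, psk):
        self.psk = psk
        self.x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
        self.gx = pow(G, self.x, P)
        self.cookie = os.urandom(8)
        self.nonce = os.urandom(16)

    def shared_secret(self, peer_gx):
        """g^xy, computed locally from the peer's public value; never sent."""
        return i2b(pow(peer_gx, self.x, P))


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID and its derivatives for pre-shared-key authentication (RFC 2409 section 5)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b):
    """HASH_R, the responder's authenticator. Note that g^xy is not among its inputs."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def run_phase1(psk_initiator, psk_responder):
    """Run one phase 1 exchange. Returns (authenticated, SKEYID_d, public transcript)."""
    init, resp = Party(psk_initiator), Party(psk_responder)
    gxy_i, gxy_r = init.shared_secret(resp.gx), resp.shared_secret(init.gx)
    assert gxy_i == gxy_r  # DH agreement: same secret on both sides, nothing secret sent
    k_i = phase1_keys(init.psk, init.nonce, resp.nonce, gxy_i, init.cookie, resp.cookie)
    k_r = phase1_keys(resp.psk, init.nonce, resp.nonce, gxy_r, init.cookie, resp.cookie)
    args = (i2b(resp.gx), i2b(init.gx), resp.cookie, init.cookie, SA_I, ID_R)
    sent = hash_r(k_r[0], *args)      # what the responder puts on the wire
    expected = hash_r(k_i[0], *args)  # what the initiator computes from its own key
    transcript = {"ni": init.nonce, "nr": resp.nonce, "gxi": i2b(init.gx),
                  "gxr": i2b(resp.gx), "cky_i": init.cookie, "cky_r": resp.cookie,
                  "hash_r": sent}
    return hmac.compare_digest(sent, expected), k_i[1], transcript


def offline_psk_check(transcript, candidates):
    """In aggressive mode HASH_R is sent before any encryption exists, and all of its
    other inputs are on the wire, so a captured exchange lets a third party test
    candidate pre-shared keys offline. Returns the candidate that reproduces HASH_R,
    or None. Main mode sends HASH_R encrypted under SKEYID_e, so it is not exposed."""
    t = transcript
    for cand in candidates:
        skeyid = prf(cand, t["ni"] + t["nr"])
        h = hash_r(skeyid, t["gxr"], t["gxi"], t["cky_r"], t["cky_i"], SA_I, ID_R)
        if hmac.compare_digest(h, t["hash_r"]):
            return cand
    return None


def phase2_keymat(skeyid_d, proto, spi, ni2, nr2, gqm_xy=b""):
    """Phase 2 KEYMAT (RFC 2409 section 5.5). Without PFS it depends only on SKEYID_d
    and public values; with PFS the fresh quick-mode DH secret g(qm)^xy is mixed in."""
    return prf(skeyid_d, gqm_xy + proto + spi + ni2 + nr2)


def pfs_demo(skeyid_d):
    """An attacker who has obtained SKEYID_d plus everything on the wire can recompute
    the phase 2 key without PFS but not with it. Returns (recovered_no_pfs, recovered_pfs)."""
    proto, spi = b"\x03", b"\x00\x00\x30\x39"   # ESP, constructed SPI
    ni2, nr2 = os.urandom(8), os.urandom(8)      # quick-mode nonces, public
    a, b = Party(b""), Party(b"")                # fresh quick-mode DH values
    real_no_pfs = phase2_keymat(skeyid_d, proto, spi, ni2, nr2)
    real_pfs = phase2_keymat(skeyid_d, proto, spi, ni2, nr2, a.shared_secret(b.gx))
    guess = phase2_keymat(skeyid_d, proto, spi, ni2, nr2)   # attacker lacks g(qm)^xy
    return guess == real_no_pfs, guess == real_pfs
```

run_phase1(b"huawei", b"huawei") authenticates and run_phase1(b"huawei", b"wrong") does not, which is the page's point that the authenticator decides; offline_psk_check on the transcript of the first run finds b"huawei" in any candidate list that contains it, which is why the pre-shared key in an aggressive-mode deployment must not be guessable.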

7.1.2 NAT Traversal in IPSec

NAT Traversal

One of the main applications of IPSec is to create VPNs. In actual networking, if the initiator resides on a private network and wants to create an IPSec tunnel directly with a remote responder, IPSec has to coexist with NAT. IKE must therefore discover, during negotiation, whether a NAT gateway lies between the two endpoints, and must make it possible for ESP packets to traverse that gateway.

In the first step, the two ends between which the IPSec tunnel is created negotiate the NAT traversal capability. This is done in the first two messages of the IKE negotiation by identifying a set of data carried in the vendor ID payload. The definition of the payload data varies according to the adopted draft version.

NAT gateway discovery is implemented through the NAT-D payload. The payload is used to discover whether a NAT gateway lies between the IKE peers and, if so, on which side of the peers the NAT device resides. The peer on the NAT side, as the initiator, must send NAT keepalive packets periodically so that the NAT gateway keeps the mapping for the security tunnel in the active state.

NAT Traversal in IPSec

NAT traversal in IPSec adds a standard UDP header between the outer IP header and the ESP header of the packet. (AH cannot be used here, because AH integrity-protects the outer IP header that NAT rewrites.) When an ESP packet traverses the NAT gateway, NAT translates the address and port number in the outer IP header and in the added UDP header. When the translated packet reaches the remote end of the IPSec tunnel, the UDP header is removed and the packet is processed in the same way as common IPSec. The response packet must likewise carry a UDP header between the IP and ESP headers.
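As an added example (not from the guide), the UDP encapsulation this section describes, in Python following RFC 3948: functions that wrap an ESP packet or an IKE message in the UDP header used on port 4500, and a classifier that demultiplexes a received datagram into NAT keepalive, IKE (including the ISAKMP exchange type, which lets a monitoring point spot aggressive-mode negotiations) and ESP (SPI and sequence number). The packets are constructed inline; the ISAKMP header layout is from RFC 2408.

```python
import struct

# RFC 3948 demultiplexing rules for UDP port 4500.
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix of IKE messages carried on 4500
NAT_KEEPALIVE = b"\xff"               # one-byte NAT-keepalive payload
# ISAKMP exchange types (RFC 2408); 2 is "identity protection", i.e. main mode.
ISAKMP_EXCHANGE = {1: "base", 2: "main", 3: "auth-only", 4: "aggressive", 5: "informational"}


def udp_datagram(sport, dport, payload):
    """UDP header plus payload. Checksum 0 is what RFC 3948 allows for encapsulated ESP."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def encapsulate_esp(esp_packet, sport=4500, dport=4500):
    """UDP-Encapsulated ESP: the UDP header sits between the outer IP header and ESP."""
    return udp_datagram(sport, dport, esp_packet)


def encapsulate_ike(isakmp_message, sport=4500, dport=4500):
    """IKE on 4500 is prefixed with the non-ESP marker. The marker occupies the position
    of the ESP SPI, and SPI 0 is reserved, so the receiver can tell the two apart."""
    return udp_datagram(sport, dport, NON_ESP_MARKER + isakmp_message)


def isakmp_header(exchange_type, body=b""):
    """Constructed ISAKMP header: cookies, next payload (1 = SA), version 1.0,
    exchange type, flags, message ID, total length."""
    cky_i, cky_r = b"\x11" * 8, b"\x00" * 8  # responder cookie is zero in message 1
    length = 28 + len(body)
    return struct.pack("!8s8sBBBBII", cky_i, cky_r, 1, 0x10, exchange_type, 0, 0, length) + body


def classify(datagram):
    """Classify one UDP/4500 datagram. Returns (kind, details)."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field disagrees with datagram size")
    payload = datagram[8:]
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", {}
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        msg = payload[4:]
        if len(msg) < 28:
            raise ValueError("truncated ISAKMP header")
        _ci, _cr, _np, ver, xchg, flags, _mid, mlen = struct.unpack("!8s8sBBBBII", msg[:28])
        return "ike", {"exchange": ISAKMP_EXCHANGE.get(xchg, str(xchg)),
                       "major_version": ver >> 4,
                       "encrypted": bool(flags & 0x01),  # E bit: payloads after header are encrypted
                       "length_ok": mlen == len(msg)}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return "esp", {"spi": spi, "seq": seq}
    raise ValueError("payload is neither keepalive, IKE nor ESP")


def aggressive_mode_seen(datagrams):
    """Detection helper: number of datagrams carrying an aggressive-mode IKE exchange."""
    count = 0
    for d in datagrams:
        kind, info = classify(d)
        if kind == "ike" and info["exchange"] == "aggressive":
            count += 1
    return count
```

The classifier mirrors what the receiving IPSec endpoint (and any passive monitor on the path) has to do: a single 0xFF byte is the NAT keepalive the section mentions, four zero bytes mark IKE, and anything else is ESP whose first word is the SPI.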

7.1.3 IKE Features of the ME60

The ME60 supports the main mode and the aggressive mode of IKE and implements them based on RFC 2408 and RFC 2409; therefore, the ME60 can interoperate with the equipment of other major vendors.

To implement NAT traversal of IPSec on the ME60, you must use the aggressive mode in the first phase of the IKE negotiation and use the peer name as the peer ID type. In addition, you must use ESP and encapsulate packets in tunnel mode when configuring the IPSec proposal.

On the ME60, do as follows to implement IKE:

1. Set the local ID used in the IKE negotiation.

2. Set attributes for the IKE peer, including the IKE negotiation mode, pre-shared key value, peer address or peer ID, and NAT traversal, to ensure that the IKE negotiation succeeds.

3. Create an IKE proposal to determine the strength of the algorithms used in the IKE exchange, that is, the strength of the security protection (identity authentication method, encryption algorithm, authentication algorithm, and DH group). The stronger the algorithms, the harder it is to break the protected data, but the more computing resources are consumed. The longer the key, the higher the algorithm strength.

4. Apart from these basic procedures, IKE also has a keepalive mechanism to determine whether the peer can still communicate. You can therefore also configure the interval and timeout of the keepalive packets. When NAT traversal of IPSec is configured, you can also configure the interval for sending NAT update packets.

NOTE

After the preceding configuration is complete, you need to reference the IKE peer in the IPSec policy view to complete the IPSec configuration through auto-negotiation. For more information on IPSec using the IKE peer, see chapter 6 "IPSec Configuration."

7.2 Setting the Local ID Used in IKE Negotiation

This section describes how to set the local ID used in IKE negotiation.

7.2.1 Establishing the Configuration Task

7.2.2 Setting the Local ID Used in IKE Negotiation

7.2.1 Establishing the Configuration Task

Applicable Environment

The local router ID needs to be configured in the IKE negotiation when aggressive mode isadopted. It is not necessary when the main mode is adopted.

Pre-configuration Task

None.

Data Preparation

To configure the local ID used in IKE negotiation, you need the following data.

No. Data

1 ID of the local router

7.2.2 Setting the Local ID Used in IKE Negotiation


Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike local-name router-name

The local ID used in the IKE negotiation is specified.

----End

7.3 Configuring an IKE Security Proposal

This section describes how to configure an IKE security proposal.

7.3.1 Establishing the Configuration Task

7.3.2 Creating the IKE Security Proposal and Entering the IKE Security Proposal View

7.3.3 Specifying an Encryption Algorithm

7.3.4 Specifying an Authentication Method

7.3.5 Configuring the Authentication Algorithm

7.3.6 Specifying a DH Group

7.3.7 Configuring the Duration of ISAKMP SA

7.3.8 Checking the Configuration

7.3.1 Establishing the Configuration Task

Applicable Environment

An IKE security proposal needs to be configured in the IKE negotiation. The IKE securityproposal is used to establish a security channel. Users can create multiple IKE security proposalsbased on priority, but the two parties in negotiation must have at least one matched IKE securityproposal to ensure successful negotiation.

Pre-configuration Task

None.

Data Preparation

To configure an IKE security proposal, you need the following data.


No. Data

1 Priority of the IKE security proposal

2 Encryption algorithm, DES or 3DES

3 Authentication algorithm, MD5 or SHA

4 DH group ID, group 1 (768 bits) or group 2 (1024 bits)

5 Duration of the ISAKMP SA (60 to 604800 seconds)

7.3.2 Creating the IKE Security Proposal and Entering the IKE Security Proposal View

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

An IKE security proposal is created and the IKE security proposal view is displayed.

- Multiple IKE proposals can be created on each party of the IKE negotiation. During the negotiation, the matching proposal with the highest priority on both parties is selected first. The matching rule is that both parties must have the same encryption algorithm, authentication algorithm, authentication method, and DH group ID.

- The system provides a built-in IKE proposal named default, which has the lowest priority. In it, the authentication algorithm is SHA-1, the authentication method is the pre-shared key, the encryption algorithm is DES-CBC, the DH group is MODP_768 (group1), and the SA duration is 86400 seconds. Because default is always present, a main-mode negotiation can fall back to these legacy parameters when no configured proposal matches.

----End

7.3.3 Specifying an Encryption Algorithm

Context

Do as follows on the ME60.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

The IKE security proposal view is displayed.

Step 3 Run:
encryption-algorithm { des-cbc | 3des-cbc }

The encryption algorithm is specified.

Currently, the available algorithms are DES and 3DES in CBC mode. Both are legacy algorithms; 56-bit DES in particular is no longer considered secure, so prefer 3des-cbc whenever the peer supports it.

By default, the IKE proposal adopts the DES encryption algorithm in CBC mode.

----End

7.3.4 Specifying an Authentication Method

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

The IKE security proposal view is displayed.

Step 3 Run:
authentication-method pre-share

The authentication method is specified.

The ME60 supports only pre-shared key authentication. By default, the IKE proposal uses pre-shared key authentication.

----End

7.3.5 Configuring the Authentication Algorithm

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

The IKE security proposal view is displayed.

Step 3 Run:
authentication-algorithm { md5 | sha }

The authentication algorithm is specified.

By default, the SHA-1 authentication algorithm is adopted.

----End

7.3.6 Specifying a DH Group

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

The IKE security proposal view is displayed.

Step 3 Run:
dh { group1 | group2 }

The DH group is specified.

By default, the 768-bit DH group (group1) is used. Of the two, group2 (1024 bits) is the stronger; both are small by current standards, so use group2 where the peer supports it.

----End

7.3.7 Configuring the Duration of ISAKMP SA

Context

Do as follows on the ME60.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal priority-level

The IKE security proposal view is displayed.

Step 3 Run:
sa duration seconds

The duration of the ISAKMP SA is configured.

- When the duration expires, the ISAKMP SA is renewed automatically. The duration can be set to a value from 60 to 604800 seconds. A DH calculation is performed during each IKE negotiation, which takes time. To avoid disturbing secure communication with too frequent ISAKMP SA renewals, set the duration to a value larger than 10 minutes.

- A new SA is negotiated before the old one expires. The old SA remains in use until the new SA is set up. The new SA takes effect as soon as it is established, and the old one is deleted automatically when its duration expires.

- By default, the duration of the ISAKMP SA is 86400 seconds (one day).

----End

7.3.8 Checking the Configuration

Run the following command to check the previous configuration.

Action: Check the parameters of the IKE proposals.
Command: display ike proposal

7.4 Configuring Attributes of the IKE Peer

This section describes how to configure the attributes of the IKE peer.

7.4.1 Establishing the Configuration Task

7.4.2 Creating an IKE Peer and Entering the IKE Peer View

7.4.3 Configuring the IKE Negotiation Mode

7.4.4 Configuring the IKE Security Proposal

7.4.5 Configuring the Local ID Type

7.4.6 Configuring NAT Traversal in IPSec

7.4.7 Configuring the Identity Authenticator


7.4.8 Configuring the Peer IP Address or Address Segment

7.4.9 Configuring the Peer Name

7.4.10 Checking the Configuration

7.4.1 Establishing the Configuration Task

Applicable Environment

The attributes of the IKE peer must be configured before the IKE negotiation.

Pre-configuration Task

Before configuring the attributes of the IKE peer, complete the following tasks:

- Configuring the IKE security proposal
- Configuring the local ID used in the IKE negotiation, when the aggressive mode is adopted

Data Preparation

To configure the attribute of the IKE peer, you need the following data.

No. Data

1 Name of the IKE peer

2 IKE negotiation mode

3 Number of the IKE proposal, ranging from 1 to 100

4 Type of the local ID: IP address or name of the local router

5 Whether NAT traversal is required for IPSec

6 Authenticator (a string of 1-127 characters)

7 IP address of the peer, in dotted decimal notation

8 Name of the peer (a string of 1 to 15 characters)

7.4.2 Creating an IKE Peer and Entering the IKE Peer View

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

An IKE peer is created and the IKE peer view is displayed.

----End

7.4.3 Configuring the IKE Negotiation Mode

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
exchange-mode { main | aggressive }

The IKE negotiation mode is specified.

By default, the main mode is used in the IKE negotiation.

----End

7.4.4 Configuring the IKE Security Proposal

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
ike-proposal proposal-number

The IKE proposal is configured.

In the aggressive mode, by default, only the first configured IKE proposal is used in the negotiation; in the main mode, all the IKE proposals are used in the negotiation.

----End
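As an added example (not the ME60's own code), a Python model of the proposal matching rule from 7.3.2 and the per-mode offer rule from 7.4.4: proposals are compared on encryption algorithm, authentication algorithm, authentication method and DH group; aggressive mode offers only the first configured proposal, main mode offers all of them, and the built-in default proposal is always appended with the lowest priority. The assumption that the responder accepts the first match walking the initiator's priority order is this example's own reading of the guide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeProposal:
    """One 'ike proposal <priority-level>' entry; a smaller number is a higher priority."""
    priority: int
    encryption: str = "des-cbc"     # encryption-algorithm { des-cbc | 3des-cbc }
    auth_alg: str = "sha"           # authentication-algorithm { md5 | sha }
    auth_method: str = "pre-share"  # authentication-method pre-share
    dh: str = "group1"              # dh { group1 | group2 }
    sa_duration: int = 86400        # sa duration; not part of the matching rule

    def matches(self, other):
        """Matching rule from 7.3.2: the four algorithm parameters must be identical."""
        return (self.encryption, self.auth_alg, self.auth_method, self.dh) == \
               (other.encryption, other.auth_alg, other.auth_method, other.dh)


# The built-in proposal named "default" (DES-CBC, SHA-1, pre-share, group1, 86400 s):
# always present on both ends and always the lowest priority.
DEFAULT = IkeProposal(priority=10**9)


def label(p):
    return "default" if p == DEFAULT else str(p.priority)


def ordered(proposals):
    """Configured proposals in priority order, with "default" appended last."""
    return sorted(proposals, key=lambda p: p.priority) + [DEFAULT]


def offered(proposals, mode):
    """What the initiator carries in its SA payload (7.4.4): aggressive mode offers only
    the first proposal, main mode offers all of them."""
    lst = ordered(proposals)
    return lst[:1] if mode == "aggressive" else lst


def negotiate(initiator, responder, mode):
    """Return the (initiator proposal, responder proposal) pair selected, or None.
    Assumption of this example: the offer is walked in the initiator's priority
    order and the responder accepts the first entry it also has."""
    resp = ordered(responder)
    for ip in offered(initiator, mode):
        for rp in resp:
            if ip.matches(rp):
                return ip, rp
    return None


def fell_back_to_default(initiator, responder, mode):
    """True when the ends agreed only on the built-in "default" proposal although the
    initiator had configured its own: the negotiation succeeds, but with the weakest
    parameters the ME60 supports."""
    result = negotiate(initiator, responder, mode)
    return bool(initiator) and result is not None and result[0] == DEFAULT


def explain(initiator, responder, mode):
    """One-line summary of the outcome for an operator."""
    result = negotiate(initiator, responder, mode)
    if result is None:
        return f"{mode} mode: no matching proposal, negotiation fails"
    ip, rp = result
    tag = " (fell back to default)" if fell_back_to_default(initiator, responder, mode) else ""
    return (f"{mode} mode: initiator proposal {label(ip)} / responder proposal {label(rp)}: "
            f"{ip.encryption}, {ip.auth_alg}, {ip.dh}{tag}")
```

Two consequences worth checking against your own deployment: with the configuration of 7.7.1 (3des-cbc on both ends, aggressive mode) the first proposals match; if the responder had no matching proposal, aggressive mode would fail outright, while main mode would quietly succeed on default with DES-CBC and group1.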

7.4.5 Configuring the Local ID Type

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
local-id-type { ip | name }

The type of the local ID is configured.

Either the IP address or the name of the local router can be used as the ID in the IKE negotiation. By default, the IP address is used as the local ID.

In the aggressive mode, the name must be used as the local ID. In the main mode, the local ID does not need to be configured, but the name cannot be used as the local ID.

----End

7.4.6 Configuring NAT Traversal in IPSec

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
nat traversal

NAT traversal is enabled for IPSec.

By default, NAT traversal is disabled.

----End

7.4.7 Configuring the Identity Authenticator

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
pre-shared-key key

The identity authenticator is configured.

With pre-shared key authentication, a pre-shared key must be configured for each peer, and the two peers that set up a security connection must be configured with the same pre-shared key. Because this key is the only secret that authenticates the peers, choose a long, random value rather than a dictionary word.

----End

7.4.8 Configuring the Peer IP Address or Address Segment

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
remote-address low-ip-address [ high-ip-address ]

The IP address or the address segment of the peer is configured.

NOTE

When an address segment is configured, only an IPSec policy template can use this IKE peer.

----End

7.4.9 Configuring the Peer Name

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name

The IKE peer view is displayed.

Step 3 Run:
remote-name name

The name of the peer is configured.

----End

7.4.10 Checking the Configuration

Run the following command to check the previous configuration.

Action: Check the configuration of the IKE peer.
Command: display ike peer [ name peer-name ]

7.5 Tuning the IKE Configuration

This section describes how to fine-tune the configuration of IKE.

7.5.1 Establishing the Configuration Task

7.5.2 Setting the Interval of Keepalive Packets

7.5.3 Setting the Timeout Time of Keepalive Packets

7.5.4 Setting the Interval of NAT Update Packets


7.5.1 Establishing the Configuration Task

Applicable Environment

IKE maintains the link state of the ISAKMP SA by sending keepalive packets at a fixed interval. If you set a keepalive timeout on one end, you must set the keepalive interval on the peer. When an end does not receive a keepalive packet within the timeout time, it marks the ISAKMP SA as timed out; if the SA was already marked as timed out, it is deleted together with its corresponding IPSec SA. The timeout time must therefore be longer than the peer's keepalive interval.

You also need to set the interval for sending NAT update packets from an ISAKMP SA. The peer on the NAT side, as the initiator, must send NAT keepalive packets periodically to keep the NAT mapping of the security tunnel active.

CAUTION

- The keepalive interval and the keepalive timeout must be set on the ME60 together.
- The interval and timeout must match across the two ends. That is, if you set the keepalive timeout on one ME60, you must set the keepalive interval on the peer ME60.
- The keepalive interval on one end must be shorter than the timeout set on the peer.

Pre-configuration Task

Before tuning the IKE configuration, complete the following tasks:

- Setting the Local ID Used in IKE Negotiation
- Configuring the IKE Security Proposal
- Configuring Attributes of the IKE Peer

Data Preparation

To tune the IKE configuration, you need the following data.

No. Data

1 Interval of keepalive packets

2 Timeout time of keepalive packets

3 Interval of NAT update packets

7.5.2 Setting the Interval of Keepalive Packets


Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike sa keepalive-timer interval seconds

The interval for sending keepalive packets from the ISAKMP SA is set.

By default, this function is disabled.

----End

7.5.3 Setting the Timeout Time of Keepalive Packets

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike sa keepalive-timer timeout seconds

The timeout time of the keepalive packets is configured.

- On a network, packet loss rarely occurs more than three times in a row, so the timeout time can be set to three times the keepalive interval of the peer.

- By default, this function is disabled.

----End

7.5.4 Setting the Interval of NAT Update Packets

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike sa nat-keepalive-timer interval seconds

The interval for sending NAT update packets from the ISAKMP SA is set.

By default, the ISAKMP SA sends NAT update packets every 20 seconds when NAT traversal is enabled.

----End
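As an added example, not part of the guide: a Python cross-check of the two ends' IKE settings against the rules stated in 7.1.3, 7.3.2, 7.3.7, 7.4.5, 7.4.7 and 7.5.1, applied to the two devices of the configuration example in 7.7.1. The dict key names, the 16-character pre-shared-key threshold and the weak-algorithm warnings are this example's own choices, not something the guide specifies.

```python
# Weak-by-current-standards choices among what the ME60 supports (an editorial
# judgement for this example, not a statement from the guide).
WEAK = {"encryption": {"des-cbc"}, "auth_alg": {"md5"}, "dh": {"group1"}}


def check_end(name, cfg):
    """Rules that involve one end only. cfg keys mirror the commands in 7.2 to 7.5."""
    out = []
    mode, idtype = cfg["exchange_mode"], cfg["local_id_type"]
    if mode == "aggressive":
        if idtype != "name":
            out.append(f"ERROR {name}: aggressive mode requires 'local-id-type name' (7.4.5)")
        if not cfg.get("local_name"):
            out.append(f"ERROR {name}: aggressive mode requires 'ike local-name' (7.2.1)")
    elif idtype == "name":
        out.append(f"ERROR {name}: main mode cannot use the name as local ID (7.4.5)")
    if cfg.get("nat_traversal"):
        if mode != "aggressive" or idtype != "name":
            out.append(f"ERROR {name}: NAT traversal needs aggressive mode with name IDs (7.1.3)")
        ipsec = cfg["ipsec"]
        if ipsec["transform"] != "esp" or ipsec["encapsulation"] != "tunnel":
            out.append(f"ERROR {name}: NAT traversal needs ESP in tunnel mode (7.1.3)")
    ka_i, ka_t = cfg.get("keepalive_interval"), cfg.get("keepalive_timeout")
    if (ka_i is None) != (ka_t is None):
        out.append(f"ERROR {name}: keepalive interval and timeout must be set together (7.5.1)")
    prop = cfg["proposal"]
    if prop["sa_duration"] < 600:
        out.append(f"WARN {name}: ISAKMP SA duration under 10 minutes means frequent DH rekeys (7.3.7)")
    for field, weak in WEAK.items():
        if prop[field] in weak:
            out.append(f"WARN {name}: {field} {prop[field]} is weak by current standards")
    if len(cfg["pre_shared_key"]) < 16:  # threshold chosen for this example
        out.append(f"WARN {name}: pre-shared key shorter than 16 characters")
    return out


def check_pair(a, b):
    """All findings for both ends, including the rules that tie the two together."""
    out = check_end("A", a) + check_end("B", b)
    if a["pre_shared_key"] != b["pre_shared_key"]:
        out.append("ERROR: pre-shared keys differ (7.4.7)")
    if a["exchange_mode"] != b["exchange_mode"]:
        out.append("ERROR: exchange modes differ")
    for (x, xn), (y, yn) in (((a, "A"), (b, "B")), ((b, "B"), (a, "A"))):
        if x["remote_address"] != y["address"]:
            out.append(f"ERROR: {xn} remote-address {x['remote_address']} is not {yn}'s address")
        if x["exchange_mode"] == "aggressive" and x.get("remote_name") != y.get("local_name"):
            out.append(f"ERROR: {xn} remote-name does not match {yn} local-name")
        xi, yt = x.get("keepalive_interval"), y.get("keepalive_timeout")
        if yt is not None and xi is None:
            out.append(f"ERROR: {yn} sets a keepalive timeout but {xn} sends no keepalives (7.5.1)")
        elif xi is not None and yt is not None:
            if xi >= yt:
                out.append(f"ERROR: {xn} keepalive interval {xi}s is not shorter than {yn} timeout {yt}s")
            elif yt < 3 * xi:
                out.append(f"WARN: {yn} timeout is under 3x {xn} interval; fewer than three lost "
                           f"keepalives tear the SA down (7.5.3)")
    pa, pb = a["proposal"], b["proposal"]
    for field in ("encryption", "auth_alg", "dh"):
        if pa[field] != pb[field]:
            out.append(f"ERROR: proposal {field} differs ({pa[field]} vs {pb[field]}) (7.3.2)")
    return out


def errors(findings):
    return [f for f in findings if f.startswith("ERROR")]


# The two ends of the configuration example in 7.7.1, transcribed into dicts.
ME60A = {"local_name": "huawei01", "address": "202.38.163.1", "exchange_mode": "aggressive",
         "local_id_type": "name", "pre_shared_key": "huawei", "remote_name": "huawei02",
         "remote_address": "202.38.162.1", "nat_traversal": False,
         "proposal": {"encryption": "3des-cbc", "auth_alg": "sha", "dh": "group1",
                      "sa_duration": 43200},
         "ipsec": {"transform": "esp", "encapsulation": "tunnel"}}
ME60B = dict(ME60A, local_name="huawei02", address="202.38.162.1",
             remote_name="huawei01", remote_address="202.38.163.1")
```

Run against the guide's own example, check_pair(ME60A, ME60B) reports no errors but does warn about the six-character pre-shared key and DH group1; adding a keepalive timeout on one end without the matching interval on the other produces the errors that 7.5.1 says the configuration must avoid.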

7.6 Maintaining IKE

This section provides the commands for displaying and clearing IKE information and for debugging IKE.

7.6.1 Displaying the IKE Configuration

7.6.2 Clearing the Security Tunnel

7.6.3 Debugging IKE

7.6.1 Displaying the IKE Configuration

To check the configuration of IKE, run the following command in any view.

Action: Display information about the established security channel.
Command: display ike sa

7.6.2 Clearing the Security Tunnel

CAUTION
Clearing the security channel allows data to be transmitted without protection. Confirm the action before you run the command.

To clear an established security tunnel, run the following command in the user view.

Action: Clear an established security channel.
Command: reset ike sa [ connection-id ]

To delete a specific security channel, specify the connection-id of the SA. Run the display ike sa command to view the connection-id of the current SAs. The information about one security channel (that is, with one peer) consists of the information generated in phase 1 and in phase 2.

After the local SA is deleted, if the phase 1 ISAKMP SA still exists, the local end sends a delete message to the peer under the protection of the ISAKMP SA so that the peer can clear its SA database.

If connection-id is not specified, all phase 1 SAs are deleted.

NOTE

A security channel is different from a security association. A security channel is a channel whose two ends can interoperate with each other; an SA is a unidirectional connection.

7.6.3 Debugging IKE

CAUTION
Debugging affects system performance. After debugging, run the undo debugging all command to disable it immediately.

When a fault occurs during the application of IKE, run the following debugging command in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Action: Enable debugging of IKE.
Command: debugging ike { all | error | exchange | message | misc | transport }

7.7 Configuration Examples

This section provides a configuration example of IKE.

7.7.1 Example for Establishing an SA Through IKE Negotiation

7.7.1 Example for Establishing an SA Through IKE Negotiation

Networking Requirements

As shown in Figure 7-2, a security tunnel is configured between ME60 A and ME60 B. The data flow between subnet 10.1.1.x (represented by PC A) and subnet 10.1.2.x (represented by PC B) is protected. The security protocol is ESP; the encryption algorithm is DES; the authentication algorithm is SHA-1.


Figure 7-2 Networking of IKE configuration (PC A, Access Network, ME60 A with Pos1/0/1 202.38.163.1/24; Internet; ME60 B with Pos2/0/1 202.38.162.1/24, Access Network, PC B)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the local host ID, IKE proposal, and IKE peer.
2. Configure ACL rules to specify the data flow to be protected.
3. Configure an IPSec proposal.
4. Configure an IPSec policy and apply the ACL and the IPSec proposal to the IPSec policy.
5. Apply the IPSec policy to the interface.
6. Configure the QoS traffic policy to encrypt user packets.

Data Preparation

To complete the configuration, you need the following data:

- ID of the local device
- Encryption algorithm and authentication algorithm used in IKE negotiation
- IP address and name of the peer device
- Interface where IPSec is enabled

Configuration Procedure

1. Configure the local host ID, IKE proposal, and IKE peer on ME60 A and ME60 B.

# Configure the local ID used by ME60 A in IKE negotiation.
<ME60A> system-view
[ME60A] ike local-name huawei01
# Configure the IKE proposal of ME60 A.
[ME60A] ike proposal 1
[ME60A-ike-proposal-1] encryption-algorithm 3des-cbc
[ME60A-ike-proposal-1] dh group1
[ME60A-ike-proposal-1] sa duration 43200
[ME60A-ike-proposal-1] quit
# Configure the IKE peer of ME60 A.
[ME60A] ike peer ME60B
[ME60A-ike-peer-ME60B] exchange-mode aggressive
[ME60A-ike-peer-ME60B] ike-proposal 1
[ME60A-ike-peer-ME60B] local-id-type name
[ME60A-ike-peer-ME60B] pre-shared-key huawei
[ME60A-ike-peer-ME60B] remote-name huawei02
[ME60A-ike-peer-ME60B] remote-address 202.38.162.1
[ME60A-ike-peer-ME60B] quit

NOTE

In the aggressive mode, you need to configure remote-address on the negotiation initiator.

# Configure the local ID used by ME60 B in IKE negotiation.
<ME60B> system-view
[ME60B] ike local-name huawei02

# Configure the IKE proposal of ME60 B.
[ME60B] ike proposal 1
[ME60B-ike-proposal-1] encryption-algorithm 3des-cbc
[ME60B-ike-proposal-1] dh group1
[ME60B-ike-proposal-1] sa duration 43200
[ME60B-ike-proposal-1] quit

# Configure the IKE peer of ME60 B.
[ME60B] ike peer ME60A
[ME60B-ike-peer-ME60A] exchange-mode aggressive
[ME60B-ike-peer-ME60A] ike-proposal 1
[ME60B-ike-peer-ME60A] local-id-type name
[ME60B-ike-peer-ME60A] pre-shared-key huawei
[ME60B-ike-peer-ME60A] remote-name huawei01
[ME60B-ike-peer-ME60A] remote-address 202.38.163.1
[ME60B-ike-peer-ME60A] quit

Run the display ike peer command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.
[ME60A] display ike peer
---------------------------
 IKE Peer: ME60B
 exchange mode: aggressive on phase 1
 pre-shared-key: huawei
 proposal: 1
 local id type: name
 peer ip address: 202.38.162.1
 peer name: huawei02
 nat traversal: disable
---------------------------

2. Configure ACLs on ME60 A and ME60 B to define the data flows to be protected.
# Configure an ACL on ME60 A.
[ME60A] acl number 3101
[ME60A-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[ME60A-acl-adv-3101] quit

# Configure an ACL on ME60 B.
[ME60B] acl number 3101
[ME60B-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[ME60B-acl-adv-3101] quit

3. On ME60 A and ME60 B, configure static routes to the peer subnet.
# Configure a static route from ME60 A to the subnet behind ME60 B.
[ME60A] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1

# Configure a static route from ME60 B to the subnet behind ME60 A.
[ME60B] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1

4. Create IPSec proposals on ME60 A and ME60 B.


# Create an IPSec proposal on ME60 A.[ME60A] ipsec proposal tran1[ME60A-ipsec-proposal-tran1] encapsulation-mode tunnel[ME60A-ipsec-proposal-tran1] transform esp[ME60A-ipsec-proposal-tran1] esp encryption-algorithm des[ME60A-ipsec-proposal-tran1] esp authentication-algorithm sha1[ME60A-ipsec-proposal-tran1] quit# Create an IPSec proposal on ME60 B.[ME60B] ipsec proposal tran1[ME60B-ipsec-proposal-tran1] encapsulation-mode tunnel[ME60B-ipsec-proposal-tran1] transform esp[ME60B-ipsec-proposal-tran1] esp encryption-algorithm des[ME60B-ipsec-proposal-tran1] esp authentication-algorithm sha1[ME60B-ipsec-proposal-tran1] quitRun the display ipsec proposal command on ME60 A and ME60 B to display theconfiguration. Take ME60 A for example.[ME60A] display ipsec proposal IPsec proposal name: tran1encapsulation mode: tunneltransform: esp-newESP protocol: authentication sha1-hmac-96, encryption des

5. Create IPSec policies on ME60 A and ME60 B.

# Create an IPSec policy on ME60 A.
[ME60A] ipsec policy map1 10 isakmp
[ME60A-ipsec-policy-isakmp-map1-10] ike-peer ME60B
[ME60A-ipsec-policy-isakmp-map1-10] proposal tran1
[ME60A-ipsec-policy-isakmp-map1-10] security acl 3101
[ME60A-ipsec-policy-isakmp-map1-10] quit

# Create an IPSec policy on ME60 B.
[ME60B] ipsec policy use1 10 isakmp
[ME60B-ipsec-policy-isakmp-use1-10] ike-peer ME60A
[ME60B-ipsec-policy-isakmp-use1-10] proposal tran1
[ME60B-ipsec-policy-isakmp-use1-10] security acl 3101
[ME60B-ipsec-policy-isakmp-use1-10] quit

Run the display ipsec policy command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.

[ME60A] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================

-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
 security data flow : 3101
 ike-peer name: ME60B
 perfect forward secrecy: None
 proposal name: tran1
 IPsec sa local duration(time based): 3600 seconds
 IPsec sa local duration(traffic based): 1843200 kilobytes

6. Apply the IPSec policies to the interfaces of ME60 A and ME60 B.

# Apply the IPSec policy to the interface of ME60 A.
[ME60A] interface pos1/0/1
[ME60A-Pos1/0/1] ip address 202.38.163.1 255.255.255.0
[ME60A-Pos1/0/1] ipsec policy map1
[ME60A-Pos1/0/1] undo shutdown
[ME60A-Pos1/0/1] quit

# Apply the IPSec policy to the interface of ME60 B.
[ME60B] interface pos2/0/1
[ME60B-Pos2/0/1] ip address 202.38.162.1 255.255.255.0
[ME60B-Pos2/0/1] ipsec policy use1
[ME60B-Pos2/0/1] undo shutdown
[ME60B-Pos2/0/1] quit

Run the display ipsec sa command on ME60 A and ME60 B to display the configuration. Take ME60 A for example.

[ME60A] display ipsec sa
===============================
Interface: pos1/0/1
 path MTU: 1500
===============================

-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
 encapsulation mode: tunnel
 tunnel local : 202.38.163.1
 tunnel remote: 202.38.162.1

 [inbound ESP SAs]
 spi: 54321 (0xd431)
 proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
 No duration limit for this sa

 [outbound ESP SAs]
 spi: 12345 (0x3039)
 proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
 No duration limit for this sa

7. Configure the QoS traffic policy on ME60 A and ME60 B so that the ME60s encrypt user packets.

NOTE

For the configuration of the QoS policy, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

# Configure the QoS policy on ME60 A.
[ME60A] traffic classifier ipsec-using
[ME60A-classifier-ipsec-using] if-match acl 3101
[ME60A-classifier-ipsec-using] quit
[ME60A] traffic behavior ipsec-using
[ME60A-behavior-ipsec-using] ipsec
[ME60A-behavior-ipsec-using] quit
[ME60A] traffic policy ipsec-using
[ME60A-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60A-trafficpolicy-ipsec-using] quit

# Configure the QoS policy on ME60 B.
[ME60B] traffic classifier ipsec-using
[ME60B-classifier-ipsec-using] if-match acl 3101
[ME60B-classifier-ipsec-using] quit
[ME60B] traffic behavior ipsec-using
[ME60B-behavior-ipsec-using] ipsec
[ME60B-behavior-ipsec-using] quit
[ME60B] traffic policy ipsec-using
[ME60B-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60B-trafficpolicy-ipsec-using] quit

# Apply the QoS policy to ME60 A globally.
[ME60A] traffic-policy ipsec-using inbound
[ME60A] traffic-policy ipsec-using outbound

# Apply the QoS policy to ME60 B globally.
[ME60B] traffic-policy ipsec-using inbound
[ME60B] traffic-policy ipsec-using outbound

8. Verify the configuration.


After the configuration is complete, PC A can still ping PC B, and the data transmitted between them is encrypted.

Run the display ike sa command on ME60 A. The display is as follows:

[ME60A] display ike sa
connection-id  peer            vpn  flag    phase  doi
--------------------------------------------------------------
   14          202.38.162.1    0    RD|ST   1      IPSEC
   16          202.38.162.1    0    RD|ST   2      IPSEC
flag meaning
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO-TIMEOUT

Configuration Files

The following are the configuration files of the ME60s.

- Configuration file of ME60 A
#
 sysname ME60A
#
 ike local-name huawei01
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 sa duration 43200
#
ike peer ME60B
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei02
 remote-address 202.38.162.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer ME60B
 proposal tran1
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos1/0/1
 undo shutdown
 ip address 202.38.163.1 255.255.255.0
 ipsec policy map1
#
 ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
#
return

- Configuration file of ME60 B
#
 sysname ME60B
#
 ike local-name huawei02
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 sa duration 43200
#
ike peer ME60A
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei01
 remote-address 202.38.163.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer ME60A
 proposal tran1
#
traffic classifier ipsec-using operator or
 if-match acl 3101
#
traffic behavior ipsec-using
 ipsec
#
traffic policy ipsec-using
 classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos2/0/1
 undo shutdown
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
#
 ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
#
return


8 URPF Configuration

About This Chapter

This chapter describes the fundamentals, implementation, and configuration of URPF.

8.1 Introduction
This section describes the fundamentals of Unicast Reverse Path Forwarding (URPF).

8.2 Configuring URPF
This section describes how to configure the URPF function.

8.3 Configuration Examples
This section provides a configuration example of URPF.


8.1 Introduction

This section describes the fundamentals of Unicast Reverse Path Forwarding (URPF).

8.1.1 Overview of URPF

8.1.2 URPF Features of the ME60

8.1.1 Overview of URPF

URPF is used to prevent attacks based on IP source address spoofing.

Generally, when a router receives a packet, it searches for a route according to the destination address of the packet. If a matching route is found, the router forwards the packet; otherwise, the router discards it. Unlike the general routing process, URPF obtains the source address and incoming interface of the packet. Taking the source address as the destination address, URPF checks whether the interface corresponding to the source address in the forwarding table is the incoming interface of the packet. If not, the source address is regarded as spoofed and the packet is discarded. In this way, URPF protects the network against malicious attacks that work by modifying the source address. The model of a source address spoofing attack is as follows.

Figure 8-1 Schematic diagram of the source address spoofing attack (figure: Router A, Router B and Router C; the host behind Router A uses the forged source address 2.1.1.1/24, which really belongs to Router C)

A host connected to Router A (customer network) generates a packet with a forged source IP address 2.1.1.1 and sends the packet to Router B. Router B sends a response packet to Router C, whose IP address is 2.1.1.1. In this way, Router A attacks both Router B and Router C by sending such packets.

URPF can be applied on the upstream incoming interfaces of the router in two application environments: single-homed client and multi-homed client.

- Single-homed client

  Figure 8-2 shows the connection between the client and the convergence router of the ISP. URPF is enabled on GE 1/0/0 of the ISP router to protect the router and the Internet against source address spoofing attacks from the client network.


Figure 8-2 URPF applied on a single-homed client (figure: the client network, source address 169.1.1.1/24, connects to the ISP aggregation router on GE1/0/0, where URPF is enabled; GE2/0/0 and GE3/0/0 lead towards the ISP)

- Multi-homed client

  URPF can be applied in the networking where multiple connections are set up between the client and the ISP, as shown in Figure 8-3. To make URPF work normally, ensure that the packet from the client to a host on the Internet passes through the same link (between the client and the ISP router) as the packet from that host to the client. That is, route symmetry must be ensured; otherwise, URPF discards some normal packets because of mismatched interfaces.

Figure 8-3 URPF applied on a multi-homed client (figure: enterprise Router C is connected to ISP Routers A and B over two links, URPF is enabled on both ISP-side interfaces, and the route path and the packet path must use the same link)

- Multi-homed client with multiple ISPs

  URPF can be applied in the networking where a client is connected to multiple ISPs, as shown in Figure 8-4. In this case, route symmetry must be ensured.


Figure 8-4 URPF applied on a multi-homed client with multiple ISPs (figure: enterprise Router C is connected to Router A of ISP A and Router B of ISP B, both of which reach the Internet; URPF is enabled on the ISP-side interfaces)

8.1.2 URPF Features of the ME60

The ME60 performs the URPF check for all the IP packets on an interface in either of the following modes:

- Loose check

  For the IP packets arriving at the interface, the ME60 checks whether the forwarding table contains an entry for the source address of the IP packets. If the entry exists, the IP packets pass the URPF check.

- Strict check

  For the IP packets arriving at the interface, the ME60 checks whether the forwarding table contains an entry for the source address of the IP packets. If the entry does not exist, the IP packets fail the URPF check. If the entry exists, the ME60 additionally checks whether the outgoing interface specified in this entry is the incoming interface of the IP packets; only if it is do the IP packets pass the URPF check.

The ME60 can also perform the URPF check only for the packets that meet certain conditions. This function is implemented through class-based QoS. The procedure for configuring the ME60 to perform the URPF check for packets meeting certain conditions is as follows:

1. Create a traffic classifier on the ME60. Configure the traffic classifier to identify the packets that meet certain conditions.

2. Create a traffic behavior on the ME60 and configure the traffic behavior to perform the URPF check. For details, see "8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets."

3. Create a traffic policy on the ME60 that binds the classifier to the behavior, so that the ME60 performs the URPF check for the selected type of packets.

4. Apply the traffic policy to an interface or a service policy. The traffic policy can also be applied to the entire equipment; in this case, the ME60 performs the URPF check for all packets that meet the conditions.

For details, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
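The loose and strict checks described above, together with the class-based variant in which a traffic classifier selects the packets to check, as an added Python model (not Huawei's code or the ME60 implementation): the forwarding table, interface names, ACL and packets are constructed for the example, and the scenario mirrors Figures 8-1 and 8-3, including the asymmetric-route case that the strict check drops.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net        # destination prefix held in the forwarding table
    out_iface: str         # outgoing interface recorded for that prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str          # interface the packet arrived on


class ForwardingTable:
    """Longest-prefix-match lookup over a constructed list of routes."""

    def __init__(self, routes: List[Route]) -> None:
        # Most specific prefix first, so the first hit is the longest match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.IPv4Address(addr)
        for route in self.routes:
            if ip in route.prefix:
                return route
        return None


def urpf_check(fib: ForwardingTable, pkt: Packet, mode: str) -> bool:
    """True if the packet passes URPF in the given mode ("loose" or "strict").

    The source address is looked up as though it were a destination.  Loose
    mode only needs an entry to exist; strict mode also needs that entry's
    outgoing interface to be the packet's incoming interface.
    """
    route = fib.lookup(pkt.src)
    if route is None:
        return False                     # no entry for the source: fails both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return route.out_iface == pkt.in_iface
    raise ValueError(f"unknown URPF mode: {mode}")


# Class-based URPF (8.2.3): a traffic classifier matching an ACL selects which
# packets the "ip urpf" behavior applies to; unmatched packets are not checked.
AclRule = Tuple[IPv4Net, IPv4Net]        # (permitted source net, permitted destination net)


def classifier_matches(acl: List[AclRule], pkt: Packet) -> bool:
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def policy_check(fib: ForwardingTable, acl: List[AclRule], pkt: Packet, mode: str) -> bool:
    """Apply a traffic policy whose behavior is 'ip urpf <mode>' to one packet."""
    if not classifier_matches(acl, pkt):
        return True                      # outside the classifier: forwarded unchecked
    return urpf_check(fib, pkt, mode)


def demo() -> dict:
    """Constructed ISP-router scenario in the spirit of Figures 8-1 and 8-3."""
    fib = ForwardingTable([
        Route(IPv4Net("10.1.1.0/24"), "GE1/0/0"),     # single-homed customer network
        Route(IPv4Net("2.1.1.0/24"), "GE2/0/0"),      # network behind Router C
        Route(IPv4Net("172.16.0.0/16"), "GE3/0/0"),   # multi-homed enterprise, preferred link
    ])
    legit = Packet("10.1.1.5", "2.1.1.1", "GE1/0/0")           # source really lives behind GE1/0/0
    spoofed = Packet("2.1.1.1", "10.1.1.5", "GE1/0/0")         # Figure 8-1: forged source 2.1.1.1
    unroutable = Packet("198.51.100.7", "2.1.1.1", "GE1/0/0")  # no entry for this source at all
    asymmetric = Packet("172.16.4.2", "2.1.1.1", "GE1/0/0")    # enterprise sent via its other link
    # Constructed classifier covering only traffic towards 2.1.1.0/24.
    acl: List[AclRule] = [(IPv4Net("0.0.0.0/0"), IPv4Net("2.1.1.0/24"))]
    return {
        "legit_strict": urpf_check(fib, legit, "strict"),            # True
        "spoofed_loose": urpf_check(fib, spoofed, "loose"),          # True: an entry exists
        "spoofed_strict": urpf_check(fib, spoofed, "strict"),        # False: entry points at GE2/0/0
        "unroutable_loose": urpf_check(fib, unroutable, "loose"),    # False: no entry
        "asymmetric_loose": urpf_check(fib, asymmetric, "loose"),    # True
        "asymmetric_strict": urpf_check(fib, asymmetric, "strict"),  # False: legitimate packet dropped
        "policy_asymmetric_strict": policy_check(fib, acl, asymmetric, "strict"),  # False: matched, checked
        "policy_spoofed_strict": policy_check(fib, acl, spoofed, "strict"),        # True: not matched
    }
```

The last two results show the classifier's scope matters: a class-based policy only protects against spoofed sources inside the flows the ACL selects.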


8.2 Configuring URPF

This section describes how to configure the URPF function.

8.2.1 Establishing the Configuration Task

8.2.2 Enabling URPF on an Interface

8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets

8.2.1 Establishing the Configuration Task

Applicable Environment

To prevent source address spoofing attacks on the network, configure URPF to check whether the source IP addresses of packets match their incoming interfaces. If the source IP address of a packet matches the incoming interface, the source IP address is considered legal and the packet is allowed to pass; otherwise, the source IP address is considered forged and the packet is discarded.

Pre-configuration Task

Before configuring the URPF function, complete the following tasks:

- Configuring the link-layer parameters of the interface
- Configuring an IP address for the interface

Data Preparation

To configure the URPF function, you need the following data.

No.  Data
1    Number of the interface where URPF is to be enabled
2    (Optional) Name of the traffic behavior

8.2.2 Enabling URPF on an Interface

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ip urpf { loose | strict }

URPF is enabled on the interface.

If the loose keyword is selected, the ME60 performs the loose URPF check. That is, if the forwarding table contains an entry for the source address of a packet, the packet passes the URPF check, regardless of whether the interface mapped to the source address in the forwarding table is the incoming interface of the packet.

If the strict keyword is selected, the ME60 performs the strict URPF check. That is, a packet passes the URPF check only if the forwarding table contains the related entry and the interface mapped to the source address of the packet is the incoming interface.

----End

8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets

Context

To configure the ME60 to perform the URPF check for packets of a certain type, you need to configure a traffic policy, configure the traffic behavior in the traffic policy, and then apply the traffic policy.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
traffic behavior behavior-name

The behavior view is displayed.

Step 3 Run:
ip urpf { strict | loose }

The traffic behavior is configured to perform the URPF check.

NOTE

For the complete procedure, see "8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets." For the configuration and application of the traffic policy, refer to chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

----End


8.3 Configuration Examples

This section provides a configuration example of URPF.

8.3.1 Example for Configuring URPF

8.3.1 Example for Configuring URPF

Networking Requirements

You need to enable URPF on the ISP router, namely, ME60 B. As shown in Figure 8-5, ME60 A and ME60 B are directly connected. Enable URPF on interface GE1/0/0 of ME60 B; loose URPF check is required for the IP packets arriving at this interface. Enable URPF on interface GE1/0/0 of ME60 A; strict URPF check is required for the IP packets arriving at this interface.

Figure 8-5 Networking of URPF configuration (figure: ME60 A, GE1/0/0 172.19.139.1/30, is directly connected to ME60 B, GE1/0/0 172.19.139.2/30, which is the ISP router)

Configuration Roadmap

The configuration roadmap is as follows:

- Configure strict URPF check for the IP packets arriving at GE1/0/0 of ME60 A.
- Configure loose URPF check for the IP packets arriving at GE1/0/0 of ME60 B.

Data Preparation

To complete the configuration, you need the following data:

IP addresses of the interfaces

Configuration Procedure

1. Configure ME60 A.

# Configure the IP address of GE 1/0/0.
<ME60A> system-view
[ME60A] interface gigabitethernet 1/0/0
[ME60A-GigabitEthernet1/0/0] ip address 172.19.139.1 255.255.255.252
[ME60A-GigabitEthernet1/0/0] undo shutdown

# Enable strict URPF on GE1/0/0.
[ME60A-GigabitEthernet1/0/0] ip urpf strict

2. Configure ME60 B.


# Configure the IP address of GE 1/0/0.
<ME60B> system-view
[ME60B] interface gigabitethernet 1/0/0
[ME60B-GigabitEthernet1/0/0] ip address 172.19.139.2 255.255.255.252
[ME60B-GigabitEthernet1/0/0] undo shutdown

# Enable loose URPF on GE1/0/0.
[ME60B-GigabitEthernet1/0/0] ip urpf loose

Configuration Files

The following are the configuration files of the ME60s.

- Configuration file of ME60 A
#
 sysname ME60A
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.1 255.255.255.252
 ip urpf strict
#
return

- Configuration file of ME60 B
#
 sysname ME60B
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.2 255.255.255.252
 ip urpf loose
#
return


9 DPI Configuration

About This Chapter

This chapter describes the fundamentals of DPI and how to configure network-side DPI and user-side DPI.

9.1 Introduction
This section describes the concept and rationale of DPI and the DPI features supported by the ME60.

9.2 Configuring Basic DPI Functions
This section describes how to configure basic DPI functions.

9.3 Configuring Network-side DPI
This section describes how to configure and apply the DPI policy at the network side.

9.4 Configuring User-side DPI
This section describes how to configure and apply the DPI policy at the user side.

9.5 Configuration Examples
This section provides a configuration example of DPI.


9.1 Introduction

This section describes the concept and rationale of DPI and the DPI features supported by the ME60.

9.1.1 Overview of DPI

9.1.2 DPI Functions Supported by the ME60

9.1.1 Overview of DPI

Background of DPI

With the extensive use of broadband networks, more bandwidth-related applications are being developed and are maturing. This encourages users to use bandwidth services such as P2P, online games, and VoIP. These services attract many users; however, they also bring trouble. For example, many P2P applications maliciously occupy network resources, and thus network congestion occurs. Carriers need to control these illegal network applications.

Rationale of DPI

The deep packet inspection (DPI) technology can identify network applications so that the carrier can control and manage the network.

As shown in Figure 9-1, common packet analysis involves only the source address, destination address, source port, and destination port. Apart from the preceding factors, DPI analyzes the application-layer information to identify various services and applications.

Figure 9-1 Comparison between DPI and the common packet analysis (figure: common packet analysis reads only the source IP, destination IP, source port, destination port and operation fields; DPI additionally reads the payload)


DPI Functions

DPI provides the following three functions:

- Service identification

  DPI identifies the data flow of a legal service by the quintuple. Take the video on demand (VoD) service for example: the source address of the service flow belongs to a network segment configured on the VoD server, and the source port number is fixed.

  Unauthorized users usually hide information about illegal service flows by using certain techniques. For example, a P2P flow may use port 80 of HTTP. Therefore, the service type cannot be identified accurately according to the quintuple (addresses and ports) alone.

  To identify an illegal service flow, DPI analyzes the contents of the IP packet to find the characteristic field or behavior of the service.

- Service control

  DPI controls the identified service flow based on a combination that may consist of the user name, time, bandwidth, and historical traffic volume. DPI handles the service flow in the following ways:

  - Forwards packets as usual.
  - Blocks the service flow.
  - Limits the bandwidth of the service flow.
  - Re-marks the priorities of packets.

  For convenient service operation, all control policies are configured on the policy server. After a user logs in, the policies are delivered dynamically.

- Service statistics

  The statistics of service traffic distribution and usage of a service help to discover the user or the service that affects the normal operation of the network. According to the statistics, the following information can be obtained:

  - Percentage of traffic from attackers
  - Number of online users playing an online game
  - Services consuming bandwidth
  - Illegal VoIP users
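The three DPI functions above (identification by quintuple versus payload, per-service control, and per-service statistics), as an added Python model that is not Huawei's code or the ME60 implementation: the flows, the port table, the policy and the "p2p-example" signature are constructed for the example; the only real signature is the well-known BitTorrent handshake prefix. Flow f2 is the case from the text, P2P traffic carried on port 80.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    name: str               # label used only for the example's results
    proto: str              # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes          # first bytes of the application-layer data
    byte_count: int         # volume carried by the flow, for the statistics part


# Common packet analysis: only the quintuple is consulted, reduced here to
# (protocol, destination port) because the addresses carry no service information.
PORT_TABLE: Dict[Tuple[str, int], str] = {
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("udp", 5060): "voip-sip",
}


def classify_by_quintuple(flow: Flow) -> str:
    return PORT_TABLE.get((flow.proto, flow.dst_port), "unknown")


# DPI: application-layer signatures, tried before the port table so that a P2P
# flow hiding on port 80 is identified as P2P rather than as HTTP.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("p2p-bittorrent", b"\x13BitTorrent protocol"),  # real BitTorrent handshake prefix
    ("p2p-example", b"XPEER/1 "),                    # constructed signature for the example
    ("voip-sip", b"INVITE sip:"),                    # SIP request line
    ("http", b"GET "),
    ("http", b"POST "),
]


def classify_by_dpi(flow: Flow) -> str:
    for service, signature in SIGNATURES:
        if flow.payload.startswith(signature):
            return service
    return classify_by_quintuple(flow)   # no signature hit: fall back to the quintuple


@dataclass(frozen=True)
class Behavior:
    action: str                       # "permit", "deny" or "car"
    cir_kbps: Optional[int] = None    # committed information rate, used by "car"


# Service control: the behavior configured per identified service (constructed
# policy). Services with no entry get the default behavior, permit.
DPI_POLICY: Dict[str, Behavior] = {
    "p2p-bittorrent": Behavior("car", cir_kbps=512),
    "p2p-example": Behavior("deny"),
    "voip-sip": Behavior("permit"),
}


def decide(flow: Flow) -> Tuple[str, str]:
    """Identify the service with DPI and return (service, action) for the flow."""
    service = classify_by_dpi(flow)
    behavior = DPI_POLICY.get(service, Behavior("permit"))
    if behavior.action == "car":
        return service, f"car cir {behavior.cir_kbps} kbit/s"
    return service, behavior.action


def traffic_by_service(flows: List[Flow]) -> Dict[str, int]:
    """Service statistics: bytes per identified service, largest first."""
    totals: Dict[str, int] = {}
    for flow in flows:
        service = classify_by_dpi(flow)
        totals[service] = totals.get(service, 0) + flow.byte_count
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


# Constructed flows; addresses are documentation ranges.
FLOWS: List[Flow] = [
    Flow("f1", "tcp", "10.1.1.5", "203.0.113.10", 40001, 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n", 12_000),
    Flow("f2", "tcp", "10.1.1.6", "203.0.113.20", 40002, 80,
         b"\x13BitTorrent protocol" + bytes(8), 900_000),
    Flow("f3", "udp", "10.1.1.7", "203.0.113.30", 5060, 5060,
         b"INVITE sip:bob@example.org SIP/2.0\r\n", 48_000),
    Flow("f4", "tcp", "10.1.1.8", "203.0.113.40", 40004, 6881,
         b"XPEER/1 HELLO", 300_000),
]


def demo() -> Dict[str, object]:
    return {
        "quintuple": {f.name: classify_by_quintuple(f) for f in FLOWS},
        "dpi": {f.name: classify_by_dpi(f) for f in FLOWS},
        "decisions": {f.name: decide(f) for f in FLOWS},
        "stats": traffic_by_service(FLOWS),
    }
```

Compare the "quintuple" and "dpi" entries for f2: the port table reports HTTP, while the payload signature reports BitTorrent and the policy rate-limits it.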

DPI Implementation

Figure 9-2 Networking of DPI application (figure: users on the access network reach the Internet through the BRAS; the BRAS is connected to a DPI box, an AAA server, a policy server and a report server)


NOTE

The user in the figure represents the access network.

9.1.2 DPI Functions Supported by the ME60

When the operation mode of the Versatile Service Unit (VSU) is set to DPI, the DPI engine identifies P2P applications and enforces service policies for the applications. The ME60 can also be equipped with an external DPI box. The DPI box identifies the service type of a packet and the ME60 controls the service policy. The DPI box can identify various services, including the P2P and VoIP services.

NOTE

The DPI function of the ME60 can be applied in the following cases:

l To control bandwidth of the users connected to the ME60, configure user-side DPI.

l To control bandwidth on the network side, configure network-side DPI.

9.2 Configuring Basic DPI Functions

This section describes how to configure basic DPI functions.

9.2.1 Establishing the Configuration Task

9.2.2 (Optional) Configuring the VSU to Work as the DPI Board

9.2.3 (Optional) Configuring the MAC Address of the DPI Board

9.2.4 Configuring the Packet Inspection Mode

9.2.5 (Optional) Configuring the PTS

9.2.6 Checking the Configuration

9.2.1 Establishing the Configuration Task

Applicable Environment

To use DPI to detect packets, you must configure the basic DPI functions.

If only some of the P2P applications need to be inspected, DPI can be performed by the DPI box on the DPI board of the ME60. In this case, you must set the packet inspection mode to Data Service Unit (DSU). That is, packets are inspected by the DSU, namely, the built-in DPI box.

If many types of applications need to be inspected, the ME60 can be connected to an external DPI box. The external DPI box for the ME60 is called the Policy Traffic Switch (PTS). In this case, you must configure the MAC address of the DPI board and information about the connection between the PTS and the ME60.


NOTE

- The ME60 implements the DPI function after the VSU is configured as the DPI board. Therefore, you need to install the VSU before configuring the DPI function. For the functions of the VSU in DPU mode, refer to the Quidway ME60 Multiservice Control Gateway Product Description.

- You can run the set lpu-work-mode { dpi | sbc | ssu | tsu } slot slot-id command to implement different service functions.

l In this manual, the VSU operating in DPI mode is called the DPI board.

Pre-configuration Task

Before configuring basic DPI functions, complete the following tasks:

- Installing the VSU
- (Optional) Connecting the PTS to the ME60 and configuring the PTS

NOTE

The ME60 and the PTS must be directly connected or connected through a layer-2 device; they cannot be connected through a layer-3 network. It is recommended that you connect the ME60 to the PTS directly.

- Configuring the ME60 so that it can communicate with other routers

Data Preparation

To configure the basic DPI functions, you need the following data.

No.  Data
1    MAC address of the DPI board
2    IP address of the PTS management interface, namely, the interface connected to the PTS
3    Number of the port for listening for the PTS keepalive packets

9.2.2 (Optional) Configuring the VSU to Work as the DPI Board

Context

Do as follows on the ME60.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
set lpu-work-mode dpi slot slot-id

The operation mode of the VSU is set to DPI.


NOTE

- The configured operation mode takes effect after the VSU is restarted.

- The command for configuring the operation mode of the VSU is not recorded in the system configuration file. You can run the display device or display lpu-work-mode command to view the operation mode of the VSU. If the operation mode is configured properly, you need not configure the operation mode again.

----End

9.2.3 (Optional) Configuring the MAC Address of the DPI Board

Context

NOTE

You need to configure the MAC address of the DPI board only when the ME60 is connected to a PTS.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi dsu-mac

The view for configuring the DSU is displayed.

Step 3 Run:
dsu-slot slot-id mac mac-address

The MAC address of the DPI board is configured.

----End

9.2.4 Configuring the Packet Inspection Mode

Context

CAUTION

If the PTS does not exist or is disconnected from the ME60, run the undo dpi-check pts enable command to stop packet inspection by the PTS. This ensures normal operation of the DPI function.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi-check { dsu | pts }* enable

The packet detection mode is configured.

By default, the packet inspection mode is PTS. That is, packets are inspected by the PTS. The prerequisite is that the ME60 is connected to the PTS. The PTS can detect various types of packets, including P2P and VoIP packets.

If the ME60 is not connected to a PTS, you can set the packet inspection mode to DSU. In this case, packets of certain P2P applications are inspected by the built-in DPI box on the DPI board.

----End

9.2.5 (Optional) Configuring the PTS

Context

NOTE

The parameters of the PTS need to be configured only when the ME60 is connected to a PTS.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dpi pts

The PTS configuration view is displayed.

Step 3 Run:
pts-id pts-id ip-address ip-address port-number subscriber-side interface-type interface-number [ internet-side interface-type interface-number ]

The parameters for the connection between the ME60 and the PTS are set.

Step 4 Run:
keep-alive period-value times-value

The interval at which the PTS sends keepalive packets is set.

By default, the PTS sends keepalive packets at an interval of 10 seconds. If the ME60 fails to receive the keepalive packets three consecutive times, it considers the PTS disconnected.

----End

9.2.6 Checking the Configuration

Run the following commands in any view to check the previous configuration.


Action                                    Command
Check the packet detection mode.          display dpi global-policy
Check the MAC address of the DPI board.   display dpi dsu-mac
Check the information about the PTS.      display dpi pts

Run the display dpi global-policy command, and you can view the global configuration of DPI, including the packet inspection mode.

<Quidway> display dpi global-policy
---------------------------------------------------------------------------
 DPI global configration
---------------------------------------------------------------------------
 Global policy group status : active
 Global policy group type   : user first
 Inspecting packets device  : PTS
---------------------------------------------------------------------------
 DPI global policy list
---------------------------------------------------------------------------
 No.  Policy Name  Application type  Protocal type
 0    huawei       p2p               --
---------------------------------------------------------------------------
 Total 1, 1 printed

9.3 Configuring Network-side DPI

This section describes how to configure and apply the DPI policy at the network side.

CAUTION

To implement network-side DPI, you must configure the global DPI policy group and a traffic policy. Classify traffic according to a certain rule and associate each traffic class with a DPI behavior; this yields a DPI traffic policy. Then, apply the DPI traffic policy to inspect network-side packets.

The DPI traffic policy can be applied to the entire system or to an interface:

- When the policy is applied to the entire system, the ME60 inspects traffic of a certain service on all the network-side interfaces.

  NOTE

  If you enable the DPI traffic policy globally by using the global command, the ME60 performs DPI on all network-side and user-side interfaces.

- When the policy is applied to an interface, the ME60 inspects traffic of a certain service only on this interface.

9.3.1 Establishing the Configuration Task

9.3.2 Creating a DPI Policy


9.3.3 Configuring the DPI Policy

9.3.4 Configuring a Global DPI Policy Group

9.3.5 Configuring a DPI Traffic Policy

9.3.6 Applying the Traffic Policy to the Network Side

9.3.7 Checking the Configuration

9.3.1 Establishing the Configuration Task

Applicable Environment

Large amount of service flows may cause network congestion. To avoid this, you need toconfigure the DPI function to identify various services and limit their traffic volumes.

Pre-configuration Task

Before configuring the network-side DPI, complete the following tasks:

- 9.2 Configuring Basic DPI Functions

- Determining whether to apply the global DPI policy

Data Preparation

To configure the network-side DPI, you need the following data.

No. Data

1 DPI policy name

2 Services to be inspected through DPI

3 (Optional) Number of the network-side interface

9.3.2 Creating a DPI Policy

Context

Do as follows on the ME60.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dpi policy dpi-policy-name


A DPI policy is created and the DPI policy view is displayed.

----End

9.3.3 Configuring the DPI Policy

Context

Do as follows on the ME60.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dpi policy dpi-policy-name

The DPI policy view is displayed.

Step 3 Run:service-type service-type [ sub-service-type ]

The service type is configured.

Step 4 Configure the behavior for the service as follows:

- To configure the ME60 to control CAR parameters of the service, run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { upstream | downstream }.

- To configure the ME60 to mark the DSCP value, run remark dscp dscp-value { inbound | outbound }.

- To configure the ME60 to randomly discard packets, run random-drop random-drop-value. This command is recommended for the VoIP service.

- To configure the ME60 to forward all the packets of the specified service with the speed lower than the CIR, run permit.

- To configure the ME60 to discard all packets of the specified service, run deny.

You can configure one or more preceding behaviors. The permit and deny behaviors cannot be configured simultaneously. By default, the behavior in the DPI policy is permit.

----End
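The CAR behavior in Step 4 is easiest to reason about as a token-bucket rate limiter. The following Python model is an added example, not ME60 code: it implements a two-rate three-color marker of the kind described in RFC 2698 and applies the color actions that the traffic behavior in the 9.5.1 configuration file shows (green pass, yellow pass, red discard). It assumes that cir and pir are in kbit/s (the guide's car cir 102400 corresponds to the 100 Mbit/s limit in 9.5.1), that cbs and pbs are in bytes, and that timestamps are in seconds; the page does not state whether the ME60 implements exactly this algorithm.

```python
"""Two-rate three-color marker (RFC 2698 style) as a model of the
car cir/pir/cbs/pbs behavior of a DPI policy.

Added example, not ME60 code. Assumed units: cir/pir in kbit/s, cbs/pbs
in bytes, time in seconds."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

GREEN, YELLOW, RED = "green", "yellow", "red"

# Color actions as the traffic behavior in the 9.5.1 configuration file shows them.
COLOR_ACTION = {GREEN: "pass", YELLOW: "pass", RED: "discard"}


def kbps_to_bytes_per_second(kbps: int) -> int:
    """kbit/s to bytes/s with 1 kbit = 1000 bit (cir 112640 gives 14080000, the
    cbs value paired with it in the 9.5.1 configuration file)."""
    return kbps * 1000 // 8


@dataclass
class TwoRateMarker:
    """Color-blind two-rate three-color marker: a committed bucket (cir, cbs)
    and a peak bucket (pir, pbs)."""
    cir_kbps: int
    cbs: int                          # committed burst size, bytes
    pir_kbps: Optional[int] = None    # defaults to cir (single-rate limiter)
    pbs: Optional[int] = None         # defaults to cbs
    tc: float = field(init=False)     # tokens in the committed bucket
    tp: float = field(init=False)     # tokens in the peak bucket
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if self.pir_kbps is None:
            self.pir_kbps = self.cir_kbps
        if self.pbs is None:
            self.pbs = self.cbs
        if self.pir_kbps < self.cir_kbps or self.pbs < self.cbs:
            raise ValueError("pir/pbs must not be smaller than cir/cbs")
        self.tc = float(self.cbs)     # both buckets start full
        self.tp = float(self.pbs)

    def _refill(self, now: float) -> None:
        dt = now - self.last
        if dt < 0:
            raise ValueError("packet timestamps must not go backwards")
        self.tc = min(float(self.cbs), self.tc + kbps_to_bytes_per_second(self.cir_kbps) * dt)
        self.tp = min(float(self.pbs), self.tp + kbps_to_bytes_per_second(self.pir_kbps) * dt)
        self.last = now

    def mark(self, size: int, now: float) -> str:
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tp < size:            # exceeds PIR: red, no tokens consumed
            return RED
        if self.tc < size:            # between CIR and PIR: yellow
            self.tp -= size
            return YELLOW
        self.tp -= size               # within CIR: green
        self.tc -= size
        return GREEN


def apply_car(marker: TwoRateMarker, sizes: List[int], now: float) -> Dict[str, int]:
    """Push a burst of packets through the marker at one instant and count the
    colors and the resulting pass/discard decisions."""
    counts = {GREEN: 0, YELLOW: 0, RED: 0, "passed": 0, "discarded": 0}
    for size in sizes:
        color = marker.mark(size, now)
        counts[color] += 1
        counts["passed" if COLOR_ACTION[color] == "pass" else "discarded"] += 1
    return counts


if __name__ == "__main__":
    # Constructed input: 25 full-size packets against a small burst allowance,
    # so that all three colors show up in a single burst.
    m = TwoRateMarker(cir_kbps=102400, cbs=15000, pir_kbps=102400, pbs=30000)
    print(apply_car(m, [1500] * 25, now=0.0))
    print(m.mark(1500, now=0.001))   # 1 ms later the buckets have refilled: green
```

The burst allowance is what separates a brief P2P spike from sustained overuse: with cir alone (pir and pbs defaulted) the marker never produces yellow, so the behavior degrades to a plain permit-below-CIR, discard-above-CIR limiter, which is the permit semantics Step 4 describes.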

9.3.4 Configuring a Global DPI Policy Group

Context

Do as follows on the ME60.

Procedure

Step 1 Run:system-view


The system view is displayed.

Step 2 Run:dpi global-policy

The global DPI policy group view is displayed.

Step 3 Run:dpi-policy dpi-policy-name

The DPI policy is configured as a global policy.

Step 4 (Optional) Run:global

The DPI policy is applied to the entire system.

NOTE

After you run this command, the ME60 may match the service data with the global DPI policy, instead of the user-side DPI policy. For details, see "9.3.6 Applying the Traffic Policy to the Network Side."

Step 5 Run:active

The global DPI policy is activated.

The global DPI policy group is used to inspect packets on a network-side interface. You can also configure DPI on a user-side interface by using the global command. A common DPI policy group is used to inspect packets on a user-side interface but cannot be applied to a network-side interface.

NOTE

For the configuration of a common policy, see "9.4.3 Configuring a Common DPI Policy Group."

By default, the DPI policy is not applied to the entire system, and the global DPI policy is active.

----End

9.3.5 Configuring a DPI Traffic Policy

Context

Do as follows on the ME60.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:traffic classifier traffic-classifier-name [ operator { and | or } ]

A traffic classifier is created and the traffic classifier view is displayed.

Step 3 Define the rule for matching data packets as follows:


- To match the 802.1p field in a packet, run the if-match 8021p 8021p-code command.

- To match the source MAC address of a packet, run the if-match source-mac mac-address command.

- To match the destination MAC address of a packet, run the if-match destination-mac mac-address command.

- To match packets with an ACL, run the if-match acl acl-number command.

- To match the DSCP field of a packet, run the if-match dscp dscp-value command.

- To match the IP precedence of a packet, run the if-match ip-precedence ip-precedence-value command.

- To match the TCP SYN flag of a packet, run the if-match tcp syn-flag flag-value command.

- To specify that all IPv4 packets are matching, run the if-match any command.

Step 4 Run:quit

The system exits from the traffic classifier view.

Step 5 Run:traffic behavior behavior-name

A behavior is created and the behavior view is displayed.

Step 6 Run:dpi

DPI is enabled.

NOTE

After the traffic behavior is configured to DPI, you cannot configure the behavior to redirect in this behavior view.

Step 7 Run:quit

The system exits from the behavior view.

Step 8 Run:traffic policy traffic-policy-name

The traffic policy view is displayed.

Step 9 Run:classifier traffic-classifier-name behavior behavior-name

The traffic classifier is associated with the behavior.

Configure the traffic classifier according to the network requirement so that DPI can be performed for the specified flow. The behavior name specified in this command must be the same as behavior-name you specify in step 5.

NOTE

For the configuration of a traffic policy, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

----End
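How a traffic classifier selects the packets that reach the DPI behavior, as an added Python model that is not ME60 code: a classifier holds the if-match rules from Step 3 and combines them with the and/or operator from Step 2, and a traffic policy binds classifiers to behavior names as in Step 9. Packets are constructed dicts; ACLs are modelled as ordered permit/deny rules with first-match semantics, first-match across the classifiers of a policy is likewise an assumption, and the flag-value test for tcp syn-flag is modelled as a plain equality because the page does not specify it.

```python
"""Evaluation of a traffic classifier and its binding in a traffic policy.

Added example, not ME60 code. Packets are constructed dicts; ACL and
classifier first-match semantics are assumptions."""

from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]                       # constructed packet representation
AclRule = Tuple[str, Callable[[Packet], bool]]   # ("permit" | "deny", predicate)


def acl_permits(rules: List[AclRule], pkt: Packet) -> bool:
    """First matching ACL rule decides; a packet no rule covers is not matched."""
    for action, predicate in rules:
        if predicate(pkt):
            return action == "permit"
    return False


class TrafficClassifier:
    """`traffic classifier NAME [ operator { and | or } ]` with its if-match rules."""

    def __init__(self, name: str, operator: str = "or",
                 acls: Optional[Dict[int, List[AclRule]]] = None) -> None:
        if operator not in ("and", "or"):
            raise ValueError("operator must be 'and' or 'or'")
        self.name = name
        self.operator = operator
        self.acls = acls or {}                   # acl-number -> rules
        self.rules: List[Tuple[str, object]] = []

    def if_match(self, kind: str, value: object = None) -> "TrafficClassifier":
        """Add one if-match rule; returns self so rules can be chained."""
        self.rules.append((kind, value))
        return self

    def _rule_matches(self, kind: str, value: object, pkt: Packet) -> bool:
        if kind == "any":                        # if-match any: every IPv4 packet
            return bool(pkt.get("ipv4"))
        if kind == "acl":
            return acl_permits(self.acls.get(value, []), pkt)
        header_field = {                         # the remaining rules compare one header field
            "8021p": "8021p",
            "source-mac": "src_mac",
            "destination-mac": "dst_mac",
            "dscp": "dscp",
            "ip-precedence": "ip_precedence",
            "tcp syn-flag": "tcp_syn_flag",      # equality on flag-value is an assumption
        }.get(kind)
        if header_field is None:
            raise ValueError(f"unknown if-match rule: {kind}")
        return pkt.get(header_field) == value

    def matches(self, pkt: Packet) -> bool:
        """and: every rule must match; or: any rule suffices. No rules: no match."""
        if not self.rules:
            return False
        results = [self._rule_matches(k, v, pkt) for k, v in self.rules]
        return all(results) if self.operator == "and" else any(results)


class TrafficPolicy:
    """`traffic policy NAME` holding `classifier C behavior B` bindings."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.bindings: List[Tuple[TrafficClassifier, str]] = []

    def classifier(self, clf: TrafficClassifier, behavior: str) -> "TrafficPolicy":
        self.bindings.append((clf, behavior))
        return self

    def behavior_for(self, pkt: Packet) -> Optional[str]:
        """Behavior name of the first classifier that matches (first-match assumed)."""
        for clf, behavior in self.bindings:
            if clf.matches(pkt):
                return behavior
        return None


def network_side_policy() -> TrafficPolicy:
    """The 9.5.1 network-side setup: ACL 3000 `rule permit ip`, classifier a,
    behavior e. Every IPv4 packet on the interface is handed to DPI."""
    acl3000: List[AclRule] = [("permit", lambda p: bool(p.get("ipv4")))]
    a = TrafficClassifier("a", "or", {3000: acl3000}).if_match("acl", 3000)
    return TrafficPolicy("1").classifier(a, "e")


if __name__ == "__main__":
    policy = network_side_policy()
    # Constructed packets: one IPv4 packet and one non-IP frame.
    print(policy.behavior_for({"ipv4": True, "dscp": 0, "tcp_syn_flag": 1}))   # e
    print(policy.behavior_for({"ipv4": False}))                                 # None
```

The point to take from `network_side_policy` is how coarse the 9.5.1 selector is: an ACL consisting only of `rule permit ip` hands all IPv4 traffic entering GE1/0/0 to the DPI behavior, so the global DPI policy group, not the classifier, is what decides which services are actually limited.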


9.3.6 Applying the Traffic Policy to the Network Side

Procedure

- Applying the traffic policy globally

1. Run:system-view

The system view is displayed.

2. Run:traffic-policy traffic-policy-name inbound

The traffic policy is applied to the inbound direction.

NOTE

A DPI traffic policy cannot be applied to the outbound direction.

If you apply the traffic policy globally and run the global command in the global DPI policy view at the same time, the DPI policy takes effect on all network-side and user-side interfaces. The common DPI policies configured on the user-side interfaces become invalid. If you do not run the global command, the global DPI takes effect only on all the network-side interfaces.

- Applying the traffic policy to an interface

1. Run:system-view

The system view is displayed.

2. Run:interface interface-type interface-number

The interface view is displayed.

3. Run:traffic-policy traffic-policy-name { inbound | outbound } [ link-layer ]

The traffic policy is applied to the interface.

----End

9.3.7 Checking the Configuration

Run the following commands in any view to check the previous configuration.

Action Command

Check information about the global DPI policy.

display dpi global-policy [ verbose ]

Check information about the DPI policy.

display dpi policy [ dpi-policy-name ]


9.4 Configuring User-side DPI

This section describes how to configure and apply the DPI policy at the user side.

NOTE

The user-side DPI policy functions on each user individually. For example, you run the car cir command to set bandwidth for a user to 1 Mbit/s. The ME60 then checks bandwidth of each user. If bandwidth of a user exceeds 1 Mbit/s, the ME60 limits traffic volume of this user.

9.4.1 Establishing the Configuration Task

9.4.2 Creating and Configuring a DPI Policy

9.4.3 Configuring a Common DPI Policy Group

9.4.4 Applying the User-side DPI Policy to the Domain

9.4.5 (Optional) Enabling DPI on a BAS Interface

9.4.6 (Optional) Configuring the Restriction Policy

9.4.7 Checking the Configuration

9.4.1 Establishing the Configuration Task

Applicable Environment

Some applications may maliciously occupy network resources, which causes network congestion. To avoid network congestion, you need to configure the DPI function to identify various applications and limit the traffic of these applications.

Use one of the following methods to configure the user-side DPI policy:

- To inspect the users that go online through a BAS interface, configure a restriction policy on the ME60 and enable DPI on the BAS interface.

- To inspect the users that go online from a domain, configure a common DPI policy group and bind the policy group to the domain.

- Configure the policy server to deliver the DPI policy for users.

The DPI policy delivered by the policy server has the highest priority, and the DPI policy configured on a BAS interface has the lowest priority.

If the DPI policy is delivered by the policy server, the ME60 dynamically matches the user packets with the DPI policy after a user goes online. If the user packets do not match the delivered policy, the ME60 matches the packets with the DPI policy bound to the domain. If no DPI policy is bound to the domain, or the user packets do not match the service type specified by the DPI policy, the ME60 performs DPI according to the restriction DPI policy configured on the BAS interface.

NOTE

For the method of configuring the policy server to deliver the DPI policy, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.

Pre-configuration Task

Before configuring the user-side DPI, complete the following tasks:


- 9.2 Configuring Basic DPI Functions

- Enabling users to connect to the Internet through the ME60

- Enabling the value-added service

NOTE

The DPI service is a value-added service. Therefore, you must enable value-added services before configuring DPI. For the method of enabling value-added services, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.

Data Preparation

To configure the user-side DPI, you need the following data.

No. Data

1 DPI policy name

2 Name of the common DPI policy group

3 Domain where the DPI policy is to be configured

4 (Optional) BAS interface where the DPI policy is to be configured

9.4.2 Creating and Configuring a DPI Policy

See "9.3.2 Creating a DPI Policy" and "9.3.3 Configuring the DPI Policy".

9.4.3 Configuring a Common DPI Policy Group

Context

Do as follows on the ME60.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dpi policy-group policy-group-name

A common DPI policy group is created and the common DPI policy group view is displayed.

Step 3 Run:dpi-policy dpi-policy-name

A common DPI policy is bound to the policy group.

----End


9.4.4 Applying the User-side DPI Policy to the Domain

Context

Do as follows on the ME60.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:aaa

The AAA view is displayed.

Step 3 Run:domain domain-name

The domain view is displayed.

Step 4 Run:dpi-policy-group policy-group-name

A common DPI policy group is applied to the domain.

The common DPI policy group must be an existing one.

When the common DPI policy is applied to the domain, the ME60 can identify whether a domain user uses the DPI service. The ME60 can then limit the traffic of this user.

----End

9.4.5 (Optional) Enabling DPI on a BAS Interface

Context

CAUTION

After DPI is enabled on a BAS interface, if no DPI policy is bound to the domain, or the user packets do not match the service type specified by the DPI policy, the ME60 performs DPI according to the restriction DPI policy configured on the BAS interface. Therefore, you must configure a restriction DPI policy when enabling DPI on a BAS interface; otherwise, DPI does not take effect on the BAS interface.

Procedure

Step 1 Run:system-view


The system view is displayed.

Step 2 Run:interface interface-type interface-number

The interface view is displayed.

Step 3 Run:bas

The BAS interface view is displayed.

Step 4 Run:access-type layer2-subscriber [ bas-interface-name name | default-domain { pre-authentication domain-name | authentication [ force | replace ] domain-name } * | accounting-copy radius-server radius-name ] *

The access type of the interface is set to layer-2 subscriber.

Or run:

access-type layer2-leased-line user-name username password [ bas-interface-name name | default-domain authentication domain-name | accounting-copy radius-server radius-name | nas-port-type type ] *

The access type of the interface is set to layer-2 leased line.

Or run:

access-type layer3-leased-line user-name username password [ bas-interface-name name | default-domain authentication domain-name | accounting-copy radius-server radius-name | nas-port-type type ] *

The access type of the interface is set to layer-3 leased line.

Step 5 Run:dpi-enable

DPI is enabled.

Step 6 Run:authentication-method { { ppp | dot1x | { web | fast } } * | bind }

The authentication method of the user is set.

After DPI is enabled on the BAS interface, the ME60 performs the following:

- If a common DPI policy group is bound to the domain, the ME60 matches packets of the users going online from the domain with the common DPI policy. If the user packets do not match any service type specified by the common DPI policy, the ME60 matches the user packets with the restriction DPI policy.

- If no common DPI policy group is bound to the domain, the ME60 matches the user packets with the restriction DPI policy directly.

----End
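The precedence stated in 9.4.1 (policy delivered by the policy server, then the common DPI policy group bound to the domain, then the restriction policy on a DPI-enabled BAS interface) together with the two cases listed above, as an added Python model that is not ME60 code. A DPI policy is represented as a dict from service type to behavior string; the constructed data mirrors the 9.5.1 example (group dpi_user bound to domain isp1) plus a constructed restriction policy, and the service label "other" is constructed to show the no-match case.

```python
"""Which user-side DPI policy applies to one packet of one user.

Added example, not ME60 code. Policies are dicts service-type -> behavior;
all configuration data below is constructed or taken from section 9.5.1."""

from typing import Dict, List, Optional, Tuple

DpiPolicy = Dict[str, str]     # e.g. {"p2p": "car cir 10240 downstream"}


class UserSession:
    """One online user: its domain, whether dpi-enable is set on its BAS
    interface, and an optional policy the policy server delivered for it."""

    def __init__(self, domain: str, bas_dpi_enabled: bool,
                 server_policy: Optional[DpiPolicy] = None) -> None:
        self.domain = domain
        self.bas_dpi_enabled = bas_dpi_enabled
        self.server_policy = server_policy


class UserSideDpi:
    """User-side DPI configuration of the device, mirroring the commands in 9.4."""

    def __init__(self) -> None:
        self.policy_groups: Dict[str, List[DpiPolicy]] = {}   # dpi policy-group NAME
        self.domain_group: Dict[str, str] = {}                # domain -> dpi-policy-group
        self.restricted_policy: Optional[DpiPolicy] = None    # dpi restricted-policy

    def resolve(self, session: UserSession, service_type: str) -> Tuple[str, Optional[str]]:
        """Return (source, behavior) for a packet whose service DPI has identified.

        Precedence from 9.4.1: policy server > domain policy group > restriction
        policy; the restriction policy applies only when dpi-enable is set on the
        BAS interface (CAUTION in 9.4.5). If nothing matches, DPI does not act."""
        # 1. A policy delivered by the policy server has the highest priority.
        if session.server_policy and service_type in session.server_policy:
            return ("policy-server", session.server_policy[service_type])

        # 2. The common DPI policy group bound to the user's domain.
        group = self.domain_group.get(session.domain)
        for policy in self.policy_groups.get(group, []):
            if service_type in policy:
                return ("domain", policy[service_type])

        # 3. The restriction policy on a DPI-enabled BAS interface (lowest priority).
        if (session.bas_dpi_enabled and self.restricted_policy
                and service_type in self.restricted_policy):
            return ("bas-restriction", self.restricted_policy[service_type])

        return ("none", None)


def example_device() -> UserSideDpi:
    """Configuration of the 9.5.1 example plus a constructed restriction policy."""
    dev = UserSideDpi()
    dev.policy_groups["dpi_user"] = [{"p2p": "car cir 10240 downstream"}]   # dpi2
    dev.domain_group["isp1"] = "dpi_user"
    # Constructed: a restriction policy that denies P2P and rate-limits VoIP.
    dev.restricted_policy = {"p2p": "deny", "voip": "car cir 512 upstream"}
    return dev


if __name__ == "__main__":
    dev = example_device()
    for who, session in [
        ("isp1 user, dpi-enable", UserSession("isp1", True)),
        ("isp2 user, dpi-enable", UserSession("isp2", True)),
        ("isp2 user, no dpi-enable", UserSession("isp2", False)),
    ]:
        for service in ("p2p", "voip", "other"):
            print(who, service, dev.resolve(session, service))
```

The case worth checking on a real deployment is the third one: a user whose domain has no policy group and whose BAS interface lacks dpi-enable gets no DPI at all, which is exactly the gap the CAUTION in 9.4.5 warns about.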

9.4.6 (Optional) Configuring the Restriction Policy

Context

Do as follows on the ME60.


Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dpi restricted-policy

The restriction policy view is displayed.

Step 3 Run:service-type service-type

The service type is configured.

Step 4 Configure the behavior for the service as follows:

- To configure the ME60 to control the CAR parameters, run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { upstream | downstream }.

- To configure the ME60 to forward all the packets of the specified service with the speed lower than the CIR, run permit.

- To configure the ME60 to discard all packets of the specified service, run deny.

You can configure one or more preceding behaviors. The permit and deny behaviors cannot be configured simultaneously. By default, the behavior in the DPI policy is permit.

The restriction policy is applied to a BAS interface. The ME60 controls traffic of each user on the DPI-enabled BAS interface according to the restriction policy.

By default, no restricted policy is configured.

----End

9.4.7 Checking the Configuration

Run the following commands in any view to check the previous configuration.

Action Command

Check information about the DPI policy.

display dpi policy [ dpi-policy-name ]

Check information about the restriction DPI policy.

display dpi restricted-policy

Check information about the common DPI policy group.

display dpi policy-group [ policy-group-name ]

9.5 Configuration Examples

This section provides a configuration example of DPI.

9.5.1 Example for configuring the DPI Function


9.5.1 Example for configuring the DPI Function

Networking Requirement

As shown in Figure 9-3, the ME60 functions as the broadband access device. The GE1/0/0 interface is connected to the Internet. The GE2/0/0 interface provides the broadband access service for users. The user in the figure represents the access network. The ME60 is connected to the PTS through GE3/0/0. The PTS performs DPI for service packets. When the P2P traffic on GE1/0/0 exceeds 100 Mbit/s, the ME60 limits the traffic. When the P2P traffic of a user in domain isp1 on GE2/0/0 exceeds 10 Mbit/s, the ME60 limits the traffic.

Figure 9-3 Networking for DPI configuration

[Figure 9-3: the ME60 connects to the Internet through GE1/0/0, to the user (access network) through GE2/0/0, and to the PTS through GE3/0/0.]

Configuration Roadmap

The configuration roadmap is as follows:

- Configure the basic DPI information.

- Configure the PTS.

- Configure the network-side DPI.

- Configure the user-side DPI.

Data Preparation

To complete the configuration, you need the following data:

- Slot number and MAC address of the DPI board

- IP address of the PTS, port number used to monitor the keepalive packets, interface connected to the ME60, interval of keepalive packets, and number of keepalive timeout events on the PTS

Configuration Procedure

NOTE

This configuration example describes only the commands used to configure DPI.

1. Configure the basic DPI information.

# (Optional) Configure the VSU to function as the DPI board.
<Quidway> system-view
[Quidway] set lpu-work-mode dpi slot 3
[Quidway] quit
<Quidway> reset slot 3

# Configure the MAC address of the DPI board.
<Quidway> system-view
[Quidway] dpi dsu-mac
[Quidway-dpi-dsu-mac] dsu-slot 3 mac 00e0-abcd-abcd
[Quidway-dpi-dsu-mac] quit

# Configure information about the PTS on the DPI board.
[Quidway] dpi pts
[Quidway-dpi-pts] pts-id 1234 ip-address 100.1.1.1 4000 subscriber-side gigabitethernet 3/0/0
[Quidway-dpi-pts] keep-alive 5 3

2. Configure the PTS.

After the PTS is connected to the ME60, you can log in to the configuration window from a personal computer to set the following parameters.

Parameter Value

system_id 1234

Servername 100.1.1.1

peer_etherAddress 00e0-abcd-abcd

port_etherAddress MAC address of the PTS interface connected to the ME60

port_ipAddress IP address of the PTS interface connected to the ME60

port_udpPort 4000

NOTE

The preceding parameters may vary on different PTSs. Set the parameters according to the actual situation.

You need to set other parameters of the PTS, such as the user name and password of the login user, and service type. For the configuration procedure, refer to documents about the LIG. The ME60 works with PTSs of other vendors to provide the DPI function for various services. Huawei does not provide the PTS.

3. Configure the network-side DPI.

# Configure a DPI policy. Specify that the ME60 limits the P2P traffic when the P2P traffic volume on GE1/0/0 exceeds 100 Mbit/s.
[Quidway] dpi policy dpi1
[Quidway-dpi-policy-dpi1] service-type p2p
[Quidway-dpi-policy-dpi1] car cir 102400 upstream
[Quidway-dpi-policy-dpi1] quit

# Configure the global DPI policy group.
[Quidway] dpi global-policy
[Quidway-dpi-global-policy] dpi-policy dpi1
[Quidway-dpi-global-policy] active
[Quidway-dpi-global-policy] quit

# Configure an ACL.
[Quidway] acl 3000
[Quidway-acl-adv-3000] rule permit ip
[Quidway-acl-adv-3000] quit

# Configure the traffic classifier and define the ACL-based traffic classification rules.
[Quidway] traffic classifier a
[Quidway-classifier-a] if-match acl 3000
[Quidway-classifier-a] quit

# Configure the behavior to DPI.
[Quidway] traffic behavior e
[Quidway-behavior-e] car cir 112640
[Quidway-behavior-e] dpi
[Quidway-behavior-e] quit

# Define a traffic policy and associate the traffic classifier with the behavior.
[Quidway] traffic policy 1
[Quidway-trafficpolicy-1] classifier a behavior e
[Quidway-trafficpolicy-1] quit

# Apply the traffic policy to GE1/0/0.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-gigabitethernet1/0/0] traffic-policy 1 inbound
[Quidway-gigabitethernet1/0/0] undo shutdown
[Quidway-gigabitethernet1/0/0] quit

4. Configure the user-side DPI.

# Enable value-added services.
[Quidway] value-added-service enable

# Configure a DPI policy. Specify that the ME60 limits the P2P traffic when the P2P traffic volume of a user exceeds 10 Mbit/s.
[Quidway] dpi policy dpi2
[Quidway-dpi-policy-dpi2] service-type p2p
[Quidway-dpi-policy-dpi2] car cir 10240 downstream
[Quidway-dpi-policy-dpi2] quit

# Configure a common DPI policy group.
[Quidway] dpi policy-group dpi_user
[Quidway-dpi-policy-group-text] dpi-policy dpi2
[Quidway-dpi-policy-group-text] quit

# Users go online from domain isp1. Bind the DPI policy to domain isp1 to control the P2P traffic of the users in this domain.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] dpi-policy-group dpi_user

# Configure the authentication method on the interface to binding authentication.
[Quidway] interface gigabitethernet2/0/0
[Quidway-gigabitethernet2/0/0] undo shutdown
[Quidway-gigabitethernet2/0/0] bas
[Quidway-gigabitethernet2/0/0-bas] access-type layer2-subscriber
[Quidway-gigabitethernet2/0/0-bas] authentication-method bind

Configuration Files

#
 sysname Quidway
#
value-added-service enable
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
acl number 3000
 rule 5 permit ip
#
traffic classifier a operator or
 if-match acl 3000
#
traffic behavior e
 dpi
 car cir 112640 cbs 14080000 pbs 35256320 green pass yellow pass red discard
#
traffic policy 1
 classifier a behavior e
#
interface Virtual-Template1
#
interface gigabitethernet1/0/0
 undo shutdown
 traffic-policy 1 inbound
#
interface gigabitethernet2/0/0
 undo shutdown
 pppoe-server bind Virtual-Template 1
 bas
  access-type layer2-subscriber
  authentication-method bind
#
ip pool pool1 local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
dpi policy dpi1
 service-type p2p
 car cir 102400 upstream
#
dpi policy dpi2
 service-type p2p
 car cir 10240 downstream
#
dpi policy-group dpi_user
 dpi-policy dpi2
#
dpi pts
 keep-alive 5 3
 pts-id 1234 ip-address 100.1.1.1 4000 subscriber-side gigabitethernet 3/0/0
#
dpi global-policy
 dpi-policy dpi1
#
dpi dsu-mac
 dsu-slot 1 mac 00e0-abcd-abcd
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
  dpi-policy-group dpi_user
#
return


10 Lawful Interception Configuration

About This Chapter

This chapter describes the concept, process, and configuration of lawful interception.

10.1 Introduction
This section describes the concept and principle of lawful interception and the lawful interception function supported by the ME60.

10.2 Configuring Lawful Interception
This section describes how to configure lawful interception.

10.3 Configuration Examples
This section provides a configuration example of lawful interception.


10.1 Introduction

This section describes the concept and principle of lawful interception and the lawful interception function supported by the ME60.

10.1.1 Concept of Lawful Interception

10.1.2 Principle of Lawful Interception

10.1.3 Role of the ME60 in Lawful Interception

10.1.1 Concept of Lawful Interception

Lawful interception is a law enforcement behavior carried out to monitor the communication services on the public communications network according to the related law and the norm for the public communications network. Lawful interception must be authorized by the authorization department of the law enforcement agency.

Lawful interception requires the support of communication service providers (telecom carriers) and the permission granted by the law enforcement agency. Therefore, lawful interception is implemented jointly by the service providers and the law enforcement agency.

10.1.2 Principle of Lawful Interception

Intercepted Information

In lawful interception, the following information is intercepted:

- CC: the content of the communication, for example, email, and VoIP packets

- IRI: the information related to the communication, including the address, time, and network location

The content of communication (CC) and intercepted related information (IRI) can be provided by the network devices of the carrier. The IRI is generally provided by the AAA server. The CC is provided by the edge router, for example, the ME60.

Scenario for Lawful Interception

Figure 10-1 shows the scenario for lawful interception.

NOTE

In this scenario, the IRI is provided by the AAA server and the CC is provided by the ME60.


Figure 10-1 Scenario for lawful interception

[Figure 10-1 shows the interception center and the interception management center, and, on the carrier network, the LIG management system, the LIG, the AAA server and the ME60. The LIG management system connects to the LIG over L1; the interception management center connects to the LIG management system over HI1 and to the LIG over HI2 and HI3; the LIG connects to the AAA server over X1 and X2 and to the ME60 over X1 and X3.]

Lawful interception involves the following roles:

- Interception center: is the device through which the law enforcement agencies intercept the activities of online users. The interception center initiates the interception and receives the interception result. The functions of the interception center are as follows:

  – Defining the intercepted target

  – Initiating or terminating the interception

  – Receiving and recording the interception results

  – Analyzing the interception result

- Interception management center: is the agent of the interception center. The interception management center receives interception requests from the interception center and interprets the requests into identifiers of the location and service in the network. Then it delivers the interception configuration to the devices of the carrier on the network.

- LIG: functions as the agent between the interception management center and the carrier device. The functions of the Lawful Interception Gateway (LIG) are as follows:

  – Receiving the interception request from the interception management center through the L1 and HI1 interfaces

  – Delivering the configuration of interception to network devices and obtaining intercepted contents through the X interfaces

  – Sending the intercepted contents to the interception management center through the HI2 and HI3 interfaces

- LIG management system: receives the interception requests from the interception management center and delivers them to LIGs. An LIG management system can manage multiple LIGs.

  NOTE

  The LIG management system delivers the configuration to the LIG through the L1 interface. The LIG is located on the network of the carrier, and the LIG management system is managed by the interception management center.

- The carrier deploys the lawful interception function on the network devices on the carrier network. The devices that support lawful interception receive the configuration from the interception management center, and then send the intercepted traffic to the interception management center.

Interfaces for Lawful Interception

Lawful interception involves seven interfaces, as shown in Figure 10-1. Table 10-1 provides the description of these interfaces.

Table 10-1 Description of interfaces for lawful interception

Interface   Description

L1          Connects the LIG management system to the LIG. The L1 interface delivers the interception control command from the interception management center to the LIG.
            NOTE: If multiple LIGs are distributed on the carrier network, the interception control command can be delivered through multiple L1 interfaces so that the LIGs are controlled uniformly.

HI1         Connects the interception management center to the LIG management system. The interception management system delivers management commands to the LIG and receives response through the HI1 interface.

HI2         Connects the interception management center to the LIG. The LIG sends the IRI to the interception management center through the HI2 interface.

HI3         Connects the interception management center to the LIG. The LIG sends the CC to the interception management center through the HI3 interface.

X1          Connects the LIG to the signaling interface of the network device of the carrier. Through the X1 interface, the LIG delivers the interception configuration, including the intercepted user and the interception task, to the network devices of the carrier.

X2          Connects the LIG to the data interface of the network device of the carrier. The network device of the carrier sends the IRI to the LIG through the X2 interface. This interface must guarantee reliability and privacy of the data.

X3          Connects the LIG to the data interface of the network device of the carrier. The network device of the carrier sends the CC and heartbeat information to the LIG through the X3 interface.
            NOTE: The network device and the LIG send heartbeat messages to each other to check the connection between them. If the network device does not receive the heartbeat response message within a certain period, the network device deletes information about all intercepted targets delivered by the LIG. After the heartbeat connection recovers, the LIG delivers information about the interception object again.


NOTE

The ME60 provides the X1 and X3 interfaces. The implementation on the two interfaces is as follows:

- The ME60 supports the X1 interface through the Simple Network Management Protocol version 3 (SNMPv3). To create the X1 interface, you must configure the SNMP information on the ME60.

- The ME60 provides the command lines for configuring the X3 interface to set up the connection with the LIG.

Process of Lawful Interception

Figure 10-2 shows the process of lawful interception.

Figure 10-2 Process of lawful interception

[Figure 10-2 shows the user, the access server, the ME60, the AAA/DHCP server, the LIG, the interception management center, the interception center and the Internet, with the labelled steps: 1. Sends lawful interception authorization; 2. Delivers interception configuration; 3. Sets intercepted target; 4. Intercepts user login information; 5. Reports target user information / Reports intercepted traffic; 6. Interception rules are set on the LIG; 7. The user accesses the Internet; 8. Copies user traffic and sends the traffic to the LIG.]

The process of lawful interception is as follows:

1. The law enforcement agency sends the lawful interception authorization to the interception management center through the electrical interface of the interception center or sends written authorization.

2. The interception management center finds the location of the target user according to the interception request, and then sends the location information to the LIG.

3. The LIG sends the required information to the AAA server according to the interception request. The interception device (such as the IP Probe or Sniffer) of the AAA server sets the interception object according to the received information.


4. The interception device of the AAA server intercepts the AAA traffic according to the interception object. When a target user goes online, the AAA server generates the IRI of the user and sends the IRI to the LIG.

5. The LIG processes the IRI, and then sends the IRI to the interception center.

6. The LIG sends the information about the interception object and the interception task to the ME60 to initiate an interception request.

7. The user connects to the Internet through the ME60. The ME60 sends the accounting information to the AAA server.

8. The ME60 duplicates the upstream traffic of the user, generates the CC, and then sends the CC to the LIG.

9. The LIG sends the CC to the interception center.

NOTE

When the user logs out, the interception device of the AAA server notifies the LIG. The LIG then requests the ME60 to delete information about the interception object delivered by the LIG. The ME60 stops intercepting the traffic.

10.1.3 Role of the ME60 in Lawful Interception

The ME60 functions as the network device of the carrier during lawful interception. It sends interception information through the X3 interface to the LIG, and at the same time, it receives the information about the interception objects sent by the LIG through the X1 interface.

The LIG sends the information about the interception objects through the X1 interface. The ME60 generates the interception rule according to the information about the interception object. The ME60 copies the data matching the interception rule and encapsulates the data in UDP packets as the CC, and then sends the CC to the LIG through the X3 interface. When the information about the target user changes, the ME60 updates the interception rule. When the LIG stops intercepting the user activities, the ME60 deletes the related interception rule.

NOTE

The interception rules generated by the ME60 are not recorded in the configuration file. When the ME60 is restarted, the LIG must send the information about the interception object to the ME60 again so that the interception rule can be generated again.

The ME60 intercepts user activities based on the IP address but it does not differentiate services. During lawful interception, performance of the ME60 may be affected if the intercepted traffic is too high. Therefore, do not set too many interception objects. The ME60 can intercept up to 4 kbit/s one-way traffic or 2 kbit/s two-way traffic.

NOTE

When the ME60 is configured to intercept one-way flows based on the IP address, it intercepts only the flows with the specified source address and destination address. For two-way flows, if the source address of the intercepted flow is set on the LIG, the ME60 intercepts the flows from this address and the flows to this address.

An ME60 can be connected to up to 10 LIGs, but the LIGs cannot deliver the same interception object to the ME60. If multiple LIGs deliver the same interception target, the ME60 sends the interception information to the first matching LIG.

The availability of the lawful interception function on the ME60 is controlled by the license. To use this function, you must buy the license for lawful interception and activate the license. For more information about the license, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.


10.2 Configuring Lawful Interception

This section describes how to configure lawful interception.

10.2.1 Establishing the Configuration Task

10.2.2 Configuring the IP Address of the X3 Interface

10.2.3 Configuring the Type and Port Number of the X3 Interface

10.2.4 Enabling Lawful Interception

10.2.5 Checking the Configuration

10.2.1 Establishing the Configuration Task

Applicable Environment

On the IP network, lawful interception must be configured to guarantee network security and monitor activities of online users.

Pre-configuration Task

Before configuring lawful interception, complete the following tasks:

l Connecting the ME60 to the LIG through the X1 interface

l Buying and activating the license for lawful interception

NOTE

The configuration of the X1 interface is delivered to the ME60 through SNMPv3, so you must configure the SNMP agent on the ME60. For the configuration of the SNMP agent, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Data Preparation

To configure lawful interception, you need the following data.

No.  Data
1    Port number used on the X3 interface
2    IP address of the X3 interface

10.2.2 Configuring the IP Address of the X3 Interface

Context

Do as follows on the router where lawful interception is deployed.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface { gigabitethernet | pos | loopback | eth-trunk | ip-trunk } interface-number

The interface view is displayed.

NOTE

Since the loopback interface is always Up, it is recommended that you use a loopback interface to improve the configuration reliability.

Step 3 Run: ip address ip-address { mask | mask-length }

The IP address of the X3 interface is configured.

----End

10.2.3 Configuring the Type and Port Number of the X3 Interface

Context

Do as follows on the router where lawful interception is deployed.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: lawful-interception x3-interface interface-type interface-number port port-number

The type of the X3 interface for lawful interception and the port number used on the X3 interface are configured.

NOTE

l An ME60 can be connected to a maximum of 10 LIGs. All the LIGs are connected to the same X3 interface based on the IP address of the X3 interface.

l Use a non-well-known port number larger than 2000 for the X3 interface, so that this port does not conflict with the ports of other programs.

Before configuring the type and port number of the X3 interface, you must configure the IP address of the X3 interface.

By default, no X3 interface is configured on the ME60.

----End


10.2.4 Enabling Lawful Interception

Context

Do as follows on the router where lawful interception is deployed.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: lawful-interception enable

Lawful interception is enabled.

When enabling lawful interception, note the following:

l Before enabling lawful interception, you must configure the X3 interface for lawful interception.

l After lawful interception is enabled, the IP address of the X3 interface cannot be deleted or changed. To change the IP address of the X3 interface, run the undo lawful-interception enable command to disable lawful interception.

l After you run the undo lawful-interception enable command, the ME60 deletes the information delivered by the LIG, including:

– IP address of the LIG

– Information about the intercepted user

By default, lawful interception is disabled.

----End

10.2.5 Checking the Configuration

Run the following command in the system view to check the previous configuration.

Action                                            Command
Check the configuration of lawful interception.   display lawful-interception

The display information of the preceding command is as follows:

[Quidway] display lawful-interception
Lawful Interception:
 Lawful Interception function is : Enabled
 Lawful Interception X3 interface is GigabitEthernet9/0/4
 Lawful Interception X3 port is 3000


10.3 Configuration Examples

This section provides a configuration example of lawful interception.

10.3.1 Example for Configuring Lawful Interception

10.3.1 Example for Configuring Lawful Interception

NOTE

Only the configuration of lawful interception is provided in this example.

Networking Requirements

As shown in Figure 10-3, the ME60 functions as the network device of the carrier. Loopback0 is the X3 interface connected to the LIG. Based on this network, the ME60 performs lawful interception through the X3 interface. The PPPoE user connects to the ME60 through GE8/0/1. RADIUS authentication and RADIUS accounting are adopted for the user. The RADIUS server provides the IRI for the LIG.

The LIG delivers information required for lawful interception to the ME60 through the SNMP protocol. The ME60 sends the interception information to the LIG through the X3 interface.

Figure 10-3 Networking of lawful interception

[Figure 10-3 shows the user attached to GE8/0/1 of the ME60, the ME60 with Loopback0 100.100.100.1/24, a LAN switch, the LIG at 100.100.1.100/24, the RADIUS server, and the Internet.]

NOTE

In this example, the RADIUS server performs authentication and accounting for the user. You also need to install the interception software, such as IP Probe and Sniffer, to enable the RADIUS server to provide the IRI for the LIG.

Configuration Roadmap

The configuration roadmap is as follows:

l Configure the SNMP Agent and the LIG to ensure the normal communication between the ME60 and the LIG.

l Configure the IP address of the X3 interface.


l Configure the address and port number of the X3 interface.

l Enable lawful interception.

l Configure user access.

Data Preparation

To complete the configuration, you need the following data:

l User name and password of the SNMP user and the authentication protocol

l IP address and port number of the X3 interface

Configuration Procedure

1. Configure the SNMP agent.

NOTE

In this example, only the basic configuration of SNMP is described. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

<Quidway> system-view
[Quidway] snmp-agent
[Quidway] snmp-agent sys-info version all
[Quidway] snmp-agent community read public
[Quidway] snmp-agent community write private
[Quidway] snmp-agent group v3 huawei authentication read-view snmpv3 write-view snmpv3
[Quidway] snmp-agent mib-view included snmpv3 iso
[Quidway] snmp-agent usm-user v3 usera huawei authentication-mode md5 123456789

NOTE

After configuring the SNMP agent, you must configure the LIG so that the ME60 can communicate with the LIG. You need to configure the SNMP information, addresses of the X2 and X3 interfaces, port numbers used on the X2 and X3 interfaces, and information about the intercepted flows. For the configuration procedure, refer to documents about the LIG. The ME60 works with the LIGs of other vendors to implement lawful interception. Huawei does not provide the LIG.

2. Configure IP addresses of the interfaces.

[Quidway] interface loopback0
[Quidway-LoopBack0] ip address 100.100.100.1 24
[Quidway-LoopBack0] quit

3. Configure the address and port number of the X3 interface.

[Quidway] lawful-interception x3-interface loopback0 port 3000

4. Enable lawful interception.

[Quidway] lawful-interception enable

5. Configure access of the PPPoE user.

For the configuration procedure, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.

Configuration Files

#
 sysname Quidway
#
lawful-interception x3-interface loopback port 3000
lawful-interception enable
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
interface Virtual-Template1
#
interface GigabitEthernet8/0/1
 pppoe-server bind Virtual-Template 1
 bas
  access-type layer2-subscriber
#
interface LoopBack0
 ip address 100.100.100.1 255.255.255.0
#
ip pool pool1 local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
#
 snmp-agent
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
 snmp-agent group v3 huawei authentication read-view snmpv3 write-view snmpv3
 snmp-agent mib-view included snmpv3 iso
 snmp-agent usm-user v3 usera huawei authentication-mode md5 F;MZ0<T2Z.R:_-XWOWW!L1!!
#
return


11 User Log Configuration

About This Chapter

This chapter describes the concept and configuration of user logs.

11.1 Introduction
This section describes the concept and classification of user logs.

11.2 Configuring the User Log
This section describes how to configure the user log.

11.3 Debugging the User Log
This section provides the command for enabling debugging of the user log.

11.4 Configuration Examples
This section provides a configuration example of the user log.


11.1 Introduction

This section describes the concept and classification of user logs.

Most countries have specific requirements for information security. An ISP must have the capability of recording activities of users, such as login, logout, and access to network resources.

The ME60 provides user logs to record information about user login and logout so that carriers and security agents can manage and monitor users.

The user log on the ME60 contains the user name, operation type (login and logout), login and logout time, VLAN/PVC, access interface, IP address, and MAC address of the user.

11.2 Configuring the User Log

This section describes how to configure the user log.

11.2.1 Establishing the Configuration Task

11.2.2 Configuring the User Log Host

11.2.3 Configuring the Version of User Log Packets

11.2.4 Enabling the User Log Function

11.2.5 Applying the User Log

11.2.6 Checking the Configuration

11.2.1 Establishing the Configuration Task

Applicable Environment

When you need to record the information about user login and logout, you need to configure the user log.

Pre-configuration Task

None.

Data Preparation

To configure the user log, you need the following data.

No.  Data
1    IP address and port number of the log host
2    Version of the user log packet

11.2.2 Configuring the User Log Host


Context

NOTE

The user log host receives the user log packets sent by the ME60 and analyzes the packets. Before enabling the user log function, you must configure the user log host.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip userlog [ access ] export host ip-address udp-port

The user log host is configured.

----End

11.2.3 Configuring the Version of User Log Packets

Context

NOTE

The version configured on the ME60 must be the same as the version configured on the user log host. By default, the version of user log packets is not configured in the system. Therefore, before enabling the user log function, you must configure the version of user log packets.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip userlog [ access ] export version version

The version of the user log packets is configured.

The format of the user log packets has two versions: version 1 and version 2. The two versions are different in the format of the VLAN/PVC field in the packets, as shown in Table 11-1.

Table 11-1 Difference between the two versions of the user log packets

Version  VLAN                                                            PVC
1        A common VLAN number of two bytes                               A PVC number of two bytes
2        A stack VLAN number of two bytes (0 bytes if there is no        A VPI number of two bytes and a VCI number of two bytes
         stack VLAN number) and a common VLAN number of two bytes


----End

11.2.4 Enabling the User Log Function

Context

Do as follows on the ME60.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip userlog

The user log function is enabled.

----End

11.2.5 Applying the User Log

Context

Do as follows on the ME60.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: traffic behavior behavior-name

A behavior is created and the behavior view is displayed.

Step 3 Run: userlog

The user log behavior is defined.

After the version of user log packets and the log host are configured and the log function is enabled, the system records the information about login and logout activities of each user in the log.

For the configurations of the traffic classifier, traffic behavior, and traffic policy, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.

----End


11.2.6 Checking the Configuration

Run the following commands in any view to check the previous configuration.

Action                                     Command
Check the configuration of the user log.   display ip userlog [ access ] config
Display the statistics of the user log.    display ip userlog [ access ] statistic

11.3 Debugging the User Log

This section provides the command for enabling debugging of the user log.

CAUTION

Debugging affects the system performance. So, after debugging, run the undo debugging all command to disable it immediately.

When a fault occurs in the user log function, run the following debugging command in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Action                                 Command
Enable the debugging of the user log.  debugging ip userlog { access | all | error | packet }

11.4 Configuration Examples

This section provides a configuration example of the user log.

11.4.1 Example for Configuring the User Log

11.4.1 Example for Configuring the User Log

Networking Requirements

As shown in Figure 11-1, users on the local network connect to the Internet through GE1/0/0.1 of the ME60. The information about login and logout of users on the local network 1.1.1.0/24 needs to be recorded. The IP address of the log host is 10.10.10.1; the port number is 1200; the version number of user log packets is 1.


Figure 11-1 Networking for configuring the user log

[Figure 11-1 shows the local network 1.1.1.0 attached to GE1/0/0.1 of the ME60 and the user log host at 10.10.10.1.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure user access.

2. Configure the user log.

3. Define an ACL.

4. Configure the traffic classifier that is based on the ACL rules.

5. Configure the traffic behavior of recording the user log.

6. Configure a traffic policy and associate the traffic behavior with the traffic classifier.

7. Apply the traffic policy to the interface.

Data Preparation

None.

Configuration Procedure

# Configure the user log function.

<Quidway> system-view
[Quidway] ip userlog access export version 1
[Quidway] ip userlog access export host 10.10.10.1 1200
[Quidway] ip userlog

# Create a user group.

[Quidway] user-group access

# Configure user access.

The configuration procedure is not mentioned here. For the configuration procedure and configuration file, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.

NOTE

When configuring user access, run the user-group group-name command to set the user group name to access.

# Define an ACL rule to identify the Internet access service with the source IP address.


[Quidway] acl number 6000
[Quidway-acl-ucl-6000] rule permit ip source user-group access
[Quidway-acl-ucl-6000] quit

# Configure the traffic classifier that is based on the ACL rule.

[Quidway] traffic classifier class1
[Quidway-classifier-class1] if-match acl 6000
[Quidway-classifier-class1] quit

# Configure the traffic behavior of recording the user log.

[Quidway] traffic behavior behav1
[Quidway-behavior-behav1] userlog
[Quidway-behavior-behav1] quit

# Configure the policy, in which the traffic classifier is associated with the behavior.

[Quidway] traffic policy policy1
[Quidway-trafficpolicy-policy1] classifier class1 behavior behav1
[Quidway-trafficpolicy-policy1] quit

# Apply the traffic policy to the interface.

[Quidway] interface gigabitethernet 1/0/0.1
[Quidway-GigabitEthernet1/0/0.1] traffic-policy policy1 inbound

Configuration Files

#
 sysname Quidway
#
 user-group access
#
acl number 6000
 rule 5 permit ip source user-group access
#
traffic classifier class1 operator or
 if-match acl 6000
#
traffic behavior behav1
 userlog
#
traffic policy policy1
 classifier class1 behavior behav1
#
#
interface GigabitEthernet1/0/0.1
 traffic-policy policy1 inbound
#
ip userlog access export version 1
ip userlog access export host 10.10.10.1 1200
ip userlog access
#
return
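The ordering rules in 10.2.2 to 10.2.4 (X3 address before X3 type and port, port above 2000, X3 interface before lawful-interception enable) and in 11.2.2 to 11.2.4 (log host and packet version before ip userlog) are easy to violate when a configuration is edited by hand. The checker below is an added example, not Huawei code: it parses configuration-file text in the form shown in the Configuration Files sections of both chapters and reports each stated prerequisite that does not hold. The line syntax is assumed from the page's examples, and both sample configurations are constructed.

```python
"""Checker for the lawful-interception and user-log prerequisites stated in
10.2.2 to 10.2.4 and 11.2.2 to 11.2.4.  Added example, not Huawei code.

It reads configuration-file text as shown in the "Configuration Files"
sections and reports: an X3 interface without an IP address or not on a
loopback, an X3 port not above 2000, lawful-interception enable without an
X3 interface, and ip userlog without a log host or a packet version of 1 or 2.
The line syntax is assumed from the page; the sample configurations are constructed.
"""
import re

MIN_X3_PORT = 2000  # 10.2.3: use a non-well-known port larger than 2000


def parse_sections(cfg):
    """Split configuration text into (interfaces, top_level): lower-cased interface
    name such as 'loopback0' -> its body lines, plus the system-view commands."""
    interfaces, top, current = {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "#":          # a lone '#' ends a block, as on the page
            current = None
            continue
        m = re.match(r"interface\s+(\S+)$", line, re.I)
        if m:
            current = m.group(1).lower()
            interfaces.setdefault(current, [])
        elif current is not None:
            interfaces[current].append(line)
        else:
            top.append(line)
    return interfaces, top


def check_lawful_interception(cfg):
    """Findings for 10.2.2 to 10.2.4; an empty list means they all hold."""
    interfaces, top = parse_sections(cfg)
    findings = []
    x3 = next((l for l in top if l.startswith("lawful-interception x3-interface")), None)
    if x3 is None:
        if "lawful-interception enable" in top:
            findings.append("lawful-interception enable without an X3 interface (10.2.4)")
        return findings
    # interface type and number may be joined ('loopback0') or split ('gigabitethernet 9/0/4')
    m = re.match(r"lawful-interception x3-interface\s+([a-z\-]+)\s*([\d/]*)\s+port\s+(\d+)$",
                 x3, re.I)
    if m is None:
        return [f"cannot parse X3 interface line: {x3}"]
    itype, port = m.group(1).lower(), int(m.group(3))
    name = itype + m.group(2)
    if not any(l.startswith("ip address") for l in interfaces.get(name, [])):
        findings.append(f"X3 interface {name} has no IP address (10.2.3)")
    if not itype.startswith("loopback"):
        findings.append(f"X3 interface {name} is not a loopback interface (10.2.2 recommends one)")
    if port <= MIN_X3_PORT:
        findings.append(f"X3 port {port} is not above {MIN_X3_PORT} (10.2.3)")
    return findings


def check_user_log(cfg):
    """Findings for 11.2.2 to 11.2.4 (host and version must exist before ip userlog)."""
    _, top = parse_sections(cfg)
    findings, host, version = [], None, None
    enabled = any(re.match(r"ip userlog( access)?$", l) for l in top)
    for l in top:
        m = re.match(r"ip userlog(?: access)? export host (\S+) (\d+)$", l)
        if m:
            host = (m.group(1), int(m.group(2)))
        m = re.match(r"ip userlog(?: access)? export version (\d+)$", l)
        if m:
            version = int(m.group(1))
    if enabled and host is None:
        findings.append("ip userlog enabled without a log host (11.2.2)")
    if enabled and version is None:
        findings.append("ip userlog enabled without a packet version; there is no default (11.2.3)")
    if version is not None and version not in (1, 2):
        findings.append(f"user log packet version {version} is not 1 or 2 (Table 11-1)")
    return findings


# Constructed from the chapter's configuration files (abridged).
GOOD_CFG = """\
lawful-interception x3-interface loopback0 port 3000
lawful-interception enable
#
interface LoopBack0
 ip address 100.100.100.1 255.255.255.0
#
ip userlog access export version 1
ip userlog access export host 10.10.10.1 1200
ip userlog access
"""

# Constructed counter-example: X3 on a physical port with no address, a port in the
# RADIUS range, and ip userlog with nothing else set.
BAD_CFG = """\
lawful-interception x3-interface gigabitethernet 9/0/4 port 1645
lawful-interception enable
#
interface GigabitEthernet9/0/4
 undo shutdown
#
ip userlog access
"""
```

Running `check_lawful_interception(BAD_CFG)` returns three findings and `check_user_log(BAD_CFG)` two, while both return an empty list for GOOD_CFG.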


12 ARP Security Configuration

About This Chapter

This chapter describes how to configure ARP Security.

12.1 Overview to ARP Security
This section describes the principle and concepts of ARP security features.

12.2 Preventing Attacks on ARP Entries
This section describes how to prevent attacks on ARP entries.

12.3 Preventing Scanning Attacks
This section describes how to prevent scanning attacks.

12.4 Maintaining the ARP Security
This section describes how to display and remove statistics about ARP packets and debug ARP packets.

12.5 Configuration Examples
This section provides several configuration examples of ARP security features.


12.1 Overview to ARP Security

This section describes the principle and concepts of ARP security features.

12.1.1 Introduction to ARP Security

12.1.2 ARP Security Supported by the ME60

12.1.1 Introduction to ARP Security

The Address Resolution Protocol (ARP) security is a feature based on ARP. It filters out untrusted ARP packets and limits the speed of ARP packets to guarantee the security and robustness of network devices.

ARP security avoids not only the attacks on the ARP protocol but also the ARP-based attacks, such as the network scanning attack.

Attacks on ARP Entries

In a network, ARP entries are easily attacked. Attackers generate abundant ARP Request and Response packets to attack network devices. Attacks fall into two kinds: ARP buffer overflow attack and ARP Denial of Service (DoS) attack.

l ARP buffer overflow attacks

Figure 12-1 ARP buffer overflow attacks

[Figure 12-1 shows PC A (attacker, IP 192.168.0.1/24, MAC 0000-0000-00aa), PC B (IP 192.168.0.2/24, MAC 0000-0000-00ab) and PC C (IP 192.168.0.3/24, MAC 0000-0000-00ac) attached to the ME60 (IP 192.168.0.10/24, MAC 0018-8200-000f); the ARP packets sent by the attacker carry unresolved (???) MAC addresses.]

As shown in Figure 12-1, the attacker PC A sends abundant bogus ARP Request packets and gratuitous ARP packets (only VLANIF interfaces learn gratuitous ARP packets), which results in ARP buffer overflow. Therefore, normal ARP entries cannot be cached and packet forwarding is interrupted.

l ARP DoS attacks


Figure 12-2 ARP DoS attacks

[Figure 12-2 shows the same topology as Figure 12-1: PC A (attacker, IP 192.168.0.1/24, MAC 0000-0000-00aa), PC B (IP 192.168.0.2/24, MAC 0000-0000-00ab) and PC C (IP 192.168.0.3/24, MAC 0000-0000-00ac) attached to the ME60 (IP 192.168.0.10/24, MAC 0018-8200-000f); the attacker's ARP packets carry unresolved (???) MAC addresses.]

As shown in Figure 12-2, the attacker PC A sends abundant bogus ARP Request and Response packets or other packets that can trigger the ARP processing on the router. The router is then busy with ARP processing during a long period and ignores other services. Normal packet forwarding is thus interrupted.

Scanning Attacks

The attacker scans hosts in the local network segment or hosts in other network segments through some tools. Before returning Response packets, the router should search ARP entries. If the MAC address corresponding to the destination IP address does not exist, the ARP module on the router sends ARP Miss packets to the upper layer and requires the upper layer to send ARP Request messages to obtain the MAC address of the destination.

A great number of scanning packets generate abundant ARP Miss packets. Most resources of the router are wasted in processing ARP Miss packets. This affects the processing of other services and hence is called scanning attacks.

12.1.2 ARP Security Supported by the ME60

The ME60 has realized the following ARP security features to ensure the security and robustness of devices:

l Configuring strict ARP entry learning in the system view or the interface view

l Interface-based ARP entry restriction

l Speed limit for ARP packets

l Speed limit for ARP Miss packets

l Generating and logging alarms for potential attack behaviors

12.2 Preventing Attacks on ARP Entries

This section describes how to prevent attacks on ARP entries.


12.2.1 Establishing the Configuration Task

12.2.2 Configuring Global Strict ARP Entry Learning

12.2.3 Configuring Strict ARP Entry Learning on Interfaces

12.2.4 Configuring Speed Limit for ARP Packets

12.2.5 Configuring Interface-based ARP Entry Restriction

12.2.6 Enabling Alarm Functions for Potential Attack Behaviors

12.2.7 Checking the Configuration

12.2.1 Establishing the Configuration Task

Applicable Environment

In an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked. So, ARP security features need to be configured on the access layer or convergence layer to ensure network security.

NOTE

To configure ARP attack defense, you can configure four features (strict ARP entry learning, speed limit for ARP packets, interface-based ARP entry restriction, and logging potential attack behaviors) separately or in conjunction.

It is recommended that you configure the four features in conjunction to guarantee network security more effectively.

Pre-configuration Task

None.

Data Preparation

To prevent attacks on ARP entries, you need the following data.

No.  Data
1    Limited speed of ARP packets

12.2.2 Configuring Global Strict ARP Entry Learning

Context

Do as follows on the router that needs to be configured with ARP security features:

Procedure

Step 1 Run: system-view


The system view is displayed.

Step 2 Run: arp learning strict

Strict ARP learning is configured.

By default, strict ARP learning is disabled.

After the arp learning strict command is run, the ME60 learns only the reply packets for the ARP request packets that it sent itself.

----End

12.2.3 Configuring Strict ARP Entry Learning on Interfaces

Context

Strict ARP entry learning adopts the following longest-match rules:

l If strict ARP entry learning is configured both on the interface and globally, strict ARP entry learning on the interface is preferred.

l If strict ARP entry learning is not configured on the interface, the global strict ARP entry learning is enabled.

Do as follows on the ME60 whose ARP entries are to be prevented from being attacked:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The ME60 supports strict ARP entry learning on the following interfaces:

l Ethernet interfaces and their sub-interfaces

l Eth-trunk interfaces and their sub-interfaces

l VLANIF interfaces

Step 3 Run: arp learning strict { force-enable | force-disable | trust }

Strict ARP entry learning is configured on the interface.


NOTE

l If the key word force-enable of the command is selected, the interface learns only the reply packets for the ARP request packets that the ME60 sent itself.

l If the key word force-disable of the command is selected, the strict ARP entry learning function on the interface is disabled.

l If the key word trust of the command is selected, the strict ARP entry learning function on the interface is disabled and the global ARP entry learning function is enabled.

----End

12.2.4 Configuring Speed Limit for ARP Packets

Context

Do as follows on the ME60 that needs to be configured with ARP security features:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: arp speed-limit destination-ip maximum maximum slot slot-id

Speed limit for ARP packets is configured.

----End

12.2.5 Configuring Interface-based ARP Entry Restriction

Context

Do as follows on the ME60 that needs to be configured with ARP security features:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The following interfaces are supported:

l Layer 3 Ethernet interfaces and sub-interfaces

l Layer 3 GE interfaces and sub-interfaces

l Layer 3 Eth-Trunk interfaces and sub-interfaces

l Layer 3 virtual Ethernet interfaces

12 ARP Security ConfigurationQuidway ME60 Multiservice Control Gateway

Configuration Guide - Security

12-6 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 05 (2010-09-25)

l Ethernet sub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces that are configuredas QinQ sub-interfaces

l Layer 2 Ethernet portsl Layer 2 GE portsl Layer 2 Eth-Trunk portsl Layer 2 virtual Ethernet portsl VLANIF interfaces

NOTE

If the interface is a Layer 2 port, the port must join a Virtual Local Area Network (VLAN).

Step 3 Run:
arp-limit [ vlan vlan-id [ to vlan-id2 ] ] maximum maximum

Interface-based ARP entry restriction is configured.

vlan-id can be configured in the view of the Layer 2 interface or QinQ sub-interface. If you configure vlan-id in the QinQ sub-interface view, vlan-id specifies the external VLAN ID of the QinQ sub-interface.

----End

12.2.6 Enabling Alarm Functions for Potential Attack Behaviors

Context

Do as follows on the ME60 that needs to be configured with ARP attack defense:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack log-trap-timer time

Generating and logging alarms for potential attack behaviors is configured; time is the interval at which the alarms are generated.

----End
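The four controls configured in sections 12.2.3 to 12.2.6 can be reasoned about as one decision path per incoming ARP packet. The following Python model is an added example, not ME60 code. It assumes, as simplifications, that the destination-ip speed limit is a fixed one-second window counted per slot and destination IP, that strict learning on an interface set to trust follows the global setting, and that arp-limit counts dynamic entries per interface; the interface names, limits and packets are constructed. Discards are tallied in the categories that display arp packet statistics reports.

```python
"""Simulation of the ARP entry protections in sections 12.2.3 to 12.2.6.

Added example, not ME60 code: it models how strict ARP entry learning,
the per-slot destination-IP speed limit and the per-interface entry
limit decide whether an incoming ARP packet is learned or discarded.
Discards are tallied in the categories that `display arp packet
statistics` reports ("Discard For Limit", "Discard For SpeedLimit",
"Discard For Other"). All packets, interfaces and limits are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2  # ARP opcodes


@dataclass
class ArpPacket:
    opcode: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    interface: str  # ingress interface
    slot: int       # ingress slot
    t: float        # arrival time in seconds (constructed)


@dataclass
class ArpSecurityModel:
    global_strict: bool         # global `arp learning strict`
    strict: dict                # interface -> force-enable | force-disable | trust
    speed_limit: dict           # slot -> packets/s per destination IP (assumed semantics)
    entry_limit: dict           # interface -> `arp-limit maximum`
    table: dict = field(default_factory=dict)    # (interface, ip) -> mac
    pending: set = field(default_factory=set)    # IPs the device itself requested
    stats: dict = field(default_factory=lambda: defaultdict(int))
    _bucket: dict = field(default_factory=dict)  # (slot, dst ip) -> (second, count)

    def send_request(self, ip):
        """Record an ARP request the device sends, so that its reply may be learned."""
        self.pending.add(ip)

    def _over_speed(self, pkt):
        """Count ARP packets per destination IP on the slot in fixed 1 s windows."""
        key = (pkt.slot, pkt.target_ip)
        sec = int(pkt.t)
        second, count = self._bucket.get(key, (sec, 0))
        if second != sec:          # a new one-second window starts
            count = 0
        count += 1
        self._bucket[key] = (sec, count)
        limit = self.speed_limit.get(pkt.slot)
        return limit is not None and count > limit

    def _strict_on(self, interface):
        mode = self.strict.get(interface, "trust")
        if mode == "force-enable":
            return True
        if mode == "force-disable":
            return False
        return self.global_strict   # trust: follow the global setting

    def receive(self, pkt):
        """Process one ARP packet addressed to the device and return the verdict."""
        self.stats["received"] += 1
        if self._over_speed(pkt):
            self.stats["discard_speedlimit"] += 1
            return "discard:speedlimit"
        if self._strict_on(pkt.interface):
            if pkt.opcode == REQUEST:
                return "not-learned"            # answered, but no entry is created
            if pkt.sender_ip not in self.pending:
                self.stats["discard_other"] += 1
                return "discard:strict"         # unsolicited reply
        key = (pkt.interface, pkt.sender_ip)
        if key not in self.table:
            on_ifc = sum(1 for ifc, _ in self.table if ifc == pkt.interface)
            limit = self.entry_limit.get(pkt.interface)
            if limit is not None and on_ifc >= limit:
                self.stats["discard_limit"] += 1
                return "discard:limit"
        self.table[key] = pkt.sender_mac
        self.pending.discard(pkt.sender_ip)
        self.stats["learned"] += 1
        return "learned"


def run_scenario():
    """Constructed traffic: slot 1 allows 3 ARP packets/s per destination IP,
    GE1/0/0 follows the global strict setting, GE2/0/0 has strict learning
    forced off and may hold at most 2 dynamic entries."""
    dev = ArpSecurityModel(global_strict=True,
                           strict={"GE1/0/0": "trust", "GE2/0/0": "force-disable"},
                           speed_limit={1: 3}, entry_limit={"GE2/0/0": 2})
    dev.send_request("10.1.1.2")           # the device itself asked for 10.1.1.2
    me = "10.1.1.1"                         # constructed address of the device
    pkts = [
        ArpPacket(REPLY,   "10.1.1.2",     "00e0-fc00-0002", me, "GE1/0/0", 1, 0.1),
        ArpPacket(REPLY,   "10.1.1.3",     "00e0-fc00-0003", me, "GE1/0/0", 1, 0.2),
        ArpPacket(REQUEST, "10.1.1.4",     "00e0-fc00-0004", me, "GE1/0/0", 1, 0.3),
        ArpPacket(REQUEST, "10.1.1.5",     "00e0-fc00-0005", me, "GE1/0/0", 1, 0.4),
        ArpPacket(REQUEST, "192.168.0.10", "00e0-fc00-0010", me, "GE2/0/0", 1, 1.1),
        ArpPacket(REQUEST, "192.168.0.11", "00e0-fc00-0011", me, "GE2/0/0", 1, 1.2),
        ArpPacket(REQUEST, "192.168.0.12", "00e0-fc00-0012", me, "GE2/0/0", 1, 1.3),
        ArpPacket(REQUEST, "192.168.0.10", "00e0-fc00-0010", me, "GE2/0/0", 1, 2.0),
    ]
    verdicts = [dev.receive(p) for p in pkts]
    return verdicts, dict(dev.stats), len(dev.table)


if __name__ == "__main__":
    verdicts, stats, entries = run_scenario()
    for v in verdicts:
        print(v)
    print(stats, "entries:", entries)
```

The strict-learning branch is what makes the unsolicited reply from 10.1.1.3 a discard even though it arrives well under the speed limit, while the fourth packet in the same second is dropped purely by the rate check; the third GE2/0/0 host is refused by arp-limit, and the refresh of an existing entry is not affected by it.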

12.2.7 Checking the Configuration

Prerequisite

The configurations for preventing attacks on ARP entries are complete.

Procedure

- Run the display arp speed-limit destination-ip [ slot slot-id ] command to check the limited speed of ARP packets.


- Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to check the limited number of ARP entries on the interface.

----End

Example

Run the display arp speed-limit destination-ip [ slot slot-id ] command, and you can check the timestamp suppression rate configured for the ARP packets. For example:

<Quidway> display arp speed-limit destination-ip slot 3
Slot SuppressType SuppressValue
---------------------------------------------------
3 ARP 500

Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command, and you can check the limited number of ARP entries configured on the interface.

<Quidway> display arp-limit
interface LimitNum VlanID LearnedNum(Mainboard)
---------------------------------------------------------------------------
Eth-Trunk0 100 124 0
Eth-Trunk0 100 125 0
GigabitEthernet2/0/1 16384 0 0
GigabitEthernet4/0/1 100 0 0
GigabitEthernet4/0/2 16384 124 0
---------------------------------------------------------------------------
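To turn the display arp-limit table into something an operator can act on, the following Python snippet is an added example (not ME60 code) that parses the command output and flags interface/VLAN pairs whose LearnedNum is close to LimitNum, which is the condition under which further ARP entries start to be refused. The sample output is constructed to follow the page's layout, with LearnedNum values changed so that the check has something to report; the 90 percent threshold is an assumption.

```python
"""Parse `display arp-limit` output and flag interfaces near their entry limit.

Added example, not ME60 code. SAMPLE is constructed in the layout of the
page's example output; the LearnedNum values are invented so that two rows
trip the check.
"""
import re

SAMPLE = """\
<Quidway> display arp-limit
interface LimitNum VlanID LearnedNum(Mainboard)
---------------------------------------------------------------------------
Eth-Trunk0 100 124 95
Eth-Trunk0 100 125 0
GigabitEthernet2/0/1 16384 0 0
GigabitEthernet4/0/1 100 0 100
GigabitEthernet4/0/2 16384 124 12
---------------------------------------------------------------------------
"""

# A data row is an interface name followed by three integer columns; the
# prompt, the header and the dashed separators do not match this shape.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_arp_limit(text):
    """Return one dict per table row: interface, limit, vlan, learned."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, limit, vlan, learned = m.groups()
        rows.append({"interface": name, "limit": int(limit),
                     "vlan": int(vlan), "learned": int(learned)})
    return rows


def near_limit(rows, threshold=0.9):
    """Rows whose learned entries are at or above threshold * limit.

    Returns (interface, vlan, learned, limit) tuples in table order.
    """
    flagged = []
    for r in rows:
        if r["limit"] and r["learned"] / r["limit"] >= threshold:
            flagged.append((r["interface"], r["vlan"], r["learned"], r["limit"]))
    return flagged


if __name__ == "__main__":
    for ifc, vlan, learned, limit in near_limit(parse_arp_limit(SAMPLE)):
        print(f"{ifc} vlan {vlan}: {learned}/{limit} ARP entries in use")
```

A row with VlanID 0 is the interface-wide limit; rows with a VLAN ID belong to per-VLAN limits set with the vlan keyword of arp-limit, so the two appear as separate records.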

12.3 Preventing Scanning Attacks

This section describes how to prevent scanning attacks.

12.3.1 Establishing the Configuration Task

12.3.2 Configuring Speed Limit for ARP Miss Packets

12.3.3 Enabling Alarm Functions for Potential Attack Behaviors

12.3.4 Checking the Configuration

12.3.1 Establishing the Configuration Task

Applicable Environment

In an Ethernet MAN, scanning attacks may occur. So, ARP security features need to be configured on the access layer or convergence layer to restrict ARP Miss packets and hence to ensure network security.

Pre-configuration Task

None

Data Preparation

To prevent scanning attacks, you need the following data:


No. Data

1 Limited speed of ARP Miss packets

12.3.2 Configuring Speed Limit for ARP Miss Packets

Context

Do as follows on the ME60 that needs to be configured with scanning attack defense:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp-miss speed-limit source-ip maximum maximum slot slot-id

The speed of ARP Miss packets is limited.

----End
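An ARP Miss message is raised when the device has to forward an IP packet to an on-link address for which it holds no ARP entry, which is exactly what a host sweeping a subnet provokes at a high rate: one miss per unknown address. The following Python model is an added example, not ME60 code; it assumes a fixed one-second window counted per source IP (the source-ip keyword), ignores the slot parameter, and its hosts, addresses and traffic are constructed.

```python
"""Model of ARP Miss rate limiting by source IP (section 12.3.2).

Added example, not ME60 code. A forwarding lookup that hits an on-link
destination without an ARP entry raises an ARP Miss; `arp-miss
speed-limit source-ip maximum N` caps the ARP Miss messages accepted per
source IP per second, and the excess is counted as "ARP-Miss Msg Discard
For SpeedLimit". All hosts and traffic below are constructed.
"""
from collections import defaultdict


class ArpMissLimiter:
    def __init__(self, max_per_second, known_hosts):
        self.max_per_second = max_per_second   # `maximum` in the command
        self.known = set(known_hosts)          # destinations that already have an ARP entry
        self.window = {}                       # source ip -> (second, count)
        self.stats = defaultdict(int)

    def forward(self, src_ip, dst_ip, t):
        """Forward one IP packet at time t; return 'resolved', 'arp-miss' or 'discard'."""
        if dst_ip in self.known:
            return "resolved"
        self.stats["ARP-Miss Msg Received"] += 1
        sec = int(t)
        second, count = self.window.get(src_ip, (sec, 0))
        if second != sec:                      # new one-second window for this source
            count = 0
        count += 1
        self.window[src_ip] = (sec, count)
        if count > self.max_per_second:
            self.stats["ARP-Miss Msg Discard For SpeedLimit"] += 1
            return "discard"                   # no ARP request is sent for dst_ip
        return "arp-miss"                      # ARP request is sent for dst_ip


def run_scan_scenario(limit=5):
    """One scanner sweeps 10.1.1.10 to 10.1.1.39 within a second while a
    normal host reaches two known destinations and one unknown one."""
    dev = ArpMissLimiter(limit, known_hosts={"10.1.1.2", "10.1.1.3"})
    verdicts = defaultdict(int)
    for i in range(30):                        # scanner packets, all within second 0
        v = dev.forward("10.1.1.200", f"10.1.1.{10 + i}", i / 30)
        verdicts["scanner:" + v] += 1
    for dst, t in (("10.1.1.2", 0.5), ("10.1.1.3", 0.6), ("10.1.1.77", 0.7)):
        verdicts["host:" + dev.forward("10.1.1.50", dst, t)] += 1
    return dict(verdicts), dict(dev.stats)


if __name__ == "__main__":
    verdicts, stats = run_scan_scenario()
    print(verdicts)
    print(stats)
```

Because the window is keyed by source IP, the scanner's burst exhausts only its own budget; the ordinary host's single ARP Miss in the same second is still accepted, which is the property that makes source-ip limiting preferable to a global ARP Miss cap under a scan.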

12.3.3 Enabling Alarm Functions for Potential Attack Behaviors

Context

Do as follows on the ME60 that needs to be configured with scanning attack defense:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack log-trap-timer time

Generating and logging alarms for potential attack behaviors is configured; time is the interval at which the alarms are generated.

----End

12.3.4 Checking the Configuration

Prerequisite

The configurations for preventing scanning attacks are complete.


Procedure

Step 1 Run the display arp-miss speed-limit source-ip [ slot slot-id ] command to check the limited speed of ARP Miss packets.

----End

Example

Run the display arp-miss speed-limit source-ip [ slot slot-id ] command, and you can check the timestamp suppression rate configured for the ARP Miss packets. For example:

<Quidway> display arp-miss speed-limit source-ip slot 3
Slot Supp-type Source-ip
---------------------------------------------------
3 ARP-miss 500

12.4 Maintaining the ARP Security

This section describes how to display and remove statistics about ARP packets and debug ARP packets.

12.4.1 Displaying Statistics About ARP Packets

12.4.2 Clearing Statistics About ARP Packets

12.4.3 Debugging ARP Packets

12.4.1 Displaying Statistics About ARP Packets

Procedure

Step 1 Run the display arp packet statistic [ slot slot-id ] command to check statistics about ARP packets.

----End

Example

Run the display arp packet statistics [ slot slot-id ] command, and you can check the statistics about ARP packets. For example:

<Quidway> display arp packet statistics
ARP Pkt Received: sum 23
ARP-Miss Msg Received: sum 0
ARP Learnned Count: sum 8
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Other: sum 10
ARP-Miss Msg Discard For SpeedLimit: sum 0
ARP-Miss Msg Discard For Other: sum 0
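The counters above are cumulative, so they only become useful for detection when compared over time. The Python snippet below is an added example, not ME60 code: it parses two snapshots of display arp packet statistics output (the first is the page's example, the second is constructed with inflated discard counters) and reports every discard counter whose growth rate over the interval exceeds a threshold. The 20 s interval mirrors the log-trap-timer value used in the configuration examples of section 12.5; the threshold of 10 discards per second is an assumption.

```python
"""Rate-based detection over `display arp packet statistics` snapshots.

Added example, not ME60 code. SNAPSHOT_T0 is the page's example output;
SNAPSHOT_T1 is constructed as if taken 20 s later during an ARP flood
and a scan, with the speed-limit discard counters grown sharply.
"""
import re

# "<name>: sum <value>", e.g. "ARP Pkt Discard For Limit: sum 5"
LINE = re.compile(r"^(?P<name>[^:]+):\s*sum\s+(?P<value>\d+)\s*$")

SNAPSHOT_T0 = """\
<Quidway> display arp packet statistics
ARP Pkt Received: sum 23
ARP-Miss Msg Received: sum 0
ARP Learnned Count: sum 8
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Other: sum 10
ARP-Miss Msg Discard For SpeedLimit: sum 0
ARP-Miss Msg Discard For Other: sum 0
"""

SNAPSHOT_T1 = """\
<Quidway> display arp packet statistics
ARP Pkt Received: sum 1523
ARP-Miss Msg Received: sum 900
ARP Learnned Count: sum 9
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum 1400
ARP Pkt Discard For Other: sum 11
ARP-Miss Msg Discard For SpeedLimit: sum 850
ARP-Miss Msg Discard For Other: sum 0
"""


def parse_arp_stats(text):
    """Map each counter name to its integer value; prompt lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def discard_deltas(before, after):
    """Growth of every 'Discard' counter between two snapshots, in table order."""
    return {name: after[name] - before.get(name, 0)
            for name in after if "Discard" in name}


def alerts(before, after, interval_s, max_discards_per_s):
    """(counter name, discards per second) for counters growing faster than allowed."""
    hits = []
    for name, delta in discard_deltas(before, after).items():
        rate = delta / interval_s
        if rate > max_discards_per_s:
            hits.append((name, rate))
    return hits


if __name__ == "__main__":
    t0, t1 = parse_arp_stats(SNAPSHOT_T0), parse_arp_stats(SNAPSHOT_T1)
    for name, rate in alerts(t0, t1, interval_s=20, max_discards_per_s=10):
        print(f"{name}: {rate:.1f} discards/s")
```

Growth in "Discard For SpeedLimit" indicates the speed limit is actively shedding load from an ARP flood, growth in "ARP-Miss Msg Discard For SpeedLimit" points at a scan, and growth in "Discard For Limit" means some interface has hit its arp-limit ceiling; the same counters are what reset arp packet statistic (section 12.4.2) clears, so a zeroed baseline must be re-read after that command.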


12.4.2 Clearing Statistics About ARP Packets

Context

CAUTION

Statistics about ARP packets cannot be restored after you clear them. Confirm the action before you run the command.

Procedure

- Run the reset arp packet statistic [ slot slot-id ] command in the user view to clear statistics about ARP packets.

----End

12.4.3 Debugging ARP Packets

Context

CAUTION

Debugging affects the performance of the system. So, after debugging, execute the undo debugging all command to disable it immediately.

For the procedure of displaying the debugging information, refer to the chapter Maintenance and Debugging in the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

For explanations of the debugging commands, refer to the ME60 Multiservice Control Gateway Command Reference.

Procedure

- Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ] command in the user view to debug ARP packets.
- Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command in the user view to debug ARP packet processing.

----End

12.5 Configuration Examples

This section provides several configuration examples of ARP security features.

12.5.1 Example for Preventing Attacks on ARP Entries

12.5.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks


12.5.1 Example for Preventing Attacks on ARP Entries

Networking Requirements

As shown in Figure 12-3, a carrier accesses the core network through two ME60s. ARP security features need to be configured on the two ME60s to prevent the devices attached to the ME60s from attacking ARP entries.

Figure 12-3 Networking diagram of preventing attacks on ARP entries

(Figure content: ME60A and ME60B connected to the core network)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure strict ARP entry learning.
2. Configure speed limit for ARP packets.
3. Configure interface-based ARP entry restriction.
4. Enable log and alarm functions for potential attack behaviors.

Data Preparations

To complete the configuration, you need the following data:

- Timestamp suppression rate of ARP packets and slot numbers
- Limited number of ARP entries
- Interval for sending alarms


Procedure

Step 1 Configure strict ARP entry learning.

<ME60A> system-view
[ME60A] arp learning strict

Step 2 Configure destination-based speed limit for ARP packets on each slot of the attached device. The speed is limited to 50 packets per second. Take slot 1 as an example.

[ME60A] arp speed-limit destination-ip maximum 50 slot 1

Step 3 Restrict the number of ARP entries on each interface of the attached device to 20. Take GE 1/0/0 as an example.

[ME60A] interface Gigabitethernet 1/0/0
[ME60A-GigabitEthernet1/0/0] arp-limit maximum 20
[ME60A-GigabitEthernet1/0/0] quit

Step 4 Set the interval for logging and generating alarms for potential attack behaviors to 20 seconds.

[ME60A] arp anti-attack log-trap-timer 20

Step 5 Verify the configuration.

Use certain tools to send ARP request packets to ME60 A and then run the display arp all command on ME60 A. You can find that the actively sent ARP request packets are not learnt by ME60 A.

<ME60A> display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200 00e0-fc7f-7258 I - GE0/0/0
100.1.1.180 000d-88f4-d06b 9 D-0 GE0/0/0
100.1.1.24 0013-d326-ab88 9 D-0 GE0/0/0
100.1.1.166 0014-2afd-7376 10 D-0 GE0/0/0
100.1.1.37 00e0-4c77-a2f9 12 D-0 GE0/0/0
100.1.1.168 000d-88f8-332c 14 D-0 GE0/0/0
100.1.1.48 0015-e9ac-7a30 16 D-0 GE0/0/0
32.1.1.1 0088-0010-000a I - GE3/0/9
24.1.1.1 0088-0010-0009 I - GE3/0/8
10.1.1.1 0088-0010-0003 I - GE3/0/2
10.1.1.2 00e0-fc22-18d5 9 D-3 GE3/0/2
------------------------------------------------------------------------------
Total:11 Dynamic:7 Static:0 Interface:4

Run the display arp speed-limit command on ME60s. You can view the limited speed.

<ME60A> display arp speed-limit destination-ip slot 1
Slot SuppressType SuppressValue
---------------------------------------------------
1 ARP 50

Run the display arp packet statistics command on ME60s. You can view the number of the discarded ARP packets and the learnt ARP entries.

<ME60A> display arp packet statistics
ARP Pkt Received: sum 23
ARP-Miss Msg Received: sum 0
ARP Learnned Count: sum 8
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Other: sum 10
ARP-Miss Msg Discard For SpeedLimit: sum 0
ARP-Miss Msg Discard For Other: sum 0

----End


Configuration Files

The configuration file of ME60 A is as follows:

#
 sysname ME60A
#
 arp learning strict
 arp speed-limit destination-ip maximum 50 slot 1
 arp anti-attack log-trap-timer 20
#
interface GigabitEthernet1/0/0
 arp-limit maximum 20
return

12.5.2 Example for Preventing Attacks on ARP Entries and Scanning Attacks

Networking Requirements

As shown in Figure 12-4, a cyber cafe accesses ME60 through the Internet. ARP security features need to be configured to protect the cyber cafe from the ARP entry attack and scanning attack.

Figure 12-4 Network diagram of preventing attacks on ARP entries and scanning attacks

(Figure content: Internet connected to ME60)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure as follows to prevent attacks on ARP entries:
   - Configure strict ARP entry learning.
   - Configure speed limit for ARP packets.
   - Configure interface-based ARP entry restriction.
   - Enable log and alarm functions for potential attack behaviors.

2. Configure as follows to prevent ARP scanning attacks:
   - Configure speed limit for ARP Miss packets.

Data Preparations

To complete the configuration, you need the following data:

- Timestamp suppression rate of ARP packets and slot numbers
- Limited number of ARP entries
- Interval for sending alarms
- Timestamp suppression rate of ARP Miss packets and slot numbers

Procedure

Step 1 Configure strict ARP entry learning.

<Quidway> system-view
[Quidway] arp learning strict

Step 2 Configure destination-based speed limit for ARP packets on each slot of the attached device. The speed is limited to 50 packets per second. Take slot 1 as an example.

[Quidway] arp speed-limit destination-ip maximum 50 slot 1

Step 3 Restrict the number of ARP entries on each interface of the attached device to 20. Take GE 1/0/0 as an example.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] arp-limit maximum 20
[Quidway-GigabitEthernet1/0/0] quit

Step 4 Set the interval for logging and generating alarms for potential attack behaviors to 20 seconds.

[Quidway] arp anti-attack log-trap-timer 20

Step 5 Configure source-based speed limit for ARP Miss packets on each slot of the attached device. The speed is limited to 50 ARP Miss packets per second. Take slot 1 as an example.

[Quidway] arp-miss speed-limit source-ip maximum 50 slot 1

Step 6 Verify the configuration.

Use certain tools to send ARP request packets to ME60 A and then run the display arp all command on ME60 A. You can find that the actively sent ARP request packets are not learnt by ME60 A.

<Quidway> display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200 00e0-fc7f-7258 I - GE0/0/0
100.1.1.180 000d-88f4-d06b 9 D-0 GE0/0/0
100.1.1.24 0013-d326-ab88 9 D-0 GE0/0/0
100.1.1.166 0014-2afd-7376 10 D-0 GE0/0/0
100.1.1.37 00e0-4c77-a2f9 12 D-0 GE0/0/0
100.1.1.168 000d-88f8-332c 14 D-0 GE0/0/0
100.1.1.48 0015-e9ac-7a30 16 D-0 GE0/0/0
32.1.1.1 0088-0010-000a I - GE3/0/9
24.1.1.1 0088-0010-0009 I - GE3/0/8
10.1.1.1 0088-0010-0003 I - GE3/0/2
10.1.1.2 00e0-fc22-18d5 9 D-3 GE3/0/2
------------------------------------------------------------------------------
Total:11 Dynamic:7 Static:0 Interface:4

Run the display arp speed-limit command on ME60s. You can view the limited speed. Run the display arp-miss speed-limit command on ME60s. You can view the limited speed of ARP Miss packets.


<Quidway> display arp speed-limit destination-ip slot 1
Slot SuppressType SuppressValue
---------------------------------------------------
1 ARP 50
<Quidway> display arp-miss speed-limit source-ip slot 1
Slot SuppressType SuppressValue
---------------------------------------------------
1 ARP-miss 50

Use certain tools to scan ME60 A and then run the display arp packet statistics command on ME60 A. You can view the number of the discarded ARP Miss messages.

<Quidway> display arp packet statistics
ARP Pkt Received: sum 23
ARP-Miss Msg Received: sum 0
ARP Learnned Count: sum 8
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Other: sum 10
ARP-Miss Msg Discard For SpeedLimit: sum 0
ARP-Miss Msg Discard For Other: sum 0

----End

Configuration Files

#
 sysname Quidway
#
 arp learning strict
 arp speed-limit destination-ip maximum 50 slot 1
 arp-miss speed-limit source-ip maximum 50 slot 1
 arp anti-attack log-trap-timer 20
#
interface GigabitEthernet1/0/0
 arp-limit maximum 20
return


A Glossary

This appendix lists the glossary of terms in this manual.

A

attack defense A function of detecting various network attacks and protecting the intranet against malicious attacks.

authenticate To verify the legality of a user before the user visits the Internet or accesses an Internet service.

C

CC Contents of communication that the lawful interception device intercepts, such as email contents and VoIP voice packets.

D

data juggle A security threat in which an attacker selectively changes, deletes, delays or rearranges system data or a message stream and inserts false messages, thus destroying the consistency of the data.

denial of service A security threat in which a server denies the request of a legal user who wants to access information or resources.

DPI Deep packet inspection, a function of sensing the data application and providing policies for network control and management through analysis of the packet application layer.

E

encrypt To transform a readable message into unreadable text. Unauthorized users cannot obtain the content of the message even though they obtain the encrypted signal.


F

firewall A system or a group of systems that monitors the channel between the trusted internal network and the untrusted external networks to prevent the risks of external networks from affecting the internal network.

I

illegal use A security threat in which an unauthorized user uses the network resource.

inbound Pertaining to transmission in which data flows from a zone with lower priority to a zone with higher priority.

information theft A security threat in which an attacker obtains important data or information by wiretapping the network, instead of directly attacking the target system.

IPSec The general term for a set of network security protocols, including a security protocol and an encryption protocol, which provide communicating parties with access control, connectionless integrity, data source authentication, anti-replay, encryption, and classification and encryption of data streams.

IRI User information that the lawful interception device intercepts, such as the location and login time of a user.

L

lawful interception A law enforcement activity carried out to monitor the communication services on the public communications network, according to the related law and the norm for the public communications network.

LIG A device used for transfer and adaptation on the interception command issuing interface and event report interface. An LIG serves as the core of the entire interception system and is responsible for the settings of interception services and for the actual interception.

N

NAT A mechanism for transforming private addresses into globally routable addresses, which enables private networks to access public networks.

network security service The measure taken against security threats on a network.

O

outbound Pertaining to transmission in which data flows from a zone with higher priority to a zone with lower priority.


P

packet filtering firewall A firewall that filters packets by using the ACL. See also firewall.

proxy firewall A firewall working at the application layer. It checks the requests of users, connects to a server and forwards the request if the authentication succeeds, and then forwards the response of the server to the user.

S

security zone A combination of multiple interfaces or user domains with the same security attributes.

stateful firewall A firewall that monitors TCP/UDP sessions by using state tables and forwards the packets associated with the allowed sessions. It also analyzes the application layer state of the packets in the TCP/UDP sessions, and filters out the data packets that do not match.


B Acronyms and Abbreviations

This appendix lists the acronyms and abbreviations mentioned in this manual.

Numeric

3DES Triple DES

A

AAA Authentication, Authorization and Accounting

ACL Access Control List

AH Authentication Header

ALG Application Layer Gateway

API Application Program Interface

ASPF Application Specific Packet Filter

ATM Asynchronous Transfer Mode

AUCX Audit Connection

AUEP Audit End Point

B

BICC Bearer Independent Call Control Protocol

C

CAC Call Admission Control

CAR Committed Access Rate

CCB Call Control Block


D

DES Data Encryption Standard

DF Don't Fragment

DH Diffie-Hellman

DoS Denial of Service

DPI Deep Packet Inspection

E

ESP Encapsulating Security Payload

F

FTP File Transfer Protocol

G

GRE Generic Routing Encapsulation

GSM Global System for Mobile communications

H

HTTP Hyper Text Transport Protocol

HWCC Huawei Conference Control Protocol

I

IAD Integrated Access Device

IADMS IAD Management System

IANA Internet Assigned Numbers Authority

ICMP Internet Control Message Protocol

IETF Internet Engineering Task Force

IGMP Internet Group Management Protocol

IKE Internet Key Exchange

ILS Internet Location Service

IP Internet Protocol

IPSec IP Security


ISAKMP Internet Security Association and Key Management Protocol

ISDN Integrated Services Digital Network

ITU International Telecommunications Union

J

JAIN Java APIs for Integrated Networks

L

L2TP Layer 2 Tunneling Protocol

LI Lawful Interception

LIG Lawful interception Gateway

M

MAC Media Access Control

MD5 Message Digest 5

MF More Fragment

MGCP Media Gateway Control Protocol

MIB Management Information Base

MPLS Multi-Protocol Label Switching

N

NAPT Network Address Port Translation

NAT Network Address Translation

NetBIOS Network Basic Input/Output System

NGN Next Generation Network

NMS Network Management System

NTP Network Time Protocol

O

OID Object ID

OOB Out-of-Band


P

P2P Point to Point

PAT Port Address Translation

PC Personal Computer

PDU Protocol Data Unit

PFS Perfect Forward Secrecy

POS Packet Over SDH

PPTP Point-to-Point Tunneling Protocol

PSTN Public Switched Telephony Network

Q

QoS Quality of Service

R

RADIUS Remote Authentication Dial in User Service

RAS Registration, Admission and Status

RFC Request for Comments

RSA Rivest-Shamir-Adleman cryptographic algorithms

RTSP Real Time Streaming Protocol

RTCP Real-time Transport Control Protocol

RTP Real-time Transport Protocol

S

SA Security Association

SBC Session Border Controller

SDP Session Description Protocol

SHA Secure Hash Algorithm

SIP Session Initiation Protocol

SMTP Simple Mail Transfer Protocol

SNMP Simple Network Management Protocol

SPI Security Parameter Index

SSH Secure Shell


SSL Secure Socket Layer

SSU Security Service Unit

T

TCP Transmission Control Protocol

TTL Time to Live

U

UDP User Datagram Protocol

V

VoIP Voice over IP

VPN Virtual Private Network

W

WWW World Wide Web
