elog experiment.pdf


  • Huawei Symantec Proprietary and Confidential Copyright Huawei Symantec Technologies Co., Ltd.

    Secoway eLog

    Experiment Volume

    Issue 01

    Date 2009-07-14


    Huawei Symantec Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local representative office, agency, or customer service center.

    Huawei Symantec Technologies Co., Ltd.

    Address: Building 1

    The West Zone Science Park of UESTC, No.88, Tianchen Road

    Chengdu, 611731

    P.R.China

    Website: http://www.huaweisymantec.com

    Email: [email protected]

    Copyright Huawei Symantec Technologies Co., Ltd. 2009. All rights reserved.

    No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Symantec Technologies Co., Ltd.

    Trademarks and Permissions

    and other Huawei Symantec trademarks are trademarks of Huawei Symantec Technologies Co., Ltd.

    All other trademarks and trade names mentioned in this document are the property of their respective holders.

    Notice

    The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.


    1 Login

    Before logging in to the Secoway eLog, you need to add the eLog Web site to the trusted sites in Internet Explorer.

    Procedure

    1. In Internet Explorer, choose Tools > Internet Options....

    2. Click the Security tab.

    3. Select Trusted sites and click Sites. The Trusted sites dialog box is displayed.

    4. Enter https://IP/ in the text box under Add this Web site to the zone.

    5. Click Add.

    6. Click OK. The Internet Properties window is displayed.

    7. Click OK.

    Logging in to the Secoway eLog

    Procedure

    1. In the address bar, enter https://IP/, the login address of the Secoway eLog. IP is the IP address of the log server, for example, https://10.0.0.254/.

    2. Press Enter.

    3. In the Secoway eLog dialog box, enter the user name, password, and authentication code, as shown in Figure 1-1. On initial login, the administrator account is admin and the password is empty.

    Figure 1-1 Login system


    Introduction to the Home Page of the Secoway eLog

    This section introduces the home page of the Secoway eLog. Only a valid user can log in to the Secoway eLog.

    On the Secoway eLog home page, there are the tool bar, navigation tree, and description area, as shown in Figure 1-2. The contents of the home page vary with the login user.

    Figure 1-2 Secoway eLog Home Page


    2 Add a Log Collector

    The Secoway eLog system consists of log collectors and log servers. After adding a log collector to the system, you can assign devices to it for management. Only a device that is in one of the subnets managed by the log collector can be added to that log collector.

    Procedure

    1. In the navigation tree, choose System Management > Log Collector Management. The Log Collector Management window is displayed.

    2. Click Add to display the Add Log Collector window.

    3. Set the log collector. Table 3-1 describes the parameters related to setting the log collector.

    Table 3-1 Parameters related to setting the log collector

    Parameter           | Description
    --------------------+--------------------------------------------------------------
    Log Collector Name  | Indicates the name of the log collector. You can enter a maximum of 16 characters.
    IP Address          | Indicates the IP address of the log collector.
    Standby Collector   | Select this option if the collector is the standby collector in a cluster.
    Subnet/Mask         | Indicates the IP addresses and masks of the subnets that the log collector can manage.
    Details             | Indicates the details of the log collector. You can enter a maximum of 128 characters.

    4. Click OK. If the adding is successful, you can view the new information about the log collector in the lower part of the Log Collector Management window.

    5. To change the information about the log collector, click the corresponding icon. If any devices are managed by the log collector, only the name, IP address, and details can be modified. To modify the subnet/mask, delete those devices first.

    6. To delete the log collector, click the corresponding icon. You must delete the devices managed by the collector before you can delete the collector.


    3 Adding a Device

    You can configure all managed devices. The system can collect, analyze, and manage the logs of a device only after the device has been added to the system. In addition, you can export all managed devices or import them in batches.

    Procedure

    1. In the navigation tree, choose System Management > Device Management. The Device Management window is displayed.

    2. Click Add to display the Add Device window.

    3. Enter the device information in the Add Device window. Table 2-1 describes the parameters related to adding a device.

    Table 2-1 Parameters related to adding a device

    Parameter                              | Description
    ---------------------------------------+---------------------------------------------------------
    Device Name                            | Indicates the device name. You can enter a maximum of 16 characters.
    Device Type                            | Indicates the device type.
    Firewall Type                          | Indicates the firewall type. This option is displayed only when Device Type is set to Eudemon/USG Firewall.
    Whether the UTM features are available | Select it if the firewall has the UTM feature. This option is displayed only when Device Type is set to Eudemon/USG Firewall.
    IP Address                             | Indicates the IP address of the device. NOTE: The IP address of the device must be selected from the IP addresses managed by the log collector.
    Details                                | Indicates the device details. You can enter a maximum of 256 characters.

    4. Click OK to finish adding a device. If the adding is successful, you can view the device information in the table at the lower part of the page.


    4 User and Role Management

    Adding the Operator Role

    This section describes how to add an operator role and specify its authorized devices.

    Context

    By default, a user can hold only the administrator role or the auditor role. The system administrator can assign operator roles to users. Based on the devices in the system, the administrator can configure different operators and allow each of them to operate on the corresponding devices. Users who do not hold an operator role have no authority to operate on the devices of the system.

    Procedure

    1. In the navigation tree, choose System Management > User/Role Management. The User/Role Management window is displayed.

    2. Click Add Role to display the Add Role window.

    3. Set the operator role. Table 4-1 describes the parameters related to adding the operator role.

    Table 4-1 Parameters related to adding the operator role

    Parameter           | Description
    --------------------+--------------------------------------------------------------
    Role Name           | Indicates the role name. You can enter a maximum of 16 characters.
    Role Description    | Indicates the role description. You can enter a maximum of 32 characters.
    Role Type           | Indicates the role type. The default value is Operator and cannot be modified.
    Authorized Devices  | Indicates the devices that the operator is authorized to use. Operators are authorized to use the devices in Selected Device. Click the corresponding button to move the selected device from Unselected Device to Selected Device, to move all devices from Unselected Device to Selected Device, to move the selected device from Selected Device back to Unselected Device, or to move all devices from Selected Device back to Unselected Device.

    4. Click OK to finish adding the operator role.


    Adding Users

    This section describes how to add users to the system. You can add three types of user roles: the administrator, auditor, and operator. The three types of user roles perform different operations on the system.

    Procedure

    1. In the navigation tree, choose System Management > User/Role Management. The User/Role Management window is displayed.

    2. Click Add User to display the Add User window.

    3. Set the user information. Table 4-2 describes the parameters related to adding users.

    Table 4-2 Parameters related to adding users

    Parameter         | Description
    ------------------+----------------------------------------------------------------
    User Account      | Indicates the user account. You can enter a maximum of 16 characters.
    User Name         | Indicates the user name. You can enter a maximum of 16 characters.
    Mobile Phone      | Indicates the telephone number of the user.
    Email             | Indicates the email address of the user.
    Password          | Indicates the user password. The password must contain at least eight characters and at most 16, and it must contain uppercase letters, lowercase letters, digits, and special characters at the same time.
    Confirm Password  | Enter the user password again.
    User Information  | Indicates the user information. You can enter a maximum of 32 characters.
    Account Status    | Indicates the account status. Only activated users can log in to the Secoway eLog.
    Role Type         | Indicates the role type. If you select the operator role, allocate operator roles as follows: click the corresponding button to move the selected operator role from Unselected Operator Roles to Selected Operator Roles, to move all operator roles from Unselected Operator Roles to Selected Operator Roles, to move the selected operator role from Selected Operator Roles back to Unselected Operator Roles, or to move all operator roles from Selected Operator Roles back to Unselected Operator Roles.

    4. Click OK to finish adding users.
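The user and role rules this chapter describes (the three role types, operator roles with a Selected Device list, and the Table 4-2 password rule), modelled as an added example in Python; this is not code from the manual or from the eLog product, and the class and function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# The three role types named in the manual.
ROLE_TYPES = {"administrator", "auditor", "operator"}

# Table 4-2: 8 to 16 characters, with uppercase, lowercase, digit and
# special character all present at the same time.
_REQUIRED_CLASSES = [re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
                     re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")]


def password_ok(pw: str) -> bool:
    """Return True if pw satisfies the manual's password rule."""
    if not 8 <= len(pw) <= 16:
        return False
    return all(cls.search(pw) for cls in _REQUIRED_CLASSES)


@dataclass
class OperatorRole:
    name: str                                             # Role Name, max 16 characters
    authorized_devices: set = field(default_factory=set)  # the "Selected Device" list

    def __post_init__(self):
        if not 0 < len(self.name) <= 16:
            raise ValueError("role name must be 1 to 16 characters")


@dataclass
class User:
    account: str
    role_type: str
    active: bool = True                                   # Account Status
    operator_roles: list = field(default_factory=list)


def add_user(account: str, password: str, role_type: str,
             active: bool = True, operator_roles=()) -> User:
    """Validate the Add User form the way the manual describes it."""
    if not 0 < len(account) <= 16:
        raise ValueError("user account must be 1 to 16 characters")
    if role_type not in ROLE_TYPES:
        raise ValueError(f"unknown role type {role_type!r}")
    if not password_ok(password):
        raise ValueError("password does not meet the complexity rule")
    if role_type != "operator" and operator_roles:
        raise ValueError("operator roles can only be allocated to operators")
    return User(account, role_type, active, list(operator_roles))


def can_operate_device(user: User, device: str) -> bool:
    """Manual: only users holding an operator role may act on devices, and
    only on the devices in the Selected Device list of one of their roles.
    A deactivated account cannot log in, so it is authorized for nothing."""
    if not user.active or user.role_type != "operator":
        return False
    return any(device in role.authorized_devices
               for role in user.operator_roles)
```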


    5 Configuring the Firewall

    A Networking Example

    All the following descriptions of configuring the firewall are based on this networking example. Analyze this example closely before configuring the firewall.

    Figure 4-1 A networking example

    Configuring Basic Functions of Firewall Logs

    Most service logs of the firewall are sent in Syslog form, while a few types of logs, including traffic logs and session logs, are sent in binary form. You are required to enable the functions of collecting and sending traffic logs and session logs.

    Procedure

    1. Connect the firewall with the log server through serial cables.

    2. On the log server, choose Start > Program Files > Accessories > Communications > HyperTerminal. The interface shown in Figure 4-2 is displayed.

    Figure 4-2 Creating a connection

    [Addresses shown in the networking example (Figure 4-1): 192.168.0.100/24, 192.168.0.1/24, 10.0.0.1/24, eLog 10.0.0.100/24, 10.0.0.200/24, 10.0.0.50/24]


    3. In Name, enter a name for the connection.

    4. Click OK. The interface shown in Figure 4-3 is displayed.

    Figure 4-3 Choosing a COM port for the connection

    5. In For use during connections, select the COM port to which the serial cable is connected.

    6. Click OK. The interface shown in Figure 4-4 is displayed.

    Figure 4-4 Setting the port


    7. Click Restore Defaults. The interface as shown in Figure 4-5 is displayed.

    Figure 4-5 Restoring the default port settings

    8. Click OK. The interface as shown in Figure 4-6 is displayed.


    Figure 4-6 Main interface of the Hyper Terminal

    9. Press Enter.

    10. Enter the default user name and password.

    The default user name is admin, and the password is Admin@123.

    11. Press Enter.

    The user view is displayed.

    12. Change the time zone and time on the firewall to those on the log server.

    # Change the time zone on the firewall to that on the log server.
    clock timezone c8 add 08:00:00

    NOTE: c8 is a customized time zone name. The following takes Beijing time as an example. Beijing time is eight hours ahead of UTC, the default on the firewall, so add 08:00:00 is used. If the local time is behind UTC, use minus instead.

    # Change the time on the firewall to that on the log server. For example, set the current date and time on the firewall to 00:00:00 on November 1, 2009.
    clock datetime 0:0:0 2009/11/01

    13. Enable the inter-zone packet filter between the Trust and Local zones.

    The following sets the default packet-filter action to permit for all traffic between the Local and Trust zones.

    system-view
    [Eudemon] firewall packet-filter default permit interzone local trust all

    Enable the functions of collecting and sending Syslog logs

    Redirect the logs of the information center to the log server (10.0.0.100).


    NOTE: 10.0.0.100 is the IP address of the log server. Change it according to the actual situation.

    system-view
    [Eudemon] info-center loghost 10.0.0.100

    CAUTION: The language attribute of firewall logs must be English so that the logs can be parsed properly by the log server. Therefore, when you run the info-center loghost command, do not set the language attribute, or set it to English.

    Enable the functions of collecting and sending session logs

    Enable the inter-zone function of recording session logs as required. The following takes the interzone between the Trust and Untrust zones as an example.

    [Eudemon] acl 3000
    [Eudemon-acl-adv-3000] rule permit tcp destination 10.0.0.100 0
    [Eudemon-acl-adv-3000] quit
    [Eudemon] firewall interzone trust untrust
    [Eudemon-interzone-trust-untrust] session log enable acl-number 3000 inbound
    [Eudemon-interzone-trust-untrust] session log enable acl-number 3000 outbound
    [Eudemon-interzone-trust-untrust] quit

    # Redirect the interzone session logs to the log server (10.0.0.100).
    [Eudemon] firewall session log-type binary host 10.0.0.100 9002 source 10.0.0.1 9003

    NOTE: 10.0.0.100 is the IP address of the log server. Change it according to the actual situation. 9002 is the port used for binary logs and requires no change. Session logs must be sent in binary format, and the format does not need to be changed.

    (Optional) 10.0.0.1 is the source IP address used for communication between the firewall and the log server, and 9003 is the source port number from which the firewall sends logs. Change these values according to the actual situation.

    Enabling the Function of Sending Login Logs

    Login logs of the firewall are the logs generated when the firewall administrator logs in to the firewall system by a specific method, including login through the console interface, Telnet, the File Transfer Protocol (FTP), and the Hyper Text Transfer Protocol (HTTP). For every login method, both success logs and failure logs are generated.

    Prerequisite

    The firewall has been connected to the network and basic configurations of the firewall have been completed.


    Procedure

    1. Enable the Telnet function.

    Enable AAA authentication for remote logins. For example, you can configure the firewall to support five concurrent remote login sessions (VTY numbers 0 to 4).

    system-view
    [Eudemon] user-interface vty 0 4
    [Eudemon-ui-vty0-4] authentication-mode aaa

    Configure the user privilege level for this login method (the default level of the user is visitor). For example, you can set the user privilege to the management level (level 3).

    [Eudemon-ui-vty0-4] user privilege level 3

    Create the login user name, password, and service type for local authentication. For example, configure the user name telnetuser with the password telnetpwd for Telnet logins. (The simple keyword stores the password in plain text in the configuration.)

    [Eudemon-ui-vty0-4] quit
    [Eudemon] aaa
    [Eudemon-aaa] local-user telnetuser password simple telnetpwd
    [Eudemon-aaa] local-user telnetuser service-type telnet

    Configure the password for switching the privilege level of login users. For example, configure the password superpwd for switching the user privilege to the management level (level 3).

    [Eudemon-aaa] quit
    [Eudemon] super password level 3 simple superpwd

    2. Enable the FTP function.

    Enable the FTP service and configure the user name, password, and FTP directory for FTP-based login users. For example, the user name and password are ftpuser and ftppassword respectively.

    [Eudemon] ftp server enable
    [Eudemon] aaa
    [Eudemon-aaa] local-user ftpuser password simple ftppassword
    [Eudemon-aaa] local-user ftpuser service-type ftp
    [Eudemon-aaa] local-user ftpuser ftp-directory flash:

    Initiate an FTP connection to the Eudemon firewall (the FTP server, 10.0.0.1) from a remote PC (10.0.0.100).

    C:\WINDOWS\Desktop> ftp 10.0.0.1
    Connected to 10.0.0.1.
    220 FTP service ready.
    User (10.0.0.1(none)): ftpuser
    331 Password required for ftpuser.
    Password:******
    230 User logged in.
    ftp> bye
    221 Server closing.
    C:\WINDOWS\Desktop>

    3. Enable the function of managing pages through the Web.

    NOTE:

    The Eudemon 8000E does not support this function.


    Enable the HTTP service and configure the user name and password for Web-based login users. For example, the user name and password are webuser and webpassword.

    [Eudemon] web-manager enable
    [Eudemon] web-manager security enable
    [Eudemon] aaa
    [Eudemon-aaa] local-user webuser password simple webpassword
    [Eudemon-aaa] local-user webuser service-type web
    [Eudemon-aaa] quit

    Initiate an HTTP(S) connection to the Eudemon firewall from a remote PC (10.0.0.100): enter the IP address of the firewall in the address bar of your browser and press Enter.

    Enabling the Function of Sending Packet Filtering Logs

    A packet filtering log is generated when a packet, identified by the network-packet quintuple (source IP address, destination IP address, source port number, destination port number, and protocol), passes the firewall and hits an ACL rule.

    Prerequisite

    The firewall has been connected to the network and basic configurations of the firewall have been completed.

    Context

    The firewall controls network traffic in order to enforce security policies, QoS requirements, and so on. One method of controlling network traffic is the ACL. An ACL is a series of ordered rules consisting of permit statements and deny statements.

    Procedure

    1. Configure basic ACL rules to allow the Extranet address 192.168.0.100 to pass the firewall and all Intranet addresses to pass the firewall.

    system-view

    [Eudemon] acl 2000

    [Eudemon-acl-basic-2000] rule permit source 192.168.0.100 0 logging

    [Eudemon-acl-basic-2000] quit

    [Eudemon] acl 2001

    [Eudemon-acl-basic-2001] rule permit source any logging

    [Eudemon-acl-basic-2001] quit

    2. Apply the basic ACL rules to the interzone between the DMZ and the Untrust zone.

    [Eudemon] firewall interzone dmz untrust


    [Eudemon-interzone-dmz-untrust] packet-filter 2000 inbound

    [Eudemon-interzone-dmz-untrust] packet-filter 2001 outbound

    [Eudemon-interzone-dmz-untrust] quit
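How ordered ACL rules and the logging keyword turn a packet's quintuple into a permit/deny decision and a packet-filtering log record, modelled as an added example in Python around the manual's own ACL 2000, ACL 2001 and dmz-untrust interzone; this is not code from the manual or the Eudemon product. The wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored) and deny-by-default when no rule hits are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    source: str                  # dotted source address, or "any"
    wildcard: str = "0.0.0.0"    # assumption: 0 bit = must match, 1 bit = don't care
    logging: bool = False        # the "logging" keyword on the rule


@dataclass(frozen=True)
class Packet:
    """The quintuple the manual says packet-filtering logs are keyed on."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Source-address match of a basic ACL rule under a wildcard mask."""
    if rule.source == "any":
        return True
    src = int(ipaddress.IPv4Address(pkt.src))
    want = int(ipaddress.IPv4Address(rule.source))
    care = ~int(ipaddress.IPv4Address(rule.wildcard)) & 0xFFFFFFFF
    return (src & care) == (want & care)


def evaluate(acl: list, pkt: Packet, default: str = "deny"):
    """Rules are ordered: the first match decides. Returns (action, log),
    where log is a packet-filtering log record only if the hit rule
    carries 'logging', and None otherwise."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            log = None
            if rule.logging:
                log = {"rule_index": index, "action": rule.action,
                       "src": pkt.src, "dst": pkt.dst, "sport": pkt.sport,
                       "dport": pkt.dport, "proto": pkt.proto}
            return rule.action, log
    return default, None     # assumption: no hit falls through to the default


# The manual's sample ACLs:
#   acl 2000: rule permit source 192.168.0.100 0 logging
#   acl 2001: rule permit source any logging
ACL_2000 = [Rule("permit", "192.168.0.100", "0.0.0.0", logging=True)]
ACL_2001 = [Rule("permit", "any", logging=True)]

# firewall interzone dmz untrust: packet-filter 2000 inbound, 2001 outbound
INTERZONE_DMZ_UNTRUST = {"inbound": ACL_2000, "outbound": ACL_2001}


def filter_packet(pkt: Packet, direction: str):
    """Apply the ACL bound to the given direction of the dmz-untrust interzone."""
    return evaluate(INTERZONE_DMZ_UNTRUST[direction], pkt)
```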

    Enabling the Function of Sending NAT Logs and ASPF Logs

    This function provides log alarms for the NAT and ASPF features supported by the firewall. The log alarms are exported in binary form.

    Prerequisite

    The firewall has been connected to the network and basic configurations of the firewall have been

    completed.

    Context

    NAT is the process in which the IP address and port number of an internal host are replaced by the external IP address and port number of the firewall for outgoing packets, and the external IP address and port number of the firewall are translated back into the IP address and port number of the internal host in the reverse direction.

    ASPF is a packet filtering process applied at the application layer, that is, a state-based packet filtering process. It cooperates with the ordinary static firewall to implement the security policies of the Intranet. ASPF inspects application-layer sessions that attempt to pass through the firewall and blocks packets that do not comply with the security rules.

    Procedure

    1. Define an ACL.

    [Eudemon] acl 2000
    [Eudemon-acl-basic-2000] rule permit
    [Eudemon-acl-basic-2000] quit

    2. Configure a NAT address pool that has an ID and NAME attributes.

    [Eudemon] nat address-group 1 192.168.0.200 192.168.0.200

    3. Configure NAT Outbound between the Trust and Untrust zones. The addresses in the pool are referenced by the ID.

    [Eudemon] firewall interzone trust untrust

    [Eudemon-interzone-trust-untrust] nat outbound 2000 address-group 1

    4. Enable the inter-domain ASPF function of the firewall.

    [Eudemon-interzone-trust-untrust] detect ftp

    5. Enable the inter-domain session recording function of the firewall.

    [Eudemon-interzone-trust-untrust] session log enable acl-number 2000

    Enabling the Function of Sending Traffic Monitoring Logs

    The system makes statistics of the traffic on the firewall periodically.


    Prerequisite

    The firewall has been connected to the network and basic configurations of the firewall have been completed.

    Context

    NOTE: You do not need to configure the Eudemon 8000E. By default, the function of sending traffic monitoring logs is enabled.

    Procedure

    1. Display the system view.

    system-view

    2. Enable the system statistics function.

    [Eudemon] firewall statistic system enable

    3. If you are using the Eudemon 1000 series firewall or the Eudemon 8080, you also need to configure the log statistics type.

    [Eudemon] firewall log stream enable

    Enabling the Function of Sending Blacklist Logs

    Secoway eLog provides log alarms for the blacklist features supported by the firewall. The log alarms are generated in Syslog form.

    Prerequisite

    The firewall has been connected to the network and basic configurations of the firewall have been

    completed.

    Context

    The blacklist is a method of filtering packets according to their source IP addresses. Compared with ACL-based packet filtering, the blacklist function has relatively simple matching fields and can filter packets at high speed. This helps the firewall filter packets sent from specific IP addresses.

    A major feature of the blacklist function is that entries can be added or deleted by the Eudemon firewall dynamically. When the firewall detects an attack attempt from a specific IP address by analyzing packet behavior, it adds the IP address to the blacklist automatically and filters packets sent from that address. The blacklist function is thus an important security feature of the firewall.

    Procedure

    1. Display the system view.

    system-view


    2. Enable the blacklist function.

    [Eudemon] firewall blacklist enable

    3. Add an IP address (X.X.X.X, for example, 7.7.7.72) to the blacklist manually.

    [Eudemon] firewall blacklist item X.X.X.X

    Enabling the Function of Sending Address Binding Logs

    The Secoway eLog provides log alarms for the address binding features supported by the firewall. The log alarms are generated in Syslog form.

    Prerequisite

    The firewall is connected to the network, and basic configurations of the firewall have been completed.

    Context

    NOTE: The Eudemon 8000E does not support this function.

    MAC address and IP address binding means that the firewall sets up an association between a specific MAC address and IP address according to the user configuration. If a packet claims to come from this IP address but its MAC address is not the one in the association, the firewall discards the packet. A packet sent to this IP address is forcibly forwarded to the bound MAC address when it passes through the firewall. This is an effective protection against IP address spoofing attacks.

    MAC address and IP address binding is generally used on connections to layer-2 switches and helps prevent IP address spoofing, ARP flood, and DHCP flood attacks. It is also applicable to user authentication.

    Procedure

    1. Display the system view.

    system-view

    2. Enable the MAC address binding function.

    [Eudemon] firewall mac-binding enable

    3. Bind X.X.X.X with 00E0-4C77-1EF3.

    [Eudemon] firewall mac-binding X.X.X.X 00E0-4C77-1EF3

    Enabling the Function of Sending Attack Defending Logs

    The Secoway eLog provides log alarms for the attack defending features supported by the firewall.

    The log alarms are generated in the Syslog form.


    Prerequisite

    The firewall has been connected to the network and basic configurations of the firewall have been completed.

    Procedure

    1. Display the system view.

    system-view

    2. Enable the attack defending function.

    Enable the function of defending against a single type of attack, such as SYN flood.

    [Eudemon] firewall defend syn-flood enable

    Enable the function of defending against all types of attacks.

    [Eudemon] firewall defend all enable