05-Attack Protection Configuration Guide-Book
Copyright 2012, Hangzhou H3C Technologies Co., Ltd. and its licensors
Preface
The H3C SecPath Series Firewalls and UTM Devices documentation set includes 10 configuration guides,
which describe the software features for the H3C SecPath Series Firewalls and UTM Devices and guide
you through the software configuration procedures. These configuration guides also provide
configuration examples to help you apply software features to different network scenarios.
The Attack Protection Configuration Guide describes how to configure attack detection and protection,
ARP attack protection, TCP attack protection, ND attack protection, firewall, content filtering, URPF, IDS
collaboration, and advanced security protection.
This preface includes:
Audience
Conventions
Obtaining documentation
Technical support
Documentation feedback
Audience
This documentation is intended for:
Network planners
Network administrators working with the H3C SecPath Series Firewalls and UTM Devices
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
GUI conventions
Convention: Description
Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
WARNING: An alert that calls attention to important information that, if not understood or followed, can result in personal injury.
CAUTION: An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT
NOTE
TIP
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] Provides the documentation released with the
software version.
Technical support
service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Contents
Configuring attack detection and protection 1
Overview 1
Types of network attacks the device can defend against 1
Connection limit 3
Blacklist function 3
Traffic statistics function 4
TCP proxy 4
Intrusion detection statistics 6
Configuring attack detection and protection in the Web interface 7
Configuring packet inspection 7
Packet inspection configuration example 8
Configuring traffic abnormality detection 9
Traffic abnormality detection configuration example 18
Configuring TCP proxy 22
TCP proxy configuration example 25
Configuring blacklist 27
Blacklist configuration example 29
Displaying intrusion detection statistics 32
Configuring the attack detection and protection at the CLI 34
Attack detection and protection configuration task list 34
Creating an attack protection policy 35
Enabling attack protection logging 35
Configuring an attack protection policy 35
Applying an attack protection policy to a security zone 39
Configuring TCP proxy 40
Configuring the blacklist function 40
Displaying and maintaining attack detection and protection 41
Attack protection functions on security zones configuration example 42
Blacklist configuration example 44
Traffic statistics configuration example 45
TCP proxy configuration example 47
Configuring ARP attack protection 49
Overview 49
ARP attack protection configuration task list 49
Configuring unresolvable IP attack protection 50
Configuring ARP source suppression 50
Enabling ARP black hole routing 50
Displaying and maintaining ARP source suppression 51
Unresolvable IP attack protection configuration example 51
Configuring source MAC based ARP attack detection 52
Displaying and maintaining source MAC based ARP attack detection 53
Source MAC based ARP attack detection configuration example 53
Configuring ARP packet source MAC consistency check 54
Configuring ARP active acknowledgement 55
Configuring periodic sending of gratuitous ARP packets 56
Configuration restrictions and guidelines 57
Configuring periodic sending of gratuitous ARP packets 57
Configuring ARP detection 58
Index 172
Single-packet attack
Single-packet attack is also called malformed packet attack because many single-packet attacks use
defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags.
A single-packet attack occurs when:
An attacker sends defective IP packets to a target, causing the target system to malfunction or crash.
An attacker sends large quantities of junk packets to the network, using up the network bandwidth.
Table 1 lists the single-packet attacks that can be prevented by the device.
Table 1 Types of single-packet attacks
Single-packet attack
Description
Fraggle
An attacker sends large amounts of UDP echo requests with the UDP port number being 7 or Chargen packets with the UDP port number being 19, resulting in a large quantity of junk replies and eventually exhausting the bandwidth of the target network.
ICMP Redirect
An attacker sends ICMP redirect messages to a user host to modify the host's routing table, interfering with the normal forwarding of IP packets.
ICMP Unreachable
Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for the destination. By sending ICMP unreachable packets, an attacker can cut off the connection between the target host and the network.
Land
An attacker sends a great number of TCP SYN packets using the target IP address as both the source and destination IP addresses, exhausting the half-open connection resources of the target and thereby making the target unable to provide services normally.
Large ICMP
For some hosts and devices, large ICMP packets cause a memory allocation error and thus crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.
Route Record
An attacker exploits the route record option in the IP header to probe the topology of a network.
Smurf
An attacker sends an ICMP echo request to the broadcast address or the network address of the target network. As a result, all hosts on the target network reply to the request, congesting the network and leaving the hosts on the target network unable to provide services.
Source Route
An attacker exploits the source route option in the IP header to probe the topology of a network.
TCP Flag
Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such TCP flags to a target host to probe its operating system. If the operating system cannot process such packets properly, the attacker successfully makes the host crash.
Tracert
An attacker exploits the Tracert program to probe the network topology. The Tracert program sends batches of UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the packet passes each router. Upon receiving a packet with a TTL of 0, a router must send an ICMP time exceeded message back to the source IP address of the packet. The Tracert program uses these returning packets to figure out the hosts that the packets have traversed from the source to the destination.
WinNuke
An attacker sends Out-of-Band (OOB) data with the pointer field values overlapped to the NetBIOS port (139) of a Windows system with an established connection to introduce a NetBIOS fragment overlap, causing the system to crash.
Scanning attack
An attacker uses scanning tools to scan host addresses and ports in a network, so as to find possible targets and the services enabled on them and to figure out the network topology, in preparation for further attacks on the target hosts.
Scanning detection detects scanning attempts by tracking the rates at which connections are initiated to
protected systems. Usually, it is deployed on the device for the external security zone and takes effect for
packets from the security zone.
If the device detects that the connection rate of an IP address has reached or exceeded the threshold, it outputs an attack alarm log, blocks subsequent connection requests from the IP address, and blacklists the IP address, depending on your configuration.
Flood attack
An attacker sends a large number of forged requests to the targets in a short time, so that the target systems are too busy to provide services for legitimate users, resulting in denial of service.
The device can effectively defend against the following types of flood attacks:
Flood detection mainly protects servers against flood attacks. It detects flood attacks by tracking the
connection rates at which certain types of connection establishment requests are initiated to a server.
Usually, flood detection is deployed on the device for an internal security zone, and takes effect for
packets entering the security zone when an attack detection policy is configured for the security zone.
After you configure flood detection for a device, the device enters the attack detection state and starts to track the sending rates of packets destined for certain servers. If the sending rate of a certain type of packets destined for a server constantly reaches or exceeds the protection action threshold, the device considers the server to be under attack, transitions to the attack protection state, logs the event, and takes the attack protection actions as configured. Later, if the sending rate drops below the silent threshold, the device considers the attack over, returns to the attack detection state, and stops the attack protection actions.
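The two-threshold state machine described above, as an added example that is not part of this guide or of the H3C software: a small Python model in which a host's rate is sampled per 5-second interval, protection starts when the rate reaches the action threshold and stops when it drops below the silent threshold, and host-specific thresholds override the zone's global settings. The zone default values, the per-interval packet counts and the rule that a single interval at or above the action threshold is enough to switch state are constructed assumptions; the 10.1.1.2 thresholds (5000 and 1000 packets per second) are taken from the configuration example later in this guide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_INTERVAL_S = 5  # the device computes rates from statistics collected over 5-second intervals


@dataclass
class Thresholds:
    action: int  # packets/second at or above which the protection action starts
    silent: int  # packets/second below which the attack is considered over


@dataclass
class FloodDetector:
    """Tracks one packet type (for example SYN) toward the hosts of one security zone."""
    zone_defaults: Thresholds
    host_overrides: Dict[str, Thresholds] = field(default_factory=dict)
    state: Dict[str, str] = field(default_factory=dict)  # host -> "detection" or "protection"
    log: List[Tuple[str, str, float]] = field(default_factory=list)

    def thresholds_for(self, host: str) -> Thresholds:
        # Host-specific settings take precedence over the zone's global settings.
        return self.host_overrides.get(host, self.zone_defaults)

    def observe(self, host: str, packets_in_interval: int) -> str:
        """Feed one interval's packet count for a host and return the host's new state."""
        rate = packets_in_interval / SAMPLE_INTERVAL_S
        t = self.thresholds_for(host)
        state = self.state.get(host, "detection")
        # Two thresholds give hysteresis: a rate between silent and action changes nothing, so
        # the device does not flap between "attack" and "attack over" on every interval.
        # Assumption: one interval at or above the action threshold is enough to switch state.
        if state == "detection" and rate >= t.action:
            state = "protection"
            self.log.append((host, "flood detected, protection action on", rate))
        elif state == "protection" and rate < t.silent:
            state = "detection"
            self.log.append((host, "attack over, protection action off", rate))
        self.state[host] = state
        return state

    def drop_connection_request(self, host: str) -> bool:
        """The 'discard packets' action applies only while the host is in protection state."""
        return self.state.get(host) == "protection"


def run_demo() -> List[str]:
    """Walk the SYN flood settings of the configuration example (10.1.1.2: 5000/1000 pps)."""
    det = FloodDetector(
        zone_defaults=Thresholds(action=1000, silent=200),                  # constructed defaults
        host_overrides={"10.1.1.2": Thresholds(action=5000, silent=1000)},  # per-host override
    )
    # Constructed SYN counts per 5-second interval toward 10.1.1.2, i.e. 4000, 6000, 3000, 900
    # and 3000 packets per second. Note that 3000 pps keeps protection on in the third interval
    # but does not turn it back on in the fifth: that is the hysteresis.
    counts = [20000, 30000, 15000, 4500, 15000]
    return [det.observe("10.1.1.2", c) for c in counts]
```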
Connection limit
When an internal user initiates a large number of connections to a host on the external network in a short period of time, system resources on the device are quickly used up, which leaves the device unable to serve other users. In addition, if an internal server receives a large number of connection requests in a short period of time, the server is not able to process normal connection requests from other hosts.
To protect internal network resources (including hosts and servers) and distribute the resources of the device reasonably, you can set connection limits based on source or destination IP addresses for security zones. When a limit based on source or destination IP address is reached or exceeded, the device outputs an alarm log and discards subsequent connection requests from or to the IP address.
Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address. Compared
with ACL packet filtering, blacklist filtering is simpler in matching packets and therefore can filter packets
at a high speed. Blacklist filtering is very effective in filtering packets from certain IP addresses.
Working in conjunction with the scanning attack protection function or the user login authentication
function, the device can add blacklist entries automatically and can age such blacklist entries. More
specifically:
When the device detects a scanning attack from an IP address according to the packet behavior, it
adds the IP address to the blacklist. Thus, packets from the IP address are filtered.
When the device detects that an FTP, Telnet, SSH, SSL, or web user has failed to provide the correct
username, password, or verification code (for a web login user) after the maximum number of
attempts, it considers the user an attacker, adds the IP address of the user to the blacklist, and filters
subsequent login requests from the user. This mechanism can effectively prevent attackers from
cracking login passwords through repeated login attempts. The maximum number of login failures
is six, the blacklist entry aging time is 10 minutes, and they are not configurable.
The device also allows you to add and delete blacklist entries manually. Blacklist entries added manually
can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry always exists in
the blacklist unless you delete it manually. You can configure the aging time of a non-permanent entry.
After the timer expires, the device automatically deletes the blacklist entry, allowing packets from the
corresponding IP address to pass.
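To make the scanning-detection and login-failure behaviour described above concrete, here is an added Python model that is not H3C code: a source-IP blacklist with permanent and aging entries, a scanning detector that blacklists a source once its connection rate reaches the threshold, and a login guard that applies the fixed six-failure, ten-minute rule. The one-second counting window, the traffic and the 600-second lifetime of scanning entries are constructed assumptions; the 4500 connections per second threshold and the Host C and Host D entries come from the configuration examples later in this guide.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_LOGIN_FAILURES = 6         # fixed by the device (FTP, Tel-net, SSH, SSL and web logins)
LOGIN_BLACKLIST_AGING_S = 600  # 10 minutes, also fixed by the device


@dataclass
class BlacklistEntry:
    ip: str
    add_method: str               # "manual" or "auto"
    start_time: float             # simulated clock, in seconds
    hold_time_s: Optional[float]  # None means a permanent entry
    dropped_count: int = 0

    def expired(self, now: float) -> bool:
        return self.hold_time_s is not None and now >= self.start_time + self.hold_time_s


class Blacklist:
    """Source-IP filter: one dictionary lookup per packet, which is why it is cheaper than an ACL."""
    def __init__(self) -> None:
        self.entries: Dict[str, BlacklistEntry] = {}

    def add(self, ip: str, now: float, hold_time_s: Optional[float] = None,
            add_method: str = "manual") -> None:
        self.entries[ip] = BlacklistEntry(ip, add_method, now, hold_time_s)

    def filter_packet(self, src_ip: str, now: float) -> bool:
        """Return True if the packet is dropped; non-permanent entries age out lazily."""
        entry = self.entries.get(src_ip)
        if entry is None:
            return False
        if entry.expired(now):
            del self.entries[src_ip]
            return False
        entry.dropped_count += 1
        return True


class ScanDetector:
    """Counts connection attempts per source in a one-second window (window length is an assumption)."""
    def __init__(self, threshold_cps: int, lifetime_s: float, blacklist: Blacklist) -> None:
        self.threshold_cps, self.lifetime_s, self.blacklist = threshold_cps, lifetime_s, blacklist
        self.window: Dict[str, int] = {}
        self.window_start = 0.0
        self.alarms: List[str] = []

    def new_connection(self, src_ip: str, now: float) -> bool:
        """Return True if the connection request is let through."""
        if now - self.window_start >= 1.0:  # start a fresh one-second counting window
            self.window, self.window_start = {}, now
        if self.blacklist.filter_packet(src_ip, now):
            return False
        self.window[src_ip] = self.window.get(src_ip, 0) + 1
        if self.window[src_ip] >= self.threshold_cps:
            # Threshold reached: alarm log, blacklist the source for the configured lifetime, block.
            self.alarms.append(f"scanning attack from {src_ip}")
            self.blacklist.add(src_ip, now, self.lifetime_s, add_method="auto")
            return False
        return True


class LoginGuard:
    """Blacklists a source after the fixed number of failed logins."""
    def __init__(self, blacklist: Blacklist) -> None:
        self.failures: Dict[str, int] = {}
        self.blacklist = blacklist

    def login_failed(self, src_ip: str, now: float) -> None:
        self.failures[src_ip] = self.failures.get(src_ip, 0) + 1
        if self.failures[src_ip] >= MAX_LOGIN_FAILURES:
            del self.failures[src_ip]
            self.blacklist.add(src_ip, now, LOGIN_BLACKLIST_AGING_S, add_method="auto")


def run_demo() -> dict:
    bl = Blacklist()
    bl.add("5.5.5.5", now=0.0)                           # Host D: permanent manual entry
    bl.add("192.168.1.5", now=0.0, hold_time_s=50 * 60)  # Host C: manual entry held for 50 minutes
    scan = ScanDetector(threshold_cps=4500, lifetime_s=600.0, blacklist=bl)
    guard = LoginGuard(bl)
    # Constructed traffic: 203.0.113.7 opens 4600 connections within one second at t=1000 s and
    # 198.51.100.9 fails six logins at t=1001 s.
    accepted = sum(scan.new_connection("203.0.113.7", 1000.0 + i / 10000) for i in range(4600))
    for _ in range(MAX_LOGIN_FAILURES):
        guard.login_failed("198.51.100.9", 1001.0)
    return {
        "scanner_connections_accepted": accepted,
        "scanner_blocked_100s_later": bl.filter_packet("203.0.113.7", 1100.0),
        "scanner_blocked_after_lifetime": bl.filter_packet("203.0.113.7", 1601.0),
        "host_d_blocked_after_one_day": bl.filter_packet("5.5.5.5", 86400.0),
        "host_c_blocked_at_49_min": bl.filter_packet("192.168.1.5", 49 * 60.0),
        "host_c_blocked_at_50_min": bl.filter_packet("192.168.1.5", 50 * 60.0),
        "brute_forcer_blocked": bl.filter_packet("198.51.100.9", 1002.0),
        "alarms": scan.alarms,
    }
```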
Traffic statistics function
The device collects statistics to calculate the session establishment rates at an interval of 5 seconds. Therefore, the session establishment rates displayed on the device are based on the statistics collected during the latest 5-second interval.
The traffic statistics function does not take the session state into account (except for the TCP half-open and half-close states). Whenever a session is established, the count increases by 1, and whenever a session is deleted, the count decreases by 1.
TCP proxy
The TCP proxy function can protect servers from SYN flood attacks. A device enabled with the TCP proxy
function can function as a TCP proxy between TCP clients and servers. Upon detecting a SYN flood
attack, the device can add a protected IP address entry for the attacked server and use the TCP proxy
function to inspect and process all subsequent TCP requests destined to the server.
TCP proxy can operate in two modes:
Unidirectional proxy: Processes only packets from TCP clients to TCP servers.
Bidirectional proxy: Processes packets from both TCP clients and TCP servers.
You can choose a proper mode according to your network scenario. For example, if packets from TCP clients to a server go through the TCP proxy but packets from the server to clients do not, as shown in Figure 1, configure unidirectional proxy.
Figure 1 Network diagram for unidirectional proxy
If all packets between TCP clients and a server go through the TCP proxy, as shown in Figure 2, you can configure unidirectional proxy or bidirectional proxy as desired.
Figure 2 Network diagram for unidirectional/bidirectional proxy
Unidirectional proxy
Message exchange in unidirectional proxy mode (client, TCP proxy, TCP server): 1) SYN; 2) SYN ACK (invalid sequence number); 3) RST; 4) SYN (retransmitting); 5) SYN (forwarding); 6) SYN ACK; 7) ACK; 8) ACK (forwarding).
When the TCP proxy receives a SYN message sent from a client to a protected server, it sends back a
SYN ACK message that uses a wrong sequence number on behalf of the server. The client, if legitimate,
responds with an RST message. If the TCP proxy receives an RST message from the client, it considers the
client legitimate, and forwards SYN messages that the client sends to the server during a period of time
so that the client can establish a TCP connection to the server. After the TCP connection is established, the
TCP proxy forwards the subsequent packets of the connection without any processing.
Unidirectional proxy mode can satisfy the requirements of most environments. Generally, servers do not
initiate attacks to clients, and packets from servers to clients do not need to be inspected by the TCP proxy.
In this case, you can configure a TCP proxy to inspect only packets that clients send to servers. To filter
packets destined to clients, you can deploy a firewall as required.
The unidirectional proxy mode requires that the clients use the standard TCP protocol suite. Legitimate
clients that use non-standard TCP protocol suites may be considered illegitimate by the TCP proxy. In
addition, when the TCP proxy function works, a client takes more time to establish a TCP connection to
a server because the client must send an RST message to the server to reinitiate a TCP connection request.
Bidirectional proxy
After receiving a SYN message from a client to a protected server, the TCP proxy sends back a SYN ACK
message with the window size of 0 on behalf of the server. If the client is legitimate, the TCP proxy
receives an ACK message. Upon receiving an ACK message from the client, the TCP proxy sets up a
connection between itself and the server through a three-way handshake on behalf of the client. Thus,
two TCP connections are established, and the two connections use different sequence numbers.
In bidirectional proxy mode, the TCP proxy plays two roles: a virtual server that communicates with
clients and a virtual client that communicates with servers. To use this mode, you must deploy the TCP
proxy on the key path that passes through the ingress and egress of the protected servers, and make sure
all packets that the clients send to the server and all packets that the servers send to the clients pass
through the TCP proxy device.
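An added simulation, not H3C code, of the two proxy modes described above: in unidirectional mode the proxy answers a SYN with a SYN ACK carrying an ack number the client never sent and forwards SYNs only from sources that reply with an RST; in bidirectional mode it completes the client's handshake with a window of 0 and then opens a separate connection to the server in its own sequence space. A forged-source SYN flood and a standards-compliant client are run against each mode, plus a "none" mode that shows what the same flood costs the server without a proxy. The 30-second trust period, the sequence numbers and the client addresses are constructed assumptions; the server address 10.1.1.2 is taken from the configuration example.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVER_IP = "10.1.1.2"  # protected server address taken from the configuration example
TRUST_PERIOD_S = 30.0   # assumed length of the "period of time" a verified client stays trusted


@dataclass
class Segment:
    src: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "RST"; the destination is implied by direction
    seq: int = 0
    ack: int = 0
    window: int = 65535


class Server:  # protected server: every unanswered SYN costs it a half-open connection entry
    def __init__(self) -> None:
        self.isn = itertools.count(100_000, 1_000)
        self.half_open: Dict[str, int] = {}
        self.established: List[str] = []

    def receive(self, seg: Segment) -> Optional[Segment]:
        if seg.flags == "SYN":
            self.half_open[seg.src] = isn = next(self.isn)
            return Segment(SERVER_IP, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK" and seg.src in self.half_open:
            self.established.append(seg.src)
            del self.half_open[seg.src]


class TcpProxy:
    def __init__(self, mode: str, server: Server) -> None:
        self.mode, self.server = mode, server  # mode: "none", "unidirectional" or "bidirectional"
        self.isn = itertools.count(1, 7)       # the proxy's own sequence space
        self.trusted: Dict[str, float] = {}    # unidirectional: verified client -> trust expiry
        self.client_side: Dict[str, int] = {}  # bidirectional: proxy ISN used toward each client
        self.server_side: Dict[str, int] = {}  # bidirectional: proxy ISN used toward the server

    def from_client(self, seg: Segment, now: float) -> List[Segment]:
        # Process one client->server segment and return what the client receives back.
        if self.mode == "unidirectional":
            return self._unidirectional(seg, now)
        if self.mode == "bidirectional":
            return self._bidirectional(seg)
        reply = self.server.receive(seg)       # "none": the flood reaches the server untouched
        return [reply] if reply else []

    def _unidirectional(self, seg: Segment, now: float) -> List[Segment]:
        if seg.flags == "RST":
            # Only a real host that got the bogus SYN-ACK can reset it: trust its SYNs for a while.
            self.trusted[seg.src] = now + TRUST_PERIOD_S
            return []
        if now < self.trusted.get(seg.src, 0.0):
            reply = self.server.receive(seg)   # forwarded; the server answers the client directly
            return [reply] if reply else []
        if seg.flags == "SYN":
            # Answer on the server's behalf with an ack number that cannot match the client's SYN.
            bad_ack = (seg.seq + 0x4000_0000) & 0xFFFF_FFFF
            return [Segment(SERVER_IP, "SYN-ACK", seq=next(self.isn), ack=bad_ack)]
        return []                              # unverified source: nothing reaches the server

    def _bidirectional(self, seg: Segment) -> List[Segment]:
        if seg.flags == "SYN":
            # Virtual server: finish the handshake but advertise window 0 so the client sends no data yet.
            self.client_side[seg.src] = isn = next(self.isn)
            return [Segment(SERVER_IP, "SYN-ACK", seq=isn, ack=seg.seq + 1, window=0)]
        if seg.flags == "ACK" and seg.src in self.client_side and seg.src not in self.server_side:
            # Virtual client: open the real connection only now, in a second sequence space.
            self.server_side[seg.src] = isn = next(self.isn)
            syn_ack = self.server.receive(Segment(seg.src, "SYN", seq=isn))
            self.server.receive(Segment(seg.src, "ACK", seq=isn + 1, ack=syn_ack.seq + 1))
            return [Segment(SERVER_IP, "ACK", seq=self.client_side[seg.src] + 1, ack=seg.seq)]
        return []


def legitimate_connect(proxy: TcpProxy, ip: str, now: float) -> bool:
    """Standard TCP client: reset a SYN-ACK that acknowledges a number it never sent, then retry."""
    isn, syn = 5_000, Segment(ip, "SYN", seq=5_000)
    for _ in range(2):                         # the original SYN plus one retransmission after an RST
        replies = proxy.from_client(syn, now)
        if not replies or replies[0].flags != "SYN-ACK":
            return False
        if replies[0].ack != isn + 1:
            proxy.from_client(Segment(ip, "RST", seq=replies[0].ack), now)
            continue
        proxy.from_client(Segment(ip, "ACK", seq=isn + 1, ack=replies[0].seq + 1), now)
        return True
    return False


def spoofed_syn_flood(proxy: TcpProxy, count: int, now: float) -> None:
    # Constructed forged-source SYNs: the forged hosts never see the SYN-ACK, so never RST or ACK.
    for i in range(count):
        proxy.from_client(Segment(f"198.51.{i // 256}.{i % 256}", "SYN", seq=i), now)


def run_demo(mode: str) -> dict:
    server, ip = Server(), "192.168.1.5"
    proxy = TcpProxy(mode, server)
    spoofed_syn_flood(proxy, 1000, now=0.0)
    result = {"half_open_after_flood": len(server.half_open), "server_established": server.established}
    result["legit_connected"] = legitimate_connect(proxy, ip, now=1.0)
    result["two_sequence_spaces"] = proxy.client_side.get(ip) != proxy.server_side.get(ip)  # bidirectional
    return result
```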
1. From the navigation tree, select Intrusion Detection > Packet Inspection.
3. Click Apply.
Configuring Firewall
2. Enable Land attack detection and Smurf attack detection for the untrusted zone:
a. From the navigation tree, select Intrusion Detection > Packet Inspection.
b. The packet inspection configuration page appears, as shown in Figure 7.
c. Select Untrust from the Zone list. Then select Discard Packets when the specified attack is detected, Enable Land Attack Detection, and Enable Smurf Attack Detection.
d. Click Apply.
Figure 7 Enabling Land and Smurf attack detection for the untrusted zone
1. From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood.
The ICMP flood detection configuration page appears, as shown in Figure 8.
3. In the Attack Prevention Policy area, select the Discard packets when the specified attack is detected box. Click Apply.
If you do not select the box, the device only collects ICMP flood attack statistics.
6. Click Apply.
Configuration items: Protected Host Configuration (IP Address, Action Threshold, Silent Threshold) and Global Configuration of Security Zone (Action Threshold, Silent Threshold).
NOTE:
Host-specific settings take precedence over the global settings for security zones.
1. From the navigation tree, select Intrusion Detection > Traffic Abnormality > UDP Flood.
The UDP flood detection configuration page appears.
3. In the Attack Prevention Policy area, select the Discard packets when the specified attack is detected box. Click Apply.
If you do not select the box, the device only collects UDP flood attack statistics.
6. Click Apply.
Configuration items: Protected Host Configuration (IP Address, Action Threshold, Silent Threshold) and Global Configuration of Security Zone (Action Threshold, Silent Threshold).
NOTE:
Host-specific settings take precedence over the global settings for security zones.
1. From the navigation tree, select Intrusion Detection > Traffic Abnormality > DNS Flood.
The DNS flood detection configuration page appears.
3. In the DNS Flood Attack Prevention Policy area, select Enable DNS Flood Attack Detection, and then click Apply.
The device will collect DNS flood attack statistics of the specified security zone, and output logs upon detecting DNS flood attacks.
6. Click Apply.
Configuration items: Protected Host Configuration (IP Address, Action Threshold) and Global Configuration of Security Zone (Action Threshold: set the protection action threshold for DNS flood attacks that target a host in the protected security zone).
NOTE:
Host-specific settings take precedence over the global settings for security zones.
1. From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood.
The SYN flood detection configuration page appears.
3. In the Attack Prevention Policy area, specify the protection actions to be taken upon detection of a SYN flood attack for the specified security zone. Click Apply.
If you do not select any option, the device only collects SYN flood attack statistics, depending on your configuration. The available protection actions include:
Discard packets when the specified attack is detected. If the device detects that a protected object in the security zone is under SYN flood attack, it drops the TCP connection requests to the protected host to block subsequent TCP connections.
Add protected IP entry to TCP Proxy. If the device detects that a protected object in the security zone is under SYN flood attack, it adds the target IP address to the protected IP list on the TCP proxy as a dynamic entry, with the port number set to any. If TCP proxy is configured for the security zone, all TCP connection requests to the IP address are processed by the TCP proxy until the protected IP entry ages out. If you select this option, configure the TCP proxy feature on the page you reach by selecting Intrusion Detection > TCP Proxy.
6. Click Apply.
Configuration items: Protected Host Configuration (IP Address, Action Threshold, Silent Threshold) and Global Configuration of Security Zone (Action Threshold; Silent Threshold: set the silent threshold for actions that protect against SYN flood attacks targeting a host in the protected security zone).
NOTE:
Host-specific settings take precedence over the global settings for security zones.
1. From the navigation tree, select Intrusion Detection > Traffic Abnormality > Connection Limit.
The connection limit configuration page appears.
2. Configure the connection limits for the security zone, as described in Table 7.
3. Click Apply.
Table 7 configuration items: Security Zone.
1. From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection.
The scanning detection configuration page appears.
2. Configure the scanning detection rule for the security zone, as described in Table 8.
3. Click Apply.
Table 8 configuration items:
Security Zone
Select this option to enable scanning detection for the security zone.
Scanning Threshold
If this option is selected, you can then set the lifetime of the blacklisted source IP addresses.
IMPORTANT:
Only when the blacklist feature is enabled can the scanning detection function blacklist a suspect and discard subsequent packets from the suspect.
Lifetime
Protect the internal network against scanning attacks from the external network.
Protect the internal server against SYN flood attacks from the external network.
Configuration considerations
To satisfy the requirements, perform the following configurations on the firewall:
Configure scanning detection for the untrusted zone, enable the function to add entries to the
blacklist, and set the scanning threshold to 4500 connections per second.
Configure source IP address-based connection limit for the trusted zone, and set the number of
connections each host can initiate to 100.
Configure destination IP address-based connection limit for the DMZ, and set the number of
connections the server can accommodate to 10000.
Configure SYN flood detection for the DMZ, and set the action threshold for attacks targeting the
internal server (for example, to 5000 packets per second) and the silent threshold (for example, to
1000 packets per second). Set the attack protection action to blocking subsequent packets destined
for the server.
2. Click Apply.
3. Click Apply.
4.
d. Select Enable connection limit per source IP and set the threshold to 100.
e. Click Apply.
5. Configure connection limits for the DMZ on the connection limit configuration page:
a. Select the security zone DMZ.
b. Select Discard packets when the specified attack is detected.
c. Select Enable connection limit per dest IP and set the threshold to 10000.
d. Click Apply.
6.
The SYN flood detection configuration page appears, as shown in Figure 23.
b. Select the security zone DMZ.
c. In the Attack Prevention Policy area, select Discard packets when the specified attack is detected.
d. Click Apply.
The SYN flood attack detection page appears, as shown in Figure 24.
g. Select Protected Host Configuration. Enter the IP address 10.1.1.2. Set the action threshold to 5000 packets per second and the silent threshold to 1000 packets per second.
h. Click Apply.
Figure 24 Configuring a SYN flood attack detection rule for the server
After a scanning attack packet is received from zone Untrust, the firewall outputs alarm logs and adds the IP address of the attacker to the blacklist. You can select Intrusion Detection > Blacklist from the navigation tree to check whether the attacker's IP address is on the blacklist.
If a host in zone Trust initiates 100 or more connections, the firewall outputs alarm logs and discards subsequent connection request packets from the host. You can select Intrusion Detection > Statistics from the navigation tree to view how many times the connection limit per source IP address has been exceeded and the number of packets dropped.
If the number of connections to the server in the DMZ reaches or exceeds 10000, the firewall outputs alarm logs and discards subsequent connection request packets. You can select Intrusion Detection > Statistics from the navigation tree to view how many times the connection limit per destination IP address has been exceeded and the number of packets dropped.
If a SYN flood attack is launched against the DMZ, the firewall outputs alarm logs and discards the attack packets. You can select Intrusion Detection > Statistics from the navigation tree to view the number of SYN flood attacks and the number of packets dropped.
Recommended configuration procedure (task and remarks):
Performing global TCP proxy setting: Optional. By default, bidirectional proxy is used.
Adding a protected IP address entry: You can configure a maximum of 250 protected IP addresses for each security zone through Web.
Configure to automatically add a protected IP address entry: ... and then select the Add protected IP entry to TCP Proxy check box. After the configuration, the TCP proxy-enabled device automatically adds protected IP address entries when detecting SYN flood attacks. For more information, see "Configuring traffic abnormality detection."
Displaying information about protected IP address entries: Optional.
1. From the navigation tree, select Intrusion Detection > TCP Proxy > TCP Proxy Configuration to enter the page shown in Figure 26.
2. In the Global Configuration area, select Unidirection or Bidirection for TCP proxy.
3. Click Apply.
1. From the navigation tree, select Intrusion Detection > TCP Proxy > TCP Proxy Configuration to enter the page shown in Figure 26.
2. In the Zone Configuration area, click Enable to enable the TCP proxy feature for a target zone.
The icon in the Status column changes to indicate that the TCP proxy feature is enabled. You can click Disable to disable the feature.
Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown
in Figure 27.
The page lists information about protected IP address entries and the relative statistics.
2.
Click Add to enter the page for configuring a protected IP address entry.
3.
Enter the destination IP address and select the port number of the TCP connection.
To protect all TCP connection requests to any port of the server at the destination IP address, select
Any from the Port Number list.
NOTE:
The Web performance is degraded if the IP address and port number of the administrator's host are set as
the protected IP entry.
Protected IP address entry configuration items:
Protected IP
Port Number: The option any specifies that TCP proxy services TCP connection requests to any port of the server at the destination IP address.
Protected IP address entry display items:
Type
Lifetime(min): Lifetime for the IP address entry under protection. No lifetime is displayed for static IP address entries. When the time reaches 0, the protected IP address entry is deleted.
Number of Rejected
Configuring Firewall
1. Assign IP addresses for the interfaces and then add interface GigabitEthernet 1/1 to zone Untrust, and GigabitEthernet 1/2 to zone Trust. (Details not shown.)
2. Set the TCP proxy mode to bidirectional and enable TCP proxy for zone Untrust:
a. From the navigation tree, select Intrusion Detection > TCP Proxy > TCP Proxy Configuration.
Figure 31 Select the bidirectional mode and enable TCP proxy for zone Untrust
c. In the Zone Configuration area, click Enable for the Untrust zone.
d. Click Apply.
e. Configure the SYN flood detection feature, specifying to automatically add protected IP address entries:
i. From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood.
ii. In the Attack Prevention Policy area, select Trust from the Security Zone list.
iii. Select the Add protected IP entry to TCP Proxy box in the Attack Prevention Policy area.
iv. Click Apply.
Configuring blacklist
Recommended configuration procedure
Step 1: Enabling the blacklist function. Remarks: Required.
Step 2: Remarks: Optional.
Step 3: Configuring the scanning detection feature to add blacklist entries automatically. Remarks: Optional. For more information about scanning detection configuration, see "Configuring traffic abnormality detection." By default, the scanning detection feature is disabled.
Step 4: Viewing the blacklist. Remarks: Optional.
3. Click Apply.
2. Click Add to enter the blacklist entry configuration page as shown in Figure 36.
4. Click Apply.
Blacklist entry configuration items:
IP Address
Hold Time
Configure the entry to be a non-permanent one and specify a lifetime for it.
Permanence
Blacklist display items:
IP Address: Blacklisted IP address.
Add Method
IMPORTANT:
Once modified manually, an auto entry becomes a manual one.
Start Time
Hold Time
Dropped Count
Block packets from Host D forever (it is assumed that Host D is an attack source).
Block packets from Host C within 50 minutes, so as to control access of the host.
Perform scanning detection for traffic from the untrusted zone and, upon detecting a scanning
attack, blacklist the source. The scanning threshold is 4500 connections per second.
Network diagram: the firewall connects GE0/1 (202.1.0.1/16, zone Untrust) to the Internet and GE0/2 (192.168.1.1/16, zone Trust) to the internal network. Host B and Host C (192.168.1.5/16) are in zone Trust; Host D (5.5.5.5/24) is on the Internet side.
1. Assign IP addresses and security zones to the interfaces. (Details not shown.)
2. In the Global Configuration area, select Enable Blacklist, and click Apply.
d. Click Apply.
3. Click Apply.
f. Click Apply.
5. Configure scanning detection for the untrusted zone, as shown in Figure 42:
a. From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection.
b. Select the security zone Untrust.
c. Click Apply.
The firewall discards all packets from Host D before you remove the blacklist entry for the host. If the
firewall receives packets from Host C, the firewall discards all packets from Host C within 50 minutes.
After 50 minutes, the firewall forwards packets from Host C normally.
The firewall outputs an alarm log and adds the IP address to the blacklist when detecting a scanning
attack from the untrusted zone. You can select Intrusion Detection > Blacklist from the navigation tree to
view the blacklist entry automatically added by scanning attack protection.
1. From the navigation tree, select Intrusion Detection > Statistics to enter the intrusion detection statistics page, as shown in Figure 44.
2. Select a zone to view the counts of attacks and the counts of dropped packets in the security zone.
Descriptions of attack types are shown in Table 12.
Attack type: Description
Fraggle: A Fraggle attack occurs when an attacker sends a large number of UDP echo requests with the UDP port number of 7 or Chargen packets with the UDP port number of 19. This results in a large quantity of junk replies, and finally exhausts the bandwidth of the target network.
ICMP Redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table. This interferes with the normal forwarding of IP packets.
ICMP Unreachable: Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for the destination. By sending ICMP unreachable packets, an ICMP unreachable attacker can cut off the connection between the target host and the network.
Land: A Land attack occurs when an attacker sends a great number of TCP SYN packets with both the source and destination IP addresses specified as the IP address of the target. This exhausts the half-open connection resources of the victim and stops the target from working properly.
Large ICMP: For some hosts and devices, large ICMP packets cause a memory allocation error and crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.
Route Record: A route record attack exploits the route record option in the IP header to probe the topology of a network.
Scan: A scanning attack probes the addresses and ports on a network to identify the hosts attached to the network and the application ports available on the hosts. It then works out the topology of the network in preparation for further attacks.
Source Route: A source route attack exploits the source route option in the IP header to probe the topology of a network.
Smurf: A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address or the network address of the target network. As a result, all hosts on the target network reply to the requests. This causes network congestion, and hosts on the target network cannot provide services.
TCP Flag: Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such TCP flags to a target to probe its operating system. If the operating system cannot process such packets properly, the host crashes.
Tracert: The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 each time the packet passes a router. When a router gets a packet with a TTL of 0, the router must send an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to map the network topology.
WinNuke: A WinNuke attacker sends out-of-band data with overlapping pointer field values to the NetBIOS port (139) of a Windows system with an established connection to introduce a NetBIOS fragment overlap. This causes the system to crash.
SYN Flood: A SYN flood attack exploits TCP SYN packets. Because of resource limitations, the number of TCP connections that can be created on a device is limited. A SYN flood attacker sends a barrage of spurious SYN packets to a victim to initiate TCP connections. As the SYN_ACK packets that the victim sends in response never get acknowledgments, large numbers of half-open connections are created and retained on the victim. This makes the victim inaccessible until the number of half-open connections drops to a reasonable level as the half-open connections time out. In this way, a SYN flood attack exhausts system resources such as memory on a system whose implementation does not limit the creation of connections.
ICMP Flood: An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo requests (such as ping packets) in a short period. This prevents the victim from providing normal services.
UDP Flood: A UDP flood attack overwhelms the victim with an enormous number of UDP packets in a short period. This prevents the victim from providing normal services.
DNS Flood: A DNS flood attack overwhelms the victim with an enormous number of DNS query requests in a short period. This prevents the victim from providing normal services.
Number of connections per source IP exceeds the threshold: When an internal user initiates a large number of connections to a host on the external network in a short period of time, system resources on the device are soon used up. This makes the device unable to serve other users.
Number of connections per dest IP exceeds the threshold
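The single-packet signatures in the first half of Table 12 (Land, Large ICMP, Smurf, Fraggle, WinNuke, ICMP redirect/unreachable, route record, source route, TCP flag, Tracert) can be expressed as a small classifier. The following Python code is an added example, not H3C firmware or code from this guide: it tags constructed packet summaries with the attack-type names used above. The Packet fields, the flag combinations counted as "TCP Flag", and the traceroute probe shape are assumptions of this example; the 4000-byte large-ICMP limit is the guide's default for signature-detect large-icmp max-length.

```python
from dataclasses import dataclass
from typing import List, Optional

LARGE_ICMP_MAX_LENGTH = 4000  # the guide's default for signature-detect large-icmp max-length


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary (an assumption of this example, not a capture format)."""
    src: str
    dst: str
    proto: str                           # "tcp", "udp" or "icmp"
    length: int = 64                     # total IP length in bytes
    ttl: int = 64
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()       # TCP flag names, e.g. frozenset({"SYN"})
    urg_pointer: int = 0                 # TCP urgent pointer; non-zero marks out-of-band data
    icmp_type: Optional[int] = None      # 8 = echo request, 5 = redirect, 3 = unreachable
    ip_options: frozenset = frozenset()  # "rr" = record route, "lsrr"/"ssrr" = source route
    dst_is_broadcast: bool = False       # destination is a broadcast or network address


# Assumption: flag combinations that no normal TCP stack emits (null, SYN+FIN, Xmas).
ODD_TCP_FLAGS = (frozenset(), frozenset({"SYN", "FIN"}), frozenset({"FIN", "URG", "PSH"}))


def classify(p: Packet) -> List[str]:
    """Return the names of the signature attack types from the table that the packet matches."""
    hits: List[str] = []
    if p.proto == "tcp":
        if "SYN" in p.flags and p.src == p.dst:
            hits.append("Land")
        if p.flags in ODD_TCP_FLAGS:
            hits.append("TCP Flag")
        if p.dport == 139 and "URG" in p.flags and p.urg_pointer > 0:
            hits.append("WinNuke")
    elif p.proto == "udp":
        if p.dport in (7, 19) and p.dst_is_broadcast:   # echo/chargen to a broadcast address
            hits.append("Fraggle")
        if p.dport >= 33434 and p.ttl <= 1:              # assumption: traceroute-style probe
            hits.append("Tracert")
    elif p.proto == "icmp":
        if p.length > LARGE_ICMP_MAX_LENGTH:
            hits.append("Large ICMP")
        if p.icmp_type == 8 and p.dst_is_broadcast:
            hits.append("Smurf")
        if p.icmp_type == 5:
            hits.append("ICMP Redirect")
        if p.icmp_type == 3:
            hits.append("ICMP Unreachable")
    if "rr" in p.ip_options:
        hits.append("Route Record")
    if p.ip_options & {"lsrr", "ssrr"}:
        hits.append("Source Route")
    return hits


def count_hits(packets: List[Packet]) -> dict:
    """Tally matches per attack type, the way the statistics page counts them per zone."""
    counts: dict = {}
    for p in packets:
        for name in classify(p):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample traffic: one packet per signature plus one benign SYN.
SAMPLE = [
    Packet("10.1.1.2", "10.1.1.2", "tcp", dport=80, flags=frozenset({"SYN"})),              # Land
    Packet("198.51.100.9", "10.1.1.2", "icmp", length=5000, icmp_type=8),                  # Large ICMP
    Packet("198.51.100.9", "10.1.255.255", "icmp", icmp_type=8, dst_is_broadcast=True),   # Smurf
    Packet("198.51.100.9", "10.1.255.255", "udp", dport=7, dst_is_broadcast=True),        # Fraggle
    Packet("198.51.100.9", "10.1.1.2", "tcp", dport=139, flags=frozenset({"ACK", "URG"}),
           urg_pointer=3),                                                                 # WinNuke
    Packet("198.51.100.9", "10.1.1.2", "tcp", dport=80, flags=frozenset({"SYN"})),         # benign
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src} -> {p.dst}/{p.proto}: {classify(p) or ['ok']}")
```

The flood and scan rows of the table are rate-based rather than per-packet signatures, so they are deliberately absent from classify(); they need counters over time, which the policy's rate thresholds provide.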
Configuring attack protection functions for a security zone. To do so, you need to create an attack protection policy, configure the required attack protection functions (such as Smurf attack protection, scanning attack protection, and flood attack protection) in the policy, and then apply the policy to the security zone. There is no specific configuration order for the attack functions, and you can configure them as needed.
Configuring a TCP proxy when the SYN flood attack protection policy specifies the processing method for SYN flood attack packets as TCP proxy.
Configuring the blacklist function. This function can be used independently or used in conjunction with the scanning attack protection function on a security zone.
Enabling the traffic statistics function. This function can be used independently.
Task: Remarks
Configuring attack protection functions for a security zone:
Creating an attack protection policy (Required.)
(Optional.)
(Required. Configure one or more policies as needed.)
(Required.)
(Optional.)
(Optional.)
(Optional.)
To create an attack protection policy:
Step | Command | Remarks
1. system-view (N/A)
2. switchto vd vd-name
3. attack-defense policy policy-number [ zone zone-name ]
To enable attack protection logging:
Step | Command | Remarks
1. system-view (N/A)
2. Enable attack protection logging: attack-defense logging enable (Optional. By default, attack protection logging is disabled.)
To configure signature detection:
Step | Command | Remarks
1. system-view (N/A)
2. switchto vd vd-name
3. attack-defense policy policy-number (N/A)
4. signature-detect { fraggle | icmp-redirect | icmp-unreachable | land | large-icmp | route-record | smurf | source-route | tcp-flag | tracert | winnuke } enable
5. signature-detect large-icmp max-length length (Optional. 4000 bytes by default.)
6. signature-detect action drop-packet (Optional.)
Step | Command | Remarks
1. system-view (N/A)
2. switchto vd vd-name
3. attack-defense policy policy-number (N/A)
4. (Disabled by default.)
5. (Optional.)
6.
7.
8. (Optional. By default:)
quit (N/A)
blacklist enable
Step | Command | Remarks
1. system-view (N/A)
2. switchto vd vd-name
3. attack-defense policy policy-number (N/A)
4. (Disabled by default.)
(Optional.)
5.
6. (Optional.)
7.
Step | Command | Remarks
1. system-view (N/A)
2. switchto vd vd-name
3. attack-defense policy policy-number (N/A)
4. (Disabled by default.)
5.
6. (Optional.)
7. (Optional.)
Step | Command | Remarks
1. system-view (N/A)
2. switchto vd vd-name
3. attack-defense policy policy-number (N/A)
4. (Disabled by default.)
(Optional.)
5.
6. (Optional.)
7.
Step | Command | Remarks
1. system-view (N/A)
2. switchto vd vd-name
3. attack-defense policy policy-number (N/A)
4. (Disabled by default.)
5.
6. (Optional.)
(Optional.)
Step | Command | Remarks
1. system-view (N/A)
2. switchto vd vd-name
3. (N/A)
4. (By default, no attack protection policy is applied to any security zone.)
To configure a TCP proxy:
Step | Command | Remarks
1. system-view (N/A)
2. Unidirectional mode: tcp-proxy mode unidirection. Bidirectional mode: undo tcp-proxy mode unidirection (Optional.)
3. switchto vd vd-name
4. Configure an IP address protected by TCP proxy: tcp-proxy protected-ip destination-ip-address [ port-number | port any ] (Optional.)
5. (N/A)
6. tcp-proxy enable
To configure the blacklist function:
Step | Command | Remarks
1. system-view (N/A)
2. switchto vd vd-name
3. blacklist enable (Disabled by default.)
4. blacklist ip source-ip-address [ timeout minutes ] (Optional.)
You can add blacklist entries manually, or configure the device to automatically add the IP addresses of
detected scanning attackers to the blacklist. For the latter purpose, enable the blacklist function for the
device, the scanning attack protection function, and the blacklist function for scanning attack protection.
The blacklist entries added by the scanning attack protection function will be aged after the aging time,
which is configurable. For the configuration of scanning attack protection, see "Configuring a scanning
attack protection policy."
To enable the traffic statistics function:
Step | Command | Remarks
1. system-view (N/A)
2. switchto vd vd-name
3. (N/A)
4. flow-statistics enable { destination-ip | inbound | outbound | source-ip } (Disabled by default.)
Configuration procedure
# Specify IP address for interfaces and add them into security zones. (Details not shown.)
# Enable blacklist function.
<Firewall> system-view
[Firewall] blacklist enable
# Set the connection rate threshold that triggers scanning attack protection to 4500 connections per
second.
[Firewall-attack-defense-policy-1] defense scan max-rate 4500
# Configure SYN flood attack protection for the internal server 10.1.1.2, and set the action threshold to 5000 and silence threshold to 1000.
[Firewall-attack-defense-policy-2] defense syn-flood ip 10.1.1.2 rate-threshold high 5000 low 1000
# Configure the policy to drop the subsequent packets after a SYN flood attack is detected.
[Firewall-attack-defense-policy-2] defense syn-flood action drop-packet
[Firewall-attack-defense-policy-2] quit
Configuration procedure
# Specify IP addresses for interfaces and add them into security zones. (Details not shown.)
# Enable the blacklist function.
<Firewall> system-view
[Firewall] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
[Firewall] blacklist ip 5.5.5.5
# Add Host C's IP address 192.168.1.4 to the blacklist and configure the aging time as 50 minutes.
[Firewall] blacklist ip 192.168.1.4 timeout 50
: enabled
Blacklist items : 2
------------------------------------------------------------------------------
IP             Type    Aging started    Aging finished    Dropped packets
192.168.1.4
Always drop packets from Host D unless you delete Host D's IP address from the blacklist by using the undo blacklist ip 5.5.5.5 command.
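The behaviour described for this example (a permanent entry for Host D, a 50-minute entry for Host C, and automatic entries added by scanning attack protection once a source exceeds the connection-rate threshold) is modelled in the following Python code. It is an added example, not the firewall's implementation: the Blacklist class, its aging time of 10 minutes for auto entries, the per-second connection counting, and the timestamps are assumptions; the addresses, the 50-minute hold time and the 4500 connections/second threshold come from the configuration above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    ip: str
    add_method: str              # "manual" or "auto" (added by scanning attack protection)
    start: float                 # time the entry was added, in seconds
    hold_minutes: Optional[int]  # None = permanent entry
    dropped: int = 0             # packets dropped because of this entry

    def expired(self, now: float) -> bool:
        return self.hold_minutes is not None and now >= self.start + self.hold_minutes * 60


class Blacklist:
    """Blacklist with manual and auto entries, aging, and scanning-attack auto-add."""

    def __init__(self, scan_max_rate: int = 4500, auto_hold_minutes: int = 10) -> None:
        self.enabled = False
        self.entries: Dict[str, Entry] = {}
        self.scan_max_rate = scan_max_rate          # new connections per second per source
        self.auto_hold_minutes = auto_hold_minutes  # assumed aging time for auto entries
        self._conns: Dict[Tuple[str, int], int] = {}  # (source ip, whole second) -> count

    def add(self, ip: str, now: float, hold_minutes: Optional[int] = None,
            add_method: str = "manual") -> Entry:
        """Add or modify an entry. A manual change to an auto entry makes it a manual one."""
        self.entries[ip] = Entry(ip, add_method, now, hold_minutes)
        return self.entries[ip]

    def remove(self, ip: str) -> None:
        self.entries.pop(ip, None)

    def note_new_connection(self, src_ip: str, now: float) -> bool:
        """Scanning detection: blacklist a source whose per-second connection rate
        exceeds the threshold. Returns True when an auto entry was just added."""
        key = (src_ip, int(now))
        self._conns[key] = self._conns.get(key, 0) + 1
        if self._conns[key] > self.scan_max_rate and src_ip not in self.entries:
            self.add(src_ip, now, self.auto_hold_minutes, add_method="auto")
            return True
        return False

    def permit(self, src_ip: str, now: float) -> bool:
        """Return True if a packet from src_ip is forwarded, False if dropped."""
        if not self.enabled:
            return True
        entry = self.entries.get(src_ip)
        if entry is None:
            return True
        if entry.expired(now):          # aged out: remove it and forward normally
            del self.entries[src_ip]
            return True
        entry.dropped += 1
        return False

    def snapshot(self) -> List[Tuple[str, str, Optional[int], int]]:
        """(IP, add method, hold time in minutes, dropped count), like the blacklist view."""
        return [(e.ip, e.add_method, e.hold_minutes, e.dropped) for e in self.entries.values()]


def demo() -> Blacklist:
    """Reproduce the example above: Host D blocked permanently, Host C for 50 minutes."""
    bl = Blacklist()
    bl.enabled = True                                 # blacklist enable
    bl.add("5.5.5.5", now=0.0)                        # blacklist ip 5.5.5.5
    bl.add("192.168.1.4", now=0.0, hold_minutes=50)   # blacklist ip 192.168.1.4 timeout 50
    return bl
```

Expiry is checked lazily in permit(), so an entry whose hold time has passed is removed the first time traffic from that source is seen again, which matches the "after 50 minutes, the firewall forwards packets from Host C normally" behaviour.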
Configuration procedure
# Specify IP addresses to interfaces and add them into security zones. (Details not shown.)
# Create attack protection policy 1.
<Firewall> system-view
[Firewall] attack-defense policy 1
# Set the global action threshold that triggers UDP flood attack protection to 100 packets per second.
[Firewall-attack-defense-policy-1] defense udp-flood rate-threshold high 100
# Configure the policy to drop the subsequent packets after a UDP flood attack is detected.
[Firewall-attack-defense-policy-1] defense udp-flood action drop-packet
[Firewall-attack-defense-policy-1] quit
# Enable the traffic statistics function for packets sourced from security zone trust.
[Firewall-zone-trust] flow-statistic enable outbound
: 10.1.1.2
: 13676
: 2735/s
TCP sessions : 0 : 0 : 0 : 0/s
UDP sessions : 13676 : 2735/s
ICMP sessions : 0 : 0/s
RAWIP sessions : 0 : 0/s
: 0 : 0 : 194 : 12264 : 0 : 0 : 0 : 0
: Trust
------------------------------------------------------------
: 13676
: 2735/s
TCP sessions : 0 : 0 : 0 : 0/s
UDP sessions : 13676 : 2735/s
ICMP sessions : 0 : 0/s
RAWIP sessions : 0 : 0/s
The output shows that in security zone trust, a large number of UDP packets are destined for 10.1.1.2, and
the session establishment rate has exceeded the specified threshold. Therefore, you can determine that
the server is under a UDP flood attack. You can use the display attack-defense statistics command to
view the related statistics collected after the UDP flood protection function takes effect.
Network diagram (labels recovered from the figure): Firewall, with GE0/1 192.168.1.1/16 in security zone Trust towards Server B and Server C, and GE0/2 202.1.0.1/16 in security zone Untrust towards the Internet.
Configuration procedure
# Specify IP addresses for interfaces and add them into security zones. (Details not shown.)
<Firewall> system-view
# Configure the operating mode of TCP Proxy as bidirectional.
[Firewall] undo tcp-proxy mode unidirection
# Configure TCP proxy for IP address 192.168.1.10 and port number 21.
[Firewall] tcp-proxy protected-ip 192.168.1.10 21
# Create attack protection policy 1.
[Firewall] attack-defense policy 1
# Set the global action threshold for SYN flood attack protection to 100 packets per second.
[Firewall-attack-defense-policy-1] defense syn-flood rate-threshold high 100
# Configure the device to use the TCP proxy for subsequent packets after a SYN flood attack is detected.
[Firewall-attack-defense-policy-1] defense syn-flood action trigger-tcp-proxy
[Firewall-attack-defense-policy-1] quit
IP address      Port number    Type       Lifetime(min)    Rejected packets
192.168.1.10    21             Static     20
192.168.1.11    any            Dynamic    30
The output shows that Server A's IP address is a static entry and a dynamic entry has been added for the attacked server.
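The flood protection used in the three examples above (defense syn-flood ... rate-threshold high 5000 low 1000 with drop-packet, defense udp-flood rate-threshold high 100, and the global SYN flood threshold of 100 with trigger-tcp-proxy) shares one mechanism: an action threshold that starts protection and a silence threshold that ends it, applied per destination with a global fallback. The Python code below is an added example, not H3C code or this guide's configuration: the classes, the rate samples and the assumption that a missing silence threshold equals the action threshold are this example's own; the threshold values and action names are those used in the examples.

```python
from typing import Dict, List, Optional


class FloodGuard:
    """One protected destination: the action threshold (rate-threshold high) starts
    protection and the silence threshold (rate-threshold low) ends it."""

    def __init__(self, high: int, low: Optional[int] = None, action: str = "drop-packet") -> None:
        self.high = high
        # Assumption of this example: with no silence threshold configured,
        # protection ends as soon as the rate falls below the action threshold.
        self.low = high if low is None else low
        self.action = action          # "drop-packet" or "trigger-tcp-proxy"
        self.protecting = False

    def update(self, rate: int) -> str:
        """Feed one per-second rate sample; return the treatment of that second's new flows."""
        if not self.protecting and rate > self.high:
            self.protecting = True
        elif self.protecting and rate < self.low:
            self.protecting = False
        return self.action if self.protecting else "forward"


class FloodPolicy:
    """Global thresholds with per-IP overrides, like defense syn-flood [ip ...] rate-threshold."""

    def __init__(self, global_high: int, global_low: Optional[int] = None,
                 action: str = "drop-packet") -> None:
        self.global_high, self.global_low, self.action = global_high, global_low, action
        self.guards: Dict[str, FloodGuard] = {}

    def protect_ip(self, ip: str, high: int, low: Optional[int] = None) -> None:
        """Per-destination thresholds, like defense syn-flood ip <addr> rate-threshold."""
        self.guards[ip] = FloodGuard(high, low, self.action)

    def update(self, dst_ip: str, rate: int) -> str:
        guard = self.guards.get(dst_ip)
        if guard is None:  # no per-IP setting: fall back to the global thresholds
            guard = self.guards[dst_ip] = FloodGuard(self.global_high, self.global_low, self.action)
        return guard.update(rate)


def run(policy: FloodPolicy, dst_ip: str, rates: List[int])  -> List[str]:
    """Apply a sequence of per-second rates and collect the treatment decided for each."""
    return [policy.update(dst_ip, r) for r in rates]


def syn_flood_example() -> List[str]:
    """The SYN flood policy above: 10.1.1.2 with high 5000 / low 1000, action drop-packet."""
    policy = FloodPolicy(global_high=100, action="drop-packet")
    policy.protect_ip("10.1.1.2", high=5000, low=1000)
    # Constructed rate samples (new connections per second) towards 10.1.1.2.
    return run(policy, "10.1.1.2", [4000, 5200, 3000, 1500, 900, 800])


def tcp_proxy_example() -> List[str]:
    """The TCP proxy policy above: global high 100 with trigger-tcp-proxy as the action."""
    policy = FloodPolicy(global_high=100, action="trigger-tcp-proxy")
    return run(policy, "192.168.1.11", [50, 150, 120, 99, 40])
```

The gap between the two thresholds is what stops protection from flapping: at 1500 connections/second the server in syn_flood_example() is still protected because the rate has not yet fallen below the silence threshold of 1000.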
Overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP
entries.
Sends a large number of unresolvable IP packets (ARP cannot find MAC addresses for those
packets) to keep the receiving device busy with resolving destination IP addresses until the CPU is
overloaded.
Sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White
Paper.
Task: Remarks
Configuring ARP source suppression (Optional.)
(Optional.)
(Optional. Configure this function on gateways (recommended).)
(Optional.)
(Optional. Configure this function on gateways (recommended).)
The device sends a large number of ARP requests, overloading the target subnets.
The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from such IP packet attacks, you can configure the following features:
ARP source suppression: If the attack packets have the same source address, you can enable the ARP source suppression function and set the maximum number of unresolvable IP packets that a host can send within five seconds. If the threshold is reached, the device stops resolving packets from the host until the five seconds elapse.
ARP black hole routing: You can enable the ARP black hole routing function regardless of whether the attack packets have the same source address. After receiving an unresolvable IP packet, the device creates a black hole route destined for that IP address and drops all the matching packets until the black hole route ages out.
To configure ARP source suppression:
Step | Command | Remarks
1. system-view (N/A)
2. (Disabled by default.)
3. (Optional. 10 by default.)
To configure ARP black hole routing:
Step | Command | Remarks
1. system-view (N/A)
2. (Optional. Disabled by default.)
Command | Remarks
Configuration considerations
If the attack packets have the same source address, you can enable the ARP source suppression function as follows:
1. Enable ARP source suppression.
2. Set the threshold to 100. If the number of unresolvable IP packets received from a host within five seconds exceeds 100, the device stops resolving packets from the host until the five seconds elapse.
If the attack packets have different source addresses, enable the ARP black hole routing function on the firewall.
Configuration procedure
# Enable ARP source suppression and set the threshold to 100.
<Firewall> system-view
[Firewall] arp source-suppression enable
[Firewall] arp source-suppression limit 100
Hardware: Supported
F1000-A-EI/F1000-E-SI/F1000-S-AI: Yes
F1000-E: No
F1000-S-EI: Yes
F100-C-G/F100-S-G: Yes
F100-M-G/F100-A-G/F100-E-G: Yes
F5000-A5: No
Firewall module: No
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: Yes
This feature checks the number of ARP packets received from the same MAC address within five seconds against a specific threshold. If the threshold is exceeded, the device adds the MAC address to an ARP attack entry.
Before the entry is aged out, the device handles the attack by using either of the following methods:
Filter: Generates log messages and filters out subsequent ARP packets from that MAC address.
After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry are processed normally.
You can exclude the MAC addresses of some gateways and servers from detection. This feature does not inspect ARP packets from those devices even if they are attackers.
To configure source MAC address based ARP attack detection:
Step | Command | Remarks
1. system-view (N/A)
2. (Disabled by default.)
3. (Optional.)
4. (Optional.)
5. (50 by default. 300 seconds by default. Optional. No MAC address is excluded by default.)
Command | Remarks
(Available in any view.)
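ARP source suppression (earlier in this chapter) and source MAC address based ARP attack detection (above) both count events per source inside a fixed five-second window and act once a threshold is passed. The Python code below is an added example, not the device's implementation, modelling both with one shared window counter: the limit of 10, the threshold of 50 and the 300-second aging time are the guide's defaults, the "filter" handling method is the one shown on the page, and the addresses and timestamps are constructed.

```python
from typing import Dict, List, Set, Tuple

WINDOW = 5.0  # both features count within a fixed five-second window


class WindowCounter:
    """Counts events per key within consecutive fixed windows of WINDOW seconds."""

    def __init__(self) -> None:
        self._count: Dict[str, Tuple[int, int]] = {}  # key -> (window index, count)

    def hit(self, key: str, now: float) -> int:
        """Record one event for key at time now; return the count in the current window."""
        win = int(now // WINDOW)
        idx, n = self._count.get(key, (win, 0))
        if idx != win:            # a new window started: counting restarts from zero
            idx, n = win, 0
        n += 1
        self._count[key] = (idx, n)
        return n


class ArpSourceSuppression:
    """arp source-suppression: stop resolving for a source IP once its unresolvable
    IP packets in the current five-second window exceed the limit (guide default 10)."""

    def __init__(self, limit: int = 10) -> None:
        self.limit = limit
        self._ctr = WindowCounter()

    def unresolvable(self, src_ip: str, now: float) -> bool:
        """Called per unresolvable IP packet; True if the device should still try to resolve it."""
        return self._ctr.hit(src_ip, now) <= self.limit


class ArpSourceMacDetection:
    """Source MAC address based ARP attack detection with the 'filter' handling method:
    more than threshold ARP packets from one MAC within five seconds create an attack
    entry that filters that MAC until the entry ages out (guide default 300 seconds)."""

    def __init__(self, threshold: int = 50, aging_seconds: int = 300,
                 exclude: Set[str] = frozenset()) -> None:
        self.threshold, self.aging = threshold, aging_seconds
        self.exclude = set(exclude)                    # gateways/servers never inspected
        self._ctr = WindowCounter()
        self.attack_entries: Dict[str, float] = {}     # mac -> expiry time
        self.log: List[str] = []

    def arp_packet(self, src_mac: str, now: float) -> bool:
        """Return True if the ARP packet is processed, False if it is filtered out."""
        if src_mac in self.exclude:
            return True
        expiry = self.attack_entries.get(src_mac)
        if expiry is not None:
            if now < expiry:
                return False
            del self.attack_entries[src_mac]          # entry aged out, processing resumes
        if self._ctr.hit(src_mac, now) > self.threshold:
            self.attack_entries[src_mac] = now + self.aging
            self.log.append(f"ARP attack detected from {src_mac} at t={now:.0f}s")
            return False
        return True
```

Both classes restart their count when a new five-second window begins rather than sliding, which is the simplest reading of "within five seconds" on this page; a real implementation may use a sliding window, and the observable difference is only at window boundaries.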
Network diagram (labels recovered from the figure): an IP network with Host A, Host B, Host C, and Host D.
Configuration considerations
An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway as follows:
1. Enable source MAC address based ARP attack detection and specify the handling method.
2.
3.
4.
Configuration procedure
# Enable source MAC address based ARP attack detection and specify the handling method.
<Firewall> system-view
[Firewall] arp source-mac filter
Hardware: Supported
F1000-A-EI/F1000-E-SI/F1000-S-AI: Yes
F1000-E: No
F1000-S-EI: Yes
F100-C-G/F100-S-G: Yes
F100-M-G/F100-A-G/F100-E-G: Yes
F5000-A5: No
Firewall module: No
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: Yes
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet
header is different from the sender MAC address in the message body, so that the gateway can learn
correct ARP entries.
To enable ARP packet source MAC address consistency check:
Step | Command | Remarks
1. system-view (N/A)
2. (Disabled by default.)
Hardware: Supported
F1000-A-EI/F1000-E-SI/F1000-S-AI: Yes
F1000-E: No
F1000-S-EI: Yes
F100-C-G/F100-S-G: Yes
F100-M-G/F100-A-G/F100-E-G: Yes
F5000-A5: No
Firewall module: No
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: Yes
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries. For more
information about its working mechanism, see ARP Attack Protection Technology White Paper.
To configure ARP active acknowledgement:
Step | Command | Remarks
1. system-view (N/A)
2. (Disabled by default.)
Prevent the virtual IP address of a VRRP group from being used by a host.
The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the
local network, so that the hosts can update local ARP entries and avoid using the virtual IP address
of the VRRP group.
If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender
MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. If the
virtual IP address of the VRRP group is associated with the real MAC address of an interface, the
sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the
master router in the VRRP group.
Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured.
In VRRP configuration, if ambiguous VLAN termination is configured for many VLANs and VRRP
groups, interfaces configured with VLAN termination need to be disabled from transmitting
broadcast/multicast packets and a VRRP control VLAN needs to be configured so that VRRP
advertisements can be transmitted within the control VLAN only. In such cases, you can enable
periodic sending of gratuitous ARP packets containing the VRRP virtual IP address, and the primary
IP address or a manually configured secondary IP address of the sending interface on the
subinterfaces. In this way, when a VRRP failover occurs, devices in the VLANs having ambiguous
VLAN termination configured can use the gratuitous ARP packets to update their corresponding
MAC entries in time.
For more information about VRRP, see High Availability Web-based Configuration Guide.
You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface
goes up and an IP address has been assigned to the interface.
If you change the interval for sending gratuitous ARP packets, the configuration is effective at the
next sending interval.
The frequency of sending gratuitous ARP packets may be much lower than the sending interval set
by the user if this function is enabled on multiple interfaces, if each interface is configured with
multiple secondary IP addresses, or if a small sending interval is configured when the previous two
conditions exist.
1. From the navigation tree, select Firewall > ARP Anti-Attack > Send Gratuitous ARP to enter the Send Gratuitous ARP page.
2. Specify an interface and an interval for periodically sending gratuitous ARP packets.
Select an interface from the Standby Interface list, set its sending interval, and then click << to add it to the Sending Interface list box.
To delete the combination of an interface and its sending interval, select it from the Sending Interface list and click >>.
3. Click Apply.
Hardware: Supported
F1000-A-EI/F1000-E-SI/F1000-S-AI: Yes
F1000-E: No
F1000-S-EI: Yes
F100-C-G/F100-S-G: Yes
F100-M-G/F100-A-G/F100-E-G: Yes
F5000-A5: No
Firewall module: No
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: Yes
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user
spoofing and gateway spoofing attacks.
ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding
functions.
Step | Command | Remarks
1. system-view (N/A)
2.
3. vlan vlan-id (N/A)
4.
5. quit (N/A)
(Optional. By default, no rule is configured.)
6. interface interface-type interface-number (N/A)
7. (Optional. By default, an interface is untrusted.)
src-mac: Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.
dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip: Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded.
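The three checks as code: the following Python is an added example, not the device's implementation, that builds constructed Ethernet/ARP frames and applies the src-mac, dst-mac and ip checks exactly as the list above states them. The src-mac comparison is also the one the gateway's ARP packet source MAC address consistency check (earlier in this chapter) performs. The frame layout is the standard ARP-over-Ethernet format; the MAC and IP addresses are constructed.

```python
import struct
from typing import Optional, Sequence

ETHERTYPE_ARP = b"\x08\x06"
ZERO_MAC, BCAST_MAC = b"\x00" * 6, b"\xff" * 6
ZERO_IP, BCAST_IP = b"\x00" * 4, b"\xff" * 4


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(eth_dst: str, eth_src: str, oper: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet frame carrying an ARP message (oper 1 = request, 2 = reply)."""
    return (_mac(eth_dst) + _mac(eth_src) + ETHERTYPE_ARP
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # Ethernet/IPv4 types and lengths
            + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))


def check_arp(frame: bytes, checks: Sequence[str] = ("src-mac", "dst-mac", "ip")) -> Optional[str]:
    """Apply the selected validity checks; return the name of the first failing check, or None."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return "not-arp"
    eth_dst, eth_src = frame[0:6], frame[6:12]
    oper = struct.unpack("!H", frame[20:22])[0]
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    is_reply = oper == 2

    # src-mac: the sender MAC in the message body must equal the Ethernet source MAC.
    if "src-mac" in checks and sha != eth_src:
        return "src-mac"
    # dst-mac: for replies, the target MAC must be neither all-zero nor all-one and
    # must match the Ethernet destination MAC.
    if "dst-mac" in checks and is_reply and (tha in (ZERO_MAC, BCAST_MAC) or tha != eth_dst):
        return "dst-mac"
    # ip: sender and target IP of replies, sender IP of requests; all-zero, all-one
    # and multicast (224.0.0.0/4) addresses are invalid.
    if "ip" in checks:
        for addr in ([spa, tpa] if is_reply else [spa]):
            if addr in (ZERO_IP, BCAST_IP) or (addr[0] & 0xF0) == 0xE0:
                return "ip"
    return None


# Constructed frames: gateway 00:0a:0b:0c:0d:01 / 10.0.0.1, host 00:0a:0b:0c:0d:02 / 10.0.0.2.
GW, HOST = "00:0a:0b:0c:0d:01", "00:0a:0b:0c:0d:02"
VALID_REPLY = build_arp(GW, HOST, 2, HOST, "10.0.0.2", GW, "10.0.0.1")
FORGED_SENDER = build_arp(GW, HOST, 2, "00:0a:0b:0c:0d:99", "10.0.0.2", GW, "10.0.0.1")
ZERO_TARGET = build_arp(GW, HOST, 2, HOST, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1")
BAD_IP_REQUEST = build_arp("ff:ff:ff:ff:ff:ff", HOST, 1, HOST, "0.0.0.0",
                           "00:00:00:00:00:00", "10.0.0.1")
```

Note the ip check's effect on legitimate traffic: an ARP probe used for duplicate address detection carries a sender IP of 0.0.0.0 and is discarded by this check, so enabling it on an access VLAN should be weighed against hosts that rely on such probes.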
Step | Command | Remarks
1. system-view (N/A)
2. vlan vlan-id (N/A)
3.
4. quit (N/A)
5.
6. interface interface-type interface-number (N/A)
7. (Optional. By default, an interface is untrusted.)
If the packets are ARP requests, they are forwarded through the trusted interface.
If the packets are ARP replies, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted interface.
Step | Command | Remarks
1. system-view (N/A)
2. vlan vlan-id (N/A)
3.
Command | Remarks
Configuration guidelines
Follow these guidelines when you configure ARP automatic scanning and fixed ARP:
With ARP automatic scanning enabled on an interface, the device automatically scans neighbors
on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates
dynamic ARP entries.
Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated
through ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents
ARP entries from being modified by attackers.
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually
configured static ARP entries.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of
static ARP entries that the device supports. As a result, the device may fail to change all dynamic
ARP entries into static ARP entries.
The fixing process may take some time, during which some dynamic entries may be added or be
aged out. The newly added dynamic entries are fixed and the aged ones are not.
Use both ARP automatic scanning and fixed ARP in small-scale networks such as a cybercafe.
1. From the navigation tree, select Firewall > ARP Anti-Attack > Scan. The ARP scanning configuration page appears.
2.
3.
Item: Description
Interface
Start IP Address / End IP Address: Specify the start and end IP addresses of the IP address range for ARP automatic scanning. To reduce the scanning time, you can specify the IP address range for scanning if you know the IP address range assigned to the neighbors in a LAN. The specified start and end IP addresses must be in the same network segment as the primary IP address or a manually configured secondary IP address of the interface. If the specified address range covers multiple network segments of the interface, the source IP address in the ARP request is the interface address on the smallest network segment.
IMPORTANT: Specify the start and end IP addresses in pairs. When neither is specified, the device scans only the network segment of the primary IP address of the interface for neighbors, and the source IP address of the sent ARP request is the primary IP address of the interface. The start and end IP addresses must be in the same network segment as the primary IP address or a manually configured secondary IP address of the interface, and the start IP address must be lower than or equal to the end IP address.
Set whether to scan the IP addresses of the existing dynamic ARP entries.
1. From the navigation tree, select Firewall > ARP Anti-Attack > Fix. The fixed ARP page appears. The page lists all static ARP entries, including manually configured ones and fixed ones, and all dynamic ARP entries.
2. Click Fix All to convert all dynamic ARP entries to static ones.
3.
4. Select the box before dynamic ARP entries, and click Fix to convert the selected ARP entries to static ARP entries.
5. Select the box before static ARP entries, and click Del Fixed to delete the selected static ARP entries. If you select a dynamic one and click Del Fixed, the entry is not deleted.
ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic
ARP entries are created based on ARP replies received before the scan is terminated.
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually
configured static ARP entries.
Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You
can use this command again to change the dynamic ARP entries learned later into static ARP
entries.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of
static ARP entries that the device supports. As a result, the device may fail to change all dynamic
ARP entries into static ARP entries.
To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address
[ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset
arp static command.
Configuration procedure
To configure ARP automatic scanning and fixed ARP:
Step | Command
1. system-view
2.
3.
4. quit
5. arp fixup
Overview
Attackers can attack the device during the process of TCP connection establishment. To prevent such attacks, the device provides the following features:
SYN Cookie
This chapter describes the attacks that these features can prevent, the working mechanisms of these features, and the configuration procedures.
1. The originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server establishes a TCP connection in SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3. After receiving the SYN ACK message, the originator returns an ACK message, establishing the TCP connection.
Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number of SYN messages to the server to establish TCP connections, but never respond to the SYN ACK messages. As a result, a large number of incomplete TCP connections are established, resulting in heavy resource consumption and making the server unable to handle services normally.
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the server directly returns a SYN ACK message instead of establishing an incomplete TCP connection. Only after receiving an ACK message from the client does the server establish a connection and enter the ESTABLISHED state. In this way, incomplete TCP connections are avoided, protecting the server against SYN Flood attacks.
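How a server can answer a SYN without storing a half-open connection is clearer in code. The Python below is an added example, not the device's SYN Cookie implementation: it uses the common layout of a time counter, an MSS index and a keyed hash packed into the SYN ACK's sequence number, and accepts the final ACK only if ack-1 is a valid, recent cookie for the same 4-tuple. The secret, the 64-second counter period, the MSS table and the addresses are assumptions of this example; that only the MSS survives the exchange matches the note later in this section.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

SECRET = b"constructed-secret-for-this-example"  # assumption: server-side key, rotated in practice
MSS_TABLE = (536, 1220, 1440, 1460)              # MSS values a cookie can encode (3 bits)
COUNTER_PERIOD = 64                              # seconds per time-counter tick (assumption)


def _mac24(src: str, sport: int, dst: str, dport: int, count: int, mss_idx: int) -> int:
    """24-bit keyed hash over the connection 4-tuple, the time counter and the MSS index."""
    msg = f"{src}:{sport}>{dst}:{dport}|{count}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src: str, sport: int, dst: str, dport: int, mss: int, now: float) -> int:
    """Pack counter (5 bits), MSS index (3 bits) and hash (24 bits) into a 32-bit ISN."""
    count = int(now // COUNTER_PERIOD) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (count << 27) | (mss_idx << 24) | _mac24(src, sport, dst, dport, count, mss_idx)


def check_cookie(cookie: int, src: str, sport: int, dst: str, dport: int,
                 now: float, max_age: int = 4) -> Optional[int]:
    """Return the MSS encoded in a fresh, authentic cookie, or None if it must be rejected."""
    count = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x7
    age = (int(now // COUNTER_PERIOD) - count) & 0x1F   # ticks elapsed, modulo the counter size
    if age > max_age or mss_idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _mac24(src, sport, dst, dport, count, mss_idx):
        return None
    return MSS_TABLE[mss_idx]


class SynCookieServer:
    """Server side of the handshake that keeps no half-open state: the SYN ACK's
    sequence number is the cookie, and the final ACK is verified against it."""

    def __init__(self, ip: str, port: int) -> None:
        self.ip, self.port = ip, port
        self.half_open = 0                                   # stays 0 by construction
        self.established: List[Tuple[str, int, int]] = []   # (client ip, client port, mss)

    def on_syn(self, src: str, sport: int, client_seq: int, mss: int, now: float) -> Dict[str, int]:
        """Answer a SYN with a SYN ACK whose seq is the cookie; nothing is stored."""
        cookie = make_cookie(src, sport, self.ip, self.port, mss, now)
        return {"seq": cookie, "ack": (client_seq + 1) & 0xFFFFFFFF}

    def on_ack(self, src: str, sport: int, ack: int, now: float) -> bool:
        """Establish the connection only if ack-1 is a valid cookie for this 4-tuple."""
        mss = check_cookie((ack - 1) & 0xFFFFFFFF, src, sport, self.ip, self.port, now)
        if mss is None:
            return False
        self.established.append((src, sport, mss))
        return True
```

Because on_syn() stores nothing, a flood of SYNs costs the server one hash per packet and no memory; the price is that options other than the MSS cannot be recovered from the ACK, which is why the section notes that the window scale factor and timestamp are not negotiated under SYN Cookie.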
To enable the SYN Cookie feature:
Step | Command | Remarks
1. system-view (N/A)
2. (Enabled by default.)
If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. If you then disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically becomes effective again. For more information about MD5 authentication, see Network Management Configuration Guide.
With the SYN Cookie feature enabled, only the maximum segment size (MSS) is negotiated during TCP connection establishment; the window scale factor and timestamp options are not.
Step | Command | Remarks
1. system-view (N/A)
2. (Disabled by default.)
(Optional.)
3.
4. (5 by default. If the maximum number of TCP connections in a state is 0, the aging of TCP connections in this state is not accelerated.)
(Optional. 30 seconds by default.)
Command | Remarks
Hardware: Supported
F1000-A-EI/F1000-E-SI/F1000-S-AI: Yes
F1000-E: Yes
F1000-S-EI: Yes
F100-C-G/F100-S-G: No
F100-M-G/F100-A-G/F100-E-G: Yes
F5000-A5: Yes
Firewall module: Yes
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: No
Overview
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor
reachability detection, duplicate address detection, router/prefix discovery and address
autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can
easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
The ND protocol implements its function by using five types of ICMPv6 messages:
Redirect (RR)
An attacker can attack a network by sending forged ICMPv6 messages, as shown in Figure 29:
Sending forged NS/NA/RS packets with the IPv6 address of a victim host. The gateway and other
hosts update the ND entry for the victim host with incorrect address information. As a result, all
packets intended for the victim host are sent to the attacking host.
Sending forged RA packets with the IPv6 address of a victim gateway. As a result, all hosts attached
to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
The Ethernet frame header and the source link layer address option of the ND packet contain
different source MAC addresses.
The mapping between the source IPv6 address and the source MAC address in the Ethernet frame
header is invalid.
To identify forged ND packets, H3C developed the source MAC consistency check feature.
For more information about the five functions of the ND protocol, see Network Management
Configuration Guide.
Step | Command | Remarks
1. system-view (N/A)
2. (Disabled by default.)
Configuring firewall
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
Overview
A firewall blocks unauthorized Internet access to a protected network while allowing internal network
users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used
to control access to the Internet, for example, to permit only specific hosts within the organization to
access the Internet. Many of today's firewalls offer additional features, such as identity authentication
and encryption.
Another application of a firewall is to protect the mainframe and important resources (such as data) on
internal networks. Any access to protected data is filtered by the firewall, even if the access is initiated by
a user within the internal network.
A packet-filter firewall examines the header fields of each packet, such as the source address and the
destination address, compares this header information against the preset ACL rules, and processes the
packet based on the comparison result.
IPv4 packet-filter firewalls are configured mainly through interzone policy and interzone policy group
configurations. For more information about interzone policies and interzone policy groups, see Access
Control Configuration Guide. This chapter mainly describes the IPv6 packet-filter firewall configuration.
Packet filtering has the following limitations:
For multi-channel application layer protocols, such as FTP and H.323, the values of some security
policy parameters are unpredictable.
Some attacks from the transport layer and application layer, such as TCP SYN flooding, cannot be
detected.
ICMP attacks cannot be prevented because not all faked ICMP error messages from the network
can be recognized.
For a TCP connection, the first packet must be a SYN packet. Any non-SYN packet that is the first
packet over the TCP connection is dropped. If a packet-filter firewall is deployed in a network, the
non-SYN packets of existing TCP connections passing the firewall for the first time are dropped,
breaking the existing TCP connections.
ASPF
Application Specific Packet Filter (ASPF) was proposed to address the issues that a static firewall cannot
solve. An ASPF implements application layer and transport layer, that is, status-based, packet filtering.
An ASPF can detect application layer protocols including FTP, GTP, HTTP, SMTP, Real RTSP, SCCP, SIP,
H.323 (Q.931, H.245, and RTP/RTCP), and the transport layer protocols TCP and UDP.
ASPF functions
An ASPF provides the following main functions:
Application layer protocol inspection: ASPF checks the application layer information of packets,
such as the protocol type and port number, and monitors the application layer protocol status for
each connection. ASPF maintains the status information of each connection and, based on that
status information, determines whether to permit a packet to pass through the firewall into the
internal network, thus defending the internal network against attacks.
Transport layer protocol inspection (generic TCP and UDP inspection): ASPF checks a TCP/UDP
packet's source and destination addresses and port numbers to determine whether to permit the
packet to pass through the firewall into the internal network.
Enhanced session logging: ASPF can record the information of each connection, including the
duration, source and destination addresses and port numbers of the connection, and the number of
bytes transmitted.
Port to Application Mapping (PAM): Allows you to specify port numbers other than the standard
ones for application layer protocols.
ICMP error message inspection: ASPF checks the connection information carried in an ICMP error
message. If the information does not match an existing connection, the ASPF processes the packet as
configured, for example, it discards the packet.
First packet inspection for TCP connections: ASPF checks the first packet over a TCP connection. If
the first packet over a TCP connection is not a SYN packet, the ASPF discards the packet.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide the
network with a security policy that is more comprehensive and better satisfies the actual needs.
PAM
While application layer protocols use the standard port numbers for communication, PAM allows
you to define a set of new port numbers for different applications, and provides mechanisms to
maintain and use the configuration information of user-defined ports.
PAM supports two types of port mapping mechanisms: general port mapping and host port
mapping.
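A constructed Python model of the ASPF functions listed above (first packet inspection for TCP, generic TCP/UDP session matching, ICMP error message inspection, PAM and session logging); it is an added example, not the device's implementation. The Packet and Aspf classes, the STANDARD_PORTS table and the rule that a user-defined port mapping overrides the standard port are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Standard ports of some application layer protocols ASPF inspects (subset, assumed for the demo).
STANDARD_PORTS = {21: "ftp", 25: "smtp", 80: "http", 554: "rtsp"}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp-error"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # TCP SYN flag
    inner: Optional[Tuple[str, str, int, str, int]] = None  # header embedded in an ICMP error


class Aspf:
    """Session table plus the inspection rules; outbound = from the protected network."""

    def __init__(self):
        self.pam = {}        # general port mapping: port -> application (the port-mapping command)
        self.sessions = {}   # 5-tuple of the initiating direction -> application name
        self.log = []        # enhanced session logging

    def port_mapping(self, application, port):
        self.pam[port] = application

    def application_for(self, port):
        # Assumption: a user-defined mapping takes precedence over the standard port table.
        return self.pam.get(port, STANDARD_PORTS.get(port, "tcp/udp"))

    @staticmethod
    def _key(proto, src, sport, dst, dport):
        return (proto, src, sport, dst, dport)

    def outbound(self, pkt):
        """Create a session for a new flow, or match an existing one; returns True if permitted."""
        key = self._key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return True
        if pkt.proto == "tcp" and not pkt.syn:
            # First packet inspection: the first packet of a TCP connection must be a SYN.
            self.log.append(f"drop: first packet of {key} is not SYN")
            return False
        self.sessions[key] = self.application_for(pkt.dport)
        self.log.append(f"session {key} application={self.sessions[key]}")
        return True

    def inbound(self, pkt):
        """Permit only return traffic of a known session or an ICMP error that matches one."""
        if pkt.proto == "icmp-error":
            # ICMP error inspection: the embedded header must describe an existing session.
            ok = pkt.inner is not None and self._key(*pkt.inner) in self.sessions
            if not ok:
                self.log.append("drop: ICMP error does not match any session")
            return ok
        reverse = self._key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return True
        self.log.append(f"drop: unsolicited inbound packet for {reverse}")
        return False


if __name__ == "__main__":
    aspf = Aspf()
    aspf.port_mapping("ftp", 2121)  # PAM: FTP on a non-standard port
    # Constructed sample flow: non-SYN first packet is dropped, SYN creates an "ftp" session.
    print(aspf.outbound(Packet("tcp", "10.1.1.2", 40000, "203.0.113.5", 2121)))
    print(aspf.outbound(Packet("tcp", "10.1.1.2", 40000, "203.0.113.5", 2121, syn=True)))
    print(aspf.inbound(Packet("tcp", "203.0.113.5", 2121, "10.1.1.2", 40000)))
    print(aspf.log)
```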
[Figure: ASPF deployment with Client B in the protected network, the Router, and a Server on the WAN; return packets of the session are permitted to pass]
ASPF implements the application layer protocol detection function in cooperation with the session
management and ALG features. After detecting the first packet of a session, ASPF matches the packet
with the configured policy and sends the result to the session management feature, which is responsible
for session information database establishment and session status maintenance. Then, the ASPF
processes subsequent packets of the session based on session status information returned by the session
management feature.
For information about session management, see Access Control Configuration Guide. For information
about ALG, see NAT and ALG Configuration Guide.
For multi-channel application layer protocols like FTP and H.323, deploying TCP inspection without
application layer inspection causes data connection establishment to fail.
Feature compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI: Yes
F1000-E: Yes
F1000-S-EI: Yes
F100-C-G/F100-S-G: No
F100-M-G/F100-A-G/F100-E-G: Yes
F5000-A5: Yes
Firewall module: Yes
U200-A/U200-M/U200-CA: Yes
U200-S/U200-CS/U200-CM: No
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
Command
Remarks
system-view
N/A
2. Specify the default filtering action of the firewall. (Optional. The default action is permit, which permits packets to pass the firewall.)
Exact match: Matches all advanced ACL rules. For this reason, you must enable fragment
inspection for the firewall to record the status of the first fragment of each packet and obtain the
match information of the subsequent fragments. The exact match mode is not supported on the
device.
You can neither enable packet filtering on an interface in an aggregation group, nor add an interface
with packet filtering enabled to an aggregation group.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
4.
5. Clear the packet filtering statistics of the IPv6 firewall.
Configuring an ASPF
ASPF can be configured at the CLI and in the Web interface. This section describes only the CLI
configuration for ASPF. For ASPF configuration in the Web interface, see Access Control Configuration
Guide.
Step / Command / Remarks:
1. system-view. N/A.
2. Configure mapping between the port and the application protocol: port-mapping application-name port port-number [ acl acl-number ].
Step
Command
Remarks
1.
system-view
N/A
2.
switchto vd vd-name
3.
N/A
4.
Disabled by default.
For more information about security zones, see Access Control Configuration Guide.
Displaying ASPF
Task
Command
Remarks
Configuration procedure
# Add interface GigabitEthernet 0/1 and GigabitEthernet 0/2 to zone Trust and Untrust, respectively.
<Firewall> system-view
[Firewall] zone name Trust
[Firewall-zone-Trust] import interface gigabitethernet 0/1
[Firewall-zone-Trust] quit
[Firewall] zone name Untrust
[Firewall-zone-Untrust] import interface gigabitethernet 0/2
[Firewall-zone-Untrust] quit
# Create an interzone instance, with the source zone being Trust and the destination zone being Untrust.
[Firewall] interzone source Trust destination Untrust
Uniform Resource Locator (URL) hostname filtering: Checks the hostname in the requested URL of an
HTTP request to block internal users from accessing specific websites.
Header filtering: The header fields in an HTTP response usually contain the type of the current web
page (such as text or image), the content length, basic server information (such as server type
and response time), and the HTTP version. Using header filtering, the device can block HTTP
responses that carry specified information in the header.
Body filtering: Filters the message body in an HTTP packet from a server to a client, which is the
content to be displayed by the browser. In this way, the device can block HTTP packets with
specified body contents, to prevent illegal contents from spreading over the internal network.
URL IP blocking: Blocks all HTTP requests that carry an IP address in the URL, to prevent internal
users from using IP addresses to access websites.
URL parameter filtering: Protects websites against attacks that use URL parameters. For example,
URL parameter filtering matches each HTTP request against the keywords of Structured Query
Language (SQL) statements and other characters that may constitute an SQL statement. If they match,
the device considers the request an SQL injection attack packet and drops it. The device supports
URL parameter filtering of HTTP requests for the Get, Post, or Put operation. Web pages are usually
dynamic and connected with a database. HTTP allows web requests to query or modify data in the
database. This makes it possible for attackers to craft special SQL statements in web requests
to obtain confidential data from the database or to damage the database by repeatedly modifying
database information. Such attacks are known as SQL injection attacks.
ActiveX blocking: Blocks ActiveX plugin requests to untrusted websites, protecting the network
from being attacked by malicious ActiveX plugins.
Java applet blocking: Blocks java applet requests to untrusted websites, protecting the network
from being attacked by malicious java applets.
Sender filtering: Filters sender addresses in SMTP requests, to prevent specified senders from
sending emails.
Receiver filtering: Filters receiver addresses (including recipients and carbon copy (CC) recipients)
in SMTP requests, to prevent internal users from sending emails to the specified receiver
addresses.
Subject filtering: Filters email subjects in SMTP requests, to prevent users from sending emails that
contain specified subject keywords.
Body filtering: Filters email bodies in SMTP requests, to prevent users from sending emails that
contain specified body keywords.
Attachment filtering: Checks the names and contents of the attachments in SMTP requests, to
prevent users from sending emails that carry attachments with specified names or content keywords.
Illegal command blocking: Blocks SMTP requests that carry illegal command words. Legal
command words considered by content filtering include HELO, EHLO, RSET, QUIT, DATA, NOOP,
HELP, EXPN, TURN, VRFY, SOML, SAML, SEND, MAIL, RCPT, and AUTH.
Oversize email blocking: Limits the size of the emails from internal users and blocks oversized
emails.
Sender filtering: Filters sender addresses in POP3 responses, to prevent users from receiving
emails from the specified senders.
Subject filtering: Filters email subjects in POP3 responses, to prevent users from receiving emails
that contain specified subject keywords.
Body filtering: Filters email bodies in POP3 responses, to prevent users from receiving emails that
contain specified body keywords.
Attachment filtering: Checks the names and contents of the attachments in POP3 responses, to
prevent users from receiving emails that carry attachments with specified names or content
keywords.
Command word filtering: Blocks FTP requests that carry the specified command words. FTP
command words refer to the command words carried in the FTP requests rather than the command
words in command lines. They include RETR, STOR, APPE, USER, PASS, PORT, PASV, RNFR, RNTO,
DELE, LIST, and QUIT. For example, to upload a file named 123.txt, you enter the command put 123.txt.
In this case, the FTP command word to be filtered is STOR, not put.
Upload filename filtering: Filters filenames carried in FTP upload requests, to prevent clients from
uploading files with the specified names to the server.
Download filename filtering: Filters filenames carried in FTP download requests, to prevent clients
from downloading files with the specified names from the server.
Configuration guidelines
The caret (^) matches the beginning of the string. It can be used only once in a keyword and
must be at the beginning.
The dollar sign ($) matches the end of the string. It can be used only once in a keyword and
must be at the end.
The ampersand (&) matches a single character other than dot (.) and space. It can be used
multiple times in a keyword, consecutively or non-consecutively. It can appear at any position
of a keyword, but cannot be used next to an asterisk (*).
The asterisk (*) matches any number of characters excluding dot (.). It can be used only once
in a keyword and must be at the beginning or in the middle. It cannot be used at the end or next
to ^ or dollar sign ($).
A keyword with caret (^) at the beginning or dollar sign ($) at the end indicates an exact match.
For example, keyword ^webfilter matches website addresses starting with webfilter (such as
webfilter.com.cn) or containing webfilter at the beginning of a string after a dot (such as
cmm.webfilter-any.com). Keyword ^webfilter$ matches website addresses containing
standalone word webfilter like www.webfilter.com; it does not match website addresses like
www.webfilter-china.com.
A keyword with no wildcard used at the beginning and end indicates a fuzzy match, and
matches website addresses containing the keyword.
A filtering keyword with only numerals is invalid. To filter a website address like www.123.com,
you can define a keyword like ^123$, www.123.com, or 123.com, instead of 123. H3C
recommends that you use exact match to filter such website addresses.
The caret (^) matches the beginning of the string. It can be used only once in a keyword and
must be at the beginning.
The dollar sign ($) matches the end of the string. It can be used only once in a keyword and
must be at the end.
The ampersand (&) matches any single character. It can be used multiple times in a keyword,
consecutively or non-consecutively. It can appear at any position of a keyword, but cannot be
used next to an asterisk (*).
The asterisk (*) matches any string of up to 4 characters, including spaces. It can be used only
once in a keyword and must not be at the beginning or end.
A keyword with caret (^) at the beginning or dollar sign ($) at the end indicates an exact match.
For example, keyword ^webfilter$ matches URLs containing standalone word webfilter, like
www.abc.com/webfilter any; it does not match URLs like www.abc.com/webfilterany.
A keyword with no wildcard used at the beginning and end indicates a fuzzy match, and
matches URLs containing the keyword.
Step
Description
Keyword filtering entries include:
Configuring a keyword
filtering entry
The system provides the following predefined URL parameter filtering keywords:
^select$, ^insert$, ^update$, ^delete$, ^drop$, --, , ^exec$, and %27.
By default, the predefined URL parameter filtering keywords are not used. In this case, you can
define the same URL parameter filtering keywords as the system predefined ones, and these
keywords are still used as user-defined keywords even after you enable the predefined keywords.
Configuring ActiveX
blocking keywords
By default, the following java suffix keywords exist: .class and .jar.
By default, the system has the ActiveX suffix keyword: .ocx.
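An added example, not taken from the guide, that encodes the two wildcard rule sets in "Configuration guidelines" (the hostname rules with the webfilter.com.cn examples, then the URL rules with the www.abc.com/webfilter examples) and applies the predefined URL parameter filtering keywords listed above to a constructed request. The KeywordError class, the "hostname"/"url" mode names, case-insensitive matching and the reading of "standalone word" as "not adjoined by a letter, digit or underscore" are assumptions.

```python
import re

_MODES = {
    # mode: (single-character wildcard &, run wildcard *, start anchor ^, end anchor $)
    # Hostname rules: ^ and $ bind at label boundaries, & excludes dot and space, * excludes dot.
    "hostname": (r"[^. ]", r"[^.]*", r"(?:^|(?<=\.))", r"(?=\.|$)"),
    # URL rules: & is any character, * is up to 4 characters (spaces included); assumption:
    # "standalone word" means not adjoined by a letter, digit or underscore.
    "url": (r".", r".{0,4}", r"(?<![A-Za-z0-9_])", r"(?![A-Za-z0-9_])"),
}


class KeywordError(ValueError):
    """A keyword that breaks the documented wildcard placement rules."""


def validate_keyword(keyword, mode):
    """Apply the placement rules; returns (anchored_start, body, anchored_end)."""
    anchored_start, anchored_end = keyword.startswith("^"), keyword.endswith("$")
    body = keyword[1 if anchored_start else 0:len(keyword) - (1 if anchored_end else 0)]
    if not body:
        raise KeywordError("keyword has no characters besides anchors")
    if "^" in body or "$" in body:
        raise KeywordError("^ is allowed only once at the beginning, $ only once at the end")
    if body.count("*") > 1:
        raise KeywordError("* may appear only once")
    if "&*" in body or "*&" in body:
        raise KeywordError("& may not be adjacent to *")
    if body.endswith("*") or (anchored_start and body.startswith("*")):
        raise KeywordError("* may not be at the end or next to ^ or $")
    if mode == "url" and body.startswith("*"):
        raise KeywordError("in URL keywords * may not be at the beginning")
    if mode == "hostname" and keyword.isdigit():
        raise KeywordError("a keyword consisting only of numerals is invalid")
    return anchored_start, body, anchored_end


def compile_keyword(keyword, mode="hostname"):
    """Translate a filtering keyword into a regular expression (case-insensitive: assumption)."""
    anchored_start, body, anchored_end = validate_keyword(keyword, mode)
    single, run, start, end = _MODES[mode]
    parts = [single if ch == "&" else run if ch == "*" else re.escape(ch) for ch in body]
    pattern = (start if anchored_start else "") + "".join(parts) + (end if anchored_end else "")
    return re.compile(pattern, re.IGNORECASE)


def keyword_matches(keyword, text, mode="hostname"):
    """True if the keyword matches the hostname (or URL string) under that mode's rules."""
    return compile_keyword(keyword, mode).search(text) is not None


# Predefined URL parameter filtering keywords from the guide; one keyword of the printed list
# is illegible in the source and is omitted here.
URL_PARAMETER_KEYWORDS = ("^select$", "^insert$", "^update$", "^delete$", "^drop$", "--",
                          "^exec$", "%27")


def url_parameter_hits(request_target):
    """Predefined keywords found in the query string of a raw (still percent-encoded) request."""
    query = request_target.partition("?")[2]
    return [kw for kw in URL_PARAMETER_KEYWORDS if keyword_matches(kw, query, mode="url")]


if __name__ == "__main__":
    for host in ("webfilter.com.cn", "cmm.webfilter-any.com", "www.webfilter.com",
                 "www.webfilter-china.com"):
        print(host, keyword_matches("^webfilter", host), keyword_matches("^webfilter$", host))
    print(url_parameter_hits("/item?id=1%27%20or%201=1"))  # constructed request: hits %27
```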
From the navigation tree, select Identification > Content Filtering > Filtering Entry.
The keyword filtering entry list page appears.
2.
Click Add to enter the page for adding a keyword filtering entry, as shown in Figure 33.
3.
4.
Click Apply.
Description
Name
Keyword
From the navigation tree, select Identification > Content Filtering > Filtering Entry.
2.
Select the URL Hostname tab to enter the URL hostname filtering entry list page, as shown in Figure
34.
3.
Click Add to enter the page for adding a URL hostname filtering entry, as shown in Figure 35.
4.
5.
Click Apply.
Description
Name
URL Hostname
From the navigation tree, select Identification > Content Filtering > Filtering Entry.
2.
Select the Filename tab to enter the filename filtering entry list page, as shown in Figure 36.
3.
Click Add to enter the page for adding a filename filtering entry, as shown in Figure 37.
4.
5.
Click Apply.
Description
Name
If you specify a filename keyword in the format of filename.extension, the device will perform
exact match for this keyword. You can use a wildcard (*) to stand for the filename part, the
extension, or a string of up to 6 characters in the filename or extension. In each keyword,
wildcard * can be present only once in the filename and once in the extension. If multiple
dots (.) are present in the keyword, the content following the last dot is regarded as the
extension.
Filename
If you specify a filename keyword containing no dots, the device will perform fuzzy match for
this keyword. You can use wildcard * to stand for a string of up to 6 characters in the
keyword. In each keyword, wildcard * can be present only once.
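The filename keyword rules just described, as an added example that is not from the guide: a Python matcher that treats filename.extension keywords as exact matches with the text after the last dot as the extension, and dot-less keywords as substring matches. The reading that a lone * stands for a whole part while any other * matches up to 6 characters, and case-insensitive matching, are assumptions.

```python
import re

STAR_MAX = 6  # a * that does not stand for a whole part matches up to 6 characters


def _part_pattern(part):
    """Pattern for the filename part or the extension part of an exact-match keyword."""
    if part.count("*") > 1:
        raise ValueError("* may appear only once in the filename part and once in the extension")
    if part == "*":
        return ".*"  # assumption: * standing for the whole part matches any length
    return "".join(".{0,%d}" % STAR_MAX if ch == "*" else re.escape(ch) for ch in part)


def compile_filename_keyword(keyword):
    """filename.extension keywords match exactly; keywords without a dot match as substrings."""
    if "." in keyword:
        name, _, ext = keyword.rpartition(".")  # text after the last dot is the extension
        return re.compile("^" + _part_pattern(name) + r"\." + _part_pattern(ext) + "$",
                          re.IGNORECASE)
    return re.compile(_part_pattern(keyword), re.IGNORECASE)


def filename_matches(keyword, filename):
    """True if the filename (e.g. from an FTP STOR or an SMTP attachment) matches the keyword."""
    return compile_filename_keyword(keyword).search(filename) is not None


if __name__ == "__main__":
    # Constructed samples: the *.exe and system keywords from the configuration example.
    for kw, name in (("*.exe", "setup.exe"), ("*.exe", "setup.exe.txt"), ("system", "system32.dll")):
        print(kw, name, filename_matches(kw, name))
```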
From the navigation tree, select Identification > Content Filtering > Filtering Entry.
2.
Select the Email Address tab to enter the email address filtering entry list page, as shown in Figure
38.
3.
Click Add to enter the page for adding an email address filtering entry, as shown in Figure 39.
4.
5.
Click Apply.
Description
Name
Item
Description
Specify email address keywords for the email address filtering entry, in the
format of username@domain name.
Email Address
From the navigation tree, select Identification > Content Filtering > Filtering Entry.
2.
Click the URL Parameter tab to enter the URL parameter filtering keyword list page, as shown
in Figure 40.
3.
Select the Use the Default Filtering Keywords box and click Apply to enable the system predefined
URL parameter filtering keywords, as shown in Figure 41.
4.
Click Add to enter the page for adding a URL parameter filtering keyword, as shown in Figure 42.
5.
See Figure 42 for the requirements on a keyword. See "Configuration guidelines" for the rules of
using wildcards. A keyword string can contain spaces, but consecutive spaces are not allowed.
6.
Click Apply.
From the navigation tree, select Identification > Content Filtering > Filtering Entry.
2.
Select the Java tab to enter the java blocking keyword list page, as shown in Figure 43.
3.
Click Add to enter the page for adding a java blocking keyword, as shown in Figure 44.
4.
5.
Click Apply.
From the navigation tree, select Identification > Content Filtering > Filtering Entry.
2.
Select the ActiveX tab to enter the ActiveX blocking keyword list page, as shown in Figure 45.
3.
Click Add to enter the page for adding an ActiveX blocking keyword, as shown in Figure 46.
4.
5.
Click Apply.
Remarks
From the navigation tree, select Identification > Content Filtering > Filtering Policy.
The HTTP filtering policy list page appears, as shown in Figure 47.
2.
Click Add to enter the page for adding an HTTP filtering policy, as shown in Figure 48.
3.
4.
Click Apply.
Description
Name
URL Filtering
Header Filtering
Body Filtering
URL IP Blocking
IMPORTANT:
Item
Description
Specify whether to enable URL parameter filtering.
ActiveX Blocking
Enable Logging
The logging function takes effect only when it is enabled in both the content filtering
policy and the interzone policy.
From the navigation tree, select Identification > Content Filtering > Filtering Policy.
2.
Select the SMTP Policy tab to enter the SMTP filtering policy list page, as shown in Figure 49.
3.
Click Add to enter the page for adding an SMTP filtering policy, as shown in Figure 50.
4.
5.
Click Apply.
Description
Name
Sender Filtering
Receiver Filtering
Subject Filtering
Body Filtering
Attachment Content
Filtering
Attachment Filtering
IllegalCmd Blocking
IMPORTANT:
Item
Description
Specify whether to log packet matching events.
IMPORTANT:
Enable Logging
From the navigation tree, select Identification > Content Filtering > Filtering Policy.
2.
Select the POP3 Policy tab to enter the POP3 filtering policy list page, as shown in Figure 51.
3.
Click Add to enter the page for adding a POP3 filtering policy, as shown in Figure 52.
4.
5.
Click Apply.
Description
Name
Item
Description
Sender Filtering
Receiver Filtering
Subject Filtering
Body Filtering
Attachment
Filtering
Attachment
Name Filtering
Attachment
Content Filtering
IMPORTANT:
IMPORTANT:
The logging function takes effect only when it is enabled in both the
content filtering policy and the interzone policy.
From the navigation tree, select Identification > Content Filtering > Filtering Policy.
2.
Select the FTP Policy tab to enter the FTP filtering policy list page, as shown in Figure 53.
3.
Click Add to enter the page for adding an FTP filtering policy, as shown in Figure 54.
4.
5.
Click Apply.
Description
Name
Command Filtering
IMPORTANT:
Enable Logging
The logging function takes effect only when it is enabled in both the content
filtering policy and the interzone policy.
From the navigation tree, select Identification > Content Filtering > Filtering Policy.
2.
Select the Telnet Policy tab to enter the Telnet filtering policy list page, as shown in Figure 55.
3.
Click Add to enter the page for adding a Telnet filtering policy, as shown in Figure 56.
4.
5.
Click Apply.
Description
Name
Command Filtering
IMPORTANT:
IMPORTANT:
The logging function takes effect only when it is enabled in both the content
filtering policy and the interzone policy.
From the navigation tree, select Identification > Content Filtering > Policy Template.
The policy template list page appears, as shown in Figure 57.
2.
Click Add to enter the page for adding a content filtering policy template, as shown in Figure 58.
3.
4.
Click Apply.
Description
Name
IMPORTANT:
You must specify at least one filtering policy.
Enable HTTP body filtering to block HTTP responses that carry keyword abc.
Enable HTTP java applet blocking to block java applet requests to all websites except the one with
IP address 5.5.5.5.
Enable SMTP attachment name filtering to block all emails that carry .exe attachments.
Enable FTP upload filename filtering to prevent users from uploading files that carry system in the
filenames.
Enable Telnet command word filtering to prevent users from executing commands that carry the
command keyword reboot.
Configure IP addresses for the interfaces of the device and assign the interfaces to security zones.
(Details not shown.)
2.
Enter the entry name abc, and the keyword abc as shown in Figure 61.
d. Click Apply.
3.
Click Apply.
4.
Enter the entry name exe, and the filename keyword *.exe as shown in Figure 63.
d. Click Apply.
5.
Click Apply.
6.
Click Apply.
7.
d. Select body filtering entry abc in the available filtering entry list, and then click << to add it to
Click Apply.
8.
filtering entry list, and then click << to add it to the selected filtering entry list.
f.
Click Apply.
9.
Click Apply.
10.
Click Apply.
11.
d. Select HTTP filtering policy http_policy1, SMTP filtering policy smtp_policy, FTP filtering policy
e. Click Apply.
Figure 70 Configuring a content filtering policy template without java applet blocking
12.
d. Select HTTP filtering policy http_policy2, SMTP filtering policy smtp_policy, FTP filtering policy
e. Click Apply.
Figure 71 Configuring a content filtering policy template with java applet blocking
13.
Configure an interzone policy for traffic from security zone Trust to destination 5.5.5.5 in security
zone Untrust, referencing the content filtering policy template without java applet blocking:
a. From the navigation tree, select Firewall > Security Policy > Interzone Policy.
b. Click Add.
c.
Select Trust as the source zone and Untrust as the destination zone.
d. Select any_address as the source IP address. In the Destination IP Address area, select the New
Click Apply.
Figure 72 Configuring the interzone policy referencing the template without java applet blocking
14.
Configure an interzone policy for traffic from security zone Trust to security zone Untrust,
referencing the content filtering policy template with java applet blocking:
a. Select Trust as the source zone and Untrust as the destination zone.
b. Select any_address as the source IP address and destination IP address.
c.
Select any_service as the service name and Permit as the filter action.
Click Apply.
Figure 73 Configuring the interzone policy referencing the template with java applet blocking
Configure keyword filtering entries and add keywords, URL hostnames, file names, and email
addresses to be filtered to each entry. You can also configure URL parameter filtering keywords,
java blocking keywords, and ActiveX blocking keywords in system view. These keywords take
effect without being applied to a content filtering policy or a content filtering policy template.
2.
Configure a content filtering policy and apply the keyword filtering entries to the policy.
3.
Configure a content filtering policy template and apply the content filtering policy to the template.
4.
Configure an interzone policy rule, and apply the content filtering policy template to the interzone
policy rule. For information about interzone policy rules and interzone policies, see Access Control
Configuration Guide.
Tasks at a glance
(Required.) Configure filtering entries and keywords:
Step / Command / Remarks:
1. system-view. N/A.
2. switchto vd vd-name.
3. Create a keyword filtering entry and enter its view: content-filtering keyword-entry keyword-entry-name.
4. Optional. By default, a keyword filtering entry does not have any keyword.
NOTE:
Keyword filtering entries created in system view belong to the default VD.
Keyword filtering entries created in VD view belong to the corresponding VD.
Step / Command / Remarks:
1. system-view. N/A.
2. Enter VD view: switchto vd vd-name.
3. content-filtering url-hostname-entry url-hostname-entry-name.
4. url-hostname fix-string url-hostname. Optional. By default, a URL hostname filtering entry does not have any URL hostname.
NOTE:
URL hostname filtering entries created in system view belong to the default VD.
URL hostname filtering entries created in VD view belong to the corresponding VD.
Step / Command / Remarks:
1. system-view. N/A.
2. Enter VD view: switchto vd vd-name.
3. content-filtering filename-entry filename-entry-name.
4. filename filename. Optional. By default, a filename filtering entry does not have any filename.
NOTE:
Filename filtering entries created in system view belong to the default VD.
Filename filtering entries created in VD view belong to the corresponding VD.
Step / Command / Remarks:
1. system-view. N/A.
2. Enter VD view: switchto vd vd-name.
3. content-filtering email-address-entry email-entry-name.
4. email-address mail-address. Optional.
NOTE:
Email address filtering entries created in system view belong to the default VD.
Email address filtering entries created in VD view belong to the corresponding VD.
Step / Command / Remarks:
1. system-view. N/A.
2. Enter VD view: switchto vd vd-name.
3. Configure URL parameter filtering keywords: content-filtering url-filter parameter { default | keywords keywords }.
Step / Command / Remarks:
1. system-view. N/A.
2. Enter VD view: switchto vd vd-name.
3. Configure java blocking keywords.
Step / Command / Remarks:
1. system-view. N/A.
2. Enter VD view: switchto vd vd-name.
3. Configure ActiveX blocking keywords.
Step / Command / Remarks:
1. system-view. N/A.
2. Enter VD view: switchto vd vd-name.
3. Create an HTTP filtering policy and enter its view: content-filtering http-policy policy-name.
4. Specify a URL hostname filtering entry for URL filtering: url-filtering url-hostname-entry url-hostname-entry-name. Optional. By default, no URL hostname filtering entry is specified for URL filtering.
5. Specify a keyword filtering entry for header filtering: head-filtering keyword-entry keyword-entry-name. Optional. By default, no keyword filtering entry is specified for header filtering.
6. Specify a keyword filtering entry for body filtering: body-filtering keyword-entry keyword-entry-name. Optional. By default, no keyword filtering entry is specified for body filtering.
7. Enable URL IP address blocking: url-ip-blocking enable. Optional. By default, URL IP address blocking is disabled.
8. Enable URL parameter blocking: url-parameter-filtering enable. Optional. By default, URL parameter blocking is disabled.
9. Enable ActiveX blocking: activex-blocking enable. Optional. By default, ActiveX blocking is disabled.
10. java-applet-blocking enable. Optional.
11. logging enable.
NOTE:
HTTP filtering policies created in system view belong to the default VD.
HTTP filtering policies created in VD view belong to the corresponding VD.
Step / Command / Remarks:
1. system-view. N/A.
2. Enter VD view: switchto vd vd-name.
3. Create an SMTP filtering policy and enter its view: content-filtering smtp-policy policy-name.
4. Specify an email address filtering entry for sender filtering: sender-filtering email-entry email-entry-name. Optional. By default, no email address filtering entry is specified for sender filtering.
5. Specify an email address filtering entry for receiver filtering: receiver-filtering email-entry email-entry-name. Optional. By default, no email address filtering entry is specified for receiver filtering.
6. Specify a keyword filtering entry for subject filtering: subject-filtering keyword-entry keyword-entry-name. Optional. By default, no keyword filtering entry is specified for subject filtering.
7. Specify a keyword filtering entry for body filtering: body-filtering keyword-entry keyword-entry-name. Optional. By default, no keyword filtering entry is specified for body filtering.
8. Specify a filename filtering entry for attachment name filtering: attachment-name-filtering filename-entry filename-entry-name. Optional.
9. Specify a keyword filtering entry for attachment content filtering: attachment-body-filtering keyword-entry keyword-entry-name. Optional.
10. illegal-command-blocking enable.
11. oversize-mail-blocking enable [ maxsize max-bytes ].
12. logging enable.
NOTE:
SMTP filtering policies created in system view belong to the default VD.
SMTP filtering policies created in VD view belong to the corresponding VD.
Step / Command / Remarks:
1. system-view. N/A.
2. Enter VD view: switchto vd vd-name.
3. Create a POP3 filtering policy and enter its view: content-filtering pop3-policy policy-name.
4. Specify an email address filtering entry for sender filtering: sender-filtering email-entry email-entry-name. Optional. By default, no email address filtering entry is specified for sender filtering.
5. Specify an email address filtering entry for receiver filtering: receiver-filtering email-entry email-entry-name. Optional. By default, no email address filtering entry is specified for receiver filtering.
6. Specify a keyword filtering entry for subject filtering: subject-filtering keyword-entry keyword-entry-name. Optional. By default, no keyword filtering entry is specified for subject filtering.
7. Specify a keyword filtering entry for body filtering: body-filtering keyword-entry keyword-entry-name. Optional. By default, no keyword filtering entry is specified for body filtering.
8. Specify a filename filtering entry for attachment name filtering: attachment-name-filtering filename-entry filename-entry-name. Optional. By default, no filename filtering entry is specified for attachment name filtering.
9. Specify a keyword filtering entry for attachment content filtering: attachment-body-filtering keyword-entry keyword-entry-name. Optional. By default, no keyword filtering entry is specified for attachment content filtering.
10. logging enable. Optional.
NOTE:
POP3 filtering policies created in system view belong to the default VD.
POP3 filtering policies created in VD view belong to the corresponding VD.
Step / Command / Remarks:
1. system-view. N/A.
2. Enter VD view: switchto vd vd-name.
3. Create an FTP filtering policy and enter its view: content-filtering ftp-policy policy-name.
4. Specify a keyword filtering entry for command word filtering: command-filtering keyword-entry keyword-entry-name. Optional.
5. Specify a filename filtering entry for upload filename filtering: upload-filename-filtering filename-entry filename-entry-name. Optional.
6. Specify a filename filtering entry for download filename filtering: download-filename-filtering filename-entry filename-entry-name. Optional.
7. logging enable.
NOTE:
FTP filtering policies created in system view belong to the default VD.
FTP filtering policies created in VD view belong to the corresponding VD.
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter VD view. | switchto vd vd-name |
3. Create a Telnet filtering policy and enter its view. | content-filtering telnet-policy policy-name |
4. Specify a keyword filtering entry for command word filtering. | command-filtering keyword-entry keyword-entry-name | Optional. By default, no keyword filtering entry is specified for command word filtering.
5. Enable logging. | logging enable | Optional.
NOTE:
Telnet filtering policies created in system view belong to the default VD.
Telnet filtering policies created in VD view belong to the corresponding VD.
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter VD view. | switchto vd vd-name |
3. Create a content filtering policy template and enter its view. | content-filtering policy-template policy-template-name |
NOTE:
Content filtering policy templates created in system view belong to the default VD.
Content filtering policy templates created in VD view belong to the corresponding VD.
Configure HTTP body filtering to block HTTP responses with keyword abc.
Enable HTTP java applet blocking to permit java applet requests only sent to the web server with IP
address 5.5.5.5.
Configure SMTP attachment name filtering to block emails with .exe attachment.
Configure FTP upload filename filtering to block uploaded files with name abc.
Configure Telnet command word filtering to block commands with keyword reboot.
Configuration procedure
1.
Specify the IP addresses for the interfaces and assign the interfaces to appropriate zones. (Details
not shown.)
2.
3.
# Specify the keyword filtering entry kwd1 for HTTP body filtering.
[Firewall-contflt-http-policy-http_policy1] body-filtering keyword-entry kwd1
[Firewall-contflt-http-policy-http_policy1] quit
# Specify the keyword filtering entry kwd1 for HTTP body filtering.
[Firewall-contflt-http-policy-http_policy2] body-filtering keyword-entry kwd1
# Specify the filename filtering entry file1 for SMTP attachment name filtering.
[Firewall-contflt-smtp-policy-smtp_policy1] attachment-name-filtering
filename-entry file1
[Firewall-contflt-smtp-policy-smtp_policy1] quit
# Specify the filename filtering entry file2 for FTP upload filename filtering.
[Firewall-contflt-ftp-policy-ftp_policy] upload-filename-filtering filename-entry
file2
[Firewall-contflt-ftp-policy-ftp_policy] quit
# Specify the keyword filtering entry kwd2 for Telnet command word filtering.
[Firewall-contflt-telnet-policy-telnet_policy1] command-filtering keyword-entry
kwd2
[Firewall-contflt-telnet-policy-telnet_policy1] quit
4.
# Apply the filtering policies http_policy1, smtp_policy1, ftp_policy1, and telnet_policy1 to the
policy template template1.
[Firewall-contflt-policy-template-template1] http-policy http_policy1
[Firewall-contflt-policy-template-template1] smtp-policy smtp_policy1
[Firewall-contflt-policy-template-template1] ftp-policy ftp_policy1
[Firewall-contflt-policy-template-template1] telnet-policy telnet_policy1
[Firewall-contflt-policy-template-template1] quit
# Apply the filtering policies http_policy2, smtp_policy1, ftp_policy1, and telnet_policy1 to the
policy template template2.
[Firewall-contflt-policy-template-template2] http-policy http_policy2
[Firewall-contflt-policy-template-template2] smtp-policy smtp_policy1
[Firewall-contflt-policy-template-template2] ftp-policy ftp_policy1
[Firewall-contflt-policy-template-template2] telnet-policy telnet_policy1
[Firewall-contflt-policy-template-template2] quit
5.
Configure an interzone policy that uses the content filtering policy templates:
# Create a subnet object private and specify its subnet 192.168.1.0/24.
[Firewall] object network subnet private
[Firewall-object-network-private] subnet 192.168.1.0 0.0.0.255
[Firewall-object-network-private] quit
# Configure an interzone instance for traffic from the Trust zone to the Untrust zone.
[Firewall] interzone source Trust destination Untrust
# Configure an interzone policy rule that uses the content filtering policy template 1 without java
Applet blocking enabled to filter HTTP packets from subnet 192.168.1.0/24 to the web server
5.5.5.5.
[Firewall-interzone-Trust-Untrust] rule permit content-filter template1
# Configure another interzone policy rule that uses the content filtering policy template 2 with java
Applet blocking enabled to filter HTTP packets from subnet 192.168.1.0/24 to external networks.
[Firewall-interzone-Trust-Untrust] rule permit content-filter template2
[Firewall-interzone-Trust-Untrust-rule-1] source-ip private
[Firewall-interzone-Trust-Untrust-rule-1] destination-ip any_address
[Firewall-interzone-Trust-Untrust-rule-1] service any_service
[Firewall-interzone-Trust-Untrust-rule-1] rule enable
[Firewall-interzone-Trust-Untrust-rule-1] quit
[Firewall-interzone-Trust-Untrust] quit
Configuring URPF
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
Overview
Unicast Reverse Path Forwarding (URPF) protects a network against source spoofing attacks, such as
denial of service (DoS) and distributed denial of service (DDoS) attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication,
in the name of authorized users or even the administrator. Even if the attackers cannot receive any
response packets, the attacks are still disruptive to the attacked target.
Figure 76 Source address spoofing attack
As shown in Figure 76, an attacker on Router A sends the server (Router B) requests with a forged source
IP address 2.2.2.1, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently,
both Router B and Router C are attacked. URPF can prevent such attacks.
The term router in this document refers to both routers and firewalls.
Strict URPF: To pass strict URPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a forwarding information base (FIB) entry. In some scenarios such as asymmetrical routing, strict URPF may discard valid packets. Strict URPF is often deployed between a provider edge (PE) device and a customer edge (CE) device.
Loose URPF: To pass loose URPF check, the source address of a packet must match the destination address of a FIB entry. Loose URPF can avoid discarding valid packets, but may let attack packets through. Loose URPF is often deployed between ISPs, especially in asymmetrical routing.
URPF features
Default route: When a default route exists, all packets that fail to match a specific FIB entry can match the default route during URPF check and are permitted to pass. To avoid this situation, you can prevent URPF from using any default route, so that such packets are discarded. By default, URPF discards packets that can only match a default route.
Link layer check: Strict URPF check can further perform link layer check on a packet. It uses the next hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes strict URPF check. Link layer check is applicable to ISP devices where a Layer 3 Ethernet interface connects a large number of users. Loose URPF does not support link layer check.
ACL: To identify specific packets as valid packets, you can use an ACL to match these packets. Even if the packets do not pass URPF check, they are still forwarded normally.
(Flowchart: URPF check process. Decision nodes: a broadcast source address; an all-zero source address; a broadcast destination address; does the source address match a FIB entry; a default route; is the default route allowed for URPF check; does the receiving interface match the output interface of the matching FIB entry; loose URPF; does the ACL permit the packet. Outcomes: Discard, Check passed.)
1.
Discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.)
2.
3.
If yes, URPF checks whether the allow-default-route keyword is configured. If yes, proceeds to step 4. If not, proceeds to step 5.
If not, proceeds to step 4.
4.
URPF checks whether the receiving interface matches the output interface of the matching FIB entry:
5.
If yes, the packet is forwarded (such a packet is displayed in the URPF information as a "suppressed drop").
If not, the packet is discarded.
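The check sequence above, modelled in Python as an added example (this is a constructed model for illustration, not H3C device code). The FIB, interface names, ARP table and packets are constructed; the handling of a failed link layer check (falling through to the ACL step) is an assumption.

```python
"""URPF check model (added example; constructed, not H3C device code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

BROADCAST = IPv4Address("255.255.255.255")
ALL_ZERO = IPv4Address("0.0.0.0")


@dataclass
class FibEntry:
    prefix: IPv4Network
    out_iface: str
    next_hop: Optional[IPv4Address] = None  # used only by the link layer check


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    in_iface: str
    src_mac: Optional[str] = None


@dataclass
class UrpfConfig:
    strict: bool = True                  # strict or loose URPF
    allow_default_route: bool = False    # the allow-default-route keyword
    link_layer_check: bool = False       # strict URPF only
    acl: List[IPv4Network] = field(default_factory=list)       # basic ACL: permitted source prefixes
    arp: Dict[IPv4Address, str] = field(default_factory=dict)  # constructed ARP table: next hop -> MAC


def fib_lookup(fib: List[FibEntry], addr: IPv4Address) -> Optional[FibEntry]:
    """Longest prefix match; a 0.0.0.0/0 entry is the default route."""
    best = None
    for entry in fib:
        if addr in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def acl_fallback(cfg: UrpfConfig, pkt: Packet) -> str:
    """Step 5: a packet that failed the check is still forwarded if the ACL permits it."""
    if any(pkt.src in net for net in cfg.acl):
        return "suppressed drop"  # forwarded, shown as a suppressed drop in URPF statistics
    return "discard"


def urpf_check(pkt: Packet, fib: List[FibEntry], cfg: UrpfConfig) -> str:
    """Return 'pass', 'suppressed drop' (forwarded because of the ACL) or 'discard'."""
    # Step 1: source address validity.
    if pkt.src == BROADCAST:
        return "discard"
    if pkt.src == ALL_ZERO:
        # 0.0.0.0 -> 255.255.255.255 may be DHCP/BOOTP and must not be discarded.
        return "pass" if pkt.dst == BROADCAST else "discard"
    # Step 2: does the source address match a FIB entry?
    entry = fib_lookup(fib, pkt.src)
    if entry is None:
        return acl_fallback(cfg, pkt)
    # Step 3: a match on the default route only counts with allow-default-route.
    if entry.prefix.prefixlen == 0 and not cfg.allow_default_route:
        return acl_fallback(cfg, pkt)
    # Loose URPF is satisfied by any usable FIB match.
    if not cfg.strict:
        return "pass"
    # Step 4 (strict): the receiving interface must be the entry's output interface.
    if entry.out_iface != pkt.in_iface:
        return acl_fallback(cfg, pkt)
    # Optional link layer check: the source MAC must equal the ARP entry of the next hop.
    # Assumption: a failed link layer check goes to the ACL step like any other failure.
    if cfg.link_layer_check and entry.next_hop is not None:
        if cfg.arp.get(entry.next_hop) != pkt.src_mac:
            return acl_fallback(cfg, pkt)
    return "pass"


# Constructed FIB: two customer networks and a default route towards the upstream ISP.
FIB = [
    FibEntry(IPv4Network("10.1.1.0/24"), "GE0/1", IPv4Address("10.1.1.2")),
    FibEntry(IPv4Network("192.168.0.0/16"), "GE0/2"),
    FibEntry(IPv4Network("0.0.0.0/0"), "GE0/3"),
]


def demo() -> Dict[str, str]:
    """Run a few constructed packets through strict and loose URPF."""
    pkt_ok = Packet(IPv4Address("10.1.1.5"), IPv4Address("192.168.1.1"), "GE0/1")
    spoofed = Packet(IPv4Address("10.1.1.5"), IPv4Address("192.168.1.1"), "GE0/2")  # wrong interface
    default_only = Packet(IPv4Address("8.8.8.8"), IPv4Address("10.1.1.1"), "GE0/3")
    return {
        "strict ok": urpf_check(pkt_ok, FIB, UrpfConfig()),
        "strict spoofed": urpf_check(spoofed, FIB, UrpfConfig()),
        "loose spoofed": urpf_check(spoofed, FIB, UrpfConfig(strict=False)),
        "strict spoofed, ACL exempt": urpf_check(spoofed, FIB, UrpfConfig(acl=[IPv4Network("10.1.1.0/24")])),
        "default route only": urpf_check(default_only, FIB, UrpfConfig()),
        "default route allowed": urpf_check(default_only, FIB, UrpfConfig(allow_default_route=True)),
    }
```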
Network application
Figure 78 Network diagram
Configure strict URPF check between an ISP network and a customer network, and loose URPF
check between ISPs.
1.
From the navigation tree, select Intrusion Detection > URPF Check to enter the URPF check configuration page, as shown in Figure 79.
2.
Configure URPF settings for the security zone, as shown in Table 20.
3.
Click Apply.
Item | Description
Security Zone | Security zone where the URPF check is to be configured. URPF configuration takes effect on all the interfaces in the security zone. IMPORTANT: URPF configuration takes effect on the packets received by the interfaces in the security zone only.
Enable URPF | Enable/disable URPF check. If this box is not selected, URPF check is disabled and the following parameters are not configurable.
ACL | Reference an ACL.
Type of Check |
Network requirements
As shown in Figure 80, Device A (CE) directly connects to Device B (PE). Enable strict URPF check in Zone
B of Device B to allow packets whose source addresses match ACL 2010 to pass. Enable strict URPF
check in Zone A of Device A and allow use of the default route for URPF check.
Figure 80 Network diagram
Configuring Device B
1.
Configure the interface IP addresses and security zones they belong to. (Details not shown.)
2.
d. Click Apply.
e. Click
f.
Click Add.
The ACL configuration page appears, as shown in Figure 82.
j.
Click Apply.
3.
Click Apply.
Configuring Device A
1.
Configure the interface IP addresses and security zones they belong to. (Details not shown.)
2.
Click Apply.
Step | Command | Remarks
1. Enter system view. | system-view | N/A
Network requirements
As shown in Figure 85, configure strict URPF check for zoneB on Device B to permit packets from network
10.1.1.0/24.
Enable strict URPF check for zoneA on Device A and allow using the default route for URPF check.
Figure 85 Network diagram
Configuration procedure
1.
Assign IP addresses for interfaces and add them into security zones. (Details not shown.)
2.
Configure Device B:
# Define ACL 2010 to permit traffic from network 10.1.1.0/24 to pass.
<DeviceB> system-view
[DeviceB] acl number 2010
[DeviceB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.255
[DeviceB-acl-basic-2010] quit
3.
Configure Device A:
# Enable strict URPF check for security zone zoneA and allow use of the default route for URPF check.
[DeviceA] zone name zoneA
[DeviceA-zone-zoneA] ip urpf strict allow-default-route
Hardware | Compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI | Yes
F1000-E | Yes
F1000-S-EI | Yes
F100-C-G/F100-S-G | Yes
F100-M-G/F100-A-G/F100-E-G | Yes
F5000-A5 | No
Firewall module | Yes
U200-A/U200-M/U200-CA | Yes
U200-S/U200-CS/U200-CM | Yes
As shown in Figure 86, IDS collaboration enables a firewall to work with an intrusion detection system (IDS) device. The collaboration process is as follows:
1.
2.
When the IDS device detects an attack, it sends an SNMP trap message to the firewall device. The
trap message may carry attack information such as source IP address of the attacker, target IP
address to be attacked, source port and destination port.
3.
When a firewall with IDS collaboration enabled receives the trap message, it retrieves the attack
information, generates a blocking entry, and blocks subsequent traffic from the source.
1.
From the navigation tree, select Intrusion Detection > IDS Collaboration.
The IDS collaboration configuration page appears.
2.
3.
Click Apply.
Configuration guidelines
When you configure IDS collaboration, follow these guidelines:
Both the firewall devices and IDS devices must support and have SNMPv2c configured.
The aging time for an IDS blocking entry is five minutes. The timer restarts if the firewall receives an
SNMP trap with the same attack information before the timer expires.
A blocking entry applies only to subsequent connections matching the entry. To make entries apply to current connections as well, disable the fast forwarding function of the firewall.
Disabling IDS collaboration removes the generated blocking entries from the firewall.
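The collaboration process and the guidelines above (trap-derived blocking entry, five-minute aging with timer restart, effect on subsequent connections only unless fast forwarding is disabled, entries removed when the feature is disabled), modelled in Python as an added example rather than H3C device code. The trap contents, addresses, ports and timestamps are constructed; treating a port the trap did not carry as a wildcard is an assumption.

```python
"""IDS collaboration blocking table (added example; constructed, not H3C device code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

AGING_SECONDS = 5 * 60  # aging time of an IDS blocking entry

# Attack information a trap may carry: source IP, target IP, source port, destination port.
# A port the trap did not carry is stored as None and matches any port (assumption).
BlockKey = Tuple[str, str, Optional[int], Optional[int]]
FlowKey = Tuple[str, str, int, int]


@dataclass
class BlockingEntry:
    key: BlockKey
    expires_at: float  # seconds, on the same clock the caller passes as `now`


class IdsCollaboration:
    """Firewall-side state: blocking entries plus a (constructed) fast-forwarding session table."""

    def __init__(self, fast_forwarding: bool = True) -> None:
        self.enabled = True
        self.fast_forwarding = fast_forwarding
        self.entries: Dict[BlockKey, BlockingEntry] = {}
        self.sessions: Set[FlowKey] = set()  # connections already established

    def receive_trap(self, attack: dict, now: float) -> Optional[BlockingEntry]:
        """Generate a blocking entry from the trap's attack information.
        A trap with the same attack information restarts the aging timer."""
        if not self.enabled:
            return None
        key: BlockKey = (attack["src_ip"], attack["dst_ip"],
                         attack.get("src_port"), attack.get("dst_port"))
        entry = BlockingEntry(key, now + AGING_SECONDS)
        self.entries[key] = entry  # overwriting an existing key restarts its timer
        return entry

    def _age_out(self, now: float) -> None:
        self.entries = {k: e for k, e in self.entries.items() if e.expires_at > now}

    def _matches(self, flow: FlowKey) -> bool:
        src, dst, sport, dport = flow
        return any(s == src and d == dst and sp in (None, sport) and dp in (None, dport)
                   for (s, d, sp, dp) in self.entries)

    def allow_packet(self, flow: FlowKey, now: float) -> bool:
        """Decide for one packet of a flow. With fast forwarding on, packets of an existing
        session bypass the blocking entries, so only subsequent connections are blocked."""
        self._age_out(now)
        if self.fast_forwarding and flow in self.sessions:
            return True
        if self._matches(flow):
            return False
        self.sessions.add(flow)  # first packet of a permitted connection creates a session
        return True

    def disable(self) -> None:
        """Disabling IDS collaboration removes the generated blocking entries."""
        self.enabled = False
        self.entries.clear()


def demo() -> Dict[str, bool]:
    """Constructed trap and flows; timestamps are seconds from an arbitrary epoch."""
    trap = {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "dst_port": 80}  # constructed
    flow = ("203.0.113.7", "10.0.0.5", 40001, 80)
    fw = IdsCollaboration(fast_forwarding=True)
    results = {}
    results["before trap"] = fw.allow_packet(flow, now=0)  # session established
    fw.receive_trap(trap, now=10)  # entry expires at 310
    results["existing session after trap"] = fw.allow_packet(flow, now=20)
    results["new connection after trap"] = fw.allow_packet(("203.0.113.7", "10.0.0.5", 40002, 80), now=20)
    fw.receive_trap(trap, now=200)  # same attack information: timer restarts, expires at 500
    results["new connection at 400"] = fw.allow_packet(("203.0.113.7", "10.0.0.5", 40003, 80), now=400)
    results["new connection at 600"] = fw.allow_packet(("203.0.113.7", "10.0.0.5", 40004, 80), now=600)
    return results
```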
Hardware | Compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI | Yes
F1000-E | No
F1000-S-EI | No
F100-C-G/F100-S-G | Yes
F100-M-G/F100-A-G/F100-E-G | Yes
F5000-A5 | No
Firewall module | No
U200-A/U200-M/U200-CA | Yes
U200-S/U200-CS/U200-CM | Yes
When the device is operating in UTM mode, the device provides advanced security protection functions
such as IPS, AV, content monitoring, bandwidth management, and protocol audit, and basic security
functions such as VPN and firewall. For more information about the system operating modes, see Getting
Started Guide.
Configuration guidelines
When you configure advanced security protection, follow these guidelines:
Advanced security protection cannot be configured in these zones: Management, Any, and Local.
Advanced security protection policies (IPS, antivirus, content filtering, bandwidth management, and protocol audit) cannot be configured on virtual devices.
Advanced security protection logs (IPS, antivirus, content filtering, bandwidth management, and
protocol audit) do not contain virtual device information, system logs, and host logs about IPv6 and
VPN instances.
Time tables
Time tables define time ranges. Bandwidth management policies reference time tables, so that they can
take different actions to the matching packets in different time ranges.
A time table can define up to ten periodic time ranges, such as 8:30 to 18:00 every Monday through
Friday. If you define multiple time ranges in a time table, the time table takes effect as long as one of the
time ranges takes effect.
1.
Select Advanced Security Prevention > Time Table from the navigation tree.
The time table list page appears, as shown in Figure 88.
2.
Click Add to enter the time table configuration page, as shown in Figure 89.
3.
4.
effect.
b. Select the days in a week for the time range to take effect.
c.
5.
Click Add.
Repeat step 4 to add multiple time ranges for the time table.
You can define ten time ranges at most.
6.
Click Apply.
Licenses
Licenses control whether you can upgrade signature databases and use time-sensitive features. Signature
databases define which attacks the device can detect and defend against. They must be upgraded in
time to ensure security. When its license expires, a signature database cannot be upgraded and you
must recharge to get a new license for the signature database.
The license module allows you to view the license information, import licenses, and export licenses.
Importing a license
1.
Select Advanced Security Prevention > License from the navigation tree.
The license information page appears, as shown in Figure 90.
2.
In the Import License tab, browse to a license file saved on the local host.
3.
Exporting a license
1.
Select Advanced Security Prevention > License from the navigation tree.
The license information page appears, as shown in Figure 90.
2.
3.
On the popup file download dialog box, perform operations as prompted to save the license to a
file on the local host.
Signature upgrade
Signature databases define which signatures the device can recognize. For example, they recognize the
attack signatures and virus signatures. You must upgrade them in time to ensure security.
Use the following methods to upgrade signature databases:
Auto upgrade: Online upgrade mode. In this mode, the device periodically gets the most current signature database file from a specific signature database server to upgrade the local database.
Manual upgrade: Online upgrade mode. In this mode, you can get the most current signature database file from a specific signature database server and upgrade the local database by a single click.
Local upgrade: Offline upgrade mode. You can get a signature database file in offline mode, save the file to the local host, and import the file to the device to upgrade the signature database with the file. Local upgrade is usually used in a LAN and it allows you to use any signature database version that is compatible with the device.
To upgrade a signature database file online, you must first navigate to page Network > DNS > Dynamic to configure the DNS server (see Access Control Configuration Guide).
For successful signature database upgrade, make sure the current license file is valid and not
expired, the new signature database version is compatible with the device's software version, and
you perform no other operations during the upgrade.
If you upgrade the software to a version that contains a new feature and the new feature requires
the cooperation of a certain signature database version, you must also upgrade the signature
database to the required version.
To upgrade the signature database, select Advanced Security Prevention > Signature Upgrade from the
navigation tree. The signature upgrade page appears.
Figure 91 Signature upgrade
Signature database upgrade modes include automatic online upgrade, manual online upgrade, and
local upgrade.
The following uses the IPS signature database to describe the signature database upgrade process.
Upgrade of the antivirus signature database is similar.
Automatic online upgrade: In the IPS Signature area, select the Upgrade Automatically box, select the day of the week and the time, and then click Apply at the bottom of the page. For example, if you select the day as Every Monday and the time as 03:00, the device upgrades the IPS signature database in online mode automatically at 03:00 every Monday.
Manual online upgrade: In the IPS Signature area, click the Upgrade Now button to upgrade the database immediately.
Local upgrade: In the IPS Signature area, click Browse to locate the IPS signature database upgrade file, and then click Upgrade.
IPS
The IPS typically runs on a network trunk. Based on IPS policies, IPS can implement real-time traffic analysis and anomaly detection, and trigger predefined actions in response. For example, IPS can block abnormal traffic to prevent suspicious code from being injected into target hosts and executed.
Task | Remarks
1. Configuring IPS log output parameters | Optional. Specify whether to send logs to remote log hosts and whether to send logs through emails. By default, logs are not sent to remote log hosts and are not sent through emails.
2. Creating an IPS policy | Required. No IPS policy exists by default.
3. Applying an IPS policy | Required. No IPS policy is applied by default.
1.
Select Advanced Security Prevention > IPS from the navigation tree.
The IPS Policies tab is displayed, as shown in Figure 92.
NOTE:
IPS policies that have been referenced cannot be deleted. The delete icon ( ) is not provided for such IPS policies.
2.
At the top of the page, you can set the IPS log output parameters, as described in Table 21.
3.
Click Apply.
Description
Select this option to send IPS logs to the specified remote log hosts.
Navigate to page Log Report > Syslog to specify the remote log host addresses.
Select this option to send IPS logs to the specified recipients through emails.
Navigate to page Log Report > Log Email to specify the email parameters.
1.
Select Advanced Security Prevention > IPS from the navigation tree.
The IPS Policies tab is displayed, as shown in Figure 92.
2.
3.
4.
Click Apply.
Item | Description
Name |
Severity | IMPORTANT: To ensure the device performance, H3C recommends detecting and preventing only attacks of the critical level.
Action | Select the actions to be taken to the detected attacks, including logging the attacks (Log) and blocking the attack packets (Block).
Attack Type | This field displays the types of attacks that the device can detect and prevent.
1.
Select Advanced Security Prevention > IPS from the navigation tree.
2.
3.
4.
5.
Click Apply.
Item | Description
Source Zone |
IPS Policy | Select the IPS policy to be applied. To add an IPS policy to the IPS Policy list, click the following Add button (see "Creating an IPS policy").
Protected Zones | Specify the zones to be protected by the IPS policy, which can be the destination zone, or both the destination and source zones.
Source IP List | Add the source IP addresses to be matched by the IPS policy. You can add up to ten host addresses or network segment addresses.
Destination IP List | Add the destination IP addresses to be matched by the IPS policy. You can add up to ten host addresses or network segment addresses.
Excluded IP List | Add IP addresses to be excluded from the source or destination IP list of the IPS policy. The IPS policy does not match excluded IP addresses. You can add up to ten host addresses or network segment addresses that are included on the source or destination IP list.
Antivirus
You can configure antivirus policies on a device and then apply them so that the device can identify
traffic with viruses and take actions to prevent viruses from infecting the network.
Task | Remarks
1. Configuring antivirus log output parameters | Optional. Specify whether to send logs to remote log hosts and whether to send logs through emails. By default, logs are not sent to remote log hosts and are not sent through emails.
2. Creating an antivirus policy | Required. No antivirus policy exists by default.
3. Applying an antivirus policy | Required. No antivirus policy is applied by default.
Antivirus policies that have been referenced cannot be deleted. The delete icon ( ) is not provided for such antivirus policies.
2.
At the top of the page, set the antivirus log output parameters as described in Table 24.
Description
Select this option to send antivirus logs to the specified remote log hosts.
Navigate to page Log Report > Syslog to specify the remote log host addresses.
Select this option to send antivirus logs to the specified recipients through emails.
Navigate to page Log Report > Log Email to specify the recipients.
2.
3.
4.
Click Apply.
Item | Description
Name |
Action | Select the actions to be taken to the detected virus attacks, including logging the attacks (Log) and blocking the attack packets (Block).
Virus Category | This field displays the categories of viruses that the device can detect and prevent.
2.
3.
4.
Click Apply.
Item | Description
Source Zone |
AV Policy | To add an antivirus policy to the AV Policy list, click the following Add button (see "Creating an antivirus policy").
Protected Zones | Specify the zones to be protected by the antivirus policy, which can be the destination zone, or both the destination and source zones.
Source IP List |
Destination IP List |
Excluded IP List |
Content monitoring
In conventional network security solutions, network attack defense focuses on attacks from external
networks. However, with the popularity of networks in every walk of life, attacks from LANs are
increasing, which requires network devices to accommodate internal network security features. The
content monitoring feature is developed to meet this requirement.
The content monitoring feature monitors, filters, and logs user network access behaviors, including:
Task | Remarks
1. Configuring the content monitoring log output parameter | Optional. Specify whether to send logs to remote log hosts. By default, logs are not sent to remote log hosts.
2. Creating a content monitoring policy | Required. No content monitoring policy exists by default.
3. Applying a content monitoring policy | Required. No content filtering policy is applied.
1.
Select Advanced Security Prevention > Content Monitoring from the navigation tree.
The Content Monitoring Policies tab is displayed, as shown in Figure 100.
Content monitoring policies that have been referenced cannot be deleted. The delete icon ( ) is not provided for such content monitoring policies.
2.
At the top of the page, set whether to send content monitoring logs to the specified remote log
hosts.
If you select the Send logs to remote log hosts option, you need to navigate to page Log Report >
Syslog to specify the remote log host addresses.
3.
Click Apply.
1.
Select Advanced Security Prevention > Content Monitoring from the navigation tree.
The Content Monitoring Policies tab is displayed, as shown in Figure 100.
2.
3.
4.
Click Apply.
Item | Description
Name |
IM Applications | MSN
Effective Time |
Remote Access Applications | FTP
Effective Time | Set the effective time for monitoring the selected FTP operations.
Database Applications | Oracle, Sybase, SQL Server, MySQL
Effective Time | Set the effective time for monitoring the selected database access behaviors.
1.
Select Advanced Security Prevention > Content Monitoring from the navigation tree.
2.
Click the Content Monitoring Policy Applications tab, as shown in Figure 102.
3.
Click Add to enter the content monitoring policy application configuration page, as shown
in Figure 103.
4.
5.
Click Apply.
Item | Description
Source Zone |
Destination Zone |
Content Monitoring Policy |
Monitored Zones | Specify the zones to be monitored by the content monitoring policy, which can be the destination zone, or both the destination and source zones.
Source IP List |
Destination IP List |
Excluded IP List |
Bandwidth management
Network traffic can be divided into multiple types of services, such as the email service and VoIP service.
Bandwidth management refers to performing different management and control behaviors for different
service types. Bandwidth management includes two major components: service and service-specific
control behavior.
A service is system-defined or user-defined. All services are organized into a tree, which is called a
service tree. A node of the service tree represents a service.
The device determines the service type of a received packet by its application protocol and IP address,
and then performs the corresponding action for the packet according to the user-defined rule for the
service.
An interzone instance specifies the source zone and destination zone of the packets to be inspected by
a security policy. You can apply different bandwidth management policies to different interzone
instances for more flexible control of the network traffic.
By performing flexible bandwidth controls for applications and limiting non-critical applications,
bandwidth management guarantees bandwidth for mission-critical applications of the user network.
A service is a set of match rules. All network behaviors conforming to the match rules belong to the
service.
A match rule consists of protocol, node, and direction, where protocol indicates the network protocol,
node indicates a certain device or devices in a certain network segment, and direction indicates the
probe direction. The three factors together determine that packets of a certain protocol sent or received
by a specific device (or devices in a specific network segment) match the rule.
The service itself does not manage or control the network. A service can be referenced by a policy in the
system. Then, the policy cooperates with the service to manage and control the network.
In the system, services are organized into a tree with only one root node. Except the root node, any other
service can be appended to another service, with the first service as the child service and the second one
as the father service.
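The service tree and match rule model described above, together with the policy rule precedence stated later under the bandwidth management policy rule items (when both a service and its child service have rules, the rule for the child service takes effect), as an added Python example that is not H3C's implementation. The service names, protocols, prefixes and action labels are constructed; modelling a match rule's node as the server side and its direction as the initiating side is an assumption about the page's (protocol, node, direction) triple.

```python
"""Service tree classification and policy rule selection (added example; constructed, not H3C code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")


@dataclass
class Flow:
    protocol: str              # application protocol, e.g. "smtp"
    initiator_ip: IPv4Address  # host that opened the connection
    server_ip: IPv4Address


@dataclass
class MatchRule:
    """protocol + node + direction: the node is the server side of the flow, and the
    initiator prefix expresses the probe direction (which side sends the request)."""
    protocol: str
    server: IPv4Network = ANY
    initiator: IPv4Network = ANY

    def matches(self, flow: Flow) -> bool:
        return (flow.protocol == self.protocol
                and flow.server_ip in self.server
                and flow.initiator_ip in self.initiator)


@dataclass
class Service:
    name: str
    rules: List[MatchRule] = field(default_factory=list)
    children: List["Service"] = field(default_factory=list)
    father: Optional["Service"] = None

    def add_child(self, child: "Service") -> "Service":
        """Append a child service; self becomes its father service."""
        child.father = self
        self.children.append(child)
        return child

    def matches(self, flow: Flow) -> bool:
        return any(rule.matches(flow) for rule in self.rules)


def classify(root: Service, flow: Flow) -> Service:
    """Walk down from the root (all services) to the deepest service whose match rules
    the flow satisfies; a child service refines its father."""
    node = root
    while True:
        child = next((c for c in node.children if c.matches(flow)), None)
        if child is None:
            return node
        node = child


def select_action(policy: Dict[str, str], service: Service) -> str:
    """Policy rules are keyed by service name. The rule for the most specific service
    takes effect, so search from the classified service upwards; the rule for all
    services (the root) is the default and is always present."""
    node: Optional[Service] = service
    while node is not None:
        if node.name in policy:
            return policy[node.name]
        node = node.father
    raise KeyError("policy has no rule for all services")


def build_tree() -> Service:
    """Constructed service tree: All services -> Email -> Internal mail, and P2P."""
    root = Service("All services")
    email = root.add_child(Service("Email", [MatchRule("smtp"), MatchRule("pop3")]))
    email.add_child(Service("Internal mail",
                            [MatchRule("smtp", server=IPv4Network("10.1.1.0/24"))]))
    root.add_child(Service("P2P", [MatchRule("bittorrent")]))
    return root


# Constructed policy: the rule for all services is the default and cannot be deleted.
POLICY = {"All services": "permit", "Email": "bandwidth control", "Internal mail": "permit"}


def decide(flow: Flow, root: Optional[Service] = None,
           policy: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """Return (service name, action) for a flow under the given tree and policy."""
    root = root or build_tree()
    policy = policy or POLICY
    service = classify(root, flow)
    return service.name, select_action(policy, service)
```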
Task | Remarks
1. Configuring a protocol | Optional.
2. Configuring a service |
3. Configuring bandwidth management log output parameters | Specify whether to send logs to remote log hosts and whether to send logs through emails. By default, logs are not sent to remote log hosts and are not sent through emails.
4. Creating a bandwidth management policy | Required. No bandwidth management policy exists by default.
5. Applying a bandwidth management policy | Required. No bandwidth management policy is applied by default.
Configuring a protocol
1.
Select Advanced Security Prevention > Bandwidth Management from the navigation tree.
2.
When you select a protocol in the protocol tree, the right part of the page displays the information of the protocol. You can modify the information of all user-defined protocols and the port number information of some system-defined protocols.
To restore the default settings of a system-defined protocol, click the Restore button.
To delete a user-defined protocol, select the protocol in the protocol tree and then click the Delete Protocol button under the tree.
3.
4.
5.
Click Apply.
Item | Description
Name | Enter a name for the protocol. IMPORTANT: After the device updates its IPS signature database, new system-defined protocols may be added. If a new system-defined protocol has the same name as that of an existing user-defined protocol, the user-defined protocol is deleted when the device is restarted. Therefore, H3C recommends that you specify a characteristic name for each user-defined protocol.
Description | Configure the description information for the protocol, to help distinguish protocols.
Type | Select a transport layer protocol that carries the protocol. Options include TCP and UDP.
 | Specify the TCP or UDP port numbers to be used by the protocol. IMPORTANT: The port number range to be specified cannot overlap with existing port number ranges. You can add up to eight port number ranges to the port number list. Each port number range can contain 32 ports at most.
Configuring a service
1.
Select Advanced Security Prevention > Bandwidth Management from the navigation tree.
2.
When you select a service in the service tree, you can view and modify the information of the service on the right part of the page. The description of a system-defined service cannot be modified.
The default match rule of a system-defined service cannot be modified or deleted.
To delete a user-defined service, select the service in the service tree and click Delete Service.
User-defined services that are referenced by bandwidth management policy rules and the
system-defined services cannot be deleted.
Deleting the protocol used by a match rule of a service also deletes the match rule.
3.
Select a service in the service tree and then click the Add Service button to enter the service
configuration page, as shown in Figure 107.
On the page, you can add a service that uses the selected service as the father service.
4.
5.
Click Apply.
Item | Description
Father Service | Displays the father service of the service to be added. Father service is the service you selected in the service tree before clicking the Add Service button.
Service Name | Enter a name for the service. IMPORTANT: After the device updates its IPS signature database, new system-defined services may be added. If a new system-defined service has the same name as that of an existing user-defined service, the user-defined service is deleted when the device is restarted. Therefore, H3C recommends that you specify a characteristic name for each user-defined service.
Description | Configure the description information for the service, to help distinguish services.
6.
In the service tree, select a service for which you want to add a match rule.
7.
Click Add Match Rule to enter the match rule configuration page, as shown in Figure 108.
8.
9.
Click Apply.
Description
Protocol
Server IP
Initiator
1.
Select Advanced Security Prevention > Bandwidth Management from the navigation tree.
The Bandwidth Management Policies tab is displayed, as shown in Figure 109.
The bandwidth management policies that have been referenced cannot be deleted. The delete icon ( ) is not provided for such bandwidth management policies.
2.
At the top of the page, set the bandwidth management log output parameters, as shown in Table
32.
3.
Click Apply.
Bandwidth management log output parameters (Table 32):
Select this option to send bandwidth management logs to the specified remote log hosts. Navigate to page Log Report > Syslog to specify the remote log host addresses.
Select this option to send bandwidth management logs to the specified recipients through emails. Navigate to page Log Report > Log Email to specify the recipients.
1. Select Advanced Security Prevention > Bandwidth Management from the navigation tree.
The Bandwidth Management Policies tab is displayed, as shown in Figure 109.
2. Click Add to enter the bandwidth management policy configuration page, as shown in Figure 110.
3.
Name
Working mode: Group Mode limits the total bandwidth of all users matching the policy. User Mode limits the bandwidth of each user matching the policy independently.
Upstream bandwidth: Set the total bandwidth for all upstream (destination zone to source zone) traffic that matches the policy.
Downstream bandwidth: Set the total bandwidth for all downstream (source zone to destination zone) traffic that matches the policy.
4. Click Add to add a new rule to the rule list, as shown in Figure 111.
By default, there is a rule for all services, which cannot be deleted.
5.
Service Name: Specify the service that the rule matches. On the rule's advanced configuration page, this field only displays the service name. Click the icon of the rule, and a page appears where you can select a service.
IMPORTANT: In one policy, you cannot specify the same service for different rules. If you configure a rule for a service and a rule for one of its child services, the rule for the child service takes effect.
Valid Time, Action, Upstream Bandwidth, Downstream Bandwidth: Configure the system to take different actions on the traffic matching the rule in different time ranges.
IMPORTANT: The Upstream Bandwidth and Downstream Bandwidth items are configurable only when you select the Bandwidth Control action, and you must configure at least one of them.
6. Click the icon for a rule to configure the rule on the advanced rule setup page, as shown in Figure 112.
7. Click the icon to add a time table-action association for the service of the rule.
You can add up to six time table-action associations for a rule. If multiple time tables overlap in time range, the action corresponding to the one on the top is executed.
For configuration guidelines for adding a time table-action association, see the Valid Time, Action, Upstream Bandwidth, and Downstream Bandwidth fields in Table 34.
8.
9.
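The rule semantics described for bandwidth management policies (a rule for a child service overriding its father's rule, the topmost of several overlapping time tables winning, at most six time table-action associations per rule, the Bandwidth Control action requiring at least one bandwidth value, and the undeletable default rule for all services) modelled in Python. This is an added example, not H3C code or anything the device runs: the service tree, the time tables, the policy and the service names are constructed for illustration, and the behaviour when no time table of a matched rule covers the current time is an assumption, because the guide does not state it.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# Constructed service tree (child service -> father service); "all" is the root.
SERVICE_TREE = {
    "P2P": "all", "BitTorrent": "P2P", "eMule": "P2P",
    "IM": "all", "QQ": "IM", "MSN": "IM",
    "HTTP": "all",
}
MAX_ASSOCIATIONS = 6  # guide: up to six time table-action associations per rule


def service_chain(service: str) -> list:
    """Return [service, its father service, ..., "all"], most specific first."""
    chain = [service]
    while chain[-1] in SERVICE_TREE:
        chain.append(SERVICE_TREE[chain[-1]])
    return chain


@dataclass(frozen=True)
class TimeTable:
    """Weekly time table: a set of weekdays (0 = Monday) and a daily [start, end) window."""
    name: str
    weekdays: frozenset
    start: time
    end: time

    def covers(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Association:
    """One Valid Time / Action / Upstream Bandwidth / Downstream Bandwidth row of a rule."""
    valid_time: Optional[TimeTable]     # None means the row is always valid
    action: str                         # "Permit", "Deny" or "Bandwidth Control"
    upstream_kbps: Optional[int] = None
    downstream_kbps: Optional[int] = None

    def __post_init__(self):
        # Guide: with the Bandwidth Control action at least one bandwidth item is required.
        if (self.action == "Bandwidth Control"
                and self.upstream_kbps is None and self.downstream_kbps is None):
            raise ValueError("Bandwidth Control requires upstream or downstream bandwidth")


@dataclass
class Policy:
    name: str
    working_mode: str                   # "Group Mode" or "User Mode" (informational here)
    rules: dict = field(default_factory=dict)  # service -> [Association, ...], top row first

    def __post_init__(self):
        # Guide: a rule for all services exists by default and cannot be deleted.
        self.rules.setdefault("all", [Association(None, "Permit")])

    def add_rule(self, service: str, associations: list) -> None:
        if service in self.rules:
            raise ValueError(f"{service!r} already has a rule in policy {self.name!r}")
        if len(associations) > MAX_ASSOCIATIONS:
            raise ValueError("at most six time table-action associations per rule")
        self.rules[service] = list(associations)

    def delete_rule(self, service: str) -> None:
        if service == "all":
            raise ValueError("the default rule for all services cannot be deleted")
        del self.rules[service]

    def effective_action(self, service: str, at: datetime) -> Association:
        """A child-service rule beats its father's rule; within a rule the topmost time
        table covering `at` wins. Assumption (the guide does not say): a matched rule
        none of whose time tables cover `at` is skipped and the father's rule is tried."""
        for candidate in service_chain(service):
            for assoc in self.rules.get(candidate, ()):
                if assoc.valid_time is None or assoc.valid_time.covers(at):
                    return assoc
        raise RuntimeError("default rule for all services is missing")


WORKDAYS = frozenset(range(5))  # Monday to Friday
ALL_DAY = TimeTable("workdays", WORKDAYS, time(0, 0), time(23, 59, 59))
BUSY_HOURS = TimeTable("busy-hours", WORKDAYS, time(9, 0), time(12, 0))


def build_example_policy() -> Policy:
    """Constructed policy: P2P denied, except BitTorrent (a child of P2P) limited to
    1500 kbps upstream and downstream as in the guide's example; HTTP throttled in
    busy hours by the topmost of two overlapping time tables."""
    policy = Policy("internal-users", "User Mode")
    policy.add_rule("P2P", [Association(None, "Deny")])
    policy.add_rule("BitTorrent", [Association(None, "Bandwidth Control", 1500, 1500)])
    policy.add_rule("HTTP", [Association(BUSY_HOURS, "Bandwidth Control", upstream_kbps=500),
                             Association(ALL_DAY, "Permit")])
    return policy


def describe(policy: Policy, service: str, iso_time: str) -> tuple:
    """Return (action, upstream_kbps, downstream_kbps) applied to `service` at `iso_time`."""
    assoc = policy.effective_action(service, datetime.fromisoformat(iso_time))
    return (assoc.action, assoc.upstream_kbps, assoc.downstream_kbps)


if __name__ == "__main__":
    policy = build_example_policy()
    for svc, when in [("BitTorrent", "2012-06-04T10:00"), ("eMule", "2012-06-04T10:00"),
                      ("HTTP", "2012-06-04T10:00"), ("HTTP", "2012-06-09T10:00")]:
        print(svc, when, describe(policy, svc, when))
```

The eMule entry shows the father-service fallback: it has no rule of its own, so the P2P rule (Deny) applies, while BitTorrent, which has a child-service rule, is bandwidth-limited instead. The HTTP rule shows why the order of time table-action associations matters: on a Monday at 10:00 both time tables cover the moment and the top one (busy hours) is applied; on a Saturday neither covers it and the default rule for all services takes over.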
1. Select Advanced Security Prevention > Bandwidth Management from the navigation tree.
2. Click the Bandwidth Management Policy Applications tab, as shown in Figure 113.
3. Click Add to enter the bandwidth management policy application configuration page, as shown in Figure 114.
4.
5. Click Apply.
Bandwidth management policy application configuration items: Source Zone, Destination Zone, Bandwidth Management Policy, Source IP List, Destination IP List, Excluded IP List.
Protocol audit
You can configure protocol audit to audit the following protocols:
HTTP: Audits the URI that users have accessed and the host field.
SMTP and POP3: Audits receivers (including recipients, CC recipients, and BCC recipients), senders, and subjects of the mails that are sent or received through SMTP or POP3.
FTP: Audits information of the file that users upload or download, such as the file name.
Configuration task list:
1. Configure the device to send protocol audit logs to remote log hosts. Required. For this function to work, navigate to page Log Report > Syslog to specify the remote log host addresses (see System Management and Maintenance). By default, logs are not sent to remote log hosts.
2. Required. No protocol audit policy exists by default.
3. Required. No protocol audit policy is applied by default.
1. Select Advanced Security Prevention > Protocol Audit from the navigation tree.
The Protocol Audit Policies tab is displayed, as shown in Figure 115.
Protocol audit policies that have been referenced cannot be deleted. The delete icon is not provided for such protocol audit policies.
2. At the top of the page, set whether to send protocol audit logs to the specified remote log hosts. If you select the Send logs to remote log hosts option, you need to navigate to page Log Report > Syslog to specify the remote log host addresses.
3. Click Apply.
1. Select Advanced Security Prevention > Protocol Audit from the navigation tree.
The Protocol Audit Policies tab is displayed, as shown in Figure 115.
2.
3.
4. Click Apply.
Name
Protocol Type: Select the protocols to be audited, including HTTP, FTP, SMTP, and POP3.
1. Select Advanced Security Prevention > Protocol Audit from the navigation tree.
2. Click the Protocol Audit Policy Applications tab, as shown in Figure 117.
3. Click Add to enter the protocol audit policy application configuration page, as shown in Figure 118.
4.
5. Click Apply.
Protocol audit policy application configuration items: Source Zone, Protocol Audit Policy, Audited Zones, Source IP List, Destination IP List, Excluded IP List.
Block and log traffic from the Internet that carries viruses or is abnormal.
Monitor QQ and MSN applications of the internal users every Monday to Friday.
Limit the bandwidth occupied by the Internet BitTorrent traffic of the internal users, setting the maximum upstream bandwidth and the maximum downstream bandwidth to 1500 kbps each.
Audit the HTTP and FTP traffic generated by internal users and send protocol audit logs to the remote log host whose IP address is 10.1.1.2.
Configuring IPS
1.
Click Apply.
2.
g. Click Apply.
Configuring antivirus
1.
2.
g. Click Apply.
Friday.
f. Click Apply.
2.
g. Click Apply.
Click the
g. On the pop-up page, select BitTorrent under the P2P service node, and click Apply.
h. Select the action Bandwidth Control for the service BitTorrent, and enter 1500 for the upstream
Click Apply.
2.
Click Apply.
Click Apply.
2. Configure the firewall to send protocol audit logs to the remote log host:
a. Select Advanced Security Prevention > Protocol Audit from the navigation tree.
Click Apply.
3.
4.
g. Click Apply.