
Campus Networks Typical Configuration Examples 7 Security Deployment

7 Security Deployment

7.1 Key Points of Security Deployment
7.2 Campus Internal Network Security
7.3 Campus Egress Security

7.1 Key Points of Security Deployment


Campus network security includes campus internal network security and campus
egress security. Campus internal network security covers login security (for
example, preventing unauthorized users from logging in to devices), data security
(data not being intercepted or tampered with during forwarding), and other
aspects. For campus egress security, professional security devices (such as
firewalls) are deployed at the campus egress to implement network border
protection and effectively prevent security threats from external networks.

● Campus internal network security


– Device login security
It is recommended that the user name and password be used for local
device login through the console port and a secure SSH protocol (for
example, STelnet) be used for remote device login.
– Security at different network layers
As the border of the campus network, access devices need to prevent
unauthorized users and terminals from accessing the network and control
Layer 2 traffic forwarding. Core devices are located at the key position of
the network, and the security of the core devices is critical. When a core
device is configured as a centralized authentication point, the CPU
performance must meet protocol packet processing requirements when a
large number of users access the network. When a core device is
configured as a gateway, ARP security must be considered.
– Wireless service security
Intrusion devices and attack users can be detected and contained to
ensure the border security of wireless networks. In addition, the validity
and security of user access need to be authenticated to ensure the
security of user service data.

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 580



● Campus egress security


– Online behavior management
If enterprise employees need to access external networks, functions such
as URL filtering, file filtering, data filtering, application behavior control,
and antivirus need to be enabled to protect internal hosts from external
threats and prevent information leaks to ensure network security.
– Border protection
Employees, servers, and external networks can be assigned to different
security zones for inter-zone traffic inspection and protection.
The content security protection functions need to be enabled according
to types of network services to be provided for external users. For
example, file filtering and data filtering are enabled on the file server,
mail filtering is enabled on the mail server, and antivirus and intrusion
prevention are enabled on all servers.

7.2 Campus Internal Network Security


This section describes deployment suggestions and configuration examples of
internal network security policies in terms of device login security, security at
different network layers, and wireless service security. You can deploy functions
based on service requirements.

7.2.1 Deployment Roadmap


Table 7-1 Recommended security policy deployment for device login

Function: Local device login through the console port
Description: You need to configure an authentication mode and a user level for the console user interface.
Application Scenario: You want to log in to the device through the console port while improving local login security.

Function: Remote device login using STelnet
Description: You need to configure a protocol type, an authentication mode, and a user level for the VTY user interface.
Application Scenario: You want to remotely log in to the device while ensuring remote login security, especially on an insecure network through SSH.


Table 7-2 Recommended security policy deployment for access devices

Function: Traffic suppression
Description: Discards or blocks broadcast, unknown multicast, or unknown unicast packets when their rate exceeds the specified threshold.
Application Scenario: You are advised to configure this function on internal connection interfaces of a network to reduce the network-wide service impact of broadcast storms caused by loops.
Deployment Location: Downlink interface or VLAN
Default Setting:
● Traffic suppression for broadcast packets: enabled
● Traffic suppression for unknown multicast and unknown unicast packets: disabled

Function: Storm control
Description: Blocks or disables interfaces for broadcast, unknown multicast, or unknown unicast packets when their rate exceeds the specified threshold.
Application Scenario: On a tree network with a downstream user network, you are advised to configure this function to prevent storms on the user network from spreading over the entire network.
Deployment Location: Downlink interface
Default Setting: Disabled

Function: DHCP snooping
Description: Enables a DHCP snooping-enabled device to exchange valid DHCP packets with a DHCP server through the trusted interface and generate DHCP snooping binding entries, check DHCP packets received from the untrusted interface, and discard the DHCP packets that do not match the binding entries.
Application Scenario: When a host obtains an IP address through DHCP, you are advised to configure this function on the upper-layer access device of the DHCP client to ensure that the DHCP client obtains the IP address from a valid DHCP server. This prevents bogus DHCP server attacks, bogus DHCP packet attacks, and DHCP flood attacks.
Deployment Location: Downlink interface or VLAN
NOTE: An uplink interface directly or indirectly connected to a DHCP server is configured as a trusted interface.
Default Setting: Disabled

Function: IP Source Guard (IPSG)
Description: Checks IP packets against a static binding table, DHCP snooping binding table, or ND snooping binding table, and enables the device to discard the IP packets that do not match the binding table.
Application Scenario: When a host obtains an IP address through DHCP or uses a static IP address, you are advised to configure this function on the access device directly connected to users to prevent unauthorized hosts from forging the IP addresses of authorized hosts or changing their IP addresses to attack the network.
Deployment Location: Downlink interface or VLAN
Default Setting: Disabled

Function: ND snooping
Description: Checks neighbor discovery (ND) packets by using neighbor solicitation (NS) packets in the duplicate address detection (DAD) process based on ND snooping binding entries, and enables the device to discard the ND packets that do not match the binding entries.
Application Scenario: If no DHCPv6 server is deployed on the network and hosts obtain IPv6 addresses only through stateless address autoconfiguration, you are advised to configure this function to prevent address spoofing attacks and RA attacks.
Deployment Location: Downlink interface or VLAN
Default Setting: Disabled

Function: Dynamic ARP inspection (DAI)
Description: Checks ARP packets against DHCP snooping binding entries and enables the device to discard the ARP packets that do not match the binding entries.
Application Scenario: To prevent man-in-the-middle attacks that forge ARP packets and steal data exchanged between communication parties, you are advised to configure this function.
Deployment Location: Downlink interface or VLAN
Default Setting: Disabled

Function: Port security
Description: Changes the dynamic MAC addresses learned on an interface into secure MAC addresses to prevent unauthorized users from communicating with switches using the interface.
Application Scenario: To enhance host access security, you are advised to configure this function to limit the number of access hosts or prevent attacks initiated by bogus hosts through other interfaces.
Deployment Location: Downlink interface
Default Setting: Disabled

Function: Port isolation
Description: Adds interfaces to an isolation group and configures the isolation mode and unidirectional or bidirectional port isolation.
Application Scenario: To implement Layer 2 isolation or both Layer 2 and Layer 3 isolation between interfaces in the same VLAN, you are advised to configure this function.
Deployment Location: Downlink interface
Default Setting: Disabled
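As an added example (not code from the Huawei document), a Python model of the DHCP snooping, IPSG and DAI rows above: server-side DHCP messages are accepted only on the trusted uplink, a snooped ACK creates a binding entry, and IP and ARP packets arriving on user ports are checked against that entry, with a discard alarm in the spirit of the ip source check user-bind alarm threshold command used in 7.2.3. The packets, interface names, the threshold of 3 and all class and method names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # DHCP messages only a server sends


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


class AccessSwitch:
    """Constructed model of the DHCP snooping, IPSG and DAI behaviour in
    Table 7-2. Field and method names are my own, not VRP commands."""

    def __init__(self, trusted: Set[str], alarm_threshold: int = 100):
        self.trusted = trusted                          # uplink(s) towards the DHCP server
        self.alarm_threshold = alarm_threshold          # models 'alarm threshold' in 7.2.3
        self.bindings: Dict[str, Binding] = {}          # snooping binding table, keyed by IP
        self.pending: Dict[str, Tuple[int, str]] = {}   # client MAC -> (vlan, port) of its REQUEST
        self.discards: Dict[str, int] = {}              # IPSG discards per interface
        self.alarms: List[str] = []

    def snoop_dhcp(self, msg: str, client_mac: str, yiaddr: str, vlan: int, iface: str) -> bool:
        """Return True if the DHCP message is forwarded, False if it is dropped."""
        if msg in SERVER_MSGS:
            if iface not in self.trusted:
                return False            # bogus DHCP server answering on a user port
            if msg == "ACK" and client_mac in self.pending:
                cvlan, ciface = self.pending.pop(client_mac)
                # the entry records where the client sits, not the server-facing port
                self.bindings[yiaddr] = Binding(yiaddr, client_mac, cvlan, ciface)
            return True
        if msg == "RELEASE":
            # a release only clears entries learned for this MAC on this port
            self.bindings = {ip: b for ip, b in self.bindings.items()
                             if not (b.mac == client_mac and b.interface == iface)}
        else:                           # DISCOVER / REQUEST from a client
            self.pending[client_mac] = (vlan, iface)
        return True

    def _matches(self, ip: str, mac: str, vlan: int, iface: str) -> bool:
        b = self.bindings.get(ip)
        return b is not None and (b.mac, b.vlan, b.interface) == (mac, vlan, iface)

    def ipsg_check(self, src_ip: str, src_mac: str, vlan: int, iface: str) -> bool:
        """IP packets on untrusted ports pass only if they match a binding entry."""
        if iface in self.trusted or self._matches(src_ip, src_mac, vlan, iface):
            return True
        n = self.discards[iface] = self.discards.get(iface, 0) + 1
        if n == self.alarm_threshold:   # alarm once the discard count reaches the threshold
            self.alarms.append(f"IPSG: {n} packets discarded on {iface}")
        return False

    def dai_check(self, sender_ip: str, sender_mac: str, vlan: int, iface: str) -> bool:
        """ARP packets pass only if the sender IP/MAC match a binding on that port."""
        return iface in self.trusted or self._matches(sender_ip, sender_mac, vlan, iface)


def run_scenario() -> Dict[str, object]:
    """Constructed traffic: one legitimate DHCP client and one host spoofing it."""
    sw = AccessSwitch(trusted={"GE0/0/2"}, alarm_threshold=3)
    r: Dict[str, object] = {}
    sw.snoop_dhcp("REQUEST", "0001-0001-0001", "", 10, "GE0/0/1")
    r["ack_forwarded"] = sw.snoop_dhcp("ACK", "0001-0001-0001", "10.0.0.1", 10, "GE0/0/2")
    r["bogus_server_dropped"] = not sw.snoop_dhcp("OFFER", "0003-0003-0003", "10.0.0.99", 10, "GE0/0/3")
    r["ipsg_legit"] = sw.ipsg_check("10.0.0.1", "0001-0001-0001", 10, "GE0/0/1")
    r["ipsg_spoof"] = sw.ipsg_check("10.0.0.1", "0002-0002-0002", 10, "GE0/0/3")   # stolen IP
    r["dai_spoof"] = sw.dai_check("10.0.0.1", "0002-0002-0002", 10, "GE0/0/3")     # forged ARP
    for _ in range(2):                                                              # unbound static IP
        sw.ipsg_check("10.0.0.50", "0002-0002-0002", 10, "GE0/0/3")
    r["alarms"] = len(sw.alarms)
    return r
```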

Table 7-3 Recommended security policy deployment for aggregation devices

Suggestion: If a core device functions as the user gateway and an aggregation device connects to multiple access devices for Layer 2 forwarding of service traffic, you only need to configure port isolation.
Description: Port isolation allows terminals connected to different access devices to communicate with each other at Layer 2.

Suggestion: If an aggregation device functions as the user gateway, you can deploy security policies by referring to security policy deployment for core devices.
Description: -

Suggestion: If an aggregation device connects to terminals, you can deploy security policies by referring to security policy deployment for access devices.
Description: -


Table 7-4 Recommended security policy deployment for core devices

Dimension: CPU security (Local attack defense)
Application Scenario (all functions in this dimension): If a large number of packets are sent to the CPU or malicious packet attacks occur, the CPU usage becomes high and the performance deteriorates, affecting other services. In this case, you are advised to configure local attack defense.

Function: CPU attack defense
Description: Limits the number of packets sent to the CPU within a specified period of time to protect the CPU.
Default Setting: Enabled

Function: Attack source tracing
Description: Finds the source user address or interface of the attack packets and sends logs or alarms to the administrator, instructing the administrator to take measures based on configurations to defend against the attack.
Default Setting: Enabled

Function: Port attack defense
Description: Traces the source and limits the rate of packets if the packet rate exceeds the threshold, preventing a failure to send packets from normal ports to the CPU, as protocol packets from attacked ports may exhaust the bandwidth.
Default Setting: Enabled

Function: User-level rate limiting
Description: Rate-limits packets sent from specified users to the CPU based on MAC addresses, protecting other users from an attack initiated by one user.
Default Setting: Enabled

Dimension: ARP security (Defense against ARP flood attacks)
Application Scenario (all functions in this dimension):
● Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
● The device fails to learn ARP entries due to high CPU usage, it is disconnected from the NMS, it frequently alternates between master and slave states, its interface indicators blink fast red, or attached devices are disconnected from the network.
● Ping responses are delayed, packets are lost, or the ping operation fails.

Function: Rate limiting on ARP packets
Description: Prevents the CPU from being overloaded when a device is busy with a large number of ARP packets.
Default Setting:
● Rate limiting on ARP packets based on source IP addresses: A device allows a maximum of 30 ARP packets from the same source IP address to pass through within 1s.
● Rate limiting on ARP packets based on source MAC addresses: disabled
● Rate limiting on ARP packets globally, in a VLAN, or on an interface: disabled

Function: Rate limiting on ARP Miss messages
Description: Prevents a device from processing a large number of packets that contain unresolvable destination IP addresses and generating a large number of ARP Miss messages.
Default Setting:
● Rate limiting on ARP Miss messages based on source IP addresses: A device can process a maximum of 30 ARP Miss messages triggered by the same source IP address per second.
● Rate limiting on ARP Miss messages globally, in a VLAN, or on an interface: disabled

Function: Temporary ARP entry aging
Description: Reduces the frequency of triggering ARP Miss messages.
Default Setting: Aging time of temporary ARP entries: 3s

Function: Prohibiting the device from sending ARP packets destined for other devices to the CPU
Description: Enables the device to directly forward ARP packets destined for other devices without sending them to the CPU, improving the device's capability of defending against ARP flood attacks.
Default Setting: Enabled

Function: Optimized ARP reply
Description: Enables the standby or slave switch in a stack to directly return an ARP Reply packet when receiving an ARP Request packet of which the destination IP address is the local interface address, improving the stack's capability of defending against ARP flood attacks.
Default Setting: Enabled

Function: Strict ARP learning
Description: Enables the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent, preventing ARP entry resources from being fully occupied by invalid ARP entries of a large number of ARP attack packets.
Default Setting: Disabled

Function: ARP entry limiting
Description: Limits the maximum number of dynamic ARP entries that can be learned on an interface, preventing ARP entries from being consumed by ARP attack packets sent by a host connected to the interface.
Default Setting: The maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.

Function: Disabling ARP learning on an interface
Description: Prevents ARP entries from being consumed by ARP attack packets by a host connected to the interface.
Default Setting: Enabled

Dimension: ARP security (Defense against ARP spoofing attacks)

Function: ARP entry fixing
Description: Disables the device from updating an entry, or enables the device to update only part of the entry or send a unicast ARP Request packet to check the validity of the ARP packet that triggers the entry update when the device learns an ARP entry for the first time, ensuring that valid ARP entries are not replaced by attackers using forged ARP packets.
Application Scenario:
● Users are disconnected, network connections are frequently interrupted, users cannot access the network, or services are interrupted.
● Ping packets are lost, or the ping operation fails.
Default Setting: Enabled

Function: ARP gateway anti-collision
Description: Prevents users from forging a gateway address to send ARP packets and modifying ARP entries of other users on the network.
Application Scenario:
● Users are disconnected, network connections are frequently interrupted, users cannot access the network, or services are interrupted.
● The device is disconnected from an NMS, an attached device is disconnected, or the gateway address conflicts occur.
● Ping packets are lost, or the ping operation fails.
Default Setting: Disabled

Function: ARP gateway protection
Description: Protects a gateway address, preventing users from forging the gateway address to send ARP packets and modifying ARP entries of other users on the network.
Application Scenario:
● Users are disconnected, network connections are frequently interrupted, users cannot access the network, or services are interrupted.
● The device is disconnected from an NMS, an attached device is disconnected, or the gateway address conflicts occur.
● Ping packets are lost, or the ping operation fails.
Default Setting: Disabled

Function: Gratuitous ARP packet sending
Description: Allows the device used as the gateway to periodically send ARP Request packets whose destination IP address is the device IP address to update the gateway MAC address in ARP entries, ensuring that packets of authorized users are forwarded to the gateway and preventing hackers from intercepting these packets.
Application Scenario:
● Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
● Ping responses are delayed, packets are lost, or the ping operation fails.
Default Setting: Disabled

Function: MAC address consistency check in an ARP packet
Description: Prevents attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header.
Application Scenario (also applies to ARP packet validity check):
● Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
● The device is disconnected from an NMS, an attached device is disconnected, or the gateway address conflicts occur.
● Ping responses are delayed, packets are lost, or the ping operation fails.
Default Setting: Disabled

Function: ARP packet validity check
Description: Enables the device to filter out packets with invalid MAC addresses or IP addresses.
Application Scenario: See MAC address consistency check in an ARP packet above.
Default Setting: Disabled

Function: Strict ARP learning
Description: Enables the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent, preventing ARP entry resources from being fully occupied by invalid ARP entries of a large number of ARP attack packets.
Default Setting: Disabled

Function: ARP learning triggered by DHCP
Description: Enables the device to generate ARP entries based on the received DHCP ACK packets, preventing the aging and learning of many ARP entries from impacting the device performance and the network when many DHCP users connect to a network device.
Application Scenario:
● Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
● Ping responses are delayed, packets are lost, or the ping operation fails.
Default Setting: Disabled
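The ARP flood defenses in the table above, modelled in Python as an added example (not Huawei code): a sliding-window limiter of 30 ARP packets and 30 ARP Miss messages per source IP per second, and temporary ARP entries aged after 3 s, which are the defaults listed in Table 7-4. The hosts, addresses and timings are constructed and the class and method names are my own; time is passed in explicitly so the run is deterministic.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float = 1.0):
        self.limit, self.window = limit, window
        self.events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class GatewayArp:
    """Constructed model of a gateway's ARP handling with the Table 7-4
    defaults: 30 ARP packets and 30 ARP Miss messages per source IP per
    second, temporary ARP entries aged after 3 s. Names are my own."""

    def __init__(self, arp_limit: int = 30, miss_limit: int = 30, temp_aging: float = 3.0):
        self.arp_limiter = SlidingWindowLimiter(arp_limit)
        self.miss_limiter = SlidingWindowLimiter(miss_limit)
        self.temp_aging = temp_aging
        self.arp_entries: Dict[str, str] = {}     # resolved IP -> MAC
        self.temp_entries: Dict[str, float] = {}  # unresolved IP -> expiry time
        self.cpu_arp = 0                          # ARP packets handed to the CPU
        self.arp_miss = 0                         # ARP Miss messages generated

    def receive_arp(self, src_ip: str, now: float) -> bool:
        """Per-source-IP rate limiting: excess ARP packets never reach the CPU."""
        if not self.arp_limiter.allow(src_ip, now):
            return False
        self.cpu_arp += 1
        return True

    def forward_ip(self, src_ip: str, dst_ip: str, now: float) -> str:
        """Outcome for an IP packet whose next hop may still be unresolved."""
        if dst_ip in self.arp_entries:
            return "forwarded"
        expiry = self.temp_entries.get(dst_ip)
        if expiry is not None and now < expiry:
            return "temp-drop"      # temporary entry: no new ARP Miss for this destination
        if not self.miss_limiter.allow(src_ip, now):
            return "miss-limited"   # this source already triggered 30 ARP Misses this second
        self.arp_miss += 1          # CPU resolves dst_ip and installs a temporary entry
        self.temp_entries[dst_ip] = now + self.temp_aging
        return "arp-miss"


def flood_scenario() -> Tuple[int, Dict[str, int], int]:
    """One host floods 100 ARP packets, then scans 100 unreachable addresses, within a second."""
    gw = GatewayArp()
    passed = sum(gw.receive_arp("10.1.1.100", t / 1000) for t in range(100))
    outcomes: Dict[str, int] = defaultdict(int)
    for i in range(100):                              # 100 destinations within 100 ms
        outcomes[gw.forward_ip("10.1.1.100", f"10.1.2.{i}", 0.5 + i / 1000)] += 1
    for i in range(10):                               # same destination again within 3 s
        outcomes[gw.forward_ip("10.1.1.100", "10.1.2.0", 1.6 + i / 1000)] += 1
    outcomes[gw.forward_ip("10.1.1.100", "10.1.2.0", 5.0)] += 1   # after the entry aged
    return passed, dict(outcomes), gw.arp_miss
```

Only 30 of the 100 ARP packets reach the CPU, the scan produces 30 ARP Miss messages instead of 100, and the repeated packets to one unresolved destination are absorbed by the temporary entry until it ages out.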


Table 7-5 Recommended security policy deployment for wireless services

Function: Wireless Intrusion Detection System (WIDS) and Wireless Intrusion Prevention System (WIPS)
Description:
● Enables the device to detect and counter rogue or interference devices, preventing unauthorized STAs from accessing the network.
● Configures attack detection and dynamic blacklisting functions, detecting and blacklisting devices that initiate flooding attacks, weak IV attacks, spoofing attacks, or brute force key cracking attacks.
Application Scenario: To protect enterprises and users against unauthorized access from wireless networks and detect unauthorized users or APs, you are advised to configure this function.
Default Setting:
● Device detection and containment: disabled
● Attack detection and dynamic blacklisting: disabled

Function: Security policy
Description: Authenticates STAs and encrypts user packets through WLAN security policies, including open system authentication, WEP, WPA/WPA2-PSK, WPA/WPA2-802.1X, WAPI-PSK, and WAPI-certificate.
Application Scenario: You are advised to configure this function to ensure security of wireless users, implementing link authentication when a wireless link is established, user authentication when users attempt to connect to a wireless network, and data encryption during data transmission.
Default Setting: Open system authentication

Function: STA blacklist and whitelist
Description: Enables the device to configure a blacklist or whitelist to manage the access of STAs.
Application Scenario: You are advised to configure this function to control access of wireless users, ensuring that authorized users can access the WLAN and preventing unauthorized users from forcibly accessing the WLAN.
Default Setting: Disabled

Function: User isolation on a VAP
Description: Prevents packets of users on a VAP from being forwarded to each other.
Application Scenario: To isolate users on the same VAP from each other at Layer 2 while allowing them to communicate at Layer 3, improving communication security, you are advised to configure this function.
Default Setting: Disabled

Function: Port isolation
Description: Adds interfaces to an isolation group and configures the isolation mode and unidirectional or bidirectional isolation.
Application Scenario: To allow WLAN users on different APs in the same VLAN to communicate at Layer 2 and improve communication security, you are advised to configure this function on the switch connected to APs.
Default Setting: Disabled

7.2.2 Example for Configuring Device Login Security


You can locally log in to a device through the console port or remotely log in using
STelnet.

Configuring Security for Local Device Login Through the Console Port
Logging in to a switch through the console port (also called serial port) is a basic
login mode and forms the basis of other login modes such as Telnet and STelnet.
Once an attacker accesses the console port on a switch, the switch is exposed to
the attacker, causing security risks. You can configure the authentication mode,
user authentication information, and user level for the console user interface to
ensure security of switch login through the console port.
Deployment Precautions
● If you configure the console user interface after login through the console
port, the configuration takes effect at your next login.
● To ensure device security, you are required to change the default password
upon the first login and change the password periodically.
Procedure

Step 1 Configure an authentication mode for the console user interface.


<HUAWEI> system-view
[HUAWEI] user-interface console 0 //Enter the console user interface view.
[HUAWEI-console0] authentication-mode aaa //Set AAA authentication for the console user interface.


The default authentication mode is AAA.


[HUAWEI-console0] quit

Step 2 Configure authentication information and user level for the console user interface.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123 //Create local user admin123 and set the login password to abcd@123.
[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user admin123 to 15.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[HUAWEI-aaa] local-user admin123 service-type terminal //Set the access type of local user admin123 to terminal user, that is, console user.

Step 3 Connect to the switch through the console port and enter the user name and
password as prompted to log in to the switch. (In this example, the user name is
admin123 and the password is abcd@123.)
Login authentication

Username:admin123
Password:
<HUAWEI>

----End

Configuring Security for Remote Device Login Using STelnet


You can remotely log in to a switch using Telnet and STelnet. Telnet poses security
risks. However, STelnet, based on the SSH protocol, implements secure remote
login on insecure networks and provides powerful authentication functions to
ensure information security and protect switches against attacks, such as IP
spoofing attacks.
Deployment Precautions
● Before configuring STelnet login, ensure that the PC and the switch are
routable to each other.
● STelnet V2 is more secure than STelnet V1, and is therefore recommended.
● Ensure that SSH client software for logging in to the SSH server is installed on the user terminal before configuring STelnet login. This example uses the third-party software PuTTY as the SSH client.
● STelnet login requires virtual type terminal (VTY) user interfaces to support
SSH. Therefore, the VTY user interfaces must use AAA authentication.
● For device security purposes, change the password periodically.
Procedure

Step 1 Configure a protocol type, an authentication mode, and a user level for the VTY user interface.
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa //Configure AAA authentication for the VTY user interface.
[HUAWEI-ui-vty0-4] protocol inbound ssh //Configure the VTY user interface to support SSH. By default, SSH is used.
[HUAWEI-ui-vty0-4] user privilege level 15 //Set the level of the VTY user interface to 15.
[HUAWEI-ui-vty0-4] quit

Step 2 Enable the STelnet server function and create an SSH user.
[HUAWEI] stelnet server enable //Enable the STelnet server function on the switch.
[HUAWEI] ssh user admin123 //Create SSH user admin123.
[HUAWEI] ssh user admin123 service-type stelnet //Set the service mode of the SSH user to STelnet.


Step 3 Configure an authentication mode for the SSH user.

# Set the authentication mode for the SSH user to password.

To use password authentication, create a local user with the same name as the
SSH user in the AAA view.
[HUAWEI] ssh user admin123 authentication-type password //Configure password authentication for the SSH user.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123 //Create a local user with the same user name as the SSH user and set a login password for the local user.
[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user to 15.
[HUAWEI-aaa] local-user admin123 service-type ssh //Set the service type of the local user to SSH.
[HUAWEI-aaa] quit

# Set the authentication mode for the SSH user to RSA, DSA, or ECC. (The
following uses ECC authentication as an example. Steps for configuring RSA and
DSA authentication are similar to those for configuring ECC authentication.)

To use RSA, DSA, or ECC authentication, you need to configure the public key of
the SSH client on the SSH server. When the SSH client connects to the SSH server,
the SSH client passes the authentication if the private key of the client matches
the configured public key. For details about the public key on the client, see the
help document of the SSH client software.
[HUAWEI] ssh user admin123 authentication-type ecc //Configure ECC authentication for the SSH user.
[HUAWEI] ecc peer-public-key key01 encoding-type pem //Configure the encoding format of ECC public key key01 and enter the ECC public key view.
Enter "ECC public key" view, return system view with "peer-public-key end".
[HUAWEI-ecc-public-key] public-key-code begin //Enter the public key editing view.
Enter "ECC key code" view, return last view with "public-key-code end".
[HUAWEI-ecc-key-code] 308188 //Copy the public key of the client, which is a hexadecimal character string.
[HUAWEI-ecc-key-code] 028180
[HUAWEI-ecc-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-ecc-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-ecc-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-ecc-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-ecc-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-ecc-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-ecc-key-code] 171896FB 1FFC38CD
[HUAWEI-ecc-key-code] 0203
[HUAWEI-ecc-key-code] 010001
[HUAWEI-ecc-key-code] public-key-code end //Return to the public key view.
[HUAWEI-ecc-public-key] peer-public-key end //Return to the system view.
[HUAWEI] ssh user admin123 assign ecc-key key01 //Assign the existing public key key01 to user admin123.

Step 4 Generate a local key pair on the server.


<HUAWEI> system-view
[HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC.
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=521]:521
Info: Generating keys..........
Info: Succeeded in creating the ECC host keys.

Step 5 Log in to the switch through STelnet.

On the PC, connect to the SSH server through password authentication.

Log in to the switch using PuTTY, enter the switch's IP address, and select the SSH
protocol.


Click Open. Enter the user name and password as prompted and press Enter to
log in to the SSH server. (The following information is for reference only.)
login as: admin123
Sent username "admin123"

admin123@10.10.10.20's password:

Info: The max number of VTY users is 8, and the number of current VTY users on line is 5.
The current login time is 2018-12-22 09:35:28+00:00.
<HUAWEI>

----End
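As an added example (not from the Huawei document), a Python audit that checks a configuration dump against the login-security settings in 7.2.2: AAA on the console and VTY lines, SSH-only VTY access, STelnet enabled and Telnet disabled, and local-user passwords stored with irreversible-cipher as in Step 2. Both configurations are constructed, the secrets are placeholders, and the display current-configuration layout the parser assumes (view name at column 0, member commands indented, # separators) is my assumption.

```python
import re
from typing import List, Tuple

# Constructed sample in the 'display current-configuration' layout this
# parser assumes: a line at column 0 opens a view, indented lines belong
# to it, and a bare '#' closes it. Secrets are placeholders, not hashes.
INSECURE_CONFIG = """\
#
 telnet server enable
 stelnet server enable
#
aaa
 local-user admin123 password irreversible-cipher $1a$PLACEHOLDER$
 local-user admin123 privilege level 15
 local-user admin123 service-type ssh terminal
 local-user guest password cipher %^%#PLACEHOLDER%^%#
 local-user guest service-type telnet
#
ssh user admin123 authentication-type password
ssh user admin123 service-type stelnet
#
user-interface con 0
 authentication-mode password
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound all
#
"""

# The same device after the settings from Steps 1 and 2 of both procedures.
HARDENED_CONFIG = """\
#
 stelnet server enable
#
aaa
 local-user admin123 password irreversible-cipher $1a$PLACEHOLDER$
 local-user admin123 privilege level 15
 local-user admin123 service-type ssh terminal
#
ssh user admin123 authentication-type password
ssh user admin123 service-type stelnet
#
user-interface con 0
 authentication-mode aaa
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound ssh
#
"""


def parse_views(config: str) -> List[Tuple[str, str]]:
    """Return (view, command) pairs; the view is '' for global commands."""
    pairs, view = [], ""
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd == "#":
            view = ""
        elif raw[0] != " ":          # column 0: opens a view and is a command itself
            view = cmd
            pairs.append(("", cmd))
        else:
            pairs.append((view, cmd))
    return pairs


def audit_login_security(config: str) -> List[str]:
    """Findings against the 7.2.2 recommendations; an empty list is a pass."""
    pairs = parse_views(config)
    findings: List[str] = []
    global_cmds = [c for v, c in pairs if v == ""]
    if "telnet server enable" in global_cmds:
        findings.append("Telnet server is enabled; disable it and use STelnet")
    if "stelnet server enable" not in global_cmds:
        findings.append("STelnet server is not enabled")
    for ui in sorted({v for v, _ in pairs if v.startswith("user-interface")}):
        cmds = [c for v, c in pairs if v == ui]
        if "authentication-mode aaa" not in cmds:     # Step 1 of both procedures
            findings.append(f"{ui}: authentication-mode is not aaa")
        protos = [c for c in cmds if c.startswith("protocol inbound")]
        if ui.startswith("user-interface vty") and protos and protos[-1] != "protocol inbound ssh":
            findings.append(f"{ui}: '{protos[-1]}' should be 'protocol inbound ssh'")
    for view, cmd in pairs:
        m = re.match(r"local-user (\S+) (password|service-type) (.*)", cmd)
        if view != "aaa" or not m:
            continue
        user, kind, rest = m.groups()
        if kind == "password" and not rest.startswith("irreversible-cipher"):
            findings.append(f"local-user {user}: password is not stored as irreversible-cipher")
        if kind == "service-type" and "telnet" in rest.split():
            findings.append(f"local-user {user}: service-type includes telnet")
    return findings
```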

7.2.3 Example for Configuring Access Device Security


As the border of the campus network, access devices need to prevent
unauthorized users and terminals from accessing the network. In addition, the
access devices need to control Layer 2 traffic forwarding.
Table 7-2 describes the security policy deployment suggestions for access devices.
You can configure functions based on service requirements.
Configuration Examples
● Configure traffic suppression.
<HUAWEI> system-view
[HUAWEI] suppression mode by-bits //Configure the global traffic suppression mode.
[HUAWEI] interface gigabitethernet 0/0/1


[HUAWEI-GigabitEthernet0/0/1] broadcast-suppression cir 1000 //Configure suppression of broadcast traffic in the inbound direction of the interface.
[HUAWEI-GigabitEthernet0/0/1] multicast-suppression cir 1000 //Configure suppression of unknown multicast traffic in the inbound direction of the interface.
[HUAWEI-GigabitEthernet0/0/1] unicast-suppression cir 1000 //Configure suppression of unknown unicast traffic in the inbound direction of the interface.
[HUAWEI-GigabitEthernet0/0/1] broadcast-suppression block outbound //Block outgoing broadcast traffic on the interface.
[HUAWEI-GigabitEthernet0/0/1] multicast-suppression block outbound //Block outgoing multicast traffic on the interface.
[HUAWEI-GigabitEthernet0/0/1] unicast-suppression block outbound //Block outgoing unicast traffic on the interface.

● Configure storm control.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] storm-control broadcast min-rate 1000 max-rate 2000 //Configure storm control for broadcast packets.
[HUAWEI-GigabitEthernet0/0/1] storm-control multicast min-rate 1000 max-rate 2000 //Configure storm control for unknown multicast packets.
[HUAWEI-GigabitEthernet0/0/1] storm-control unicast min-rate 1000 max-rate 2000 //Configure storm control for unknown unicast packets.
[HUAWEI-GigabitEthernet0/0/1] storm-control action block //Configure the action for storm control.
[HUAWEI-GigabitEthernet0/0/1] storm-control enable log //Configure the system to record logs during storm control.
[HUAWEI-GigabitEthernet0/0/1] storm-control interval 90 //Configure the interval for detecting storms.

● Configure DHCP snooping.


<HUAWEI> system-view
[HUAWEI] dhcp enable //Enable DHCP.
[HUAWEI] dhcp snooping enable //Enable DHCP snooping globally.
[HUAWEI] interface gigabitethernet 0/0/1 //Access the user-side interface.
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable //Enable DHCP snooping.
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2 //Access the interface directly or indirectly connected to the DHCP server.
[HUAWEI-GigabitEthernet0/0/2] dhcp snooping trusted //Configure the interface as a trusted interface.

● Configure IPSG.
# Configure IPSG against static binding entries.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //Create a static binding entry.
[HUAWEI] user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002 //Create a static binding entry.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable //Enable the alarm function of IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100 //Set the alarm threshold for IP packet check.

# Configure IPSG against dynamic DHCP snooping binding entries. Before the
configuration, you need to configure DHCP snooping and generate dynamic
DHCP snooping binding entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable //Enable the alarm function of IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100 //Set the alarm threshold for IP packet check.

● Configure ND snooping.


<HUAWEI> system-view
[HUAWEI] nd snooping enable //Enable ND snooping globally.
[HUAWEI] interface gigabitethernet 0/0/1 //Access the user-side interface.
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable //Enable ND snooping.
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2 //Access the interface directly or indirectly connected to the gateway.
[HUAWEI-GigabitEthernet0/0/2] nd snooping trusted //Configure the interface as a trusted interface.

● Configure DAI.
Before the configuration, you need to configure DHCP snooping and generate
dynamic DHCP snooping binding entries or manually configure static DHCP
snooping binding entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable //Enable DAI.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind check-item ip-address //Configure the device to check only IP addresses in ARP packets based on binding entries.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable //Enable the alarm function for ARP packets discarded by DAI.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm threshold 100 //Set the alarm threshold for ARP packets discarded by DAI.
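The checks that the DHCP snooping, IPSG and DAI commands above turn on, as one added example that is not code from the Huawei document: a Python model of the binding table, of how DHCP snooping populates it only from trusted interfaces, and of the per-interface IP and ARP checks with their alarm threshold. Interface names, addresses and packets are constructed.

```python
"""Model of the binding table shared by DHCP snooping, IPSG and DAI.

Added example, not code from the Huawei document. It shows what the commands
enforce: 'user-bind static' adds static entries, DHCP snooping learns dynamic
entries only from DHCP ACKs arriving on a 'dhcp snooping trusted' interface,
'ip source check user-bind enable' drops IP packets whose source does not
match an entry for the ingress interface, 'arp anti-attack check user-bind
check-item ip-address' checks only the sender IP of ARP packets, and
'alarm threshold' raises an alarm once that many packets were dropped.
Interface names, MAC/IP values and packets below are constructed test data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str  # user-side interface the host is bound to


class BindingTable:
    def __init__(self) -> None:
        self.entries: Set[Binding] = set()
        self.trusted: Set[str] = set()  # 'dhcp snooping trusted' interfaces

    def add_static(self, ip: str, mac: str, interface: str) -> None:
        """Equivalent of 'user-bind static ip-address ... mac-address ...'."""
        self.entries.add(Binding(ip, mac, interface))

    def learn_from_dhcp_ack(self, ingress: str, client_mac: str,
                            offered_ip: str, client_port: str) -> bool:
        """Create a dynamic entry from a DHCP ACK. ACKs seen on an untrusted
        interface are ignored, so a DHCP server that is not behind a trusted
        port cannot plant bindings (or serve clients)."""
        if ingress not in self.trusted:
            return False
        self.entries.add(Binding(offered_ip, client_mac, client_port))
        return True


class PortGuard:
    """IPSG and DAI checks on one user-side interface."""

    def __init__(self, table: BindingTable, interface: str,
                 alarm_threshold: int = 100,
                 dai_check_items: Tuple[str, ...] = ("ip-address",)) -> None:
        self.table = table
        self.interface = interface
        self.alarm_threshold = alarm_threshold
        self.dai_check_items = dai_check_items
        self.dropped = {"ip": 0, "arp": 0}
        self.alarms: List[str] = []

    def _match(self, ip: Optional[str], mac: Optional[str]) -> bool:
        # A binding matches when every checked field agrees and the entry
        # belongs to this interface; a field given as None is not checked.
        return any(e.interface == self.interface
                   and (ip is None or e.ip == ip)
                   and (mac is None or e.mac == mac)
                   for e in self.table.entries)

    def ip_packet(self, src_ip: str, src_mac: str) -> bool:
        """IPSG: forward only if (source IP, source MAC, interface) is bound."""
        ok = self._match(src_ip, src_mac)
        if not ok:
            self._drop("ip")
        return ok

    def arp_packet(self, sender_ip: str, sender_mac: str) -> bool:
        """DAI: check only the configured check-items of the ARP sender."""
        ip = sender_ip if "ip-address" in self.dai_check_items else None
        mac = sender_mac if "mac-address" in self.dai_check_items else None
        ok = self._match(ip, mac)
        if not ok:
            self._drop("arp")
        return ok

    def _drop(self, kind: str) -> None:
        self.dropped[kind] += 1
        # 'alarm threshold N': one alarm when the drop count reaches N.
        if self.dropped[kind] == self.alarm_threshold:
            self.alarms.append(
                f"{self.interface}: {kind} packets discarded by binding check "
                f"reached threshold {self.alarm_threshold}")


if __name__ == "__main__":
    table = BindingTable()
    table.trusted.add("GE0/0/2")                     # towards the DHCP server
    table.add_static("10.0.0.1", "0001-0001-0001", "GE0/0/1")
    table.learn_from_dhcp_ack("GE0/0/2", "0003-0003-0003", "10.0.0.20", "GE0/0/1")
    guard = PortGuard(table, "GE0/0/1", alarm_threshold=3)
    print(guard.ip_packet("10.0.0.1", "0001-0001-0001"))   # matches static entry
    print(guard.ip_packet("10.0.0.1", "0009-0009-0009"))   # MAC does not match
    print(guard.arp_packet("10.0.0.1", "0009-0009-0009"))  # only the IP is checked
```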

● Configure port security.


# If access users frequently change locations, you can configure port security
to change dynamic MAC addresses to secure dynamic MAC addresses. This
ensures that bound MAC address entries are deleted immediately after users
change locations.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for port security protection.
[HUAWEI-GigabitEthernet0/0/1] port-security aging-time 100 //Set the aging time of secure dynamic MAC addresses on the interface.

# If access users seldom change locations, you can configure port security to
change dynamic MAC addresses to sticky MAC addresses. This ensures that
bound MAC address entries are not lost after a device resets.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky //Enable the sticky MAC function on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for port security protection.

# If there are only a few access users and they seldom change locations, you
can configure secure static MAC addresses.
<HUAWEI> system-view
[HUAWEI] port-security static-flapping protect //Enable static MAC address flapping detection.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for port security protection.

● Configure port isolation.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable //Enable port isolation.

7.2.4 Example for Configuring Core Device Security


Core devices are located at the key position of the network, and the security of
the core devices is critical. When a core device is configured as a centralized
authentication point, the CPU performance must meet requirements of processing
protocol packets when a large number of users access the network. When a core
device is configured as a gateway, ARP security must be considered.

Table 7-4 describes the security policy deployment suggestions for core devices.
You can configure functions based on service requirements.

Configuration Examples

● Configure CPU attack defense.


<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy test //Create an attack defense policy and enter the attack defense policy view.
[HUAWEI-cpu-defend-policy-test] car packet-type http cir 120 //Set the CPCAR value for packets when no protocol connection is established.
[HUAWEI-cpu-defend-policy-test] linkup-car packet-type http cir 120 //Set the CPCAR value for packets of a specified protocol upon the establishment of the protocol connection.
[HUAWEI-cpu-defend-policy-test] deny packet-type icmp //Set the action for packets sent to the CPU to deny.
[HUAWEI-cpu-defend-policy-test] blacklist 1 acl 2001 //Configure the blacklist for CPU attack defense.
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend application-apperceive enable //Enable dynamic link protection globally.
[HUAWEI] cpu-defend application-apperceive http enable //Enable dynamic link protection for protocol packets.

● Configure attack source tracing.


<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy test //Create an attack defense policy and enter the attack defense policy view.
[HUAWEI-cpu-defend-policy-test] auto-defend enable //Enable attack source tracing.
[HUAWEI-cpu-defend-policy-test] auto-defend alarm enable //Enable the event reporting function for attack source tracing.
[HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2001 //Configure a whitelist for attack source tracing.
[HUAWEI-cpu-defend-policy-test] auto-defend action deny //Enable the punishment function of attack source tracing and specify the punishment action for attack packets.

● Configure port attack defense.


<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy test //Create an attack defense policy and enter the attack defense policy view.
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable //Enable port attack defense.
[HUAWEI-cpu-defend-policy-test] auto-port-defend alarm enable //Enable the function of reporting port attack defense events.
[HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2001 //Configure a whitelist for attack source tracing.

● Configure user-level rate limiting.


<HUAWEI> system-view
[HUAWEI] cpu-defend host-car enable //Enable user-level rate limiting.

● Configure rate limiting on ARP packets.


<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable //Enable rate limiting on ARP packets globally.
[HUAWEI] arp speed-limit source-mac 0001-0001-0001 maximum 20 //Set the maximum rate of ARP packets based on source MAC addresses.
[HUAWEI] arp speed-limit source-ip 10.1.1.1 maximum 20 //Set the maximum rate of ARP packets based on source IP addresses.

● Configure rate limiting on ARP Miss messages.


<HUAWEI> system-view
[HUAWEI] arp-miss anti-attack rate-limit enable //Enable rate limiting on ARP Miss messages globally.
[HUAWEI] arp-miss speed-limit source-mac 0001-0001-0001 maximum 20 //Set the maximum rate of ARP Miss messages based on source MAC addresses.
[HUAWEI] arp-miss speed-limit source-ip 10.1.1.1 maximum 20 //Set the maximum rate of ARP Miss messages based on source IP addresses.

● Configure the aging time of temporary ARP entries.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-fake expire-time 3 //Set the aging time of temporary ARP entries.

● Configure the device not to send ARP packets destined for other devices to
the CPU.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp optimized-passby enable //Configure the device not to send ARP packets destined for other devices to the CPU.

● Configure optimized ARP reply.


<HUAWEI> system-view
[HUAWEI] arp optimized-reply disable //Disable optimized ARP reply.

● Configure strict ARP learning.


<HUAWEI> system-view
[HUAWEI] arp learning strict //Enable strict ARP learning globally.
[HUAWEI] quit

● Configure ARP entry limiting.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit maximum 20 //Configure the maximum number of dynamic ARP entries that the interface can learn.

● Disable ARP learning on an interface.


<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning disable //Disable the interface from learning dynamic ARP entries.

● Configure ARP entry fixing.


<HUAWEI> system-view
[HUAWEI] arp anti-attack entry-check fixed-mac enable //Enable ARP entry fixing globally.

● Configure ARP gateway anti-collision.


<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable //Enable ARP gateway anti-collision.

● Configure ARP gateway protection.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp trust source 10.1.1.1 //Enable ARP gateway protection.

● Configure gratuitous ARP packet sending.


<HUAWEI> system-view
[HUAWEI] arp gratuitous-arp send enable //Enable the device to send gratuitous ARP packets.
[HUAWEI] arp gratuitous-arp send interval 60 //Set the interval for sending gratuitous ARP packets.

● Configure MAC address consistency check in an ARP packet.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp validate source-mac destination-mac //Enable MAC address consistency check in an ARP packet.

● Configure ARP packet validity check.


<HUAWEI> system-view
[HUAWEI] arp anti-attack packet-check ip dst-mac sender-mac //Enable ARP packet validity check.

● Configure ARP learning triggered by DHCP.


<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning dhcp-trigger //Enable ARP learning triggered by DHCP.

7.2.5 Example for Configuring Wireless Service Security


Intrusion devices and attack users can be detected and contained to ensure the
border security of wireless networks. In addition, the validity and security of user
access need to be authenticated to ensure the security of user wireless service
data.

Table 7-5 describes the security policy deployment suggestions for wireless
services. You can configure functions based on service requirements.

Configuration Examples

● Configure WIDS and WIPS functions.


# Configure device detection and containment.
<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] radio 0
[Huawei-wlan-radio-0/0] wids device detect enable //Enable device detection.
[Huawei-wlan-radio-0/0] wids contain enable //Enable device containment.
[Huawei-wlan-radio-0/0] quit
[Huawei-wlan-ap-0] quit
[Huawei-wlan-view] wids-profile name wlan-wids //Create a WIDS profile.
[Huawei-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap //Set the containment mode against rogue or interference devices.
[Huawei-wlan-wids-prof-wlan-wids] quit
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] wids-profile wlan-wids //Bind a WIDS profile to an AP.

# Configure attack detection and dynamic blacklist functions.


<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] radio 0
[Huawei-wlan-radio-0/0] wids attack detect enable all //Enable attack detection.
[Huawei-wlan-radio-0/0] quit
[Huawei-wlan-ap-0] quit
[Huawei-wlan-view] wids-profile name wlan-wids //Create a WIDS profile.
[Huawei-wlan-wids-prof-wlan-wids] dynamic-blacklist enable //Enable the dynamic blacklist function.
[Huawei-wlan-wids-prof-wlan-wids] quit
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] wids-profile wlan-wids //Bind a WIDS profile to an AP.


● Configure security policies.


WLAN security policies are configured in security profiles, and only one
security policy can be configured in a security profile. You can create multiple
security profiles with different security policies and apply the profiles to
different VAPs as required. The following uses WPA2-PSK-AES as an example.
<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] security-profile name wlan-security //Create a security profile.
[HUAWEI-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //Set the security policy to WPA2-PSK-AES.
[HUAWEI-wlan-sec-prof-wlan-security] quit
[Huawei-wlan-view] vap-profile name vap1 //Create a VAP profile.
[HUAWEI-wlan-vap-prof-vap1] security-profile wlan-security //Bind a security profile to a VAP profile.

● Configure STA blacklist and whitelist.


<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] sta-whitelist-profile name sta-whitelist //Create a STA whitelist profile.
[Huawei-wlan-whitelist-prof-sta-whitelist] sta-mac 0001-0001-0001 //Add the MAC address of a STA to the whitelist.
[Huawei-wlan-whitelist-prof-sta-whitelist] quit
[Huawei-wlan-view] sta-blacklist-profile name sta-blacklist //Create a STA blacklist profile.
[Huawei-wlan-blacklist-prof-sta-blacklist] sta-mac 0002-0002-0002 //Add the MAC address of a STA to the blacklist.

● Configure user isolation on a VAP.


<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] traffic-profile name traff1 //Create a traffic profile.
[HUAWEI-wlan-traffic-prof-traff1] user-isolate l2 //Configure user isolation.
Warning: Enabling user isolation may interrupt services. Are you sure you want to continue? [Y/N]:y
[HUAWEI-wlan-traffic-prof-traff1] quit
[Huawei-wlan-view] vap-profile name vap1 //Create a VAP profile.
[HUAWEI-wlan-vap-prof-vap1] traffic-profile traff1 //Bind a traffic profile to a VAP profile.

● Configure port isolation.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable //Configure port isolation.

7.3 Campus Egress Security


This section uses a typical campus network as an example to describe how to
deploy campus egress security. The service security requirements are as follows:
● Internal network users can access Internet resources, but only education/
science and search/portal websites.
● To prevent information leaks, employees are not allowed to upload common
documents, R&D files (such as C, CPP, and JAVA files), and compressed files to
the Internet.
● To reduce the risk of viruses being transferred to the internal network, employees
are not allowed to download executable files from the Internet.
● To ensure work efficiency, employees are not allowed to download videos
from the Internet.
● To prevent disclosure of confidential information and transmission of
prohibited information, filter the files uploaded, emails sent, posts and
microblogs published, and web pages and content searched by internal network users.


● External network users can access the HTTP server on the internal network.
To ensure the proper running of the server, defend against SYN flood, UDP
flood, and HTTP flood attacks.
● To prevent viruses from being introduced by emails, perform antivirus
detection on emails transferred over HTTP and POP3.
● Defend against attacks such as worms, Trojan horses, and botnets.
● To ensure normal services, limit P2P and online video traffic to 30
Mbit/s at all times. To better control P2P and online video traffic, limit the
connections of related applications to 10,000. To ensure the proper
running of email and ERP applications, guarantee a minimum of 60 Mbit/s of
bandwidth for such traffic.
● Record employees' online behaviors to implement more refined security policy
control.

Figure 7-1 Networking diagram of campus egress security
[Figure not reproduced. It shows two egress firewalls, FWA and FWB, each with GE1/0/0 facing the Internet, an HSB (hot standby) link between their GE1/0/3 interfaces, and GE1/0/1 plus GE1/0/2 bundled into Eth-Trunk 1 toward the core. The core layer is a CSS (CORE) that terminates these links on Eth-Trunk 10 (GE1/1/1/0, GE2/1/1/1) and Eth-Trunk 20 (GE2/1/1/0, GE1/1/1/1), connects the HTTP server on GE1/1/0/10, and links to the aggregation layer (AGG) over Eth-Trunk 30 (GE1/2/0/0 and GE2/2/0/0 on CORE; GE1/0/1 and GE2/0/1 on AGG).]

Device Requirements and Versions

Location           Device Requirement   Device Used in This Example   Version Used in This Example
Egress             -                    USG6650                       V500R001C30
Core layer         -                    S7706                         V200R010C00
Aggregation layer  -                    S5720-EI                      V200R011C00

Deployment Roadmap

Step  Deployment Roadmap                                                        Devices Involved
1     Configure security zones and security policies to ensure that internal    Egress firewall
      network users can access Internet resources and external network users
      can access the HTTP server.
2     Configure the filtering functions.                                        Egress firewall
      ● URL filtering: Allows users to access only education/science and
        search/portal websites.
      ● File filtering: Prevents employees from uploading common documents,
        R&D files (such as C, CPP, and JAVA files), and compressed files to
        the Internet as well as downloading executable files and video files
        from the Internet.
      ● Data filtering: Prevents disclosure of confidential information and
        transmission of prohibited information.
3     Configure antivirus and intrusion prevention to prevent viruses from      Egress firewall
      being introduced by emails and defend against attacks such as worms,
      Trojan horses, and botnets.
4     Configure DDoS attack defense to defend against SYN flood, UDP flood,     Egress firewall
      and HTTP flood attacks.
5     Configure traffic policies to ensure that applications such as email      Egress firewall
      and ERP work properly.
6     Configure online behavior audit and management and record employees'     Egress firewall
      online behaviors, implementing more refined security policy control.


Data Plan

Device       Interface           Member Interface       VLANIF     IP Address
FWA          GE1/0/0             -                      -          202.1.1.1/24
             GE1/0/3             -                      -          10.4.0.1/24
             Eth-Trunk 1         GE1/0/1, GE1/0/2       -          10.3.0.1/24
FWB          GE1/0/0             -                      -          202.1.1.2/24
             GE1/0/3             -                      -          10.4.0.2/24
             Eth-Trunk 1         GE1/0/1, GE1/0/2       -          10.3.0.2/24
CORE         GE1/1/0/10          -                      VLANIF 50  10.7.0.1/24
             Eth-Trunk 10        GE1/1/1/0, GE2/1/1/1   VLANIF 20  10.3.0.254/24
             Eth-Trunk 20        GE2/1/1/0, GE1/1/1/1   VLANIF 20  10.3.0.254/24
             Eth-Trunk 30        GE1/2/0/0, GE2/2/0/0   VLANIF 30  10.5.0.1/24
AGG          Eth-Trunk 30        GE1/0/1, GE2/0/1       -          -
HTTP server  Ethernet interface  -                      -          10.7.0.2/24

Procedure

This section mainly describes security configurations of firewalls. For details about other
configurations, see 4 Campus Egress Deployment.
To configure URL filtering, you need to activate the license and ensure that the license is
within the validity period.
Ensure that the content security package has been loaded before configuring file and data
filtering.
Assume that the user in this example already exists on the firewall, and the authentication
configuration is complete.

Step 1 Configure security zones and security policies.


1. Configure security zones.


The system has four security zones by default. If the default security zones do
not meet your service requirements, you can create security zones and define
their security levels. After creating a security zone, add interfaces to it. Then
all packets sent and received on the interfaces are considered in the security
zone. By default, an interface does not belong to any security zone and is
unable to communicate with interfaces in other security zones.
# Assign interfaces to security zones.
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone name untrust //Add the interface connected to the external network to the untrusted zone.
[FWA-zone-untrust] set priority 5
[FWA-zone-untrust] add interface gigabitethernet 1/0/0
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name untrust //Add the interface connected to the external network to the untrusted zone.
[FWB-zone-untrust] set priority 5
[FWB-zone-untrust] add interface gigabitethernet 1/0/0
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit

2. Configure security policies.


# After a hot standby group is successfully established between the active and
standby firewalls, the security policies configured on FWA will be
automatically backed up to FWB. For details about how to configure hot
backup, see 4.5 Deploying IPSec on Firewalls for Secure Communication
with the Headquarters.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust //Allow internal network users to access the Internet.
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust //Allow external network users to access the HTTP server.
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone untrust
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-address 10.7.0.0 24
HRP_M[FWA-policy-security-rule-untrust_to_trust] action permit


HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit

Step 2 Configure the filtering functions.


1. Configure URL filtering.
# Configure a URL filtering profile.
HRP_M[FWA] profile type url-filter name profile_url_research
HRP_M[FWA-profile-url-filter-profile_url_research] category user-defined action block
HRP_M[FWA-profile-url-filter-profile_url_research] category pre-defined action block
HRP_M[FWA-profile-url-filter-profile_url_research] category pre-defined category-id 15 action allow //Allow users to access search/portal websites.
HRP_M[FWA-profile-url-filter-profile_url_research] category pre-defined category-id 17 action allow //Allow users to access education/science websites.
HRP_M[FWA-profile-url-filter-profile_url_research] quit
# Configure a security policy.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_research
HRP_M[FWA-policy-security-rule-policy_sec_research] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_research] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_research] user user-group /default/priuser
HRP_M[FWA-policy-security-rule-policy_sec_research] action permit
HRP_M[FWA-policy-security-rule-policy_sec_research] profile url-filter profile_url_research
HRP_M[FWA-policy-security-rule-policy_sec_research] quit
# Commit the content security profile.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: URL submitted configurations successfully.
Info: Finish committing engine compiling.
2. Configure file filtering.
# Create profile profile_file_user1 to prevent users from uploading
documents, R&D files, and compressed files as well as downloading
executable, audio, and video files from the Internet.
HRP_M[FWA] profile type file-block name profile_file_user1
HRP_M[FWA-profile-file-block-profile_file_user1] rule name rule1
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] application all
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] file-type pre-defined name BZ2 Z 7ZIP JAR C CPP JAVA VBS
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] direction upload
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] action block
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] quit
HRP_M[FWA-profile-file-block-profile_file_user1] rule name rule2
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] application all
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE SYS MDI
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] file-type pre-defined name MOV MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] direction download
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] action block
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] quit
HRP_M[FWA-profile-file-block-profile_file_user1] quit
# Configure security policy policy_sec_user1 for traffic from the trusted zone
to the untrusted zone and reference profile profile_file_user1.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_user1
HRP_M[FWA-policy-security-rule-policy_sec_user1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_user1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_user1] user user-group /default/priuser
HRP_M[FWA-policy-security-rule-policy_sec_user1] profile file-block profile_file_user1


HRP_M[FWA-policy-security-rule-policy_sec_user1] action permit
HRP_M[FWA-policy-security-rule-policy_sec_user1] quit

# Commit the content security profile.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: DLP submitted configurations successfully.
Info: Finish committing engine compiling.
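The two rules of profile_file_user1 above, as an added example that is not code from the Huawei document: a Python model that identifies each transferred file's type from its content rather than its name and applies the rules by direction. The signature table is a constructed subset of the pre-defined types listed on the page, and the byte strings are constructed samples.

```python
"""Model of the file-block profile profile_file_user1 configured above.

Added example, not code from the Huawei document. It evaluates the profile's
two rules (rule1: block uploads of document, archive and source types; rule2:
block downloads of executable and media types) against transfers whose type is
identified from the file content, not from the file name, which is why
renaming an executable to .txt does not get it past the filter. The signature
table is a small constructed subset of the page's pre-defined types.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# (magic bytes at offset 0, pre-defined type name). Constructed subset.
SIGNATURES = [
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP"),      # also the container of DOCX/XLSX/PPTX/JAR
    (b"Rar!\x1a\x07", "RAR"),
    (b"\x1f\x8b", "GZIP"),
    (b"MZ", "EXE"),              # DOS stub that opens every PE file
    (b"\x7fELF", "ELF"),
    (b"ID3", "MP3"),
]


def identify(data: bytes) -> str:
    """Return the file type from content; MP4 carries 'ftyp' at offset 4."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    if data[4:8] == b"ftyp":
        return "MP4"
    return "UNKNOWN"


@dataclass(frozen=True)
class Rule:
    name: str
    file_types: FrozenSet[str]
    direction: str  # 'upload', 'download' or 'both'
    action: str     # 'block' here; the firewall also offers 'alert'/'allow'


def types(spec: str) -> FrozenSet[str]:
    return frozenset(spec.split())


# The profile exactly as configured on the page ('application all' in both rules).
PROFILE_FILE_USER1: List[Rule] = [
    Rule("rule1", types("DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP "
                        "ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB "
                        "BZ2 Z 7ZIP JAR C CPP JAVA VBS"), "upload", "block"),
    Rule("rule2", types("EXE MSI RPM OCX A ELF DLL PE SYS MDI "
                        "MOV MPEG AVI RMVB ASF SWF MP3 MP4 MIDI"),
         "download", "block"),
]


def evaluate(profile: List[Rule], direction: str,
             data: bytes) -> Tuple[str, Optional[str], str]:
    """Return (action, name of the matching rule or None, identified type).
    Rules are tried in order; the first whose direction and type both match
    wins, and a transfer that matches no rule is allowed."""
    ftype = identify(data)
    for rule in profile:
        if rule.direction in (direction, "both") and ftype in rule.file_types:
            return rule.action, rule.name, ftype
    return "allow", None, ftype


if __name__ == "__main__":
    # Constructed payloads: only the leading bytes matter for identification.
    samples = [
        ("upload", b"%PDF-1.7 constructed"),          # rule1 blocks
        ("download", b"%PDF-1.7 constructed"),        # no download rule for PDF
        ("download", b"MZ\x90\x00 saved as notes.txt"),  # rule2 blocks by content
        ("upload", b"MZ\x90\x00 constructed"),        # no upload rule for EXE
        ("download", b"\x00\x00\x00\x18ftypmp42"),    # rule2 blocks MP4
    ]
    for direction, data in samples:
        print(direction, evaluate(PROFILE_FILE_USER1, direction, data))
```

One consequence the model makes visible: the profile blocks executables only in the download direction, so an EXE upload matches neither rule and is allowed.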

3. Configure data filtering.


# Configure keyword group keyword1.
HRP_M[FWA] keyword-group name keyword1
HRP_M[FWA-keyword-group-keyword1] pre-defined-keyword name confidentiality weight 1
HRP_M[FWA-keyword-group-keyword1] user-defined-keyword name abc
HRP_M[FWA-keyword-group-keyword1-keyword-abc] expression match-mode text "abcd" //Define
keyword abcd.
HRP_M[FWA-keyword-group-keyword1-keyword-abc] weight 1
HRP_M[FWA-keyword-group-keyword1-keyword-abc] quit

# Create profile profile_data_research.
HRP_M[FWA] profile type data-filter name profile_data_research
HRP_M[FWA-profile-data-filter-profile_data_research] rule name rule1
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] keyword-group name keyword1
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] application all
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] file-type all
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] direction upload
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] action block
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] quit

# Configure security policy policy_sec_research and reference profile profile_data_research.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_research
HRP_M[FWA-policy-security-rule-policy_sec_research] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_research] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_research] user user-group /default/priuser
HRP_M[FWA-policy-security-rule-policy_sec_research] profile data-filter profile_data_research
HRP_M[FWA-policy-security-rule-policy_sec_research] action permit
HRP_M[FWA-policy-security-rule-policy_sec_research] quit

# Commit the content security profile.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: DLP submitted configurations successfully.
Info: Finish committing engine compiling.

Step 3 Configure antivirus and intrusion prevention.


1. Configure antivirus.
When an internal network user attempts to download virus-infected files
using HTTP, the download connection is blocked. When an internal network
user attempts to download a virus-infected mail using POP3, the attachments
in the mail are deleted.
# Configure an antivirus profile for HTTP and POP3.
HRP_M[FWA] profile type av name av_http_pop3
HRP_M[FWA-profile-av-av_http_pop3] http-detect direction download action block
HRP_M[FWA-profile-av-av_http_pop3] pop3-detect action delete-attachment
HRP_M[FWA-profile-av-av_http_pop3] exception application name Netease_Webmail
HRP_M[FWA-profile-av-av_http_pop3] exception av-signature-id 1000
HRP_M[FWA-profile-av-av_http_pop3] quit

# Configure a security policy for traffic from the internal network to the
external network (from the trusted zone to the untrusted zone).
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_av_1
HRP_M[FWA-policy-security-rule-policy_av_1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_av_1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_av_1] action permit
HRP_M[FWA-policy-security-rule-policy_av_1] profile av av_http_pop3
HRP_M[FWA-policy-security-rule-policy_av_1] quit

2. Configure intrusion prevention.


# Create intrusion prevention profile profile_ips_pc to protect internal
network users.
HRP_M[FWA] profile type ips name profile_ips_pc
HRP_M[FWA-profile-ips-profile_ips_pc] description profile for intranet users
HRP_M[FWA-profile-ips-profile_ips_pc] capture-packet enable
HRP_M[FWA-profile-ips-profile_ips_pc] signature-set name filter1
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] target client
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] severity high
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] protocol HTTP
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] quit
HRP_M[FWA-profile-ips-profile_ips_pc] quit

# Commit the configuration.


HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: DLP submitted configurations successfully.
Info: Finish committing engine compiling.

# Configure a security policy for traffic from the trusted zone to the untrusted
zone and reference intrusion prevention profile profile_ips_pc.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_1
HRP_M[FWA-policy-security-rule-policy_sec_1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_1] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-policy_sec_1] profile ips profile_ips_pc
HRP_M[FWA-policy-security-rule-policy_sec_1] action permit
HRP_M[FWA-policy-security-rule-policy_sec_1] quit

Step 4 Configure DDoS attack defense.

Servers often suffer from SYN flood, UDP flood, and HTTP flood attacks. To ensure
the normal running of the servers, enable the anti-DDoS function on the firewall
to defend against the three types of DDoS attacks.

# Configure anti-DDoS parameters.


HRP_M[FWA] interface GigabitEthernet1/0/0
HRP_M[FWA-GigabitEthernet1/0/0] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/0] quit
HRP_M[FWA] ddos-mode detect-clean

# Configure the threshold learning function.


HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply

# Enable the anti-DDoS function.


HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic

Step 5 Configure traffic policies.

# Configure a traffic profile for P2P and online video services.
HRP_M[FWA] traffic-policy
HRP_M[FWA-policy-traffic] profile profile_p2p
HRP_M[FWA-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole both 30000
HRP_M[FWA-policy-traffic-profile-profile_p2p] bandwidth connection-limit whole both 10000
HRP_M[FWA-policy-traffic-profile-profile_p2p] quit

# Configure a traffic policy for P2P and online video services.

The following example describes the bandwidth management configuration for BitTorrent
(BT) and YouTube services. You can specify other P2P services as required.
HRP_M[FWA-policy-traffic] rule name policy_p2p
HRP_M[FWA-policy-traffic-rule-policy_p2p] source-zone trust
HRP_M[FWA-policy-traffic-rule-policy_p2p] destination-zone untrust
HRP_M[FWA-policy-traffic-rule-policy_p2p] application app BT YouKu
HRP_M[FWA-policy-traffic-rule-policy_p2p] action qos profile profile_p2p
HRP_M[FWA-policy-traffic-rule-policy_p2p] quit

# Configure a traffic profile for email and ERP applications.


HRP_M[FWA-policy-traffic] profile profile_email
HRP_M[FWA-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole both 60000
HRP_M[FWA-policy-traffic-profile-profile_email] quit

# Configure a traffic policy for email and ERP applications.

The following example describes the bandwidth management configuration for Outlook
Web Access (OWA) and Lotus Notes. You can specify other applications as required.
HRP_M[FWA-policy-traffic] rule name policy_email
HRP_M[FWA-policy-traffic-rule-policy_email] source-zone trust
HRP_M[FWA-policy-traffic-rule-policy_email] destination-zone untrust
HRP_M[FWA-policy-traffic-rule-policy_email] application app LotusNotes OWA
HRP_M[FWA-policy-traffic-rule-policy_email] action qos profile profile_email
HRP_M[FWA-policy-traffic-rule-policy_email] quit

Step 6 Configure online behavior audit and management.


# Configure an audit profile to audit HTTP, FTP, and mail behaviors.
HRP_M[FWA] profile type audit name profile_audit_1
HRP_M[FWA-profile-audit-profile_audit_1] http-audit url all
HRP_M[FWA-profile-audit-profile_audit_1] http-audit url recorded-title
HRP_M[FWA-profile-audit-profile_audit_1] http-audit file direction download
HRP_M[FWA-profile-audit-profile_audit_1] ftp-audit file direction download
HRP_M[FWA-profile-audit-profile_audit_1] http-audit bbs-content
HRP_M[FWA-profile-audit-profile_audit_1] http-audit micro-blog
HRP_M[FWA-profile-audit-profile_audit_1] quit

# Configure an audit policy and reference the audit profile.


HRP_M[FWA] audit-policy
HRP_M[FWA-policy-audit] rule name policy_audit_1
HRP_M[FWA-policy-audit-rule-policy_audit_1] description Policy of auditing for priuser.
HRP_M[FWA-policy-audit-rule-policy_audit_1] source-zone trust
HRP_M[FWA-policy-audit-rule-policy_audit_1] destination-zone untrust
HRP_M[FWA-policy-audit-rule-policy_audit_1] user user-group /default/priuser
HRP_M[FWA-policy-audit-rule-policy_audit_1] action audit profile profile_audit_1
HRP_M[FWA-policy-audit-rule-policy_audit_1] quit

# Commit the configuration.


HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: Audit submitted configurations successfully.
Info: Finish committing engine compiling.

# Follow-up procedure
By viewing reports, audit logs, and user activity logs, you can see the online
behavior of employees and use it to implement more refined security policy control.

----End

Verifying the Deployment


● Internal network users can access education/science and search/portal
websites, but cannot access other websites.
● Internal network users cannot upload documents, compressed files, and code
files to the Internet, or download executable files and video files from the
Internet.
● When an internal network user sends confidential information to the Internet
or browses or searches for content that contains violation information, the
content is blocked.
● When an internal network user attempts to download virus-infected files
using HTTP, the download connection is blocked.
● When an internal network user attempts to download a virus-infected mail
using POP3, the attachments in the mail are deleted.
● The system blocks attacks such as worms, Trojan horses, and botnets.
● External network users can access the HTTP server on the internal network.
When the server receives SYN flood, UDP flood, or HTTP flood attacks, the
attacks are blocked.

Configuration Files
● FWA configuration file
#
sysname FWA
#
interface GigabitEthernet1/0/0
anti-ddos flow-statistic enable
#
keyword-group name keyword1
pre-defined-keyword name confidentiality weight 1
user-defined-keyword name abc
expression match-mode text "abcd"
weight 1
#
profile type audit name profile_audit_1
description Profile of auditing for research.
http-audit url all
http-audit url recorded-title
http-audit bbs-content
http-audit micro-blog
http-audit file direction download
ftp-audit file direction download
profile type av name av_http_pop3
http-detect direction download
pop3-detect action delete-attachment
exception application name Netease_WebMail action allow
exception av-signature-id 1000
profile type data-filter name profile_data_research
rule name rule1
keyword-group name keyword1
file-type all
application all
direction upload
action block
profile type file-block name profile_file_user1
rule name rule1
file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
file-type pre-defined name BZ2 C CPP JAVA
application all
direction upload
action block
rule name rule2
file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE MDI MOV
file-type pre-defined name MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
application all
direction download
action block
profile type ips name profile_ips_pc
description profile for intranet users
collect-attack-evidence enable
signature-set name filter1
target client
severity high
protocol HTTP
#
profile type url-filter name profile_url_research
category pre-defined subcategory-id 101 action block
category pre-defined subcategory-id 102 action block
category pre-defined subcategory-id 162 action block
category pre-defined subcategory-id 163 action block
category pre-defined subcategory-id 164 action block
category pre-defined subcategory-id 165 action block
category pre-defined subcategory-id 103 action block
category pre-defined subcategory-id 166 action block
category pre-defined subcategory-id 167 action block
category pre-defined subcategory-id 168 action block
category pre-defined subcategory-id 104 action block
category pre-defined subcategory-id 169 action block
category pre-defined subcategory-id 170 action block
category pre-defined subcategory-id 105 action block
category pre-defined subcategory-id 171 action block
category pre-defined subcategory-id 172 action block
category pre-defined subcategory-id 173 action block
category pre-defined subcategory-id 174 action block
category pre-defined subcategory-id 106 action block
category pre-defined subcategory-id 108 action block
category pre-defined subcategory-id 177 action block
category pre-defined subcategory-id 251 action block
category pre-defined subcategory-id 109 action block
category pre-defined subcategory-id 110 action block
category pre-defined subcategory-id 111 action block
category pre-defined subcategory-id 112 action block
category pre-defined subcategory-id 114 action block
category pre-defined subcategory-id 115 action block
category pre-defined subcategory-id 117 action block
category pre-defined subcategory-id 178 action block
category pre-defined subcategory-id 179 action block
category pre-defined subcategory-id 180 action block
category pre-defined subcategory-id 181 action block
category pre-defined subcategory-id 248 action block
category pre-defined subcategory-id 118 action block
category pre-defined subcategory-id 119 action block
category pre-defined subcategory-id 122 action block
category pre-defined subcategory-id 182 action block
category pre-defined subcategory-id 183 action block
category pre-defined subcategory-id 184 action block
category pre-defined subcategory-id 123 action block
category pre-defined subcategory-id 124 action block
category pre-defined subcategory-id 186 action block
category pre-defined subcategory-id 187 action block
category pre-defined subcategory-id 188 action block
category pre-defined subcategory-id 189 action block
category pre-defined subcategory-id 125 action block
category pre-defined subcategory-id 127 action block
category pre-defined subcategory-id 128 action block
category pre-defined subcategory-id 130 action block
category pre-defined subcategory-id 131 action block
category pre-defined subcategory-id 132 action block
category pre-defined subcategory-id 197 action block
category pre-defined subcategory-id 198 action block
category pre-defined subcategory-id 199 action block
category pre-defined subcategory-id 200 action block
category pre-defined subcategory-id 227 action block
category pre-defined subcategory-id 228 action block
category pre-defined subcategory-id 133 action block
category pre-defined subcategory-id 201 action block
category pre-defined subcategory-id 202 action block
category pre-defined subcategory-id 204 action block
category pre-defined subcategory-id 205 action block
category pre-defined subcategory-id 134 action block
category pre-defined subcategory-id 135 action block
category pre-defined subcategory-id 136 action block
category pre-defined subcategory-id 137 action block
category pre-defined subcategory-id 138 action block
category pre-defined subcategory-id 139 action block
category pre-defined subcategory-id 140 action block
category pre-defined subcategory-id 141 action block
category pre-defined subcategory-id 206 action block
category pre-defined subcategory-id 207 action block
category pre-defined subcategory-id 208 action block
category pre-defined subcategory-id 209 action block
category pre-defined subcategory-id 210 action block
category pre-defined subcategory-id 229 action block
category pre-defined subcategory-id 142 action block
category pre-defined subcategory-id 143 action block
category pre-defined subcategory-id 144 action block
category pre-defined subcategory-id 145 action block
category pre-defined subcategory-id 146 action block
category pre-defined subcategory-id 147 action block
category pre-defined subcategory-id 211 action block
category pre-defined subcategory-id 212 action block
category pre-defined subcategory-id 213 action block
category pre-defined subcategory-id 240 action block
category pre-defined subcategory-id 253 action block
category pre-defined subcategory-id 149 action block
category pre-defined subcategory-id 150 action block
category pre-defined subcategory-id 214 action block
category pre-defined subcategory-id 215 action block
category pre-defined subcategory-id 216 action block
category pre-defined subcategory-id 217 action block
category pre-defined subcategory-id 151 action block
category pre-defined subcategory-id 218 action block
category pre-defined subcategory-id 219 action block
category pre-defined subcategory-id 220 action block
category pre-defined subcategory-id 221 action block
category pre-defined subcategory-id 222 action block
category pre-defined subcategory-id 223 action block
category pre-defined subcategory-id 230 action block
category pre-defined subcategory-id 252 action block
category pre-defined subcategory-id 152 action block
category pre-defined subcategory-id 153 action block
category pre-defined subcategory-id 238 action block
category pre-defined subcategory-id 154 action block
category pre-defined subcategory-id 155 action block
category pre-defined subcategory-id 224 action block
category pre-defined subcategory-id 225 action block
category pre-defined subcategory-id 156 action block
category pre-defined subcategory-id 157 action block
category pre-defined subcategory-id 158 action block
category pre-defined subcategory-id 231 action block
category pre-defined subcategory-id 232 action block
category pre-defined subcategory-id 159 action block
category pre-defined subcategory-id 254 action block
category pre-defined subcategory-id 160 action block
category pre-defined subcategory-id 161 action block
category pre-defined subcategory-id 176 action block
category pre-defined subcategory-id 226 action block
category pre-defined subcategory-id 234 action block
category pre-defined subcategory-id 235 action block
category pre-defined subcategory-id 236 action block
category pre-defined subcategory-id 237 action block
category pre-defined subcategory-id 239 action block
category pre-defined subcategory-id 241 action block
category pre-defined subcategory-id 233 action block
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone name untrust
set priority 5
add interface GigabitEthernet1/0/0
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone untrust
destination-zone trust
destination-address 10.7.0.0 mask 255.255.255.0
action permit
rule name policy_av_1
source-zone trust
destination-zone untrust
profile av av_http_pop3
action permit
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
profile ips profile_ips_pc
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile url-filter profile_url_research
action permit
rule name policy_sec_user1
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile file-block profile_file_user1
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile data-filter profile_data_research
action permit
#
audit-policy
rule name policy_audit_1
description Policy of auditing for research.
source-zone trust
destination-zone untrust
user user-group /default/priuser
action audit profile profile_audit_1
#
traffic-policy
profile profile_p2p
bandwidth maximum-bandwidth whole both 30000
bandwidth connection-limit whole both 10000
profile profile_email
bandwidth guaranteed-bandwidth whole both 60000
rule name policy_p2p
source-zone trust
destination-zone untrust
application app BT
application app YouKu
action qos profile profile_p2p
rule name policy_email
source-zone trust
destination-zone untrust
application app LotusNotes
application app OWA
action qos profile profile_email
#
return

● FWB configuration file


#
sysname FWB
#
interface GigabitEthernet1/0/0
anti-ddos flow-statistic enable
#
keyword-group name keyword1
pre-defined-keyword name confidentiality weight 1
user-defined-keyword name abc
expression match-mode text "abcd"
weight 1
#
profile type audit name profile_audit_1
description Profile of auditing for research.
http-audit url all
http-audit url recorded-title
http-audit bbs-content
http-audit micro-blog
http-audit file direction download
ftp-audit file direction download
profile type av name av_http_pop3
http-detect direction download
pop3-detect action delete-attachment
exception application name Netease_WebMail action allow
exception av-signature-id 1000
profile type data-filter name profile_data_research
rule name rule1
keyword-group name keyword1
file-type all
application all
direction upload
action block
profile type file-block name profile_file_user1
rule name rule1
file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
file-type pre-defined name BZ2 C CPP JAVA
application all
direction upload
action block
rule name rule2
file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE MDI MOV
file-type pre-defined name MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
application all
direction download
action block
profile type ips name profile_ips_pc
description profile for intranet users
collect-attack-evidence enable
signature-set name filter1
target client
severity high
protocol HTTP
#
profile type url-filter name profile_url_research
category pre-defined subcategory-id 101 action block
category pre-defined subcategory-id 102 action block
category pre-defined subcategory-id 162 action block
category pre-defined subcategory-id 163 action block
category pre-defined subcategory-id 164 action block
category pre-defined subcategory-id 165 action block
category pre-defined subcategory-id 103 action block
category pre-defined subcategory-id 166 action block
category pre-defined subcategory-id 167 action block
category pre-defined subcategory-id 168 action block
category pre-defined subcategory-id 104 action block
category pre-defined subcategory-id 169 action block
category pre-defined subcategory-id 170 action block
category pre-defined subcategory-id 105 action block
category pre-defined subcategory-id 171 action block
category pre-defined subcategory-id 172 action block
category pre-defined subcategory-id 173 action block
category pre-defined subcategory-id 174 action block
category pre-defined subcategory-id 106 action block
category pre-defined subcategory-id 108 action block
category pre-defined subcategory-id 177 action block
category pre-defined subcategory-id 251 action block
category pre-defined subcategory-id 109 action block
category pre-defined subcategory-id 110 action block
category pre-defined subcategory-id 111 action block
category pre-defined subcategory-id 112 action block
category pre-defined subcategory-id 114 action block
category pre-defined subcategory-id 115 action block
category pre-defined subcategory-id 117 action block
category pre-defined subcategory-id 178 action block
category pre-defined subcategory-id 179 action block
category pre-defined subcategory-id 180 action block
category pre-defined subcategory-id 181 action block
category pre-defined subcategory-id 248 action block
category pre-defined subcategory-id 118 action block
category pre-defined subcategory-id 119 action block
category pre-defined subcategory-id 122 action block
category pre-defined subcategory-id 182 action block
category pre-defined subcategory-id 183 action block
category pre-defined subcategory-id 184 action block
category pre-defined subcategory-id 123 action block
category pre-defined subcategory-id 124 action block
category pre-defined subcategory-id 186 action block
category pre-defined subcategory-id 187 action block
category pre-defined subcategory-id 188 action block
category pre-defined subcategory-id 189 action block
category pre-defined subcategory-id 125 action block
category pre-defined subcategory-id 127 action block
category pre-defined subcategory-id 128 action block
category pre-defined subcategory-id 130 action block
category pre-defined subcategory-id 131 action block
category pre-defined subcategory-id 132 action block
category pre-defined subcategory-id 197 action block
category pre-defined subcategory-id 198 action block
category pre-defined subcategory-id 199 action block
category pre-defined subcategory-id 200 action block
category pre-defined subcategory-id 227 action block
category pre-defined subcategory-id 228 action block
category pre-defined subcategory-id 133 action block
category pre-defined subcategory-id 201 action block
category pre-defined subcategory-id 202 action block
category pre-defined subcategory-id 204 action block
category pre-defined subcategory-id 205 action block
category pre-defined subcategory-id 134 action block
category pre-defined subcategory-id 135 action block
category pre-defined subcategory-id 136 action block
category pre-defined subcategory-id 137 action block
category pre-defined subcategory-id 138 action block
category pre-defined subcategory-id 139 action block
category pre-defined subcategory-id 140 action block
category pre-defined subcategory-id 141 action block
category pre-defined subcategory-id 206 action block
category pre-defined subcategory-id 207 action block
category pre-defined subcategory-id 208 action block
category pre-defined subcategory-id 209 action block
category pre-defined subcategory-id 210 action block
category pre-defined subcategory-id 229 action block
category pre-defined subcategory-id 142 action block
category pre-defined subcategory-id 143 action block
category pre-defined subcategory-id 144 action block
category pre-defined subcategory-id 145 action block
category pre-defined subcategory-id 146 action block
category pre-defined subcategory-id 147 action block
category pre-defined subcategory-id 211 action block
category pre-defined subcategory-id 212 action block
category pre-defined subcategory-id 213 action block
category pre-defined subcategory-id 240 action block
category pre-defined subcategory-id 253 action block
category pre-defined subcategory-id 149 action block
category pre-defined subcategory-id 150 action block
category pre-defined subcategory-id 214 action block
category pre-defined subcategory-id 215 action block
category pre-defined subcategory-id 216 action block
category pre-defined subcategory-id 217 action block
category pre-defined subcategory-id 151 action block
category pre-defined subcategory-id 218 action block
category pre-defined subcategory-id 219 action block
category pre-defined subcategory-id 220 action block
category pre-defined subcategory-id 221 action block
category pre-defined subcategory-id 222 action block
category pre-defined subcategory-id 223 action block
category pre-defined subcategory-id 230 action block
category pre-defined subcategory-id 252 action block
category pre-defined subcategory-id 152 action block
category pre-defined subcategory-id 153 action block
category pre-defined subcategory-id 238 action block
category pre-defined subcategory-id 154 action block
category pre-defined subcategory-id 155 action block
category pre-defined subcategory-id 224 action block
category pre-defined subcategory-id 225 action block
category pre-defined subcategory-id 156 action block
category pre-defined subcategory-id 157 action block
category pre-defined subcategory-id 158 action block
category pre-defined subcategory-id 231 action block
category pre-defined subcategory-id 232 action block
category pre-defined subcategory-id 159 action block
category pre-defined subcategory-id 254 action block
category pre-defined subcategory-id 160 action block
category pre-defined subcategory-id 161 action block
category pre-defined subcategory-id 176 action block
category pre-defined subcategory-id 226 action block
category pre-defined subcategory-id 234 action block
category pre-defined subcategory-id 235 action block
category pre-defined subcategory-id 236 action block
category pre-defined subcategory-id 237 action block
category pre-defined subcategory-id 239 action block
category pre-defined subcategory-id 241 action block
category pre-defined subcategory-id 233 action block
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone name untrust
set priority 5
add interface GigabitEthernet1/0/0
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone untrust
destination-zone trust
destination-address 10.7.0.0 mask 255.255.255.0
action permit
rule name policy_av_1
source-zone trust
destination-zone untrust
profile av av_http_pop3
action permit
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
profile ips profile_ips_pc
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile url-filter profile_url_research
action permit
rule name policy_sec_user1
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile file-block profile_file_user1
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile data-filter profile_data_research
action permit
#
audit-policy
rule name policy_audit_1
description Policy of auditing for research.
source-zone trust
destination-zone untrust
user user-group /default/priuser
action audit profile profile_audit_1
#
traffic-policy
profile profile_p2p
bandwidth maximum-bandwidth whole both 30000
bandwidth connection-limit whole both 10000
profile profile_email
bandwidth guaranteed-bandwidth whole both 60000
rule name policy_p2p
source-zone trust
destination-zone untrust
application app BT
application app YouKu
action qos profile profile_p2p
rule name policy_email
source-zone trust
destination-zone untrust
application app LotusNotes
application app OWA
action qos profile profile_email
#
return
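Security policies on the USG are matched from top to bottom and only the first matching rule is applied, so a rule that references a content security profile takes no effect when a broader permit rule for the same traffic sits above it. The following Python script is an added example, not part of this Huawei document: it parses a security-policy block in the configuration-file format shown above (the sample is a constructed excerpt of the FWA rules) and reports rules that an earlier rule always matches first; the function and class names are the example's own, not Huawei CLI.

```python
"""Reachability check for USG-style security-policy rules. Added example, not Huawei
code: assumes top-down evaluation where the first matching rule alone is applied."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: excerpt of the FWA security-policy block, configuration-file format.
SAMPLE_CONFIG = """\
security-policy
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name policy_av_1
source-zone trust
destination-zone untrust
profile av av_http_pop3
action permit
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
profile ips profile_ips_pc
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile url-filter profile_url_research
action permit
#
"""

@dataclass
class Rule:
    """Match conditions of one rule; an empty set or list means 'any'."""
    name: str
    source_zones: set = field(default_factory=set)
    destination_zones: set = field(default_factory=set)
    source_addresses: list = field(default_factory=list)
    destination_addresses: list = field(default_factory=list)
    users: set = field(default_factory=set)
    profiles: dict = field(default_factory=dict)  # profile type -> profile name

def parse_security_policy(text: str) -> list[Rule]:
    """Parse the 'security-policy' block up to its closing '#' line."""
    rules: list[Rule] = []
    lines = [line.strip() for line in text.splitlines()]
    start = lines.index("security-policy") + 1 if "security-policy" in lines else len(lines)
    for line in lines[start:]:
        if line in ("#", "return"):
            break
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["rule", "name"]:
            rules.append(Rule(name=tok[2]))
        elif not rules:
            continue                       # text before the first rule
        elif tok[0] == "source-zone":
            rules[-1].source_zones.add(tok[1])
        elif tok[0] == "destination-zone":
            rules[-1].destination_zones.add(tok[1])
        elif tok[0] in ("source-address", "destination-address"):
            # config file: "a.b.c.d mask m.m.m.m"; CLI: "a.b.c.d 24"
            mask = tok[3] if tok[2] == "mask" else tok[2]
            net = ipaddress.IPv4Network(f"{tok[1]}/{mask}", strict=False)
            (rules[-1].source_addresses if tok[0] == "source-address"
             else rules[-1].destination_addresses).append(net)
        elif tok[0] == "user":
            rules[-1].users.add(" ".join(tok[1:]))
        elif tok[0] == "profile":
            rules[-1].profiles[tok[1]] = tok[2]
        # action and description do not affect which rule is matched
    return rules

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow that matches `inner` also matches `outer`."""
    def sets(o, i): return not o or (bool(i) and i <= o)
    def nets(o, i): return not o or (bool(i) and all(any(n.subnet_of(x) for x in o) for n in i))
    return (sets(outer.source_zones, inner.source_zones)
            and sets(outer.destination_zones, inner.destination_zones)
            and nets(outer.source_addresses, inner.source_addresses)
            and nets(outer.destination_addresses, inner.destination_addresses)
            and sets(outer.users, inner.users))

def find_unreachable(rules: list[Rule]) -> list[tuple[str, str]]:
    """(rule, earliest rule that always matches instead) for each rule never reached."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found

if __name__ == "__main__":
    rules = parse_security_policy(SAMPLE_CONFIG)
    for name, winner in find_unreachable(rules):
        print(f"{name} is never reached: {winner} matches first, so its profiles are not applied")
```

Run against the sample, the check reports that policy_sec_1 is always preceded by trust_to_untrust and policy_sec_research by policy_av_1; moving the profile-bearing rules above the broader permit rules, or narrowing the broad rules, restores the intended inspection.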
