Huawei AR1200-S Series Enterprise Routers V200R002C00
Configuration Guide - Security
Issue Date: 2012-03-30
HUAWEI TECHNOLOGIES CO., LTD.
All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
About This Document

Intended Audience
This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the security feature supported by the AR1200-S. This document describes how to configure the security feature. This document is intended for:...
Changes in Issue 02 (2012-03-30)
Based on issue 01 (2011-12-30), the document is updated as follows. The following information is modified:
- 2.2 HTTPS Features Supported by the AR1200-S
- 13.3.5 Configuring key-string of a key-id
Issue 02 (2012-03-30) Huawei Proprietary and Confidential...
Contents (partial)

1.7.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting ... 31
2 HTTPS Configuration ... 35
2.1 HTTPS Overview ... 36
2.2 HTTPS Features Supported by the AR1200-S ... 36
2.3 Configuring the AR1200-S as an HTTPS Server ... 36
2.4 Configuration Examples ... 38
...
2.4.1 Example for Configuring the Router as an HTTPS Server ... 38
3 Firewall Configuration ... 42
3.1 Firewall Overview ... 44
3.2 Firewall Features Supported by the AR1200-S ... 44
3.3 Configuring Zones ... 50
3.3.1 Establishing the Configuration Task ... 50
3.3.2 Creating a Zone ... 51
3.3.3 Adding an Interface to the Zone ... 51
3.3.4 Creating an Interzone ... 52
...
3.14.2 Example for Configuring ASPF and Port Mapping ... 83
3.14.3 Example for Configuring the Blacklist ... 86
4 Traffic Suppression Configuration ... 90
4.1 Traffic Suppression Overview ... 91
4.2 Traffic Suppression Features Supported by the AR1200-S ... 91
4.3 Configuring Traffic Suppression ... 91
4.3.1 Establishing the Configuration Task ... 91
4.3.2 Configuring Traffic Suppression on an Interface ... 92
4.3.3 Checking the Configuration ... 93
...
5.3.13 (Optional) Configuring a Guest VLAN for 802.1x Authentication ... 109
5.3.14 (Optional) Configuring a Restrict VLAN for 802.1x Authentication ... 110
5.3.15 (Optional) Enabling the Handshake Function ... 111
5.3.16 (Optional) Setting the Maximum Number of Times the AR1200-S Sends Authentication Requests ... 111
5.3.17 Checking the Configuration ... 112
5.4 Configuring MAC Address Authentication ... 112
...
7.4 Configuring the AR1200-S to Discard Specified ICMP Packets ... 153
7.4.1 Establishing the Configuration Task ... 153
7.4.2 Configuring the AR1200-S to Discard the ICMP Packets with TTL Value of 1 ... 153
7.4.3 Configuring the AR1200-S to Discard the ICMP Packets with Options ... 154
7.4.4 Configuring the AR1200-S to Discard ICMP Destination-Unreachable Packets ... 154
7.4.5 Checking the Configuration ... 155
...
9.6.1 Example for Configuring an Attack Defense Policy ... 178
10 ACL Configuration ... 184
10.1 ACL Overview ... 185
10.2 ACL Features Supported by the AR1200-S ... 185
10.3 Configuring a Basic ACL ... 188
10.3.1 Establishing the Configuration Task ... 188
10.3.2 (Optional) Creating a Time Range for a Basic ACL ... 189
10.3.3 Creating a Basic ACL ... 189
...
11 SSL Configuration ... 217
11.1 SSL Overview ... 218
11.2 SSL Features Supported by the AR1200-S ... 220
11.3 Configuring a Server SSL Policy ... 220
11.4 Configuring a Client SSL Policy ... 222
11.5 Configuration Examples ... 224
11.5.1 Example for Configuring a Server SSL Policy ... 224
11.5.2 Example for Configuring a Client SSL Policy ... 227
...
14 Configuration of Attack Defense and Application Layer Association ... 280
14.1 Overview to Attack Defense and Application Layer Association ... 281
14.1.1 Overview of Attack Defense and Application Layer Association ... 281
14.1.2 Attack Defense and Application Layer Association Supported by AR1200-S ... 282
14.2 Configuring Abnormal Packet Attack Defense ... 283
14.2.1 Establishing the Configuration Task ... 283
14.2.2 Enabling Defense Against Abnormal Packet Attacks ... 284
...
14.5 Configuring Application Layer Association ... 289
14.5.1 Establishing the Configuration Task ... 289
14.5.2 Configuring Application Layer Association ... 290
14.6 Maintenance Attack Defense and Application Layer Association ... 291
14.6.1 Clearing Statistics of Attack Defense and Application Layer Association ... 291
14.7 Configuration Example ... 291
...
1 AAA Configuration

About This Chapter
The AAA-capable AR1200-S checks the validity of users and grants rights to authorized users to ensure network security.

1.1 AAA Overview
Authentication, Authorization, and Accounting (AAA) is a security technology.
AAA server (a RADIUS server or an HWTACACS server).

1.2 AAA Features Supported by the AR1200-S
The AR1200-S supports RADIUS and HWTACACS authentication, authorization, and accounting (AAA), and also local authentication and authorization.

RADIUS Authentication, Authorization, and Accounting
RADIUS uses the client/server model and protects a network from unauthorized access.
NOTE: In RADIUS authentication for an administrator, the AR1200-S checks whether the access type of the administrator is the same as that specified in the Access-Accept packet sent from the RADIUS server. If not, the administrator fails to be authenticated.
Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control. Figure 1-3 shows messages exchanged between a Telnet user, the AR1200-S, and the HWTACACS server.

Figure 1-3 HWTACACS authentication, authorization, and accounting...
The AR1200-S sends an authentication request packet to the HWTACACS server after receiving the request packet. The HWTACACS server sends an authentication response packet to request the user name. The AR1200-S sends a packet to request the user name after receiving the authentication response packet. The user enters the user name.
The FTP directory that the local user can access is configured. By default, the FTP directory of a local user is empty. When the AR1200-S functions as an FTP server, you must configure the FTP directory that FTP users can access. Otherwise, FTP users cannot access the AR1200-S.
- If a local user is in the active state, the AR1200-S accepts and processes the authentication request from the user.
- If a local user is in the blocking state, the AR1200-S rejects the authentication request from the user.
(Optional) Run: quit
Return to the AAA view.
(Optional) Run: domainname-parse-direction { left-to-right | right-to-left }
The direction in which the user name and domain name are parsed is configured.
A domain is created and the domain view is displayed. The AR1200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.
Step 4 Run: authentication-scheme authentication-scheme-name
An authentication scheme is applied to the domain.
Data
- Name of an authentication scheme
- Name of an accounting scheme
- Name of a RADIUS server template
- IP addresses and port numbers of the primary RADIUS authentication servers...
NOTE If multiple authentication modes are configured in an authentication scheme, authentication modes are used according to the sequence in which they were configured. The AR1200-S uses the authentication mode that was configured later only after the current authentication mode fails.
If multiple accounting modes are configured in an accounting scheme, accounting modes are used according to the sequence in which they were configured. The AR1200-S uses the accounting mode that was configured later only after the current accounting mode fails.
Step 9 (Optional) Run: radius-server user-name domain-included The AR1200-S is configured to encapsulate the domain name in the user name in RADIUS packets to be sent to a RADIUS server. By default, the AR1200-S encapsulates the domain name in the user name when sending RADIUS packets to a RADIUS server.
By default, the traffic unit is byte on the AR1200-S.
Step 11 (Optional) Run: radius-server { retransmit retry-times | timeout time-value }
The number of times RADIUS request packets are retransmitted and the timeout interval are set.
1.4.5 Checking the Configuration

Prerequisites
The RADIUS AAA configurations are complete.

Procedure
Run the display aaa configuration command to check the AAA summary.
Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
Accounting: records all the operations performed by a user and the service type, start time, and data traffic.
HWTACACS prevents unauthorized users from attacking a network and provides command line authorization.
If multiple authorization modes are configured in an authorization scheme, authorization modes are used in the sequence in which they were configured. The AR1200-S uses the authorization mode that was configured later only after the current authorization mode fails. The AR1200-S stops the authorization if the user fails to pass the authorization.
The system view is displayed.
Step 2 (Optional) Run: hwtacacs enable
HWTACACS is enabled.
Step 3 Run: hwtacacs-server template template-name
An HWTACACS server template is created and the HWTACACS server template view is displayed.
The AR1200-S is configured to encapsulate the source IP address in HWTACACS packets to be sent to an HWTACACS server. By default, the source IP address in HWTACACS packets is 0.0.0.0. The AR1200-S uses the IP address of the actual outbound VLANIF interface as the source IP address in HWTACACS packets.
A domain is created and the domain view is displayed. The AR1200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.
Step 4 Run: authentication-scheme authentication-scheme-name
An authentication scheme is applied to the domain. By default, the default authentication scheme is applied to a domain.
Step 5 (Optional) Run: authorization-scheme authorization-scheme-name
An authorization scheme is applied to the domain.
Prerequisites
The HWTACACS AAA configurations are complete.

Procedure
Run the display aaa configuration command to check the AAA summary.
Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
1-4, users access the network through RouterA and belong to the domain huawei. RouterB functions as the network access server of the destination network. Request packets from users need to traverse the network where RouterA and RouterB are located to reach the authentication server.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting scheme to the domain.
# Configure accounting scheme 1 and set the accounting method to RADIUS accounting.
[Huawei-aaa] accounting-scheme 1
[Huawei-aaa-accounting-1] accounting-mode radius
[Huawei-aaa-accounting-1] quit
Step 4 Configure a domain huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS server template shiva to the domain.
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] authentication-scheme 1...
  accounting-mode radius
 domain default
 domain default_admin
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
return

1.7.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting

Networking Requirements
As shown in...
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication, authorization, and accounting schemes to the domain.
# Set the interval of real-time accounting to 3 minutes.
[Huawei-aaa-accounting-hwtacacs] accounting realtime 3
[Huawei-aaa-accounting-hwtacacs] quit
Step 3 Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme HWTACACS, accounting scheme HWTACACS, and the HWTACACS server template ht to the domain.
2.2 HTTPS Features Supported by the AR1200-S
The AR1200-S supports the HTTPS server function.

2.3 Configuring the AR1200-S as an HTTPS Server
The HTTPS server function allows users to securely access the AR1200-S on web pages.

2.4 Configuration Examples
This section provides an HTTPS configuration example.
2.2 HTTPS Features Supported by the AR1200-S
The AR1200-S supports the HTTPS server function. An AR1200-S functions as an HTTPS server after the HTTPS server function is configured. The AR1200-S uses the SSL protocol's data encryption, identity authentication, and message integrity check mechanisms to protect the security of data transmitted between users and the AR1200-S.
Applicable Environment
When users access a remote AR1200-S functioning as an HTTP server, the following problems exist:
- Users cannot authenticate the AR1200-S.
- Privacy of data transmitted between users and the AR1200-S cannot be protected.
2.4 Configuration Examples
This section provides an HTTPS configuration example.

2.4.1 Example for Configuring the Router as an HTTPS Server
This section describes how to configure an HTTPS server to allow the administrator of an enterprise to remotely log in to a gateway.
- Router's interface connected to the Internet: Ethernet1/0/0
- IP address of Ethernet1/0/0: 2.1.1.1/24
- IP address of the CA: 3.1.1.1/24
- PKI parameters, as shown in the following table
Item Data...
mscep.dll ra
[Router-pki-realm-admin] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
[Router-pki-realm-admin] quit
# Enroll the certificate manually.
[Router] pki enroll-certificate admin
Info: Start certificate enrollment ...
Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
Server certificate load status loaded
Bind number
SSL connection number
-----------------------------------------------------------------------------
# Start the web browser on the host Admin and enter https://2.1.1.1:1278 in the address box. The web management system of the Router is displayed, and the administrator can securely access and manage the Router on web pages.
IP address scanning and port scanning defense on the attack defense module of the AR1200-S. When the AR1200-S detects that the connection rate of an IP address or a port exceeds the threshold, the AR1200-S considers that a scanning attack occurs, and adds the source IP address to the blacklist.
3.9 Configuring the Aging Time of the Firewall Session Table

3.10 Configuring the Attack Defense Function
The AR1200-S attack defense function prevents attacks on the CPU. It ensures that the server operates normally even when it is attacked.

3.11 Configuring Traffic Statistics and Monitoring
The AR1200-S supports traffic statistics and monitoring at the system level, zone level, and IP address level.
3.2 Firewall Features Supported by the AR1200-S
The firewall features supported by the AR1200-S include ACL-based packet filtering, blacklist, whitelist, application specific packet filter (ASPF), port mapping, virtual firewall, attack defense, traffic statistics and monitoring, and logs.
The AR1200-S considers that the data transmission within a zone is reliable; therefore, it does not enforce any security policy on the intra-zone data transmission. The AR1200-S verifies the data and enforces the security policies only when the data flows from one zone to another.
- High security
- Insufficient budget to afford a dedicated security device
Logically, the AR1200-S can be divided into multiple virtual firewalls to serve multiple small-scale private networks. By using the virtual firewall function, an ISP can lease network security services to enterprises.
If the number of TCP sessions initiated by external networks to Web server 129.9.0.1 exceeds the threshold, the AR1200-S forbids external networks to initiate new sessions until the number of sessions is smaller than the threshold.
other attacks because DoS attackers do not search for the ingress of a network but prevent authorized users from accessing resources or routers.

Scanning and snooping attack
Scanning and snooping attacks identify the existing systems on the network through ping scanning (including ICMP and TCP scanning), and then discover potential targets.
ICMP and UDP Flood Attack
ICMP and UDP Flood attacks send a large number of ICMP packets (such as ping packets) and UDP packets to the target host in a short time and request responses. The host is then overloaded and cannot process valid tasks.
bandwidth. If the source port is changed to Chargen and the destination port is changed to ECHO, the systems generate response packets continuously and cause serious damage.

IP-Fragment Attack
In an IP packet, some fields are relevant to flag bits and fragments, including Fragment Offset, Length, Don't Fragment (DF), and MF.
The system view is displayed. Step 2 Run: firewall zone zone-name A zone is created. The AR1200-S can be configured with up to 255 zones, and no default zone is provided. Step 3 Run: priority security-priority The priority of the zone is set.
The interface view is displayed.
Step 3 Run: zone zone-name
The interface is added to the zone.
----End

3.3.4 Creating an Interzone
Create the interzone so you can enable the firewall to filter packets or application-layer services in the specified interzone.
3.3.6 Checking the Configuration
After configuring the zones and interzone, you can view information about the zones and interzone.

Procedure
Run the display firewall zone [ zone-name ] [ interface | priority ] command to view information about the zones.
3.4.2 Configuring ACL-based Packet Filtering in an Interzone
The packet filtering firewall filters packets through ACLs.

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: acl [ number ] acl-number [ match-order { config | auto } ]
An ACL is created and the ACL view is displayed.
Data
- (Optional) Aging time of blacklist entries

3.5.2 Enabling the Blacklist Function
To make the entries added to the blacklist manually or dynamically effective, you must first enable the blacklist function.
NOTE: The blacklist entries without the aging time are added to the configuration file. The entries configured with the aging time are not added to the configuration file, but you can view them by using the display firewall blacklist command.
Step 2 Run: firewall black-white-list load configuration-file configuration-file-name
The blacklist and whitelist configuration file is loaded. The configured blacklist takes effect only after you run the firewall blacklist enable command to enable the blacklist.
Applicable Environment
Whitelists are applicable to networks where some devices send valid service packets that resemble IP address scanning or port scanning attacks. Whitelists prevent these devices from being added to the blacklist.
Follow-up Procedure
Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file so that it can be loaded next time.

3.6.3 Configuring Blacklist and Whitelist Using the Configuration File
You can configure blacklist and whitelist entries in a batch by loading the configuration file.
The entries in the whitelist take effect directly and you do not need to enable the whitelist function. A blacklist supports up to 32 entries, and a whitelist supports up to 32 entries.
ASPF is configured. Generally, the application-layer protocol packets are exchanged between the two parties in communication, so the direction does not need to be configured. The AR1200-S automatically checks the packets in both directions. By default, ASPF is not configured in the interzone.
Port mapping is implemented based on the ACL. Only the packets matching an ACL rule are mapped. Port mapping employs the basic ACL (2000 to 2999). In the ACL-based packet filtering, the AR1200-S matches the destination IP address of the packet with the IP address configured in the basic ACL rule.
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Creating the basic ACL and configuring ACL rules

Data Preparation
To configure port mapping, you need the following data.
This will help you complete the configuration task quickly and accurately.

Applicable Environment
The AR1200-S creates a session table for data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. The aging time is set for the session table of the firewall.
3.10 Configuring the Attack Defense Function
The AR1200-S attack defense function prevents attacks on the CPU. It ensures that the server operates normally even when it is attacked.

3.10.1 Establishing the Configuration Task
Before configuring the attack defense function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration.
The ICMP Flood attack defense is enabled. After the parameters for ICMP Flood attack defense are set, you must enable the ICMP Flood attack defense function; otherwise, the AR1200-S does not detect the attack packets or take attack defense measures.
After the maximum length of ICMP packets is set, you must enable the large ICMP packet attack defense function; otherwise, the AR1200-S does not detect the attack packets or take attack defense measures.
Step 11 Run: firewall defend ping-of-death enable
The Ping of Death attack defense is enabled.
To prevent Flood attacks, you need to specify the zones or IP addresses to be protected; otherwise, the attack defense parameters are invalid. You can also specify the maximum session rate. When the session rate exceeds the limit, the AR1200-S considers that an attack occurs and takes measures.
Maximum session rate: When the session rate of an IP address or a port exceeds the limit, the AR1200-S considers that a scanning attack occurs, and then adds the IP address to the blacklist and denies new sessions from the IP address or port.
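The blacklist, whitelist and scanning-defense behaviour described in the preceding sections (a per-source session-rate threshold, whitelist exemption, blacklist entries with an optional aging time, and the 32-entry limit) modelled in Python, as an added example that is not Huawei's code. The ScanDefense class, the one-second rate window, the denial of the triggering session and the sample session records are assumptions constructed for the example.

```python
"""Model of the scanning-attack defence this guide describes: per-source
session-rate check, whitelist exemption, blacklist with optional aging and
a 32-entry limit. Added example, not Huawei code; structures are assumptions."""
from collections import defaultdict, deque

BLACKLIST_MAX_ENTRIES = 32   # limits stated in the guide
WHITELIST_MAX_ENTRIES = 32


class ScanDefense:
    """Tracks new sessions per source and blacklists sources that exceed the rate."""

    def __init__(self, max_session_rate, window_seconds=1.0, aging_seconds=None):
        self.max_session_rate = max_session_rate   # new sessions allowed per window
        self.window = window_seconds               # assumption: one-second rate window
        self.aging = aging_seconds                 # None: dynamic entries never age out
        self.whitelist = set()
        self.blacklist = {}                        # ip -> expiry timestamp, or None
        self._recent = defaultdict(deque)          # ip -> timestamps of recent new sessions
        self.events = []                           # constructed log lines for inspection

    def add_whitelist(self, ip):
        if len(self.whitelist) >= WHITELIST_MAX_ENTRIES:
            raise ValueError("whitelist full")
        self.whitelist.add(ip)

    def add_blacklist(self, ip, now, aging=None):
        """Add an entry (manually or dynamically). Returns False if the list is full."""
        if ip not in self.blacklist and len(self.blacklist) >= BLACKLIST_MAX_ENTRIES:
            self.events.append(f"{now:.1f} blacklist full, {ip} not added")
            return False
        self.blacklist[ip] = None if aging is None else now + aging
        self.events.append(f"{now:.1f} blacklist add {ip} aging={aging}")
        return True

    def _expire(self, now):
        """Drop entries whose aging time has elapsed (permanent entries have no expiry)."""
        for ip, expiry in list(self.blacklist.items()):
            if expiry is not None and expiry <= now:
                del self.blacklist[ip]
                self._recent.pop(ip, None)         # start the rate window afresh
                self.events.append(f"{now:.1f} blacklist expire {ip}")

    def new_session(self, src_ip, now):
        """Decide on a new session from src_ip at time now: 'permit' or 'deny'."""
        self._expire(now)
        if src_ip in self.blacklist:
            return "deny"                          # blacklisted sources get no new sessions
        recent = self._recent[src_ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                       # keep only sessions inside the window
        if len(recent) > self.max_session_rate and src_ip not in self.whitelist:
            # Rate exceeded: the guide treats this as a scanning attack and adds the
            # source to the blacklist. Assumption: the triggering session is denied too.
            self.add_blacklist(src_ip, now, self.aging)
            return "deny"
        return "permit"


# Constructed session records (timestamp, source IP); not captured from a device.
SAMPLE_SESSIONS = (
    [(i * 0.1, "192.0.2.10") for i in range(7)]         # 7 sessions in 0.6 s
    + [(1.0 + i * 0.1, "10.0.0.5") for i in range(7)]   # same burst, whitelisted host
    + [(3.0, "192.0.2.10"), (12.0, "192.0.2.10")]       # retry while blacklisted, then after aging
)


def replay(sessions, max_session_rate=5, aging_seconds=10.0):
    """Replay session records through a ScanDefense; return (decisions, defense)."""
    defense = ScanDefense(max_session_rate, window_seconds=1.0, aging_seconds=aging_seconds)
    defense.add_whitelist("10.0.0.5")    # assumption: a monitoring host that legitimately bursts
    decisions = [(t, ip, defense.new_session(ip, t)) for t, ip in sessions]
    return decisions, defense


if __name__ == "__main__":
    decisions, defense = replay(SAMPLE_SESSIONS)
    for t, ip, verdict in decisions:
        print(f"{t:5.1f} {ip:12} {verdict}")
    print("\n".join(defense.events))
```

Running the replay shows the sixth session from 192.0.2.10 being denied and the source blacklisted, the whitelisted host passing the same burst, and the entry expiring after the aging time so later sessions are permitted again.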
The zone-based traffic statistics and monitoring take effect on the data flows between zones. That is, the AR1200-S counts the total number of TCP and UDP sessions between the local zone and other zones. When the number of sessions exceeds the threshold, the AR1200-S restricts the sessions until the number of sessions is less than the threshold.
3.11.2 Enabling Traffic Statistics and Monitoring
You can enable traffic statistics and monitoring at the system level, zone level, or IP address level as needed.

Procedure
Enabling system-level traffic statistics and monitoring...
12000. When the number of TCP sessions in all interzones exceeds 15000, the AR1200-S denies all new TCP sessions in the interzone and reports an alarm to the information center. When the number of sessions falls below the lower threshold of 12000, the AR1200-S generates a recovery log and sends it to the information center.
When the number of TCP sessions initiated from an IP address in the local zone exceeds 10000, the AR1200-S denies new TCP sessions from this IP address. By default, the upper threshold and lower threshold for each type of protocol packets are 16384 and 12288.
- Type of the log
- IP address and port number of the session log host, and the source IP address and source port number that the AR1200-S uses to communicate with the session log host
- Conditions for recording session logs, including the ACL number and the...
The session logs are exported to a log host in real time; therefore, you need to configure the log host first. To configure the log host, you need to configure the IP address and port number of the log host and the IP address and port number that the AR1200-S uses to communicate with the log host.
By default, no condition is configured in an interzone for recording session logs.
----End

3.12.4 Checking the Configuration
After the log function is configured on the firewall, you can view information about the logs.
Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view the whitelist entries.
Run the display firewall statistics system command to view the system-level traffic statistics.
3.14 Configuration Examples
This section provides several configuration examples of the firewall.

3.14.1 Example for Configuring the ACL-based Packet Filtering Firewall
This example shows the configuration of the ACL-based packet filtering firewall on a network.
[Figure 3-3 Network diagram for configuring ASPF and port mapping. Labels recovered from the figure: FTP server, Web server, Telnet server (129.38.1.2, 129.38.1.4, 129.38.1.3) on the internal network; Router with Ethernet0/0/0 and GE0/0/1; 202.39.2.3.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure zones and an interzone.
[Figure 3-4 Network diagram for configuring the blacklist. Labels recovered from the figure: Server, Ethernet0/0/0, GE0/0/1, Enterprise network, Router.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure zones and an interzone.
2. Add interfaces to the zones.
[Huawei-Vlanif100] quit
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 202.39.2.1 24
[Huawei-GigabitEthernet0/0/1] zone untrust
[Huawei-GigabitEthernet0/0/1] quit
Step 3 Enable the blacklist function.
[Huawei] firewall blacklist enable
Step 4 Add an entry to the blacklist.
4.1 Traffic Suppression Overview This section describes the traffic suppression function. 4.2 Traffic Suppression Features Supported by the AR1200-S This section describes traffic suppression features supported by the AR1200-S. 4.3 Configuring Traffic Suppression This section describes how to configure traffic suppression.
This section describes traffic suppression features supported by the AR1200-S. Traffic suppression can be configured on Ethernet interfaces of the AR1200-S. You can set the rate limit in bit/s or pps for broadcast packets, multicast packets, or unknown unicast packets on an interface.
Connecting interfaces and setting the physical parameters of interfaces so that the physical layer is in Up state Data Preparation To configure traffic suppression, you need the following data.
– Run the unicast-suppression packets packets-per-second command to set the rate limit in pps for unknown unicast traffic. NOTE The SRU on the AR1200-S does not support the rate limit in pps. The rate limit in pps can be set on LAN-side GE interfaces and LPU Ethernet interfaces. ----End 4.3.3 Checking the Configuration...
As shown in Figure 4-1, RouterA is the AR1200-S and RouterB is an aggregation router. The CIR value for traffic suppression can be set only on LAN-side Ethernet interfaces of the SRU on the AR1200-S. Figure 4-1 Network diagram of setting the CIR value for traffic suppression...
broadcast cir: 100(kbit/s) ------------------------------------------------------------------------------- ----End Configuration Files sysname RouterA interface Ethernet 0/0/0 unicast-suppression cir 100 multicast-suppression cir 200 broadcast-suppression cir 100 return 4.4.2 Example for Setting the Rate Limit in pps for Traffic Suppression This section describes how to set the rate limit in pps for traffic suppression.
Rate limit for multicast packets: 25200 pps Procedure Step 1 Enter the interface view. <Huawei> system-view [Huawei] sysname RouterA [RouterA] interface ethernet 2/0/0 Step 2 Set the rate limit in pps for broadcast packets.
LAN. 5.4 Configuring MAC Address Authentication After MAC address authentication is configured, the AR1200-S uses the user MAC address as the user name and password for authentication. 5.5 Maintaining NAC This section describes how to maintain NAC.
5.2 NAC Features Supported by the AR1200-S The AR1200-S supports multiple authentication and control methods to control user authorities and access areas. The AR1200-S functions as a network access device (NAD) and supports 802.1x authentication, MAC address authentication, and Web authentication. 802.1x Authentication The Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard, 802.1x for short,...
MAC address bypass authentication. After MAC address bypass authentication is enabled, when the AR1200-S initiates 802.1x authentication but does not receive the response from the terminal, the AR1200-S sends the MAC address of the user terminal as the user name and password to the authentication server.
5.3 Configuring 802.1x Authentication You can configure 802.1x authentication on an interface to authenticate access devices connected to an interface of an access control device on a LAN.
MAC address bypass authentication. After MAC address bypass authentication is enabled, when the AR1200-S initiates 802.1x authentication but does not receive the response from the terminal, the AR1200-S sends the MAC address of the user terminal as the user name and password to the authentication server.
CHAP is a three-way handshake authentication protocol and transmits passwords in cipher text. It has higher security than PAP. EAP supports multiple authentication mechanisms. The AR1200-S transparently transmits EAP Request packets and Response packets to the authentication server. The AR1200-S determines Issue 02 (2012-03-30) Huawei Proprietary and Confidential...
By default, the AR1200-S uses CHAP to authenticate 802.1x users. ----End 5.3.6 (Optional) Setting the Access Method on an Interface The AR1200-S provides interface-based access method and MAC address-based access method. Context MAC address-based access method: 802.1x users on an interface are authenticated independently.
----End 5.3.7 (Optional) Configuring the Authorization Status of an Interface The AR1200-S supports the auto, authorized-force, and unauthorized-force modes. Context auto: An interface is initially in unauthorized state and sends and receives only EAPoL packets. Therefore, users cannot access network resources. After a user is authenticated on the interface, the interface enters the authorized state and allows users to access network resources.
Access Users on an Interface After the maximum number of concurrent access users is set on an interface, if the number of access users on the interface reaches the maximum, the AR1200-S does not authenticate subsequent access users and these users cannot access networks.
5.3.10 (Optional) Setting Values of Timers Used in 802.1x Authentication On the AR1200-S, you can set the client authentication timeout timers, handshake interval between the AR1200-S and the 802.1x client, quiet timer value, re-authentication interval, and interval for sending authentication requests.
----End 5.3.11 (Optional) Configuring the Quiet Timer Function If a user fails to be authenticated after the quiet timer function is enabled, the AR1200-S does not process the authentication requests from the user in this period. This prevents frequent authentication on the system.
By default, an 802.1x user enters the quiet state after three authentication failures within 60 seconds. ----End 5.3.12 (Optional) Configuring 802.1x Re-authentication The AR1200-S re-authenticates users who have been authenticated after a period of time to ensure validity of users. Context 802.1x re-authentication can be enabled in the system view or interface view.
Authentication Context When the guest VLAN is enabled, the AR1200-S broadcasts authentication request packets to all the interfaces enabled with 802.1x authentication. If an interface does not return a response when the maximum number of re-authentication times is reached, the AR1200-S adds the interface to the guest VLAN.
VLAN. Context If a user fails to be authenticated after the restrict VLAN function is enabled, the AR1200-S adds the access interface of the user to the restrict VLAN. Users in the restrict VLAN can access resources in the restrict VLAN without authentication but must be authenticated when they access external resources.
Context If a client does not support the handshake function, the AR1200-S will not receive handshake response packets within the handshake interval and considers that the user is offline. Therefore, if the client does not support the handshake function, disable the handshake function on the AR1200-S.
Context If the AR1200-S does not receive a response after sending an authentication request to a user, it retransmits the authentication request to the user. If the AR1200-S still fails to receive the response when the maximum number of times for sending authentication requests is reached, it does not send the authentication request to the user any more.
Pre-configuration Tasks None. Data Preparation To configure MAC address authentication, you need the following data. Data Interface that will be enabled with MAC address authentication (Optional) Domain for MAC address authentication (Optional) Maximum number of access users who use MAC address authentication 5.4.2 Enabling Global MAC Address Authentication...
Procedure Enabling MAC address authentication in the system view Run: system-view The system view is displayed. Run: mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>...
5.4.6 (Optional) Setting Values for MAC Address Authentication Timers The following values can be set on the AR1200-S: re-authentication interval, interval for detecting whether users are online, value of the quiet timer, and value of the timeout timer of the authentication server.
5.4.7 (Optional) Setting the Maximum Number of Users for MAC Address Authentication When the number of access users on an interface reaches the maximum, the AR1200-S does not trigger authentication for subsequent users; therefore, these users cannot access the network.
Run: system-view The system view is displayed. Run: interface interface-type interface-number The interface view is displayed. Run: mac-authen max-user user-number The maximum number of users for MAC address authentication is set on the interface.
5.5 Maintaining NAC This section describes how to maintain NAC. 5.5.1 Clearing the Statistics on 802.1x Authentication Before collecting 802.1x authentication statistics, run the reset command to clear the existing statistics.
5.6 Configuration Examples This section provides several NAC configuration examples. 5.6.1 Example for Configuring 802.1x Authentication After 802.1x authentication is configured, a user that is not authenticated can access limited network resources.
Data Preparation To complete the configuration, you need the following data: IP address 192.168.2.30 and port number 1812 of the RADIUS authentication server RADIUS server key dot1x-isp and retransmission count 2...
Step 5 Configure MAC address bypass authentication. [Huawei] interface ethernet 2/0/1 [Huawei-Ethernet2/0/1] dot1x mac-bypass Step 6 Verify the configuration. Run the display dot1x interface command on the Router to view the 802.1x authentication configuration and statistics.
Configure AAA authentication. User names and passwords are sent to the RADIUS server for authentication. Configure MAC address authentication to authenticate users on Ethernet2/0/0. Data Preparation To complete the configuration, you need the following data: IP address 192.168.2.30 and port number 1812 of the RADIUS server...
<Huawei> display mac-authen interface ethernet 2/0/0 Ethernet2/0/0 state: UP. MAC address authentication is enabled Maximum users: 128 Current users: 1 Authentication success: 1 Authentication failure: 0 ----End Configuration Files...
6.5 Configuring ARP Suppression If the AR1200-S receives a lot of ARP attack packets, the ARP table overflows or the CPU usage is high. The AR1200-S prevents ARP attacks by discarding attack packets and limiting the rate of attack packets.
ARP flood attack: An attacker sends a large number of bogus ARP Request packets or gratuitous ARP packets. The AR1200-S is busy with ARP processing for a long period and cannot process other services. The rate of ARP packets may exceed the limit and ARP entries may overflow.
AR1200-S and the bandwidth reserved for sending ARP packets are occupied. The AR1200-S can limit the rate of ARP packets with a specified source IP address. If the number of ARP packets with a specified source IP address received by the AR1200-S within a specified period exceeds the threshold, the AR1200-S does not process the excessive ARP request packets.
AR1200-S considers that an attack occurs. When the AR1200-S detects an attack, configure the rate limit for ARP Miss packets to limit the rate of ARP Miss packets so that the CPU is protected and other services can be processed by the CPU.
----End 6.3.3 Configuring Interface-based ARP Entry Limiting If attackers occupy a large number of ARP entries, the AR1200-S cannot learn ARP entries of authorized users. To prevent such attacks, set the maximum number of ARP entries that can be dynamically learned by an interface.
The system view is displayed. Run: interface interface-type interface-number.subnumber The sub-interface view is displayed. On the AR1200-S, sub-interface-based ARP entry limiting can be enabled on GE sub-interfaces, Ethernet sub-interfaces, and Eth-Trunk sub-interfaces. Run: arp-limit maximum maximum Sub-interface-based ARP entry limiting is configured.
To prevent attackers from sending gratuitous ARP packets with the source IP addresses as the forged gateway address on a LAN, configure the ARP gateway anti-collision function and configure the AR1200-S to send gratuitous ARP packets. To prevent unauthorized users from accessing external networks by sending ARP packets to the AR1200-S, configure the ARP packet checking function.
----End 6.4.3 Configuring the AR1200-S to Check Source MAC Address Consistency in ARP Packets The AR1200-S checks validity of ARP packets and discards invalid ARP packets to defend against ARP attacks. Context By default, the AR1200-S checks the following items of ARP packets:...
By default, the AR1200-S checks the source and destination MAC addresses of all ARP packets. If an ARP packet has an all-0 source or destination MAC address, the AR1200-S discards the ARP packet. Generally, the Ethernet header and ARP header of an ARP packet contain the same source MAC address.
Context The AR1200-S periodically sends ARP Request packets with the destination IP address as the gateway address to update the gateway MAC address in ARP entries on the network. By doing this, the AR1200-S sends user packets to the correct gateway and prevents attackers from intercepting these packets.
There are 1 records in gateway conflict table 6.5 Configuring ARP Suppression If the AR1200-S receives a lot of ARP attack packets, the ARP table overflows or the CPU usage is high. The AR1200-S prevents ARP attacks by discarding attack packets and limiting the rate of attack packets.
Data Rate limit for ARP packets with a specified source IP address Rate limit for ARP Miss packets with a specified source IP address Rate limit duration and rate limit for sending ARP packets.
6.5.3 Configuring Rate Limit of ARP Packets This section describes how to configure the rate limit for ARP packets. Procedure Configuring the rate limit of ARP packets in the system view...
By default, rate limiting of ARP packets is disabled. Run: arp anti-attack rate-limit packet-number [ interval-value ] The rate limit duration and the rate limit of ARP packets are set.
6.5.5 Configuring Rate Limiting of ARP Miss Packets This section describes how to configure rate limiting for ARP Miss packets. Context If many ARP Miss packets are triggered, the system is busy in broadcasting ARP request packets and its performance deteriorates.
system-view The system view is displayed. Step 2 Run: arp speed-limit source-mac maximum maximum The rate limit of ARP packets is set. Step 3 (Optional) Run: arp speed-limit source-mac ip-address maximum maximum The rate limit of ARP packets with a specified source MAC address is set.
ARP entries. If a large number of sub-VLANs are configured for the super-VLAN, the AR1200-S generates a large number of ARP Request packets. As a result, the CPU is busy in processing ARP Request packets and cannot process other services in a timely manner.
Context CAUTION Statistics cannot be restored after being cleared. Exercise caution when you run this command. Run the following command in the user view to clear the statistics.
Networking Requirements As shown in Figure 6-1, the Router is connected to a server through Ethernet0/0/3 that is added to VLAN 30 and is connected to users in VLAN 10 and VLAN 20 through Ethernet0/0/1 and Ethernet0/0/2.
Configure the rate limit for ARP packets with the specified source IP address. Configure the rate limit for ARP Miss packets. Enable log and alarm functions for potential attacks.
# Set the rate limit for ARP packets sent by user 4 to 10 pps. To prevent all users from sending a large number of ARP packets incorrectly, set the rate limit for ARP packets of the system to 15 pps.
ARP speed-limit for source-MAC configuration: MAC-address suppress-rate(pps)(rate=0 means function disabled) ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- 0 specified MAC addresses are configured, spec is 256 items. ARP speed-limit for source-IP configuration:...
port hybrid tagged vlan 10 arp-limit vlan 10 maximum 20 interface Ethernet0/0/2 port hybrid pvid vlan 20 port hybrid tagged vlan 20 arp-limit vlan 20 maximum 20...
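The two ARP rate limits configured above (a per-source-IP limit and a system-wide limit) can be modelled as interval counters. The following is an added example, not code from the Huawei guide: it replays a constructed stream of ARP packets through both limits, using the 10 pps and 15 pps figures from the example, and counts what a router applying these limits would process and drop. Class and function names and the packet stream are constructed for illustration.

```python
"""
Model of the per-source-IP and system-wide ARP rate limits described in
the guide. A packet is processed only while both counters for the current
interval are under their limits; excess packets are dropped and counted
by reason, which is what a log or alarm for potential attacks would report.
"""
from collections import Counter


class ArpRateLimiter:
    def __init__(self, system_limit, interval=1.0, source_limits=None):
        self.system_limit = system_limit          # packets per interval, all sources
        self.interval = interval                  # rate limit duration in seconds
        self.source_limits = source_limits or {}  # src_ip -> per-interval limit
        self._window_start = None
        self._system_count = 0
        self._per_source = Counter()
        self.dropped = Counter()                  # drop reason -> count

    def _roll_window(self, ts):
        # Fixed window: counters reset when the interval has elapsed.
        if self._window_start is None or ts - self._window_start >= self.interval:
            self._window_start = ts
            self._system_count = 0
            self._per_source.clear()

    def accept(self, ts, src_ip):
        """Return True if the ARP packet is processed, False if it is dropped."""
        self._roll_window(ts)
        limit = self.source_limits.get(src_ip)
        if limit is not None and self._per_source[src_ip] >= limit:
            self.dropped["source-ip"] += 1
            return False
        if self._system_count >= self.system_limit:
            self.dropped["system"] += 1
            return False
        self._per_source[src_ip] += 1
        self._system_count += 1
        return True


def run_stream(packets, system_limit=15, source_limits=None):
    """Replay (timestamp, src_ip) packets; return (processed per source, drops)."""
    limiter = ArpRateLimiter(system_limit, source_limits=source_limits)
    processed = Counter()
    for ts, src in packets:
        if limiter.accept(ts, src):
            processed[src] += 1
    return processed, limiter.dropped


def constructed_stream():
    """Constructed ARP traffic (hypothetical addresses).

    Second 0: user 4 (10.0.10.4) floods 30 ARP requests, user 1 sends 8.
    Second 1: user 1 sends 5 and user 4 sends 5, all within limits.
    """
    pkts = [(0.01 * i, "10.0.10.4") for i in range(30)]
    pkts += [(0.5 + 0.01 * i, "10.0.10.1") for i in range(8)]
    pkts += [(1.2 + 0.01 * i, "10.0.10.1") for i in range(5)]
    pkts += [(1.5 + 0.01 * i, "10.0.10.4") for i in range(5)]
    return sorted(pkts)


if __name__ == "__main__":
    # User 4 is limited to 10 pps, the system to 15 pps, as in the guide.
    processed, dropped = run_stream(constructed_stream(), 15, {"10.0.10.4": 10})
    print("processed:", dict(processed))
    print("dropped:", dict(dropped))
```

Note that the system-wide limit also costs the well-behaved user 1 three packets in the first second, which is why the guide applies the tighter per-source limit to the noisy host first.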
This section describes ICMP security principles. 7.2 ICMP Security Features Supported by the AR1200-S The AR1200-S can limit the rate at which ICMP packets are received, check the validity of ICMP packets, discard invalid and specified ICMP packets, and ignore destination-unreachable packets.
The AR1200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. Therefore, the AR1200-S needs to check the validity of ICMP packets, discard specified ICMP packets, and limit the rate at which ICMP packets are received.
CPU, ensuring nonstop service transmission. After this function is configured, the AR1200-S discards excess packets. NOTE After rate limiting of ICMP packets is configured, the AR1200-S may fail to respond to ping packets. Procedure Configuring the global rate limit for ICMP packets...
The AR1200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR1200-S can be configured to discard the ICMP packets with the TTL value of 1. This helps reduce the burden on the AR1200-S and protect CPU resources.
This section describes how to configure the AR1200-S to discard the ICMP packets with options. Context The AR1200-S is busy in processing tasks defined in options in the IP header of ICMP packets. For example, the AR1200-S calculates the hop count. As a result, normal services are not processed immediately.
By default, the AR1200-S does not discard ICMP destination-unreachable packets. ----End 7.4.5 Checking the Configuration After configuring the AR1200-S to discard specified ICMP packets, you can use the following commands to verify the configuration. Procedure Run the display current-configuration command to check whether the AR1200-S is configured to discard specified ICMP packets.
By default, the AR1200-S is enabled to send ICMP port-unreachable packets. Step 3 Run: interface interface-type interface-number The interface view is displayed. The AR1200-S cannot be configured to send the ICMP host-unreachable packets on a Layer 2 interface. Step 4 Run: undo icmp host-unreachable send The interface is disabled from sending the ICMP host-unreachable packets.
This section provides ICMP security configuration examples. 7.7.1 Example for Disabling the AR1200-S from Sending Host-Unreachable Packets This section provides an example to illustrate how to disable the AR1200-S from sending host-unreachable packets. Networking Requirements As shown in...
NOTE By default, an interface is enabled to send ICMP host-unreachable packets. If this function is enabled, skip this step. Disable GE1/0/0 on RouterB from sending ICMP host-unreachable packets so that...
There is no reachable route from RouterB to RouterC; therefore, RouterB should respond to ping packets received from RouterA with ICMP host-unreachable packets. Because GE1/0/0 of RouterB is disabled from sending ICMP host-unreachable packets, RouterB does not respond to ping packets received from RouterA.
Figure 7-2 Networking diagram of ICMP security configurations (figure labels: Internet, RouterB, RouterA, user network, Individual user, Enterprise user) Configuration Roadmap The configuration roadmap is as follows: Configure RouterA to discard ICMP packets with the TTL value of 1.
[RouterA] icmp unreachable drop Step 2 Verify the configuration. # Run the display current-configuration command in the user view. You can view the ICMP security configuration. <RouterA> display current-configuration | include icmp...
To protect authorized users from source IP address spoofing attacks, configure URPF. 8.1 IP Address Anti-spoofing Overview This function defends against source address spoofing attacks. 8.2 IP Source Address-based Attack Defense Features Supported by the AR1200-S This section describes the IP source address-based attack defense features supported by the AR1200-S.
(URPF). URPF When the AR1200-S receives a packet, it searches for the route to the destination address of the packet. If the route is found, the AR1200-S forwards the packet. Otherwise, the AR1200-S discards the packet. After URPF is configured, the AR1200-S obtains the source address and inbound interface of the packet.
Unmatched packets are discarded. Loose check: A packet can pass the check as long as the FIB table of the AR1200-S has a routing entry with the destination address being the source address of the packet.
Step 2 Run: interface interface-type interface-number The interface view is displayed. URPF cannot be configured on Layer 2 interfaces of the AR1200-S. Step 3 Configure URPF check for packets on the interface. Configure URPF check for IPv4 packets on the interface.
through RouterA. RouterA is required to prevent staff in different departments from accessing the server without permission. NOTE RouterA is an enterprise router and RouterB is an aggregation router.
Procedure Step 1 Configure the URPF check mode on the interface. <Huawei> system-view [Huawei] sysname RouterA [RouterA] interface gigabitethernet 1/0/0 [RouterA-GigabitEthernet1/0/0] urpf strict allow-default-route [RouterA-GigabitEthernet1/0/0] quit [RouterA] interface gigabitethernet 2/0/0 [RouterA-GigabitEthernet2/0/0] urpf strict allow-default-route Step 2 Verify the configuration.
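The strict and loose URPF checks described in 8.2, and the allow-default-route keyword used in the procedure above, can be shown on a small FIB. This is an added example, not the guide's or Huawei's code: strict mode is modelled with the standard URPF definition (the route back to the source must leave through the interface the packet arrived on), and the default route is treated as a usable match only when allow_default_route is set; that treatment, the interface names and the routes are assumptions made for the example.

```python
"""
Model of the URPF check: look up the packet's source address in the FIB,
then decide per mode. The FIB, interface names and sample packets are
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


class Fib:
    """Minimal longest-prefix-match FIB."""

    def __init__(self, routes):
        # Longest prefix first, so the first hit is the most specific route.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        ip = ipaddress.IPv4Address(addr)
        for r in self.routes:
            if ip in r.prefix:
                return r
        return None


def urpf_check(fib, src_ip, in_iface, mode="strict", allow_default_route=False):
    """Return True if the packet passes URPF, False if it must be discarded.

    loose : pass if any FIB route covers the source address.
    strict: additionally require that the route's outbound interface be the
            interface the packet arrived on.
    The default route (0.0.0.0/0) counts as a match only when
    allow_default_route is set (assumed model of the keyword).
    """
    route = fib.lookup(src_ip)
    if route is None:
        return False
    if route.prefix.prefixlen == 0 and not allow_default_route:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return route.out_iface == in_iface
    raise ValueError(f"unknown URPF mode {mode!r}")


# Constructed FIB: two department subnets on GE1/0/0 and GE2/0/0 (as in the
# guide's example) plus a default route towards the aggregation router.
FIB = Fib([
    Route(ipaddress.ip_network("10.1.1.0/24"), "GigabitEthernet1/0/0"),
    Route(ipaddress.ip_network("10.1.2.0/24"), "GigabitEthernet2/0/0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet3/0/0"),
])


def classify(packets, mode, allow_default_route=False):
    """Run URPF over (src_ip, in_iface) pairs; return (src, iface, passed) rows."""
    return [(src, iface, urpf_check(FIB, src, iface, mode, allow_default_route))
            for src, iface in packets]


if __name__ == "__main__":
    # Constructed packets: a genuine host, the same source address arriving
    # on the other department's interface (spoofed), and an Internet source.
    SAMPLE = [
        ("10.1.1.7", "GigabitEthernet1/0/0"),
        ("10.1.1.7", "GigabitEthernet2/0/0"),
        ("192.0.2.9", "GigabitEthernet3/0/0"),
    ]
    for row in classify(SAMPLE, "strict", allow_default_route=True):
        print(row)
```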
This section describes the background and functions of local attack defense. 9.2 Local Attack Defense Features Supported by the AR1200-S This section describes local attack defense features supported by the AR1200-S. 9.3 Configuring Attack Source Tracing The attack source tracing function checks for attack packets sent to the CPU and notifies users by sending logs or alarms.
As a result, the CPU performance deteriorates and services are interrupted. To protect the CPU and ensure that it can process services, the AR1200-S provides the local attack defense function. The local attack defense functions protect the AR1200-S against attacks, ensure service transmission in the case of attacks, and minimize the impact on the services in the case of attacks by limiting the rate of packets sent to the CPU.
Rate limit The AR1200-S can limit the rate of all the packets sent to the CPU to protect the CPU. Active link protection (ALP) protects session-based application layer data, including data of HTTP Sessions, FTP sessions.
| telnet | ttl-expired } The types of traced packets are specified. By default, the AR1200-S traces sources of ARP, DHCP, ICMP, IGMP, TCP, Telnet, and TTL-expired packets after attack source tracing is enabled. Step 6 (Optional) Run:...
This will help you complete the configuration task quickly and accurately. Applicable Environment When a large number of users connect to the AR1200-S, the AR1200-S may be attacked by the packets sent to the CPU or needs to process a large number of these packets. The AR1200-S can limit the rate of all the packets sent to the CPU to protect the CPU.
Level 2: The AR1200-S limits the rate of packets sent to the CPU based on the protocol type to prevent excess packets of a particular protocol from being sent to the CPU.
By default, no blacklist is configured on the AR1200-S. ----End 9.4.4 (Optional) Configuring the Rate Limit for Packets Sent to the CPU The AR1200-S sets different rate limits for packets of different types or discards packets of a certain type to protect the CPU. Procedure...
Run: deny packet-type packet-type The AR1200-S is configured to discard packets of a specified type sent to the CPU. That is, the rate limit for packets of the specified type to be sent to the CPU is 0. By default, the AR1200-S applies the rate limit defined in the default attack defense policy to the packets sent to the CPU.
The rate limit for all packets sent to the CPU is set. The AR1200-S then randomly discards the packets that exceed the rate limit to protect the CPU. ----End 9.4.7 (Optional) Configuring the Rate Limit for Packets After ALP Is Enabled You can set the rate limit for packets in the attack defense policy after ALP is enabled.
9.4.8 Applying the Attack Defense Policy An attack defense policy takes effect only when it is applied to a board. Prerequisites To protect session-based application layer data, including data of HTTP sessions and FTP sessions, and ensure non-stop transmission of these services when attacks occur, enable active link protection (ALP) before you create an attack defense policy.
Run the display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id | sru } command to check the rate limit configuration for protocol packets sent to the CPU.
Most LAN users obtain IP addresses using DHCP, but RouterA does not give DHCP Client packets sent to the CPU processing priority. The Telnet server is not enabled on RouterA, but RouterA often receives a large number of Telnet packets.
Priority of DHCP Client packets: 3 NOTE This section provides only the configuration procedure for the local attack defense function supported by the AR1200-S. For details about the routing configuration, see the Huawei AR1200-S Series Enterprise Routers Configuration Guide - IP Routing. Procedure Step 1 Configure an ACL to be referenced by the blacklist.
Packet-type arp-request rate-limit : 64(pps) Packet-type dhcp-client priority : 3 Rate-limit all-packets : 2000(pps) (default) Application-apperceive packet-type ftp : 2000(pps) Application-apperceive packet-type tftp : 2000(pps) # View the rate limit configuration on the SRU. You can see that application layer association for Telnet, the rate limit for ARP Request packets sent to the CPU, and the priority for DHCP client packets are configured successfully.
Disabled ----------------------------------------------------------------- # The log for attack source tracing of Net1 indicates that attack source tracing has taken effect. Dec 18 2010 09:55:50-05:13 AR1200-S %%01SECE/4/USER_ATTACK(l)[0]:User attack occurred.(Slot=MPU, SourceAttackInterface=Ethernet0/0/1, OuterVlan/ InnerVlan=0/0, UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per second) # View the statistics on packets sent to the SRU. The discarded packets indicate that the rate limit is set for ARP Request packets.
10 ACL Configuration ACL Configuration About This Chapter This chapter explains how to filter data packets on an AR1200-S by defining an Access Control List (ACL) to determine allowed packet types. 10.1 ACL Overview This section describes the basic concept of ACLs.
After these rules are applied to the AR1200-S, the AR1200-S determines which packets to receive and reject. ACLs can be applied to some services and functions on the AR1200-S, for example, the routing policy, traffic classifier, firewall, and IPSec.
Table columns: Classification, Type, Function Description. Rule naming mode: Numbered: A numbered ACL is identified by a number, which can be specified to reference the ACL. Named: A named ACL is identified...
Other: Time range information. Other ACL Features Supported by the AR1200-S The AR1200-S supports the following ACL features: Step: The step value makes it possible to add a new rule between existing rules and to control the matching order of rules.
Basic ACLs can be referenced by many services and functions such as the routing policy and traffic classifier. The AR1200-S processes different types of packets based on basic ACL rules. Basic ACLs are applied to all the IPv4 packets at the network layer and upper layers. Basic ACLs classify packets based on source IP addresses, fragment flags, and time ranges in the packets.
{ start-time to end-time days | from time1 date1 [ to time2 date2 ] } A time range is created. To configure multiple time ranges with the same name on the AR1200-S, run the preceding command with the same value of time-name multiple times. NOTE You can configure the same name for multiple time ranges to describe a special period.
Procedure Creating a numbered basic ACL Run: system-view The system view is displayed. Run: acl [ number ] acl-number [ match-order { auto | config } ] A basic ACL with the specified number is created and the basic ACL view is displayed.
Follow-up Procedure Configure rules in the basic ACL. 10.3.4 Configuring a Basic ACL Rule A basic ACL is composed of a list of rules. The ACL classifies packets by matching packet information with the ACL rules.
Apply a basic ACL to add specified users to the blacklist for local attack defense. A blacklist is a set of unauthorized users. The AR1200-S uses basic ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist.
Apply an ACL to an interface to filter packets on the interface. The AR1200-S can filter packets on an interface using an ACL. – If the action in an ACL rule is deny, the AR1200-S discards all packets matching the rule.
10.3.6 Checking the Configuration After a basic ACL is configured, you can view information about the basic ACL and time range. Prerequisites The basic ACL configurations are complete.
Applicable Environment Advanced ACLs are applied to multiple services and functions, for example, traffic classifiers and multicast. The AR1200-S processes different types of packets based on advanced ACL rules. Advanced ACLs can be applied to: All the IPv4 packets at the network layer and upper layers. Advanced ACLs classify IPv4 packets based on information such as source and destination IP addresses, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
{ start-time to end-time days | from time1 date1 [ to time2 date2 ] } A time range is created. To configure multiple time ranges with the same name on the AR1200-S, run the preceding command with the same value of time-name multiple times. NOTE You can configure the same name for multiple time ranges to describe a special period.
Follow-up Procedure Reference the time range in an advanced ACL rule. 10.4.3 Creating an Advanced ACL Before using an advanced ACL, ensure that the advanced ACL has been created. You can create a named or numbered advanced ACL.
acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999. match-order specifies the matching order of advanced ACL rules: – auto: indicates that ACL rules are matched based on the depth first principle.
vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] ] | [ fragment | none-first-fragment ] ] - Configure an advanced ACL rule based on the protocol over IP.
Apply an advanced ACL to add specified users to the blacklist for local attack defense. A blacklist is a set of unauthorized users. The AR1200-S uses advanced ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist.
Apply an advanced ACL to an interface to filter packets on the interface. The AR1200-S can filter packets on an interface using an ACL. – If the action in an ACL rule is deny, the AR1200-S discards all packets matching the rule.
Run the display time-range { all | time-name } command to view information about the time range. ----End Example # Run the display acl acl-number command to view the advanced ACL number, the number of rules, the step value, and the content of the rules.
NOTE You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:...
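The three behaviours described in this chapter (the step value that leaves room to insert rules, the config versus auto "depth first" matching order, and several time ranges sharing one name) are easier to reason about with a small model. The following Python is an added example, not code from this guide or from Huawei. It assumes periodic time ranges only, treats same-named ranges as a union, breaks depth-first ties by rule id, and returns None when no rule matches (the default action for unmatched packets depends on the service that references the ACL). The demo ACL, addresses and time ranges are constructed.

```python
"""Model of ACL rule handling: step-based ids, config/auto order, same-named time ranges.
Illustrative code (not device firmware); all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TimeRange:
    """A periodic time range: weekdays (Monday == 0) plus a daily window."""
    name: str
    days: frozenset
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    source: IPv4Address
    wildcard: int               # 0 bits must match, 1 bits are ignored
    time_range: Optional[str] = None

    def matches_source(self, addr: IPv4Address) -> bool:
        fixed_bits = ~self.wildcard & 0xFFFFFFFF
        return ((int(addr) ^ int(self.source)) & fixed_bits) == 0

    def wildcard_bits(self) -> int:
        """Fewer wildcard bits means a more specific rule (depth-first order)."""
        return bin(self.wildcard).count("1")


class Acl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        if match_order not in ("config", "auto"):
            raise ValueError("match-order must be 'config' or 'auto'")
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: Dict[int, Rule] = {}
        self.time_ranges: Dict[str, List[TimeRange]] = {}

    def add_time_range(self, tr: TimeRange) -> None:
        # Several ranges may share one name; they are treated as a union (assumption:
        # only periodic ranges are modelled here).
        self.time_ranges.setdefault(tr.name, []).append(tr)

    def time_range_active(self, name: Optional[str], when: datetime) -> bool:
        if name is None:
            return True
        return any(tr.contains(when) for tr in self.time_ranges.get(name, []))

    def add_rule(self, action: str, source: str, wildcard: str,
                 rule_id: Optional[int] = None, time_range: Optional[str] = None) -> int:
        """Without an explicit id the next multiple of `step` is used, which leaves
        gaps so that a rule can later be inserted between existing ones."""
        if rule_id is None:
            rule_id = (max(self.rules) // self.step + 1) * self.step if self.rules else self.step
        if rule_id in self.rules:
            raise ValueError(f"rule {rule_id} already exists")
        self.rules[rule_id] = Rule(rule_id, action, IPv4Address(source),
                                   int(IPv4Address(wildcard)), time_range)
        return rule_id

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "config":
            return [self.rules[k] for k in sorted(self.rules)]
        # auto: depth first, most specific rule first; ties keep id order (assumption)
        return sorted(self.rules.values(), key=lambda r: (r.wildcard_bits(), r.rule_id))

    def match(self, source: str, when: datetime) -> Optional[str]:
        """Action of the first active matching rule, or None when nothing matches."""
        addr = IPv4Address(source)
        for rule in self.ordered_rules():
            if rule.matches_source(addr) and self.time_range_active(rule.time_range, when):
                return rule.action
        return None


def decide(acl: Acl, source: str, when_iso: str) -> Optional[str]:
    """Evaluate `source` at an ISO timestamp such as '2010-03-01T10:00'."""
    return acl.match(source, datetime.fromisoformat(when_iso))


def build_demo_acl(match_order: str = "config") -> Acl:
    """Constructed demo: deny 172.16.107.0/24 during 'worktime', permit everything else.
    'worktime' is two same-named ranges: Mon-Fri 08:00-18:00 and Saturday 14:00-18:00."""
    acl = Acl(2001, match_order)
    acl.add_time_range(TimeRange("worktime", frozenset(range(0, 5)), time(8, 0), time(18, 0)))
    acl.add_time_range(TimeRange("worktime", frozenset({5}), time(14, 0), time(18, 0)))
    acl.add_rule("deny", "172.16.107.0", "0.0.0.255", time_range="worktime")   # rule 5
    acl.add_rule("permit", "0.0.0.0", "255.255.255.255")                       # rule 10
    return acl
```

With the step of 5, rule 7 can be added afterwards to exempt one host: in config order it sits behind rule 5 and never fires during worktime, while in auto order its zero wildcard makes it the most specific rule and it is checked first.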
Creating a named Layer 2 ACL Run: system-view The system view is displayed. Run: acl name acl-name { link | acl-number } [ match-order { auto | config } ] A Layer 2 ACL with the specified name is created and the Layer 2 ACL view is displayed.
Apply a Layer 2 ACL to add users to the blacklist for local attack defense. A blacklist is a set of unauthorized users. The AR1200-S uses Layer 2 ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist.
Example # Run the display acl acl-number command to view the Layer 2 ACL number, the number of rules, the step value, and the content of the rules.
Figure 10-1 Configuring a basic ACL to limit user access to the FTP server (figure labels: PC A 172.16.105.111, FTP Server, PC B 172.16.107.111, Network, Router, PC C 172.16.104.110, 10.10.10.1...)
Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 on Monday in 2010. PC B cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2010.
Figure 10-2 Using advanced ACLs to configure the firewall function (figure labels: FTP server, Web server, 202.169.10.6, 202.169.10.5, Eth0/0/0, GE0/0/1, Internet, Router, 202.39.2.3, Internal network, Telnet server 202.169.10.7) Configuration Roadmap The configuration roadmap is as follows: Configure zones on the internal and external networks.
[Router-zone-company] priority 12 [Router-zone-company] quit # Add VLANIF 100 to the zone company. [Router] interface vlanif 100 [Router-Vlanif100] zone company [Router-Vlanif100] quit # Configure a zone on the external network.
[Router-interzone-company-external] packet-filter 3002 outbound [Router-interzone-company-external] quit Step 6 Verify the configuration. After the configuration is complete, only the host at 202.39.2.3 can access internal servers and only internal servers can access the external network.
ip address 129.39.10.8 255.255.255.0 zone external return 10.6.3 Example for Using a Layer 2 ACL to Configure Traffic Classification A Layer 2 ACL is used to configure traffic classification to collect statistics on packets with the specified source MAC address.
Procedure Step 1 Create a VLAN and configure each interface. # Create VLAN 20. <Huawei> system-view [Huawei] sysname Router [Router] vlan 20 [Router-vlan20] quit # Configure Ethernet0/0/0 as a trunk interface and add Ethernet0/0/0 to VLAN 20.
Step 6 Verify the configuration. # View the ACL configuration. <Router> display acl name layer2 L2 ACL layer2 4999, 1 rule Acl's step is 5 rule 5 permit source-mac 0000-0000-0003 # View the traffic classifier configuration.
TCP-based application layer protocols. 11.2 SSL Features Supported by the AR1200-S The AR1200-S supports server SSL policies and client SSL policies. 11.3 Configuring a Server SSL Policy A server SSL policy defines parameters that an SSL server uses in SSL handshakes, including the PKI domain name, maximum number of sessions that can be saved, timeout period of a saved session, and cipher suite.
11 SSL Configuration 11.1 SSL Overview The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols. Introduction to SSL SSL is a cryptographic protocol that provides communication security over the Internet.
Figure 11-1 Certificate issuing and authentication (figure labels: Certificate issuing, Server, certificate, Certificate verification) Digital certificate A digital certificate is an electronic document issued by a CA to bind a public key with a certificate subject (an applicant that has obtained a certificate).
To use an AR1200-S as an SSL server, configure a server SSL policy on the AR1200-S. During an SSL handshake, the AR1200-S uses the SSL parameters in the server SSL policy to negotiate session parameters with an SSL client.
When functioning as an SSL server, the AR1200-S can communicate with SSL clients running SSL3.0, TLS1.0, or TLS 1.1. The AR1200-S determines the SSL protocol version used for this communication and sends a Server Hello message to notify the client.
TCP-based application layer protocols. To use an AR1200-S as an SSL client, configure a client SSL policy on the AR1200-S. A client SSL policy can be applied to application layer protocols such as the CPE WAN Management Protocol (CWMP) to provide secure connections.
AR1200-S establishes a session with the server. When functioning as an SSL client, the AR1200-S does not allow SSL servers to authenticate it, but it can authenticate SSL servers. When the AR1200-S functions as an SSL client, enable it to authenticate servers to ensure secure communication.
11.5.1 Example for Configuring a Server SSL Policy This example shows how to configure a server SSL policy on an AR1200-S functioning as an HTTPS server. After the configuration is complete, users can use a web browser to log in to and manage the Router.
Configuration Roadmap The configuration roadmap is as follows: Configure a PKI entity and a PKI domain. Configure a server SSL policy. Configure the Router as an HTTPS server.
Procedure Step 1 Configure a PKI entity and a PKI domain. # Configure a PKI entity. <Huawei> system-view [Huawei] sysname Router [Router] pki entity users [Router-pki-entity-users] common-name hello...
11.5.2 Example for Configuring a Client SSL Policy This example shows how to configure a client SSL policy on the AR1200-S functioning as the customer premises equipment (CPE). After the configuration is complete, the AR1200-S can authenticate the auto-configuration server (ACS) and communicate with the ACS securely.
The ACS functions as an SSL server and has obtained a digital certificate from the CA. You need to configure the Router as an SSL client to authenticate the ACS. This ensures privacy and integrity of data exchanged between the Router and the ACS.
Item Data PKI entity PKI entity name: cwmp0 - Entity's common name: hello - Entity's country code: CN - Entity's province name: jiangsu - Entity's organization name: huawei...
For security reasons your password will not be saved in the configuration. Please make a note of it. Choice no password ,please enter the enter-key. Please enter Password: Start certificate enrollment ...
# Set the maximum number of connection attempts to 5. [Router-cwmp] cwmp cpe connect retry 5 # Set the close-wait timer of the Router to 100 seconds. If no data is transmitted within 100 seconds, the connection is torn down.
IP Security (IPSec) protocol and Secure Sockets Layer (SSL) protocol. 12.2 PKI Features Supported by the AR1200-S On the AR1200-S, you can configure PKI entities, PKI domains, manually or automatically enroll certificates, authenticate certificate validity, manage certificates, import or export certificates, and delete expired certificates.
12 PKI Configuration 12.1 PKI Overview The Public Key Infrastructure (PKI) is a system that generates public keys and digital certificates, and verifies identities of certificate subjects to ensure information security. PKI provides a certificate management mechanism for the IP Security (IPSec) protocol and Secure Sockets Layer (SSL) protocol.
(CDPs) to indicate the location of these CRLs. 12.2 PKI Features Supported by the AR1200-S On the AR1200-S, you can configure PKI entities, PKI domains, manually or automatically enroll certificates, authenticate certificate validity, manage certificates, import or export certificates, and delete expired certificates.
PKI Working Process On a PKI network, PKI is configured on the AR1200-S to allow the AR1200-S to obtain a local certificate from a CA and verify certificate validity. The PKI working process is as follows: An entity applies for a certificate from a registration authority (RA).
Export a certificate License Support The PKI function is used with a license. To use the PKI function, apply for and purchase the following license from the Huawei local office: AR1200 Value-Added Security Package 12.3 Configuring a PKI Entity A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A PKI entity identifies a certificate applicant.
Run the common-name common-name command to configure the common name for the PKI entity. By default, no PKI entity name is configured on the AR1200-S. - Run the fqdn fqdn-name command to configure the FQDN for the PKI entity.
Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: pki entity entity-name The PKI entity view is displayed. Step 3 Run: country country-code A country code is configured for the PKI entity.
12.4 Configuring a PKI Domain Before an entity applies for a PKI certificate, registration information needs to be configured for the entity. A set of the registration information is the PKI domain of the entity.
Step 2 Run: pki realm realm-name A PKI domain is created. By default, no PKI domain is configured on the AR1200-S. ----End 12.4.3 Configuring a PKI Entity Name In a PKI domain, configure a name for the PKI entity applying for a certificate. A PKI entity name binds to only one PKI entity.
----End 12.4.5 (Optional) Configuring CA Certificate Fingerprint Before the AR1200-S obtains a root certificate from a CA, the AR1200-S needs to check the CA root certificate fingerprint. The CA root certificate fingerprint is the hash value of the root certificate and is unique to each certificate. If the CA root certificate fingerprint is different from the fingerprint configured in a specified PKI domain, the AR1200-S refuses the issued root certificate.
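The fingerprint check in 12.4.5 pins the CA root to a digest the operator obtained out of band, so that a root certificate substituted on the enrollment path is refused. The following Python is an added example of that check, not the router's code; it accepts sha1 (the algorithm the examples in this chapter configure) and sha256, normalises the configured hex string, and compares in constant time. With no fingerprint configured it refuses the root, which is an assumption made here (the page describes only the mismatch case). The certificate bytes are constructed stand-ins, not real DER certificates.

```python
"""Model of the CA root certificate fingerprint check of a PKI domain.
Illustrative code, not the router's implementation; GOOD_ROOT/ROGUE_ROOT are constructed."""
import hashlib
import hmac
from typing import Dict, Optional


class PkiRealm:
    """Holds the fingerprint expected for the CA root certificate of one PKI domain."""

    SUPPORTED = ("sha1", "sha256")      # sha1 appears on the page; sha256 is an addition

    def __init__(self, name: str):
        self.name = name
        self.fingerprint: Optional[Dict[str, str]] = None

    def configure_fingerprint(self, algorithm: str, value: str) -> None:
        """Store the expected digest; accepts '7a34...', '7A:34:...' or space-separated hex."""
        algorithm = algorithm.lower()
        if algorithm not in self.SUPPORTED:
            raise ValueError(f"unsupported fingerprint algorithm {algorithm!r}")
        digits = value.replace(":", "").replace(" ", "").lower()
        expected_len = hashlib.new(algorithm).digest_size * 2
        if len(digits) != expected_len or any(c not in "0123456789abcdef" for c in digits):
            raise ValueError("fingerprint must be a hex digest of the right length")
        self.fingerprint = {"algorithm": algorithm, "value": digits}

    def accept_root_certificate(self, der_bytes: bytes) -> bool:
        """True only if the digest of the offered root matches the configured fingerprint.
        Assumption: an unpinned domain refuses the root rather than prompting."""
        if self.fingerprint is None:
            return False
        actual = hashlib.new(self.fingerprint["algorithm"], der_bytes).hexdigest()
        return hmac.compare_digest(actual, self.fingerprint["value"])


def fingerprint_of(der_bytes: bytes, algorithm: str = "sha1") -> str:
    """The fingerprint an operator would record for a known-good root certificate."""
    return hashlib.new(algorithm, der_bytes).hexdigest()


# Constructed stand-ins for DER-encoded root certificates (not real certificates).
GOOD_ROOT = b"\x30\x82\x01\x0a" + b"demo-root-ca".ljust(48, b"\x00")
ROGUE_ROOT = b"\x30\x82\x01\x0a" + b"rogue-root-ca".ljust(48, b"\x00")
```

The operator-side step is computing `fingerprint_of` on a copy of the root obtained from the CA by a trusted channel and configuring that value; anything the SCEP URL later hands back that hashes differently is rejected.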
By default, no certificate revocation password is configured on the AR1200-S. ----End 12.4.7 (Optional) Configuring the RSA Key Length of Certificates After the RSA key length of certificates is set, the AR1200-S generates the RSA key of the specified length when requesting a certificate. Context An RSA key pair contains a public key and a private key.
Step 3 Run: source interface interface-name The source interface is specified. The AR1200-S uses the IP address of this interface to set up a TCP connection. By default, the AR1200-S uses an outbound interface's IP address as the source IP address for TCP connection setup.
12.5 Configuring Certificate Enrollment Certificate enrollment is a process in which an entity registers with a CA and obtains a certificate from the CA. During this process, the entity provides the identity information and public key, which will be added to the certificate issued to the entity.
Prerequisites A PKI domain has been created and configured. For details, see 12.4 Configuring a PKI Domain. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: pki enroll-certificate pki-realm-name [ pkcs10 [ filename filename ] ] Manual certificate enrollment is configured.
By default, no PKI domain is configured on the AR1200-S. Step 3 Run: auto-enroll [ percent ] [ regenerate ] The automatic certificate enrollment and update function is enabled.
The system view is displayed. Step 2 Run: pki realm realm-name A PKI domain is configured. By default, no PKI domain is configured on the AR1200-S. Step 3 Run: certificate-check { crl | none | ocsp } The certificate check mode is configured.
If the CDP URL is configured in the PKI domain, the PKI entity obtains the CRL from the specified URL. – Run: crl cache The AR1200-S is configured to use the buffered CRL for certificate check, without having to download the CRL from the CA. – Run: crl update-period hours The interval at which a PKI entity downloads a CRL from a CRL storage server is configured.
The system view is displayed. Step 2 Run: pki import-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem } The external certificate is imported to the AR1200-S. ----End
12.7.3 Exporting a Certificate To provide a certificate for another device, export the certificate. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: pki export-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem } The certificate is exported and saved in a file.
Table 12-1 Data plan Item Data PKI entity PKI entity name: user01 - Entity's common name: hello - Entity's country code: CN - Entity's province name: jiangsu - Entity's organization name: huawei...
# Configure the trusted CA, bound entity, enrollment URL, and root certificate fingerprint. [Huawei] pki realm test [Huawei-pki-realm-test] ca id ca_root [Huawei-pki-realm-test] entity user01 [Huawei-pki-realm-test] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra...
fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf return 12.8.2 Example for Configuring PKI in IPSec Networking Requirements As shown in Figure 12-4, devices in two subnets communicate with the Internet using respective gateways and need to establish an IPSec tunnel to transmit data flows.
Table 12-2 Data plan of RouterA Item Data PKI entity PKI entity name: routera - Entity's common name: helloa - Entity's country code: CN - Entity's province name: jiangsu...
Table 12-3 Data plan of RouterB Item Data PKI entity PKI entity name: routerb - Entity's common name: hellob - Entity's country code: CN - Entity's province name: jiangsu...
Procedure Step 1 Configure interface IP addresses and routes to enable IPSec peers and CA to communicate. Step 2 Configure a PKI entity. # Configure RouterA. <Huawei> system-view...
Step 5 Configure access control lists (ACLs) and define the data flows to be protected in the ACLs. # Configure RouterA. [Huawei] acl 3000 [Huawei-acl-adv-3000] rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0 [Huawei-acl-adv-3000] rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0 [Huawei-acl-adv-3000] quit # Configure RouterB. [Huawei] acl 3000 [Huawei-acl-adv-3000] rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0...
[Huawei] interface gigabitethernet 0/0/1 [Huawei-GigabitEthernet0/0/1] ipsec policy routerb [Huawei-GigabitEthernet0/0/1] quit Step 8 Configure devices to request a certificate and download it for IKE negotiation. # Configure RouterA. [Huawei] pki enroll-certificate testa Create a challenge password.
[Huawei] ping 2.2.2.1 PING 2.2.2.1: 56 data bytes, press CTRL_C to break Reply from 2.2.2.1: bytes=56 Sequence=1 ttl=255 time=3 ms Reply from 2.2.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms Reply from 2.2.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms...
country CN state jiangsu organization huawei organization-unit info common-name helloa pki realm testa ca id ca_root enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra entity routera fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf certificate-check none return Configuration file of RouterB router id 3.3.3.3...
This chapter describes the keychain fundamentals. It also provides keychain configuration steps based on different parameters along with a typical example. 13.1 Introduction to Keychain 13.2 Keychain Features Supported by the AR1200-S 13.3 Configuring Basic Keychain Functions This section describes how to configure the basic functions of the keychain module.
Thus the system needs a mechanism to achieve centralization of all authentication processing and dynamic changes of the authentication algorithm and keys without much human intervention. To achieve this functionality the keychain module is used. 13.2 Keychain Features Supported by the AR1200-S The AR1200-S supports the following keychain features: Authentication for applications An application that requires authentication support has to reference a keychain.
send-key-id. There can be only one default send-key-id in a keychain. When any key-id becomes active, the application uses the new active key-id instead of the default send-key-id.
Data Key-string for each key-id Authentication algorithm for each key-id Send and Receive time for each key-id Receive tolerance if required 13.3.2 Creating a Keychain Procedure Step 1 Run: system-view The system view is displayed.
NOTE Receive tolerance can be configured in the following two ways: - Specifying a particular receive tolerance value in minutes, which can be a maximum of 10 days (14400 minutes).
Key-string is the authentication string used while sending and receiving the packets. In case of plain text the password string is displayed as un-encrypted text. In case of cipher text the password string is displayed in encrypted form.
Step 4 Run: default send-key-id The key-id is set as the default send-key-id. NOTE Only one key-id in a keychain can be configured as the default send-key-id. ----End 13.3.8 Configuring send-time of a key-id...
The system view is entered. Run: keychain keychain-name mode periodic weekly The keychain is created in weekly periodic timing mode and the keychain view is entered. Run: key-id key-id The key-id is created and the key-id view is entered.
NOTE Send-time for a key-id is configured according to the timing mode defined for the keychain. Only one send key-id in a keychain can be active at a time. The send-times of different key-ids in a keychain must not overlap each other.
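The rules stated across 13.2 and 13.3 (one default send-key-id that is used only while no key-id is active, send-times that must not overlap, and a receive tolerance of up to 14400 minutes that keeps an expiring key acceptable during rollover) can be exercised with a small model. The following Python is an added example, not the router's keychain implementation. It assumes absolute-mode timers, applies the receive tolerance at both ends of the receive window, and uses HMAC with a hashlib digest name in place of the device's algorithm names. The keychain, secrets and timestamps are constructed; the 2012-03-14 to 2012-08-08 window mirrors the display output shown in 13.3.10.

```python
"""Model of keychain send/receive key selection with receive tolerance.
Illustrative code, not device firmware; all keys and times are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple, Union

When = Union[str, datetime]


def _at(when: When) -> datetime:
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


@dataclass
class KeyId:
    key_id: int
    key_string: bytes
    algorithm: str                  # hashlib digest name used by HMAC (assumption)
    send_start: datetime
    send_end: datetime
    receive_start: datetime
    receive_end: datetime

    def send_active(self, now: datetime) -> bool:
        return self.send_start <= now <= self.send_end

    def receive_active(self, now: datetime, tolerance: timedelta) -> bool:
        # Receive tolerance widens the receive window at both ends (assumption).
        return self.receive_start - tolerance <= now <= self.receive_end + tolerance

    def mac(self, message: bytes) -> str:
        return hmac.new(self.key_string, message, self.algorithm).hexdigest()


class Keychain:
    def __init__(self, name: str, receive_tolerance_minutes: int = 0):
        if not 0 <= receive_tolerance_minutes <= 14400:      # at most 10 days
            raise ValueError("receive tolerance must be 0..14400 minutes")
        self.name = name
        self.tolerance = timedelta(minutes=receive_tolerance_minutes)
        self.keys: Dict[int, KeyId] = {}
        self.default_send_key_id: Optional[int] = None

    def add_key(self, key: KeyId) -> None:
        """Reject a key whose send-time overlaps an existing key's send-time."""
        for other in self.keys.values():
            if key.send_start <= other.send_end and other.send_start <= key.send_end:
                raise ValueError(f"send-time of key-id {key.key_id} overlaps key-id {other.key_id}")
        self.keys[key.key_id] = key

    def set_default_send_key(self, key_id: int) -> None:
        if key_id not in self.keys:
            raise ValueError(f"key-id {key_id} does not exist")
        if self.default_send_key_id is not None:
            raise ValueError("only one default send-key-id is allowed")
        self.default_send_key_id = key_id

    def active_send_key(self, when: When) -> Optional[KeyId]:
        """The key whose send-time contains `when`; otherwise the default send-key-id."""
        now = _at(when)
        for key in self.keys.values():
            if key.send_active(now):
                return key
        if self.default_send_key_id is not None:
            return self.keys[self.default_send_key_id]
        return None

    def receive_keys(self, when: When) -> List[int]:
        now = _at(when)
        return sorted(k.key_id for k in self.keys.values() if k.receive_active(now, self.tolerance))

    def sign(self, message: bytes, when: When) -> Tuple[int, str]:
        key = self.active_send_key(when)
        if key is None:
            raise RuntimeError("no active or default send key")
        return key.key_id, key.mac(message)

    def verify(self, message: bytes, key_id: int, mac: str, when: When) -> bool:
        if key_id not in self.receive_keys(when):
            return False
        return hmac.compare_digest(self.keys[key_id].mac(message), mac)


def make_key(key_id: int, secret: str, send: Tuple[str, str], receive: Tuple[str, str]) -> KeyId:
    return KeyId(key_id, secret.encode(), "sha256",
                 _at(send[0]), _at(send[1]), _at(receive[0]), _at(receive[1]))


def build_demo_keychain() -> Keychain:
    """Constructed demo: two keys handing over on 2012-08-09 with 60 minutes of tolerance."""
    kc = Keychain("demo", receive_tolerance_minutes=60)
    kc.add_key(make_key(1, "first-secret", ("2012-03-14T00:00", "2012-08-08T23:59"),
                        ("2012-03-14T00:00", "2012-08-08T23:59")))
    kc.add_key(make_key(2, "second-secret", ("2012-08-09T00:00", "2012-12-31T23:59"),
                        ("2012-08-09T00:00", "2012-12-31T23:59")))
    kc.set_default_send_key(1)
    return kc
```

The tolerance is what keeps a packet signed just before midnight with key-id 1 verifiable on a peer that has already switched to key-id 2; without it, clock skew between peers would cause authentication failures at every rollover.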
Run: keychain keychain-name mode periodic weekly The keychain is created in weekly periodic timing mode and the keychain view is entered. Run: key-id key-id The key-id is created and the key-id view is entered.
13.3.10 Checking the Configuration Prerequisites The configurations of the keychain are complete. Procedure Run the display keychain keychain-name command to view the current configuration of a keychain. Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain.
SEND TIMER Start time : 2012-03-14 00:00 End time : 2012-08-08 23:59 Status : Active RECEIVE TIMER Start time : 2012-03-14 00:00 End time : 2012-08-08 23:59 Status...
13.4.2 Configuring TCP Kind of a Keychain Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: keychain keychain-name The keychain view is entered. Step 3 Run: tcp-kind kind-value The TCP kind value for the keychain is configured.
Prerequisites The configurations of the keychain are complete. Procedure Run the display keychain keychain-name command to view the current configuration of a keychain. Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain.
Start time : 2012-03-14 00:00 End time : 2012-08-08 23:59 Status : Active DEFAULT SEND KEY ID INFORMATION Default : Not configured 13.5 Configuration Examples This section provides configuration examples of the keychain module.
14 Configuration of Attack Defense and Application Layer Association About This Chapter Attack defense and application layer association can prevent packets from attacking the CPU, which ensures that the device runs normally while it is under attack.
14.1 Overview of Attack Defense and Application Layer Association Attacks on TCP/IP networks are increasing steadily. Attacks on network devices may cause the network to be disabled or unavailable.
Supported by AR1200-S The AR1200-S supports defense against various attacks such as malformed packet attacks, fragmented packet attacks, and flooding attacks. In addition, the AR1200-S offers the application layer association module to implement association with the application layer and packet filtering at the application layer.
When a protocol is disabled, the AR1200-S directly discards packets of this protocol to prevent attacks. When a protocol is enabled, the AR1200-S limits the rate of protocol packets sent to the CPU to protect the CPU. The application layer association module supports SNMP, HW-TACACS, NTP, SSH, DHCP, 802.1x, and PIM protocols and supports HTTP server, Telnet server, STelnet server, FTP server,...
To prevent the network devices from being attacked and to ensure normal network services, defense against abnormal packet attacks must be configured.
Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: anti-attack fragment enable Defense against packet fragment attacks is enabled.
14.4.1 Establishing the Configuration Task This section describes the applicable environment, required tasks, and data for configuring defense against flood attacks. Applicable Environment Different types of attacks on a network cause network devices to be overloaded, and even to fail, thus affecting network services.
The rate of sending TCP SYN packets is restricted. ----End 14.4.3 Configuring Defense Against UDP Flood Attacks The main measure for defending against UDP flood attacks is to limit the rate of UDP packets.
14.4.5 Checking the Configuration After configuring defense against flood attacks, you can view statistics about defense against flood attacks on the interface board.
Applicable Environment To prevent network devices from being attacked by the packets of idle protocols, and to prevent network congestion, excessively high CPU usage, and DoS attacks, application layer association is required and the protocol module must be disabled.
14.6 Maintaining Attack Defense and Application Layer Association This section describes how to clear statistics about attack defense. 14.6.1 Clearing Statistics of Attack Defense and Application Layer...
Enable defense against packet fragment attacks and restrict the rate for sending packet fragments to 15000 bit/s to prevent packet fragments from attacking the CPU and using excessive CPU and system resources.
IP address of each interface Restricted rate of sending packets to the CPU Procedure Step 1 Configure the IP addresses and routes of each interface to guarantee internetworking (omitted).
interface GigabitEthernet1/0/0 ip address 100.111.1.1 255.255.255.252 anti-attack fragment car cir 15000 anti-attack tcp-syn car cir 15000 anti-attack icmp-flood car cir 15000 return...
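The `anti-attack ... car cir 15000` lines in the configuration above limit the rate at which fragments, TCP SYN and ICMP packets are sent to the CPU to 15000 bit/s, the figure 14.4 and the example motivate. The following Python is an added example of committed access rate limiting as a token bucket, not the router's implementation; the bucket depth (one second of CIR) and the packet traces are assumptions made here. It shows what the defense does to a burst of fragments against a stream that stays under the rate.

```python
"""Token-bucket model of 'anti-attack <type> car cir <bit/s>' rate limiting toward the CPU.
Illustrative code, not device firmware; FLOOD and STEADY are constructed traces."""
from typing import List, Optional, Sequence, Tuple

Packet = Tuple[float, int]          # (arrival time in seconds, size in bytes)


class CarLimiter:
    """Committed access rate: tokens are bits, refilled at cir bit/s up to `depth` bits."""

    def __init__(self, cir_bps: int, depth_bits: Optional[int] = None):
        if cir_bps <= 0:
            raise ValueError("cir must be positive")
        self.cir = cir_bps
        self.depth = depth_bits if depth_bits is not None else cir_bps   # one second of CIR
        self.tokens = float(self.depth)
        self.last = 0.0
        self.passed = self.dropped = 0

    def offer(self, now: float, size_bytes: int) -> bool:
        """Admit the packet to the CPU if enough tokens remain; otherwise drop it."""
        if now < self.last:
            raise ValueError("packets must be offered in time order")
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.cir)
        self.last = now
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            self.passed += 1
            return True
        self.dropped += 1
        return False


def rate_limit(cir_bps: int, packets: Sequence[Packet]) -> List[bool]:
    """Run a packet trace through one limiter and return the per-packet decision."""
    limiter = CarLimiter(cir_bps)
    return [limiter.offer(t, size) for t, size in sorted(packets)]


def summarize(decisions: Sequence[bool]) -> Tuple[int, int]:
    """(passed, dropped) counts, the figures the attack-defense statistics would show."""
    passed = sum(1 for d in decisions if d)
    return passed, len(decisions) - passed


# Constructed traces: a fragment flood of 500-byte packets in bursts of ten at t=0 s and
# t=1 s (80000 bit/s offered), and a well-behaved stream of one 500-byte packet per 0.5 s
# (8000 bit/s), both against the page's 15000 bit/s CIR.
FLOOD = [(0.0, 500)] * 10 + [(1.0, 500)] * 10
STEADY = [(0.5 * i, 500) for i in range(10)]
```

At 15000 bit/s the bucket admits three 4000-bit fragments per second and drops the rest, so the CPU sees a bounded load whatever the offered rate; the 8000 bit/s stream never exhausts the bucket and passes untouched.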