Huawei AR1200-S Configuration Manual

Enterprise routers

Huawei AR1200-S Series Enterprise Routers
V200R002C00
Configuration Guide - Security
Issue: 02
Date: 2012-03-30
HUAWEI TECHNOLOGIES CO., LTD.


Summary of Contents for Huawei AR1200-S

  • Page 1 Huawei AR1200-S Series Enterprise Routers V200R002C00 Configuration Guide - Security Issue Date 2012-03-30 HUAWEI TECHNOLOGIES CO., LTD.
  • Page 2 All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
  • Page 3: About This Document

    About This Document Intended Audience This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the security feature supported by the AR1200-S. This document describes how to configure the security feature. This document is intended for:...
  • Page 4: Command Conventions

    Changes in Issue 02 (2012-03-30) Based on issue 01 (2011-12-30), the document is updated as follows: The following information is modified: 2.2 HTTPS Features Supported by the AR1200-S 13.3.5 Configuring key-string of a key-id Issue 02 (2012-03-30) Huawei Proprietary and Confidential...
  • Page 5 Huawei AR1200-S Series Enterprise Routers Configuration Guide - Security About This Document Changes in Issue 01 (2011-12-30) Initial commercial release.
  • Page 6: Table Of Contents

    1.7.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting (page 31)
    2 HTTPS Configuration (page 35)
    2.1 HTTPS Overview (page 36)
    2.2 HTTPS Features Supported by the AR1200-S (page 36)
    2.3 Configuring the AR1200-S as an HTTPS Server (page 36)
    2.4 Configuration Examples (page 38)
    ...
  • Page 7
    2.4.1 Example for Configuring the Router as an HTTPS Server (page 38)
    3 Firewall Configuration (page 42)
    3.1 Firewall Overview (page 44)
    3.2 Firewall Features Supported by the AR1200-S (page 44)
    3.3 Configuring Zones (page 50)
    3.3.1 Establishing the Configuration Task (page 50)
    3.3.2 Creating a Zone (page 51)
    3.3.3 Adding an Interface to the Zone (page 51)
    3.3.4 Creating an Interzone (page 52)
    ...
  • Page 8
    3.14.2 Example for Configuring ASPF and Port Mapping (page 83)
    3.14.3 Example for Configuring the Blacklist (page 86)
    4 Traffic Suppression Configuration (page 90)
    4.1 Traffic Suppression Overview (page 91)
    4.2 Traffic Suppression Features Supported by the AR1200-S (page 91)
    4.3 Configuring Traffic Suppression (page 91)
    4.3.1 Establishing the Configuration Task (page 91)
    4.3.2 Configuring Traffic Suppression on an Interface (page 92)
    4.3.3 Checking the Configuration (page 93)
    ...
  • Page 9
    5.3.13 (Optional) Configuring a Guest VLAN for 802.1x Authentication (page 109)
    5.3.14 (Optional) Configuring a Restrict VLAN for 802.1x Authentication (page 110)
    5.3.15 (Optional) Enabling the Handshake Function (page 111)
    5.3.16 (Optional) Setting the Maximum Number of Times the AR1200-S Sends Authentication Requests (page 111)
    5.3.17 Checking the Configuration (page 112)
    5.4 Configuring MAC Address Authentication (page 112)
    ...
  • Page 10
    7.4 Configuring the AR1200-S to Discard Specified ICMP Packets (page 153)
    7.4.1 Establishing the Configuration Task (page 153)
    7.4.2 Configuring the AR1200-S to Discard the ICMP Packets with TTL Value of 1 (page 153)
    7.4.3 Configuring the AR1200-S to Discard the ICMP Packets with Options (page 154)
    7.4.4 Configuring the AR1200-S to Discard ICMP Destination-Unreachable Packets (page 154)
    7.4.5 Checking the Configuration (page 155)
    ...
  • Page 11
    9.6.1 Example for Configuring an Attack Defense Policy (page 178)
    10 ACL Configuration (page 184)
    10.1 ACL Overview (page 185)
    10.2 ACL Features Supported by the AR1200-S (page 185)
    10.3 Configuring a Basic ACL (page 188)
    10.3.1 Establishing the Configuration Task (page 188)
    10.3.2 (Optional) Creating a Time Range for a Basic ACL (page 189)
    10.3.3 Creating a Basic ACL (page 189)
    ...
  • Page 12
    11 SSL Configuration (page 217)
    11.1 SSL Overview (page 218)
    11.2 SSL Features Supported by the AR1200-S (page 220)
    11.3 Configuring a Server SSL Policy (page 220)
    11.4 Configuring a Client SSL Policy (page 222)
    11.5 Configuration Examples (page 224)
    11.5.1 Example for Configuring a Server SSL Policy (page 224)
    11.5.2 Example for Configuring a Client SSL Policy (page 227)
    ...
  • Page 13
    14 Configuration of Attack Defense and Application Layer Association (page 280)
    14.1 Overview to Attack Defense and Application Layer Association (page 281)
    14.1.1 Overview of Attack Defense and Application Layer Association (page 281)
    14.1.2 Attack Defense and Application Layer Association Supported by AR1200-S (page 282)
    14.2 Configuring Abnormal Packet Attack Defense (page 283)
    14.2.1 Establishing the Configuration Task (page 283)
    14.2.2 Enabling Defense Against Abnormal Packet Attacks (page 284)
    ...
  • Page 14
    14.5 Configuring Application Layer Association (page 289)
    14.5.1 Establishing the Configuration Task (page 289)
    14.5.2 Configuring Application Layer Association (page 290)
    14.6 Maintenance Attack Defense and Application Layer Association (page 291)
    14.6.1 Clearing Statistics of Attack Defense and Application Layer Association (page 291)
    14.7 Configuration Example (page 291)
    ...
  • Page 15: AAA Configuration

    1 AAA Configuration. About This Chapter: The AAA-capable AR1200-S checks the validity of users and delivers rights to authorized users to ensure network security. 1.1 AAA Overview: Authentication, Authorization, and Accounting (AAA) is a security technology.
  • Page 16: AAA Overview

    AAA server (a RADIUS server or an HWTACACS server). 1.2 AAA Features Supported by the AR1200-S The AR1200-S supports RADIUS and HWTACACS authentication, authorization, and accounting (AAA), and also local authentication and authorization. RADIUS Authentication, Authorization, and Accounting RADIUS uses the client/server model and protects a network from unauthorized access.
  • Page 17 NOTE: In RADIUS authentication for an administrator, the AR1200-S checks whether the access type of the administrator is the same as that specified in the Access-Accept packet sent by the RADIUS server. If not, the administrator fails to be authenticated.
  • Page 18 Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control. Figure 1-3 shows messages exchanged between a Telnet user, the AR1200-S, and the HWTACACS server. Figure 1-3 HWTACACS authentication, authorization, and accounting...
  • Page 19: Configuring Local Authentication And Authorization

    The AR1200-S sends an authentication request packet to the HWTACACS server after receiving the request packet. The HWTACACS server sends an authentication response packet to request the user name. The AR1200-S sends a packet to request the user name after receiving the authentication response packet. The user enters the user name.
  • Page 20: Establishing The Configuration Task

    Name of a domain 1.3.2 Configuring a Local User To configure local authentication and authorization, configure the authentication and authorization information on the AR1200-S, including the user name, password, and user level.
  • Page 21 The FTP directory that the local user can access is configured. By default, the FTP directory of a local user is empty. When the AR1200-S functions as an FTP server, you must configure the FTP directory that FTP users can access. Otherwise, FTP users cannot access the AR1200-S.
  • Page 22: Configuring Authentication And Authorization Schemes

    • If a local user is in active state, the AR1200-S accepts and processes the authentication request from the user.
    • If a local user is in blocking state, the AR1200-S rejects the authentication request from the user.
  • Page 23: Configuring A Domain

    (Optional) Run: quit Return to the AAA view. (Optional) Run: domainname-parse-direction { left-to-right | right-to-left } The direction in which the user name and domain name are parsed is configured.
  • Page 24: Checking The Configuration

    A domain is created and the domain view is displayed. The AR1200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators. Step 4 Run: authentication-scheme authentication-scheme-name An authentication scheme is applied to the domain.
  • Page 25: Configuring Radius Aaa

    Run the display authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration. Run the display access-user [ domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance instance-name ] | mac-address mac-address | slot slot-id | ssid ssid-name | user-id user-number ] command to check the summary of all online users.
  • Page 26: Configuring Aaa Schemes

    Data:
    • Name of an authentication scheme
    • Name of an accounting scheme
    • Name of a RADIUS server template
    • IP addresses and port numbers of the primary RADIUS authentication servers...
  • Page 27 NOTE If multiple authentication modes are configured in an authentication scheme, authentication modes are used according to the sequence in which they were configured. The AR1200-S uses the authentication mode that was configured later only after the current authentication mode fails.
  • Page 28: Configuring a RADIUS Server Template

    If multiple accounting modes are configured in an accounting scheme, accounting modes are used according to the sequence in which they were configured. The AR1200-S uses the accounting mode that was configured later only after the current accounting mode fails.
  • Page 29 Step 9 (Optional) Run: radius-server user-name domain-included The AR1200-S is configured to encapsulate the domain name in the user name in RADIUS packets to be sent to a RADIUS server. By default, the AR1200-S encapsulates the domain name in the user name when sending RADIUS packets to a RADIUS server.
  • Page 30: Configuring A Domain

    By default, the traffic unit is byte on the AR1200-S. Step 11 (Optional) Run: radius-server { retransmit retry-times | timeout time-value } The number of times RADIUS request packets are retransmitted and timeout interval are set.
  • Page 31 A domain is created and the domain view is displayed. The AR1200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators. Step 4 Run: authentication-scheme authentication-scheme-name An authentication scheme is applied to the domain.
  • Page 32: Checking The Configuration

    1.4.5 Checking the Configuration Prerequisites The RADIUS AAA configurations are complete. Procedure Run the display aaa configuration command to check the AAA summary. Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
  • Page 33 Accounting: records all the operations performed by a user and the service type, start time, and data traffic. HWTACACS prevents unauthorized users from attacking a network and provides command line authorization.
  • Page 34: Configuring AAA Schemes

    NOTE If multiple authentication modes are configured in an authentication scheme, authentication modes are used according to the sequence in which they were configured. The AR1200-S uses the authentication mode that was configured later only after the current authentication mode fails.
  • Page 35 If multiple authorization modes are configured in an authorization scheme, authorization modes are used in the sequence in which they were configured. The AR1200-S uses the authorization mode that was configured later only after the current authorization mode fails. The AR1200-S stops the authorization if the user fails to pass the authorization.
  • Page 36: Configuring an HWTACACS Server Template

    If multiple accounting modes are configured in an accounting scheme, accounting modes are used according to the sequence in which they were configured. The AR1200-S uses the accounting mode that was configured later only after the current accounting mode fails.
  • Page 37 The system view is displayed. Step 2 (Optional) Run: hwtacacs enable HWTACACS is enabled. Step 3 Run: hwtacacs-server template template-name An HWTACACS server template is created and the HWTACACS server template view is displayed.
  • Page 38 The AR1200-S is configured to encapsulate the source IP address in HWTACACS packets to be sent to an HWTACACS server. By default, the source IP address in HWTACACS packets is 0.0.0.0. The AR1200-S uses the IP address of the actual outbound VLANIF interface as the source IP address in HWTACACS packets.
  • Page 39: Configuring A Domain

    A domain is created and the domain view is displayed. The AR1200-S has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators. Step 4 Run:...
  • Page 40: Checking The Configuration

    authentication-scheme authentication-scheme-name An authentication scheme is applied to the domain. By default, the default authentication scheme is applied to a domain. Step 5 (Optional) Run: authorization-scheme authorization-scheme-name An authorization scheme is applied to the domain.
  • Page 41: Maintaining AAA

    Prerequisites The HWTACACS AAA configurations are complete. Procedure Run the display aaa configuration command to check the AAA summary. Run the display authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
  • Page 42: Configuration Examples

    1-4, users access the network through RouterA and belong to the domain huawei. RouterB functions as the network access server of the destination network. Request packets from users need to traverse the network where RouterA and RouterB are located to reach the authentication server.
  • Page 43 Configuration Roadmap: The configuration roadmap is as follows: 1. Configure a RADIUS server template. 2. Configure an authentication scheme and an accounting scheme. 3. Apply the RADIUS server template, authentication scheme, and accounting scheme to the domain.
  • Page 44
    # Configure accounting scheme 1 and set the accounting method to RADIUS accounting.
    [Huawei-aaa] accounting-scheme 1
    [Huawei-aaa-accounting-1] accounting-mode radius
    [Huawei-aaa-accounting-1] quit
    Step 4 Configure a domain huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS server template shiva to the domain.
    [Huawei-aaa] domain huawei
    [Huawei-aaa-domain-huawei] authentication-scheme 1
    ...
  • Page 45: Example For Configuring Hwtacacs Authentication, Authorization, And Accounting

    accounting-mode radius
    domain default
    domain default_admin
    domain huawei
     authentication-scheme 1
     accounting-scheme 1
     radius-server shiva
    return
    1.7.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting. Networking Requirements: As shown in...
  • Page 46 Configuration Roadmap: The configuration roadmap is as follows: 1. Configure an HWTACACS server template. 2. Configure authentication, authorization, and accounting schemes. 3. Apply the HWTACACS server template, authentication, authorization, and accounting schemes to the domain.
  • Page 47
    # Set the interval of real-time accounting to 3 minutes.
    [Huawei-aaa-accounting-hwtacacs] accounting realtime 3
    [Huawei-aaa-accounting-hwtacacs] quit
    Step 3 Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme HWTACACS, accounting scheme HWTACACS, and the HWTACACS server template ht to the domain.
  • Page 48
    Service-scheme-name
    RADIUS-server-group
    HWTACACS-server-template : ht
    ----End
    Configuration Files
    hwtacacs-server template ht
     hwtacacs-server authentication 129.7.66.66
     hwtacacs-server authentication 129.7.66.67 secondary
     hwtacacs-server authorization 129.7.66.66
     hwtacacs-server authorization 129.7.66.67 secondary
     hwtacacs-server accounting 129.7.66.66
     hwtacacs-server accounting 129.7.66.67 secondary
    ...
  • Page 49: HTTPS Configuration

    2.2 HTTPS Features Supported by the AR1200-S The AR1200-S supports the HTTPS server function. 2.3 Configuring the AR1200-S as an HTTPS Server The HTTPS server function allows users to securely access the AR1200-S on web pages. 2.4 Configuration Examples This section provides an HTTPS configuration example.
  • Page 50: HTTPS Overview

    2.2 HTTPS Features Supported by the AR1200-S The AR1200-S supports the HTTPS server function. An AR1200-S functions as an HTTPS server after the HTTPS server function is configured. The AR1200-S uses the SSL protocol's data encryption, identity authentication, and message integrity check mechanisms to protect security of data transmitted between users and the AR1200-S.
  • Page 51 Applicable Environment: When users access a remote AR1200-S functioning as an HTTP server, the following problems exist: users cannot authenticate the AR1200-S, and the privacy of data transmitted between users and the AR1200-S cannot be protected.
  • Page 52: Configuration Examples

    2.4 Configuration Examples This section provides an HTTPS configuration example. 2.4.1 Example for Configuring the Router as an HTTPS Server This section describes how to configure an HTTPS server to allow the administrator of an enterprise to remotely log in to a gateway.
  • Page 53
    Router's interface connected to the Internet: Ethernet1/0/0
    IP address of Ethernet1/0/0: 2.1.1.1/24
    IP address of the CA: 3.1.1.1/24
    PKI parameters, as shown in the following table (Item / Data)...
  • Page 54
    mscep.dll ra
    [Router-pki-realm-admin] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
    [Router-pki-realm-admin] quit
    # Enroll the certificate manually.
    [Router] pki enroll-certificate admin
    Info: Start certificate enrollment ...
    Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
  • Page 55
    Server certificate load status    loaded
    Bind number
    SSL connection number
    -----------------------------------------------------------------------------
    # Start the web browser on the host Admin and enter https://2.1.1.1:1278 in the address box. The web management system of the Router is displayed, and the administrator can securely access and manage the Router on web pages.
  • Page 56: Firewall Configuration

    IP address scanning and port scanning defense on the attack defense module of the AR1200-S. When the AR1200-S detects that the connection rate of an IP address or a port exceeds the threshold, the AR1200-S considers that a scanning attack occurs, and adds the source IP address to the blacklist.
  • Page 57 3.9 Configuring the Aging Time of the Firewall Session Table 3.10 Configuring the Attack Defense Function The AR1200-S attack defense function prevents attacks to the CPU. It ensures that the server operates normally even when it is attacked. 3.11 Configuring Traffic Statistics and Monitoring The AR1200-S supports traffic statistics and monitoring at the system level, zone level, and IP address level.
  • Page 58: Firewall Overview

    3.2 Firewall Features Supported by the AR1200-S The firewall features supported by the AR1200-S include ACL-based packet filtering, blacklist, whitelist, application specific packet filter (ASPF), port mapping, virtual firewall, attack defense, traffic statistics and monitoring, and logs.
  • Page 59 The AR1200-S considers that the data transmission within a zone is reliable; therefore, it does not enforce any security policy on the intra-zone data transmission. The AR1200-S verifies the data and enforces the security policies only when the data flows from one zone to another.
  • Page 60: Port Mapping

    High security; insufficient costs to afford a private security device. Logically, the AR1200-S can be divided into multiple virtual firewalls to serve multiple small-scale private networks. By using the virtual firewall function, an ISP can lease network security services to the enterprises.
  • Page 61: Attack Defense

    If the number of TCP sessions initiated by external networks to Web server 129.9.0.1 exceeds the threshold, the AR1200-S forbids external networks to initiate new sessions until the number of sessions is smaller than the threshold.
  • Page 62: Land Attack

    other attacks because DoS attackers do not search for the ingress of a network but prevent authorized users from accessing resources or routers. Scanning and snooping attack Scanning and snooping attacks identify the existing systems on the network through ping scanning (including ICMP and TCP scanning), and then discover potential targets.
  • Page 63: Ping of Death Attack

    ICMP and UDP Flood Attack ICMP and UDP Flood attacks send a large number of ICMP packets (such as ping packets) and UDP packets to the target host in a short time and request responses. The host is then overloaded and cannot process valid tasks.
  • Page 64: Configuring Zones

    bandwidth. If the source port is changed to Chargen and destination port is changed to ECHO, the systems generate response packets continuously and cause serious damage. IP-Fragment Attack In an IP packet, some fields are relevant to flag bits and fragments, including Fragment Offset, Length, Don't Fragment (DF), and MF.
  • Page 65: Creating A Zone

    The system view is displayed. Step 2 Run: firewall zone zone-name A zone is created. The AR1200-S can be configured with up to 255 zones, and no default zone is provided. Step 3 Run: priority security-priority The priority of the zone is set.
  • Page 66: Creating An Interzone

    The interface view is displayed. Step 3 Run: zone zone-name The interface is added to the zone. ----End 3.3.4 Creating an Interzone Create the interzone so you can enable the firewall to filter packets or application-layer services in the specified interzone.
  • Page 67: Checking The Configuration

    3.3.6 Checking the Configuration After configuring the zones and interzone, you can view information about the zones and interzone. Procedure Run the display firewall zone [ zone-name ] [ interface | priority ] command to view information about the zones.
  • Page 68: Configuring ACL-Based Packet Filtering in an Interzone

    3.4.2 Configuring ACL-based Packet Filtering in an Interzone The packet filtering firewall filters packets through ACLs. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: acl [ number ] acl-number [ match-order { config | auto } ] An ACL is created and the ACL view is displayed.
  • Page 69: Checking The Configuration

    IP address scanning and port scanning defense on the attack defense module of the AR1200-S. When the AR1200-S detects that the connection rate of an IP address or a port exceeds the threshold, the AR1200-S considers that a scanning attack occurs, and adds the source IP address to the blacklist.
  • Page 70: Enabling The Blacklist Function

    Data (Optional) Aging time of blacklist entries 3.5.2 Enabling the Blacklist Function To make the entries added to the blacklist manually or dynamically effective, you must first enable the blacklist function.
  • Page 71: Configuring Blacklist And Whitelist Using The Configuration File

    NOTE The blacklist entries without the aging time are added to the configuration file. The entries configured with the aging time are not added to the configuration file, but you can view them by using the display firewall blacklist command.
  • Page 72: Checking The Configuration

    Step 2 Run: firewall black-white-list load configuration-file configuration-file-name The blacklist and whitelist configuration file is loaded. The configured blacklist takes effect only after you run the firewall blacklist enable command to enable the blacklist.
  • Page 73: Adding Entries To The Whitelist Manually

    Applicable Environment Whitelists are applicable to networks where some devices send valid service packets that resemble IP address scanning attack or port scanning attack. Whitelists prevent these devices from being added to the blacklist.
  • Page 74: Configuring Blacklist And Whitelist Using The Configuration File

    Follow-up Procedure Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file to load next time. 3.6.3 Configuring Blacklist and Whitelist Using the Configuration File You can configure blacklist and whitelist entries in a batch by loading the configuration file.
  • Page 75: Checking The Configuration

    The entries in the whitelist take effect directly and you do not need to enable the whitelist function. A blacklist supports up to 32 entries, and a whitelist supports up to 32 entries.
  • Page 76: Configuring ASPF Detection

    ASPF is configured. Generally, the application-layer protocol packets are exchanged between the two parties in communication, so the direction does not need to be configured. The AR1200-S automatically checks the packets in both directions. By default, ASPF is not configured in the interzone.
  • Page 77: Configuring Port Mapping

    Port mapping is implemented based on the ACL. Only the packets matching an ACL rule are mapped. Port mapping employs the basic ACL (2000 to 2999). In the ACL-based packet filtering, the AR1200-S matches the destination IP address of the packet with the IP address configured in the basic ACL rule.
  • Page 78: Configuring Port Mapping

    Pre-configuration tasks:
    • Configuring zones and adding interfaces to the zones
    • Configuring the interzone and enabling the firewall function in the interzone
    • Creating the basic ACL and configuring ACL rules
    Data Preparation To configure port mapping, you need the following data.
  • Page 79: Configuring The Aging Time Of The Firewall Session Table

    This will help you complete the configuration task quickly and accurately. Applicable Environment The AR1200-S creates a session table for data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. The aging time is set for the session table of the firewall.
  • Page 80: Checking The Configuration

    Step 2 Run: firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media } aging-time time-value The aging time of the firewall session table is set.
  • Page 81: Configuring The Attack Defense Function

    : 120 --------------------------------------------- 3.10 Configuring the Attack Defense Function The AR1200-S attack defense function prevents attacks to the CPU. It ensures that the server operates normally even when it is attacked. 3.10.1 Establishing the Configuration Task Before configuring the attack defense function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration.
  • Page 82 The ICMP Flood attack defense is enabled. After the parameters for ICMP Flood attack defense are set, you must enable the ICMP Flood attack defense function; otherwise, the AR1200-S does not detect the attack packets or take attack defense measures.
  • Page 83 After the maximum length of ICMP packets is set, you must enable the large ICMP packet attack defense function; otherwise, the AR1200-S does not detect the attack packets or take attack defense measures. Step 11 Run: firewall defend ping-of-death enable The Ping of Death attack defense is enabled.
  • Page 84: Setting The Parameters For Flood Attack Defense

    To prevent Flood attacks, you need to specify the zones or IP addresses to be protected; otherwise, the attack defense parameters are invalid. You can also specify the maximum session rate. When the session rate exceeds the limit, the AR1200-S considers that an attack occurs and takes measures.
  • Page 85: Setting Parameters For Scanning Attack Defense

    Maximum session rate: When the session rate of an IP address or a port exceeds the limit, the AR1200-S considers that a scanning attack occurs, and then adds the IP address to the blacklist and denies new sessions from the IP address or port.
  • Page 86: Checking The Configuration

    3.11 Configuring Traffic Statistics and Monitoring The AR1200-S supports traffic statistics and monitoring at the system level, zone level, and IP address level.
  • Page 87: Establishing The Configuration Task

    The zone-based traffic statistics and monitoring take effect on the data flows between zones. That is, the AR1200-S counts the total number of TCP and UDP sessions between the local zone and other zones. When the number of sessions exceeds the threshold, the AR1200-S restricts the sessions until the number of sessions is less than the threshold.
  • Page 88: Enabling Traffic Statistics And Monitoring

    3.11.2 Enabling Traffic Statistics and Monitoring You can enable traffic statistics and monitoring at the system level, zone level, or IP address level as needed. Procedure Enabling system-level traffic statistics and monitoring...
  • Page 89 12000. When the number of TCP sessions in all interzones exceeds 15000, the AR1200-S denies all new TCP sessions in the interzone and reports an alarm to the information center. If traffic volume falls to 12000 below the lower threshold, the AR1200-S generates the recovery log and sends the log to the information center.
  • Page 90: Checking The Configuration

    When the number of TCP sessions initiated from an IP address in the local zone exceeds 10000, the AR1200-S denies new TCP sessions from this IP address. By default, the upper threshold and lower threshold for each type of protocol packets are 16384 and 12288.
  • Page 91: Establishing The Configuration Task

    Type of the log IP address and port number of the session log host, and the source IP address and source port number that the AR1200-S uses to communicate with the session log host Conditions for recording session logs, including the ACL number and the...
  • Page 92: Setting The Log Parameters

    The session logs are exported to a log host in real time; therefore, you need to configure the log host first. To configure the log host, you need to configure the IP address and port number of the log host and the IP address and port number that the AR1200-S uses to communicate with the log host.
  • Page 93: Checking The Configuration

    By default, no condition is configured in an interzone for recording session logs. ----End 3.12.4 Checking the Configuration After the log function is configured on the firewall, you can view information about the logs.
  • Page 94: Clearing The Firewall Statistics

    Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view the whitelist entries. Run the display firewall statistics system command to view the system-level traffic statistics.
  • Page 95: Configuration Examples

    3.14 Configuration Examples This section provides several firewall configuration examples. 3.14.1 Example for Configuring the ACL-based Packet Filtering Firewall This example shows the configuration of the ACL-based packet filtering firewall on a network.
  • Page 96 [Huawei-GigabitEthernet0/0/1] quit Step 3 Configure the ACL on the Router . [Huawei] acl 3102 [Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0 [Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0 [Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0...
  • Page 97: Example For Configuring Aspf And Port Mapping

    packet-filter default permit outbound packet-filter 3102 inbound ----End Configuration Files vlan 100 acl number 3102 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0...
  • Page 98: Telnet Server

    Figure 3-3 Network diagram for configuring ASPF and port mapping FTP server Web server 129.38.1.2 129.38.1.4 Ethernet0/0/0 GE0/0/1 Router 202.39.2.3 Internal network Telnet server 129.38.1.3 Configuration Roadmap The configuration roadmap is as follows: Configure zones and an interzone.
  • Page 99 [Huawei] acl 2102 [Huawei-acl-basic-2102] rule permit source 129.38.1.2 0.0.0.0 [Huawei-acl-basic-2102] quit [Huawei] acl 3102 [Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0 [Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0 [Huawei-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0...
  • Page 100: Example For Configuring The Blacklist

    acl number 3102 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0...
  • Page 101 Figure 3-4 Network diagram for configuring the blacklist Server Ethernet0/0/0 GE0/0/1 Enterprise network Router Configuration Roadmap The configuration roadmap is as follows: Configure zones and an interzone. Add interfaces to the zones.
  • Page 102 [Huawei-Vlanif100] quit [Huawei] interface gigabitethernet 0/0/1 [Huawei-GigabitEthernet0/0/1] ip address 202.39.2.1 24 [Huawei-GigabitEthernet0/0/1] zone untrust [Huawei-GigabitEthernet0/0/1] quit Step 3 Enable the blacklist function. [Huawei] firewall blacklist enable Step 4 Add an entry to the blacklist.
  • Page 103 firewall defend port-scan enable firewall defend ip-sweep max-rate 5000 firewall defend ip-sweep blacklist-expire-time 30 firewall defend port-scan max-rate 5000 firewall defend port-scan blacklist-expire-time 30 firewall blacklist enable firewall blacklist 202.39.1.2...
  • Page 104: Traffic Suppression Configuration

    4.1 Traffic Suppression Overview This section describes the traffic suppression function. 4.2 Traffic Suppression Features Supported by the AR1200-S This section describes traffic suppression features supported by the AR1200-S. 4.3 Configuring Traffic Suppression This section describes how to configure traffic suppression.
  • Page 105: Traffic Suppression Overview

    This section describes traffic suppression features supported by the AR1200-S. Traffic suppression can be configured on Ethernet interfaces of the AR1200-S. You can set the rate limit in bit/s or pps for broadcast packets, multicast packets, or unknown unicast packets on an interface.
  • Page 106: Configuring Traffic Suppression On An Interface

    Connecting interfaces and setting the physical parameters of interfaces so that the physical layer is in Up state Data Preparation To configure traffic suppression, you need the following data.
  • Page 107: Checking The Configuration

    – Run the unicast-suppression packets packets-per-second command to set the rate limit in pps for unknown unicast traffic. NOTE The SRU on the AR1200-S does not support the rate limit in pps. The rate limit in pps can be set on LAN-side GE interfaces and LPU Ethernet interfaces. ----End 4.3.3 Checking the Configuration...
  • Page 108 As shown in Figure 4-1, RouterA is the AR1200-S and RouterB is an aggregation router. The CIR value for traffic suppression can be set only on LAN-side Ethernet interfaces of the SRU on the AR1200-S. Figure 4-1 Network diagram of setting the CIR value for traffic suppression...
  • Page 109: Example For Setting The Rate Limit In Pps For Traffic Suppression

    broadcast cir: 100(kbit/s) ----End Configuration Files sysname RouterA interface Ethernet 0/0/0 unicast-suppression cir 100 multicast-suppression cir 200 broadcast-suppression cir 100 return 4.4.2 Example for Setting the Rate Limit in pps for Traffic Suppression This section describes how to set the rate limit in pps for traffic suppression.
  • Page 110 Rate limit for multicast packets: 25200 pps Procedure Step 1 Enter the interface view. <Huawei> system-view [Huawei] sysname RouterA [RouterA] interface ethernet 2/0/0 Step 2 Set the rate limit in pps for broadcast packets.
  • Page 111: Nac Configuration

    LAN. 5.4 Configuring MAC Address Authentication After MAC address authentication is configured, the AR1200-S uses the user MAC address as the user name and password for authentication. 5.5 Maintaining NAC This section describes how to maintain NAC.
  • Page 112: Nac Overview

    5.2 NAC Features Supported by the AR1200-S The AR1200-S supports multiple authentication and control methods to control user authorities and access areas. The AR1200-S functions as a network access device (NAD) and supports 802.1x authentication, MAC address authentication, and Web authentication. 802.1x Authentication The Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard, 802.1x for short,...
  • Page 113: Mac Address Authentication

    MAC address bypass authentication. After MAC address bypass authentication is enabled, when the AR1200-S initiates 802.1x authentication but does not receive the response from the terminal, the AR1200-S sends the MAC address of the user terminal as the user name and password to the authentication server.
  • Page 114: Configuring 802.1X Authentication

    5.3 Configuring 802.1x Authentication You can configure 802.1x authentication on an interface to authenticate access devices connected to an interface of an access control device on a LAN.
  • Page 115: Enabling 802.1X Authentication On An Interface

    MAC address bypass authentication. After MAC address bypass authentication is enabled, when the AR1200-S initiates 802.1x authentication but does not receive the response from the terminal, the AR1200-S sends the MAC address of the user terminal as the user name and password to the authentication server.
  • Page 116: (Optional) Setting The 802.1X Authentication Mode

    CHAP is a three-way handshake authentication protocol and transmits passwords in cipher text. It has higher security than PAP. EAP supports multiple authentication mechanisms. The AR1200-S transparently transmits EAP Request packets and Response packets to the authentication server. The AR1200-S determines
  • Page 117: (Optional) Setting The Access Method On An Interface

    By default, the AR1200-S uses CHAP to authenticate 802.1x users. ----End 5.3.6 (Optional) Setting the Access Method on an Interface The AR1200-S provides interface-based access method and MAC address-based access method. Context MAC address-based access method: 802.1x users on an interface are authenticated independently.
  • Page 118: (Optional) Configuring The Authorization Status Of An Interface

    ----End 5.3.7 (Optional) Configuring the Authorization Status of an Interface The AR1200-S supports the auto, authorized-force, and unauthorized-force modes. Context auto: An interface is initially in unauthorized state and sends and receives only EAPoL packets. Therefore, users cannot access network resources. After a user is authenticated on the interface, the interface enters the authorized state and allows users to access network resources.
  • Page 119: (Optional) Setting The Maximum Number Of Concurrent Access Users On An Interface

    Access Users on an Interface After the maximum number of concurrent access users is set on an interface, if the number of access users on the interface reaches the maximum, the AR1200-S does not authenticate subsequent access users and these users cannot access networks.
  • Page 120: (Optional) Enabling 802.1X Authentication Triggered By Dhcp Messages

    5.3.10 (Optional) Setting Values of Timers Used in 802.1x Authentication On the AR1200-S, you can set the client authentication timeout timers, handshake interval between the AR1200-S and the 802.1x client, quiet timer value, re-authentication interval, and interval for sending authentication requests.
  • Page 121: (Optional) Configuring The Quiet Timer Function

    ----End 5.3.11 (Optional) Configuring the Quiet Timer Function If a user fails to be authenticated after the quiet timer function is enabled, the AR1200-S does not process the authentication requests from the user in this period. This prevents frequent authentication on the system.
  • Page 122: (Optional) Configuring 802.1X Re-Authentication

    By default, an 802.1x user enters the quiet state after three authentication failures within 60 seconds. ----End 5.3.12 (Optional) Configuring 802.1x Re-authentication The AR1200-S re-authenticates users who have been authenticated after a period of time to ensure validity of users. Context 802.1x re-authentication can be enabled in the system view or interface view.
  • Page 123: (Optional) Configuring A Guest Vlan For 802.1X Authentication

    Authentication Context When the guest VLAN is enabled, the AR1200-S broadcasts authentication request packets to all the interfaces enabled with 802.1x authentication. If an interface does not return a response when the maximum number of re-authentication times is reached, the AR1200-S adds the interface to the guest VLAN.
  • Page 124: (Optional) Configuring A Restrict Vlan For 802.1X Authentication

    VLAN. Context If a user fails to be authenticated after the restrict VLAN function is enabled, the AR1200-S adds the access interface of the user to the restrict VLAN. Users in the restrict VLAN can access resources in the restrict VLAN without authentication but must be authenticated when they access external resources.
  • Page 125: (Optional) Enabling The Handshake Function

    Context If a client does not support the handshake function, the AR1200-S will not receive handshake response packets within the handshake interval and considers that the user is offline. Therefore, if the client does not support the handshake function, disable the handshake function on the AR1200-S.
  • Page 126: Checking The Configuration

    Context If the AR1200-S does not receive a response after sending an authentication request to a user, it retransmits the authentication request to the user. If the AR1200-S still fails to receive the response when the maximum number of times for sending authentication requests is reached, it does not send the authentication request to the user any more.
  • Page 127: Enabling Global Mac Address Authentication

    Pre-configuration Tasks None. Data Preparation To configure MAC address authentication, you need the following data. Data Interface that will be enabled with MAC address authentication (Optional) Domain for MAC address authentication (Optional) Maximum number of access users who use MAC address authentication 5.4.2 Enabling Global MAC Address Authentication...
  • Page 128: (Optional) Setting The Format Of The User Name

    Procedure Enabling MAC address authentication in the system view Run: system-view The system view is displayed. Run: mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>...
  • Page 129: (Optional) Configuring A Domain For Mac Address Authentication

    5.4.6 (Optional) Setting Values for MAC Address Authentication Timers The following values can be set on the AR1200-S: re-authentication interval, interval for detecting whether users are online, value of the quiet timer, and value of the timeout timer of the authentication server.
  • Page 130: (Optional) Setting The Maximum Number Of Users For Mac Address Authentication

    5.4.7 (Optional) Setting the Maximum Number of Users for MAC Address Authentication When the number of access users on an interface reaches the maximum, the AR1200-S does not trigger authentication for subsequent users; therefore, these users cannot access the network.
  • Page 131: (Optional) Re-Authenticating A User With The Specified Mac Address

    Run: system-view The system view is displayed. Run: interface interface-type interface-number The interface view is displayed. Run: mac-authen max-user user-number The maximum number of users for MAC address authentication is set on the interface.
  • Page 132: Maintaining Nac

    5.5 Maintaining NAC This section describes how to maintain NAC. 5.5.1 Clearing the Statistics on 802.1x Authentication Before collecting 802.1x authentication statistics, run the reset command to clear the existing statistics.
  • Page 133: Configuration Examples

    5.6 Configuration Examples This section provides several NAC configuration examples. 5.6.1 Example for Configuring 802.1x Authentication After 802.1x authentication is configured, a user that is not authenticated can access limited network resources.
  • Page 134 Data Preparation To complete the configuration, you need the following data: IP address 192.168.2.30 and port number 1812 of the RADIUS authentication server RADIUS server key dot1x-isp and retransmission count 2...
  • Page 135 Step 5 Configure MAC address bypass authentication. [Huawei] interface ethernet 2/0/1 [Huawei-Ethernet2/0/1] dot1x mac-bypass Step 6 Verify the configuration. Run the display dot1x interface command on the Router to view the 802.1x authentication configuration and statistics.
  • Page 136: Example For Configuring Mac Address Authentication

    radius-server template temp1 radius-server shared-key cipher #%I/SW5&ABHRID9_LGZK@1!! radius-server authentication 192.168.2.30 1812 radius-server retransmit 2 authentication-scheme scheme1 authentication-mode radius domain isp1 authentication-scheme scheme1 radius-server temp1 interface Ethernet2/0/0 dot1x enable...
  • Page 137 Configure AAA authentication. User names and passwords are sent to the RADIUS server for authentication. Configure MAC address authentication to authenticate users on Ethernet2/0/0. Data Preparation To complete the configuration, you need the following data: IP address 192.168.2.30 and port number 1812 of the RADIUS server...
  • Page 138 <Huawei> display mac-authen interface ethernet 2/0/0 Ethernet2/0/0 state: UP. MAC address authentication is enabled Maximum users: 128 Current users: 1 Authentication success: 1 Authentication failure: 0 ----End Configuration Files...
  • Page 139: Arp Security Configuration

    6.5 Configuring ARP Suppression If the AR1200-S receives a lot of ARP attack packets, the ARP table overflows or the CPU usage is high. The AR1200-S prevents ARP attacks by discarding attack packets and limiting the rate of attack packets.
  • Page 140: Arp Security Overview

    ARP flood attack: An attacker sends a large number of bogus ARP Request packets or gratuitous ARP packets. The AR1200-S is busy with ARP processing for a long period and cannot process other services. The rate of ARP packets may exceed the limit and ARP entries may overflow.
  • Page 141 AR1200-S and the bandwidth reserved for sending ARP packets are occupied. The AR1200-S can limit the rate of ARP packets with a specified source IP address. If the number of ARP packets with a specified source IP address received by the AR1200-S within a specified period exceeds the threshold, the AR1200-S does not process the excessive ARP request packets.
  • Page 142: Configuring Arp Entry Limiting

    AR1200-S considers that an attack occurs. When the AR1200-S detects an attack, configure the rate limit for ARP Miss packets to limit the rate of ARP Miss packets so that the CPU is protected and other services can be processed by the CPU.
  • Page 143: Enabling Strict Arp Learning

    ----End 6.3.3 Configuring Interface-based ARP Entry Limiting If attackers occupy a large number of ARP entries, the AR1200-S cannot learn ARP entries of authorized users. To prevent such attacks, set the maximum number of ARP entries that can be dynamically learned by an interface.
  • Page 144: Checking The Configuration

    The system view is displayed. Run: interface interface-type interface-number.subnumber The sub-interface view is displayed. On the AR1200-S, sub-interface-based ARP entry limiting can be enabled on GE sub-interfaces, Ethernet sub-interfaces, and Eth-Trunk sub-interfaces. Run: arp-limit maximum maximum Sub-interface-based ARP entry limiting is configured.
  • Page 145: Configuring Arp Anti-Attack

    To prevent attackers from sending gratuitous ARP packets with the source IP addresses as the forged gateway address on a LAN, configure the ARP gateway anti-collision function and configure the AR1200-S to send gratuitous ARP packets. To prevent unauthorized users from accessing external networks by sending ARP packets to the AR1200-S, configure the ARP packet checking function.
  • Page 146: Configuring Arp Anti-Spoofing

    ----End 6.4.3 Configuring the AR1200-S to Check Source MAC Address Consistency in ARP Packets The AR1200-S checks validity of ARP packets and discards invalid ARP packets to defend against ARP attacks. Context By default, the AR1200-S checks the following items of ARP packets:...
  • Page 147: Configuring Arp Gateway Anti-Collision

    By default, the AR1200-S checks the source and destination MAC addresses of all ARP packets. If an ARP packet has an all-0 source or destination MAC address, the AR1200-S discards the ARP packet. Generally, the Ethernet header and ARP header of an ARP packet contain the same source MAC address.
  • Page 148 Context The AR1200-S periodically sends ARP Request packets with the destination IP address as the gateway address to update the gateway MAC address in ARP entries on the network. By doing this, the AR1200-S sends user packets to the correct gateway and prevents attackers from intercepting these packets.
  • Page 149: Checking The Configuration

    6.4.6 Checking the Configuration This section describes how to check the ARP anti-attack configuration. Procedure Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit | arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | log-trap-timer | all } command to check the ARP anti-attack configuration.
  • Page 150: Configuring Arp Suppression

    There are 1 records in gateway conflict table 6.5 Configuring ARP Suppression If the AR1200-S receives a lot of ARP attack packets, the ARP table overflows or the CPU usage is high. The AR1200-S prevents ARP attacks by discarding attack packets and limiting the rate of attack packets.
  • Page 151: Configuring Source Ip Address-Based Arp Packet Suppression

    Data Rate limit for ARP packets with a specified source IP address Rate limit for ARP Miss packets with a specified source IP address Rate limit duration and rate limit for sending ARP packets.
  • Page 152: Configuring Rate Limit Of Arp Packets

    6.5.3 Configuring Rate Limit of ARP Packets This section describes how to configure the rate limit for ARP packets. Procedure Configuring the rate limit of ARP packets in the system view...
  • Page 153: Configuring Source Ip Address-Based Arp Miss Packet Suppression

    By default, rate limiting of ARP packets is disabled. Run: arp anti-attack rate-limit packet-number [ interval-value ] The rate limit duration and the rate limit of ARP packets are set.
  • Page 154: Configuring Rate Limiting Of Arp Miss Packets

    6.5.5 Configuring Rate Limiting of ARP Miss Packets This section describes how to configure rate limiting for ARP Miss packets. Context If many ARP Miss packets are triggered, the system is busy in broadcasting ARP request packets and its performance deteriorates.
  • Page 155: Setting The Aging Time Of Fake Arp Entries

    system-view The system view is displayed. Step 2 Run: arp speed-limit source-mac maximum maximum The rate limit of ARP packets is set. Step 3 (Optional) Run: arp speed-limit source-mac ip-address maximum maximum The rate limit of ARP packets with a specified source MAC address is set.
  • Page 156: (Optional) Setting The Rate Limit Of Broadcasting Arp Packets On The Vlanif Interface Of A Super Vlan

    ARP entries. If a large number of sub-VLANs are configured for the super-VLAN, the AR1200-S generates a large number of ARP Request packets. As a result, the CPU is busy in processing ARP Request packets and cannot process other services in a timely manner.
  • Page 157: Maintaining Arp Security

    Example # Run the display arp anti-attack configuration command to view the rate limit for ARP packets. <Huawei> display arp anti-attack configuration arp-speed-limit ARP speed-limit for source-MAC configuration:...
  • Page 158: Clearing The Statistics On Discarded Arp Packets

    Context CAUTION Statistics cannot be restored after being cleared. Exercise caution when you run this command. Run the following command in the user view to clear the statistics.
  • Page 159: Networking Requirements

    Networking Requirements As shown in Figure 6-1, the Router is connected to a server through Ethernet0/0/3 that is added to VLAN 30 and is connected to users in VLAN 10 and VLAN 20 through Ethernet0/0/1 and Ethernet0/0/2.
  • Page 160 Configure the rate limit for ARP packets with the specified source IP address. Configure the rate limit for ARP Miss packets. Enable log and alarm functions for potential attacks.
  • Page 161 # Set the rate limit for ARP packets sent by user 4 to 10 pps. To prevent all users from sending a large number of ARP packets incorrectly, set the rate limit for ARP packets of the system to 15 pps.
  • Page 162 ARP speed-limit for source-MAC configuration: MAC-address suppress-rate(pps)(rate=0 means function disabled) 0 specified MAC addresses are configured, spec is 256 items. ARP speed-limit for source-IP configuration:...
  • Page 163 port hybrid tagged vlan 10 arp-limit vlan 10 maximum 20 interface Ethernet0/0/2 port hybrid pvid vlan 20 port hybrid tagged vlan 20 arp-limit vlan 20 maximum 20...
  • Page 164: Icmp Security Configuration

    This section describes ICMP security principles. 7.2 ICMP Security Features Supported by the AR1200-S The AR1200-S can limit the rate at which ICMP packets are received, check the validity of ICMP packets, discard invalid and specified ICMP packets, and ignore destination-unreachable packets.
  • Page 165: Icmp Security Overview

    The AR1200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. Therefore, the AR1200-S needs to check the validity of ICMP packets, discard specified ICMP packets, and limit the rate at which ICMP packets are received.
  • Page 166 CPU, ensuring nonstop service transmission. After this function is configured, the AR1200-S discards excess packets. NOTE After rate limiting of ICMP packets is configured, the AR1200-S may fail to respond to ping packets. Procedure Configuring the global rate limit for ICMP packets...
  • Page 167: Configuring The Ar1200-S To Discard Specified Icmp Packets

    The AR1200-S receives a large number of ICMP packets from the network, and these packets consume a lot of CPU resources. The AR1200-S can be configured to discard the ICMP packets with the TTL value of 1. This helps reduce the burden on the AR1200-S and protect CPU resources.
  • Page 168: Configuring The Ar1200-S To Discard The Icmp Packets With Options

    This section describes how to configure the AR1200-S to discard the ICMP packets with options. Context The AR1200-S is busy in processing tasks defined in options in the IP header of ICMP packets. For example, the AR1200-S calculates the hop count. As a result, normal services are not processed immediately.
  • Page 169: Checking The Configuration

    By default, the AR1200-S does not discard ICMP destination-unreachable packets. ----End 7.4.5 Checking the Configuration After configuring the AR1200-S to discard specified ICMP packets, you can use the following commands to verify the configuration. Procedure Run the display current-configuration command to check whether the AR1200-S is configured to discard specified ICMP packets.
  • Page 170: Maintaining ICMP Security

    By default, the AR1200-S is enabled to send ICMP port-unreachable packets. Step 3 Run: interface interface-type interface-number The interface view is displayed. The AR1200-S cannot be configured to send the ICMP host-unreachable packets on a Layer 2 interface. Step 4 Run: undo icmp host-unreachable send The interface is disabled from sending the ICMP host-unreachable packets.
  • Page 171: Configuration Examples

    This section provides ICMP security configuration examples. 7.7.1 Example for Disabling the AR1200-S from Sending Host-Unreachable Packets This section provides an example to illustrate how to disable the AR1200-S from sending host-unreachable packets. Networking Requirements As shown in...
  • Page 172 NOTE By default, an interface is enabled to send ICMP host-unreachable packets. If this function is enabled, skip this step. Disable GE1/0/0 on Router B from sending ICMP host-unreachable packets so that...
  • Page 173: Example For Optimizing System Performance By Discarding Certain ICMP Packets

    There is no reachable route from RouterB to RouterC; therefore RouterB should respond to ping packets received from RouterA with ICMP host-unreachable packets. Because GE1/0/0 of RouterB is disabled from sending ICMP host-unreachable packets, RouterB does not respond to ping packets received from RouterA.
  • Page 174 Figure 7-2 Networking diagram of ICMP security configurations (RouterA and RouterB between the Internet and the individual/enterprise user network) Configuration Roadmap The configuration roadmap is as follows: Configure RouterA to discard ICMP packets with the TTL value of 1.
  • Page 175 [RouterA] icmp unreachable drop Step 2 Verify the configuration. # Run the display current-configuration command in the user view. You can view the ICMP security configuration. <RouterA> display current-configuration | include icmp...
  • Page 176: IP Address Anti-Spoofing Configuration

    To protect authorized users from source IP address spoofing attacks, configure URPF. 8.1 IP Address Anti-spoofing Overview This function defends against source address spoofing attacks. 8.2 IP Source Address-based Attack Defense Features Supported by the AR1200-S This section describes the IP source address-based attack defense features supported by the AR1200-S.
  • Page 177: IP Address Anti-Spoofing Overview

    (URPF). URPF When the AR1200-S receives a packet, it searches for the route to the destination address of the packet. If the route is found, the AR1200-S forwards the packet. Otherwise, the AR1200-S discards the packet. After URPF is configured, the AR1200-S obtains the source address and inbound interface of the packet.
  • Page 178: Configuring URPF

    Unmatched packets are discarded. Loose check: A packet can pass the check as long as the FIB table of the AR1200-S has a routing entry with the destination address being the source address of the packet.
  • Page 179: Configuration Examples

    Step 2 Run: interface interface-type interface-number The interface view is displayed. URPF cannot be configured on Layer 2 interfaces of the AR1200-S. Step 3 Configure URPF check for packets on the interface. Configure URPF check for IPv4 packets on the interface.
  • Page 180 through RouterA. RouterA is required to prevent staff in different departments from accessing the server without permission. NOTE RouterA is an enterprise router and RouterB is an aggregation router.
  • Page 181 Procedure Step 1 Configure the URPF check mode on the interface. <Huawei> system-view [Huawei] sysname RouterA [RouterA] interface gigabitethernet 1/0/0 [RouterA-GigabitEthernet1/0/0] urpf strict allow-default-route [RouterA] interface gigabitethernet 2/0/0 [RouterA-GigabitEthernet2/0/0] urpf strict allow-default-route Step 2 Verify the configuration.
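To make the strict and loose URPF checks from the overview (Page 177 and Page 178) and the allow-default-route keyword in the configuration example above concrete, here is an added Python model of the decision. It is example code written for this page, not Huawei's implementation: the FIB, the interface names and the addresses are constructed, the lookup is a plain longest-prefix match, and the allow_default_route flag is an assumption standing in for the keyword shown in the procedure.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


# Constructed FIB (not from the manual): two connected subnets plus a default route.
FIB = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "GE1/0/0"),
    Route(ipaddress.ip_network("10.2.2.0/24"), "GE2/0/0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "GE3/0/0"),
]


def lookup(fib, addr):
    """Longest-prefix match of addr against the FIB; returns the Route or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in fib:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default_route=False):
    """Return True when a packet with source src arriving on in_iface passes URPF.

    loose : it is enough that some FIB entry covers the source address.
    strict: the entry covering the source must also point out of the inbound interface,
            i.e. the reverse path must be the arrival interface.
    A match on the default route (prefix length 0) only counts when allow_default_route is
    set; this models the allow-default-route keyword (assumption for this example).
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = lookup(fib, src)
    if route is None:
        return False                      # no route back to the source: discard
    if route.prefix.prefixlen == 0 and not allow_default_route:
        return False                      # only the default route matched and it is not allowed
    if mode == "loose":
        return True
    return route.out_iface == in_iface    # strict: reverse path must be the inbound interface


def classify_packets(fib, packets, **kwargs):
    """Run urpf_check over (src, in_iface) pairs; returns a list of (src, in_iface, passed)."""
    return [(src, iface, urpf_check(fib, src, iface, **kwargs)) for src, iface in packets]


if __name__ == "__main__":
    # Constructed sample: a legitimate host, a spoofed source arriving on the wrong interface,
    # and an Internet source that only the default route covers.
    sample = [("10.1.1.5", "GE1/0/0"), ("10.1.1.5", "GE2/0/0"), ("192.0.2.9", "GE3/0/0")]
    for mode in ("strict", "loose"):
        for allow in (False, True):
            print(mode, "allow-default-route" if allow else "no default", classify_packets(FIB, sample, mode=mode, allow_default_route=allow))
```

The second sample packet is the case URPF exists for: a source in 10.1.1.0/24 arriving on GE2/0/0 passes the loose check (a route to 10.1.1.0/24 exists) but fails the strict check, because the reverse path is GE1/0/0. The third packet shows why allow-default-route matters on an edge router: without it, every source that is reachable only via the default route is discarded even in loose mode.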
  • Page 182: Local Attack Defense Configuration

    This section describes the background and functions of local attack defense. 9.2 Local Attack Defense Features Supported by the AR1200-S This section describes local attack defense features supported by the AR1200-S. 9.3 Configuring Attack Source Tracing The attack source tracing function checks for attack packets sent to the CPU and notifies users by sending logs or alarms.
  • Page 183: Local Attack Defense Overview

    As a result, the CPU performance deteriorates and services are interrupted. To protect the CPU and ensure that it can process services, the AR1200-S provides the local attack defense function. The local attack defense functions protect the AR1200-S against attacks, ensure service transmission in the case of attacks, and minimize the impact on the services in the case of attacks by limiting the rate of packets sent to the CPU.
  • Page 184: Configuring Attack Source Tracing

    Rate limit The AR1200-S can limit the rate of all the packets sent to the CPU to protect the CPU. Active link protection (ALP) protects session-based application layer data, including data of HTTP and FTP sessions.
  • Page 185 | telnet | ttl-expired } The types of traced packets are specified. By default, the AR1200-S traces sources of ARP, DHCP, ICMP, IGMP, TCP, Telnet, and TTL-expired packets after attack source tracing is enabled. Step 6 (Optional) Run:...
  • Page 186: Configuring CPU Attack Defense

    This will help you complete the configuration task quickly and accurately. Applicable Environment When a large number of users connect to the AR1200-S, the AR1200-S may be attacked by the packets sent to the CPU or may need to process a large number of these packets. The AR1200-S can limit the rate of all the packets sent to the CPU to protect the CPU.
  • Page 187: Creating An Attack Defense Policy

    Level 2: The AR1200-S limits the rate of packets sent to the CPU based on the protocol type to prevent excess packets of a particular protocol from being sent to the CPU.
  • Page 188: (Optional) Configuring A Blacklist

    By default, no blacklist is configured on the AR1200-S. ----End 9.4.4 (Optional) Configuring the Rate Limit for Packets Sent to the CPU The AR1200-S sets different rate limits for packets of different types or discards packets of a certain type to protect the CPU. Procedure...
  • Page 189: (Optional) Setting The Priority Of Protocol Packets

    Run: deny packet-type packet-type The AR1200-S is configured to discard packets of a specified type sent to the CPU. That is, the rate limit for packets of the specified type to be sent to the CPU is 0. By default, the AR1200-S applies the rate limit defined in the default attack defense policy to the packets sent to the CPU.
  • Page 190: (Optional) Configuring The Rate Limit For Packets After ALP Is Enabled

    The rate limit for all packets sent to the CPU is set. The AR1200-S then randomly discards the packets that exceed the rate limit to protect the CPU. ----End 9.4.7 (Optional) Configuring the Rate Limit for Packets After ALP Is Enabled You can set the rate limit for packets in the attack defense policy after ALP is enabled.
  • Page 191: Applying The Attack Defense Policy

    9.4.8 Applying the Attack Defense Policy An attack defense policy takes effect only when it is applied to a board. Prerequisites To protect session-based application layer data, including data of HTTP and FTP sessions, and to ensure non-stop transmission of these services when attacks occur, enable active link protection (ALP) before you create an attack defense policy.
  • Page 192: Maintaining The Attack Defense Policy

    Run the display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id | sru } command to check the rate limit configuration for protocol packets sent to the CPU.
  • Page 193 Most LAN users obtain IP addresses using DHCP, whereas RouterA does not first process DHCP Client packets sent to the CPU. The Telnet server is not enabled on RouterA, whereas RouterA often receives a large number of Telnet packets.
  • Page 194 Priority of DHCP Client packets: 3 NOTE This section provides only the configuration procedure for the local attack defense function supported by the AR1200-S. For details about the routing configuration, see the Huawei AR1200-S Series Enterprise Routers Configuration Guide - IP Routing. Procedure Step 1 Configure an ACL to be referenced by the blacklist.
  • Page 195 Packet-type arp-request rate-limit : 64(pps) Packet-type dhcp-client priority : 3 Rate-limit all-packets : 2000(pps) (default) Application-apperceive packet-type ftp : 2000(pps) Application-apperceive packet-type tftp : 2000(pps) # View the rate limit configuration on the SRU. You can see that application layer association for Telnet, the rate limit for ARP Request packets sent to the CPU, and the priority for DHCP client packets are configured successfully.
  • Page 196 Disabled ----------------------------------------------------------------- # The log for attack source tracing of Net1 indicates that attack source tracing has taken effect. Dec 18 2010 09:55:50-05:13 AR1200-S %%01SECE/4/USER_ATTACK(l)[0]:User attack occurred.(Slot=MPU, SourceAttackInterface=Ethernet0/0/1, OuterVlan/InnerVlan=0/0, UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per second) # View the statistics on packets sent to the SRU. The discarded packets indicate that the rate limit is set for ARP Request packets.
  • Page 197 nhrp ospf ospfv3 pppoe radius 11306 ripng 7385 snmp ssh-client ssh-server sslvpn telnet-client 81476 telnet-server ttl-expired udp-helper unknown-multicast unknown-packet 66146 voice vrrp --------------------------------------------------------------------- ----End Configuration Files...
  • Page 198: ACL Configuration

    10 ACL Configuration ACL Configuration About This Chapter This chapter explains how to filter data packets on an AR1200-S by defining an Access Control List (ACL) to determine allowed packet types. 10.1 ACL Overview This section describes the basic concept of ACLs.
  • Page 199: ACL Overview

    After these rules are applied to the AR1200-S, the AR1200-S determines which packets to receive and reject. ACLs can be applied to some services and functions on the AR1200-S, for example, the routing policy, traffic classifier, firewall, and IPSec.
  • Page 200: Function Description

    Table columns: Classification | Type | Function Description | Rule. Naming mode | Numbered | A numbered ACL is identified by a number, which can be specified to reference the ACL. Naming mode | Named | A named ACL is identified...
  • Page 201 Other Time range information Other ACL Features Supported by the AR1200-S The AR1200-S supports the following ACL features: Step: The step value makes it possible to add a new rule between existing rules and to control the matching order of rules.
  • Page 202: Configuring A Basic ACL

    Basic ACLs can be referenced by many services and functions such as the routing policy and traffic classifier. The AR1200-S processes different types of packets based on basic ACL rules. Basic ACLs are applied to all the IPv4 packets at the network layer and upper layers. Basic ACLs classify packets based on source IP addresses, fragment flags, and time ranges in the packets.
  • Page 203: (Optional) Creating A Time Range For A Basic ACL

    { start-time to end-time days | from time1 date1 [ to time2 date2 ] } A time range is created. To configure multiple time ranges with the same name on the AR1200-S, run the preceding command with the same value of time-name multiple times. NOTE You can configure the same name for multiple time ranges to describe a special period.
  • Page 204 Procedure Creating a numbered basic ACL Run: system-view The system view is displayed. Run: acl [ number ] acl-number [ match-order { auto | config } ] A basic ACL with the specified number is created and the basic ACL view is displayed.
  • Page 205: Configuring A Basic ACL Rule

    Follow-up Procedure Configure rules in the basic ACL. 10.3.4 Configuring a Basic ACL Rule A basic ACL is composed of a list of rules. The ACL classifies packets by matching packet information with the ACL rules.
  • Page 206: Applying A Basic ACL

    Apply a basic ACL to add specified users to the blacklist for local attack defense. A blacklist is a set of unauthorized users. The AR1200-S uses basic ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist.
  • Page 207 Apply an ACL to an interface to filter packets on the interface. The AR1200-S can filter packets on an interface using an ACL. – If the action in an ACL rule is deny, the AR1200-S discards all packets matching the rule.
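As an added illustration (not code from the manual or the AR1200-S software), here is a Python model of a numbered basic ACL that ties together the step feature from Page 201, the match-order parameter from Page 204 and the permit/deny behaviour described above: rule IDs are assigned in multiples of the step (default 5), so a rule can be slotted between two existing ones without renumbering, and evaluation stops at the first rule that matches. Two simplifications are assumptions of this example, not statements about the product: source addresses are matched as CIDR prefixes rather than wildcard masks, and the auto (depth-first) order is modelled as "more specific prefix first".

```python
import ipaddress


class BasicAcl:
    """Model of a numbered basic ACL: rule IDs are multiples of the step, so a rule can be
    inserted between two existing ones; matching is first-hit in rule-ID order (config) or
    most-specific-first (auto, an assumption about the depth-first principle)."""

    def __init__(self, number, step=5, match_order="config"):
        if match_order not in ("config", "auto"):
            raise ValueError("match_order must be 'config' or 'auto'")
        self.number = number
        self.step = step
        self.match_order = match_order
        self.rules = {}  # rule_id -> (action, IPv4Network)

    def add_rule(self, action, source, rule_id=None):
        """Add a permit/deny rule for a source prefix. Without an explicit rule_id the next
        free multiple of the step is used (5, 10, 15, ...), leaving gaps for later inserts."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if rule_id is None:
            rule_id = (max(self.rules) // self.step + 1) * self.step if self.rules else self.step
        if rule_id <= 0:
            raise ValueError("rule_id must be positive")
        self.rules[rule_id] = (action, ipaddress.ip_network(source, strict=False))
        return rule_id

    def ordered_rules(self):
        """Rules in the order they are tried: by rule ID for config order; for auto order the
        longer (more specific) prefix first, ties keeping rule-ID order (sort is stable)."""
        items = sorted(self.rules.items())
        if self.match_order == "auto":
            items.sort(key=lambda kv: -kv[1][1].prefixlen)
        return items

    def evaluate(self, src):
        """Return (action, rule_id) of the first matching rule, or (None, None) if none
        matches; what an unmatched packet gets then depends on the referencing service."""
        ip = ipaddress.ip_address(src)
        for rule_id, (action, net) in self.ordered_rules():
            if ip in net:
                return action, rule_id
        return None, None

    def display(self):
        """Rules rendered roughly as the device lists them: address plus wildcard (inverse) mask."""
        return [f"rule {rid} {action} source {net.network_address} {net.hostmask}"
                for rid, (action, net) in sorted(self.rules.items())]


if __name__ == "__main__":
    # Constructed sample: deny one host, permit the rest of the site, then insert a deny
    # for a subnet between the two existing rules using the gap the step leaves.
    acl = BasicAcl(2000)
    acl.add_rule("deny", "172.16.105.111/32")
    acl.add_rule("permit", "172.16.0.0/16")
    acl.add_rule("deny", "172.16.107.0/24", rule_id=7)
    print("\n".join(acl.display()))
    for host in ("172.16.105.111", "172.16.107.111", "172.16.20.4", "192.0.2.1"):
        print(host, acl.evaluate(host))
```

The last two ACLs in the test show the point of the matching order: with a broad permit at rule 5 and a host deny at rule 10, config order lets the host through because rule 5 hits first, whereas auto order tries the /32 before the /16 and denies it. When a deny must win regardless of order, give it the lower rule ID, which is what the step gap is for.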
  • Page 208: Checking The Configuration

    10.3.6 Checking the Configuration After a basic ACL is configured, you can view information about the basic ACL and time range. Prerequisites The basic ACL configurations are complete.
  • Page 209: Establishing The Configuration Task

    Applicable Environment Advanced ACLs are applied to multiple services and functions, for example, traffic classifiers and multicast. The AR1200-S processes different types of packets based on advanced ACL rules. Advanced ACLs can be applied to: All the IPv4 packets at the network layer and upper layers. Advanced ACLs classify IPv4 packets based on information such as source and destination IP addresses, packet priorities, fragment flags, time ranges, and VPN instances in the packets.
  • Page 210: (Optional) Creating A Time Range For An Advanced ACL

    { start-time to end-time days | from time1 date1 [ to time2 date2 ] } A time range is created. To configure multiple time ranges with the same name on the AR1200-S, run the preceding command with the same value of time-name multiple times. NOTE You can configure the same name for multiple time ranges to describe a special period.
  • Page 211: Creating An Advanced ACL

    Follow-up Procedure Reference the time range in an advanced ACL rule. 10.4.3 Creating an Advanced ACL Before using an advanced ACL, ensure that the advanced ACL has been created. You can create a named or numbered advanced ACL.
  • Page 212: Configuring An Advanced ACL Rule

    acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999. match-order specifies the matching order of advanced ACL rules: – auto: indicates that ACL rules are matched based on the depth first principle.
  • Page 213 vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] ] | [ fragment | none-first-fragment ] ] Configure an advanced ACL rule based on the protocol over IP.
  • Page 214: Applying An Advanced ACL

    Apply an advanced ACL to add specified users to the blacklist for local attack defense. A blacklist is a set of unauthorized users. The AR1200-S uses advanced ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist.
  • Page 215: Checking The Configuration

    Apply an advanced ACL to an interface to filter packets on the interface. The AR1200-S can filter packets on an interface using an ACL. – If the action in an ACL rule is deny, the AR1200-S discards all packets matching the rule.
  • Page 216: Configuring A Layer 2 ACL

    Run the display time-range { all | time-name } command to view information about the time range. ----End Example # Run the display acl acl-number command to view the advanced ACL number, the number of rules, the step value, and the content of the rules.
  • Page 217: (Optional) Creating A Time Range For A Layer 2 ACL

    { start-time to end-time days | from time1 date1 [ to time2 date2 ] } A time range is created. To configure multiple time ranges with the same name on the AR1200-S, run the preceding command with the same value of time-name multiple times.
  • Page 218: Creating A Layer 2 ACL

    NOTE You can configure the same name for multiple time ranges to describe a special period. Assume that the same name test is configured for the following time ranges:...
  • Page 219: Configuring A Layer 2 ACL Rule

    Creating a named Layer 2 ACL Run: system-view The system view is displayed. Run: acl name acl-name { link | acl-number } [ match-order { auto | config } ] A Layer 2 ACL with the specified name is created and the Layer 2 ACL view is displayed.
  • Page 220: Applying A Layer 2 ACL

    step step-value The step value between ACL rule IDs is set. By default, the step value is 5. Step 2 Run: rule { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | [ time-range time-...
  • Page 221: Checking The Configuration

    Apply a Layer 2 ACL to add users to the blacklist for local attack defense. A blacklist is a set of unauthorized users. The AR1200-S uses Layer 2 ACLs to add users with a specific characteristic to a blacklist and discards the packets from the users in the blacklist.
  • Page 222: Configuration Examples

    Example # Run the display acl acl-number command to view the Layer 2 ACL number, the number of rules, the step value, and the content of the rules.
  • Page 223 Figure 10-1 Configuring a basic ACL to limit user access to the FTP server PC A 172.16.105.111 FTP Server PC B 172.16.107.111 Network Router PC C 172.16.104.110 10.10.10.1...
  • Page 224: Example For Using Advanced ACLs To Configure The Firewall Function

    Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 on Monday in 2010. PC B cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2010.
  • Page 225 Figure 10-2 Using advanced ACLs to configure the firewall function FTP server Web server 202.169.10.6 202.169.10.5 Eth0/0/0 GE0/0/1 Internet Router 202.39.2.3 Internal network Telnet server 202.169.10.7 Configuration Roadmap The configuration roadmap is as follows: Configure zones on the internal and external networks.
  • Page 226 [Router-zone-company] priority 12 [Router-zone-company] quit # Add VLANIF 100 to the zone company. [Router] interface vlanif 100 [Router-Vlanif100] zone company [Router-Vlanif100] quit # Configure a zone on the external network.
  • Page 227 [Router-interzone-company-external] packet-filter 3002 outbound [Router-interzone-company-external] quit Step 6 Verify the configuration. After the configuration is complete, only the host at 202.39.2.3 can access internal servers and only internal servers can access the external network.
  • Page 228: Example For Using A Layer 2 ACL To Configure Traffic Classification

    ip address 129.39.10.8 255.255.255.0 zone external return 10.6.3 Example for Using a Layer 2 ACL to Configure Traffic Classification A Layer 2 ACL is used to configure traffic classification to collect statistics on packets with the specified source MAC address.
  • Page 229 Procedure Step 1 Create a VLAN and configure each interface. # Create VLAN 20. <Huawei> system-view [Huawei] sysname Router [Router] vlan 20 [Router-vlan20] quit # Configure Ethernet0/0/0 as a trunk interface and add Ethernet0/0/0 to VLAN 20.
  • Page 230 Step 6 Verify the configuration. # View the ACL configuration. <Router> display acl name layer2 L2 ACL layer2 4999, 1 rule Acl's step is 5 rule 5 permit source-mac 0000-0000-0003 # View the traffic classifier configuration.
  • Page 231: SSL Configuration

    TCP-based application layer protocols. 11.2 SSL Features Supported by the AR1200-S The AR1200-S supports server SSL policies and client SSL policies. 11.3 Configuring a Server SSL Policy A server SSL policy defines parameters that an SSL server uses in SSL handshakes, including the PKI domain name, maximum number of sessions that can be saved, timeout period of a saved session, and cipher suite.
  • Page 232: SSL Overview

    11.1 SSL Overview The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols. Introduction to SSL SSL is a cryptographic protocol that provides communication security over the Internet.
  • Page 233: Security Mechanisms

    Figure 11-1 Certificate issuing and authentication (certificate issuing by the CA to the server; certificate verification by the peer) Digital certificate A digital certificate is an electronic document issued by a CA to bind a public key with a certificate subject (an applicant that has obtained a certificate).
  • Page 234: SSL Features Supported By The AR1200-S

    To use an AR1200-S as an SSL server, configure a server SSL policy on the AR1200-S. During an SSL handshake, the AR1200-S uses the SSL parameters in the server SSL policy to negotiate session parameters with an SSL client.
  • Page 235 When functioning as an SSL server, the AR1200-S can communicate with SSL clients running SSL 3.0, TLS 1.0, or TLS 1.1. The AR1200-S determines the SSL protocol version used for this communication and sends a Server Hello message to notify the client.
  • Page 236: Configuring A Client SSL Policy

    TCP-based application layer protocols. To use an AR1200-S as an SSL client, configure a client SSL policy on the AR1200-S. A client SSL policy can be applied to application layer protocols such as the CPE WAN Management Protocol (CWMP) to provide secure connections.
  • Page 237 AR1200-S establishes a session with the server. When functioning as an SSL client, the AR1200-S does not allow SSL servers to authenticate it, but it can authenticate SSL servers. When the AR1200-S functions as an SSL client, enable it to authenticate servers to ensure secure communication.
  • Page 238: Configuration Examples

    11.5.1 Example for Configuring a Server SSL Policy This example shows how to configure a server SSL policy on an AR1200-S functioning as an HTTPS server. After the configuration is complete, users can use a web browser to log in to and manage the Router.
  • Page 239 Configuration Roadmap The configuration roadmap is as follows: Configure a PKI entity and a PKI domain. Configure a server SSL policy. Configure the Router as an HTTPS server.
  • Page 240 Procedure Step 1 Configure a PKI entity and a PKI domain. # Configure a PKI entity. <Huawei> system-view [Huawei] sysname Router [Router] pki entity users [Router-pki-entity-users] common-name hello...
  • Page 241: Example For Configuring A Client SSL Policy

    11.5.2 Example for Configuring a Client SSL Policy This example shows how to configure a client SSL policy on the AR1200-S functioning as the customer premises equipment (CPE). After the configuration is complete, the AR1200-S can authenticate the auto-configuration server (ACS) and communicate with the ACS securely.
  • Page 242 The ACS functions as an SSL server and has obtained a digital certificate from the CA. You need to configure the Router as an SSL client to authenticate the ACS. This ensures privacy and integrity of data exchanged between the Router and the ACS.
  • Page 243 Item | Data: PKI entity | PKI entity name: cwmp0; Entity's common name: hello; Entity's country code: CN; Entity's province name: jiangsu; Entity's organization name: huawei...
  • Page 244 For security reasons your password will not be saved in the configuration. Please make a note of it. Choice no password ,please enter the enter-key. Please enter Password: Start certificate enrollment ...
  • Page 245 # Set the maximum number of connection attempts to 5. [Router-cwmp] cwmp cpe connect retry 5 # Set the close-wait timer of the Router to 100 seconds. If no data is transmitted within 100 seconds, the connection is torn down.
  • Page 246 sysname Router interface Ethernet 1/0/0 ip address 11.1.1.1 255.255.255.0 cwmp cwmp cpe inform interval enable cwmp acs url https://www.acs.com:80/acs cwmp acs username newacsname cwmp acs password newacspsw cwmp cpe username newcpename...
  • Page 247: PKI Configuration

    IP Security (IPSec) protocol and Secure Sockets Layer (SSL) protocol. 12.2 PKI Features Supported by the AR1200-S On the AR1200-S, you can configure PKI entities, PKI domains, manually or automatically enroll certificates, authenticate certificate validity, manage certificates, import or export certificates, and delete expired certificates.
  • Page 248: PKI Overview

    12.1 PKI Overview The Public Key Infrastructure (PKI) is a system that generates public keys and digital certificates, and verifies identities of certificate subjects to ensure information security. PKI provides a certificate management mechanism for the IP Security (IPSec) protocol and Secure Sockets Layer (SSL) protocol.
  • Page 249: PKI Features Supported By The AR1200-S

    (CDPs) to indicate the location of these CRLs. 12.2 PKI Features Supported by the AR1200-S On the AR1200-S, you can configure PKI entities, PKI domains, manually or automatically enroll certificates, authenticate certificate validity, manage certificates, import or export certificates, and delete expired certificates.
  • Page 250 PKI Working Process On a PKI network, PKI is configured on the AR1200-S to allow the AR1200-S to obtain a local certificate from a CA and verify certificate validity. The PKI working process is as follows: An entity applies for a certificate from a registration authority (RA).
  • Page 251: Configuring A PKI Entity

    Export a certificate License Support The PKI function is used with a license. To use the PKI function, apply for and purchase the following license from the Huawei local office: AR1200 Value-Added Security Package 12.3 Configuring a PKI Entity A certificate binds a public key to a set of information that uniquely identifies a PKI entity. A PKI entity identifies a certificate applicant.
  • Page 252: Configuring A PKI Entity Identifier

    Run the common-name common-name command to configure the common name for the PKI entity. By default, no PKI entity name is configured on the AR1200-S. Run the fqdn fqdn-name command to configure the FQDN for the PKI entity.
  • Page 253: Checking The Configuration

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: pki entity entity-name The PKI entity view is displayed. Step 3 Run: country country-code A country code is configured for the PKI entity.
  • Page 254: Configuring A PKI Domain

    12.4 Configuring a PKI Domain Before an entity applies for a PKI certificate, registration information needs to be configured for the entity. A set of the registration information is the PKI domain of the entity.
  • Page 255: Configuring A PKI Entity Name

    Step 2 Run: pki realm realm-name A PKI domain is created. By default, no PKI domain is configured on the AR1200-S. ----End 12.4.3 Configuring a PKI Entity Name In a PKI domain, configure a name for the PKI entity applying for a certificate. A PKI entity name binds to only one PKI entity.
  • Page 256: (Optional) Configuring CA Certificate Fingerprint

    ----End 12.4.5 (Optional) Configuring CA Certificate Fingerprint Before the AR1200-S accepts a root certificate from a CA, it checks the CA root certificate fingerprint. The CA root certificate fingerprint is the hash value of the root certificate and is unique to each certificate. If the fingerprint of the received CA root certificate differs from the fingerprint configured in the specified PKI domain, the AR1200-S rejects the issued root certificate.
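An added Python example (written for this page, not the AR1200-S code) of the fingerprint comparison described above: the hash of a received root certificate is computed and compared with the fingerprint configured for the PKI domain, and a mismatch rejects the certificate, so a CA certificate substituted on the enrollment path is caught before it becomes a trust anchor. The certificate bytes are a constructed placeholder rather than a real DER certificate, and the hash algorithm is a parameter because the page does not name one.

```python
import hashlib
import hmac

# Constructed placeholder standing in for a DER-encoded CA root certificate.
# It is NOT a real certificate; only its bytes matter for the fingerprint check.
CONSTRUCTED_ROOT_CERT_DER = b"\x30\x82\x01\x0a" + b"example-root-ca-der-bytes-" * 8


def fingerprint(cert_der, algorithm="sha256"):
    """Fingerprint = hex digest of the hash of the whole DER certificate."""
    return hashlib.new(algorithm, cert_der).hexdigest()


def format_fingerprint(hexdigest):
    """Render a hex digest the way fingerprints are usually shown: AB:CD:EF:..."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()


def normalize(configured):
    """Accept the configured value with or without colons, in either case."""
    return configured.replace(":", "").replace(" ", "").lower()


def accept_root_certificate(cert_der, configured_fingerprint, algorithm="sha256"):
    """Return True only if the received certificate hashes to the configured fingerprint.

    hmac.compare_digest makes the comparison constant-time; a length mismatch (wrong
    algorithm, truncated value) simply compares unequal, which is the safe outcome.
    """
    expected = normalize(configured_fingerprint)
    actual = fingerprint(cert_der, algorithm)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Operator workflow: obtain the fingerprint out of band, configure it, then check the
    # certificate that actually arrives. The second check simulates a substituted certificate.
    configured = format_fingerprint(fingerprint(CONSTRUCTED_ROOT_CERT_DER))
    print("configured:", configured)
    print("genuine accepted:", accept_root_certificate(CONSTRUCTED_ROOT_CERT_DER, configured))
    tampered = CONSTRUCTED_ROOT_CERT_DER[:-1] + b"\x00"
    print("substituted accepted:", accept_root_certificate(tampered, configured))
```

The value to configure must come from the CA through a channel other than the one the certificate is fetched over (for example read off the CA's administration console), otherwise the check only confirms that the download was not corrupted, not that it came from the intended CA.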
  • Page 257: (Optional) Configuring a Certificate Revocation Password

    By default, no certificate revocation password is configured on the AR1200-S. ----End. 12.4.7 (Optional) Configuring the RSA Key Length of Certificates: After the RSA key length of certificates is set, the AR1200-S generates an RSA key of the specified length when requesting a certificate. Context: An RSA key pair contains a public key and a private key.
  • Page 258: (Optional) Configuring a Source IP Address for TCP Connection Setup

    Step 3 Run: source interface interface-name. The source interface is specified. The AR1200-S uses the IP address of this interface to set up a TCP connection. By default, the AR1200-S uses the outbound interface's IP address as the source IP address for TCP connection setup.
  • Page 259: Configuring Certificate Enrollment

    12.5 Configuring Certificate Enrollment: Certificate enrollment is a process in which an entity registers with a CA and obtains a certificate from the CA. During this process, the entity provides its identity information and public key, which will be added to the certificate issued to the entity.
  • Page 260: Configuring Automatic Certificate Enrollment And Update

    Prerequisites: A PKI domain has been created and configured. For details, see 12.4 Configuring a PKI Domain. Procedure: Step 1 Run: system-view. The system view is displayed. Step 2 Run: pki enroll-certificate pki-realm-name [ pkcs10 [ filename filename ] ]. Manual certificate enrollment is configured.
  • Page 261: Creating A Self-Signed Certificate Or Local Certificate

    By default, no PKI domain is configured on the AR1200-S. Step 3 Run: auto-enroll [ percent ] [ regenerate ]. The automatic certificate enrollment and update function is enabled.
  • Page 262: Configuring The Certificate Check Mode

    The system view is displayed. Step 2 Run: pki realm realm-name. A PKI domain is configured. By default, no PKI domain is configured on the AR1200-S. Step 3 Run: certificate-check { crl | none | ocsp }. The certificate check mode is configured.
  • Page 263: Checking Certificate Validity

    If the CDP URL is configured in the PKI domain, the PKI entity obtains the CRL from the specified URL. – Run: crl cache The AR1200-S is configured to use the buffered CRL for certificate check, without having to download the CRL from the CA. – Run: crl update-period hours The interval at which a PKI entity downloads a CRL from a CRL storage server is configured.
  • Page 264: Checking The Configuration

    The system view is displayed. Step 2 Run: pki import-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }. The external certificate is imported to the AR1200-S. ----End. Issue 02 (2012-03-30) Huawei Proprietary and Confidential...
  • Page 265: Exporting A Certificate

    12.7.3 Exporting a Certificate: To provide a certificate for another device, export the certificate. Procedure: Step 1 Run: system-view. The system view is displayed. Step 2 Run: pki export-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }. The certificate is exported and saved in a file.
  • Page 266: Table 12-1 Data plan. Item: PKI entity. Data: PKI entity name: user01; entity's common name: hello; entity's country code: CN; entity's province name: jiangsu; entity's organization name: huawei...
  • Page 267: # Configure the trusted CA, bound entity, enrollment URL, and root certificate fingerprint. [Huawei] pki realm test [Huawei-pki-realm-test] ca id ca_root [Huawei-pki-realm-test] entity user01 [Huawei-pki-realm-test] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra...
  • Page 268: Example For Configuring Pki In Ipsec

    fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf return. 12.8.2 Example for Configuring PKI in IPSec. Networking Requirements: As shown in Figure 12-4, devices in two subnets communicate with the Internet using their respective gateways and need to establish an IPSec tunnel to transmit data flows.
  • Page 269: Table 12-2 Data plan of RouterA. Item: PKI entity. Data: PKI entity name: routera; entity's common name: helloa; entity's country code: CN; entity's province name: jiangsu...
  • Page 270: Table 12-3 Data plan of RouterB. Item: PKI entity. Data: PKI entity name: routerb; entity's common name: hellob; entity's country code: CN; entity's province name: jiangsu...
  • Page 271: Procedure: Step 1 Configure interface IP addresses and routes to enable the IPSec peers and the CA to communicate. Step 2 Configure a PKI entity. # Configure RouterA. <Huawei> system-view...
  • Page 272: Step 5 Configure access control lists (ACLs) and define the data flows to be protected in the ACLs. # Configure RouterA. [Huawei] acl 3000 [Huawei-acl-adv-3000] rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0 [Huawei-acl-adv-3000] rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0 [Huawei-acl-adv-3000] quit # Configure RouterB. [Huawei] acl 3000 [Huawei-acl-adv-3000] rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0...
  • Page 273: [Huawei] interface gigabitethernet 0/0/1 [Huawei-GigabitEthernet0/0/1] ipsec policy routerb [Huawei-GigabitEthernet0/0/1] quit Step 8 Configure the devices to request a certificate and download it for IKE negotiation. # Configure RouterA. [Huawei] pki enroll-certificate testa Create a challenge password.
  • Page 274: [Huawei] ping 2.2.2.1 PING 2.2.2.1: 56 data bytes, press CTRL_C to break Reply from 2.2.2.1: bytes=56 Sequence=1 ttl=255 time=3 ms Reply from 2.2.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms Reply from 2.2.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms...
  • Page 275: country CN state jiangsu organization huawei organization-unit info common-name helloa pki realm testa ca id ca_root enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra entity routera fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf certificate-check none return Configuration file of RouterB router id 3.3.3.3...
  • Page 276: return
  • Page 277: Keychain Configuration

    This chapter describes the keychain fundamentals. It also provides keychain configuration steps based on different parameters, along with a typical example. 13.1 Introduction to Keychain. 13.2 Keychain Features Supported by the AR1200-S. 13.3 Configuring Basic Keychain Functions: This section describes how to configure the basic functions of the keychain module.
  • Page 278: Introduction To Keychain

    Thus the system needs a mechanism that centralizes all authentication processing and allows dynamic changes of the authentication algorithm and keys without much human intervention. The keychain module provides this functionality. 13.2 Keychain Features Supported by the AR1200-S: The AR1200-S supports the following keychain features: Authentication for applications. An application that requires authentication support must reference a keychain.
  • Page 279: Configuring Basic Keychain Functions

    send-key-id. There can be only one default send-key-id in a keychain. When any key-id becomes active, the application uses the new active key-id instead of the default send-key-id.
  • Page 280: Creating A Keychain

    Data: Key-string for each key-id; authentication algorithm for each key-id; send and receive time for each key-id; receive tolerance if required. 13.3.2 Creating a Keychain. Procedure: Step 1 Run: system-view. The system view is displayed.
  • Page 281: Configuring A Key-Id In A Keychain

    NOTE: Receive tolerance can be configured in the following two ways: Specifying a particular receive tolerance value in minutes, which can be a maximum of 10 days (14400 minutes).
  • Page 282: Configuring Authentication Algorithm Of A Key-Id

    Key-string is the authentication string used while sending and receiving the packets. In the case of plain text, the password string is displayed as unencrypted text. In the case of cipher text, the password string is displayed in encrypted form.
  • Page 283: Configuring Send-Time Of A Key-Id

    Step 4 Run: default send-key-id. The key-id is set as the default send-key-id. NOTE: Only one key-id in a keychain can be configured as the default send-key-id. ----End. 13.3.8 Configuring send-time of a key-id...
  • Page 284: The system view is entered. Run: keychain keychain-name mode periodic weekly. The keychain is created in weekly periodic timing mode and the keychain view is entered. Run: key-id key-id. The key-id is created and the key-id view is entered.
  • Page 285: Configuring Receive-Time Of A Key-Id

    NOTE: Send-time for a key-id is configured according to the timing mode defined for the keychain. Only one send key-id in a keychain can be active at a time. The send-times of different key-ids in a keychain must not overlap each other.
  • Page 286: Run: keychain keychain-name mode periodic weekly. The keychain is created in weekly periodic timing mode and the keychain view is entered. Run: key-id key-id. The key-id is created and the key-id view is entered.
  • Page 287: Checking The Configuration

    13.3.10 Checking the Configuration. Prerequisites: The configurations of the keychain are complete. Procedure: Run the display keychain keychain-name command to view the current configuration of a keychain. Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain.
  • Page 288: Configuring TCP Authentication Parameters

    SEND TIMER Start time : 2012-03-14 00:00 End time : 2012-08-08 23:59 Status : Active RECEIVE TIMER Start time : 2012-03-14 00:00 End time : 2012-08-08 23:59 Status...
  • Page 289: Configuring TCP Kind of a Keychain

    13.4.2 Configuring TCP Kind of a Keychain. Procedure: Step 1 Run: system-view. The system view is displayed. Step 2 Run: keychain keychain-name. The keychain view is entered. Step 3 Run: tcp-kind kind-value. The TCP kind value for the keychain is configured.
  • Page 290: Prerequisites: The configurations of the keychain are complete. Procedure: Run the display keychain keychain-name command to view the current configuration of a keychain. Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain.
  • Page 291: Configuration Examples

    Start time : 2012-03-14 00:00 End time : 2012-08-08 23:59 Status : Active DEFAULT SEND KEY ID INFORMATION Default : Not configured. 13.5 Configuration Examples: This section provides configuration examples of the keychain module.
  • Page 292: Configuration File

    [RouterA] keychain huawei mode absolute [RouterA-keychain] receive-tolerance 100 [RouterA-keychain] key-id 1 [RouterA-keychain-keyid-1] algorithm md5 [RouterA-keychain-keyid-1] key-string plain hello [RouterA-keychain-keyid-1] send-time utc 14:40 2008-10-10 to 14:50 2008-10-10 [RouterA-keychain-keyid-1] receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10...
  • Page 293: keychain huawei mode absolute receive-tolerance 100 key-id 1 algorithm md5 key-string plain hello send-time utc 14:40 2008-10-10 to 14:50 2008-10-10 receive-time utc 14:30 2008-10-10 to 14:50 2008-10-10 return...
  • Page 294: Configuration Of Attack Defense And Application Layer Association

    14 Configuration of Attack Defense and Application Layer Association. About This Chapter: Attack defense and application layer association prevent packets from attacking the CPU, which ensures that the device runs normally when it is attacked.
  • Page 295: Overview To Attack Defense And Application Layer Association

    14.1 Overview to Attack Defense and Application Layer Association: Attacks on TCP/IP networks increase steadily. Attacks on network devices may cause the network to be disabled or unavailable.
  • Page 296: Attack Defense and Application Layer Association Supported by AR1200-S

    Supported by AR1200-S The AR1200-S supports defense against various attacks such as malformed packet attacks, fragmented packet attacks, and flooding attacks. In addition, the AR1200-S offers the application layer association module to implement association with the application layer and packet filtering at the application layer.
  • Page 297: Configuring Abnormal Packet Attack Defense

    When a protocol is disabled, the AR1200-S directly discards packets of this protocol to prevent attacks. When a protocol is enabled, the AR1200-S limits the rate of protocol packets sent to the CPU to protect the CPU. The application layer association module supports SNMP, HW-TACACS, NTP, SSH, DHCP, 802.1x, and PIM protocols and supports HTTP server, Telnet server, STelnet server, FTP server,...
  • Page 298: Enabling Defense Against Abnormal Packet Attacks

    To prevent network devices from being attacked and to ensure normal network services, defense against abnormal packet attacks must be configured.
  • Page 299: Configuring Fragmented Packet Attack Defense

    <Huawei> display anti-attack statistics abnormal Packets Statistic Information: AntiAtkType TotalPacketNum DropPacketNum PassPacketNum Abnormal ... 14.3 Configuring Fragmented Packet Attack Defense...
  • Page 300: Checking The Configuration

    Procedure: Step 1 Run: system-view. The system view is displayed. Step 2 Run: anti-attack fragment enable. Defense against packet fragment attacks is enabled.
  • Page 301: Establishing The Configuration Task

    14.4.1 Establishing the Configuration Task: This section describes the applicable environment, required tasks, and data for configuring defense against flood attacks. Applicable Environment: Different types of attacks on a network overload network devices and can even cause them to fail, thus affecting network services.
  • Page 302: Configuring Defense Against UDP Flood Attacks

    The rate of sending TCP SYN packets is restricted. ----End. 14.4.3 Configuring Defense Against UDP Flood Attacks: The main measure against UDP flood attacks is to limit the rate of UDP packets.
  • Page 303: Checking The Configuration

    14.4.5 Checking the Configuration: After configuring defense against flood attacks, you can view statistics about defense against flood attacks on the interface board.
  • Page 304: Configuring Application Layer Association

    Applicable Environment: To prevent network devices from being attacked by packets of idle protocols, and to prevent network congestion, excessive CPU usage, and DoS attacks, application layer association is required and the protocol module must be disabled.
  • Page 305: Maintenance Attack Defense And Application Layer Association

    14.6 Maintenance Attack Defense and Application Layer Association: This section describes how to clear statistics about attack defense. 14.6.1 Clearing Statistics of Attack Defense and Application Layer...
  • Page 306: Enable defense against packet fragment attacks and restrict the rate for sending packet fragments to 15000 bit/s to prevent packet fragments from attacking the CPU and using excessive CPU and system resources.
  • Page 307: IP address of each interface. Restricted rate of sending packets to the CPU. Procedure: Step 1 Configure the IP addresses and routes of each interface to guarantee internetworking (omitted).
  • Page 308: interface GigabitEthernet1/0/0 ip address 100.111.1.1 255.255.255.252 anti-attack fragment car cir 15000 anti-attack tcp-syn car cir 15000 anti-attack icmp-flood car cir 15000 return...