Configuring Zones; Establishing The Configuration Task - Huawei S9700 Series Configuration Manual

S9700 Core Routing Switch
Configuration Guide - SPU
bandwidth. If the source port is changed to Chargen and the destination port is changed to ECHO,
the systems generate response packets continuously and cause serious damage.
IP-Fragment Attack
Several fields in an IP packet relate to flag bits and fragmentation, including Fragment Offset,
Length, Don't Fragment (DF), and MF.
If these fields conflict and are not processed correctly, the equipment may stop running.
The fields conflict in the following cases:
- The DF bit and MF bit are set at the same time or the fragment offset is not 0.
- The value of DF is 0, but the total of Fragment Offset and Length is larger than 65535.
In addition, the device must directly discard fragment packets destined for itself.
This is because more fragments result in a heavy load due to packet caching and reassembly.
Tracert Attack
A Tracert attack discovers the packet transmission path through the ICMP timeout packets that
are returned when the Time To Live (TTL) value is 0, or through the returned ICMP
port-unreachable packets.

2.3 Configuring Zones

All the security policies of the firewall are enforced based on zones.

2.3.1 Establishing the Configuration Task

Before configuring a zone, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the data required for the configuration. This will help you
complete the configuration task quickly and accurately.
Applicable Environment
Before configuring a firewall, you need to configure zones. Then you can configure the firewall
based on zones or interzones.
Pre-configuration Tasks
Before configuring a zone, complete the following task:
- Configuring the interfaces that you want to add to the zone
Data Preparation
To configure the zone, you need the following data.
No.   Data
1     Name of the zone

Issue 01 (2012-03-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration
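
The two field conflicts listed under IP-Fragment Attack earlier on this page can be checked directly on a raw IPv4 header, which is useful when validating a filter or reviewing captured traffic. The following Python code is an added example, not taken from the Huawei manual or the device's implementation. It assumes that the first condition means DF set together with MF or with a non-zero offset, that Length is the Total Length field, and that Fragment Offset is converted from 8-byte units to bytes; the function names and sample headers are constructed for illustration.

```python
import struct

DF, MF = 0x4000, 0x2000      # flag bits inside the 16-bit flags/offset word
OFFSET_MASK = 0x1FFF         # low 13 bits: Fragment Offset in 8-byte units
MAX_DATAGRAM = 65535         # limit named in the second conflict condition


def build_header(total_len, df=False, mf=False, offset_units=0):
    """Build a constructed 20-byte IPv4 header (checksum left at 0) for testing."""
    frag = (DF if df else 0) | (MF if mf else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, frag,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def fragment_conflicts(header):
    """Return the conflicts found in an IPv4 header's fragment fields."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, _ident, frag = struct.unpack("!HHH", header[2:8])
    df, mf = bool(frag & DF), bool(frag & MF)
    offset_bytes = (frag & OFFSET_MASK) * 8
    found = []
    # Assumed reading of condition 1: DF contradicts any sign of fragmentation.
    if df and mf:
        found.append("DF and MF both set")
    if df and offset_bytes:
        found.append("DF set with non-zero fragment offset")
    # Condition 2: DF is 0, but offset plus length passes the 65535 limit.
    if not df and offset_bytes + total_len > MAX_DATAGRAM:
        found.append("fragment offset + length exceeds 65535")
    return found


if __name__ == "__main__":
    samples = {  # constructed sample headers, not captured traffic
        "normal first fragment": build_header(1500, mf=True),
        "DF and MF": build_header(1500, df=True, mf=True),
        "DF and offset": build_header(1500, df=True, offset_units=185),
        "oversize": build_header(1500, offset_units=8189),
    }
    for name, hdr in samples.items():
        print(f"{name:22} -> {fragment_conflicts(hdr) or 'ok'}")
```

A filter built on this check would drop any packet for which `fragment_conflicts` returns a non-empty list.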
