The privilege of HCNA/HCNP/HCIE:

With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:

1. Comprehensive E-Learning Courses
   Content: All Huawei Career Certification E-Learning courses.
   Method to get the E-learning privilege: submit the Huawei Account and the email used for Huawei Account registration to Learning@huawei.com.

2. Training Material Download
   Content: Huawei product training material and Huawei career certification training material.
   Method: Log on to http://learning.huawei.com/en and enter Huawei Training/Classroom Training; you can then download the training material from the specific training introduction page.

3. Priority to participate in Huawei Online Open Class (LVC)
   Content: Huawei career certification training covering all ICT technical domains such as R&S, UC&C, Security, Storage and so on, conducted by Huawei professional instructors.
   Method: For the schedule and how to participate, please refer to http://support.huawei.com/ecommunity/bbs/10154479.html

4. Learning Tool: eNSP
   eNSP (Enterprise Network Simulation Platform) is a free graphical network simulation tool developed by Huawei. eNSP mainly simulates enterprise routers and switches as close to the real hardware as possible, which makes lab practice available and easy without any real device.

In addition, Huawei has built up the Huawei Technical Forum, which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others, or become acquainted with Huawei products (http://support.huawei.com/ecommunity/).

HUAWEI TECHNOLOGIES CO., LTD.  华为保密信息,未经授权禁止扩散 (Huawei confidential information; unauthorized distribution is prohibited)  Page 1
Chapter 1  Network Security Overview

www.huawei.com

Copyright © 2010 Huawei Technologies Co., Ltd. All rights reserved.

o
e n
m/
Objectives c o
i .
e w
 Upon completion of this course, you will be h
a
u to:
able
g .
Understand OSI model in

r n
Understand TCP/IP principles ea

/ l
: /
 Understand TCP/IP security issues
t p
Understand Common attack ht means
:

e s
r c
o u
s
Re
n g
n i
a r
Le
r eht © 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
o
Copyrig Pa ge 2
Contents

1. OSI Model Introduction
2. TCP/IP Introduction
3. TCP/IP Security Issues
4. Common Network Attacks
OSI Model Generation

- Purposes
- Design principles
- Strengths
Introduction to the Seven Layers of the OSI Model

PDU       Layer                  Function
APDU      7  Application layer   Providing inter-application communication
PPDU      6  Presentation layer  Processing data formats and encryption
SPDU      5  Session layer       Setting up, maintaining, and managing sessions
Segment   4  Transport layer     Establishing end-to-end connections between hosts
Packet    3  Network layer       Addressing and routing
Frame     2  Data link layer     Providing medium access and link management
Bit       1  Physical layer      Transmitting bit streams

Layers 7 to 5 are the three upper layers (their PDUs are collectively called data); layers 4 to 1 are the four lower layers.
Communication Between Peer Layers

- Each layer communicates with its peer layer by using the service provided by the layer below it.

Host A                   PDU         Host B
Application layer   <-- APDU -->     Application layer
Presentation layer  <-- PPDU -->     Presentation layer
Session layer       <-- SPDU -->     Session layer
Transport layer     <-- Segment -->  Transport layer
Network layer       <-- Packet -->   Network layer
Data link layer     <-- Frame -->    Data link layer
Physical layer      <-- Bit -->      Physical layer
Procedure for Processing Network Data Streams

(Figure: the sending host processes user data down through all seven layers; the intermediate Router A, Router B and Router C process only the network, data link and physical layers; the receiving host processes the data up through all seven layers.)
Mapping Between TCP/IP and OSI Model Layers

- TCP/IP is simply tiered, and its layers map clearly onto the OSI model layers.

OSI                  TCP/IP
Application layer    Application layer
Presentation layer   (Application layer)
Session layer        (Application layer)
Transport layer      Transport layer
Network layer        Network layer
Data link layer      Data link layer
Physical layer       (covered by the TCP/IP data link layer, which accesses the physical media)
Encapsulation and Decapsulation Processes of TCP/IP Packets

Encapsulation (sender, top down)                Decapsulation (receiver, bottom up)
User data                                       User data
Application layer: [APP][User data]             Application layer removes the APP header
Transport layer:   [TCP][APP][User data]        Transport layer removes the TCP header
Network layer:     [IP][TCP][APP][User data]    Network layer removes the IP header
Data link layer:   [Eth][IP][TCP][APP][User data]   Data link layer removes the Ethernet header
Physical layer:    10101011010101001010100011101010010101
Functions of Each TCP/IP Layer

Layer               Protocols                          Function
Application layer   HTTP, Telnet, FTP, TFTP, DNS       Providing a network interface for applications
Transport layer     TCP, UDP                           Establishing end-to-end connections
Network layer       IP, ICMP, IGMP, ARP, RARP          Addressing and routing
Data link layer     Ethernet, 802.3, PPP, HDLC, FR     Accessing physical media
Socket

Application   HTTP  FTP    Telnet  SMTP  DNS  TFTP  SNMP
Port          80    20/21  23      25    53   69    161
Transport     TCP: HTTP, FTP, Telnet, SMTP, DNS;  UDP: DNS, TFTP, SNMP
Network       IP datagrams

- Source socket: source IP address + protocol + source port
- Destination socket: destination IP address + protocol + destination port
Data Link Layer Protocol

Ethernet protocol encapsulation:

Destination address | Source address | Type | Data (46-1500 bytes) | CRC

Types:
- Type 0800: indicates IP.
- Type 0806: indicates ARP.
- Type 8035: indicates RARP.
ARP

ARP encapsulation:

Ethernet header: Destination address | Source address | Frame type
28-byte ARP request/response: Hardware type | Protocol type | Hardware address length | Protocol address length | OP | Source Ethernet address | Source IP address | Destination Ethernet address | Destination IP address

- Frame type 0806 indicates ARP (this is the Ethernet type field, not an IP field).
Network Layer Protocol

IPv4 packet header:

Version | Header length | Service type | Total length
Identification | Flags | Fragment offset
TTL | Protocol | Header checksum
Source IP address
Destination IP address
IP options
Transport Layer Protocol

UDP packet format (bit offsets 0, 8, 16, 24, 31):
Source port | Destination port
UDP length | UDP checksum (optional in IPv4)
Data

TCP packet format:
Source port | Destination port
Sequence number (SN)
Acknowledgment number
Header length | Reserved (6 bits) | URG ACK PSH RST SYN FIN | Window size
TCP checksum | Urgent pointer
Options
Data
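The encapsulation, Ethernet type, IPv4 header and TCP header slides above describe a format; the following Python program builds a frame through all three headers and parses it back, checking the demultiplexing field at each layer (Ethernet type 0800, IP protocol 6, IP header length) and the IPv4 header checksum. It is an added example, not code from the slides; the MAC addresses, IP addresses, ports and payload are constructed for illustration, and the TCP checksum is left at zero because it needs the IP pseudo-header, which the slides do not cover.

```python
"""Build and parse Ethernet/IPv4/TCP encapsulation with the struct module.

Added example (not from the original slides). Addresses, ports and payload
are constructed for illustration.
"""
import struct

ETHERTYPE_IP = 0x0800  # Ethernet type 0800 = IP (slide "Data Link Layer Protocol")
PROTO_TCP = 6          # IPv4 Protocol field value for TCP
TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_tcp(src_port, dst_port, seq, ack, flags, payload, window=65535):
    """20-byte TCP header (header length 5 words, no options) + data.
    TCP checksum left as 0: it needs the IP pseudo-header."""
    offset_flags = (5 << 12) | flags
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                      offset_flags, window, 0, 0)
    return hdr + payload


def build_ipv4(src_ip, dst_ip, proto, payload, ttl=64, ident=0x1234):
    """20-byte IPv4 header: version 4, IHL 5, DF flag set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000, ttl, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ethernet(src_mac, dst_mac, ethertype, payload):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def encapsulate(user_data: bytes) -> bytes:
    """Top-down encapsulation: data -> TCP segment -> IP packet -> Ethernet frame."""
    segment = build_tcp(40000, 80, seq=11001, ack=0, flags=TCP_SYN, payload=user_data)
    packet = build_ipv4("192.168.0.10", "192.168.0.1", PROTO_TCP, segment)
    return build_ethernet("00:01:02:03:04:05", "01:11:21:31:41:51", ETHERTYPE_IP, packet)


def decapsulate(frame: bytes) -> dict:
    """Bottom-up decapsulation; each layer checks the field that selects the next."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IP:
        raise ValueError("unexpected Ethernet type 0x%04x" % ethertype)
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _cs = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or checksum(ip[:ihl]) != 0:  # a correct header sums to zero
        raise ValueError("bad IPv4 header or checksum")
    if proto != PROTO_TCP:
        raise ValueError("unexpected IP protocol %d" % proto)
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ttl, "ident": ident,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window,
        "data": tcp[data_off:],
    }


def tampered_frame_is_rejected(frame: bytes) -> bool:
    """Flipping one header bit (in the TTL) without recomputing the checksum is caught."""
    bad = bytearray(frame)
    bad[14 + 8] ^= 0x01
    try:
        decapsulate(bytes(bad))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    f = encapsulate(b"GET / HTTP/1.0\r\n")
    print(len(f), decapsulate(f))
```

Note that the header checksum only detects accidental corruption: anyone who can forge the packet can recompute it, which is the point of the later slide on what IPv4 lacks (origin, integrity and confidentiality protection).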
TCP Connection Establishment

- Three-way handshake

Client                                        Server
  ---- SYN (seq = x) ---->
  <--- SYN, ACK (seq = y, ack = x + 1) ----
  ---- ACK (seq = x + 1, ack = y + 1) ---->
TCP Connection Termination

- Four-way handshake

Side that proactively closes            Side that passively closes
  ---- FIN ---->
  <--- ACK ----
  <--- FIN ----
  ---- ACK ---->
TCP/IP Security Risks

- IPv4
  - Lacks a data source (origin) verification mechanism
  - Lacks an integrity verification mechanism
  - Lacks a confidentiality guarantee mechanism
- Common security risks
  - Data link layer: MAC spoofing, MAC flooding, ARP spoofing, STP redirection
  - Network layer: IP address spoofing, packet fragmentation attacks, ICMP attacks, and routing attacks
  - Transport layer: SYN flood
  - Application layer: buffer overflows, vulnerabilities, viruses, and Trojan horses
ARP Security Risks

Gateway: IP address 192.168.0.1, MAC address 01-11-21-31-41-51
Host: IP address 192.168.0.10, MAC address 00-01-02-03-04-05
Host: IP address 192.168.0.11, MAC address 00-10-20-30-40-50

- ARP spoofing: a host on the LAN sends forged ARP replies, "I am the gateway", to the other hosts, and ARP replies to 192.168.0.1 claiming the other hosts' addresses, so that traffic between those hosts and the gateway is redirected through it. This works because ARP has no authentication: a host updates its ARP cache from any reply it receives, even one it never asked for.
- ARP flood
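To make the ARP encapsulation slide and the spoofing scenario above concrete, here is an added Python example (not code from the slides) that encodes and decodes the 28-byte ARP body behind an Ethernet header, then replays the slide's topology through a passive detector: the detector keeps the first (or statically configured) IP-to-MAC binding and raises an alert when a reply arrives that nobody requested or that contradicts a known binding. The frames, the static gateway entry and the `ArpWatcher` class are constructed for this example.

```python
"""ARP frame encoding/decoding plus a passive ARP-spoofing detector.

Added example, not from the original slides. Frames are constructed to match
the slide topology: gateway 192.168.0.1 at 01-11-21-31-41-51, host
192.168.0.10 at 00-01-02-03-04-05, host 192.168.0.11 at 00-10-20-30-40-50.
"""
import struct

ETHERTYPE_ARP = 0x0806           # frame type 0806 = ARP
ARP_REQUEST, ARP_REPLY = 1, 2    # values of the OP field
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """14-byte Ethernet header + 28-byte ARP body (hardware type 1 = Ethernet,
    protocol type 0800 = IP, hardware/protocol address lengths 6 and 4)."""
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    return eth + body


def parse_arp(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encapsulation")
    return {"op": op,
            "sender_mac": smac.hex(":"), "sender_ip": ".".join(map(str, sip)),
            "target_mac": tmac.hex(":"), "target_ip": ".".join(map(str, tip))}


class ArpWatcher:
    """Passive detector. A plain host does the opposite: it overwrites its cache
    with whatever the latest reply says, which is exactly what spoofing exploits."""

    def __init__(self, static=None):
        self.table = dict(static or {})   # ip -> mac; static entries are trusted
        self.pending = set()              # (asker_ip, asked_ip) requests awaiting a reply
        self.alerts = []

    def observe(self, frame: bytes) -> dict:
        a = parse_arp(frame)
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["sender_ip"], a["target_ip"]))
        elif a["op"] == ARP_REPLY:
            key = (a["target_ip"], a["sender_ip"])
            if key in self.pending:
                self.pending.discard(key)
            else:   # nobody asked: unsolicited (gratuitous) reply
                self.alerts.append(("unsolicited-reply", a["sender_ip"], a["sender_mac"]))
        self._learn(a["sender_ip"], a["sender_mac"])   # requests carry a binding too
        return a

    def _learn(self, ip, mac):
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:   # keep the first/static binding, report the conflict
            self.alerts.append(("mac-conflict", ip, known, mac))


def slide_scenario() -> list:
    """Replay of the slide: .10 resolves the gateway legitimately, then .11 poisons
    both .10 ("I am the gateway") and the gateway ("I am .10")."""
    gw, h10, h11 = "01:11:21:31:41:51", "00:01:02:03:04:05", "00:10:20:30:40:50"
    w = ArpWatcher(static={"192.168.0.1": gw})
    frames = [
        build_arp(ARP_REQUEST, h10, "192.168.0.10", "00:00:00:00:00:00", "192.168.0.1"),
        build_arp(ARP_REPLY, gw, "192.168.0.1", h10, "192.168.0.10", dst_mac=h10),
        build_arp(ARP_REPLY, h11, "192.168.0.1", h10, "192.168.0.10", dst_mac=h10),
        build_arp(ARP_REPLY, h11, "192.168.0.10", gw, "192.168.0.1", dst_mac=gw),
    ]
    for f in frames:
        w.observe(f)
    return w.alerts


if __name__ == "__main__":
    for alert in slide_scenario():
        print(alert)
```

The two detection rules correspond to the two properties the slide relies on: replies that no request preceded, and a MAC change for an address whose binding is already known. On a real segment the first rule needs care with legitimate gratuitous ARP (address takeover by HA pairs, for example), which is why the static-binding rule is the one to alert on loudly.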
IP Security Risks

(Figure: a sniffer between host A, 192.168.0.11, and host B, 192.168.0.12, sees B's request and sends a spoofed reply with source address 192.168.0.11.)

Why is an IP address easily spoofed?
- Inter-node trust relationships are built on IP addresses, while IPv4 never verifies the source address of a packet.
- Man-in-the-middle attack: forge a legitimate IP address to obtain confidential information.
TCP Security Risks

Scenario: Host A trusts Host B (trust based on IP address). Host C initiates the attack by spoofing B's address.

1. C first denies service to B, so that B cannot respond to A.
2. Spoofed packet from C to A with source address B: SYN = 1, SEQ = 11001, ACK = 0
3. A replies to B: SYN = 1, ACK = 1, SEQ = 54002, ACK = 11002. B cannot answer, and C never sees this packet, so C must predict A's sequence number 54002.
4. Spoofed packet from C to A with source address B: ACK = 1, SEQ = 11002, ACK = 54003

Result: an unauthorized connection to A in B's name. It succeeds only if A's initial sequence number is predictable.
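The exchange on the slide above, as an added simulation (not code from the slides): host A is a small Python object that issues initial sequence numbers either with a fixed per-connection increment (the behaviour of early BSD stacks that made this attack practical) or randomly, and accepts a connection only when the final ACK acknowledges exactly ISN + 1. Host C learns A's current ISN from a connection under its own address, then runs steps 2 to 4 as B. The increment value, the host names and the `HostA` class are assumptions of this example; nothing is sent on a real network.

```python
"""Simulation of the blind TCP spoofing sequence on the slide "TCP Security Risks".

Added example, not from the original slides. Host A trusts host B by IP
address; host C spoofs B. A's initial sequence number (ISN) generator is either
predictable (fixed increment per connection) or random. No packets leave this
process; "hosts" are plain Python objects.
"""
import random

ISN_STEP = 64000  # constructed per-connection increment of the predictable generator


class HostA:
    """Server that completes a connection only if the final ACK equals its ISN + 1."""

    def __init__(self, isn_mode, rng):
        self.isn_mode, self.rng = isn_mode, rng
        self.last_isn = 11000
        self.half_open = {}    # peer address -> (our ISN, expected peer seq)
        self.established = []

    def next_isn(self):
        if self.isn_mode == "predictable":
            self.last_isn = (self.last_isn + ISN_STEP) & 0xFFFFFFFF
        else:
            self.last_isn = self.rng.getrandbits(32)
        return self.last_isn

    def on_syn(self, src_ip, seq):
        """Step 3 on the slide: the SYN/ACK goes to whoever the source address names."""
        isn = self.next_isn()
        self.half_open[src_ip] = (isn, (seq + 1) & 0xFFFFFFFF)
        return {"to": src_ip, "flags": "SYN,ACK", "seq": isn, "ack": (seq + 1) & 0xFFFFFFFF}

    def on_ack(self, src_ip, seq, ack):
        """Step 4: accept only if the peer acknowledges exactly ISN + 1."""
        isn, expect_seq = self.half_open.get(src_ip, (None, None))
        if isn is not None and ack == (isn + 1) & 0xFFFFFFFF and seq == expect_seq:
            del self.half_open[src_ip]
            self.established.append(src_ip)
            return True
        return False

    def on_rst(self, src_ip):
        """A live B answers the unexpected SYN/ACK with RST and A aborts."""
        self.half_open.pop(src_ip, None)


def blind_spoof(isn_mode, b_silenced, seed=1):
    """Return True if C ends up with an established connection in B's name."""
    a = HostA(isn_mode, random.Random(seed))
    # Reconnaissance: C connects from its own address and observes A's current ISN.
    probe = a.on_syn("C", 5000)
    a.on_ack("C", 5001, (probe["seq"] + 1) & 0xFFFFFFFF)
    observed = probe["seq"]
    # Step 2: spoofed SYN "from B" with SEQ 11001 as on the slide.
    synack = a.on_syn("B", 11001)
    assert synack["to"] == "B"        # C never sees this packet
    if not b_silenced:                # step 1 skipped: B is alive and resets
        a.on_rst("B")
    # Step 4: C guesses A's ISN from the increment and sends the spoofed ACK.
    guess = (observed + ISN_STEP) & 0xFFFFFFFF
    return a.on_ack("B", 11002, (guess + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    for mode in ("predictable", "random"):
        print(mode, "B silenced:", blind_spoof(mode, True),
              "B alive:", blind_spoof(mode, False))
```

Two things the simulation makes visible that the slide only implies: step 1 (silencing B) is a precondition, not an extra, because a live B would reset the half-open connection; and with a random ISN the guess fails with probability about 1 - 2^-32 per attempt, which is why modern stacks randomise it and why address-based trust is still not a substitute for authentication.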
Passive Attack

(Figure: Host A and Host B communicate over the Internet; the attacker monitors the traffic.)

- Monitoring (sniffing)
- Detection
- Defense
Active Attack

(Figure: an attacker on the Internet targets Host A and the business resources of an enterprise. A packet consists of a packet header and a data load.)

- Spoofing attack: the packet header is the spoofed part.
- Falsification attack: the data load is the falsified part.
- DoS attack
Man-in-the-Middle Attack

(Figure: the attacker sits between Host A and Host B on the Internet.)

- Passive attack: steal information
- Proactive (active) attack: falsify information
Summary

- OSI model
- TCP/IP principles
- TCP/IP security issues
- Common attack means
Questions

- Why is ARP spoofing easily initiated?
- How is IP spoofing realized?
- What is the difference between TCP and UDP?
- Why does TCP have a header length field, but UDP does not?
- Why does TCP connection establishment require a three-way handshake, but disconnection a four-way handshake?
Answer
Thank you

www.huawei.com
Chapter 2  Basic Firewall Technology

www.huawei.com
Objectives

Upon completion of this course, you will be able to:
- Understand the definition and classification of firewalls
- Understand the main features and technologies of firewalls
- Understand the data forwarding process and basic firewall configuration
Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration
Firewall Overview

Firewall functions:
- Filters traffic between logical areas
- Hides the intranet structure
- Guarantees its own security
- Actively defends against attacks

(Figure: Intranet - Firewall - Router.)

Question: is it possible to protect against traffic that does not pass through the firewall?
Firewall Classification

- By form
  - Hardware firewall
  - Software firewall
- By protected target
  - Standalone (host) firewall
  - Network firewall
- By access control method
  - Packet filtering firewall
  - Proxy firewall
  - Stateful inspection firewall
Firewall Classification: Packet Filtering Firewall

A packet filtering firewall detects headers only: it examines the IP and TCP (or UDP) headers of each packet in isolation.

Limitations:
1. Cannot correlate packets (no connection state)
2. Cannot adapt to multi-channel protocols (such as FTP, whose data channel port is negotiated inside the control channel)
3. Does not check application-layer data
Firewall Classification: Proxy Firewall

Extranet terminal                       Proxy firewall                                            Intranet server
Send connection request  -->            Security check on the request; block unqualified ones
                         <--            Establish a connection with the client if the request passes the check
                                        Establish a connection with the server if the request passes the check  -->
Send packet A to the firewall  -->      Send packet A' to the server  -->
                         <--  Send response packet B' to the terminal   <--  Send response packet B to the firewall

Drawbacks:
1. Slow processing
2. Difficult to upgrade (each application protocol needs its own proxy)
Firewall Classification: Stateful Inspection Firewall

Host 10.0.0.1                              Firewall                                             Server 20.0.0.1
10.0.0.1 -> 20.0.0.1 TCP SYN       -->     Security policy check, then record the session information   -->
                                   <--     Following packets are matched against the session table      <--  20.0.0.1 -> 10.0.0.1 TCP SYN ACK
10.0.0.1 -> 20.0.0.1 TCP ACK       -->     Matches the session: forwarded                               -->
20.0.0.1 -> 10.0.0.1 TCP SYN ACK' (no session for it): state error, dropped
10.0.0.1 -> 20.0.0.1 TCP ACK' (no session for it): state error, dropped

Advantages:
1. Rapid processing (only the first packet of a session is checked against the policy)
2. High security
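The packet-filtering and stateful-inspection slides above, together with the three-way handshake and four-way termination slides in Chapter 1, are easiest to compare in code. The following added Python example (not code from the slides) runs the same constructed packet sequence through a header-only filter and through a session table that tracks TCP state: the stateless filter has to let every untrust-to-trust packet with ACK set through in order to admit replies, so a forged SYN/ACK' or ACK' passes; the stateful firewall admits only packets that match an existing session in the expected state, and removes the session after the four-way close. The `Packet` class, the addressing plan (10.x = trust, everything else = untrust) and the policy "trust may open TCP connections to untrust" are assumptions of this example.

```python
"""Stateless packet filter versus stateful inspection, over constructed packets.

Added example, not from the original slides. Host 10.0.0.1 (trust) talks to
server 20.0.0.1 (untrust) as on the slide. Policy: trust may open TCP
connections to untrust; untrust may not open connections to trust.
"""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int
    flags: int


def zone_of(ip: str) -> str:
    """Constructed addressing plan for the example."""
    return "trust" if ip.startswith("10.") else "untrust"


def stateless_filter(pkt: Packet) -> str:
    """Header-only filter. To let replies back in, it must permit any
    untrust->trust TCP packet with ACK set ("established" heuristic)."""
    src, dst = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
    if src == "trust" and dst == "untrust":
        return "permit"
    if src == "untrust" and dst == "trust" and pkt.flags & ACK:
        return "permit"   # forged ACK/SYN-ACK packets pass here as well
    return "deny"


class StatefulFirewall:
    """Session table keyed on the initiator's 5-tuple; the first packet is checked
    against policy, later packets are matched by session and TCP state."""

    def __init__(self):
        self.sessions = {}   # 5-tuple -> state

    @staticmethod
    def _key(p):
        return (p.src_ip, p.sport, p.dst_ip, p.dport, p.proto)

    @staticmethod
    def _rkey(p):
        return (p.dst_ip, p.dport, p.src_ip, p.sport, p.proto)

    def handle(self, p: Packet) -> str:
        k, rk = self._key(p), self._rkey(p)
        if k in self.sessions:
            return self._step(k, p, from_initiator=True)
        if rk in self.sessions:
            return self._step(rk, p, from_initiator=False)
        # No session: only a bare SYN that the interzone policy allows opens one.
        if (p.proto == "tcp" and p.flags & SYN and not p.flags & ACK
                and zone_of(p.src_ip) == "trust" and zone_of(p.dst_ip) == "untrust"):
            self.sessions[k] = "SYN_SENT"
            return "permit"
        return "deny: no matching session and policy forbids a new one"

    def _step(self, key, p, from_initiator):
        state = self.sessions[key]
        if p.flags & RST:
            del self.sessions[key]
            return "permit"
        if state == "SYN_SENT":
            if not from_initiator and p.flags & SYN and p.flags & ACK:
                self.sessions[key] = "SYN_RCVD"
                return "permit"
            if from_initiator and p.flags & SYN:
                return "permit"                      # SYN retransmission
        elif state == "SYN_RCVD":
            if from_initiator and p.flags & ACK and not p.flags & SYN:
                self.sessions[key] = "ESTABLISHED"
                return "permit"
        elif state == "ESTABLISHED":
            if p.flags & FIN:                        # first FIN of the four-way close
                self.sessions[key] = ("FIN_WAIT", from_initiator)
            return "permit"
        elif isinstance(state, tuple):               # one side has sent FIN
            if p.flags & FIN and from_initiator != state[1]:
                self.sessions[key] = "LAST_ACK"
            return "permit"
        elif state == "LAST_ACK":
            if p.flags & ACK:
                del self.sessions[key]               # fourth packet: session gone
            return "permit"
        return "deny: state error in %s" % (state,)


def run_slide_exchange() -> list:
    """Return (description, stateless verdict, stateful verdict) per packet."""
    fw = StatefulFirewall()
    c, s = "10.0.0.1", "20.0.0.1"
    steps = [
        ("handshake SYN",     Packet(c, s, "tcp", 40000, 80, SYN)),
        ("handshake SYN/ACK", Packet(s, c, "tcp", 80, 40000, SYN | ACK)),
        ("handshake ACK",     Packet(c, s, "tcp", 40000, 80, ACK)),
        ("forged SYN/ACK'",   Packet(s, c, "tcp", 80, 40001, SYN | ACK)),
        ("forged ACK'",       Packet(c, s, "tcp", 40002, 80, ACK)),
        ("untrust SYN",       Packet(s, c, "tcp", 1234, 22, SYN)),
        ("close FIN",         Packet(c, s, "tcp", 40000, 80, FIN | ACK)),
        ("close ACK",         Packet(s, c, "tcp", 80, 40000, ACK)),
        ("close FIN",         Packet(s, c, "tcp", 80, 40000, FIN | ACK)),
        ("close last ACK",    Packet(c, s, "tcp", 40000, 80, ACK)),
        ("late data ACK",     Packet(s, c, "tcp", 80, 40000, ACK)),
    ]
    return [(name, stateless_filter(p), fw.handle(p).split(":")[0]) for name, p in steps]


if __name__ == "__main__":
    for row in run_slide_exchange():
        print("%-20s stateless=%-7s stateful=%s" % row)
```

A real session table also ages entries out (the "long connection" feature on a later slide adjusts that timer) and, for UDP and ICMP, keys on the 5-tuple alone since there are no flags to track.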
Firewall Hardware Platform Classification

- Intel x86: suitable for 100 Mbit/s networks; limited by the CPU processing ability and the PCI bus speed.
- NP (network processor): specifically designed for data packets; a compromise between x86 and ASIC.
- ASIC: a hardware circuit that solidifies the instruction or calculation logic in hardware, for high processing capacity and firewall performance.
- Multi-core: new-generation hardware platform; multi-core solutions with higher integration and more efficient inter-core communication and management mechanisms.
Firewall Working Modes

- Routing mode: each interface has an IP address.
- Transparent mode: no interface has an IP address.
- Composite mode: some interfaces have an IP address.

Question: do the interfaces in transparent mode really have no IP address?
Routing Mode

Features of routing mode:
- Supports more security features
- Has some influence on the network topology

(Figure: Internet - firewall - intranet. Untrust side addresses 192.168.10.1/30 and 192.168.10.129/30; Trust side addresses 192.168.10.5/30 and 192.168.10.133/30.)
Transparent Mode

Features of transparent mode:
- Has no influence on the network topology

(Figure: Internet router 192.168.10.1/30 - firewall with an Untrust interface and a Trust interface, neither with an IP address - intranet device 192.168.10.2/30. Both sides stay in the same subnet.)
Composite Mode

Features of composite mode:
- Transparent to the network topology on the Layer 2 interfaces

(Figure: Internet - firewall - intranet. Untrust side 192.168.10.1/30 and 192.168.10.129/30; Trust side 192.168.10.2/30 and 192.168.10.130/30; the firewall's Layer 3 interfaces use 1.1.1.1/30 and 1.1.1.2/30.)

Question: does a single firewall support composite mode?
Definition of Security Zones

Default security zones:
- Untrust zone: the Internet (ISP A, ISP B)
- Demilitarized zone (DMZ): mail server, web server
- Trust zone: the enterprise intranet (financial server, ERP data server, OA server, domain management server, user terminals)
- Local zone

Question: where is the local zone? (It is the firewall itself: traffic to and from the device, such as management sessions, belongs to it.)
Definition of Inbound and Outbound

- What is inbound? Traffic from a zone with a lower security level to a zone with a higher security level.
- What is outbound? Traffic from a zone with a higher security level to a zone with a lower security level.

(Figure: Untrust zone, Internet, low security level - firewall - Trust zone, enterprise intranet, high security level.)
Relationship Between Firewall Security Zones and Interfaces

- Can the firewall have two security zones with the same security level? (No: the security level identifies the zone and must be unique.)
- Does the firewall allow one physical interface to belong to two different security zones? (No: an interface belongs to exactly one zone.)
- Can different interfaces of the firewall belong to the same security zone? (Yes.)

(Figure: G0/0/0 Trust zone, G0/0/1 Trust zone, G0/0/2 DMZ, G0/0/3 Untrust zone, with G0/0/3 connected to the Internet.)
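The zone model of the last three slides (default zones, inbound versus outbound by security level, and the zone-to-interface rules) can be written down as a small forwarding check. The added Python example below (not code from the slides) enforces the three rules when zones and interfaces are configured, derives the destination zone from a longest-prefix route lookup, classifies the flow as inbound or outbound from the zone priorities, and evaluates a first-match interzone policy with a default deny. The priorities Local 100, Trust 85, DMZ 50 and Untrust 5 are the conventional Huawei USG defaults; the interface names follow the slide figure, while the prefixes, routes and policy rules are constructed for the example, as is the assumption that traffic inside one zone is not policy-filtered.

```python
"""Security-zone model: interfaces, zone priorities, inbound/outbound, interzone policy.

Added example, not from the original slides. Default priorities follow the
usual Huawei USG defaults (Local 100, Trust 85, DMZ 50, Untrust 5); interface
names follow the slide figure; prefixes, routes and policy rules are constructed.
"""
import ipaddress


class ZoneModel:
    def __init__(self):
        self.zones = {}        # zone name -> security level (priority)
        self.iface_zone = {}   # interface -> zone
        self.routes = []       # (network, egress interface)
        self.policies = {}     # (src_zone, dst_zone) -> [(src_net, dst_net, action)]

    def add_zone(self, name, priority):
        if priority in self.zones.values():      # rule 1: levels are unique
            raise ValueError("security level %d is already in use" % priority)
        self.zones[name] = priority

    def add_interface(self, iface, zone):
        if iface in self.iface_zone:             # rule 2: one zone per interface
            raise ValueError("%s already belongs to %s" % (iface, self.iface_zone[iface]))
        if zone not in self.zones:
            raise ValueError("unknown zone %s" % zone)
        self.iface_zone[iface] = zone            # rule 3: a zone may hold many interfaces

    def add_route(self, cidr, iface):
        self.routes.append((ipaddress.ip_network(cidr), iface))

    def add_policy(self, src_zone, dst_zone, src_net, dst_net, action):
        self.policies.setdefault((src_zone, dst_zone), []).append(
            (ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net), action))

    def egress_interface(self, dst_ip):
        """Longest-prefix match over the static routes."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net.prefixlen, iface) for net, iface in self.routes if ip in net]
        return max(matches)[1] if matches else None

    def direction(self, src_zone, dst_zone):
        """Inbound = low security level to high; outbound = high to low."""
        return "inbound" if self.zones[src_zone] < self.zones[dst_zone] else "outbound"

    def check(self, in_iface, src_ip, dst_ip):
        """Return (src_zone, dst_zone, direction, action) for a packet entering on in_iface."""
        src_zone = self.iface_zone[in_iface]
        out = self.egress_interface(dst_ip)
        if out is None:
            return (src_zone, None, None, "deny")
        dst_zone = self.iface_zone[out]
        if src_zone == dst_zone:                 # assumption: intrazone traffic is not filtered
            return (src_zone, dst_zone, "intrazone", "permit")
        direction = self.direction(src_zone, dst_zone)
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for src_net, dst_net, action in self.policies.get((src_zone, dst_zone), []):
            if s in src_net and d in dst_net:    # first match wins
                return (src_zone, dst_zone, direction, action)
        return (src_zone, dst_zone, direction, "deny")   # default interzone action


def rejects(fn, *args) -> bool:
    """True if the configuration call is refused by the model."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def build_slide_firewall() -> ZoneModel:
    """Zones and interfaces as on the slide figure; prefixes and rules are constructed."""
    fw = ZoneModel()
    for name, prio in (("local", 100), ("trust", 85), ("dmz", 50), ("untrust", 5)):
        fw.add_zone(name, prio)
    fw.add_interface("G0/0/0", "trust")
    fw.add_interface("G0/0/1", "trust")          # second interface in the same zone
    fw.add_interface("G0/0/2", "dmz")
    fw.add_interface("G0/0/3", "untrust")
    fw.add_route("10.1.1.0/24", "G0/0/0")
    fw.add_route("10.1.2.0/24", "G0/0/1")
    fw.add_route("172.16.1.0/24", "G0/0/2")
    fw.add_route("0.0.0.0/0", "G0/0/3")
    fw.add_policy("trust", "untrust", "10.1.0.0/16", "0.0.0.0/0", "permit")
    fw.add_policy("untrust", "dmz", "0.0.0.0/0", "172.16.1.10/32", "permit")
    return fw


if __name__ == "__main__":
    fw = build_slide_firewall()
    print(fw.check("G0/0/0", "10.1.1.5", "8.8.8.8"))
    print(fw.check("G0/0/3", "203.0.113.7", "172.16.1.10"))
    print(fw.check("G0/0/3", "203.0.113.7", "10.1.1.5"))
```

The order of operations in `check` mirrors the configuration order taught later in this chapter: interface to zone, route lookup, interzone direction, then policy. Note that the destination zone is a property of the route, not of the packet, so a routing change can silently move a flow from one interzone policy to another.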
Firewall Functions

- Switching: FE, GE; VLAN; Trunk, 802.1ad
- Routing: static routing; policy routing; RIPv2; OSPFv2; BGPv4
- Security: ACL; NAT; VPN (L2TP, GRE, IPSec, SSL, MPLS); P2P/IM control
- UTM: AV; IPS; anti-spam; URL filtering
- WLAN/WWAN and WAN access: WiFi, 802.11b/g, 3G; PPP, PPPoE, ADSL2+, HDLC
- Unified management: SNMP v2/v3; RMON; TR069; Telnet/SSL/HTTP(S); FTP/TFTP; SYSLOG
Main Firewall Function: Access Control

- Identify the headers (MAC, IP, TCP) and the data load, and apply the policy.
- Identity check: access control is based on identity, subject attributes, and subject operations.

(Figure: Host A - firewall applying the policy - Server.)
Basic Firewall Function: Deep Packet Inspection

Identification based on:
- Feature fields (signatures)
- Application-layer gateways
- Behavior patterns
SACG Interworking Technology

- Agent: client agent installed on the terminals (headquarters, branches, VPN access)
- SACG: security access control gateway (firewall), which separates the pre-authentication domain from the post-authentication domain
- SM: management server
- SC: control server
- UCL: account-based ACL
- Pre-authentication domain: SM, SC, SRS, SPS, anti-virus server, patch server, security auditor, security administrator

(Figure: agents in the branches and at VPN access points reach the post-authentication domain only through the SACG.)
High Availability 1: Dual-System Hot Backup

(Figure: PCs and the intranet server 10.110.1.0/24 in the Trust zone reach the extranet server 202.10.0.0/24 in the Untrust zone through USG (master) and USG (standby).)

- VRRP: provides redundant gateway backup.
- VGMP: unifies the master/standby state of all interfaces on the device.
- HRP: synchronizes state between the two firewalls, for example session and configuration information.
High Availability 2: IP Link

(Figure: the firewall probes a path through Carrier A, which has failed, and a path through Carrier B.)

The results of automatic IP link inspection can be referenced by other functions. The main applications include:
- Static routing (a static route bound to a failed link is withdrawn)
- Dual-system hot backup
QoS

End-to-end flow control: receiving packets -> classification and marking -> congestion monitoring -> congestion management -> bandwidth guarantee

- Provides service quality assurance
- Improves customer satisfaction
- Maximizes resource utilization and improves service quality
Log Auditing

(Figure: extranet - firewall - intranet with a log server and the enterprise intranet users.)

- Collects all logs of traffic passing through the device
- Realizes high-speed log flow through the binary log format
- With the eLog software, the firewall provides users with a clear record of network access and analysis for reference.
Firewall Features 1

- Security zone: Trust, Untrust, DMZ, Local
- Packet filtering: IP packet filtering
- Session list and ASPF: session list keyed on the quintuple (5-tuple); server map list keyed on the triple
- Long connection: the corresponding data flow should not be aged out for a long time
- Fragment caching: caches fragment packets that reach the firewall earlier than the first fragment
- Attack defense: detects various types of network attacks
- Packet statistics: through packet statistics analysis the firewall realizes protection
- Blacklist: user IP addresses matching the blacklist are shielded
- MAC and IP address binding: avoids IP address fraud (spoofing) attacks on the intranet
- Port identification: allows users to define a group of new port numbers in addition to the well-known port numbers
Firewall Features 2

- Access Control List: the basis of packet filtering, NAT, IPSec, QoS, and policy-based routing
- Network Address Translation: slows down IP address space exhaustion; hides intranet private IP addresses
- Authentication and Authorization: RADIUS protocol, HWTACACS protocol
- Layer 2 Tunneling Protocol: adopts packet-switched network technology for information exchange, which extends the PPP model
- GRE VPN: Layer 3 tunneling protocol using tunnel technology
- IPSec VPN: privacy (confidentiality), integrity, authenticity, replay attack defense
- Load Balancing: uses the processing capacity of all servers for load balancing
- IP-CAR: IP connection limit, IP bandwidth limit
- P2P Traffic Limiting: limits P2P traffic to ensure normal operation of other services
- Logging: attack defense log, traffic monitoring log, blacklist log, information statistics
Firewall Performance Indicator: Throughput

- Throughput: the maximum traffic load that the firewall can process per unit time.
- Effective throughput: the actual transmission rate per second, excluding data retransmitted because of TCP packet drops.
Firewall Performance Indicator: Latency

- Definition: the time interval from the last bit of a packet entering the firewall to the first bit leaving the firewall; it measures the speed at which the firewall processes data.

(Figure: test setup with a Smartbits 6000B traffic generator measuring packet arrival latency; packets can be forwarded only after being inspected in the queue.)
Firewall Performance Indicator: New Connections per Second

- Definition: the number of new complete TCP connections established through the firewall per second.
- This indicator measures the real-time data flow processing capacity of the firewall.
Firewall Performance Indicator: Concurrent Connections

- Definition: a firewall processes packets based on connections; the number of concurrent connections is the maximum number of connections that can be accommodated at the same time. One connection is one TCP/UDP access attempt.
- This indicator measures the maximum number of connections that can be established between hosts and servers through the firewall at the same time.
VRP Platform

1. Implements a unified user interface and management interface, defines interface specifications, and realizes the interaction between the forwarding plane and the VRP control plane of each product.
2. Implements the platform control plane function, including the real-time operating system kernel, the IP software forwarding engine, route processing, and the configuration management platform.
3. Implements the network interface layer and shields the differences between the link layer and the network layer of each product.
VRP Command Line Classification

- Visit level: network diagnostic tool commands (ping and tracert) and commands for accessing external devices from the local device (Telnet client, SSH, and Rlogin). Users at this level are not allowed to save the configuration file.
- Monitoring level: used for system maintenance and service failure diagnosis; includes the display and debugging commands. Users at this level are not allowed to save the configuration file.
- Configuration level: service configuration commands, for example routing commands and the commands of each network layer, which provide direct network services for users.
- Management level: commands related to basic system operation, including the commands used by the system to support its modules. These commands provide support for services.
VRP Command View

- The system divides the command line interface into multiple command views. Every command of the system is registered under a certain command view, and a command can be run only in its corresponding view.
- Command view classification:
  - User view: <USG>
  - System view: [USG]
  - Interface view: [USG-Ethernet0/0/1]
  - Protocol view: [USG-rip]
  - ...
VRP Online Help

 Type a command followed by "?", separated by a space. If a keyword is expected in this location, all keywords and a brief description are displayed.
<USG 5000> display ?
 Type a command followed by "?", separated by a space. If a parameter is expected in this location, the description of the parameter is displayed.
[USG 5000] interface ethernet ?
<3-3> Slot number
 Type a character string followed by "?": all commands beginning with this character string are displayed.
<USG 5000> d?
debugging delete dir display

VRP Online Help

 Type the first few characters of a keyword of the command and then press Tab. The complete keyword is displayed.
 When the pause menu is displayed, press Ctrl+C to stop the display and the command execution.
 When the pause menu is displayed, press Space to display the information of the next screen.
 When the pause menu is displayed, press Enter to display the information of the next line.

Basic Configuration Thinking of Firewall

Configuration flow:
1. Interface mode: Layer-3 interface (IP address, based on the network interface address requirements) or Layer-2 interface.
2. Adding the interface into the security zone.
3. Interzone packet filtering relationship configuration.
4. Routing configuration.
5. NAT configuration: interzone NAT configuration, or NAT is not required.
6. Packet forwarding.

Interface Mode Configuration

 Step 1 Run the system-view command to enter the system view.
 Step 2 Run the interface interface-type interface-number command.
 Step 3.1 Run the ip address ip-address { mask | mask-length } command to configure a Layer-3 Ethernet interface.
 Step 3.2 Run the portswitch command to configure a Layer-2 Ethernet interface.

Security Zone Configuration

 Step 1 Run the system-view command to enter the system view.
 Step 2 Run the firewall zone [ vpn-instance vpn-instance-name ] [ name ] zone-name command to create the security zone and enter the corresponding security zone view.
   If the security zone exists: configure the keyword; no name is required; the security zone view is entered directly.
   If the security zone does not exist: configure the keyword; no name is required; the security zone view is entered.
 Step 3 Run the set priority security-priority command to configure the security level of the security zone.

Adding Interface into the Security Zone

 Step 1 Run the system-view command to enter the system view.
 Step 2 Run the firewall zone [ vpn-instance vpn-instance-name ] [ name ] zone-name command to create the security zone and enter the corresponding security zone view.
 Step 3 Run the add interface interface-type interface-number command to add the interface into the security zone.

Configuration of Default Interzone Packet-Filtering Rules

 Step 1 Run the system-view command to enter the system view.
 Step 2 Run the firewall packet-filter default { permit | deny } { { all | interzone zone1 zone2 } [ direction { inbound | outbound } ] } command to configure the default interzone packet filtering rules.

Do zone1 and zone2 have to follow a sequence?
No, because the inbound and outbound directions are related only to the security zone priority.

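The zone, interface and default-rule commands of the preceding slides, and the answer to the zone1/zone2 question, can be checked with the following model. It is an added example, not code from Huawei or from the course: zone names, the priority values given to set priority, and the interface names are constructed, and an interface that is not yet in any zone is treated as having no interzone forwarding (an assumption of the example).

```python
"""Security zones, interface membership and interzone direction.

Added example (not code from Huawei or the course): it models what the
firewall zone / set priority / add interface / firewall packet-filter default
commands configure, so that the "zone1 or zone2 sequence" question can be
checked. Zone names, priority values and interface names are constructed.
"""


class ZoneTable:
    def __init__(self):
        self.priority = {}        # zone name -> value given to 'set priority'
        self.members = {}         # interface name -> zone name
        self.default_rule = {}    # (unordered zone pair, direction) -> 'permit' | 'deny'

    def firewall_zone(self, name, priority):
        """firewall zone name <name> followed by set priority <priority>."""
        self.priority[name] = priority

    def add_interface(self, zone, ifname):
        """add interface <ifname> in the zone view; an interface belongs to one zone."""
        self.members[ifname] = zone

    def direction(self, src_zone, dst_zone):
        """Outbound goes from the higher-priority zone to the lower one, so the
        direction depends only on the priorities, never on which zone was named
        first in the command."""
        if self.priority[src_zone] == self.priority[dst_zone]:
            raise ValueError("zones with equal priority form no interzone")
        return "outbound" if self.priority[src_zone] > self.priority[dst_zone] else "inbound"

    def packet_filter_default(self, action, zone1, zone2, direction=None):
        """firewall packet-filter default { permit | deny } interzone zone1 zone2
        [ direction { inbound | outbound } ]; without 'direction' both apply."""
        pair = frozenset((zone1, zone2))
        for d in ([direction] if direction else ("inbound", "outbound")):
            self.default_rule[(pair, d)] = action

    def default_action(self, in_ifname, out_ifname):
        """Default rule applied to a flow entering on in_ifname and leaving on out_ifname."""
        src, dst = self.members.get(in_ifname), self.members.get(out_ifname)
        if src is None or dst is None:
            return "deny"   # assumption of the example: no zone, no interzone forwarding
        if src == dst:
            raise ValueError("intrazone traffic is not an interzone case")
        d = self.direction(src, dst)
        # An interzone with no configured default rule denies (default rule is prohibit).
        return self.default_rule.get((frozenset((src, dst)), d), "deny")


def demo():
    zones = ZoneTable()
    zones.firewall_zone("trust", 85)      # constructed priorities
    zones.firewall_zone("untrust", 5)
    zones.add_interface("trust", "GigabitEthernet0/0/1")
    zones.add_interface("untrust", "GigabitEthernet0/0/2")
    # Naming the zones as 'untrust trust' describes the same interzone as 'trust untrust'.
    zones.packet_filter_default("permit", "untrust", "trust", "outbound")
    return (zones.default_action("GigabitEthernet0/0/1", "GigabitEthernet0/0/2"),
            zones.default_action("GigabitEthernet0/0/2", "GigabitEthernet0/0/1"))


if __name__ == "__main__":
    print(demo())
```

The demo permits only the outbound direction (trust to untrust); the reply direction still falls under the default deny, which is what makes the direction keyword, not the zone order, the thing to get right.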
Route Configuration

 Perform the following operation when configuring a static route:
 Step 1 Run the system-view command to enter the system view.
 Step 2 Run the ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-ip-address } [ preference value ] [ reject | blackhole ] command to add a static route.
 Perform the following operation when configuring the default route:
 Step 1 Run the system-view command to enter the system view.
 Step 2 Run the ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-ip-address } [ preference value ] [ reject | blackhole ] command to configure the default route.

AAA Configuration

The configuration method for adding a user to the firewall in the AAA view is as follows:
 Step 1 Run the aaa command to enter the AAA view.
 Step 2 Run the local-user user-name password { simple | cipher } password command to create the user and set the password.

FTP Configuration

If the firewall is configured as the FTP server, the configuration method is as follows:
 Step 1 Run the system-view command to enter the system view and complete the basic firewall configuration.
 Step 2 Run the ftp server enable command to enable the FTP server.
 Step 3 Refer to section "AAA Configuration" and create the FTP user.
 Step 4 Run the local-user user-name ftp-directory ftp-directory command to configure the user's access directory. Only when the username, password, and access directory are all configured can the FTP client log in and access files on the firewall. The system can be accessed by multiple users at the same time.
 Step 5 Run the local-user user-name level { 1 | 2 | 3 } command to configure the user's access level.

Telnet Configuration

 Step 1 Run the system-view command to enter the system view.
 Step 2 Run the user-interface [ user-interface-type ] user-interface-number [ ending-user-interface-number ] command to enter the user interface view.
 Step 3 Run the idle-timeout minutes [ seconds ] command to allow the Telnet connection to be ended after a fixed idle time. To prevent an illegitimate intrusion through an authorized user's session, the connection with the user is disconnected if no input is received from the terminal user within a period of time. By default, the terminal user is disconnected after 10 minutes.
 Note: Refer to section "AAA Configuration" to add the Telnet user.

Telnet Configuration

Telnet authentication modes: no authentication, password authentication, and AAA authentication.

 Step 4 Run the authentication-mode { aaa | none | password | local user username password password } command to set the authentication mode used when logging in to the user interface. By default, password authentication is the authentication method.
 Step 5 Run the set authentication password { simple | cipher } password command to set the password for local authentication. This command needs to be configured when password authentication is the authentication method (optional).
 Step 6 Run the user privilege level level command to configure the command level that can be accessed by a user who logs in to the system from the current user interface. The default level is 0 (optional). (When the authentication-mode is set to aaa, this step does not need to be configured.)

Web Management Configuration

 Step 1 Run the system-view command to enter the system view.
 Step 2 Run the web-manager [ security ] enable [ port port-number ] command to enable the Web management function.
 Step 3 Refer to section "AAA Configuration" to add the Web management user.
 Step 4 Run the local-user user-name service-type web command to configure the user's service type as Web.
 Step 5 Run the local-user user-name level 3 command to configure the user's level. The Web user's level must be set to level 3 (the highest level).

Other Basic Configurations

 Users can modify the current firewall configuration by using the command line interface. To make this current configuration the initial configuration of the firewall at the next power-on, run the save command to save the current configuration to the default storage device and form the configuration file.
 In the user view, run the reset saved-configuration command to erase the configuration file. After the configuration file is erased, the firewall initializes with the default configuration parameters at the next power-on.
 In the user view, run the reboot command. The firewall is restarted and this restart action is logged.
 Run the startup system-software sysfile command to configure the system software file name for the next startup.

Summary

 Definition and classification of firewalls
 Main features and technologies of firewalls
 Data forwarding process and basic firewall configurations

Questions

 What is the difference between the stateful inspection firewall and the packet-filtering firewall?
 Why does V100R005 have no firewall working mode configuration? What does it use to differentiate the modes?
 What is the relationship between the security zone and the interface?
 What is the difference between inbound and outbound in the interzone packet filtering policies?
 After the IP-link reliability technology is integrated with static routing and dual-system hot backup, what are the advantages?

Answer

Thank you
www.huawei.com

Chapter 3 Firewall Packet Filtering Technology
www.huawei.com

Objectives

 Upon completion of this course, you will be able to:
 ACL principles
 ACL functions and classification
 Application scenarios and configurations of interface-based packet filtering
 Application scenarios and configurations of interzone packet filtering

Contents

1. ACL Overview
2. Interface-based Packet Filtering
3. Interzone Packet Filtering
4. Application Analysis of Packet Filtering

Overview of IP Packet Filtering Technology

 For the packets to be forwarded, the firewall reads and examines the packet header and compares the header information against the defined rules to determine whether to permit the packets or not. Based on this comparison, the firewall decides whether to forward or discard the packet. The key packet filtering technology is the ACL.

[Figure: the intranet (H.Q. and a regional office) is connected through the firewall to the Internet, where an unauthorized user is located.]

ACL Definition

 The TCP/IP packet format is shown in the following figure. In this figure, the upper-layer protocol is TCP/UDP.

[Figure: MAC packet header | IP packet header | TCP/UDP packet header | Data]
 IP packet header: protocol number, source address, destination address.
 TCP/UDP packet header: source port, destination port.
 For TCP/UDP packets, these five elements constitute a quintuple, and the ACL is defined according to this information.

ACL Principles

[Figure: the inbound data flow (packets A and B) is checked against the ACL on the firewall; only packets A continue in the outbound data flow.]
 Step 1: The inbound data flow arrives at the firewall.
 Step 2: The firewall searches the ACL and determines whether to allow the next operation: packets A are allowed to carry out subsequent operations, subsequent operations of packets B are denied, and other packets get the default policy operation.
 Step 3: The firewall processes the packets according to the ACL.
 ACL functions: filter the flows that pass through the firewall based on the defined rules. The keyword (permit or deny) determines the next step for the filtered flows.

Packet Filtering Classification

 Interface packet filtering: applied on an interface (for example, G0/0/0 or G0/0/1) in the inbound or outbound direction.
 Interzone packet filtering: applied between security zones (for example, the Trust zone and the Untrust zone) in the outbound or inbound direction.

Overview of Interface-based Packet Filtering

Application interface / Filtered object / Packet filtering mode:
 Common interface / IP packet / Interface-based packet filtering
 Common interface / Ethernet frame / MAC address-based packet filtering
 Interface on a special interface card / IP packet and Ethernet frame / Hardware packet filtering
Scenario: the interfaces have not been added to a security zone.

ACL Classification

 ACLs are identified by numbers.
 ACL types are identified by number ranges.
ACL type / Number range:
 Basic ACL: 2000-2999
 Advanced ACL: 3000-3999
 MAC-based ACL: 4000-4999
 Hardware packet filtering ACL: 9000-9499

Basic ACL

 The basic ACL uses only source addresses to describe data, indicating whether to perform the next operation.

[Figure: packets from IP address 202.110.10.0/24 can pass through the firewall; packets from IP address 192.110.10.0/24 cannot pass through the firewall.]

Basic ACL Configuration

 Access the system view:
acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
 Create a basic ACL and enter the ACL view:
rule [ rule-id ] { permit | deny } [ source { source-address source-wildcard | any | address-set address-set-name } | time-range time-name | logging ]
 Apply the basic ACL in the interface view:
firewall packet-filter acl-number { inbound | outbound }

How do you use an IP address and a wildcard mask to indicate a network segment?

How to Use the Wildcard Mask

 The wildcard mask format is similar to the subnet mask format, but the two have different meanings.
 0: indicates that the corresponding bit in the IP address is compared.
 1: indicates that the corresponding bit in the IP address is not compared.
 The wildcard mask is used together with the IP address to describe an address range.
 0.0.0.255: compares the first 24 bits only.
 0.0.3.255: compares the first 22 bits only.
 0.255.255.255: compares the first 8 bits only.

What is the function of wildcard mask 0.255.0.255?

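The bit rule above, carried through in code as an added example (not code from the course): matches() applies a wildcard the way an ACL rule does, and describe() reproduces the three table entries and answers the 0.255.0.255 question, which is a non-contiguous mask that compares the first and third octets only. The sample addresses are constructed.

```python
"""Wildcard mask semantics of VRP ACL rules.

Added example, not code from the course: a 0 bit in the wildcard mask means
the corresponding address bit is compared, a 1 bit means it is ignored.
The three masks from the slide and the 0.255.0.255 question are checked
in demo(); the sample addresses are constructed.
"""
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(address, rule_address, wildcard):
    """True when address agrees with rule_address on every bit the wildcard compares."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF        # 1 where the wildcard bit is 0
    return (_to_int(address) & care) == (_to_int(rule_address) & care)


def compared_bits(wildcard):
    """Bit positions (0 = most significant) that the wildcard compares."""
    w = _to_int(wildcard)
    return [i for i in range(32) if not (w >> (31 - i)) & 1]


def describe(wildcard):
    """Plain-language meaning of a wildcard, in the style of the slide's table."""
    bits = compared_bits(wildcard)
    if bits == list(range(len(bits))):          # contiguous prefix, e.g. 0.0.3.255
        return f"compares the first {len(bits)} bits only"
    octets = sorted({b // 8 + 1 for b in bits})  # non-contiguous, e.g. 0.255.0.255
    return "compares octets " + " and ".join(str(o) for o in octets) + " only"


def demo():
    return {
        "0.0.0.255": describe("0.0.0.255"),
        "0.0.3.255": describe("0.0.3.255"),
        "0.255.255.255": describe("0.255.255.255"),
        "0.255.0.255": describe("0.255.0.255"),
        # 0.255.0.255 keeps the 1st and 3rd octets: 10.x.2.x matches rule address 10.0.2.0
        "10.7.2.99 in 10.0.2.0 0.255.0.255": matches("10.7.2.99", "10.0.2.0", "0.255.0.255"),
        "10.7.3.99 in 10.0.2.0 0.255.0.255": matches("10.7.3.99", "10.0.2.0", "0.255.0.255"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

A wildcard is therefore not an inverted subnet mask in general: any bit pattern is legal, which is why a rule written with 0.255.0.255 matches every address whose first and third octets agree with the rule address, regardless of the other two.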
Time Range-Based ACL

time-range work-policy1 08:00 to 18:00 working-day
time-range work-policy2 from 08:00 2009/01/01 to 18:00 2009/12/31
rule permit ip source 192.168.11.0 0.0.0.255 time-range work-policy1
rule permit ip source 192.168.12.0 0.0.0.255 time-range work-policy2

[Figure: the Trust zone networks 192.168.12.0/24 and 192.168.11.0/24 reach the DMZ server group 172.16.0.0/16 through the firewall; the Untrust zone is on the far side; the current time is 2009/07/15 14:15.]

Meanings of Time Range Operators

Operator and syntax / Meaning:
 HH:MM: from xx time to xx time
 YYYY/MM/DD: from xx date to xx date
 Mon/Tue/Wed/Thu/Fri/Sat/Sun: Monday/Tuesday/Wednesday/Thursday/Friday/Saturday/Sunday
 Daily: every day in a week
 Off days: off days (Saturday and Sunday)
 Working days: working days (Monday to Friday)

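The two time-range lines from the "Time Range-Based ACL" slide and the operator table above, evaluated against a clock, as an added example that is not code from the course. It parses the periodic form (HH:MM to HH:MM plus day keywords) and the absolute form (from ... to ...) and reports which of the slide's two permit rules are in effect at the slide's time of 2009/07/15 14:15, a Wednesday. The keyword spellings working-day, off-day and daily are assumed from the table.

```python
"""Evaluating VRP time-range definitions against a clock.

Added example, not code from the course: it parses the two time-range lines
from the "Time Range-Based ACL" slide (a periodic range with a day keyword and
an absolute from/to range) and reports which ACL rules are active at a given
time. The keyword spellings 'working-day', 'off-day' and 'daily' are assumed
from the slide's operator table.
"""
from datetime import datetime

DAY_KEYWORDS = {
    "mon": {0}, "tue": {1}, "wed": {2}, "thu": {3}, "fri": {4}, "sat": {5}, "sun": {6},
    "daily": set(range(7)),            # every day in a week
    "working-day": set(range(5)),      # Monday to Friday
    "off-day": {5, 6},                 # Saturday and Sunday
}


def parse_time_range(line):
    """Return (name, spec) for 'time-range NAME HH:MM to HH:MM day...' or
    'time-range NAME from HH:MM YYYY/MM/DD to HH:MM YYYY/MM/DD'."""
    tok = line.split()
    if tok[0] != "time-range":
        raise ValueError(line)
    name = tok[1]
    if tok[2] == "from":                                   # absolute range
        start = datetime.strptime(f"{tok[3]} {tok[4]}", "%H:%M %Y/%m/%d")
        end = datetime.strptime(f"{tok[6]} {tok[7]}", "%H:%M %Y/%m/%d")
        return name, ("absolute", start, end)
    start = datetime.strptime(tok[2], "%H:%M").time()       # periodic range
    end = datetime.strptime(tok[4], "%H:%M").time()
    days = set()
    for kw in tok[5:]:
        days |= DAY_KEYWORDS[kw.lower()]
    return name, ("periodic", start, end, days)


def is_active(spec, now):
    """True when the clock 'now' falls inside the parsed time range."""
    if spec[0] == "absolute":
        return spec[1] <= now <= spec[2]
    _, start, end, days = spec
    return now.weekday() in days and start <= now.time() <= end


# Configuration lines taken from the slide.
TIME_RANGES = dict(parse_time_range(line) for line in [
    "time-range work-policy1 08:00 to 18:00 working-day",
    "time-range work-policy2 from 08:00 2009/01/01 to 18:00 2009/12/31",
])
RULES = [  # (source network, time-range name), the two 'rule permit' lines on the slide
    ("192.168.11.0 0.0.0.255", "work-policy1"),
    ("192.168.12.0 0.0.0.255", "work-policy2"),
]


def permitted_sources(now):
    """Sources whose 'rule permit ... time-range' is in effect at 'now'."""
    return [src for src, tr in RULES if is_active(TIME_RANGES[tr], now)]


def permitted_sources_at(clock):
    """Same, with the clock given as 'YYYY/MM/DD HH:MM' as displayed on the slide."""
    return permitted_sources(datetime.strptime(clock, "%Y/%m/%d %H:%M"))


if __name__ == "__main__":
    print(permitted_sources_at("2009/07/15 14:15"))
```

At the slide's time both rules are active; on a Saturday only the absolute range (work-policy2) still permits, and after 2009/12/31 18:00 only the periodic one does, which is the practical difference between the two operator forms.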
Advanced ACL

 The advanced ACL uses more information besides the source address to define a packet, indicating whether to carry out the next step.

[Figure: packets from IP address 202.110.10.0/24 to IP address 179.100.17.10 that use TCP and access resources by using HTTP can pass through the firewall.]

Which information is detected by the firewall based on status detection?

Advanced ACL Configuration Commands

 In the system view:
acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
 Create an advanced ACL and enter the ACL view:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any | address-set address-set-name } | destination-port { operator port1 [ port2 ] | port-set port-set-name } | precedence precedence | source { source-address source-wildcard | any | address-set address-set-name } | source-port { operator port1 [ port2 ] | port-set port-set-name } | time-range time-name | tos tos | icmp-type icmp-type icmp-code | logging ]
 Apply the advanced ACL in the interface view:
firewall packet-filter acl-number { inbound | outbound }

Meanings of Port Number Operators in the Advanced ACL

Operator and syntax / Meaning:
 equal portnumber: equal to the port number
 greater-than portnumber: greater than the port number
 less-than portnumber: smaller than the port number
 not-equal portnumber: not equal to the port number
 range portnumber1 portnumber2: between port number 1 and port number 2

Functions of Address Set and Service Set

Address set:
ip address-set guest type object
 address 0 192.168.12.0 0.0.0.15
 address 1 192.168.15.0 0.0.0.63
 address 2 192.168.30.0 0.0.0.127
ip address-set ERP type object
 address 0 10.10.0.0 0.0.0.127
 address 1 10.16.15.0 0.0.0.255
 address 2 10.100.10.0 0.0.0.255

Service set:
ip service-set Internet type object
 service protocol tcp destination-port 80
 service protocol tcp destination-port 8080
 service protocol tcp destination-port 8443
 service protocol udp destination-port 53
ip service-set ERP type object
 service protocol tcp destination-port 21
 service protocol tcp destination-port 80
 service protocol tcp destination-port 1521
 service protocol tcp destination-port 8443

Advanced ACL Examples

 rule deny ip source address-set guest destination address-set erp
 rule permit tcp source address-set guest destination any destination-port service-set Internet

[Figure: IP packets from 10.1.0.0/16]

 rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port equal www

[Figure: TCP packets to the WWW port, from 129.9.0.0/16 to 202.38.160.0/24]

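How these three rules decide a packet, with the address sets and service sets of the "Functions of Address Set and Service Set" slide and the port operators of the operator table, as an added example that is not code from the course. The rules are encoded as Python dicts rather than parsed from the CLI; matching is first rule wins, a rule with protocol ip covers every protocol, and a packet matching no rule returns None (the sample packets are constructed).

```python
"""Advanced ACL evaluation with address sets, service sets and port operators.

Added example, not code from the course: the sets are those from the
"Functions of Address Set and Service Set" slide and the three rules are the
ones on this slide, encoded as Python dicts rather than parsed from the CLI.
First matching rule wins; a packet matching no rule returns None. The sample
packets in demo() are constructed.
"""
import ipaddress

ADDRESS_SETS = {   # ip address-set ... type object: (address, wildcard)
    "guest": [("192.168.12.0", "0.0.0.15"), ("192.168.15.0", "0.0.0.63"),
              ("192.168.30.0", "0.0.0.127")],
    "erp": [("10.10.0.0", "0.0.0.127"), ("10.16.15.0", "0.0.0.255"),
            ("10.100.10.0", "0.0.0.255")],
}
SERVICE_SETS = {   # ip service-set ... type object: (protocol, destination-port)
    "internet": [("tcp", 80), ("tcp", 8080), ("tcp", 8443), ("udp", 53)],
    "erp": [("tcp", 21), ("tcp", 80), ("tcp", 1521), ("tcp", 8443)],
}
WELL_KNOWN = {"www": 80, "ftp": 21, "dns": 53}   # port names accepted by the operators
PORT_OPERATORS = {
    "equal": lambda p, a, b=None: p == a,
    "greater-than": lambda p, a, b=None: p > a,
    "less-than": lambda p, a, b=None: p < a,
    "not-equal": lambda p, a, b=None: p != a,
    "range": lambda p, a, b: a <= p <= b,
}

ACL = [   # the three rules on the slide, in configuration order
    {"action": "deny", "protocol": "ip",
     "source": ("address-set", "guest"), "destination": ("address-set", "erp")},
    {"action": "permit", "protocol": "tcp",
     "source": ("address-set", "guest"), "destination": "any",
     "destination-port": ("service-set", "internet")},
    {"action": "deny", "protocol": "tcp",
     "source": ("129.9.0.0", "0.0.255.255"), "destination": ("202.38.160.0", "0.0.0.255"),
     "destination-port": ("equal", "www")},
]


def wildcard_match(addr, rule_addr, wildcard):
    """VRP wildcard: a 0 bit is compared, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


def address_match(spec, addr):
    """spec is 'any', ('address-set', name) or (rule address, wildcard)."""
    if spec == "any":
        return True
    if spec[0] == "address-set":
        return any(wildcard_match(addr, a, w) for a, w in ADDRESS_SETS[spec[1]])
    return wildcard_match(addr, *spec)


def port_match(spec, proto, port):
    """spec is None, ('service-set', name) or (operator, port[, port2])."""
    if spec is None:                       # rule does not look at the port
        return True
    if spec[0] == "service-set":
        return (proto, port) in SERVICE_SETS[spec[1]]
    op, *args = spec
    return PORT_OPERATORS[op](port, *[WELL_KNOWN.get(a, a) for a in args])


def evaluate(acl, proto, src, dst, dport):
    """Return 'permit', 'deny' or None following first-match order."""
    for rule in acl:
        if rule["protocol"] not in ("ip", proto):          # 'ip' covers every protocol
            continue
        if not address_match(rule.get("source", "any"), src):
            continue
        if not address_match(rule.get("destination", "any"), dst):
            continue
        if not port_match(rule.get("destination-port"), proto, dport):
            continue
        return rule["action"]
    return None


def demo():
    return [
        evaluate(ACL, "tcp", "192.168.12.5", "10.10.0.100", 80),      # guest -> ERP: deny
        evaluate(ACL, "tcp", "192.168.15.20", "203.0.113.9", 8080),   # guest -> Internet: permit
        evaluate(ACL, "tcp", "129.9.1.1", "202.38.160.9", 80),        # www into 202.38.160.0/24: deny
        evaluate(ACL, "tcp", "129.9.1.1", "202.38.160.9", 443),       # no rule matches: None
    ]


if __name__ == "__main__":
    print(demo())
```

Note that the first packet in demo() would also satisfy the permit rule (port 80 is in the Internet service set), but the deny rule precedes it; rule order, not rule specificity, decides in config match order.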
MAC Address-Based ACL

 The MAC address-based ACL defines data flows according to the source MAC address, destination MAC address, and type fields in the Ethernet frame header, to control Layer-2 data frames.

[Figure: packets to destination MAC B-B-B can pass through the firewall; packets from source MAC A-A-A cannot pass through the firewall.]

MAC Address-Based ACL Configuration

 Access the system view:
acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
 Create a MAC address-based ACL and enter the ACL view:
rule [ rule-id ] { permit | deny } { type { type-code | type-name } | cos { cos-code | cos-name } } [ source-mac source-address source-mac-wildcard ] [ dest-mac destination-address destination-mac-wildcard ]
 Apply the MAC address-based ACL in the interface view:
firewall ethernet-frame-filter acl-number inbound

Hardware Packet Filtering ACL

 It performs packet filtering in hardware. Traffic can be matched based on the source MAC address, destination MAC address, source IP address, destination IP address, and protocol.

[Figure: an interface on the firewall that supports hardware packet filtering matches the source MAC address, destination MAC address, source IP address, destination IP address, IP protocol, source port, and destination port.]

Hardware ACL Configuration

 Access the system view:
acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
 Create a hardware ACL and enter the ACL view:
rule [ rule-id ] { permit | deny } { source-mac source-mac-address source-mac-wildcard | destination-mac destination-mac-address destination-mac-wildcard | source-ip source-ip-address source-wildcard | destination-ip destination-ip-address destination-wildcard | protocol { icmp [ icmp-type { icmp-type icmp-code | icmp-message } ] | { tcp | udp } [ source-port { port | protocol-name } ] [ destination-port { port | protocol-name } ] | ip | igmp | gre | ospf | ipinip } | ethernet-type { type-code | type-name } | cos { cos-code | cos-name } }
 Apply the hardware ACL in the interface view:
hardware-filter acl-number inbound

Matching Mode and Step Configuration

 Access the system view:
 acl [ number ] acl-number [ vpn-instance vpn-instance-name ] [ match-order { auto | config } ]
 Set the ACL step:
 step step

Acceleration and Counter Functions

 ACL acceleration function: it enhances the ACL search performance significantly.
 ACL counter:
acl 2001
 rule 0 permit source 10.32.255.0 0.0.0.255
 rule 10 permit source 192.168.10.0 0.0.0.255

display acl 2001
17:18:07 2009/07/21
Acl's step is 5
Basic ACL 2001, 2 rules, not binding with vpn-instance
 rule 0 permit source 10.32.255.0 0.0.0.255 (27 times matched)
 rule 10 permit source 192.168.10.0 0.0.0.255 (1 times matched)

Overview of Interzone Packet Filtering Technology

[Figure: a client in the Trust zone accesses a server in the Untrust zone through the firewall.]
 For the first packet: search the routing table, then, based on the zone and direction of the interface, search for the interzone packet filtering rule that the packet hits:
 Policy0: allows packets with the source address 192.168.168.0 through.
 Policy1: denies packets with the source IP address 192.168.100.0.
 ……
 The default interzone packet filtering rule is to prohibit.
 If it is not the first packet, search the session table.

Interzone Packet Filtering Application

[Figure: Trust zone, firewall, Untrust zone. Permit packets from the Trust zone to the Untrust zone; deny packets from the Untrust zone to the Trust zone.]
policy interzone trust untrust outbound
 policy 0
  action permit
  policy source 192.168.168.0 0.255.0.255
  policy service service-set { service-set-name }

Policy Priority

Address-set: address set. Service-set: port set.

policy 0                                     policy 1
 action deny                                  action permit
 policy source address-set guest              policy source address-set guest
 policy destination address-set intranet      policy destination address-set Internet
 policy service service-set intranet          policy service service-set Internet

policy 1                                     policy 0
 action deny                                  action permit
 policy source address-set guest              policy source address-set guest
 policy destination address-set intranet      policy destination address-set Internet
 policy service service-set intranet          policy service service-set Internet

Multi-Channel Protocol Technology

 Single-channel protocol: it uses only one port during communication. For example, WWW occupies port 80 only.
 Multi-channel protocol: it uses two or more ports during communication. In passive FTP mode, the protocol uses port 21 and a random port.

How can a pure packet filtering method define, at port level, the ports used by a multi-channel protocol?
A pure packet filtering method cannot define data flows for protocols that use a randomly negotiated port.

ASPF Overview

 Application specific packet filter (ASPF) is an advanced filtering technology that checks protocol information at the application layer and monitors the status of the application layer protocol of connections. For all connections, ASPF maintains the connection status information and uses it to dynamically determine whether packets can pass through the firewall or should be discarded.
 Monitor packets during communication.
 Dynamically create and delete filtering rules.
 Diversified ASPF functions guarantee service security.

ASPF Supporting Multi-Channel Protocols

 ASPF applies to packet filtering at the application layer.

[Figure: host 10.0.0.1 opens a control channel to FTP server 20.0.0.1; the server announces "I use port 4952 to establish a data channel with you", and the data channel is then opened to that port.]

Session table
FTP:10.0.0.1:4927 --> 20.0.0.1:21
FTP:10.0.0.1:4926 --> 20.0.0.1:4952

ServerMap table
--------------------------------------------------------------------------------------------------------------------
Inside-Address :Port Global-Address :Port Pro AppType TTL Left
--------------------------------------------------------------------------------------------------------------------
20.0.0.1 : 4952 --- tcp FTP DATA 00:01:00 00:00:47

Port Identification Supporting Multi-Channel Protocol

 Port identification is used to map a non-standard protocol port to an identifiable application protocol port.

[Figure: host 10.0.0.1 opens a control channel to FTP server 20.0.0.1:31 and then a data channel. The firewall asks: which application protocol is used by port 31, and what should I do if I don't know it?]

 Configure the basic ACL (ACL 2000-2099): rule permit source server-IP-address wildcard, where the source is the server that uses the non-standard protocol port.
 Configure port identification (or port mapping):
port-mapping protocol-name port port-number acl acl-number

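The two mechanisms of the last two slides working together, as an added example that is not code from Huawei or the course: port-mapping tells the inspector that TCP port 31 carries FTP, but only towards the servers permitted by ACL 2000, and ASPF then reads the passive-mode reply on the control channel and inserts a server-map entry for the negotiated data port (19*256+88 = 4952, the port on the slide), so the data channel is admitted without any static rule for it. The addresses and ports are those on the slides; the ACL 2000 rule and the wording of the 227 reply are constructed.

```python
"""ASPF and port identification for passive-mode FTP.

Added example, not code from the course: it models (1) the port-mapping
command telling the inspector that TCP port 31 on the servers permitted by
ACL 2000 carries FTP, and (2) ASPF reading the PASV reply on the control
channel and adding a server-map entry for the negotiated data port, so the
data channel is admitted without a static rule. Addresses and ports are
those on the slides; the ACL 2000 rule and the PASV reply text are constructed.
"""
import ipaddress
import re

STANDARD_PORTS = {21: "ftp"}
PASV_REPLY = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def wildcard_match(addr, rule_addr, wildcard):
    """VRP wildcard: a 0 bit is compared, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


class Inspector:
    def __init__(self):
        self.acls = {}            # acl-number -> [(source address, wildcard)] permitted
        self.port_mappings = []   # (protocol-name, port, acl-number)
        self.server_map = {}      # (address, port) -> application type

    def acl_rule_permit(self, number, address, wildcard):
        """rule permit source <address> <wildcard> in basic ACL <number>."""
        self.acls.setdefault(number, []).append((address, wildcard))

    def port_mapping(self, protocol_name, port, acl_number):
        """port-mapping protocol-name port port-number acl acl-number"""
        self.port_mappings.append((protocol_name, port, acl_number))

    def application(self, server, port):
        """Which application protocol a control connection to server:port carries."""
        for name, mapped_port, acl in self.port_mappings:
            if port == mapped_port and any(wildcard_match(server, a, w)
                                           for a, w in self.acls.get(acl, [])):
                return name
        return STANDARD_PORTS.get(port)   # otherwise only the standard port is recognised

    def inspect_control(self, server, port, reply):
        """ASPF: on an FTP control channel, learn the data port from a 227 reply."""
        if self.application(server, port) != "ftp":
            return None
        m = PASV_REPLY.match(reply)
        if not m:
            return None
        data_host = ".".join(m.group(i) for i in range(1, 5))
        data_port = int(m.group(5)) * 256 + int(m.group(6))
        self.server_map[(data_host, data_port)] = "FTP DATA"
        return data_host, data_port

    def data_channel_allowed(self, server, port):
        """A first packet to an address:port present in the server-map table is admitted."""
        return (server, port) in self.server_map


def demo():
    fw = Inspector()
    fw.acl_rule_permit(2000, "20.0.0.1", "0.0.0.0")   # constructed: the server in ACL 2000
    fw.port_mapping("ftp", 31, 2000)                   # port 31 is FTP only for that server
    learned = fw.inspect_control("20.0.0.1", 31, "227 Entering Passive Mode (20,0,0,1,19,88)")
    return learned, fw.data_channel_allowed("20.0.0.1", 4952), fw.data_channel_allowed("20.0.0.1", 4953)


if __name__ == "__main__":
    print(demo())
```

Binding the mapping to an ACL is what keeps port identification narrow: a 227 reply from any other host on port 31 is not inspected as FTP and opens nothing, as the test below checks.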
Fragment Cache and Long Connection Functions

 Fragment cache function:
 Configure the aging time of the fragment cache: firewall session aging-time fragment interval (1-40000)
 Disable direct forwarding of fragments: firewall fragment-forward disable
 Enable direct forwarding of fragments: firewall fragment-forward enable
 Long link:
 Configure the long link aging time: firewall long-link aging-time time
 Enable long link: firewall interzone zone-name1 zone-name2 long-link acl-number { inbound | outbound }


Contents

1. ACL Overview
2. Interface-based Packet Filtering
3. Interzone Packet Filtering
4. Application Analysis of Packet Filtering

Procedure of Firewall Packet Filtering

[Flowchart]
Inbound packet
  1. Search the blacklist: hit, discard the packet; not hit, go on.
  2. Search the session table: hit, update the session entry and send the packet outbound (search the routing table); not hit, go on.
  3. Search the routing table to match the interzone packet-filtering rule, then search for the interzone ACL:
     allow, send the packet outbound (search the routing table);
     deny a rule, discard the packet;
     not matched packets, go on.
  4. Search for the default interzone rules: allow, send the packet outbound; denied or not matched with the rule, discard the packet.
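The flow above, as an added Python model that is not part of the original course material: a small stateful filter that runs the blacklist, session-table, routing and interzone-policy lookups in the order the flowchart gives, and falls back to the default interzone rule when no rule matches. Zones and addresses follow the interface-based ACL example later in this chapter; the blacklisted host 202.39.2.9, the port numbers and the rule layout are constructed assumptions, and the routing table is a plain longest-prefix match.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    sport: int         # 0 for icmp
    dport: int         # 0 for icmp
    in_zone: str       # security zone of the interface the packet arrived on


@dataclass
class PolicyRule:
    action: str                                  # "permit" or "deny"
    source: str = "0.0.0.0/0"                    # source prefix the rule matches
    destination: str = "0.0.0.0/0"               # destination prefix the rule matches
    service: Optional[Tuple[str, int]] = None    # (proto, dport); None means any service

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.source, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.destination, strict=False):
            return False
        return self.service is None or self.service == (pkt.proto, pkt.dport)


@dataclass
class Firewall:
    routes: Dict[str, str]                        # prefix -> zone of the egress interface
    blacklist: set = field(default_factory=set)   # source addresses dropped outright
    policies: Dict[Tuple[str, str], List[PolicyRule]] = field(default_factory=dict)
    default_permit: bool = False                  # the default interzone rule
    sessions: Dict[tuple, int] = field(default_factory=dict)   # 5-tuple -> packets seen

    def egress_zone(self, dst: str) -> Optional[str]:
        """Longest-prefix match in the routing table; returns the zone the packet leaves by."""
        best = None
        for prefix, zone in self.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, zone)
        return best[1] if best else None

    def forward(self, pkt: Packet) -> str:
        # Step 1: blacklist lookup.
        if pkt.src in self.blacklist:
            return "discard: blacklist hit"
        # Step 2: session table lookup, in both directions of the 5-tuple.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for k in (key, reverse):
            if k in self.sessions:
                self.sessions[k] += 1          # update the session entry, no policy check
                return "forward: session hit"
        # Step 3: the routing table decides the destination zone, hence which interzone applies.
        out_zone = self.egress_zone(pkt.dst)
        if out_zone is None:
            return "discard: no route"
        # Step 4: interzone packet-filtering rules (the interzone ACL), first match wins.
        for rule in self.policies.get((pkt.in_zone, out_zone), []):
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.sessions[key] = 1     # the first packet creates the session
                    return "forward: policy permit"
                return "discard: policy deny"
        # Step 5: nothing matched, so the default interzone rule decides.
        if self.default_permit:
            self.sessions[key] = 1
            return "forward: default permit"
        return "discard: default deny"


def build_demo_firewall() -> Firewall:
    """Zones and addresses follow the interface-based ACL example later in this chapter.
    The blacklisted host 202.39.2.9 is a constructed value."""
    fw = Firewall(routes={"192.168.1.0/24": "trust", "0.0.0.0/0": "untrust"})
    fw.blacklist.add("202.39.2.9")
    fw.policies[("trust", "untrust")] = [
        PolicyRule("permit", source="192.168.1.4/32"),        # objective 1
        PolicyRule("permit", service=("icmp", 0)),            # objective 3: ping
    ]
    fw.policies[("untrust", "trust")] = [
        PolicyRule("permit", "202.39.2.3/32", f"192.168.1.{n}/32") for n in (1, 2, 3)   # objective 2
    ] + [PolicyRule("permit", service=("icmp", 0))]
    return fw


if __name__ == "__main__":
    fw = build_demo_firewall()
    print(fw.forward(Packet("192.168.1.4", "202.39.2.3", "tcp", 40000, 80, "trust")))
    print(fw.forward(Packet("202.39.2.3", "192.168.1.4", "tcp", 80, 40000, "untrust")))
```

The reply packet in the usage above is forwarded on the session hit alone: once the first packet has passed the interzone ACL, no policy is consulted for the rest of the flow, which is the link between packet filtering, the status inspection mechanism and the session table that the chapter's questions ask about.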

Analysis of ACL Application Scenarios

[Figure: Internet zone; Trust zone with 192.168.150.1/24 and 192.168.100.1/24; DMZ with 192.168.168.1/24]

 Application scenarios
  ACL in the zone
  Application of the address and port sets
  Long link between the Trust zone and DMZ
  Time-based control between the Trust and Internet zones
  ASPF application between the Internet zone and DMZ
  Port identification between the Internet zone and DMZ
  Fragment cache between the Internet zone and DMZ
  Function: NAT/QoS/IPSec/routing policy

ACL Function 1

 Packet filtering

[Figure: Firewall]
The packets from IP address 202.110.10.0/24 to IP address 172.16.17.10 that use TCP and access resources by using HTTP can pass through the firewall!
The packets from IP address 192.110.10.0/24 to IP address 172.16.160.23 that use TCP and access resources by using Telnet cannot pass through the firewall!

ACL Function 2

 Address translation
[Figure: ACL on the firewall (10.32.255.50/24 inside, 58.241.12.253/30 toward the Internet). Address translation applies to user group A only. User group A: 192.168.10.0/24; User group B: 172.16.160.0/24]
 QoS
 Policy routing
 IPSec
 ……
Question: Why is the ACL valid to these applications?

ACL Commands

 acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
  acl-number: It defines a numerical ACL.
   The ACLs ranging from 2000 to 2999 are basic ACLs.
   The ACLs ranging from 3000 to 3999 are advanced ACLs.
  vpn-instance vpn-instance-name: It defines the VPN instance ACL. Herein, vpn-instance-name indicates the VPN instance name, which is a string containing one to 19 characters.
 undo acl { [ number ] acl-number | all }
 The command acl is used to create an ACL and enter the ACL view.
 The command undo acl is used to delete an ACL.

ACL Configuration Methods

 ACL step
 Edit the ACL.

acl 3000
rule deny source 1.1.1.1 0
rule permit tcp destination-port equal www
rule permit ip source 172.16.12.31 0
rule 3 permit ip source 192.168.10.0 24
rule 5 deny logging

display acl 3000
Acl's step is 5
acl 3000
rule 0 deny source 1.1.1.1 0 logging
rule 3 permit ip source 192.168.10.0 24
rule 5 deny logging
rule 10 permit ip source 172.16.12.31 0

ACL Matching Order

 Matching order of ACL rules:
  config mode: The rules configured first are matched first. In other words, the smaller the rule SN is, the higher the priority is.
  auto mode: The matching rule is depth first. In other words, the smaller the address range is, the higher the priority is.
 Matching order of various ACLs
  ACLs based on MAC addresses > Advanced ACLs > Basic ACLs
 Matching order of ACLs of the same type
  The smaller the ACL-number is, the higher the priority is.
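An added Python model of the two slides above (not code from the course): it replays the step-based rule numbering of the "acl 3000" example, then looks up a source address in config mode and in auto mode so that the difference in matching order is visible. Only source matching is modelled; the destination-port rule is represented as a source-only permit, and the slide's wildcard "24" is read as 0.0.0.255. Both are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

ANY_WILDCARD = "255.255.255.255"   # every bit is "don't care": the rule matches any address


def fixed_bits(wildcard: str) -> int:
    """Mask of the address bits a VRP wildcard forces to match (wildcard bit 0 = must match)."""
    return 0xFFFFFFFF ^ int(ip_address(wildcard))


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = ANY_WILDCARD
    logging: bool = False

    def matches(self, src: str) -> bool:
        mask = fixed_bits(self.wildcard)
        return int(ip_address(src)) & mask == int(ip_address(self.source)) & mask

    def depth(self) -> int:
        # More fixed bits means a smaller address range, which auto mode matches first.
        return bin(fixed_bits(self.wildcard)).count("1")

    def text(self) -> str:
        line = f"rule {self.rule_id} {self.action}"
        if self.wildcard != ANY_WILDCARD:
            line += f" source {self.source} {self.wildcard}"
        return line + (" logging" if self.logging else "")


class Acl:
    def __init__(self, number: int, step: int = 5, match_order: str = "config"):
        self.number, self.step, self.match_order = number, step, match_order
        self.rules: List[Rule] = []

    def rule(self, action: str, source: str = "0.0.0.0", wildcard: str = ANY_WILDCARD,
             rule_id: Optional[int] = None, logging: bool = False) -> Rule:
        """Mimics 'rule [rule-id] ...': an explicit id replaces an existing rule with that id;
        otherwise the id is the next multiple of the step above the largest existing id."""
        if rule_id is None:
            largest = max((r.rule_id for r in self.rules), default=None)
            rule_id = 0 if largest is None else (largest // self.step + 1) * self.step
        self.rules = [r for r in self.rules if r.rule_id != rule_id]
        new = Rule(rule_id, action, source, wildcard, logging)
        self.rules.append(new)
        return new

    def ordered(self) -> List[Rule]:
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)              # smaller SN first
        return sorted(self.rules, key=lambda r: (-r.depth(), r.rule_id))    # depth first

    def lookup(self, src: str) -> Optional[Rule]:
        return next((r for r in self.ordered() if r.matches(src)), None)

    def display(self) -> List[str]:
        return [f"Acl's step is {self.step}", f"acl {self.number}"] + [r.text() for r in self.ordered()]


def build_slide_acl() -> Acl:
    """Replays the 'acl 3000' edit sequence of the slide (source matching only)."""
    acl = Acl(3000)
    acl.rule("deny", "1.1.1.1", "0.0.0.0")                     # becomes rule 0
    acl.rule("permit")                                          # becomes rule 5 (the destination-port www rule, source-only here)
    acl.rule("permit", "172.16.12.31", "0.0.0.0")               # becomes rule 10
    acl.rule("permit", "192.168.10.0", "0.0.0.255", rule_id=3)  # explicit rule 3
    acl.rule("deny", rule_id=5, logging=True)                   # overwrites rule 5
    return acl


if __name__ == "__main__":
    acl = build_slide_acl()
    print("\n".join(acl.display()))
    for mode in ("config", "auto"):
        acl.match_order = mode
        print(mode, "mode:", acl.lookup("172.16.12.31").text())
```

The host 172.16.12.31 is the interesting case: in config mode the "rule 5 deny" (any source) sits before rule 10 and wins, so the host is denied; in auto mode rule 10 has a smaller address range and is matched first, so the host is permitted.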

Example of Configuring an Interface-based ACL (on CLI)

[Figure: Telnet Server 192.168.1.1, FTP Server 192.168.1.2, WWW Server 192.168.1.3 and host 192.168.1.4 behind the internal interface 192.168.1.5 of the firewall; external interface 202.38.160.1; external host 202.39.2.3]

 Objectives: To enable access control between the intranet and extranet
  1. Allow the host at IP address 192.168.1.4 in the Trust zone to access the Untrust zone.
  2. Allow the host at IP address 202.39.2.3 in the Untrust zone to access the servers at IP addresses 192.168.1.1, 192.168.1.2, and 192.168.1.3 in the Trust zone.
  3. Allow all hosts in Trust and Untrust zones to run the ping command to test communication with each other and they communicate well.
 Networked devices: PC, firewall, server, router

Example of Configuring an Interface-based ACL (on Web)

[Screenshot of the Web configuration page]

Example of Configuring an Interzone ACL (on CLI)

[Figure: DMZ zone: interface E2/0/0 192.168.2.1 with host 192.168.2.2; Untrust zone: interface E1/0/0 192.168.1.1 with host 192.168.1.2; Local zone: console port]

 Objective: To enable two devices in the DMZ and Untrust zone of the firewall to successfully ping each other
 Networked devices: PC, firewall, server

Example of Configuring an Interzone ACL (on Web)

[Screenshot of the Web configuration page]

Summary

 ACL principles
 ACL functions and classification
 Application scenarios and configurations of interface-based packet filtering
 Application scenarios and configurations of interzone packet filtering

Questions

 What's the relationship among packet filtering, status inspection mechanism, and session table?
 Fragment cache function: What is the difference between formats of the first packet fragment and other fragments? If the first fragment arrives first, which measure will be carried out? If the first fragment arrives late, which measure will be taken?
 Which are application scenarios of port identification (port mapping)?
 What is the difference between application scenarios of interzone packet filtering and interface packet filtering?
 What is the difference between inbound of interzone packet filtering and inbound of interface packet filtering? What is the difference between outbound of interzone packet filtering and outbound of interface packet filtering?

Answer

Thank you
www.huawei.com

Chapter 4 Network Address Translation Technology

www.huawei.com

Objectives

 Upon completion of this course, you will be able to:
  NAT Technical Principles
  NAT Application Modes
  Firewall NAT Configuration

Contents

1. Introduction to Network Address Translation Technology
2. NAT Technology Based on the Source IP Address
3. NAT Technology Based on the Destination IP Address
4. Bidirectional NAT Technology
5. NAT Application Scenario Configuration

Background Information

 The explosive growth of the Internet leads to the depletion of IPv4 addresses.
 The next generation of IP technology, IPv6, cannot replace IPv4 addresses in a large scale in a short time.
 With the continuous development of technologies, various technologies for extending the IPv4 lifespan emerge continuously. NAT is one of the most excellent technical means.

Why NAT is Required?

 Using the private network address can implement address reuse and increase IP resource utilization.
 The private network address cannot be routed over public networks; otherwise, it leads to routing problems.
 The NAT technology is used to translate a large number of private network addresses into a small amount of public network addresses to ensure communication services and save IP address resources.

[Figure: Communication between the private network and public network without NAT. The Intranet User 10.1.1.1 sends a packet with Source IP address 10.1.1.1 and Destination IP address 123.3.2.3 to the FTP Server 123.3.2.3. No address translation is done; 10.1.1.1 is a private network address, the route is unknown, and the packet is discarded.]

Basic Principles of NAT Technology

 The NAT technology is used to translate the source address or the destination address in the IP packet header. It enables a large number of private IP addresses to access the public network by sharing a small amount of public IP addresses, which can effectively slow down the speed of the IP address space depletion and enable a large number of private network users to access the Internet.

[Figure: Intranet User 10.1.1.1 and FTP Server 123.3.2.3 with the NAT device between them]
Outbound: Source IP address 10.1.1.1, Destination IP address 123.3.2.3 --> replace the private network source address with the public network address --> Source IP address 123.3.2.1, Destination IP address 123.3.2.3
Return: Source IP address 123.3.2.3, Destination IP address 123.3.2.1 --> replace the public network destination address with the private network address --> Source IP address 123.3.2.3, Destination IP address 10.1.1.1

NAT Categories

 Based on the Source IP Address Translation Direction
  Outbound direction: The data packets are transferred from a high-security network to a low-security network.
  Inbound direction: The data packets are transferred from a low-security network to a high-security network.
 Based on Whether the Source IP Address Port is Translated
  No-PAT mode: It is used for a one-to-one translation of IP addresses, which does not involve the port translation.
  NAPT mode: It is used for a many-to-one or many-to-many translation of IP addresses, which involves the port translation.
 Based on the Destination IP Address Translation Function
  NAT Server function: The private network server provides services for public network users by using this function.
  Destination NAT function: Destination NAT can be used for Internet access by mobile phone users. The default WAP gateway is not consistent with the gateway provided by the local operator.
 Bidirectional NAT
  NAT Inbound and NAT Server are used together.
  Intrazone NAT and NAT Server are used together.

NAT Advantages and Disadvantages

 Advantages
  Allow IP address reuse and save precious address resources.
  Be transparent to users in the process of address translation.
  Hide the internal network topology/information from external users.
  Implement load balancing of intranet servers.
 Disadvantages
  Increase difficulties in terms of network monitoring.
  Do not support some applications.

Overview of NAT Technology Based on the Source IP Address

 Conversion Based on the Source IP Address
[Figure: Trust zone: Source IP address 192.168.0.11, Destination IP address 1.1.1.1 --> conversion --> Untrust zone: Source IP address 9.9.9.9, Destination IP address 1.1.1.1]

 Conversion Based on the Source IP Address and Port
[Figure: Trust zone: Source IP address 192.168.0.11, Source port X, Destination IP address 1.1.1.1 --> conversion --> Untrust zone: Source IP address 2.2.2.2, Source port Y, Destination IP address 1.1.1.1]

Differences Between NAT Outbound and NAT Inbound

 NAT Outbound
[Figure: Outbound direction, from the high-security zone (Trust) to the low-security zone (Untrust). Source IP address 192.168.0.11, Destination IP address 1.1.1.1 --> conversion --> Source IP address 9.9.9.9, Destination IP address 1.1.1.1]

 NAT Inbound
[Figure: Inbound direction, from the low-security zone (Untrust) to the high-security zone (DMZ). Source IP address 9.9.9.9, Destination IP address 1.1.1.1 --> conversion --> Source IP address 192.168.0.11, Destination IP address 1.1.1.1]

One-to-One Address Translation

 The address before the conversion is bound with the one after conversion in order to meet some special requirements. Therefore, this application is scarcely used.

[Figure: 192.168.1.1 -> 155.133.87.1; 192.168.1.2 -> 155.133.87.2; 192.168.1.3 -> 155.133.87.3]

Many-to-Many Address Translation

 A segment of addresses used for conversion can be configured by using the address pool. During conversion, the Internet addresses in the address pool are selected successively, each one being used to translate one intranet address, until all addresses in the address pool are used up. In this case, subsequent private addresses cannot be translated.

[Figure: 192.168.1.1 -> 155.133.87.1; 192.168.1.2 -> 155.133.87.2; 192.168.1.3 -> 155.133.87.3; 192.168.1.4 -> Discard]

 Many-to-many address translation is on a first-come first-served basis, whereas one-to-one address translation uses manually configured one-to-one address mappings. In many-to-many address translation, the required number of public addresses is the same as the number of private addresses. Therefore, many-to-many address translation is not common either.

Many-to-One Address Translation

 Multiple internal addresses are mapped to different port numbers of the same public address in order to implement the many-to-one address conversion. The NAPT technology is used to implement the many-to-one address conversion.

[Figure: 192.168.1.1 -> 155.133.87.1:7111; 192.168.1.2 -> 155.133.87.1:7112; 192.168.1.3 -> 155.133.87.1:7113]

 NAPT is a technology that uses Layer 4 information to extend Layer 3 addresses. An IP address has 65,535 ports for use. Theoretically, a public address can be mapped to 65535 private addresses, which effectively enhances address spaces and increases utilization of IP addresses. Therefore, NAPT is a frequently-used address translation method.
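An added Python model, not from the course, of the many-to-many (No-PAT) and many-to-one (NAPT) translation described on the two slides above, including the reverse translation of reply packets and the pool-exhaustion case. The pool 155.133.87.1 to 155.133.87.3 and the intranet hosts are the slides' values; the server 1.1.1.1, the private source ports and the first translated port 7111 are constructed, and a real device does not necessarily hand out ports sequentially or always from the first pool address.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def address_group(start: str, end: str) -> List[str]:
    """nat address-group: every public address from start to end, inclusive."""
    return [str(ip_address(n)) for n in range(int(ip_address(start)), int(ip_address(end)) + 1)]


class SourceNat:
    """Outbound source translation in 'no-pat' mode (many-to-many: one pool address per
    private host, ports untouched) or 'napt' mode (many-to-one: one address, new ports)."""

    def __init__(self, pool: List[str], mode: str, first_port: int = 7111):
        self.mode = mode
        self.free = list(pool)                                        # unused pool addresses
        self.ip_map: Dict[str, str] = {}                              # no-pat: private -> public
        self.port_map: Dict[Tuple[str, int], Tuple[str, int]] = {}   # napt: (priv, port) -> (pub, port)
        self.next_port = first_port                                   # constructed starting port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate the source; None means the packet is discarded."""
        if self.mode == "no-pat":
            if pkt.src not in self.ip_map:
                if not self.free:
                    return None                      # pool used up: this host cannot be translated
                self.ip_map[pkt.src] = self.free.pop(0)   # first come, first served
            return Packet(self.ip_map[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        key = (pkt.src, pkt.sport)
        if key not in self.port_map:
            # Every host shares the first pool address; the new source port tells them apart.
            self.port_map[key] = (self.free[0], self.next_port)
            self.next_port += 1
        pub, port = self.port_map[key]
        return Packet(pub, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation of a reply: restore the private destination, or drop it."""
        if self.mode == "no-pat":
            for priv, pub in self.ip_map.items():
                if pub == pkt.dst:
                    return Packet(pkt.src, pkt.sport, priv, pkt.dport)
            return None
        for (priv, pport), mapped in self.port_map.items():
            if mapped == (pkt.dst, pkt.dport):
                return Packet(pkt.src, pkt.sport, priv, pport)
        return None


def demo(mode: str) -> List[Optional[Packet]]:
    """Four intranet hosts from the slides reach a constructed server 1.1.1.1 through the
    three-address pool 155.133.87.1 to 155.133.87.3."""
    nat = SourceNat(address_group("155.133.87.1", "155.133.87.3"), mode)
    return [nat.outbound(Packet(f"192.168.1.{n}", 40000 + n, "1.1.1.1", 80)) for n in (1, 2, 3, 4)]


if __name__ == "__main__":
    for mode in ("no-pat", "napt"):
        print(mode, [(p.src, p.sport) if p else "discard" for p in demo(mode)])
```

With No-PAT the fourth host is discarded exactly as on the many-to-many slide, while NAPT carries all four hosts on 155.133.87.1 and only the translated source port differs, which is why a reply is matched on the (address, port) pair rather than the address alone.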

Configuration Based on Source IP Address Translation (NAT No-PAT)

 Configure the NAT address pool in the system view.
nat address-group group-number [group-name] start-address end-address
 Enter the interzone NAT policy view in the system view.
nat-policy interzone zone-name1 zone-name2 {inbound | outbound}
 Create the NAT policy and enter the policy ID view.
policy [ policy-id ]
policy source { source-address source-wildcard |……}
policy destination { source-address source-wildcard |……}
policy service service-set {service-set-name}
action { source-nat | no-nat}
address-group {number | name} no-pat

Configuration Based on Source IP Address and Port Conversion (NAPT)

 Configure the NAT address pool in the system view.
nat address-group group-number [group-name] start-address end-address
 Enter the interzone NAT policy view in the system view.
nat-policy interzone zone-name1 zone-name2 {inbound | outbound}
 Create the NAT policy and enter the policy ID view.
policy [ policy-id ]
policy source { source-address source-wildcard |……}
policy destination { source-address source-wildcard |……}
policy service service-set {service-set-name}
action { source-nat | no-nat}
address-group {number | name}

NAT Server-Internal Server

 In the practical application, a Web server is required when the external resource accesses the internal host. The external host does not have a route to the internal address; therefore, the internal server cannot be accessed. The NAT Server function selects a public network address to represent the internal server address.

[Figure: WWW server in the DMZ with the true address 192.168.1.1; Internet users in the untrust zone see the public network address 202.202.1.1. Packet from the Internet: Destination IP address 202.202.1.1 --> conversion --> Destination IP address 192.168.1.1; the Source IP address is unchanged.]

 On the firewall, a dedicated public network address is configured for the internal server to represent the private network address. For Internet users, the Internet address configured on the firewall is the server address.

Configuration Based on NAT Server

 In the system view:
nat server [ id ] zone zone-name protocol protocol-type global { global-address [ global-port ] | interface { interface-name | interface-type interface-number } } inside host-address [ host-port ] [no-reverse] [ vpn-instance vpn-instance-name ] [ vrrp virtual-router-id ]

 NAT Server is a frequently-used NAT based on the destination address. If the intranet deploys a server and its true IP address is a private network address, public network users can access this server by using a public network address. In this case, NAT Server can be configured and the device can transfer the packets that public network users send to this public network address to the intranet server.

Destination NAT

[Figure: mobile terminal, base station, GSR, GGSN, firewall, WAP gateway]

 When the mobile terminal accesses the wireless network, if the default WAP gateway address is not consistent with the WAP gateway address of the local operator, a device can be deployed between the terminal and the WAP gateway in order to configure the NAT function. In this case, the device will automatically forward the packet that is wrongly sent to the WAP gateway address by the terminal to the correct WAP gateway.

Configuration Based on Destination NAT

 Access the system view:
acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
 Create the advanced ACL and enter the ACL view.
rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any | address-set address-set-name } | destination-port { operator port1 [ port2 ] | port-set port-set-name } ……
 Access the system view:
firewall zone [ vpn-instance vpn-instance-name ] [ name ] zone-name
 Enter the security zone view.
destination-nat acl-number address ip-address [ port port-number ]

Overview of Bidirectional NAT Technology

 In the bidirectional NAT application scenario, when the two sides of communication access the opposite side, the destination address is not a true address, but an address after NAT conversion. For applications such as outbound direction, inbound direction, and internal server, the addresses are translated based on requirements of one side.
 The bidirectional N
AT has the following scenarios.
  The internal server and NAT inbound are used together.
  The internal server and intrazone NAT are used together.

Interzone Bidirectional NAT

[Figure: Internet server in the DMZ with the true IP address 192.168.1.1, published under the public network address 202.20.1.5; Internet users 2.2.2.5 in the Untrust zone; NAT Inbound translates the user to the private IP address 192.168.1.5]

 To simplify the configuration of the routing from the server to the public network, the NAT Inbound configuration can be added based on the NAT Server.

Intrazone Bidirectional NAT

 If both sides that need to translate addresses are in the same security zone, the intrazone NAT is required.

[Figure: Trust domain. Intranet users 192.168.1.5 with the user public network address 202.202.1.1, and the server 192.168.1.1 with the server public network address 202.202.1.5]

 In the intranet, when intranet users access the intranet server, the NAT conversion by using the firewall is required under certain conditions. If users access the server by using the domain name, the public network address of the server will be used after DNS resolution. In this case, the communication between users and the server is implemented via the firewall.

Interzone Bidirectional NAT Configuration

 NAT Server Configuration
nat server [ id ] zone zone-name protocol protocol-type global { global-address [ global-port ] | interface { interface-name | interface-type interface-number } } inside host-address [ host-port ] [ vrrp virtual-router-id ] [no-reverse] [ vpn-instance vpn-instance-name ]

 NAT Inbound Configuration
nat address-group group-number [group-name] start-address end-address
nat-policy interzone zone-name1 zone-name2 {inbound | outbound}
policy [ policy-id ]
policy source { source-address source-wildcard |……}
policy destination { source-address source-wildcard |……}
policy service service-set {service-set-name}
action { source-nat | no-nat}
address-group {number | name}
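An added Python model (not the course's own code) of the NAT Server mapping from the "Configuration Based on NAT Server" slide and of the interzone bidirectional NAT configuration above: an inbound packet first gets the NAT Server destination rewrite and then a No-PAT NAT Inbound source rewrite from a pool on the server's own subnet, and the server's reply is reversed in the opposite order. Addresses come from the Interzone Bidirectional NAT slide; the service port 80 and the user's source port are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatServer:
    """'nat server protocol P global G [gport] inside H [hport]': static destination mapping."""

    def __init__(self):
        self.entries: Dict[Tuple[str, str, int], Tuple[str, int]] = {}   # (proto, global, gport) -> (inside, hport)

    def add(self, proto: str, global_addr: str, global_port: int, inside: str, inside_port: int) -> None:
        self.entries[(proto, global_addr, global_port)] = (inside, inside_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public user -> server: rewrite the destination to the server's true address."""
        target = self.entries.get((pkt.proto, pkt.dst, pkt.dport))
        if target is None:
            return None                       # no mapping for this address/port: not a published service
        return Packet(pkt.proto, pkt.src, pkt.sport, target[0], target[1])

    def outbound(self, pkt: Packet) -> Packet:
        """Server -> public user: rewrite the source back to the global address (reverse mapping)."""
        for (proto, gaddr, gport), (inside, hport) in self.entries.items():
            if (proto, inside, hport) == (pkt.proto, pkt.src, pkt.sport):
                return Packet(proto, gaddr, gport, pkt.dst, pkt.dport)
        return pkt


class BidirectionalNat:
    """Interzone bidirectional NAT: NAT Server plus NAT Inbound (No-PAT) from a pool of
    addresses on the server's subnet, so the server needs no route to the public network."""

    def __init__(self, server: NatServer, inbound_pool: List[str]):
        self.server = server
        self.free = list(inbound_pool)
        self.user_map: Dict[str, str] = {}      # public user address -> pool address

    def to_server(self, pkt: Packet) -> Optional[Packet]:
        pkt = self.server.inbound(pkt)          # 1. destination: global -> inside
        if pkt is None:
            return None
        if pkt.src not in self.user_map:        # 2. source: public user -> pool address
            if not self.free:
                return None                     # pool used up, as in No-PAT
            self.user_map[pkt.src] = self.free.pop(0)
        return Packet(pkt.proto, self.user_map[pkt.src], pkt.sport, pkt.dst, pkt.dport)

    def from_server(self, pkt: Packet) -> Optional[Packet]:
        users = [u for u, pool in self.user_map.items() if pool == pkt.dst]
        if not users:
            return None
        pkt = Packet(pkt.proto, pkt.src, pkt.sport, users[0], pkt.dport)   # pool address -> user
        return self.server.outbound(pkt)                                  # inside -> global


def build_demo() -> BidirectionalNat:
    """Server 192.168.1.1 published as 202.20.1.5, Internet user 2.2.2.5 and the NAT Inbound
    pool address 192.168.1.5 are the slide's values; TCP port 80 is constructed."""
    server = NatServer()
    server.add("tcp", "202.20.1.5", 80, "192.168.1.1", 80)
    return BidirectionalNat(server, ["192.168.1.5"])


if __name__ == "__main__":
    nat = build_demo()
    print(nat.to_server(Packet("tcp", "2.2.2.5", 50000, "202.20.1.5", 80)))
    print(nat.from_server(Packet("tcp", "192.168.1.1", 80, "192.168.1.5", 50000)))
```

The server only ever sees 192.168.1.5 as the client, so its reply is routed on the DMZ subnet and the firewall restores both the user's address and the published 202.20.1.5 on the way out. The interzone packet-filtering rule for this traffic must still be written against the true destination address after the NAT Server rewrite, as the NAT Server configuration example in this chapter does with "policy destination 192.168.20.2 0".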

NAT Application Scenario Analysis

[Figure: Untrust zone 202.169.10.1/29; DMZ 192.168.20.1/24; Trust zone 192.168.0.1/24]

 Application Scenario Analysis
  NAT Outbound application
  NAT Server application

Firewall NAT Outbound Configuration (Command Line)

 Roadmap and Examples for Configuring Outbound NAT
1. Configure the interzone packet filtering policy
[USG] policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound] policy 0
[USG-policy-interzone-trust-untrust-outbound-0] policy source 192.168.0.0 0.0.0.255
[USG-policy-interzone-trust-untrust-outbound-0] action permit
2. Configure the address pool
[USG] nat address-group 1 202.169.10.2 202.169.10.6
3. Configure the NAT outbound policy
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 0
[USG-nat-policy-interzone-trust-untrust-outbound-0] policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-0] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-0] address-group 1

Firewall NAT Outbound Configuration (Web)

[Screenshot of the Web configuration page]

Firewall NAT Server Configuration (Command Line)

 Roadmap and Examples for Configuring the Internal Server
1. Configure the internal Web and FTP server
[USG] nat server protocol tcp global 202.169.10.1 80 inside 192.168.20.2 8080
[USG] nat server protocol tcp global 202.169.10.1 ftp inside 192.168.20.3 ftp
2. Configure the interzone packet filtering rules
[USG] policy interzone dmz untrust inbound
[USG-policy-interzone-dmz-untrust-inbound] policy 0
[USG-policy-interzone-dmz-untrust-inbound-0] policy destination 192.168.20.2 0
[USG-policy-interzone-dmz-untrust-inbound-0] policy service service-set http
[USG-policy-interzone-dmz-untrust-inbound-0] action permit
[USG-policy-interzone-dmz-untrust-inbound] policy 1
[USG-policy-interzone-dmz-untrust-inbound-1] policy destination 192.168.20.3 0
[USG-policy-interzone-dmz-untrust-inbound-1] policy service service-set ftp
[USG-policy-interzone-dmz-untrust-inbound-1] detect ftp
[USG-policy-interzone-dmz-untrust-inbound-1] action permit

Firewall NAT Server Configuration (Web)

[Screenshot of the Web configuration page]

Summary

 NAT Technical Principles
 NAT Application Modes
 Firewall NAT Configuration

Questions

 What is the difference between NAT inbound and NAT outbound?
 Why does NAT based on the IP address not have the one-to-many application scenario?
 What limitations does No-PAT have?
 What is the application scenario of easy IP?
 What is the meaning of the no-reverse parameter in the NAT based on the destination IP address?
 What is the difference between NAT server and destination NAT implementation mechanisms?
 What is the difference between the interzone bidirectional NAT and intrazone bidirectional NAT application scenarios?
 In different NAT application scenarios, what are the concerns in the configuration of interzone packet filtering rules?

Answer

Thank you
www.huawei.com

Chapter 5 Firewall Networking

www.huawei.com

Objectives

 Upon completion of this course, you will be able to:
  Basic VLAN technologies
  SA and E1 WAN interface technologies
  Basic ADSL technologies
  WLAN and 3G wireless technologies

Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology

VLAN Background – Broadcast Storm

[Figure: all hosts attached to the switch form a single broadcast domain]
Dividing Broadcast Domains by VLANs

[Figure: Port 1 is assigned to VLAN-1 and Port 2 to VLAN-2; each VLAN forms its own broadcast domain.]

VLAN Frame Format

Standard Ethernet frame:
  DA | SA | TYPE | DATA | CRC

Ethernet frame with IEEE 802.1Q tag:
  DA | SA | TAG | TYPE | DATA | CRC

The TAG consists of the TPID and the TCI:
  TPID = 0x8100 | TCI = PRI | CFI | VLAN ID

Types of Ethernet Switch Ports

• Access port
  Generally, the access port is used to connect a user PC. An access port can belong to only one VLAN.
• Trunk port
  Generally, the trunk port is used for the connection between switches. A trunk port can belong to multiple VLANs and receives and sends packets of multiple VLANs.
• Hybrid port
  The hybrid port is used for the connection between switches or to user PCs. A hybrid port can belong to multiple VLANs and receives and sends packets of multiple VLANs.

Question: What is the function of the port default VLAN ID (PVID)?

Access-Link Configuration

• By default, all the ports of the switch are access ports and belong to VLAN 1. That is, the PVID is 1.

[Figure: Port-0/1: VLAN 3, Port-0/2: VLAN 3]

Configure the port type:
  port link-type access
Create a VLAN:
  vlan 3
Add a port to the VLAN (in the VLAN view):
  port ethernet 0/1
Add the VLAN to a port (in the interface view):
  port access vlan 3

Trunk-Link Configuration

• The trunk port is responsible for transmitting the data of multiple VLANs.
• By default, the PVID of the trunk port is 1.

[Figure: two switches connected through Port-0/3 on each side.]

Configure the port type:
  port link-type trunk
Configure the VLANs whose packets can be transmitted over the trunk port:
  port trunk permit vlan all
Configure the PVID of the trunk port:
  port trunk pvid 1

Hybrid-Link Configuration

• The hybrid port is responsible for transmitting the data of multiple VLANs. It can be configured to determine whether the tag is stripped.
• By default, the PVID of the hybrid port is 1.

[Figure: two switches connected through Port-0/3 on each side.]

Configure the port type:
  port link-type hybrid
Configure the VLANs whose packets can be transmitted over the hybrid port, and the PVID:
  port hybrid pvid 1 vlan 10 to 20 tagged

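The three link types above differ only in how they treat the 802.1Q TAG on ingress and egress, which is also what the PVID question on the port-type slide is about. The following Python example, added here and not part of the Huawei course material, parses the two frame layouts from the VLAN Frame Format slide (untagged, and TPID 0x8100 + TCI) and then switches a frame between ports configured as access, trunk or hybrid with a PVID. The port model is the generic 802.1Q behaviour the slides describe (untagged frames join the PVID, PVID traffic leaves untagged, a hybrid port chooses per VLAN whether to strip the tag); vendor-specific corner cases are not modelled, and the frame bytes are constructed.

```python
# Added illustration: 802.1Q tag parsing and per-port VLAN handling.
# Constructed for this page; not Huawei code. Port behaviour follows the
# generic 802.1Q access/trunk/hybrid model described on the slides.
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100  # tag protocol identifier that opens the TAG field


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes
    vlan_id: Optional[int] = None  # None when the frame carries no tag
    pri: int = 0                   # 3-bit priority from the TCI
    cfi: int = 0                   # 1-bit canonical format indicator


def parse_frame(raw: bytes) -> Frame:
    """Parse DA | SA | [TAG] | TYPE | DATA (the trailing CRC is not modelled)."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", raw[14:18])
    # TCI layout: PRI (3 bits) | CFI (1 bit) | VLAN ID (12 bits)
    return Frame(dst, src, ethertype, raw[18:],
                 vlan_id=tci & 0x0FFF, pri=tci >> 13, cfi=(tci >> 12) & 1)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pri: int = 0) -> bytes:
    """Build an untagged frame, or insert a TAG when vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pri << 13) | (vlan_id & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


@dataclass
class Port:
    link_type: str                                    # access | trunk | hybrid
    pvid: int = 1                                     # port default VLAN ID
    permitted: Set[int] = field(default_factory=set)  # trunk/hybrid VLANs
    untagged: Set[int] = field(default_factory=set)   # hybrid: VLANs sent untagged

    def ingress(self, frame: Frame) -> Optional[int]:
        """VLAN the received frame is switched in, or None if it is dropped."""
        if frame.vlan_id is None:
            return self.pvid  # untagged frames are assigned the PVID
        if self.link_type == "access":
            return frame.vlan_id if frame.vlan_id == self.pvid else None
        return frame.vlan_id if frame.vlan_id in self.permitted | {self.pvid} else None

    def egress(self, vlan_id: int) -> Optional[str]:
        """'untagged', 'tagged', or None when this port does not carry the VLAN."""
        if vlan_id == self.pvid:
            return "untagged"  # PVID traffic always leaves without a tag
        if self.link_type == "access" or vlan_id not in self.permitted:
            return None
        if self.link_type == "hybrid" and vlan_id in self.untagged:
            return "untagged"
        return "tagged"


def forward(in_port: Port, raw: bytes, out_port: Port) -> Optional[bytes]:
    """Receive raw on in_port and re-emit it on out_port, retagging as needed."""
    f = parse_frame(raw)
    vlan = in_port.ingress(f)
    if vlan is None:
        return None
    mode = out_port.egress(vlan)
    if mode is None:
        return None
    return build_frame(f.dst, f.src, f.ethertype, f.payload,
                       vlan_id=vlan if mode == "tagged" else None, pri=f.pri)


if __name__ == "__main__":
    # Constructed frames: broadcast DA, arbitrary SA, IPv4 ethertype.
    dst, src = b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55"
    access = Port("access", pvid=15)
    trunk = Port("trunk", pvid=1, permitted=set(range(10, 21)))
    out = forward(access, build_frame(dst, src, 0x0800, b"payload"), trunk)
    print(parse_frame(out))  # tagged with VLAN 15 on the trunk side
```

Running the demo shows an untagged frame entering an access port with PVID 15 leaving the trunk with a VLAN 15 tag, while the same frame on a port whose PVID is not permitted on the trunk is dropped, which is exactly the boundary the "Routers Between VLANs" slide says only a Layer 3 device can cross.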
Routers Between VLANs

[Figure: VLAN 100, VLAN 200 and VLAN 300 connected through a router.]

The packets of different VLANs cannot cross VLAN boundaries. Packets must be forwarded by a Layer 3 device from one VLAN to another.

Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology

SA Serial Port Overview

• The serial port is a common WAN port. Serial ports are classified into synchronous and asynchronous serial ports. The synchronous serial port is widely used.
• The SA interface is a synchronous serial interface and supports various cables such as V.24, V.35, X.21, RS-449 and RS-530. It supports various baud rates to interwork with different peer devices. The maximum bandwidth is 2.048 Mbit/s, which satisfies the service data transmission requirements of carriers and enterprise customers.
• The SA has two work modes: data terminal equipment (DTE) and data circuit-terminating equipment (DCE).
• As the uplink interface, the SA can carry various services such as HTTP and FTP.
• The SA supports various data link layer protocols, including the Point-to-Point Protocol (PPP) and High-Level Data Link Control (HDLC).
• The SA supports the IP network layer protocols.

SA Serial Port — Configuration Example (CLI)

The SA interface uses the PPP protocol.

Configure the USG 2200A:
# Configure serial1/0/0. Set the encapsulation protocol to PPP. Set the other parameters to their default values.
  <USG2200A> system-view
  [USG2200A] interface serial 1/0/0
  [USG2200A-serial1/0/0] ip address 10.110.1.11 255.255.255.0
  [USG2200A-serial1/0/0] link-protocol ppp
  [USG2200A-serial1/0/0] shutdown
  [USG2200A-serial1/0/0] undo shutdown

Note: After the configuration is complete, add the serial1/0/0 interface to the security zone. Enable the default interzone packet filtering rules.

What Is the E1 Interface?

• The E1 is a widely used low-speed WAN physical interface. It works at the bottom layer of the PDH rate system. It provides various application modes to support flexible low-speed access.
• The E1/T1 interfaces follow regional standards. The E1 interface complies with the ITU-T standards and is used in Europe and China. The T1 (also called J1) interface complies with the ANSI standard and is used in North America and Japan.
• The E1/T1 interface uses the time-division multiplexing (TDM) mechanism. The E1/T1 interface supports various application modes: unchannelized (supported only by the E1 interface), channelized, partially channelized, and PRI.
• The E1/T1 interface supports the following physical features: clock, encoding, frame format, frame synchronization, idle code, inter-frame filling, and loopback.

TDM Mechanism of the E1 Interface

• In the E1 system, the frequency of the frame synchronization signal is 8 kHz. That is, 8000 frames are repeated each second. The sampling interval is 1 s / 8000 = 125 μs. The 125 μs is divided into 32 timeslots. Each timeslot contains eight bits. The E1 interface rate is therefore 8000 × 32 × 8 = 2,048,000 bit/s.
• The following figure shows the basic PCM frame structure of the E1 interface.

[Figure: basic PCM frame structure of the E1 interface (one 125 μs frame of 32 timeslots, eight bits each).]

E1 Related Concepts

Standard: The E1 standard is a European standard used in countries other than the USA, Canada, and Japan. The E1 rate is 2.048 Mbit/s. The T1 standard is used in the USA, Canada, and Japan. The E1 interface uses the PCM mechanism.

TDM: The E1 interface uses the TDM mechanism (the sampling interval is 125 μs). The E1 frame is divided into 32 equal timeslots, numbered from 0 to 31. Each timeslot has eight bits, so an E1 frame has 256 bits. 8000 frames are transmitted every second. Therefore, the E1 rate is 2.048 Mbit/s.

TS: TS is short for timeslot. A TS contains eight bits. A frame contains 32 TSs. A multiframe (MF) contains 16 frames.

TS0: TS0 is used to transmit the frame alignment signals (FASs), cyclic redundancy check 4 (CRC4) codes, and peer alarm indications.

TS16: TS16 is used to transmit the channel associated signaling (CAS), multiframe alignment signals, and multiframe peer alarm indications.

E1 Application Modes

Mode:
  • Unframed: unchannelized
  • Framed: channelized, PCM31
  • Framed multiframe: PCM30

• The unchannelized mode is also called clear channel mode.
• The framed multiframe mode uses TS16 as the signaling channel and is mainly used to transmit voice data such as ISDN PRI.

E1 Typical Networking — One-to-One Interconnection

[Figure: three one-to-one interconnection scenarios over the carrier SDH/PDH network:
 1. E1 interface – carrier SDH/PDH – E1 interface.
 2. E1 interface – carrier SDH/PDH – protocol converter – serial port.
 3. Serial port – protocol converter – carrier SDH/PDH – protocol converter – serial port.]

E1 Typical Networking — One-to-Many Interconnection

[Figure: two one-to-many interconnection scenarios:
 1. Headquarters with a 2M E1 link to the carrier SDH/PDH network; Branch 1 connects through a protocol converter and a 128K serial port; Branch 2 connects through a 512K E1.
 2. Headquarters with a 155M cPOS link to the carrier SDH/PDH network; Branch 1 connects through a protocol converter and a 2M serial port; Branch 2 connects through a 2M E1.]

Configuration Methods

1. Enter the E1 interface view.
2. Set the work mode: CE1 work mode or E1 work mode.
3. Configure the physical interface parameters:
   • CE1 mode: configure the clock; configure the line code (AMI/HDB3); configure the frame format (CRC); bind the timeslots of the channel.
   • E1 mode: configure the clock; configure the line code (AMI/HDB3).
4. Configure the corresponding serial interface.
5. Configure the logical interface parameters:
   • Configure the link layer parameters such as PPP and HDLC.
   • Configure the network layer parameters such as the IP address and routing protocol.

E1/CE1 Configuration Example – CLI Mode

Physical interface configuration:
  controller e1 9/0/0
   clock master
   code hdb3
   frame-format no-crc4
   using ce1
   channel-set 0 timeslot-list 1-4
   channel-set 1 timeslot-list 5-8
  #

Logical interface configuration:
  interface Serial9/0/0:0
   link-protocol ppp
   ip address 100.1.1.1 255.255.255.252
  #
  interface Serial9/0/0:1
   link-protocol ppp
   ip address 110.1.1.1 255.255.255.252
  #

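The channel-set lines above bind timeslots to the two serial sub-interfaces, and the TDM slides give everything needed to check such a binding: 32 timeslots of eight bits at 8000 frames per second (64 kbit/s per timeslot, 2.048 Mbit/s in total), with TS0 reserved for frame alignment and TS16 for CAS signalling in PCM30 mode. The Python example below is added here and is not Huawei code; it parses the `channel-set N timeslot-list LIST` lines of a controller view (the comma/range syntax `1-4,7,9-12` is an assumption extended from the slide's `1-4`), reports reserved or doubly bound timeslots, and computes the bandwidth each channel set gets.

```python
# Added illustration: validate CE1 channel-set bindings against the E1 TDM
# facts on these slides. Constructed for this page; not Huawei code. The
# timeslot-list syntax "1-4,7,9-12" is assumed from the slide's CLI example.
import re
from typing import Dict, List, Set

FRAMES_PER_SECOND = 8000      # 8 kHz frame synchronization signal
BITS_PER_TIMESLOT = 8
TIMESLOTS_PER_FRAME = 32      # TS0 .. TS31
TIMESLOT_RATE_BPS = FRAMES_PER_SECOND * BITS_PER_TIMESLOT   # 64 000 bit/s
E1_RATE_BPS = TIMESLOT_RATE_BPS * TIMESLOTS_PER_FRAME       # 2 048 000 bit/s

CHANNEL_SET = re.compile(r"^\s*channel-set\s+(\d+)\s+timeslot-list\s+(\S+)")


def parse_timeslot_list(spec: str) -> Set[int]:
    """Expand '1-4,7,9-12' into {1, 2, 3, 4, 7, 9, 10, 11, 12}."""
    slots: Set[int] = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad timeslot spec: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if lo > hi or hi >= TIMESLOTS_PER_FRAME:
            raise ValueError(f"timeslot range outside 0-31: {part!r}")
        slots.update(range(lo, hi + 1))
    return slots


def parse_channel_sets(config: str) -> Dict[int, Set[int]]:
    """Collect every 'channel-set N timeslot-list LIST' line of a controller view."""
    return {int(m.group(1)): parse_timeslot_list(m.group(2))
            for m in map(CHANNEL_SET.match, config.splitlines()) if m}


def check_channel_sets(sets: Dict[int, Set[int]], pcm30: bool = False) -> List[str]:
    """Findings for reserved or doubly bound timeslots (empty list = consistent).

    In framed (CE1) mode TS0 carries the FAS/CRC4/alarm bits; in PCM30 mode
    TS16 carries CAS signalling as well, so neither can carry user data.
    """
    reserved = {0} | ({16} if pcm30 else set())
    owner: Dict[int, int] = {}
    findings: List[str] = []
    for n, slots in sets.items():
        for ts in sorted(slots):
            if ts in reserved:
                findings.append(f"channel-set {n}: TS{ts} is reserved for signalling")
            if ts in owner:
                findings.append(f"channel-set {n}: TS{ts} is already bound to channel-set {owner[ts]}")
            owner.setdefault(ts, n)
    return findings


def channel_set_rates(sets: Dict[int, Set[int]]) -> Dict[int, int]:
    """Bandwidth of each channel set in bit/s: 64 kbit/s per bound timeslot."""
    return {n: len(slots) * TIMESLOT_RATE_BPS for n, slots in sets.items()}


# Constructed sample: the controller view from the E1/CE1 configuration slide.
SLIDE_CONTROLLER = """\
controller e1 9/0/0
 clock master
 code hdb3
 frame-format no-crc4
 using ce1
 channel-set 0 timeslot-list 1-4
 channel-set 1 timeslot-list 5-8
#
"""

if __name__ == "__main__":
    sets = parse_channel_sets(SLIDE_CONTROLLER)
    print(channel_set_rates(sets), check_channel_sets(sets))
```

For the slide's configuration the check returns no findings and each Serial9/0/0:N sub-interface gets 4 × 64 kbit/s = 256 kbit/s; binding TS0, or the same timeslot twice, is reported before the configuration is committed.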
Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology

xDSL Overview

Asymmetric Digital Subscriber Line

In the asymmetric digital subscriber line, the data rate on the channel from the service provider end to the user end (downlink) and the data rate on the channel from the user end to the service provider end (uplink) are different.

A telephone line can carry both voice services and data services simultaneously. Using the existing PSTN network infrastructure, the asymmetric digital subscriber line uses the existing twisted-pair cables to provide high-speed data transmission through a special modulation technology without affecting the voice service. The major xDSL access technologies are as follows:
• ADSL/ADSL2/ADSL2+
• VDSL/VDSL2
• G.SHDSL (SHDSL series)

ADSL Overview

• The ADSL2+ technology uses the existing twisted-pair cables to provide asymmetric transmission rates on the uplink and downlink.
• The G.SHDSL/G.SHDSL.bis technology uses common twisted-pair cables to provide high-speed private line access services for users. This technology is mainly used for interconnection between small and medium enterprise networks, mobile station trunks, and ISDN group access.
• The VDSL2 broadband access technology is applicable to private line interconnection and private line access used in hotel networks, high-speed network access of Internet cafés, and video conferencing.

ADSL2+ Model

[Figure: the ATU-R and a splitter at the user end are connected over a twisted-pair cable to the central office splitter, which separates the voice path to the PSTN from the data path to the Internet.]

ADSL is an asymmetric DSL technology in which the uplink and downlink transmission rates are different. Uplink transmission is the transmission from the user end to the central office end, and downlink transmission is the transmission from the central office end to the user end.

ADSL Configuration Example 1 (CLI)

1. Configure the dialer interface.

  <USG> system-view
  [USG] dialer-rule 1 ip permit
  [USG] interface Dialer 1                  # Create the dialer interface and enter the dialer view.
  [USG-Dialer1] dialer user USG             # Specify the name of the remote user who originates the dialing; this also selects the dialer bundle mode for the dialer interface.
  [USG-Dialer1] dialer bundle 1             # Configure the dialer bundle to which the Dialer 1 interface belongs.
  [USG-Dialer1] dialer-group 1              # Associate the interface with dialer-rule 1.
  [USG-Dialer1] link-protocol ppp           # Set the link layer protocol to PPP.
  [USG-Dialer1] ip address ppp-negotiate    # Obtain the IP address through negotiation.
  [USG-Dialer1] ppp ipcp dns admit-any      # Obtain the DNS address through negotiation.
  [USG-Dialer1] ppp pap local-user Abcdefgh~ password simple Abcdefgh~   # Use the PAP authentication mode. The user name and password are Abcdefgh~.
  [USG-Dialer1] quit                        # Exit and go back to the system view.

ADSL Configuration Example 2 (CLI)

2. Create the interface Virtual-Ethernet 1.

  [USG] interface Virtual-Ethernet 1
  [USG-Virtual-Ethernet1] quit

3. Configure the PVC value of the interface Atm 2/0/0. Set the PVC encapsulation type to LLC.

  [USG] interface Atm2/0/0
  [USG-Atm2/0/0] pvc 8/35
  [USG-Atm2/0/0-8/35] map bridge virtual-ethernet 1
  [USG-Atm2/0/0-8/35] encapsulation llc

4. Configure the PPPoE session.

  [USG] interface Virtual-Ethernet 1
  [USG-Virtual-Ethernet1] pppoe-client dial-bundle-number 1

ADSL Configuration Example 3 (CLI)

5. Add the Vlanif interface to the Trust zone.

  [USG] interface Vlanif 1
  [USG-Vlanif1] ip address 192.168.0.1 24
  [USG-Vlanif1] quit
  [USG] firewall zone trust
  [USG-zone-trust] add interface Vlanif 1

6. Add the Dialer 1 interface to the Untrust zone.

  [USG] firewall zone untrust
  [USG-zone-untrust] add interface Dialer 1

7. For the USG series products, configure the interzone packet filter policies to ensure normal network transmission. For the USG BSR/HSR series products, skip this step.

  [USG] policy interzone trust untrust inbound
  [USG-policy-interzone-trust-untrust-inbound] policy 0
  [USG-policy-interzone-trust-untrust-inbound-0] action permit

ADSL Configuration Example 4 (CLI)

8. Configure the NAT policy.

  [USG] nat-policy interzone trust untrust outbound
  [USG-nat-policy-interzone-trust-untrust-outbound] policy 1
  [USG-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
  [USG-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
  [USG-nat-policy-interzone-trust-untrust-outbound-1] easy-ip Dialer 1

9. Configure the default route.

  [USG] ip route-static 0.0.0.0 0.0.0.0 Dialer 1

ADSL Configuration Example (Web)

[Screenshot of the Web configuration page; no text is recoverable.]

Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology

WLAN Overview

• The Wireless Local Area Network (WLAN) is a hot technology in the communications industry. A WLAN system is easy to deploy and use; during deployment you do not need to consider complex cabling and migration. The WLAN, however, is not a complete wireless system: the servers and backbone networks are still deployed in the fixed network, and only the users are mobile.
• Carriers and enterprises can provide wireless LAN services using the WLAN solution. The services include:
  • Wireless LAN devices can be used to establish the wireless network. Users with wireless network cards can access the wireless network, the fixed network, or the Internet.
  • Wireless network users can access the traditional 802.3 LANs.
  • Users can access the WLAN using different authentication and encryption modes to ensure security.
  • Seamless roaming, secure network access and a mobile area are provided for wireless network users.
• WLAN, Wi-Fi, and 802.11 refer to the same technology.

WLAN Security Overview

• The wireless security mechanisms provided by the 802.11 protocol can defend against general network attacks. Some attackers, however, can still intrude into the wireless network, so the 802.11 protocol cannot comprehensively protect sensitive data. A protocol with a better security mechanism is required.
• The USG2000 system uses the WLAN security feature to enhance system security and health. The WLAN security feature uses the WLAN-MAC to check the access security of 802.11 clients.

WLAN Basic Concepts

• Wireless client (STA)
  On a network, all the devices that connect to the wireless medium are called wireless clients. Each wireless client must have a wireless network card that supports the 802.11 standard. Wireless clients are classified into APs and clients.
• Access point (AP)
  The AP functions as a bridge between the wireless network user and the LAN. Frames are converted between wired and wireless transmission between the user end and the LAN end. The USG2100/2200 functions as an AP.
• Client
  The clients include fixed devices such as laptops, personal digital assistants, IP phones, PCs, or workstations that are equipped with wireless network cards.
• Wireless router
  The wireless router is a router that provides the wireless access function, for example, a router that provides L3 interfaces and functions as a Fat AP. All the wireless clients can access the wired network, fixed network, or Internet through the wireless router. In this document, the Fat AP and the wireless router refer to the same device.
• USG2100/USG2200

WLAN Basic Concepts

• Open system authentication
  Open system authentication is the default authentication mechanism. It is also the simplest authentication algorithm, that is, no authentication. When the authentication mode is set to open system authentication, all clients are allowed to access the WLAN.
• Shared key authentication
  Shared key authentication is mainly applicable to pre-RSN devices. This authentication mode is used only when WEP encryption is enabled, and it exists for backward compatibility with legacy devices.
• Wired Equivalent Privacy (WEP) encryption
  WEP encryption is used to protect the confidentiality of the data exchanged between authenticated users on the wireless LAN. WEP encryption can prevent the data from being intercepted.
• TKIP encryption
  TKIP encryption is used to enhance the security of the WEP protocol on pre-RSN devices. The security of TKIP encryption is much higher than that of WEP encryption.
• Advanced Encryption Standard (AES) encryption
  AES encryption is applicable only to RSNA clients. The CCM and the counter mode (CTR) are used together to perform the privacy check. This encryption level is the highest.
• Wi-Fi Protected Access (WPA)
  WPA is used to ensure the security of the wireless PC network. WPA complies with the major IEEE 802.11i standards. The WEP authentication and encryption features are improved in WPA.

WLAN Network Topology

[Figure: a headquarters site connected to the Internet and, through VPN, ADSL and ISDN links, to the PSTN; a Fat AP serves a fax, an analogue phone, PCs, a printer, a laptop, a video phone, a WiFi phone and a PDA.]

WLAN Configuration Example 1 (CLI)

[Figure: two stations associate with the AP over WLAN-BSS2; the AP's Ethernet1/0/0 faces the stations and its Ethernet0/0/0 faces the router.]

Networking requirements:
• The AP connects to the router over the Ethernet0/0/0 interface (added to the Untrust zone). The fixed IP address of the Ethernet0/0/0 interface is 202.169.10.1/24. The IP address of the router is 202.169.10.2/24.
• The IP addresses of the stations on the Ethernet1/0/0 interface are 192.168.1.2/24 and 192.168.1.3/24.
• The station connects to the AP (SRG) using the wireless network card. The SSID is WLAN100. The authentication mode is set to WPA2-PSK. The CCMP encryption suite is configured. The pre-shared key (PSK) is abcdefgh.
• The WLAN is configured to provide wireless access for the stations.

WLAN Configuration Example 2 (CLI)

• Configuration procedure:

Create the Vlanif 2 interface.
  [SRG] interface Vlanif 2
  [SRG-Vlanif2] ip address 192.168.1.1 24

Configure the WLAN-BSS interface.
  [SRG] interface wlan-bss 2
  [SRG-Wlan-Bss2] port access vlan 2

Configure the services.
  [SRG] wlan service-class 2 crypto
  [SRG-wlan-sc-2] ssid WLAN100
  [SRG-wlan-sc-2] authentication-method wpa2-psk
  [SRG-wlan-sc-2] encryption-suite ccmp
  [SRG-wlan-sc-2] pre-shared-key pass-phrase abcdefgh
  [SRG-wlan-sc-2] service-class enable

WLAN Configuration Example 3 (CLI)

• Configure the RF interface.
  [SRG] interface wlan-rf 4/0/0
  [SRG-Wlan-rf4/0/0] radio-type dot11gn
  [SRG-Wlan-rf4/0/0] bind service-class 2 interface wlan-bss 2

• Configure the wireless network card for the client.
  • Set the IP address of the wireless network card to 192.168.1.10/24.
  • Ensure that the SSID, encryption mode, and PSK of the wireless network card are the same as those set on the SRG.

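The service class above combines an SSID (WLAN100), WPA2-PSK authentication, the CCMP suite and a pass-phrase (abcdefgh). The Python example below, added here and not part of the Huawei course or USG software, shows what the pass-phrase actually becomes: IEEE 802.11i maps an 8- to 63-character printable ASCII pass-phrase to the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. Two consequences for the operator follow from that mapping and are checked in the code: the PMK is bound to the SSID, so changing either value changes the key on every station, and the key is only as strong as the pass-phrase, so an eight-character lowercase value sits at the minimum the standard allows. The strength rule (20 characters or three character classes) is this example's own policy, not part of the standard.

```python
# Added illustration: WPA2-PSK pass-phrase check and PMK derivation for the
# service class on the WLAN slides. Constructed for this page; not Huawei
# code. PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations is the
# IEEE 802.11i pass-phrase-to-PSK mapping; the 20-character / three-class
# strength rule is this example's own policy, not part of the standard.
import hashlib
from typing import List

PSK_MIN_LEN, PSK_MAX_LEN = 8, 63       # 802.11i pass-phrase length bounds
PBKDF2_ITERATIONS, PMK_LEN = 4096, 32  # 802.11i: 4096 rounds, 256-bit PMK


def format_errors(passphrase: str) -> List[str]:
    """Violations of the 802.11i pass-phrase format (8-63 printable ASCII)."""
    errors = []
    if not PSK_MIN_LEN <= len(passphrase) <= PSK_MAX_LEN:
        errors.append(f"length must be {PSK_MIN_LEN}-{PSK_MAX_LEN} characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        errors.append("only printable ASCII characters are allowed")
    return errors


def strength_warnings(passphrase: str) -> List[str]:
    """Assumed local policy: short pass-phrases must mix character classes."""
    classes = sum((any(c.islower() for c in passphrase),
                   any(c.isupper() for c in passphrase),
                   any(c.isdigit() for c in passphrase),
                   any(not c.isalnum() for c in passphrase)))
    if len(passphrase) < 20 and classes < 3:
        return ["weak: shorter than 20 characters with fewer than three character classes"]
    return []


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(pass-phrase, SSID, 4096, 32 bytes)."""
    errors = format_errors(passphrase)
    if errors:
        raise ValueError("; ".join(errors))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


if __name__ == "__main__":
    # Values from the slide: SSID WLAN100, pre-shared key abcdefgh.
    print(strength_warnings("abcdefgh"))
    print(derive_pmk("abcdefgh", "WLAN100").hex())
```

Because the SSID is the salt, a site that reuses one pass-phrase under several SSIDs still ends up with a different PMK per SSID; conversely, renaming the SSID in `ssid WLAN100` silently changes the key and every station must reconnect.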
Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology

3G Overview

• What is 3G?
• 3G standards
  • WCDMA
  • TD-SCDMA
  • CDMA2000
• 3G applications

3G Implementation Modes

• The data cards determine the supported wireless interface standards. At present, the USG series supports three types of data cards, with Express interfaces, USB interfaces, and MIC card interfaces.

[Figure: 3G data card with Express interface; 3G data card with USB interface; 3G data card with MIC interface.]

Installation of 3G Data Cards

• LAN users can access the WAN over the uplink using the 3G data cards.
• A device supports only one 3G data card at a time. You cannot install multiple 3G data cards on one device. When replacing the 3G data card, you must pull out the existing data card and then install the new data card.
• Ensure that the subscriber identity module (SIM) or UMTS subscriber identity module (USIM) is installed on the data card. Check whether the SIM card insertion direction is correct. The SIM is provided by the carrier.
• Insert the 3G data card into the corresponding port of the USG2100.

3G Implementation Principles

The 3G functions are implemented on the following modules:
• Dial control center (DCC)
  It determines the dialing triggering mode.
• MODEM simulation
  It simulates the MODEM to send the corresponding dialing digits.
• Data card management
  It manages and obtains the current data card information, including the APN configuration and status information.
• Link control
  It converts the received data to the required format to implement data forwarding or other functions.

3G Application Configuration Example – CLI Mode

• The USG2200 connects to the enterprise internal network over the Ethernet 1/0/0 interface and connects to the Internet over the USB 3G 5/0/0 interface. The configurations are as follows:
  • The IP address of the enterprise network is on the network segment 192.168.1.0/24.
  • The dialing is performed at the Dialer 0 interface.
  • The IP address of the Express-3G interface is allocated by the wireless network through negotiation.

[Figure: networking diagram of dialing over the Dialer interface.]

3G Typical Configuration (CLI)

China Telecom CDMA2000 (E169C):
  firewall packet-filter default permit all
  #
  dialer-rule 1 ip permit
  #
  interface Dialer0
   link-protocol ppp
   // For the CDMA2000 network, configure the PPP authentication information.
   ppp chap user card
   ppp chap password simple card
   ppp ipcp dns admit-any
   ip address ppp-negotiate
   dialer enable-circular
   dialer-group 1                 // This ID is the same as the corresponding dialer-rule ID.
   dialer timer idle 60
   dialer timer autodial 10
   dialer number #777 autodial    // For the CDMA2000 network, the dialer number is #777.
  #
  interface Cellular5/0/0
   // For the CDMA2000 network, no APN parameter needs to be configured.
   link-protocol ppp
   dialer circular-group 0        // This SN must be the same as the corresponding dialer interface number.
  #
  ip route-static 0.0.0.0 0.0.0.0 Dialer0

China Unicom WCDMA (E180):
  firewall packet-filter default permit all
  #
  dialer-rule 1 ip permit
  #
  interface Dialer0
   link-protocol ppp
   // For the TD-SCDMA and WCDMA networks, PPP authentication is not required.
   ppp ipcp dns admit-any
   ip address ppp-negotiate
   dialer enable-circular
   dialer-group 1                 // This ID is the same as the corresponding dialer-rule ID.
   dialer timer idle 60
   dialer timer autodial 10
   dialer number *99# autodial    // The dialer number for the TD-SCDMA and WCDMA networks is *99#.
  #
  interface Cellular5/0/0
   apn UNINET                     // For the WCDMA standard, the APN is set to UNINET.
   link-protocol ppp
   dialer circular-group 0        // This SN must be the same as the corresponding dialer interface number.
  #
  ip route-static 0.0.0.0 0.0.0.0 Dialer0

China Mobile TD-SCDMA (ET128):
  firewall packet-filter default permit all
  #
  dialer-rule 1 ip permit
  #
  interface Dialer0
   link-protocol ppp
   // For the TD-SCDMA and WCDMA networks, PPP authentication is not required.
   ppp ipcp dns admit-any
   ip address ppp-negotiate
   dialer enable-circular
   dialer-group 1                 // This ID is the same as the corresponding dialer-rule ID.
   dialer timer idle 60
   dialer timer autodial 10
   dialer number *99# autodial    // The dialer number for the TD-SCDMA and WCDMA networks is *99#.
  #
  interface Cellular5/0/0
   apn CMNET                      // For the TD-SCDMA standard, the APN is set to CMNET.
   link-protocol ppp
   dialer circular-group 0        // This SN must be the same as the corresponding dialer interface number.
  #
  ip route-static 0.0.0.0 0.0.0.0 Dialer0

Public configuration: Add the interface to the trusted zone. Set the NAT policies for the private network users to access the public network. Set the routes to access the public network.

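Both the ADSL example (steps 5 to 9: zone membership for Vlanif 1 and Dialer 1, an interzone policy, the easy-ip NAT policy and the default route) and the 3G configurations above end with the same operational steps, and the 3G templates start with `firewall packet-filter default permit all`, which turns the firewall's default interzone action into permit. The Python example below is added here and is not Huawei code: it reads a USG-style CLI transcript (prompt prefixes such as `[USG-Dialer1]` are stripped; the line formats are taken from these slides) and reports what an operator should verify before going live: Layer 3 interfaces that belong to no security zone, a dial-up interface that is not in untrust, an interzone rule that permits without any match condition, the default-permit setting, and an easy-ip interface without a default route. The two sample configurations are reconstructed from the ADSL and WCDMA slides.

```python
# Added illustration: audit the zone, policy, NAT and route steps of a
# USG-style WAN access configuration. Constructed for this page; not Huawei
# code. The CLI line formats are taken from the ADSL and 3G configuration
# slides; the checks encode the slides' own requirements (every L3 interface
# in a zone, dial-up interface in untrust, NAT plus default route on the
# dial-up interface) and one security caveat (catch-all permits).
import re
from typing import List, Optional

PROMPT = re.compile(r"^(?:<[^>]*>|\[[^\]]*\])\s*")         # <USG> / [USG-...]
IFACE = re.compile(r"^interface\s+([A-Za-z-]+\s*[\d/:]+)$")  # Dialer 1, Cellular5/0/0
ZONE = re.compile(r"^firewall\s+zone\s+(\S+)$")
ADD_IF = re.compile(r"^add\s+interface\s+(.+)$")
POLICY_HDR = re.compile(r"^policy\s+interzone\s+(\S+)\s+(\S+)\s+(inbound|outbound)$")
POLICY_ID = re.compile(r"^policy\s+(\d+)$")
MATCH = re.compile(r"^policy\s+(source|destination|service)\b")
EASY_IP = re.compile(r"^easy-ip\s+(.+)$")
DEFAULT_ROUTE = re.compile(r"^ip\s+route-static\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(.+)$")


def _norm(name: str) -> str:
    """'Dialer 1' and 'Dialer1' both become 'dialer1'."""
    return re.sub(r"\s+", "", name).lower()


def parse_config(cfg: str) -> dict:
    st = {"l3": set(), "zone_of": {}, "easy_ip": set(), "default_route": set(),
          "default_permit": False, "catch_all": []}
    iface: Optional[str] = None
    zone: Optional[str] = None
    policy: Optional[str] = None
    rule, has_match = None, False
    for raw in cfg.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("#"):
            continue
        if m := IFACE.match(line):
            iface, zone, policy = _norm(m.group(1)), None, None
        elif line.startswith("ip address") and iface:
            st["l3"].add(iface)                    # interface forwards at layer 3
        elif m := ZONE.match(line):
            zone, iface, policy = m.group(1), None, None
        elif (m := ADD_IF.match(line)) and zone:
            st["zone_of"][_norm(m.group(1))] = zone
        elif line == "firewall packet-filter default permit all":
            st["default_permit"] = True
        elif m := POLICY_HDR.match(line):
            policy, iface, zone = " ".join(m.groups()), None, None
        elif line.startswith("nat-policy"):
            policy, iface, zone = None, None, None  # NAT rules are not filter rules
        elif (m := POLICY_ID.match(line)) and policy:
            rule, has_match = m.group(1), False
        elif MATCH.match(line):
            has_match = True
        elif line == "action permit" and policy and not has_match:
            st["catch_all"].append(f"interzone {policy} policy {rule}")
        elif m := EASY_IP.match(line):
            st["easy_ip"].add(_norm(m.group(1)))
        elif m := DEFAULT_ROUTE.match(line):
            st["default_route"].add(_norm(m.group(1)))
        elif line == "quit":
            iface = zone = None
    return st


def audit(cfg: str) -> List[str]:
    """Return findings; an empty list means the hygiene checks all pass."""
    st = parse_config(cfg)
    findings: List[str] = []
    if st["default_permit"]:
        findings.append("firewall packet-filter default permit all: traffic matched by no "
                        "interzone policy is permitted; prefer the default deny")
    for iface in sorted(st["l3"]):
        zone = st["zone_of"].get(iface)
        if zone is None:
            findings.append(f"{iface}: has an IP address but belongs to no security zone")
        elif iface.startswith(("dialer", "cellular")) and zone != "untrust":
            findings.append(f"{iface}: dial-up WAN interface is in zone '{zone}', expected untrust")
    for p in st["catch_all"]:
        findings.append(f"{p}: 'action permit' without match conditions permits all traffic in that direction")
    for iface in sorted(st["easy_ip"]):
        if iface not in st["default_route"]:
            findings.append(f"{iface}: easy-ip NAT uses this interface but no default route points to it")
    return findings


# Constructed samples reassembled from the ADSL (steps 1, 5-9) and WCDMA 3G slides.
ADSL_SLIDE_CONFIG = """\
[USG] dialer-rule 1 ip permit
[USG] interface Dialer 1
[USG-Dialer1] link-protocol ppp
[USG-Dialer1] ip address ppp-negotiate
[USG-Dialer1] quit
[USG] interface Vlanif 1
[USG-Vlanif1] ip address 192.168.0.1 24
[USG-Vlanif1] quit
[USG] firewall zone trust
[USG-zone-trust] add interface Vlanif 1
[USG] firewall zone untrust
[USG-zone-untrust] add interface Dialer 1
[USG] policy interzone trust untrust inbound
[USG-policy-interzone-trust-untrust-inbound] policy 0
[USG-policy-interzone-trust-untrust-inbound-0] action permit
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-1] easy-ip Dialer 1
[USG] ip route-static 0.0.0.0 0.0.0.0 Dialer 1
"""
THREE_G_SLIDE_CONFIG = """\
firewall packet-filter default permit all
#
dialer-rule 1 ip permit
#
interface Dialer0
 link-protocol ppp
 ppp ipcp dns admit-any
 ip address ppp-negotiate
 dialer enable-circular
 dialer-group 1
 dialer timer idle 60
 dialer timer autodial 10
 dialer number *99# autodial
#
interface Cellular5/0/0
 apn UNINET
 link-protocol ppp
 dialer circular-group 0
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0
"""

if __name__ == "__main__":
    for name, cfg in (("ADSL", ADSL_SLIDE_CONFIG), ("3G", THREE_G_SLIDE_CONFIG)):
        print(name, audit(cfg) or "OK")
```

On the ADSL sample the only finding is the inbound `policy 0 / action permit` from step 7, which admits every untrust-to-trust flow and deserves a narrower rule; on the 3G template the audit reports the default-permit setting and that Dialer0 has not yet been added to a zone, which is precisely the "public configuration" the slide leaves to the reader.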
3G Typical Configuration (Web)

[Screenshot of the Web configuration page; no text is recoverable.]

Summary

• Basic VLAN technologies
• SA and E1 WAN interface technologies
• Basic ADSL technologies
• WLAN and 3G wireless technologies

Questions

• What interface types does the VLAN support? How does each interface type process the tags?
• What are the encapsulation modes of E1 data frames? What are the differences between the encapsulation modes?
• What key deployment elements are involved in the ADSL configuration?
• What key deployment elements are involved in the WLAN configuration?
• What key deployment elements are involved in the 3G configuration?

Answer

Thank you

www.huawei.com

Chapter 6 VPN Overview

Objectives

• Upon completion of this course, you will be able to describe:
  • VPN concepts
  • Key VPN technologies
  • Types and applications of VPNs

Contents

1. VPN Introduction
2. VPN Technologies
3. VPN Types

VPN Definition

• VPN
  A Virtual Private Network (VPN) is built by establishing private data channels over a shared public network (usually the Internet) to connect the networks or terminals that need to access the private network, forming a private network that guarantees a certain level of security and QoS.
• Virtualization
  Users do not need to own physical data links for long-distance transmission. Instead, the long-distance data lines of the Internet are used to create the private network.
• Private network
  Secure information transport is provided by authenticating users and encrypting data, so that unauthorized persons cannot read the transmitted information.

Contents

1. VPN Introduction
2. VPN Technologies
3. VPN Types

Common VPN Technologies

Technology                Purpose
Tunneling                 Encrypts and decrypts data on both ends of a tunnel to create a data channel.
Identity authentication   Ensures the legitimacy and validity of the operators of a VPN.
Data authentication       Ensures that data cannot be illegitimately altered while it is sent over the network.
Encryption/decryption     Ensures that data cannot be illegitimately captured while it is sent over the network.
Key management            Sends the key securely over an insecure network.

Tunneling

(Figure: tunnels across the Internet connect a branch, a SOHO user, and an employee on a business trip to the headquarters.)

Cryptography

1.1 What is cryptography
1.2 Classification of encryption technologies
1.3 Key management technologies

Cryptography

• Encryption: from plain text to cipher text

  Plain text + Key  →  Encryption  →  Cipher text

  C = E(K, P)

Cryptography

(Figure: cryptography in the centre, surrounded by the four goals it serves)
• Confidentiality
• Integrity
• Availability
• Non-repudiation

Development of Cryptography

Development of encryption technologies:
• Scytale
• Caesar cipher
• Rail fence cipher
• Cipher machine

Cryptography

1.1 What is cryptography
1.2 Classification of encryption technologies
1.3 Key management technologies

Key-based Classification

• Key
  • Private key
  • Public key
• Symmetric encryption
  • The same key is used for encryption and decryption.
• Asymmetric encryption
  • Two different keys are used for encryption and decryption. What one key encrypts, only the other can decrypt. The private key is used for data protection, while the public key is used by users in the same system to check the validity of the information and the identity of the sender.

Symmetric Encryption Algorithms

(Figure) Sender and receiver hold the same shared key (Key = 1010110101…):

  Sender:    abcdef  →  Encryption algorithm (E)  →  *$@g)(!34*^hcftibf
  Receiver:  *$@g)(!34*^hcftibf  →  Decryption algorithm (D)  →  abcdef

Common Symmetric Encryption Algorithms

• Stream (flow) encryption: the plain text is combined with a key stream to produce the cipher text.
  • RC4
• Block encryption: the plain text is processed block by block through round 1 … round N to produce the cipher text.
  • DES
  • 3DES
  • AES
  • IDEA
  • RC2, RC5, and RC6

Asymmetric Encryption Algorithms

(Figure) The sender searches the public key database for the public key of the key pair (Public key = 1111010101…); the receiver holds the matching private key (Private key = 1010110101…):

  Sender:    abcdef  →  Encryption algorithm (E), public key  →  &^(#!b&%2(#c7(*@!Cs
  Receiver:  &^(#!b&%2(#c7(*@!Cs  →  Decryption algorithm (D), receiver's private key  →  abcdef

Comparison Between Symmetric and Asymmetric Algorithms

• Symmetric key algorithm
  • Advantage: fast encryption/decryption
  • Disadvantage: transmission (distribution) of keys
• Asymmetric key algorithm
  • Advantage: high security of keys
  • Disadvantage: encryption/decryption is slow

Key Exchange

(Figure) A session key protects the data, and the receiver's key pair protects the session key. Example plain text: "Huawei Symantec"; cipher text: "tr09 vi16vsk".

Sender:
  1. Encrypt the plain text with the session key → cipher text.
  2. Encrypt the session key with the receiver's public key.
  Transmission of the cipher text and the encrypted session key.
Receiver:
  3. Decrypt the session key with the receiver's private key.
  4. Decrypt the cipher text with the session key → plain text.

Hash Algorithm

• Hash algorithm: input data of any length is changed to output data of fixed length.

  h = H(M)

• Common hash algorithms
  • MD5
  • SHA-1

Digital Signature

(Figure) Plain text: "Huawei Symantec"; summary: "tr09 vi16vsk"; digital signature: "PGGjx &%9$".

Sender:
  1. Run the hash function over the plain text → summary.
  2. Encrypt the summary with the sender's private key → digital signature.
  3. Send the digital signature together with the plain text.
Receiver:
  4. Decrypt the digital signature with the sender's public key → summary.
  5. Run the hash algorithm over the received plain text → new summary.
  6. Compare the two summaries.
  7. If they are the same: 1. the plain text was not altered; 2. it was sent by the sender.

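The Key Exchange slide (steps 1-4) and the Digital Signature slide (steps 1-7) carried out in code, as an added example that is not part of the course material. Assumptions: textbook RSA on two deliberately small Mersenne-prime moduli (no padding), SHA-256 as the hash function, and a SHA-256 keystream standing in for the symmetric algorithm; these keep every step visible in plain Python and protect nothing.

```python
"""Key exchange and digital signature as drawn on the two slides.

Added example, not Huawei's code. Assumptions: textbook RSA on two small
Mersenne-prime moduli (no padding), SHA-256 as the hash function, and a
SHA-256 keystream standing in for the symmetric algorithm. The moduli are far
too small to protect anything; they exist so every step fits in plain Python.
"""
import hashlib
import secrets

SESSION_KEY_LEN = 10  # bytes; as an integer the key stays below both toy moduli


def rsa_keypair(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d)) for textbook RSA."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(value, key):
    """Raise value to the key's exponent mod n: encrypt, decrypt, sign or verify."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def keystream_xor(key, data):
    """Stand-in symmetric algorithm: XOR with a SHA-256 counter keystream. The same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def summary(plaintext, n):
    """Hash the plain text (the slide's 'summary'), reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n


def sign(plaintext, sender_private):
    """Digital Signature steps 1-2: hash, then encrypt the summary with the sender's private key."""
    return rsa_apply(summary(plaintext, sender_private[0]), sender_private)


def verify(plaintext, signature, sender_public):
    """Steps 4-6: decrypt the signature with the sender's public key, compare with a new summary."""
    return rsa_apply(signature, sender_public) == summary(plaintext, sender_public[0])


def send(plaintext, sender_private, receiver_public):
    """Sender side: Key Exchange steps 1-2, plus the signature that travels with the data (step 3)."""
    session_key = secrets.token_bytes(SESSION_KEY_LEN)
    return {
        "ciphertext": keystream_xor(session_key, plaintext),                            # step 1
        "wrapped_key": rsa_apply(int.from_bytes(session_key, "big"), receiver_public),  # step 2
        "signature": sign(plaintext, sender_private),
    }


def receive(message, receiver_private, sender_public):
    """Receiver side: Key Exchange steps 3-4, then Digital Signature steps 4-7."""
    key_int = rsa_apply(message["wrapped_key"], receiver_private)          # step 3
    session_key = key_int.to_bytes(SESSION_KEY_LEN, "big")
    plaintext = keystream_xor(session_key, message["ciphertext"])          # step 4
    authentic = verify(plaintext, message["signature"], sender_public)     # not altered, sent by sender
    return plaintext, authentic


# Constructed key pairs: 2^31-1, 2^61-1 and 2^89-1 are Mersenne primes.
SENDER_PUB, SENDER_PRIV = rsa_keypair(2**31 - 1, 2**61 - 1)
RECEIVER_PUB, RECEIVER_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)


def demo(plaintext=b"Huawei Symantec", tamper=False):
    """Round trip; with tamper=True one cipher-text byte is flipped in transit."""
    msg = send(plaintext, SENDER_PRIV, RECEIVER_PUB)
    if tamper:
        ct = bytearray(msg["ciphertext"])
        ct[0] ^= 0x01
        msg["ciphertext"] = bytes(ct)
    return receive(msg, RECEIVER_PRIV, SENDER_PUB)


if __name__ == "__main__":
    print(demo())              # (b'Huawei Symantec', True)
    print(demo(tamper=True))   # (altered bytes, False)
```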
Digital Certificates

• Bearer of the public key
• Digital certificate format: X.509
• Issued by a trustworthy organization
• Storage of the digital certificate
• Path to the certificate: a trusted link

(Figure: example certificate fields)
  Subject: XXX
  Public key: 9f 0a 34 ...
  Validity: 5/5/2008-5/5/2009
  Serial Number: 123465
  Issuer: CA
  Signature: CA digital signature

Cryptography

1.1 What is cryptography
1.2 Classification of encryption technologies
1.3 Key management technologies

Key Management Technologies

• Key management technologies
  • Generation of keys
  • Assignment and storage
  • Replacement and destruction

Key Management System

• A complete key management system should ensure that:
  • The key is difficult to steal or copy.
  • A stolen key is useless, because its use is limited in scope and time.
  • Assignment and replacement of keys are transparent to users.
  • Core keys are kept separately by their respective owners.

Key Management Strategy

• A complete key management policy should meet the following requirements:
  • The password control policy allows or forbids users to reuse an old password (compulsory password history), and determines the duration between two password changes (maximum password lifetime and minimum password lifetime), the minimum password length, and the required combination of case-sensitive letters, numbers, and special characters (password complexity requirements).
  • The account lockout policy determines how many login failures within a specific time period the system accepts before it locks an account.
  • Legal requirements and service contract

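The password control and account lockout rules listed above, evaluated in code, as an added example that is not part of the course material. The thresholds are constructed defaults and the password history is kept as SHA-256 digests only to make the comparison visible; a production store would use a salted, slow hash.

```python
"""Password control and account lockout policy checks, as listed on the slide.

Added example, not Huawei's code. Thresholds below are constructed defaults;
the password history holds SHA-256 digests only so the reuse check is visible.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib


@dataclass
class PasswordPolicy:
    min_length: int = 8
    history_size: int = 5                       # compulsory password history
    min_lifetime: timedelta = timedelta(days=1)   # minimum password lifetime
    max_lifetime: timedelta = timedelta(days=90)  # maximum password lifetime
    complexity_classes: int = 3                 # of: lower, upper, digit, special
    lockout_threshold: int = 5                  # failures tolerated inside the window
    lockout_window: timedelta = timedelta(minutes=15)
    lockout_duration: timedelta = timedelta(minutes=30)


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)   # newest digest first
    last_change: datetime = None
    failures: list = field(default_factory=list)  # timestamps of failed logins
    locked_until: datetime = None


T0 = datetime(2010, 1, 1, 9, 0)   # constructed reference time


def later(t, **delta):
    """t + timedelta(**delta), a small convenience for the demo."""
    return t + timedelta(**delta)


def digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


def complexity(password):
    """Number of character classes present: lower, upper, digit, special."""
    classes = [str.islower, str.isupper, str.isdigit,
               lambda c: not c.isalnum() and not c.isspace()]
    return sum(any(f(c) for c in password) for f in classes)


def check_new_password(policy, account, password, now):
    """Return the list of policy violations; an empty list means the change is allowed."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than minimum length")
    if complexity(password) < policy.complexity_classes:
        problems.append("does not meet complexity requirements")
    if digest(password) in account.history[:policy.history_size]:
        problems.append("reuses a password in the history")
    if account.last_change and now - account.last_change < policy.min_lifetime:
        problems.append("minimum password lifetime not reached")
    return problems


def change_password(policy, account, password, now):
    """Apply the change when it passes the checks; return the violations either way."""
    problems = check_new_password(policy, account, password, now)
    if not problems:
        account.history.insert(0, digest(password))
        del account.history[policy.history_size:]
        account.last_change = now
    return problems


def password_expired(policy, account, now):
    return account.last_change is None or now - account.last_change > policy.max_lifetime


def is_locked(account, now):
    return account.locked_until is not None and now < account.locked_until


def record_failure(policy, account, now):
    """Count failures inside the window; lock the account once the threshold is reached."""
    account.failures = [t for t in account.failures if now - t <= policy.lockout_window]
    account.failures.append(now)
    if len(account.failures) >= policy.lockout_threshold:
        account.locked_until = now + policy.lockout_duration
        account.failures.clear()
    return is_locked(account, now)


if __name__ == "__main__":
    pol, acc = PasswordPolicy(), Account("pc1")
    print(change_password(pol, acc, "Pc1-Secret9", T0))             # []
    print(check_new_password(pol, acc, "short", later(T0, days=2)))  # two violations
```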
Contents

1. VPN Introduction
2. VPN Technologies
3. VPN Types

Service-based VPN Classification (1)

(Figure: a mobile office employee reaches the headquarters' data center and VPN management system through a VPDN gateway.)

• Access VPN
  • Employees of an enterprise need to work remotely during business trips, or the enterprise needs to provide a B2C secure access service.

Service-based VPN Classification (2)

(Figure: large/medium-sized and small/medium-sized branches connect gateway to gateway to the headquarters' data center and VPN management system.)

• Intranet VPN
  • Interconnecting the branches of an enterprise

Service-based VPN Classification (3)

(Figure: customers and suppliers connect to the headquarters' data center and VPN management system.)

• Extranet VPN
  • Providing Business to Business (B2B) secure access

Layer-based VPN Classification

• Layer-3 VPN (network layer): GRE, IPSec
• Layer-2 VPN (data link layer): PPTP, L2F, L2TP

Summary

• VPN concepts
• Key VPN technologies
• Types and applications of VPNs

Questions

• What are the features of symmetric encryption and asymmetric encryption respectively?
• What is the difference between an encryption algorithm and a hash algorithm?
• Does a longer key strengthen the encryption? Can we analyze this based on different encryption algorithms?
• What are the functions of tunneling in the VPN technology?
• Why is L2TP an L2VPN protocol, while GRE and IPSec are L3VPN protocols?

Answer

Thank you

Chapter 7 L2TP VPN

Objectives

• Upon completion of this course, you will be able to describe:
  • Application scenarios of VPDN
  • Basic concepts of L2TP
  • Application scenarios of VPDN in Client-Initialized and NAS-Initialized modes
  • Configuration methods of L2TP

Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP

VPDN Overview

(Figure: two VPDN access modes)
• Network device to VPDN gateway: the client is connected directly to the enterprise gateway through the access device and the Point-to-Point Protocol (PPP). Currently, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) are available for this mode.
• Client to VPDN gateway: the client is connected to the Internet and then to the gateway through dedicated software, for example, the L2TP client supported by Windows 2000.

• Virtual Private Dial Network (VPDN) refers to a virtual private network that is implemented through the dialing function of a public network, such as an Integrated Services Digital Network (ISDN) or Public Switched Telephone Network (PSTN) access network. VPDN can provide access for enterprises, small Internet service providers (ISPs), and mobile office users.
• There are three types of VPDN tunneling protocols, namely, Point-to-Point Tunneling Protocol (PPTP), L2F, and Layer 2 Tunneling Protocol (L2TP). Currently, L2TP is widely used.

Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP

L2TP Overview

• L2TP is short for Layer Two Tunneling Protocol.
  • It was developed for the transparent transmission of PPP packets between users and enterprise servers. It provides a tunnel for transmitting PPP packets at the data link layer.
  • It combines the advantages of L2F and PPTP, and therefore became the IETF industry standard for Layer-2 tunneling protocols.
• Main usage: remote branches and employees on business trips can access the enterprise headquarters network through a virtual tunnel established over the public network.

Features of L2TP

• Identity authentication
• Multi-protocol transmission
• High reliability
• RADIUS support
• Flexible accounting
• Internal address assignment

L2TP VPN Protocol Components

• L2TP message
  • Data message
  • Control message

(Figure: an employee on a business trip dials in over PSTN/ADSL to the LAC; an L2TP tunnel carrying sessions runs from the LAC to the LNS at the headquarters; the LAC and the LNS each use a RADIUS server.)

• LAC: L2TP Access Concentrator
• LNS: L2TP Network Server

L2TP Protocol Stack and Encapsulation Process

• Structure of the L2TP protocol stack

  Public IP header | UDP | L2TP | PPP | Private IP header | Data

• L2TP encapsulation process

  Client            LAC               LNS               Server
  Private IP        Private IP        Private IP        Private IP
  PPP               PPP               PPP               Link layer
  Link layer        L2TP              L2TP              Physical layer
  Physical layer    UDP               UDP
                    Public IP         Public IP
                    Link layer        Link layer
                    Physical layer    Physical layer

L2TP Messages and Formats

• Control message: applies to the establishment, maintenance, and transmission control of tunnel and session connections.
• Data message: encapsulates PPP frames and transmits them along the tunnel.

L2TP header format (bit positions 0-31):

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  T L X X S X O P X X X X   Ver   |              Length
              Tunnel ID           |            Session ID
                 Ns               |                Nr
             Offset Size          |             Offset pad

• T indicates the message type. 1: control message; 0: data message.

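A parser for the header laid out on the slide, as an added example that is not part of the course material; it follows L2TPv2 (RFC 2661), where the Length, Ns/Nr and Offset fields are present only when the L, S and O bits are set. The two packets are constructed by hand and are not captures.

```python
"""Parse the L2TP header drawn on the slide (L2TPv2, RFC 2661).

Added example, not Huawei's code. The two packets are constructed by hand:
the header of a control message of the kind that opens a tunnel, and a data
message carrying the first bytes of a PPP frame behind an offset pad.
"""
import struct

T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100


def parse_l2tp(packet):
    """Return the header fields and payload of one L2TP message (the UDP payload) as a dict."""
    (flags,) = struct.unpack_from("!H", packet, 0)
    version = flags & 0x000F
    if version != 2:
        raise ValueError("not an L2TPv2 header (Ver=%d)" % version)
    hdr = {
        "type": "control" if flags & T_BIT else "data",   # T bit: 1 control, 0 data
        "length_present": bool(flags & L_BIT),            # L bit: Length field follows
        "sequence_present": bool(flags & S_BIT),          # S bit: Ns/Nr fields follow
        "offset_present": bool(flags & O_BIT),            # O bit: Offset Size and pad follow
        "priority": bool(flags & P_BIT),                  # P bit: preferential treatment
        "version": version,
    }
    pos = 2
    if hdr["length_present"]:
        (hdr["length"],) = struct.unpack_from("!H", packet, pos)
        pos += 2
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack_from("!HH", packet, pos)
    pos += 4
    if hdr["sequence_present"]:
        hdr["ns"], hdr["nr"] = struct.unpack_from("!HH", packet, pos)   # next sent / next expected
        pos += 4
    if hdr["offset_present"]:
        (offset,) = struct.unpack_from("!H", packet, pos)
        pos += 2 + offset                                  # skip the Offset pad
    # A control message must carry Length and Ns/Nr and must not carry an offset.
    if hdr["type"] == "control" and (
        not hdr["length_present"] or not hdr["sequence_present"] or hdr["offset_present"]
    ):
        raise ValueError("malformed control message flags")
    end = hdr.get("length", len(packet))
    if end > len(packet) or pos > end:
        raise ValueError("header or Length field runs past the packet")
    hdr["payload"] = packet[pos:end]
    return hdr


def is_well_formed(packet):
    """True when parse_l2tp accepts the packet."""
    try:
        parse_l2tp(packet)
        return True
    except (ValueError, struct.error):
        return False


# Constructed: control header, T L S set and Ver=2 (0xC802), Length 12, Tunnel ID 1,
# Session ID 0, Ns 0, Nr 0; the AVPs of a real control message would follow.
CONTROL = bytes.fromhex("c802 000c 0001 0000 0000 0000")
# Constructed: data message, L and O set, Ver=2 (0x4202), Length 16, Tunnel ID 8, Session ID 1,
# Offset Size 2, two pad bytes, then the PPP frame bytes ff 03 00 21 (HDLC address/control, IP).
DATA = bytes.fromhex("4202 0010 0008 0001 0002 0000 ff03 0021")

if __name__ == "__main__":
    for pkt in (CONTROL, DATA):
        print(parse_l2tp(pkt))
```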
L2TP Session Establishment Process

(Figure: message exchange diagram; no text content is recoverable.)

Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP

L2TP VPN — Initiated by a Remote Dial-Up User

(Figure: a remote user, a remote branch, and a mobile office employee each build an L2TP tunnel directly to the LNS in front of the headquarters server.)

• The VPN acts as a truck; the LNS acts as a checkpoint.
• LNS: You can pass through.
• VPN user: OK. I send the goods by myself.

Typical Configuration of L2TP VPN — Client-LNS

(Figure) Mobile office employee — Internet — LNS (E1/0/1: 3.3.2.1/16 facing the Internet; E1/0/0: 192.168.1.1/24 facing the headquarters) — Headquarters

• Networking requirements
  • An enterprise sets up a VPN network. There is a VPN gateway (that is, a USG firewall) at the public network egress of the headquarters. Mobile office employees need to communicate with the service server in the enterprise through the L2TP tunnel.
  • The LNS uses local authentication. Here, the LNS is a USG firewall.

L2TP Configuration — Client

Start
  → Configure the IP address of the LNS server.
  → Disable IPSec.
  → Configure the authentication mode.
  → Enable tunnel authentication.
  → Configure the user name and password.
End

L2TP Configuration — LNS

Start
  → Perform basic configuration (including interface IP address).
  → Configure the virtual interface template.
  → Enable L2TP.
  → Configure the L2TP group of the LNS end.
  → In the AAA view, configure the user name of the VPDN group.
  → Enable the interzone filtering rule.
End

Typical Configuration of L2TP VPN — LNS (1)

• Create a virtual interface template.
  [LNS] interface Virtual-Template 1
• Set the IP address of the virtual interface template.
  [LNS-Virtual-Template1] ip address 10.1.1.1 24
• Configure the PPP authentication mode.
  [LNS-Virtual-Template1] ppp authentication-mode chap
• Assign an IP address from the address pool to the peer interface.
  [LNS-Virtual-Template1] remote address pool 1

Typical Configuration of L2TP VPN — LNS (2)

• Add the virtual interface template to a security zone.
  [LNS-zone-trust] add interface Virtual-Template 1
• Enable L2TP.
  [LNS] l2tp enable
• Configure an L2TP group.
  [LNS] l2tp-group 1
• Specify the name of the tunnel peer and the Virtual-Template to use when receiving a call.
  [LNS-l2tp1] allow l2tp virtual-template 1 (remote Client01)
• Enable L2TP tunnel authentication.
  [LNS-l2tp1] tunnel authentication
• Set an L2TP tunnel authentication password.
  [LNS-l2tp1] tunnel password simple hello

Typical Configuration of L2TP VPN — LNS (3)

• Configure the tunnel name of the local end.
  [LNS-l2tp1] tunnel name lns
• Enter the AAA view.
  [LNS] aaa
• Create the name and password of the local user.
  [LNS-aaa] local-user pc1 password simple pc1pc1
• Configure the user type.
  [LNS-aaa] local-user pc1 service-type ppp
• Configure a public IP address pool.
  [LNS-aaa] ip pool 1 4.1.1.1 4.1.1.99
• Configure default interzone packet-filtering rules.
  [LNS] firewall packet-filter default permit interzone local untrust

Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP

L2TP VPN — NAS Initiated

(Figure: a remote user dials in over PSTN with PPP, and a branch connects over Ethernet with PPPoE, to the LAC; the LAC builds L2TP tunnels to the LNS in front of the headquarters server; a mobile office employee is served the same way.)

• The VPN user acts as a truck; the LAC acts as a forwarder.
• LAC: Your goods can pass through. May I help you?
• VPN user: Deliver the goods to No. XX of XX Street.

Typical Configuration of L2TP VPN — LAC-LNS

(Figure) Branch — E0/0/0 1.1.1.1/24 LAC E0/0/1 2.2.1.1/16 — Internet — E1/0/1 3.3.2.1/16 LNS E1/0/0 3.1.1.1/24 — Headquarters

• Networking requirements:
  • A company sets up a VPN network. There is a VPN gateway (that is, a USG firewall) at the public network egress of the headquarters. Mobile office employees need to communicate with the service server in the enterprise through the L2TP tunnel.
  • The LNS uses local authentication. Here:
    • The LAC is a USG firewall.
    • The LNS is a USG firewall.

L2TP Configuration — LAC

Start
  → Perform basic configuration (including interface IP address).
  → Configure the virtual interface template and bind it to the physical interface.
  → Enable L2TP.
  → Configure the L2TP group of the LNS end.
  → In the AAA view, configure the user name of the VPDN group.
  → Enable the interzone filtering rule.
End

L2TP Configuration — LNS

Start
  → Perform basic configuration (including interface IP address).
  → Configure the virtual interface template.
  → Enable L2TP.
  → Configure the L2TP group of the LNS.
  → In the AAA view, configure the accounts of the VPDN group.
  → Enable the interzone filtering rule.
End

Typical Configurations of L2TP VPN — LAC (1)

• Create a virtual template interface.
  [LAC] interface Virtual-Template 1
• Configure the PPP authentication mode.
  [LAC-Virtual-Template1] ppp authentication-mode chap
• Bind the interface to the virtual interface template.
  [LAC] interface ethernet 0/0/0
  [LAC-Ethernet0/0/0] pppoe-server bind virtual-template 1
• Add the virtual interface template to the security zone.
  [LAC] firewall zone trust
  [LAC-zone-trust] add interface Virtual-Template 1
  [LAC-zone-trust] add interface ethernet 0/0/0

Typical Configurations of L2TP VPN — LAC (2)

• Enable L2TP.
  [LAC] l2tp enable
• Create an L2TP group.
  [LAC] l2tp-group 1
• Set the peer IP address for the L2TP tunnel.
  [LAC-l2tp1] start l2tp ip 3.3.2.1 fullusername pc1 (domain hs.com)
• Start L2TP tunnel authentication.
  [LAC-l2tp1] tunnel authentication
• Configure an authentication password for the L2TP tunnel.
  [LAC-l2tp1] tunnel password simple hello

Typical Configurations of L2TP VPN — LAC (3)

• Configure the name of the local end of the tunnel.
  [LAC-l2tp1] tunnel name lac
• Enter the AAA view.
  [LAC] aaa
• Configure the name and password for the local user.
  [LAC-aaa] local-user pc1 password simple pc1pc1
• Configure the default interzone packet filtering policy.
  [LAC] firewall packet-filter default permit interzone trust local
  [LAC] firewall packet-filter default permit interzone untrust local

Typical Configurations of L2TP VPN — LNS (1)

• Create a virtual interface template.
  [LNS] interface Virtual-Template 1
• Configure the IP address of the virtual interface template.
  [LNS-Virtual-Template1] ip address 10.1.1.1 24
• Configure the PPP authentication mode.
  [LNS-Virtual-Template1] ppp authentication-mode chap
• Allocate an IP address from the address pool to the peer interface.
  [LNS-Virtual-Template1] remote address pool 1

Typical Configurations of L2TP VPN — LNS (2)

• Add the virtual interface template to the security zone.
  [LNS-zone-trust] add interface Virtual-Template 1
• Enable L2TP.
  [LNS] l2tp enable
• Configure an L2TP group.
  [LNS] l2tp-group 1
• Specify the name of the tunnel peer and the Virtual-Template to use when receiving a call.
  [LNS-l2tp1] allow l2tp virtual-template 1
• Start L2TP tunnel authentication.
  [LNS-l2tp1] tunnel authentication
• Configure an L2TP tunnel authentication password.
  [LNS-l2tp1] tunnel password simple hello

Typical Configurations of L2TP VPN — LNS (3)

• Configure the name of the local end of the tunnel.
  [LNS-l2tp1] tunnel name lns
• Enter the AAA view.
  [LNS] aaa
• Create the user name and password of the local user.
  [LNS-aaa] local-user pc1 password simple pc1pc1
• Configure the user type.
  [LNS-aaa] local-user pc1 service-type ppp
• Configure a public IP address pool.
  [LNS-aaa] ip pool 1 4.1.1.1 4.1.1.99
• Configure default interzone packet filtering rules.
  [LNS] firewall packet-filter default permit interzone local untrust

L2TP VPN Configuration (Web)

(Screenshot of the Web configuration page; no text content is recoverable.)

Typical Configurations of L2TP VPN — Verification and Maintenance

• Display information about the current L2TP tunnel.
  <LAC> display l2tp tunnel
  LocalTID RemoteTID Remote Address Port Sessions Remote Name
  1        8         3.3.2.1        1701 1        lns
  Total tunnels = 1
• Display information about the current L2TP session.
  <LA-C> display l2tp session
  LocalSID RemoteSID LocalTID
  1        8         1
  Total session = 1

Precautions on L2TP VPN Configuration

• The LNS must be configured with the IP address of the virtual template. This template must be added to a zone.
• By default, the firewall carries out tunnel authentication. If tunnel authentication is not to be configured, run the undo tunnel authentication command.
• The address allocated to the L2TP dial-up user and the address of the internal network user must be on different network segments, so that the L2TP dial-up user can access internal network addresses.
• The USG5000 cannot be configured as the LAC.

Summary

• Application scenarios of VPDN
• Basic concepts of L2TP
• Application scenarios of VPDN in Client-Initialized and NAS-Initialized modes
• Configuration methods of L2TP

Questions

• What security services can the L2TP VPN provide? What are the restrictions?
• What are the two trigger conditions for the LAC to establish an L2TP tunnel connection? What are the differences between them?
• What information does the LNS use to identify L2TP packets?
• What are the differences between the LAC/client and the LNS/server in data packets?
• In what situation should tunnel authentication be disabled for Client-Initialized L2TP?
• Why do an LAC virtual interface template and its corresponding physical interface Ethernet 0/0/0 not need to be configured with IP addresses?
• What is the application scenario of L2TP group number 1 (default group)? What are the differences between this group number and other group numbers?
• What is the relationship between the DHCP IP address and the domain?
• To ensure that remote dial-up users can access resources of the private network, how do you configure the interzone packet filtering on the LNS, and what is the relationship between the virtual interface template and the security zone?
• For L2TP, how do you configure the interzone packet filtering to meet the requirement of minimum rights?

Answer

Thank you

Chapter 8 GRE VPN

www.huawei.com
Objectives

 Upon completion of this course, you will be able to understand:
 Basic principles and implementation modes of Generic Routing Encapsulation (GRE) VPN
 Security mechanisms of GRE VPN
 Application scenarios and configuration methods of GRE VPN
Contents

1. GRE VPN Overview
2. GRE VPN Technology
3. Analyzing the Application Scenarios of GRE VPN
GRE Overview

[Figure: encapsulated frame layout: Link layer | IP | GRE | IPX | Payload. A GRE tunnel across the Internet connects Firewall A (IPX network) with Firewall B (IPX network, HQ).]

 GRE refers to the encapsulation of data packets of certain network layer protocols, such as IP, IPX, and AppleTalk, so that the encapsulated packets can be transmitted over another network layer protocol, for example, IP.
 GRE provides a mechanism in which a packet of one protocol can be encapsulated into a packet of another protocol so that packets can be transmitted over various types of networks. The packet transmission path is referred to as a tunnel.
Applications of GRE

[Figure: protocol stack of a GRE tunnel]
IP/IPX              Passenger protocol
GRE                 Encapsulation protocol
IP                  Transport protocol
Link layer protocol
GRE Features

1. Simple mechanism, easy to configure and maintain.
2. Does not provide data encryption; can be used with IPSec.
3. Does not provide flow control or QoS.
GRE Implementation — Tunnel Interface

[Figure: a tunnel interface is defined by its encapsulation type, source address, destination address, and IP address]

 A tunnel interface is a point-to-point virtual interface that is provided to encapsulate packets. It is a logical interface, similar to a loopback interface.
GRE Implementation — Encapsulation and Decapsulation

[Figure: FW A and FW B are connected by a GRE tunnel. The route to the peer network has the tunnel as next hop; the outer IP header carries protocol field 47.]

 Encapsulation process:
 The original data packet is routed; after it enters the tunnel interface, the packet is encapsulated.
 The encapsulated data packet is forwarded to the IP module for further processing.
 Decapsulation process:
 The destination address of the packet is the IP address of the local device and the protocol field is 47; decapsulation then starts.
 The inner data packet is forwarded to the IP module for further processing.
Format of a GRE Packet Header

[Figure: GRE header layout: C | K | Recursion | Flags | Version | Protocol Type; Checksum; Key]

 C: Checksum Present bit. 1: The checksum field is present. 0: The checksum field is absent.
 K: Key Present bit. 1: The key field is present in the GRE header. 0: The key field is absent.
 Recursion: Contains the number of additional encapsulations which are permitted.
 Flags: reserved bits. They must be set to 0s.
 Version: must be set to 0. The value 1 is used in PPTP (RFC 2637).
 Protocol Type: type of the passenger protocol.
 Checksum: carried in the GRE header when bit C is set; the IP checksum of the GRE header and the payload packet.
 Key: key field.
GRE Security Mechanism

 Checksum verification
 When bit C is 1, the checksum field is valid.
 With bit C set to 1, the sender calculates the checksum and the receiver verifies it.
 Keyword identification
 If bit K is 1, the key field is present in the GRE header.
 The check succeeds only when the keywords at both ends are consistent.
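The following is an added example, not part of the Huawei material, that turns the three preceding GRE slides into working code: the encapsulation and decapsulation rule (outer protocol field 47, the outer destination must be the local address), the header layout (C and K bits, version, Protocol Type, Checksum, Key), and the security mechanism (the sender computes the checksum over the GRE header and payload, the receiver verifies it and compares the key with its own). The public addresses are those of the scenario slides later in this chapter; the inner packet, the key value 12345 and the helper names are constructed for the demo.

```python
import struct
import ipaddress
from typing import Optional, Tuple

GRE_PROTOCOL = 47          # protocol field of the outer IP header
ETHERTYPE_IPV4 = 0x0800    # GRE Protocol Type for an IPv4 passenger packet
FLAG_C, FLAG_K, VERSION_MASK = 0x8000, 0x2000, 0x0007


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, the 'IP checksum' GRE carries."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_encapsulate(payload: bytes, proto_type: int, key: Optional[int] = None,
                    checksum: bool = False) -> bytes:
    """Prepend a version-0 GRE header: C/K flags and Protocol Type, then the optional
    Checksum (+ reserved half-word) and the optional 32-bit Key. The checksum is
    computed over the GRE header and the payload with the checksum field zeroed."""
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
    header = struct.pack("!HH", flags, proto_type)
    if checksum:
        header += struct.pack("!HH", 0, 0)
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + payload
    if checksum:
        packet = packet[:4] + struct.pack("!H", inet_checksum(packet)) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes, expected_key: Optional[int] = None) -> Tuple[int, Optional[int], bytes]:
    """Return (proto_type, key, passenger packet). Raises ValueError (the packet is
    dropped) on a bad checksum or a key that differs from the configured one."""
    flags, proto_type = struct.unpack("!HH", packet[:4])
    if flags & VERSION_MASK:
        raise ValueError("only GRE version 0 is handled here")
    offset = 4
    if flags & FLAG_C:
        # With a valid checksum in place the one's-complement sum is 0xFFFF,
        # so recomputing over the whole header+payload must yield 0.
        if inet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch: packet dropped")
        offset += 4
    key = None
    if flags & FLAG_K:
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: packet dropped")
    return proto_type, key, packet[offset:]


def ipv4_wrap(src: str, dst: str, protocol: int, payload: bytes) -> bytes:
    """Minimal outer IPv4 header (no options) so the receive-side checks can be shown."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def tunnel_receive(frame: bytes, local_ip: str, expected_key: Optional[int] = None):
    """Decapsulation rule from the slides: the outer destination must be the local
    address and the protocol field must be 47 before the GRE header is examined.
    Returns None when the frame is not for this tunnel endpoint."""
    ihl = (frame[0] & 0x0F) * 4
    protocol = frame[9]
    dst = str(ipaddress.IPv4Address(frame[16:20]))
    if dst != local_ip or protocol != GRE_PROTOCOL:
        return None
    return gre_decapsulate(frame[ihl:], expected_key)


def is_accepted(frame: bytes, local_ip: str, expected_key: Optional[int] = None) -> bool:
    """True when the tunnel endpoint would accept and decapsulate the frame."""
    try:
        return tunnel_receive(frame, local_ip, expected_key) is not None
    except ValueError:
        return False


# Constructed sample: an opaque 28-byte passenger packet sent from firewall A
# (192.13.2.1) to firewall B (131.108.5.2) with both checksum and key enabled.
INNER = b"\x45\x00\x00\x1c" + b"\x00" * 24
FRAME = ipv4_wrap("192.13.2.1", "131.108.5.2", GRE_PROTOCOL,
                  gre_encapsulate(INNER, ETHERTYPE_IPV4, key=12345, checksum=True))
```

Flipping a single payload bit makes the receiver's recomputed checksum non-zero, and a key other than 12345 is rejected before the passenger packet is handed on, which is the drop behaviour the precautions slide later describes.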
Typical Application Scenario of GRE VPN

[Figure: Firewall A (E0/0/0 10.1.1.1/24, E1/0/0 192.13.2.1/24) and Firewall B (E2/0/0 131.108.5.2/24, E0/0/0 10.1.3.1/24, HQ) are connected over the Internet by a GRE tunnel.]

 Subnets 1 and 2 are interconnected through a Layer 3 tunnel protocol between firewalls A and B.
Configuration Roadmap of GRE VPN

[Flowchart]
Start
1. Perform basic configuration (including interface IP addresses).
2. Configure a tunnel logical interface and specify the source address and destination address used by the GRE tunnel.
3. Configure a route to the segment on the peer network. The next hop is the tunnel interface.
4. Enable interzone rules.
End
Configuration Method of GRE VPN

 Run the interface tunnel number command to create a virtual tunnel interface and enter the interface view.
 (Optional) Run the tunnel-protocol gre command to configure the encapsulation mode of the tunnel interface packet.
 Run the source { ip-address | interface-type interface-number } command to configure the source address of the tunnel interface.
 Run the destination ip-address command to configure the destination address of the tunnel interface.
 The source and destination addresses of the tunnel identify a tunnel. The addresses of the two ends are source and destination addresses to each other.
 (Optional) Run the ip address ip-address { mask | mask-length } command to configure the network address of the tunnel interface.
 Run the gre checksum command to configure end-to-end checksum verification for both ends of the tunnel.
 (Optional) Run the gre key key-number command to configure identification keys for the tunnel interface.
Typical Configuration of GRE VPN (1)

 Configure firewall A.
1. Perform basic configuration (omitted).
2. Create interface Tunnel 1.
[A] interface tunnel 1
3. Configure the IP address of interface Tunnel 1.
[A-Tunnel1] ip address 10.1.1.1 24
4. Configure the tunnel encapsulation mode.
[A-Tunnel1] tunnel-protocol gre
5. Configure the source address of interface Tunnel 1 (IP address of Ethernet 1/0/0 on firewall A).
[A-Tunnel1] source 192.13.2.1
6. Configure the destination address of interface Tunnel 1 (IP address of Ethernet 2/0/0 on firewall B).
[A-Tunnel1] destination 131.108.5.2
Typical Configuration of GRE VPN (2)

7. Configure a static route to Tunnel 1 and then to Group 2.
[A] ip route-static 10.1.3.0 255.255.255.0 tunnel 1
8. Enter the Untrust zone view.
[A] firewall zone untrust
9. Add Tunnel 1 to the Untrust zone.
[A-zone-Untrust] add interface Tunnel 1
10. Configure default interzone packet filtering rules.
[A] firewall packet-filter default permit interzone trust local
[A] firewall packet-filter default permit interzone untrust local
[A] firewall packet-filter default permit interzone trust untrust
Typical Configuration of GRE VPN (3)

 The configuration of firewall B is similar to that of firewall A. You need to change only the source and destination addresses of the tunnel and the static route.
1. Configure the IP address of interface Tunnel 1.
[B-Tunnel1] ip address 10.1.3.1 24
2. Configure the source address of interface Tunnel 1 (IP address of Ethernet 2/0/0 on firewall B).
[B-Tunnel1] source 131.108.5.2
3. Configure the destination address of interface Tunnel 1 (IP address of Ethernet 1/0/0 on firewall A).
[B-Tunnel1] destination 192.13.2.1
4. Configure a static route to Tunnel 1 and then to Group 1.
[B] ip route-static 10.1.1.0 255.255.255.0 tunnel 1
Configuration of GRE VPN (Web)

[Figure: screenshot of the web configuration page for the GRE tunnel]
Precautions on the Configuration of GRE VPN

 To ensure smooth forwarding of data flows, add the physical interface and the tunnel interface created on the physical interface into the same security zone.
 The devices at the two ends of a tunnel can forward GRE encapsulated packets only when there are tunnel forwarding routes on both devices.
 If key verification is configured on a tunnel, the verification succeeds only when the keywords at both ends are the same. Otherwise, the packet is dropped.
 If checksum is configured, the sender calculates the checksum over the GRE header and payload and places it in the GRE header. The packet that contains the checksum is then sent to the peer.
Summary

 Basic principles and implementation modes of Generic Routing Encapsulation (GRE) VPN
 Security mechanisms of GRE VPN
 Application scenarios and configuration methods of GRE VPN
Questions

 What are the main application scenarios of GRE VPN? What are the drawbacks of GRE VPN?
 What security services can GRE VPN provide?
 What interfaces do the source and destination IP addresses of GRE represent in a real application scenario?
 What mechanism does the GRE source end use to trigger the setup of a tunnel?
 What information does the GRE destination end use to identify received GRE packets?
 In a GRE application scenario, how do you set interzone filtering to meet the principle of minimum authorization?
Answer
Thank you

www.huawei.com
Chapter 9 IPSec VPN

www.huawei.com
Objectives

 Upon completion of this course, you will be able to understand:
 Basic principles of IPSec
 AH and ESP technologies
 Service flow of the IKE protocol
 Application scenarios and configurations of IPSec VPN
Contents

1. IPSec VPN Overview
2. IPSec VPN Architecture
3. AH Technology
4. ESP Technology
5. IKE Technology
6. IPSec VPN Application Scenarios
IPSec Overview

[Figure: an IPSec VPN security tunnel between Branch and H.Q.; IPSec provides confidentiality, integrity, authentication, and anti-replay.]
IPSec Features

[Figure: protocol stacks (APP, Data, TCP/UDP, IP) at Branch and HQ. The IPSec protection area covers the IP layer and everything above it, carried by the IPSec VPN over Internet services.]
IPSec Protection Scenario

[Figure: IPSec VPN between Branch and H.Q.]

 IPSec E2E scenarios:
 Between security gateways (such as firewalls)
 Between a host and a security gateway
 Between hosts
IPSec VPN Architecture

[Figure: IPSec VPN architecture. AH (authentication header) and ESP (encapsulating security payload) build on an encryption algorithm and an authentication algorithm; key management and policy underpin both.]
IPSec Protocols

 AH: AH provides the functions of authenticating data sources, checking data integrity, and anti-replay, but AH does not encrypt the protected packets.
 ESP: ESP provides all the functions of AH and encrypts IP packets. However, the data integrity of IP headers is not checked.
 IPSec enables privacy, integrity, authenticity and anti-replay of packets during network transmission.
IPSec Encapsulation Modes

 Transport mode: IPSec headers are inserted behind the IP header and before all transport layer protocols or all other IPSec protocols.
 Tunnel mode: IPSec headers are inserted before the original IP header. A new packet header is placed before AH or ESP.

[Figure: original packet: IPH | Data. Transport mode: IPH | IPSec | Data. Tunnel mode: New IPH | IPSec | Org IPH | Data.]
Comparison Between IPSec Encapsulation Modes

Transport mode: Original IP header | IPSec header | IP data
Tunnel mode: New IP header | IPSec header | Original IP header | Original IP data

 Comparison:
1. Security: In tunnel mode, the original IP header information is hidden, which ensures data security.
2. Performance: In tunnel mode, there is one extra IP header, so more bandwidth is used than in transport mode.
 To select an encapsulation mode, weigh performance against security.
Encryption and Authentication Algorithms

 Encryption algorithms
 DES (56-bit key, 64-bit block)
 3DES (3 x 56-bit key, 64-bit block)
 AES (128, 192, 256)
 China encryption algorithm (256)
 Authentication algorithms
 MD5 (128 bit)
 SHA-1 (160 bit)
 Computing complexity is not inevitably connected to encryption strength.
IPSec Protocol - AH

 Provides data source authentication (authenticity), integrity check, and anti-replay.
 Encryption algorithms are not supported.

[Figure: AH format: Next packet header | Payload size | Reserved field; Security parameter index (SPI); SN; Authentication data; Payload data.]
AH Packet Encapsulation Modes

[Figure: original packet: IPH | Data. Transport mode: IPH | AH | Data, authenticating all the unchanged parts. Tunnel mode: New IPH | AH | Org IPH | Data, authenticating all the unchanged parts, including the new IP header except its mutable fields.]

 In the IP packet header, the AH protocol number is 51.
 Transport mode: authenticates the entire IP packet.
 Tunnel mode: authenticates the new IP header and the entire original IP packet.
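An added example, not Huawei code, of AH in transport mode as the two AH slides describe it. The ICV is HMAC-MD5-96 (the configuration slides later name MD5 as the AH default) computed over the IP header with its mutable fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, the AH header with the ICV field zeroed, and the payload. A TTL change in transit therefore still verifies, a changed payload byte does not, and the payload stays readable because AH does not encrypt. The key, the SPI 0x1001, the payload and the helper names are constructed.

```python
import hmac
import hashlib
import struct
import ipaddress
from typing import Optional, Tuple

AH_PROTOCOL = 51
ICV_LEN = 12          # HMAC-MD5-96: the 128-bit MAC truncated to 96 bits


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header. The header checksum is left 0: it is a mutable field that
    AH zeroes anyway, and this demo never puts the packet on a wire."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                       protocol, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the IPv4 fields that change in transit: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH: Next header | Payload length | Reserved | SPI | SN | Authentication data.
    Payload length counts 32-bit words minus 2: 12 fixed + 12 ICV bytes -> 4."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_protect(key: bytes, src: str, dst: str, inner_proto: int, data: bytes,
               spi: int, seq: int, ttl: int = 64) -> bytes:
    """Transport mode: IPH | AH | Data. The ICV covers the immutable IP fields,
    the AH header with a zeroed ICV field, and the data."""
    ip_hdr = ipv4_header(src, dst, AH_PROTOCOL, 12 + ICV_LEN + len(data), ttl)
    ah_zero = ah_header(inner_proto, spi, seq, b"\x00" * ICV_LEN)
    icv = hmac.new(key, immutable_view(ip_hdr) + ah_zero + data, hashlib.md5).digest()[:ICV_LEN]
    return ip_hdr + ah_header(inner_proto, spi, seq, icv) + data


def ah_verify(key: bytes, packet: bytes) -> Optional[Tuple[int, int, int, bytes]]:
    """Return (next_header, spi, seq, data), or None when the ICV does not match."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != AH_PROTOCOL:
        return None
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, data = rest[12:ah_len], rest[ah_len:]
    covered = immutable_view(ip_hdr) + rest[:12] + b"\x00" * len(icv) + data
    expected = hmac.new(key, covered, hashlib.md5).digest()[:len(icv)]
    if not hmac.compare_digest(icv, expected):
        return None
    return next_header, spi, seq, data


def forward_hop(packet: bytes) -> bytes:
    """Simulate one router hop: decrement the TTL, a mutable field AH must tolerate."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


# Constructed sample between the two USG public addresses of the networking slide.
KEY = b"constructed-demo-ah-key"
DATA = b"\x04\xd2\x00\x50" + b"constructed transport-layer payload"   # inner protocol 6
PKT = ah_protect(KEY, "202.39.160.1", "202.39.169.1", 6, DATA, spi=0x1001, seq=1)
```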
IPSec Protocol - ESP

 Provides data authenticity, data integrity, anti-replay, and data confidentiality.
 Supports encryption algorithms.

[Figure: ESP format: Security parameter index (SPI); SN; Initialization vector; Payload data; Filling field | Filling size | Next packet header; Authentication data.]
ESP Packet Encapsulating Mode

[Figure: original packet: IPH | Data. Transport mode: IPH | ESPH | Data | ESP Trailer | ESP Auth; the encryption part covers Data and ESP Trailer, the authentication part covers ESPH through ESP Trailer. Tunnel mode: New IPH | ESPH | Org IPH | Data | ESP Trailer | ESP Auth; the encryption part covers Org IPH through ESP Trailer, the authentication part covers ESPH through ESP Trailer.]

 The protocol number of ESP in the IP packet header is 50.
 Transport mode: The ESP header is located between the IP packet header and the transport layer protocol packet header. The ESP trailer is added behind the data.
 Tunnel mode: The ESP header is located between the new IP header and the original packet. The ESP trailer is added behind the data.
IKE Overview

[Figure: IKE builds on three protocols]
 Oakley: a free-form protocol based on algorithms ...
 SKEME: defines how to verify the key exchange ...
 ISAKMP: defines the state change process of the communication mode and the information format that guarantee communication security ...
IKE Security Mechanism

[Figure: the DH algorithm and key distribution, identity protection, forward security, and identity authentication make up the IKE security mechanism.]

 IKE has a self-protection mechanism, which can safely distribute keys, authenticate identities, and set up an IPSec association on an insecure network.
IPSec SA Concept

 SA contents:
 Security protocols (AH, ESP, AH+ESP)
 Operation mode (transport mode and tunnel mode)
 Encryption algorithm (DES and 3DES)
 Shared keys and key lifecycle
 ……
 An SA is the convention of communication peers on some elements. An SA can be established only when both communication parties comply with the SA conventions.
 An SA is uniquely identified by a triplet consisting of the SPI, the destination IP address, and the security protocol number.
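An added example, not Huawei code, that processes an inbound ESP packet the way the ESP slides and the SA slide above describe: the SA is looked up by the (SPI, destination address, security protocol) triplet, the ICV (HMAC-SHA1-96 here) is checked over everything from the SPI to the ESP trailer, the sequence number passes through a sliding anti-replay window, and the trailer (padding, pad length, next header) is stripped. The DES/3DES cipher stage is omitted because the Python standard library ships none, so the payload travels unencrypted in this demo; the SPI 0x1001, the key, the payloads and the helper names are constructed.

```python
import hmac
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple, Union

ESP_PROTOCOL = 50
ICV_LEN = 12          # HMAC-SHA1-96
BLOCK = 8             # DES/3DES block size; decides how much padding is needed


class ReplayWindow:
    """Sliding anti-replay window over the ESP sequence number: bit 0 of the bitmap
    is the highest SN accepted so far, bit i the SN that is i below it."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                               # SN 0 is never valid
        if seq > self.top:                             # advances the right edge
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                               # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                               # already accepted: replay
        self.bitmap |= 1 << offset
        return True


class InboundSA:
    def __init__(self, spi: int, dst: str, auth_key: bytes):
        self.spi, self.dst, self.auth_key = spi, dst, auth_key
        self.window = ReplayWindow()


# Security association database keyed by the triplet from the SA slide.
SAD: Dict[Tuple[int, str, int], InboundSA] = {}


def add_inbound_sa(spi: int, dst: str, auth_key: bytes) -> InboundSA:
    sa = InboundSA(spi, dst, auth_key)
    SAD[(spi, dst, ESP_PROTOCOL)] = sa
    return sa


def esp_build(spi: int, seq: int, auth_key: bytes, next_header: int, body: bytes) -> bytes:
    """SPI | SN | IV | payload | padding | pad length | next header | ICV.
    Padding brings (payload + padding + 2) up to a multiple of the block size."""
    iv = os.urandom(BLOCK)
    pad_len = (-(len(body) + 2)) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    # Cipher stage omitted: on a real SA `body + trailer` is encrypted first with
    # the ESP encryption algorithm; the ICV is then taken over the ciphertext.
    auth_part = struct.pack("!II", spi, seq) + iv + body + trailer
    icv = hmac.new(auth_key, auth_part, hashlib.sha1).digest()[:ICV_LEN]
    return auth_part + icv


def esp_inbound(dst: str, packet: bytes) -> Union[str, Tuple[int, bytes]]:
    """Inbound processing for an ESP packet that arrived for `dst`. Returns
    (next_header, body) on success or a string naming the reason it was dropped."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = SAD.get((spi, dst, ESP_PROTOCOL))
    if sa is None:
        return "no SA for (spi, dst, ESP)"
    auth_part, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, auth_part, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "ICV mismatch"
    if not sa.window.check_and_update(seq):
        return "replayed or stale sequence number"
    pad_len, next_header = auth_part[-2], auth_part[-1]
    body = auth_part[8 + BLOCK:len(auth_part) - 2 - pad_len]
    return next_header, body


# Constructed sample: one inbound SA on USG B's public address, two packets.
AUTH_KEY = b"constructed-esp-auth-key"
SA_IN = add_inbound_sa(0x1001, "202.39.169.1", AUTH_KEY)
PKT1 = esp_build(0x1001, 1, AUTH_KEY, 6, b"constructed segment 1")
PKT2 = esp_build(0x1001, 2, AUTH_KEY, 6, b"constructed segment 2")
```

The window is only advanced after the ICV has verified, so a forged packet with a high sequence number cannot push genuine in-flight packets out of the window.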
IKE Functions in IPSec

 Reduces the complexity of manual configuration.
 Scheduled SA update.
 Scheduled key update.
 Allows IPSec to provide the anti-replay service.
 Allows E2E dynamic authentication.
Relation Between IKE and IPSec

[Figure: IKE on each peer negotiates the SA; the SA is handed to IPSec, which sits between TCP/UDP and IP on each peer and exchanges encrypted IP packets.]
IKE Phases

[Figure: (1) Receive the data streams to be protected. (2) Negotiate the IKE SA. (3) Negotiate the IPSec SA. (4) Provide AH and ESP protection.]

 IKE uses two phases to negotiate IPSec keys and establish an SA:
 First phase: Both communication parties establish a tunnel that has passed identity authentication and is protected, namely the IKE SA. Negotiation modes include main mode and aggressive mode. Authentication modes include pre-shared key, digital signature, and public key encryption.
 Second phase: Use the tunnel established in the first phase to negotiate the security service for IPSec and set up an IPSec SA. The IPSec SA is used for the final safe transmission of IP data. The negotiation mode is fast mode.
Exchange Process of IKE Pre-Shared Key in Main Mode

[Figure: exchange between initiator and receiver]
 Mode negotiation: the initiator sends its cookie; the receiver returns the responder cookie with algorithm confirmation.
 DH exchange and nonce exchange: the initiator sends the key exchange payload Xa and the temporary value payload Ni; the receiver returns the key exchange payload Xb and the temporary value payload Nr. Both sides then perform key generation.
 Identity authentication: on each side the key HASH generates the hash payload, which is exchanged.
 End
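An added example, not Huawei code, of the main-mode pre-shared-key exchange shown above, following the RFC 2409 formulas: after cookies, SA proposal, DH public values and nonces are exchanged, each side derives SKEYID from its own pre-shared key and the nonces, derives SKEYID_d/a/e from the DH secret, and authenticates the peer by recomputing the HASH payload. The DH group is the 768-bit MODP group (group1, the default named on the IKE proposal slides later in this chapter) with HMAC-SHA1 as the prf; cookies, nonces, exponents, the SA payload bytes and the identity strings are constructed, and the peer/helper names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# RFC 2409 section 6.1 "First Oakley Group": 768-bit MODP prime, generator 2.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2
GROUP1_LEN = 96       # bytes in a 768-bit group element


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin check, so a peer can validate group parameters it is handed."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(os.urandom(16), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()      # prf = HMAC-SHA1


class Peer:
    """One IKE endpoint: pre-shared key, identity payload body, cookie, nonce and DH pair."""

    def __init__(self, psk: bytes, identity: bytes, sa_payload: bytes):
        self.psk, self.id_b, self.sa_b = psk, identity, sa_payload
        self.cookie = os.urandom(8)
        self.nonce = os.urandom(16)
        self.x = int.from_bytes(os.urandom(32), "big")   # private DH exponent
        self.pub = pow(GROUP1_G, self.x, GROUP1_P)         # g^x sent in the KE payload

    def shared_secret(self, peer_pub: int) -> bytes:
        return pow(peer_pub, self.x, GROUP1_P).to_bytes(GROUP1_LEN, "big")

    def skeyid(self, ni: bytes, nr: bytes) -> bytes:
        return prf(self.psk, ni + nr)                      # PSK auth: SKEYID = prf(psk, Ni_b | Nr_b)


def derive(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> Tuple[bytes, bytes, bytes]:
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")          # SKEYID_d: seeds IPSec SA keys
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")      # SKEYID_a: authenticates IKE messages
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")      # SKEYID_e: encrypts messages 5 and 6
    return d, a, e


def main_mode(initiator: Peer, responder: Peer) -> Tuple[bool, Optional[Tuple[bytes, bytes, bytes]]]:
    """Run the exchange; return (True, (SKEYID_d, SKEYID_a, SKEYID_e)) when both HASH
    payloads verify, (False, None) otherwise."""
    cky_i, cky_r, sa_i_b = initiator.cookie, responder.cookie, initiator.sa_b
    gxi = initiator.pub.to_bytes(GROUP1_LEN, "big")       # messages 3 and 4: KE and nonces
    gxr = responder.pub.to_bytes(GROUP1_LEN, "big")
    ni, nr = initiator.nonce, responder.nonce
    skeyid_i, skeyid_r = initiator.skeyid(ni, nr), responder.skeyid(ni, nr)
    gxy = initiator.shared_secret(responder.pub)
    assert gxy == responder.shared_secret(initiator.pub)
    # Messages 5 and 6 (encrypted under SKEYID_e on the wire) carry HASH_I and HASH_R.
    # A pre-shared key mismatch never shows up earlier: it surfaces only here.
    hash_i = prf(skeyid_i, gxi + gxr + cky_i + cky_r + sa_i_b + initiator.id_b)
    hash_i_check = prf(skeyid_r, gxi + gxr + cky_i + cky_r + sa_i_b + initiator.id_b)
    hash_r = prf(skeyid_r, gxr + gxi + cky_r + cky_i + sa_i_b + responder.id_b)
    hash_r_check = prf(skeyid_i, gxr + gxi + cky_r + cky_i + sa_i_b + responder.id_b)
    if not (hmac.compare_digest(hash_i, hash_i_check) and hmac.compare_digest(hash_r, hash_r_check)):
        return False, None
    return True, derive(skeyid_i, gxy, cky_i, cky_r)


SA_PAYLOAD = b"constructed SA payload: 3des-cbc / sha / group1 / pre-share"


def run(psk_initiator: bytes, psk_responder: bytes):
    """Constructed run between the two USG public addresses of the networking slide."""
    a = Peer(psk_initiator, b"202.39.160.1", SA_PAYLOAD)
    b = Peer(psk_responder, b"202.39.169.1", SA_PAYLOAD)
    return main_mode(a, b)
```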
Negotiation Process of Pre-Shared Key in IKE Aggressive Mode

[Figure: Peer 1 (initiator) and Peer 2 (receiver) exchange three messages]

 In aggressive mode, three messages in total are exchanged.
 Message 1 exchanges the SA payload, key specification and identity information.
 Message 2 adds the hash authentication payload on the basis of the message 1 contents.
 Message 3 is the authentication initiated by the responder against the initiator.
Difference Between Main Mode and Aggressive Mode of IKE

 Exchanged messages:
 Main mode: 6; aggressive mode: 3
 Identity protection:
 In main mode, the last two messages are encrypted, which provides identity protection. In aggressive mode, the messages are highly integrated and do not provide the identity protection function.
 Peer identifier:
 In main mode, peers are identified by IP addresses only. In aggressive mode, peers can be identified by IP addresses or names.
Negotiation Process in Fast Mode

[Figure: Peer 1 (initiator) and Peer 2 (receiver) exchange three messages]

 Fast mode requires exchanging three messages in total.
 In messages 1 and 2, the SA, key, Nonce, and ID are exchanged for algorithm negotiation, PFS guarantee and provisioning of on-site evidence.
 Message 3 is used to verify whether the responder can communicate; it is equivalent to an acknowledgment message.
Key Protection

 Key lifecycle
 The key has its lifecycle. When the lifecycle expires, a new key replaces the original one.
 Perfect forward secrecy (PFS)
 Defines that two keys do not have a relationship with each other.
 Diffie-Hellman (DH) group
 In the public key encryption system, the information for the shared key generation process is exchanged on a public communication channel (Internet) without protection.
IPSec Flow Processing

[Figure: inbound and outbound flows between Branch and H.Q.]

 Inbound and outbound
 Discarding packets
 Bypassing the security service
 Applying the security service
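An added example, not Huawei code, of the three decisions the flow-processing slide lists: an ordered, ACL-style security policy database maps each data stream to discard, bypass or protect, for both directions. On the inbound side it also enforces the rule that a stream the policy says must be protected is discarded when it arrives in the clear or under an SA other than the one the policy names. The rules mirror the intranets of the networking slide later in this chapter; the policy name "policy1", the class and function names and the sample addresses 203.0.113.x are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"


@dataclass(frozen=True)
class Rule:
    """One ACL-style selector: source/destination prefixes, optional IP protocol
    (None = any), the action IPSec takes, and for PROTECT the name of the IPSec
    policy whose SA must carry the traffic."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: Optional[int]
    action: str
    sa_name: Optional[str] = None

    def matches(self, src: str, dst: str, protocol: int) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.protocol is None or self.protocol == protocol))


class SecurityPolicyDatabase:
    """Ordered rules, first match wins (ACL semantics); unmatched traffic gets `default`."""

    def __init__(self, rules: List[Rule], default: str = DISCARD):
        self.rules, self.default = list(rules), default

    def first_match(self, src: str, dst: str, protocol: int) -> Optional[Rule]:
        return next((r for r in self.rules if r.matches(src, dst, protocol)), None)

    def outbound(self, src: str, dst: str, protocol: int) -> str:
        """Outbound: discard, send in the clear, or hand the packet to IPSec."""
        rule = self.first_match(src, dst, protocol)
        return rule.action if rule else self.default

    def inbound(self, src: str, dst: str, protocol: int, protected_by: Optional[str]) -> str:
        """Inbound: protected_by names the policy of the SA that carried the packet,
        or is None when it arrived in the clear. Streams that must be protected are
        discarded if they arrived unprotected or under some other SA."""
        rule = self.first_match(src, dst, protocol)
        action = rule.action if rule else self.default
        if action == PROTECT and protected_by != rule.sa_name:
            return DISCARD
        return action


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed SPD for the firewall in front of 192.168.0.0/24: traffic between the
# two intranets is protected by "policy1", other traffic leaving the intranet
# bypasses IPSec, and anything else is discarded by default.
SPD_A = SecurityPolicyDatabase([
    Rule(net("192.168.0.0/24"), net("192.168.1.0/24"), None, PROTECT, "policy1"),
    Rule(net("192.168.1.0/24"), net("192.168.0.0/24"), None, PROTECT, "policy1"),
    Rule(net("192.168.0.0/24"), net("0.0.0.0/0"), None, BYPASS),
])
```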
Networking Requirements

[Figure: USG A (Eth 0/0/0 202.39.160.1/16, Eth 0/0/1 192.168.0.1/24) and USG B (Eth 0/0/0 202.39.169.1/16, Eth 0/0/1 192.168.1.1/24). Host 1 (192.168.0.2/24) sits behind USG A, Host 2 (192.168.1.2/24) behind USG B.]

 Networking requirements
 PC1 communicates safely with PC2, using IKE between FWA and FWB to negotiate the establishment of the secure channel.
 Set the IKE proposal with sequence number 10 on both FWA and FWB.
 Set the authenticator for the authentication that uses the pre-shared key.
 Both FWA and FWB have fixed public network addresses.
IPSec VPN Configuration Idea

[Flowchart]
Start
1. Basic configuration (such as setting the IP addresses of interfaces)
2. Configure the IPSec proposal
3. Configure the IKE proposal
4. Configure the IKE peer
5. Configure the IPSec policy
6. Reference IPSec on interfaces
7. Enable the filter rules of the corresponding zones
8. Configure the route to the peer intranet segment
End
IPSec Configuration Process — IPSec Proposal

 Run the ipsec proposal proposal-name command to create a security proposal and enter the security proposal view.
 Run the transform { ah | ah-esp | esp } command to select a security protocol. By default, esp is used.
 Run the encapsulation-mode tunnel command to select the packet encapsulation mode.
 Run the ah authentication-algorithm { md5 | sha1 } command to set the authentication algorithm used by the AH protocol. By default, the AH protocol in the IPSec security proposal uses the MD5 algorithm.
 Run the esp authentication-algorithm { md5 | sha1 } command to set the authentication algorithm used by the ESP protocol. By default, the MD5 algorithm is used.
 Run the esp encryption-algorithm { 3des | des | aes | scb2 } command to set the encryption algorithm used by the ESP protocol. By default, the DES algorithm is used.
IPSec Configuration Process — IKE Proposal

 Run the ike proposal proposal-number command to create and enter the IKE security proposal view.
 Run the authentication-method pre-share command to set the authentication method.
 Run the encryption-algorithm { des-cbc | 3des-cbc } command to select an encryption algorithm. By default, the 56-bit DES algorithm in CBC mode is used.
 If the pre-shared key authentication method is selected, set the pre-shared key for each peer end. The pre-shared keys on the two peer ends that establish a secure connection must be the same.
 Run the authentication-algorithm { md5 | sha } command to select an authentication algorithm. By default, the SHA1 algorithm is used.
 Run the dh { group1 | group2 | group5 } command to select the Diffie-Hellman group identifier. By default, the identifier is group1, namely, the 768-bit Diffie-Hellman group.
 Run the sa duration interval command to set the SA lifecycle.
IPSec Configuration Process — IKE Peer

 Run the ike peer peer-name command to create an IKE peer and enter the IKE peer view.
 Run the exchange-mode { main | aggressive } command to configure the negotiation mode.
 In aggressive mode, the peer IP address and the peer end name can be set. In main mode, only the peer IP address can be set. By default, main mode is used for IKE negotiation.
 Run the ike-proposal proposal-number command to set the IKE security proposal.
 Run the local-id-type { ip | name } command to set the ID type (optional) of the IKE peer.
 Run the pre-shared-key key-string command to set the pre-shared key shared with the peer end.
 Run the local-address ip-address command to set the local IP address used for IKE negotiation.
 Run the remote-address low-ip-address [ high-ip-address ] command to set the peer IP address.
 Run the remote-name name command to set the peer end name (in aggressive mode, when a name is used for authentication).
IPSec Configuration Process — IKE Peer (Continued)

 Run the ipsec sa global-duration { time-based interval | traffic-based kilobytes } command to set the global SA lifecycle (optional).
 Run the ike local-name router-name command to set the local ID (optional) for IKE negotiation.
 Run the ike sa keepalive-timer interval interval command to set the interval (optional) at which the Keepalive packet is sent.
 Run the ike sa keepalive-timer timeout interval command to set the expiration time (optional) for waiting for the Keepalive packet.
 Run the ike sa nat-keepalive-timer interval interval command to set the time interval (optional) at which the NAT update packet is sent.
e n
IPSec Configuration Process — IPSec om /
. c
Security Policy and Application ei
a w
Create an ACL to define the protected data streams. h u

g .
 Run the ipsec policy policy-name seq-number isakmp command
in to create a
security policy.
r n
Run the proposal proposal-name&<1-6> command ea to reference a security

proposal in the security policy template. //


l
p : | time-based interval } command

t t
Run the sa duration { traffic-based kilobytes
to set the SA lifecycle (optional). h
Run the ike-peer peer-name command s : to reference the IKE peer.
e command to set the ACL referenced by the

Run the security acl acl-number r c


u

security policy.
s o
 Re
Run the interface interface-type interface-number command to enter the
g select the network egress.
interface view. Here,
n
i policy-name command to reference the security policy.
Run the ipsec npolicy

a r
Le
r e
o
Copyrig ht © 2010 Hua w ei Technologies Co., Lt d. All right s reserved. Pa ge 44
e n
/ m
IPSec VPN Configuration Wizard i.(Web) c o
w e
u a
. h
n g
n i
a r
l e
/ /
p :
t t
h
s :
c e
u r
s o
Re
n g
n i
a r
Le
r eht © 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
o
Copyrig Pa ge 45
e n
IPSec Result Verification and m/
c o
Maintenance Commands i .
we
PC1 and PC2 can access each other. u a

. h
g
 in on the firewall.
Two bi-directional IPSec SAs can be shown
n
a r
l e
<FWA>display ipsec sa brief
/ /
tp:
current ipsec sa number: 2 ht
s :
e
--------------------------------------------------------------
c
Src Address Dst Address
u rSPI VPN Protocol Algorithm
s o
202.39.160.1 202.39.169.1
e
-------------------------------------------------------------------
R 957073432 0 ESP E:DES;A:HMAC-MD5-96;
n g
202.39.169.1 202.39.160.1
n i 2838744079 0 ESP E:DES;A:HMAC-MD5-96;

a r
L e
r eht © 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
o
Copyrig Pa ge 46
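A way to check the display ipsec sa brief output shown above for a complete SA pair and for weak algorithms, as an added example that is not Huawei's code. The sample output is reconstructed from the slide; the "weak" sets are this example's own review policy, not a Huawei setting.

```python
"""Review 'display ipsec sa brief' output (added example; not Huawei or USG code)."""
import re

# Constructed sample, laid out in the slide's output format.
SAMPLE_OUTPUT = """\
<FWA>display ipsec sa brief
current ipsec sa number: 2
--------------------------------------------------------------
Src Address      Dst Address      SPI         VPN  Protocol  Algorithm
--------------------------------------------------------------
202.39.160.1     202.39.169.1     957073432   0    ESP       E:DES;A:HMAC-MD5-96;
202.39.169.1     202.39.160.1     2838744079  0    ESP       E:DES;A:HMAC-MD5-96;
"""

# One SA row: src, dst, SPI, VPN instance, protocol, algorithm string.
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\S+)$")

# Review policy of this example (assumption): flag legacy ciphers and MD5-based MACs.
WEAK_ENC = {"DES", "3DES"}
WEAK_AUTH = {"HMAC-MD5-96"}


def parse_sa_brief(text: str) -> list:
    """Return one dict per SA row; prompt, header and separator lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst, spi, vpn, proto, alg = m.groups()
        # "E:DES;A:HMAC-MD5-96;" -> {"E": "DES", "A": "HMAC-MD5-96"}
        algs = dict(item.split(":", 1) for item in alg.strip(";").split(";") if ":" in item)
        sas.append({"src": src, "dst": dst, "spi": int(spi), "vpn": int(vpn),
                    "proto": proto, "enc": algs.get("E"), "auth": algs.get("A")})
    return sas


def review_sas(sas: list) -> dict:
    """Report peer pairs with SAs in both directions, pairs missing a direction,
    and the SPIs of SAs that negotiated a weak cipher or MAC."""
    directions = {(sa["src"], sa["dst"]) for sa in sas}
    complete = sorted({(a, b) for a, b in directions if (b, a) in directions and a < b})
    one_way = sorted((a, b) for a, b in directions if (b, a) not in directions)
    weak = [sa["spi"] for sa in sas if sa["enc"] in WEAK_ENC or sa["auth"] in WEAK_AUTH]
    return {"complete_pairs": complete, "one_way": one_way, "weak_spis": weak}
```

On the slide's output both SAs are present, but every SA reports DES with HMAC-MD5-96, so the check flags both SPIs for a stronger proposal.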
IPSec Result Verification and Maintenance Commands

 IKE peer and IKE SA information can be shown.

<USG B> dis ike sa
connection-id  peer           flag   phase  doi
-----------------------------------------------------------------------
2              202.39.160.1   RD|ST  1      IPSEC
4              202.39.160.1   RD|ST  2      IPSEC

Notices About IPSec VPN Configuration

On the firewall, there must be a proper route to the peer intranet segment.
Disable the fast forwarding function of the USG2100 interface that is connected to the intranet.
Define the Source field in the firewall ACL that actively triggers the IPSec VPN. It is recommended that the ACLs of both parties mirror each other.
Setting the default packet filter rule between the Local and Untrust zones aims to allow the devices on the two ends of the IPSec tunnel to communicate so that they can negotiate the SA.

Summary

 Basic principles of IPSec
 AH and ESP technologies
 Service flow of the IKE protocol
 Application scenarios and configurations of IPSec VPN

Questions

 Which security services does the IPSec VPN provide? What are the meaning and implementation mode of each security service?
 What are the two major security protocols of IPSec? What is the difference between them?
 What are the two major encapsulation modes of IPSec? What is the difference between their application scenarios?
 Which four security mechanisms can be provided by IKE? What is the function of each security mechanism?
 What is the function of SAs in IPSec? Which triplet is the unique identifier of an SA?
 What are the two negotiation modes of IKE in the first phase? What are their scenarios?
 What is the difference between the configuration options of the two IKE negotiation modes in the first phase?
 Which technology is used by IPSec to trigger the establishment of an IPSec tunnel?
 In tunnel mode, how do you set a private network route?
 In IPSec application scenarios, how do you set the interzone packet filter to meet the minimum rights requirements? Give an analysis from the perspective of the service flow direction.

Answer

Thank you
www.huawei.com

Chapter 10 SSL VPN
www.huawei.com
Objectives

 Upon completion of this course, you will be able to understand:
 SSL VPN technology
 Basic functions and features of the SVN3000
 Methods for configuring the SSL VPN

Contents

1. SSL VPN Overview
2. SSL VPN Technology
3. SSL VPN Security Policy
4. SSL VPN Application Scenario

SSL Overview

Not Secure        Secure
HTTP              HTTP
                  SSL
TCP               TCP
IP                IP
Position of the SSL in the TCP/IP protocol stack

Security Comparison Between SSL and IPSec

SSL VPN           IPSec VPN
HTTP              APP+Data
SSL               TCP
TCP               IP
IP                IPSec
                  IP

SSL VPN Security Technology

The SSL ensures data security from the following aspects:
 Identity authentication
Before setting up an SSL connection, the client and the server should perform authentication using a digital certificate. The authentication can be unilateral (from the client to the server) or bidirectional between the client and the server.
 Confidentiality
An encryption algorithm is used to encrypt the transmitted data.
 Integrity
A message digest (hash) algorithm is used to check whether the data is modified during transmission.

Contents

1. SSL VPN Overview
2. SSL VPN Technology
3. SSL VPN Security Policy
4. SSL VPN Application Scenario

SSL Protocol Structure

Application layer protocol
SSL handshake protocol | SSL change cipher spec protocol | SSL alert protocol
SSL record protocol
TCP
IP

SSL Bottom Layer – SSL Record Protocol

SSL Record operation process:
Application data → Segment → Compress → Add MAC (message authentication code) → Encrypt → Add the SSL Record packet header
SSL Record packet structure (figure)
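The SSL Record operation process on the slide above (segment, compress, add MAC, encrypt, add header), together with the confidentiality and integrity services described on the SSL VPN Security Technology slide, as an added example that is not Huawei's or the SVN3000's code. Assumptions: a TLS-style MAC over the sequence number and record header (SSL 3.0's own MAC construction differs), HMAC-SHA256 as the MAC, and a toy SHA-256 counter keystream standing in for the negotiated cipher.

```python
"""SSL record-layer pipeline, simplified (added example; not Huawei or SVN3000 code)."""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14        # the record layer segments application data into 16 KiB pieces
CT_APPLICATION_DATA = 23      # content type used for application data
VERSION = b"\x03\x00"         # SSL 3.0 version bytes carried in the record header
MAC_LEN = 32                  # HMAC-SHA256 tag length (assumption of this example)


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; stands in for the negotiated cipher.
    Illustration only: use a real cipher/AEAD from a vetted library in practice."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + struct.pack(">QI", seq, counter)).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _mac(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """TLS-style MAC input: sequence number, type, version, length and the fragment.
    Covering the sequence number is what makes replayed or reordered records fail."""
    header = struct.pack(">QB2sH", seq, ctype, VERSION, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def protect(app_data: bytes, mac_key: bytes, enc_key: bytes, seq0: int = 0) -> list:
    """Sender side: segment -> compress -> add MAC -> encrypt -> add record header."""
    records, seq = [], seq0
    for i in range(0, len(app_data), MAX_FRAGMENT):                 # segment
        fragment = zlib.compress(app_data[i:i + MAX_FRAGMENT])      # compress
        body = fragment + _mac(mac_key, seq, CT_APPLICATION_DATA, fragment)  # add MAC
        ks = _keystream(enc_key, seq, len(body))
        cipher = bytes(a ^ b for a, b in zip(body, ks))             # encrypt
        header = struct.pack(">B2sH", CT_APPLICATION_DATA, VERSION, len(cipher))
        records.append(header + cipher)                             # add header
        seq += 1
    return records


def unprotect(records: list, mac_key: bytes, enc_key: bytes, seq0: int = 0) -> bytes:
    """Receiver side: parse header -> decrypt -> verify MAC -> decompress."""
    out, seq = [], seq0
    for rec in records:
        if len(rec) < 5:
            raise ValueError("truncated record header")
        ctype, ver, length = struct.unpack(">B2sH", rec[:5])
        cipher = rec[5:5 + length]
        if ver != VERSION or len(cipher) != length:
            raise ValueError("malformed record")
        ks = _keystream(enc_key, seq, len(cipher))
        body = bytes(a ^ b for a, b in zip(cipher, ks))
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        # Constant-time compare; any bit flipped in the ciphertext is caught here.
        if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, fragment)):
            raise ValueError("MAC check failed: record modified, replayed or reordered")
        out.append(zlib.decompress(fragment))
        seq += 1
    return b"".join(out)


def is_rejected(records: list, mac_key: bytes, enc_key: bytes) -> bool:
    """True when the receiver refuses the record sequence (the integrity service at work)."""
    try:
        unprotect(records, mac_key, enc_key)
    except ValueError:
        return True
    return False
```

Compression is included only because the slide lists it; current TLS versions disable record compression because compressing attacker-influenced data alongside secrets leaks those secrets.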
SSL Upper Layer Protocols

The SSL protocol is implemented using three elements:
 Handshake protocol
 Record protocol
 Alert protocol
SSL protocol structure (figure)

SSL Principle – Handshake Protocol

Before the SSL communications start, the handshake protocol is used to negotiate the security parameters (such as the encryption algorithm, the shared key, and the materials used for generating the key) and to authenticate the peers.

SSL Principle — Session Recovery

If the client and server have communicated with each other before, they can skip the full handshake process and directly exchange data. The SSL uses the session recovery function to reduce the large overhead generated by the SSL handshake.

SSL VPN Introduction

SVN3000 security access gateway. Its functions include:
 Cutting-edge virtual gateway
 Web proxy
 File sharing
 Port forwarding
 Network extension
 User security control
 Comprehensive log function
 Reliability

Virtual Gateway

The SVN provides the SSL VPN services using the virtual gateway.
An SVN can be configured with a maximum of 128 virtual gateways.

Web Proxy

The Web proxy enables users to safely access intranet Web resources.
 The Web proxy supports clientless Web access.
 The Web proxy supports two implementation modes: Web-link and Web rewriting.
Remote user — SVN3000 — Web server (figure)

File Sharing

The file sharing function supports secure access to the internal file system. The SSL VPN uses protocol conversion technology to provide the file sharing function.
 Users can safely access the intranet file system directly from their browsers.
 The SSL VPN converts the file sharing requests from the users to the corresponding protocol formats to interact with the servers.
 Protocols:
 SMB (Windows)
 NFS (Linux)
Supporting Windows systems (SMB) and UNIX systems (NFS).
Supported operations: new folder, rename the file or folder, browse the file, download the file, upload the file, delete the file or folder.

Implementation of File Sharing

Taking the access of an internal Windows file server as an example, the implementation of file sharing is as follows:
1. The client sends an HTTPS-format request to the file server on the intranet. The HTTPS-format request is sent to the SVN.
2. The SVN converts the HTTPS-format request to the SMB-format packet.
3. The SVN sends the SMB-format packet to the file server.
4. The file server receives the request and sends the SMB-format response to the SVN.
5. The SVN converts the SMB-format response to the HTTPS-format packet.
6. The SVN sends the HTTPS-format packet to the client.
Client — HTTPS — SVN — SMB/NFS — File server (figure, steps 1 to 6)

Characteristics of File Sharing

SVN3000 file sharing:
 SSL encryption for file transmission
 File-level access permission control
 Authentication on file access
 Extra access control on the SVN
 Success factors
The access of the file system is as secure and convenient as that on the local computer.
The hot key Ctrl+C cannot be used.
Port Forwarding

The port forwarding function provides various TCP application services on the intranet.
Supports TCP applications over static ports:
 Single-port single-server (Telnet, SSH, MS RDP, VNC)
 Single-port multi-server (Lotus Notes)
 Multi-port multi-server (Outlook)
Supports TCP applications over dynamic ports:
 Dynamic ports (FTP, Oracle)
Provides port-level access control.

Principles of Port Forwarding

Providing secure access to TCP applications on the intranet.
CLIENT: application request → application agent (SSL) → Internet → SVN3000 → SERVER: TCP 23, TCP 110, TCP 25, TCP 21 (figure)

Port Forwarding Features

SVN3000 port forwarding:
 Support of various intranet TCP applications: remote desktop, Outlook, Notes, FTP, and SSH
 Encryption on all data flows
 Global authentication and authorization on users
 Access control over TCP applications
 Access method: standard browser without requiring client installation
Port forwarding ensures the security and reliability of TCP applications, and provides easy operation and management.

Network Extension

The network extension function supports access to all the complex applications on the entire network.
 By establishing a secure SSL tunnel, users can access all the applications on the IP-based intranet.
 Implementation mode
 ActiveX control
 Private client software: one-off installation requiring no manual configuration
 Access mode (configured by the administrator based on different application scenarios)
 Full Tunnel: The user can access only the enterprise intranet.
 Split Tunnel: The user can access the intranet and the local subnet.
 Manual Tunnel: The user can access the resources in the specified network segment of the enterprise network. The network access does not affect other operations: users can still access the Internet and the local subnet.

Implementation of Network Extension

1. On the client, download the control and install the virtual network adapter. The virtual network adapter obtains an IP address that can be identified by the intranet.
2. The client originates a request for accessing the applications of the IP-based intranet. The virtual gateway intercepts the request and performs encapsulation and encryption. Then, the virtual gateway sends the packet to the SVN.
3. The SVN decrypts the packet and then sends the packet to the intranet server.
4. The intranet server sends a response to the SVN. The SVN encrypts and encapsulates the packet. Then, the SVN sends the packet to the client.

Full Tunnel

LAN — Internet — SSL VPN tunnel — Headquarters (intranet resources) (figure)
All the traffic is transmitted to the gateway.

Split Tunnel

LAN — Internet — SSL VPN tunnel — Headquarters (intranet resources) (figure)
Except for the intranet, the client can access the local subnet to which the client belongs.

Manual Tunnel

LAN — Internet — SSL VPN tunnel — Headquarters (intranet resources) (figure)
The client can access the resources in the specified network segment. The client can still access the local subnet and the Internet at the same time.
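The three network extension access modes listed on the Network Extension slide and drawn on the Full, Split and Manual Tunnel slides, as a client-side forwarding decision. This is an added example, not SVN3000 client code; the addresses are constructed, and in split-tunnel mode traffic bound for neither the intranet nor the local subnet is treated as blocked, since the slide names only those two destinations.

```python
"""Per-mode route decision for network extension (added example; not SVN3000 code)."""
import ipaddress

TUNNEL, LOCAL, INTERNET, BLOCKED = "tunnel", "local", "internet", "blocked"
MODES = ("full", "split", "manual")


class NetworkExtensionPolicy:
    """Forwarding decision on the client for one virtual gateway configuration."""

    def __init__(self, mode, intranet_segments, local_subnet, manual_segments=()):
        if mode not in MODES:
            raise ValueError(f"unknown access mode: {mode}")
        self.mode = mode
        self.intranet = [ipaddress.ip_network(n) for n in intranet_segments]
        self.local = ipaddress.ip_network(local_subnet)
        # Manual tunnel: only the segments the administrator specifies use the tunnel.
        self.manual = [ipaddress.ip_network(n) for n in manual_segments]

    def route(self, dst) -> str:
        dst = ipaddress.ip_address(dst)
        if self.mode == "full":
            return TUNNEL                      # all traffic goes to the gateway
        if self.mode == "split":
            if any(dst in n for n in self.intranet):
                return TUNNEL                  # intranet through the tunnel
            return LOCAL if dst in self.local else BLOCKED
        # manual: specified segments through the tunnel, everything else direct
        if any(dst in n for n in self.manual):
            return TUNNEL
        return LOCAL if dst in self.local else INTERNET


def exposure_summary(policy, destinations) -> dict:
    """Count how many destinations take each path, to compare what each mode exposes
    to the intranet and what it leaves on the client's own network."""
    counts = {TUNNEL: 0, LOCAL: 0, INTERNET: 0, BLOCKED: 0}
    for d in destinations:
        counts[policy.route(d)] += 1
    return counts


# Constructed sample topology; none of these addresses come from the slides.
INTRANET = ["10.10.0.0/16"]           # headquarters intranet
LOCAL_SUBNET = "192.168.1.0/24"       # subnet the remote client belongs to
MANUAL_SEGMENTS = ["10.10.20.0/24"]   # e.g. only the ERP segment is published
SAMPLE_DESTS = ["10.10.20.5", "10.10.30.7", "192.168.1.20", "203.0.113.9"]
```

Manual mode is the least-privilege choice of the three: an intranet host outside the published segment (10.10.30.7 in the sample) is not reachable through the tunnel at all.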
SSL VPN Advantages

 Convenient deployment without clients
 Security protection for application-layer access
 Improvement of enterprise efficiency

Disadvantages of Traditional VPNs

L2TP and dial-up:
 Insecure
 Extra expenses for dial-up
 Restriction of the dial-up access port on the server
 No encryption
 Lack of data authentication
IPSec:
 High client management costs
 NAT problems
 Security risks
 No application-based user authentication, permission, and auditing
 IP address leakage of the intranet
MPLS:
 Insecure
 No user authentication
 No application permission
 No auditing
 No access control
 High cost
 Interconnection problems between carriers
 No application-based access control policy
 Applicable to the interconnection between large-scale intranets

SSL VPN Example — Common Application

Partner, mobile office, branch, client, and remote maintenance users — Internet — Intranet: Linux/NFS, ERP, SMB, Email, Web server (figure)
Encrypted external connection; standard internal connection.

SSL VPN Example — Operation Application Example

Enterprise users A, B, and C — Internet — SSL VPN (virtual SSL VPN gateway), FW (virtual firewall), IDS, SW — IDC: trust server cluster of enterprise A, server cluster of enterprise B, server cluster of enterprise C (figure)

Contents

1. SSL VPN Overview
2. SSL VPN Technology
3. SSL VPN Security Policy
4. SSL VPN Application Scenario

Authentication and Authorization

Certification authority:
 VPNDB authentication and authorization
 RADIUS authentication and authorization
 LDAP authentication and authorization
 X.509 digital certificate authentication
 USB KEY + X.509 digital certificate authentication
Remote access — Internet — authentication server, file server, Web server, OA server (figure)

Terminal Security Policy

Terminal security threats:
 Non-effective implementation of terminal self-security
 Terminal accessing unauthorized network resources
 Network resource abuse by terminals
 Damage caused by malicious terminals
Terminal security policy:
 Antivirus software check
 Process check
 Port check
 Firewall check
 Operating system check
 File check
 Registry check

SVN3000 Functions

 Web access → Web proxy → Web
 File access → File sharing
 TCP applications such as Notes and Telnet → Port forwarding → E-mail
 Other complex services → Network extension → ERP
SSL VPN and IPSec VPN on the SVN3000 (figure)

Comprehensive Log Functions

 System log
System reboot record, network interface status record, temperature alarm record, import and export record, system administrator management record, and virtual gateway management record
 User log
User successful login record, user failed login record, offline after login record, password modification record, and service log
 Virtual gateway administrator log
Administrator online and offline record, administrator login failure record, virtual gateway configuration saving record, user management record, and security management record
 Log export
Real-time log export, text-format log export, and CLI log export
 Log query
Hierarchical Web page log query and CLI log query

Contents

1. SSL VPN Overview
2. SSL VPN Technology
3. SSL VPN Security Policy
4. SSL VPN Application Scenario
SVN3000 Application Scenario — Typical Network Position

Partner, mobile office, branch, client, and remote maintenance users — SVN3000 — Headquarters: Web server, ERP, NFS, database, Email (figure)
Encrypted internal connection; standard internal connection.
Generally, the SVN3000 is deployed between the enterprise edge firewall and the application server.
The SVN3000 works between the remote user and the server and is responsible for controlling the communications between the remote user and the server.

SSL VPN Application Scenario — One-Armed Mode

 The SVN3000 is connected to the firewall, router, or switch in one-armed mode.
 The SVN3000 communicates with both the intranet and the Internet over the same network interface, which is known as the one-armed communication mode.
Partner, mobile office, branch, client, and remote maintenance users — SVN3000 — Enterprise headquarters: Email, database, ERP, AAA, Web server (figure)
Encrypted internal connection; standard internal connection.

SSL VPN Application Scenario — Two-Armed Mode

 The SVN3000 is connected to the firewall, router, or switch in two-armed mode.
 The SVN3000 communicates with the intranet and the Internet over different network interfaces, which is known as the two-armed communication mode.
Partner, mobile office, branch, client, and remote maintenance users — SVN3000 — Enterprise headquarters: Email, database, ERP, AAA, Web server (figure)
Encrypted internal connection; standard internal connection.

Enabling the Web NMS Function

 Take the SVN3000 as an example.
 Configuration process:
 Configure the interface IP address.
 Bind the Web NMS to the IP address, and specify the port used for the binding.
 Start the Web browser. Enter the address of the SVN3000 Web NMS in the address box, for example, https://x.x.x.x:port. Press Enter to open the Web NMS login interface.
 Enter the user name and password on the login page to log in to the SVN3000.

Configuring the Virtual Gateway and Related Parameters

 After logging in to the SVN3000 Web NMS interface, click Virtual Gateway Management.

Web Proxy Access Instance (1)

 On the Virtual Gateway List navigation tree, click Web proxy to enter the configuration interface.

Web Proxy Access Instance (2)

 Configure the Web-link resources.
Enable the Web-Link function.

Web Proxy Access Instance (3)

 When you click a link, you can view the corresponding linked Web page.

Web Proxy Access Instance (4)

 When you click a sub-link on the Web page, you can also view the corresponding linked Web page.
File Sharing Access Instance (1)

 On the Virtual Gateway List navigation tree, click File Sharing to enter the configuration interface.

File Sharing Access Instance (2)

 Configure the file sharing resources.
Enable the file sharing function.

File Sharing Access Instance (3)

 File sharing resource list displayed on the client

File Sharing Access Instance (4)

 Click a resource on the file sharing list. Enter the user name, password, and domain. Submit the information to the file server for authentication.

File Sharing Access Instance (5)

 List of resources in the shared folder

Port Forwarding

The port forwarding function provides various TCP application services on the intranet.
 Supporting TCP applications over static ports
 Single-port single-server (Telnet, SSH, MS RDP, and VNC)
 Single-port multi-server (Lotus Notes)
 Multi-port multi-server (Outlook)
 Supporting TCP applications over dynamic ports
 Dynamic port (FTP passive mode, Oracle)
 Providing port access control

Port Forwarding Application Instance (1)

 On the Virtual Gateway List navigation tree, click Port Forwarding to enter the configuration interface.

Port Forwarding Application Instance (2)

 Configure the port forwarding resources.
Enable the port forwarding function.

Port Forwarding Application Instance (3)

 Click Start to enable the port forwarding function.

Port Forwarding Application Instance (4)

 Access the configured resources using the port forwarding function, for example, Telnet.

Network Extension Access Instance (1)

 Configure the IP address allocation mode and the client routing mode.
Enable the network extension function.

Network Extension Access Instance (2)

 Click the button to start the network extension function.

Network Extension Access Instance (3)

 After the ActiveX control is installed, log in to the SVN3000 again on the remote client. The client is allocated a virtual IP address of the intranet and functions as a device on the LAN.
Note: During the operation, do not close this window. Otherwise, the network extension function is disabled.

Network Extension Access Instance (4)

Application instance: FTP
Application instance: Log in to the remote desktop and browse the video files on the intranet.
e n
Login Interface of Network Extension om /
. c
Client e i
a w
h u
g .
in
r n
ea
/ l
:/
t p
ht
s :
 The network extension can be implemented
ce
r
by installing the dedicated client software.
u
You can download the software o

s from the
e requires
R
SVN3000 interface. The software

gthe network
only once installation and no configuration.
n

n i
You can directly enable
r
a software.
extension function using the network

L e
extension client

r e
o
Copyrig ht © 2010 Hua w ei Technologies Co., Lt d. All right s reserved. Pa ge 61
e n
m/
VPNDB Application Instance (1) i.c o
w e
u a
. h
n g
n i
a r
l e
/ /
p :
t t
h
s :
c e
u r
s o
Re
n g
Click VPNDB n i
Configuration to enter the configuration interface.
r

a
Le
r eht © 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
o
Copyrig Pa ge 62
e n
m/
VPNDB Application Instance (2) i.c o
w e
u a
. h
n g
n i
a r
l e
/ /
p :
t t
h
s :
c e
u r
s o
Re
n g
n i
a r
Le
 Click Add in User Information Management to enter the configuration interface.

r eht © 2010 Hua w ei Technologies Co., Lt d. All right s reserved.


o
Copyrig Pa ge 63
Summary

• SSL VPN technology
• Basic functions and features of the SVN3000
• Methods for configuring the SSL VPN

Questions

• What scenarios does the SSL VPN apply to?
• What security services does the SSL VPN provide?
• What functions does the virtual gateway of the SSL VPN provide?
• What are the differences between the exclusive and shared virtual gateways? What are their respective application scenarios?
• What are the application scenarios of the Web proxy, file sharing, port forwarding, and network extension functions?
• What are the three access modes of the network extension function? What are the differences between their implementation mechanisms?

Answer

Thank you
www.huawei.com

Chapter 11 Terminal Security
www.huawei.com

Objectives

• Upon completion of this course, you will be able to describe:
  • Terminal security
  • Components and deployment of the TSM system
  • Organization management and access control modes of the TSM system
  • Configuration of security policies for the TSM system

Contents

1. Overview of Terminal Security
2. Deployment of the TSM System
3. Deployment of Terminal Security Policies

Most Threats Come from Intranets

• … lists 14 security threats that should not be ignored in enterprises.
• According to the Computer Security Institute (CSI) in San Francisco, California, the United States, about 60% to 80% of network misuse events come from intranets.

(Figure: an intranet with a file server, a mail server, and a Web server.)

Crises Surrounding Enterprise Terminals

Failures to prevent disclosures:
• Unauthorized access
• Intentional disclosure
• Unintentional disclosure

Endless terminal exceptions:
• Slow computer speed
• Network or software exceptions
• Frequent system crashes

Difficulty in implementing conduct codes:
• Doing things irrelevant to work during working hours
• Accessing resources not related to work
• Misuse of network resources

Unexpected network threats:
• Slow network speed
• Service interruption
• Service exceptions
• Too many problems to monitor

What Is Terminal Security?

Software-based terminal security:
• Patch management
• Personal firewall software
• Antivirus software

3-D defense: access control + desktop management + security management

2. Deployment of the TSM System

Overview of the TSM System Architecture

• Composition of the TSM system
• Access mode of terminals
• TSM domains

(Figure: an SM and two SCs manage the network. The post-authentication domain holds the file server, mail server, and OA server; the isolation domain holds the AV server, patch server, and repair server; the pre-authentication domain sits behind the SACG. Terminals connect through an 802.1X switch or a common switch in either Web mode or Agent mode: guests, users of an enterprise, and the manager of an enterprise.)

Centralized Deployment

(Figure: a branch with SA terminals reaches headquarters across the Internet through a VPN gateway. At headquarters a single SACG fronts the TSM server, post-authentication domains 1, 2, and 3, and the pre-authentication domain containing the AV server, the AD domain server, and the patch server. Local SA terminals connect directly to the SACG.)

Distributed Deployment

(Figure: the core resource server site hosts the SM and an SC, the post-authentication domain, and the pre-authentication domain with the antivirus server and the AD domain server. A branch with SA terminals and its own SACG connects across the Internet through a border router. On the intranet, Office A and Office B each have a local SC and their own SACGs serving their SA terminals.)

Access Control of the SACG

(Figure: a hardware SACG separates the terminals from the post-authentication domain (sensitive resources, public resources), the pre-authentication domain (TSM server, AV server, ...), and the isolation domain. Finance department: no TSM Agent is installed for new employees. Marketing department: Agents are installed.)

Access flow:
1. URL redirection: the SACG provides the Web pushing function so that the user can download the TSM Agent for installation.
2. Identity authentication: user name + password, LDAP, or MAC.
3. Security check:
   • Is the antivirus software running?
   • Are the OS, Office, Internet Explorer, and database patches installed?
   • Is the virus database updated?
   • Is any illegitimate software installed?
4. Automatic security repair: upgrade the antivirus software, update the virus database, and download patches automatically.
5. Switchover to the post-authentication domain: the TSM notifies the SACG to deliver ACL rules and switch the terminal to the post-authentication domain.

Access Control of Host Firewall

(Figure: trusted domain 1 (finance department), trusted domain 2 (market department), the post-authentication domain (network resources), the pre-authentication domain (TSM server), the isolation domain (AV server, patch server), and an external untrusted network.)

• Access between trusted domains is not allowed.
• External untrusted terminals cannot access trusted terminals.
• If the security check fails, only restricted resources are provided, to isolate threats.

Access flow:
1. Identity authentication: user name + password, LDAP, or MAC.
2. Security policy check:
   • Is the antivirus software running?
   • Is the virus database updated?
   • Are the OS, Office, IE, and database patches installed?
   • Is any illegal software installed?
   Automatic security repair is performed for failed items.
3. Switch to the post-authentication domain: the TSM specifies an access policy that controls which trusted domain and post-authentication domain a terminal can access.

802.1X Access Control

(Figure: terminal 1 and terminal 2 connect to an 802.1X switch that fronts the post-authentication domain (sensitive resources), the isolation domain (AV server, patch server), and the pre-authentication domain (TSM server).)

• Ports of an insecure terminal are disabled, and neighbor terminals cannot be accessed through these ports.

Access flow:
1. 802.1X authentication: user name + password, LDAP, or MAC.
2. Security policy check:
   • Is the antivirus software running?
   • Is the virus database updated?
   • Are the OS, Office, IE, and database patches installed?
   • Is any illegitimate software installed?
   • ...
   Automatic security repair is performed for failed items.
3. Dynamically switch the VLAN: the switch dynamically switches the VLAN to control which post-authentication domain a terminal can access.

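The three access control modes above share one decision flow (identity authentication, security policy check, domain decision) and differ only in how the decision is enforced: ACL rules pushed to the SACG, or a VLAN assigned by the 802.1X switch. The following is an added example written for this page, not Huawei TSM code. It models that flow end to end. Everything in it is constructed: the user database (standing in for the local/LDAP/MAC modes), the patch IDs, the software blacklist, the seven-day virus database limit, the address plan, and the VLAN numbers; the ACL lines use generic wording rather than the syntax of any particular gateway.

```python
# Added example for this page (not Huawei TSM code): a small NAC decision engine
# following the flow on the SACG, host-firewall and 802.1X slides:
# identity authentication -> security policy check -> domain decision ->
# enforcement as SACG ACL rules or an 802.1X VLAN. All names, addresses,
# patch IDs and policy thresholds below are constructed for the example.
from dataclasses import dataclass, field
from datetime import date, timedelta

PRE_AUTH = "pre-authentication"
ISOLATION = "isolation"
POST_AUTH = "post-authentication"

# Constructed policy (assumption; a real TSM policy is set in its console).
REQUIRED_PATCHES = {"KB000001", "KB000002"}     # hypothetical patch IDs
SOFTWARE_BLACKLIST = {"p2pdownloader.exe"}     # hypothetical "illegitimate" software
MAX_VIRUS_DB_AGE = timedelta(days=7)
LOCAL_USERS = {"alice": "s3cret"}              # stands in for local/LDAP/MAC authentication

# Constructed address plan (assumption), written as generic ACL destinations.
TSM_SERVER = "host 10.10.0.5"                  # pre-authentication domain
ISOLATION_SERVERS = ["10.10.1.0 0.0.0.255"]    # AV, patch and repair servers
POST_AUTH_NETS = ["10.20.0.0 0.0.255.255"]     # business resources
VLAN_BY_DOMAIN = {PRE_AUTH: 10, ISOLATION: 20, POST_AUTH: 100}


@dataclass
class Posture:
    """What the agent reports about a terminal (fields mirror the slide checks)."""
    antivirus_running: bool
    virus_db_date: str            # ISO date of the last signature update
    installed_patches: set
    running_software: set


@dataclass
class Decision:
    domain: str
    failures: list = field(default_factory=list)
    repair_actions: list = field(default_factory=list)


def authenticate(user, password):
    """Step 1: identity authentication (user name + password in this example)."""
    return LOCAL_USERS.get(user) == password


def check_posture(posture, today):
    """Step 2: security policy check plus the automatic repairs it triggers."""
    today = date.fromisoformat(today)
    failures, repairs = [], []
    if not posture.antivirus_running:
        failures.append("antivirus software not running")
        repairs.append("upgrade/start the antivirus software")
    if today - date.fromisoformat(posture.virus_db_date) > MAX_VIRUS_DB_AGE:
        failures.append("virus database outdated")
        repairs.append("update the virus database")
    missing = REQUIRED_PATCHES - posture.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
        repairs.append("download patches automatically")
    illegal = posture.running_software & SOFTWARE_BLACKLIST
    if illegal:  # no automatic repair: the user has to remove it
        failures.append("illegitimate software: " + ", ".join(sorted(illegal)))
    domain = POST_AUTH if not failures else ISOLATION
    return Decision(domain, failures, repairs)


def decide(user, password, posture, today):
    """Full flow: an unauthenticated terminal stays in the pre-authentication domain."""
    if not authenticate(user, password):
        return Decision(PRE_AUTH, ["identity authentication failed"])
    return check_posture(posture, today)


def sacg_acl(terminal_ip, decision):
    """Step 3, SACG mode: the ACL rules the TSM would push for this terminal.
    Generic ACL wording, not the syntax of any particular gateway."""
    reachable = [TSM_SERVER]                       # always: authentication and agent download
    if decision.domain in (ISOLATION, POST_AUTH):
        reachable += ISOLATION_SERVERS             # repair servers
    if decision.domain == POST_AUTH:
        reachable += POST_AUTH_NETS                # business resources
    rules = [f"permit ip host {terminal_ip} {dst}" for dst in reachable]
    rules.append(f"deny ip host {terminal_ip} any")
    return rules


def dot1x_vlan(decision):
    """Step 3, 802.1X mode: the switch moves the port to the domain's VLAN."""
    return VLAN_BY_DOMAIN[decision.domain]
```

Two details are worth noting. A terminal that fails the check is never cut off entirely: the isolation rules still permit the repair servers, otherwise the automatic repair step could not run and the terminal would be stuck. And the blacklisted-software failure has no repair action, so it keeps the terminal in the isolation domain until the user removes the software, which is exactly the behaviour the host-firewall slide describes as providing only restricted resources to isolate threats.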
3. Deployment of Terminal Security Policies

Major Functions of the TSM System

TSM: scalable and upgradeable policies and reporting service, organized as authority- and domain-based control, a process-based policy model, and operable reports.

Access control:
• Guest management
• Exceptional device management
• Forced compliance evaluation
• Access range of authorized users
• Identity authentication: anonymous/local account; AD/third-party LDAP; PKI/CA
• Compliance check: security evaluation; system configuration check; user access binding
• One-key automatic repair
• Time-based NAC

Security management:
• Security enhancement: antivirus prevention; patch/service pack; suspicious process/registry; dangerous port/service; software blacklist/whitelist; illegal sharing/account; local security configuration management
• Network protection: ARP protection; IP/MAC binding; IP access rules; control of malicious network programs; Internet-intranet connection monitoring; network identification
• Information disclosure prevention: peripheral management; portable storage management; network access monitoring; monitoring of illegal external connections; file operation auditing
• Office behavior management: network access auditing; media downloading; non-office software; traffic auditing; terminal online record
• Customized security policies

Desktop management:
• Patch management: one-stop download and installation; close cooperation with WSUS; quick subnet distribution
• Asset management: lifecycle management; asset change alarm; automatic IP device identification; IP device access auditing
• Software distribution
• Remote assistance
• Message announcement

Organization Management Function: Management Dimension I

(Figure not extracted.)

Network Domain Management: Management Dimension II

(Figure not extracted.)

Identity Authentication Function

• Ordinary user name + password authentication
• MAC account authentication
• AD account authentication
• LDAP authentication
• Support for USB key authentication

Security Policy Configuration (figures not extracted)

• Security Policy: Checking a Shared Directory
• Security Policy: Checking Printer Sharing
• Security Policy: Monitoring USB Storage Devices
• Security Policy: Monitoring Computer Peripherals
• Security Policy: Checking Ports
• Security Policy: Monitoring DHCP Settings
• Security Policy: Checking Illegal External Connections
• Security Policy: Checking Antivirus Software
• Security Policy: Checking Patches

Summary

• Terminal security
• Components and deployment of the TSM system
• Organization management and access control modes of the TSM system
• Configuration of security policies for the TSM system

Questions

• What is the TSM? What terminal security problems can the TSM system resolve?
• What components does the TSM system consist of?
• What roles do the SM and SC play in the TSM system? Which component exchanges services with the SACG?
• What are the two management dimensions of the TSM system? What are the differences between them?
• What identity authentication modes does the TSM system support? What are the differences between them?
• What security policies does the TSM system involve? What problems do these security policies solve?

Answer

Thank you
www.huawei.com

Chapter 12 Introduction to Huawei Security Products
www.huawei.com

Objectives

• Upon completion of this course, you will be able to describe:
  • USG series firewalls
  • VPN gateway products
  • Security software products
  • SIG products
  • NIP products
  • Anti-DDoS solution

Contents

1. Huawei Security Products Overview
2. USG Series Products Overview
3. VPN Gateway Products Overview
4. Security Software Products Overview
5. SIG Products Overview
6. NIP Products Overview
7. Anti-DDoS Solution Overview

Security Products Overview

Security services (security response center and ability center):
• Service center: spam database, botnet signature database, application protocol category database (DPI), URL category database, virus/malware signature database, intrusion/vulnerability signature database, reputation evaluation
• Security management services: emergency security fault response center, online upgrade platform, security consulting

Network and content security:
• UTM / firewall: USG2000, USG5000, USG9000
• Anti-DDoS solution: USG5000-ADI/ADD, USG9000, ATIC management center
• Secure routing gateway: USG2000BSR/HSR, USG5000BSR/HSR
• SSL VPN: SVN3000
• IDS: NIP200, NIP1000

Security software:
• TSM: terminal security management
• DSM: document security management
• eLog: log management and audit
• VSM: unified management

2. USG Series Products Overview

Huawei USG Series Products

The USG series is positioned from the remote site up to the enterprise headquarters:
• USG2110: remote site / small office
• USG2130, USG2130W, USG2160, USG2160W: small branch office
• USG2205, USG2210, USG2230: large branch office
• USG2250, USG2260: small enterprise headquarters
• USG5120, USG5150: enterprise headquarters

USG2110 Fixed Model

• 2WAN+8FE (desktop model)
• Fixed configuration
• Performance
  • Firewall throughput (large packets): 150 Mbit/s
  • Number of concurrent connections: 100,000
• Features
  • Basic firewall/VPN functions
  • PPPoA/DDNS/TR069
• SOHO users (1U to 20U)

Model              Description
USG2110-F          2FE+8FE, 1USB
USG2110-F-W        2FE+8FE, 1USB, WiFi
USG2110-A-W        1FE, 1ADSL+8FE, 1USB, WiFi
USG2110-A-GW-C     1FE, 1ADSL+8FE, 1USB, WiFi, 3G-CDMA2000
USG2110-A-GW-W     1FE, 1ADSL+8FE, 1USB, WiFi, 3G-WCDMA
USG2110-A-GW-T     1FE, 1ADSL+8FE, 1USB, WiFi, 3G-TD-SCDMA

USG2100 Series

• 1FE+8FE (chassis model)
• 1 or 2 extension slots (USG2130/USG2160)
• Serial/E1/ADSL2+/FE/GE/3G/G.SHDSL
• Built-in WiFi (-W models)
• Complete UTM features (license controlled)
  • IPS/antivirus/anti-spam/URL filtering
• IPv6 support
• VPN functions
  • L2TP/SSL/IPSec/MPLS/GRE
• Performance
  • Firewall throughput (large packets): 200 Mbit/s
  • Number of concurrent connections: 200,000
• Small branch users (30U to 100U)

Model          Description
USG2130        1FE+8FE, 1USB, 1MIC
USG2130-W      1FE+8FE, 1USB, 1MIC, WiFi
USG2160        1FE+8FE, 1USB, 2MIC
USG2160-W      1FE+8FE, 1USB, 2MIC, WiFi

USG2200 Series

• 2GE Combo (chassis model)
• 4MIC+2FIC expansion slots
• FE/GE/Serial/E1/ADSL2+/G.SHDSL/3G/WiFi
• Multi-service open platform (x86)
• Complete UTM features (license controlled)
  • IPS/antivirus/anti-spam/URL filtering
• IPv6 support
• VPN functions
  • L2TP/SSL/IPSec/MPLS/GRE
• DC power model: USG2250
• Medium-sized enterprise users (200U to 500U)

Model          Description
USG2210        2GE Combo, 2USB, 4MIC+2FIC
USG2220        2GE Combo, 2USB, 4MIC+2FIC
USG2230        2GE Combo, 2USB, 4MIC+2FIC
USG2250 AC/DC  2GE Combo, 2USB, 4MIC+2FIC

USG5120

• 2GE+2GE Combo (chassis model)
• 4MIC+2FIC+2DFIC expansion slots
• FE/GE/Serial/E1/ADSL2+/G.SHDSL/3G/WiFi
• Multi-service open platform (x86)
• Complete UTM features (license controlled)
  • IPS/antivirus/anti-spam/URL filtering
• IPv6 support
• VPN functions
  • L2TP/SSL/IPSec/MPLS/GRE
• Performance
  • Firewall throughput (large packets): 2000 Mbit/s
  • Number of concurrent connections: 1 million
• DC power model
• Medium-sized enterprise users (500U to 700U)

Model          Description
USG5120        2GE+2GE Combo, 2USB, 4MIC+2FIC+2DFIC
USG5120-DC     2GE+2GE Combo, 2USB, 4MIC+2FIC+2DFIC, DC power supply

USG5150

• 4GE Combo (chassis model)
• 4MIC+2FIC+4DFIC expansion slots
• FE/GE/Serial/E1/ADSL2+/G.SHDSL/3G/WiFi
• Multi-service open platform (x86)
• Complete UTM features (license controlled)
  • IPS/antivirus/anti-spam/URL filtering
• IPv6 support
• VPN functions
  • L2TP/SSL/IPSec/MPLS/GRE
• Performance
  • Firewall throughput (large packets): 4000 Mbit/s
  • Number of concurrent connections: 2 million
• 1+1 redundant power supply
• Medium-sized enterprise users (800U to 1000U)

Model          Description
USG5150        4GE Combo, 2USB, 4MIC+2FIC+4DFIC
USG5150-DC     4GE Combo, 2USB, 4MIC+2FIC+4DFIC, DC power supply

Application Scenario of Enterprise Security Protection

(Figure: the USG5150 and USG5120 protect the enterprise headquarters; the USG2200 serves the enterprise partner and the regional office; the USG2100 serves the enterprise branch and the remote site. All sites connect over the Internet through VPNs.)

Application Scenario of Enterprise VPN Access

(Figure: a USG5150 at the enterprise headquarters terminates IPSec VPN tunnels over the Internet from a USG2210 connected via ADSL, a USG2230 connected via E1, and a USG2130 connected via FE.)

3. VPN Gateway Products Overview

Functions of the SVN3000

SVN3000 secure access gateway:
• Advanced virtual gateway
• Web proxy
• File sharing
• Port proxy (port forwarding)
• Network extension
• User security control
• Complete logging functions
• Reliability

Carrier-Class Hardware Platform of the SVN3000

Item                      SVN3000
Ports                     Fixed ports: 3 x 10/100/1000M combo ports
Power supply              Dual power supply; AC: 100 V to 240 V, 50/60 Hz; DC: -48 V to -60 V
Dimensions (H x W x D)    1U: 44.45 mm x 436 mm x 420 mm, for 19-inch cabinets
Fans                      7 built-in fans

Front Panel of the SVN3000

Port       Rate              Type (optical/electrical)
PORT0      10/100/1000M      RJ45/SFP combo
PORT1      10/100/1000M      RJ45/SFP combo
PORT2      10/100/1000M      RJ45/SFP combo
Console    9,600 bit/s       RJ45

Indicator  Meaning
PWR0       PWR0 state
PWR1       PWR1 state
SYS        System state
ACT        Active/standby state

Rear Panel of the SVN3000

(Figures: rear panel of the SVN3000 AC model; rear panel of the SVN3000 DC model.)

Typical Networking of the SVN3000

(Figure: mobile office employees in residential buildings, hotels, and business halls reach the SVN3000 over the Internet; behind it sit the file server, Web server, mail server, SMC, NMS, and business support system (BOSS).)

• Free of client: a terminal can access the application system through a Web browser without installing special software.
• Best access experience (WYSIWYG): requested resources are displayed on the Web page item by item, forming a clear view of the available intranet services.
• Fast deployment: deployed without changing the intranet topology; simple user and permission management through user-friendly Web pages.

4. Security Software Products Overview

Terminal Security Management (TSM) System Overview

Product positioning:
• All-in-one terminal security solution for enterprises

Application scenarios:
• Secure terminal access and security policy management
• Employee behavior auditing and mobile device management
• Asset management, software distribution, and patch management

Key performance:
• Supports mainstream Windows operating systems, including 2000/XP/Vista/Windows 7
• A single server supports up to 20,000 concurrent users

Product features:
• Distributed deployment architecture providing the highest performance, reliability, and scalability in the industry, and eliminating network bottlenecks on network devices

(Figure: Secospace TSM function areas: access control, security policy management, patch management, employee behavior management, software distribution, asset management.)

Functions of the TSM

Terminal Security Management Solution:

• Security access control: SACG mode; 802.1X control mode; host firewall-based access control mode; AD/LDAP/CA interworking authentication; Agent client; non-Agent IE controller; one-click recovery
• Security policy check: antivirus software check; PC peripheral check; operating system, IE, and Office patch check; host security policy check covering system accounts and registries; shared file and printer check; process and service monitoring
• User behavior audit: access behavior management; USB device monitoring; illegitimate external connection management; ARP protection; network traffic monitoring
• Patch management: WSUS interworking; user-defined patch task distribution; resumable download and integrity check; efficient patch distribution based on patented technologies; patch filtering; patch statistics and reports
• Software distribution: time-specific software distribution; automatic running of executable files; detailed and intelligent distribution status reports
• Asset management: asset registration management; asset lifecycle management; asset statistics; software license management; asset change alarm; server platform monitoring; bulletin and remote assistance

TSM Deployment Topology

• TSM management center (TMC, optional)
• Security Manager (SM)
• Security Controller (SC)
• Security Access Control Gateway (SACG)
• Security Agent (SA)

(Figure: the TMC, used by the upper-level system administrator, reaches TSM management nodes 1 to n across the WAN. Each node (for example, province A and province B) runs an SM and an SC and contains a pre-authentication domain, a post-authentication domain with service servers 1 and 2, and an isolation domain with the patch server, antivirus (AV) server, and file repair server, all behind an SACG on the core network.)

Document Security Management (DSM) System Overview

Product positioning:
• Enterprise document security solution

Application scenarios:
• Preventing unauthorized document use by employees
• Preventing information disclosure through document spreading
• Auditing document use

Key performance:
• A single server supports up to 20,000 users, 200 concurrent users, and a throughput of 2,000 users/minute
• Supports mainstream document types such as Word, PPT, Excel, PDF, and JPG
• Supports document permissions such as read-only, read-write, replication, distribution, print (number of times controllable), full control, and offline use

Product features:
• Dynamic encryption and decryption combining the application and driver layers, real-time permission management, centralized key management, complete log auditing, centralized and distributed deployment; a high-availability, high-performance, and scalable architecture providing a unified and powerful document security management platform

(Figure: Secospace DSM function areas: document permission management (powerful dynamic encryption and decryption technologies, real-time document permission control, group policy and permission templates); user management (account and department management, user roaming, cross-system authorization); log auditing (Web client login logs, document operation logs).)

DSM Deployment

(Figure: the Secospace DSM and its three function areas: document permission management (powerful dynamic encryption and decryption technologies, real-time document permission control, group policy and permission templates), user management (account and department management, user roaming, cross-system authorization), and log auditing (Web client login logs, document operation logs).)

DSM Deployment Topology

• DSM management center (DMC)
• DSM server (DS)
• DSM client (DC)

(Figure: the DMC, used by the system administrator, connects over the core network to DSM management nodes DS1 (province A) and DS2 (province B), each serving its DCs.)

Functions of the eLog Log Management System

• NAT log management
  • NAT logs of firewalls, routers, and BRAS devices
  • Translation records of source IP addresses, source ports, destination IP addresses, destination ports, and protocol types
• Network traffic auditing
  • Works with the UTM device to provide an intuitive view of basic traffic, application traffic, interface traffic, and P2P traffic in the form of reports
  • Displays multi-dimensional statistics of the intrusion prevention system (IPS), mail filtering, virus detection, URL auditing, and instant messaging (IM) and defense services, and prints the statistics in the form of reports
• Database and operating system auditing
  • Audits the database through off-line deployment of the behavior auditing probe
  • Audits the operating system by collecting system logs
• Application-layer protocol (FTP/Telnet/HTTP) translation, behavior monitoring, and restoration through the behavior auditing probe
• Unified log management platform for network resources
  • Network devices, security devices, hosts, Web servers, and application systems
• Rich alarm management functions
  • Alarming by mail, short message, alarm box, and audible and visual alarms
  • Alarm monitoring and alarm statistics

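The NAT log management function above exists for one recurring question: given a public (translated) address, port, protocol, and time, which private host was behind it? The following is an added example written for this page, not eLog code, showing why all five fields and the time window are needed. The log format, device name, and every address in it are constructed for the example; real firewalls, routers, and BRAS devices each log in their own format, so only the regular expression would change.

```python
# Added example for this page (not eLog code): a small NAT session-log parser
# and the lookup that the "NAT log management" function exists for. The log
# format, device name and all addresses below are constructed for the example.
import re
from datetime import datetime

# Constructed NAT session log (open/close records, hypothetical format).
SAMPLE_NAT_LOG = """\
2010-06-01 10:00:01 fw1 NAT: proto=tcp src=10.1.1.23:51234 dst=198.51.100.7:80 trans_src=203.0.113.5:40001 action=open
2010-06-01 10:00:02 fw1 NAT: proto=udp src=10.1.1.23:53011 dst=198.51.100.9:53 trans_src=203.0.113.5:40001 action=open
2010-06-01 10:00:30 fw1 NAT: proto=tcp src=10.1.1.23:51234 dst=198.51.100.7:80 trans_src=203.0.113.5:40001 action=close
2010-06-01 10:00:31 fw1 %%01SYS/4/NOISE: not a NAT record, must be skipped
2010-06-01 10:05:00 fw1 NAT: proto=tcp src=10.1.1.40:49152 dst=198.51.100.7:443 trans_src=203.0.113.5:40001 action=open
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dev>\S+) NAT: "
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"trans_src=(?P<tsrc>[\d.]+):(?P<tsport>\d+) action=(?P<action>open|close)$"
)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_nat_log(text):
    """Pair open/close records into sessions. Returns a list of dicts; a session
    without a close record has end=None (still open when the log ended)."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # other syslog lines are ignored, never guessed at
        r = m.groupdict()
        key = (r["dev"], r["proto"], r["src"], int(r["sport"]), r["dst"], int(r["dport"]))
        if r["action"] == "open":
            open_sessions[key] = {
                "device": r["dev"], "proto": r["proto"],
                "private_ip": r["src"], "private_port": int(r["sport"]),
                "dst_ip": r["dst"], "dst_port": int(r["dport"]),
                "public_ip": r["tsrc"], "public_port": int(r["tsport"]),
                "start": _ts(r["ts"]), "end": None,
            }
        else:
            s = open_sessions.pop(key, None)
            if s is not None:             # a close without an open is dropped
                s["end"] = _ts(r["ts"])
                sessions.append(s)
    sessions.extend(open_sessions.values())
    return sessions


def find_private_host(sessions, public_ip, public_port, proto, at):
    """Who was behind public_ip:public_port/proto at time `at`?
    The time window matters: the same public port is reused by a different
    private host once a session closes, so matching on ip:port alone is wrong."""
    at = _ts(at)
    return [
        s for s in sessions
        if s["public_ip"] == public_ip and s["public_port"] == public_port
        and s["proto"] == proto
        and s["start"] <= at and (s["end"] is None or at <= s["end"])
    ]
```

In the constructed log, public port 40001 is used by 10.1.1.23 until 10:00:30 and reused by 10.1.1.40 from 10:05:00, and a UDP session shares the same public port at the same time. A lookup that ignores the protocol or the timestamp returns the wrong host, which is why the slide lists the protocol type and the full address tuple, and why the log's clock must be trustworthy.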
e n
Overview of the Versatile Security Management (VSM) System

 Product positioning:
  - Sold along with security products as a total solution for Chinese and overseas industrial customers; deployed with the U2000 component on the SP network

 Application scenarios:
  - Unified management of switches, routers, and security products

 TMN standard framework:
  - Service management layer
  - Network management layer
  - Network element (NE) management layer

 Communication modes:
  - SNMP, SFTP, and SSH

 Product features:
  - C/S architecture; in-band networking or out-of-band networking; topology management, NE management, performance management, centralized policy configuration management, fault management, and VPN management for Eudemon/USG/SIG full series security devices and mainstream network devices; intuitive network topology view to help administrators quickly locate network faults, improve management, increase work efficiency, and reduce maintenance cost, providing an efficient management platform for all devices on the network

[Figure: VSM components: console, management server, and collection server.]
Functions of the VSM

Unified management platform for network and security devices

 NE management
  - Topology management
  - Device management
  - Board management
  - Virtual firewall management
  - Routing and switching devices
  - Single-point Web configuration

 Fault management
  - Alarm browsing and statistics
  - Alarm monitoring
  - Alarm confirmation and synchronization
  - Correlation rule
  - Alarm screening
  - Remote notification
  - Alarm dumping

 Performance management
  - Performance monitoring
  - Real-time monitoring
  - Performance statistics
  - Interface statistics

 Policy configuration
  - Security policy
  - Anti-attack policy
  - L2TP VPN policy
  - IPSec VPN policy

 Northbound interface
  - SNMP
  - CORBA
  - FTP
  - XML
  - TEXT

Complete self-management capabilities of the system
VSM Deployment Topology

[Figure: VSM deployment topology. At the enterprise headquarters, a security policy center (VSM and Secospace TSM) manages the SIG, the NIP intrusion detection system, the USG firewall, the SSL VPN gateway, the SACG, switches, and routers, which connect the intranet, data center, and DMZ to the Internet. A branch (with its own NIP intrusion detection system and USG firewall) and a partner (USG firewall) connect over IPSec VPN; mobile users running the TSM Agent connect over SSL/IPSec VPN.]
Contents

1. Huawei Security Products Overview
2. USG Series Products Overview
3. VPN Gateway Products Overview
4. Security Software Products Overview
5. SIG Products Overview
6. NIP Products Overview
7. Anti-DDoS Solution Overview
Service Inspection Gateway (SIG)

The SIG is delivered by Huawei to help customers add value to, and maintain the value of, their MAN services. It provides functions such as service traffic flow analysis, VoIP service monitoring, P2P service monitoring, shared access monitoring, abnormal traffic (such as DDoS traffic) monitoring, user behavior analysis, and intelligent Web pushing.

 Service awareness
  - Understanding traffic composition, distribution, and trend as a basis for network planning
  - Monitoring network applications and exploring new service growth points

 Flow control
  - Controlling P2P traffic to release bandwidth and reduce internetwork settlement cost
  - Improving user experience in other applications such as Web page browsing, gaming, and stock trading

 Illegitimate service control
  - Preventing illegitimate Internet connections by illegitimate Internet cafes and small enterprises, to help operators increase broadband service revenues
  - Restricting illegitimate VoIP

 Value-added service operation
  - Statistics of the websites users are most interested in, user classification by interest, and top N websites
  - Interest-based intelligent advertisement pushing

 DDoS attack monitoring to provide secure broadband networks

[Figure: unified SIG platform covering traffic flow monitoring, P2P and DDoS monitoring and control, security, illegitimate VoIP control, user behavior analysis, Web pushing, and operation management.]
SIG9280E/1000E High-Integrity 10G Off-line DPI Device

| Item                               | SIG1000E                                | SIG9280E                                 |
|------------------------------------|-----------------------------------------|------------------------------------------|
| Appearance                         | Rackmount, 5U                           | Rackmount, 14U                           |
| Type of extended interface cards   | 10G POS, 10GE, 4 x 2.5G POS, 8 x GE     | 10G POS, 10GE, 4 x 2.5G POS, 8 x GE      |
| Number of extended interface cards | 4                                       | 12                                       |
| Extended service slots             | 4 x service board, 2 x switching board  | 12 x service board, 2 x switching board  |
| Power supply                       | DC/AC; dual power supply                | DC/AC; dual power supply                 |

Highlights: high density (12 x 10G access), high availability (key component redundancy), high scalability (12 x service board), and high flexibility (2.5G/10G POS).
Contents

1. Huawei Security Products Overview
2. USG Series Products Overview
3. VPN Gateway Products Overview
4. Security Software Products Overview
5. SIG Products Overview
6. NIP Products Overview
7. Anti-DDoS Solution Overview
Overview of the NIP Intrusion Detection System (IDS)

 Product positioning:
  - IDC and enterprises of all sizes

 Application scenarios:
  - 1000/100M intranet intrusion detection and behavior auditing
  - IDC 1000/100M security defense intrusion detection

 Key performance:
  - NIP200: 200 Mbit/s throughput, 250,000 concurrent users
  - NIP1000: 1 Gbit/s throughput, 1 million concurrent users

 Hardware specifications:
  - NIP200: 3 x GE electrical port
  - NIP1000: 2 x GE electrical port + 2 x GE optical port

 Product features:
  - Special application-layer accelerating engine and efficient algorithm for high-speed, efficient, and accurate detection
  - Special virtual engine technology to provide all-in-one functions at lower cost
  - Professional security anti-attack labs to adapt to the latest network attack prevention technologies in the world and maintain technical edges

[Figure: NIP200 and NIP1000 appliances.]
Functions of the NIP IDS

 Intrusion detection and analysis
  - Worm detection
  - Protocol decoding
  - IP fragment reassembly
  - Protocol filtering and false positive processing

 Security event response
  - Alarming
  - Logging
  - Session disconnection
  - Log storm processing
  - Program execution
  - Firewall interworking

 System activity and status monitoring
  - Engine status monitoring
  - Server status monitoring
  - Email and MSN monitoring
  - File transfer and real-time session monitoring
  - Multi-port listening
  - Harmful website monitoring

 Log management
  - Log query
  - Log replication
  - Log synchronization
  - Log deletion
  - Log compression

 Statistics
  - Intrusion statistics
  - Traffic statistics
NIP IDS Deployment Topology

[Figure: NIP IDS deployment topology. The intranet connects through a switch, a firewall, and a router to the Internet; the NIP console and the NIP engine are deployed on the intranet side.]
Contents

1. Huawei Security Products Overview
2. USG Series Products Overview
3. VPN Gateway Products Overview
4. Security Software Products Overview
5. SIG Products Overview
6. NIP Products Overview
7. Anti-DDoS Solution Overview
Overview of the Anti-DDoS Solution

 Solution positioning:
  - Professional anti-DDoS solution

 Application scenarios:
  - DMZ service protection for customers in the following industries:
    - Banks and securities
    - Government (public security, HR, and statistics departments)
    - Portal websites
    - Other industries with DMZ services as the key services

 Components:
  - Detection center device and cleaning device (ADG 5320 series: ADG 5320-I and ADG 5320-D)
  - Management center: VSM
Anti-DDoS Solution Deployment Topology

[Figure: Anti-DDoS deployment topology. Between the upper-level network and the network access layer, at the network egress, a detection center (professional traffic analysis device) and a cleaning center (professional traffic cleaning device) are deployed. A management center provides policy control, policy management, device management interworking, anti-DDoS solution interworking, and reporting.]
Summary

 USG series firewalls
 VPN gateway products
 Security software products
 SIG products
 NIP products
 Anti-DDoS solution
Questions

 What security products can Huawei deliver?
 What main software security products can Huawei provide?
 What are the characteristics or modes of Huawei security product deployment?
 What problems can Huawei security products resolve?
Thank you

www.huawei.com