Professional Documents
Culture Documents

With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:

1. Comprehensive E-Learning Courses
Content: All Huawei Career Certification E-Learning courses
Methods to get the E-learning privilege: submit your Huawei Account and the email used for Huawei Account registration to Learning@huawei.com.

2. Training Material Download
Content: Huawei product training material and Huawei career certification training material
... Training/Classroom Training, then you can ... please refer to http://support.huawei.com/ecommunity/bbs/10154479.html

4. Learning Tool: eNSP
eNSP (Enterprise Network Simulation Platform) is a graphical network simulation tool developed by Huawei and free of charge. eNSP mainly simulates enterprise routers and switches as close to the real hardware as possible, which makes lab practice available and easy without any real device.

In addition, Huawei has built up the Huawei Technical Forum, which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others, or become acquainted with Huawei products (http://support.huawei.com/ecommunity/).

Copyright © 2010 Huawei Technologies Co., Ltd. All rights reserved.

Objectives

Upon completion of this course, you will be able to:
- Understand the OSI model
- Understand TCP/IP principles
- Understand TCP/IP security issues
- Understand common attack means

Contents

1. OSI Model Introduction
2. TCP/IP Introduction
3. TCP/IP Security Issues
4. Common Network Attacks

OSI Model Generation

- Purposes
- Design principles
- Strengths

Introduction to Seven Layers of the OSI Model

PDU      Layer               No.  Function
APDU     Application layer   7    Providing inter-application communication
PPDU     Presentation layer  6    Data representation (format, encoding)
SPDU     Session layer       5    Managing sessions between applications
Segment  Transport layer     4    Establishing end-to-end connections between hosts
Packet   Network layer       3    Addressing and routing
Frame    Data link layer     2    Providing medium access and link management
Bit      Physical layer      1    Transmitting bit streams

Layers 5 to 7 are the three upper layers; layers 1 to 4 are the four lower layers.

Communication Between Peer Layers

Each layer communicates with its peer layer by using the service provided by the lower layer.

Host A                  PDU          Host B
Application layer   <-- APDU -->     Application layer
Presentation layer  <-- PPDU -->     Presentation layer
Session layer       <-- SPDU -->     Session layer
Transport layer     <-- Segment -->  Transport layer
Network layer       <-- Packet -->   Network layer
Data link layer     <-- Frame -->    Data link layer
Physical layer      <-- Bit -->      Physical layer

When the path crosses routers, only the lower layers are processed hop by hop: Host A and Host B terminate the transport, session, presentation and application layers end to end, while Router A, Router B and Router C each implement only the network, data link and physical layers.

Contents

1. OSI Model Introduction
2. TCP/IP Introduction
3. TCP/IP Security Issues
4. Common Network Attacks

Mapping Between TCP/IP and OSI Model Layers

TCP/IP is simply tiered, and its layers map clearly onto the OSI model layers.

OSI                  TCP/IP
Application layer    \
Presentation layer    > Application layer
Session layer        /
Transport layer      Transport layer
Network layer        Network layer
Data link layer      Data link layer
Physical layer       Physical layer

Encapsulation and Decapsulation Processes of TCP/IP Packets

On the sending host each layer prepends its own header (encapsulation); the receiving host strips the headers in reverse order (decapsulation).

Layer              Unit
Application layer  [APP][User data]
Transport layer    [TCP][APP][User data]
Network layer      [IP][TCP][APP][User data]
Data link layer    [Eth][IP][TCP][APP][User data]
Physical layer     10101011010101001010100011101010010101

Functions of Each TCP/IP Layer

Layer              Protocols                         Function
Application layer  HTTP, Telnet, FTP, TFTP, DNS      Providing a network interface for applications
Transport layer    TCP, UDP                          Establishing end-to-end connections
Network layer      IP, ICMP, IGMP, ARP, RARP         Addressing and routing
Data link layer    Ethernet, 802.3, PPP, HDLC, FR    Accessing physical media

Socket

Application  HTTP  FTP    Telnet  SMTP  DNS      TFTP  SNMP
Port         80    20/21  23      25    53       69    161
Transport    TCP   TCP    TCP     TCP   TCP/UDP  UDP   UDP
Network      IP datagrams

Socket:
- Source socket: source IP address + protocol + source port
- Destination socket: destination IP address + protocol + destination port

Data Link Layer Protocol

Ethernet protocol encapsulation:

Destination address (6 bytes) | Source address (6 bytes) | Type (2 bytes) | Data (46-1500 bytes) | CRC (4 bytes)

Types:
- Type 0x0800: IP
- Type 0x0806: ARP
- Type 0x8035: RARP

ARP

ARP encapsulation (carried in an Ethernet frame whose frame type is 0x0806):

Ethernet header: Destination address | Source address | Frame type (0806)
28-byte ARP request/response: Hardware type | Protocol type | Hardware address length | Protocol address length | OP | Source Ethernet address | Source IP address | Destination Ethernet address | Destination IP address

Network Layer Protocol

IP packet header:

Version | Header length | Service type | Total length
Identification | Flag | Fragment offset
TTL | Protocol | Header checksum
Source IP address
Destination IP address
IP option

Transport Layer Protocol

UDP packet format (bit positions 0, 8, 16, 24, 31):

Source port | Destination port
UDP length | UDP checksum (optional)
Data

TCP packet format:

Source port | Destination port
Sequence number (SN)
Acknowledgement (confirmation) number
Header length | Reserved | Flags: URG, ACK, PSH, RST, SYN, FIN | Window
Checksum | Urgent pointer
Option
Data

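The encapsulation, Ethernet type field, IP header checksum, TCP flags and socket 5-tuple described on the preceding slides, as an added worked example (this code is not part of the Huawei course). It builds a frame layer by layer and then decapsulates it, validating the IP header checksum on the way back up. The MAC and IP addresses, ports and payload are constructed for the demo; the TCP checksum is deliberately left zero and IP/TCP options are not handled.

```python
"""Added example (not from the Huawei course): build and parse the
Ethernet -> IP -> TCP encapsulation and extract the socket 5-tuple
(src IP, dst IP, protocol, src port, dst port).  Sample addresses and
payload are constructed for the demo."""
import socket
import struct

ETH_TYPE_IP = 0x0800
ETH_TYPE_ARP = 0x0806
IPPROTO_TCP = 6
TCP_FLAG_NAMES = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
                  (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IP header.  Computed with the
    checksum field zeroed it yields the field value; computed over a valid
    header (field included) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Encapsulate: payload -> TCP -> IP -> Ethernet (no options)."""
    # TCP: ports, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_no_ck = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP,
                           0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_no_ck[:10] + struct.pack("!H", ip_checksum(ip_no_ck)) + ip_no_ck[12:]
    eth = (bytes.fromhex(dst_mac.replace("-", "")) + bytes.fromhex(src_mac.replace("-", ""))
           + struct.pack("!H", ETH_TYPE_IP))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Decapsulate: Ethernet -> IP -> TCP, rejecting a corrupted IP header."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_TYPE_IP:            # e.g. 0x0806 ARP: not handled here
        return {"eth_type": eth_type}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    proto = ip[9]
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off >> 4) * 4
    return {
        "eth_type": eth_type,
        "five_tuple": (src_ip, dst_ip, proto, sport, dport),
        "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "payload": tcp[data_off:],
    }


if __name__ == "__main__":
    frame = build_frame("00-01-02-03-04-05", "01-11-21-31-41-51",
                        "192.168.0.10", "192.168.0.1", 40000, 80, 0x02, b"GET")
    print(parse_frame(frame))
```

Flipping one bit of the IP header (the TTL, say) makes `parse_frame` raise, which is the integrity check the checksum gives you; note that it protects only against accidental corruption, since an attacker who rewrites the header simply recomputes it.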
Contents

1. OSI Model Introduction
2. TCP/IP Introduction
3. TCP/IP Security Issues
4. Common Network Attacks

TCP/IP Security Risks

IPv4:
- Lacks a data source verification mechanism
- Lacks an integrity verification mechanism
- Lacks a confidentiality guarantee mechanism

Common security risks:
- Data link layer: MAC spoofing, MAC flood, ARP spoofing, STP redirection
- Network layer: IP address spoofing, packet fragmentation, ICMP attack, and route attack
- Transport layer: SYN flood
- Application layer: buffer overflow, vulnerabilities, viruses, and Trojan horses

ARP Security Risks

Scenario: the gateway has IP address 192.168.0.1 and MAC address 01-11-21-31-41-51. Host 192.168.0.10 (MAC 00-01-02-03-04-05) and host 192.168.0.11 (MAC 00-10-20-30-40-50) are on the same segment.

- ARP spoofing: host 192.168.0.11 sends an ARP reply for 192.168.0.1 ("I am the gateway") carrying its own MAC address. ARP has no authentication and hosts accept replies they never asked for, so 192.168.0.10 updates its ARP cache and sends gateway-bound traffic to the attacker.
- ARP flood: a host floods the segment with ARP packets, exhausting ARP caches or switch tables.

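A small ARP monitor of the kind a host agent or IDS runs to flag the two risks above, as an added example (not part of the Huawei course). It keeps the first IP-to-MAC binding it sees, or a seeded static one, and reports replies that contradict it (spoofing); it also counts unsolicited replies per sender MAC inside a sliding window (flooding). The reply records are constructed for the demo from the slide's addresses; the record layout, window and threshold are this example's own choices.

```python
"""Added example (not from the Huawei course): detect ARP spoofing and ARP
flooding from a stream of observed ARP replies.  Input records are
constructed for the demo."""
from collections import defaultdict

# (timestamp_s, sender_ip, sender_mac, solicited); solicited is True only
# when we had just sent an ARP request for sender_ip.
CONSTRUCTED_ARP_REPLIES = [
    (0.0, "192.168.0.1", "01-11-21-31-41-51", True),    # real gateway answers us
    (1.0, "192.168.0.11", "00-10-20-30-40-50", True),   # neighbour answers us
    (5.0, "192.168.0.1", "00-10-20-30-40-50", False),   # .11 claims "I am the gateway"
    (5.5, "192.168.0.1", "00-10-20-30-40-50", False),   # repeated to keep the cache poisoned
] + [  # 60 unsolicited replies in under a second from one MAC: an ARP flood
    (20.0 + i * 0.01, "192.168.0.%d" % (100 + i), "de-ad-be-ef-00-01", False)
    for i in range(60)
]


def analyse_arp_replies(replies, trusted=None, window=10.0, flood_threshold=50):
    """Return alerts: ("ARP_SPOOF", ip, known_mac, new_mac) once per conflicting
    pair, and ("ARP_FLOOD", mac, n) when one MAC sends n unsolicited replies
    within `window` seconds."""
    bindings = dict(trusted or {})        # seeded static entries beat learning
    recent = defaultdict(list)            # mac -> timestamps of unsolicited replies
    reported = set()
    alerts = []
    for ts, sender_ip, sender_mac, solicited in replies:
        known = bindings.get(sender_ip)
        if known is None:
            bindings[sender_ip] = sender_mac   # learn on first sight
        elif known != sender_mac and (sender_ip, sender_mac) not in reported:
            reported.add((sender_ip, sender_mac))
            alerts.append(("ARP_SPOOF", sender_ip, known, sender_mac))
        if not solicited:
            hits = [t for t in recent[sender_mac] if ts - t <= window] + [ts]
            recent[sender_mac] = hits
            if len(hits) == flood_threshold:
                alerts.append(("ARP_FLOOD", sender_mac, flood_threshold))
    return alerts


if __name__ == "__main__":
    for alert in analyse_arp_replies(CONSTRUCTED_ARP_REPLIES,
                                     trusted={"192.168.0.1": "01-11-21-31-41-51"}):
        print(alert)
```

Learning on first sight has the obvious weakness that whoever speaks first defines the baseline: if the attacker's reply arrives before the gateway's, the monitor will later flag the real gateway as the spoofer. That is why the gateway is seeded as a static binding here, and why the durable fix is on the switch (DHCP snooping with dynamic ARP inspection) or static ARP entries on critical hosts rather than detection alone.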
IP Security Risks

Scenario: host A (192.168.0.11) sends a request to host B (192.168.0.12). A sniffer on the path captures the request and sends a spoofed reply whose source address is 192.168.0.11.

Why is an IP address easily spoofed? The IP header carries no proof of who wrote the source address: any host can put any source address into a packet it sends, and IPv4 has no source verification (see the IPv4 weaknesses above).

- Inter-node trust relationship: trust is built on IP addresses alone, so whoever can forge the address inherits the trust.
- Man-in-the-middle attack: forge legitimate IP addresses to obtain confidential information.

TCP Security Risks

Unauthorized connection by sequence-number prediction. Host A trusts Host B (trust based on the IP address only); Host C initiates the attack:

1. C denies service to B (keeps B busy) so that B cannot answer A.
2. C sends a SYN to A with B's source address ("spoofed packet from C to A"): SYN=1, SEQ=11001, ACK=0.
3. A answers with SYN+ACK addressed to B: SYN=1, ACK=1, SEQ=54002, ACK=11001. C never sees this reply, because it is delivered to B.
4. C guesses A's sequence number and sends the final ACK as B ("spoofed packet from B to A"): ACK=1, SEQ=11001, ACK=54003.

If the guess is right, A holds an established connection that it believes is with trusted host B. The attack succeeds only because A's initial sequence numbers are predictable, and because A's trust decision rests on the source IP address alone.

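A simulation of the attack above, added here as an example (not part of the Huawei course), to show that it hinges on predictable initial sequence numbers (ISNs). Host A trusts Host B by IP address alone; Host C first connects legitimately to learn A's current ISN, then sends a SYN with B's address, never sees A's SYN+ACK (it goes to B) and must guess the ISN for the final ACK. The hosts, the two ISN policies and the trust rule are this example's own simplifications.

```python
"""Added example (not from the Huawei course): blind TCP spoofing against a
server with predictable vs. unpredictable initial sequence numbers."""
import secrets

TRUSTED_PEER = "192.168.0.12"   # Host B
ATTACKER = "192.168.0.13"       # Host C


class HostA:
    """Server side of the three-way handshake with a pluggable ISN policy."""

    def __init__(self, isn_policy="incremental"):
        self.isn_policy = isn_policy
        self._last_isn = 54000
        self.half_open = {}          # (peer_ip, peer_port) -> our ISN
        self.established = set()

    def _next_isn(self):
        if self.isn_policy == "incremental":   # predictable, as in old stacks
            self._last_isn += 1
        else:                                   # unpredictable (RFC 6528 spirit)
            self._last_isn = secrets.randbelow(1 << 32)
        return self._last_isn

    def on_syn(self, src_ip, src_port, seq):
        """A receives a SYN and returns the SYN+ACK it sends back *to src_ip*."""
        isn = self._next_isn()
        self.half_open[(src_ip, src_port)] = isn
        return {"flags": "SYN+ACK", "seq": isn, "ack": seq + 1}

    def on_ack(self, src_ip, src_port, ack):
        """A receives the final ACK.  Returns True only if the connection is
        established *and* trusted, which A decides from the source IP alone."""
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack != isn + 1:
            return False                        # wrong guess: no connection
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return src_ip == TRUSTED_PEER


def blind_spoof(a):
    """Host C's attack against HostA `a`; True if A accepts C as Host B."""
    probe = a.on_syn(ATTACKER, 40000, 1000)          # 1. legitimate probe
    a.on_ack(ATTACKER, 40000, probe["seq"] + 1)
    observed_isn = probe["seq"]
    _unseen = a.on_syn(TRUSTED_PEER, 40001, 11001)   # 2. SYN spoofed from B; the
    guess = observed_isn + 1                         #    reply goes to B, not to C
    return a.on_ack(TRUSTED_PEER, 40001, guess + 1)  # 3. spoofed final ACK with a guess


if __name__ == "__main__":
    print("incremental ISN:", blind_spoof(HostA("incremental")))
    print("random ISN:     ", blind_spoof(HostA("random")))
```

With the incremental policy the guess is exact every time; with a random 32-bit ISN the attacker has one chance in 2^32 per attempt. Randomised ISNs only close this particular hole, though: trust anchored on a source IP address is still misplaced, and the real remedy is authenticating the peer (for example with IPsec or an application-layer credential).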
Contents

1. OSI Model Introduction
2. TCP/IP Introduction
3. TCP/IP Security Issues
4. Common Network Attacks

Passive Attack

Host A and Host B communicate across the Internet; the attacker only monitors (sniffs) the traffic and does not modify it.

- Monitoring
- Detection: a purely passive sniffer sends nothing of its own, so it is hard to detect from the network.
- Defense: encrypt the traffic so that sniffed data is useless.

Discussion: why is the IP address easily spoofed?

Active Attack

Host A accesses the business resources of an enterprise across the Internet; the attacker injects or alters traffic.

- Spoofing attack: the packet header is forged (spoofed part: packet head)
- Falsification attack: the data load is modified (falsified part: data load)
- DoS attack

Man-in-the-Middle Attack

The attacker sits on the Internet path between Host A and Host B.
- Passive attack: steal information
- Proactive attack: falsify information

Summary

- OSI model
- TCP/IP principles
- TCP/IP security issues
- Common attack means

Question

- Why is ARP spoofing easily initiated?
- How is IP spoofing realized?
- What is the difference between TCP and UDP?
- Why does TCP have a header length field, but UDP does not?
- Why does TCP connection establishment require a three-way handshake, but disconnection a four-way handshake?

Answer

Thank you
www.huawei.com

Chapter 2 Basic Firewall Technology
www.huawei.com

Objectives

Upon completion of this course, you will be able to describe:
- The definition and classification of firewalls
- The main features and technologies of firewalls
- The data forwarding process and basic firewall configurations

Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration

Firewall Overview

Firewall functions:
- Filters between logical areas
- Hides the intranet structure
- Guarantees its own security
- Defends against active attacks

Topology: Intranet - Firewall - Router - Internet.

Discussion: is it possible to protect against a flow that does not go through the firewall? No: a firewall can only enforce policy on traffic that traverses it, so the placement must force the flows of interest through it.

Firewall Classification

By form:
- Hardware firewall
- Software firewall

By protected target:
- Standalone firewall
- Network firewall

By access control method:
- Packet filtering firewall
- Proxy firewall

Firewall Classification — Packet Filtering Firewall

A packet filtering firewall examines only the IP-layer and TCP-layer headers of each packet ("detects headers only") against its rules. Limitations:
1. Cannot correlate data packets
2. Cannot adapt to multi-channel protocols
3. Does not check application-layer data

Firewall Classification — Proxy Firewall

The client sends its connection request to the firewall, which runs a security check on the request and blocks unqualified ones. If the request passes, the firewall establishes a connection with the client and a separate connection with the server:
1. The client sends packet A to the firewall; the firewall sends packet A' to the server.
2. The server sends response packet B to the firewall; the firewall sends packet B' to the terminal.

Firewall Classification — Stateful Inspection Firewall

Host 10.0.0.1 connects to Server 20.0.0.1 through the firewall:
1. TCP SYN 10.0.0.1 -> 20.0.0.1: the firewall runs the security policy check and, if the packet is permitted, records the session information.
2. TCP SYN+ACK 20.0.0.1 -> 10.0.0.1 and the following packets (ACK, data) are matched against the recorded session and forwarded without a full policy lookup.
3. A packet that does not fit the recorded state, for example a SYN' or SYN+ACK' for which no session exists or which arrives in the wrong state, is a state error and is dropped.

Advantages:
1. Rapid processing of following packets
2. High security

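A minimal stateful-inspection model, added here as an example (not part of the Huawei course or any USG implementation). Only the first packet of a flow is checked against the policy; a session is recorded and later packets are matched to it by 5-tuple in either direction and to the TCP state the session expects. Packets that match no session, or arrive in the wrong state, are dropped as in the slide. The policy format, the state names and the hosts are this example's own constructed data.

```python
"""Added example (not from the Huawei course): a toy stateful firewall
that tracks TCP handshake state per session."""

SYN, ACK, RST, FIN, PSH = 0x02, 0x10, 0x04, 0x01, 0x08


def pkt(src, sport, dst, dport, flags):
    """Constructed packet record used by the demo."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


class StatefulFirewall:
    def __init__(self, policy):
        # policy: list of (src_prefix, dst_prefix, dst_port or None, "permit"/"deny"),
        # first match wins, implicit deny at the end.
        self.policy = policy
        self.sessions = {}   # (src, sport, dst, dport) of the initiator -> state
        self.stats = {"policy_checks": 0, "session_hits": 0, "dropped": 0}

    def _policy_allows(self, p):
        self.stats["policy_checks"] += 1
        for src_pfx, dst_pfx, dport, action in self.policy:
            if (p["src"].startswith(src_pfx) and p["dst"].startswith(dst_pfx)
                    and dport in (None, p["dport"])):
                return action == "permit"
        return False

    def _drop(self):
        self.stats["dropped"] += 1
        return "drop"

    def handle(self, p):
        """Return 'forward' or 'drop' for one packet."""
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        flags = p["flags"]
        if fwd not in self.sessions and rev not in self.sessions:
            # First packet of a flow: must be a bare SYN and must pass policy.
            if flags == SYN and self._policy_allows(p):
                self.sessions[fwd] = "SYN_SENT"
                return "forward"
            return self._drop()              # unsolicited SYN+ACK, denied SYN, ...
        self.stats["session_hits"] += 1
        key, from_initiator = (fwd, True) if fwd in self.sessions else (rev, False)
        state = self.sessions[key]
        if flags & (RST | FIN):
            del self.sessions[key]           # teardown from either side
            return "forward"
        if state == "SYN_SENT" and from_initiator and flags == SYN:
            return "forward"                 # SYN retransmission
        if state == "SYN_SENT" and not from_initiator and flags == SYN | ACK:
            self.sessions[key] = "SYN_RECV"
            return "forward"
        if state == "SYN_RECV" and from_initiator and flags & ACK and not flags & SYN:
            self.sessions[key] = "ESTABLISHED"
            return "forward"
        if state == "ESTABLISHED" and flags & ACK and not flags & SYN:
            return "forward"
        return self._drop()                  # state error (e.g. SYN+ACK' on an established session)


if __name__ == "__main__":
    fw = StatefulFirewall([("10.0.0.", "20.0.0.", 80, "permit")])
    for p in [pkt("10.0.0.1", 1234, "20.0.0.1", 80, SYN),
              pkt("20.0.0.1", 80, "10.0.0.1", 1234, SYN | ACK),
              pkt("10.0.0.1", 1234, "20.0.0.1", 80, ACK),
              pkt("20.0.0.1", 80, "10.0.0.1", 5555, SYN | ACK)]:
        print(fw.handle(p), fw.stats)
```

The server's SYN+ACK is forwarded without a policy entry permitting 20.0.0.1 -> 10.0.0.1, which is the whole point: the return direction is authorised by the session, not by a rule. That is also why a real firewall ages sessions out, limits the number of half-open ones, and (for protocols such as FTP that open a second channel) needs an application-aware helper, which the page calls ASPF, rather than this simple 5-tuple match.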
Firewall Hardware Platform Classification

- Intel X86: suitable for 100 M networks; limited by CPU processing ability and PCI bus speed.
- ASIC: a specifically designed hardware circuit which solidifies the instruction or calculation logic into the hardware for high processing capacity and firewall performance.
- NP: a network processor specifically designed for data packets; a compromise between the X86 and ASIC mechanisms.
- Multi-core: the new-generation hardware platform; multi-core solutions with higher integration and more efficient inter-core communication and management.

Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration

Firewall Working Modes

- Routing mode: each interface has an IP address.
- Transparent mode: no interface has an IP address.
- Composite mode: some interfaces have an IP address.

Discussion: do the interfaces in transparent mode really have no IP address? The forwarding interfaces carry no IP address and forward at Layer 2, like a bridge; an address the firewall needs for its own management is configured on the device, not on those interfaces.

Routing Mode

Features of routing mode:
- Supports more security features
- Has some influence on the network topology

Example topology: Internet on the Untrust side, interfaces 192.168.10.1/30 and 192.168.10.129/30; Trust side interfaces 192.168.10.5/30 and 192.168.10.133/30. Every firewall interface carries its own address, so the adjacent devices must be addressed to match.

Transparent Mode

Features of transparent mode:
- Has no influence on the network topology

Example topology: the Internet router is 192.168.10.1/30 and the Trust-side device is 192.168.10.2/30 on the same subnet; the firewall sits between them on the Untrust and Trust interfaces without an address of its own.

Composite Mode

Features of composite mode:
- Transparent to the network topology

Example topology: two firewalls between the Untrust side (192.168.10.1/30, 192.168.10.129/30) and the Trust side (192.168.10.2/30, 192.168.10.130/30) bridge the traffic transparently, while the interfaces that interconnect the firewalls carry IP addresses (1.1.1.1/30 and 1.1.1.2/30).

Discussion: does a single firewall support composite mode?

Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration

Definition of Security Zones

Default security zones:
- Untrust zone: the Internet (ISP A, ISP B)
- Demilitarized zone (DMZ): mail server, web server
- Trust zone: the enterprise intranet (financial server, ERP data server, OA server, user terminals)
- Local zone

Discussion: where is the local zone? The local zone is the firewall itself; traffic that originates from or terminates on the device (management sessions, for example) is local-zone traffic.

Definition of Inbound and Outbound

What is inbound? What is outbound?
- Inbound: traffic from a lower-priority security zone to a higher-priority one, for example from the Internet into the Trust zone (enterprise intranet).
- Outbound: traffic from a higher-priority security zone to a lower-priority one, for example from the Trust zone out to the Internet.

Relationship Between Firewall Security Zones and Interfaces

- Can the firewall have two security zones with the same security level? No; each zone has a distinct priority, because the priority is what decides inbound and outbound.
- Can one physical interface belong to two different security zones? No.
- Can different interfaces of the firewall belong to the same security zone? Yes.

Example: G0/0/0 and G0/0/1 are both in the Trust zone; G0/0/2 is in the DMZ; G0/0/3 is in the Untrust zone toward the Internet.

Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration

Firewall Functions

Switch: FE, GE; VLAN; Trunk, 802.1ad
Routing: static routing; policy routing; RIPv2; OSPFv2; BGPv4
Security: ACL; NAT; VPN: L2TP/GRE/IPSec/SSL/MPLS; P2P/IM
UTM: AV; IPS; anti-spam; URL filtering
WLAN/WWAN: WiFi; 802.11 b/g; 3G
WAN: PPP; PPPoE; ADSL2+; HDLC
Unified management: SNMPv2/v3; RMON; TR069; Telnet/SSL/HTTP(s); FTP/TFTP; SYSLOG

Main Firewall Function — Access Control

The firewall identifies the header fields of each packet from Host A to the Server (MAC, IP, TCP) and its data load, and offers the implementation measures: a policy is applied after an identity check, and access control is decided from the identity, the subject's attributes and the subject's operations.

Basic Firewall Function — Deep Packet Inspection

Identification based on:
- Feature fields
- Application-layer gateways
- Behavior patterns

SACG Interworking Technology

Components:
- Agent: the client agent on terminals at headquarters, in branches and on VPN access
- SACG: security access control gateway (firewall)
- SM: management server
- SC: control server
- SRS, SPS
- UCL: account ACL
- Pre-authentication domain: anti-virus server, patch server, domain management server, security auditor and security administrator, reachable before a terminal passes the check
- Post-authentication domain: business resources reachable after authentication

Goal: maximize resource utilization and improve service quality.

Log Auditing

The firewall collects all logs of traffic passing through the device between the extranet and the enterprise intranet users, and exports them at high speed to a log server. With eLog software, the firewall provides users with a clear record of network access, and analysis for reference.

Firewall Features 1

- Security zone: Trust, Untrust, DMZ, Local.
- Session list and ASPF: the session list is keyed by the quintuple; the server map list is keyed by a triple.
- Long connection: the corresponding data flow should not be aged out for a long time.
- Fragment caching: apply caching to fragment packets that reach the firewall earlier than ...
- Packet filtering: IP packet filtering.
- Attack defense: can detect various types of network attacks; through packet statistics analysis, realizes ... protection.
- Blacklist: a user IP address matching the blacklist is shielded.
- IP spoofing defense: avoids IP address fraud attacks.
- User-defined ports: allows users to define a group of new port numbers in addition to the well-known port numbers.

Firewall Features 2

- Access Control List: the application basis of packet filtering, NAT, IPSec, QoS, and policy-based routing.
- Network Address Translation: slows down IP address space exhaustion; hides intranet private IP addresses.
- Authentication and Authorization: RADIUS protocol, HWTACACS.
- Layer-2 Tunneling Protocol: adopts packet-exchange network technology for information exchange, which ... model.
- GRE VPN: a Layer-3 tunneling protocol that uses tunnel technology.
- IPSec VPN: privacy, integrity, authenticity, replay attack defense.
- Load balancing: uses the processing capacity of all servers for load balancing.
- IP connection limit; IP bandwidth limit.
- P2P control: limits P2P traffic to ensure normal operation of other services.
- Logs: attack defense log, traffic monitoring log, blacklist log, information statistics.

Firewall Performance Indicator — Throughput

Throughput: the maximum traffic load that the firewall can process per unit time.

Effective throughput: the actual transmission rate per second, excluding the data carried by TCP packet drops and retransmissions.

Firewall Performance Indicator — Latency

Definition: the time interval from the last bit of a data packet going into the firewall to the first bit going out of the firewall; it is used to measure the speed at which the firewall processes data. Packets waiting in the queue can still be forwarded, so queueing adds to the measured latency.

Measurement setup: a traffic generator such as the Smartbits 6000B on both sides of the firewall records the latency of packet arrival.

Firewall Performance Indicator — New Connections per Second

Definition: the number of new complete TCP connections established through the firewall per second.

This indicator is used to measure the real-time data flow processing capacity of the firewall.

Firewall Performance Indicator — Concurrent Connections

Definition: a firewall processes packets based on connections, and the number of concurrent connections is the maximum number of connections that can be accommodated at the same time. One connection is one TCP/UDP access attempt.

This indicator is used to measure the maximum number of connections that can be established between hosts and servers at the same time.

Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration

VRP Platform

1. Implements a unified user interface and management interface; defines the operating system kernel, IP software forwarding engine, route processing, and configuration management platform.
2. Implements the platform control plane function, including the real-time interface forwarding specifications, and realizes the interaction between the forwarding plane and the VRP control plane of each product.
3. Implements the network interface layer and shields the differences between the link layer and the network layer of each product.

VRP Command Line Classification

- Visit level: network diagnostic tool commands (ping and tracert) and commands for accessing external devices from the local device (Telnet client, SSH, and Rlogin). With these commands the configuration file cannot be saved.
- Monitoring level: used for system maintenance and service failure diagnosis; includes the display and debugging commands. With these commands the configuration file cannot be saved.
- Configuration level: service configuration commands, for example the routing commands and the commands of each network layer, which provide direct network services for users.
- Management level: related to basic system operation; includes the commands used by the system to support its modules. These commands provide support for services.

VRP Command View

The system divides the command line interface into multiple command views. All commands of the system are registered under certain command views, and a command can be run only in its corresponding view.

Command view classification:
- User view: <USG>
- System view: [USG]
- Interface view: [USG-Ethernet0/0/1]
- Protocol view: [USG-rip]
- ...

VRP Online Help

Type a command, then a space and "?". If a keyword belongs at this position, all keywords and a brief description are displayed:
<USG 5000> display ?

Type a command, then a space and "?". If a parameter belongs at this position, the description of the parameter is displayed:
[USG 5000] interface ethernet ?
<3-3> Slot number

Type a character string followed by "?", and all commands beginning with this string are displayed:
<USG 5000> d?
debugging delete dir display

VRP Online Help

- Type the first few characters of a command keyword and press Tab to display the complete keyword.
- When the pause prompt is displayed, press Ctrl+C to stop the display and the command execution.
- When the pause prompt is displayed, press Space to display the next screen.
- When the pause prompt is displayed, press Enter to display the next line.

Basic Configuration Thinking of Firewall

Based on the network requirements:
1. Interface mode: Layer-3 interface (configure the IP address) or Layer-2 interface
2. Adding the interface into the security zone
3. Interzone configuration
4. Routing
5. NAT

Step 3 Run the set priority security-priority command to configure the security level of the security zone.

Adding Interface into the Security Zone

Step 1 Run the system-view command to enter the system view.
Step 2 Run the firewall zone [ vpn-instance vpn-instance-name ] [ name ] zone-name command to create the security zone and enter the corresponding security zone view.
Step 3 Run the add interface interface-type interface-number command to configure the interface to be added into the security zone.

Configuration of Default Interzone Packet-Filtering Rules

Step 1 Run the system-view command to enter the system view.
Step 2 Run the firewall packet-filter default { permit | deny } { all | interzone zone1 zone2 } [ direction { inbound | outbound } ] command to configure the interzone default packet filtering rules.

Do zone1 and zone2 have to follow a particular sequence? No, because the inbound and outbound directions are determined only by the zone priorities.

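A model of the interzone default packet-filter semantics described above, added as an example (it is not part of the Huawei course and is not the USG's implementation). Zone priorities decide direction: a flow from the lower-priority zone to the higher-priority one is inbound and the reverse is outbound, so the order in which the two zones are named does not matter. Zone priorities follow the usual USG defaults (Local 100, Trust 85, DMZ 50, Untrust 5); the class and method names, the uniqueness check and the deny fallback are this example's own choices.

```python
"""Added example (not from the Huawei course): zone priorities, inbound /
outbound direction, and interzone default permit/deny resolution."""


class InterzonePolicy:
    def __init__(self):
        self.priorities = {}   # zone -> security priority (higher = more trusted)
        self.defaults = {}     # (frozenset({zone1, zone2}), direction) -> action
        self.default_all = "deny"   # modelled fallback when no interzone default is set

    def set_priority(self, zone, prio):
        """Model of 'set priority': priorities must be unique across zones,
        otherwise inbound/outbound between two zones would be undefined."""
        if prio in self.priorities.values() and self.priorities.get(zone) != prio:
            raise ValueError("security priority %d already in use" % prio)
        self.priorities[zone] = prio

    def direction(self, src_zone, dst_zone):
        """'inbound' when moving to a higher priority, 'outbound' otherwise."""
        a, b = self.priorities[src_zone], self.priorities[dst_zone]
        if a == b:
            raise ValueError("intrazone traffic has no direction")
        return "inbound" if a < b else "outbound"

    def packet_filter_default(self, action, zone1=None, zone2=None, direction=None):
        """Model of: firewall packet-filter default {permit|deny}
        {all | interzone zone1 zone2} [direction {inbound|outbound}].
        The zone pair is stored unordered, so zone1/zone2 order is irrelevant."""
        if zone1 is None:
            self.default_all = action
            return
        pair = frozenset((zone1, zone2))
        for d in ([direction] if direction else ["inbound", "outbound"]):
            self.defaults[(pair, d)] = action

    def decide(self, src_zone, dst_zone):
        """Default action for a new flow from src_zone to dst_zone."""
        d = self.direction(src_zone, dst_zone)
        return self.defaults.get((frozenset((src_zone, dst_zone)), d), self.default_all)


def build_demo_policy():
    p = InterzonePolicy()
    for zone, prio in [("local", 100), ("trust", 85), ("dmz", 50), ("untrust", 5)]:
        p.set_priority(zone, prio)
    # Let the intranet out, keep the Internet from initiating into it.
    p.packet_filter_default("permit", "trust", "untrust", "outbound")
    return p


if __name__ == "__main__":
    p = build_demo_policy()
    for src, dst in [("trust", "untrust"), ("untrust", "trust"), ("untrust", "dmz")]:
        print(src, "->", dst, p.direction(src, dst), p.decide(src, dst))
```

Note what `permit ... outbound` does and does not do: it lets Trust hosts open connections to Untrust, and the stateful session (not this rule) carries the replies back; it does not let Untrust initiate into Trust, which stays at the deny fallback. A blanket `firewall packet-filter default permit all` removes that distinction and is the weak setting to avoid.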
Route Configuration

Perform the following when configuring a static route:
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-ip-address } [ preference value ] [ reject | blackhole ] command to add a static route.

Perform the following when configuring the default route:
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-ip-address } [ preference value ] [ reject | blackhole ] command to configure the default route.

e n
m/
AAA Configuration

The configuration method for adding a user to the firewall in the AAA view is as follows:

Step 1 Run the aaa command to enter the AAA view.

Step 2 Run the local-user user-name password { simple | cipher } password command to create the user and set the password.
FTP Configuration

If the firewall is configured as the FTP server, the configuration method is as follows:

Step 1 Run the system-view command to enter the system view and complete the basic firewall configuration.

Step 2 Run the ftp server enable command to enable the FTP server.

Step 3 Refer to section "AAA Configuration" and create the FTP user.

Step 4 Run the local-user user-name ftp-directory ftp-directory command to configure the user's access directory. Only when the username, password, and access directory are all configured can the FTP client log in and access files on the firewall. The system can be accessed by multiple users at the same time.

Step 5 Run the local-user user-name level { 1 | 2 | 3 } command to configure the user's access level.
Telnet Configuration

Step 1 Run the system-view command to enter the system view.

Step 2 Run the user-interface [ user-interface-type ] user-interface-number [ ending-user-interface-number ] command to enter the user interface view.

Step 3 Run the idle-timeout minutes [ seconds ] command to end the Telnet connection after a fixed idle period. To prevent illegitimate use of an authorized user's idle session, the connection should be disconnected if no input is received from the terminal user for a period of time. By default, the disconnection time for the terminal user is 10 minutes.

Note: Refer to section "AAA Configuration" to add the Telnet user.
Telnet Configuration

Telnet authentication modes:

No authentication

Password authentication

AAA authentication

Step 6 Run the user privilege level level command to configure the command level that can be accessed by a user who logs in from the current user interface. The default level is 0 (optional). (When the authentication-mode is set to aaa, this step does not need to be configured.)

configuration file. After the configuration file is erased, the firewall adopts the default configuration parameters at the next power-on.

In the user view, run the reboot command. The firewall is restarted and this restart action is logged.

Run the startup system-software sysfile command to configure the system software file name for the next startup.
Summary

Definition and classification of firewalls

Main features and technologies of firewalls

Data forwarding process and basic firewall configurations
Questions

What is the difference between the stateful inspection firewall and the packet-filtering firewall?

Why does the V100R005 have no firewall working mode configuration? What mode does it use to differentiate?

What is the relationship between the security zone and the interface?

What is the difference between Inbound and Outbound in the interzone packet filtering policies?

After the reliability technology IP link is integrated with static routing and dual-system hot backup technology, what are the advantages?
Answer
Thank you

www.huawei.com
Chapter 3 Firewall Packet Filtering Technology

www.huawei.com
Objectives

Upon completion of this course, you will be able to understand:

ACL principles

ACL functions and classification

Application scenarios and configurations of interface-based packet filtering

Application scenarios and configurations of interzone packet filtering
Contents

1. ACL Overview

2. Interface-based Packet Filtering

3. Interzone Packet Filtering

4. Application Analysis of Packet Filtering
Overview of IP Packet Filtering Technology

For each packet to be forwarded, the firewall reads and examines the packet header and compares the header information against the defined rules to determine whether to permit the packet. Based on the comparison, the firewall decides whether to forward or discard the packet. The key packet filtering technology is the ACL.

Figure: the H.Q. intranet and a regional office connected across the Internet through the firewall; an unauthorized user sits on the Internet side.
ACL Definition

The TCP/IP packet format is shown in the following figure. In this figure, the upper-layer protocol is TCP/UDP.

Figure: MAC packet header | IP packet header | TCP/UDP packet header | Data. The IP packet header carries the protocol number, source address and destination address; the TCP/UDP packet header carries the source port and destination port.

For TCP/UDP packets, these five elements constitute a quintuple, and the ACL is defined according to this information.
ACL Principles

Figure: Step 1: The inbound data flow (a mix of A and B packets) arrives on the firewall. Step 2: Search the ACL and determine whether to allow the next operation: A is allowed to carry out subsequent operations, B is denied (default policy operation). Step 3: The firewall processes the packets according to the ACL; only the A packets leave in the outbound data flow.

ACL functions: Filter the flows that pass through the firewall based on the defined rules. The keyword (permit or deny) determines the next step for the filtered-out flows.
Packet Filtering Classification

Interface packet filtering: applied to an interface (for example G0/0/0 or G0/0/1) in the Inbound or Outbound direction.

Interzone packet filtering: applied between two security zones (for example the Trust zone and the Untrust zone) in the Inbound or Outbound direction.
Basic ACL Configuration

In the system view, create a basic ACL and enter the ACL view:

acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

In the ACL view, define the rules:

rule [ rule-id ] { permit | deny } [ source { source-address source-wildcard | any | address-set address-set-name } | time-range time-name | logging ]

In the interface view, apply the basic ACL:

firewall packet-filter acl-number { inbound | outbound }

How do you use an IP address and a wildcard mask to indicate a network segment?
How to Use the Wildcard Mask

The wildcard mask format is similar to the subnet mask format, but the two have different meanings.

0: indicates that the corresponding bit in the IP address should be compared.

1: indicates that the corresponding bit in the IP address will not be compared.

The wildcard mask is used together with the IP address to describe an address range.

0.0.0.255        Compares the first 24 bits only
0.0.3.255        Compares the first 22 bits only
0.255.255.255    Compares the first 8 bits only

What is the function of wildcard mask 0.255.0.255?

Figure: 192.168.12.0/24 and 192.168.11.0/24
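The bit semantics above, worked through in code; this is an added example, not part of the training material, and it assumes only what the slide states (a 0 bit is compared, a 1 bit is ignored). It also answers the slide's question about 0.255.0.255, whose ignored bits are not contiguous and therefore cannot be written as a prefix length.

```python
"""Wildcard-mask matching as used in basic and advanced ACL rules (added example)."""
import ipaddress


def _to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def matches(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """True if packet_ip matches rule_ip under the wildcard.

    Bits that are 1 in the wildcard are masked out of both addresses before the
    comparison; every remaining (0) bit has to be identical.
    """
    care_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(packet_ip) & care_bits) == (_to_int(rule_ip) & care_bits)


def compared_bits(wildcard: str) -> int:
    """Number of address bits a rule with this wildcard actually compares."""
    return 32 - bin(_to_int(wildcard)).count("1")


def describe(rule_ip: str, wildcard: str) -> str:
    """Explain, octet by octet, which parts of rule_ip are fixed by the wildcard.

    Unlike a subnet mask, the ignored bits need not be contiguous, so the
    description is built per octet instead of as a prefix length.
    """
    parts = []
    for ip_octet, wc_octet in zip(rule_ip.split("."), wildcard.split(".")):
        if wc_octet == "0":
            parts.append(ip_octet)                    # octet fully compared
        elif wc_octet == "255":
            parts.append("*")                         # octet fully ignored
        else:
            parts.append(f"{ip_octet}/~{wc_octet}")   # octet partially compared
    return ".".join(parts)


if __name__ == "__main__":
    # The three wildcards from the slide.
    for wc in ("0.0.0.255", "0.0.3.255", "0.255.255.255"):
        print(f"{wc:>15}: compares the first {compared_bits(wc)} bits")
    # The slide's question: 0.255.0.255 fixes the first and third octets and
    # ignores the second and fourth, so a rule on 192.168.12.0 0.255.0.255 covers
    # 192.168.12.x and 192.5.12.x alike, but not 192.168.11.x.
    print(describe("192.168.12.0", "0.255.0.255"))                 # 192.*.12.*
    print(matches("192.168.12.7", "192.168.12.0", "0.255.0.255"))  # True
    print(matches("192.5.12.200", "192.168.12.0", "0.255.0.255"))  # True
    print(matches("192.168.11.1", "192.168.12.0", "0.255.0.255"))  # False
```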
Meanings of Time Range Operators

Operator and Syntax               Meanings
HH:MM                             From xx time to xx time
YYYY/MM/DD                        From xx date to xx date
Mon/Tue/Wed/Thu/Fri/Sat/Sun       Monday/Tuesday/Wednesday/Thursday/Friday/Saturday/Sunday
Daily                             Every day in a week
Off days                          Off days (Saturday/Sunday)
Working days                      Working days (Monday to Friday)
Advanced ACL

The advanced ACL uses more information besides the source address to define a packet, indicating whether to carry out the next step.

Example: packets from IP address 202.110.10.0/24 to IP address 179.100.17.10 that use TCP and access resources over HTTP can pass through the firewall.

Which information is detected by the firewall based on status detection?

Figure: the firewall between the 202.110.10.0/24 network and the server 179.100.17.10.
Advanced ACL Configuration Commands

In the system view, create an advanced ACL and enter the ACL view:

acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

In the ACL view, define the rules:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any | address-set address-set-name } | destination-port { operator port1 [ port2 ] | port-set port-set-name } | precedence precedence | source { source-address source-wildcard | any | address-set address-set-name } | source-port { operator port1 [ port2 ] | port-set port-set-name } | time-range time-name | tos tos | icmp-type icmp-type icmp-code | logging ]

In the interface view, apply the advanced ACL:

firewall packet-filter acl-number { inbound | outbound }
Meanings of Port Number Operators in the Advanced ACL

Operator and Syntax                  Meanings
equal portnumber                     Equal to port number
greater-than portnumber              Greater than port number
less-than portnumber                 Smaller than port number
not-equal portnumber                 Not equal to port number
range portnumber1 portnumber2        Between port number1 and port number2
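The advanced-ACL rule structure and the port operators above, as an evaluator over sample packets; this is an added example, not code from the training material. It models a subset of the rule command (protocol, source and destination with wildcard, destination-port operator), applies rules in rule-ID order with first match winning, and takes the action for "no rule matched" as an explicit parameter because the deck does not state it for interface ACLs (assumption; deny is used here). The permit rule reproduces the slide's HTTP scenario; the second rule and the packets are constructed.

```python
"""First-match evaluation of advanced-ACL rules with port operators (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# The five operators from the slide, as predicates over (port, operator arguments).
PORT_OPERATORS: Dict[str, Callable[[int, Tuple[int, ...]], bool]] = {
    "equal":        lambda p, a: p == a[0],
    "greater-than": lambda p, a: p > a[0],
    "less-than":    lambda p, a: p < a[0],
    "not-equal":    lambda p, a: p != a[0],
    "range":        lambda p, a: a[0] <= p <= a[1],
}


def ip_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard comparison: 0 bits of the wildcard must match, 1 bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


@dataclass
class Rule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    protocol: str                                 # "tcp", "udp", "icmp" or "ip" (any)
    source: Optional[Tuple[str, str]] = None      # (address, wildcard); None means any
    destination: Optional[Tuple[str, str]] = None
    destination_port: Optional[Tuple[str, Tuple[int, ...]]] = None   # (operator, args)

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["protocol"] != self.protocol:
            return False
        if self.source and not ip_matches(pkt["src"], *self.source):
            return False
        if self.destination and not ip_matches(pkt["dst"], *self.destination):
            return False
        if self.destination_port:
            op, args = self.destination_port
            # ICMP and other port-less packets can never satisfy a port operator.
            if "dport" not in pkt or not PORT_OPERATORS[op](pkt["dport"], args):
                return False
        return True


@dataclass
class AdvancedAcl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: dict, default: str = "deny") -> Tuple[str, Optional[int]]:
        """Consult rules in rule-ID order; return (action, rule_id), rule_id None on default."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(pkt):
                return rule.action, rule.rule_id
        return default, None


def build_example_acl() -> AdvancedAcl:
    """Slide scenario: 202.110.10.0/24 may reach 179.100.17.10 over HTTP (TCP port 80)."""
    acl = AdvancedAcl(3000)                        # ACL number is constructed
    acl.rules.append(Rule(0, "permit", "tcp",
                          source=("202.110.10.0", "0.0.0.255"),
                          destination=("179.100.17.10", "0.0.0.0"),
                          destination_port=("equal", (80,))))
    # Constructed second rule showing the range operator: deny TCP to high ports from anyone.
    acl.rules.append(Rule(5, "deny", "tcp", destination_port=("range", (1024, 65535))))
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    samples = [   # constructed packets
        {"protocol": "tcp", "src": "202.110.10.25", "dst": "179.100.17.10", "dport": 80},
        {"protocol": "tcp", "src": "202.110.10.25", "dst": "179.100.17.10", "dport": 443},
        {"protocol": "tcp", "src": "202.110.11.25", "dst": "179.100.17.10", "dport": 80},
        {"protocol": "udp", "src": "202.110.10.25", "dst": "179.100.17.10", "dport": 80},
        {"protocol": "tcp", "src": "10.0.0.1", "dst": "179.100.17.10", "dport": 8080},
    ]
    for pkt in samples:
        print(pkt, "->", acl.evaluate(pkt))
```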
Functions of Address Set and Service Set

Address set:

ip address-set guest type object
 address 0 192.168.12.0 0.0.0.15
 address 1 192.168.15.0 0.0.0.63
 address 2 192.168.30.0 0.0.0.127

 address 0 10.10.0.0 0.0.0.127
 address 1 10.16.15.0 0.0.0.255
 address 2 10.100.10.0 0.0.0.255

Service set:

ip service-set Internet type object
 service protocol tcp destination-port 80
 service protocol tcp destination-port 8080
 service protocol tcp destination-port 8443

 service protocol tcp destination-port 21
 service protocol tcp destination-port 80
 service protocol tcp destination-port 1521
 service protocol tcp destination-port 8443

rule [ rule-id ] { permit | deny } { type { type-code | type-name } } [ source-mac source-address source-mac-wildcard ] [ dest-mac destination-address destination-mac-wildcard ]

In the interface view, apply the MAC address-based ACL:

firewall ethernet-frame-filter acl-number inbound
Hardware Packet Filtering ACL

It filters packets in hardware. Traffic can be matched based on the source MAC address, destination MAC address, source IP address, destination IP address and protocol.

Figure: a firewall interface that supports hardware packet filtering; the matched fields are Source MAC address, Destination MAC address, Source IP address, Destination IP address, IP protocol, Source port and Destination port.
Hardware ACLs Configuration

In the system view, create a hardware ACL and enter the ACL view:

acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

In the ACL view, define the rules:

rule [ rule-id ] { permit | deny } { source-mac source-mac-address source-mac-wildcard | destination-mac destination-mac-address destination-mac-wildcard | source-ip source-ip-address source-wildcard | destination-ip destination-ip-address destination-wildcard | protocol { icmp [ icmp-type { icmp-type icmp-code | icmp-message } ] | { tcp | udp } [ source-port { port | protocol-name } ] [ destination-port { port | protocol-name } ] | ip | igmp | gre | ospf | ipinip } | ethernet-type { type-code | type-name } | cos { cos-code | cos-name } }
Matching Mode and Step Configuration

In the system view, create the ACL and set its matching order:

acl [ number ] acl-number [ vpn-instance vpn-instance-name ] [ match-order { auto | config } ]

In the ACL view, set the ACL step:

step step
Acceleration and Counter Functions

ACL acceleration function: it enhances the ACL search performance significantly.

ACL counter:

acl 2001
 rule 0 permit source 10.32.255.0 0.0.0.255
 rule 10 permit source 192.168.10.0 0.0.0.255

display acl 2001
17:18:07 2009/07/21
Acl's step is 5
Basic ACL 2001, 2 rules, not binding with vpn-instance
Contents

1. ACL Overview

2. Interface-based Packet Filtering

3. Interzone Packet Filtering

4. Application Analysis of Packet Filtering
Overview of Interzone Packet Filtering Technology

Figure: a Client in the Trust zone, the Firewall, and a Server in the Untrust zone.

For the first packet of a flow: search the routing table, then, based on the zone and direction of the interface, search for the matching interzone packet filtering rule. For example:

Policy0: allows packets with the source address 192.168.168.0 through
Policy1: denies packets with the source IP address 192.168.100.0
……

The default interzone packet filtering rule is deny (prohibited).

If it is not the first packet, search the session table.
Interzone Packet Filtering Application

Figure: Trust zone, Firewall, Untrust zone. Permit packets from the Trust zone to the Untrust zone; deny packets from the Untrust zone to the Trust zone.

policy interzone trust untrust outbound
 policy 0
  action permit
  policy source 192.168.168.0 0.255.0.255
  policy service service-set { service-set-name }
Policy Priority

Address-set: address set. Service-set: port set.

policy 0
 action deny
 policy source address-set guest
 policy destination address-set intranet
 policy service service-set intranet

policy 1
 action permit
 policy source address-set guest
 policy destination address-set Internet
 policy service service-set Internet

policy 0
 action deny
 policy source address-set guest
 policy destination address-set intranet
 policy service service-set intranet

policy 1
 action permit
 policy source address-set guest
 policy destination address-set Internet
Multi-Channel Protocol Technology

Single-channel protocol: it uses only one port during communication. For example, WWW occupies port 80 only.

Multi-channel protocol: it uses two or more ports during communication. In passive FTP mode, the protocol uses port 21 and a random port.

How can a pure packet filtering method define the ports used by a multi-channel protocol at port level?

A pure packet filtering method cannot define data flows for protocols that use a randomly negotiated port.
ASPF Overview

Application specific packet filter (ASPF) is an advanced filtering technology,

establish a data channel with you.

Session table:
FTP:10.0.0.1:4927 --> 20.0.0.1:21
FTP:10.0.0.1:4926 --> 20.0.0.1:4952

ServerMap table:
Inside-Address:Port    Global-Address:Port    Pro    AppType     TTL         Left
20.0.0.1:4952          ---                    tcp    FTP DATA    00:01:00    00:00:47
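How the Session and ServerMap tables above come about, for the multi-channel problem stated on the previous slide; this is an added example, not code from the training material. It reads the passive-mode reply the FTP server sends on the control channel (TCP port 21), derives the data-channel port from it and records a temporary ServerMap entry, so the data connection can be admitted without a static rule for a randomly negotiated port. Addresses and ports mirror the slide's tables; the timestamps are constructed and the 60-second TTL is taken from the slide's 00:01:00.

```python
"""ASPF-style inspection of an FTP control channel (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
SERVERMAP_TTL = 60.0                  # seconds, as on the slide (00:01:00)

Session = Tuple[str, int, str, int]   # src, sport, dst, dport


@dataclass
class ServerMapEntry:
    inside: Tuple[str, int]           # Inside-Address:Port the client will connect to
    proto: str
    app_type: str
    expires_at: float


class AspfFtpInspector:
    """Tracks FTP control sessions and derives ServerMap entries from PASV replies."""

    def __init__(self) -> None:
        self.sessions: Dict[Session, str] = {}
        self.servermap: Dict[Tuple[str, int], ServerMapEntry] = {}

    def control_packet(self, src: str, sport: int, dst: str, dport: int,
                       payload: str, now: float) -> Optional[ServerMapEntry]:
        """Inspect one control-channel packet; return a ServerMap entry if one was learned."""
        if dport == 21:                                   # client command: track the session
            self.sessions[(src, sport, dst, dport)] = "FTP"
            return None
        if sport == 21 and (dst, dport, src, sport) in self.sessions:   # reply on a known session
            m = PASV_RE.match(payload)
            if not m:
                return None
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            data_port = p1 * 256 + p2                     # (19, 88) -> 4952, as on the slide
            key = (f"{h1}.{h2}.{h3}.{h4}", data_port)
            entry = ServerMapEntry(key, "tcp", "FTP DATA", now + SERVERMAP_TTL)
            self.servermap[key] = entry
            return entry
        return None                                       # replies on unknown sessions are ignored

    def admit_data_connection(self, src: str, sport: int, dst: str, dport: int,
                              now: float) -> bool:
        """First packet of a data channel: admit only while a live ServerMap entry exists."""
        entry = self.servermap.get((dst, dport))
        if entry is None or entry.expires_at <= now:
            self.servermap.pop((dst, dport), None)        # expired entries are aged out
            return False
        self.sessions[(src, sport, dst, dport)] = "FTP"   # data channel becomes a normal session
        del self.servermap[(dst, dport)]                  # the map entry is single-use
        return True

    def dump(self) -> List[str]:
        """Render both tables roughly the way the slide's display output does."""
        lines = [f"FTP:{s[0]}:{s[1]} --> {s[2]}:{s[3]}" for s in self.sessions]
        lines += [f"{a}:{p} --- {e.proto} {e.app_type} TTL {int(SERVERMAP_TTL)}s"
                  for (a, p), e in self.servermap.items()]
        return lines


def run_slide_scenario() -> Tuple[bool, bool, bool]:
    """Replay the slide: control 10.0.0.1:4927 -> 20.0.0.1:21, data 10.0.0.1:4926 -> 20.0.0.1:4952."""
    fw = AspfFtpInspector()
    fw.control_packet("10.0.0.1", 4927, "20.0.0.1", 21, "PASV\r\n", now=0.0)
    fw.control_packet("20.0.0.1", 21, "10.0.0.1", 4927,
                      "227 Entering Passive Mode (20,0,0,1,19,88)\r\n", now=0.1)
    learned = ("20.0.0.1", 4952) in fw.servermap
    admitted = fw.admit_data_connection("10.0.0.1", 4926, "20.0.0.1", 4952, now=0.5)
    # A connection to a port the server never announced has no ServerMap entry and is refused.
    stray = fw.admit_data_connection("10.0.0.1", 4925, "20.0.0.1", 4953, now=0.5)
    return learned, admitted, stray


if __name__ == "__main__":
    print(run_slide_scenario())   # (True, True, False)
```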
Port Identification Supporting Multi-Channel Protocol

Port identification is used to map a non-standard protocol port to an identifiable application protocol port.

Figure: Host 10.0.0.1 opens a control channel to the FTP Server 20.0.0.1:31, followed by a data channel. Which application protocol is used by port 31? What should I do if I don't know it?

Configure the basic ACL (ACL 2000-2099):
rule permit source IPaddress Wildcard (the IP address and wildcard of the server that uses the non-standard protocol port)

Configure port identification (or port mapping):
port-mapping protocol-name port port-number acl acl-number
Fragment Cache and Long Connection Functions

Fragment cache function:

Configure the aging time of the fragment cache:
firewall session aging-time fragment interval (1-40000)

Disable direct forwarding of fragments:
firewall fragment-forward disable

Enable direct forwarding of fragments:
firewall fragment-forward enable

Long link:

Configure the long link aging time:
firewall long-link aging-time time

Enable long link:
firewall interzone zone-name1 zone-name2 long-link acl-number { inbound | outbound }
Contents

1. ACL Overview

2. Interface-based Packet Filtering

3. Interzone Packet Filtering

4. Application Analysis of Packet Filtering
Procedure of Firewall Packet Filtering

Figure (flowchart): For an inbound packet, first search the blacklist; a hit discards the packet. If the blacklist is not hit, search the session table; a hit updates the session entry, and the packet is forwarded after the routing table lookup (outbound packet). If the session table is not hit, search the routing table and match the interzone packet-filtering rule by searching the interzone ACL: a deny rule discards the packet, an allow rule forwards it. If no rule matches, search for the default interzone rules; if the packet is denied or not matched by the rule it is discarded, otherwise it is allowed and forwarded.
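The flowchart's decision order in code, together with the earlier point that inbound and outbound depend only on zone priority and not on the order zone1 zone2 is typed; this is an added example, not code from the training material. Zone priority values and the traffic are constructed; the only facts taken from the deck are that inbound means low-security to high-security, that a first packet is matched against the interzone policies and then the default action, and that later packets hit the session table.

```python
"""Interzone forwarding decision in the flowchart's order (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Flow = Tuple[str, int, str, int, str]          # src, sport, dst, dport, proto
ZoneKey = Tuple[FrozenSet[str], str]           # ({zone1, zone2}, direction)
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}   # constructed values


def direction(from_zone: str, to_zone: str) -> str:
    """Inbound: lower-priority zone to higher-priority zone. Outbound: the reverse."""
    return "inbound" if ZONE_PRIORITY[from_zone] < ZONE_PRIORITY[to_zone] else "outbound"


def reverse(flow: Flow) -> Flow:
    src, sport, dst, dport, proto = flow
    return dst, dport, src, sport, proto


@dataclass
class Policy:
    policy_id: int
    action: str                                        # "permit" or "deny"
    sources: Set[str] = field(default_factory=set)     # exact source hosts; empty means any


@dataclass
class Firewall:
    blacklist: Set[str] = field(default_factory=set)
    sessions: Dict[Flow, str] = field(default_factory=dict)
    policies: Dict[ZoneKey, List[Policy]] = field(default_factory=dict)
    defaults: Dict[ZoneKey, str] = field(default_factory=dict)   # unset means deny

    @staticmethod
    def key(zone1: str, zone2: str, dir_: str) -> ZoneKey:
        # A frozenset makes "trust untrust" and "untrust trust" the same interzone.
        return frozenset((zone1, zone2)), dir_

    def packet_filter_default(self, zone1: str, zone2: str, action: str, dir_: str) -> None:
        """Like: firewall packet-filter default <action> interzone zone1 zone2 direction <dir_>."""
        self.defaults[self.key(zone1, zone2, dir_)] = action

    def add_policy(self, zone1: str, zone2: str, dir_: str, policy: Policy) -> None:
        self.policies.setdefault(self.key(zone1, zone2, dir_), []).append(policy)

    def _create_session(self, flow: Flow, in_zone: str) -> None:
        # Both directions are installed so that return traffic hits the session table.
        self.sessions[flow] = in_zone
        self.sessions[reverse(flow)] = in_zone

    def forward(self, flow: Flow, in_zone: str, out_zone: str) -> Tuple[str, str]:
        """Return (verdict, reason) for a packet entering from in_zone towards out_zone."""
        src = flow[0]
        if src in self.blacklist:
            return "discard", "blacklist hit"
        if flow in self.sessions:                        # not the first packet of the flow
            return "forward", "session hit"
        key = self.key(in_zone, out_zone, direction(in_zone, out_zone))
        for pol in sorted(self.policies.get(key, []), key=lambda p: p.policy_id):
            if pol.sources and src not in pol.sources:
                continue
            if pol.action == "permit":
                self._create_session(flow, in_zone)
                return "forward", f"policy {pol.policy_id} permit"
            return "discard", f"policy {pol.policy_id} deny"
        if self.defaults.get(key, "deny") == "permit":
            self._create_session(flow, in_zone)
            return "forward", "default permit"
        return "discard", "default deny (no rule matched)"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed traffic mirroring the deck's Policy0 (permit) / Policy1 (deny) example."""
    fw = Firewall(blacklist={"192.168.100.9"})
    # The same interzone named in either order; direction is outbound (trust -> untrust).
    fw.add_policy("untrust", "trust", "outbound", Policy(0, "permit", {"192.168.168.1"}))
    fw.add_policy("trust", "untrust", "outbound", Policy(1, "deny", {"192.168.100.1"}))
    fw.packet_filter_default("trust", "untrust", "permit", "outbound")
    f1: Flow = ("192.168.168.1", 40000, "20.0.0.1", 80, "tcp")
    return [
        fw.forward(f1, "trust", "untrust"),                                               # policy 0
        fw.forward(f1, "trust", "untrust"),                                               # session hit
        fw.forward(("192.168.100.1", 40001, "20.0.0.1", 80, "tcp"), "trust", "untrust"),  # policy 1
        fw.forward(("192.168.100.9", 40002, "20.0.0.1", 80, "tcp"), "trust", "untrust"),  # blacklist
        fw.forward(("192.168.150.5", 40003, "20.0.0.1", 80, "tcp"), "trust", "untrust"),  # default
        fw.forward(reverse(f1), "untrust", "trust"),                                      # return traffic
        fw.forward(("20.0.0.2", 5555, "192.168.168.1", 22, "tcp"), "untrust", "trust"),   # unsolicited inbound
    ]


if __name__ == "__main__":
    for verdict, reason in run_scenario():
        print(f"{verdict:8} {reason}")
```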
Analysis of ACL Application Scenarios

Figure: Internet zone; Trust zone with 192.168.150.1/24 and 192.168.100.1/24; DMZ; User group B 172.16.160.0/24.

Application scenarios:

ACL in the Trust zone

Application of the address and port sets

Long link between the Trust zone and DMZ

Time-based control between the Trust

Fragment cache between the Internet

QoS

Policy routing

IPSec

……

Question: Why is the ACL valid for these applications?
ACL Commands

acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

acl-number: defines a numbered ACL.
ACL Matching Order

Matching order of ACL rules:

config mode: The rules configured first are matched first. In other words, the smaller the rule number is, the higher the priority is.

auto mode: The matching rule is depth-first. In other words, the smaller the address range is, the higher the priority is.

Matching order of the various ACL types:

ACLs based on MAC addresses > Advanced ACLs > Basic ACLs

Matching order of ACLs of the same type:

The smaller the ACL number is, the higher the priority is.
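The two rule matching orders above applied to one basic ACL, showing that the same packet can get opposite verdicts depending on match-order; this is an added example, not code from the training material. The rules and addresses are constructed; "smaller address range" is measured as the number of 1 bits in the wildcard, with the rule number as tie-breaker (an assumption about how ties are resolved).

```python
"""ACL rule matching order: config mode versus auto (depth-first) mode (added example)."""
import ipaddress
from typing import List, NamedTuple, Optional


class BasicRule(NamedTuple):
    rule_id: int
    action: str
    source: str       # dotted address, or "any"
    wildcard: str     # ignored when source is "any"


def _wildcard_ones(rule: BasicRule) -> int:
    """Range-size measure: number of 1 bits in the wildcard (32 for 'any')."""
    if rule.source == "any":
        return 32
    return bin(int(ipaddress.IPv4Address(rule.wildcard))).count("1")


def _source_matches(rule: BasicRule, src: str) -> bool:
    if rule.source == "any":
        return True
    care = ~int(ipaddress.IPv4Address(rule.wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (int(ipaddress.IPv4Address(rule.source)) & care)


def ordered_rules(rules: List[BasicRule], match_order: str) -> List[BasicRule]:
    """Return the rules in the order the firewall consults them."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)          # configuration order
    if match_order == "auto":
        # depth-first: narrowest source range first; the rule number breaks ties (assumption)
        return sorted(rules, key=lambda r: (_wildcard_ones(r), r.rule_id))
    raise ValueError(f"unknown match-order {match_order!r}")


def first_match(rules: List[BasicRule], src: str, match_order: str) -> Optional[BasicRule]:
    for rule in ordered_rules(rules, match_order):
        if _source_matches(rule, src):
            return rule
    return None


# Constructed ACL: a broad permit entered first, a narrower deny entered later.
EXAMPLE_RULES = [
    BasicRule(5,  "permit", "10.32.0.0",   "0.0.255.255"),     # whole 10.32.0.0/16
    BasicRule(10, "deny",   "10.32.255.0", "0.0.0.255"),       # 10.32.255.0/24 inside it
    BasicRule(15, "deny",   "any",         "255.255.255.255"),
]


def verdict(src: str, match_order: str) -> str:
    hit = first_match(EXAMPLE_RULES, src, match_order)
    return f"{hit.action} by rule {hit.rule_id}" if hit else "no match"


if __name__ == "__main__":
    # The same source gets opposite verdicts depending on the ACL's match-order.
    print("config:", verdict("10.32.255.7", "config"))   # permit by rule 5
    print("auto:  ", verdict("10.32.255.7", "auto"))     # deny by rule 10
    print("auto:  ", verdict("172.16.1.1", "auto"))      # deny by rule 15
```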
Example of Configuring an Interface-based ACL (on CLI)

Figure: Telnet Server 192.168.1.1, FTP Server 192.168.1.2, WWW Server 192.168.1.3 and host 192.168.1.4 on the intranet behind the firewall's internal interface 192.168.1.5; the external interface 202.38.160.1 faces the overseas host 202.39.2.3.

addresses 192.168.1.1,

between the intranet and extranet

3. Allow all hosts in the Trust and Untrust zones to run the ping command to test communication with each other, and they communicate well.

Networked devices: PC, firewall, server, router
Example of Configuring an Interface-based ACL (on Web)
Example of Configuring an Interzone ACL (on CLI)

Figure: the firewall has interface E1/0/0 192.168.1.1 in the Untrust zone and interface E2/0/0 192.168.2.1 in the DMZ; host 192.168.1.2 is in the Untrust zone and server 192.168.2.2 is in the DMZ; the Console port belongs to the Local zone.

Objective: To enable two devices in the DMZ and Untrust zone of the firewall to ping each other successfully.

Networked devices: PC, firewall, server
Example of Configuring an Interzone ACL (on Web)
Summary

ACL principles

ACL functions and classification

Application scenarios and configurations of interface-based packet filtering

Application scenarios and configurations of interzone packet filtering
Questions

What is the relationship among packet filtering, the status inspection mechanism, and the session table?

Fragment cache function: What is the difference between the formats of the first packet fragment and the other fragments? If the first fragment arrives first, which measure will be carried out? If the first fragment arrives late, which measure will be taken?

What are the application scenarios of port identification (port mapping)?

What is the difference between the application scenarios of interzone packet filtering and interface packet filtering?

What is the difference between inbound of interzone packet filtering and inbound of interface packet filtering? What is the difference between outbound of interzone packet filtering and outbound of interface packet filtering?
Answer
Thank you

www.huawei.com
Chapter 4 Network Address Translation Technology

www.huawei.com
Objectives

Upon completion of this course, you will be able to understand:

NAT Technical Principles

NAT Application Modes

Firewall NAT Configuration
Contents

1. Introduction to Network Address Translation Technology

2. NAT Technology Based on the Source IP Address

3. NAT Technology Based on the Destination IP Address

4. Bidirectional NAT Technology

5. NAT Application Scenario Configuration
Background Information

The explosive growth of the Internet has led to the depletion of IPv4 addresses.

The next generation of IP technology, IPv6, cannot replace IPv4 addresses on a large scale in a short time.

With the continuous development of technologies, various technologies for extending the IPv4 lifespan keep emerging. NAT is one of the most effective technical means.
Why Is NAT Required?

Using private network addresses can implement address reuse and increase IP address utilization.

Private network addresses cannot be routed over public networks; otherwise, routing problems result.

NAT is used to translate a large number of private network addresses into a small number of public network addresses, to ensure communication services and save IP address resources.

Figure: No address translation is done. The host sends packets with source IP address 10.1.1.1 and destination IP address 123.3.2.3; 10.1.1.1 is a private network address, so the return route is unknown and communication fails. With translation, the packet leaves with source IP address 123.3.2.1 and destination IP address 123.3.2.3.

Inbound direction: The data packets are transferred from a low-security network to a high-security network.

No-PAT mode: It is used for one-to-one translation of IP addresses, without port translation.

NAPT mode: It is used for many-to-one or many-to-many translation of IP addresses, which involves port translation.

Based on the Destination IP Address Translation Function

NAT Server function: The private network server provides services for public network users by using this function.

Bidirectional NAT: NAT Inbound and NAT Server are used together.

Intrazone NAT can be used for Internet access by mobile phone users.
NAT Advantages and Disadvantages

Advantages:

Allows IP address reuse and saves precious address resources.

Is transparent to users in the process of address translation.

Hides the internal network topology information from external users.

Disadvantages:

Increases the difficulty of network monitoring.

Figure: Conversion based on the source IP address: a packet from source IP address 192.168.0.11 to destination IP address 1.1.1.1 leaves the Trust zone towards the Untrust zone with source IP address 9.9.9.9 and destination IP address 1.1.1.1.

Conversion based on the source IP address and port: a packet from source IP address 192.168.0.11, source port X, to destination IP address 1.1.1.1 leaves the Trust zone towards the Untrust zone with source IP address 2.2.2.2, source port Y, and destination IP address 1.1.1.1.
Differences Between NAT Outbound and NAT Inbound

NAT Outbound: the packet travels in the outbound direction from the high-security zone (Trust) to the low-security zone (Untrust). Conversion: source IP address 192.168.0.11 and destination IP address 1.1.1.1 become source IP address 9.9.9.9 and destination IP address 1.1.1.1.

NAT Inbound: the packet travels in the inbound direction from the low-security zone (Untrust) to the high-security zone (DMZ). Conversion: source IP address 192.168.0.11 and destination IP address 1.1.1.1 become source IP address 9.9.9.9 and destination IP address 1.1.1.1.
One-to-One Address Translation

The address before conversion is bound to the address after conversion in order to meet some special requirements. Therefore, this application is scarcely used.

Figure: 192.168.1.1 maps to 155.133.87.1, 192.168.1.2 maps to 155.133.87.2, 192.168.1.3 maps to 155.133.87.3.
Many-to-Many Address Translation

A segment of addresses used for conversion can be configured by using an address pool. During conversion, the Internet addresses in the address pool are selected successively and used in place of the intranet addresses until all addresses in the pool are used up. In this case, subsequent private addresses cannot be translated.

Figure: 192.168.1.1 maps to 155.133.87.1, 192.168.1.2 maps to 155.133.87.2, 192.168.1.3 maps to 155.133.87.3, 192.168.1.4 is discarded.

Many-to-many address translation is on a first-come first-served basis, whereas one-to-one address translation uses manually configured one-to-one address mappings. In many-to-many address translation, the required number of public addresses is the same as the number of private addresses. Therefore, many-to-many address translation is not common either.

of the same public address in order to implement the many-to-one address conversion. The NAPT technology is used to implement the many-to-one address conversion.

Figure: 192.168.1.1 maps to 155.133.87.1:7111, 192.168.1.2 maps to 155.133.87.1:7112, 192.168.1.3 maps to 155.133.87.1:7113.

NAPT is a technology that uses Layer 4 information to extend Layer 3 addresses. An IP address has 65,535 ports for use. Theoretically, a public address can be mapped to 65,535 private addresses, which effectively enlarges the address space and increases the utilization of IP addresses. Therefore, NAPT is a frequently used address translation method.
a r
Le
r eht © 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
o
Copyrig Pa ge 14
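The following is an added example, not code from the Huawei course: a small model of the two dynamic source-NAT modes described above, No-PAT (many-to-many, one whole public address per host, discard when the pool is empty) and NAPT (many-to-one, one port of a single public address per flow, with the reverse lookup a firewall needs to deliver replies and drop unsolicited inbound packets). The addresses, the pool 155.133.87.1 to 155.133.87.3 and the port numbers from 7111 are taken from the slides; the class names, the flow tuple and the sequential port allocation are this example's own assumptions.

```python
# Added example, not from the Huawei course. Models No-PAT and NAPT as
# described on the slides; names and allocation order are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A flow is identified by (src_ip, src_port, dst_ip, dst_port).
Flow = Tuple[str, int, str, int]


@dataclass
class NoPatTranslator:
    """Many-to-many: one whole public address per private host, ports untouched."""
    free_pool: List[str]                                    # public addresses not yet bound
    bindings: Dict[str, str] = field(default_factory=dict)  # private ip -> public ip

    def translate(self, flow: Flow) -> Optional[Flow]:
        src, sport, dst, dport = flow
        public = self.bindings.get(src)
        if public is None:
            if not self.free_pool:
                return None                  # pool exhausted: the 192.168.1.4 -> Discard case
            public = self.free_pool.pop(0)   # first come, first served
            self.bindings[src] = public
        return (public, sport, dst, dport)   # only the address changes


@dataclass
class NaptTranslator:
    """Many-to-one: a single public address, one port per flow."""
    public_ip: str
    first_port: int = 7111
    outbound: Dict[Flow, int] = field(default_factory=dict)  # private flow -> public port
    # (server ip, server port, public port) -> private flow, used on the reply path
    inbound: Dict[Tuple[str, int, int], Flow] = field(default_factory=dict)

    def translate(self, flow: Flow) -> Optional[Flow]:
        src, sport, dst, dport = flow
        port = self.outbound.get(flow)
        if port is None:
            port = self.first_port + len(self.outbound)   # next free port (never reused here)
            if port > 65535:
                return None                  # every usable port of the public address is in use
            self.outbound[flow] = port
            self.inbound[(dst, dport, port)] = flow
        return (self.public_ip, port, dst, dport)

    def untranslate(self, reply: Flow) -> Optional[Flow]:
        """Map a reply from the server back to the private host. A packet that
        matches no entry was never solicited and is dropped (None)."""
        rsrc, rsport, rdst, rdport = reply
        if rdst != self.public_ip:
            return None
        flow = self.inbound.get((rsrc, rsport, rdport))
        if flow is None:
            return None
        src, sport, _, _ = flow
        return (rsrc, rsport, src, sport)


def demo() -> Dict[str, object]:
    """Run the scenarios from the slides and return the resulting translations."""
    nopat = NoPatTranslator(free_pool=["155.133.87.1", "155.133.87.2", "155.133.87.3"])
    nopat_results = [nopat.translate((f"192.168.1.{i}", 40000 + i, "1.1.1.1", 80))
                     for i in range(1, 5)]                 # fourth host finds the pool empty
    napt = NaptTranslator(public_ip="155.133.87.1")
    napt_results = [napt.translate((f"192.168.1.{i}", 40000 + i, "1.1.1.1", 80))
                    for i in range(1, 4)]
    reply = napt.untranslate(("1.1.1.1", 80, "155.133.87.1", 7111))   # server answers host 1
    stray = napt.untranslate(("6.6.6.6", 80, "155.133.87.1", 7111))   # nobody talked to 6.6.6.6
    return {"nopat": nopat_results, "napt": napt_results, "reply": reply, "stray": stray}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The No-PAT translator shows why the slide calls the pool size a limitation: the fourth host gets no translation at all, while the NAPT translator keeps serving new hosts from one address until its ports run out.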
Configuration Based on Source IP Address Translation (NAT No-PAT)

Configure the NAT address pool in the system view:
  nat address-group group-number [ group-name ] start-address end-address

Enter the interzone NAT policy view in the system view:
  nat-policy interzone zone-name1 zone-name2 { inbound | outbound }

Create the NAT policy and enter the policy ID view:
  policy [ policy-id ]
  policy source { source-address source-wildcard | ...... }
  policy destination { destination-address destination-wildcard | ...... }
  policy service service-set { service-set-name }
  action { source-nat | no-nat }
  address-group { number | name } no-pat

The no-pat keyword selects No-PAT: each private address is bound to one public address of the pool and ports are not translated, so the pool must hold at least as many addresses as there are simultaneously active hosts.
Configuration Based on Source IP Address and Port Translation (NAPT)

Configure the NAT address pool in the system view:
  nat address-group group-number [ group-name ] start-address end-address

Enter the interzone NAT policy view in the system view:
  nat-policy interzone zone-name1 zone-name2 { inbound | outbound }

Create the NAT policy and enter the policy ID view:
  policy [ policy-id ]
  policy source { source-address source-wildcard | ...... }
  policy destination { destination-address destination-wildcard | ...... }
  policy service service-set { service-set-name }
  action { source-nat | no-nat }
  address-group { number | name }

Without the no-pat keyword the address group is used in NAPT mode: many private addresses share each public address of the pool, distinguished by port.
Contents

1. Introduction to Network Address Translation Technology
2. NAT Technology Based on the Source IP Address
3. NAT Technology Based on the Destination IP Address
4. Bidirectional NAT Technology
5. NAT Application Scenario Configuration
NAT Server - Internal Server

In practice, an internal server such as a Web server must be reachable when external hosts access the internal network. An external host has no route to the private address, so the internal server cannot be accessed directly. The NAT Server function selects a public network address to represent the internal server address.

Figure: NAT Server between the DMZ (WWW server, true address 192.168.1.1) and Untrust (Internet users)
  Packet from Internet users: destination IP address 202.202.1.1 (public address)
  After translation on the firewall: destination IP address 192.168.1.1 (true address)

On the firewall, a dedicated public network address is configured for the internal server to represent its private network address. For Internet users, the public address configured on the firewall is the server address.
Configuration Based on NAT Server

In the system view:
  nat server [ id ] zone zone-name protocol protocol-type global { global-address [ global-port ] | interface { interface-name | interface-type interface-number } } inside host-address [ host-port ] [ no-reverse ] [ vpn-instance vpn-instance-name ] [ vrrp virtual-router-id ]

NAT Server is the most frequently used NAT based on the destination address. If a server is deployed on the intranet and its true IP address is a private network address, public network users can still reach it through a public network address: NAT Server is configured on the device, and the device forwards the packets that public network users send to that public address on to the intranet server.

Without no-reverse the mapping also works in the reverse direction, so connections that the internal server initiates appear on the public network with the global address; no-reverse restricts the mapping to inbound access by public network users.
Destination NAT

Figure: Base station - GSR/GGSN - Firewall - WAP gateway

When a mobile terminal accesses the wireless network with a default WAP gateway address that does not match the WAP gateway address of the local operator, a device can be deployed between the terminal and the WAP gateway and configured with the destination NAT function. The device then automatically forwards the packets that the terminal wrongly sends to the old WAP gateway address to the correct WAP gateway.
Configuration Based on Destination NAT

In the system view, create the advanced ACL and enter the ACL view:
  acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
  rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any | address-set address-set-name } | destination-port { operator port1 [ port2 ] | port-set port-set-name } ] ........

In the system view, enter the security zone view and bind the ACL to the new destination:
  firewall zone [ vpn-instance vpn-instance-name ] [ name ] zone-name
  destination-nat acl-number address ip-address [ port port-number ]

Packets from the zone that match a permit rule of the ACL have their destination address (and, if port is given, the destination port) rewritten to the configured values.

The internal server (NAT Server) and interzone NAT can be used together; this is the bidirectional NAT described next.
Interzone Bidirectional NAT

Figure: NAT Server plus NAT Inbound between the DMZ and Untrust zones
  Internet user 2.2.2.5 (Untrust) accesses the server through its public network address 202.20.1.5
  NAT Server: destination 202.20.1.5 -> true IP address 192.168.1.5 (DMZ server)
  NAT Inbound: source 2.2.2.5 -> private IP address 192.168.1.1, so the server sees a DMZ-side address

To simplify the routing configuration from the server to the public network, a NAT Inbound configuration can be added on top of the NAT Server: the source address of Internet users is translated to a private address on the server's own segment, so the server needs no route to the public network.
Intrazone Bidirectional NAT

If both sides whose addresses need to be translated are in the same security zone, intrazone NAT is required.

Figure: Trust domain
  Intranet users 192.168.1.1, user public network address 202.202.1.1
  Server 192.168.1.5, server public network address 202.202.1.5

On the intranet, when intranet users access the intranet server, NAT on the firewall is required under certain conditions. If users access the server by its domain name, DNS resolution returns the server's public network address. In this case, the communication ...
Figure: Trust zone 192.168.0.0/24 (firewall interface 192.168.0.1/24), DMZ and Untrust zones

1. Configure the interzone packet filtering rule (trust to untrust, outbound)
  [USG-policy-interzone-trust-untrust-outbound-0] action permit
2. Configure the address pool
  [USG] nat address-group 1 202.169.10.2 202.169.10.6
3. Configure the NAT outbound policy
  [USG] nat-policy interzone trust untrust outbound
  [USG-nat-policy-interzone-trust-untrust-outbound] policy 0
  [USG-nat-policy-interzone-trust-untrust-outbound-0] policy source 192.168.0.0 0.0.0.255
  [USG-nat-policy-interzone-trust-untrust-outbound-0] action source-nat
  [USG-nat-policy-interzone-trust-untrust-outbound-0] address-group 1
Firewall NAT Outbound Configuration (Web)

Figure: Web interface screenshot of the NAT outbound configuration
Firewall NAT Server Configuration (Command Line)

Roadmap and examples for configuring the internal server

1. Configure the internal Web and FTP servers
  [USG] nat server protocol tcp global 202.169.10.1 80 inside 192.168.20.2 8080
  [USG] nat server protocol tcp global 202.169.10.1 ftp inside 192.168.20.3 ftp
2. Configure the interzone packet filtering rules (untrust to dmz, inbound)
  [USG] policy interzone dmz untrust inbound
  [USG-policy-interzone-dmz-untrust-inbound] policy 0
  [USG-policy-interzone-dmz-untrust-inbound-0] policy destination 192.168.20.2 0
  [USG-policy-interzone-dmz-untrust-inbound-0] policy service service-set http
  [USG-policy-interzone-dmz-untrust-inbound-0] action permit
  [USG-policy-interzone-dmz-untrust-inbound] policy 1
  [USG-policy-interzone-dmz-untrust-inbound-1] policy destination 192.168.20.3 0
  [USG-policy-interzone-dmz-untrust-inbound-1] policy service service-set ftp
  [USG-policy-interzone-dmz-untrust-inbound-1] detect ftp
  [USG-policy-interzone-dmz-untrust-inbound-1] action permit

The policy destination is the server's private address (192.168.20.2, 192.168.20.3), not the public address 202.169.10.1, because the packet filter is applied after the NAT Server translation. Only the two published services are permitted; any other pack
et to 202.169.10.1 is dropped by the default interzone action. detect ftp enables the FTP application layer gateway so that the data connection negotiated inside the control channel is let through.
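The following is an added example, not code from the Huawei course or the USG: a model of how the two nat server lines and the dmz-untrust packet filter above treat a packet, so that the order (translate the destination first, then filter on the private address, then reverse the translation on the reply) can be seen on concrete packets. Addresses and ports are the slide's. This example assumes that the packet filter sees the server's private address and private port (the slide uses the predefined service sets http and ftp; confirm on the target version which port the policy matches) and that the default interzone action is deny.

```python
# Added example, not from the Huawei course. Models NAT Server followed by the
# interzone packet filter; the policy-sees-private-port rule is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port)
Packet = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class NatServer:
    """One 'nat server protocol ... global ... inside ...' mapping."""
    proto: str
    global_ip: str
    global_port: int
    inside_ip: str
    inside_port: int


@dataclass(frozen=True)
class Policy:
    """One interzone policy: destination address + service -> action."""
    dst_ip: str
    proto: str
    dst_port: int
    action: str  # "permit" or "deny"


class InboundNatServer:
    def __init__(self, mappings: List[NatServer], policies: List[Policy]):
        self.mappings = mappings
        self.policies = policies
        # session table for replies: (proto, inside ip, inside port, client ip, client port)
        self.sessions: Dict[Tuple[str, str, int, str, int], NatServer] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Untrust -> DMZ. Returns the translated packet, or None if dropped."""
        proto, src, sport, dst, dport = pkt
        mapping = next((m for m in self.mappings
                        if (m.proto, m.global_ip, m.global_port) == (proto, dst, dport)), None)
        if mapping is None:
            return None            # public address but no published service: drop
        translated = (proto, src, sport, mapping.inside_ip, mapping.inside_port)
        if self._policy_action(translated) != "permit":
            return None            # filtered after translation
        self.sessions[(proto, mapping.inside_ip, mapping.inside_port, src, sport)] = mapping
        return translated

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """DMZ server -> client: rewrite the source back to the global address."""
        proto, src, sport, dst, dport = pkt
        mapping = self.sessions.get((proto, src, sport, dst, dport))
        if mapping is None:
            return None            # no session: the server never received such a request
        return (proto, mapping.global_ip, mapping.global_port, dst, dport)

    def _policy_action(self, pkt: Packet) -> str:
        proto, _, _, dst, dport = pkt
        for p in self.policies:    # policy 0, policy 1, ...: first match wins
            if (p.dst_ip, p.proto, p.dst_port) == (dst, proto, dport):
                return p.action
        return "deny"              # default interzone action


def slide_firewall() -> InboundNatServer:
    """The configuration from the slide, with the ftp service set taken as TCP port 21."""
    return InboundNatServer(
        mappings=[NatServer("tcp", "202.169.10.1", 80, "192.168.20.2", 8080),
                  NatServer("tcp", "202.169.10.1", 21, "192.168.20.3", 21)],
        policies=[Policy("192.168.20.2", "tcp", 8080, "permit"),
                  Policy("192.168.20.3", "tcp", 21, "permit")])


if __name__ == "__main__":
    fw = slide_firewall()
    print(fw.inbound(("tcp", "2.2.2.5", 51000, "202.169.10.1", 80)))
    print(fw.inbound(("tcp", "2.2.2.5", 51001, "202.169.10.1", 443)))
    print(fw.reply(("tcp", "192.168.20.2", 8080, "2.2.2.5", 51000)))
```

Two drops are worth noticing: a packet to an unpublished port of 202.169.10.1 never reaches the filter because no mapping exists, and a mapping with no permitting policy is translated and then discarded, which is why both the nat server line and the interzone policy are needed.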
Firewall NAT Server Configuration (Web)

Figure: Web interface screenshot of the NAT Server configuration
Summary

NAT technical principles
NAT application modes
Firewall NAT configuration
Questions

What is the difference between NAT inbound and NAT outbound?
Why does NAT based on the IP address alone have no one-to-many application scenario?
What limitations does No-PAT have?
Objectives

Upon completion of this course, you will be able to understand:
  Basic VLAN technologies
  SA and E1 WAN interface technologies
  Basic ADSL technologies
  WLAN and 3G wireless technologies
Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology
VLAN Background - Broadcast Storm

Figure: one large broadcast domain. Every broadcast frame is flooded to all hosts in the domain.
Dividing Broadcast Domains by VLANs

Figure: Port 1 in VLAN-1, Port 2 in VLAN-2. Each VLAN is its own broadcast domain: a broadcast from a VLAN-1 host is not flooded to VLAN-2 ports.
VLAN Frame Format

Standard Ethernet frame:
  DA | SA | TYPE | DATA | CRC

Ethernet frame with IEEE 802.1Q tag:
  DA | SA | TAG | TYPE | DATA | CRC

The 4-byte TAG consists of:
  TPID (2 bytes): 0x8100, identifies the frame as tagged
  TCI (2 bytes): PRI (3 bits, priority), CFI (1 bit), VLAN ID (12 bits)
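The following is an added example, not code from the Huawei course: it builds and parses the 802.1Q tag laid out above and then models what a switch port does with it, including the PVID assignment of untagged frames described on the next slide. The frame layout (DA, SA, TAG = TPID 0x8100 + TCI, TYPE, DATA, CRC left to the NIC) is from the slide. The double-tag scenario at the end goes beyond the slide: it shows why the untagged (native, PVID) VLAN of a trunk must not also be a user VLAN, since a frame tagged twice loses its outer tag on the trunk and arrives in the inner VLAN. All MAC addresses and payloads are constructed for the example.

```python
# Added example, not from the Huawei course: 802.1Q tag build/parse plus a
# minimal model of access-port PVID assignment and trunk native-VLAN handling.
import struct
from typing import Dict, List, Sequence, Tuple

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8   # service-provider outer tag (QinQ); same TCI layout
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


def tci(vid: int, pri: int = 0, cfi: int = 0) -> int:
    """Tag Control Information: PRI (3 bits) | CFI (1 bit) | VLAN ID (12 bits)."""
    if not 0 <= vid <= 4095 or not 0 <= pri <= 7 or cfi not in (0, 1):
        raise ValueError("TCI field out of range")
    return (pri << 13) | (cfi << 12) | vid


def build_frame(da: bytes, sa: bytes, ethertype: int, data: bytes,
                tags: Sequence[Tuple[int, int]] = ()) -> bytes:
    """DA SA [TAG ...] TYPE DATA. tags = [(tpid, vid), ...], outer tag first."""
    frame = da + sa
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, tci(vid))
    return frame + struct.pack("!H", ethertype) + data


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return DA, SA, the list of stacked tags (outer first), TYPE and DATA."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    off, tags = 12, []
    while off + 4 <= len(frame):
        tpid, = struct.unpack_from("!H", frame, off)
        if tpid not in TAG_TPIDS:
            break                       # not a tag: this is the TYPE field
        value, = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": tpid, "pri": value >> 13,
                     "cfi": (value >> 12) & 1, "vid": value & 0x0FFF})
        off += 4
    if off + 2 > len(frame):
        raise ValueError("frame truncated after VLAN tag")
    ethertype, = struct.unpack_from("!H", frame, off)
    return {"da": frame[:6], "sa": frame[6:12], "tags": tags,
            "ethertype": ethertype, "data": frame[off + 2:]}


def ingress_vlan(frame: bytes, pvid: int) -> int:
    """VLAN a switch assigns on ingress: the outer tag's VID, or the port's
    PVID for an untagged frame (this is what the PVID is for)."""
    tags: List[dict] = parse_frame(frame)["tags"]   # type: ignore[assignment]
    return tags[0]["vid"] if tags else pvid


def trunk_egress(frame: bytes, native_vid: int) -> bytes:
    """A trunk sends frames of its native VLAN (PVID) untagged: strip the outer
    tag when it carries native_vid and leave the rest of the frame as it is."""
    tags: List[dict] = parse_frame(frame)["tags"]   # type: ignore[assignment]
    if tags and tags[0]["vid"] == native_vid:
        return frame[:12] + frame[16:]   # drop the 4-byte outer tag
    return frame


if __name__ == "__main__":
    da, sa = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    hop = build_frame(da, sa, 0x0800, b"x", [(TPID_8021Q, 1), (TPID_8021Q, 20)])
    print("on the access port:", ingress_vlan(hop, pvid=1))
    print("after the trunk:   ", ingress_vlan(trunk_egress(hop, native_vid=1), pvid=1))
```

The last two lines of the demo are the whole point: the frame enters in VLAN 1 but is forwarded as VLAN 20 by the next switch, so keep the trunk's native VLAN unused by hosts or tag it as well.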
Types of Ethernet Switch Ports

Access port
  Generally, an access port is used to connect a user PC. An access port belongs to only one VLAN and sends frames untagged.

Trunk port
  Generally, a trunk port is used for the connection between switches. A trunk port can belong to multiple VLANs and receives and sends tagged frames of multiple VLANs; only frames of its default VLAN (PVID) are sent untagged.

Hybrid port
  A hybrid port is used for the connection between switches or to user PCs. A hybrid port can belong to multiple VLANs and receives and sends frames of multiple VLANs; unlike a trunk port, it can be configured per VLAN to send frames tagged or untagged.

What is the function of the default VLAN ID (PVID)? An untagged frame received on a port is assigned to the port's PVID.

Create a VLAN:
  vlan 3
Add a port to the VLAN (Port 0/1: VLAN 3, Port 0/2: VLAN 3):
  port ethernet 0/1
Add the VLAN to a port:
Routers Between VLANs

Figure: VLAN 100, VLAN 200 and VLAN 300 interconnected through a Layer 3 device

Packets of different VLANs cannot cross the VLAN boundary at Layer 2. Packets must be forwarded by a Layer 3 device (a router or Layer 3 switch) from one VLAN to another.
Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology
SA Serial Port Overview

The serial port is a common WAN port. Serial ports are classified into synchronous and asynchronous serial ports; the synchronous serial port is the more widely used.

The SA interface is a synchronous serial interface. It supports cables such as V.24, V.35, X.21, RS-449 and RS-530, and various baud rates to match different peer devices. Its maximum bandwidth is 2.048 Mbit/s, which satisfies the data transmission requirements of carriers and enterprise customers.

The SA interface has two working modes: data terminal equipment (DTE) and data circuit-terminating equipment (DCE).

As an uplink interface, the SA interface can carry services such as HTTP and FTP.

The SA interface supports data link layer protocols including the Point-to-Point Protocol (PPP) and High-Level Data Link Control (HDLC), and the IP network layer protocol.
SA Serial Port - Configuration Example (CLI)

The SA interface uses the PPP protocol.

Configure the USG2200A:
# Configure serial 1/0/0. Set the encapsulation protocol to PPP and leave the other parameters at their default values.
<USG2200A> system-view
[USG2200A] interface serial 1/0/0
[USG2200A-serial1/0/0] ip address 10.110.1.11 255.255.255.0
[USG2200A-serial1/0/0] link-protocol ppp
[USG2200A-serial1/0/0] shutdown
[USG2200A-serial1/0/0] undo shutdown

Note: After the configuration is complete, add the serial1/0/0 interface to a security zone and enable the default interzone packet filtering rules.
... TSs. A multiframe (MF) contains 16 frames.

TS0 is used to transmit the frame alignment signal (FAS), the cyclic redundancy check 4 (CRC4) code and the remote (peer) alarm indication.
TS16 is used to transmit channel associated signaling (CAS), the multiframe alignment signal and the multiframe remote (peer) alarm indication.
E1 Application Modes

  Unframed
  Framed
    Channelized (PCM31)
    Unchannelized
  Framed multiframe (PCM30)

Unchannelized mode is also called clear channel mode. Framed multiframe mode uses TS16 as the signaling channel and is mainly used to carry voice services such as ISDN PRI.
E1 Typical Networking - One-to-One Interconnection

Figure: three interconnection options
  1. E1 interface - carrier SDH/PDH - E1 interface
  2. E1 interface - carrier SDH/PDH - protocol converter - serial port
  3. Serial port - protocol converter - carrier SDH/PDH - protocol converter - serial port
E1 Typical Networking - One-to-Many Interconnection

Figure: two interconnection options
  1. Headquarters E1 (2M) - carrier SDH/PDH - branch 1 (128K, protocol converter, serial port) and branch 2 (512K, protocol converter, serial port)
  2. Headquarters cPOS (155M) - carrier SDH/PDH - branch 1 (E1, 2M) and branch 2 (E1, 2M)
Configuration Methods

Enter the E1 interface view -> set the E1 work mode -> set the physical interface parameters -> configure the clock.

Example: CE1 controller 9/0/0 split into two channel sets. On the controller, channel-set N creates the interface Serial9/0/0:N, which is then configured like any serial interface.

controller e1 9/0/0
 using ce1
 clock master
 code hdb3
 frame-format no-crc4
 channel-set 0 timeslot-list 1-4
 channel-set 1 timeslot-list 5-8
#
interface Serial9/0/0:0
 link-protocol ppp
 ip address 100.1.1.1 255.255.255.252
#
interface Serial9/0/0:1
 link-protocol ppp
 ip address 110.1.1.1 255.255.255.252
#
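The following is an added example, not code from the Huawei course: a checker for channel-set configurations like the one above. It applies the timeslot rules stated on these slides (an E1 frame has 32 timeslots TS0 to TS31 of 64 kbit/s each, 2.048 Mbit/s in total; TS0 carries framing; TS16 carries signaling in framed multiframe / PCM30 mode; unchannelized mode is one clear channel) and reports the bandwidth each channel-set gets and the mistakes that lead to a silently dead or half-working link, such as using a reserved timeslot or giving one timeslot to two channel-sets. The mode names and the timeslot-list syntax are the slide's; the function names and error texts are this example's own.

```python
# Added example, not from the Huawei course: validates CE1 channel-set
# timeslot lists against the E1 mode rules stated on the slides.
from typing import Dict, List, Set, Tuple

TIMESLOT_KBPS = 64     # one 8-bit sample per 125 us timeslot
E1_KBPS = 2048         # 32 timeslots * 64 kbit/s


def parse_timeslot_list(spec: str) -> Set[int]:
    """'1-4,7,9-10' -> {1, 2, 3, 4, 7, 9, 10}, the timeslot-list syntax used above."""
    slots: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if lo_i > hi_i or lo_i < 0 or hi_i > 31:
            raise ValueError(f"bad timeslot range {part!r}")
        slots.update(range(lo_i, hi_i + 1))
    return slots


def reserved_timeslots(mode: str) -> Set[int]:
    """Timeslots that cannot carry user data in each E1 application mode."""
    if mode == "unframed":
        return set()          # clear channel: all 32 timeslots form one 2.048 Mbit/s pipe
    if mode == "pcm31":       # framed, channelized: TS0 carries framing
        return {0}
    if mode == "pcm30":       # framed multiframe: TS0 framing, TS16 signaling
        return {0, 16}
    raise ValueError(f"unknown E1 mode {mode!r}")


def check_channel_sets(mode: str, channel_sets: Dict[int, str]) -> Tuple[Dict[int, int], List[str]]:
    """Return (bandwidth in kbit/s per channel-set, list of configuration errors).

    channel_sets maps the channel-set number to its timeslot-list string,
    e.g. {0: "1-4", 1: "5-8"} for the configuration on the slide."""
    errors: List[str] = []
    bandwidth: Dict[int, int] = {}
    if mode == "unframed":
        if channel_sets:
            errors.append("unframed mode has no channel-sets; the whole E1 is one serial interface")
        return {0: E1_KBPS}, errors
    reserved = reserved_timeslots(mode)
    owner: Dict[int, int] = {}   # timeslot -> channel-set that already uses it
    for cs_id, spec in sorted(channel_sets.items()):
        slots = parse_timeslot_list(spec)
        for ts in sorted(slots & reserved):
            errors.append(f"channel-set {cs_id}: TS{ts} is reserved in {mode}")
        for ts in sorted(slots):
            if ts in owner:
                errors.append(f"channel-set {cs_id}: TS{ts} already used by channel-set {owner[ts]}")
            owner[ts] = cs_id
        bandwidth[cs_id] = len(slots - reserved) * TIMESLOT_KBPS
    return bandwidth, errors


if __name__ == "__main__":
    print(check_channel_sets("pcm31", {0: "1-4", 1: "5-8"}))   # the slide's configuration
    print(check_channel_sets("pcm30", {0: "1-31"}))            # TS16 is signaling here
```

For the slide's configuration the checker reports 256 kbit/s per channel-set and no errors; asking for all of TS1 to TS31 in PCM30 mode yields 1920 kbit/s and a warning that TS16 is reserved.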
Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology
xDSL Overview

Asymmetric Digital Subscriber Line

In an asymmetric digital subscriber line, the data rate from the service provider end to the user end (downlink) differs from the data rate from the user end to the service provider end (uplink).

A telephone line can carry voice and data services at the same time. Using the existing PSTN infrastructure and twisted-pair cables, the asymmetric digital subscriber line provides high-speed data transmission without affecting the voice service, by means of a special modulation technology. The major xDSL access technologies are:
  ADSL/ADSL2/ADSL2+
  VDSL/VDSL2
  G.SHDSL (SHDSL series)
ADSL Overview

ADSL2+ uses the existing twisted-pair cables to provide asymmetric uplink and downlink transmission rates.

G.SHDSL and G.SHDSL.bis use ordinary twisted-pair cables to provide high-speed private line access. They are mainly used for interconnection between small and medium enterprise networks, for mobile base station trunks, and for ISDN group access.

VDSL2 broadband access is used for private line interconnection and private line access in hotel networks, high-speed access for Internet cafes, and video conferencing.
ADSL2+ Model

Figure: Internet and PSTN - splitter - twisted-pair cable - splitter - ATU-R (the ADSL transceiver unit at the user end)

ADSL is an asymmetric DSL technology in which the uplink and downlink transmission rates differ. Uplink means transmission from the user end to the central office end; downlink means transmission from the central office end to the user end.
ADSL Configuration Example 1 (CLI)

1. Configure the dialer interface.
<USG> system-view
[USG] dialer-rule 1 ip permit
[USG] interface Dialer 1                        # Create the dialer interface and enter the dialer view.
[USG-Dialer1] dialer user USG                   # Specify the name of the remote user who originates the dialing.
[USG-Dialer1] dialer bundle 1                   # Configure the dialer bundle to which the Dialer 1 interface belongs (dialer bundle mode).
[USG-Dialer1] dialer-group 1                    # Associate the interface with dialer group 1, defined by dialer-rule 1.
[USG-Dialer1] link-protocol ppp                 # Set the link layer protocol to PPP.
[USG-Dialer1] ip address ppp-negotiate          # Obtain the IP address through negotiation.
[USG-Dialer1] ppp ipcp dns admit-any            # Obtain the DNS address through negotiation.
[USG-Dialer1] ppp pap local-user Abcdefgh~ password simple Abcdefgh~   # Use PAP authentication. The user name and password are Abcdefgh~.
[USG-Dialer1] quit                              # Exit and go back to the system view.

PAP sends the user name and password in clear text at every dial-up, and password simple stores the password in clear text in the configuration file. Prefer CHAP where the provider supports it (as in the CDMA2000 example later in this course) and password cipher instead of password simple.
ADSL Configuration Example 2 (CLI)

2. Create the interface Virtual-Ethernet 1.
[USG] interface Virtual-Ethernet 1
[USG-Virtual-Ethernet1] quit
3. Configure the PVC of the interface Atm 2/0/0 and set the PVC encapsulation type to LLC.
[USG] interface Atm2/0/0
[USG-Atm2/0/0] pvc 8/35
[USG-Atm2/0/0-8/35] map bridge virtual-ethernet 1
[USG-Atm2/0/0-8/35] encapsulation llc
4. Configure the PPPoE session.
[USG] interface Virtual-Ethernet 1
[USG-Virtual-Ethernet1] pppoe-client dial-bundle-number 1
ADSL Configuration Example 3 (CLI)

5. Configure the Vlanif interface and add it to the Trust zone.
[USG] interface Vlanif 1
[USG-Vlanif1] ip address 192.168.0.1 24
[USG-Vlanif1] quit
[USG] firewall zone trust
[USG-zone-trust] add interface Vlanif 1
6. Add the Dialer 1 interface to the Untrust zone.
[USG] firewall zone untrust
[USG-zone-untrust] add interface Dialer 1
7. For the USG series products, configure the interzone packet filter policies so that traffic can pass. For the USG BSR/HSR series products, skip this step.
[USG] policy interzone trust untrust inbound
[USG-policy-interzone-trust-untrust-inbound] policy 0
[USG-policy-interzone-trust-untrust-inbound-0] action permit

This policy permits every packet from the Untrust zone (the Internet) into the Trust zone and is suitable for a lab only. For LAN users to reach the Internet, the outbound direction (trust to untrust) is the one that must be permitted; return traffic is matched by the session table, so the inbound direction can stay at the default deny.
ADSL Configuration Example 4 (CLI)

8. Configure NAT.
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-1] easy-ip Dialer 1
9. Configure the default route.
[USG] ip route-static 0.0.0.0 0.0.0.0 Dialer 1

easy-ip performs NAPT with the address that the Dialer 1 interface obtains through PPP negotiation, so no address pool is needed when the ISP assigns the public address dynamically.
ADSL Configuration Example (Web)

Figure: Web interface screenshot of the ADSL configuration
Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology
WLAN Overview

The Wireless Local Area Network (WLAN) is a hot technology in the communications industry. A WLAN system is easy to deploy and use: deployment requires no complex cabling or migration. A WLAN is, however, not a completely wireless system: the servers and backbone networks remain in the fixed network, only the users are mobile.

Carriers and enterprises can provide wireless LAN services with the WLAN solution. The services include:
  Wireless LAN devices can be used to establish the wireless network. The users ... to ensure security.
  Seamless roaming with secure network access and a mobility area is provided for the wireless network users.

In this course, WLAN, Wi-Fi and 802.11 refer to the same technology.
WLAN Security Overview

The security mechanisms of the original 802.11 protocol can defend against general network attacks, but an attacker can still break into the wireless network, so the 802.11 protocol alone cannot comprehensively protect sensitive data. A protocol with a stronger security mechanism is required.

The USG2000 system uses the WLAN security feature to enhance the security and health of the system. The WLAN security feature uses WLAN-MAC to check the access security of the 802.11 clients.
WLAN Basic Concepts

Wireless client (STA)
  On a network, all devices that connect to the wireless medium are called wireless clients (stations). Each wireless client must have a wireless network card that supports the 802.11 standard. WLAN devices are classified into APs and clients.

Access point (AP)
  The AP functions as a bridge between the wireless user and the LAN: frames are converted between wired and wireless transmission between the user end and the LAN end. The USG2100/2200 functions as an AP.

Client
  Clients include fixed devices such as laptops, personal digital assistants, IP phones and PCs ... equipped with wireless network cards.

Open system authentication
  ... authentication algorithm, that is, non-authenticated. When the authentication mode is set to open system authentication, all clients are allowed to access the WLAN.

Shared key authentication
  Shared key authentication is mainly applicable to pre-RSN devices. This authentication mode is used ...

TKIP encryption
  ... the security of the WEP protocol on pre-RSN devices. The security of TKIP encryption is much higher ...

Wi-Fi Protected Access (WPA)
  WPA is used to ensure the security of the wireless PC network. WPA complies with the major IEEE 802.11i standards; the WEP authentication and encryption features are improved in WPA.

Figure: a fat AP serving PCs, laptops, a printer, PDAs, Wi-Fi phones and video phones over the air, with VPN, ADSL, ISDN, fax and analogue phone connections on the wired side.
WLAN Configuration Example 1 (CLI)

Figure: Stations - WLAN-BSS2 - AP (SRG, interfaces Ethernet0/0/0 and Ethernet1/0/0) - router

Networking requirements:
The AP connects to the router over the Ethernet0/0/0 interface (added to the Untrust zone). The fixed IP address of the Ethernet0/0/0 interface is 202.169.10.1/24 and the IP address of the router is 202.169.10.2/24.
The IP addresses of the stations are 192.168.1.2/24 and 192.168.1.3/24.
The stations connect to the AP (SRG) with their wireless network cards. The SSID is WLAN100. The authentication mode is WPA2-PSK with the CCMP encryption suite, and the pre-shared key (PSK) is abcdefgh.
The WLAN is configured to provide wireless access for the stations. ... of the wireless network card are the same as those set on the SRG.

WPA2-PSK with CCMP is the right choice here, but the key abcdefgh is the minimum eight characters and a plain letter sequence: anyone who captures one association (the 4-way handshake) can test candidate passphrases offline. Use a long random passphrase in production.
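The following is an added example, not code from the Huawei course: the IEEE 802.11i mapping from a WPA2-PSK passphrase to the 256-bit PSK, applied to the passphrase and SSID configured above, followed by the offline guessing loop that a captured 4-way handshake makes possible. The derivation is the standard one (PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt, 32 bytes out), checked here against the test vector published with the standard; the candidate list is constructed for the example.

```python
# Added example, not from the Huawei course: WPA2-PSK passphrase-to-PSK
# derivation and the offline dictionary attack it is exposed to.
import hashlib
import hmac
from typing import Iterable, Optional


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i Annex H passphrase-to-PSK mapping; the result is the PMK
    used by the 4-way handshake."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def recover_passphrase(psk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack. A real attacker does not hold the PSK, but one
    captured 4-way handshake lets each candidate's PSK be checked against the
    handshake MIC, so the work factor is the same: one PBKDF2 per guess."""
    for candidate in candidates:
        if not 8 <= len(candidate) <= 63:
            continue                      # cannot be a valid passphrase, skip it
        if hmac.compare_digest(wpa2_psk(candidate, ssid), psk):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed wordlist; the slide's key is in it, as it would be in any real one.
    wordlist = ["12345678", "password", "qwertyui", "abcdefgh"]
    psk = wpa2_psk("abcdefgh", "WLAN100")
    print("PSK for WLAN100:", psk.hex())
    print("recovered:", recover_passphrase(psk, "WLAN100", wordlist))
```

The salt (the SSID) only prevents precomputed tables from being shared across networks with different names; it does nothing against a guess-by-guess attack, which is why the passphrase itself has to be long and random.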
Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology
3G Overview

What is 3G?

3G standards
  WCDMA
  TD-SCDMA
  CDMA2000

3G applications
3G Implementation Modes

The data card determines the supported wireless interface standard. At present, the USG series support three types of 3G data cards: cards with an Express interface, cards with a USB interface, and cards with a MIC interface.

Figure: 3G data card with Express interface; 3G data card with USB interface; 3G data card with MIC interface
Installation of 3G Data Cards

LAN users can access the WAN over an uplink provided by a 3G data card.

A device supports only one 3G data card at a time; you cannot install multiple 3G data cards in one device. To replace the 3G data card, pull out the existing card and then install the new one.

Ensure that a subscriber identity module (SIM) or UMTS subscriber identity module (USIM) is installed in the data card, and check that the SIM card is inserted in the correct direction. The SIM is provided by the carrier.

Insert the 3G data card into the corresponding port of the USG2100.
3G Implementation Principles

The 3G functions are implemented by the following modules:

Dial control center (DCC)
  Determines how dialing is triggered.

MODEM simulation
  Simulates the MODEM to send the corresponding dialing digits.

Data card management
  Manages the data card and obtains its current information, including the APN configuration and status information.

Link control
  Converts the received data to the required format for data forwarding and other functions.
3G Application Configuration Example - CLI Mode

The USG2200 connects to the enterprise internal network over the Ethernet 1/0/0 interface and to the Internet over the 3G data card interface 5/0/0 (USB). The configuration is as follows:
  The enterprise network uses the network segment 192.168.1.0/24.
  Dialing is performed on the Dialer 0 interface.
  The IP address of the 3G interface is allocated by the wireless network through negotiation.

Figure: networking diagram of dialing over the Dialer interface
3G Typical Configuration (CLI)

China Telecom CDMA2000 (E169C):
firewall packet-filter default permit all
#
dialer-rule 1 ip permit
#
interface Dialer0
 link-protocol ppp
 // For the CDMA2000 network, configure the PPP authentication information.
 ppp chap user card
 ppp chap password simple card
 ppp ipcp dns admit-any
 ip address ppp-negotiate
 dialer enable-circular
 dialer-group 1                  // This ID is the same as the corresponding dialer-rule ID.
 dialer timer idle 60
 dialer timer autodial 10
 dialer number #777 autodial     // For the CDMA2000 network, the dialer number is #777.
#
interface Cellular5/0/0
 link-protocol ppp
 dialer circular-group 0         // This number must be the same as the corresponding Dialer interface number.
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0

China Unicom WCDMA (E180):
firewall packet-filter default permit all
#
dialer-rule 1 ip permit
#
interface Dialer0
 link-protocol ppp
 // For the WCDMA network, PPP authentication is not required.
 ppp ipcp dns admit-any
 ip address ppp-negotiate
 dialer enable-circular
 dialer-group 1                  // This ID is the same as the corresponding dialer-rule ID.
 dialer timer idle 60
 dialer timer autodial 10
 dialer number *99# autodial     // For the WCDMA and TD-SCDMA networks, the dialer number is *99#.
#
interface Cellular5/0/0
 apn UNINET
 dialer circular-group 0         // This number must be the same as the corresponding Dialer interface number.
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0

China Mobile TD-SCDMA (ET128):
firewall packet-filter default permit all
#
dialer-rule 1 ip permit
#
interface Dialer0
 link-protocol ppp
 // For the TD-SCDMA network, PPP authentication is not required.
 ppp ipcp dns admit-any
 ip address ppp-negotiate
 dialer enable-circular
 dialer-group 1                  // This ID is the same as the corresponding dialer-rule ID.
 dialer timer idle 60
 dialer timer autodial 10
 dialer number *99# autodial     // For the WCDMA and TD-SCDMA networks, the dialer number is *99#.
#
interface Cellular5/0/0
 apn CMNET                       // For the TD-SCDMA standard, the APN needs to be configured; it is set to CMNET.
 dialer circular-group 0         // This number must be the same as the corresponding Dialer interface number.
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0

Public configuration: add the interface to the security zone, set the NAT policies so that private network users can access the public network, and set the routes to the public network.

firewall packet-filter default permit all changes the default interzone action from deny to permit for every zone pair. It keeps these lab configurations short; in production, replace it with explicit interzone policies.
m/
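The three columns above repeat two consistency rules in their comments: the dialer-group ID on the Dialer interface must equal a dialer-rule ID, and the circular-group number on the Cellular interface must equal the Dialer interface number. The following is an added example (not Huawei code, and not part of the original slides) that reads a config text in this VRP style and reports violations of those rules, plus a route that points at a Dialer interface that does not exist. The embedded config is a constructed copy of the CDMA2000 column.

```python
import re

# Constructed sample: the CDMA2000 (E169C) column of the slide, written as one config text.
SAMPLE_CDMA2000_CONFIG = """\
firewall packet-filter default permit all
#
dialer-rule 1 ip permit
#
interface Dialer0
 link-protocol ppp
 ppp chap user card
 ppp chap password simple card
 ppp ipcp dns admit-any
 ip address ppp-negotiate
 dialer enable-circular
 dialer-group 1
 dialer timer idle 60
 dialer timer autodial 10
 dialer number #777 autodial
#
interface Cellular5/0/0
 link-protocol ppp
 dialer circular-group 0
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0
"""


def parse_sections(config):
    """Split a VRP-style config into (interface name or None, [command lines]) sections."""
    sections = []
    current_if, current_lines = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            sections.append((current_if, current_lines))
            current_if, current_lines = m.group(1), []
        else:
            current_lines.append(line)
    sections.append((current_if, current_lines))
    return sections


def lint_dialer_config(config):
    """Return a list of problems; an empty list means the ID rules from the slide hold."""
    problems = []
    rule_ids = set(re.findall(r"^\s*dialer-rule\s+(\d+)\b", config, re.M))
    sections = [(i, l) for i, l in parse_sections(config) if i is not None]
    dialer_numbers = {i[len("Dialer"):] for i, _ in sections if i.startswith("Dialer")}
    for iface, lines in sections:
        for ln in lines:
            m = re.match(r"dialer-group\s+(\d+)$", ln)
            if m and m.group(1) not in rule_ids:
                problems.append(f"{iface}: dialer-group {m.group(1)} has no matching dialer-rule")
            m = re.match(r"dialer circular-group\s+(\d+)$", ln)
            if m and m.group(1) not in dialer_numbers:
                problems.append(f"{iface}: circular-group {m.group(1)} has no Dialer{m.group(1)} interface")
    for target in re.findall(r"^\s*ip route-static\s+\S+\s+\S+\s+(Dialer\d+)", config, re.M):
        if target[len("Dialer"):] not in dialer_numbers:
            problems.append(f"route points to missing interface {target}")
    return problems


if __name__ == "__main__":
    print(lint_dialer_config(SAMPLE_CDMA2000_CONFIG) or "config consistent")
```

Running the checker on the other two columns works the same way; only the apn and dialer number lines differ, which the checker ignores.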
3G Typical Configuration (Web)

Summary

Basic VLAN technologies
SA and E1 WAN interface technologies
Basic ADSL technologies
WLAN and 3G wireless technologies

Questions

What interface types do the VLAN support? How does each interface process the tags?
What are the encapsulation modes of the E1 data frames? What are the differences between the encapsulation modes?
What key deployment elements are involved in the ADSL configuration?
What key deployment elements are involved in the WLAN configuration?
What key deployment elements are involved in the 3G configuration?

Answer

Thank you
www.huawei.com

Chapter 6 VPN Overview
www.huawei.com

Objectives

Upon completion of this course, you will be able to:
VPN concepts
Key VPN technologies
Types and applications of VPNs

Contents

1. VPN Introduction
2. VPN Technologies
3. VPN Types

VPN Definition

VPN
A Virtual Private Network (VPN) is built by establishing private data channels over a shared public network (usually the Internet) to connect networks or terminals that need to access the private network, to form the private network guaranteeing a certain level of security and QoS.

Virtualization
Users do not need to have physical data links for long-distance transmission. Instead, long-distance data lines of the Internet are used to create a private network.

Private Network
Provide secure information transport by authenticating users, and encrypting data to prevent unauthorized persons from reading the transmitted information.

Contents

1. VPN Introduction
2. VPN Technologies
3. VPN Types

Common VPN Technologies

Tunneling: Encrypts and decrypts data on both ends of a tunnel to create a data channel
Identity authentication: Ensures the legitimacy and validity of operators to a VPN
Data authentication: Data can be only legitimately altered when it is sent over the network
Encryption/decryption: Ensures that data can be only legitimately captured when it is sent over the network
Key management: The key is sent securely over an insecure network

Tunneling

[Figure: tunnels across the Internet connect a branch, a SOHO user and an employee on a business trip to the headquarters]

Cryptography

1.1 What is cryptography
1.2 Classification of encryption technologies
1.3 Key management technologies

Cryptography

Encryption: from plain text to cipher text

[Figure: plain text and key enter the encryption function and cipher text comes out]

C = En(K, P)

Cryptography

[Figure: cryptography at the centre, surrounded by the four goals it serves]

Confidentiality
Integrity
Availability
Non-repudiation

Development of Cryptography

Development of encryption technologies:
Scytale
Caesar cipher
Rail fence cipher
Cipher machine

Cryptography

1.1 What is cryptography
1.2 Classification of encryption technologies
1.3 Key management technologies

Key-based Classification

Key
Private key
Public key

Symmetric encryption
The same key is used for encryption and decryption.

Asymmetric encryption
Two different keys are used for encryption and decryption. What one key encrypts, only the other can decrypt. The private key is for data protection, while the public key is used by users in the same system to check the validity and identity of the information and sender.

Symmetric Encryption Algorithms

[Figure: sender and receiver hold the same shared key (Key = 1010110101…). The encryption algorithm E turns the plain text abcdef into the cipher text *$@g)(!34*^hcftibf, and the decryption algorithm D recovers abcdef at the receiver]

Common Symmetric Encryption Algorithms

Flow encryption (a key flow is applied to the plain text to produce the cipher text):
RC4

Block encryption (the plain text passes through round 1 … round N to produce the cipher text):
DES
3DES
AES
IDEA
RC2, RC5, and RC6

Asymmetric Encryption Algorithms

[Figure: the sender searches the public key database (Public key = 1111010101…; Private key = 1010110101…). Labels: "Sender's public key" at the encryption side and "Receiver's private key" at the decryption side. The encryption algorithm E turns abcdef into &^(#!b&%2(#c7(*@!Cs, and the receiver's decryption algorithm D recovers abcdef]

Comparison Between Symmetric and Asymmetric Algorithms

Symmetric key algorithm
Advantage: Fast encryption/decryption
Disadvantage: Transmission of keys

Asymmetric key algorithm
Advantage: High security of keys
Disadvantage: Slow encryption/decryption

Key Exchange

[Figure: a session key is shared by sender and receiver. Plain text "Huawei / Symantec" is encrypted into cipher text "tr09 / vi16vsk", transmitted, and decrypted back to "Huawei / Symantec" at the receiver]

Hash Algorithm

Hash algorithm: input data of any length is changed to output data of fixed length.

h = H(M)

Common hash algorithms
MD5
SHA-1

Digital Signature

[Figure: the sender attaches a digital signature to the plain text; the receiver checks the digital signature against the plain text and concludes "1. Not altered"]

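The two slides above give the hash relation h = H(M) and the receiver-side check "Not altered". The following is an added example (not code from the slides) that computes MD5 and SHA-1 digests with Python's standard library and then walks through the sign/verify flow: the sender protects the hash with a key, the receiver recomputes and compares. Because the standard library has no public-key signing, an HMAC over SHA-256 stands in for the signature; this is an assumption of the example, and with a real digital signature the sender would use a private key and the receiver the matching public key, but the message flow and the integrity check are the same.

```python
import hashlib
import hmac


def digest(message: bytes, algorithm: str = "sha1") -> str:
    """h = H(M): a fixed-length hex digest for input of any length (MD5 or SHA-1 as on the slide)."""
    return hashlib.new(algorithm, message).hexdigest()


def sign(message: bytes, key: bytes) -> bytes:
    """Sender side. HMAC-SHA-256 stands in for a signature here: the tag binds the
    message hash to a key the receiver can check against."""
    return hmac.new(key, message, "sha256").digest()


def verify(message: bytes, tag: bytes, key: bytes) -> bool:
    """Receiver side: recompute over the received message and compare in constant time.
    True corresponds to the slide's '1. Not altered' outcome."""
    return hmac.compare_digest(sign(message, key), tag)


def bit_difference(a_hex: str, b_hex: str) -> int:
    """Number of differing bits between two hex digests (shows the avalanche effect)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


# Constructed sample messages and key for the demonstration.
MESSAGE = b"Transfer 100 to account 42"
TAMPERED = b"Transfer 900 to account 42"
KEY = b"constructed-shared-secret"


def demo() -> dict:
    tag = sign(MESSAGE, KEY)
    return {
        "md5_hex_len": len(digest(MESSAGE, "md5")),     # 32 hex chars = 128 bits
        "sha1_hex_len": len(digest(MESSAGE, "sha1")),   # 40 hex chars = 160 bits
        "sha1_bits_changed": bit_difference(digest(MESSAGE), digest(TAMPERED)),
        "intact": verify(MESSAGE, tag, KEY),
        "tampered": verify(TAMPERED, tag, KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The digest lengths are fixed regardless of input size, a one-character change in the message flips roughly half of the SHA-1 output bits, and only the unaltered message passes verification.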
Digital Certificates

Bearer of the public key
Digital certificate format: X.509
Issued by a trustworthy organization
Storage of the digital certificate
Core keys must be kept separately by the respective owners.

[Figure: sample certificate contents]
Subject: XXX
Public key: 9f 0a 34 ...
Validity: 5/5/2008-5/5/2009
Issuer: CA
Signature: CA digital signature

Key Management Strategy

A complete key management policy should meet the following requirements:

The password control policy allows or forbids users to reuse an old password (compulsory password history), and determines the duration between two password changes (maximum password lifetime and minimum password lifetime), the minimum password length, and the combination of case-sensitive letters, numbers, and special characters (password complexity requirements).

The account lockout policy determines how many login failures the system accepts before it locks an account within a specific time period.

Legal requirements and service contract

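The policy elements named above (password history, minimum and maximum lifetime, minimum length, complexity, and a lockout threshold within a time window) map directly onto a small rule set. The following is an added example (not from the slides and not Huawei code) that encodes them as a policy object and evaluates a password change and a login-failure history against it; the threshold values and the sample timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Policy:
    history_depth: int = 5                              # compulsory password history
    min_lifetime: timedelta = timedelta(days=1)         # minimum password lifetime
    max_lifetime: timedelta = timedelta(days=90)        # maximum password lifetime
    min_length: int = 8                                 # minimum password length
    min_classes: int = 3                                # complexity: classes out of upper/lower/digit/special
    lockout_threshold: int = 5                          # login failures accepted ...
    lockout_window: timedelta = timedelta(minutes=15)   # ... within this period


SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")


def character_classes(pw: str) -> int:
    return sum((any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(c in SPECIAL for c in pw)))


def password_change_problems(policy, new_pw, history, last_change, now):
    """history: previous passwords, most recent first (a real system compares hashes)."""
    problems = []
    if len(new_pw) < policy.min_length:
        problems.append("shorter than minimum length")
    if character_classes(new_pw) < policy.min_classes:
        problems.append("does not meet complexity requirements")
    if new_pw in history[:policy.history_depth]:
        problems.append("reuses a password in the history")
    if last_change is not None and now - last_change < policy.min_lifetime:
        problems.append("minimum password lifetime not reached")
    return problems


def password_expired(policy, last_change, now) -> bool:
    return now - last_change > policy.max_lifetime


def account_locked(policy, failure_times, now) -> bool:
    """Lock once the failures inside the window reach the threshold; older failures expire."""
    recent = [t for t in failure_times if timedelta(0) <= now - t <= policy.lockout_window]
    return len(recent) >= policy.lockout_threshold


NOW = datetime(2010, 6, 1, 12, 0, 0)  # constructed reference time


def demo() -> dict:
    p = Policy()
    return {
        "good": password_change_problems(p, "Tr0ub4dor&3", ["Old-Pass-1"], NOW - timedelta(days=3), NOW),
        "weak": password_change_problems(p, "short", [], None, NOW),
        "reused": password_change_problems(p, "Tr0ub4dor&3", ["Tr0ub4dor&3"], NOW - timedelta(days=3), NOW),
        "too_soon": password_change_problems(p, "Tr0ub4dor&3", [], NOW - timedelta(hours=2), NOW),
        "expired": password_expired(p, NOW - timedelta(days=91), NOW),
        "locked": account_locked(p, [NOW - timedelta(minutes=i) for i in range(5)], NOW),
        "old_failures": account_locked(p, [NOW - timedelta(minutes=20 + i) for i in range(5)], NOW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lockout check counts only failures inside the window, so five failures spread over an hour do not lock the account while five within fifteen minutes do.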
Contents

1. VPN Introduction
2. VPN Technologies
3. VPN Types

Service-based VPN Classification (1)

[Figure: a mobile office employee reaches the enterprise's data center and headquarters through a VPDN gateway, under a VPN management system]

Access VPN
Employees of an enterprise need to work from a distance during business trips, or the enterprise needs to provide B2C secure access service.

Service-based VPN Classification (2)

[Figure: a small/medium-sized branch is connected gateway to gateway to the headquarters and data center]

Intranet VPN
Interconnecting branches of an enterprise

Service-based VPN Classification (3)

[Figure: customer and supplier sites reach the enterprise's data center and headquarters, under a VPN management system]

Extranet VPN
Providing Business to Business (B2B) secure access

Layer-based VPN Classification

Layer-3 VPN (network layer): GRE, IPSec
Layer-2 VPN (data link layer): PPTP, L2F, L2TP

Summary

VPN concepts
Key VPN technologies
Types and applications of VPNs

Questions

What are the features of symmetric encryption and asymmetric encryption respectively?
What is the difference between the encryption algorithm and the hash algorithm?
Does a longer key strengthen the encryption performance? Can we analyze it based on different encryption algorithms?
What are the functions of tunneling in the VPN technology?
Why is L2TP a L2VPN protocol, while GRE and IPSec are L3VPN protocols?

Answer

Thank you
www.huawei.com

Chapter 7 L2TP VPN
www.huawei.com

Objectives

Upon completion of this course, you will be able to:
Application scenarios of VPDN
Basic concepts of L2TP
Application scenarios of VPDN in Client-Initialized and NAS-Initialized modes
Configuration methods of L2TP

Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP

VPDN Overview

Network device and VPDN gateway — The client is directly connected to the enterprise gateway through the network device and Point-to-Point Protocol (PPP). Currently, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) are available.

Client and VPDN gateway — The client is connected to the Internet and then to the gateway through certain dedicated software, for example, the L2TP client supported by Windows 2000.

[Figure: protocol stack along the path Client - LAC - LNS - Server. Client: private IP over PPP, link layer, physical layer. LAC and LNS: public IP over UDP, link layer, physical layer. Server: private IP, link layer, physical layer]

L2TP Messages and Formats

Control message: Applies to the establishment, maintenance, and transmission control of tunnel and session connections.
Data message: Encapsulates PPP frames and transmits them along the tunnel.

L2TP header (bit positions 0, 1, 2, 3, 4, 7, 12, 15 and 31 marked on the slide):

 0                                              15 16                            31
 T L X X S X O P X X X X  Version               |  Length
 Tunnel ID                                      |  Session ID
 Ns                                             |  Nr
 Offset size                                    |  Offset pad

T indicates the message type. 1: control message; 0: data message.

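The header layout above is enough to write a parser, which is what a firewall or IDS needs in order to tell L2TP control traffic from tunnelled PPP data. The following is an added example (not code from the slides or from Huawei) that parses the fields in the order shown, honours the L, S and O presence bits, and rejects a header whose Length field disagrees with the datagram or whose flag combination is not allowed for a control message. The sample datagrams are constructed for the demonstration; the UDP port constant is the one that appears in the deck's display output.

```python
import struct

L2TP_UDP_PORT = 1701  # port shown in the "display l2tp tunnel" output later in this chapter

# Constructed samples (L2TP payload only; UDP/IP headers stripped).
# Control message: T=1 L=1 S=1 O=0 P=0 Ver=2, Length=12, Tunnel ID=1, Session ID=0, Ns=0, Nr=0.
SAMPLE_CONTROL = bytes.fromhex("c802000c0001000000000000")
# Data message: T=0 Ver=2, Tunnel ID=1, Session ID=8, then a PPP frame start (FF 03 C0 21 = LCP).
SAMPLE_DATA = bytes.fromhex("000200010008ff03c021")
# Malformed: T=1 but the L bit is clear, which a control message may not do.
SAMPLE_BAD_CONTROL = bytes.fromhex("880200010000")


def parse_l2tp_header(datagram: bytes):
    """Parse the header laid out on the slide (RFC 2661 version 2 format).

    Returns (fields, payload); raises ValueError on truncated or inconsistent headers."""
    def need(n):
        if len(datagram) < n:
            raise ValueError("truncated L2TP header")

    need(2)
    bits = struct.unpack("!H", datagram[:2])[0]
    fields = {
        "T": (bits >> 15) & 1,   # 1: control message, 0: data message
        "L": (bits >> 14) & 1,   # Length field present
        "S": (bits >> 11) & 1,   # Ns/Nr fields present
        "O": (bits >> 9) & 1,    # Offset size/pad present
        "P": (bits >> 8) & 1,    # Priority (data messages only)
        "version": bits & 0x0F,
    }
    if fields["version"] != 2:
        raise ValueError("unsupported L2TP version %d" % fields["version"])
    if fields["T"] and not (fields["L"] and fields["S"] and not fields["O"]):
        # control messages always carry Length and Ns/Nr and never an offset
        raise ValueError("control message must set L and S and clear O")
    off = 2
    if fields["L"]:
        need(off + 2)
        fields["length"] = struct.unpack("!H", datagram[off:off + 2])[0]
        off += 2
    need(off + 4)
    fields["tunnel_id"], fields["session_id"] = struct.unpack("!HH", datagram[off:off + 4])
    off += 4
    if fields["S"]:
        need(off + 4)
        fields["Ns"], fields["Nr"] = struct.unpack("!HH", datagram[off:off + 4])
        off += 4
    if fields["O"]:
        need(off + 2)
        pad = struct.unpack("!H", datagram[off:off + 2])[0]
        off += 2 + pad          # skip the Offset size field and the Offset pad bytes
        need(off)
    if "length" in fields and fields["length"] != len(datagram):
        raise ValueError("Length field %d != datagram size %d" % (fields["length"], len(datagram)))
    return fields, datagram[off:]


def classify(datagram: bytes) -> str:
    """Tag a datagram as control, data, or malformed (the view a packet filter wants)."""
    try:
        fields, payload = parse_l2tp_header(datagram)
    except ValueError as exc:
        return "malformed: " + str(exc)
    return "control" if fields["T"] else "data (%d payload bytes)" % len(payload)


if __name__ == "__main__":
    for sample in (SAMPLE_CONTROL, SAMPLE_DATA, SAMPLE_BAD_CONTROL):
        print(sample.hex(), "->", classify(sample))
```

Note that the tunnel ID and session ID in a data message identify the L2TP session only; nothing in this header authenticates the sender, which is why the chapter's tunnel authentication step matters.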
L2TP Session Establishment Process

Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP

L2TP VPN — Initiated by a Remote Dial-Up User

[Figure: a remote user, a remote branch and a mobile office employee each build an L2TP tunnel to the LNS in front of the headquarters server]

VPN acts as a trunk; LNS acts as a checkpoint.
LNS: You can pass through.
VPN user: OK. I send the goods by myself.

Typical Configuration of L2TP VPN — Client-LNS

[Figure: mobile office employee - Internet - LNS (E1/0/1 3.3.2.1/16 toward the Internet, E1/0/0 192.168.1.1/24 toward the headquarters) - headquarters]

Networking requirements
An enterprise sets up a VPN network. There is a VPN gateway (that is, USG firewall) at the egress of the public network of the headquarters. Mobile office employees need to communicate with the service server in the enterprise through the L2TP tunnel.
The LNS uses local authentication. Here: LNS is a USG firewall.

L2TP Configuration — Client

Flowchart:
Start
Configure the IP address of the LNS server.
Disable IPSec.
Configure the authentication mode.
Enable tunnel authentication.
Configure the user name and password.
End

L2TP Configuration — LNS

Flowchart:
Start
Perform basic configuration (including interface IP address).
Configure virtual interface template.
Enable L2TP.
Configure L2TP group of the LNS end.
In the AAA view, configure the user name of the VPDN group.
Enable the interzone filtering rule.
End

Typical Configuration of L2TP VPN — LNS (1)

Create a virtual interface template.
[LNS] interface Virtual-Template 1
Set the IP address of the virtual interface template.
[LNS-Virtual-Template1] ip address 10.1.1.1 24
Configure the PPP authentication mode.
[LNS-Virtual-Template1] ppp authentication-mode chap
Assign an IP address from the address pool to the peer interface.
[LNS-Virtual-Template1] remote address pool 1

Typical Configuration of L2TP VPN — LNS (2)

Add the virtual interface template to a security zone.
[LNS] firewall packet-filter default permit interzone local untrust

Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP

L2TP VPN — NAS Initiated

[Figure: a remote user dials in over the PSTN with PPP and a branch connects over Ethernet with PPPoE to the LAC; the LAC builds L2TP tunnels to the LNS in front of the headquarters server; a mobile office employee also reaches the LNS through an L2TP tunnel]

VPN user acts as a trunk; LAC acts as a forwarder.
LAC: Your goods can pass through. May I help you?
VPN user: Deliver the goods to No. XX of XX Street.

Typical Configuration of L2TP VPN — LAC-LNS

[Figure: Branch - LAC (E0/0/0 1.1.1.1/24 toward the branch, E0/0/1 2.2.1.1/16 toward the Internet) - Internet - LNS (E1/0/1 3.3.2.1/16 toward the Internet, E1/0/0 3.1.1.1/24 toward the headquarters) - Headquarters]

Networking requirements:
A company sets up a VPN network. There is a VPN gateway (that is, USG firewall) at the egress of the public network of the headquarters. Mobile office employees need to communicate with the service server in the enterprise through the L2TP tunnel.
LNS uses local authentication. Here:
LAC acts as a USG firewall.
LNS acts as a USG firewall.

L2TP Configuration — LAC

Flowchart:
Start
Perform basic configuration (including interface IP address).
Configure virtual interface template and bind to the physical interface.
Enable L2TP.
Configure the L2TP group of the LNS end.
VPDN group.
Enable the interzone filtering rule.
End

L2TP Configuration — LNS

Flowchart:
Start
Perform basic configuration (including interface IP address).
Configure the virtual interface template.
Enable L2TP.
Configure the L2TP group of the LNS.
In the AAA view, configure the accounts of the VPDN group.
Enable the interzone filtering rule.
End

Typical Configurations of L2TP VPN — LAC (1)

Create a virtual template interface.
[LAC] interface Virtual-Template 1
Configure the PPP authentication mode.
[LAC-Virtual-Template1] ppp authentication-mode chap
Bind the interface to the virtual interface template.
[LAC] interface ethernet 0/0/0
[LAC-Ethernet0/0/0] pppoe-server bind virtual-template 1
Add the virtual interface template to the security zone.
[LAC] firewall zone trust
[LAC-zone-trust] add interface Virtual-Template 1
[LAC-zone-trust] add interface ethernet 0/0/0

Typical Configurations of L2TP VPN — LAC (2)

Enable L2TP.
[LAC] l2tp enable
Create an L2TP group.
[LAC] l2tp-group 1
Set a peer IP address for the L2TP tunnel.
[LAC-l2tp1] start l2tp ip 3.3.2.1 fullusername pc1 (domain hs.com)
Start L2TP tunnel authentication.
[LAC-l2tp1] tunnel authentication
Configure an authentication password for the L2TP tunnel.
[LAC-l2tp1] tunnel password simple hello

Typical Configurations of L2TP VPN — LAC (3)

Configure the name of the local end of the tunnel.
[LAC-l2tp1] tunnel name lac
Enter the AAA view.
[LAC] aaa
Configure the name and password for the local user.
[LAC-aaa] local-user pc1 password simple pc1pc1
Configure the default interzone packet filtering policy.
[LAC] firewall packet-filter default permit interzone trust local
[LAC] firewall packet-filter default permit interzone untrust local

Typical Configurations of L2TP VPN — LNS (1)

Create a virtual interface template.
[LNS] interface Virtual-Template 1
Configure the IP address of the virtual interface template.
[LNS-Virtual-Template1] ip address 10.1.1.1 24
Configure the PPP authentication mode.
[LNS-Virtual-Template1] ppp authentication-mode chap
Allocate an IP address from the address pool to the peer interface.
[LNS-Virtual-Template1] remote address pool 1

Typical Configurations of L2TP VPN — LNS (2)

Add the virtual interface template to the security zone.
[LNS-zone-trust] add interface Virtual-Template 1
Enable L2TP.
[LNS] l2tp enable
Configure an L2TP group.
[LNS] l2tp-group 1
Specify the name and Virtual-Template of the tunnel peer when receiving a call.
[LNS-l2tp1] allow l2tp virtual-template 1
Start L2TP tunnel authentication.
[LNS-l2tp1] tunnel authentication
Configure an L2TP tunnel authentication password.
[LNS-l2tp1] tunnel password simple hello

Typical Configurations of L2TP VPN — LNS (3)

Configure the name of the local end of the tunnel.
[LNS-l2tp1] tunnel name lns
Enter the AAA view.
[LNS] aaa
Create the user name and password of the local user.
[LNS-aaa] local-user pc1 password simple pc1pc1
Configure the user type.
[LNS-aaa] local-user pc1 service-type ppp
Configure a public IP address pool.
[LNS-aaa] ip pool 1 4.1.1.1 4.1.1.99
Configure default interzone packet filtering rules.
[LNS] firewall packet-filter default permit interzone local untrust

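The LAC (1) to (3) and LNS (1) to (3) sequences above are one procedure split across two devices, and the tunnel comes up only if the two halves agree: L2TP enabled on both, tunnel authentication enabled on both or neither, the same tunnel password, the user named in the LAC's start l2tp command present on the LNS with service-type ppp, and an allow l2tp virtual-template line on the LNS so that it accepts the call. The following is an added example (not Huawei code and not part of the slides) that extracts those items from both command sets and reports any mismatch before the configuration is committed. The two config texts are constructed from the commands on the slides, with the parenthetical domain note dropped.

```python
import re

# Constructed: the LAC and LNS command lines from the slides, without the [prompt] prefixes.
LAC_CONFIG = """
l2tp enable
l2tp-group 1
 start l2tp ip 3.3.2.1 fullusername pc1
 tunnel authentication
 tunnel password simple hello
 tunnel name lac
aaa
 local-user pc1 password simple pc1pc1
"""

LNS_CONFIG = """
l2tp enable
l2tp-group 1
 allow l2tp virtual-template 1
 tunnel authentication
 tunnel password simple hello
 tunnel name lns
aaa
 local-user pc1 password simple pc1pc1
 local-user pc1 service-type ppp
 ip pool 1 4.1.1.1 4.1.1.99
"""


def first(pattern, text):
    """First capture group of pattern in text (multiline), or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def has(pattern, text):
    return re.search(pattern, text, re.M) is not None


def check_l2tp_pair(lac: str, lns: str) -> list:
    """Return the list of cross-device inconsistencies; empty means the pair is coherent."""
    problems = []
    for name, cfg in (("LAC", lac), ("LNS", lns)):
        if not has(r"^\s*l2tp enable\s*$", cfg):
            problems.append(f"{name}: l2tp enable missing")
    lac_auth = has(r"^\s*tunnel authentication\s*$", lac)
    lns_auth = has(r"^\s*tunnel authentication\s*$", lns)
    if lac_auth != lns_auth:
        problems.append("tunnel authentication enabled on one side only")
    lac_pw = first(r"^\s*tunnel password simple (\S+)", lac)
    lns_pw = first(r"^\s*tunnel password simple (\S+)", lns)
    if (lac_auth or lns_auth) and lac_pw != lns_pw:
        problems.append("tunnel passwords differ")
    user = first(r"^\s*start l2tp ip \S+ fullusername (\S+)", lac)
    if user is None:
        problems.append("LAC: start l2tp ... fullusername missing")
    else:
        if not has(rf"^\s*local-user {re.escape(user)} password", lns):
            problems.append(f"LNS: no local-user {user}")
        if not has(rf"^\s*local-user {re.escape(user)} service-type ppp", lns):
            problems.append(f"LNS: local-user {user} lacks service-type ppp")
    if first(r"^\s*allow l2tp virtual-template (\d+)", lns) is None:
        problems.append("LNS: allow l2tp virtual-template missing, calls will be refused")
    return problems


if __name__ == "__main__":
    print(check_l2tp_pair(LAC_CONFIG, LNS_CONFIG) or "LAC and LNS agree")
```

The check is deliberately one-directional on the user account: the LAC only names the user, while the LNS must hold the account and allow PPP for it, which is what the LNS (3) slide configures.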
L2TP VPN Configuration (Web)

Typical Configurations of L2TP VPN — Verification and Maintenance

Display information about the current L2TP tunnel.
<LAC> display l2tp tunnel
LocalTID RemoteTID Remote Address Port Sessions Remote Name
1        8         3.3.2.1        1701 1        lns
Total tunnels = 1

Display information about the current L2TP session.
<LAC> display l2tp session
LocalSID RemoteSID LocalTID
1        8         1
Total session = 1

Precautions on L2TP VPN Configuration

The LNS must be configured with the IP address of the virtual template. This template must be added to a zone.
By default, the firewall needs to carry out tunnel authentication. If tunnel authentication is not configured,

the differences between them?
What information does LNS use to identify L2TP packets?
What are the differences between the LAC/client and the LNS/server in data packets?
In what situation should tunnel authentication be disabled for Client-Initialized L2TP?
Why an LAC virtual interface template and its corresponding physical interface Ethernet 0/0/0
To ensure that remote dial-up users can access resources of the private network, how do you configure the interzone packet filtering on the LNS, and the relationship between virtual interface template and security zone?
For L2TP, how do you configure the interzone packet filtering to meet the requirements for minimum rights?

Objectives

Upon completion of this course, you will be able to:
Basic principles and implementation modes of Generic Routing Encapsulation (GRE) VPN
Security mechanisms of GRE VPN
Application scenarios and configuration methods of GRE VPN

Contents

1. GRE VPN Overview
2. GRE VPN Technology
3. Analyzing the Application Scenarios of GRE VPN

GRE Overview

[Figure: an IPX packet carried as Link layer | IP | GRE | IPX | Payload through a GRE tunnel over the Internet between Firewall A (IPX network) and Firewall B (HQ IPX network)]

GRE refers to encapsulation of data packets of certain network layers such as IP, IPX, and AppleTalk, so that encapsulated packets can be transmitted over another network layer protocol, for example, IP.

GRE provides a mechanism in which a packet of one protocol can be encapsulated into a packet of another protocol so that packets can be transmitted over various

encapsulated. The encapsulated data packet is forwarded to the IP module for further processing.

Decapsulation process:
The destination address of the packet is the IP address of the local device; the protocol field is 47; then, start the decapsulation.
The encapsulated data packet is forwarded to the IP module for further processing.

Format of a GRE Packet Header

C: Checksum Present bit. 1: The checksum field is present. 0: The checksum field is absent.
K: Key Present bit. 1: The key field is present in the GRE header. 0: The key field is absent.
Recursion: Contains the number of additional encapsulations which are permitted.
Flags: reserved bits. They must be set to 0s.
Version bit. It must be set to 0. The value 1 is used in PPTP of RFC2637.
Protocol Type: type of the passenger protocol.
Checksum: IP checksum of the GRE header and the payload packet; the checksum field itself is carried in the GRE header.
Key: key field.

When bit C is 1, the checksum is valid. Bit C being 1: the sender calculates the checksum, and the receiver verifies the checksum.
If bit K is 1, the key field is present in the GRE header. Only when the keyword is consistent, the check succeeds.

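The C and K mechanisms above are simple enough to implement end to end: the sender computes the checksum over header and payload with the checksum field zeroed, the receiver recomputes it the same way, and a tunnel configured with a key drops any packet whose key field does not match. The following is an added example (not Huawei code and not from the slides) that builds and parses GRE headers with those two options. The bit positions follow the RFC 1701/2784 layout assumed by the slide (C in bit 0, K in bit 2, version in the low three bits), the checksum is the standard RFC 1071 ones'-complement sum, and the passenger packet is constructed bytes rather than a real IP datagram.

```python
import struct

# First 16 bits of the GRE header: C R K S s Recur(3) Flags(5) Ver(3)
GRE_FLAG_C = 0x8000        # Checksum Present
GRE_FLAG_K = 0x2000        # Key Present
GRE_VERSION_MASK = 0x0007  # must be 0 for GRE; 1 is PPTP (RFC 2637)
ETHERTYPE_IPV4 = 0x0800    # passenger protocol type used in the sample
IP_PROTOCOL_GRE = 47       # outer IP protocol value that triggers decapsulation

# Constructed passenger packet (just bytes to carry, not a real IP datagram).
SAMPLE_PAYLOAD = bytes(range(20))


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words, as used for the GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, protocol: int = ETHERTYPE_IPV4, key=None, with_checksum=False) -> bytes:
    """Sender side: header + payload; with C set, the checksum covers both."""
    flags = (GRE_FLAG_C if with_checksum else 0) | (GRE_FLAG_K if key is not None else 0)
    header = struct.pack("!HH", flags, protocol)
    if with_checksum:
        header += struct.pack("!HH", 0, 0)       # checksum placeholder + reserved field
    if key is not None:
        header += struct.pack("!I", key)
    if with_checksum:
        csum = internet_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(packet: bytes, expected_key=None):
    """Receiver side: check version, checksum (if C) and key (if the tunnel expects one).
    Returns (protocol_type, payload); raises ValueError when a check fails."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("GRE version must be 0")
    off = 4
    if flags & GRE_FLAG_C:
        if len(packet) < off + 4:
            raise ValueError("truncated checksum field")
        received = struct.unpack("!H", packet[4:6])[0]
        if internet_checksum(packet[:4] + b"\x00\x00" + packet[6:]) != received:
            raise ValueError("GRE checksum mismatch")
        off += 4
    key = None
    if flags & GRE_FLAG_K:
        if len(packet) < off + 4:
            raise ValueError("truncated key field")
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: packet dropped")
    return protocol, packet[off:]


def accepts(packet: bytes, expected_key=None) -> bool:
    """True if the receiver would decapsulate the packet, False if it would drop it."""
    try:
        parse_gre(packet, expected_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_gre(SAMPLE_PAYLOAD, key=0x1234, with_checksum=True)
    print(pkt.hex(), accepts(pkt, expected_key=0x1234))
```

The key is a plaintext identifier, not a secret, so the K check only separates tunnels and filters stray packets; it is not an authentication mechanism, which is part of why the deck pairs GRE with IPSec.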
Contents

1. GRE VPN Overview
2. GRE VPN Technology
3. Analyzing the Application Scenarios of GRE VPN

Typical Application Scenario of GRE VPN

[Figure: Firewall A (E0/0/0 10.1.1.1/24 toward its subnet, E1/0/0 192.13.2.1/24 toward the Internet) - Internet - Firewall B (E2/0/0 131.108.5.2/24 toward the Internet, E0/0/0 10.1.3.1/24 toward the HQ); a GRE tunnel runs between the two firewalls]

Subnets 1 and 2 are interconnected through a Layer 3 tunnel protocol between firewalls A and B.

Configuration Roadmap of GRE VPN

Flowchart:
Start
Perform basic configuration (including interface IP address).
Configure a tunnel logical interface and specify the source address and destination address used by the GRE tunnel.
Configure a route to the segment on the peer network. The next hop is the tunnel interface.
End

Configuration Method of GRE VPNi.c o
Run the interface tunnel number command to create a virtual tunnel w
e
u a interface and
enter the interface view.
. h
(Optional) Run the tunnel-protocol gre command to configure n gthe encapsulation
i
/ l
the source address of the Tunnel interface.
: /
Run the destination ip-address command topconfigure the destination address of the
t t
Tunnel interface. h
s : of the tunnel identify a tunnel. The
e
The source and destination addresses
addresses of the two ends c
u r are source and destination addresses to each other.
configure the networkRaddress of the tunnel interface. Run the gre checksum
command to configure
n g end-to-end check for both ends of the tunnel.
i
(Optional) Runnthe gre key key-number command to configure identification keys for
a r
the Tunnele interface.
L
r eht © 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
o
Copyrig Pa ge 15
Typical Configuration of GRE VPN (1)

Configure firewall A.

1. Perform basic configuration (omitted).
2. Create interface Tunnel 1.
   [A] interface tunnel 1
3. Configure the IP address of interface Tunnel 1.
   [A-Tunnel1] ip address 10.1.1.1 24
4. Configure the tunnel encapsulation mode.
   [A-Tunnel1] tunnel-protocol gre
5. Configure the source address of interface Tunnel 1 (IP address of Ethernet 1/0/0 on firewall A).
   [A-Tunnel1] source 192.13.2.1
6. Configure the destination address of interface Tunnel 1 (IP address of Ethernet 2/0/0 on firewall B).
   [A-Tunnel1] destination 131.108.5.2
Typical Configuration of GRE VPN (2)

7. Configure a static route to Tunnel 1 and then to Group 2.
   [A] ip route-static 10.1.3.0 255.255.255.0 tunnel 1
8. Enter the Untrust zone view.
   [A] firewall zone untrust
9. Add Tunnel 1 to the Untrust zone.
   [A-zone-Untrust] add interface Tunnel 1
10. Configure default interzone packet filtering rules.
   [A] firewall packet-filter default permit interzone trust local
   [A] firewall packet-filter default permit interzone untrust local
   [A] firewall packet-filter default permit interzone trust untrust
Typical Configuration of GRE VPN (3)

The configuration of firewall B is similar to that of firewall A. You need to change only the source and destination addresses of the tunnel and the default route.

1. Configure the IP address of interface Tunnel 1.
   [B-Tunnel1] ip address 10.1.3.1 24
2. Configure the source address of interface Tunnel 1 (IP address of Ethernet 1/0/0 on firewall A).
   [B-Tunnel1] source 131.108.5.2
3. Configure the destination address of interface Tunnel 1 (IP address of Ethernet 2/0/0 on firewall B).
   [B-Tunnel1] destination 192.13.2.1
4. Configure a static route to Tunnel 1 and then to Group 1.
   [B] ip route-static 10.1.1.0 255.255.255.0 tunnel 1
[...] the principle of minimum authorization?

Answer
Thank you
www.huawei.com
Chapter 9 IPSec VPN
www.huawei.com
Objectives

Upon completion of this course, you will be able to:

Understand the basic principles of IPSec
Understand AH and ESP technologies
Understand the service flow of the IKE protocol
Understand the application scenarios and configurations of IPSec VPN
Contents

1. IPSec VPN Overview
2. IPSec VPN Architecture
3. AH Technology
4. ESP Technology
5. IKE Technology
6. IPSec VPN Application Scenarios
IPSec Overview

Figure: IPSec VPN security tunnel between Branch and H.Q.; IPSec provides confidentiality, integrity, authentication and anti-replay.
IPSec Features

Figure: Protocol stacks (APP, Data, TCP/UDP, IP) at Branch and HQ, with the protection areas covered by the IPSec VPN across the Internet services.
IPSec Protection Scenario

Figure: IPSec VPN between Branch and H.Q.

IPSec E2E scenario:
Between security gateways (such as firewalls)
Between the host and security gateway
Between hosts
IPSec VPN Architecture

Figure: IPSec VPN architecture: AH (authentication header) and ESP (encapsulating security payload), built on an encryption algorithm and an authentication algorithm, with key management and policy underneath.
IPSec Protocols

AH: AH provides the functions of authenticating data sources, checking data integrity, and anti-replay, but it does not encrypt the protected packets.

ESP: ESP provides all the functions of AH and encrypts IP packets. However, the data integrity of IP headers is not checked.

IPSec enables privacy, integrity, authenticity and anti-replay of packets during network transmission.
IPSec Encapsulation Modes

Transport mode: In transport mode, IPSec headers are inserted behind the IP header and before all transport layer protocols or all other IPSec protocols.

Tunnel mode: In tunnel mode, IPSec headers are inserted before the original IP header. The new packet header is placed before AH or ESP.

Figure:
Original packet: IPH | Data
Transport mode:  IPH | IPSec | Data
Tunnel mode:     New IPH | IPSec | Org IPH | Data
Comparison Between IPSec Encapsulation Modes

Transport mode: Original IP header | IPSec header | IP data
Tunnel mode: New IP header | IPSec header | Original IP header | Original IP data

Comparison:
1. Security: In tunnel mode, the original IP header information is hidden, therefore ensuring data security.
2. Performance: In tunnel mode, there is one extra IP header, so more bandwidth is used than in transport mode.

To select an encapsulation mode, weigh performance against security.
Encryption and Authentication Algorithms

Encryption algorithm:
DES (56 bit / 64 bit)
3DES (3 x 56 bit / 64 bit)
AES (128, 192, 256)
China encryption algorithm (256)

Authentication algorithm:
MD5 (128 bit)
SHA-1 (160 bit)

Computing complexity is [...] encryption strength.
IPSec Protocol-AH

Providing data source authentication (authenticity), integrity check, and anti-replay.
Encryption algorithms are not supported.

Figure: AH packet format: Next packet header | Payload size | Reserved field; Security parameter index (SPI); SN; Authentication data; Payload data.
AH Packet Encapsulation Modes

Figure:
Original packet: IPH | Data
Transport mode:  IPH | AH | Data (to authenticate all the unchanged parts)
Tunnel mode:     New IPH | AH | Org IPH | Data (to authenticate all the unchanged parts except the new IP header field)

In the IP packet header, the AH protocol number is 51.
Transport mode: To authenticate the entire IP packet.
Tunnel mode: To authenticate the new IP header and the entire IP packet.
IPSec Protocol-ESP

Providing data authenticity, data integrity, anti-replay, and data confidentiality.
Supporting encryption algorithms.

Figure: ESP packet format: Security parameter index (SPI); SN; Initialization vector; Payload data; Filling field | Filling size | Next packet header; Authentication data.
ESP Packet Encapsulating Mode

Figure:
Original packet: IPH | Data
Transport mode:  IPH | ESPH | Data | ESP Trailer | ESP Auth (encryption part and authentication part marked)
Tunnel mode:     New IPH | ESPH | Org IPH | Data | ESP Trailer | ESP Auth (encryption part and authentication part marked)

The protocol number of ESP in the IP packet header is 50.
Transport mode: The ESP header is located between the IP packet header and the transport layer protocol packet header. The ESP tail is added behind the data.
Tunnel mode: The ESP packet header is located between the new IP header and the initial packet. The ESP tail is added behind the data.
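The AH and ESP slides above list the SPI, sequence number (SN), filling (padding) and authentication data fields, and the anti-replay service both protocols provide. The following added Python example, which is not from the course or any Huawei product, frames an ESP packet as in RFC 4303 using NULL encryption (RFC 2410) so the trailer structure stays visible, computes an HMAC-MD5-96 ICV (the A:HMAC-MD5-96 seen later in the display ipsec sa output), and implements the receiver's 64-packet anti-replay window in the order RFC 4303 prescribes: SPI lookup, replay check, ICV check, then window update. The SPI, authentication key and payloads are constructed.

```python
"""ESP packet framing (RFC 4303) with NULL encryption (RFC 2410), HMAC-MD5-96
integrity (RFC 2403) and a 64-packet anti-replay window.

Added example, not from the course material. SPI, key and payloads are constructed.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12      # HMAC-MD5-96: 128-bit MAC truncated to 96 bits
PROTO_IPV4 = 4    # Next Header value for a tunnelled IPv4 packet


def esp_encapsulate(spi: int, seq: int, payload: bytes, auth_key: bytes,
                    next_header: int = PROTO_IPV4) -> bytes:
    """Outbound: SPI | SN | payload | padding | pad length | next header | ICV.
    NULL encryption leaves the payload as-is, so every field stays readable."""
    pad_len = (-(len(payload) + 2)) % 4            # align payload + 2-byte trailer to 4
    padding = bytes(range(1, pad_len + 1))         # default monotonic padding bytes
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    authenticated = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(auth_key, authenticated, hashlib.md5).digest()[:ICV_LEN]
    return authenticated + icv


class InboundSA:
    """Receiver state for one SA: SPI, authentication key and replay window."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi = spi
        self.auth_key = auth_key
        self.window = window
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set means SN (highest - i) was received

    def _replay_check(self, seq: int) -> bool:
        if seq == 0:
            return False                           # SN 0 is never valid
        if seq > self.highest:
            return True                            # new packet, window will slide
        diff = self.highest - seq
        if diff >= self.window:
            return False                           # older than the window: drop
        return not (self.bitmap >> diff) & 1       # duplicate inside the window: drop

    def _replay_update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Inbound processing; returns (status, payload)."""
        if len(packet) < 8 + 2 + ICV_LEN:
            return "truncated", b""
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "unknown spi", b""
        if not self._replay_check(seq):
            return "replay", b""
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.md5).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad icv", b""   # window is NOT advanced on an integrity failure
        self._replay_update(seq)    # only authenticated packets move the window
        pad_len, _next_header = struct.unpack("!BB", body[-2:])
        payload = body[8:len(body) - 2 - pad_len]
        return "ok", payload
```

The ordering matters for the defender: the replay check runs before the (comparatively expensive) ICV computation so that a flood of replayed packets is cheap to discard, but the window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push legitimate in-flight packets out of the window.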
[...]
ISAKMP defines the state change process of communication, the format, mode and information to guarantee communication security …
IKE Security Mechanism

Figure: IKE security mechanisms: DH algorithm, key distribution; Identity protection; Forward security; Identity authentication.

IKE has a self-protection mechanism, which can safely distribute keys, authenticate identities, and set up an IPSec association on an insecure network.
IPSec SA Concept

SA: An SA is the convention of communication peers on some elements. An SA can be established only when both communication parties comply with the SA conventions.

SA contents:
Security protocols (AH, ESP, AH+ESP)
Operation mode (transport mode and tunnel mode)
Encryption algorithm (DES and 3DES)
Lifecycle of the shared keys and key
……

An SA is uniquely identified by a triplet, including the SPI, destination IP address, and security protocol number.
IKE Functions in IPSec

Reduces the complexity of manual configuration.
Scheduled SA update.
Scheduled key update.
Allows IPSec to provide the anti-replay service.
Allows E2E dynamic authentication.
Relation Between IKE and IPSec

Figure: On each peer, IKE performs the SA negotiation and hands the SA to IPSec, which sits below TCP/UDP at the IP layer; encrypted IP packets are exchanged between the two IPSec instances.
Phases of IKE

Figure: 1. Receive the data streams to be protected. 2. Negotiate the IKE SA (IKE SA negotiation). 3. Negotiate the IPSec SA. 4. Provide AH and ESP protection (encrypted IP packets).

IKE uses two phases to negotiate IPSec keys and establish an SA:

First phase: Both communication parties establish a tunnel that has passed identity authentication and has been protected, namely the IKE SA. Negotiation modes include main mode and aggressive mode. Authentication modes include pre-shared key, digital signature, and public key encryption.

Second phase: Use the tunnel established in the first phase to negotiate the security service for IPSec and set up an IPSec SA. The IPSec SA is used for the final safe transmission of IP data. The negotiation mode is fast mode.
Exchange Process of IKE Pre-Shared Key in Main Mode

Figure (Initiator and Receiver):
Mode negotiation: Initiator cookie → ; ← Responder cookie, algorithm confirmation.
DH exchange, nonce exchange: Key exchange payload Xa and temporary value payload Ni → ; ← Key exchange payload Xb and temporary value payload Nr. Key generation on both sides.
Identity authentication: Key HASH generates the hash payload → ; ← Key HASH generates the hash payload. End.
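The exchange above, carried through as key derivation in an added Python example that is not the course's or Huawei's code: after the cookies, Diffie-Hellman values (Xa, Xb) and nonces (Ni, Nr) have been exchanged, each side derives SKEYID from its configured pre-shared key and the two nonces as in RFC 2409 section 5.4, then computes the HASH_I / HASH_R payloads that authenticate the identities. The DH group is the 1024-bit MODP group (IKE "group2"); the prf is HMAC-SHA1; the cookies, nonces and private exponents are drawn randomly, and the identities, SA payload bytes and pre-shared keys are constructed. Running it with mismatched pre-shared keys shows why both peers must hold the same key: the DH shared secret still agrees, but the hash payloads do not verify and the derived keys differ.

```python
"""IKE phase 1 key material with pre-shared-key authentication (RFC 2409 5.4),
as exchanged in main mode. Added example, not from the course or Huawei.
Identities, SA payload bytes and pre-shared keys are constructed.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" prime, generator 2 (IKE dh group2, 1024 bits).
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
P_BYTES = 128


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash (SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    """One IKE endpoint: its cookie, nonce and DH key pair for phase 1."""

    def __init__(self, psk: bytes, identity: bytes):
        self.psk = psk
        self.id = identity
        self.cookie = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(20)
        self.x = secrets.randbelow(GROUP2_P - 2) + 1      # private exponent
        self.gx = pow(GROUP2_G, self.x, GROUP2_P)        # public value Xa / Xb

    def shared_secret(self, peer_gx: int) -> bytes:
        return pow(peer_gx, self.x, GROUP2_P).to_bytes(P_BYTES, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the PSK enters only here."""
    return prf(psk, ni + nr)


def derive_keys(skeyid, gxy, cky_i, cky_r):
    """SKEYID_d / SKEYID_a / SKEYID_e chain from RFC 2409."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def main_mode_psk(initiator: Peer, responder: Peer, sai_b: bytes):
    """Runs the six-message exchange locally. Returns
    (both sides authenticated, DH secrets agree, derived SKEYID_* agree)."""
    # Messages 1-2 carry SA and cookies; messages 3-4 carry KE (g^x) and nonces.
    gxi = initiator.gx.to_bytes(P_BYTES, "big")
    gxr = responder.gx.to_bytes(P_BYTES, "big")
    cky_i, cky_r = initiator.cookie, responder.cookie
    # Each side computes SKEYID from its OWN configured PSK and both nonces.
    sk_i = skeyid_psk(initiator.psk, initiator.nonce, responder.nonce)
    sk_r = skeyid_psk(responder.psk, initiator.nonce, responder.nonce)
    gxy_i = initiator.shared_secret(responder.gx)
    gxy_r = responder.shared_secret(initiator.gx)
    # Messages 5-6 (encrypted under SKEYID_e): ID and HASH payloads.
    h_i_sent = hash_i(sk_i, gxi, gxr, cky_i, cky_r, sai_b, initiator.id)
    h_i_expected = hash_i(sk_r, gxi, gxr, cky_i, cky_r, sai_b, initiator.id)
    h_r_sent = hash_r(sk_r, gxi, gxr, cky_i, cky_r, sai_b, responder.id)
    h_r_expected = hash_r(sk_i, gxi, gxr, cky_i, cky_r, sai_b, responder.id)
    responder_ok = hmac.compare_digest(h_i_sent, h_i_expected)
    initiator_ok = hmac.compare_digest(h_r_sent, h_r_expected)
    keys_i = derive_keys(sk_i, gxy_i, cky_i, cky_r)
    keys_r = derive_keys(sk_r, gxy_r, cky_i, cky_r)
    return responder_ok and initiator_ok, gxy_i == gxy_r, keys_i == keys_r
```

Because the PSK never crosses the wire and only feeds SKEYID, the failure mode of a mismatched key is a HASH_I/HASH_R verification failure in messages 5 and 6, after the DH exchange has already succeeded; that is what a "phase 1 authentication failed" log on either firewall corresponds to.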
Negotiation Process of Pre-Shared Key in IKE Aggressive Mode

Figure: Peer 1 (Initiator) and Peer 2 (Receiver) exchange three messages.

In aggressive mode, three messages in total should be exchanged.
Message 1 exchanges the SA payload, key specification and identity information.
Message 2 adds the hash authentication payload on the basis of the message 1 contents.
Message 3 is the authentication initiated by the responder against the initiator.
Difference Between Main Mode and Aggressive Mode of IKE

Exchanged messages:
Main mode: 6; aggressive mode: 3.

Identity protection:
In main mode, the last two messages are encrypted, which can provide identity protection. In aggressive mode, messages are highly integrated without the identity protection function.

Peer identifier:
In main mode, peers are identified by IP addresses only. In aggressive mode, peers can be identified by IP addresses or names.
Negotiation Process in Fast Mode

Figure: Peer 1 (Initiator) and Peer 2 (Receiver) exchange three messages.

Fast mode requires exchanging three messages in total.
In messages 1 and 2, SA, key, Nonce, and ID are exchanged for algorithm negotiation, PFS guarantee and provisioning of on-site evidence.
Message 3 is used to verify whether responders can communicate, equivalent to an acknowledgment message.
Key Protection

Key lifecycle: The key has its lifecycle. When the lifecycle expires, a new key replaces the original one.

Perfect forward secrecy (PFS): Defines that two keys do not have a relationship with each other.

Diffie-Hellman (DH) group: In the public key encryption system, the information on the shared key generation process is exchanged on a public communication channel (Internet) without protection.
IPSec Flow Processing

Figure: Inbound and outbound traffic between Branch and H.Q.

Inbound and outbound processing:
Discarding packets
Bypassing the security service
Applying the security service
[...]
Networking requirements:
PC1 safely communicates with PC2 and uses IKE between the FWA and FWB for negotiating [...]
Set the IKE proposal with SN of 10 on both the FWA and FWB.
Set the authenticator for the authentication that uses the pre-shared key.
Both FWA and FWB have fixed public network addresses.
IPSec VPN Configuration Idea

Start
1. Basic configuration (such as setting the IP addresses of interfaces)
2. Configure IPSec proposal
3. Configure IKE proposal
4. Configure IKE peer
5. Configure IPSec policy
6. Reference IPSec on interfaces
7. Enable filter rules of the corresponding zones
8. Configure the route to the peer intranet segment
End
IPSec Configuration Process — IPSec Proposal

Run the ipsec proposal proposal-name command to create a security proposal and enter the security proposal view.
Run the transform { ah | ah-esp | esp } command to select a security protocol. By default, esp is used.
Run the encapsulation-mode tunnel command to select the packet encapsulation mode.
Run the ah authentication-algorithm { md5 | sha1 } command to set the authentication algorithm used by the AH protocol. By default, the MD5 algorithm is used by the AH protocol, as the IPSec security proposal says.
Run the esp authentication-algorithm { md5 | sha1 } command to set the authentication algorithm used by the ESP protocol. By default, the MD5 algorithm is used.
Run the esp encryption-algorithm { 3des | des | aes | scb2 } command to set the encryption algorithm used by the ESP protocol. By default, the DES algorithm is used.
IPSec Configuration Process — IKE Proposal

Run the ike proposal proposal-number command to create and enter the IKE [...] authentication method.
Run the encryption-algorithm { des-cbc | 3des-cbc } command to select an encryption algorithm. By default, the 56-bit DES algorithm in CBC mode is used.
If the pre-shared key authentication method is selected, set the pre-shared key for each peer end. The pre-shared keys on the two peer ends that establish a secure connection must be the same.
Run the authentication-algorithm { md5 | sha } command to select an authentication algorithm. By default, the SHA1 algorithm is used.
Run the dh { group1 | group2 | group5 } command to select the Diffie-Hellman group identifier. By default, the identifier is group1, namely, the 768-bit Diffie-Hellman group.
Run the sa duration interval command to set the SA lifecycle.
IPSec Configuration Process — IKE Peer

Run the ike peer peer-name command to create an IKE peer and enter the IKE peer view.
Run the exchange-mode { main | aggressive } command to configure the negotiation mode.
In aggressive mode, the peer IP address and peer end name can be set. In main mode, only the peer IP address can be set. By default, main mode is used for IKE negotiation.
Run the ike-proposal proposal-number command to set the IKE security proposal.
Run the local-id-type { ip | name } command to set the ID type (optional) of the IKE peer.
Run the pre-shared-key key-string command to set the pre-shared key shared with the peer end.
Run the local-address ip-address command to set the local IP address used for IKE negotiation.
Run the remote-address low-ip-address [ high-ip-address ] command to set the peer IP address.
Run the remote-name name command to set the peer end name (in aggressive mode, when name is used for authentication).
IPSec Configuration Process — IKE Peer (Continued)

Run the ipsec sa global-duration { time-based interval | traffic-based kilobytes } command to set the global SA lifecycle (optional).
Run the ike local-name router-name command to set the local ID (optional) for IKE negotiation.
Run the ike sa keepalive-timer interval interval command to set the interval (optional) at which the Keepalive packet is sent.
Run the ike sa keepalive-timer timeout interval command to set the expiration time (optional) of waiting for the Keepalive packet.
Run the ike sa nat-keepalive-timer interval interval command to set the time interval (optional) at which the NAT update packet is sent.
IPSec Configuration Process — IPSec Security Policy and Application

Create an ACL to define the protected data streams.
Run the ipsec policy policy-name seq-number isakmp command to create a security policy.
Run the proposal proposal-name&<1-6> command to reference a security [...]
[...] security policy.
Run the interface interface-type interface-number command to enter the interface view. Here, select the network egress.
Run the ipsec policy policy-name command to reference the security policy.
IPSec VPN Configuration Wizard (Web)

Figure: screenshot of the Web configuration wizard.
IPSec Result Verification and Maintenance Commands

PC1 and PC2 can access each other.
Two bi-directional IPSec SAs can be shown on the firewall.

<FWA>display ipsec sa brief
current ipsec sa number: 2
--------------------------------------------------------------
Src Address      Dst Address      SPI          VPN  Protocol  Algorithm
--------------------------------------------------------------
202.39.160.1     202.39.169.1     957073432    0    ESP       E:DES;A:HMAC-MD5-96;
202.39.169.1     202.39.160.1     2838744079   0    ESP       E:DES;A:HMAC-MD5-96;
IPSec Result Verification and Maintenance Commands

IKE peer and IKE SA information can be shown.

<USG B> dis ike sa
connection-id  peer            flag    phase  doi
-----------------------------------------------------------------------
2              202.39.160.1    RD|ST   1      IPSEC
4              202.39.160.1    RD|ST   2      IPSEC
Notices About IPSec VPN Configuration

On the firewall, there must be a proper route to the peer intranet segment.
Disable the fast forwarding function of the USG2100 interface that is connected to the intranet.
Define the Source field in the firewall ACL that actively triggers IPSec VPN. It is recommended to set the ACLs of both parties to mirror each other.
Setting the default packet filter rule between the Local and Untrust zones aims to allow the devices on the two ends of the IPSec tunnel to communicate so that they can negotiate the SA.
Summary

Basic principles of IPSec
AH and ESP technologies
Service flow of the IKE protocol
Application scenarios and configurations of IPSec VPN
Questions

Which security services does the IPSec VPN provide? What are the meaning and implementation mode of each security service?
What are the two major security protocols of IPSec? What is the difference between them?
What are the two major encapsulation modes of IPSec? What is the difference between
What are the two negotiation modes of IKE in the first phase? What are their scenarios?
Objectives

Upon completion of this course, you will be able to:

Understand SSL VPN technology
Understand the basic functions and features of the SVN3000
Understand the methods for configuring the SSL VPN
Contents

1. SSL VPN Overview
2. SSL VPN Technology
3. SSL VPN Security Policy
4. SSL VPN Application Scenario
SSL Overview

Figure: Position of the SSL in the TCP/IP protocol stack. Not secure: HTTP over TCP over IP. Secure: HTTP over SSL over TCP over IP.
Security Comparison Between SSL and IPSec

Figure: SSL VPN stack: HTTP | SSL | TCP | IP. IPSec VPN stack: APP+Data | TCP | IP | IPSec | IP.
SSL VPN Security Technology

The SSL ensures data security from the following aspects:

Identity authentication: Before setting up an SSL connection, the client and the server should perform authentication using a digital certificate. The authentication can be unilateral from the client to the server or bidirectional between the client and the server.

Confidentiality: The encryption algorithm can be used to encrypt the transmitted data.

Integrity: The data digest algorithm can be used to check whether data is modified during transmission.
SSL Protocol Structure

Figure: Application layer protocol; SSL handshake protocol, SSL change cipher spec protocol and SSL alert protocol on top of the SSL record protocol; then TCP and IP.
SSL Bottom Layer – SSL Record Protocol

Figure: SSL Record operation process: Application data → Segment → Compress → Add MAC → Encrypt → Add the SSL Record packet header; SSL Record packet structure.
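The record-layer pipeline in the figure (segment, compress, add MAC, encrypt, add header), as an added Python example that is not part of the course material. It uses the TLS 1.0 (RFC 2246) form of the record MAC, which is an HMAC over the 64-bit sequence number, content type, version, length and fragment, together with null compression and the null cipher, so that the framing and the sequence-numbered MAC are visible without a cipher library. The MAC key, content type and messages are constructed; the reader side also enforces the record length limits and rejects a replayed or modified record.

```python
"""SSL/TLS record layer: fragment, compress, MAC, encrypt, add header.

Added example, not from the course. TLS 1.0 record MAC (RFC 2246 6.2.3.1) with
null compression and the null cipher; the key and messages are constructed.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14            # TLSPlaintext.length limit (the "segment" step)
MAX_CIPHERTEXT = 2 ** 14 + 2048   # TLSCiphertext.length limit
VERSION = b"\x03\x01"             # TLS 1.0
CT_APPLICATION_DATA = 23
MAC_LEN = 20                      # HMAC-SHA1


def record_mac(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """MAC = HMAC(key, seq_num(8) | type(1) | version(2) | length(2) | fragment)."""
    hdr = struct.pack("!QB", seq, ctype) + VERSION + struct.pack("!H", len(fragment))
    return hmac.new(mac_key, hdr + fragment, hashlib.sha1).digest()


class RecordWriter:
    """Sender side of one connection: keeps the write sequence number."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0

    def send(self, data: bytes, ctype: int = CT_APPLICATION_DATA) -> bytes:
        out = b""
        for i in range(0, len(data), MAX_FRAGMENT):          # 1. segment
            fragment = data[i:i + MAX_FRAGMENT]
            compressed = fragment                            # 2. null compression
            mac = record_mac(self.mac_key, self.seq, ctype, compressed)  # 3. add MAC
            ciphertext = compressed + mac                    # 4. null cipher
            header = struct.pack("!B", ctype) + VERSION + struct.pack("!H", len(ciphertext))
            out += header + ciphertext                       # 5. add record header
            self.seq += 1                                    # one per record, never reused
        return out


class RecordReader:
    """Receiver side: parses back-to-back records and verifies each MAC."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0

    def receive(self, stream: bytes):
        """Returns (status, [(content_type, fragment), ...])."""
        records = []
        pos = 0
        while pos < len(stream):
            if len(stream) - pos < 5:
                return "truncated header", records
            ctype = stream[pos]
            version = stream[pos + 1:pos + 3]
            length = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
            if version != VERSION or length > MAX_CIPHERTEXT:
                return "bad header", records   # decode_error / record_overflow alert
            body = stream[pos + 5:pos + 5 + length]
            if len(body) != length:
                return "truncated body", records
            if len(body) < MAC_LEN:
                return "bad record", records
            fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
            expected = record_mac(self.mac_key, self.seq, ctype, fragment)
            if not hmac.compare_digest(mac, expected):
                return "bad mac", records      # bad_record_mac alert: fatal, tear down
            self.seq += 1
            records.append((ctype, fragment))
            pos += 5 + length
        return "ok", records
```

The implicit sequence number is what gives the record layer its replay and reordering protection: a captured record re-injected later carries a MAC computed under the old sequence number, so it fails verification even though nothing in its bytes changed.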
SSL Upper Layer Protocols

The SSL protocol is implemented using three elements:
Handshake protocol
Record protocol
Alert protocol

Figure: SSL protocol structure.
SSL Principle – Handshake Protocol

Before the SSL communications, the handshake protocol is used to negotiate the security parameters (such as the encryption algorithm, shared key, and materials used for generating the key) and authenticate the peers.
SSL Principle — Session Recovery

If the client and server have communicated with each other, they can skip the handshake process and directly exchange data. The SSL uses the session
Web Proxy

The Web proxy enables users to safely access intranet Web resources.
The Web proxy supports clientless Web access.
The Web proxy supports two implementation modes: Web-link and Web rewriting.

Figure: Remote user → SVN3000 → Web server.
File Sharing

The file sharing function supports secure access to the internal file system.
The SSL VPN uses the protocol conversion technology to provide the file sharing function.
Users can safely access the intranet file system directly from their browsers.
The SSL VPN converts the file sharing requests from the users to the corresponding protocol formats to interact with the servers.

Protocols:
SMB (Windows)
NFS (LINUX)
Supporting Windows system (SMB) / UNIX system (NFS)

Figure: screenshot of the file sharing page with actions such as New folder and Rename the file or folder.
Implementation of File Sharing

Taking the access of an internal Windows file server as an example, the implementation of file sharing is as follows:

1. The client sends an HTTPS-format request to the file server on the intranet. The HTTPS-format request is sent to the SVN.
2. The SVN converts the HTTPS-format request to the SMB-format packet.
3. The SVN sends the SMB-format packet to the file server.
4. The file server receives the request and sends the SMB-format response to the SVN.
5. The SVN converts the SMB-format response to the HTTPS-format packet.
6. The SVN sends the HTTPS-format packet to the client.

Figure: Client ⇄ SVN over HTTPS (steps 1 and 6); SVN ⇄ File server over SMB/NFS (steps 2 to 5).
Characteristics of File Sharing

Figure: SVN3000 file sharing: SSL encryption for file transmission; file-level access permission control; authentication on file access; extra access control factors on the SVN.

The access of the file system is as secure and convenient as that on the local computer.
The hot key Ctrl+C cannot be used.
Port Forwarding

The port forwarding function provides various TCP application services on the intranet.

Supports TCP applications over static ports:
Single-port single-server (Telnet, SSH, MS RDP, VNC)
Single-port multi-server (Lotus Notes)
Multi-port multi-server (Outlook)

Supports TCP applications over dynamic ports:
Dynamic ports (FTP, Oracle)

Provides port-level access control.
Principles of Port Forwarding

Providing secure access to TCP applications on the intranet.

Figure: CLIENT (application request passed to the application SSL agent) -- Internet --> SVN3000 --> SERVER (TCP 23, TCP 110, TCP 25, TCP 21)
Port Forwarding Features

SVN3000 port forwarding ensures the security and reliability of TCP applications, and provides easy operation and management methods.

1. Support of various intranet TCP applications: remote desktop, Outlook, Notes, FTP, and SSH
2. Encryption on all data flows
3. Authentication on users
4. Global authentication and authorization
5. Access control over TCP applications
6. Standard browser without requiring client installation
Network Extension

The network extension function supports the access to all the complex applications on the entire network.
By establishing the secure SSL tunnel, users can access all the applications on the IP-based intranet.

Implementation mode
- ActiveX control
- Private client software: one-off installation requiring no manual configuration

Access mode (configured by the administrator based on different application scenarios)
- Full Tunnel: The user can access only the enterprise internal network.
- Split Tunnel: The user can access the intranet and local subnet.
Full Tunnel

All the traffic is transmitted to the gateway.

Figure: LAN client -- Internet -- SSL VPN tunnel --> Headquarters intranet resources
Split Tunnel

Except for the intranet, the client can access the local subnet to which the client belongs.

Figure: LAN client -- Internet -- SSL VPN tunnel --> Headquarters intranet resources; the client's own LAN remains directly reachable
Manual Tunnel

The client can access resources in the specified network segment. The client can still access the local subnet and Internet at the same time.

Figure: LAN client -- Internet -- SSL VPN tunnel --> Headquarters intranet resources; the client's own LAN and the Internet remain directly reachable
SSL VPN Advantages

- Convenient deployment without clients
- Security protection for application-layer access
- Improvement of enterprise efficiency
Disadvantages of Traditional VPNs

Disadvantages listed for L2TP and dial-up, IPSec, and MPLS VPNs:
- Insecure
- Extra expenses for dial-up
- Restriction of dial-up access port on the server
- High client management costs
- NAT problems
- No user authentication
- No encryption
- Lack of data authentication
- No application permission
- No auditing
- No access control
- No application-based user authentication, permission, and auditing
- No application-based access control policy
- IP address leakage of the intranet
- Security risks
- High cost
- Interconnection problems between carriers
- Applicable to the interconnection between large-scale intranets
SSL VPN Example — Common Application

Figure: Partner, mobile office, branch, remote maintenance and client users -- Internet --> intranet resources: Linux/NFS, ERP, SMB, Email, Web server
SSL VPN Example — Operation Application

Example: enterprise users A, B and C reach, over the Internet and SSL VPN, an IDC hosting the server clusters of enterprises A, B and C (Web server, OA server) behind a switch (SW), a firewall (FW), a virtual firewall, a virtual SSL VPN gateway and an IDS; the server cluster of enterprise A is a trust server cluster.
Terminal Security Policy

Terminal security threats:
- Non-effective terminal self-security implementation
- Terminal accessing unauthorized network resources
- Network resource abuse by terminals
- Damage caused by malicious terminals

Terminal security policy:
- Antivirus software check
- Process check
- Port check
- Firewall check
- Operating system check
- File check
- Registry check
SVN3000 Functions

SSL VPN functions of the SVN3000, by access type:
- Web access -> Web proxy -> Web
- File access -> File sharing
- TCP applications such as Notes and Telnet -> Port forwarding -> E-mail
- Other complex services -> Network extension -> ERP

The SVN3000 also provides IPSec VPN.
Comprehensive Log Functions

System log
- System reboot record, network interface status record, temperature alarm record, import and export record, system administrator management record, and virtual gateway management record

User log
- User successful login record, user failed login record, offline after login record, password modification record, and service log

Virtual gateway administrator log
- Administrator online and offline record, administrator login failure record, virtual gateway configuration saving record, user management record, and security management record

Log export
- Real-time log export, text-format log export, and CLI log export

Log query
- Hierarchical Web page log query and CLI log query
Contents

1. SSL VPN Overview
2. SSL VPN Technology
3. SSL VPN Security Policy
4. SSL VPN Application Scenario
SVN3000 Application Scenario — Typical Network Position

Figure: Partner, mobile office, branch, remote maintenance and client users reach the headquarters through the SVN3000; headquarters resources: Web server, ERP, NFS, Database, Email

The SVN3000 communicates with the intranet and Internet over this network interface, which is known as the one-armed communication mode.

Figure: Partner, mobile office, branch, remote maintenance and client users reach the enterprise headquarters (Email, Database, ERP, AAA, Web server) through an SVN3000 attached on a single interface; encrypted internal connections and standard internal connections are drawn separately
SSL VPN Application Scenario — Two-Armed Mode

The SVN3000 is connected to the firewall, router, or switch in two-armed mode. The SVN3000 communicates with the intranet and Internet over different network interfaces, which is known as the two-armed communication mode.

Figure: Partner, mobile office, branch, remote maintenance and client users reach the enterprise headquarters (Email, Database, ERP, AAA, Web server) through an SVN3000 with one interface towards the Internet and one towards the intranet; encrypted internal connections and standard internal connections are drawn separately
Enabling the Web NMS Function

Take the SVN3000 as an example.

Configuration process:
- Configure the interface IP address.
- Bind the Web NMS and the IP address. Specify the port used to bind the Web NMS and the IP address.
- Start the Web browser. Enter the IP address of the SVN3000 Web NMS in the address box, for example https://x.x.x.x:port. Press Enter to enter the Web NMS login interface.
- Enter the user name and password on the login page to log in to the SVN3000.
Configuring the Virtual Gateway and Related Parameters

After logging in to the SVN3000 Web NMS interface, click Virtual Gateway Management.
Web Proxy Access Instance (1)

On the Virtual Gateway List navigation tree, click Web proxy to enter the configuration interface.
Web Proxy Access Instance (2)

Configure the Web-link resources.
Enable the Web-Link function.
Web Proxy Access Instance (3)

When you click a link, you can view the corresponding linked Web page.
Web Proxy Access Instance (4)

When you click the sub-link on the Web page, you can also view the corresponding linked Web page.
File Sharing Access Instance (1)

On the Virtual Gateway List navigation tree, click File Sharing to enter the configuration interface.
File Sharing Access Instance (2)

Configure the file sharing resources.
Enable the file sharing function.
File Sharing Access Instance (3)

File sharing resource list displayed on the client.
File Sharing Access Instance (4)

Click a resource on the file sharing list. Enter the user name, password, and domain. Submit the information to the file server for authentication.
File Sharing Access Instance (5)

List of resources in the shared folder.
Port Forwarding

The port forwarding function provides various TCP application services on the intranet.

- Supporting TCP applications over the static ports
  - Single-port single-server (Telnet, SSH, MS RDP, and VNC)
  - Single-port multi-server (Lotus Notes)
  - Multi-port multi-server (Outlook)
- Supporting TCP applications over the dynamic ports
  - Dynamic port (FTP passive mode, Oracle)
- Providing port access control
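The resource categories and port-level access control listed on this slide and on the earlier Port Forwarding slide, as an added example that is not SVN3000 code; the hosts, ports, resource names and users are constructed, and the FTP passive-mode handling follows the standard `227 Entering Passive Mode` reply format.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample values throughout (not from the slides).


@dataclass(frozen=True)
class Resource:
    name: str
    servers: frozenset                                # intranet servers the resource reaches
    ports: frozenset                                  # static TCP ports
    dynamic_range: Optional[Tuple[int, int]] = None   # negotiated-port range for dynamic-port apps

    def covers(self, host: str, port: int) -> bool:
        if host not in self.servers:
            return False
        if port in self.ports:
            return True
        return self.dynamic_range is not None and self.dynamic_range[0] <= port <= self.dynamic_range[1]


RESOURCES = {
    # single-port single-server
    "telnet-core": Resource("telnet-core", frozenset({"10.1.1.10"}), frozenset({23})),
    # single-port multi-server (Lotus Notes: one port on several Domino servers)
    "notes": Resource("notes", frozenset({"10.1.2.11", "10.1.2.12"}), frozenset({1352})),
    # multi-port multi-server (Outlook against several Exchange servers)
    "outlook": Resource("outlook", frozenset({"10.1.3.21", "10.1.3.22"}), frozenset({135, 593})),
    # dynamic ports: FTP passive mode, control port plus a negotiated data-port range
    "ftp": Resource("ftp", frozenset({"10.1.4.30"}), frozenset({21}), dynamic_range=(50000, 50100)),
}

# Port-level access control: which resources each authenticated user may use
USER_RESOURCES = {
    "alice": {"telnet-core", "notes", "ftp"},
    "bob": {"outlook"},
}

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def forwarding_decision(user: str, host: str, port: int) -> Optional[str]:
    """Name of the resource that permits forwarding user -> host:port, or None if denied."""
    for name in sorted(USER_RESOURCES.get(user, ())):
        if RESOURCES[name].covers(host, port):
            return name
    return None


def learn_passive_port(reply: str) -> Optional[Tuple[str, int]]:
    """Parse an FTP '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (host, port)."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def passive_data_decision(user: str, control_host: str, reply: str) -> Optional[str]:
    """Decide whether the data connection announced by a PASV reply may be forwarded.

    The announced host must be the server the control channel was opened to
    (a reply pointing elsewhere is refused), and the port must lie inside the
    resource's configured dynamic range.
    """
    learned = learn_passive_port(reply)
    if learned is None:
        return None
    host, port = learned
    if host != control_host:
        return None
    name = forwarding_decision(user, host, port)
    if name is None:
        return None
    low, high = RESOURCES[name].dynamic_range or (0, -1)
    return name if low <= port <= high else None


if __name__ == "__main__":
    print(forwarding_decision("alice", "10.1.1.10", 23))
    print(passive_data_decision("alice", "10.1.4.30", "227 Entering Passive Mode (10,1,4,30,195,80)"))
```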
Port Forwarding Application Instance (1)

On the Virtual Gateway List navigation tree, click Port Forwarding to enter the configuration interface.
Port Forwarding Application Instance (2)

Configure the port forwarding resources.
Enable the port forwarding function.
Port Forwarding Application Instance (3)

Click Start to enable the port forwarding function.
Port Forwarding Application Instance (4)

Access the configured resources using the port forwarding function, for example, Telnet.
Network Extension Access Instance (1)

Configure the IP address allocation mode and client routing mode.
Enable the network extension function.
Network Extension Access Instance (2)

Click the button to start the network extension function.
Network Extension Access Instance (3)

After the ActiveX control is installed, log in to the SVN3000 again on the remote client. The client is allocated a virtual IP address of the intranet and functions as a device on the LAN.

Note: During the operation, do not close this window. Otherwise, the network extension function is disabled.
Network Extension Access Instance (4)

Application instance: FTP.
Application instance: Log in to the remote desktop and browse the video files on the intranet.
Login Interface of Network Extension Client

The network extension can be implemented by installing the dedicated client software. You can download the software from the SVN3000 interface. The software requires only a one-off installation and no configuration. You can directly enable the network extension function using the network extension client software.
VPNDB Application Instance (1)

Click VPNDB Configuration to enter the configuration interface.
VPNDB Application Instance (2)

Click Add in User Information Management to enter the configuration interface.
Objectives

Upon completion of this course, you will understand:
- Terminal security
- Components and deployment of the TSM system
- Organization management and access control modes of the TSM system
- Configuration of security policies for the TSM system
Contents

1. Overview of Terminal Security
2. Deployment of the TSM System
3. Deployment of Terminal Security Policies
Most Threats Come from Intranets

[...] lists 14 security threats that should not be ignored in enterprises.

According to the Computer Security Institute (CSI) in San Francisco, California, the United States, about 60% to 80% of network misuse events come from intranets.

Figure: File Server, Mail Server, Web Server
Crises Surrounding Enterprises Terminals

Failures to prevent disclosures
- Unauthorized access
- Intentional disclosure
- Unintentional disclosure

Difficulty in implementing conduct codes
- Do things irrelevant to work at working hours
- Access resources not related to work
- Misuse of network resources

Endless terminal exceptions
- Slow computer speed
- Network or software exception
- Frequent system crashes
- Unexpected network threats
- Slow network speed
- Service interruption
- Too many problems to monitor
- Service exception
What Is Terminal Security?

Software terminal security:
- Patch management
- Personal firewall software
- Antivirus software

3-D defense: Access control + desktop management + security management
Contents

1. Overview of Terminal Security
2. Deployment of the TSM System
3. Deployment of Terminal Security Policies
Overview of the TSM System Architecture

- Composition of the TSM system
- Access mode of terminals
- TSM domains

Figure: Pre-authentication domain (SM, SC, SC); Post-authentication domain (File server, Mail server, OA server); Isolation domain (AV server, Patch server, Repair server); SACG; 802.1X switch and common switch; terminals running the Web Agent or the Agent: guests, users of an enterprise, manager of an enterprise
Centralized Deployment

Figure: SA terminals at the branch reach, over the Internet and a VPN gateway, the SACG at the headquarters; the TSM server sits in the pre-authentication domain together with the AV server; post-authentication domains 1, 2 and 3 lie behind the SACG
Distributed Deployment

Figure: SM on the core resource server at the headquarters; branch SA terminals and an SC reach the intranet over the Internet and a border router; the pre-authentication domain holds the antivirus server and AD domain server; each of Office A and Office B has its own SC and SACGs with SA terminals behind them; the post-authentication domain sits behind the SACGs
Access Control of the SACG

Hardware SACG.

Domains:
- Post-authentication domain: sensitive resources, public resources
- Pre-authentication domain: TSM server, AV server, ...
- Isolation domain

Finance department: No TSM Agent is installed for new employees.
Marketing department: Agents are installed.

Admission flow:
- URL redirection: the SACG provides the Web pushing function for Agent installation.
- Identity authentication: user name + password, MAC.
- Security check: Is the antivirus software running? Is the virus database updated? Are the OS, Office and Internet Explorer patches installed? Is any illegitimate software installed? ...
- Repair: upgrade the antivirus software; update the virus database; download patches automatically; ...
- Switchover to the post-authentication domain: The TSM notifies the SACG of sending ACL rules and switching to the post-authentication domain.
Access Control of Host Firewall

Access control of the host firewall:
- Trusted domain 1: Pre-authentication domain
- Trusted domain 2: Post-authentication domain (market department network resources)
- Isolation domain: AV server, Patch server
- External untrusted terminals cannot access trusted terminals. Access to the restricted network domain is not allowed.

Admission flow:
- Identity authentication: user name + password, MAC, LDAP.
- Security policy check: Is the antivirus software running? Is the virus database updated? Are the OS, Office, IE, and database patches installed? Is any illegal software installed? ... Automatic security repair.
- Switch to the post-authentication domain: The TSM specifies an access policy to control the trusted domain and post-authentication domain that a terminal can access.
802.1X Access Control

Domains: Post-authentication domain (sensitive resources); Isolation domain (AV server, Patch server, TSM server); Pre-authentication domain. Terminal 1 and Terminal 2 connect to the 802.1X switch.

Ports on an insecure terminal are disabled and neighbor terminals cannot be accessed through these ports.

Admission flow:
- 802.1x authentication: user name + password, MAC, LDAP.
- Security policy check: Is the antivirus software running? Is the virus database updated? Are the OS, Office, IE, and ... patches installed? ... Automatic security repair.
- Dynamically switch a VLAN: The switch dynamically switches the VLAN to control the post-authentication domain that a terminal can access.
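The admission decision shared by the SACG, host firewall and 802.1X slides (identity authentication, security check, isolation-domain repair, switch to the post-authentication domain), as an added model that is not TSM code; the account, MAC address, check questions and enforcement wording are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data (not from the slides).


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


ACCOUNTS = {  # username -> (password hash, registered MAC address)
    "alice": (_pw_hash("correct horse battery"), "00:11:22:33:44:55"),
}


@dataclass
class Posture:
    """Answers to the security-check questions on the slides."""
    antivirus_running: bool
    virus_db_updated: bool
    patches_installed: bool                 # OS, Office, IE and database patches
    illegal_software: Tuple[str, ...] = ()


def authenticate(username: str, password: str, mac: str) -> bool:
    """Identity authentication: user name + password, plus MAC binding."""
    record = ACCOUNTS.get(username)
    if record is None:
        return False
    stored_hash, known_mac = record
    return hmac.compare_digest(stored_hash, _pw_hash(password)) and mac.lower() == known_mac.lower()


def security_check(posture: Posture) -> List[str]:
    """Repairs the isolation domain must carry out; an empty list means compliant."""
    repairs = []
    if not posture.antivirus_running:
        repairs.append("start the antivirus software")
    if not posture.virus_db_updated:
        repairs.append("update the virus database")
    if not posture.patches_installed:
        repairs.append("download patches automatically")
    for name in posture.illegal_software:
        repairs.append(f"remove illegal software: {name}")
    return repairs


def enforcement_action(enforcer: str, domain: str) -> str:
    """How each enforcement point places the terminal into a domain (constructed wording)."""
    if enforcer == "sacg":
        return f"TSM notifies the SACG to push ACL rules for the {domain} domain"
    if enforcer == "host_firewall":
        return f"TSM sends the host firewall an access policy for the {domain} domain"
    if enforcer == "802.1x":
        return f"switch moves the port to the VLAN of the {domain} domain"
    raise ValueError(f"unknown enforcement point: {enforcer}")


def admit(enforcer: str, username: str, password: str, mac: str,
          posture: Posture) -> Tuple[str, List[str], str]:
    """Run the admission flow: returns (domain, repairs, enforcement action)."""
    if not authenticate(username, password, mac):
        # Unauthenticated terminals stay in the pre-authentication domain,
        # where only the TSM and AV servers are reachable.
        return "pre-authentication", [], enforcement_action(enforcer, "pre-authentication")
    repairs = security_check(posture)
    # Any failed check sends the terminal to the isolation domain for repair;
    # a compliant terminal is switched to the post-authentication domain.
    domain = "isolation" if repairs else "post-authentication"
    return domain, repairs, enforcement_action(enforcer, domain)


if __name__ == "__main__":
    print(admit("sacg", "alice", "correct horse battery", "00:11:22:33:44:55",
                Posture(True, False, True, ("p2p-client",))))
```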
Contents

1. Overview of Terminal Security
2. Deployment of the TSM System
3. Deployment of Terminal Security Policies
Major Functions of the TSM System

TSM: scalable and upgradeable policies and reporting service. Side labels: authority- and domain-based policy model; process-based, operable; operability report.

Access Control
- Guest management
- Exceptional device management
- Forced compliance evaluation
- Access range of authorized users
- Identity authentication: Anonymous/Local account; AD/Third-party LDAP; PKI/CA
- Compliance check: Security evaluation; System configuration check; Terminal online record; User access binding; One-key automatic repair; Time-based NAC

Security Management
- Security enhancement: Antivirus; Patch/service pack; Suspicious process/registry; Dangerous port/service; Software blacklist/whitelist; Illegal sharing/account; Illegal network configuration; ...
- Network protection: ARP protection; IP/MAC binding; IP access rules
- Office behavior management: Network access auditing; Media downloading; Non-office software; Traffic auditing; Control of malicious network programs; Customized security policies; Internet-intranet connection monitoring; Network identification
- Information disclosure prevention: Peripheral management; Portable storage management; Network access monitoring; Monitoring of illegal external connections; File operation auditing

Desktop Management
- Patch management: One-stop download and installation; Strong cooperation of the WSUS; Quick subnet distribution
- Asset management: Lifecycle management; Asset change alarm; Automatic IP device identification
- Software distribution
- Remote assistance
- Message announcement
Organization Management Function – Management Dimension I
Network Domain Management — Management Dimension II
Identity Authentication Function

- Ordinary user name + password authentication
- MAC account authentication
- AD account authentication
- LDAP authentication
- Support for USB key authentication
Security Policy — Checking a Shared Directory
Security Policy — Checking Printer Sharing
Security Policy — Monitoring USB Storage Devices
Security Policy — Monitoring Computer Peripherals
Security Policy — Checking Ports
Security Policy — Monitoring DHCP Settings
Security Policy — Checking Illegal External Connections
Security Policy — Checking Antivirus Software
Security Policy — Checking Patches
Summary

- Terminal security
- Components and deployment of the TSM system
- Organization management and access control modes of the TSM system
- Configuration of security policies for the TSM system
Questions

- What is the TSM? What terminal security problems can the TSM system resolve?
- What components does the TSM system consist of? What roles do the SM and SC play in the TSM system? Which component exchanges services with the SACG?
- What are the two management dimensions of the TSM system? What are the differences between them?
- What identity authentication modes does the TSM system support? What are the differences between them?
- What security policies does the TSM system involve? What problems do these security policies solve?
Answer
Thank you

www.huawei.com
Chapter 12 Introduction to Huawei Security Products

www.huawei.com
Objectives

Upon completion of this course, you will understand:
- USG series firewalls
- VPN gateway products
- Security software products
- SIG products
- NIP products
- Anti-DDoS solution
Contents

1. Huawei Security Products Overview
2. USG Series Products Overview
3. VPN Gateway Products Overview
4. Security Software Products Overview
5. SIG Products Overview
6. NIP Products Overview
7. Anti-DDoS Solution Overview
Security Products Overview

Ability center
- Spam database
- Application protocol category database (DPI)
- URL category database
- Virus/Malware signature database
- Intrusion/Vulnerability signature database
- Reputation evaluation

Emergent security fault response center
- Online upgrade platform
- Security consulting

Security management service center
- Security management services

Network and content security
- UTM
- Firewall
- Anti-DDoS solution
- SSL VPN
- Secure routing gateway (USG2000BSR/HSR, USG5000BSR/HSR)
- IDS
- Mgmt Center

Terminal security management software
- TSM

Security management
- Terminal Security Mgmt
- Document Security Mgmt
- Log Mgmt and Audit
- Unified Security Management
Contents

1. Huawei Security Products Overview
2. USG Series Products Overview
3. VPN Gateway Products Overview
4. Security Software Products Overview
5. SIG Products Overview
6. NIP Products Overview
7. Anti-DDoS Solution Overview
Huawei USG Series Products

Models, from the smallest to the largest deployments: USG2110; USG2130, USG2130W; USG2160, USG2160W; USG2205; USG2210, USG2230; USG2250, USG2260; USG5120, USG5150.

Deployment positions: remote site, small branch, office, large branch, small enterprise headquarters, enterprise headquarters.
USG2110 Fixed Model

- 2WAN+8FE (desktop model)
- Fixed configuration
- Performance
  - Firewall throughput (large packets): 150 Mbit/s
  - Number of concurrent connections: 100,000
- Features
  - Basic firewall/VPN functions
  - PPPoA/DDNS/TR069
- SOHO users (1U to 20U)

Model      Description
USG2110-F  2FE+8FE, 1USB, power supply
USG5150

- 4GE Combo (chassis model)
- 4MIC+2FIC+4DFIC expansion slot
- FE/GE/Serial/E1/ADSL2+/G.SHDSL/3G/WiFi
- Multi-service open platform (X86)
- Complete UTM features (license control)
  - IPS/Antivirus/Anti-spam/URL filtering
- IPv6 support
- VPN functions
  - L2TP/SSL/IPSec/MPLS/GRE
- Performance
  - Firewall throughput (large packets): 4000 Mbit/s
  - Number of concurrent connections: 2 million
- 1+1 redundant power supply
- Medium-sized enterprise users (800U to 1000U)

Model       Description
USG5150     4GE Combo, 2USB, 4MIC+2FIC+4DFIC
USG5150-DC  4GE Combo, 2USB, 4MIC+2FIC+4DFIC, DC power supply
e n

Application Scenario of Enterprise Security Protection

(Network diagram; recoverable labels)
Devices: USG5150, USG5120, USG2200, USG2100
Sites: enterprise headquarters, enterprise partner, regional office, enterprise branch, remote site
Sites are interconnected over the Internet through VPNs

Application Scenario of Enterprise VPN Access

(Network diagram; recoverable labels)
Enterprise headquarters: USG5150
Branch devices: USG2210, USG2130, USG2230, attached over ADSL, E1 and FE links
IPSec VPN tunnels across the Internet to the headquarters

Functions of the SVN3000

SVN3000 secure access gateway (function diagram; recoverable labels)
  Advanced Web proxy
  Virtual gateway
  File sharing
  Port proxy
  Network expansion
  User security control
  Complete logging functions
  Reliability

Carrier-Class Hardware Platform of the SVN3000

Item                     SVN3000
Ports                    Fixed ports: 3 x 10/100/1000M combo ports
Power supply             Dual power supply; AC: 100 V to 240 V, 50/60 Hz; DC: –48 V to –60 V
Dimensions (H x W x D)   1U: 44.45 mm x 436 mm x 420 mm, for 19-inch cabinets
Fans                     7 built-in fans

Front Panel of the SVN3000

Port      Rate           Type (Optical/Electrical)
PORT0     10/100/1000M   RJ45/SFP combo
PORT1     10/100/1000M   RJ45/SFP combo
PORT2     10/100/1000M   RJ45/SFP combo
console   9,600 bit/s    RJ45

Indicator   Meaning
PWR0        PWR0 state
PWR1        PWR1 state
SYS         System state
ACT         Active/Standby state

Rear Panel of the SVN3000

(Two panel photographs, not recovered)
Rear panel of the SVN3000 AC model
Rear panel of the SVN3000 DC model

Typical Networking of the SVN3000

(Network diagram; recoverable labels)
Residential building, Hotel, File server, Web server, Mail server, SMC, NMS

Secospace TSM overview (slide only partially recovered)
  ... distribution, and patch management
  Key performance:
  Supporting mainstream Windows ...

Functions of the TSM

TSM function areas: Security Access Control; Security Policy Check; User Behavior Audit; Patch Management; Software Distribution; Asset Management; Anti-virus

(Function grid; recoverable items)
  PC peripheral check
  Host firewall-based access control mode
  Illegitimate external connection check
  AD/LDAP/CA authentication
  Agent client; Non-Agent IE controller
  ARP protection
  One-click recovery
  Host security policy check covering registries, running of executable files, shared file and printer check, and process and service monitoring
  Integrity check
  USB device monitoring
  Network traffic monitoring
  IE monitoring
  Detailed status reports
  Operating system, IE, and Office patch check
  Patch task management
  Efficient patch distribution based on patent technologies
  Patch filtering
  Patch statistics and reports
  User-defined distribution management
  Resumable download
  Intelligent distribution
  Bulletin and remote assistance
  Asset statistics
  Software license management
  Asset change monitoring
  Server platform

TSM Deployment Topology

• TSM management center (TMC, optional)
• Security Manager (SM)
• Security Controller (SC)
• Security Access Control Gateway (SACG)
• Security Agent (SA)

(Topology diagram; recoverable labels)
Upper-level system administrator, TMC, WAN
Management domain node 1 ... management domain node n (Province A, Province B), each with: SM, SC, Post-authentication domain, Patch server, Core Network, SACG, File repair server, Isolation domain

Document Security Management (DSM) System Overview

Product positioning:
  Enterprise document security solution
Application scenarios:
  Preventing unauthorized document use by employees
  Preventing information disclosure through documents spreading
  Auditing document use
Key performance:
  Single server supporting up to 20,000 ...
  ... controllable), full control, and offline ...
Product features:
  Dynamic encryption and decryption combining the application and driver layers, real-time permission management, centralized key management, complete log auditing, centralized and distributed deployment; high-availability, high-performance, and scalable architecture to provide a unified and powerful document security management platform

(Feature diagram; recoverable labels)
Secospace DSM: Powerful dynamic encryption and decryption technologies; Real-time document permission control; Group policy and permission template management

DSM Deployment

(Feature diagram; recoverable labels)
Secospace DSM
  Document permission management: Powerful dynamic encryption and decryption technologies; Real-time document permission control; Group policy and permission template
  User management: Account and department management; User roaming; Cross-system authorization
  Log auditing: Web client login logs; Document operation logs

DSM Deployment Topology

DSM management center (DMC)
DSM server (DS)
DSM client (DC)

(Topology diagram; recoverable labels)
System administrator, DMC, Core network
DSM management node DS1 (Province A) and DSM management node DS2 (Province B), each serving DSM clients (DC)

Functions of the eLog Log Management System

NAT log management
  NAT logs of firewalls, routers, and BRAS devices
  Translation of source IP addresses, source ports, destination IP addresses, destination ports, and protocol type
Network traffic auditing
  Working with the UTM device to provide an intuitive view of the basic traffic, application traffic, interface traffic, and P2P traffic in the form of reports
  Displaying multi-dimensional statistics of intrusion prevention system (IPS), mail filtering, virus detection, URL auditing, instant messaging (IM), and defense services; and printing the statistics in the form of reports
Database and operating system auditing
  Audit the database through the off-line deployment of the behavior auditing probe
  Audit the operating system by collecting system logs
Application-layer protocol (FTP/Telnet/HTTP) translation, behavior monitoring, and restoration
  Through the behavior auditing probe
Unified log management platform for network resources
  Network devices, security devices, hosts, Web servers, and application systems
Rich alarm management functions
  Alarming by means of mail, short message, alarm box, and audible and visual alarms
  Alarm monitoring and alarm statistics

Overview of the Versatile Security Management (VSM) System

Product positioning:
  Sold along with security products as a total solution for Chinese and overseas industrial customers; deployed with the U2000 component on the SP network
Application scenarios:
  Unified management of switches, routers, and security products
TMN standard framework:
  Service management layer
  Network management layer
  Network element (NE) management layer
Communication modes:
  SNMP, SFTP, and SSH
Product features:
  C/S architecture, in-band networking or out-of-band networking, topology management, NE management, performance management, centralized policy configuration management, fault management, and VPN management for Eudemon/USG/SIG full series security devices and mainstream network devices; intuitive network topology view to help administrators quickly locate network faults, improve management, increase work efficiency, and reduce maintenance cost, providing an efficient management platform of all devices on the network

(Architecture diagram; recoverable labels)
Console, Management server, Collection server

Functions of the VSM

Unified management platform for network and security devices

(Function grid; recoverable items)
NE management: Topology management; Device management; Board management; Interface management; Routing and switching devices; Web configuration
Fault management: Alarm browsing and statistics; Alarm monitoring, confirmation and synchronization; Correlation rule; Alarm screening; Remote notification; Alarm dumping
Performance management: Performance monitoring; Real-time performance statistics; Single-point
Policy configuration: Security policy; Virtual firewall management; Anti-attack; L2TP VPN policy; IPSec VPN policy
Northbound interface: SNMP; CORBA; FTP; XML; TEXT

Complete self management capabilities of the system

VSM Deployment Topology

(Topology diagram; recoverable labels)
Enterprise headquarters: Security policy center (VSM), SIG, NIP intrusion detection, USG firewall, Secospace TSM, SACG gateway, Switch, Router, Intranet (TSM Agent), Data center, DMZ
Branch: USG firewall, SSL/IPSec VPN
Partner: USG firewall, IPSec VPN
Mobile user: SSL/IPSec VPN
Internet

Service Inspection Gateway (SIG)

The SIG is delivered by Huawei to help customers add to and maintain the value of their MAN services. It provides functions such as service traffic flow analysis, VoIP service monitoring, P2P service monitoring, shared access monitoring, abnormal traffic (such as DDoS traffic) monitoring, user behavior analysis, and intelligent Web pushing.

Service awareness
  Understanding traffic composition, distribution, and trend as basis for network planning
  Monitoring network applications and exploring new service growth points
Flow control
  Controlling P2P traffic to release bandwidth and reduce ...
Security operation management
  Preventing illegitimate Internet connections by illegitimate Internet cafes and small enterprises, to help operators increase broadband service revenues
  Restricting illegitimate VoIP
  DDoS attack monitoring to provide secure broadband networks
Value-added service operation
  Statistics of the most interested websites of users, user classification by interest, and top N websites
  Interest-based intelligent advertisement pushing and instant analysis

(Function wheel diagram; recoverable labels)
Traffic flow, P2P, Security, Web pushing, Illegitimate VoIP, Behavior analysis

SIG9280E/1000E High-Integrity 10G Off-line DPI Device

Model                                SIG1000E                              SIG9280E
Appearance                           Rackmount, 5U                         Rackmount, 14U
Type of extended interface cards     10G POS, 10GE, 4 x 2.5G POS, 8 x GE   10G POS, 10GE, 4 x 2.5G POS, 8 x GE
Number of extended interface cards   4                                     12
Extended service boards              4 x service board, 2 x ...            12 x service board, 2 x ...

(Feature diagram; recoverable labels)
High density: 12 x 10G access
High availability: Key component redundancy
High scalability: 12 x service board
High flexibility: 2.5G/10G POS

NIP200 and NIP1000 (slide only partially recovered)

  ... concurrent users
  NIP1000: 1 Gbit/s throughput, 1 million concurrent users
Hardware specifications:
  NIP200: 3 x GE electrical port
  NIP1000: 2 x GE electrical port + 2 x GE optical port
Product features:
  Special application-layer accelerating engine and efficient algorithm for high-speed, efficient, and accurate detection
  Special virtual engine technology to provide all-in-one functions at lower cost
  Professional security anti-attack labs to adapt to the latest network attack prevention technologies in the world and maintain technical edges

(Product photographs; labels: NIP200, NIP1000)

Functions of the NIP IDS

Intrusion detection and analysis
  • Worm detection
  • Protocol decoding
  • IP fragment reassembly
  • Protocol filtering and false positive processing
Security event response
  • Alarming
  • Logging
  • Session disconnection
  • Program execution
  • Firewall interworking
System activity and status monitoring
  • Engine status monitoring
  • Server status monitoring
  • Email and MSN monitoring
  • Multi-port listening
  • Harmful website monitoring
Log management
  • Log query
  • Log storm processing
  • Log replication
Statistics
  • Intrusion statistics
  • Traffic statistics

NIP IDS Deployment Topology

(Topology diagram; recoverable labels)
Intranet, Switch, Firewall, Router, Internet
NIP console, NIP engine

Overview of the Anti-DDoS Solution

Solution positioning:
  Professional anti-DDoS solution
Application scenarios:
  DMZ service protection for customers in the following industries:
    Banks and securities
    Government (public security, HR, and statistics departments)
    Portal websites
    Other industries with DMZ services as the key services
Components:
  Detection center device and cleaning device: ADG 5320-I, ADG 5320-D (ADG 5320 series)
  Management center: VSM

(Solution diagram; recoverable labels)
ADG 5320, Policy control, Network egress, Network access
Anti-DDoS solution interworking: Device management interworking, Policy management, Reporting
Detection center (professional traffic detection), Cleaning center (professional traffic cleaning)

Summary

USG series firewalls
VPN gateway products
Security software products
SIG products
NIP products
Anti-DDoS solution

Questions

What security products can Huawei deliver?
What main software security products can Huawei provide?
What are the characteristics or modes of Huawei security products deployment?
What problems can Huawei security products resolve?

Thank you

www.huawei.com