Huawei Certification

HCNA-CBSN

Constructing Basic Security Network


Huawei Technologies Co., Ltd.

2013-2-27


Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

[Huawei logo] and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Certification


HCNA-CBSN Constructing Basic Security Network Version 1.0


Huawei Certification System

Relying on its strong technical and professional training system, and according to the needs of different customers at different levels of ICT technology, Huawei certification is committed to providing customers with authentic, professional certification. Based on the characteristics of ICT technologies and customers' needs at different levels, Huawei certification provides customers with a certification system of four levels.

HCNA-Security (Huawei Certification Datacom Associate-Security) is primarily for network security maintenance engineers, and any others who want to learn network security knowledge. HCNA-Security certification covers the Network Security Overview, Basic Firewall Technology, Firewall Packet Filtering Technology, Network Address Translation Technology, Firewall Networking Technology, (L2TP, GRE, IPSEC, SSL) VPN Technology, and Terminal Security.

HCNP-Security (Huawei Certified Network Professional-Security) is aimed at enterprise-class network security maintenance engineers, professional engineers, and those who would like to learn further about Border Security Network Professional, Terminal Security Professional and Service Security Professional technology and deployment. HCNP-Security includes CISN (Constructing Infrastructure of Security Network), CTSS (Constructing Terminal Security System), and CSSN (Constructing Service Security Network). It covers advanced firewall technology (IP Car, IP-Link, Eth-Trunk, Link-Group, VFW, two-node cluster hot backup, IPSec VPN, L2TP over IPSEC VPN, DDOS), Terminal Security Technology (TSM, DSM and troubleshooting), and UTM (Anti Virus, IPS, Mail/Web/FTP Filtering, DPI and troubleshooting).

HCIE-Security (Huawei Certified Internetwork Expert-Security) aims at nurturing those who can master all kinds of firewall technology, who are professional at maintaining, programming, designing and optimizing large-scale networks, and who are good at diagnosing and troubleshooting security products.

Huawei Certification leads you to the industry, changes and makes you stand ahead of the ICT world.

Preface

Introduction

This book is for HCNA-Security certification training. It is suitable for Huawei Certified Network Security Engineers who are ready to participate in HCNA-Security exams. It is also suitable for the trainees who want to master the Huawei network security products and technologies.

Content

With a total of twelve modules, this book systematically introduces the Huawei firewall technology (packet filtering technology, NAT technology, Internet technology, GRE \ IPSEC \ L2TP \ SSL VPN), terminal security technology and its application, and common troubleshooting methods.

Module 1 introduces the network security overview in detail, mainly including the OSI model, the TCP/IP protocol principle, and TCP/IP protocol safety problems and common network attacks.

Module 2 introduces the basic firewall technology in detail, mainly including the definition, classification, main functions, technologies, forwarding data flow, and the basic configuration of the firewall.

Module 3 introduces the firewall packet filtering technology in detail, mainly including the principles, functions and classification of ACL, and the application scenarios and configuration methods of interface packet filtering technology and interzone packet filtering technology.

Module 4 introduces the network address translation technology in detail, mainly including the technology principle, application scenarios and configuration of NAT.

Module 5 introduces the firewall networking technology in detail, mainly including the VLAN basic technology, SA and E1 interface technology, ADSL basic technology, and WLAN and 3G wireless technology.

Module 6 introduces the VPN technology in detail, mainly including the concept, key technology, classification and application of VPN.

Module 7 introduces the L2TP VPN technology in detail, mainly including VPDN scenarios, the L2TP basic principle, application scenarios of Client-Initialized and NAS-Initialized L2TP, and L2TP configuration.

Module 8 introduces the GRE VPN technology in detail, mainly including the basic principle and implementation principle, security mechanism, typical scenarios and configuration of GRE VPN.

Module 9 introduces the IPSEC VPN technology in detail, mainly including the basic principle, application scenarios and configuration of IPSEC technology, an introduction to the security protocols AH and ESP, and the business flow of the IKE protocol.

Module 10 introduces the SSL VPN technology in detail, mainly including the technology principle, configuration method, and basic functions and characteristics of SSL VPN.

Module 11 introduces the SSL VPN technology in detail, mainly including the terminal security definition, TSM system components and deployment, TSM system organization of TSM system security management, the accurate control method, and configuration policies.

Module 12 introduces the Huawei security products in detail, mainly including Huawei USG series firewalls, VPN gateways, security software products, SIG products, NIP products, and DDOS solutions.

This book will guide the students to accomplish all modules. After finishing the course, the students will master basic planning, installation and deployment abilities of USG series firewalls and TSM products, which enable them to be network security engineers or system administrators.

Prerequisites

This is a basic course of Huawei certification. It requires the readers to meet one of the following basic conditions: (1) familiar with the basic knowledge of data communication networks; (2) have a certain amount of network equipment networking experience.

Icons Used in This Book

Router
Switch
Eudemon
SVN
Web Server
PC
Server
Branch
Network Maintenance
Mobile Office
Business Resources
Email Server
DHCP Server
ADSL
Other Network


Table of Contents

HCNA-Security V1.0 CBSN Chapter 1 Network Security Overview ........ Page 11
  Section1 OSI Model Introduction ........ Page 15
  Section2 TCP/IP Introduction ........ Page 22
  Section3 TCP/IP Security Issues ........ Page 37
  Section4 Common Network Attacks ........ Page 43

HCNA-Security V1.0 CBSN Chapter 2 Basic Firewall Technology ........ Page 51
  Section1 Firewall Overview ........ Page 55
  Section2 Firewall Working Modes ........ Page 66
  Section3 Firewall Security Zones ........ Page 71
  Section4 Firewall Functions ........ Page 75
  Section5 Basic Firewall Configuration ........ Page 98

HCNA-Security V1.0 CBSN Chapter 3 Firewall Packet Filtering Technology ........ Page 123
  Section1 ACL Overview ........ Page 127
  Section2 Interface-based Packet Filtering ........ Page 132
  Section3 Interzone Packet Filtering ........ Page 153
  Section4 Application Analysis of Packet Filtering ........ Page 165

HCNA-Security V1.0 CBSN Chapter 4 Network Address Translation Technology ........ Page 185
  Section1 Introduction to Network Address Translation Technology ........ Page 189
  Section2 NAT Technology Based on the Source IP Address ........ Page 196
  Section3 NAT Technology Based on the Destination IP Address ........ Page 205
  Section4 Bidirectional NAT Technology ........ Page 212
  Section5 NAT Application Scenario Configuration ........ Page 217

HCNA-Security V1.0 CBSN Chapter 5 Firewall Networking ........ Page 229
  Section1 VLAN Feature Technology ........ Page 233
  Section2 SA and E1 Feature Technology ........ Page 242
  Section3 ADSL Feature Technology ........ Page 256
  Section4 WLAN Feature Technology ........ Page 268
  Section5 3G Feature Technology ........ Page 277

HCNA-Security V1.0 CBSN Chapter 6 VPN Overview ........ Page 291
  Section1 VPN Introduction ........ Page 295
  Section2 VPN Technologies ........ Page 297
  Section3 VPN Types ........ Page 334

HCNA-Security V1.0 CBSN Chapter 7 L2TP VPN ........ Page 343
  Section1 VPDN Overview ........ Page 347
  Section2 L2TP VPN Technology ........ Page 350
  Section3 Client-Initialized L2TP ........ Page 362
  Section4 NAS-Initialized L2TP ........ Page 370

HCNA-Security V1.0 CBSN Chapter 8 GRE VPN ........ Page 391
  Section1 GRE VPN Overview ........ Page 395
  Section2 GRE VPN Technology ........ Page 399
  Section3 Analyzing the Application Scenarios of GRE VPN ........ Page 406

HCNA-Security V1.0 CBSN Chapter 9 IPSec VPN ........ Page 421
  Section1 IPSec VPN Overview ........ Page 425
  Section2 IPSec VPN Architecture ........ Page 429
  Section3 AH Technology ........ Page 436
  Section4 ESP Technology ........ Page 439
  Section5 IKE Technology ........ Page 443
  Section6 IPSec VPN Application Scenarios ........ Page 463

HCNA-Security V1.0 CBSN Chapter 10 SSL VPN ........ Page 481
  Section1 SSL VPN Overview ........ Page 485
  Section2 SSL VPN Technology ........ Page 490
  Section3 SSL VPN Security Policy ........ Page 516
  Section4 SSL VPN Application Scenario ........ Page 521

HCNA-Security V1.0 CBSN Chapter 11 Terminal Security ........ Page 553
  Section1 Overview of Terminal Security ........ Page 557
  Section2 Deployment of the TSM System ........ Page 562
  Section3 Deployment of Terminal Security Policies ........ Page 570

HCNA-Security V1.0 CBSN Chapter 12 Introduction to Huawei Security Products ........ Page 589
  Section1 Huawei Security Products Overview ........ Page 593
  Section2 USG Series Products Overview ........ Page 595
  Section3 VPN Gateway Products Overview ........ Page 604
  Section4 Security Software Products Overview ........ Page 610
  Section5 SIG Products Overview ........ Page 624
  Section6 NIP Products Overview ........ Page 628
  Section7 Anti-DDoS Solution Overview ........ Page 634

HCNA-Security V1.0 CBSN Chapter 1 Network Security Overview

OSI is short for the Open System Interconnect reference model. The OSI model aims to become an open network interconnect model to overcome interconnect difficulty and raise efficiency.

OSI model strengths:

Simplifies related network operations.
Provides plug-and-play compatibility and standard interfaces between devices of different vendors.
Enables each vendor to design interoperable network devices, speeding up datacom network development.
Breaks down complex network problems into simple problems to facilitate learning and operation.
Enables the network in each region to be rapidly and independently upgraded, to protect the network in a region against the influence of network changes in another region.

The OSI model soon became the basic model for computer network communication, observing the following design rules:

Each layer implements a specific function without affecting the others.
Each layer serves its upper layer and is served by its lower layer.
There is a clear edge between layers for easy understanding.
Layer division helps define the international standard protocol.
The number of layers should be enough to prevent different layers from having the same function.

In the OSI model, data at each peer layer is named a protocol data unit (PDU). The data at the application layer is called an application protocol data unit (APDU), while the data at the presentation layer is named a presentation protocol data unit (PPDU). The data at the session layer is named a session protocol data unit (SPDU). Generally, the data at the transport layer is called a segment; the data at the network layer is called a packet; the data at the data link layer is called a frame; and the data at the physical layer is called a bit.

Encapsulation means that a network node packetizes the data to be transmitted with a specific protocol head, and at some layers also refers to adding a tail at the end of the data for processing. Each layer in the OSI model encapsulates data to ensure that data properly reaches the destination, and is received and executed by the terminal host.

The physical layer involves the original bit streams transmitted over channels. The physical layer is the basis of the OSI model, providing the mechanical, electrical, and functional features required by data transmission. The physical layer does not care about the meaning of each bit stream (0,1), but cares about how to transmit bit streams to the peer end over different physical links. In other words, the physical layer cares about signals, for example, amplifying signals to transmit them to farther places, but does not care about whether each bit stream represents an address or a piece of application data. The typical devices are relay devices and hubs.

The data link layer sets up data links between adjacent nodes on the basis of the bit stream service provided by the physical layer. The data link layer aims to control the physical layer, and detect and correct possible errors to create an error-free link for the network layer. In addition, the data link layer monitors traffic. (This feature is optional. Traffic can be monitored by the data link layer or the transport layer.)

The network layer checks the network topology to determine the best route for packet transmission and forwarding. The key is to determine how to select routes for the packets from the source to the destination. Devices at the network layer figure out the best route to destinations by using the routing protocol and find out the next network devices to which packets should be forwarded. Then, devices use the protocol at the network layer to encapsulate packets and send data to the next network devices based on the service provided by the lower layer.

The transport layer is the fourth layer of the OSI model, with the final aim of delivering effective and reliable services to users (which generally refer to processes at the application layer).

At the session layer and its upper layers, the data transmission unit is called a packet. The session layer does not participate in transmission, but offers a mechanism including access verification and session management for enabling and maintaining inter-application communication. For example, the session layer enables servers to verify user logins.

The presentation layer solves the syntax presentation of user information. It converts data from the abstract syntax suitable for a user into the transmission syntax suitable for internal use in the OSI. In other words, the presentation layer provides formatted presentation and data conversion services, compresses/decompresses data and encrypts/decrypts data. For example, image format display is supported by the protocol at the presentation layer.

The application layer provides an interface to operating systems or network applications for accessing network services.

Process for data stream processing at the network layer:

When a host application on a network needs to send a packet to a destination on another network, one interface of a router on the same network as the host receives the frame. The data link layer of the router checks the frame, determines the type of data carried at the network layer, removes the frame head of the data link layer, and sends the data to the corresponding network layer.

The network layer checks the packet head to determine the network segment of the destination, and then obtains the corresponding output interface by searching the routing table.

The data link layer of the output interface adds the frame head of the data link layer to the packet, encapsulates the packet as a frame, and sends it to the next hop.

Forwarding of each packet follows this process. After reaching the network of the destination host, the packet is encapsulated as a frame at the data link layer of the destination network and sent to the corresponding target host. After the destination host receives the packet, the frame head of the data link layer is removed by the data link layer and the packet head of the network layer is removed by the network layer. Then, the packet is sent to the corresponding protocol module.


Due to its openness and ease-of-use features, TCP/IP is widely used and has become a standard protocol.

The difference between the TCP/IP model and the OSI model is that the presentation layer and session layer of TCP/IP fall under the application layer. Therefore, the TCP/IP model is divided into four layers from the bottom up: data link layer, network layer, transport layer, and application layer. In some documents, the TCP/IP model is divided into five layers, among which the physical layer is a separate layer.

The sender submits user data to the application for sending it to the destination. The data stream encapsulation procedure is as follows:

1. The user data is sent to the application layer first and added with application layer information.
2. After being processed by the application layer, the data is sent to the transport layer and added with transport layer information (for example, TCP or UDP, which identifies the transport layer protocol used by the application).
3. After being processed at the transport layer, the data is sent to the network layer and added with network layer information (such as the IP protocol).
4. After being processed at the network layer, the data is sent to the data link layer and added with data link layer information (such as Ethernet, 802.3, PPP, and HDLC). Then, the data is transmitted to the peer end as a bit stream. (In this process, processing manners vary with device types. In general, the switch acts at the data link layer, whereas the router works at the network layer. The user data is restored only when it reaches the destination.)

After reaching the destination, the user data is decapsulated. The procedure is as follows:

1. The packet is sent to the data link layer. After resolution, the data link layer information is removed and the network layer protocol is known, for example, the IP protocol.
2. After the network layer receives the packet, the network layer information is removed after resolution and the transport layer protocol is known, for example, TCP.
3. After the transport layer receives the packet, the transport layer information is removed after resolution and the application layer protocol is known, such as HTTP.
4. After the application layer receives the packet, the application layer information is removed after resolution. The finally displayed user data is the same as that sent by host A.
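The two procedures above (the router's network-layer forwarding step and the sender/receiver encapsulation chain) as one added example in Python; it is not code from the book, and the MAC addresses, IP addresses and routing table are constructed for illustration. Each header carries the identifier of the layer above it (EtherType, IP protocol number, destination port), and the router rewrites only the frame head while the IP packet and everything inside it pass through unchanged apart from TTL.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in s.split(":"))

def ip(s):
    """'10.0.0.1' -> 4 raw bytes."""
    return bytes(int(x) for x in s.split("."))

def encapsulate(app_data, proto, sport, dport, src_ip, dst_ip, src_mac, dst_mac):
    """Sender side: app data -> TCP/UDP segment -> IP packet -> Ethernet frame.
    Each header records which protocol sits above it (IP protocol number, EtherType)."""
    if proto == IPPROTO_UDP:
        # UDP header: src port, dst port, length, checksum (left 0 in this model)
        segment = struct.pack("!HHHH", sport, dport, 8 + len(app_data), 0) + app_data
    else:
        # Minimal 20-byte TCP header; data offset (5 words) is the top nibble of the 7th word
        segment = struct.pack("!HHIIHHHH", sport, dport, 0, 0, 5 << 12, 0, 0, 0) + app_data
    # IPv4 header: version/IHL, ToS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    packet = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, proto, 0,
                         ip(src_ip), ip(dst_ip)) + segment
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet

def decapsulate(frame):
    """Receiver side: strip one header per layer, letting each 'next protocol' field choose
    the next parser. Returns the (layer, next-protocol id) list seen and the user data."""
    layers = []
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers.append(("ethernet", ethertype))
    if ethertype != ETHERTYPE_IPV4:
        return layers, None
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4                       # header length in bytes
    total = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    layers.append(("ip", proto))
    segment = packet[ihl:total]
    dport = struct.unpack("!H", segment[2:4])[0]
    if proto == IPPROTO_UDP:
        layers.append(("udp", dport))
        return layers, segment[8:]
    if proto == IPPROTO_TCP:
        data_off = (struct.unpack("!H", segment[12:14])[0] >> 12) * 4
        layers.append(("tcp", dport))
        return layers, segment[data_off:]
    return layers, None

def route(dst_ip, table):
    """Longest-prefix match over a table of (prefix, prefix_len, out_iface, next_hop_mac)."""
    d = int.from_bytes(ip(dst_ip), "big")
    best = None
    for prefix, plen, iface, nh_mac in table:
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if d & mask == int.from_bytes(ip(prefix), "big") & mask and (best is None or plen > best[1]):
            best = (prefix, plen, iface, nh_mac)
    return best

def forward(frame, router_mac, table):
    """Router step from the text: drop the frame head, look only at the IP destination,
    and re-encapsulate with a fresh frame head for the next hop. Returns (new_frame, out_iface),
    or None when no route matches or the TTL would expire."""
    packet = frame[14:]
    hop = route(".".join(str(b) for b in packet[16:20]), table)
    if hop is None or packet[8] <= 1:
        return None
    packet = packet[:8] + bytes([packet[8] - 1]) + packet[9:]   # TTL-1 (checksum not recomputed here)
    return mac(hop[3]) + mac(router_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet, hop[2]

# Constructed sample routing table: a default route plus a directly reachable server segment.
SAMPLE_TABLE = [
    ("0.0.0.0", 0, "GE0/0/0", "00:00:5e:00:53:01"),
    ("192.168.1.0", 24, "GE0/0/1", "00:00:5e:00:53:10"),
]
```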

Each layer of the TCP/IP model has protocols for enabling network applications. Some of the protocols do not have their own specific layer. For example, ICMP, IGMP, ARP, and RARP fall under the network layer at which the IP protocol runs. However, in some scenarios, ICMP and IGMP fall under the upper layer of the IP protocol, while ARP and RARP fall under the lower layer of the IP protocol. Both the application layer and the transport layer provide end-to-end (E2E) service, while both the network layer and the data link layer offer segment-to-segment service.

Application layer

HTTP: It is used to access various pages on the www server.
FTP: It provides a path for file transmission, allowing data transmission from one host to another.
DNS: It enables conversion from host domain names to IP addresses.

Transport layer

TCP: It provides reliable connection-oriented communication service to applications, applying to the applications that require a response. Currently, many popular applications use TCP.
UDP: It provides connectionless communication without guaranteeing the reliability of packet transmission. It is suitable for transmitting a small amount of data. Reliability is guaranteed by the application layer.

Network layer

IP: The IP protocol and routing protocol work with each other to find out the best path to transmit packets to destinations. The IP protocol does not care about packet content, and provides connectionless and unreliable service.
ARP: It resolves known IP addresses into MAC addresses.
RARP: It resolves IP addresses when the data link layer address is known.
ICMP: It defines control and message transmission functions of the network layer.
IGMP: It is used to manage broadcast group members.

Data link layer

The data link layer is classified into two sublayers: the LLC and MAC sublayers.

A socket consists of a quintuple: source IP address, destination IP address, protocol, source port, and destination port. If the protocol is TCP, the value of protocol is 6. If the protocol is UDP, the value of protocol is 17.

Source port: The source port is numbered in ascending order from 1024. Some operating systems may use a greater number as the initial port number and assign port numbers in ascending order. Because the source port is unpredictable, the source port is not frequently involved in the ACL policy.

Destination port: In general, a commonly used application service has a standard port, for example, HTTP, FTP, and Telnet services. Some applications are not popular and their ports are generally defined by developers. In this case, registered service ports on one server are unique.

To provide external services, all application servers are required to register their ports in TCP/UDP during startup to respond to service requests. Through the quintuple, application servers can respond to any concurrent service requests and ensure that each link is unique to the system.
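An added Python example (not from the book) of the quintuple in use: a server that registers listening ports at startup and keeps one session per quintuple, beside a first-match ACL whose rules leave the unpredictable source port as a wildcard. The addresses, ports and the sample policy are constructed for illustration.

```python
from collections import namedtuple

IPPROTO_TCP, IPPROTO_UDP = 6, 17
ANY = None   # wildcard in an ACL rule field

# The quintuple the text describes: src IP, dst IP, protocol number, src port, dst port.
FiveTuple = namedtuple("FiveTuple", "src_ip dst_ip proto sport dport")

class Server:
    """A host whose services register (protocol, port) at startup and which keeps one
    session per quintuple, so concurrent requests from the same client stay distinct."""

    def __init__(self, ip):
        self.ip = ip
        self.listening = set()   # registered (proto, port) pairs
        self.sessions = {}       # FiveTuple -> session id

    def register(self, proto, port):
        self.listening.add((proto, port))

    def accept(self, pkt):
        """Return (session_id, is_new), or None when nothing listens on (proto, dport)."""
        if pkt.dst_ip != self.ip or (pkt.proto, pkt.dport) not in self.listening:
            return None
        if pkt not in self.sessions:
            self.sessions[pkt] = len(self.sessions) + 1
            return self.sessions[pkt], True
        return self.sessions[pkt], False

AclRule = namedtuple("AclRule", "action src_ip dst_ip proto sport dport")

def acl_match(pkt, rules, default="deny"):
    """First-match ACL over the same five fields. Rules normally leave sport as ANY, because the
    client picks it from the ephemeral range and a policy cannot know it in advance."""
    for rule in rules:
        pairs = zip(rule[1:], pkt)   # (src_ip, dst_ip, proto, sport, dport) in rule and packet
        if all(want is ANY or want == got for want, got in pairs):
            return rule.action
    return default

# Constructed sample policy: only TCP/80 to the web server 10.1.1.10 is permitted, from any
# source address and any source port; everything else hits the explicit deny.
SAMPLE_ACL = [
    AclRule("permit", ANY, "10.1.1.10", IPPROTO_TCP, ANY, 80),
    AclRule("deny", ANY, ANY, ANY, ANY, ANY),
]
```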

In the TCP/IP stack, protocols at the data link layer are at the lowest layer. Currently, protocols at the data link layer have two frame formats, the Ethernet and 802.3 frame formats, among which the Ethernet frame format is mainly used. The 802.3 frame format is more complex than the Ethernet frame format. Apart from the length field, the 802.3 frame format contains other fields. Both Ethernet and 802.3 frame formats require the same minimum length and the same maximum length.

Protocols at the data link layer are classified into LAN and WAN protocols. This document describes only one LAN protocol. For WAN protocols, refer to Internet documents. LAN protocols include Ethernet and token ring network protocols.

Protocols at the data link layer implement the following functions:

1. Coordinate data link parameters such as duplex and rate.
2. Encapsulate the frame head (a frame tail may also be encapsulated) of the sent packet. Identify the frame head of the received packet. Decapsulate the packet sent to the data link layer.
3. Most protocols at the data link layer support error detection, but do not support error correction. Error correction is generally provided by the protocols at the transport layer, for example TCP.

During data communication on the Ethernet, to send data to the destination host, the source host needs to know the IP and MAC addresses of the destination host for data encapsulation. However, during initial communication, the source host does not know the MAC address of the destination host. To complete communication, a technology for querying the MAC address of the destination host is required. ARP is such a protocol, which maps the IP addresses of destination hosts to the Ethernet MAC addresses of destination hosts.

ARP is classified into dynamic and static ARP.

Dynamic ARP means that ARP is dynamically implemented and automatically searches for the mapping from IP addresses to MAC addresses without the intervention of network administrators.

Static ARP means that there is a fixed mapping between IP and MAC addresses. Neither the IP nor the MAC address of a network device can be dynamically adjusted. Static ARP requires manual configuration of mapping entries.

During Ethernet data communication, source hosts need to encapsulate the MAC and IP addresses of destination hosts. After learning the IP addresses of the peer hosts, source hosts use ARP to request the MAC addresses of the peer hosts.

Process:

A source host sends an ARP request. In the encapsulated data, the source IP address field is the IP address of the source host, the source MAC address field is the MAC address of the source host, and the destination IP address field is the IP address of the destination host. The destination MAC address is encapsulated as FF-FF-FF-FF-FF-FF (the broadcast MAC address).

After receiving the ARP request, the switch broadcasts the packet, so all hosts in the network segment receive it. After receiving the packet, each host checks whether the destination IP address of the packet matches its own IP address. If yes, that host records the mapping between the MAC and IP addresses of the source host, encapsulates its own MAC address into an ARP reply, and sends the reply to the source host in unicast mode, which completes the process from ARP request to response. If the destination IP address of the packet does not match the host's own IP address, the host discards the ARP request.

Page 31
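The request/reply exchange just described, worked through in code. This is an added example written for this page, not Huawei's or the course's own code: it packs a real Ethernet+ARP frame with the field layout above (broadcast destination for the request, unicast for the reply), and a minimal host model that answers only when the target IP is its own and records the requester's IP-to-MAC mapping, exactly as the text describes. The host names, MAC/IP values and the `Host`, `build_arp`, `parse_arp` and `resolve` helpers are my own assumptions.

```python
"""Ethernet/ARP request-reply exchange (constructed example, not course code)."""
import struct

ETH_HDR = "!6s6sH"          # dst MAC, src MAC, EtherType
ARP_HDR = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6

def mac(s):
    """'aa-bb-cc-dd-ee-ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace("-", "").replace(":", ""))

def ip(s):
    """'192.0.2.10' -> 4 raw bytes."""
    return bytes(int(o) for o in s.split("."))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a complete Ethernet frame carrying an ARP packet.
    A request goes to the broadcast MAC; a reply is unicast to the requester."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = struct.pack(ETH_HDR, dst, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack(ARP_HDR, 1, 0x0800, 6, 4, op,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp

def parse_arp(frame):
    """Decode the Ethernet and ARP headers; returns a dict, or None if not ARP."""
    dst, src, etype = struct.unpack_from(ETH_HDR, frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    (_htype, _ptype, _hlen, _plen, op, sha, spa, tha, tpa) = struct.unpack_from(
        ARP_HDR, frame, struct.calcsize(ETH_HDR))
    return {"eth_dst": dst, "eth_src": src, "op": op,
            "sender_mac": sha, "sender_ip": spa,
            "target_mac": tha, "target_ip": tpa}

class Host:
    """Minimal host: an IP/MAC pair and an ARP cache (IP bytes -> MAC bytes)."""
    def __init__(self, ip_addr, mac_addr):
        self.ip, self.mac = ip(ip_addr), mac(mac_addr)
        self.cache = {}

    def handle(self, frame):
        """Process a received frame. Returns the reply frame to send, or None.
        Only the host whose IP equals the target IP answers; it also records the
        requester's mapping so it can reply without an ARP request of its own."""
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        if pkt["op"] == ARP_REQUEST:
            if pkt["target_ip"] != self.ip:
                return None                      # not for us: discard silently
            self.cache[pkt["sender_ip"]] = pkt["sender_mac"]
            return build_arp(ARP_REPLY, self.mac, self.ip,
                             pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == ARP_REPLY and pkt["target_ip"] == self.ip:
            self.cache[pkt["sender_ip"]] = pkt["sender_mac"]
        return None

def resolve(segment, requester, target_ip):
    """Broadcast an ARP request on a segment (list of hosts); return the MAC learnt."""
    request = build_arp(ARP_REQUEST, requester.mac, requester.ip,
                        b"\x00" * 6, ip(target_ip))
    for host in segment:             # the switch floods the broadcast to every port
        reply = host.handle(request)
        if reply is not None:
            requester.handle(reply)  # unicast reply back to the requester
    return requester.cache.get(ip(target_ip))

if __name__ == "__main__":
    # Constructed sample segment: three hosts, A resolves B.
    a = Host("192.0.2.10", "02-00-00-00-00-0a")
    b = Host("192.0.2.20", "02-00-00-00-00-0b")
    c = Host("192.0.2.30", "02-00-00-00-00-0c")
    print(resolve([a, b, c], a, "192.0.2.20").hex("-"))
```

Note that `Host.handle` learns a mapping only from a request or reply addressed to it; the behaviour of real stacks on unsolicited replies, and why it matters, is discussed under ARP spoofing later in this chapter.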

A common IP header contains 20 bytes, excluding the IP option field. The version field indicates the IP version number: the current protocol version number is 4, and the next-generation IP protocol version number is 6. The header length field, which occupies four bits, gives the length of the IP packet header. An IP packet contains up to 60 bits.

The 8-bit ToS field contains one 3-bit CoS field, a 4-bit ToS field and one unused bit. The 4-bit ToS field indicates minimum delay, maximum throughput, highest reliability and minimum cost. Among the four bits, only one bit can be set. If four bits are set, it indicates a common service. Telnet and Rlogin applications require the minimum transmission delay, because people mainly use them to transmit small amounts of interactive data. FTP file transfer requires the maximum throughput. The highest reliability is assigned to SNMP and routing protocols. Usenet news (NNTP) is the only application that requires minimum cost.

Total length refers to the length of the entire IP packet, including the data part. The total length field contains 16 bits. Therefore, an IP packet can contain up to 65,535 bytes.

Although an IP packet that contains up to 65,535 bytes can be sent, most link layers fragment it, and hosts are not required to receive a packet that contains more than 576 bytes. According to the UDP restriction, a packet shall contain up to 512 bytes, which is less than 576 bytes. In fact, most applications (especially those that support the network file system, NFS) allow an IP packet to contain more than 8192 bytes.

Page 32

The identification field uniquely identifies each packet sent by a host. Generally, the identification field value increases by 1 every time a packet is sent.

Flag bits: The field contains three bits. Bit 0 is reserved and must be 0. Bit 1 (DF): 0 = the packet can be fragmented; 1 = the packet cannot be fragmented. Bit 2 (MF): 0 = final fragment; 1 = more fragments follow.

Fragment offset: It determines the position of the fragment in the data stream. The time to live (TTL) field determines the number of routers that the packet can pass. Each time the packet passes a router, the TTL value decreases by one. If the TTL value reaches 0, the packet is discarded. The protocol field identifies the upper-layer protocol carried in the packet; it is similar to a port number field in that the upper-layer protocol is distinguished by a protocol number: TCP is 6 and UDP is 17. The header checksum field carries the checksum of the IP header, used to check the integrity of the IP header. The source IP address and destination IP address fields identify the source device and destination device of the packet.

Page 33
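A decoder for the header fields described on the two preceding pages, added here as an illustration (it is not code from the course or from Huawei). It unpacks the 20-byte fixed header, splits the CoS/ToS bits and the DF/MF flags, converts the fragment offset from its 8-byte units, verifies the header checksum and shows the router behaviour the text describes (TTL decrement, discard at zero, checksum recomputed). The header length field counts 4-byte words, so the decoder multiplies it by 4 and accepts 20 to 60 bytes. The `build_ipv4` helper and the sample addresses exist only to give the decoder something to run on; all function names are my own.

```python
"""IPv4 header decoder with checksum verification (constructed example, not course code)."""
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte fixed header, network byte order
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ip_checksum(data):
    """Internet checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(packet):
    """Decode the fields discussed above; raises ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack_from(IPV4_HDR, packet, 0)
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    hdr_len = ihl * 4                    # IHL is in 4-byte words: 20..60 bytes
    if hdr_len < 20 or hdr_len > len(packet):
        raise ValueError("bad header length")
    # The sender computes the checksum over the header with the field zeroed, so
    # the receiver's check is simply: checksum over the whole header must be 0.
    if ip_checksum(packet[:hdr_len]) != 0:
        raise ValueError("header checksum mismatch")
    flags = flags_frag >> 13
    return {
        "version": version, "header_len": hdr_len, "options_len": hdr_len - 20,
        "cos": tos >> 5, "tos": (tos >> 1) & 0x0F,   # 3-bit CoS, 4-bit ToS, 1 unused
        "total_len": total_len, "id": ident,
        "df": bool(flags & 0b010), "mf": bool(flags & 0b001),
        "frag_offset": (flags_frag & 0x1FFF) * 8,    # offset is in 8-byte units
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }

def is_valid_header(packet):
    """True if parse_ipv4 accepts the packet (used for negative checks)."""
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False

def build_ipv4(src, dst, proto, payload, ttl=64, ident=1, df=True):
    """Assemble a header (checksum filled in) so the decoder has input to run on."""
    total_len = 20 + len(payload)
    flags_frag = (0b010 << 13) if df else 0
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, flags_frag, ttl, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def forward_hop(packet):
    """Router behaviour from the text: decrement TTL, discard when it would reach 0,
    and recompute the header checksum because the header changed."""
    fields = parse_ipv4(packet)
    if fields["ttl"] <= 1:
        return None
    hdr = bytearray(packet[:fields["header_len"]])
    hdr[8] -= 1                                  # byte 8 is the TTL
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[fields["header_len"]:]

if __name__ == "__main__":
    # Constructed sample: a TCP packet with TTL 2 crossing two routers.
    pkt = build_ipv4("192.0.2.1", "198.51.100.7", 6, b"hello", ttl=2, ident=42)
    print(parse_ipv4(pkt))
    print("after hop 1:", parse_ipv4(forward_hop(pkt))["ttl"])
    print("after hop 2:", forward_hop(forward_hop(pkt)))
```

The checksum covers only the header, so a corrupted payload is not detected here; that is left to the transport-layer checksum.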

Source port and destination port identify and distinguish between application processes on the source and destination devices. TCP port numbers are independent of UDP port numbers. If TCP and UDP provide a commonly used service concurrently, they usually select the same port number. This facilitates use, but is not required by the protocols themselves. The UDP packet format is different from the TCP packet format. The TCP packet contains more bytes than the UDP packet and therefore has more functions, such as reliability.

Page 34

TCP connection setup is a three-way handshake process, aiming to enable both communicating parties to confirm the start serial numbers (SNs) for subsequent communication in an orderly manner.

1. When the TCP connection begins to set up, the client sends a SYN packet that contains the initial SN of the client, namely a.

2. After receiving the SYN packet, the server returns a SYN packet that contains ACK information corresponding to the SYN packet that contains a. The returned acknowledgment number is the SN of the packet that the server hopes to receive next, namely a+1. The returned SYN packet also contains the initial SN b of the server.

3. After receiving the returned SYN packet, the client returns one ACK packet in response, which contains the SN of the packet that the client hopes to receive next, namely b+1.

After the preceding process, a TCP connection is established for communication.

Page 35

The four-way handshake process for terminating a TCP connection is as follows:

1. The host that sends the first FIN packet performs the active close, while the server that receives this FIN packet performs the passive close.

2. After receiving the FIN packet, the server returns one ACK packet whose acknowledgment number is the received SN plus 1. A FIN packet occupies one SN, the same as a SYN packet.

3. The TCP server also sends an end-of-file indication to the application (namely, the discard server). Then, the server program shuts down the connection. As a result, the server's TCP end sends one FIN packet.

4. The client must return an acknowledgment and set the acknowledgment SN to the received SN plus 1.

Page 36
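The three-way open on the previous page and the four-way close above, run as one state machine. This is an added example, not the course's own code: each endpoint keeps `snd_nxt` (the next SN it will send) and `rcv_nxt` (the next SN it expects), SYN and FIN each consume one SN, every ACK carries the peer's SN plus 1, and an ACK that does not match what the endpoint sent is ignored. The ISN values a=1000 and b=5000, the endpoint names and the class and function names are assumptions made for the example.

```python
"""TCP three-way handshake and four-way close as a state machine (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: str          # "SYN", "SYN+ACK", "ACK", "FIN+ACK"

class Endpoint:
    """One TCP endpoint: its state, the next SN it will send (snd_nxt)
    and the next SN it expects from the peer (rcv_nxt)."""
    def __init__(self, name, isn):
        self.name, self.state = name, "CLOSED"
        self.snd_nxt = isn          # initial SN: a for the client, b for the server
        self.rcv_nxt = 0

    def _send(self, dst, flags):
        seg = Segment(self.name, dst, self.snd_nxt, self.rcv_nxt, flags)
        if "SYN" in flags or "FIN" in flags:
            self.snd_nxt += 1       # SYN and FIN each occupy one SN
        return seg

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer):
        self.state = "SYN_SENT"
        return self._send(peer, "SYN")

    def close(self, peer):
        """Active close from ESTABLISHED, or the passive side's FIN from CLOSE_WAIT."""
        self.state = {"ESTABLISHED": "FIN_WAIT_1", "CLOSE_WAIT": "LAST_ACK"}[self.state]
        return self._send(peer, "FIN+ACK")

    def receive(self, seg) -> Optional[Segment]:
        """Handle one segment and return the reply to send, if any."""
        if "ACK" in seg.flags and seg.ack != self.snd_nxt:
            return None             # acknowledges something we did not send: ignore
        if seg.flags == "SYN" and self.state == "LISTEN":
            self.rcv_nxt = seg.seq + 1          # expect a+1 next
            self.state = "SYN_RCVD"
            return self._send(seg.src, "SYN+ACK")
        if seg.flags == "SYN+ACK" and self.state == "SYN_SENT":
            self.rcv_nxt = seg.seq + 1          # expect b+1 next
            self.state = "ESTABLISHED"
            return self._send(seg.src, "ACK")
        if "FIN" in seg.flags:
            self.rcv_nxt = seg.seq + 1          # the FIN consumed one SN
            self.state = {"ESTABLISHED": "CLOSE_WAIT", "FIN_WAIT_2": "TIME_WAIT"}[self.state]
            return self._send(seg.src, "ACK")
        if seg.flags == "ACK":
            self.state = {"SYN_RCVD": "ESTABLISHED", "FIN_WAIT_1": "FIN_WAIT_2",
                          "LAST_ACK": "CLOSED"}.get(self.state, self.state)
        return None

def run_connection(a=1000, b=5000):
    """Open a connection (client ISN a, server ISN b), then close it from the client
    side. Returns both endpoints and the ordered list of segments exchanged."""
    client, server = Endpoint("client", a), Endpoint("server", b)
    server.listen()
    log: List[Segment] = []

    def deliver(seg):
        while seg is not None:
            log.append(seg)
            target = server if seg.dst == "server" else client
            seg = target.receive(seg)

    deliver(client.connect("server"))   # SYN, SYN+ACK, ACK
    deliver(client.close("server"))     # FIN+ACK, ACK
    deliver(server.close("client"))     # FIN+ACK, ACK
    return client, server, log

if __name__ == "__main__":
    for s in run_connection()[2]:
        print(f"{s.src:>6} -> {s.dst:<6} {s.flags:<8} seq={s.seq} ack={s.ack}")
```

The ACK check at the top of `receive` is the point the SYN flood and IP spoofing pages build on: a segment is accepted on the strength of its sequence and acknowledgment numbers alone, with nothing else authenticating the sender.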


IP spoofing

To get access permission, an intruder generates a packet with a forged source address. For applications that employ verification based on IP addresses, this attack manner allows unauthorized users to access the destination system, even as the root user. If the response packet cannot reach the attacker's host, the attacked host may be damaged. This is IP spoofing.

SYN flood

Due to resource restrictions, a TCP/IP implementation only allows a limited number of TCP connections. Attackers utilize this feature to initiate a SYN flood. An attacker forges a SYN packet whose source address is a forged or nonexistent IP address, and initiates a connection to the server. After receiving the packet, the server returns SYN-ACK but never receives the ACK. As a result, a half-open connection is set up. If the attacker sends a great number of such SYN packets, a lot of half-open connections are set up on the attacked host, consuming the host's resources. As a result, normal users cannot access the host until the half-open connections expire. On some systems in which connection establishment is not restricted, a SYN flood uses up system resources, such as memory, so that these hosts cannot respond to legitimate requests.

Page 38
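What a SYN flood looks like from the monitoring side. The following is an added example (not code from the course or from Huawei): it tracks half-open connections per server the way the text describes them, a SYN that is never followed by the client's ACK, expires entries after a timeout as a real stack's SYN-RECEIVED timer would, and raises an alert when the count for one server exceeds a threshold. The traffic fed in is constructed inline: five clients that complete the handshake, then fifty SYNs from distinct sources that never do. The class names, thresholds, addresses and timestamps are all assumptions of the example.

```python
"""Half-open connection monitor for SYN flood detection (constructed example)."""
from collections import defaultdict

class HalfOpenMonitor:
    """Tracks TCP connection attempts that have seen a SYN but no final ACK.

    Keyed by server (ip, port); each half-open entry remembers the client and the
    time the SYN arrived so stale entries can be expired like a SYN-RECEIVED timer."""

    def __init__(self, threshold=20, timeout=30.0):
        self.threshold = threshold            # half-open count that triggers an alert
        self.timeout = timeout                # seconds before an unanswered SYN expires
        self.half_open = defaultdict(dict)    # server -> {client: syn_time}
        self.alerts = []                      # (time, server, half_open_count)

    def observe(self, ts, src, dst, flags):
        """Feed one TCP segment: (timestamp, (ip, port), (ip, port), set of flags).
        Returns True if this segment pushed a server over the threshold."""
        if flags == {"SYN"}:                  # client -> server: new attempt
            self.half_open[dst][src] = ts
            self._expire(ts, dst)
            count = len(self.half_open[dst])
            if count > self.threshold:
                self.alerts.append((ts, dst, count))
                return True
        elif "ACK" in flags and "SYN" not in flags:
            # Third handshake segment from the client completes the connection.
            self.half_open[dst].pop(src, None)
        elif "RST" in flags:
            self.half_open[dst].pop(src, None)  # aborted attempt: drop the entry
        return False

    def _expire(self, now, server):
        stale = [c for c, t in self.half_open[server].items() if now - t > self.timeout]
        for c in stale:
            del self.half_open[server][c]

    def half_open_count(self, server):
        return len(self.half_open[server])

def replay(events, threshold=20, timeout=30.0):
    """Run a list of (ts, src, dst, flags) events through a fresh monitor."""
    mon = HalfOpenMonitor(threshold, timeout)
    for ts, src, dst, flags in events:
        mon.observe(ts, src, dst, flags)
    return mon

SERVER = ("198.51.100.7", 80)   # constructed sample server

def legitimate_traffic(start=0.0, n=5):
    """n clients that complete the full three-way handshake (SYN, then ACK)."""
    ev = []
    for i in range(n):
        client = ("192.0.2.%d" % (10 + i), 40000 + i)
        ev.append((start + i, client, SERVER, {"SYN"}))
        ev.append((start + i + 0.1, client, SERVER, {"ACK"}))
    return ev

def flood_traffic(start=100.0, n=50):
    """n SYNs from distinct sources that are never followed by an ACK."""
    return [(start + i * 0.01, ("203.0.113.%d" % (i + 1), 50000 + i), SERVER, {"SYN"})
            for i in range(n)]

if __name__ == "__main__":
    mon = replay(legitimate_traffic() + flood_traffic())
    print("half-open now:", mon.half_open_count(SERVER))
    print("first alert:", mon.alerts[0] if mon.alerts else None)
```

The same counter is what SYN-cookie or SYN-proxy defences drive: once half-open entries for a server pass the threshold, the device stops allocating state for new SYNs until the client proves it can complete the handshake.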

The ARP implementation mechanism considers only normal service interaction; it does not verify improper interaction or malicious behaviour. For example, after receiving ARP response packets, hosts do not verify whether they have sent a corresponding ARP request, but directly replace the original entry in the ARP cache with the mapping between the MAC and IP addresses carried in the response packet.

ARP spoofing: Attackers send a great number of forged ARP request and response packets to attack network devices. ARP spoofing is classified into ARP buffer overflow and ARP DoS.

Note: ARP spoofing can be implemented by an ARP request or response.

ARP flood (ARP scanning): When attackers use a tool to scan hosts in the attacker's own network segment or hosts across network segments, the USG searches its ARP entries before sending response packets. If the MAC address of the destination does not exist, the ARP module of the USG sends an ARP Miss to the upper-layer software, requesting it to send an ARP request to obtain the destination MAC address. A large number of scanning packets results in a great number of ARP Miss messages. As a result, USG resources are consumed processing ARP Miss messages, which affects other service processing; this constitutes a scanning attack.

Page 39
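The two weaknesses on this page, shown beside the corresponding defensive policy. This is an added example and not Huawei's or the USG's implementation: `NaiveArpCache` is the behaviour the text describes (any reply overwrites the entry), `GuardedArpCache` accepts a reply only for an IP it recently asked about and refuses to let a reply silently change an existing binding, and `ArpMissLimiter` caps the number of ARP Miss resolutions admitted per second so a scan cannot turn every unknown destination into control-plane work. Class names, the sample addresses and the rate limit of 10 per second are assumptions.

```python
"""ARP cache update policy and ARP Miss rate limiting (constructed example)."""
from collections import deque

class NaiveArpCache:
    """Behaviour described in the text: any reply overwrites the entry, solicited or not."""
    def __init__(self):
        self.table = {}
    def on_reply(self, ip, mac, now=0.0):
        self.table[ip] = mac
        return True

class GuardedArpCache:
    """Accept a reply only for an IP we actually asked about (within request_ttl
    seconds), and never let a reply change the MAC of an existing entry; a
    conflicting reply is recorded for the operator instead of applied."""
    def __init__(self, request_ttl=2.0):
        self.table = {}
        self.pending = {}            # ip -> time the request went out
        self.request_ttl = request_ttl
        self.conflicts = []          # (ip, old_mac, new_mac)

    def on_request_sent(self, ip, now):
        self.pending[ip] = now

    def on_reply(self, ip, mac, now):
        sent = self.pending.get(ip)
        if sent is None or now - sent > self.request_ttl:
            return False                      # unsolicited or too late: ignore
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.conflicts.append((ip, old, mac))
            return False                      # keep the existing binding
        self.table[ip] = mac
        del self.pending[ip]
        return True

class ArpMissLimiter:
    """Admit at most max_per_second ARP Miss resolutions in any one-second window."""
    def __init__(self, max_per_second=10):
        self.max_per_second = max_per_second
        self.recent = deque()                 # timestamps of admitted misses
        self.dropped = 0

    def admit(self, now):
        while self.recent and now - self.recent[0] >= 1.0:
            self.recent.popleft()
        if len(self.recent) >= self.max_per_second:
            self.dropped += 1
            return False
        self.recent.append(now)
        return True

def scenario():
    """Constructed sequence: a solicited reply for the gateway, an unsolicited reply
    with a different MAC, a conflicting answer to a later re-resolution, then a
    burst of 100 packets to unknown destinations within 0.1 s."""
    naive, guarded, limiter = NaiveArpCache(), GuardedArpCache(), ArpMissLimiter(10)
    gw, gw_mac, other_mac = "192.0.2.1", "02-00-00-00-00-01", "02-00-00-00-00-ee"
    guarded.on_request_sent(gw, now=0.0)
    naive.on_reply(gw, gw_mac, 0.1)
    guarded.on_reply(gw, gw_mac, 0.1)                    # solicited: accepted
    naive.on_reply(gw, other_mac, 3.0)
    unsolicited = guarded.on_reply(gw, other_mac, 3.0)   # no request pending: ignored
    guarded.on_request_sent(gw, now=4.9)
    conflicting = guarded.on_reply(gw, other_mac, 5.0)   # differs from binding: logged
    admitted = sum(limiter.admit(10.0 + i * 0.001) for i in range(100))
    return {"naive": naive.table[gw], "guarded": guarded.table[gw],
            "unsolicited_accepted": unsolicited, "conflicting_accepted": conflicting,
            "conflicts": list(guarded.conflicts),
            "misses_admitted": admitted, "misses_dropped": limiter.dropped}

if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The guarded cache trades availability for integrity: a legitimate MAC change (a replaced gateway NIC) shows up as a conflict that an administrator must clear, which is the same trade-off static ARP entries make.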

IP spoofing is implemented based on an IP trust relationship. Trusted hosts may obtain the highest permission to access destination hosts without authorization.

The IP spoofing procedure is as follows:

Disable the trusted host so that it cannot receive any valid network data. To disable the trusted host, the attacker can initiate SYN flood, TTN and Land attacks. Assume that the attacker has disabled the trusted host.

Sample and predict SNs. This step involves TCP applications rather than UDP applications. To attack the destination host, the attacker must know the packet SN of the destination host. How does the attacker make the prediction? The attacker generally establishes a normal connection with one port (such as port 80) of the attacked host. Generally, this process is repeated N times and the ISN finally sent by the destination host is stored. Then, the attacker estimates the round trip time between the attacker's host and the trusted host; the round trip time is obtained as a statistical average over several measurements. Once the ISN is figured out, the attacker initiates the attack. If the guessed SN is correct, the false TCP packet is saved in the buffer of the destination host. If the guessed SN is smaller than the correct SN, the false TCP packet is discarded. If the guessed SN is greater than the correct SN and within the buffer size, the packet is regarded as a future packet and the TCP module waits for the missing data. If the guessed SN is greater than the expected value and beyond the buffer size, the TCP module discards the packet and returns the expected data SN. The attacker's host uses the IP address of the trusted host. At this time, the trusted host is down.

Page 40

The attacker's host sends a connection request to port 80 of the destination host. The destination host immediately responds to the connection request and sends the SYN+ACK packet to the trusted host. Because the trusted host is still down, it cannot receive this packet. The attacker's host then sends an ACK packet to the destination host. This ACK packet uses the guessed SN plus 1 as its acknowledgment number. If the SN is correct, the destination host accepts this ACK packet and the connection is set up for data transmission. Of course, the final aim of the attacker is to obtain the rights of the destination host administrator.

The entire IP spoofing procedure is summarized as follows:

1. Bring down the trusted host for the moment so that it cannot interfere with the attack.

2. Connect to a port of the destination host to guess the ISN base value and increment rule.

3. Forge the source address as the trusted host's address. Send a data segment that carries the SYN flag to request a connection.

4. Wait for the destination host to send the SYN+ACK packet to the downed host.

5. Posing as the trusted host, send the ACK packet to the destination host. The sent data segment carries the guessed SN of the destination host, namely ISN+1.

6. Set up the connection and send a command request.

Page 41
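The four outcomes listed on page 40 for a segment whose SN is guessed (accepted, discarded as old, held as a future segment, or discarded as out of window) are simply the receiver's window check. The following Python is an added example, not course material: it implements that check with proper modular 32-bit comparison, delivers in-order data, buffers in-window out-of-order data until the gap is filled, and returns the acknowledgment number the receiver would send in each case. The `Receiver` class, window size and sample SNs are assumptions of the example.

```python
"""How a TCP receiver treats an incoming segment's SN (constructed example)."""
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF

def seq_lt(a, b):
    """Modular comparison a < b for 32-bit sequence numbers, so it is correct
    across the wraparound from 0xFFFFFFFF to 0."""
    return ((a - b) & MASK) > 0x7FFFFFFF

@dataclass
class Receiver:
    rcv_nxt: int                  # next SN expected in order
    rcv_wnd: int = 8192           # receive buffer size advertised to the peer
    buffered: dict = field(default_factory=dict)   # out-of-order data keyed by SN
    delivered: bytes = b""

    def classify(self, seq):
        """Return 'in_order', 'old', 'future' or 'outside' for a segment starting at seq."""
        window_end = (self.rcv_nxt + self.rcv_wnd) & MASK
        if seq == self.rcv_nxt:
            return "in_order"
        if seq_lt(seq, self.rcv_nxt):
            return "old"            # below the expected SN: discarded
        if seq_lt(seq, window_end):
            return "future"         # inside the window: buffered, wait for the gap
        return "outside"            # beyond the window: discarded

    def receive(self, seq, data):
        """Process a segment; returns (classification, ack number to send)."""
        kind = self.classify(seq)
        if kind == "in_order":
            self.delivered += data
            self.rcv_nxt = (self.rcv_nxt + len(data)) & MASK
            # Drain any previously buffered segments that now fit in order.
            while self.rcv_nxt in self.buffered:
                chunk = self.buffered.pop(self.rcv_nxt)
                self.delivered += chunk
                self.rcv_nxt = (self.rcv_nxt + len(chunk)) & MASK
        elif kind == "future":
            self.buffered[seq] = data
        # In every case the ACK carries the SN the receiver still expects.
        return kind, self.rcv_nxt

if __name__ == "__main__":
    r = Receiver(rcv_nxt=1000, rcv_wnd=100)          # constructed sample state
    for seq, data in ((900, b"x"), (1050, b"late"), (5000, b"far"), (1000, b"a" * 50)):
        print(seq, r.receive(seq, data))
    print("delivered:", r.delivered)
```

Nothing in this check authenticates the sender; a segment is judged only by where its SN falls relative to `rcv_nxt` and the window. That is why the defences against the procedure described above are an unpredictable, per-connection random ISN and source-address validation at the network edge, not anything in the window logic itself.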

Most TCP spoofing occurs during TCP connection establishment. A false TCP connection is set up by using the trust relationship of a network service between hosts. The attacker may act as a victim to obtain information from the server. The example is as described under IP spoofing.

Example:

A trusts B. (For example, B can use rlogin.) C is an attacker who wants to act as B to set up a connection with A.

C disables B, for example, by flooding, redirection or crashing.

C sends a TCP packet to A, using B's address as the source address and 0 as the SN. A sends a TCP SYN/ACK to B, carrying the SN S. C does not receive the SN S, but uses S+1 as the acknowledgment number to finish the handshake. C can do one of the following things:

C monitors the SYN/ACK packet and figures out the SN based on the obtained value. C guesses the SN according to the operating system feature. The handshake ends and a false connection is built.

Page 42


The biggest feature of a passive attack is that the attacker monitors the information to be stolen in order to obtain confidential information. Data owners or legitimate users cannot detect such a passive attack. As a result, focus on attack prevention instead of detection.

In general, encryption technology is used to protect information confidentiality.

Page 44

An active attack refers to forging or falsifying packet headers or the data payload in a service data stream in order to imitate legitimate users and access service resources without authorization, or to destroy service resources. Analyze the attacks on data streams and put forward technical measures to guarantee proper service running, for example, data source verification, integrity verification, and anti-DoS technology.

Page 45

A man-in-the-middle attack is an indirect attack. It has passive and active attack features, depending on the attack manner (such as stealing or falsifying information).

1. Stealing information: When host A exchanges data with host B, the attacker's host intercepts the information, keeps a copy and forwards the data (or only monitors without forwarding). In this case, the attacker's host can easily obtain confidential information of hosts A and B, and hosts A and B do not know it at all.

2. Falsifying information: The attacker's host acts as the data exchange intermediary between hosts A and B. To hosts A and B, it appears that they communicate directly with each other. In fact, there is a transit host between them, namely the attacker's host. Generally, the attacker inserts information into the data streams between hosts A and B or modifies corresponding information to carry out the attack.

Attackers may use various technologies to intercept information, such as DNS spoofing and network stream monitoring.

Page 46


HCNA-Security V1.0 CBSN Chapter 2

Basic Firewall Technology

Page 51


Firewall technology is a specific embodiment of security technology. Literally, a firewall refers to a wall between two houses that prevents the spread of fire when a fire breaks out.

A firewall is used to address network security and works as a highly efficient "filter". In addition, it can provide access control, authentication, data encryption, VPN technology, address translation and other security features, so users can configure their own security policies according to the network environment to prevent illegal access and ensure network security.

A modern firewall system should not be just an "entry protective screen", but an access control point between many networks, making all incoming and outgoing data flows first go through the firewall. The firewall, serving as a gateway, protects not only the internal network in the Internet environment, but also the internal network security of many hosts. Within each of the networks separated by the firewall, all hosts are considered "trusted", and the communication between them is free from firewall interference. The networks separated by the firewall must access each other in accordance with the provisions of the firewall "policy".

The firewall described in this document refers to the hardware firewall, an integration of various kinds of security technologies using a dedicated hardware structure, a high-speed CPU, and an embedded operating system. It supports a variety of high-speed interfaces (LAN interfaces) and is used to protect private network (host) security. Such a device is called a hardware firewall. Hardware firewalls can be independent of operating systems (such as HP-UNIX, SUN OS, AIX, and NT) and hosts (IBM6000 and ordinary PCs).

Page 56

Early firewalls were only software deployed on a single device, and the control mode could only be based on packets. With progress in technology and in environmental security requirements, firewalls have also developed into more types.

By form:

1. Hardware firewall: a system deployed on hardware equipment (servers or special platforms), featuring: 1) hardware + software, requiring no separate OS platform; 2) security is decided by the special OS platform; 3) high network adaptability (supporting multiple access modes); 4) high stability; 5) low flexibility for upgrade and update.

2. Software firewall: installed as a software application, featuring: 1) only the firewall software is provided, so an extra OS platform is needed; 2) security is decided by the lower-layer OS; 3) low network adaptability (mainly route mode); 4) high stability; 5) easy to upgrade.

By protected target:

1. Standalone firewall, which protects only a standalone device, featuring: 1) separate security policies; 2) simple security features; 3) maintenance by common users; 4) high security risks; 5) flexible policy setting.

2. Network firewall, which protects an entire network, featuring: 1) centralized security policies; 2) complex and diverse security features; 3) maintenance by a professional administrator; 4) low security risks; 5) complex policy setting.

Page 57

Firewalls have gone through three generations of development and have various classification methods. For example, by form, firewalls can be classified into hardware firewalls and software firewalls. By protected target, firewalls can be classified into standalone firewalls and network firewalls. But generally, the mainstream classification method is by processing method.

Firewalls can be divided into the following three categories by processing method:

Packet filtering firewall

Packet filtering means checking every data packet at the network layer, and forwarding or dropping the packets according to the configured security policy. The basic principle of a packet filtering firewall is to carry out packet filtering by configuring an Access Control List (ACL), mainly based on the source or destination IP address, source or destination port number, IP protocol identification and packet forwarding direction in the data packet. A packet filtering firewall has a simple design, so it is easy to deploy and cheap.

Packet filtering firewalls have the following defects:

1. As the ACL becomes longer and more complex, the filtering capability declines.

2. Static ACL policies are hard to adapt to dynamic security requirements.

3. Packet filtering does not check or analyze data, which gives hackers a chance. For example, attackers can cheat with a false address by setting their own IP address to a legitimate IP address and then pass through the filter easily.

Page 58

Note: Multichannel protocols such as FTP generate a dynamic data channel port based on the FTP control channel, and later data interaction is mainly carried out on the data channel.

Page 59

Proxy firewall

A proxy firewall works at the application layer, taking over the direct user services between the extranet and intranet. The proxy checks the requests coming from users. After the user passes the security check, the firewall establishes a connection with the real server on behalf of the user, forwards the external user's request, and sends the response from the real server back to the external user.

A proxy firewall has high security control capabilities. It can completely control network information exchange and the session process. The defects are:

1. The software limits the processing speed, making it easy to attack with Denial of Service (DoS) attacks.

2. An application layer proxy needs to be developed for each protocol; the development cycle is long and it is difficult to upgrade.

Page 60

Stateful inspection firewall

Stateful inspection is an extension of packet filtering technology. Connection-state-based packet filtering does not treat each data packet as an independent unit; it considers the relationship between the packets before and after it. As we know, the establishment of every reliable connection-based data flow (TCP based data flow) needs to go through the "three-way handshake", namely "client synchronization request", "server response" and "client response", which means the data packets are not independent but closely connected to each other. Stateful inspection technology is developed on this basis.

Basic principles:

1. A stateful inspection firewall uses sessions of all kinds to track the active TCP sessions and UDP pseudo-sessions; the access control list decides which sessions to establish, and data packets are forwarded only when they belong to a session. UDP pseudo-sessions are virtual connections (UDP is a connectionless protocol) used for stateful inspection; they are established for the UDP data flow when a UDP packet is processed.

2. A stateful inspection firewall intercepts data packets, acquires the state information needed by the security policy from the application layer, and saves it to the session list. By analyzing these sessions and the following requests related to the data packet, it makes proper decisions.

Page 61

A stateful inspection firewall has the following advantages:

1. Efficient processing of subsequent data packets: When the stateful inspection firewall performs the ACL check, it records the connection state of the data flow, so the following packets in this data flow do not need the ACL check again; they only need a connection record check against the session. After the check, the connection record is updated so that data packets with the same connection state are not checked again. Records in the connection session list do not have a fixed order, unlike an ACL, whose entries have a fixed order. Therefore, a stateful inspection firewall can use a binary tree or hash for rapid search to improve system transmission efficiency.

2. High security: Connection state list management is dynamic. The temporary entry opened for response packets is closed right away at the end of the session, protecting intranet security. A stateful inspection firewall uses real-time connection state monitoring technology to identify connection state information, thus strengthening security control.

Page 62
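The packet filtering firewall of page 58 and the stateful inspection firewall of pages 61 and 62, side by side on the same constructed traffic. This is an added example, not Huawei's USG implementation: `StatelessFilter` does a first-match ACL lookup (implicit deny) on every packet in both directions, so a server's SYN-ACK reply is dropped unless a separate inbound rule is written; `StatefulFilter` consults the ACL only for the packet that opens a session (a TCP SYN, or the first UDP packet), matches replies and later packets against the session table, ages UDP pseudo-sessions out after a timeout, and removes the temporary entry when a FIN or RST ends the session. The rule set, addresses, timeout and class names are assumptions of the example.

```python
"""Stateless ACL filtering versus stateful session tracking (constructed example)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN","ACK"}, {"FIN","ACK"}

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None matches any value
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in
                   ((self.proto, p.proto), (self.src, p.src),
                    (self.dst, p.dst), (self.dport, p.dport)))

def acl_lookup(rules, p):
    """First-match ACL with an implicit deny at the end."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False

class StatelessFilter:
    """Packet filtering firewall: every packet, in both directions, is an ACL lookup."""
    def __init__(self, rules):
        self.rules, self.acl_lookups = rules, 0
    def handle(self, p, now=0.0):
        self.acl_lookups += 1
        return acl_lookup(self.rules, p)

class StatefulFilter:
    """Stateful inspection: the ACL is consulted only for the packet that opens a
    session; later packets of that flow, including replies, match the session table."""
    def __init__(self, rules, udp_timeout=30.0):
        self.rules, self.acl_lookups = rules, 0
        self.sessions = {}           # 5-tuple of the initiating direction -> last seen
        self.udp_timeout = udp_timeout

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p, now=0.0):
        fwd, rev = self._key(p), self._reverse(p)
        if fwd in self.sessions or rev in self.sessions:
            key = fwd if fwd in self.sessions else rev
            if p.proto == "udp" and now - self.sessions[key] > self.udp_timeout:
                del self.sessions[key]          # pseudo-session aged out: re-check below
            else:
                self.sessions[key] = now
                if "FIN" in p.flags or "RST" in p.flags:
                    del self.sessions[key]      # close the temporary entry at session end
                return True
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return False     # only a SYN may open a TCP session; stray SYN-ACK/ACK dropped
        self.acl_lookups += 1
        if not acl_lookup(self.rules, p):
            return False
        self.sessions[fwd] = now                # ACL permitted: create the session
        return True

# Constructed policy: one intranet client may reach a web server and a DNS server.
RULES = [Rule("permit", proto="tcp", src="192.0.2.10", dst="198.51.100.7", dport=80),
         Rule("permit", proto="udp", src="192.0.2.10", dst="198.51.100.53", dport=53)]

def compare():
    """Run the same client/server handshake through both filters."""
    syn = Packet("tcp", "192.0.2.10", 40000, "198.51.100.7", 80, frozenset({"SYN"}))
    synack = Packet("tcp", "198.51.100.7", 80, "192.0.2.10", 40000, frozenset({"SYN", "ACK"}))
    ack = Packet("tcp", "192.0.2.10", 40000, "198.51.100.7", 80, frozenset({"ACK"}))
    rogue = Packet("tcp", "198.51.100.7", 80, "192.0.2.10", 40001, frozenset({"SYN", "ACK"}))
    stateless, stateful = StatelessFilter(RULES), StatefulFilter(RULES)
    return {"stateless": [stateless.handle(x) for x in (syn, synack, ack)],
            "stateful": [stateful.handle(x) for x in (syn, synack, ack)],
            "stateful_rogue": stateful.handle(rogue),
            "acl_lookups": (stateless.acl_lookups, stateful.acl_lookups)}

if __name__ == "__main__":
    print(compare())
```

Two simplifications to keep in mind: the session is torn down on the first FIN rather than after the full four-way close, and multichannel protocols such as FTP (page 59) are not handled, since the data channel's port is negotiated on the control channel and a real device needs an application layer gateway to open that second session.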

Firewall hardware platforms can be divided into universal CPU architecture, Application Specific Integrated Circuit (ASIC) architecture, Network Processor (NP) architecture and multi-core processor architecture. Here we will introduce them one by one.

Universal CPU Architecture

The common CPU architecture is based on the X86 platform, using a host CPU to process services. The card chip and the CPU use the PCI bus for data transmission. The traditional 32-bit PCI bus frequency is 33 MHz, so the data transfer rate between the card chip and the CPU can theoretically reach 1056 Mbit/s, theoretically meeting the need of a gigabit firewall. But the X86 platform uses a shared bus, so if two cards transmit data simultaneously, the average rate of each card can only be 528 Mbit/s. And so on: the more cards there are, the lower the rate. As long as there is more than one card, the rate is lower than 1000 Mbit/s. In addition, on the X86 platform architecture the thread scheduling mechanism is implemented using interrupts, so when there is a large number of small data packets in the network, the same traffic causes more interrupts; the firewall throughput is then only about 20%, and the CPU usage is very high. This architecture based on the X86 platform cannot meet the needs of a gigabit firewall, and is only suitable as the hardware platform for a 100M firewall.

With the development of hardware technology, Intel later presented a new solution for the PCI bus: PCI-E, or PCI-Express. The main advantage of PCI-E is that the data transfer rate is high, more than 10GB/s currently. It uses the industry's most popular point-to-point serial technology. Compared with the PCI bus or the earlier shared host bus parallel architecture, each device has its own dedicated connection and does not need to request bus bandwidth, and the data transmission rate can be raised to a very high frequency, reaching bandwidth that PCI cannot provide. Compared with the traditional PCI bus, which could achieve only one-way transmission within a certain time period, the PCI-E dual-simplex connection provides higher transmission rates and quality; the difference between them is similar to that between half duplex and full duplex. The technology allows PCI-E to replace PCI and become a new unified interface standard. After using PCI-E technology, the data transmission rate of the X86 platform can meet the requirements of a gigabit firewall, but the interrupt mechanism still affects the processing rate of the integrated device, so X86 technology still has room for improvement even with the use of PCI-E.

Page 63

ASIC architecture

In contrast, an ASIC architecture based firewall improves the interrupt mechanism at the architecture level. ASIC designs a specialized ASIC chip to accelerate data processing, and solidifies instructions and algorithms directly in the chip. Data received from the card are not processed by the main CPU. Instead the data are processed and forwarded directly by the ASIC chip integrated on the card. Thus, not all data need to be processed by the main CPU, and chip processing does not use the interrupt mechanism, which can significantly improve the processing performance of the firewall. ASIC also has its own shortcomings, as its flexibility and scalability are very poor. The ASIC architecture uses a chip after all, but chip development is very difficult, so the services that can be processed are also very limited. Developing new features on the ASIC architecture has a development cycle of 18 months, and even an architecture improvement requires three months, so in the face of more complex networks, the ASIC architecture is clearly not competent.

NP Architecture

The NP framework can be described as a compromise between the CPU and ASIC solutions; it has a network processor on each card. A network processor is designed for network equipment to process network traffic. The program on each network processor is written in microcode. Although software development on a network processor is difficult, specialized instruction sets and the supporting software development system can still provide powerful programming capabilities, so it is a substantial improvement over the ASIC architecture in both development difficulty and cycle. As with ASIC, NP has a clear performance advantage compared with the X86 architecture. NP hardware design mostly uses high-speed interface technology and bus specifications, with high I/O capability. In addition, NP also builds in a hardware-accelerated programmable architecture whose hardware and software are easy to upgrade: the software can support new standards and protocols, and the hardware design supports higher network speeds, so that the product life cycle is longer. But compared with X86, microcode programming is not flexible enough, and function scalability continues to be limited to a certain degree; compared with ASIC, since processing depends to some extent on software, forwarding performance is a little weaker than ASIC.

Page 64

Multi-Core Architecture

As can be seen from the above, the common CPU architecture, NP architecture and ASIC architecture have their own advantages and disadvantages. The common CPU architecture has the highest flexibility; new features and new modules are easy to add, but it certainly cannot meet gigabit performance needs. ASIC has the highest performance; gigabit and 10 gigabit throughput can be achieved, but it is the least flexible, and it is very difficult to expand after it is fixed. NP is somewhere in between, so it is a compromise and cannot solve the problems completely. The emergence of multi-core architecture greatly eases these contradictions. Each core in a multi-core architecture is a common CPU, so it offers higher integration and more efficient inter-core communication and management mechanisms compared with a single CPU. A small number of cores are used for management, and most of the cores complete routine service processing functions. Some CPUs carry out encryption and decryption through a protocol co-processor, and because C programming can be used and function extension is not restricted, the platform can realize VPN encryption and decryption, firewall, UTM, and other services without affecting the corresponding performance.

The processing core of the multi-core CPU architecture is still fundamentally a CPU, but it integrates multiple cores or threads together with the associated parallel processing technology. In terms of logic chip design, it uses forward flow, shared cache optimization and integrated special co-processors to achieve performance and flexibility. This integration offers a number of technical advantages for multi-core processors, making it an ideal hardware platform for the next generation of network security products.

As a new generation of hardware platform, multi-core has very high technical requirements for software development; how to effectively implement and exploit the advantages of multi-core technology is a great challenge for product development based on a multi-core hardware platform. For firewalls based on this multi-core hardware platform, the Huawei Symantec firewall combines many technological advantages and uses multi-core technologies, such as the multi-core operating system Security Operation System (SOS). Multi-core processors have powerful parallel processing capabilities, I/O capability and hardware-assisted data packet scheduling capability, but the efficiency of a common operating system decreases rapidly as the number of CPU cores increases. The SOS system is efficient, stable, secure, and suitable for high-performance network forwarding and security development platforms; it supports efficient packet scheduling and concurrent processing, which maximizes multi-core CPU utilization.

Page 65

Question: Do the interfaces in transparent mode definitely have no IP address? Does the management interface in transparent mode have an IP address? If yes, what is the role of the IP address?

In transparent mode, is the interface that can be configured with an IP address an actual physical interface or a Vlanif logical interface?

Note: In versions later than USG2200&5100 V100R005, the firewall working mode has changed; the mode is now mainly reflected in whether interfaces work at Layer 2 or Layer 3.

The switchover of firewall working modes requires a device restart, but not configuration saving.
In routing mode, the firewall is placed between the Intranet and the Extranet, and the interfaces to the Intranet and Extranet are configured with different IP addresses. The firewall is responsible for routing between the Intranet and Extranet, like a router.

In routing mode, the firewall can support more security features, such as NAT and UTM. However, if routing mode is adopted, the network administrator may need to modify the network topology; for example, Intranet users need to modify their gateway, or the router needs to modify its routing configuration. Therefore, the designer needs to consider network transformation, service interruption and other factors comprehensively.
If the firewall is connected to the Extranet through the data link layer (the interface has no IP address), the firewall is regarded as working in transparent mode.

If the firewall operates in transparent mode, it can avoid the trouble of topology modification. In transparent mode, only a bridge is needed in the network, without modifying any existing configuration. IP packets still go through the relevant filtering checks, and internal network users are still protected by the firewall.

In transparent mode, the firewall cannot route between addresses, so the two networks linked together must be in the same segment.

In transparent mode, the firewall is responsible for packet forwarding, but not routing. The two networks connected to the firewall must be in the same segment.
Question: If there is only one firewall, is there any application scenario for the composite mode?

Composite mode is mainly used for dual-system backup in transparent mode. In that case, IP addresses need to be configured only on the interfaces that run VRRP, and the other interfaces do not need IP addresses.
A firewall supports multiple security zones. By default it provides four predefined security zones, namely the Untrust zone, DMZ, Trust zone and Local zone, and it also supports user-defined security zones.

The four predefined security zones do not need to be created, cannot be deleted, and their security levels cannot be reset. A security level is a value from 1 (the lowest) to 100 (the highest).

The four default security zones are described as follows:

Untrust zone: a security zone with a low security level of 5.

DMZ: a security zone with a medium security level of 50.

Trust zone: a security zone with a high security level of 85.

Local zone: a security zone with the highest security level of 100.

Note that adding an interface to a security zone in fact means adding the network connected to the interface into that security zone; the interface itself still belongs to the Local zone, which is reserved by the system to represent the device itself.
Data flows between two security zones (referred to as an interzone) have two directions:

Inbound: data transferred from the zone with the lower security level to the zone with the higher security level.

Outbound: data transferred from the zone with the higher security level to the zone with the lower security level.

High and low priority are relative (for example, the DMZ at level 50 is the high-level side of the DMZ-Untrust interzone and the low-level side of the Trust-DMZ interzone).

Data transmission between security zones of different security levels triggers USG security policy checks. Different security policies can be specified in advance for the two directions of the same interzone. When data flows in the two different directions of the interzone, different security policy checks are triggered.
Firewall zones are classified by interface. That is, all network devices connected through the same interface belong to the same security zone, while one security zone can include many networks connected through many interfaces. Here the interfaces can be physical or logical ones. Therefore, users on different network segments connected through the same physical interface can belong to different security zones through sub-interfaces, Vlanif interfaces or other logical interfaces.

Question: If different interfaces belong to one security zone, is the interzone packet-filtering policy still effective?
Access Control: The firewall applies a set of policies and mechanisms. It identifies the packet headers of the data flow passing through it to allow legitimate data to access specific resources, thus preventing malicious or casual access by unauthorized users. Access control involves three basic concepts, namely, subject, object and access authorization.

Subject: an entity (such as a process, operation or user) that makes information flow among objects, or an active entity that can access or use objects.

Object: an entity that can receive information (files, directories, data blocks, records, procedures, memory segments and network nodes) from another subject or object; that is, an entity that contains information and can be accessed.

Authorized access: indicates that the object authorizes access by the subject, and an authorization is given for each pair of subject and object. User access authorization is decided by the system security policy, such as allowing a user read-write operation.

In an access control system, distinguishing the subject and the object is important, and subject and object can convert into each other. First, the subject launches an access operation on the object, and the operation is allowed or denied according to the system authorization. The relationship between subject and object is relative: when a subject is accessed by another subject, the accessed subject becomes an object.
Deep Packet Inspection (DPI) is a relatively new technology compared with common packet analysis. Common packet inspection only analyzes the contents below Layer 4 of the IP packet, including the source address, destination address, source port, destination port and protocol type, whereas DPI adds application layer analysis on this basis, so it can identify a variety of applications and contents.

For different types of protocols, identification technologies can be divided into the following three categories.

Identification based on feature fields

Different applications often use different protocols, and different protocols have their own special fingerprints, which may be specific ports, strings or bit sequences. Identification based on feature fields decides which application a service flow carries by identifying these fingerprints in the data packet. By inspection method, feature field based identification technologies can be divided into fixed-position feature field matching, mobile-position feature field matching and status feature field matching. Through fingerprint information upgrades, feature field based identification can easily be extended to cover new protocols.

Take the BitTorrent protocol as an example. We can use the reverse engineering approach to analyze the protocol. The so-called peer protocol refers to the protocol for peer-to-peer exchange of information. The peer protocol always starts with a handshake, followed by cycles of message flow, and in front of each message there is a number to indicate the length of the message. In the handshake process, the first thing sent is 19, followed by the string BitTorrent protocol. It can be determined that 19BitTorrentProtocol is the feature field of the BitTorrent protocol.

Identification based on application-layer gateways

As we know, there is a kind of service with separated control flows and service flows, and its service flow has no distinguishing characteristics. Identification based on application layer gateways is designed for this kind of service. First, the application layer gateway identifies the control flow, then selects the appropriate application layer analysis according to the control flow protocol to analyze the control flow, and finally identifies the service flow.

Each protocol needs a different application layer gateway for analysis. For example, SIP and H.323 belong to this category. SIP and H.323 obtain their data channels through negotiation by signaling interaction; generally the voice flow is encapsulated in RTP format. In other words, RTP inspection alone cannot determine the protocol through which this RTP channel was established. The full analysis can be obtained only after the protocol interaction of SIP or H.323 is inspected.

Identification based on behavior patterns

Before identification based on behavior patterns is implemented, all kinds of terminal behaviors must be studied to establish a behavior identification model on this basis. Based on the behavior identification model, behavior pattern identification technology can determine the ongoing action, or the action to be carried out by the user, according to the actions already carried out by the user.

Behavior pattern identification technology is usually used for services that cannot be decided by the protocol itself. Judged from the email content, a spam service flow and a common email flow are no different, so only further analysis can identify spam. Specifically, a behavior identification model can be established from the email sending rate, the number of email addresses and their change frequency, the number of source email addresses and their change frequency, and the frequency with which emails are rejected, to sort out spam.
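The three feature-field inspection methods above (fixed position, mobile position and status), as an added Python example rather than Huawei code: a toy flow classifier. Only the BitTorrent fingerprint comes from the text; the HTTP and FTP signatures, the five-tuples and the payloads are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Toy feature-field classifier (added example). A Signature is one fingerprint
# plus the inspection method it uses: fixed position, mobile position or status.
FiveTuple = Tuple[str, int, str, int, str]   # (src ip, src port, dst ip, dst port, proto)


@dataclass(frozen=True)
class Signature:
    app: str
    method: str                              # "fixed", "mobile" or "status"
    match: Callable[[bytes, Dict], bool]     # (payload, per-flow state) -> hit?


# Fixed-position matching. The BitTorrent peer handshake begins with one byte
# holding the value 19 (0x13), the length of the string that follows, and then
# the string "BitTorrent protocol": the "19BitTorrentProtocol" feature field.
BT_HANDSHAKE = bytes([19]) + b"BitTorrent protocol"


def match_bittorrent(payload: bytes, _state: Dict) -> bool:
    return payload.startswith(BT_HANDSHAKE)


# Mobile-position matching: the token is searched for anywhere in the payload.
# Constructed signature for an HTTP/1.x request line.
HTTP_REQUEST = re.compile(rb"(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")


def match_http(payload: bytes, _state: Dict) -> bool:
    return HTTP_REQUEST.search(payload) is not None


# Status matching: the hit depends on what was seen earlier on the same flow.
# Constructed signature: FTP is declared only after a "220" server greeting
# has been followed by a client USER command.
def match_ftp(payload: bytes, state: Dict) -> bool:
    if payload.startswith(b"220 "):
        state["ftp_greeting_seen"] = True
        return False
    return state.get("ftp_greeting_seen", False) and payload.startswith(b"USER ")


SIGNATURES: List[Signature] = [
    Signature("bittorrent", "fixed", match_bittorrent),
    Signature("http", "mobile", match_http),
    Signature("ftp", "status", match_ftp),
]


class FlowClassifier:
    """Identify the application carried by each flow from its successive payloads.

    The caller passes a direction-normalized five-tuple so that both directions of
    a connection share one state dictionary (needed for status matching)."""

    def __init__(self, signatures: List[Signature] = SIGNATURES) -> None:
        self.signatures = signatures
        self.flows: Dict[FiveTuple, Dict] = {}

    def inspect(self, flow: FiveTuple, payload: bytes) -> Optional[str]:
        state = self.flows.setdefault(flow, {"app": None})
        if state["app"] is None:                 # a flow keeps its first identification
            for sig in self.signatures:
                if sig.match(payload, state):
                    state["app"] = sig.app
                    break
        return state["app"]

    def identified(self) -> Dict[FiveTuple, str]:
        """Flows whose application has been identified so far."""
        return {f: s["app"] for f, s in self.flows.items() if s["app"] is not None}
```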

Security Access Control Gateway (SACG) controls terminal network access authorization. Users in different security situations have different permissions. The SC control server authenticates the terminal and informs the SACG of the result, which then decides the access permission according to the UCL policy, to prevent external users from accessing the internal network and to prevent internal legitimate but insecure users from connecting to the corporate network, which might further infect corporate networks.

Based on the SACG, the main internal network is divided into three logical domains:

Access domain: It consists of a group of clients on which the TSM Agent is installed, which form a local network through Layer-2 or Layer-3 switches.

Pre-authentication domain: It is a logical domain, and its ACL configuration is carried out through the SACG to ensure that users have access only to the networks or hosts specified by the ACL before they obtain access authorization. The pre-authentication domain of the terminal security management system includes the SM management server, SC control server, AD domain management server, anti-virus server and patch server.

Post-authentication domain: It is a logical domain corresponding to the pre-authentication domain. Through SACG configuration, when a user gains service authorization, the user can access the service resources of the post-authentication domain, such as the OA server, ERP server and financial server.
Typically, internal network hosts are configured with a default route whose next hop is the interface IP address of the egress router. All packets exchanged between internal and external users go through the router. If the router fails, communication between the external network and all hosts using the router as the next hop of their default route will be interrupted. As a result, communication reliability cannot be guaranteed.

Virtual Router Redundancy Protocol (VRRP) was developed to resolve this problem. As a fault-tolerant protocol, VRRP is suitable for local area networks (such as Ethernet) that support multicast or broadcast. VRRP organizes a group of routers on a LAN into a virtual router, which is called a backup group. Among them, only one device is active (the master); the remaining devices are in the backup state and are prepared to take over services according to their priorities (the standby devices). If the original active router in the backup group fails, another standby router in the backup group will be selected according to priority level to act as the new active one, which continues providing routing services to the hosts in the network. Therefore, VRRP enables hosts in the internal network to communicate with the external network without interruption, so reliability is guaranteed.

A reliable firewall should also support VRRP, but during stateful inspection firewall processing, only the first packet of a session is checked and a session table entry is generated dynamically. Subsequent packets (including the return packets) can pass through the firewall only when they hit the session table entry. When the inbound path and outbound path of a session are inconsistent, follow-up packets or return packets cannot hit the firewall session table entry, causing the packets to be discarded.
To resolve this problem, Huawei proposed the VRRP Group Management Protocol (VGMP), which is responsible for unified management of the VRRP state of all backup groups. The VGMP mechanism provides consistency management, preemption management and channel management of the state of many VRRP backup groups, to ensure that the interfaces on one firewall are all in the active state or all in the standby state at the same time, realizing consistency of VRRP state.

In addition, to allow the standby device to take over services smoothly when the master device fails, critical configuration commands and session table state information need to be backed up. To this end, Huawei introduced the Huawei Redundancy Protocol (HRP).

After the HRP function is enabled, the active and standby devices synchronize critical configuration commands and session table state in real time. If the active device fails, the VRRP management group state changes, causing VRRP backup group preemption to achieve a smooth takeover by the standby device.
IP link

IP link automatically uses the characteristics of the ICMP or ARP protocol to detect whether a service link is normal. It regularly sends ICMP or ARP requests to a specified destination IP address, waits for the response from the destination, and determines network connectivity according to the responses. If no response packet is received within the preset time, the link is regarded as failed, and the related operation is carried out. If three consecutive response packets are then received within the preset time, the link that was regarded as failed is considered recovered, and the link recovery operations are carried out.

The result of IP link automatic detection (destination host reachable or unreachable) can be referenced by other functions, and the main applications include:

Application in static routing

When IP link finds that a link is unreachable, the firewall adjusts its static routes accordingly. If the link of the original high-priority static route is detected as failed, the firewall chooses a new link for service forwarding. If the original high-priority static route recovers, the firewall adjusts the static routes again to replace the low-priority route with the high-priority one, to ensure that the link in use is always the high-priority, reachable one, so that services are continuous.

Application in dual-system hot backup

When IP link detection finds that a link is unreachable, the firewall adjusts its VGMP priority level to switch from active to standby, to ensure service continuity.
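The IP link detection logic and its two applications, as an added Python example (not Huawei code). Probe outcomes are fed in as booleans instead of real ICMP/ARP exchanges, and the link names, addresses, route preferences and the VGMP penalty value are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Added example: a link is marked failed as soon as one probe goes unanswered,
# and a failed link is marked recovered after three consecutive answered probes.
# Static routing and VGMP subscribe to the state changes, as on the page.

RECOVERY_REPLIES = 3


@dataclass
class IpLink:
    name: str
    dest_ip: str
    reachable: bool = True
    consecutive_replies: int = 0
    # Functions that reference the detection result (static routing, VGMP).
    listeners: List[Callable[["IpLink"], None]] = field(default_factory=list)

    def probe_result(self, replied: bool) -> bool:
        """Record one probe outcome and return the link state afterwards."""
        was_reachable = self.reachable
        if not replied:
            self.reachable = False
            self.consecutive_replies = 0      # recovery needs 3 replies in a row
        else:
            self.consecutive_replies += 1
            if not self.reachable and self.consecutive_replies >= RECOVERY_REPLIES:
                self.reachable = True
        if self.reachable != was_reachable:
            for notify in self.listeners:
                notify(self)
        return self.reachable


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    preference: int      # lower value = higher priority
    link: str            # name of the IP-link this route tracks


class StaticRouting:
    """Application in static routing: use the highest-priority route whose link is up."""

    def __init__(self, routes: List[StaticRoute], links: Dict[str, IpLink]) -> None:
        self.routes, self.links = routes, links
        self.events: List[str] = []
        for link in links.values():
            link.listeners.append(self._on_link_change)

    def active_route(self, prefix: str) -> Optional[StaticRoute]:
        usable = [r for r in self.routes
                  if r.prefix == prefix and self.links[r.link].reachable]
        return min(usable, key=lambda r: r.preference, default=None)

    def _on_link_change(self, link: IpLink) -> None:
        self.events.append(f"{link.name} {'recovered' if link.reachable else 'failed'}")


class VgmpGroup:
    """Application in dual-system hot backup: every failed link lowers this
    device's VGMP priority so the peer can take over (penalty value constructed)."""

    def __init__(self, base_priority: int, penalty: int = 2) -> None:
        self.base_priority, self.penalty = base_priority, penalty
        self.failed_links: set = set()

    @property
    def priority(self) -> int:
        return self.base_priority - self.penalty * len(self.failed_links)

    def on_link_change(self, link: IpLink) -> None:
        if link.reachable:
            self.failed_links.discard(link.name)
        else:
            self.failed_links.add(link.name)


def demo() -> StaticRouting:
    """Two upstream links; the preferred default route follows isp-a."""
    links = {"isp-a": IpLink("isp-a", "203.0.113.1"),
             "isp-b": IpLink("isp-b", "198.51.100.1")}
    routes = [StaticRoute("0.0.0.0/0", "203.0.113.1", 60, "isp-a"),
              StaticRoute("0.0.0.0/0", "198.51.100.1", 100, "isp-b")]
    return StaticRouting(routes, links)
```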

Long Link

In actual applications, the aging time of some firewall sessions is relatively short, while the corresponding data flow needs not to be aged for a long time. To address this contradiction, the long link is proposed for the firewall. The long connection feature sets an extra long aging time for a specified data flow. The data flow is selected by an ACL, and its aging time is not limited by the global aging time.

Segment Caching

When a network device transfers packets, if the MTU configured on the device is smaller than the packet, the packet is segmented (fragmented) before being forwarded.

In ideal packet transfer, all segmented packets are transferred in a fixed order. In actual transfer, it is possible that the first segment is not the first to reach the firewall. Without segment caching, the firewall drops this series of segments.

To ensure normal continuation of sessions, the firewall adds the segment caching function. The working process is as follows:

1. Apply segment caching to any segment that reaches the firewall earlier than the first segment.

2. Forward the cached segments after the first segment arrives.

If within a certain time (five seconds by default) the first segment does not reach the firewall, the cached following segments are dropped.
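The segment caching process above, as an added Python example (not Huawei code): segments arriving ahead of the first segment are held and released once it arrives, or dropped when the five-second cache time passes. Addresses and segment contents are constructed, and time is passed in explicitly so the behaviour can be reproduced offline.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Added example of segment (IP fragment) caching. Segments of one datagram are
# grouped by (source, destination, IP identification); offset 0 is the first segment.

DEFAULT_CACHE_SECONDS = 5.0                 # default cache time given on the page
DatagramKey = Tuple[str, str, int]


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    ident: int        # IP identification field shared by all segments of one datagram
    offset: int       # fragment offset in bytes; 0 marks the first segment
    more: bool        # More-Fragments flag
    payload: bytes

    @property
    def key(self) -> DatagramKey:
        return (self.src, self.dst, self.ident)


class SegmentCache:
    def __init__(self, cache_seconds: float = DEFAULT_CACHE_SECONDS) -> None:
        self.cache_seconds = cache_seconds
        self.held: Dict[DatagramKey, List[Segment]] = {}
        self.deadline: Dict[DatagramKey, float] = {}
        self.first_seen: Set[DatagramKey] = set()   # datagrams whose first segment passed
        self.dropped = 0

    def expire(self, now: float) -> int:
        """Drop held segments whose first segment has not arrived in time."""
        expired = [k for k, due in self.deadline.items() if now >= due]
        for key in expired:
            self.dropped += len(self.held.pop(key))
            del self.deadline[key]
        return len(expired)

    def receive(self, seg: Segment, now: float) -> List[Segment]:
        """Process one arriving segment; return the segments to forward, in order."""
        self.expire(now)
        key = seg.key
        if seg.offset == 0:
            # The first segment carries the transport header the session check
            # needs; forward it, then release anything held for this datagram.
            self.first_seen.add(key)
            held = self.held.pop(key, [])
            self.deadline.pop(key, None)
            if not seg.more:
                self.first_seen.discard(key)  # unfragmented datagram: nothing to track
            return [seg] + sorted(held, key=lambda s: s.offset)
        if key in self.first_seen:
            return [seg]          # first segment already went through: forward directly
        # A later segment arriving before the first one: cache instead of dropping.
        self.held.setdefault(key, []).append(seg)
        self.deadline.setdefault(key, now + self.cache_seconds)
        return []
```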

Packet Filtering

As long as data flows between two security zones, the firewall security rule inspection function is triggered. Packet filtering is an important part of firewall security rule inspection.

Packet filtering implements IP packet filtering, and its working process is as follows:

1. For the packets that need to be forwarded, the firewall first obtains the packet header information, including the protocol number of the upper layer protocol carried by IP, the packet source address, destination address, source port number and destination port number.

2. Compare the packet header information with the preset ACL rules.

3. According to the comparison result and the ACL rules, allow or reject forwarding of the packet.

Attack Defense

Common network attacks intrude into or damage Web servers (hosts) to steal sensitive server data or to disrupt or interfere with service provision. There are also network attacks that directly undermine network devices, which have greater impact and lead to abnormal network services or even business interruption. The firewall attack defense feature detects various types of network attacks and can take appropriate measures to protect internal networks from malicious attacks, to ensure the normal operation of internal networks and systems.

Packet Statistics

The firewall needs not only to monitor data flows, but also to inspect link connections between internal and external networks, so it needs a lot of statistics, calculation and analysis.

Firewall analysis of packet statistics includes the following two aspects:

1. Special analysis software analyzes the log information afterwards.

2. The firewall completes some real-time analysis functions itself.

Through packet analysis, the firewall protects internal networks. For example:

Analyzing the TCP connections launched from the external network to the internal network, or detecting whether the total number of UDP connections exceeds the preset threshold, can tell whether it is necessary to limit the launching of new connections in this direction, or to limit new connections to one IP address in the internal network.

If analysis finds that the total number of system connections exceeds the preset threshold, the aging of system connections can be sped up to ensure that new connections can be set up normally, and to prevent service rejection because the system is too busy.

Blacklist

The blacklist is an important firewall security feature; it is a list of IP addresses. If a user's IP address matches an IP address on the blacklist, the firewall drops all packets from that user. The blacklist allows dynamic adding and deletion. Compared with ACL packet filtering, the blacklist only matches the IP address, so blacklist entries can be matched at higher speed, which quickly and effectively blocks users with specific IP addresses.

Two ways of creating blacklist entries:

1. Create manually through command lines.

2. Create dynamically through the firewall attack defense modules or IDS modules.

The firewall dynamically creates a blacklist entry according to the following process:

1. Detect an attack attempt from a specified IP address according to packet behavior features.

2. Insert the IP address into the blacklist table entries automatically.

3. Drop the packets from that IP address according to the blacklist to ensure network security.

Referencing an advanced ACL from the blacklist binds the blacklist and the advanced ACL, to keep some special users free from blacklist interference. In that case, the security policy determines whether to allow a packet through based on the advanced ACL rules: the flow denied by the ACL rules is dropped and the flow allowed by the ACL rules is passed. Even if such a user is added to the blacklist, it can still carry out normal communication.

MAC and IP Address Binding

MAC and IP address binding means the firewall can generate a correlation between a MAC address and an IP address according to user configuration.

MAC and IP address binding is an effective means to avoid IP address spoofing attacks:

1. For a packet whose source address is the bound IP address, if its MAC address is not the MAC address in the specified relationship, the firewall drops it.

2. For a packet whose destination address is the bound IP address, it is forcibly sent to the MAC address corresponding to this IP address in the MAC-IP address correlation.

Port Identification

Application layer protocols generally use well-known port numbers for communication. Port identification allows users to define a new set of port numbers, in addition to the well-known port numbers, for different applications. Port identification provides mechanisms to maintain and use user-defined port configuration information.

Port identification can create and maintain predefined and user-defined port identification tables for different application protocols.

The firewall supports basic ACL-based host port identification. Host port identification identifies the customized port number and application protocol of packets destined for certain hosts. For example, TCP packets destined for network segment 10.110.0.0 and using port 8080 are identified as HTTP packets. The host range is specified by the ACL.
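The checks described in this chapter, as an added Python example (not Huawei code) that ties together the security zone levels and interzone directions, the three packet filtering steps, the blacklist with its bound advanced ACL, and MAC/IP binding. The interfaces, addresses, rules, the default-deny for unmatched traffic and the handling of intra-zone traffic are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example: forwarding checks in the order blacklist -> MAC/IP binding ->
# zone direction -> interzone ACL. Zone levels are the fixed values given for
# the predefined zones; interfaces, addresses and rules are constructed.

ZONE_LEVEL = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
IFACE_ZONE = {"GE0/0/1": "trust", "GE0/0/2": "untrust", "GE0/0/3": "dmz"}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src_ip: str
    dst_ip: str
    proto: str                # "tcp", "udp" or "icmp"
    dst_port: int = 0
    src_mac: str = ""


@dataclass(frozen=True)
class Rule:
    """One advanced-ACL rule; a None field matches anything."""
    action: str               # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dst_port in (None, p.dst_port))


def acl_lookup(rules: List[Rule], p: Packet) -> str:
    """Packet filtering steps 2 and 3: compare the header fields with the ACL
    rules in order; the first match decides, no match means deny (assumption)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def direction(src_zone: str, dst_zone: str) -> str:
    """Inbound runs from the lower to the higher security level, outbound the reverse."""
    return "inbound" if ZONE_LEVEL[src_zone] < ZONE_LEVEL[dst_zone] else "outbound"


class Firewall:
    def __init__(self) -> None:
        self.blacklist: Set[str] = set()
        self.blacklist_acl: List[Rule] = []          # advanced ACL bound to the blacklist
        self.mac_ip_binding: Dict[str, str] = {}     # IP address -> bound MAC address
        # Interzone policies keyed by (zone, zone, direction), one ACL per direction.
        self.policies: Dict[Tuple[str, ...], List[Rule]] = {}

    def check(self, p: Packet) -> str:
        # Blacklist: a listed source is dropped unless the bound advanced ACL permits it.
        if p.src_ip in self.blacklist and acl_lookup(self.blacklist_acl, p) != "permit":
            return "drop: blacklisted source"
        # MAC/IP binding: a bound source IP must arrive from its bound MAC address.
        bound_mac = self.mac_ip_binding.get(p.src_ip)
        if bound_mac is not None and bound_mac.lower() != p.src_mac.lower():
            return "drop: MAC/IP binding mismatch"
        # Zones are assigned per interface; the direction follows the security levels.
        src_zone, dst_zone = IFACE_ZONE[p.in_iface], IFACE_ZONE[p.out_iface]
        if src_zone == dst_zone:
            return "forward: intra-zone"            # no interzone to check (assumption)
        d = direction(src_zone, dst_zone)
        key = tuple(sorted((src_zone, dst_zone))) + (d,)
        verdict = acl_lookup(self.policies.get(key, []), p)
        return f"{'forward' if verdict == 'permit' else 'drop'}: {src_zone}->{dst_zone} {d}"


def demo_firewall() -> Firewall:
    """Constructed policy: web out to the Internet, only HTTP in to the DMZ server."""
    fw = Firewall()
    fw.policies[("trust", "untrust", "outbound")] = [
        Rule("permit", src="10.1.1.0/24", proto="tcp", dst_port=443),
        Rule("permit", src="10.1.1.0/24", proto="tcp", dst_port=80)]
    fw.policies[("dmz", "untrust", "inbound")] = [
        Rule("permit", dst="172.16.1.10/32", proto="tcp", dst_port=80)]
    fw.policies[("dmz", "trust", "outbound")] = [
        Rule("permit", dst="172.16.1.10/32", proto="tcp", dst_port=80)]
    fw.blacklist.add("10.1.1.99")
    # The blacklisted host is still allowed to reach the DMZ web server.
    fw.blacklist_acl = [Rule("permit", src="10.1.1.99/32", dst="172.16.1.10/32",
                             proto="tcp", dst_port=80)]
    fw.mac_ip_binding["10.1.1.20"] = "00:11:22:33:44:55"
    return fw
```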

Access Control List

An Access Control List can define network data flows through packet source address, destination address, port number, upper-layer protocol and other information, and is the basis for the application of packet filtering, NAT, IPSec, QoS, policy routing and others.

Network Address Translation

Network Address Translation is the process of translating the IP address in the IP packet header into another IP address.

Authentication and Authorization

Authentication and authorization generally use a C/S structure. Clients run on the managed resource side, and user information is stored centrally on servers. This structure not only has good scalability, but also is good for centralized management of user information. Authentication and authorization support the following authentication methods:

No authentication: Users are trusted and do not need a legality check. Generally this approach is not adopted.

Local authentication: When a user accesses the network, the user information (including user name, password and other properties) configured locally on the broadband access server is the basis for authentication. Local authentication is fast and can reduce operating costs; the drawback is that the amount of stored information is limited by the device hardware.

Remote authentication: supports the Remote Authentication Dial In User Service (RADIUS) protocol or the HWTACACS protocol for remote authentication. The Network Access Server (NAS) works as the client for communication with the RADIUS server or HWTACACS server. For the RADIUS protocol, the standard RADIUS protocol or the Huawei extended RADIUS protocol can be used together with the RADIUS server to complete authentication.

Layer 2 Tunneling Protocol

L2TP is an industry-standard Layer 2 tunneling protocol drafted by the Internet Engineering Task Force (IETF) with the participation of Microsoft and other companies. It combines the advantages of the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Forwarding Protocol (L2F). The PPP protocol defines an encapsulation technology that can transfer multi-protocol packets over a Layer 2 point-to-point link. In that case, the PPP protocol runs between the user and the NAS, and the Layer 2 link endpoint and the PPP session endpoint reside on the same hardware device. L2TP provides a transmission channel for PPP link layer packets, allows the Layer 2 link endpoint and the PPP session endpoint to reside on different devices, and uses packet-switched network technology for information exchange, which extends the PPP model.

GRE VPN

GRE is a Layer 3 tunneling protocol for Virtual Private Networks (VPN), in which tunneling technology is used between the layers. A tunnel is a virtual point-to-point connection, and in practice can be seen as a virtual interface supporting point-to-point connections that provides a path along which encapsulated packets can be transmitted; data packets are encapsulated and de-encapsulated at the two ends of the tunnel.

IPSec VPN

The IPSec (IP Security) protocol suite is a series of protocols defined by the IETF, which provide cryptography-based, interoperable, high-quality security protection mechanisms for IP packets. Through encryption and data source authentication at the IP layer, the two sides of a specific communication ensure the confidentiality, integrity and authenticity of packets transmitted in the network, and effective defense against replay attacks.

IPSec protects packets through the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. The functions of the protocols are as follows:

The AH protocol provides data source authentication, data integrity check and packet replay attack defense, but cannot encrypt the packets that need to be protected.

In addition to providing all the features of the AH protocol, the ESP protocol also provides IP packet encryption. Different from the AH protocol, its data integrity check does not include the IP packet header.

The ESP protocol allows packet encryption and authentication at the same time, or only encryption, or only authentication. The use and management of IPSec can be simplified by creating security associations (SA) manually, but also by key exchange and the establishment and maintenance of SAs through auto-negotiation with the Internet Key Exchange (IKE) protocol. The IKE protocol is used to auto-negotiate the cryptographic algorithms for AH and ESP, and puts the keys required by the algorithms into the appropriate places.

1.Virtual services technology

After firewall configuration load balancing, multiple servers share a single public IP address

address (the IP address), the flow generated from multi-layer switch/firewall access to the virtual IP address is allocated to each real server in accordance with pre-configured algorithm.
2. Server health detection

Load Balancing

Load balancing means that the firewall, configured according to certain algorithms, distributes user traffic accessing the same IP address to different servers. Users believe they are accessing the same server, but the firewall in fact hands their requests to different servers for processing. This not only makes use of each server's processing capability to share the traffic, but also guarantees server availability and security for the best network scalability.

(the virtual IP address), and these servers are called real servers. Users access the content on these real servers through this virtual IP address. Each real server uses a different private IP

The following technologies are used for load balancing to allocate user traffic to multiple servers:

3. Flow-based forwarding: Through a specified algorithm, the data flow is sent to different real servers for processing.

The firewall probes the real servers periodically (health check). If a real server is available, it returns a response packet; if it is unavailable, the firewall disables that real server after a period of time and allocates the traffic to the other real servers according to the configured policies.

IP-CAR

IP-CAR functions include:

Connection number limiting: limits the number of connections launched from a specified IP address or the number of incoming connections to it.

Bandwidth limiting: limits the bandwidth of a specified IP address.

Limiting the number of connections can prevent users from launching attacks and protect specified users from attacks; bandwidth limiting can optimize network traffic, ensure normal access rates, and help prevent network attacks.

P2P limiting

Peer-to-Peer (P2P) network traffic (such as the traffic generated by BT and eMule downloads) is very large and may affect other services. Firewall P2P limiting can limit P2P traffic to ensure the normal operation of other services.

P2P limiting accurately identifies P2P traffic on the network through in-depth P2P packet inspection and behavior detection, and limits the traffic accordingly. Firewall P2P limiting can be combined with ACLs and a limiting rate for a specific time period to limit P2P traffic and meet the needs of different users. If the current firewall does not recognize some P2P traffic, a new model file can be obtained to control the emerging P2P traffic. The P2P limiting function can be applied to networks with large P2P traffic, such as community, campus and enterprise networks.

Logging

Huawei firewall logs include: attack prevention logs, traffic monitoring logs, blacklist logs and various statistical information.

The firewall can output syslog in text format, and it can also build a flow-based state information table from the characteristics of the large data flows passing through the firewall and the rich log information, and output the log in binary form. Compared with syslog, the binary log is more suitable for transmitting large volumes of log information at higher network speeds.

Throughput

Throughput refers to the firewall's packet processing capacity. RFC 2647 defines firewall throughput as the number of bits per second that the firewall receives and processes under a specified data load and forwards to the correct destination interface. When testing firewall throughput, ignore error traffic and retransmitted traffic, that is, count only the traffic that is forwarded to the destination interface; traffic at different load levels and traffic in different directions also need to be tested to obtain the final average value. For load levels, the industry generally uses large packets of 1 KB to 1.5 KB to measure firewall packet processing capacity. However, most network traffic consists of packets of about 200 bytes, so the test should also consider small-packet throughput. A firewall needs to be configured with rules, so the forwarding performance supported by the firewall with ACLs applied also needs to be tested.

Latency

Latency is the time interval from the last bit of a data packet entering the firewall to the first bit leaving the firewall; it is used to measure how fast the firewall processes data.

New Connections per Second

New connections per second refers to the number of new complete TCP connections established through the firewall per second. Firewall connections are established dynamically according to the current state of both communicating sides. Each session must establish a connection on the firewall before data exchange. If connection establishment on the firewall is slow, the client may experience a long delay each time it communicates. Therefore, the higher this indicator is, the higher the forwarding rate will be. When the firewall is attacked, it has stronger protection capacity if this indicator is high; and the higher the indicator is, the stronger the backup capacity will be.

Concurrent Connections

Concurrent connections refers to the maximum number of connections that can be accommodated at the same time. The firewall processes packets based on connections, so the number of concurrent connections is the maximum number of connections the firewall can hold at once. One connection is one TCP/UDP access attempt. The higher the concurrent connection indicator is, the stronger the attack defense capacity will be. When the number of concurrent connections reaches the upper limit, new connection request packets are dropped when they reach the firewall.

The Versatile Routing Platform (VRP) is the software core engine running on the Huawei firewall. VRP provides the following functions:

1. Implement a unified user interface and management interface, including the real-time operating system kernel, IP software forwarding engine, route processing, and configuration management platform.

2. Implement the platform control function, define the forwarding plane interface specifications, and realize the interaction between the forwarding plane and the VRP control plane of each product.

3. Implement the network interface layer and shield the differences between the link layer and network layer of each product.

In addition, the VRP platform system features ensure the high availability of devices. The system features of the VRP platform mainly include:

Componentization: The VRP adopts a component-based architecture, provides abundant features, and implements application-based tailoring and expansion capability. Specifically, all protocols and features in the VRP are constructed as components, which can be controlled dynamically by using license files. In addition, the core component is configured on the hardware platform independently, which provides wide adaptability and cross-platform application.

License mechanism: The VRP implements high availability by using the license. The license has two functions: 1. It controls whether features are available; users can only use the features allowed by the license. 2. It controls resources and limits the routes reserved by the system, the LSPs established, and the VPN instances. The license mechanism can flexibly add and remove features based on requirements and save the user's investment.

HA: The VRP device reliability reaches 99.999% through the high availability (HA) design. This reliability indicator means that the unavailable time of the system in a year is less than five minutes.

For VRP system commands, the hierarchical protection mode is adopted. Commands are classified into four levels: visit level, monitoring level, configuration level, and management level.

Visit level: Includes network diagnostic tool commands (ping and tracert) and commands for accessing external devices from the local device (Telnet client, SSH, and Rlogin). Commands at this level do not allow the configuration file to be saved.

Monitoring level: Used for system maintenance and service failure diagnosis. Includes display and debugging commands. Commands at this level do not allow the configuration file to be saved.

Configuration level: Includes service configuration commands, for example, routing commands and the commands of each network layer, which provide direct network services for users.

Management level: Related to basic system operation. Includes commands used by the system to support modules. These commands provide support for services including the file system, FTP, TFTP, Xmodem downloading, configuration file switching commands, standby board control commands, user management commands, command level configuration commands, and system internal parameter configuration commands.

The system classifies logged-in users into four levels, which correspond to the command levels respectively. After users of different levels log in to the system, they can only use commands that are equal to or lower than their own level. When a user's privilege is to be switched from a low level to a high level, the super password [ level user-level ] { simple | cipher } password command must be used to switch.

The system divides the command line interface into multiple command views. All commands of the system are registered under a certain (or some) command views. The commands under a view can only be run in the corresponding view.

After the connection with the firewall is established, the user view is displayed. This view only supports simple operations such as viewing the operating status and statistics. After system-view is typed, the system view is displayed. In the system view, different configuration commands can be typed to enter the corresponding protocol and interface views.

The VRP platform provides a convenient command line online help function. You can type a question mark wherever you have a question.

1. For example, type a question mark directly in the system view. The system then displays the command parameters that can be configured in the system view.

2. Or type a space after a parameter and then type a question mark. The system lists the parameters that can follow it.

3. Type a character string and then a question mark after it; the system lists all commands that begin with this character string.

In addition, type the first few characters of a key word of the command and then press Tab. The complete key word is displayed.

We can see that the displayed information may exceed the screen. In this case, the system provides the pause function. Users have the following choices:

When the pause menu is displayed, press Ctrl+C to stop the display and command execution.

When the pause menu is displayed, press Enter to continue to display the information of the next line.

When the pause menu is displayed, press Space to continue to display the information of the next screen.

The preceding configuration procedures are different from firewall forwarding procedures. The USG2200&5100 V100R005 and later versions do not have an independent working mode configuration or concept. If all interfaces are Layer-3 interfaces, the firewall is in routing mode. If all interfaces are Layer-2 interfaces, it is in transparent mode.

The USG supports the following two interface cards:

L2 interface card: All interfaces are L2 Ethernet interfaces. Switching to L3 interfaces is not supported.

L3 interface card: All interfaces are L3 Ethernet interfaces by default. Running the portswitch command switches them to L2 Ethernet interfaces.

Running the firewall zone command has the following scenarios:

The security zone exists: Configuring the key word name is not required. The security zone view is entered directly.

The security zone does not exist: Configuring the key word name is required. The security zone is created and its view is entered.

The system predefines four security zones: Local, Trust, DMZ, and Untrust. In routing mode, these four security zones do not need to be created and cannot be deleted. The firewall supports up to 16 security zones. The following principles should be followed when configuring the security level of a security zone:

1. Only the security level of a customized security zone can be set.

2. Once the security level is set, it cannot be modified.

3. In the same system, the same security level cannot be configured for two security zones.

4. For a newly created security zone, the system sets the security level to 0 if the security level is not set.

Adding Interface into the Security Zone

Step 1 Run the system-view command to enter the system view.

Step 2 Run the firewall zone [ vpn-instance vpn-instance-name ] [ name ] zone-name command to create the security zone and enter the corresponding security zone view.

Step 3 Run the add interface interface-type interface-number command to add the interface to the security zone.

Configuration of Interzone Default Packet Filtering Rules

When a data flow cannot match any ACL in the firewall, the packets of this data flow are forwarded or discarded according to the interzone default packet filtering rules. The following operation should be performed when configuring the interzone default packet filtering rules.

By default, packets are prohibited from passing through all firewall security zones.

Parameter Description:

permit: Indicates that packets are permitted by default.

deny: Indicates that packets are denied by default.

all: Indicates that all security zones are configured.

interzone: Indicates that specific security zones are configured.

zone1: Indicates the name of the first security zone; it can be the DMZ, Local, Trust or Untrust zone or a customized zone.

zone2: Indicates the name of the second security zone; it can be the DMZ, Local, Trust or Untrust zone or a customized zone.

direction: Indicates the direction in which the filtering rules are configured.

inbound: Configures the filtering rules for the inbound direction of the security zones.

outbound: Configures the filtering rules for the outbound direction of the security zones.

Routing Configuration

An interconnection network can be established by configuring static routes. If a network failure occurs, a static route is not changed automatically, but it can be changed by the administrator's configuration. The default route can be used if no matching routing table entry is found. If a suitable route cannot be found, the default route is used. In the routing table, the default route is configured as the route reaching the network with mask 0.0.0.0. If the destination address of a packet does not match any entry in the routing table, the packet selects the default route. If no default route exists and the destination address of the packet is not in the routing table, the packet is discarded. Meanwhile, an ICMP packet is returned to the source terminal reporting that the destination address or network is unreachable.

Note:

1) When configuring a static route or the default route, if the next hop points to an interface, confirm whether the interface type (point-to-point, non-broadcast multi-access, or broadcast) is point-to-point.

2) When configuring a static route or the default route, if two or more routes to the same destination exist, the route with the smallest preference value takes effect.
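Route selection as the notes above describe it, as an added example (not the course's or VRP's own code), run on a constructed routing table: longest prefix first, lowest preference value among equal prefixes, default route as the fallback, and a discard with ICMP unreachable when no default route exists. The preference value 60 for static routes is an assumption not stated on the page.

```python
"""Added example, not from the course material: route selection on a
constructed routing table. The longest matching prefix wins; among routes to
the same destination the smallest preference value takes effect; a destination
with no matching entry falls back to the default route (mask 0.0.0.0), and with
no default route the packet is discarded and ICMP unreachable is returned.

Assumption not stated on the page: static routes default to preference 60."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    dest: str            # e.g. "10.1.0.0/16"; "0.0.0.0/0" is the default route
    next_hop: str
    preference: int = 60  # assumed static-route default; a lower value is preferred

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.dest)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def lookup(self, dst: str) -> Optional[Route]:
        """Return the route that would carry a packet to dst, or None."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None
        # longest prefix first; equal prefixes are settled by the lower preference value
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.preference))

    def forward(self, dst: str) -> str:
        route = self.lookup(dst)
        if route is None:
            return "discard; ICMP destination unreachable sent to source"
        return f"forward via {route.next_hop} ({route.dest})"


def build_table(with_default: bool) -> RoutingTable:
    """Constructed table: a primary and a backup route to 10.1.0.0/16, a more
    specific route to 10.1.2.0/24, and optionally a default route."""
    table = RoutingTable()
    table.add(Route("10.1.0.0/16", "10.0.0.1"))                  # preference 60
    table.add(Route("10.1.0.0/16", "10.0.0.2", preference=100))  # backup, higher value
    table.add(Route("10.1.2.0/24", "10.0.0.3"))
    if with_default:
        table.add(Route("0.0.0.0/0", "203.0.113.1"))
    return table


if __name__ == "__main__":
    table = build_table(with_default=True)
    for dst in ("10.1.2.5", "10.1.9.9", "198.51.100.4"):
        print(dst, "->", table.forward(dst))
    print("no default:", build_table(with_default=False).forward("198.51.100.4"))
```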

File System Management - FTP

The file system is used to manage the storage units on the firewall and save files into those storage units. The storage units currently supported by the firewall include Flash and the Compact Flash (CF) card. The file system can create, delete, and modify directories on the firewall's storage devices, copy, move, and delete files, and rename files. A file name supports up to 64 bytes; if the file name is too long, the file system cannot operate on it.

FTP is an application layer protocol in the TCP/IP protocol family, which is used to transmit files between users and remote hosts. The FTP protocol can be implemented based on the corresponding files.

The FTP services provided by the system include:

FTP server service: Users can log in to the firewall by using an FTP client and access files on the firewall.

FTP client service: Users can establish a connection with a remote FTP server by using the ftp command on the firewall and access files on the remote server. The FTP client, as part of the firewall system, provides an additional function for users. It has no configuration function; it is an application module. Users act as the connection between the FTP client and the remote server. Users can type FTP client commands to create and delete directories.

Only when the username, password, and access directory are configured can the FTP client log in and access files on the firewall. The system supports multiple users' access at the same time.

User Login Configuration - Telnet

Telnet is an application-layer protocol in the TCP/IP protocol family, which provides remote login and virtual terminal functions over the network. The Telnet services provided by the firewall system include the Telnet server terminal service and the Telnet client terminal service.

If the firewall is set as the Telnet server, it provides three authentication modes for client login:

No authentication: The firewall does not perform any authentication on the login client.

Password authentication: A password must be typed when the client logs in to the firewall. This password can be configured on the firewall.

AAA authentication: AAA authentication is required when the client logs in to the firewall. The AAA authentication can be configured in the firewall AAA view.

When using Telnet to log in to the firewall, if a user types the wrong password three times, the system adds this client IP address to the blacklist and configures it to stay in the blacklist for 10 minutes. If the firewall blacklist function is enabled, users are not allowed to use this client IP address to log in to the firewall within those 10 minutes. If the firewall blacklist function is disabled, this limitation does not apply.
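The login lockout just described, as an added example (not the course's or the firewall's own code), driven by a constructed sequence of login attempts: three wrong passwords from one client IP blacklist it for 10 minutes, and the blacklist is only enforced while the blacklist function is enabled. The reset of the failure counter on success or expiry, and the use of integer seconds for time, are assumptions not stated on the page.

```python
"""Added example, not from the course material: a model of the Telnet login
lockout described above. After three wrong passwords from one client IP, that IP
is placed on the blacklist for 10 minutes; while the blacklist function is
enabled, logins from a blacklisted IP are refused; when it is disabled, attempts
are still counted but never refused.

Assumptions not stated on the page: the failure counter resets on a successful
login and when the blacklist entry expires; time is an integer number of seconds."""
import hmac
from typing import Dict, List

MAX_FAILURES = 3
BLACKLIST_SECONDS = 10 * 60


class TelnetLoginGuard:
    def __init__(self, password: str, blacklist_enabled: bool = True) -> None:
        self._password = password
        self.blacklist_enabled = blacklist_enabled
        self.failures: Dict[str, int] = {}       # client IP -> consecutive failures
        self.blacklist: Dict[str, int] = {}      # client IP -> expiry time (seconds)

    def is_blacklisted(self, ip: str, now: int) -> bool:
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                        # entry aged out: drop it and start fresh
            del self.blacklist[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, password: str, now: int) -> str:
        """Return 'refused', 'ok', 'failed' or 'failed:blacklisted'."""
        if self.is_blacklisted(ip, now) and self.blacklist_enabled:
            return "refused"
        if hmac.compare_digest(password, self._password):
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blacklist[ip] = now + BLACKLIST_SECONDS
            self.failures.pop(ip, None)
            return "failed:blacklisted"
        return "failed"


def demo(blacklist_enabled: bool = True) -> List[str]:
    """Constructed sequence from one client: three bad passwords, a correct one
    while blacklisted, and a correct one after the entry has expired."""
    guard = TelnetLoginGuard("correct-horse", blacklist_enabled)
    attempts = [(0, "guess1"), (5, "guess2"), (9, "guess3"),
                (30, "correct-horse"), (9 + BLACKLIST_SECONDS, "correct-horse")]
    return [guard.attempt("203.0.113.7", pw, t) for t, pw in attempts]


if __name__ == "__main__":
    print("blacklist enabled: ", demo(True))
    print("blacklist disabled:", demo(False))
```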

If the firewall is set as the Telnet server, the configuration method is as follows:

Step 1 Run the system-view command to enter the system view.

Step 2 Run the user-interface [ user-interface-type ] user-interface-number [ ending-user-interface-number ] command to enter the user interface view.

Step 3 Run the idle-timeout minutes [ seconds ] command to disconnect idle Telnet connections after the specified time. To prevent illegal intrusion through an authorized user's session, if no input is received from the terminal user after a certain time, the connection with the user should be disconnected. The default disconnection time of the terminal user is 10 minutes.

Step 4 Run the authentication-mode { aaa | none | password | local user username password password } command to set the authentication mode for logging in to the user interface. By default, password authentication is the authentication method.

Step 5 Run the set authentication password { simple | cipher } password command to set the password for local authentication. When password authentication is the authentication method, this command needs to be configured (optional).

Step 6 Run the user privilege level level command to configure the command level that can be accessed by the user logging in from the current user interface. The default level is 0 (optional).

Web Management Configuration

The Huawei firewall provides a simple and easy-to-use Web configuration interface, which facilitates operating and maintaining the firewall. It provides the following two access modes:

Encryption: The Web browser interacts with the firewall using the HTTP Secure (HTTPS) protocol. The encryption function protects the user's information.

No encryption: The Web browser interacts with the firewall using the HTTP protocol.

The configuration procedure is as follows:

Step 1 Run the system-view command to enter the system view.

Step 2 Run the web-manager [ security ] enable [ port port-number ] command to enable the Web management function.

Step 3 Run the aaa command to enter the AAA view.

Step 4 Run the local-user user-name password { simple | cipher } password command to create the AAA local user.

Step 5 Run the local-user user-name service-type web command to configure the user's service type as Web.

Step 6 Run the local-user user-name level 3 command to configure the user's level. The Web user's level must be set to level 3 (the highest level).

Configuration Files Operation and Firewall Restart

Step 1 In the user view, run the save command to save the current configuration. Users can modify the current firewall configuration on the CLI. To use this current configuration as the initial configuration of the firewall at the next power-on, run the save command to save the current configuration to the default storage device and form the configuration file.

Step 2 In the user view, run the reset saved-configuration command to erase the configuration file. After the configuration file is erased, the firewall adopts the default configuration parameters for initialization at the next power-on.

Step 3 In the user view, run the reboot command. The firewall is restarted and this restart action is logged.

Step 4 Run the startup system-software sysfile command to configure the system software file name for the next startup.

HCNA-Security V1.0 CBSN Chapter 3

Firewall Packet Filtering Technology

As a network protection mechanism, packet filtering is the basic control of traffic forwarding.

The traditional packet-filtering firewall obtains header information from the packet to be forwarded, including the source IP address, destination IP address, upper-layer protocol number in the IP header, source port number and destination port number. Then, the firewall matches the packet header information against the pre-defined filter rules. Finally, the firewall decides to forward or discard the packet according to the matching result.

The forwarding mechanism of the packet filter firewall is to match the header information of each packet against the filter rules. As a result, the forwarding efficiency is low. Currently, the firewall uses the stateful inspection mechanism. The firewall checks the first packet of a connection against the filtering rules. If the first packet is permitted, the firewall creates a session and adds it to the session table. All subsequent packets of the session are permitted.
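The stateful inspection mechanism above, as an added example (not the course's or the firewall's own code) run on constructed traffic: only the first packet of a flow is checked against the rules, a session keyed by the 5-tuple is created on permit, and later packets in either direction are forwarded from the session table. The permit-only rule list, the drop of unmatched packets, and the omission of TCP flag tracking are assumptions not stated on the page.

```python
"""Added example, not from the course material: a toy model of stateful
inspection. Only the first packet of a connection is checked against the filter
rules; if it is permitted, a session keyed by the 5-tuple is created, and every
later packet of that session, in either direction, is forwarded by session
lookup without re-evaluating the rules.

Assumptions not stated on the page: rules are permit-only entries evaluated
first-match, a packet matching no rule is dropped (the default interzone deny),
and TCP flags are not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int

    def quintuple(self) -> Tuple[str, str, str, int, int]:
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_quintuple(self) -> Tuple[str, str, str, int, int]:
        """The 5-tuple a reply packet of this flow would carry."""
        return (self.dst, self.src, self.proto, self.dport, self.sport)


class StatefulFirewall:
    def __init__(self, permit_rules: List[Tuple[str, str, Optional[str], Optional[int]]]):
        # each rule: (source network, destination network, protocol or None, dport or None)
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p, port)
                      for s, d, p, port in permit_rules]
        self.sessions = {}     # initiator 5-tuple -> packets seen
        self.rule_checks = 0   # how many packets went through rule evaluation

    def _first_packet_permitted(self, pkt: Packet) -> bool:
        self.rule_checks += 1
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for net_s, net_d, proto, dport in self.rules:
            if (src in net_s and dst in net_d
                    and (proto is None or proto == pkt.proto)
                    and (dport is None or dport == pkt.dport)):
                return True
        return False

    def process(self, pkt: Packet) -> str:
        """Return 'forward:session', 'forward:new' or 'drop'."""
        key = pkt.quintuple()
        if key in self.sessions:                 # later packet of a known session
            self.sessions[key] += 1
            return "forward:session"
        rkey = pkt.reverse_quintuple()
        if rkey in self.sessions:                # reply packet of a known session
            self.sessions[rkey] += 1
            return "forward:session"
        if self._first_packet_permitted(pkt):    # first packet: consult the rules
            self.sessions[key] = 1
            return "forward:new"
        return "drop"


def demo() -> Tuple[List[str], int, int]:
    """Constructed traffic: a LAN host talking to an internal web server."""
    fw = StatefulFirewall([("192.168.10.0/24", "172.16.0.10/32", "tcp", 80)])
    flow = [
        Packet("192.168.10.5", "172.16.0.10", "tcp", 40000, 80),   # client SYN
        Packet("172.16.0.10", "192.168.10.5", "tcp", 80, 40000),   # server SYN/ACK
        Packet("192.168.10.5", "172.16.0.10", "tcp", 40000, 80),   # client ACK + request
        Packet("172.16.0.10", "192.168.10.5", "tcp", 80, 40001),   # unsolicited, no session
        Packet("192.168.10.5", "172.16.0.10", "tcp", 40002, 22),   # SSH: no rule permits it
    ]
    actions = [fw.process(p) for p in flow]
    return actions, len(fw.sessions), fw.rule_checks


if __name__ == "__main__":
    print(demo())
```

Only the three packets that started a flow or matched nothing went through rule evaluation; the server's reply was forwarded from the session table alone.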

ACLs are filtering rules for data flows on a network based on the combination of source addresses, destination addresses, port numbers, and upper-layer protocol numbers of packets.

The ACL is the basis for packet filtering, NAT, IPSec, QoS and policy routing.

ACL usage:

1. ACLs can be used in the firewall.

2. ACLs can be used in QoS to control data flows.

3. ACLs can be used in DCC to determine the conditions for triggering dialup.

4. ACLs can be used for address translation.

5. ACLs can be used to filter routing information when a routing policy is configured.

Firewalls can use ACLs to permit or deny packets so that only secure data passes through. ACLs filter packets based on the source addresses, destination addresses, port numbers and upper-layer protocols of packets.

The ACL defines the rules by which the firewall processes data flows. In detail, the ACL is used to filter flows that pass through the firewall, and its key word determines the next operation.

Question: In the ACL, how is the quintuple used for matching?

Interface packet filtering

The interface packet filtering function of the firewall controls the IP packets received and sent by interfaces that are not added to a security zone. For interface packet filtering, basic ACLs, advanced ACLs, MAC address-based ACLs and hardware ACLs are mainly used to define flows, and the ACLs are applied on interfaces. If the action defined in the ACL is permit, the packets received or sent by the interface are forwarded. If the action is deny, they are discarded. For interface packet filtering, inbound refers to the packets received by the interface, while outbound refers to the packets sent by the interface.

Interzone packet filtering

Interzone packet filtering of the firewall controls flow transmission between security zones, based on the following rules:

Interzone policy

Default interzone packet filtering policy

The device checks the interzone policy first. If the packet does not match any policy, the default packet filter is used. If many interzone policies coexist, the device matches the packet against the policies in order of policy priority. Matching ends once the packet matches a policy. By default, the earlier a policy is configured, the higher its priority is. Policy priority can be adjusted by running the corresponding command. Outbound means that data flows are transmitted from a security zone at a higher level to a security zone at a lower level. Inbound means that data flows are transmitted from a security zone at a lower level to a security zone at a higher level.
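The interzone check order above, as an added example (not the course's or the firewall's own code): direction derived from the two zones' security levels, policies searched in priority order with the earliest-configured one first unless it is moved, and the default interzone filter deciding when no policy matches. The zone levels used (Local 100, Trust 85, DMZ 50, Untrust 5) are the usual USG defaults and an assumption here, as are the CIDR-based policy fields.

```python
"""Added example, not from the course material: a model of the interzone check
order. The policy list is searched first in priority order (earlier configured =
higher priority unless moved); if no policy matches, the default interzone packet
filter for that zone pair and direction decides, and with nothing configured the
page's default of deny applies.

Assumptions not stated on the page: the zone security levels below are the usual
USG defaults; policy matching uses CIDR networks and an optional (protocol, port)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ZONE_LEVELS: Dict[str, int] = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


def direction(src_zone: str, dst_zone: str, levels: Dict[str, int] = ZONE_LEVELS) -> str:
    """outbound: higher security level -> lower; inbound: lower -> higher."""
    a, b = levels[src_zone], levels[dst_zone]
    if a == b:
        raise ValueError("zones with the same level are not an interzone pair")
    return "outbound" if a > b else "inbound"


@dataclass
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                  # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    service: Optional[Tuple[str, int]] = None    # (protocol, destination port) or any

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, proto, dport) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net)
                and (self.service is None or self.service == (proto, dport)))


class InterzoneFilter:
    def __init__(self) -> None:
        self.policies: List[Policy] = []          # index 0 = highest priority
        self.defaults: Dict[Tuple[frozenset, str], str] = {}

    def add_policy(self, policy: Policy) -> None:
        """A newly configured policy gets the lowest priority, as the notes state."""
        self.policies.append(policy)

    def move_policy(self, name: str, position: int) -> None:
        """Adjust priority: move the named policy to the given position (0 = top)."""
        policy = next(p for p in self.policies if p.name == name)
        self.policies.remove(policy)
        self.policies.insert(position, policy)

    def set_default(self, zone1: str, zone2: str, dirn: str, action: str) -> None:
        self.defaults[(frozenset((zone1, zone2)), dirn)] = action

    def check(self, src_zone, dst_zone, src_ip, dst_ip, proto, dport) -> Tuple[str, str]:
        """Return (action, deciding policy name or 'default')."""
        dirn = direction(src_zone, dst_zone)
        for p in self.policies:                   # first match in priority order wins
            if p.matches(src_zone, dst_zone, src_ip, dst_ip, proto, dport):
                return p.action, p.name
        key = (frozenset((src_zone, dst_zone)), dirn)
        return self.defaults.get(key, "deny"), "default"


def build_demo() -> InterzoneFilter:
    """Constructed configuration: Trust may reach Untrust by default, plus two policies."""
    fw = InterzoneFilter()
    fw.set_default("trust", "untrust", "outbound", "permit")
    fw.add_policy(Policy("lan-web", "trust", "untrust", "permit",
                         src_net="192.168.10.0/24", service=("tcp", 80)))
    fw.add_policy(Policy("block-host", "trust", "untrust", "deny",
                         src_net="192.168.10.50/32"))
    return fw


if __name__ == "__main__":
    fw = build_demo()
    print(fw.check("trust", "untrust", "192.168.10.50", "203.0.113.8", "tcp", 80))
    fw.move_policy("block-host", 0)   # raise the deny above the permit
    print(fw.check("trust", "untrust", "192.168.10.50", "203.0.113.8", "tcp", 80))
```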


Interface-based packet filtering: Uses basic or advanced ACLs.

MAC address-based packet filtering: Uses ACLs based on MAC addresses.

Hardware packet filtering: Uses hardware packet filtering ACLs.

ACL differences:

Basic ACLs, ranging from 2000 to 2999, use only source addresses for matching.

Advanced ACLs, ranging from 3000 to 3999, use quintuples (source address, destination address, protocol type carried by the IP layer, source port and destination port of the packet) for matching.

ACLs based on MAC addresses, ranging from 4000 to 4999, use the source MAC address, destination MAC address, and type fields in the frame header of data link layer protocols, such as Ethernet, for matching.

Hardware packet filtering ACLs are special ACLs which are delivered to the interface cards. Packet filtering in hardware is faster than in software and consumes fewer system resources. Hardware packet filtering ACLs can use source IP addresses, destination IP addresses, source MAC addresses, destination MAC addresses, and protocols for matching.

When the firewall processes packets, the basic ACL identifies packets according to their source addresses.

The basic ACL includes the rule number, action, and source IP address. On the firewall, an ACL is identified by a number, and the ACL definition and its references are determined by the number range it falls in. Among the ACLs of Huawei firewalls, basic ACLs range from 2000 to 2999.

In firewalls, basic ACLs match packets by source address. Therefore, basic ACLs are usually used in scenarios in which the source addresses of packets must be limited.

The rule command is used to add or edit an ACL rule. The undo rule command deletes a rule or some configuration information of a rule. To delete a rule, specify the rule number. If the rule number is unknown, run the display acl command.

Parameter description:

rule-id: Indicates the ACL rule number, ranging from 0 to 4,294,967,294.

permit: Allows the packets that match the conditions through.

deny: Denies the packets that match the conditions.

source: Specifies the source IP address that matches the rule.

src-address: Indicates the source IP address of a packet, in dotted decimal notation.

src-wildcard: Indicates the wildcard of the source IP address, in dotted decimal format. Its meaning is the reverse of that of the IP address mask.

any: Matches the source IP address of any packet.

Basic ACLs (ranging from 2000 to 2999). You are advised to configure the ACL description after the ACL is completely configured. An applied ACL rule is valid for the corresponding interface only. That is, only the packets from or to this interface are checked against the ACL rule. If the action is permit, packets are forwarded. If the action is deny, packets are discarded. Regarding interface-based packet filtering, inbound refers to the packets received by the interface, while outbound refers to the packets sent by the interface.

192.168.10.0 0.0.0.255: indicates a network segment.

192.168.10.1 0: indicates a single IP address.

Question: In which situation is the 0.255.0.255 wildcard mask used? What are the functions and meanings of the wildcard mask?

Network applications are generally opened according to time ranges. For example, some ports of a server are not open during working time, and some LAN users cannot access the Internet during working time. The ACLs described previously do not support such an application, but ACLs based on time ranges do. They can restrict the effective time of an ACL and therefore support such an application.

Before you define an ACL based on a time range, define the time range on the firewall first.

re

Le

ar

Page 140

ni

ng

Re

so

ur c

es :

ht

The time-range operator can be expressed in two manners: absolute time range (namely, specifying the start and end dates) and periodic time range (namely, Monday, Tuesday).

tp :

Mo

// l
15

ea r

ni n

g. hu aw ei .c om /e n
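The following is an added example, not part of the course material, that models how a rule carrying a time-range reference is switched on and off. The semantics are stated as an assumption: periodic entries are ORed together, absolute entries are ORed together, and a range that has both kinds is active only while a periodic entry matches inside an absolute window. Range names, dates and windows are constructed.

```python
# Added example (not from the course material): deciding whether a time range
# referenced by an ACL rule is active at a given moment. Assumed semantics:
# periodic entries (weekdays + HH:MM window) are ORed, absolute entries
# (from/to datetimes) are ORed, and with both kinds present the range is
# active only when a periodic entry matches inside an absolute window.
# Names, dates and windows below are constructed sample values.
from dataclasses import dataclass, field
from datetime import datetime, time

WORKING_DAY = {0, 1, 2, 3, 4}   # Monday..Friday (datetime.weekday numbering)
OFF_DAY = {5, 6}
DAILY = set(range(7))


@dataclass
class Periodic:
    start: time
    end: time
    days: set

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass
class Absolute:
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass
class TimeRange:
    name: str
    periodic: list = field(default_factory=list)
    absolute: list = field(default_factory=list)

    def active(self, now: datetime) -> bool:
        periodic_ok = not self.periodic or any(p.active(now) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.active(now) for a in self.absolute)
        return periodic_ok and absolute_ok


def rule_effective(rule_time_range, ranges: dict, now: datetime) -> bool:
    """A rule without a time-range is always effective; otherwise ask the range."""
    if rule_time_range is None:
        return True
    return ranges[rule_time_range].active(now)


# Constructed sample ranges: office hours on working days, and an audit window
# that is only active during office hours within the first half of Feb 2013.
RANGES = {
    "worktime": TimeRange("worktime",
                          periodic=[Periodic(time(8, 0), time(18, 0), WORKING_DAY)]),
    "audit": TimeRange("audit",
                       periodic=[Periodic(time(8, 0), time(18, 0), WORKING_DAY)],
                       absolute=[Absolute(datetime(2013, 2, 1, 0, 0),
                                          datetime(2013, 2, 15, 23, 59))]),
}


def rule_effective_at(rule_time_range, year, month, day, hour, minute) -> bool:
    """Convenience wrapper over the constructed RANGES for a given clock time."""
    return rule_effective(rule_time_range, RANGES,
                          datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    for when in ((2013, 2, 5, 10, 0), (2013, 2, 9, 10, 0), (2013, 2, 19, 10, 0)):
        print(when, "worktime:", rule_effective_at("worktime", *when),
              "audit:", rule_effective_at("audit", *when))
```

One practical caveat the model makes visible: a time-based rule is only as trustworthy as the firewall's clock, so an NTP source for the device is part of the control.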

Different from basic ACLs, advanced ACLs can restrict not only the source IP addresses of data flows but also the destination IP addresses, protocol types, and source and destination ports of data flows. Because advanced ACLs can define more accurate, diversified, and flexible rules than basic ACLs, advanced ACLs can define rules according to the following information on data flows:

1. Source address
2. Destination address
3. Protocol type carried at the IP layer
4. Source and destination port numbers

Advanced ACLs are the most widely applied. Among the ACLs of Huawei firewalls, advanced ACLs range from 3000 to 3999.

Questions: What is detected by stateful firewalls? 1) For TCP packets: during the three-way handshake, the firewall checks the SYN/ACK flags and the sequence numbers. After the handshake ends, the firewall checks the quintuple. 2) How does the firewall process UDP and ICMP packets?

Parameter description:

Permit: Allows the packets that meet the conditions through.

Deny: Denies the packets that meet the conditions.

Protocol: Indicates the protocol type carried at the IP layer, represented by a name or a number. The number ranges from 1 to 255. When represented by a name, the value can be icmp, igmp, ip, ospf, tcp, or udp.

Source: Indicates the source IP address used for matching.

Source-ip-address: Indicates the source IP address of a packet, in dotted decimal format.

Source-wildcard: Indicates the wildcard of the source IP address, in dotted decimal format. Its meaning is the reverse of an IP address mask.

Destination: Indicates the destination IP address used for matching.

Destination-ip-address: Indicates the destination IP address of a packet, in dotted decimal format.

Destination-wildcard: Indicates the wildcard of the destination IP address, in dotted decimal format. Its meaning is the reverse of an IP address mask.

Any: Matches the source IP address or destination IP address of any packet.

Precedence: Indicates the IP precedence of the matched packet, ranging from 0 to 7.

ToS: Indicates the type of service of the matched packet, ranging from 0 to 15.

Time-range: Indicates the time range in which the rule takes effect.

Time-name: Indicates the name of the specified time range.

The applied ACL takes effect on the applied interface only. Only the packets received by or sent from this interface are checked. If the action is permit, packets are forwarded. If the action is deny, packets are discarded. In interface-based packet filtering, inbound refers to the packets received by the interface, while outbound refers to the packets sent by the interface.

Names and meanings of the port operators: lt (less than), gt (greater than), eq (equal to), range (within the range). Only the range operator requires two port numbers as operands; the other operators require one port number as an operand. Port1 and port2 are optional parameters indicating TCP or UDP port numbers, represented by names or digits (ranging from 0 to 65535).

To simplify ACL rule configuration and maintenance, the firewall can reference address sets and service sets in ACLs. This feature raises efficiency in configuration and maintenance and also makes ACL rules more readable.

Both address sets and service sets support two types: object and group. When the type is group, an address set or service set can be added as a member.

A rule described by using address and service sets is equivalent to a set of traditional rules that all have the same priority. The formula is as follows: the number of equivalent rules with the same priority = number of elements in address set 1 x number of elements in address set 2 x number of elements in service set 1 x number of elements in service set 2.

Question: What does the following ACL rule mean?

rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port greater-than 128
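The rule in the question denies UDP packets from 129.9.8.0/24 to 202.38.160.0/24 whose destination port is greater than 128. As an added example (not part of the course material, and not the firewall's own matching engine), the following Python code implements a matcher for advanced ACL rules with the fields described above (protocol, source and destination address with wildcard, and the lt/gt/eq/range port operators) and checks that rule against constructed sample packets.

```python
# Added example (not from the course material): a matcher for advanced ACL
# rules so the rule in the question can be checked against constructed sample
# packets. It covers the fields the text lists (protocol, source/destination
# address with wildcard, port operators lt/gt/eq/range). The packets are
# constructed; the firewall's own matching engine is not shown.
import ipaddress
import operator
from dataclasses import dataclass
from typing import Optional


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """0 bits of the wildcard must match, 1 bits are ignored; "0" means 0.0.0.0."""
    care = ~_ip("0.0.0.0" if wildcard == "0" else wildcard) & 0xFFFFFFFF
    return (_ip(packet_ip) & care) == (_ip(rule_ip) & care)


PORT_OPS = {"eq": operator.eq, "lt": operator.lt, "gt": operator.gt}


def port_match(port: int, spec: Optional[tuple]) -> bool:
    """spec is None (any port), (op, n) with op in lt/gt/eq, or ("range", lo, hi)."""
    if spec is None:
        return True
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    return PORT_OPS[spec[0]](port, spec[1])


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: tuple = ("any", None)       # (address, wildcard) or ("any", None)
    dst: tuple = ("any", None)
    sport: Optional[tuple] = None    # see port_match
    dport: Optional[tuple] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src[0] != "any" and not wildcard_match(p.src, *self.src):
            return False
        if self.dst[0] != "any" and not wildcard_match(p.dst, *self.dst):
            return False
        return port_match(p.sport, self.sport) and port_match(p.dport, self.dport)


def acl_decision(rules: list, p: Packet) -> Optional[str]:
    """First matching rule wins (config order). None means no rule matched,
    so the interface or interzone default action applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None


# The rule from the question: deny UDP from 129.9.8.0/24 to 202.38.160.0/24
# when the destination port is greater than 128.
ACL = [Rule("deny", "udp", ("129.9.8.0", "0.0.0.255"),
            ("202.38.160.0", "0.0.0.255"), dport=("gt", 128))]


def decide(proto: str, src: str, dst: str, sport: int, dport: int) -> Optional[str]:
    """Evaluate one constructed packet against ACL."""
    return acl_decision(ACL, Packet(proto, src, dst, sport, dport))


if __name__ == "__main__":
    for pkt in (("udp", "129.9.8.10", "202.38.160.5", 40000, 129),
                ("udp", "129.9.8.10", "202.38.160.5", 40000, 128),
                ("tcp", "129.9.8.10", "202.38.160.5", 40000, 443),
                ("udp", "129.9.9.10", "202.38.160.5", 40000, 5000)):
        print(pkt, "->", decide(*pkt))
```

Port 128 itself is not matched (gt is strict), TCP is not matched at all, and a source outside 129.9.8.0/24 falls through; in each of those cases the decision is None and the default action of the interface or interzone applies, which is why a deny-only ACL does not by itself make a network closed.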

MAC address-based ACLs are used to match packets at the data link layer. Packets can be matched according to source or destination MAC addresses. Such ACLs are mainly used in packet filtering based on MAC addresses.

In transparent mode, the packet forwarding process in the firewall is similar to that in a switch. That is, packets are forwarded based on the source or destination MAC address. Therefore, an ACL should be defined based on MAC addresses. MAC address-based ACLs supported by Huawei firewalls range from 4000 to 4999.

Type: Indicates the protocol type in the Ethernet frame header. Parameter description is as follows:
type-name: Indicates a common protocol type by name.
type-code: Indicates the protocol number, which contains four hexadecimal digits.

Cos: Indicates a frame priority. Parameter description is as follows:
type-code: Indicates the priority number. The value is an integer ranging from 0 to 7.
type-name: Indicates a common CoS priority name.

The applied ACL takes effect on the corresponding interface only. That is, only the packets received by this interface are checked against the ACL rules. If the action is permit, packets are forwarded. If the action is deny, packets are discarded. In packet filtering based on MAC addresses, only the packets received by the interface are filtered. Only one ACL can be applied to each interface. If the ACL of an interface is configured several times, the new ACL overwrites the previous one.

Packet filtering based on MAC addresses does not apply to interfaces that have been added to a security zone, because interzone packet filtering controls packet forwarding on interfaces added to a security zone.

Because MAC address-based ACLs do not support the minimum (depth-first) matching mode, rules are matched in ascending order of rule numbers.

Hardware packet filtering ACLs apply to hardware packet filtering, which matches flows according to source MAC addresses, destination MAC addresses, source IP addresses, destination IP addresses, protocols, source ports, and destination ports. Hardware packet filtering filters packets on the interface cards, which speeds up filtering. Currently, hardware packet filtering can be applied to the interfaces on the 5 FSW, 8 FE+2 GE, 18 FE+2 SFP, 16 GE+4 SFP, and other interface cards. On Huawei firewalls, hardware packet filtering ACLs range from 9000 to 9499.

Protocol: Defines the IP packet protocol type.
protocol-name: Specifies a protocol by name.

For TCP and UDP:
Port: Specifies a port number to identify a protocol.

For ICMP:
icmp-message: Specifies the ICMP packet type by name.
icmp-type icmp-code: Specifies the ICMP packet type number and code.

The description of the other parameters is the same as that for basic ACLs, advanced ACLs, and MAC address-based ACLs.

The ACL is valid on the applied interface only. That is, only the packets received by this interface are checked against the ACL. If the action is permit, packets are forwarded. If the action is deny, packets are discarded. Hardware packet filtering supports only the inbound direction; that is, only the packets received by the interface are filtered. Only one ACL can be applied to each interface. If an ACL is applied repeatedly, an error is reported; a new ACL can be applied only after the previous ACL is deleted.

Because hardware packet filtering ACLs do not support the minimum matching mode, rules are matched in ascending order of rule numbers.

According to the matching type specified during ACL creation, multiple rules in an ACL are matched in one of the following two ways:

Config: Matching is implemented according to rule numbers. This is the default matching mode. The smaller the rule number, the earlier the rule is matched. Once a rule matches, the remaining rules are not checked.

Auto: Automatic matching, also called minimum matching or depth-first matching. The action of the rule with the smallest (most specific) matching range is carried out. Assume that rule 1 allows the packets from the IP addresses in the 192.168.1.0/24 network segment, while rule 2 prohibits the packets from the IP address 192.168.1.100. In this case, packets from IP address 192.168.1.100 are prohibited, because the address range restricted by rule 2 is smaller and more precise.

By setting a step, the system allocates rule numbers in ascending order with a gap of the step value between consecutive rules, therefore reserving a rule number range between two rules. As a result, administrators can insert a new rule between two existing rules.

The default match-order value is config and the default step is 5. When the step is greater than 1, use the config mode so that administrators can insert a rule at a chosen position.
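The following is an added example, not part of the course material, that models a basic ACL with a rule-number step and both matching orders and reproduces the 192.168.1.0/24 versus 192.168.1.100 case. Two assumptions are made and labelled in the code: for the auto order, a rule is more specific when its source wildcard contains fewer 1 bits (ties go to the lower rule number), and automatically assigned rule numbers start at 0 (some software versions start at the step value instead). Addresses, rule numbers and actions are constructed.

```python
# Added example (not from the course material): a basic ACL model with a rule
# number step and the two matching orders described above. Assumptions: for
# the auto order a rule is "more specific" when its source wildcard has fewer
# 1 bits (fewer addresses covered), ties fall back to the lower rule number;
# automatic rule numbers start at 0. Addresses and rule numbers are constructed.
import ipaddress
from dataclasses import dataclass


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _wildcard(wc: str) -> int:
    return _ip("0.0.0.0" if wc == "0" else wc)


@dataclass
class Rule:
    rule_id: int
    action: str          # "permit" or "deny"
    source: str
    wildcard: str

    def matches(self, packet_ip: str) -> bool:
        care = ~_wildcard(self.wildcard) & 0xFFFFFFFF
        return (_ip(packet_ip) & care) == (_ip(self.source) & care)

    def specificity(self) -> int:
        """Number of don't-care bits; smaller means a smaller address range."""
        return bin(_wildcard(self.wildcard)).count("1")


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        assert 2000 <= number <= 2999, "basic ACLs are numbered 2000-2999"
        assert match_order in ("config", "auto")
        self.number, self.match_order, self.step = number, match_order, step
        self.rules = {}

    def add_rule(self, action, source, wildcard, rule_id=None) -> int:
        """Without an explicit id the next free multiple of the step is used,
        leaving step-1 free numbers between neighbours for later insertion."""
        if rule_id is None:
            rule_id = 0
            while rule_id in self.rules:
                rule_id += self.step
        self.rules[rule_id] = Rule(rule_id, action, source, wildcard)
        return rule_id

    def rule_ids(self) -> list:
        return sorted(self.rules)

    def ordered_rules(self) -> list:
        rules = [self.rules[i] for i in self.rule_ids()]   # config order
        if self.match_order == "auto":
            rules.sort(key=lambda r: (r.specificity(), r.rule_id))
        return rules

    def lookup(self, packet_ip: str):
        """Action of the first rule that matches in the effective order, or
        None when nothing matches (the caller's default action then applies)."""
        for r in self.ordered_rules():
            if r.matches(packet_ip):
                return r.action
        return None


def build_example(match_order: str) -> BasicAcl:
    """Rule 0 permits the whole /24, rule 5 denies one host inside it."""
    acl = BasicAcl(2001, match_order)
    acl.add_rule("permit", "192.168.1.0", "0.0.0.255")
    acl.add_rule("deny", "192.168.1.100", "0")
    return acl


if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, "order: 192.168.1.100 ->", build_example(order).lookup("192.168.1.100"))
    acl = build_example("config")
    acl.add_rule("deny", "192.168.1.200", "0", rule_id=3)   # insert between 0 and 5
    print("rule ids after insert:", acl.rule_ids())
```

In config order the host deny is shadowed by the earlier /24 permit, which is the usual way an exception is accidentally left ineffective; in auto order the same two rules give the intended result. When auditing an ACL, check the match order before reading the rules top to bottom.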

ACL acceleration

ACL acceleration enhances ACL lookup so that matching does not slow down as rules are added. When there are numerous ACL rules, ACL acceleration significantly enhances firewall performance. After ACL acceleration is enabled, the system creates indexes for the ACLs defined so far, so that lookups in these ACLs are accelerated. The system does not create indexes for ACLs modified or created after acceleration is enabled. To accelerate these ACLs, run the undo acl accelerate enable command first, and then run the acl accelerate enable command to create new indexes.

ACL counter

The ACL counter is built into the USG series. When a packet matches an ACL rule, the counter of that rule increases by 1. Through the counter, users can check whether traffic is matching an ACL when diagnosing a fault.

Example:

<USG50000> display acl 2001
17:18:07 2009/07/21
Basic ACL 2001, 2 rules, not binding with vpn-instance
ACL's step is 5
rule 0 permit source 10.32.255.0 0.0.0.255 (27 times matched)
rule 10 permit source 192.168.10.0 0.0.0.255 (1 times matched)

This example shows the rule matching of ACL 2001, which provides a basis and steps for fault diagnosis.

The earlier packet-filtering firewalls checked every received packet one by one against the packet filtering rules to determine whether to allow it through. This mechanism slows down packet forwarding, and therefore packet filter firewalls became a forwarding bottleneck.

To resolve this deficiency, an increasing number of firewalls filter packets based on the stateful inspection mechanism. This mechanism checks only the first packet of a flow against the packet filtering rules instead of inspecting the contents of every packet. In this mechanism, status refers to session entries. This mechanism greatly raises the detection and forwarding efficiency of firewalls and has therefore become the mainstream packet filtering mechanism.

Generally, firewalls check the quintuple of an IP packet, namely the source IP address, destination IP address, source port number, destination port number, and protocol type. By checking the quintuple, the firewall can make a proper judgment about every packet in one data flow. At the three-way handshake stage, firewalls check TCP packets based on the quintuple as well as other fields. After the three-way handshake is complete, firewalls check subsequent packets against the quintuple in the session table to determine whether to allow them to pass through.
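The session-table mechanism described above, as an added example that is not from the course material: a Python model in which only the first packet of a flow is checked against a policy and every later packet, in either direction, is admitted by a quintuple lookup. The policy, the packets and the aging timers are constructed; the handshake check is reduced to requiring a SYN on the first packet of a TCP flow, and ICMP is keyed like a port-based protocol for brevity.

```python
# Added example (not from the course material): a minimal stateful session
# table. Only the first packet of a flow is checked against the filtering
# policy; later packets in either direction are admitted by looking up the
# quintuple in the session table. Policy, packets and aging timers are
# constructed sample values; the TCP handshake check is simplified to "the
# first packet of a TCP flow must be a SYN".
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # TCP SYN flag; ignored for other protocols
    ts: float = 0.0        # arrival time in seconds (constructed)

    def key(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Session:
    key: tuple
    last_seen: float
    aging: float           # idle seconds after which the entry is removed


# Assumed default aging timers per protocol (constructed, not Huawei's values).
AGING = {"tcp": 600.0, "udp": 30.0, "icmp": 20.0}


class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy       # callable(Packet) -> "permit" | "deny"
        self.sessions = {}         # quintuple -> Session

    def _expire(self, now: float) -> None:
        for k in [k for k, s in self.sessions.items() if now - s.last_seen > s.aging]:
            del self.sessions[k]

    def forward(self, p: Packet) -> str:
        self._expire(p.ts)
        s = self.sessions.get(p.key()) or self.sessions.get(p.reverse_key())
        if s is not None:                      # part of an established session
            s.last_seen = p.ts
            return "permit"
        if p.proto == "tcp" and not p.syn:     # mid-stream TCP with no session
            return "deny"
        if self.policy(p) != "permit":         # first packet: consult the rules
            return "deny"
        self.sessions[p.key()] = Session(p.key(), p.ts, AGING[p.proto])
        return "permit"

    def session_count(self) -> int:
        return len(self.sessions)


TRUST = ipaddress.ip_network("192.168.1.0/24")


def trust_to_untrust_policy(p: Packet) -> str:
    """Constructed outbound policy: hosts in TRUST may open HTTP and DNS."""
    if ipaddress.ip_address(p.src_ip) in TRUST:
        if (p.proto, p.dst_port) in (("tcp", 80), ("udp", 53)):
            return "permit"
    return "deny"


def run_scenario() -> list:
    """Constructed traffic: a web request, its reply, an unsolicited inbound
    packet, a DNS query, and a DNS reply arriving after the UDP session aged."""
    fw = StatefulFirewall(trust_to_untrust_policy)
    flow = [
        Packet("tcp", "192.168.1.10", 40000, "202.38.160.5", 80, syn=True, ts=0.0),
        Packet("tcp", "202.38.160.5", 80, "192.168.1.10", 40000, syn=True, ts=0.1),
        Packet("tcp", "202.38.160.5", 80, "192.168.1.10", 40001, ts=0.2),
        Packet("udp", "192.168.1.10", 5000, "8.8.8.8", 53, ts=1.0),
        Packet("udp", "8.8.8.8", 53, "192.168.1.10", 5000, ts=40.0),
    ]
    return [fw.forward(p) for p in flow]
```

The reply in step 2 is permitted although no rule allows traffic from 202.38.160.5, because the reverse quintuple hits the session; the packet in step 3 is dropped because no session exists and it is not a SYN; the late DNS reply in step 5 is dropped because the UDP entry has aged out, which is the behaviour the long-link feature later in this chapter exists to override for specific flows.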

Interzone packet filtering controls flows between security zones based on two kinds of rules: 1) the interzone policy; 2) the default interzone packet filtering policy.

In this example, the priority of the Trust zone is higher than that of the Untrust zone. Inbound means that data flows are transmitted from a security zone with a lower priority to a security zone with a higher priority, while outbound means that data flows are transmitted from a security zone with a higher priority to a security zone with a lower priority.

Remarks: The meanings of inbound and outbound in interzone packet filtering are different from those of inbound and outbound in interface packet filtering.

In the interzone packet filtering policy view, users can create policies for different flows. By default, the earlier a policy is configured, the higher its priority. The policy with the highest priority is used first for packet matching. The priority of each policy can be modified by running the corresponding command.

Rules for implementing an interzone packet filtering policy:

By default, the earlier a policy is created, the higher its priority. The policy with the highest priority is used first for matching.

Once a policy matches a packet, that policy is used for packet processing and the remaining policies are not checked.

After the packet filtering policy is configured, users can run the following command to modify it:

In the packet filtering policy view, run the policy policy-id { enable | disable } command to enable or disable a self-defined policy.

To modify the packet filtering policy priority, users can run the following commands to move policies manually:

Run the policy move policy-id1 before policy-id2 command so that the priority of policy-id1 becomes higher than that of policy-id2.

Run the policy move policy-id1 after policy-id2 command so that the priority of policy-id1 becomes lower than that of policy-id2.


In common scenarios, ACL-based IP packet filtering technology is generally used. It is simple but not flexible. In many application scenarios, common packet filtering cannot protect the network; for multi-channel protocols such as FTP, configuring the firewall is difficult.

In the data structure of the session table, ASPF maintains the connection status, based on which it maintains session access rules. ASPF saves important status information that cannot be saved by ACL rules. The firewall checks each packet in a data flow and ensures that the packet and its status comply with the customized security rules. Connection status information is used to intelligently permit or discard packets. When a session is terminated, its session entry is deleted and the session is closed in the firewall.

For TCP connections, ASPF can intelligently detect three-way handshake information as well as connection release handshake information. By tracking handshake and connection release status, ASPF ensures that proper TCP access can proceed, while packets of incomplete TCP handshakes are directly denied.

UDP is connectionless, but ASPF is based on connections. Therefore, ASPF checks the source IP addresses, destination IP addresses, and ports of UDP packets to determine the existence of a connection: a UDP connection is assumed to exist when packets with the same addresses and ports are seen within the defined time range.

ASPF enables firewalls to support multiple data connections for one control connection and helps users define various security policies in complex application scenarios.

Most multi-channel application protocols (such as H.323, SIP, FTP, and NetMeeting) use agreed ports to set up a control connection and dynamically select ports for data transmission. Port selection cannot be predicted, and some applications may even use multiple ports. A packet filter firewall therefore has to block the transmission of such applications on a single channel to protect the intranet; by doing so, however, only the applications that use fixed ports are blocked, leaving hidden security risks. ASPF monitors the port used by each connection of each application. Opening the proper channel lets session data pass through the firewall; after a session ends, ASPF closes the channel, therefore effectively controlling access from applications that use dynamic ports.

Server map entry

In multi-channel protocols such as FTP, control channels are separate from data channels. Data channels are dynamically negotiated in control packets. To prevent data channels from being interrupted by other rule restrictions (such as ACLs), a channel should be opened temporarily. The server map entry is the data structure designed to meet this need.

FTP contains one TCP control channel with a well-known port and one TCP data channel that is dynamically negotiated. For a common packet-filtering firewall, the data channel port number cannot be known when a security policy is configured; therefore, the entry point of the data channel cannot be determined and a proper security policy cannot be configured. ASPF technology resolves this problem. It inspects application-layer packets above the IP layer and dynamically creates and deletes temporary server map entries according to packet contents to allow the data packets to pass.

As shown in the figure, the server map entry is dynamically generated during dynamic inspection of the FTP control channel. When a packet passes through the firewall, ASPF compares the packet with the specified ACL. If the rule permits the packet to pass through the firewall, the packet is inspected; otherwise, the packet is directly discarded. If the packet is used to open a new control or data connection, ASPF dynamically generates a server map entry. A returned packet is allowed to pass through the firewall only when it belongs to an existing valid connection. When the returned packet is processed, the status table is updated. When a connection is closed or expires, the status table entry of the connection is deleted and unauthorized packets can no longer pass through the firewall. As a result, ASPF can properly protect networks in complex situations.
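The following is an added example, not part of the course material, that shows how an ASPF-style inspector derives a temporary server map entry from the FTP control channel (a PORT command in active mode, a 227 reply in passive mode) and then uses it to admit the dynamically negotiated data connection, consuming the entry so it cannot be reused. The FTP lines, addresses and ports are constructed; EPRT/EPSV, NAT rewriting and concurrent transfers are omitted. It includes one check a real inspector must also make: the address carried in PORT or PASV has to be that of the control-channel peer, otherwise the entry would open a hole for a third party's connection (the classic FTP bounce problem).

```python
# Added example (not from the course material): how an ASPF-style inspector
# derives a temporary server map entry from the FTP control channel and then
# uses it to admit the dynamically negotiated data connection. FTP lines,
# addresses and ports are constructed sample values. EPRT/EPSV, NAT rewriting
# and multiple concurrent transfers are omitted. An address in PORT/PASV that
# does not belong to the control-channel peer is rejected (FTP bounce check).
import re
from dataclasses import dataclass
from typing import Optional

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(m) -> tuple:
    """Six FTP numbers -> (ip, port); the port is p1*256 + p2."""
    return ".".join(m.group(1, 2, 3, 4)), int(m.group(5)) * 256 + int(m.group(6))


@dataclass(frozen=True)
class ServerMapEntry:
    src_ip: str      # who is expected to open the data connection
    dst_ip: str      # where it must go
    dst_port: int


class AspfFtp:
    def __init__(self):
        self.server_map = set()

    def inspect_control(self, client_ip: str, server_ip: str,
                        line: str) -> Optional[ServerMapEntry]:
        """Feed one control-channel line; return the entry created, if any."""
        m = PORT_RE.match(line)
        if m:   # active mode: the server will connect to the client's port
            ip, port = _endpoint(m)
            if ip != client_ip:
                return None           # bounce attempt or broken client
            entry = ServerMapEntry(server_ip, ip, port)
        else:
            m = PASV_RE.match(line)
            if not m:
                return None           # nothing to learn from this line
            ip, port = _endpoint(m)   # passive mode: client connects to server
            if ip != server_ip:
                return None
            entry = ServerMapEntry(client_ip, ip, port)
        self.server_map.add(entry)
        return entry

    def admit_data_connection(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """First packet of a data connection: admit it only if a matching server
        map entry exists, and consume the entry so it cannot be reused."""
        entry = ServerMapEntry(src_ip, dst_ip, dst_port)
        if entry in self.server_map:
            self.server_map.discard(entry)
            return True
        return False


if __name__ == "__main__":
    aspf = AspfFtp()
    client, server = "192.168.1.10", "202.38.160.5"
    print(aspf.inspect_control(client, server, "PORT 192,168,1,10,195,80"))
    print(aspf.admit_data_connection(server, client, 50000))   # True, then consumed
    print(aspf.admit_data_connection(server, client, 50000))   # False
    print(aspf.inspect_control(client, server, "PORT 10,0,0,9,0,22"))   # None: bounce
```

Without the peer-address check, a client could send PORT with an arbitrary address and the firewall would open the data channel towards that third host; this is why the inspector validates the negotiated address and not just the syntax.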

Port identification is also called port mapping. Firewalls use it to identify application-layer protocol packets that use non-standard ports. Port mapping supports FTP, HTTP, RTSP, PPTP, MGCP, MMS, SMTP, H.323, SIP, and SQLNET.

Port identification is based on ACLs. Port mapping is valid for the packets that match an ACL. Port mapping uses basic ACLs, ranging from 2000 to 2999. When port mapping uses an ACL to filter packets, the destination IP address of a packet is matched against the source addresses configured in the basic ACL.

Port mapping is valid for data flows between security zones. Therefore, when port mapping is configured, security zones and interzones must be configured.

Question: What is the application system object matched with ACLs?

Fragment cache

When a network device transmits a packet whose size exceeds the maximum transmission unit (MTU), the packet is fragmented before transmission. Ideally, the fragments are transmitted on the network in fixed order. During actual transmission, however, the first fragment may not be the first to arrive at the firewall. In this case, the firewall would discard the whole series of fragments. By default, the firewall supports the fragment cache function: the firewall saves the fragments that arrive before the first fragment in a buffer and forwards them after the first fragment arrives.

By default, the fragment cache function of the firewall is enabled and fragments are saved for five seconds. Users can instead choose direct forwarding of fragments without caching. The fragment cache function caches the subsequent fragments that arrive prior to the first fragment to prevent them from being discarded by the firewall.

1. Aging time of the fragment cache: If the first fragment does not arrive within the given time, the firewall discards the fragments saved in the buffer.

2. Direct fragment forwarding: Generally, this function is used when NAT is not required. After this function is enabled, the firewall directly forwards the received fragments without creating a session table entry.
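The following is an added example, not part of the course material, that models the two behaviours described above: non-first fragments that arrive before the first fragment are buffered for at most the aging time, are released behind the first fragment (offset 0, the only one carrying the transport header a policy can inspect) once it arrives and is permitted, and are discarded when the first fragment never comes; with direct forwarding enabled nothing is buffered. Flow identifiers, offsets, timestamps and the policy are constructed.

```python
# Added example (not from the course material): a fragment cache with the two
# behaviours described above. Non-first fragments that arrive before the first
# fragment are buffered for at most `aging` seconds; when the first fragment
# (offset 0, carrying the transport header the policy needs) arrives and is
# permitted, the buffered fragments are released behind it. With
# direct_forward=True fragments are passed through without buffering.
# Flow identifiers, offsets and timestamps are constructed sample values.
from dataclasses import dataclass


@dataclass
class Fragment:
    flow: tuple      # (src_ip, dst_ip, ip_id) identifies the original datagram
    offset: int      # fragment offset in bytes; 0 marks the first fragment
    more: bool       # IP "more fragments" flag
    ts: float        # arrival time in seconds


class FragmentCache:
    def __init__(self, aging: float = 5.0, direct_forward: bool = False):
        self.aging = aging
        self.direct_forward = direct_forward
        self.pending = {}        # flow -> (buffer_start_ts, [fragments])
        self.accepted = set()    # flows whose first fragment was permitted

    def _expire(self, now: float) -> None:
        stale = [f for f, (t, _) in self.pending.items() if now - t > self.aging]
        for f in stale:          # first fragment never came: drop what we held
            del self.pending[f]

    def buffered(self) -> int:
        return sum(len(buf) for _, buf in self.pending.values())

    def receive(self, frag: Fragment, policy) -> list:
        """Return the fragments forwarded as a result of this arrival, in order.
        `policy` is called with the first fragment and returns "permit"/"deny"."""
        self._expire(frag.ts)
        if self.direct_forward:
            return [frag]
        if frag.offset == 0:
            _, held = self.pending.pop(frag.flow, (None, []))
            if policy(frag) != "permit":
                return []                      # drop it and anything buffered
            if frag.more and all(h.more for h in held):
                self.accepted.add(frag.flow)   # more fragments still to come
            return [frag] + sorted(held, key=lambda f: f.offset)
        if frag.flow in self.accepted:         # first fragment already passed
            if not frag.more:
                self.accepted.discard(frag.flow)
            return [frag]
        self.pending.setdefault(frag.flow, (frag.ts, []))[1].append(frag)
        return []


if __name__ == "__main__":
    cache = FragmentCache()
    permit_all = lambda f: "permit"
    tail = Fragment(("10.0.0.1", "10.0.0.2", 1), 1480, False, 0.0)
    head = Fragment(("10.0.0.1", "10.0.0.2", 1), 0, True, 1.0)
    print(cache.receive(tail, permit_all))   # [] : buffered, first not seen yet
    print(cache.receive(head, permit_all))   # [head, tail] : released in order
```

Because the policy is evaluated on the first fragment only, the cache is also what stops a non-first fragment from slipping past a port-based rule: it is never forwarded on its own unless the flow's first fragment was already permitted.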

Long link

In the actual network environment, the session information of some special service data flows needs to be kept for a long time without aging. Normally, when the interval between two successive packets of a TCP session is greater than the session aging time, the firewall deletes the corresponding session entry from the session table. Subsequent packets then arrive at the firewall without a matching session and are discarded, which interrupts the connection. To solve this problem, the firewall allows users to configure the long link function between security zones and set an ultra-long aging time for specific data flows, so that such sessions are kept alive. The long link function sets this ultra-long aging time; by default, the aging time of a long link is 168 hours (7 x 24 hours). The firewall allows users to set the interzone long link function for TCP packets. By configuring the long link function, such services can run properly.


Packet filtering

As a network protection mechanism, packet filtering is used to control the data flowing into and out of two networks at different security levels. When forwarding packets, a firewall first checks the packet header information (such as source/destination addresses, source/destination ports, and the upper-layer protocol), then compares it with the defined rules, and finally determines whether to forward or discard the packets according to the comparison results.

Address translation

NAT translates the IP address in the packet header to another IP address to enable hosts with private IP addresses to access the extranet. In actual application, we may need to allow only some internal hosts (with private IP addresses) to access the Internet. This can be realized by associating an ACL with the NAT address pool. In other words, NAT is applied only to the packets that match the ACL, which effectively controls the address translation range.

Routing policy

A routing policy is applied when routing information is sent and received, and can filter routing information. Routing policies support various filtering methods; among them, the ACL is an important filter. That is, users use ACLs to specify an IP address or subnet range as the destination network segment address or next hop address for routing information matching.

QoS

QoS evaluates the capability of meeting customer needs. The effective method to guarantee Internet QoS is to add traffic control and resource assignment functions at the network layer to provide differentiated services for various services. Traffic classification is the precondition and basis of differentiated service. In actual application, define the traffic classification policy (rule). The traffic classification policy can use the ToS field in the IP packet header to identify flows with different priorities. Traffic classification policies can be defined through ACLs. For example, classify traffic according to source IP addresses, destination IP addresses, MAC addresses, IP protocol, or port numbers of applications, and then employ the traffic classification policies or ACLs in traffic policing, traffic shaping, congestion management, and congestion avoidance.

IPSec

The IPSec protocol family is a series of protocols defined by the IETF. It guarantees the confidentiality, integrity, and authenticity of the packets transmitted between two communicating network nodes on the Internet by means of encryption and data origin authentication at the IP layer.

The IPSec protocol family can provide different protection for different data flows. For example, the firewall can use different security protocols, algorithms, and keys for different data flows. In actual application, data flows are defined by ACLs: the traffic matching one ACL is logically regarded as one data flow. The ACL is then referenced in the security policy to protect the specified data flow.

An ACL is a list of rules, each containing a permit or deny statement. Before configuring ACL rules, create the ACL. On the firewall, an ACL is used to define a simple rule which is then used as an interzone filtering rule.

display acl 3000
acl 3000
Acl's step is 5
rule 0 deny source 1.1.1.1 0 logging
rule 3 permit ip source 192.168.10.0 24
rule 5 deny logging
rule 10 permit ip source 172.16.12.31 0

When a firewall filters data flows, if a data flow matches an ACL, the firewall processes it according to the action stipulated by the ACL. The following describes the ACL matching rules of Huawei firewalls:

Order of matching different rules in one ACL

There are two matching orders: auto and config. By default, the matching order is config.

Config: In config mode, the rules configured earlier are matched first. In other words, the smaller the rule number, the higher the priority.

Auto: Depth-first. The smaller the address range, the higher the priority.

Order of matching different types of ACLs

MAC address-based ACLs > Advanced ACLs > Basic ACLs

Order of matching ACLs of the same type

The ACL with the smaller ACL number is matched first.

Conclusions: Rules of matching packets with ACLs:

1. After a data flow matches an ACL, its packets are processed according to that ACL without being matched against other ACLs.
2. MAC address-based ACLs are matched prior to advanced ACLs.
3. Advanced ACLs are matched prior to basic ACLs.
4. For ACLs of the same type, the smaller the ACL number, the earlier the ACL is matched.
5. In one ACL rule group, the smaller the rule ID, the earlier the rule is matched.

Remarks: Interzone packet filtering or interface-based packet filtering is implemented between interfaces.

Configure firewall interfaces so that they are added to security zones. (Details are omitted.)

Create ACL 3101.
[USG] acl number 3101

Configure ACL 3101 to allow the specified host to access the extranet and internal servers to access the extranet.
[USG-acl-adv-3101] rule permit ip source 192.168.1.4 0

Apply ACL 3101 in the inbound direction of interface GigabitEthernet 0/0/0 of the firewall.
[USG] interface GigabitEthernet 0/0/0
[USG-GigabitEthernet0/0/0] firewall packet-filter 3101 inbound

Create ACL 3102.
[USG] acl number 3102

Configure ACL 3102 to allow the specified users to access internal servers from the extranet.
[USG-acl-adv-3102] rule permit tcp source 202.39.2.2 0 destination 192.168.1.1 0
[USG-acl-adv-3102] rule permit tcp source 202.39.2.2 0 destination 192.168.1.2 0
[USG-acl-adv-3102] rule permit tcp source 202.39.2.2 0 destination 192.168.1.3 0

Apply ACL 3102 in the inbound direction of the external interface of the firewall.
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] firewall packet-filter 3102 inbound

Create ACL 3103 to allow the use of the ping command.
[USG] acl number 3103
[USG-acl-adv-3103] rule permit icmp

Apply ACL 3103 in both the inbound and outbound directions between the Untrust and Trust zones.
[USG] interface GigabitEthernet 0/0/0
[USG-GigabitEthernet0/0/0] firewall packet-filter 3103 inbound
[USG-GigabitEthernet0/0/0] firewall packet-filter 3103 outbound
Define security zones and the corresponding interfaces.
[USG] interface ethernet 1/0/0
[USG-Ethernet1/0/0] ip address 192.168.1.1 255.255.255.0
[USG] firewall zone untrust
[USG-zone-untrust] add interface ethernet 1/0/0
[USG] interface ethernet 2/0/0
[USG-Ethernet2/0/0] ip address 192.168.2.1 255.255.255.0
[USG] firewall zone dmz
[USG-zone-dmz] add interface ethernet 2/0/0

Create the access rules between the DMZ and the Untrust zone.
[USG] policy interzone trust untrust inbound
[USG-policy-interzone-trust-untrust-inbound] policy 0
[USG-policy-interzone-trust-untrust-inbound-0] policy source 192.168.1.2 0
[USG-policy-interzone-trust-untrust-inbound-0] policy destination 192.168.2.2 0
[USG-policy-interzone-trust-untrust-inbound-0] policy service service-set icmp
[USG-policy-interzone-trust-untrust-inbound-0] action permit

Now the ping command can be used to check communication between the devices in the Untrust zone and those in the DMZ, and they can communicate with each other.


HCNA-Security V1.0 CBSN Chapter 4 Network Address Translation Technology

In the early 1990s, RFC documents already pointed out the possibility of IP address depletion. With the growth of Web applications based on the TCP/IP protocol suite, the Internet expanded rapidly and IPv4 address consumption grew even faster, and the sustainable development of the Internet became a serious problem. Chinese operators apply for large numbers of IP addresses from the Internet Corporation for Assigned Names and Numbers (ICANN) each year, the largest number in the world. Some experts predicted that, at the Internet's rate of growth, the world's available IPv4 address resources would be depleted around 2011. IPv6 was proposed to resolve IPv4 address exhaustion fundamentally: it extends the address from the 32 bits of IPv4 to 128 bits, an address space that is practically infinite for network applications, so IPv6 removes the address shortage. However, IPv6 faces sharp problems such as immature technology and the great cost of upgrading, and there is a long way to go before the mature, widely deployed IPv4 network is replaced. Because the transition to IPv6 cannot be achieved immediately, technical means are required to extend the lifespan of IPv4. These techniques effectively delayed IPv4 address depletion, and exhaustion did not occur as early as predicted. The widely used techniques include Classless Inter-Domain Routing (CIDR), Variable Length Subnet Mask (VLSM), and Network Address Translation (NAT).

To meet the needs of laboratories, companies and other organizations that run private networks alongside the Internet, Request for Comments (RFC) 1918 reserves three IP address blocks for private networks:

10.0.0.0 to 10.255.255.255 (10.0.0.0/8) in class A IP addresses.
172.16.0.0 to 172.31.255.255 (172.16.0.0/12) in class B IP addresses.
192.168.0.0 to 192.168.255.255 (192.168.0.0/16) in class C IP addresses.

Addresses in these three ranges are never assigned on the Internet, so they can be used freely without applying for them. The intranet uses private addresses and the Internet uses public addresses. Private addresses are not routable on the Internet: if they are not translated into public addresses, routing problems occur and the private network cannot communicate with external networks. NAT must therefore be used to translate the addresses so that a privately addressed network can communicate with the Internet.

NAT translates an IP address in the IP packet header into another IP address, which enables hosts on the intranet (private IP addresses) to access the Internet (public IP addresses). In terms of implementation, an ordinary NAT device (a network device that implements the NAT function) maintains an address translation table, and every packet that passes through the NAT device and needs address translation is modified according to this table.

NAT devices are deployed at the edge between the intranet and the Internet, so that all packets exchanged between an internal PC and an external server pass through the NAT device. The NAT devices most frequently used are routers and firewalls.

The address translation mechanism has two parts:

1. The IP addresses and ports of intranet hosts are translated into Internet (public) addresses and ports of the NAT device.
2. The Internet addresses and ports of the NAT device are translated back into the IP addresses and ports of the intranet hosts.

That is, NAT implements the conversion between <private address + port> and <public address + port>.

In source address-based NAT, only the source IP address is translated; in addition to the source IP address, the source port may also be translated.

In destination address-based NAT, only the destination IP address is translated; in some scenarios the destination port is translated as well.

In bidirectional NAT, both the source IP address and the destination IP address are translated.

Besides advantages such as address multiplexing and saving precious IP address resources, NAT has other advantages; as the technology developed, it constantly absorbed new concepts. The advantages and disadvantages of NAT are as follows:

NAT advantages:

By using NAT, multiple hosts in a LAN can use a small number of public addresses to access external resources, and intranet servers can provide services such as HTTP, FTP and Telnet to external users. This alleviates the depletion of IPv4 addresses.

Intranet users do not perceive the IP address translation; the entire process is transparent to users.

NAT hides the internal network topology and addressing from external users: Internet users cannot directly obtain the IP addresses and services of intranet hosts. This is obscurity rather than access control; it is the interzone security policy, not NAT, that blocks unwanted connections.

NAT allows multiple intranet servers to provide a service to external users in load balancing mode.

NAT disadvantages:

Because the IP addresses in the packet header must be rewritten, the header cannot be encrypted or integrity-protected end to end, and applications that carry addresses or ports inside the payload (such as FTP) cannot traverse NAT if that payload is encrypted: on an encrypted FTP connection the NAT device cannot read and translate the FTP PORT command correctly.

NAT makes it difficult to monitor the Internet access of internal users. For example, if an attacker on the intranet attacks a server on the Internet, it is difficult to trace the attacker: after the packet passes through the NAT device the source address has been translated, and the real host that launched the attack cannot be identified from the public address alone. In practice this is addressed by logging NAT sessions (private address and port, public address and port, and time) so that a public address seen by the victim can be mapped back to an internal host.

In terms of implementation, both routers and firewalls can perform NAT; NAT has become a basic function of network devices.


In source address-based NAT, only the source IP address is translated. It enables intranet users to access the Internet: the private addresses of internal hosts are translated into public addresses, so that multiple hosts in a LAN can use a small number of public addresses to access external resources. This effectively hides the real host IP addresses of the internal LAN. Because the security level of an ordinary intranet is higher than that of the Internet, this application is called NAT Outbound.

In translation based on both IP address and port, source port X is mapped to source port Y; the original port information is saved and displayed in the session table entry. This translation mode must ensure the uniqueness of each session table entry, that is, no two internal <address, port> pairs may be mapped to the same public <address, port> pair at the same time.

Source IP addresses are translated in both NAT Inbound and NAT Outbound. The difference between them is only the direction of the traffic; what they have in common is that the source IP address is translated.

One-to-One Address Translation

In general, the IP address of the outbound interface of the NAT device is used as the source address after NAT. If only this one public IP address can be used when intranet hosts access the Internet, then only one internal host at a time is allowed to access the Internet. This is called one-to-one address translation, also called NAT No-PAT. It involves only source IP address translation; the port number is not translated.

If multiple users access the Internet, multiple public IP addresses must be configured in order to implement one-to-one address translation for each user. Because in reality there are far fewer public addresses than private addresses, many users cannot go online if the static one-to-one translation mode is adopted. This technology is therefore rarely used in practice.

Many-to-Many Address Translation

Because not all internal hosts access the Internet at the same time, the number of public IP addresses needed is not fixed. It should be determined according to the number of internal hosts that may access the Internet simultaneously during peak hours.

Many-to-many address translation is a variant of NAT that allows concurrent address translation for multiple private addresses. When the first internal host accesses the Internet, the firewall selects the first public address as its public IP address; when another internal host accesses the Internet, the firewall selects the second public address, and so on. This type of NAT is called many-to-many address translation.

The firewall implements many-to-many address translation by configuring an address group (address pool) and controls which traffic is translated by means of an access control list. The address pool collects the public IP addresses used for address translation; users configure it according to their own legal public IP addresses, internal hosts and applications. During address translation, an address is selected from the pool as the source address after translation.

Many-to-One Address Translation

Network Address Port Translation (NAPT) allows multiple internal addresses to share one public address to access the Internet; this is called many-to-one address translation or address reuse.

NAPT maps packets from different internal addresses to different port numbers of the same public address, so they share that address. Compared with one-to-one or many-to-many address translation, NAPT greatly reduces the number of public addresses needed in the address pool. In NAPT mode, the IP address of the interface connecting the device to the Internet can be borrowed and used as the address after translation; this application is called Easy IP. The interface IP address is used directly as the public address, and no NAT address pool needs to be created.

The NAT address pool is the range of public IP addresses used for translation. During translation the NAT device selects an address from this pool to replace the source IP address in the packet; in No-PAT mode the port is not translated.

The NAT policy is configured in the interzone NAT policy view of the two security zones between which the traffic to be translated flows, and the interzone direction is chosen in the same way as for packet filtering: when the priority of the security zone of the source address is higher than that of the security zone of the destination address, outbound is selected; otherwise, inbound is selected. In the NAT No-PAT application, the source IP addresses to be translated are those of intranet users, so the traffic flows from the intranet to the Internet; since the security level of the Internet zone is generally lower than that of the intranet, outbound is selected.

NAT policies can be adjusted after configuration. Multiple NAT policies can be configured in the same interzone NAT policy view; by default, the policy configured earliest has the highest priority when matching packets. In the NAT policy view, run the policy policy-id { enable | disable } command to enable or disable a policy. The priority of NAT policies can be adjusted as described below.

Run the policy move policy-id1 before policy-id2 command to raise the priority of policy policy-id1 above that of policy policy-id2. After the adjustment, policy policy-id1 is matched before policy policy-id2.

Note: For details of the intrazone NAT and NAT Server technologies, see the HSCSP intermediate certification course. Intrazone NAT is the application scenario in which the source address and the destination address are in the same security zone; it is a typical application of bidirectional NAT.

In NAPT mode, if the IP address of the interface connecting the device to the Internet is used as the source IP address after translation, run the easy-ip interface-type interface-number command so that the policy references the interface IP address directly.

The difference between NAPT and NAT No-PAT is that NAPT translates ports in addition to the source IP address. For NAPT, the no-pat parameter is not configured on the address group.
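The following Python model ties together the source NAT behaviour described in the sections above: one-to-one/many-to-many translation from an address pool with no-pat (no port change, pool exhaustion means a host cannot go online), NAPT and Easy IP (public port allocated per session, interface address used as the public address), action no-nat, policies matched in configured order, and policy move to raise a policy's priority. It is an added example, not code from the Huawei course or from any USG product; the class and method names, the policy match fields, the starting public port 10000 and the sample addresses are this example's own assumptions.

```python
"""Toy model of interzone source NAT on a USG-style firewall (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatPolicy:
    """One 'policy <id>' in an interzone NAT policy view (names assumed)."""

    def __init__(self, policy_id, action, source=None, destination=None,
                 service=None, pool=None, no_pat=False, easy_ip=None):
        self.policy_id = policy_id
        self.action = action                  # "source-nat" or "no-nat"
        self.source = ipaddress.ip_network(source) if source else None
        self.destination = ipaddress.ip_network(destination) if destination else None
        self.service = service                # (proto, dport) or None for any
        self.pool = list(pool or [])          # address-group public addresses
        self.no_pat = no_pat                  # address-group ... no-pat
        self.easy_ip = easy_ip                # easy-ip: outbound interface address
        self.enabled = True                   # policy <id> enable | disable

    def matches(self, pkt):
        return (self.enabled
                and (self.source is None or ipaddress.ip_address(pkt.src) in self.source)
                and (self.destination is None
                     or ipaddress.ip_address(pkt.dst) in self.destination)
                and (self.service is None or self.service == (pkt.proto, pkt.dport)))


class InterzoneNat:
    """One interzone NAT policy view, e.g. nat-policy interzone trust untrust outbound."""

    def __init__(self):
        self.policies = []      # configured order is priority order
        self.bindings = {}      # No-PAT: private address -> pool address
        self.next_port = {}     # NAPT: public address -> next free public port
        self.sessions = {}      # outbound 5-tuple -> (public address, public port)
        self.reverse = {}       # expected reply 5-tuple -> (private address, port)

    def add_policy(self, policy):
        self.policies.append(policy)

    def move_before(self, id1, id2):
        """policy move id1 before id2: id1 is matched before id2 afterwards."""
        p1 = next(p for p in self.policies if p.policy_id == id1)
        self.policies.remove(p1)
        idx = next(i for i, p in enumerate(self.policies) if p.policy_id == id2)
        self.policies.insert(idx, p1)

    def _public_address(self, policy, pkt):
        if policy.easy_ip:
            return policy.easy_ip
        if not policy.no_pat:
            return policy.pool[0]             # NAPT: every host shares one address
        if pkt.src not in self.bindings:      # No-PAT: one pool address per host
            free = [a for a in policy.pool if a not in self.bindings.values()]
            if not free:
                return None                   # pool exhausted: this host cannot go online
            self.bindings[pkt.src] = free[0]
        return self.bindings[pkt.src]

    def translate_outbound(self, pkt) -> Optional[Packet]:
        """Translate a packet leaving the higher-priority zone; None means dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key not in self.sessions:
            policy = next((p for p in self.policies if p.matches(pkt)), None)
            if policy is None or policy.action == "no-nat":
                return pkt                    # forwarded without translation
            addr = self._public_address(policy, pkt)
            if addr is None:
                return None
            if policy.no_pat and not policy.easy_ip:
                port = pkt.sport              # No-PAT keeps the original port
            else:                             # NAPT/Easy IP: unique public port per session
                port = self.next_port.get(addr, 10000)
                self.next_port[addr] = port + 1
            self.sessions[key] = (addr, port)
            self.reverse[(pkt.dst, pkt.dport, addr, port, pkt.proto)] = (pkt.src, pkt.sport)
        addr, port = self.sessions[key]
        return Packet(addr, port, pkt.dst, pkt.dport, pkt.proto)

    def translate_inbound(self, pkt) -> Optional[Packet]:
        """Reverse-translate a reply; a packet with no session entry is dropped."""
        hit = self.reverse.get((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        if hit is None:
            return None
        return Packet(pkt.src, pkt.sport, hit[0], hit[1], pkt.proto)


def build_example():
    """Constructed sample view: no-nat for a private peer, No-PAT pool, Easy IP."""
    nat = InterzoneNat()
    nat.add_policy(NatPolicy(0, "no-nat", source="10.1.1.0/24", destination="10.2.0.0/16"))
    nat.add_policy(NatPolicy(1, "source-nat", source="10.1.1.0/24",
                             pool=["202.1.1.10", "202.1.1.11"], no_pat=True))
    nat.add_policy(NatPolicy(2, "source-nat", source="10.1.0.0/16", easy_ip="202.1.1.1"))
    return nat
```

With build_example(), a third host in 10.1.1.0/24 is refused once the two-address No-PAT pool is used up, while hosts matched by the Easy IP policy all share 202.1.1.1 with distinct public ports; an unsolicited packet to the public address that hits no session entry is dropped, which is the translation table acting as a stateful filter. Two simplifications are deliberate: a real No-PAT releases the pool address when the host's last session ends, and a real NAPT spreads sessions over all pool addresses rather than always using the first.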


NAT Server (Internal Server)

NAT hides the internal network structure and shields internal hosts. In practice, however, external hosts sometimes need to access an internal host, for example a Web server. The external host has no route to the internal address, so the internal server cannot be accessed directly. The NAT Server function is used to implement this application, and internal servers can be added flexibly: for example, the public address 202.202.1.1 can be used as the external address of the Web server, or a public address plus port number (202.202.1.1:8080) can be used as its external address.

When external users access the internal server, the following operations are performed:

1. The firewall translates the destination address of the request packets of external users into the private address of the internal server.
2. The firewall translates the source address (private address) of the response packets of the internal server into the public address.

For example, to provide a service to external users located in several different networks, the firewall can configure the internal server per security zone, so that one internal server has several public addresses. Each firewall security zone, with its own priority, corresponds to one external network; different public addresses of the same internal server are configured for different security zones. When external networks in different segments access the same internal server, each of them accesses the public address configured for its zone.

The NAT Server configuration differs by situation:

If the same public IP address is published in all security zones, users in all of these zones access the internal server through that same public IP address.

If different public IP addresses are published in different security zones, users in each zone access the internal server through the public IP address published in their zone. This is the case of an internal server that serves several operators' networks and has one public IP address in each operator's network.

Compared with publishing different public IP addresses, publishing the same public IP address several times requires the no-reverse parameter on the additional entries. After a NAT Server entry without no-reverse is configured, the device translates the server's public address into its private address when public users access the server, and also translates the server's private address into the public address when the server initiates access to the public network.

The no-reverse parameter indicates that the device only translates the public address into the private address and does not translate the private address into the public address. When such an internal server accesses the Internet, an outbound NAT policy is required, and the public address configured with nat server must be in the address pool referenced by that policy; otherwise the address used on the reverse (server-initiated) path differs from the public address used for forward access, and the connection fails. Running the nat server command with no-reverse several times configures multiple public addresses for the same internal server. Without no-reverse, only one public address can be configured for an internal server.

The internal server that accepts Internet access is generally placed in the DMZ security zone. For security reasons, it is not recommended that devices in this zone initiate connections.

Note: When the internal server provides a multi-channel protocol service, NAT ALG must be configured so that the random ports negotiated by these protocols during communication are translated correctly by NAT.

Routing information for the Internet addresses is configured on the internal server, or its default gateway is set to the IP address of the USG interface that connects to the internal server. In this case, return packets go back to the USG by default and are forwarded by the USG to the corresponding Internet users.
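The following Python model shows the NAT Server behaviour described above: one inside host published on the same public address in every zone, a second public address and port published in one zone only with no-reverse, destination translation of requests, reverse translation of replies on the existing session, the public address the server itself is given when it opens a connection, and the check that a no-reverse server's public address is in the outbound NAT address pool. It is an added example, not code from the Huawei course or from any USG product. The rule that an inside host may have only one entry without no-reverse is modelled here as an error on the second such entry; the class and method names, the zone name isp2 and the addresses 10.1.1.10 and 61.1.1.5 are this example's assumptions (202.202.1.1 is the address used in the text).

```python
"""Toy model of USG 'nat server' (internal server) mappings (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class ServerMapping:
    global_addr: str
    inside: str
    zone: Optional[str] = None        # None: published in every security zone
    proto: Optional[str] = None       # None: all protocols, ports unchanged
    global_port: Optional[int] = None
    host_port: Optional[int] = None
    no_reverse: bool = False          # True: public->private translation only


class NatServer:
    def __init__(self):
        self.mappings = []
        self.sessions = {}   # (client, cport, inside, hport, proto) -> (global, gport)

    def nat_server(self, global_addr, inside, zone=None, proto=None,
                   global_port=None, host_port=None, no_reverse=False):
        """One 'nat server [zone Z] [protocol P] global G [gp] inside H [hp] [no-reverse]'.

        Only one mapping per inside host may provide the reverse translation, so a
        second entry without no-reverse is rejected (modelled as an error here).
        """
        if not no_reverse and any(m.inside == inside and not m.no_reverse
                                  for m in self.mappings):
            raise ValueError(f"{inside} already has a reverse mapping; use no_reverse")
        self.mappings.append(ServerMapping(global_addr, inside, zone, proto,
                                           global_port, host_port, no_reverse))

    def inbound(self, pkt, from_zone) -> Optional[Packet]:
        """Request from from_zone to a global address: translate the destination."""
        for m in self.mappings:
            if m.zone not in (None, from_zone) or m.global_addr != pkt.dst:
                continue
            if m.proto is not None and (m.proto, m.global_port) != (pkt.proto, pkt.dport):
                continue
            dport = pkt.dport if m.proto is None else m.host_port
            self.sessions[(pkt.src, pkt.sport, m.inside, dport, pkt.proto)] = (pkt.dst, pkt.dport)
            return Packet(pkt.src, pkt.sport, m.inside, dport, pkt.proto)
        return None   # nothing published in that zone for this destination

    def reply(self, pkt) -> Optional[Packet]:
        """Server reply on an existing session: source translated back to the global address."""
        hit = self.sessions.get((pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if hit is None:
            return None
        return Packet(hit[0], hit[1], pkt.dst, pkt.dport, pkt.proto)

    def server_initiated(self, inside, to_zone) -> Optional[str]:
        """Public address used when the server itself opens a connection towards to_zone.

        Only a mapping without no-reverse provides it; with no-reverse entries alone
        the ordinary outbound source-NAT policy decides (None here).
        """
        for m in self.mappings:
            if m.inside == inside and not m.no_reverse and m.zone in (None, to_zone):
                return m.global_addr
        return None

    def pool_consistent(self, inside, outbound_pool) -> bool:
        """A no-reverse server's global address must be in the outbound NAT address
        pool; otherwise its own connections leave with a different public address."""
        return all(m.global_addr in outbound_pool
                   for m in self.mappings if m.inside == inside and m.no_reverse)


def build_example():
    """Constructed DMZ web server 10.1.1.10: published on 202.202.1.1 in every zone
    and, for a second operator zone isp2, on 61.1.1.5:8080 with no-reverse."""
    ns = NatServer()
    ns.nat_server("202.202.1.1", "10.1.1.10")
    ns.nat_server("61.1.1.5", "10.1.1.10", zone="isp2", proto="tcp",
                  global_port=8080, host_port=80, no_reverse=True)
    return ns
```

In build_example(), a request to 61.1.1.5:8080 is only translated when it arrives from zone isp2, and a request to any other port on that address hits no mapping, so the port-specific form of nat server exposes exactly one service rather than the whole host. The session stored on the request is what lets the reply be translated back, including the 80 to 8080 port change.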

Mobile phone users need to log in to the Wireless Application Protocol (WAP) gateway to go online. At present many users buy mobile phones overseas, and the WAP gateway address preconfigured on these phones differs from the WAP gateway address used in China. Users cannot modify the WAP gateway address, so they cannot go online. To solve this problem, a firewall is deployed in the wireless network between the users and the WAP gateway. After the destination NAT function is configured on the device, these mobile users can obtain network resources normally. When a mobile phone user goes online, destination NAT performs the following operations:

1. The request packets from the mobile phone reach the firewall after passing through the base station and other intermediate devices.
2. If a packet reaching the firewall matches the destination NAT policy configured on the firewall, the destination IP address of the packet is translated into the configured IP address of the WAP gateway and the packet is sent to the WAP gateway.
3. The WAP gateway provides the corresponding services (such as video and Web page services) to the mobile phone client and sends the response packets to the firewall.
4. The response packet hits the session on the firewall. The firewall translates the source IP address of the packet back and sends the packet to the mobile phone user, completing the communication.

Note: Here the WAP gateway can be regarded as a proxy server.

Destination NAT uses an ACL to identify the data flows whose destination IP address is to be translated, so the ACL is the key to this application. First, the range of WAP gateway IP addresses preconfigured on the phones must be confirmed; then those WAP gateway addresses are defined in the ACL.

Note: Destination NAT cannot be used together with NAT ALG. The ACL should be written strictly, so that non-WAP data flows are not matched by the ACL referenced in the destination-nat command and non-WAP services are not interrupted. Only an advanced ACL, numbered 3000 to 3999, can be referenced here.

In general, the intranet is a high-priority zone and the Internet is a low-priority zone. When Internet users in the low-priority zone access the public address of the internal server, the destination address of the packet is translated into the private address of the internal server, but the source address of the request is still a public address, so the internal server needs a route to that public network. To avoid configuring routes to public addresses on the server, NAT from the low-priority zone to the high-priority zone (inbound NAT) can be configured. If NAT is required for access within the same security zone, the intrazone NAT function must be configured.

When NAT Server is configured, a route to the public network must be configured on the server so that response packets can be sent normally. If the configuration is to be simplified and routes to the public network address are to be avoided, the source IP address of Internet users can also be translated, with the translated source address in the same network segment as the private address of the server. The internal server then sends the response packets to its default gateway. Because the security level of the Internet is lower than that of the intranet, this application is called NAT Inbound.

Note that after NAT Inbound the server's own logs show only the translated intranet source address; the original public address of each client is available only from the firewall's session table or NAT logs.

Intrazone NAT

Intrazone NAT refers to the scenario in which the intranet user and the server are deployed in the same security zone but the intranet user can only access the public address of the server. During NAT, the destination address of a packet sent to the internal server is translated from the public address to the private address, and the source address is translated from a private address to a public address.

When the FTP server and the user are both in the Trust zone and the user accesses the public IP address of the FTP server, all packets exchanged between the user and the FTP server must pass through the firewall. This NAT is called intrazone NAT; it requires both the internal server (NAT Server) and the intrazone NAT to be configured.

Intrazone NAT involves the following address conversions:

1. The firewall translates the destination address of the user's request packets into the intranet IP address of the FTP server, and translates the source address into the public IP address assigned to the user.
2. The firewall translates the source address of the FTP server's response packets into the published (public) address of the server, and translates the destination address back into the user's intranet IP address.

The source address must be translated as well as the destination: otherwise the server would see the user's real intranet address and reply to it directly over the LAN, and the response would bypass the firewall that holds the session.


Step 1 Run the system-view command to enter the system view.
Step 2 Run the nat-policy interzone zone-name1 zone-name2 { inbound | outbound } command to enter the interzone NAT policy view.
Step 3 Run the policy [ policy-id ] command to create the NAT policy and enter the policy ID view. Multiple NAT policies can be configured in the same interzone NAT policy view. By default, the policy configured earliest has the highest priority when matching packets.
Step 4 (Optional) Run the policy source { source-address { source-wildcard | 0 | mask { mask-address | mask-len } } | address-set { address-set-name } &<1-256> | range start-address end-address } command to specify the source address of the traffic to be matched.
Step 5 (Optional) Run the policy destination { destination-address { destination-wildcard | 0 | mask { mask-address | mask-len } } | address-set { address-set-name } &<1-256> | range start-address end-address } command to specify the destination address of the traffic to be matched.
Step 6 (Optional) Run the policy service service-set { service-set-name } &<1-256> command to specify the service type of the traffic to be matched.

Step 7 Run the action { source-nat | no-nat } command to configure the action for the matched traffic. After the preceding commands have defined the traffic, this command sets the action for it: source-nat means the source address of packets matching the policy is translated; no-nat means the address of packets matching the policy is not translated.
Step 8 Run the address-group { number | name } [ no-pat ] command to configure the NAT address pool referenced by the NAT policy. This binds the NAT policy to the public addresses; the matched traffic is translated using those addresses. With no-pat only the address is translated (one-to-one or many-to-many); without it, NAPT is performed.
Step 9 (Optional) When intranet users need to use a multi-channel protocol to access the Internet, NAT ALG must be configured so that the random ports negotiated temporarily by these protocols during communication are translated by NAT.


When both NAT and an internal server are configured on the USG, the internal server (NAT Server) takes priority over the NAT policy. The internal server is configured as follows.

Step 1 Run the system-view command to enter the system view.
Step 2 Run the nat server [ zone zone-name ] global global-address inside host-address [ vrrp virtual-router-ID | vpn-instance vpn-instance-name ] * [ no-reverse ] command to configure the internal server, or run the nat server [ zone zone-name ] protocol protocol-type global global-address [ global-port ] inside host-address [ host-port ] [ vrrp virtual-router-ID | vpn-instance vpn-instance-name ] * [ no-reverse ] command to configure the internal server with a protocol and port mapping. When several different internal servers are published through one public address, the nat server command is run once per server. The zone parameter can be configured so that the reverse translation of the NAT server applies when the internal server accesses that zone. When a user and the internal server are in the same security zone, the USG unified security gateway allows the user to access the internal server through its public IP address. The internal server that accepts Internet access is generally placed in the DMZ of the USG; it is not recommended to allow devices in this zone to initiate connections. When the USG is deployed in a two-node hot standby network and the translated NAT server address and the Virtual Router Redundancy Protocol (VRRP) backup group virtual IP address are not in the same network segment, the vrrp keyword of the nat server command is unnecessary. If the translated NAT server address and the VRRP backup group virtual IP address are in the same network segment, the vrrp keyword must be configured, with virtual-router-ID set to the ID of the VRRP backup group on the outbound interface of the USG through which the NAT server is published.
Step 3 Run the policy interzone [ vpn-instance vpn-instance-name ] zone-name1 zone-name2 inbound command to enter the interzone view.
Step 4 (Optional) Run the detect protocol command to configure the ASPF function.


HCNA-Security V1.0 CBSN Chapter 5 Firewall Networking
re

Le

ar

Page 234

ni

The traditional LAN uses the hub. The hub has only one bus, which forms a single collision domain. Therefore the traditional LAN is a flat network: the whole LAN belongs to one collision domain.

Packets sent from any host can be received by all other hosts in the same collision domain. After the bridge (Layer 2 switch) replaces the hub, each port can be regarded as an independent bus, that is, a collision domain of its own. In this way the efficiency of sending unicast packets is improved and the Layer 2 network performance increases. When a host sends broadcast packets, however, the other devices still receive them. The range that a broadcast packet can reach is called a broadcast domain. The bridge copies each broadcast packet and floods it out of every port, so broadcast packets reach everywhere on the network. As the network grows, the number of broadcast packets increases; they occupy more network resources and degrade network performance. This is called a broadcast storm.

Because of the way a bridge works at Layer 2, it cannot contain a broadcast storm. To improve network efficiency, the network is segmented: a large broadcast domain is divided into multiple small broadcast domains.

The virtual local area network (VLAN) is a logical LAN that contains network resources and users allocated according to a certain principle. A physical network is divided into multiple small logical networks, each with its own broadcast domain; these are VLANs. In the figure, the two switches belong to different VLANs and have their own broadcast domains, so broadcast packets cannot be delivered between them.

In a VLAN, a group of users in different physical network segments is allocated to one logical LAN, which functions and operates just like a traditional LAN. The VLAN confines the interaction between terminals to a certain scope.

The 4-byte 802.1Q tag header contains a 2-byte tag protocol identifier (TPID) and 2-byte tag control information (TCI).

The TPID is a new type identifier defined by the IEEE. It indicates that the frame carries an 802.1Q tag. The TPID has the fixed value 0x8100.

The TCI contains the following elements:

Priority: 3 bits indicating the frame priority. The IEEE 802.1Q standard uses these three bits to define eight frame priorities, 0 to 7.

Canonical format indicator (CFI): 1 bit. 0 indicates the standard (canonical) frame format; 1 indicates the non-standard format. The CFI is used in token ring or source-route FDDI media access methods to specify the bit order in the encapsulated frame.

VLAN identifier (VLAN ID): a 12-bit field indicating the ID of the VLAN the frame belongs to. The field can hold values 0 to 4095, that is, 4096 values, but 0 (a priority-tagged frame with no VLAN) and 4095 are reserved, so 4094 VLANs can actually be configured. Every tagged frame sent by a switch that supports 802.1Q contains a VLAN ID.

On a switched network there are two Ethernet frame formats: frames that do not carry the 4-byte tag are called untagged frames, and frames that carry it are called tagged frames.

The default VLAN ID of a port is the port VLAN ID (PVID). It indicates the VLAN to which the port belongs.

1. An access port can belong to only one VLAN. Therefore its PVID is the ID of the VLAN it belongs to, and the PVID of an access port does not need to be configured separately.

2. A hybrid port or a trunk port can belong to multiple VLANs, so you must set its PVID. By default, the PVID is 1.

The differences between a hybrid port and a trunk port are: a hybrid port can send the frames of multiple VLANs untagged, while a trunk port sends only the frames of its default VLAN untagged. On the same switch, hybrid ports and trunk ports cannot co-exist.

For all switches that use the 802.1Q standard, all ports are initially access ports belonging to VLAN 1. Therefore VLAN 1 is called the default VLAN. Because every unconfigured port shares this VLAN, a practitioner should move unused ports out of VLAN 1 or shut them down rather than leave them in the default broadcast domain. The PVID of an access port indicates the VLAN to which the port belongs. For example, a PVID of 3 indicates that the port is allocated to VLAN 3.

A trunk port transmits the frames of multiple VLANs between switches. You can use the port trunk permit vlan [VID] command to configure the VLANs whose frames can be transmitted.

The command port trunk pvid vlan-id changes the PVID of the trunk port. The PVID of a trunk port has a different function from that of an access port: the PVID of an access port indicates the VLAN the port belongs to, while the PVID of a trunk port indicates the default VLAN, whose frames are sent untagged on the trunk.

A hybrid port allows the frames of multiple VLANs to pass and can strip the tags of the frames of certain VLANs on egress. You can use the port hybrid { pvid vlan-id | vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> { tagged | untagged } } command to set the VLANs whose frames can pass and whether their tags are stripped. The untagged parameter strips the tag on egress; the tagged parameter keeps it.
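The tag layout and the access/trunk/hybrid tagging rules above, as an added example that is not part of the Huawei material: the code parses and builds 802.1Q frames (TPID 0x8100, 3-bit priority, CFI, 12-bit VID) and models how each port type classifies a received frame by PVID or VID and whether it sends a frame tagged or untagged. The Port class, the function names and the sample frames are my own constructions; the trunk model assumes the PVID is included in the permitted VLAN list.

```python
"""Added example (not from the Huawei material): parse and build 802.1Q tagged frames and
model how access, trunk and hybrid ports assign and strip VLAN tags. Frames are constructed."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100                 # fixed TPID value of an 802.1Q tag
RESERVED_VIDS = {0x000, 0xFFF}      # 0 = priority-tagged (no VLAN), 4095 = reserved


def parse_frame(frame):
    """Split an Ethernet frame into its fields; 'vid' is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[:6], "src": frame[6:12], "vid": None, "pcp": None, "cfi": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
        payload = frame[18:]
    else:
        payload = frame[14:]
    info.update(ethertype=ethertype, payload=payload)
    return info


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble a frame; when vid is given a 4-byte tag is inserted after the source MAC."""
    header = dst + src
    if vid is not None:
        if not (0 <= vid <= 0xFFF and 0 <= pcp <= 7):
            raise ValueError("VID must fit in 12 bits and PCP in 3 bits")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)   # CFI left at 0
    return header + struct.pack("!H", ethertype) + payload


@dataclass(frozen=True)
class Port:
    kind: str                              # "access", "trunk" or "hybrid"
    pvid: int = 1                          # default VLAN is 1
    permit: frozenset = frozenset()        # trunk: VLANs allowed to pass (PVID assumed included)
    untagged: frozenset = frozenset()      # hybrid: VLANs sent without a tag
    tagged: frozenset = frozenset()        # hybrid: VLANs sent with a tag


def ingress_vlan(port, info):
    """VLAN assigned to a received frame, or None if the port drops it."""
    vid = info["vid"]
    if vid is None or vid == 0:            # untagged or priority-tagged: classify by PVID
        return port.pvid
    if vid in RESERVED_VIDS:
        return None
    if port.kind == "access":
        return vid if vid == port.pvid else None
    if port.kind == "trunk":
        return vid if vid == port.pvid or vid in port.permit else None
    if port.kind == "hybrid":
        return vid if vid in port.untagged or vid in port.tagged else None
    raise ValueError("unknown port kind %r" % port.kind)


def egress_frame(port, vlan, info):
    """Frame as sent out of `port` for `vlan`: untagged, tagged, or None if not forwarded."""
    fields = (info["dst"], info["src"], info["ethertype"], info["payload"])
    pcp = info["pcp"] or 0
    if port.kind == "access":
        return build_frame(*fields) if vlan == port.pvid else None
    if port.kind == "trunk":
        if vlan == port.pvid:
            return build_frame(*fields)                        # default VLAN leaves untagged
        return build_frame(*fields, vid=vlan, pcp=pcp) if vlan in port.permit else None
    if port.kind == "hybrid":
        if vlan in port.untagged:
            return build_frame(*fields)
        return build_frame(*fields, vid=vlan, pcp=pcp) if vlan in port.tagged else None
    raise ValueError("unknown port kind %r" % port.kind)


# Constructed sample traffic and a small walkthrough on a trunk with PVID 10.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
TRUNK = Port("trunk", pvid=10, permit=frozenset({10, 20}))
HYBRID = Port("hybrid", pvid=10, untagged=frozenset({10, 20}), tagged=frozenset({30}))


def walkthrough():
    """Return (ingress VLAN of an untagged frame, egress VIDs for VLANs 10/20/30 on the trunk)."""
    untagged = parse_frame(build_frame(DST, SRC, 0x0800, b"ip"))
    tagged20 = parse_frame(build_frame(DST, SRC, 0x0800, b"ip", vid=20, pcp=5))
    out = []
    for vlan in (10, 20, 30):
        frame = egress_frame(TRUNK, vlan, tagged20)
        out.append(None if frame is None else parse_frame(frame)["vid"])
    return ingress_vlan(TRUNK, untagged), tuple(out)


if __name__ == "__main__":
    print(walkthrough())   # (10, (None, 20, None))
```

The walkthrough shows the two facts the text stresses: an untagged frame arriving on the trunk is classified into the PVID (10), and on egress only the PVID's frames leave untagged while other permitted VLANs keep their tag and unpermitted VLANs are not forwarded. Reserved VIDs 0 and 4095 are handled explicitly, since real switches receive them.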

Communication between VLANs must go through a Layer 3 device such as a router or Layer 3 switch. In the simplest form, different VLANs are connected to different interfaces of the Layer 3 device.

When different VLANs communicate through a router in this way, physical interfaces are wasted. To solve this problem, sub-interfaces are introduced.

A physical interface is configured with multiple sub-interfaces, each associated with a different VLAN. The device can then communicate with different VLANs over a single physical interface.

Operation procedure:

Run system-view to enter the system view.

Run interface interface-type interface-number.subinterface-number to create the sub-interface and enter the sub-interface view.

Run vlan-type dot1q vlan-id to configure the encapsulation type and the associated VLAN ID of the sub-interface.

Run ip address ip-address { mask | mask-length } [ sub ] to configure the IP address of the sub-interface. The IP address of the sub-interface can be in the same network segment as the IP address of the main interface; the subnet masks, however, must be different.

The serial port is a common WAN port. Serial ports are classified into synchronous and asynchronous serial ports; the synchronous serial port is the widely used one.

The SA interface is a synchronous serial interface that supports various cables such as V.24, V.35, X.21, RS-449, and RS-530, and various baud rates to match different peer devices.

The maximum bandwidth is 2.048 Mbit/s, which satisfies the service data transmission requirements of carriers and enterprise customers. In typical networking, the SA interface serves as an uplink interface bearing services; enterprises can rent a dedicated SA line from a carrier to connect to the WAN or an industry network.

The SA has two work modes, data terminal equipment (DTE) and data circuit-terminating equipment (DCE). Generally, the SA works as the DTE and accepts the clock provided by the DCE device.

The SA supports various data link layer protocols, including the Point-to-Point Protocol (PPP) and High-Level Data Link Control (HDLC), and supports IP at the network layer.

As the uplink interface, the SA can bear services such as HTTP and FTP. To use the uplink bandwidth effectively, the SA is used together with QoS. The USG2200 also supports L2TP and IPSec VPN: the E1 interface can serve as one end of a VPN tunnel, and the USG2200 can bear L2TP and IPSec tunnels.

Router configuration:

# Configure serial 1/0/0: set the encapsulation protocol to PPP and leave the other parameters at their default values.
<Router A>system-view
[Router A]interface serial 1/0/0
[Router A-serial1/0/0]link-protocol ppp
[Router A-serial1/0/0]ip address 10.110.1.10 255.255.255.0
# Restart the interface so that the new link protocol takes effect.
[Router A-serial1/0/0]shutdown
[Router A-serial1/0/0]undo shutdown

In an actual communications network, the transmission capability of the medium (network cable or optical fibre) is higher than that required by a single data source. A technology that can transmit multiple signals over one channel without interference is required to improve the utilisation of the medium, and for long-distance transmission it is also required to reduce cable installation and maintenance costs. To meet these requirements, multiplexing is used. Multiplexing technology supports various standards for different applications; the widely used ones are Frequency Division Multiplexing (FDM) and Time Division Multiplexing (TDM).

E1 system:

The E1 system is recommended by the ITU-T. The E1 interface uses the G.703 standard and the E1 frame structure complies with G.704. The E1 rate is 2.048 Mbit/s, and one physical medium can be multiplexed into up to 31 channels. The E1 system is mainly used in Europe and China. The T1 system is recommended by ANSI. The T1 interface rate is 1.544 Mbit/s, and the T1 system is mainly used in the US, Japan, and Canada. In the 1960s the American Telephone and Telegraph Company widely deployed the T1 system to reduce cabling in big cities. In the T1 system one T1 line is multiplexed into 24 channels, so one line can carry 24 simultaneous calls. The T1 system is widely applied to audio, data, and image signal transmission.

FDM: a form of signal multiplexing that assigns non-overlapping frequency ranges to different signals or to each user of a medium. The signals are transmitted simultaneously.

TDM: a type of digital multiplexing in which two or more signals are transferred apparently simultaneously as sub-channels of one communication channel but physically take turns on the channel. The time domain is divided into recurrent timeslots of fixed length, one for each sub-channel. Because of their wide frequency band, digital signals mainly use TDM. The E1 and T1 systems are specified by different standards organisations.

Concepts related to the E-carrier and T-carrier interface work modes:

1. Channelized: in framed mode, the timeslots of the data stream (E1, T1, or DS3) other than the frame header can be assigned to multiple channels.

2. Unchannelized: in framed mode, all the timeslots of the data stream other than the frame header can be bound only once and assigned to a single channel.

3. Clear channel: also called unframed mode. The data stream carries no framing signal; every bit in the stream is data, and all of it belongs to a single channel.
E1 interface description: if a physical interface using E1 technology can work in clear channel mode or unchannelized mode, it is called an E1 interface.

E1 interface features:

1. When the E1 interface works in clear channel mode (unframed mode), all timeslots are used as one channel and every bit in the channel is data. The E1 interface is equivalent to an interface that does not divide any timeslots and transmits data at 2.048 Mbit/s.

2. When the E1 interface works in unchannelized mode (framed mode), multiple timeslots can be bound to the interface, but only one channel can be formed. For example, timeslot 1 and timeslot 2 are bound into a 128 kbit/s serial port, and the remaining timeslots cannot be bound. That is, only one serial port can be formed irrespective of how many timeslots are used.

The E1 and T1 systems improve the utilisation of physical lines. They were originally designed for voice transmission. The T1 system divides a line into 24 timeslots: 24 x 64 kbit/s = 1.536 Mbit/s, plus 8 kbit/s of framing bits, gives the total of 1.544 Mbit/s. The E1 system divides a line into 32 timeslots, for a total bandwidth of 32 x 64 kbit/s = 2.048 Mbit/s. A bandwidth of 2 Mbit/s is sufficient for voice but cannot satisfy data and image transmission. Currently, E1/T1 systems are mainly used on certain old-model routers. The Huawei USG uses E1/T1 interfaces to interconnect with such routers; the USG then serves as the router and manages the data between LAN and WAN in an integrated manner.

CE1 interface description:

If a physical interface using E1 technology can work in clear channel mode or channelized mode, it is called a CE1 interface.

CE1 interface features:

1. When the CE1 interface works in clear channel mode (unframed mode), all timeslots are used as one channel and every bit in the channel is data. The CE1 interface is equivalent to an interface that does not divide any timeslots and transmits data at 2.048 Mbit/s.

2. When the CE1 interface works in channelized mode (framed mode), the interface is divided into 32 timeslots, numbered 0 to 31, and N x 64 kbit/s logical channels can be bound. Timeslot 0 carries the frame synchronisation signal and cannot be bound. The other 31 timeslots can be divided into several groups (channel-sets), and the timeslots in each group are bound as one interface.

The E1/T1 interface is a physical interface that transmits data streams serially. The E1/T1 mode describes how different service requirements (bandwidth and number of data links) are satisfied on the line. The E1/T1 TDM mechanism supports the following application modes:

1. Unchannelized mode (supported only by the E1 interface): the bandwidth of the E1 interface is used for a single data link. The E1 functions as a 2 Mbit/s serial interface.

2. Channelized/partially channelized mode: the bandwidth of the E1/T1 interface is distributed to multiple data links through timeslots, and flexible bandwidth selection is supported by changing the timeslot combinations. Multiple data links share one physical line in TDM mode, so to keep the transmitted data in sequence and reliable, the E1/T1 interface defines a physical frame that synchronises the data of the multiple links and avoids collision and disorder. The physical frame is the key element of channelized mode and consumes some bandwidth: in E1 mode it occupies the first timeslot (timeslot 0) of each sampling frame; in T1 mode it occupies an extra bit in each sampling frame. The data link bandwidth is N x 64 kbit/s or N x 56 kbit/s, where N is the number of timeslots carrying data (at most 31 in E1 mode and 24 in T1 mode). The 64 kbit/s figure comes from 8 bits per timeslot x 8000 samples per second = 64 kbit/s. In earlier applications one of the eight bits of a timeslot was unavailable, so 7 bits per timeslot x 8000 samples per second = 56 kbit/s. Partially channelized mode is channelized mode in principle, but the E1/T1 interface is used by only one data link, whose bandwidth can be adjusted through variable timeslot combinations.

3. PRI mode: based on the timeslot division of the E1/T1 interface, the interface is used for an ISDN network. PRI mode is also channelized mode in principle; channelized mode is used to transmit data while PRI mode is used to transmit voice.

When the E1 interface is used in PRI mode, timeslot 16 is used as the D channel for signalling, and a group of timeslots selected from the remaining 30 is used as B channels, forming the PRI group. When the T1 interface is used in PRI mode, the extra bits are used for synchronisation, timeslot 24 is used as the D channel for signalling, and a group of timeslots selected from the remaining 23 is used as B channels, forming the PRI group.
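The timeslot rules of the CE1 description and of the E1/T1 application modes above (timeslot 0 reserved for framing, one channel only in unchannelized mode, timeslot 16 or 24 reserved as the D channel in PRI mode, N x 64 or N x 56 kbit/s per channel-set) as an added example that is not part of the Huawei material: a planner that validates a set of channel-set bindings and returns each channel's rate. The function names, the "channel-set" tuples and the convention that T1 timeslots are numbered 1 to 24 with the framing bit outside the numbering are my own assumptions for the model.

```python
"""Added example (not from the Huawei material): plan E1/T1 channel-sets under the
timeslot rules of each work mode and compute each channel's N x 64 (or 56) kbit/s rate."""
BITS_PER_SLOT = 8
SAMPLES_PER_SECOND = 8000
SLOT_RATE_KBPS = BITS_PER_SLOT * SAMPLES_PER_SECOND // 1000   # 64 kbit/s per timeslot

SYSTEMS = {
    # line_rate: line speed in kbit/s; data_slots: bindable timeslot numbers (E1 timeslot 0
    # carries framing, T1 framing is an extra bit); pri_d_slot: D channel in PRI mode.
    "E1": {"line_rate": 2048, "data_slots": range(1, 32), "pri_d_slot": 16},
    "T1": {"line_rate": 1544, "data_slots": range(1, 25), "pri_d_slot": 24},
}


def plan_channels(system, mode, channel_sets=(), slot_rate=SLOT_RATE_KBPS):
    """Return {channel_name: kbit/s} for the given mode, raising ValueError on illegal plans.

    mode: 'clear-channel' (unframed), 'unchannelized' (E1 only, exactly one channel),
          'channelized' (several channel-sets) or 'pri' (channelized plus a D channel).
    channel_sets: sequence of (name, iterable of timeslot numbers); assumed model input.
    """
    spec = SYSTEMS[system]
    if slot_rate not in (64, 56):
        raise ValueError("a timeslot carries 8 bits (64 kbit/s) or 7 usable bits (56 kbit/s)")
    if mode == "clear-channel":
        if channel_sets:
            raise ValueError("clear channel mode has no timeslot division")
        return {"serial": spec["line_rate"]}          # every bit on the line is data
    if mode == "unchannelized":
        if system != "E1":
            raise ValueError("unchannelized mode is supported only on E1")
        if len(channel_sets) != 1:
            raise ValueError("unchannelized E1 binds exactly one channel")
    elif mode not in ("channelized", "pri"):
        raise ValueError("unknown mode %r" % mode)

    bindable = set(spec["data_slots"])                # framing slot already excluded
    plan = {}
    if mode == "pri":
        bindable.discard(spec["pri_d_slot"])          # D channel is not a B-channel slot
        plan["D"] = slot_rate                         # one timeslot of signalling
    used = set()
    for name, slots in channel_sets:
        slots = set(slots)
        if not slots:
            raise ValueError("channel-set %s binds no timeslots" % name)
        if not slots <= bindable:
            raise ValueError("channel-set %s uses reserved or out-of-range timeslots %s"
                             % (name, sorted(slots - bindable)))
        if slots & used:
            raise ValueError("channel-set %s reuses timeslots %s" % (name, sorted(slots & used)))
        used |= slots
        plan[name] = slot_rate * len(slots)           # N x 64 (or N x 56) kbit/s
    return plan


def is_legal(system, mode, channel_sets=(), slot_rate=SLOT_RATE_KBPS):
    """True when plan_channels accepts the plan, False when it raises ValueError."""
    try:
        plan_channels(system, mode, channel_sets, slot_rate)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Two serial channels on a CE1: timeslots 1-2 (128 kbit/s) and 3-31 (1856 kbit/s).
    print(plan_channels("E1", "channelized", [("serial0", [1, 2]), ("serial1", range(3, 32))]))
    # PRI on E1: D channel on timeslot 16, three B channels bound as one 192 kbit/s group.
    print(plan_channels("E1", "pri", [("B", [1, 2, 3])]))
```

The planner makes the arithmetic in the text checkable: the 31 bindable E1 slots give 1984 kbit/s of payload out of 2048, and a T1 bound with 7 usable bits per slot yields 24 x 56 = 1344 kbit/s. Mistakes a practitioner actually makes on this kind of interface, such as binding timeslot 0, binding timeslot 16 as a B channel in PRI mode, or binding the same timeslot into two channel-sets, are rejected with a reason rather than silently producing a plan.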

VDSL: VDSL is similar to ADSL. VDSL uses FDM: the uplink and downlink signals of POTS, ISDN, and VDSL are transmitted in different frequency bands.

Compared with ADSL, VDSL has a higher transmission rate and can be regarded as a high-speed ADSL. The typical VDSL rates over one pair of ordinary twisted-pair wires are 1.6 to 2.3 Mbit/s uplink and 12.96 to 55.2 Mbit/s downlink (at present the highest rate can reach 155 Mbit/s). The VDSL rate is about 10 times that of ADSL; the transmission distance, however, is shorter than that of ADSL, typically 0.3 to 1.5 km. Because the VDSL reach is short, it is applicable to the last-mile connection between the optical fibre access network and the user, and the optical network unit must be close to the user. The VDSL system configuration is similar to that of ADSL, with VDSL used between the user and the local optical network unit. VDSL supports broadband services such as HDTV, HD video communication, and visual computing. International VDSL standards were still being drawn up when this material was written.

VDSL is the DSL access technology with the highest transmission bandwidth, and it supports bi-directional symmetric rates. Its transmission distance, however, is short, so it is applicable to residential areas with relatively high user density, medium distance (within 1 to 1.5 km), and high bandwidth requirements. For hotels, business buildings, and other areas that do not support integrated cabling, cannot afford high integrated cabling costs, or have already been cabled by other vendors, VDSL can be used to occupy the market quickly.

ADSL2+: At present, in coverage, outgoing line rate, downlink bandwidth, power management, and error detection, ADSL2+ improves greatly over ADSL. ADSL2+ supports various new features that further improve network performance and interoperability. Carriers can deploy the new applications by upgrading existing devices rather than replacing them, so ADSL2+ is available as a supplement to ADSL on upgraded devices. In areas where the subscriber line is long, higher bandwidth is required, and the outgoing line rate is low, ADSL2+ can be used to reduce interference between lines and improve the outgoing line rate.

With the significant growth of video services such as IPTV, broadband video requires high bandwidth, data rate, QoS, and other functions. At present, ordinary ADSL cannot meet these requirements. VDSL plus Ethernet meets the needs of integrated user access and short-distance scattered user access. Although ADSL2+ has certain limitations on data rate and interactive services (video conferencing), it can meet the high-bandwidth requirement of long-distance scattered user access.

ADSL is an asymmetric DSL technology in which the uplink and downlink transmission rates differ. Uplink means transmission from the user end to the central office end; downlink means transmission from the central office end to the user end.

The downlink rate of ADSL can reach 8 Mbit/s and the uplink rate can reach 896 kbit/s. Because the downlink rate is much higher than the uplink rate, the technology is called asymmetric DSL.

1. In most DSL applications, users obtain a large amount of data from the backbone network while sending little. For example, Internet access and video on demand require high-speed downstream data transmission, while only a small amount of address and command information is sent upstream.

2. The asymmetric transmission greatly reduces near-end crosstalk.

ADSL supports the transmission of data signals and traditional analogue voice signals over the same twisted-pair cable. The breakthrough of ADSL compared with other DSL technologies is that it provides voice service over the same twisted pair, which simplifies deployment and saves cabling costs.

These technical features and the usability of ADSL have made it the widely used access technology.

In October 1998, the ITU released the recommended ADSL standards G.992.1 and G.992.2.

G.992.1, also called G.dmt, specifies full-rate ADSL. The maximum downlink rate is 8 Mbit/s and the maximum uplink rate is 896 kbit/s.

G.992.2, also called G.lite, specifies ADSL without splitters. Doing without splitters lowers installation complexity and cost, but it also reduces the transmission rate: the maximum downlink rate is 1.536 Mbit/s and the maximum uplink rate is 512 kbit/s.

ADSL system initialization tests the performance of the channel and coordinates the transmission configuration between the ATU-C and ATU-R, for example the uplink and downlink bandwidth, the number of sub-bands, and the parameters to be exchanged, so that an available communication link is established. Initialization can be originated by either the ATU-R or the ATU-C. When the ATU-C originates it, the ATU-C sends activation request signals on power-on, signal loss, or self-test and waits for the ATU-R response; this is attempted at most twice. If the ATU-C receives no response, it waits for the ATU-R to send activation request signals or for the network to instruct a retry. When the ATU-R originates initialization, the ATU-R continuously sends activation request signals on power-on or self-test. ADSL initialization is divided into five major processes: activation request, acknowledgement, transceiver training, channel analysis, and parameter exchange.

The activation request and acknowledgement processes form the handshake that is necessary during initialization. Generally, on power-on, signal loss, or self-test, the system performs initialization; during it, the ATU-C and ATU-R transceivers are enabled to perform the handshake, which complies with the G.hs (G.994.1) protocol.

Through transceiver training and channel analysis, the transceivers learn the signal transmission characteristics and determine the transmission parameters.

During parameter exchange, the local receiver exchanges device parameters with the remote transmitter to ensure that the parameters sent and received match. The exchanged parameters include the number of bits and the transmission rate of each DMT sub-carrier. To ensure optimal system performance, all parameters must be based on the results of transceiver training and channel analysis.

Transceiver training: the ADSL transceiver sends training information on each sub-channel to perform transceiver training.

Sub-channel analysis: the transceivers analyse the transmission channel from the received signals, including attenuation, signal-to-noise ratio, and the number of data bits. Through sub-channel analysis, the transmission and parameter handling of the sub-channels are determined. After channel analysis is complete, the local receiver exchanges the preset parameters with the remote transmitter to ensure that the sent and received parameters match.

Power/rate adjustment during operation: for sub-channels with high attenuation and a low signal-to-noise ratio, signal power can be increased; for sub-channels with a high signal-to-noise ratio, signal power can be reduced. The power adjustment range is 3 dB.

After initialization is complete, the system enters the normal working state. ADSL initialization is rate-adaptive, and the channel between the DSLAM and the ATU-R is established.

The Wireless Local Area Network (WLAN) is a hot technology in the communications industry. A WLAN is easy to deploy and use: during deployment you do not need to consider complex cabling and relocation. A WLAN, however, is not a completely wireless system. The servers and backbone network are still deployed on the fixed network; only the users are mobile.

Wireless client (STA)

On a network, all devices that connect to the wireless medium are called wireless clients (stations). Each must have a wireless network adapter supporting the 802.11 standard. Wireless clients are classified into APs and clients.

Access point (AP)

The AP converts frames between wired and wireless transmission between the user end and the LAN. It functions as a bridge between the wireless users and the LAN. The USG2100/2200 can function as an AP.

Client

The clients include end devices such as laptops, personal digital assistants, IP phones, PCs, and workstations equipped with wireless network adapters.

Wireless router

A wireless router is a router that provides wireless access, for example a router that provides L3 interfaces and functions as a Fat AP. Wireless clients reach the wired network, fixed network, or Internet through the wireless router. In this document, Fat AP and wireless router refer to the same device. USG2100/USG2200

Open system authentication

Open system authentication is the default authentication mechanism and the simplest one: no authentication is actually performed. When the authentication mode is set to open system, all clients are allowed to access the WLAN.

Shared key authentication

Shared key authentication is mainly applicable to pre-RSN devices and can be used only when WEP encryption is enabled. It is retained only for backward compatibility with legacy devices: the challenge text is sent in the clear and the response is the same text WEP-encrypted, so any eavesdropper obtains a usable keystream and can answer the next challenge without the key. It is therefore no stronger than open system authentication.

Wired Equivalent Privacy (WEP) encryption

WEP encryption was designed to protect the confidentiality of data exchanged between authenticated users on the wireless LAN and to prevent the data from being intercepted. Its RC4 keying and CRC-32 integrity check are known to be breakable, so WEP should be used only where legacy devices require it.

TKIP encryption

TKIP encryption enhances the security of the WEP protocol on pre-RSN devices. The security of TKIP is much higher than that of WEP encryption.

Advanced Encryption Standard (AES) encryption

AES encryption applies only to RSNA clients. AES is used in CCM mode, which combines counter mode (CTR) for confidentiality with CBC-MAC for integrity; this is the CCMP cipher suite and the highest encryption level.

Wi-Fi Protected Access (WPA)

WPA is used to secure wireless PC networks. WPA implements the major parts of the IEEE 802.11i standard and improves on the WEP authentication and encryption features.
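Why shared key authentication over WEP is kept only for legacy compatibility, as an added example that is not part of the Huawei material: a minimal model of the exchange in which the station WEP-encrypts the AP's 128-byte challenge, and an eavesdropper who saw one challenge/response pair reuses the recovered RC4 keystream (with the same IV, which WEP does not forbid) to answer a fresh challenge correctly without ever learning the key. The 40-bit key, the IV, the challenge generator and all function names are my own constructions; 802.11 headers and the management-frame framing are omitted.

```python
"""Added example (not from the Huawei material): a minimal model of WEP shared key
authentication showing why it is kept only for legacy compatibility. One observed
challenge/response pair yields a keystream that lets an eavesdropper answer the next
challenge without knowing the key. Key, IV and challenges are constructed."""
import random
import struct
import zlib

CHALLENGE_LEN = 128        # 802.11 shared key authentication challenge text length
IV_LEN = 3                 # 24-bit WEP initialisation vector


def rc4_keystream(key, length):
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_icv(data):
    """WEP integrity check value: CRC-32, little-endian, appended to the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """Frame body: IV || RC4(IV || key) XOR (plaintext || ICV)."""
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + xor_bytes(plaintext + wep_icv(plaintext), keystream)


def wep_decrypt(key, body):
    """Return the plaintext, or None when the ICV does not verify."""
    iv, cipher = body[:IV_LEN], body[IV_LEN:]
    plain = xor_bytes(cipher, rc4_keystream(iv + key, len(cipher)))
    data, icv = plain[:-4], plain[-4:]
    return data if icv == wep_icv(data) else None


# --- the two legitimate parties ------------------------------------------------------
def station_response(key, iv, challenge):
    """Station answers the AP's challenge by WEP-encrypting it (3rd authentication frame)."""
    return wep_encrypt(key, iv, challenge)


def ap_verify(key, challenge, response):
    """AP decrypts the response and accepts if it equals the challenge it sent."""
    return wep_decrypt(key, response) == challenge


# --- the eavesdropper, who never learns `key` ----------------------------------------
def recover_keystream(challenge, response):
    """Challenge (clear) XOR response (cipher) = the RC4 keystream for this IV."""
    iv, cipher = response[:IV_LEN], response[IV_LEN:]
    return iv, xor_bytes(challenge + wep_icv(challenge), cipher)


def forge_response(iv, keystream, new_challenge):
    """Reuse the IV and keystream to answer a different challenge correctly."""
    return iv + xor_bytes(new_challenge + wep_icv(new_challenge), keystream)


WEP_KEY = bytes.fromhex("0123456789")     # constructed 40-bit key known only to station and AP


def demo(seed=1):
    """Return (legitimate authentication accepted, forged authentication accepted)."""
    rng = random.Random(seed)                                        # constructed challenges

    def new_challenge():
        return bytes(rng.getrandbits(8) for _ in range(CHALLENGE_LEN))

    iv = b"\x00\x00\x01"
    challenge1 = new_challenge()
    response1 = station_response(WEP_KEY, iv, challenge1)
    legit_ok = ap_verify(WEP_KEY, challenge1, response1)
    seen_iv, keystream = recover_keystream(challenge1, response1)    # passive observation
    challenge2 = new_challenge()                                      # AP now challenges the attacker
    forged = forge_response(seen_iv, keystream, challenge2)
    return legit_ok, ap_verify(WEP_KEY, challenge2, forged)


if __name__ == "__main__":
    print(demo())   # (True, True): the forged response is accepted without the key
```

The recovered keystream is exactly as long as challenge plus ICV, which is all a forged response needs, and WEP gives the AP no way to reject a reused IV. That is the property behind the text's advice to treat shared key authentication as a backward-compatibility option only.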

3G is short for the third generation. The 3G concept was first proposed by the ITU in 1985 under the name Future Public Land Mobile Telecommunication System (FPLMTS). In 1996, FPLMTS was renamed International Mobile Telecommunications-2000 (IMT-2000). The name indicates that the system works in the 2000 MHz band, that its highest service rate is 2000 kbit/s, and that it was expected to enter commercial use around the year 2000.

On November 5, 1999, the ITU-R TG8/1 released the IMT-2000 radio interface technical specifications at its 18th meeting, which marked the completion of the radio interface standardization. 3G development and application then entered the implementation phase.

In May 2000, the ITU approved the IMT-2000 family of radio interface standards, which includes WCDMA, CDMA2000 and TD-SCDMA (WiMAX was added to the family later, in 2007). Code Division Multiple Access (CDMA) is the basis of the 3G technology.

The three main 3G standards are WCDMA (Europe), CDMA2000 (US), and TD-SCDMA (China).

Wideband CDMA (WCDMA) is also called CDMA Direct Spread. WCDMA is a 3G standard developed from the GSM network. It was proposed by Europe and is the same as the WCDMA standard proposed by Japan. WCDMA defines the evolution path GSM (2G) - GPRS - EDGE - WCDMA (3G). Because the system can be deployed on an existing GSM network, operators can implement the transition easily. It is predicted that the technology will be widely accepted in Asia, where GSM is widely deployed, so WCDMA has inherent market advantages.

CDMA2000 is the broadband CDMA technology developed from narrowband CDMA (CDMA IS-95) and is also called CDMA Multi-Carrier. It was proposed by Qualcomm of North America; Motorola, Lucent, and Samsung later joined the standardization organization. At present, Korea leads the implementation of this standard. CDMA2000 defines the evolution path CDMA IS-95 (2G) - CDMA2000 1x - CDMA2000 3x (3G). CDMA2000 1x is considered a 2.5G technology. Unlike CDMA2000 1x, CDMA2000 3x uses multi-carrier technology: the bandwidth is increased by aggregating three carriers. At present, China Telecom, which has deployed a CDMA IS-95 network, uses this scheme for its transition to 3G.

Time Division-Synchronous CDMA (TD-SCDMA) is the 3G standard defined by China. On June 29, 1999, Datang Telecom proposed it to the ITU. TD-SCDMA was first invented by Siemens. It features low radiation and is known as the green 3G standard. TD-SCDMA supports a direct transition to 3G without an intermediate 2.5G stage, so it is applicable to the evolution of GSM systems to 3G. Military networks also use the TD-SCDMA technology.

3G applications:

1. Broadband network: Broadband network connectivity is a major function of 3G phones. Users can use email services, write blogs, chat, search, and download pictures and music. These applications are already supported by the current wireless Internet portals, but GPRS network speeds cannot satisfy users. In the 3G era, 3G phones function as small PCs.

2. Video call: In the 3G era, traditional voice calls are expected to become less popular, with video calls and voice mailbox services becoming the mainstream services, so traditional voice call rates decrease. Video calls, with their strong visual impact and quick, direct nature, are popularized rapidly and are the most popular 3G function worldwide. QQ, MSN, or Skype already let users chat with friends face to face; with the high-speed data transmission of the 3G network, 3G phone users can do the same. When originating a video call, users face the phone and wear wired or Bluetooth earphones to view the image of the peer user. They can also record videos and send them to the peer user.

3. Mobile TV: From the carrier perspective, the release of 3G licenses removes a major technical barrier. The TD-SCDMA and CMMB standards promote the development of the entire industry. Streaming media software has become the most popular TV software on 3G mobile phones. The fluency and quality of video continuously improve and break through the earlier bottlenecks, so streaming media software is widely used.

4. Wireless search: The wireless search service is practical and easy to accept. Users can use search services conveniently on their mobile phones, and wireless search becomes a common search habit.

5. Mobile music: In Japan, where the wireless Internet is mature, mobile phone music is the most popular feature service. Music downloads on mobile phones are 50 times faster than on PCs. In the 3G era, a user can quickly download and save plenty of music over the wireless Internet, and the traffic cost for downloading music is low enough to be neglected.

6. Mobile online shopping: Most users are familiar with online shopping on PCs, for example on Taobao, but online shopping on mobile phones is not yet common. Actually, mobile e-commerce is in high demand among 3G network users. At present, 90% of mobile phone users in Japan and Korea are used to purchasing goods such as daily necessities over their mobile phones. Experts predict that the mobile online shopping service will develop rapidly in China. Users can enable network connection services on their mobile phones to query goods information and purchase goods online. The high-speed 3G network facilitates online shopping on mobile phones; high-quality images and video calls shorten the distance between sellers and buyers, improve the user experience, and popularize online shopping on mobile phones.

7. Mobile network games: Compared with PC network games, the user experience of mobile network games is poorer, but mobile network games are convenient. Young people prefer them because they can play whenever they have time, so mobile network games become an important revenue growth point on the 3G network. In the 3G era, game platforms become more stable and faster and support higher compatibility. The games are more fun, and users obtain better visual and game effects.

HCNA-Security V1.0 CBSN Chapter 6


VPN Overview


Traditional VPN networking mainly uses two modes: leased line VPN and client-based encryption VPN. A leased line VPN is a Layer 2 VPN built over a digital data network (DDN), ATM permanent virtual circuits (PVCs), or frame relay (FR) PVCs. The carrier maintains the backbone network and the customers manage their own sites and routes. In a client-based encryption VPN, all VPN functions are implemented by the client, and all members of the VPN are interconnected across the untrusted public network. The former is more costly and less scalable; the latter places higher requirements on the client's devices and operators.

The IETF draft defines the IP-based VPN as a private WAN emulated using IP mechanisms, which means that tunneling technology is used to emulate a point-to-point leased line over the public data network. "Virtual" means that users do not need physical leased lines for long-distance data transmission; instead, the long-distance links of the Internet are used to create the private network. "Private" means that users can customize a network that best suits their needs.

With the continuous development of IP data communications technology, the IP-based VPN is becoming the mainstream VPN technology. As the IP-based VPN is carried over the IP network, and carrier networks keep improving, its lower cost and QoS can meet customers' needs and it offers better scalability and manageability. Accordingly, more and more users choose IP-based VPNs, and carriers are building IP-based VPNs to attract users.


VPNs are implemented mainly through tunneling. However, because of the complicated services and the low security of public networks, other technologies, including encryption and decryption, key management, data authentication, and identity authentication, must also be used to ensure the data security of a VPN.

Tunneling

Tunneling is the core of the VPN technology. It refers to a data channel created over the public network, with encryption and decryption implemented at both ends, through which data packets are sent. A tunnel is formed by tunneling protocols, which are divided into Layer 2 and Layer 3 tunneling protocols. Layer 2 tunneling protocols are used to build remote access VPNs by carrying Layer 2 (PPP) frames. The main Layer 2 tunneling protocols are Layer 2 Forwarding (L2F), Point-to-Point Tunneling Protocol (PPTP), and Layer 2 Tunneling Protocol (L2TP); L2TP, developed by the Internet Engineering Task Force (IETF), combines PPTP and L2F. Layer 3 tunneling protocols are used to build intranet VPNs and extranet VPNs by carrying Layer 3 packets. The main Layer 3 tunneling protocols are VTP and IP Security (IPSec). IPSec is a suite of protocols that lets you choose the security protocols and algorithms and negotiate the keys used for the service, providing security at the IP layer.

Data authentication and identity authentication

Data authentication ensures that data cannot be altered undetected while it is sent over the network. It mainly uses hash algorithms: because a cryptographic hash cannot be inverted and, in practice, no two different inputs produce the same digest, the data is known to be unaltered when the recomputed digest matches the one received. Note that a bare hash only detects accidental corruption; an attacker who can modify the data in transit can simply recompute the digest. Authentication against an active attacker therefore uses a keyed hash (an HMAC) computed with a secret shared by the two ends, as IPSec does.

Identity authentication ensures the legitimacy and validity of the operators of a VPN, mainly using the user name and password mode. A USB key can also be used for higher security.

Encryption/decryption

Encryption/decryption is a mature technology in data communications. It is used in VPNs to ensure that data cannot be read by anyone who captures it on the network: the data is encrypted when it is encapsulated into the tunnel, and the peer decrypts it when it reaches the other end of the tunnel.

Key management

Key management mainly ensures that a key can be established between the two ends over an insecure public data network without being stolen. The typical application is the IKE protocol used by IPSec VPNs. Its principles are described in the following slides.
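The difference between a bare hash and a keyed hash for data authentication, as an added Python example (this is not code from the course material). The payload, the tampered payload and the shared key are constructed for the demonstration; the "attacker" is a man in the middle who can rewrite what passes over the public network but does not hold the key shared by the two tunnel endpoints.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from the course material):
# a tunnelled payload, the secret shared only by the two VPN endpoints,
# and the version an attacker on the public network wants to substitute.
PAYLOAD = b"transfer 100 to account 42"
TAMPERED = b"transfer 999 to account 42"
SHARED_KEY = b"k3y-shared-by-both-vpn-peers"


def bare_digest(data: bytes) -> str:
    """Integrity check with an unkeyed hash: anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: recomputing it requires the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_accepts_bare(data: bytes, digest: str) -> bool:
    """Receiver using a bare hash: recompute and compare."""
    return hmac.compare_digest(bare_digest(data), digest)


def receiver_accepts_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """Receiver using HMAC. compare_digest runs in constant time, so the
    comparison itself does not leak how many tag bytes were right."""
    return hmac.compare_digest(keyed_digest(key, data), tag)


def attack_on_bare_hash() -> bool:
    """Sender attaches SHA-256(payload). A man in the middle replaces both the
    payload and the digest. Returns True when the receiver accepts the forgery."""
    _sent = (PAYLOAD, bare_digest(PAYLOAD))
    forged_data, forged_digest = TAMPERED, bare_digest(TAMPERED)  # no key needed
    return receiver_accepts_bare(forged_data, forged_digest)


def attack_on_hmac() -> bool:
    """Same attacker against HMAC. Without SHARED_KEY the best he can do is tag
    the forgery under a guessed key. Returns True when the receiver accepts it."""
    _sent = (PAYLOAD, keyed_digest(SHARED_KEY, PAYLOAD))
    forged_tag = keyed_digest(b"guessed-key", TAMPERED)
    return receiver_accepts_hmac(SHARED_KEY, TAMPERED, forged_tag)


def legitimate_hmac_exchange() -> bool:
    """Both ends hold the key: the genuine payload verifies, an altered one does not."""
    tag = keyed_digest(SHARED_KEY, PAYLOAD)
    genuine_ok = receiver_accepts_hmac(SHARED_KEY, PAYLOAD, tag)
    altered_ok = receiver_accepts_hmac(SHARED_KEY, TAMPERED, tag)
    return genuine_ok and not altered_ok


if __name__ == "__main__":
    print("bare hash, forgery accepted:", attack_on_bare_hash())       # True
    print("HMAC, forgery accepted:     ", attack_on_hmac())            # False
    print("HMAC, genuine exchange ok:  ", legitimate_hmac_exchange())  # True
```

The first scenario is why "data authentication mainly uses the hash algorithm" is only half the story: the digest must be bound to a secret, which is what IPSec's authentication header and ESP integrity check do with HMAC.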


Cryptography is the discipline that studies how to transfer information securely, so it is usually considered a branch of mathematics and computer science, and it is closely related to information theory. With the development of computer networks and communications technologies, more importance has been attached to cryptology; it is widely used and is developing at an unprecedented speed. It is a main research topic in computer security and a focus of computer security courses abroad.

Cryptography is the main method of secret communication: it uses special symbols to hide language, text, and graphics. Secret communication is a method in which the original information is concealed in special symbols in a way agreed by both parties, so that a third party cannot understand it. In network communications, cryptography is usually used to conceal information before it is sent, so that the information cannot be read even if it is stolen or captured. This ensures the security of the information.

Encryption refers to the technique of changing plaintext into ciphertext using a cipher, to prevent anyone without the key from understanding the real meaning of the information or from altering, forging, or damaging it undetected. In an open network environment, encryption is very important for communication security. Encryption is the foundation of computer network security: it provides the technical means to achieve confidentiality, integrity, availability, and non-repudiation of information, and is therefore of great significance to computer network security.

Cryptography has four elements, namely, plaintext, key, encryption algorithm, and ciphertext. Encryption is expressed as:

C = En(K, P)

That is, a cipher can be regarded as a function of two inputs, where C stands for the ciphertext (the character sequence produced by encryption), P for the plaintext (the character sequence to be encrypted), K for the key (a secret value chosen by the communicating parties), and En for the encryption algorithm. Decryption is the inverse operation under the same key: P = De(K, C).

Encryption makes information readable only for the intended receivers and unintelligible for other users: the original contents can be recovered only after the right key is used to decrypt the information. Encryption protects data from being captured and read by unauthorized users, and so prevents theft of private information over networks. A simple example is the transmission of passwords. Passwords are very important because many security systems are based on them, and leakage of a password to some extent means the total breakdown of the security system. The protection of such information therefore requires the following security properties:

1. Confidentiality: provided by data encryption

It allows only certain users to access and read the information, and makes the information unintelligible to unauthorized users. This is the common objective of encryption: it ensures, by mathematical means, that only the corresponding receivers can read the information.

2. Integrity: provided by data encryption, a hash algorithm, or a digital signature

It ensures that data is not changed (altered, deleted, added to, or replayed) by unauthorized users during storage and transmission. For users that require high-level security, data encryption alone is not enough, because encrypted data can still be modified by unauthorized users even though they cannot read it, so a separate integrity check is needed.

3. Authentication: provided by data encryption, a hash, or a digital signature

It authenticates the data sent and the identities of the sender and receiver.

4. Non-repudiation: provided by asymmetric encryption and digital signatures, with the help of trusted registration or certification authorities

It prevents users from denying the statements or actions that they have performed. A shared symmetric key cannot provide non-repudiation, because either party holding the key could have produced the message.

As a method of protecting information, cryptography is not an invention of the modern world; it dates back a long time, to when humans first learned to communicate and had to find a way to keep their correspondence confidential. Before the 6th century BC, the ancient Greeks may have been the first people to use a technique to encrypt information. They used a rod called a scytale, around which a strip of parchment was wound, and wrote the message along the rod. The parchment was then sent to the receiver. Anyone who did not know the diameter of the rod, which was the key in this case, could not read the message.

About 50 BC, the Roman ruler Caesar invented a method of encrypting information in wartime, later called the Caesar cipher. Each letter of the plaintext is replaced by the letter three positions further down the alphabet, and the last three letters of the alphabet wrap around to the first three letters. For example, after encryption HuaweiSymantec becomes KxdzhlVbpdqwhf.

In more recent history, encryption was used mainly for military purposes, for example in the American War of Independence, the American Civil War, and the two World Wars. During the War of Independence, the rail fence cipher was used. In this method, the plaintext is written downwards and diagonally on successive "rails" of an imaginary fence, then upwards when the bottom rail is reached, and downwards again when the top rail is reached, until the whole plaintext is written out; the ciphertext is then read off rail by rail. During World War I, the Germans wrote codes based on a dictionary: for example, 10-4-2 means the 2nd word in the 4th paragraph on page 10 of the dictionary. In World War II, the most well-known cipher machine was the Enigma machine used by the Germans to encrypt their communications. Thanks to the efforts of Alan Turing and others in the Ultra project, the German ciphers were broken, which changed the course of the war.

In the 20th century, Americans also built computers to break German ciphers, at a time when people had not yet anticipated the information revolution that computers would bring to the world.

With the development of computers and their computing power, breaking traditional ciphers became an easy task. At the same time, the continuously growing use of computers in business and other fields made it more and more important to protect data and prevent the leakage of information. All these factors accelerated the development of encryption technologies. The introduction of public key cryptography in the United States was a milestone in that development.
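The two classical ciphers described above, written out as an added Python example (not code from the course material) so that the formula C = En(K, P) from the earlier slide has a concrete instance. The Caesar functions reproduce the HuaweiSymantec example; the brute-force function shows why a 26-key space offers no protection, which is the point the later discussion of key length makes. The rail fence text used below is a constructed sample.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """C = En(K, P): shift every letter K positions down the alphabet, wrapping
    from Z back to A. Case is preserved; non-letters pass through unchanged."""
    out = []
    for ch in plaintext:
        if ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + key) % 26])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """P = De(K, C): the inverse is a shift by -K under the same key."""
    return caesar_encrypt(ciphertext, -key)


def brute_force_caesar(ciphertext: str, crib: str) -> list:
    """The Caesar key space has only 26 keys, so an attacker tries them all and
    keeps every key whose output contains an expected word (a crib)."""
    return [k for k in range(26) if crib in caesar_decrypt(ciphertext, k)]


def _rail_pattern(length: int, rails: int) -> list:
    """Rail index visited by each plaintext position along the zig-zag."""
    pattern, row, step = [], 0, 1
    for _ in range(length):
        pattern.append(row)
        if row == 0:
            step = 1
        elif row == rails - 1:
            step = -1
        row += step
    return pattern


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Write the text in a zig-zag over `rails` rows, then read row by row.
    The number of rails is the key."""
    if rails < 2:
        return plaintext
    pattern = _rail_pattern(len(plaintext), rails)
    return "".join(ch for r in range(rails)
                   for ch, p in zip(plaintext, pattern) if p == r)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Replay the zig-zag to learn which positions belong to each rail, then
    hand the ciphertext letters back to those positions in order."""
    if rails < 2:
        return ciphertext
    pattern = _rail_pattern(len(ciphertext), rails)
    order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    plain = [""] * len(ciphertext)
    for c, i in zip(ciphertext, order):
        plain[i] = c
    return "".join(plain)


if __name__ == "__main__":
    print(caesar_encrypt("HuaweiSymantec", 3))            # KxdzhlVbpdqwhf
    print(brute_force_caesar("KxdzhlVbpdqwhf", "Huawei"))  # [3]
    sample = "WEAREDISCOVEREDFLEEATONCE"                   # constructed sample
    print(rail_fence_encrypt(sample, 3))                   # WECRLTEERDSOEEFEAOCAIVDEN
```

Both ciphers are substitution or transposition only, with key spaces small enough to enumerate by hand; they illustrate the En(K, P) model, not anything that should protect data today.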


Symmetric encryption: It is also called traditional cryptography (secret key or single-key algorithm). The decryption key can be derived from the encryption key; in practice the sender and receiver hold the same key, which is used for both encryption and decryption (also called the symmetric key or session key). Symmetric encryption is an efficient method for encrypting large amounts of data.

Symmetric encryption has many algorithms, all used for the same goal: change plaintext into ciphertext and change it back into the original plaintext. The ciphertext is produced under a key, without which the ciphertext is meaningless to everyone. As the same key is used for encryption and decryption, the security of the encryption depends on whether the key is obtained by unauthorized users. Note that both parties that want to use symmetric encryption must exchange the key securely before exchanging encrypted data.

Key length is the main measure of the strength of a symmetric encryption algorithm, assuming the algorithm itself has no structural weakness. The longer the key, the more keys must be tested before the right one is found, so the more difficult it is to break the cipher by exhaustive search. With a good algorithm and a sufficiently long key, it is infeasible in practice for anyone to derive the plaintext from the ciphertext.

Asymmetric encryption: Asymmetric encryption, also called public key encryption, is a form of encryption in which keys come in pairs. What one key encrypts, only the other can decrypt. Two keys are used, a public key and a private key, which are related mathematically. As their names imply, a private key must be kept secret by its owner, while a public key is openly distributed.

In this form of encryption, the public key can be transferred openly between the communicating parties or published in a public directory, but the private key is confidential. Only the private key can decrypt data encrypted with the public key, and only the public key can decrypt data encrypted with the private key. Like symmetric encryption, asymmetric encryption uses multiple algorithms, but symmetric and asymmetric algorithms differ. One symmetric algorithm can be substituted for another with little change, because they work in the same way; different asymmetric algorithms, however, work in totally different ways and cannot be interchanged.

Public key algorithms are complicated mathematical operations on very large numbers. Their limitation is that they are relatively slow. In practice they are used only for critical operations, such as exchanging a symmetric key between entities or signing the hash of an email (a hash is a fixed-length value obtained from the message using a one-way function, called a hash algorithm).

A symmetric key algorithm system includes:

Plaintext: the original message or data, which is input to the algorithm.

Encryption algorithm: performs substitutions and transformations on the plaintext.

Secret key: an input to the algorithm, determining exactly how the plaintext is substituted and transformed.

Ciphertext: the scrambled output message, which depends on both the plaintext and the secret key. For the same message, two different keys generate two different ciphertexts.

Decryption algorithm: essentially the encryption algorithm run in reverse; it takes the ciphertext and the same key and recovers the plaintext.

Encryption process:

1. The sender uses the key K to encrypt the plaintext X into the ciphertext Y. This process is expressed as Y = E[K, X].

2. The receiver uses the same key K to decrypt the ciphertext Y back into X. This process is expressed as X = D[K, Y].

The following two requirements should be met to ensure the security of symmetric encryption:

1. A strong algorithm is needed. This means the algorithm must be strong enough that an attacker who has ciphertext, or even matching pairs of plaintext and ciphertext, cannot recover the key.

2. The key must be delivered securely. The sender must convey the key to the receiver in a way that prevents any third party from learning it.

Many mathematical algorithms can be used to implement symmetric encryption, and they fall into two categories:

Stream algorithms

A stream algorithm, or stream cipher, processes its input continuously, generating one output element at a time. A typical stream algorithm encrypts the plaintext one byte at a time: the key is fed into a pseudo-random byte generator to produce an apparently random byte stream, called the key stream, which is combined with the plaintext. Stream algorithms are commonly used for data communications channels, browsers, and network links.

Common stream encryption algorithm: RC4, created by Ron Rivest for RSA Security in 1987. It is a variable-key-size stream cipher whose byte-oriented operations are fast enough to encrypt traffic in real time. Note that RC4 has since been shown to have significant biases in its key stream and is now prohibited in TLS (RFC 7465); it should be considered legacy.

Block algorithms

A block algorithm, or block cipher, takes a block of plaintext and the key as input. The block is divided into two halves that are processed for n rounds and then combined into a ciphertext block; the input of each round is the output of the previous round, and each round uses a subkey derived from the key. The typical block size is 64 bits.

The operation of a symmetric block cipher is determined by the following parameters and design features:

Block size: with other conditions fixed, a larger block means higher security but lower encryption/decryption speed. The typical block size is 64 bits.

Key size: a larger key size means higher security but lower encryption/decryption speed. The typical key size is 128 bits.

Number of rounds: one round of processing cannot provide sufficient security in a block cipher; multiple rounds provide better security. The typical number of rounds is 16.

Subkey generation algorithm: the more complicated the subkey generation algorithm (key schedule), the more difficult it is to break the cipher.

Round function: the more complicated the round function, the more difficult it is to break the cipher.

Common symmetric block encryption algorithms include DES, 3DES, and AES.

Data Encryption Standard (DES)

DES was the first widely used encryption algorithm. It uses the same key to encrypt and decrypt data. DES is a block cipher: a 64-bit plaintext block and a 56-bit key are input to generate a 64-bit ciphertext block. It uses diffusion and confusion. Each 64-bit block is divided into two halves, and the halves are processed with a subkey (this is one round). DES runs 16 rounds, and each round uses a different 48-bit subkey derived from the 56-bit key.

DES is fast and easy to implement. It has been in use for 26 years, so it is built into a lot of hardware and software. However, distributing and managing the key is difficult, because DES depends on a single shared key.

Triple DES (3DES)

DES can be broken by modern servers by brute force, so it cannot provide enough security. Triple DES solves this problem by using two 56-bit keys, a 112-bit key in total: data is first encrypted with the first 56-bit key, then decrypted with the second 56-bit key, and finally encrypted again with the first key. The greatest advantage of Triple DES is that existing DES software and hardware can be reused, so it is easy to implement on the basis of the DES algorithm.

Advanced Encryption Standard (AES)

DES and 3DES are relatively slow. Therefore, the National Institute of Standards and Technology (NIST) published AES (FIPS 197) in 2001. AES uses a block size of 128 bits and supports key sizes of 128, 192, and 256 bits, as well as different platforms. A 128-bit key provides sufficient security and needs less processing time than the longer keys. To date, AES has no material weakness. The trend is for AES to replace DES and 3DES to enhance both security and efficiency.
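The block-cipher structure described above (a 64-bit block split into two halves, 16 rounds, one subkey per round from a key schedule, a round function, and decryption that reuses the same rounds), as an added Python example that is not part of the course material. It is a toy Feistel network written for this page, not DES and not secure: the round function and key schedule are built from SHA-256 purely so the structure can be run and inspected. The demo key and plaintext block are constructed.

```python
import hashlib
import struct

BLOCK_BYTES = 8     # 64-bit block, split into two 32-bit halves L and R
ROUNDS = 16         # the same round count DES uses
SUBKEY_BYTES = 4    # one 32-bit subkey per round here (DES derives 48-bit subkeys)


def key_schedule(key: bytes, rounds: int = ROUNDS) -> list:
    """Subkey generation: derive one subkey per round from the master key.
    Toy schedule: K_i = SHA-256(key || i) truncated. Not the DES key schedule."""
    return [hashlib.sha256(key + bytes([i])).digest()[:SUBKEY_BYTES]
            for i in range(rounds)]


def round_function(right: int, subkey: bytes) -> int:
    """F(R, K_i): the nonlinear part of a round (confusion). Toy F from SHA-256."""
    digest = hashlib.sha256(struct.pack(">I", right) + subkey).digest()
    return struct.unpack(">I", digest[:4])[0]


def feistel_encrypt_block(block: bytes, subkeys: list) -> bytes:
    """Each round: (L, R) -> (R, L xor F(R, K_i)). Swapping the halves every
    round spreads each input bit across the whole block (diffusion)."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("exactly one 64-bit block expected")
    left, right = struct.unpack(">II", block)
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    # Undo the final swap so that decryption is literally the same network.
    return struct.pack(">II", right, left)


def feistel_decrypt_block(block: bytes, subkeys: list) -> bytes:
    """Feistel decryption never inverts F: it runs the same rounds with the
    subkeys in reverse order, which is why DES hardware serves both directions."""
    return feistel_encrypt_block(block, list(reversed(subkeys)))


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits; used to observe diffusion."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key = b"sixteen byte key"          # constructed 128-bit demo key
    subkeys = key_schedule(key)
    plain = b"ATTACK@9"                # exactly one 64-bit block, constructed
    cipher = feistel_encrypt_block(plain, subkeys)
    assert feistel_decrypt_block(cipher, subkeys) == plain
    flipped = bytes([plain[0] ^ 0x01]) + plain[1:]
    print("ciphertext:", cipher.hex())
    print("bits changed by a 1-bit plaintext change:",
          hamming_distance(cipher, feistel_encrypt_block(flipped, subkeys)), "of 64")
```

The example encrypts a single block. Encrypting a longer message additionally needs a mode of operation and padding, which this course does not cover here; encrypting each block independently leaks equal-block patterns and should not be copied into real code.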

International Data Encryption Algorithm (IDEA)

IDEA is a symmetric encryption algorithm that takes a 64-bit plaintext block and a 128-bit key and produces a 64-bit ciphertext block. IDEA is used in PGP.

RC2, RC5, RC6

RC2 is a variable-key-size encryption algorithm designed by Ron Rivest for RSA Security. It is a block cipher that encrypts data in 64-bit blocks. It accepts keys over a wide range of sizes, and its speed depends on the key size. RC5 is a newer algorithm designed by Rivest for RSA Security in 1994. Like RC2, RC5 is a block cipher, but it supports different block and key sizes and a configurable number of rounds; it is normally suggested to use RC5 with a 128-bit key and 12 to 16 rounds. It is thus a cipher with variable block size, key size, and number of rounds.

RC6 is unlike other newer encryption algorithms in that it defines a whole family of algorithms. RC6 was introduced in 1998 as a successor to RC5, after RC5 was found to have a weakness for a particular number of rounds; RC6 was designed to address this weakness.

Advantages and disadvantages of symmetric key algorithms:

Advantages: symmetric algorithms are more than 100 times faster than asymmetric ones and can be implemented easily in hardware.

Disadvantages: the main disadvantages are complicated key management and the lack of non-repudiation. Because each pair of communicating parties needs a different key, n(n-1)/2 keys are needed for n parties, and how to deliver these secret keys to the receivers securely is the biggest problem. Since there is no signature mechanism, non-repudiation cannot be achieved: either party can deny what it has sent or received.
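The stream algorithm described two slides earlier (a key fed into a pseudo-random byte generator, the resulting key stream XORed with the plaintext one byte at a time), as an added Python example that is not part of the course material. The generator is a toy built from SHA-256 in counter mode so the mechanism is visible; RC4 is not reimplemented here. The example also shows the classic stream-cipher failure mode, reusing one key stream for two messages, which is a key management problem of exactly the kind the slide lists as the main disadvantage of symmetric keys. All keys, nonces and messages below are constructed.

```python
import hashlib
from itertools import count


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random byte generator seeded with the key and a per-message nonce:
    concatenates SHA-256(key || nonce || counter) blocks until `length` bytes
    exist. Toy generator for illustration only."""
    out = bytearray()
    for ctr in count():
        if len(out) >= length:
            break
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Byte at a time: C[i] = P[i] xor KS[i]. Any length, no padding needed."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def stream_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return stream_encrypt(key, nonce, ciphertext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_second_message(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Failure mode: two messages encrypted under the same key AND nonce share a
    key stream, so C1 xor C2 = P1 xor P2. An attacker who knows P1 (a predictable
    header, say) recovers P2 without ever learning the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


if __name__ == "__main__":
    key, nonce = b"session-key-0123", b"nonce-01"     # constructed demo values
    p1, p2 = b"attack at dawn", b"hold positions"     # constructed, same length
    c1 = stream_encrypt(key, nonce, p1)
    c2 = stream_encrypt(key, nonce, p2)               # nonce reuse: the mistake
    print("decrypts:", stream_decrypt(key, nonce, c1))          # b'attack at dawn'
    print("leaked  :", recover_second_message(c1, c2, p1))      # b'hold positions'
```

The leak is why every real stream cipher deployment pairs the key with a value that never repeats (RC4 in WEP famously did this badly, with a 24-bit IV). A stream cipher also offers no integrity on its own: flipping a ciphertext bit flips the same plaintext bit, so it must be combined with a keyed integrity check.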

The asymmetric algorithm is also called public key encryption. Two different, mathematically related keys are used: a public key, which can be passed openly between the communicating parties or published in a public directory, and a private key, which is kept confidential. Only the private key can decrypt data encrypted with the public key, and only the public key can decrypt data encrypted with the private key. As with symmetric encryption, several asymmetric algorithms exist, but they work in fundamentally different ways from one another and cannot be interchanged.

An asymmetric key algorithm system includes:

Plaintext: the readable message or data, which is input to the algorithm.

Encryption algorithm: transforms the plaintext.

Public key and private key: a chosen pair of keys. If one is used for encryption, the other is used for decryption. The public key is open and the private key is confidential.

Ciphertext: the scrambled output message, which depends on both the plaintext and the key. For the same message, two different keys generate two different ciphertexts.

Decryption algorithm: takes the ciphertext and the matching key and recovers the plaintext.

Encryption process:

1. Each user generates a pair of keys.

2. Each user places one of the keys in a public register or an accessible file as the public key, and keeps the other as the private key. Each user also keeps the public keys of other people.

3. As shown in the figure, a sender who wants to send a message to a receiver looks up the receiver's public key PU, in a local store or in the public key directory, and uses it to encrypt the message X into the ciphertext Y. This process is expressed as Y = E[PU, X]. The ciphertext is then sent to the receiver.

4. On receiving the ciphertext Y, the receiver uses his or her private key PR to decrypt Y into the plaintext X. This process is expressed as X = D[PR, Y]. Only the receiver has the private key, so nobody else can decrypt the ciphertext.

Symmetric key algorithm

1. The advantage of symmetric keys is that they are more than 100 times faster than asymmetric keys and can be implemented easily through hardware.

2. The main disadvantage is the complicated management of keys. As each pair of communicators needs a different key, n(n-1)/2 keys are needed when n people are communicating. How to share these secret keys with receivers in a secure way is the biggest problem. Since there is no signature mechanism, non-repudiation cannot be achieved, which means both parties in communications can deny what they have sent or received.

Asymmetric key algorithm

1. The main advantage of asymmetric keys is that the key is open. As the encryption key (public key) is different from the decryption key (private key), the decryption key cannot be deduced from the encryption key. Therefore, the public key can be open to all users. The public key provides an effective way to send the secret keys used to encrypt a large amount of data. Private keys are used for encryption and public keys for decryption mainly in digital signatures.

2. The main limitation is speed. In fact, it is usually used only for critical events, such as entities exchanging the symmetric key or signing the hash of an email (a hash is a fixed-length result obtained using a one-way function, which is called a hash algorithm).

Page 318

Symmetric and asymmetric algorithms are often combined for key encryption and digital signatures to achieve both security and optimal performance.

Page 319

Key exchange: combination of symmetric key and asymmetric key

Symmetric algorithms are suitable for encrypting data fast and securely. However, the sender and receiver must exchange the secret key before exchanging data. Combining the symmetric algorithm for encrypting data with the public key algorithm for exchanging secret keys is a fast and flexible solution.

Steps of key exchange based on the public key:

1. The sender gets the public key of the receiver.

2. The sender creates a random secret key (the only key used in symmetric encryption).

3. The sender uses the secret key and the symmetric algorithm to encrypt the data in plain text to cipher text.

4. The sender uses the receiver's public key to encrypt the secret key to a ciphered secret key.

5. The sender sends the ciphered data and the ciphered secret key to the receiver.

6. The receiver uses the private key to decrypt the ciphered secret key to plain text.

7. The receiver uses the secret key to decrypt the ciphered data to plain text.

Page 320

Features:

1. A one-time symmetric key (session key) is generated.

2. The session key is used to encrypt the information.

3. The receiver's public key is used to encrypt the session key, because the session key is short and therefore cheap to encrypt and decrypt with the slower asymmetric algorithm.

Page 321

Encryption principles of hash algorithms

In communication, the sender usually performs a hash calculation on the data to be sent to get a hash value, and sends the data together with the encrypted hash value. After receiving the data, the receiver performs the hash calculation on the data and compares the result with the received hash value. If they are the same, the data has not been damaged or altered. Hash encryption is a method in which both parties in communications compare their hash values to determine whether the information has changed. This can be used to verify the integrity of information. The other function of hash encryption is for signatures on documents.

Hash algorithm examples:

Message-Digest Algorithm 5 (MD5)

MD5 is a unidirectional function (hash algorithm) evolving from MD2, MD3, and MD4, and can generate a 128-bit hash value. It was developed by R. Rivest, the chief designer of RSA (a well-known public-key encryption algorithm), in the 1990s. MD5 mainly functions to compress a large number of files before they are signed by the digital signature software with the private key. This compression is irreversible. MD5 has been optimized so that it can be used on Intel processors. The principles of this algorithm were leaked, and this is why it is not popular.

Page 322

SHA-1

SHA-1 is a popular unidirectional hash algorithm used to create digital signatures. Similar to the Digital Signature Algorithm (DSA), Secure Hash Algorithm 1 (SHA-1) was also designed by the NSA and was included in the Federal Information Processing Standard (FIPS) by the NIST as a standard for hashing data. It can change a character string of any length into a 160-bit hash value. The SHA is similar to MD4 and MD5 in structure. Although it is 25% slower than MD5, it is more secure. The message digest it generates is 25% longer than that of MD5, so it is safer against attacks. However, vulnerabilities of SHA-1 were detected; therefore, the more secure SHA-224, SHA-256, SHA-384, and SHA-512 were gradually promoted before 2010.

Page 323

The digital signature technology is a typical application of public-key based cryptography.

In the application process of digital signatures, the sender uses his/her private key to encrypt the variables for data verification and/or related to the data contents, so as to put a valid signature on the data. Then the receiver uses the sender's public key to read the digital signature received and uses the result for data integrity verification to ensure the signature validity. The digital signature is an important technology for confirming identities in a virtual network environment and can fully replace personal signatures with technical and legal approval. In the application of digital signatures, the sender's public key can be obtained easily, while the private key must be kept strictly confidential.

Digital signatures can be obtained through both public-key based cryptography and private-key based cryptography. Currently, digital signatures are usually based on public-key cryptography, including normal digital signatures and special digital signatures. Normal digital signature algorithms include RSA, ElGamal, Fiat-Shamir, Guillou-Quisquater, Schnorr, Ong-Schnorr-Shamir, DES/DSA, elliptic curve digital signature algorithms, and finite automaton digital signature algorithms. Special digital signatures include blind signatures, proxy signatures, undeniable signatures, fair blind signatures, threshold signatures, and signatures that can recover messages.

Digital signatures mainly function to ensure the integrity of information, authenticate the sender's identity, and prevent repudiation in transactions.

Page 324

Digital signatures can be used to check data integrity and provide evidence of possession of a private key. The steps of signature and data verification are as follows:

1. The sender processes the data with a hash algorithm to generate a hash value.

2. The sender uses the private key to change the hash value into a digital signature.

3. The sender sends the data and the signature to the receiver.

4. The receiver uses the sender's public key to decrypt the digital signature.

5. The receiver processes the received data with the hash algorithm to generate a hash value.

6. The receiver compares the hash value from the sender with the newly generated hash value to see if they are identical.

7. If the hash values are the same, the message was sent by the sender and has not been altered.

Page 325
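The following is an added example, not code from this course or from Huawei, that runs the two procedures described above end to end: the seven-step public-key based key exchange (a one-time session key protects the data, the receiver's public key protects the session key) and the seven-step hash-then-sign digital signature. It uses textbook RSA over two fixed Mersenne primes per user and a SHA-256 keystream as a stand-in for the symmetric cipher; both are assumptions made to keep the example self-contained and deterministic. Real deployments use padded RSA (OAEP/PSS) or ECDH for the key exchange and an authenticated cipher such as AES-GCM for the data, and never share or reuse fixed primes.

```python
"""Hybrid key exchange (steps 1-7) and hash-then-sign signatures (steps 1-7).

Added example. Toy RSA on fixed Mersenne primes; SHA-256 counter-mode keystream
stands in for the symmetric algorithm. Illustration only, not production crypto.
"""
import hashlib
import secrets

# Constructed, fixed Mersenne primes so the example needs no prime search and
# runs deterministically. Fixed or shared primes are never acceptable in a real
# system; each user would generate fresh random primes.
ALICE_PRIMES = ((1 << 127) - 1, (1 << 521) - 1)   # M127, M521 (sender)
BOB_PRIMES = ((1 << 107) - 1, (1 << 607) - 1)     # M107, M607 (receiver)


def make_keypair(primes, e=65537):
    """Return ((n, e), (n, d)): one user's public and private key."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def _keystream_xor(key, data):
    """Symmetric stand-in: XOR data with SHA-256(key || block counter) blocks.
    The same call encrypts and decrypts."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def hybrid_encrypt(receiver_pub, plaintext):
    """Sender side, key-exchange steps 2-5."""
    n, e = receiver_pub
    session_key = secrets.token_bytes(16)                   # step 2: one-time key
    ciphertext = _keystream_xor(session_key, plaintext)     # step 3: data under it
    wrapped = pow(int.from_bytes(session_key, "big"), e, n) # step 4: key under PU
    return wrapped, ciphertext                              # step 5: send both


def hybrid_decrypt(receiver_priv, wrapped, ciphertext):
    """Receiver side, key-exchange steps 6-7."""
    n, d = receiver_priv
    session_key = pow(wrapped, d, n).to_bytes(16, "big")    # step 6: unwrap with PR
    return _keystream_xor(session_key, ciphertext)          # step 7: decrypt data


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(sender_priv, data):
    """Signature steps 1-2: hash the data, transform the hash with the private key."""
    n, d = sender_priv
    return pow(_digest_int(data), d, n)


def verify(sender_pub, data, signature):
    """Verification steps 4-7: recover the hash with the public key, rehash the
    received data, and compare. False on any alteration of data or signature."""
    n, e = sender_pub
    return pow(signature, e, n) == _digest_int(data)


def demo():
    """Returns (decrypted_matches, signature_valid, tampered_signature_valid)."""
    alice_pub, alice_priv = make_keypair(ALICE_PRIMES)   # sender signs
    bob_pub, bob_priv = make_keypair(BOB_PRIMES)         # receiver decrypts
    msg = b"transfer 100 to account 42"                  # constructed message
    wrapped, ct = hybrid_encrypt(bob_pub, msg)
    sig = sign(alice_priv, msg)
    pt = hybrid_decrypt(bob_priv, wrapped, ct)
    altered = b"transfer 900 to account 42"
    return pt == msg, verify(alice_pub, pt, sig), verify(alice_pub, altered, sig)


if __name__ == "__main__":
    print(demo())   # expected: (True, True, False)
```

The signature covers the hash of the plain text, so the receiver must decrypt first and then verify, exactly as the two step lists are ordered. Because RSA without padding is used here, the hash value must be smaller than the modulus; with a 256-bit digest and a 600-bit-plus modulus that always holds in this example.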

A digital certificate comprises three parts, namely, main body, algorithm, and signature.

The main body consists of:

Version: Indicates the version of the X.509 certificate, and can currently be v1 (0), v2 (1), or v3 (2).

Serial Number: Indicates a unique digital ID assigned by the Certification Authority (CA) to a certificate. When the certificate is revoked, its serial number is actually added to the Certificate Revocation List. This is the only reason for the existence of serial numbers.

Signature: Indicates the signature algorithm used when the CA issues a certificate. It specifies the public-key algorithm and hash algorithm used when the CA issues a certificate, and should be registered at a well-known international standardization organization, such as the ISO.

Issuer: Indicates the X.509 DN name of the CA that issues the certificate, including the country, province/city, region, organization, department, and common name.

Validity: Indicates the validity period of a certificate, including the effective date and time and the expiration date and time. Every time the certificate is used, its validity is verified.

Page 326

Subject: Indicates the unique X.509 name of the certificate holder, including the country, province/city, region, organization, department, common name, and possibly personal information such as email.

Subject Public Key Info: It comprises two parts of important information, namely, the subject public key and the ID of the algorithm used by the public key. This ID includes the public key algorithm and hash algorithm.

Certificate Revocation List (CRL): It provides an effective way for applications and other systems to verify certificates. When any certificate is revoked, the CA notifies all related parties by releasing the CRL.

A digital certificate is in electronic form and can be downloaded from the Internet or obtained through other means. A digital certificate can be stored on an IC card, which means it is written to an IC card, so that users can carry the IC card and enjoy secure E-business services on E-business terminals that can read the IC card. Users can also download or copy certificates issued by the CA to a disk, their PCs, or smart terminals. When they use their terminals for E-business services, the certificates can be read directly from their terminals.

Page 327
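As an added example (not part of this course material), the following Python code shows the checks an application makes on the main-body fields listed above every time a certificate is used: the version value, the issuer, the signature algorithm, the validity period, and the serial number against a CRL from the same issuer. The certificate and CRL objects are constructed in memory rather than parsed from DER, the distinguished names and serial numbers are made up, and the CA's signature over the certificate body is assumed to have been verified separately; those are the example's assumptions. The one design point worth noting is that a stale CRL is treated as "revocation status unknown" and the certificate is rejected, rather than silently accepted.

```python
"""Field checks on an X.509 main body plus CRL lookup. Added example; all
names, serials and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Certificate:
    version: int              # encoded value: 0 = v1, 1 = v2, 2 = v3
    serial_number: int        # unique per CA; the handle used by the CRL
    signature_algorithm: str  # public-key algorithm + hash, as named by the CA
    issuer: str               # X.509 DN of the issuing CA
    not_before: datetime      # Validity: effective date and time
    not_after: datetime       # Validity: expiration date and time
    subject: str              # X.509 DN of the holder


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


def check_certificate(cert, crl, trusted_issuer, allowed_sig_algs, now):
    """Return (accepted, reason). Assumes the CA signature over the body was
    already verified; these are the per-use checks on the main-body fields."""
    if cert.version not in (0, 1, 2):
        return False, "unknown X.509 version value %d" % cert.version
    if cert.issuer != trusted_issuer:
        return False, "issuer is not the trusted CA: %s" % cert.issuer
    if cert.signature_algorithm not in allowed_sig_algs:
        return False, "signature algorithm not accepted: %s" % cert.signature_algorithm
    if not cert.not_before <= now <= cert.not_after:
        return False, "outside validity period"
    # Revocation: the CRL must come from the same CA and still be current.
    # A stale CRL gives no answer about revocation, so fail closed.
    if crl.issuer != cert.issuer:
        return False, "CRL issuer does not match certificate issuer"
    if not crl.this_update <= now <= crl.next_update:
        return False, "CRL is stale; revocation status unknown"
    if cert.serial_number in crl.revoked_serials:
        return False, "serial number %d is on the CRL" % cert.serial_number
    return True, "accepted"


# Constructed sample data (hypothetical CA and host names, made-up serials).
CA_DN = "C=CN, O=Example Corp, OU=PKI, CN=Example Root CA"
ALLOWED_ALGS = {"sha256WithRSAEncryption"}


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_CRL = CRL(CA_DN, _utc(2024, 6, 1), _utc(2024, 7, 1), frozenset({4102}))


def make_cert(serial, sig_alg="sha256WithRSAEncryption", issuer=CA_DN, version=2):
    """Build a constructed end-entity certificate valid for calendar year 2024."""
    return Certificate(version, serial, sig_alg, issuer, _utc(2024, 1, 1),
                       _utc(2025, 1, 1),
                       "C=CN, O=Example Corp, CN=vpn.example.test, "
                       "emailAddress=ops@example.test")


def demo():
    """Run the checks against several constructed certificates."""
    now = _utc(2024, 6, 15)
    args = (SAMPLE_CRL, CA_DN, ALLOWED_ALGS)
    return {
        "valid": check_certificate(make_cert(4101), *args, now),
        "revoked": check_certificate(make_cert(4102), *args, now),
        "expired": check_certificate(make_cert(4103), *args, _utc(2025, 3, 1)),
        "weak_alg": check_certificate(make_cert(4104, sig_alg="md5WithRSAEncryption"), *args, now),
        "stale_crl": check_certificate(make_cert(4101), *args, _utc(2024, 8, 1)),
        "wrong_ca": check_certificate(make_cert(4105, issuer="CN=Other CA"), *args, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```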

Page 328

Key management is an important part of data encryption technology. The objective of key management is to ensure the security of keys (authenticity and validity). In many cases, data encryption is in effect the application of the key, so the key is usually the main object to be protected against theft. Key management technologies include security measures taken regarding generation of keys, allocation and storage, and replacement and destruction.

Generation of keys

Hierarchical key management: the working key for data encryption should be generated dynamically and protected by the upper-layer encryption keys. The key on the top layer is the main key, the core of the whole key management system. The hierarchical key management system significantly enhances the reliability of the cryptography, because the working key that is used most frequently is changed all the time, while upper-layer keys are used less frequently. This makes it hard for attackers to break the cipher.

Allocation and storage

Allocation of keys refers to the process of generating and sending keys to users. A key can be transmitted in whole or in parts. When a whole session key is sent, it should be protected by the main key, and the main key should be sent through a secure channel. When a key is sent in parts, it is divided into multiple parts and sent through secret sharing. It can be recovered as long as enough of the parts are received. This method is suitable for transmission through an insecure channel.

Page 329

A key can be stored in whole or in parts. Methods for storing a key in whole include personal memory, an external memory device, key recovery, and system internal storage. The objective of storing a key in parts is to reduce the possibility of key leakage caused by the keeper or the device. The backup key can be stored in the same way as a key stored in parts, so that it will not be known to many people.

Replacement and destruction

Destruction of keys requires a management and arbitration mechanism; otherwise a key can be lost unintentionally, causing repudiation of usage.

Page 330

A key management system should be based on a set of standards, procedures, and security methods. They are used to:

1. Generate keys for different cryptographic systems and different application software.

2. Generate and obtain the public key.

3. Send a key to relevant users, including how to activate the key when they receive it.

4. Store the key, including how authorized users can get the key.

5. Change or update a key, including rules such as when and how to change the key.

6. Process a damaged key.

7. Activate a key, including how to withdraw or invalidate a key, for example, when a key is damaged or when a user leaves the organization (the key should be filed in this case).

8. Recover a lost or damaged key as part of service continuity management, for example, recovery of the encrypted information.

9. File keys for information filing or backup.

10. Destroy a key.

11. Record and check the key management activities.

Page 331

To reduce the possibility of damage, keys should have preset activation and termination dates, so that they can only be used within a limited time period. The period should be determined according to the environment in which cryptographic management measures are taken and the risks detected.

To address the legal requirements regarding access to cryptographic keys, some procedures need to be considered. For example, the decryption method of encrypted information may need to be submitted to the court. The contents of service level agreements or contracts entered into with external cryptographic service providers (for example, a contract signed with an authoritative certification organization) shall include responsibilities, service reliability, and service response time.

The cryptographic policies of the Organization for Economic Cooperation and Development (OECD) are as follows:

1. To strengthen people's confidence in using information and communications systems, cryptographic methods should be trustworthy.

2. Users can choose a cryptographic method at their discretion as long as it is allowed by law.

3. The development of cryptographic methods shall meet the different requirements of individuals, companies, and governments.

4. The criteria, standards, and protocols of cryptographic methods should be developed and issued nationally or internationally.

Page 332

5. Individual privacy, such as privacy of communications and personal data protection, should be respected under national cryptographic policies and in the implementation and use of cryptographic technology.

6. National cryptographic policies shall permit storage and retrieval of the plaintext or key of encrypted data according to law. However, this policy shall not interfere with the other principles in this guide.

7. The responsibilities of individuals or organizations that provide cryptographic services or hold, store, or obtain keys shall be specified in laws or contracts.

8. Governments shall coordinate the relationships between all parties in the development of cryptographic policies to prevent hindrance to normal trade or abuse of power.

Page 333

Page 334

VPNs can be divided into the access VPN, intranet VPN, and extranet VPN based on service types. These three types of VPNs correspond to the traditional access network, the enterprise Intranet, and the Extranet that is formed by the networks of an enterprise and its business partners.

Access VPN

If employees of an enterprise need to travel or work remotely, or the enterprise needs to provide a B2C secure access service, the Access VPN is a good choice. The Access VPN provides remote access to an enterprise's Intranet and Extranet through a shared infrastructure that has the same policies as a private network. It allows users to access the resources of an enterprise anytime and anywhere according to their needs. An Access VPN uses analog, dial-up, Integrated Services Digital Network (ISDN), x Digital Subscriber Line (xDSL), mobile IP, and cable technologies to securely connect mobile users, remote workers, and branches.

The Access VPN is suitable for companies that have many employees traveling or working remotely. Remote users can use the VPN service provided by the local ISP to build a private tunnel to connect to the enterprise's VPN gateway.

Page 335

Intranet VPN

The intranet VPN is a good choice for interconnecting the branches of an enterprise. Many companies today need to build offices, subsidiaries, and R&D centers all over the country or even around the world. The traditional way of connecting the networks of subsidiaries is leased lines. Apparently, as more and more subsidiaries and services are launched, networks become more complicated and expensive. VPN features can be used to build intranet VPNs worldwide over the Internet. The Internet ensures network interconnection, while VPN features, such as tunneling and encryption, ensure that data is sent securely within the entire intranet VPN. The intranet VPN connects the enterprise headquarters, remote offices, and branches through a shared infrastructure that uses dedicated connections. In this way, the Intranet has the same policies regarding security, QoS, manageability, and reliability as private networks.

Page 336

Extranet VPN

The Extranet VPN can be used to provide Business to Business (B2B) secure access. In the information age, companies attach more importance to information processing in the hope of providing the fastest and most convenient information service to customers and understanding their needs in various ways. Companies are also cooperating and exchanging information more frequently. The Internet has laid a sound foundation for this development.

How to use the Internet to achieve effective information management is a critical issue that companies need to address during their growth. The VPN technology can be used to establish a secure Extranet, not only providing effective information services to customers and business partners, but also ensuring the security of the Intranet.

An Extranet VPN connects customers, vendors, business partners, and people who have an interest in an enterprise to the Intranet through a shared infrastructure that uses dedicated connections. In this way, the Intranet has the same policies regarding security, QoS, manageability, and reliability as private networks.

Advantages of Extranet VPNs: external networks can be deployed and managed easily, and external network connections can be deployed using the framework and protocols that are adopted to deploy Intranet VPNs and Access VPNs. The main difference is that external users can access the Intranet and its resources only when they are authorized.

Page 337

Layer-3 VPN

The L3VPN refers to VPN technology working on the network layer of the protocol stack. For example, in the IPSec VPN technology, the IPSec header is on the same layer as the IP header, and the packets are encapsulated in IP-in-IP mode, or the IPSec header and IP header encapsulate the data payload at the same time. Besides the IPSec VPN, the other major L3VPN technology is GRE VPN, which was created early and is easy to implement. The GRE VPN can encapsulate any network protocol into another network protocol. Compared with IPSec, the GRE VPN does not ensure security and can only provide a limited, simple security mechanism.

Layer-2 VPN

Similar to the L3VPN, the L2VPN refers to VPN technology working on the data link layer of the protocol stack. Main L2VPN protocols include Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), and Layer 2 Tunneling Protocol (L2TP).

Page 338

Page 339

Page 340

Page 341

Page 342

L2TP VPN

HCNA-Security V1.0 CBSN Chapter 7

Page 343

Page 344

Page 345

Page 346

Page 347
Virtual Private Dial Network (VPDN) refers to a virtual private network that is implemented through the dialing function of a public network, such as the Integrated Services Digital Network (ISDN) or Public Switched Telephone Network (PSTN), and an access network. VPDN can provide access for enterprises, small Internet service providers (ISPs), and mobile office users.

Using specialized network communication protocols, VPDN is a virtual private network with a certain level of security established for an enterprise on the public network. Remote branches and employees on business trips can connect to the network at the headquarters through the public network and a virtual tunnel. Other users on the public network cannot pass through the virtual tunnel to access resources inside the enterprise.

VPDN can be implemented in either of the following modes:

1. A tunnel is set up between the client and the VPDN gateway through the NAS. In this mode, the PPP connection of the user is directed to the enterprise gateway. Currently, protocols such as L2F and L2TP can be used. The advantages of this mode are as follows: the enterprise network is transparent to the user; the user can access the enterprise network after logging in to the network just once; the enterprise network carries out user authentication and address allocation, and does not occupy any public addresses; users can use various platforms to access the Internet. This mode requires that the NAS supports VPDN and that the authentication system supports VPDN attributes. Commonly, a firewall or specialized VPN server functions as the gateway.

Page 348

2. A tunnel is set up directly between the client and the VPDN gateway. First, the client connects to the Internet. Then, the client connects to the gateway through certain dedicated software, for example, the L2TP client supported by Windows 2000. The advantage of this mode is that users can access the Internet without any limit on location or time, and the ISP does not need to be involved. The weaknesses of this mode are as follows: the user must install specialized software and is restricted by the platform used; in addition, the VPN is hard to maintain.

Page 349

Page 350

PPP defines a type of encapsulation technology. It can transmit various types of protocol packets over point-to-point links at Layer 2. In this case, PPP runs between users and the NAS, and the Layer-2 link endpoints and PPP session points reside on the same hardware. L2TP provides a tunnel for transmission of PPP packets at the link layer. It also allows Layer-2 link endpoints and PPP session points to reside on different devices and exchange information through a packet switched network. Therefore, L2TP extends the PPP model. From a certain angle, L2TP is an application of PPPoIP, like PPPoE, PPPoA, and PPPoFR. L2TP makes use of certain features of PPP to overcome its weaknesses. In addition, L2TP combines the advantages of L2F and PPTP. Therefore, it has become the IETF industry standard for Layer 2 tunneling protocols.

Page 351

Layer 2 tunneling protocols such as PPTP and L2TP are usually used in VPDN applications. They are based on PPP and inherit its full set of features.

User authentication

They inherit the user authentication mode of PPP. Several Layer 3 tunneling protocols are based on the assumption that the two endpoints of the tunnel know each other or are authenticated before the tunnel is created. There is still one exception: the ISAKMP negotiation of IPSec provides mutual authentication between tunnel endpoints.

Support of token card

By using the Extensible Authentication Protocol (EAP), L2TP supports several authentication methods such as One-Time Password, Cryptographic Calculator, and Smart Card. Layer 3 tunneling protocols also support similar methods; for example, IPSec determines public key certificate authentication through ISAKMP/Oakley.

Dynamic address allocation

L2TP supports dynamic allocation of user addresses based on the negotiation mechanism of the Network Control Protocol (NCP). Layer 3 tunneling protocols are commonly based on the assumption that addresses are allocated before the tunnel is set up. At present, address allocation in the IPSec tunnel mode is adopted.

Data compression

L2TP supports the PPP-based data compression mode. For example, the Microsoft PPTP and L2TP schemes use Microsoft Point-to-Point Encryption (MPPE). The IETF is developing a similar data compression mechanism that can be applied to Layer 3 tunneling protocols.

Page 352

Data encryption

L2TP supports the PPP-based data encryption mechanism. The PPTP scheme of Microsoft supports selection of MPPE on the basis of the RSA/RC4 algorithm. The Layer 3 tunneling protocol can also use similar methods. For example, IPSec determines optional data encryption methods through ISAKMP/Oakley negotiation. The Microsoft L2TP ensures the security of data flows between the client and server by using IPSec encryption.

Key management

As a Layer-2 protocol, MPPE relies on the key generated during user authentication and updates it regularly. IPSec negotiates the public key publicly during the ISAKMP exchange and updates it regularly.

Supporting multiple protocols

L2TP can transmit PPP data packets, and PPP supports multiple protocols in addition to IP. Several protocols can be encapsulated into PPP data packets so that tunnel users can access an enterprise network running multiple protocols such as IP, IPX, or NetBEUI. A Layer 3 tunnel protocol, for example, IPSec tunnel mode, only supports target networks that use IP.

Page 353

Reliability

L2TP supports a standby LNS. When the active LNS is unreachable, the LAC can reconnect to the standby LNS, thereby improving the reliability and fault tolerance of the VPN service.

Page 354

On an L2TP-constructed VPDN, the protocol components include three parts:

Remote system: The remote system consists of the remote users and branches that need to access the VPDN. It is usually a host of a dial-up user or a router on a private network.

LAC: The LAC is a device that is attached to the switched network and has PPP system and L2TP processing capability. Usually, it is a NAS of the local ISP and provides access service for PPP users. The LAC is located between the LNS and the remote system, and it is used to transmit information between them. It encapsulates packets from the remote end according to L2TP and then sends them to the LNS. Besides, it decapsulates information packets from the LNS and then sends them to the remote system. A local connection or PPP link is used between the LAC and the remote system. Usually, a PPP link is used in VPDN applications.

LNS: The LNS is both a PPP end system and a server for L2TP. The LNS usually acts as a border device on the enterprise network. Being the device at the other end of the L2TP tunnel, the LNS is the peer device of the LAC. The LNS is the logical end of the PPP session transmitted over the tunnel. By setting up an L2TP tunnel on the public network, it extends the other end of the PPP connection of the remote system to the LNS on the enterprise network.

Page 355

There are two types of messages on L2TP: control messages and data messages. A control message is used to set up, maintain, and delete sessions on the tunnel; a data message is used to encapsulate PPP frames and transmit them over the tunnel.

Page 356

Why is L2TP a Layer 2 VPN protocol? Because PPP packets are encapsulated behind the header of L2TP VPN protocol packets.

The LAC encapsulates PPP packets from the client in the following process:

1) Encapsulating the L2TP header: includes the Tunnel ID and Session ID used to identify the message. They are both IDs of the remote end instead of local ID information.

2) Encapsulating the UDP header: identifies the upper layer application. L2TP registers UDP port 1701. When the LNS receives messages on this port, it can identify them and send them to the L2TP processing module for further handling.

3) Encapsulating the public IP header: forwards packets on the Internet. Note that the LAC uses the start and end points of the L2TP tunnel as the addresses when encapsulating the IP headers of Internet packets.

Page 357

After the LNS receives an L2TP packet, the decapsulation process is as follows:

Check information in the Internet IP header and UDP header: The LNS first uses the UDP port to identify L2TP packets and then checks whether the source and destination addresses in the IP header are consistent with those of the established L2TP tunnel. If yes, it decapsulates the IP and UDP headers. Otherwise, it discards the packet.

Check information in the L2TP header: The LNS reads the Tunnel ID and Session ID in the packet header and checks whether they are the same as the L2TP Tunnel ID and L2TP Session ID that are locally established. If yes, it decapsulates the packet. Otherwise, it discards the packet.

Check information in the PPP header: The LNS checks the information in the PPP header and then decapsulates the PPP header.

Receive the IP packet of the private network: The packet handling process of the LNS is the same as that for common IP packets. It sends the IP packet of the private network to the upper layer module or routes it.

The encapsulation and decapsulation of packets from the LNS to the LAC are similar to the preceding process. The difference is as follows: during decapsulation at the LAC, after the public-network IP header, UDP header, and L2TP header are decapsulated, the PPP header is no longer decapsulated. Instead, the PPP packets are sent to the client through the PPP session.

Page 358

Ns: identifies the sequence number of a data or control message. For the first message the value is 0; it then increases by one for each message.

Nr: used by a control message; identifies the sequence number of the next control message to be received. Nr = Ns of the previously received message + 1. Nr is reserved in a data message; when a data message is received, Nr is ignored.

Offset size: indicates the offset of the payload relative to the L2TP header.

Offset pad: padding for the offset. It has no specific definition and is used only for formatting purposes.
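As an added example (not code from the Huawei course), the following Python decodes the L2TPv2 header fields described above (Tunnel ID, Session ID, Ns, Nr, Offset Size) and applies the LNS decapsulation checks from the previous slide in order: UDP port 1701, the source and destination addresses of the established tunnel, then the locally assigned Tunnel ID and Session ID. The tunnel state, addresses and packet bytes are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

L2TP_UDP_PORT = 1701  # registered L2TP port; the LNS uses it to recognise L2TP traffic


@dataclass
class L2TPHeader:
    is_control: bool      # T bit: control message (1) or data message (0)
    tunnel_id: int        # IDs of the receiving end, as the LAC wrote them
    session_id: int
    ns: Optional[int]     # sequence number of this message (only if S bit set)
    nr: Optional[int]     # next control message expected; ignored on data messages
    payload: bytes        # the PPP frame carried through the tunnel


def parse_l2tp(data: bytes) -> L2TPHeader:
    """Decode the variable-length L2TPv2 header (RFC 2661) in front of a PPP frame."""
    if len(data) < 6:
        raise ValueError("truncated L2TP header")
    (flags,) = struct.unpack("!H", data[:2])
    t_bit, l_bit = bool(flags & 0x8000), bool(flags & 0x4000)
    s_bit, o_bit = bool(flags & 0x0800), bool(flags & 0x0200)
    if flags & 0x000F != 2:
        raise ValueError("not an L2TP version 2 header")
    if t_bit and not s_bit:
        raise ValueError("control messages must carry Ns/Nr")
    pos = 2
    if l_bit:  # optional Length field gives the size of the whole message
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if length > len(data):
            raise ValueError("Length field exceeds the datagram")
        data = data[:length]
    tunnel_id, session_id = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    ns = nr = None
    if s_bit:
        ns, nr = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
    if o_bit:  # Offset Size: number of pad bytes between header and payload
        (offset,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2 + offset
    if pos > len(data):
        raise ValueError("offset points past the end of the datagram")
    return L2TPHeader(t_bit, tunnel_id, session_id, ns, nr, data[pos:])


@dataclass
class TunnelState:
    """Constructed model of one established tunnel as the LNS knows it."""
    lac_ip: str              # public address of the LAC (expected IP source)
    lns_ip: str              # public address of this LNS (expected IP destination)
    local_tunnel_id: int     # Tunnel ID this LNS assigned; the LAC must send it back
    local_session_ids: frozenset
    expected_ns: int = 0     # next control-message Ns expected from the LAC


def lns_accept(src_ip: str, dst_ip: str, dst_port: int, datagram: bytes,
               tunnel: TunnelState) -> Tuple[bool, str]:
    """Apply the LNS decapsulation checks in order: UDP port, IP pair, L2TP IDs."""
    if dst_port != L2TP_UDP_PORT:
        return False, "not an L2TP datagram"
    if (src_ip, dst_ip) != (tunnel.lac_ip, tunnel.lns_ip):
        return False, "IP addresses do not match the established tunnel"
    try:
        hdr = parse_l2tp(datagram)
    except (ValueError, struct.error) as exc:
        return False, f"malformed L2TP header: {exc}"
    if hdr.tunnel_id != tunnel.local_tunnel_id:
        return False, "Tunnel ID does not match the local tunnel"
    if hdr.is_control:
        # The control channel is reliable: Ns must be exactly the expected one,
        # so duplicated or out-of-order control messages are rejected.
        if hdr.ns != tunnel.expected_ns:
            return False, f"unexpected Ns {hdr.ns}, expected {tunnel.expected_ns}"
        tunnel.expected_ns = (tunnel.expected_ns + 1) & 0xFFFF
        return True, "control message accepted"
    if hdr.session_id not in tunnel.local_session_ids:
        return False, "Session ID does not match a local session"
    # Nr carries no meaning on a data message and is ignored; the PPP frame now
    # goes on to the PPP header check described above.
    return True, f"PPP frame of {len(hdr.payload)} bytes passed to PPP"


# Constructed samples (not captured traffic). Data message: T=0, S=1, Ver=2,
# Tunnel ID 7, Session ID 1, Ns=5, Nr=0, then a PPP frame carrying IP (0x0021).
SAMPLE_DATA_MSG = bytes.fromhex("0802 0007 0001 0005 0000 ff03 0021") + b"\x45" * 4
# Control message: T=1, L=1, S=1, Ver=2, Length 12, Tunnel ID 7, Ns=0, Nr=1.
SAMPLE_CTRL_MSG = bytes.fromhex("c802 000c 0007 0000 0000 0001")
TUNNEL = TunnelState("203.0.113.10", "198.51.100.1", 7, frozenset({1}))

if __name__ == "__main__":
    print(lns_accept("203.0.113.10", "198.51.100.1", 1701, SAMPLE_DATA_MSG, TUNNEL))
    print(lns_accept("203.0.113.10", "198.51.100.1", 1701, SAMPLE_CTRL_MSG, TUNNEL))
```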

1. The user PC initiates a call connection request.

2. The PC and LAC carry out PPP LCP negotiation.

3. The LAC carries out PAP or CHAP authentication of the user information provided by the PC.

4. The LAC sends the authentication information (user name and password) to the RADIUS server for authentication.

5. The RADIUS server authenticates the user. If the authentication succeeds, information such as the LNS address of the user is returned. In addition, the LAC initiates a tunnel connection request.

6. The LAC initiates a tunnel connection request to the specified LNS.

7. The LAC sends a CHAP challenge message to the specified LNS. The LNS responds to the challenge with a CHAP response and sends an LNS-side CHAP challenge message. The LAC responds to that challenge with a CHAP response message.

8. The tunnel authentication succeeds.

9. The LAC sends the CHAP response, response identifier, and PPP negotiation parameters to the LNS.

10. The LNS sends the access request message to the RADIUS server for authentication.

11. The RADIUS server authenticates the request message. If the authentication succeeds, it replies with a message.

12. If forcible CHAP authentication is configured locally, the LNS authenticates the user and sends a CHAP challenge message. The user replies with a CHAP response message.


Initiated by a remote dial-up user

L2TP in this mode allows mobile office users to initiate the L2TP tunnel connection. It requires that mobile office users install the VPDN client software and know the IP address of the LNS. The client software can be the Windows L2TP VPN dial-up software or the Huawei Secoway VPN Client.

LAC refers to the L2TP Access Concentrator. It is attached to the switching system and has the capabilities of a PPP end system and L2TP processing. Usually, the LAC is a NAS and provides access service for users through the PSTN/ISDN. LNS refers to the L2TP Network Server. It is a PPP end system that acts as the L2TP server.

The user accesses the ISP through the PSTN/ISDN, obtains the right to access the Internet, and then initiates the L2TP connection to the remote LNS. In this case, the user can initiate the connection request to the LNS directly and does not pass through a separate LAC. The address of the LAC client is allocated by the LNS.

The operations of each component are as follows:

LAC client: obtains a public network address first, keeps communicating with the LNS, and initiates a tunnel setup request to the LNS. The LAC client can initiate a tunnel connection request to the LNS and does not pass through a separate LAC device. The address of the LAC client is allocated by the LNS.

LNS: allocates a private network address to the user and allows the user to access the internal network.

Note: If you use the Windows L2TP client software, disable the IPSec function. The operation procedure is as follows:

1. Choose Start > Run, enter the regedit command, and then click OK to enter the registry editor.

2. In the navigation tree on the left, choose My Computer > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Rasman > Parameters. In the right pane of this path, check whether a value named ProhibitIpSec of data type DWORD exists. If it does not exist, right-click, choose New > DWORD Value, and name it ProhibitIpSec. If the value exists, do as follows.

3. Right-click the value, select Modify, and edit the DWORD value. Enter 1 in the Value Data text box, and then click OK.

4. Restart the PC so that the modification takes effect.

The authentication mode and tunnel authentication password on the client side must be consistent with those on the LNS side.


Note: The address pool number specified here must correspond to the address pool configured in the AAA view.

If the remote client01 command is added, the l2tp-group is not the default L2TP group, and only calls from Client01 are accepted. If the command has no remote client01, L2TP-group 1 is the default L2TP group, and all client calls can be accepted.

Think: What are the main functions of the default L2TP group?

If tunnel authentication is enabled for client-initiated L2TP, the L2TP client software must support it and have it enabled. The Secospace VPN client software supports this function.


L2TP in this mode allows users to initiate L2TP tunnel setup through the BAS when the user accesses the Internet. In this case, the user does not need to install the VPDN software. The user must access the Internet in PPP or PPPoE mode.

The user accesses the NAS (LAC) through the PSTN/ISDN. If the LAC identifies that the user is a VPN user, the LAC initiates a tunnel setup request to the LNS through the Internet. The address of the dial-up user is allocated by the LNS. Authentication and accounting of remote dial-up users are performed on the LAC or LNS side.

During authentication of the user name and password on the LAC, L2TP tunnel users can be identified by user name. Then, the LAC initiates the connection to the LNS automatically. In this manner, the user accesses the enterprise VPN. This scheme applies to access to the headquarters network from a small LAN.

The operations of each component are as follows:

1. VPN client: initiates a PPP (or PPPoE) connection to the LAC.

2. LAC: determines whether the user is an L2TP user. If so, it determines to which LNS the tunnel setup request should be sent.

3. LNS: allocates private network addresses to the user and allows the user to access the internal network.

The features of VPDN access in this mode are as follows:

1. The user must access the Internet in PPP mode, for example, PPPoE or conventional PPP dial-up mode.

2. The VPN service can be configured on the carrier access device (mainly the BAS).

3. The user needs to apply for this service from the carrier.

4. There are no requirements on the client. The user cannot tell that he has accessed the enterprise network. The carrier provides the L2TP tunnel service.

5. One tunnel carries several sessions.


Think: Why is it not necessary to set IP addresses on the LAC virtual interface template and the physical interface Ethernet 0/0/0?

The physical interface Ethernet 0/0/0 and the LAC virtual interface template are in the same security zone. You do not need to configure an interzone packet filtering policy.

Think: What are the differences between the two trigger mechanisms for L2TP tunnel setup, the full user name and the domain?


When the LNS end is configured with multiple L2TP groups, the system matches the remote LAC name configured for each L2TP group based on the group number. If no L2TP group matches, it determines whether L2TP group 1 allows access from all LACs, that is, whether no LAC name is configured. The other groups must be configured with the remote LAC name.

The LNS end of L2TP must be configured with the IP address of the virtual template. This template must be added to a zone.

If the undo tunnel authentication command is not configured, you must use the tunnel password command. The tunnel authentication password configured on the LAC must be consistent with that on the LNS. By default, the firewall requires tunnel authentication.

The address allocated to the dial-up user and the address of the internal network user must be in different network segments so that the L2TP dial-up user can access internal network addresses. Otherwise, when a PC on the internal network needs the MAC address of the dial-up user, it sends an ARP request for the corresponding IP address directly. The ARP packets cannot reach the dial-up user, the PC cannot obtain the MAC address for the user IP address, and the service is interrupted. To achieve normal forwarding on the same network segment, you can enable virtual forwarding, that is, run the virtual-l2tpforward enable and arp-proxy enable commands.

The troubleshooting roadmap for an L2TP tunnel interconnection failure is:

1. Run the display l2tp tunnel command to check whether the tunnel is set up.

Yes: go to step 3. No: go to step 2.

2. Check whether the IP address in the start l2tp ip insip command of the LAC L2TP group can be pinged successfully.

Yes: Check whether the l2tp-group configurations on the LAC and LNS correspond to each other. Check whether the tunnel name and authentication mode are correct.

No: Check whether the route is correct.

3. Run the display l2tp session command to check whether the L2TP session can be set up.

PPP authentication fails: Check whether the authentication mode of the LNS is correct.

IP address not allocated: Check the address pool configuration at the LNS end; the domain user address pool must be configured in the corresponding domain. If the index of the peer's address pool is not specified, address pool 0 is used by default.

Unstable: Check whether the VT is added to the domain.

4. Run the debug l2tp event/error command and the debug ppp lcp/pap/chap/ipcp command to view the prompted information.


GRE VPN

HCNA-Security V1.0 CBSN Chapter 8


GRE refers to the encapsulation of data packets of certain network layer protocols, such as IP, IPX, and AppleTalk, so that the encapsulated packets can be transmitted over another network layer protocol, for example, IP. GRE provides a mechanism in which a packet of one protocol can be encapsulated into a packet of another protocol so that packets can be transmitted over various types of networks. The packet transmission path is referred to as a tunnel.

A tunnel is a virtual point-to-point connection and can be considered a virtual interface that supports only point-to-point connections. This interface provides a path on which encapsulated packets are transmitted. Packets are encapsulated and decapsulated at the two ends of the tunnel.

To enable the transmission of certain network layer protocol packets (ATM, IPv6, and AppleTalk) on an IPv4 network, you can encapsulate these packets. This resolves the problem of packet transmission on various types of networks. GRE can also act as a Layer 3 tunneling protocol for VPN and provides a transparent transmission channel for VPN data. Being a transmission method, it is highly practical and defines only how packets of one protocol are encapsulated and forwarded over another protocol. Therefore, GRE is widely used in VPNs. When the system receives packets of a network layer protocol (for example, IPX) that need to be encapsulated and routed, the system adds a GRE header so that the packets become GRE packets. Then, they are encapsulated into another protocol, for example, IP. In this manner, packet forwarding is performed entirely by the IP protocol.

The relevant concepts are defined as follows:

Payload: data packets that the system receives and that need to be encapsulated and routed.

Passenger Protocol: the protocol of the packet before encapsulation.

Encapsulation Protocol: the GRE protocol described above is referred to as the encapsulation protocol, also called the carrier protocol.

Transport Protocol or Delivery Protocol: the protocol that is responsible for forwarding the encapsulated packets.

GRE features:

Simple mechanism; the CPU load on the devices at both ends of the tunnel is small.

Does not provide data encryption.

Does not verify the data source.

Does not ensure that data packets reach the destination.

Does not provide flow control or QoS.

A multi-protocol local network can be carried over a backbone network that runs a single protocol.

Discontiguous subnets can be connected to build a VPN.


During the implementation of GRE on a device, a tunnel interface, which is a virtual logical interface, needs to be created. A tunnel interface is a point-to-point virtual interface for packet encapsulation. It is similar to a loopback interface and is a logical interface.

A tunnel interface consists of the following elements:

Source address: the source address in the packet transport protocol. To the network over which an encapsulated packet is transmitted, the source address of a tunnel is actually the IP address of the interface through which the packet is transmitted.

Destination address: the destination address in the packet transport protocol. To the network over which an encapsulated packet is transmitted, the destination address of the local end of a tunnel is actually the source IP address of the tunnel's destination end.

IP address of a tunnel interface: to run a dynamic routing protocol on a tunnel interface or use static routes to advertise a tunnel interface, you must assign an IP address to the tunnel interface. The IP address of the tunnel interface does not have to be a public network address. You can borrow the IP address of another interface to save IP addresses. When the tunnel interface borrows an IP address, a dynamic routing protocol cannot be started on the interface because the tunnel interface has no IP address of its own. You must configure static routes or policy routes to ensure connectivity between the routers.

Encapsulation type: refers to the encapsulation mode in which a tunnel interface encapsulates a packet.

The common encapsulation modes are as follows: GRE, MPLS TE, IPv6-IPv4, and IPv4-IPv6. After a tunnel is manually configured and established successfully, you can treat the tunnel interface as a physical interface: you can run a dynamic routing protocol or configure static routes on the interface.

The transmission of a packet over a GRE tunnel consists of two steps: encapsulation and decapsulation. Take the network in the preceding figure as an example. If a private network packet is transmitted from FW A to FW B, encapsulation is carried out on FW A, and decapsulation is carried out on FW B.

FW A receives a private network packet on the interface connecting to the private network and sends the packet to the protocol module running on the private network for further processing. The protocol module checks the destination address in the packet header, searches the routing table or forwarding table for an egress, and determines how to route the packet. If the egress is a tunnel interface, the packet is sent to the tunnel module.

The tunnel module handles the received packet as follows:

1. The tunnel module performs GRE encapsulation of the packet according to the protocol type of the passenger packet and the Key and Checksum parameters configured for the current GRE tunnel. The tunnel module adds a GRE header to the packet.

2. The tunnel module adds an IP header to the packet according to the configuration (the transport protocol being IP). The source address of the IP header is the source address of the tunnel. The destination address of the IP header is the destination address of the tunnel.

3. The tunnel module sends the packet to the IP module for further processing. The IP module searches the routing table for the egress according to the address carried in the IP header and then sends the packet. The encapsulated packet is then transmitted over the public network.

The decapsulation process is the reverse of the encapsulation process. FW B receives the packet on the interface connecting to the public network and analyzes the IP header, finding that the destination of the packet is the local device and that the value of the protocol field is 47, which indicates GRE (see RFC 1700). The packet is then forwarded to the GRE module. The GRE module removes the IP and GRE headers from the packet and finds that the passenger protocol is a protocol that runs on the private network. The packet is sent to this protocol, which forwards it as an ordinary data packet.

The fields in a GRE packet header are defined as follows:

C: Checksum Present bit. 1: the Checksum field is present. 0: the Checksum field is absent.

K: Key Present bit. 1: the Key field is present in the GRE header. 0: the Key field is absent.

Recursion: the number of additional encapsulations that are permitted.

Flags: reserved bits. They must be set to 0.

Version: must be set to 0. The value 1 is used by PPTP (RFC 2637).

Protocol Type: type of the passenger protocol.

Checksum: IP checksum of the GRE header and the payload packet.

Key: the key field carried in the GRE header.

GRE provides two security mechanisms: checksum verification and keyword identification. Both mechanisms are weak. If more security is needed, you can combine GRE with a VPN technology that provides higher security, for example, IPSec.

Checksum verification refers to the end-to-end check of encapsulated packets. According to RFC 1701, if bit C in the packet header is 1, the checksum is valid. The Checksum field is optional in the GRE header. If bit C is 1, the sender calculates the checksum over the GRE header and payload. If the checksum in the received packet matches the checksum the receiver calculates, the packet is further handled. Otherwise, the packet is discarded. In a real application, the two ends of the tunnel can decide whether to configure the checksum as required and thereby whether to trigger the check function. Depending on the checksum configuration, received and sent packets are handled in different manners.

Keyword identification refers to checking the tunnel interface. This weak mechanism can prevent incorrectly identifying and accepting packets from other sources. According to RFC 1701, if bit K in the packet header is 1, the keyword field is inserted into the GRE header, and the sender and receiver verify the keyword. The keyword field contains four bits and is inserted into the GRE header during encapsulation. The keyword identifies a traffic flow in the tunnel; packets belonging to the same traffic flow use the same keyword. During decapsulation, the tunnel end identifies data packets of the same flow according to the keyword. The verification succeeds only when the keyword settings at both ends of the tunnel are consistent. Otherwise, packets are discarded. Consistent means that the keyword is set at neither or both ends, and the values of the keywords are the same.
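Added example, not part of the course material: a minimal GRE encapsulation and decapsulation in Python that builds the RFC 1701 header with the C and K bits, computes and verifies the checksum over header and payload, and enforces the key-consistency rule above (key set at neither or both ends, with the same value). It assumes the 4-octet Key field as RFC 1701 defines it and uses a constructed placeholder passenger packet.

```python
import struct
from typing import Optional, Tuple

GRE_IP_PROTOCOL = 47  # IP protocol number that tells the receiver the payload is GRE


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum as used by IP; RFC 1701 applies it to GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int, key: Optional[int] = None,
              checksum: bool = False) -> bytes:
    """Encapsulate: prepend an RFC 1701 GRE header with optional Checksum and Key."""
    flags = (0x8000 if checksum else 0) | (0x2000 if key is not None else 0)
    header = struct.pack("!HH", flags, proto)   # C R K S s Recur Flags Ver | Protocol Type
    if checksum:
        header += b"\x00" * 4                    # Checksum (zero for now) + Offset
    if key is not None:
        header += struct.pack("!I", key)         # 4-octet Key field (RFC 1701)
    if checksum:
        csum = ip_checksum(header + payload)     # covers GRE header and payload
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def decap_gre(packet: bytes, expected_key: Optional[int]) -> Tuple[bool, str, bytes]:
    """Decapsulate and apply the two weak checks: checksum first, then the key."""
    if len(packet) < 4:
        return False, "truncated GRE header", b""
    flags, proto = struct.unpack("!HH", packet[:4])
    c_bit, k_bit = bool(flags & 0x8000), bool(flags & 0x2000)
    if flags & 0x0007:                           # Version must be 0 (1 means PPTP, RFC 2637)
        return False, "unsupported GRE version", b""
    need = 4 + (4 if c_bit else 0) + (4 if k_bit else 0)
    if len(packet) < need:
        return False, "truncated GRE header", b""
    pos = 4
    csum = None
    if c_bit:
        (csum,) = struct.unpack("!H", packet[pos:pos + 2])
        pos += 4                                 # skip Checksum and Offset
    key = None
    if k_bit:
        (key,) = struct.unpack("!I", packet[pos:pos + 4])
        pos += 4
    if c_bit:
        # Recompute over header + payload with the Checksum field zeroed out.
        zeroed = packet[:4] + b"\x00\x00" + packet[6:]
        if ip_checksum(zeroed) != csum:
            return False, "checksum mismatch", b""
    # Key consistency: configured at neither or both ends, with the same value.
    if key != expected_key:
        return False, f"key mismatch: packet {key}, tunnel {expected_key}", b""
    return True, f"passenger protocol 0x{proto:04x}", packet[pos:]


# Constructed passenger packet: a placeholder IPv4 header (not real traffic).
PASSENGER = bytes([0x45]) + b"\x00" * 19

if __name__ == "__main__":
    pkt = build_gre(PASSENGER, 0x0800, key=1234, checksum=True)
    print(decap_gre(pkt, 1234))   # accepted
    print(decap_gre(pkt, None))   # key mismatch: local end has no key configured
```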


Step 1: Run the system-view command to enter the system view. Then, you can carry out the basic configuration. (omitted)

Step 2: Run the GRE configuration.

1. Run the interface tunnel number command to create a virtual tunnel interface and enter the tunnel interface view.

2. (Optional) Run the tunnel-protocol gre command to configure the encapsulation mode of the tunnel interface packet. When configuring the encapsulation format of the tunnel interface packet, ensure that the configuration at both ends of the tunnel is the same. At present, only the GRE encapsulation mode is supported. You cannot configure the same source and destination addresses for two or more tunnel interfaces that use the same encapsulation protocol.

3. Run the source { ip-address | interface-type interface-number } command to configure a source address for the tunnel interface. The source address of the tunnel should be the address of the actual physical interface, or the actual physical interface itself, through which GRE packets are sent. The destination address should be the IP address of the actual physical interface that receives the GRE packets.

4. Run the destination ip-address command to configure the destination address of the tunnel interface. The source address and destination address of the tunnel identify the tunnel. The addresses of the two ends are source and destination addresses to each other.

5. Run the ip address ip-address { mask | mask-length } command to configure the network address of the tunnel interface. To support dynamic routing protocols, you must configure the network address of the tunnel interface. The network address of the tunnel interface does not have to be a public network address. The network addresses configured for the two ends of the tunnel must be on the same subnet. These configurations must be present at both ends of the tunnel and be in the same network segment.

6. Run the gre checksum command to configure the end-to-end check at both ends of the tunnel. (optional)

7. Run the gre key key-number command to configure the identification keyword of the tunnel interface. (optional)

8. Run the quit command to return to the system view.

Step 3: Configure a route to the internal segment of the peer network. Run the ip route-static ip-address { mask | mask-length } { interface-type interface-number } [ preference value ] [ reject | blackhole ] command to configure a static route.

Step 4: Configure an interzone rule to ensure that interzone access is permitted between the Local zone and the security zone where the egress of the network resides. This allows GRE packets to enter the firewall for decapsulation. Also ensure that the corresponding rules for the security zones in which the internal and external networks reside are open, so that packets can enter the firewall for encapsulation.
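Added example (not Huawei code; the data model is hypothetical, not VRP syntax): a small Python checker for the consistency rules stated in Steps 2 to 4, run over constructed tunnel definitions for FW A and FW B. It checks that source and destination are mirrored, that the tunnel addresses share one subnet, that gre key is set on neither or both ends with the same value, that no two tunnel interfaces on one device reuse a source/destination pair, that the tunnel interface and its egress sit in the same zone, and that a route to the peer's internal segment exists.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TunnelEnd:
    """One firewall's 'interface tunnel' settings (a constructed model of the commands)."""
    device: str
    name: str                       # 'interface tunnel number', e.g. "Tunnel 1"
    source: str                     # 'source': address of the physical egress interface
    destination: str                # 'destination': peer's physical interface address
    ip_address: str                 # 'ip address' of the tunnel interface, CIDR form
    key: Optional[int] = None       # 'gre key key-number' (None if not configured)
    zone: str = ""                  # security zone the tunnel interface was added to
    egress_zone: str = ""           # security zone of the physical egress interface
    route_via_tunnel: bool = False  # 'ip route-static' to the peer's internal segment


def check_pair(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Rules that both ends must satisfy together."""
    problems = []
    if (a.source, a.destination) != (b.destination, b.source):
        problems.append("source/destination addresses are not mirrored between the ends")
    net_a = ipaddress.ip_interface(a.ip_address).network
    net_b = ipaddress.ip_interface(b.ip_address).network
    if net_a != net_b:
        problems.append("tunnel interface addresses are not on the same subnet")
    if a.key != b.key:
        problems.append("gre key is configured on one end only or with different values")
    return problems


def check_end(end: TunnelEnd) -> List[str]:
    """Rules each end must satisfy on its own."""
    problems = []
    where = f"{end.device} {end.name}"
    if end.zone != end.egress_zone:
        problems.append(f"{where}: tunnel interface and physical egress are in different zones")
    if not end.route_via_tunnel:
        problems.append(f"{where}: no static route to the peer's internal segment via the tunnel")
    return problems


def check_device(tunnels: List[TunnelEnd]) -> List[str]:
    """No two tunnel interfaces on one device may share a source/destination pair."""
    seen = {}
    problems = []
    for t in tunnels:
        pair = (t.source, t.destination)
        if pair in seen:
            problems.append(f"{t.device} {t.name} reuses the source/destination of {seen[pair]}")
        seen[pair] = t.name
    return problems


def audit(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """All findings for one tunnel between two firewalls; empty list means consistent."""
    return check_pair(a, b) + check_end(a) + check_end(b)


# Constructed sample pair using documentation address ranges.
FW_A = TunnelEnd("FW_A", "Tunnel 1", "203.0.113.1", "198.51.100.1", "10.0.0.1/30",
                 key=1234, zone="untrust", egress_zone="untrust", route_via_tunnel=True)
FW_B = TunnelEnd("FW_B", "Tunnel 1", "198.51.100.1", "203.0.113.1", "10.0.0.2/30",
                 key=1234, zone="untrust", egress_zone="untrust", route_via_tunnel=True)

if __name__ == "__main__":
    for finding in audit(FW_A, FW_B) or ["tunnel configuration is consistent"]:
        print(finding)
```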


Note: Besides the basic configuration of GRE, you must configure interzone packet filtering and a static route. The static route is the means by which GRE VPN defines the data flow to be protected; this differs from the ACL technology used by other VPNs.

When configuring GRE, note the following items.

To ensure smooth forwarding of data flows, add the physical interface and the tunnel interface created on the physical interface into the same security zone.

The devices at the two ends of a tunnel can forward GRE-encapsulated packets only when there are routes through the tunnel on both devices.

According to RFC 1701, if the Checksum Present bit in the GRE packet header is set to 1, the checksum is valid. The sender calculates the checksum according to the GRE header and payload information, and the packet that contains the checksum is sent to the peer. The receiver calculates the checksum for the received packet and compares it with the one in the packet. If they are consistent, the packet is further processed. Otherwise, the packet is dropped. The two ends of the tunnel determine whether to configure the checksum as required and thereby whether to trigger the checksum function.

According to RFC 1701, if the Key Present bit in the GRE packet header is set to 1, the sender and receiver verify the keyword through the tunnel. The verification succeeds only when the keywords at both ends are the same. Otherwise, the packet is dropped.


IPSec VPN

HCNA-Security V1.0 CBSN Chapter 9


IP Security (IPSec) is a suite of security protocols defined by the IETF, which provides an interoperable, high-quality, cryptography-based protection mechanism for the end-to-end transmission of IP packets.

Confidentiality: encrypts data to ensure that data is not viewed by others during transmission.

Integrity: verifies the integrity of received packets to ensure that data is not falsified during transmission.

Authenticity: verifies data sources to ensure that data is from the actual sender (namely, the source address in the IP packet header).

Anti-replay: prevents malicious users from repeatedly sending captured packets. That is, the receiver rejects old or repeated packets.

IPSec protects data at the IP layer and above and is transparent to upper-layer applications, which need not be modified. Protection measures include confidentiality, integrity, authenticity and anti-replay.

IPSec protects packets based on policies. For example, one set of measures can protect the data streams of one service while another set protects the data streams of a second service, and no measures at all may be applied to the data streams of a third service, such as Internet service data streams.

When enterprises or individuals in different areas want to communicate through the Internet, most of their communication flows have to traverse unknown networks on the Internet, so the data sent and received on the network cannot be protected.

IPSec provides a means of establishing and managing security tunnels. It prevents data from being illegitimately viewed or falsified on the network or during transmission over the public network by providing authentication and encryption services for the packets to be transmitted, which is equivalent to creating a secure communication tunnel for users in different places.

Application scenarios are classified into three types:

Between gateways (such as firewalls)
Between the host and gateway
Between hosts


The IPSec VPN architecture consists of the AH, ESP and IKE protocols. IPSec guarantees the confidentiality of IP data during transmission by ESP and provides data integrity, data source authentication and anti-replay of packets by AH/ESP. ESP and AH define the protocol and payload header formats as well as the services provided, but do not define the transform required to provide these functions. A transform specifies the data conversion details, such as the algorithm and key size. To simplify IPSec usage and management, IPSec can automatically negotiate key exchange and establish and maintain SAs through IKE. Details are as follows:

AH: AH is the packet header authentication protocol, providing data source authentication, data integrity check and anti-replay of packets. However, AH does not encrypt the protected packets.

ESP: ESP is the protocol for encapsulating security payload. Apart from all functions of AH (except that ESP does not check the data integrity of IP headers), ESP can encrypt IP packets.

IKE protocol: It is used to automatically negotiate the cryptographic algorithms used by AH and ESP.

AH and ESP are the two major protocols of IPSec. AH provides data source authentication, data integrity check and anti-replay. ESP provides integrity check, authentication, encryption and anti-replay for IP communication.

AH and ESP can be used together or alone. In actual networking, ESP is used more frequently.

IPSec supports two encapsulation modes: transport mode and tunnel mode.

In transport mode, the IPSec protocol processing module inserts an IPSec header between the IP header and the upper-layer protocol header. The IP header stays the same as in the original IP packet, except that the protocol field is changed to the IPSec protocol number (50 or 51) and the IP header checksum is recalculated. In transport mode, the payload and upper-layer protocol of the packet are protected. The IPSec source endpoint does not modify the destination IP address in the IP header, and the original IP header remains in plain text. Transport mode provides security services for upper-layer protocols only. It is normally applied to the end-to-end (E2E) connection between two hosts to be protected rather than to the data streams of multiple hosts between two gateways.

In tunnel mode, the original IP packet is encapsulated in a new IP packet; one IPSec header is inserted between the inner IP header and the outer IP header. The original IP header is protected by IPSec as part of the payload. This differs from transport mode: by data encryption, the IP addresses in the original packet can be hidden, better protecting data during E2E communication.

Transport mode: 1) Application scenario 1: communication between a host and a network security gateway; 2) Application scenario 2: communication between hosts
Tunnel mode: 1) Application scenario: communication between network security gateways


Encryption algorithm:

ESP can encrypt IP packet contents to prevent them from being pried into. The encryption algorithm is implemented by a symmetric key system and uses the same key to encrypt and decrypt data.

In general, IPSec uses the following encryption algorithms:

Data encryption standard (DES): Uses a 56-bit key to encrypt one 64-bit plain text block.

Triple data encryption standard (3DES): Uses three 56-bit DES keys (168 bits in total) to encrypt plain text.

Advanced encryption standard (AES): Uses an AES key to encrypt plain text. The key can contain 128 bits, 192 bits or 256 bits.

The 3DES algorithm is more secure than DES, but slower than DES at encrypting data. AES has lower computational complexity than 3DES, but higher encryption strength than 3DES.

Authentication algorithm:

Both AH and ESP can authenticate IP packet integrity to determine whether IP packets were falsified during transmission. The authentication algorithm is implemented through a hash function. A hash function is an algorithm that accepts a message of any size as input and generates output of a fixed size. The output is called the message digest. IPSec peers compute digests; if the two digests are the same, the packet was not falsified.

In general, IPSec uses two authentication algorithms:

Message Digest 5 (MD5): MD5 generates 128-bit message digests from input messages of any size.

Secure hash algorithm (SHA-1): SHA-1 generates 160-bit message digests from input messages of fewer than 2^64 bits.

The SHA-1 digest has more bits than the MD5 digest. As a result, SHA-1 is more secure, but SHA-1 computation requires more time and resources than MD5.


IPSec protocol AH

AH is an important IPSec protocol, which provides data integrity, data origin authentication and anti-replay for IP packets. AH is defined in RFC2402. Except for confidentiality, AH provides all the functions supported by ESP.

Because AH does not protect confidentiality, AH does not require an encryption algorithm. AH defines the protection method, the header location, the coverage of identity authentication and the rules for handling inbound and outbound packets, but does not define the identity authentication algorithm to be used. Like ESP, AH does not mandate anti-replay protection: the receiver determines whether to use the anti-replay service. The sender does not know whether the receiver checks its SN. As a result, the sender must assume that the receiver is using the anti-replay service.

AH is a universal security service protocol of IP. The data integrity provided by AH differs slightly from that provided by ESP: AH authenticates each part of the external IP header.

The assigned protocol number of AH is 51. In other words, the protocol field of an IPv4 packet protected by AH is 51, indicating that the AH header follows the IP header. The AH header is simpler than the ESP header, because AH does not provide confidentiality. Because AH requires neither padding nor a pad length indicator, there is no trailer field. An initialization vector is not required either.

AH can be used alone or together with ESP to provide the most complete protection for data. When AH is used in transport mode, it protects E2E communication; the communication endpoints must be the IPSec endpoints. The AH header is inserted into the packet after the IP header (and any options) and before the upper-layer protocol to be protected. When AH is used in tunnel mode, it encapsulates the packet it protects: a new IP header is added before the AH header. The encapsulated IP packet contains the original communication packet, while the new IP header contains the IPSec endpoint addresses. Tunnel mode can replace transport mode for E2E security services.

AH uses transport mode to protect one upper-layer protocol or tunnel mode to protect one complete IP packet. In either mode, the AH header follows an IP header.

In the IP packet header, the AH protocol number is 51.

Transport mode: authenticates the entire IP packet
Tunnel mode: authenticates the new IP header and the entire original IP packet


IPSec protocol ESP

ESP uses a series of encryption algorithms to provide confidentiality, while data integrity is guaranteed by the authentication algorithm. The algorithm used is determined by the corresponding component of the ESP SA. ESP can provide the anti-replay service through the SN, while the packet receiver determines whether to use the anti-replay service. That is because a unique, monotonically increasing SN is inserted by the sender, but the receiver is not required to check it. Such protection is advantageous to security, and as a result it is generally used.

ESP can be used in different operation modes. Regardless of the operation mode, the ESP header follows an IP header. In IPv4, the ESP header follows the IP header, and the protocol number used by ESP is 50. That is, after the ESP header is inserted into the original packet, the protocol field in the IP header preceding ESP is 50, indicating that the ESP header follows the IP header. As an IPSec header, the ESP header contains an SPI field. The SPI, the destination address in the preceding IP header and the protocol together identify a specific SA. The SPI is a number that can be specified by the user or determined by negotiation through a key management technology. The SPI is authenticated but cannot be encrypted, because the SPI is used as the SA identifier that specifies the encryption algorithm and key used to decrypt the packet. If the SPI were encrypted, we would face a serious problem: which comes first, the chicken or the egg?

The SN is a unique 32-bit monotonically increasing value inserted by the sender in the ESP header. Through the SN, ESP enables anti-replay. Like the SPI, the SN is authenticated but not encrypted, because we want to determine whether a packet is a repeat at the front end of the protocol module's processing flow, and then decide whether to discard the packet without spending more resources on decrypting it.

The initialization vector (IV) is an optional field. Among the encryption algorithms defined for ESP, some need an IV. The value of the IV depends on the encryption algorithm. Take DES-CBC as an example: the IV is the first 8 octets of the payload data field. For the same reason as above, the IV is also authenticated but not encrypted.

The padding field has three functions in the ESP header. Some encryption algorithms strictly define the input plain text; for example, the plain text size must be an integral multiple of XX bytes, as block ciphers require the plain text to be an integral multiple of the block size. The first function of the padding field is to extend the plain text to the size required by the algorithm. According to ESP, the ESP header must be an integral multiple of 32 bits, and the pad length and next header fields must be right-aligned; the padding field is also used to guarantee this packet format. The final function of the padding field is to hide the actual size of the data payload, providing confidentiality to some extent. The padding field contains up to 255 bytes. The padding contents depend on the encryption algorithm that provides confidentiality: if the algorithm defines a specific value, the padding field uses it; if the algorithm does not specify a value, ESP sets the first padding byte to 1 and each following byte to the next value in ascending order.

The pad length field identifies the size of the data in the padding field. The receiver can restore the actual size of the payload data according to the pad length field. The pad length field is mandatory; even if no padding is present, the pad length field still exists.

The next header field indicates the data type in the payload. In tunnel mode, the next header field value is 4, which indicates IP-in-IP. If ESP is used in transport mode, the next header field value indicates the upper-layer protocol type; for example, the value corresponding to TCP is 6.

The authentication data field contains the data integrity check result. It is the output of a keyed hash function. The size of the authentication data field is determined by the identity authentication algorithm used by the SA. If no authentication algorithm is specified in the SA, the authentication data field does not exist.

In specific applications, ESP can be used in transport or tunnel mode. The mode determines which objects ESP protects. In transport mode, the entire original packet can be protected.

The protocol number of ESP in the IP packet header is 50.

Transport mode: The ESP header is located between the IP header and the transport layer protocol header. The ESP trailer is added after the data.
Tunnel mode: The ESP header is located between the new IP header and the original packet. The ESP trailer is added after the data.
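The ESP layout from the last three slides (SPI, SN, optional IV, payload, padding, pad length, next header and authentication data), as an added Python example that is not code from the course. It implements the default 1, 2, 3, ... padding rule, the next header values for tunnel mode (4) and transport mode (6), and the keyed-hash ICV check; encryption of the payload region is deliberately left out so the framing stays visible, and the key, SPI and payload values are constructed.

```python
import hashlib
import hmac
import struct
from typing import Optional

ESP_PROTOCOL = 50          # value of the IP protocol field in front of ESP
NEXT_HEADER_IP_IN_IP = 4   # tunnel mode: the payload is a complete IP packet
NEXT_HEADER_TCP = 6        # transport mode example: the payload is a TCP segment
ICV_LEN = 12               # HMAC-SHA1-96: the 20-byte SHA-1 digest truncated to 96 bits


def esp_padding(payload_len: int, block_size: int) -> bytes:
    """Default ESP padding (1, 2, 3, ...) so that payload + padding + pad
    length (1 byte) + next header (1 byte) is a multiple of the cipher block
    size, and in any case of 4 bytes. The field holds at most 255 bytes."""
    align = max(block_size, 4)
    pad_len = (-(payload_len + 2)) % align
    if pad_len > 255:
        raise ValueError("padding cannot exceed 255 bytes")
    return bytes(range(1, pad_len + 1))


def build_esp(spi: int, seq: int, payload: bytes, next_header: int,
              auth_key: bytes, iv: bytes = b"", block_size: int = 8) -> bytes:
    """Sender side. The region iv+payload+trailer is what would be encrypted;
    SPI and SN stay in the clear so the receiver can locate the SA and run
    the anti-replay check before decrypting. The ICV covers everything."""
    header = struct.pack("!II", spi, seq)
    padding = esp_padding(len(payload), block_size)
    trailer = padding + struct.pack("!BB", len(padding), next_header)
    body = header + iv + payload + trailer
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def parse_esp(packet: bytes, auth_key: bytes, iv_len: int = 0) -> Optional[dict]:
    """Receiver side: verify the ICV first, then use the pad length field to
    strip the trailer. Returns None if the ICV or the padding is wrong."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    data = body[8 + iv_len:-2]
    payload, padding = data[:len(data) - pad_len], data[len(data) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        return None                      # default padding must read 1, 2, 3, ...
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}
```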


Before IPSec is used to protect an IP packet, an SA must be established. An IPSec SA can be established by manual configuration. However, manual configuration is difficult and security is hard to guarantee when there is a great number of network nodes. In this case, IKE can be used to automatically establish SAs and exchange keys. IKE is used for dynamic SA establishment, meaning that IPSec negotiates SAs through IKE. IKE, described in RFC2409, is a hybrid protocol built upon the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP); for details, see RFC2408. Moreover, IKE implements parts of two key management protocols, Oakley and SKEME. IKE also defines two key exchange modes. Oakley is a protocol based on the Diffie-Hellman (DH) algorithm and developed by Hilarie Orman, a security expert at the University of Arizona. Oakley is a free-form protocol, which allows research institutes to improve the protocol according to their capabilities. On the basis of Oakley, IKE defines a regular key exchange method. Although the flexibility of the Oakley model is reduced, multiple exchange modes are available, so Oakley is a proper key exchange technology. SKEME is another key exchange protocol, designed by the cryptography expert Hugo Krawczyk. SKEME defines how to authenticate a key exchange. The communicating parties use public key encryption to support mutual authentication and share the exchanged components. Each party uses the public key of the other party to encrypt one random number, and the two random numbers (after decryption) affect the final keys. IKE directly uses SKEME technology in one of its authentication methods (public key encryption authentication).

ISAKMP was developed by researchers of the NSA. In the past, the NSA was a highly secretive organization, and the U.S. government even denied its existence. More recently, the NSA has gradually been unveiled and its encryption and security technologies have come into the spotlight. ISAKMP is an open technology.

ISAKMP, Oakley and SKEME are the basis of IKE. As a result, IKE is regarded as a hybrid protocol, which inherits the ISAKMP framework, the Oakley modes and the SKEME sharing and key update techniques. Based on this inheritance, IKE defines its own techniques for authentication and for the generation, negotiation and sharing of keying material. The functions of the three technologies as described in the IKE specification are shown in the IKE discussion. Among them, ISAKMP plays the dominant role. ISAKMP defines the communication modes, message formats and state exchange process that guarantee secure communication between two parties. However, ISAKMP does not define a specific key exchange technology; the key exchange is defined by other protocols. For IPSec, the defined key exchange is IKE. IKE uses the ISAKMP language to define a key exchange that is a way of negotiating the security service. The final result of IKE is an authenticated key and a mutually agreed security service, namely the IPSec SA. However, IKE is not used by IPSec only. If required by other protocols, such as RIPv2 or OSPF, IKE can be used to provide security services.

IKE has a self-protection mechanism, which can safely distribute keys, authenticate identities and establish IPSec SAs on insecure networks.

DH exchange and key distribution

DH is a public key algorithm. Without transmitting a key, two communicating parties compute a shared key through data exchange. The precondition of encryption is that the two parties exchanging encrypted data must have the shared key. The essence of IKE is that it never transmits a key over an insecure network, but computes the shared key through a series of data exchanges. Even if a third party, such as a hacker, intercepts all the exchanged data used for computing the key, the actual key cannot be figured out.

Perfect forward secrecy

PFS is a security feature, meaning that cracking one key does not affect the security of other keys, because the keys are not derived from one another. PFS is guaranteed by DH and implemented by adding a key exchange in phase 2 of IKE.

ID authentication

ID authentication confirms the identities of the two communicating parties. For the pre-shared key authentication method, the authenticator is used as an input to generate a key. Different authenticators cannot generate the same key for the two parties. The authenticator is the key of identity authentication.

ID protection

ID data is encrypted for transmission after the key is generated, thus protecting identity data.

IPSec provides secure communication between two endpoints. Each endpoint is called an IPSec peer. IPSec allows users or administrators of systems and networks to control the granularity of security services between peers. For example, the security policy of an organization may stipulate that data streams from a specified subnet use AH and ESP for protection and 3DES for encryption, while data streams from another site use ESP for protection and DES for encryption. Through the SA, IPSec can provide protection at different levels for different data streams.

The SA is the basis and essence of IPSec. The SA is the agreement between communicating peers on elements such as the selected security protocol, the protocol operation mode (transport or tunnel mode), the encryption algorithm (DES or 3DES), the shared key used to protect the specified data stream, and the key lifetime.

An SA is uniquely identified by a triplet: SPI, destination IP address and security protocol number (AH or ESP). The SPI is a 32-bit value that uniquely identifies the SA and is transmitted in the IPSec header.

An SA is unidirectional. Bi-directional communication between two peers requires at least two SAs to protect the data streams in the two directions. If both AH and ESP are required to protect the data streams between peers, two SAs are needed: one for AH and the other for ESP.

During the DH exchange defined in the IKE protocol, the computation results generated each time are unrelated. To ensure that the keys used by each SA are not related to each other, a DH exchange must be performed every time an SA is established.

IPSec uses the SN in the IPSec packet headers for anti-replay. The SN is a 32-bit value. After the SN overflows, the SA should be established again to support anti-replay. This process requires the cooperation of the IKE protocol.

Authenticating and managing the identities of communicating parties may affect IPSec deployment. Large-scale IPSec implementation requires the participation of a Certification Authority (CA) or other institutions that manage identity data in a centralized manner.
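Added example (not from the course): a receiver-side anti-replay check on the 32-bit SN, plus the sender-side counter whose overflow is the reason the SA must be re-established through IKE. The 64-packet sliding window is a constructed choice; it lets reordered packets through while rejecting repeated or too-old ones.

```python
WINDOW = 64              # constructed window size for this demo
SN_MAX = 0xFFFFFFFF      # the SN field is 32 bits and must not wrap


class ReplayWindow:
    """Receiver state for one SA: the highest SN seen and a bitmap of which
    of the last `window` sequence numbers have already been accepted."""

    def __init__(self, window: int = WINDOW):
        self.window = window
        self.top = 0
        self.bitmap = 0      # bit i set means SN (top - i) has been received

    def check(self, sn: int) -> str:
        """Returns 'accept', 'drop:replayed' or 'drop:too-old'."""
        if sn == 0:
            return "drop:replayed"          # SN 0 is never valid on an anti-replay SA
        if sn > self.top:                   # new highest SN: slide the window
            shift = sn - self.top
            mask = (1 << self.window) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.window else 1
            self.top = sn
            return "accept"
        diff = self.top - sn
        if diff >= self.window:
            return "drop:too-old"           # fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return "drop:replayed"          # already accepted once
        self.bitmap |= 1 << diff            # reordered but new: accept and mark
        return "accept"

    def exhausted(self) -> bool:
        """True once the peer has used the last SN: a new SA is required."""
        return self.top >= SN_MAX


class Sender:
    """Sender state for one SA: a counter that must not be allowed to wrap."""

    def __init__(self):
        self.sn = 0

    def next_sn(self) -> int:
        if self.sn >= SN_MAX:
            raise RuntimeError("SN exhausted: re-establish the SA through IKE")
        self.sn += 1
        return self.sn
```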

IKE is an application layer protocol above UDP and the signaling protocol of IPSec. IKE establishes an SA for IPSec through negotiation and hands the parameters and generated keys to IPSec. IPSec uses the SA established by IKE to encrypt or authenticate IP packets. IPSec processing is part of the IP layer, dealing with packets at the IP layer. AH and ESP have their own protocol numbers: 51 and 50.

IKE uses ISAKMP in two phases. In the first phase, the IKE SA is established. In the second phase, the established IKE SA is used to negotiate a specific SA for IPSec.

As described in RFC2409, IKE negotiation in the first phase has two modes: main mode and aggressive mode. Both modes do the same thing: establish an authenticated, encrypted IKE SA and generate authenticated keys that provide confidentiality, message integrity and message source authentication for the two communicating parties. All other exchanges defined in IKE require an authenticated IKE SA; the authenticated IKE SA is the precondition. Regardless of main mode or aggressive mode, the first phase must be completed before any other exchange.

First Phase of IKE Exchange Main Mode

In main mode, three steps and six messages are required to complete the first-phase negotiation and finally establish the IKE SA.

Main mode is designed as an exchange that separates the key exchange information from the identity authentication information. This separation protects the identity information during transmission, because the exchanged identity information is encrypted.

The three steps are mode negotiation, DH exchange and nonce exchange, and identity authentication of the peer. Features of main mode include identity protection and full use of the ISAKMP negotiation capability. Identity protection matters when the peer wants to hide its identity; the importance of full negotiation capability will be seen in the discussion of aggressive mode. Assume that the pre-shared key is used for authentication:

Before messages 1 and 2 are sent, the negotiation initiator and responder must each generate a cookie to uniquely identify each independent exchange negotiation. The cookie is computed as an MD5 hash of the source/destination IP addresses, a random number, and the date and time, and is inserted into the ISAKMP header of message 1 to identify the independent exchange negotiation.

During the first exchange, the cookies and SA payloads of the two parties are exchanged. The SA payload carries the various parameters of the IKE SA to be negotiated, including hash type, encryption algorithm, authentication algorithm and the negotiation time limit of the IKE SA.
After the first exchange and before the second exchange, the two communicating parties need to generate the DH values used to generate the DH shared key. Each party generates a random number and computes from it, using the DH algorithm, the values Xa and Xb. Here, Xa is the DH value of the initiator and Xb the DH value of the responder. Each party then generates a temporary value (nonce) according to the DH algorithm: Ni and Nr. During the second exchange, the two parties exchange their key exchange payloads (the DH exchange) and temporary value payloads (the nonce exchange). The key exchange payloads contain Xa and Xb, while the temporary value payloads contain Ni and Nr.

Only the DH values and the temporary values are transmitted. As a result, even if a third party obtains this material, it cannot figure out the shared key.

After the two parties have exchanged the temporary value payloads Ni and Nr, SKEYID is generated from the pre-set pre-shared key by means of the pseudo-random function. SKEYID is the basis for the generation of all keys.

Then the shared key SKEYID_d, known only to the two parties, is generated from the computed DH value, the exchanged DH value and SKEYID. This shared key is not transmitted.

After the second exchange is completed, the two parties have exchanged all the required computing material. They can now compute all keys and use them to protect the subsequent IKE messages. These keys include SKEYID_a and SKEYID_e: SKEYID_a provides integrity and data source identity authentication, and SKEYID_e is used to encrypt the IKE messages.

The third exchange is the exchange of the identification payload and the hash payload. The identification payload contains identification information, the IP address or host name of the initiator. The hash payload contains the value obtained by HASH computation over the three groups of keys generated in the previous step. These two payloads are encrypted with SKEYID_e. If the payloads of the two parties match, authentication succeeds, and the pre-shared key exchange in main mode of the first IKE phase is completed.

First Phase of IKE Aggressive Mode

After the second exchange, a session key is generated. The material used to generate the session key includes the pre-shared key. When a peer negotiates SAs with multiple peers, one pre-shared key is set for each peer. To enable each peer to select the proper pre-shared key, in main mode the peers must be distinguished according to the IP address in the preceding exchange information.

Assume that the IP address of the initiator is dynamically assigned. Because the responder cannot know the initiator's IP address in advance, and the two parties plan to use the pre-shared key for authentication, the responder cannot select the proper pre-shared key according to the IP address. Aggressive mode is used to solve this problem.

In aggressive mode, unlike main mode, only three messages are required to complete the establishment of the IKE SA. Because the number of messages is restricted, the negotiation capability is also restricted in aggressive mode, and identities are not protected.

During the aggressive mode exchange, the initiator provides a list of protection suites, its DH public value, nonce and identity material. All of this information is sent together in the first message. The responder needs to select a protection suite and return its DH public value, nonce, identity material and an authentication payload. The initiator places its authentication payload in the last message of the exchange.

In aggressive mode, because the first message carries the identity information, the identity information cannot be encrypted. This reduces negotiation security, but identities are not identified according to IP addresses, so more flexible applications are supported in aggressive mode.


Second Phase of IKE Exchange Fast Mode

After the IKE SA is established (in main mode or aggressive mode), the IKE SA can be used to generate an SA for IPSec. The IPSec SA is established through fast mode. The fast mode exchange that completes the IPSec SA is carried out under the protection of the previously established IKE SA. In fast mode, the two communicating parties negotiate the various features of the IPSec SAs and generate keys for them. The fast mode messages are encrypted by the IKE SA and authenticated. Messages are authenticated with the pseudo-random function: SKEYID_a from the IKE SA is the key that authenticates the entire fast mode message. This not only guarantees data integrity but also authenticates the data source. After receiving a message, we know that it can only have come from the authenticated entity and that it was not changed during transmission. By encryption (using SKEYID_e), the confidentiality of the exchange is guaranteed.

In fast mode, the keys used in the IPSec SA are derived from the SKEYID_d state. SKEYID_d is used in the pseudo-random function together with the exchanged nonces, the SPI of the IPSec SA and the protocol, so that each SA has its own unique key. Each SA has a different SPI; therefore, the key of the inbound SA differs from that of the outbound SA. All IPSec keys are derived from the same source and are therefore related to each other. If an attacker can determine the SKEYID_d value of the IKE SA, the keys of all IPSec SAs derived from SKEYID_d, as well as all future keys, can easily be obtained. This is a big problem: these keys cannot guarantee PFS. Fast mode provides a PFS option to meet this need, and users can decide whether to use PFS.

To implement PFS in fast mode, an extra DH exchange should be implemented and the finally generated shared key is used during the key generation for IPSec. Once the exchange is completed, the key does not exist. Once the exchange is completed, the memory location of the key must be cleared and released to guarantee unrelated relationship of keys.

In the first two messages, both the initiator and the responder send an SA payload, as in main mode and aggressive mode. The SA payload is used to negotiate the various protection algorithms, while Ni, Nr and ID provide on-site evidence (proof that the peer is live). Xa and Xb are used to generate a new DH shared key to guarantee PFS. Xa, Xb, the SKEYID_d generated in the first phase of IKE, Ni, Nr and the SPI generate the key for IPSec encryption. Finally, the initiator sends an acknowledgment message; after receiving it, the responder knows that the initiator has received the second message, and the second phase of IKE ends.

The preceding description presents fast mode as a simple request/response exchange, but fast mode does more than this. The initiator may require on-site evidence proving that the responder is online and has processed its initial fast mode message. To meet this requirement, the responder adds the initiator's nonce and the message ID to the authentication hash payload. This digest guarantees message integrity and provides source authentication and on-site evidence for the initiator.

The responder also requires on-site evidence. The message from the initiator may be an expired message replayed by a malicious party. This party may not know the message contents, but through traffic analysis can tell that it is a fast mode message. If the message is replayed, the responder has to create an extra SA; this can be regarded as a mild DoS attack, because the responder incurs unnecessary memory and SA management costs for the message. To prevent such an attack, a third message is added in fast mode. This message contains the nonce and message ID of this exchange, carried in an authentication hash payload, so the initiator proves that it is a participant in this exchange.
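The fast mode mechanics described above, as an added example that is not part of the course material: it derives per-SA key material from SKEYID_d, the protocol, the SPI and the nonces (with and without a PFS DH result), and implements the responder-side handling of the third message so that a replayed first or third message never creates an SA. The formulas follow RFC 2409 quick mode; HMAC-SHA1 as the prf, the ESP protocol identifier 3 (RFC 2407) and all key, nonce and SPI values are assumptions or constructed sample data.

```python
"""IKE phase 2 (fast mode) key derivation and liveness check."""
import hashlib
import hmac
import os

PROTO_IPSEC_ESP = 3          # protocol identifier from the IPSec DOI (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function of the IKE SA; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni_b: bytes, nr_b: bytes,
           g_xy: bytes = b"", length: int = 24) -> bytes:
    """Per-SA key material as in RFC 2409 section 5.5.

    KEYMAT = K1 | K2 | ... with
      K1 = prf(SKEYID_d, [g_xy |] protocol | SPI | Ni_b | Nr_b)
      Kn = prf(SKEYID_d, Kn-1 | [g_xy |] protocol | SPI | Ni_b | Nr_b)
    g_xy is the extra DH shared secret that is present only when PFS is used.
    """
    base = g_xy + bytes([protocol]) + spi + ni_b + nr_b
    block = prf(skeyid_d, base)
    out = block
    while len(out) < length:
        block = prf(skeyid_d, block + base)
        out += block
    return out[:length]


def hash3(skeyid_a: bytes, m_id: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b): the third fast mode
    message, proving the initiator holds both nonces of this exchange."""
    return prf(skeyid_a, b"\x00" + m_id + ni_b + nr_b)


class Responder:
    """Responder state: an SA is created only after HASH(3) verifies."""

    def __init__(self, skeyid_a: bytes):
        self.skeyid_a = skeyid_a
        self.pending = {}         # m_id -> (ni_b, nr_b) waiting for message 3
        self.completed = set()    # m_ids whose SAs were already established

    def begin_exchange(self, m_id: bytes, ni_b: bytes):
        """Handle message 1; return the fresh Nr_b for message 2, or None on replay."""
        if m_id in self.completed or m_id in self.pending:
            return None           # replayed message 1: no new SA, no extra state
        nr_b = os.urandom(16)     # fresh responder nonce per exchange
        self.pending[m_id] = (ni_b, nr_b)
        return nr_b

    def accept_message3(self, m_id: bytes, received: bytes) -> str:
        """Handle message 3 and report why an SA is or is not established."""
        if m_id in self.completed:
            return "replay"
        if m_id not in self.pending:
            return "unknown exchange"
        ni_b, nr_b = self.pending[m_id]
        if not hmac.compare_digest(received, hash3(self.skeyid_a, m_id, ni_b, nr_b)):
            return "bad hash"
        del self.pending[m_id]
        self.completed.add(m_id)
        return "sa established"


def demo() -> dict:
    """Run one exchange with constructed secrets and return the observable results."""
    skeyid_d, skeyid_a = b"\xd0" * 20, b"\xa0" * 20    # constructed phase 1 secrets
    m_id, ni_b = b"\x00\x00\x00\x07", b"\x11" * 16      # constructed M-ID and Ni_b
    resp = Responder(skeyid_a)
    nr_b = resp.begin_exchange(m_id, ni_b)
    first = resp.accept_message3(m_id, hash3(skeyid_a, m_id, ni_b, nr_b))
    replayed_msg3 = resp.accept_message3(m_id, hash3(skeyid_a, m_id, ni_b, nr_b))
    replayed_msg1 = resp.begin_exchange(m_id, ni_b)
    spi_in, spi_out = b"\x00\x00\x10\x01", b"\x00\x00\x10\x02"   # constructed SPIs
    k_in = keymat(skeyid_d, PROTO_IPSEC_ESP, spi_in, ni_b, nr_b)
    k_out = keymat(skeyid_d, PROTO_IPSEC_ESP, spi_out, ni_b, nr_b)
    k_pfs = keymat(skeyid_d, PROTO_IPSEC_ESP, spi_in, ni_b, nr_b, g_xy=b"\x42" * 32)
    return {"first": first, "replayed_msg3": replayed_msg3,
            "replayed_msg1_rejected": replayed_msg1 is None,
            "inbound_outbound_differ": k_in != k_out, "pfs_changes_key": k_pfs != k_in}


if __name__ == "__main__":
    print(demo())
```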


Key lifecycle

The key lifecycle determines when an old key is replaced by a new key, that is, the period after which keys are alternated. For example, if a communication service lasts 1000 seconds and the key lifecycle is set to 100 seconds, 10 keys are generated during the transmission of the whole service. Because 10 keys are used within the communication period, even if an attacker cracks one key to decrypt packets, not all packets can be decrypted.

PFS

Each key is unique. Even if a key is cracked, the security of the other keys is not affected, because the keys have no derivation relationship with each other. After attackers crack a key, only the packets protected by that key can be accessed; packets protected by other keys cannot be cracked. PFS is guaranteed by the DH algorithm. This feature is supported by adding a key exchange during negotiation in phase 2 of IKE.

DH group

The DH algorithm is a public key algorithm. Two communicating parties compute a shared key by exchanging some data, without transmitting the key itself. The precondition for encryption is that the two parties exchanging encrypted data must share a key. The essence of IKE is that it never directly transmits a key over an insecure network, but computes the shared key through a series of data exchanges. Even if a third party (such as a hacker) intercepts all the data exchanged for key calculation, the true key cannot be computed. IKE defines five DH groups in total. Group 1 defines 768-bit keys, while group 2 defines 1024-bit keys.

The longer the key, the higher its security, because a longer key is more difficult to crack. DH group selection is important, because the DH group is determined during SA negotiation in the first phase; the DH group is not selected during negotiation in phase two, so both phases use the same DH group. As a result, DH group selection affects the generation of the session key. During negotiation, the peers must select the same DH group, that is, the key lengths must be the same. If the DH groups do not match, the negotiation fails.


Based on the IPSec application, firewalls handle inbound and outbound flows in one of three ways, according to the type of data: discard the packets, bypass the security service, or apply the security service.

Outbound flow: Outbound packets are looked up in the SPDB to determine which security service the lookup yields.
Discarding packets: Packets are discarded without any processing.
Bypassing the security service: The IPSec policy is not applied and the traditional IP forwarding procedure is performed.
Applying the security service: The IPSec policy is applied according to the established SA and the packets are forwarded. If the SA is not established, IKE is invoked to complete SA establishment.

Inbound flow: Inbound flow processing differs from outbound flow processing. Firewalls process packets according to whether an IPSec header is present.
Discarding packets: If packets do not contain IPSec headers and the policy output is "discard" after the selector fields are extracted and the SPDB is looked up, the packets are discarded. If the policy output is "apply" but the SA is not established, the packets are also discarded.
Bypassing the security service: If packets do not contain IPSec headers and the policy output is "bypass" after the selector fields are extracted and the SPDB is looked up, the packets are forwarded following the traditional procedure.
Applying the security service: If packets contain IPSec headers and the SA has been established, the packets are handed to the IPSec layer for processing.
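The three outcomes for both directions, as an added example that is not part of the course text: a small SPD/SAD model in Python. The selectors, SAs and packets are constructed; the protect selector is modelled on the 192.168.0.0/24 to 192.168.1.0/24 policy used in the configuration later in this chapter, and "no matching policy means discard" is an assumption of the model.

```python
"""Outbound and inbound IPSec processing decisions (SPD/SAD lookup)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

DISCARD, BYPASS, PROTECT, NEGOTIATE = "discard", "bypass", "protect", "call-ike"


@dataclass(frozen=True)
class Selector:
    """Traffic selector of one SPD entry, written from the local side's view."""
    src: str                      # e.g. "192.168.0.0/24"
    dst: str
    proto: Optional[int] = None   # None matches any IP protocol

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.get("proto")))


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str                   # DISCARD, BYPASS or PROTECT


@dataclass
class Databases:
    spd: List[SPDEntry]                                  # ordered policy database
    sad: Dict[int, Selector] = field(default_factory=dict)   # SPI -> protected selector


def lookup_policy(spd: List[SPDEntry], pkt: dict) -> Optional[SPDEntry]:
    """First SPD entry whose selector matches the packet; None if none matches."""
    return next((e for e in spd if e.selector.matches(pkt)), None)


def process_outbound(db: Databases, pkt: dict) -> str:
    entry = lookup_policy(db.spd, pkt)
    if entry is None or entry.action == DISCARD:
        return DISCARD            # no matching policy is treated as discard (assumption)
    if entry.action == BYPASS:
        return BYPASS             # traditional IP forwarding, no IPSec processing
    if entry.selector in db.sad.values():
        return PROTECT            # apply the policy with the established SA and forward
    return NEGOTIATE              # no SA yet: call IKE to establish it first


def process_inbound(db: Databases, pkt: dict) -> str:
    if "spi" in pkt:              # packet carries an IPSec header
        return PROTECT if pkt["spi"] in db.sad else DISCARD   # unknown SA: discard
    # Clear-text packet: look up the SPD with the addresses reversed, because the
    # selectors are written from the local side (source = local segment).
    mirrored = {"src": pkt["dst"], "dst": pkt["src"], "proto": pkt.get("proto")}
    entry = lookup_policy(db.spd, mirrored)
    if entry is None or entry.action == DISCARD:
        return DISCARD
    if entry.action == BYPASS:
        return BYPASS
    return DISCARD                # policy requires IPSec but clear text arrived


def build_sample() -> Databases:
    """Constructed SPD: protect Host 1 segment to Host 2 segment, bypass the rest."""
    return Databases(spd=[
        SPDEntry(Selector("192.168.0.0/24", "192.168.1.0/24"), PROTECT),
        SPDEntry(Selector("192.168.0.0/24", "0.0.0.0/0"), BYPASS),
        SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), DISCARD),
    ])
```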


Configure USG A.

Configure the IPSec proposal.
[USG A] ipsec proposal tran1
Configure the IPSec protocol.
[USG A-ipsec-proposal-tran1] transform esp
Configure the packet encapsulation mode.
[USG A-ipsec-proposal-tran1] encapsulation-mode tunnel
Configure the authentication algorithm of ESP.
[USG A-ipsec-proposal-tran1] esp authentication-algorithm md5
Configure the encryption algorithm of ESP.
[USG A-ipsec-proposal-tran1] esp encryption-algorithm des

Create IKE proposal 10.
[USG A] ike proposal 10
Configure the authentication method to use a pre-shared key.
[USG A-ike-proposal-10] authentication-method pre-share
Configure MD5 as the authentication algorithm.
[USG A-ike-proposal-10] authentication-algorithm md5
Set the lifecycle of the ISAKMP SA to 5000 seconds.
[USG A-ike-proposal-10] sa duration 5000

Create IKE peer a and enter the IKE peer view.
[USG A] ike peer a
Reference the IKE proposal.
[USG A-ike-peer-a] ike-proposal 10
Configure the pre-shared key as abcde.
[USG A-ike-peer-a] pre-shared-key abcde
Set the IP address of the peer end of the tunnel.
[USG A-ike-peer-a] remote-address 202.39.169.1

Configure the ACL rule to allow the hosts on the network segment of Host 1 to access the hosts on the network segment of Host 2.
[USG A] acl 3000
[USG A-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

Create the security policy.
[USG A] ipsec policy map1 10 isakmp
Reference the security proposal named tran1.
[USG A-ipsec-policy-isakmp-map1-10] proposal tran1
Reference IKE peer a.
[USG A-ipsec-policy-isakmp-map1-10] ike-peer a
Reference the ACL with group number 3000.
[USG A-ipsec-policy-isakmp-map1-10] security acl 3000

Enter the Ethernet interface view.
[USG A] interface Ethernet 0/0/0
Apply the IPSec policy to the interface.
[USG A-Ethernet0/0/0] ipsec policy map1

Configure the static route to Host 2.
[USG A] ip route-static 192.168.1.0 24 202.39.169.1

Remarks: The configuration on USG B is almost the same as that on USG A.


Enter the Web configuration page. Choose Rapid Access to Wizard > IPSec Wizard, and select a proper application scenario to set up the IPSec VPN.

1) Select an application scenario.
2) Configure the network. Select the network port on which the IPSec application is enabled and configure the IP address of the peer gateway.
3) Define the data streams to be protected.
4) Configure encryption and authentication. In general, the default configuration is used, and the configuration at the two ends must be the same.


IPSec FAQs:

IKE does not succeed in the first phase.
Run the display ike peer and display ike proposal commands to check whether the IKE peer and the IKE proposal on the two ends are the same.
Check whether a NAT device exists in the middle of the tunnel and whether NAT traversal has been configured.

IKE does not succeed in the second phase.
The IPSec SA is not successfully created. Check whether the IPSec proposal configuration is the same on both ends. In the template mode of the server, the ACL of the client must specify the network segment of the source IP address.

The IPSec SA has been established, but services are not successfully provided.
Generally, the cause lies in the ACL. Check whether the referenced ACL has been matched.
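An added example (not from the course) of the checks this FAQ and the configuration steps above call for: it parses the USG A commands given earlier and a constructed USG B transcript, compares the IPSec proposal, IKE proposal and pre-shared key, and verifies that the ACL rules on the two ends are mirror images of each other. The USG B configuration, its peer name b and its remote address 203.0.113.1 are constructed; the deliberate mismatch it contains (3des instead of des) is what the checker is expected to find.

```python
"""Consistency check of the two IPSec tunnel ends, as the FAQ recommends."""
import re

# USG A commands as given in the configuration steps above.
USG_A = """
[USG A] ipsec proposal tran1
[USG A-ipsec-proposal-tran1] transform esp
[USG A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG A-ipsec-proposal-tran1] esp authentication-algorithm md5
[USG A-ipsec-proposal-tran1] esp encryption-algorithm des
[USG A] ike proposal 10
[USG A-ike-proposal-10] authentication-method pre-share
[USG A-ike-proposal-10] authentication-algorithm md5
[USG A-ike-proposal-10] sa duration 5000
[USG A] ike peer a
[USG A-ike-peer-a] ike-proposal 10
[USG A-ike-peer-a] pre-shared-key abcde
[USG A-ike-peer-a] remote-address 202.39.169.1
[USG A] acl 3000
[USG A-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""

# Constructed USG B transcript (not from the course): the ACL is mirrored
# correctly, but the ESP encryption algorithm was entered differently.
# 203.0.113.1 is a placeholder for USG A's public address.
USG_B = """
[USG B] ipsec proposal tran1
[USG B-ipsec-proposal-tran1] transform esp
[USG B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG B-ipsec-proposal-tran1] esp authentication-algorithm md5
[USG B-ipsec-proposal-tran1] esp encryption-algorithm 3des
[USG B] ike proposal 10
[USG B-ike-proposal-10] authentication-method pre-share
[USG B-ike-proposal-10] authentication-algorithm md5
[USG B-ike-proposal-10] sa duration 5000
[USG B] ike peer b
[USG B-ike-peer-b] ike-proposal 10
[USG B-ike-peer-b] pre-shared-key abcde
[USG B-ike-peer-b] remote-address 203.0.113.1
[USG B] acl 3000
[USG B-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
"""

# Parameters that must be identical on both ends for phase 1 and phase 2 to succeed.
MUST_MATCH = {
    "ipsec-proposal": ["transform", "encapsulation-mode",
                       "esp authentication-algorithm", "esp encryption-algorithm"],
    "ike-proposal": ["authentication-method", "authentication-algorithm", "sa duration"],
    "ike-peer": ["pre-shared-key"],
}


def parse_config(text: str) -> dict:
    """Extract the compared parameters from a command transcript.

    The view is read from the prompt, e.g. "[USG A-ike-proposal-10]"; ACL rules
    are stored as ((src, wildcard), (dst, wildcard)) tuples under "acl".
    """
    cfg = {view: {} for view in MUST_MATCH}
    cfg["acl"] = []
    for line in text.strip().splitlines():
        m = re.match(r"^\[([^\]]*)\]\s*(.+)$", line)
        if not m:
            continue
        prompt, cmd = m.groups()
        if "-acl-adv-" in prompt:
            r = re.match(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)", cmd)
            if r:
                cfg["acl"].append(((r[1], r[2]), (r[3], r[4])))
            continue
        view = next((v for v in MUST_MATCH if f"-{v}-" in prompt), None)
        if view is None:
            continue              # system-view commands carry nothing to compare
        for key in MUST_MATCH[view]:
            if cmd.startswith(key + " "):
                cfg[view][key] = cmd[len(key):].strip()
    return cfg


def check_peers(cfg_a: dict, cfg_b: dict) -> list:
    """Return human-readable mismatches; an empty list means the two ends agree."""
    problems = []
    for view, keys in MUST_MATCH.items():
        for key in keys:
            a, b = cfg_a[view].get(key), cfg_b[view].get(key)
            if a != b:
                problems.append(f"{view}: {key} differs (A={a!r}, B={b!r})")
    # Phase 2 traffic selectors: each rule on A needs its mirror image on B.
    mirrored = {(dst, src) for src, dst in cfg_b["acl"]}
    for rule in cfg_a["acl"]:
        if rule not in mirrored:
            problems.append(f"acl: rule {rule} on A has no mirrored rule on B")
    return problems


if __name__ == "__main__":
    for p in check_peers(parse_config(USG_A), parse_config(USG_B)):
        print(p)
```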

SSL VPN

HCNA-Security V1.0 CBSN Chapter 10


The Secure Socket Layer (SSL) provides a secure connection for application layer protocols based on the Transmission Control Protocol (TCP). SSL works between layer 5 and layer 7 of the TCP/IP protocol stack. It provides secure connections for the Hypertext Transfer Protocol (HTTP), and the SSL protocols are widely applied in electronic business and Internet banking to ensure the security of data transmission.

SSL provides a secure channel between two devices. It protects the data transmission and identifies the communicating devices. SSL has three versions; SSL2.0 and SSL3.0 are widely used. Based on SSL3.0, the IETF proposed TLS1.0 (also called SSL3.1). With the continuous improvement of SSL, more browsers, including Microsoft Internet Explorer, support SSL, and SSL has become one of the most popular security protocols.

The SSL Virtual Private Network (VPN) is based on SSL/TLS. With SSL/TLS embedded in standard browsers, the functions of the SSL VPN are extended: besides Web access and TCP/UDP applications, the SSL VPN can protect IP communications. Because the SSL VPN is based on TCP/UDP, it is not restricted by NAT. Users can access intranet resources through firewalls using the SSL VPN. In this way, remote secure access is flexible and simple, which helps enterprises reduce VPN deployment costs.

The SSL VPN enables users to access intranets using standard browsers, so users can remotely access intranets through the Internet. The security, convenience, and usability of the SSL VPN improve the work efficiency of mobile users.

To use the SSL VPN, both ends must support SSL. Generally, common applications such as the Internet Explorer and Netscape browsers and the Outlook and Eudora email clients support SSL.

Like IPSec, SSL provides encryption and identity authentication mechanisms. SSL, however, encrypts only the application data transmitted between the two ends rather than all the data transmitted from one host to another.


SSL supports the following security mechanisms:

1. The identity can be authenticated using the key encryption algorithm.
2. The connection is encrypted. After the key is negotiated by the handshake protocol, the data is encrypted using a symmetric key encryption method.
3. The connection is reliable. A secure hash algorithm is used, and a keyed message authentication code verifies message integrity.


Protocol: one byte. It specifies the protocol encapsulated by the SSL record protocol:
20: Change Cipher Spec Protocol
21: Alert Protocol
22: Handshake Protocol
23: Application Protocol data

Version: two bytes. It specifies the highest and lowest versions supported by SSL. At present, the SSLv3 version is 3.0 and the TLSv1 version is 3.1.

Length: two bytes. The protocol message length is presented in 14-bit binary digits, so the value cannot exceed 2^14.

Protocol messages: several bytes. The protocol messages are encrypted.
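The record header just described, as an added example that is not part of the course material: a Python parser for the 5-byte header (content type, major.minor version, length) that rejects unknown content types and lengths above 2^14, plus a splitter that walks a stream record by record. The sample stream is constructed, and its fragment bytes are placeholders rather than a real handshake.

```python
"""Parse SSL/TLS record headers and split a record stream."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1"}
MAX_FRAGMENT = 2 ** 14        # the protocol message length is a 14-bit quantity


class RecordError(ValueError):
    """Raised for a header that the record layer must reject."""


def parse_record(buf: bytes) -> dict:
    """Parse one record at the start of buf; raise RecordError on a bad header."""
    if len(buf) < 5:
        raise RecordError("truncated header: 5 bytes needed")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise RecordError(f"unknown content type {ctype}")
    if length > MAX_FRAGMENT:
        raise RecordError(f"length {length} exceeds 2^14")
    if len(buf) < 5 + length:
        raise RecordError("truncated fragment")
    return {"type": CONTENT_TYPES[ctype],
            "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
            "length": length,
            "fragment": buf[5:5 + length]}   # still encrypted at this layer


def split_records(stream: bytes) -> list:
    """Split a byte stream into consecutive records, as the record layer does."""
    records, pos = [], 0
    while pos < len(stream):
        rec = parse_record(stream[pos:])
        records.append(rec)
        pos += 5 + rec["length"]
    return records


def build_record(ctype: int, version: tuple, fragment: bytes) -> bytes:
    """Inverse of parse_record, used to build the constructed sample below."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(fragment)) + fragment


# Constructed sample stream (not a capture): a TLSv1 handshake record with
# placeholder bytes followed by an SSLv3 application_data record.
SAMPLE_STREAM = (build_record(22, (3, 1), b"\x01\x00\x00\x00")
                 + build_record(23, (3, 0), b"abc"))
```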


Handshake protocol: It is used to configure the encryption parameters for the session between the client and the server. During the first communication between the client and the server, they negotiate the protocol version, encryption algorithm, and authentication mode. The public key is used to generate the shared key.

Record protocol: It is used to exchange the application data. Application messages are segmented into multiple manageable data blocks, which may be compressed; a message authentication code (MAC) is generated, and the data and MAC are encrypted and transmitted to the peer end. The peer end receives and decrypts the data, checks the MAC, decompresses the data and reassembles it. The final data is delivered to the application protocol.

Alert protocol: It indicates when an error starts and ends and when the session ends.


The handshake process of SSL is as follows:

Phase 1: The security capabilities are established. The client sends a client_hello message carrying the version, a random number (a 32-bit timestamp and a 28-byte random sequence), the session ID, the cipher suites supported by the client, and the list of compression methods supported by the client. The server sends a server_hello message carrying the version, a random number generated by the server, the session ID, the recommended cipher suite, and the recommended compression method.

Phase 2: The server sends its X.509 certificate in the server_key_exchange message. After sending the certificate_request and server_hello_done messages, the server waits for the client to respond.

Phase 3: After receiving the server_hello_done message, the client checks the server certificate and checks whether the parameters in the server_hello message are acceptable. If the parameters are proper, the client sends one or more messages to the server. If the server requested a certificate, the client sends a certificate message; if the client has no certificate, it sends a no_certificate message. Then the client sends the client_key_exchange message, whose content depends on the key exchange type. Finally, the client sends a certificate_verify message, which carries a signature over the HMACs (master_secret) of all the handshake messages.

Phase 4: A secure connection is established. The client sends a change_cipher_spec message and copies the negotiated cipher suite into the current connection state. Then the client sends a finished message using the new algorithm and key parameters. The finished message indicates whether the key exchange and authentication were successful; it includes a check value used to verify all the preceding messages. The server sends a change_cipher_spec message and a finished message. After the handshake is complete, the client and server can exchange application layer data.


The session recovery function significantly reduces the overhead generated for SSL VPN tunnel establishment.


The SSL VPN provides the following functions:

Cutting-edge virtual gateway
Web proxy
File sharing
Port agent
Network expansion
User security control
Comprehensive log function


Each virtual gateway can be managed independently. The virtual gateways can be configured with their own resources, users, authentication modes, access control policies, and administrators.

When an enterprise has multiple departments, different virtual gateways can be configured for different departments and user groups. In this manner, a completely isolated access system is constructed.


The Web proxy supports clientless Web access, which fully demonstrates the usability of the SSL VPN. The Web proxy is an important function that differentiates the SSL VPN from other VPNs.

It forwards Web requests (using the HTTP protocol) from the remote browser to the Web server, and then sends the response from the Web server back to the remote user.

It can control URL permissions, that is, control the access of a user to a specific Web page.

The Web proxy supports two implementation modes: Web-link and Web rewriting. Web-link uses an ActiveX control to forward the Web pages. The Web rewrite function uses the script rewrite mode to rewrite the links on the specified Web page without modifying other content.

Advantages of Web-link:
Users can remotely access the Web resources on the intranet using standard browsers without installing clients.
Users can be assigned different access permissions for the same URL.


Implementation process:

The remote user originates an access request for a certain Web page on the intranet through the SVN gateway. The internal server sends the response to the SVN. The SVN obtains the specified Web page and sends it to the remote user.

For the users, the SVN functions as a Web server. For the internal servers, the SVN functions as a client.


The file sharing function enables servers with different systems (such as Windows systems using the SMB protocol and Linux systems using the NFS protocol) to share their resources with users in Web page mode.


1. The client sends an HTTPS-format request to the file server on the intranet. The HTTPS-format request is sent to the SVN.
2. The SVN converts the HTTPS-format request to an SMB-format packet.
3. The SVN sends the SMB-format packet to the file server.
4. The file server receives the request and sends an SMB-format response to the SVN.
5. The SVN converts the SMB-format response to an HTTPS-format packet.
6. The SVN sends the HTTPS-format packet to the client.


The file sharing functions as the file server agent so that users can access the file server on the intranet using the file sharing function.


The port forwarding function is mainly applicable to the applications in C/S architecture that do not support the Web access.


After the button that enables the port forwarding function is clicked on the client, the system automatically installs a Windows ActiveX control and obtains the port forwarding resource list (IP addresses and ports of the destination servers) configured on the NMS side.

The ActiveX control compares the TCP packets originated by the client with the resource list. If the destination IP address and port of a TCP packet match an entry on the resource list, the ActiveX control intercepts the TCP packet and enables the interception port (derived from the destination port through a specific algorithm). The ActiveX control rewrites the destination address as the loopback address and forwards the packet to the interception port.

The ActiveX control encrypts and encapsulates the packet, adds the private header, sets the destination address to the IP address of the SVN, and sends the packet to the SVN over the interception port.

After receiving the packet, the SVN decrypts it and sends it to the port of the real destination server.

Upon receiving the response from the server, the SVN encrypts and encapsulates the response and sends it to the interception port of the client.


After the network extension function is enabled, the remote client can obtain an IP address of the intranet and access the intranet resources conveniently.


The SVN3000 supports two IP address allocation modes.

DHCP allocation mode: The SVN3000 provides interfaces to enterprise DHCP servers. You can allocate intranet IP addresses to the remote users who log in to the SVN.

IP address pool: You can specify a series of consecutive, unused IP addresses as the virtual addresses for SVN users and configure these IP addresses on the SVN3000. The IP addresses are assigned randomly. You can bind an account to an IP address, so that whenever the user enables the network extension function, the user gets the same intranet IP address. If the bound IP address is included in the address pool, that IP address is locked and is not assigned to other users.


The tunneling mode determines the route by which packets are sent to the client. The network extension function supports three tunnel modes: Full Tunnel, Split Tunnel, and Manual Tunnel.

Full Tunnel: The network resources otherwise accessible to the client are blocked. The client can only remotely access the intranet resources.


Split Tunnel: Except for the resources in the network segment to which the client belongs, the client is prohibited from accessing public network resources. If public network resources were accessed, traffic to other network segments would be forwarded by the virtual network adapter with the virtual IP address as its source address, so the response data could not be routed back to the correct destination.


Manual Tunnel: The client can remotely access the intranet while still accessing the previously accessible network resources, unless those network resources conflict with the intranet resources.


Convenient deployment without clients:
The deployment is convenient, and enterprises do not need to change the intranet architecture.
Clientless deployment helps enterprises save investment, such as technical support and management costs.
The NAT traversal problem is not involved.

Security protection for application layer access:
The SSL VPN supports fine-grained access control for specific application resources.
Users can access the enterprise application resources only through the SSL VPN. In this manner, the propagation of network viruses is suppressed to a certain extent.

The SSL VPN helps enterprises improve efficiency:
Users can access the intranet at any time, from any place, and on any device. Enterprise mobile users or remote users can flexibly and safely access the intranet. The SSL VPN supports secure connection of enterprise branches, partner service stream integration, and remote service support.


The IPSec VPN can transmit data between two networks in a secure and stable manner and ensures the integrity of the data. It is applicable to data exchange between the headquarters network and branch networks, that is, the site-to-site application scenario. IPSec is a network layer protocol, so it is difficult for it to traverse NAT and firewalls, especially on well-protected personal networks and public computers. Mobile users must install dedicated client software to use the IPSec VPN, and the administrators of IPSec VPNs are overburdened with provisioning, installing, configuring, and maintaining the client software. Therefore, the IPSec VPN is not well suited to remote mobile communication in the point-to-site scenario.

The SSL VPN is an application-oriented VPN. It is more independent of the lower layers. Its easy-to-use and clientless applications fulfill remote access requirements, and the SSL VPN enables mobile users to set up secure and controllable connections at any time and from anywhere.


After setting up SSL VPN tunnels to the SVN3000, remote clients can conveniently and safely access intranet resources. Because firewalls are configured and the NAT function is available, the security of the intranet is not impaired when external network users access the intranet.


By dividing the SSL VPN into multiple virtual devices, you can set administrators and access policies for these virtual devices independently. In this manner, carrier investment is reduced and device usage is maximized.


The VPNDB is used to perform authentication against the local VPN database. The administrator of the virtual gateway can maintain the VPNDB through user and group management. Grouping users facilitates user management, and you can grant permissions to users based on groups.

The SVN3000 authenticates remote clients using the Remote Authentication Dial In User Service (RADIUS). The network access server (NAS) functions as the client that communicates with the RADIUS server. The standard RADIUS protocol can be used to complete authentication with devices such as iTELLIN/CAMS.

The SVN3000 can also use the Lightweight Directory Access Protocol (LDAP) to authenticate remote clients.


The SVN3000 provides the following functions:

1. Web proxy
2. File sharing
3. Port forwarding
4. Network extension
5. IPSec tunneling
6. Various authentication modes
7. Virtual gateway
8. Fine-grained access control
9. Various routing features (RIP/OSPF)
10. VLAN networking
11. Dual-host backup
12. Dual power supply
13. Comprehensive log and auditing function
14. SNMP/SSH/Telnet/CLI management
15. Excellent Chinese and English Web UI management
16. SSL VPN products certified by the State Cryptography Administration

tp :

// l

ea r Mo
36

ni n
Page 519

g. hu aw ei .c om /e n

All the operations can be performed on the Web management interface.


In this deployment scheme, Huawei Secoway SSL VPN is deployed at the back-end of the enterprise firewall to implement identity authentication and secure communications. The Secoway SSL VPN supports various authentication modes and URL-based access control to help users conveniently access the intranet and use intranet resources. The browser at the user end communicates with the Secoway SSL VPN over the SSL channel to secure remote access.

The link between the remote user and the server is divided into two segments. The TCP/IP-based data transmission on the link between the SVN and the server runs over the intranet and is treated as secure. The data transmission on the link between the remote user and the SVN is exposed to various security risks. Therefore, data on that segment must be encrypted in SSL mode to prevent interception and malicious modification. In this manner, the confidentiality and integrity of the data are ensured.

In this networking mode, the SVN is directly connected to the firewall at the edge of the enterprise network. The SVN can also be connected to a router or switch. Only one interface of the SVN is used to transmit packets between the external network and the intranet. During network planning, set the IP address of the SVN3000 to an IP address of the intranet. This IP address must be reachable through the routes of all the servers. Configure the NAT server on the firewall: map the SVN3000 address to an IP address of the public network that connects to the firewall. You can also map only a specific port, such as 443. If external network users require management access to the SVN3000, you must also map the related ports such as SSH and Telnet. Telnet carries credentials in cleartext, so expose only SSH from the external network and restrict the mapped management ports to the administrators' source addresses.

In this networking mode, the SVN3000 communicates with the intranet and the external network using different network interfaces. This networking clearly separates the intranet from the external network and does not require extra configuration. The external network interface uses the virtual gateway IP address. The intranet interface uses the management IP address of the intranet. Translation of the virtual gateway IP address by NAT is optional: if external network users can reach the virtual gateway IP address, it does not need to be translated. The interface between the internal and external networks is not fixed; any physical interface can be used to connect the external network and the intranet.

In this figure, the router and the switch are connected because certain applications in the intranet do not require SSL encryption, and users can access the external network directly through the firewall. For this to work, policy routing must be configured on the switch and the router. According to the policy routing, traffic for establishing the SSL VPN is forwarded to the SVN3000, and the traffic of common applications is forwarded to the external network through the firewall.

If the port bound to the Web NMS and its IP address is not 443, you must append :port to the IP address entered at the next login to the Web NMS (for example, https://x.x.x.x:port). Otherwise, you cannot log in to the Web NMS. If the virtual gateway and the Web NMS use the same IP address, you must change the port used by the Web NMS. Otherwise, you cannot complete the configuration of the virtual gateway. The initial user name and password for logging in to the SVN3000 are admin and Admin@123; change this default password at the first login, since it is published in the documentation and will be the first thing tried against the management port.

The virtual gateways have the following types based on how the IP address and domain name are used:

Exclusive type
The virtual gateway exclusively uses the IP address and domain name. Users can access a virtual gateway of the exclusive type using the corresponding domain name or IP address.

Shared type
Multiple virtual gateways share the same IP address and parent domain name. The virtual gateways are differentiated based on their sub-domain names. Users can access a virtual gateway of the shared type only by its domain name.

Maximum number of users: VPNDB
Maximum number of concurrent users: the maximum number of users who access the virtual gateway simultaneously

If the SVN3000 is configured with a DNS server, you can enter a host name rather than an IP address in the URL.

Before configuring the basic functions of the Web proxy, collect the following information:
1. Web resource name
2. Web resource URL address
3. Web resource description

Log in to the SVN3000 through the SSL VPN tunnel on the remote client. The interface shown in the figure is displayed. Before clicking a link, ensure that the Web server is accessible and is configured.


Through the SSL VPN tunnel established using the SVN3000, remote clients can access the intranet Web resources as in the local network.


The file system type is classified into SMB (for Windows) and NFS (for Linux).


If the SVN3000 is configured with a DNS server, you can enter a host name in the URL; it does not have to be an IP address.

Before configuring the basic functions of file sharing, prepare the following information:
1. File sharing resource name
2. File sharing resource path
3. File sharing resource type
4. File sharing resource description (optional)

Log in to the SVN3000 through the SSL VPN tunnel on the remote client. The page shown in the figure is displayed. Before you click a link, ensure that the file server is accessible and is configured.

You can enter the user name and password in the same way as you do for a shared host in the LAN. If you do not want users to enter a user name and password, you can set the corresponding permissions on the file sharing server.

The port forwarding service provides secure access to TCP-based applications that are not Web based, such as Telnet, remote desktop, FTP, and email.

The host address type can be one of the following:
Host name: enter the host name, which must be resolvable by the configured DNS server.
Host IP address: enter the IP address of the host.
Any IP address: enter only the port number.

The port forwarding function provides user access control at the application layer. It controls whether each application service (TCP-based services such as Telnet, remote desktop, FTP, and email) is provided to users.

Log in to the SVN3000 through the SSL VPN tunnel on the remote client. The interface shown in the figure is displayed. Before configuring the basic functions of port forwarding, collect the following information:
1. Port forwarding resource name
2. Host name or IP address of the port forwarding resource
3. Port used for providing the forwarding resource
4. Port forwarding resource description (optional)


After you run the Telnet command, enter the IP address of the device that you want to access on the intranet, rather than the IP address of the firewall or SVN3000.


The SVN3000 supports two IP address allocation modes.

DHCP allocation mode
The SVN3000 provides interfaces to enterprise DHCP servers, which allocate intranet IP addresses to the remote users who log in to the SVN.

IP address pool
You can specify a series of consecutive, unused IP addresses as the virtual addresses for SVN users and configure them on the SVN3000. The IP addresses are assigned randomly. You can bind an account to an IP address, so that whenever the user enables the network extension function the user gets the same intranet IP address. If the bound IP address lies inside the address pool, that address is locked and cannot be assigned to other users.
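The address-pool rules just described, as an added example rather than code from the SVN3000: random allocation from a contiguous range, account-to-address binding, and the lock that keeps a bound address out of the random pool. The pool range, account names and the fixed random seed are assumptions made for the example.

```python
"""Virtual address pool for network extension, with account-to-address binding.

Added example, not code from the SVN3000. It models the allocation rules
described above: addresses come from a contiguous range of unused intranet
addresses, are handed out at random, an account can be bound to a fixed
address, and a bound address that lies inside the pool is locked so it is
never handed to anyone else. The pool range, account names and the
deterministic seed are constructed for the example.
"""
import ipaddress
import random
from typing import Dict, Optional

IPv4 = ipaddress.IPv4Address


class AddressPool:
    def __init__(self, first: str, last: str, seed: Optional[int] = None):
        lo, hi = IPv4(first), IPv4(last)
        if hi < lo:
            raise ValueError("pool end precedes pool start")
        self._pool = [IPv4(i) for i in range(int(lo), int(hi) + 1)]
        self._bindings: Dict[str, IPv4] = {}   # account -> fixed address
        self._leases: Dict[str, IPv4] = {}     # account -> address in use right now
        self._rng = random.Random(seed)        # seeded only so the example is reproducible

    @staticmethod
    def _owner(table: Dict[str, IPv4], addr: IPv4) -> Optional[str]:
        return next((acct for acct, a in table.items() if a == addr), None)

    def bind(self, account: str, address: str) -> None:
        """Fix an account to an address. Refuses an address another account is bound
        to or is currently using, which is what makes the lock meaningful."""
        addr = IPv4(address)
        for table in (self._bindings, self._leases):
            owner = self._owner(table, addr)
            if owner not in (None, account):
                raise ValueError(f"{addr} already belongs to {owner}")
        self._bindings[account] = addr

    def _locked(self) -> set:
        # Bound addresses are locked whether or not their owner is logged in.
        return set(self._bindings.values()) | set(self._leases.values())

    def allocate(self, account: str) -> Optional[IPv4]:
        """Return the account's address for this session, or None if the pool is exhausted."""
        if account in self._leases:
            return self._leases[account]            # already connected: same address again
        if account in self._bindings:
            addr = self._bindings[account]          # fixed address, may even lie outside the pool
        else:
            free = [a for a in self._pool if a not in self._locked()]
            if not free:
                return None
            addr = self._rng.choice(free)           # random pick, as the text describes
        self._leases[account] = addr
        return addr

    def release(self, account: str) -> None:
        self._leases.pop(account, None)

    def free_count(self) -> int:
        return sum(1 for a in self._pool if a not in self._locked())
```

Binding is useful for writing stable per-user firewall rules on the intranet; the cost is that every bound address is removed from the random pool even while its owner is offline, so size the pool for bound users plus the expected concurrent unbound users.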

Log in to the SVN3000 through the SSL VPN tunnel on the remote client. The interface shown in the figure is displayed. To use the network extension function, you must install the ActiveX control on the remote client; click Continue to complete the control installation.

When checking the IP address of the remote client, you can view two network adapters, that is, a real network adapter and a virtual network adapter.


You can create a single user in the VPNDB, or create a group of users in a batch by importing a user information file. The user information file is in .txt format. Each line contains the information of one user, in the format user name+password or user name+password+UID+GID. Lines are terminated with a CR-LF combination.
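A parser for the import file format just described, as an added example that is not code from the training material or the SVN3000. The page does not say what separates the fields, so a literal '+' is assumed here; the reject rules (wrong field count, empty name or password, duplicate names, non-numeric UID/GID) and the sample file are this example's own.

```python
"""Parser for the VPNDB batch user-import file described above.

Added example, not code from the training material or the SVN3000. The text
says each line carries "user name+password" or "user name+password+UID+GID"
and that lines end in CR-LF. This parser assumes the field delimiter is a
literal '+' (an assumption; the page does not state it) and adds its own
reject rules: wrong field count, empty name or password, duplicate names and
non-numeric UID/GID. Bad lines are reported with their line number and
skipped so one typo does not abort a large import. The sample file is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VpnUser:
    name: str
    password: str
    uid: Optional[int] = None
    gid: Optional[int] = None


def parse_user_file(data: bytes) -> Tuple[List[VpnUser], List[str]]:
    users: List[VpnUser] = []
    errors: List[str] = []
    seen = set()
    text = data.decode("utf-8")
    if "\n" in text and "\r\n" not in text:
        errors.append("file uses LF line endings; the expected terminator is CR-LF")
    for lineno, raw in enumerate(text.split("\r\n"), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("+")
        if len(fields) not in (2, 4):
            errors.append(f"line {lineno}: expected 2 or 4 '+'-separated fields, got {len(fields)}")
            continue
        name, password = fields[0], fields[1]
        if not name or not password:
            errors.append(f"line {lineno}: empty user name or password")
            continue
        if name in seen:
            errors.append(f"line {lineno}: duplicate user name {name!r}")
            continue
        uid = gid = None
        if len(fields) == 4:
            if not (fields[2].isdigit() and fields[3].isdigit()):
                errors.append(f"line {lineno}: UID and GID must be numeric")
                continue
            uid, gid = int(fields[2]), int(fields[3])
        seen.add(name)
        users.append(VpnUser(name, password, uid, gid))
    return users, errors


# Constructed sample import file; the accounts are not real.
SAMPLE_IMPORT = (
    b"alice+Str0ng!pass\r\n"
    b"bob+An0ther!pw+1001+100\r\n"
    b"carol+\r\n"                 # empty password: rejected
    b"bob+dup+1002+100\r\n"       # duplicate name: rejected
    b"dave+pw+abc+100\r\n"        # non-numeric UID: rejected
)
```

The import file holds cleartext passwords: generate it on the administrator's workstation, upload it only over the Web NMS's HTTPS session, and delete it once the import has been verified.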

You can configure the account used to establish the SSL VPN tunnel between the client and the SVN3000, and then add the account to a user group. If you configure a virtual IP address for the client, the virtual IP address is bound to the user name.


Note: The Web proxy and file sharing functions do not require active controls while the port forwarding and network extension functions require active controls.


HCNA-Security V1.0 CBSN Chapter 11


Terminal Security


The latest survey result of Computer Economics shows that enterprises often ignore internal threats while preventing external hackers and viruses from attacking their networks. The figure on the right lists 14 security threats (including portable storage misuse, instant messaging (IM), non-work Web browsing, rogue WiFi access points, and personal devices) that should not be ignored in enterprises.

To completely control the network and data of an organization, the administrator must be ready to cope with the security problems that the system faces. The traditional defense style based on the gateway security architecture cannot manage the ever-increasing number of network access points, prevent security threats caused by staff's weak security awareness, or prevent the various security vulnerabilities of systems, let alone sense and implement security policies.


Traditionally, terminal security covers antivirus software, personal firewalls, and patch management. In a narrow sense, they are terminal security. We can see that they are isolated from each other. In a broad sense, they are only components of terminal security. What is terminal security, then? What problems does terminal security need to resolve? Why can the above-mentioned terminal security products not essentially solve security problems?

Antivirus software first appeared in the 1980s as viruses emerged. Over the years, antivirus software has developed from the earliest personal versions to the current network versions and gateway versions. After deploying antivirus software, however, enterprises still find that devices are widely infected with viruses. Although the products have their own technical limitations, the main reason is that most engines and virus libraries on terminals are not updated as required by network managers, or that no antivirus software is installed on terminals for a long time. During deployment, personal firewalls and patch management software face challenges similar to those of antivirus software. In view of the limitations of the traditional terminal security products, in the early 2000s IT manufacturers began to develop terminal security software to solve these problems. During implementation and delivery, however, IT manufacturers and enterprises found that terminal security software alone can hardly solve the problems that terminals face from the aspect of the system architecture. This has led some IT manufacturers with comprehensive technical capability to enter the terminal security field. By virtue of its own security practice, network technology development, and security software development, Huawei puts forward a terminal security 3-D defense system.

The 3-D defense system refers to a unified, integrated defense-in-depth system formed by consolidating relevant products and components on the basis of the problems that terminals face, so as to overcome the limitations that a single protection may bring. Terminal security is a systematic product and solution on the basis of the 3-D defense philosophy. It embodies the ideas of the 3-D architecture and proactive defense, and continuously improves the security capability of the enterprise's terminals through PDCA.

The terminal security 3-D defense system identifies terminal users through access control to determine whether they are allowed to access networks. Desktop management guarantees the security of terminal desktops through the preparation of security policies. Through the preparation of security management regulations suitable for the business operation of enterprises, security management guarantees that the prepared security policies are governed by these regulations.


1. Composition of the TSM system:
Security manager (SM)
Security controller (SC)
Access control: hardware security access control gateway (SACG), 802.1x switch, or software SACG

2. Terminal access modes:
Web. In Web mode, only identity authentication is performed.
Web Agent. In Web Agent mode, identity authentication and partial security authentication are performed.
Agent. In Agent mode, identity authentication and full security authentication are performed.

3. TSM domains:
Pre-authentication domain: a domain that a terminal can access before identity authentication.
Isolation domain: a domain used for security repair after a terminal passes identity authentication but fails security authentication.

Post-authentication domain: a domain that a terminal can access after security authentication, based on the business resource access rights assigned according to the terminal's business role.

4. Relationship between TSM domains and security domains:
The pre-authentication domain and the isolation domain are service domains of a security domain. The post-authentication domain is a business domain of a security domain.

Major characteristics of the centralized deployment mode: Secospace servers are deployed in a centralized way. The components such as the SM, SC, and database can be installed on a server or installed separately, depending on the number of terminals that the server manages. SC servers can be deployed in a cluster for redundancy (in this case, two or more SC servers are required). The SACG can work in standalone mode or dual-system hot backup mode.


In the following cases, the distributed networking mode is recommended:
1. Terminals are relatively concentrated in several domains and the bandwidth between the domains is small. Because there is a certain amount of traffic between the SAs and the server, the inter-domain bandwidth would be consumed and service provisioning affected if the centralized deployment mode were adopted.
2. There are a large number of terminals. In this case, the distributed deployment mode avoids the heavy network bandwidth consumption caused by many terminals accessing the TSM server.

When the distributed deployment mode is adopted, the SAs of the TSM system select the nearest SC to obtain services such as identity authentication and access control.

How is network access protection implemented for different roles in different scenarios? The hardware SACG is adopted for access control. The SACG is attached to the switch at the convergence layer. Employees in the marketing department, who have the Secospace agent installed on their terminals, can access the network and the public resources of the enterprise normally after identity authentication and the security policy check.

Principle of access control implemented by the SACG:
1) Before authentication, no traffic can pass through the hardware SACG.
2) After authentication, firewall rules based on IP addresses are dynamically generated on the hardware SACG.

Employees in the finance department have no Secospace agent installed on their terminals, and the SACG provides the Web push function. When such an employee opens IE to access a Web site, the employee is redirected through URL redirection to a customized Web page to download the Secospace agent (SA). After installing the SA, the employee can access the corresponding resources through the access control process.

Similarly, host firewall access control can be adopted. Different trusted domains are established through access control policies between terminals. For example, the terminals of the finance department form trusted domain 1 and the terminals of the marketing department form trusted domain 2. Access between trusted domains is not allowed, even if the terminals pass the security check. In addition, external terminals on which no SA is installed, or untrusted terminals that fail identity authentication and the security check, cannot access trusted terminals that have passed the security check. In this way, access from insecure terminals to secure terminals (for example, to a shared directory) is effectively prevented, and devices in a LAN are protected against attacks by viruses and worms.

Finally, 802.1X access control can be adopted. In this mode, before a terminal passes identity authentication and the security check, the port on the switch is disabled and the terminal cannot access neighboring terminals on the LAN. After the terminal passes the security check, the switch dynamically switches the VLAN to control which post-authentication domain the terminal can access, implementing network access control based on user roles.

Principle of 802.1X access control:
1) Before authentication, the network is not available and only authentication protocol packets can pass.
2) After authentication, ports are assigned to different VLANs, and access between the VLANs is blocked.
3) For terminals that fail authentication, the switch can automatically move them to the Guest VLAN.
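The three enforcement points described in the preceding passages (the SACG's per-IP rules, the host firewall's trusted domains, and the 802.1X VLAN assignment) expressed as one decision model. This is an added example, not Huawei SACG, Secospace agent or switch code; the domain address ranges, role names and VLAN numbers are assumptions made for the example.

```python
"""Access decisions for the three TSM domains and the enforcement points above.

Added example, not Huawei SACG, Secospace agent or switch code. It models
what the text describes: an SACG that passes nothing except the
pre-authentication domain until a terminal authenticates and then installs
per-IP rules, a host firewall that only lets checked terminals of the same
trusted domain talk to each other, and an 802.1X switch that parks a port in
a VLAN according to the outcome. Address ranges, roles and VLAN numbers are
constructed.
"""
import ipaddress
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    UNAUTHENTICATED = "no identity yet"          # agent not run, nothing proven
    FAILED = "identity authentication failed"
    IDENTITY_ONLY = "identity ok, security check failed"
    COMPLIANT = "identity and security check passed"


Net = ipaddress.IPv4Network
PRE_AUTH_DOMAIN = [Net("10.1.0.0/24")]      # SC servers and the agent-download portal
ISOLATION_DOMAIN = [Net("10.1.1.0/24")]     # patch, antivirus and other repair servers
POST_AUTH_DOMAIN: Dict[str, List[Net]] = {  # business resources per role
    "finance": [Net("10.20.0.0/24")],
    "marketing": [Net("10.30.0.0/24")],
}
GUEST_VLAN, ISOLATION_VLAN = 999, 998
ROLE_VLAN = {"finance": 20, "marketing": 30}

Verdict = Tuple[State, Optional[str]]
SacgTable = Dict[ipaddress.IPv4Address, Verdict]


def _reaches(dst: ipaddress.IPv4Address, nets: List[Net]) -> bool:
    return any(dst in n for n in nets)


def install_rules(table: SacgTable, terminal_ip: str, state: State,
                  role: Optional[str] = None) -> None:
    """Called by the SC after authentication: the SACG rule is keyed on the terminal address."""
    table[ipaddress.IPv4Address(terminal_ip)] = (state, role)


def sacg_allows(table: SacgTable, src_ip: str, dst_ip: str) -> bool:
    """Hardware SACG decision for one packet. A source with no entry is an
    unauthenticated terminal and reaches only the pre-authentication domain."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    state, role = table.get(src, (State.UNAUTHENTICATED, None))
    if _reaches(dst, PRE_AUTH_DOMAIN):
        return True
    if state is State.IDENTITY_ONLY:
        return _reaches(dst, ISOLATION_DOMAIN)
    if state is State.COMPLIANT:
        return _reaches(dst, POST_AUTH_DOMAIN.get(role, []))
    return False


def host_firewall_allows(src: Tuple[str, State], dst: Tuple[str, State]) -> bool:
    """Terminal-to-terminal rule of the trusted-domain scheme: both ends must have
    passed the security check and belong to the same trusted domain (here, the role)."""
    (src_role, src_state), (dst_role, dst_state) = src, dst
    return (src_state is State.COMPLIANT and dst_state is State.COMPLIANT
            and src_role == dst_role)


def dot1x_vlan(state: State, role: Optional[str] = None) -> Optional[int]:
    """VLAN the switch assigns to the port; None means the port is still closed
    and only authentication (EAPOL) frames pass."""
    if state is State.UNAUTHENTICATED:
        return None
    if state is State.FAILED:
        return GUEST_VLAN
    if state is State.IDENTITY_ONLY:
        return ISOLATION_VLAN
    return ROLE_VLAN.get(role, GUEST_VLAN)
```

Keying the SACG rule on the terminal's IP address is what the text describes, and it is also the scheme's weak spot: a terminal that spoofs or takes over an authenticated address inherits its rules, which is why the 802.1X port-based variant and the host firewall are offered alongside it.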


Support for a hierarchically managed organization structure
Centralized management, distributed management, and hierarchical management are supported. The upper-level and lower-level registration function is supported, so that the upper level manages the lower levels in a unified way, including system management, policy delivery, license distribution, patch delivery, software distribution, and policy templates.

Repeated user name
User names can be repeated, even within a department. There are some restrictions when users/accounts are imported in a batch: repeated user names in a department cannot be imported.

Globally unique user account
User accounts, including the accounts created in the system and the accounts synchronized from external data sources, are globally unique.

Account import and export
Departments, users, accounts, and the IP/MAC addresses bound to accounts can all be imported or exported.

Synchronization of external data sources
Various external data sources such as AD, Novell eDirectory, IBM Tivoli, and Sun ONE are supported. Sub-departments can be created automatically from the sub-OU information (or from the group attributes of a domain account in AD) to lower the implementation complexity. At most 20 external data sources are supported.
Note: Synchronized departments and accounts cannot be deleted.

1. The network domain management function is provided. Management based on network domains is a management mode different from management based on departments: it does not distinguish between the departments of users, but performs domain management according to the geographical areas (IP addresses) of users.
2. Network domain management mainly covers the following:
1) Policy template distribution
2) Patch template distribution
3) Parts related to access control
4) Local parameter distribution
5) WSUS parameter distribution
6) Software delivery task distribution
7) Advertisement distribution
8) Distribution of extended data sources
9) Query of information about violations

Ordinary user name + password authentication

AD account authentication
Kerberos authentication and non-Kerberos authentication are supported. Kerberos authentication requires that an SPN authentication service account be added on the AD, while non-Kerberos authentication does not require any SPN authentication service account. In the case of non-Kerberos authentication, a direct AD authentication success is allowed when the server in the AD domain is faulty. Note that this is fail-open behaviour: while the domain controller is unreachable, AD logins succeed without the password being verified, so enable it only where that availability trade-off is deliberate and make sure such logins are logged. Synchronization and authentication information of a user can be encrypted with SSL.

LDAP authentication
Standard LDAP v3 is adopted. The supported leading LDAP servers include Novell eDirectory, IBM Tivoli, and Sun ONE.

MAC account authentication

Support for USB key authentication
In principle, the TSM V1R2C05 supports USB key authentication as long as the USB key supports a standard CSP interface. Support for a given USB key is subject to testing because the implementation varies slightly between manufacturers.

The function of checking the shared directories of a terminal is provided. The function checks the settings of the shared directories on a terminal PC. An account can be set for a shared directory, and shared permissions can be set for the account.

The check items are as follows:
Name of the sharing account (user or user group)
Illegitimate shared right: read permission/reader, write permission/contributor, and full control/owner
Automatic repair function: illegitimate sharing is deleted.

Purpose of checking printer sharing
Check whether the local printer is shared with others. Check whether printer sharing is enabled on a terminal and whether the shared right is restricted.

Check items
Check whether printer sharing is enabled.
Check the accounts with which the printing rights are shared.
Check the rights of printer sharing: print, manage the printer, and manage documents.

Provision of the automatic repair function
In the case of automatic repair, the sharing granted to the specified accounts is deleted, but printer sharing itself is not disabled.

Only the use of USB storage devices is forbidden. That is to say, non-storage devices such as USB mice and USB keyboards can be used, while storage devices such as USB flash drives, USB hard disks, and USB CD-ROMs cannot be used at all.

USB device read-only mode is supported. That is, both USB non-storage devices and USB storage devices can be used, but for USB storage devices only reading is permitted and writing is forbidden.

The capability of monitoring USB device file operations is provided. File operations can be identified and recorded.

With the encrypted write function enabled, a file that a terminal user copies to a USB device is encrypted, and only users of the enterprise who have the TSM security agent installed on their terminals can use the encrypted file. The encrypted file is automatically decrypted when it is copied from the USB device to a local hard disk.

The function of monitoring computer peripherals such as the floppy disk drive, serial interface, parallel interface, infrared interface, IEEE 1394 interface, modem, PCMCIA, Bluetooth, SD, multimedia card (MMC), and local printer is supported. In addition, peripherals can be disabled. When the state of a peripheral or interface differs from the policy configuration, the system records the event and whether the device was disabled successfully. When the system detects that a user attempts to forcibly enable a disabled device, the system records the event.

Purpose of checking ports
By checking the ports on which a host listens, you can determine what software is installed on the host. For example, you can use this function to check whether the DHCP service is enabled on the host.

Description of the function
The ports of terminals can be checked periodically, and the checking period can be configured.
Either only listening ports or all ports, including ports in the TIME_WAIT state, can be checked.
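The port check above run over netstat-style output, as an added example that is not TSM agent code: it parses Windows `netstat -ano` lines, honours the listening-only versus all-states option the text mentions, and flags ports that betray forbidden software such as a DHCP server on UDP 67. The sample lines and the forbidden-port table are constructed.

```python
"""Port check over netstat-style output, as the terminal check above describes.

Added example, not TSM agent code. It parses constructed Windows
`netstat -ano`-style lines, optionally restricts itself to LISTENING TCP
sockets or includes every state such as TIME_WAIT, and flags ports that
indicate software the policy forbids, for instance a DHCP server on UDP 67.
The sample lines and the forbidden-port table are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Socket(NamedTuple):
    proto: str
    local_port: int
    state: Optional[str]   # UDP sockets carry no state column on Windows
    pid: int


LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # header lines and anything malformed are skipped
        proto, _addr, port, state, pid = m.groups()
        sockets.append(Socket(proto, int(port), state, int(pid)))
    return sockets


# Constructed policy: (protocol, local port) -> what its presence indicates.
FORBIDDEN: Dict[Tuple[str, int], str] = {
    ("UDP", 67): "DHCP server",
    ("TCP", 445): "SMB file sharing",
    ("TCP", 23): "Telnet server",
    ("TCP", 3389): "Remote Desktop",
}


def check_ports(sockets: List[Socket], listening_only: bool = True) -> Dict[str, Socket]:
    """Return {description: first matching socket} for violations. With listening_only,
    a TCP socket counts only in LISTENING state; UDP sockets always count because they
    have no state. With listening_only=False every state, TIME_WAIT included, is examined,
    which also catches a server that served a connection just before the check ran."""
    findings: Dict[str, Socket] = {}
    for s in sockets:
        if listening_only and s.proto == "TCP" and s.state != "LISTENING":
            continue
        description = FORBIDDEN.get((s.proto, s.local_port))
        if description:
            findings.setdefault(description, s)
    return findings


# Constructed sample output; the PIDs and addresses are not from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.50.0.5:3389         10.50.0.9:51022        TIME_WAIT       0
  UDP    0.0.0.0:67             *:*                                    1724
  UDP    0.0.0.0:123            *:*                                    1100
"""
```

A listening port only tells you that something owns it; before reporting a violation the agent should map the PID back to its image so that a legitimate, centrally managed service on the same port is not flagged.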

Description of monitoring DHCP settings
Check whether a terminal obtains its IP address through DHCP. Terminals can be forced to use DHCP to obtain IP addresses, and terminal users are prevented from modifying the configuration (the TCP/IP properties are disabled).

Options provided
Only the network adapters connected to the SC server are checked. (When terminals are offline, the system is unable to determine which network adapters are connected to the SC server. In this case, the network adapters connected to the SC server are not checked.)
Only the network adapters not connected to the SC server are checked. (When terminals are offline, the system is unable to determine which network adapters are connected to the SC server. In this case, the network adapters not connected to the SC server are not checked.)
All network adapters are checked.

The function of monitoring illegitimate external connections is provided. Proactive detection of a specified external network address is supported, to prevent connections with external networks in any form.

The function of monitoring legitimate external connections is provided. Detection of a specified external network address is supported. A failure to pass through the specified legitimate network egress is reported to the server.

database is automatically updated. The virus killing function is enabled after authentication. The path for virus scanning, including the memory/system directory and customized path, can

Support for enhanced interworking with the following antivirus software:

Jiangmin KV2008, KV2009, KV2010, KVNET2008, KVNET2009, and KVNET2010

Besides the enhanced interworking antivirus software, the weak interworking antivirus software (as the leading antivirus software in the industry) is supported. For relevant

re

Le

ar

ni

ng

information, see the latest product documentation.

Re

so

Kingsoft network versions 5.0 and 5.5

ur c

be defined after the virus removal function is enabled. When there are viruses that cannot be killed on a terminal, antivirus software cooperates with the access control device to isolate the terminal.

es :

ht

Enhanced interworking with the antivirus software provided by enterprises such as Jiangmin and Kingsoft is supported. The automatic repair function is provided. The virus

tp :

// l

ea r Mo
28

ni n
Page 583

1. Check whether the patch at a specific level is installed on terminal PCs according to the patch level. The patch levels include critical, serious, major, minor, and unknown (full-featured module).

2. Check whether a patch is installed on terminal PCs according to the patch list.

3. An exception patch list is provided, where some patches can be exempted from checking. When a patch conflict exists, the exception patch list takes precedence.

4. Repair suggestions and repair links can be configured to implement manual repair.

5. Automatic repair is supported.
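An added Python example (not the SC's or SA's code) that implements the five points as one check: required patches are selected either by level or by an explicit list, the exception list overrides a conflicting requirement, and each missing patch yields either an automatic-repair action or a repair suggestion with a link. The patch identifiers, levels, and URLs in the catalogue are invented for the example.

```python
from dataclasses import dataclass

# Severity order used by the check (names as listed in the text).
LEVEL_RANK = {"critical": 4, "serious": 3, "major": 2, "minor": 1, "unknown": 0}


@dataclass(frozen=True)
class Patch:
    kb: str          # patch identifier; the values below are invented
    level: str       # critical | serious | major | minor | unknown
    repair_url: str  # link offered to the user for manual repair (invented)


# Constructed catalogue of patches the SC requires.
CATALOGUE = [
    Patch("KB2000001", "critical", "http://patch.example.test/KB2000001"),
    Patch("KB2000002", "serious",  "http://patch.example.test/KB2000002"),
    Patch("KB2000003", "major",    "http://patch.example.test/KB2000003"),
    Patch("KB2000004", "minor",    "http://patch.example.test/KB2000004"),
    Patch("KB2000005", "unknown",  "http://patch.example.test/KB2000005"),
]


def required_by_level(catalogue, min_level):
    """Mode 1: every catalogue patch whose level is at least min_level."""
    floor = LEVEL_RANK[min_level]
    return [p for p in catalogue if LEVEL_RANK[p.level] >= floor]


def required_by_list(catalogue, kbs):
    """Mode 2: only the explicitly listed patches."""
    wanted = set(kbs)
    return [p for p in catalogue if p.kb in wanted]


def check_terminal(required, installed, exceptions=(), auto_repair=False):
    """Compare the required set with what the terminal reports as installed.

    Returns {"missing": [...], "skipped": [...], "actions": [...]}.  A patch on
    the exception list is never reported, even if it is also required: the
    exception list wins the conflict.  Missing patches produce either an
    automatic-repair action or a repair suggestion with a link."""
    installed, exceptions = set(installed), set(exceptions)
    missing, skipped, actions = [], [], []
    for p in required:
        if p.kb in exceptions:
            skipped.append(p.kb)
            continue
        if p.kb in installed:
            continue
        missing.append(p.kb)
        if auto_repair:
            actions.append(f"install {p.kb} automatically")
        else:
            actions.append(f"advise user: install {p.kb} ({p.level}) from {p.repair_url}")
    return {"missing": missing, "skipped": skipped, "actions": actions}


if __name__ == "__main__":
    # Constructed inventory reported by one terminal.
    installed = ["KB2000001"]
    result = check_terminal(required_by_level(CATALOGUE, "major"), installed,
                            exceptions=["KB2000003"])
    print(result)
```

The installed list would in practice come from the terminal's update inventory; the check itself does not care where the inventory comes from, only that identifiers match the catalogue.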


HCNA-Security V1.0 CBSN Chapter 12

Introduction to Huawei Security Products

With the rapid development of the Internet, a growing number of enterprises have begun to accelerate their development by taking advantage of network services. Protecting the intranet in an open network environment has become a concern of enterprises.

Huawei delivers the self-developed USG series unified security gateway products for large- and medium-sized enterprises. With 150 Mbit/s to 8 Gbit/s processing capabilities, these products provide cost-effective security solutions for large- and medium-sized networks.

USG unified security gateways are based on a high-performance hardware platform and an advanced software architecture. They are equipped with high-performance or multicore CPUs to provide line-rate packet processing, data forwarding, and anti-attack functions.

USG unified security gateways provide rich interface functions, including fixed ports such as GE/FE and console ports, general expansion slots for mini interface cards (MICs), and expansion slots for flexible interface cards (FICs). The expansion slots support GE/FE, ADSL2+, WiFi, 3G, and E1/CE1 interface cards, for flexible selection according to the network environments of customers. In addition, the strong software scalability allows for cost-effective network upgrade and capacity expansion.


The USG devices are used on the enterprise headquarters network, at the egress gateways of branches, and as security gateways of regional offices and remote sites.

Providing firewall and UTM functions to ensure intranet security

Providing rich VPN functions to ensure communication security

Providing 3G and WiFi functions for easy networking


Main functions:

Advanced virtual gateway

Web proxy

File sharing

Port proxy

Network expansion

User security control

Complete logging functions

The SVN3000 is based on a carrier-class high-reliability hardware platform that adapts to various network environments and minimizes the losses caused by hardware faults.

The SVN3000 is 1 U high and weighs 6 kg. It has three 10/100/1000M combo ports and two expansion slots for encryption or interface cards. The flash memory is 64 MB.

In the preceding figures, power and grounding cables are connected to the SVN3000. The AC and DC models have different power receptacles and should be selected according to the equipment room conditions of the customer.


Key performance:

Supporting mainstream Windows operating systems, including XP/2000/Vista/Windows 7

Product features:

Distributed deployment architecture to provide the highest performance, reliability, and scalability in the industry, and eliminate network bottlenecks in network devices

Single server supporting up to 20,000 concurrent users

Deployment of the TSM: The SM and SC constitute the Secospace server. The SM, as the core management server, manages multiple SCs. The SM uses a B/S architecture: system administrators configure and modify user information, access permissions, and access policies, and print reports, through Web pages. The SC, as the control point that interworks with the SA, implements system management functions such as user identity authentication, security policy delivery, and software distribution. The SC interworks with 802.1x switches or the SACG for identity authentication and security policy checks; it opens ports or applies ACL rules, and authorizes users to use network resources based on the check result.

The SA is installed on the user PC. It obtains security policy parameters from the server and checks the terminal's compliance against the policies. It monitors user behavior on the terminal in real time and reports the auditing result to the server for reference.

The SACG is a special access control gateway developed on the basis of the Huawei carrier-class hardware firewall platform. It is the core device for hardware gateway access control. The preceding figure shows the topology of an SACG network. Network security evaluation experts recommend that outbound traffic from intranet terminals and public servers to the Internet or other untrusted networks be filtered, to prevent attacks by hackers and worms. The SACG filters all uplink traffic from terminals. It divides the network into an untrusted zone, a trusted zone, and a DMZ. Before passing authentication and the security check, a user can access only the DMZ, which is the pre-authentication domain. After passing authentication and the security check, the user can access the role-based post-authentication domain. This mechanism effectively ensures intranet access security.
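The pre-/post-authentication domain switch described above, as an added Python example (not Huawei's SACG code and not a real ACL syntax): a terminal's uplink packets are matched against a DMZ-only ACL until both the identity check and the security check have passed, after which a role-specific ACL is appended. All addresses, ports, and role names are invented; the implicit deny at the end is an assumption that matches the filtering intent in the text.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network
    ports: frozenset          # empty set means any port
    action: str               # "permit" or "deny"


def net(cidr):
    return ipaddress.IPv4Network(cidr)


# Constructed addressing; nothing here comes from a real deployment.
# The DMZ is the pre-authentication domain: only what a terminal needs in
# order to authenticate and to repair itself.
PRE_AUTH_DOMAIN = [
    Rule(net("10.10.0.10/32"), frozenset({8443}), "permit"),     # SC (agent <-> control point)
    Rule(net("10.10.0.20/32"), frozenset({80, 443}), "permit"),  # patch / antivirus repair server
    Rule(net("10.10.0.53/32"), frozenset({53}), "permit"),       # DNS
]

# Post-authentication domain, selected by role once both checks have passed.
POST_AUTH_DOMAIN = {
    "staff": [
        Rule(net("10.20.0.0/16"), frozenset(), "permit"),          # trusted zone: office servers
        Rule(net("0.0.0.0/0"), frozenset({80, 443}), "permit"),    # untrusted zone: web only
    ],
    "finance": [
        Rule(net("10.20.0.0/16"), frozenset(), "permit"),
        Rule(net("10.30.5.0/24"), frozenset({1433}), "permit"),    # finance database segment
        Rule(net("0.0.0.0/0"), frozenset({80, 443}), "permit"),
    ],
}


@dataclass
class TerminalState:
    authenticated: bool = False   # identity check (802.1x / SACG) passed
    compliant: bool = False       # security check (DHCP, patches, antivirus ...) passed
    role: str = ""


def effective_acl(state):
    """The SACG widens the terminal's ACL only when BOTH authentication and
    the security check have succeeded; otherwise the DMZ is all it can reach."""
    acl = list(PRE_AUTH_DOMAIN)
    if state.authenticated and state.compliant:
        acl += POST_AUTH_DOMAIN.get(state.role, [])
    return acl


def filter_uplink(state, dst_ip, dst_port):
    """Decision for one uplink packet from the terminal: first matching rule
    wins; anything unmatched is dropped (implicit deny)."""
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in effective_acl(state):
        if dst in rule.dst and (not rule.ports or dst_port in rule.ports):
            return rule.action
    return "deny"


if __name__ == "__main__":
    user = TerminalState()
    print("before auth, office server:", filter_uplink(user, "10.20.1.5", 445))
    user = TerminalState(authenticated=True, compliant=True, role="staff")
    print("after auth, office server:", filter_uplink(user, "10.20.1.5", 445))
```

Note that authentication alone is not enough: a user who logs in but fails the security check stays in the pre-authentication domain, which is exactly the state in which the repair server must remain reachable.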

Huawei Secospace DSM is a document security management software product that features powerful functions and ease of use. It provides real-time permission control to enable authorized sharing of confidential information within enterprises. It allows the information owner to define who can access the information, and when and how they can access it, and it logs document access operations. A document permission, once defined, is always attached to the document wherever the document is forwarded, within the intranet or to the Internet (to partners or customers). With high stability, reliability, and scalability, the system can provide document encryption and authorization for the other application systems of an enterprise, to help the enterprise build a secure and controllable document security management platform.

The Secospace DSM adopts transparent encryption technology based on a file filter driver, to prevent information disclosure by hackers or by employees through networks (the Internet, email attachments, and FTP download) and storage media (CD-ROMs, USB storage devices, or disks). Because the data is encrypted, it remains protected even if it is illegally copied or obtained.

The Secospace DSM provides powerful document permission management functions to control who can access documents, and when and how they can access them. This enables secure and reliable information sharing among employees, partners, and customers. Real-time permission control implements dynamic permission change and revocation. The DSM provides user management functions, and supports synchronization of department and account information with Microsoft Active Directory and Novell eDirectory. Cross-system document authorization and user roaming ensure secure document sharing anywhere, anytime.

Product features:

Dynamic encryption and decryption combining the application and driver layers, real-time permission management, centralized key management, complete log auditing, centralized and distributed deployment; a high-availability, high-performance, and scalable architecture to provide a unified and powerful document security management platform

The Secospace DSM supports complete log auditing functions. It tracks and records the operations on all documents, to ensure that security policies are followed and to provide evidence for tracing in case of information disclosure.

The Secospace DSM implements real-time permission control to allow for authorized sharing of confidential information. An information owner can define who can access the information, and when and how they can access it. In addition, document operations are logged. The DSM helps enterprises build a secure and reliable document security management platform.

The DSM comprises the DMC, DS, and DC. Their functions are as follows:

DMC

A DMC is necessary only when a number of users are connected to a system in a hierarchical and distributed manner. On such a network, the DMC resides at level 1 and DSs are at level 2. When a large number of widely distributed users need to be connected, multiple DSs can be deployed, each of which can work independently. To authorize users in both systems to use documents in either system, the DMC should take over the management of both DSs. In this case, DMC system administrators can manage the document administrators of both DSs and perform global group policy distribution. With the help of the DMC, users of level-2 DSs can authorize each other, making it easier to add users to the whole system.

DSM management node

A DSM management node comprises a database component and one to four DSs. The DS is primarily used to process client services and to manage document keys and permissions. In a DSM system, the permissions of all documents are stored on DSs, and a client must request the key and permissions from the DS before opening a document online. The DS sends the key and permissions to the client only when the client is authorized to open the document. The DS supports load balancing and hot backup, to avoid a single point of failure. The DS also provides a Web-based management function: ordinary users can log in to the Web page for document permission management, and system administrators can manage the system.

DC

The DC is primarily used to encrypt and decrypt documents and to implement document permission control. When the DC obtains the permission information of a document from the DS, it controls the editor and the operating system to enforce the document permission. Permission control is the core function of a DSM system. The DC ensures, through various technologies, that users can modify or print a document only when they are authorized to do so. The DC adopts transparent encryption technology to make sure that documents are stored on disk in encrypted form and are dynamically decrypted only when they are displayed by the editor. Transparent encryption ensures the security of the documents stored on disks.
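The DS/DC exchange described above, as an added Python example that is not Huawei's DSM code: the server side holds keys and per-user rights and releases a key only to a user who currently has at least the read right, and the client side keeps the file encrypted on disk and decrypts only in memory after that release. The cipher is a toy HMAC-SHA256 keystream standing in for the product's unspecified cipher (assumed, not the product's), and the user, document, and right names are invented. Revoking a grant immediately makes an already-copied file useless to that user, which is the "permission attached to the document" property the text describes.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


class DocumentServer:
    """DS: holds document keys and permissions; releases a key only to a user
    who currently holds at least the 'read' right on that document."""

    def __init__(self):
        self._keys = {}    # doc_id -> 32-byte key
        self._perms = {}   # doc_id -> {user: set(rights)}

    def register(self, doc_id, owner):
        self._keys[doc_id] = os.urandom(32)
        self._perms[doc_id] = {owner: {"read", "edit", "print"}}

    def _require_editor(self, doc_id, actor):
        if "edit" not in self._perms[doc_id].get(actor, set()):
            raise PermissionError(f"{actor} may not change permissions on {doc_id}")

    def grant(self, doc_id, actor, user, rights):
        """Takes effect immediately: real-time permission control."""
        self._require_editor(doc_id, actor)
        self._perms[doc_id][user] = set(rights)

    def revoke(self, doc_id, actor, user):
        self._require_editor(doc_id, actor)
        self._perms[doc_id].pop(user, None)

    def request_key(self, doc_id, user):
        """What the client asks before opening: (key, rights) or None."""
        rights = self._perms.get(doc_id, {}).get(user)
        if not rights or "read" not in rights:
            return None
        return self._keys[doc_id], frozenset(rights)


# --- DC side: bytes on disk are always ciphertext -----------------------------
def _keystream(key, nonce, length):
    """Toy keystream (HMAC-SHA256 in counter mode).  Stand-in for the product's
    unspecified cipher; a real implementation would use an AEAD such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def unseal(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class DocumentClient:
    """DC: decrypts only in memory, after the DS has released the key."""

    def __init__(self, server, user):
        self.ds, self.user = server, user

    def save(self, doc_id, plaintext):
        grant = self.ds.request_key(doc_id, self.user)
        if grant is None or "edit" not in grant[1]:
            raise PermissionError(f"{self.user} may not edit {doc_id}")
        return seal(grant[0], plaintext)        # this is what lands on disk

    def open(self, doc_id, blob):
        """(plaintext, rights) if the DS authorizes this user, else None."""
        grant = self.ds.request_key(doc_id, self.user)
        if grant is None:
            return None
        key, rights = grant
        return unseal(key, blob), rights

    def may(self, doc_id, right):
        grant = self.ds.request_key(doc_id, self.user)
        return grant is not None and right in grant[1]
```

The toy keystream gives confidentiality only; it has no integrity protection, so an attacker who can edit the file can flip plaintext bits without knowing the key. A deployment would pair the cipher with authentication, and the DC would also have to stop the editor from writing plaintext copies, which is why the product does this in a file filter driver rather than in the application.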

NAT log management

NAT logs of firewalls, routers, and BRAS devices

Translation records of source IP addresses, source ports, destination IP addresses, destination ports, and protocol type

Network traffic auditing

Working with the UTM device to provide an intuitive view of the basic traffic, application traffic, interface traffic, and P2P traffic in the form of reports

Displaying multi-dimensional statistics of intrusion prevention system (IPS), mail filtering, virus detection, URL auditing, instant messaging (IM), and defense services, and printing the statistics in the form of reports

Application-layer protocol (FTP/Telnet/HTTP) translation, behavior monitoring, and restoration through the behavior auditing probe

Database and operating system auditing

Audit the database through off-line deployment of the behavior auditing probe

Audit the operating system by collecting system logs
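What NAT log management is for, as an added Python example (not the product's code): given translation records with the five fields listed above, answer the question an abuse report raises, namely which private host was behind a given public address and port at a given time. The log format and field names are invented for the example; the constructed log deliberately reuses one public port for two different internal hosts in sequence and for a UDP flow, which is the case a naive lookup by address and port alone gets wrong.

```python
import re
from datetime import datetime

# Constructed NAT session log.  The format is invented for this example and is
# not the syntax of any particular firewall, router, or BRAS.
NAT_LOG = """\
2013-02-27 12:00:01 nat build proto=tcp src=10.1.20.15:51000 trans=203.0.113.5:40001 dst=198.51.100.7:443
2013-02-27 12:00:05 nat build proto=tcp src=10.1.20.16:52000 trans=203.0.113.5:40002 dst=198.51.100.7:443
2013-02-27 12:00:20 nat teardown proto=tcp src=10.1.20.15:51000 trans=203.0.113.5:40001 dst=198.51.100.7:443
2013-02-27 12:00:25 nat build proto=tcp src=10.1.20.17:53000 trans=203.0.113.5:40001 dst=192.0.2.30:80
2013-02-27 12:00:40 nat build proto=udp src=10.1.20.18:5060 trans=203.0.113.5:40001 dst=192.0.2.31:5060
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) nat (?P<event>build|teardown) "
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"trans=(?P<tip>[\d.]+):(?P<tport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_sessions(log_text):
    """Pair build/teardown records into sessions with start and end times.
    A session with end=None is still open at the end of the log."""
    sessions, open_by_key = [], {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # unrelated log line
        f = m.groupdict()
        ts = datetime.strptime(f["ts"], TS_FMT)
        key = (f["proto"], f["src"], int(f["sport"]), f["tip"], int(f["tport"]),
               f["dst"], int(f["dport"]))
        if f["event"] == "build":
            s = {"proto": f["proto"], "src": f["src"], "sport": int(f["sport"]),
                 "tip": f["tip"], "tport": int(f["tport"]),
                 "dst": f["dst"], "dport": int(f["dport"]), "start": ts, "end": None}
            sessions.append(s)
            open_by_key[key] = s
        else:
            s = open_by_key.pop(key, None)
            if s is not None:
                s["end"] = ts
    return sessions


def who_was(sessions, proto, public_ip, public_port, when):
    """Private (src, sport, dst, dport) tuples that were mapped to
    public_ip:public_port over `proto` at the moment `when`."""
    t = datetime.strptime(when, TS_FMT)
    hits = [s for s in sessions
            if s["proto"] == proto and s["tip"] == public_ip and s["tport"] == public_port
            and s["start"] <= t and (s["end"] is None or t <= s["end"])]
    return [(s["src"], s["sport"], s["dst"], s["dport"]) for s in hits]


if __name__ == "__main__":
    sessions = parse_sessions(NAT_LOG)
    print(who_was(sessions, "tcp", "203.0.113.5", 40001, "2013-02-27 12:00:30"))
```

Two practical caveats: the answer is only as good as the clock on the NAT device, so the device and the log collector need synchronized time, and the protocol must be part of the key, since TCP and UDP port spaces are translated independently.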

Unified log management platform for network resources

Network devices, security devices, hosts, Web servers, and application systems

Rich alarm management functions

Alarming by means of mail, short message, alarm box, and audible and visual alarms

Alarm monitoring and alarm statistics

Communication modes:

SNMP, SFTP, and SSH

Product features:

C/S architecture, in-band or out-of-band networking, topology management, NE management, performance management, centralized policy configuration management, fault management, and VPN management for the full Eudemon/USG/SIG series of security devices and mainstream network devices; an intuitive network topology view to help administrators quickly locate network faults, improve management, increase work efficiency, and reduce maintenance cost, providing an efficient management platform for all devices on the network

The convergence of telecom and IP networks has become a trend, but the controllability of telecom networks and the openness of IP networks contradict each other by nature. Telecom operators face the following challenges from IP networks:

Illegitimate VoIP operation competes directly with the traditional PSTN service of telecom operators, who have seen sharp decreases in PSTN revenues.

Illegitimately shared Internet access is eating up telecom operators' revenues from broadband services.

Widely deployed P2P applications occupy much of the scarce bandwidth of telecom operators, who are worried by growing capacity but stagnant revenue.

Abnormal network traffic overloads the devices of telecom operators and impacts customers' service networks, causing huge losses.

Due to the complexity and variety of Internet services, telecom operators can hardly understand the traffic and service composition of IP bearer networks, which is necessary for effective management of traffic and services.

More importantly, telecom operators have no idea about customers' online habits, fail to customize services for them or conduct targeted promotional campaigns, and lack lean operation. As a result, the operators fail to add value to their IP bearer networks or to increase the average revenue per user (ARPU).

To solve these problems in IP network operation management, Huawei delivers the SIG, which provides functions such as service traffic flow analysis, VoIP service monitoring, P2P service monitoring, shared access monitoring, abnormal traffic (such as DDoS traffic) monitoring, user behavior analysis, and intelligent Web pushing. It helps operators add to and maintain the value of their MAN services.

Service awareness

Understanding traffic composition, distribution, and trends as the basis for network planning

Monitoring network applications and exploring new service growth points

Flow control

Controlling P2P traffic to release bandwidth and reduce inter-network settlement cost

Improving user experience in other applications such as Web page browsing, gaming, and stock trading

Illegitimate service control

Restricting illegitimate VoIP operation

Preventing illegitimate Internet sharing by unlicensed Internet cafes and small enterprises, to help operators increase broadband service revenues

Value-added service operation

Statistics of the websites users are most interested in, user classification by interest, and top N websites

Interest and instant behavior based intelligent advertisement pushing

DDoS attack monitoring to provide secure broadband networks

Hardware specifications:

NIP200: 3 x GE electrical ports

NIP1000: 2 x GE electrical ports + 2 x GE optical ports

Product features:

Special virtual engine technology to provide all-in-one functions at lower cost

Special application-layer accelerating engine and efficient algorithms for high-speed, efficient, and accurate detection

Professional security anti-attack labs to keep up with the latest network attack prevention technologies in the world and maintain a technical edge

The NIP adopts protocol-analysis-based intelligent pattern matching. Combined with state analysis and abnormal behavior detection technologies, it greatly increases detection accuracy and reduces false negatives and false positives. The efficient pattern matching algorithm greatly improves detection efficiency. The NIP has more than 2,500 types of built-in intrusion rules for detecting various attacks such as DoS attacks, scanning attacks, code attacks, virus attacks, and backdoor attacks.

Worm detection

The NIP traces the latest worm events in real time and provides event rules for known worms. For a known vulnerability without related worm events, the NIP provides related event rules based on analysis of the vulnerability, to facilitate real-time worm discovery.

Protocol decoding

The NIP decodes common application-layer protocols and records abnormal behaviors. Users can easily customize TCP/IP-based analysis events, for example, connection and disconnection of application-layer protocols such as HTTP, SMTP, FTP, and Telnet; connection requests and responses using POP3 commands; and keyword decoding for application-layer protocols.

IP fragment reassembly

The NIP reassembles and analyzes the IP fragments on the monitored network, to prevent IP fragment spoofing.
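Why an IDS must reassemble before it matches, as an added Python example that is not the NIP's code: a small IPv4 fragment reassembler that rebuilds the datagram per (source,
destination, protocol, identification) and flags the two fragment tricks used to hide
an attack from a signature engine, overlapping fragments whose bytes disagree and a
fragment that runs past the end set by the last fragment. The packets are built in the
block with struct (addresses and payloads are constructed); only the fields the
reassembler needs are filled in, and the header checksum is left zero.

```python
import socket
import struct


def build_ipv4(ident, offset, more, payload, src="10.1.1.1", dst="10.2.2.2", proto=17):
    """Build a minimal IPv4 fragment (no options; header checksum left zero,
    which is enough for parsing in this example)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = ((1 if more else 0) << 13) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(pkt):
    (ver_ihl, _, total, ident, flags_frag, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ident),
            "offset": (flags_frag & 0x1FFF) * 8,   # 13-bit offset in 8-byte units
            "more": bool(flags_frag & 0x2000),     # MF flag
            "data": pkt[ihl:total]}


class Reassembler:
    """Reassembles fragments per (src, dst, proto, id).  feed() returns the
    whole datagram once every byte is present, otherwise None.  Overlapping
    fragments whose bytes disagree, and fragments that run past the end set by
    the last fragment, are recorded in self.alerts and dropped: that is the
    evasion / spoofing signal an IDS wants to see."""

    def __init__(self):
        self.flows = {}
        self.alerts = []

    def feed(self, pkt):
        f = parse_ipv4(pkt)
        flow = self.flows.setdefault(f["key"], {"parts": [], "total": None})
        start, end = f["offset"], f["offset"] + len(f["data"])
        for off, data in flow["parts"]:
            lo, hi = max(off, start), min(off + len(data), end)
            if lo < hi and data[lo - off:hi - off] != f["data"][lo - start:hi - start]:
                self.alerts.append((f["key"], f"conflicting overlap at bytes {lo}-{hi}"))
                return None
        if flow["total"] is not None and end > flow["total"]:
            self.alerts.append((f["key"], "fragment extends past end of datagram"))
            return None
        flow["parts"].append((start, f["data"]))
        if not f["more"]:
            flow["total"] = end
        return self._try_complete(f["key"], flow)

    def _try_complete(self, key, flow):
        if flow["total"] is None:
            return None                      # last fragment not seen yet
        buf = bytearray(flow["total"])
        covered = bytearray(flow["total"])   # 1 where some fragment supplied the byte
        for off, data in flow["parts"]:
            if off + len(data) > flow["total"]:
                self.alerts.append((key, "fragment extends past end of datagram"))
                del self.flows[key]
                return None
            buf[off:off + len(data)] = data
            covered[off:off + len(data)] = b"\x01" * len(data)
        if 0 in covered:
            return None                      # a hole remains: keep waiting
        del self.flows[key]
        return bytes(buf)
```

A production reassembler also needs a timeout per flow and a cap on buffered bytes, otherwise the reassembly table itself becomes a resource-exhaustion target; those are omitted here to keep the overlap logic visible.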

Log storm processing

The NIP merges attack events of the same type that occur within a certain period into one event, displays the attack on the console, and records the number of attacks, to prevent a log storm on the console.

Protocol filtering and false positive processing

The NIP can filter a certain type of TCP/IP data flow so that it is not recorded by the NIDS. It can also filter events by rule name and source/destination at the same time, so that events are reported to the console only when necessary and the NIDS is not loaded with unnecessary events.

Security event response

Alarming: audible alarming, focus window, indicator alarming, email alarming, short message alarming, alarm program execution, and SNMP trap

System logging: records are generated as Windows operating system logs.

Session disconnection: a TCP intrusion session can be disconnected by sending a TCP reset (RST).

Program execution: this function is used to execute local programs.

Firewall interworking: in case of an intrusion event, the IDS sends a message to the firewall, which dynamically generates a rule to block the intrusion and protect the network.

Logging

Common audit logging: events for common logging are displayed on the console in real time and recorded in the database.

Detailed audit logging: events for detailed logging are recorded with the detailed session process, which can be replayed later using the packet replay tool. This provides a basis for administrators' analysis and can be kept as evidence.

System activity and status monitoring

Engine status monitoring: this function allows administrators to view engine status in real time, including resource usage and network traffic (number of ongoing sessions, current traffic, number of packets per second, and number of packets lost per second) on the listening network adapters. The number of packets lost per second provides evidence of network abnormality.
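Log storm processing and the two kinds of filtering described above, as one added Python example (not the NIP's code): raw engine events are first dropped by protocol filter (a whole class of flow never recorded) or by event filter (a known false positive identified by rule name plus source/destination), and the survivors of the same type within a window are collapsed into one console record that carries a count and the last-seen time. The events, rule names, addresses, and the 60-second window are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed engine events (not real NIP output): (ts, rule, src, dst, proto)
RAW_EVENTS = [
    ("2013-02-27 10:00:00", "TCP SYN flood", "203.0.113.9", "10.1.1.10", "tcp"),
    ("2013-02-27 10:00:01", "TCP SYN flood", "203.0.113.9", "10.1.1.10", "tcp"),
    ("2013-02-27 10:00:02", "TCP SYN flood", "203.0.113.9", "10.1.1.10", "tcp"),
    ("2013-02-27 10:00:03", "SNMP community scan", "10.0.0.9", "10.1.1.10", "udp"),
    ("2013-02-27 10:00:30", "HTTP directory traversal", "198.51.100.4", "10.1.1.20", "tcp"),
    ("2013-02-27 10:01:30", "TCP SYN flood", "203.0.113.9", "10.1.1.10", "tcp"),
]

# Protocol filter: (proto, src or None, dst or None).  Here: UDP from the
# monitoring station is never recorded (its SNMP polling trips the scan rule).
PROTOCOL_FILTERS = {("udp", "10.0.0.9", None)}

# Event filter: (rule, src or None, dst or None).  Here: a vulnerability
# scanner's traffic is a known false positive for this rule.
EVENT_FILTERS = {("HTTP directory traversal", "198.51.100.4", None)}

TS_FMT = "%Y-%m-%d %H:%M:%S"


def _matches(entry, value, src, dst):
    tag, s, d = entry
    return tag == value and (s is None or s == src) and (d is None or d == dst)


def is_filtered(event, proto_filters=PROTOCOL_FILTERS, event_filters=EVENT_FILTERS):
    """True if the event should not be recorded at all."""
    _, rule, src, dst, proto = event
    return (any(_matches(f, proto, src, dst) for f in proto_filters)
            or any(_matches(f, rule, src, dst) for f in event_filters))


def merge_storm(events, window_seconds=60):
    """Collapse events with the same (rule, src, dst) that fall within
    `window_seconds` of the group's first event into one record with a count."""
    merged, open_groups = [], {}        # open_groups: key -> index into merged
    for ts_s, rule, src, dst, proto in events:
        ts = datetime.strptime(ts_s, TS_FMT)
        key = (rule, src, dst)
        idx = open_groups.get(key)
        if idx is not None and ts - merged[idx]["first"] <= timedelta(seconds=window_seconds):
            merged[idx]["count"] += 1
            merged[idx]["last"] = ts
            continue
        merged.append({"rule": rule, "src": src, "dst": dst, "proto": proto,
                       "first": ts, "last": ts, "count": 1})
        open_groups[key] = len(merged) - 1  # a new window starts for this key
    return merged


def console_view(events=RAW_EVENTS, window_seconds=60):
    """What reaches the console: filtered, then merged, in arrival order."""
    kept = [e for e in events if not is_filtered(e)]
    return merge_storm(kept, window_seconds)


if __name__ == "__main__":
    for rec in console_view():
        print(f"{rec['rule']} {rec['src']}->{rec['dst']} x{rec['count']} "
              f"({rec['first']:%H:%M:%S} .. {rec['last']:%H:%M:%S})")
```

The window is anchored at the group's first event rather than sliding with the last one, so a slow, continuous attack still produces a fresh record every window instead of being merged into one entry forever; which behaviour is wanted is a tuning decision.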

Server status monitoring

Many servers on networks, such as Web servers, FTP servers, and mail servers, provide application services. These servers usually need to work around the clock, so their running status must be monitored. This function helps users find out whether a server is alive and providing services properly, locate and solve any problems as early as possible, and minimize the losses caused by a malfunctioning server.

Email monitoring

The NIP can monitor emails transmitted through SMTP, POP3, IMAP, and Web mail to avoid disclosure of sensitive information.

MSN monitoring

The NIP can monitor MSN chatting.

File transfer monitoring

The NIP can monitor file transfer through FTP or MSN to avoid disclosure of sensitive information.

Harmful website monitoring

The NIP can monitor harmful websites containing pornographic and violent content.

Real-time session monitoring

The system can display a real-time session list. Users can query, record, or disconnect each session.

Multi-port listening

The NIP can define multiple listening ports for each engine to protect different network segments. By default, three ports are configured for management, listening, and expansion respectively. The management port communicates with the console, the listening port monitors network traffic, and the expansion port provides scalability.

NIP console

The console is the user interface program for NIP function and policy configuration. It is installed on an independent PC running Windows 2000. The console provides user interfaces for setting the necessary intrusion detection rules and response attributes for the various engines. The console collects intrusion logs from the engines and sends notifications to administrators through sounds, emails, or short messages.

NIP engine

Upon detecting an intrusion, the engine automatically responds according to the preset response attributes and reports the intrusion to the console, which generates a log. The hardware and deployment of the engine are as follows. The NIP engine is available in two models:

NIP200: 1U standard chassis, serial port, 4 x 10/100/1000M Ethernet ports, AC power supply

NIP1000: 2U standard chassis, serial port, 1 x 10/100M Ethernet port, 2 x 10/100/1000M Ethernet ports, 2 x 1G multimode FC ports, AC power supply; SYN flood attack

The anti-DDoS solution comprises the management center, detection center, and cleaning center.

Management center

It is composed of the server system (including the SIG SAS, SRS, DB, and Web/report parts), and implements attack event processing, and redirection and cleaning policy control for the cleaning center. The management center displays attack events and traffic by type, and generates reports.

Detection center

It is composed of the SIG SPS (hardware), and implements DDoS traffic detection and analysis.

Cleaning center

It redirects and cleans attack traffic according to the control policy of the security management center. After cleaning, it re-injects the traffic into the MAN, from where the traffic is passed to the original destination.

The backbone MAN egress is heavily loaded by traffic, which is directed to the NE80E through an optical splitting platform. The traffic is then balanced among the SIGs according to a predefined policy to accelerate SIG processing.
