HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls
Attack Protection Configuration Guide
Part number: 5998-2650
Document version: 6PW100-20110909
Legal and notice information
© Copyright 2011 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
Blacklist configuration ... 1
  Blacklist overview ... 1
  Configuring the blacklist ... 1
    Configuration task list ... 1
    Enabling the blacklist function ... 2
    Adding a blacklist entry manually ... 2
    Viewing the blacklist ... 3
  Blacklist configuration example ... 3
Packet inspection configuration ... 7
  Packet inspection overview ... 7
  Configuring packet inspection ... 8
  Packet inspection configuration example ... 9
Traffic abnormality detection configuration ... 11
  Traffic abnormality detection overview ... 11
    Flood detection ... 11
    Connection limit ... 12
    Scanning detection ... 12
  Configuring traffic abnormality detection ... 12
    Configuring ICMP flood detection ... 12
    Configuring UDP flood detection ... 14
    Configuring DNS flood detection ... 16
    Configuring SYN flood detection ... 17
    Configuring connection limit ... 19
    Configuring scanning detection ... 20
  Traffic abnormality detection configuration example ... 21
URPF configuration ... 26
  URPF overview ... 26
    What is URPF ... 26
    How URPF works ... 26
  Configuring URPF ... 27
  URPF configuration example ... 28
TCP proxy configuration ... 31
  Overview ... 31
    SYN flood attack ... 31
    TCP proxy ... 31
    How TCP proxy works ... 32
  Configuring TCP proxy ... 33
    Configuration task list ... 33
    Performing global TCP proxy setting ... 34
    Enabling TCP Proxy for a Security Zone ... 34
    Adding a protected IP address entry ... 34
    Displaying information about protected IP address entries ... 35
  TCP proxy configuration example ... 36
  Configuration guidelines ... 38
IDS collaboration ... 39
  Overview ... 39
  Enabling IDS collaboration ... 39
  Configuration guidelines ... 39
Intrusion detection statistics ... 41
  Overview ... 41
  Displaying intrusion detection statistics ... 41
ARP attack protection configuration ... 44
  Configuring periodic sending of gratuitous ARP packet ... 44
    Introduction to periodic sending of gratuitous ARP packet ... 44
    Configuring periodic sending of gratuitous ARP packet in the web interface ... 46
    Configuring periodic sending of gratuitous ARP packet at the CLI ... 47
  ARP automatic scanning and fixed ARP ... 47
    Introduction to ARP automatic scanning and fixed ARP ... 47
    Configuring ARP automatic scanning in the web interface ... 48
    Configuring fixed ARP in the web interface ... 49
    Configuring ARP automatic scanning and fixed ARP at the CLI ... 50
TCP attack protection configuration ... 51
  TCP attack protection overview ... 51
  Enabling the SYN Cookie feature ... 51
  Enabling protection against Naptha attacks ... 52
  Displaying and maintaining TCP attack protection ... 52
Firewall configuration ... 53
  Firewall overview ... 53
    Introduction to packet-filter firewall ... 53
    Support for fragment filtering ... 53
  Configuring a packet-filter firewall ... 54
    Packet-filter firewall configuration task list ... 54
    Enabling the IPv6 firewall function ... 54
    Configuring the default filtering action of the IPv6 firewall ... 54
    Configuring IPv6 packet filtering on an interface ... 55
    Displaying and maintaining a packet filtering firewall ... 55
Support and other resources ... 56
  Contacting HP ... 56
    Subscription service ... 56
  Related information ... 56
    Documents ... 56
    Websites ... 56
  Conventions ... 57
Index ... 59
Blacklist configuration
NOTE:
The blacklist configuration is available only in the web interface.
Blacklist overview
The blacklist is an attack prevention mechanism that filters packets based on source IP address. Compared
with ACL-based packet filtering, the blacklist feature is easier to configure and faster at filtering packets
sourced from particular IP addresses.
The firewall can dynamically add and remove blacklist entries. This is implemented in cooperation with
the scanning detection feature. When the firewall detects that packets sourced from an IP address have
a behavior pattern that implies a potential scanning attack, it automatically blacklists the IP address to
filter subsequent packets sourced from that IP address. Blacklist entries added in this way will age out
after a period of time.
NOTE:
For more information about scanning detection configuration, see the chapter “Traffic Abnormality
Detection Configuration.”
The firewall also supports adding and removing blacklist entries manually. Manually configured blacklist
entries fall into two categories: permanent and non-permanent. A permanent blacklist entry is always
present unless being removed manually, whereas a non-permanent blacklist entry has a limited lifetime
depending on your configuration. When the lifetime of a non-permanent entry expires, the firewall
removes the entry from the blacklist, allowing the packets of the IP address defined by the entry to pass
through.
Configuring the blacklist
Configuration task list
Table 1 Blacklist configuration task list

Task: Enabling the blacklist function
Remarks: Required. By default, the blacklist function is disabled.

Task: Configuring the scanning detection feature to add blacklist entries automatically
Remarks: Required. Complete at least one of this task and the next (adding a blacklist entry manually). For more information about scanning detection configuration, see the chapter "Traffic Abnormality Detection Configuration."

Task: Adding a blacklist entry manually
Remarks: Required. Complete at least one of this task and the previous one. By default, no blacklist entries exist.
IMPORTANT: If you modify a dynamic blacklist entry, the entry will turn into a manual one.

Task: Viewing the blacklist
Remarks: Optional
Enabling the blacklist function
1. From the navigation tree, select Intrusion Detection > Blacklist to enter the blacklist management page.
2. Select the Enable Blacklist box.
3. Click Apply.
Figure 1 Blacklist management page
Adding a blacklist entry manually
1. From the navigation tree, select Intrusion Detection > Blacklist to enter the blacklist management page.
2. Click Add to enter the blacklist entry configuration page.
Figure 2 Add a blacklist entry manually
3. Configure a blacklist entry as described in Table 2.
4. Click Apply.
Table 2 Configuration items
IP Address: Specify the IP address to be blacklisted.
Hold Time: Configure the entry to be a non-permanent one and specify a lifetime for it.
Permanence: Configure the entry to be a permanent one.
Viewing the blacklist
From the navigation tree, select Intrusion Detection > Blacklist to enter the blacklist management page,
where you can view the blacklist information, as shown in Figure 1. Table 3 describes the blacklist fields.
Table 3 Field description
IP Address: Blacklisted IP address.
Add Method: Type of the blacklist entry. Possible values include:
  • Auto: Added by the scanning detection feature automatically.
  • Manual: Added manually or modified manually.
  IMPORTANT: Once modified manually, an auto entry becomes a manual one.
Start Time: Time when the blacklist entry was added.
Hold Time: Lifetime of the blacklist entry.
Dropped Count: Number of packets dropped based on the blacklist entry.
Blacklist configuration example
Network requirements
As shown in Figure 3, the internal network is the trusted zone and the external network is the untrusted
zone. Configure Firewall to do the following tasks:
• Block packets from Host D forever (suppose that Host D is an attack source).
• Block packets from Host C for 50 minutes, so as to control access of the host.
• Perform scanning detection for traffic from the untrusted zone and, upon detecting a scanning attack, blacklist the source. The scanning threshold is 4500 connections per second.
Figure 3 Network diagram
Configuration procedure
# Assign IP addresses to the interfaces. (Details not shown)
# Enable the blacklist feature.
From the navigation tree, select Intrusion Detection > Blacklist. The blacklist management page appears,
as shown in Figure 4.
Figure 4 Enable the blacklist feature
Perform the following operations on the page:
• In the Global Configuration area, select the Enable Blacklist option.
• Click Apply.
# Add a blacklist entry for Host D.
In the Blacklist Configuration area, click Add. The page as shown in Figure 5 appears.
Figure 5 Add a blacklist entry for Host D
Perform the following operations on the page:
• Enter IP address 5.5.5.5.
• Select the Permanence option.
• Click Apply to complete the configuration.
# Add a blacklist entry for Host C.
In the Blacklist Configuration area, click Add. The page as shown in Figure 6 appears.
Figure 6 Add a blacklist entry for Host C
Perform the following operations on the page:
• Enter IP address 192.168.1.5.
• Select the Hold Time option and, in the box next to the option, set the lifetime of the entry to 50 minutes.
• Click Apply to complete the configuration.
# Configure scanning detection for the untrusted zone.
Select Intrusion Detection > Traffic Abnormality > Scanning Detection from the navigation tree. The page as shown in Figure 7 appears.
Figure 7 Configure scanning detection for the untrusted zone
Perform the following operations on the page:
• Select security zone Untrust.
• Select the Enable Scanning Detection option.
• Set the scanning threshold to 4500.
• Select the Add the source IP to the blacklist option.
• Click Apply to complete the configuration.
Verifying the configuration
To verify the configurations:
• Select Intrusion Detection > Blacklist from the navigation tree to display the list. Check whether the manually added blacklist entries appear on the blacklist.
• Check whether Firewall discards all packets from Host D before you remove the blacklist entry for the host.
• Check whether Firewall discards all packets from Host C within 50 minutes. After 50 minutes, check whether Firewall forwards packets from Host C normally.
• Check whether Firewall outputs an alarm log and adds the IP address to the blacklist when detecting a scanning attack from the untrusted zone. You can select Intrusion Detection > Blacklist from the navigation tree to check the blacklist for the entry.
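The blacklist semantics from the overview (permanent, hold-time and auto entries, aging, an edited auto entry becoming manual) and the scanning-detection rule of this example (Host D permanent, Host C for 50 minutes, 4500 connections per second), as an added Python model. This is not HP firmware code; the one-second rate window, the 10-minute age of auto entries and the entry layout are assumptions.

```python
"""Model of blacklist filtering plus scanning detection (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BlacklistEntry:
    ip: str
    add_method: str              # "Auto" or "Manual", as in Table 3
    start_time: float            # seconds
    hold_time: Optional[float]   # seconds; None means a permanent entry
    dropped_count: int = 0

    def expired(self, now: float) -> bool:
        return self.hold_time is not None and now >= self.start_time + self.hold_time


class Blacklist:
    def __init__(self, enabled: bool = False):
        self.enabled = enabled                         # "Enable Blacklist" option
        self.entries: Dict[str, BlacklistEntry] = {}

    def add_manual(self, ip: str, now: float, hold_minutes: Optional[int] = None) -> None:
        """Add or modify an entry by hand; hold_minutes=None selects Permanence."""
        hold = None if hold_minutes is None else hold_minutes * 60.0
        # Anything written through this path, including an edited auto entry,
        # is recorded as Manual (IMPORTANT note under Table 1).
        self.entries[ip] = BlacklistEntry(ip, "Manual", now, hold)

    def add_auto(self, ip: str, now: float, age_seconds: float) -> None:
        """Entry added by scanning detection; it ages out after age_seconds."""
        current = self.entries.get(ip)
        if current is not None and current.add_method == "Manual":
            return  # a manual entry is never downgraded by a detection
        self.entries[ip] = BlacklistEntry(ip, "Auto", now, age_seconds)

    def drops(self, src_ip: str, now: float) -> bool:
        """True if a packet from src_ip is discarded at time now."""
        if not self.enabled:
            return False
        entry = self.entries.get(src_ip)
        if entry is None:
            return False
        if entry.expired(now):
            del self.entries[src_ip]   # lifetime over: packets pass again
            return False
        entry.dropped_count += 1
        return True


class ScanningDetector:
    """Counts connection attempts per source IP in one-second windows (assumed window)."""

    def __init__(self, threshold: int, blacklist: Blacklist,
                 add_to_blacklist: bool = True, auto_age_seconds: float = 600.0):
        self.threshold = threshold                   # connections per second
        self.blacklist = blacklist
        self.add_to_blacklist = add_to_blacklist     # "Add the source IP to the blacklist"
        self.auto_age = auto_age_seconds             # assumed aging time of auto entries
        self.counts: Dict[Tuple[str, int], int] = {}
        self.alarms: List[str] = []

    def connection(self, src_ip: str, now: float) -> bool:
        """Register one new connection; return True when an alarm is raised."""
        key = (src_ip, int(now))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] != self.threshold:
            return False  # alarm once per window, when the threshold is first reached
        self.alarms.append(f"scanning attack from {src_ip} at second {int(now)}")
        if self.add_to_blacklist:
            self.blacklist.add_auto(src_ip, now, self.auto_age)
        return True


def configure_example(now: float = 0.0) -> Tuple[Blacklist, ScanningDetector]:
    """Apply the configuration example: blacklist on, Host D permanent, Host C 50 min."""
    bl = Blacklist(enabled=True)
    bl.add_manual("5.5.5.5", now)                       # Host D, Permanence
    bl.add_manual("192.168.1.5", now, hold_minutes=50)  # Host C, Hold Time 50 minutes
    det = ScanningDetector(threshold=4500, blacklist=bl)
    return bl, det
```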
Packet inspection configuration
NOTE:
The packet inspection configuration is available only in the web interface.
Packet inspection overview
A single-packet attack, or malformed packet attack, occurs when either of the following events occurs:
• An attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags, to a target system, making the target system malfunction or crash when processing such packets.
• An attacker sends large quantities of junk packets to the network, using up the network bandwidth.
With packet inspection configured, the firewall analyzes the characteristics of received packets to
determine whether the packets are attack packets. Upon detecting an attack, the firewall logs the event
and, when configured, discards the attack packets.
The firewall supports detection of the following types of single packet attacks.
Table 4 Types of single packet attacks
Fraggle: A Fraggle attack occurs when an attacker sends large amounts of UDP echo requests (UDP port 7) or Chargen packets (UDP port 19), resulting in a large quantity of junk replies that finally exhaust the bandwidth of the target network.
Land: A Land attack occurs when an attacker sends a great number of TCP SYN packets with both the source and destination IP addresses set to the IP address of the target, exhausting the half-open connection resources of the victim and preventing the target from providing services normally.
WinNuke: A WinNuke attacker sends out-of-band (OOB) data with overlapping pointer field values to the NetBIOS port (139) of a Windows system that has an established connection, introducing a NetBIOS fragment overlap and causing the system to crash.
TCP Flag: Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such flags to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker can make the host crash.
ICMP unreachable: Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for it. By sending ICMP unreachable packets, an ICMP unreachable attacker can cut off the connection between the target host and the network.
ICMP redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table, interfering with the normal forwarding of IP packets.
Tracert: The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 each time the packet passes a router. Upon receiving a packet with a TTL of 0, a router must send an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the network topology.
Smurf: A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network reply to the requests, congesting the network and leaving hosts on the target network unable to provide services.
Source route: A source route attack exploits the source route option in the IP header to probe the topology of a network.
Route record: A route record attack exploits the route record option in the IP header to probe the topology of a network.
Large ICMP: For some hosts and devices, large ICMP packets cause memory allocation errors and crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.
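The single-packet checks behind the attack types in Table 4, written out as an added Python classifier with a per-zone policy like the one in Table 5. This is an illustration, not HP firmware code: the packet record layout, the port and TTL heuristics used for Tracert, the broadcast-address set and the default Max Packet Length are assumptions.

```python
"""Classifier for the single-packet attack types of Table 4 (added illustration)."""
from typing import Dict, List, Set

# Constructed policy for one zone, mirroring the Table 5 items.
DEFAULT_POLICY = {
    "discard": True,                       # "Discard Packets when the specified attack is detected"
    "enabled": {"Fraggle", "Land", "WinNuke", "TCP Flag", "ICMP unreachable",
                "ICMP redirect", "Tracert", "Smurf", "Source route",
                "Route record", "Large ICMP"},
    "max_icmp_length": 4000,               # Max Packet Length; value assumed
    "broadcast_addrs": {"192.168.1.255", "255.255.255.255"},  # assumed target network
}

ICMP_UNREACHABLE, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 3, 5, 8
ALL_TCP_FLAGS = {"SYN", "FIN", "RST", "PSH", "ACK", "URG"}


def classify(pkt: Dict, policy: Dict = DEFAULT_POLICY) -> List[str]:
    """Return the Table 4 attack types that the packet matches under the policy."""
    found = []
    proto = pkt["proto"]
    flags: Set[str] = set(pkt.get("flags", ()))
    opts: Set[str] = set(pkt.get("ip_options", ()))
    if proto == "udp" and pkt.get("dport") in (7, 19):
        found.append("Fraggle")                       # UDP echo or Chargen port
    if proto == "tcp" and "SYN" in flags and pkt["src"] == pkt["dst"]:
        found.append("Land")                          # source equals destination
    if proto == "tcp" and pkt.get("dport") == 139 and "URG" in flags:
        found.append("WinNuke")                       # OOB data to the NetBIOS port
    if proto == "tcp" and (not flags or {"SYN", "FIN"} <= flags or ALL_TCP_FLAGS <= flags):
        found.append("TCP Flag")                      # null, SYN+FIN and all-flags combinations
    if proto == "icmp" and pkt.get("icmp_type") == ICMP_UNREACHABLE:
        found.append("ICMP unreachable")
    if proto == "icmp" and pkt.get("icmp_type") == ICMP_REDIRECT:
        found.append("ICMP redirect")
    if proto == "udp" and pkt.get("dport", 0) >= 33434 and pkt.get("ttl", 64) <= 30:
        found.append("Tracert")                       # high UDP port with a small TTL (assumed bounds)
    if (proto == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST
            and pkt["dst"] in policy["broadcast_addrs"]):
        found.append("Smurf")                         # echo request to a broadcast address
    if opts & {"LSRR", "SSRR"}:
        found.append("Source route")                  # loose or strict source route option
    if "RR" in opts:
        found.append("Route record")
    if proto == "icmp" and pkt.get("length", 0) > policy["max_icmp_length"]:
        found.append("Large ICMP")
    return [a for a in found if a in policy["enabled"]]


def inspect(pkt: Dict, policy: Dict = DEFAULT_POLICY) -> Dict:
    """Apply the zone policy: every detection is logged, packets drop only if 'discard' is set."""
    attacks = classify(pkt, policy)
    action = "drop" if attacks and policy["discard"] else "forward"
    return {"attacks": attacks, "action": action}


# Constructed sample packets for a quick self-check.
SAMPLES = {
    "land": {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.1.10",
             "dport": 80, "flags": ["SYN"]},
    "smurf": {"proto": "icmp", "src": "192.168.1.10", "dst": "192.168.1.255",
              "icmp_type": 8, "length": 84},
    "benign": {"proto": "tcp", "src": "10.0.0.2", "dst": "192.168.1.10",
               "dport": 443, "flags": ["SYN"]},
}
```

A policy with only Land and Smurf enabled reproduces the configuration example for the untrusted zone; other packet types then pass untouched.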
Configuring packet inspection
1. From the navigation tree, select Intrusion Detection > Packet Inspection to enter the packet inspection page.
Figure 8 Configuration page
2. Configure packet inspection as described in Table 5.
3. Click Apply.
Table 5 Configuration items
Zone: Select a zone to detect attacks from the zone.
Discard Packets when the specified attack is detected: Select this option to discard detected attack packets.
Enable Fraggle Attack Detection: Enable or disable detection of Fraggle attacks.
Enable Land Attack Detection: Enable or disable detection of Land attacks.
Enable WinNuke Attack Detection: Enable or disable detection of WinNuke attacks.
Enable TCP Flag Attack Detection: Enable or disable detection of TCP flag attacks.
Enable ICMP Unreachable Packet Attack Detection: Enable or disable detection of ICMP unreachable attacks.
Enable ICMP Redirect Packet Attack Detection: Enable or disable detection of ICMP redirect attacks.
Enable Tracert Packet Attack Detection: Enable or disable detection of Tracert attacks.
Enable Smurf Attack Detection: Enable or disable detection of Smurf attacks.
Enable IP Packet Carrying Source Route Attack Detection: Enable or disable detection of source route attacks.
Enable Route Record Option Attack Detection: Enable or disable detection of route record attacks.
Enable Large ICMP Packet Attack Detection, Max Packet Length: Enable detection of large ICMP attacks and set the packet length limit, or disable detection of such attacks.
Packet inspection configuration example
Network requirements
As shown in Figure 9, the internal network is the trusted zone and the external network is the untrusted
zone.
Configure Firewall to protect the trusted zone against Land attacks and Smurf attacks from the untrusted
zone.
Figure 9 Network diagram
Configuration procedure
# Assign IP addresses to interfaces. (Details not shown)
# Enable Land attack detection and Smurf attack detection for the untrusted zone.
From the navigation tree, select Intrusion Detection > Packet Inspection. The packet inspection
configuration page appears, as shown in Figure 10.
Figure 10 Enable Land and Smurf attack detection for the untrusted zone
Perform the following operations on the page:
1. Select Untrust from the Zone list.
2. Select Discard Packets when the specified attack is detected.
3. Select Enable Land Attack Detection.
4. Select Enable Smurf Attack Detection.
5. Click Apply to complete the configuration.
Verifying the configuration
Check that Firewall can detect Land and Smurf attacks from the untrusted zone, output alarm logs
accordingly, and drop the attack packets. You can select Intrusion Detection > Statistics from the
navigation tree to view the counts of Land and Smurf attacks and the counts of dropped attack packets.
Traffic abnormality detection configuration
NOTE:
The traffic abnormality detection configuration is available only in the web interface.
Traffic abnormality detection overview
The traffic abnormality detection feature analyzes the characteristics of traffic to detect abnormal traffic
and take countermeasures accordingly. Supported countermeasures include outputting alarm logs,
dropping packets, and blacklisting the source of the packets.
This feature contains the following functions:
• Flood detection
• Connection limit
• Scanning detection
Flood detection
A flood attack occurs when large amounts of fake packets are sent to a target system in a short period
of time. A flood attack depletes the resources of the target system, making the system unable to provide
services normally.
The firewall can protect against the following categories of attacks:
• ICMP flood attacks, which overwhelm the target with large amounts of ICMP echo requests, such as ping packets.
• UDP flood attacks, which flood the target system with a barrage of UDP packets.
• DNS flood attacks, which overwhelm the target with large amounts of DNS query requests.
• SYN flood attacks, which exploit TCP SYN packets. Due to resource limitation, the number of TCP connections that can be created on the firewall is limited. A SYN flood attacker sends a barrage of spurious SYN packets with forged source IP addresses to a victim to initiate TCP connections. As the SYN_ACK packets that the victim sends in response can never get acknowledgments, large amounts of half-open connections are created and retained on the victim, making the victim inaccessible until the number of half-open connections drops to a reasonable level due to timeout of half-open connections. In this way, a SYN flood attack exhausts system resources such as memory on a system whose implementation does not limit creation of connections.
Flood detection mainly protects servers against flood attacks. It detects flood attacks by tracking the
connection rates at which certain types of connection establishment requests are initiated to a server.
Usually, flood detection is deployed on the firewall for an internal security zone and takes effect for
packets entering the security zone when an attack prevention policy is configured for the security zone.
After you configure flood detection (except for DNS flood detection) for the firewall, the firewall enters the
attack detection state and starts to track the sending rates of packets destined for certain servers. If the
sending rate of a certain type of packets destined for a server constantly reaches or exceeds the
protection action threshold, the firewall considers the server to be under attack, transitions to the attack
protection state, logs the event, and takes the configured attack protection actions. Later, if the sending
rate drops below the silent threshold, the firewall considers the attack over, returns to the attack
detection state, and stops the attack protection actions.
DNS flood detection is different from other types of flood detection in that it uses only one threshold, the
action threshold. Upon detecting that the sending rate of DNS query requests destined for a server
constantly reaches or exceeds the action threshold, the firewall drops all extra packets and logs the event.
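The two-state flood detection just described (action threshold to enter attack protection, silent threshold to leave it) together with the single-threshold DNS case, as an added Python model. This is not firewall code; the one-second sampling window, the per-packet arrival format and the threshold values used in the comments are assumptions.

```python
"""Flood-detection state machine from the overview (added illustration)."""
from typing import List, Optional

DETECTION, PROTECTION = "attack detection", "attack protection"


class FloodDetector:
    """Tracks the per-second rate of one packet type destined for one server.

    ICMP, UDP and SYN flood rules use an action threshold and a silent threshold;
    a DNS flood rule has only the action threshold and drops the packets that
    exceed it within the current second.
    """

    def __init__(self, kind: str, action_threshold: int,
                 silent_threshold: Optional[int] = None, discard: bool = True):
        self.kind = kind                      # "icmp", "udp", "syn" or "dns"
        self.action = action_threshold        # packets per second
        self.silent = silent_threshold        # packets per second; None for dns
        self.discard = discard                # "Discard packets" option of the policy
        self.state = DETECTION
        self.window: Optional[int] = None     # the second currently being counted
        self.count = 0
        self.log: List[str] = []

    def _roll_window(self, now: float) -> None:
        """Close every completed one-second window between the last packet and now."""
        sec = int(now)
        if self.window is None:
            self.window = sec
        while self.window < sec:
            # A completed second below the silent threshold ends the attack.
            if self.state == PROTECTION and self.count < self.silent:
                self.state = DETECTION
                self.log.append(f"{self.kind} flood ended at second {self.window}")
            self.window += 1
            self.count = 0

    def observe(self, now: float) -> str:
        """Account for one packet arriving at time now; return 'forward' or 'drop'."""
        self._roll_window(now)
        self.count += 1
        if self.kind == "dns":
            # Only the action threshold exists: extra packets in this second are dropped.
            if self.count > self.action:
                if self.count == self.action + 1:
                    self.log.append(f"dns flood at second {self.window}")
                return "drop"
            return "forward"
        if self.state == DETECTION and self.count >= self.action:
            self.state = PROTECTION
            self.log.append(f"{self.kind} flood detected at second {self.window}")
        if self.state == PROTECTION and self.discard:
            return "drop"
        return "forward"     # detection state, or protection state without discard
```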
Connection limit
When an internal user initiates a large number of connections to a host on the external network in a short
period of time, system resources on the firewall will be used up soon. This will make the firewall unable
to service other users. In addition, if an internal server receives large quantities of connection requests in
a short period of time, the server will not be able to process normal connection requests from other hosts.
To protect internal network resources (including hosts and servers) and distribute resources of the firewall
reasonably, you can set connection limits based on source or destination IP addresses for security zones.
When a limit based on source or destination IP address is reached or exceeded, the firewall will output
an alarm log and discard subsequent connection requests from or to the IP address.
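A per-zone model of these connection limits, added here as an example and not taken from the guide or the product: connections are counted per source IP and per destination IP for the zone a request enters, a request that finds the count already at the limit raises an alarm and (if the discard option is on) is refused, and closing a connection frees its slot. The limits reuse the figures of the configuration example later in this chapter (100 per source in Trust, 10000 per destination in DMZ); the zone names, addresses and the statistics layout are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ConnectionLimiter:
    """Constructed model of the Connection Limit page: one optional per-source and one optional
    per-destination limit for each security zone, plus the counters the Statistics page reports."""
    per_source: dict = field(default_factory=dict)       # zone -> max connections present per source IP
    per_dest: dict = field(default_factory=dict)         # zone -> max connections present per destination IP
    discard: bool = True                                 # "Discard packets when the specified attack is detected"
    open_by_src: Counter = field(default_factory=Counter)   # (zone, src ip) -> connections currently open
    open_by_dst: Counter = field(default_factory=Counter)   # (zone, dst ip) -> connections currently open
    exceeded: Counter = field(default_factory=Counter)      # (zone, limit kind) -> times the limit was hit
    dropped: int = 0
    alarms: list = field(default_factory=list)

    def request(self, zone, src, dst):
        """A new connection request enters `zone`. Returns True if the connection is admitted."""
        hit = []
        src_limit = self.per_source.get(zone)
        if src_limit is not None and self.open_by_src[(zone, src)] >= src_limit:
            hit.append(("per source IP", src))
        dst_limit = self.per_dest.get(zone)
        if dst_limit is not None and self.open_by_dst[(zone, dst)] >= dst_limit:
            hit.append(("per destination IP", dst))
        if hit:
            for kind, ip in hit:
                self.exceeded[(zone, kind)] += 1
                self.alarms.append(f"zone {zone}: connection limit {kind} reached for {ip}")
            if self.discard:
                self.dropped += 1          # subsequent requests from/to the IP are discarded
                return False
        self.open_by_src[(zone, src)] += 1
        self.open_by_dst[(zone, dst)] += 1
        return True

    def close(self, zone, src, dst):
        """The connection ends; release the slot it held for its source and destination."""
        self.open_by_src[(zone, src)] -= 1
        self.open_by_dst[(zone, dst)] -= 1


if __name__ == "__main__":
    limiter = ConnectionLimiter(per_source={"Trust": 100}, per_dest={"DMZ": 10000})
    # Constructed traffic: one internal host opens 101 connections through zone Trust.
    results = [limiter.request("Trust", "192.168.1.10", "203.0.113.5") for _ in range(101)]
    print("admitted:", sum(results), "dropped:", limiter.dropped)
    print(limiter.alarms)
```

The check is made before the new connection is counted, so with a limit of 100 exactly 100 connections may be present and the 101st is the first one refused; that matches the verification step of the configuration example, where a host that initiates 100 or more connections triggers the alarm and later requests are dropped.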
Scanning detection
A scanning attack probes the addresses and ports on a network to identify the hosts attached to the
network and application ports available on the hosts and to figure out the topology of the network, so as
to get ready for further attacks.
Scanning detection detects scanning attempts by tracking the rates at which connections are initiated to
protected systems. Usually, it is deployed on the firewall for the external security zone and takes effect for
packets from the security zone.
If detecting that a connection rate of an IP address has reached or exceeded the threshold, the firewall
outputs an attack alarm log, blocks the subsequent connection requests from the IP address, and
blacklists the IP address, depending on your configuration.
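A model of scanning detection for one zone, added here as an example that is not part of the guide or the product: it counts connection requests per source IP per second, raises an alarm when the count reaches the scanning threshold, and, only when the blacklist feature and the "Add a source IP to the blacklist" option are both on, blacklists the source for the configured lifetime. It also models the note in the configuration section below that a manually removed entry is not re-added for a period of time; the length of that period (readd_hold_seconds), the threshold of 5 and the addresses are assumptions for the example (the configuration example in this chapter uses 4500 connections per second).

```python
from dataclasses import dataclass, field


@dataclass
class ScanDetector:
    """Constructed model of scanning detection for a security zone."""
    scanning_threshold: int                    # connection requests per second per source IP
    blacklist_enabled: bool = True             # global blacklist feature (Intrusion Detection > Blacklist)
    add_to_blacklist: bool = True              # "Add a source IP to the blacklist"
    lifetime_minutes: int = 10                 # Lifetime of an automatically added entry (constructed)
    readd_hold_seconds: int = 60               # assumed length of the no-re-add period after manual removal
    blacklist: dict = field(default_factory=dict)   # source ip -> expiry time (seconds)
    hold: dict = field(default_factory=dict)        # source ip -> time until which it is not re-added
    window: dict = field(default_factory=dict)      # source ip -> (second, requests seen in that second)
    alarms: list = field(default_factory=list)

    def is_blacklisted(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[ip]             # entry aged out
            return False
        return True

    def remove(self, ip, now):
        """An operator removes a blacklist entry; the detector will not re-add it for a while,
        because later packets are assumed to belong to the same scan."""
        self.blacklist.pop(ip, None)
        self.hold[ip] = now + self.readd_hold_seconds

    def connection(self, src, now):
        """A connection request from `src` at time `now` (seconds). Returns 'forward' or 'drop'."""
        if self.is_blacklisted(src, now):
            return "drop"                      # blocked for as long as the blacklist entry lives
        second = int(now)
        last_second, count = self.window.get(src, (second, 0))
        count = count + 1 if last_second == second else 1
        self.window[src] = (second, count)
        if count >= self.scanning_threshold:
            if count == self.scanning_threshold:
                self.alarms.append(f"{src}: {count} connection requests/s reached threshold {self.scanning_threshold}")
            if self.blacklist_enabled and self.add_to_blacklist and now >= self.hold.get(src, 0):
                self.blacklist[src] = now + self.lifetime_minutes * 60
                return "drop"
        return "forward"                       # without a blacklist entry the firewall only alarms


if __name__ == "__main__":
    det = ScanDetector(scanning_threshold=5)
    # Constructed input: one source opens six connections within the same second.
    for i in range(6):
        print(det.connection("203.0.113.7", 100.0 + i * 0.01))
    print(det.alarms, det.blacklist)
```

Without the blacklist feature the detector still produces the alarm log but never returns "drop", which is the situation the IMPORTANT note in the scanning detection table describes.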
Configuring traffic abnormality detection
Complete the following tasks to configure traffic abnormality detection:
1. Configuring ICMP flood detection
2. Configuring UDP flood detection
3. Configuring DNS flood detection
4. Configuring SYN flood detection
5. Configuring connection limit
6. Configuring scanning detection
Configuring ICMP flood detection
NOTE:
ICMP flood detection is mainly intended to protect servers and is usually configured for an internal zone.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood to enter the ICMP
flood detection configuration page, as shown in Figure 11. You can select a security zone and then view
and configure ICMP flood detection rules for the security zone.
Figure 11 ICMP flood detection configuration page
To configure ICMP flood detection, follow these steps:
1. In the Attack Prevention Policy area, specify the protection action to be taken upon detection of an
ICMP flood attack. If you do not select the Discard packets when the specified attack is detected
option, the firewall only collects ICMP flood attack statistics.
2. In the ICMP Flood Configuration area, view the configured ICMP flood detection rules, or click Add
to enter the page shown in Figure 12 to configure an ICMP flood detection rule. Table 6 describes
the configuration items.
Figure 12 Add an ICMP flood detection rule
Table 6 Configuration items
Protected Host Configuration
  IP Address: Specify the IP address of the protected host.
  Action Threshold: Set the protection action threshold for ICMP flood attacks that target the
  protected host. If the sending rate of ICMP packets destined for the specified IP address
  constantly reaches or exceeds this threshold, the firewall enters the attack protection state
  and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against ICMP flood attacks
  targeting the protected host. If the sending rate of ICMP packets destined for the specified IP
  address drops below this threshold, the firewall returns to the attack detection state and
  stops the protection actions.
Global Configuration of Security Zone
  Action Threshold: Set the protection action threshold for ICMP flood attacks that target a host
  in the protected security zone. If the sending rate of ICMP packets destined for a host in the
  security zone constantly reaches or exceeds this threshold, the firewall enters the attack
  protection state and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against ICMP flood attacks
  targeting a host in the protected security zone. If the sending rate of ICMP packets destined
  for a host in the security zone drops below this threshold, the firewall returns to the attack
  detection state and stops the protection actions.
NOTE:
Host-specific settings take precedence over the global settings for security zones.
Configuring UDP flood detection
NOTE:
UDP flood detection is mainly intended to protect servers and is usually configured for an internal zone.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > UDP Flood to enter the UDP
flood detection configuration page, as shown in Figure 13. You can select a security zone and then view
and configure UDP flood detection rules for the security zone.
Figure 13 UDP flood detection configuration page
To configure UDP flood detection, follow these steps:
1. In the Attack Prevention Policy area, specify the protection action to be taken upon detection of a
UDP flood attack. If you do not select the Discard packets when the specified attack is detected
option, the firewall only collects UDP flood attack statistics.
2. In the UDP Flood Configuration area, view the configured UDP flood detection rules, or click Add
to enter the page shown in Figure 14 to configure a UDP flood detection rule. Table 7 describes
the configuration items.
Figure 14 Add a UDP flood detection rule
Table 7 Configuration items
Protected Host Configuration
  IP Address: Specify the IP address of the protected host.
  Action Threshold: Set the protection action threshold for UDP flood attacks that target the
  protected host. If the sending rate of UDP packets destined for the specified IP address
  constantly reaches or exceeds this threshold, the firewall enters the attack protection state
  and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against UDP flood attacks
  targeting the protected host. If the sending rate of UDP packets destined for the specified IP
  address drops below this threshold, the firewall returns to the attack detection state and
  stops the protection actions.
Global Configuration of Security Zone
  Action Threshold: Set the protection action threshold for UDP flood attacks that target a host
  in the protected security zone. If the sending rate of UDP packets destined for a host in the
  security zone constantly reaches or exceeds this threshold, the firewall enters the attack
  protection state and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against UDP flood attacks
  targeting a host in the protected security zone. If the sending rate of UDP packets destined
  for a host in the security zone drops below this threshold, the firewall returns to the attack
  detection state and stops the protection actions.
NOTE:
Host-specific settings take precedence over the global settings for security zones.
Configuring DNS flood detection
NOTE:
DNS flood detection is mainly intended to protect servers and is usually configured for an internal zone.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > DNS Flood to enter the DNS
flood detection configuration page, as shown in Figure 15. You can select a security zone and then view
and configure DNS flood detection rules for the security zone.
Figure 15 DNS flood detection configuration page
To configure DNS flood detection, follow these steps:
1. In the DNS Flood Attack Prevention Policy area, select Enable DNS Flood Attack Detection. The
firewall will collect DNS flood attack statistics, and output logs upon detecting DNS flood attacks.
2. In the DNS Flood Configuration area, view the configured DNS flood detection rules, or click Add
to enter the page shown in Figure 16 to configure a DNS flood detection rule. Table 8 describes
the configuration items.
Figure 16 Add a DNS flood detection rule
Table 8 Configuration items
Protected Host Configuration
  IP Address: Specify the IP address of the protected host.
  Action Threshold: Set the protection action threshold for DNS flood attacks that target the
  protected host. If the sending rate of DNS query requests destined for the specified IP address
  constantly reaches or exceeds this threshold, the firewall drops all extra requests and logs the
  event.
Global Configuration of Security Zone
  Action Threshold: Set the protection action threshold for DNS flood attacks that target a host
  in the protected security zone. If the sending rate of DNS query requests destined for a host in
  the security zone constantly reaches or exceeds this threshold, the firewall drops all extra
  requests and logs the event.
NOTE:
Host-specific settings take precedence over the global settings for security zones.
Configuring SYN flood detection
NOTE:
SYN flood detection is mainly intended to protect servers and is usually configured for an internal zone.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood to enter the SYN
flood detection configuration page, as shown in Figure 17. You can select a security zone and then view
and configure SYN flood detection rules for the security zone.
Figure 17 SYN flood detection configuration page
To configure SYN flood detection, follow these steps:
1. In the Attack Prevention Policy area, specify the protection actions to be taken upon detection of a
SYN flood attack. If you do not select any option, the firewall only collects SYN flood attack
statistics. The available protection actions include:
• Discard packets when the specified attack is detected. If detecting that a protected object in the
security zone is under SYN flood attack, the firewall drops the TCP connection requests to the
protected host to block subsequent TCP connections.
• Add protected IP entry to TCP Proxy. If detecting that a protected object in the security zone is under
SYN flood attack, the firewall adds the target IP address to the protected IP list on the TCP proxy as
a dynamic one, setting the port number as any. If TCP proxy is configured for the security zone, all
TCP connection requests to the IP address will be processed by the TCP proxy until the protected IP
entry gets aged out. If you select this option, configure the TCP proxy feature on the page you can
enter after selecting Intrusion Detection > TCP Proxy.
2. In the SYN Flood Configuration area, view the configured SYN flood detection rules, or click Add
to enter the page shown in Figure 18 to configure a SYN flood detection rule. Table 9 describes
the configuration items.
Figure 18 Add a SYN flood detection rule
Table 9 Configuration items
Protected Host Configuration
  IP Address: Specify the IP address of the protected host.
  Action Threshold: Set the protection action threshold for SYN flood attacks that target the
  protected host. If the sending rate of SYN packets destined for the specified IP address
  constantly reaches or exceeds this threshold, the firewall enters the attack protection state
  and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against SYN flood attacks
  targeting the protected host. If the sending rate of SYN packets destined for the specified IP
  address drops below this threshold, the firewall returns to the attack detection state and
  stops the protection actions.
Global Configuration of Security Zone
  Action Threshold: Set the protection action threshold for SYN flood attacks that target a host
  in the protected security zone. If the sending rate of SYN packets destined for a host in the
  security zone constantly reaches or exceeds this threshold, the firewall enters the attack
  protection state and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against SYN flood attacks
  targeting a host in the protected security zone. If the sending rate of SYN packets destined
  for a host in the security zone drops below this threshold, the firewall returns to the attack
  detection state and stops the protection actions.
NOTE:
Host-specific settings take precedence over the global settings for security zones.
Configuring connection limit
From the navigation tree, select Intrusion Detection > Traffic Abnormality > Connection Limit to enter the
connection limit configuration page, as shown in Figure 19. You can select a security zone and then view
and configure the connection limit for the security zone. Table 10 describes the connection limit
configuration items.
Figure 19 Connection limit configuration page
Table 10 Configuration items
Security Zone: Select a security zone to perform connection limit configuration for it.
Discard packets when the specified attack is detected: Select this option to discard subsequent
packets destined for or sourced from an IP address when the number of connections for that IP
address has exceeded the limit.
Enable connection limit per source IP / Threshold: Select the option to set the maximum number of
connections that can be present for a source IP address.
Enable connection limit per dest IP / Threshold: Select the option to set the maximum number of
connections that can be present for a destination IP address.
Configuring scanning detection
NOTE:
• Scanning detection is intended to detect scanning behaviors and is usually configured for an external
zone.
• Scanning detection can be configured to add blacklist entries automatically. If you remove such a
blacklist entry, the system will not add the entry back to the blacklist during a period of time. This is
because the system considers that the subsequent packets are from the same attack.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection to enter
the scanning detection configuration page, as shown in Figure 20. You can select a security zone and
then view and configure the scanning detection rule for the security zone. Table 11 lists the scanning
detection configuration items.
Figure 20 Scanning detection configuration page
Table 11 Scanning detection configuration items
Security Zone: Select a security zone to perform scanning detection configuration for it.
Enable Scanning Detection: Select this option to enable scanning detection for the security zone.
Scanning Threshold: Set the maximum connection rate for a source IP address.
Add a source IP to the blacklist: Select this option to allow the system to blacklist a suspicious
source IP address. If this option is selected, you can then set the lifetime of the blacklisted
source IP addresses.
IMPORTANT:
Only when the blacklist feature is enabled can the scanning detection function blacklist a suspect
and discard subsequent packets from the suspect.
Lifetime: Set the lifetime of the blacklist entry.
Traffic abnormality detection configuration example
Network requirements
As shown in Figure 21, the internal network is the trusted zone, the subnet where the internal servers are
located is the demilitarized zone (DMZ), and the external network is the untrusted zone.
Configure Firewall to:
• Protect the internal network against scanning attacks from the external network.
• Limit the number of connections initiated by each internal host.
• Limit the number of connections to the internal server.
• Protect the internal server against SYN flood attacks from the external network.
Figure 21 Network diagram
(Diagram summary: Firewall interface GE0/3, 192.168.1.1/24, connects zone Trust with Host A and
Host B; GE0/1, 10.1.1.1/24, connects zone DMZ with the Server at 10.1.1.2/24; GE0/2, 202.1.0.1/16,
connects the Internet in zone Untrust, where Host C is located.)
Configuration considerations
To satisfy the requirements, perform the following configurations on the Firewall:
• Configure scanning detection for the untrusted zone, enable the function to add entries to the
blacklist, and set the scanning threshold to, for example, 4500 connections per second.
• Configure source IP address-based connection limit for the trusted zone, and set the number of
connections each host can initiate to, for example, 100.
• Configure destination IP address-based connection limit for the DMZ, and set the number of
connections the server can accommodate to, for example, 10000.
• Configure SYN flood detection for the DMZ, and set the action threshold for attacks targeting the
internal server (for example, to 5000 packets per second) and the silent threshold (for example, to
1000 packets per second). Set the attack protection action to blocking subsequent packets destined
for the server.
Configuration procedure
# Assign IP addresses to interfaces. (Details not shown)
# Enable the blacklist feature.
From the navigation tree, select Intrusion Detection > Blacklist. The blacklist management page appears,
as shown in Figure 22.
Figure 22 Enable the blacklist feature
Perform the following operations on the page:
• In the Global Configuration area, select the Enable Blacklist option.
• Click Apply.
# Configure scanning detection for the untrusted zone.
From the navigation tree, select Intrusion Detection > Traffic abnormality > Scanning Detection. The
scanning detection configuration page appears, as shown in Figure 23.
Figure 23 Configure scanning detection for the untrusted zone
Perform the following operations on the page:
• Select zone Untrust.
• Select the Enable Scanning Detection option.
• Set the scanning threshold to 4500 connections per second.
• Select the Add the source IP to the blacklist option.
• Click Apply.
# Configure connection limits for the trusted zone.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > Connection Limit. The
connection limit configuration page appears, as shown in Figure 24.
Figure 24 Configure connection limit for the trusted zone
Perform the following operations on the page:
• Select zone Trust.
• Select the Discard packets when the specified attack is detected option.
• Select the Enable connection limit per source IP option and set the threshold to 100.
• Click Apply.
# Configure connection limits for the DMZ as shown in Figure 25.
Figure 25 Configure connection limit for the DMZ
Perform the following operations on the page:
• Select zone DMZ.
• Select the Discard packets when the specified attack is detected option.
• Select the Enable connection limit per dest IP option and set the threshold to 10000.
• Click Apply.
# Configure SYN flood detection for the DMZ.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood. The SYN flood
detection configuration page appears.
Figure 26 Configure SYN flood detection for the DMZ
Perform the following operations on the page:
• Select zone DMZ.
• In the Attack Prevention Policy area, select the Discard packets when the specified attack is
detected option.
• Click Apply.
• In the SYN Flood Configuration area, click Add. The SYN flood attack detection page appears.
Figure 27 Configure a SYN flood attack detection rule for the server
Perform the following operations on the page:
• Select the Protected Host Configuration option.
• Specify the IP address as 10.1.1.2.
• Set the action threshold to 5000 packets per second.
• Set the silent threshold to 1000 packets per second.
• Click Apply to complete the configuration.
Verifying the configuration
To verify the configuration:
• After a scanning attack packet is received from zone Untrust, Firewall should output alarm logs and
add the IP address of the attacker to the blacklist. You can select Intrusion Detection > Blacklist from
the navigation tree to view whether the attacker's IP address is on the blacklist.
• If a host in zone Trust initiates 100 or more connections, Firewall should output alarm logs and
discard subsequent connection request packets from the host. You can select Intrusion Detection >
Statistics from the navigation tree to view how many times a connection limit per source IP
address has been exceeded and the number of packets dropped.
• If the number of connections to the server in the DMZ reaches or exceeds 10000, Firewall should
output alarm logs and discard subsequent connection request packets. You can select Intrusion
Detection > Statistics from the navigation tree to view how many times a connection limit per
destination IP address has been exceeded and the number of packets dropped.
• If a SYN flood attack is initiated to the DMZ, Firewall should output alarm logs and discard the
attack packets. You can select Intrusion Detection > Statistics from the navigation tree to view the
number of SYN flood attacks and the number of packets dropped.
URPF configuration
NOTE:
URPF configuration is available only in the web interface.
URPF overview
What is URPF
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks.
Attackers launch such attacks by sending a large number of packets with forged source addresses. For
applications using IP-address-based authentication, this type of attacks allows unauthorized users to
access the system in the name of authorized users, or even access the system as the administrator. Even
if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 28 Attack based on source address spoofing
As shown in Figure 28, Device A sends a request with a forged source IP address of 2.2.2.1/8 to the
server (Device B), and Device B sends a packet to Device C at 2.2.2.1/8 in response to the request.
Consequently, this packet affects the communication between Device B and Device C.
URPF can prevent source address spoofing attacks.
How URPF works
URPF provides two check modes: strict and loose. In addition, it supports ACL check, link layer check,
and default route check.
URPF works as follows:
1. First, URPF checks the source address validity, and then:
• Discards packets with a broadcast source address.
• Discards packets with an all-zero source address but a non-broadcast destination address. (A
packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP
or BOOTP packet, and thus is not discarded.)
2. If the source address of an incoming packet is found in the FIB table:
• In strict approach, URPF does a reverse route lookup for routes to the source address of the packet.
If at least one outgoing interface of such a route matches the receiving interface, the packet passes
the check. Otherwise, the packet is rejected.
• In loose approach, the packet passes the check.
3. If the source address is not found in the FIB table, URPF makes a decision based on the default
route and the allow-default-route option.
• If the default route is available but the allow-default-route option is not selected, the packet is
rejected no matter which check approach is taken.
• If the default route is available and the allow-default-route option is selected, URPF operates
depending on the check approach. In strict approach, URPF lets the packet pass if the outgoing
interface of the default route is the receiving interface, and otherwise rejects it. In loose approach,
URPF lets the packet pass directly.
4. A rejected packet will be filtered by an ACL, if specified. If the packet is permitted by the ACL, it
is forwarded as normal (such packets are displayed in the URPF information as "suppressed
drops"); otherwise, it is discarded.
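The four steps above carried through in code, as an added example that is not part of the guide or the product: a Python URPF check with strict and loose modes, the allow-default-route option and an ACL whose permits turn a rejection into a "suppressed drop". Two points the guide does not spell out are treated as assumptions here: a 0.0.0.0 to 255.255.255.255 packet passes the check directly, and a source with no matching route and no default route is rejected. The FIB, interface names and addresses are constructed; the ACL permits 10.1.1.0/24 like ACL 2010 in the configuration example below.

```python
import ipaddress

BROADCAST = ipaddress.ip_address("255.255.255.255")
ALL_ZERO = ipaddress.ip_address("0.0.0.0")


class URPF:
    """Constructed model of the URPF check. `fib` maps prefixes to the list of outgoing
    interfaces (a 0.0.0.0/0 entry is the default route); `acl` lists the prefixes a
    rejected packet may match to be forwarded anyway (counted as suppressed drops)."""

    def __init__(self, fib, mode="strict", allow_default_route=False, acl=()):
        assert mode in ("strict", "loose")
        self.mode = mode
        self.allow_default = allow_default_route
        self.default = None
        self.routes = []
        for prefix, ifaces in fib.items():
            net = ipaddress.ip_network(prefix)
            if net.prefixlen == 0:
                self.default = list(ifaces)
            else:
                self.routes.append((net, list(ifaces)))
        self.acl = [ipaddress.ip_network(p) for p in acl]
        self.stats = {"pass": 0, "drop": 0, "suppressed drop": 0}

    def reverse_lookup(self, src):
        """Longest-prefix match of the source address against the non-default routes."""
        best = None
        for net, ifaces in self.routes:
            if src in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifaces)
        return None if best is None else best[1]

    def _decide(self, src, dst, in_iface):
        # Step 1: source address validity
        if src == BROADCAST:
            return False, "broadcast source address"
        if src == ALL_ZERO:
            # 0.0.0.0 -> 255.255.255.255 may be DHCP/BOOTP; assumed to pass directly here
            return dst == BROADCAST, "all-zero source address"
        # Step 2: source found in the FIB
        ifaces = self.reverse_lookup(src)
        if ifaces is not None:
            if self.mode == "loose" or in_iface in ifaces:
                return True, "FIB match"
            return False, "strict: receiving interface is not an outgoing interface of the route"
        # Step 3: not in the FIB, decide on the default route and the allow-default-route option
        if self.default is None:
            return False, "no route to source (assumed reject)"
        if not self.allow_default:
            return False, "default route not allowed"
        if self.mode == "loose" or in_iface in self.default:
            return True, "default route"
        return False, "strict: default route does not point at the receiving interface"

    def check(self, src, dst, in_iface):
        """Returns (verdict, reason); verdict is 'pass', 'drop' or 'suppressed drop'."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ok, reason = self._decide(src_ip, dst_ip, in_iface)
        if ok:
            verdict = "pass"
        elif any(src_ip in net for net in self.acl):
            verdict = "suppressed drop"        # Step 4: rejected by URPF, permitted by the ACL
        else:
            verdict = "drop"
        self.stats[verdict] += 1
        return verdict, reason


if __name__ == "__main__":
    # Constructed FIB: two connected networks and a default route out of GE0/3.
    fib = {"10.1.1.0/24": ["GE0/1"], "192.168.1.0/24": ["GE0/2"], "0.0.0.0/0": ["GE0/3"]}
    urpf = URPF(fib, mode="strict", allow_default_route=False, acl=["10.1.1.0/24"])
    for src, dst, iface in [("10.1.1.5", "192.168.1.7", "GE0/1"), ("10.1.1.5", "192.168.1.7", "GE0/2"),
                            ("192.168.1.9", "10.1.1.1", "GE0/1"), ("203.0.113.9", "10.1.1.1", "GE0/3")]:
        print(src, iface, urpf.check(src, dst, iface))
    print(urpf.stats)
```

The second constructed packet shows the ACL's effect: 10.1.1.5 arriving on GE0/2 fails the strict check, but because the ACL permits 10.1.1.0/24 it is forwarded and counted as a suppressed drop instead of being discarded.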
Configuring URPF
Select Intrusion Detection > URPF Check from the navigation tree to enter the URPF check configuration
page, as shown in Figure 29. On this page, select a security zone to view and configure URPF check
settings for the security zone.
Figure 29 URPF check configuration page
Table 12 Configuration items
Security Zone: Security zone where the URPF check is to be configured. URPF configuration takes
effect on all the interfaces in the security zone.
IMPORTANT:
URPF configuration takes effect only on the packets received by the interfaces in the security
zone.
Enable URPF: Enable/disable URPF check. If this box is not selected, URPF check is disabled and the
following parameters are not configurable. By default, URPF check is disabled.
Allow Default Route: Allow using the default route for URPF check.
ACL: Reference an ACL.
Type of Check: Set the URPF check type, Strict or Loose.
URPF configuration example
CAUTION:
In this configuration example, either Device A or Device B is the firewall.
Network requirements
As shown in Figure 30, Device A directly connects to Device B. Enable strict URPF check in zoneB of
Device B to allow packets whose source addresses match ACL 2010 to pass. Enable strict URPF check in
zoneA of Device A to allow use of the default route for URPF check.
Figure 30 Network diagram
Configuring Device B
# Configure the interface IP addresses and security zones they belong to. (Details not shown)
# Define ACL 2010 to permit traffic from network 10.1.1.0/24 to pass.
• Select Firewall > ACL from the navigation tree, click Add, and then perform the following operations,
as shown in Figure 31.
Figure 31 Define ACL 2010
• Enter 2010 in ACL Number.
• Select Config for Match Order.
• Click Apply.
• On the ACL list page, click the icon corresponding to ACL 2010, click Add, and then perform the
following operations, as shown in Figure 32.
Figure 32 Configure ACL 2010
• Select Permit in Operation.
• Select Source IP Address and enter 10.1.1.0 in the field.
• Enter 0.0.0.255 in Source Wildcard.
• Click Apply.
# Enable strict URPF check in zoneB.
• Select Intrusion Detection > URPF Check from the navigation tree and perform the following
operations, as shown in Figure 33.
Figure 33 Configure URPF in zoneB
• Select zoneB in Security Zone.
• Select Enable URPF.
• Select ACL and enter 2010 in the field.
• Select Strict in Type of Check.
• Click Apply.
Configuring Device A
# Configure the interface IP addresses and security zones they belong to. (Details not shown)
# Enable strict URPF check in zoneA.
• Select Intrusion Detection > URPF Check from the navigation tree and perform the following
operations, as shown in Figure 34.
Figure 34 Configure URPF on zoneA
• Select zoneA in Security Zone.
• Select Enable URPF.
• Select Allow Default Route.
• Select Strict in Type of Check.
• Click Apply.
TCP proxy configuration
NOTE:
The TCP proxy configuration is available only in the web interface.
Overview
SYN flood attack
As a general rule, the establishment of a TCP connection is a three-way handshake:
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server establishes a TCP connection in the
SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3. After receiving the SYN ACK message, the originator returns an ACK message. The TCP
connection is established.
Attackers may exploit the TCP connection establishment to mount SYN flood attacks. Attackers send a
large number of SYN messages to the server to establish TCP connections, but they never make any
response to SYN ACK messages. As a result, a large amount of incomplete TCP connections are
established, making the server unable to handle services normally.
TCP proxy
The TCP proxy feature can protect the server from SYN flood attacks. The TCP client sets up a TCP
connection with the TCP server through a TCP proxy. The TCP proxy intercepts SYN requests from the TCP
clients and verifies whether the requests are SYN flood attack packets. If so, the TCP proxy drops the
requests, protecting the TCP server against SYN flood attacks.
TCP proxy can work in two modes:
• Unidirectional proxy: Only processes packets from the TCP client.
• Bidirectional proxy: Processes packets from both the TCP client and TCP server.
You can choose a proper mode according to your network scenario. For example, if packets from TCP
clients to a server go through the TCP proxy but packets from the server to clients do not, as shown in
Figure 35, configure unidirectional proxy. If all packets between TCP clients and a server go through the
TCP proxy, as shown in Figure 36, you can configure unidirectional proxy or bidirectional proxy as
desired.
Figure 35 Network diagram for unidirectional proxy
Figure 36 Network diagram for unidirectional/bidirectional proxy
How TCP proxy works
Unidirectional proxy
Figure 37 Data exchange process in unidirectional proxy mode
Participants: TCP client, TCP proxy, TCP server
1) SYN (client to proxy)
2) SYN ACK (invalid sequence number; proxy to client, on behalf of the server)
3) RST (client to proxy)
4) SYN (retransmitting; client to proxy)
5) SYN (forwarding; proxy to server)
6) SYN ACK (server to client)
7) ACK (client to proxy)
8) ACK (forwarding; proxy to server)
After receiving a SYN message from a client to the protected server (such a message matches a protected
IP address entry), the TCP proxy sends back a SYN ACK message with a wrong sequence number on
behalf of the server, that is, using the IP address and port number of the server. If the client is legitimate,
the TCP proxy will receive an RST message, and will receive a SYN message again from the client. The
TCP proxy then directly forwards the SYN, SYN ACK, and ACK messages to establish a TCP connection
between the client and the server.
After the TCP connection is established, the TCP proxy forwards the subsequent packets of the connection
without additional processing.
Bidirectional proxy
Figure 38 Data exchange process in bidirectional proxy mode
Participants: TCP client, TCP proxy, TCP server
1) SYN (client to proxy)
2) SYN ACK (win=0; proxy to client, on behalf of the server)
3) ACK (client to proxy)
4) SYN (proxy to server)
5) SYN ACK (win=n; server to proxy)
6) ACK (proxy to server)
7) ACK (win=n; proxy to client)
After receiving a SYN message from a client to the protected server (such a message matches a protected
IP address entry), the TCP proxy sends back a SYN ACK message with the window size being 0 on
behalf of the server. If the client is legitimate, the TCP proxy will receive an ACK message, and then sets
up a connection between itself and the server through a three-way handshake on behalf of the client.
As two TCP connections are established, different sequence numbers are used. They are translated by the
TCP proxy for data exchange between the client and the server.
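The bidirectional exchange of Figure 38, as an added example that is not part of the guide or the product: a Python model of the proxy that answers each SYN to a protected address with a zero-window SYN ACK, opens the server-side connection only after the client's ACK proves the client is real, and then translates server sequence numbers between the two connections. The segment model, the initial sequence numbers, the addresses and the way the proxy reuses the client's ISN towards the server are assumptions made for the example; the protected address 10.1.1.2 is reused from the traffic abnormality configuration example.

```python
from dataclasses import dataclass

SERVER = "10.1.1.2"     # protected IP address entry (address reused from the guide's example)


@dataclass
class Seg:
    """A TCP segment reduced to the fields the proxy acts on (constructed model)."""
    src: str
    dst: str
    flags: str            # "SYN", "SYN ACK", "ACK", "PSH ACK"
    seq: int = 0
    ack: int = 0
    win: int = 65535
    data: bytes = b""


class BidirectionalProxy:
    """Constructed model of Figure 38: client-side handshake answered by the proxy,
    server-side handshake opened only for verified clients, sequence numbers translated."""

    def __init__(self, protected_ips, proxy_isn=5000):
        self.protected = set(protected_ips)
        self.proxy_isn = proxy_isn
        self.half_open = {}         # client ip -> client ISN, waiting for the client's ACK
        self.awaiting_server = {}   # client ip -> client ISN, SYN sent to the server
        self.established = {}       # client ip -> delta added to server seq numbers towards the client
        self.to_server = []         # segments the proxy emits towards the server
        self.to_client = []         # segments the proxy emits towards clients

    def from_client(self, seg):
        if seg.dst not in self.protected:
            self.to_server.append(seg)                 # no protected IP entry matches: forwarded untouched
        elif seg.flags == "SYN":
            # 1)-2) answer on behalf of the server with window size 0, so the client sends no data yet
            self.half_open[seg.src] = seg.seq
            self.to_client.append(Seg(seg.dst, seg.src, "SYN ACK", seq=self.proxy_isn, ack=seg.seq + 1, win=0))
        elif seg.flags == "ACK" and seg.src in self.half_open:
            # 3)-4) only a real stack acknowledges our ISN; now handshake with the server for it,
            # reusing the client's ISN so client->server sequence numbers need no translation
            client_isn = self.half_open.pop(seg.src)
            if seg.ack == self.proxy_isn + 1:
                self.awaiting_server[seg.src] = client_isn
                self.to_server.append(Seg(seg.src, seg.dst, "SYN", seq=client_isn))
        elif seg.src in self.established:
            # data phase: only the ACK field refers to the server's sequence space
            delta = self.established[seg.src]
            self.to_server.append(Seg(seg.src, seg.dst, seg.flags, seq=seg.seq, ack=seg.ack - delta,
                                      win=seg.win, data=seg.data))
        # Anything else aimed at a protected address (SYNs from sources that never answer,
        # unsolicited ACKs) ends here and never reaches the server.

    def from_server(self, seg):
        if seg.flags == "SYN ACK" and seg.dst in self.awaiting_server:
            # 5)-6) complete the server-side handshake and remember the sequence offset
            client_isn = self.awaiting_server.pop(seg.dst)
            delta = self.proxy_isn - seg.seq
            self.established[seg.dst] = delta
            self.to_server.append(Seg(seg.dst, seg.src, "ACK", seq=client_isn + 1, ack=seg.seq + 1))
            # 7) open the client's window with the size the server advertised
            self.to_client.append(Seg(seg.src, seg.dst, "ACK", seq=self.proxy_isn + 1, ack=client_isn + 1, win=seg.win))
        elif seg.dst in self.established:
            delta = self.established[seg.dst]
            self.to_client.append(Seg(seg.src, seg.dst, seg.flags, seq=seg.seq + delta, ack=seg.ack,
                                      win=seg.win, data=seg.data))


def run_scenario():
    """Constructed traffic: 200 SYNs from sources that never answer, then one legitimate client."""
    proxy = BidirectionalProxy([SERVER])
    for i in range(200):
        proxy.from_client(Seg(f"198.51.100.{i + 1}", SERVER, "SYN", seq=i))
    syns_at_server_after_flood = len(proxy.to_server)
    client, c_isn, s_isn = "192.0.2.10", 1000, 9000
    proxy.from_client(Seg(client, SERVER, "SYN", seq=c_isn))
    synack = proxy.to_client[-1]
    proxy.from_client(Seg(client, SERVER, "ACK", seq=c_isn + 1, ack=synack.seq + 1))
    proxy.from_server(Seg(SERVER, client, "SYN ACK", seq=s_isn, ack=c_isn + 1, win=65535))
    # the server sends one byte; the client acknowledges it in the proxy's sequence space
    proxy.from_server(Seg(SERVER, client, "PSH ACK", seq=s_isn + 1, ack=c_isn + 1, data=b"x"))
    seen_by_client = proxy.to_client[-1]
    proxy.from_client(Seg(client, SERVER, "ACK", seq=c_isn + 1, ack=seen_by_client.seq + 1))
    seen_by_server = proxy.to_server[-1]
    return {"syns_at_server_after_flood": syns_at_server_after_flood, "synack_window": synack.win,
            "server_syns": sum(s.flags == "SYN" for s in proxy.to_server),
            "data_seq_seen_by_client": seen_by_client.seq, "ack_seen_by_server": seen_by_server.ack}


if __name__ == "__main__":
    print(run_scenario())
```

The 200 unanswered SYNs leave nothing in the proxy's server-side queue, which is the protection the feature provides; the legitimate client's handshake produces exactly one SYN at the server, and the server's first data byte (sequence 9001) reaches the client as 5001 while the client's acknowledgement of it (5002) reaches the server as 9002, which is the translation the passage above refers to. The model keeps per-source state for the unanswered SYNs and never ages it out; a real implementation has to bound that state.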
Configuring TCP proxy
Configuration task list
Table 13 TCP proxy configuration task list
Performing global TCP proxy setting: Optional. The configuration takes effect on all security
zones. By default, bidirectional proxy is used.
Enabling TCP Proxy for a Security Zone: Required. By default, the TCP proxy feature is disabled
globally.
Adding a protected IP address entry, or Configure to Automatically Add a Protected IP address
Entry: At least one method is required. You can add protected IP address entries by either of the
following methods:
• Static: Add entries manually. By default, no such entries are configured in the system.
• Dynamic: Select Intrusion Detection > Traffic Abnormality > SYN Flood, and then select the Add
protected IP entry to TCP Proxy box. After the configuration, the TCP proxy-enabled device will
automatically add protected IP address entries when detecting SYN flood attacks. For more
information, see the chapter "Traffic abnormality detection configuration."
Displaying information about protected IP address entries: Optional. You can view information
about all protected IP address entries.
Performing global TCP proxy setting
Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree to enter the
page shown in Figure 39. The Global Configuration area allows you to perform global setting for TCP
proxy.
Figure 39 TCP proxy configuration
Table 14 Global configuration items of TCP proxy
Unidirection/Bidirection: Set the global proxy mode of TCP proxy.
Enabling TCP Proxy for a Security Zone
Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree to enter the
page shown in Figure 39. You can enable/disable the TCP proxy feature for a security zone in the Zone
Configuration area.
• The icon indicates that the TCP proxy feature is disabled for the corresponding security zone. You
can click the Enable button beside the icon to enable the feature.
• The icon indicates that the TCP proxy feature is enabled for the corresponding security zone. You
can click the Disable button beside the icon to disable the feature.
Adding a protected IP address entry
Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown in Figure 40,
which lists information about protected IP address entries and the relative statistics. Click Add to enter the
page for configuring a protected IP address entry, as shown in Figure 41.
Figure 40 Protected IP address entries
Figure 41 Protected IP address entry configuration page
Table 15 Protected IP address entry configuration items
Item
Description
Protected IP Address
Enter the IP address to be protected by the TCP proxy. It is the destination
IP address of the TCP connection.
Enter the destination port of the TCP connection.
Port Number
The option any specifies that TCP proxy services TCP connection requests
to any port of the server at the destination IP address.
Displaying information about protected IP address entries
Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown in Figure 40, which lists information about protected IP address entries.
Table 16 Field description
Protected IP: IP addresses protected by the TCP proxy feature.
Port Number: Destination port of the TCP connection. The option any specifies that TCP proxy services TCP connection requests to any port of the server at the destination IP address.
Type: The protected IP address entries can be static or dynamic.
Lifetime(min): Lifetime of the protected IP address entry. This item is displayed as – for static IP address entries. When the time reaches 0, the protected IP address entry is deleted.
Number of Rejected: Number of TCP connection requests that matched the protected IP address entry but were found to be illegitimate.
TCP proxy configuration example
Network requirements
As shown in Figure 42, configure bidirectional TCP proxy on Firewall to protect Server A, Server B, and Server C against SYN flood attacks. Add a protected IP address entry for Server A and configure dynamic TCP proxy for the other servers.
Figure 42 Network diagram for
(Diagram labels: Firewall with GE0/1 10.0.0.1/24 in zone Untrust toward the IP network, and GE0/2 20.0.0.1/24 in zone Trust toward Server A 20.0.0.10/24, Server B, and Server C.)
Configuration procedure
# Assign IP addresses to the interfaces and then add interface GigabitEthernet 1/1 to zone Untrust, and GigabitEthernet 1/2 to zone Trust. (Details not shown.)
# Set the TCP proxy mode to bidirectional and enable TCP proxy for zone Untrust.
• Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree. Select the bidirectional mode and enable TCP proxy for zone Untrust as shown in Figure 43.
Figure 43 Select the bidirectional mode and enable TCP proxy for zone Untrust
• Select Bidirection for the global setting.
• Click Apply.
• In the Zone Configuration area, click Enable for the Untrust zone.
# Add an IP address entry manually for protection.
• Select Intrusion Detection > TCP Proxy > Protected IP Configuration from the navigation tree. Then on the right pane, click Add. Add an IP address entry for protection as shown in Figure 44.
Figure 44 Add an IP address entry for protection
• Enter 20.0.0.10 in the Protected IP Address field.
• Click Apply.
# Configure the SYN flood detection feature, specifying to automatically add protected IP address entries.
• Select Intrusion Detection > Traffic Abnormality > SYN Flood from the navigation tree. In the Attack Prevention Policy area, configure the action to be taken upon detecting a SYN flood attack, as shown in Figure 45.
Figure 45 Configure the action to be taken upon detecting a SYN flood
• Select Trust from the Security Zone list.
• Select the Add protected IP entry to TCP Proxy box in the Attack Prevention Policy area.
• Click Apply.
• In the SYN Flood Configuration area, click Add. Configure global settings as shown in Figure 46.
Figure 46 Configure global settings
• Select Global Configuration of Security Zone.
• Click Apply.
Configuration guidelines
Follow these guidelines when configuring TCP proxy:
1. TCP proxy is effective only for incoming traffic of the security zone.
2. The performance of the Web-based management system may be degraded if the system’s IP address and port number are in the protected IP entry list.
IDS collaboration
NOTE:
• The firewall device can collaborate with only Venusense IDS devices.
• The IDS collaboration configuration is available only in the web interface.
Overview
IDS collaboration is introduced for firewalls to work with an intrusion detection system (IDS) device. As shown in Figure 47, the collaboration process is as follows:
1. The IDS device examines network traffic for attacks.
2. When the IDS device detects an attack, it sends an SNMP trap message to the firewall device. The trap message may carry attack information such as the source IP address of the attacker, the target IP address under attack, and the source port and destination port.
3. When a firewall with IDS collaboration enabled receives the trap message, it retrieves the attack information, generates a blocking entry, and blocks subsequent traffic from the source.
Figure 47 Network diagram for IDS collaboration
Enabling IDS collaboration
Select Intrusion Detection > IDS Collaboration from the navigation tree to enter the page for enabling IDS
collaboration, as shown in Figure 48. Select the Enable IDS Collaboration box, and click Apply.
Figure 48 Enable IDS collaboration
Configuration guidelines
When you configure IDS collaboration, follow these guidelines:
• Both the firewall devices and IDS devices must support and have SNMPv2c configured.
• The aging time for an IDS blocking entry is five minutes. The timer restarts if the firewall receives an SNMP trap with the same attack information before the timer expires.
• A blocking entry is effective only for subsequent connections matching this entry. To make entries apply to the current connections, disable the fast forwarding function of the firewall.
• Disabling IDS collaboration removes the generated blocking entries from the firewall.
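The blocking-entry lifecycle described in the overview and guidelines above, as an added illustration that is not the firewall's own code. The SNMP trap format and OIDs are not on this page, so the trap is represented by a constructed AttackInfo record; the five-minute aging and the restart-on-repeat rule are taken from the guidelines.

```python
from dataclasses import dataclass
from typing import Dict, Optional

BLOCK_AGING_S = 5 * 60   # aging time stated in the guidelines: five minutes

@dataclass(frozen=True)
class AttackInfo:
    """Attack information a trap may carry per the overview. Constructed record;
    the real trap encoding is not documented on this page."""
    src_ip: str
    dst_ip: Optional[str] = None      # None means the trap did not carry that field
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

class IdsCollaboration:
    def __init__(self) -> None:
        self.enabled = False
        self.blocks: Dict[AttackInfo, float] = {}   # blocking entry -> expiry time

    def set_enabled(self, enabled: bool) -> None:
        self.enabled = enabled
        if not enabled:
            self.blocks.clear()       # disabling removes the generated entries

    def on_trap(self, info: AttackInfo, now: float) -> bool:
        """Handle a trap from the IDS. Returns True if an entry was created or refreshed."""
        if not self.enabled:
            return False
        # A repeated trap with the same attack information restarts the timer.
        self.blocks[info] = now + BLOCK_AGING_S
        return True

    def expire(self, now: float) -> None:
        self.blocks = {e: t for e, t in self.blocks.items() if t > now}

    def is_blocked(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                   now: float) -> bool:
        """Decision for a *new* connection. Entries apply only to subsequent connections;
        flows already in the fast-forwarding path are not re-evaluated here."""
        self.expire(now)
        for e in self.blocks:
            if (e.src_ip == src_ip and e.dst_ip in (None, dst_ip)
                    and e.src_port in (None, src_port) and e.dst_port in (None, dst_port)):
                return True
        return False
```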
Intrusion detection statistics
NOTE:
The intrusion detection configuration is available only in the web interface.
Overview
Intrusion detection is an important network security feature. By analyzing the contents and behaviors of packets passing through the firewall, it can determine whether the packets are attack packets and take the configured actions accordingly. Supported actions include outputting alarm logs, discarding packets, and adding the attacker to the blacklist.
The intrusion detection statistics show the number of attacks by attack type and the number of attack packets dropped, helping you analyze the types and quantities of intrusions present so that you can refine network security policies.
NOTE:
For information about packet inspection, see the chapter “Packet inspection configuration.” For information about traffic abnormality detection, see the chapter “Traffic abnormality detection configuration.”
Displaying intrusion detection statistics
To view intrusion detection statistics, select Intrusion Detection > Statistics in the navigation tree to enter the intrusion detection statistics page, as shown in Figure 49. Select a zone to view the counts of attacks and the counts of dropped packets in the security zone. Table 17 describes the attack types.
Figure 49 Intrusion detection statistics
Table 17 Attack types description
Fraggle: A Fraggle attack occurs when an attacker sends large amounts of UDP echo requests with UDP port number 7 or Chargen packets with UDP port number 19, resulting in a large quantity of junk replies and finally exhausting the bandwidth of the target network.
ICMP Redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table, interfering with the normal forwarding of IP packets.
ICMP Unreachable: Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for the destination. By sending ICMP unreachable packets, an ICMP unreachable attacker can cut off the connection between the target host and the network.
Land: A Land attack occurs when an attacker sends a great number of TCP SYN packets with both the source and destination IP addresses being the IP address of the target, exhausting the half-open connection resources of the victim and preventing the target from providing services normally.
Large ICMP: For some hosts and devices, large ICMP packets cause memory allocation errors and crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.
Route Record: A route record attack exploits the route record option in the IP header to probe the topology of a network.
Scan: A scanning attack probes the addresses and ports on a network to identify the hosts attached to the network and the application ports available on the hosts, and to figure out the topology of the network in preparation for further attacks.
Source Route: A source route attack exploits the source route option in the IP header to probe the topology of a network.
Smurf: A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network reply to the requests, congesting the network and leaving hosts on the target network unable to provide services.
TCP Flag: Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such TCP flags to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker can make the host crash.
Tracert: The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 each time the packet passes a router. Upon receiving a packet with a TTL of 0, a router must send an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the network topology.
WinNuke: A WinNuke attacker sends out-of-band (OOB) data with overlapping pointer field values to the NetBIOS port (139) of a Windows system with an established connection to introduce a NetBIOS fragment overlap, causing the system to crash.
SYN Flood: A SYN flood attack exploits TCP SYN packets. Due to resource limitations, the number of TCP connections that can be created on a device is limited. A SYN flood attacker sends a barrage of spurious SYN packets to a victim to initiate TCP connections. As the SYN_ACK packets that the victim sends in response never get acknowledgments, large numbers of half-open connections are created and retained on the victim, making the victim inaccessible until the number of half-open connections drops to a reasonable level through timeout of the half-open connections. In this way, a SYN flood attack exhausts system resources such as memory on a system whose implementation does not limit the creation of connections.
ICMP Flood: An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo requests (such as ping packets) in a short period, preventing the victim from providing services normally.
UDP Flood: A UDP flood attack overwhelms the victim with an enormous number of UDP packets in a short period, preventing the victim from providing services normally.
DNS Flood: A DNS flood attack overwhelms the victim with an enormous number of DNS query requests in a short period, preventing the victim from providing services normally.
Number of connections per source IP exceeds the threshold: When an internal user initiates a large number of connections to a host on the external network in a short period of time, system resources on the device are used up quickly, which makes the device unable to serve other users.
Number of connections per dest IP exceeds the threshold: If an internal server receives large quantities of connection requests in a short period of time, the server cannot process normal connection requests from other hosts.
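To make the per-packet signatures in Table 17 concrete, here is an added detection example (not the firewall's code) that classifies constructed packet summaries into the attack types that can be recognized from a single packet. The flood, scan and connection-count types need rate counters across packets and are left out; the Large ICMP size threshold and the Packet field names are this example's own assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

LARGE_ICMP_BYTES = 4000   # assumed threshold; the page gives no number

@dataclass
class Packet:
    """Constructed packet summary; field names are this example's own."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    length: int = 64           # total IP length in bytes
    ttl: int = 64
    sport: int = 0
    dport: int = 0
    tcp_flags: str = ""        # letters, e.g. "S", "SA", "PAU"
    icmp_type: int = -1        # 8 = echo request, 5 = redirect, 3 = unreachable
    ip_options: List[str] = field(default_factory=list)   # "rr", "lsrr", "ssrr"

def classify(pkt: Packet, protected_net: str) -> Optional[str]:
    """Return the Table 17 attack type a single packet matches, or None."""
    net = ip_network(protected_net)
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    to_broadcast = dst == net.broadcast_address
    # Land: SYN whose source and destination are the same address
    if pkt.proto == "tcp" and src == dst and "S" in pkt.tcp_flags:
        return "Land"
    # WinNuke: out-of-band (URG) data aimed at the NetBIOS port
    if pkt.proto == "tcp" and pkt.dport == 139 and "U" in pkt.tcp_flags:
        return "WinNuke"
    # Smurf: ICMP echo request to the directed broadcast address
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and to_broadcast:
        return "Smurf"
    # Fraggle: UDP echo (7) or chargen (19) to the broadcast address
    if pkt.proto == "udp" and to_broadcast and pkt.dport in (7, 19):
        return "Fraggle"
    if pkt.proto == "icmp" and pkt.icmp_type == 5:
        return "ICMP Redirect"
    if pkt.proto == "icmp" and pkt.icmp_type == 3:
        return "ICMP Unreachable"
    if pkt.proto == "icmp" and pkt.length > LARGE_ICMP_BYTES:
        return "Large ICMP"
    if "rr" in pkt.ip_options:
        return "Route Record"
    if "lsrr" in pkt.ip_options or "ssrr" in pkt.ip_options:
        return "Source Route"
    # Tracert: UDP probe to a high port whose TTL expires at this hop
    if pkt.proto == "udp" and pkt.dport >= 33434 and pkt.ttl == 1:
        return "Tracert"
    return None

def count_by_type(packets: Iterable[Packet], protected_net: str = "10.0.0.0/24") -> Dict[str, int]:
    """Per-type counts, the shape of what the statistics page shows for one zone."""
    counts: Dict[str, int] = {}
    for p in packets:
        t = classify(p, protected_net)
        if t is not None:
            counts[t] = counts.get(t, 0) + 1
    return counts

# Constructed sample traffic toward the protected 10.0.0.0/24 segment.
SAMPLES = [
    Packet("10.0.0.10", "10.0.0.10", "tcp", sport=80, dport=80, tcp_flags="S"),
    Packet("198.51.100.7", "10.0.0.255", "icmp", icmp_type=8),
    Packet("198.51.100.7", "10.0.0.255", "udp", dport=7),
    Packet("198.51.100.7", "10.0.0.10", "tcp", dport=139, tcp_flags="PAU"),
    Packet("198.51.100.7", "10.0.0.10", "icmp", icmp_type=8, length=65000),
    Packet("198.51.100.7", "10.0.0.10", "udp", dport=33434, ttl=1),
    Packet("198.51.100.7", "10.0.0.10", "tcp", dport=443, tcp_flags="S"),   # benign
]
```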
ARP attack protection configuration
The Address Resolution Protocol (ARP) is easy to use, but it is often exploited by attackers because it lacks security mechanisms. An attacker may send:
• ARP packets by acting as a trusted user or gateway, so that the receiving devices obtain incorrect ARP entries.
• A large number of IP packets with unreachable destinations. As a result, the receiving device continuously resolves destination IP addresses and thus its CPU is overloaded.
• A large number of ARP packets to overload the CPU of the receiving device.
Currently, ARP attacks and ARP viruses pose significant threats to LANs. To avoid such attacks and viruses, the firewall provides multiple techniques to detect and prevent them.
The following describes the principles and configuration of these techniques.
Configuring periodic sending of gratuitous ARP packet
Introduction to periodic sending of gratuitous ARP packet
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device, the sender MAC address is the MAC address of the sending device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.
A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.
• Inform other devices of the change of its MAC address.
Enabling learning of gratuitous ARP packets
With this feature enabled, the firewall, upon receiving a gratuitous ARP packet, adds an ARP entry that
contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry
exists, the device updates the ARP entry.
With this feature disabled, the firewall uses the received gratuitous ARP packets to update existing ARP
entries, but not to create new ARP entries.
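The packet layout from the introduction and the two learning behaviors just described, as an added example that is not the firewall's code: it builds and parses the ARP body of a gratuitous ARP (sender IP equal to target IP, broadcast target MAC, as the page defines it) and applies the enabled/disabled learning rule to an ARP table. The ARP_FMT layout follows RFC 826; the table representation is this example's own.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict

BROADCAST_MAC = b"\xff" * 6
# ARP body for Ethernet/IPv4 (RFC 826): hw type, proto type, hw len, proto len, opcode,
# sender MAC, sender IP, target MAC, target IP  (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"

def build_gratuitous_arp(sender_mac: bytes, sender_ip: str, reply: bool = False) -> bytes:
    """Gratuitous ARP as the page describes it: target IP == sender IP, target MAC broadcast.
    Opcode 1 = request, 2 = reply."""
    ip = IPv4Address(sender_ip).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2 if reply else 1,
                       sender_mac, ip, BROADCAST_MAC, ip)

def parse_arp(body: bytes) -> dict:
    f = struct.unpack(ARP_FMT, body[:28])
    return {"op": f[4], "sender_mac": f[5], "sender_ip": str(IPv4Address(f[6])),
            "target_mac": f[7], "target_ip": str(IPv4Address(f[8]))}

def is_gratuitous(arp: dict) -> bool:
    # Defining property: the sender announces (or probes) its own IP address.
    return arp["sender_ip"] == arp["target_ip"]

def apply_gratuitous_arp(table: Dict[str, bytes], body: bytes, learning_enabled: bool) -> str:
    """Apply the learning rule from the text to an ARP table (IP -> MAC).
    Returns 'added', 'updated' or 'ignored'."""
    arp = parse_arp(body)
    if not is_gratuitous(arp):
        return "ignored"                      # ordinary ARP is out of scope here
    ip, mac = arp["sender_ip"], arp["sender_mac"]
    if ip in table:
        table[ip] = mac                       # existing entries are refreshed in both modes
        return "updated"
    if learning_enabled:
        table[ip] = mac                       # new entries only when learning is enabled
        return "added"
    return "ignored"
```

Note that even with learning disabled an existing entry is overwritten by whatever MAC the gratuitous ARP carries, which is exactly the window the periodic-sending and fixed-ARP features below are meant to narrow.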
Configuring periodic sending of gratuitous ARP packet
By sending gratuitous ARP packets periodically, the firewall can notify its downlink devices of the updates of its ARP entries or MAC address entries, so as to:
1. Prevent ARP spoofing
A spoofed gratuitous ARP packet can cause hosts on a network segment to update their ARP entries incorrectly, and thereby redirect traffic that the hosts want to send to the gateway to an incorrect MAC address instead. As a result, the hosts cannot access external networks.
To prevent such ARP attacks, you can configure the gateway’s interfaces to send gratuitous ARP packets for the primary IP address and manually configured secondary IP addresses of the interface regularly. In this way, the hosts on the network segment can learn the correct gateway address information and can therefore access the network.
2. Prevent aging of the gateway ARP entry
In practice, if the network load is heavy or the CPU usage of hosts on the network is high, ARP packets may be dropped or the hosts may fail to process ARP packets in time. In such cases, the dynamic ARP entries of the hosts may be aged out due to timeout, and the traffic between the hosts and the gateway may be interrupted before the ARP entry of the gateway is learnt.
To solve this problem, you can enable the gateway interface to send gratuitous ARP packets that contain the primary IP address or a manually configured secondary IP address regularly. This helps the hosts update their ARP entries in time and prevents such traffic interruption as far as possible.
3. Prevent the virtual IP address of a VRRP group from being used by a host
When a network has a VRRP group, the master router in the VRRP group must regularly send gratuitous ARP packets to the hosts on the network to make the hosts update their local ARP entries in time, thus ensuring that no device on the network uses the virtual IP address of the VRRP group.
As the virtual IP address of the VRRP group may correspond to the virtual MAC address or the actual MAC address, the gratuitous ARP packets use the virtual MAC address or the actual MAC address accordingly.
4. Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured
In VRRP configuration, if ambiguous VLAN termination is configured for many VLANs and VRRP groups, interfaces configured with VLAN termination need to be disabled from transmitting broadcast/multicast packets, and a VRRP control VLAN needs to be configured so that VRRP advertisements are transmitted within the control VLAN only. In such cases, you can enable periodic sending of gratuitous ARP packets containing the VRRP virtual IP address, and the primary IP address or a manually configured secondary IP address of the sending interface, on the subinterfaces. In this way, when a VRRP failover occurs, devices in the VLANs having ambiguous VLAN termination configured can use the gratuitous ARP packets to update their corresponding MAC entries in time.
NOTE:
For more information about VRRP, see High Availability Configuration Guide.
Configuring periodic sending of gratuitous ARP packet in the web interface
Select Firewall > ARP Anti-Attack > Send Gratuitous ARP from the navigation tree to enter the Send Gratuitous ARP page, as shown in Figure 50.
Figure 50 Configure periodic sending of gratuitous ARP packets
Table 18 Configuration items
Sending Interface: Specify an interface and interval for periodically sending gratuitous ARP packets. Select an interface from the Standby Interface list, set its sending interval, and then click << to add it to the Sending Interface list box. To delete the combination of an interface and its sending interval, select it from the Sending Interface list and click >>.
IMPORTANT:
• The firewall supports up to 1024 interfaces to send gratuitous ARP packets periodically.
• With this feature enabled, an interface can periodically send gratuitous ARP packets only after it is assigned an IP address and the link comes up.
• If a sending interval is modified, the setting takes effect at the next interval.
• If many interfaces are enabled with this feature, or each interface has a large number of secondary IP addresses, or the sending intervals are very short while both of the above conditions exist at the same time, the frequency at which gratuitous ARP packets are sent may be far lower than you expect.
Configuring periodic sending of gratuitous ARP packet at the CLI
Follow these steps to configure gratuitous ARP:
1. Enter system view: system-view
2. Enable learning of gratuitous ARP packets: gratuitous-arp-learning enable (Optional. Enabled by default.)
3. Enable the firewall to send gratuitous ARP packets upon receiving ARP requests from another subnet: gratuitous-arp-sending enable (Required. By default, the firewall does not send gratuitous ARP packets upon receiving ARP requests from another subnet.)
4. Enter interface view: interface interface-type interface-number
5. Enable periodic sending of gratuitous ARP packets and set the sending interval: arp send-gratuitous-arp [ interval milliseconds ] (Required. Disabled by default.)
NOTE:
• You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
• Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes
up and an IP address has been assigned to the interface.
• If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next
sending interval.
• The frequency of sending gratuitous ARP packets may be much lower than is expected if this function is
enabled on multiple interfaces, if each interface is configured with multiple secondary IP addresses, or
if a small sending interval is configured in such cases.
ARP automatic scanning and fixed ARP
Introduction to ARP automatic scanning and fixed ARP
ARP automatic scanning is usually used together with the fixed ARP feature.
• With the ARP automatic scanning feature enabled, the firewall scans the LAN for neighbors by sending ARP requests, and thereby obtains the MAC addresses of the neighbors and adds dynamic ARP entries.
• With the fixed ARP feature, the device can convert dynamic ARP entries (including those added by ARP automatic scanning) into static ones, thus effectively preventing attackers from modifying ARP entries.
NOTE:
HP recommends that you use these two features in small-sized and stable networks, such as an Internet café.
Configuring ARP automatic scanning in the web interface
NOTE:
• Do not perform other operations when ARP automatic scanning is in progress.
• ARP automatic scanning may take a long time. You can abort the scanning by clicking Interrupt on the
ARP scan page.
Select Firewall > ARP Anti-Attack > Scan from the navigation tree to enter the ARP scanning configuration page, as shown in Figure 51.
Figure 51 ARP scanning
Table 19 Configuration items
Interface: Select the interface to be configured to perform ARP automatic scanning.
Start IP Address / End IP address: Specify the start and end IP addresses of the IP address range for ARP automatic scanning. To reduce the scanning time, you can specify the IP address range for scanning if you know the IP address range assigned to the neighbors in a LAN. The specified start and end IP addresses must be in the same network segment as the primary IP address or a manually configured secondary IP address of the interface. If the specified address range covers multiple network segments of the interface, the source IP address in the ARP request is the interface address on the smallest network segment.
IMPORTANT:
• Both the start and end IP addresses must be specified, or neither of them.
• The start and end IP addresses must be in the same network segment as the primary IP address or manually configured secondary IP address of the interface.
• The start IP address must be lower than or equal to the end IP address.
• With no IP address range specified, the firewall scans only the network segment of the primary IP address of the interface for neighbors. The source IP address of the sent ARP request is the primary IP address of the interface.
Also scan IP addresses of dynamic ARP entries: Set whether to scan the IP addresses of the existing dynamic ARP entries.
After the above configuration, click Scan to begin ARP automatic scanning. To abort scanning, click Interrupt.
Configuring fixed ARP in the web interface
NOTE:
• The static ARP entries resulting from conversion are the same as those manually configured.
• The number of dynamic ARP entries that can be converted into static ones is limited by the number of static ARP entries supported on the firewall. Some dynamic ARP entries may not be converted to static ones due to the limit.
• The fixing process may take some time, during which some dynamic entries may be added or aged out. The newly added dynamic entries will be fixed and the aged ones will not.
Select Firewall > ARP Anti-Attack > Fix from the navigation tree to enter the fixed ARP configuration page, as shown in Figure 52. The page lists all static ARP entries, including manually configured ones and fixed ones, and all dynamic ARP entries.
Figure 52 Fixed ARP page
• Click Fix All to convert all dynamic ARP entries to static ones.
• Click Del All Fixed to delete all static ARP entries.
• Select the box before dynamic ARP entries, and click Fix to convert the selected ARP entries to static ARP entries.
• Select the box before static ARP entries, and click Del Fixed to delete the selected static ARP entries. If you select a dynamic one and click Del Fixed, the entry is not deleted.
Configuring ARP automatic scanning and fixed ARP at the CLI
Follow these steps to configure ARP automatic scanning and fixed ARP:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable ARP automatic scanning: arp scan [ start-ip-address to end-ip-address ] (Required)
4. Return to system view: quit
5. Enable fixed ARP: arp fixup (Required)
NOTE:
• IP addresses existing in ARP entries are not scanned.
• ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP
entries are created based on ARP replies received before the scan is terminated.
• The static ARP entries changed from dynamic ARP entries have the same attributes as the static ARP
entries manually configured.
• Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You can
use this command again to change the dynamic ARP entries learned later into static.
• The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static
ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries
into static.
• To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address
[ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp
static command.
TCP attack protection configuration
TCP attack protection overview
An attacker can attack the device during the process of TCP connection establishment. To prevent such attacks, the device provides the following features:
• SYN Cookie
• Protection against Naptha attacks
This document describes the attacks these features can prevent, the working mechanisms of these features, and the configuration procedures.
Enabling the SYN Cookie feature
As a general rule, the establishment of a TCP connection involves the following three-way handshake:
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server establishes a TCP connection in the SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3. After receiving the SYN ACK message, the originator returns an ACK message, establishing the TCP connection.
Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number of SYN messages to the server to establish TCP connections, but never respond to the SYN ACK messages. As a result, a large number of incomplete TCP connections are established, resulting in heavy resource consumption and making the server unable to handle services normally.
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the server directly returns a SYN ACK message instead of establishing an incomplete TCP connection. Only after receiving an ACK message from the client does the server establish a connection and enter the ESTABLISHED state. In this way, incomplete TCP connections are avoided, protecting the server against SYN Flood attacks.
Follow these steps to enable the SYN Cookie feature:
1. Enter system view: system-view
2. Enable the SYN Cookie feature: tcp syn-cookie enable (Required. Enabled by default.)
NOTE:
• If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. Then, if you disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically becomes effective again. For more information about MD5 authentication, see Network Management Configuration Guide.
• With the SYN Cookie feature enabled, only the maximum segment size (MSS) is negotiated during TCP connection establishment; the window scale factor and timestamp options are not.
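The mechanism the SYN Cookie section describes, as an added example that is not HP's implementation (the firewall's cookie format is not documented on this page): the server keeps no half-open state between SYN and ACK because everything it must remember is encoded in the SYN ACK sequence number and verified with a keyed hash when the ACK returns. The secret, epoch length and MSS table are this example's own assumptions; the two-bit MSS index is also why only the MSS survives the handshake, as the note on this feature states.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

SECRET = b"constructed-secret-not-for-production"   # a real stack uses a per-boot random secret
COUNTER_PERIOD_S = 64                              # cookie epoch length (assumed)
MSS_TABLE = (536, 1220, 1440, 1460)                # MSS values encodable in 2 bits (assumed)

@dataclass(frozen=True)
class FourTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _epoch(now: float) -> int:
    return int(now) // COUNTER_PERIOD_S

def _mac(t: FourTuple, epoch: int, mss_idx: int) -> int:
    """22-bit keyed hash over the 4-tuple, epoch and MSS index."""
    msg = f"{t.src_ip}:{t.src_port}>{t.dst_ip}:{t.dst_port}|{epoch}|{mss_idx}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big") & 0x3FFFFF

def make_syn_cookie(t: FourTuple, client_mss: int, now: float) -> int:
    """Server ISN for the SYN ACK: [epoch low 8 bits | MSS index 2 bits | MAC 22 bits]."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            mss_idx = i                    # largest table value the client accepts
    epoch = _epoch(now)
    return ((epoch & 0xFF) << 24) | (mss_idx << 22) | _mac(t, epoch, mss_idx)

def check_syn_cookie(t: FourTuple, ack_number: int, now: float) -> Optional[int]:
    """Validate the third handshake message. Returns the negotiated MSS, or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF      # the ACK acknowledges ISN + 1
    epoch_low = cookie >> 24
    mss_idx = (cookie >> 22) & 0x3
    mac = (cookie & 0x3FFFFF).to_bytes(3, "big")
    for epoch in (_epoch(now), _epoch(now) - 1):   # accept current and previous epoch only
        if (epoch & 0xFF) == epoch_low and hmac.compare_digest(
                _mac(t, epoch, mss_idx).to_bytes(3, "big"), mac):
            return MSS_TABLE[mss_idx]
    return None

class SynCookieServer:
    """Only completed handshakes ever enter the connection table."""
    def __init__(self) -> None:
        self.established: Dict[FourTuple, int] = {}

    def on_syn(self, t: FourTuple, client_mss: int, now: float) -> int:
        # Reply with a SYN ACK whose sequence number is the cookie; nothing is allocated.
        return make_syn_cookie(t, client_mss, now)

    def on_ack(self, t: FourTuple, ack_number: int, now: float) -> bool:
        mss = check_syn_cookie(t, ack_number, now)
        if mss is None:
            return False                   # forged, replayed or stale ACK
        self.established[t] = mss
        return True
```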
Enabling protection against Naptha attacks
Naptha attacks are similar to SYN Flood attacks. Attackers can perform Naptha attacks by using the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas SYN Flood attacks use only the SYN_RECEIVED state.
Naptha attackers control a huge number of hosts to establish TCP connections with the server, keep these connections in the same state (any of the six), and request no data, so as to exhaust the memory resources of the server. As a result, the server cannot process normal services.
Protection against Naptha attacks mitigates such attacks by accelerating the aging of TCP connections in a state. After the feature is enabled, the firewall (serving as a TCP server) periodically checks the number of TCP connections in each state. If the firewall detects that the number of TCP connections in a state exceeds the maximum number, it considers that a Naptha attack is occurring and accelerates the aging of TCP connections in this state. The firewall stops accelerating the aging of TCP connections when the number of TCP connections in the state is less than 80% of the maximum number (1 at least).
Follow these steps to enable protection against Naptha attacks:
1. Enter system view: system-view
2. Enable protection against Naptha attacks: tcp anti-naptha enable (Required. Disabled by default.)
3. Configure the maximum number of TCP connections in a state: tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number (Optional. 5 by default. If the maximum number of TCP connections in a state is 0, the aging of TCP connections in this state is not accelerated.)
4. Configure the TCP state check interval: tcp timer check-state timer-value (Optional. 30 seconds by default.)
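The threshold logic just described, as an added simulation (not the firewall's code): one call to check() stands for one check-state interval, accelerated aging starts when a state's count exceeds its maximum and stops only once the count falls below 80% of that maximum (never below 1), and a maximum of 0 disables the check for that state. The default maximum of 5 comes from the command table above; the timeout values used by connections_to_drop are assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

TCP_STATES = ("closing", "established", "fin-wait-1", "fin-wait-2", "last-ack", "syn-received")

class NapthaGuard:
    """Per-state maximum with the hysteresis the text describes."""
    def __init__(self, max_per_state: Dict[str, int], default_max: int = 5) -> None:
        self.max_per_state = {s: max_per_state.get(s, default_max) for s in TCP_STATES}
        self.accelerating: Set[str] = set()

    def stop_threshold(self, state: str) -> float:
        # Acceleration stops below 80% of the maximum, but never below 1 connection.
        return max(1.0, 0.8 * self.max_per_state[state])

    def check(self, states_of_connections: Iterable[str]) -> Set[str]:
        """One check-state interval. Returns the states whose connections age faster."""
        counts = Counter(states_of_connections)
        for state in TCP_STATES:
            limit = self.max_per_state[state]
            if limit == 0:                       # 0 means: do not accelerate this state
                self.accelerating.discard(state)
                continue
            n = counts.get(state, 0)
            if n > limit:
                self.accelerating.add(state)     # attack suspected in this state
            elif n < self.stop_threshold(state):
                self.accelerating.discard(state) # back to the normal aging rate
            # between the two thresholds the previous decision is kept (hysteresis)
        return set(self.accelerating)

def connections_to_drop(conns: Iterable[Tuple[str, str, float]], accelerating: Set[str],
                        normal_timeout: float, fast_timeout: float) -> List[str]:
    """Given (id, state, idle seconds) triples, return ids that have aged out under the
    timeout that currently applies to their state. Timeout values are assumptions."""
    return [cid for cid, state, idle in conns
            if idle >= (fast_timeout if state in accelerating else normal_timeout)]
```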
Displaying and maintaining TCP attack protection
Display current TCP connection state: display tcp status [ | { begin | exclude | include } regular-expression ] (Available in any view)
Firewall configuration
NOTE:
The firewall configuration is available only at the CLI.
Firewall overview
A firewall can block unauthorized access from the Internet to a protected network while allowing internal network users to access the Internet through, for example, WWW, or to send and receive e-mail. A firewall can also be used to control access to the Internet, for example, to permit only specific hosts within the organization to access the Internet. Many of today’s firewalls offer other features, such as identity authentication and security processing (encryption) of information.
Another application of a firewall is to protect mainframes and important resources (such as data) on the internal network. Any access to protected data must first be filtered by the firewall, even if such access is initiated by a user within the internal network.
The firewall mainly implements the following firewall functions:
• Packet-filter firewall, which performs access control list (ACL) based packet filtering
• Address translation
NOTE:
This chapter focuses on the ACL packet-filter firewall. For more information about address translation, see NAT Configuration Guide.
Introduction to packet-filter firewall
A packet-filter firewall implements IPv6 packet specific filtering. For each IPv6 packet to be forwarded, the firewall first obtains the header information of the packet, including the number of the upper layer protocol carried by the IP layer, the source address, destination address, source port number, and destination port number of the packet. Then, it compares the obtained header information against the preset ACL rules and processes the packet according to the comparison result.
Support for fragment filtering
The packet-filter firewall supports fragment inspection and filtering. It checks:
• Packet type, which can be non-fragmented packet, first fragment, or non-first fragment.
• Layer 3 information of the packet, for matching against basic ACL rules and advanced ACL rules without information above Layer 3.
• Upper layer information, for matching against advanced ACL rules containing information above Layer 3.
For a packet-filter firewall configured with advanced ACL rules that require exact match, the firewall needs to record the Layer 3 and above information carried in each first fragment. When subsequent fragments arrive, the firewall uses the saved information to implement exact match against each match condition of an ACL rule.
Exact match slightly decreases the efficiency of packet filtering. The more match items there are, the lower the packet filtering efficiency. You can specify a threshold to limit the maximum number of match entries to be processed by the firewall.
NOTE:
For more information about ACL, see Access Control Configuration Guide.
Configuring a packet-filter firewall
Packet-filter firewall configuration task list
Complete the following tasks to configure a packet-filter firewall:
Task                                                            Remarks
Enabling the IPv6 firewall function                             Required
Configuring the default filtering action of the IPv6 firewall   Optional
Configuring IPv6 packet filtering on an interface               Required
Enabling the IPv6 firewall function
Follow these steps to enable the IPv6 firewall function:
To do…                              Use the command…        Remarks
Enter system view                   system-view             —
Enable the IPv6 firewall function   firewall ipv6 enable    Required. Disabled by default.
Configuring the default filtering action of the IPv6 firewall
The default filtering action determines whether the firewall permits or denies a packet when no ACL
rule provides a criterion for judging it.
Follow these steps to configure the default filtering action of the IPv6 firewall:
To do…                                                 Use the command…                           Remarks
Enter system view                                      system-view                                —
Specify the default filtering action of the firewall   firewall ipv6 default { deny | permit }    Optional. permit (packets are allowed to pass the firewall) by default.
Configuring IPv6 packet filtering on an interface
When an ACL is applied to an interface, any time range-based filtering in the ACL takes effect at the same time.
In addition, you can specify separate access rules for inbound and outbound packets.
The effective range for basic ACL numbers is 2000 to 2999. A basic ACL defines rules based on the
Layer 3 source IP address only to analyze and process data packets.
The effective range for advanced ACL numbers is 3000 to 3999. An advanced ACL defines rules
according to the source and destination IP addresses of packets, the type of protocol over IP, TCP/UDP
source and destination ports, and so on.
An advanced ACL supports the following match modes:
• Normal match—Matches Layer 3 information only. Non-Layer 3 information is ignored.
• Exact match—Matches all conditions of the advanced ACL rules. For this reason, you must enable fragment
inspection so that the firewall records the status of the first fragment of each packet and obtains the
match information for the subsequent fragments.
The default mode is normal match mode.
NOTE:
You can neither enable packet filtering on an interface in an aggregation group or service loopback
group, nor add an interface with packet filtering enabled to an aggregation group or service loopback
group.
IPv6 packet filtering is a basic firewall function based on IPv6 ACLs. You can configure IPv6 packet
filtering in the inbound or outbound direction of an interface so that the interface filters packets that
match the IPv6 ACL rules.
Follow these steps to configure IPv6 packet filtering on an interface:
To do...                                            Use the command...                                                               Remarks
Enter system view                                   system-view                                                                      —
Enter interface view                                interface interface-type interface-number                                        —
Configure IPv6 packet filtering on an interface     firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }   Required. IPv6 packets are not filtered by default.
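The following is an added configuration example that walks through all three tasks above (it is not taken from the guide). It assumes a firewall named Firewall whose GigabitEthernet 0/1 faces the untrusted network, an internal prefix 2001:db8:1::/64 and a management prefix 2001:db8:2::/64; the acl ipv6 and rule commands are those of the Access Control Configuration Guide rather than this chapter, and the interface name is for illustration only. The default action is set to deny so that traffic matching no rule is dropped rather than forwarded.

```text
# Added example, not from the guide. Firewall name, interface and prefixes are assumptions.
<Firewall> system-view
[Firewall] firewall ipv6 enable
# Fail closed: a packet that matches no ACL rule is denied (the factory default is permit).
[Firewall] firewall ipv6 default deny
# Advanced IPv6 ACL (numbers 3000 to 3999): rules may use protocol, addresses and ports.
[Firewall] acl ipv6 number 3000
[Firewall-acl6-adv-3000] rule 0 permit tcp destination 2001:db8:1::/64 destination-port eq 443
[Firewall-acl6-adv-3000] rule 5 permit tcp source 2001:db8:2::/64 destination 2001:db8:1::/64 destination-port eq 22
[Firewall-acl6-adv-3000] rule 10 deny ipv6
[Firewall-acl6-adv-3000] quit
# Apply the ACL to traffic entering from the untrusted side only.
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] firewall packet-filter ipv6 3000 inbound
[Firewall-GigabitEthernet0/1] quit
# Check the per-interface counters after sending test traffic through the firewall.
[Firewall] display firewall ipv6 statistics interface GigabitEthernet 0/1
```

Rules 0 and 5 carry Layer 4 conditions (destination ports). In the default normal match mode these conditions are only evaluated on packets that carry the upper-layer header, so a non-first fragment is judged on its Layer 3 information alone; if exact matching of every fragment is required, enable fragment inspection as described in this chapter (the command is documented in the ACL guide and is not shown here) and expect the throughput cost the text mentions.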
Displaying and maintaining a packet filtering firewall
To do...                                                      Use the command...                                                                                                                   Remarks
View the packet filtering statistics of the IPv6 firewall     display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]   Available in any view
Clear the packet filtering statistics of the IPv6 firewall    reset firewall ipv6 statistics { all | interface interface-type interface-number }                                                    Available in user view
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP A-Series Acronyms.
Websites
• HP.com http://www.hp.com
• HP Networking http://www.hp.com/go/networking
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[]                Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]   Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } * Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] * Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>            The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                 A line that starts with a pound (#) sign is a comment.
GUI conventions
Convention   Description
Boldface     Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
>            Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention   Description
WARNING      An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION      An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT    An alert that calls attention to essential information.
NOTE         An alert that contains additional or supplementary information.
TIP          An alert that provides helpful information.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Index
A
ARP automatic scanning and fixed ARP, 47
B
Blacklist configuration example, 3
Blacklist overview, 1
C
Configuration guidelines, 38
Configuration guidelines, 39
Configuring a packet-filter firewall, 54
Configuring packet inspection, 8
Configuring periodic sending of gratuitous ARP packet, 44
Configuring TCP proxy, 33
Configuring the blacklist, 1
Configuring traffic abnormality detection, 12
Configuring URPF, 27
Contacting HP, 56
Conventions, 57
D
Displaying and maintaining TCP attack protection, 52
Displaying intrusion detection statistics, 41
E
Enabling IDS collaboration, 39
Enabling protection against Naptha attacks, 52
Enabling the SYN Cookie feature, 51
F
Firewall overview, 53
O
Overview, 31
Overview, 39
Overview, 41
P
Packet inspection configuration example, 9
Packet inspection overview, 7
R
Related information, 56
T
TCP attack protection overview, 51
TCP proxy configuration example, 36
Traffic abnormality detection configuration example, 21
Traffic abnormality detection overview, 11
U
URPF configuration example, 28
URPF overview, 26