H3C Technologies H3C SecPath F1000-E User Manual (182 pages), page 1
Table of Contents

Portal Configuration  1
  Portal Overview  1
    Introduction to Portal  1
    Introduction to Extended Portal Functions  1
    Portal System Components  2
    Portal Authentication Modes  3
    Layer 3 Portal Authentication Process  4
  Portal Configuration Task List  6
  Configuration Prerequisites  7
  Specifying a Portal Server for Layer 3 Portal Authentication  7
  Enabling Layer 3 Portal Authentication  8
  Controlling Access of Portal Users  9
    Configuring a Portal-Free Rule  9
    Configuring an Authentication Subnet  9
    Setting the Maximum Number of Online Portal Users  10
    Specifying the Authentication Domain for Portal Users  10
  Configuring RADIUS Related Attributes  11
    Specifying a NAS ID for an Interface  11
    Specifying NAS-Port-Type for an Interface  11
    Specifying a NAS ID Profile for an Interface  12
  Specifying the Source IP Address for Outgoing Portal Packets  12
  Configuring Portal Detection Functions  13
    Configuring Detection of Online Portal Users  13
    Configuring the Portal Server Detection Function  13
    Configuring Portal User Information Synchronization  15
  Logging Off Portal Users  16
  Displaying and Maintaining Portal  16
  Portal Configuration Examples  17
    Configuring Direct Portal Authentication  17
    Configuring Re-DHCP Portal Authentication  22
    Configuring Layer 3 Portal Authentication  24
    Configuring Direct Portal Authentication with Extended Functions  26
    Configuring Re-DHCP Portal Authentication with Extended Functions  28
    Configuring Layer 3 Portal Authentication with Extended Functions  31
    Configuring Portal Server Detection and Portal User Information Synchronization  33
    Layer 3 Portal Authentication Across VPNs  39
  Troubleshooting Portal  41
    Inconsistent Keys on the Access Device and the Portal Server  41
    Incorrect Server Port Number on the Access Device  41

Page index

Page 1 - Table of Contents

i Table of Contents Portal Configuration

Page 2 - Portal Configuration

9 Controlling Access of Portal Users Configuring a Portal-Free Rule A portal-free rule allows specified users to access specified external websites w

Page 3 - Portal System Components

1 Web Filtering Configuration This chapter includes these sections: • Introduction to Web Filtering • Configuring Web Filtering • Displaying and Main

Page 4 - Portal Authentication Modes

2 Processing procedure After receiving an HTTP request containing URL parameters, the device obtains the parameters according to the parameter transm

Page 5

3 the request is forwarded; otherwise, the suffix is replaced with “.block” and then the request is forwarded. • In addition to the default suffix “

Page 6

4 To do... Use the command... Remarks Enter system view system-view — Add an ActiveX blocking suffix keyword firewall http activex-blocking suffix

Page 7

5 Figure 1 Network diagram for URL parameter filtering configuration Configuration procedure # Configure IP addresses for the interfaces. (Omitted)

Page 8 - Configuration Prerequisites

6 Java Blocking Configuration Example Network requirements The hosts in the network segment 192.168.1.0/24 access the Internet through Device. Enable

Page 9

7 The configured ACL group is 2100. There are 0 packet(s) being filtered. There are 1 packet(s) being passed. Use the display firewall http java-b

Page 10

8 Invalid Use of Wildcard Symptom: When you configure a URL parameter filtering entry, the system prompts you that the wildcards are not used correct

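The Java/ActiveX blocking pages above (pages 5 to 10) describe the mechanism only in outline: a request whose file suffix is on the blocking list has that suffix rewritten to ".block" before the request is forwarded, so the origin server cannot serve it. The following is an added example that reproduces that rewrite in Python; it is not code from the manual or from H3C. The suffix lists, the host names and the percent-decoding and case-folding of the path are my assumptions and hardening, not behaviour the page states; on a real device the lists are whatever "firewall http java-blocking suffix" and "firewall http activex-blocking suffix" have been given, and the check is additionally scoped by an ACL (the page's counters refer to "ACL group 2100"), which is not modelled here.

```python
"""Suffix-based Java/ActiveX blocking, modelled on the Web Filtering chapter:
when the requested path ends in a blocking suffix, the device rewrites that
suffix to ".block" before forwarding, so the origin server has nothing to
serve. Constructed example, not the manual's own code."""
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumed default lists. The page shows that "firewall http activex-blocking
# suffix" adds keywords, so the real lists are whatever the device is given.
JAVA_SUFFIXES = (".class", ".jar")
ACTIVEX_SUFFIXES = (".ocx",)


def blocking_suffix(path, suffixes):
    """Return the blocking suffix that the decoded, lower-cased path ends with, or None."""
    decoded = unquote(path).lower()
    for suffix in suffixes:
        if decoded.endswith(suffix):
            return suffix
    return None


def rewrite_request(url, suffixes=JAVA_SUFFIXES + ACTIVEX_SUFFIXES):
    """Return (url_to_forward, blocked).

    The decision looks only at the path, percent-decoded and case-folded, so
    "Hello.CLASS", "Hello%2Eclass" and "Hello.class?x=1" are all caught; a
    filter that compares the raw URL string would miss every one of them."""
    parts = urlsplit(url)
    suffix = blocking_suffix(parts.path, suffixes)
    if suffix is None:
        return url, False
    path = unquote(parts.path)
    new_path = path[: -len(suffix)] + ".block"
    # Query string and fragment are dropped from the rewritten request.
    return urlunsplit((parts.scheme, parts.netloc, new_path, "", "")), True


if __name__ == "__main__":
    # www.example.com is a placeholder host, not one from the manual.
    for u in ("http://www.example.com/applets/Hello.class",
              "http://www.example.com/Hello.CLASS?v=1",
              "http://www.example.com/index.html"):
        print(u, "->", rewrite_request(u))
```

The point of the normalisation is the caveat a reviewer would raise against any suffix filter: if the comparison is done on the raw request line, a capitalised extension, a percent-encoded dot or a trailing query string walks straight through. Check how the device itself behaves with "display firewall http java-blocking" counters before relying on it.
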
Page 11

i Table of Contents Public Key Configuration

Page 12 - Configuration Manual

1 Public Key Configuration This chapter includes these sections: • Asymmetric Key Algorithm Overview • Configuring the Local Asymmetric Key Pair • Co

Page 13 - Portal Packets

10 To do… Use the command… Remarks Configure an authentication subnet portal auth-network network-address { mask-length | mask } Optional By defaul

Page 14

2 Asymmetric Key Algorithm Applications Asymmetric key algorithms can be used for encryption and digital signature: • Encryption – The sender uses t

Page 15 - 2. Probe parameters

3 Displaying or Exporting the Local RSA or DSA Host Public Key Display the local RSA or DSA host public key on the screen or export it to a specified

Page 16

4 NOTE: • If you choose to input the public key manually, be sure to input it in the correct format. The key data displayed by the display public-

Page 17 - Logging Off Portal Users

5 Public Key Configuration Examples Configuring the Public Key of a Peer Manually Network requirements As shown in Figure 2, Device A is authenticate

Page 18

6 ===================================================== Time of Key pair created: 09:50:07 2007/08/07 Key name: SERVER_KEY Key type: RSA Encryption

Page 19

7 Figure 3 Network diagram for importing the public key of a peer from a public key file Configuration procedure Step1 Create key pairs on Device

Page 20

8 Step2 Enable the FTP server function on Device B # Enable the FTP server function, create an FTP user with the username ftp and password 123 . <

Page 21 - Step2 Configure Device

i Table of Contents Connection Limit Configuration

Page 22

1 Connection Limit Configuration This chapter includes these sections: • Connection Limit Overview • Connection Limit Configuration Task List • Creat

Page 23

2 Configuring the Connection Limit Policy A connection limit policy contains one or more connection limit rules, each specifying an object or range f

Page 24 - DHCP Configuration

11 NOTE: The device selects the authentication domain for a portal user on an interface in this order: the ISP domain specified for the interface, t

Page 25

3 Displaying and Maintaining Connection Limiting To do… Use the command… Remarks Display information about the specified or all connection limit po

Page 26

4 # Configure connection limit rule 0 to limit connections from hosts on segment 192.168.0.0/24 to the external network per source address, with the

Page 27 - Functions

5 Solution Rearrange the two connection limit rules by exchanging their rule IDs so that the rule for the host is matched first. Connection Limit Rul

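The connection limit pages above (pages 23, 26 and 27) describe rules that are consulted in ascending rule ID, first match wins, which is why the troubleshooting entry tells you to swap the IDs when a per-host rule placed after a segment rule never takes effect. The following is an added example, not code from the manual, that models that selection order so the shadowing can be seen with numbers. The addresses are taken from the page's example (192.168.0.0/24); the host 192.168.0.2, the limits 100 and 10, and the per-source accounting are my assumptions.

```python
"""Connection-limit rule selection, modelled on the first-match-by-rule-ID
behaviour described in the Connection Limit chapter.

Each rule names a source range and a per-source maximum. The device walks
rules in ascending ID and applies the first one whose source range contains
the connecting host, so a narrow host rule placed after a broad segment rule
is never reached. Constructed example, not the manual's own code."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LimitRule:
    rule_id: int
    source: ipaddress.IPv4Network   # hosts this rule covers
    max_connections: int            # per-source ceiling (assumed semantics)


class ConnectionLimiter:
    def __init__(self, rules):
        # Lowest rule ID is consulted first, mirroring the device's match order.
        self.rules = sorted(rules, key=lambda r: r.rule_id)
        # Active connections counted per (rule, source host).
        self.active = defaultdict(int)

    def select(self, src):
        """Return the first rule (by ID) whose source range contains src, or None."""
        host = ipaddress.ip_address(src)
        for rule in self.rules:
            if host in rule.source:
                return rule
        return None

    def admit(self, src):
        """Admit one new connection from src unless its governing rule is at its limit."""
        rule = self.select(src)
        if rule is None:
            return True                      # no rule covers this host: unlimited
        key = (rule.rule_id, str(src))
        if self.active[key] >= rule.max_connections:
            return False
        self.active[key] += 1
        return True


def max_admitted(limiter, src, attempts=1000):
    """Count how many connection attempts from src the limiter admits."""
    return sum(1 for _ in range(attempts) if limiter.admit(src))


SEGMENT = ipaddress.ip_network("192.168.0.0/24")   # segment from the page's example
HOST = ipaddress.ip_network("192.168.0.2/32")      # assumed host needing a tighter limit

# Mis-ordered: the segment rule (ID 0) shadows the host rule (ID 1).
SHADOWED = [LimitRule(0, SEGMENT, 100), LimitRule(1, HOST, 10)]
# Fixed as the troubleshooting entry advises: swap the IDs so the host rule is matched first.
FIXED = [LimitRule(0, HOST, 10), LimitRule(1, SEGMENT, 100)]


def demo():
    """Admitted connections for the host under both orderings, and for another host."""
    return {
        "shadowed_host": max_admitted(ConnectionLimiter(SHADOWED), "192.168.0.2"),
        "fixed_host": max_admitted(ConnectionLimiter(FIXED), "192.168.0.2"),
        "fixed_other": max_admitted(ConnectionLimiter(FIXED), "192.168.0.3"),
    }


if __name__ == "__main__":
    print(demo())   # {'shadowed_host': 100, 'fixed_host': 10, 'fixed_other': 100}
```

Verify the real ordering on the device with the display command listed on page 25 rather than by reasoning about rule IDs from memory; the simulator only shows why the swap works.
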
Page 28

i Contents Firewall configuration

Page 29

1 Firewall configuration NOTE: The packet filter function supports only the IPv6 packet filtering configurations at the CLI. Firewall overview A

Page 30

2 Configuring a packet-filter firewall Packet-filter firewall configuration task list Complete the following tasks to configure a packet-filter firew

Page 31

3 Follow these steps to configure IPv6 packet filtering on an interface: To do... Use the command... Remarks Enter system view system-view — Ente

Page 32

i Table of Contents IPsec Configuration

Page 33

ii IKE Configuration Examples

Page 34 - Information Synchronization

1 IPsec Configuration This chapter includes these sections: • IPsec Overview • Configuring IPsec • Implementing ACL-Based IPsec • Implementing Tunnel

Page 35 - Configuration considerations

12 To do… Use the command… Remarks Specify the NAS-Port-Type value for the interface portal nas-port-type ethernet Required Not configured by defau

Page 36

2 Implementation of IPsec IPsec consists of a series of protocols for IP data security, including Authentication Header (AH), Encapsulating Security

Page 37

3 • Traffic-based lifetime: Defines the maximum traffic that an SA is allowed to process. An SA becomes invalid when its lifetime expires. Before an

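Page 37 above introduces the two SA lifetimes, time-based and traffic-based, and states that the SA becomes invalid when either expires. The following is an added example, not the manual's code, that keeps both counters for one SA and reports which limit it hit, with a soft threshold at which an implementation would start negotiating the replacement. The 1843200-kilobyte figure is the default visible in the page's own "display ipsec sa" output (page 69); the 3600-second figure, the soft fraction and the 1024-byte kilobyte are assumptions.

```python
"""Lifetime accounting for an IPsec SA with both a time-based and a
traffic-based lifetime, as the IPsec overview describes them.

Whichever limit is reached first invalidates the SA; a soft threshold below
that is where IKE would begin negotiating the replacement. Constructed
example, not code from the manual."""
from dataclasses import dataclass

KB = 1024   # assumed: the manual counts lifetime in kilobytes


@dataclass
class IpsecSA:
    spi: int
    created_at: float                    # seconds on whatever clock the caller uses
    time_lifetime_s: int = 3600          # assumed default
    traffic_lifetime_kb: int = 1843200   # default shown in the page's display output
    bytes_processed: int = 0

    def seconds_used(self, now):
        return now - self.created_at

    def kilobytes_used(self):
        return self.bytes_processed // KB

    def expiry_reason(self, now):
        """'time', 'traffic' or None; either limit alone expires the SA."""
        if self.seconds_used(now) >= self.time_lifetime_s:
            return "time"
        if self.kilobytes_used() >= self.traffic_lifetime_kb:
            return "traffic"
        return None

    def expired(self, now):
        return self.expiry_reason(now) is not None

    def needs_rekey(self, now, soft=0.9):
        """True once either counter passes the soft fraction of its limit."""
        time_frac = self.seconds_used(now) / self.time_lifetime_s
        traffic_frac = self.kilobytes_used() / self.traffic_lifetime_kb
        return max(time_frac, traffic_frac) >= soft

    def protect(self, nbytes, now):
        """Account for one packet; refuse to use an SA that has already expired.
        Returns the expiry reason if this packet exhausted the SA, else None."""
        if self.expired(now):
            raise RuntimeError(f"SA spi=0x{self.spi:08x} expired ({self.expiry_reason(now)})")
        self.bytes_processed += nbytes
        return self.expiry_reason(now)


if __name__ == "__main__":
    # SPI taken from the page's display output; timings are constructed.
    sa = IpsecSA(spi=0x75b6ef44, created_at=0.0)
    sa.protect(1843200 * KB * 95 // 100, now=10.0)
    print("rekey needed:", sa.needs_rekey(10.0), "expired:", sa.expired(10.0))
```

The practical consequence for a manual SA (page 54 notes that anti-replay checking does not apply to them, and manual SAs have no IKE to rekey them) is that the traffic counter is the only thing bounding how much data one static key protects; with IKE, set the soft threshold so the new SA is in place before either counter runs out.
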
Page 38

4 Negotiation modes There are two negotiation modes for setting up an SA: • Manual mode: In this mode, all information that an SA needs must be conf

Page 39

5 Figure 2 Encapsulation process of a clear text packet 1. The router forwards a clear text packet received on the inbound interface to the forwar

Page 40

6 policy to the IPsec tunnel interface; if you want to apply QoS to IPsec packets, apply the QoS to the physical interface. IPsec for IPv6 Routing Pr

Page 41

7 applying a manual IPsec policy to a certain IPv6 routing protocol, the packets of that protocol are IPsec protected. For configuration details, ref

Page 42 - Troubleshooting Portal

8 • Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is a rule rule 0 permit ip source 1.1.1.0 0.0.0.

Page 43

9 proposal 1 Configuration on Router B: acl number 3001 rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255 rule 1 deny ip # i

Page 44

10 Protection modes Currently, data flows can be protected in two modes: • Standard mode: One tunnel is used to protect one data flow. That is, th

Page 45 - ALG Configuration

11 To do… Use the command… Remarks Specify the authentication algorithm for ESP esp authentication-algorithm { md5 | sha1 } Optional MD5 by default

Page 46 - 2. Authenticating the user

13 To do… Use the command… Remarks Enter system view system-view — Enter interface view interface interface-type interface-number — Specify the sou

Page 47 - ALG Configuration Examples

12 • Both ends of an IPsec tunnel must be configured with the same key in the same format, and the keys of the inbound and outbound SAs at an end mu

Page 48

13 To do… Use the command… Remarks Configure the encryption key (in characters) sa string-key { inbound | outbound } esp string-key Configure the e

Page 49

14 To do… Use the command… Remark Configure an IPsec connection name connection-name name Optional By default, no IPsec connection name is configur

Page 50 - # Configure NAT

15 To do… Use the command… Remark Enter system view system-view — Create an IPsec policy template and enter its view ipsec policy-template templa

Page 51

16 • An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect. • With SAs to be es

Page 52 - RSH Configuration

17 • If the encryption engine is enabled, the engine takes over the responsibility of IPsec processing; • If the encryption engine is disabled or h

Page 53 - RSH Configuration Example

18 Enabling ACL Checking of De-Encapsulated IPsec Packets In tunnel mode, the IP packet that was encapsulated in an inbound IPsec packet may not be a

Page 54

19 IPsec anti-replay checking does not affect IPsec SAs created manually. Configuring Packet Information Pre-Extraction If you apply both an IPsec p

Page 55

20 Task Remarks Applying a QoS Policy to an IPsec Tunnel Interface Optional Enabling the Encryption Engine Optional Configuring the IPsec Anti-Repl

Page 56

21 To do… Use the command… Remarks Specify the IKE peer for the IPsec profile to reference ike-peer peer-name Required An IPsec profile cannot refe

Page 57 - SSH2.0 Configuration

14 example, once detecting that the portal server is unreachable, the access device will allow portal users to access network resources without authe

Page 58 - Authentication

22 To do… Use the command… Remarks Create a tunnel interface and enter its view interface tunnel number Required By default, no tunnel interface ex

Page 59 - Interaction

23 To do… Use the command… Remarks Apply a QoS policy to the IPsec tunnel interface qos apply policy policy-name { inbound | outbound } Required C

Page 60 - SSH Connection Across VPNs

24 To do… Use the command… Remarks Clear IPsec statistics reset ipsec statistics Available in user view IPsec Configuration Examples Example for

Page 61 - Security Volume

25 [DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha1 [DeviceA-ipsec-proposal-tran1] quit # Create an IPsec policy named map1 manually.

Page 62 - System Volume

26 # Create an IPsec policy manually. [DeviceB] ipsec policy use1 10 manual # Apply the ACL. [DeviceB-ipsec-policy-manual-use1-10] security acl 3101

Page 63 - Configuring an SSH User

27 # Create an IPsec proposal named tran1. [DeviceA] ipsec proposal tran1 # Specify the encapsulation mode as tunnel. [DeviceA-ipsec-proposal-tran1]

Page 64

28 [DeviceB-ipsec-proposal-tran1] transform esp # Specify the algorithms for the proposal. [DeviceB-ipsec-proposal-tran1] esp encryption-algorithm de

Page 65

29 Figure 7 Network diagram for setting up an IPsec tunnel with IPsec tunnel interfaces Configuration procedure 1. Configure Device A # Name the l

Page 66

30 # Set the tunnel destination address to 1.1.1.1, the source address of the remote peer. [DeviceA-Tunnel1] destination 1.1.1.1 # Apply IPsec profil

Page 67

31 # Apply IPsec profile btoa to tunnel interface Tunnel 1. [DeviceB-Tunnel1] ipsec profile btoa [DeviceB-Tunnel1] quit # Configure a static route to

Page 68

15 To do… Use the command… Remarks Enter system view system-view — Configure the portal server detection function portal server server-name server-

Page 69

32 [inbound ESP SAs] spi: 1974923076 (0x75b6ef44) proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa duration (kilobytes/sec): 1843200/

Page 70

33 To meet the above requirements, • Configure basic RIPng parameters. • Configure a manual IPsec policy. • Apply the IPsec policy to a RIPng p

Page 71

34 [DeviceA-ripng-1] quit 2. Configure Device B # Assign an IPv6 address to each interface. (Omitted) # Create a RIPng process and enable it on Giga

Page 72

35 # Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm t

Page 73

36 ----------------------------- IPsec policy name: "policy001" sequence number: 10 mode: manual -----------------------------

Page 74

1 IKE Configuration This chapter includes these sections: • IKE Overview • IKE Configuration Task List • Displaying and Maintaining IKE • IKE Configu

Page 75

2 PFS The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. It guarantees that decryption of a key makes no impa

Page 76

3 Functions of IKE • IKE automatically negotiates IPsec parameters such as the keys, reducing the manual configuration complexity greatly. • IKE al

Page 77

4 • Determine the strength of the algorithms for IKE negotiation, namely the security protection level, including the identity authentication method

Page 78

5 for a match. The search starts from the one with the lowest sequence number and proceeds in the ascending order of sequence number until a match is

Page 79

16 NOTE: • The user information synchronization function requires that a portal server supports the portal user heartbeat function (currently only

Page 80 - SFTP Service

6 To do… Use the command… Remarks Specify the IKE proposals for the IKE peer to reference proposal proposal-number&<1-6> Optional By defa

Page 81

7 To do… Use the command… Remarks Apply a DPD to the IKE peer dpd dpd-name Optional No DPD is applied to an IKE peer by default. For DPD configura

Page 82

8 To do… Use the command… Remarks Set the ISAKMP SA keepalive timeout ike sa keepalive-timer timeout seconds Required No keepalive packet is sent b

Page 83 - Working with SFTP Files

9 Disabling Next Payload Field Checking The Next payload field is in the generic payload header of the last payload of the IKE negotiation message (t

Page 84 - Displaying Help Information

10 Figure 11 Network diagram for IKE configuration Configuration procedure 1. Configure Device A # Configure an IKE peer. <DeviceA> system-v

Page 85

11 Example for Configuring IKE Aggressive Mode and NAT Traversal Network requirements • As shown in Figure 12, the branch office is connected to the

Page 86

12 [DeviceA-ipsec-proposal-prop] transform esp [DeviceA-ipsec-proposal-prop] esp encryption-algorithm des [DeviceA-ipsec-proposal-prop] esp authentic

Page 87

13 [DeviceB] ipsec policy policy 10 isakmp # Configure the IPsec policy to reference the IKE peer. [DeviceB-ipsec-policy-isakmp-policy-10] ike-peer p

Page 88

14 [DeviceA] ike proposal 1 [DeviceA-ike-proposal-1] authentication-algorithm sha [DeviceA-ike-proposal-1] authentication-method pre-share [DeviceA-i

Page 89

15 # Configure an ACL. [DeviceB] acl number 3101 [DeviceB-acl-adv-3101] rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.25

Page 90

17 To do… Use the command… Remarks Display information about portal users on a specified interface or all interfaces display portal user { all | in

Page 91 - SSL Configuration

16 [DeviceB-Dialer0] dialer-group 1 [DeviceB-Dialer0] dialer bundle 1 [DeviceB-Dialer0] ipsec policy policy [DeviceB-Dialer0] mtu 1492 [DeviceB-Diale

Page 92 - SSL Configuration Task List

17 Proposal Mismatch Symptom The proposals mismatch. Analysis Following is the debugging information: got NOTIFY of type NO_PROPOSAL_CHOSEN Or drop m

Page 93 - Configuration Procedure

18 Solution When a device has multiple peers, you are advised to configure ACLs on the device to distinguish the different data flows and try to avoid

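Page 78 above gives the IKE proposal search order (lowest sequence number first, ascending until a match) and pages 92 and 93 show what the failure looks like ("got NOTIFY of type NO_PROPOSAL_CHOSEN"). The following is an added example, not code from the manual, that models responder-side selection over two constructed proposal lists and raises the same notification when nothing matches. What is compared (encryption, hash, authentication method, DH group; lifetime excluded and the smaller value taken) and the default values in the dataclass are my reading of Comware behaviour, not statements on this page; confirm with "display ike proposal" on the device. The weak-parameter check is the caveat I would add: the page's own examples use DES and MD5.

```python
"""Responder-side IKE proposal selection, following the search order stated in
the IKE chapter: walk the responder's proposals from the lowest sequence
number upward and take the first that matches any proposal the initiator
offered; otherwise the initiator sees NO_PROPOSAL_CHOSEN. Constructed
example, not the manual's code; defaults and match fields are assumptions."""
from dataclasses import dataclass


class NoProposalChosen(Exception):
    """Counterpart of the 'got NOTIFY of type NO_PROPOSAL_CHOSEN' debug line."""


@dataclass(frozen=True)
class IkeProposal:
    seq: int
    encryption: str = "des-cbc"      # assumed default
    hash_alg: str = "sha"            # assumed default
    auth_method: str = "pre-share"   # assumed default
    dh: str = "group1"               # assumed default
    lifetime: int = 86400            # assumed default, seconds

    def matches(self, other):
        """Lifetime is deliberately left out of the comparison."""
        return (self.encryption, self.hash_alg, self.auth_method, self.dh) == (
            other.encryption, other.hash_alg, other.auth_method, other.dh)


def negotiate(responder, initiator):
    """Return (chosen responder proposal, negotiated lifetime) or raise NoProposalChosen."""
    for local in sorted(responder, key=lambda p: p.seq):
        for remote in initiator:
            if local.matches(remote):
                return local, min(local.lifetime, remote.lifetime)
    offered = ", ".join(f"seq {p.seq} {p.encryption}/{p.hash_alg}/{p.dh}" for p in initiator)
    raise NoProposalChosen(f"no responder proposal matches any of: {offered}")


WEAK = {"des-cbc", "md5", "group1"}


def weak_parameters(proposal):
    """Parameters a reviewer should flag; DES and MD5 both appear in the page's examples."""
    return sorted({proposal.encryption, proposal.hash_alg, proposal.dh} & WEAK)


# Constructed proposal lists. Device A initiates; Device B answers.
DEVICE_A = [IkeProposal(1, "3des-cbc", "sha", "pre-share", "group2"), IkeProposal(10)]
DEVICE_B = [IkeProposal(1, "aes-cbc", "sha", "pre-share", "group2", 3600),
            IkeProposal(5, "3des-cbc", "sha", "pre-share", "group2", 3600)]


def demo():
    """Responder B's seq 1 (AES) matches nothing A offered, so B's seq 5 is chosen."""
    chosen, lifetime = negotiate(DEVICE_B, DEVICE_A)
    return chosen.seq, lifetime, weak_parameters(chosen)


if __name__ == "__main__":
    print(demo())   # (5, 3600, [])
    try:
        negotiate([DEVICE_B[0]], DEVICE_A)
    except NoProposalChosen as e:
        print("NO_PROPOSAL_CHOSEN:", e)
```

Because the responder walks its own list, the responder's ordering decides which common proposal wins; put the strongest proposal at the lowest sequence number on both ends and remove the DES/MD5/group1 fallback once every peer has been upgraded, otherwise a peer that only offers the weak set still gets it.
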
Pagina 94

18 NOTE: • You need to configure IP addresses for the host, Device, and servers as shown in Figure 4 and ensure that they can reach each other. •

Pagina 95

1 Portal Configuration This chapter includes these sections: • Portal Overview • Portal Configuration Task List • Displaying and Maintaining Portal •

Pagina 96

19 Figure 6 Add an IP address group # Add a portal device. Select Portal Service Management > Device from the navigation tree to enter the porta

Pagina 97 - Troubleshooting SSL

20 Figure 8 Device list On the port group configuration page, click Add to enter the page for adding a port group, as shown in Figure 9. Perform th

Pagina 98

21 [Device-radius-rs1] key authentication radius [Device-radius-rs1] key accounting radius # Specify that the ISP domain name should not be included

Pagina 99

22 State:ONLINE SubState:NONE ACL:NONE Work-mode:stand-alone MAC IP Vlan Interface ------------------------------

Pagina 100 - Web Filtering Configuration

23 NOTE: • For re-DHCP authentication, you need to configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10

Pagina 101 - ActiveX Blocking

24 [Device] domain default enable dm1 Step3 Configure portal authentication # Configure the portal server as follows: • Name: newpt • IP address:

Pagina 102 - Configuring Web Filtering

25 Figure 11 Configure Layer 3 portal authentication Device AHost8.8.8.2/24GE0/220.20.20.1/24Portal server192.168.0.111/24RADIUS server192.168.0.112/

Pagina 103 - Network requirements

26 # Configure the ISP domain to use RADIUS scheme rs1. [DeviceA-isp-dm1] authentication portal radius-scheme rs1 [DeviceA-isp-dm1] authorization por

Pagina 104 - Configuration procedure

27 Figure 12 Configure direct portal authentication with extended functions DeviceHost2.2.2.2/24Gateway : 2.2.2.1/24GE0/22.2.2.1/24GE0/1192.168.0.100

Pagina 105

28 # Configure the ISP domain to use RADIUS scheme rs1. [Device-isp-dm1] authentication portal radius-scheme rs1 [Device-isp-dm1] authorization porta

Pagina 106

2 • Resource access limit: A user passing identity authentication can access only network resources in the quarantined area, such as the anti-virus

Pagina 107 - Invalid Blocking Suffix

29 portal authentication, the host uses an assigned private IP address. After passing the authentication, the host can get a public IP address. • Wh

Pagina 108

30 # Set the server type for the RADIUS scheme. When using the CAMS or iMC server, you need set the server type to extended. [Device-radius-rs1] ser

Pagina 109 - Public Key Configuration

31 • U R L : h t t p : / / 19 2.16 8 . 0 .111:8080/portal. [Device] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0

Pagina 110

32 NOTE: • Make sure that the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.2

Pagina 111

33 NOTE: On the security policy server, you need to specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL. [DeviceA] acl number 3

Pagina 112

34 Figure 15 Network diagram for configuring portal server detection and portal user synchronization DeviceHost2.2.2.2/24Gateway : 2.2.2.1/24GE0/22.2

Pagina 113

35 Figure 16 Portal server configuration # Configure an IP address group. Select Portal Service Management > IP Group from the navigation tree t

Pagina 114

36 Figure 18 Add a portal device # Associate the portal device with the IP address group. As shown in Figure 19, on the device list, click the icon

Pagina 115

37 Figure 20 Add a port group # Select Service Parameters > Validate System Configuration from the navigation tree to make the above configurati

Pagina 116

38 # Configure dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and

Pagina 117

3 Portal server Server that listens to authentication requests from authentication clients and exchanges client authentication information with the a

Pagina 118 - Connection Limit Overview

39 URL : http://192.168.0.111:8080/portal Status : Up Layer 3 Portal Authentication Across VPNs Network requirements As shown in Figure 21

Pagina 119

40 [DeviceA-radius-rs1] user-name-format without-domain # Specify the source IP address for outgoing RADIUS packets as 3.3.0.3. [DeviceA-radius-rs1]

Pagina 120

41 ACL:NONE Work-mode:stand-alone VPN instance:vpn1 MAC IP Vlan Interface ----------------------------------------

Pagina 121 - Analysis

42 Solution Use the display portal server command to display the listening port of the portal server configured on the access device and use the port

Pagina 122 - Solution

i Table of Contents ALG Configuration·················································································································

Pagina 123 - Contents

1 ALG Configuration This chapter includes these sections: • ALG Overview • Enabling ALG • ALG Configuration Examples ALG Overview The Application Lev

Pagina 124 - Firewall configuration

2 • Real-Time Streaming Protocol (RTSP) • Skinny Client Control Protocol (SCCP) • Session Initiation Protocol (SIP) • SQLNET (a language in Ora

Pagina 125

3 If the host passes the authentication, a data connection is established between it and the server. Note that if the host is accessing the server in

Pagina 126

4 Figure 2 Network diagram for FTP ALG configuration Configuration procedure # Configure the address pool and ACL. <Device> system-view [Devi

Pagina 127

5 Figure 3 Network diagram for SIP ALG configuration Configuration procedure # Configure the address pool and ACL. <Device> system-view [Devi

Pagina 128

4 • Direct authentication Before authentication, a user manually configures a public IP address or directly obtains a public IP address through DHCP

Pagina 129 - IPsec Configuration

6 <Device> system-view [Device] nat static 192.168.1.3 5.5.5.9 # Enable ALG for NBT. [Device] alg nbt # Configure NAT. [Device] interface gigab

Pagina 130 - Basic Concepts of IPsec

i Table of Contents RSH Configuration ················································································································

Pagina 131 - Encapsulation modes

1 RSH Configuration This chapter includes these sections: • Introduction to RSH • Configuring RSH • RSH Configuration Example Introduction to RSH Re

Pagina 132 - IPsec Tunnel Interface

2 . NOTE: If RSH daemon authentication is enabled on the remote host, you must provide the username configuredon the remote host in advance RSH Co

Pagina 133

3 Figure 4 Services window Step3 Check for the Remote Shell Daemon entry. If it does not exist, install the daemon first. Step4 Look at the Statu

Pagina 134 - Configuring IPsec

4 # Set the time of the host remotely. <Device>rsh 192.168.1.10 command time Trying 192.168.1.10 ... Press CTRL+K to abort The current time is:

Pagina 135 - Implementing ACL-Based IPsec

i Table of Contents SSH2.0 Configuration ·············································································································

Pagina 136

1 SSH2.0 Configuration This chapter includes these sections: • SSH2.0 Overview • Configuring the Device as an SSH Server • Configuring the Device as

Pagina 137 - Mirror image ACLs

2 Stages Description Interaction After the server grants the request, the client and server start to communicate with each other. Version negotiatio

Pagina 138 - Protection modes

3 • Password authentication: The server uses AAA for authentication of the client. During password authentication, the client encrypts its username

Pagina 139 - Configuring an IPsec Policy

5 The direct authentication/cross-subnet authentication process is as follows: Step1 An authentication client initiates authentication by sending an

Pagina 140

4 NOTE: • In the interaction stage, you can execute commands from the client by pasting the commands in text format (the text must be within 2000

Pagina 141

5 Generating a DSA or RSA Key Pair In the key and algorithm negotiation stage, the DSA or RSA key pair is required to generate the session ID and fo

Pagina 142

6 Follow these steps to configure the protocols for the current user interface to support: To do… Use the command… Remarks Enter system view system

Pagina 143 - NOTE:

7 To do… Use the command… Remarks Enter public key code view public-key-code begin — Configure a client public key Enter the content of the public

Pagina 144

8 To do… Use the command… Remarks For all users or SFTP users ssh user username service-type { all | sftp } authentication-type { password | { any

Pagina 145

9 • Setting the maximum number of SSH authentication attempts Setting the above parameters can help avoid malicious guess at and cracking of the ke

Pagina 146

10 To do… Use the command… Remarks Specify a source IPv4 address or interface for the SSH client ssh client source { ip ip-address | interface inte

Pagina 147

11 To do... Use the command… Remarks Configure the server host public key See Configuring a Client Public Key Required The method for configuring t

Pagina 148 - Configuring an IPsec Profile

12 To do… Use the command… Remarks Display the source IP address or interface currently set for the SSH client display ssh client source Available

Pagina 149

13 [Device] ssh server enable # Configure an IP address for interface GigabitEthernet 0/1, which the SSH client will use as the destination for SSH c

Pagina 150 - IP Services Volume

6 The re-DHCP authentication process is as follows: Step 1 through step 6 are the same as those in the direct authentication/cross-subnet authenticat

Pagina 151

14 Figure 3 SSH client configuration interface In the window shown in Figure 3, click Open to connect to the server. If the connection is normal, y

Page 152 - IPsec Configuration Examples

15 NOTE: During SSH server configuration, the client public key is required. Therefore, you are recommended to use the client software to generate a

Page 153 - 2. Configure Device B

16 Figure 6 Generate a key pair on the client 2) After the key pair is generated, click Save public key and specify the file name as key.pub to sav

Page 154

17 Figure 7 Generate a key pair on the client 3) Likewise, to save the private key, click Save private key. A warning window pops up to prompt you

Page 155

18 [Device-GigabitEthernet0/1] quit # Set the authentication mode for the user interfaces to AAA. [Device] user-interface vty 0 4 [Device-ui-vty0-4]

Page 156

19 Select Connection > SSH > Auth from the navigation tree. The following window appears. Click Browse… to bring up the file selection window,

Page 157 - Configuration procedure

20 Configuration procedure Step 1 Configure the SSH server # Create RSA and DSA key pairs and enable the SSH server. <DeviceB> system-view [Dev

Page 158

21 Do you want to save the server public key? [Y/N]:n Enter password: After you enter the correct password, you can log into Device B successfully. •

Page 159

22 After you enter the correct username and password, you can log into Device B successfully. When Device Acts as Client for Publickey Authentication

Page 160

23 # Set the authentication mode for the user interfaces to AAA. [DeviceB] user-interface vty 0 4 [DeviceB-ui-vty0-4] authentication-mode scheme # En

Page 161

7 Configuration Prerequisites The portal feature provides a solution for user identity authentication and security check. However, the portal feature

Page 162 - 3. Configure Device C

1 SFTP Service This chapter includes these sections: • SFTP Overview • Configuring the Device as an SFTP Server • Configuring the Device as an SFTP Clie

Page 163

2 NOTE: When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file

Page 164

3 To do… Use the command… Remarks Establish a connection to the remote IPv4 SFTP server and enter SFTP client view sftp server [ port-number ] [ vp

Page 165 - IKE Configuration

4 To do… Use the command… Remarks Display the current working directory of the remote SFTP server pwd Optional dir [ -a | -l ] [ remote-path ] Disp

Page 166 - Operation of IKE

5 Displaying Help Information This configuration task is to display a list of all commands or the help information of an SFTP client command, such as

Page 167 - IKE Configuration Task List

6 NOTE: During SFTP server configuration, the client public key is required. Therefore, you are recommended to use the client software to generate

Page 168 - Configuring an IKE Proposal

7 <DeviceA> sftp 192.168.0.1 identity-key rsa Input Username: client001 Trying 192.168.0.1 ... Press CTRL+K to abort Connected to 192.168.0.1 .

Page 169 - Configuring an IKE Peer

8 -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noo

Page 170

9 # Generate RSA and DSA key pairs and enable the SSH server. <Device> system-view [Device] public-key local create rsa [Device] public-key loc

Page 171 - Setting Keepalive Timers

10 Figure 15 SFTP client interface

Page 172 - Configuring a DPD

8 CAUTION: • At present, the access device allows you to specify up to four portal servers. • The specified parameters of a portal server can be m

Page 173 - IKE Configuration Examples

i Table of Contents SSL Configuration·················································································································

Page 174

1 SSL Configuration This chapter includes these sections: • SSL Overview • SSL Configuration Task List • Displaying and Maintaining SSL • Troublesh

Page 175 - Traversal

2 NOTE: • For more information about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, see Public Key Configuration

Page 176

3 Configuring an SSL Server Policy An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes

Page 177

4 To do... Use the command... Remarks Configure the policy to use a hardware encryption card for SSL encryption and decryption crypto-accelerator

Page 178

5 Configuration procedure Step 1 Configure the HTTPS server (Device) # Create a PKI entity named en, and configure the common name as http-server1

Page 179

6 On Host, launch IE, enter http://10.1.2.2/certsrv in the address bar and request a certificate for Host as prompted. Step 3 Verify your configura

Page 180 - Troubleshooting IKE

7 To do… Use the command… Remarks Enable certificate-based SSL server authentication server-verify enable Optional Enabled by default NOTE: If

Page 181 - ACL Configuration Error

8 Step 2 You can use the display ssl server-policy command to view the cipher suites that the SSL server policy supports. If the server and the cli

Page 182

i Table of Contents Web Filtering Configuration ······································································································
