H3C SecPath Series High-End Firewalls Attack Protection Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.co
2 Enabling the blacklist function 1. From the navigation tree, select Intrusion Detection > Blacklist to enter the blacklist management page. 2.
3 Item Description Permanence Configure the entry to be a permanent one. Viewing the blacklist From the navigation tree, select Intrusion Detection
4 Configuration procedure 1. Assign IP addresses to the interfaces. (Details not shown.) 2. From the navigation tree, select Intrusion Detection &g
5 8. Select Intrusion Detection > Traffic Abnormality > Scanning Detection from the navigation tree. The page for configuring scanning detect
6 Configuring packet inspection The packet inspection configuration is available only in the Web interface. Overview A single-packet attack, or malfo
7 Attack type Description Smurf A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address of the target network. As a r
8 Item Description Enable WinNuke Attack Detection Enable or disable detection of WinNuke attacks. Enable TCP Flag Attack Detection Enable or disab
9 Figure 10 Enabling Land and Smurf attack detection for the untrusted zone 3. Select Untrust from the Zone list, select Discard Packets when the
10 Configuring traffic abnormality detection The traffic abnormality detection configuration is available only in the Web interface. Overview The tra
11 Connection limit When an internal user initiates a large number of connections to a host on the external network in a short period of time, system
Copyright © 2011-2013, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi
12 Figure 11 ICMP flood detection configuration page To configure ICMP flood detection, follow these steps: 1. In the Attack Prevention Policy are
13 Table 5 Configuration items Item Description Protected Host Configuration IP Address Specify the IP address of the protected host. Action Thres
14 Figure 13 UDP flood detection configuration page To configure UDP flood detection, follow these steps: 1. In the Attack Prevention Policy area,
15 Item Description Action Threshold Set the protection action threshold for UDP flood attacks that target the protected host. If the sending rate o
16 Figure 15 DNS flood detection configuration page To configure DNS flood detection, follow these steps: 1. In the DNS Flood Attack Prevention Po
17 Item Description Global Configuration of Security Zone Action Threshold Set the protection action threshold for DNS flood attacks that target a h
18 security zone, all TCP connection requests to the IP address will be processed by the TCP proxy until the protected IP entry gets aged out. If you
19 NOTE: Host-specific settings take precedence over the global settings for security zones. Configuring connection limit From the navigation tree
20 then view and configure the scanning detection rule for the security zone. Table 10 lists the scanning detection configuration items. Figure 20 S
21 Figure 21 Network diagram Configuration considerations To satisfy the requirements, perform the following configurations on the SecPath: • Conf
Preface The H3C SecPath Series High-End Firewalls documentation set includes 10 configuration guides, which describe the software features for the H3C
22 Figure 22 Enabling the blacklist feature Perform the following operations on the page: • In the Global Configuration area, select the Enable Bl
23 Figure 24 Configuring connection limit for the trusted zone Perform the following operations on the page: • Select zone Trust. • Select the Di
24 Figure 26 Configuring SYN flood detection for the DMZ Perform the following operations on the page: • Select zone DMZ. • In the Attack Prevent
25 Verifying the configuration • After a scanning attack packet is received from zone Untrust, SecPath should output alarm logs and add the IP addre
26 Configuring URPF URPF configuration is available only in the web interface. URPF overview What is URPF Unicast Reverse Path Forwarding (URPF) prot
27 ◦ If the default route is available but the allow-default-route option is not selected, the packet is rejected no matter which check approach is
28 URPF configuration example In this configuration example, either Device A or Device B is the SecPath firewall. Network requirements As shown in Fi
29 Figure 32 Configuring ACL 2010 • Select Permit in Operation. • Select Source IP Address and enter 10.1.1.0 in the field. • Enter 0.0.0.255
30 • Select Intrusion Detection > URPF Check from the navigation tree and perform the following operations, as shown in Figure 34. Figure 34 Conf
31 Configuring TCP proxy The TCP proxy configuration is available only in the Web interface. Overview SYN flood attack As a general rule, the establi
Convention Description &<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times
32 Figure 35 Network diagram for unidirectional proxy Figure 36 Network diagram for unidirectional/bidirectional proxy TCP proxy working mechanis
33 Bidirectional proxy Figure 38 Data exchange process in bidirectional proxy mode After receiving a SYN message from a client to the protected ser
34 Performing global TCP proxy setting Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree to enter the p
35 Figure 40 Protected IP address entries Figure 41 Protected IP address entry configuration page Table 13 Configuration items Item Description
36 TCP proxy configuration example Network requirements As shown in Figure 42, configure bidirectional TCP proxy on SecPath to protect Server A, Serv
37 Figure 44 Adding an IP address entry for protection • Enter 20.0.0.10 in the Protected IP Address field. • Click Apply. # Configure the SYN fl
38 Figure 46 Configuring global settings • Select Global Configuration of Security Zone. • Click Apply. Configuration guidelines Follow these gui
39 Configuring IDS collaboration Feature and hardware compatibility Feature F1000-A-EI/E-SI/S-AI F1000-E F5000-A5 Firewall module IDS collaboration
40 Figure 48 Enable IDS collaboration Configuration guidelines When you configure IDS collaboration, follow these guidelines: • Both the firewall
41 Displaying intrusion detection statistics The intrusion detection configuration is available only in the Web interface. Overview Intrusion detecti
Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical D
42 Figure 49 Intrusion detection statistics Table 15 Field description Field Description Fraggle A Fraggle attack occurs when an attacker sends lar
43 Field Description Scan A scanning attack probes the addresses and ports on a network to identify the hosts attached to the network and application
44 Configuring ARP attack protection The Address Resolution Protocol (ARP) is easy to use, but it is often exploited by attackers because of its lack
45 interface regularly. In this way, the hosts on the network segment can learn the correct gateway address information and can therefore access the
46 Figure 50 Configuring periodic sending of gratuitous ARP packets Table 16 Configuration items Item Description Sending Interface Specify an inte
47 • Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes up and an IP address has been assigned
48 ARP automatic scanning may take a long time. You can abort the scanning by clicking Interrupt on the ARP scan page. To configure ARP automatic sca
49 Configuring fixed ARP in the web interface When you configure fixed ARP, follow these guidelines: • The static ARP entries resulting from convers
50 • Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dyna
51 Configuring TCP attack protection Overview An attacker can attack the device during the process of TCP connection establishment. To prevent such a
i Contents Configuring blacklist
52 Enabling protection against Naptha attacks Naptha attacks are similar to the SYN Flood attacks. Attackers can perform Naptha attacks by using the
53 Configuring firewall NOTE: The firewall configuration is available only at the CLI. Overview A firewall can block unauthorized accesses from t
54 Enabling the IPv6 firewall function Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the IPv6 firewall function. firewall
55 IPv6 packet filtering is a basic firewall function of an IPv6-based ACL. You can configure IPv6 packet filtering in the inbound or outbound direct
56 Configuring content filtering The content filtering configuration is available only in the Web interface. Overview With content filtering configur
57 • ActiveX blocking—Blocks ActiveX plugin requests to untrusted websites, protecting networks from being attacked by malicious ActiveX plugins. •
58 • Command word filtering—Blocks FTP requests that carry the specified command words. NOTE: FTP command words refer to the command words carrie
59 Table 18 Filtering entries and filtering keywords configuration task list Task Description Configuring keyword filtering entries Keyword filtering
60 Table 19 Content filtering policy configuration task list Task Description Configuring an HTTP filtering policy By default, no HTTP filtering poli
61 Configuring keyword filtering entries Select Identification > Content Filtering > Filtering Entry from the navigation tree. The keyword filt
ii Enabling TCP proxy for a security zone
62 Item Description Protocol Specify the protocol for which the keyword filtering entry is configured. The protocol can be HTTP, SMTP, POP3, FTP, and
63 Item Description Protocol Specify the protocol for which the URL hostname filtering entry is configured. The protocol can only be HTTP. URL hostna
64 Item Description Filename Specify filename keywords for the filename filtering entry. You can specify up to 16 filename keywords separated by com
65 Table 26 Configuration items Item Description Name Specify the name of the email address filtering entry. Email Address Specify email address key
66 Figure 62 Adding a URL parameter filtering keyword Table 27 Configuration item Item Description Keyword Specify a URL parameter filtering keywor
67 Table 28 Configuration item Item Description Keyword Specify a suffix keyword for Java blocking. See Figure 64 for the requirements on a keyword.
68 Figure 67 HTTP filtering policy list Figure 68 Adding an HTTP filtering policy Table 30 Configuration items Item Description Name Specify the
69 Item Description URL IP Blocking Specify whether to prevent internal users from using IP addresses in URLs to access websites. URL Parameter Filte
70 Figure 70 Adding an SMTP filtering policy Table 31 Configuration items Item Description Name Specify the name for the SMTP filtering policy. Se
71 Item Description Attachment Content Filtering Select the filtering entries to be used for attachment content filtering. Available filtering entrie
iii Configuring URL parameter filtering keywords 65
72 Figure 72 Adding a POP3 filtering policy Table 32 Configuration items Item Description Name Specify the name for the POP3 filtering policy. Sen
73 Item Description Enable Logging Specify whether to log packet matching events. IMPORTANT: The logging function takes effect only when it is enab
74 Table 33 Configuration items Item Description Name Specify the name for the FTP filtering policy. Command Filtering Select the filtering entries
75 Figure 76 Adding a Telnet filtering policy Table 34 Configuration items Item Description Name Specify the name for the Telnet filtering policy.
76 Figure 78 Adding a content filtering policy template Table 35 Configuration items Item Description Name Enter the name of the content filtering
77 Figure 79 Statistic information Content filtering configuration example Network requirements As shown in Figure 80, hosts in LAN segment 192.168
78 Figure 80 Network diagram Configuration procedures 1. Configure IP addresses for the interfaces of the SecPath firewall and assign the interfac
79 Figure 82 Configuring Telnet keyword filtering entry reboot ◦ Enter the entry name reboot_telnet. ◦ Enter the keyword reboot. ◦ Select protoc
80 Figure 84 Configuring an FTP filename filtering entry abc ◦ Enter the entry name abc_ftp. ◦ Enter the filename keyword abc. ◦ Select protocol
81 Figure 85 Configuring an HTTP filtering policy without Java applet blocking ◦ Enter the policy name http_policy1. ◦ Click the expansion button
1 Configuring blacklist The blacklist configuration is available only in the web interface. Overview Blacklist is an attack prevention mechanism that
82 Figure 86 Configuring an HTTP filtering policy with Java applet blocking ◦ Enter the policy name http_policy2. ◦ Click the expansion button be
83 Figure 87 Configuring an SMTP filtering policy ◦ Enter the policy name smtp_policy. ◦ Click the expansion button before Attachment Filtering.
84 # Configure an FTP filtering policy. ◦ Click the FTP Policy tab, and then click Add to perform the configurations shown in Figure 88. Figure 88 C
85 Figure 89 Configuring a Telnet filtering policy ◦ Enter the policy name telnet_policy. ◦ Click the expansion button before Command Filtering.
86 ◦ Select HTTP filtering policy http_policy1. ◦ Select SMTP filtering policy smtp_policy. ◦ Select FTP filtering policy ftp_policy. ◦ Select Te
87 Figure 92 Configuring the interzone policy referencing the template without Java applet blocking ◦ Select Trust as the source zone. ◦ Select U
88 Figure 93 Configuring the interzone policy referencing the template with Java applet blocking ◦ Select any_address as the source IP address and
89 Figure 94 Content filtering statistics Configuration guidelines 1. Wildcard usage in URL hostname filtering keywords: ◦ The caret (^) matches
90 ◦ A keyword with no wildcard used at the beginning and end indicates a fuzzy match, and matches website addresses containing the keyword. ◦ If y
91 Index A B C D E F O P R T U V A Adding a blacklist entry manually, 2 B Blacklist configuration example, 3 C Configuration guidelines, 38 Configurati