eSight V300R009C00 Operation Guide 09

Configuring Security Services

When the deployment of a policy, ASPF configuration, anti-attack configuration, or junk mail filtering configuration fails, or device data from before the deployment needs to be restored, you can click in the Operation column of the related task on the deployment task page, select devices, and either execute the deployment again or restore the device data.

Configuring Policies

A policy is a rule configuration mode that defines traffic matching conditions and traffic processing actions.

A policy is composed of rules, and a rule contains many elements such as conditions, actions, and options:

  • Condition: Conditions are used to filter packets. Conditions include the source security zone, destination security zone, source address or region, destination address or region, user or security group, service (source port, destination port, and protocol type), application, and schedule.

    Elements in conditions are public objects.

  • Action: The NGFW takes an action on the packets that match the conditions. The action can be allow, block, or content security check.

    A content security detection mechanism is provided to check traffic content based on conditions in security profiles and perform actions specified in security profiles based on the detection result.

  • Option: You can configure additional options for a rule, such as whether to enable the log function and whether to apply this rule.
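The policy model described above, worked through as an added Python example that is not eSight's or the NGFW's own code: public objects are named sets, a rule combines conditions with an action and the enable/log options, and the first enabled rule that matches a packet decides its fate. The object names, the default-deny fallback and the sample rules are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Public objects (constructed sample data, not from eSight) that rules reference by name.
ADDRESS_SETS = {"intranet": [ip_network("10.0.0.0/8")], "dmz_web": [ip_network("192.0.2.0/24")]}
SERVICES = {"http": ("tcp", 80), "dns": ("udp", 53)}  # protocol, destination port
SCHEDULES = {"work_hours": (9, 18)}                   # start hour inclusive, end exclusive

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    hour: int  # hour of day the packet arrives, used for schedule matching

@dataclass
class Rule:
    name: str
    action: str                      # "allow", "block" or "content_check"
    src_zone: Optional[str] = None   # None means "any" for every condition below
    dst_zone: Optional[str] = None
    src_addr: Optional[str] = None   # name of an address set
    dst_addr: Optional[str] = None
    service: Optional[str] = None    # name of a service object
    schedule: Optional[str] = None   # name of a schedule object
    profiles: List[str] = field(default_factory=list)  # security profiles for content_check
    enabled: bool = True             # the "apply this rule" option
    log: bool = False                # the "enable log" option

def matches(rule: Rule, pkt: Packet) -> bool:
    """All configured conditions must hold; an unset condition matches anything."""
    start, end = SCHEDULES.get(rule.schedule, (0, 24))
    return all([
        rule.src_zone is None or rule.src_zone == pkt.src_zone,
        rule.dst_zone is None or rule.dst_zone == pkt.dst_zone,
        rule.src_addr is None or any(ip_address(pkt.src_ip) in n for n in ADDRESS_SETS[rule.src_addr]),
        rule.dst_addr is None or any(ip_address(pkt.dst_ip) in n for n in ADDRESS_SETS[rule.dst_addr]),
        rule.service is None or SERVICES[rule.service] == (pkt.proto, pkt.dst_port),
        start <= pkt.hour < end,
    ])

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, List[str]]:
    """First enabled matching rule decides; no match falls to an assumed default deny."""
    for rule in rules:
        if rule.enabled and matches(rule, pkt):
            return rule.name, rule.action, list(rule.profiles)
    return "default", "block", []

def sample_rules() -> List[Rule]:
    """Constructed rule set: disabled legacy rule, inbound web with IPS/AV, DNS in work hours, block-all."""
    return [
        Rule("legacy_allow_any", "allow", enabled=False),
        Rule("web_in", "content_check", src_zone="untrust", dst_zone="dmz",
             dst_addr="dmz_web", service="http", profiles=["ips_default", "av_default"]),
        Rule("dns_out", "allow", src_zone="trust", src_addr="intranet",
             service="dns", schedule="work_hours", log=True),
        Rule("block_all", "block"),
    ]
```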
Operation Procedure

1. Configure public objects.

   A public object is a set of elements that are defined in advance and can be referenced by policies or profiles. You can define objects in a centralized data plan to simplify configuration. Public objects are referenced by security profiles or policies.

2. Create security profiles.

   A security profile is a special object for security policies: a set of content security check and protection rules. You can use a security profile to define the threats that a security function identifies, as well as the countermeasures. Each security function has its own security profiles. You can configure a security policy that references multiple security profiles for one traffic flow to implement multi-dimensional content security checks and protection for that flow. Security profiles are referenced by security policies.

3. Configure policies.

   Policies control the actions taken on traffic.

Configuring Public Objects


Creating Security Profiles
  1. Choose Resource > Network > Security Business > Secure Center from the main menu.

  2. Perform corresponding operations based on the site requirements.

    Public Object

    Operation

    Function

    Description

    Security zone

    Choose Objects Management > Zones from the navigation tree on the left. Click and set security zone parameters.

    A security zone is a set of the networks connected by interfaces. Users on these networks have the same security attributes.

    Address or address set

    Choose Objects Management > Addresses from the navigation tree on the left. Click and set address set parameters.

    If the dynamic mapping between devices and address sets needs to be configured, set Mapping status to ON, click Create, and configure the mapping address scope of each device.

    Object address is a set of IP addresses or MAC addresses.

    To perform control over the traffic with specific source or destination IP addresses, you are advised to create an address set and reference the address set in the security policy.

    If a policy references the dynamic mapping between devices and the address set, the system deploys addresses for devices based on the mapping.

    Region or region group

    Choose Objects Management > Regions from the navigation tree on the left. Click and set region parameters.

    A region is a collection of public network IP addresses. A region group can contain multiple regions or existing region groups. Regions and region groups can be referenced by policies to implement region-based control.

    Service or service group

    Choose Objects Management > Services from the navigation tree on the left. Click and set service or service group parameters.

    A service object is a set of TCP/UDP ports or ICMP/SCTP parameter rules. Network applications and communication protocols use specific TCP/UDP ports or ICMP/SCTP packets to communicate, so you can define services to match these applications or protocols.

    To perform control over the traffic of a specific protocol, you are advised to configure the corresponding service and reference the service in the security policy.

    Schedule

    Choose Objects Management > Schedules from the navigation tree on the left. Click and set schedule parameters.

    A schedule object is a set of time ranges. A schedule controls the valid time ranges of a policy, so the NGFW can apply different policies at different times.

    To perform control over the traffic within a specific schedule, you are advised to create a schedule and reference the schedule in the security policy.

    User or user group

    Choose Objects Management > Users from the navigation tree on the left.

    • Configure a user group.

      Choose Create > Create User Group and set user group parameters.

    • Configure a user.
      • To configure a single user, choose Create > Create User, set Create type to Single user, and set user parameters.
      • To configure multiple users, choose Create > Create User, set Create type to Multi users, and set user parameters.
      • To configure users in a batch, click , download the template, edit user information, and upload the template.

    Users refer to the ones who must pass the authentication procedure conducted by an NE before they can access network resources. You can manage users in groups and configure differentiated security policies for the groups.

    Security group

    Choose Objects Management > Security Groups from the navigation tree on the left. Click and set security group parameters.

    When a dedicated authentication server authenticates identities of users using a specified device in a unified manner, you need to configure the same security group on the device as that on the authentication server. eSight supports security group management to provide differentiated policies for different security groups.

    If a security group is referenced by a policy, the policy is applied to users of the security group but not users of the sub-security group.

    Application or application group

    Choose Objects Management > Applications from the navigation tree on the left. Click on the Application or Application Group tab page and set application or application group parameters.

    Applications are computer programs used for a special purpose or performing a special task. You can create different policies for applications.

    For details about regular expressions involved during application configuration, see IPS.

    For HTTP.Method and HTTP.URI fields, conform to the following rules for usage of metacharacters:

    • HTTP.Method: Only three metacharacters are supported: ( ) |. Only English characters are allowed.
    • HTTP.URI: Only four metacharacters are supported: * ( ) |.

    Signature

    Choose Objects Management > Signatures from the navigation tree on the left. Click and set user-defined signature parameters.

    A signature contains the features of a network intrusion. The device compares the received data flow with IPS signatures. If the data flow content matches a signature, the data flow contains threats.

    Signature is referenced by IPS profile.

    When packets match a signature, the device matches packets with rules based on the sequence in which rules were configured. Check items in each rule are matched randomly or based on the sequence in which check items were configured.

    For details about regular expressions involved during signature configuration, see IPS.

    NAT address pool

    Choose Objects Management > NAT Address Pools from the navigation tree on the left.

    • Click on the Source Translation Address Pool tab page and configure the address pool into which the source address can be converted.
    • Click on the Destination Translation Address Pool tab page and configure the address pool into which the destination address can be converted.

    The NAT address pool is an IP address resource pool. The NGFW uses the public addresses in the address pool to translate users' private addresses and therefore enables intranet users to access the Internet using public addresses.

    MIME header group

    Choose Objects Management > MIME Header Groups from the navigation tree on the left. Click and set MIME parameters.

    Generally, emails on the Internet comply with MIME standards. The MIME headers of junk mail contain identifiable signatures, so emails can be handled based on configured MIME header signatures.

    MIME header groups are referenced during configuration of email filtering profiles. You can add MIME headers with the same control action to the same MIME header group.

    MIME header group is referenced by Mail filtering profile.

    URL category

    Choose Objects Management > URL Categories from the navigation tree on the left. Click and set user-defined URL category parameters.

    An administrator can control URLs that are allowed and rejected by intranet users based on URL categories.

    URL category is referenced by URL filtering profile.

    Portal template

    Choose Objects Management > Portal Templates from the navigation tree on the left. Click and set Portal template parameters.

    A Portal template defines the URLs of servers that use user-defined Portal authentication.

    If the Portal server needs to interwork with the NGFW to exchange data, select Enable for Push information to the portal server.

    After the function is enabled, the NGFW automatically appends related information, such as the client IP address and the URL accessed before client authentication, to the URL of the Portal server and then pushes the information to the Portal server for Portal authentication.

    Email address group

    Choose Objects Management > Email Address Groups from the navigation tree on the left. Click and set email address group parameters.

    The email address group is referenced during email address check. You can add email addresses with the same sending or receiving right to the same email address group.

    Email address group is referenced by Mail filtering profile.

    Keyword

    Choose Objects Management > Keyword Groups from the navigation tree on the left. Click and set keyword parameters.

    A keyword group is a set of keywords that need to be filtered. It defines the confidentiality or violation keywords that need to be filtered by the data filtering function.

    Keyword is referenced by Data filtering profile.

    An administrator defines the keywords to be detected. The text and regular expression can be used. For details about how to use regular expressions, see Table 12-73.

    Traffic profile

    Choose Objects Management > Traffic Profiles from the navigation tree on the left. Click and set traffic profile parameters.

    NOTE:

    Configure traffic profiles referenced by parent and child policies based on the following rules:

    • The guaranteed bandwidth, connection limit, and connection rate limit specified in a child policy cannot be higher than those specified in the parent policy.
    • The parent and child policies must reference different traffic profiles.
    • Both the parent and child policies must set the traffic limiting mode to "setting the upstream and downstream bandwidth" or "setting the overall bandwidth" at the same time. Otherwise, bandwidth control is not accurate.

    A traffic profile defines bandwidth resources that can be used by objects to which bandwidth management applies. A traffic profile takes effect only after it is referenced by a traffic policy.

    • Exclusive mode

      After a traffic profile is referenced by multiple traffic policies in exclusive mode, traffic matching the conditions in each traffic policy exclusively occupies the maximum bandwidth resources.

    • Sharing mode

      After a traffic profile is referenced by multiple traffic policies in sharing mode, traffic matching the conditions in all traffic policies shares the maximum bandwidth resources.
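A configuration check for the three parent/child traffic-profile rules in the note above, as an added Python example that is not eSight's own code: it walks every child traffic policy, compares the profile it references with the parent's, and reports each violation. The profile field names, the limiting-mode labels and the sample configuration are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two limiting modes named on the page; a profile uses exactly one of them.
UP_DOWN = "upstream_downstream"   # "setting the upstream and downstream bandwidth"
OVERALL = "overall"               # "setting the overall bandwidth"

@dataclass
class TrafficProfile:
    name: str
    mode: str                 # UP_DOWN or OVERALL
    guaranteed_kbps: int      # guaranteed bandwidth
    max_connections: int      # connection limit
    conn_rate_per_sec: int    # connection rate limit
    shared: bool = True       # sharing mode (True) or exclusive mode (False)

@dataclass
class TrafficPolicy:
    name: str
    profile: str                   # name of the referenced traffic profile
    parent: Optional[str] = None   # name of the parent policy, if this is a child policy

def check_parent_child(policies: Dict[str, TrafficPolicy],
                       profiles: Dict[str, TrafficProfile]) -> List[str]:
    """Return one message per violated parent/child rule; an empty list means compliant."""
    problems: List[str] = []
    for pol in policies.values():
        if pol.parent is None:
            continue
        parent = policies[pol.parent]
        child_p, parent_p = profiles[pol.profile], profiles[parent.profile]
        # Rule: parent and child must reference different traffic profiles.
        if child_p.name == parent_p.name:
            problems.append(f"{pol.name}: references the same traffic profile as parent {parent.name}")
        # Rule: both must use the same limiting mode, or bandwidth control is inaccurate.
        if child_p.mode != parent_p.mode:
            problems.append(f"{pol.name}: limiting mode {child_p.mode} differs from parent mode {parent_p.mode}")
        # Rule: child limits may not exceed the parent's limits.
        for attr in ("guaranteed_kbps", "max_connections", "conn_rate_per_sec"):
            if getattr(child_p, attr) > getattr(parent_p, attr):
                problems.append(f"{pol.name}: {attr} {getattr(child_p, attr)} exceeds parent value {getattr(parent_p, attr)}")
    return problems

def sample_config() -> Tuple[Dict[str, TrafficPolicy], Dict[str, TrafficProfile]]:
    """Constructed configuration: one compliant child and two non-compliant ones."""
    profiles = {
        "p_dept": TrafficProfile("p_dept", UP_DOWN, 10000, 5000, 500),
        "p_team_ok": TrafficProfile("p_team_ok", UP_DOWN, 2000, 1000, 100),
        "p_team_bad": TrafficProfile("p_team_bad", OVERALL, 20000, 1000, 100),
    }
    policies = {
        "dept": TrafficPolicy("dept", "p_dept"),
        "team_a": TrafficPolicy("team_a", "p_team_ok", parent="dept"),
        "team_b": TrafficPolicy("team_b", "p_team_bad", parent="dept"),  # wrong mode, too much bandwidth
        "team_c": TrafficPolicy("team_c", "p_dept", parent="dept"),      # reuses the parent's profile
    }
    return policies, profiles
```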

Configuring Policies
  1. Choose Resource > Network > Security Business > Secure Center from the main menu.

  2. Configure policies based on the site requirements.

    Policy Name

    Operation

    Function

    Security policy

    1. Choose Policy Management > Security Policy from the navigation tree on the left.
    2. Choose Policy > Create and configure a security policy. Click to deploy the security policy to the device.

    Security policies control the resources, such as IP addresses, ports, and applications, that users or hosts can access, and also detect threats in and protect network traffic.

    After you classify network traffic in security policies once, you can enable different security functions for each traffic class to simplify the configuration.

    NAT policy

    1. Choose Policy Management > NAT Policy from the navigation tree on the left.
    2. Choose Policy > Create and configure a NAT policy. Click to deploy the NAT policy to the device.

    NAT policies translate the source IP addresses or ports and destination IP addresses or ports according to certain rules to alleviate the lack of IPv4 addresses.

    Traffic policy

    1. Choose Policy Management > Traffic Policy from the navigation tree on the left.
    2. Choose Policy > Create and configure a traffic policy. Click to deploy the traffic policy to the device.

    Traffic policies control bandwidth for a network or host. You can allocate bandwidth and control the connection numbers of different traffic to avoid network congestion and ensure positive user experience.

    Authentication policy

    1. Choose Policy Management > Authentication Policy from the navigation tree on the left.
    2. Choose Policy > Create and configure an authentication policy. Click to deploy the authentication policy to the device.

    Authentication policies determine whether a user requires authentication. Special users can be exempted from authentication to access the intranet.

Configuring Attack Defense

You can use eSight to configure and deploy security defense measures for NGFWs one by one or in batches.

  • DDoS attack defense

    Enable traffic statistics on the bound interface upon the configuration of anti-DDoS to distinguish normal traffic from attacks. Anti-DDoS applies only to the bound interface. Therefore, you are advised to specify the interface that connects the NGFW to the Internet as the bound interface.

    To set a proper threshold, enable the threshold learning function and the automatic application function. In the case of device replacement, use the threshold configured on the original device.

  • Single-Packet attack defense

    By default, the defense against various single-packet attacks is disabled. You can enable the defense based on the actual situation over the network.

Configuring DDoS Attack Defense
  1. Accept change data about Anti-DDoS on the Policy-Content-Compared Result page after data synchronization.
  2. Choose Resource > Network > Security Business > Secure Center from the main menu.

  3. Choose Policy Management > Attack Defenses from the navigation tree on the left.
  4. On the Anti-DDoS tab, configure DDoS attack defense measures.

    It is difficult to set a proper defense threshold based on experience. You are advised to use the threshold learning function to enable the device to learn the traffic on the network and apply the learning results, or manually set the threshold.

    NOTE:

    • If you have enabled Automatic Application for threshold learning, the NGFW automatically applies the learned threshold, replacing the manually specified one and the default value, after the learning process ends.

      Learning result = Learning value x (1 + Learning tolerance). The unit of learning tolerance is percentage.

    • The NGFW uses Source Detection and CNAME Redirection to defend against DNS request flood attacks.
      • If the DNS server is a cache server, use Source Detection.
      • If the DNS server is an authoritative server, use CNAME Redirection.
    • The NGFW uses Basic Source Detection, 302 Redirection, and Advanced Source Detection to defend against HTTP flood attacks.
      • If the attack source is a proxy server or has certain browser functions, the basic mode cannot defend against it. You must select Advanced Source Detection.
      • If the client of HTTP services is a set-top box, select 302 Redirection or Basic Source Detection, because no verification code can be entered on a set-top box. 302 Redirection is preferred.
  5. Click to deploy the configuration to devices.
Configuring Single-Packet Attack Defense
  1. Accept change data about Single-Packet Attack on the Policy-Content-Compared Result page after data synchronization.
  2. Choose Resource > Network > Security Business > Secure Center from the main menu.

  3. Choose Policy Management > Attack Defenses from the navigation tree on the left.
  4. On the Single-Packet Attack tab, set single-packet attack defense parameters.
  5. Click to deploy the configuration to devices.

Configuring the ASPF

ASPF (Application Specific Packet Filter) filters application-layer packets; that is, it is a stateful packet filtering method. After ASPF is enabled, the NGFW can identify multi-channel protocols and apply security policies accordingly.

Context

Multi-channel protocols randomly select ports for data connections, but in the case of strict security policies, the packets sent from the random ports cannot be forwarded. To resolve the issue, the system can use ASPF to parse the application-layer data, identify the port numbers negotiated by these protocols, and create policies to permit the data on negotiated data connections.

Procedure
  1. Accept ASPF change on the Policy-Content-Compared Result page after data synchronization.
  2. Choose Resource > Network > Security Business > Secure Center from the main menu.

  3. Choose Policy Management > ASPF Configuration from the navigation tree on the left.
  4. Click in the Operation column of the device record for which ASPF needs to be configured, select multi-channel protocols to be enabled, and click to deploy the ASPF to the device.
Updated: 2019-05-17

Document ID: EDOC1100011877