CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuration Examples for IPS

Example for Configuring IPS to Block Intrusion Behaviors

Networking Requirements

As shown in Figure 6-8, an enterprise deploys a Router as the security gateway. Enterprise employees are internal users and are deployed in the Trust zone. The internal server is deployed in the demilitarized zone (DMZ).

To protect internal users and the internal server against attacks such as worms, Trojan horses, and botnets, the device must inspect the traffic that crosses the security zones and block intrusion behaviors in real time.

Figure 6-8  Networking diagram for configuring IPS to block intrusion behaviors

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses and routes for interfaces to ensure connectivity.
  2. Deploy the internal server, internal users, and external network in the DMZ, Trust zone, and Untrust zone respectively, and inspect the network traffic exchanged between the security zones.
  3. For internal users, configure the IPS profile profile_ips_pc.
    1. Detect and defend against intrusion behaviors whose threat level is high.
    2. Detect and defend against intrusion behaviors whose protocol types are HTTP and FTP.
    3. Detect and defend against intrusion behaviors whose targets are clients.
  4. For the internal server, configure the IPS profile profile_ips_server.
    1. Detect and defend against intrusion behaviors whose threat level is high.
    2. Detect and defend against intrusion behaviors whose protocol type is FTP.
    3. Detect and defend against intrusion behaviors whose targets are servers.
    4. Use exception signatures to block intrusion behaviors that occur frequently.
  5. Configure the interzones whose traffic needs to be inspected.
  6. Configure two security policies policy_sec_1 and policy_sec_2, bind the IPS profiles profile_ips_pc and profile_ips_server to the two policies respectively, and detect network traffic based on the two IPS profiles.
  7. Apply the security policy policy_sec_1 to the interzone between the Trust and Untrust zones. Make the security policy take effect to protect internal users against attacks from the Internet.
  8. Apply the security policy policy_sec_2 to the interzone between the Untrust zone and DMZ and the interzone between the Trust zone and DMZ. Make the security policy take effect to protect the internal server against attacks from internal users and the Internet.

Procedure

  1. Configure security zones and interzones on the Router. A larger priority value indicates a more trusted zone; the inbound and outbound directions used by the interzone packet filter are defined relative to these priorities.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] engine enable
    [Router] firewall zone DMZ
    [Router-zone-DMZ] priority 14
    [Router-zone-DMZ] quit
    [Router] firewall zone Trust
    [Router-zone-Trust] priority 13
    [Router-zone-Trust] quit
    [Router] firewall zone Untrust
    [Router-zone-Untrust] priority 1
    [Router-zone-Untrust] quit
    [Router] firewall interzone Trust Untrust
    [Router-interzone-Trust-Untrust] quit
    [Router] firewall interzone DMZ Trust
    [Router-interzone-DMZ-Trust] quit
    [Router] firewall interzone DMZ Untrust
    [Router-interzone-DMZ-Untrust] quit
    

  2. Configure IP addresses for interfaces on the Router and add the interfaces to security zones.

    [Router] interface gigabitethernet 1/0/0
    [Router-GigabitEthernet1/0/0] undo portswitch
    [Router-GigabitEthernet1/0/0] ip address 10.1.0.1 24
    [Router-GigabitEthernet1/0/0] zone DMZ
    [Router-GigabitEthernet1/0/0] quit
    [Router] interface gigabitethernet 2/0/0
    [Router-GigabitEthernet2/0/0] undo portswitch
    [Router-GigabitEthernet2/0/0] ip address 10.2.0.1 24
    [Router-GigabitEthernet2/0/0] zone Trust
    [Router-GigabitEthernet2/0/0] quit
    [Router] interface gigabitethernet 3/0/0
    [Router-GigabitEthernet3/0/0] undo portswitch
    [Router-GigabitEthernet3/0/0] ip address 1.1.1.1 24
    [Router-GigabitEthernet3/0/0] zone Untrust
    [Router-GigabitEthernet3/0/0] quit

  3. Configure the IPS profile profile_ips_pc to protect internal users. Configure signature filters to meet security requirements.

    [Router] profile type ips name profile_ips_pc
    [Router-profile-ips-profile_ips_pc] signature-set name filter1
    [Router-profile-ips-profile_ips_pc-sigset-filter1] target client
    [Router-profile-ips-profile_ips_pc-sigset-filter1] severity high
    [Router-profile-ips-profile_ips_pc-sigset-filter1] protocol HTTP FTP
    [Router-profile-ips-profile_ips_pc-sigset-filter1] action default
    [Router-profile-ips-profile_ips_pc-sigset-filter1] quit
    [Router-profile-ips-profile_ips_pc] quit
    

  4. Configure the IPS profile profile_ips_server to protect the internal server. The logs show that one type of attack occurs frequently; these attacks match the signature with ID 74320, so an exception signature is configured to block all attacks of this type regardless of the action of the signature set. Finally, commit the engine configuration so that both IPS profiles take effect.

    [Router] profile type ips name profile_ips_server
    [Router-profile-ips-profile_ips_server] signature-set name filter1
    [Router-profile-ips-profile_ips_server-sigset-filter1] target server
    [Router-profile-ips-profile_ips_server-sigset-filter1] severity high
    [Router-profile-ips-profile_ips_server-sigset-filter1] protocol FTP
    [Router-profile-ips-profile_ips_server-sigset-filter1] action default
    [Router-profile-ips-profile_ips_server-sigset-filter1] quit
    [Router-profile-ips-profile_ips_server] exception ips-signature-id 74320 action block
    [Router-profile-ips-profile_ips_server] quit
    [Router] engine configuration commit
    

  5. Create a security policy named policy_sec_1 and bind the IPS profile profile_ips_pc to the security policy.

    [Router] security-policy policy_sec_1
    [Router-security-policy-policy_sec_1] profile ips profile_ips_pc
    [Router-security-policy-policy_sec_1] quit
    

  6. Create a security policy named policy_sec_2 and bind the IPS profile profile_ips_server to the security policy.

    [Router] security-policy policy_sec_2
    [Router-security-policy-policy_sec_2] profile ips profile_ips_server
    [Router-security-policy-policy_sec_2] quit
    

  7. Apply the security policy policy_sec_1 to the interzone between the Trust and Untrust zones. Make the security policy take effect to protect internal users against attacks from the Internet.

    [Router] firewall interzone Trust Untrust
    [Router-interzone-Trust-Untrust] security-policy policy_sec_1
    [Router-interzone-Trust-Untrust] quit
    

  8. Apply the security policy policy_sec_2 to the interzone between the DMZ and Untrust zone and the interzone between the DMZ and Trust zone. Make the security policy take effect to protect the internal server against attacks from internal users and the Internet.

    [Router] firewall interzone DMZ Untrust
    [Router-interzone-DMZ-Untrust] security-policy policy_sec_2
    [Router-interzone-DMZ-Untrust] quit
    [Router] firewall interzone DMZ Trust
    [Router-interzone-DMZ-Trust] security-policy policy_sec_2
    [Router-interzone-DMZ-Trust] quit
    

  9. Verify the configuration.

    On the Router, run the display security-policy name policy-name command to check that the IPS profile is bound to the security policy.

    <Router> display security-policy name policy_sec_1
      Policy-name: policy_sec_1
      Policy-ID: 4
       IPS: profile_ips_pc
       URLF: -
       ACL: 0
      Reference-Num: 1

    On the Router, run the display firewall interzone zone-name1 zone-name2 command to check that the security policy is applied to the interzone. The result is as follows:

    <Router> display firewall interzone Trust Untrust
    interzone Trust Untrust
     firewall disable
     security-policy policy_sec_1
     packet-filter default deny inbound
     packet-filter default permit outbound

    Note that the output shows firewall disable: this example does not enable packet filtering on the interzone; it only applies the security policy that carries the IPS profile. Repeat the command for the DMZ Untrust and DMZ Trust interzones to confirm that policy_sec_2 is applied to both.
    

Configuration File

Configuration file of the Router

#
 sysname Router
#
 engine enable
#
profile type ips name profile_ips_pc
 signature-set name filter1
  target client
  severity high
  protocol HTTP FTP
#
profile type ips name profile_ips_server
 signature-set name filter1
  target server
  severity high
  protocol FTP
 exception ips-signature-id 74320 action block
#
security-policy policy_sec_1
  profile ips profile_ips_pc
security-policy policy_sec_2
  profile ips profile_ips_server
#
firewall zone Untrust
 priority 1
#
firewall zone DMZ
 priority 14
#
firewall zone Trust
 priority 13
#
firewall interzone Trust Untrust
 security-policy policy_sec_1
#
firewall interzone DMZ Trust
 security-policy policy_sec_2
#
firewall interzone DMZ Untrust
 security-policy policy_sec_2
#
interface GigabitEthernet1/0/0
 ip address 10.1.0.1 255.255.255.0
 zone DMZ
#
interface GigabitEthernet2/0/0
 ip address 10.2.0.1 255.255.255.0
 zone Trust
#
interface GigabitEthernet3/0/0
 ip address 1.1.1.1 255.255.255.0
 zone Untrust
#
return
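The protection configured in this example depends on an unbroken chain: each interzone binds a security policy, the policy carries an IPS profile, and the profile contains the signature sets and exception signatures that actually match traffic. A gap anywhere in that chain leaves a zone pair uninspected. The following Python script is an added example and is not part of the Huawei document or the device software. It parses a configuration file in the flat format shown above (the IPS-relevant part of this page's own Router configuration is embedded as constructed sample input) and reports any zone pair without an interzone, any interzone without a defined security policy, any policy without a defined IPS profile, and any profile with no signature set or exception signature. The parser only recognises the views used in this example (firewall zone, firewall interzone, security-policy, profile type ips); other views such as interfaces are skipped, and the wording of the findings is the script's own.

```python
"""Audit the IPS binding chain in a Huawei AR configuration file. Added example, not
from the Huawei document: interzone -> security-policy -> IPS profile -> signature-set."""

# Constructed sample input: the IPS-relevant part of this page's Router configuration file.
SAMPLE_CONFIG = """\
profile type ips name profile_ips_pc
 signature-set name filter1
  target client
  severity high
  protocol HTTP FTP
#
profile type ips name profile_ips_server
 signature-set name filter1
  target server
  severity high
  protocol FTP
 exception ips-signature-id 74320 action block
#
security-policy policy_sec_1
  profile ips profile_ips_pc
security-policy policy_sec_2
  profile ips profile_ips_server
#
firewall zone Untrust
 priority 1
#
firewall zone DMZ
 priority 14
#
firewall zone Trust
 priority 13
#
firewall interzone Trust Untrust
 security-policy policy_sec_1
#
firewall interzone DMZ Trust
 security-policy policy_sec_2
#
firewall interzone DMZ Untrust
 security-policy policy_sec_2
"""

def parse_config(text):
    """Return (zones, interzones, policies, profiles) parsed from config text."""
    zones, interzones, policies, profiles = {}, {}, {}, {}
    ctx = None                                  # (kind, key) of the open view
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] == "#":        # '#' closes the current view
            ctx = None
        elif not line[0].isspace():             # unindented: system-view command
            ctx = None                          # sysname, interface, return, ...
            if words[:2] == ["firewall", "zone"]:
                ctx = ("zone", words[2])
                zones.setdefault(words[2], None)
            elif words[:2] == ["firewall", "interzone"]:
                ctx = ("interzone", frozenset(words[2:4]))
                interzones.setdefault(ctx[1], None)
            elif words[0] == "security-policy":
                ctx = ("policy", words[1])
                policies.setdefault(words[1], None)
            elif words[:4] == ["profile", "type", "ips", "name"]:
                ctx = ("profile", words[4])
                profiles.setdefault(words[4], {"sets": [], "exceptions": []})
        elif ctx is not None:                   # indented: command inside the view
            kind, key = ctx
            if kind == "zone" and words[0] == "priority":
                zones[key] = int(words[1])
            elif kind == "interzone" and words[0] == "security-policy":
                interzones[key] = words[1]
            elif kind == "policy" and words[:2] == ["profile", "ips"]:
                policies[key] = words[2]
            elif kind == "profile" and words[:2] == ["signature-set", "name"]:
                profiles[key]["sets"].append(words[2])
            elif kind == "profile" and words[0] == "exception":
                profiles[key]["exceptions"].append(" ".join(words[1:]))
    return zones, interzones, policies, profiles

def audit(text):
    """Return findings; an empty list means every zone pair is inspected by an IPS profile."""
    zones, interzones, policies, profiles = parse_config(text)
    findings = []
    names = sorted(zones)
    for i, a in enumerate(names):               # every zone pair needs an interzone
        for b in names[i + 1:]:
            if frozenset((a, b)) not in interzones:
                findings.append(f"no interzone between {a} and {b}: traffic is not inspected")
    for pair, policy in interzones.items():     # follow the chain for each interzone
        label = " ".join(sorted(pair))
        profile = policies.get(policy)
        if policy not in policies:              # nothing bound, or a dangling name
            findings.append(f"interzone {label}: security policy {policy or '(none)'} is not defined")
        elif profile not in profiles:
            findings.append(f"security policy {policy} ({label}): IPS profile {profile or '(none)'} is not defined")
        elif not (profiles[profile]["sets"] or profiles[profile]["exceptions"]):
            findings.append(f"IPS profile {profile} ({policy}) has no signature-set or exception")
    return findings
```

Running audit() on the sample returns no findings; deleting the security-policy line under firewall interzone DMZ Trust, for instance, produces one finding for that interzone, and deleting a whole interzone block produces a finding for the uncovered zone pair. To check a live device, save the output of display current-configuration to a file and pass its contents to audit().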
Updated: 2019-05-20

Document ID: EDOC1100034236