Web-based Configuration Guide

AR650, AR1600, and AR6100 V300R003

This document describes how to configure and maintain your routers using the web platform.
Intrusion Defense Policy

Context

An intrusion prevention system (IPS) prevents and detects intrusions based on the intrusion defense library. Before configuring intrusion defense policies, load the intrusion defense library.

After the intrusion defense library is loaded, a large number of unclassified signatures are generated, and some of them describe characteristics that do not exist on the live network. You must use a signature filter to filter the signatures and configure a unified action for them. To configure a specific action for a specific signature, you must set that signature as an exception signature, which creates a heavy workload.

To resolve this problem, configure intrusion defense policies. You can configure only one signature filter but multiple exception signatures in an intrusion defense policy. After the signature filter and exception signatures are configured, signatures matching the network characteristics are selected. Intrusion defense policies can prevent intrusions on the device.

The device has multiple default intrusion prevention profiles for different application scenarios. The default intrusion prevention profiles can be displayed, cloned, or referenced in security policies, but cannot be modified or deleted.
  • strict: It contains all signatures and the action is block. It applies to all protocols and categories. The intrusion prevention profile applies to the scenarios in which the device is required to block all matched packets.
  • web_server: It contains all signatures and the action is the default action. It applies to the DNS, HTTP, and FTP protocols and all categories. The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a web server.
  • file_server: It contains all signatures and the action is the default action. It applies to the DNS, SMB, NETBIOS, NFS, SUNRPC, MSRPC, FILE, and TELNET protocols and all categories. The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a file server.
  • dns_server: It contains all signatures and the action is the default action. It applies to the DNS protocol and all categories. The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a DNS server.
  • mail_server: It contains all signatures and the action is the default action. It applies to the DNS, IMAP4, SMTP, and POP3 protocols and all categories. The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a mail server.
  • inside_firewall: It contains all signatures and the action is the default action. It applies to all protocols and categories. The intrusion prevention profile applies to the scenarios in which the device is deployed behind a firewall.
  • dmz: It contains all signatures and the action is the default action. It applies to all protocols except NETBIOS, NFS, SMB, TELNET, and TFTP, and to all categories. The intrusion prevention profile applies to the scenarios in which the device is deployed behind a firewall. The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a DMZ.
  • outside_firewall: It contains all signatures and the action is the default action. It applies to all protocols and to all categories except Scanner. The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a firewall.
  • ids: It contains all signatures and the action is alert. It applies to all protocols and categories. The intrusion prevention profile applies to the scenarios in which the device is deployed off-line as an IDS.
  • default: It contains all signatures and the action is the default action. It applies to all protocols and categories. The intrusion prevention profile applies to the scenarios in which the device is deployed in-line as an IPS.

Prerequisite

To use the deep security function, you must enable it. By default, the deep security function is disabled.

  1. Open the Service Management page.

    Log in to the web system, choose System Management > System Configuration > Service Management to open the Service Management page, as shown in Figure 14-28.

    Figure 14-28  Service Management tab page

  2. Enable or disable deep security.
    • Enable deep security.

      In the Service Management area, click Enabled and then Apply for Value-added security service to enable the deep security function.

    • Disable deep security.

      To disable deep security, click Disable and Apply, and restart the device.

      After the device restarts, the deep security configurations are deleted.

Procedure

  • Creating an intrusion defense policy
    1. Access the Intrusion Defense Policy tab page, as shown in Figure 14-29.

      Open the Deep Security tab page and choose Intrusion Defense Policy.

      Figure 14-29  Intrusion Defense Policy tab page

    2. Click Create in the Intrusion Defense Policy Configuration List area. Set parameters in the Create Intrusion Defense Policy dialog box, as shown in Figure 14-30. Table 14-11 describes the parameters.

      Table 14-11  Parameters for creating an intrusion defense policy

      | Parameter | Description |
      |---|---|
      | Policy name | Name of the intrusion defense policy. The policy name cannot be changed after the intrusion defense policy is configured. |
      | Action setting | Action of the signature filter. • Default: A signature has a predefined default action (Block or Alert). • Alert: When a packet matches a signature, the packet is allowed to pass, which is recorded in the log. • Block: When a packet matches a signature, the packet is discarded, which is recorded in the log. By default, the signature filter uses the default action of a signature. |
      | Target | Targets to be filtered. You can select multiple targets. The signature filter can filter out signatures with specified targets. |
      | Severity | Severity of intrusions to be filtered. You can select multiple severity values. The signature filter can filter out signatures with specified severity values. |
      | Operating system | Operating systems to be filtered. You can select multiple operating systems. The signature filter can filter out signatures with specified operating systems. |
      | Protocol | Protocols to be filtered. You can select multiple protocols. The signature filter can filter out signatures with specified protocols. |
      | Threat type | Threat types to be filtered. You can select multiple threat types. The signature filter can filter out signatures with specified threat types. |

      Figure 14-30  Create Intrusion Defense Policy dialog box

    3. Click Preview Signature Filtering Result. Signatures that are filtered out by the intrusion defense policy are displayed, as shown in Figure 14-31.

      Figure 14-31  Preview Signature Filtering Result page

    4. Click the icon next to Add Other Signatures. Set Signature ID to add the signature, as shown in Figure 14-32.

      Figure 14-32  Add Other Signatures

      NOTE:

      You can identify the IDs of mistakenly filtered signatures from the log or by other means. After adding these signatures to the list, you can modify the signature actions.

    5. Set parameters in List of Other Signatures. Table 14-12 describes the parameters.

      Table 14-12  Parameters in the list of exception signatures

      | Parameter | Description |
      |---|---|
      | Signature ID | This parameter is set by the system and cannot be changed. |
      | Signature name | This parameter is set by the system and cannot be changed. |
      | Action | Action of the exception signature. • Pass: When a packet matches the exception signature, the packet is allowed to pass, which is not recorded in the log. • Alert: When a packet matches the exception signature, the packet is allowed to pass, which is recorded in the log. • Block: When a packet matches the exception signature, the packet is discarded, which is not recorded in the log. The default action of an exception signature is pass. |
      | Operation | You can click the icon next to an exception signature to delete it. |

    6. Click OK. The configuration is added to Intrusion Defense Policy Configuration List.
    7. On the Intrusion Defense Policy tab page, click Submit above Intrusion Defense Policy Configuration List. In the Information dialog box, click OK. The intrusion defense policy configuration is activated.

      NOTE:

      After an intrusion defense policy is created or modified, you must click Submit to make the configuration take effect. Activation takes a long time, so you are advised to submit the configuration after you have finished modifying the intrusion defense policy.

  • Modifying an intrusion defense policy
    1. Select an intrusion defense policy in the Intrusion Defense Policy Configuration List area and click .

      NOTE:

      You cannot modify the predefined intrusion defense policies.

    2. In the Modify Intrusion Defense Policy dialog box, modify the parameters as described in Table 14-11, among which Policy name cannot be changed.
    3. Click Preview Signature Filtering Result. Signatures that are filtered out by the intrusion defense policy are displayed.
    4. Click OK. The configuration is saved.
    5. On the Intrusion Defense Policy tab page, click Submit above Intrusion Defense Policy Configuration List. In the Information dialog box, click OK. The intrusion defense policy configuration is activated.
  • Deleting an intrusion defense policy
    1. Select an intrusion defense policy in the Intrusion Defense Policy Configuration List area and click Delete. In the Information dialog box, click OK. The selected intrusion defense policy is deleted.
    2. On the Intrusion Defense Policy tab page, click Submit above Intrusion Defense Policy Configuration List. In the Information dialog box, click OK. The intrusion defense policy configuration is activated.
  • Searching an intrusion defense policy
    1. Select an intrusion defense policy in the Intrusion Defense Policy Configuration List area and click .
    2. Set the signature ID or name in Item and click Search. The predefined signature in the intrusion defense policy is displayed, as shown in Figure 14-33.

      Figure 14-33  View Signature Filtering Result

    3. Click Signature name. Information about the predefined signature is displayed.
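
The way the single signature filter and the exception signatures combine, as described in Tables 14-11 and 14-12, can be checked offline before a policy is submitted. The following Python model is an added example, not Huawei code or a device API; it resolves the effective action for each signature and lists the outcomes that leave no log entry. The signature IDs and attributes are constructed, and two rules are assumptions: an exception signature overrides the filter, and an empty selection matches everything.

```python
from dataclasses import dataclass, field

# Exception-signature logging per Table 14-12; filter Alert/Block are both logged.
EXCEPTION_LOGGED = {"pass": False, "alert": True, "block": False}

@dataclass
class Signature:  # constructed sample record, not an entry from the real library
    sig_id: int
    protocol: str
    severity: str
    default_action: str  # "alert" or "block"

@dataclass
class Policy:
    action: str = "default"  # filter action: default | alert | block
    protocols: set = field(default_factory=set)   # assumption: empty = any
    severities: set = field(default_factory=set)  # assumption: empty = any
    exceptions: dict = field(default_factory=dict)  # sig_id -> action

    def add_exception(self, sig_id, action="pass"):  # page: default is pass
        self.exceptions[sig_id] = action

    def resolve(self, sig):  # returns (source, action, logged)
        if sig.sig_id in self.exceptions:  # assumption: exception beats filter
            act = self.exceptions[sig.sig_id]
            return ("exception", act, EXCEPTION_LOGGED[act])
        if (self.protocols and sig.protocol not in self.protocols) or \
           (self.severities and sig.severity not in self.severities):
            return ("not_selected", None, False)
        act = sig.default_action if self.action == "default" else self.action
        return ("filter", act, True)

def audit(policy, signatures):  # signature IDs whose matches leave no log entry
    report = {"exception": [], "not_selected": []}
    for sig in signatures:
        source, _, logged = policy.resolve(sig)
        if not logged:
            report[source].append(sig.sig_id)
    return report

SIGNATURES = [  # constructed IDs and attributes
    Signature(1001, "HTTP", "high", "block"),
    Signature(1002, "DNS", "medium", "alert"),
    Signature(1003, "SMB", "high", "block"),
    Signature(1004, "HTTP", "high", "alert"),
]
POLICY = Policy(protocols={"HTTP", "DNS"}, severities={"high", "medium"},
                exceptions={1002: "alert"})
POLICY.add_exception(1001)  # action left at the default: pass
```

Calling `audit(POLICY, SIGNATURES)` shows that signature 1001, added as an exception without an explicit action, is passed without a log entry, and that 1003 falls outside the filter entirely.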
Updated: 2019-04-12

Document ID: EDOC1100041803