NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring the SOC

This section describes how to configure the Security Operating Center (SOC).

Applicable Environment

When an exception occurs, for example, services are interrupted, the system performance deteriorates, or service flapping occurs, maintenance personnel can use the SOC to quickly determine if the exception has been caused by a security attack. Maintenance personnel can also use the SOC to perform routine maintenance and management to check if any security attack has occurred and take immediate measures.

Pre-configuration Tasks

None

Configuration Procedures

Figure 9-1 Flowchart of configuring SOC

Enabling the SOC

You can enable the Security Operating Center (SOC) by enabling attack detection, attack source tracing, and attack defense.

Context

Attack detection and attack source tracing are key SOC functions. Before using the SOC, ensure that these functions are enabled. If attack detection and attack source tracing are left disabled, the SOC is still triggered by timers to collect CPU usage, protocol module state data (including the numbers of invalid packets and sessions), and CPCAR packet loss statistics. However, the SOC neither performs attack detection and attack source tracing nor generates alarms, and therefore cannot locate attack events.

After attack defense is enabled, the SOC automatically delivers attack defense policies if the NE20E is being attacked. This function isolates attacks or protects the NE20E against attacks.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run soc

    Attack detection and attack source tracing are enabled, and the SOC view is displayed.

  3. (Optional) Run attack-defend enable

    Attack defense is enabled.

    If the SOC determines that an attack event has occurred, enable attack defense.

  4. (Optional) Specify protocols in a user-defined group for which attack defense is enabled or disabled.
    1. (Optional) Run attack-defend user-enable-group

      A user-defined group for which attack defense is enabled is configured, and the user-group view is displayed.

    2. (Optional) Run attack-defend user-disable-group

      A user-defined group for which attack defense is disabled is configured, and the user-group view is displayed.

      You can specify the following protocols for a user-defined group: FTP server, FTP client, SSH server, SSH client, SNMP, Telnet server, Telnet client, TFTP, BGP, LDP, RSVP, OSPFv2, RIP, OSPFv3, MSDP, PIM, IGMP, IS-IS, PIMv6, RADIUS, HWTACACS, LSP ping, ICMP, VRRP, BFD, DHCP, DNS client, Telnetv6 server, Telnetv6 client, ICMPv6, DNSv6, SSHv6 server, FTPv6 server, FTPv6 client, LACP, and BGPv6. For example, to specify DHCP in a user-defined group for which attack defense is enabled or disabled, configure dhcp in the command.

      A protocol cannot be configured both in the user-defined group for which attack defense is enabled and in the user-defined group for which attack defense is disabled.

      The priority of the user-defined group configuration is higher than that of the attack-defend enable command configuration.

  5. Run commit

    The configuration is committed.

Analyzing Attack Events

The SOC determines whether an attack event has occurred by analyzing attack event reports and statistics. If attack defense is enabled, you can also check packet loss statistics of the interface under attack.

Context

If an exception occurs or an attack event alarm is generated on the NE20E, perform the following procedures to determine whether an attack event has occurred:
  1. Check attack event reports and identify the attack event to be analyzed.
  2. Check the Location and Reasons fields in attack event reports to find out the slot ID and protocol of the attack event and check the historical statistics. Historical statistics include the CPCAR statistics and protocol statistics. Determine whether the attack event is caused by protocol packets sent to the CPU or invalid packets or sessions on a protocol module.
  3. After the attack event is determined, enable attack defense. Then the NE20E uses the configured attack defense policies to defend against subsequent attack packets. You can also check packet loss statistics of the interface under attack.

Perform the following steps in any view.

Procedure

  1. Check attack event reports.
    1. Run the display soc attack-event command to check a summary of attack events.
    2. Run the display soc attack-event slot slot-id [ verbose ] command to check information about attack events on the board in a specified slot.

      The specified slot is identified by checking the Location field in the attack event summary. Detailed information about attack events is displayed if verbose is configured.

    3. Run the display soc attack-event event-number event-number [ verbose ] command to check information about the specified attack event.

      The specified attack event is identified by checking the Seq. field in the attack event summary or information about attack events on the board in a specified slot.

  2. Check historical statistics.

    NOTE:

    In the following commands, slot-id must be the same as the slot-id specified in the display soc attack-event command, and protocol-name must be the same as the Reasons field value in the display soc attack-event command output.

    Check CPCAR statistics.

    1. Run the display soc attack-detect statistics car slot slot-id protocol protocol-name command to check all CPCAR statistics monitored by the SOC. Identify CarName of the CPCAR with the highest packet loss rate or the largest number of lost packets.

      NOTE:

      CAR (committed access rate) is a traffic policing instance. CPCAR is the CAR applied to packets destined for the CPU.

    2. Run the display soc attack-detect statistics car slot slot-id protocol protocol-name [ cpcar-name history { 15-minute | 60-minutes | 72-hour } ] command to check the packet loss rate of the protocol packets identified by cpcar-name within a specified period.
    3. Run the display soc attack-detect cpu-usage slot slot-id history { 15-minutes | 60-minutes | 72-hours } command to check the CPU usage within a specified period. If the CPU usage and packet loss rate within a specified period have similar tendencies, the CPU overload is caused by the protocol packets identified by cpcar-name.

    Check protocol statistics.

    1. Run the display soc attack-detect statistics application slot slot-id command to check statistics about the protocol packets and sessions on the board in a specified slot. Identify the protocol module with the highest ratio of invalid packets or sessions to total packets or sessions. This protocol module is the most likely to be under attack.
    2. Run the display soc attack-detect statistics application slot slot-id protocol protocol-name history { 15-minute | 60-minutes | 72-hour } command to check statistics about the protocol packets and sessions and the average CPU usage within the last 15 minutes, 1 hour, or 72 hours. If the CPU usage is high and the ratio of invalid packets or sessions to total packets or sessions is also high, attacks on the protocol module are causing the CPU overload. If you cannot identify the problem from the average CPU usage, run the following command to check detailed information about the CPU usage within the specified period.
    3. (Optional) Run the display soc attack-detect cpu-usage slot slot-id history { 15-minutes | 60-minutes | 72-hours } command to check detailed information about the CPU usage within a specified period.
  3. (Optional) Run the display soc attack-defend statistics slot slot-id port-vlan-car command to check statistics about the packets that pass through or are discarded by interfaces being attacked on the board in a specified slot.

    After attack defense is enabled and the NE20E is being attacked, you can run this command.
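The "similar tendencies" test in the CPCAR steps above (does a CPCAR's packet loss rate rise and fall with CPU usage over the same period?) can be made mechanical. The following Python script is an added example, not code from the Huawei guide; the CPU usage and per-CPCAR loss rate series are constructed sample data standing in for the history output of the display soc attack-detect cpu-usage and display soc attack-detect statistics car commands.

```python
# Added example (not from the Huawei guide): rank CPCARs by how closely their
# packet loss rate tracks CPU usage over one history period. A strong positive
# correlation is the "similar tendencies" signal that points at the CPCAR
# whose protocol packets are overloading the CPU.
import math

# Constructed sample: six consecutive CPU usage samples (%) from one period.
CPU_USAGE = [20, 22, 45, 70, 68, 30]

# Constructed sample: packet loss rate (%) per CPCAR over the same six samples.
CPCAR_DROP_RATE = {
    "bgp": [0, 1, 25, 48, 45, 5],      # rises and falls with CPU usage
    "arp": [10, 10, 11, 10, 10, 10],   # steady background loss, unrelated
    "icmp": [30, 28, 5, 2, 3, 25],     # moves opposite to CPU usage
}


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must have the same length of at least 2")
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return 0.0
    return cov / math.sqrt(var_x * var_y)


def rank_cpcars(cpu_usage, drop_rates, min_corr=0.8):
    """Return [(cpcar_name, correlation)] sorted from the strongest match down.

    Only CPCARs whose loss rate moves with CPU usage (correlation at or above
    min_corr) are kept as candidate causes of the CPU overload.
    """
    ranked = sorted(
        ((name, pearson(cpu_usage, rates)) for name, rates in drop_rates.items()),
        key=lambda item: item[1],
        reverse=True,
    )
    return [(name, corr) for name, corr in ranked if corr >= min_corr]


if __name__ == "__main__":
    for name, corr in rank_cpcars(CPU_USAGE, CPCAR_DROP_RATE):
        print(f"{name}: loss rate tracks CPU usage (r = {corr:.2f})")
```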

(Optional) Configuring a User-Defined Group for Which Attack Defense Is Enabled

You can determine whether an attack event or source exists by checking alarm information and attack event reports. After an attack source is confirmed, you can configure a user-defined group for which attack defense is enabled to isolate the attack source.

Context

If a device works abnormally (for example, it encounters CPU overload, user logout, or route interruption), you can configure a user-defined group for which attack defense is enabled to isolate the attack sources.

NOTE:
Run the attack-defend user-enable-group command to configure a user-defined group for which attack defense is enabled only after attack events or sources have been confirmed. Once the group is configured and specific protocols are defined in it, the system automatically delivers an attack defense policy when an attack on one of those protocols is detected.

Procedure

  1. Check whether the alarm SOC_1.3.6.1.4.1.2011.5.25.165.1.11.12 hwBaseSocAttackTrap is generated. The alarm content includes the attack position, protocol type, sub-interface, and MAC address information.
  2. If the alarm is generated, run the display soc attack-event slot slot-id command in any view to query more detailed information about the attack event on the board in a specific slot, such as the attack possibility, physical interface under attacks, VLAN, and attack cause (protocol flooding or broadcast storm).
  3. Locate and isolate the attack source based on the obtained attack position and cause.
    1. If CPU overload, severe service damage, or even service interruption occurs, shut down the interface under attack based on the attack position and attack packet information (MAC address, IP address, and protocol type), or run the blacklist acl command in the attack defense policy view to blacklist the attack packets, and adjust the configuration based on the live network situation.
    2. If CPU overload occurs but services run properly with only a few packets being dropped, analyze the service deployment on the interface and check whether attack protocol packets are being sent to the interface. If attack protocol packets are confirmed, blacklist the attack protocol and adjust the configuration based on the live network situation.

    If services are restored and run properly later after the preceding operations, deliver an attack defense policy to apply the blacklist and interface or sub-interface shutdown actions to the forwarding plane.

    NOTE:
    If CPU overloads frequently occur due to device attacks, you can check service deployment on the interface under attack based on the port information of the attack event. If unexpected protocol packet loss is detected, run the attack-defend user-enable-group command to configure a user-defined group for which attack defense is enabled and define the protocol in the group. After that, when the protocol packets are sent to attack the device again, an attack defense policy is automatically delivered to protect the CPU.

(Optional) Configuring Attack Source Tracing Parameters

If attack event reports present incorrect or missing decisions on attack events, adjust attack source tracing parameters to allow attack source tracing to function precisely.

Context

As network configurations and traffic characteristics vary, the default attack source tracing thresholds may cause incorrect or missing decisions on attack events. You can adjust the attack source tracing parameters based on actual conditions. If an object under attack fails to be located, the attack source tracing thresholds are set too high and need to be lowered. If an object not under attack is identified as being attacked, the attack source tracing thresholds are set too low and need to be raised.
NOTE:

Each attack source tracing threshold has its default value. Adjust the thresholds based on your networking environment by referring to the default values and value ranges provided in the command reference. It is recommended that you adjust attack source tracing thresholds with assistance from Huawei engineers.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run soc

    The SOC view is displayed.

  3. Configure thresholds for determining attack events.
    • To configure the threshold for determining the location of an attack event, run the attack-trace location-type { interface | qinq | source-ip | source-mac | sub-interface | vlan | vni } threshold threshold-value command.
    • To configure the threshold for determining the probability of an attack event, run the attack-trace probability { top5-user | top5-source-mac | top5-source-ip | broadcast-flood | app-error-percent } { determined | notification | suspicion } threshold-value command.
    • To configure the threshold for determining the cause of an attack event, run the attack-trace reason { app-packet | broadcast-flood | change-source-packet } percentage percentage-value command.
  4. Run commit

    The configuration is committed.

(Optional) Configuring Attack Detection Parameters

If attack event reports present incorrect or missing decisions on attack events, adjust attack detection parameters to allow attack detection to function precisely.

Context

The Security Operating Center (SOC) determines whether the system is being attacked based on statistical analysis. To obtain correct statistics on a live network, you must set proper alarm thresholds for security attack events. Traffic models vary with the networking of each scenario.
  • On small-scale networks where the traffic rate is low, router bandwidth is low, and the number of users is small, setting a low alarm threshold is recommended.

  • On large-scale networks where the traffic rate is high, router bandwidth is high, and the number of users is large, setting a high alarm threshold is recommended.

Additionally, you can adjust the threshold based on the security attack event reports. If false alarms are frequently reported, increase the alarm threshold. If some security attacks are missed (they are detected by other monitoring systems but not reported by the SOC), lower the alarm threshold.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run soc

    The SOC view is displayed.

  3. Configure thresholds for determining attack events.
    • Run the attack-detect protocol protocol-name car { min-rate rate-value | drop-packet-percent percentage } * command to set the rate threshold for sending protocol packets to the CPU and the packet loss percentage threshold for attack detection.
    • Run the attack-detect cpu-usage-threshold threshold-value command to set the CPU usage threshold for attack detection.
  4. Run commit

    The configuration is committed.

Verifying the SOC Configuration

After configuring attack source tracing parameters, check the configurations. If some parameters are not configured, their default values are displayed.

Procedure

  1. Run the display soc attack-trace threshold configuration command to check attack source tracing thresholds.
  2. Run the display soc attack-detect car threshold configuration command to check the configured CP-CAR thresholds for attack detection.

Example

Run the display soc attack-trace threshold configuration command. The command output shows attack source tracing thresholds.

<HUAWEI> display soc attack-trace threshold configuration
 The following is reason configuration.                                         
 ------------------------------------------------------------------------------ 
 Item                  Percentage(%)                                            
 change-source-packet  10                                                       
 broadcast-flood       55                                                       
 app-packet            35                                                       
 ------------------------------------------------------------------------------ 
                                                                                
 The following is location-type configuration.                                  
 ------------------------------------------------------------------------------ 
 Item          Threshold(%)                                                     
 interface     25                                                               
 sub-interface 25                                                               
 vlan          25                                                               
 source-ip     15                                                               
 source-mac    25                                                               
 qinq          15                                                               
 vni           25                                           
 ------------------------------------------------------------------------------ 
                                                                                
 The following is probability configuration.                                    
 ------------------------------------------------------------------------------ 
 Item                Determined(%)  Suspicion(%)   Notification(%)              
 top5-user           95              65              55                         
 top5-source-ip      85              65              50                         
 top5-source-mac     95              65              55                         
 broadcast-flood     95              75              55                         
 app-error-percent   95              80              65                         
 ------------------------------------------------------------------------------ 

Run the display soc attack-detect car threshold configuration command to check the configured CP-CAR thresholds for attack detection.

<HUAWEI> display soc attack-detect car threshold configuration
2015-06-11 16:47:21.367 
 ---------------------------------------------------------------------
 Attack detect CPU-usage Threshold     : 15
 Attack alarm CPU-usage Threshold      : 60
 ---------------------------------------------------------------------
 Protocol                         Car Rate(pps)     Car DropPktPct(%) 
 arp                              500               30              
 icmp                             300               30              
 dhcp                             500               20              
 pppoe                            500               20              
 ftp-server                       500               30              
 ssh-server                       500               30              
 snmp                             500               30              
 telnet-server                    500               30              
 tftp                             500               30              
 bgp                              500               30              
 ldp                              500               30              
 rsvp                             500               30              
 ospfv2                           500               30              
 rip                              500               30              
 ospfv3                           500               30              
 msdp                             500               30              
 pim                              500               30              
 igmp                             500               30              
 mld                              500               30              
 isis                             500               30              
 pimv6                            500               30              
 sftp-server                      500               30              
 ftp-client                       500               30              
 telnet-client                    500               30              
 ssh-client                       500               30              
 sftp-client                      500               30              
 ntp                              500               30              
 radius                           500               30              
 hwtacacs                         500               30              
 lspping                          500               30              
 vgmp                             500               30              
 vrrp                             500               30              
 bfd                              500               30              
 dns-client                       500               30              
 telnetv6-server                  500               30              
 telnetv6-client                  500               30              
 tftpv6-client                    500               30              
 icmpv6                           500               30              
 dnsv6                            500               30              
 sshv6-server                     500               30              
 mpls-oam                         500               30              
 rrpp                             500               30              
 802.1ag                          500               30              
 lacp                             500               30              
 unknown                          500               30              
 white-list                       500               30              
 hgmp                             500               30              
 bgpv6                            500               30              
 ftpv6-client                     500               30              
 ftpv6-server                     500               30              
 ipfpm                            500               30              
 snmpv6                           500               30              
 multicast                        500               30              
 multicastv6                      500               30              
 ipv6                             500               30              
 tcp                              500               30              
 udp                              500               30              
 eapol                            500               30              
 portal                           500               30              
 web                              500               30              
 l2tp                             500               30              
 dhcpv6                           500               30              
 nd                               500               30              
 fib-miss                         500               30              
 fib-missv6                       500               30              
 ttl-expired                      500               30              
 ttl-expiredv6                    500               30              
 lldp                             500               30              
 bfdv6                            500               30              
 arpmiss                          500               30              
 pim_mc                           500               30              
 openflow                         500               30              
 ra                               500               30              
 rs                               500               30              
 na                               500               30              
 ns                               500               30              
 web_auth_server                  500               30              
 diameter                         500               30              
 http-redirect-chasten            500               30              
 atm-inarp                        500               30              
 tcp-65410                        500               30              
 padi                             500               30              
 mka                              500               30              
 icmp-broadcast-address-echo      500               30              
 ---------------------------------------------------------------------
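When verifying the configuration, it helps to parse the two command outputs above rather than read them by eye. The following Python script is an added example, not code from the Huawei guide: it parses shortened copies of the guide's own display soc attack-trace threshold configuration and display soc attack-detect car threshold configuration outputs and flags protocols whose CPCAR thresholds deviate from the common baseline, an inverted CPU detect/alarm threshold pair, and probability levels that are not ordered.

```python
# Added example (not from the Huawei guide): parse the two 'display soc ...
# threshold configuration' outputs shown above and list settings an operator
# should review. The inputs are shortened copies of the guide's own output.
import re
from collections import Counter

CAR_OUTPUT = """\
 Attack detect CPU-usage Threshold     : 15
 Attack alarm CPU-usage Threshold      : 60
 ---------------------------------------------------------------------
 Protocol                         Car Rate(pps)     Car DropPktPct(%)
 arp                              500               30
 icmp                             300               30
 dhcp                             500               20
 bgp                              500               30
 ---------------------------------------------------------------------
"""

TRACE_OUTPUT = """\
 The following is probability configuration.
 Item                Determined(%)  Suspicion(%)   Notification(%)
 top5-user           95              65              55
 top5-source-ip      85              65              50
 app-error-percent   95              80              65
 ------------------------------------------------------------------------------
"""

CPU_LINE = re.compile(r"\s*Attack (detect|alarm) CPU-usage Threshold\s*:\s*(\d+)")
CAR_LINE = re.compile(r"\s*(\S+)\s+(\d+)\s+(\d+)\s*$")
PROB_LINE = re.compile(r"\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_car_thresholds(text):
    """Return ({'detect': n, 'alarm': n}, {protocol: (rate_pps, drop_pct)})."""
    cpu, protocols = {}, {}
    for line in text.splitlines():
        m = CPU_LINE.match(line)
        if m:
            cpu[m.group(1)] = int(m.group(2))
            continue
        m = CAR_LINE.match(line)
        if m:
            protocols[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return cpu, protocols


def parse_probability(text):
    """Return {item: (determined, suspicion, notification)} percentages."""
    probs = {}
    for line in text.splitlines():
        m = PROB_LINE.match(line)
        if m:
            probs[m.group(1)] = tuple(int(v) for v in m.groups()[1:])
    return probs


def check_thresholds(cpu, protocols, probs):
    """Return review findings; an empty list means nothing looks off."""
    findings = []
    # The guide's output has the detect threshold (15) below the alarm
    # threshold (60); flag configurations where that order is inverted.
    if cpu.get("detect", 0) >= cpu.get("alarm", 100):
        findings.append("cpu: detect threshold is not below alarm threshold")
    # Most protocols share one (rate, drop%) pair; any other pair is a
    # deliberate tuning that should be documented and re-checked.
    baseline = Counter(protocols.values()).most_common(1)[0][0]
    for proto, vals in sorted(protocols.items()):
        if vals != baseline:
            findings.append(f"{proto}: {vals} differs from baseline {baseline}")
    # Probability levels must satisfy determined >= suspicion >= notification.
    for item, (det, sus, note) in probs.items():
        if not det >= sus >= note:
            findings.append(f"{item}: probability levels are not ordered")
    return findings
```

Run against the full outputs from the device, the same checks flag icmp, dhcp, and pppoe as the only protocols tuned away from the 500 pps / 30% baseline.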
 
Updated: 2019-01-02

Document ID: EDOC1100055397

Views: 20396

Downloads: 39

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next