Implementation

CloudEngine 12800 and 12800E V200R005C10 Configuration Guide - Security

This document describes the configurations of Security, including AAA, 802.1x Authentication, ACL, TCAM ACL Customization, local attack defense, Microsegmentation, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, MACsec, DHCP snooping, IPSG, URPF, SSL, Keychain and FIPS.

About This Document
AAA Configuration
- Overview of AAA
- Understanding AAA
- Application Scenarios for AAA
- Licensing Requirements and Limitations for AAA
- Summary of AAA Configuration Tasks
- Configuring Local Authentication and Authorization
- Configuring RADIUS AAA
- Configuring HWTACACS AAA
- Clearing AAA Statistics
- Configuration Examples for AAA
  - Example for Configuring RADIUS Authentication and Accounting
  - Example for Configuring HWTACACS Authentication, Accounting, and Authorization
- Troubleshooting AAA
  - An AAA Local User Cannot Be Created Due to Incorrect Password Setting
802.1x Authentication Configuration
- Understanding 802.1x Authentication
- Application Scenarios for 802.1x Authentication
- Licensing Requirements and Limitations for 802.1x Authentication
- Default Settings for 802.1x Authentication
- Configuring 802.1x Authentication
- Maintaining 802.1x Authentication
  - Clearing Statistics on 802.1x Authentication Packets
  - Forcing Users Offline
- Configuration Examples for 802.1x Authentication
  - Example for Configuring 802.1x Authentication to Control Users' Internal Access
ACL Configuration
- Overview of ACLs
- Understanding ACLs
- Application Scenarios for ACLs
- Licensing Requirements and Limitations for ACLs
- Default Settings for ACLs
- Configuring a Basic ACL
- Configuring an Advanced ACL
- Configuring a Layer 2 ACL
- Configuring a User-defined ACL
- Configuring an ARP-based ACL
- Configuring a Basic ACL6
- Configuring an Advanced ACL6
- Maintaining an ACL
  - Clearing ACL Statistics
  - Checking ACL Resource Usages
- Configuration Examples for ACLs
- ACL FAQ
  - Which Packets Cannot Be Filtered by the ACL Used by a Traffic Policy?
TCAM ACL Customization Configuration
- Overview of TCAM ACL Customization
- Licensing Requirements and Limitations for TCAM ACL Customization
- Configuring TCAM ACL Customization
  - Enabling TCAM ACL Customization
  - Configuring the TCAM ACL Customization Function for Services
- Displaying Information about a TCAM ACL Customization Profile or Preset Profile
- Configuration Examples for TCAM ACL Customization
  - Example for Configuring TCAM ACL Customization
Microsegmentation Configuration
- Overview of Microsegmentation
- Understanding Microsegmentation
- Application Scenarios for Microsegmentation
- Licensing Requirements and Limitations for Microsegmentation
- Configuring Microsegmentation
- Maintaining Microsegmentation
  - Checking Microsegmentation Statistics
  - Clearing Microsegmentation Statistics
- Configuration Examples for Microsegmentation
  - Example for Configuring IP Address-based Microsegmentation
Local Attack Defense Configuration
- Overview of Local Attack Defense
- Licensing Requirements and Limitations for Local Attack Defense
- Default Settings for Local Attack Defense
- Configuring CPU Attack Defense
- Configuring Attack Source Tracing
- Maintaining Local Attack Defense
- Configuration Examples for Local Attack Defense
  - Example for Configuring Local Attack Defense
- Troubleshooting Local Attack Defense
MFF Configuration
- Overview of MFF
- Understanding MFF
- Application Scenarios for MFF
- Licensing Requirements and Limitations for MFF
- Configuring MFF
- Configuration Examples for MFF
  - Example for Configuring MFF to Implement Layer 2 Isolation and Layer 3 Connection
- Troubleshooting MFF
  - Users Fail to Access the Internet After MFF Is Configured
Attack Defense Configuration
- Overview of Attack Defense
- Understanding Attack Defense
- Application Scenarios for Attack Defense
- Licensing Requirements and Limitations for Attack Defense
- Default Settings for Attack Defense
- Configuring Defense Against Malformed Packet Attacks
- Configuring Defense Against Packet Fragment Attacks
- Configuring Defense Against Flood Attacks
- Clearing Attack Defense Statistics
- Configuration Examples for Attack Defense
  - Example for Configuring Attack Defense
Traffic Suppression and Storm Control Configuration
- Overview of Traffic Suppression and Storm Control
- Understanding Traffic Suppression and Storm Control
  - Traffic Suppression
  - Storm Control
- Application Scenarios for Traffic Suppression and Storm Control
  - Traffic Suppression
  - Storm Control
- Licensing Requirements and Limitations for Traffic Suppression and Storm Control
- Default Settings for Traffic Suppression and Storm Control
- Configuring Traffic Suppression
- Configuring Storm Control
- Configuration Examples for Traffic Suppression and Storm Control
  - Example for Configuring Traffic Suppression
  - Example for Configuring Storm Control
ARP Security Configuration
- Overview of ARP Security
- Understanding ARP Security
- Application Scenarios for ARP Security
  - Defense Against ARP Flood Attacks
  - Defense Against ARP Spoofing Attacks
- Licensing Requirements and Limitations for ARP Security
- Default Settings for ARP Security
- Configuring Defense Against ARP Flood Attacks
- Configuring Defense Against ARP Spoofing Attacks
- Maintaining ARP Security
- Configuration Examples for ARP Security
  - Example for Configuring ARP Security Functions
  - Example for Configuring Defense Against ARP MITM Attacks
Port Security Configuration
- Overview of Port Security
- Understanding Port Security
- Application Scenarios for Port Security
- Licensing Requirements and Limitations for Port Security
- Default Settings for Port Security
- Configuring Port Security
- Configuration Examples for Port Security
  - Example for Configuring Port Security
MACsec Configuration
- Overview of MACsec
- Understanding MACsec
- Application Scenarios for MACsec
- Default Configuration
- Licensing Requirements and Limitations for MACsec
- Configuring MACsec
- Maintaining MACsec
  - Displaying MACsec Statistics
  - Clearing MACsec Statistics
- Configuration Examples for MACsec
  - Example for Configuring Point-to-Point MACsec
DHCP Snooping Configuration
- Overview of DHCP Snooping
- Understanding DHCP Snooping
  - DHCP Snooping Fundamentals
  - Option 82 Supported by DHCP Snooping
- Application Scenarios for DHCP Snooping
- Licensing Requirements and Limitations for DHCP Snooping
- Default Settings for DHCP Snooping
- Configuring Basic Functions of DHCP Snooping
- Configuring DHCP Snooping Attack Defense
- Inserting the Option 82 Field in a DHCP Message
- Maintaining DHCP Snooping
- Configuration Examples for DHCP Snooping
  - Example for Configuring DHCP Snooping Attack Defense
- Troubleshooting DHCP Snooping
  - DHCP Clients Cannot Go Online Due to DHCP Snooping
IPSG Configuration
- Overview of IPSG
- Licensing Requirements and Limitations for IPSG
- Default Settings for IPSG
- Configuring IPSG
- Maintaining IPSG
  - Checking Statistics on Discarded IP Packets
  - Clearing Statistics on Discarded IP Packets
- Configuration Examples for IPSG
  - Example for Configuring IPSG to Check Interface + IP + MAC Binding Entries
URPF Configuration
- Overview of URPF
- Understanding URPF
- Application Scenarios for URPF
- Licensing Requirements and Limitations for URPF
- Default Settings for URPF
- Configuring URPF
- Configuration Examples for URPF
  - Example for Configuring URPF (CE12800)
  - Example for Configuring URPF (CE12800E)
SSL Configuration
- Overview of SSL
- Understanding SSL
- Application Scenarios for SSL
  - Application of SSL in Information Center
- Licensing Requirements and Limitations for SSL
- Configuring SSL
  - Configuring an SSL Policy
  - Applying an SSL Policy
- Configuration Examples for SSL
  - Example for Outputting SSL-Encrypted Logs to a Log Host
Keychain Configuration
- Overview of Keychains
- Understanding Keychains
- Application Scenarios for Keychains
- Licensing Requirements and Limitations for Keychain
- Configuring a Keychain
- Configuration Examples for Keychains
  - Example for Applying the Keychain to RIP
  - Example for Applying the Keychain to BGP
FIPS Configuration
- Overview of FIPS
- Configuring the FIPS Mode
Separating the Management Port from the Service Plane
Checking Security Risks
Setting the System Master Key

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Implementation

SSL implementation consists of two stages: the handshake process and data transmission process.

Handshake Process: authenticates the server and client and negotiates a key and a cipher suite including an encryption algorithm, a key exchange algorithm, and a MAC algorithm. The handshake process must be completed before data transmission starts.
Data Transmission Process: uses the negotiated key and cipher suite to divide data into a series of protected records and transmits the records.

Handshake Process

A client and a server set up a session using the SSL Handshake Protocol to authenticate the identities of the two parties and negotiate the key and cipher suite. Figure 16-2 shows the SSL handshake process. The Change Cipher Spec message is based on the SSL Change Cipher Spec Protocol, and other messages exchanged in the handshake process are based on the SSL Handshake Protocol, and are SSL handshake messages.

It is optional for an SSL server to authenticate a client's identity. That is, Steps 4, 6, and 8 in Figure 16-2 are optional.

Figure 16-2 SSL handshake process

An SSL client sends a Client Hello message to an SSL server to start the handshake process. The Client Hello message carries information about the SSL version and cipher suite supported by the client.
The server replies to the client with a Server Hello message, carrying the specified version and cipher suite. If the server allows the client to reuse the session in subsequent communication, the server allocates a session ID for the session.
The server sends a digital certificate carrying its public key information to the client, allowing the client to authenticate server identity.
(Optional) The server requests that the client provide a certificate, so that the server can authenticate the client identity.
The server sends a Server Hello Done message to the client, indicating that the SSL protocol version and cipher suite negotiation finishes and key exchange starts.
(Optional) The client sends its certificate to the server.
After verifying the validity of the digital certificate of the server, the client responds with a Client Key Exchange message carrying a randomly generated key, which is encrypted using the public key in the server's certificate.

The randomly generated key, which is called the premaster secret, is used to calculate the symmetric key and MAC key but cannot be used to encrypt data or calculate the MAC value. The client and server use the premaster secret to calculate the same master secret and then use the master secret to calculate the symmetric key and MAC key. Therefore, the premaster secret is of great importance in calculating the symmetric key and MAC key.
(Optional) The client sends a Certificate Verify message to the client, so that the server can authenticate the client identity.

The client computes the hash value using handshake messages and the master secret, encrypts the hash value using its private key, and then sends the hash value to the server through the Certificate Verify message. The server computes the hash value using handshake messages and the master secret, decrypts the received Certificate Verify message using the public key in the client's certificate, and then compares the decrypted value with the hash value. If the two values are the same, the client passes identity authentication.
The client sends a Change Cipher Spec message to notify the server that encryption and MAC computation of every subsequent message will be performed based on the key generated using the master secret and cipher suite.
The client sends a Finished message to request that the server verify security of the handshake process.

The client computes a hash value for the exchanged handshake messages, uses the negotiated key and cipher suite to process the hash value (for example, computing, adding MAC, and encrypting the value), and sends a Finished message containing the processed hash value to the server. The server computes a hash value in the same way, decrypts the received Finished message, and compares the two values. If they are the same, MAC verification succeeds and the negotiation of key and cipher suite is successful.

A hash value is a fixed-length message that is converted from an arbitrary-length message by using a hash algorithm (MD5 or SHA).
The server sends a Change Cipher Spec message to notify the client that encryption and MAC computation of every subsequent message will be performed based on the key generated using the master secret and cipher suite.
The server sends a Finished message to request that the client verify security of the handshake process.

The server computes a hash value for the exchanged handshake messages, uses the negotiated key and cipher suite to process the hash value (for example, computing, adding MAC, and encrypting the value), and sends a Finished message containing the processed hash value to the client. The client computes a hash value in the same way, decrypts the received Finished message, and compares the two values. If they are the same, MAC verification succeeds and the negotiation of key and cipher suite is successful.

The SSL client completes authenticating the server identity after the handshake succeeds. Only after the SSL server with a private key decrypts the premaster secret from the Client Key Exchange message, the subsequent handshake process can be successful.

Asymmetric cryptography is used to encrypt keys and authenticate peers during the handshake process between the client and server. The computation consumes considerable system resources. To simplify the SSL handshake process, SSL supports resuming of a negotiated session, as shown in Figure 16-3. The details are as follows:

Figure 16-3 SSL handshake process when session resuming is supported

The client sends a Client Hello message. The session ID in this message is set to the ID of the session to be resumed.
If the server allows this session to be resumed, it replies with a Server Hello message carrying the same session ID. The client and server can subsequently use the key and cipher suite of the resumed session without additional negotiation.
The client sends a Change Cipher Spec message to notify the server that encryption and MAC computation of every subsequent message will be performed based on the key and cipher suite of the original session.
The client computes a hash value for the exchanged handshake messages, uses the negotiated key and cipher suite of the original session to process the hash value, and then sends a Finished message to the server so that the server can check whether the key and cipher suite are correct.
Similarly, the server sends a Change Cipher Spec message to notify the client that encryption and MAC computation of every subsequent message will be performed based on the key and cipher suite of the original session.
The server computes a hash value for the exchanged handshake messages, uses the negotiated key and cipher suite for the original session to process the hash value, and then sends a Finished message to the client so that the client can check whether the key and cipher suite are correct.

Data Transmission Process

The client and server can exchange application layer data after the handshake process completes. Data transmission is implemented using the SSL record protocol during the process.

Figure 16-4 illustrates the data transmission process. The device uses the SSL record protocol to perform the following operations:

Receive application layer data
Divide the data into manageable blocks
Compress the data (optional)
Add a MAC
Encrypt the data using an encryption algorithm
Add an SSL record header to the packet

After receiving application layer data, the device performs the operations in the following sequence: decapsulation, verification, decompression, and reassembling.

Figure 16-4 Data transmission process

Handshake Process
Data Transmission Process

Translation

简体中文

Download

Updated: 2021-09-17

Document ID: EDOC1100075347

Downloads: 99

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate

Handshake Process

Data Transmission Process

Related Version

Related Documents

Digital Signature File