Referencing Services and Service Groups in Security Policies
A service is a set of one or more application protocols, identified by information such as the protocol type, source port, and destination port. A service group is a collection that contains services, other service groups, or both.
Firewalls identify common application protocols based on services and service groups. If the protocol type and port number of data traffic meet the conditions of a service, the traffic is treated as belonging to the corresponding application protocol. Specifying a service or service group in a security policy is therefore both common and necessary.
User-defined Services
By default, common well-known services (pre-defined services), such as HTTP, FTP, Telnet, and DNS, are provided on a firewall. On a live network, if the port number used by a protocol differs from that of the pre-defined service, you need to create a user-defined service. For example, the pre-defined ILS service uses port 1002, but certain older software versions use port 389 to receive ILS packets. In this case, you need to create a user-defined service with port number 389 and reference it in the security policy.
system-view
ip service-set new_ils type object //object indicates a user-defined service.
 service protocol tcp destination-port 389 //Specify the destination port number for the ILS service.
For TCP, UDP, and SCTP services, the source port and destination port numbers need to be specified. Typically, you only need to specify the destination port numbers.
For ICMP and ICMPv6 services, the type numbers and message codes need to be specified. The ICMP service is usually used by the ping and tracert network diagnosis tools, and typically the pre-defined ICMP service can be used directly. However, attackers also often use ICMP to probe the network or establish covert channels. If you have high security requirements, you can permit ICMP messages of only specific types.
Take ping as an example. Ping requires two types of ICMP messages: ICMP Echo Request (Type 8) and ICMP Echo Reply (Type 0). The source sends several consecutive ICMP Echo Request messages to the destination, and the destination replies with ICMP Echo Reply messages. If the source receives the ICMP Echo Reply messages within a specified period, the destination is reachable. When the firewall receives an Echo Request message from the source, it creates a session entry and forwards the message. When the Echo Reply messages returned by the destination match that session entry, the firewall forwards them as well.
In this case, you can customize an ICMP Echo Request service for use in security policies; only the request direction needs to be permitted, because the replies are matched against the session entry. For details about ICMP types and message codes, see RFC 792, Internet Control Message Protocol.
system-view
ip service-set ICMP_Echo_Request type object
 service protocol icmp icmp-type 8 //Customize ICMP type 8.
The PC in the Trust zone needs to ping the switch in the Untrust zone. The security policy is configured as follows:
security-policy
 rule name "Allow Ping"
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.10 24
  destination-address 10.1.2.10 24
  service ICMP_Echo_Request
  action permit
Configuring Service Groups
system-view
ip service-set MgtProt4 type group //group indicates a user-defined service group.
 service service-set ftp //Add a pre-defined service.
 service service-set ICMP_Echo_Request //Add a user-defined service.
ip service-set MgtProt type group
 service service-set MgtProt4 //Add a service group.
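To make the matching semantics of services and nested service groups concrete, the following added Python model (example code, not the firewall's own implementation) resolves a policy's service reference down through objects and groups and checks a packet against it. The service-set names come from the configuration above; the port 21 for the pre-defined ftp service, the Packet class, and the table layout are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp" (assumed packet model)
    dport: int = 0        # destination port, used for tcp/udp
    icmp_type: int = -1   # ICMP type, used for icmp

# Constructed table mirroring the service sets configured on the page.
# An "object" carries (protocol, field, (low, high)) match rules;
# a "group" carries the names of its members (objects or other groups).
SERVICE_SETS = {
    "ftp": {"type": "object", "rules": [("tcp", "dport", (21, 21))]},  # assumed port
    "new_ils": {"type": "object", "rules": [("tcp", "dport", (389, 389))]},
    "ICMP_Echo_Request": {"type": "object", "rules": [("icmp", "type", (8, 8))]},
    "MgtProt4": {"type": "group", "members": ["ftp", "ICMP_Echo_Request"]},
    "MgtProt": {"type": "group", "members": ["MgtProt4"]},
}

def _rule_matches(rule, pkt):
    proto, field_name, (lo, hi) = rule
    if pkt.proto != proto:
        return False
    value = pkt.dport if field_name == "dport" else pkt.icmp_type
    return lo <= value <= hi

def service_matches(name, pkt, seen=None):
    """True if pkt matches service set `name`; groups are resolved recursively."""
    if seen is None:
        seen = set()
    if name in seen:        # guard against a group that (indirectly) contains itself
        return False
    seen.add(name)
    entry = SERVICE_SETS[name]
    if entry["type"] == "object":
        return any(_rule_matches(r, pkt) for r in entry["rules"])
    return any(service_matches(m, pkt, seen) for m in entry["members"])

def policy_action(policy_service, pkt):
    """Action of a rule whose only service condition is `policy_service`."""
    return "permit" if service_matches(policy_service, pkt) else "deny"

if __name__ == "__main__":
    # Echo Request (type 8) is permitted by the "Allow Ping" rule; the Echo
    # Reply (type 0) is not in the policy, it is forwarded via the session entry.
    print(policy_action("ICMP_Echo_Request", Packet("icmp", icmp_type=8)))  # permit
    print(policy_action("ICMP_Echo_Request", Packet("icmp", icmp_type=0)))  # deny
```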