Firewall Security Policy: Referencing Objects in Security Policies

This document describes common objects on Huawei firewalls and how to reference objects in security policies.

Referencing Objects in Security Policies

What Is an Object?

On firewalls, IP addresses, services, and other elements are used as matching conditions not only in security policies but also in NAT policies, proxy policies, authentication policies, and PBRs. To simplify configuration, Huawei firewalls introduce the concept of an "object". An object is a set of common elements, such as IP addresses, services, and applications. After creating an object, you can reference it directly in various service policies without repeatedly entering or selecting the same elements. To change the scope of several service policies at once, you only need to modify the object they reference. Using objects significantly reduces management cost and improves maintenance efficiency.

Referencing Address Objects and Address Groups in Security Policies

IP addresses are the most commonly used matching condition for security policies, so address objects and address groups are the most widely used objects. When creating an object, group together the elements that share the same characteristics and require the same access permissions. For example, if all database servers are deployed in the same security zone and occupy a contiguous IP address segment, you can add that segment to an address object and reference the address object in a security policy.

Address Object

An address object is a set of addresses, including one or more IPv4 addresses, IPv6 addresses, and MAC addresses. An address object can be directly referenced by various service policies or added to one or more address groups.

# Create an address object named Research_Dept and specify the IP address range.

ip address-set Research_Dept type object     //object indicates the address object.
 address 10 range 192.168.1.1 192.168.1.120  //192.168.1.1 and 192.168.1.120 indicate the start and end addresses of an IPv4 address segment respectively.

It is the most common practice to use the start and end addresses to specify the range of an address object. You can also use the wildcard, mask, or mask length to specify an address range.

# Use a wildcard to specify an address range. The wildcard is in dotted decimal notation. In binary, bit positions where the wildcard is 0 must match the specified address, and positions where it is 1 are ignored. For example, 192.168.1.1/0.0.0.255 indicates all IP addresses in 192.168.1.* format.

ip address-set Research_Dept type object 
 address 11 192.168.1.1 0.0.0.255  //Use the wildcard to specify an address range.

# Use the mask to specify an address range. The mask is in dotted decimal notation. In binary, bit positions where the mask is 1 must match the specified address, and positions where it is 0 are ignored. For example, 192.168.1.1/255.255.255.0 indicates all addresses in 192.168.1.* format.

ip address-set Research_Dept type object 
 address 11 192.168.1.1 mask 255.255.255.0  //Use the mask to specify an address range

# Specify the address range by using the mask length.

ip address-set Research_Dept type object 
 address 11 192.168.1.1 mask 24  //Use the mask length to specify an address range.

When you add a MAC address to an address object, the address format can be XXXX-XXXX-XXXX, XX:XX:XX:XX:XX:XX, or XX-XX-XX-XX-XX-XX (each X is one hexadecimal digit).

ip address-set Research_Dept type object 
 address 12 68-05-CA-90-A1-C9

Address Group

An address group is also a set of addresses. Unlike an address object, an address group can contain addresses, address objects, and other address groups. This makes large numbers of address objects and address groups easier to manage.

The method of adding an address to an address group is the same as that of adding an address to an address object. The following describes how to add an address object and an address group to another address group.

ip address-set R&D_Dept type group   //group indicates the address group.
 address address-set Research_Dept   //Add the address object Research_Dept to the address group R&D_Dept.
 address address-set Test_Dept

ip address-set Product type group
 address address-set R&D_Dept        //Add the address group R&D_Dept to the address group Product.

Referencing an Address Group in a Security Policy

The following describes how to use an address group to prohibit R&D_Dept from accessing HR services in the DMZ.

security-policy   
  rule name "Deny R&D_Dept to HR"  
    source-zone trust
    destination-zone dmz 
    source-address address-set R&D_Dept   //Specify source addresses in address group mode.
    service HRService                     //Enter customized HR service.
    action deny 

Address Exclusion

When referencing an address group in a security policy, you can exclude specific IP addresses from the address group based on service requirements. For example, you can configure a security policy that prevents the R&D department (address group R&D_Dept: 192.168.1.1/24), except 192.168.1.66, from accessing the HR service in the DMZ.

security-policy   
  rule name "Deny R&D_Dept to HR"  
    source-zone trust
    destination-zone dmz 
    source-address address-set R&D_Dept   //Specify the source addresses (192.168.1.1/24) in address set mode.
    source-address-exclude 192.168.1.66 32   //Exclude the IP address.
    service HRService                     //Enter customized HR service.
    action deny 
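The following Python model is added here as an illustration; it is not part of the original documentation or Huawei's code. It implements the three address-range forms shown above (range, wildcard, mask or mask length) together with nested address groups and source-address-exclude, so the effect of the exclusion in the rule above can be checked against sample addresses. The address sets it defines are constructed for the example and differ from the page's own ranges.

```python
import ipaddress
from typing import Dict, List, Set, Tuple, Union


def _u32(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """address <id> <base> <wildcard>: wildcard bits set to 0 must match, bits set to 1 are ignored."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(ip) & care) == (_u32(base) & care)


def mask_match(ip: str, base: str, mask: Union[str, int]) -> bool:
    """address <id> <base> mask <mask|length>: mask bits set to 1 must match, bits set to 0 are ignored."""
    m = (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF if isinstance(mask, int) else _u32(mask)
    return (_u32(ip) & m) == (_u32(base) & m)


def range_match(ip: str, start: str, end: str) -> bool:
    """address <id> range <start> <end>: inclusive address range."""
    return _u32(start) <= _u32(ip) <= _u32(end)


MATCHERS = {"range": range_match, "wildcard": wildcard_match, "mask": mask_match}

# Constructed address objects (type object) and groups (type group). A ("set", name)
# entry stands for an 'address address-set <name>' line, so groups nest.
ADDRESS_SETS: Dict[str, List[Tuple]] = {
    "Research_Dept": [("range", "192.168.1.1", "192.168.1.120"),
                      ("wildcard", "192.168.2.1", "0.0.0.255")],
    "Test_Dept": [("mask", "192.168.3.1", "255.255.255.0")],
    "R&D_Dept": [("set", "Research_Dept"), ("set", "Test_Dept")],
    "Product": [("set", "R&D_Dept")],
}


def in_address_set(ip: str, name: str, sets=ADDRESS_SETS, _seen: Set[str] = None) -> bool:
    """Resolve nested address objects and groups. A set already evaluated for this ip
    either matched (we returned) or did not, so revisiting it is skipped; this also
    terminates a group that (mis)references itself."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return False
    _seen.add(name)
    for kind, *args in sets[name]:
        if kind == "set":
            if in_address_set(ip, args[0], sets, _seen):
                return True
        elif MATCHERS[kind](ip, *args):
            return True
    return False


def source_matches(ip: str, address_set: str, excludes=()) -> bool:
    """source-address address-set X plus zero or more source-address-exclude <ip> <len>
    lines: an excluded host never matches this rule and falls through to later rules."""
    if any(mask_match(ip, base, length) for base, length in excludes):
        return False
    return in_address_set(ip, address_set)


def deny_rd_to_hr(src_ip: str) -> str:
    """The 'Deny R&D_Dept to HR' rule with 192.168.1.66/32 excluded: 'deny' on a hit,
    'next-rule' when the rule does not match and policy lookup continues."""
    hit = source_matches(src_ip, "R&D_Dept", [("192.168.1.66", 32)])
    return "deny" if hit else "next-rule"
```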

Referencing Regions and Region Groups in Security Policies

A region maps public IP addresses to a geographical location, and a region group is a set of regions. A region or region group is therefore essentially an IP address group, and you can use them to configure security policies based on geographical location. For example, an enterprise provides web services to external users and, for security reasons, denies access from country A. In this case, you configure a security policy with the source address set to country A and the action set to deny, which prevents users in country A from accessing the web service.

To simplify user operations, Huawei firewalls provide the geolocation database (pre-defined regions). Pre-defined regions in China can be set at the province or city level, and pre-defined regions outside China can be set at the country level.

The geolocation database is an IP address group divided by country and region. It is collected and maintained by Huawei and can be updated periodically or manually through the upgrade center. Because the database can lag behind actual IP address allocations, three user-defined configuration methods are available on the firewall. A user-defined region takes priority over a pre-defined region.

  • User-defined region: You can manually create a region and add IP addresses that meet the requirements to it.
  • Adding an IP address to a pre-defined region: If an IP address is missing in a pre-defined region, you can add it to the pre-defined region.
  • Excluding an IP address from a pre-defined region: If an IP address is incorrectly classified into a region, you can add the IP address to the correct region or an unknown region.

User-defined Region

User-defined regions are isolated and do not belong to pre-defined regions. Private IP addresses are used on the local area network (LAN) and do not belong to any geographical country or region. By default, private IP addresses belong to the unknown zone. To manage and display LAN services by region, you can create a user-defined region for the private IP addresses of the LAN.

# Create a user-defined region named HangZhouBranch and add the local LAN address segment to it.

location
 geo-location user-defined HangZhouBranch
  description Hangzhou branch
  add address 10.10.1.0 mask 24

Adding IP Addresses to a Pre-defined Region

If an IP address is not assigned to the correct region, service access may be affected. For example, an administrator configures a security policy that allows users from region A to access web services, but a PC in region A cannot access them. If the security policy is configured correctly, the IP address of the PC has most likely been assigned to another region. In this case, you can add the IP address to region A.

# Add IP address segment 10.20.20.20 to 10.20.20.30 to a pre-defined region named BeiJing.

location
 geo-location pre-defined BeiJing
  add address range 10.20.20.20 10.20.20.30

Excluding IP Addresses from a Pre-defined Region

You can exclude IP addresses by adding the IP addresses to another region. You cannot run a command to delete the IP addresses from the current region. If you know the actual region to which these IP addresses belong, you can add these IP addresses to the corresponding region by referring to "Adding IP Addresses to a Pre-defined Region". Otherwise, you can add them to the unknown region.

# Exclude IP address range 10.10.10.1 to 10.10.10.20 from pre-defined region BeiJing and add it to the unknown zone.

location
 geo-location pre-defined unknown-zone
  add address range 10.10.10.1 10.10.10.20

Referencing Region Groups in Security Policies

The following describes how to use a region group to prevent certain countries from accessing the HTTPS service in the DMZ.

# Create region group Five. When adding countries in the command line, you can use the two-digit country code defined by the ISO standard or directly enter the country names.

location
 geo-location-set Five
  add geo-location AU          //Add Australia using a two-digit country code.
  add geo-location CA
  add geo-location NewZealand    //Enter the country name directly. Country names are case-sensitive and must be entered without spaces.
  add geo-location UnitedKingdom
  add geo-location UnitedStates

Because there are many countries and regions and their names must be typed exactly in the command line, configuring region groups on the web UI is recommended. In the Available area, you can enter a country name in the search box to quickly locate and select the country.

# Configure a security policy to deny traffic from source address Five to access the HTTPS service.

security-policy   
  rule name "Deny Five"  
    source-zone untrust
    destination-zone dmz 
    source-address geo-location Five   // Specify the source addresses using the region group
    service protocol https
    action deny 

Referencing Domain Groups in Security Policies

As the name implies, a domain group is a set of domain names. Because the firewall matches traffic against the IP addresses the domain names resolve to, a domain group is in effect also an IP address group.

In a dynamic network environment, IP addresses keep changing. It is difficult for network administrators to trace IP address changes and update security policies promptly. In this case, you can use the domain group instead of the IP address as the matching condition of a security policy. Common application scenarios are as follows:

  • Permitting or blocking all traffic destined for a specified domain name. For example, the web server with the domain name www.example.com in the data center needs to access the image server with the domain name img.hi4example.com.
  • Blocking traffic destined for a specified domain name while permitting traffic destined for one of its subdomains. For example, employees are not allowed to access salesforce.com but are allowed to access huawei.my.salesforce.com.
  • Preventing employees from accessing the Internet while still allowing software to update automatically. For example, the Windows operating system needs to download patches from the Windows Server Update Services (WSUS) server frequently, and the virus library of antivirus software needs to be updated periodically.

Working Principles of Domain Groups

To access a service by domain name, a client first sends a DNS request to the DNS server. The firewall parses the response packet from the DNS server to obtain the mapping between the domain name and IP address, checks whether the domain name belongs to a domain group, and if so records the mapping in the domain name mapping table. When the client then sends a service request to the server, the firewall checks the security policy against the domain name mapping table. In this scenario, the client's DNS request packets must pass through the firewall, as shown in Figure 1-1.

Figure 1-1 Basic working principles of domain groups

If the client's DNS requests do not pass through the firewall, the firewall cannot learn the mapping between the domain name and IP address from the DNS response packets. In this case, you need to configure a DNS server on the firewall; the firewall then sends DNS requests itself to obtain the domain name mapping. If the TTL is less than 7 minutes, the firewall sends a DNS request every 3 minutes to refresh the domain name mapping table. Because different DNS servers may return different resolution results depending on geographical location, time zone, and load balancing configuration, the DNS server configured on the firewall must be the same one the client uses.

The domain name mapping table is stored in the firewall's memory and is cleared when the firewall restarts. Because the client still has the result in its DNS cache, it does not send a new DNS request, so the firewall cannot rebuild the mapping table from client traffic. In this case, you also need to configure a DNS server on the firewall.

Considering the possibility of firewall restart, you are advised to configure a DNS server on a firewall regardless of whether a DNS request from the client passes through the firewall.

Configuring a Domain Group

The Windows operating system update scenario is used as an example. The complete configuration of a domain group includes three steps.

1. Configure a domain group. Many domain names are used for Windows operating system update. For details, see Microsoft official documents. The domain name list here is used only as an example and may not be complete.

system-view
 domain-set name WindowsUpdate
  description WindowsUpdate
  add domain windowsupdate.microsoft.com
  add domain *.windowsupdate.microsoft.com
  add domain *.update.microsoft.com
  add domain *.windowsupdate.com
  add domain download.microsoft.com
  add domain wustat.windows.com

The domain names added to a domain group can be a specific domain name (download.example.com) or a domain name with a wildcard (*.example.com). The following domain names can match *.example.com:

  • www.example.com
  • news.example.com
  • www.news.example.com

If a wildcard is used, the domain name can contain only one "*" and must start with "*". The supported formats of domain names with a wildcard are listed in Table 1-1.

Table 1-1 Formats of domain names with a wildcard

Supported Domain Name Format
  • *.example.com
  • *.a.example.com
  • *.a.b.example.com

Unsupported Domain Name Format
  • *.com or *.net (too many domain names involved to handle)
  • *.*.example.com (You can use *.example.com instead.)
  • *.example.*.com (Only one wildcard character is allowed.)
  • example.*.com (The wildcard must replace the leftmost label in a domain name.)
  • *example.com or example*.com (The wildcard must replace the entire label of a domain name.)
  • *.a.b.c.example.com (A domain name with a maximum of five labels is valid.)
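To make the rules of Table 1-1 and the mapping-table behaviour described under "Working Principles of Domain Groups" concrete, here is a Python model written for this page (not Huawei code): it validates wildcard patterns, matches hostnames, and fills a mapping table from the A and CNAME records of a constructed DNS response, using the page's WindowsUpdate domain names as the sample set. The CDN name and the 203.0.113.x addresses in the response are invented.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

MAX_LABELS = 5                                  # Table 1-1: at most five labels
LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")


def validate_domain_pattern(pattern: str) -> Optional[str]:
    """None if the pattern is accepted, otherwise the Table 1-1 reason it is rejected."""
    labels = pattern.lower().split(".")
    if "" in labels or len(labels) < 2:
        return "malformed domain name"
    if len(labels) > MAX_LABELS:
        return "a domain name with a maximum of five labels is valid"
    if pattern.count("*") > 1:
        return "only one wildcard character is allowed"
    if "*" in pattern:
        if labels[0] != "*":                    # example.*.com, *example.com, example*.com
            return "the wildcard must replace the entire leftmost label"
        if len(labels) < 3:                     # *.com, *.net
            return "too many domain names involved to handle"
        labels = labels[1:]
    bad = [lbl for lbl in labels if not LABEL_RE.match(lbl)]
    return f"invalid label {bad[0]!r}" if bad else None


def domain_matches(pattern: str, hostname: str) -> bool:
    """'*.example.com' covers every name under example.com (www.news.example.com too)
    but not example.com itself; a pattern without a wildcard must match exactly."""
    p, h = pattern.lower(), hostname.lower()
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]                              # ".example.com"
    return len(h) > len(suffix) and h.endswith(suffix)


class DomainSet:
    """A domain-set plus the domain name mapping table the firewall builds from the DNS
    responses it sees (Figure 1-1). Hypothetical model for this page, not Huawei code."""

    def __init__(self, name: str, patterns: List[str]) -> None:
        self.name = name
        for p in patterns:
            reason = validate_domain_pattern(p)
            if reason:
                raise ValueError(f"{p}: {reason}")
        self.patterns = [p.lower() for p in patterns]
        self.mapping: Dict[str, Tuple[str, int]] = {}   # ip -> (pattern hit, expiry time)

    def owns(self, hostname: str) -> Optional[str]:
        """The first pattern of the set that covers hostname, or None."""
        return next((p for p in self.patterns if domain_matches(p, hostname)), None)

    @staticmethod
    def _aliases_of(target: str, cnames: Dict[str, str]) -> Set[str]:
        """target plus every name whose CNAME chain ends at target."""
        names = {target}
        while True:
            new = {alias for alias, t in cnames.items() if t in names} - names
            if not new:
                return names
            names |= new

    def learn(self, answers: List[Tuple[str, str, str, int]], now: int) -> int:
        """Store the A records of a DNS response given as (name, type, rdata, ttl) tuples.
        CNAME chains are followed so that an aliased name in the set still yields its
        final addresses (resolution failure cause 4). Returns how many mappings were stored."""
        cnames = {n.lower(): t.lower() for n, rtype, t, _ in answers if rtype == "CNAME"}
        stored = 0
        for name, rtype, rdata, ttl in answers:
            if rtype != "A":
                continue
            for owner in self._aliases_of(name.lower(), cnames):
                pattern = self.owns(owner)
                if pattern:
                    self.mapping[rdata] = (pattern, now + ttl)
                    stored += 1
                    break
        return stored

    def policy_matches(self, dst_ip: str, now: int) -> bool:
        """The destination-address domain-set check at forwarding time: only a destination
        present in the unexpired mapping table matches the rule."""
        entry = self.mapping.get(dst_ip)
        return entry is not None and entry[1] > now


# Domain names taken from the page's WindowsUpdate example.
WINDOWS_UPDATE = DomainSet("WindowsUpdate", [
    "windowsupdate.microsoft.com", "*.windowsupdate.microsoft.com", "*.update.microsoft.com",
    "*.windowsupdate.com", "download.microsoft.com", "wustat.windows.com",
])

# Constructed DNS response: download.microsoft.com is aliased (CNAME) to an invented CDN name
# before the A record; the last answer is for a name outside the set and must be ignored.
SAMPLE_RESPONSE = [
    ("download.microsoft.com", "CNAME", "dl.example-cdn.net", 300),
    ("dl.example-cdn.net", "A", "203.0.113.10", 60),
    ("www.microsoft.com", "A", "203.0.113.99", 60),
]
```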

2. Configure a DNS server on the firewall. The DNS server must be the same as that used by the client. Here, the Google Public DNS server is used as an example.

system-view
 dns resolve
 dns server 8.8.8.8
 dns server 8.8.4.4

3. Run the following commands to reference a domain group in a security policy. Note that you must also configure a security policy for DNS request packets.

security-policy
 rule name "Allow Windows update" 
  source-zone trust    
  destination-zone untrust  
  source-address 10.1.1.10 24
  destination-address domain-set WindowsUpdate    //Reference the created domain name group.
  action permit
 rule name "Allow DNS"
  source-zone trust   //Allow DNS request packets from the client to pass through the firewall.
  source-zone local   //Allow the firewall to send DNS request packets.
  destination-zone untrust   //Set the zone where the DNS server is located.
  destination-address address-set 114DNS   //Set the destination IP address to that of 114DNS.
  service dns
  action permit

After the configuration is complete, ping a domain name in the domain group from the client to trigger DNS resolution. Then run the display domain-set verbose domain-name command to check the resolved IP addresses.

<sysname> display domain-set verbose WindowsUpdate 
Domain-set: WindowsUpdate 
Description: WindowsUpdate   
Reference number(s): 1         
Item number(s): 6             
Item(s):    
 Domain: windowsupdate.microsoft.com
 ID     : 0                                                                    
 Total IP Address: 1                                                            
  IP Address: 52.185.71.28                                                   
  TTL        : 38400 seconds                                                    
  Left Time : 38400 seconds                                                     
  Hit Times : 1
 Domain: *.windowsupdate.microsoft.com 
 ID    : 1 
 Total IP Address: 0     
 Domain: *.update.microsoft.com 
 ID    : 2 
 Total IP Address: 0     
 Domain: *.windowsupdate.com 
 ID    : 3 
 Total IP Address: 0     
 Domain: download.microsoft.com 
 ID    : 4 
 Total IP Address: 0     
 Domain: wustat.windows.com 
 ID    : 5 
 Total IP Address: 0  

Common Causes of Domain Name Resolution Failures

1. DNS requests from clients do not pass through the firewall. Configure the same DNS server on the firewall.

2. The client has a DNS cache and therefore does not send a DNS request. Clear the DNS cache on the client or on the firewall.

For the client on the Windows operating system: run the ipconfig /flushdns command.

For the firewall: run the reset dns dynamic-host command.

3. Local domain name resolution is configured in the hosts file on the client. Delete the local domain name.

4. The domain name specified in the domain group is an alias. Earlier firewall versions support only the DNS A record type. When a domain name is an alias, the DNS response carries a CNAME record, and such a firewall cannot resolve the final IP address. The latest firewall version supports both A and CNAME record types. Upgrade the firewall to the latest version.

Referencing Users and User Groups in Security Policies

A user is the actor who accesses network resources and is therefore an important identifier of network access behavior. This makes users a valuable basis for firewalls to perform network access control.

When user management and authentication are deployed on a firewall, the firewall can identify IP addresses of network traffic as users and record the mapping between users and IP addresses in the online user table. Configuring security policies based on users is essentially applying security policies based on the IP addresses of the users. User-based security policies improve the usability and accuracy of access control.

  • The configuration of users and user groups reflects the real organizational structure. User-based access control matches real service requirements and is easy to understand, which improves policy usability.
  • The online user table records the IP addresses currently used by logged-in users. Because policies are bound to users rather than to fixed IP addresses, access control keeps working in scenarios where IP addresses change dynamically.

User Organizational Structure

The user organizational structure on a firewall mirrors the organization's real structure and is the basis for user-specific access control. It contains two types of user objects in two dimensions, as shown in Table 1-2.

Table 1-2 Two user organizational structures

Vertical dimension (practical significance: real organizational structure)
  • User object: user group/user
  • Applicable scenario: A user belongs to a user group (department), which reflects a typical tree structure and the subordinate relationship. Administrators can create user groups (departments) and users based on the organizational structure, which is easy to query and locate.

Horizontal dimension (practical significance: logical grouping)
  • User object: security group
  • Applicable scenario: Logical groups across multiple departments are based on security levels or service access permissions, meeting management requirements. Some third-party authentication servers have similar horizontal groups, which correspond to security groups for interconnection.

In other words, user group – user shows a vertical organizational structure, which reflects the ownership of users. A security group is a horizontal logical structure, which reflects the security level and service access permissions. Security groups have two typical application scenarios:

  • Cross-department groups can be created based on projects. Access control policies can be configured for users from different departments who are added to the same security group.
  • An enterprise has adopted a third-party authentication server and enabled horizontal groups (such as security groups on the AD server and static and dynamic groups on the SUN ONE LDAP server). To configure policies based on these groups, the administrator needs to create security groups with the same organizational structure as that on the authentication server.

For details about the principles and configuration methods of users, user groups, and security groups, see the product documentation.

Referencing Users, User Groups, or Security Groups in Security Policies

When a user group, security group, or user is referenced as a matching condition of a security policy, a user has all access permissions of the user groups and security groups to which the user belongs. Note that when a user group and a security group are referenced in a security policy, the way users inherit the policy differs slightly between the two group types.

  • User group: Affiliated users in a user group and users in all lower-level user groups inherit the security policies and access permissions of the user group.
  • Security group: Only affiliated users inherit the security policies and access permissions of a security group. Users in sub-security groups do not inherit the security policies and access permissions of their upper-level security groups.

However, when a lower-level user group needs special permissions in addition to the permissions it inherits, inheritance of security policy permissions along the user group hierarchy no longer takes effect. Take Figure 1-2 as an example. Assume that all employees in the R&D department have the same basic access permission (resource A) and that R&D department 1 has an additional specific permission (resource B).

Figure 1-2 Permission inheritance and special requirements of user groups

In this scenario, you need to configure security policy A to allow R&D employees to access resource A. In addition, security policy B needs to be configured for the specific permission of R&D department 1.

First, according to the matching rules of security policies, security policy B for R&D department 1 must be placed before security policy A. Otherwise, the access requests of the users in R&D department 1 match security policy A and do not continue to match security policy B. Therefore, the users can only obtain the permissions to access resource A.

Second, both resource A and resource B must be specified in security policy B. According to the matching rules of security policies, the access requests of users in R&D department 1 match security policy B and do not match security policy A, so these users obtain only the access permissions specified by security policy B. That is, in this scenario, the child security groups cannot inherit the access permissions of the parent security groups.

Table 1-3 shows the correct security policy configurations.

Table 1-3 Security policy configurations

Security policy B
  • User group/department: R&D dept 1
  • Accessible resource/destination address: Resource A and Resource B

Security policy A
  • User group/department: R&D dept
  • Accessible resource/destination address: Resource A

Referencing Services and Service Groups in Security Policies

A service is a set of one or more application protocols, specified by information such as the protocol type, source port, and destination port. A service group is a set of services and contains services, service groups, or both.

Firewalls can identify common application protocols based on services and service groups. If the protocol type and port number of data traffic meet the service conditions, the data traffic is regarded as the traffic of the specified application protocol. It is very common and necessary to specify a service or service group in a security policy.

User-defined Services

By default, common well-known services (pre-defined services), such as HTTP, FTP, Telnet, and DNS, are provided on a firewall. On a live network, if a protocol uses a port number different from that of the pre-defined service, you need to create a user-defined service. For example, the pre-defined ILS service uses port 1002, but some older software versions use port 389 to receive ILS packets. In this case, you need to create a user-defined service with port 389 and reference it in the security policy.

system-view
 ip service-set new_ils type object               //object indicates a user-defined service.
  service protocol tcp destination-port 389       //Specify the destination port number for the ILS service.

For TCP, UDP, and SCTP services, the source port and destination port numbers need to be specified. Typically, you only need to specify the destination port numbers.

For ICMP and ICMPv6 services, the type numbers and message codes need to be specified. The ICMP service is usually used by the ping and tracert network diagnosis tools, and the pre-defined ICMP service can typically be used directly. However, ICMP is also often used by attackers for network reconnaissance or covert channels. If you have high security requirements, you can permit only specific ICMP message types.

Take ping as an example. Ping requires two types of ICMP messages: ICMP Echo Request (Type 8) and ICMP Echo Reply (Type 0). The source sends several consecutive ICMP Echo Request messages to the destination. After receiving the messages, the destination replies with ICMP Echo Reply messages. If the source receives the ICMP Echo Reply messages within a specified period, the destination is reachable. When receiving an Echo Request message from the source, the firewall creates a session entry and forwards the message. When the Echo Reply messages returned by the destination match the session entry, the firewall will forward these messages.

Figure 1-3 Ping fundamentals

In this case, you can define a custom ICMP Echo Request service for security policies. For details about ICMP types and message codes, see RFC 792, Internet Control Message Protocol.

system-view
 ip service-set ICMP_Echo_Request type object
  service protocol icmp icmp-type 8   //Customize ICMP type 8.

The PC in the Trust zone needs to ping the switch in the Untrust zone. The security policy is configured as follows:

security-policy
 rule name "Allow Ping" 
  source-zone trust    
  destination-zone untrust  
  source-address 10.1.1.10 24
  destination-address 10.1.2.10 24
  service ICMP_Echo_Request
  action permit

Configuring Service Groups

You can add pre-defined services (except those with dynamic ports), user-defined services, or a service group to another service group. The configuration commands are the same.

system-view
 ip service-set MgtProt4 type group        //group indicates a user-defined service group.
  service service-set ftp                  //Add a pre-defined service.
  service service-set ICMP_Echo_Request    //Add a user-defined service
 ip service-set MgtProt type group
  service service-set MgtProt4             //Add a service group

Referencing Applications and Application Groups in Security Policies

The Internet now reaches every aspect of work and daily life. The services it carries have changed profoundly, and a wide variety of applications now dominate its traffic. The biggest challenge for network administrators is to identify and control these applications effectively.

As mentioned in the previous chapter, firewalls can identify common application protocols based on services and service groups. However, service identification relies mainly on port numbers and can therefore identify only basic protocols such as FTP and HTTP. Because a large number of applications are carried over HTTP, service identification alone cannot meet the requirements of application management and control.

Service Awareness (SA) Technology

Firewalls use SA technology to identify applications accurately. Whereas traditional protocol identification checks only the 5-tuple of a packet and cannot identify applications, SA goes a step further and inspects the application-layer data of packets. Traffic sent by different applications carries its own signatures, which may be specific commands or bit sequences; these signatures constitute the "fingerprint" of an application. Once the fingerprints that identify specific applications have been abstracted into a fingerprint database, traffic can be compared against that database.

Huawei Security Competence Center uses the SA technology to analyze and extract traffic signatures of a large number of Internet applications, and establishes a signature database of more than 6000 applications. The signature database is classified into five categories and 57 sub-categories. You can visit the Huawei Security Competence Center website and query the current application identification capability in the application encyclopedia. In the application encyclopedia, you can filter applications by category, sub-category, label, data transmission mode, and risk level, or enter an application name to search for the application. For each application, the application signature database also provides multi-dimensional description information to help you formulate targeted management and control policies.

Pre-defined Applications and Application Groups

After the application signature database is loaded onto a firewall, the applications it contains become the firewall's pre-defined applications. New applications keep appearing on the Internet and the signatures of existing applications change, so the application signature database must be upgraded periodically to maintain identification accuracy.

An application group is a set of applications, facilitating management. You can create an application group for applications with the same access policy and reference the application group in a security policy. For example, to create a NetDisk application group, you can add applications based on the list or tree structure.

Figure 1-4 Creating an application group

1. Adding an application based on the list

The displayed page is similar to the application page. You can filter applications by category, subcategory, label, data transmission mode, and risk level, or enter an application name for fuzzy search.

Figure 1-5 Adding an application based on the list

2. Adding an application based on the tree structure

The tree structure is a newer way of organizing applications. You can select an application from the tree of application categories and sub-categories. You can also filter applications by Label/Software and then use the fuzzy search.

Figure 1-6 Adding an application based on the tree structure

Referencing a Group of Applications in a Security Policy

Referencing a group of applications in a security policy is a common operation. You can select applications based on the application category, subcategory, label, software, and user-defined application group. The operation page and operation method are similar to those of adding applications to an application group based on the tree structure. The only difference is that you can directly select a created application group in a security policy.

Referencing a Single Application in a Security Policy

When referencing a single application in a security policy, you need to consider the dependent and associated applications of the application.

The dependent applications are underlying applications of an application, and correspondingly, the application is an upper-layer application of the dependent applications. During application identification, a firewall first identifies the dependent applications and then the upper-layer application. During security policy check, the firewall first searches for security policies based on the dependent applications. The firewall continues to identify the upper-layer application and searches for the corresponding security policies only when the action of the security policies that the dependent applications match is permit. Therefore, when the traffic of an application needs to be permitted, traffic of its dependent applications also needs to be permitted synchronously.

Associated applications are those with an association relationship with the application, and are typically multiple similar applications developed by the same company. They have similar traffic signatures. When an application needs to be blocked, you need to block the associated applications in the security policy to ensure that the application is completely blocked.

When a single application is referenced in a security policy, its dependent applications and associated applications need to be configured at the same time, as shown in Table 1-4. Follow the prompts the firewall displays during configuration.

Table 1-4 Synchronization configuration for dependent applications and associated applications

Action of the security policy: permit
  • Single application specified as the matching condition: You do not need to configure the dependent applications. If no upper-layer application is identified, the traffic is permitted anyway.
  • Single application specified as the matching condition plus a content security profile: If the application has dependent applications, the firewall prompts you to configure them. For example, the dependent applications of Dropbox are HTTP, HTTPS, and SSL. To permit access to Dropbox and apply content security checks to that access, you must also configure these three dependent applications.

Action of the security policy: deny
  • Single application specified as the matching condition: If the application has associated applications, the firewall prompts you to configure them. For example, GoogleTalk_VoIP is associated with GoogleTalk_IM. To block GoogleTalk_VoIP, you must block GoogleTalk_IM as well.
  • Single application specified as the matching condition plus a content security profile: N/A (content security profiles are applied only to permitted traffic).

The following example permits access to Dropbox with antivirus check and file filtering enabled, and shows the prompt and configuration page the firewall presents. In the security policy, set Application to Dropbox, Action to Permit, and both Antivirus and File Blocking to default. When the configuration is delivered, the firewall verifies it and prompts you to select the dependent applications.

Figure 1-7 Prompt information about selecting dependent applications

Click Configure in the prompt. The dependent applications of Dropbox are HTTP, HTTPS, and SSL, as shown in Figure 1-8. All of them must be selected before the security policy configuration can be delivered.

Figure 1-8 Selecting dependent applications
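The two rules described above, the configuration-time check of Table 1-4 and the runtime rule that dependent applications are identified and policy-matched before the upper-layer application, can be modelled compactly. The block below is an added example, not Huawei code: the application names and their dependent/associated relationships come from this page, while the functions, the ordered (application, action) rule list, and the identification chain are constructed for illustration.

```python
# Added example (not Huawei code): toy model of the dependent/associated
# application behaviour described above and in Table 1-4. Application names
# and relationships are taken from the page; everything else is constructed.

# Dependent (underlying) applications: identified before the upper-layer app.
DEPENDENT = {
    "Dropbox": {"HTTP", "HTTPS", "SSL"},
}

# Associated applications: similar traffic signatures, typically same vendor.
ASSOCIATED = {
    "GoogleTalk_VoIP": {"GoogleTalk_IM"},
    "GoogleTalk_IM": {"GoogleTalk_VoIP"},
}


def companions_to_configure(app, action, has_content_profile):
    """Configuration-time check (Table 1-4): the applications that must be
    added to the policy alongside `app` before the firewall accepts it."""
    if action == "permit":
        # Without a content security profile a missing dependency is tolerated:
        # if the upper-layer application is never identified, traffic is permitted.
        return set(DEPENDENT.get(app, ())) if has_content_profile else set()
    if action == "deny":
        # A block is only complete when the look-alike applications are blocked too.
        return set(ASSOCIATED.get(app, ()))
    raise ValueError(f"unknown action {action!r}")


def policy_action(app_rules, app):
    """Action for one identified application. `app_rules` is an ordered list
    of (application or None for any, action); first match wins and anything
    unmatched falls through to the implicit default deny."""
    for rule_app, action in app_rules:
        if rule_app is None or rule_app == app:
            return action
    return "deny"


def evaluate_identification_chain(app_rules, chain):
    """Runtime behaviour: the engine identifies dependent applications first
    and only continues to the upper-layer application while the policy hit by
    each dependent application permits it. `chain` lists applications in
    identification order, e.g. ["SSL", "HTTPS", "Dropbox"].
    Returns (application that decided the verdict, action)."""
    for app in chain:
        if policy_action(app_rules, app) == "deny":
            return app, "deny"          # identification stops here
    return chain[-1], "permit"
```

Running `evaluate_identification_chain` with a policy that permits Dropbox but says nothing about SSL shows why the firewall insists on the dependencies: SSL is identified first, hits the default deny, and the flow never reaches the Dropbox rule.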

Pending Policy

After an application is referenced in a security policy, traffic must be sent to the content security engine for application identification. The firewall needs several packets to identify an application, so until identification completes it cannot determine which security policy the traffic matches; this is the policy pending state. The firewall matches the first packet against the conditions other than the application (mainly the 5-tuple), temporarily permits the traffic, and creates a session whose application field is empty. Once the application is identified, the firewall matches the traffic against the security policies again and updates the session. A practical consequence: a policy that denies an application cannot stop the first packets of a flow, because they are forwarded before the application is known. If those initial packets must never be forwarded, block them with a 5-tuple condition (address, port, or service) rather than an application condition.

Referencing URL Categories in Security Policies

URL categories classify websites by their web page content. Huawei uses machine learning and artificial intelligence technologies to scan massive amounts of web page content and assign URLs to categories. URL categories can then be used to control users' online behavior.

  • Method 1: Attach a URL filtering profile to a security policy. URL categories, URL blacklists, URL whitelists, and other settings in the profile give fine-grained control over website access. For details about URL filtering, see the product documentation.
  • Method 2: Reference URL categories directly in a security policy as a matching condition, for simple category-based access control. Because the category is part of the match, you can attach content security profiles per category, for example applying antivirus check and file filtering only to traffic bound for high-risk URL categories.

The following provides two configuration examples of applying URL categories to security policies.

Scenario 1: Restricting Access to Specific Types of Websites

Assume that a security policy named inside-out has been configured on the firewall to allow all users to access the Internet without any restriction.

Figure 1-9 Initial security policy

Employees are now banned from accessing social networks and job-seeking websites. Copy the inside-out security policy, rename the copy (inside-out-exclude), specify the URL categories to block, and set Action to Deny.

Figure 1-10 Copying and modifying a security policy

After the previous step is complete, move inside-out-exclude above inside-out. Security policies are matched from top to bottom, so if the unrestricted inside-out policy stays on top it is hit first and the exclusion never takes effect.

Figure 1-11 Adjusting the sequence of security policies

Scenario 2: Only Specific Employees Can Access Specific Types of Websites

According to the company's information security policy, ordinary employees may access common websites, with fine-grained control over individual URLs implemented through a URL filtering profile; IT personnel may additionally access IT-related websites for work purposes. Two security policies are required.

  • Policy 1: Allow employees in user group IT to access websites whose URL category is IT-related.
  • Policy 2: Allow ordinary employees (users not assigned to any user group) to access common websites. The common websites are defined in the URL filtering profile attached as a content security profile, and that profile excludes the IT-related URL category.
Figure 1-12 Specific access requirements

Note that policy 1 must be placed above policy 2, because security policies are matched from top to bottom. When an IT employee accesses an IT-related website, policy 1 matches and the access is permitted. When any other employee accesses an IT-related website, policy 2 matches and the URL filtering profile is then checked; because the common websites allowed by that profile do not include the IT-related category, the request is blocked.

The firewall first identifies the HTTP application, then the URL category, and sends the result to the security policy module for matching. Before the URL category is identified, the security policy is in the pending state: the firewall creates a session based on the matching conditions other than the URL category, permits the traffic, and continues detection. After the URL category is identified, the traffic is matched against the security policies again. For websites served over HTTPS, the URL is carried inside the encrypted payload, so SSL decryption must be enabled together with URL category matching.
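The two scenarios above and the pending state they depend on can be exercised in a small model of top-down policy matching. The block below is an added example, not Huawei code: it treats a URL category either as a matching condition of the rule (Method 2, as in inside-out-exclude and policy 1) or as the allow list of a URL filtering profile checked after a permit match (Method 1, as in policy 2), and returns "pending" whenever a rule needs a category that has not been identified yet. Rule, zone, user group, and category names are constructed for illustration.

```python
# Added example (not Huawei code): toy model of URL categories in security-policy
# matching, covering Scenario 1, Scenario 2 and the pending state. All names
# (zones, groups, categories, rule names) are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # a condition left unset matches anything


@dataclass
class Rule:
    name: str
    action: str                                          # "permit" or "deny"
    src_zone: Optional[str] = ANY
    dst_zone: Optional[str] = ANY
    user_group: Optional[str] = ANY
    url_categories: Optional[FrozenSet[str]] = ANY       # Method 2: category as a matching condition
    url_filter_allowed: Optional[FrozenSet[str]] = ANY   # Method 1: URL filtering profile allow list


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    user_group: Optional[str] = None    # None: user belongs to no group
    url_category: Optional[str] = None  # None until the firewall has identified it


def _static_conditions_match(rule: Rule, flow: Flow) -> bool:
    """Conditions decidable on the first packet (zones, user; stands in for the 5-tuple)."""
    return all(cond is ANY or cond == value for cond, value in (
        (rule.src_zone, flow.src_zone),
        (rule.dst_zone, flow.dst_zone),
        (rule.user_group, flow.user_group),
    ))


def match(rules: List[Rule], flow: Flow) -> Tuple[Optional[str], str]:
    """Top-down, first match wins. Returns (rule name, verdict); the verdict is
    "permit", "deny", or "pending" (a session is created and traffic is
    temporarily permitted because the URL category is not known yet)."""
    for rule in rules:
        if not _static_conditions_match(rule, flow):
            continue
        if rule.url_categories is not ANY:
            if flow.url_category is None:
                return rule.name, "pending"
            if flow.url_category not in rule.url_categories:
                continue
        if rule.action == "deny":
            return rule.name, "deny"
        # Permit: the attached URL filtering profile is evaluated after the match.
        if rule.url_filter_allowed is not ANY:
            if flow.url_category is None:
                return rule.name, "pending"
            if flow.url_category not in rule.url_filter_allowed:
                return rule.name, "deny"
        return rule.name, "permit"
    return None, "deny"  # implicit default policy


# Scenario 1: the exclusion must sit above the unrestricted inside-out policy.
SCENARIO_1 = [
    Rule("inside-out-exclude", "deny", "trust", "untrust",
         url_categories=frozenset({"Social Networking", "Job Search"})),
    Rule("inside-out", "permit", "trust", "untrust"),
]

# Scenario 2: policy 1 (IT group, IT-related category) above policy 2
# (everyone else, common websites via a URL filtering profile without IT-related).
SCENARIO_2 = [
    Rule("policy1", "permit", "trust", "untrust", user_group="IT",
         url_categories=frozenset({"IT-related"})),
    Rule("policy2", "permit", "trust", "untrust",
         url_filter_allowed=frozenset({"News", "Business"})),
]


def run_scenario_1(category, rules=SCENARIO_1):
    return match(rules, Flow("trust", "untrust", url_category=category))


def run_scenario_2(user_group, category, rules=SCENARIO_2):
    return match(rules, Flow("trust", "untrust", user_group=user_group, url_category=category))
```

Passing `rules=list(reversed(SCENARIO_1))` or `list(reversed(SCENARIO_2))` reproduces the ordering mistakes the text warns about: the catch-all permit swallows social-network traffic in Scenario 1, and IT staff are blocked by the common-website profile in Scenario 2.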

Update Date: 2023-04-06
Document ID: EDOC1100297671