Quidway Eudemon 200E-C&200E-F Firewall Feature Description(V100R002_01)

Quidway Eudemon 200E-C/200E-F Firewall V100R002 Feature Description Issue 01 Date 2009-12-01 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

Quidway Eudemon 200E-C/200E-F Firewall V100R002

Feature Description

Issue: 01
Date: 2009-12-01

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

Huawei and other Huawei trademarks are the property of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.


Quidway Eudemon 200E-C/200E-F Firewall Feature Description

Contents

About This Document ..... 1

1 Overview ..... 1-1
1.1 Introduction to the Device ..... 1-2
1.2 Location of the Eudemon ..... 1-3
1.3 Functions and Features of the Eudemon ..... 1-3
1.3.1 Network Interconnection ..... 1-3
1.3.2 Security Defense ..... 1-4
1.3.3 Service Application ..... 1-5
1.3.4 Configuration and Management ..... 1-5
1.3.5 Maintenance ..... 1-6
1.3.6 System Log Management ..... 1-6

2 Introduction ..... 2-1
2.1 Working Mode ..... 2-2
2.1.1 Working Mode Classification ..... 2-2
2.1.2 Working Process in Route Mode ..... 2-4
2.1.3 Working Process in Transparent Mode ..... 2-4
2.1.4 Working Process in Composite Mode ..... 2-10
2.2 Security Zone ..... 2-10
2.2.1 Introduction to Security Zone ..... 2-10
2.2.2 Features of the Security Zone ..... 2-10
2.2.3 Security Zone on Eudemon ..... 2-11

3 System Management ..... 3-1
3.1 SNMP Overview ..... 3-2
3.1.1 Introduction to SNMP ..... 3-2
3.1.2 SNMP Versions and Supported MIB ..... 3-3
3.2 Introduction to the Features of Web Management ..... 3-4

4 Security Features ..... 4-1
4.1 ACL ..... 4-2
4.1.1 ACL Definition ..... 4-2
4.1.2 ACL Application ..... 4-2
4.1.3 ACL Step ..... 4-3
4.1.4 ACL on the Eudemon ..... 4-4


4.2 Security Policy ..... 4-6
4.2.1 Packet Filter ..... 4-6
4.2.2 ASPF ..... 4-6
4.2.3 Blacklist ..... 4-8
4.2.4 MAC and IP Address Binding ..... 4-8
4.2.5 Port Identification ..... 4-8
4.2.6 Virtual Firewall ..... 4-9
4.3 NAT ..... 4-10
4.3.1 Introduction ..... 4-10
4.3.2 NAT on the Device ..... 4-12
4.4 Attack Defense ..... 4-17
4.4.1 Introduction ..... 4-17
4.4.2 Classes of Network Attacks ..... 4-17
4.4.3 Typical Examples of Network Attacks ..... 4-18
4.4.4 Introduction to the Attack Defense Principle ..... 4-19
4.5 P2P Traffic Limiting ..... 4-21
4.5.1 Introduction to P2P Traffic Limiting ..... 4-21
4.5.2 P2P Traffic Detection and Limiting ..... 4-21
4.6 IM Blocking ..... 4-22
4.6.1 Introduction to IM Detecting and Blocking ..... 4-22
4.6.2 IM Detecting and Blocking ..... 4-22
4.7 Static Multicast ..... 4-23
4.7.1 Restrictions of Unicast or Broadcast ..... 4-23
4.7.2 Overview of Static Multicast ..... 4-25
4.7.3 Implementing Static Multicast on the Eudemon ..... 4-26
4.8 Keyword Authentication ..... 4-26
4.9 Authentication and Authorization ..... 4-27
4.9.1 Introduction to Authentication and Authorization ..... 4-27
4.9.2 Introduction to Domain ..... 4-28
4.9.3 Introduction to Local User Management ..... 4-28
4.10 IP-CAR ..... 4-28
4.11 TSM Cooperation ..... 4-29
4.11.1 Introduction to TSM Cooperation ..... 4-29
4.11.2 Work Flow of TSM Cooperation ..... 4-30
4.11.3 Specifications of TSM Cooperation ..... 4-31
4.12 SLB ..... 4-31
4.12.1 Introduction to SLB ..... 4-31
4.12.2 Virtual Service Technology ..... 4-32
4.12.3 Server Health Check ..... 4-33
4.12.4 Traffic-based Forwarding ..... 4-33

5 VPN ..... 5-1
5.1 Introduction ..... 5-2


5.1.1 VPN Overview ..... 5-2
5.1.2 Basic VPN Technology ..... 5-3
5.1.3 VPN Classification ..... 5-5
5.2 L2TP ..... 5-7
5.2.1 VPDN Overview ..... 5-7
5.2.2 L2TP Overview ..... 5-7
5.3 IPSec ..... 5-13
5.3.1 IPSec Overview ..... 5-13
5.3.2 IPSec Basic Concepts ..... 5-14
5.3.3 IKE Overview ..... 5-17
5.3.4 Overview of the IKEv2 Protocol ..... 5-19
5.3.5 Security Analysis of IKEv2 ..... 5-20
5.3.6 IKEv2 and EAP Authentication ..... 5-21
5.3.7 NAT Traversal of IPSec ..... 5-22
5.3.8 Realizing IPSec on the Eudemon ..... 5-23
5.4 GRE ..... 5-25
5.4.1 GRE Overview ..... 5-25
5.4.2 Implementation of GRE ..... 5-25
5.4.3 GRE Application ..... 5-26

6 Network Interconnection ..... 6-1
6.1 VLAN ..... 6-2
6.1.1 Introduction ..... 6-2
6.1.2 Advantages of VLAN ..... 6-3
6.2 PPP ..... 6-4
6.2.1 Introduction ..... 6-4
6.2.2 PPP Authentication ..... 6-5
6.2.3 PPP Link Operation ..... 6-6
6.3 PPPoE ..... 6-9
6.3.1 Basic Principles of PPPoE ..... 6-9
6.3.2 PPPoE Discovery Period ..... 6-10
6.3.3 PPPoE Session Period ..... 6-12
6.4 DHCP Overview ..... 6-12
6.4.1 DHCP Service ..... 6-12
6.4.2 DHCP Relay ..... 6-13
6.4.3 DHCP Client ..... 6-14
6.5 Static Route Overview ..... 6-16
6.5.1 Static Route ..... 6-16
6.5.2 Default Route ..... 6-18
6.6 RIP ..... 6-18
6.6.1 RIP Overview ..... 6-18
6.6.2 RIP Versions ..... 6-19
6.6.3 RIP Startup and Operation ..... 6-19


6.7 OSPF ..... 6-20
6.7.1 OSPF Overview ..... 6-20
6.7.2 Process of OSPF Route Calculation ..... 6-20
6.7.3 Basic Concepts Related to OSPF ..... 6-21
6.7.4 OSPF Packets ..... 6-25
6.7.5 Types of OSPF LSAs ..... 6-25
6.8 BGP ..... 6-27
6.8.1 BGP Overview ..... 6-27
6.8.2 Classification of BGP Attributes ..... 6-30
6.8.3 Principles of BGP Route Selection ..... 6-31
6.9 Introduction to Policy-Based Routing ..... 6-33
6.10 Routing Policy Overview ..... 6-33
6.10.1 Applications and Implementation of Routing Policy ..... 6-34
6.10.2 Differences Between Routing Policy and Policy-based Routing ..... 6-34
6.11 Load Balancing ..... 6-35
6.12 Introduction to QoS ..... 6-37
6.12.1 QoS Overview ..... 6-37
6.12.2 Traditional Packets Transmission Application ..... 6-37
6.12.3 New Application Requirements ..... 6-37
6.12.4 Congestion Causes, Impact and Countermeasures ..... 6-38
6.12.5 Traffic Control Techniques ..... 6-39
6.13 GPON Line ..... 6-40
6.13.1 Introduction to the GPON Line Feature ..... 6-40
6.13.2 Principles of GPON Upstream Transmission ..... 6-41
6.13.3 Principles of GPON Lines ..... 6-41
6.14 Introduction to Voice Services ..... 6-42
6.14.1 Overview of Voice Features ..... 6-42
6.14.2 General Specifications ..... 6-43
6.14.3 H.248-based Voice Services ..... 6-45
6.14.4 SIP-based Voice Services ..... 6-54
6.14.5 Key Voice Feature ..... 6-69
6.14.6 Voice Reliability ..... 6-78

7 Reliability ..... 7-1
7.1 Overview of VRRP ..... 7-2
7.1.1 Traditional VRRP ..... 7-2
7.1.2 Disadvantages of Traditional VRRP in Eudemon Backup ..... 7-4
7.2 Introduction to Dual-System Hot Backup ..... 7-6
7.2.1 HRP Application ..... 7-6
7.2.2 Primary/Secondary Configuration Devices ..... 7-7
7.3 Relations Between the VRRP Backup Group, Management Group, and HRP ..... 7-7
7.4 IP-Link Auto-detection Overview ..... 7-8

A Glossary ..... A-1


B Acronyms and Abbreviations ..... B-1


Figures

Figure 2-1 Networking diagram in route mode ..... 2-2
Figure 2-2 Networking diagram in transparent mode ..... 2-3
Figure 2-3 Networking in composite mode ..... 2-4
Figure 2-4 Broadcasting a data packet ..... 2-5
Figure 2-5 Reversely learning the relationship between the MAC address of workstation A and the interface ..... 2-6
Figure 2-6 Reversely learning the relationship between the MAC address of workstation B and the interface ..... 2-7
Figure 2-7 Forwarding the frame after successfully obtaining corresponding information from the address table ..... 2-8
Figure 2-8 Filtering frames after successfully obtaining corresponding information from the address table ..... 2-9
Figure 2-9 Forwarding the frame after failing to obtain corresponding information from the address table ..... 2-9
Figure 2-10 Relationship diagram of interface, network and security zones ..... 2-12
Figure 3-1 MIB tree ..... 3-3
Figure 4-1 Networking diagram of virtual firewall ..... 4-9
Figure 4-2 Networking diagram of basic processes of NAT ..... 4-11
Figure 4-3 NAPT allows multiple internal hosts to share a public address by translating IP address and port number ..... 4-13
Figure 4-4 Networking diagram of configuring inbound NAT ..... 4-15
Figure 4-5 Networking diagram of NAT within the zone ..... 4-15
Figure 4-6 Unicast information transmission ..... 4-24
Figure 4-7 Broadcast information transmission ..... 4-24
Figure 4-8 Multicast information transmission ..... 4-25
Figure 4-9 Transmission mode of static multicast ..... 4-26
Figure 4-10 Networking diagram of TSM Cooperation ..... 4-30
Figure 4-11 Schematic diagram of Virtual Service ..... 4-32
Figure 5-1 Networking diagram of VPN applications ..... 5-3
Figure 5-2 Networking diagram of a VPN access ..... 5-4
Figure 5-3 Networking diagram of VPDN application based on L2TP ..... 5-8
Figure 5-4 L2TP protocol structure ..... 5-9
Figure 5-5 Two typical L2TP tunnel modes ..... 5-10
Figure 5-6 Typical networking diagram of L2TP ..... 5-11
Figure 5-7 Procedure for setting up an L2TP call ..... 5-11
Figure 5-8 Data encapsulation format for security protocols ..... 5-16

Figures

Quidway Eudemon 200E-C/200E-F Firewall Feature Description Figure 5-9 Relationship of IKE and IPSec.........................................................................................................5-18

Figure 5-10 Procedure for setting up an SA.......................................................................................................5-18 Figure 5-11 IP network interconnection through the GRE tunnel.....................................................................5-25 Figure 5-12 Format of the encapsulated packet.................................................................................................5-26 Figure 5-13 IP packet transported in the tunnel.................................................................................................5-26 Figure 5-14 Network enlargement.....................................................................................................................5-27 Figure 5-15 Inconsistent subnet connection.......................................................................................................5-27 Figure 5-16 GRE-IPSec tunnel...........................................................................................................................5-28 Figure 6-1 Example of VLAN..............................................................................................................................6-3 Figure 6-2 Operation process of PPP...................................................................................................................6-7 Figure 6-3 Diagram of the host sending PADI packets in broadcast.................................................................6-10 Figure 6-4 Sending the PADO packet from the server.......................................................................................6-11 Figure 6-5 Diagram of the host choosing a server and sending a PADR packet...............................................6-11 Figure 6-6 Diagram of the server sending a PADS packet to the host...............................................................6-11 Figure 6-7 DHCP 
relay.......................................................................................................................................6-14 Figure 6-8 OSPF area partition..........................................................................................................................6-22 Figure 6-9 OSPF router types.............................................................................................................................6-23 Figure 6-10 Area and route summary.................................................................................................................6-24 Figure 6-11 Opaque LSAs structure...................................................................................................................6-26 Figure 6-12 BGP operating mode......................................................................................................................6-29 Figure 6-13 Synchronization of IBGP and IGP.................................................................................................6-33 Figure 6-14 Networking diagram of packet-by-packet load balancing..............................................................6-35 Figure 6-15 Networking diagram of session-by-session load balancing............................................................6-36 Figure 6-16 Schematic diagram of traffic congestion........................................................................................6-38 Figure 6-17 Overall voice service solution of the SRG.....................................................................................6-43 Figure 6-18 Registration flow of the MG...........................................................................................................6-47 Figure 6-19 Unsolicited deregistration flow of the MG.....................................................................................6-48 Figure 6-20 Unsolicited deregistration flow of the 
MGC..................................................................................6-48 Figure 6-21 Authentication flow........................................................................................................................6-49 Figure 6-22 Principle of the VoIP feature that supports the H.248 protocol ....................................................6-50 Figure 6-23 Principles of the T.38 fax...............................................................................................................6-54 Figure 6-24 IETF multimedia data and control protocol stack..........................................................................6-55 Figure 6-25 Flowchart of the registration through unsafe connection...............................................................6-59 Figure 6-26 Flowchart of the registration through safe connection...................................................................6-60 Figure 6-27 SIP-based call flow of a VoIP calling party...................................................................................6-61 Figure 6-28 SIP-based call flow of a VoIP called party.....................................................................................6-62 Figure 6-29 Flow of call release.........................................................................................................................6-63 Figure 6-30 Flow of the negotiated-switching transparent transmission fax.....................................................6-64 Figure 6-31 Flow of the negotiated-switching T.38 fax.....................................................................................6-65 Figure 6-32 Flow of the negotiated-switching T.38 fax when the peer device does not support the T.38 mode (scenario 1)..........................................................................................................................................................6-66 Figure 6-33 Flow of the negotiated-switching T.38 fax when 
the peer device does not support the T.38 mode (scenario 2)..........................................................................................................................................................6-67 viii Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 01 (2009-12-01)

Quidway Eudemon 200E-C/200E-F Firewall Feature Description

Figures

Figure 6-34 Flow of the negotiated-switching modem service..........................................................................6-69 Figure 6-35 Generation of the electrical echo....................................................................................................6-71 Figure 6-36 Implementation of the EC function................................................................................................6-72 Figure 6-37 Working principles of dual homing................................................................................................6-79 Figure 6-38 Operating principle for implementing the dual-homing with no auto-switching...........................6-80 Figure 6-39 Operating principle for implementing the dual-homing with auto-switching................................6-81 Figure 6-40 Call releasing flow..........................................................................................................................6-82 Figure 6-41 802.1q frame format.......................................................................................................................6-83 Figure 6-42 DSCP identification format............................................................................................................6-84 Figure 7-1 Networking using the default route....................................................................................................7-2 Figure 7-2 Networking of using the VRRP virtual router....................................................................................7-3 Figure 7-3 Typical networking of Eudemon backup............................................................................................7-4 Figure 7-4 Eudemon backup state........................................................................................................................7-5 Figure 7-5 Typical data path in primary/secondary 
mode....................................................................................7-6 Figure 7-6 Hierarchical relations between the VRRP backup group, management group, and HRP..................7-7

Issue 01 (2009-12-01)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

ix

Tables

Table 3-1 MIB supported by the system 3-3
Table 4-1 Classification of the ACL 4-4
Table 6-1 Default settings of the timers 6-16
Table 6-2 Route attributes and their types 6-30
Table 6-3 Differences between routing policy and PBR 6-35
Table 6-4 Voice services supported 6-43
Table 6-5 SIP request messages 6-58
Table 6-6 SIP response messages 6-59
Table 6-7 Codec list 6-70
Table 6-8 Mapping between frequencies and numbers 6-75

About This Document

Purpose

This document describes the functions, principles and features of the Quidway Eudemon 200E-C/200E-F (hereafter referred to as the Eudemon), including system management, security features and network interconnection.

Related Versions

The following table lists the product versions related to this document.

Product Name: Quidway Eudemon 200E-C/200E-F
Version: V100R002

Intended Audience

This document is intended for:

- Technical support engineers
- Maintenance engineers
- Network engineers
- Network administrators
- Network maintenance engineers

Organization

This document is organized as follows.

1 Overview: This section introduces the Eudemon, the location of the Eudemon in the network and the functions of the Eudemon.
2 Introduction: This section describes the operating modes and the security zones of the Eudemon.
3 System Management: This section describes the SNMP management features and Web management features of the Eudemon.
4 Security Features: This section describes the security features of the Eudemon, including ACL, security policy, attack defense, NAT, keyword authentication, authentication and authorization, IP-CAR, P2P traffic limiting, IM blocking, static multicast, TSM cooperation and SLB.
5 VPN: This section describes the VPN features of the Eudemon, including L2TP, IPSec, and GRE.
6 Network Interconnection: This section describes the network interconnection features of the Eudemon, including VLAN, PPP, PPPoE, DHCP, IP static route, RIP, OSPF, BGP, policy-based routing and QoS.
7 Reliability: This section describes the reliability features of the Eudemon, including VRRP, two-node cluster hot backup, and IP-Link.
A Glossary: This section lists acronyms in the volume.
B Acronyms and Abbreviations: This section lists abbreviations in the volume.

Conventions

Symbol Conventions

The symbols that may be found in this document are defined as follows.

DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP: Indicates a tip that may help you solve a problem or save time.
NOTE: Provides additional information to emphasize or supplement important points of the main text.

General Conventions

The general conventions that may be found in this document are defined as follows.

Times New Roman: Normal paragraphs are in Times New Roman.
Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic: Book titles are in italics.
Courier New: Examples of information displayed on the screen are in Courier New.

Command Conventions

The command conventions that may be found in this document are defined as follows.

Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.


GUI Conventions

The GUI conventions that may be found in this document are defined as follows.

Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations

The keyboard operations that may be found in this document are defined as follows.

Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations

The mouse operations that may be found in this document are defined as follows.

Click: Select and release the primary mouse button without moving the pointer.
Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a certain position.

Update History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.


Updates in Issue 01 (2009-12-01)

Initial commercial release.

1 Overview

About This Chapter

1.1 Introduction to the Device
1.2 Location of the Eudemon
1.3 Functions and Features of the Eudemon

1.1 Introduction to the Device

The Eudemon is a firewall developed by Huawei. The Eudemon is a cost-effective security and access solution for small and medium-sized enterprise networks and telecommunication networks.

Powerful Networking and Service-Supporting Capability

The Eudemon is integrated with powerful routing capabilities:

- Static routing
- Routing Information Protocol (RIP) dynamic routing
- Open Shortest Path First (OSPF) dynamic routing
- Routing policy
- Routing iteration
- Routing management

These increase the flexibility of the Eudemon in networking applications. Besides the powerful routing capabilities, the Eudemon is integrated with security and safety capabilities:

- Supports detection of malicious commands.
- Supports Network Address Translation (NAT) applications.
- Supports static and dynamic blacklist filtering.
- Supports proxy-based SYN Flood defense flow control.

Multiple Types of Interfaces

The Eudemon provides fixed interfaces, such as Gigabit Ethernet (GE) interfaces and Console ports, and extension slots for optional Mini Interface Cards (MICs) and Flexible Interface Modules (FICs). The Ethernet fiber and electrical interface card, the Asymmetric Digital Subscriber Line 2+ (ADSL2+) interface card, the E1/CE1 interface card and the GE interface card can be inserted in the extension slots. You can select the interface cards according to the network environment. The excellent software scalability provides you with an economical solution for future network upgrades.

Enhanced Security

The Eudemon uses a specially designed hardware platform and a secure operating system with independent intellectual property rights. Its packet processing is totally separated from the operating system, which greatly increases the security of the system. With its own Application Specific Packet Filter (ASPF) state inspection technology, the Eudemon can:

- Monitor the connection process and malicious commands.
- Cooperate with ACLs to achieve packet filtering.
- Provide a number of attack defense capabilities.

All of the above features ensure the security of networks.

High-Speed Processing Capability

Oriented to medium and small-sized enterprise and industry users, the Eudemon provides wire-rate, high-performance security defense and packet processing capabilities by using multi-core technology. The Eudemon uses high-speed algorithms and an optimized software structure, which effectively ensure the performance of the system. For example, the high-speed ACL algorithm finds a specific policy at the same speed whether the policy set holds a few entries or thousands.

Powerful Log and Statistics

Based on the powerful logs and statistics provided by the Eudemon, you can obtain useful help in security analysis and event tracing.

1.2 Location of the Eudemon

The Eudemon is often deployed at the entrance of the protected zone to provide access-control-policy-based security defense. For example:

- When you need to protect the internal network and its data from malicious attacks and illegal access from the external network (such as unauthorized or unauthenticated access), deploy the Eudemon at the junction of the internal and external networks.
- When you need to deny internal users access to sensitive data, deploy the Eudemon at the junction where a relatively open segment meets a relatively sensitive one (such as a segment that holds sensitive or private data).

1.3 Functions and Features of the Eudemon

1.3.1 Network Interconnection
1.3.2 Security Defense
1.3.3 Service Application
1.3.4 Configuration and Management
1.3.5 Maintenance
1.3.6 System Log Management

1.3.1 Network Interconnection

Link Layer Protocol

Description of the link layer protocols of the Eudemon:

- Supports Ethernet_II and Ethernet_SNAP.
- Supports VLAN (Virtual Local Area Network).
- Supports HDLC (High-level Data Link Control).
- Supports PPP (Point-to-Point Protocol).
- Supports PPPoE (PPP over Ethernet).
- Supports DDR (Dial-on-Demand Routing).

IP Service

Description of the IP services of the Eudemon:

- Supports ARP (Address Resolution Protocol).
- Supports DHCP (Dynamic Host Configuration Protocol) relay, DHCP server and DHCP client.
- Supports FTP client/server.
- Supports TFTP client.
- Supports ping and tracert.

Routing Protocol

Description of the routing protocols of the Eudemon:

- Supports static routing.
- Supports dynamic routing (RIP, OSPF).
- Supports route policy.
- Supports policy-based routing.
- Supports route management and route iteration.

1.3.2 Security Defense

Packet Filtering

The Eudemon supports the following packet filtering modes:

- Supports basic ACL and advanced ACL.
- Supports time range ACL.
- Supports inter-zone ACL.
- Maintains ACL rules dynamically.
- Supports blacklist and MAC/IP address binding.
- Supports the application specific packet filter (ASPF) and state inspection.
- Provides the port mapping mechanism.

NAT

The following describes the NAT (Network Address Translation) of the Eudemon:

- Address translation.
- Provides the internal server.
- Port-level NAT server.
- Supports multiple NAT ALGs (Application Level Gateway), including FTP (File Transfer Protocol), PPTP (Point-to-Point Tunneling Protocol), ILS (Instrument Landing System), ICMP (Internet Control Message Protocol), H.323, QQ, MSN and RTSP (Real-Time Streaming Protocol).

Attack Defense

The following describes the attack defense of the Eudemon:

- Defends against multiple DoS attacks, such as SYN Flood, ICMP Flood, UDP Flood, ARP, WinNuke, ICMP redirection and unreachable packets, Land, Smurf and Fraggle.
- Defends against scanning and snooping, such as address scanning, port scanning, the IP source routing option, the IP route record option and ICMP snooping packets.
- Defends against other attacks, such as IP spoofing.

Traffic Monitoring

The following describes the traffic monitoring of the Eudemon:

- Supports limits on connection rate and connection number based on IP address.
- Supports CAR (Committed Access Rate).
- Supports real-time traffic statistics and attack packet statistics.

1.3.3 Service Application

AAA

AAA (Authentication, Authorization and Accounting) service application of the Eudemon:

- Supports AAA domains.
- Supports local user management.
- Supports multiple ISPs.

QoS

QoS (Quality of Service) service application of the Eudemon:

- Supports traffic categorization.
- Supports traffic monitoring.
- Supports congestion management.

1.3.4 Configuration and Management

Command Line Interface

The following describes the command line interface of the Eudemon:

- Prompt and help information in English and Chinese.
- Hierarchical command-line protection against intrusion by unauthorized users.
- Detailed debugging information that helps network fault diagnosis.
- Network test tools, such as tracert and ping, which help rapidly identify whether the network is normal.

Web Configuration Interface

The Eudemon provides user-friendly and easy-to-use Web configuration interfaces to help you operate and maintain the Eudemon in a centralized manner. In addition, the Eudemon supports both encrypted access and unencrypted access.

System Management

The following describes the system management of the Eudemon:

- Supports uploading, downloading and deleting files through FTP.
- Supports uploading and downloading files through TFTP.
- Supports uploading the configuration file or license file, and downloading or deleting files, through the Web interface.

Terminal Service

The following describes the terminal service of the Eudemon:

- Supports terminal services on the console port.
- Supports terminal services over Telnet and secure shell (SSH).
- Supports the send function so that terminal users can communicate with each other.

1.3.5 Maintenance

System Management

Supports the standard network management protocol SNMP v1/v2c/v3.

CPU Protection for Over-high Temperature

When the temperature of the CPU is higher than 60°C, the alarm indicator on the front panel is on, and the system generates a high-temperature alarm and a log. When the temperature of the CPU is higher than 90°C, the system generates a shutdown alarm and a log. If the temperature is still rising three minutes after the shutdown alarm is generated, the system switches to the heat protection state. All indicators on the front panel flash except for the system indicator and the active/standby indicators; this shows that the system is in the heat protection state. After 16 minutes, the system switches on automatically.

1.3.6 System Log Management

The following describes the system log of the Eudemon:

- Provides the log server for browsing and querying log information.
- Provides statistics on input and output IP packets.
- NAT log, ASPF log, attack defense log, blacklist log, address binding log, traffic statistics alarm/recovery log, and operation log can be queried.
- Supports the syslog format and binary log format. The syslog logs can be queried based on date. The binary logs can be queried based on time, protocol, source address/port, NAT address/port, and destination address/port. The system supports fuzzy query. The query results can be exported as an Excel file.

2 Introduction

About This Chapter

2.1 Working Mode
2.2 Security Zone

2.1 Working Mode

2.1.1 Working Mode Classification
2.1.2 Working Process in Route Mode
2.1.3 Working Process in Transparent Mode
2.1.4 Working Process in Composite Mode

2.1.1 Working Mode Classification

Route Mode

When the Eudemon is connected to external networks at the network layer (the physical interface is configured with an IP address), the Eudemon works in route mode. When the Eudemon is deployed between an internal network and an external network, you need to configure the interfaces connecting to the internal network and to the external network with IP addresses in different segments. In addition, you need to replan the network topology. The Eudemon performs routing between the internal and external networks; it functions as a router. As shown in Figure 2-1, the Eudemon is connected to the internal network through an interface assigned to the Trust zone, and to the external network through an interface assigned to the Untrust zone. The two interfaces, one in the Trust zone and one in the Untrust zone, belong to different subnets.

Figure 2-1 Networking diagram in route mode (Trust zone: internal network with PCs and a server; Untrust zone: router and external network with a server; addresses shown: 10.110.1.254/24 on the Trust side and 202.10.0.1/24 on the Untrust side)

When working in route mode, the Eudemon can implement functions such as ACL packet filtering, ASPF dynamic filtering, and NAT. When you configure the Eudemon to work in route mode, you need to change the topology of the existing network. For example, internal network users need to change their gateway settings, and the route configuration of the router has to be changed as well. Reconstructing a network is time and resource consuming. It is recommended that you weigh the advantages and disadvantages before selecting this mode.


Transparent Mode

When the Eudemon is connected to external networks at the data link layer (the physical interface is not configured with an IP address), the Eudemon works in transparent mode. Running the Eudemon in transparent mode spares you the trouble of changing the network topology. To adopt the transparent mode, you only need to place the Eudemon on the network as you would place a bridge; no existing configuration needs to change. As in route mode, the Eudemon checks and filters IP packets, protecting internal users against threats. Figure 2-2 shows a typical networking in transparent mode.

Figure 2-2 Networking diagram in transparent mode (Trust zone: internal network with PCs and a server behind a router; Untrust zone: router and external network with a server; the Eudemon sits between the two routers; addresses shown: 202.10.0.2/24 on the Trust side and 202.10.0.1/24 on the Untrust side)

In transparent mode, the Eudemon can perform packet forwarding only. The two connected networks must be in the same network segment. The Eudemon is connected to the internal network through an interface in the Trust zone, and to the external network through an interface in the Untrust zone. Note that the internal network and the external network must be in the same subnet.

Composite Mode

If the Eudemon has both interfaces working in route mode (interfaces with IP addresses) and interfaces working in transparent mode (interfaces without IP addresses), the Eudemon works in composite mode. The composite mode is applied to two-node cluster hot backup in transparent mode: the interface on which Virtual Router Redundancy Protocol (VRRP) is enabled needs to be configured with an IP address, and the other interfaces do not. Figure 2-3 shows a typical networking in composite mode.

Figure 2-3 Networking in composite mode (Eudemon (Master) and Eudemon (backup) connected through a hub; Trust side 202.10.0.0/24 with PCs and a server; Untrust side 202.10.0.0/24 with a server)

The primary and secondary Eudemons are connected to the intranet through interfaces in the Trust zone, and to the Internet through interfaces in the Untrust zone. In addition, the primary and secondary Eudemons:

- Connect with each other through a hub or a local area network (LAN) switch.
- Perform backup over VRRP.

NOTE
The primary and secondary Eudemons can be connected directly or through a hub or a LAN switch. Connect the primary and secondary Eudemons according to the actual conditions. The intranet and the Internet must reside in the same subnet.

2.1.2 Working Process in Route Mode

When packets are forwarded between interfaces at the network layer, the Eudemon acts as a router, looking up routing entries based on the IP addresses of the packets. Unlike a router, the Eudemon delivers the forwarded IP packets to the upper layer for filtering. The Eudemon determines whether to allow the packets to pass according to session entries and ACL rules. In addition, the Eudemon performs other attack defense checks.

2.1.3 Working Process in Transparent Mode
When packets are forwarded between interfaces in the layer 2 network, the Eudemon acts as a transparent bridge, searching for outbound interfaces based on the MAC addresses of the packets. Different from a bridge, the Eudemon delivers the forwarded IP packets to the upper layer for filtering. The Eudemon determines whether to permit the packets to pass through according to session entries and ACL rules. In addition, the Eudemon also performs other attack defense checks. In transparent mode, the Eudemon is connected to a LAN at the Data Link Layer; therefore, end users do not need to perform special configurations on devices for connecting the networks (as with a LAN Switch connection).


The working process in transparent mode has several phases, which are described in the following sections:
- Obtaining an Address Table
- Forwarding or Filtering a Frame

Obtaining an Address Table
In transparent mode, the Eudemon forwards packets based on the MAC address table, which consists of MAC addresses and interfaces. To forward packets, the Eudemon must obtain information about the relationship between MAC addresses and interfaces. In transparent mode, the Eudemon obtains the address table as follows:
1. Broadcast a data packet. When connected with a physical network segment, the transparent Eudemon monitors all Ethernet frames on the physical network segment. Once it detects an Ethernet frame from a certain interface, it extracts the source MAC address from the frame, and then adds the relationship between the MAC address and the interface to the MAC address table. Figure 2-4 shows the process.

Figure 2-4 Broadcasting a data packet (figure: workstation A, 00e0.fcaa.aaaa, sends a frame whose destination address is 00e0.fcbb.bbbb, workstation B; A and B are on segment 1 at interface 1 of the Eudemon; workstation C, 00e0.fccc.cccc, and workstation D, 00e0.fcdd.dddd, are on segment 2 at interface 2)

Segments 1 and 2 are respectively connected with interfaces 1 and 2 on the Eudemon. For example, when workstation A sends an Ethernet frame to workstation B, both the transparent Eudemon and workstation B receive the frame.
2. Reversely learn the relationship between the MAC address of workstation A and the interface. After receiving the Ethernet frame, the transparent Eudemon knows that workstation A is connected with interface 1 on the Eudemon because interface 1 receives the frame. Then the Eudemon adds the relationship between the MAC address of workstation A and interface 1 to the MAC address table. Figure 2-5 shows the process.


Figure 2-5 Reversely learning the relationship between the MAC address of workstation A and the interface (figure: same topology as Figure 2-4; the address table now holds 00e0.fcaa.aaaa on interface 1)

3. Reversely learn the relationship between the MAC address of workstation B and the interface. After workstation B responds to the Ethernet frame from workstation A, the transparent Eudemon can detect the response Ethernet frame of workstation B. The transparent Eudemon knows that it is connected with workstation B through interface 1, because interface 1 receives the frame. Then the Eudemon adds the relationship between the MAC address of workstation B and interface 1 to the MAC address table. Figure 2-6 shows the process.


Figure 2-6 Reversely learning the relationship between the MAC address of workstation B and the interface (figure: workstation B, 00e0.fcbb.bbbb, replies to workstation A, 00e0.fcaa.aaaa; the address table now holds 00e0.fcaa.aaaa on interface 1 and 00e0.fcbb.bbbb on interface 1; workstations C and D remain on segment 2 at interface 2)

The reverse learning process continues until the transparent Eudemon obtains all the relationships between MAC addresses and interfaces.

Forwarding or Filtering a Frame
At the Data Link Layer, the transparent Eudemon processes a frame in the following situations:
- When the transparent Eudemon successfully obtains corresponding information from the address table, it forwards the frame. After workstation A sends an Ethernet frame to workstation C, the transparent Eudemon searches the address table for the interface corresponding to workstation C. Then the Eudemon forwards the frame through interface 2 according to the search result. Figure 2-7 shows the process.


Figure 2-7 Forwarding the frame after successfully obtaining corresponding information from the address table (figure: workstation A, 00e0.fcaa.aaaa, sends a frame with destination address 00e0.fccc.cccc, workstation C; the address table holds 00e0.fcaa.aaaa and 00e0.fcbb.bbbb on interface 1 and 00e0.fccc.cccc and 00e0.fcdd.dddd on interface 2; the frame is forwarded through interface 2)

If the transparent Eudemon receives a broadcast frame or multicast frame from an interface, it forwards the frame to all other interfaces.
- When the transparent Eudemon successfully obtains corresponding information from the address table but the destination resides on the source segment, it does not forward the frame. If workstation A sends an Ethernet frame to workstation B, the Eudemon does not forward the frame but filters it, because workstations A and B reside in the same physical network segment. Figure 2-8 shows the process.


Figure 2-8 Filtering frames after successfully obtaining corresponding information from the address table (figure: workstation A, 00e0.fcaa.aaaa, sends a frame to workstation B, 00e0.fcbb.bbbb; the address table holds both on interface 1, and 00e0.fccc.cccc and 00e0.fcdd.dddd on interface 2; the frame is not forwarded)

- When the transparent Eudemon fails to obtain corresponding information from the address table, it forwards the frame. When workstation A sends an Ethernet frame to workstation C and the Eudemon cannot find the relationship between the MAC address of workstation C and an interface in the address table, the Eudemon forwards this frame to all interfaces except the source interface of the frame. In this case, the Eudemon acts as a hub, ensuring the continuous transfer of the frame. Figure 2-9 shows the process.

Figure 2-9 Forwarding the frame after failing to obtain corresponding information from the address table (figure: workstation A, 00e0.fcaa.aaaa, sends a frame with destination address 00e0.fccc.cccc, workstation C; the address table holds only 00e0.fcaa.aaaa and 00e0.fcbb.bbbb on interface 1; the frame is forwarded out of interface 2 towards segment 2, where workstations C and D, 00e0.fcdd.dddd, reside)
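The learning and forwarding decisions of sections "Obtaining an Address Table" and "Forwarding or Filtering a Frame" above, replayed as an added simulation (example code written for this page, not Huawei's implementation). The MAC addresses, interface numbers and workstation names are those of Figures 2-4 to 2-9; the class and function names, and the "flood" label for both broadcast and unknown-destination forwarding, are assumptions of this example.

```python
from dataclasses import dataclass, field

# MAC addresses and interfaces used in Figures 2-4 to 2-9
WORKSTATION_A = "00e0.fcaa.aaaa"   # segment 1, interface 1
WORKSTATION_B = "00e0.fcbb.bbbb"   # segment 1, interface 1
WORKSTATION_C = "00e0.fccc.cccc"   # segment 2, interface 2
WORKSTATION_D = "00e0.fcdd.dddd"   # segment 2, interface 2
BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac):
    """True for broadcast/multicast frames: the I/G bit (low bit of the first octet) is set."""
    return int(mac.replace(".", "")[:2], 16) & 1 == 1


@dataclass
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address


@dataclass
class TransparentBridge:
    """Layer 2 decision of transparent mode only; the session/ACL filtering that the
    Eudemon applies to the IP payload in the upper layer is not modelled here."""
    interfaces: tuple = (1, 2)
    table: dict = field(default_factory=dict)   # MAC address -> interface (the address table)

    def learn(self, frame, in_iface):
        # Reverse learning: the source MAC is reachable through the ingress interface
        self.table[frame.src] = in_iface

    def decide(self, frame, in_iface):
        """Return (action, outgoing interfaces) for a frame received on in_iface."""
        self.learn(frame, in_iface)
        others = [i for i in self.interfaces if i != in_iface]
        if is_group_address(frame.dst):
            return "flood", others          # broadcast/multicast: all other interfaces
        out_iface = self.table.get(frame.dst)
        if out_iface is None:
            return "flood", others          # unknown destination: act as a hub (Figure 2-9)
        if out_iface == in_iface:
            return "filter", []             # destination on the source segment (Figure 2-8)
        return "forward", [out_iface]       # known destination on another segment (Figure 2-7)


def walk_through():
    """Replay the frames of Figures 2-4 to 2-9; returns the final table and decisions."""
    bridge = TransparentBridge()
    results = [
        # Figures 2-4/2-5: A -> B arrives on interface 1, B not yet learned -> flood
        bridge.decide(Frame(WORKSTATION_A, WORKSTATION_B), 1),
        # Figure 2-6: B replies on interface 1; A is already known on interface 1 -> filter
        bridge.decide(Frame(WORKSTATION_B, WORKSTATION_A), 1),
        # Figure 2-9: A -> C while C is unknown -> forwarded to all other interfaces
        bridge.decide(Frame(WORKSTATION_A, WORKSTATION_C), 1),
        # C replies on interface 2 and is learned there; A is on interface 1 -> forward
        bridge.decide(Frame(WORKSTATION_C, WORKSTATION_A), 2),
        # Figure 2-7: A -> C now resolves to interface 2
        bridge.decide(Frame(WORKSTATION_A, WORKSTATION_C), 1),
        # Figure 2-8: A -> B on the same physical segment -> not forwarded
        bridge.decide(Frame(WORKSTATION_A, WORKSTATION_B), 1),
        # D broadcasts on interface 2 -> sent to interface 1 only
        bridge.decide(Frame(WORKSTATION_D, BROADCAST), 2),
    ]
    return bridge.table, results


if __name__ == "__main__":
    table, decisions = walk_through()
    print("address table:", table)
    for action, ifaces in decisions:
        print(action, ifaces)
```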


2.1.4 Working Process in Composite Mode
When the Eudemon works in composite mode, some interfaces are configured with IP addresses and some are not. The interfaces configured with IP addresses reside in the layer 3 network, with VRRP enabled for dual-system hot backup. The interfaces not configured with IP addresses reside in the layer 2 network. External users connected with the interfaces in the layer 2 network belong to the same subnet. When packets are forwarded between interfaces in the layer 2 network, the forwarding process is the same as that in transparent mode. For details, see section "2.1.3 Working Process in Transparent Mode". When packets are forwarded between interfaces in the layer 3 network, the forwarding process is similar to that in route mode. For details, see section "2.1.2 Working Process in Route Mode".

2.2 Security Zone
2.2.1 Introduction to Security Zone
2.2.2 Features of the Security Zone
2.2.3 Security Zone on Eudemon

2.2.1 Introduction to Security Zone
The zone is a concept introduced in the Eudemon and is one of the main features distinguishing the Eudemon from a router. On a router, the network security check is performed on interfaces because the networks connected to each interface are equal in security; that is, there is no obvious difference between internal networks and external networks for the router. Consequently, when a data stream passes through a router in one direction, it may be checked twice, on both the ingress interface and the egress interface, to meet the separate security definitions on each interface. The situation on the Eudemon is different: internal networks and external networks are clearly defined, and the Eudemon protects internal networks from illegal intrusion from external networks. When a data stream passes through the Eudemon, the security operation triggered varies with the direction of the data stream, so it is not suitable to check the security policy on the interfaces of the Eudemon. Therefore, the Eudemon introduces the concept of the security zone.

2.2.2 Features of the Security Zone
A security zone is composed of one or more interfaces with the same security level. The features of security zones are as follows:
- The security level is denoted by an integer in the range of 1 to 100. The greater the number, the higher the level.
- No two zones have the same security level.

2.2.3 Security Zone on Eudemon
Security Zone Classification
The default security zones on the Eudemon are as follows:
- Virtual zone (Vzone): the lowest-level security zone, whose security level is 0.
- Untrust zone: a low-level security zone, whose priority is 5.
- Demilitarized Zone (DMZ): a medium-level security zone, whose priority is 50.
- Trust zone: a high-level security zone, whose priority is 85.
- Local zone: the highest-level security zone, whose priority is 100.

When the Eudemon works in router mode, you do not need to create the five zones above; deleting them or resetting their security levels is prohibited. When the Eudemon works in transparent mode or composite mode, the Vzone is not supported by default, and the other zones can be neither created nor deleted, nor can their security levels be reset. In addition to the preceding default zones, the Eudemon also supports 11 customized zones.

NOTE

Derived from military usage, a DMZ is an intermediate zone between a strictly controlled military zone and a loosely controlled public zone; that is, it is partially controlled by the military. On the Eudemon, it denotes a zone that is independent of internal networks and external networks both logically and physically, in which public devices such as Web servers and FTP servers are placed. It is hard to decide where to place such servers for external access: if they are placed in external networks, their security cannot be assured; if they are placed in internal networks, their security defects might give an external malicious client the opportunity to attack internal networks. The DMZ was developed to solve this problem.

Relations Between Interface, Network and Security Zones

CAUTION
Neither two security zones with the same security level nor an interface belonging to two different security zones is allowed in the system.

Relations between interface, network and security zones:
- Relation between interface and security zones: A security zone includes one or several interfaces with one security level. Except for the Local zone, all the other security zones need to be associated with some interfaces of the Eudemon respectively, that is, the interfaces are added into those zones.

- Relations between network and security zones: Internal networks should be located in a high-level security zone, for example, the Trust zone. External networks should be located in a low-level security zone, for example, the Untrust zone. Networks offering conditional services to the outside should be located in the medium-level DMZ. The Local zone has no interface; the Eudemon device itself is in the Local zone. The Vzone has no interface and is used for traffic forwarding between Virtual Private Network (VPN) instances.

- Relation between the interface, network and security zones: The relationship is shown in Figure 2-10.

Figure 2-10 Relationship diagram of interface, network and security zones (figure: the Eudemon with interfaces GE0/0/0, GE0/0/1 and GE0/0/2 placed in the Trust, DMZ and Untrust zones, a server in the DMZ and a server in the Untrust zone, the Local zone and the Vzone, with inbound and outbound arrows drawn between the zones)

Inbound and Outbound
Data flows between two security zones (interzone) are grouped into two directions:
- Inbound: the direction in which data are transmitted from low-level security zones to high-level security zones.
- Outbound: the direction in which data are transmitted from high-level security zones to low-level security zones.

Data transmission between security zones of different levels triggers the Eudemon to check the security policy. You can set a different security policy for each direction of the same interzone: when a data flow moves in either direction between the two security zones, a different security policy check is triggered. The data transmission direction on the Eudemon is determined based on the side with the higher security level. You can conclude that:
- A data stream transmitted from the Local zone to the Trust zone, DMZ and Untrust zone is called an outbound data stream; the reverse direction is an inbound data stream.
- A data stream transmitted from the Trust zone to the DMZ, Untrust zone and Vzone is called an outbound data stream; the reverse direction is an inbound data stream.
- A data stream transmitted from the DMZ to the Untrust zone and Vzone is called an outbound data stream; the reverse direction is an inbound data stream.
- The data stream transmitted from the Untrust zone to the Vzone is called an outbound data stream, while the data stream transmitted from the Vzone to the Untrust zone is called an inbound data stream.

NOTE
- If you allow users in a high-level security zone to access external networks, you can configure a default interzone packet-filtering rule on the Eudemon, allowing packets to travel from a high-level security zone to a low-level security zone.
- The data transmission direction on a router is determined based on the interface, which is also one of the main features differentiating the Eudemon from the router. A data stream sent out of an interface is called an outbound data stream, and the reverse is an inbound data stream.
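The zone model of section 2.2 as an added example (written for this page, not Huawei's code): the default zone levels of "Security Zone Classification", the constraints of the CAUTION note and of 2.2.2, and the direction rule of "Inbound and Outbound". The class, method and custom zone names are assumptions; the interface names GE0/0/0 and GE0/0/1 come from Figure 2-10.

```python
# Default zones and their security levels/priorities from 'Security Zone Classification'
DEFAULT_ZONES = {"vzone": 0, "untrust": 5, "dmz": 50, "trust": 85, "local": 100}
MAX_CUSTOM_ZONES = 11                      # "the Eudemon also supports 11 customized zones"
NO_INTERFACE_ZONES = ("local", "vzone")    # both have no interface (section 2.2.3)


class ZoneTable:
    """Zone registry plus the interzone direction rule; names are mine, not the product's."""

    def __init__(self):
        self.levels = dict(DEFAULT_ZONES)   # zone name -> security level
        self.iface_zone = {}                # interface -> zone (an interface has one zone only)

    def add_zone(self, name, level):
        """Create a customized zone, enforcing the constraints of 2.2.2 and the CAUTION note."""
        if name in self.levels:
            raise ValueError(f"zone {name} already exists")
        if not 1 <= level <= 100:
            raise ValueError("security level must be an integer in the range 1 to 100")
        if level in self.levels.values():
            raise ValueError(f"level {level} is already used by another zone")
        if len(self.levels) - len(DEFAULT_ZONES) >= MAX_CUSTOM_ZONES:
            raise ValueError(f"at most {MAX_CUSTOM_ZONES} customized zones are supported")
        self.levels[name] = level

    def add_interface(self, iface, zone):
        """Associate an interface with a zone; an interface may belong to one zone only."""
        if zone not in self.levels:
            raise ValueError(f"unknown zone {zone}")
        if zone in NO_INTERFACE_ZONES:
            raise ValueError(f"the {zone} zone has no interfaces")
        if iface in self.iface_zone and self.iface_zone[iface] != zone:
            raise ValueError(f"{iface} already belongs to the {self.iface_zone[iface]} zone")
        self.iface_zone[iface] = zone

    def direction(self, src_zone, dst_zone):
        """'outbound' from the higher-level zone to the lower one, 'inbound' the other way.
        Traffic staying inside one zone is labelled 'intrazone' here; that label is mine."""
        src, dst = self.levels[src_zone], self.levels[dst_zone]
        if src == dst:
            return "intrazone"
        return "outbound" if src > dst else "inbound"

    def direction_for_packet(self, in_iface, out_iface):
        """Direction of a packet entering on in_iface and leaving on out_iface."""
        return self.direction(self.iface_zone[in_iface], self.iface_zone[out_iface])


if __name__ == "__main__":
    zones = ZoneTable()
    zones.add_interface("GE0/0/0", "trust")
    zones.add_interface("GE0/0/1", "untrust")
    print(zones.direction("trust", "untrust"))                 # outbound
    print(zones.direction_for_packet("GE0/0/1", "GE0/0/0"))    # inbound
```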


3 System Management

About This Chapter
3.1 SNMP Overview
3.2 Introduction to the Features of Web Management


3.1 SNMP Overview
3.1.1 Introduction to SNMP
3.1.2 SNMP Versions and Supported MIB

3.1.1 Introduction to SNMP
At present, the Simple Network Management Protocol (SNMP) is widely used in network management. It is an industry standard. The SNMP protocol ensures that management information can be transmitted between any two nodes. Based on SNMP, a network administrator can perform the following operations at any node on the network:
- Retrieve information
- Modify information
- Locate a fault
- Diagnose a failure
- Plan capacity
- Generate reports

SNMP adopts the polling mechanism and provides a basic set of functions. It is applicable to small-sized, fast, and low-cost scenarios. SNMP is widely supported by many products because it requires only the unacknowledged transport layer protocol UDP. The architecture of the SNMP protocol can be divided into the following parts:
- Network Management Station (NMS): a workstation on which the client program runs.
- Agent: server-side software running on the network device.

The detailed operations are described as follows. The NMS sends packets to the agent, including:
- GetRequest
- GetNextRequest
- GetBulk
- SetRequest

After receiving the request packet from the NMS, the agent reads or writes the management variables based on the packet type. The agent generates a response packet and returns it to the NMS. When exceptions occur during the cold/hot startup of the device, the agent sends a trap packet to the NMS to report the event.


3.1.2 SNMP Versions and Supported MIB
To uniquely identify the management variable of the device in the SNMP packet, SNMP uses a hierarchical naming scheme to identify the management object. The hierarchical structure is like a tree. Each node on the tree represents a management object. As shown in Figure 3-1, one path starting from the root can be used to uniquely identify the management object.

Figure 3-1 MIB tree (figure: a tree in which the child nodes at each level are numbered 1, 2, ...; two nodes are labelled A and B)

As shown in Figure 3-1, management object B can be uniquely identified by the string of numbers {1.2.1.1}, which is the object identifier of the management object. The management information base (MIB) is used to describe the hierarchical structure of the tree. It is a set of standard variable definitions of the monitored network device. At present, the SNMP agent on the Eudemon system supports the standard network management system SNMP v3 and is compatible with SNMP v1 and SNMP v2c. Table 3-1 shows the MIBs supported by the system.

Table 3-1 MIB supported by the system
Attribute     Content                                     Standard or Specifications
Public MIB    MIB II based on the TCP/IP network device   RFC1213
              RIP-2 MIB                                   RFC1724
              Ethernet MIB                                RFC2665, RFC2668
              PPP MIB                                     RFC1471, RFC1473
              OSPF MIB                                    RFC1253
              IF MIB                                      RFC1573
              SNMPV2 MIB                                  RFC1907
              Framework MIB                               RFC2571
              Usm MIB                                     RFC2573
              Mpd MIB                                     RFC2572
              Vacm MIB                                    RFC2275
              Target MIB                                  RFC2273
              Notification MIB                            RFC2273
              RADIUS MIB                                  RFC2618, RFC2620
Private MIB   Performance alarm MIB                       -
              Device panel MIB
              Device resource MIB
              VLAN
              QoS
              Configuration management MIB
              System management MIB

3.2 Introduction to the Features of Web Management
The web-manager function provides users with a simple and friendly web configuration interface. Through this interface, users can operate and maintain the Eudemon conveniently. Users can access the interface with either of the following methods:
- Encryption: The Web browser communicates with the Eudemon through the HTTP security protocol (HTTPS). The encryption function ensures the security of user information.
- Non-encryption: The Web browser communicates with the Eudemon through the HTTP protocol.

Users access the Eudemon through the Web browser and send HTTP packets to the Eudemon. The Eudemon starts the Web server to process the HTTP packets sent from the users. HTTP packets are classified into the following two types:
- get: If the HTTP packets sent from the Web browser to the Eudemon are get packets, the Eudemon triggers the get-processing process and retrieves the configuration information of each function module of the Eudemon.
- post: If the HTTP packets sent from the Web browser to the Eudemon are post packets, the Eudemon triggers the post-processing process and sends the configuration information to each function module of the Eudemon.


4 Security Features

About This Chapter
4.1 ACL
4.2 Security Policy
4.3 NAT
4.4 Attack Defense
4.5 P2P Traffic Limiting
4.6 IM Blocking
4.7 Static Multicast
4.8 Keyword Authentication
4.9 Authentication and Authorization
4.10 IP-CAR
4.11 TSM Cooperation
4.12 SLB


4.1 ACL
4.1.1 ACL Definition
4.1.2 ACL Application
4.1.3 ACL Step
4.1.4 ACL on the Eudemon

4.1.1 ACL Definition
The Eudemon must be capable of controlling the network data stream so as to define:
- Network security
- QoS requirements
- Various policies

Access Control List (ACL) is one method of controlling data streams. An ACL is a series of ordered rules composed of permit or deny statements. The permit action allows the packets to pass through the Eudemon, while the deny action forbids the packets from passing through the Eudemon. The rules are described mainly by:
- Source address
- Destination address
- Port number
- Upper layer protocol

4.1.2 ACL Application
Packet Filter
Packet filtering is a network security protection mechanism. It is used to control the inbound and outbound data between networks at different security levels. Before forwarding a data packet, the Eudemon checks information in the packet header, including the source address, destination address, source port, destination port, upper layer protocol and so on. Then the Eudemon determines whether to forward the data packet or discard it based on the result of comparing this information with the defined rules.
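The ordered permit/deny matching that 4.1.1 and the Packet Filter paragraph describe, as an added example (written for this page, not Huawei's ACL implementation): the first rule whose source address, destination address, upper layer protocol and port all match decides the packet. The Rule class, the rule syntax, the default action when no rule matches and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source network; 0.0.0.0/0 = any
    dst: str = "0.0.0.0/0"          # destination network; 0.0.0.0/0 = any
    proto: Optional[str] = None     # upper layer protocol; None = any
    dport: Optional[int] = None     # destination port; None = any

    def matches(self, pkt):
        """All fields of the rule must match the packet header (an unset field matches anything)."""
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


def filter_packet(acl, pkt, default="deny"):
    """Walk the ordered rule list; the first matching rule wins.
    Returns (action, rule number) or (default, None) when nothing matches.
    The default action is an assumption of this example, not taken from the page."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return default, None


# Constructed sample ACL (documentation address ranges): one Trust-side host is
# denied first, the rest of the Trust subnet may reach the DMZ web server on TCP 80,
# and any other Trust-to-DMZ traffic is denied explicitly.
SAMPLE_ACL = [
    Rule("deny", src="192.0.2.7/32"),
    Rule("permit", src="192.0.2.0/24", dst="198.51.100.10/32", proto="tcp", dport=80),
    Rule("deny", src="192.0.2.0/24", dst="198.51.100.0/24"),
]

# Constructed sample packet headers
SAMPLE_PACKETS = [
    {"src": "192.0.2.7", "dst": "198.51.100.10", "proto": "tcp", "dport": 80},   # rule 1: deny
    {"src": "192.0.2.8", "dst": "198.51.100.10", "proto": "tcp", "dport": 80},   # rule 2: permit
    {"src": "192.0.2.8", "dst": "198.51.100.10", "proto": "tcp", "dport": 443},  # rule 3: deny
    {"src": "192.0.2.8", "dst": "198.51.100.10", "proto": "icmp"},               # rule 3: deny
    {"src": "203.0.113.5", "dst": "198.51.100.10", "proto": "tcp", "dport": 80}, # no match
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", filter_packet(SAMPLE_ACL, pkt))
```

Because the rules are ordered, swapping rule 1 below rule 2 would let 192.0.2.7 through on TCP 80; the test for this block checks that reordering case as well.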