Huawei Symantec Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local representative office, agency, or customer service center.
Huawei Symantec Technologies Co., Ltd.
Address: Building 1, The West Zone, Science Park of UESTC, No. 88 Tianchen Road, Chengdu 611731, P.R. China
Website: http://www.huaweisymantec.com
Email: support@huaweisymantec.com
Copyright Huawei Symantec Technologies Co., Ltd. 2009. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Symantec Technologies Co., Ltd.
Trademarks and Permissions and other Huawei Symantec trademarks are trademarks of Huawei Symantec Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
1 Login
Before logging in to the Secoway eLog, you need to add the eLog Web site to the trusted sites.
Procedure
1. In Internet Explorer, choose Tools > Internet Options....
2. Select the Security tab.
3. Select the Trusted sites zone and click Sites. The Trusted sites dialog box is displayed.
4. Enter https://IP/ in the text box after Add this Web site to the zone.
5. Click Add.
6. Click OK. The Internet Properties window is displayed.
7. Click OK.

Logging in to the Secoway eLog
Procedure
1. Enter https://IP/, the login address of the Secoway eLog. IP is the IP address of the log server, for example, https://10.0.0.254/.
2. Press Enter.
3. In the Secoway eLog dialog box, enter the user name, password, and authentication code, as shown in Figure 1-1. Upon initial login, the administrator account is admin and the password is null.
Figure 1-1 Login system
Introduction to the Home Page of the Secoway eLog
This section introduces the home page of the Secoway eLog. Only valid users can log in to the Secoway eLog. The Secoway eLog home page consists of the toolbar, the navigation tree, and the description area, as shown in Figure 1-2. The contents of the home page vary with the login user.
Figure 1-2 Secoway eLog Home Page
2 Add a Log Collector
The Secoway eLog system consists of log collectors and log servers. After adding a log collector to the system, you can configure it for device management. Only a device that lies in one of the subnets managed by the log collector can be added to that log collector.
Procedure
1. In the navigation tree, choose System Management > Log Collector Management. The Log Collector Management window is displayed.
2. Click Add to display the Add Log Collector window.
3. Set the log collector. Table 3-1 describes the parameters related to setting the log collector.
Table 3-1 Parameters related to setting the log collector
Parameter: Description
Log Collector Name: Indicates the name of the log collector. You can enter a maximum of 16 characters.
IP Address: Indicates the IP address of the log collector.
Standby Collector: Select it if the specified collector is in a cluster and acts as the standby collector.
Subnet/Mask: Indicates the IP addresses and masks of the subnets that the log collector can manage.
Details: Indicates the details of the log collector. You can enter a maximum of 128 characters.
4. Click OK. If the collector is added successfully, its information is displayed in the lower part of the Log Collector Management window.
5. Click the corresponding icon to change the information about the log collector. If some devices are managed by the log collector, only the name, IP address, and details can be modified. To modify the subnet/mask, you need to delete those devices first.
6. Click the corresponding icon to delete the log collector. You need to delete the devices managed by the collector first; only then can the log collector be deleted.
3 Adding a Device
You can configure all managed devices. The system can collect, analyze, and manage the logs of a device only after the device has been added to the system. In addition, you can export all managed devices or import them in batches.
Procedure
1. In the navigation tree, choose System Management > Device Management. The Device Management window is displayed.
2. Click Add to display the Add Device window.
3. Enter the device information in the Add Device window. Table 2-1 describes the parameters related to adding a device.
Table 2-1 Parameters related to adding a device
Parameter: Description
Device Name: Indicates the device name. You can enter a maximum of 16 characters.
Device Type: Indicates the device type.
Firewall Type: Indicates the firewall type. This option is displayed only when Device Type is set to Eudemon/USG Firewall.
Whether the UTM features are available: Select it if the firewall has the UTM feature. This option is displayed only when Device Type is set to Eudemon/USG Firewall.
IP Address: Indicates the IP address of the device. NOTE: The IP address of the device must lie within the IP address ranges managed by the log collector.
Details: Indicates the device details. You can enter a maximum of 256 characters.
4. Click OK to finish adding the device. If the device is added successfully, its information is displayed in the table at the lower part of the page.
4 User and Role Management
Adding the Operator Role
This section describes how to add the operator role and determine the devices it is authorized to use.
Context
By default, a user can hold only the administrator role or the auditor role. The system administrator can add operator roles to users. Based on the devices in the system, the administrator can configure different operators and allow each of them to work on the corresponding devices. Users who do not hold an operator role have no authority to operate the devices of the system.
Procedure
1. In the navigation tree, choose System Management > User/Role Management. The User/Role Management window is displayed.
2. Click Add Role to display the Add Role window.
3. Set the operator role. Table 4-1 describes the parameters related to adding the operator role.
Table 4-1 Parameters related to adding the operator role
Parameter: Description
Role Name: Indicates the role name. You can enter a maximum of 16 characters.
Role Description: Indicates the role description. You can enter a maximum of 32 characters.
Role Type: Indicates the role type. The default value is Operator, and it cannot be modified.
Authorized Devices: Indicates the devices that the operator is authorized to use. Operators are authorized to use the devices listed in Selected Device. Click the corresponding arrow button to add the device selected in Unselected Device to Selected Device, to add all devices from Unselected Device to Selected Device, to move the device selected in Selected Device to Unselected Device, or to move all devices from Selected Device to Unselected Device.
4. Click OK to finish adding the operator role.
Adding Users
This section describes how to add users to the system. You can add users with three types of roles: administrator, auditor, and operator. The three roles perform different operations on the system.
Procedure
1. In the navigation tree, choose System Management > User/Role Management. The User/Role Management window is displayed.
2. Click Add User to display the Add User window.
3. Set the user information. Table 4-2 describes the parameters related to adding users.
Table 4-2 Parameters related to adding users
Parameter: Description
User Account: Indicates the user account. You can enter a maximum of 16 characters.
User Name: Indicates the user name. You can enter a maximum of 16 characters.
Mobile Phone: Indicates the telephone number of the user.
Email: Indicates the email address of the user.
Password: Indicates the user password. The password must contain at least 8 characters and at most 16. In addition, the password must contain uppercase letters, lowercase letters, digits, and special characters at the same time.
Confirm Password: Enter the user password again.
User Information: Indicates the user information. You can enter a maximum of 32 characters.
Account Status: Indicates the account status. Only activated users can log in to the Secoway eLog.
Role Type: Indicates the role type. If you select the operator role, allocate operator roles as follows: click the corresponding arrow button to add the operator role selected in Unselected Operator Roles to Selected Operator Roles, to add all operator roles from Unselected Operator Roles to Selected Operator Roles, to move the operator role selected in Selected Operator Roles to Unselected Operator Roles, or to move all operator roles from Selected Operator Roles to Unselected Operator Roles.
5 Configuring the Firewall A Networking Example All the following descriptions of configuring the firewall are based on this networking example. Analyze this example closely before configuring the firewall.
Figure 4-1 A networking example
Configuring Basic Functions of Firewall Logs
Most service logs of the firewall are sent in Syslog form, while a few types of logs, including traffic logs and session logs, are sent in binary form. You are required to enable the functions of collecting and sending traffic logs and session logs.
Procedure
1. Connect the firewall to the log server through a serial cable.
2. On the log server, choose Start > Program Files > Accessories > Communications > Super Terminal. The interface shown in Figure 4-2 is displayed.
Figure 4-2 Creating a connection
(Addresses shown in the Figure 4-1 networking example: 192.168.0.100/24, 192.168.0.1/24, 10.0.0.1/24, eLog 10.0.0.100/24, 10.0.0.200/24, 10.0.0.50/24)
3. In Name, enter a name for the connection.
4. Click OK. The interface shown in Figure 4-3 is displayed.
Figure 4-3 Choosing a COM port for the connection
5. In For use during connections, select the COM port to which the serial cable is connected.
6. Click OK. The interface shown in Figure 4-4 is displayed.
Figure 4-4 Setting the port
9. Press Enter.
10. Enter the default user name and password. The default user name is admin, and the password is Admin@123.
11. Press Enter. The user view is displayed.
12. Change the time zone and time on the firewall to those on the log server.
# Change the time zone on the firewall to that on the log server.
<Eudemon> clock timezone c8 add 08:00:00
NOTE: c8 is a customized time zone name. The following takes Beijing time as an example. Beijing time is eight hours ahead of the firewall's default UTC; therefore, use add 08:00:00. If the local time is behind UTC, use minus.
# Change the time on the firewall to that on the log server. For example, set the current time on the firewall to 00:00:00 on November 1, 2009.
<Eudemon> clock datetime 0:0:0 2009/11/01
13. Enable the inter-zone packet filter between the Trust and Local zones (adapt the zones to the actual situation).
<Eudemon> system-view
[Eudemon] firewall packet-filter default permit interzone local trust all
Enable the functions of collecting and sending Syslog logs
Redirect the logs of the information center to the log server (10.0.0.100).
NOTE: 10.0.0.100 is the IP address of the log server. Change it according to the actual situation.
<Eudemon> system-view
[Eudemon] info-center loghost 10.0.0.100
CAUTION: The language attribute of firewall logs must be English so that the log server can parse the logs properly. Therefore, when you run the info-center loghost command, do not set the language attribute, or set it to English.

Enable the functions of collecting and sending Session logs
Enable the inter-zone function of recording session logs according to the actual situation. The following takes the zone pair between trust and untrust as an example.
[Eudemon] acl 3000
[Eudemon-acl-basic-3000] rule permit tcp destination 10.0.0.100 0
[Eudemon-acl-basic-3000] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] session log enable acl-number 3000 inbound
[Eudemon-interzone-trust-untrust] session log enable acl-number 3000 outbound
[Eudemon-interzone-trust-untrust] quit
# Redirect the inter-zone session logs to the log server (10.0.0.100).
[Eudemon] firewall session log-type binary host 10.0.0.100 9002 source 10.0.0.1 9003
NOTE: 10.0.0.100 is the IP address of the log server. Change it according to the actual situation. 9002 is the port used for binary logs and requires no change. Session logs must be sent in binary format, and the format requires no change. (Optional) 10.0.0.1 is the source IP address used for communication between the firewall and the log server, and 9003 is the source port number from which the firewall sends logs. Change these values according to the actual situation.
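The Syslog and session-log settings above are the ones the eLog server depends on, so a deployment check is worth automating. The following is an added example, not part of the Huawei Symantec guide: it audits a firewall configuration text for the constraints the guide states (loghost set to the eLog server with no non-English language attribute, session logs in binary form to port 9002, and session logging enabled). It assumes one command per line with the CLI prompts already stripped; the sample configurations are constructed.

```python
"""Audit Eudemon log-export configuration against the Secoway eLog requirements.

Added example (not the guide's own tooling). Assumptions: one command per
line, prompts such as '[Eudemon-aaa]' already stripped, commands as shown in
the guide ('info-center loghost', 'firewall session log-type', 'session log
enable'). Returns findings rather than printing, so results can be checked.
"""
import ipaddress
import re

BINARY_LOG_PORT = 9002  # fixed port for binary session logs, per the guide


def audit_log_export(config_text: str, log_server: str) -> list:
    """Return a list of finding strings; an empty list means the export config is sound."""
    ipaddress.IPv4Address(log_server)  # raises ValueError on a malformed server address
    findings = []
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    # 1. Syslog redirection: loghost must point at the eLog server and not set a
    #    non-English language, otherwise the log server cannot parse the logs.
    loghost = [ln for ln in lines if ln.startswith("info-center loghost")]
    if not loghost:
        findings.append("missing: info-center loghost (syslog not redirected)")
    for ln in loghost:
        host = ln.split()[2]
        if host != log_server:
            findings.append(f"loghost {host} is not the eLog server {log_server}")
        m = re.search(r"\blanguage\s+(\S+)", ln)
        if m and m.group(1).lower() != "english":
            findings.append(f"loghost language '{m.group(1)}' is not English")

    # 2. Session log export: binary format, eLog server address, port 9002.
    binary = [ln for ln in lines if ln.startswith("firewall session log-type")]
    if not binary:
        findings.append("missing: firewall session log-type binary host ...")
    for ln in binary:
        m = re.match(r"firewall session log-type (\S+) host (\S+) (\d+)", ln)
        if not m:
            findings.append(f"unparsable session log-type line: {ln}")
            continue
        fmt, host, port = m.group(1), m.group(2), int(m.group(3))
        if fmt != "binary":
            findings.append(f"session log format '{fmt}' must be binary")
        if host != log_server:
            findings.append(f"session log host {host} is not {log_server}")
        if port != BINARY_LOG_PORT:
            findings.append(f"session log port {port} must be {BINARY_LOG_PORT}")

    # 3. Without 'session log enable' in an interzone view nothing is exported.
    if not any(ln.startswith("session log enable") for ln in lines):
        findings.append("missing: session log enable (no interzone session logging)")
    return findings


# Constructed sample configurations: the guide's commands, and a broken variant.
GOOD_CONFIG = """
info-center loghost 10.0.0.100
acl 3000
rule permit tcp destination 10.0.0.100 0
quit
firewall interzone trust untrust
session log enable acl-number 3000 inbound
session log enable acl-number 3000 outbound
quit
firewall session log-type binary host 10.0.0.100 9002 source 10.0.0.1 9003
"""
BAD_CONFIG = """
info-center loghost 10.0.0.100 language chinese
firewall session log-type text host 10.0.0.50 514
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_log_export(cfg, "10.0.0.100") or ["ok"])
```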
Enabling the Function of Sending Login Logs Login logs of the firewall refer to logs that are generated when the firewall administrator logs in to the firewall system in a specific method, including the login through the Console interface, login through the Telnet, login through the File Transfer Protocol (FTP), and login through the Hyper Text Transfer Protocol (HTTP). In every login method, both success logs and failure logs are generated. Prerequisite The firewall has been connected to the network and basic configurations of the firewall have been completed.
Procedure
1. Enable the Telnet function.
Enable AAA authentication for remote logins. For example, configure the firewall to support five concurrent remote logins (VTY numbers 0 to 4).
<Eudemon> system-view
[Eudemon] user-interface vty 0 4
[Eudemon-ui-vty0-4] authentication-mode aaa
Configure the user privilege level for this login method (the default level is visitor). For example, configure the management level (level 3).
[Eudemon-ui-vty0-4] user privilege level 3
Create the user name, password, and service type for local authentication. For example, configure the user name telnetuser and the password telnetpwd for Telnet logins.
[Eudemon-ui-vty0-4] quit
[Eudemon] aaa
[Eudemon-aaa] local-user telnetuser password simple telnetpwd
[Eudemon-aaa] local-user telnetuser service-type telnet
Configure the password for switching the privilege level of login users. For example, configure the password superpwd for switching to the management level (level 3).
[Eudemon-aaa] quit
[Eudemon] super password level 3 simple superpwd
2. Enable the FTP function.
Enable the FTP service and configure the user name, password, and FTP directory for FTP login users. For example, the user name and password are ftpuser and ftppassword.
[Eudemon] ftp server enable
[Eudemon] aaa
[Eudemon-aaa] local-user ftpuser password simple ftppassword
[Eudemon-aaa] local-user ftpuser service-type ftp
[Eudemon-aaa] local-user ftpuser ftp-directory flash:
Initiate an FTP connection to the Eudemon firewall (FTP server) from a remote PC (10.0.0.100).
a. C:\WINDOWS\Desktop> ftp 10.0.0.1
Connected to 10.0.0.1.
220 FTP service ready.
User (10.0.0.1(none)): ftpuser
331 Password required for ftpuser.
Password:******
230 User logged in.
ftp> bye
221 Server closing.
b. C:\WINDOWS\Desktop>
3. Enable the function of managing pages through the Web.
NOTE: The Eudemon 8000E does not support this function.
Enable the HTTP service and configure the user name and password for Web login users. For example, the user name and password are webuser and webpassword.
[Eudemon] web-manager enable
[Eudemon] web-manager security enable
[Eudemon] aaa
[Eudemon-aaa] local-user webuser password simple webpassword
[Eudemon-aaa] local-user webuser service-type web
[Eudemon-aaa] quit
Initiate an HTTP(S) connection to the Eudemon firewall (Web server) from a remote PC (10.0.0.100). Enter the IP address of the firewall in the address bar of your browser and press Enter.
Enabling the Function of Sending Packet Filtering Logs
A packet filtering log is generated when a packet passing through the firewall is matched on its quintuple (source IP address, destination IP address, source port number, destination port number, and protocol) and hits an ACL rule.
Prerequisite
The firewall has been connected to the network and basic configurations of the firewall have been completed.
Context
The firewall can control network traffic to enforce policies on security, QoS requirements, and so on. One method of controlling network traffic is to use an ACL. An ACL is an ordered series of rules consisting of permit statements and deny statements.
Procedure
1. Configure basic ACL rules that allow the extranet address 192.168.0.100 and all intranet addresses to pass the firewall.
<Eudemon> system-view
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit source 192.168.0.100 0 logging
[Eudemon-acl-basic-2000] quit
[Eudemon] acl 2001
[Eudemon-acl-basic-2001] rule permit source any logging
[Eudemon-acl-basic-2001] quit
2. Apply the basic ACL rules to the zone pair between the Demilitarized Zone (DMZ) and the untrust zone.
[Eudemon] firewall interzone dmz untrust
[Eudemon-interzone-dmz-untrust] packet-filter 2000 inbound
[Eudemon-interzone-dmz-untrust] packet-filter 2001 outbound
[Eudemon-interzone-dmz-untrust] quit

Enabling the Function of Sending NAT Logs and ASPF Logs
This function provides log alarms for the NAT and ASPF features supported by the firewall. The log alarms are exported in binary form.
Prerequisite
The firewall has been connected to the network and basic configurations of the firewall have been completed.
Context
NAT is the process in which the IP address and port number of an internal host are replaced by the external IP address and port number of the firewall, and the external IP addresses and port numbers of the firewall are translated back into the IP addresses and port numbers of internal hosts. ASPF is packet filtering applied at the application layer, that is, state-based message filtering. It cooperates with the ordinary static firewall to implement the security policies of the intranet. ASPF inspects application-layer sessions that attempt to pass the firewall and blocks messages that fail to comply with the security rules.
Procedure
1. Define an ACL.
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit
[Eudemon-acl-basic-2000] quit
2. Configure a NAT address pool, which has ID and name attributes.
[Eudemon] nat address-group 1 192.168.0.200 192.168.0.200
3. Configure NAT outbound between the trust and untrust zones. Addresses in the pool are referenced by ID.
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] nat outbound 2000 address-group 1
4. Enable the inter-zone ASPF function of the firewall.
[Eudemon-interzone-trust-untrust] detect ftp
5. Enable the inter-zone session recording function of the firewall.
[Eudemon-interzone-trust-untrust] session log enable acl-number 2000

Enabling the Function of Sending Traffic Monitoring Logs
The system collects statistics on the traffic through the firewall periodically.
Prerequisite
The firewall has been connected to the network and basic configurations of the firewall have been completed.
Context
NOTE: You do not need to configure the Eudemon 8000E. By default, the function of sending traffic monitoring logs is enabled.
Procedure
1. Display the system view.
<Eudemon> system-view
2. Enable the system statistics function.
[Eudemon] firewall statistic system enable
3. If you are using the Eudemon 1000 series firewall or the Eudemon 8080, you also need to configure the log statistics type.
[Eudemon] firewall log stream enable
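The packet filtering section above says a log is generated when a packet "hits" an ACL rule, and that an ACL is an ordered list of permit and deny statements; the same first-match semantics govern the ACLs used for session logging and NAT in this chapter. The following is an added example, not part of the Huawei Symantec guide: it evaluates basic ACL rules written in the guide's syntax against a packet quintuple and produces a log record when the hit rule carries logging. It assumes basic ACLs match on source address only, that the second address token is a wildcard mask (0 bits must match, 1 bits are ignored, and a bare 0 means an exact host), and that the inter-zone default action applies without a log when no rule matches.

```python
"""First-match evaluation of Eudemon-style basic ACL rules with logging.

Added example (not the guide's code). Assumptions: basic ACLs (2000-2999)
match on the source address only; wildcard masks use 0 for "must match";
an unmatched packet gets the zone pair's default action and no log record.
"""
import ipaddress
import re
from dataclasses import dataclass

RULE_RE = re.compile(r"rule (permit|deny) source (any|(\S+) (\S+))( logging)?$")


@dataclass
class Rule:
    action: str      # "permit" or "deny"
    source: int      # source address as a 32-bit integer
    wildcard: int    # wildcard mask as a 32-bit integer (all ones = any)
    logging: bool


def _addr(token: str) -> int:
    """Accept dotted form or the bare '0' shorthand the guide uses for a host mask."""
    return int(token) if token.isdigit() else int(ipaddress.IPv4Address(token))


def parse_rule(text: str) -> Rule:
    """Parse 'rule permit|deny source <addr> <wildcard>|any [logging]'."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    logging = m.group(5) is not None
    if m.group(2) == "any":
        return Rule(m.group(1), 0, 0xFFFFFFFF, logging)
    return Rule(m.group(1), _addr(m.group(3)), _addr(m.group(4)), logging)


def matches(rule: Rule, src_ip: str) -> bool:
    """Compare only the bits the wildcard mask marks as significant (0 bits)."""
    care = ~rule.wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (rule.source & care)


def filter_packet(rules, packet: dict, default_action: str = "deny"):
    """Return (action, log_record); rules are tried in order and the first hit wins.

    packet is the quintuple the guide refers to: src, dst, sport, dport, proto.
    """
    for index, rule in enumerate(rules):
        if matches(rule, packet["src"]):
            record = None
            if rule.logging:  # only rules with the logging keyword produce a log
                record = (f"acl-rule={index} action={rule.action} {packet['proto']} "
                          f"{packet['src']}:{packet['sport']} -> "
                          f"{packet['dst']}:{packet['dport']}")
            return rule.action, record
    return default_action, None


# Constructed sample: the guide's permit rule followed by a deny for the rest of
# its /24, to show first-match ordering; ACL 2001 is the guide's permit-any rule.
ACL_2000 = [parse_rule(r) for r in (
    "rule permit source 192.168.0.100 0 logging",
    "rule deny source 192.168.0.0 0.0.0.255 logging",
)]
ACL_2001 = [parse_rule("rule permit source any logging")]
# The guide applies ACL 2000 inbound and ACL 2001 outbound on the dmz/untrust pair.
INTERZONE_DMZ_UNTRUST = {"inbound": ACL_2000, "outbound": ACL_2001}


def interzone_filter(packet: dict, direction: str):
    """Apply the ACL bound to the given direction of the dmz/untrust zone pair."""
    return filter_packet(INTERZONE_DMZ_UNTRUST[direction], packet)
```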
Enabling the Function of Sending Blacklist Logs
The Secoway eLog provides log alarms for the blacklist features supported by the firewall. The log alarms are generated in Syslog form.
Prerequisite
The firewall has been connected to the network and basic configurations of the firewall have been completed.
Context
The blacklist is a method of filtering packets according to their source IP addresses. Compared with ACL-based packet filtering, the blacklist function has relatively simple matching fields and can filter messages at high speed. This helps the firewall filter messages sent from specific IP addresses. A major feature of the blacklist function is that entries can be added or deleted by the Eudemon firewall dynamically. When the firewall detects an attack attempt from a specific IP address by analyzing the behavior of a message, it adds the IP address to the blacklist on its own and filters messages sent from that address. Thus the blacklist function is an important security feature of the firewall.
Procedure
1. Display the system view.
<Eudemon> system-view
2. Enable the blacklist function.
[Eudemon] firewall blacklist enable
3. Add the IP address X.X.X.X (for example, 7.7.7.72) to the blacklist manually.
[Eudemon] firewall blacklist item X.X.X.X
Enabling the Function of Sending Address Binding Logs
The Secoway eLog provides log alarms for the address binding features supported by the firewall. The log alarms are generated in Syslog form.
Prerequisite
The firewall is connected to the network, and basic configurations of the firewall have been completed.
Context
NOTE: The Eudemon 8000E does not support this function.
MAC address and IP address binding means that the firewall can set up an association between a specific MAC address and IP address according to the user configuration. If a message claiming to come from this IP address carries a MAC address that is not in the configured association, the firewall discards the message. A packet sent to this IP address is forcibly forwarded to the corresponding MAC address when it passes the firewall. This is an effective protection against IP address spoofing attacks. MAC-IP address binding is generally used on connections to layer-2 switches and helps prevent IP address spoofing, ARP flood, and DHCP flood attacks. It is also applicable to user authentication.
Procedure
1. Display the system view.
<Eudemon> system-view
2. Enable the MAC address binding function.
[Eudemon] firewall mac-binding enable
3. Bind X.X.X.X with 00E0-4C77-1EF3.
[Eudemon] firewall mac-binding X.X.X.X 00E0-4C77-1EF3
Enabling the Function of Sending Attack Defending Logs
The Secoway eLog provides log alarms for the attack defending features supported by the firewall. The log alarms are generated in Syslog form.
Prerequisite
The firewall has been connected to the network and basic configurations of the firewall have been completed.
Procedure
1. Display the system view.
<Eudemon> system-view
2. Enable the attack-defending function.
Enable the function of defending against a single attack type, such as SYN flood.
[Eudemon] firewall defend syn-flood enable
Enable the function of defending against all types of attacks.
[Eudemon] firewall defend all enable