The privilege of HCNA/HCNP/HCIE:

With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:

1. e-Learning Courses: Log on to http://learning.huawei.com/en and enter Huawei Training/e-Learning.
   If you have the HCNA/HCNP certificate: You can access Huawei Career Certification and Basic Technology e-Learning courses.
   If you have the HCIE certificate: You can access all the e-Learning courses marked for HCIE Certification Users.
   Method to get the HCIE e-Learning privilege: Please associate HCIE certificate information with your Huawei account, and email the account to Learning@huawei.com to apply for the HCIE e-Learning privilege.

2. Training Material Download
   Content: Huawei product training material and Huawei career certification training material.
   Method: Log on to http://learning.huawei.com/en and enter Huawei Training/Classroom Training, then you can download training material on the specific training introduction page.

3. Priority to participate in Huawei Online Open Class (LVC)
   The Huawei career certification training and product training cover all ICT technical domains like R&S, UC&C, Security, Storage and so on, and are conducted by Huawei professional instructors.

4. Learning Tools:
   eNSP: Simulates single Router&Switch devices and large networks.
   WLAN Planner: Network planning tool for WLAN AP products.

In addition, Huawei has built up the Huawei Technical Forum, which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others or become acquainted with Huawei products.

Statement:
This material is for personal use only, and can not be used by any individual or organization for any commercial purposes.

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1
OSI is short for Open System Interconnect reference model.

The OSI model is designed to become an open network interconnect model to overcome interconnect difficulties and improve efficiency.

The OSI model soon became a basic model for computer network communication. It complies with the following design principles:

- There is a clear edge between layers for easy understanding.
- Each layer implements a specific function without affecting the others.
- Each layer serves its upper layer and is served by its lower layer.
- Layer division helps define the international standard protocol.
- The number of layers should be enough to prevent different layers from having the same function.

The OSI model has the following features:

- Simplifies related network operations.
- Provides plug-and-play compatibility and standard interfaces between devices of different vendors.
- Enables each vendor to design interoperable network devices and speed up datacom network development.
- Enables the network in each region to be rapidly and independently upgraded, protecting the network in a region against the influence of network changes in another region.
- Breaks down complex network problems into simple problems to facilitate learning and operation.
In the OSI model, the data at each peer layer is called a protocol data unit (PDU). The data at the application layer is called an application protocol data unit (APDU), while the data at the presentation layer is called a presentation protocol data unit (PPDU). The data at the session layer is called a session protocol data unit (SPDU). Generally, the data at the transport layer is called a segment; the data at the network layer is called a packet; the data at the data link layer is called a frame; and the data at the physical layer is called a bit.

Encapsulation means that a network node packetizes the data to be transmitted with a specific protocol header; at some layers it also refers to adding a trailer (frame tail) to the end of the data for processing. Each layer in the OSI model encapsulates data to ensure that the data properly reaches the destination and is received and processed by the terminal host.
- The physical layer involves the original bit streams transmitted over channels. The physical layer is the basis of the OSI model, providing the mechanical, electrical, and functional features required by data transmission. The physical layer does not care about the meaning of each bit (0 or 1), but cares about how to transmit bit streams to the peer end over different physical links. In other words, the physical layer cares about signals, for example, amplifying signals to transmit them over longer distances, but does not care about whether each bit stream represents an address or a piece of application data. The typical devices are relay devices and hubs.

- The data link layer sets up data links between adjacent nodes on the basis of the bit stream service provided by the physical layer. The data link layer aims to control the physical layer and detect and correct possible errors to create an error-free link for the network layer. In addition, the data link layer monitors traffic. (This feature is optional. Traffic can be monitored by the data link layer or the transport layer.)

- The network layer checks the network topology to determine the best route for packet transmission and forwarding. The key is to determine how to select routes for the packets from the source to the destination. Devices at the network layer figure out the best routes to destinations by using routing protocols and find out the next network devices to which packets should be forwarded. Then, devices use the network-layer protocols to encapsulate packets and send data to the next network devices based on the service provided by the lower layer.

- The transport layer is the fourth layer of the OSI model, with the final aim of delivering effective and reliable services to users (which generally refers to processes at the application layer).

- At the session layer and its upper layers, the data transmission unit is called a packet. The session layer does not participate in transmission, but offers a mechanism including access verification and session management for enabling and maintaining inter-application communication. For example, the session layer enables servers to verify user logins.

- The presentation layer solves the syntax presentation of user information. It converts data from abstract syntax suitable for a user into transmission syntax suitable for internal use in the OSI. In other words, the presentation layer provides formatted presentation and data conversion services, compresses/decompresses data, and encrypts/decrypts data. For example, image format display is supported by the protocol at the presentation layer.

- The application layer provides an interface to operating systems or network applications for accessing network services.
Procedure for processing network data streams:

1. When an application on a network host needs to send a packet to a destination on another network, one interface of the router on the same network as the host receives the frame.
2. The data link layer of the router checks the frame, determines the data type carried at the network layer, removes the frame header, and sends the data to the corresponding network layer.
3. The network layer checks the packet header to determine the network segment of the destination and obtains the next-hop interface by looking up the routing table.
4. The data link layer of the next-hop interface adds a frame header to the packet, encapsulates the packet as a frame, and sends it to the next hop. Forwarding of each packet follows this process.
5. After reaching the network of the destination host, the packet is encapsulated as a frame at the data link layer of the destination network and sent to the target host.
6. After the destination host receives the packet, the frame header is removed by the data link layer and the packet header is removed by the network layer. Then, the packet is sent to the corresponding protocol module.
Due to its openness and ease of use, TCP/IP is widely used and has become a standard protocol.

The difference between the TCP/IP model and the OSI model is that the presentation layer and session layer of TCP/IP fall under the application layer. Therefore, the TCP/IP model is divided into four layers from the bottom up: data link layer, network layer, transport layer, and application layer. In some documents, the TCP/IP model is divided into five layers, among which the physical layer is an independent layer.

The sender submits data to the application to send to the destination. The data encapsulation process is as follows:

1. The data is sent to the application layer first, and application-layer information is added.
2. After being processed by the application layer, the packet is sent to the transport layer, and transport-layer information is added (for example, TCP or UDP; the transport-layer protocol is TCP or UDP).
3. After being processed by the transport layer, the packet is sent to the network layer, and network-layer information is added (such as the IP protocol).
4. After being processed by the network layer, the packet is sent to the data link layer, and data link-layer information is added (such as Ethernet, 802.3, PPP, and HDLC). Then, the data is transmitted to the peer end in bit stream format. (In this process, processing methods vary with device types. In general, switches process data link-layer information, whereas routers process network-layer information. The data is restored only when it reaches the destination.)

After reaching the destination, the packet is decapsulated. The procedure is as follows:

1. The packet is sent to the data link layer. After parsing, the data link-layer information is removed, and the network-layer protocol is obtained, such as the IP protocol.
2. After the network layer receives the packet, the network-layer information is removed, and the transport-layer protocol is obtained, such as TCP.
3. After the transport layer receives the packet, the transport-layer information is removed, and the application-layer protocol is obtained, such as HTTP.
4. After the application layer receives the packet, the application-layer information is removed. The finally displayed data is the same as that sent from the sender.

Both the application layer and transport layer provide E2E (end-to-end) services, while both the network layer and data link layer provide segment-to-segment services.
Each layer of the TCP/IP model has protocols for enabling network applications. Some of the protocols do not have their own specific layer. For example, ICMP, IGMP, ARP, and RARP fall under the network layer at which the IP protocol runs. However, in some scenarios, ICMP and IGMP fall under the upper layer of the IP protocol, while ARP and RARP fall under the lower layer of the IP protocol.

Application layer:
- HTTP: used to access web pages.
- FTP: used for file transfer, allowing data transmission from one host to another.
- DNS: enables conversion from host domain names to IP addresses.

Transport layer:
- TCP: provides reliable connection-oriented communication services to applications, applying to the applications that require a response. Currently, many popular applications use TCP.
- UDP: provides connectionless communication without guaranteeing transmission reliability. It is suitable for transmitting small amounts of data. Reliability is guaranteed by the application layer.

Network layer:
- IP: works with routing protocols to find out the best route to destinations. The IP protocol does not care about packet content and provides connectionless and unreliable services.
- ARP: resolves known IP addresses into MAC addresses.
- RARP: resolves known MAC addresses into IP addresses.
- ICMP: defines network layer control and message transmission functions.
- IGMP: used to manage broadcast group members.

Data link layer:
- The data link layer is classified into two sub-layers: the LLC and MAC sub-layers.

A socket consists of a quintuple: source IP address, destination IP address, protocol, source port, and destination port. The protocol number for TCP is 6, and that for UDP is 17.

- Destination port: In general, a commonly used application service has a standard port, for example, the HTTP, FTP, and Telnet services. Some applications are not popular, and their ports are generally defined by developers. In this case, the registered service ports on one server must be unique.
- Source port: The source port is numbered in ascending order from 1024. Some operating systems may use a greater number as the initial port number and assign port numbers in ascending order. Because the source port is unpredictable, it is not frequently involved in ACL policies.

To provide services for external users, all application servers are required to register their ports in TCP/UDP during startup to respond to service requests. Through the quintuple, application servers can respond to any concurrent service requests and ensure that each link is unique in the system.
In the TCP/IP stack, data link-layer protocols are at the lowest layer. Currently, data link-layer protocols have two frame formats, namely, the Ethernet and 802.3 frame formats, among which the Ethernet frame format is widely used. The 802.3 frame format is more complex than the Ethernet frame format. Apart from the length field, the 802.3 frame format contains other fields. Both Ethernet and 802.3 frame formats require the same minimum length and the same maximum length.

Data link-layer protocols are classified into LAN and WAN protocols. This document describes only one LAN protocol. For WAN protocols, refer to other Internet documentation. LAN protocols include Ethernet and token ring network protocols.

Data link-layer protocols implement the following functions:

1. Coordinate data link parameters, such as duplex and rate.
2. Encapsulate the frame header (a frame tail may also be encapsulated) of the transmitted packet, identify the frame header of the received packet, and decapsulate the packet destined to itself.
3. Most data link-layer protocols support error detection but do not support error correction. Error correction is generally provided by the protocols at the transport layer, such as TCP.
- Version: This field contains 4 bits, and it indicates the IP version number. The current protocol version is IPv4.
- Header length: This field contains 4 bits, and it indicates the length of the IP packet header, in bytes.
- Type of service: This field contains 8 bits. The first 3 bits define the packet priority, and the last five bits respectively indicate the delay (D), throughput (T), reliability (R), transmission cost (M), and the reserved bit (0).
- Total length: This field contains 16 bits. It indicates the length of the entire IP packet, in bytes, including the header and data. Therefore, an IP packet can contain up to 65,535 bytes.
- Identifier: This field contains 16 bits and works together with the flag and fragment offset fields to fragment large upper-layer data packets.
- Flag: This field contains 3 bits. The first bit is reserved. The second bit is DF (Don't Fragment). If it is set to 1, the data packet cannot be fragmented. If it is set to 0, the data packet can be fragmented. The third bit is MF (More Fragments). If it is set to 0, it is the last fragment. If it is set to 1, it indicates more fragments.
- Fragment offset: This field contains 3 bits and indicates the position of the fragment in the data stream.
- TTL: This field contains 8 bits and determines the number of routers that the packet can pass. Once the packet passes one router, the TTL value decreases by one. When the TTL value is 0, the packet is discarded.
- Protocol: This field contains 8 bits and determines the upper-layer protocol. Protocols are distinguished by protocol numbers. The protocol number for TCP is 6 and that for UDP is 17.
- Header checksum: This field carries the checksum of the IP header, used to check the integrity of the IP header.
- Source IP address and destination IP address: identify the source device and destination device of a packet.
- IP option: The length of this field can be extended.
- Padding: The header length is counted in units of 4 bytes (32 bits). Therefore, the length of IP headers must be an integral multiple of 32 bits. The padding field can be used to pad 0s after the IP option field to achieve this effect.

The UDP packet format is different from the TCP packet format. A TCP packet contains more bytes than a UDP packet and therefore has more functions, such as reliability.

The TCP packet format is described as follows:

- Sequence number (SN): The sender determines an initial number when encapsulating a TCP packet. Then the sequence numbers of subsequent packets increase in ascending order. The recipient can check whether all packets have been received based on the sequence numbers.
- Acknowledgement number: After receiving a TCP packet, the recipient verifies the packet and returns an acknowledgement number. Then the sender knows that the packet has been received by the recipient.
- Source port and destination port: identify and distinguish application processes on the source and destination devices.
- Data offset: It indicates the length of the header. If the option field is not specified, the header length is 20 bytes.
- Reserved: Reserved bits.
- Control flag: includes six flags:
  - If URG is 1, the packet is an urgent packet.
  - If ACK is 1, the packet is an acknowledgement packet.
  - If PSH is 1, the data of this packet is sent directly to the upper-layer application program without being processed by TCP.
  - If RST is 1, retransmission is required.
  - If SYN is 1, both parties are required to communicate about synchronization.
  - If FIN is 1, data transmission is over.
- Window size: also called the sliding window. After a TCP connection is established, both parties set the window size to an initial value. For example, if the initial value is set to 3, then the sender sends three TCP packets to the recipient. Then the window moves backward 3 packet spaces to fill the spaces of the transmitted packets. If the recipient can process the three packets at a time, it tells the sender that the window size is 3. If it processes only 2 packets, it tells the sender that the window size is 2. In this case, the sender changes its window size to 2, and the window moves backward 2 packet spaces. Therefore, the next time, the sender can send only 2 TCP packets.
- Checksum: Before sending a TCP packet, the sender computes a checksum over the packet and sends the checksum together with the packet to the recipient. After receiving the packet, the recipient computes the checksum over the packet again. If the new checksum is different from the one from the sender, the recipient asks the sender to send the packet again.
- Urgent pointer: If URG is set to 1, this field indicates the position of the urgent data. However, this situation rarely occurs.
- Option: This field is rarely used. If synchronization programs, such as Telnet, are used, use the option field to specify the packet size. The option field is 0 bits or an integral multiple of 32 bits. If insufficient, pad it.
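The following parser is an added example (not part of the course material) that decodes the IPv4 header fields and the TCP header fields described above from raw bytes and verifies the IP header checksum; the IHL field and the 13-bit fragment offset are decoded per RFC 791, and the TCP checksum, which needs a pseudo-header, is not verified here. The sample packet, addresses and ports are constructed.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields; raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4        # IHL counts 32-bit words
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if header_len < 20 or header_len > len(pkt) or total_len < header_len:
        raise ValueError("inconsistent IPv4 length fields")
    flags = flags_frag >> 13                 # reserved, DF, MF
    return {
        "version": version,
        "header_len": header_len,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags & 0b010),
        "mf": bool(flags & 0b001),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # 13 bits, in 8-byte units
        "ttl": ttl,
        "protocol": proto,                   # 6 = TCP, 17 = UDP
        "checksum_ok": internet_checksum(pkt[:header_len]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": pkt[header_len:total_len],
    }

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5

def parse_tcp_header(seg: bytes) -> dict:
    """Decode the TCP header fields (ports, SN, ACK number, data offset, flags, window)."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags,
     window, _csum, urg_ptr) = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4      # header length in bytes; 20 without options
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError("bad TCP data offset")
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flags, "window": window,
        "urgent_ptr": urg_ptr if "URG" in flags else None,
        "options": seg[20:data_offset], "payload": seg[data_offset:],
    }

def decode_packet(pkt: bytes) -> dict:
    """Decapsulate: IP header first, then the transport header the protocol field names."""
    ip = parse_ipv4_header(pkt)
    if ip["protocol"] == 6:
        ip["tcp"] = parse_tcp_header(ip["payload"])
    return ip

def build_sample_syn() -> bytes:
    """Constructed sample: a TCP SYN from 192.0.2.10:40000 to 198.51.100.5:80, DF set."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                             64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    csum = internet_checksum(ip_no_csum)     # computed with the checksum field zeroed
    return ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:] + tcp

if __name__ == "__main__":
    print(decode_packet(build_sample_syn()))
```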

Establishing a TCP connection is a three-way handshake. Both communication parties confirm the initial sequence number (SN) for subsequent communication in an orderly manner. The three-way handshake is as follows:

1. The client sends a SYN packet with initial SN a.
2. After receiving the SYN packet, the server returns a SYN packet that contains the ACK information for SYN packet a. The returned SN is the SN of the packet that the server hopes to receive next, namely, a+1. The returned SYN packet also contains the initial SN b of the server.
3. After receiving the returned SYN packet, the client returns one ACK packet in response, which contains the SN of the packet that the client hopes to receive next, namely, b+1.

After the preceding process, a TCP connection is established, and the client and server can communicate.
The four-way handshake process for terminating a TCP connection is as follows:

1. The host that sends the first FIN packet proactively terminates the connection, and the server that receives this FIN packet passively closes the connection.
2. After receiving the FIN packet, the server returns one ACK packet and confirms that the SN is the received SN plus 1. One FIN packet occupies one SN, the same as SYN packets.
3. The TCP server also sends an end-of-file marker to the application (namely, the discarding server). Then, the server program closes the connection. As a result, the TCP server sends one FIN packet.
4. The client must return an acknowledgement and set the acknowledgement SN to the received SN plus 1.
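The following is an added example (not from the course material) that models the three-way handshake and the four-way termination above as two endpoints exchanging sequence and acknowledgement numbers; each side rejects a segment whose ACK number is not exactly the next SN it will send, which is the check that gives the a+1 and b+1 values their meaning. The Segment and Endpoint classes are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Segment:
    seq: int                  # sequence number of this segment
    ack: Optional[int]        # acknowledgement number (None when ACK is not set)
    flags: FrozenSet[str]

class Endpoint:
    """One side of a TCP connection, tracking only state and sequence numbers."""

    def __init__(self, name: str, isn: int):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn        # next SN this side will send (starts at its ISN)
        self.rcv_nxt = None       # SN this side expects from the peer next

    def _send(self, flags, consumes_sn: bool) -> Segment:
        ack = self.rcv_nxt if "ACK" in flags else None
        seg = Segment(self.snd_nxt, ack, frozenset(flags))
        if consumes_sn:           # SYN and FIN each occupy one sequence number
            self.snd_nxt += 1
        return seg

    def _check_ack(self, seg: Segment) -> None:
        # The peer must acknowledge exactly the next SN we will send (e.g. a+1).
        if "ACK" not in seg.flags or seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: ack {seg.ack} != expected {self.snd_nxt}")

    # ---- three-way handshake ----
    def connect(self) -> Segment:                     # 1. client sends SYN, SN = a
        self.state = "SYN_SENT"
        return self._send({"SYN"}, True)

    def recv_syn(self, seg: Segment) -> Segment:      # 2. server: ack a+1, SYN with SN = b
        self.rcv_nxt = seg.seq + 1
        self.state = "SYN_RCVD"
        return self._send({"SYN", "ACK"}, True)

    def recv_syn_ack(self, seg: Segment) -> Segment:  # 3. client: verify a+1, ack b+1
        self._check_ack(seg)
        self.rcv_nxt = seg.seq + 1
        self.state = "ESTABLISHED"
        return self._send({"ACK"}, False)

    def recv_ack(self, seg: Segment) -> None:         # pure ACK: advance state only
        self._check_ack(seg)
        self.state = {"SYN_RCVD": "ESTABLISHED", "FIN_WAIT_1": "FIN_WAIT_2",
                      "LAST_ACK": "CLOSED"}.get(self.state, self.state)

    # ---- four-way termination ----
    def close(self) -> Segment:                       # send FIN (active or passive close)
        self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        return self._send({"FIN", "ACK"}, True)

    def recv_fin(self, seg: Segment) -> Segment:      # acknowledge the FIN with SN + 1
        if "ACK" in seg.flags:
            self._check_ack(seg)
        self.rcv_nxt = seg.seq + 1
        self.state = "CLOSE_WAIT" if self.state == "ESTABLISHED" else "TIME_WAIT"
        return self._send({"ACK"}, False)

def run_connection(a: int, b: int) -> dict:
    """Open and close a connection with client ISN a and server ISN b; return the trace."""
    client, server = Endpoint("client", a), Endpoint("server", b)
    syn = client.connect()
    syn_ack = server.recv_syn(syn)
    ack = client.recv_syn_ack(syn_ack)
    server.recv_ack(ack)
    fin1 = client.close()             # client terminates first
    ack1 = server.recv_fin(fin1)
    client.recv_ack(ack1)
    fin2 = server.close()             # server closes after its application is done
    ack2 = client.recv_fin(fin2)
    server.recv_ack(ack2)
    return {"syn": syn, "syn_ack": syn_ack, "ack": ack, "fin1": fin1, "ack1": ack1,
            "fin2": fin2, "ack2": ack2, "client": client.state, "server": server.state}

if __name__ == "__main__":
    for k, v in run_connection(1000, 5000).items():
        print(k, v)
```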

Along with the rapid development of the Internet, the TCP/IP protocol has become the most widely used network interconnection protocol. However, due to insufficient attention to security at the beginning of the design, the protocol has some security risks. The Internet was first applied in research environments for a few trusted user groups. Therefore, network security problems were not the major concern, and in the TCP/IP protocol stack, the vast majority of protocols do not provide the necessary security mechanisms. For example, they do not provide the following functions:

1. Authentication
2. Confidentiality protection
3. Data integrity protection
4. Anti-denial of service
5. QoS
In the TCP/IP protocol stack, each layer has its own protocols. At the beginning, these protocols did not focus on security, so they do not have the necessary security mechanisms. Therefore, more and more security threats and attacks target these protocols, and TCP/IP protocol stack security problems become more obvious.
Equipment damage generally does not cause information leaks but usually causes network communication interruptions. It is usually a violent means of attack.

Now we increasingly emphasize the high reliability of network services, so equipment damage attacks need more focus. Of course, apart from human vandalism, physical device damage caused by natural disasters such as earthquakes and typhoons also needs attention.
Among common network devices, hubs and repeaters work similarly. All packets received from a port are forwarded to all the other ports. If an attacker's host can connect to the hub or repeater, the attacker's host can use sniffing tools to obtain all the traffic data.

For wireless networks, because the data is transmitted through wireless signals, an eavesdropper can easily obtain the signals.
Taking advantage of the MAC address learning mechanism of switches, attackers can send packets with forged source MAC addresses to the switch, causing the switch to learn the wrong mapping between MAC address and port. As a result, the packets which should be sent to the correct destination are sent to the attacker's host. The attacker can install sniffing software on the host to obtain information for attacks.

You can configure static entries on the switch to bind the IP address to the correct port to prevent MAC spoofing attacks.

MAC flooding attacks exploit the MAC address learning mechanism of switches. Attackers send packets with forged source MAC addresses to a switch, so the switch learns incorrect MAC entries. However, the number of MAC entries on the switch is limited to a specified number. After a large number of such attack packets are sent to the switch, the MAC entries on the switch are used up. Therefore, normal packets cannot match MAC entries and are flooded to all the other ports in the same VLAN. In this way, packet interception is implemented.

You can configure static MAC entries or limit the number of MAC entries to prevent MAC flooding attacks.
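The following is an added example (not from the course material) that models a switch's MAC learning table with the two mitigations named in this passage and the previous one: static (bound) entries, which a frame from another port cannot overwrite, and a per-port cap on dynamically learned addresses, which keeps a flood of new source addresses on one port from evicting the entries of other hosts. The SwitchMacTable class, port numbers and MAC addresses are constructed.

```python
from collections import OrderedDict
from typing import Dict, List, Optional

class SwitchMacTable:
    """Source-MAC learning table with static entries and a per-port learning limit."""

    def __init__(self, ports: List[int], capacity: int,
                 per_port_limit: Optional[int] = None,
                 static: Optional[Dict[str, int]] = None):
        self.ports = ports
        self.capacity = capacity                 # total dynamic entries the table holds
        self.per_port_limit = per_port_limit     # None = unlimited learning per port
        self.static = dict(static or {})         # mac -> port, never overwritten or aged
        self.dynamic: "OrderedDict[str, int]" = OrderedDict()   # oldest entry first
        self.rejected = 0                        # learn attempts refused by a rule

    def _port_count(self, port: int) -> int:
        return sum(1 for p in self.dynamic.values() if p == port)

    def learn(self, src_mac: str, in_port: int) -> bool:
        """Process a frame's source MAC; return False if learning was refused."""
        if src_mac in self.static:
            # A frame claiming a bound address from the wrong port is not learned.
            ok = self.static[src_mac] == in_port
            if not ok:
                self.rejected += 1
            return ok
        if src_mac in self.dynamic:
            self.dynamic.move_to_end(src_mac)    # refresh the entry's age
            self.dynamic[src_mac] = in_port
            return True
        if self.per_port_limit is not None and self._port_count(in_port) >= self.per_port_limit:
            self.rejected += 1
            return False
        if len(self.dynamic) >= self.capacity:
            self.dynamic.popitem(last=False)     # table full: the oldest entry is evicted
        self.dynamic[src_mac] = in_port
        return True

    def forward(self, dst_mac: str, in_port: int) -> List[int]:
        """Ports a unicast frame goes to: one port if known, otherwise all others (flood)."""
        port = self.static.get(dst_mac, self.dynamic.get(dst_mac))
        if port is None:
            return [p for p in self.ports if p != in_port]
        return [port]

def simulate_flood(per_port_limit: Optional[int], bogus_frames: int = 500) -> dict:
    """Constructed scenario: a server bound statically on port 1, a host learned on
    port 2, then many frames with ever-changing source MACs arriving on port 3."""
    server, host = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    table = SwitchMacTable(ports=[1, 2, 3], capacity=256,
                           per_port_limit=per_port_limit, static={server: 1})
    table.learn(host, 2)
    for i in range(bogus_frames):
        table.learn("02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), 3)
    return {
        "host_flooded": table.forward(host, 1) != [2],   # did the host's entry survive?
        "server_spoof_learned": table.learn(server, 3),  # static binding must hold
        "dynamic_entries": len(table.dynamic),
        "rejected": table.rejected,
    }

if __name__ == "__main__":
    print("no limit:", simulate_flood(None))
    print("limit 8: ", simulate_flood(8))
```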

The ARP implementation considers only normal service interaction without verifying improper service interaction or malicious behavior. For example, after receiving ARP response packets, hosts do not verify whether they have sent the corresponding ARP request, but directly replace the original ARP cache entry with the mapping between MAC and IP addresses in the response packet.

ARP spoofing: Attackers send a great number of forged ARP request and response packets to attack network devices. ARP spoofing is classified into ARP buffer overflow and ARP DoS.

ARP flood (ARP scanning): When attackers use a tool to scan hosts in the network segment of the attacker or hosts across network segments, the USG searches for the ARP entries before sending response packets. If the MAC address of the destination does not exist, the ARP module of the USG sends an ARP Miss to the upper-layer software to request that the upper-layer software send an ARP request to obtain the MAC address of the destination. A lot of scanning packets result in a great number of ARP Miss messages. As a result, USG resources are used up processing ARP Miss messages, affecting the processing of normal services.

Note: ARP spoofing can be implemented using ARP requests or replies.
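The following is an added example (not from the course material) showing, on the receiving side, the two weaknesses this passage describes and a corresponding hardening: an ARP cache that accepts any reply versus one that only accepts replies matching a request it sent and never overwrites static entries, plus a per-second cap on ARP Miss events so a sweep of unknown destinations cannot consume the resolver. The ArpCache class, addresses and limits are constructed for this illustration.

```python
from collections import deque
from typing import Dict, List, Optional

class ArpCache:
    """ARP table of a host or gateway. With validate=False any reply overwrites the
    entry (the behaviour described above); with validate=True a reply is accepted
    only if this node has an outstanding request for that IP, and static entries
    are never overwritten. resolve() caps the rate of ARP Miss events per second."""

    def __init__(self, validate: bool, static: Optional[Dict[str, str]] = None,
                 miss_limit_per_sec: int = 100):
        self.validate = validate
        self.table: Dict[str, str] = dict(static or {})   # ip -> mac
        self.static_ips = set(self.table)
        self.pending = set()                               # ips with a request in flight
        self.miss_limit = miss_limit_per_sec
        self.miss_times: deque = deque()                   # timestamps of recent misses
        self.events: List[str] = []                        # constructed audit log

    def handle_reply(self, ip: str, mac: str) -> bool:
        """Process an ARP reply; return True if the table was updated."""
        if self.validate:
            if ip in self.static_ips:
                self.events.append(f"reply for static entry {ip} from {mac} ignored")
                return False
            if ip not in self.pending:
                self.events.append(f"unsolicited reply for {ip} from {mac} dropped")
                return False
            self.pending.discard(ip)
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.events.append(f"{ip} moved from {old} to {mac}")   # worth alerting on
        self.table[ip] = mac
        return True

    def resolve(self, ip: str, now: float) -> Optional[str]:
        """Return the MAC for ip, or None after raising an ARP Miss (request sent),
        unless miss_limit misses were already raised within the last second."""
        mac = self.table.get(ip)
        if mac is not None:
            return mac
        while self.miss_times and now - self.miss_times[0] >= 1.0:
            self.miss_times.popleft()
        if len(self.miss_times) >= self.miss_limit:
            self.events.append(f"ARP Miss for {ip} suppressed by rate limit")
            return None
        self.miss_times.append(now)
        self.pending.add(ip)              # upper layer sends the ARP request
        return None

def unsolicited_reply_changes_table(validate: bool) -> bool:
    """Constructed case: a reply for the gateway IP arrives although no request was sent."""
    cache = ArpCache(validate=validate)
    cache.pending.add("10.0.0.1")
    cache.handle_reply("10.0.0.1", "aa:aa:aa:aa:aa:01")   # answer to our own request
    cache.handle_reply("10.0.0.1", "cc:cc:cc:cc:cc:03")   # unrequested, different MAC
    return cache.table["10.0.0.1"] == "cc:cc:cc:cc:cc:03"

def requests_sent_during_sweep(miss_limit: int, hosts: int = 300) -> int:
    """Constructed case: `hosts` unknown destinations are looked up within one second."""
    cache = ArpCache(validate=True, miss_limit_per_sec=miss_limit)
    for i in range(hosts):
        cache.resolve(f"10.0.{i // 256}.{i % 256}", now=1000.0 + i / 1000)
    return len(cache.pending)

if __name__ == "__main__":
    print("naive cache overwritten:", unsolicited_reply_changes_table(False))
    print("validating cache overwritten:", unsolicited_reply_changes_table(True))
    print("requests during sweep, limit 100:", requests_sent_during_sweep(100))
```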


IP spoofing is implemented based on the trust relationship between hosts. The trusted hosts can access destination hosts without authorization.

The entire IP spoofing procedure is summarized as follows:

1. Paralyze the trusted host for the moment to avoid interfering with the attack.
2. Connect to a port of the target host to guess the ISN base value and increment rule.
3. Forge the source address as the trusted host address and send a data segment that carries the SYN flag to request a connection.
4. Wait for the target host to send the SYN+ACK packet to the paralyzed host.
5. Pretend to be the trusted host to send the ACK packet to the target host. The sent data segment carries the guessed SN of the target host, namely, ISN+1.
6. Set up the connection and send a command request.


The attacker sends ICMP request packets (whose source IP addresses are the IP addresses of the victims) to broadcast IP addresses to lure all hosts on the network into returning ICMP response packets to the victims. As a result, the victims are kept busy, and the links are congested.
- ICMP Redirect Packet Attack

  If a router detects that the route on a host to a destination is not the optimal route, it sends an ICMP redirect packet to the host, requesting the host to change the route. At the same time, the router forwards the initial datagram to the destination. ICMP is not a routing protocol, but it can redirect the direction of data flows (to the correct gateway).

  In ICMP redirect packet attacks, the attacker proactively sends ICMP redirect packets to the victim host so that the victim cannot send packets to the gateway. This type of attack can be launched from both the LAN and the WAN.

  To defend against ICMP redirect packet attacks, modify the registry to disable the ICMP redirect packet processing capability.

- ICMP Unreachable Packet Attack

  After receiving an ICMP unreachable packet indicating that a network or host is unreachable, certain systems directly assume that follow-up packets to the network or the host cannot reach the destination and therefore close the connection to the host or network. Knowing this, attackers forge ICMP unreachable packets to break the connections between victims and destinations.

  To defend against ICMP unreachable packet attacks, modify the registry to disable the ICMP unreachable packet processing capability.
IP address sweeping usually serves as the prelude to other attacks. Attackers usually use an IP sweep to obtain the topology and live systems on the target network to prepare for further attacks.
Most TCP spoofing attacks occur during the establishment of TCP connections. A false TCP connection is set up using the trust relationship of a network service between hosts. The attacker may act as a victim to obtain information from the server. The process is similar to IP spoofing.

Example: A trusts B, and C is an attacker hoping to act as B to set up a connection with A.

1. C destroys B, for example, by flooding, redirection, or crashing.
2. C sends a TCP packet to A using B's address as the source address.
3. A returns a TCP SYN/ACK packet to B, carrying sequence number (SN) S.
4. C does not receive sequence number S but must use S+1 as the acknowledgement in its response to finish the three-way handshake. In this case, C can use either of the following methods to obtain sequence number S:
   - C monitors the SYN/ACK packet and figures out the SN based on the obtained value.
   - C guesses the SN according to the operating system features of A.
5. C uses the obtained sequence number S to respond to A. The handshake is complete, and a false connection is established.
 Features of SYN flood attacks:
     The attacker starts a three-way handshake using a fragment with the SYN flag.
     The attacked host replies with a SYN-ACK packet.
     The attacker does not respond.
     The attacked host continues to send SYN-ACK packets because it does not receive any ACK packets from the peer. However, the attacked host supports only a limited number of half-open TCP connections. When the number exceeds the specified value, new connections fail to be established.
 To resolve this problem, close half-open connections.
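The remedy named above, limiting the number of half-open connections and closing stale ones, can be shown in a small model of the attacked host's SYN-RECEIVED table. This is an added example, not code from the training material; the cap, the timeout and the packet sequence are constructed for the demonstration.

```python
"""Half-open TCP connection table with a cap and ageing (added example)."""
from collections import OrderedDict

MAX_HALF_OPEN = 3      # assumed cap; a real device exposes this as a configured parameter
HALF_OPEN_TIMEOUT = 5  # assumed seconds a SYN-RECEIVED entry may wait for the ACK


class HalfOpenTable:
    """Tracks connections that received a SYN and were answered with SYN-ACK but got no ACK."""

    def __init__(self, max_half_open=MAX_HALF_OPEN, timeout=HALF_OPEN_TIMEOUT):
        self.max_half_open = max_half_open
        self.timeout = timeout
        # insertion-ordered so the oldest half-open entry is always first
        self.pending = OrderedDict()   # (src_ip, src_port) -> arrival time
        self.dropped_syn = 0
        self.closed_stale = 0

    def expire(self, now):
        """Close half-open entries older than the timeout (the slide's remedy)."""
        while self.pending:
            _, arrived = next(iter(self.pending.items()))
            if now - arrived < self.timeout:
                break
            self.pending.popitem(last=False)
            self.closed_stale += 1

    def on_syn(self, src_ip, src_port, now):
        """Return True if the host may reply SYN-ACK, False if the cap is reached."""
        self.expire(now)
        if len(self.pending) >= self.max_half_open:
            self.dropped_syn += 1
            return False
        self.pending[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip, src_port):
        """Third handshake packet: the entry leaves the half-open table."""
        return self.pending.pop((src_ip, src_port), None) is not None


def run_scenario():
    """Constructed trace: a flood of SYNs that are never acknowledged, then a
    legitimate client that is refused while the table is full and succeeds once
    the stale entries have aged out."""
    table = HalfOpenTable()
    events = [                                   # (kind, src_ip, src_port, time)
        ("SYN", "203.0.113.7", 40001, 0.0),
        ("SYN", "203.0.113.7", 40002, 0.1),
        ("SYN", "203.0.113.7", 40003, 0.2),
        ("SYN", "198.51.100.9", 51000, 0.3),     # legitimate, refused: table full
        ("SYN", "198.51.100.9", 51000, 6.0),     # retry after the flood entries aged out
        ("ACK", "198.51.100.9", 51000, 6.1),
    ]
    results = []
    for kind, ip, port, t in events:
        if kind == "SYN":
            results.append(table.on_syn(ip, port, t))
        else:
            results.append(table.on_ack(ip, port))
    return results, table
```

The point to take from the trace is that the cap alone only protects the host's memory; it is the ageing of half-open entries that lets legitimate clients back in once the flood entries expire.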
 UDP is connectionless. Therefore, stateful inspection cannot be enabled for it. You can enable proactive learning of UDP packets, collect statistics on them, and analyze the rules and features of the UDP packets that hosts send. If a host sends a large number of the same or similar UDP packets, or UDP packets that follow specific rules, the host is considered an attacker.
 You can set a limit for the rate of UDP packets, so that packets exceeding the threshold are discarded.
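The two controls described for UDP, a per-source rate limit and a check for repeated identical datagrams, fit in one small class. This is an added example, not code from the training material; the token-bucket parameters, the repetition threshold and the datagram trace are constructed.

```python
"""Per-source UDP rate limiting and repeated-payload detection (added example)."""
import hashlib
from collections import defaultdict


class UdpRateLimiter:
    """Per-source token bucket plus a count of identical payloads per source."""

    def __init__(self, rate_pps, burst, repeat_threshold):
        self.rate = float(rate_pps)            # tokens added per second
        self.burst = float(burst)              # bucket capacity
        self.repeat_threshold = repeat_threshold
        self.buckets = {}                      # src_ip -> (tokens, last_update)
        self.payload_counts = defaultdict(lambda: defaultdict(int))
        self.flagged = set()                   # sources sending too many identical datagrams

    def _take_token(self, src_ip, now):
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src_ip] = (tokens - 1.0, now)
            return True
        self.buckets[src_ip] = (tokens, now)
        return False

    def handle(self, src_ip, payload, now):
        """Return 'forward' or 'drop' for one datagram; also learns repetition."""
        digest = hashlib.sha256(payload).hexdigest()
        self.payload_counts[src_ip][digest] += 1
        if self.payload_counts[src_ip][digest] > self.repeat_threshold:
            self.flagged.add(src_ip)
        return "forward" if self._take_token(src_ip, now) else "drop"


def run_scenario():
    """Constructed trace: one host repeats the same 64-byte datagram, another
    sends two distinct queries at a modest rate. Times are whole seconds."""
    limiter = UdpRateLimiter(rate_pps=1, burst=2, repeat_threshold=4)
    flood = b"\x00" * 64
    events = [("203.0.113.9", flood, 0)] * 4 + [("203.0.113.9", flood, 1)] * 2
    events += [("198.51.100.4", b"query-a", 0), ("198.51.100.4", b"query-b", 1)]
    decisions = [limiter.handle(ip, payload, t) for ip, payload, t in events]
    return decisions, sorted(limiter.flagged)
```

The rate limit acts immediately, while the repeated-payload count is the learning step the slide mentions: it marks the source as an attacker only after the same datagram has been seen more often than the threshold allows.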
 After the parameters of port scanning attack defense are set, the firewall inspects the incoming TCP, UDP, and ICMP packets. In addition, the firewall checks whether the destination port of a packet and the destination port of the previous packet from the same source address are the same. If the destination ports are different, the number of anomalies increases by one. When the number of anomalies exceeds the specified threshold, the packets from the source IP address are regarded as port scanning attack packets, and this source IP address is blacklisted.
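The detection rule just described is simple enough to run over a handful of log lines. This is an added example, not the USG's implementation; the threshold, the key=value log format and the addresses are constructed for the demonstration.

```python
"""Port scan detection by destination-port change count (added example)."""
from collections import defaultdict

THRESHOLD = 3  # assumed anomaly threshold; on a real device this is an administrator setting

# Constructed log lines in a simple key=value form (not USG log format).
SAMPLE_LOG = """\
2024-01-01T10:00:00 proto=tcp src=203.0.113.5 dst=10.0.0.10 dport=22
2024-01-01T10:00:00 proto=tcp src=203.0.113.5 dst=10.0.0.10 dport=23
2024-01-01T10:00:01 proto=tcp src=203.0.113.5 dst=10.0.0.10 dport=25
2024-01-01T10:00:01 proto=udp src=203.0.113.5 dst=10.0.0.10 dport=53
2024-01-01T10:00:02 proto=tcp src=203.0.113.5 dst=10.0.0.10 dport=80
2024-01-01T10:00:02 proto=tcp src=198.51.100.8 dst=10.0.0.10 dport=443
2024-01-01T10:00:03 proto=tcp src=198.51.100.8 dst=10.0.0.10 dport=443
2024-01-01T10:00:03 proto=tcp src=198.51.100.8 dst=10.0.0.10 dport=443
"""


def parse(line):
    """Turn one log line into a dict; ICMP lines carry no port, so 0 is used."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    fields["dport"] = int(fields.get("dport", 0))
    return fields


class PortScanDetector:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.last_port = {}                  # src -> destination port of its previous packet
        self.anomalies = defaultdict(int)    # src -> number of destination-port changes
        self.blacklist = set()

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one packet, updating per-source state."""
        if pkt["proto"] not in ("tcp", "udp", "icmp"):
            return "forward"
        src = pkt["src"]
        if src in self.blacklist:
            return "drop"
        prev = self.last_port.get(src)
        if prev is not None and prev != pkt["dport"]:
            self.anomalies[src] += 1          # port differs from the previous packet
        self.last_port[src] = pkt["dport"]
        if self.anomalies[src] > self.threshold:
            self.blacklist.add(src)           # slide: source is blacklisted above the threshold
            return "drop"
        return "forward"


def run_detection(log_text=SAMPLE_LOG, threshold=THRESHOLD):
    detector = PortScanDetector(threshold)
    decisions = [detector.inspect(parse(line))
                 for line in log_text.splitlines() if line.strip()]
    return decisions, detector
```

Note that the counter compares only with the immediately preceding packet from the same source, exactly as the slide states, so a host that repeatedly hits one service port never accumulates anomalies.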
 A buffer is a place to store data in memory. When a program attempts to put data into a certain space in memory, a buffer overflow occurs when there is not enough space. When the attacker writes a character string whose length exceeds the buffer space and implants that string into the buffer, there are two possible results: one is that the long string overwrites the adjacent memory cells, causing the program to fail or even the system to crash; the other is that the attacker can take advantage of this vulnerability to execute arbitrary commands, or even obtain system root privileges.
 A typical Web application consists of three layers:
     Client - browser/JavaScript/Applet
     Presentation layer - HTTP Server + Server Side script
     Service logic and data storage layer - implementation of service logic and database
 The biggest feature of passive attacks is that the attacker monitors the information to be stolen in order to get confidential information. Data owners or legitimate users cannot know about such passive attacks. Therefore, focus on attack prevention instead of detection.
 In general, encryption technology is used to protect information confidentiality.
 Active attacks refer to forging or falsifying packet headers or data payloads in service data streams to imitate legitimate users to access service resources without authorization or to destroy service resources. To defend against active attacks, analyze and detect data streams to put forward technical measures, such as data source authentication, integrity check, and anti-DoS technology, to ensure proper service running.
 Man-in-the-middle attacks are a type of indirect attack. This type of attack has the features of passive and active attacks, depending on the attack manner (such as stealing or falsifying information).
     Stealing information: When host A exchanges data with host B, the attacker's host intercepts the information for backup and forwards the data (or only monitors without forwarding). In this case, the attacker's host can easily get confidential information on hosts A and B, and hosts A and B do not know it at all.
     Falsifying information: The attacker's host acts as the data exchange intermediary between hosts A and B. To hosts A and B, they directly communicate with each other. In fact, there is a transit host between them, the attacker's host. Generally, the attacker inserts information into the data streams between hosts A and B or modifies corresponding information to initiate an attack.
 Attackers may use various technologies to intercept information, such as DNS spoofing and network stream monitoring.
 ARP does not perform any verification against abnormal data exchanges or malicious behaviors. For example, when a host receives an ARP reply, the host updates its ARP cache with the MAC-IP mapping in the ARP reply without verifying whether the reply is in response to an ARP request it sent.
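The missing check described above can be seen by placing the unverified cache update beside a cache that accepts a reply only while a request for that IP is outstanding. This is an added example, not code from the training material; the addresses and frames are constructed.

```python
"""ARP cache update without and with request verification (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


class NaiveArpCache:
    """Behaviour the slide describes: any reply overwrites the IP-to-MAC mapping."""

    def __init__(self):
        self.table = {}

    def on_reply(self, reply):
        self.table[reply.sender_ip] = reply.sender_mac
        return True


class StrictArpCache:
    """Accepts a reply only while a request for that IP is outstanding; an
    unsolicited reply that would change a binding is rejected and logged."""

    def __init__(self):
        self.table = {}
        self.pending = set()   # IPs this host has asked about and not yet resolved
        self.alerts = []

    def send_request(self, ip):
        self.pending.add(ip)

    def on_reply(self, reply):
        if reply.sender_ip not in self.pending:
            old = self.table.get(reply.sender_ip)
            if old is not None and old != reply.sender_mac:
                self.alerts.append(
                    f"unsolicited ARP reply for {reply.sender_ip}: {old} -> {reply.sender_mac}")
            return False
        self.pending.discard(reply.sender_ip)
        self.table[reply.sender_ip] = reply.sender_mac
        return True


def run_scenario():
    """Constructed frames: the real gateway answers a request, then a second
    reply for the same IP arrives that nobody asked for."""
    gateway = "192.0.2.1"
    real = ArpReply(gateway, "00:11:22:33:44:55")
    unsolicited = ArpReply(gateway, "66:77:88:99:aa:bb")

    naive = NaiveArpCache()
    naive.on_reply(real)
    naive.on_reply(unsolicited)

    strict = StrictArpCache()
    strict.send_request(gateway)
    strict.on_reply(real)
    accepted = strict.on_reply(unsolicited)

    return {
        "naive": naive.table[gateway],
        "strict": strict.table[gateway],
        "unsolicited_accepted": accepted,
        "alerts": len(strict.alerts),
    }
```

The strict variant is what the "request it sent" check in the text amounts to; the alert it raises on a conflicting unsolicited reply is also the signal a monitoring tool would look for.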
 The process of an IP spoofing attack is as follows:
    1. Crash the network where a trusted host resides to launch the attack without resistance;
    2. Connect to a port of the target host to guess the sequence number and the sequence increment value;
    3. Send a data segment with the SYN flag set and the source address being the address of the trusted host to initiate a connection;
    4. Wait for the target host to send a SYN-ACK packet to the compromised host;
    5. Send the target host an ACK packet, with the source address being the address of the trusted host and the sequence number being the sequence number expected by the target host plus 1;
    6. After the connection is established, send commands and requests to the target host.
 Transmission Control Protocol (TCP): Provides reliable and connection-oriented communication services to applications that require responses. Currently, many popular applications use TCP.
 User Datagram Protocol (UDP): Provides connectionless communication services and does not guarantee the reliability of packet transmission. UDP is suitable for exchanging a small amount of data, and reliability can be provided at the application layer.
 The establishment of a TCP connection requires a three-way handshake to determine the initial sequence numbers of both communication parties. The three-way handshake is as follows:
    1. At the beginning, the connection initiator (the client) sends a SYN packet containing its initial sequence number a;
    2. Upon receiving the SYN packet, the receiver (the server) replies with a SYN-ACK. The ACK flag acknowledges the receipt of the SYN packet from the client, and the value of the ACK field is a + 1, which is the sequence number of the next packet the server expects from the client. The SYN field is set to b, the initial sequence number of the server.
    3. After receiving the SYN-ACK packet, the client replies with an ACK packet, containing the sequence number (b + 1) of the next packet it expects from the server.
 The TCP connection termination process is a four-way handshake:
    1. The end that wants to close the connection sends a FIN packet (this end performs the active close and the other end that receives this FIN packet performs the passive close).
    2. When the server receives the FIN packet, it sends back an ACK packet of the received sequence number plus one. A FIN packet consumes a sequence number, just like a SYN packet.
    3. At this point, the server's TCP also delivers an end-of-file to the application (the discard server). The server then closes its connection, causing its TCP to send a FIN.
    4. The client TCP must acknowledge by sending an ACK packet of the received sequence number plus one.
 Firewall technology is a specific embodiment of security technology. A firewall literally refers to a wall between two houses that prevents the spread of fire in case of fire. The firewall described in this document refers to the hardware firewall, an integration of various types of security technologies using a dedicated hardware structure, a high-speed CPU, and an embedded operating system. It supports a variety of high-speed interfaces (LAN interfaces) and is used to protect private network (host) security. Such a device is called a hardware firewall. Hardware firewalls can be independent of operating systems (such as HP-UNIX, SUN OS, AIX, and NT) and hosts (IBM6000 and ordinary PCs).
 The firewall is used to address network security issues and works as a highly efficient "filter". In addition, it can provide access control, authentication, data encryption, VPN technology, address translation, and other security functions, so users can configure their own security policies according to their network environment to prevent unauthorized access and ensure network security.
 A modern firewall system should not be just an "entry protective screen", but an access control point for many networks, forcing all incoming and outgoing data flows to go through the firewall first. The firewall, serving as a gateway, protects not only the internal network security in the Internet environment, but also the internal network security of many hosts.
 In each of the networks separated by a firewall, all hosts are considered "trusted", and the communication between the hosts is free from firewall interference. The networks separated by the firewall must access each other in accordance with the provisions of the firewall "policy".
 Early firewalls were only software deployed on a single device, and the control mode could only be based on packets. With the development of technologies and the Internet environment, firewalls have also developed into more types. For example, firewalls include hardware firewalls and software firewalls by form, standalone firewalls and network firewalls by protected target, and packet filtering firewalls, proxy firewalls, and stateful inspection firewalls by access control method.
 The mainstream firewall classification method is based on access control methods.
 Network firewalls can protect the entire network in a distributed mode. The features of network firewalls are as follows:
    1. Centralized security policies
    2. Complex and diversified security functions
    3. Professional maintenance by administrators
    4. Low security risks
    5. Complicated policy configuration
 This document mainly describes firewall classification by access control method.
 Packet filtering means checking every data packet at the network layer and forwarding or dropping the packets according to the configured security policy. The basic principle of packet filtering firewalls is to carry out packet filtering by configuring Access Control Lists (ACLs) based mainly on the source or destination IP address, source or destination port, IP identifier, and packet forwarding direction in the data packet.
 Packet filtering firewalls have a simple design, so they are cheap and easy to deploy. However, packet filtering firewalls have the following defects:
    1. If ACLs become longer and more complex, the filtering capability declines.
    2. Static ACL rules can hardly meet dynamic security requirements.
    3. Packet filtering neither checks session status nor analyzes data, which gives hackers a chance. For example, packets from attackers can pass the firewall if they set their IP addresses to legitimate IP addresses.
 Note: Multichannel protocols, such as FTP, generate dynamic data channel ports based on the FTP control channel, and later data interaction is mainly carried out in the data channel.
 A proxy firewall works at the application layer and takes over the direct user services between the extranet and the intranet. The proxy firewall checks user requests. After the user passes the security check, the proxy firewall establishes a connection with the real server on behalf of the user, forwards the user request to the server, and sends the response from the server back to the external user.
 Proxy firewalls have high security control capabilities. They can completely control network information exchange and the session process. However, they have the following defects:
    1. The software limits the processing speed, making them prone to Denial of Service (DoS) attacks.
    2. Application-layer proxies must be developed for each protocol, the development cycle is long, and they are difficult to upgrade.
 Stateful inspection is an extension of packet filtering technology. Connection-status-based packet filtering does not treat each data packet as an independent unit but takes into account the historical relations between previous and follow-up packets. As we know, the establishment of all reliable connections (TCP connections) needs to go through the "three-way handshake" process, namely "client synchronization request", "server response", and "client response", which means each data packet is not independent, but closely connected with the others. The stateful inspection technology is developed on this basis.
 Basic principles:
    1. Stateful inspection firewalls use all kinds of session tables to track the activated TCP sessions and UDP false sessions; the access control list (ACL) decides which sessions should be established, and data packets are forwarded only when they match a session entry. UDP false sessions are virtual connections (UDP is a connectionless protocol) for stateful inspection, and they are established for the UDP data flow when the UDP packets are processed.
    2. Stateful inspection firewalls intercept data packets, acquire the status information required by the security policy from the application layer, and save the information to the session table. Then the firewalls determine whether to allow follow-up packets based on the session table.
 Stateful inspection firewalls have the following advantages:
    1. Excellent processing of follow-up data packets: When the stateful inspection firewall performs ACL checks, it records the data flow connection status, so the follow-up packets in this data flow do not need ACL checks again and the firewall forwards the data flows based on the session table. After passing the check, the connection record is updated to avoid checks on data packets with the same connection state. Session entries do not have a fixed order, which is different from ACLs, which are arranged in a fixed order. Therefore, stateful inspection firewalls can use binary trees or hashing for rapid search to improve system transmission efficiency.
    2. High security: The connection status list is dynamic. The entrance for temporary response packets closes right away after a session is completed to protect intranet security. Stateful inspection firewalls use real-time connection status monitoring technology to identify connection status information, thus strengthening security control.
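The difference between the packet filtering defects listed earlier and the session-table behaviour described here shows up when both firewalls process the same TCP exchange: the three-way handshake, one stray packet that matches the ACL but belongs to no session, and the four-way close. This is an added example, not Huawei USG code; the ACL, the addresses and the packet trace are constructed for the demonstration.

```python
"""Packet filtering beside stateful inspection on a TCP exchange (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN"}


# Constructed ACL, first match wins, default deny. Rule 2 is the return-path
# rule a stateless packet filter needs, and it is also what lets a packet with a
# forged server address through (defect 3 on the packet filtering slide).
ACL = [
    {"src": "10.0.0.0/24", "dst": "203.0.113.10/32", "dport": 80, "action": "permit"},
    {"src": "203.0.113.10/32", "sport": 80, "dst": "10.0.0.0/24", "action": "permit"},
]


def acl_match(pkt):
    for rule in ACL:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src"]):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["dst"]):
            continue
        if "dport" in rule and rule["dport"] != pkt.dport:
            continue
        if "sport" in rule and rule["sport"] != pkt.sport:
            continue
        return rule["action"]
    return "deny"


class PacketFilter:
    """Each packet is judged on its own against the ACL; no session state."""

    def handle(self, pkt):
        return "forward" if acl_match(pkt) == "permit" else "drop"


class StatefulFirewall:
    """A session is created only by a permitted SYN; later packets must match a
    session entry in either direction; the four-way close removes the entry."""

    def __init__(self):
        self.sessions = {}   # initiator 4-tuple -> {"state": ..., "fins": n}

    def handle(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions:
            sess, key, direction = self.sessions[fwd], fwd, "forward"
        elif rev in self.sessions:
            sess, key, direction = self.sessions[rev], rev, "reply"
        else:
            # Only the first handshake packet may open a session, and only if the ACL permits it.
            if pkt.flags == frozenset({"SYN"}) and acl_match(pkt) == "permit":
                self.sessions[fwd] = {"state": "SYN_SENT", "fins": 0}
                return "forward"
            return "drop"
        # three-way handshake bookkeeping
        if sess["state"] == "SYN_SENT" and direction == "reply" and pkt.flags == frozenset({"SYN", "ACK"}):
            sess["state"] = "SYN_RECEIVED"
        elif sess["state"] == "SYN_RECEIVED" and direction == "forward" and "ACK" in pkt.flags:
            sess["state"] = "ESTABLISHED"
        # four-way termination: after both FINs, the final ACK closes the entry
        if "FIN" in pkt.flags:
            sess["fins"] += 1
        elif sess["fins"] == 2 and "ACK" in pkt.flags:
            del self.sessions[key]
        return "forward"


SYN, SYNACK, ACK, FIN = (frozenset(f) for f in ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}))

# Constructed trace: a full client/server exchange plus one stray ACK that
# matches the return-path ACL rule but belongs to no session.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, SYN),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, SYNACK),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, ACK),
    Packet("203.0.113.10", 80, "10.0.0.7", 5555, ACK),     # no session: spoofed or unsolicited
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, FIN),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, ACK),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, FIN),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, ACK),
]


def run_trace(trace=TRACE):
    """Return the decisions of both firewalls and the sessions left afterwards."""
    pf, sf = PacketFilter(), StatefulFirewall()
    return ([pf.handle(p) for p in trace],
            [sf.handle(p) for p in trace],
            len(sf.sessions))
```

The packet filter forwards all eight packets, including the stray ACK, because the ACL alone cannot tell a reply from a forgery; the stateful firewall forwards the handshake and teardown from the session entry and drops the packet that matches no session, then removes the entry after the final ACK, which is the "entrance closes right away" property described above.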
 Firewall hardware platforms can be classified into the universal CPU architecture, Application Specific Integrated Circuit (ASIC) architecture, Network Processor (NP) architecture, and multi-core processor architecture. Here we will introduce them one by one.
 Universal CPU architecture
     The universal CPU architecture is based on the X86 platform, using a host CPU to process services. The card chip and the CPU use the PCI bus for data transmission. The traditional 32-bit PCI bus frequency is 33 MHz, so the data transfer rate between the card chip and the CPU can theoretically reach 1056 Mbit/s, theoretically meeting the needs of a Gigabit firewall. But the X86 platform uses a shared bus, so if two cards simultaneously transmit data, the average rate of each card can only be 528 Mbit/s. And so on: the larger the number of cards, the lower the rate. As long as there is more than one card, the rate is lower than 1000 Mbit/s. In addition, in the X86 platform architecture, the thread scheduling mechanism is implemented using interrupts, so when there are a large number of small data packets on the network, the same traffic will cause more interrupts, and then the firewall throughput is only about 20% and the CPU usage is very high. This architecture based on the X86 platform cannot meet the needs of Gigabit firewalls and is only suitable as the hardware platform for 100M firewalls.
     With the development of hardware technologies, Intel later presented a new solution for the PCI bus: PCI-E, or PCI-Express. The main advantage of PCI-E is that the data transfer rate is high, more than 10 Gbit/s currently. After using the PCI-E technology, the data transmission rate of the X86 platform can meet the requirements of Gigabit firewalls, but the interrupt mechanism still has an impact on the integrated device processing rate, so the X86 technology still has room for improvement even with the use of PCI-E.
 ASIC architecture
     ASIC architecture-based firewalls improve the interrupt mechanism at the architecture level. ASIC designs specialized ASIC chips to accelerate data processing and to solidify instructions and algorithms directly into the chip. Data received from the card is not processed by the main CPU. Instead, the data is processed and forwarded directly by the ASIC chip integrated on the card. Therefore, not all data is required to be processed by the main CPU, and chip processing does not use the interrupt mechanism, which can significantly improve the processing performance of the firewall. However, ASIC also has its own shortcomings, as its flexibility and scalability are very poor. The ASIC architecture uses chips after all, but chip development is very difficult, so the services that can be processed are also very limited. On complex networks, the ASIC architecture is clearly inadequate.
 NP architecture
     The NP architecture is a compromise solution between the CPU and ASIC architectures. It uses a network processor on each network adapter. Network processors are designed specifically for network devices to process network traffic. Compared with the X86 architecture, the NP architecture has obvious advantages. However, network processor microcode programming is inflexible, and function extension is limited. Compared with the ASIC architecture, the NP architecture processing flow depends on software to some extent, so its forwarding performance is slightly weaker than that of the ASIC architecture.
 Multi-core architecture
     As mentioned above, the universal CPU architecture, NP architecture, and ASIC architecture have their own advantages and disadvantages. The advent of the multi-core architecture greatly mitigates these conflicts. Each core of the multi-core architecture is a universal CPU. Compared with the multi-CPU solution, this architecture provides higher integration and more efficient inter-core communication and management, with a small number of cores for management and a large number of cores for service processing. Some CPUs use coprocessors to implement encryption and decryption. Since C programming can be used, function extension is not limited, and the platform is capable of VPN encryption and decryption, firewall functions, and UTM without impacting performance.
     As a new hardware platform, the multi-core architecture has high requirements on software development. Therefore, how to implement and make use of its advantages is a great challenge in developing products based on the multi-core hardware platform. Huawei integrates multiple technological advantages for such multi-core hardware platform-based firewalls and makes full use of multi-core technologies, such as the multi-core operating system SOS (Security Operation System). Multi-core processors have powerful concurrent processing capability and I/O capability as well as data packet scheduling capability with hardware assistance. However, the efficiency of a universal operating system decreases fast when the number of CPU cores increases. The SOS, efficient, stable, and secure, is suitable for high-performance forwarding and security services. It supports highly efficient packet scheduling and concurrent processing to maximize multi-core CPU usage.
 In transparent mode, the firewall is responsible for packet forwarding, but not routing. The two networks connected to the firewall must be on the same subnet. The upstream and downstream interfaces of the firewall both work at Layer 2 and do not have IP addresses.
 Firewalls in this networking mode can avoid the trouble of topology modification. You can deploy the firewall just like deploying a bridge without modifying any existing configuration. IP packets will still go through the relevant filtering checks, and internal network users are still protected by the firewall.
 In routing mode, the firewall can support more security features, such as NAT and UTM. However, if adopting the routing mode, the network administrator may need to modify the network topology; for example, intranet users need to modify the gateway, or the routing configurations on routers need to change. Therefore, the designer needs to consider network transformation, service interruption, and other factors comprehensively.
 In routing mode, the firewall is deployed between the intranet and the Internet. The upstream and downstream interfaces on the firewall work at Layer 3 and have IP addresses on different subnets. The firewall is responsible for routing for intranet-Internet communication, like a router.
 Functions of security zones
     Security policies are implemented on the basis of security zones.
     Data exchanged within a security zone is secure and does not require any security policy.
     Data exchange between zones triggers security checks, and related security policies are implemented.
     On a firewall, all network devices on the network connected to the same interface reside in the same security zone, and one security zone can include the networks connected to multiple interfaces.
 A firewall supports multiple security zones. It supports four predefined security zones, namely the Untrust zone, DMZ, Trust zone, and Local zone, and also supports user-defined security zones.
 The four default security zones are described as follows:
     Untrust zone: a security zone with a low security level (level 5)
     DMZ: a security zone with a medium security level (level 50)
     Trust zone: a security zone with a high security level (level 85)
     Local zone: a security zone with the highest security level (level 100)
 The four security zones do not need to be created and cannot be deleted, and their security levels cannot be reset. The security level is specified from 1 (the lowest) to 100 (the highest).
 Note that the operation of adding an interface to a security zone in fact means adding the network connected to the interface into the security zone; the interface itself still belongs to the Local security zone, which is reserved by the system to represent the device itself.
 The USGs support a maximum of 32 security zones.
 Firewall zones are classified on the basis of interfaces. That is, all network devices connected to the same interface belong to the same security zone, while one security zone can include multiple networks connected to multiple interfaces. Here the interfaces can be physical interfaces or logical interfaces. Therefore, users on different subnets connected through the same physical interface can belong to different security zones by using subinterfaces, Vlanif interfaces, or other logical interfaces.
 Question: If different interfaces belong to one security zone, is the interzone packet-filtering policy still effective?
 Data flows between two security zones (referred to as interzone) are in two directions:
     Inbound: data transfer from a low security level zone to a high security level zone
     Outbound: data transfer from a high security level zone to a low security level zone
 High priority and low priority are relative.
 Data transmission between security zones of different security levels triggers USG security policy checks. Different security policies can be specified in advance for different directions in the same interzone. When data flows in the two different directions within the interzone, different security policy checks are triggered.
 The firewalls provide the following functions:
     Routing
         IPv4 routes and IPv6 routes
         Static routes
         Dynamic routes, including RIP, OSPF, BGP, and ISIS routes
         Routing policies and routing iteration
     Unified management
         SNMP
         Web-based management
         NTP
     Ethernet
         Provides Layer-2 and Layer-3 Ethernet interfaces and switchover between
         Eth-Trunk and VLAN
     Security
         UTM
     Access technologies
 Access Control: The firewall enables a set of policies and mechanisms. It identifies packet headers to allow legitimate data to reach specific resources and to block malicious or casual access.
 The implementation process of access control is as follows:
    1. The firewall obtains packet header information from the packets to be forwarded. The information includes the upper-layer protocol, source IP address, destination IP address, source port, and destination port.
    2. The firewall compares the header information with the specified access control policies.
    3. The firewall allows or blocks the packet based on the action specified in the matched access control policy.
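The three access control steps above operate on the security zone model from the earlier slides (zone levels, the interface-to-zone assignment, and the inbound/outbound direction of an interzone flow), so one example serves both passages. This is an added example, not USG code: the zone names and levels are those listed on the slides, while the interface assignment, the addresses and the policies are constructed.

```python
"""Security zones, interzone direction and policy matching (added example)."""
import ipaddress

# Predefined zones and their levels as listed on the slides.
ZONE_LEVEL = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
MAX_ZONES = 32
DEFAULT_ACTION = "deny"

# Constructed interface-to-zone assignment (assumption): adding an interface to a
# zone places the network behind it in that zone; GE0/0/1 and GE0/0/2 share "trust".
INTERFACE_ZONE = {"GE0/0/1": "trust", "GE0/0/2": "trust",
                  "GE0/0/3": "dmz", "GE0/0/4": "untrust"}

# Constructed interzone policies; first match wins within an interzone.
POLICIES = [
    {"from": "untrust", "to": "dmz", "proto": "tcp",
     "dst": "192.0.2.0/24", "dport": 80, "action": "permit"},
    {"from": "trust", "to": "untrust", "proto": "any", "action": "permit"},
]


def add_zone(zones, name, level):
    """Create a user-defined zone. Existing zones cannot be recreated or relevelled,
    levels run 1..100, and at most 32 zones are supported (limits from the slides)."""
    if name in zones:
        raise ValueError(f"zone {name} already exists; its level cannot be reset")
    if not 1 <= level <= 100:
        raise ValueError("security level must be between 1 and 100")
    if len(zones) >= MAX_ZONES:
        raise ValueError(f"at most {MAX_ZONES} security zones are supported")
    zones[name] = level


def classify(in_if, out_if):
    """Zone pair and direction of a flow: intrazone, or inbound (low -> high level)
    or outbound (high -> low level)."""
    zin, zout = INTERFACE_ZONE[in_if], INTERFACE_ZONE[out_if]
    if zin == zout:
        return zin, zout, "intrazone"
    direction = "inbound" if ZONE_LEVEL[zin] < ZONE_LEVEL[zout] else "outbound"
    return zin, zout, direction


def policy_match(header, zin, zout):
    """Step 2 of the slide: compare the header fields with the interzone policies."""
    for rule in POLICIES:
        if rule["from"] != zin or rule["to"] != zout:
            continue
        if rule["proto"] != "any" and rule["proto"] != header["proto"]:
            continue
        if "dst" in rule and ipaddress.ip_address(header["dst"]) not in ipaddress.ip_network(rule["dst"]):
            continue
        if "dport" in rule and rule["dport"] != header["dport"]:
            continue
        return rule["action"]
    return DEFAULT_ACTION


def decide(header, in_if, out_if):
    """Steps 1-3 of the slide for one packet whose header 5-tuple is already
    extracted. Intrazone traffic is not policy-checked, as the zone slide states."""
    zin, zout, direction = classify(in_if, out_if)
    if direction == "intrazone":
        return "permit", "intrazone"
    return policy_match(header, zin, zout), direction
```

The header dict carries the five fields the slide lists (proto, src, dst, sport, dport). Traffic between GE0/0/1 and GE0/0/2 is intrazone and bypasses the policy table, while the same policies give different answers for the two directions of the untrust-dmz interzone.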
 The USG uses the Service Awareness (SA) technology to perform in-depth inspection on packets, identify application-layer protocols, and control the traffic of specific types. The USG analyzes packets, compares them with the signatures in the knowledge base, identifies online gaming, stock trading, P2P, IM, and VoIP traffic, and takes actions to control the traffic according to the application type and associated policies.
     Supports knowledge base query. The knowledge base covers a wide variety of protocol signatures.
     Supports online and local update of the knowledge base.
     Supports time-based control policies to block some applications such as MSN during working hours but allow them during off hours.
     Supports control over online gaming, stock trading, P2P, IM, and VoIP traffic.
     Supports user-defined rules to permit or block traffic (such as online gaming, stock trading, or P2P traffic) as needed.
 Identification based on application-layer gateways
     As we know, there is a kind of service with separated control flows and service flows, and its service flow has no distinguishing characteristics. Identification based on the application layer gateway is designed for this kind of service. First, the application layer gateway identifies the control flow and selects the specified application layer protocol according to the control flow protocol to analyze the control flow and then identify the service flow. For example, SIP and H.323 obtain their data channels through negotiation by signaling interaction; generally the result is an encapsulated voice flow in RTP format.
 Identification based on behavior patterns
     The behavior pattern identification technology is usually used for services that cannot be decided by the protocol itself. From the email content, a spam service flow and a common email flow look the same, so only further analysis can identify spam. Specifically, a behavior identification model can be established based on the email sending rate, the number of email addresses, and the change frequency to sort out spam.
 The Security Access Control Gateway (SACG) controls terminal network access permissions. Users with different security situations have different permissions. The control server (SC) authenticates the terminal and informs the SACG of the results, and the SACG then decides the access permission according to UCL policies to prevent external users and insecure intranet hosts from accessing intranet resources.
 Based on the SACG, the intranet is divided into three logical domains:
     Access domain: It consists of a group of clients on which the TSM Agent is installed, forming a local network connected using Layer-2 or Layer-3 switches.
     Pre-authentication domain: It is a logical domain, and its ACL configuration is carried out on the SACG to ensure that users are allowed to access only the network or hosts specified by the ACLs before they are authenticated. The pre-authentication domain of the terminal security management system includes the management server (SM), SC, AD domain management server, antivirus server, and patch server.
     Post-authentication domain: It is a logical domain corresponding to the pre-authentication domain. The configurations are completed on the SACG. When a user gains service authorization, the user can access the service resources in the post-authentication domain. Such resources include the OA server, ERP server, and financial server.
Typically, each intranet host has a default route with the next hop as the interface IP

:h
address of the egress router. All interactive packets between internal and external

s
users go through the router. If the router fails, the communication between the
e
r c
external network and all hosts with the router as the default next hop will be

u
interrupted. As a result, communication reliability cannot be guaranteed.
o

es
Virtual Router Redundancy Protocol (VRRP) is developed to resolve this problem. VRRP
R
organizes a group of routers on LANs into a virtual router, which is called a VRRP

n g
group. Among them, only one device is active. All the rest devices are in backup state

ni
and are prepared to take over services according to priorities. If the active router in
r
a
the VRRP group fails, another standby router in the VRRP group will be selected
e
e L according to the priority to act as the new active router, which continues providing

or
network routing services. Therefore, VRRP enables intranet hosts to communicate
with external networks without being interrupted.
M  To centrally manage multiple VRRP groups, Huawei proposes the VRRP Group
Management Protocol(VGMP), which is responsible for unified management of all
VRRP groups. The VGMP mechanism can implement status consistency management,
preemption management, and channel management of multiple VRRP groups to
ensure that all interfaces on the same firewall are in active or standby state at the
same time.
 In addition, to make the standby device take over services smoothly when the active
device fails, configuration commands and session information must to be
synchronized. For this, Huawei introduced the Huawei Redundancy Protocol (HRP).
After HRP is enabled, active and standby devices will synchronize configuration
commands and information in real time. So that the standby device can take over
service if the active device fails.
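The three mechanisms above (VRRP election by priority, VGMP deciding for all groups on one device at once, and HRP session synchronization) can be seen working together in the following toy model. It is an added illustration, not Huawei's implementation or code from these slides: the class names, the assumed VGMP priority penalty of 2 per failed link, the constructed session entry and the interface name GE0/0/1 are all assumptions made for the example.

```python
"""Toy model of VRRP failover under VGMP with HRP session synchronisation.

Added illustration, not Huawei's implementation: the class names, the
priority penalty per failed link and the constructed session are assumptions.
"""
from dataclasses import dataclass, field

LINK_DOWN_PENALTY = 2   # assumed VGMP priority drop for each monitored link that fails


@dataclass
class Firewall:
    name: str
    base_priority: int                 # configured VGMP priority
    vrrp_groups: list                  # VRRP groups this device participates in
    failed_links: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)   # session table kept in sync by HRP

    def vgmp_priority(self) -> int:
        # One priority for the whole device: a failed link lowers it for every
        # VRRP group at once, which keeps all groups active or standby together.
        return self.base_priority - LINK_DOWN_PENALTY * len(self.failed_links)


class VgmpCluster:
    def __init__(self, fw_a: Firewall, fw_b: Firewall):
        self.members = [fw_a, fw_b]

    def active(self) -> Firewall:
        # Highest VGMP priority becomes active; on a tie the first member keeps
        # the role (a stand-in for VRRP's IP-address tie-break).
        return max(self.members, key=lambda fw: fw.vgmp_priority())

    def vrrp_state(self) -> dict:
        """Map every VRRP group to the device that is master for it."""
        act = self.active()
        return {group: act.name for group in act.vrrp_groups}

    def hrp_sync(self) -> None:
        # HRP copies the active device's sessions to the standby in real time,
        # so a switchover does not drop flows that are already established.
        act = self.active()
        for fw in self.members:
            if fw is not act:
                fw.sessions = dict(act.sessions)

    def link_failure(self, fw_name: str, link: str) -> None:
        for fw in self.members:
            if fw.name == fw_name:
                fw.failed_links.add(link)


def failover_scenario() -> dict:
    """Two firewalls, two VRRP groups each; FW-A loses its upstream link."""
    groups = ["vrrp-1 (upstream)", "vrrp-2 (downstream)"]
    fw_a = Firewall("FW-A", 100, list(groups))
    fw_b = Firewall("FW-B", 99, list(groups))
    cluster = VgmpCluster(fw_a, fw_b)
    before = cluster.vrrp_state()
    # Constructed session on the active device: (src, dst, proto, sport, dport) -> state
    fw_a.sessions[("10.1.1.5", "203.0.113.9", "tcp", 51000, 443)] = "ESTABLISHED"
    cluster.hrp_sync()
    cluster.link_failure("FW-A", "GE0/0/1")     # upstream link of FW-A goes down
    after = cluster.vrrp_state()
    return {
        "masters_before": before,
        "masters_after": after,
        "priority_a": fw_a.vgmp_priority(),
        "priority_b": fw_b.vgmp_priority(),
        "sessions_on_new_active": len(cluster.active().sessions),
    }


if __name__ == "__main__":
    print(failover_scenario())
```

The point to notice is that a single failed link moves both VRRP groups to FW-B together, and that FW-B already holds the session that was established on FW-A, which is exactly why VGMP and HRP are needed on top of plain VRRP.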

 IP link uses ICMP or ARP probes to detect whether the service link is reachable. It sends ICMP or ARP requests to a specific IP address regularly and waits for responses from that IP address to determine network connectivity. If no response packet is received within the specified time, the link is regarded as unreachable, and the related operation is carried out. If three consecutive response packets are received within the specified time on a failed link, the link is regarded as recovered, and link recovery operations are carried out.
 The result of IP link automatic inspection (destination host reachable or unreachable) can be referenced by other functions. The main applications include:
     Application in static routing
         When IP link finds that a link is unreachable, the firewall adjusts its static route accordingly. If the link of the original high-priority static route is detected as unreachable, the firewall chooses a new link for service forwarding. If the original high-priority static route recovers, the firewall adjusts the static route again to replace the low-priority static route with the high-priority one, ensuring that the link in use always has the highest priority and is reachable, so that services can be forwarded without interruption.
     Application in dual-system hot backup
         When IP link finds that a link is unreachable, the firewall adjusts its VGMP priority to trigger an active/standby switchover to ensure service continuity.
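The probe rules and the static-route application above can be replayed with the following state machine. This is an added example, not code from the slides or from Huawei: the probe results are a constructed True/False sequence standing in for ICMP or ARP replies, and the next-hop addresses and route preferences (60 for the primary, 100 for the backup) are assumptions.

```python
"""State machine of an IP link probe and the static-route failover it drives.

Added example, not Huawei's code. Probe results are a constructed sequence
of True/False values standing in for ICMP or ARP replies; the rules follow
the text above: one missed reply marks the link unreachable, three
consecutive replies mark it recovered. Route preferences are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RECOVERY_REPLIES = 3    # consecutive replies required before a failed link is trusted again


@dataclass
class IpLink:
    target: str                 # IP address that is probed
    reachable: bool = True
    consecutive_ok: int = 0

    def observe(self, reply_received: bool) -> bool:
        """Apply one probe result and return the resulting link state."""
        if not reply_received:
            # No reply within the probe timeout: link is unreachable immediately.
            self.reachable = False
            self.consecutive_ok = 0
        elif not self.reachable:
            self.consecutive_ok += 1
            if self.consecutive_ok >= RECOVERY_REPLIES:
                self.reachable = True       # link recovery operations would run here
                self.consecutive_ok = 0
        return self.reachable


@dataclass
class StaticRoute:
    next_hop: str
    preference: int     # lower value wins, as with VRP route preference
    link: IpLink


def select_route(routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Best route whose link is up; None when no candidate is reachable."""
    usable = [r for r in routes if r.link.reachable]
    return min(usable, key=lambda r: r.preference, default=None)


def run_probe_timeline(events: List[Tuple[bool, bool]]) -> List[Optional[str]]:
    """Replay probe results for a primary and a backup link.

    events: one (primary_reply, backup_reply) pair per probe interval.
    Returns the next hop carrying traffic after each interval.
    """
    primary = StaticRoute("10.0.0.1", preference=60, link=IpLink("10.0.0.1"))
    backup = StaticRoute("10.0.1.1", preference=100, link=IpLink("10.0.1.1"))
    chosen = []
    for primary_reply, backup_reply in events:
        primary.link.observe(primary_reply)
        backup.link.observe(backup_reply)
        best = select_route([primary, backup])
        chosen.append(best.next_hop if best else None)
    return chosen


if __name__ == "__main__":
    # Constructed timeline: primary misses one reply, then answers again.
    timeline = [(True, True), (False, True), (True, True),
                (True, True), (True, True), (False, False)]
    print(run_probe_timeline(timeline))
```

Note the asymmetry the text describes: the primary drops out after one missed reply but only returns after three good ones, so traffic stays on the backup for two extra probe intervals before the high-priority route is restored.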
 QoS enables firewalls to provide functions such as traffic classification, traffic policing, traffic shaping, congestion management, and congestion avoidance. It is the basis for differentiated services. These functions work as follows:
     Traffic classification identifies traffic based on certain rules for implementing differentiated services.
     Traffic policing monitors the volume of specific traffic entering the network. If the traffic volume exceeds a certain threshold, the firewall takes actions to protect customer benefits and network resources.
     Traffic shaping limits the traffic of specific data flows from a network so that the traffic of the data flow can be forwarded at a smooth rate. This is an active measure for scheduling traffic forwarding.
     Congestion management is a mechanism for defining resource scheduling policies in case of traffic congestion to determine packet processing orders. The major scheduling policies include FIFO, CQ, PQ, WFQ, and RTP.
     Note: For Layer-3 interfaces, the USG5500 must configure interface rate limiting for the queues to take effect. However, classifier-based WRR is not subject to this limit.
     Congestion avoidance enables the firewall to monitor network resource (queue and memory buffer) usage and discard packets in case of congestion. It is a traffic control mechanism that adjusts network traffic to resolve overload issues.
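The difference between policing (drop what exceeds the rate) and shaping (queue it and send it out smoothly) is easiest to see on one burst fed through the same token bucket twice. The following is an added example, not Huawei's QoS implementation or code from these slides: the committed rate (9.6 kbit/s), bucket depth (1500 bytes), queue limit and the ten-packet trace are assumptions chosen so that the offered load exceeds the committed rate; colour marking and per-class queues are left out.

```python
"""Token-bucket traffic policing versus traffic shaping on one constructed burst.

Added example, not Huawei's QoS implementation. The committed rate, bucket
depth, queue limit and packet trace are assumptions chosen so that the burst
exceeds the committed rate; colour marking and per-class queues are left out.
"""
from typing import List, Tuple

Packet = Tuple[float, int]   # (arrival time in seconds, size in bytes)


class TokenBucket:
    """Single-rate bucket: tokens (bytes) refill at rate_bps/8 per second up to depth."""

    def __init__(self, rate_bps: int, depth_bytes: int):
        self.rate = rate_bps / 8.0         # bytes per second
        self.depth = float(depth_bytes)
        self.tokens = float(depth_bytes)   # bucket starts full
        self.last = 0.0

    def refill(self, now: float) -> None:
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, nbytes: int, now: float) -> bool:
        self.refill(now)
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


def police(packets: List[Packet], rate_bps: int, depth: int):
    """Policing: a packet with no tokens available is dropped on the spot."""
    bucket = TokenBucket(rate_bps, depth)
    passed, dropped = [], []
    for t, size in packets:
        (passed if bucket.take(size, t) else dropped).append((t, size))
    return passed, dropped


def shape(packets: List[Packet], rate_bps: int, depth: int, queue_limit: int):
    """Shaping: excess packets wait in a FIFO queue and leave once tokens exist.

    Returns ([(departure_time, size), ...], count of packets tail-dropped
    because the queue was already full when they arrived).
    """
    bucket = TokenBucket(rate_bps, depth)
    departures, tail_dropped = [], 0
    last_depart = 0.0
    for t, size in packets:
        waiting = sum(1 for d, _ in departures if d > t)   # packets still queued at t
        if waiting >= queue_limit:
            tail_dropped += 1
            continue
        ready = max(t, last_depart)          # FIFO: not before the previous packet left
        bucket.refill(ready)
        if bucket.tokens < size:             # delay until enough tokens have accumulated
            ready += (size - bucket.tokens) / bucket.rate
            bucket.refill(ready)
        bucket.tokens = max(0.0, bucket.tokens - size)
        departures.append((ready, size))
        last_depart = ready
    return departures, tail_dropped


def demo() -> dict:
    # Constructed burst: ten 500-byte packets 100 ms apart = 40 kbit/s offered,
    # against a 9.6 kbit/s committed rate with a 1500-byte bucket.
    burst = [(i / 10, 500) for i in range(10)]
    passed, dropped = police(burst, rate_bps=9600, depth=1500)
    departures, tail_dropped = shape(burst, rate_bps=9600, depth=1500, queue_limit=3)
    return {
        "policed_pass": len(passed),
        "policed_drop": len(dropped),
        "shaped_out": len(departures),
        "shaped_tail_drop": tail_dropped,
        "last_departure": departures[-1][0],
    }


if __name__ == "__main__":
    print(demo())
```

With the same bucket, policing forwards only the packets that fit the committed rate at their arrival time and discards the rest, whereas shaping delays them and loses only what overflows the queue; the price of shaping is latency, which is why the text calls it an active scheduling measure rather than a protective one.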
 The Elog is dedicated log software for Huawei firewalls. It supports universal syslogs and binary logs.
 Syslogs
     Common syslogs and traffic monitoring logs (excluding Service Awareness traffic monitoring logs) are output in text format as syslogs. These logs require the information center for log management and output redirection. They are then displayed on terminal screens or sent to log hosts for storage and analysis.
 Binary logs
     Session logs (NAT/ASPF logs) and SA traffic monitoring logs are output in binary format. They are directly output to binary log hosts for storage and analysis and do not require processing by the information center.
 Traffic attack
     Traffic attacks refer to attacks in which the attacker uses large quantities of data to occupy excessive resources, causing servers to stop responding to services.
 Scanning and sniffing attack
     Scanning and sniffing attacks mainly include IP sweep and port scanning attacks. In IP sweep attacks, the attacker sends IP packets, such as TCP, UDP, and ICMP packets, whose destination addresses change constantly, to find target hosts and networks.
 Malformed-packet attack
     In malformed-packet attacks, the attacker sends malformed IP packets to the target system. The target system may encounter errors or crash when handling such packets. Malformed-packet attacks mainly include Ping of Death attacks and Teardrop attacks.
 Special-packet attack
     In special-packet attacks, the attacker uses specific packets to probe networks or detect data. The packets used are normal packets, which are seldom used on networks.
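Two of the classes above can be recognised from packet summaries with simple rules: an IP sweep shows up as one source touching many distinct destination hosts within a short window, and Ping of Death and Teardrop show up in the fragment offsets and lengths of a single datagram. The following detection checks are an added example, not Huawei's detection engine or code from these slides; the field names, the window of 10 seconds, the threshold of 5 distinct hosts and the sample records are assumptions.

```python
"""Detection checks for two of the attack classes above, run over constructed
packet summaries. Added example, not Huawei's detection engine: the field
names, the sweep threshold/window and the sample records are assumptions.
"""
from collections import defaultdict
from typing import Dict, List

SWEEP_WINDOW_S = 10       # look-back window for counting distinct destination hosts
SWEEP_THRESHOLD = 5       # distinct destinations from one source before raising an alert
MAX_PAYLOAD = 65535 - 20  # IPv4 total length is at most 65535 bytes; minus a 20-byte header


def detect_ip_sweep(packets: List[Dict]) -> List[str]:
    """Sources that contact too many distinct destination hosts inside the window.

    packets: dicts with keys ts, src, dst; the protocol does not matter, since
    an IP sweep may use TCP, UDP or ICMP packets.
    """
    history = defaultdict(list)    # src -> [(ts, dst), ...]
    alerts = []
    for p in sorted(packets, key=lambda p: p["ts"]):
        hist = history[p["src"]]
        hist.append((p["ts"], p["dst"]))
        hist[:] = [(t, d) for t, d in hist if p["ts"] - t <= SWEEP_WINDOW_S]
        if len({d for _, d in hist}) >= SWEEP_THRESHOLD and p["src"] not in alerts:
            alerts.append(p["src"])
    return alerts


def check_fragments(frags: List[Dict]) -> List[str]:
    """Inspect the fragments of one datagram for Ping-of-Death and Teardrop patterns.

    frags: dicts with offset (payload byte offset) and length (payload bytes).
    Returns verdict strings; empty when the fragment set can be reassembled sanely.
    """
    findings = set()
    end_of_previous = 0
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] + f["length"] > MAX_PAYLOAD:
            findings.add("ping-of-death: reassembled datagram exceeds 65535 bytes")
        if f["offset"] < end_of_previous:
            findings.add("teardrop: fragment overlaps the previous fragment")
        end_of_previous = max(end_of_previous, f["offset"] + f["length"])
    return sorted(findings)


def demo() -> dict:
    # Constructed traffic: one host touches six intranet addresses in six seconds,
    # while a normal client talks to one server repeatedly.
    packets = [{"ts": i, "src": "198.51.100.7", "dst": f"10.0.0.{i}"} for i in range(1, 7)]
    packets += [{"ts": 2, "src": "10.0.0.20", "dst": "10.0.0.1"},
                {"ts": 3, "src": "10.0.0.20", "dst": "10.0.0.1"}]
    return {
        "sweep_sources": detect_ip_sweep(packets),
        "normal": check_fragments([{"offset": 0, "length": 1480},
                                   {"offset": 1480, "length": 520}]),
        "oversized": check_fragments([{"offset": 65120, "length": 400}]),
        "overlap": check_fragments([{"offset": 0, "length": 100},
                                    {"offset": 80, "length": 100}]),
    }


if __name__ == "__main__":
    print(demo())
```

The sweep rule counts distinct destinations rather than packets, so a chatty but legitimate client does not trip it; the fragment rule shows why malformed-packet attacks are caught by validating header arithmetic before reassembly rather than by signature matching on payload.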
 After analyzing packet statistics, the firewall can protect the intranet. For example, the firewall can:
     Check whether the number of TCP or UDP connections from the Internet to the intranet exceeds the specified threshold, to determine whether to limit the connections in this direction or to limit new connections to a specific intranet IP address.
     Check whether the total number of connections exceeds the specified threshold. If so, the firewall can accelerate connection aging to ensure that new connections can still be established and to prevent denial of service.
 The firewall can create blacklist entries as follows:
     1. Detects attacks with specific behavior characteristics from a specific IP address.
     2. Automatically adds this IP address to the blacklist.
     3. Discards packets from this IP address to ensure network security.
 You can reference advanced ACLs in the blacklist to ensure that special users are exempted from the blacklist. In this case, the security policies determine whether to allow packets based on the advanced ACLs. If an ACL rule denies the traffic, the firewall discards the traffic, and vice versa, even if the IP address is blacklisted.
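The interaction between an automatically created blacklist entry and a referenced advanced ACL is shown in the following added example. It is not Huawei's implementation or code from these slides: the rule format, the assumed aging timeout of 600 seconds, the default that a listed source matching no ACL rule stays blocked, and the sample traffic are all assumptions.

```python
"""Blacklist decision with an advanced-ACL exemption, as an added example
(not Huawei's implementation). The rule format, the aging timeout, the
default for a listed source that matches no ACL rule and the sample
traffic are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

BLACKLIST_TIMEOUT_S = 600    # assumed aging time of an automatically added entry


@dataclass
class AclRule:
    action: str                    # "permit" or "deny"
    src: str                       # CIDR prefix or "any"
    dst: str
    proto: str                     # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Dict) -> bool:
        def in_net(ip: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (in_net(pkt["src"], self.src) and in_net(pkt["dst"], self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


class Blacklist:
    def __init__(self, exempt_acl: Optional[List[AclRule]] = None):
        self.entries: Dict[str, float] = {}    # ip -> expiry timestamp
        self.exempt_acl = exempt_acl or []

    def on_attack_detected(self, ip: str, now: float) -> None:
        """Step 2 above: the source of a detected attack is added automatically."""
        self.entries[ip] = now + BLACKLIST_TIMEOUT_S

    def is_listed(self, ip: str, now: float) -> bool:
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if expiry <= now:              # entry has aged out
            del self.entries[ip]
            return False
        return True

    def decide(self, pkt: Dict, now: float) -> str:
        """Return "forward" or "drop" for one packet summary (step 3 above)."""
        if not self.is_listed(pkt["src"], now):
            return "forward"           # not blacklisted: ordinary security policy applies
        # A referenced advanced ACL overrides the blacklist: the first matching
        # rule decides. A listed source matching no rule stays blocked (assumption).
        for rule in self.exempt_acl:
            if rule.matches(pkt):
                return "forward" if rule.action == "permit" else "drop"
        return "drop"


def demo() -> List[str]:
    acl = [AclRule("permit", "203.0.113.0/24", "10.0.0.10/32", "tcp", 443),
           AclRule("deny", "any", "any", "any")]
    bl = Blacklist(exempt_acl=acl)
    bl.on_attack_detected("203.0.113.5", now=1000.0)
    traffic = [   # constructed packet summaries
        {"src": "203.0.113.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 443},  # exempted by ACL
        {"src": "203.0.113.5", "dst": "10.0.0.11", "proto": "tcp", "dport": 22},   # listed, ACL denies
        {"src": "198.51.100.9", "dst": "10.0.0.11", "proto": "tcp", "dport": 22},  # never listed
    ]
    verdicts = [bl.decide(p, now=1010.0) for p in traffic]
    verdicts.append(bl.decide(traffic[1], now=1000.0 + BLACKLIST_TIMEOUT_S + 1))  # entry aged out
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The exemption is deliberately narrow (one subnet, one destination host, one port): a broad permit rule referenced from a blacklist would silently neutralise the blacklist for everything it matches, so the ACL should be reviewed with the same care as the security policy itself.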

 Load balancing enables the firewall to distribute user traffic to multiple servers using the following technologies:
     Virtual service technology
         Every real server has a unique private IP address (real IP address) but shares the same public IP address (virtual IP address). All user access to these servers is sent to the virtual IP address, and the firewall distributes the traffic accessing the virtual server IP address to each real server by using the configured load balancing algorithm.
     Server health check
         The firewall probes the real servers regularly. If a real server is available, it returns a response packet. If not, the firewall does not use this real server and forwards traffic to the other real servers based on the configured policies.
     Traffic-based forwarding
         The firewall sends data streams to each real server for processing based on the specified algorithm.
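The three pieces above (one virtual IP in front of several real IPs, a periodic health check, and an algorithm that spreads new flows over the healthy servers) fit together as in the following added example. It is not Huawei's load-balancing code or code from these slides; the virtual and real addresses, the weights, the probe callback and the use of smooth weighted round-robin as the algorithm are assumptions.

```python
"""Virtual-server load balancing with a health check and smooth weighted
round-robin. Added example, not Huawei's load-balancing code: the server
addresses, weights and the probe callback are assumptions.
"""
from collections import Counter
from typing import Callable, List, Optional


class RealServer:
    def __init__(self, ip: str, weight: int):
        self.ip = ip              # real (private) IP address
        self.weight = weight
        self.healthy = True       # updated by the health check
        self.current = 0          # running score used by smooth weighted round-robin


class VirtualServer:
    def __init__(self, vip: str, reals: List[RealServer], probe: Callable[[str], bool]):
        self.vip = vip            # public virtual IP that clients connect to
        self.reals = reals
        self.probe = probe        # returns True when the real server answers the probe

    def health_check(self) -> None:
        """Probe every real server; a server that fails is excluded from scheduling."""
        before = {rs.ip for rs in self.reals if rs.healthy}
        for rs in self.reals:
            rs.healthy = self.probe(rs.ip)
        after = {rs.ip for rs in self.reals if rs.healthy}
        if before != after:      # membership changed: restart the round-robin cycle
            for rs in self.reals:
                rs.current = 0

    def pick(self) -> Optional[str]:
        """Choose the real server for a new flow (smooth weighted round-robin)."""
        candidates = [rs for rs in self.reals if rs.healthy]
        if not candidates:
            return None          # no healthy server: the virtual service is down
        total = sum(rs.weight for rs in candidates)
        for rs in candidates:
            rs.current += rs.weight
        best = max(candidates, key=lambda rs: rs.current)
        best.current -= total
        return best.ip


def demo():
    down = {"10.1.1.3"}          # constructed probe state: the third server is failing
    vs = VirtualServer("203.0.113.10",
                       [RealServer("10.1.1.1", 3), RealServer("10.1.1.2", 1), RealServer("10.1.1.3", 1)],
                       probe=lambda ip: ip not in down)
    vs.health_check()
    while_down = [vs.pick() for _ in range(5)]
    down.clear()                 # the server recovers and passes the next probe
    vs.health_check()
    after_recovery = Counter(vs.pick() for _ in range(20))
    return while_down, dict(after_recovery)


if __name__ == "__main__":
    print(demo())
```

While the third server fails its probe, flows are split 3:1 between the remaining two; after it recovers, the 3:1:1 weights are honoured exactly over each cycle of five picks, which is the property that makes smooth weighted round-robin preferable to a naive expanded list.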
 SA inspects the content of the application-layer data. The firewall matches the application-layer data in parsed packets against the rules in the SA signature database to analyze the application type of packets or flows at the layers above the IP and UDP/TCP layers.
 If a match is found, control actions are performed on the identified network traffic, such as allowing and blocking the traffic, limiting the number of connections, and limiting the traffic rate.
 Throughput refers to the packet processing capability of firewalls. RFC 2647 defines firewall throughput as the number of bits that a firewall receives, processes, and forwards to the correct destination interface per second. When testing firewall throughput, ignore error traffic and retransmitted traffic; that is, count only the traffic that is forwarded to the destination interface. Traffic at different load levels and traffic in different directions also need to be tested to obtain the final average value. For payload sizes, the industry generally uses large packets of 1 KB to 1.5 KB to measure firewall packet processing capability. However, most network traffic consists of 200-byte packets, so the test should also consider small-packet throughput. Firewalls must have rules configured, so the forwarding performance supported by a firewall under an ACL also needs to be tested.
 New connections per second refers to the number of new complete TCP connections established on a firewall per second.
 Connections are established dynamically according to the current situation of both communicating parties. Each session must establish a connection on the firewall before data exchange. If connection establishment on the firewall is slow, the client may experience a long delay each time it communicates. Therefore, the larger this indicator is, the higher the forwarding rate will be. In case of attacks, the defense capability is also stronger if this indicator is large, and so is the backup capability.
 The greater this indicator (the number of concurrent connections) is, the stronger the attack defense capability will be. When the number of concurrent connections reaches the upper limit, new connection request packets are dropped when they reach the firewall.
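The connection-statistics protections described earlier (a per-destination threshold for Internet-to-intranet connections and accelerated aging once the total exceeds a threshold) and the concurrent-connection ceiling described here all act on the same session table. The following added example models that table; it is not Huawei's session management or code from these slides, and the limits (6 concurrent sessions, 3 inbound sessions per destination, aging of 1800 s normally and 60 s under load above 4 sessions) and the constructed connection attempts are assumptions scaled down to make the behaviour visible.

```python
"""Session table with a concurrent-connection ceiling, per-destination
new-connection limiting and threshold-triggered accelerated aging.

Added example covering both the connection-statistics checks and the
concurrent-connection limit described above; not Huawei's session
management. The limits, aging times and the constructed connection
attempts are assumptions.
"""
from typing import Dict, Tuple

MAX_SESSIONS = 6            # concurrent-connection upper limit of this toy firewall
NEW_CONN_PER_DST = 3        # Internet->intranet sessions allowed to one intranet address
AGING_NORMAL_S = 1800       # session aging time under normal load
AGING_FAST_S = 60           # aging time once the total exceeds the threshold
FAST_AGING_THRESHOLD = 4    # total sessions above which aging is accelerated

SessionKey = Tuple[str, str, str, int]   # (direction, src, dst, dport)


class SessionTable:
    def __init__(self):
        self.sessions: Dict[SessionKey, float] = {}   # key -> last-seen timestamp

    def aging_time(self) -> int:
        # Accelerated aging frees table space so new connections can still be set up.
        return AGING_FAST_S if len(self.sessions) > FAST_AGING_THRESHOLD else AGING_NORMAL_S

    def age_out(self, now: float) -> None:
        limit = self.aging_time()
        for key, seen in list(self.sessions.items()):
            if now - seen > limit:
                del self.sessions[key]

    def inbound_count(self, dst: str) -> int:
        """Number of Internet->intranet sessions to one intranet address."""
        return sum(1 for direction, _src, d, _port in self.sessions
                   if direction == "inbound" and d == dst)

    def new_connection(self, direction: str, src: str, dst: str, dport: int, now: float) -> str:
        """Return "accept", "drop:table-full" or "drop:dst-limit"."""
        self.age_out(now)
        key = (direction, src, dst, dport)
        if key in self.sessions:
            self.sessions[key] = now
            return "accept"                  # existing session, just refreshed
        if len(self.sessions) >= MAX_SESSIONS:
            return "drop:table-full"         # upper limit reached: new request dropped
        if direction == "inbound" and self.inbound_count(dst) >= NEW_CONN_PER_DST:
            return "drop:dst-limit"          # per-destination threshold exceeded
        self.sessions[key] = now
        return "accept"


def demo() -> dict:
    table = SessionTable()
    attempts = [   # constructed: (time, direction, src, dst, dport)
        (0, "inbound", "198.51.100.1", "10.0.0.5", 80),
        (1, "inbound", "198.51.100.2", "10.0.0.5", 80),
        (2, "inbound", "198.51.100.3", "10.0.0.5", 80),
        (3, "inbound", "198.51.100.4", "10.0.0.5", 80),    # 4th to the same host: limited
        (4, "outbound", "10.0.0.7", "203.0.113.1", 443),
        (5, "outbound", "10.0.0.8", "203.0.113.1", 443),
        (6, "outbound", "10.0.0.9", "203.0.113.1", 443),    # 6th session fills the table
        (7, "outbound", "10.0.0.10", "203.0.113.1", 443),   # table full: dropped
        (100, "outbound", "10.0.0.10", "203.0.113.1", 443), # fast aging has freed space
    ]
    results = [table.new_connection(d, s, dst, p, t) for t, d, s, dst, p in attempts]
    return {"results": results, "sessions_left": len(table.sessions)}


if __name__ == "__main__":
    print(demo())
```

The last attempt succeeds only because the table was above the fast-aging threshold: with the normal 1800-second aging the idle sessions would still occupy the table at t=100 and the request would be dropped like the one before it.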
 Device login management
     Logging in through the console port: Log in to the device through the console port connected to the PC.
     Logging in through Web: Access the firewall on the PC through a Web browser to control and manage the firewall.
     Logging in through Telnet: Connect the PC to the network and log in to the firewall through Telnet.
     Logging in through SSH: Logging in through SSH provides information security guarantees and strong authentication to protect the system from attacks such as IP spoofing.
 File management
     A configuration file refers to the configuration items loaded when the firewall is started. You can save, modify, or clear the configuration file, or select the configuration file to be loaded at startup. The system files include the software version and database file.
     You can upload system software to the firewall using TFTP or FTP.
     A license acts as an agreement for the device provider to authorize the application and duration of product features. A license can dynamically control the availability of certain product features.
 Logging in through the console port: Log in to the USG through the console port connected to the PC when you power on and configure the USG for the first time. If you fail to access the USG remotely, you can log in to the USG locally through the console port. If the USG cannot be started normally, you can diagnose the system or enter the BootROM system through the console port to upgrade it.
 Logging in through Telnet: Connect the PC to the network and log in to the USG through Telnet to perform local or remote configuration. The USG can then authenticate users according to the specified login parameters. Logging in through Telnet facilitates remote management and maintenance of the USG.
 Logging in through SSH: Logging in through SSH provides information security guarantees and strong authentication to protect the system from attacks such as IP spoofing. Logging in through SSH ensures the security of data exchange to the greatest extent.
 Logging in through Web: You can access the USG on the PC through a Web browser to control and manage the USG. This is applicable to the scenario where you log in to the USG on the PC through the Web.
 To configure the USG using a PC, you need to run a terminal emulation program, such as Windows 3.1 Terminal or Windows 98/Windows 2000/Windows XP HyperTerminal, on the PC to set up a new connection. As shown in the figure, enter a name for the connection and click OK.
 In the dialog box for setting serial port attributes, set the baud rate to 9600, data bits to 8, parity to none, stop bits to 1, and flow control to none. Then click OK to return to the HyperTerminal window.
 Power on the USG and check whether the indicators on the front panel are normal.
 By default, HTTP and HTTPS are enabled on the USG. HTTPS is recommended to improve security. Users can use the default user name and password (admin/Admin@123) to log in. For security reasons, change the password after login.
 Enabling HTTP
     Run the system-view command to access the system view.
     Run the web-manager enable [ port port-number ] command to enable HTTP.
     At this time, you can enter an address in the http://ip-address:port format in the Web browser to access the device. The default port number is 80.
 Enable HTTPS (default certificate).
     Run the system-view command to access the system view.
     Run the web-manager security enable port port-number command to enable HTTPS.
     At this time, you can enter an address in the https://ip-address:port format in the Web browser to access the device.
 The local-user level command sets the priority of a local user.
     Level 3: management level
 Enable web management and the HTTP/HTTPS services as required and set the port number. After the HTTP/HTTPS services are enabled (using the device as a Web server), you can configure terminals to access the device by using HTTP/HTTPS for remote configuration and management. HTTPS has higher security than HTTP; therefore, you are advised to use the HTTPS service on a network that requires enhanced security.
 Creating an administrator account:
     1. Choose System > Admin > Administrators.
     2. Click Add.
     3. Set the administrator parameters.
 Configuring Device Services
     1. Choose System > Admin > Settings.
     2. Select Enable for HTTPS/HTTP Service.
     3. Enter a port number in HTTP Port, HTTPS Port, or both service ports.
     4. Click Apply.
 Configure the login interface.
     1. Choose Network > Interface, and choose the interface you want to configure.
     2. Set the parameters: security zone, IP address, and allow HTTPS management.
 Assign interface GigabitEthernet 0/0/0 to the Trust zone with the default IP address 192.168.0.1/24.
 The USG provides two methods for verifying the validity of Telnet users: password authentication and AAA authentication.
 Password authentication:
     When the authentication mode is password authentication, remote users need to enter only their passwords to log in to the USG.
     Run the user-interface [ interface-type ] first-number [ last-number ] command to access the VTY user interface view.
     Run the authentication-mode password command to set the authentication mode to password authentication.
     Run the set authentication password cipher password command to set a password for password authentication.
 AAA authentication:
     Run the user-interface [ interface-type ] first-number [ last-number ] command to access the VTY user interface view.
     Run the authentication-mode aaa command to set the authentication mode to AAA authentication.
     Run the aaa command to access the AAA view.
     Run the manager-user manager-name command to create an admin account.
     Run the service-type { ftp | ssh | telnet | terminal | web } * command to set the service type.
     Run the level level command to set the level of the local user.
 Enable the Telnet service.
     1. Choose System > Admin > Settings.
     2. Select the Telnet service check box.
 Creating a Telnet administrator account:
     1. Choose System > Admin > Administrators.
     2. Click Add.
     3. Set the administrator parameters and add the Telnet service.
 Configure the login interface.
     1. Choose Network > Interface, and choose the interface you want to configure.
     2. Set the parameters: security zone, IP address, and allow Telnet management.
 SSH provides enhanced information security and strong authentication for user login to the device. Configure the SSH device management function on the USG interface as required.
 Generate a local RSA key pair on the USG.
     To log in to the device successfully, you must configure and generate a local RSA key pair on the USG. Before you perform other SSH configurations, you must run the rsa local-key-pair create command to create a local RSA key pair. You need to run this command only once. After the device is restarted, you do not need to run it again.
 Create an SSH user on the USG.
     When the USG functions as an SSH server, you can configure the SSH user authentication mode as password or RSA authentication. Here we use password authentication as an example.
 saved-configuration:
     Configuration file for the next startup. The USG stores the configuration file in its Flash or CF card, and it is still available after a restart.
 current-configuration:
     Running configuration file of the USG. Command and web operations are performed on the running configuration file. It is saved in the memory of the USG and is unavailable after a restart.
 Save the configuration file.
     Save the configuration for the next startup to use.
     Method 1 (CLI): In the user view, run the save command.
     Method 2 (Web): In the upper right of the homepage, click Save.
 Reboot the device.
     Restart the USG and log the restart.
     Method 1 (CLI): In the user view, run the reboot command.
     Method 2 (Web): Log in to the USG web UI and choose System > Maintenance > Restart.
 Clear the configuration file.
     After you clear the configuration file, the USG uses the default parameters to initialize the system.
     Method 1 (CLI): In the user view, run the reset saved-configuration command.
     Method 2 (Web): Choose System > Maintenance > Configuration Management. Then click Restore Factory Settings.
     Method 3 (Reset button): If the USG is not powered on, hold the RESET button and then turn the power on. When the indicators on the panel blink twice every second at the same time, release the RESET button. The device starts with the default settings.
     Method 4 (Reset button): If the device has started normally, hold the RESET button for a long time (more than 10 seconds). The device will restart and use the default settings for startup.
 Specify the system software for the next startup.
     CLI: In the user view, run the startup system-software sysfile command.
     Web: Choose System > Maintenance > System Upgrade and select the system software for the next startup.
 TFTP
     The USG serving as the TFTP client obtains system software from the TFTP server. In this case, the TFTP server and the USG are not required to be on the same network segment, but they must be reachable to each other.
 FTP
     If FTP is used, the FTP server and the USG are not required to be on the same network segment, but they must also be reachable to each other.
     The USG serves as an FTP client.
         Run the FTP server program on the PC and save the system software to be downloaded in the corresponding FTP directory. In the user view of the USG, use commands to download the system software to the corresponding directory of the USG.
     The USG serves as an FTP server.
         Start the FTP server on the USG. Log in to the USG using an FTP client and upload the system software to the corresponding directory of the USG.
 One-touch system software upgrade
     If the storage space in the USG is insufficient, the USG automatically deletes the running system software.
     The system software must use .bin as the file name extension, and the file name cannot contain any Chinese characters.
     Choose System > System Upgrade.
     Click One-Touch Version Upgrade. The wizard for one-touch version upgrade is displayed.
     Optional: Click Export to export USG alarm information, log information, and configuration information to a terminal. You are advised to save the configuration information to the terminal.
     Click Browse and select the system software to be uploaded.
     Select Restart the system now or Do not restart the system according to whether the current network allows the device to restart immediately after the system upgrade.
     The USG must restart for the target system software to take effect.
 A license file must use .dat as the file name extension, and the file name cannot contain any Chinese characters.
     Choose System > License Management.
     Select Local Manual Activation from License Activation Mode.
     Click Browse. Select the license file to be uploaded.
     Click Activate to activate the uploaded license file.
 VRP system commands are hierarchically classified into four levels: the visit level, monitoring level, configuration level, and management level.
 The system also classifies login users into four levels, which correspond to the command levels respectively. After users of different levels log in to the system, they can use only the commands whose level is equal to or lower than their own level. To switch from a low-level user to a high-level user, use the super password [ level user-level ] { simple | cipher } password command.
 The system divides the command line interface into multiple command views. All commands of the system are registered under a certain command view (or several views). The commands under a view can be run only in the corresponding view.
 After the connection with the firewall is established, the user view is displayed. You can view the operating status and statistics information in this view. Then you can access the system view to enter different configuration commands, and from there enter the corresponding protocol and interface views.
 The VRP platform provides a command line online help function. You can type a question mark wherever you have a question.
     1. For example, you can type a question mark in the system view. The system then displays the command parameters that can be configured in the system view.
     2. Or type a space after a parameter and then type a question mark. The list of available parameters is displayed.
     3. Type a character string and then a question mark. The system lists all commands beginning with this character string.
 Type the first few characters of a keyword of the command and then press Tab. The complete keyword will be displayed.
 When the pause menu is displayed, press Ctrl+C to stop the display and command execution.
 When the pause menu is displayed, press Space to continue displaying the information on the next screen.
 When the pause menu is displayed, press Enter to continue displaying the information on the next line.
 Configure the network to enable network communication.
 Configure the objects to manage the common factors referenced in all policies.
 Configure policies to secure the network and manage the traffic.
 The USG supports the following two interface cards:
     Layer-2 interface card: All interfaces are Layer-2 Ethernet interfaces and cannot be switched to Layer-3 interfaces.
     Layer-3 interface card: All interfaces are Layer-3 Ethernet interfaces by default. You can run the portswitch command to switch them to Layer-2 Ethernet interfaces.
 Create a security zone.
     Step 1 Run the system-view command to enter the system view.
     Step 2 Run the firewall zone [ name ] zone-name command to create a security zone and enter the security zone view.
         Run the firewall zone command based on the following scenarios:
         If the security zone exists: Do not configure the keyword name. The security zone view is displayed directly.
         If the security zone does not exist: Configure the keyword name. Then the security zone view is displayed.
         The system predefines four security zones: Local, Trust, DMZ, and Untrust. In routing mode, the four security zones do not need to be created and cannot be deleted. The firewall supports up to 16 security zones.
     Step 3 Run the set priority security-priority command to configure the security level of the security zone.
     The following principles should be followed when configuring the security level of a security zone:
         Only the security level of user-defined security zones can be set.
         Once the security level is set, it cannot be modified.
         In the same system, two security zones cannot have the same security level.
         For newly created zones, the security level is 0 before it is set.
 The action command configures the action in a security policy rule.
     Permit: Indicates that the traffic that matches the rule is permitted.
     Deny: Indicates that the traffic that matches the rule is denied.
 By default, the NGFW blocks all inter-zone packets.
 An interconnection network can be established by configuring static routes. If a network failure occurs, a static route will not change automatically. Therefore, it must be changed by the administrator.
 The default route is used if no routing entry is matched. In the routing table, the default route is configured as the route to network 0.0.0.0 (mask: 0.0.0.0). If the destination address of a packet does not match any entry of the routing table, the packet uses the default route. If the default route does not exist and the destination address of the packet is not in the routing table, the packet is discarded. Meanwhile, an ICMP packet is returned to the source indicating that the destination address or network is unreachable.
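The lookup behaviour just described (most specific static entry first, then the 0.0.0.0/0 default, and discard plus ICMP destination unreachable when neither exists) is implemented in the following added example. It is not VRP code or code from these slides; the routing entries, next hops and the destinations looked up are constructed for the illustration.

```python
"""Longest-prefix lookup with default-route fallback and the ICMP
"destination unreachable" outcome described above. Added example, not VRP
code: the routing entries and the destinations looked up are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

RouteEntry = Tuple[ipaddress.IPv4Network, str]   # (prefix, next hop)


def build_table(entries: List[Tuple[str, str]]) -> List[RouteEntry]:
    """entries: (prefix, next_hop) pairs. Sorted longest prefix first so the
    first match is the most specific; 0.0.0.0/0 therefore always sorts last."""
    table = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in entries]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)


def lookup(table: List[RouteEntry], dst: str) -> Optional[str]:
    addr = ipaddress.ip_address(dst)
    for net, next_hop in table:
        if addr in net:
            return next_hop
    return None     # no entry matched and no default route exists


def forward(table: List[RouteEntry], dst: str) -> str:
    next_hop = lookup(table, dst)
    if next_hop is None:
        # The packet is discarded and an ICMP destination unreachable goes back to the source.
        return "drop: ICMP destination unreachable sent to source"
    return f"forward via {next_hop}"


def demo() -> dict:
    # Constructed static routes: a /16, a more specific /24 inside it, and a default route.
    entries = [("10.1.0.0/16", "10.0.0.1"), ("10.1.2.0/24", "10.0.0.2"), ("0.0.0.0/0", "192.0.2.1")]
    with_default = build_table(entries)
    without_default = build_table(entries[:2])     # same table, default route removed
    destinations = ["10.1.2.3", "10.1.9.9", "8.8.8.8"]
    return {
        "with_default": [forward(with_default, d) for d in destinations],
        "without_default": [forward(without_default, d) for d in destinations],
    }


if __name__ == "__main__":
    print(demo())
```

Sorting by prefix length is what makes 10.1.2.3 take the /24 rather than the /16 that also contains it; a table searched in configuration order would silently pick whichever entry was entered first.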
 Choose Network > Interface > Interface.
     Set an IP address and switch the interface mode.
 The USG supports two types of interface cards:
     Layer-2 interface card: All interfaces are Layer-2 interfaces and cannot be switched to Layer-3 interfaces.
     Layer-3 interface card: All interfaces are Layer-3 interfaces by default and can be switched to Layer-2 interfaces using the portswitch command.
 Step 1 Choose Network > Zone.
 Step 2 Select a default zone or create a zone.
 Step 3 If you create a zone, set the zone name and security level.
Step 4 Assign an interface to a zone.
 Configuring a security policy using the Web UI:
     1. Choose Policy > Security Policy > Security Policy.
     2. Click Add.
     3. Configure the name and description of the security policy.
     4. Define the match conditions of the security policy.
     5. Configure the action of the security policy.
     6. Configure the profiles.
     7. Click OK to complete the application of the security policy.
 Choose Network > Router > Static Route to create a static route.
 A packet filtering firewall inspects the network layer of each packet and forwards or discards the packet according to the configured security policies. Packet filtering firewalls are easy to design and implement and are inexpensive. However, packet filtering firewalls have the following drawbacks:
     1. Firewall performance deteriorates exponentially as ACLs increase in length and complexity.
     2. ACLs are static and unable to meet dynamic security needs.
     3. Packet filtering firewalls do not inspect session status or analyze data, and can easily be spoofed by hackers.
 Stateful inspection firewalls improve on packet filtering firewalls. Based on the connection state, stateful packet filtering firewalls not only treat each packet as an independent unit, but also inspect the relevance between previous and subsequent packets during packet inspection. Stateful inspection firewalls have the following advantages:
     1. Outstanding performance in processing subsequent packets: When a stateful inspection firewall performs ACL checks on the initial packet of a data flow, the firewall records the state of the data flow. Subsequent packets are checked against the connection state and are not subjected to the ACL checks.
     2. Higher security: The connection state list is maintained dynamically. After the session is established, the connection created temporarily on the firewall for replies is terminated, ensuring the security of the internal network. Stateful inspection firewalls monitor the connection state in real time, improving system security.

 As for the relationship between security zones and interfaces, all network devices on a
network attached to a firewall interface are in the same security zone, and a security zone
can contain networks attached to multiple interfaces. The interfaces can be physical or
logical interfaces. Therefore, logical interfaces such as subinterfaces or Vlanif interfaces can
be created to add the users on different subnets of a network connected to a physical
n
interface to different security zones.
/e
Two security zones cannot have the same security level.
o m
i.c
1.

2.

w e
One physical firewall interface cannot be assigned to two different security zones.

3.

u a
Different interfaces of a firewall can be assigned to the same security zone.

g
referenced by other features. The main application scenarios are as follows:.h
The detection result (destination host reachable or unreachable) of IP-link can be

ni n

ar
In static routing: When IP-link identifies that a link is unreachable, the firewall

le
adjusts its static routes. For example, if a link that a higher-priority static route must

//
pass through fails, the firewall forwards the traffic through a lower-priority static
:
t t p
route. If the link recovers from the fault, the firewall will switch back to the static

:h
route with a higher priority to ensure that traffic is always forwarded through the
static route that is available and has the highest priority.

e s

r c
In hot standby scenario: When IP-Link detects that a link is unreachable, the firewalls

u
will adjust the priorities of VGMP groups to trigger active/standby switchover,
o
s
ensuring service continuity.
• As a network protection mechanism, packet filtering controls the forwarding of traffic of various types on the network.
• The traditional packet-filtering firewall obtains header information of the packet to be forwarded, including the source IP address, destination IP address, upper-layer protocol number at the IP layer, source port number, and destination port number. Then, the firewall matches the packet header information against the pre-defined filtering rules. The firewall determines whether to forward or discard the packet according to the matching result.
• Before packet forwarding, the packet-filtering firewall has to match the header information of each packet against the filtering rules. As a result, the forwarding efficiency is low. Currently, the firewall uses the status detection mechanism. The firewall checks the first packet of a connection against the filtering rules. If the first packet matches the filtering rules, the firewall creates a session and adds the session to a session table. All subsequent packets of the session are forwarded directly.
• Packets are filtered against the source MAC address, destination MAC address, source IP address, destination IP address, source port number, destination port number, and upper-layer protocol information. The source IP address, destination IP address, source port number, destination port number, and upper-layer protocol are the quintuple used by status detection firewalls and the key elements used to establish TCP/UDP connections.
• The firewall protects a network from being attacked by any untrusted network while permitting authorized communication between the two networks. The security policy checks the firewall traffic and allows only the traffic that matches the security policy to pass. The major applications are as follows:
    • Controlling the cross-firewall network access
        • The security policy can be used to control the authority to access an extranet from an intranet or the access authority between the subnets with different security levels on an intranet.
    • Controlling the device access
        • The security policy can be used to prevent some devices with specified IP addresses from logging in to the firewall through Telnet or Web and to control the mutual access between NMSs or NTP servers and devices.
• The security policy defines the rules against which data flows are filtered, and the keyword determines the action to be applied to the data flows that match the rules. Firewalls can use security policies to permit or deny packets and detect the traffic content to allow only secure data to pass through. The security policies filter packets based on the source address or region, destination address or region, user, service (including source port, destination port, and upper-layer protocol), application, and schedule.
• Interzone Security Policy
    • An interzone security policy is used for controlling interzone data flows (called a forwarding policy). It applies to scenarios where an interface is added to different trusted zones. An interzone security policy matches traffic based on the IP address, period and services (port or protocol type), and users, and permits or denies the traffic that matches the filtering rules or performs the advanced UTM application layer detection. In addition, an interzone security policy controls the mutual access between the local and remote devices (called a local policy) by matching traffic based on the IP address, period and services (port or protocol type), and users, and permitting or denying the traffic that matches the filtering rules.
• Intrazone Security Policy
    • Intrazone traffic is not limited by default. An intrazone security policy is employed for controlling intrazone traffic if needed. Similar to an interzone security policy, an intrazone security policy matches traffic based on the IP address, period and services (port or protocol type), and users. For example, the marketing department and finance department of a company both belong to the trusted zone, and they can access each other. However, the finance department has the most important data of the company, and the data needs to be protected against attacks from malicious internal employees or PCs. In this situation, an interzone security policy can be used for IPS detection to deny unauthorized access.
• Interface-based Packet Filtering
    • Interface-based packet filtering is used to control the IP packets transmitted through an interface that is not added to a security zone. A policy can be used to match traffic based on the IP address, period and services (port or protocol type), and users, and permits or denies the traffic that matches the filtering rules. MAC address-based packet filtering controls which Ethernet frames can be received based on the MAC address, frame protocol type, and frame priority, and permits or denies the traffic that matches the filtering rules. Hardware packet filtering is performed on Layer 2 hardware interface boards and controls which traffic flows can be received. Hardware packet filtering is fast because the filtering is implemented in hardware.
• The earlier packet-filtering firewalls check all received packets one by one according to packet filtering rules to determine whether to allow the packets through. This mechanism slows down packet forwarding, and therefore packet-filtering firewalls become a forwarding bottleneck.
• To resolve this deficiency, an increasing number of firewalls filter packets based on the status detection mechanism. This mechanism checks only the first packet of one flow against the packet filtering rules and records the status of the flow. Firewalls check the status of the flow to determine whether to forward or discard subsequent packets without inspecting packet contents. In this mechanism, status refers to session entries. This mechanism rapidly improves the detection and forwarding efficiency of firewalls and has therefore become the mainstream packet filtering mechanism.
• Generally, firewalls check a quintuple of an IP packet: the source IP address, destination IP address, source port number, destination port number, and protocol type. By checking the quintuple of an IP packet, the firewall can identify the packets of one data flow. Besides the quintuple, the NGFW can also check the user, application, schedule, etc. of a packet.
• At the three-way handshake stage, firewalls check TCP packets based on the quintuple as well as other fields. After the three-way handshake stage, firewalls check subsequent packets according to the quintuple in the session table to determine whether to forward them.
• The detection of packets that have an existing session takes much less time than the detection of those that do not. This mechanism checks only the first packet of one flow against the packet filtering rules and creates a session for the flow. Subsequent packets do not have to be detected. This mechanism rapidly improves detection and forwarding efficiency.
• For TCP packets
    • When the status detection mechanism is enabled, a session entry is established for the first packet (the SYN packet) of a connection. If packets other than the SYN packet do not have the corresponding session entries (the device has not received any SYN packet or the session entry has aged), the packets are discarded, and no session entry is established.
    • When the status detection mechanism is disabled, the system can establish session entries for packets in any format as long as the packets pass the security check, even without corresponding session entries.
• For UDP packets
    • UDP is based on connectionless communications. The system can establish session entries for UDP packets in any format as long as the packets pass the security check, even without corresponding session entries.
• For ICMP packets
    • After the status detection mechanism is enabled, ICMP response packets without corresponding sessions are discarded.
    • When the status detection mechanism is disabled, a response packet without a corresponding session is processed as the first packet.
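The following Python model is an added example (not code from the course or from the USG) that ties together the status detection behaviour described on the last few slides: the first packet of a flow is checked against the filtering rules and creates a session keyed by the quintuple, subsequent packets in either direction are forwarded on the session without a rule lookup, and, with status detection enabled, a TCP segment without SYN or an ICMP reply that has no session is discarded. The rule set, addresses and packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rule set and packets. The model below is a simplified illustration of the
# status detection mechanism described above, not the USG's implementation.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                 # "tcp", "udp" or "icmp"
    tcp_flags: str = ""        # "SYN", "SYN-ACK", "ACK", ...
    icmp_reply: bool = False   # True for an ICMP response (e.g. echo reply)

    def quintuple(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_quintuple(self):
        # the reply direction of the same flow
        return (self.dst, self.src, self.dport, self.sport, self.proto)


def rule_permits(pkt, rules):
    """Packet-filtering check: rules are (src_net, dport, proto, action), first match
    wins, None means "any"; no match means deny."""
    src = ipaddress.ip_address(pkt.src)
    for src_net, dport, proto, action in rules:
        if (src in ipaddress.ip_network(src_net)
                and dport in (None, pkt.dport)
                and proto in (None, pkt.proto)):
            return action == "permit"
    return False


class StatefulFirewall:
    def __init__(self, rules, status_detection=True):
        self.rules = rules
        self.status_detection = status_detection
        self.sessions = set()   # quintuples of admitted flows (forward direction)
        self.acl_checks = 0     # how often the slow path (rule lookup) ran

    def handle(self, pkt):
        """Return "forward" or "drop" and maintain the session table."""
        if pkt.quintuple() in self.sessions or pkt.reverse_quintuple() in self.sessions:
            return "forward"    # existing session: no rule lookup
        if self.status_detection:
            # only a genuine first packet may create a session
            if pkt.proto == "tcp" and pkt.tcp_flags != "SYN":
                return "drop"   # non-SYN without a session (no SYN seen, or session aged)
            if pkt.proto == "icmp" and pkt.icmp_reply:
                return "drop"   # response without a corresponding session
        # first packet (or any packet when status detection is off): rule lookup
        self.acl_checks += 1
        if not rule_permits(pkt, self.rules):
            return "drop"
        self.sessions.add(pkt.quintuple())
        return "forward"


RULES = [                                          # constructed policy
    ("192.168.1.0/24", 23, "tcp", "permit"),       # intranet may telnet out
    ("192.168.1.0/24", 53, "udp", "permit"),       # and resolve names
    ("192.168.1.0/24", None, "icmp", "permit"),    # and ping
    ("0.0.0.0/0", None, None, "deny"),             # everything else
]


def run_demo(status_detection=True):
    """Push a telnet handshake, a stray segment, a DNS query and an unsolicited ICMP
    reply through the firewall; return the verdicts and the number of rule lookups."""
    fw = StatefulFirewall(RULES, status_detection)
    flow = [
        Packet("192.168.1.10", "10.1.1.5", 2855, 23, "tcp", "SYN"),
        Packet("10.1.1.5", "192.168.1.10", 23, 2855, "tcp", "SYN-ACK"),
        Packet("192.168.1.10", "10.1.1.5", 2855, 23, "tcp", "ACK"),
        Packet("10.1.1.5", "192.168.1.10", 23, 2856, "tcp", "ACK"),   # no session
        Packet("192.168.1.10", "10.1.1.5", 5353, 53, "udp"),
        Packet("10.1.1.5", "192.168.1.10", 0, 0, "icmp", icmp_reply=True),
    ]
    return [fw.handle(p) for p in flow], fw.acl_checks


if __name__ == "__main__":
    print(run_demo(True))    # (['forward', 'forward', 'forward', 'drop', 'forward', 'drop'], 2)
    print(run_demo(False))   # same verdicts, but 4 rule lookups
```

The two runs give the same verdicts, but with status detection disabled every packet that lacks a session goes through the rule lookup, which is the forwarding cost the slides describe; with it enabled, only the two genuine first packets (the SYN and the DNS query) touch the rules.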
• Sessions are critical to firewalls. Each firewall creates a session for each flow that is forwarded by the firewall. The session is based on the quintuple of the flow (the source and destination IP addresses, the source and destination port numbers, and the protocol type). The NGFW expands the quintuple to a 7-tuple: the source IP address, source port, destination IP address, destination port, protocol, application, and user. Dynamic sessions can be created to ensure higher security of inter-zone data forwarding.
• Seven elements of a session for the NGFW:
    • Source IP address
    • Destination IP address
    • Source port number
    • Destination port number
    • Protocol type
    • Application
    • User
• Description of the command display firewall session table
    • current total sessions: Number of current session entries
    • telnet/http: Protocol name
    • VPN:public-->public: VPN instance name: Source --> Destination
    • 192.168.3.1:2855-->192.168.3.2:23: Session table information
• Description of the command display firewall session table verbose
    • current total sessions: Number of current session entries
    • http: Protocol name
    • VPN:public-->public: VPN instance name: Source --> Destination
    • ID: ID of current session entries
    • zone:trust-->local: Session security zone: Source zone --> Destination zone
    • TTL: Total TTL of the session entry.
    • Left: Remaining TTL of the session entry.
    • Output-interface: Outbound interface
    • NextHop: Next-hop IP address
    • MAC: Next-hop MAC address
    • <--packets:3073 bytes:3251431: Numbers of packets (including fragments) and bytes in the inbound direction of the session.
    • -->packets:2881 bytes:705651: Numbers of packets (including fragments) and bytes in the outbound direction of the session.
    • PolicyName: Packet matching policy name.
• Description of the command reset firewall session table
    • This command deletes the session information.
    • Exercise caution when running this command because it may interrupt services.
• After the firewall receives a packet, it searches the session table based on the quintuple and performs subsequent operations based on the result.
• Most multimedia application protocols (for example, H.323 and SIP) and some other protocols, such as FTP and NetMeeting, use a designated port to initialize a control connection and then dynamically select ports to transmit data. The selected ports are unpredictable, and some applications may use multiple ports at the same time. Traditional packet-filtering firewalls can use ACLs to filter only single-channel protocol packets to protect the internal network from attacks. Therefore, some security risks remain.
• In the data structure of the session table, ASPF maintains connection status, based on which ASPF maintains session access rules. ASPF saves important status information that cannot be saved by ACL rules. Firewalls check each packet in data flows and ensure that packet status and packets comply with the customized security rules. Connection status information is used to permit or deny packets. When a session is terminated, session entries are also deleted and sessions in firewalls are disabled.
• For TCP connections, ASPF can intelligently detect three-way handshake information as well as connection deletion handshake information. By detecting handshake and connection deletion status, ASPF processes normal TCP access and discards incomplete TCP handshake connection packets.
• UDP packets are connectionless, but ASPF is based on connections. Therefore, ASPF checks source IP addresses, destination IP addresses, and ports of UDP packets to determine the existence of a connection according to whether packets are similar to other UDP packets within the defined time range.
• In common scenarios, ACL-based IP packet filtering technology is generally used, which is simple but not flexible. In many application scenarios, common packet filtering technology cannot protect the network. For a multi-channel protocol such as FTP, configuring firewalls is difficult.
• ASPF enables firewalls to support multiple data connection protocols on one control connection and helps users define various security policies in complex application scenarios. ASPF monitors the ports used by each application in each connection, opens a channel for session data to pass through the firewall, and closes the channel after the session is terminated. This mechanism controls the access of each application that uses dynamic ports.
• In multi-channel protocols, such as FTP, control channels are separate from data channels. Data channels are dynamically negotiated in control packets. To prevent data channels from being interrupted due to other rule restrictions (such as ACLs), one channel should be enabled temporarily. The server-map entry is the data structure designed to meet this need.
• FTP contains one TCP control channel with a known port and one TCP data channel that is dynamically negotiated. A common packet-filtering firewall does not know the data channel port number when a security policy is configured. Therefore, the data channel ingress cannot be determined. In this case, a proper security policy cannot be configured. ASPF resolves this problem. It detects application layer packets above the IP layer and dynamically creates and deletes the temporary server-map entry according to packet contents to allow packets to pass.
• As shown in the figure, the server-map entry is dynamically generated in the dynamic detection process of the FTP control channel. When a packet passes a firewall, ASPF matches the packet against the specified ACL. If the rule permits the packet to pass through the firewall, the packet is checked. Otherwise, the packet is directly discarded. If the packet is used to enable a new control or data connection, ASPF dynamically generates a server-map entry. The returned packet is allowed to pass through the firewall only when it belongs to one existing valid connection. When the returned packet is processed, the status table is updated. When a connection is disabled or expires, the status table of the connection is deleted and unauthorized packets cannot pass through the firewall. As a result, ASPF can properly protect networks in complex situations.
• Server-map entries are about mappings. If session data matches the dynamic server-map entry, the filtering policy does not need to be matched against, and such a mechanism ensures the proper transmission of special applications. In some cases, after the session data matches the server-map entry, the IP address and port in the packet are translated.
• Server-map entries are used to check only the first packet, and subsequent packets are forwarded based on the session.
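As an added example (not course or USG code), the Python model below shows the ASPF server-map mechanism for FTP that the last two slides describe: the inspector watches the control channel, decodes the data-channel address from a client PORT command (active mode) or a server 227 reply (passive mode), records a server-map entry for the connection that will follow, and lets the data connection's first packet through on that entry without a policy lookup, after which the flow lives on in the session table. Control lines, addresses and ports are constructed; the decision to honour only an address belonging to the side that announced it is an assumption of this model.

```python
import re
from dataclasses import dataclass

# Constructed control-channel lines and addresses. Simplified model of the ASPF behaviour
# described above (server-map entry created from the negotiated data channel, consumed by
# the data connection's first packet); not the USG's implementation.

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(h1, h2, h3, h4, p1, p2):
    """FTP encodes address and port as six decimal fields: a.b.c.d and p1*256+p2."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


@dataclass(frozen=True)
class ServerMap:
    initiator: str   # side that will open the data connection
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class AspfFtp:
    def __init__(self):
        self.server_maps = set()
        self.sessions = set()    # (src, dst, sport, dport) of admitted data connections

    def inspect_control(self, client_ip, server_ip, direction, line):
        """Inspect one control-channel line; return the server-map entry it created, if any."""
        if direction == "c2s":
            m = PORT_RE.match(line)          # active mode: client names its listening port
            if m:
                ip, port = decode_hostport(*m.groups())
                if ip != client_ip:
                    return None              # assumption: only honour the client's own address
                entry = ServerMap(initiator=server_ip, dst_ip=ip, dst_port=port)
                self.server_maps.add(entry)
                return entry
        elif direction == "s2c":
            m = PASV_RE.match(line)          # passive mode: server names its listening port
            if m:
                ip, port = decode_hostport(*m.groups())
                if ip != server_ip:
                    return None              # assumption: only honour the server's own address
                entry = ServerMap(initiator=client_ip, dst_ip=ip, dst_port=port)
                self.server_maps.add(entry)
                return entry
        return None

    def data_first_packet(self, src, dst, sport, dport, policy_permits):
        """Decide the first packet of a TCP data connection: a matching server-map entry
        admits it without a policy lookup; otherwise the security policy decides."""
        key = (src, dst, sport, dport)
        if key in self.sessions:
            return "forward"                 # subsequent packets use the session
        for entry in self.server_maps:
            if (entry.initiator, entry.dst_ip, entry.dst_port) == (src, dst, dport):
                self.server_maps.discard(entry)   # consumed once the data channel exists
                self.sessions.add(key)
                return "forward"
        if policy_permits:
            self.sessions.add(key)
            return "forward"
        return "drop"


def run_demo():
    fw = AspfFtp()
    client, server = "192.168.1.10", "10.1.1.5"
    out = {}
    # active mode: client announces 192.168.1.10:5001 (19*256+137); server connects to it
    e = fw.inspect_control(client, server, "c2s", "PORT 192,168,1,10,19,137")
    out["active_entry"] = (e.initiator, e.dst_ip, e.dst_port)
    out["active_data"] = fw.data_first_packet(server, client, 20, 5001, policy_permits=False)
    out["active_data_again"] = fw.data_first_packet(server, client, 20, 5001, policy_permits=False)
    # passive mode: server announces 10.1.1.5:10000 (39*256+16); client connects to it
    e = fw.inspect_control(client, server, "s2c", "227 Entering Passive Mode (10,1,1,5,39,16)")
    out["passive_entry"] = (e.initiator, e.dst_ip, e.dst_port)
    out["passive_data"] = fw.data_first_packet(client, server, 40001, 10000, policy_permits=False)
    # a PORT naming some other host creates no entry; an unrelated inbound connection
    # has no entry and is left to the policy, which here denies it
    out["foreign_port"] = fw.inspect_control(client, server, "c2s", "PORT 10,9,9,9,19,137")
    out["unrelated"] = fw.data_first_packet(server, client, 20, 6000, policy_permits=False)
    out["maps_left"] = len(fw.server_maps)
    return out
```

Note that after the data connection's first packet has consumed the entry, a repeat of the same connection is forwarded on the session rather than on the server-map, which matches the slide's point that server-map entries are consulted only for the first packet.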
• The control channel between the client and the server dynamically negotiates a data channel for the multi-channel protocol. Specifically, the port numbers at both communicating parties are not fixed. After the ASPF function is configured, the device identifies the negotiation of the control channel, and dynamically creates the server-map entry according to the address information in the key packet payload, to be queried when the data channel connection is initiated. The server-map entry contains the information about the data channel negotiated in the packets of the multi-channel protocol.
• For the QQ/MSN protocol, after the user logs in, the IP address and port of the user are fixed, but those of the other party that may initiate a session to the user are not. By configuring ASPF for traffic of the STUN type, the device records the IP address and port of the user when the QQ or MSN user connects to the server, and dynamically generates a server-map entry of the STUN type. The server-map entry contains only triplet information: the IP address, port number, and protocol number of one communication party. In this way, other users can directly use the IP address and port to communicate with this user.
• When NAT Server is configured, the external network user initiates an access request to the internal server. The IP address and port number of the user are uncertain, but the IP address of the internal server and the port number of the provided service are certain.
• Therefore, after the NAT server is configured, the device automatically generates the server-map entry to save the mapping between the public and private IP addresses. The device translates the IP address of the packet and forwards the packet according to the mapping. The NAT server generates static server-map entries for traffic in both directions. With SLB, multiple servers share one IP address, and the IP address is advertised to external networks. In such a situation, similar server-map entries also need to be established, but one entry is created for the outgoing traffic and multiple entries need to be created for the incoming traffic.
• When NAT is configured and No-PAT parameters are specified, the device implements one-to-one mapping between private and public IP addresses without port translation. At this time, all ports of intranet IP addresses are mapped to those of public IP addresses. External network users can proactively initiate connections to any ports of internal users. Therefore, the device creates a server-map table to save the mapping between the internal and external IP addresses. Based on the mapping, the device translates the IP addresses before forwarding packets.
• Port identification is also called port mapping, which is used by firewalls to identify application-layer protocol packets that use non-standard ports. Port mapping supports FTP, HTTP, RTSP, PPTP, MGCP, MMS, SMTP, H.323, SIP, and SQLNET.
• Port identification is based on ACLs. Port mapping is valid for the packets that match an ACL. Port mapping uses basic ACLs (with numbers ranging from 2000 to 2999). When port mapping uses ACLs to filter packets, the destination IP addresses of packets are matched against the source IP addresses configured in the basic ACLs.
• An ACL includes a series of ordered rule groups. A rule contains the source address, destination address, and port number of a packet. An ACL classifies packets using rules. When the rules are applied to a router, the router determines the packets to be received and rejected.
• ACLs can be classified as follows:
    • Basic ACLs (with numbers ranging from 2000 to 2999): match traffic only based on the source IP address and time period, applicable in easy matching.
    • Advanced ACLs (with numbers ranging from 3000 to 3999): match traffic based on the source IP address, destination IP address, ToS, time period, protocol type, priority, ICMP packet type, and ICMP packet codes. Advanced ACLs have wide applications.
    • MAC address-based ACLs (with numbers ranging from 4000 to 4999): match traffic based on the source MAC address, destination MAC address, CoS, and protocol code.
    • Hardware-based ACLs (with numbers ranging from 9000 to 9499) are those used by interfaces to filter packets based on hardware. Hardware-based filtering is much faster than software-based filtering and consumes fewer system resources. Hardware-based ACLs can use the source IP address, destination IP address, source MAC address, destination MAC address, CoS, and the protocol to filter packets.
• Port mapping takes effect only on inter-trusted zone data. Therefore, when configuring port mapping, configure the trusted zone and security interzone.
• Question: What is the application system that an ACL is used to match?
• When a network device transmits a packet, if the MTU configured on the device is shorter than the packet length, the packet is fragmented and then transmitted. In the ideal case, fragmented packets are transmitted on the network in order. After receiving all fragments, the terminal device reassembles them into a complete packet.
• During actual transmission, the first fragment may not be the first one to arrive at the firewall. In this case, the firewall discards this series of fragments. By default, the fragment cache function of the firewall is enabled. The firewall saves fragments that arrive before the first fragment in the buffer and forwards them after the first fragment arrives. If the firewall does not receive the first fragment before an interval expires, the firewall discards the cached fragments.
• In VPN scenarios (such as IPsec and GRE), the device needs to perform decryption or decapsulation after reassembling fragments, before performing the next processing operations. Therefore, the fragment cache function needs to be enabled. In NAT scenarios, the device needs to reassemble fragments before parsing and translating the IP address. Therefore, the fragment cache function needs to be enabled too.
• The direct fragment forwarding function is used when NAT is not required. After the function is enabled, the firewall forwards a fragment on receiving it without creating a session.
• Configure the aging time of the fragment hash:
    firewall session aging-time fragment interval (1-40000)
• Enable/disable the direct fragment forwarding function:
    firewall fragment-forward enable/disable
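The fragment cache behaviour on this slide, as an added Python model (not course or USG code): non-first fragments that arrive ahead of the first fragment are held, the first fragment (which carries the transport header the policy check needs) releases everything cached for that datagram, later fragments of an admitted datagram are forwarded directly, and cached fragments whose first fragment never arrives are discarded when the aging interval expires. The fragments, addresses and the 30-second interval are constructed; the interval plays the role of the `firewall session aging-time fragment` value.

```python
# Constructed fragments. Simplified model of the fragment cache described above
# (cache non-first fragments until the first fragment arrives, drop them on timeout);
# not the USG's implementation.


class FragmentCache:
    def __init__(self, timeout):
        self.timeout = timeout        # stands in for the "firewall session aging-time fragment" interval
        self.pending = {}             # (src, dst, ident) -> [time cached, [fragments]]
        self.admitted = set()         # datagrams whose first fragment passed the check

    def receive(self, frag, now):
        """Handle one fragment (dict with src, dst, ident, offset, more).
        Returns the list of fragments forwarded as a result."""
        key = (frag["src"], frag["dst"], frag["ident"])
        if frag["offset"] == 0:
            # first fragment: carries the transport header, so the policy/session check
            # happens here; then everything cached for this datagram is released
            self.admitted.add(key)
            queued = self.pending.pop(key, [now, []])[1]
            return [frag] + queued
        if key in self.admitted:
            return [frag]             # first fragment already seen: forward directly
        self.pending.setdefault(key, [now, []])[1].append(frag)
        return []                     # hold until the first fragment arrives

    def expire(self, now):
        """Drop cached fragments whose first fragment has not arrived within the timeout.
        Returns the number of fragments discarded."""
        dropped = 0
        for key, (cached_at, frags) in list(self.pending.items()):
            if now - cached_at > self.timeout:
                dropped += len(frags)
                del self.pending[key]
        return dropped


def fragment(ident, offset, more):
    """Constructed fragment of a datagram from 192.168.1.10 to 10.1.1.5."""
    return {"src": "192.168.1.10", "dst": "10.1.1.5", "ident": ident,
            "offset": offset, "more": more}


def run_demo():
    cache = FragmentCache(timeout=30)
    log = []
    # datagram 1 arrives out of order: the first fragment comes third
    log.append(len(cache.receive(fragment(1, 1480, True), now=0)))    # cached
    log.append(len(cache.receive(fragment(1, 2960, True), now=1)))    # cached
    log.append(len(cache.receive(fragment(1, 0, True), now=2)))       # first: releases 3
    log.append(len(cache.receive(fragment(1, 4440, False), now=3)))   # forwarded directly
    # datagram 2: only a non-first fragment ever arrives
    log.append(len(cache.receive(fragment(2, 1480, False), now=10)))  # cached
    log.append(cache.expire(now=20))                                  # still within 30 s
    log.append(cache.expire(now=41))                                  # timed out: 1 dropped
    return log
```

The returned list is the count of fragments forwarded (or, for the two expire calls, discarded) at each step; the bounded aging interval is what keeps a never-completed datagram from holding buffer memory indefinitely.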
• To protect the network, the default aging time for various sessions on the device is relatively short, that is, only several minutes. When the interval between two subsequent packets of a TCP session reaching the device is longer than the aging time of the session, the device deletes the corresponding session information from the session table. When the following packets reach the device, it discards these packets according to the transmission mechanism, which leads to a disconnection.
• In certain actual applications, the interval between two subsequent packets of a TCP session needs to be long enough. To meet such a need, configure the long link function on the firewall in the trusted zone. You can configure the aging time of the long link for the packets that match the ACL rule. By default, the aging time is 168 hours.
• The long link function on the firewall takes effect only on TCP packets.
• When the state detection mechanism is disabled, sessions can be created for non-first fragments. In this situation, the long link function is no longer needed.
• To set the aging time of the long link, run the firewall long-link aging-time time command.
• To enable the long link function, run the following commands:
    firewall interzone [ vpn-instance vpn-instance-name ] zone-name1 zone-name2
    long-link acl-number { inbound | outbound }
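The session aging behaviour described on this slide, as an added Python model (not course or USG code): a session records its aging time when its first packet creates it, a packet that arrives after the session has idled longer than that time finds no session and is dropped, and TCP flows selected by the long-link ACL get the 168-hour aging time instead of the default. The default TCP aging time of 10 minutes, the flows and the ACL (a set of destination address and port pairs standing in for `long-link acl-number`) are assumptions of this model; the 168-hour default is the page's value.

```python
# Constructed flows. Simplified model of TCP session aging and the long-link override
# described above. DEFAULT_TCP_AGING is an assumption ("several minutes" on the page);
# the 168-hour long-link default is the page's value. Not the USG's implementation.

DEFAULT_TCP_AGING = 10 * 60       # seconds; assumed default aging time of a TCP session
LONG_LINK_AGING = 168 * 3600      # seconds; default long-link aging time (168 hours)


class SessionAger:
    def __init__(self, long_link_acl):
        # long_link_acl: set of (dst_ip, dst_port) standing in for the ACL referenced by
        # "long-link acl-number"; only TCP flows can become long links
        self.long_link_acl = long_link_acl
        self.sessions = {}            # quintuple -> [aging_time, last_seen]
        self.aged_out = []            # quintuples deleted because they idled too long

    def packet(self, quintuple, now):
        """Return "forward" or "drop" for one packet of a flow at time `now` (seconds)."""
        src, dst, sport, dport, proto = quintuple
        entry = self.sessions.get(quintuple)
        if entry is not None:
            aging, last_seen = entry
            if now - last_seen > aging:
                # idle longer than the aging time: the session has been deleted, so this
                # mid-stream packet has no session and is discarded
                del self.sessions[quintuple]
                self.aged_out.append(quintuple)
                return "drop"
            entry[1] = now            # refresh the session on every packet
            return "forward"
        # first packet: pick the aging time the flow will live with
        is_long_link = proto == "tcp" and (dst, dport) in self.long_link_acl
        self.sessions[quintuple] = [LONG_LINK_AGING if is_long_link else DEFAULT_TCP_AGING, now]
        return "forward"


def run_demo():
    # a database connection that stays idle for hours is selected as a long link (constructed)
    ager = SessionAger(long_link_acl={("10.1.1.5", 1521)})
    db = ("192.168.1.10", "10.1.1.5", 40000, 1521, "tcp")
    web = ("192.168.1.10", "10.1.1.5", 40001, 80, "tcp")
    hour = 3600
    verdicts = [
        ager.packet(db, 0),
        ager.packet(web, 0),
        ager.packet(web, 1 * hour),            # idle 1 h > 10 min: session gone, dropped
        ager.packet(db, 1 * hour),             # idle 1 h < 168 h: forwarded
        ager.packet(db, 101 * hour),           # idle 100 h: still forwarded
        ager.packet(db, 270 * hour),           # idle 169 h > 168 h: dropped
    ]
    return verdicts, len(ager.aged_out)
```

The contrast between the two flows is the point of the long-link function: the web session dies after an hour of silence under the default aging time, while the database session survives a 100-hour gap but not a 169-hour one.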
• The NGFW compares the attributes with the conditions defined in the first security policy. If all the conditions are met, the traffic matches the policy. If one or more conditions are not met, the NGFW compares the traffic attributes with the conditions defined in the next policy. If no policy is matched, the NGFW denies the traffic by default.
• The NGFW processes the passing traffic as follows:
    1. The NGFW analyzes traffic and retrieves the attributes, including the source security zone, destination security zone, source IP address, source region, destination IP address, destination region, service (source port, destination port, and protocol type), application and schedule.
    2. The NGFW compares the attributes with the conditions defined in the first security policy. If all the conditions are met, the traffic matches the policy. If one or more conditions are not met, the NGFW compares the traffic attributes with the conditions defined in the next policy. If no policy is matched, the NGFW denies the traffic by default.
    3. If the traffic matches a policy, the NGFW performs the defined action over the traffic. If the action is deny, the NGFW blocks the traffic. If the action is permit, the NGFW checks whether certain profiles are referenced in the policy. If yes, go to step 4. If no, the traffic is permitted.
    4. If certain profiles are referenced in the policy and the action defined in the policy is permit, the NGFW performs integrated checks on the content carried over the traffic.
    5. The integrated check inspects the content carried over the traffic based on the conditions defined in the referenced profiles and implements appropriate actions based on the check result. If any profile determines to block the traffic, the NGFW blocks the traffic. If all profiles determine to permit the traffic, the NGFW allows the traffic through.
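The five-step matching sequence above, together with the earlier interzone/intrazone policy description and the later note that the topmost rule is matched first, as an added Python model (not course or NGFW code): rules are evaluated in order, all configured conditions of a rule must hold for it to match, a deny rule blocks at once, a permit rule with referenced profiles runs every profile and blocks if any of them does, and traffic that matches no rule is denied by default. The rules, traffic attributes, hours and the two stand-in profiles (an antivirus and an IPS profile driven by constructed content flags) are assumptions of this model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed rules, traffic and profiles. Simplified model of the matching sequence
# described above (ordered rules, first match wins, default deny, profiles only on permit),
# not the NGFW's implementation.


@dataclass
class Traffic:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: tuple            # (protocol, destination port)
    application: str          # what application identification determined
    user: str
    hour: int                 # for the schedule condition
    content: frozenset = frozenset()   # what content inspection would find, e.g. {"virus"}


@dataclass
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    src_zone: Optional[str] = None       # None = any
    dst_zone: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    service: Optional[tuple] = None
    application: Optional[str] = None
    user: Optional[str] = None
    schedule: Optional[range] = None     # hours of the day in which the rule applies
    profiles: tuple = ()                 # referenced content-security profiles

    def matches(self, t):
        """All configured conditions must hold; unset conditions match anything."""
        return (self.src_zone in (None, t.src_zone)
                and self.dst_zone in (None, t.dst_zone)
                and (self.src_net is None or ip_address(t.src_ip) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(t.dst_ip) in ip_network(self.dst_net))
                and self.service in (None, t.service)
                and self.application in (None, t.application)
                and self.user in (None, t.user)
                and (self.schedule is None or t.hour in self.schedule))


# Each profile inspects the content and returns "block" or "permit" (constructed stand-ins).
PROFILES = {
    "av": lambda t: "block" if "virus" in t.content else "permit",
    "ips": lambda t: "block" if "intrusion" in t.content else "permit",
}


def evaluate(rules, t):
    """Return (rule name, verdict) for the traffic."""
    for rule in rules:
        if not rule.matches(t):
            continue                              # try the next policy
        if rule.action == "deny":
            return rule.name, "deny"
        for name in rule.profiles:                # permit with profiles: integrated check
            if PROFILES[name](t) == "block":
                return rule.name, f"blocked by {name}"
        return rule.name, "permit"
    return "default", "deny"                      # no policy matched


# Most specific first, as the configuration guidance on the following slides recommends.
POLICY = [
    Rule("deny_marketing_to_finance", "deny", src_net="10.0.2.0/24", dst_net="10.0.1.0/24"),
    Rule("web_inspected", "permit", src_zone="trust", dst_zone="untrust",
         service=("tcp", 80), application="http", schedule=range(8, 19),
         profiles=("av", "ips")),
    Rule("dns_out", "permit", src_zone="trust", dst_zone="untrust", service=("udp", 53)),
]


def run_demo():
    web = Traffic("trust", "untrust", "10.0.1.20", "203.0.113.10", ("tcp", 80), "http", "alice", 10)
    return {
        "web_clean": evaluate(POLICY, web),
        "web_virus": evaluate(POLICY, replace(web, content=frozenset({"virus"}))),
        "web_after_hours": evaluate(POLICY, replace(web, hour=22)),
        # same protocol and port, but application identification says web IM, not plain HTTP
        "im_over_http": evaluate(POLICY, replace(web, application="web-im")),
        "marketing_to_finance": evaluate(
            POLICY, Traffic("trust", "trust", "10.0.2.5", "10.0.1.8", ("tcp", 445), "smb", "bob", 10)),
    }
```

The `im_over_http` case is the application-level distinction the next slide mentions: two flows with identical quintuples can still hit different rules once the application attribute is part of the match, and a flow that matches nothing falls through to the default deny.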
• Compared with the security policies of the traditional firewall, the security policies of the next generation firewall:
    • Distinguish among employees of different departments based on users.
    • Distinguish among various applications carried over the same protocol. For example, distinguish between web-based IM and online gaming traffic carried over HTTP.
    • Implement content security checks to block viruses and hacker intrusions.
• The flowchart shows how to configure a forwarding policy.
    1. Determine how to create security zones and assign interfaces to them.
    2. Classify employees by source IP address or user.
    3. Use security policies to determine the permissions of user groups and then those of privileged users. You must specify the source security zones and addresses of users, destination security zones and addresses of users, services and applications that the users can access, and time ranges in which the policies take effect.
    4. Determine which types of traffic need content security inspection and what items need to be inspected.
    5. List the parameters in the security policies, sort the policies from the most specific to the least specific, and configure the security policies in this order.
• The topmost security policy rule has the highest priority and is matched first. The security policy configured first ranks topmost and has the highest priority, unless you manually adjust the priority. You can use the rule move command to move a security policy rule to change its priority.
• The specified source security zone must exist. You can add or delete a maximum of six security zones at a time.
• Description of the parameters of the source-address and destination-address commands:
    • address-set: Specifies the name of an address or address group.
    • ipv4-address: Specifies the IPv4 address. The value is in dotted decimal notation.
    • ipv4-mask-length: Specifies the mask length of an IPv4 address, ranging from 1 to 32.
    • mask: Specifies the mask of an IPv4 address. The value is in dotted decimal notation.
    • wildcard: Specifies the wildcard of an IPv4 address.
    • range: Indicates the address range.
    • geo-location: Specifies the name of a region.
    • mac-address: Specifies the MAC address.
    • any: Indicates any source address.
• Examples for setting the source address in the security policy rule view:
    [sysname-policy-security-rule-policy_sec] source-address 1.1.1.1 24
    [sysname-policy-security-rule-policy_sec] source-address 192.168.0.1 0.0.0.255
    [sysname-policy-security-rule-policy_sec] source-address geo-location BeiJing
    [sysname-policy-security-rule-policy_sec] source-address address-set ip_deny
    [sysname-policy-security-rule-policy_sec] source-address range 192.168.2.1 192.168.2.10
    [sysname-policy-security-rule-policy_sec] source-address any
o m
e i.c
aw
u
g .h
ni n
ar
//le
p :
t t
s :h
r c e
ou
es
R
n g
r ni
e a
e L
or
M
n
/e
o m
e i.c
aw
u
g.h
ni n
ar
//le
p :
 192.168.10.0 0.0.0.255: indicates a network segment (the wildcard 0.0.0.255 ignores the last octet).
 192.168.10.1 0: indicates a single IP address (the wildcard 0 means every bit must match).
 Question: In which situation is the 0.255.0.255 wildcard mask used? What are the function and meaning of the wildcard mask?
 In a wildcard mask, a 0 bit means that the corresponding address bit must match and a 1 bit means that it is ignored. The mask 0.255.0.255 therefore matches only the first and third octets of an IP address; the second and fourth octets may hold any value. It is used to select, in a single rule, hosts that share those two octets across many subnets (for example, every address of the form 10.x.20.y).
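The following Python example, added here and not part of the original training material, implements wildcard-mask matching so that the 0.0.0.255, 0 and 0.255.0.255 cases above can be checked against real addresses; the function names are illustrative and the address/wildcard pairs come from the examples on this page.

```python
"""Wildcard-mask matching for security-policy address conditions.

Added example, not from the original training material. A wildcard mask is the
inverse of a subnet mask: a 0 bit means "this address bit must match", a 1 bit
means "ignore this bit". The function names are illustrative assumptions.
"""
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _wildcard_int(wildcard: str) -> int:
    """Accept the dotted form (0.0.0.255) or the bare CLI shorthand "0" (= 0.0.0.0)."""
    return int(wildcard) if "." not in wildcard else _to_int(wildcard)


def wildcard_match(address: str, rule_address: str, wildcard: str) -> bool:
    """True if `address` matches `rule_address` under `wildcard`.

    Only the bits that are 0 in the wildcard are compared. A wildcard of 0 is an
    exact host match; 0.0.0.255 matches the /24 segment; 255.255.255.255 is any.
    """
    care = (~_wildcard_int(wildcard)) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(rule_address) & care)


def matched_octets(wildcard: str) -> list:
    """1-based positions of the octets that must match exactly (wildcard octet == 0)."""
    w = _wildcard_int(wildcard)
    return [i + 1 for i in range(4) if ((w >> (24 - 8 * i)) & 0xFF) == 0]


def explain(rule_address: str, wildcard: str) -> str:
    """Human-readable meaning of an address/wildcard pair."""
    w = _wildcard_int(wildcard)
    if w == 0:
        return f"host {rule_address}"
    if w == 0xFFFFFFFF:
        return "any address"
    return (f"{rule_address} {wildcard}: octets {matched_octets(wildcard)} "
            f"must match, the rest are ignored")


if __name__ == "__main__":
    print(explain("192.168.10.0", "0.0.0.255"))   # network segment
    print(explain("192.168.10.1", "0"))           # single host
    print(explain("10.0.20.0", "0.255.0.255"))    # octets [1, 3] must match
    for probe in ("10.1.20.1", "10.99.20.250", "10.1.21.1"):
        print(probe, wildcard_match(probe, "10.0.20.0", "0.255.0.255"))
```

Note that 0.255.0.255 is not a contiguous mask, so it cannot be written as a mask length; the wildcard form is the only way to express it in a rule.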
 To simplify configuration and maintenance, the firewall supports address sets and service sets, which also improve rule readability.
 When the source or destination IP address is used to control traffic, consecutive or non-consecutive addresses can be added to an address set, and the policy or rule then references the address set.
 When the service type (port or protocol) is used to control traffic, you can reference a predefined service set or customize a service set based on port information for the policy or rule. Predefined service sets are the default service sets available on the system and correspond to well-known protocols such as HTTP, FTP, and Telnet. Customized service sets are defined by network administrators by specifying port information or a combination of existing service sets.
 Address sets and service sets support two types: object and group. When the type is group, other address sets or service sets can be added as members.
 If you want to match or control traffic only during a specified period, you can use a time range-based ACL.
 Network applications are generally opened according to time ranges. For example, some ports of a server are not open during working hours, and some LAN users are not allowed to access the Internet during working hours. The ACLs described previously do not support such a requirement, but time range-based ACLs do: they restrict the effective time of an ACL. Before you define an ACL based on a time range, define the time range on the firewall.
 The action command configures the action of the security policy rule.
 permit: Indicates that traffic matching the rule is permitted.
 deny: Indicates that traffic matching the rule is denied.
 A time range can be expressed as an absolute time range (specifying the start and end dates) or a periodic time range (for example, Monday, Tuesday, or working days).
 Example of period-range configuration:
[sysname] time-range test
[sysname-time-range-test] period-range 8:00:00 to 18:00:00 working-day
 Example of absolute-range configuration:
[sysname] time-range test
[sysname-time-range-test] absolute-range 8:00:00 2013/05/01 to 10:00:00 2013/08/01
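The Python example below is an added illustration, not code from the original training material, of how the two time-range forms above are evaluated when a rule is matched. The class and method names, the Monday-to-Friday meaning of working-day and the exclusive end instant are assumptions that the page does not state.

```python
"""Evaluating time-range conditions as used in time range-based ACLs.

Added example, not part of the original training material. It models the two
forms shown on the page: a periodic range (period-range 8:00:00 to 18:00:00
working-day) and an absolute range (absolute-range 8:00:00 2013/05/01 to
10:00:00 2013/08/01). Assumptions: working-day means Monday to Friday, and the
end instant of a range is exclusive.
"""
from datetime import datetime

WORKING_DAY = frozenset({0, 1, 2, 3, 4})          # datetime.weekday(): Monday=0 .. Friday=4
DAILY = frozenset(range(7))
TIMESTAMP_FMT = "%Y/%m/%d %H:%M:%S"               # used by the string-based helpers below


def _hms(text: str):
    return datetime.strptime(text, "%H:%M:%S").time()   # strptime accepts "8:00:00"


class TimeRange:
    """A named time range with periodic and absolute members; active if any member matches."""

    def __init__(self, name: str):
        self.name = name
        self.periodic = []   # (start_time, end_time, weekdays)
        self.absolute = []   # (start_datetime, end_datetime)

    def period_range(self, start: str, end: str, days=WORKING_DAY):
        self.periodic.append((_hms(start), _hms(end), frozenset(days)))
        return self

    def absolute_range(self, start: str, end: str):
        fmt = "%H:%M:%S %Y/%m/%d"   # same field order as the CLI: 8:00:00 2013/05/01
        self.absolute.append((datetime.strptime(start, fmt), datetime.strptime(end, fmt)))
        return self

    def is_active(self, at: datetime) -> bool:
        for start, end, days in self.periodic:
            if at.weekday() in days and start <= at.time() < end:
                return True
        for start, end in self.absolute:
            if start <= at < end:
                return True
        return False

    def is_active_at(self, text: str) -> bool:
        """Convenience wrapper taking 'YYYY/MM/DD HH:MM:SS'."""
        return self.is_active(datetime.strptime(text, TIMESTAMP_FMT))


def policy_action(rule_action: str, time_range: TimeRange, at_text: str) -> str:
    """A rule bound to a time range takes part in matching only while the range is active.

    Outside the range the rule is skipped; with no other matching rule the default
    policy (deny) applies.
    """
    if time_range.is_active_at(at_text):
        return rule_action
    return "deny (rule inactive, default policy)"


if __name__ == "__main__":
    work = TimeRange("test").period_range("8:00:00", "18:00:00")
    print(policy_action("permit", work, "2024/01/10 09:00:00"))   # Wednesday, in range
    print(policy_action("permit", work, "2024/01/13 09:00:00"))   # Saturday, out of range
```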
 The device identifies traffic attributes and matches them against the security policy conditions. If all the conditions are met, the traffic matches the policy, and the device applies the matched security policy.
 If the action is permit, the device inspects the traffic content. If the traffic passes the security inspection, it is allowed through; otherwise, it is denied.
 If the action is deny, the traffic is denied.
 Default security zones cannot be deleted, and their security levels cannot be reset. You can create security zones and specify their security levels as needed.
 Steps for creating a security zone:
1. Choose Network > Zone.
2. Click Add.
3. Set the security zone parameters.
4. Click Apply.
 Configuring an address or address group using the web UI:
1. Choose Object > Address > Address (or Address Group).
2. Click Add and set the parameters.
3. Click OK to view the created address or address group object.
 Configuring a region using the web UI:
1. Choose Object > Region > Region.
2. Click Add and set the parameters.
3. Click OK.
 Predefined services use ports to define well-known protocols. Predefined services cannot be deleted.
 Configuring a service using the web UI (the configuration of a service group is similar):
1. Choose Object > Service > Service.
2. Click Add and set the parameters.
3. Click OK.
 Configuring an application using the web UI:
1. Choose Object > Application > Application.
2. Click Add and set the parameters.
3. Click OK.
 Configuring a schedule using the web UI:
1. Choose Object > Schedule.
2. Click Add.
3. In Name, enter the name of the schedule list.
4. Create a schedule member.
5. Click OK.
 Configuring a security policy using the web UI:
1. Choose Policy > Security Policy > Security Policy.
2. Click Add.
3. Configure the name and description of the security policy.
4. Define the match conditions of the security policy.
5. Configure the action of the security policy.
6. Configure the profiles.
7. Click OK to complete the application of the security policy.
 The roadmap is as follows:
1. Plan the forwarding policy. Two forwarding policies need to be configured. First configure a forwarding policy that denies Internet access for the PCs at 192.168.5.2, 192.168.5.3, and 192.168.5.6, and then configure another forwarding policy that permits Internet access for the whole network segment. If you reverse the configuration sequence, 192.168.5.2, 192.168.5.3, and 192.168.5.6 match the forwarding policy that permits Internet access for the whole network segment and are never matched against the deny policy.
2. Plan the address set. When IP addresses are used to control access, you can specify these addresses as filtering conditions. If the addresses are consecutive, you can specify the address segment in the policy. If the addresses are non-consecutive, configure an address set. An address set facilitates management and can be reused by other policies. In this example, configuring an address set is recommended.
3. Configure forwarding policies to control Internet access.
 Configure address set ip_deny, and add the denied IP addresses to the address set.
[sysname] ip address-set ip_deny type object
[sysname-object-address-set-ip_deny] address 0 192.168.5.2 0
[sysname-object-address-set-ip_deny] address 1 192.168.5.3 0
[sysname-object-address-set-ip_deny] address 2 192.168.5.6 0
 Configure an address group named ip_deny and add the IP addresses that are not permitted to access the Internet to the address group.
1. Choose Object > Address > Address.
2. Click Add and set the parameters.
3. Click OK to view the created address or address group object.
 Configure a security policy that denies Internet access for users whose IP addresses are in the ip_deny address group.
 Configure another security policy that permits users on network segment 192.168.5.0/24 to access the Internet.
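To make the ordering point of the roadmap concrete, the following Python model (an added example, not code from the original training material or from Huawei) evaluates the deny and permit policies above in both orders against the ip_deny address set, and shows a rule_move re-ordering restoring the intended result. The Rule and PolicyTable names, the zone names and the default-deny fallback are illustrative assumptions.

```python
"""First-match security policy evaluation with address sets.

Added example, not code from the original material or from Huawei. Models the
roadmap on the page: address set ip_deny with three hosts, one policy denying
those hosts and one permitting the whole 192.168.5.0/24 segment. Names such as
Rule, PolicyTable and evaluate are illustrative; the rule data is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Address sets: name -> set of networks/hosts (constructed sample data).
ADDRESS_SETS: Dict[str, Set[ipaddress.IPv4Network]] = {
    "ip_deny": {
        ipaddress.ip_network("192.168.5.2/32"),
        ipaddress.ip_network("192.168.5.3/32"),
        ipaddress.ip_network("192.168.5.6/32"),
    },
}


@dataclass
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    source_zone: str
    destination_zone: str
    # Entries are a literal prefix ("192.168.5.0/24"), "address-set <name>", or "any".
    source_address: List[str] = field(default_factory=lambda: ["any"])

    def _source_matches(self, ip: ipaddress.IPv4Address) -> bool:
        for entry in self.source_address:
            if entry == "any":
                return True
            if entry.startswith("address-set "):
                nets = ADDRESS_SETS[entry.split(" ", 1)[1]]
            else:
                nets = {ipaddress.ip_network(entry, strict=False)}
            if any(ip in net for net in nets):
                return True
        return False

    def matches(self, src_zone: str, dst_zone: str, src_ip: str) -> bool:
        return (self.source_zone == src_zone and self.destination_zone == dst_zone
                and self._source_matches(ipaddress.ip_address(src_ip)))


class PolicyTable:
    """Ordered rule list: the topmost matching rule decides, later rules are never consulted."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def rule_move(self, name: str, before: str) -> None:
        """Re-order an existing rule (the CLI's rule move) instead of re-creating it."""
        rule = next(r for r in self.rules if r.name == name)
        self.rules.remove(rule)
        index = next(i for i, r in enumerate(self.rules) if r.name == before)
        self.rules.insert(index, rule)

    def evaluate(self, src_zone: str, dst_zone: str, src_ip: str) -> str:
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone, src_ip):
                return f"{rule.action} by {rule.name}"
        return "deny by default"   # nothing matched: the default policy denies


DENY_HOSTS = Rule("deny_internet", "deny", "trust", "untrust", ["address-set ip_deny"])
PERMIT_SEGMENT = Rule("permit_internet", "permit", "trust", "untrust", ["192.168.5.0/24"])

CORRECT_ORDER = PolicyTable([DENY_HOSTS, PERMIT_SEGMENT])   # specific before general
REVERSED_ORDER = PolicyTable([PERMIT_SEGMENT, DENY_HOSTS])  # general first: deny never reached

if __name__ == "__main__":
    for ip in ("192.168.5.2", "192.168.5.10", "10.0.0.1"):
        print(ip, "|", CORRECT_ORDER.evaluate("trust", "untrust", ip),
              "|", REVERSED_ORDER.evaluate("trust", "untrust", ip))
```

The same first-match logic applies to NAT policy rules, which is why a no-nat exception rule also has to precede the general rule that performs NAT.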
 The stateful inspection mechanism inspects and forwards packets by flow. Only the first packet of a flow is inspected against the packet filtering rules, and the result is recorded as part of the state information of the flow. The subsequent packets of the flow are forwarded, further inspected for content security, or discarded based on the state of the flow. The "state" is the session entry.
 In a multi-channel protocol such as FTP, the control channel is separated from the data channel, and the data channel is dynamically negotiated through control packets. To prevent the negotiated data channel from being blocked by rules (such as an ACL), a temporary channel is needed. The server-map entry is the data structure designed for this purpose. Temporary server-map entries are dynamically created and deleted based on the application-layer information in packets, and are used to permit or deny the first packet of the negotiated channel. After the data channel is established, its packets are forwarded based on the session entry.
 The header of the first fragment differs from that of subsequent fragments: the first fragment carries a fragment offset of 0 with the More Fragments (MF) flag set and is the only fragment that contains the transport-layer header (ports), whereas subsequent fragments carry a non-zero fragment offset (the last fragment with MF cleared).
 If the first fragment arrives first, the device checks it against the packet filtering rules, creates a session entry based on the result, and forwards or discards the subsequent fragments based on the session entry.
 If the first fragment is not the first to arrive, the device caches the fragments that have arrived in a hash table, establishes the connection when the first fragment arrives, and then forwards all fragments. If the first fragment does not arrive within the specified period, the firewall discards all cached fragments.
 Port identification, also known as port mapping, is used by firewalls to identify application-layer protocol packets that do not use standard ports and to map the non-standard ports to the identifiable application protocol. The application-layer protocols supported by port mapping include FTP, HTTP, RTSP, PPTP, MGCP, MMS, SMTP, H.323, SIP, and SQLNET. Port mapping applies only to data flows between security zones; therefore, security zones and interzones must be configured when port mapping is configured.
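The Python model below is an added example, not code from the original training material or from Huawei, of the session-table and server-map behaviour described above, using an FTP active-mode exchange as constructed sample traffic: the first packet is checked against the rules, later packets in both directions hit the session entry, and the data channel announced in the PORT command is opened through a temporary server-map entry although no static rule permits it. Class and method names are assumptions; fragment reassembly is not modelled.

```python
"""Stateful inspection: first-packet rule check, session entries, server-map.

Added example, not from the original training material or from Huawei. Only the
first packet of a flow is checked against the packet-filtering rules and the
result becomes a session entry; later packets in either direction are handled by
the session entry; for a multi-channel protocol (FTP active mode) the data channel
negotiated in the control channel's PORT command is pre-authorised through a
temporary server-map entry. All names and packets are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class Packet:
    def __init__(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int, payload: bytes = b""):
        self.key: FiveTuple = (proto, src_ip, src_port, dst_ip, dst_port)
        self.payload = payload

    @property
    def reverse_key(self) -> FiveTuple:
        proto, s_ip, s_port, d_ip, d_port = self.key
        return (proto, d_ip, d_port, s_ip, s_port)


class StatefulFirewall:
    def __init__(self, rules: List[Tuple[str, str, str, int]]):
        # rules: (action, proto, dst_ip, dst_port); "any" / 0 are wildcards; first match wins
        self.rules = rules
        self.sessions: Dict[FiveTuple, str] = {}             # forward 5-tuple -> action
        self.server_map: List[Tuple[str, str, int]] = []    # (proto, dst_ip, dst_port) pre-authorised

    def _rule_lookup(self, key: FiveTuple) -> str:
        proto, _, _, dst_ip, dst_port = key
        for action, r_proto, r_ip, r_port in self.rules:
            if r_proto == proto and r_ip in (dst_ip, "any") and r_port in (dst_port, 0):
                return action
        return "deny"                       # implicit default: nothing matched

    def _learn_data_channel(self, pkt: Packet) -> None:
        """ASPF-style payload inspection of a permitted control channel (FTP PORT)."""
        m = PORT_CMD.match(pkt.payload)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            self.server_map.append(("tcp", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))

    def handle(self, pkt: Packet) -> str:
        # 1) Packets of an existing flow (either direction): the session decides, no rule lookup.
        if pkt.key in self.sessions:
            self._learn_data_channel(pkt)   # content inspection continues on session packets
            return f"{self.sessions[pkt.key]} (session)"
        if pkt.reverse_key in self.sessions:
            return f"{self.sessions[pkt.reverse_key]} (session, reply)"
        # 2) First packet of a new flow: a server-map entry opens the negotiated channel
        #    even though no static rule permits it; the temporary entry is consumed once used.
        proto, _, _, dst_ip, dst_port = pkt.key
        if (proto, dst_ip, dst_port) in self.server_map:
            self.server_map.remove((proto, dst_ip, dst_port))
            self.sessions[pkt.key] = "permit"
            return "permit (server-map)"
        # 3) Otherwise the packet-filtering rules decide, and a permit becomes a session entry.
        action = self._rule_lookup(pkt.key)
        if action == "permit":
            self.sessions[pkt.key] = action
            self._learn_data_channel(pkt)
        return f"{action} (rule)"


if __name__ == "__main__":
    fw = StatefulFirewall([("permit", "tcp", "203.0.113.21", 21)])   # only FTP control is allowed
    print(fw.handle(Packet("tcp", "192.168.1.2", 1084, "203.0.113.21", 21)))
    print(fw.handle(Packet("tcp", "192.168.1.2", 1084, "203.0.113.21", 21, b"PORT 192,168,1,2,4,60\r\n")))
    print(fw.handle(Packet("tcp", "203.0.113.21", 20, "192.168.1.2", 1084)))   # data channel from server
```

Without the server-map step the server's connection to 192.168.1.2:1084 would fall through to the rules and be denied, which is exactly the active-mode FTP failure the text describes.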
 In the early 1990s, RFC documents already stated that IPv4 addresses might be exhausted. With the increasing number of TCP/IP-based web applications, the Internet expanded rapidly and an increasing number of IPv4 addresses were applied for, posing a severe challenge to the sustainability of the Internet. Chinese carriers apply for the largest number of IP addresses from the Internet Corporation for Assigned Names and Numbers (ICANN) each year. At the time, some experts predicted that, at the observed growth rate of the Internet, the available IPv4 address resources in the world would be depleted around 2011.
 IPv6 was proposed to resolve the problem of IPv4 address exhaustion. An IPv6 address extends the 32-bit IPv4 address to 128 bits, which provides a practically unlimited number of addresses for network applications. Therefore, IPv6 can solve the address shortage. However, IPv6 faces serious obstacles such as immature technology and the great cost of upgrading. There is a long way to go before IPv6 addresses replace the mature and widely used IPv4 addresses.
 Since the transition to IPv6 networks cannot be implemented immediately, other technologies had to be developed to extend the IPv4 lifespan. These technologies include Classless Inter-Domain Routing (CIDR), Variable Length Subnet Mask (VLSM), and Network Address Translation (NAT). They slowed the depletion of IPv4 addresses considerably and, even after the central IANA pool was exhausted in 2011, have kept IPv4 networks operating.
 Using private network addresses implements address reuse and increases IP resource utilization.
 To meet the requirements of laboratories, companies, and other organizations for private networks, RFC 1918 reserves three IP address ranges for private networks:
 10.0.0.0 to 10.255.255.255 (10.0.0.0/8), in class A address space.
 172.16.0.0 to 172.31.255.255 (172.16.0.0/12), in class B address space.
 192.168.0.0 to 192.168.255.255 (192.168.0.0/16), in class C address space.
 Addresses in these three ranges are never assigned on the Internet and are not routed there; therefore, they can be used freely without applying for them.
 The intranet uses private network addresses and the Internet uses public network addresses. If private addresses are not translated into public addresses by NAT, routing problems occur and communication fails, because packets carrying a private source address cannot be answered across the Internet. Therefore, NAT must be used to translate private network addresses into public network addresses to ensure proper communication.
 NAT translates an IP address in the IP packet header into another IP address, which enables an intranet (using private IP addresses) to access the Internet (using public IP addresses). A NAT device (a network device that implements the NAT function) maintains an address translation table, and every packet that passes through the NAT device and has an address to be translated is modified based on this table.
 The address translation mechanism can be:
1. The host IP addresses and ports of the intranet are translated into Internet addresses and ports.
2. Internet addresses and ports are translated into the intranet host IP addresses and ports.
 That is, a conversion between <private address + port> and <public address + port> is implemented.
 NAT devices are deployed at the edge between the intranet and the Internet, so that all packets exchanged between an internal PC and an external server pass through the NAT device. The most frequently used NAT devices are routers and firewalls.
 NAT has three typical application scenarios:
 Source NAT: enables multiple intranet users to access the Internet.
 Address pool mode: Private addresses are translated into public addresses taken from an address pool. This mode applies when a large number of intranet users access the Internet using a limited number of public IP addresses.
 Outbound interface address mode (also called Easy IP): IP addresses of intranet hosts are translated into the public IP address of the outbound interface. This mode applies when the public IP address is dynamically allocated.
 Server mapping: enables Internet users to access private network servers.
 Static mapping (also called NAT Server): A private address is mapped to a single public address. Static mapping applies when Internet users access an intranet server that provides a specific service.
 Destination NAT: enables mobile phones to send service packets to reachable Wireless Application Protocol (WAP) gateways.
 Destination NAT is used when mobile phones access the Internet through WAP gateways.
 In addition to reusing addresses and saving precious IP address resources, NAT has other advantages. The advantages and disadvantages of NAT are as follows:
 NAT advantages:
 Allows multiple hosts in a LAN to use a small number of public addresses to access external resources, and allows intranet servers to provide services such as HTTP, FTP, and Telnet to external users. This alleviates the depletion of IPv4 addresses.
 Intranet users do not perceive the IP address translation. The entire process is transparent to users.
 Protects intranet user information. Internet users cannot obtain the IP addresses and service information of intranet users.
 Allows multiple intranet servers to share load.
 NAT disadvantages:
 Because IP addresses in packets need to be translated, the IP packet headers cannot be encrypted. Where an application carries an address or port that must be translated inside the payload (as FTP does in the PORT command), the payload cannot be encrypted either. For example, an encrypted FTP control connection cannot be used through NAT, because the FTP PORT command could not be translated correctly.
 NAT makes network monitoring more difficult. For example, if an intranet hacker attacks a public network server, tracing the hacker becomes harder: it is difficult to determine which host belongs to the hacker, because the hacker's address has been translated by the NAT device, and the investigator needs the NAT device's translation logs to map the public address and port back to the internal host.
 The NAT address pool can contain one or more public IP addresses.
 When configuring source IP address-based NAT or intra-zone NAT, you must configure a NAT address pool and then bind the NAT address pool to a NAT policy. You can select different parameters to implement different NAT functions.
 An address pool that is associated with a policy cannot be deleted.
 When configuring the NAT address pool, place the IP address of the Internet access interface and the address pool on the same network segment; that is, the address pool is on the same network segment as the assigned public IP address. If the address pool and the Internet access interface reside on different network segments, configure routes to the address pool on the next-hop router of the USG; otherwise, return traffic for the pool addresses never reaches the firewall.
 To exclude specified IP addresses from the address pool, run the exclude-ip ipv4-address1 [ to ipv4-address2 | mask { mask-address | mask-length } ] command.
 The functions of the pat and no-pat parameters are as follows:
 pat: enables both address and port translation, which allows multiple intranet hosts to share a single public address.
 no-pat: enables address translation only.
 If port translation is disabled, each private address is mapped to a single public address. When all IP addresses in the NAT address pool have been allocated, the NGFW waits for an IP address released by another host before forwarding the packet.
 By default, port translation is enabled. To exclude specified ports from translation, run the exclude-port port1 [ to port2 ] command. The port1 and port2 values range from 2048 to 65535.
 In the web GUI, to configure the NAT address pool:
1. Choose Policy > NAT Policy > Source NAT > NAT Address Pool.
2. Click Add in NAT Address Pool List.
3. Enter or select parameters, and click OK.
 Source address-based NAT translates the source IP address in the IP packet header of the packet that initiates a connection. It enables intranet users to access the Internet. After the private addresses of internal hosts are translated into public addresses, multiple hosts in a LAN can use a small number of public addresses to access external resources, which also hides the host IP addresses of the LAN.
 Source NAT in no-pat mode is implemented using a NAT address pool that contains multiple public addresses. It translates only IP addresses and maps each private address to a single public address.
 Source NAT in pat mode (NAPT) is implemented using a NAT address pool that contains one or more public addresses. It translates both private addresses and port numbers, so intranet users can share one or more public IP addresses.
 Source NAT with port translation allows multiple private addresses to use one public address to access the Internet. This is referred to as many-to-one address translation or address reuse.
 Source NAT with port translation uses Layer 4 information to extend the Layer 3 address space. An IP address has 65535 usable ports, so theoretically up to 65535 private endpoints can be translated to one public IP address. NAPT maps packets from different private addresses to different ports of a public address. Compared with one-to-one or many-to-many address translation, NAPT greatly saves public addresses and increases address usage efficiency.
 In this mode, you can also use the IP address of the interface connecting the NAT device to the public network. This application is referred to as Easy IP and does not need a NAT address pool.
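As an added example (not code from the original training material or from Huawei), the Python class below contrasts the no-pat and pat behaviour described above for an address pool holding a single public address: in no-pat mode the second host is held until the address is released, in pat mode both hosts share the address on different ports. Easy IP behaves like the pat case with the pool replaced by the outbound interface address. The class name, the addresses and the allocatable port range (2048 to 65535, the range the page gives for exclude-port) are assumptions.

```python
"""Source NAT with an address pool: no-pat (address only) versus pat (address + port).

Added example, not from the original training material or from Huawei. Two
private hosts leave through a pool with one public address. The class name,
addresses and port range are illustrative assumptions.
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


class SourceNat:
    def __init__(self, pool, pat: bool = True, first_port: int = 2048, last_port: int = 65535):
        self.pool = list(pool)
        self.pat = pat
        self.first_port, self.last_port = first_port, last_port
        self.address_map: Dict[str, str] = {}          # no-pat: private ip -> public ip
        self.napt_map: Dict[Endpoint, Endpoint] = {}   # pat: private (ip, port) -> public (ip, port)
        self.reverse: Dict[Endpoint, Endpoint] = {}    # pat: public (ip, port) -> private (ip, port)

    def translate_outbound(self, private_ip: str, private_port: int) -> Optional[Endpoint]:
        """Source translation for a packet leaving the intranet; None means no address available."""
        if not self.pat:
            public_ip = self.address_map.get(private_ip)
            if public_ip is None:
                in_use = set(self.address_map.values())
                free = [ip for ip in self.pool if ip not in in_use]
                if not free:
                    return None            # pool exhausted: packet waits for a released address
                public_ip = free[0]
                self.address_map[private_ip] = public_ip
            return (public_ip, private_port)   # no-pat keeps the port unchanged
        key = (private_ip, private_port)
        if key in self.napt_map:
            return self.napt_map[key]          # existing session keeps its mapping
        for public_ip in self.pool:
            for port in range(self.first_port, self.last_port + 1):
                if (public_ip, port) not in self.reverse:
                    self.napt_map[key] = (public_ip, port)
                    self.reverse[(public_ip, port)] = key
                    return (public_ip, port)
        return None                            # every (address, port) pair is in use

    def translate_inbound(self, public_ip: str, public_port: int) -> Optional[Endpoint]:
        """Destination translation for a return packet arriving from the Internet."""
        if not self.pat:
            for private_ip, pub in self.address_map.items():
                if pub == public_ip:
                    return (private_ip, public_port)
            return None
        return self.reverse.get((public_ip, public_port))

    def release(self, private_ip: str) -> None:
        """no-pat: the host's sessions ended, so its public address returns to the pool."""
        self.address_map.pop(private_ip, None)


if __name__ == "__main__":
    napt = SourceNat(["1.1.1.10"], pat=True)
    print(napt.translate_outbound("192.168.1.2", 1084), napt.translate_outbound("192.168.1.3", 1084))
    nopat = SourceNat(["1.1.1.10"], pat=False)
    print(nopat.translate_outbound("192.168.1.2", 1084), nopat.translate_outbound("192.168.1.3", 1084))
```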
 This mode is also called Easy IP mode. It translates private addresses into the IP address of a WAN interface and does not require a NAT address pool. Source NAT in this mode translates both private addresses and port numbers, so intranet users share the single public IP address of the specified WAN interface.
 In the action parameter, you can specify either of the following:
 nat: enables NAT for the data flows. If nat is configured, specify either of the following NAT modes:
 address-group: address pool mode, which translates source private addresses into the public addresses contained in a NAT address pool.
 easy-ip: outbound interface address mode, which translates source private addresses into the public address of a WAN interface. If easy-ip is configured, the NGFW automatically routes the traffic to the WAN interface.
 no-nat: disables NAT for the data flows. This parameter is used for particular clients. For example, when NAT is required for all addresses of the network segment 192.168.1.0/24 except 192.168.1.2, configure a rule whose source address is 192.168.1.2 with the action no-nat, and then configure another rule that performs NAT for packets originating from the network segment 192.168.1.0/24. Because NAT policy rules are matched in order, the no-nat rule must be placed before the general rule.
 In the web configuration GUI, to translate a source IP address:
1. Choose Policy > NAT Policy > Source NAT.
2. Click Add in Source NAT Policy List.
3. Enter or select parameters, and click OK.
 Both the Destination Zone and Outbound Interface parameters specify the scope of the traffic that requires NAT. Select either of them according to the actual conditions.
 In the Ethernet data frame structure, the IP header contains the 32-bit source IP address and the 32-bit destination IP address, and the TCP header contains the 16-bit source port number and the 16-bit destination port number.
 Several protocols use the data payload of IP packets to negotiate new ports and IP addresses. After the negotiation is complete, the communicating parties establish new connections for the subsequent packets. Because the ports and IP addresses are negotiated dynamically, the administrator cannot pre-configure NAT rules for them, and the translation fails.
 Normal NAT translates only the IP address and port information in UDP or TCP packet headers and does not analyze fields in application-layer payloads. However, the payloads of some protocols (for example H.323, FTP, and SIP) carry IP address or port information, which causes problems if it is not translated. NAT ALG processes the payload information of application-layer packets to make sure that data connections can be established.
 For example, an FTP application involves both a data connection and a control connection, and the establishment of the data connection depends on the payload information of the control connection. In this situation, the ALG translates the payload information to make sure that the data connection is established correctly.
 ASPF filters the packets of application-layer protocols: it analyzes the packets and dynamically creates packet-filtering entries for them. NAT ALG, in contrast, creates NAT entries. Generally, ASPF works together with NAT ALG; therefore, you run only one command to enable both functions at the same time.
 In this figure, the host on the private network wants to access the FTP server on the public network. The NAT mapping between the private IP address (192.168.1.2) and the public IP address (8.8.8.11) is configured on the NAT device so that the host can access the public network. If NAT ALG is not configured, when the PORT packet sent by the host arrives at the FTP server, the server obtains a private address that it cannot reach, and the data connection cannot be established for data transmission. The communication between the host and the FTP server involves the following processes:
1. The host and the FTP server establish a control connection after a successful TCP three-way handshake.
2. After the control connection is established, the host sends a PORT packet that contains the IP address and port number on which it expects the data connection. The host instructs the server to use this address and port number to establish the data connection.
3. When the PORT packet arrives at the ALG-enabled NAT device, the device parses the packet and translates the host's private network address (192.168.1.2) and port number (1084) into the public network address and port number (8.8.8.11, 12487) respectively.
4. When the PORT packet arrives, the server parses it and initiates a data connection to the host. The destination address of the request packet is 8.8.8.11 and the destination port number is 12487. (Note that the source port of this packet is generally 20. As the FTP protocol does not strictly regulate this, some servers send the packet from a random source port greater than 1024; for example, a WFTPD server uses source port 3004.) Because the destination address is a public IP address, the data connection is established successfully, and the host and the FTP server can exchange data over it.
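The following Python functions are an added example, not code from the original training material or from any vendor implementation, of the payload rewrite in step 3: parsing the PORT argument, translating 192.168.1.2:1084 to 8.8.8.11:12487 through a constructed NAT table, and re-encoding the command. The function names and the table are assumptions; the address values are the ones used in the walkthrough above.

```python
"""NAT ALG for active-mode FTP: rewriting the PORT command payload.

Added example, not from the original training material or from any vendor code.
The NAT table below is a constructed sample matching the figure's values
(192.168.1.2:1084 -> 8.8.8.11:12487). rewrite_port_command returns the
translated payload and the public endpoint the server will connect to, which is
also the endpoint the firewall must open as a server-map entry.
"""
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port_argument(payload: bytes) -> Optional[Endpoint]:
    """PORT h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2), or None if malformed."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None                       # each field is one byte; reject out-of-range values
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def format_port_argument(ip: str, port: int) -> bytes:
    """Inverse of parse_port_argument: encode an endpoint as a PORT command line."""
    return f"PORT {','.join(ip.split('.'))},{port // 256},{port % 256}\r\n".encode()


def rewrite_port_command(payload: bytes, nat_table: Dict[Endpoint, Endpoint]):
    """Translate the private endpoint in a PORT command using the NAT table.

    Returns (new_payload, public_endpoint). If the payload is not a PORT command,
    or the private endpoint has no mapping, the payload is returned unchanged with
    None: the server would then try to reach an unroutable private address and the
    data connection would fail, which is the no-ALG case described in the text.
    """
    private = parse_port_argument(payload)
    if private is None or private not in nat_table:
        return payload, None
    public = nat_table[private]
    return format_port_argument(*public), public


# Constructed mapping, as created by source NAT for the host's data endpoint.
NAT_TABLE: Dict[Endpoint, Endpoint] = {("192.168.1.2", 1084): ("8.8.8.11", 12487)}

if __name__ == "__main__":
    print(rewrite_port_command(b"PORT 192,168,1,2,4,60\r\n", NAT_TABLE))
```

Because the rewritten command can be longer or shorter than the original, a real ALG must also adjust the TCP sequence and acknowledgement numbers of the control connection for the rest of the session; that bookkeeping is omitted here.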
 In multi-channel protocol communication through a NAT device, the firewall must dynamically establish packet-filtering rules and NAT translation rules for the data channel. These rules are stored in the server-map table, so that data packets can pass through the firewall or be correctly translated by NAT, thereby ensuring normal multi-channel protocol services.
 If no-reverse is not configured, each valid NAT server generates two static server-map entries, one in the forward direction and one in the reverse direction. After no-reverse is configured, each valid NAT server generates only one static server-map entry, in the forward direction. When the user deletes the NAT server, its server-map entries are deleted at the same time.
 After a NAT server is successfully configured, the device automatically generates a server-map entry that stores the mapping between the global and inside IP addresses.
 After NAT No-PAT is configured, the device establishes a server-map entry for the data flows generated by multi-channel protocols that carry traffic.
 A NAT server is an internal server. NAT hides the internal network structure and shields the internal hosts. In particular situations, an external host needs to access an internal host. For example, even if a web server (internal server) is intended for access by external hosts, the external hosts cannot reach it because no route to its private address exists. In this case, the NAT Server function can be used to implement the application.
 NAT allows you to add internal servers flexibly. For example, the public network address 202.202.1.1 can be used as the external address of the web server, or an IP address plus port number (202.202.1.1:8080) can be used as the external address of the web server.
 When external users access the internal server, the following operations are performed:
 The firewall translates the destination address of the external users' request packets into the private address of the internal server.
 The firewall translates the source address (private address) of the internal server's response packets into the public address.
 The firewall supports security zone-based internal server configuration. For example, when a firewall needs to provide access services for external users located in multiple network segments, you can configure multiple public addresses, in different security zones, for one internal server. When these external users access the internal server, they each use the public address published in their own zone.
 NAT Server is the most frequently used destination IP address-based NAT. When a server whose actual IP address is a private one is deployed on the internal network, and public network users need to use a public IP address to access the server, NAT Server can be configured so that the device automatically forwards the packets from public network users to the server on the internal network.

 For NAT Server configuration, different situations are shown as follows:

 If the same public IP address is released in all security zones, users in these security zones can access the internal server by accessing the same public IP address.

 Compared with releasing different public IP addresses, a parameter, no-reverse, is added when releasing the same public IP address. After NAT Server is configured without no-reverse, when public network users access the server, the device translates the server's public network address into its private network address. Meanwhile, when the server initiates access to the public network, the device translates the server's private network address into the public network address.

 Running the nat server command with the parameter no-reverse multiple times configures multiple public network addresses for this internal server. If the parameter no-reverse is not configured, one public network address is configured for this internal server.

 Different public IP addresses are released in different security zones. Users in these security zones can access the internal server by accessing different public IP addresses. This application applies to the situation where the internal server provides services for different carriers' networks and each carrier's network has its own public network IP address.

 In the Web GUI, the process to configure NAT Server is:

1. Choose Policy > NAT Policy > Server Mapping.

2. Click Add in Server Mapping List.

3. Enter or select parameters. Click OK.

 ‘Allow Port Translation’ specifies whether port translation is enabled or disabled during the server mapping process. You can perform either of the following operations:

 Select the Allow Port Translation check box to enable port translation and set the public and private port numbers for a specific protocol.

 Leave the Allow Port Translation check box deselected to disable port translation.

 When the same public address is mapped to the private addresses of intranet servers that process different types of services, enable port translation to allow the NGFW to distinguish services based on port numbers.

 The following is an example of static address and port mappings for services:

 Web services: public address 1.1.1.1 is mapped to private address 10.1.1.2, and public port 80 is mapped to private port 80.

 FTP services: public address 1.1.1.1 is mapped to private address 10.1.1.3, and public port 21 is mapped to private port 21.
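The server-map behaviour described above, as an added Python model that is not part of the original training material: it reproduces the web/FTP port mappings from the example, the zone-specific public addresses of the two-carrier case, and the forward-only entries created by no-reverse. The Firewall class, its method names and the address 2.2.2.10 are assumptions made for the demo.

```python
"""Added model of NAT Server server-map entries (not Huawei code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (ip, port); a port of None means an address-only mapping (no port translation)
Endpoint = Tuple[str, Optional[int]]


@dataclass
class ServerMapEntry:
    zone: Optional[str]   # None: the public address is released in every zone
    public: Endpoint
    private: Endpoint
    reverse: bool         # False when the entry was created with no-reverse


def _match(pattern: Endpoint, ip: str, port: int) -> bool:
    """Address-only entries match any port; port entries must match exactly."""
    p_ip, p_port = pattern
    return p_ip == ip and (p_port is None or p_port == port)


@dataclass
class Firewall:
    entries: List[ServerMapEntry] = field(default_factory=list)

    def nat_server(self, private: Endpoint, public: Endpoint,
                   zone: Optional[str] = None, no_reverse: bool = False) -> None:
        """Models 'nat server ... global <public> inside <private> [zone] [no-reverse]'."""
        if not no_reverse:
            # Without no-reverse a server gets one public address per zone: a second
            # reverse mapping would make the server's outbound address ambiguous.
            for e in self.entries:
                if e.reverse and e.zone == zone and e.private == private:
                    raise ValueError(f"{private[0]} already has a reverse mapping in "
                                     f"zone {zone}; add more public addresses with no-reverse")
        self.entries.append(ServerMapEntry(zone, public, private, not no_reverse))

    def inbound(self, src_zone: str, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Public user -> server: rewrite the destination from a forward entry."""
        for e in self.entries:
            if e.zone in (None, src_zone) and _match(e.public, dst_ip, dst_port):
                priv_ip, priv_port = e.private
                return priv_ip, (dst_port if priv_port is None else priv_port)
        return None   # no server-map hit: not NAT Server traffic

    def outbound(self, dst_zone: str, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Server -> public network: only entries with a reverse mapping apply."""
        for e in self.entries:
            if e.reverse and e.zone in (None, dst_zone) and _match(e.private, src_ip, src_port):
                pub_ip, pub_port = e.public
                return pub_ip, (src_port if pub_port is None else pub_port)
        return None   # forward-only entries: the server cannot initiate access


def port_translation_demo() -> dict:
    """The page's mappings: 1.1.1.1:80 -> 10.1.1.2:80 and 1.1.1.1:21 -> 10.1.1.3:21."""
    fw = Firewall()
    fw.nat_server(("10.1.1.2", 80), ("1.1.1.1", 80))
    fw.nat_server(("10.1.1.3", 21), ("1.1.1.1", 21))
    return {
        "web": fw.inbound("untrust", "1.1.1.1", 80),
        "ftp": fw.inbound("untrust", "1.1.1.1", 21),
        "smtp": fw.inbound("untrust", "1.1.1.1", 25),   # unmapped port: None
    }


def no_reverse_demo() -> dict:
    """Several public addresses for one server in one zone require no-reverse."""
    fw = Firewall()
    fw.nat_server(("10.1.1.2", None), ("1.1.1.1", None), zone="untrust")
    try:
        fw.nat_server(("10.1.1.2", None), ("1.1.1.2", None), zone="untrust")
        second = "accepted"
    except ValueError:
        second = "rejected"
    fw.nat_server(("10.1.1.2", None), ("1.1.1.2", None), zone="untrust", no_reverse=True)
    return {
        "second_reverse_mapping": second,
        "in_via_1.1.1.1": fw.inbound("untrust", "1.1.1.1", 443),
        "in_via_1.1.1.2": fw.inbound("untrust", "1.1.1.2", 443),
        "server_out": fw.outbound("untrust", "10.1.1.2", 40000),   # uses 1.1.1.1 only
    }


def per_zone_demo() -> dict:
    """Different public addresses in different zones (two carriers), both reversible."""
    fw = Firewall()
    fw.nat_server(("10.1.1.2", None), ("1.1.1.1", None), zone="isp1")
    fw.nat_server(("10.1.1.2", None), ("2.2.2.10", None), zone="isp2")   # 2.2.2.10: constructed
    return {
        "isp1_in": fw.inbound("isp1", "1.1.1.1", 80),
        "isp2_in": fw.inbound("isp2", "2.2.2.10", 80),
        "isp1_wrong_address": fw.inbound("isp1", "2.2.2.10", 80),   # not released in isp1
        "out_to_isp1": fw.outbound("isp1", "10.1.1.2", 40000),
        "out_to_isp2": fw.outbound("isp2", "10.1.1.2", 40000),
    }


if __name__ == "__main__":
    for demo in (port_translation_demo, no_reverse_demo, per_zone_demo):
        print(demo.__name__, demo())
```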
 Mobile phone users need to log in to the Wireless Application Protocol (WAP) gateway to go online. At present, a large number of users purchase mobile phones from overseas. However, the default WAP gateway address configured on these mobile phones is not consistent with the WAP gateway address used in China. Users cannot modify the WAP gateway address; therefore, they cannot go online. To resolve this problem, a firewall device is deployed on the wireless network between the WAP gateway and the users. After the destination NAT function is configured on the device, mobile users can access network resources normally.

 When mobile phone users go online, the destination NAT function performs the following operations:

1. When mobile phone users send request packets to go online, their request packets reach the firewall after passing through the base station and other intermediate devices.

2. If the packets reaching the firewall match the destination NAT policy configured on the firewall, the firewall translates the destination IP address of these packets into the IP address of the WAP gateway and sends these packets to the WAP gateway.

3. The WAP gateway provides services (such as video and web page services) for the mobile phone users, and sends response packets to the firewall.

4. The response packets hit the session on the firewall. The firewall translates the source IP addresses of these packets and then sends these packets to the mobile phone users. Communication between the mobile users and the WAP gateway is complete.

 Here, the WAP gateway can be considered the agent (proxy) server.

 Destination NAT uses ACL rules to identify which packets with specified destination IP addresses need to be translated and forwarded. The ACL is the key in this application scenario: learn the WAP gateway IP address and use ACL rules to define that WAP gateway IP address. Note: Destination NAT cannot be used together with NAT ALG.

 Strict ACL rules must be configured so that non-WAP service data flows are not referenced by the destination-nat command and non-WAP services are not interrupted. Here, only advanced ACLs, numbered from 3000 to 3999, can be referenced.

 In the bidirectional NAT application scenario, the addresses used for communication between the two devices are not their actual addresses but addresses translated by NAT. In the source NAT and internal server applications, by contrast, only one device's address is translated.

 In general, the intranet is a high-priority zone and the Internet is a low-priority zone. When Internet users in the low-priority security zone access the public network address of the internal server, the packet destination address is translated into the private network address of the internal server. The internal server must have a route to the public network address.

 To avoid configuring a route to the public network address, NAT from the low-priority security zone to the high-priority zone can be configured. The intrazone NAT function needs to be configured for access within the same security zone.
 When you configure a NAT Server, you also configure a route to the public network on the server so that the server can send response packets. To simplify configuration and avoid configuring this route, translate the source IP address of the Internet user into the same network segment as the private network address of the server. In this case, the internal server sends the response packet to its default gateway.
 Intrazone NAT refers to a scenario where the intranet user and the server are deployed in the same security zone. When the FTP server and the user are both in the Trust zone and the user accesses the public IP address of the FTP server, all packets exchanged between the user and the FTP server are transmitted through the firewall. Both NAT Server and intrazone NAT are required.

 Intrazone NAT is used when intranet users and the server are deployed in the same security zone but intranet users can only access the server's public IP address. During the implementation of intrazone NAT, the destination address of a packet sent to the internal server must be translated from the public address to the private address, and the source address must be translated from a private address to a public address.
 To configure the interzone access policy, run the following commands:

 [USG6600] security-policy
 [USG6600-policy-security] rule name natpolicy
 [USG6600-policy-security-rule-natpolicy] source-address 192.168.0.0 24
 [USG6600-policy-security-rule-natpolicy] action permit

 Source NAT is used when internal users access Internet resources. Source NAT translates the source IP addresses of packets sent from a high-priority security zone to a low-priority one. The source IP address belongs to an intranet segment. The address pool for internal users should be an external address segment used for accessing the Internet.
 Usually, the source security zone is the one where the private IP address before NAT translation resides. In this example, it is the Trust zone. The destination security zone is the one where the public IP address after NAT translation resides. In this example, it is the Untrust zone.
 When NAT and the internal server are configured on the USG at the same time, the internal server has a higher priority than NAT.

 When multiple different internal servers use one public address, run the nat server command repeatedly, once for each internal server. The zone parameter can be configured to implement NAT server reverse translation when the internal server accesses that zone.

 When a user and an internal server are in the same security zone, the USG allows this user to use the internal server's public IP address to access the internal server. Configuring a device in this security zone to initiate a connection to devices outside the security zone is not recommended. When the USG is used in a two-device hot backup network, if the NAT server address after translation and the Virtual Router Redundancy Protocol (VRRP) backup group virtual IP address are not in the same network segment, you do not need to configure the nat server command with the vrrp keyword.

 If the NAT server address after translation and the VRRP backup group virtual IP address are in the same network segment, run the nat server command with the virtual-router-ID parameter. The parameter is set to the ID of the VRRP backup group on the USG's NAT server outbound interface.
 When you configure a NAT server, set the external address to the public IP address that the internal server provides to external users, and the internal address to the IP address of the internal server on the LAN.
 In the Web GUI, the process to configure the interzone security forwarding policy is:

1. Choose Policy > Security Policy.

2. Click Add in Security Policy List.

3. Enter or select parameters. Click OK.

 When you configure an interzone security forwarding policy, you need to set the source and destination security zones to determine the data flow direction.

 In this example, the enterprise obtains one IP address from each carrier. To ensure the access rate for all users, the users on each carrier's network need to use the IP address obtained from that carrier to access the services provided by the enterprise, so that the traffic is not transmitted across carriers. At the same time, the internal users can access Internet resources over the networks provided by the two carriers.

 ISP1 and ISP2, the Internet carriers, are both connected to the Internet and can communicate with each other.
 Configure static routes to make the routes from internal users to ISP1/ISP2 available.

 IP-link allows a device to send ICMP or ARP Request packets to monitor links that are not directly connected to the device. This feature is used in scenarios where dual-device hot backup, static routes, or policy-based routes are configured. When IP-link detects a link fault, the USG firewall automatically adjusts its static route to ensure that the link it selects is reachable and has the highest priority for data transmission. In this example, two static routes (ISP1 and ISP2) are available when an internal user accesses the Internet. One static route (ISP1) is bound to IP-link. When that link is detected as unreachable, the other route takes over the traffic of the faulty link to ensure proper service transmission.
 To configure interface IP addresses and add the interfaces to security zones, run the following commands:

 [USG] interface GigabitEthernet 1/0/3
 [USG-GigabitEthernet1/0/3] ip address 10.1.1.1 24
 [USG-GigabitEthernet1/0/3] quit
 [USG] interface GigabitEthernet 1/0/4
 [USG-GigabitEthernet1/0/4] ip address 1.1.1.1 24
 [USG-GigabitEthernet1/0/4] quit
 [USG] interface GigabitEthernet 1/0/5
 [USG-GigabitEthernet1/0/5] ip address 2.2.2.1 24
 [USG-GigabitEthernet1/0/5] quit
 [USG] firewall zone trust
 [USG-zone-trust] add interface GigabitEthernet 1/0/3
 [USG-zone-trust] quit
 [USG] firewall zone isp1
 [USG-zone-isp1] add interface GigabitEthernet 1/0/4
 [USG-zone-isp1] quit
 [USG] firewall zone isp2
 [USG-zone-isp2] add interface GigabitEthernet 1/0/5
 [USG-zone-isp2] quit


 To configure static routes, run the following commands:

 [USG] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
 [USG] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
 To configure interface IP addresses and add the interfaces to security zones, run the following commands:

 <USG> system-view
 [USG] interface GigabitEthernet 1/0/3
 [USG-GigabitEthernet1/0/3] ip address 10.1.1.1 24
 [USG-GigabitEthernet1/0/3] quit
 [USG] interface GigabitEthernet 1/0/4
 [USG-GigabitEthernet1/0/4] ip address 1.1.1.1 24
 [USG-GigabitEthernet1/0/4] quit
 [USG] interface GigabitEthernet 1/0/5
 [USG-GigabitEthernet1/0/5] ip address 2.2.2.1 24
 [USG-GigabitEthernet1/0/5] quit
 [USG] firewall zone dmz
 [USG-zone-dmz] add interface GigabitEthernet 1/0/3
 [USG-zone-dmz] quit
 [USG] firewall zone untrust
 [USG-zone-untrust] add interface GigabitEthernet 1/0/4
 [USG-zone-untrust] add interface GigabitEthernet 1/0/5
 [USG-zone-untrust] quit
 In this example, ISP1 and ISP2 can be in the same security zone or in different security zones. If they are in different security zones, configure the nat server command with the zone parameter, so that the firewall can recognize the zone that sends or receives the packets and translate the source and destination addresses according to the mappings created by the nat server command.
 In the Web GUI, the process to create a security zone is:

1. Choose Network > Zone.

2. Click Add in Zone List.

3. Enter parameters. Click Apply.

 Zone Name and Priority cannot be changed once they are configured, and the values cannot be the same as the name or priority of an existing security zone.

 In the Web GUI, the process to configure a static route is:

1. Choose Network > Router > Static Route.

2. In Static Route List, click Add.

3. Enter or select the parameters. Click OK.

 The preceding figure shows that a NAT outbound policy from the internal user (10.1.1.3/24) to the ISP1 network segment is configured. The internal user's IP address is translated into the IP address of the interface (G1/0/4) connected to ISP1. This function is equivalent to Easy IP.
 Easy-IP is suitable for scenarios in which the IP addresses of public interfaces are obtained dynamically or only the public address of the device's public interface is available, such as in a dial-up network.

 In the scenario in which an internal server advertises multiple public IP addresses for Internet users, if the interfaces with these IP addresses reside in the same security zone, NAT Server can be configured with the no-reverse parameter specified. After the no-reverse parameter is specified, you can map multiple global IP addresses to one inside IP address.

 In addition, after the no-reverse parameter is specified, server-map entries are generated only in the forward direction. If the internal server initiates access to the Internet, the device cannot translate the private IP address of the internal server to a public IP address, and the access fails. Therefore, specifying the no-reverse parameter can prevent internal servers from initiating access to the Internet.

 Bidirectional NAT between security zones: A route to the public address must be configured on the internal server during NAT server configuration to enable the internal server to send replies. An alternative is to configure bidirectional NAT so that the source IP addresses of Internet users are translated to private addresses in the same subnet as the internal server.

 Intrazone NAT can be configured to enable the intranet users in the same security zone as the internal server to access the server only through the public address of the server. During intrazone NAT, the destination address of packets sent to the internal server must be translated from the public address to a private address, and the source address must be translated from the private address to the public address.

 After NAT server is configured, firewalls generate static server-map entries. When firewalls forward traffic, the following are looked up in turn: server-map entries, routing table entries, security policies, and NAT policies. Therefore, if NAT server is configured, the destination address in the security policy for traffic from the Internet to the intranet must be the address of the network where the internal server resides; if source NAT is configured, the source address in the security policy must be the address of the internal network.
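The lookup order in the last bullet, as an added Python model that is not Huawei's code: server-map, then routing table, then security policy, then NAT policy, applied to one internal server, so that the effect of naming the public versus the private address in the security policy can be seen directly, together with the bidirectional NAT from the earlier bullets. The class, its method names and the addresses 3.3.3.3 and 10.1.1.100 are assumptions for the demo.

```python
"""Added model of the USG forwarding lookup order (not Huawei code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


def _net(s: str) -> Net:
    return ipaddress.ip_network(s)


class Firewall:
    def __init__(self) -> None:
        self.server_map: Dict[str, str] = {}      # public ip -> private ip (static entries)
        self.routes: List[Tuple[Net, str]] = []   # (prefix, security zone behind it)
        self.policies: List[dict] = []            # security policies, in order
        self.nat_policies: List[dict] = []        # source NAT policies, in order

    def nat_server(self, public: str, private: str) -> None:
        self.server_map[public] = private

    def route(self, prefix: str, zone: str) -> None:
        self.routes.append((_net(prefix), zone))

    def security_policy(self, src_zone: str, dst_zone: str,
                        src: str, dst: str, action: str) -> None:
        self.policies.append(dict(sz=src_zone, dz=dst_zone,
                                  src=_net(src), dst=_net(dst), action=action))

    def nat_policy(self, src_zone: str, dst_zone: str, src: str, pool: str) -> None:
        self.nat_policies.append(dict(sz=src_zone, dz=dst_zone, src=_net(src), pool=pool))

    def zone_of(self, ip: str) -> Optional[str]:
        """Longest-prefix match in the routing table gives the destination zone."""
        addr, best = ipaddress.ip_address(ip), None
        for prefix, zone in self.routes:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, zone)
        return best[1] if best else None

    def forward(self, src_zone: str, src_ip: str, dst_ip: str) -> dict:
        trace = []
        # 1. Server-map: a NAT server's public address becomes private here,
        #    so every later step sees the private address.
        if dst_ip in self.server_map:
            dst_ip = self.server_map[dst_ip]
            trace.append("server-map")
        # 2. Routing table: decides the destination zone.
        dst_zone = self.zone_of(dst_ip)
        if dst_zone is None:
            return {"action": "drop", "reason": "no route", "trace": trace}
        trace.append("route")
        # 3. Security policy, matched on the original source and the translated destination.
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for p in self.policies:
            if (p["sz"], p["dz"]) == (src_zone, dst_zone) and src in p["src"] and dst in p["dst"]:
                if p["action"] != "permit":
                    return {"action": "drop", "reason": "policy deny", "trace": trace}
                trace.append("security-policy")
                break
        else:
            return {"action": "drop", "reason": "no matching security policy", "trace": trace}
        # 4. NAT policy: source translation happens last.
        for n in self.nat_policies:
            if (n["sz"], n["dz"]) == (src_zone, dst_zone) and src in n["src"]:
                src_ip = n["pool"]
                trace.append("nat-policy")
                break
        return {"action": "permit", "src": src_ip, "dst": dst_ip,
                "dst_zone": dst_zone, "trace": trace}


def build() -> Firewall:
    fw = Firewall()
    fw.nat_server("1.1.1.1", "10.1.1.2")        # web server, public 1.1.1.1
    fw.route("10.1.1.0/24", "dmz")
    fw.route("0.0.0.0/0", "untrust")
    # Bidirectional NAT: Internet users appear to the server as 10.1.1.100 (constructed),
    # a neighbour on its own subnet, so the server replies through its default gateway.
    fw.nat_policy("untrust", "dmz", "0.0.0.0/0", "10.1.1.100")
    # Easy-IP style source NAT for intranet hosts going out (interface address).
    fw.nat_policy("dmz", "untrust", "10.1.1.0/24", "1.1.1.1")
    return fw


def inbound_policy_on_public_address() -> dict:
    """Wrong: the policy names 1.1.1.1, but the packet reaches it as 10.1.1.2."""
    fw = build()
    fw.security_policy("untrust", "dmz", "0.0.0.0/0", "1.1.1.1/32", "permit")
    return fw.forward("untrust", "3.3.3.3", "1.1.1.1")


def inbound_policy_on_private_network() -> dict:
    """Right: the policy names the server's network; source NAT is applied afterwards."""
    fw = build()
    fw.security_policy("untrust", "dmz", "0.0.0.0/0", "10.1.1.0/24", "permit")
    return fw.forward("untrust", "3.3.3.3", "1.1.1.1")


def outbound_from_intranet() -> dict:
    """Source NAT: the policy names the internal network as the source."""
    fw = build()
    fw.security_policy("dmz", "untrust", "10.1.1.0/24", "0.0.0.0/0", "permit")
    return fw.forward("dmz", "10.1.1.3", "3.3.3.3")
```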

 To prevent such failures, you can deploy two gateway firewalls at the network egress to form a dual-system hot backup network. When one firewall is faulty, service traffic can be smoothly switched to the other firewall without service interruption.
 To prevent the single points of failure caused by traditional router networking modes, you can usually use multiple links and rely on dynamic routing protocols for link switchover. However, this type of switchover has its disadvantages: if no dynamic routing protocol is available, link interruption occurs. To resolve this issue, the Virtual Router Redundancy Protocol (VRRP) was developed. VRRP-based link protection is much more reliable than protection using dynamic routing protocols, and the link switching time is shortened as well.

 VRRP is a basic fault-tolerant protocol.

 VRRP group: A group of routers in a broadcast domain form a virtual router, namely, a VRRP group. All the routers in the VRRP group use one virtual IP address, which is also the gateway IP address of the intranet.

 Active (master) router: Among all routers in the VRRP group, only one router is active, and the rest are in the standby state. Only the active router can forward packets that use the virtual IP address as the next-hop IP address.

 Standby (backup) router: All routers in the VRRP group except the active router function as standby routers.

 The active router periodically sends hello packets to the standby routers in multicast mode. The standby routers monitor the hello packets to prepare for switchover at any time. Because VRRP hello packets are multicast packets, the routers in the VRRP group must be connected through Layer 2 interfaces. Namely, when VRRP is enabled, the downstream or upstream devices must have the Layer 2 switching function; otherwise, the standby routers cannot receive the hello packets from the active router. If this networking requirement is not satisfied, you cannot use VRRP.

 The USG is a stateful firewall, which requires that the incoming and outgoing packets of a flow pass through the same firewall. To meet this requirement, the status of all VRRP groups on a firewall must be the same. That is, all the VRRP groups on the active firewall must be in the active state so that all packets pass through that firewall, while the other firewall acts as the standby firewall.
 As shown in the figure, if the VRRP status of all interfaces on USG A is active, and that of all interfaces on USG B is standby:

 PC1 in the Trust zone accesses PC2 in the Untrust zone, and the packet forwarding route is (1) - (2) - (3) - (4). USG A forwards the packet and dynamically generates a session entry. The return packet from PC2 goes through (4) - (3) to USG A. Because it matches the session entry, USG A forwards the packet through (2) - (1) to PC1. Similarly, PC2 and the server in the DMZ can also communicate with each other.

 If the VRRP status of the interfaces on USG A is inconsistent, and that on USG B is also inconsistent:

 For example, the interface on USG B connecting to the Trust zone is in the standby state, but the interface connecting to the Untrust zone is in the active state. A packet from PC1 reaches PC2 through USG A, and USG A dynamically generates a session entry in its session table. The return packet from PC2 travels on route (4) - (9). However, USG B does not have a session entry for the packet. If no other packet filtering rule allows this packet, USG B discards the packet, and the session is terminated.

 Cause of the problem: different packet forwarding mechanisms

 Router: The router looks up the routing table for each packet and forwards the packet only after a routing entry is found. When the link is switched, subsequent packets are not affected and continue to be forwarded.

 Stateful inspection firewall: If the firewall permits the first packet, it also creates a quintuple session entry. The firewall then forwards subsequent packets (including return packets) only if they match the session entry. If the link is switched, subsequent packets cannot match the correct entry, which causes service interruption.

 Note: The same problem occurs on a router with NAT configured, because a new entry is generated after NAT.

 In firewall applications, VRRP requires VRRP status consistency and session status backup.

 VGMP introduces the concept of a VRRP management group. Multiple VRRP groups of a firewall are added into one VRRP management group (VGMP group), and the VGMP group centrally manages all these VRRP groups. Through unified status switchover, the status of all the VRRP groups in the VGMP group is kept consistent.

 When the firewall's VGMP status is Active, all VRRP groups in the VGMP group are in the Active state, and all packets pass through this firewall. At this time, the VGMP status on the other firewall is Standby; that is to say, the other firewall is the standby firewall.

 You can set priorities for the VGMP groups to decide which firewall functions as the active firewall.

 The priorities of VGMP groups are dynamically adjusted on the basis of the status of the VRRP groups in the VGMP groups, which triggers active/standby switchover.

 Similar to VRRP, the active VGMP (in the Active state) periodically sends Hello packets to notify the peer of its operating status (including its priority and VRRP group status). Different from VRRP, the standby VGMP (in the Standby state) replies with an ACK message to the active VGMP upon receiving the Hello message. The ACK message contains the priority and VRRP group status information of the standby VGMP.

 The default interval for sending VGMP Hello messages is 1s. If the standby VGMP does not receive any Hello message within three intervals, it determines that the active VGMP is faulty and takes over as the active VGMP.
 Status consistency management

 The active/standby status change of each VRRP group must be reported to the related VGMP group, which permits or denies the status switchover of the VRRP group. If the switchover is necessary, the VGMP group centrally switches over the status of all VRRP groups. After a VRRP group is added into a VGMP group, its status cannot be switched independently.

 Preemption management

 The VRRP group has a preemption function. When the faulty active firewall recovers, its priority recovers as well, and it can preempt to become the active device again.

 The preemption function of the VGMP group is similar to that of the VRRP group. When a faulty VRRP group in the VGMP group recovers, the priority of the VGMP group also recovers. The VGMP group can then determine whether to restore the active state. If a VRRP group is added into a VGMP group, the preemption function of the VRRP group is disabled, and its preemption activity is determined by the VGMP group.
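An added Python model (not Huawei code) of the VGMP behaviour described in the last few bullets: a VRRP group fault lowers the VGMP priority and switches every VRRP group together, a recovered group preempts only after the preemption delay (60 s by default on the page), and three missed Hello intervals declare the active side faulty. The priority values, the per-fault penalty and the class names are assumptions for the demo.

```python
"""Added discrete-time model of two VGMP groups (not Huawei code)."""
from dataclasses import dataclass, field
from typing import Dict, Set

PENALTY = 2              # constructed: priority lost per faulty VRRP group
HELLO_TIMEOUT = 3        # page: three missed Hello intervals -> active is faulty
NO_RECENT_FAULT = 10**6  # "recovered long ago": preemption delay already expired


@dataclass
class VgmpGroup:
    name: str
    base_priority: int
    state: str                                           # "active" or "standby"
    preempt_delay: int = 60                              # hrp preempt delay, seconds
    vrrp: Dict[int, str] = field(default_factory=dict)   # vrid -> VRRP state
    failed: Set[int] = field(default_factory=set)        # vrids with a link fault
    alive: bool = True                                   # False: sends no Hello at all
    missed: int = 0                                      # Hellos missed while standby
    recovered_for: int = NO_RECENT_FAULT                 # seconds since last fault cleared

    @property
    def priority(self) -> int:
        # Priority is adjusted dynamically from the status of the VRRP groups.
        return self.base_priority - PENALTY * len(self.failed)

    def switch_all(self, state: str) -> None:
        """Status consistency: every VRRP group follows the VGMP group."""
        self.state = state
        for vrid in self.vrrp:
            self.vrrp[vrid] = state

    def vrrp_link_down(self, vrid: int) -> None:
        self.failed.add(vrid)

    def vrrp_link_up(self, vrid: int) -> None:
        self.failed.discard(vrid)
        self.recovered_for = 0        # the preemption delay starts now


def tick(x: VgmpGroup, y: VgmpGroup) -> None:
    """One Hello interval (1 s): the active side sends Hello with its priority and
    VRRP status; the standby side answers with an ACK carrying its own."""
    for g in (x, y):
        g.recovered_for += 1
    act, stb = (x, y) if x.state == "active" else (y, x)
    if not act.alive:
        stb.missed += 1
        if stb.missed >= HELLO_TIMEOUT:
            stb.switch_all("active")
            act.switch_all("standby")
            stb.missed = 0
        return
    stb.missed = 0
    # Both priorities are now known on both sides: a standby with the higher
    # priority takes over, but only once its preemption delay has expired.
    if stb.priority > act.priority and stb.recovered_for >= stb.preempt_delay:
        stb.switch_all("active")
        act.switch_all("standby")


def scenario(preempt_delay: int = 60) -> dict:
    # Constructed: the designated standby gets a slightly lower base priority.
    a = VgmpGroup("USG A", 45000, "active", preempt_delay, {1: "active", 2: "active"})
    b = VgmpGroup("USG B", 44999, "standby", preempt_delay, {1: "standby", 2: "standby"})
    out = {}
    # 1. The link behind VRRP group 1 on A fails: A's priority drops below B's and
    #    both VRRP groups switch together, including the healthy group 2.
    a.vrrp_link_down(1)
    tick(a, b)
    out["after_link_fault"] = (a.state, b.state, a.vrrp[2], b.vrrp[2])
    # 2. The link recovers; A may preempt only after preempt_delay seconds.
    a.vrrp_link_up(1)
    for _ in range(preempt_delay - 1):
        tick(a, b)
    out["before_delay_expires"] = (a.state, b.state)
    tick(a, b)
    out["after_delay_expires"] = (a.state, b.state)
    # 3. A stops sending Hello; B waits for three missed intervals before acting.
    a.alive = False
    for _ in range(HELLO_TIMEOUT - 1):
        tick(a, b)
    out["two_hellos_missed"] = (a.state, b.state)
    tick(a, b)
    out["three_hellos_missed"] = (a.state, b.state)
    return out


if __name__ == "__main__":
    for phase, states in scenario().items():
        print(f"{phase:>22}: {states}")
```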
 If the active firewall is faulty, all traffic is switched over to the standby firewall. However, the USG is a stateful firewall, and the standby firewall denies the traffic if it has not synchronized the connection status from the active firewall, causing connection interruption. In this case, the user has to reinitiate a connection.

 The HRP module provides the basic data backup mechanism and transmission function. Each application module collects its data to be backed up and sends it to the HRP module. The HRP module sends the data to the corresponding application modules of the peer firewall. The corresponding application modules resolve the data sent from the HRP module and add the resolved results to the dynamic data pool of the firewall.

 Backup content

 The connection status data to be backed up includes the TCP/UDP session table, server-map entries, the dynamic blacklist, NO-PAT entries, and ARP entries. When the standby firewall lacks any of this data, it denies the traffic switched over from the active firewall, causing connection interruption.

 Backup direction

 Backup mode

 Batch backup: After the first negotiation between the two firewalls, all the data is backed up in batches.

 Real-time backup: New or refreshed data is backed up in real time during firewall operation.

 Quick session backup.

 Backup channel

 Under normal circumstances, the directly connected ports on the two firewalls form a backup channel, also called a heartbeat link. (VGMP also communicates through this link.) The ports of the backup channel must be the main interfaces of the interface boards; GE and Eth-Trunk interfaces are supported, but POS and IP-Trunk interfaces are not.

 You can run the hrp interface interface-name command to configure the backup channel.

 On a network with inconsistent forward and return paths, the forward and return packets of a service flow may pass through different firewalls. For this reason, the quick session backup function was developed on firewalls. Owing to this function, after a session is created by the first packet, the session information is immediately synchronized to the peer firewall before the packet is forwarded. This ensures that the peer firewall receives the session information and adds it to its session table before it receives the return packet. Without this function, for a connection requiring the TCP three-way handshake, when the SYN-ACK packet returns through the peer firewall, the peer firewall cannot find the session information; therefore, the connection cannot be established. For a UDP session, when the first return packet returns through the peer firewall, the peer firewall cannot find the session information either; therefore, the packet filtering procedure is required, causing packet loss.

 In most cases, session information of TCP connections and of packets with status changes is synchronized to the peer firewall if they match a session entry. These packets include three-way handshake packets, FIN packets, and RST packets. For UDP sessions, quick session backup refers to immediate session information backup after the session is created. Subsequent packets are also backed up to prevent the session information from aging.
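The stateful-inspection failure on an inconsistent path (from the USG A/USG B discussion earlier) and the quick session backup fix, as an added Python model that is not Huawei's code: two firewalls share session state either before forwarding (quick backup) or through a queue that is delivered later (real-time backup). The Firewall and Packet classes, the policy rule and the addresses are assumptions for the demo.

```python
"""Added model of session backup between two hot-standby firewalls (not Huawei code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Quintuple = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""          # "SYN", "SYN-ACK", "ACK", "FIN", "RST" for TCP

    def key(self) -> Quintuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> Quintuple:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Firewall:
    name: str
    quick_backup: bool = False
    peer: Optional["Firewall"] = None
    sessions: Dict[Quintuple, str] = field(default_factory=dict)         # quintuple -> state
    pending: List[Tuple[Quintuple, str]] = field(default_factory=list)   # real-time backup queue

    @staticmethod
    def policy_permits(pkt: Packet) -> bool:
        # Constructed rule: only the intranet (10.0.0.0/8) may initiate sessions.
        return pkt.src.startswith("10.")

    def _sync(self, key: Quintuple, state: str) -> None:
        if self.peer is None:
            return
        if self.quick_backup:
            self.peer.sessions[key] = state     # delivered before the packet leaves
        else:
            self.pending.append((key, state))   # delivered later, see hrp_flush()

    def hrp_flush(self) -> None:
        """Deliver queued real-time backup data to the peer firewall."""
        for key, state in self.pending:
            self.peer.sessions[key] = state
        self.pending.clear()

    def handle(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one packet."""
        for key in (pkt.key(), pkt.reverse_key()):
            if key in self.sessions:
                # Subsequent packet of a known session (return packets included).
                if pkt.flags in ("SYN-ACK", "ACK", "FIN", "RST"):
                    self.sessions[key] = pkt.flags   # TCP status change ...
                    self._sync(key, pkt.flags)       # ... is backed up as well
                return "forward"
        if not self.policy_permits(pkt):
            return "drop"          # first packet of an unknown flow, not permitted
        state = "SYN" if pkt.proto == "tcp" else "UDP"
        self.sessions[pkt.key()] = state
        self._sync(pkt.key(), state)
        return "forward"


def pair(quick: bool) -> Tuple[Firewall, Firewall]:
    a, b = Firewall("USG A", quick), Firewall("USG B", quick)
    a.peer, b.peer = b, a
    return a, b


# Constructed flow: PC1 (10.1.1.10) opens a TCP connection to PC2 (3.3.3.3).
SYN = Packet("tcp", "10.1.1.10", 40000, "3.3.3.3", 80, "SYN")
SYN_ACK = Packet("tcp", "3.3.3.3", 80, "10.1.1.10", 40000, "SYN-ACK")


def symmetric_path() -> List[str]:
    """Both directions through USG A: the return packet hits the session."""
    a, _ = pair(quick=False)
    return [a.handle(SYN), a.handle(SYN_ACK)]


def asymmetric_no_backup() -> List[str]:
    """SYN via A, SYN-ACK via B, no HRP: B has no session and drops it."""
    a, b = pair(quick=False)
    a.peer = b.peer = None
    return [a.handle(SYN), b.handle(SYN_ACK)]


def asymmetric_realtime_backup() -> List[str]:
    """Real-time backup arrives after the SYN-ACK: first attempt fails, retry works."""
    a, b = pair(quick=False)
    first = a.handle(SYN)
    too_early = b.handle(SYN_ACK)   # backup data still queued on A
    a.hrp_flush()
    return [first, too_early, b.handle(SYN_ACK)]


def asymmetric_quick_backup() -> Tuple[List[str], str]:
    """Quick session backup: B already has the session when the SYN-ACK arrives."""
    a, b = pair(quick=True)
    results = [a.handle(SYN), b.handle(SYN_ACK)]
    return results, a.sessions[SYN.key()]   # B's status change was synced back to A
```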
 In the most common dual-system hot backup networks, the firewalls work in routing mode and connect to switches on the downstream links. Under normal circumstances, firewall A is the active firewall. If the upstream or downstream link of firewall A goes down, firewall B automatically takes over, and the traffic from the switches is then sent to firewall B.
 The active VGMP group sends one VRRP packet every two seconds by default, and the interval can be modified in the interface view. In the interface view, run the following command to modify the VRRP packet interval:

 vrrp vrid virtual-router-ID timer advertise adver-interval

 The VRRP function can cooperate with the IP-link function: if the upstream link goes down, the VRRP function can perform the active/standby switchover. Configure IP-link in the interface view:

 vrrp vrid virtual-router-id ip-link link-id

 By default, the VGMP group preemption function is enabled, and the default preemption delay is 60s. Run the following command to set the VGMP group preemption delay:

 hrp preempt [ delay interval ]

 The interface type and number of the two heartbeat interfaces on the USGs must be the same, and the heartbeat interfaces cannot be Layer 2 Ethernet interfaces. The USGs can use Eth-Trunk interfaces as heartbeat interfaces to ensure reliability and increase bandwidth. The heartbeat interfaces can connect to each other directly or through devices in between, such as switches and routers. If there is a device in between, you must set the remote parameter to specify the peer IP address.

 After HRP is enabled, the USGs negotiate to determine the active and standby USGs (displayed as HRP_A and HRP_S). Then the active USG backs up configuration and connection information to the standby USG.

 If configuring the standby device is allowed, all information to be backed up can be configured directly on the standby USG, and the configuration is synchronized to the active USG. If a specific setting is performed on both the active and standby USGs, the setting performed later overwrites the one configured earlier.

 If the USGs work in load balancing mode, the forward and return packet paths may differ. Therefore, you must enable quick session backup to synchronize session information immediately to the other USG, which ensures service continuity.
 VRRP group 2 configuration on USG-A
[USG-A] interface GigabitEthernet 1/0/3
[USG-A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[USG-A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 active
 VRRP group 2 configuration on USG-B
[USG-B] interface GigabitEthernet 1/0/3
[USG-B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[USG-B-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 standby
 View the status information about the standby firewall:
HRP_S[USG_B] display hrp state
The firewall's config state is: STANDBY
Current state of virtual routers configured as slave:
GigabitEthernet1/0/1 vrid 1 : slave
GigabitEthernet1/0/3 vrid 2 : slave
Answer:
 True or False
 F
 Single
 A
 Currently, application-layer attacks are booming, threatening network security and driving the demand for network access control. Enterprises are searching for ways to precisely identify users, ensure the normal operation of legitimate applications, and block applications that may bring security risks. However, IP addresses and ports are no longer sufficient to distinguish users and applications. Traditional access control policies based on quintuples cannot cope with the changes in the current network environment.
Example:
1. When a user accesses the Internet, the user needs to enter a username and password for authentication.
2. After authentication, the firewall starts to authorize the user and grant permissions for the user to access different resources, such as baidu.com or google.com.
3. During user access, accounting is performed on the user to record the operations and online duration of the user.
 Authentication mode:
 What I know: includes the information that a user knows (password, knowledge, and experience)
 What I have: includes the items that a user has (token cards, smart cards, and bank cards)
 What I am: includes the biological features that the user has (fingerprint, voice, iris, and DNA)
 Authorizes users to access service resources, such as public resources and sensitive service resources.
 Authorizes users to use certain commands to manage the USG, such as the display, delete, and copy commands.
 How long did the user use the service?
 How much did the user spend?
 What has the user done during that time?
 No authentication
 No authentication is performed on trusted users. In most cases, this authentication mode is not recommended.
 Local authentication:
 Configures user information, including the user name, password, and attributes of local users, on a Network Access Server (NAS). Local authentication features fast processing and low operation cost. The major limitation of local authentication is that the hardware restricts the capacity of information storage.
 Remote authentication:
 Configures user information, including the user name, password, and attributes, on a third-party authentication server. AAA can remotely authenticate users through the Remote Authentication Dial In User Service (RADIUS) protocol or the Huawei Terminal Access Controller Access Control System (HWTACACS) protocol.
 RADIUS is one of the most commonly used protocols for implementing AAA. The RADIUS protocol was initially used for managing a large number of scattered users who use serial interfaces and modems. Now this protocol is widely applied to the NAS system. The NAS transfers user authentication and accounting information to the RADIUS server. The RADIUS protocol defines how the NAS and RADIUS server exchange user authentication and accounting information as well as authentication and accounting results. The RADIUS server receives connection requests from users, authenticates the users, and returns authentication results to the NAS.
 Using the User Datagram Protocol (UDP) as the transport protocol, RADIUS offers good real-time performance. Owing to the retransmission mechanism and the standby server mechanism, RADIUS is highly reliable.
 The main process of RADIUS message transmission between the server and the client is as follows:
 When logging in to a network device such as a USG or an access server, the user sends the user name and password to the network device.
 After the RADIUS client (a NAS) on this network receives the user name and password, it sends an authentication request to the RADIUS server.
 If the request is valid, the server completes the authentication and sends the required authorization information back to the client. If the request is invalid, the server sends authorization failure information back to the client.
 RADIUS Message Structure
 Code: the message type, such as Access-Request, Access-Accept, or Accounting-Request.
 Identifier: an ascending sequence number; the Identifier of a response packet must match that of the corresponding request packet.
 Length: the total length of all fields.
 Authenticator: used to verify the validity of RADIUS messages.
 Attribute: Attributes specify the contents of a message, including various attributes related to the user.
 RADIUS message exchange process:
 User inputs username/password
 Access-Request
 Access-Accept
 Accounting-Request (start)
 Accounting-Response
 User accesses resources
 Accounting-Request (stop)
 Accounting-Response
 Notifies the PC of access termination
 Code:
 Access-Request
 Access-Accept
 Access-Reject
 Accounting-Request
 Accounting-Response
 Access-Challenge
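The message structure and the exchange above, worked through in Python as an added example (this is not code from the course material or from the USG). It builds the 20-byte header (Code, Identifier, Length, Authenticator) plus Type-Length-Value attributes, hides the User-Password the way RFC 2865 specifies, and checks a server response the way a careful NAS should: the Identifier must match the outstanding request and the Response Authenticator must prove the sender knew the shared secret. The shared secret, identifier, user name and password are constructed for the demonstration.

```python
# Added example (not from the course material): RADIUS message handling per
# RFC 2865/2866. Secret, identifier and user values are constructed.
import hashlib
import hmac
import os
import struct

# Code values for the message types listed in the text
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def encode_attrs(attrs):
    """Serialize (type, value) pairs as Type-Length-Value triples."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    """Parse TLV attributes, refusing truncated or overlapping entries."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password as the server applies it; chains on ciphertext blocks."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Client (NAS) side: fresh random Request Authenticator, hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def build_response(code, request, secret, attrs=()):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(list(attrs))
    header = HEADER.pack(code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def parse_packet(data):
    """Split a datagram into header fields and attributes; bytes past Length are padding."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = HEADER.unpack(data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with datagram size")
    return {"code": code, "name": CODE_NAMES.get(code, "Unknown"), "identifier": identifier,
            "length": length, "authenticator": data[4:20],
            "attributes": decode_attrs(data[20:length])}


def verify_response(response, request, secret):
    """Accept a response only if its Identifier matches the outstanding request and its
    Response Authenticator was computed with the shared secret (constant-time compare)."""
    parsed = parse_packet(response)
    if parsed["identifier"] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20]
                           + response[20:parsed["length"]] + secret).digest()
    return hmac.compare_digest(expected, parsed["authenticator"])
```

A response whose Identifier does not match, or whose Authenticator was computed with a different secret, is dropped rather than reported as an authentication failure; the Identifier check is also what lets the retransmission mechanism mentioned above pair a late response with its request.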
 The C/S-based LDAP server authenticates the requests from the application server and specifies the resources accessible to the given application server.
 HWTACACS is a security protocol whose functions are enhanced on the basis of TACACS defined in RFC 1492. It is used mainly for access user authentication, authorization, and accounting.
 Local authentication
 User information is saved on an NGFW. If a user sends the user name and password to the NGFW, the NGFW authenticates the user itself.
 Server authentication
 User information is not saved on an NGFW. If a user sends the user name and password to the NGFW, the NGFW forwards the user information to a third-party authentication server for identity authentication.
 Single Sign-On (SSO)
 A user sends the user name and password to a third-party authentication server. After authenticating the user, the third-party authentication server sends the user information to an NGFW. The NGFW records the user information.
 The NGFW authenticates Internet access users when they access Internet resources or intranet resources. The NGFW authenticates remote access users when they connect to the NGFW and performs a second authentication on them when necessary.
 Users are labeled through authentication and added to different user groups. The user groups are granted different permissions and applications to ensure security.
 For example:
 The employees of an enterprise are added to user groups, and network behavior control and audit are performed based on the users or user groups.
 By creating policies based on users or user groups in a visualized manner, the function enhances policy usability.
 The system analyzes the statistics on application types, threats, and data transmission behaviors according to the information displayed in reports, and analyzes online behaviors to trace and audit specific users instead of specific IP addresses.
 This function resolves the issue of analyzing the behaviors of users whose IP addresses change frequently on the live network.
 An administrator can manage, configure, and maintain the USG by any of the following methods:
 Console
 Web
 Telnet
 FTP
 SSH
 Access user
 An access user is a user who uses the 802.1X protocol or the Point-to-Point Protocol (PPP) to access a certain network.
 802.1X
 PPP
 SSL
 Internet access user
 An Internet access user is a distinguishing entity of the Internet access behavior and the basic management unit of Internet access permissions. The device authenticates the user accessing the Internet and performs the control action specified in the policy applied to the user.
 The administrator can log in to the USG in the following modes to manage, configure, and maintain the device:
 Console
 The console port provides command lines for the administrator to manage the device, usually for the following purposes:
 Configuring the USG for the first time or when the configuration file is lost.
 When the USG cannot be started normally, you can diagnose the system or enter the BootROM system through the console port to upgrade the system.
 Web
 Access the device through HTTP or HTTPS to configure and manage the device.
 Telnet
 Log in to the device through Telnet and use commands to implement local or remote configuration.
 FTP
 The FTP administrator uploads files to or downloads files from the storage space of the device. The device functions as an FTP server for FTP-based management.
 SSH
 Logging in through SSH provides secure information transmission and strong authentication, which protects the device system from attacks such as IP spoofing. In this case, the USG functions as an SSH server.
 CLI:
 Step 1: User-interface
 Console:
[USG] user-interface console 0
[USG-ui-con0] authentication-mode aaa
 Telnet:
[USG] user-interface vty 0 3
[USG-ui-vty0-3] authentication-mode aaa
 Step 2: AAA View
[USG] aaa
[USG-aaa] manager-user client001
[USG-aaa-manager-user-client001] password cipher Admin@123
[USG-aaa-manager-user-client001] service-type terminal telnet ftp
[USG-aaa-manager-user-client001] level 3
[USG-aaa-manager-user-client001] ftp-directory hda1:
 Enable the SSH service on the USG
[USG] stelnet server enable
Info: The Stelnet server is already started.
 Set a password for the SSH user
[USG] aaa
[USG-aaa] manager-user sshuser
[USG-aaa-manager-user-sshuser] ssh authentication-type password
[USG-aaa-manager-user-sshuser] password cipher Admin@123
[USG-aaa-manager-user-sshuser] service-type ssh
 After the configuration, run SSH client software and set up an SSH connection to the firewall.
 Enabling the web management function.
[USG] web-manager security enable port 6666
 Create a Web user.
[USG] aaa
[USG-aaa] manager-user webuser
[USG-aaa-manager-user-webuser] password cipher Admin@123
[USG-aaa-manager-user-webuser] service-type web
[USG-aaa-manager-user-webuser] level 3
 Authentication Policy
 An authentication policy triggers authentication exemption or redirected authentication for Internet access users, or redirected authentication for remote access users who have connected to an NGFW.
 An authentication policy helps you identify the data flows on which authentication exemption or redirected authentication is implemented. The NGFW identifies the users to be exempted from authentication based on their IP-MAC mappings. The NGFW pushes authentication web pages to users on whom redirected authentication is implemented. The authentication policy does not take effect when Single Sign-On (SSO) or user-initiated authentication is implemented.
 Authentication Domain
 Authentication domains are important in the authentication process. The authentication domain configuration determines the user authentication mode and the user organizational structure.
 Authentication domains have different functions for users with different authentication modes:
 For a local/server authentication user, the authentication domain determines the authentication mode (either local or server authentication). If the server authentication mode is used, the authentication domain also determines a specific authentication server.
 For an SSO user, the NGFW only receives user login and logout messages from the authentication server and does not participate in user authentication. Therefore, the authentication mode set for the authentication domain does not take effect on SSO users. Only the "New User Authentication Item" setting in the authentication domain that has the same name as the user domain (dc field) takes effect on SSO users.
 An NGFW identifies authentication domains in user names and authenticates users by authentication domain.
 To enable differentiated management over users and departments, enterprises need to plan and manage the organizational structures in advance. The firewall can create a tree structure similar to the enterprise's administrative structure.
 The device regulates the relationship between users and user groups as follows:
 The system has a root group that exists by default. Other user groups are subgroups of the root group, or subgroups of subgroups.
 Each user group can have multiple users and user groups, but each user group belongs to only one parent group.
 Each user belongs to at least one user group or to multiple user groups.
 Each user or user group can be referenced in security policies and traffic limiting policies for user-specific permission and bandwidth control.
 If another identity authentication system is deployed on the network, the device can use single sign-on (SSO) to identify the authenticated users. After that, the users do not need to re-enter their user names and passwords.
 The user and the AD server interact to complete the authentication without the involvement of the USG.
 The AD monitoring service does the following:
 Upon passing the authentication, the PC sends an authentication success message to the AD monitoring service with the user name and IP address.
 The AD monitoring service searches for the information about the user according to the obtained user name and IP address.
 The AD monitoring service sends the obtained user name, user group name, and IP address to the USG (retransmission on packet loss is supported).
 The USG does the following:
 Receives and resolves the packets from the AD server.
 Creates a user entry in the monitoring table according to the received user login information.
 In this mode, the plug-in does not need to be installed on the AD server. The NGFW listens to the authentication packets sent by users who log in to the AD server (AD domain controller) to obtain authentication results. If a user is authenticated, the NGFW adds the mapping between the user name and the user's IP address to the online user list.
 When the NGFW is deployed between users and the AD server, the NGFW can obtain the authentication packets. If the authentication packets do not pass through the NGFW (as shown in the figure), the messages carrying authentication results from the AD server must be mirrored to the NGFW.
 The firewall also supports TSM SSO and RADIUS SSO.
 Web Redirection Authentication
1. The PC accesses www.google.com.
2. The firewall sends a redirection packet and pushes a web authentication page.
3. The user inputs the user name and password.
4. The user passes the authentication.
5. After being authenticated, the user is directed to the originally visited Google page or to the page specified by the administrator.
 Login process for Internet access users:
1. To access the Internet address 1.1.1.1, the user first accesses HTTP 192.168.1.1.
2. The firewall pushes a new web page: User=? Password=?
3. The user submits User=*** Password=***.
4. The user passes authentication and a connection is created.
5. The user accesses the Internet address 1.1.1.1, and the firewall creates a session.
 Configuring a User or User Group:
 Before the USG performs user-specific and user group-specific management, users and user groups must be created. Users and user groups can be created by manual configuration, local import, or server import.
 Configuring a user or user group manually
 The USG has a root group by default.
 This step is mandatory if user-specific network permission authorization is required.
 To implement local password authentication on users, you must create local users first and configure local passwords.
 Local import
 The administrator can import user information from CSV and DBM files to the local device.
 Importing users or user groups from the server
 When an enterprise uses a third-party authentication server and this authentication server stores the information of all users and user groups, the administrator can import the user and user group information from the third-party server to the device.
 Configuring authentication options consists of Setting Global Parameters, Configuring SSO, and Customizing an Authentication Web Page.
 Setting global parameters involves the following operations:
 Configure password strength, mandatory password change upon first login, and password expiration settings.
 Set the handling method for authentication conflicts.
 Set the page to which users are redirected after authentication.
 Set the protocol and port used by an authentication web page.
 Set the maximum number of failed login attempts, lockout duration, and online timeout period.
 SSO includes AD Single Sign-On (SSO), TSM SSO, and RADIUS SSO. In this book, we only introduce AD SSO.
 Customizing an Authentication Web Page lets you customize the logo, background image, welcome message, or help message as required.
 To trigger redirected authentication on Internet access users or remote access users who have connected to an NGFW, the traffic must match an authentication policy.
 An authentication policy is a set of authentication rules. An NGFW matches packets with multiple authentication rules from top to bottom. If the attributes of a packet match all the conditions of an authentication rule, the rule is successfully matched, and the NGFW does not match the packet with other rules. If no rule is matched, the NGFW applies the default authentication policy to the packet.
 The NGFW has a default authentication policy with all matching conditions set to any and the action set to No authentication.
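The top-to-bottom, first-full-match evaluation described above, modelled in Python as an added example (not the NGFW's own matching code). Zone names, the address ranges, the AD server address and the action names (no-auth, redirect) are constructed for the demonstration; the rule set also shows the exemption for AD authentication traffic that the SSO deployment notes later call for. Only source/destination zone and source/destination address are modelled as conditions, and a condition left at any always matches.

```python
# Added example (not the NGFW's own code): first-match evaluation of an
# authentication policy. Zones, addresses and action names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class AuthRule:
    name: str
    action: str            # "no-auth" or "redirect" (illustrative names)
    src_zone: str = ANY
    dst_zone: str = ANY
    src_net: str = ANY     # CIDR or "any"
    dst_net: str = ANY

    def matches(self, pkt):
        """All configured conditions must hold; a condition set to any always holds."""
        return all((
            self.src_zone in (ANY, pkt.src_zone),
            self.dst_zone in (ANY, pkt.dst_zone),
            self.src_net == ANY or ip_address(pkt.src_ip) in ip_network(self.src_net),
            self.dst_net == ANY or ip_address(pkt.dst_ip) in ip_network(self.dst_net),
        ))


# Default policy: every condition any, action No authentication
DEFAULT_RULE = AuthRule("default", "no-auth")


def evaluate(rules, pkt):
    """Walk the rules top to bottom; the first full match wins, otherwise the default applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return DEFAULT_RULE


# Constructed policy: exempt traffic to the AD server, exempt a printer subnet,
# and redirect every other trust -> untrust flow to the authentication page.
AD_SERVER = "10.10.10.5"            # placeholder address, not from the course material
RULES = [
    AuthRule("exempt-ad-auth", "no-auth", src_zone="trust", dst_zone="dmz",
             dst_net=AD_SERVER + "/32"),
    AuthRule("exempt-printers", "no-auth", src_zone="trust", src_net="192.168.10.0/24"),
    AuthRule("redirect-internet", "redirect", src_zone="trust", dst_zone="untrust"),
]


def decide(pkt, rules=RULES):
    """Return (rule name, action) for a packet."""
    rule = evaluate(rules, pkt)
    return rule.name, rule.action
```

Because the first full match ends the search, rule order is part of the policy: moving the redirect rule above the printer exemption would send printer traffic to the authentication page, which is the kind of change a review of the rule list should catch.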
 In this book, we only take the RADIUS server and the AD server as examples.
 If a RADIUS server is deployed to implement server authentication on users, an NGFW sends the user names and passwords to the RADIUS server.
 In the AD SSO scenario, set the parameters for an NGFW to communicate with an AD server so that user information on the AD server can be imported to the NGFW.
 Group/User
 Before the device can perform user-specific and user group-specific management, users and user groups must exist on the device. You can manually create a user or user group at the Group/User node.
 Creating a user group
 The root group is a default group and cannot be deleted. You cannot rename the root group but can assign it a description for identification.
 All the other user groups have the same ultimate owning group, the root group.
 Choose Object > User > User/Group.
 Select an authentication domain for which the user group is created. By default, only the default authentication domain is available.
 In Member Management, click Add and select Create Group.
 Creating a user
 Creating a user applies to the circumstance in which users are created one by one instead of in a batch. Besides all the configuration items involved in Creating Multiple Users, the operation of creating a user also includes the setting of the display name and the bidirectional IP/MAC address binding.
 Choose Object > User > User/Group.
 Expiration time
 The time at which the user's account expires.
 Allow users to share this account to log in
 If this option is selected, the login name of a user can be used by multiple users to log in concurrently, namely, this login name can be used concurrently on multiple PCs.
 If this option is cleared, the login name can be used on only one PC at a time.
 IP/MAC binding
 Method of binding the user and the IP/MAC address.
 If No binding is selected, the user is not bound to the IP/MAC address. The PCs within the IP address range specified by the authentication policy can log in using the user account.
 If Unidirectional binding is selected, the user must use the specified IP/MAC address for identity authentication. However, other users can also use the same IP/MAC address for identity authentication.
 If Bidirectional binding is selected, the user must use the specified IP/MAC address for identity authentication, and other users cannot use the same IP/MAC address for identity authentication.
 IP/MAC Address
 IP address, MAC address, or IP/MAC address pair bound to the user.
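The account sharing option and the three binding modes just described, worked through as an added example in Python (not the NGFW's own logic). A login attempt from a (IP, MAC) endpoint is checked against the user's own binding, against bidirectional bindings that reserve the endpoint for another user, and against the online user list when sharing is disabled. The users, addresses and MAC values are constructed; an unset IP or MAC component models an IP-only or MAC-only binding.

```python
# Added example (not the NGFW's own code): admission checks for account sharing
# and No/Unidirectional/Bidirectional IP/MAC binding. Users and addresses are
# constructed for the demonstration.
from dataclasses import dataclass, field
from typing import Optional

NO_BINDING, UNIDIRECTIONAL, BIDIRECTIONAL = "none", "unidirectional", "bidirectional"


@dataclass
class LocalUser:
    name: str
    binding: str = NO_BINDING
    bound_ip: Optional[str] = None      # None = not part of the binding (MAC-only binding)
    bound_mac: Optional[str] = None     # None = not part of the binding (IP-only binding)
    allow_shared_login: bool = False

    def endpoint_matches(self, ip, mac):
        """True when the endpoint agrees with every bound address component."""
        return ((self.bound_ip is None or self.bound_ip == ip)
                and (self.bound_mac is None or self.bound_mac == mac))


@dataclass
class OnlineUsers:
    """Online user list: one (login name, IP, MAC) entry per authenticated PC."""
    sessions: list = field(default_factory=list)

    def pcs_of(self, name):
        return [(ip, mac) for n, ip, mac in self.sessions if n == name]


def check_login(user, ip, mac, all_users, online):
    """Return (allowed, reason) for an authentication attempt from (ip, mac)."""
    if user.binding in (UNIDIRECTIONAL, BIDIRECTIONAL) and not user.endpoint_matches(ip, mac):
        return False, "user must authenticate from the bound IP/MAC address"
    # a bidirectional binding also reserves the address for its owner
    for other in all_users.values():
        if (other.name != user.name and other.binding == BIDIRECTIONAL
                and other.endpoint_matches(ip, mac)):
            return False, f"address is bidirectionally bound to {other.name}"
    if not user.allow_shared_login and any(pc != (ip, mac) for pc in online.pcs_of(user.name)):
        return False, "account already online on another PC and sharing is disabled"
    return True, "ok"


def login(name, ip, mac, all_users, online):
    """Apply the check and record the session when it passes."""
    user = all_users[name]
    allowed, reason = check_login(user, ip, mac, all_users, online)
    if allowed and (name, ip, mac) not in online.sessions:
        online.sessions.append((name, ip, mac))
    return allowed, reason


# Constructed local user directory
USERS = {u.name: u for u in [
    LocalUser("alice", BIDIRECTIONAL, "10.1.1.10", "00:11:22:33:44:10"),
    LocalUser("bob", UNIDIRECTIONAL, "10.1.1.20", "00:11:22:33:44:20"),
    LocalUser("carol", NO_BINDING, allow_shared_login=True),
    LocalUser("dave", NO_BINDING),
]}
```

The difference between the two binding modes is visible in the checks: a unidirectional binding constrains only its owner, so another account can still authenticate from that endpoint, while a bidirectional binding is the only mode that ties the endpoint to one account in both directions.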
 Portal authentication requires a portal server to complete the authentication. The portal server needs to provide and push an authentication page to users. At present, the NGFW can interconnect with Huawei Agile Controller or Policy Center.
 When configuring web redirection authentication, a security policy that permits traffic to port 8887 of the local firewall is also required.
 Without the plug-in, the NGFW cannot obtain user logout messages. Users go offline only when their connections time out.
 If an NGFW is deployed between the users and the AD domain controller, authentication packets must pass through the NGFW. To apply the SSO function, configure an authentication policy to exempt the authentication packets from authentication. In addition, the authentication packets must pass the security check of the security policy of the NGFW. Therefore, the administrator needs to configure the following security policy on the NGFW:
 Source Zone: indicates the security zone where the PC resides.
 Destination Zone: indicates the security zone where the AD server resides.
 Destination Address: indicates the IP address of the AD server.
 Action: permit.
 To trigger redirected authentication on Internet access users or remote access users who have connected to an NGFW, you must configure an authentication policy.
 Importing Users in Batches from a CSV File
 User import from a CSV file is performed as follows:
 Edit the user information (login names, display names, group paths, user description, and local passwords) in a CSV file. Then import the user information included in the CSV file into the memory of the device.
 Import the user information included in a CSV file that has been exported from a device into the device memory.
 Choose Object > User > User Import > Local Import or Object > User > User/Group > Member Management > Import to download a CSV template.
 Read the instructions on the CSV template and fill in the user information.
 Importing Users in Batches from the Authentication Server
 When an enterprise uses a third-party authentication server and this authentication server stores the information of all users and user groups, the enterprise can import user and user group information from the third-party server to the device.
 The device supports import from only the AD and LDAP servers.
 Choose Object > User > User Import > Server Import.
 Click Add.
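An added Python example (not the NGFW's import routine) that ties the CSV import above to the user/group rules stated earlier: it reads a constructed CSV carrying the fields the text names (login name, display name, group path, description, local password), builds the group tree under the root group so that every group has exactly one parent and the root is every group's ultimate owner, places each user in a group, and rejects rows with a missing login name, a duplicate login name, or no local password. The column names, paths and users are constructed; the device's real template layout may differ.

```python
# Added example (not the NGFW's own code): CSV user import that builds the
# root-based group tree and enforces the user/group rules from the text.
# Column names, group paths and users are constructed.
import csv
import io

SAMPLE_CSV = """login_name,display_name,group_path,description,password
user_0001,Alice Li,/research/dev,R&D developer,Admin@123
user_0002,Bob Wang,/research/test,R&D tester,Admin@123
user_0003,Carol Zhang,sales/,Sales,Admin@123
user_0004,Dan Liu,/,Contractor placed in the root group,Admin@123
"""
ROOT = "/"
COLUMNS = ("login_name", "display_name", "group_path", "description", "password")


def normalize_path(raw):
    """Canonical form: leading slash, no trailing slash, no empty segments."""
    parts = [p for p in raw.strip().split("/") if p]
    return ROOT if not parts else "/" + "/".join(parts)


class GroupTree:
    def __init__(self):
        self.parent = {ROOT: None}   # the root group is the only group without a parent
        self.children = {ROOT: set()}
        self.users = {}              # login name -> group path (one group per user here)

    def ensure_group(self, path):
        """Create the group and any missing intermediate groups, each with exactly one parent."""
        if path in self.parent:
            return
        parent = normalize_path(path.rsplit("/", 1)[0])
        self.ensure_group(parent)
        self.parent[path] = parent
        self.children[parent].add(path)
        self.children[path] = set()

    def ancestors(self, path):
        """Group chain up to the root; the last element is always the root group."""
        chain = []
        while path is not None:
            chain.append(path)
            path = self.parent[path]
        return chain

    def members(self, path):
        return sorted(u for u, g in self.users.items() if g == path)


def import_csv(text):
    """Return (tree, errors); a row with an error is skipped, the other rows are imported."""
    tree, errors, seen = GroupTree(), [], set()
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or tuple(reader.fieldnames) != COLUMNS:
        return tree, ["header does not match the template columns"]
    for lineno, row in enumerate(reader, start=2):
        login = (row["login_name"] or "").strip()
        if not login:
            errors.append(f"line {lineno}: missing login name")
            continue
        if login in seen:
            errors.append(f"line {lineno}: duplicate login name {login}")
            continue
        if not (row["password"] or "").strip():
            errors.append(f"line {lineno}: local password required for local authentication")
            continue
        group = normalize_path(row["group_path"] or "")
        tree.ensure_group(group)
        tree.users[login] = group      # every user belongs to at least one group
        seen.add(login)
    return tree, errors
```

Rejecting rather than silently repairing bad rows matters for an identity import: a duplicate login name would otherwise let a later row overwrite an earlier user's group placement and password.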
 The administrator can view the list of online users that have already been authenticated. The administrator can also manage these users, for example, by forcing an online user off.
 Viewing an Online User
 Choose Object > User > Online User.
 Specify the online users to be viewed.
 You can specify the online users to be viewed using either of the following methods:
 In Organizational Structure, click the user group to which the online users belong. All online users of the user group are displayed in Online User List.
 Use the basic search or advanced search function to find the online users. The search results are displayed in Online User List.
 Forcing off an online user
 Choose Object > User > Online User.
 Specify the online user to be forcibly logged out.
 You can specify the online user to be forcibly logged out using either of the following methods:
 In Organizational Structure, click the user group to which the online user belongs. All online users of the user group are displayed in Online User List.
 Use the basic search or advanced search function to find the online user. The search results are displayed in Online User List.
 In Online User List, select the online users to be forcibly logged out and click Disconnect.
 Users who are logged out are no longer displayed in Online User List.
 SSL VPN is an HTTPS-based VPN technology and works between the transport layer and the application layer. It is a security protocol for the Internet and applies to fields such as web proxy, network extension, file sharing, and port forwarding.
 Handshake Process of SSL-based Communications
 The SSL client connects to the SSL server and requests the server to authenticate itself.
 The server authenticates its identity by sending its digital certificate.
 The server sends a request to authenticate the certificate on the client.
 The encryption algorithm and the hash function are negotiated. The former is used to encrypt the message, and the latter is used to check the integrity. The client usually provides the list of all supported algorithms, and the server selects the strongest algorithm from the list.
 The client and the server generate the session key in the following steps:
 The client generates a random number, uses the server public key (obtained from the server certificate) to encrypt it, and sends the key to the server.
 The server responds to the client by using random data. The client's key is used if it is available; otherwise, data is sent in plain text.
 The key is generated from the random data by using the hash function.
 After the configuration is complete, you can configure service-specific security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, audit policies, and SSL VPNs to reference the user and user group objects.
 Configuration Verification
 On the NGFW Web UI, choose Object > User > User/Group to see whether the configured user and user group objects are available.
 An R&D employee on the move accesses the authentication web page of the SSL VPN virtual gateway and enters user name user_0002 and password Admin@123 for authentication. After being authenticated, the employee on the move can use the network extension service to access network resources.
 On the NGFW Web UI, choose Object > User > Online User to see whether there is information about online users.
 Typical authentication, authorization, and accounting (AAA) methods include local and remote authentication, and remote authentication can use RADIUS, HWTACACS, and LDAP technologies.
 User management covers Internet access users, access users, and administrators.
 SSO authentication can be done with or without a plug-in.
 With a plug-in:
1. The user logs in to the AD domain, and the AD server returns a login success message to the user and delivers a login script.
2. The user's PC executes the login script and sends the user login information to the AD monitor.
3. The AD monitor connects to the AD server to query information about the user. If the information about the user exists, the user login information is forwarded to the NGFW.
4. The NGFW extracts the user-IP address mapping from the user login information and adds the mapping to the online user list.
 Without a plug-in:
The NGFW listens to the authentication packets sent by users during login to the AD server (AD domain controller) to obtain authentication results. If a user is authenticated, the NGFW adds the mapping between the user name and the user's IP address to the online user list. When the NGFW is deployed between users and the AD server, the NGFW can obtain authentication packets. If the authentication packets do not pass through the NGFW, the messages carrying authentication results from the AD server must be mirrored to the NGFW.
 A Virtual Private Network (VPN) is built by establishing private data channels over a shared public network to connect networks or terminals that need to access the private network, forming a private network that guarantees a specific level of security and QoS.
 Traditional VPN networking mainly uses two modes: leased line VPN and client-based encryption VPN. A leased line VPN is a Layer 2 VPN that is built through a digital data network (DDN), ATM permanent virtual circuit (PVC), or frame relay (FR) PVC. The carrier maintains the backbone network and customers manage their sites and routes. For a client-based encryption VPN, all VPN functions are implemented by the client, and all members of the VPN are interconnected by the untrustworthy public network. The former is more costly and has lower scalability; the latter places higher requirements on the devices and operators of the client.
 The IETF draft defines the IP-based VPN as "a private WAN that is simulated using the IP mechanism", which means the tunneling technology is used to simulate a point-to-point leased line over the public data network. Virtualization means that users do not need physical leased lines for long distance data transmission. Instead, long distance data lines of the Internet are used to create a private network. A private network means that users can customize a network that best suits their needs.
 With continuous development of the IP data communications technology, the IP-based VPN is becoming the mainstream VPN technology. As the IP-based VPN is carried by the IP network, and carrier networks are continuously improving, its lower cost and QoS can meet customers' needs, and it has better scalability and manageability. Accordingly, more and more users choose the IP-based VPN and carriers are building IP-based VPNs to attract users.
 VPNs are implemented mainly through tunneling. However, due to the complicated services and lower security of public networks, other technologies, including encryption, decryption, key management, data authentication, and identity authentication, are used to secure VPN data.
 Tunneling is the core of VPN technology. It refers to a data channel that is created over the public network with encryption and decryption implemented on both ends. Data packets are sent through this data channel. A tunnel is formed by tunneling protocols, which are divided into Layer 2 and Layer 3 tunneling protocols. Layer 2 tunneling protocols are used to build remote VPNs by carrying Layer 2 network protocols. Main Layer 2 tunneling protocols include Layer 2 Forwarding (L2F), Point-to-Point Tunneling Protocol (PPTP), and Layer 2 Tunneling Protocol (L2TP). L2TP is the combination of PPTP and L2F developed by the Internet Engineering Task Force (IETF). Layer 3 tunneling protocols are used to build intranet VPNs and extranet VPNs by carrying Layer 3 network protocols. Main Layer 3 tunneling protocols include VTP and IP Security (IPsec). IPsec is constituted by multiple protocols, and this protocol set allows you to choose security protocols and security algorithms, and determine the key used for services, which provides security on the IP layer.
 Data authentication ensures that data can only be legitimately altered when it is sent over the network. Data authentication mainly uses the hash algorithm, which, due to its irreversibility and theoretical uniqueness, ensures that data has not been altered when the message digest is the same. Identity authentication ensures the legitimacy and validity of operators of a VPN, mainly using the "user name and password" mode. A USB key can also be used for higher security.
 Encryption/decryption is a sophisticated technology in data communications that can be used in VPNs to ensure that data can only be legitimately obtained when it is sent over the network. This means that data is encrypted when it is encapsulated in a tunnel, and the peer end decrypts the data when it arrives at the peer end of the tunnel.
 Key management mainly ensures that a key is sent over an insecure public data network without being stolen. The typical application is the IKE technology that is usually used by the IPsec VPN. The principles are described in the following slides.
 Encryption is a process that makes information readable only for the correct receivers and not understandable for other users, by allowing the original content to be shown only after the correct key is used to decrypt the information. Encryption protects data from being obtained and read by unauthorized users. It prevents theft and capture of private information over networks. A simple example is the transmission of passwords, which are very important, because many security systems are based on passwords and a leak of passwords to some extent means total breakdown of a security system. Therefore, the provision of passwords requires information security:
 Confidentiality: uses data encryption. It allows only some users to access and read the information, but makes the information not understandable for unauthorized users. This is the common objective of encryption. It ensures that only the corresponding receivers can read it by using equations.
 Integrity: uses data encryption, hash algorithms, or digital signatures. It ensures that data is not changed (altered, deleted, added, or replayed) by unauthorized users during the storage and transmission processes. For users that require high-level security, mere data encryption is not enough, because data can still be cracked and changed by unauthorized users.
 Non-repudiation: uses symmetric encryption or asymmetric encryption and digital signatures, with the help of trustworthy registration or certification organizations, which prevents users from denying speech or activities that they have performed.
 As a method for information security protection, cryptography was not an invention of the modern world and can be dated back a long time, to when human beings tried to learn how to communicate and had to find a way to keep their correspondence confidential. Before the 6th century BC, ancient Greeks might have been the first people to use technologies to encrypt information. They used a rod called a scytale, with a piece of parchment wound around it, on which a message was written. Then the parchment was sent to the receiver. Anyone who did not know the diameter of the rod, which was the key in this case, could not understand the information in the message.
 About 50 B.C., the ancient Roman ruler Caesar invented a method for encrypting information in wartime, which was later called the Caesar cipher. The principle is that each letter in the simple text is replaced by the third letter down the alphabet, and the last three letters in the alphabet are replaced by the first three letters respectively. For example, after encryption HuaweiSymantec becomes KxdzhlvBPdqwhf.
 Recent encryption technologies were mainly used for military purposes, such as the War of Independence of the US, the Civil War, and the two World Wars. During the War of Independence of the US, the rail fence cipher was used. In this method, the simple text is written downwards and diagonally on successive "rails" of an imaginary fence, then moving up when we reach the bottom rail. When we reach the top rail, the message is written downwards again until the whole plaintext is written out.
 During World War I, Germans wrote codes based on a dictionary. For example, 10-4-2 means the 2nd word in the 4th paragraph on page 10 of a dictionary. In World War II, the most well-known cipher machine was the Enigma machine used by Germans to encrypt information. Later, thanks to the efforts of Alan Turing and other people in the Ultra project, the German ciphers were broken, which changed
 In the 20th century, Americans studied computers to break the German ciphers, at which time people had not expected the information revolution that computers would bring to the world. With the development of computers and their computation abilities, breaking traditional ciphers became an easy task. At the same time, the continuously growing use of computers in businesses and other fields made it more and more important to protect data security and prevent information leaks. All these factors accelerated the development of encryption technologies. Americans introduced the public key encryption system, which was a milestone in encryption technology development.
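The two classical ciphers described above, as an added worked example that is not part of the course material: a Caesar shift (run on the slide's HuaweiSymantec example, with letter case preserved, which the slide's own rendering of the result does not do consistently) and a rail fence transposition, plus a loop that tries all 26 Caesar keys. That loop is the concrete reason behind the note that "breaking traditional ciphers became an easy task": the key space is tiny. All function names are the example's own.

```python
"""Classical ciphers from the course notes: Caesar shift and rail fence.

Added example, not Huawei course code. Both ciphers have a tiny key space,
so every candidate key can simply be tried, as caesar_brute_force() shows.
"""
from typing import List, Tuple


def caesar(text: str, shift: int = 3) -> str:
    """Replace each letter by the one `shift` places down the alphabet.

    The alphabet wraps (x, y, z -> a, b, c for shift 3), letter case is
    preserved and non-letters pass through unchanged.
    """
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_brute_force(ciphertext: str) -> List[Tuple[int, str]]:
    """Return all 26 (key, candidate plaintext) pairs; the real one is among them."""
    return [(k, caesar(ciphertext, -k)) for k in range(26)]


def _zigzag(length: int, rails: int) -> List[int]:
    """Rail index visited at each position when writing down and up the fence."""
    pattern, rail, step = [], 0, 1
    for _ in range(length):
        pattern.append(rail)
        if rail == 0:
            step = 1
        elif rail == rails - 1:
            step = -1
        rail += step
    return pattern


def rail_fence_encrypt(text: str, rails: int) -> str:
    """Write the text diagonally across `rails` rails, then read rail by rail."""
    if rails < 2:
        return text
    fence: List[List[str]] = [[] for _ in range(rails)]
    for ch, rail in zip(text, _zigzag(len(text), rails)):
        fence[rail].append(ch)
    return "".join("".join(r) for r in fence)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Invert rail_fence_encrypt by replaying the zig-zag to find rail lengths."""
    if rails < 2:
        return ciphertext
    pattern = _zigzag(len(ciphertext), rails)
    # Slice the ciphertext into rails of the observed lengths...
    chunks, pos = [], 0
    for r in range(rails):
        n = pattern.count(r)
        chunks.append(list(ciphertext[pos:pos + n]))
        pos += n
    # ...then read the characters back in zig-zag order.
    return "".join(chunks[r].pop(0) for r in pattern)


if __name__ == "__main__":
    ct = caesar("HuaweiSymantec")
    print(ct)                              # KxdzhlVbpdqwhf
    print(caesar_brute_force(ct)[3])       # key 3 recovers HuaweiSymantec
    rf = rail_fence_encrypt("WEAREDISCOVERED", 3)
    print(rf, rail_fence_decrypt(rf, 3))   # WECRERDSOEEAIVD WEAREDISCOVERED
```

The brute-force list is the whole point for a defender: with 26 possible keys (or a handful of rail counts), a substitution or transposition of this kind offers no secrecy against anyone with a computer, which is why key length is treated later in these notes as the first measure of a symmetric algorithm.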
 Keys are divided into private keys and public keys. As their names imply, a private key is private and needs to be encrypted; a public key is open and not encrypted.
 Symmetric encryption: It is also called traditional cryptography (secret key algorithm, one-key algorithm). The encryption key can be calculated based on the decryption key. The sender and receiver have the same key, which is used for both encryption and decryption (also called the symmetric key or session key). Symmetric encryption is an effective method for encrypting a large amount of data.
 The length of the key determines whether an algorithm for symmetric encryption is good or not. The longer the key is, the larger the number of keys that must be tested before the correct key needed to decrypt data is found. Accordingly, it is more difficult to break the cipher. With a good algorithm and a sufficiently long key, it is not feasible for anyone to derive the simple text from the cipher text in practice.
 Asymmetric encryption: Asymmetric encryption, also called public key encryption, is a form of encryption where keys come in pairs. What one key encrypts, only the other can decrypt. Two keys are used: a public key and a private key, which are related mathematically.
 The public key algorithm is a complex mathematical equation using very large numbers. The limitation of the public key algorithm is that this encryption is relatively slow. In fact, it is usually used only for critical events, such as entities exchanging the symmetric key or signing the hash for an email (a hash is a result of fixed length obtained from data using a unidirectional function, which is called the hash algorithm).
 A symmetric key algorithm system includes:
 Simple text: the original message or data to be inputted.
 Encryption algorithm: used to replace and convert the simple text.
 Secret key: part of the algorithm, determining how the simple text is replaced and transformed using the algorithm.
 Cipher text: an output message in a disordered form, which is decided by the simple text and secret key. For the same message, two different keys generate two different cipher texts.
 Decryption algorithm: essentially the reversal operation of the encryption algorithm; it uses the same key to generate the simple text from the cipher text.
 Encryption process:
 The sender uses the key K to encrypt the simple text X to Y. This process is expressed in the equation Y = E[K,X].
 The receiver uses the key K to decrypt the cipher text Y to X. This process is expressed in the equation X = D[K,Y].
 The following two requirements should be met to ensure the security of symmetric encryption:
 A strong algorithm is needed. This means the key should be strong enough to prevent attackers from breaking the key using the available simple text and cipher text.
 The key should be sent in a secure manner: the sender shall notify the receiver of the key in a secure way without letting a third party know about it.
 Many special mathematical algorithms can be used to enable symmetric encryption, and they fall into the following two categories:
 Stream algorithms: also called stream encryption algorithms, in which elements are inputted continuously and one output element is generated at a time. A typical stream algorithm encrypts 1 byte of simple text at a time, and the key is inputted into a pseudo-random byte generator to generate an apparently random byte stream, which is called a key stream. A stream encryption algorithm is used for data communications channels, browsers, and network links.
 Common stream encryption algorithm: RC4 was created by Ron Rivest for RSA Security in 1987. It is a stream cipher with a key of a changeable size. Byte-oriented operations encrypt information as a whole in real time.
 Block algorithms: Plain text blocks and the key are inputted in the encryption algorithm. The simple text is divided into two parts, which are combined into cipher text blocks after n rounds of processing, and the input of each round is the output of the previous round. The subkey is also generated by the key. The typical size of a block is 64 bits.
 Data Encryption Standard (DES): the first widely used encryption algorithm. It uses the same key to encrypt and decrypt data. DES is a block encryption algorithm, in which a 64-bit plaintext and 56-bit key are inputted to generate a 64-bit cipher text (data is encrypted in 64-bit blocks). It uses the "diffusion and confusion" technique. Each 64-bit block is divided into two parts, and each part is calculated using the key (this is a round). DES runs 16 rounds, and the key used in each round has a different number of bits.
 Triple DES (3DES): DES can be broken by modern servers by brute force, so it cannot provide enough security. Triple DES solves this problem using a 128-bit key. Data is first encrypted using a 56-bit key, then encoded using another 56-bit key, and lastly encrypted using the first key. In this way, 3DES uses a valid 128-bit key. The greatest advantage of Triple DES is that the existing software and hardware can be used, and it can be implemented easily based on the DES encryption algorithm.
 Advanced Encryption Standard (AES): DES and 3DES are relatively slow. Therefore, the National Institute of Standards and Technology (NIST) published the AES (FIPS 197) in 2001. AES uses a block size of 128 bits, and supports key sizes of 128 bits, 192 bits, and 256 bits, as well as different platforms. The 128-bit key can provide sufficient security and takes less time for processing than longer keys. To date, AES does not have any material weakness. It is a trend that AES will replace DES and 3DES to enhance security and efficiency.
 International Data Encryption Algorithm (IDEA): a symmetric encryption algorithm, with a 64-bit plaintext and 128-bit key inputted to generate a 64-bit cipher text. IDEA is used in PGP.
 RC2 is an encryption algorithm with a key of a changeable size designed by Ron Rivest for RSA Security. It is a block cipher, which means data is encrypted in 64-bit blocks. It can use keys of different sizes, from zero to infinity, and the encryption speed depends on the key size.
 RC5 is a newer encryption algorithm designed by Rivest for RSA Security in 1994. Similar to RC2, RC5 is also a block cipher, but uses different block and key sizes. In addition, it runs a different number of rounds. It is suggested to use RC5 with a 128-bit key and run 12 to 16 rounds. It is a cipher algorithm with changeable block sizes, key sizes, and number of rounds.
 RC6 is unlike other new encryption algorithms. It covers the whole algorithm family. RC6 was introduced in 1998 following RC5, which was found to have a vulnerability in encryption for a special round. RC6 was designed to tackle this vulnerability.
 DES, 3DES, and AES are often used.
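An added example (not course code) for the symmetric encryption process Y = E[K,X], X = D[K,Y] and for the stream algorithm description above: the key and a per-message nonce are fed into a pseudo-random byte generator to produce a key stream, which is XORed with the simple text one byte at a time, and the receiver regenerates the same key stream to decrypt. The generator is a toy built on SHA-256 in counter mode so the example runs on the Python standard library; it stands in for RC4, DES or AES and is not meant for production use. The 128-bit key in the demo is a constructed sample value.

```python
"""Symmetric encryption as Y = E[K,X] and X = D[K,Y] with a stream cipher.

Added example, not Huawei course code. The key stream generator is a toy
(SHA-256 in counter mode), used only so the example needs no third-party
library; it is not RC4, DES or AES.
"""
import hashlib
import secrets

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random byte generator: expand (key, nonce) into `length` bytes.

    Block i is SHA-256(key || nonce || i), so the stream depends only on the
    key and the nonce and can be reproduced by the receiver.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Y = E[K,X]: XOR the simple text byte by byte with a fresh key stream.

    A random nonce is prepended to the cipher text so the same key stream is
    never reused for two messages under the same key.
    """
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """X = D[K,Y]: regenerate the same key stream and XOR it off again."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def roundtrip_ok(key: bytes, message: bytes) -> bool:
    """D[K, E[K,X]] == X, the defining property of symmetric encryption."""
    return decrypt(key, encrypt(key, message)) == message


def wrong_key_recovers_plaintext(key: bytes, other_key: bytes, message: bytes) -> bool:
    """Decrypting with a different key must not yield the simple text."""
    return decrypt(other_key, encrypt(key, message)) == message


if __name__ == "__main__":
    # Constructed sample: a 128-bit session key shared by sender and receiver.
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    x = b"transfer 100 units to account 42"
    y = encrypt(k, x)
    print(y.hex())
    print(decrypt(k, y))
    print(roundtrip_ok(k, x), wrong_key_recovers_plaintext(k, bytes(16), x))
```

Two points the code makes that the prose only implies: the nonce is what keeps the key stream from repeating (reusing a key stream is the classic stream-cipher failure), and XOR gives confidentiality only. Nothing here detects a flipped cipher text bit; integrity needs the hash or MAC discussed later in these notes.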
 The asymmetric algorithm is also called public key encryption. Two different keys are used: a public key and a private key, which are related mathematically. In this encryption, the public key can be transferred publicly between both parties in communications or published in a public repository, but the private key is confidential. Only the private key can be used to decrypt the data encrypted using the public key, and only the public key can be used to decrypt the data encrypted using the private key.
 Similar to symmetric encryption, asymmetric encryption also uses multiple algorithms. However, algorithms of symmetric encryption are different from those of asymmetric encryption. You can use one algorithm to replace another in symmetric encryption and see few changes, because they work in the same way. On the other hand, different algorithms work in totally different ways in asymmetric encryption, so they cannot be interchanged.
 An asymmetric key algorithm system includes:
 Plain text: a readable message or data to be inputted.
 Encryption algorithm: used to transform the simple text.
 Public key and private key: a pair of chosen keys. If one is used for encryption, then the other is used for decryption. The public key is open, and the private key is confidential.
 Cipher text: an output message in a disordered form, which is decided by the plaintext and key. For the same message, two different keys generate two different cipher texts.
 Decryption algorithm: uses the cipher text and key to generate the plaintext.
 Encryption process:
1. Each user generates a pair of keys.
2. Each user puts one of the keys in a public register or accessible file folder as the public key, and keeps the other as the private key. Each user also keeps the public keys of other people.
3. As shown in the figure, a sender who wants to send a message to a receiver must search his/her own or the public key database for the public key PU and use it to encrypt the message X to the cipher text Y. This process is expressed as Y=E[PU,X]. Then the cipher text is sent to the receiver.
4. After receiving the cipher text Y, the receiver uses his/her private key PR to decrypt the cipher text Y to the simple text X. This process is expressed as X=D[PR,Y]. Only the receiver has the private key, so other people cannot decrypt the cipher text.
 Symmetric key algorithm
 The advantage of symmetric keys is that they are more than 100 times faster than asymmetric keys and can be implemented easily using hardware.
 The main disadvantage is complex key management. As each pair of communicators needs a different key, n(n-1)/2 keys are needed when n people are communicating. How to share these secret keys with receivers in a secure way is the biggest problem. Since there is no signature mechanism, non-repudiation cannot be achieved, which means both parties in communications can deny what they have sent or received.
 Asymmetric key algorithm
 The main advantage of asymmetric keys is that the key is open. As the encryption key (public key) is different from the decryption key (private key), the decryption key cannot be deduced from the encryption key. Therefore, the public key can be open to all users. The public key provides an effective way to send the secret keys used to encrypt a large amount of data. It is mainly for digital signatures that private keys are used for encryption and public keys for decryption.
 The main limitation is speed. In fact, it is usually used only for critical events, such as entities exchanging the symmetric key or signing the hash for an email (a hash is a result of fixed length obtained from data using a unidirectional function, which is called a hash algorithm).
 Symmetric and asymmetric algorithms are often combined for key encryption and digital signatures to achieve both security and optimal performance.
 Key exchange: combination of symmetric keys and asymmetric keys. Symmetric algorithms are suitable for encrypting data fast and securely. However, the sender and receiver must exchange the secret key before exchanging data. The combination of a symmetric algorithm for encrypting data and a public key algorithm for exchanging secret keys is a fast and flexible solution.
 Steps of key exchange based on the public key:
1. The sender gets the public key of the receiver.
2. The sender creates a random secret key (the only key used in symmetric encryption).
3. The sender uses the secret key and symmetric algorithm to encrypt the data in simple text to cipher text.
4. The sender uses the receiver's public key to encrypt the secret key to a ciphered secret key.
5. The sender sends the ciphered data and the ciphered secret key to the receiver.
6. The receiver uses the private key to decrypt the ciphered secret key to simple text.
7. The receiver uses the secret key to decrypt the ciphered data to simple text.
 Features:
 A one-time symmetric key (session key) is generated.
 The session key is used to encrypt the information.
 The receiver's public key is used to encrypt the session key, because it is short and easy to decrypt.
 Encryption principles of hash algorithms
 In communication, the sender usually performs hash calculation on the data to be sent to get a hash value and sends the data together with the encrypted hash value. After receiving the data, the receiver performs hash calculation on the data and compares the result with the received hash value. If they are the same, it means the data is not damaged or altered.
 Hash encryption is a method in which both parties in communications compare their hash values to determine whether the information is changed. This can be used to verify information integrity. The other function of hash encryption is for signatures in documents.
 Hash algorithm examples are as follows:
 Message-Digest Algorithm 5 (MD5)
MD5 is a unidirectional function (hash algorithm) evolving from MD2, MD3, and MD4, and can generate a 128-bit hash value. It was developed by R. Rivest, the chief designer of RSA (a well-known public-key encryption algorithm), in the 1990s. MD5 mainly functions to "compress" a large number of files before they are signed by the digital signature software with the private key. This compression is irreversible. MD5 has been optimized, so that it can be used in Intel processors. The principles of this algorithm were leaked, and this is why it is not popular.
 SHA-1
SHA-1 is a popular unidirectional hash algorithm used to create digital signatures. Similar to the Digital Signature Algorithm (DSA), Secure Hash Algorithm 1 (SHA-1) was also designed by the NSA and was included in the Federal Information Processing Standard (FIPS) by the NIST as a standard for hashing data. It can change a character string of any length into a 160-bit hash value. SHA is similar to MD4 and MD5 in structure. Although it is 25% slower than MD5, it is more secure. The information summary it generates is 25% longer than that of MD5, so it is more secure against attacks. However, vulnerabilities of SHA-1 were detected; therefore, SHA-224, SHA-256, SHA-384, and SHA-512, which are more secure, were gradually promoted before 2010.
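The integrity check described above, as an added example that is not course code: the sender hashes the data and hands over both, the receiver re-hashes what arrived and compares. The messages and the key are constructed sample values. Besides the plain digest comparison, the block shows the keyed form (HMAC), which is what a practitioner uses when the hash value travels over the same untrusted channel as the data: anyone who can alter the data can recompute an unkeyed hash, but not a keyed one. It also reports the digest sizes quoted in the notes (128 bits for MD5, 160 bits for SHA-1) straight from the library.

```python
"""Integrity check with a hash value: sender hashes and sends, receiver
re-hashes and compares.

Added example, not Huawei course code. Sample messages and the shared key
are constructed values.
"""
import hashlib
import hmac
from typing import Tuple


def digest_bits(algorithm: str) -> int:
    """Size of the hash value in bits, e.g. 128 for MD5 and 160 for SHA-1."""
    return hashlib.new(algorithm).digest_size * 8


def sender_package(data: bytes, algorithm: str = "sha256") -> Tuple[bytes, bytes]:
    """Sender: compute the hash value and hand it over together with the data."""
    return data, hashlib.new(algorithm, data).digest()


def receiver_verify(data: bytes, received_hash: bytes, algorithm: str = "sha256") -> bool:
    """Receiver: re-hash what arrived and compare with the received hash value."""
    fresh = hashlib.new(algorithm, data).digest()
    return hmac.compare_digest(fresh, received_hash)  # constant-time comparison


def bits_changed(a: bytes, b: bytes) -> int:
    """Hamming distance between two digests; a one-character edit to the input
    of a good hash flips roughly half of the output bits."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def sender_package_keyed(key: bytes, data: bytes) -> Tuple[bytes, bytes]:
    """Keyed variant: an HMAC-SHA256 tag that only holders of `key` can recompute."""
    return data, hmac.new(key, data, hashlib.sha256).digest()


def receiver_verify_keyed(key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver side of the keyed variant."""
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    data, h = sender_package(b"amount=100")
    print(receiver_verify(data, h), receiver_verify(b"amount=900", h))
    print(bits_changed(h, hashlib.sha256(b"amount=900").digest()), "of 256 bits differ")
    print({a: digest_bits(a) for a in ("md5", "sha1", "sha256", "sha512")})
    # Constructed shared key for the keyed variant.
    shared = b"example-shared-secret"
    data, tag = sender_package_keyed(shared, b"amount=100")
    print(receiver_verify_keyed(shared, data, tag), receiver_verify_keyed(b"other", data, tag))
```

`hmac.compare_digest` is used for both comparisons because a plain `==` on digests returns early at the first differing byte, which leaks timing information about how much of a guessed tag was right.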
 Digital signatures mainly function to ensure information integrity, authenticate the sender's identity, and prevent repudiation in transactions.
 Digital signatures can be obtained using both public-key based cryptography and private-key based cryptography. Currently digital signatures, including normal digital signatures and special digital signatures, are usually based on public-key cryptography. Normal digital signature algorithms include digital signature algorithms such as RSA, ElGamal, Fiat-Shamir, Guillou-Quisquater, Schnorr, and Ong-Schnorr-Shamir, DES/DSA, elliptic curve digital signature algorithms, and finite automaton digital signature algorithms. Special digital signatures include blind signatures, proxy signatures, undeniable signatures, fair blind signatures, threshold signatures, and signatures that can recover messages.
 The digital signature technology is a typical application of public-key based cryptography. In the application process of digital signatures, the sender uses his/her private key to encrypt the variables for data verification and/or related to the data content, to put a valid "signature" on the data. Then the receiver uses the sender's public key to read the "digital signature" received and uses the result for data integrity verification to ensure signature validity. The digital signature is an important technology for confirming identities in a virtual network environment and can fully replace "personal signatures" with technical and legal approval. In the application of digital signatures, the sender's public key can be obtained easily, while the private key must be kept strictly confidential.
 Digital signatures can be used to check data integrity and provide evidence of possession of a private key.
 The steps of signature and data verification are as follows:
1. The sender processes the data using a hash algorithm to generate a hash value.
2. Then the sender uses the private key to change the hash value into a digital signature.
3. The sender sends the data and signature to the receiver.
4. The receiver uses the sender's public key to decrypt the digital signature.
5. The receiver processes the received data with the hash algorithm to generate a hash value.
6. The receiver compares the hash value from the sender with the hash value newly generated and sees if they are identical.
7. If the hash values are the same, the message is sent from the sender and is not altered.
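One toy RSA key pair carrying three of the procedures in these notes, as an added example that is not course code: the asymmetric encryption process (Y=E[PU,X], X=D[PR,Y]), the seven-step key exchange based on the public key, and the seven-step signature and verification procedure just listed. The parameters are constructed for illustration only: the primes are the Mersenne primes 2^107-1 and 2^127-1, far too small and too structured for real use, and no padding scheme is applied, so only the arithmetic shape of textbook RSA is shown. The symmetric cipher inside the key exchange is a toy SHA-256 keystream XOR, and the digest is SHA-224 so that a hash value (224 bits) always fits below the 234-bit modulus.

```python
"""Toy RSA illustrating public-key encryption, public-key based key exchange
and the digital signature procedure from the course notes.

Added example, not Huawei course code. All parameters are constructed for
illustration: tiny Mersenne primes, no padding, a toy symmetric cipher.
"""
import hashlib
import secrets
from typing import Tuple

P = (1 << 107) - 1  # constructed toy prime (Mersenne), not a secure RSA prime
Q = (1 << 127) - 1  # constructed toy prime (Mersenne), not a secure RSA prime
Key = Tuple[int, int]  # (exponent, modulus n)


def generate_keypair() -> Tuple[Key, Key]:
    """Step 1 of the asymmetric process: each user generates a key pair (PU, PR)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    e = 65537                # coprime with phi for these primes
    d = pow(e, -1, phi)      # private exponent: modular inverse of e
    return (e, n), (d, n)


def rsa_apply(key: Key, m: int) -> int:
    """Textbook RSA primitive m ** exponent mod n, used for both E and D."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("integer must be smaller than the modulus")
    return pow(m, exp, n)


def pk_encrypt(public_key: Key, x: bytes) -> int:
    """Y = E[PU,X] for a short message X that fits below n."""
    return rsa_apply(public_key, int.from_bytes(x, "big"))


def pk_decrypt(private_key: Key, y: int, length: int) -> bytes:
    """X = D[PR,Y]; `length` restores any leading zero bytes of X."""
    return rsa_apply(private_key, y).to_bytes(length, "big")


def xor_stream(session_key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter-mode key stream.
    The same call encrypts and decrypts."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, out))


def sender_key_exchange(receiver_public_key: Key, plaintext: bytes) -> Tuple[int, bytes]:
    """Key exchange steps 2-5 (step 1, obtaining PU, is the caller's job)."""
    session_key = secrets.token_bytes(16)                        # 2: random secret key
    ciphered_data = xor_stream(session_key, plaintext)           # 3: symmetric encryption
    ciphered_key = pk_encrypt(receiver_public_key, session_key)  # 4: wrap the key with PU
    return ciphered_key, ciphered_data                           # 5: send both


def receiver_key_exchange(receiver_private_key: Key, ciphered_key: int,
                          ciphered_data: bytes) -> bytes:
    """Key exchange steps 6-7: unwrap the session key with PR, then decrypt."""
    session_key = pk_decrypt(receiver_private_key, ciphered_key, 16)  # 6
    return xor_stream(session_key, ciphered_data)                     # 7


def sign(private_key: Key, data: bytes) -> int:
    """Signature steps 1-2: hash the data, transform the hash with the private key."""
    h = int.from_bytes(hashlib.sha224(data).digest(), "big")
    return rsa_apply(private_key, h)


def verify(public_key: Key, data: bytes, signature: int) -> bool:
    """Signature steps 4-7: recover the hash with the public key, re-hash the
    received data and compare; equal values mean unaltered data from the key holder."""
    recovered = rsa_apply(public_key, signature)
    fresh = int.from_bytes(hashlib.sha224(data).digest(), "big")
    return recovered == fresh


if __name__ == "__main__":
    pub, priv = generate_keypair()
    print(pk_decrypt(priv, pk_encrypt(pub, b"hello"), 5))
    ck, cd = sender_key_exchange(pub, b"quarterly figures, confidential")
    print(receiver_key_exchange(priv, ck, cd))
    sig = sign(priv, b"pay 100")
    print(verify(pub, b"pay 100", sig), verify(pub, b"pay 900", sig))
```

The same `rsa_apply` call serves every step: with the public exponent it is E[PU,·] for encryption and the "decrypt the digital signature" step of verification, with the private exponent it is D[PR,·] for decryption and the signing step. The `length` argument of `pk_decrypt` matters in the key exchange: a session key whose first byte is zero would otherwise come back one byte short and the receiver's key stream would no longer match the sender's.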
 A digital certificate comprises three parts, namely, main body, algorithm, and signature. The main body consists of:
 Version: the version of the X.509 certificate. The value can currently be v1 (0), v2 (1), or v3 (2).
 Serial Number: a unique digital ID assigned by the Certification Authority (CA) to a certificate. When the certificate is revoked, its serial number is added to the Certificate Revocation List. This is the only reason for the existence of serial numbers.
 Signature: the signature algorithm used when the CA issues a certificate. It specifies the public-key algorithm and hash algorithm used when the CA issues a certificate and must be registered at a well-known international standardization organization, such as the ISO.
 Issuer: the X.509 DN name of the CA that issues a certificate. The name can be a country, province/city, region, organization, department, or common name.
 Validity: the validity period of a certificate, including the effective date and time and the expiration date and time. Each time the certificate is used, its validity is verified.
 Subject: the unique X.509 name of the certificate holder. The name can be a country, province/city, region, organization, department, common name, or possibly personal information, such as email.
 Subject Public Key Info: comprises two parts of important information, namely, the subject public key and the ID of the algorithm used by the public key. This ID includes the public key algorithm and hash algorithm.
 Certificate Revocation List (CRL): provides an effective way for applications and other systems to verify certificates. When any certificate is revoked, the CA notifies all related parties by releasing the CRL. A digital certificate is in electronic form and can be downloaded from the Internet or obtained through other means. A digital certificate can be stored on an IC card, which means it is written to an IC card, so that users can carry the IC card and enjoy secure E-business services on E-business terminals that can read the IC card. Users can download or copy certificates issued by the CA to a disk or their PCs or smart terminals. When they use their terminals for E-business services, the certificates can be read directly from their terminals.
n
r ni
le a
: //
t t p
s :h
r c e
ou
es
R
n g
r ni
e a
e L
or
M
n
/e
o m
e i.c
aw
u
g .h
ni n
ar
//le
p :

t t
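The following is an added example, not code from the Huawei training material: it shows the checks a relying party performs on the certificate fields listed above (Validity, Issuer, serial number) against a CRL. Plain dictionaries stand in for a real X.509 parser, the issuer names, serial numbers and dates are constructed samples, and the helper names (`check_validity_period`, `check_revocation`, `validate`) are this example's own.

```python
"""Added example, not part of the Huawei training material: the checks a
relying party performs on the certificate fields described above (Validity,
Issuer, serial number) against a CRL. Plain dictionaries stand in for a real
X.509 parser, and all values are constructed samples."""
from datetime import datetime, timezone


def utc(year, month, day):
    """Helper to build timezone-aware UTC timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed leaf certificate as seen after parsing. A serial number is
# unique only per issuer, so revocation is keyed on (issuer, serial).
SAMPLE_CERT = {
    "issuer": "C=CN, O=Example CA, CN=Example Issuing CA",
    "subject": "C=CN, O=Example Corp, CN=vpn.example.test",
    "serial_number": 0x1A2B3C,
    "not_before": utc(2024, 1, 1),
    "not_after": utc(2025, 1, 1),
}

# Constructed CRL from the same issuer. A CRL has its own validity window
# (thisUpdate/nextUpdate); a stale CRL cannot vouch that a certificate is
# still good.
SAMPLE_CRL = {
    "issuer": "C=CN, O=Example CA, CN=Example Issuing CA",
    "this_update": utc(2024, 6, 1),
    "next_update": utc(2024, 7, 1),
    "revoked_serials": {0x0F0F0F, 0xDEAD01},
}


def check_validity_period(cert, now):
    """None if `now` is inside [notBefore, notAfter], else the failure reason."""
    if now < cert["not_before"]:
        return "certificate not yet valid"
    if now > cert["not_after"]:
        return "certificate expired"
    return None


def check_revocation(cert, crl, now):
    """None if the CRL is usable and does not list the certificate, else the
    failure reason. A CRL from another issuer says nothing about this
    certificate, and one outside its own window is refused, not trusted."""
    if crl["issuer"] != cert["issuer"]:
        return "CRL issuer does not match certificate issuer"
    if now < crl["this_update"] or now > crl["next_update"]:
        return "CRL is outside its validity window; refresh it first"
    if cert["serial_number"] in crl["revoked_serials"]:
        return "certificate is revoked"
    return None


def validate(cert, crl, now):
    """Apply the period check, then the revocation check; first failure wins.
    Signature verification with the issuer's public key is assumed to have
    passed before this point."""
    reason = check_validity_period(cert, now) or check_revocation(cert, crl, now)
    return reason is None, reason or "ok"


if __name__ == "__main__":
    for when in (utc(2024, 6, 15), utc(2023, 12, 1), utc(2025, 2, 1), utc(2024, 8, 1)):
        print(when.date(), validate(SAMPLE_CERT, SAMPLE_CRL, when))
```

The order matters: an expired certificate is rejected without consulting the CRL at all, and a CRL that is past its nextUpdate is treated as unusable rather than as proof that nothing was revoked.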
 Key management is an important part of data encryption technology. The objective of key management is to ensure the security of keys (authenticity and validity). To facilitate the use of data, data encryption is in many cases the application of the key. Therefore, the key is usually the main object to be protected against theft. Key management technologies include security measures taken regarding the generation of keys, allocation and storage, and replacement and destruction.

 Generation of keys

 Hierarchical key management: the working key for data encryption should be generated dynamically and protected by the upper-layer encryption keys. The key on the top layer is the main key, the core of the whole key management system. The hierarchical key management system significantly enhances the reliability of the cryptography, because the working key that is used most frequently is changed all the time, while upper-layer keys are used less frequently. This makes it hard for attackers to break the cipher.

 Allocation and storage

 Allocation of keys refers to the process of generating and sending keys to users. A key can be transmitted in whole or in parts. When a whole session key is sent, it should be protected by the main key, and the main key should be sent through a secure channel. When a key is sent in parts, it is divided into multiple parts and sent through secret sharing. It can be recovered as long as the parts are received. This method is suitable for transmission through an insecure channel.

 Replacement and destruction

 A key can be stored in whole or in parts. Methods for storing a key in whole include personal memory, external storage device, key recovery, and system internal storage. The objective of storing a key in parts is to reduce the possibility of key leakage caused by the keeper or device. The backup key can be stored in the same way as the key is stored in parts, so that it will not be known to many people. Destruction of keys requires a management and arbitration mechanism; otherwise a key can be lost unintentionally, causing repudiation of usage.

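The "secret sharing" named above for sending or storing a key in parts is shown here as an added example, not as code from the Huawei training material: a Shamir split over a prime field, where any threshold number of parts recovers the key and fewer parts reveal nothing about it. The threshold, share count, prime field, sample key and the function names (`split_key`, `recover_key`) are this example's own choices.

```python
"""Added example, not part of the Huawei training material: splitting a key
into parts with Shamir secret sharing, the "secret sharing" the text names for
sending or storing a key in parts. Threshold, share count, prime field and the
sample key are constructed for illustration."""
import secrets

# Mersenne prime 2^521 - 1: large enough to hold a 256-bit key as one field
# element. All arithmetic below is in GF(PRIME).
PRIME = (1 << 521) - 1


def split_key(key_bytes, threshold, shares):
    """Split `key_bytes` into `shares` points (x, y) on a random polynomial of
    degree threshold-1 whose constant term is the key; any `threshold` of the
    points reconstruct it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key_bytes, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation of f(x)
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_key(points, key_len):
    """Recombine with Lagrange interpolation at x = 0. With fewer correct points
    than the threshold the result is effectively a random field element, so
    None is returned when it cannot be a key of `key_len` bytes."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >> (8 * key_len):
        return None
    return secret.to_bytes(key_len, "big")


# Constructed 32-byte sample key split 3-of-5, e.g. across five keepers.
SAMPLE_KEY = bytes(range(32))
SAMPLE_SHARES = split_key(SAMPLE_KEY, threshold=3, shares=5)

if __name__ == "__main__":
    print(recover_key(SAMPLE_SHARES[:3], 32) == SAMPLE_KEY)   # True
    print(recover_key(SAMPLE_SHARES[:2], 32) == SAMPLE_KEY)   # False
```

Each keeper or storage location holds one (x, y) point, so compromising a single keeper or device (the leak the text is concerned with) yields no information about the key, and a backup stored the same way needs the same number of parts to reassemble.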
 A key management system should be based on a set of standards, procedures, and security methods. They are used to:

 Generate keys for different cryptographic systems and different application software.

 Generate and obtain the public key.

 Send a key to the relevant users, including how to activate the key when they receive it.

 Store the key, including how authorized users can obtain the key.

 Change or update a key, including rules such as when and how to change the key.

 Process a damaged key.

 Activate a key, including how to withdraw or invalidate a key. For example, a key must be filed when it is damaged or when the user using this key leaves the organization.

 Recover a lost or damaged key as part of service continuity management, for example, recovery of the encrypted information.

 File keys for information filing or backup.

 Destroy a key.

 Record and check the key management activities.

 To reduce the possibility of damage, keys should have preset activation and termination dates, so that they can only be used within a limited time period. The period should be determined according to the environment in which cryptographic management measures are taken and the risks detected. To address the legal requirements regarding access to cryptographic keys, some procedures need to be considered. For example, the decryption method of encrypted information may need to be submitted to the court.

 The service level agreements or contracts entered into with external cryptographic service providers (for example, a contract signed with an authoritative certification organization) shall include responsibilities, service reliability, and service response time. The cryptographic policies of the Organization for Economic Cooperation and Development (OECD) are as follows:

 To strengthen people's confidence in using information and communications systems, cryptographic methods should be trustworthy.

 Users can choose a cryptographic method at their discretion as long as it is allowed by law.

 The development of cryptographic methods shall meet the different requirements of individuals, companies, and governments.

 The criteria, standards, and protocols of cryptographic methods should be developed and issued nationally or internationally.

 Individual privacy, such as privacy of communications and private data protection, should be respected under national cryptographic policies and in the implementation and use of cryptographic technology.

 National cryptographic policies shall permit storage and retrieval of the plaintext or key of encrypted data according to law. However, this policy shall not interfere with the other principles in this guide.

 The responsibilities of individuals or organizations that provide cryptographic services or hold, store, or obtain keys shall be specified in laws or contracts.

 Governments shall coordinate the relationships between all parties in the development of cryptographic policies to prevent hindrance to normal trade or abuse of power.

 VPNs can be divided into the access VPN, intranet VPN, and extranet VPN based on service types. These three types of VPNs correspond to the traditional access network, the enterprise intranet, and the extranet that is formed by the networks of an enterprise and its business partners.

 Access VPN

 If employees of an enterprise need to travel or work remotely, or the enterprise needs to provide B2C secure access service, the access VPN is a good choice.

 The access VPN provides remote access to an enterprise's intranet and extranet through a shared infrastructure that has the same policies as a private network. It allows users to access resources of an enterprise anytime and anywhere according to their needs. An access VPN uses analog, dial-up, Integrated Services Digital Network (ISDN), x Digital Subscriber Line (xDSL), mobile IP, and cable technologies to securely connect mobile users, remote workers, and branches.

 The access VPN is suitable for companies that have employees who travel a lot and work remotely. Remote users can use the VPN service provided by the local ISP to build a private tunnel to the enterprise's VPN gateway.

 Intranet VPN

 The intranet VPN is a good choice for interconnecting the branches of an enterprise.

 Today, many companies need to build offices, subsidiaries, and R&D centers all over the country or even around the world. The traditional way of connecting the networks of subsidiaries is leased lines. As more and more subsidiaries and services are launched, networks become more complicated and expensive. VPN features can be used to build intranet VPNs worldwide over the Internet. The Internet ensures network interconnection, while VPN features, such as tunneling and encryption, ensure that data is sent securely within the entire intranet VPN. The intranet VPN connects the enterprise headquarters, remote offices, and branches through a shared infrastructure that uses dedicated connections. In this way, the intranet has the same policies regarding security, QoS, manageability, and reliability as private networks.

 Extranet VPN

 The extranet VPN can be used to provide Business to Business (B2B) secure access.

 In the information age, companies attach more importance to information processing in the hope of providing the fastest and most convenient information service to customers and understanding their needs in various ways. Companies are also cooperating and exchanging information more frequently. The Internet has laid a sound foundation for this development. How to use the Internet to achieve effective information management is a critical issue that companies need to address during their growth. VPN technology can be used to establish a secure extranet, not only providing effective information services to customers and business partners, but also ensuring the security of the intranet.

 An extranet VPN connects customers, vendors, business partners, and people who have an interest in an enterprise to the intranet through a shared infrastructure that uses dedicated connections. In this way, the intranet has the same policies regarding security, QoS, manageability, and reliability as private networks.

 Advantages of extranet VPNs: external networks can be deployed and managed easily, and external network connections can be deployed using the framework and protocols that are adopted to deploy intranet VPNs and access VPNs. The main difference is that external users can access the intranet and its resources only when they are authorized.

 Layer 3 VPN

 The L3VPN refers to VPN technology working on the network layer of the protocol stack. For example, in IPsec VPN technology, the IPsec header is on the same layer as the IP header, and the packets are encapsulated in IP-in-IP mode, or the IPsec header and IP header encapsulate the data payload at the same time.

 Besides IPsec VPN, the other major L3VPN technology is GRE VPN, which was created early and is easy to implement. GRE VPN can encapsulate any network protocol into another network protocol. Compared with IPsec, GRE VPN does not ensure security and can only provide a limited, simple security mechanism.

 Layer 2 VPN

 Similar to the L3VPN, the L2VPN refers to VPN technology working on the data link layer of the protocol stack. The main L2VPN protocols include Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), and Layer 2 Tunneling Protocol (L2TP).

 VPDN realizes a VPN by using the dial-up function of a public network (such as ISDN and PSTN) and the access network. In this way, it provides access service for enterprises, mini-ISPs, and mobile business people.

 VPDN adopts a special network encryption protocol to set up a secure VPN in the public network for enterprises. In this way, overseas offices and staff on business trips can pass through the public network to connect to the headquarters network through the encrypted virtual tunnel; however, other users in the public network have no access to the internal resources of the enterprise network through the virtual tunnel.

 There are two ways to implement VPDN:

 The Network Access Server (NAS) creates a tunnel with the VPDN gateway through a tunneling protocol

 The NAS sets up a tunnel with the VPDN gateway through a tunneling protocol. In this way, the PPP connections of users are directly connected to the gateway in an enterprise. Currently, the available tunneling protocols are L2F and L2TP.

 Its advantages are:

 It is transparent to users.

 Users access the enterprise network by logging in once.

 The enterprise network performs user authentication and address assignment without occupying public addresses.

 Users can access the network from a wide variety of platforms. This way of implementing VPDN requires a NAS that supports the VPDN protocol and an authentication system that supports VPDN attributes, with the gateway generally being a firewall or VPN dedicated server.

 Clients create a tunnel with the VPDN gateway

 In this way, clients first establish a connection to the Internet, and then tunnel the connection to the gateway through dedicated client software (such as the L2TP client supported by Windows 2000/XP). Its advantages are:

 No limit on the way and place from which users access the network, and no need for the ISP's involvement.

 Its disadvantages are:

 Users need to install dedicated software (usually Windows 2000/XP), which limits the platforms available to users.

 Layer Two Tunneling Protocol (L2TP) provides transparent transmission of PPP packets between the user and the enterprise server, that is, tunnel transmission support for PPP link-layer packets. PPP defines an encapsulation technology that can transmit various types of data packets over a Layer 2 point-to-point link. PPP runs between users and the NAS, with the Layer 2 link endpoint and the PPP session endpoint located on the same hardware device. From a certain perspective, L2TP is actually PPPoIP: like PPPoE, PPPoA, and PPPoFR, it serves network applications that want to use the characteristics of PPP to make up for the deficiencies of the network itself. L2TP combines the advantages of PPTP and L2F. Therefore, it has become the IETF industry standard.

 In the construction of an L2TP tunnel, the protocol components include the following three parts:

 LAC

 A LAC is a device with PPP end system and L2TP processing functions in the switching network. The LAC is usually an access device of the local ISP, such as the NAS that provides access services for users through the PSTN or ISDN. The LAC isolates user data from other data streams through the L2TP tunnel and PPP connection.

 The LAC provides services for a specified VPN or multiple VPNs.

 LNS

 The LNS receives the PPP connection. Through LNS authentication, the client can log in to the private network to access private resources. As the other endpoint of an L2TP tunnel, the LNS is the peer device of the LAC and the logical termination point of the PPP connection.

 The LNS lies on the border between the private and public networks. It is often an enterprise network gateway device. The network gateway implements the network access and LNS functions. In addition, the LNS can implement the network address translation (NAT) function. The LNS translates the private IP addresses in the headquarters network to public IP addresses. The LNS can be placed in the enterprise network of the headquarters, or act as the provider edge (PE) device of the IP public network.

 Client

 In the L2TP networking model, a client is a device that must log in to the private network (such as a PC). A VPDN client features an unfixed access mode and location. A client can be connected to the L2TP Access Concentrator (LAC) through the PSTN or ISDN. Alternatively, a client can access the Internet to set up a connection to the headquarters server.

 A client is the end device that initiates PPP negotiation. The client acts as both the end of the PPP Layer 2 link and the end of the PPP connection.

 Why is L2TP a Layer 2 VPN protocol? PPP packets are encapsulated within the header of L2TP VPN protocol packets.

 The LAC encapsulates PPP packets from the client in the following process:

 Encapsulating the L2TP header: includes the Tunnel ID and Session ID used to identify the message. They are both IDs of the remote end, not local ID information.

 Encapsulating the UDP header: identifies the upper-layer application. L2TP registers UDP port 1701. When the LNS receives messages on this port, it can identify them and send them to the L2TP processing module for further handling.

 Encapsulating the public IP header: forwards packets on the Internet. Note that the LAC uses the start and end addresses of the L2TP tunnel when encapsulating the IP headers of Internet packets.

 After the LNS receives an L2TP packet, the decapsulation process is as follows:

 Check information in the Internet IP header and UDP header: the LNS first uses the UDP port to identify L2TP packets and then checks whether the source and destination addresses in the IP header are consistent with those of the established L2TP tunnel. If yes, it decapsulates the IP and UDP headers. Otherwise, it discards the packets.

 Check information in the L2TP header: the LNS reads the Tunnel ID and Session ID in the packet header and checks whether they are the same as the locally established L2TP Tunnel ID and L2TP Session ID. If yes, it decapsulates the packets. Otherwise, it discards the packets.

 Check information in the PPP header: the LNS checks the information in the PPP header and then decapsulates the PPP header.

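The encapsulation on the LAC and the three decapsulation checks on the LNS described above, as an added example in Python that is not code from the Huawei training material. It builds only the IPv4, UDP and L2TPv2 (RFC 2661) data message header fields the checks depend on, leaves the IP and UDP checksums at zero, and uses constructed addresses, tunnel/session IDs and PPP frame; the function names (`lac_encapsulate`, `lns_decapsulate`) are this example's own.

```python
"""Added example, not part of the Huawei training material: the LAC-side
encapsulation and the LNS-side decapsulation checks described above, modelled
with the standard library. Only the IPv4, UDP and L2TPv2 (RFC 2661) data
message header fields the checks need are built; IP and UDP checksums are left
at zero. Addresses, tunnel/session IDs and the PPP frame are constructed
samples."""
import socket
import struct

L2TP_UDP_PORT = 1701      # registered port on which the LNS identifies L2TP
IPPROTO_UDP = 17

# Constructed tunnel state as the LNS holds it after tunnel/session setup.
# Each end assigns its own IDs and tells the peer; a data packet on the wire
# carries the receiving end's IDs, so the LAC sends the LNS's values.
SAMPLE_TUNNEL = {
    "lac_ip": "203.0.113.10",     # RFC 5737 documentation addresses
    "lns_ip": "198.51.100.20",
    "lns_tunnel_id": 0x1A2B,
    "lns_session_id": 0x0001,
}


def ipv4_header(src, dst, payload_len):
    """Minimal 20-byte IPv4 header carrying UDP; header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))


def l2tp_data_header(tunnel_id, session_id, payload_len):
    """L2TPv2 data message header: T=0 (data), L=1 (Length present),
    Ver=2, then Length, Tunnel ID and Session ID."""
    return struct.pack("!HHHH", 0x4002, 8 + payload_len, tunnel_id, session_id)


def lac_encapsulate(ppp_frame, tunnel):
    """LAC side: PPP frame -> L2TP header -> UDP header -> public IP header."""
    l2tp = l2tp_data_header(tunnel["lns_tunnel_id"], tunnel["lns_session_id"],
                            len(ppp_frame)) + ppp_frame
    udp = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(l2tp), 0) + l2tp
    return ipv4_header(tunnel["lac_ip"], tunnel["lns_ip"], len(udp)) + udp


def lns_decapsulate(packet, tunnel):
    """LNS side: the three checks from the text, in order. Returns
    (ppp_frame, "ok") or (None, reason) when the packet is discarded."""
    if len(packet) < 20 + 8 + 8:
        return None, "truncated"
    ihl = (packet[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    udp = packet[ihl:]
    _, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    # 1. IP and UDP headers: port 1701 marks L2TP, and the addresses must be
    #    those of the established tunnel.
    if packet[9] != IPPROTO_UDP or dport != L2TP_UDP_PORT:
        return None, "not L2TP"
    if (src, dst) != (tunnel["lac_ip"], tunnel["lns_ip"]):
        return None, "address mismatch"
    # 2. L2TP header: data message, version 2, IDs equal to the local ones.
    l2tp = udp[8:ulen]
    flags, length, tunnel_id, session_id = struct.unpack("!HHHH", l2tp[:8])
    if flags & 0x8000 or (flags & 0x000F) != 2 or not flags & 0x4000:
        return None, "not an L2TPv2 data message with Length"
    if (tunnel_id, session_id) != (tunnel["lns_tunnel_id"], tunnel["lns_session_id"]):
        return None, "tunnel/session id mismatch"
    # 3. PPP header: HDLC-style address 0xFF / control 0x03 precede the protocol.
    ppp = l2tp[8:length]
    if len(ppp) < 4 or ppp[:2] != b"\xff\x03":
        return None, "bad PPP header"
    return ppp, "ok"


# Constructed PPP frame: address, control, protocol 0x0021 (IPv4), dummy payload.
SAMPLE_PPP = b"\xff\x03\x00\x21" + bytes(20)

if __name__ == "__main__":
    packet = lac_encapsulate(SAMPLE_PPP, SAMPLE_TUNNEL)
    print(lns_decapsulate(packet, SAMPLE_TUNNEL)[1])    # ok
```

The checks run outermost header first, so a packet from an address that does not belong to the tunnel is dropped before its Tunnel ID and Session ID are even read, and a matching ID pair from the wrong source never reaches the PPP layer.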
 The establishment process is as follows:

1. The client initiates the request for a session.

2. The PC negotiates PPP LCP with the LAC (Router A).

3. The LAC performs PAP or CHAP authentication on the user information provided by the PC.

4. The LAC sends the authenticated information (the user name and password) to the RADIUS server for authentication.

5. The RADIUS server authenticates this user. If the authentication succeeds, the RADIUS server replies with the LNS address for this user. Then, the LAC prepares to initiate the request for a tunnel connection.

6. The LAC initiates the tunnel connection request to the specified LNS.

7. The LAC sends a CHAP challenge packet to the specified LNS. The LNS replies to this challenge packet with a CHAP response packet. Then, the LAC in turn replies to the LNS's challenge with a CHAP response packet. Note that this step authenticates the device, not the user.

8. Tunnel authentication succeeds.

9. The LAC transmits the user CHAP response, response identifier, and PPP negotiation parameters to the LNS.

10. The LNS sends the access request packet to the RADIUS server for authentication.

11. The RADIUS server authenticates this request packet. If the authentication succeeds, a response packet is returned.

12. If forced local CHAP authentication is configured on the LNS, the LNS authenticates this user and sends a CHAP challenge packet. Then, the user replies with a CHAP response packet.

13. The LNS sends the access request packet to the RADIUS server for authentication again.

14. The RADIUS server authenticates this request packet. If the authentication succeeds, a response packet is returned.

15. The authentication succeeds, and the user can access the internal resources.

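The CHAP challenge/response exchange used in steps 3, 7 and 12 of the process above, as an added example that is not code from the Huawei training material. The response is computed as in RFC 1994 (MD5 over identifier, secret and challenge); for the device authentication of step 7, RFC 2661 reuses that computation with the L2TP control message type (2 for SCCRP, 3 for SCCCN) as the identifier. The secrets, challenge and function names (`chap_response`, `chap_verify`, `tunnel_authentication`) are constructed for this example.

```python
"""Added example, not part of the Huawei training material: the CHAP
challenge/response computation behind steps 3, 7 and 12 above, per RFC 1994
(Response = MD5(Identifier || Secret || Challenge)). For the tunnel
authentication of step 7, RFC 2661 reuses the same computation with the L2TP
control message type (2 for SCCRP, 3 for SCCCN) in place of the CHAP
identifier. Secrets and challenges are constructed sample values."""
import hashlib
import hmac
import secrets

SCCRP, SCCCN = 2, 3      # L2TP control message types used as identifiers


def chap_response(identifier, secret, challenge):
    """16-byte response the authenticated peer returns for a challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Authenticator side: recompute with the stored secret and compare in
    constant time so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def new_challenge(nbytes=16):
    """Fresh unpredictable challenge; a reused one lets an old response replay."""
    return secrets.token_bytes(nbytes)


def tunnel_authentication(lac_secret, lns_secret, lac_challenge=None, lns_challenge=None):
    """Mutual device authentication of step 7: the LAC challenges the LNS, the
    LNS answers in SCCRP and challenges back, the LAC answers in SCCCN.
    Returns (lns_verified_by_lac, lac_verified_by_lns); both are True only
    when both ends hold the same tunnel password."""
    lac_challenge = lac_challenge or new_challenge()
    lns_challenge = lns_challenge or new_challenge()
    lns_response = chap_response(SCCRP, lns_secret, lac_challenge)       # carried in SCCRP
    lns_ok = chap_verify(SCCRP, lac_secret, lac_challenge, lns_response)
    lac_response = chap_response(SCCCN, lac_secret, lns_challenge)       # carried in SCCCN
    lac_ok = chap_verify(SCCCN, lns_secret, lns_challenge, lac_response)
    return lns_ok, lac_ok


# Constructed values for the user authentication of steps 3 and 12.
SAMPLE_ID = 1
SAMPLE_USER_SECRET = b"constructed-user-password"
SAMPLE_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    response = chap_response(SAMPLE_ID, SAMPLE_USER_SECRET, SAMPLE_CHALLENGE)
    print(chap_verify(SAMPLE_ID, SAMPLE_USER_SECRET, SAMPLE_CHALLENGE, response))  # True
    print(tunnel_authentication(b"tunnel-password", b"tunnel-password"))           # (True, True)
```

Because the identifier is hashed in, a response captured for one challenge identifier does not verify under another, and because each side verifies with its own copy of the password, a mismatch between LAC and LNS tunnel passwords fails in both directions.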
 An L2TP Access Concentrator (LAC) supports PPP client and L2TP functions on a switching network. A NAS usually functions as a LAC. The LAC provides access services over a PSTN or ISDN. An L2TP Network Server (LNS) is a PPP endpoint that processes L2TP server functions.

 The LAC client can send a request directly to the LNS to set up a tunnel, not through a separate LAC device. The LNS authenticates the received request based on the user name and password and allocates a private IP address to the LAC user.

 Client-initialized indicates that remote dial-up users initiate requests to establish tunnels.

 A LAC user (a user whose host supports L2TP locally) accesses an ISP network through the PSTN/ISDN and initiates a request to set up a tunnel to the remote LNS, without sending the request through a LAC. The user must obtain the IP address of the LNS.

 Mobile users can initiate a request to establish tunnels directly to an LNS. The mobile users must have VPDN client software installed and must obtain the LNS's IP address. Windows 2000/XP users can also use the L2TP VPN dial-up software in the Windows operating system, or the Huawei Secoway VPN client. This type of networking is used when mobile Internet users access the enterprise network.

 The components are as follows:

 VPN client: obtains a public IP address, maintains LNS connectivity, and initiates a request to the LNS to establish a tunnel.

 LNS: provides private IP addresses for users and allows users to access an internal network.

 Note: Before you use the L2TP client dial-up software on the Windows operating system, disable IPsec. Perform the following procedure:

 Choose "Start > Run", enter the regedit command, and click "OK". The registry editor window is displayed.

 In the left navigation tree, navigate to "My Computer > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Rasman > Parameters". On the right, check whether there is a DWORD value named ProhibitIPsec. If not, right-click, select "New > DWORD Value", and name it ProhibitIPsec. If this key exists, perform the following steps.

 Select the value, right-click, select "Modify", and edit the DWORD value. In the "Value data" field, enter 1 in the text box and click "OK".

 Restart the PC to make the changes take effect.

 The authentication mode and password on the client are the same as those configured on the LNS.

 Add the virtual template interface to the security zone:

[LNS-zone-trust] add interface Virtual-Template 1

 Description: The address pool must be the same as that configured in the AAA view.

 If the "remote client01" command is used, the L2TP group is not the default one, and only client01 is allowed to initiate a request. If the "remote client01" command is not used, L2TP-group 1 is the default one, and all users can initiate requests.

 If client-initialized L2TP is used, L2TP client software must be installed and enabled. For example, the Huawei Secospace VPN client software supports this function.

 Thinking: What are the main functions of the default L2TP group?

 Create a local user name, password, and the user's parent group.

[LNS] user-manage user vpdnuser

[LNS-localuser-vpdnuser] password Admin@123

[LNS-localuser-vpdnuser] parent-group /default

 Configure a public IP address pool.

[LNS] aaa

[LNS-aaa] domain default

[LNS-aaa-domain-default] ip pool 1 4.1.1.1 4.1.1.99

 Configure the interzone policy rules.

[LNS] security-policy

[LNS-policy-security] rule name policy_sec_1

[LNS-policy-security-rule-policy_sec_1] source-zone trust

[LNS-policy-security-rule-policy_sec_1] destination-zone untrust

[LNS-policy-security-rule-policy_sec_1] source-address 192.168.1.0 24

[LNS-policy-security-rule-policy_sec_1] action permit

[LNS-policy-security-rule-policy_sec_1] quit

[LNS-policy-security] rule name policy_sec_2

[LNS-policy-security-rule-policy_sec_2] source-zone untrust

[LNS-policy-security-rule-policy_sec_2] destination-zone trust

[LNS-policy-security-rule-policy_sec_2] destination-address 192.168.1.0 24

[LNS-policy-security-rule-policy_sec_2] action permit

[LNS-policy-security-rule-policy_sec_2] quit

[LNS-policy-security] rule name policy_sec_3

[LNS-policy-security-rule-policy_sec_3] source-zone local

[LNS-policy-security-rule-policy_sec_3] destination-zone untrust

[LNS-policy-security-rule-policy_sec_3] source-address 202.38.160.2 32

[LNS-policy-security-rule-policy_sec_3] action permit

[LNS-policy-security-rule-policy_sec_3] quit

[LNS-policy-security] rule name policy_sec_4

[LNS-policy-security-rule-policy_sec_4] source-zone untrust

[LNS-policy-security-rule-policy_sec_4] destination-zone local

[LNS-policy-security-rule-policy_sec_4] destination-address 202.38.160.2 32

[LNS-policy-security-rule-policy_sec_4] action permit

[LNS-policy-security-rule-policy_sec_4] quit

 On the web page, configure L2TP by performing the following steps:

 Choose "Network > L2TP > L2TP".

 On the "Configuring L2TP" tab page, select "Enable" and click "Apply".

 In the "L2TP group list", click "Add".

 Set "Group Type" to "LNS".

 Enter the parameters.

 The server address is set to a local address used in PPP negotiation. PPP negotiation can succeed only after this IP address is configured, so that on-line dial-up users can access the LNS network server.

 If mandatory CHAP authentication is selected, the user is authenticated on the LAC, and the LNS performs CHAP authentication for the user again. If authentication fails, the session cannot be established. Mandatory CHAP authentication improves security but increases the tunnel setup duration.

 Users access a NAS (LAC) over a PSTN or ISDN. The LAC checks the VPN user identity. Then the LAC sends a request to an LNS over the Internet to establish a tunnel. The LNS assigns IP addresses to dial-up users. The LAC-side agent or the LNS provides authentication and accounting services for remote dial-up users. In this situation, L2TP allows a BRAS device to request the establishment of L2TP tunnels for users that attempt to access the Internet. Mobile users, however, do not need to install VPDN software, but they must use PPP or PPPoE to access the Internet. When the LAC is authenticating user names and passwords, it can identify L2TP tunnel users and automatically request the LNS to establish connections. Then users can access enterprise VPNs through the tunnels. This solution applies when a small LAN accesses the HQ network.

 The process is as follows:

1. VPN client: initiates PPP or PPPoE connections to the LAC.

2. LAC: checks whether the users are L2TP users. Then the LAC automatically requests the LNS to establish tunnels for the L2TP users.

3. LNS: assigns private IP addresses to users to allow them to access the intranet.

 VPDN access has the following characteristics:

 Users must run PPP to access the Internet. The PPP methods include PPPoE or PPP dial-up.

 VPN must be enabled on carriers' access devices (primarily BRAS devices).

 Users have to apply to carriers for VPN services.

 There are no requirements on the client, and users do not sense the process of accessing the enterprise network. The process is implemented by the L2TP tunnel service.

 A single tunnel can carry multiple sessions.

 GRE encapsulates the packets of some network layer protocols, for example, Internetwork Packet Exchange (IPX) packets, and transmits them using another network layer protocol, for example, IP. GRE functions as a Layer 3 tunneling protocol on virtual private networks (VPNs) and provides a tunnel for transparently transmitting VPN packets. GRE uses one protocol to encapsulate packets of another protocol so that packets can be transmitted across different types of networks. These packets are transmitted over GRE tunnels.

 A tunnel is a virtual P2P connection, which can be considered a P2P virtual interface. This interface provides an available path to transmit packets. Packets are encapsulated on one end and decapsulated on the other end of the tunnel.

 During GRE implementation on a specific device, a tunnel interface, which is a virtual logical interface, needs to be created. A tunnel interface is a point-to-point virtual interface for packet encapsulation. Similar to a loopback interface, it is a logical interface.

 A tunnel interface consists of the following elements:

 Source address: carried by the packet transport protocol. To the network over which an encapsulated packet is transmitted, the source address of a tunnel is equal to the IP address of the interface through which the packet is transmitted.

 Destination address: carried by the packet transport protocol. To the network over which an encapsulated packet is transmitted, the destination address of the local end of a tunnel is actually the source IP address of the tunnel at the remote end.

 IP address of a tunnel interface: to start a dynamic routing protocol on a tunnel interface or use static routes to advertise a tunnel interface, you must assign an IP address to the tunnel interface. The IP address of the tunnel interface does not have to be a public network address. You can borrow the IP address of another interface to save IP addresses. When the tunnel interface borrows an IP address, a dynamic routing protocol cannot be started on the interface because the tunnel interface has no IP address of its own. You must configure a static route or policy-based route to implement connectivity between the routers.

 Encapsulation type: the encapsulation mode in which a tunnel interface encapsulates packets. The common encapsulation modes are GRE, MPLS TE, IPv6-IPv4, and IPv4-IPv6. A tunnel is manually configured and, once established successfully on a tunnel interface, can be considered a physical interface. Run a dynamic routing protocol or configure a static route on the interface.

The transmission of a packet over a GRE tunnel consists of two steps: encapsulation and decapsulation. Take the network in the preceding figure as an example. If a private network packet is transmitted from FW A to FW B, encapsulation is carried out on FW A and decapsulation on FW B. FW A receives a private network packet on the interface connecting to the private network and sends the packet to the protocol module running on the private network for further processing. The protocol module checks the destination address in the packet header, searches the routing table or forwarding table for an egress, and determines how to route the packet. If the egress is a tunnel interface, the packet is sent to the tunnel module. The tunnel module handles the received packet as follows:

 The tunnel module performs GRE encapsulation for the packet based on the protocol type of the passenger packet and the Key and Checksum parameters configured for the current GRE tunnel, adding a GRE header to the packet.

 The tunnel module adds an IP header to the packet based on the configuration (the transport protocol being IP). The source address of the IP header is the source address of the tunnel, and the destination address of the IP header is the destination address of the tunnel.

 The packet is processed by the IP module. The IP module searches the public routing table for an entry matching the destination IP address and sends the packet through the corresponding outbound interface. The encapsulated packet then travels over the public IP network.

 Decapsulation is performed in the reverse order of encapsulation.

 After FW B receives the packet on a public interface, it finds that the packet is destined for itself and that the protocol field is 47, indicating GRE (RFC 1700). FW B forwards the packet to the GRE module. The GRE module removes the IP and GRE headers and finds that the passenger protocol is a private network protocol. The GRE module then hands the packet to the private network protocol, which forwards it as an ordinary data packet.
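To make the encapsulation and decapsulation steps concrete, here is an added Python example (not Huawei code and not part of the original slides) that builds the outer IP header with protocol 47 and a GRE header carrying the optional Checksum and Key fields, then performs the receiving-end checks and discards packets whose key or checksum does not match. The tunnel endpoints 1.1.1.1 and 5.5.5.5 are taken from the configuration on this page; the inner packet and the key value are constructed.

```python
import struct
from typing import Optional

GRE_PROTO = 47            # IP protocol number assigned to GRE (RFC 1700)
ETHERTYPE_IPV4 = 0x0800   # passenger protocol type carried in the GRE header
FLAG_C = 0x8000           # GRE "Checksum Present" flag
FLAG_K = 0x2000           # GRE "Key Present" flag
FLAG_S = 0x1000           # GRE "Sequence Number Present" flag


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum: ones' complement of the ones' complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str,
                    key: Optional[int] = None, checksum: bool = False) -> bytes:
    """Tunnel-module step: GRE header (optional Checksum/Key) plus outer IP header."""
    flags, options = 0, b""
    if checksum:
        flags |= FLAG_C
        options += struct.pack("!HH", 0, 0)   # checksum placeholder + Reserved1
    if key is not None:
        flags |= FLAG_K
        options += struct.pack("!I", key)
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4) + options + passenger
    if checksum:
        # the checksum covers the GRE header and the whole passenger packet
        gre = gre[:4] + struct.pack("!H", ones_complement_checksum(gre)) + gre[6:]
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre)) + gre


def gre_decapsulate(packet: bytes, local_addr: str,
                    expected_key: Optional[int] = None) -> bytes:
    """Receiving-end checks: destined to us, protocol 47, checksum and key match."""
    ihl = (packet[0] & 0x0F) * 4
    if ip_str(packet[16:20]) != local_addr:
        raise ValueError("outer packet is not destined to this tunnel endpoint")
    if packet[9] != GRE_PROTO:
        raise ValueError(f"outer protocol {packet[9]} is not GRE")
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset, key = 4, None
    if flags & FLAG_C:
        # a valid packet sums to zero once the stored checksum is included
        if ones_complement_checksum(gre) != 0:
            raise ValueError("GRE checksum mismatch, packet discarded")
        offset += 4
    if flags & FLAG_K:
        key = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        offset += 4
    if key != expected_key:
        raise ValueError("GRE key mismatch, packet discarded")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected passenger protocol 0x{ptype:04x}")
    return gre[offset:]


# Constructed sample: a private-network IPv4/UDP packet from 10.1.1.10 to 10.3.1.10
INNER_PACKET = ipv4_header("10.1.1.10", "10.3.1.10", 17, 5) + b"hello"
TUNNEL_KEY = 0x12345678   # constructed GRE key value (not from the page)


def demo() -> bool:
    """Encapsulate on FW A (1.1.1.1), decapsulate on FW B (5.5.5.5)."""
    outer = gre_encapsulate(INNER_PACKET, "1.1.1.1", "5.5.5.5",
                            key=TUNNEL_KEY, checksum=True)
    return outer[9] == GRE_PROTO and \
        gre_decapsulate(outer, "5.5.5.5", TUNNEL_KEY) == INNER_PACKET


if __name__ == "__main__":
    print("GRE round trip ok:", demo())
```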
When you configure the tunnel logical interface, specify the source and destination addresses of the GRE tunnel. The next hop of the route to the peer network segment is the tunnel interface.
 GRE VPN has the following key configuration:

 Create a virtual tunnel interface.

 Configure the tunnel interface source address.

 Configure the tunnel interface destination address. (The source and destination addresses together uniquely identify a tunnel; the source and destination addresses configured at the two ends must mirror each other.)

 Configure the tunnel interface network address.

 Configure the firewall inter-zone forwarding policy.

 The two firewalls use similar configurations. For example:

[B-Tunnel1] ip address 10.1.1.2 24

[B-Tunnel1] source 5.5.5.5

[B-Tunnel1] destination 1.1.1.1

 Configure a static route from Firewall B to Group1 through Tunnel1.

[B] ip route-static 10.3.1.0 255.255.255.0 tunnel 1


In the Web tab page, configure GRE VPN by performing the following steps:

 Choose "Network > GRE > GRE".

 In the "GRE interface list", click "Add".

 Enter or select the parameters of the GRE interface.

 Click "Apply".

After the tunnel verification function is enabled, the GRE tunnel performs verification and authentication.

After a GRE key is configured, both ends of the tunnel authenticate the GRE key. Data is valid only when both ends of the tunnel have the same key. If the keys are different on the two ends, the packet is discarded.

The IPsec protocol works at the IP layer, using encryption and data origin authentication to ensure confidentiality, integrity, authenticity, and anti-replay for data transmission over the network.

IPsec VPN will be introduced in detail in the following chapters.
The SSL protocol is implemented using the following sub-protocols:

 SSL Handshake Protocol

 SSL Record Protocol

 SSL Alert Protocol

 SSL Change Cipher Spec Protocol

SSL VPN will be introduced in detail in the following chapters.

 Symmetric encryption: The same key is used for encryption and decryption. Encryption and decryption are fast and can be done in hardware. The major challenges are complex key management and secure key transfer.

 Asymmetric encryption: Different keys are used for encryption and decryption. The private key is used to encrypt the data, and the public key is shared among users to verify the authenticity of the data and the sender's identity. The keys are highly secure, but the limitation is that encryption and decryption are slow and can be done only in software.

 Encryption algorithm: Encryption algorithms are used to encrypt data in transit to protect data confidentiality.

 Hash algorithm: Hash algorithms are used to verify the integrity of data in transit. The sender computes a hash value of the data to be transmitted, encrypts the hash value, and sends it with the data. Upon receiving the data, the receiver computes a hash value of the data and compares it with the one received with the data. If the data has not been tampered with or corrupted, the two hashes are identical.

 Encryption strength depends on the length of the keys and the complexity of the encryption algorithm. Encryption is generally stronger when keys are longer.

 Tunneling is the most critical technology in VPN. Tunneling means creating a tunnel over the Internet, using encapsulation and decapsulation on the endpoints of the tunnel to transmit packets.

 L2TP works on the link layer to encapsulate PPP frames; GRE and IPSec work on the network layer to encapsulate data packets. Therefore, L2TP is a Layer 2 VPN technology, and GRE and IPSec are Layer 3 VPN technologies.

 The security of L2TP VPN is ensured through access user authentication on the LAC, tunnel authentication between the LAC and LNS, and access user authentication on the LNS. The limitation is that data is not protected in transit. L2TP VPN is used for mobile or remote users to access enterprise intranets.

 GRE VPN is used for communication between the gateway at the HQ and the gateway at a branch office. Limitations: the tunnel parameters are manually configured, deployment of complex connections is costly, no security is provided, and address space cannot be separated.
 Confidentiality: Encrypts data to ensure that data is not exposed to others during transmission.

 Integrity: Verifies the integrity of received packets to ensure that data has not been tampered with during transmission.

 Authenticity: Verifies data sources to ensure that data is sent from the actual sender (identified by the source address in the IP packet header).

 Anti-replay: Prevents malicious users from repeatedly sending captured packets. This means that the receiver rejects old or repeated packets.
IPSec protects data at the IP layer and above and is transparent to upper-layer applications, which do not need to be modified. Protection measures include confidentiality, integrity, authenticity, and anti-replay.

IPSec protects packets based on policies. For example, one type of measure is taken to protect the data streams of one service, whereas another type of measure, or no measure, is taken to protect the data streams of another service.

In this example, a measure is taken to protect traffic sent to the HQ, whereas no measure is taken to protect Internet access traffic.

When enterprises or individuals in different areas want to communicate over the Internet, most of the traffic exchanged between them traverses unknown networks on the Internet. Therefore, security cannot be ensured for the data sent and received on the network.

IPSec provides a method of establishing and managing security tunnels. It prevents data from being illegitimately viewed or tampered with on the network or during transmission over the public network by authenticating and encrypting the packets to be transmitted. This functions in the same way as a secure communication tunnel for users in different places.

 The following application scenarios are available:

 Between gateways (such as firewalls): This scenario is also called P2P or P2MP IPSec VPN. It is mainly used for establishing IPSec tunnels between the HQ and branches.

 Between a host and a gateway: This scenario is used for employees on business trips to access HQ resources.

 Between hosts: This scenario is used for hosts that transfer encrypted data over the Internet. The hosts themselves encrypt and decrypt the data. In some scenarios, for example, when servers are deployed in the DMZ zone, a NAT server can be configured on the firewall to achieve the same purpose. This will be discussed later.

The IPSec VPN architecture consists of the AH, ESP, and IKE protocols. IPSec uses ESP to guarantee IP data confidentiality during transmission, and uses AH/ESP to provide data integrity, data source authentication, and anti-replay of packets. ESP and AH define the protocol and payload header formats as well as the services provided, but do not define the transforms required to provide these functions. A transform covers the data conversion details, such as the algorithm and key size. To simplify IPSec usage and management, IPSec can use IKE to automatically negotiate key exchange and to establish and maintain SAs. Details are as follows:

 AH: the Authentication Header protocol, providing data source authentication, data integrity checking, and anti-replay of packets. However, AH does not encrypt the protected packets.

 ESP: the Encapsulating Security Payload protocol. In addition to all the functions of AH (except that ESP does not check the integrity of the IP header), ESP can encrypt IP packets.

 IKE: used to automatically negotiate the cryptographic algorithms used by both AH and ESP.
IKE is an application layer protocol running over UDP and is the signaling protocol of IPSec. IKE generates the keys for IPSec negotiation; these keys are used for AH/ESP encryption, decryption, and verification. AH and ESP have their own protocol numbers: 51 and 50, respectively.

AH and ESP are the two major protocols of IPSec. AH provides data source authentication, data integrity checking, and anti-replay. ESP provides integrity checking, authentication, encryption, and anti-replay for IP communication.

AH and ESP can be used together or alone. In actual networking, ESP is used more frequently.
IPSec supports two encapsulation modes: transport mode and tunnel mode.

 In transport mode, the IPSec protocol processing module inserts an IPSec header between the IP packet header and the upper-layer protocol header. In this mode, the IP packet header is the same as that of the original IP packet, but the protocol field is changed to the IPSec protocol number (50 or 51) and the IP header checksum is recalculated. In transport mode, the payload and upper-layer protocol of the packet are protected. The IPSec source endpoint does not change the destination IP address in the IP packet header, and the original IP addresses remain in plaintext. Transport mode provides security services only for upper-layer protocols. It is generally applied to E2E connections between two hosts to be protected, not to data streams between two gateways serving multiple hosts.

 In tunnel mode, the original IP packet is encapsulated in a new IP packet, and an IPSec header is inserted between the original and new packet headers. The original IP addresses are protected by IPSec as part of the payload, which differs from transport mode. The IP addresses in the original packet can be hidden by data encryption, better protecting data during E2E communication.

 Transport mode:

 Application scenario 1: communication between a host and a network security gateway

 Application scenario 2: communication between hosts

 Tunnel mode:

 Application scenario: communication between network security gateways

 Encryption algorithm: ESP can encrypt IP packet contents to prevent them from being eavesdropped on. The encryption algorithm is implemented by a symmetric key system that uses the same key to encrypt and decrypt data.

 In general, IPSec uses the following encryption algorithms:

 Data Encryption Standard (DES): uses a 56-bit key to encrypt one 64-bit plaintext block.

 Triple Data Encryption Standard (3DES): uses three 56-bit DES keys (168 bits in total) to encrypt plaintext blocks.

 Advanced Encryption Standard (AES): uses an AES key to encrypt plaintext blocks. The key can be 128, 192, or 256 bits long.

 The 3DES algorithm is more secure than DES, but slower than DES at encrypting data. AES has lower computational complexity than 3DES, but higher encryption strength than 3DES.

 Authentication algorithm: Both AH and ESP can authenticate IP packet integrity to determine whether IP packets have been tampered with during transmission. The authentication algorithm is implemented using a hash function, an algorithm that accepts a message of any size as input and generates a fixed-size output called the message digest. IPSec peers compute digests; if the two digests are the same, the packet has not been tampered with.

 In general, IPSec uses two authentication algorithms:

 Message Digest 5 (MD5): MD5 generates 128-bit message digests from input messages of any size.

 Secure Hash Algorithm (SHA-1): SHA-1 generates 160-bit message digests from input messages shorter than 2^64 bits. A SHA-1 digest has more bits than an MD5 digest; as a result, SHA-1 is more secure, but SHA-1 computation requires more time and resources than MD5.
AH is an important IPSec protocol, which provides data integrity, data source authentication, and anti-replay of IP packets. AH is defined in RFC 2402. AH provides all the functions supported by ESP, except confidentiality.

Because AH does not protect confidentiality, AH does not require any encryption algorithm. AH defines the protection method, the packet header location, the authentication coverage, and the rules for handling inbound and outbound packets, but does not define the identity authentication algorithm used. Like ESP, AH does not mandate anti-replay protection: the receiver determines whether to use the anti-replay service. The sender does not know whether the receiver checks its SN, so the sender must assume that the receiver is using the anti-replay service.

Like ESP, AH is a general-purpose security service protocol for IP. The data integrity provided by AH is slightly different from that provided by ESP: AH also authenticates the outer IP header.

 The protocol number assigned to AH is 51. In other words, the protocol field in the IP header of an IPv4 packet protected by AH is 51. The AH header follows the IP header. The AH header is simpler than the ESP header, because AH does not provide confidentiality: AH does not need padding, so there is no trailer field, and no initialization vector is required either.
AH uses the transport mode to protect one upper-layer protocol, or the tunnel mode to protect one complete IP packet. In either mode, the AH header follows an IP header. AH can be used alone or together with ESP to provide the most complete data protection.

When AH is used in transport mode, it protects E2E communication; the communication endpoints must be the IPSec endpoints. The AH header is inserted into the packet after the IP header (and any options) and before the upper-layer protocol to be protected.

When AH is used in tunnel mode, it encapsulates the packets it protects. A new IP header is added before the AH header. The encapsulated IP packet contains the original packet, while the new IP header contains the IPSec endpoint addresses. Tunnel mode can replace transport mode for E2E security services.
ESP uses a series of encryption algorithms to provide confidentiality, whereas data integrity is guaranteed by the authentication algorithm. The algorithms used are determined by the corresponding components of the ESP SA. ESP can provide the anti-replay service through the SN, but the packet receiver determines whether to use the anti-replay service: a unique, monotonically increasing SN is inserted by the sender, but the receiver is not required to check it. Such protection is advantageous to security and is therefore generally used.

ESP can be used in different operation modes. The ESP header follows an IP header irrespective of the ESP operation mode. The protocol number used by ESP is 50. That is, after the ESP header is inserted into the original packet, the protocol field in the IP header preceding the ESP header is 50, indicating that an ESP header follows the IP header.

 As an IPSec header, the ESP header contains an SPI field. The SPI, together with the destination address of the preceding IP header and the security protocol, identifies a specific SA. The SPI can be specified by the user or determined by negotiation through key management. The SPI is authenticated but cannot be encrypted, because the SPI is the SA identifier that tells the receiver which encryption algorithm and key to use to decrypt the packet. If the SPI were encrypted, we would face a chicken-and-egg problem.

 The SN is a unique, monotonically increasing 32-bit value inserted by the sender in the ESP header. The SN gives ESP its anti-replay function. Like the SPI, the SN is authenticated but not encrypted, because we want to determine whether a packet is a replay at the front end of the protocol module's processing flow, and discard it without spending further resources on decrypting it.

 The initialization vector (IV) is an optional field. Among the encryption algorithms defined for ESP, some need an IV, and the value of the IV depends on the encryption algorithm. Take DES-CBC as an example: the IV is the first 8-octet block of the payload data field. The IV is also authenticated but not encrypted.

 The padding field has three functions in the ESP header. Some encryption algorithms place strict requirements on the input plaintext; for example, the plaintext size must be an integral multiple of x bytes. Block encryption algorithms require that the plaintext be an integral multiple of the block size. The first function of the padding field is to extend the plaintext to the size required by the algorithm. ESP also requires that the ESP header (payload, padding, and trailer included) be an integral multiple of 32 bits, with the pad length and next header fields right-aligned; the padding field is also used to guarantee this packet format. The last function of the padding field is to hide the actual size of the data payload, providing confidentiality. The padding field contains up to 255 bytes. The padding contents are related to the encryption algorithm that provides confidentiality. If the algorithm defines a specific padding value, the padding field must use it. If the algorithm does not specify a value, ESP stipulates that the first padding byte is 1 and each following byte increases by one.

 The pad length field identifies the number of bytes in the padding field. The receiver uses it to restore the actual size of the payload data. The pad length field is mandatory: even if the packet is not padded, the pad length field still exists.

 The next header field indicates the type of data in the payload. If ESP is used in tunnel mode, the next header field value is 4, indicating IP-in-IP. If ESP is used in transport mode, the next header value indicates the upper-layer protocol type; for example, the value corresponding to TCP is 6.

 The authentication data field holds the data integrity check result: the output of a keyed hash function. The size of the authentication data field is determined by the authentication algorithm used by the SA. If no authentication algorithm is specified in the SA, the authentication data field does not exist.
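The ESP framing and the receiver-side order of checks described above (replay pre-check on the SN before any expensive work, then ICV verification, then the window update), as an added Python example that is not Huawei code and not part of the original slides. It uses ESP with NULL encryption (RFC 2410) so the padding and trailer stay visible, HMAC-SHA1-96 as the authentication algorithm, and the 64-packet sliding window of RFC 4303; the SPI, authentication key and payloads are constructed values.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50            # IP protocol number of ESP
NEXT_HEADER_IPIP = 4      # tunnel mode: payload is a complete IP packet
NEXT_HEADER_TCP = 6       # transport mode example: payload is a TCP segment
ICV_LEN = 12              # HMAC-SHA1-96 truncates the 20-byte digest to 96 bits


class ReplayWindow:
    """RFC 4303 sliding window: bit i of `bitmap` marks sequence number `last - i`."""

    def __init__(self, size: int = 64):
        self.size, self.last, self.bitmap = size, 0, 0

    def check(self, seq: int) -> bool:
        """Preliminary check done before the ICV is verified (cheap early reject)."""
        if seq == 0:                      # the SN starts at 1; 0 is never valid
            return False
        if seq > self.last:               # newer than anything seen: accept
            return True
        if self.last - seq >= self.size:  # older than the window: stale
            return False
        return not (self.bitmap >> (self.last - seq)) & 1   # bit set = replay

    def update(self, seq: int) -> None:
        """Called only after the ICV verified, so forged SNs cannot move the window."""
        mask = (1 << self.size) - 1
        if seq > self.last:
            self.bitmap = ((self.bitmap << (seq - self.last)) | 1) & mask
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def build_esp(spi: int, seq: int, payload: bytes, next_header: int,
              auth_key: bytes, block_size: int = 4) -> bytes:
    """ESP header + payload + padding + pad length + next header + ICV."""
    # default padding 1,2,3,... so that payload + pad + the 2 trailer bytes fills
    # whole cipher blocks and the trailer ends on a 32-bit boundary (block_size % 4 == 0)
    pad_len = (-(len(payload) + 2)) % block_size
    pad = bytes(range(1, pad_len + 1))
    body = struct.pack("!II", spi, seq) + payload + pad + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def parse_esp(packet: bytes, auth_key: bytes, window: ReplayWindow):
    """Receiver side: replay pre-check, ICV, window update, then strip the trailer."""
    spi, seq = struct.unpack("!II", packet[:8])
    if not window.check(seq):
        raise ValueError(f"SN {seq} replayed or outside the window")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: packet modified in transit")
    window.update(seq)
    pad_len, next_header = body[-2], body[-1]
    pad = body[len(body) - 2 - pad_len:-2]
    if pad != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes are not the default 1,2,3,... pattern")
    payload = body[8:len(body) - 2 - pad_len]
    return spi, next_header, payload


def receive(packet: bytes, auth_key: bytes, window: ReplayWindow):
    """Returns (True, (spi, next_header, payload)) or (False, reason)."""
    try:
        return True, parse_esp(packet, auth_key, window)
    except ValueError as err:
        return False, str(err)


# Constructed sample SA values (not from the page)
AUTH_KEY = b"constructed-hmac-sha1-key"
SPI = 0x0000C0DE


if __name__ == "__main__":
    win = ReplayWindow()
    pkt = build_esp(SPI, 1, b"hello world", NEXT_HEADER_TCP, AUTH_KEY)
    print(receive(pkt, AUTH_KEY, win))   # accepted
    print(receive(pkt, AUTH_KEY, win))   # same SN again: dropped as a replay
```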
In specific applications, ESP can use either transport or tunnel mode. The mode determines which objects ESP protects. In transport mode, the original IP header cannot be protected. In tunnel mode, the entire original packet can be protected.
Before using IPSec to protect an IP packet, an SA must be established. An IPSec SA can be established manually. However, manual configuration is difficult, and security is hard to guarantee when there is a large number of network nodes. IKE can be used to automatically establish SAs and exchange keys. IKE is used for dynamic SA establishment, meaning that IPSec negotiates the SAs.

IKE, described in RFC 2409, is a hybrid protocol built upon the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP). For details about ISAKMP, see RFC 2408. Moreover, IKE implements parts of two other key management protocols, Oakley and SKEME. IKE also defines two key exchange modes.

 Oakley is a protocol based on the Diffie-Hellman (DH) algorithm and developed by Hilarie Orman, a security expert at the University of Arizona. Oakley is a free-form protocol that allows research institutes to improve the protocol based on their capabilities. Based on Oakley, IKE defines a regular key exchange method. Although the flexibility of the Oakley model is reduced, multiple exchange modes are available. As a result, Oakley is a suitable key exchange technology.

 SKEME is another key exchange protocol, designed by the cryptography expert Hugo Krawczyk. SKEME defines how to authenticate a key exchange. The communicating parties use public key encryption to support mutual authentication and to share the exchanged components. Each party uses the public key of the other party to encrypt one random number; the two random numbers (after decryption) contribute to the final keys. IKE uses SKEME technology directly in one of its authentication methods (public key encryption authentication).

 ISAKMP was developed by researchers at the NSA. In the past, the NSA was a highly secret organization whose existence the U.S. government even denied. More recently, the NSA has gradually been unveiled, and its encryption and security technologies are also in the spotlight. ISAKMP is an open technology.

 ISAKMP, Oakley, and SKEME are the basis of IKE. As a result, IKE is regarded as a hybrid protocol, which inherits the ISAKMP framework, the Oakley modes, and the SKEME sharing and key update technologies.

 Based on this inheritance, IKE defines its own techniques for authentication, keying material generation, negotiation, and policy sharing. The functions of the three technologies as described in the IKE specification are shown in the IKE discussion. Among these technologies, ISAKMP plays the dominant role.

 ISAKMP defines the communication modes, message formats, and state exchange process that guarantee communication security between two parties. However, ISAKMP does not define a specific key exchange technology; key exchange is defined by other protocols. For IPSec, the defined key exchange is IKE. IKE uses the ISAKMP language to define a key exchange that is a way of negotiating security services. The final result of IKE is an authenticated key and a mutually agreed security service, namely the IPSec SA. However, IKE is not used by IPSec only; if required by other protocols, such as RIPv2 or OSPF, IKE can also be used to provide security services.
IKE has a self-protection mechanism, which can safely distribute keys, authenticate identities, and establish IPSec SAs on insecure networks.

 DH exchange and key distribution: DH is a commonly used key exchange algorithm. Without transmitting the key, the two communicating parties compute a shared key through data exchange. The precondition for encryption is that the two parties exchanging encrypted data must possess the shared key. The essence of IKE is that it never transmits a key over an insecure network, but computes the shared key through a series of data exchanges. Even if a third party, such as a hacker, intercepts all the exchanged data used for key computation, the actual key cannot be derived.

 Perfect forward secrecy: PFS is a security feature meaning that cracking one key does not affect the security of other keys, because the keys have no derivation relationship between them. PFS is guaranteed by DH and is implemented by adding a key exchange in Phase 2 of IKE.

 ID authentication: ID authentication confirms the identities of the two communicating parties. In the pre-shared key authentication method, the authenticator is used as an input to generate the key. Different authenticators cannot generate the same key for the two parties; the authenticator is the key to identity authentication.

 ID protection: ID data is encrypted for transmission after the key is generated, protecting identity data.
In the DH exchange as defined in IKE, the computation results generated each time are unrelated to each other. To ensure that the keys used by each SA are not related to each other, a DH exchange must be performed every time an SA is established.

IPSec uses the SN in the packet header for anti-replay. The SN is a 32-bit value. After the SN overflows, the SA must be re-established to continue supporting anti-replay. This process requires the cooperation of IKE.

Authenticating and managing the identities of the communicating parties may affect IPSec deployment. Large-scale IPSec deployment requires the participation of a Certification Authority (CA) or other institutions that manage identity data in a centralized manner.

IPSec provides secure communication between two endpoints. Each endpoint is called an IPSec peer. IPSec allows users or administrators of systems and networks to control the granularity of the security services between peers. For example, the security policy of an organization may stipulate that data streams from a specified subnet use AH and ESP for protection and 3DES for encryption, while data streams from another site use ESP for protection and DES for encryption. Using SAs, IPSec can provide different levels of protection for different data streams.

The SA is the basis and essence of IPSec. An SA is the agreement between the communicating peers on elements such as the selected security protocol, the protocol operation mode (transport or tunnel mode), the encryption algorithm (DES or 3DES), the shared key used to protect the specified data stream, and the key lifetime.

 An SA is unidirectional. Bidirectional communication between two peers requires at least two SAs to protect the data streams in the two directions. If both AH and ESP are required to protect the data streams between peers, two SAs are needed: one for AH and the other for ESP.

 An SA is uniquely identified by a triplet: the SPI, the destination IP address, and the security protocol number (AH or ESP). The SPI is a 32-bit value that uniquely identifies the SA and is transmitted in the IPSec header.

 The IPSec device stores the SA parameters in a Security Policy Database (SPD), which determines how specific data is processed. Before an IPSec packet is sent or received, the SPD is searched to determine the follow-up procedure.

As the main function of an IKE SA is to negotiate the security protocol for an IPSec SA, the negotiated content of the IKE SA is the authentication algorithm and encryption algorithm used by AH or ESP.

An IPSec SA refers to the tunnel parameter agreement made by the communicating parties that need to establish an IPSec tunnel. The parameters include the IP addresses of the two ends of the tunnel, the authentication mode, authentication algorithm, authentication key, encryption algorithm, encryption key, shared key, and lifetime.

 IKE goes through two phases to negotiate keys and establish SAs for IPSec.

 Phase 1: The communicating parties set up a channel that passes identity authentication and is security-protected. An ISAKMP Security Association (ISAKMP SA or IKE SA) is created using key exchange.

 Phase 2: The IKE SA established in Phase 1 is used to negotiate IPSec parameters, that is, to negotiate specific SAs for IPSec and establish IPSec SAs, which are then used for the secure transmission of IP packets.
IKE uses ISAKMP in two phases. In Phase 1, the IKE SA is established. In Phase 2, the established SA is used to negotiate specific SAs for IPSec.

As described in RFC 2409, IKE negotiation Phase 1 has two modes: main mode and aggressive mode. IKE negotiation in both modes establishes an authenticated, encrypted IKE SA and generates an authenticated key to provide confidentiality, data integrity, and data source authentication services for the two communicating parties. All other exchanges defined in IKE require an authenticated IKE SA; the authenticated IKE SA is the primary precondition. Phase 1 must be complete before other exchanges, irrespective of whether main mode or aggressive mode is used.

 IKE works as follows:

1. After IPSec is applied to an interface, the interface checks the packets it sends against the IPSec policies.

2. If a packet matches an IPSec policy, the interface searches for an SA. If no matching SA has been established, IKE is triggered to negotiate SAs in Phase 1, that is, IKE SAs.

3. Under the protection of the IKE SAs established in Phase 1, IKE continues to negotiate SAs in Phase 2, that is, IPSec SAs.

4. The IPSec SAs are used to protect the communication data.


 The main mode is designed as an exchange that separates key exchange information from identity authentication information. Such separation guarantees the security of identity information during transmission, because the exchanged identity information is encrypted.

 In main mode, three steps and six messages are required to complete negotiation in Phase 1 and finally establish the IKE SA.

 The three steps are mode negotiation, DH exchange and nonce exchange, and identity authentication of the peer party. Features of the main mode include identity protection and full utilization of the ISAKMP negotiation capability. Identity protection is rather important when the peer party wants to hide its identity. The importance of full utilization of the negotiation capability becomes clear in the discussion of aggressive mode.

 Assume that the pre-shared key is used for authentication. Before messages 1 and 2 are sent, the negotiation initiator and responder must each generate a cookie to uniquely identify each independent exchange negotiation. The cookie is computed by MD5 hashing of the source/destination IP address, a random number, and the date and time, and is inserted in the ISAKMP header of message 1 to identify an independent exchange negotiation.

 During the first exchange, the two parties exchange the cookie and SA payload. The SA payload carries the various IKE SA parameters to be negotiated, including the hash type, encryption algorithm, authentication algorithm, and negotiation time limit of the IKE SA.

 Between the first exchange and the second exchange, the two communication parties need to generate the DH values from which the DH shared key is derived. To do so, each party generates a random number and applies the DH algorithm to it to obtain Xa and Xb. Here, Xa is the DH value of the initiator, whereas Xb is the DH value of the responder. Then, the two parties respectively compute a temporary value (nonce), Ni and Nr.

 During the second exchange, the two parties exchange their key exchange payloads (DH exchange) and temporary value payloads (nonce exchange). The key exchange payloads contain Xa and Xb, whereas the temporary value payloads contain Ni and Nr.

 After the two parties have exchanged the temporary value payloads Ni and Nr, SKEYID is generated from the preset pre-shared key and the nonces using the pseudo-random function. SKEYID is the basis for the generation of all keys. The two parties then use their own DH value, the exchanged DH value, and SKEYID to calculate the shared key SKEYID_d, which is known only to the two parties. The shared key is not transmitted; only the DH values and temporary values are transmitted. As a result, even if a third party obtains this information, it cannot figure out the shared key.

 After the second exchange is complete, the two parties have exchanged all the required computing materials. They can now compute all the keys and use them to protect the subsequent IKE messages. These keys include SKEYID_a and SKEYID_e. SKEYID_a is used to provide integrity and data source identity authentication services, and SKEYID_e is used to encrypt IKE messages.

 During the third exchange, the identification payload and hash payload are exchanged. The identification payload contains the identification information, that is, the IP address or host name of the initiator. The hash payload contains the value obtained by hashing the three groups of keys generated in the preceding process. These two payloads are encrypted using SKEYID_e. If the hash values computed by the two parties are the same, authentication succeeds. The pre-shared key exchange in main mode in the first IKE phase is now complete.
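The main mode key derivation just described, written out as an added example with the RFC 2409 formulas (this is not code from the course material or from Huawei). The Diffie-Hellman group is a toy 61-bit group so the script runs instantly, the pseudo-random function is assumed to be HMAC-SHA1, and the cookies, SA payload bytes, identities and pre-shared keys are constructed sample values. It shows that both peers reach the same SKEYID_d although only Xa, Xb, Ni and Nr cross the wire, and that a responder with a different pre-shared key fails the hash check in the third exchange.

```python
"""Added example: IKEv1 main mode key derivation with pre-shared key authentication.

Assumptions (constructed, not from the course): toy DH group (p = 2^61 - 1, g = 2,
far too small for real use), prf = HMAC-SHA1, fixed sample cookies, SA payload and IDs.
"""
import hashlib
import hmac
import secrets

P = 2305843009213693951   # toy prime; real IKE uses group 2 (1024-bit MODP) or larger
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: keyed hash with the negotiated hash algorithm (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Return (private exponent, public DH value Xa or Xb) in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """g^xy as fixed-width bytes; computed locally and never transmitted."""
    return pow(peer_pub, priv, P).to_bytes(8, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID and the three keys derived from it (RFC 2409 section 5)."""
    skeyid = prf(psk, ni + nr)                                        # SKEYID = prf(PSK, Ni_b | Nr_b)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # keying material for IPSec SAs
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts IKE messages
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I, sent by the initiator in message 5 inside the SKEYID_e-encrypted payload."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxr, gxi, cky_i, cky_r, sai_b, idir_b):
    """HASH_R, sent by the responder in message 6."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def run_main_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Simulate both peers and report what agreed and whether each side authenticated."""
    # Messages 1-2: cookies and the SA payload (sample bytes).
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8
    sai_b = b"SA:3DES-SHA1-PSK-GROUP2-86400"
    # Messages 3-4: DH public values and nonces; only these leave each host.
    xa_priv, xa = dh_keypair()
    xb_priv, xb = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xa_b, xb_b = xa.to_bytes(8, "big"), xb.to_bytes(8, "big")
    # Each side derives g^xy from its own exponent and the peer's public value.
    gxy_i = dh_shared(xa_priv, xb)
    gxy_r = dh_shared(xb_priv, xa)
    keys_i = phase1_keys(psk_initiator, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = phase1_keys(psk_responder, ni, nr, gxy_r, cky_i, cky_r)
    # Messages 5-6: identities and hashes, each verified against the local derivation.
    idii_b, idir_b = b"ID:1.1.1.1", b"ID:2.2.2.2"
    hi_sent = hash_i(keys_i[0], xa_b, xb_b, cky_i, cky_r, sai_b, idii_b)
    hr_sent = hash_r(keys_r[0], xb_b, xa_b, cky_i, cky_r, sai_b, idir_b)
    hi_ok = hmac.compare_digest(hi_sent, hash_i(keys_r[0], xa_b, xb_b, cky_i, cky_r, sai_b, idii_b))
    hr_ok = hmac.compare_digest(hr_sent, hash_r(keys_i[0], xb_b, xa_b, cky_i, cky_r, sai_b, idir_b))
    return {
        "dh_agrees": gxy_i == gxy_r,
        "skeyid_d_agrees": keys_i[1] == keys_r[1],
        "initiator_authenticated": hi_ok,
        "responder_authenticated": hr_ok,
    }
```

Note that with a wrong pre-shared key the DH shared value still agrees (DH alone does not authenticate anyone); it is the hash payload over SKEYID, which mixes in the pre-shared key, that fails, which is exactly why the peer's key selection discussed in the aggressive mode section matters.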

 First Phase of IKE Exchange — Aggressive Mode

 As previously mentioned for main mode, after the second exchange, a session key is generated. The materials used to generate the session key include the pre-shared key. When a peer negotiates SAs with multiple peers, a pre-shared key must be set for each peer. To enable each peer to select the proper pre-shared key, peers in main mode must be distinguished based on the IP address in the preceding exchange information.

 If the IP address of the initiator is dynamically assigned, the responder cannot know the IP address of the initiator in advance. If the two parties nevertheless plan to use a pre-shared key for authentication, the responder cannot select the proper pre-shared key based on the IP address. Aggressive mode is used to solve this problem.

 In aggressive mode, only three messages are required to complete the establishment of the IKE SA, which differs from main mode. Because the number of messages is restricted, the negotiation capability is also restricted in aggressive mode, and identity is not protected.

 During the exchange in aggressive mode, the initiator provides a protection suite list, DH public value, nonce, and identity materials. All this information is sent together in the first message. The responder needs to select a protection suite and reply with its DH public value, nonce, identity materials, and an authentication payload. The initiator then places its authentication payload in the last message of the exchange.

 In aggressive mode, because the first message carries identity information, the identity information cannot be encrypted. This reduces negotiation security, but identities are not identified based on IP addresses. As a result, more flexible applications are supported in aggressive mode.
 Second Phase of IKE Exchange — Fast Mode

 After an IKE SA is established, irrespective of whether main mode or aggressive mode is used, the IKE SA can be used to generate SAs for IPSec. An IPSec SA is established using the fast mode (quick mode in RFC 2409) under the protection of the previously established IKE SA.

 In fast mode, the two communication parties must negotiate the various features of the IPSec SAs and generate keys for them. Fast mode messages are encrypted with the IKE SA and authenticated. Messages are authenticated by the pseudo-random function: SKEYID_a of the IKE SA is used as the key to authenticate the entire message in fast mode. This not only guarantees data integrity, but also authenticates the identity of the data source. When the message is received, the receiver knows that it must come from an entity that has passed authentication and that it was not changed during transmission. Confidentiality of the exchange is guaranteed by encryption (using SKEYID_e).

 In fast mode, the key used in an IPSec SA must be derived from the SKEYID_d state. This key is fed into the pseudo-random function together with the exchanged nonces, the SPI of the IPSec SA, and the protocol, so that each SA has its own unique key. Each SA has a different SPI; therefore, the key of the inbound SA also differs from that of the outbound SA. All IPSec keys are derived from the same source.

 Therefore, they are related to each other. If an attacker can determine the SKEYID_d value from the IKE SA, the keys of all IPSec SAs derived from SKEYID_d, as well as all future keys, can easily be obtained. This is a big problem: these keys cannot guarantee PFS. The fast mode provides a PFS option to meet this need, and users can decide whether to use PFS. To implement PFS in fast mode, an extra DH exchange is performed, and the resulting shared key is used during key generation for IPSec. Once the exchange is complete, that DH shared key no longer exists: the memory location of the key must be cleared and released so that the keys are not related.

 In the previous sections, we described the fast mode as a simple request/response exchange. However, fast mode does more than this. The initiator may require on-site evidence (proof of liveness), proving that the responder is online and has processed its initial fast mode message. To meet this requirement, the responder must include the initiator's nonce and the message ID in the authentication hash payload. This digest guarantees message integrity and provides source authentication and proof of liveness for the initiator.

 The responder also requires proof of liveness. The message from the initiator may be an expired message replayed by a malicious person. This person may not know the message contents; however, through traffic analysis, it can be known that this is a fast mode message. If the message is replayed, the responder has to create an extra SA. We can regard this as a mild DoS attack: the responder incurs unnecessary memory and SA management cost because of this message. To prevent such an attack, a third message is added in fast mode. This message must contain the nonces and message ID of this exchange, carried in one authentication hash payload. In this case, the initiator can prove that it is a participant in this exchange.

 In the first two messages, both the initiator and responder send an SA payload, the same as in main mode and aggressive mode. The SA payload is used to negotiate the various protection algorithms, whereas Ni, Nr, and ID are used to provide proof of liveness. Xa and Xb are used to generate a new DH shared key to guarantee PFS. Xa, Xb, the SKEYID_d generated in the first phase of IKE, Ni, Nr, and the SPI are used to generate the key for IPSec encryption. Finally, the initiator sends an acknowledgment message. After receiving this message, the responder knows that the initiator has received the second message. The second phase of IKE ends.
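The fast mode key derivation and the third-message liveness check described above, as an added example following the RFC 2409 quick mode formulas (not code from the course material or from Huawei). SKEYID_d and SKEYID_a are assumed to be sample values standing in for the Phase 1 result, the pseudo-random function is assumed to be HMAC-SHA1, the PFS option uses a toy 61-bit DH group, and the SPIs, nonces, message IDs and the IPSec DOI protocol identifier for ESP are constructed sample values. It shows that the inbound and outbound SAs get different keys because their SPIs differ, that without PFS the same SKEYID_d always yields the same keys, and that the PFS exchange changes them.

```python
"""Added example: IKEv1 quick mode KEYMAT derivation, with and without PFS, plus HASH(3).

Assumptions (constructed, not from the course): prf = HMAC-SHA1; sample SKEYID_d / SKEYID_a;
toy DH group p = 2^61 - 1 for the PFS option; PROTO_ESP assumed to be the IPSec DOI id 3.
"""
import hashlib
import hmac
import secrets

P, G = 2305843009213693951, 2   # toy DH group, far too small for real use
PROTO_ESP = b"\x03"             # assumed IPSec DOI protocol identifier for ESP used in KEYMAT


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d, protocol, spi, ni, nr, needed, gqm_xy=b""):
    """KEYMAT for one IPSec SA, expanded with the chained prf until `needed` bytes exist.

    Without PFS: K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    K1 = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    Kn = prf(SKEYID_d, K(n-1) | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    """
    seed = gqm_xy + protocol + spi + ni + nr
    out, block = b"", b""
    while len(out) < needed:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:needed]


def sa_pair_keys(skeyid_d, spi_out, spi_in, ni, nr, pfs=False):
    """Keys for the outbound and inbound ESP SAs of one quick mode exchange.
    With pfs=True a fresh DH exchange contributes g(qm)^xy to the derivation."""
    gqm_xy = b""
    if pfs:
        xi = secrets.randbelow(P - 2) + 1
        xr = secrets.randbelow(P - 2) + 1
        # both sides reach the same g^(xi*xr); only g^xi and g^xr are sent in the KE payloads
        gqm_xy = pow(pow(G, xr, P), xi, P).to_bytes(8, "big")
    # 32 bytes per SA: e.g. a 16-byte AES-128 key followed by 16 bytes of auth key
    return {
        "outbound": keymat(skeyid_d, PROTO_ESP, spi_out, ni, nr, 32, gqm_xy),
        "inbound": keymat(skeyid_d, PROTO_ESP, spi_in, ni, nr, 32, gqm_xy),
    }


def hash3(skeyid_a, msg_id, ni, nr):
    """HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b): the initiator proves it saw Nr."""
    return prf(skeyid_a, b"\x00" + msg_id + ni + nr)


def responder_accepts_hash3(skeyid_a, msg_id, ni, nr, received):
    return hmac.compare_digest(hash3(skeyid_a, msg_id, ni, nr), received)


def demo() -> dict:
    skeyid_d = hashlib.sha1(b"sample SKEYID_d from phase 1").digest()   # constructed
    skeyid_a = hashlib.sha1(b"sample SKEYID_a from phase 1").digest()   # constructed
    ni, nr = bytes(range(16)), bytes(range(16, 32))
    spi_out, spi_in = b"\x00\x00\x10\x01", b"\x00\x00\x20\x02"
    keys = sa_pair_keys(skeyid_d, spi_out, spi_in, ni, nr)
    keys_again = sa_pair_keys(skeyid_d, spi_out, spi_in, ni, nr)
    keys_pfs = sa_pair_keys(skeyid_d, spi_out, spi_in, ni, nr, pfs=True)
    msg_id = b"\xde\xad\xbe\xef"
    h3 = hash3(skeyid_a, msg_id, ni, nr)
    # a HASH(3) captured from an exchange with another message ID does not verify here
    stale = hash3(skeyid_a, b"\x00\x00\x00\x01", ni, nr)
    return {
        "inbound_differs_from_outbound": keys["inbound"] != keys["outbound"],
        "deterministic_without_pfs": keys == keys_again,
        "pfs_changes_keys": keys_pfs["outbound"] != keys["outbound"],
        "hash3_ok": responder_accepts_hash3(skeyid_a, msg_id, ni, nr, h3),
        "stale_hash3_rejected": not responder_accepts_hash3(skeyid_a, msg_id, ni, nr, stale),
    }
```

The "deterministic_without_pfs" result is the weakness the text describes: anyone holding SKEYID_d, the nonces and the SPIs can recompute every SA key, which is why the PFS option mixes in a DH value that is discarded after use.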

 Key lifecycle

 The key lifecycle determines when an old key is replaced by a new key, that is, the period after which keys are rotated. For example, if a communication service requires 1000 seconds and the key lifecycle is set to 100 seconds, 10 keys are generated during the transmission of the entire packet flow. Because 10 keys are used within the communication period of the service, even if attackers crack a key and decrypt some packets, not all packets can be cracked.

 PFS

 Each key is unique. Even if a key is cracked, the security of the other keys is not affected, because these keys have no deriving relationship. If attackers crack a key, only the packets protected by this key can be accessed, whereas packets protected by other keys cannot be cracked. PFS is guaranteed by the DH algorithm. This feature is supported by adding a key exchange during negotiation in Phase 2 of IKE.

 DH group

 The DH algorithm is a public key algorithm. Two communication parties figure out the shared key by exchanging some data, without transmitting keys. The precondition of encryption is that the two parties exchanging encrypted data must have the shared key. The essence of IKE is that it never directly transmits a key on an insecure network, but figures out the shared key through a series of data exchanges. Even if a third party (such as a hacker) intercepts all the data exchanged for key calculation, the actual key cannot be figured out. IKE defines five DH groups in total. Group 1 defines keys with 768 bits, whereas group 2 defines keys with 1024 bits. The longer the key, the higher the key security and the more difficult the key is to crack. DH group selection is important, because the DH group is determined during SA negotiation in Phase 1. The DH group is not selected during negotiation in Phase 2; both phases use one DH group. As a result, DH group selection affects the generation of the session key. During negotiation, one DH group should be selected for the peers, that is, the key length should be the same. If the DH groups selected on the peers do not match, negotiation fails.

 Based on the IPSec application, firewalls discard packets, bypass the security service, or apply the security service, depending on the data type, when processing inbound and outbound flows.

 Outbound flow: Firewalls check whether the outbound packets belong to protected data flows and which security service to apply to the packets.

 Bypass the security service: The IPSec policy is not applied, and only the traditional IP forwarding procedure is performed.

 Apply the security service: Apply the IPSec policy to the packets based on the established SA and forward them. If the SA is not established, IKE is called to complete SA establishment.

 Inbound flow: Inbound flow processing differs from outbound flow processing. Firewalls process packets in the following ways based on whether the packets contain the IPSec header.

 Discard packets: If the packets do not contain the IPSec header and the policy output is discard, the packets are discarded. If the policy output is apply IPSec but the SA is not established, the packets are also discarded.

 Bypass the security service: If the packets do not contain the IPSec header, the packets are forwarded following the traditional IP forwarding procedure.

 Apply the security service: If the packets contain the IPSec header and the SA has been established, the packets are handed to the IPSec layer for processing.

 The public IP addresses of the two networks are fixed and the two networks need to access each other. A point-to-point (P2P) IPSec tunnel in IKE negotiation mode can be established so that the devices in either network can initiate a connection.

 For USG_A and USG_B, the configuration roadmap is the same, as follows:

1. Complete basic interface configurations and route configurations, and enable the local policy and forwarding policy.

2. Configure IKE Phase 1 parameters, including the IKE version, negotiation mode, pre-shared key, and peer IP address.

3. On the basis of Phase 1, configure Phase 2.

4. Configure an IPSec policy and add the data flows to be protected, namely, communication data between network A and network B.

5. Apply the IPSec policy to interfaces.


 Configure advanced ACLs to define the data flows to protect so that IPSec can protect data flows for different applications and in different directions. A data flow is a group of traffic defined by the source IP address and mask, destination IP address and mask, IP protocol number, source port, and destination port. An ACL defines a data flow: all the traffic that matches an ACL is regarded as one data flow at the logical level.

 Advanced ACLs are used for defining the data flows to be protected by IPSec. The number range of an advanced ACL is 3000-3999. An advanced ACL offers relatively comprehensive matching conditions: traffic can be matched by source IP address, destination IP address, ToS, time range, protocol type, precedence, ICMP message type, and ICMP message code. You can use advanced ACLs in most functions to accurately match traffic.
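The advanced-ACL data-flow matching described here and the outbound/inbound decisions (discard, bypass, apply, trigger IKE) from the earlier firewall processing slide, combined in one added model (not code from the course material or from Huawei). The rule fields, the three policy actions, and the SA database keyed by the (SPI, destination address, protocol) triplet are simplified assumptions rather than the USG's real data structures; the addresses and SPIs are constructed sample values. Inbound cleartext packets are checked against the ACL with source and destination swapped, so a flow the policy says must be protected is not accepted in the clear.

```python
"""Added example: advanced-ACL style flow matching driving IPSec outbound/inbound processing.

Assumptions (constructed, not the USG implementation): rule fields, action names,
SA database layout, sample addresses and SPIs.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ESP, AH = 50, 51   # IP protocol numbers stated on the course slides


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                  # IP protocol number
    sport: int = 0
    dport: int = 0
    spi: Optional[int] = None   # set only when an ESP/AH header is present


@dataclass
class AclRule:
    """One advanced ACL rule; action is the IPSec policy output for matching traffic."""
    action: str                 # "protect", "bypass" or "discard"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class IpsecPolicy:
    acl: List[AclRule]
    sad: Dict[Tuple[int, str, int], dict] = field(default_factory=dict)
    ike_triggered: List[Tuple[str, str]] = field(default_factory=list)

    def acl_action(self, pkt: Packet) -> str:
        for rule in self.acl:           # first matching rule wins, like ACL rule order
            if rule.matches(pkt):
                return rule.action
        return "bypass"                 # nothing matched: ordinary IP forwarding

    def install_sa(self, spi: int, dst: str, proto: int, direction: str, selector: AclRule):
        """An SA is identified by the (SPI, destination address, protocol) triplet."""
        self.sad[(spi, dst, proto)] = {"direction": direction, "selector": selector}

    def outbound(self, pkt: Packet) -> str:
        action = self.acl_action(pkt)
        if action != "protect":
            return action               # "bypass" or "discard"
        for sa in self.sad.values():
            if sa["direction"] == "out" and sa["selector"].matches(pkt):
                return "apply"
        # the flow needs protection but no SA exists yet: IKE negotiates one,
        # and this packet is not sent in the clear meanwhile
        self.ike_triggered.append((pkt.src, pkt.dst))
        return "discard-and-trigger-ike"

    def inbound(self, pkt: Packet) -> str:
        if pkt.spi is None:
            # cleartext packet: evaluate the ACL mirrored (src/dst, ports swapped)
            mirrored = Packet(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
            action = self.acl_action(mirrored)
            return "discard" if action in ("protect", "discard") else "bypass"
        sa = self.sad.get((pkt.spi, pkt.dst, pkt.proto))
        if sa is None or sa["direction"] != "in":
            return "discard"            # IPSec header but no established SA
        return "apply"                  # hand the packet to the IPSec layer


def build_sample_policy() -> IpsecPolicy:
    """Constructed sample: protect LAN A (10.1.1.0/24) to LAN B (10.1.2.0/24), bypass the rest."""
    return IpsecPolicy(acl=[AclRule("protect", "10.1.1.0/24", "10.1.2.0/24"),
                            AclRule("bypass")])
```

The first protected packet returns "discard-and-trigger-ike" and records the flow; once an outbound SA whose selector covers the flow is installed, the same packet returns "apply". This mirrors the troubleshooting note later in the chapter that Phase 2 failures are usually ACL mismatches: if the selectors on the two gateways do not mirror each other, one side keeps discarding cleartext that the other side expected to be bypassed.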
 If the pre-shared key authentication method is selected, set the pre-shared key for each peer end. The pre-shared keys on the two peer ends that establish a secure connection must be the same.

 In aggressive mode, the peer IP address and peer end name can be set. In main mode, only the peer IP address can be set. By default, main mode is used for IKE negotiation.
 When configuring an IPSec proposal, you can simply create an IPSec proposal and use the default values of the other parameters. By default, ESP is used as the security protocol; AH and ESP use SHA2 as the authentication algorithm; ESP uses AES as the encryption algorithm.
 The configuration of FW_B is similar to that of FW_A:

 Choose Network > IPSec > IPSec, click Add, and select Scenario as Site-to-site.

 Configure the basic IPSec policy information, specify the remote gateway, and set the pre-shared key to huawei.

 In this example, all proposal parameters are set to default values, as shown in the following figure. If you change the value of a parameter, you must ensure that the parameter settings are the same on both tunnel ends.
 In actual applications, hub-and-spoke (HUB-Spoke) networking is frequently used. Branch nodes establish IPSec tunnels to the HQ, and communication between branches is transmitted and controlled by the HQ node. This is a point-to-multipoint (P2MP) IPSec application.

 For USG_A, USG_B, and USG_C, the configuration roadmap is the same, as follows:

1. Complete basic interface configurations and route configurations, and enable the local policy and forwarding policy.

2. Configure IKE Phase 1 parameters, including the IKE version, negotiation mode, pre-shared key, and peer IP address. USG_A does not initiate a connection, and therefore you do not need to specify the IP address of the peer gateway on USG_A. On USG_B and USG_C, you need to specify the IP address of the peer gateway as 202.38.163.2/24.

3. On the basis of Phase 1, configure Phase 2.

4. Configure an IPSec security policy and add the data flows to be protected, namely, communication data between the HQ, branch 1, and branch 2.

5. Apply the IPSec security policy to interfaces.

 The P2MP application scenario is similar to the P2P application scenario. The configurations on the branches are almost the same, with the peer device being the HQ's USG.
 Choose Network > IPSec > IPSec, click Add, and select Scenario as Site-to-multisite.

 Basic Configuration

 IKE/IPSec Proposal

 The communication between PC1 and PC2 triggers IKE negotiation and IPSec VPN establishment. After the IPSec VPN is established, PC1 and PC2 can communicate.

1. IKE does not succeed in the first phase.

Run the display ike peer and display ike proposal commands to check whether the IKE peer and IKE proposal on the two ends are the same.

2. IKE does not succeed in the second phase.

Generally, the problem is caused by the ACL. Check whether the referenced ACL has been matched.

In the template mode of the server, the ACL of the client must specify the network segment of the source IP address.

Check whether a NAT device exists in the tunnel and whether NAT traversal has been configured.

3. An IPSec SA is not successfully created.

Check whether the IPSec proposal configurations are the same on both ends.

4. An IPSec SA has been established, but services are not successfully provided.

Possible causes are as follows: a NAT device exists between the IPSec gateways, firewall filtering software is installed on the host, or the gateways point to different router interfaces.
 IPSec VPN provides security services such as confidentiality, integrity, authenticity, and anti-replay.

 Confidentiality: The data is encrypted to ensure that unauthorized users cannot read the data in transit.

 Integrity: Received packets are verified for integrity to ensure that data is not tampered with in transit.

 Authenticity: Data sources are verified to ensure that the data is sent from authentic senders (the source addresses in the IP header).

 Anti-replay: The receiver rejects repeated packets to prevent malicious users from resending captured packets.

 IPSec uses ESP to ensure the confidentiality of IP packets in transit and uses AH/ESP to provide integrity, data source verification, and anti-replay.

 The two major security protocols used in IPSec are AH and ESP.

 AH provides data source verification, data integrity check, and anti-replay. However, AH does not encrypt data packets. The protocol number of AH is 51.

 ESP provides all the functions of AH (except that the integrity check does not cover the IP header) as well as packet encryption. The protocol number of ESP is 50.

 The IPSec encapsulation mode can be transport mode or tunnel mode.

 Transport mode:
Application scenario 1: communication between hosts and the security gateway;
Application scenario 2: communication between hosts.

 Tunnel mode:
Application scenario: communication between security gateways.

 IKE provides DH exchange and key distribution, perfect forward secrecy (PFS), identity verification, and identity protection mechanisms. The functions of these mechanisms are described as follows:

 DH exchange and key distribution: DH is a public key algorithm. Instead of directly transmitting the shared key, the two communication parties exchange some data and calculate the shared key. Even if third parties (such as hackers) intercept all the data exchanged between the two parties, they cannot calculate the key.

 PFS ensures that a compromised key has no impact on the security of other keys, because the keys are not derived from each other.

 Identity verification verifies the identity of both parties.

 Identity protection: After the key is generated, identity information is encrypted during transmission.

 A security association (SA) is the basis and essence of IPSec. An SA is the set of attributes agreed between two communication peers, such as the security protocol, mode (transport or tunnel mode), encryption algorithm (DES or 3DES), shared keys for protecting specified data flows, and the lifetime of the keys. An SA is uniquely identified by a triplet: the security parameter index (SPI), destination IP address, and security protocol number (AH or ESP).

 The two modes of Phase 1 IKE negotiation are main mode and aggressive mode. When the IP address of the initiator is dynamically obtained, the responder cannot know the IP address in advance. If the two communication peers need to use the shared key verification method, the responder is unable to select a shared key based on the IP address. In this case, only aggressive mode can be used. If the IP addresses of the initiator and responder are static, main mode is recommended.

 In aggressive mode, both the peer IP address and the peer name can be specified; in main mode, only the peer IP address can be specified.

 The establishment of an IPSec tunnel is triggered when traffic matches an ACL for IPSec traffic.

 In tunnel mode, a route pointing to the private network where the peer resides must be configured on either gateway, with the next hop being the public address of the peer's WAN interface.

 During the interzone packet filtering configuration for IPSec:

 The source security zone must be the zone where the inside interface (LAN interface) resides.

 The destination security zone must be the zone where the outside interface (WAN interface) resides.

 The source and destination networks must be the private networks connected to the tunnel interfaces.

 The IKE protocol and encapsulation protocol (such as AH or ESP) traffic must be permitted.
 The Secure Socket Layer (SSL) provides a secure connection for application layer protocols based on the Transmission Control Protocol (TCP). SSL works between layer 4 and layer 7 in the TCP/IP protocol stack. SSL provides secure connections for the Hypertext Transfer Protocol (HTTP). The SSL protocols are widely applied to e-commerce and Internet banking to ensure the security of data transmission.

 SSL provides a secure channel between two devices. It protects the data transmission and authenticates the communicating devices.

 SSL has three versions. SSL 2.0 and SSL 3.0 are widely used. Based on SSL 3.0, the IETF defined TLS 1.0 (also called SSL 3.1).

 With the continuous improvement of SSL, more browsers, including Microsoft Internet Explorer, support SSL. SSL has become one of the most popular security protocols.

 The SSL Virtual Private Network (VPN) is based on SSL/TLS. With SSL/TLS embedded in standard browsers, the functions of the SSL VPN are extended. In addition to Web access and TCP/UDP applications, the SSL VPN can protect IP communications. The SSL VPN is based on TCP/UDP, so it is not restricted by NAT. Users can access intranet resources across firewalls using the SSL VPN. In this way, remote secure access is flexible and simple, which helps enterprises reduce VPN deployment costs.

 The SSL VPN enables users to access intranets using standard browsers. In this manner, users can remotely access intranets through the Internet. The SSL VPN, offering security, convenience, and usability, improves the work efficiency of mobile users.

 To use the SSL VPN, both ends must support SSL. Generally, common applications, such as the Internet Explorer and Netscape browsers, Outlook, and the Eudora email client, support SSL.

 Like IPsec, SSL provides encryption and identity authentication mechanisms. SSL, however, encrypts only the application data transmitted between the two ends rather than all the data transmitted from one host to another.
 SSL supports the following security mechanisms:

1. Identity can be authenticated using a public-key encryption algorithm.

2. The connection is encrypted. After the key is negotiated using the handshake protocol, the data is encrypted using a symmetric key encryption method.

3. The connection is reliable. A secure hash algorithm is used: a keyed message authentication code verifies message integrity.

 Identity authentication

Before setting up an SSL connection, the client and the server perform authentication using digital certificates. The authentication can be unidirectional, from the client to the server, or bidirectional, between the client and the server.

 Confidentiality

An encryption algorithm is used to encrypt the transmitted data.

 Integrity

A data verification algorithm is used to check whether data has been modified during transmission.
 The IPsec VPN can transmit data between two networks in a secure and stable manner and ensures data integrity. It is applicable to data exchange between headquarters networks and branch networks, that is, the site-to-site application scenario.

 IPsec is a network-layer protocol. Therefore, it is difficult for IPsec to traverse NAT and firewalls, especially in personal networks and on well-protected public computers. Mobile users must install dedicated client software to use the IPsec VPN, and the administrators of IPsec VPNs are overburdened with provisioning, installing, configuring, and maintaining that client software. Therefore, the IPsec VPN is not well suited to remote mobile communications in the point-to-site scenario.

 The SSL VPN is an application-oriented VPN. It is largely independent of the underlying layers. Its easy-to-use and clientless applications fulfill remote access requirements. The SSL VPN enables mobile users to set up secure and controllable connections at any time and anywhere.
 Convenience of clientless applications:

 Allows rapid deployment without any change to the intranet structure.

 Reduces investment, technology, and management costs.

 Requires no NAT operations.

 Security of application layer access:

 Allows users to access enterprise application resources only through the SSL VPN, which greatly suppresses virus infection.

 Controls access based on specific application resources.

 Efficiency of enterprise extension:

 Allows flexible access from any device at any time and anywhere.

 Allows mobile and remote enterprises and workers to securely access intranets at any time and anywhere.

 Provides secure connections for branch enterprises, integrates the service flows of cooperating enterprises, and allows remote services.

t t
 The SSL protocol consists of the following two layers:
  SSL record protocol at the bottom layer: responsible for fragmenting and compressing upper-layer data blocks, calculating and adding the MAC, encrypting, and sending the records to the peer end.
  SSL handshake protocol, SSL change cipher spec protocol, and SSL alert protocol at the upper layer:
  SSL handshake protocol: Allows the client and server to establish a session and negotiate a set of parameters such as the session ID, the peer end's certificate, the cipher suite (key exchange algorithm, data encryption algorithm, and MAC algorithm), the compression algorithm, and the master secret. An SSL session can be shared by multiple connections to reduce session negotiation costs.
  SSL change cipher spec protocol: Allows the client and server to notify the receiver that the newly negotiated encryption algorithm and shared key will be used to protect subsequent packets.
  SSL alert protocol: Allows one end to report alert messages that carry the alert severity and description to the other end.
 Handshake protocol: It is used to configure the encryption parameters for the session between the client and the server. During the first communication between the client and the server, they negotiate a protocol version, encryption algorithm, and authentication mode. Public-key cryptography is used to generate the shared key.
 Record protocol: It is used to exchange the application data. Application messages are segmented into multiple manageable data blocks. Each block can be compressed, and a message authentication code (MAC) is generated for it. The block and its MAC are encrypted and transmitted to the peer end. The peer end receives and decrypts the data, checks the MAC, decompresses the block, and reassembles the blocks. The final data is delivered to the application protocol.
 Alert protocol: It is used to report an error (with its severity) and to signal the end of the session.
 The handshake process of the SSL is as follows:
  Phase 1: The security capabilities are established. The client sends a client_hello message carrying the version, a random number (32-bit timestamp and 28-byte random sequence), the session ID, the cipher suites supported by the client, and the list of compression methods supported by the client. The server sends a server_hello message carrying the version, a random number generated by the server, the session ID, the selected cipher suite, and the selected compression method.
  Phase 2: The server sends its X.509 certificate in the certificate message, followed by a server_key_exchange message when the key exchange method requires it. After sending the certificate_request and server_hello_done messages, the server waits for the client to respond.
  Phase 3: After receiving the server_hello_done message, the client checks the server certificate and checks whether the parameters in the server_hello message are acceptable. If the parameters are proper, the client sends one or more messages to the server. If the server requested a certificate, the client sends a certificate message; if the client does not have a certificate, it sends a no_certificate alert. Then the client sends the client_key_exchange message, whose content depends on the key exchange type. At last, the client sends a certificate_verify message, which carries a signature over the HMACs (keyed with master_secret) of all the handshake messages.
 The handshake process of the SSL is as follows:
  Phase 1: The security capabilities are established. The client sends a client_hello message, which carries the following parameters:
  Version: The version field is two bytes long and indicates the major and minor versions. The SSL version can be SSLv2, SSLv3, or TLSv1.
  Random number: The random number has the format 32-bit timestamp + 28-byte random sequence and is used to calculate the digest of all messages and the master secret.
  Session ID: Identifies a session and can be reused.
  Cipher suite list: Lists all the cipher suites (combinations of key exchange, encryption, and MAC algorithms) supported by the client.
  Compression method list: Lists the compression algorithms supported by the client. The value 0 indicates no compression.
 After receiving the client_hello message, the server sends a server_hello message, which carries the following parameters:
  Version: The server compares the version in the client_hello message with its own and chooses the higher version supported by both sides as the SSL version.
  Random number: Similar to that in the client_hello message.
  Session ID: A new one is generated if the server detects that the received session ID is null or is not recorded in the session list.
  Cipher suite: The server chooses one cipher suite from those offered by the client.
  Compression method: The server chooses one compression algorithm from the compression methods offered by the client.

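The client_hello and server_hello fields listed above, as an added Python example (not code from the course material): it encodes and parses a client_hello record in the SSL 3.0/TLS 1.0 layout, including the session ID used for session resumption, and then makes the server_hello choices the slides describe. The cipher suite numbers, timestamp and random bytes used when calling it are constructed sample values.

```python
import os
import struct
import time

HANDSHAKE = 22       # record-layer content type for handshake messages
CLIENT_HELLO = 1     # handshake message type
TLS1 = (3, 1)        # TLSv1.0 version number (SSLv3 is (3, 0))
NO_COMPRESSION = 0   # compression method 0 means "no compression"


def build_client_hello(version, cipher_suites, compression_methods,
                       session_id=b"", timestamp=None, rand28=None):
    """Encode a client_hello inside a record-layer header (SSL 3.0/TLS 1.0 layout).
    The random field is the 32-bit timestamp followed by 28 random bytes. An empty
    session_id asks for a new session; a non-empty one asks to resume a cached one."""
    if timestamp is None:
        timestamp = int(time.time())
    if rand28 is None:
        rand28 = os.urandom(28)
    if len(rand28) != 28:
        raise ValueError("random sequence must be exactly 28 bytes")
    if len(session_id) > 32:
        raise ValueError("session_id may not exceed 32 bytes")
    body = bytes(version)
    body += struct.pack("!I", timestamp) + rand28
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: content type (1 byte), protocol version (2), length (2).
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset, refusing short reads."""
    if pos + n > len(buf):
        raise ValueError("truncated client_hello")
    return buf[pos:pos + n], pos + n


def parse_client_hello(record):
    """Decode a client_hello record, checking every length field so a truncated or
    padded message is rejected instead of silently mis-parsed. TLS extensions
    (RFC 3546) are not modelled here: trailing bytes are treated as an error."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or rec_len < 4 or handshake[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a client_hello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake length does not match record length")
    ver, pos = _take(body, 0, 2)
    ts, pos = _take(body, pos, 4)
    rand28, pos = _take(body, pos, 28)
    sid_len, pos = _take(body, pos, 1)
    session_id, pos = _take(body, pos, sid_len[0])
    cs_len, pos = _take(body, pos, 2)
    cs_len = struct.unpack("!H", cs_len)[0]
    if cs_len % 2:
        raise ValueError("odd cipher suite list length")
    cs_bytes, pos = _take(body, pos, cs_len)
    cm_len, pos = _take(body, pos, 1)
    cm_bytes, pos = _take(body, pos, cm_len[0])
    if pos != len(body):
        raise ValueError("trailing bytes after compression methods")
    return {
        "version": (ver[0], ver[1]),
        "timestamp": struct.unpack("!I", ts)[0],
        "random": rand28,
        "session_id": session_id,
        "cipher_suites": [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)],
        "compression_methods": list(cm_bytes),
    }


def server_hello_choices(hello, server_version, server_suites, server_compression, session_cache):
    """Make the server_hello decisions: the highest version both sides support, the
    client's session ID if it is in the cache (resumption) or a fresh one otherwise,
    and the first cipher suite and compression method the server prefers that the
    client also offered. No common choice means a handshake_failure alert."""
    version = min(hello["version"], server_version)
    if hello["session_id"] and hello["session_id"] in session_cache:
        session_id, resumed = hello["session_id"], True
    else:
        session_id, resumed = os.urandom(32), False
    suite = next((s for s in server_suites if s in hello["cipher_suites"]), None)
    comp = next((c for c in server_compression if c in hello["compression_methods"]), None)
    if suite is None or comp is None:
        raise ValueError("no common cipher suite or compression method (handshake_failure)")
    return {"version": version, "session_id": session_id, "resumed": resumed,
            "cipher_suite": suite, "compression_method": comp}
```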
 Server certificate message (optional): Generally this message is required throughout the SSL handshake process except when a session is resumed. This message carries an X.509 certificate, which contains a public key for the client to verify signatures or to encrypt the message used for shared key exchange.
 Server Key Exchange (optional): The cipher suite information in the hello message determines the shared key exchange method, such as RSA or DH. The server key exchange message therefore carries a series of parameters that are used for shared key exchange.
 Certificate Request (optional): The server sends a certificate request message to require the client to reply with its certificate for authentication. This message contains the certificate types that the server supports (such as RSA, DSA, and ECDSA) and the list of Distinguished Names trusted by the server. The client uses this information to select a certificate.
 Server Hello Done: This message indicates that the server has sent all its messages and is waiting for the client to reply.
 Client certificate (optional): If the server requires the client to reply with its certificate, the client does so. As the certificate request message sent by the server contains the certificate types and CA list supported by the server, the client replies with the first certificate that meets these two requirements. If the client does not have a certificate, the client replies with a no certificate alert.
 Client Key Exchange: The client calculates a pre-master secret based on the random number received from the server and the negotiated shared key exchange algorithm, and sends the pre-master secret to the server. After receiving the pre-master secret, the server calculates the master secret. As the client can also calculate the master secret from the pre-master secret, the client and server derive the same symmetric shared key.
 Certificate verify (optional): The client sends this message only after sending its certificate to the server. This message contains a signature over all the HMAC values.
 A secure connection is established. The client sends a change_cipher_spec message and copies the negotiated cipher suite to the current connection state. Then the client sends a finished message using the new algorithm and key parameters. The finished message indicates whether the key exchange and authentication were successful; it includes a check value that is used to verify all the preceding messages. The server in turn sends a change_cipher_spec message and a finished message. After the handshake is complete, the client and server can exchange application layer data.

 The session recovery function significantly reduces the overhead of SSL VPN tunnel establishment.

The SSL VPN provides the following functions:

 Cutting-edge virtual gateway
 Web proxy
 File sharing
 Port agent
 Network expansion
 User security control
 Comprehensive log function

 Each virtual gateway can be managed independently. Each virtual gateway can be configured with its own resources, users, authentication modes, access control policies, and administrators.
 When an enterprise has multiple departments, different virtual gateways can be configured for different departments and user groups. In this manner, a completely isolated access system is constructed.
 The Web proxy supports clientless Web access, which best demonstrates the usability of the SSL VPN.
 The Web proxy is an important function that distinguishes the SSL VPN from other VPNs. It forwards Web requests (using HTTP) from the remote browser to the Web server and then sends the response from the Web server to the remote user. It can control permissions per URL, that is, control the access of a user to a specific Web page.
 The Web proxy supports two implementation modes: Web-link and Web rewriting.
  The Web-link function uses an ActiveX control to forward the Web pages.
  The Web rewrite function uses script rewriting to rewrite the links on the specified Web page without modifying other content.
 Advantages of the Web-link:
  Users can remotely access Web resources on the intranet using standard browsers without installing clients.
  Users can be assigned different access permissions for the same URL.
 Implementation process:
  The remote user originates an access request for a certain Web page on the intranet through the SVN gateway.
  The internal server sends the response to the SVN. The SVN obtains the specified Web page and sends it to the remote user.
  For the users, the SVN functions as a Web server. For the internal servers, the SVN functions as a client.
 The file sharing function enables servers with different systems (such as Windows systems using the SMB protocol and Linux systems using the NFS protocol) to share resources with users in Web page mode.
 File sharing functions as a file server agent so that users can access the file server on the intranet.

 The port forwarding function is mainly applicable to applications in C/S architecture that do not support Web access.
 Supports TCP applications on static ports:
  Single-port single-server: One server corresponds to one port. For example, Windows remote desktop, Telnet, Secure Shell (SSH), VNC, Enterprise Resource Planning (ERP), Structured Query Language (SQL) Server, iNotes, Outlook Web Access (OWA), and Business and Operation Support System (BOSS).
  Single-port multi-server: Multiple servers correspond to one port. For example, Notes.
  Multi-port single-server: One server corresponds to multiple ports. For example, Post Office Protocol 3 (POP3) email (SMTP: 25, POP3: 110).
 Supports TCP applications on dynamic ports:
  Dynamic ports: One server corresponds to multiple dynamic ports. For example, FTP passive mode and Oracle Manager.
 An ActiveX control needs to run on the client to implement port forwarding. The control serves as a port repeater that listens for connections on a port. The data packets received on the monitored port are transmitted to the USG through the SSL tunnel. The USG decapsulates the data packets and forwards them to the destination application server.
 Port forwarding of the USG provides abundant intranet TCP application services, which can be classified as follows according to the mapping between services and ports:
 TCP applications on static ports
  Single-port and single-service: One service corresponds to one port, such as Windows remote desktop, Telnet, Secure Shell (SSH), VNC, Enterprise Resource Planning (ERP), Structured Query Language (SQL) Server, iNotes, Outlook Web Access (OWA), and Business and Operation Support System (BOSS).
  Single-port and multi-service: Multiple services correspond to one port, such as Notes (multiple database servers correspond to one port).
  Multi-port and single-service: One service corresponds to multiple ports, such as POP3 (Post Office Protocol 3) email (SMTP (Simple Mail Transfer Protocol): 25, POP3: 110).
 TCP applications on dynamic ports
  Dynamic port services: One service corresponds to multiple dynamic ports, such as FTP passive mode and Oracle Manager.
 After the network extension function is enabled, the remote client can obtain an IP address of the intranet and access the intranet resources conveniently.
 Access mode (configured by the administrator based on the application scenario; the SVN series can be configured from both the Web UI and the CLI, while the USG series can be configured only from the CLI):
  Full Tunnel: The user can access only the enterprise intranet.
  Split Tunnel: The user can access the intranet and the local subnet.
  Manual Tunnel: The user can access the resources in the specified network segments of the enterprise network. This network access does not affect other operations: users can still access the Internet and the local subnet.
 Before using SSL network extension, install the virtual network interface card in either of the following ways:
  Install the network extension client for the USG firewall on the local terminal.
  Log in to the Web page of the virtual gateway to enable network extension.
 After the network extension function is enabled, the virtual network interface card automatically applies for a virtual IP address from the USG firewall. The USG (which supports only the IP address pool) and the SVN (which supports all three) offer the following IP address allocation modes:
  DHCP allocation mode: The SVN provides interfaces to enterprise DHCP servers. You can allocate IP addresses of the intranet to the remote users who log in to the SVN.
  IP address pool: You can specify a series of consecutive and unused IP addresses as the virtual addresses for SSL VPN users. You configure the IP addresses on the USG/SVN. The IP addresses are assigned randomly. You can bind an account to an IP address, so that whenever the user enables the network extension function, the user gets the same intranet IP address. If the bound IP address is included in the address pool, the IP address is locked and is not assigned to other users.
  External authentication and authorization server: After receiving a request for an IP address, the SVN applies to the external authentication and authorization server and allocates the returned IP address to the client.
 The tunneling mode determines the route by which the client's packets are sent. The network extension function supports three tunnel modes: Full Tunnel, Split Tunnel, and Manual Tunnel.
 Full Tunnel: The network resources normally accessible to the client are blocked. The client can only remotely access the intranet resources.
 Split Tunnel: Except for the resources in the network segment to which the client belongs, the client is prohibited from accessing public network resources. If public network resources were accessed, traffic to other network segments would be forwarded through the virtual network adapter with the virtual IP address as its source address, so the response data could not be routed back to the correct destination.
 Manual Tunnel: The client can remotely access the intranet while still accessing the network resources that were accessible before, unless those network resources conflict with the intranet resources.
 The VPNDB is the local VPN user database used for local authentication. The administrator of the virtual gateway maintains the VPNDB through user and group management. Grouping users facilitates user management: you can grant users permissions based on groups.
 The USG authenticates remote clients using the Remote Authentication Dial In User Service (RADIUS). The network access server (NAS) functions as the client that communicates with the RADIUS server. The standard RADIUS protocol can be used to complete authentication with devices such as iTELLIN/CAMS.
 The USG can also use the Lightweight Directory Access Protocol (LDAP) to authenticate remote clients.
 System log
System reboot record, network interface status record, temperature alarm record, import and export record, system administrator management record, and virtual gateway management record
 User log
User successful login record, user failed login record, offline-after-login record, password modification record, and service log
 Virtual gateway administrator log
Administrator online and offline record, administrator login failure record, virtual gateway configuration saving record, user management record, and security management record
 Log export
Real-time log export, text-format log export, and CLI log export
 Log query
Hierarchical Web page log query and CLI log query

 USG/SVN provides the following functions:
1. Web proxy
2. File sharing
3. Port forwarding
4. Network extension
5. IPsec tunneling
6. Various authentication modes
7. Virtual gateway
8. Fine-grained access control
9. Various routing features (RIP/OSPF)
10. VLAN networking
11. Dual-host backup
12. Dual power supply
13. Comprehensive log and auditing function

 The link between the remote user and the server is divided into two segments. The TCP/IP-based data transmission on the link between the USG and the server is over the intranet and is secure. The data transmission on the link between the remote user and the USG is exposed to various security risks. Therefore, the data must be encrypted in SSL mode to avoid interception and malicious modification. In this manner, data security and integrity are ensured.
 In this deployment scheme, the Huawei Secoway SSL VPN is deployed behind the enterprise firewall to implement identity authentication and secure communications. The Secoway SSL VPN supports various authentication modes and URL-based access control to help users conveniently access the intranet and use intranet resources. The browser at the user end communicates with the Secoway SSL VPN over the SSL channel to secure remote access.

 In this networking mode, the SVN is directly connected to the firewall at the edge of the enterprise network. The SVN can also be connected to a router or switch. Only one interface of the SVN is used to transmit packets between the external network and the intranet.
 During network planning, set the IP address of the SVN to an IP address of the intranet. This IP address must be reachable over all the server routes. Configure the NAT server on the firewall: map the SVN address to a certain public IP address of the network that connects to the firewall. You can also map the SVN address to a certain port such as 443. If external network users require management access to the SVN, you must also map the related ports such as SSH and Telnet.
 In this networking mode, the SVN3000 communicates with the intranet and the external network through different network interfaces. This networking clearly separates the intranet and the external network and does not require extra configuration. The external network interface uses the virtual gateway IP address. The intranet interface uses the management IP address of the intranet.
 NAT translation of the virtual gateway IP address is optional. If external network users can reach the virtual gateway IP address, it does not need to be translated. The interfaces for the internal and external networks are not fixed: any physical interface can be used to connect the external network and the intranet.
 In this figure, the router and the switch are connected because certain applications on the intranet do not require SSL encryption. Users can directly access the external network through the firewall. In this case, policy routing must be configured on the switch and the router. Based on the policy routing, traffic for establishing the SSL VPN is forwarded to the SVN3000 and the traffic of common applications is forwarded to the external network through the firewall.
 By dividing the SSL VPN into multiple virtual devices, you can set administrators and access policies for these virtual devices independently. In this manner, carrier investment is reduced and device usage is maximized.
 By default, HTTP and HTTPS are enabled on the USG. HTTPS is recommended to improve security. Users can use the default user name and password (admin/Admin@123) to log in. For security reasons, change the password after login.
 A license is needed to enable the SSL VPN function on the USG. You can check the license state under System > License Management Center.
 The virtual gateways have the following types based on IP address and domain name usage (the SVN series can be configured from both the Web UI and the CLI, while the USG series can be configured only from the CLI):
  Exclusive type: The virtual gateway exclusively uses an IP address and a domain name. Users can access a virtual gateway of the exclusive type using the corresponding domain name or IP address.
  Shared type: Multiple virtual gateways share the same IP address and parent domain name. The virtual gateways are differentiated by sub-domain names. Users can access a virtual gateway of the shared type using only the domain name.
 Maximum number of concurrent users: the maximum number of users who access the virtual gateway simultaneously.
 Maximum number of users: VPNDB

 If the USG is configured with a DNS server, you can configure a network address (not necessarily an IP address) in the URL.
 Before configuring the basic functions of the Web proxy, collect the following information:
1. Web resource name
2. Web resource URL address
3. Web resource description

 Log in to the USG through the SSL VPN tunnel on the remote client. The interface shown in the figure is displayed. Before clicking a link, ensure that the Web server is accessible and configured. Through the SSL VPN tunnel established using the SVN3000, remote clients can access the intranet Web resources as if on the local network.
 If the USG is configured with a DNS server, you can enter a network address in the URL; it does not have to be an IP address.
 The file system type is classified into SMB (for Windows) and NFS (for Linux).
 Before configuring the basic functions of file sharing, prepare the following information:
1. File sharing resource name
2. File sharing resource path
3. File sharing resource type
4. File sharing resource description (optional)

 Log in to the SSL VPN main page through the SSL VPN tunnel on the remote client. The page shown in the figure is displayed. Before you click a link, ensure that the file server is accessible and configured.
 You can enter the same user name and password that you use on a shared host in the LAN. If you do not want to enter a user name and password, you can set the corresponding permissions on the file sharing server.
 Before configuring the basic functions of port forwarding, collect the following information:
1. Port forwarding resource name
2. Host name and IP address of the port forwarding resource
3. Port used for providing the forwarding resource
4. Port forwarding resource description (optional)
 The host address type can be one of the following:
  Host name: You can fill in the host name, which must be configured on the DNS.
  Host IP address: You can fill in the IP address of the host.
  Any IP address: You fill in only the port number.
 The port forwarding function provides user access control at the application layer. It controls whether to provide various application services (TCP-based services such as Telnet, remote desktop, FTP, and email) to users.
 Log in to the USG through the SSL VPN tunnel on the remote client. The interface shown in the figure is displayed.

 After you run the Telnet command, enter the IP address of the device that you want to access on the intranet, rather than the IP address of the firewall or SVN.

 IP address pool: You can specify a series of consecutive and unused IP addresses as the virtual addresses for USG/SVN users. You configure the IP addresses on the USG/SVN.
 The IP addresses are assigned randomly. You can bind an account to an IP address, so that whenever the user enables the network extension function, the user gets the same intranet IP address. If the bound IP address is included in the address pool, the IP address is locked and cannot be assigned to other users.

 Check the PC IP address. There are two Ethernet adapters: one has the local address, the other has the virtual address assigned by the USG/SVN.

 When checking the IP address of the remote client, you can see two network adapters, that is, a real network adapter and a virtual network adapter.

 You can create a single user in the VPNDB or create a group of users in a batch by importing a user information file. The user information file is in .txt format. Each line contains the information of one user. The user information format is "user name+password" or "user name+password+UID+GID". Lines are terminated with a CR-LF combination.
 You can configure the account for establishing the SSL VPN tunnel between the client and the USG and add the account to a user group.
 If you configure a virtual IP address for the client, the virtual IP address is bound to the user name.

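The batch-import file format described above, as an added Python example (not Huawei's own import code): it validates each CR-LF terminated "user name+password" or "user name+password+UID+GID" line before the file is imported and reports malformed, duplicate and wrongly terminated lines. The sample accounts in the embedded file are constructed.

```python
# Constructed sample import file (illustrative accounts, not taken from the course
# material). Each line is "user+password" or "user+password+UID+GID" and ends in CR-LF.
SAMPLE_FILE = (
    b"alice+Winter2024!\r\n"
    b"bob+Summer#99+1001+200\r\n"
    b"\r\n"                            # blank line: skipped
    b"carol+Spring$7+abc+200\r\n"      # UID is not an integer: rejected
    b"dave+OnlyThreeFields+1003\r\n"   # three fields: rejected
    b"alice+Again!1\r\n"               # duplicate user name: rejected
)


def parse_vpndb_import(data):
    """Validate a VPNDB batch-import file before it is loaded.

    Returns (accepted, rejected): accepted is a list of dicts with "user",
    "password" and, when present, integer "uid"/"gid"; rejected is a list of
    (line_number, reason). Because '+' is the field separator, a password
    containing '+' cannot be expressed in this format and shows up as a
    field-count error.
    """
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(data.splitlines(keepends=True), 1):
        if not raw.endswith(b"\r\n"):
            rejected.append((lineno, "line not terminated with CR-LF"))
            continue
        line = raw[:-2].decode("utf-8", errors="replace")
        if not line:
            continue
        fields = line.split("+")
        if len(fields) not in (2, 4):
            rejected.append((lineno, f"expected 2 or 4 '+'-separated fields, got {len(fields)}"))
            continue
        user, password = fields[0], fields[1]
        if not user or not password:
            rejected.append((lineno, "empty user name or password"))
            continue
        if user in seen:
            rejected.append((lineno, f"duplicate user name {user!r}"))
            continue
        entry = {"user": user, "password": password}
        if len(fields) == 4:
            try:
                entry["uid"], entry["gid"] = int(fields[2]), int(fields[3])
            except ValueError:
                rejected.append((lineno, "UID and GID must be integers"))
                continue
        seen.add(user)
        accepted.append(entry)
    return accepted, rejected


def format_vpndb_import(entries):
    """Serialise accepted entries back into the CR-LF terminated import format."""
    lines = []
    for e in entries:
        fields = [e["user"], e["password"]]
        if "uid" in e:
            fields += [str(e["uid"]), str(e["gid"])]
        lines.append("+".join(fields) + "\r\n")
    return "".join(lines).encode("utf-8")
```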
SSL VPN is used to provide secure and efficient access to enterprise intranets from remote

:h
users.


e s
SSL VPN provides security services such as web proxy, file sharing, port forwarding, and

r c
network extension, as well as user authentication and authorization.

 Each virtual gateway can be managed independently. Resources, users, authentication methods, access control rules, and administrators can be configured separately for each virtual gateway. An enterprise can create a virtual gateway for each department or user group to manage their communication separately.

 The differences between exclusive and shared virtual gateways are as follows:
     Exclusive: Each exclusive virtual gateway exclusively uses an IP address and a domain name. Users can access an exclusive virtual gateway through its domain name or IP address. The desktop cloud and load balancing gateways support only exclusive virtual gateways.
     Shared: Multiple virtual gateways share the same IP address and the same parent domain name, and are distinguished by sub-domain names. Users can access shared virtual gateways only through domain names. Shared virtual gateways can be configured when the number of public IP addresses is limited.

 The application scenarios for web proxy, file sharing, port forwarding, and network extension are as follows:
     Web proxy enables clientless web access.
     File sharing enables users to access shared resources on different server systems (such as Windows systems that support SMB and Linux systems that support NFS) through web pages.
     Port forwarding is used for technologies (such as C/S mode) that do not support web access. It supports TCP applications that use static ports and TCP applications that use dynamic ports.
     Network extension enables users to access all complex applications on the entire intranet.

 Network extension supports three access modes:
     Split tunnel mode: Users can access the remote intranet (through a virtual network adapter) and the LAN (through a physical network adapter), but not the Internet.
     Full tunnel mode: Users can access only the remote intranet (through a virtual network adapter), but not the Internet or the LAN.
     Manual mode: Users can access the specified subnets of the remote intranet (through a virtual network adapter) and the Internet and LAN (through a physical network adapter). If the LAN and the remote intranet connected by the tunnel overlap, traffic is routed to the remote intranet instead of the LAN.
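The three access modes above differ only in which destinations are sent to the virtual adapter (the tunnel) and which to the physical adapter. The following added example, not part of the course material, models that decision including the overlap rule from the manual-mode description; the class name, the ROUTE_* labels, the build_policy helper and the sample 10.0.0.0/8 and 192.168.1.0/24 topology are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Where a packet leaves the client; labels are constructed for this example.
ROUTE_TUNNEL = "virtual adapter: tunnel to remote intranet"
ROUTE_LAN = "physical adapter: local LAN"
ROUTE_INTERNET = "physical adapter: Internet"
ROUTE_DENIED = "not reachable in this access mode"

MODES = ("split", "full", "manual")


@dataclass
class NetworkExtensionPolicy:
    mode: str
    remote_intranet: List[ipaddress.IPv4Network]      # intranet routes pushed by the gateway
    local_lan: List[ipaddress.IPv4Network]            # networks reachable on the physical adapter
    manual_subnets: List[ipaddress.IPv4Network] = field(default_factory=list)  # manual mode only

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown access mode: {self.mode!r}")
        if self.mode == "manual" and not self.manual_subnets:
            raise ValueError("manual mode requires the specified remote subnets")

    @staticmethod
    def _contains(nets, dst) -> bool:
        return any(dst in net for net in nets)

    def route(self, destination: str) -> str:
        dst = ipaddress.ip_address(destination)
        # Manual mode tunnels only the administrator-specified subnets; the other two
        # modes tunnel the whole remote intranet.
        tunnel_nets = self.manual_subnets if self.mode == "manual" else self.remote_intranet
        # The tunnel is checked first: when the LAN and the remote intranet overlap,
        # traffic goes to the remote intranet rather than the LAN.
        if self._contains(tunnel_nets, dst):
            return ROUTE_TUNNEL
        if self._contains(self.local_lan, dst):
            return ROUTE_DENIED if self.mode == "full" else ROUTE_LAN
        # Everything else is the Internet, reachable only in manual mode.
        return ROUTE_INTERNET if self.mode == "manual" else ROUTE_DENIED


# Constructed sample topology: the LAN's 10.1.0.0/16 overlaps the remote intranet.
REMOTE_INTRANET = [ipaddress.ip_network("10.0.0.0/8")]
LOCAL_LAN = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.1.0.0/16")]


def build_policy(mode: str, manual_cidrs=()) -> NetworkExtensionPolicy:
    """Build a policy for the sample topology from string CIDRs (helper for this example)."""
    return NetworkExtensionPolicy(
        mode, REMOTE_INTRANET, LOCAL_LAN, [ipaddress.ip_network(c) for c in manual_cidrs]
    )


def route_table(policy: NetworkExtensionPolicy, destinations) -> dict:
    """Route several destinations at once, e.g. to compare modes side by side."""
    return {d: policy.route(d) for d in destinations}


if __name__ == "__main__":
    probes = ["10.1.2.3", "10.5.5.5", "192.168.1.10", "203.0.113.5"]
    for mode, cidrs in (("split", ()), ("full", ()), ("manual", ["10.1.0.0/16"])):
        print(mode, route_table(build_policy(mode, cidrs), probes))
```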
 Malware (viruses, worms, Botnets, Rootkits, Trojan horses, backdoors, and vicious programs that attack vulnerabilities) accounts for a large percentage of all the security threats that have occurred, and grayware (spyware/adware) is becoming more influential.
 Security threats relevant to crimes have become important factors that threaten network security.
 Today users are no longer threatened by traditional viruses but by network threats that integrate viruses, hacker attacks, Trojan horses, Botnets, and spyware. These network threats are difficult to resist using previous antivirus or anti-hacker technologies.
 Server vulnerabilities bring serious security threats.
     Vulnerabilities may exist in various applications on the intranet.
     The Internet spreads the vulnerabilities of applications rapidly.
     Worms make use of software vulnerabilities to spread widely, consuming network bandwidth and destroying key data.
     Hackers and employees exploit the vulnerabilities to attack or intrude into the server to tamper with, destroy, and steal confidential information.
 Threat of DDoS attacks:
    1. DDoS attacks have come into being as a global black industrial chain aiming at economic benefits. There are a lot of Botnets on the network.
    2. Racketeering, blackmail, and vicious competition might lead to DDoS attacks.
    3. During DDoS attacks, a lot of network bandwidth is used, causing network breakdown. When the resources of the attacked servers are used up and they cannot respond to user requests, the system might even break down. As a result, an enterprise cannot run normally.
 Viruses, Trojan horses, and spyware intrude into the intranet mainly through Web browsing and mail transmission.
 Viruses can crash the computer system, and tamper with and destroy service data.
 Trojan horses enable hackers to steal key information on the computer and crash computers on the intranet. Spyware collects, uses, and transmits sensitive information of enterprise employees, disturbing normal services.
 It is difficult for desktop antivirus software to prevent viruses from spreading globally.
 The overuse of P2P and IM applications seriously consumes the enterprise bandwidth and reduces operation efficiency.
 Unrestricted website access may bring the following threats:
     Malicious code may be embedded through insecure links or malicious downloads, making the intranet part of a Botnet or resulting in virus infection.
     Employees may be deceived by phishing websites into disclosing confidential information, such as personal bank accounts and passwords.
     Employees may be distracted by entertaining contents.
     Websites may contain illegitimate contents, such as pornography and violence, bringing legal risks to the enterprise.
 As attacks extend from the network layer to the application and service layers, the network-centered TM technology and the terminal-centered SCM technology should be integrated to defend against such attacks.
 Optimized management over resources and contents is the main concern: SA-centered services will become the focus.
 As customers' requirements shift from devices to services, the application of SCTM/SA products requires continuous upgrade and response, which changes the business model.
 Changing from network security to secure networks: the development of chip and software technology makes it possible to integrate network devices and security products.
 Requirements of WAN security, centralized management of multiple gateways, and TCO will propel the integration of routers and security products. Building secure networks has become a basic requirement.
 The UTM integrates the intrusion protection system (IPS), AV gateway antivirus, Internet behavior management, and DDoS attack defense to defend against threats from the intranet and the Internet.
 Typical intrusions:
     Tampering with web pages
     Cracking system passwords
     Copying and viewing sensitive data
     Obtaining user passwords using network sniffing tools
     Unauthorized server access
     Obtaining original packets by special hardware
     Implanting Trojan horses on hosts
 What is phishing?
     The word "phishing" combines "fishing" and "phone", because telephones were used in early phishing cases; "ph" replaces "f" to form the word "phishing".
     Phishing uses deceptive emails and forged websites to initiate fraudulent activities. The cheater pretends to be an eminent website, bank, or online retailer to attract victims, and the victims may disclose their sensitive information, such as bank accounts and passwords, on the forged websites.
 Intrusion detection covers various authorized and unauthorized intrusion behaviors, such as activities that violate security policies, identity spoofing, resource disclosure, malicious behavior, illegitimate access, and authority abuse.
 The IDS dynamically collects a large amount of key information from networks or computers, analyzes and identifies the status of the entire system promptly, and enables the corresponding security mechanism immediately after it identifies activities that violate security policies or attacks on the system. For example, the IDS can report intrusion behaviors to the network administrator through the console or email, stop intrusion behaviors in time, close the entire system, and terminate network connections.
 In the security system, the IDS serves the same role as a camera in a security surveillance system. It monitors and analyzes the traffic across key nodes in the information system, and finds out the ongoing security events. By using the IDS, the system administrator can obtain and analyze the traffic of key nodes to discover anomalies and suspicious network behaviors and report them.
 Firewall and IDS:
     The firewall is a device usually deployed in serial mode that performs fast forwarding, but it cannot perform in-depth inspection.
     The firewall can neither correctly analyze malicious code in application data flows nor detect the malicious operations and misoperations of intranet users.
     The firewall performs coarse-grained access control, whereas the IDS provides fine-grained detection. Through the IDS, the administrator monitors the live network even more accurately.
     The IDS can interwork with firewalls and switches. It becomes the helpful assistant of the firewall to control interzone access.
     The IDS can be manually or automatically updated, and its policies can be easily configured.
 The IPS can promptly block attack traffic upon detection. The IPS is an intelligent intrusion detection and prevention product. It not only detects intrusions, but also prevents and terminates intrusion behaviors in certain response modes to protect the information system in real time against substantial attacks.
 Switched Port Analyzer (SPAN), also called port mirroring or port monitoring, copies traffic from a source port or a group of source ports to other ports through switch configurations.
 Test Access Point (TAP) allows original traffic through and splits traffic to the detection device for analysis. TAP is generally translated as splitter. The optical splitter is used for data transmission through optical fibers, and the divider is used for data transmission through network cables. Currently, the TAP has developed many meanings, including TAPs converging the traffic of multiple links, TAPs splitting the traffic of one link to multiple links, filtering TAPs, and TAP switches. The TAP brings about great changes in the entire monitoring and detection field. It fundamentally transforms the access mode of the detection analysis system, enabling a complete and flexible solution for the entire detection analysis system.
 The IPS has the following technology characteristics:
     Inline mode: In inline mode, the IPS blocks discovered network attack traffic in real time to remedy the shortcoming of the IDS in terms of real-time blocking and improve system security to the greatest extent.
     Self-learning and adaptive: The IPS minimizes the false negatives and false positives of the system through self-learning and adaptation to reduce the impact on services.
     User-defined rules: Intrusion prevention rules can be customized for the IPS to respond to the latest threats to the greatest extent.
     Service Awareness (SA): The USG uses the Service Awareness (SA) technology to perform in-depth inspection on packets, identify application-layer protocols, and control the traffic of specific types. The USG analyzes packets, compares them with the signatures in the knowledge base, identifies online gaming, stock trading, P2P, IM, and VoIP traffic, and takes actions to control the traffic according to the application type and the associated policies.
     Real-time blocking: Deployed in inline mode, the IPS blocks attack traffic in real time to protect the object to the greatest extent.
 A computer virus features destruction, replication, and infection. Trojan horses, spyware, worms, logic bombs, vulnerability attacks, spam senders, downloaders, dialers, flood attackers, and keystroke recorders are malicious codes.
 Strictly speaking, a computer virus is one type of malicious code, but the term is used primarily to refer to malicious code in general in the academic field.
 Computer viruses are classified as follows:
     Worms and Trojan horses (by function)
     Mobile media, network sharing, network scanning, email, and P2P network (by propagation mechanism)
     Operating system, application, and device (by object)
     Executable file, script, macro, and boot sector (by carrier object)
 Proxy-based AV gateway: More advanced operations, such as decompression and unpacking, can be performed, and the virus detection ratio is high. However, since all files are cached, performance degrades greatly and system consumption is high.
 Flow scanning-based AV gateway: It features high performance and low system consumption. However, the virus detection ratio is low, and it cannot detect files that have been packed or compressed.

L e
e
or
M
n
/e
o m
e i.c
aw
u
g .h
ni n
ar
// le
p :
t t
:h
 Identifying file types makes AV technologies more accurate and reliable. For example, viruses probably exist in PE files (PE files are executable files in the Windows operating system, and EXE files are PE files).
 Malicious code is usually packed to hide itself. Packing changes the feature code of the malicious code. To detect the features of the malicious code, the virus detection engine must unpack it.
 File compression occurs everywhere on the network. The response to an ordinary HTTP webpage request can be a compressed file. Neither the intrusion detection system nor the virus detection system can inspect a compressed file directly.
 Static identification provides accurate results with fewer false positives, and rapid, static analysis. Because the data is extracted from known viruses, it lags behind new viruses and has a limited response to "feature" variation.
 Virtual execution provides a manageable and executable environment with a simulated x86 instruction set in which the programs to be inspected can execute some commands.
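The two preparation steps described above, identifying the real file type by content and unwrapping compression before the signature comparison, are shown in this added example (not Huawei's engine code). The PE layout facts (an MZ header whose e_lfanew field at offset 0x3C points at "PE\0\0") and the gzip magic bytes are the standard formats; the SIGNATURE marker, the size and depth limits, and all sample files are constructed for the example. The toy XOR "packing" only illustrates why a packer the engine cannot undo hides the feature code.

```python
import gzip
import struct
import zlib

# Constructed stand-in for one feature code in the virus database.
SIGNATURE = b"CONSTRUCTED-MALICIOUS-MARKER"
MAX_LAYERS = 3           # nested compression layers we are willing to unwrap
MAX_PAYLOAD = 1 << 20    # decompressed-size bound: protects the scanner from compression bombs


def identify_file_type(data: bytes) -> str:
    """Classify by magic bytes rather than by file name or Content-Type."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # In a PE file the DOS header field e_lfanew (offset 0x3C) points at "PE\0\0".
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"
    return "unknown"


def unwrap(data: bytes):
    """Strip gzip layers so the scanner sees the real payload, within depth and size limits."""
    layers = 0
    while identify_file_type(data) == "gzip":
        if layers == MAX_LAYERS:
            raise ValueError(f"compression nested deeper than {MAX_LAYERS} layers")
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+: expect a gzip header
        try:
            out = d.decompress(data, MAX_PAYLOAD + 1)  # stop early instead of inflating everything
        except zlib.error as exc:
            raise ValueError(f"corrupt gzip stream: {exc}") from exc
        if len(out) > MAX_PAYLOAD:
            raise ValueError(f"decompressed payload exceeds {MAX_PAYLOAD} bytes")
        if not d.eof:
            raise ValueError("truncated gzip stream")
        data, layers = out, layers + 1
    return data, layers


def scan(data: bytes) -> dict:
    """Identify, unwrap, then compare the payload against the signature."""
    outer = identify_file_type(data)
    try:
        payload, layers = unwrap(data)
    except ValueError as exc:
        # Cannot be inspected within limits: report that rather than silently passing it.
        return {"outer_type": outer, "inner_type": None, "layers": None,
                "verdict": "unscannable", "reason": str(exc)}
    return {"outer_type": outer, "inner_type": identify_file_type(payload), "layers": layers,
            "verdict": "infected" if SIGNATURE in payload else "clean", "reason": None}


def build_pe_stub(payload: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable MZ/PE header for exercising the identifier."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + b"PE\x00\x00" + payload


def sample_files() -> dict:
    """Constructed inputs of the kinds the text mentions."""
    pe = build_pe_stub(b"\x00" * 64 + SIGNATURE)
    return {
        "clean_html": b"<html><body>hello</body></html>",
        "gzip_html_infected": gzip.compress(b"<html>" + SIGNATURE + b"</html>"),
        "double_gzip_pe": gzip.compress(gzip.compress(pe)),
        # Toy "packing": a packer the engine cannot undo hides both the PE header and the marker.
        "packed_pe_unknown_packer": bytes(b ^ 0x5A for b in pe),
        "compression_bomb": gzip.compress(b"\x00" * (4 * MAX_PAYLOAD)),
    }


if __name__ == "__main__":
    for name, blob in sample_files().items():
        print(f"{name:26s} {scan(blob)}")
```

The packed sample comes back "clean": that false negative is exactly the gap the text says unpacking (or virtual execution) has to close.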
 A license is required for the UTM. Before configuring the UTM, you must apply for a license and activate it.
 Before using anti-virus (AV), IPS, URL classification, and application control, specify the virus database, IPS signature database, URL hotspot, and knowledge base to be used. A license must be activated before you install and update the virus database, IPS signature database, and URL hotspot.
 Obtain the LAC.
     The LAC is obtained from the license authentication certificate. It is a string of 21 characters, containing digits, letters, and hyphens (-).
 Obtain the equipment serial number (ESN).
     The ESN is obtained by performing the required operations on the device.
 Obtain the license file.
     It is recommended that the license file be obtained from the license self-service.
     The license file can also be obtained from an email.
 Before activating a license, make sure that the license (which must be a .dat file) is saved in the root directory of the storage device on the USG. Only one activated license exists in the system. Activating a new license makes the old one cease to be effective.
 The license is activated only when the ESN and software version of the device match those in the license file.
 Online update indicates that the USG connects to the security service center or an internal update server to download the latest version.
 The USG performs the following operations for online update through the security service center:
    1. Sends a version update request to the security service center and passes the update permission verification.
    2. Downloads the latest IPS signature database and virus database.
 The USG performs the following operations for update through the internal update server:
    1. Periodically sends requests for downloading the IPS version and AV version.
    2. Downloads the IPS version and AV version.
    3. Sends a version update request to the internal update server and passes the update permission and validity period verification.
    4. Downloads the latest version from the internal update server.
 Online update includes scheduled online update and manual online update.
     Scheduled online update: The USG periodically connects to the security service center or internal update server to check whether the latest version of the IPS signature database is available. If it is available, the USG downloads the new version and upgrades the local IPS signature database at the scheduled time.
     Manual online update: When new attacks emerge on the network but the scheduled upgrade time has not arrived, or scheduled upgrade is not enabled on the USG, you need to trigger the upgrade manually.
 When the USG is physically separated from the Internet and no internal update server is deployed on the intranet, local update should be employed. Before the update, you need to obtain the activated serial code and the update file from the security service center and upload the update file to the USG.
If the policy template meets the requirements of the application scenario, or is similar to the application scenario, you can directly reference the policy template, or modify the signature set after referencing the policy template. In this manner, the attack detection rate and performance are optimized to the greatest extent and configurations are simplified.
 The system provides the following profiles:
     Default: The security profile applies to scenarios in which the device is deployed in-line as an IPS.
     Ids: The security profile applies to scenarios in which the device is deployed off-line as an IDS.
     outside_firewall: The security profile applies to scenarios in which the device is deployed in front of a firewall.
     Dmz: The security profile applies to scenarios in which the device is deployed in front of a DMZ.
     inside_firewall: The security profile applies to scenarios in which the device is deployed behind a firewall.
     web_server: The security profile applies to scenarios in which the device is deployed in front of a web server.
     mail_server: The security profile applies to scenarios in which the device is deployed in front of a mail server.
     dns_server: The security profile applies to scenarios in which the device is deployed in front of a DNS server.
     file_server: The security profile applies to scenarios in which the device is deployed in front of a file server.
 The administrator can configure a signature filter to select the signatures matching the specified conditions. A signature is added to a signature filter only when it meets all of the filtering conditions.
 Signature filters are displayed in top-down order on the Web UI. The signature filter configured first matches packets preferentially.
 The administrator can add a signature as an exception and configure a different action for the exception signature.
 An exception signature has a higher priority than a signature filter. If different actions are configured for an exception signature and a signature filter, the action for the exception signature applies.
 When configuring the target, Server and Client indicate the following:
     Server: detects intrusions (especially vulnerability exploits) against a server. For example, the local end (server) is attacked when accessed by the peer end.
     Client: detects intrusions (especially vulnerability exploits) against a client. For example, a PC (client) accesses a server with embedded malicious code and is attacked.
 The actions for a signature filter are as follows:
     Default: The device processes packets matching signatures of the signature filter based on the default actions for the signatures.
     Alert: The device generates alarms on and logs all packets matching any signature of the signature filter. The action for the signature is ignored.
     Block: The device blocks and logs all packets matching any signature of the signature filter. The action for the signature is ignored.
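The filter, target and action rules in the three passages above combine into one resolution order: exception signature first, then the first filter (top-down) whose conditions all match, with a filter action of Default deferring to the signature's own action. This added example (not the USG implementation) encodes that order; the class names, the "allow" exception action, the NO_FILTER outcome for a signature no filter selects, and the sample profile and signature IDs are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumption of this example: a signature that no filter selects is not enforced by the profile.
NO_FILTER = "no matching filter"


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    target: str          # "server" or "client": the Target attribute described above
    severity: str        # e.g. "high", "medium", "low"
    protocol: str        # e.g. "HTTP", "DNS", "SMTP"
    default_action: str  # the action shipped with the signature ("alert" or "block")


@dataclass
class SignatureFilter:
    name: str
    conditions: Dict[str, Set[str]]   # attribute -> allowed values; ALL conditions must hold
    action: str = "default"           # "default", "alert" or "block"

    def selects(self, sig: Signature) -> bool:
        return all(getattr(sig, attr) in allowed for attr, allowed in self.conditions.items())


@dataclass
class IpsProfile:
    filters: List[SignatureFilter]                       # top-down order as shown on the Web UI
    exceptions: Dict[int, str] = field(default_factory=dict)  # exception signature id -> action

    def resolve(self, sig: Signature) -> Tuple[str, str]:
        """Return (effective action, where it came from) for one signature."""
        # 1. An exception signature beats every filter.
        if sig.sig_id in self.exceptions:
            return self.exceptions[sig.sig_id], "exception"
        # 2. The first filter whose conditions all match decides.
        for flt in self.filters:
            if flt.selects(sig):
                # Default hands the decision back to the signature; Alert/Block override it.
                action = sig.default_action if flt.action == "default" else flt.action
                return action, flt.name
        return "none", NO_FILTER


def build_sample_profile() -> IpsProfile:
    """Constructed profile for a device in front of a web/DNS server."""
    return IpsProfile(
        filters=[
            SignatureFilter("server-high", {"target": {"server"}, "severity": {"high"}}, "default"),
            SignatureFilter("server-web-dns", {"target": {"server"}, "protocol": {"HTTP", "DNS"}}, "block"),
            SignatureFilter("client-monitor", {"target": {"client"}}, "alert"),
        ],
        exceptions={1005: "allow"},   # constructed: a false positive the administrator excluded
    )


# Constructed signatures; the IDs are not real signature IDs.
SAMPLE_SIGNATURES = [
    Signature(1001, "constructed web server exploit", "server", "high", "HTTP", "block"),
    Signature(1002, "constructed web server info leak", "server", "medium", "HTTP", "alert"),
    Signature(1003, "constructed browser exploit", "client", "high", "HTTP", "block"),
    Signature(1004, "constructed mail server probe", "server", "low", "SMTP", "alert"),
    Signature(1005, "constructed DNS anomaly", "server", "high", "DNS", "alert"),
]


def effective_actions(profile: IpsProfile, sigs: List[Signature]) -> Dict[int, Tuple[str, str]]:
    return {s.sig_id: profile.resolve(s) for s in sigs}


if __name__ == "__main__":
    for sig_id, (action, source) in effective_actions(build_sample_profile(), SAMPLE_SIGNATURES).items():
        print(sig_id, action, "<-", source)
```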
 Note: A created or modified security profile does not take effect immediately. You need to click Commit on the upper right of the web page to activate the configuration. To save time, commit the configuration after you complete all operations on the security profile.
 The configured IPS profile takes effect only after it is used in a security policy.
 After packet capture is enabled, the NGFW captures a maximum of 1600 bytes of virus-infected packets. You can use the auditor account to log in to the NGFW, choose Monitor > Log > Threat Log, select the entry whose Threat Type is virus, and view or download the virus-infected packets. Only auditor accounts can be used to view or download virus-infected packets.
 High risk detection refers to the discovery of potentially infected files during antivirus detection. This function improves security but may cause false positives. Therefore, the function is disabled by default.
 Response actions to a detected virus include:
     Alert: The device permits the files and generates virus logs.
     Block: The device blocks the files and generates virus logs.
     Declare: For virus-infected email messages, the device permits them but adds information to their subjects to announce the detection of viruses, and generates virus logs. This action applies only to SMTP and POP3.
     Delete Attachment: For virus-infected email messages, the device deletes their attachments, adds information to their subjects to announce the detection of viruses, permits them, and generates virus logs. This action applies only to SMTP and POP3.
 Applications use protocols for transmission. To configure a different response action for a certain application that uses a protocol, configure it in Application Exception.
 You can use either of the following two methods to add an application. If you configure the same application repeatedly using both methods, the response action configured last takes effect.
     Enter or select an application in the drop-down list of Application Exception, and click Add.
     In the Protocol interface, click the link of the protocol, and select the action for the application in the dialog box that is displayed.
 If you believe that a false positive is reported on a certain virus, obtain the virus ID from the log, enter the virus ID in the text box of Virus Exception, and click Add to configure a virus exception for the virus. Then the system permits files infected by that virus once it is detected.
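The response actions, their SMTP/POP3-only restriction, and the two exception types above resolve in a fixed order: virus exception, then application exception, then the protocol's action. This added example (not the AV profile code of the device) models that order and applies the mail-only actions to a constructed message; the AvProfile class, the "permit" outcome for an excepted virus, the subject tag wording, and the sample protocol actions, application name and virus ID are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAIL_PROTOCOLS = {"SMTP", "POP3"}
ACTIONS = {"alert", "block", "declare", "delete_attachment"}
SUBJECT_TAG = "[VIRUS DETECTED] "   # constructed wording for the note Declare/Delete Attachment add


def check_action(protocol: str, action: str) -> None:
    """Reject actions the text says are invalid for a protocol (Declare/Delete Attachment: mail only)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action in ("declare", "delete_attachment") and protocol not in MAIL_PROTOCOLS:
        raise ValueError(f"{action} applies only to SMTP and POP3, not {protocol}")


def is_valid_action(protocol: str, action: str) -> bool:
    try:
        check_action(protocol, action)
        return True
    except ValueError:
        return False


@dataclass
class AvProfile:
    protocol_actions: Dict[str, str]                                       # per-protocol response action
    application_exceptions: Dict[str, str] = field(default_factory=dict)   # application -> action
    virus_exceptions: Set[str] = field(default_factory=set)                # virus IDs treated as false positives

    def __post_init__(self):
        for protocol, action in self.protocol_actions.items():
            check_action(protocol, action)
        # Re-adding an application overwrites the dict entry, so the action configured last wins.


def decide(profile: AvProfile, protocol: str, application: Optional[str], virus_id: str) -> dict:
    """Pick the response for one detected virus."""
    # 1. Virus exception: the file is permitted even though a virus was detected.
    if virus_id in profile.virus_exceptions:
        return {"action": "permit", "source": "virus exception"}
    # 2. Application exception overrides the protocol's action.
    if application in profile.application_exceptions:
        action, source = profile.application_exceptions[application], "application exception"
    else:
        action, source = profile.protocol_actions[protocol], "protocol"
    check_action(protocol, action)   # an application exception must still fit the protocol
    return {"action": action, "source": source}


def apply_to_mail(message: dict, action: str) -> dict:
    """Apply the chosen action to a constructed mail message (dict with subject and attachments)."""
    msg = dict(message, attachments=list(message["attachments"]))
    if action in ("declare", "delete_attachment"):
        msg["subject"] = SUBJECT_TAG + msg["subject"]
    if action == "delete_attachment":
        msg["attachments"] = []
    msg["delivered"] = action != "block"   # alert, declare and delete_attachment all permit the message
    return msg


def build_sample_profile() -> AvProfile:
    """Constructed profile: block on web/FTP, tag SMTP mail, strip POP3 attachments."""
    return AvProfile(
        protocol_actions={"HTTP": "block", "FTP": "block", "SMTP": "declare", "POP3": "delete_attachment"},
        application_exceptions={"constructed-internal-webapp": "alert"},
        virus_exceptions={"CONSTRUCTED-VIRUS-0001"},
    )


if __name__ == "__main__":
    profile = build_sample_profile()
    mail = {"subject": "invoice", "attachments": ["report.exe"]}
    for proto in ("SMTP", "POP3"):
        print(proto, apply_to_mail(mail, decide(profile, proto, None, "CONSTRUCTED-VIRUS-0002")["action"]))
```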
The configured AV profile takes effect only after it is used in a security policy.
1. The Service Awareness (SA) technology analyzes the application types of packets or flows at the layers above IP and UDP/TCP and in various tunnels, using application-layer content inspection.
Answer: True
2. After the resumable data transfer of the AV function is enabled, the data packets transmitted by block are no longer scanned and can pass through the firewall.
Answer: True
3. Which of the following are common application layer attacks?
A. Buffer overflow B. Virus C. CC attack D. ARP spoofing
Answer: A, B, C
4. Which of the following protocols are supported by the AV function?
A. HTTP B. TP C. SMTP D. POP3
Answer: A, B, C, D
 Although antivirus and security equipment are deployed on enterprise networks, enterprises still face the following problems:
     Unstoppable information leaks
         Unauthorized access: alien computers, inter-departmental access
         Intentional information disclosure: peripheral copy, chat, file transfer, assets taken out
         Unintentional information disclosure: Trojans, viruses, worms, malicious websites, asset loss
     Terminal anomalies
         Viruses, worms, Trojans, and malware cause the device to respond slowly
         Malicious code or intrusion events lead to network or software anomalies, turning IT staff into exhausted "firemen"
         System damage and software conflicts result in frequent downtime, tarnishing the IT department's image
     Hard-to-detect network threats
         Viruses, worms, and malicious attacks from terminals (network Scissorhands, network agents, ARP attacks, etc.), and misuse of network resources, slow down the network or cause services and applications to terminate abnormally
 Many network security problems trouble IT managers and maintenance personnel, including:
     Is there any non-compliance with the security regulations?
     Is there unauthorized access to important s?
     Are there information leaks?
     Was the network incident caused by a terminal?
     Have any assets been lost? What is the plan to upgrade the hard disks?
     What software with legal issues is installed on terminals?
     How to deploy Office software or patches to thousands of new terminals?
     How to remotely resolve computer problems at branches?
     What is the information disclosure trend?
     What is the trend of terminal security and usability?
     What is the trend of compliance with security regulations and standards?
 According to a statistics report from International Data Corporation (IDC) and the computer crime and security survey delivered by the Federal Bureau of Investigation (FBI) and Computer Sciences International (CSI), storage medium abuse and theft, unauthorized access, key information leaks, IT system vulnerabilities, viruses and malicious codes, IM tools, and web access at non-working hours have become major threats to enterprise security.
 In terms of establishing information security, enterprises spare no effort in defending against external hackers and viruses but ignore internal threats. The preceding two authoritative reports show that massive internal security threats are posing severe impacts on the key information assets of enterprises.
 Traditional border protection measures become meaningless in the face of increasing internal security risks. Against this backdrop, IT administrators are supposed to turn their attention to intranet security protection.
 Traditionally, terminal security covers antivirus software, personal firewalls, and patch management. In a narrow sense, these are terminal security. We can see that they are isolated. In a broad sense, they are only components of terminal security. What is terminal security, then? What problems does terminal security need to resolve? Why can't the above-mentioned terminal security products essentially resolve security problems?
 Antivirus software was first developed in the 1980s as viruses emerged. Over the years, antivirus software has evolved from the earliest personal versions to the current network versions and gateway versions. After deploying antivirus software, however, enterprises find that devices are still widely infected with viruses. Although products have their own technical limitations, most engines and virus libraries are not updated on terminals as required, or no antivirus software is installed on terminals for a long time. During deployment, personal firewalls and patch management software may face challenges similar to those that antivirus software faces.
 In view of the limitations of the traditional terminal security products, IT manufacturers began to develop terminal security software in the early 2000s to resolve these challenges. During implementation and delivery, however, IT manufacturers and enterprises found that terminal security software alone can hardly solve the problems that terminals face from the aspect of system architecture. This led some IT manufacturers with comprehensive technical capability to enter the terminal security field. By virtue of its own security practice, network technology development, and security software development, Huawei puts forward a terminal security 3D defense system.
 The 3D defense system refers to a unified, integrated defense-in-depth system formed by consolidating relevant products and components, on the basis of the problems that terminals face, to resolve the limitations that a single protection method may bring. Terminal security is a systematic product and solution based on the 3D defense philosophy. It embodies the ideas of the 3D architecture and proactive defense, and continuously improves the security capability of enterprise terminals through PDCA.
 The terminal security 3D defense system identifies terminal users through access control to determine whether terminal users are allowed to access networks. Desktop management guarantees the security of terminal desktops through the preparation of security policies. Through the preparation of security management regulations suitable for the business operation of enterprises, security management guarantees that the prepared security policies are governed by these regulations.
 Now we look at the design roadmap of terminal security management solutions: the enterprise security policy is the core. Before users access enterprise networks, they must be authenticated, and then compliance checks are performed on them (including security checks and system configuration checks). Based on the check results, the server authorizes users compliant with enterprise security policies to access the related network resources, and allows non-compliant terminals to access only repair resources to complete the necessary repairs before they are allowed to access the network. The proxy monitors the network behaviors of all access terminals, responds to policy breaches, and logs the breach behaviors. The entire process is the PDCA continuous improvement process for intranet security protection.
 The five elements of a terminal security system:
     Identity authentication: focuses on identity, role definition, external authentication systems, etc.
     Access control: focuses on software firewalls, 802.1X switches, gateway access control, ARP, and DHCP.
     Security authentication: focuses on anti-virus software, patch management, illegitimate external connection management, storage media management, Internet behavior management, etc.
     Service authorization: focuses on service system access control and file permission control.
     Service audit: focuses on service systems and documents.

or
M
n
/e
o m
ei.c
aw
u
g.h
ni n
ar
//le
p :
t t
s:h
r c e
ou
es
R
n g
rni
e a
e L
or
M
n
/e
o m
e i.c
aw
u
g.h
ni n
ar
// le
p :
• Composition of the Terminal Security system:
  • Management server (SM)
  • Control server (SC)
  • Access control: hardware security access control gateway (SACG), 802.1X switch, software SACG
• Terminal access modes:
  • Web: only identity authentication is performed.
  • Web Agent: identity authentication and partial security authentication are performed.
  • Agent: identity authentication and full security authentication are performed.
• Terminal Security domains:
  • Pre-authentication domain: the domain a terminal can access before identity authentication.
  • Isolation domain: the domain holding the repair resources; a terminal is confined to it after it passes identity authentication but fails security authentication.
  • Post-authentication domain: the domain a terminal can access after security authentication, according to the business resource access rights assigned to its business role.
• Relationship between Terminal Security domains and security domains:
  • The pre-authentication domain and isolation domain are service domains of a security domain.
  • The post-authentication domain is a business domain of a security domain.
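As an added illustration, not code from the Huawei material or product, the following Python model ties the access modes and domains listed above to the admission flow from the design roadmap: identity authentication first, then whichever security (compliance) checks the access mode supports, then placement in the pre-authentication, isolation or post-authentication domain. The split of checks per mode, the role-to-domain mapping, the user store and the posture field names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class AccessMode(Enum):
    WEB = "web"              # identity authentication only
    WEB_AGENT = "web_agent"  # identity authentication + partial security authentication
    AGENT = "agent"          # identity authentication + full security authentication


class Domain(Enum):
    PRE_AUTH = "pre-authentication"
    ISOLATION = "isolation"
    POST_AUTH = "post-authentication"


# Which security checks each access mode can run. The split is an assumption of this
# example; the page only says Web Agent performs "partial" security authentication.
CHECKS_BY_MODE: Dict[AccessMode, Tuple[str, ...]] = {
    AccessMode.WEB: (),
    AccessMode.WEB_AGENT: ("antivirus", "os_patch"),
    AccessMode.AGENT: ("antivirus", "os_patch", "registry", "account", "ports"),
}

# One pre-authentication domain exists, but several post-authentication domains may be
# defined; this constructed mapping selects one by business role.
POST_AUTH_DOMAIN_BY_ROLE = {"finance": "post-auth-finance", "guest": "post-auth-guest"}

# Constructed user store: account -> (password, business role). A real SC would consult
# its RADIUS/Portal back end or AD/LDAP instead of a plain dictionary.
USERS = {"alice": ("S3cret!pass", "finance"), "guest01": ("welcome", "guest")}


@dataclass
class Posture:
    """Compliance results reported by the terminal; True means the check passed."""
    results: Dict[str, bool] = field(default_factory=dict)


@dataclass
class Decision:
    domain: Domain
    target: str                         # concrete domain the terminal is placed in
    failed_checks: Tuple[str, ...] = ()


def authenticate(account: str, password: str) -> Optional[str]:
    """Identity authentication: return the business role on success, None on failure."""
    entry = USERS.get(account)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def admit(mode: AccessMode, account: str, password: str, posture: Posture) -> Decision:
    """Identity authentication -> security authentication -> domain placement."""
    role = authenticate(account, password)
    if role is None:
        # Not authenticated: the terminal stays in the (single) pre-authentication domain.
        return Decision(Domain.PRE_AUTH, "pre-auth")

    # Only the checks this access mode supports are evaluated. A check with no reported
    # result counts as failed, so a terminal cannot pass simply by omitting data.
    failed = tuple(name for name in CHECKS_BY_MODE[mode]
                   if not posture.results.get(name, False))
    if failed:
        # Authenticated but non-compliant: confined to the repair resources.
        return Decision(Domain.ISOLATION, "isolation-repair", failed)

    return Decision(Domain.POST_AUTH, POST_AUTH_DOMAIN_BY_ROLE[role])
```

The model makes one property of the Web mode visible: because no checks are associated with it, an authenticated user reaches the post-authentication domain without any posture evaluation. That is why the page limits Web mode to identity authentication and, in the deployment requirements later on, expects the agent on every intranet terminal and Web authentication only for temporary visitors.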
• Major characteristics of the centralized deployment mode: Secospace servers are deployed centrally. The components (SM, SC, and database) can be installed on one server or on separate servers, depending on the number of terminals the server manages. SC servers can be deployed in a cluster for redundancy (two or more SC servers are then required). The SACG can work in standalone mode or in dual-system hot backup mode.
• The distributed networking mode is recommended in the following cases:
  • Terminals are concentrated in several domains and the bandwidth between domains is small. Because there is traffic between the SAs (agents) and the server, a centralized deployment would consume the inter-domain bandwidth and affect service provisioning.
  • There are a large number of terminals. Distributed deployment avoids the heavy bandwidth consumption that would be caused by massive numbers of terminals accessing a single Terminal Security server.
• In distributed deployment, the SAs of the Terminal Security system select the nearest SC to obtain services such as identity authentication and access control.
• Currently, industry vendors use NAC solutions such as gateways, 802.1X, DHCP, host firewalls, and ARP to provide access control.
• The Terminal Security system supports a variety of access control methods, including gateways, 802.1X switches, and host firewalls. These three methods cover essentially all typical cases and meet the access control requirements for internal employees, affiliates, visitors, and teleworkers using VPN, wireless, etc.
• The three kinds of access control can be deployed independently or in combination; for example, hardware SACG + host firewall, or hardware SACG + 802.1X, can implement strict access control.
• Web Agent: currently implemented as an ActiveX plug-in, so no installation or uninstallation is required (ActiveX controls run only in Internet Explorer on Windows, so this mode is limited to such browsers). The Terminal Security system provides only one pre-authentication domain, but you can specify multiple isolation and post-authentication domains.
• In offline mode, the SACG is attached to the core switch or router of the existing network to provide the policy center function. This deployment mode does not change the original network topology.
• To establish an access permission management mechanism, assign different permissions to employees, and protect core enterprise network resources, you can deploy the USG as the SACG to work with the Terminal Security system.
• Requirements:
  • Deploy two Terminal Security controllers. If the USG fails to interwork with both controllers, it stops controlling terminals and allows all of them through. Note that this is fail-open behavior: losing both controllers removes access control rather than blocking access, so the availability of the controllers directly determines whether the policy is enforced.
  • The Terminal Security agent software has been installed on all intranet terminals. To allow temporary visitors to be authenticated and access resources, you must also configure Web authentication for terminals that do not have the agent installed.
  • Different users can access different network resources. For example, UserA is allowed to access only the service system and is prevented from accessing other post-authentication resources.
  • If a user passes identity authentication but fails security authentication, the user must be repaired in the isolation domain, for example by downloading patches or updating the antivirus database.
• Access control includes:
  • Guest management, exception device management, enforced compliance assessment, accessible resources for authorized users
  • Authentication, compliance checks, one-click auto repair, time-range-based NAC
• Security management includes:
  • Security hardening, online behavior management
  • Customization of a variety of security policies, data leak prevention
  • Network protection
• Desktop management includes:
  • Patch management, asset management
  • Software distribution, remote assistance
  • News bulletins
• The Terminal Security system supports a hierarchical management structure. A department in the system corresponds to a division of the enterprise, and centralized, distributed, and hierarchical management are all supported.
• The Terminal Security system maintains and manages corporate or departmental employee information centrally. User names may be duplicated, even within the same department; during batch user/account import, however, users with the same name cannot be imported into the same department.
• Before accessing public resources within the enterprise, employees apply for an account from the administrator. They then enter their account on the Terminal Security Agent, the Web Agent plug-in, or the Web client for authentication, and can access intranet resources only after they pass both identity authentication and security authentication. Account names are globally unique, including accounts created in the system and those imported from external systems.
• The Terminal Security system manages internal IP addresses and binds them to services to implement intranet security protection. Network-area-based management differs from department-based management: it does not distinguish user departments but manages users based on the areas (IP address ranges) where they reside.
• Ordinary account/password authentication
  • Users authenticate with an ordinary account before accessing the controlled network.
• MAC account authentication
  • Users authenticate with the MAC addresses of their terminals before accessing the controlled network. A MAC address is easily spoofed, so this method identifies a device only weakly and is normally reserved for terminals that cannot run an agent or an 802.1X supplicant.
• AD account authentication
  • A Microsoft AD domain controller has been deployed on the network. Users authenticate with their Microsoft AD domain accounts before accessing the controlled network.
• LDAP authentication
  • An LDAP authentication server has been deployed on the network. Users authenticate with their LDAP accounts.
• USB key authentication
  • Before accessing the controlled network, users authenticate with the certificates carried on their USB keys.
• The policy checks whether the specified antivirus software is installed on the terminal host. If it is installed, the policy further checks the antivirus version, whether the virus library is updated in time, and whether the antivirus software is running. If the specified antivirus software is not installed, or it does not meet the requirements, AnyOffice records the related information about the terminal host, and the violation information is reported to the database for the administrator to query.
• Display policy check results on the terminal
  • Configures whether check results are displayed on the terminal. If selected, the check results are displayed after the terminal policy check completes; if unselected, they are not. Selected by default.
• Disable network access in case of critical violation
  • Configures whether network access is disabled when a critical violation occurs on the terminal host. If selected, when the violation level is Critical the Service Controller prohibits the terminal host from accessing the network; if unselected, the Service Controller still allows access. Unselected by default, which means that with the default settings a critical antivirus violation is only recorded and displayed; enforcement requires selecting this item.
• Execute policy offline
  • Specifies whether the policy is executed when AnyOffice runs in offline mode. If selected, the policy is executed in offline mode and the violation is reported to the Service Controller after the terminal host passes authentication; if deselected, the policy is not executed in offline mode. Unselected by default.
  • AnyOffice runs in offline mode in the following situations:
    • The terminal host has not performed identity authentication.
    • The terminal host performed identity authentication but it failed.
    • The terminal user logged out after the terminal host passed authentication.
    • AnyOffice is disconnected from the Service Controller.
• Report the illegality (report the violation)
  • Sets whether violations are reported. If selected, a violation on the terminal host is reported to the Service Controller; if deselected, it is not. Selected by default. If violation reports are not required, deselect this item to protect the database from a flood of violation records.
• Set the check period
  • Sets how often the policy check runs. The value ranges from 5 to 999.
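To make the interaction of the four option switches concrete, here is an added Python model (not AnyOffice code) of the antivirus check as described above: the offline condition derived from the four situations listed, the policy executed or skipped according to "Execute policy offline", the report sent immediately or deferred until the next authentication, network access blocked only when "Disable network access in case of critical violation" is selected and the level is Critical, and the check period validated against the 5..999 range. The severity assigned to each finding (missing, outdated or stopped software as Critical, a stale signature database as Minor), the product name and the version and age thresholds are assumptions of the example; the page states only which conditions are checked.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    NONE = 0
    MINOR = 1
    CRITICAL = 2


@dataclass
class AntivirusPolicy:
    required_product: str
    min_version: tuple                # e.g. (12, 0)
    max_signature_age_days: int
    show_results: bool = True         # "Display policy check results on the terminal" (selected by default)
    block_on_critical: bool = False   # "Disable network access in case of critical violation" (unselected by default)
    execute_offline: bool = False     # "Execute policy offline" (unselected by default)
    report_violation: bool = True     # "Report the illegality" (selected by default)
    check_period: int = 60            # the page allows 5..999 (unit not stated)

    def __post_init__(self) -> None:
        if not 5 <= self.check_period <= 999:
            raise ValueError("check period must be in the range 5..999")


@dataclass
class AgentState:
    """Connection state of AnyOffice, from which the offline condition is derived."""
    authenticated: bool
    logged_out: bool = False
    connected_to_sc: bool = True

    @property
    def offline(self) -> bool:
        # The four offline situations: no authentication, authentication failed (both map to
        # authenticated=False), user logged out afterwards, or SC connection lost.
        return (not self.authenticated) or self.logged_out or (not self.connected_to_sc)


@dataclass
class AntivirusInventory:
    """What the agent found on the host (constructed for the example)."""
    product: Optional[str]
    version: Optional[tuple]
    signature_date: Optional[date]
    running: bool


@dataclass
class Outcome:
    level: Level
    reasons: List[str] = field(default_factory=list)
    skipped: bool = False        # policy not executed (offline and execute_offline unselected)
    network_blocked: bool = False
    report: str = "none"         # "now", "deferred" (offline: sent after next authentication) or "none"
    shown_to_user: bool = False


def evaluate_antivirus(policy: AntivirusPolicy, inv: AntivirusInventory,
                       agent: AgentState, today: date) -> Outcome:
    """Apply the antivirus check and the policy's option switches to one host."""
    if agent.offline and not policy.execute_offline:
        return Outcome(Level.NONE, skipped=True)

    # Severity per finding is an assumption of this example.
    findings = []
    if inv.product != policy.required_product:
        findings.append((Level.CRITICAL, "required antivirus software not installed"))
    else:
        if inv.version is None or inv.version < policy.min_version:
            findings.append((Level.CRITICAL, "antivirus version below the required minimum"))
        age = None if inv.signature_date is None else (today - inv.signature_date).days
        if age is None or age > policy.max_signature_age_days:
            findings.append((Level.MINOR, "virus signature database not updated in time"))
        if not inv.running:
            findings.append((Level.CRITICAL, "antivirus software not running"))

    level = max((lvl for lvl, _ in findings), default=Level.NONE)
    out = Outcome(level, [msg for _, msg in findings], shown_to_user=policy.show_results)
    if level is Level.NONE:
        return out

    # Blocking is the Service Controller's decision and only happens when the switch is on.
    out.network_blocked = policy.block_on_critical and level is Level.CRITICAL
    if policy.report_violation:
        out.report = "deferred" if agent.offline else "now"
    return out
```

With the defaults, a host with no antivirus at all is recorded and shown to the user but keeps its network access; only `block_on_critical=True` changes that. Conversely, deselecting "Execute policy offline" (the default) means a host that never authenticates is never checked by this policy, so the offline switch matters most for terminals that work disconnected from the SC.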
• This policy checks whether the corresponding Microsoft Windows OS patch packages are installed on the terminal host. If a patch package of the corresponding level is not installed, AnyOffice records the related OS information and reports it to the database for the administrator to query.
• Configure patch check contents (interaction required)
  • Set the violation level for a terminal host that has not installed a Microsoft Windows OS patch package of the specified level. If a patch level is unselected, AnyOffice or the Web Agent plug-in does not check OS patches of that level.
  • Minor: indicates the minor violation level.
  • Critical: indicates the critical violation level.
• This policy checks whether important subkeys and values in the registry meet the requirements. If the registry does not contain a subkey and value required by the policy, or contains a subkey and value prohibited by the policy, the check result is a violation.
• This policy checks the terminal host's computer name against the requirements. Failure to meet the user-defined computer name requirements is a security violation.

e s
r c
ou
es
R
n g
r ni
e a
e L
or
M
n
/e
o m
e i.c
aw
u
g .h
ni n
ar
// le
p :

t t
This policy checks whether the account and permissions of the terminal file sharing are

:h
compliant with the requirements, and provides the auto-recovery function.

 Permit terminal sharing file


e s
r c

ou
Configure whether terminal hosts are allowed to share files. If this item is selected, it

s
indicates that terminal hosts are allowed to share files, and that terminal hosts are checked
e
R
for violation according to the permission to shared accounts.

n g
If this item is deselected and Prohibit share violation level is configured, it indicates that

ni
terminal hosts are prohibited from sharing files. When a terminal host violates the sharing
r
a
policy, the violation level is Prohibit share violation level.
• This policy checks whether the accounts on a terminal host comply with the requirements. If the account password set by the terminal user does not comply with the security rules, the check result shows a violation.
• Check weak password
  • Checks whether the password complies with the rules.
  • If selected, the system checks password compliance according to the rules; if not selected, it does not.
• This policy checks whether the accounts and permissions of the local shared printer comply with the requirements, and provides an auto-recovery function.
• Allow the terminal to share the local printer
  • Configures whether the terminal may share its local printer. If selected, sharing is allowed; if unselected, sharing is forbidden.
• Policy violation level
  • When the terminal is not allowed to share the local printer, the violation level must be specified.
  • Minor: indicates the minor violation level.
  • Critical: indicates the critical violation level.
• This policy checks whether the ports open on the terminal comply with the requirements, according to the specified ports or port segments.
• Check only the ports in the listening state
  • Configures whether only ports in the Listening state are checked.
  • If selected, only ports in the Listening state are checked; if unselected, all ports are checked, which also flags established connections on the specified ports (for example an outbound session to a prohibited port) at the cost of more noise.
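The registry, computer name, account (weak password), file sharing and port policies above all reduce to the same shape: compare an inventory collected on the host against a rule and emit a violation. The following Python block is an added example (not AnyOffice code) implementing each of those checks over a constructed host inventory, including the "only ports in the listening state" switch. The registry values, naming pattern, password rules, share permission ranking and prohibited port segments are policy choices made for the example; how the real agent collects each item (registry API, netstat-style socket listing, share enumeration) and how it obtains a password to test are outside its scope.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Violation:
    policy: str
    detail: str


# Registry check: mandatory (subkey, value) pairs with expected data, plus forbidden pairs.
# The snapshot is {subkey: {value_name: data}}, constructed instead of read from the registry.
def check_registry(snapshot: Dict[str, Dict[str, object]],
                   required: Dict[Tuple[str, str], object],
                   forbidden: List[Tuple[str, str]]) -> List[Violation]:
    out = []
    for (subkey, name), expected in required.items():
        values = snapshot.get(subkey, {})
        if name not in values:
            out.append(Violation("registry", f"missing {subkey}\\{name}"))
        elif values[name] != expected:
            out.append(Violation("registry", f"{subkey}\\{name}={values[name]!r}, expected {expected!r}"))
    for subkey, name in forbidden:
        if name in snapshot.get(subkey, {}):
            out.append(Violation("registry", f"forbidden value present: {subkey}\\{name}"))
    return out


# Computer name check: the user-defined naming rule is expressed as a regular expression.
def check_computer_name(name: str, pattern: str) -> List[Violation]:
    if re.fullmatch(pattern, name) is None:
        return [Violation("computer_name", f"{name!r} does not match {pattern!r}")]
    return []


# Account check: weak-password rules (length, account name, character classes). The rules are
# an assumption of this example.
def weak_password_reason(account: str, password: str, min_length: int = 8) -> Optional[str]:
    if len(password) < min_length:
        return "shorter than the minimum length"
    if account.lower() in password.lower():
        return "contains the account name"
    classes = sum(re.search(p, password) is not None for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return "fewer than three character classes" if classes < 3 else None


# File sharing check: sharing prohibited outright, or each share checked against the accounts
# and the highest permission level the policy allows. Shares are (name, account, permission).
PERMISSION_RANK = {"READ": 0, "CHANGE": 1, "FULL": 2}


def check_file_sharing(shares: List[Tuple[str, str, str]], sharing_allowed: bool,
                       allowed_accounts: Tuple[str, ...] = (), max_permission: str = "READ") -> List[Violation]:
    if not sharing_allowed:
        return [Violation("file_sharing", f"share {n} exists but sharing is prohibited") for n, _, _ in shares]
    return [Violation("file_sharing", f"share {n} grants {p} to {a}") for n, a, p in shares
            if a not in allowed_accounts or PERMISSION_RANK[p] > PERMISSION_RANK[max_permission]]


# Port check: prohibited ports or port segments (low, high), optionally only sockets in the
# listening state. Entries are (port, state) as a netstat-style listing would report them.
def check_ports(entries: List[Tuple[int, str]], prohibited: List[Tuple[int, int]],
                listening_only: bool = True) -> List[Violation]:
    return [Violation("port", f"port {port} ({state}) falls in a prohibited segment")
            for port, state in entries
            if (state == "LISTENING" or not listening_only)
            and any(lo <= port <= hi for lo, hi in prohibited)]


# Constructed host inventory, as an agent might collect it (not real data).
SAMPLE_HOST = {
    "registry": {
        r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters": {"AutoShareWks": 1},
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU": {"NoAutoUpdate": 1},
    },
    "computer_name": "SH-FIN-0042",
    "passwords": {"admin": "admin123", "bob": "Tr0ub4dor&3"},
    "shares": [("Projects", "Everyone", "FULL"), ("Scans", "Everyone", "READ")],
    "ports": [(445, "LISTENING"), (3389, "LISTENING"), (4444, "ESTABLISHED")],
}


def check_host(host: dict, listening_only: bool = True) -> List[Violation]:
    """Run every check with the example policy and return all violations found."""
    v = check_registry(host["registry"],
                       required={(r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareWks"): 0},
                       forbidden=[(r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate")])
    v += check_computer_name(host["computer_name"], r"(SH|BJ)-[A-Z]{3}-\d{4}")
    v += [Violation("account", f"{a}: {r}") for a, p in host["passwords"].items()
          if (r := weak_password_reason(a, p))]
    v += check_file_sharing(host["shares"], sharing_allowed=True, allowed_accounts=("Everyone",), max_permission="READ")
    v += check_ports(host["ports"], prohibited=[(3389, 3389), (4000, 5000)], listening_only=listening_only)
    return v
```

Running `check_host(SAMPLE_HOST)` on the constructed inventory yields five violations (admin shares still enabled, automatic updates disabled by policy, a password containing the account name, a share granting Full control, and RDP listening); the established connection to port 4444 is flagged only when `listening_only=False`, which is exactly the difference the "Check only the ports in the listening state" switch makes.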
• Terminal security uses a three-dimensional architecture, proactive defense, and the Plan, Do, Check, Act (PDCA) model to improve the security capability of enterprise terminals. The three-dimensional defense system uses access control to identify users and determine whether to allow their access; desktop management protects terminal desktops through security policies; security management ensures that the security policies comply with the operational requirements of enterprise services.
• The terminal security system consists of the service manager (SM), service controller (SC), and access control devices such as the hardware SACG, 802.1X switches, and the software SACG.
• The service manager (SM) lets system administrators manage users, control access, configure mobility policies, and configure and manage security collaboration services from a web interface. The SM manages its service controllers (SCs) and sends instructions to them in real time. The SCs have built-in RADIUS and Portal servers and interwork with the access device (SACG) to control network access per user.
• The terminal security system manages users by organization or by area.
  • By organization: create departments in the system to provide centralized, distributed, and hierarchical management.
  • By area: bind services to IP addresses and manage users by area (IP address range).
• The terminal security system supports the following authentication methods:
  • User name/password authentication: users are authenticated with user names and passwords before they can access restricted networks.
  • MAC authentication: users are authenticated with the MAC addresses of their terminals before they can access restricted networks.
  • AD account authentication: users are authenticated with Microsoft AD domain accounts if Microsoft AD domain controllers have been deployed on the network.
  • LDAP authentication: users are authenticated with LDAP accounts if LDAP authentication servers have been deployed on the network.
  • USB key authentication: users are authenticated with the certificates on their USB keys before they can access restricted networks.
• The major security policies of the terminal security system and their functions are as follows:
  • Antivirus software check: checks whether the required antivirus software is installed on the terminal. If it is, the policy further checks whether the program version and signature database are current and whether the software is running. If it is not installed, or does not meet the requirements, AnyOffice records the check result and sends it to the database for administrators to review.
  • Operating system patch check: checks whether the required Microsoft Windows patches are installed on the terminal. If they are not, AnyOffice records the check result and sends it to the database for administrators to review.
  • Registry check: checks whether important subkeys and their values in the registry meet the requirements. If the registry lacks mandatory subkeys and values, or has forbidden ones, the terminal fails this check.
  • Computer name check: checks whether the terminal's computer name meets the requirements. If the name set by the user does not, the terminal fails this check.
  • File sharing check: checks whether the file sharing accounts and permissions meet the requirements and automatically fixes them if they do not.
  • Account security check: checks whether the account settings on the terminal meet the requirements. If the password set by the user does not, the terminal fails this check.
  • Printer sharing check: checks whether the local printer sharing accounts and permissions meet the requirements and automatically fixes them if they do not.
  • Port check: checks whether the enabled ports comply with the requirements.