HP High-End Firewalls


HP High-End Firewalls Attack Protection Configuration Guide

Part number:
Software version:
  F1000-A-EI&F1000-S-EI: R3721
  F5000: F3210
  F1000-E: F3171
  Firewall module: F3171
Document version: 6PW

Legal and notice information

Copyright 2012 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Configuring blacklist 1
  Overview 1
  Recommended configuration procedure 1
  Enabling the blacklist function 2
  Adding a blacklist entry manually 2
  Viewing the blacklist 3
  Blacklist configuration example 3
    Verifying the configuration 5
Configuring packet inspection 6
  Overview 6
  Configuration procedure 7
  Packet inspection configuration example 8
    Network requirements 8
    Configuration procedure 8
    Verifying the configuration 9
Configuring traffic abnormality detection 10
  Overview 10
    Flood detection 10
    Connection limit 11
    Scanning detection 11
  Configuring ICMP flood detection 11
  Configuring UDP flood detection 13
  Configuring DNS flood detection 15
  Configuring SYN flood detection 16
  Configuring connection limit 18
  Configuring scanning detection 19
  Traffic abnormality detection configuration example 20
    Network requirements 20
    Configuration considerations 20
    Configuration procedure 21
    Verifying the configuration 23
Configuring URPF 25
  URPF overview 25
    What is URPF 25
    How URPF works 25
  Configuration procedure 26
  URPF configuration example 27
Configuring TCP proxy 30
  Overview 30
    SYN flood attack 30
    TCP proxy 30
    TCP proxy working mechanism 31
  Configuring TCP proxy 32
    Recommended configuration procedure 32
    Performing global TCP proxy setting 33
    Enabling TCP proxy for a security zone 33
    Adding a protected IP address entry 33
    Displaying information about protected IP address entries 34
  TCP proxy configuration example 35
  Configuration guidelines 37
Configuring IDS collaboration 38
  Feature and hardware compatibility 38
  Overview 38
  Enabling IDS collaboration 38
  Configuration guidelines 39
Displaying intrusion detection statistics 40
  Overview 40
  Configuration procedure 40
Configuring ARP attack protection 43
  Configuring periodic sending of gratuitous ARP packet 43
    Introduction 43
    Configuring periodic sending of gratuitous ARP packet in the web interface 44
    Configuring periodic sending of gratuitous ARP packet at the CLI 45
  Configuring ARP automatic scanning and fixed ARP 46
    Introduction 46
    Configuring ARP automatic scanning in the web interface 47
    Configuring fixed ARP in the web interface 48
    Configuring ARP automatic scanning and fixed ARP at the CLI 49
Configuring TCP attack protection 50
  Overview 50
  Enabling the SYN Cookie feature 50
  Enabling protection against Naptha attacks 51
  Displaying and maintaining TCP attack protection 51
Configuring firewall 52
  Overview 52
  Configuring a packet-filter firewall 52
    Packet-filter firewall configuration task list 52
    Enabling the IPv6 firewall function 53
    Configuring the default filtering action of the IPv6 firewall 53
    Configuring IPv6 packet filtering on an interface 53
    Displaying and maintaining a packet filtering firewall 54
Configuring content filtering 55
  Overview 55
    HTTP packet content filtering 55
    SMTP packet content filtering 56
    POP3 packet content filtering 56
    FTP packet content filtering 56
    Telnet packet content filtering 57
  Configuring content filtering 57
    Configuration guide 57
    Configuring keyword filtering entries 59
    Configuring URL hostname filtering entries 61
    Configuring filename filtering entries 61
    Configuring address filtering entries 63
    Configuring URL parameter filtering keywords 63
    Configuring java blocking keywords 64
    Configuring ActiveX blocking keywords 65
    Configuring an HTTP filtering policy 66
    Configuring an SMTP filtering policy 68
    Configuring a POP3 filtering policy 69
    Configuring an FTP filtering policy 71
    Configuring a telnet filtering policy 72
    Configuring a content filtering policy template 73
  Displaying content filtering statistics 74
  Content filtering configuration example 75
  Configuration guidelines 87
Support and other resources 89
  Contacting HP 89
    Subscription service 89
  Related information 89
    Documents 89
    Websites 89
  Conventions 90
Index 92

Configuring blacklist

NOTE: The blacklist configuration is available only in the web interface.

Overview

Blacklist is an attack prevention mechanism that filters packets based on source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and faster at filtering packets sourced from particular IP addresses.

The firewall can dynamically add and remove blacklist entries. This is implemented in cooperation with the scanning detection feature. When the firewall detects that packets sourced from an IP address have a behavior pattern that implies a potential scanning attack, it automatically blacklists the IP address to filter subsequent packets sourced from that IP address. Blacklist entries added in this way age out after a period of time.

NOTE: For more information about scanning detection configuration, see "Configuring traffic abnormality detection."

The firewall also supports adding and removing blacklist entries manually. Manually configured blacklist entries fall into two categories: permanent and non-permanent. A permanent blacklist entry is always present unless it is removed manually, whereas a non-permanent blacklist entry has a limited lifetime that depends on your configuration. When the lifetime of a non-permanent entry expires, the firewall removes the entry from the blacklist, allowing the packets of the IP address defined by the entry to pass through.

Recommended configuration procedure

Task 1. Enabling the blacklist function
Remarks: Required. By default, the blacklist function is disabled.

Task 2. Configuring the scanning detection feature to add blacklist entries automatically
Remarks: Required. Complete either task 2 or task 3. For more information about scanning detection configuration, see "Configuring traffic abnormality detection."

Task 3. Adding a blacklist entry manually
Remarks: Required. Complete either task 2 or task 3. By default, no blacklist entries exist.

Task 4. Viewing the blacklist
Remarks: Optional.

IMPORTANT: If you modify a dynamic blacklist entry, the entry turns into a manual one.
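The semantics above (permanent and hold-time manual entries, entries that scanning detection adds and that age out, an edited dynamic entry becoming a manual one, and the Dropped Count field) as a small Python model. This is an added example, not HP code or the firewall's implementation; it also models the note under "Configuring scanning detection" that a removed dynamic entry is not re-added for a period of time, and the suppression period, the one-second rate window and the TEST-NET addresses are assumptions.

```python
"""Constructed model of this chapter's blacklist semantics (not HP code): permanent
and non-permanent manual entries, dynamic entries from scanning detection that age
out, an edited dynamic entry becoming manual, the dropped count, and a removed
dynamic entry not being re-added for a while. Suppression period and addresses assumed."""
from dataclasses import dataclass
from typing import Dict, Optional

REMOVED_ENTRY_SUPPRESS_SECONDS = 60  # assumed; the guide only says "a period of time"


@dataclass
class Entry:
    ip: str
    add_method: str             # "Auto" (scanning detection) or "Manual"
    start_time: float
    hold_time: Optional[float]  # lifetime in seconds; None means permanent
    dropped: int = 0

    def expired(self, now):
        return self.hold_time is not None and now >= self.start_time + self.hold_time


class Blacklist:
    def __init__(self, enabled=False):
        self.enabled = enabled
        self.entries: Dict[str, Entry] = {}
        self.removed_auto: Dict[str, float] = {}  # ip -> when its Auto entry was removed

    def add_manual(self, ip, now, hold_time=None):
        # hold_time=None is the Permanence option; a number is the Hold Time option
        self.entries[ip] = Entry(ip, "Manual", now, hold_time)

    def add_auto(self, ip, now, lifetime):
        """Called by scanning detection; returns True if an entry was added."""
        existing = self.entries.get(ip)
        if existing is not None and existing.add_method == "Manual":
            return False  # never replace an operator's entry
        removed_at = self.removed_auto.get(ip)
        if removed_at is not None and now < removed_at + REMOVED_ENTRY_SUPPRESS_SECONDS:
            return False  # recently removed by hand: treated as the same attack
        self.entries[ip] = Entry(ip, "Auto", now, lifetime)
        return True

    def modify(self, ip, now, hold_time=None):
        # IMPORTANT note in the guide: editing a dynamic entry makes it a manual one
        entry = self.entries[ip]
        entry.add_method, entry.start_time, entry.hold_time = "Manual", now, hold_time

    def remove(self, ip, now):
        entry = self.entries.pop(ip, None)
        if entry is not None and entry.add_method == "Auto":
            self.removed_auto[ip] = now

    def permit(self, src_ip, now):
        """True if a packet from src_ip passes the blacklist at time now."""
        if not self.enabled:
            return True
        for ip in [ip for ip, e in self.entries.items() if e.expired(now)]:
            del self.entries[ip]  # non-permanent entries age out
        entry = self.entries.get(src_ip)
        if entry is None:
            return True
        entry.dropped += 1
        return False


class ScanningDetector:  # connections per second per source IP; blacklists at the threshold
    def __init__(self, blacklist, threshold, lifetime):
        self.blacklist, self.threshold, self.lifetime = blacklist, threshold, lifetime
        self.counts = {}  # src -> (second, connections seen in that second)

    def new_connection(self, src_ip, now):
        """Record one connection attempt; True when the source gets blacklisted."""
        second = int(now)
        sec, count = self.counts.get(src_ip, (second, 0))
        if sec != second:
            sec, count = second, 0
        count += 1
        self.counts[src_ip] = (sec, count)
        if count >= self.threshold:  # "reached or exceeded the threshold"
            return self.blacklist.add_auto(src_ip, now, self.lifetime)
        return False


def configuration_example():
    """Replays the chapter's example: Host D forever, Host C 50 min, 4500 conn/s."""
    host_d, host_c, scanner = "192.0.2.4", "192.0.2.3", "192.0.2.99"
    bl = Blacklist(enabled=True)
    bl.add_manual(host_d, now=0.0)
    bl.add_manual(host_c, now=0.0, hold_time=50 * 60)
    det = ScanningDetector(bl, threshold=4500, lifetime=600.0)
    flagged = any(det.new_connection(scanner, 5.0) for _ in range(4500))
    return {  # evaluated in order; later checks use a later clock
        "scanner_flagged": flagged,
        "scanner_method": bl.entries[scanner].add_method,
        "scanner_blocked_at_6s": bl.permit(scanner, 6.0),
        "scanner_passes_after_aging": bl.permit(scanner, 605.0),
        "host_c_at_49m": bl.permit(host_c, 49 * 60.0),
        "host_c_at_50m": bl.permit(host_c, 50 * 60.0),
        "host_d_at_1h": bl.permit(host_d, 3600.0),
        "host_d_dropped": bl.entries[host_d].dropped,
    }
```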

Enabling the blacklist function

1. From the navigation tree, select Intrusion Detection > Blacklist to enter the blacklist management page.
2. Select the Enable Blacklist box.
3. Click Apply.

Figure 1 Blacklist management page

Adding a blacklist entry manually

1. From the navigation tree, select Intrusion Detection > Blacklist to enter the blacklist management page.
2. Click Add to enter the blacklist entry configuration page.

Figure 2 Adding a blacklist entry manually

3. Configure a blacklist entry as described in Table 1, and then click Apply.

Table 1 Configuration items
IP Address: Specify the IP address to be blacklisted.
Hold Time: Configure the entry to be a non-permanent one and specify a lifetime for it.
Permanence: Configure the entry to be a permanent one.

Viewing the blacklist

From the navigation tree, select Intrusion Detection > Blacklist to enter the blacklist management page, where you can view the blacklist information, as shown in Figure 1. Table 2 describes the blacklist fields.

Table 2 Field description
IP Address: Blacklisted IP address.
Add Method: Type of the blacklist entry. Possible values include:
  Auto: Added by the scanning detection feature automatically.
  Manual: Added manually or modified manually. IMPORTANT: Once modified manually, an auto entry becomes a manual one.
Start Time: Time when the blacklist entry was added.
Hold Time: Lifetime of the blacklist entry.
Dropped Count: Number of packets dropped based on the blacklist entry.

Blacklist configuration example

Network requirements

As shown in Figure 3, the internal network is the trusted zone and the external network is the untrusted zone. Configure Firewall to do the following tasks:
Block packets from Host D forever (suppose that Host D is an attack source).
Block packets from Host C for 50 minutes, so as to control access of the host.
Perform scanning detection for traffic from the untrusted zone and, upon detecting a scanning attack, blacklist the source. The scanning threshold is 4500 connections per second.

Figure 3 Network diagram (Host A and Host B in zone Trust behind Firewall; Host C and Host D in zone Untrust, reached through the Internet)

Configuration procedure

1. Assign IP addresses to the interfaces. (Details not shown.)
2. Select Intrusion Detection > Blacklist from the navigation tree. The blacklist management page appears.

Figure 4 Enabling the blacklist feature

3. In the Global Configuration area, select the Enable Blacklist option, and click Apply.
4. In the Blacklist Configuration area, click Add. The page for adding a blacklist entry for Host D appears.

Figure 5 Adding a blacklist entry for Host D

5. Enter the IP address of Host D, select the Permanence option, and click Apply.
6. In the Blacklist Configuration area, click Add. The page for adding a blacklist entry for Host C appears.

Figure 6 Adding a blacklist entry for Host C

7. Enter the IP address of Host C, select the Hold Time option, set the lifetime of the entry to 50 minutes in the box next to the option, and click Apply.
8. Select Intrusion Detection > Traffic Abnormality > Scanning Detection from the navigation tree. The page for configuring scanning detection for the untrusted zone appears.

Figure 7 Configuring scanning detection for the untrusted zone

9. Select security zone Untrust, select the Enable Scanning Detection option, set the scanning threshold to 4500, select the Add the source IP to the blacklist option, and click Apply.

Verifying the configuration

Select Intrusion Detection > Blacklist from the navigation tree to display the list. Check whether the manually added blacklist entries appear on the blacklist.
Check whether Firewall discards all packets from Host D until you remove the blacklist entry for the host.
Check whether Firewall discards all packets from Host C within 50 minutes. After 50 minutes, check whether Firewall forwards packets from Host C normally.
Check whether Firewall outputs an alarm log and adds the IP address to the blacklist when detecting a scanning attack from the untrusted zone. You can select Intrusion Detection > Blacklist from the navigation tree to check the blacklist for the entry.

Configuring packet inspection

NOTE: The packet inspection configuration is available only in the web interface.

Overview

A single-packet attack, or malformed packet attack, occurs when either of the following events occurs:
An attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags, to a target system, making the target system malfunction or crash when processing such packets.
An attacker sends large quantities of junk packets to the network, using up the network bandwidth.

With packet inspection configured, the firewall analyzes the characteristics of received packets to determine whether the packets are attack packets. Upon detecting an attack, the firewall logs the event and, when configured, discards the attack packets. The firewall supports detection of the following types of single-packet attacks.

Table 3 Types of single-packet attacks
Fraggle: A Fraggle attack occurs when an attacker sends large amounts of UDP echo requests with the UDP port number being 7, or Chargen packets with the UDP port number being 19, resulting in a large quantity of junk replies and finally exhausting the bandwidth of the target network.
Land: A Land attack occurs when an attacker sends a great number of TCP SYN packets with both the source and destination IP addresses being the IP address of the target, exhausting the half-open connection resources of the victim and preventing the target from providing services normally.
WinNuke: A WinNuke attacker sends out-of-band (OOB) data with overlapping pointer field values to the NetBIOS port (139) of a Windows system that has an established connection, introducing a NetBIOS fragment overlap and causing the system to crash.
TCP Flag: Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such TCP flags to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker succeeds in crashing the host.
ICMP unreachable: Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for the destination. By sending ICMP unreachable packets, an ICMP unreachable attacker can cut off the connection between the target host and the network.
ICMP redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table, interfering with the normal forwarding of IP packets.

Tracert: The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 each time the packet passes a router. Upon receiving a packet with a TTL of 0, a router must send an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the network topology.
Smurf: A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network reply to the requests, congesting the network and leaving hosts on the target network unable to provide services.
Source route: A source route attack exploits the source route option in the IP header to probe the topology of a network.
Route record: A route record attack exploits the route record option in the IP header to probe the topology of a network.
Large ICMP: For some hosts and devices, large ICMP packets cause memory allocation errors and crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.

Configuration procedure

1. From the navigation tree, select Intrusion Detection > Packet Inspection to enter the packet inspection page.

Figure 8 Configuration page

2. Configure packet inspection as described in Table 4, and then click Apply.

Table 4 Configuration items
Zone: Select a zone to detect attacks from the zone.

Discard Packets when the specified attack is detected: Select this option to discard detected attack packets.
Enable Fraggle Attack Detection: Enable or disable detection of Fraggle attacks.
Enable Land Attack Detection: Enable or disable detection of Land attacks.
Enable WinNuke Attack Detection: Enable or disable detection of WinNuke attacks.
Enable TCP Flag Attack Detection: Enable or disable detection of TCP flag attacks.
Enable ICMP Unreachable Packet Attack Detection: Enable or disable detection of ICMP unreachable attacks.
Enable ICMP Redirect Packet Attack Detection: Enable or disable detection of ICMP redirect attacks.
Enable Tracert Packet Attack Detection: Enable or disable detection of Tracert attacks.
Enable Smurf Attack Detection: Enable or disable detection of Smurf attacks.
Enable IP Packet Carrying Source Route Attack Detection: Enable or disable detection of source route attacks.
Enable Route Record Option Attack Detection: Enable or disable detection of route record attacks.
Enable Large ICMP Packet Attack Detection, Max Packet Length: Enable detection of large ICMP attacks and set the packet length limit, or disable detection of such attacks.

Packet inspection configuration example

Network requirements

As shown in Figure 9, the internal network is the trusted zone and the external network is the untrusted zone. Configure Firewall to protect the trusted zone against Land attacks and Smurf attacks from the untrusted zone.

Figure 9 Network diagram

Configuration procedure

1. Assign IP addresses to interfaces. (Details not shown.)
2. From the navigation tree, select Intrusion Detection > Packet Inspection. The packet inspection configuration page appears.

Figure 10 Enabling Land and Smurf attack detection for the untrusted zone

3. Select Untrust from the Zone list, select Discard Packets when the specified attack is detected, select Enable Land Attack Detection, select Enable Smurf Attack Detection, and click Apply.

Verifying the configuration

Check that Firewall can detect Land and Smurf attacks from the untrusted zone, output alarm logs accordingly, and drop the attack packets. You can select Intrusion Detection > Statistics from the navigation tree to view the counts of Land and Smurf attacks and the counts of dropped attack packets.
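As an added example (not HP code or the firewall's implementation), the Table 3 signatures as a packet classifier in Python, with a per-zone policy that mirrors the Table 4 options and replays the Land and Smurf example above. The sample packets, the protected subnet, the Max Packet Length value, the tracert port range and TTL bound, and the TCP flag combinations treated as illegal are constructed assumptions; Table 3 does not give those details.

```python
"""Constructed classifier for the single-packet attacks of Table 3 (not HP code).
Packets are plain dicts of header fields, not captures. The illegal TCP flag
combinations, tracert port range and TTL bound, Max Packet Length value and the
protected network are assumptions; Table 3 does not give these details."""
import ipaddress

PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed trusted-zone subnet
MAX_ICMP_LEN = 1500                                   # assumed Max Packet Length
ILLEGAL_TCP_FLAGS = [frozenset(), frozenset({"SYN", "FIN"}), frozenset({"SYN", "RST"}),
                     frozenset({"FIN", "PSH", "URG"})]   # null, SYN/FIN, SYN/RST, Xmas
TRACERT_PORTS = range(33434, 33534)  # classic traceroute UDP destination ports
TRACERT_MAX_TTL = 1                  # a probe that would expire at this hop


def classify(pkt, max_icmp_len=MAX_ICMP_LEN, net=PROTECTED_NET):
    """Return the Table 3 attack names the packet matches (empty list: clean)."""
    hits = []
    proto = pkt.get("proto")
    flags = frozenset(pkt.get("tcp_flags", ()))
    opts = set(pkt.get("ip_options", ()))
    icmp_type = pkt.get("icmp_type")
    if proto == "udp" and pkt.get("dport") in (7, 19):          # echo / chargen
        hits.append("Fraggle")
    if proto == "tcp" and "SYN" in flags and pkt["src"] == pkt["dst"]:
        hits.append("Land")
    if proto == "tcp" and "URG" in flags and pkt.get("dport") == 139:  # OOB to NetBIOS
        hits.append("WinNuke")
    if proto == "tcp" and flags in ILLEGAL_TCP_FLAGS:
        hits.append("TCP Flag")
    if proto == "icmp" and icmp_type == 3:
        hits.append("ICMP unreachable")
    if proto == "icmp" and icmp_type == 5:
        hits.append("ICMP redirect")
    if proto == "udp" and pkt.get("dport") in TRACERT_PORTS and pkt.get("ttl", 64) <= TRACERT_MAX_TTL:
        hits.append("Tracert")
    if proto == "icmp" and icmp_type == 8 and ipaddress.ip_address(pkt["dst"]) == net.broadcast_address:
        hits.append("Smurf")
    if opts & {"LSRR", "SSRR"}:   # loose / strict source route options
        hits.append("Source route")
    if "RR" in opts:              # record route option
        hits.append("Route record")
    if proto == "icmp" and pkt.get("length", 0) > max_icmp_len:
        hits.append("Large ICMP")
    return hits


class PacketInspection:
    """Per-zone policy as in Table 4: which detections are on and whether to discard."""

    def __init__(self, zone, enabled, discard):
        self.zone, self.enabled, self.discard = zone, set(enabled), discard
        self.stats = {name: {"detected": 0, "dropped": 0} for name in self.enabled}
        self.log = []  # stands in for the alarm log

    def process(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt.get("zone") != self.zone:
            return True
        matched = [name for name in classify(pkt) if name in self.enabled]
        for name in matched:
            self.stats[name]["detected"] += 1
            self.log.append(f"{name} attack from {pkt['src']} in zone {self.zone}")
        if matched and self.discard:
            for name in matched:
                self.stats[name]["dropped"] += 1
            return False
        return True


def configuration_example():
    """Replays the chapter's example: Land and Smurf detection for zone Untrust."""
    policy = PacketInspection("Untrust", enabled=["Land", "Smurf"], discard=True)
    samples = [  # constructed packets, TEST-NET addresses
        {"zone": "Untrust", "proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10",
         "dport": 80, "tcp_flags": ("SYN",)},                                 # Land
        {"zone": "Untrust", "proto": "icmp", "src": "203.0.113.7", "dst": "192.0.2.255",
         "icmp_type": 8, "length": 84},                                       # Smurf
        {"zone": "Untrust", "proto": "udp", "src": "203.0.113.7", "dst": "192.0.2.20",
         "dport": 7},                                             # Fraggle, not enabled
        {"zone": "Untrust", "proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.20",
         "dport": 443, "tcp_flags": ("SYN",)},                                # clean
    ]
    forwarded = [policy.process(p) for p in samples]
    return forwarded, policy.stats
```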

Configuring traffic abnormality detection

NOTE: The traffic abnormality detection configuration is available only in the web interface.

Overview

The traffic abnormality detection feature analyzes the characteristics of traffic to detect abnormal traffic and takes countermeasures accordingly. Supported countermeasures include outputting alarm logs, dropping packets, and blacklisting the source of the packets.

Flood detection

A flood attack occurs when large amounts of fake packets are sent to a target system in a short period of time. A flood attack depletes the resources of the target system, making the system unable to provide services normally. The firewall can protect against the following categories of attacks:
ICMP flood attacks: Overwhelm the target with large amounts of ICMP echo requests, such as ping packets.
UDP flood attacks: Flood the target system with a barrage of UDP packets.
DNS flood attacks: Overwhelm the target with large amounts of DNS query requests.
SYN flood attacks: Exploit TCP SYN packets. Due to resource limitations, the number of TCP connections that can be created on the firewall is limited. A SYN flood attacker sends a barrage of spurious SYN packets with forged source IP addresses to a victim to initiate TCP connections. Because the SYN_ACK packets that the victim sends in response can never be acknowledged, large amounts of half-open connections are created and retained on the victim, making the victim inaccessible until the number of half-open connections drops to a reasonable level as the half-open connections time out. In this way, a SYN flood attack exhausts system resources such as memory on a system whose implementation does not limit the creation of connections.

Flood detection mainly protects servers against flood attacks. It detects flood attacks by tracking the rates at which certain types of connection establishment requests are initiated to a server.

Usually, flood detection is deployed on the firewall for an internal security zone and takes effect for packets entering the security zone when an attack prevention policy is configured for the security zone. After you configure flood detection (except for DNS flood detection) for the firewall, the firewall enters the attack detection state and starts to track the sending rates of packets destined for certain servers. If the sending rate of a certain type of packets destined for a server constantly reaches or exceeds the protection action threshold, the firewall considers the server to be under attack, transitions to the attack protection state, logs the event, and takes attack protection actions as configured. Later, if the sending rate drops below the silent threshold, the firewall considers the attack to be over, returns to the attack detection state, and stops the attack protection actions.

DNS flood detection is different from the other types of flood detection in that it uses only one threshold, the action threshold. Upon detecting that the sending rate of DNS query requests destined for a server constantly reaches or exceeds the action threshold, the firewall drops all extra packets and logs the event.
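The detection/protection state machine just described, as an added Python model that is not HP code or the firewall's implementation: per-object thresholds with host-specific settings taking precedence over the zone-wide ones (the NOTE that accompanies Tables 5 through 8), the single-threshold DNS case, and the Discard option. The number of consecutive seconds that counts as "constantly", the handling of the second in which protection starts, and the addresses are assumptions.

```python
"""Constructed model of the flood-detection state machine in this overview (not HP
code). A protected object is in the attack detection state until the per-second
rate of the watched packet type reaches or exceeds its action threshold for PERSIST
consecutive seconds ("constantly"); it is then in the attack protection state until
the rate drops below the silent threshold. DNS flood uses only the action threshold
and drops the packets above it. Host-specific thresholds take precedence over the
zone-wide ones. PERSIST, the transition-second handling and addresses are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PERSIST = 3  # assumed number of consecutive seconds that counts as "constantly"
DETECTION, PROTECTION = "attack detection", "attack protection"


@dataclass(frozen=True)
class Thresholds:
    action: int                   # packets per second that start protection
    silent: Optional[int] = None  # packets per second that end it; None for DNS flood


class FloodDetector:
    def __init__(self, kind, zone, hosts=None, discard=True):
        self.kind = kind            # "ICMP", "UDP", "SYN" or "DNS"
        self.zone = zone            # Thresholds for any host in the security zone
        self.hosts = hosts or {}    # ip -> Thresholds; host entries take precedence
        self.discard = discard      # the "Discard packets ..." option
        self.state: Dict[str, str] = {}
        self.streak: Dict[str, int] = {}  # consecutive seconds at/above the action threshold
        self.log: List[str] = []          # stands in for the alarm log

    def thresholds_for(self, ip):
        return self.hosts.get(ip, self.zone)

    def observe_second(self, ip, rate):
        """Feed one second's packet rate towards ip; return the packets forwarded."""
        t = self.thresholds_for(ip)
        state = self.state.get(ip, DETECTION)
        streak = self.streak.get(ip, 0) + 1 if rate >= t.action else 0
        self.streak[ip] = streak
        if t.silent is None:  # DNS flood: single threshold, drop the excess and log once
            if streak >= PERSIST:
                if streak == PERSIST:
                    self.log.append(f"{self.kind} flood towards {ip}: {rate}/s")
                return min(rate, t.action)
            return rate
        if state == DETECTION:
            if streak >= PERSIST:
                self.state[ip] = PROTECTION
                self.log.append(f"{self.kind} flood towards {ip}: {rate}/s, protection on")
                return 0 if self.discard else rate
            return rate
        if rate < t.silent:  # PROTECTION state: silent threshold ends the attack
            self.state[ip] = DETECTION
            self.streak[ip] = 0
            self.log.append(f"{self.kind} flood towards {ip} over, protection off")
            return rate
        return 0 if self.discard else rate


def run(detector, ip, rates):
    """Replay a list of per-second rates; returns the forwarded count per second."""
    return [detector.observe_second(ip, r) for r in rates]


def example():
    """Zone-wide SYN thresholds with a stricter host entry, plus a DNS detector."""
    syn = FloodDetector("SYN", Thresholds(action=1000, silent=500),
                        hosts={"192.0.2.10": Thresholds(action=200, silent=100)})
    dns = FloodDetector("DNS", Thresholds(action=300))
    return {
        "server": run(syn, "192.0.2.10", [150, 250, 250, 250, 250, 50, 50]),
        "other_host": run(syn, "192.0.2.20", [250, 250, 250, 250]),
        "dns": run(dns, "192.0.2.53", [400, 400, 400, 250, 400]),
        "events": syn.log + dns.log,
    }
```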

Connection limit

When an internal user initiates a large number of connections to a host on the external network in a short period of time, system resources on the firewall are quickly used up, making the firewall unable to serve other users. In addition, if an internal server receives large quantities of connection requests in a short period of time, the server cannot process normal connection requests from other hosts. To protect internal network resources (including hosts and servers) and distribute the resources of the firewall reasonably, you can set connection limits based on source or destination IP addresses for security zones. When a limit based on source or destination IP address is reached or exceeded, the firewall outputs an alarm log and discards subsequent connection requests from or to the IP address.

Scanning detection

A scanning attack probes the addresses and ports on a network to identify the hosts attached to the network and the application ports available on the hosts, and to figure out the topology of the network, in preparation for further attacks. Scanning detection detects scanning attempts by tracking the rates at which connections are initiated to protected systems. Usually, it is deployed on the firewall for the external security zone and takes effect for packets from that security zone. If the firewall detects that the connection rate of an IP address has reached or exceeded the threshold, it outputs an attack alarm log, blocks subsequent connection requests from the IP address, and blacklists the IP address, depending on your configuration.

Configuring ICMP flood detection

NOTE: ICMP flood detection is mainly intended to protect servers and is usually configured for an internal zone.

From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood to enter the ICMP flood detection configuration page, as shown in Figure 11. You can select a security zone and then view and configure ICMP flood detection rules for the security zone.

Figure 11 ICMP flood detection configuration page

To configure ICMP flood detection, follow these steps:
1. In the Attack Prevention Policy area, specify the protection action to be taken upon detection of an ICMP flood attack. If you do not select the Discard packets when the specified attack is detected option, the firewall only collects ICMP flood attack statistics.
2. In the ICMP Flood Configuration area, view the configured ICMP flood detection rules, or click Add to enter the page shown in Figure 12 to configure an ICMP flood detection rule. Table 5 describes the configuration items.

Figure 12 Adding an ICMP flood detection rule

Table 5 Configuration items
Protected Host Configuration
  IP Address: Specify the IP address of the protected host.
  Action Threshold: Set the protection action threshold for ICMP flood attacks that target the protected host. If the sending rate of ICMP packets destined for the specified IP address constantly reaches or exceeds this threshold, the firewall enters the attack protection state and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against ICMP flood attacks targeting the protected host. If the sending rate of ICMP packets destined for the specified IP address drops below this threshold, the firewall returns to the attack detection state and stops the protection actions.
Global Configuration of Security Zone
  Action Threshold: Set the protection action threshold for ICMP flood attacks that target a host in the protected security zone. If the sending rate of ICMP packets destined for a host in the security zone constantly reaches or exceeds this threshold, the firewall enters the attack protection state and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against ICMP flood attacks targeting a host in the protected security zone. If the sending rate of ICMP packets destined for a host in the security zone drops below this threshold, the firewall returns to the attack detection state and stops the protection actions.

NOTE: Host-specific settings take precedence over the global settings for security zones.

Configuring UDP flood detection

NOTE: UDP flood detection is mainly intended to protect servers and is usually configured for an internal zone.

From the navigation tree, select Intrusion Detection > Traffic Abnormality > UDP Flood to enter the UDP flood detection configuration page, as shown in Figure 13. You can select a security zone and then view and configure UDP flood detection rules for the security zone.

Figure 13 UDP flood detection configuration page

To configure UDP flood detection, follow these steps:
1. In the Attack Prevention Policy area, specify the protection action to be taken upon detection of a UDP flood attack. If you do not select the Discard packets when the specified attack is detected option, the firewall only collects UDP flood attack statistics.
2. In the UDP Flood Configuration area, view the configured UDP flood detection rules, or click Add to enter the page shown in Figure 14 to configure a UDP flood detection rule. Table 6 describes the configuration items.

Figure 14 Adding a UDP flood detection rule

Table 6 Configuration items
Protected Host Configuration
  IP Address: Specify the IP address of the protected host.
  Action Threshold: Set the protection action threshold for UDP flood attacks that target the protected host. If the sending rate of UDP packets destined for the specified IP address constantly reaches or exceeds this threshold, the firewall enters the attack protection state and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against UDP flood attacks targeting the protected host. If the sending rate of UDP packets destined for the specified IP address drops below this threshold, the firewall returns to the attack detection state and stops the protection actions.
Global Configuration of Security Zone
  Action Threshold: Set the protection action threshold for UDP flood attacks that target a host in the protected security zone. If the sending rate of UDP packets destined for a host in the security zone constantly reaches or exceeds this threshold, the firewall enters the attack protection state and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against UDP flood attacks targeting a host in the protected security zone. If the sending rate of UDP packets destined for a host in the security zone drops below this threshold, the firewall returns to the attack detection state and stops the protection actions.

NOTE: Host-specific settings take precedence over the global settings for security zones.

Configuring DNS flood detection

NOTE: DNS flood detection is mainly intended to protect servers and is usually configured for an internal zone.

From the navigation tree, select Intrusion Detection > Traffic Abnormality > DNS Flood to enter the DNS flood detection configuration page, as shown in Figure 15. You can select a security zone and then view and configure DNS flood detection rules for the security zone.

Figure 15 DNS flood detection configuration page

To configure DNS flood detection, follow these steps:

1. In the DNS Flood Attack Prevention Policy area, select Enable DNS Flood Attack Detection. The firewall collects DNS flood attack statistics and outputs logs upon detecting DNS flood attacks.
2. In the DNS Flood Configuration area, view the configured DNS flood detection rules, or click Add to enter the page shown in Figure 16 to configure a DNS flood detection rule. Table 7 describes the configuration items.

Figure 16 Adding a DNS flood detection rule

Table 7 Configuration items
Protected Host Configuration
  IP Address: Specify the IP address of the protected host.
  Action Threshold: Set the protection action threshold for DNS flood attacks that target the protected host. If the sending rate of DNS query requests destined for the specified IP address constantly reaches or exceeds this threshold, the firewall drops all extra requests and logs the event.
Global Configuration of Security Zone
  Action Threshold: Set the protection action threshold for DNS flood attacks that target a host in the protected security zone. If the sending rate of DNS query requests destined for a host in the security zone constantly reaches or exceeds this threshold, the firewall drops all extra requests and logs the event.

NOTE: Host-specific settings take precedence over the global settings for security zones.

Configuring SYN flood detection

NOTE: SYN flood detection is mainly intended to protect servers and is usually configured for an internal zone.

From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood to enter the SYN flood detection configuration page, as shown in Figure 17. You can select a security zone and then view and configure SYN flood detection rules for the security zone.

Figure 17 SYN flood detection configuration page

To configure SYN flood detection, follow these steps:
1. In the Attack Prevention Policy area, specify the protection actions to be taken upon detection of a SYN flood attack. If you do not select any option, the firewall only collects SYN flood attack statistics. The available protection actions include:
Discard packets when the specified attack is detected: If the firewall detects that a protected object in the security zone is under SYN flood attack, it drops the TCP connection requests to the protected host to block subsequent TCP connections.
Add protected IP entry to TCP Proxy: If the firewall detects that a protected object in the security zone is under SYN flood attack, it adds the target IP address to the protected IP list on the TCP proxy as a dynamic entry, with the port number set to any. If TCP proxy is configured for the security zone, all TCP connection requests to the IP address are processed by the TCP proxy until the protected IP entry ages out. If you select this option, configure the TCP proxy feature on the page that you enter by selecting Intrusion Detection > TCP Proxy.
2. In the SYN Flood Configuration area, view the configured SYN flood detection rules, or click Add to enter the page shown in Figure 18 to configure a SYN flood detection rule. Table 8 describes the configuration items.

Figure 18 Adding a SYN flood detection rule

Table 8 Configuration items
Protected Host Configuration
  IP Address: Specify the IP address of the protected host.
  Action Threshold: Set the protection action threshold for SYN flood attacks that target the protected host. If the sending rate of SYN packets destined for the specified IP address constantly reaches or exceeds this threshold, the firewall enters the attack protection state and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against SYN flood attacks targeting the protected host. If the sending rate of SYN packets destined for the specified IP address drops below this threshold, the firewall returns to the attack detection state and stops the protection actions.
Global Configuration of Security Zone
  Action Threshold: Set the protection action threshold for SYN flood attacks that target a host in the protected security zone. If the sending rate of SYN packets destined for a host in the security zone constantly reaches or exceeds this threshold, the firewall enters the attack protection state and takes attack protection actions as configured.
  Silent Threshold: Set the silent threshold for actions that protect against SYN flood attacks targeting a host in the protected security zone. If the sending rate of SYN packets destined for a host in the security zone drops below this threshold, the firewall returns to the attack detection state and stops the protection actions.

NOTE: Host-specific settings take precedence over the global settings for security zones.

Configuring connection limit

From the navigation tree, select Intrusion Detection > Traffic Abnormality > Connection Limit to enter the connection limit configuration page, as shown in Figure 19. You can select a security zone and then view and configure the connection limit for the security zone. Table 9 describes the connection limit configuration items.

Figure 19 Connection limit configuration page

Table 9 Configuration items

- Security Zone: Select the security zone for which to configure the connection limit.
- Discard packets when the specified attack is detected: Select this option to discard subsequent packets destined for or sourced from an IP address once the number of connections for that IP address has exceeded the limit.
- Enable connection limit per source IP / Threshold: Select the option and set the maximum number of connections that can be present for a source IP address.
- Enable connection limit per dest IP / Threshold: Select the option and set the maximum number of connections that can be present for a destination IP address.

Configuring scanning detection

NOTE:
- Scanning detection is intended to detect scanning behavior and is usually configured for an external zone.
- Scanning detection can be configured to add blacklist entries automatically. If you remove such a blacklist entry, the system will not add the entry back to the blacklist for a period of time, because it considers the subsequent packets to belong to the same attack.

From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection to enter the scanning detection configuration page, as shown in Figure 20. Select a security zone to view and configure the scanning detection rule for that zone. Table 10 lists the scanning detection configuration items.

Figure 20 Scanning detection configuration page

Table 10 Configuration items

- Security Zone: Select the security zone for which to configure scanning detection.
- Enable Scanning Detection: Select this option to enable scanning detection for the security zone.
- Scanning Threshold: Set the maximum connection rate for a source IP address. A source whose connection rate reaches this threshold is treated as a scanner.

- Add a source IP to the blacklist: Select this option to allow the system to blacklist a suspicious source IP address. If this option is selected, you can then set the lifetime of the blacklisted source IP addresses.
  IMPORTANT: Only when the blacklist feature is enabled can the scanning detection function blacklist a suspect and discard subsequent packets from the suspect.
- Lifetime: Set the lifetime of the blacklist entry.

Traffic abnormality detection configuration example

Network requirements

As shown in Figure 21, the internal network is the trusted zone, the subnet where the internal servers are located is the demilitarized zone (DMZ), and the external network is the untrusted zone. Configure Firewall to:
- Protect the internal network against scanning attacks from the external network.
- Limit the number of connections initiated by each internal host.
- Limit the number of connections to the internal server.
- Protect the internal server against SYN flood attacks from the external network.

Figure 21 Network diagram

Configuration considerations

To satisfy the requirements, perform the following configurations on the Firewall:
- Configure scanning detection for the untrusted zone, enable the function to add entries to the blacklist, and set the scanning threshold to, for example, 4500 connections per second.
- Configure source IP address-based connection limit for the trusted zone, and set the number of connections each host can initiate to, for example, 100.

- Configure destination IP address-based connection limit for the DMZ, and set the number of connections the server can accommodate to, for example, 10000.
- Configure SYN flood detection for the DMZ, and set the action threshold for attacks targeting the internal server (for example, to 5000 packets per second) and the silent threshold (for example, to 1000 packets per second). Set the attack protection action to blocking subsequent packets destined for the server.

Configuration procedure

# Assign IP addresses to interfaces. (Details not shown.)

# Enable the blacklist feature.

From the navigation tree, select Intrusion Detection > Blacklist. The blacklist management page appears, as shown in Figure 22.

Figure 22 Enabling the blacklist feature

Perform the following operations on the page:
- In the Global Configuration area, select the Enable Blacklist option.
- Click Apply.

# Configure scanning detection for the untrusted zone.

From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection. The scanning detection configuration page appears, as shown in Figure 23.

Figure 23 Configuring scanning detection for the untrusted zone

Perform the following operations on the page:

- Select zone Untrust.
- Select the Enable Scanning Detection option.
- Set the scanning threshold to 4500 connections per second.
- Select the Add the source IP to the blacklist option.
- Click Apply.

# Configure connection limits for the trusted zone.

From the navigation tree, select Intrusion Detection > Traffic Abnormality > Connection Limit. The connection limit configuration page appears, as shown in Figure 24.

Figure 24 Configuring connection limit for the trusted zone

Perform the following operations on the page:
- Select zone Trust.
- Select the Discard packets when the specified attack is detected option.
- Select the Enable connection limit per source IP option and set the threshold to 100.
- Click Apply.

# Configure connection limits for the DMZ as shown in Figure 25.

Figure 25 Configuring connection limit for the DMZ

Perform the following operations on the page:
- Select zone DMZ.
- Select the Discard packets when the specified attack is detected option.
- Select the Enable connection limit per dest IP option and set the threshold to 10000.
- Click Apply.

# Configure SYN flood detection for the DMZ.

From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood. The SYN flood detection configuration page appears.

Figure 26 Configuring SYN flood detection for the DMZ

Perform the following operations on the page:
- Select zone DMZ.
- In the Attack Prevention Policy area, select the Discard packets when the specified attack is detected option.
- Click Apply.
- In the SYN Flood Configuration area, click Add. The SYN flood attack detection page appears.

Figure 27 Configuring a SYN flood attack detection rule for the server

Perform the following operations on the page:
- Select the Protected Host Configuration option.
- Specify the IP address of the internal server.
- Set the action threshold to 5000 packets per second.
- Set the silent threshold to 1000 packets per second.
- Click Apply to complete the configuration.

Verifying the configuration

After a scanning attack packet is received from zone Untrust, Firewall should output alarm logs and add the IP address of the attacker to the blacklist. Select Intrusion Detection > Blacklist from the navigation tree to check whether the attacker's IP address is on the blacklist.

If a host in zone Trust initiates 100 or more connections, Firewall should output alarm logs and discard subsequent connection request packets from the host. Select Intrusion Detection > Statistics from the navigation tree to view how many times the per-source-IP connection limit has been exceeded and the number of packets dropped.

If the number of connections to the server in the DMZ reaches or exceeds 10000, Firewall should output alarm logs and discard subsequent connection request packets. Select Intrusion Detection > Statistics from the navigation tree to view how many times the per-destination-IP connection limit has been exceeded and the number of packets dropped.

If a SYN flood attack is launched against the DMZ, Firewall should output alarm logs and discard the attack packets. Select Intrusion Detection > Statistics from the navigation tree to view the number of SYN flood attacks and the number of packets dropped.
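The three mechanisms configured in this example, as an added illustration that is not part of the HP guide: a Python model of scanning detection with blacklisting (Table 10), per-source and per-destination connection limits (Table 9), and SYN flood detection with action and silent thresholds, where a host-specific rule takes precedence over the zone-wide rule (Table 8). Zone names and thresholds are the ones used above; the internal server address 10.1.1.10, the blacklist lifetime, the zone-wide SYN rule and the traffic samples are constructed assumptions.

```python
"""Model of the traffic abnormality rules configured above (added example, not HP
firmware code). Zone names and thresholds are those of the example; the server
address 10.1.1.10, the lifetimes and the traffic samples are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class SynRule:
    action: int   # SYN pps at or above which the firewall enters the protection state
    silent: int   # SYN pps below which it returns to the detection state


@dataclass
class ZonePolicy:
    scan_threshold: Optional[int] = None         # new connections/s per source IP
    blacklist_lifetime: int = 10                 # minutes (assumed value)
    limit_per_src: Optional[int] = None          # concurrent connections per source IP
    limit_per_dst: Optional[int] = None          # concurrent connections per destination IP
    syn_global: Optional[SynRule] = None         # "Global Configuration of Security Zone"
    syn_hosts: Dict[str, SynRule] = field(default_factory=dict)  # "Protected Host Configuration"


class TrafficAbnormalityDetector:
    def __init__(self, policies: Dict[str, ZonePolicy], blacklist_enabled: bool = True):
        self.policies = policies
        self.blacklist_enabled = blacklist_enabled
        self.blacklist: Dict[str, int] = {}             # source IP -> remaining lifetime (min)
        self.protecting: Set[Tuple[str, str]] = set()   # (zone, dst IP) in SYN flood protection state
        self.alarms = []

    def syn_rule(self, pol: ZonePolicy, dst: str) -> Optional[SynRule]:
        # A host-specific rule takes precedence over the zone-wide rule.
        return pol.syn_hosts.get(dst) or pol.syn_global

    def evaluate(self, zone, new_conn_rate, conns_per_src, conns_per_dst, syn_rate):
        """Evaluate one second of traffic entering `zone`; return what gets dropped."""
        pol = self.policies[zone]
        drops = {"blacklisted": set(), "src_limit": set(), "dst_limit": set(), "syn_flood": set()}
        # Scanning detection: a source whose connection rate reaches the threshold is an
        # alarm; it is blacklisted only if the blacklist feature itself is enabled.
        if pol.scan_threshold is not None:
            for src, rate in new_conn_rate.items():
                if rate >= pol.scan_threshold and src not in self.blacklist:
                    self.alarms.append(f"{zone}: scanning from {src}")
                    if self.blacklist_enabled:
                        self.blacklist[src] = pol.blacklist_lifetime
        drops["blacklisted"] = {s for s in new_conn_rate if s in self.blacklist}
        # Connection limits: once a host holds the maximum, new connection requests are dropped.
        if pol.limit_per_src is not None:
            drops["src_limit"] = {s for s, n in conns_per_src.items() if n >= pol.limit_per_src}
        if pol.limit_per_dst is not None:
            drops["dst_limit"] = {d for d, n in conns_per_dst.items() if n >= pol.limit_per_dst}
        # SYN flood detection with hysteresis: enter at >= action, leave at < silent.
        for dst, rate in syn_rate.items():
            rule = self.syn_rule(pol, dst)
            if rule is None:
                continue
            key = (zone, dst)
            if key not in self.protecting and rate >= rule.action:
                self.protecting.add(key)
                self.alarms.append(f"{zone}: SYN flood against {dst} ({rate} pps)")
            elif key in self.protecting and rate < rule.silent:
                self.protecting.discard(key)
            if key in self.protecting:
                drops["syn_flood"].add(dst)
        for k in drops["src_limit"] | drops["dst_limit"]:
            self.alarms.append(f"{zone}: connection limit reached for {k}")
        return drops


def run_example():
    """Replay constructed traffic against the example's Untrust/Trust/DMZ policies."""
    server = "10.1.1.10"   # assumed address of the internal server
    det = TrafficAbnormalityDetector({
        "Untrust": ZonePolicy(scan_threshold=4500),
        "Trust": ZonePolicy(limit_per_src=100),
        "DMZ": ZonePolicy(limit_per_dst=10000,
                          syn_global=SynRule(action=20000, silent=5000),   # assumed zone-wide rule
                          syn_hosts={server: SynRule(action=5000, silent=1000)}),
    })
    untrust = det.evaluate("Untrust", {"203.0.113.7": 6000, "198.51.100.3": 20}, {}, {}, {})
    trust = det.evaluate("Trust", {}, {"192.168.1.20": 100, "192.168.1.21": 40}, {}, {})
    # Three consecutive seconds of SYN traffic toward the server: 6000, 3000 and 500 pps.
    # 3000 pps lies between the silent and action thresholds, so protection stays on.
    syn_states, dst_hits = [], set()
    for rate in (6000, 3000, 500):
        r = det.evaluate("DMZ", {}, {}, {server: 12000}, {server: rate})
        syn_states.append(server in r["syn_flood"])
        dst_hits = r["dst_limit"]
    return {"blacklist": dict(det.blacklist), "untrust_drops": untrust["blacklisted"],
            "src_limit_hits": trust["src_limit"], "dst_limit_hits": dst_hits,
            "syn_states": syn_states, "alarms": det.alarms}


if __name__ == "__main__":
    for line in run_example()["alarms"]:
        print(line)
```

The hysteresis is the point worth noticing: the server stays in the protection state during the 3000 pps second even though that rate is below the 5000 pps action threshold, and leaves it only when the rate drops under the 1000 pps silent threshold.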

Configuring URPF

NOTE: URPF configuration is available only in the web interface.

URPF overview

What is URPF

Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks. Attackers launch such attacks by sending a large number of packets with forged source addresses. For applications that use IP-address-based authentication, this type of attack allows unauthorized users to access the system in the name of authorized users, or even as the administrator. Even if the attacker cannot receive any response packets, the attack is still disruptive to the target.

Figure 28 Source address spoofing attack

As shown in Figure 28, Device A sends a request with a forged source IP address of /8 to the server (Device B), and Device B sends a packet to Device C at /8 in response to the request. This response packet interferes with the communication between Device B and Device C. URPF can prevent such source address spoofing attacks.

How URPF works

URPF provides two check modes: strict and loose. In addition, it supports ACL check, link layer check, and default route check. URPF works as follows:

1. URPF first checks the validity of the source address:
- It discards packets with a broadcast source address.
- It discards packets with an all-zero source address but a non-broadcast destination address. (A packet with an all-zero source address and a broadcast destination address might be a DHCP or BOOTP packet, and is therefore not discarded.)
2. If the source address of the incoming packet is found in the FIB table:
- In strict mode, URPF performs a reverse route lookup for routes to the source address of the packet. If at least one outgoing interface of such a route matches the receiving interface, the packet passes the check. Otherwise, the packet is rejected.
- In loose mode, the packet passes the check.

3. If the source address is not found in the FIB table, URPF decides based on the default route and the Allow Default Route option:
- If a default route exists but the Allow Default Route option is not selected, the packet is rejected regardless of the check mode.
- If a default route exists and the Allow Default Route option is selected, the result depends on the check mode. In strict mode, URPF lets the packet pass only if the outgoing interface of the default route is the receiving interface, and otherwise rejects it. In loose mode, URPF lets the packet pass directly.
4. A rejected packet is then filtered by the ACL, if one is specified. If the ACL permits the packet, it is forwarded normally (such packets are counted in the URPF information as "suppressed drops"); otherwise, it is discarded.

Configuration procedure

Select Intrusion Detection > URPF Check from the navigation tree to enter the URPF check configuration page, as shown in Figure 29. On this page, select a security zone to view and configure the URPF check settings for that zone.

Figure 29 URPF check configuration page

Table 11 Configuration items

- Security Zone: Security zone in which the URPF check is to be configured. The URPF configuration takes effect on all interfaces in the security zone.
  IMPORTANT: URPF configuration takes effect only on packets received by the interfaces in the security zone.
- Enable URPF: Enable or disable the URPF check. If this box is not selected, URPF check is disabled and the following parameters are not configurable. By default, URPF check is disabled.
- Allow Default Route: Allow the default route to be used for the URPF check.
- ACL: Reference an ACL.

- Type of Check: Set the URPF check type, Strict or Loose.

URPF configuration example

CAUTION: In this configuration example, either Device A or Device B is the firewall.

Network requirements

As shown in Figure 30, Device A directly connects to Device B.
- Enable strict URPF check in zoneb of Device B, allowing packets whose source addresses match ACL 2010 to pass.
- Enable strict URPF check in zonea of Device A, allowing use of the default route for the URPF check.

Figure 30 Network diagram

Configuring Device B

# Configure the interface IP addresses and the security zones they belong to. (Details not shown.)

# Define ACL 2010 to permit traffic from network /24 to pass.

Select Firewall > ACL from the navigation tree, click Add, and then perform the following operations, as shown in Figure 31.

Figure 31 Defining ACL 2010

- Enter 2010 in ACL Number.
- Select Config for Match Order.
- Click Apply.

On the ACL list page, click the icon corresponding to ACL 2010, click Add, and then perform the following operations, as shown in the next figure.

Figure 32 Configuring ACL 2010

- Select Permit in Operation.
- Select Source IP Address and enter the network address in the field.
- Enter the wildcard mask in Source Wildcard.
- Click Apply.

# Enable strict URPF check in zoneb.

Select Intrusion Detection > URPF Check from the navigation tree and perform the following operations, as shown in Figure 33.

Figure 33 Configuring URPF in zoneb

- Select zoneb in Security Zone.
- Select Enable URPF.
- Select ACL and enter 2010 in the field.
- Select Strict in Type of Check.
- Click Apply.

Configuring Device A

# Configure the interface IP addresses and the security zones they belong to. (Details not shown.)

# Enable strict URPF check in zonea.

Select Intrusion Detection > URPF Check from the navigation tree and perform the following operations, as shown in Figure 34.

Figure 34 Configuring URPF in zonea

- Select zonea in Security Zone.
- Select Enable URPF.
- Select Allow Default Route.
- Select Strict in Type of Check.
- Click Apply.
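The URPF decision procedure in steps 1 to 4 of "How URPF works", written out as an added Python example (not HP's implementation). The FIB contents, interface names and the 192.168.2.0/24 network standing in for what ACL 2010 permits are constructed; the ten test packets exercise strict and loose mode, the Allow Default Route option, a route with two outgoing interfaces, and the ACL-suppressed drop.

```python
"""URPF decision procedure as described above (added example, not HP's implementation).
The FIB, interface names and the ACL network are constructed for illustration."""
import ipaddress
from typing import Dict, FrozenSet, Optional, Tuple

BROADCAST = ipaddress.ip_address("255.255.255.255")
ALL_ZERO = ipaddress.ip_address("0.0.0.0")


class Fib:
    """Longest-prefix-match table: prefix -> set of outgoing interfaces."""

    def __init__(self, routes: Dict[str, FrozenSet[str]],
                 default_ifaces: Optional[FrozenSet[str]] = None):
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.default_ifaces = default_ifaces   # None means there is no default route

    def lookup(self, addr) -> Optional[FrozenSet[str]]:
        for net, ifaces in self.routes:
            if addr in net:
                return ifaces
        return None


def urpf_check(src: str, dst: str, rx_iface: str, fib: Fib, mode: str = "strict",
               allow_default: bool = False, acl=None) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is "pass", "drop" or "suppressed-drop"."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: source address validity.
    if s == BROADCAST:
        return "drop", "broadcast source address"
    if s == ALL_ZERO:
        if d != BROADCAST:
            return "drop", "all-zero source with non-broadcast destination"
        return "pass", "all-zero source to broadcast (DHCP/BOOTP)"   # exempt from the route check
    # Steps 2 and 3: reverse route lookup, then the default route.
    out = fib.lookup(s)
    if out is not None:
        ok = mode == "loose" or rx_iface in out
        reason = "route to source" + ("" if ok else " does not point back to " + rx_iface)
    elif fib.default_ifaces is None:
        ok, reason = False, "no route to source"
    elif not allow_default:
        ok, reason = False, "only the default route matches and Allow Default Route is off"
    else:
        ok = mode == "loose" or rx_iface in fib.default_ifaces
        reason = "default route" + ("" if ok else " does not point back to " + rx_iface)
    if ok:
        return "pass", reason
    # Step 4: a rejected packet permitted by the ACL is still forwarded ("suppressed drop").
    if acl is not None and any(s in net for net in acl):
        return "suppressed-drop", reason + ", permitted by ACL"
    return "drop", reason


def device_b_demo():
    """Strict check in zoneb of Device B with a constructed FIB and an ACL 2010 stand-in."""
    fib = Fib({"10.0.0.0/24": frozenset({"GE1/1"}),
               "10.0.1.0/24": frozenset({"GE1/1", "GE1/3"})},      # equal-cost route, two interfaces
              default_ifaces=frozenset({"GE1/2"}))
    acl_2010 = [ipaddress.ip_network("192.168.2.0/24")]         # assumed /24 permitted by ACL 2010
    cases = [
        ("10.0.0.5", "10.9.9.9", "GE1/1", "strict", False),       # route points back: pass
        ("10.0.0.5", "10.9.9.9", "GE1/2", "strict", False),       # wrong interface: drop
        ("10.0.0.5", "10.9.9.9", "GE1/2", "loose", False),        # loose mode only needs a route: pass
        ("10.0.1.5", "10.9.9.9", "GE1/3", "strict", False),       # any outgoing interface of the route: pass
        ("198.51.100.1", "10.9.9.9", "GE1/2", "strict", False),   # only default route, not allowed: drop
        ("198.51.100.1", "10.9.9.9", "GE1/2", "strict", True),    # default route allowed, points back: pass
        ("198.51.100.1", "10.9.9.9", "GE1/1", "strict", True),    # default route allowed, wrong interface: drop
        ("192.168.2.9", "10.9.9.9", "GE1/1", "strict", False),    # rejected, but ACL 2010 permits it
        ("255.255.255.255", "10.9.9.9", "GE1/1", "strict", False),  # broadcast source: drop
        ("0.0.0.0", "255.255.255.255", "GE1/1", "strict", False),   # DHCP/BOOTP discovery: pass
    ]
    return [urpf_check(s, d, rx, fib, m, ad, acl_2010)[0] for s, d, rx, m, ad in cases]


if __name__ == "__main__":
    for verdict in device_b_demo():
        print(verdict)
```

Note the order of the steps: the ACL is consulted only for packets the route check has already rejected, which is why a permitted but unroutable source is reported as a suppressed drop rather than a pass.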

Configuring TCP proxy

NOTE: The TCP proxy configuration is available only in the web interface.

Overview

SYN flood attack

As a general rule, a TCP connection is established through a three-way handshake:
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server creates a TCP connection in the SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3. After receiving the SYN ACK message, the originator returns an ACK message. The TCP connection is established.

Attackers can exploit TCP connection establishment to mount SYN flood attacks. They send a large number of SYN messages to the server to initiate TCP connections, but never respond to the SYN ACK messages. As a result, a large number of half-open TCP connections accumulate on the server, leaving it unable to serve normal requests.

TCP proxy

The TCP proxy feature protects the server against SYN flood attacks. The TCP client sets up a TCP connection with the TCP server through the TCP proxy. The TCP proxy intercepts SYN requests from TCP clients and verifies whether the requests are SYN flood attack packets. If they are, the TCP proxy drops them, protecting the TCP server against SYN flood attacks.

TCP proxy can work in two modes:
- Unidirectional proxy: processes only packets from the TCP client.
- Bidirectional proxy: processes packets from both the TCP client and the TCP server.

Choose the mode according to your network scenario. If packets from TCP clients to a server go through the TCP proxy but packets from the server to the clients do not, as shown in Figure 35, configure unidirectional proxy. If all packets between TCP clients and a server go through the TCP proxy, as shown in Figure 36, you can configure either unidirectional or bidirectional proxy.

Figure 35 Network diagram for unidirectional proxy

Figure 36 Network diagram for unidirectional/bidirectional proxy

How TCP proxy works

Unidirectional proxy

Figure 37 Data exchange process in unidirectional proxy mode

After receiving a SYN message from a client to the protected server (a message that matches a protected IP address entry), the TCP proxy sends back, on behalf of the server and using the server's IP address and port number, a SYN ACK message with a wrong sequence number. If the client is legitimate, the TCP proxy receives an RST message from it, followed by a retransmitted SYN message. The TCP proxy then forwards the SYN, SYN ACK, and ACK messages directly so that a TCP connection is established between the client and the server. After the TCP connection is established, the TCP proxy forwards the subsequent packets of the connection without additional processing. A spoofed or attacking source never answers the SYN ACK, so its SYN never reaches the server.

Bidirectional proxy

Figure 38 Data exchange process in bidirectional proxy mode

After receiving a SYN message from a client to the protected server (a message that matches a protected IP address entry), the TCP proxy sends back, on behalf of the server, a SYN ACK message with a window size of 0. If the client is legitimate, the TCP proxy receives an ACK message, and then sets up a connection between itself and the server through a three-way handshake on behalf of the client. Because two TCP connections are established, different sequence numbers are used on each; the TCP proxy translates them for the data exchange between the client and the server.

Configuring TCP proxy

Recommended configuration procedure

1. Performing global TCP proxy setting: Optional. The configuration takes effect on all security zones. By default, bidirectional proxy is used.
2. Enabling TCP proxy for a security zone: Required. By default, the TCP proxy feature is disabled for all security zones.
3. Adding a protected IP address entry, or configuring automatic addition of protected IP address entries: At least one method is required. You can add protected IP address entries by either of the following methods:
- Static: add entries manually. By default, no such entries exist in the system.
- Dynamic: select Intrusion Detection > Traffic Abnormality > SYN Flood, and then select the Add protected IP entry to TCP Proxy box. After this configuration, the TCP proxy-enabled device automatically adds protected IP address entries when it detects SYN flood attacks. For more information, see "Configuring traffic abnormality detection."
4. Displaying information about protected IP address entries: Optional. You can view information about all protected IP address entries.

Performing global TCP proxy setting

Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree to enter the page shown in Figure 39. The Global Configuration area allows you to perform the global setting for TCP proxy.

Figure 39 TCP proxy configuration

Table 12 Configuration items

- Unidirection/Bidirection: Set the global proxy mode of TCP proxy.

Enabling TCP proxy for a security zone

Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree to enter the page shown in Figure 39. You can enable or disable the TCP proxy feature for a security zone in the Zone Configuration area. A status icon indicates whether TCP proxy is enabled or disabled for each security zone: click the Enable button beside a disabled zone to enable the feature, or the Disable button beside an enabled zone to disable it.

Adding a protected IP address entry

Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown in Figure 40, which lists the protected IP address entries and their statistics. Click Add to enter the page for configuring a protected IP address entry, as shown in the next figure.

Figure 40 Protected IP address entries

Figure 41 Protected IP address entry configuration page

Table 13 Configuration items

- Protected IP Address: Enter the IP address to be protected by the TCP proxy. It is the destination IP address of the TCP connection.
- Port Number: Enter the destination port of the TCP connection. The option any specifies that TCP proxy services TCP connection requests to any port of the server at the destination IP address.

Displaying information about protected IP address entries

Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown in Figure 40, which lists information about protected IP address entries.

Table 14 Field description

- Protected IP: IP address protected by the TCP proxy feature.
- Port Number: Destination port of the TCP connection. The option any specifies that TCP proxy services TCP connection requests to any port of the server at the destination IP address.
- Type: Whether the protected IP address entry is static or dynamic.
- Lifetime(min): Remaining lifetime of a dynamic entry. For static entries, which do not age out, a fixed placeholder is displayed. When the lifetime reaches 0, the protected IP address entry is deleted.
- Number of Rejected: Number of TCP connection requests that matched the protected IP address entry but proved to be illegitimate.

TCP proxy configuration example

Network requirements

As shown in Figure 42, configure bidirectional TCP proxy on Firewall to protect Server A, Server B, and Server C against SYN flood attacks. Add a protected IP address entry for Server A manually, and configure dynamic TCP proxy for the other servers.

Figure 42 Network diagram

Configuration procedure

# Assign IP addresses to the interfaces, and then add interface GigabitEthernet 1/1 to zone Untrust and GigabitEthernet 1/2 to zone Trust. (Details not shown.)

# Set the TCP proxy mode to bidirectional and enable TCP proxy for zone Untrust.

Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree. Select the bidirectional mode and enable TCP proxy for zone Untrust, as shown in Figure 43.

Figure 43 Selecting the bidirectional mode and enabling TCP proxy for zone Untrust

- Select Bidirection for the global setting.
- Click Apply.
- In the Zone Configuration area, click Enable for the Untrust zone.

# Add an IP address entry manually for protection.

Select Intrusion Detection > TCP Proxy > Protected IP Configuration from the navigation tree. Then, in the right pane, click Add. Add an IP address entry for protection as shown in the next figure.

Figure 44 Adding an IP address entry for protection

- Enter the IP address of Server A in the Protected IP Address field.
- Click Apply.

# Configure the SYN flood detection feature, specifying that protected IP address entries be added automatically.

Select Intrusion Detection > Traffic Abnormality > SYN Flood from the navigation tree. In the Attack Prevention Policy area, configure the action to be taken upon detecting a SYN flood attack, as shown in Figure 45.

Figure 45 Configuring the action to be taken upon detecting a SYN flood

- Select Trust from the Security Zone list.
- Select the Add protected IP entry to TCP Proxy box in the Attack Prevention Policy area.
- Click Apply.
- In the SYN Flood Configuration area, click Add. Configure the global settings as shown in the next figure.

Figure 46 Configuring global settings

- Select Global Configuration of Security Zone.
- Click Apply.

Configuration guidelines

Follow these guidelines when you configure TCP proxy:
1. TCP proxy is effective only for incoming traffic of the security zone.
2. The performance of the Web-based management system may be degraded if the system's own IP address and port number are in the protected IP entry list.

Configuring IDS collaboration

Feature and hardware compatibility

Feature: IDS collaboration
- F1000-A-EI/S-EI: Yes
- F1000-E: Yes
- F5000: Yes
- Firewall module: No

NOTE:
- The firewall device can collaborate only with Venusense IDS devices.
- The IDS collaboration configuration is available only in the web interface.

Overview

IDS collaboration allows a firewall to work with an intrusion detection system (IDS) device. As shown in Figure 47, the collaboration process is as follows:
1. The IDS device examines network traffic for attacks.
2. When the IDS device detects an attack, it sends an SNMP trap message to the firewall device. The trap message may carry attack information such as the source IP address of the attacker, the target IP address, the source port, and the destination port.
3. When a firewall with IDS collaboration enabled receives the trap message, it retrieves the attack information, generates a blocking entry, and blocks subsequent traffic from the source.

Figure 47 Network diagram for IDS collaboration

Enabling IDS collaboration

Select Intrusion Detection > IDS Collaboration from the navigation tree to enter the page for enabling IDS collaboration, as shown in Figure 48. Select the Enable IDS Collaboration box, and click Apply.

Figure 48 Enabling IDS collaboration

Configuration guidelines

When you configure IDS collaboration, follow these guidelines:
- Both the firewall devices and the IDS devices must support SNMPv2c and have it configured.
- The aging time for an IDS blocking entry is five minutes. The timer restarts if the firewall receives an SNMP trap with the same attack information before the timer expires.
- A blocking entry applies only to subsequent connections matching the entry. To make entries apply to existing connections as well, disable the fast forwarding function of the firewall.
- Disabling IDS collaboration removes the generated blocking entries from the firewall.

Displaying intrusion detection statistics

NOTE: The intrusion detection configuration is available only in the web interface.

Overview

Intrusion detection is an important network security feature. By analyzing the contents and behavior of packets passing through, it determines whether the packets are attack packets and takes the configured actions accordingly. Supported actions include outputting alarm logs, discarding packets, and adding the attacker to the blacklist. The intrusion detection statistics show the number of attacks per attack type and the number of attack packets dropped, helping you analyze the intrusion types and quantities present so that you can refine your network security policies.

NOTE:
- For information about packet inspection, see "Configuring packet inspection."
- For information about traffic abnormality detection, see "Configuring traffic abnormality detection."

Configuration procedure

To view intrusion detection statistics, select Intrusion Detection > Statistics in the navigation tree to enter the intrusion detection statistics page, as shown in Figure 49. Select a zone to view the counts of attacks and the counts of dropped packets in that security zone. Table 15 describes the attack types.

Figure 49 Intrusion detection statistics

Table 15 Field description

- Fraggle: A Fraggle attack occurs when an attacker sends large amounts of UDP echo requests (UDP port 7) or Chargen packets (UDP port 19), resulting in a large quantity of junk replies and finally exhausting the bandwidth of the target network.
- ICMP Redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table, interfering with the normal forwarding of IP packets.
- ICMP Unreachable: Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for it. By sending ICMP unreachable packets, an attacker can cut off the connection between the target host and the network.
- Land: A Land attack occurs when an attacker sends a great number of TCP SYN packets with both the source and destination IP addresses set to the IP address of the target, exhausting the half-open connection resources of the victim and preventing it from providing services normally.
- Large ICMP: On some hosts and devices, large ICMP packets cause memory allocation errors and crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.
- Route Record: A route record attack exploits the record route option in the IP header to probe the topology of a network.

- Scan: A scanning attack probes the addresses and ports on a network to identify the hosts attached to the network and the application ports available on those hosts, and to figure out the topology of the network, in preparation for further attacks.
- Source Route: A source route attack exploits the source route option in the IP header to probe the topology of a network.
- Smurf: A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network reply to the requests, congesting the network and leaving the hosts unable to provide services.
- TCP Flag: Some TCP flags are processed differently by different operating systems. A TCP flag attacker sends TCP packets with such flag combinations to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker can also make the host crash.
- Tracert: The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 at each router it passes. Upon receiving a packet whose TTL reaches 0, a router sends an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits this behavior to figure out the network topology.
- WinNuke: A WinNuke attacker sends out-of-band (OOB) data with overlapping pointer field values to the NetBIOS port (139) of a Windows system that has an established connection, causing a NetBIOS fragment overlap that crashes the system.
- SYN Flood: A SYN flood attack exploits TCP SYN packets. Because of resource limitations, the number of TCP connections that a device can create is limited. A SYN flood attacker sends a barrage of spurious SYN packets to a victim to initiate TCP connections. Because the SYN ACK packets that the victim sends in response are never acknowledged, large numbers of half-open connections are created and retained on the victim, making it inaccessible until the half-open connections time out. In this way, a SYN flood attack exhausts system resources such as memory on a system whose implementation does not limit the creation of connections.
- ICMP Flood: An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo requests (such as ping packets) in a short period, preventing the victim from providing services normally.
- UDP Flood: A UDP flood attack overwhelms the victim with an enormous number of UDP packets in a short period, preventing the victim from providing services normally.
- DNS Flood: A DNS flood attack overwhelms the victim with an enormous number of DNS query requests in a short period, preventing the victim from providing services normally.
- Number of connections per source IP exceeds the threshold: When an internal user initiates a large number of connections to a host on the external network in a short period of time, system resources on the device are soon used up, leaving the device unable to serve other users.
- Number of connections per dest IP exceeds the threshold: If an internal server receives a large number of connection requests in a short period of time, it cannot process normal connection requests from other hosts.

Configuring ARP attack protection

The Address Resolution Protocol (ARP) is easy to use, but because it has no security mechanism it is often exploited by attackers, who can send:
- ARP packets that impersonate a trusted user or gateway, so that the receiving devices learn incorrect ARP entries.
- A large number of IP packets with unreachable destinations. As a result, the receiving device continuously resolves the destination IP addresses and its CPU is overloaded.
- A large number of ARP packets, to overload the CPU of the receiving device.

ARP attacks and ARP viruses currently pose serious threats to LANs. To counter them, the firewall provides multiple techniques to detect and prevent such attacks. The following describes the principles and configuration of these techniques.

Configuring periodic sending of gratuitous ARP packets

Introduction

In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes:
- To determine whether its IP address is already used by another device. If the IP address is already in use, the device is informed of the conflict by an ARP reply.
- To inform other devices of a change of its MAC address.

Enabling learning of gratuitous ARP packets

With this feature enabled, the firewall, upon receiving a gratuitous ARP packet, adds an ARP entry containing the sender IP and MAC addresses from the packet to its ARP table; if a corresponding ARP entry already exists, the firewall updates it. With this feature disabled, the firewall uses received gratuitous ARP packets only to update existing ARP entries, not to create new ones.

Configuring periodic sending of gratuitous ARP packets

By sending gratuitous ARP packets periodically, the firewall notifies its downlink devices of updates to its ARP entries or MAC address entries, so as to:

1. Prevent ARP spoofing. A spoofed gratuitous ARP packet can cause hosts on a network segment to update their ARP entries incorrectly and thereby redirect the traffic they want to send to the gateway to an incorrect MAC address, so that the hosts cannot access external networks. To prevent such ARP attacks, you can configure the gateway's interfaces to regularly send gratuitous ARP packets for the primary IP address and the manually configured secondary IP addresses of the

49 interface regularly. In this way, the hosts on the network segment can learn the correct gateway address information and can therefore access the network. 2. Prevent aging of the gateway ARP entry In practice, if the network load is heavy or the CPU usage of hosts on the network is high, ARP packets may be dropped or the hosts cannot process ARP packets timely. In such cases, the dynamic ARP entries of the hosts may be aged out due to timeout, and the traffic between the hosts and the gateway may be interrupted before the ARP entry of the gateway is learnt. To solve this problem, you can enable the gateway interface to send gratuitous ARP packets that contain the primary IP address or a manually configured secondary IP address regularly. This is to help the hosts update their ARP entries timely and prevent such traffic interruption to the utmost extent. 3. Prevent the virtual IP address of a VRRP group from being used by a host When a network has a VRRP group, the master router in the VRRP group must regularly send gratuitous ARP packets to the hosts on the network to make the hosts update their local ARP entries timely, thus ensuring no device on the network uses the virtual IP address of the VRRP group. As the virtual IP address of the VRRP group may correspond to the virtual MAC address or the actual MAC address, the gratuitous ARP packets will use the virtual MAC address or the actual MAC address accordingly. 4. Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured In VRRP configuration, if ambiguous VLAN termination is configured for many VLANs and VRRP groups, interfaces configured with VLAN termination need to be disabled from transmitting broadcast/multicast packets and a VRRP control VLAN needs to be configured so that VRRP advertisements can be transmitted within the control VLAN only. 
In such cases, you can enable periodic sending of gratuitous ARP packets containing the VRRP virtual IP address, and the primary IP address or a manually configured secondary IP address of the sending interface on the subinterfaces. In this way, when a VRRP failover occurs, devices in the VLANs having ambiguous VLAN termination configured can use the gratuitous ARP packets to update their corresponding MAC entries in time. NOTE: For more information about VRRP, see High Availability Configuration Guide. Configuring periodic sending of gratuitous ARP packet in the web interface Select Firewall > ARP Anti-Attack > Send Gratuitous ARP from the navigation tree to enter the Send Gratuitous ARP page, as shown in Figure
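The two learning modes described under "Enabling learning of gratuitous ARP packets" (add-or-update when enabled, update-only when disabled) can be exercised on constructed packets. This is added example code, not the firewall's implementation; the packet builder, the ArpTable class and the change log that records MAC changes for later review are all assumptions of the example.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload: htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
OP_REQUEST, OP_REPLY = 1, 2


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Constructed ARP payload for the examples below (not a captured packet)."""
    return ARP_HDR.pack(1, 0x0800, 6, 4, op,
                        bytes.fromhex(sender_mac.replace(":", "")),
                        socket.inet_aton(sender_ip),
                        bytes.fromhex(target_mac.replace(":", "")),
                        socket.inet_aton(target_ip))


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP payload into its fields."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack(payload[:ARP_HDR.size])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sender_mac": sha.hex(":"),
        "sender_ip": socket.inet_ntoa(spa),
        "target_mac": tha.hex(":"),
        "target_ip": socket.inet_ntoa(tpa),
    }


def is_gratuitous(arp: dict) -> bool:
    """A gratuitous ARP packet carries the sender's own IP address as both
    sender IP and target IP."""
    return arp["sender_ip"] == arp["target_ip"]


class ArpTable:
    """Minimal ARP table applying the gratuitous-ARP learning switch."""

    def __init__(self, gratuitous_learning: bool = True):
        # True models 'gratuitous-arp-learning enable' (the default)
        self.gratuitous_learning = gratuitous_learning
        self.entries = {}          # ip -> mac
        self.changes = []          # (ip, old_mac, new_mac) whenever a MAC changes

    def handle_gratuitous(self, arp: dict) -> str:
        """Apply one gratuitous ARP packet. Returns 'added', 'updated' or 'ignored'."""
        if not is_gratuitous(arp):
            raise ValueError("not a gratuitous ARP packet")
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in self.entries:
            # Existing entries are refreshed in both modes; a changed MAC for a
            # known IP is worth recording, since that is what ARP spoofing looks like.
            old = self.entries[ip]
            if old != mac:
                self.changes.append((ip, old, mac))
            self.entries[ip] = mac
            return "updated"
        if self.gratuitous_learning:
            self.entries[ip] = mac
            return "added"
        return "ignored"          # learning disabled: no new entry is created
```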

Figure 50 Configuring periodic sending of gratuitous ARP packets

Table 16 Configuration items

Item: Sending Interface
Description: Specify an interface and interval for periodically sending gratuitous ARP packets. Select an interface from the Standby Interface list, set its sending interval, and then click << to add it to the Sending Interface list box. To delete the combination of an interface and its sending interval, select it from the Sending Interface list and click >>.
IMPORTANT:
- The firewall supports up to 1024 interfaces sending gratuitous ARP packets periodically.
- With this feature enabled, an interface can periodically send gratuitous ARP packets only after it is assigned an IP address and its link comes up.
- If a sending interval is modified, the new setting takes effect at the next interval.
- If many interfaces are enabled with this feature, or each interface has a large number of secondary IP addresses, or the sending intervals are very short while both of the above conditions exist, the frequency at which gratuitous ARP packets are actually sent may be far lower than you expect.

Configuring periodic sending of gratuitous ARP packets at the CLI

Configuration guidelines

Follow these guidelines when you configure gratuitous ARP:
- You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
- Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface is up and an IP address has been assigned to the interface.
- If you change the interval for sending gratuitous ARP packets, the configuration takes effect at the next sending interval.
- The frequency of sending gratuitous ARP packets may be much lower than expected if this function is enabled on multiple interfaces, if each interface is configured with multiple secondary IP addresses, or if a small sending interval is configured in such cases.

Configuration procedure

To configure gratuitous ARP:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable learning of gratuitous ARP packets.
  Command: gratuitous-arp-learning enable
  Remarks: Optional. Enabled by default.
Step 3. Enable the firewall to send gratuitous ARP packets upon receiving ARP requests from another subnet.
  Command: gratuitous-arp-sending enable
  Remarks: By default, the firewall does not send gratuitous ARP packets upon receiving ARP requests from another subnet.
Step 4. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 5. Enable periodic sending of gratuitous ARP packets and set the sending interval.
  Command: arp send-gratuitous-arp [ interval milliseconds ]
  Remarks: Disabled by default.

Configuring ARP automatic scanning and fixed ARP

Introduction

ARP automatic scanning is usually used together with the fixed ARP feature. With ARP automatic scanning enabled, the firewall scans the LAN for neighbors by sending ARP requests, obtains the MAC addresses of the neighbors, and adds dynamic ARP entries. With the fixed ARP feature, the firewall can convert dynamic ARP entries (including those added by ARP automatic scanning) into static ones, effectively preventing attackers from modifying ARP entries.

NOTE: HP recommends that you use these two features in small-sized and stable networks, such as an Internet café.

Configuring ARP automatic scanning in the web interface

NOTE:
- Do not perform other operations while ARP automatic scanning is in progress.
- ARP automatic scanning may take a long time. You can abort the scanning by clicking Interrupt on the ARP scan page.

Select Firewall > ARP Anti-Attack > Scan from the navigation tree to enter the ARP scanning configuration page, as shown in Figure 51.

Figure 51 ARP scanning

Table 17 Configuration items

Item: Interface
Description: Select the interface to be configured to perform ARP automatic scanning.

Item: Start IP Address / End IP Address
Description: Specify the start and end IP addresses of the IP address range for ARP automatic scanning. To reduce the scanning time, specify the IP address range if you know the range assigned to the neighbors in the LAN. The specified start and end IP addresses must be in the same network segment as the primary IP address or a manually configured secondary IP address of the interface. If the specified address range covers multiple network segments of the interface, the source IP address in the ARP requests is the interface address on the smallest network segment.
IMPORTANT:
- Both the start and end IP addresses must be specified, or neither of them.
- The start and end IP addresses must be in the same network segment as the primary IP address or a manually configured secondary IP address of the interface.
- The start IP address must be lower than or equal to the end IP address.
- With no IP address range specified, the firewall scans only the network segment of the primary IP address of the interface for neighbors, and the source IP address of the sent ARP requests is the primary IP address of the interface.

Item: Also scan IP addresses of dynamic ARP entries
Description: Set whether to scan the IP addresses of the existing dynamic ARP entries.

After the above configuration, click Scan to begin ARP automatic scanning. To abort scanning, click Interrupt.

Configuring fixed ARP in the web interface

NOTE:
- The static ARP entries resulting from conversion are the same as manually configured ones.
- The number of dynamic ARP entries that can be converted into static ones is limited by the number of static ARP entries supported on the firewall. Some dynamic ARP entries may not be converted because of this limit.
- The fixing process may take some time, during which some dynamic entries may be added or aged out. The newly added dynamic entries will be fixed; the aged ones will not.

Select Firewall > ARP Anti-Attack > Fix from the navigation tree to enter the fixed ARP configuration page, as shown in Figure 52. The page lists all static ARP entries, including manually configured ones and fixed ones, and all dynamic ARP entries.

Figure 52 Fixed ARP page

- Click Fix All to convert all dynamic ARP entries to static ones.
- Click Del All Fixed to delete all static ARP entries.
- Select the box before one or more dynamic ARP entries and click Fix to convert the selected entries to static ARP entries.
- Select the box before one or more static ARP entries and click Del Fixed to delete the selected static entries. If you select a dynamic entry and click Del Fixed, the entry is not deleted.

Configuring ARP automatic scanning and fixed ARP at the CLI

Configuration guidelines

Follow these guidelines when you configure ARP automatic scanning and fixed ARP:
- IP addresses already present in ARP entries are not scanned.
- ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on the ARP replies received before the scan is terminated.
- The static ARP entries converted from dynamic ARP entries have the same attributes as manually configured static ARP entries.
- Use the arp fixup command to convert the existing dynamic ARP entries into static ARP entries. You can run the command again to convert dynamic ARP entries learned later.
- The number of static ARP entries converted from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to convert all dynamic ARP entries into static ones.
- To delete a specific static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

Configuration procedure

To configure ARP automatic scanning and fixed ARP:

Step 1. Enter system view.
  Command: system-view
Step 2. Enter interface view.
  Command: interface interface-type interface-number
Step 3. Enable ARP automatic scanning.
  Command: arp scan [ start-ip-address to end-ip-address ]
Step 4. Return to system view.
  Command: quit
Step 5. Enable fixed ARP.
  Command: arp fixup

Configuring TCP attack protection

Overview

An attacker can attack the device during TCP connection establishment. To prevent such attacks, the device provides the following features:
- SYN Cookie
- Protection against Naptha attacks

This document describes the attacks these features can prevent, how the features work, and their configuration procedures.

Enabling the SYN Cookie feature

As a general rule, the establishment of a TCP connection involves the following three-way handshake:
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server creates a TCP connection in the SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3. After receiving the SYN ACK message, the originator returns an ACK message, establishing the TCP connection.

Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number of SYN messages to the server to establish TCP connections, but never respond to the SYN ACK messages. As a result, a large number of incomplete TCP connections are created, consuming heavy resources and leaving the server unable to handle services normally.

The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the server directly returns a SYN ACK message instead of creating an incomplete TCP connection. Only after receiving an ACK message from the client does the server establish the connection and enter the ESTABLISHED state. In this way, incomplete TCP connections are avoided and the server is protected against SYN Flood attacks.

To enable the SYN Cookie feature:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the SYN Cookie feature.
  Command: tcp syn-cookie enable
  Remarks: Enabled by default.

NOTE:
- If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. If you then disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically becomes effective again. For more information about MD5 authentication, see Network Management Configuration Guide.
- With the SYN Cookie feature enabled, only the maximum segment size (MSS) is negotiated during TCP connection establishment; the window scale factor and timestamp options are not.
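The mechanism behind the SYN Cookie feature, as an added example that is not the firewall's implementation: the server keeps no state for the half-open connection and instead encodes a time slot, an MSS index and a keyed hash of the 4-tuple into the initial sequence number of its SYN ACK, then verifies the client's ACK against that encoding. The bit layout, the 64-second slot, the MSS table and the use of HMAC-SHA256 are assumptions of the example; the point it shows is why only the MSS survives negotiation under SYN Cookie.

```python
import hashlib
import hmac
import socket
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values that fit in 3 bits of the cookie (assumed table)
SLOT_SECONDS = 64                      # cookies from the current and previous slot are accepted


def _mac(secret: bytes, src: str, dst: str, sport: int, dport: int,
         count: int, mss_idx: int) -> int:
    """24-bit keyed hash over the 4-tuple, the time slot counter and the MSS index,
    so a replayed cookie cannot be moved to another connection or altered."""
    msg = struct.pack("!4s4sHHIB", socket.inet_aton(src), socket.inet_aton(dst),
                      sport, dport, count, mss_idx)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret: bytes, src: str, dst: str, sport: int, dport: int,
                    client_mss: int, now: int) -> int:
    """Initial sequence number for the SYN ACK: 5 bits time slot | 3 bits MSS index |
    24 bits MAC. Nothing about the request is stored on the server."""
    count = (int(now) // SLOT_SECONDS) & 0xFFFFFFFF
    # largest table entry not exceeding the client's MSS (index 0 if none fits)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (((count & 0x1F) << 27) | (mss_idx << 24)
            | _mac(secret, src, dst, sport, dport, count, mss_idx))


def check_syn_cookie(secret: bytes, src: str, dst: str, sport: int, dport: int,
                     ack: int, now: int):
    """Validate the final ACK of the handshake. Returns the MSS to use for the new
    connection, or None if the cookie is forged, belongs to another 4-tuple, or expired."""
    isn = (ack - 1) & 0xFFFFFFFF                # client acknowledges ISN + 1
    slot, mss_idx, mac = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now) // SLOT_SECONDS
    for age in (0, 1):                          # tolerate one slot boundary
        count = (current - age) & 0xFFFFFFFF
        if (count & 0x1F) != slot:
            continue
        expected = _mac(secret, src, dst, sport, dport, count, mss_idx)
        if hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None
```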

Enabling protection against Naptha attacks

Naptha attacks are similar to SYN Flood attacks. Attackers can perform Naptha attacks by using six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas SYN Flood attacks use only the SYN_RECEIVED state. Naptha attackers control a huge number of hosts to establish TCP connections with the server, keep these connections in the same state (any of the six), and request no data, so as to exhaust the memory resources of the server. As a result, the server cannot process normal services.

Protection against Naptha attacks mitigates such attacks by accelerating the aging of TCP connections in a state. After the feature is enabled, the firewall (serving as a TCP server) periodically checks the number of TCP connections in each state. If the number of TCP connections in a state exceeds the configured maximum, the firewall considers that a Naptha attack is occurring and accelerates the aging of TCP connections in that state. The firewall stops accelerating the aging when the number of TCP connections in the state falls below 80% of the maximum number (1 at least).

To enable protection against Naptha attacks:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable protection against Naptha attacks.
  Command: tcp anti-naptha enable
  Remarks: Disabled by default.
Step 3. Configure the maximum number of TCP connections in a state.
  Command: tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number
  Remarks: Optional. 5 by default. If the maximum number of TCP connections in a state is 0, the aging of TCP connections in this state is not accelerated.
Step 4. Configure the TCP state check interval.
  Command: tcp timer check-state timer-value
  Remarks: Optional. 30 seconds by default.

Displaying and maintaining TCP attack protection

Task: Display the current TCP connection state.
  Command: display tcp status [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
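The threshold logic of Naptha protection described above, written out as an added example (not the firewall's code): a per-state ceiling with the documented default of 5, acceleration when the count exceeds the ceiling, release when it falls below 80% of the ceiling but never below 1, and 0 disabling acceleration for a state. The class and function names and the constructed snapshot sequence are assumptions of the example.

```python
TCP_STATES = ("closing", "established", "fin-wait-1", "fin-wait-2",
              "last-ack", "syn-received")
DEFAULT_MAX = 5            # tcp state <state> connection-number: 5 by default
CHECK_INTERVAL = 30        # tcp timer check-state: 30 seconds by default


def release_threshold(limit: int) -> int:
    """Acceleration stops once the count drops below 80% of the limit,
    floored at 1 so that even the smallest limit has a release point."""
    return max(1, limit * 8 // 10)


class NapthaGuard:
    """Tracks, per TCP state, whether accelerated aging is currently active."""

    def __init__(self, limits: dict = None):
        self.limits = {s: DEFAULT_MAX for s in TCP_STATES}
        if limits:
            unknown = set(limits) - set(TCP_STATES)
            if unknown:
                raise ValueError(f"unknown TCP state(s): {sorted(unknown)}")
            self.limits.update(limits)
        self.accelerating = {s: False for s in TCP_STATES}

    def check(self, counts: dict) -> set:
        """One run of the periodic state check. counts maps state -> number of
        connections currently in that state. Returns the states whose connections
        are being aged out faster after this check."""
        for state in TCP_STATES:
            limit = self.limits[state]
            n = counts.get(state, 0)
            if limit == 0:                      # 0 disables acceleration for the state
                self.accelerating[state] = False
            elif n > limit:                     # ceiling exceeded: attack assumed
                self.accelerating[state] = True
            elif self.accelerating[state] and n < release_threshold(limit):
                self.accelerating[state] = False
        return {s for s, on in self.accelerating.items() if on}


def run_checks(guard: NapthaGuard, samples: list) -> list:
    """Feed a sequence of per-interval snapshots through the guard and return
    the sorted list of accelerated states after each check."""
    return [sorted(guard.check(c)) for c in samples]


if __name__ == "__main__":
    # Constructed snapshots, one per check interval, for a server under attack.
    guard = NapthaGuard({"established": 10})
    samples = [{"established": 11}, {"established": 9}, {"established": 7},
               {"syn-received": 6, "established": 2}]
    for i, states in enumerate(run_checks(guard, samples)):
        print(f"t={i * CHECK_INTERVAL}s accelerated aging in: {states}")
```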

Configuring firewall

NOTE: The firewall configuration is available only at the CLI.

Overview

A firewall can block unauthorized access from the Internet to a protected network while allowing internal network users to access the Internet through, for example, WWW, or to send and receive emails. A firewall can also be used to control access to the Internet, for example, to permit only specific hosts within the organization to access the Internet. Many of today's firewalls offer other features, such as identity authentication and security processing (encryption) of information.

Another application of a firewall is to protect mainframes and important resources (such as data) on the internal network. Any access to protected data must first be filtered by the firewall, even if the access is initiated by a user within the internal network.

The firewall mainly implements the following firewall functions:
- Packet-filter firewall, which performs access control list (ACL) based packet filtering
- Address translation

NOTE: This chapter focuses on the ACL packet-filter firewall. For more information about address translation, see NAT and ALG Configuration Guide.

A packet-filter firewall implements IPv6 packet-specific filtering. For each IPv6 packet to be forwarded, the firewall first obtains the header information of the packet, including the number of the upper-layer protocol carried by the IP layer, the source address, destination address, source port number, and destination port number. It then compares the obtained header information against the configured ACL rules and processes the packet according to the result.

Configuring a packet-filter firewall

Packet-filter firewall configuration task list

Task: Enabling the IPv6 firewall function
  Remarks: Required
Task: Configuring the default filtering action of the IPv6 firewall
  Remarks: Optional
Task: Configuring IPv6 packet filtering on an interface
  Remarks: Required

Enabling the IPv6 firewall function

Follow these steps to enable the IPv6 firewall function:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the IPv6 firewall function.
  Command: firewall ipv6 enable
  Remarks: Disabled by default.

Configuring the default filtering action of the IPv6 firewall

The default filtering action determines whether the firewall permits or denies a packet when no configured rule applies to it.

To configure the default filtering action of the IPv6 firewall:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Specify the default filtering action of the firewall.
  Command: firewall ipv6 default { deny | permit }
  Remarks: Optional. permit (packets are permitted to pass the firewall) by default.

Configuring IPv6 packet filtering on an interface

When an ACL is applied to an interface, time range-based filtering also takes effect. In addition, you can specify separate access rules for inbound and outbound packets.
- The effective range for basic ACL numbers is 2000 to
  A basic ACL defines rules based on Layer 3 source IP addresses only to analyze and process packets.
- The effective range for advanced ACL numbers is 3000 to
  An advanced ACL defines rules according to the source and destination IP addresses of packets, the protocol type over IP, TCP/UDP source and destination ports, and so on.

An advanced ACL supports the following match modes:
- Normal match: Matches Layer 3 information. Non-Layer 3 information is ignored.
- Exact match: Matches all advanced ACL rules. For this reason, you must enable fragment inspection so that the firewall records the status of the first fragment of each packet and obtains the match information for the subsequent fragments.
The default mode is normal match.

NOTE: You can neither enable packet filtering on an interface in an aggregation group or service loopback group, nor add an interface with packet filtering enabled to an aggregation group or service loopback group.

IPv6 packet filtering is a basic firewall function based on IPv6 ACLs. You can configure IPv6 packet filtering in the inbound or outbound direction of an interface so that the interface filters packets that match the IPv6 ACL rules.

To configure IPv6 packet filtering on an interface:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure IPv6 packet filtering on the interface.
  Command: firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
  Remarks: IPv6 packets are not filtered by default.

Displaying and maintaining a packet filtering firewall

Task: View the packet filtering statistics of the IPv6 firewall.
  Command: display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Clear the packet filtering statistics of the IPv6 firewall.
  Command: reset firewall ipv6 statistics { all | interface interface-type interface-number }
  Remarks: Available in user view

Configuring content filtering

NOTE: The content filtering configuration is available only in the Web interface.

Overview

With content filtering configured, the firewall filters the contents carried in Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), File Transfer Protocol (FTP), and Telnet packets according to the configuration, so as to prevent internal users from accessing illegal websites or sending illegal emails, and to prevent packets carrying illegal contents from entering the internal network.

Upon receiving HTTP, SMTP, POP3, FTP, or Telnet packets, the firewall first matches the packets against interzone policies. If the action of the matched interzone policy is permit and the policy is configured with a content filtering policy, the firewall then matches the packets against the content filtering policy to prevent illegal packets from passing through.

HTTP packet content filtering

HTTP packet content filtering, hereafter referred to as HTTP filtering, includes these functions:
- Uniform Resource Locator (URL) hostname filtering: Checks the hostname in the requested URL of an HTTP request, preventing internal users from accessing specified websites.
- Header filtering: The header of an HTTP response usually contains the type of the current Web page (such as text or image), the content length, basic server information (such as server type and response time), and the HTTP version. Using header filtering, the firewall can prevent HTTP responses that carry specified information in the header from passing through.
- Body filtering: Filters the message body carried in an HTTP packet from a server to a client, that is, the content to be displayed by a browser. In this way, the firewall can prevent HTTP packets with specified contents in the body from passing through, preventing illegal contents from spreading over the internal network.
- URL IP blocking: Blocks all HTTP requests that carry an IP address in the URL, so as to prevent internal users from accessing websites by IP address in the URL.
- URL parameter filtering: Protects websites against attacks that use URL parameters. For example, URL parameter filtering can match an HTTP request against the keywords of SQL statements and other characters that may constitute an SQL statement. If there is a match, the firewall considers the packet an SQL injection attack packet and drops it.

NOTE: The firewall supports URL parameter filtering of Web requests with the Get, Post, or Put method.

Web pages are usually dynamic and connected to databases, and support data query and modification through Web requests. This makes it possible for attackers to craft special SQL statements in Web requests to obtain confidential data from databases or bring down databases by repeatedly modifying database information. Such attacks are known as SQL injection attacks.

- ActiveX blocking: Blocks ActiveX plugin requests to untrusted websites, protecting networks from malicious ActiveX plugins.
- Java applet blocking: Blocks Java applet requests to untrusted websites, protecting networks from malicious Java applets.

SMTP packet content filtering

SMTP packet content filtering, hereafter referred to as SMTP filtering, includes these functions:
- Sender filtering: Filters sender addresses in SMTP requests, preventing specified senders from sending emails.
- Receiver filtering: Filters receiver addresses (including recipients and CC recipients) in SMTP requests, preventing internal users from sending emails to the specified receivers.
- Subject filtering: Filters mail subjects in SMTP requests, preventing users from sending emails that contain specified keywords in the mail subject.
- Body filtering: Filters mail bodies in SMTP requests, preventing users from sending emails that contain specified keywords in the mail body.
- Attachment filtering: Checks the names and contents of the attachments in SMTP requests, preventing users from sending emails that carry attachments with specified names or with specified keywords in the attachment content.
- Illegal command blocking: Blocks SMTP requests that carry illegal command words.
  NOTE: Legal command words in terms of content filtering include HELO, EHLO, RSET, QUIT, DATA, NOOP, HELP, EXPN, TURN, VRFY, SOML, SAML, SEND, MAIL, RCPT, and AUTH.
- Oversize mail blocking: Limits the size of emails from internal users and blocks emails that are oversize.

POP3 packet content filtering

POP3 packet content filtering, hereafter referred to as POP3 filtering, includes these functions:
- Sender filtering: Filters sender addresses in POP3 responses, preventing users from receiving emails from the specified senders.
- Receiver filtering: Filters receiver addresses (including recipients and CC recipients) in POP3 responses, blocking emails that contain the specified receiver addresses.
- Subject filtering: Filters mail subjects in POP3 responses, preventing users from receiving emails that contain specified keywords in the mail subject.
- Body filtering: Filters mail bodies in POP3 responses, preventing users from receiving emails that contain specified keywords in the mail body.
- Attachment filtering: Checks the names and contents of the attachments in POP3 responses, preventing users from receiving emails that carry attachments with specified names or with specified keywords in the attachment content.

FTP packet content filtering

FTP packet content filtering, hereafter referred to as FTP filtering, includes these functions:
- Command word filtering: Blocks FTP requests that carry the specified command words.

  NOTE: FTP command words refer to the command words carried in FTP requests, including RETR, STOR, APPE, USER, PASS, PORT, PASV, RNFR, RNTO, DELE, LIST, and QUIT, rather than the commands typed at the command line. For example, to upload a file named 123.txt, you type the command put 123.txt. In this case, the FTP command word to be filtered is not put but STOR.
- Upload filename filtering: Filters filenames carried in FTP upload requests, preventing clients from uploading files with the specified names to the server.
- Download filename filtering: Filters filenames carried in FTP download requests, preventing clients from downloading files with the specified names from the server.

Telnet packet content filtering

Telnet packet content filtering, hereafter referred to as Telnet filtering, filters command words in Telnet requests, preventing Telnet users from executing specific commands that greatly impact the normal operation of the firewall, such as format and reboot.

NOTE: Telnet command filtering supports the following characters:
- Visible characters: ASCII codes 0x20 to 0x7e.
- Special characters: ASCII codes 0x0, 0x8, 0x0d, 0x0d00, and 0x0d0a.
- Others: Cursor Left (0x1b5b44) and Cursor Right (0x1b5b43).

Configuring content filtering

Configuration guide

To configure content filtering:

1. Configure filtering entries and filtering keywords. You can configure various filtering entries and filtering keywords as needed.

Table 18 Filtering entries and filtering keywords configuration task list

Task: Configuring keyword filtering entries
  Remarks: Keyword filtering entries include:
  - HTTP keyword filtering entries: for header filtering and body filtering in HTTP filtering policies.
  - SMTP keyword filtering entries: for subject filtering, body filtering, and attachment content filtering in SMTP filtering policies.
  - POP3 keyword filtering entries: for subject filtering, body filtering, and attachment content filtering in POP3 filtering policies.
  - FTP keyword filtering entries: for command word filtering in FTP filtering policies.
  - Telnet keyword filtering entries: for command word filtering in Telnet filtering policies.
  By default, no keyword filtering entries exist.

Task: Configuring URL hostname filtering entries
  Remarks: Used for URL hostname filtering in HTTP filtering policies. By default, no URL hostname filtering entries exist.

Task: Configuring filename filtering entries
  Remarks: Filename filtering entries include:
  - SMTP filename filtering entries: for attachment name filtering in SMTP filtering policies.
  - POP3 filename filtering entries: for attachment name filtering in POP3 filtering policies.
  - FTP filename filtering entries: for upload filename filtering and download filename filtering in FTP filtering policies.
  By default, no filename filtering entries exist.

Task: Configuring email address filtering entries
  Remarks: Email address filtering entries include:
  - SMTP address filtering entries: for sender filtering and receiver filtering in SMTP filtering policies.
  - POP3 address filtering entries: for sender filtering and receiver filtering in POP3 filtering policies.
  By default, no email address filtering entries exist.

Task: Configuring URL parameter filtering keywords
  Remarks: Add keywords to be used for URL parameter filtering in HTTP filtering policies. By default, the system has the following URL parameter filtering keywords: ^select$, ^insert$, ^update$, ^delete$, ^drop$, --, ', ^exec$, and %27.

Task: Configuring Java blocking keywords
  Remarks: Used for Java applet blocking in HTTP filtering policies. By default, the following Java suffix keywords exist: .class and .jar.

Task: Configuring ActiveX blocking keywords
  Remarks: Used for ActiveX blocking in HTTP filtering policies. By default, the system has the ActiveX suffix keyword .ocx.

2. Configure content filtering policies. Content filtering policies fall into HTTP filtering policies, SMTP filtering policies, POP3 filtering policies, FTP filtering policies, and Telnet filtering policies. You can configure one or more content filtering policies as needed.

Table 19 Content filtering policy configuration task list

Task: Configuring an HTTP filtering policy
  Remarks: By default, no HTTP filtering policies exist.
Task: Configuring an SMTP filtering policy
  Remarks: By default, no SMTP filtering policies exist.
Task: Configuring a POP3 filtering policy
  Remarks: By default, no POP3 filtering policies exist.
Task: Configuring an FTP filtering policy
  Remarks: By default, no FTP filtering policies exist.
Task: Configuring a Telnet filtering policy
  Remarks: By default, no Telnet filtering policies exist.

3. Configure a content filtering policy template. A content filtering policy template is a combination of an HTTP filtering policy and an SMTP filtering policy. It can be applied to an interzone policy directly.

Table 20 Content filtering policy template configuration task

Task: Configuring a content filtering policy template
  Remarks: By default, no HTTP filtering policy templates exist.

IMPORTANT: You can configure a content filtering policy template in the content filtering module or in the interzone policy module. The configuration items in the two modules are the same. This document describes the policy template configuration in the content filtering module. For that in the interzone policy module, see Access Control Configuration Guide.

4. Configure the interzone policy that uses the content filtering policy template. Configure an interzone policy between the source and destination security zones, and apply the content filtering policy template to the interzone policy. In this way, the firewall can filter packets that match the interzone policy.

Table 21 Interzone policy configuration task

Task: Configuring the interzone policy that uses the content filtering policy template
  Remarks: For detailed configuration information, see Access Control Configuration Guide. You must set the action to Permit in the interzone policy for the referenced content filtering policy template to take effect. By default, no interzone policies exist.

5. Display content filtering statistics.

Table 22 Displaying content filtering statistics

Task: Displaying content filtering statistics
  Remarks: View the statistics of the various content filtering functions.

Configuring keyword filtering entries

Select Identification > Content Filtering > Filtering Entry from the navigation tree. The keyword filtering entry list page appears, as shown in Figure 53. Then, click Add to enter the page for adding a keyword filtering entry, as shown in Figure 54.

Figure 53 Keyword filtering entry list
Figure 54 Adding a keyword filtering entry
Table 23 Configuration items
Name: Specify the name of the keyword filtering entry.
Keyword: Specify the keywords for the keyword filtering entry. You can specify up to 16 keywords separated by commas. You can use a wildcard (*) to represent any string of up to 6 characters. The wildcard (*) can appear only once in each keyword and cannot be at the start or end of a keyword.
Protocol: Specify the protocol for which the keyword filtering entry is configured. The protocol can be HTTP, SMTP, POP3, FTP, or Telnet.
HTTP keyword filtering entries are for header filtering and body filtering in HTTP filtering policies.
SMTP keyword filtering entries are for subject filtering, body filtering, and attachment content filtering in SMTP filtering policies.
POP3 keyword filtering entries are for subject filtering, body filtering, and attachment content filtering in POP3 filtering policies.
FTP keyword filtering entries are for command word filtering in FTP filtering policies.
Telnet keyword filtering entries are for command word filtering in Telnet filtering policies.

Configuring URL hostname filtering entries
Select Identification > Content Filtering > Filtering Entry from the navigation tree, and then click the URL Hostname tab to enter the URL hostname filtering entry list page, as shown in Figure 55. Then, click Add to enter the page for adding a URL hostname filtering entry, as shown in Figure 56.
Figure 55 URL hostname filtering entry list
Figure 56 Adding a URL hostname filtering entry
Table 24 Configuration items
Name: Specify the name of the URL hostname filtering entry.
URL Hostname: Specify URL hostname keywords for the URL hostname filtering entry. You can specify up to 16 keywords separated by commas. See "Configuration guidelines" for the rules of using wildcards.
Protocol: Specify the protocol for which the URL hostname filtering entry is configured. The protocol can only be HTTP. URL hostname filtering entries are for URL hostname filtering in HTTP filtering policies.
Configuring filename filtering entries
Select Identification > Content Filtering > Filtering Entry from the navigation tree, and then click the Filename tab to enter the filename filtering entry list page, as shown in Figure 57. Then, click Add to enter the page for adding a filename filtering entry, as shown in Figure

Figure 57 Filename filtering entry list
Figure 58 Adding a filename filtering entry
Table 25 Configuration items
Name: Specify the name of the filename filtering entry.
Filename: Specify filename keywords for the filename filtering entry. You can specify up to 16 filename keywords separated by commas.
If you specify a filename keyword in the format filename.extension, the firewall performs an exact match for this keyword. You can use a wildcard (*) to stand for the filename part, the extension, or a string of up to 6 characters in the filename or extension. In each keyword, the wildcard * can be present only once in the filename and once in the extension. If multiple dots (.) are present in the keyword, the content following the last dot is regarded as the extension; a keyword such as *.exe therefore also matches a double-extension name such as report.pdf.exe.
If you specify a filename keyword containing no dots, the firewall performs a fuzzy match for this keyword. You can use the wildcard * to stand for a string of up to 6 characters in the keyword. In each keyword, the wildcard * can be present only once.
Protocol: Specify the protocol for which the filename filtering entry is configured. The protocol can be SMTP, POP3, or FTP.
SMTP filename filtering entries are for attachment name filtering in SMTP filtering policies.
POP3 filename filtering entries are for attachment name filtering in POP3 filtering policies.
FTP filename filtering entries are for upload filename filtering and download filename filtering in FTP filtering policies.
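The keyword syntax of Table 23 and the filename syntax of Table 25 differ in ways that are easy to get wrong when writing an entry (exact versus fuzzy match, where the extension starts, where a wildcard may sit). The following is an added example, not code from this guide or from the firewall: it compiles entry keywords into regular expressions following the rules the two tables state, and reports the validation errors the Add page would raise. Everything the tables leave open is an assumption and is marked in the code: matching ignores case, a bare * standing for the whole filename part or extension must cover at least one character, and a wildcard inside the extension cannot cross a dot because the extension is whatever follows the last dot.

```python
"""Matcher for the keyword (Table 23) and filename (Table 25) entry syntax.

Added example, not the firewall's code. Entry keywords are compiled to
regular expressions following the rules the two tables state. Choices the
tables leave open are assumptions and are marked as such below.
"""
from __future__ import annotations

import re
from typing import Optional

MAX_WILDCARD = 6    # a "*" inside a keyword stands for any string of up to 6 characters
MAX_KEYWORDS = 16   # an entry holds up to 16 comma-separated keywords


def split_keywords(entry: str) -> list[str]:
    """Split a comma-separated entry and enforce the 16-keyword limit."""
    keywords = [k.strip() for k in entry.split(",") if k.strip()]
    if not 1 <= len(keywords) <= MAX_KEYWORDS:
        raise ValueError(f"an entry needs 1 to {MAX_KEYWORDS} keywords, got {len(keywords)}")
    return keywords


def _wild(part: str, what: str, anychar: str = ".") -> str:
    """Translate PART, which may hold one '*', into a regex fragment.

    The '*' becomes a run of 0 to 6 ANYCHAR; everything else is matched literally.
    """
    if part.count("*") > 1:
        raise ValueError(f"{part!r}: '*' may appear only once in the {what}")
    return f"{anychar}{{0,{MAX_WILDCARD}}}".join(re.escape(p) for p in part.split("*"))


def compile_keyword(keyword: str) -> re.Pattern:
    """Keyword entry: header, body, subject and command word filtering.

    '*' may appear once and not at the start or end. The inspected text is
    searched for the keyword anywhere. Assumption: matching ignores case.
    """
    if keyword.startswith("*") or keyword.endswith("*"):
        raise ValueError(f"{keyword!r}: '*' cannot be at the start or end of a keyword")
    return re.compile(_wild(keyword, "keyword"), re.IGNORECASE)


def compile_filename(keyword: str) -> re.Pattern:
    """Filename entry: attachment names and FTP upload/download names.

    With a dot, the whole name must match exactly; the text after the LAST dot is
    the extension, and '*' may stand for the whole filename part, the whole
    extension, or up to 6 characters (once on each side). Without a dot, the
    match is fuzzy: a substring search with at most one '*' of up to 6 characters.
    """
    if "." not in keyword:
        return re.compile(_wild(keyword, "keyword"), re.IGNORECASE)
    name, ext = keyword.rsplit(".", 1)
    # A side that is just '*' covers that whole side (assumption: at least one
    # character). An extension can never contain a dot, so the in-extension
    # wildcard is restricted to non-dot characters.
    name_re = ".+" if name == "*" else _wild(name, "filename")
    ext_re = "[^.]+" if ext == "*" else _wild(ext, "extension", "[^.]")
    return re.compile(rf"^{name_re}\.{ext_re}$", re.IGNORECASE)


def first_match(entry: str, text: str, *, filename: bool = False) -> Optional[str]:
    """Return the first keyword of ENTRY that matches TEXT, or None."""
    compile_fn = compile_filename if filename else compile_keyword
    for keyword in split_keywords(entry):
        if compile_fn(keyword).search(text):
            return keyword
    return None


def entry_errors(entry: str, *, filename: bool = False) -> list[str]:
    """Validate an entry the way the Add page would, returning every error found."""
    compile_fn = compile_filename if filename else compile_keyword
    try:
        keywords = split_keywords(entry)
    except ValueError as exc:
        return [str(exc)]
    errors = []
    for keyword in keywords:
        try:
            compile_fn(keyword)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    # Constructed names, mirroring the entries used in the configuration example below.
    for entry, text in [("*.exe", "setup.exe"), ("*.exe", "payroll.pdf.exe"),
                        ("*.exe", "setup.exe.txt"), ("abc", "my_abc_report.txt"),
                        ("abc.txt", "my_abc.txt"), ("abc.*", "abc.tar.gz")]:
        print(f"{entry:8} vs {text:18} -> {first_match(entry, text, filename=True)}")
    print("re*ot vs 'please REBOOT now' ->", first_match("re*ot", "please REBOOT now"))
    print("errors for '*abc':", entry_errors("*abc"))
```

The double-extension cases are the ones to remember when writing filename entries: *.exe catches payroll.pdf.exe because only the text after the last dot is the extension, while abc.* does not catch abc.tar.gz because that name's extension is gz and its filename part is abc.tar. A keyword without a dot, such as abc, is a substring search and matches my_abc_report.txt; the same text with a dot, abc.txt, must match the whole name.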

Configuring e-mail address filtering entries
Select Identification > Content Filtering > Filtering Entry from the navigation tree, and then click the E-mail Address tab to enter the e-mail address filtering entry list page, as shown in Figure 59. Then, click Add to enter the page for adding an e-mail address filtering entry, as shown in Figure 60.
Figure 59 E-mail address filtering entry list
Figure 60 Adding an e-mail address filtering entry
Table 26 Configuration items
Name: Specify the name of the e-mail address filtering entry.
Address: Specify e-mail address keywords for the e-mail address filtering entry, in the format name@domain. You can specify up to 16 address keywords separated by commas. You can use a wildcard (*) to stand for any number of characters excluding dot (.), and only in the format *@domain or *@*domain.
Protocol: Specify the protocol for which the e-mail address filtering entry is configured. The protocol can be SMTP or POP3.
SMTP address filtering entries are for sender filtering and receiver filtering in SMTP filtering policies.
POP3 address filtering entries are for sender filtering and receiver filtering in POP3 filtering policies.
Configuring URL parameter filtering keywords
Select Identification > Content Filtering > Filtering Entry from the navigation tree. Click the URL Parameter tab to enter the URL parameter filtering keyword list page, as shown in Figure 61. Click Add to enter the page for adding a URL parameter filtering keyword, as shown in Figure

Figure 61 URL parameter filtering keyword setup
Figure 62 Adding a URL parameter filtering keyword
Table 27 Configuration item
Keyword: Specify a URL parameter filtering keyword. See Figure 62 for the requirements on a keyword. See "Configuration guidelines" for the rules of using wildcards.
IMPORTANT: A keyword string can contain spaces. However, consecutive spaces are not allowed.
Configuring Java blocking keywords
Select Identification > Content Filtering > Filtering Entry from the navigation tree, and then click the Java tab to enter the Java blocking keyword list page, as shown in Figure 63. Then, click Add to enter the page for adding a Java blocking keyword, as shown in Figure

Figure 63 Java blocking keywords setup
Figure 64 Adding a Java blocking keyword
Table 28 Configuration item
Keyword: Specify a suffix keyword for Java blocking. See Figure 64 for the requirements on a keyword.
Configuring ActiveX blocking keywords
Select Identification > Content Filtering > Filtering Entry from the navigation tree, and then click the ActiveX tab to enter the ActiveX blocking keyword list page, as shown in Figure 65. Then, click Add to enter the page for adding an ActiveX blocking keyword, as shown in Figure 66.
Figure 65 ActiveX blocking keywords setup

Figure 66 Adding an ActiveX blocking keyword
Table 29 Configuration item
Keyword: Specify a suffix keyword for ActiveX blocking. See Figure 66 for the requirements on a keyword.
Configuring an HTTP filtering policy
Select Identification > Content Filtering > Filtering Policy from the navigation tree. The HTTP filtering policy list page appears, as shown in Figure 67. Then, click Add to enter the page for adding an HTTP filtering policy, as shown in Figure 68.
Figure 67 HTTP filtering policy list

Figure 68 Adding an HTTP filtering policy
Table 30 Configuration items
Name: Specify the name for the HTTP filtering policy.
URL Filtering: Select the filtering entries to be used for URL hostname filtering. Available filtering entries are the configured URL hostname filtering entries.
Header Filtering: Select the filtering entries to be used for header filtering. Available filtering entries are the configured HTTP keyword filtering entries.
Body Filtering: Select the filtering entries to be used for body filtering. Available filtering entries are the configured HTTP keyword filtering entries.
URL IP Blocking: Specify whether to prevent internal users from using IP addresses in URLs to access websites.
URL Parameter Filtering: Specify whether to enable URL parameter filtering. If you select this item, all URL parameter filtering keywords are effective.
ActiveX Blocking: Specify whether to enable ActiveX blocking. If you select this item, all ActiveX blocking keywords are effective.
Java Applet Blocking: Specify whether to enable Java applet blocking. If you select this item, all Java blocking keywords are effective.
IMPORTANT: Packets that match these filtering conditions will be dropped. You must configure or enable at least one of these items.

Enable Logging: Specify whether to log packet matching events.
IMPORTANT: The logging function takes effect only when it is enabled in both the content filtering policy and the interzone policy.
Configuring an SMTP filtering policy
Select Identification > Content Filtering > Filtering Policy from the navigation tree, and then click the SMTP Policy tab to enter the SMTP filtering policy list page, as shown in Figure 69. Then, click Add to enter the page for adding an SMTP filtering policy, as shown in Figure 70.
Figure 69 SMTP filtering policy list
Figure 70 Adding an SMTP filtering policy
Table 31 Configuration items
Name: Specify the name for the SMTP filtering policy.

Sender Filtering: Select the filtering entries to be used for sender filtering. Available filtering entries are the configured e-mail address filtering entries.
Receiver Filtering: Select the filtering entries to be used for receiver filtering. Available filtering entries are the configured e-mail address filtering entries.
Subject Filtering: Select the filtering entries to be used for subject filtering. Available filtering entries are the configured SMTP keyword filtering entries.
Body Filtering: Select the filtering entries to be used for body filtering. Available filtering entries are the configured SMTP keyword filtering entries.
Attachment Filtering:
Attachment Name Filtering: Select the filtering entries to be used for attachment name filtering. Available filtering entries are the configured filename filtering entries.
Attachment Content Filtering: Select the filtering entries to be used for attachment content filtering. Available filtering entries are the configured SMTP keyword filtering entries.
IllegalCmd Blocking: Specify whether to block SMTP requests that carry illegal command words.
Oversize Mail Blocking: Specify whether to block oversize e-mails sent by internal users. If you select this option, you must specify the maximum size allowed in bytes.
IMPORTANT: Packets that match these filtering conditions will be dropped. You must configure or enable at least one of these items.
Enable Logging: Specify whether to log packet matching events.
IMPORTANT: The logging function takes effect only when it is enabled in both the content filtering policy and the interzone policy.
Configuring a POP3 filtering policy
Select Identification > Content Filtering > Filtering Policy from the navigation tree, and then click the POP3 Policy tab to enter the POP3 filtering policy list page, as shown in Figure 71. Then, click Add to enter the page for adding a POP3 filtering policy, as shown in Figure

Figure 71 POP3 filtering policy list
Figure 72 Adding a POP3 filtering policy
Table 32 Configuration items
Name: Specify the name for the POP3 filtering policy.
Sender Filtering: Select the filtering entries to be used for sender filtering. Available filtering entries are the configured e-mail address filtering entries.
Receiver Filtering: Select the filtering entries to be used for receiver filtering. Available filtering entries are the configured e-mail address filtering entries.
Subject Filtering: Select the filtering entries to be used for subject filtering. Available filtering entries are the configured POP3 keyword filtering entries.
IMPORTANT: Packets that match these filtering conditions will be dropped. You must configure at least one of these items.

Body Filtering: Select the filtering entries to be used for body filtering. Available filtering entries are the configured POP3 keyword filtering entries.
Attachment Filtering:
Attachment Name Filtering: Select the filtering entries to be used for attachment name filtering. Available filtering entries are the configured filename filtering entries.
Attachment Content Filtering: Select the filtering entries to be used for attachment content filtering. Available filtering entries are the configured POP3 keyword filtering entries.
Enable Logging: Specify whether to log packet matching events.
IMPORTANT: The logging function takes effect only when it is enabled in both the content filtering policy and the interzone policy.
Configuring an FTP filtering policy
Select Identification > Content Filtering > Filtering Policy from the navigation tree, and then click the FTP Policy tab to enter the FTP filtering policy list page, as shown in Figure 73. Then, click Add to enter the page for adding an FTP filtering policy, as shown in Figure 74.
Figure 73 FTP filtering policy list

Figure 74 Adding an FTP filtering policy
Table 33 Configuration items
Name: Specify the name for the FTP filtering policy.
Command Filtering: Select the filtering entries to be used for command word filtering. Available filtering entries are the configured FTP keyword filtering entries.
Upload Filename Filtering: Select the filtering entries to be used for upload filename filtering. Available filtering entries are the configured FTP filename filtering entries (see Table 25).
Download Filename Filtering: Select the filtering entries to be used for download filename filtering. Available filtering entries are the configured FTP filename filtering entries (see Table 25).
IMPORTANT: Packets that match these filtering conditions will be dropped. You must configure at least one of these items.
Enable Logging: Specify whether to log packet matching events.
IMPORTANT: The logging function takes effect only when it is enabled in both the content filtering policy and the interzone policy.
Configuring a Telnet filtering policy
Select Identification > Content Filtering > Filtering Policy from the navigation tree, and then click the Telnet Policy tab to enter the Telnet filtering policy list page, as shown in Figure 75. Then, click Add to enter the page for adding a Telnet filtering policy, as shown in Figure

Figure 75 Telnet filtering policy list
Figure 76 Adding a Telnet filtering policy
Table 34 Configuration items
Name: Specify the name for the Telnet filtering policy.
Command Filtering: Select the filtering entries to be used for command word filtering. Available filtering entries are the configured Telnet keyword filtering entries.
IMPORTANT: Packets that match these filtering conditions will be dropped. You must select at least one command word filtering entry for the Telnet filtering policy.
Enable Logging: Specify whether to log packet matching events.
IMPORTANT: The logging function takes effect only when it is enabled in both the content filtering policy and the interzone policy.
Configuring a content filtering policy template
Select Identification > Content Filtering > Policy Template from the navigation tree. The policy template list page appears, as shown in Figure 77. Then, click Add to enter the page for adding a content filtering policy template, as shown in Figure

Figure 77 Policy template list
Figure 78 Adding a content filtering policy template
Table 35 Configuration items
Name: Enter the name of the content filtering policy template.
HTTP Filtering Policy: Select the HTTP filtering policy to be used in the content filtering policy template.
SMTP Filtering Policy: Select the SMTP filtering policy to be used in the content filtering policy template.
POP3 Filtering Policy: Select the POP3 filtering policy to be used in the content filtering policy template.
FTP Filtering Policy: Select the FTP filtering policy to be used in the content filtering policy template.
Telnet Filtering Policy: Select the Telnet filtering policy to be used in the content filtering policy template.
IMPORTANT: You must specify at least one filtering policy.
Displaying content filtering statistics
Select Identification > Content Filtering > Statistic Information from the navigation tree. The content filtering statistics page appears, as shown in Figure 79. You can view the statistics of each content filtering function.

Figure 79 Statistic information
Content filtering configuration example
Network requirements
As shown in Figure 80, hosts in LAN segment /24 access the Internet through Firewall. Security zones Trust and Untrust are configured on Firewall for the LAN and the Internet respectively. Perform the following configurations on Firewall:
Enable HTTP body filtering to block HTTP responses that carry the keyword abc.
Enable HTTP Java applet blocking to block Java applet requests to all websites except the one with IP address
Enable SMTP attachment name filtering to block all e-mails that carry .exe attachments.
Enable FTP upload filename filtering to prevent users from uploading files that carry abc in their filenames.
Enable Telnet command word filtering to prevent users from executing commands that carry the command keyword reboot.

Figure 80 Network diagram
Configuration procedure
1. Configure IP addresses for the interfaces of the Firewall and assign the interfaces to security zones. (Details not shown.)
2. Configure filtering entries.
# Configure an HTTP keyword filtering entry for the keyword abc.
Select Identification > Content Filtering > Filtering Entry from the navigation tree. The keyword filtering entry list page appears. Click Add and then perform the configurations shown in Figure 81.
Figure 81 Configuring HTTP keyword filtering entry abc
Enter the entry name abc_http.
Enter the keyword abc.
Select protocol HTTP.
Click Apply.
# Configure a Telnet keyword filtering entry for the keyword reboot.
Click the Keyword tab, and then click Add to perform the configurations shown in Figure

Figure 82 Configuring Telnet keyword filtering entry reboot
Enter the entry name reboot_telnet.
Enter the keyword reboot.
Select protocol Telnet.
Click Apply.
# Configure an SMTP filename filtering entry for .exe attachments.
Click the Filename tab, and then click Add to perform the configurations shown in Figure 83.
Figure 83 Configuring an SMTP filename filtering entry .exe
Enter the entry name exe_smtp.
Enter the filename keyword *.exe.
Select protocol SMTP.
Click Apply.
# Configure an FTP filename filtering entry for the keyword abc.
On the Filename tab, click Add to perform the configurations shown in Figure

Figure 84 Configuring an FTP filename filtering entry abc
Enter the entry name abc_ftp.
Enter the filename keyword abc.
Select protocol FTP.
Click Apply.
3. Configure content filtering policies:
# Configure an HTTP filtering policy without Java applet blocking.
Select Identification > Content Filtering > Filtering Policy from the navigation tree. The HTTP filtering policy list page appears. Then, click Add to perform the configurations shown in Figure

Figure 85 Configuring an HTTP filtering policy without Java applet blocking
Enter the policy name http_policy1.
Click the expansion button before Body Filtering.
Select body filtering entry abc_http in the available filtering entry list, and then click << to add it to the selected filtering entry list.
Click Apply.
# Configure an HTTP filtering policy with Java applet blocking.
On the HTTP filtering policy list page, click Add to perform the configurations shown in Figure

Figure 86 Configuring an HTTP filtering policy with Java applet blocking
Enter the policy name http_policy2.
Click the expansion button before Body Filtering.
Select body filtering entry abc_http in the available filtering entry list, and then click << to add it to the selected filtering entry list.
Select the Java Applet Blocking box.
Click Apply.
# Configure an SMTP filtering policy.
Click the SMTP Policy tab, and then click Add to perform the configurations shown in Figure

Figure 87 Configuring an SMTP filtering policy
Enter the policy name smtp_policy.
Click the expansion button before Attachment Filtering.
In the Attachment Name Filtering area, select filename filtering entry exe_smtp in the available filtering entry list, and then click << to add it to the selected filtering entry list.
Click Apply.

# Configure an FTP filtering policy.
Click the FTP Policy tab, and then click Add to perform the configurations shown in Figure 88.
Figure 88 Configuring an FTP filtering policy
Enter the policy name ftp_policy.
Click the expansion button before Upload Filename Filtering.
Select filename filtering entry abc_ftp in the available filtering entry list, and then click << to add it to the selected filtering entry list.
Click Apply.
# Configure a Telnet filtering policy.
Click the Telnet Policy tab, and then click Add to perform the configurations shown in Figure

Figure 89 Configuring a Telnet filtering policy
Enter the policy name telnet_policy.
Click the expansion button before Command Filtering.
Select command filtering entry reboot_telnet in the available filtering entry list, and then click << to add it to the selected filtering entry list.
Click Apply.
4. Configure content filtering policy templates:
# Configure a content filtering policy template without Java applet blocking.
Select Identification > Content Filtering > Policy Template from the navigation tree, and then click Add to perform the configurations shown in Figure 90.
Figure 90 Configuring a content filtering policy template without Java applet blocking
Enter the template name template1.

Select HTTP filtering policy http_policy1.
Select SMTP filtering policy smtp_policy.
Select FTP filtering policy ftp_policy.
Select Telnet filtering policy telnet_policy.
Click Apply.
# Configure a content filtering policy template with Java applet blocking.
Select Identification > Content Filtering > Policy Template from the navigation tree, and then click Add to perform the configurations shown in Figure 91.
Figure 91 Configuring a content filtering policy template with Java applet blocking
Enter the template name template2.
Select HTTP filtering policy http_policy2.
Select SMTP filtering policy smtp_policy.
Select FTP filtering policy ftp_policy.
Select Telnet filtering policy telnet_policy.
Click Apply.
5. Configure interzone policies that reference the content filtering policy templates:
# Configure an interzone policy for traffic from security zone Trust to the Java-permitted destination in security zone Untrust, referencing the content filtering policy template without Java applet blocking. This host-specific rule must be added before the general Trust-to-Untrust rule that follows.
Select Firewall > Security Policy > Interzone Policy from the navigation tree, and then click Add to perform the configurations shown in Figure

Figure 92 Configuring the interzone policy referencing the template without Java applet blocking
Select Trust as the source zone.
Select Untrust as the destination zone.
Select any_address as the source IP address.
In the Destination IP Address area, select the New IP Address option and then enter destination IP address /
Select any_service as the service name.
Select Permit as the filter action.
Select the Enable the rule box to enable the rule.
Select the Continue to add next rule box to add another rule after finishing this one.
Select content filtering policy template template1.
Click Apply.
# Configure an interzone policy for all other traffic from security zone Trust to security zone Untrust, referencing the content filtering policy template with Java applet blocking.
Select Trust as the source zone and Untrust as the destination zone, and perform the configurations shown in Figure
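To make the layering of this procedure concrete, here is an added example (not the firewall's code and not from this guide) that models the example configuration as data: the five filtering policies with their configured items, the two templates, and the two interzone rules, with an evaluate() function that applies the two rules this chapter states about templates: only a Permit interzone policy consults its template, and a drop is logged only when logging is enabled in both the filtering policy and the interzone policy. Everything the page does not state is an assumption marked in the code: interzone rules are evaluated top-down and the first match wins; a flow matching no rule is denied; a Java applet is recognised by a .class URL suffix (the Java blocking keywords are not shown); the logging switches are set here only to show the both-sides rule (the procedure leaves them off); and the Java-permitted server is 203.0.113.10 because its address is missing from the page text.

```python
"""Model of the layering in this chapter: entries feed per-protocol filtering
policies, a template groups the policies, and the template only acts when a
Permit interzone rule references it.

Added example, not the firewall's code. Assumptions are marked in comments.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

JAVA_SERVER = "203.0.113.10"    # constructed stand-in; the page's address is lost
Check = Callable[[dict], bool]  # one configured filtering item; True = condition matched


@dataclass
class FilteringPolicy:
    name: str
    checks: list[Check]         # "configure or enable at least one of these items"
    logging: bool = False       # the policy's own Enable Logging box

    def __post_init__(self) -> None:
        if not self.checks:
            raise ValueError(f"{self.name}: configure at least one item")

    def matches(self, content: dict) -> bool:
        return any(check(content) for check in self.checks)


@dataclass
class Template:
    name: str
    policies: dict[str, FilteringPolicy]   # protocol -> filtering policy (Table 35)

    def __post_init__(self) -> None:
        if not self.policies:
            raise ValueError(f"{self.name}: specify at least one filtering policy")


@dataclass
class InterzoneRule:
    src_zone: str
    dst_zone: str
    dst_net: str                # destination IP address or network
    action: str                 # "permit" or "deny"
    template: Optional[Template] = None
    logging: bool = False       # the interzone policy's own logging switch
    enabled: bool = True


@dataclass
class Verdict:
    action: str                 # "permit", "deny", or "drop" (by content filtering)
    rule: Optional[InterzoneRule]
    logged: bool = False


def evaluate(rules: list[InterzoneRule], flow: dict) -> Verdict:
    """Apply the first enabled rule that matches the flow (assumption: top-down, first match wins)."""
    for rule in rules:
        if not rule.enabled or (rule.src_zone, rule.dst_zone) != (flow["src_zone"], flow["dst_zone"]):
            continue
        if ip_address(flow["dst_ip"]) not in ip_network(rule.dst_net):
            continue
        if rule.action != "permit":
            return Verdict("deny", rule)   # a Deny rule never consults its template
        policy = rule.template.policies.get(flow["protocol"]) if rule.template else None
        if policy is not None and policy.matches(flow["content"]):
            # Content filtering drops the packet; it is logged only when logging is
            # enabled in BOTH the filtering policy and the interzone policy.
            return Verdict("drop", rule, logged=policy.logging and rule.logging)
        return Verdict("permit", rule)
    return Verdict("deny", None)           # assumption: no matching rule means deny


def example_rules() -> list[InterzoneRule]:
    """The entries, policies, templates and interzone rules of the configuration example."""
    body_abc = lambda c: "abc" in c.get("body", "")                                # abc_http
    java_applet = lambda c: c.get("url", "").lower().endswith(".class")            # assumed Java keyword
    exe_attachment = lambda c: any(n.lower().endswith(".exe") for n in c.get("attachments", []))  # exe_smtp
    upload_abc = lambda c: c.get("direction") == "upload" and "abc" in c.get("filename", "")       # abc_ftp
    cmd_reboot = lambda c: "reboot" in c.get("command", "")                        # reboot_telnet

    http1 = FilteringPolicy("http_policy1", [body_abc], logging=True)
    http2 = FilteringPolicy("http_policy2", [body_abc, java_applet], logging=True)
    common = {"smtp": FilteringPolicy("smtp_policy", [exe_attachment]),
              "ftp": FilteringPolicy("ftp_policy", [upload_abc]),
              "telnet": FilteringPolicy("telnet_policy", [cmd_reboot])}
    template1 = Template("template1", {"http": http1, **common})
    template2 = Template("template2", {"http": http2, **common})
    # Logging flags are set only to show the both-sides rule; the procedure leaves them off.
    return [
        # The host-specific rule must come first, or the general rule shadows it.
        InterzoneRule("Trust", "Untrust", f"{JAVA_SERVER}/32", "permit", template1, logging=True),
        InterzoneRule("Trust", "Untrust", "0.0.0.0/0", "permit", template2, logging=False),
    ]


def flow(protocol: str, dst_ip: str = "198.51.100.7", **content) -> dict:
    """A constructed Trust-to-Untrust flow; CONTENT holds what the inspected protocol carries."""
    return {"src_zone": "Trust", "dst_zone": "Untrust", "dst_ip": dst_ip,
            "protocol": protocol, "content": content}


if __name__ == "__main__":
    rules = example_rules()
    print(evaluate(rules, flow("http", JAVA_SERVER, url="/applet/Main.class")).action)       # permit
    print(evaluate(rules, flow("http", url="/applet/Main.class")).action)                    # drop
    print(evaluate(list(reversed(rules)), flow("http", JAVA_SERVER, url="/a.class")).action)  # drop
```

The reversed-rules case is the check worth running before applying such a policy on a real firewall: with the general Trust-to-Untrust rule first, the Java-permitted host never reaches its own rule and its applets are dropped like everyone else's. The logged flag shows the other common surprise: http_policy2 has logging enabled, but drops under the second interzone rule are not logged because that rule's own logging switch is off.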


More information

HP Firewalls and UTM Devices

HP Firewalls and UTM Devices HP Firewalls and UTM Devices NAT and ALG Configuration Guide Part number: 5998-4166 Software version: F1000-A-EI: Feature 3722 F1000-S-EI: Feature 3722 F5000: Feature 3211 F1000-E: Feature 3174 Firewall

More information

HPE FlexFabric 5940 Switch Series

HPE FlexFabric 5940 Switch Series HPE FlexFabric 5940 Switch Series Layer 3 IP Services Configuration Guide Part number: 5200-1022a Software version: Release 2508 and later verison Document version: 6W101-20161101 Copyright 2016 Hewlett

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

HP 5130 EI Switch Series

HP 5130 EI Switch Series HP 5130 EI Switch Series ACL and QoS Configuration Guide Part number: 5998-5471a Software version: Release 31xx Document version: 6W100-20150731 Legal and notice information Copyright 2015 Hewlett-Packard

More information

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet

More information

HP 6125XLG Blade Switch

HP 6125XLG Blade Switch HP 6125XLG Blade Switch Network Management and Monitoring Configuration Guide Part number: 5998-5376a Software version: Release 240x Document version: 6W101-20150515 Legal and notice information Copyright

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series About the HP 6125 Blade Command s Part number: 5998-3163 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard

More information

Configuring Flood Protection

Configuring Flood Protection Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-7772b Software version: Release 241x Document version: 6W102-20171117 Legal and notice information

More information

Detecting Specific Threats

Detecting Specific Threats The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan

More information

HP MSR Router Series. Network Management and Monitoring Configuration Guide(V7)

HP MSR Router Series. Network Management and Monitoring Configuration Guide(V7) HP MSR Router Series Network Management and Monitoring Configuration Guide(V7) Part number: 5998-7724b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright

More information

HP Routing Switch Series

HP Routing Switch Series HP 12500 Routing Switch Series EVI Configuration Guide Part number: 5998-3419 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled

More information

HP A3100 v2 Switch Series

HP A3100 v2 Switch Series HP A3100 v2 Switch Series Layer 3 - IP Services Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Layer 2 - LAN Switching Configuration Guide Part number: 5998-1807 Software version: Release 1513 Document version: 6W100-20130830 Legal and notice information Copyright 2013 Hewlett-Packard

More information

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module About the HP 830 Series Switch and HP 10500/7500 20G Unified Module s Part number: 5998-3903 Software version: 3308P29 (HP 830 Series Switch) 2308P29 (HP 10500/7500 20G Unified Module) Document version:

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-1807 Software version: Release 1513 Document version: 6W100-20130830 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Network Security. Thierry Sans

Network Security. Thierry Sans Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-4571 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN

More information

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Network Security Evil ICMP, Careless TCP & Boring Security Analyses Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Part I Internet Control Message Protocol (ICMP) Why ICMP No method

More information

About the Configuration Guides for HP Unified

About the Configuration Guides for HP Unified About the Configuration Guides for HP Unified Wired-W Products HP 830 Unified Wired-W PoE+ Switch Series HP 850 Unified Wired-W Appliance HP 870 Unified Wired-W Appliance HP 11900/10500/7500 20G Unified

More information

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods Ping of death Land attack Teardrop Syn flood Smurf attack DOS Attack Methods Ping of Death A type of buffer overflow attack that exploits a design flaw in certain ICMP implementations where the assumption

More information

History Page. Barracuda NextGen Firewall F

History Page. Barracuda NextGen Firewall F The Firewall > History page is very useful for troubleshooting. It provides information for all traffic that has passed through the Barracuda NG Firewall. It also provides messages that state why traffic

More information

IP Services Commands. Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services IP1R-157

IP Services Commands. Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services IP1R-157 Use the commands in this chapter to configure various IP services. For configuration information and examples on IP services, refer to the Configuring IP Services chapter of the Cisco IOS IP Configuration

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series ACL and QoS Configuration Guide Part number: 5998-2897 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking 1 Review of TCP/IP working Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path Frame Path Chapter 3 Client Host Trunk Link Server Host Panko, Corporate

More information

Implementing Firewall Technologies

Implementing Firewall Technologies Implementing Firewall Technologies Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources. Technologies used: ACLs Standard,

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series OpenFlow Command Reference Part number: 5998-4679a Software version: Release 23xx Document version: 6W101-20150320 Legal and notice information Copyright 2015 Hewlett-Packard

More information

HPE Intelligent Management Center

HPE Intelligent Management Center HPE Intelligent Management Center Service Health Manager Administrator Guide Abstract This guide provides introductory, configuration, and usage information for Service Health Manager (SHM). It is for

More information

HP MSR Router Series. EVI Configuration Guide(V7) Part number: b Software version: CMW710-R0304 Document version: 6PW

HP MSR Router Series. EVI Configuration Guide(V7) Part number: b Software version: CMW710-R0304 Document version: 6PW HP MSR Router Series EVI Configuration Guide(V7) Part number: 5998-7360b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

ICS 451: Today's plan

ICS 451: Today's plan ICS 451: Today's plan ICMP ping traceroute ARP DHCP summary of IP processing ICMP Internet Control Message Protocol, 2 functions: error reporting (never sent in response to ICMP error packets) network

More information

HP 3600 v2 Switch Series

HP 3600 v2 Switch Series HP 3600 v2 Switch Series ACL and QoS Configuration Guide Part number: 5998-2354 Software version: Release 2101 Document version: 6W101-20130930 Legal and notice information Copyright 2013 Hewlett-Packard

More information

HP A3100 v2 Switch Series

HP A3100 v2 Switch Series HP A3100 v2 Switch Series Layer 2 - LAN Switching Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)

More information

Network Security. Tadayoshi Kohno

Network Security. Tadayoshi Kohno CSE 484 (Winter 2011) Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

More information

H

H H12-721 Number: H12-721 Passing Score: 800 Time Limit: 120 min File Version: 1.0 Exam A QUESTION 1 The main method of caching servers DNS Request Flood defense is the use of DNS source authentication.

More information

HP Switch Series

HP Switch Series HP 10500 Switch Series ACL and QoS Configuration Guide Part number: 5998-5230 Software version: Release 2111P01 and later Document version: 6W101-20140331 Legal and notice information Copyright 2014 Hewlett-Packard

More information

HP A6600 Routers Network Management and Monitoring. Command Reference. Abstract

HP A6600 Routers Network Management and Monitoring. Command Reference. Abstract HP A6600 Routers Network Management and Monitoring Command Reference Abstract This document describes the commands and command syntax options available for the HP A Series products. This document is intended

More information

HP MSR Router Series. IPX Configuration Guide(V5) Part number: Software version: CMW520-R2513 Document version: 6PW

HP MSR Router Series. IPX Configuration Guide(V5) Part number: Software version: CMW520-R2513 Document version: 6PW HP MSR Router Series IPX Configuration Guide(V5) Part number: 5998-8183 Software version: CMW520-R2513 Document version: 6PW106-20150808 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

Configuring ARP attack protection 1

Configuring ARP attack protection 1 Contents Configuring ARP attack protection 1 ARP attack protection configuration task list 1 Configuring unresolvable IP attack protection 1 Configuring ARP source suppression 2 Configuring ARP blackhole

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series MCE Configuration Guide Part number: 5998-2896 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard Development

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series MCE Configuration Guide Part number: 5998-4625 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information Copyright

More information

IP Services Commands. Network Protocols Command Reference, Part 1 P1R-95

IP Services Commands. Network Protocols Command Reference, Part 1 P1R-95 IP Services Commands Use the commands in this chapter to configure various IP services. For configuration information and examples on IP services, refer to the Configuring IP Services chapter of the Network

More information

AutoSecure. Finding Feature Information. Last Updated: January 18, 2012

AutoSecure. Finding Feature Information. Last Updated: January 18, 2012 AutoSecure Last Updated: January 18, 2012 The AutoSecure feature secures a router by using a single CLI command to disable common IP services that can be exploited for network attacks, enable IP services

More information

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall

More information

IPv6 Commands: ipv6 h to ipv6 mi

IPv6 Commands: ipv6 h to ipv6 mi IPv6 Commands: ipv6 h to ipv6 mi ipv6 hello-interval eigrp, page 3 ipv6 hold-time eigrp, page 5 ipv6 hop-limit, page 7 ipv6 host, page 8 ipv6 icmp error-interval, page 10 ipv6 inspect, page 12 ipv6 inspect

More information

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface CCNA4 Chapter 5 * Router and ACL By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. *

More information

HP Routing Switch Series

HP Routing Switch Series HP 12500 Routing Switch Series MPLS Configuration Guide Part number: 5998-3414 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HPE FlexNetwork 5510 HI Switch Series

HPE FlexNetwork 5510 HI Switch Series HPE FlexNetwork 5510 HI Switch Series Layer 3 IP Services Command Reference Part number: 5200-0078b Software version: Release 11xx Document version: 6W102-20171020 Copyright 2015, 2017 Hewlett Packard

More information

VG422R. User s Manual. Rev , 5

VG422R. User s Manual. Rev , 5 VG422R User s Manual Rev 1.0 2003, 5 CONGRATULATIONS ON YOUR PURCHASE OF VG422R... 1 THIS PACKAGE CONTAINS... 1 CONFIRM THAT YOU MEET INSTALLATION REQUIREMENTS... 1 1. INSTALLATION GUIDE... 2 1.1. HARDWARE

More information

Contents. Configuring urpf 1

Contents. Configuring urpf 1 Contents Configuring urpf 1 Overview 1 urpf check modes 1 Features 1 urpf operation 2 Network application 3 Configuration procedure 4 Displaying and maintaining urpf 4 urpf configuration example 4 Configuring

More information

ProCurve Switch G ProCurve Switch G

ProCurve Switch G ProCurve Switch G Management and Configuration Guide ProCurve Switch 1800-8G ProCurve Switch 1800-24G www.procurve.com ProCurve Series 1800 Switch Management and Configuration Guide Copyright 2006, 2007 Hewlett-Packard

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series Network Management and Monitoring Command Reference Part number: 5998-2889 Software version: Release 2210 Document version: 6W100-20131105 Legal and notice information Copyright

More information

HP FlexFabric 7900 Switch Series

HP FlexFabric 7900 Switch Series HP FlexFabric 7900 Switch Series MCE Configuration Guide Part number: 5998-6188 Software version: Release 2117 and Release 2118 Document version: 6W100-20140805 Legal and notice information Copyright 2014

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series ACL and QoS Configuration Guide Part number: 5998-7761a Software version: Release 241x Document version: 6W102-20151210 Legal and notice information Copyright 2015 Hewlett-Packard

More information

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1 Table of Contents 1 IPv6 Configuration 1-1 IPv6 Overview 1-1 IPv6 Features 1-1 Introduction to IPv6 Address 1-2 Introduction to IPv6 Neighbor Discovery Protocol 1-5 Introduction to ND Snooping 1-7 Introduction

More information

C HAPTER 12. Port Binding Overview. This chapter describes how to configure the port binding settings.

C HAPTER 12. Port Binding Overview. This chapter describes how to configure the port binding settings. C HAPTER 12 Port Binding 12.1 Overview This chapter describes how to configure the port binding settings. Port binding allows you to aggregate port connections into logical groups. You may bind WAN PVCs

More information

IP Services Volume Organization

IP Services Volume Organization IP Services Volume Organization Manual Version 6W100-20090626 Product Version Release 1102 Organization The IP Services Volume is organized as follows: Features IP Address IP Performance Optimization ARP

More information

Operation Manual Security. Table of Contents

Operation Manual Security. Table of Contents Table of Contents Table of Contents Chapter 1 Network Security Overview... 1-1 1.1 Introduction to the Network Security Features Provided by CMW... 1-1 1.2 Hierarchical Line Protection... 1-2 1.3 RADIUS-Based

More information

HP FlexFabric 5700 Switch Series

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series High Availability Configuration Guide Part number: 5998-6680 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015

More information

WIDS Technology White Paper

WIDS Technology White Paper Technical white paper WIDS Technology White Paper Table of contents Overview... 2 Background... 2 Functions... 2 Rogue detection implementation... 2 Concepts... 2 Operating mechanism... 2 Operating modes...

More information

HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract

HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract HP A5820X & A5800 Switch Series MPLS Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through the software configuration

More information

H3C S10500 Attack Protection Configuration Examples

H3C S10500 Attack Protection Configuration Examples H3C S10500 Attack Protection Configuration Examples Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any

More information

User Role Firewall Policy

User Role Firewall Policy User Role Firewall Policy An SRX Series device can act as an Infranet Enforcer in a UAC network where it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from

More information

HPE 5920 & 5900 Switch Series

HPE 5920 & 5900 Switch Series HPE 5920 & 5900 Switch Series Layer 3 IP Services Command Reference Part number: 5998-6643t Software version: Release 2422P01 Document version: 6W101-20171030 Copyright 2016, 2017 Hewlett Packard Enterprise

More information

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies In order to establish a TCP connection, the TCP three-way handshake must be completed. You can use different accept policies

More information