DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0



Hangzhou DPtech Technologies Co., Ltd. provides full-range technical support. If you need any help, please contact Hangzhou DPtech Technologies Co., Ltd. or its sales agent, according to where you purchased the product.

Hangzhou DPtech Technologies Co., Ltd.
Address: 6th floor, Zhongcai Mansion, 68 Tonghelu, Binjiangqu, Hangzhoushi
Address code:

Declaration

Copyright 2013 Hangzhou DPtech Technologies Co., Ltd. All rights reserved. No part of this manual may be extracted or copied by any company or individual without written permission, nor transmitted by any means. Owing to product upgrades or other reasons, the information in this manual is subject to change, and Hangzhou DPtech Technologies Co., Ltd. reserves the right to modify the content of this manual. As this is a user guide, Hangzhou DPtech Technologies Co., Ltd. has made every effort in the preparation of this document to ensure the accuracy of its contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Table of Contents

Chapter 1 Firewall
  1.1 Introduction to Firewall
  1.2 Packet Filtering Policy
      Packet Filtering Policy
      Packet Filtering Policy Log
      ALG Configuration
  1.3 IPv6 Packet Filtering Policy
  1.4 NAT
      Introduction to NAT
      Source NAT
      Destination NAT
      One to One NAT
      Address Pool
      ALG Configuration
  1.5 NAT_PT
  1.6 Basic Attack Protection
      Basic Attack Protection
      Basic Attack Log Query
  1.7 Sessions Limit
  1.8 Service Limitation
  1.9 IPv4 Basic DDoS Protection
      Defend Object Management
      Configuration and Tendency
      Protection History
  1.10 Blacklist
      Blacklist
      Blacklist Query
      Blacklist Log Query
  1.11 QoS
      VIP Bandwidth Guarantee
      Traffic Shaping
  1.12 Anti-ARP-Spoofing
      Anti-ARP-Spoofing
      ARP Configuration
Chapter 2 Load Balancing
  2.1 Link Load Balancing
      Introduction to Link Load Balancing
      Link Config
      ISP
  2.2 Logic Link Group
  2.3 Link Health Check
Chapter 3 VPN
  3.1 IPsec
      Introduction to IPsec
      IPsec VPN Configuration
      DPVPN
      Xauth User
      IPsec Interface
      Display Connections
      Operation Log
  3.2 L2TP
      Introduction to L2TP
      L2TP
  3.3 GRE VPN
      Introduction to the GRE
      Configuring GRE Configuration
  3.4 SSL VPN
      Introduction to the SSL VPN
      Global Configuration
      Resource Configuration
      User Management
      Online User Status
      Operation Log Query
Chapter 4 IDS Integration
  IDS Integration Log

List of Figures
  Figure1-1 Firewall module
  Figure1-2 Packet filtering policy
  Figure1-3 Packet filtering policy log
  Figure1-4 Packet filtering policy log
  Figure1-5 ALG configuration
  Figure1-6 IPv6 packet filtering policy
  Figure1-7 Source NAT
  Figure1-8 Destination NAT
  Figure1-9 One to one NAT
  Figure1-10 Address pool
  Figure1-11 ALG configuration
  Figure1-12 ALG configuration
  Figure1-13 Basic attack protection
  Figure1-14 Basic attack log query
  Figure1-15 Session limitation
  Figure1-16 Service limitation
  Figure1-17 Defend object management
  Figure1-18 Traffic status and monitoring
  Figure1-19 DDOS defend settings
  Figure1-20 Protection history
  Figure1-21 Blacklist configuration
  Figure1-22 Blacklist query
  Figure1-23 Blacklist log query
  Figure1-24 VIP bandwidth guarantee
  Figure1-25 Traffic shaping
  Figure1-26 Anti-ARP-Spoofing
  Figure1-27 ARP configuration
  Figure2-1 Link load balancing
  Figure2-2 ISP
  Figure2-3 Logic link group
  Figure2-4 Link health check
  Figure3-1 IPsec VPN configuration
  Figure3-2 DPVPN
  Figure3-3 Xauth user
  Figure3-4 IPsec interface
  Figure3-5 Display connection
  Figure3-6 Operation log
  Figure3-7 L2TP
  Figure3-8 GRE
  Figure3-9 SSL VPN
  Figure3-10 Resource configuration
  Figure3-11 Resource configuration
  Figure3-12 Online user status
  Figure3-13 Operation log query
  Figure4-1 IDS integration log

List of Tables
  Table1-1 Packet filtering policy
  Table1-2 Configuring action
  Table1-3 Packet filtering policy log
  Table1-4 ALG configuration
  Table1-5 Source NAT configuration
  Table1-6 Destination NAT configuration
  Table1-7 One to one NAT configuration
  Table1-8 Address pool configuration
  Table1-9 ALG configuration
  Table1-10 Basic attack protection
  Table1-11 Basic attack log query
  Table1-12 Exceeding control
  Table1-13 Defend object management
  Table1-14 Traffic and status monitoring
  Table1-15 DDOS defend settings
  Table1-16 Blacklist configuration
  Table1-17 Blacklist query
  Table1-18 Blacklist log query
  Table1-19 VIP bandwidth guarantee
  Table1-20 Anti-ARP-Spoofing
  Table1-21 ARP configuration
  Table2-1 Link load balancing
  Table2-2 ISP
  Table3-1 IPsec VPN configuration
  Table3-2 DPVPN
  Table3-3 Display connections
  Table3-4 Operation log
  Table3-5 L2TP
  Table3-6 GRE
  Table3-7 Global configuration

Chapter 1 Firewall

1.1 Introduction to Firewall

The firewall controls incoming and outgoing data packets and blocks intrusions from the outside network. The firewall provides the following functions:
  Packet filtering
  IPv6 packet filtering
  NAT
  NAT_PT
  Basic protection
  Sessions limitation
  Service limit
  Basic DDoS
  Advanced Algorithm
  Blacklist
  QoS
  Anti-ARP-spoofing
  Traffic analysis

To view the firewall menu, choose Firewall module > Packet filtering, as shown in Figure1-1.

Figure1-1 Firewall module

1.2 Packet Filtering Policy

Packet Filtering Policy

Packet filtering inspects the source domain, destination domain, originator source IP, originator destination IP, originator source MAC, originator destination MAC, service, IP fragment and flow re-mark of every data packet, and applies the configured action. To enter the packet filtering policy page, choose Firewall module > Packet filtering, as shown in Figure1-2.

Figure1-2 Packet filtering policy

Table1-1 describes the details of the packet filtering policy.

Table1-1 Packet filtering policy
  Serial number: Serial number of the packet filtering policy.
  Source domain: Specify the source domain.
  Destination domain: Specify the destination domain.
  Originator source IP: Specify the originator source IP.
  Originator destination IP: Specify the originator destination IP.
  Originator source MAC: Specify the range of packet source MAC addresses.
  Originator destination MAC: Specify the range of packet destination MAC addresses.
  Service: Specify the service scope of the packet filtering policy.
  IP fragment: Specify whether the policy applies to IP fragments.
  Valid time: Specify the valid time of the packet filtering policy.
  Status: Specify whether the current policy is in effect.
  Action: Specify whether the packet is permitted to pass through the device, and apply further limits to the packet filtering policy.
  Operation: Click the copy icon to add a copy as a new policy. Click the delete icon to delete a policy. Click the insert icon to insert a new rule.

Table1-2 describes the details of how to configure the action.

Table1-2 Configuring action
  Pass: Allow the packet to pass through the device.
  Discard: Do not allow the packet to pass through the device.
  Rate limitation: Select the rate limitation rule that will apply to the packet filtering policy.
  Per IP rate limitation: Select the per-IP rate limitation rule that will apply to the packet filtering policy.
  Access control: Select the access control rule that will apply to the packet filtering policy.
  URL filtering: Select the URL filtering rule that will apply to the packet filtering policy.
  Advanced filtering: Select the advanced filtering rule that will apply to the packet filtering policy.
  Behavior audit: Select the behavior audit rule that will apply to the packet filtering policy.
  Flow analysis: Select whether to enable flow analysis.

To create a packet filtering policy:
  1. Click the copy icon.
  2. Select the source domain and destination domain in the new line.
  3. Select the originator source IP and originator destination IP for the packet filtering policy.
  4. Select the related service and valid time for the packet filtering policy.
  5. Select the action: pass, discard or rate limitation.
  6. Click the Ok button in the upper right.

Caution: If no packet filtering policy matches a packet, the default behaviour applies. By default, an interface with a higher security level can visit an interface with a lower security level, but an interface with a lower security level cannot visit an interface with a higher security level.

Packet Filtering Policy Log

The packet filtering policy log query function allows you to query specific logs in the database. Select the item to be enabled, as shown in Figure1-3.

Figure1-3 Packet filtering policy log

To enter the packet filtering policy log page, choose Firewall module > Packet filtering policy > Packet filtering policy log, as shown in Figure1-4.

Figure1-4 Packet filtering policy log

Table1-3 describes the details of the packet filtering policy log.

Table1-3 Packet filtering policy log
  Serial number: Displays the policy serial number.
  Time: Displays when the log was created.
  Protocol: Displays the protocol of the packet filtering policy.
  Source IP: Displays the source IP of the packet filtering policy.
  Destination IP: Displays the destination IP of the packet filtering policy.
  Source port/type: Displays the source port/type of the packet filtering policy.
  Destination port/code: Displays the destination port/code of the packet filtering policy.
  Inbound interface: Displays the inbound interface of the packet filtering policy.
  Outbound interface: Displays the outbound interface of the packet filtering policy.
  Action: Displays the action of the packet filtering policy.

ALG Configuration

ALG configuration lets you configure the application layer gateway (ALG) for every protocol, so that packets of every kind of protocol can be transmitted to their destination. To enter the ALG configuration page, choose Firewall module > Packet filtering policy > ALG configuration, as shown in Figure1-5.

Figure1-5 ALG configuration

Table1-4 describes the details of ALG configuration.

Table1-4 ALG configuration
  Protocol: Displays the protocol name.
  State: Displays the enabling status of the ALG configuration.

1.3 IPv6 Packet Filtering Policy

To enter the IPv6 packet filtering policy page, choose Firewall module > Packet filtering policy > IPv6 packet filtering policy, as shown in Figure1-6.

Figure1-6 IPv6 packet filtering policy
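The matching fields of Table1-1, the actions of Table1-2 and the default behaviour from the Caution, carried into working code as an added example (not DPtech code; the zones, their security levels and the sample policies are constructed). It also accepts the IPv6 originator addresses of section 1.3, since a policy's CIDR lists can hold either address family:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed security levels for the source/destination domains (zones):
# a higher number is a more trusted zone.
ZONE_LEVEL = {"trust": 100, "dmz": 50, "untrust": 0}


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str                    # IPv4 or IPv6 literal
    dst_ip: str
    src_mac: str
    dst_mac: str
    proto: str                     # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    is_fragment: bool = False


@dataclass
class Policy:
    """One row of Table1-1; an empty match list means 'any'."""
    serial: int
    src_zone: str = "any"
    dst_zone: str = "any"
    src_ips: list = field(default_factory=list)   # originator source IP (CIDR)
    dst_ips: list = field(default_factory=list)   # originator destination IP (CIDR)
    src_mac_prefix: str = ""                      # originator source MAC range
    services: list = field(default_factory=list)  # (proto, dst_port) pairs
    match_fragments: bool = True                  # IP fragment option
    enabled: bool = True                          # Status
    action: str = "pass"                          # Table1-2: pass, discard, rate_limit
    rate_limit_rule: str = ""


def ip_in_any(ip: str, nets: list) -> bool:
    """True when nets is empty (any) or ip lies in one of the CIDR ranges.
    An IPv6 address never matches an IPv4 network and vice versa."""
    addr = ip_address(ip)
    return not nets or any(addr in ip_network(n, strict=False) for n in nets)


def matches(policy: Policy, pkt: Packet) -> bool:
    if not policy.enabled:
        return False
    if policy.src_zone not in ("any", pkt.src_zone):
        return False
    if policy.dst_zone not in ("any", pkt.dst_zone):
        return False
    if not ip_in_any(pkt.src_ip, policy.src_ips):
        return False
    if not ip_in_any(pkt.dst_ip, policy.dst_ips):
        return False
    if policy.src_mac_prefix and not pkt.src_mac.lower().startswith(policy.src_mac_prefix.lower()):
        return False
    if pkt.is_fragment and not policy.match_fragments:
        return False
    if policy.services and (pkt.proto, pkt.dst_port) not in policy.services:
        return False
    return True


def evaluate(policies: list, pkt: Packet) -> tuple:
    """Return (action, serial) of the first matching policy in serial order.
    With no match the default rule from the Caution applies (serial 0):
    higher security level to lower passes, anything else is discarded
    (treating equal levels as discard is an assumption of this example)."""
    for policy in sorted(policies, key=lambda p: p.serial):
        if matches(policy, pkt):
            return policy.action, policy.serial
    if ZONE_LEVEL[pkt.src_zone] > ZONE_LEVEL[pkt.dst_zone]:
        return "pass", 0
    return "discard", 0


# Constructed sample policies.
POLICIES = [
    Policy(1, "untrust", "dmz", dst_ips=["203.0.113.10/32"], services=[("tcp", 443)]),
    Policy(2, "untrust", "dmz", dst_ips=["203.0.113.0/24"], match_fragments=False,
           action="discard"),
    Policy(3, "trust", "untrust", src_ips=["192.168.1.0/24"], services=[("tcp", 80)],
           action="rate_limit", rate_limit_rule="web-1mbps"),
    Policy(4, "trust", "untrust", src_ips=["2001:db8:1::/64"], enabled=False),
]

if __name__ == "__main__":
    https = Packet("untrust", "dmz", "198.51.100.7", "203.0.113.10",
                   "00:11:22:33:44:55", "66:77:88:99:aa:bb", "tcp", 443)
    print(evaluate(POLICIES, https))   # ('pass', 1)
```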

1.4 NAT

Introduction to NAT

NAT (Network Address Translation) provides a way of translating the IP address in an IP packet header to another IP address. In practice, NAT is primarily used to allow users with private IP addresses to access public networks. With NAT, a smaller number of public IP addresses meets the public network access requirements of a larger number of private hosts, so NAT effectively alleviates the depletion of IP addresses.

Source NAT

To enter the source NAT page, choose Firewall module > NAT > Source NAT, as shown in Figure1-7.

Figure1-7 Source NAT

Table1-5 describes the details of the source NAT configuration.

Table1-5 Source NAT configuration
  ID: Displays the serial number of the source NAT policy.
  Out interface: Select the outbound interface for the source NAT policy.
  Source IP: Configure the source IP segment for the source NAT policy.
  Destination IP: Configure the destination IP segment for the source NAT policy.
  Service: Configure the service scope of the source NAT policy, including all, service group, user-defined service object and pre-defined service object.
  Public IP address pool: Configure the public address pool of the source NAT policy.
  Operation: Click the copy icon or the delete icon to perform the operation.

To configure source NAT:
  1. Click the copy button of the source NAT configuration.
  2. Configure the outbound interface of the source NAT policy.
  3. Configure the IP address and mask of the source NAT policy.
  4. Configure the public IP of the source NAT policy.
  5. After you have configured the advanced configuration, click the Ok button on the upper right.

Destination NAT

To enter the destination NAT page, choose Firewall module > Firewall > NAT > Destination NAT, as shown in Figure1-8.

Figure1-8 Destination NAT

Table1-6 describes the details of the destination NAT configuration.

Table1-6 Destination NAT configuration
  ID: Displays the destination NAT ID.
  In interface: Displays the inbound interface of the destination NAT policy.
  Common address: Displays the destination NAT policy.
  Service: Displays the service type of the destination NAT policy.
  Expert config: Displays the expert config of the destination NAT policy.
  Advanced configuration: Displays the advanced configuration of the destination NAT policy.
  Operation: Click the copy icon or the delete icon to perform the operation.

To configure destination NAT:
  1. Click the copy button of the destination NAT policy.
  2. Configure the outbound interface of the destination NAT policy.
  3. Configure the service type of the destination NAT policy.
  4. Configure the public address of the destination NAT server.
  5. Configure the inner IP address of the destination NAT server.
  6. After you finish the above steps, click the Ok button in the upper right.

Note: If you configure the server inner port in the advanced configuration, connections are made to that inner port as the destination port after destination NAT has been applied.

One to One NAT

To enter the one to one NAT page, choose Firewall module > Firewall > NAT > One to one NAT, as shown in Figure1-9.

Figure1-9 One to one NAT

Table1-7 describes the details of the one to one NAT configuration.

Table1-7 One to one NAT configuration
  Serial number: Displays the serial number of the one to one NAT policy.
  Public interface: Displays the outbound interface of the one to one NAT policy.
  One to one NAT: Displays the inner address of the one to one NAT policy.
  Public address: Displays the public address of the one to one NAT policy.
  Operation: Click the copy icon to copy a one to one NAT policy. Click the delete icon to delete a one to one NAT policy.

To configure one to one NAT:
  1. Click the copy icon of the one to one NAT policy.
  2. Configure the public interface of the one to one NAT policy.
  3. Configure the inner address of the one to one NAT policy.
  4. Configure the public address of the one to one NAT policy.
  5. After you finish the above steps, click the Ok button in the upper right.

1.4.5 Address Pool

To enter the address pool page, choose Firewall module > Firewall > NAT > Address pool, as shown in Figure1-10.

Figure1-10 Address pool

Table1-8 describes the details of the address pool.

Table1-8 Address pool configuration
  ID: Displays the ID of the address pool.
  Start IP address: Configure the start IP address of the address pool.
  End IP address: Configure the end IP address of the address pool.
  Operation: Click the copy icon or the delete icon to perform the operation.

To configure an address pool:
  1. Click the button of the address pool (except on the first line of the table).
  2. Configure the ID number.
  3. Configure the start IP of the address pool.
  4. Configure the end IP of the address pool.
  5. After you finish the above steps, click the Ok button on the upper right.

ALG Configuration

ALG configuration lets you configure the application layer gateway (ALG) for every protocol, so that packets of every kind of protocol can be transmitted to their destination. To enter the ALG configuration page, choose Firewall module > Firewall > NAT > ALG configuration, as shown in Figure1-11.

Figure1-11 ALG configuration

Table1-9 describes the details of ALG configuration.

Table1-9 ALG configuration
  Protocol: Displays the protocol name.
  State: Select whether to enable or disable the protocol.

1.5 NAT_PT

After enabling the NAT_PT function, you can set the NAT_PT configuration. To enter the NAT_PT configuration page, choose Firewall module > Firewall > NAT_PT, as shown in Figure1-12.

Figure1-12 ALG configuration
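Source NAT with a Table1-8 address pool and destination NAT with the server inner port from the Note above, as an added example (not DPtech code). The flows and addresses are constructed, and the round-robin choice of pool address with sequential port allocation is an assumption of this example, not documented device behaviour:

```python
from ipaddress import ip_address, ip_network


class AddressPool:
    """Table1-8 row: a range of public addresses from start IP to end IP."""

    def __init__(self, pool_id: int, start: str, end: str):
        self.id = pool_id
        first, last = int(ip_address(start)), int(ip_address(end))
        if last < first:
            raise ValueError("end IP precedes start IP")
        self.addresses = [str(ip_address(i)) for i in range(first, last + 1)]


def service_matches(service, proto: str, port: int) -> bool:
    """service is 'all' or a (proto, port) pair such as ('tcp', 80)."""
    return service == "all" or service == (proto, port)


class Nat:
    def __init__(self):
        self.snat = []          # Table1-5 rows, first match wins
        self.dnat = []          # Table1-6 rows, first match wins
        self.table = {}         # (proto, private ip, private port) -> (public ip, public port)
        self.reverse = {}       # (proto, public ip, public port) -> (private ip, private port)
        self.next_port = 1024   # assumption: sequential port allocation

    def add_snat(self, out_if: str, src_cidr: str, dst_cidr: str, service, pool: AddressPool):
        self.snat.append(dict(out_if=out_if, src=ip_network(src_cidr, strict=False),
                              dst=ip_network(dst_cidr, strict=False), service=service, pool=pool))

    def add_dnat(self, in_if: str, public_ip: str, service, inner_ip: str, inner_port=None):
        self.dnat.append(dict(in_if=in_if, public_ip=public_ip, service=service,
                              inner_ip=inner_ip, inner_port=inner_port))

    def outbound(self, out_if, proto, src_ip, src_port, dst_ip, dst_port):
        """Apply the first matching source NAT rule; returns the translated 4-tuple."""
        for rule in self.snat:
            if (rule["out_if"] == out_if and ip_address(src_ip) in rule["src"]
                    and ip_address(dst_ip) in rule["dst"]
                    and service_matches(rule["service"], proto, dst_port)):
                key = (proto, src_ip, src_port)
                if key not in self.table:
                    pool = rule["pool"].addresses
                    public_ip = pool[len(self.table) % len(pool)]   # round-robin over the pool
                    public = (public_ip, self.next_port)
                    self.next_port += 1
                    self.table[key] = public
                    self.reverse[(proto,) + public] = (src_ip, src_port)
                public_ip, public_port = self.table[key]
                return public_ip, public_port, dst_ip, dst_port
        return src_ip, src_port, dst_ip, dst_port

    def inbound(self, in_if, proto, src_ip, src_port, dst_ip, dst_port):
        """Destination NAT for published servers, otherwise reverse-translate a reply."""
        for rule in self.dnat:
            if (rule["in_if"] == in_if and rule["public_ip"] == dst_ip
                    and service_matches(rule["service"], proto, dst_port)):
                # Note in the guide: a configured server inner port replaces the destination port.
                inner_port = rule["inner_port"] if rule["inner_port"] is not None else dst_port
                return src_ip, src_port, rule["inner_ip"], inner_port
        private = self.reverse.get((proto, dst_ip, dst_port))
        if private is not None:
            return src_ip, src_port, private[0], private[1]
        return src_ip, src_port, dst_ip, dst_port


if __name__ == "__main__":
    nat = Nat()
    nat.add_snat("ge0/0", "192.168.1.0/24", "0.0.0.0/0", "all",
                 AddressPool(1, "203.0.113.1", "203.0.113.2"))
    nat.add_dnat("ge0/0", "203.0.113.50", ("tcp", 80), "10.0.0.5", 8080)
    print(nat.outbound("ge0/0", "tcp", "192.168.1.10", 40000, "198.51.100.1", 80))
    print(nat.inbound("ge0/0", "tcp", "192.0.2.9", 51000, "203.0.113.50", 80))
```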

1.6 Basic Attack Protection

Basic Attack Protection

Sometimes attack packets are transmitted in the network, which can disturb hosts receiving normal packets. Basic attack protection can block the attack packets and send a log. To enter the basic attack protection page, choose Firewall module > Basic attack protection, as shown in Figure1-13.

Figure1-13 Basic attack protection

Table1-10 describes the details of basic attack protection.

Table1-10 Basic attack protection
  Attack type: Select an attack type of basic attack protection.
  Threshold: Set the threshold of the basic attack protection.
  Block: Click the select box to enable protection against the relevant protocol attack.
  Send log: Click the select box to view the log when attack packets are transmitted through the device interface.
  Number of attacks: Statistics of the attack count.
  Clear counter: Clear the attack count statistics.
  Time interval (per second): Select how often a log is sent, in seconds.
  Terms interval: Select the number of log entries after which a new log is reported.

To configure basic attack protection:
  1. Click the select box of the attack type.
  2. Click the Send log box, then click the Ok button on the upper right.

Basic Attack Log Query

Basic attack log query allows you to query specific logs from the database. To enter the basic attack log query page, choose Firewall module > Basic attack protection > Basic attack log query, as shown in Figure1-14.

Figure1-14 Basic attack log query

Table1-11 describes the details of basic attack log query.

Table1-11 Basic attack log query
  Serial number: Displays the serial number of the attack.
  Time: Displays when the attack log was created.
  Attack type: Displays the type of the attack.
  Protocol: Displays the protocol of the attack.
  Source IP: Displays the source IP of the attack.
  Destination IP: Displays the destination IP address of the attack packet.
  Source port: Displays the source port of the attack.

  Action: Displays the action taken for the attack.

To query the basic attack log:
  1. Enter the desired query parameters.
  2. Click the Search button to view the search results.
  3. Click the Export button to export the logs.
  4. Click the Delete button to delete the logs.

1.7 Sessions Limit

To enter the sessions limit page, choose Firewall module > Firewall > Sessions limit, as shown in Figure1-15.

Figure1-15 Session limitation

Table1-12 describes the details of exceeding control.

Table1-12 Exceeding control
  Security zone/user group: Select the security zone or user group to which the exceeding control rule applies.
  Maximum of sessions by one IP: Set the maximum number of connections.
  Maximum of subsequent connect sessions: Set the maximum number of subsequent connections.
  Maximum of created sessions (count of sessions/second): Set the maximum number of sessions created per second.
  Operation: Click the copy icon or the delete icon to perform the operation.

1.8 Service Limitation

To access the service limitation page, choose Firewall module > Firewall > Basic DDoS Protection > Defend object management, as shown in Figure1-16.
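The threshold, block, send-log and time-interval controls of Table1-10, and the per-IP limits of Table1-12, as an added example (not DPtech code). The attack-type classification, the one-second counting window and the sample SYN burst are constructed assumptions; the "subsequent connect sessions" column is not modelled:

```python
from collections import defaultdict, deque


def classify(pkt: dict):
    """Map a packet to a Table1-10 attack type (constructed classification)."""
    if pkt["proto"] == "tcp" and "S" in pkt["flags"] and "A" not in pkt["flags"]:
        return "SYN flood"
    if pkt["proto"] == "icmp":
        return "ICMP flood"
    if pkt["proto"] == "udp":
        return "UDP flood"
    return None


class BasicAttackProtection:
    """Threshold is packets per second of one attack type (device-wide, an assumption);
    time_interval is the minimum number of seconds between two logs of that type."""

    def __init__(self):
        self.rules = {}
        self.count = defaultdict(int)        # Number of attacks
        self.window = defaultdict(deque)     # attack type -> timestamps in the last second
        self.last_log = {}
        self.logs = []                       # rows in the Table1-11 layout

    def configure(self, attack_type, threshold, block=True, send_log=True, time_interval=10.0):
        self.rules[attack_type] = dict(threshold=threshold, block=block,
                                       send_log=send_log, time_interval=time_interval)

    def clear_counter(self, attack_type):
        self.count[attack_type] = 0

    def inspect(self, now: float, pkt: dict) -> str:
        """Return 'pass' or 'block' for one packet seen at time now (seconds)."""
        attack_type = classify(pkt)
        rule = self.rules.get(attack_type)
        if rule is None:
            return "pass"
        window = self.window[attack_type]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) <= rule["threshold"]:
            return "pass"
        self.count[attack_type] += 1
        action = "block" if rule["block"] else "pass"
        last = self.last_log.get(attack_type, float("-inf"))
        if rule["send_log"] and now - last >= rule["time_interval"]:
            self.last_log[attack_type] = now
            self.logs.append(dict(serial=len(self.logs) + 1, time=now, attack_type=attack_type,
                                  protocol=pkt["proto"], src_ip=pkt["src"], dst_ip=pkt["dst"],
                                  src_port=pkt.get("sport"), action=action))
        return action


class SessionLimit:
    """Table1-12 exceeding control: maximum concurrent sessions per IP and
    maximum sessions created per second."""

    def __init__(self, max_per_ip: int, max_new_per_sec: int):
        self.max_per_ip = max_per_ip
        self.max_new_per_sec = max_new_per_sec
        self.sessions = defaultdict(set)     # src ip -> open session keys
        self.created = defaultdict(deque)    # src ip -> creation times in the last second

    def open(self, now: float, src_ip: str, key: tuple) -> bool:
        """Admit a new session identified by key; False means a limit was exceeded."""
        if key in self.sessions[src_ip]:
            return True
        if len(self.sessions[src_ip]) >= self.max_per_ip:
            return False
        created = self.created[src_ip]
        while created and now - created[0] >= 1.0:
            created.popleft()
        if len(created) >= self.max_new_per_sec:
            return False
        created.append(now)
        self.sessions[src_ip].add(key)
        return True

    def close(self, src_ip: str, key: tuple) -> None:
        self.sessions[src_ip].discard(key)


def demo():
    """Constructed SYN burst against threshold 3 per second: packets 4 and 5 are blocked."""
    bap = BasicAttackProtection()
    bap.configure("SYN flood", threshold=3)
    syn = dict(proto="tcp", flags="S", src="198.51.100.7", dst="203.0.113.10", sport=40000)
    actions = [bap.inspect(0.1 * i, syn) for i in range(5)]
    return actions, bap.count["SYN flood"], bap.logs
```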

Figure1-16 Service limitation

1.9 IPv4 Basic DDoS Protection

Defend Object Management

Defend object management configures the defend object group, including the IP addresses protected by DDoS attack protection and comment information. To enter the defend object management page, choose Firewall module > Firewall > Basic DDoS Protection > Defend object management, as shown in Figure1-17.

Figure1-17 Defend object management

Table1-13 describes the details of defend object management.

Table1-13 Defend object management
  Defend object management: Enter a name for the defend object group.
  IP address and mask: Enter one or several IP addresses protected by the defend object group.
  Comment: Comment on the defend object group.
  Operation: Click the copy icon or the delete icon to perform the operation.

To create a defend object management rule:
  1. Enter the name of the defend object management rule.
  2. Configure the IP address protected by the defend object management rule.

  3. After you finish the above steps, click the Ok button in the upper right corner.

Configuration and Tendency

Traffic Status and Monitoring

You can view the current traffic status and monitoring of the defend group via configuration and tendency. To enter the traffic status and monitoring page, choose Firewall module > Firewall > Basic DDoS Protection > Configuration and tendency, as shown in Figure1-18.

Figure1-18 Traffic status and monitoring

Table1-14 describes the details of traffic status and monitoring.

Table1-14 Traffic and status monitoring
  Name: Displays the name of the traffic status monitoring entry.
  IP address: Displays the IP address of the traffic monitoring entry.
  Belong to: Displays which protection type the entry belongs to.
  Time range: Displays the status time range.

DDOS Defend Settings

DDOS defend settings are the basic configuration for all kinds of attack. To enter the DDOS defend settings page, choose Firewall module > Firewall > Basic DDOS Protection > DDOS defend settings, as shown in Figure1-19.

Figure1-19 DDOS defend settings

Table1-15 describes the details of DDOS defend settings.

Table1-15 DDOS defend settings
  Manual configure the threshold: You can select manual configuration of the threshold or auto-learning of the threshold.
  Auto-learning the threshold: Set the number of the threshold.

To modify DDOS defend settings:
  1. Select whether to enable manual configuration of the threshold or auto-learning of the threshold.
  2. Set the number of the threshold in the blank.
  3. After you finish the above steps, click the Open button, and then click the Ok button.

Protection History

To enter the protection history page, choose Firewall module > Firewall > Basic DDOS Protection > Snapshot and history > Protection history, as shown in Figure1-20.

Figure1-20 Protection history

1.10 Blacklist

Blacklist

A blacklist is an attack prevention mechanism that filters packets based on source IP address. Blacklists are easy to configure and fast at filtering packets sourced from a particular IP address. To enter the blacklist page, choose Firewall module > Firewall > Blacklist, as shown in Figure1-21.

Figure1-21 Blacklist configuration

Table1-16 describes the details of blacklist configuration.

Table1-16 Blacklist configuration
  Option: Click the Enable blacklist option.
  IP address/mask (Source IP): Specifies the IP address to be blacklisted.
  Remaining life time: Displays the remaining life time entry, in which you can view the remaining time of the blacklist entry.
  Last configuration record: Displays the last configuration record entry, in which you can view the last configuration record and the remaining time of your configuration.
  Operation: Click the copy icon to copy the rule.

To configure the blacklist:

  1. Enter an IP address in the IP address/mask configuration column; this is the blacklisted source IP address.
  2. Select an option for the remaining life time.
  3. Click the Confirm button.
  4. To delete the configuration, click the Delete icon.

Blacklist Query

To enter the blacklist query page, choose Firewall module > Firewall > Blacklist query, as shown in Figure1-22.

Figure1-22 Blacklist query

Table1-17 describes the details of blacklist query.

Table1-17 Blacklist query
  IP address/mask: Displays the blacklisted IP address.
  Valid time: Displays the valid time.
  Remaining time: Displays the remaining time and the time when you created the blacklist entry.
  Cause: Displays the reason the IP address was added to the blacklist.

Blacklist Log Query

To enter the blacklist log query page, choose Firewall module > Firewall > Blacklist log query, as shown in Figure1-23.

Figure1-23 Blacklist log query

Table1-18 describes the details of blacklist log query.

Table1-18 Blacklist log query
  Serial number: Displays the serial number of the blacklist log entry.
  Time: Displays the time when the attack began.
  IP address: Displays the blacklisted IP address.
  Lifecycle: Displays the lifecycle of the blacklisted IP address.
  Add reason: Displays the reason the IP address was added to the blacklist.

To query the blacklist log:
  1. Configure the query item you want to query.
  2. Click the Search button to view the search results.
  3. Click the Export to CSV button to export the log file.
  4. Click the Delete button to delete the logs you have searched.

1.11 QoS

QoS can ensure bandwidth by configuring VIP bandwidth guarantee and traffic classification.

VIP Bandwidth Guarantee

To enter the VIP bandwidth guarantee page, choose Firewall module > QoS > VIP bandwidth guarantee, as shown in Figure1-24.

Figure1-24 VIP bandwidth guarantee

Table1-19 describes the details of VIP bandwidth guarantee.

Table1-19 VIP bandwidth guarantee
  Name: Displays the policy name of the VIP bandwidth guarantee.
  Outbound interface: Displays the outbound interface of the data traffic.
  Total bandwidth settings: Displays the total bandwidth setting of the outbound interface.

  Assuring rate settings: Configure the assured rate settings, which guarantee the transmitting rate for all applications.
  Operation: Click the copy icon to copy a VIP bandwidth guarantee rule. Click the delete icon to delete a VIP bandwidth guarantee rule.

Traffic Shaping

To enter the traffic shaping page, choose Firewall module > Firewall > QoS > Traffic shaping, as shown in Figure1-25.

Figure1-25 Traffic shaping

1.12 Anti-ARP-Spoofing

Anti-ARP-Spoofing

To enter the anti-ARP-spoofing page, choose Firewall module > Firewall > Anti-ARP-Spoofing, as shown in Figure1-26.

Figure1-26 Anti-ARP-Spoofing

Table1-20 describes the details of Anti-ARP-Spoofing.

Table1-20 Anti-ARP-Spoofing
  Option: Select an anti-ARP-spoofing entry and then click the option.
  IP address: Displays the IP address scanned by anti-ARP-spoofing.
  M address: Displays the MAC address scanned by anti-ARP-spoofing.
  VLAN ID: Displays the VLAN ID scanned by anti-ARP-spoofing.
  Interface: Displays the interface scanned by anti-ARP-spoofing.
  Type: Displays how the anti-ARP-spoofing entry was obtained.

ARP Configuration

The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (an Ethernet MAC address, for example). In an Ethernet LAN, when a device sends data to another device, it uses ARP to translate the IP address of that device into the corresponding MAC address. To enter the ARP configuration page, choose Firewall module > Firewall > Anti-ARP-Spoofing management, as shown in Figure1-27.

Figure1-27 ARP configuration

Table1-21 describes the details of ARP configuration.

Table1-21 ARP configuration
  Interface name: Displays the names of all interfaces of the device.
  Enable state: Enable or disable ARP configuration on the interface.
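The IP/MAC/VLAN/interface bindings of Table1-20 and the per-interface enable state of Table1-21, checked against incoming ARP replies, as an added example (not DPtech code; the binding types and the ARP records are constructed):

```python
from dataclasses import dataclass


def norm_mac(mac: str) -> str:
    """Normalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:...' to lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Binding:
    """One Table1-20 entry: IP, MAC, VLAN ID, interface and how it was obtained (Type)."""
    ip: str
    mac: str
    vlan: int
    interface: str
    type: str            # "static" (configured) or "scanned" (learned)


class AntiArpSpoofing:
    def __init__(self, enabled_interfaces):
        self.enabled = set(enabled_interfaces)   # Table1-21 enable state per interface
        self.table = {}                          # ip -> Binding
        self.alerts = []

    def add_static(self, ip: str, mac: str, vlan: int, interface: str) -> None:
        self.table[ip] = Binding(ip, norm_mac(mac), vlan, interface, "static")

    def inspect_reply(self, ip: str, mac: str, vlan: int, interface: str) -> str:
        """Handle an ARP reply 'ip is-at mac' seen on (vlan, interface).
        Returns 'pass', 'learn' (new scanned binding) or 'drop' (contradicts a binding)."""
        if interface not in self.enabled:
            return "pass"
        mac = norm_mac(mac)
        bound = self.table.get(ip)
        if bound is None:
            self.table[ip] = Binding(ip, mac, vlan, interface, "scanned")
            return "learn"
        if (bound.mac, bound.vlan, bound.interface) == (mac, vlan, interface):
            return "pass"
        # A different MAC, VLAN or port claiming a bound IP is the spoofing signature.
        self.alerts.append(dict(ip=ip, expected=bound, seen_mac=mac,
                                seen_vlan=vlan, seen_interface=interface))
        return "drop"

    def mac_claims(self, mac: str) -> list:
        """IPs currently bound to one MAC; many IPs on one MAC is worth an operator's look."""
        mac = norm_mac(mac)
        return sorted(b.ip for b in self.table.values() if b.mac == mac)


if __name__ == "__main__":
    guard = AntiArpSpoofing(["ge0/1"])
    guard.add_static("10.0.0.1", "00:11:22:33:44:55", 10, "ge0/1")   # constructed gateway binding
    print(guard.inspect_reply("10.0.0.1", "66:77:88:99:aa:bb", 10, "ge0/1"))   # drop
```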

Chapter 2 Load Balancing

2.1 Link Load Balancing

Introduction to Link Load Balancing

Link load balancing establishes several outbound interfaces according to the links of different operators, making full use of the link resources; the links also back each other up, so that the network keeps working stably.

Link Config

To enter the link config page, choose Firewall module > Load balancing > Link config, as shown in Figure2-1.

Figure2-1 Link load balancing

Table2-1 describes the details of link load balancing.

Table2-1 Link load balancing
  Link outbound interface: Enter a name in the link outbound interface entry.
  Next hop gateway: Type an IP address in the next hop gateway item.
  Network operation configuration: Configure the network operation configuration item.
  Link bandwidth (MB/S): Configure the link bandwidth item.
  Health check: Type in the health check cost (the cost should be in 1-255).
  Route COST: Configure the route cost (the cost should be in 1-255).
  Health check state: Select a health check state.
  Operation: Click the copy icon or the delete icon to perform the operation.

ISP

To enter the ISP page, choose Firewall module > Load balancing > ISP, as shown in Figure2-2.

Figure2-2 ISP

Table2-2 describes the details of ISP.

Table2-2 ISP
  ISP name: Displays the name of the ISP.
  Segment import: Import the segments of the ISP.
  Segment export: Export the segments of the ISP.
  Operation: Click the copy icon to copy the rule. Click the delete icon to delete the rule.

2.2 Logic Link Group

To access the logic link group page, choose Firewall module > Load balancing > Logic link group, as shown in Figure2-3.

Figure2-3 Logic link group

2.3 Link Health Check

To enter the link health check page, choose Firewall module > Load balancing > Link health check, as shown in Figure2-4.

Figure2-4 Link health check
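Outbound link selection over the Table2-1 links, the Table2-2 ISP segments and the health check state, as an added example (not DPtech code). The selection order (the destination's ISP first, then lowest route cost, then highest bandwidth) and the link names are assumptions of this example:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Link:
    """One Table2-1 row; isp ties the link to the Table2-2 segments of an operator."""
    name: str             # link outbound interface
    gateway: str          # next hop gateway
    isp: str              # network operation configuration
    bandwidth_mbps: int   # link bandwidth
    route_cost: int       # Route COST, 1-255
    healthy: bool = True  # health check state


class LinkLoadBalancer:
    def __init__(self):
        self.links = {}
        self.segments = {}     # ISP name -> imported networks (Table2-2 segment import)

    def add_link(self, link: Link) -> None:
        if not 1 <= link.route_cost <= 255:
            raise ValueError("route cost should be in 1-255")
        self.links[link.name] = link

    def import_segments(self, isp: str, cidrs) -> None:
        self.segments.setdefault(isp, []).extend(ip_network(c, strict=False) for c in cidrs)

    def set_health(self, name: str, healthy: bool) -> None:
        """Result of the link health check for one link."""
        self.links[name].healthy = healthy

    def isp_for(self, dst_ip: str):
        dst = ip_address(dst_ip)
        for isp, nets in self.segments.items():
            if any(dst in n for n in nets):
                return isp
        return None

    def select(self, dst_ip: str):
        """Outbound link for dst_ip: a healthy link of the destination's ISP if one exists,
        else any healthy link; lowest route cost wins, then highest bandwidth.
        Returns None when every link has failed its health check."""
        healthy = [l for l in self.links.values() if l.healthy]
        if not healthy:
            return None
        isp = self.isp_for(dst_ip)
        same_isp = [l for l in healthy if l.isp == isp]
        candidates = same_isp or healthy
        best = min(candidates, key=lambda l: (l.route_cost, -l.bandwidth_mbps))
        return best.name


if __name__ == "__main__":
    lb = LinkLoadBalancer()
    lb.add_link(Link("telecom-link", "198.51.100.254", "telecom", 100, 10))
    lb.add_link(Link("unicom-link", "203.0.113.254", "unicom", 200, 10))
    lb.import_segments("telecom", ["198.51.100.0/24"])
    print(lb.select("198.51.100.5"))   # telecom-link
```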

Chapter 3 VPN

A VPN (Virtual Private Network) creates a temporary, secure link over a public network (usually the Internet): a secure and stable tunnel traversing the shared public network. It supports SSL, IPsec, L2TP and GRE, and provides safe and efficient protection for enterprise and government users. The VPN module provides:
  IPsec
  L2TP
  GRE
  SSL VPN

3.1 IPsec

Introduction to IPsec

IP Security (IPsec) refers to a series of protocols defined by the Internet Engineering Task Force (IETF) to provide high quality, interoperable, cryptography-based security for IP packets. By means of facilities including encryption and data origin authentication, it delivers these security services at the IP layer:
  Through IKE (the Internet Key Exchange protocol), IPsec automatically negotiates keys and establishes security associations, which simplifies the use and management of IPsec.
  AH (Authentication Header) is a packet header authentication protocol, mainly providing data origin authentication, data integrity and anti-replay functions; however, AH cannot encrypt the protected packet.
  ESP (Encapsulating Security Payload) not only provides the functions that AH provides (except IP header integrity verification), but also provides IP packet encryption.
  IKE is used to negotiate the cryptographic algorithms of AH and ESP, and to automatically establish the security associations and exchange the security keys.

IPsec VPN Configuration

To enter the IPsec VPN configuration page, choose Firewall module > VPN > IPsec, as shown in Figure3-1.

Figure3-1 IPsec VPN configuration

Table3-1 describes the configuration items of the IPsec VPN.

Table3-1 IPsec VPN configuration
  Connection name: Displays the name of the IPsec configuration policy, which is configured by the user.
  Status settings: Displays the enable/disable status of the IPsec policy.
  Local IP address: Displays the local IP address in the IPsec configuration policy.
  Local device ID: Provides four types of ID obtaining method, of which you can select one: Auto, hostname, IP address or local certificate ID alias (displays Auto).
  Client ID: In the client ID item, you can enable the Auto or remote certificate ID alias option.
  Subnets available to the clients: Allows you to configure one subnet for the client.
  Authentication method: Provides two types of authentication method: pre-shared key and digital certificate.
  Advanced configuration: Provides the negotiation mode, the IPsec security protocol type (ESP or AH), Enable PFS group, the IKE security proposal and the IPsec security proposal.
  Operation: Click the copy icon or the delete icon to perform the operation.

To create an IPsec VPN rule in gateway-gateway mode:
  1. Type a name for the IPsec rule that corresponds to your requirement.
  2. Click Enable IPsec operation.
  3. Configure the local IP address item.
  4. Configure the local device ID item, which provides four types of obtaining method; for example, enable Auto.
  5. In the authentication method item, select one of the two authentication methods, such as pre-shared key.
  6. After you finish the above configuration, click the Ok button on the upper right.

DPVPN

To enter the DPVPN page, choose Firewall module > Firewall VPN > IPsec > DPVPN, as shown in Figure3-2.

Figure3-2 DPVPN

Table3-2 describes the details of DPVPN.

Table3-2 DPVPN
  Enable DPVPN: Allows you to enable the DPVPN function.
  Work mode: Select a work mode for the DPVPN: spoke or hub.
  Hub IP: Enter the hub IP address.
  Protected subnets: Add a subnet that needs protection.
  Template connection: Configure a template connection for the DPVPN configuration.

To view the IPsec connection display interface:
  1. Select a query item: local IP address, remote IP address or connection name.
  2. Enter the keyword of the IPsec connection to display.
  3. Click the Query button.

3.1.4 Xauth user

To enter the Xauth user page, choose Firewall module > VPN > IPsec > Xauth user, as shown in Figure3-3. Xauth adds a per-user name and password check after IKE phase 1; it supplements the gateway authentication (pre-shared key or certificate) rather than replacing it, so a weak group pre-shared key still lets an attacker impersonate the gateway and collect the Xauth credentials.

Figure3-3 Xauth user

3.1.5 IPsec interface

To enter the IPsec interface page, choose Firewall module > VPN > IPsec > IPsec interface, as shown in Figure3-4.

Figure3-4 IPsec interface

3.1.6 Display connections

To enter the display connections page, choose Firewall module > VPN > IPsec > Display connections, as shown in Figure3-5.

Figure3-5 Display connections

Table3-3 describes the details of display connections.

Table3-3 Display connections

Connection name: Displays the name of the IPsec connection, as configured by the user.

Local IP address: Displays the local IP address of the IPsec connection.
Remote IP address: Displays the remote IP address of the IPsec connection.
Local protected network: Displays the local protected network of the IPsec connection.
Remote protected network: Displays the remote protected network of the IPsec connection.
IKE SA information: Displays the IKE SA information.
IPsec SA information: Displays the IPsec SA information.

To view the display IPsec connections interface:
Select a query item: local IP address, remote IP address, or connection name.
Enter the keyword to search for among the displayed IPsec connections.
Click the query button.

3.1.7 Operation log

To access the operation log page, choose Firewall module > VPN > IPsec > Operation log, as shown in Figure3-6.

Figure3-6 Operation log

Table3-4 describes the details of the operation log.

Table3-4 Operation log

No.: Shows the sequence number of the IPsec operation log entry.
Operation time: Displays the time when the IPsec operation log entry was generated.
User name: Displays the name of the user who performed the IPsec operation.
IP address: Displays the IP address of the IPsec connection.
Operation: Displays the IPsec operation that was performed.

3.2 L2TP

3.2.1 Introduction to L2TP

L2TP (Layer 2 Tunneling Protocol) is a standard Internet tunneling protocol similar to PPTP; both carry PPP sessions through a tunnel. The differences are: PPTP requires an IP network, whereas L2TP only requires a packet-oriented point-to-point connection and can also run over non-IP networks; PPTP supports a single tunnel between two endpoints, whereas L2TP supports multiple tunnels; and L2TP provides packet header compression and tunnel authentication, which PPTP does not. Note that L2TP itself does not encrypt the tunneled traffic: the PPP payload, including the PAP or CHAP authentication exchange, crosses the network in the clear unless the L2TP tunnel is carried inside IPsec (L2TP/IPsec).

3.2.2 L2TP

To enter the L2TP configuration page, choose Firewall module > VPN > L2TP, as shown in Figure3-7.

Figure3-7 L2TP

Table3-5 describes the details of L2TP.

Table3-5 L2TP

Tunnel name: Displays the L2TP tunnel name.
Tunnel interface IP: Displays the IP address of the tunnel interface configured by the user.
PPP authentication mode: Select the PPP authentication mode: CHAP or PAP. PAP sends the user's password in the clear; CHAP sends only an MD5 response to a server challenge, so prefer CHAP.
Client IP address range: Configure the range of IP addresses assigned to L2TP clients.
Advanced configuration: Advanced configuration options for L2TP.
Operation: You can copy or delete an entry.
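The difference between PAP and CHAP, and why neither makes IPsec around the L2TP tunnel optional, is easiest to see with the actual PPP exchange. The Python script below is an added example, not from this guide or from DPtech: it implements the CHAP response per RFC 1994 (Response = MD5(Identifier || secret || Challenge)) for both the client and the server side, shows what an eavesdropper on an unencrypted L2TP tunnel captures in each mode, and runs the offline dictionary attack that a captured CHAP exchange still allows. The user names, secrets and the small word list are constructed for the demonstration.

```python
"""PPP PAP versus CHAP over an unprotected L2TP tunnel (illustrative, not DPtech code)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed credential store: what the L2TP server (LNS) knows per user.
USER_SECRETS: Dict[str, bytes] = {"alice": b"correct-horse-battery"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def server_challenge(length: int = 16) -> bytes:
    """Server picks a fresh random challenge for every authentication attempt."""
    return os.urandom(length)


def chap_verify(name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response from the stored secret and compare."""
    secret = USER_SECRETS.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_on_the_wire(name: str, password: bytes) -> bytes:
    """What PAP sends: the password itself, readable by anyone on the path."""
    return bytes([len(name)]) + name.encode() + bytes([len(password)]) + password


def chap_on_the_wire(name: str, identifier: int, challenge: bytes) -> bytes:
    """What CHAP sends: the challenge (from server) and the response (from client)."""
    secret = USER_SECRETS[name]          # the client holds the same secret
    return challenge + chap_response(identifier, secret, challenge)


def crack_chap(identifier: int, challenge: bytes, response: bytes,
               wordlist: List[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on a captured CHAP exchange.

    CHAP hides the password but not its MD5 image: with the challenge and the
    response in hand, each candidate costs one MD5. That is why the tunnel
    itself must be encrypted (L2TP/IPsec) when the PPP secret is a password.
    """
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo() -> bool:
    """Run one CHAP authentication and an attacker's dictionary attack on it."""
    identifier = 0x2A
    challenge = server_challenge()
    captured = chap_on_the_wire("alice", identifier, challenge)  # eavesdropper sees this
    response = captured[len(challenge):]
    ok = chap_verify("alice", identifier, challenge, response)
    wordlist = [b"password", b"letmein", b"correct-horse-battery"]  # constructed
    return ok and crack_chap(identifier, challenge, response, wordlist) == USER_SECRETS["alice"]


if __name__ == "__main__":
    print(pap_on_the_wire("alice", b"hunter2"))      # password in clear text
    print("CHAP authenticates and is crackable offline:", demo())
```

CHAP is the better of the two PPP modes because the password never crosses the wire, but the script's last step shows that a captured challenge/response pair is still a password-cracking target, so the L2TP tunnel should run inside IPsec whenever it leaves a trusted network.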

3.3 GRE VPN

3.3.1 Introduction to GRE

Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). GRE is a tunneling technology and serves as a Layer 3 tunneling protocol. A GRE tunnel is a virtual point-to-point connection for transferring encapsulated packets. GRE provides no confidentiality, authentication, or replay protection: the optional checksum only detects accidental corruption, and anyone on the path can read, alter, or inject tunneled packets. Carry the GRE tunnel over IPsec when the traffic needs protection.

3.3.2 Configuring GRE

To enter the GRE configuration page, choose Firewall module > VPN > GRE, as shown in Figure3-8.

Figure3-8 GRE

Table3-6 describes the details of GRE.

Table3-6 GRE

Tunnel interface NO: Configure the GRE tunnel interface number (from 1 to 64).
Tunnel interface IP address: Configure the IP address of the GRE tunnel interface.
Tunnel source interface/IP address: Configure the tunnel source; you can select either an interface or an IP address.
Tunnel destination IP address: Configure the IP address of the remote GRE tunnel endpoint.
Advanced configuration: Provides the path MTU discovery and checksum options.
Operation: Allows you to copy or delete the GRE rule.

To create a GRE rule:
Enter a GRE name that matches the requirement.
Enter the tunnel interface IP address, such as /24
Configure the tunnel source interface or IP address, such as or eth0_7
Configure the tunnel destination IP address, such as /24
Configure the advanced configuration, and select the path MTU discovery and checksum options as required.
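The checksum option in the GRE advanced configuration is an integrity check against corruption, not a security control. The Python code below is an added example, not from this guide or from DPtech: it builds and parses the RFC 2784 GRE header with the optional checksum (the 16-bit ones'-complement sum over the GRE header and payload), shows the checksum catching a flipped bit, and then shows an on-path attacker replacing the payload and recomputing the checksum so the receiver accepts the forged packet. The sample inner packet is constructed, and the function names are this example's own.

```python
"""Build and parse GRE (RFC 2784) headers with the optional checksum (illustrative)."""
import struct
from typing import Tuple

GRE_FLAG_CHECKSUM = 0x8000     # C bit: Checksum and Reserved1 fields are present
ETHERTYPE_IPV4 = 0x0800


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, as used for the GRE checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, protocol: int = ETHERTYPE_IPV4,
              with_checksum: bool = False) -> bytes:
    """Encapsulate payload in a GRE header; add the checksum when requested."""
    if not with_checksum:
        return struct.pack("!HH", 0, protocol) + payload
    # The checksum is computed with the checksum field itself set to zero.
    header = struct.pack("!HHHH", GRE_FLAG_CHECKSUM, protocol, 0, 0)
    csum = internet_checksum(header + payload)
    return struct.pack("!HHHH", GRE_FLAG_CHECKSUM, protocol, csum, 0) + payload


def parse_gre(packet: bytes) -> Tuple[int, bytes, bool]:
    """Return (protocol, payload, checksum_ok); checksum_ok is True when none is present."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if (flags & 0x7) != 0:                   # Ver field (low 3 bits) must be 0
        raise ValueError("unsupported GRE version")
    if flags & GRE_FLAG_CHECKSUM:
        if len(packet) < 8:
            raise ValueError("truncated GRE checksum")
        # Summing the packet including the stored checksum must give zero.
        return protocol, packet[8:], internet_checksum(packet) == 0
    return protocol, packet[4:], True


def corrupt(packet: bytes, offset: int) -> bytes:
    """Flip one bit of the packet (simulated transmission error)."""
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)


def forge(packet: bytes, new_payload: bytes) -> bytes:
    """On-path attacker swaps the payload and re-seals the checksum; the receiver cannot tell."""
    flags, protocol = struct.unpack("!HH", packet[:4])
    return build_gre(new_payload, protocol, with_checksum=bool(flags & GRE_FLAG_CHECKSUM))


# Constructed inner packet: 20 arbitrary bytes shaped like an IPv4 header, for demonstration.
SAMPLE_PAYLOAD = bytes.fromhex("4500001c00010000400100000a0000010a000002")

if __name__ == "__main__":
    pkt = build_gre(SAMPLE_PAYLOAD, with_checksum=True)
    print("genuine   :", parse_gre(pkt)[2])                                   # True
    print("corrupted :", parse_gre(corrupt(pkt, 12))[2])                      # False
    print("forged    :", parse_gre(forge(pkt, b"\x45" + b"\x00" * 19))[2])   # True
```

The third line of output is the point: a forged packet verifies exactly like a genuine one, because the checksum is keyed by nothing. Only an authenticated encapsulation such as ESP over the GRE tunnel distinguishes the two.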

After you have finished the above steps, click the Ok button on the upper right.

3.4 SSL VPN

3.4.1 Introduction to SSL VPN

SSL VPN gives remote users access to sensitive company resources over a TLS-protected connection. Compared with IPsec VPN, it establishes the remote connection in a simpler way: any computer with a browser can use SSL VPN, because the client side runs in the browser, so there is no need to install client software on every computer as a traditional IPsec VPN requires.

3.4.2 Global configuration

To access the SSL VPN page, choose Firewall module > VPN > SSL VPN, as shown in Figure3-9.

Figure3-9 SSL VPN

Table3-7 describes the details of the global configuration.

Table3-7 Global configuration

Global configuration, select server digital certificate: Select a server certificate that you have imported to the device. This certificate is presented to connecting browsers, so it must chain to a CA the clients trust; otherwise users are trained to click through certificate warnings.
Global configuration, select CA certificate: Select a CA certificate that you have imported to the device.
Global configuration, advanced configuration: Configure the maximum number of users and select whether to enable IP compression.
User management, user information configuration: Configure the username, password, description, and user group of each user.
User management, user group information configuration: Configure the user group information and the resources the group may access.
Resource configuration, address range allocated to users: Configure the start of the IP address range allocated to connected users.
Resource configuration, subnets to which users connect: Configure the network segments that users need to visit.
Resource configuration, resource group (can be configured once IP resources exist): Configure the information and description of the resource group.

3.4.3 Resource configuration

To access the resource configuration page, choose Firewall module > VPN > SSL VPN > Resource configuration, as shown in Figure3-10.

Figure3-10 Resource configuration

3.4.4 User management

To enter the user management page, choose Firewall module > VPN > SSL VPN > User management, as shown in Figure3-11.

Figure3-11 User management

3.4.5 Online user status

To enter the online user status page, choose Firewall module > VPN > SSL VPN > Online user status, as shown in Figure3-12.

Figure3-12 Online user status

3.4.6 Operation log query

To enter the operation log query page, choose Firewall module > VPN > SSL VPN > Operation log query, as shown in Figure3-13.

Figure3-13 Operation log query

Chapter 4 IDS integration

4.1 IDS integration log

To enter the IDS integration log page, choose Firewall module > IDS integration log, as shown in Figure4-1.

Figure4-1 IDS integration log


Pre-Fragmentation for IPSec VPNs Pre-Fragmentation for IPSec VPNs Feature History Release 12.1(11b)E 12.2(13)T 12.2(14)S Modification This feature was introduced. This feature was integrated into Cisco IOS Release 12.2(13)T. This feature

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

Configuring IPSec tunnels on Vocality units

Configuring IPSec tunnels on Vocality units Configuring IPSec tunnels on Vocality units Application Note AN141 Revision v1.4 September 2015 AN141 Configuring IPSec tunnels IPSec requires the Security software (RTUSEC) at VOS07_44.01 or later and

More information

H3C SR6600 Routers DVPN Configuration Example

H3C SR6600 Routers DVPN Configuration Example H3C SR6600 Routers DVPN Configuration Example Keywords: DVPN, VPN, VAM, AAA, IPsec, GRE Abstract: This document describes the DVPN configuration example for the H3C SR6600 Routers Series. Acronyms: Acronym

More information

Series 1000 / G Cellular Modem / Router. Firmware Release Notes

Series 1000 / G Cellular Modem / Router. Firmware Release Notes Series 1000 / 2000 3G Cellular Modem / Router Firmware Release Notes Document Number: 0013-001-000138 () Firmware Version: v1.40 Dcoumentation Control Generation Date: April 28, 2010 Cybertec Pty Limited

More information

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00 Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00 Fred Detienne, Cisco Systems Manish Kumar, Cisco Systems Mike Sullenberger, Cisco Systems What is Dynamic Mesh VPN? DMVPN is a solution for building VPNs

More information

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls 32.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 32.2 Figure 32.1 Common structure

More information

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall Document ID: 43068 Contents Introduction Prerequisites Requirements Components Used Conventions Configure

More information

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers Objective A Virtual Private Network (VPN) is a private network that is used to virtually

More information

CHAPTER 7 ADVANCED ADMINISTRATION PC

CHAPTER 7 ADVANCED ADMINISTRATION PC ii Table of Contents CHAPTER 1 INTRODUCTION... 1 Broadband ADSL Router Features... 1 Package Contents... 3 Physical Details... 4 CHAPTER 2 INSTALLATION... 6 Requirements... 6 Procedure... 6 CHAPTER 3 SETUP...

More information

Configuration of an IPSec VPN Server on RV130 and RV130W

Configuration of an IPSec VPN Server on RV130 and RV130W Configuration of an IPSec VPN Server on RV130 and RV130W Objective IPSec VPN (Virtual Private Network) enables you to securely obtain remote access to corporate resources by establishing an encrypted tunnel

More information

1. Introduction Firewall contains SPI technique against intrusions, attacks and DOS

1. Introduction Firewall contains SPI technique against intrusions, attacks and DOS Trouble Shooting Guide of Vigor2900 series Broadband Security Router 1. Introduction Firewall contains SPI technique against intrusions, attacks and DOS VPN encryption enhances transmission privacy and

More information

H3C SecPath Series High-End Firewalls

H3C SecPath Series High-End Firewalls H3C SecPath Series High-End Firewalls NAT and ALG Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SECPATHF1000SAI&F1000AEI&F1000ESI-CMW520-R3721 SECPATH5000FA-CMW520-F3210

More information

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

Configuring VPN from Proventia M Series Appliance to NetScreen Systems Configuring VPN from Proventia M Series Appliance to NetScreen Systems January 13, 2004 Overview This document describes how to configure a VPN tunnel from a Proventia M series appliance to NetScreen 208

More information

Configuring VPN Policies

Configuring VPN Policies VPN Configuring VPN Policies Configuring Advanced VPN Settings Configuring DHCP Over VPN Configuring L2TP Server Configuring VPN Policies VPN > Settings VPN Overview Configuring VPNs in SonicOS Configuring

More information

VPN Routers DSR-150/250/500/1000AC. Product Highlights. Features. Overview. Comprehensive Management Capabilities. Web Authentication Capabilities

VPN Routers DSR-150/250/500/1000AC. Product Highlights. Features. Overview. Comprehensive Management Capabilities. Web Authentication Capabilities Product Highlights Comprehensive Management Solution Advanced features such as WAN failover, load balancing, and integrated firewall help make this a reliable, secure, and flexible way to manage your network.

More information

Information about Network Security with ACLs

Information about Network Security with ACLs This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Finding Feature Information,

More information

Gigabit Content Security Router CS-5800

Gigabit Content Security Router CS-5800 Gigabit Content Security Router CS-5800 Presentation Outline Product Overview Product Feature Product Application Product Comparison Appendix 2 / 34 Overview What is the Content filter? Content filtering

More information

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example Document ID: 26402 Contents Introduction Prerequisites Requirements Components Used Conventions Configure

More information

Network Security. Thierry Sans

Network Security. Thierry Sans Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability

More information

Dual WAN VPN Firewall VPN 3000 User s Guide. Version 1.0 Date : 1 July 2005 Please check for the latest version

Dual WAN VPN Firewall VPN 3000 User s Guide. Version 1.0 Date : 1 July 2005 Please check  for the latest version Dual WAN VPN Firewall VPN 3000 User s Guide Version 1.0 Date : 1 July 2005 Please check www.basewall.com for the latest version Basewall 2005 TABLE OF CONTENTS 1: INTRODUCTION... 4 Internet Features...

More information

Vigor2910 Dual-WAN Security Router User s Guide

Vigor2910 Dual-WAN Security Router User s Guide Vigor2910 Dual-WAN Security Router User s Guide Version: 2.1 Date: 2006/8/15 Copyright 2006 All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced,

More information