HP High-End Firewalls

HP High-End Firewalls Attack Protection Configuration Guide
Part number:
Software version: F1000-E/Firewall module: R3166; F5000-A5: R3206
Document version: 6PW

Legal and notice information

Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Blacklist configuration 1
  Blacklist overview 1
  Configuring the blacklist feature 1
    Enabling the blacklist feature 2
    Adding a blacklist entry manually 2
    Viewing the blacklist 3
  Blacklist configuration example 3
Packet inspection configuration 5
  Packet inspection overview 5
  Configuring packet inspection 6
  Packet inspection configuration example 7
Traffic abnormality detection configuration 9
  Traffic abnormality detection overview 9
  Configuring traffic abnormality detection 10
    Configuring ICMP flood detection 10
    Configuring UDP flood detection 12
    Configuring SYN flood detection 13
    Configuring connection limits 14
    Configuring scanning detection 15
  Traffic abnormality detection configuration example 16
URPF Configuration 18
  URPF overview 18
    What is URPF 18
    How URPF works 18
  Configuring URPF 19
TCP proxy configuration 20
  Overview 20
    SYN flood attack 20
    TCP proxy 20
    How TCP proxy works 21
  Configuring TCP proxy 22
    Configuration task list 22
    Performing global TCP proxy setting 23
    Enabling TCP proxy for a security zone 23
    Adding a protected IP address entry 24
    Displaying information about protected IP address entries 24
  TCP proxy configuration example 25
  Configuration guidelines 26
IDS collaboration configuration 27
  Overview 27
  Enabling IDS collaboration 27
  Configuration guidelines 27
Intrusion detection statistics 29
  Overview 29
  Displaying intrusion detection statistics 29
ARP attack protection configuration 32
  Configuring periodic sending of gratuitous ARP packets 32
    Introduction to periodic sending of gratuitous ARP packets 32
    Configuring periodic sending of gratuitous ARP packets 32
  Configuring ARP automatic scanning 33
    Introduction to ARP automatic scanning 33
    Configuring ARP automatic scanning in the web interface 33
    Configuring ARP automatic scanning in the CLI 34
  Configuring fixed ARP 35
    Introduction to fixed ARP 35
    Configuring fixed ARP in the web interface 35
    Configuring fixed ARP in the CLI 36
  ARP attack protection configuration example 36
Web filtering configuration 38
  Web filtering overview 38
    URL address filtering 38
    IP address-supported URL address filtering 39
    URL parameter filtering 39
    Java blocking 40
    ActiveX blocking 40
    Filtering rule file backup and loading 40
  Configuring web filtering in the web interface 41
    URL address filtering configuration task list 41
    URL parameter filtering configuration task list 41
    Java blocking configuration task list 42
    ActiveX blocking configuration task list 42
    Configuring URL address filtering 43
    Configuring URL address filtering keywords 44
    Backing up and loading a URL address filtering rule file 44
    Displaying URL address filtering information 45
    Configuring URL parameter filtering 45
    Configuring URL parameter filtering keywords 46
    Backing up and loading a URL parameter filtering rule file 46
    Displaying URL parameter filtering information 47
    Configuring Java blocking 47
    Configuring Java blocking keywords 48
    Displaying Java blocking information 48
    Configuring ActiveX blocking 48
    Configuring ActiveX blocking keywords 49
    Displaying ActiveX blocking information 50
    Web filtering configuration examples 50
  Configuring web filtering in the CLI 53
    Configuring URL address filtering 53
    Configuring IP address-supported URL address filtering 54
    Configuring URL parameter filtering 54
    Configuring Java blocking 54
    Configuring ActiveX blocking 55
    Displaying and maintaining web filtering 55
    Web filtering configuration examples 56
  Configuration guidelines 59
  Troubleshooting web filtering 60
    Failed to add filtering entry or suffix keyword due to upper limit 60
    Invalid characters are present in the configured parameter 60
    Invalid use of wildcards 61
    Invalid blocking suffix 62
    ACL configuration failed 62
    Unable to access website by IP address 62
Support and other resources 63
  Contacting HP 63
    Subscription service 63
  Related information 63
    Documents 63
    Websites 63
  Conventions 64
Index 66

Blacklist configuration

NOTE: The firewall supports configuring the blacklist feature only in the web interface.

Blacklist overview

Blacklist is an attack prevention mechanism that filters packets based on source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and faster at filtering packets sourced from particular IP addresses.

The firewall can cooperate with the scanning detection feature to dynamically add and remove blacklist entries. When the firewall detects that packets sourced from an IP address show a behavior pattern that implies a potential scanning attack, it automatically blacklists the IP address to filter subsequent packets sourced from that address. Blacklist entries added in this way age out after a period of time.

NOTE: For more information about scanning detection configuration, see the chapter "Traffic abnormality detection configuration".

The firewall also supports adding and removing blacklist entries manually. Manually configured blacklist entries fall into two categories: permanent and non-permanent. A permanent blacklist entry is always present unless it is removed manually, whereas a non-permanent blacklist entry has a limited lifetime that depends on your configuration. When the lifetime of a non-permanent entry expires, the firewall removes the entry from the blacklist, allowing packets from the IP address defined by the entry to pass through.

Configuring the blacklist feature

Table 1 Blacklist configuration task list
Task: Enabling the blacklist feature. Remarks: Required. By default, the blacklist feature is disabled.
Task: Configuring the scanning detection feature to add blacklist entries automatically. Remarks: Required; complete either this task or the next one. By default, no blacklist entries exist. For more information about scanning detection configuration, see the chapter "Traffic abnormality detection configuration". IMPORTANT: If you modify a dynamic blacklist entry, the entry turns into a manual one.
Task: Adding a blacklist entry manually. Remarks: Required; complete either this task or the previous one.
Task: Viewing the blacklist. Remarks: Optional.

Enabling the blacklist feature

From the navigation tree, select Intrusion Detection > Blacklist to enter the blacklist management page, as shown in Figure 1. Then select the Enable Blacklist option and click Apply to enable the blacklist feature.

Figure 1 Blacklist management page

Return to Blacklist configuration task list.

Adding a blacklist entry manually

From the navigation tree, select Intrusion Detection > Blacklist to enter the blacklist management page, and then click Add to add a blacklist entry, as shown in Figure 2.

Figure 2 Add a blacklist entry manually

Table 2 Blacklist entry configuration items
IP Address: Specify the IP address to be blacklisted. It cannot be a network, broadcast, loopback, or Class E address.
Hold Time: Set the entry to a non-permanent one and specify a lifetime for it.
Permanence: Set the entry to a permanent one.

Return to Blacklist configuration task list.

Viewing the blacklist

From the navigation tree, select Intrusion Detection > Blacklist to enter the blacklist management page, where you can view the blacklist information, as shown in Figure 1.

Table 3 Blacklist fields
IP Address: Blacklisted IP address.
Add Method: Type of the blacklist entry, which can be Auto (added by the scanning detection feature automatically) or Manual (added manually or modified manually).
Start Time: Time when the blacklist entry starts to take effect.
Hold Time: Lifetime of the blacklist entry since the effective start time.
Dropped Count: Number of packets dropped based on the blacklist entry.

Return to Blacklist configuration task list.

Blacklist configuration example

Network requirements

As shown in Figure 3, Host A is located in the trusted zone while Host B is located in the untrusted zone. Configure the firewall to filter all packets from Host A within 100 minutes since the creation of the blacklist entry.

Figure 3 Network diagram for blacklist configuration

Configuration procedure

# Enable the blacklist feature.
1. From the navigation tree, select Intrusion Detection > Blacklist.
2. Select the Enable Blacklist option.
3. Click Apply.

# Add a blacklist entry for Host A.
1. Click Add. The Add to Blacklist page appears.
2. Enter the IP address of Host A.
3. Select the Hold Time option and, in the box next to the option, set the lifetime of the entry to 100 minutes.
4. Click Apply to complete the configuration.

Configuration verification

To verify the configuration, perform the following operations:
- Select Log Report > Report > Blacklist Log from the navigation tree to check whether there are logs for the newly added blacklist entry.
- Check whether Host A can ping Host B within 100 minutes after the entry was added.
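The blacklist semantics described in this chapter (permanent and non-permanent manual entries, entries added automatically by scanning detection that age out, the Table 3 fields, and the rule that editing a dynamic entry turns it into a manual one) can be modelled in a few dozen lines. The following is an added example written for this page, not HP's code; the address validation, the integer-second clock and the sample address for Host A are this example's assumptions.

```python
"""Added example (not HP's code): a model of the firewall blacklist table
described in this chapter. Times are plain integers (seconds) so the
aging logic can be exercised offline."""
import ipaddress


class BlacklistEntry:
    """One row of the blacklist page (the Table 3 fields)."""

    def __init__(self, ip, add_method, start_time, hold_time):
        self.ip = ip                  # blacklisted source address
        self.add_method = add_method  # "Auto" (scanning detection) or "Manual"
        self.start_time = start_time  # time the entry took effect
        self.hold_time = hold_time    # lifetime in seconds; None means permanent
        self.dropped_count = 0        # packets dropped because of this entry

    def expired(self, now):
        if self.hold_time is None:
            return False
        return now >= self.start_time + self.hold_time


class Blacklist:
    def __init__(self):
        self.enabled = False          # "Enable Blacklist" option, off by default
        self.entries = {}

    @staticmethod
    def _check_address(ip):
        # The page rejects network, broadcast, loopback and Class E addresses.
        # Without a mask we can only reject the all-zeros and all-ones
        # addresses as network/broadcast (assumption); is_reserved is 240/4.
        addr = ipaddress.IPv4Address(ip)
        bad = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))
        if addr.is_loopback or addr.is_reserved or addr in bad:
            raise ValueError(f"{ip} cannot be blacklisted")
        return str(addr)

    def add_manual(self, ip, now, hold_time=None):
        """Manual entry: hold_time=None is Permanence, otherwise Hold Time."""
        ip = self._check_address(ip)
        self.entries[ip] = BlacklistEntry(ip, "Manual", now, hold_time)

    def add_auto(self, ip, now, lifetime):
        """Entry added by scanning detection; it always has a lifetime."""
        ip = self._check_address(ip)
        if ip not in self.entries:
            self.entries[ip] = BlacklistEntry(ip, "Auto", now, lifetime)

    def modify(self, ip, now, hold_time=None):
        """Editing a dynamic entry turns it into a manual one (Table 1 note)."""
        entry = self.entries[ip]
        entry.add_method = "Manual"
        entry.start_time = now
        entry.hold_time = hold_time

    def age_out(self, now):
        expired = [ip for ip, e in self.entries.items() if e.expired(now)]
        for ip in expired:
            del self.entries[ip]
        return expired

    def filter_packet(self, src_ip, now):
        """Return True if the packet is forwarded, False if it is dropped."""
        if not self.enabled:
            return True
        self.age_out(now)
        entry = self.entries.get(src_ip)
        if entry is None:
            return True
        entry.dropped_count += 1
        return False


def demo():
    """The chapter's example: Host A filtered for 100 minutes after the entry is added."""
    bl = Blacklist()
    bl.enabled = True
    host_a = "192.0.2.10"              # constructed address standing in for Host A
    bl.add_manual(host_a, now=0, hold_time=100 * 60)
    dropped_early = not bl.filter_packet(host_a, now=30 * 60)   # inside the 100 minutes
    passed_late = bl.filter_packet(host_a, now=100 * 60)        # entry has aged out
    return dropped_early, passed_late, host_a in bl.entries
```

The verification step in the text (pinging Host B from Host A inside and outside the 100-minute window) corresponds to the two `filter_packet` calls in `demo()`; the Dropped Count column of the web page is the per-entry `dropped_count`.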

Packet inspection configuration

NOTE: The firewall supports configuring packet inspection only in the web interface.

Packet inspection overview

A single-packet attack, or malformed packet attack, occurs when either of the following events happens:
- An attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags, to a target system, making the target system malfunction or crash when processing such packets.
- An attacker sends large quantities of junk packets to the network, using up the network bandwidth.

The packet inspection feature allows the firewall to analyze the characteristics of received packets to determine whether they are attack packets. Upon detecting an attack, the firewall logs the event and, when so configured, blocks the packet. The firewall supports detection of the following types of single-packet attacks.

Table 4 Supported single-packet attack types
Fraggle: A Fraggle attack occurs when an attacker sends large amounts of UDP echo requests (UDP port 7) or Chargen packets (UDP port 19), resulting in a large quantity of junk replies and finally exhausting the bandwidth of the target network.
Land: A Land attack occurs when an attacker sends a great number of TCP SYN packets with both the source and destination IP addresses set to the IP address of the target, exhausting the half-open connection resources of the victim and preventing it from providing services normally.
WinNuke: A WinNuke attacker sends out-of-band (OOB) data with overlapping pointer field values to the NetBIOS port (139) of a Windows system that has an established connection, introducing a NetBIOS fragment overlap and causing the system to crash.
TCP Flag: Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such TCP flags to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker can make the host crash.
ICMP unreachable: Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for it. By sending ICMP unreachable packets, an ICMP unreachable attacker can cut off the connection between the target host and the network.
ICMP redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table, interfering with the normal forwarding of IP packets.

Table 4 Supported single-packet attack types (continued)
Tracert: The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the packet passes each firewall. Upon receiving a packet with a TTL of 0, a firewall must send an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the network topology.
Smurf: A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network reply to the requests, congesting the network and leaving hosts on the target network unable to provide services.
Source route: A source route attack exploits the source route option in the IP header to probe the topology of a network.
Route record: A route record attack exploits the route record option in the IP header to probe the topology of a network.
Large ICMP: For some hosts and devices, large ICMP packets cause memory allocation errors and crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.

Configuring packet inspection

From the navigation tree, select Intrusion Detection > Packet Inspection to configure packet inspection, as shown in Figure 4.

Figure 4 Packet inspection configuration page

Table 5 Packet inspection configuration items
Zone: From the zone dropdown list, select the security zone to which the configuration will be applied.

Table 5 Packet inspection configuration items (continued)
Discard Packets when the specified attack is detected: Select this option to discard detected attack packets.
Enable Fraggle Attack Detection: Enable or disable detection of Fraggle attacks.
Enable Land Attack Detection: Enable or disable detection of Land attacks.
Enable WinNuke Attack Detection: Enable or disable detection of WinNuke attacks.
Enable TCP Flag Attack Detection: Enable or disable detection of TCP flag attacks.
Enable ICMP Unreachable Packet Attack Detection: Enable or disable detection of ICMP unreachable attacks.
Enable ICMP Redirect Packet Attack Detection: Enable or disable detection of ICMP redirect attacks.
Enable Tracert Packet Attack Detection: Enable or disable detection of Tracert attacks.
Enable Smurf Attack Detection: Enable or disable detection of Smurf attacks.
Enable IP Packet Carrying Source Route Attack Detection: Enable or disable detection of source route attacks.
Enable Route Record Option Attack Detection: Enable or disable detection of route record attacks.
Enable Large ICMP Packet Attack Detection / Max Packet Length: Enable detection of large ICMP attacks and set the packet length limit, or disable detection of such attacks.

Packet inspection configuration example

Network requirements

As shown in Figure 5, the internal network is the trusted zone and the external network is the untrusted zone. The internal servers are located in the DMZ zone. Configure the firewall to detect Land attacks from the untrusted zone.

Figure 5 Network diagram for packet inspection configuration

Configuration procedure

# Assign IP addresses to interfaces.

1. From the navigation tree, select Device Management > Interface.
2. Assign IP address /24 to interface GigabitEthernet 0/0.
3. Assign IP address /24 to interface GigabitEthernet 0/1.
4. Assign IP address /24 to interface GigabitEthernet 0/2.

# Assign the interfaces to security zones.
1. From the navigation tree, select Device Management > Zone.
2. Assign interface GigabitEthernet 0/0 to the trusted zone.
3. Assign interface GigabitEthernet 0/1 to the DMZ zone.
4. Assign interface GigabitEthernet 0/2 to the untrusted zone.

# Enable Land attack packet inspection for the untrusted zone.
1. From the navigation tree, select Intrusion Detection > Packet Inspection.
2. Select Untrust from the Zone dropdown list.
3. Select Discard Packets when the specified attack is detected.
4. Select Enable Land Attack Detection.
5. Click Apply to complete the configuration.

Configuration verification

The firewall should now output alarm logs when interface GigabitEthernet 0/2 receives packets with the Land attack characteristics, and drop those packets.
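Table 4 and Table 5 together describe a per-zone classifier: each enabled attack type is a predicate over a single packet, a match produces a log entry, and the Discard option decides whether the packet is also dropped. The following added example (written for this page, not HP's code) runs such a classifier over constructed packet records. The packet field names, the protected network used to recognise a broadcast destination, the traceroute port range and the choice of SYN+FIN and null flags as "illegal TCP flags" are this example's assumptions, since the page does not list the exact flag combinations.

```python
"""Added example (not HP's code): single-packet inspection over constructed
packet records, modelling Table 4 and Table 5 of this chapter."""
import ipaddress

UDP_ECHO, UDP_CHARGEN, NETBIOS_SESSION = 7, 19, 139
ICMP_UNREACHABLE, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 3, 5, 8
TRACEROUTE_PORTS = range(33434, 33535)   # classic traceroute UDP port range (assumption)

ALL_TYPES = ["Fraggle", "Land", "WinNuke", "TCP Flag", "ICMP unreachable", "ICMP redirect",
             "Tracert", "Smurf", "Source route", "Route record", "Large ICMP"]


class PacketInspection:
    def __init__(self, zone, network, enabled, discard=False, max_icmp_len=4000):
        self.zone = zone
        # Broadcast address of the protected network, used for Smurf (assumption)
        self.broadcast = ipaddress.IPv4Network(network).broadcast_address
        self.enabled = set(enabled)      # attack types enabled for this zone
        self.discard = discard           # "Discard Packets when the specified attack is detected"
        self.max_icmp_len = max_icmp_len # "Max Packet Length" for large ICMP
        self.log = []

    def _matches(self, p):
        proto, flags = p["proto"], set(p.get("flags", ()))
        opts, dport = set(p.get("options", ())), p.get("dport")
        to_bcast = ipaddress.IPv4Address(p["dst"]) == self.broadcast
        hits = []
        if proto == "tcp" and "SYN" in flags and p["src"] == p["dst"]:
            hits.append("Land")
        if proto == "udp" and dport in (UDP_ECHO, UDP_CHARGEN):
            hits.append("Fraggle")
        if proto == "tcp" and dport == NETBIOS_SESSION and "URG" in flags:   # OOB data = URG
            hits.append("WinNuke")
        if proto == "tcp" and (not flags or {"SYN", "FIN"} <= flags):        # assumed illegal combos
            hits.append("TCP Flag")
        if proto == "icmp" and p.get("type") == ICMP_UNREACHABLE:
            hits.append("ICMP unreachable")
        if proto == "icmp" and p.get("type") == ICMP_REDIRECT:
            hits.append("ICMP redirect")
        if proto == "udp" and dport in TRACEROUTE_PORTS:
            hits.append("Tracert")
        if proto == "icmp" and p.get("type") == ICMP_ECHO_REQUEST and to_bcast:
            hits.append("Smurf")
        if "source_route" in opts:
            hits.append("Source route")
        if "route_record" in opts:
            hits.append("Route record")
        if proto == "icmp" and p["length"] > self.max_icmp_len:
            hits.append("Large ICMP")
        return hits

    def inspect(self, p):
        """Return (matched attack types, action); every match is logged."""
        hits = [t for t in self._matches(p) if t in self.enabled]
        action = "drop" if hits and self.discard else "forward"
        for t in hits:
            self.log.append(f"zone={self.zone} attack={t} src={p['src']} "
                            f"dst={p['dst']} action={action}")
        return hits, action


SAMPLE_PACKETS = {   # constructed packets, not captured traffic
    "land": {"proto": "tcp", "src": "10.1.1.2", "dst": "10.1.1.2", "dport": 80,
             "flags": ("SYN",), "length": 60},
    "smurf": {"proto": "icmp", "src": "203.0.113.9", "dst": "10.1.1.255", "type": 8, "length": 84},
    "winnuke": {"proto": "tcp", "src": "203.0.113.9", "dst": "10.1.1.2", "dport": 139,
                "flags": ("ACK", "PSH", "URG"), "length": 60},
    "big_ping": {"proto": "icmp", "src": "203.0.113.9", "dst": "10.1.1.2", "type": 8,
                 "length": 65000},
    "normal": {"proto": "tcp", "src": "203.0.113.9", "dst": "10.1.1.2", "dport": 443,
               "flags": ("SYN",), "length": 60},
}


def run_samples(enabled=ALL_TYPES, discard=True):
    """Inspect the samples for the Untrust zone protecting 10.1.1.0/24 (constructed)."""
    pi = PacketInspection("Untrust", "10.1.1.0/24", enabled, discard)
    return {name: pi.inspect(p) for name, p in SAMPLE_PACKETS.items()}
```

Calling `run_samples(enabled=["Land"], discard=False)` reproduces the chapter's configuration example: only the Land packet is reported, and because Discard is not selected it is logged but still forwarded.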

Traffic abnormality detection configuration

NOTE: The firewall supports configuring traffic abnormality detection only in the web interface.

Traffic abnormality detection overview

The traffic abnormality detection feature analyzes the characteristics of traffic to detect abnormal traffic, such as flood attacks and scanning attacks, and takes countermeasures accordingly.

ICMP flood detection

An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo requests in a short period, preventing the victim from providing normal services. To fence off ICMP flood attacks, you can set a connection rate threshold on your firewall. Once the ICMP connection rate of the protected host exceeds the threshold, the firewall outputs an attack alarm log and, depending on your configuration, blocks subsequent ICMP echo requests to the host.

UDP flood detection

A UDP flood attack overwhelms the victim with an enormous number of UDP packets in a short period, preventing the victim from providing normal services. To fence off UDP flood attacks, you can set a connection rate threshold on your firewall. Once the UDP echo connection rate of the protected host exceeds the threshold, the firewall outputs an attack alarm log and, depending on your configuration, blocks subsequent UDP echo requests to the host.

SYN flood detection

A SYN flood attack exhausts the limited resources of the victim by exploiting TCP SYN packets. The number of TCP connections that can be created on a firewall is limited by its resources. The idea of a SYN flood attack is to initiate TCP connections to a victim with spurious SYN packets. Because the SYN ACK packets that the victim sends in response never receive an acknowledgement (ACK), half-open connections accumulate on the victim. Excessive half-open connections can exhaust the resources of the victim, making it inaccessible until the number of half-open connections drops to a reasonable level as they time out. Likewise, SYN flood attacks can exhaust system resources such as memory on systems whose implementations do not limit connection creation.

To protect a host against SYN flood attacks, you can set a connection rate threshold and a half-open connection threshold for the host on your firewall. Once the TCP connection rate or the number of half-open connections of the protected host exceeds either threshold, the firewall outputs an attack alarm log and, depending on your configuration, takes the following actions:
- Blocks subsequent TCP connection requests.
- Removes the oldest half-open connections of the host.
- Adds a protected IP address entry for TCP proxy. For more information about TCP proxy, see the chapter "TCP proxy configuration".

Connection limit

Connection limit restricts the number of connections based on source IP address or destination IP address. You can set a connection threshold for an IP address on your firewall. Once the number of connections of that IP address exceeds the threshold, the firewall outputs an attack alarm log and, depending on your configuration, blocks subsequent connection requests from or to that IP address.

Scanning detection

A scanning attack explores the addresses and ports on a network to identify the hosts attached to the network and the application ports available on the hosts. To fence off scanning attacks, you can set a scanning rate threshold on your firewall. Once the rate of connections from an IP address exceeds the threshold, the firewall outputs an attack alarm log, blocks subsequent connections from the IP address, and blacklists the IP address, depending on your configuration.

Configuring traffic abnormality detection

NOTE:
- ICMP flood detection, UDP flood detection, and SYN flood detection are intended to protect servers and are usually configured on an internal zone. They work by inspecting the relevant connection rate or number of relevant connections.
- Scanning detection is intended to detect scanning behaviors and is usually configured on an external zone. It works by inspecting the connection rate.
- Scanning detection can be configured to add blacklist entries automatically. If you remove such a blacklist entry, the system will not add the entry back to the blacklist for a period of time, because the system considers subsequent packets to belong to the same attack.

To configure traffic abnormality detection, complete the following tasks:
- Configuring ICMP flood detection
- Configuring UDP flood detection
- Configuring SYN flood detection
- Configuring connection limits
- Configuring scanning detection

Configuring ICMP flood detection

From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood to enter the ICMP flood detection configuration page, as shown in Figure 6. You can select a security zone and then view and configure ICMP flood detection rules for the security zone.

Figure 6 ICMP flood detection configuration page

Do the following to configure ICMP flood detection:
1. In the Attack Prevention Policy section, specify the protection action to be taken upon detection of an ICMP flood attack. If you do not select the Discard packets when the specified attack is detected option, the firewall only collects ICMP flood attack statistics.
2. In the ICMP Flood Configuration section, view the configured ICMP flood detection rules, or click Add to enter the page shown in Figure 7 to configure an ICMP flood detection rule.

Figure 7 Add an ICMP flood detection rule

Table 6 ICMP flood detection configuration items
Protected Host Configuration / IP Address: Specify the IP address of the protected host.
Protected Host Configuration / Connection Rate Threshold: Set the maximum ICMP connection rate for the IP address.
Global Configuration of Security Zone / Connection Rate Threshold: Set the global maximum ICMP connection rate for each host in the current security zone.

NOTE: In a security zone, you can configure multiple protected hosts and one global connection rate threshold. For a host, the host-specific setting overrides the global setting of the security zone if they conflict.

Configuring UDP flood detection

From the navigation tree, select Intrusion Detection > Traffic Abnormality > UDP Flood to enter the UDP flood detection configuration page, as shown in Figure 8. You can select a security zone and then view and configure UDP flood detection rules for the security zone.

Figure 8 UDP flood detection configuration page

Do the following to configure UDP flood detection:
1. In the Attack Prevention Policy section, specify the protection action to be taken upon detection of a UDP flood attack. If you do not select the Discard packets when the specified attack is detected option, the firewall only collects UDP flood attack statistics.
2. In the UDP Flood Configuration section, view the configured UDP flood detection rules, or click Add to enter the page shown in Figure 9 to configure a UDP flood detection rule.

Figure 9 Add a UDP flood detection rule

Table 7 UDP flood detection configuration items
Protected Host Configuration / IP Address: Specify the IP address of the protected host.
Protected Host Configuration / Connection Rate Threshold: Set the maximum UDP connection rate for the IP address.

Table 7 UDP flood detection configuration items (continued)
Global Configuration of Security Zone / Connection Rate Threshold: Set the global maximum UDP connection rate for each host in the current security zone.

NOTE: In a security zone, you can configure multiple protected hosts and one global connection rate threshold. For a host, the host-specific setting takes precedence over the global setting of the security zone if they conflict.

Configuring SYN flood detection

From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood to enter the SYN flood detection configuration page, as shown in Figure 10. You can select a security zone and then view and configure SYN flood detection rules for the security zone.

Figure 10 SYN flood detection configuration page

Do the following to configure SYN flood detection:
1. In the Attack Prevention Policy section, specify the protection actions to be taken upon detection of a SYN flood attack. If you do not select any option, the firewall only collects SYN flood attack statistics. The available protection actions are:
- Discard packets when the specified attack is detected: If the firewall detects that a protected object in the security zone is under SYN flood attack, it drops the TCP connection requests to the protected host to block subsequent TCP connections.
- Send Reset packet to the attacked host: If the firewall detects that a protected object in the security zone is under SYN flood attack, it releases the oldest half-open connection resources of the protected object but does not block connection requests.
- Add protected IP entry to TCP Proxy: If the firewall detects that a protected object in the security zone is under SYN flood attack, it adds the target IP address to the protected IP list of the TCP proxy as a dynamic entry, with the port number set to any. If TCP proxy is configured for the security zone, all TCP connection requests to the IP address are processed by the TCP proxy until the protected IP

entry ages out. If you select this option, it is good practice to configure the TCP proxy feature on the page you reach by selecting Intrusion Detection > TCP Proxy.
2. In the SYN Flood Configuration section, view the configured SYN flood detection rules, or click Add to enter the page shown in Figure 11 to configure a SYN flood detection rule.

Figure 11 Add a SYN flood detection rule

Table 8 SYN flood detection configuration items
Protected Host Configuration / IP Address: Specify the IP address of the protected host.
Protected Host Configuration / Connection Rate Threshold: Set the maximum TCP connection rate for the IP address.
Protected Host Configuration / Half Connection Count: Set the maximum number of half-open TCP connections that can be present for the IP address.
Global Configuration of Security Zone / Connection Rate Threshold: Set the global maximum TCP connection rate for each host in the current security zone.
Global Configuration of Security Zone / Half Connection Count: Set the global maximum number of half-open TCP connections that can be present for each host in the current security zone.

NOTE: In a security zone, you can configure multiple protected hosts and one global connection rate threshold. For a host, the host-specific setting overrides the global setting of the security zone if they conflict.

Configuring connection limits

From the navigation tree, select Intrusion Detection > Traffic Abnormality > Connection Limit to enter the connection limit configuration page, as shown in Figure 12. You can select a security zone and then view and configure the connection limit for the security zone.

Figure 12 Connection limit configuration page

Table 9 Connection limit configuration items
Security Zone: Select the security zone to which the connection limit configuration will apply.
Discard packets when the specified attack is detected: Select this option to block connections destined for or sourced from an IP address once the number of connections for that IP address has exceeded the limit.
Enable connection limit per source IP / Threshold: Select the option to set the maximum number of connections that can be present for a source IP address.
Enable connection limit per dest IP / Threshold: Select the option to set the maximum number of connections that can be present for a destination IP address.

Configuring scanning detection

From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection to enter the scanning detection configuration page, as shown in Figure 13. You can select a security zone and then view and configure the scanning detection rule for the security zone.

Figure 13 Scanning detection configuration page

Table 10 Scanning detection configuration items
Security Zone: Select the security zone to which the scanning detection configuration will apply.

Table 10 Scanning detection configuration items (continued)
Enable Scanning Detection / Scanning Threshold: Set the maximum connection rate for a source IP address.
Add a source IP to the blacklist: Select this option to allow the system to blacklist a suspicious source IP address. If this option is selected, you can then set the lifetime of the blacklisted source IP addresses.
Lifetime: Set the lifetime of the blacklist entry.

Traffic abnormality detection configuration example

Network requirements

As shown in Figure 14, the intranet protected by the firewall is the trusted zone, the subnet where the internal servers are located is the DMZ zone, and the extranet is the untrusted zone. To fence off SYN flood attacks against a server in the DMZ zone, limit the number of new connections to the protected server to 5000 per second and the number of half-open connections to 6000, considering the actual traffic size of the server. Once either limit is exceeded, subsequent connections to the server are blocked.

Figure 14 Network diagram for traffic abnormality detection configuration

Configuration procedure

# Assign IP addresses to interfaces.
1. From the navigation tree, select Device Management > Interface.
2. Assign IP address /24 to interface GigabitEthernet 0/0.
3. Assign IP address /24 to interface GigabitEthernet 0/1.
4. Assign IP address /24 to interface GigabitEthernet 0/2.

# Assign the interfaces to security zones.
1. In the navigation tree on the left of the web interface, select System > Zone.
2. Assign interface GigabitEthernet 0/0 to the trusted zone.
3. Assign interface GigabitEthernet 0/1 to the DMZ zone.

4. Assign interface GigabitEthernet 0/2 to the untrusted zone.

# Enable SYN flood detection.
1. From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood.
2. Select DMZ from the Security Zone dropdown list.
3. In the Attack Prevention Policy section, select the Discard packets when the specified attack is detected option.
4. Click Apply.
5. In the SYN Flood Configuration section, click Add.
6. On the page that appears, select the Protected Host Configuration option.
7. Configure the IP address of the protected server.
8. Set Connection Rate Threshold to 5000 connections per second.
9. Set Half Connection Count Threshold to 6000 per second.
10. Click Apply to complete the configuration.

Configuration verification

The firewall should now output an alarm log when it detects a SYN flood attack on Server A and block all subsequent SYN packets to the server.
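The SYN flood rules in this chapter reduce to two counters per protected host (new connections per second and current half-open connections), a precedence rule (host-specific thresholds override the zone-global ones), and three possible actions. The following added example (written for this page, not HP's code) implements that logic and replays the chapter's configuration example against it. The one-second measurement window, the integer timestamps and the constructed addresses are this example's assumptions.

```python
"""Added example (not HP's code): a SYN flood detector modelled on the
rules of this chapter, with host-specific thresholds overriding the
zone-global ones and the three Attack Prevention Policy actions."""
from collections import defaultdict, deque

RATE_WINDOW = 1.0   # seconds over which the connection rate is counted (assumption)


class SynFloodDetector:
    def __init__(self, zone, discard=False, send_reset=False, add_tcp_proxy=False,
                 zone_rate=None, zone_half_open=None):
        self.zone = zone
        self.discard, self.send_reset, self.add_tcp_proxy = discard, send_reset, add_tcp_proxy
        self.zone_thresholds = (zone_rate, zone_half_open)  # Global Configuration of Security Zone
        self.host_thresholds = {}                           # Protected Host Configuration
        self.syn_times = defaultdict(deque)                 # server -> recent SYN timestamps
        self.half_open = defaultdict(deque)                 # server -> clients in SYN_RECEIVED
        self.blocked = set()            # servers whose connection requests are being dropped
        self.tcp_proxy_entries = set()  # dynamic protected IP entries handed to TCP proxy
        self.alarms = []

    def add_protected_host(self, ip, rate=None, half_open=None):
        self.host_thresholds[ip] = (rate, half_open)

    def thresholds_for(self, ip):
        """Host-specific settings override the zone-global ones, field by field."""
        host = self.host_thresholds.get(ip, (None, None))
        return tuple(h if h is not None else z for h, z in zip(host, self.zone_thresholds))

    def on_syn(self, client, server, now):
        """Process one TCP connection request; returns 'forward' or 'drop'."""
        if server in self.blocked:
            return "drop"
        times = self.syn_times[server]
        times.append(now)
        while times and now - times[0] >= RATE_WINDOW:   # slide the rate window
            times.popleft()
        self.half_open[server].append(client)             # SYN_RECEIVED until the ACK arrives
        rate_limit, half_limit = self.thresholds_for(server)
        over_rate = rate_limit is not None and len(times) > rate_limit
        over_half = half_limit is not None and len(self.half_open[server]) > half_limit
        if not (over_rate or over_half):
            return "forward"
        self.alarms.append(f"zone={self.zone} SYN flood on {server}: "
                           f"rate={len(times)}/s half_open={len(self.half_open[server])}")
        if self.send_reset:        # release the oldest half-open connection, keep accepting
            self.half_open[server].popleft()
        if self.add_tcp_proxy:     # hand the host to TCP proxy as a dynamic entry (port any)
            self.tcp_proxy_entries.add(server)
        if self.discard:           # drop this and all subsequent requests to the host
            self.blocked.add(server)
            self.half_open[server].pop()
            return "drop"
        return "forward"

    def on_ack(self, client, server):
        """Third handshake step: the client's connection is no longer half-open."""
        try:
            self.half_open[server].remove(client)
        except ValueError:
            pass


def demo_chapter_example():
    """Server A (constructed address) limited to 5000 new connections/s and
    6000 half-open connections with the Discard policy, as in the chapter."""
    det = SynFloodDetector("DMZ", discard=True)
    server_a = "10.1.1.2"
    det.add_protected_host(server_a, rate=5000, half_open=6000)
    verdicts = [det.on_syn(f"203.0.113.{i % 254 + 1}", server_a, now=0.0) for i in range(5002)]
    return verdicts[4999], verdicts[5000], verdicts[5001], len(det.alarms)
```

In `demo_chapter_example()` the 5000th SYN within the window is still forwarded, the 5001st exceeds the 5000/s threshold and raises the alarm, and from then on requests to Server A are dropped; the same structure with `send_reset=True` instead keeps accepting requests while trimming the oldest half-open entry.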

URPF Configuration

NOTE:
- The term router and the router icons in this document refer to a routing device running routing protocols in a generic sense.
- The firewall supports configuring URPF only in the web interface.

URPF overview

What is URPF

Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks. Attackers launch such attacks by sending a large number of packets with forged source addresses. For applications using IP-address-based authentication, this type of attack allows unauthorized users to access the system in the name of authorized users, or even to access the system as the administrator. Even if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 15 Attack based on source address spoofing

As shown in Figure 15, Router A sends a request with a forged source IP address of /8 to the server (Router B), and Router B sends a packet to Router C at /8 in response to the request. Consequently, this packet affects the communication between Router B and Router C. URPF can prevent source address spoofing attacks.

How URPF works

URPF provides two check modes: strict and loose. URPF works as follows:
1. If the source address of an incoming packet is found in the FIB table:
- In strict mode, URPF does a reverse route lookup for routes to the source address of the packet. If at least one outgoing interface of such a route matches the receiving interface, the packet passes the check and is forwarded normally. Otherwise, the packet is rejected.
- In loose mode, the packet passes the check and is forwarded normally.
2. If the source address is not found in the FIB table, URPF makes a decision based on the default route and the allow-default-route option.

24 If the default route is available but the allow-default-route option is not selected, the packet is rejected no matter which check approach is taken. If the default route is available and the allow-default-route option is selected, URPF operates depending on the check approach. In strict approach, URPF lets the packet pass if the outgoing interface of the default route is the receiving interface, and otherwise rejects it. In loose approach, URPF lets the packet pass directly. If ACL check is configured, a packet failed to pass URPF check will be filtered by the specified ACL. If the packet passes the ACL, it is forwarded normally; otherwise, it is discarded. Configuring URPF Select Intrusion Detection > URPF Check from the navigation tree to enter the URPF check configuration page, as shown in Figure 16. On this page, select a security zone to view and configure URPF check settings for the security zone. Figure 16 URPF check configuration page Table 11 URPF check configuration items Item Security Zone Enable URPF Allow Default Route ACL Type of Check Description Security zone where the URPF check is to be configured. Enable/disable URPF check. If this checkbox is not selected, URPF check is disabled and the following parameters are not configurable. By default, URPF check is disabled. Allow using the default route for URPF check. Reference an ACL. Set the URPF check type, Strict or Loose. 19
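The following is an added example, not code from the guide or from HP, that models the URPF decision procedure described above: the FIB lookup, the strict and loose modes, the Allow Default Route option, and the ACL applied to packets that fail the check. The FIB, interface names and addresses are constructed for the example; treating the absence of any default route as a rejection is an assumption the guide does not spell out.

```python
"""URPF strict/loose check as the guide describes it (constructed example, not HP code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_ifaces: frozenset          # outgoing interfaces of the route (several for ECMP)


def route(prefix, *ifaces):
    """Helper to build a Route from a prefix string and interface names."""
    return Route(ipaddress.ip_network(prefix), frozenset(ifaces))


def lookup(fib, addr):
    """Longest-prefix match for addr, ignoring the default route (handled separately)."""
    best = None
    for r in fib:
        if r.prefix.prefixlen == 0:
            continue
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def default_route(fib):
    return next((r for r in fib if r.prefix.prefixlen == 0), None)


def urpf_check(fib, src_ip, in_iface, mode="strict", allow_default_route=False, acl=None):
    """Return True if the packet is forwarded, False if it is discarded.

    mode: "strict" or "loose" (the Type of Check setting).
    allow_default_route: the Allow Default Route checkbox.
    acl: optional predicate applied to packets that fail the URPF check (the ACL setting).
    """
    addr = ipaddress.ip_address(src_ip)
    r = lookup(fib, addr)
    if r is not None:
        # Step 1: source address found in the FIB
        passed = mode == "loose" or in_iface in r.out_ifaces
    else:
        # Step 2: not found; decide on the default route and the allow-default-route option
        d = default_route(fib)
        if d is None or not allow_default_route:
            passed = False        # assumption: no default route at all also rejects
        else:
            passed = mode == "loose" or in_iface in d.out_ifaces
    if passed:
        return True
    # A packet that fails the URPF check is filtered by the ACL, if one is configured
    return acl(addr) if acl is not None else False


# Constructed FIB: two connected networks and a default route towards the Internet
SAMPLE_FIB = [
    route("10.0.0.0/8", "GE0/1"),
    route("192.168.1.0/24", "GE0/2"),
    route("0.0.0.0/0", "GE0/3"),
]

if __name__ == "__main__":
    # A packet claiming a 10.0.0.0/8 source but arriving on GE0/2 is spoofed: strict rejects it
    print(urpf_check(SAMPLE_FIB, "10.1.1.1", "GE0/2"))             # False
    print(urpf_check(SAMPLE_FIB, "10.1.1.1", "GE0/2", mode="loose"))  # True
```

Strict mode is the one that actually catches the Figure 15 scenario (a forged 10.0.0.0/8 source arriving on the Internet-facing interface); loose mode only rejects sources with no route at all, so it is the choice for asymmetrically routed zones where strict mode would drop legitimate traffic.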

TCP proxy configuration

NOTE:
The firewall supports TCP proxy configuration only in the web interface.

Overview

SYN flood attack
As a general rule, the establishment of a TCP connection is a three-way handshake:
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server establishes a TCP connection in the SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3. After receiving the SYN ACK message, the originator returns an ACK message. Thus, the TCP connection is established.
Attackers may exploit the TCP connection establishment to mount SYN flood attacks. Attackers send a large number of SYN messages to the server to establish TCP connections, but they never respond to the SYN ACK messages. As a result, a large number of incomplete TCP connections are established, making the server unable to handle services normally.

TCP proxy
The TCP proxy feature can protect the server from SYN flood attacks. The TCP client sets up a TCP connection with the TCP server through a TCP proxy. The TCP proxy intercepts SYN requests from the TCP clients and verifies whether the requests are SYN flood attack packets. If so, the TCP proxy drops the requests, thus protecting the TCP server against SYN flood attacks.
TCP proxy can work in two modes: unidirectional proxy and bidirectional proxy. The unidirectional proxy only processes packets from the TCP client, while the bidirectional proxy processes packets from both the TCP client and the TCP server. You can choose a proper mode according to your network scenario.
As shown in Figure 17, packets from the TCP client to the server go through the TCP proxy, while packets from the TCP server to the client are transferred by the Router in between. Thus unidirectional proxy is required.

Figure 17 Network diagram for unidirectional proxy

As shown in Figure 18, all packets between the TCP client and TCP server go through the TCP proxy, and thus you can configure unidirectional proxy or bidirectional proxy as desired.

Figure 18 Network diagram for unidirectional/bidirectional proxy

How TCP proxy works

Unidirectional proxy
Figure 19 shows the data exchange process of unidirectional proxy.

Figure 19 Data exchange process of unidirectional proxy

After receiving a SYN message from a client to the protected server (such a message matches a protected IP address entry), the TCP proxy sends back a SYN ACK message with a wrong sequence number on behalf of the server, that is, using the IP address and port number of the server. If the client is legitimate, the TCP proxy will receive an RST message, and will then receive a SYN message again from the client. The TCP proxy then directly forwards the SYN, SYN ACK, and ACK messages to establish a TCP connection between the client and the server. After the TCP connection is established, the TCP proxy forwards the subsequent packets of the connection without additional processing.

Bidirectional proxy
Figure 20 shows the data exchange process of bidirectional proxy.

Figure 20 Data exchange process of bidirectional proxy

After receiving a SYN message from a client to the protected server (such a message matches a protected IP address entry), the TCP proxy sends back a SYN ACK message with the window size set to 0 on behalf of the server. If the client is legitimate, the TCP proxy will receive an ACK message, and then sets up a connection between itself and the server through a three-way handshake on behalf of the client. As two TCP connections are established, different sequence numbers are used. They are translated by the TCP proxy for data exchange between the client and the server.

Configuring TCP proxy

Configuration task list
Perform the tasks in Table 12 to configure TCP proxy.

Table 12 TCP proxy configuration task list
Performing global TCP proxy setting: Optional. The configuration takes effect on all security zones. By default, bidirectional proxy is used.
Enabling TCP proxy for a security zone: Required. By default, the TCP proxy feature is disabled globally.

Adding a protected IP address entry: At least one method is required. You can add protected IP address entries by either of the following methods:
   Static: Add entries manually. By default, no such entries are configured in the system.
   Dynamic (configure the device to automatically add protected IP address entries): Select Intrusion Detection > Traffic Abnormality > SYN Flood, and then select the Add protected IP entry to TCP Proxy check box. After the configuration, the TCP proxy-enabled device automatically adds protected IP address entries when detecting SYN flood attacks. For more information, see the chapter Traffic abnormality detection configuration.
Displaying information about protected IP address entries: Optional. You can view information about all protected IP address entries.

Performing global TCP proxy setting
Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree to enter the page shown in Figure 21. The Global Configuration area allows you to perform global setting for TCP proxy.

Figure 21 TCP proxy configuration

Table 13 Global configuration items of TCP proxy
Unidirection/Bidirection: Set the global proxy mode of TCP proxy.

Return to TCP proxy configuration task list.

Enabling TCP proxy for a security zone
Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree to enter the page shown in Figure 21. You can enable/disable the TCP proxy feature for a security zone in the Zone Configuration area.
The disabled icon indicates that the TCP proxy feature is disabled for the corresponding security zone. You can click the Enable button beside the icon to enable the feature.
The enabled icon indicates that the TCP proxy feature is enabled for the corresponding security zone. You can click the Disable button beside the icon to disable the feature.

Return to TCP proxy configuration task list.

Adding a protected IP address entry
Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown in Figure 22, which lists information about protected IP address entries and the related statistics. Click Add to enter the page for configuring a protected IP address entry, as shown in Figure 23.

Figure 22 Protected IP address entries

Figure 23 Protected IP address entry configuration page

Table 14 Protected IP address entry configuration items
Protected IP Address: Type the IP address to be protected by the TCP proxy. It is the destination IP address of the TCP connection.
Port Number: Type the destination port of the TCP connection. The option any specifies that TCP proxy services TCP connection requests to any port of the server at the destination IP address.

Return to TCP proxy configuration task list.

Displaying information about protected IP address entries
Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown in Figure 22, which lists information about protected IP address entries.

Table 15 Information about protected IP address entries
Protected IP: IP addresses protected by the TCP proxy feature.
Port Number: Destination port of the TCP connection. The option any specifies that TCP proxy services TCP connection requests to any port of the server at the destination IP address.
Type: The protected IP address entries can be static or dynamic.
Lifetime(min): Lifetime of the protected IP address entry. This item is displayed as for static IP address entries. When the time reaches 0, the protected IP address entry is deleted.
Number of Rejected: Number of TCP connection requests that matched the protected IP address entry but were proved to be illegitimate.

Return to TCP proxy configuration task list.

TCP proxy configuration example

Network requirements
As shown in Figure 24, configure bidirectional TCP proxy on Firewall to protect Server A, Server B, and Server C against SYN flood attacks from the Internet. Add a protected IP address entry for Server A manually and configure dynamic TCP proxy for the other servers.

Figure 24 Network diagram for TCP proxy configuration

Configuration procedure
# Assign IP addresses to the interfaces and then add interface GigabitEthernet 1/1 to the security zone Untrust, and GigabitEthernet 1/2 to the security zone Trust. (Omitted)
# Set the TCP proxy mode to bidirectional and enable TCP proxy for the security zone Untrust.
Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree. Select Bidirection for the global setting. Click Apply. In the Zone Configuration area, click Enable for the Untrust zone.
# Add an IP address entry manually for protection.
Select Intrusion Detection > TCP Proxy > Protected IP Configuration from the navigation tree. Then, on the right pane, click Add. Type in the Protected IP Address text box. Select any from the port list. Click Apply.
# Configure the SYN flood detection feature, specifying that protected IP address entries are added automatically.
Select Intrusion Detection > Traffic Abnormality > SYN Flood from the navigation tree. Select Trust from the Security Zone drop-down list. Select the Add protected IP entry to TCP Proxy check box in the Attack Prevention Policy area. Click Apply. In the SYN Flood Configuration area, click Add. Select Global Configuration of Security Zone. Use the default values for the connection rate threshold and half connection count threshold. Click Apply.

Configuration guidelines
Follow these guidelines when configuring TCP proxy:
1. TCP proxy is effective only for incoming traffic of the security zone.
2. The performance of the Web-based management system may be degraded if the system's IP address and port number are in the protected IP entry list.
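The following is an added example, not code from the guide or from HP, that models the two client checks described under How TCP proxy works: in unidirectional mode the proxy answers a SYN to a protected entry with a SYN ACK that does not correctly acknowledge the client's initial sequence number (the guide calls this a wrong sequence number) and accepts the client only after the RST a real TCP stack sends back; in bidirectional mode it answers with a zero-window SYN ACK, accepts the client on its ACK, opens its own connection to the server and translates acknowledgment numbers between the two connections. The segment format, the ISN constants, the addresses and the Number of Rejected bookkeeping are constructed for the example.

```python
"""Model of the TCP proxy client check in unidirectional and bidirectional mode
(constructed example, not the firewall's implementation)."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str                 # source IP
    dst: str                 # destination IP
    dport: int               # server port (the only port the model tracks)
    flags: str               # "SYN", "SYN-ACK", "ACK", "RST", "PSH-ACK"
    seq: int = 0
    ack: int = 0
    window: int = 65535


PROXY_ISN = 1_000_000        # constructed: sequence number the proxy uses in its SYN ACKs
SERVER_ISN = 5_000_000       # constructed: sequence number the real server picks (bidirectional)


class TcpProxy:
    def __init__(self, protected, mode="unidirectional"):
        self.protected = set(protected)   # protected IP entries: {(ip, port or "any")}
        self.mode = mode                  # global setting: "unidirectional" or "bidirectional"
        self.pending = {}                 # client -> client ISN, challenge sent and unanswered
        self.verified = set()             # clients that answered the challenge correctly
        self.seq_offset = {}              # bidirectional: client -> server ISN minus proxy ISN
        self.rejected = 0                 # the "Number of Rejected" column

    def is_protected(self, ip, port):
        return (ip, port) in self.protected or (ip, "any") in self.protected

    def handle(self, seg):
        """Process one client-side segment; returns (action, segment_to_send_or_None)."""
        if not self.is_protected(seg.dst, seg.dport):
            return ("forward", seg)                        # no matching entry: untouched
        client = seg.src
        if client in self.verified:
            return ("forward", self.translate(seg))
        if seg.flags == "SYN" and client not in self.pending:
            self.pending[client] = seg.seq
            if self.mode == "unidirectional":
                # SYN ACK that does not acknowledge the client's ISN correctly: a real TCP
                # stack answers with RST and retransmits its SYN; a forged source never answers
                reply = Segment(seg.dst, client, seg.dport, "SYN-ACK",
                                seq=PROXY_ISN, ack=seg.seq + 12345)
            else:
                # SYN ACK advertising a zero window: a real client completes the handshake with ACK
                reply = Segment(seg.dst, client, seg.dport, "SYN-ACK",
                                seq=PROXY_ISN, ack=seg.seq + 1, window=0)
            return ("reply", reply)
        if client in self.pending:
            if self.mode == "unidirectional" and seg.flags == "RST":
                self.verified.add(client)
                del self.pending[client]
                return ("drop", None)     # RST absorbed; the client's next SYN is forwarded
            if self.mode == "bidirectional" and seg.flags == "ACK" and seg.ack == PROXY_ISN + 1:
                self.verified.add(client)
                del self.pending[client]
                # Proxy now runs its own three-way handshake with the server on the client's
                # behalf; the two connections use different sequence numbers, so record the offset
                self.seq_offset[client] = SERVER_ISN - PROXY_ISN
                return ("connect-server", Segment(client, seg.dst, seg.dport, "SYN", seq=seg.seq - 1))
        return ("drop", None)             # unverified client: nothing else reaches the server

    def translate(self, seg):
        """Rewrite the acknowledgment number from the proxy's connection to the server's."""
        offset = self.seq_offset.get(seg.src, 0)
        if offset:
            return Segment(seg.src, seg.dst, seg.dport, seg.flags, seg.seq, seg.ack + offset, seg.window)
        return seg

    def expire(self, client):
        """Challenge timer ran out with no valid answer: count the request as rejected."""
        if self.pending.pop(client, None) is not None:
            self.rejected += 1


if __name__ == "__main__":
    proxy = TcpProxy({("10.1.1.10", "any")})
    print(proxy.handle(Segment("192.0.2.5", "10.1.1.10", 80, "SYN", seq=100)))   # ('reply', SYN-ACK)
```

The unidirectional check never needs to see server-to-client traffic, which is why it suits the Figure 17 topology; the bidirectional check has to sit on the return path because it owns both connections and translates sequence numbers for the life of the session.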

IDS collaboration configuration

NOTE:
The firewall can collaborate only with Venusense IDS devices.
The firewall supports the IDS collaboration configuration only in the web interface.

Overview
IDS collaboration is introduced for firewalls to work with an intrusion detection system (IDS) device. As shown in Figure 25, the collaboration process is as follows:
1. The IDS device examines network traffic for attacks.
2. When the IDS device detects an attack, it sends an SNMP trap message to the firewall device. The trap message may carry attack information such as the source IP address of the attacker, the target IP address being attacked, the source port and the destination port.
3. When a firewall with IDS collaboration enabled receives the trap message, it retrieves the attack information, generates a blocking entry, and blocks subsequent traffic from the source.

Figure 25 Network diagram for IDS collaboration

Enabling IDS collaboration
Select Intrusion Detection > IDS Collaboration from the navigation tree to enter the page for enabling IDS collaboration, as shown in Figure 26. Select the Enable IDS Collaboration check box, and click Apply.

Figure 26 Enable IDS collaboration

Configuration guidelines
When configuring IDS collaboration, follow these guidelines:
1. Both the firewall devices and the IDS devices must support and have SNMPv2c configured.
2. The aging time for an IDS blocking entry is five minutes. The timer restarts if the firewall receives an SNMP trap with the same attack information before the timer expires.
3. A blocking entry is effective only for subsequent connections matching this entry. To make entries apply to the current connections, disable the fast forwarding function of the firewall.
4. Disabling IDS collaboration removes the generated blocking entries from the firewall.
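The following is an added example, not code from the guide or from HP, that models the blocking-entry behaviour the guidelines above describe: an entry is generated from the attack information in a trap, ages out after five minutes, has its timer restarted by a repeated trap with the same attack information, matches only connections that arrive after it was created, and disappears when collaboration is disabled. The trap is represented as a plain dictionary with the fields the guide says a trap may carry; the real Venusense trap encoding is not on the page and is not modelled.

```python
"""Blocking-entry table driven by IDS traps, with the five-minute aging the guide
states (constructed example, not the firewall's implementation)."""

AGING_SECONDS = 5 * 60   # the guide: aging time for an IDS blocking entry is five minutes


class IdsBlockTable:
    def __init__(self):
        self.entries = {}    # (src_ip, dst_ip, src_port, dst_port) -> expiry timestamp
        self.enabled = True

    @staticmethod
    def key_from_trap(trap):
        # Constructed trap shape: a dict with the fields the guide says a trap may carry
        # (attacker source IP, target IP, source port, destination port); absent fields
        # are treated as wildcards when matching connections
        return (trap.get("src_ip"), trap.get("dst_ip"), trap.get("src_port"), trap.get("dst_port"))

    def on_trap(self, trap, now):
        """A trap with the same attack information restarts the timer instead of adding an entry."""
        if not self.enabled:
            return None
        key = self.key_from_trap(trap)
        self.entries[key] = now + AGING_SECONDS
        return key

    def age(self, now):
        """Drop entries whose timer has expired."""
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

    def blocks(self, src_ip, dst_ip, src_port, dst_port, now):
        """True if a new connection with this 4-tuple matches a live blocking entry."""
        self.age(now)
        conn = (src_ip, dst_ip, src_port, dst_port)
        return any(all(f is None or f == c for f, c in zip(key, conn)) for key in self.entries)

    def disable(self):
        """Disabling IDS collaboration removes the generated blocking entries."""
        self.enabled = False
        self.entries.clear()


if __name__ == "__main__":
    table = IdsBlockTable()
    # Constructed trap: attacker 203.0.113.9 targeting the web server 10.1.1.10
    table.on_trap({"src_ip": "203.0.113.9", "dst_ip": "10.1.1.10", "dst_port": 80}, now=0)
    print(table.blocks("203.0.113.9", "10.1.1.10", 40000, 80, now=100))   # True
    print(table.blocks("203.0.113.9", "10.1.1.10", 40000, 80, now=400))   # False (aged out)
```

Because the entry only affects new connections, a session that was already fast-forwarded before the trap arrived keeps flowing; guideline 3 is the reason the guide suggests disabling fast forwarding when existing connections must also be cut.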

Intrusion detection statistics

Overview
Intrusion detection is an important network security feature. By analyzing the contents and behaviors of packets passing through, this feature can determine whether the packets are attack packets and take actions accordingly as configured. Supported actions include outputting alarm logs, discarding packets, and updating session status.
The intrusion detection statistics show the counts of attacks per attack type and the counts of attack packets dropped, helping you analyze the intrusion types and quantities present so that you can generate better network security policies.

NOTE:
For information about packet inspection, see the chapter Packet inspection configuration.
For information about traffic abnormality detection, see the chapter Traffic abnormality detection configuration.

Displaying intrusion detection statistics
To view intrusion detection statistics, select Intrusion Detection > Statistics in the navigation tree to enter the intrusion detection statistics page, as shown in Figure 27. Select a zone to view the counts of attacks and the counts of dropped packets in the security zone. Table 16 describes the attack types.

Figure 27 Intrusion detection statistics

Table 16 Description of attack types
Fraggle: A Fraggle attack occurs when an attacker sends large amounts of UDP echo requests with the UDP port number being 7 or Chargen packets with the UDP port number being 19, resulting in a large quantity of junk replies and finally exhausting the bandwidth of the target network.
ICMP Redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table, interfering with the normal forwarding of IP packets.
ICMP Unreachable: Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for the destination. By sending ICMP unreachable packets, an ICMP unreachable attacker can cut off the connection between the target host and the network.
Land: A Land attack occurs when an attacker sends a great number of TCP SYN packets with both the source and destination IP addresses being the IP address of the target, exhausting the half-open connection resources of the victim and preventing the target from providing services normally.
Large ICMP: For some hosts and devices, large ICMP packets cause memory allocation errors and crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.
Route Record: A route record attack exploits the route record option in the IP header to probe the topology of a network.
Scan: A scanning attack probes the addresses and ports on a network to identify the hosts attached to the network and the application ports available on the hosts, and to figure out the topology of the network in preparation for further attacks.
Source Route: A source route attack exploits the source route option in the IP header to probe the topology of a network.
Smurf: A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network reply to the requests, congesting the network and leaving hosts on the target network unable to provide services.
TCP Flag: Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such TCP flags to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker succeeds in making the host crash.
Tracert: The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the packet passes each firewall. Upon receiving a packet with a TTL of 0, a firewall must send an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the network topology.
WinNuke: A WinNuke attacker sends out-of-band (OOB) data with overlapping pointer field values to the NetBIOS port (139) of a Windows system with an established connection to introduce a NetBIOS fragment overlap, causing the system to crash.
SYN Flood: A SYN flood attack exploits TCP SYN packets. Due to resource limitations, the number of TCP connections that can be created on a firewall is limited. A SYN flood attacker sends a barrage of spurious SYN packets to a victim to initiate TCP connections. As the SYN_ACK packets that the victim sends in response can never get acknowledgments, large amounts of half-open connections are created and retained on the victim, making the victim inaccessible until the number of half-open connections drops to a reasonable level due to timeout of the half-open connections. In this way, a SYN flood attack exhausts system resources such as memory on a system whose implementation does not limit the creation of connections.
ICMP Flood: An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo requests (such as ping packets) in a short period, preventing the victim from providing services normally.
UDP Flood: A UDP flood attack overwhelms the victim with an enormous number of UDP packets in a short period, preventing the victim from providing services normally.
Number of connections per source IP exceeds the threshold: When an internal user initiates a large number of connections to a host on the external network in a short period of time, system resources on the firewall are soon used up. This makes the firewall unable to service other users.
Number of connections per dest IP exceeds the threshold: If an internal server receives large quantities of connection requests in a short period of time, the server is not able to process normal connection requests from other hosts.

ARP attack protection configuration
The Address Resolution Protocol (ARP) is easy to use, but it is often exploited by attackers because it lacks a security mechanism. ARP attacks and ARP viruses are serious threats to LANs. To avoid such attacks and viruses, the firewall provides multiple techniques to detect and prevent them. The following describes the principles and configuration of these techniques.

Configuring periodic sending of gratuitous ARP packets

NOTE:
The firewall supports configuring periodic sending of gratuitous ARP packets only in the web interface.

Introduction to periodic sending of gratuitous ARP packets
If an attacker sends spoofed gratuitous ARP packets to hosts on a network, traffic that the hosts want to send to the gateway is sent to the attacker instead. As a result, the hosts cannot access external networks.
To prevent such ARP attacks, you can enable the gateway's interfaces to send gratuitous ARP packets regularly. In this case, the gateway interface regularly sends gratuitous ARP packets containing the primary IP address and the manually configured secondary IP addresses of the interface. Thus, the hosts in the network segment can learn the correct gateway and can therefore access the external network normally.

Configuring periodic sending of gratuitous ARP packets
Select Firewall > ARP Anti-Attack > Send Gratuitous ARP from the navigation tree to enter the Send Gratuitous ARP page, as shown in Figure 28.

Figure 28 Configure periodic sending of gratuitous ARP packets

Table 17 Configuration items of periodic sending of gratuitous ARP packets
Sending Interface: Specify an interface and interval for periodically sending gratuitous ARP packets. Select an interface from the Standby Interface list, set its sending interval, and then click << to add it to the Sending Interface list box. To delete the combination of an interface and its sending interval, select it from the Sending Interface list and click >>.
IMPORTANT:
The firewall supports up to 1024 interfaces sending gratuitous ARP packets periodically.
With this feature enabled, an interface can periodically send gratuitous ARP packets only after it is assigned an IP address and the link comes up.
If a sending interval is modified, the setting takes effect at the next interval.
If many interfaces are enabled with this feature, or each interface has a large number of secondary IP addresses, or the sending intervals are very short while the above two conditions exist at the same time, the frequency at which gratuitous ARP packets are sent may be far lower than you expect.
The feature is mutually exclusive with VRRP backup group configuration.

Configuring ARP automatic scanning

Introduction to ARP automatic scanning
With this feature enabled, the firewall scans the LAN for neighbors by sending requests for their MAC addresses, thereby obtaining the MAC addresses and creating dynamic ARP entries.
ARP automatic scanning allows you to specify the address range for scanning. If you specify neither the start IP address nor the end IP address, the firewall scans the network segment of the primary IP address of the current interface for neighbors, using the primary IP address of the interface as the source IP address of the ARP requests. To reduce the scanning time, you can specify the IP address range for scanning if you know the IP address range assigned to the neighbors in a LAN. The specified start and end IP addresses must be in the same network segment as the primary IP address or a manually configured secondary IP address of the interface. If the specified address range covers multiple network segments of the interface, the source IP address in the ARP request is the interface address on the smallest network segment.
ARP automatic scanning is usually used together with the fixed ARP feature. After creating dynamic ARP entries for all the neighbors on a LAN, the firewall can convert these dynamic ARP entries into static ones. For more information about fixed ARP, see Configuring fixed ARP.

Configuring ARP automatic scanning in the web interface

NOTE:
It is not recommended to perform other operations while ARP automatic scanning is in progress.
ARP automatic scanning may take a long time. You can abort the scanning by clicking Interrupt on the ARP scan page.

Select Firewall > ARP Anti-Attack > Scan from the navigation tree to enter the ARP scanning configuration page, as shown in Figure 29.

Figure 29 ARP scanning

Table 18 ARP automatic scanning configuration items
Interface: Select the interface to be configured to perform ARP automatic scanning.
Start IP Address / End IP address: Specify the start and end IP addresses of the IP address range for ARP automatic scanning.
IMPORTANT:
Both the start and end IP addresses must be specified, or neither.
The start and end IP addresses must be in the same network segment as the primary IP address or a manually configured secondary IP address of the interface.
The start IP address must be lower than or equal to the end IP address.
With no IP address range specified, the firewall scans the network segment of the primary IP address of the interface for neighbors.
Also scan IP addresses of dynamic ARP entries: Set whether to scan the IP addresses of the existing dynamic ARP entries.

After the above configuration, click Scan to begin ARP automatic scanning. To abort scanning, click Interrupt.

Configuring ARP automatic scanning in the CLI
Follow these steps to configure ARP automatic scanning:
Enter system view: system-view
Enter interface view: interface interface-type interface-number
Enable ARP automatic scanning: arp scan [ start-ip-address to end-ip-address ] (Required)
Return to system view: quit

NOTE:
IP addresses already existing in ARP entries are not scanned.
ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

Configuring fixed ARP

Introduction to fixed ARP
This feature allows the firewall to convert dynamic ARP entries into static ones.

Configuring fixed ARP in the web interface

NOTE:
Only dynamic ARP entries learnt on Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, and VLAN interfaces can be converted into static ones.
The static ARP entries resulting from conversion are the same as those manually configured.
The number of dynamic ARP entries that can be converted into static ones is limited by the number of static ARP entries supported on the firewall. Some dynamic ARP entries may not be converted to static ones due to this limit.
The fixing process may take some time, during which some dynamic entries may be added or aged out. The newly added dynamic entries are fixed and the aged ones are not.

Select Firewall > ARP Anti-Attack > Fix from the navigation tree to enter the fixed ARP configuration page, as shown in Figure 30. The page lists all static ARP entries, including manually configured ones and fixed ones, and all dynamic ARP entries.

Figure 30 Fixed ARP page

Click Fix All to convert all dynamic ARP entries to static ones. Click Del All Fixed to delete all static ARP entries.
Select the checkbox before dynamic ARP entries, and click Fix to convert the selected ARP entries to static ARP entries. Select the checkbox before static ARP entries, and click Del Fixed to delete the selected static ARP entries. If you select a dynamic entry and click Del Fixed, the entry is not deleted.

Configuring fixed ARP in the CLI
Follow these steps to configure fixed ARP:
Enter system view: system-view
Enable fixed ARP: arp fixup (Optional)

NOTE:
Fixed ARP changes dynamic ARP entries into static ones only when these entries are learnt on a Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, or VLAN interface.
The static ARP entries changed from dynamic ARP entries have the same attributes as manually configured static ARP entries.
Use the arp fixup command to change the recently created dynamic ARP entries into static ones.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the firewall supports. As a result, the firewall may fail to change all dynamic ARP entries into static ones.
To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

ARP attack protection configuration example

Network requirements
Host A and Host B connect to Firewall A through Layer-2 access switch Switch B. On interface GigabitEthernet 0/3 of Firewall A, configure periodic sending of gratuitous ARP packets, ARP automatic scanning, and fixed ARP.

Figure 31 Network diagram of ARP automatic scanning

Configuration procedure
# Configure IP addresses for the interfaces. (Omitted)
# Configure periodic sending of gratuitous ARP packets.
Select Firewall > ARP Anti-Attack > Send Gratuitous ARP from the navigation tree. Select GigabitEthernet0/3 from the Standby Interface list. Click << to add the interface to the Sending Interface list. Click Apply to complete the configuration.
# Configure ARP automatic scanning.
Select Firewall > ARP Anti-Attack > Scan from the navigation tree. Select GigabitEthernet0/3 from the Interface dropdown list. Type in the Start IP Address textbox. Type in the End IP Address textbox. Select the check box Also scan IP addresses of dynamic ARP entries. Click Scan. The confirmation dialog box appears. Click OK to begin ARP automatic scanning. After a while, the page displays Scan completed.
# Configure fixed ARP.
Select Firewall > ARP Anti-Attack > Fix from the navigation tree. The page lists two dynamic ARP entries whose IP addresses are and respectively. Select the check box before the two dynamic ARP entries, and click Fix. The two dynamic ARP entries become static ones.

43 Web filtering configuration Web filtering overview In conventional network security solutions, network protection is mainly against external attacks. With the popularity of network applications in every walk of life, however, more and more internal attacks appear. This requires network devices to construct a secure internal network and enhance the security of the internal network. The web filtering function can prevent internal users from accessing unauthorized websites and block Java applets and ActiveX objects from web pages. The web filtering function covers: URL address filtering URL parameter filtering Java blocking ActiveX blocking Filtering rule file backup and loading URL address filtering Overview URL address filtering can help prevent internal users from accessing prohibited websites or restrict them to specific websites. After receiving an HTTP request, the device checks the URL address in the request. If the address is permitted, the device forwards the request; otherwise, the device denies the request and sends a TCP reset packet to the request sender and the server. After enabling URL address filtering, you can specify the default filtering action, that is, the action to be taken for HTTP requests whose URL addresses do not match the configured filtering keywords. By default, the default filtering action for URL address filtering is deny. Processing procedure 1. After receiving an HTTP request, the device resolves the URL address in the request. 2. The device matches the URL address against the configured filtering keywords. If a match is found, the device takes the preset filtering action to permit or deny the request. Otherwise, the device takes the default filtering action. IP address-supported URL address filtering After the URL address filtering function is enabled, the system denies all web requests that use IP addresses by default. 
To enable users to access all websites using IP addresses, you can enable the support for IP addresses in URL address filtering and allow the access using all IP addresses, so that the system forwards all web requests that use IP addresses for website access. To enable users to access specified websites using IP addresses, you can enable the support for IP addresses in URL address filtering and configure ACL rules to permit the specified IP addresses of 38

44 the websites, so that the system will forward only the web requests that use the specified IP addresses for website access. IP address-supported URL address filtering Overview NOTE: You can configure this feature only in the command line interface (CLI). After the URL address filtering function is enabled, the system denies all web requests that use IP addresses by default. To enable users to access all websites using IP addresses, you can enable the support for IP addresses in URL address filtering, so that the system forwards all web requests that use IP addresses for website access. To enable users to access specified websites using IP addresses, you can configure the support for IP addresses in URL address filtering to deny and configure ACL rules to permit the specified IP addresses of the websites, so that the system will forward only the web requests that use the specified IP addresses for website access. Processing procedure After the device receives a web request that uses IP address, it processes the request as follows: If the support for IP addresses is configured as permit, the device forwards the request. If the support for IP addresses is configured as deny, the device checks the website IP address in the request against the configured ACL. If the ACL permits the IP address, the device forwards the request; otherwise, the device denies the request. URL parameter filtering Overview Currently, large quantities of web pages are dynamic and connected with databases, and support data query and modification through web requests. This makes it possible to fabricate special SQL statements in web pages to obtain confidential data from databases or break down databases by modifying database information repeatedly. This kind of attack is called SQL injection attack. To address this problem, the device compares the URL parameters in an HTTP request against SQL statement keywords and some other characters that may constitute SQL statements. 
If a match is found, the device regards the request as an SQL injection attack and denies it. This protection mechanism is called URL parameter filtering.

Web requests transmit parameters mainly by the Get and Post methods. The method used for transmitting parameters determines the positions of the URL parameters; URL parameter filtering obtains the parameters from those positions and then performs filtering. Currently, the device supports URL parameter filtering of web requests with the Get, Post, or Put method.

Processing procedure

After receiving an HTTP request containing URL parameters, the device obtains the parameters according to the parameter transmission method:
- If the parameters are transmitted by a method other than Get, Post, and Put, the device directly forwards the request.

- If the parameters are transmitted by the Get, Post, or Put method, the device compares the URL parameters against the configured filtering keywords. If a match is found, the device denies the request; otherwise, the device forwards the request.

Java blocking

Overview

Java blocking can protect networks from being attacked by malicious Java applets. After the Java blocking function is enabled, Java applet requests to all web pages are filtered. If Java applets on some web pages are expected, you can configure ACL rules to permit Java applet requests to these web pages.

Processing procedure

- If the Java blocking function is enabled but no ACL is configured for it, the device replaces the suffixes .class and .jar with .block in all HTTP requests and then forwards the requests.
- If the Java blocking function is enabled and an ACL is configured for it, the device determines whether to replace the suffixes .class and .jar with .block in HTTP requests according to the ACL rules. If the destination server of an HTTP request is a server permitted by the ACL, no replacement occurs and the request is forwarded; otherwise, the suffix in the request is replaced with .block and then the request is forwarded.

In addition to the default blocking suffixes .class and .jar, you can manually add other Java blocking suffixes (that is, the filename suffixes to be replaced in HTTP requests).

ActiveX blocking

Overview

ActiveX blocking can protect networks from being attacked by malicious ActiveX plugins. After the ActiveX blocking function is enabled, requests for ActiveX plugins to all web pages are filtered. If the ActiveX plugins on some web pages are expected, you can configure ACL rules to permit requests for ActiveX plugins to these web pages.

Processing procedure

- If the ActiveX blocking function is enabled but no ACL is configured for it, the device replaces the suffix .ocx with .block in all HTTP requests and then forwards the requests.
- If the ActiveX blocking function is enabled and an ACL is configured for it, the device determines whether to replace the suffix .ocx with .block in HTTP requests according to the ACL rules. If the destination server in an HTTP request is a server permitted by the ACL, no replacement occurs and the request is forwarded; otherwise, the suffix is replaced with .block and then the request is forwarded.

In addition to the default blocking suffix .ocx, you can manually add other ActiveX blocking suffixes (that is, the filename suffixes to be replaced in HTTP requests).

Filtering rule file backup and loading

Filtering rule backup

You can back up the filtering keywords by saving them into a specified file. Currently, this feature is available only to URL address filtering and URL parameter filtering.
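The three decision procedures described above (IP address-supported URL address filtering, URL parameter filtering by transmission method, and Java/ActiveX suffix blocking with an optional ACL) as one added Python model. This is example code written for this page, not the firewall's own implementation; the Request fields, the CIDR-string ACLs, the raw percent-encoded matching and the whole-value meaning of the ^word$ keywords are assumptions made for the example.

```python
"""Model of the web-filtering decisions described in this chapter: an added
example, not code from the HP firewall. It imitates IP address-supported URL
address filtering, URL parameter filtering, and Java/ActiveX suffix blocking
on one parsed HTTP request. Assumed (not stated on the page): a ^word$ keyword
matches a whole parameter value, any other keyword matches as a substring, and
matching runs on the raw, still percent-encoded values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Default URL parameter filtering keywords listed in Table 26.
DEFAULT_PARAM_KEYWORDS = ["^select$", "^insert$", "^update$", "^delete$",
                          "^drop$", "--", "'", "^exec$", "%27"]
JAVA_SUFFIXES = [".class", ".jar"]   # default Java blocking suffixes
ACTIVEX_SUFFIXES = [".ocx"]          # default ActiveX blocking suffix

@dataclass
class Request:
    method: str      # HTTP method as sent by the client
    host: str        # Host header: a hostname or an IP literal
    dest_ip: str     # destination IP of the TCP connection (the web server)
    target: str      # request target: path plus optional query string
    body: str = ""   # form body of Post and Put requests

def in_acl(ip, acl):
    """True when ip falls inside one of the permitted networks (CIDR strings)."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in acl)

def ip_host_filter(req, ip_support="deny", acl=()):
    """IP address-supported URL address filtering. Hostname requests are not
    affected. For IP literals, 'permit' forwards everything and 'deny' forwards
    only hosts the ACL permits (empty ACL: the documented deny-all default)."""
    try:
        ip_address(req.host)
    except ValueError:
        return "forward"
    if ip_support == "permit":
        return "forward"
    return "forward" if in_acl(req.host, acl) else "deny"

def raw_form_values(data):
    """Split name=value&name=value pairs without percent-decoding them."""
    return [pair.partition("=")[2] for pair in data.split("&") if pair]

def extract_params(req):
    """Parameter values by transmission method: Get uses the query string,
    Post and Put use the body; any other method is not inspected (None)."""
    method = req.method.upper()
    if method == "GET":
        return raw_form_values(req.target.partition("?")[2])
    if method in ("POST", "PUT"):
        return raw_form_values(req.body)
    return None

def keyword_matches(value, keyword):
    """^word$ keyword: whole-value match; anything else: substring match."""
    v = value.lower()
    if keyword.startswith("^") and keyword.endswith("$"):
        return v == keyword[1:-1].lower()
    return keyword.lower() in v

def url_parameter_filter(req, keywords=DEFAULT_PARAM_KEYWORDS):
    """'deny' when any parameter matches a keyword, otherwise 'forward'."""
    params = extract_params(req)
    if params is None:
        return "forward"
    hit = any(keyword_matches(v, kw) for v in params for kw in keywords)
    return "deny" if hit else "forward"

def block_suffixes(req, suffixes, acl=()):
    """Request target after Java/ActiveX blocking: without an ACL every matching
    suffix becomes .block; with an ACL the rewrite is skipped for destination
    servers the ACL permits. The request is forwarded either way."""
    if acl and in_acl(req.dest_ip, acl):
        return req.target
    path, sep, query = req.target.partition("?")
    for suffix in suffixes:
        if path.lower().endswith(suffix):
            path = path[:-len(suffix)] + ".block"
            break
    return path + sep + query

def demo():
    """Constructed sample requests (addresses from documentation ranges)."""
    web = "198.51.100.10"         # constructed address of an outside web server
    trusted = ["203.0.113.0/24"]  # constructed ACL of sites allowed to serve applets
    return {
        "get_select": url_parameter_filter(
            Request("GET", "www.example.com", web, "/search?q=select")),
        "post_apostrophe": url_parameter_filter(
            Request("POST", "www.example.com", web, "/signup", "name=O%27Brien")),
        "head_not_inspected": url_parameter_filter(
            Request("HEAD", "www.example.com", web, "/s?q=select")),
        "ip_literal_default": ip_host_filter(Request("GET", web, web, "/")),
        "ip_literal_acl": ip_host_filter(
            Request("GET", web, web, "/"), "deny", ["198.51.100.0/24"]),
        "java_blocked": block_suffixes(
            Request("GET", "www.example.com", web, "/app/Game.class?v=2"),
            JAVA_SUFFIXES),
        "java_trusted": block_suffixes(
            Request("GET", "intranet", "203.0.113.5", "/app/Game.jar"),
            JAVA_SUFFIXES, trusted),
    }
```

Two things the sample runs make visible. The default keywords ' and %27 deny any parameter that merely contains an apostrophe, so a legitimate form value such as O%27Brien is dropped; enabling logging and watching the per-keyword match counters on the Keywords Setup page is how an operator spots such false positives. Conversely an anchored keyword such as ^drop$ matches only a parameter whose whole value is that word, so the keyword list is a coarse screen at the perimeter and not a substitute for parameterized queries on the web server itself.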

Filtering rule loading

You can specify a filtering rule file to be automatically loaded by the device at restart. This configuration takes effect after the device restarts and is available only to URL address filtering and URL parameter filtering.

NOTE:
- Do not modify the contents of the filtering rule file. Otherwise, automatic loading of filtering rules may fail. If the filtering rules are modified on the device, back them up to a new file; that is how a change to the filtering rules is carried into the file.
- Because the file system does not support hot swapping, the filtering rule file on the active main processing unit (MPU) cannot be synchronized to the standby MPU when the standby MPU is inserted.

Configuring web filtering in the web interface

URL address filtering configuration task list

Perform the tasks in Table 19 to configure URL address filtering:

Table 19 URL address filtering configuration task list

Task: Configuring URL address filtering
Remarks: Required. Enable URL address filtering and configure the default filtering action, IP address-supported URL address filtering, and logging. Disabled by default.

Task: Configuring URL address filtering keywords
Remarks: Required. Specify a URL address filtering keyword and the corresponding filtering action. By default, no filtering keyword exists. The device supports a maximum of 256 URL address filtering keywords.

Task: Backing up and loading a URL address filtering rule file
Remarks: Optional.

Task: Displaying URL address filtering information
Remarks: Optional. Displays the number of times that each URL address filtering keyword has been matched and allows you to reset the statistics.

URL parameter filtering configuration task list

Perform the tasks in Table 20 to configure URL parameter filtering:

Table 20 URL parameter filtering configuration task list

Task: Configuring URL parameter filtering
Remarks: Required. Enable URL parameter filtering, and configure whether to enable the system-defined filtering parameters and logging. Disabled by default.

Task: Configuring URL parameter filtering keywords
Remarks: Required when the system-defined filtering parameters are not configured. The device supports a maximum of 256 URL parameter filtering keywords (including system-defined keywords).

Task: Backing up and loading a URL parameter filtering rule file
Remarks: Optional.

Task: Displaying URL parameter filtering information
Remarks: Optional. Displays the number of times that each URL parameter filtering keyword has been matched and allows you to reset the statistics.

Java blocking configuration task list

Perform the tasks in Table 21 to configure Java blocking:

Table 21 Java blocking configuration task list

Task: Configuring Java blocking
Remarks: Required. Enable Java blocking and configure an ACL and logging for Java blocking.

Task: Configuring Java blocking keywords
Remarks: Optional. By default, the blocking keywords .class and .jar exist. Besides the default blocking keywords, you can add a maximum of five Java blocking suffix keywords.

Task: Displaying Java blocking information
Remarks: Optional. Displays the number of times that each Java blocking keyword has been matched and allows you to reset the statistics.

ActiveX blocking configuration task list

Perform the tasks in Table 22 to configure ActiveX blocking:

Table 22 ActiveX blocking configuration task list

Task: Configuring ActiveX blocking
Remarks: Required. Enable ActiveX blocking and configure an ACL and logging for ActiveX blocking.

Task: Configuring ActiveX blocking keywords
Remarks: Optional. By default, the blocking keyword .ocx exists. Besides the default blocking keyword, you can add a maximum of five ActiveX blocking suffix keywords.

Task: Displaying ActiveX blocking information
Remarks: Optional. Displays the number of times that each ActiveX blocking keyword has been matched and allows you to reset the statistics.

Configuring URL address filtering

Select Application Control > Web Filtering from the navigation tree. The URL Address Filtering page appears, as shown in Figure 32.

Figure 32 URL address filtering

Table 23 URL address filtering configuration items

Item: Enable URL Address Filtering
Description: Specify whether to enable URL address filtering.

Item: Default Action
Description: Specify the default action for URL address filtering, that is, the action to be taken for web requests whose URL addresses match none of the configured filtering keywords.

Item: Supporting Using IP Address to Access
Description: Specify whether to enable support for IP addresses in URL address filtering. If you select this option, select the Any IP address radio box to allow access to any IP address, or select the Specify ACL radio box to allow web requests using IP addresses according to the specified ACL.
IMPORTANT: The source IP addresses specified in the ACL for URL address filtering must be the IP addresses of the websites to be accessed.

Item: Enable logging
Description: Specify whether to enable logging for URL address filtering.

Return to URL address filtering configuration task list.

Configuring URL address filtering keywords

Select Application Control > Web Filtering from the navigation tree. The URL Address Filtering page appears, as shown in Figure 32. In the Keywords Setup area, all the keywords for URL address filtering are displayed. Click Add to enter the Add URL Address Filtering Keyword page, as shown in Figure 33.

Figure 33 Add a URL address filtering keyword

Table 24 URL address filtering keyword configuration items

Item: Keyword
Description: Add a URL address filtering keyword. See Figure 33 for how to set a keyword, and see Configuration guidelines for the rules of using wildcards.

Item: Action
Description: Specify the filtering action to be taken on the packets matching the keyword: deny or permit.

Return to URL address filtering configuration task list.

Backing up and loading a URL address filtering rule file

Select Application Control > Web Filtering from the navigation tree. The URL Address Filtering page appears, as shown in Figure 32. In the Filtering File Setup area, you can back up and load a URL address filtering rule file. Table 25 describes the configuration items for backing up and loading a filtering rule file.

Table 25 Configuration items for backing up and loading a URL address filtering rule file

Item: File Path
Description: Name of the file for storing the filtering keywords. The name must contain the file path, for example, flash:/abc.

Item: Save/Load
Description: Specify whether to save or load the specified URL address filtering file. When you perform the load operation, the rules in the filtering rule file are loaded to the device only when the device restarts.

Return to URL address filtering configuration task list.

Displaying URL address filtering information

Select Application Control > Web Filtering from the navigation tree. The URL Address Filtering page appears, as shown in Figure 32. In the Keywords Setup area, you can view the number of times that each URL address filtering keyword has been matched. To reset the statistics, click Reset Counter.

Return to URL address filtering configuration task list.

Configuring URL parameter filtering

Select Application Control > Web Filtering from the navigation tree, and then select the URL Parameter Filtering tab to enter the page shown in Figure 34.

Figure 34 URL parameter filtering

Table 26 URL parameter filtering configuration items

Item: Enable URL Parameter Filtering
Description: Specify whether to enable URL parameter filtering.

Item: Use the Default Filtering Keywords
Description: Specify whether to use the default parameter filtering keywords, which are ^select$, ^insert$, ^update$, ^delete$, ^drop$, --, ', ^exec$, and %27. If you select this option, these default parameter filtering keywords are displayed in the keyword list on the page after you apply the configuration.

Item: Enable logging
Description: Specify whether to enable logging for URL parameter filtering.

Return to URL parameter filtering configuration task list.

Configuring URL parameter filtering keywords

Select Application Control > Web Filtering from the navigation tree, and then select the URL Parameter Filtering tab to enter the page shown in Figure 34. In the Keywords Setup area, all the keywords for URL parameter filtering are displayed. Click Add to enter the Add URL Parameter Filtering Keyword page, as shown in Figure 35.

Figure 35 Add a URL parameter filtering keyword

Table 27 URL parameter filtering keyword configuration items

Item: Keyword
Description: Add a URL parameter filtering keyword. See Figure 35 for how to set a keyword, and see Configuration guidelines for the rules of using wildcards.
TIP: A parameter filtering keyword can be a string with spaces, but consecutive spaces are not allowed in such a keyword.

Return to URL parameter filtering configuration task list.

Backing up and loading a URL parameter filtering rule file

Select Application Control > Web Filtering from the navigation tree, and then select the URL Parameter Filtering tab to enter the page shown in Figure 34. In the Filtering File Setup area, you can back up and load a URL parameter filtering rule file. Table 28 describes the configuration items for backing up and loading a URL parameter filtering rule file.

Table 28 URL parameter filtering rule file configuration items

Item: File Path
Description: Name of the file for storing the filtering keywords. The name must contain the file path, for example, flash:/abc.

Item: Save/Load
Description: Specify whether to save or load the specified URL parameter filtering file. When you perform the load operation, the rules in the filtering rule file are loaded to the device only when the device restarts.

Return to URL parameter filtering configuration task list.

Displaying URL parameter filtering information

Select Application Control > Web Filtering from the navigation tree, and then select the URL Parameter Filtering tab to enter the page shown in Figure 34. In the Keywords Setup area, you can view the number of times that each URL parameter filtering keyword has been matched. To reset the statistics, click Reset Counter.

Return to URL parameter filtering configuration task list.

Configuring Java blocking

Select Application Control > Web Filtering from the navigation tree, and then select the Java Blocking tab to enter the page shown in Figure 36.

Figure 36 Java blocking

Table 29 shows the configuration items for Java blocking.

Table 29 Java blocking configuration items

Item: Enable Java Blocking
Description: Specify whether to enable Java blocking.

Item: Specify ACL
Description: Specify that web requests containing any suffix keyword in the Java blocking suffix list are processed according to the specified ACL.
TIP: The source IP addresses specified in the ACL for Java blocking must be the IP addresses of the websites to be accessed.

Item: Enable logging
Description: Specify whether to enable logging for Java blocking.

Return to Java blocking configuration task list.

Configuring Java blocking keywords

Select Application Control > Web Filtering from the navigation tree, and then select the Java Blocking tab to enter the page shown in Figure 36. In the Keywords Setup area, all the keywords for Java blocking are displayed. Click Add to enter the Add Java Blocking Keyword page, as shown in Figure 37.

Figure 37 Add a Java blocking keyword

Table 30 Java blocking keyword configuration items

Item: Keyword
Description: Add a Java blocking suffix keyword to the Java blocking suffix list. See Figure 37 for how to set a keyword.
TIP: You cannot configure the default blocking suffix keywords .class and .jar.

Return to Java blocking configuration task list.

Displaying Java blocking information

Select Application Control > Web Filtering from the navigation tree, and then select the Java Blocking tab to enter the page shown in Figure 36. In the Keywords Setup area, you can view the number of times that each Java blocking keyword has been matched. To reset the statistics, click Reset Counter.

Return to Java blocking configuration task list.

Configuring ActiveX blocking

Select Application Control > Web Filtering from the navigation tree, and then select the ActiveX Blocking tab to enter the page shown in Figure 38.

Figure 38 ActiveX blocking

Table 31 ActiveX blocking configuration items

Item: Enable ActiveX Blocking
Description: Specify whether to enable ActiveX blocking.

Item: Specify ACL
Description: Specify that web requests containing any suffix keyword in the ActiveX blocking suffix list are processed according to the specified ACL.
TIP: The source IP addresses specified in the ACL for ActiveX blocking must be the IP addresses of the websites to be accessed.

Item: Enable logging
Description: Specify whether to enable logging for ActiveX blocking.

Return to ActiveX blocking configuration task list.

Configuring ActiveX blocking keywords

Select Application Control > Web Filtering from the navigation tree, and then select the ActiveX Blocking tab to enter the page shown in Figure 38. In the Keywords Setup area, all the keywords for ActiveX blocking are displayed. Click Add to enter the Add ActiveX Blocking Keyword page, as shown in Figure 39.

Figure 39 Add an ActiveX blocking keyword

Table 32 ActiveX blocking keyword configuration items

Item: Keyword
Description: Add an ActiveX blocking suffix keyword to the ActiveX blocking suffix list. See Figure 39 for how to set a keyword.
IMPORTANT: You cannot configure the default blocking suffix keyword .ocx.

Return to ActiveX blocking configuration task list.

Displaying ActiveX blocking information

Select Application Control > Web Filtering from the navigation tree, and then select the ActiveX Blocking tab to enter the page shown in Figure 38. In the Keywords Setup area, you can view the number of times that each ActiveX blocking keyword has been matched. To reset the statistics, click Reset Counter.

Return to ActiveX blocking configuration task list.

Web filtering configuration examples

Network requirements

As shown in Figure 40, hosts in network segment /24 access the Internet through the firewall.
- Enable URL parameter filtering on the firewall, and use the user-defined filtering keyword group to filter HTTP requests.
- Enable Java blocking on the firewall, add the suffix keyword .js, and configure the firewall to allow only Java applet requests to the web server shown in Figure 40.

Figure 40 Network diagram for web filtering configuration (Host A, Host B, and Host C behind the firewall's GE 0/ interfaces; the Internet and the web server on the outside)

Configuration procedure

# Configure IP addresses for the interfaces. (Omitted)

# Configure the NAT policy for the outbound interface.
Select Firewall > ACL from the navigation tree, and then click Add.
Type 2200 in the ACL Number text box.
Click Apply.
Click the icon of ACL 2200, and then click Add.

Select Permit from the Operation drop-down list.
Select the Source IP Address check box.
Type the source IP address and the source wildcard.
Click Apply.
Click Add.
Select Deny from the Operation drop-down list.
Click Apply.
Select Firewall > NAT > Dynamic NAT from the navigation tree, and then click Add in the Address Pool area.
Type 1 in the Index text box.
Type the start address of the pool in the Start IP Address text box.
Type the end address of the pool in the End IP Address text box.
Click Apply.
Click Add in the Add Dynamic NAT area.
Select GigabitEthernet0/1 from the Interface drop-down list.
Type 2200 in the ACL Number text box.
Select PAT from the Address Transfer drop-down list.
Type 1 in the Address Pool Index text box.
Click Apply.

# Enable URL parameter filtering.
Select Application Control > Web Filtering from the navigation tree, and then select the URL Parameter Filtering tab.
Select the check box before Enable URL Parameter Filtering.
Click Apply.

# Add the URL parameter filtering keyword group.
Click Add in the Keywords Setup area.
Type group in the Keyword text box.
Click Apply.

# Configure an ACL for Java blocking.
Select Firewall > ACL from the navigation tree, and then click Add.
Type 2100 in the ACL Number text box.
Click Apply.
Click the icon of ACL 2100, and then click Add.
Select Permit from the Operation drop-down list.
Select the Source IP Address check box.
Type the source IP address and the source wildcard.
Click Apply.
Click Add.

Select Deny from the Operation drop-down list.
Click Apply.

# Enable Java blocking, and configure the device to process web requests according to the specified ACL.
Select Application Control > Web Filtering from the navigation tree, and then select the Java Blocking tab.
Select the check box before Enable Java Blocking.
Select the check box before Specify ACL, and then type 2100 in the text box.
Click Apply.

# Add the Java blocking suffix keyword .js.
Click Add in the Keywords Setup area.
Type the keyword .js.
Click Apply.

Configuration verification

# Display URL parameter filtering information.
Select Application Control > Web Filtering from the navigation tree, and then select the URL Parameter Filtering tab. You can see the information shown in Figure 41 in the Keywords Setup area.

Figure 41 URL parameter filtering configuration results

# Display Java blocking information.
Select the Java Blocking tab. You can see the information shown in Figure 42 in the Keywords Setup area.

Figure 42 Java blocking configuration results

The above information indicates that the URL parameter filtering keyword group and the Java blocking keyword .js have each been matched once.

Configuring web filtering in the CLI

IP address-supported URL address filtering can take effect only after URL address filtering is enabled. URL parameter filtering, Java blocking, and ActiveX blocking can be enabled independently.

Configuring URL address filtering

Follow these steps to configure URL address filtering:

To do: Enter system view
Use the command: system-view

To do: Enable the URL address filtering function
Use the command: firewall http url-filter host enable
Remarks: Required. Disabled by default.

To do: Specify the default filtering action
Use the command: firewall http url-filter host default { deny | permit }
Remarks: Optional. deny by default.

To do: Add a URL address filtering entry
Use the command: firewall http url-filter host url-address { deny | permit } url-address
Remarks: Required.

To do: Save URL address filtering entries into a specified file
Use the command: firewall http url-filter host save file-name
Remarks: Optional.

To do: Specify to load a URL address filtering file at restart
Use the command: firewall http url-filter host load file-name
Remarks: Optional.

To do: Display information about URL address filtering
Use the command: display firewall http url-filter host [ all | item keywords | verbose ]
Remarks: Optional.


More information

Configuring Flood Protection

Configuring Flood Protection Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall

More information

Configuring ARP attack protection 1

Configuring ARP attack protection 1 Contents Configuring ARP attack protection 1 ARP attack protection configuration task list 1 Configuring unresolvable IP attack protection 1 Configuring ARP source suppression 2 Configuring ARP blackhole

More information

HP MSR Router Series. EVI Configuration Guide(V7) Part number: b Software version: CMW710-R0304 Document version: 6PW

HP MSR Router Series. EVI Configuration Guide(V7) Part number: b Software version: CMW710-R0304 Document version: 6PW HP MSR Router Series EVI Configuration Guide(V7) Part number: 5998-7360b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

About the Configuration Guides for HP Unified

About the Configuration Guides for HP Unified About the Configuration Guides for HP Unified Wired-W Products HP 830 Unified Wired-W PoE+ Switch Series HP 850 Unified Wired-W Appliance HP 870 Unified Wired-W Appliance HP 11900/10500/7500 20G Unified

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series About the HP 6125 Blade s Part number: 5998-3152 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-4571 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information

More information

HP Routing Switch Series

HP Routing Switch Series HP 12500 Routing Switch Series EVI Configuration Guide Part number: 5998-3419 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

Detecting Specific Threats

Detecting Specific Threats The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan

More information

HP FlexFabric 5700 Switch Series

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series High Availability Configuration Guide Part number: 5998-6680 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015

More information

HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract

HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract HP A5820X & A5800 Switch Series MPLS Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through the software configuration

More information

HP 5130 EI Switch Series

HP 5130 EI Switch Series HP 5130 EI Switch Series ACL and QoS Configuration Guide Part number: 5998-5471a Software version: Release 31xx Document version: 6W100-20150731 Legal and notice information Copyright 2015 Hewlett-Packard

More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series MCE Configuration Guide Part number: 5998-2896 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard Development

More information

Configuring ARP attack protection 1

Configuring ARP attack protection 1 Contents Configuring ARP attack protection 1 ARP attack protection configuration task list 1 Configuring unresolvable IP attack protection 1 Configuring ARP source suppression 2 Configuring ARP blackhole

More information

HP 3100 v2 Switch Series

HP 3100 v2 Switch Series HP 3100 v2 Switch Series ACL and QoS Configuration Guide HP 3100-8 v2 SI Switch (JG221A) HP 3100-16 v2 SI Switch (JG222A) HP 3100-24 v2 SI Switch (JG223A) HP 3100-8 v2 EI Switch (JD318B) HP 3100-16 v2

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series About the HP 6125 Blade Command s Part number: 5998-3163 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP MSR Router Series. Layer 2 LAN Switching Command Reference(V7)

HP MSR Router Series. Layer 2 LAN Switching Command Reference(V7) HP MSR Router Series Layer 2 LAN Switching Command Reference(V7) Part number: 5998-7738b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard

More information

HP Firewalls and UTM Devices

HP Firewalls and UTM Devices HP Firewalls and UTM Devices NAT and ALG Configuration Guide Part number: 5998-4166 Software version: F1000-A-EI: Feature 3722 F1000-S-EI: Feature 3722 F5000: Feature 3211 F1000-E: Feature 3174 Firewall

More information

HP A3100 v2 Switch Series

HP A3100 v2 Switch Series HP A3100 v2 Switch Series Layer 3 - IP Services Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)

More information

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet

More information

HP A3100 v2 Switch Series

HP A3100 v2 Switch Series HP A3100 v2 Switch Series Layer 2 - LAN Switching Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series ACL and QoS Configuration Guide Part number: 5998-2897 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking 1 Review of TCP/IP working Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path Frame Path Chapter 3 Client Host Trunk Link Server Host Panko, Corporate

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module System Management Configuration Guide Part number: 5998-4216 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard

More information

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall

More information

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Network Security Evil ICMP, Careless TCP & Boring Security Analyses Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Part I Internet Control Message Protocol (ICMP) Why ICMP No method

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series Network Management and Monitoring Command Reference Part number: 5998-2889 Software version: Release 2210 Document version: 6W100-20131105 Legal and notice information Copyright

More information

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled

More information

Firewall Stateful Inspection of ICMP

Firewall Stateful Inspection of ICMP The feature categorizes Internet Control Management Protocol Version 4 (ICMPv4) messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMPv4 messages that are generated

More information

Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 12.2SX

Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 12.2SX Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 12.2SX Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

HP 3600 v2 Switch Series

HP 3600 v2 Switch Series HP 3600 v2 Switch Series ACL and QoS Configuration Guide Part number: 5998-2354 Software version: Release 2101 Document version: 6W101-20130930 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Configuring Firewall TCP SYN Cookie

Configuring Firewall TCP SYN Cookie The Firewall TCP SYN Cookie feature protects your firewall from TCP SYN-flooding attacks. TCP SYN-flooding attacks are a type of denial-of-service (DoS) attack. Usually, TCP synchronization (SYN) packets

More information

HP Routing Switch Series

HP Routing Switch Series HP 12500 Routing Switch Series MPLS Configuration Guide Part number: 5998-3414 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

Configuring IP Services

Configuring IP Services This module describes how to configure optional IP services. For a complete description of the IP services commands in this chapter, refer to the Cisco IOS IP Application Services Command Reference. To

More information

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:

More information

HPE FlexNetwork 5510 HI Switch Series

HPE FlexNetwork 5510 HI Switch Series HPE FlexNetwork 5510 HI Switch Series Layer 3 IP Services Command Reference Part number: 5200-0078b Software version: Release 11xx Document version: 6W102-20171020 Copyright 2015, 2017 Hewlett Packard

More information

HP MSR Router Series. Network Management and Monitoring Configuration Guide(V7)

HP MSR Router Series. Network Management and Monitoring Configuration Guide(V7) HP MSR Router Series Network Management and Monitoring Configuration Guide(V7) Part number: 5998-7724b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright

More information

HP 6125XLG Blade Switch

HP 6125XLG Blade Switch HP 6125XLG Blade Switch Network Management and Monitoring Configuration Guide Part number: 5998-5376a Software version: Release 240x Document version: 6W101-20150515 Legal and notice information Copyright

More information

Command Manual Network Protocol. Table of Contents

Command Manual Network Protocol. Table of Contents Table of Contents Table of Contents Chapter 1 IP Address Configuration Commands... 1-1 1.1 IP Address Configuration Commands... 1-1 1.1.1 display ip host... 1-1 1.1.2 display ip interface... 1-1 1.1.3

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series OpenFlow Command Reference Part number: 5998-4679a Software version: Release 23xx Document version: 6W101-20150320 Legal and notice information Copyright 2015 Hewlett-Packard

More information

HPE FlexFabric 7900 Switch Series

HPE FlexFabric 7900 Switch Series HPE FlexFabric 7900 Switch Series VXLAN Configuration Guide Part number: 5998-8254R Software version: Release 213x Document version: 6W101-20151113 Copyright 2015 Hewlett Packard Enterprise Development

More information

HPE 5920 & 5900 Switch Series

HPE 5920 & 5900 Switch Series HPE 5920 & 5900 Switch Series Layer 3 IP Services Command Reference Part number: 5998-6643t Software version: Release 2422P01 Document version: 6W101-20171030 Copyright 2016, 2017 Hewlett Packard Enterprise

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-7772b Software version: Release 241x Document version: 6W102-20171117 Legal and notice information

More information

Table of Contents 1 IP Addressing Configuration IP Performance Configuration 2-1

Table of Contents 1 IP Addressing Configuration IP Performance Configuration 2-1 Table of Contents 1 IP Addressing Configuration 1-1 IP Addressing Overview 1-1 IP Address Classes 1-1 Special Case IP Addresses 1-2 Subnetting and Masking 1-2 Configuring IP Addresses 1-3 Displaying IP

More information

HP Switch Series

HP Switch Series HP 10500 Switch Series ACL and QoS Configuration Guide Part number: 5998-5230 Software version: Release 2111P01 and later Document version: 6W101-20140331 Legal and notice information Copyright 2014 Hewlett-Packard

More information

Configuring Advanced Firewall Settings

Configuring Advanced Firewall Settings Configuring Advanced Firewall Settings This section provides advanced firewall settings for configuring detection prevention, dynamic ports, source routed packets, connection selection, and access rule

More information

Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15M&T

Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15M&T Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

ProCurve Switch G ProCurve Switch G

ProCurve Switch G ProCurve Switch G Management and Configuration Guide ProCurve Switch 1800-8G ProCurve Switch 1800-24G www.procurve.com ProCurve Series 1800 Switch Management and Configuration Guide Copyright 2006, 2007 Hewlett-Packard

More information

IPv4 ACLs, identified by ACL numbers, fall into four categories, as shown in Table 1. Table 1 IPv4 ACL categories

IPv4 ACLs, identified by ACL numbers, fall into four categories, as shown in Table 1. Table 1 IPv4 ACL categories Table of Contents ACL Configuration 1 ACL Overview 1 IPv4 ACL Classification 1 IPv4 ACL Rule Order 1 Rule Numbering Step with IPv4 ACLs 3 Effective Time Period of an IPv4 ACL 3 IP Fragments Filtering with

More information

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls VPN Configuration Guide Part number:5998-2652 Document version: 6PW100-20110909 Legal and notice information Copyright 2011 Hewlett-Packard Development Company,

More information

Authors: Mark Handley, Vern Paxson, Christian Kreibich

Authors: Mark Handley, Vern Paxson, Christian Kreibich Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics Authors: Mark Handley, Vern Paxson, Christian Kreibich Exploitable Ambiguities NIDS does not have full range

More information

Protection Against Distributed Denial of Service Attacks

Protection Against Distributed Denial of Service Attacks Protection Against Distributed Denial of Service Attacks The Protection Against Distributed Denial of Service Attacks feature provides protection from Denial of Service (DoS) attacks at the global level

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series MCE Configuration Guide Part number: 5998-4625 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information Copyright

More information

H

H H12-711 Number: H12-711 Passing Score: 600 Time Limit: 120 min File Version: 1.0 Exam A QUESTION 1 The network administrator wants to improve the performance of network transmission, what steps can the

More information

Operation Manual Security. Table of Contents

Operation Manual Security. Table of Contents Table of Contents Table of Contents Chapter 1 Network Security Overview... 1-1 1.1 Introduction to the Network Security Features Provided by CMW... 1-1 1.2 Hierarchical Line Protection... 1-2 1.3 RADIUS-Based

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN

More information

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1 Table of Contents 1 IPv6 Configuration 1-1 IPv6 Overview 1-1 IPv6 Features 1-1 Introduction to IPv6 Address 1-2 Introduction to IPv6 Neighbor Discovery Protocol 1-5 Introduction to ND Snooping 1-7 Introduction

More information

H3C S6800 Switch Series

H3C S6800 Switch Series H3C S6800 Switch Series Layer 3 IP Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2609 and later Document version: 6W103-20190104 Copyright 2019,

More information

HP FlexFabric 7900 Switch Series

HP FlexFabric 7900 Switch Series HP FlexFabric 7900 Switch Series MCE Configuration Guide Part number: 5998-6188 Software version: Release 2117 and Release 2118 Document version: 6W100-20140805 Legal and notice information Copyright 2014

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting

More information