FIREWALL BASICS

Stateful inspection firewall; FWaaS (firewall as a service)

Security-policy match conditions:
five-tuple (source/destination address, protocol, source/destination port)
source and destination security zone
time range
user (from user authentication)
application (from application identification)
security profiles (anti-virus, IPS, etc.) applied to traffic the policy permits

Traffic from a higher-priority security zone to a lower-priority zone is called outbound; the reverse direction is inbound. The direction is decided by zone priority, not by the interface.
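Added example (not from the original notes): a minimal stateful policy engine showing how a security policy matches on the five-tuple, source/destination zone, time range, user and application, and how the session created by the first packet lets the reply through with no inbound rule. The zone priorities follow the Huawei defaults; the rule, users and packets are constructed here.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Huawei default zone priorities: higher-to-lower is "outbound", lower-to-higher is "inbound".
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


def direction(src_zone, dst_zone):
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    src_zone: str
    dst_zone: str
    user: str = ""          # result of user authentication, if any
    app: str = ""           # result of application identification, if any
    at: time = time(12, 0)  # time the packet arrives


@dataclass
class Rule:
    name: str
    action: str                         # "permit" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: str = "any"
    dports: tuple = (0, 65535)          # destination port range
    user: str = "any"
    app: str = "any"
    start: time = time(0, 0)            # time range
    end: time = time(23, 59, 59)

    def matches(self, p):
        return (self.src_zone in ("any", p.src_zone)
                and self.dst_zone in ("any", p.dst_zone)
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and self.dports[0] <= p.dport <= self.dports[1]
                and self.user in ("any", p.user)
                and self.app in ("any", p.app)
                and self.start <= p.at <= self.end)


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # five-tuples of permitted flows, forward direction

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def handle(self, p):
        # 1. A packet of an existing session (either direction) skips the policy lookup.
        if self._key(p) in self.sessions or self._reverse(p) in self.sessions:
            return "permit (session)"
        # 2. First packet of a flow: top-down rule lookup, first match wins, default deny.
        for r in self.rules:
            if r.matches(p):
                if r.action == "permit":
                    self.sessions.add(self._key(p))
                return f"{r.action} ({r.name})"
        return "deny (default)"


# Constructed rule: hosts in 10.1.1.0/24 may use HTTPS during working hours as user alice.
RULES = [Rule("web-out", "permit", "trust", "untrust", "10.1.1.0/24", "0.0.0.0/0",
              "tcp", (443, 443), "alice", "HTTPS", time(9, 0), time(18, 0))]


def demo():
    fw = StatefulFirewall(RULES)
    req = Packet("10.1.1.5", "198.51.100.10", "tcp", 40000, 443, "trust", "untrust", "alice", "HTTPS", time(10, 0))
    reply = Packet("198.51.100.10", "10.1.1.5", "tcp", 443, 40000, "untrust", "trust")     # no inbound rule needed
    probe = Packet("198.51.100.10", "10.1.1.5", "tcp", 5555, 22, "untrust", "trust")       # unsolicited, no session
    late = Packet("10.1.1.5", "198.51.100.10", "tcp", 40001, 443, "trust", "untrust", "alice", "HTTPS", time(20, 0))
    return [fw.handle(req), fw.handle(reply), fw.handle(probe), fw.handle(late)]
```

demo() returns permit (web-out), permit (session), deny (default), deny (default): the reply rides the session, the unsolicited probe and the out-of-hours request both fall to the default deny.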

Common attacks

Security goals: confidentiality, integrity, source authentication

Application layer: buffer overflow, XSS, SQL injection
Transport layer: TCP spoofing, SYN flood, UDP flood, port scanning
Network layer: IP spoofing, Smurf attack, IP sweep (address scanning)
Link layer: MAC spoofing, MAC flooding, ARP spoofing
Physical layer: equipment damage, wiretapping

ASPF (Application Specific Packet Filtering)

ASPF inspects multi-channel application protocols (FTP and the like) and creates server-map entries for the dynamically negotiated data channel, so the data connection is permitted without a static policy. Server-map entries are also created by NAT and by STUN-type (triplet NAT) translations.
display firewall server-map             # server-map entries (types: ASPF, NAT, STUN)
display firewall session table verbose

Forwarding process

Whitelist and blacklist: checked early in the forwarding path, before the security-policy lookup.
Reference: HUAWEI USG6000, USG9500, NGFW Module V500R005C20 product documentation

NAT

PAT (port address translation), bidirectional NAT (source and destination NAT on the same flow)

LB

GSLB, LSLB, L4 proxy, L7 proxy (LVS, HAProxy, Nginx)

DNS Transparent Proxy

The firewall acts as the DNS server (or transparently proxies DNS queries) and returns the server address on the ISP that suits the requesting address, so that clients on different ISPs are directed to the server reachable through their own ISP.

Exit Selection

Order in which the firewall picks the outgoing interface for a packet:

  1. Is there a firewall session for the flow? If so, the session decides the exit and no routing lookup is done.
  2. Policy routing (source/destination address, source zone, service, user, time range, etc.) is preferred over the FIB.
  3. ISP-based routing: exits are chosen from the ISP public-address lists stored on the firewall, which generates detailed routes in the routing table.
  4. Routing table: longest prefix match first, default route last.

"Source in, source out": reply traffic leaves through the interface on which the request arrived, even when the routing table would choose a different exit.

Intelligent (smart) uplink selection: by link bandwidth, link weight, link active/standby, link quality.
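Added example (not from the original notes): the exit-selection order above simulated for a dual-ISP firewall. Interface names, prefixes, the policy route and the flows are constructed; the order (session first, then policy route, then routing table by longest match with the default route last, replies following "source in, source out") is the one the notes describe.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB. ISP-address-based routing populates the per-ISP prefixes; the default
# route covers everything else. Selection is by longest prefix, so the /0 is tried last.
FIB = {
    ip_network("0.0.0.0/0"):       "GE1/0/1",   # ISP1, default route
    ip_network("203.0.113.0/24"):  "GE1/0/2",   # ISP2 public-address block
    ip_network("198.51.100.0/24"): "GE1/0/1",   # ISP1 public-address block
    ip_network("10.1.0.0/16"):     "GE1/0/0",   # inside
}

# Constructed policy routes, matched top-down before the FIB is consulted.
POLICY_ROUTES = [
    {"src": ip_network("10.1.2.0/24"), "dport": 443, "exit": "GE1/0/2"},
]


def fib_lookup(dst):
    """Longest prefix match; the default route only wins when nothing longer matches."""
    matches = [(net.prefixlen, exit_if) for net, exit_if in FIB.items() if ip_address(dst) in net]
    return max(matches)[1]


class ExitSelector:
    def __init__(self):
        self.sessions = {}   # forward five-tuple -> (ingress interface, exit interface)

    def select(self, src, dst, proto, sport, dport, ingress):
        fwd = (src, dst, proto, sport, dport)
        rev = (dst, src, proto, dport, sport)
        # 1. Existing session: the stored exit is reused, no routing lookup.
        if fwd in self.sessions:
            return self.sessions[fwd][1]
        # 1b. Reply of an existing session: "source in, source out".
        if rev in self.sessions:
            return self.sessions[rev][0]
        # 2. Policy routing (source/destination address, zone, service, user, time ...) beats the FIB.
        for pr in POLICY_ROUTES:
            if ip_address(src) in pr["src"] and pr["dport"] == dport:
                exit_if = pr["exit"]
                break
        else:
            # 3. Routing table: ISP detailed routes, statics, dynamic routes, default last.
            exit_if = fib_lookup(dst)
        self.sessions[fwd] = (ingress, exit_if)
        return exit_if


def demo():
    sel = ExitSelector()
    return {
        "isp2 block":        sel.select("10.1.1.5", "203.0.113.20", "tcp", 50000, 80, "GE1/0/0"),
        "default":           sel.select("10.1.1.5", "8.8.8.8", "udp", 50000, 53, "GE1/0/0"),
        "policy route":      sel.select("10.1.2.5", "8.8.8.8", "tcp", 50001, 443, "GE1/0/0"),
        "inbound via isp2":  sel.select("192.0.2.7", "10.1.1.80", "tcp", 1234, 443, "GE1/0/2"),
        "reply":             sel.select("10.1.1.80", "192.0.2.7", "tcp", 443, 1234, "GE1/0/0"),
        "fib for reply dst": fib_lookup("192.0.2.7"),
    }
```

The last two entries are the point of "source in, source out": the reply to a connection that arrived on ISP2 leaves on GE1/0/2, although the FIB alone would send 192.0.2.7 out of the default route on GE1/0/1 and the other ISP would likely drop a packet with a source address it does not own.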

USG FW HA

MTBF (mean time between failures), MTTR (mean time to repair); availability = MTBF / (MTBF + MTTR)

Detection technologies: BFD, IP-Link (ICMP), NQA (ICMP, TCP, UDP)

Redundancy technologies: Eth-Trunk, Link-Group (VGMP), hot standby

BFD

Detects link failures at millisecond level (interval timers are configured in milliseconds; the packet carries them in microseconds).

Universal: media independent, protocol independent.

Asynchronous mode, echo mode (echo assistance).

Wherever IP-Link applies, BFD works too; BFD can also be bound to OSPF, which is the more common use.

BFD control packets use UDP, destination port 3784 (single hop; 4784 for multihop, 3785 for echo).

Disadvantages: consumes more resources; must be configured on both peers.

bfd
 quit
bfd b1 bind peer-ip 10.1.1.254 interface GigabitEthernet1/0/1
 discriminator local 10
 discriminator remote 20
 commit
 quit
ip route-static 0.0.0.0 0 10.1.1.254 track bfd-session b1   # default route follows the BFD session (tracking IP-Link is more common)
ip route-static 0.0.0.0 0 10.2.1.254 preference 70          # backup default route; static preference defaults to 60 and a lower value wins, so the backup needs a higher value
display bfd session all

ospf 1
 bfd all-interfaces enable
interface GigabitEthernet1/0/0
 ospf bfd enable
 ospf bfd min-rx-interval 500 min-tx-interval 500 detect-multiplier 3   # detection time 3 x 500 ms = 1.5 s
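Added example (not from the original notes): encoding and decoding a BFD control packet in the RFC 5880 format (the UDP payload sent to port 3784) and computing the asynchronous-mode detection time for the timers configured above (discriminators 10/20, min-rx 500 ms, min-tx 500 ms, detect-multiplier 3). The timer values come from the configuration above; the packet bytes are constructed here.

```python
import struct
from dataclasses import dataclass

BFD_CTRL_PORT = 3784       # single-hop control packets (RFC 5881)
BFD_ECHO_PORT = 3785
BFD_MULTIHOP_PORT = 4784   # RFC 5883
STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
CTRL_LEN = 24              # mandatory section, no authentication section


@dataclass
class BfdControl:
    my_disc: int               # local discriminator
    your_disc: int             # peer's discriminator, 0 until learned
    desired_min_tx_us: int     # timers travel in microseconds on the wire
    required_min_rx_us: int
    detect_mult: int
    state: int = 3             # Up
    diag: int = 0
    version: int = 1

    def encode(self):
        byte0 = (self.version << 5) | (self.diag & 0x1F)
        byte1 = (self.state & 0x3) << 6          # P/F/C/A/D/M flags all clear
        return struct.pack("!BBBBIIIII", byte0, byte1, self.detect_mult, CTRL_LEN,
                           self.my_disc, self.your_disc, self.desired_min_tx_us,
                           self.required_min_rx_us, 0)   # required min echo rx: echo not used

    @classmethod
    def decode(cls, data):
        if len(data) < CTRL_LEN:
            raise ValueError("short BFD packet")
        b0, b1, mult, length, my, your, tx, rx, _echo = struct.unpack("!BBBBIIIII", data[:CTRL_LEN])
        # Reception checks from RFC 5880 section 6.8.6: version, length, non-zero multiplier and discriminator.
        if (b0 >> 5) != 1 or length > len(data) or mult == 0 or my == 0:
            raise ValueError("not a valid BFD v1 control packet")
        return cls(my, your, tx, rx, mult, state=b1 >> 6, diag=b0 & 0x1F)


def accepts(local, pkt):
    """A received packet belongs to this session only if its Your Discriminator is ours."""
    return pkt.your_disc == local.my_disc


def detection_time_us(local, remote):
    """Asynchronous mode: the remote detect multiplier times the slower of the two intervals."""
    return remote.detect_mult * max(local.required_min_rx_us, remote.desired_min_tx_us)


def demo():
    # Values from the configuration above: discriminators 10/20, 500 ms timers, multiplier 3.
    local = BfdControl(my_disc=10, your_disc=20, desired_min_tx_us=500_000,
                       required_min_rx_us=500_000, detect_mult=3)
    remote = BfdControl.decode(BfdControl(20, 10, 500_000, 500_000, 3).encode())
    return local, remote, detection_time_us(local, remote)
```

Because the detection time is the multiplier times the slower side's interval, lowering min-rx on one firewall alone does not speed up failover; both peers have to be configured, which is the "must be configured on both peers" point above.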

By-Pass

Power supply redundancy, fan redundancy, by-pass card

The by-pass card has 4 ports: upstream, downstream, firewall in, firewall out. When the firewall loses power or fails, the card bridges upstream to downstream directly, so traffic keeps flowing but is no longer inspected (fail-open: availability over security).

The by-pass function is only supported on some USG6000 models.

Eth-Trunk

Huawei devices support a maximum of 16 member links.

Mode can be manual or LACP.

LACP is the standard, vendor-neutral mode (IEEE 802.1AX, formerly 802.3ad); manual mode does no negotiation and cannot detect a mis-cabled member.

display eth-trunk
display trunkmembership eth-trunk 1

The firewall load-balances per flow by default, so one iperf stream is hashed onto a single member link. When testing throughput with iperf, start multiple streams with different source/destination address pairs so that all physical links carry traffic.

VRRP/VGMP/HRP (dual firewalls, active/standby)

HRP (Huawei Redundancy Protocol) synchronizes configuration and state over the heartbeat link: policies, objects, sessions, some network items, some system items, etc.

VRRP manages the virtual IP on each interface (IP protocol number 112). A gratuitous ARP is sent on switchover so that neighbours update the MAC address behind the virtual IP.

VGMP tracks the upstream and downstream interfaces of one firewall together: all VRRP groups on a firewall belong to one VGMP group, the VGMP state (active or standby) is the firewall's state, and a failure on any member moves the whole firewall, not a single interface, to standby.

display hrp state
hrp adjust ospf-cost enable [cost]      # the standby advertises a higher OSPF cost so traffic prefers the active
display mac-address
display arp
display ip routing-table

# R1 (plain VRRP on routers, with interface tracking)
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 24
 vrrp vrid 10 virtual-ip 10.1.1.254
 vrrp vrid 10 priority 105
 vrrp vrid 10 track interface GigabitEthernet0/0/1 reduced 10
interface GigabitEthernet0/0/1
 ip address 20.1.1.1 24
 vrrp vrid 20 virtual-ip 20.1.1.254
 vrrp vrid 20 priority 105
display vrrp

# R2
interface GigabitEthernet0/0/0
 ip address 10.1.1.2 24
 vrrp vrid 10 virtual-ip 10.1.1.254
interface GigabitEthernet0/0/1
 ip address 20.1.1.2 24
 vrrp vrid 20 virtual-ip 20.1.1.254
display vrrp brief

display hrp interface           # show the heartbeat interface
hrp mirror session enable       # session quick backup, needed in load-balancing mode

# R5 (upstream router)
ospf 1
 area 0
  network 1.1.1.5 0.0.0.0
  network 2.2.2.5 0.0.0.0
  network 3.3.3.5 0.0.0.0

# FW3 (active)
ospf 1
 area 0
  network 10.1.1.10 0.0.0.0
  network 1.1.1.3 0.0.0.0
hrp interface GigabitEthernet1/0/2 remote 172.16.1.4   # heartbeat interface, configured before hrp enable
hrp enable
interface GigabitEthernet1/0/1
 ip address 10.1.1.10 24
 vrrp vrid 10 virtual-ip 10.1.1.254 24 active
interface GigabitEthernet1/0/2
 ip address 172.16.1.3 24
interface GigabitEthernet1/0/0
 ip address 1.1.1.3 24
firewall zone trust
 add interface GigabitEthernet1/0/1
firewall zone untrust
 add interface GigabitEthernet1/0/0
firewall zone name hb           # custom zone for the heartbeat link
 set priority 75                # any unused priority
 add interface GigabitEthernet1/0/2
display hrp state verbose

# FW4 (standby)
ospf 1
 area 0
  network 10.1.1.20 0.0.0.0     # FW4's own address on GigabitEthernet1/0/1
  network 2.2.2.4 0.0.0.0
hrp interface GigabitEthernet1/0/2 remote 172.16.1.3
hrp enable
hrp standby config enable       # allow configuring on the standby; the change is synchronized to the active
interface GigabitEthernet1/0/1
 ip address 10.1.1.20 24
 vrrp vrid 10 virtual-ip 10.1.1.254 24 standby
interface GigabitEthernet1/0/2
 ip address 172.16.1.4 24
interface GigabitEthernet1/0/0
 ip address 2.2.2.4 24
firewall zone trust
 add interface GigabitEthernet1/0/1
firewall zone untrust
 add interface GigabitEthernet1/0/0
firewall zone name hb
 set priority 75
 add interface GigabitEthernet1/0/2

The VRRP virtual IP does not have to be in the same subnet as the interfaces' real IPs; this can save public IP addresses.
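Added example (not from the original notes): VRRP master election for the R1/R2 configuration above (vrid 10 and 20, R1 at priority 105 with "track interface GigabitEthernet0/0/1 reduced 10", R2 at the default 100). It shows why a single downstream link failure moves one group but can leave the other where it was, which is the split that VGMP prevents on a firewall pair by moving the whole device. Interface states are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

VRRP_IP_PROTOCOL = 112     # advertisements are IP protocol 112 to 224.0.0.18
DEFAULT_PRIORITY = 100


@dataclass
class VrrpGroup:
    vrid: int
    interface: str                 # interface the group is configured on
    ip: str                        # that interface's real address (tie breaker)
    priority: int = DEFAULT_PRIORITY
    track: dict = field(default_factory=dict)   # tracked interface -> 'reduced' value


@dataclass
class Router:
    name: str
    groups: list
    if_up: dict                    # interface -> True/False

    def effective_priority(self, g):
        if not self.if_up[g.interface]:
            return None            # no advertisements from a down interface
        pri = g.priority
        for ifname, reduce in g.track.items():
            if not self.if_up[ifname]:
                pri -= reduce      # 'vrrp vrid N track interface X reduced R'
        return max(pri, 1)


def elect_master(routers, vrid):
    """Highest effective priority wins; ties go to the higher real IP address (RFC 3768)."""
    best = None
    for r in routers:
        for g in r.groups:
            if g.vrid != vrid:
                continue
            pri = r.effective_priority(g)
            if pri is None:
                continue
            cand = (pri, ip_address(g.ip), r.name)
            if best is None or cand > best:
                best = cand
    return best[2] if best else None


def build(r1_g001_up=True, tracking=True):
    """R1/R2 as configured above; R1 runs both groups at priority 105."""
    track = {"GigabitEthernet0/0/1": 10} if tracking else {}
    r1 = Router("R1", [VrrpGroup(10, "GigabitEthernet0/0/0", "10.1.1.1", 105, track),
                       VrrpGroup(20, "GigabitEthernet0/0/1", "20.1.1.1", 105)],
                {"GigabitEthernet0/0/0": True, "GigabitEthernet0/0/1": r1_g001_up})
    r2 = Router("R2", [VrrpGroup(10, "GigabitEthernet0/0/0", "10.1.1.2"),
                       VrrpGroup(20, "GigabitEthernet0/0/1", "20.1.1.2")],
                {"GigabitEthernet0/0/0": True, "GigabitEthernet0/0/1": True})
    return [r1, r2]


def masters(routers):
    return {vrid: elect_master(routers, vrid) for vrid in (10, 20)}
```

With everything up R1 owns both groups. When R1's GigabitEthernet0/0/1 goes down, tracking drops vrid 10 to 95 so both groups move to R2 together; without tracking vrid 10 stays on R1 while vrid 20 has to move to R2, and traffic entering R1 on 10.1.1.254 is black-holed. On the firewalls this coupling is done by VGMP rather than per-group tracking.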

VPN

GRE

Can encapsulate IP, IPX, AppleTalk, etc.

The tunnel interface must also be assigned to a security zone (here dmz), and to an OSPF area if OSPF runs across the tunnel.

ip route-static 172.16.0.0 16 Tunnel1
interface Tunnel1
 tunnel-protocol gre
 source 1.1.1.3
 destination 2.2.2.4
 ip address 192.168.3.3 24       # the interface will not come up without an IP address
firewall zone dmz
 add interface Tunnel1
security-policy
 rule name 1-2                   # inner traffic, before encapsulation
  source-zone trust
  destination-zone dmz
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 172.16.1.0 mask 255.255.255.0
  service icmp
  action permit
 rule name 2-1.1                 # GRE packets from the peer to this firewall
  source-zone untrust
  destination-zone local
  source-address 2.2.2.4 32
  destination-address 1.1.1.3 32
  action permit
 rule name 2-1.2                 # inner traffic after decapsulation
  source-zone dmz
  destination-zone trust
  source-address 172.16.1.0 24
  destination-address 10.1.1.0 24
  action permit
 default action deny

After encapsulation the security policy does not inspect the packet again. After decapsulation the inner packet is checked against the security policy again if there is no matching session.

Lab tip: start with default action permit, look at the sessions with display firewall session table, and then write the security policies from what you see; tighten to default deny before the firewall goes into production.

The command firewall packet-filter basic-protocol enable permits basic protocol packets such as OSPF by default. Some devices permit self-originated OSPF packets by default.

IPSec

Elements: peer, SA (security association), security protocol (AH/ESP), mode (tunnel/transport)

ESP tunnel mode: New IP header | ESP header (SPI, sequence number) | original IP header | TCP header | data | ESP trailer | ESP auth (ICV)

IKEv1 phase 1: main mode (6 messages) or aggressive mode (3 messages); phase 2: quick mode (3 messages)

SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)            # pre-shared-key authentication
SKEYID   = prf(Ni_b | Nr_b, K)                         # signature authentication
SKEYID_d = prf(SKEYID, K | Ci | Cr | 0)                # keying material for the IPsec SAs
SKEYID_a = prf(SKEYID, SKEYID_d | K | Ci | Cr | 1)     # authenticates (HMAC) the IKE SA's own messages
SKEYID_e = prf(SKEYID, SKEYID_a | K | Ci | Cr | 2)     # encrypts the IKE SA's own messages
K = g^xy, the Diffie-Hellman shared secret; Ci, Cr = initiator and responder cookies; Ni_b, Nr_b = nonce payload bodies

prf: pseudo-random function (HMAC with the negotiated hash)

PFS (perfect forward secrecy) runs another DH exchange in quick mode, so the IPsec keys no longer depend only on SKEYID_d.

The SPI in the ESP header selects the SA, and with it the algorithm and key used to decapsulate the packet.
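Added example (not from the original notes): the IKEv1 phase-1 key derivation above for pre-shared-key authentication (RFC 2409 section 5), followed by the quick-mode KEYMAT derivation with and without PFS. prf is instantiated as HMAC-SHA-256 (matching the prf hmac-sha2-256 in the proposal below); the nonces, cookies and DH secrets are random placeholders generated here, not values from a real exchange.

```python
import hashlib
import hmac
import os


def prf(key, data):
    """IKEv1 prf = HMAC with the negotiated hash (HMAC-SHA-256 assumed here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_keys(psk, ni_b, nr_b, k, ci, cr):
    """K is the DH shared secret g^xy, Ci/Cr the initiator/responder cookies."""
    skeyid = prf(psk, ni_b + nr_b)                              # pre-shared-key authentication
    skeyid_d = prf(skeyid, k + ci + cr + b"\x00")               # seed for the IPsec (non-ISAKMP) keys
    skeyid_a = prf(skeyid, skeyid_d + k + ci + cr + b"\x01")    # integrity of IKE messages
    skeyid_e = prf(skeyid, skeyid_a + k + ci + cr + b"\x02")    # encryption of IKE messages
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


PROTO_IPSEC_ESP = b"\x03"   # protocol identifier of ESP in the IPsec DOI


def quick_mode_keymat(skeyid_d, spi, ni_b, nr_b, pfs_secret=None):
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b) (RFC 2409 section 5.5).

    With PFS the fresh quick-mode DH secret g(qm)^xy is prepended; without it the
    IPsec keys are a pure function of SKEYID_d and public values.
    """
    prefix = pfs_secret if pfs_secret is not None else b""
    return prf(skeyid_d, prefix + PROTO_IPSEC_ESP + spi + ni_b + nr_b)


def demo():
    # Placeholder exchange values (random, constructed here). k stands in for a 2048-bit g^xy.
    ni_b, nr_b = os.urandom(32), os.urandom(32)
    ci, cr = os.urandom(8), os.urandom(8)
    k = os.urandom(256)
    keys = phase1_keys(b"azen123", ni_b, nr_b, k, ci, cr)
    spi = os.urandom(4)
    # An attacker holding SKEYID_d plus the public SPI and nonces can recompute this:
    without_pfs = quick_mode_keymat(keys["SKEYID_d"], spi, ni_b, nr_b)
    # ... but not these, because each rekey with PFS mixes in a fresh DH secret:
    with_pfs_1 = quick_mode_keymat(keys["SKEYID_d"], spi, ni_b, nr_b, pfs_secret=os.urandom(256))
    with_pfs_2 = quick_mode_keymat(keys["SKEYID_d"], spi, ni_b, nr_b, pfs_secret=os.urandom(256))
    return keys, without_pfs, with_pfs_1, with_pfs_2
```

Note the first line of phase1_keys: with pre-shared-key authentication SKEYID depends only on the PSK and the two nonces, which are sent in the clear. In aggressive mode the responder's hash is also sent unencrypted, so a captured exchange allows an offline dictionary attack on the PSK; main mode, a long random PSK, or certificate authentication avoids this.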

ike proposal 1
 encryption-algorithm sm4                  # or aes-256
 authentication-algorithm sm3 | sha2-256
 authentication-method pre-share | rsa-signature
 dh group10
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer 2
 undo version 2                            # both IKE versions are enabled by default; this peer uses IKEv1 only
 remote-address 2.2.2.2
 ike-proposal 1
 exchange-mode main | aggressive | auto    # aggressive mode sends the PSK-derived hash in the clear; prefer main
 pre-shared-key azen123
acl 3001                                   # interesting traffic to be protected
 rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec proposal 3
 encapsulation-mode tunnel
 transform esp                             # security protocol
 esp encryption-algorithm aes-256
 esp authentication-algorithm sha2-256
ipsec policy 4 10 isakmp                   # IKE negotiates over UDP port 500
 proposal 3
 ike-peer 2
 security acl 3001
interface GigabitEthernet1/0/1
 ipsec policy 4
 ip address 1.1.1.1 24
interface GigabitEthernet1/0/0
 ip address 10.1.1.254 24
ospf 5
 area 0
  network 1.1.1.1 0.0.0.0
ip route-static 192.168.1.0 24 1.1.1.11    # the remote subnet must be routed out of the IPsec-enabled interface before the ACL can match
firewall zone untrust
 add interface GigabitEthernet1/0/1
security-policy
 rule name 1                               # interesting traffic; must cover the subnets in acl 3001
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 24
  destination-address 192.168.1.0 mask 24
  service icmp
  action permit
 rule name 2                               # IKE from this firewall to the peer (UDP 500; also UDP 4500 with NAT-T)
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 mask 32
  destination-address 2.2.2.2 mask 32
  service isakmp
  action permit
 rule name 3                               # ESP from the peer to this firewall
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 mask 32
  destination-address 1.1.1.1 mask 32
  service esp
  action permit
display ipsec sa
reset ipsec sa

# With an IPsec policy template you do not configure the ACL or the remote address. Use it when the peer has no static IP; that peer must then initiate the negotiation.
ike peer 8
 undo version 2
 pre-shared-key azen123
 ike-proposal 1
ipsec policy-template 10 100
 proposal 3
 ike-peer 8
 route inject dynamic                      # inject routes to the peer's protected subnets when the SA comes up
ipsec policy 4 20 isakmp template 10

NAT Traversal

Source NAT and IPsec on the same device: after source NAT the source address has changed, so the IPsec policy ACL no longer matches and the packet is not encapsulated. One workaround is to write the IPsec ACLs on both peers for the translated addresses, mirrored on each side. The other is to insert a nat-policy rule, placed before the general source-NAT rule, with action no-nat for traffic between the two VPN sites.

NAT device between the IPsec peers (NAT traversal): during IKE SA negotiation both sides detect whether a NAT is in the path; if so NAT-T is used and a UDP header (port 4500) is inserted between the outer IP header and the ESP header. With IKEv1, NAT-T must be enabled manually; IKEv2 supports NAT-T natively.
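Added example (not from the original notes): telling apart the encapsulations described above, plain ESP (IP protocol 50) versus NAT-T (ESP carried in UDP to port 4500, with IKE on the same port distinguished by the 4-byte zero non-ESP marker of RFC 3948), and using the ESP SPI to find the SA that holds the algorithms and keys, as noted under IPSec. The SA database and the packets are constructed here; the ESP payloads are placeholders, not real ciphertext.

```python
import struct

IPPROTO_ESP = 50
IPPROTO_UDP = 17
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # SPI 0 is reserved, so this prefix cannot be an ESP header

# Constructed SA database keyed by inbound SPI (what 'display ipsec sa' would list).
SAD = {
    0x1000ABCD: {"transform": "esp", "enc": "aes-256", "auth": "sha2-256", "mode": "tunnel"},
}


def esp_header(spi, seq):
    return struct.pack("!II", spi, seq)


def udp_encap(sport, dport, payload):
    """Minimal UDP header; a zero checksum is allowed for NAT-T over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(ip_proto, l4):
    """Return what the packet is and, for ESP, which SA its SPI selects."""
    if ip_proto == IPPROTO_ESP:
        esp = l4
    elif ip_proto == IPPROTO_UDP:
        if len(l4) < 8:
            return {"kind": "malformed-udp"}
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        body = l4[8:length]
        if dport != NAT_T_PORT:
            return {"kind": "udp", "dport": dport}
        if body[:4] == NON_ESP_MARKER:
            return {"kind": "ike-nat-t", "ike": body[4:]}   # IKE sharing port 4500
        esp = body                                           # UDP-encapsulated ESP
    else:
        return {"kind": "other", "proto": ip_proto}
    if len(esp) < 8:
        return {"kind": "malformed-esp"}
    spi, seq = struct.unpack("!II", esp[:8])
    sa = SAD.get(spi)
    if sa is None:
        return {"kind": "esp", "spi": spi, "seq": seq, "sa": None, "verdict": "drop: no SA for SPI"}
    return {"kind": "esp", "spi": spi, "seq": seq, "sa": sa, "verdict": "decapsulate with " + sa["enc"]}


def demo():
    raw_esp = esp_header(0x1000ABCD, 7) + b"<encrypted payload, trailer and ICV>"
    natt_esp = udp_encap(61234, NAT_T_PORT, raw_esp)                       # source port rewritten by the NAT
    natt_ike = udp_encap(61234, NAT_T_PORT, NON_ESP_MARKER + b"<IKE header and payloads>")
    unknown = esp_header(0xDEADBEEF, 1) + b"<payload>"
    return {
        "plain esp": classify(IPPROTO_ESP, raw_esp),
        "nat-t esp": classify(IPPROTO_UDP, natt_esp),
        "nat-t ike": classify(IPPROTO_UDP, natt_ike),
        "unknown spi": classify(IPPROTO_ESP, unknown),
        "plain udp": classify(IPPROTO_UDP, udp_encap(5353, 53, b"dns query")),
    }
```

The same SPI selects the same SA whether the ESP arrives raw or inside UDP 4500, which is why only the outer encapsulation changes when NAT-T kicks in; the security policy, however, must then permit UDP 4500 as well as UDP 500 and ESP between the peers.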

IKE v2

More efficient and more secure than IKEv1: 4 messages in total (the IKE_SA_INIT pair and the IKE_AUTH pair) negotiate the IKE SA and the first pair of IPsec (child) SAs.
