07-Security Configuration Guide

H3C Access Controllers Configuration Guides (E3703P61 R2509P61 R3709P61 R2609P61 R3509P61)-6W102
01-Security Overview

Security overview

Network security services provide solutions that eliminate or mitigate security threats. A network security threat is an existing or potential threat to data confidentiality, data integrity, or data availability.

Network security threats

·     Information disclosure—Information is leaked to an unauthorized person or entity.

·     Data integrity damage—Data integrity is damaged by unauthorized modification or malicious destruction.

·     Denial of service—Makes information or other network resources unavailable to their intended users.

·     Unauthorized usage—Resources are used by unauthorized persons or in unauthorized ways.

Network security services

A security service is implemented by one or more network security technologies, and one technology can support multiple services. The most important security services are the following:

·     Identity authentication—Identifies users and determines if a user is valid. Typical methods include AAA-based username plus password authentication, and PKI digital certificate-based authentication.

·     Access security—Prevents unauthorized access and use of network resources by implementing AAA-based identity authentication. Access security protocols such as 802.1X, MAC authentication, and portal authentication work together with AAA to implement user identity authentication.

·     Data security—Encrypts and decrypts data during data transmission and storage. Typical encryption mechanisms include symmetric encryption and asymmetric encryption, and their common applications are IPsec, SSL, and SSH. IPsec secures IP communications. SSL and SSH protect data transfer based on TCP.

·     Firewall—Blocks unauthorized access from the Internet (or another untrusted network) to a protected network. Major firewall implementations are ACL-based packet filtering, ASPF, and ALG.

Network security technologies

Identity authentication

AAA

AAA provides a uniform framework for implementing network access management. It provides the following security functions:

·     Authentication—Identifies network users and determines whether the user is valid.

·     Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.

·     Accounting—Records all network service usage information, including the service type, start time, and traffic. The accounting function provides information for charging and user behavior auditing.

AAA can be implemented through multiple protocols, such as RADIUS, HWTACACS, and LDAP; RADIUS is the most widely used.

PKI

PKI is a public key infrastructure built on asymmetric cryptography for securing network services. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.

H3C's PKI system provides digital certificate management for IPsec and SSL.

Access security

802.1X

802.1X is a port-based network access control protocol. Originally defined for Ethernet LANs, it is widely used for access control on both wired networks and wireless LANs (WLANs). 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

MAC authentication

MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port. If the MAC address passes authentication, the user can access authorized network resources.

Port security

Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to networks that require different authentication methods for different users on a port, such as a WLAN. Port security prevents unauthorized access to a network by checking the source MAC address of inbound traffic and prevents access to unauthorized devices by checking the destination MAC address of outbound traffic.

Portal authentication

Portal authentication, also called "Web authentication," controls user access at the access layer and at other data entry points that need protection. It does not require client software to authenticate users. Users only need to enter a username and a password on a webpage for authentication.

With portal authentication, an access device redirects all unauthenticated users to a specific webpage (the portal page). Unauthenticated users can access the resources on that webpage without passing portal authentication. However, to access the Internet, a user must pass portal authentication on the portal authentication page.

Data security

Managing public keys

Public key configuration enables you to manage the local asymmetric key pairs (for example, creating or destroying a local asymmetric key pair, and displaying or exporting a local host public key), and configure the peer host public keys on the local device.

IPsec and IKE

IPsec is a security framework for securing IP communications. It is a Layer 3 VPN technology used for data encryption and data origin authentication.

IKE automatically negotiates security parameters for IPsec, simplifying the configuration and maintenance of IPsec. Security parameters negotiated by IKE include authentication and encryption algorithms, authentication and encryption keys, IP packet encapsulation modes (tunnel mode and transport mode), and key lifetimes.

SSL

SSL (and its successor TLS) is a security protocol that provides communication security for TCP-based application layer protocols by using the public key mechanism and digital certificates. SSL is independent of the application layer protocol, and enables an application layer protocol to use an SSL-based secure connection. A common application is HTTPS—HTTP over SSL, or HTTP Secure.

SSH

SSH is a network security protocol that provides secure remote login and file transfer over an insecure network. Using encryption and authentication, SSH protects devices against attacks such as IP spoofing and plaintext password interception.

Firewall

ACL based packet-filter

An ACL packet-filter filters IP packets based on fields in their headers.

Before forwarding an IP packet, the device obtains the following header information:

·     Protocol number of the upper layer protocol carried by the IP layer

·     Source address

·     Destination address

·     Source port number

·     Destination port number

The device compares this header information against the configured ACL rules and processes (discards or forwards) the packet based on the comparison result.
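The matching procedure above, as an added example that is not code from the H3C guide: rules are checked in order against the five header fields just listed, the first match decides, and a packet that matches no rule gets a default action. Addresses are written the way ACL rules usually express them, as a base address plus a wildcard mask (a 1 bit in the wildcard means "don't care"). The sample rules and packets are constructed, and the fail-closed default of "deny" is this example's choice, not a statement about the device's default.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1
ANY_ADDR = ("0.0.0.0", "255.255.255.255")   # base address + wildcard mask


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports (e.g. ICMP)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    proto: Optional[int] = None               # None matches any IP protocol
    src: Tuple[str, str] = ANY_ADDR           # (address, wildcard) as in ACL rule syntax
    dst: Tuple[str, str] = ANY_ADDR
    sports: Optional[Tuple[int, int]] = None  # inclusive port range, None = any
    dports: Optional[Tuple[int, int]] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def addr_match(addr: str, spec: Tuple[str, str]) -> bool:
    """Wildcard-mask match; wildcards need not be contiguous, unlike subnet masks."""
    base, wildcard = spec
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def port_match(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def rule_match(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.proto is None or rule.proto == pkt.proto)
        and addr_match(pkt.src, rule.src)
        and addr_match(pkt.dst, rule.dst)
        and port_match(pkt.sport, rule.sports)
        and port_match(pkt.dport, rule.dports)
    )


def filter_packet(rules, pkt: Packet, default: str = "deny"):
    """First matching rule wins, so rule order is part of the policy.
    Returns (action, index of the matching rule, or None if the default applied)."""
    for index, rule in enumerate(rules):
        if rule_match(rule, pkt):
            return rule.action, index
    return default, None


# Constructed sample policy: block Telnet to the management host 10.1.1.10, allow SSH
# to it from the 10.1.1.0/24 subnet only, and permit everything else from that subnet.
SAMPLE_RULES = [
    Rule("deny", TCP, dst=("10.1.1.10", "0.0.0.0"), dports=(23, 23)),
    Rule("permit", TCP, src=("10.1.1.0", "0.0.0.255"), dst=("10.1.1.10", "0.0.0.0"), dports=(22, 22)),
    Rule("permit", None, src=("10.1.1.0", "0.0.0.255")),
]

if __name__ == "__main__":
    for pkt in (Packet(TCP, "10.1.1.5", "10.1.1.10", 51000, 23),
                Packet(TCP, "10.1.1.5", "10.1.1.10", 51001, 22),
                Packet(TCP, "10.2.0.1", "10.1.1.10", 51002, 22),
                Packet(ICMP, "10.1.1.200", "10.1.1.10")):
        print(pkt, "->", filter_packet(SAMPLE_RULES, pkt))
```

Reversing `SAMPLE_RULES` lets the broad "permit anything from 10.1.1.0/24" rule shadow the Telnet deny, which is the classic ordering mistake a rule review should catch.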

ASPF

An ASPF implements stateful (connection status-based) packet filtering, and provides the following functions:

·     Transport layer protocol inspection (generic TCP and UDP inspection)—ASPF checks a TCP/UDP packet's source and destination addresses and port numbers to determine whether to permit the packet to pass through the firewall into the internal network.

·     Application layer protocol inspection—ASPF checks application layer information for packets, such as the protocol type and port number, and monitors the application layer protocol status for each connection. ASPF maintains status information for each connection, and based on status information, determines whether to permit a packet to pass through the firewall into the internal network, thus defending the internal network against attacks.

ASPF also supports other security functions, such as port-to-application mapping, ICMP error message inspection, and first-packet inspection for TCP connections.

At the network border, an ASPF works together with a packet-filter firewall to provide a security policy that is more comprehensive and better matches actual needs.

ALG

ALG processes payload information for application layer packets.

Working with NAT, ALG implements address translation in packet payloads. Working with ASPF, ALG implements data connection detection and application layer status checking.

Session management

Session management is a common feature that underpins session-based services such as NAT and ASPF. It tracks connection status by inspecting transport layer protocol (TCP or UDP) information, treats each transport layer packet exchange as a session, and maintains the status of all connections in a unified way.

In actual applications, session management works together with ASPF to dynamically determine whether a packet can pass the firewall and enter the internal network according to connection status, thus preventing intrusion.

The session management function only implements connection status tracking. It does not block potential attack packets.
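The division of labour between session management and ASPF described above, as an added example that is not code from the H3C guide: the session table only records and ages connection state, while the ASPF layer makes the permit/deny decision from that state plus an outbound policy. It also shows two ASPF checks mentioned earlier, that an inbound packet is only allowed as a reply to an existing session, and TCP first-packet inspection (only a SYN may open a session). The outbound policy, the idle timeout of 60 seconds and the packet trace are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

OUT, IN = "out", "in"    # inside -> outside, outside -> inside


@dataclass(frozen=True)
class Pkt:
    direction: str
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


Key = Tuple[str, str, int, str, int]


class SessionTable:
    """Session management: records and ages connection state only.
    It never decides whether a packet is dropped."""

    def __init__(self, ttl: float = 60.0):
        self.ttl = ttl
        self._sessions: Dict[Key, float] = {}   # initiator 5-tuple -> last seen time

    @staticmethod
    def initiator_key(p: Pkt) -> Key:
        # Sessions are keyed on the inside-originated direction, so a reply
        # from outside maps back to the same key by swapping the endpoints.
        if p.direction == OUT:
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def create(self, p: Pkt, now: float) -> None:
        self._sessions[self.initiator_key(p)] = now

    def match(self, p: Pkt, now: float) -> bool:
        """True if p belongs to a live session (either direction); refreshes its timer."""
        key = self.initiator_key(p)
        last = self._sessions.get(key)
        if last is None:
            return False
        if now - last > self.ttl:
            del self._sessions[key]       # idle session aged out
            return False
        self._sessions[key] = now
        return True

    def __len__(self) -> int:
        return len(self._sessions)


class Aspf:
    """Stateful decision layer built on top of the session table."""

    def __init__(self, outbound_policy: Callable[[Pkt], bool], table: SessionTable):
        self.policy = outbound_policy
        self.table = table

    def inspect(self, p: Pkt, now: float) -> str:
        if self.table.match(p, now):
            return "permit"      # belongs to an established session
        if p.direction == IN:
            return "deny"        # unsolicited inbound: no session it could be a reply to
        if not self.policy(p):
            return "deny"        # outbound traffic not allowed by policy
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"        # TCP first-packet inspection: only a bare SYN opens a session
        self.table.create(p, now)
        return "permit"


def sample_policy(p: Pkt) -> bool:
    """Constructed outbound policy: web over TCP and DNS over UDP."""
    return (p.proto == "tcp" and p.dport in (80, 443)) or (p.proto == "udp" and p.dport == 53)


def run_sample() -> list:
    """Constructed packet sequence (time, packet); returns the verdicts in order."""
    aspf = Aspf(sample_policy, SessionTable(ttl=60.0))
    trace = [
        (0.0, Pkt(OUT, "tcp", "192.168.1.10", 40000, "203.0.113.5", 443, syn=True)),          # client SYN
        (0.1, Pkt(IN, "tcp", "203.0.113.5", 443, "192.168.1.10", 40000, syn=True, ack=True)),  # SYN/ACK reply
        (0.2, Pkt(IN, "tcp", "203.0.113.9", 55555, "192.168.1.10", 22, syn=True)),             # unsolicited inbound
        (0.3, Pkt(OUT, "tcp", "192.168.1.10", 40001, "203.0.113.5", 443, ack=True)),           # first packet is not a SYN
        (0.4, Pkt(OUT, "tcp", "192.168.1.10", 40002, "203.0.113.5", 25, syn=True)),            # SMTP not in policy
        (0.5, Pkt(OUT, "udp", "192.168.1.10", 50000, "203.0.113.53", 53)),                     # DNS query
        (0.6, Pkt(IN, "udp", "203.0.113.53", 53, "192.168.1.10", 50000)),                      # DNS reply
        (200.0, Pkt(IN, "tcp", "203.0.113.5", 443, "192.168.1.10", 40000, ack=True)),          # reply after idle timeout
    ]
    return [aspf.inspect(p, t) for t, p in trace]
```

The last packet in the trace is denied even though it belongs to a connection that was once permitted: once the session ages out, the table has nothing to map it to, which is why long-lived idle connections need keepalives or a longer timeout on stateful devices.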

Attack detection and protection

ARP attack protection

ARP provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices. To protect the device against user and gateway spoofing attacks and flood attacks, H3C provides multiple ARP attack protection features. For information about these features, see "Configuring ARP attack protection."

TCP attack protection

Attackers can attack the device during TCP connection establishment, for example by flooding it with SYN packets that never complete the handshake and exhaust its half-open connection resources. To prevent such attacks, the device provides the SYN Cookie feature.
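An added example, not code from the H3C guide and not a description of the device's implementation, of the idea behind SYN Cookie: instead of allocating a half-open connection for every SYN, the server encodes a keyed hash of the connection tuple, a coarse timestamp and the negotiated MSS into its initial sequence number, and only allocates state when the client's final ACK proves it received that number. The layout (5-bit time counter, 3-bit MSS index, 24-bit hash), the 64-second tick, the MSS table and the HMAC-SHA256 hash are this example's choices, modelled on the classic scheme; the addresses, ports and secret are constructed.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
TICK_SECONDS = 64                      # time counter advances once per tick
MSS_TABLE = (536, 1300, 1440, 1460)    # MSS values encodable in the 3-bit field
COUNT_SHIFT, MSS_SHIFT, HASH_MASK = 27, 24, 0xFFFFFF


def _cookie_hash(secret, saddr, daddr, sport, dport, count, mss_idx) -> int:
    """24-bit keyed hash over the connection tuple, time counter and MSS index."""
    msg = struct.pack("!4s4sHHIB", saddr, daddr, sport, dport, count, mss_idx)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def _encode_mss(mss: int) -> int:
    """Largest table entry not exceeding the MSS the client advertised."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now) -> int:
    """Server ISN for the SYN/ACK. Cookie layout: 5-bit counter | 3-bit MSS index |
    24-bit hash. Adding the client ISN hides the structure on the wire. No per-connection
    state is kept: everything needed to validate the ACK is recomputable."""
    count = int(now // TICK_SECONDS) & 0x1F
    mss_idx = _encode_mss(mss)
    cookie = ((count << COUNT_SHIFT) | (mss_idx << MSS_SHIFT)
              | _cookie_hash(secret, saddr, daddr, sport, dport, count, mss_idx))
    return (cookie + client_isn) & MASK32


def check_syn_cookie(secret, saddr, daddr, sport, dport, seq, ack, now, max_age_ticks=1):
    """Validate the handshake's final ACK, where seq = client_isn + 1 and ack = server_isn + 1.
    Returns the MSS to use for the connection, or None if the cookie is invalid or expired."""
    client_isn = (seq - 1) & MASK32
    cookie = ((ack - 1) - client_isn) & MASK32
    count = cookie >> COUNT_SHIFT
    mss_idx = (cookie >> MSS_SHIFT) & 0x7
    given = cookie & HASH_MASK
    if mss_idx >= len(MSS_TABLE):
        return None
    now_count = int(now // TICK_SECONDS) & 0x1F
    if (now_count - count) & 0x1F > max_age_ticks:
        return None          # too old, or a counter value from the future
    expected = _cookie_hash(secret, saddr, daddr, sport, dport, count, mss_idx)
    if not hmac.compare_digest(given.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]
```

The cost of the scheme is visible in the code: only a handful of MSS values survive the round trip and any other TCP options the client sent in its SYN are lost, which is why real stacks enable cookies only once the SYN backlog is under pressure rather than for every connection.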

Web filtering

Web filtering can help devices prevent internal users from accessing unauthorized websites and block Java applets and ActiveX objects from webpages to improve internal network security.

Additional security technologies

The device also provides additional network security technologies to offer users a full range of security protection.

User profile

A user profile provides a configuration template to save predefined configurations, such as a CAR policy or a QoS policy. Different user profiles are applicable to different application scenarios.

The user profile works with PPPoE, 802.1X, MAC authentication, and portal authentication. It is capable of restricting authenticated users' behaviors. After the authentication server verifies a user, it sends the device the name of the user profile that is associated with the user.
