Contents

Configuring server connection detection· 1

About server connection detection· 1

SCD tasks at a glance· 1

Configuring server connection learning· 1

Configuring an SCD policy· 1

Configuring SCD rules in an SCD policy· 2

Display and maintenance commands for server connection detection· 3

SCD configuration examples· 3

Example: Configuring SCD·· 3

 

Configuring server connection detection

About server connection detection

Server connection detection (SCD) provides protections for internal servers. It enables the device to identify legal and illegal connections initiated by the protected servers. This helps you monitor internal servers and prevent them from becoming part of a botnet and launching attacks or performing internal network penetration.

SCD tasks at a glance

To configure SCD, perform the following tasks:

1.     Configuring server connection learning

2.     Configuring an SCD policy

3.     Configuring SCD rules in an SCD policy

Configuring server connection learning

About this task

Server connection learning learns connections initiated by given servers. The learning results provide the basis for you to create SCD policies to monitor and log illegal connections initiated by the servers.

Restrictions and guidelines

You cannot edit any settings in server connection learning configuration view if server connection learning is in progress.

Procedure

1.     Enter system view.

system-view

2.     Enter server connection learning configuration view.

scd learning

3.     Specify an IP address object group for server connection learning.

source-ip object-group-name

By default, no IP address object groups are specified for server connection learning.

4.     Enable server connection learning for a learning period.

auto-learn enable period { one-day | one-hour | seven-day | twelve-hour }

By default, server connection learning is disabled.

Configuring an SCD policy

About this task

An SCD policy monitors the connections initiated by the specified protected server. You can configure the following settings in an SCD policy:

·     Protected server IP address.

·     SCD rules to identify legal connections initiated by the server.

·     Logging for illegal connections initiated by the server.

·     SCD policy enabling status.

Restrictions and guidelines

An SCD policy monitors only the connections initiated by the server specified by the protected-server command.

The protected server IP address must be unique for each SCD policy.

Procedure

1.     Enter system view.

system-view

2.     Create an SCD policy and enter its view.

scd policy name policy-name

3.     Specify the IP address of the protected server.

protected-server ip-address

By default, no protected server IP address is specified.

4.     (Optional.) Enable logging for illegal connections initiated by the protected server.

logging enable

By default, the device does not log illegal connections initiated by the protected server.

5.     Enable the SCD policy.

policy enable

By default, an SCD policy is disabled.

Configuring SCD rules in an SCD policy?

About this task

You can configure multiple SCD rules in an SCD policy. Each SCD rule contains the following criteria to identify legal connections initiated by the protected server:

·     A destination IP address criterion, which specifies the destination IP address for server-initiated connections.

·     One or more protocol criteria. Each protocol criterion specifies a protocol and optionally a set of destination port numbers.

A connection initiated by the protected server matches the SCD rule if the connection matches both the destination IP address criterion and a protocol criterion. Connections initiated by the server that do not match any SCD rules are considered illegal connections.

Restrictions and guidelines

If you do not configure any rules in an SCD policy, all connections initiated by the protected server of the policy are illegal connections.

An SCD rule must contain one destination IP address criterion and a minimum of one protocol criteria.

In one SCD policy, each SCD rule must use a unique destination IP address.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an SCD policy.

scd policy name policy-name

3.     Create an SCD rule and enter its view.

rule rule-id

4.     Configure the destination IP address criterion.

permit-dest-ip ip-address

By default, the destination IP address criterion is not configured.

5.     Configure a protocol criterion.

protocol { icmp | tcp port port-list | udp port port-list }

By default, no protocol criterion is configured in an SCD rule.

Display and maintenance commands for server connection detection

Execute display commands in any view.

Execute reset commands in user view.

 

Task	Command
Display the server connection learning information.	display scd auto-learn config
Display the server connection learning results.	display scd learning record [ protected-server ip-address ] [ destination-ip ip-address ]
Display the SCD policy information.	display scd policy [ name policy-name ]
Clear the server connection learning results.	reset scd learning record

 

SCD configuration examples

Example: Configuring SCD

Network configuration

As shown in Figure 1, configure SCD on the device to perform the following tasks:

·     Monitor connections initiated by servers in subnet 2.2.1.0/24 for one day.

·     Logs all connections initiated by the server except for TCP connections destined for TCP ports 80 and 443 on host 2.2.3.2/24.

Figure 1 Network diagram

?

Procedure

1.     Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)

2.     Create an IP address object group named abc and specify IPv4 address 2.2.1.0 and mask length 24 for the object group.

<Device> system-view

[Device] object-group ip address abc

[Device-obj-grp-ip-abc] network subnet 2.2.1.0 24

[Device-obj-grp-ip-abc] quit

3.     Configure server connection learning:

# Enter server connection learning configuration view.

[Device] scd learning

# Specify IP address object group abc for server connection learning.

[Device-scd-learning] source-ip abc

# Enable server connection learning for one day.

[Device-scd-learning] auto-learn enable period one-day

[Device-scd-learning] quit

4.     Configure an SCD policy:

# Create an SCD policy named policy1 and enter its view.

[Device] scd policy name policy1

# Specify 2.2.1.2 as the IP address of the protected server.

[Device-scd-policy-policy1] protected-server 2.2.1.2

# Enable logging for illegal connections initiated by the protected server.

[Device-scd-policy-policy1] logging enable

# Create SCD rule 1 and enter its view.

[Device-scd-policy-policy1] rule 1

# Specify 2.2.3.2 as the destination IP address for legal connections initiated by the protected server.

[Device-scd-policy-policy1-1] permit-dest-ip 2.2.3.2

# Specify the TCP protocol and TCP ports 80 and 443 as the protocol and port number used by legal connections initiated by the protected server.

[Device-scd-policy-policy1-1] protocol tcp port 80 443

[Device-scd-policy-policy1-1] quit

# Enable the SCD policy.

[Device-scd-policy-policy1] policy enable

[Device-scd-policy-policy1] quit

Verifying the configuration

# Display the server connection learning results.

[Device] display scd learning record

Id???? Protected server??? Destination IPv4 address?? Protocol??? Port

1????? 2.2.1.2?????? ??????2.2.3.2?? ?????????????????TCP???????? 80

2????? 2.2.1.2?????? ??????2.2.3.2????????? ??????????TCP???????? 443

3????? 2.2.1.2?????? ??????2.2.3.2????????? ??????????UDP???????? 4433

4????? 2.2.1.2?????? ??????2.2.3.2????????? ??????????UDP???????? 567

Total entries: 4

# Display information about SCD policy policy1.

<Sysname> display scd policy name policy1

SCD policy name: policy1

?Protected server IPv4: 2.2.1.2

?Logging: Enabled

?Policy status: Enabled

?Rule ID: 1

? Permitted dest IPv4: 2.2.3.2

? Protocol: TCP port 80,443