07-Internet Access Behavior Management Configuration Guide

03-NetShare control configuration

Configuring NetShare control

About NetShare control

NetShare control uses the NetShare control policy to identify and control network sharing behaviors.

The network sharing behavior is the behavior of multiple terminals using the same IP address for network access through NAT or proxy. If an IP address is detected to be used as the source IP address in packets sent by multiple terminals, the IP address is a shared IP address. NetShare control monitors the number of terminals sharing the IP address and takes the NetShare control action if the number of terminals sharing the IP address exceeds the limit.

NetShare detection methods

NetShare control uses the following methods to detect network sharing behaviors:

·     APR-based detection—The device uses Application Recognition (APR) to analyze the application layer information of packets and detect NetShare behaviors of terminals. For more information about APR, see APR configuration in Security Configuration Guide.

·     IPID trail tracking—The device tracks the values of the IPID fields in packets to detect NetShare behaviors.

NetShare control policy

The device uses the NetShare control policy to detect NetShare behaviors.

A NetShare control policy defines the following attributes:

·     Filtering criteria.

·     Detection methods.

·     Maximum number of terminals allowed to share an IP address.

·     Actions on terminals that exceed the NetShare control upper limit.

If the number of terminals sharing the IP address exceeds the limit, NetShare control takes the NetShare control actions specified in the policy.

NetShare control mechanism

As shown in Figure 1, the NetShare control module processes a packet as follows:

1.     Determines if the NetShare policy is enabled.

¡     If the policy is disabled, NetShare control permits the packet to pass through.

¡     If the policy is enabled, NetShare control proceeds to step 2.

2.     Determines if the source IP address of the packet is frozen:

¡     If yes, NetShare control drops the packet.

¡     If not, NetShare control proceeds to step 3.

3.     Compares the packet attributes with the NetShare inspection criteria in the NetShare control policy to determine if the packet matches the policy.

¡     If the packet does not match the policy, NetShare control permits the packet to pass through.

¡     If the packet matches the policy, NetShare control proceeds to step 4.

4.     Determines if the source IP address of the packet is shared by multiple terminals:

¡     If not, NetShare control permits the packet to pass through.

¡     If yes, NetShare control further determines whether the number of terminals sharing the IP address exceeds the limit:

-     If the limit is exceeded, NetShare control takes the NetShare control action specified in the policy.

-     If the limit is not exceeded, NetShare control permits the packet to pass through.

Figure 1 NetShare control mechanism

Restrictions: Hardware compatibility with NetShare control

F1000 series (models in parentheses): NetShare control compatibility

·     F1000-X-G5 series (F1000-A-G5, F1000-C-G5, F1000-C-G5-LI, F1000-E-G5, F1000-H-G5, F1000-S-G5): Yes

·     F1000-X-G3 series (F1000-A-G3, F1000-C-G3, F1000-E-G3, F1000-S-G3): Yes

·     F1000-X-G2 series (F1000-A-G2, F1000-C-G2, F1000-E-G2, F1000-S-G2): Yes

·     F1000-9X0-AI series (F1000-9390-AI, F1000-9385-AI, F1000-9380-AI, F1000-9370-AI, F1000-9360-AI, F1000-9350-AI, F1000-9330-AI, F1000-9320-AI, F1000-990-AI, F1000-980-AI, F1000-970-AI, F1000-960-AI, F1000-950-AI, F1000-930-AI, F1000-920-AI, F1000-910-AI, F1000-905-AI): Yes

·     F1000-C83X0 series (F1000-C8395, F1000-C8390, F1000-C8385, F1000-C8380, F1000-C8370, F1000-C8360, F1000-C8350, F1000-C8330): Yes

·     F1000-C81X0 series (F1000-C8180, F1000-C8170, F1000-C8160, F1000-C8150, F1000-C8130, F1000-C8120, F1000-C8110): Yes

·     F1000-7X0-HI series (F1000-770-HI, F1000-750-HI, F1000-740-HI, F1000-730-HI, F1000-720-HI, F1000-710-HI): Yes

·     F1000-C-X series (F1000-C-EI, F1000-C-HI, F1000-C-XI, F1000-E-XI): Yes

·     F1000-V series (F1000-E-VG, F1000-S-VG): Yes

·     SecBlade IV (LSPM6FWD8, LSQM2FWDSC8): Yes

F100 series (models in parentheses): NetShare control compatibility

·     F100-X-G5 series (F100-A-G5, F100-C-G5, F100-E-G5, F100-M-G5, F100-S-G5): Yes

·     F100-X-G3 series (F100-A-G3, F100-C-G3, F100-E-G3, F100-M-G3, F100-S-G3): Yes

·     F100-X-G2 series (F100-A-G2, F100-C-G2, F100-E-G2, F100-M-G2, F100-S-G2): Yes

·     F100-WiNet series (F100-A80-WiNet, F100-C80-WiNet, F100-C60-WiNet, F100-C50-WiNet, F100-S80-WiNet, F100-A91-WiNet, F100-A81-WiNet): Yes

·     F100-C-A series (F100-C-A6, F100-C-A5, F100-C-A3, F100-C-A6-WL, F100-C-A5-W, F100-C-A3-W): Yes

·     F100-C-A series (F100-C-A2, F100-C-A1): No

·     F100-X-XI series (F100-A-EI, F100-A-HI, F100-A-SI, F100-C-EI, F100-C-HI, F100-C-XI, F100-E-EI, F100-S-HI, F100-S-XI): Yes

NetShare control tasks at a glance

To configure NetShare control, perform the following tasks:

1.     Creating a NetShare control policy

2.     Configuring NetShare inspection filtering criteria

3.     Configuring a NetShare detection method

¡     Enabling APR-based detection

¡     Enabling IPID trail tracking

4.     Setting the maximum number of terminals sharing an IP address

5.     Setting the NetShare control action

6.     Activating NetShare control policy settings

7.     (Optional.) Disabling the NetShare control policy

8.     (Optional.) Manually freezing and unfreezing a shared IP address

Prerequisites for NetShare control

Before you configure NetShare control, you must perform the following tasks:

·     Upgrade the APR signature library on the device to the most recent version.

·     Configure IP address object groups. For information about the configuration procedure, see object group configuration in Security Configuration Guide.

·     Configure users and user groups. For information about the configuration procedures, see user identification configuration in Security Configuration Guide.

·     Configure security zones. For information about the configuration procedure, see security zone configuration in Security Configuration Guide.

Creating a NetShare control policy

Restrictions and guidelines

The device supports only one NetShare control policy.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Create a NetShare control policy and enter its view.

policy name policy-name

4.     (Optional.) Configure a description for the NetShare control policy.

description string

By default, a NetShare control policy does not have a description.

Configuring NetShare inspection filtering criteria

About this task

In the NetShare control policy, you can configure multiple criteria of different criterion types to filter the packets to be analyzed for NetShare inspection. A packet must match a minimum of one criterion in each configured criterion type to be inspected by the NetShare control module.

The following filtering criterion types are supported:

·     Source IP address.

·     Destination IP address.

·     Source security zone.

·     Destination security zone.

·     User, including username- and user group-based filtering criteria.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Configure source and destination security zone criteria:

¡     Configure a source security zone criterion.

source-zone source-zone-name

By default, the NetShare control policy does not contain any source security zone criterion.

¡     Configure a destination security zone criterion.

destination-zone destination-zone-name

By default, the NetShare control policy does not contain any destination security zone criterion.

5.     Configure source and destination address criteria:

¡     Configure a source address criterion.

source-address { ipv4 | ipv6 } object-group-name

By default, the NetShare control policy does not contain any source address criterion.

¡     Configure a destination address criterion:

destination-address { ipv4 | ipv6 } object-group-name

By default, the NetShare control policy does not contain any destination address criterion.

6.     Configure user and user group criteria:

¡     Configure a user criterion.

user username [ domain domain-name ]

By default, the NetShare control policy does not contain any user criterion.

¡     Configure a user group criterion.

user-group user-group-name [ domain domain-name ]

By default, the NetShare control policy does not contain any user group criterion.

Configuring a NetShare detection method

Enabling APR-based detection

About this task

This feature supports detecting only a limited set of applications in the APR signature library.

Restrictions and guidelines

You can enable both APR-based detection and IPID trail tracking to detect NetShare behaviors.

APR-based NetShare detection uses the APR signature library to inspect only specific applications, such as QQ and WeChat. If an application is encrypted, APR-based NetShare detection cannot inspect it. As a best practice, enable APR-based detection only when explicitly required, because the detection might degrade the device performance.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Enable APR-based detection in the NetShare control policy.

application-inspect enable

By default, APR-based detection is enabled.

Enabling IPID trail tracking

About this task

By default, the device uses only the APR-based detection method to detect NetShare behaviors. APR-based NetShare detection applies only to a limited set of applications in the APR signature library. To meet the NetShare control requirements of various application scenarios, you can enable the IPID trail tracking method so the device can use both detection methods for NetShare behavior detection.

IPID trail tracking tracks the values of the IPID fields in packets to detect NetShare behaviors.

Restrictions and guidelines

You can enable both APR-based detection and IPID trail tracking to detect NetShare behaviors.

IPID trail tracking might degrade the device performance. Enable it only when explicitly required.

IPID trail tracking can detect only terminals running the Windows system, and only packets whose IPID field values change regularly. Mobile terminals are not supported.

IPID trail tracking supports detecting IPv4 packets.
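The following Python is an added illustration, not H3C code and not the device's implementation: it models the decision path described in "NetShare control mechanism" (policy enabled, source frozen, criteria match, shared, over limit) together with a simple IPID trail counter of the kind this section describes. IPID_GAP, the Policy fields, the zone-only criterion and the sample packets are assumptions made for the example.

```python
from dataclasses import dataclass, field

IPID_GAP = 32  # assumed: largest forward step that still continues an existing trail

@dataclass
class Policy:
    enabled: bool = True
    source_zones: set = field(default_factory=set)  # one criterion type; empty = any
    max_terminals: int = 0                          # 0 = unlimited (device default)
    action: str = "permit"                          # "permit" or "freeze"
    freeze_time: int = 0                            # minutes, as in 'action freeze 60'
    logging: bool = False

def count_ipid_trails(ipids):
    """Estimate how many terminals sit behind one source IP from the IPID values
    it sent.  A Windows-style host stamps packets from one global counter, so each
    host leaves its own slowly increasing trail; the number of distinct trails is
    the estimate.  Random or per-flow IPIDs (mobile hosts) leave no usable trail."""
    trails = []  # last IPID value seen on each trail
    for v in ipids:
        for i, last in enumerate(trails):
            if 0 < (v - last) % 65536 <= IPID_GAP:  # small forward step, 16-bit wrap
                trails[i] = v
                break
        else:
            trails.append(v)  # no trail continues to v: assume a new terminal
    return len(trails)

def process_packet(policy, pkt, frozen, history, log):
    """Run one packet through the decision path the guide gives, in order:
    policy enabled -> source frozen -> criteria match -> shared -> over limit."""
    if not policy.enabled:
        return "permit"
    if pkt["src"] in frozen:
        return "drop"  # every packet from a frozen address is dropped
    if policy.source_zones and pkt["zone"] not in policy.source_zones:
        return "permit"  # does not match the policy: not inspected
    history.setdefault(pkt["src"], []).append(pkt["ipid"])
    terminals = count_ipid_trails(history[pkt["src"]])
    if terminals <= 1 or policy.max_terminals == 0 or terminals <= policy.max_terminals:
        return "permit"  # not shared, or shared within the limit
    if policy.logging:
        log.append(f"{pkt['src']} shared by {terminals} terminals; action {policy.action}")
    if policy.action == "freeze":
        frozen[pkt["src"]] = policy.freeze_time
        return "drop"
    return "permit"  # the 'permit' action lets over-limit traffic through (logged above)

def run(policy, packets):
    """Process a packet list; return the verdicts, the frozen table and the log."""
    frozen, history, log = {}, {}, []
    verdicts = [process_packet(policy, p, frozen, history, log) for p in packets]
    return verdicts, frozen, log

# Constructed sample: two hosts behind 192.168.1.2 with IPID counters at 1000 and 40000.
SHARED = [{"src": "192.168.1.2", "zone": "trust", "ipid": v}
          for v in (1000, 40000, 1001, 40001, 1002, 40002)]
EXAMPLE_POLICY = Policy(source_zones={"trust"}, max_terminals=1,
                        action="freeze", freeze_time=60, logging=True)
```

With EXAMPLE_POLICY, the second packet already reveals a second trail, so the address is frozen and every later packet from it is dropped; with action "permit" the same packets pass but each over-limit packet is logged.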

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Enable IPID trail tracking in the NetShare control policy.

ipid-trail enable

By default, IPID trail tracking is disabled in the NetShare control policy.

Setting the maximum number of terminals sharing an IP address

About this task

If the number of terminals sharing an IP address exceeds the limit, the device will take the NetShare control action set in the NetShare control policy.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Set the maximum number of terminals that can share an IP address.

per-ip-shared max-terminals number

By default, the number of terminals that can share an IP address is not limited.

Setting the NetShare control action

About this task

The NetShare control action is taken when the number of terminals sharing an IP address exceeds the limit.

The following NetShare control actions are supported:

·     Freeze—Freezes the shared IP address for the specified freezing time. All packets sourced from the frozen IP address will be dropped.

·     Permit—Permits the packets sourced from the IP address to pass through.

·     Logging—Logs the NetShare control event.

Restrictions and guidelines

The logging keyword enables the NetShare control module to log NetShare control events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output NetShare control logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view NetShare control logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Set the NetShare control action.

action { freeze freeze-time | permit } [ logging ]

By default, the NetShare control policy uses the permit action.

Activating NetShare control policy settings

About this task

After you create or delete a NetShare control policy, perform this task to activate the configuration.

Restrictions and guidelines

This task can cause temporary outage for all DPI services. As a best practice, perform the task after all DPI service policy and rule settings are complete.

For more information about activating DPI service module configuration, see DPI engine configuration in DPI Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Activate NetShare control policy settings.

inspect activate

By default, NetShare control policy creation and deletion do not take effect.

Disabling the NetShare control policy

About this task

If the NetShare control feature is not required on the network, disable the NetShare control policy.

Restrictions and guidelines

The device supports only one NetShare control policy. After you disable the NetShare control policy, the NetShare control feature becomes invalid.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Disable the NetShare control policy.

disable

By default, a NetShare control policy is enabled.

Manually freezing and unfreezing a shared IP address

About this task

You can manually unfreeze a frozen IP address or freeze a shared IP address that is not in frozen state.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Manually freeze a shared IP address.

freeze { ipv4 | ipv6 } ip-address [ vpn-instance vpn-instance-name ] time freeze-time

4.     Manually unfreeze a frozen IP address.

unfreeze { ipv4 | ipv6 } ip-address [ vpn-instance vpn-instance-name ]

Display and maintenance commands for NetShare control

Execute display commands in any view.

Task: Display NetShare control information about shared IP addresses.

Command: display netshare-control [ { ipv4 | ipv6 } ip-address | status { frozen | unfrozen } ] [ slot slot-number ]

NetShare control configuration examples

Example: Configuring NetShare control

Network configuration

As shown in Figure 2, the device connects to the LAN and Internet through security zones Trust and Untrust, respectively.

Configure NetShare control on the device to meet the following requirements:

·     Monitor the packets sent by the hosts on the LAN to the Internet for network sharing behavior inspection.

·     If an IP address is detected to be shared by more than one host for Internet access, NetShare control freezes the IP address for 1 hour and logs the event.

Figure 2 Network diagram

Procedure

1.     Assign IP addresses to interfaces:

# Assign an IP address to interface GigabitEthernet 1/0/1.

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0

[Device-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

2.     Configure settings for routing.

This example configures a static route to reach the server, and the next hop in the route is 2.2.2.2.

[Device] ip route-static 5.5.5.0 24 2.2.2.2

3.     Add interfaces to security zones.

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/0/1

[Device-security-zone-Trust] quit

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2

[Device-security-zone-Untrust] quit

4.     Enter IPv4 security policy view and create a security policy rule named trust-untrust to permit the packets from security zone Trust to security zone Untrust.

[Device] security-policy ip

[Device-security-policy-ip] rule name trust-untrust

[Device-security-policy-ip-1-trust-untrust] source-zone trust

[Device-security-policy-ip-1-trust-untrust] destination-zone untrust

[Device-security-policy-ip-1-trust-untrust] source-ip-host 192.168.1.2

[Device-security-policy-ip-1-trust-untrust] source-ip-host 192.168.1.3

[Device-security-policy-ip-1-trust-untrust] source-ip-host 192.168.1.4

[Device-security-policy-ip-1-trust-untrust] action pass

[Device-security-policy-ip-1-trust-untrust] quit

[Device-security-policy-ip] quit

5.     Create a NetShare control policy named a. Configure NetShare control to freeze an IP address for 1 hour if the number of endpoints sharing the IP address exceeds 1 and to log the event.

[Device] netshare-control

[Device-netshare-control] policy name a

[Device-netshare-control-policy-a] source-zone trust

[Device-netshare-control-policy-a] destination-zone untrust

[Device-netshare-control-policy-a] per-ip-shared max-terminals 1

[Device-netshare-control-policy-a] action freeze 60 logging

[Device-netshare-control-policy-a] quit

[Device-netshare-control] quit

6.     Activate the NetShare control policy settings.

[Device] inspect activate

Verifying the configuration

# Verify that if a host on the LAN accesses the Internet by using a shared IP address through a proxy, the device can detect the network sharing behavior. In addition, the device will freeze the shared IP address for 1 hour and log the event. (Details not shown.)
