
Huawei Symantec Proprietary and Confidential

Copyright Huawei Symantec Technologies Co., Ltd.












Secoway eLog
Experiment Volume


Issue 01
Date 2009-07-14






Huawei Symantec Technologies Co., Ltd. provides customers with comprehensive technical support and
service. For any assistance, please contact our local representative office, agency, or customer service
center.

Huawei Symantec Technologies Co., Ltd.
Address: Building 1
The West Zone Science Park of UESTC, No.88, Tianchen Road
Chengdu, 611731
P.R.China
Website: http://www.huaweisymantec.com
Email: support@huaweisymantec.com










Copyright Huawei Symantec Technologies Co., Ltd. 2009. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Symantec Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei Symantec trademarks are trademarks of Huawei Symantec Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.







1 Login
Before logging in to the Secoway eLog, add the eLog Web site to the trusted sites of Internet Explorer.
Procedure
1. In Internet Explorer, choose Tools > Internet Options....
2. Click the Security tab.
3. Select Trusted sites and click Sites. The Trusted sites dialog box is displayed.
4. Enter https://IP/ in the text box under Add this Web site to the zone.
5. Click Add.
6. Click OK. The Internet Properties window is displayed.
7. Click OK.
Logging in to the Secoway eLog
Procedure
1. Enter https://IP/, the login address of the Secoway eLog, where IP is the IP address of the log server. For
example, https://10.0.0.254/.
2. Press Enter.
3. In the Secoway eLog dialog box, enter the user name, password, and authentication code, as shown
in Figure 1-1. On the initial login, the administrator account is admin and the password is empty.
Figure 1-1 Login system






Introduction to the Home Page of the Secoway eLog
This section introduces the home page of the Secoway eLog. Only a valid user can log in to the
Secoway eLog.
The Secoway eLog home page contains the tool bar, the navigation tree, and the description area, as
shown in Figure 1-2. The contents of the home page vary with the login user.
Figure 1-2 Secoway eLog Home Page




















2 Add a Log Collector
The Secoway eLog system consists of log collectors and log servers. After adding a log collector
to the system, you can assign devices to it for management. Only a device whose IP address lies in
one of the subnets managed by the log collector can be added to that collector.
Procedure
1. In the navigation tree, choose System Management > Log Collector Management. The Log
Collector Management window is displayed.
2. Click Add to display the Add Log Collector window.
3. Set the log collector. Table 3-1 describes the parameters related to setting the log collector.
Table 3-1 Parameters related to setting the log collector
Log Collector Name: Name of the log collector. You can enter a maximum of 16 characters.
IP Address: IP address of the log collector.
Standby Collector: Select this option if the collector belongs to a cluster and acts as the standby collector.
Subnet/Mask: IP addresses and masks of the subnets that the log collector manages.
Details: Details of the log collector. You can enter a maximum of 128 characters.
4. Click OK. If the collector is added successfully, its information is displayed in the lower part of the
Log Collector Management window.
5. Click to change the information about the log collector. If devices are managed by the log collector,
only the name, IP address, and details can be modified. To modify the subnet/mask, delete the devices
first.
6. Click to delete the log collector. Delete the devices managed by the collector first; only then can
the log collector be deleted.



3 Adding a Device
You can configure all managed devices. The system can collect, analyze, and manage the logs of a device only
after the device is added to the system. In addition, you can export all managed devices or import them in batches.
Procedure
1. In the navigation tree, choose System Management > Device Management. The Device
Management window is displayed.
2. Click Add to display the Add Device window.
3. Enter the device information in the Add Device window. Table 2-1 describes the parameters related
to adding a device.
Table 2-1 Parameters related to adding a device
Device Name: Name of the device. You can enter a maximum of 16 characters.
Device Type: Type of the device.
Firewall Type: Type of the firewall. This option is displayed only when Device Type is set to Eudemon/USG
Firewall.
Whether the UTM features are available: Select this option if the firewall has the UTM feature. This option is
displayed only when Device Type is set to Eudemon/USG Firewall.
IP Address: IP address of the device.
NOTE: The IP address of the device must be one of the IP addresses managed by the log collector.
Details: Details of the device. You can enter a maximum of 256 characters.
4. Click OK to finish adding the device. If the device is added successfully, its information is displayed
in the table at the lower part of the page.
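The collector and device rules from chapters 2 and 3 (device IP must lie in a managed Subnet/Mask, name and details length limits, no subnet change or collector deletion while devices remain) as an added Python model; this is example code, not part of the eLog product. The class and function names are invented for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LogCollector:
    """In-memory model of one eLog log collector (Table 3-1 fields)."""
    name: str                         # Log Collector Name, at most 16 characters
    ip: str                           # IP Address of the collector
    subnets: list                     # Subnet/Mask entries, e.g. ["10.0.0.0/24"]
    details: str = ""                 # Details, at most 128 characters
    devices: dict = field(default_factory=dict)   # device name -> device IP

    def __post_init__(self):
        if not 1 <= len(self.name) <= 16:
            raise ValueError("Log Collector Name must be 1 to 16 characters")
        if len(self.details) > 128:
            raise ValueError("Details must be at most 128 characters")
        ipaddress.ip_address(self.ip)           # rejects malformed addresses
        self.networks = [ipaddress.ip_network(s) for s in self.subnets]

    def manages(self, device_ip: str) -> bool:
        """True if device_ip falls inside one of the managed Subnet/Mask entries."""
        addr = ipaddress.ip_address(device_ip)
        return any(addr in net for net in self.networks)


def device_errors(collector: LogCollector, name: str, device_ip: str,
                  details: str = "") -> list:
    """Return the Table 2-1 constraints an Add Device request would violate."""
    problems = []
    if not 1 <= len(name) <= 16:
        problems.append("Device Name must be 1 to 16 characters")
    if len(details) > 256:
        problems.append("Details must be at most 256 characters")
    try:
        if not collector.manages(device_ip):
            problems.append(f"{device_ip} is not managed by collector {collector.name}")
    except ValueError:
        problems.append(f"{device_ip!r} is not a valid IP address")
    return problems


def add_device(collector: LogCollector, name: str, device_ip: str,
               details: str = "") -> list:
    """Add the device if it passes the checks; return the list of problems found."""
    problems = device_errors(collector, name, device_ip, details)
    if not problems:
        collector.devices[name] = device_ip
    return problems


def can_change_subnets(collector: LogCollector) -> bool:
    """Chapter 2, step 5: Subnet/Mask may be modified only when no devices remain."""
    return not collector.devices


def can_delete(collector: LogCollector) -> bool:
    """Chapter 2, step 6: a collector may be deleted only after its devices are deleted."""
    return not collector.devices


if __name__ == "__main__":
    # Constructed sample: a collector on the log server address used in chapter 1
    # that manages the 10.0.0.0/24 subnet of the networking example.
    c = LogCollector("collector1", "10.0.0.254", ["10.0.0.0/24"])
    print(add_device(c, "fw-eudemon", "10.0.0.1"))      # []
    print(add_device(c, "outside", "192.168.0.1"))      # rejected, not managed
    print(can_delete(c))                                 # False while a device exists
```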



4 User and Role Management
Adding the Operator Role
This section describes how to add an operator role and determine its authorized devices.
Context
By default, a user can hold only the administrator role or the auditor role. The system
administrator can assign operator roles to users. Based on the devices in the system, the administrator can
configure different operator roles and allow each of them to operate on the corresponding devices.
Users who do not hold an operator role have no authority to operate on the devices of the
system.
Procedure
1. In the navigation tree, choose System Management > User/Role Management. The
User/Role Management window is displayed.
2. Click Add Role to display the Add Role window.
3. Set the operator role. Table 4-1 describes the parameters related to adding the operator role.
Table 4-1 Parameters related to adding the operator role
Role Name: Name of the role. You can enter a maximum of 16 characters.
Role Description: Description of the role. You can enter a maximum of 32 characters.
Role Type: Type of the role. The default value is Operator and cannot be modified.
Authorized Devices: Devices that the operator is authorized to use, that is, the devices listed in Selected
Device. Use the buttons between the two lists to add the device selected in Unselected Device, or all
devices, to Selected Device, and to move the device selected in Selected Device, or all devices, back to
Unselected Device.
4. Click OK to finish adding the operator role.





Adding Users
This section describes how to add users to the system. You can add three types of user roles:
administrator, auditor, and operator. The three types of roles perform different
operations on the system.
Procedure
1. In the navigation tree, choose System Management > User/Role Management. The
User/Role Management window is displayed.
2. Click Add User to display the Add User window.
3. Set the user information. Table 4-2 describes the parameters related to adding users.
Table 4-2 Parameters related to adding users
User Account: Account of the user. You can enter a maximum of 16 characters.
User Name: Name of the user. You can enter a maximum of 16 characters.
Mobile Phone: Telephone number of the user.
Email: Email address of the user.
Password: Password of the user. The password must contain at least eight and at most 16 characters,
and must contain uppercase letters, lowercase letters, digits, and special characters at the same time.
Confirm Password: Enter the user password again.
User Information: Information about the user. You can enter a maximum of 32 characters.
Account Status: Status of the account. Only activated users can log in to the Secoway eLog.
Role Type: Type of the role. If you select the operator role, allocate operator roles as follows: use the
buttons between the two lists to add the operator role selected in Unselected Operator Roles, or all
operator roles, to Selected Operator Roles, and to move the operator role selected in Selected Operator
Roles, or all operator roles, back to Unselected Operator Roles.

4. Click OK to finish adding users.
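The Table 4-2 password rule (8 to 16 characters, with uppercase, lowercase, digits and special characters all present) as an added Python check that an administrator can run before creating accounts; this is example code, not eLog code. The document does not define "special character", so ASCII punctuation is assumed here.

```python
import string

MIN_LEN, MAX_LEN = 8, 16          # Table 4-2: at least eight, at most 16 characters
# Assumption: the page does not define "special character"; ASCII punctuation is used.
SPECIAL = set(string.punctuation)


def password_violations(password: str) -> list:
    """Return every Table 4-2 password rule that the candidate password breaks.

    An empty list means the password satisfies the eLog user password policy.
    """
    problems = []
    if len(password) < MIN_LEN:
        problems.append("fewer than 8 characters")
    if len(password) > MAX_LEN:
        problems.append("more than 16 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    return problems


def is_policy_compliant(password: str) -> bool:
    """True when the password meets all Table 4-2 rules."""
    return not password_violations(password)


if __name__ == "__main__":
    # The initial admin password from chapter 1 is empty and fails every rule,
    # so it should be replaced with a compliant one on first login.
    print(password_violations(""))
    print(password_violations("Admin@123"))   # []
```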












5 Configuring the Firewall
A Networking Example
All the following descriptions of configuring the firewall are based on this networking example.
Analyze this example closely before configuring the firewall.

Figure 4-1 A networking example



Configuring Basic Functions of Firewall Logs
Most service logs of the firewall are sent in Syslog form, while a few types of logs, including
traffic logs and session logs, are sent in binary form. You must enable the functions of
collecting and sending traffic logs and session logs.
Procedure
1. Connect the firewall to the log server with a serial cable.
2. On the log server, choose Start > Program Files > Accessories > Communications > HyperTerminal.
The interface shown in Figure 4-2 is displayed.
Figure 4-2 Creating a connection
(Figure 4-1 labels: 192.168.0.100/24, 192.168.0.1/24, 10.0.0.1/24, ELog 10.0.0.100/24, 10.0.0.200/24, 10.0.0.50/24)




3. In Name, enter a name for the connection.
4. Click OK. The interface shown in Figure 4-3 is displayed.
Figure 4-3 Choosing a COM port for the connection

5. In For use during connections, select the COM port to which the serial cable is connected.
6. Click OK. The interface shown in Figure 4-4 is displayed.
Figure 4-4 Setting the port




7. Click Restore Defaults. The interface shown in Figure 4-5 is displayed.
Figure 4-5 Restoring the default port settings

8. Click OK. The interface shown in Figure 4-6 is displayed.



Figure 4-6 Main interface of the HyperTerminal

9. Press Enter.
10. Enter the default user name and password.
The default user name is admin, and the password is Admin@123.
11. Press Enter.
The user view is displayed.
12. Change the time zone and time on the firewall to those of the log server.
# Change the time zone on the firewall to that of the log server.
<Eudemon> clock timezone c8 add 08:00:00
NOTE:
c8 is a customized time zone name. The following takes Beijing time as an example. Beijing time is eight hours
ahead of the firewall's default UTC, so use add 08:00:00. For a time zone behind UTC, use minus.
# Change the time on the firewall to that of the log server. For example, set the current date and time on
the firewall to 00:00:00 on November 1, 2009.
<Eudemon> clock datetime 0:0:0 2009/11/01
13. Set the default inter-zone packet filter between the Local zone and the Trust zone to permit.
This permits traffic between the firewall itself (the Local zone) and the Trust zone.
<Eudemon> system-view
[Eudemon] firewall packet-filter default permit interzone local trust all

Enable the functions of collecting and sending Syslog logs
# Redirect logs of the information center to the log server (10.0.0.100).



NOTE:
10.0.0.100 is the IP address of the log server. Change it according to the actual situation.
<Eudemon> system-view
[Eudemon] info-center loghost 10.0.0.100
CAUTION:
The language attribute of firewall logs must be English so that the log server can parse the logs
properly. Therefore, when you run the info-center loghost command, either do not set the language attribute
or set it to English.

Enable the functions of collecting and sending Session logs
Enable the inter-zone function of recording session logs according to the actual situation. The following
takes the interzone between the trust zone and the untrust zone as an example.
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit tcp destination 10.0.0.100 0
[Eudemon-acl-adv-3000] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] session log enable acl-number 3000 inbound
[Eudemon-interzone-trust-untrust] session log enable acl-number 3000 outbound
[Eudemon-interzone-trust-untrust] quit
# Redirect the interzone session logs to the log server (10.0.0.100).
[Eudemon] firewall session log-type binary host 10.0.0.100 9002 source 10.0.0.1 9003
NOTE:
10.0.0.100 is the IP address of the log server. Change it according to the actual situation. 9002 is the port
used for binary logs and must not be changed. Session logs must be sent in binary format, and the format
must not be changed.
(Optional) 10.0.0.1 is the source IP address used for communication between the firewall and the log server.
9003 is the source port from which the firewall sends logs. Change these values according to the actual situation.

Enabling the Function of Sending Login Logs
Login logs of the firewall are generated when a firewall administrator logs in to the firewall system by
a specific method: through the console interface, through Telnet, through the File Transfer Protocol (FTP),
or through the Hypertext Transfer Protocol (HTTP). Each login method generates both success logs
and failure logs.
Prerequisite
The firewall has been connected to the network and the basic configuration of the firewall has been
completed.



Procedure
1. Enable the Telnet function.
Enable AAA authentication for remote logins. For example, you can configure the
firewall to support five concurrent remote logins (VTY numbers 0 to 4).
<Eudemon> system-view
[Eudemon] user-interface vty 0 4
[Eudemon-ui-vty0-4] authentication-mode aaa
Configure the user privilege level for this login method (the default level of the user is visitor). For example,
you can set the privilege to the management level (level 3).
[Eudemon-ui-vty0-4] user privilege level 3
Create the user name, password, and service type for local authentication. For example, you can configure
the user name telnetuser with the password telnetpwd for Telnet logins.
[Eudemon-ui-vty0-4] quit
[Eudemon] aaa
[Eudemon-aaa] local-user telnetuser password simple telnetpwd
[Eudemon-aaa] local-user telnetuser service-type telnet
Configure the password for switching the privilege level of login users. For example, you can set the
password superpwd for switching to the management level (level 3).
[Eudemon-aaa] quit
[Eudemon] super password level 3 simple superpwd
2. Enable the FTP function.
Enable the FTP service and configure the user name, password, and FTP directory for FTP login users.
For example, the user name is ftpuser and the password is ftppassword.
[Eudemon] ftp server enable
[Eudemon] aaa
[Eudemon-aaa] local-user ftpuser password simple ftppassword
[Eudemon-aaa] local-user ftpuser service-type ftp
[Eudemon-aaa] local-user ftpuser ftp-directory flash:
[Eudemon-aaa] quit
Initiate an FTP connection to the Eudemon firewall (FTP server) from a remote PC (10.0.0.100).
C:\WINDOWS\Desktop> ftp 10.0.0.1
Connected to 10.0.0.1.
220 FTP service ready.
User (10.0.0.1(none)): ftpuser
331 Password required for ftpuser.
Password:******
230 User logged in.
ftp> bye
221 Server closing.
C:\WINDOWS\Desktop>
3. Enable the Web management function.
NOTE:
The Eudemon 8000E does not support this function.



Enable the HTTP service and configure the user name and password for Web login users. For
example, the user name is webuser and the password is webpassword.
[Eudemon] web-manager enable
[Eudemon] web-manager security enable
[Eudemon] aaa
[Eudemon-aaa] local-user webuser password simple webpassword
[Eudemon-aaa] local-user webuser service-type web
[Eudemon-aaa] quit
Initiate an HTTP(S) connection to the Eudemon firewall (Web server) from a remote PC
(10.0.0.100).
Enter the IP address of the firewall in the address bar of your browser and press Enter.

Enabling the Function of Sending Packet Filtering Logs
A packet filtering log is generated when a packet, identified by the quintuple (source IP address,
destination IP address, source port number, destination port number, and protocol), passes the
firewall and hits an ACL rule.
Prerequisite
The firewall has been connected to the network and the basic configuration of the firewall has been
completed.
Context
The firewall controls network traffic to enforce security policies, QoS requirements, and so on. One
method of controlling network traffic is the ACL. An ACL is an ordered series of rules consisting
of permit statements and deny statements.
Procedure
1. Configure basic ACL rules that allow the extranet address 192.168.0.100 to pass the firewall and all
intranet addresses to pass the firewall, with logging enabled.
<Eudemon> system-view
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit source 192.168.0.100 0 logging
[Eudemon-acl-basic-2000] quit
[Eudemon] acl 2001
[Eudemon-acl-basic-2001] rule permit source any logging
[Eudemon-acl-basic-2001] quit
2. Apply the basic ACL rules to the interzone between the demilitarized zone (DMZ) and the untrust zone.
[Eudemon] firewall interzone dmz untrust



[Eudemon-interzone-dmz-untrust] packet-filter 2000 inbound
[Eudemon-interzone-dmz-untrust] packet-filter 2001 outbound
[Eudemon-interzone-dmz-untrust] quit
Enabling the Function of Sending NAT Logs and ASPF Logs
This function provides log alarms for the NAT and ASPF features supported by the firewall. The
log alarms are exported in binary form.
Prerequisite
The firewall has been connected to the network and the basic configuration of the firewall has been
completed.
Context
NAT is the process in which the IP address and port number of an internal host are replaced by an
external IP address and port number of the firewall, and, in the reverse direction, the external IP address
and port number of the firewall are translated back into the IP address and port number of the internal host.
ASPF is packet filtering applied at the application layer, that is, state-based packet filtering. It works
together with ordinary static packet filtering to implement the security policy of the intranet. ASPF
inspects application-layer sessions that attempt to pass the firewall and blocks packets that do not comply
with the security rules.
Procedure
1. Define an ACL.
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit
[Eudemon-acl-basic-2000] quit
2. Configure a NAT address pool, which has an ID and a name.
[Eudemon] nat address-group 1 192.168.0.200 192.168.0.200
3. Configure NAT outbound for the interzone between the trust zone and the untrust zone. The address pool
is referenced by its ID.
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] nat outbound 2000 address-group 1
4. Enable the inter-zone ASPF function of the firewall.
[Eudemon-interzone-trust-untrust] detect ftp
5. Enable the inter-zone session logging function of the firewall.
[Eudemon-interzone-trust-untrust] session log enable acl-number 2000
Enabling the Function of Sending Traffic Monitoring Logs
The system collects statistics on the traffic through the firewall periodically.



Prerequisite
The firewall has been connected to the network and the basic configuration of the firewall has been
completed.
Context
NOTE:
You do not need to configure the Eudemon 8000E. On it, the function of sending traffic monitoring logs is
enabled by default.
Procedure
1. Display the system view.
<Eudemon> system-view
2. Enable the system statistics function.
[Eudemon] firewall statistic system enable
3. If you are using an Eudemon 1000 series firewall or the Eudemon 8080, you also need to configure the
log statistics type.
[Eudemon] firewall log stream enable

Enabling the Function of Sending Blacklist Logs
The Secoway eLog provides log alarms for the blacklist feature supported by the firewall. The log
alarms are generated in Syslog form.
Prerequisite
The firewall has been connected to the network and the basic configuration of the firewall has been
completed.
Context
A blacklist filters packets according to their source IP addresses. Compared with ACL-based packet
filtering, the blacklist function matches on fewer fields and can therefore filter packets at high speed.
This helps the firewall filter packets sent from specific IP addresses.
A major feature of the blacklist function is that entries can be added or deleted by the Eudemon
firewall dynamically. When the firewall detects an attack attempt from a specific IP address by
analyzing packet behavior, it adds the IP address to the blacklist automatically and filters
packets sent from that address. The blacklist function is thus an important security feature of the
firewall.
Procedure
1. Display the system view.
<Eudemon> system-view



2. Enable the blacklist function.
[Eudemon] firewall blacklist enable
3. Add 7.7.7.72 to the blacklist manually.
[Eudemon] firewall blacklist item 7.7.7.72

Enabling the Function of Sending Address Binding Logs
The Secoway eLog provides log alarms for the address binding feature supported by the firewall.
The log alarms are generated in Syslog form.
Prerequisite
The firewall has been connected to the network and the basic configuration of the firewall has been completed.
Context
NOTE:
The Eudemon 8000E does not support this function.
MAC address and IP address binding means that the firewall can set up an association between a
specific MAC address and IP address according to the user configuration. If a packet claiming to come
from this IP address does not carry the bound MAC address, the firewall discards it. A packet sent to
this IP address is forcibly forwarded to the bound MAC address when it passes the firewall. This is
an effective protection against IP address spoofing attacks.
Binding MAC addresses to IP addresses is generally applicable to connections through layer-2 switches
and helps prevent IP address spoofing, ARP flood, and DHCP flood attacks. It is also applicable to
user authentication.
Procedure
1. Display the system view.
<Eudemon> system-view
2. Enable the MAC address binding function.
[Eudemon] firewall mac-binding enable
3. Bind X.X.X.X with 00E0-4C77-1EF3.
[Eudemon] firewall mac-binding X.X.X.X 00E0-4C77-1EF3

Enabling the Function of Sending Attack Defending Logs
The Secoway eLog provides log alarms for the attack defending features supported by the firewall.
The log alarms are generated in the Syslog form.



Prerequisite
The firewall has been connected to the network and basic configurations of the firewall have been
completed.
Procedure
1. Display the system view.
<Eudemon> system-view
2. Enable the attack defending function.
Enable defense against a single type of attack, such as SYN flood.
[Eudemon] firewall defend syn-flood enable
Enable defense against all types of attacks.
[Eudemon] firewall defend all enable
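An added Python audit that checks a Eudemon configuration dump for the eLog forwarding prerequisites set up in this chapter (time zone, info-center loghost with no non-English language attribute, binary session logs to port 9002, session logging in both directions, ACL rules with logging, statistics and blacklist switches); this is example code, not Huawei Symantec code. The sample configuration is constructed from the chapter's commands, and the check names and function names are invented for illustration.

```python
import re

# Constructed sample configuration: the commands from this chapter as a
# display-style dump, one per line, with one deliberate defect (a non-English
# language attribute on the loghost) so the audit has something to report.
SAMPLE_CONFIG = """\
clock timezone c8 add 08:00:00
info-center loghost 10.0.0.100 language chinese
firewall session log-type binary host 10.0.0.100 9002 source 10.0.0.1 9003
firewall statistic system enable
firewall blacklist enable
acl 3000
 rule permit tcp destination 10.0.0.100 0
acl 2000
 rule permit source 192.168.0.100 0 logging
firewall interzone trust untrust
 session log enable acl-number 3000 inbound
 session log enable acl-number 3000 outbound
firewall interzone dmz untrust
 packet-filter 2000 inbound
"""

LOG_SERVER = "10.0.0.100"
BINARY_PORT = 9002          # fixed port for binary session logs (chapter NOTE)


def audit_elog_prerequisites(config: str, log_server: str = LOG_SERVER) -> dict:
    """Check a Eudemon configuration dump against the eLog forwarding prerequisites.

    Returns a mapping from check name to True (satisfied) or False (missing or
    misconfigured). The check names are invented for this example.
    """
    text = "\n".join(line.strip() for line in config.splitlines() if line.strip())
    server = re.escape(log_server)
    result = {}
    # Step 12: time zone aligned with the log server.
    result["clock_timezone_set"] = re.search(
        r"^clock timezone \S+ (add|minus) \d{1,2}:\d{2}:\d{2}$", text, re.M) is not None
    # Syslog: information center redirected to the log server ...
    loghost = re.search(rf"^info-center loghost {server}(.*)$", text, re.M)
    result["syslog_loghost"] = loghost is not None
    # ... and (CAUTION) the language attribute unset or English, or parsing fails.
    attrs = loghost.group(1) if loghost else ""
    result["syslog_language_english"] = loghost is not None and (
        "language" not in attrs or re.search(r"language\s+english\b", attrs) is not None)
    # Session logs: binary format to port 9002 on the log server.
    result["session_binary_to_9002"] = re.search(
        rf"^firewall session log-type binary host {server} {BINARY_PORT}\b",
        text, re.M) is not None
    # Session logging enabled for an interzone in both directions.
    directions = set(re.findall(
        r"^session log enable acl-number \d+ (inbound|outbound)$", text, re.M))
    result["session_log_both_directions"] = directions == {"inbound", "outbound"}
    # Packet-filter logs need the 'logging' keyword on the applied ACL rules.
    result["packet_filter_logging"] = any(
        "logging" in rule for rule in re.findall(r"^rule permit .*$", text, re.M))
    # Traffic monitoring and blacklist logs depend on these two switches.
    result["statistic_system_enable"] = re.search(
        r"^firewall statistic system enable$", text, re.M) is not None
    result["blacklist_enable"] = re.search(
        r"^firewall blacklist enable$", text, re.M) is not None
    return result


def failed_checks(config: str, log_server: str = LOG_SERVER) -> list:
    """Names of the prerequisites the configuration does not meet, in report order."""
    return [name for name, ok in audit_elog_prerequisites(config, log_server).items()
            if not ok]


if __name__ == "__main__":
    for name, ok in audit_elog_prerequisites(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
    print("failed:", failed_checks(SAMPLE_CONFIG))   # ['syslog_language_english']
```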
