
Quidway Eudemon 1000E Unified Security Gateway

V100R002

Feature Description

Issue

01

Date

2009-01-20

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any
assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.


Address:

Huawei Industrial Base


Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website:

http://www.huawei.com

Email:

support@huawei.com

Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are the property of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but the statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.


Contents
About This Document.....................................................................................................................1
1 Overview......................................................................................................................................1-1
1.1 Overview of Network Security.......................................................................................................................1-2
1.1.1 Security Threats......................................................................................................................................1-2
1.1.2 Classification of Network Security Services..........................................................................................1-2
1.1.3 Implementation of Network Security Services......................................................................................1-3
1.2 Overview of Firewalls.....................................................................................................................................1-5
1.2.1 Functions of Firewalls............................................................................................................................1-5
1.2.2 Firewall Development Course................................................................................................................1-6
1.3 Overview of the Eudemon 1000E...................................................................................................................1-7
1.3.1 Product Series.........................................................................................................................................1-7
1.3.2 Advantages.............................................................................................................................................1-8
1.4 Functions and Features of the Eudemon 1000E............................................................................................1-10
1.4.1 Security Defense..................................................................................................................................1-10
1.4.2 Network Interconnection......................................................................................................................1-12
1.4.3 Service Application..............................................................................................................................1-13
1.4.4 Configuration and Management...........................................................................................................1-14
1.4.5 Maintenance and Reliability.................................................................................................................1-14
1.4.6 System Log...........................................................................................................................................1-15
1.5 Location of the Eudemon 1000E on the Network.........................................................................................1-15

2 Introduction to the Eudemon 1000E.......................................................................................2-1


2.1 Working Mode................................................................................................................................................2-2
2.1.1 Working Modes of the Eudemon 1000E................................................................................................2-2
2.1.2 Classification of Working Modes..........................................................................................................2-2
2.1.3 Working Process in Routing Mode........................................................................................................2-4
2.1.4 Working Process in Transparent Mode..................................................................................................2-5
2.1.5 Working Process in Composite Mode....................................................................................................2-9
2.2 Security Zone..................................................................................................................................................2-9
2.2.1 Overview of Security Zones.................................................................................................................2-10
2.2.2 Security Zones on the Eudemon 1000E...............................................................................................2-10

3 Security Features........................................................................................................................3-1
3.1 Virtual Firewalls..............................................................................................................................................3-3
3.2 ACL.................................................................................................................................................................3-4
3.2.1 ACL Definition......................................................................................................................................3-4
3.2.2 ACL Application....................................................................................................................................3-4
3.2.3 ACL on the Eudemon 1000E.................................................................................................................3-6
3.2.4 ACL Step................................................................................................................................................3-8
3.3 Security Policy................................................................................................................................................3-8
3.3.1 Packet Filtering......................................................................................................................................3-9
3.3.2 ASPF......................................................................................................................................................3-9
3.3.3 Blacklist................................................................................................................................................3-11
3.3.4 MAC and IP Address Binding.............................................................................................................3-11
3.3.5 Port Identification.................................................................................................................................3-11
3.4 Attack Defense..............................................................................................................................................3-12
3.4.1 Overview of Attack Defense................................................................................................................3-12
3.4.2 Types of Network Attacks....................................................................................................................3-12
3.4.3 Typical Examples of Network Attacks................................................................................................3-13
3.4.4 Attack Defense Principles....................................................................................................................3-15
3.5 NAT...............................................................................................................................................................3-16
3.5.1 Overview of NAT.................................................................................................................................3-16
3.5.2 NAT on the Eudemon 1000E...............................................................................................................3-17
3.6 Static Multicast..............................................................................................................................................3-22
3.6.1 Restrictions of Unicast or Broadcast....................................................................................................3-23
3.6.2 Overview of Static Multicast................................................................................................................3-24
3.6.3 Implementing Static Multicast on the Eudemon 1000E.......................................................................3-26
3.7 Keyword Authentication...............................................................................................................................3-26
3.8 P2P Traffic Limiting.....................................................................................................................................3-26
3.8.1 Introduction to P2P Traffic Limiting...................................................................................................3-27
3.8.2 P2P Traffic Detection and Limiting.....................................................................................................3-27
3.9 GTP Function................................................................................................................................................3-28
3.9.1 Overview of GTP.................................................................................................................................3-28
3.9.2 Applications of GTP On the Eudemon 1000E.....................................................................................3-29
3.9.3 License.................................................................................................................................................3-29
3.10 IDS Cooperation..........................................................................................................................................3-29
3.10.1 Overview of the IDS Cooperation......................................................................................................3-30
3.10.2 Features of IDS Cooperation..............................................................................................................3-31
3.10.3 Types of IDS Servers.........................................................................................................................3-31
3.11 Secospace Cooperation...............................................................................................................................3-31
3.11.1 Background........................................................................................................................................3-32
3.11.2 Work Flow of Secospace Cooperation...............................................................................................3-33
3.11.3 Specifications of Secospace Cooperation...........................................................................................3-34
3.12 Authentication and Authorization...............................................................................................................3-34
3.12.1 Overview of Authentication and Authorization.................................................................................3-35
3.12.2 Overview of the RADIUS Protocol...................................................................................................3-35
3.12.3 Overview of Domains........................................................................................................................3-38


3.12.4 Overview of Local User Management...............................................................................................3-38

4 VPN...............................................................................................................................................4-1
4.1 Introduction.....................................................................................................................................................4-2
4.1.1 VPN Overview.......................................................................................................................................4-2
4.1.2 VPN Classification.................................................................................................................................4-3
4.1.3 VPN Fundaments...................................................................................................................................4-4
4.1.4 VPN Basic Networking Application......................................................................................................4-6
4.2 L2TP................................................................................................................................................................4-7
4.2.1 VPDN Overview....................................................................................................................................4-7
4.2.2 L2TP Overview......................................................................................................................................4-8
4.2.3 Access to VPN Supported by L2TP.....................................................................................................4-13
4.2.4 License.................................................................................................................................................4-13
4.3 IPSec..............................................................................................................................................................4-13
4.3.1 Overview of the IPSec Protocol...........................................................................................................4-14
4.3.2 IPSec Basic Concepts...........................................................................................................................4-15
4.3.3 Overview of the IKE Protocol..............................................................................................................4-18
4.3.4 Overview of the IKEv2 Protocol..........................................................................................................4-20
4.3.5 Security Analysis of IKEv2..................................................................................................................4-21
4.3.6 IKEv2 and EAP Authentication...........................................................................................................4-23
4.3.7 NAT Traversal of IPSec.......................................................................................................................4-24
4.3.8 Implementing IPSec on the Eudemon 1000E......................................................................................4-24
4.3.9 Access to VPN Supported by IPSec.....................................................................................................4-27
4.3.10 License...............................................................................................................................................4-27
4.4 GRE...............................................................................................................................................................4-28
4.4.1 Introduction..........................................................................................................................................4-28
4.4.2 Realization............................................................................................................................................4-30
4.4.3 License.................................................................................................................................................4-31
4.4.4 Applications of GRE............................................................................................................................4-31

5 Reliability....................................................................................................................................5-1
5.1 Overview of VRRP.........................................................................................................................................5-2
5.1.1 Traditional VRRP...................................................................................................................................5-2
5.1.2 Disadvantages of Traditional VRRP in Eudemon 1000E Backup.........................................................5-4
5.2 Overview of Two-Node Cluster Hot Backup..................................................................................................5-6
5.2.1 HRP Application....................................................................................................................................5-6
5.2.2 Primary/Secondary Configuration Devices............................................................................................5-7
5.3 Relations Between the VRRP Backup Group, Management Group, and HRP..............................................5-8
5.4 Overview of Optical Bypass...........................................................................................................................5-9
5.4.1 Background............................................................................................................................................5-9
5.4.2 Optical Bypass Application..................................................................................................................5-10

A Acronyms and Abbreviations................................................................................................A-1
Figures
Figure 2-1 Networking in routing mode...............................................................................................................2-3
Figure 2-2 Networking in transparent mode........................................................................................................2-3
Figure 2-3 Networking in composite mode..........................................................................................................2-4
Figure 2-4 Broadcasting an information packet...................................................................................................2-6
Figure 2-5 Reversely learning the relation between the MAC address of workstation A and the port................2-6
Figure 2-6 Reversely learning the relation between the MAC address of workstation B and the port................2-7
Figure 2-7 Forwarding frames after finding the address table.............................................................................2-8
Figure 2-8 Discarding frames after finding the address table .............................................................................2-8
Figure 2-9 Forwarding frames after not finding the address table.......................................................................2-9
Figure 2-10 Relations between interfaces, networks, and security zones..........................................................2-12
Figure 3-1 Networking diagram of the basic processes of NAT........................................................................3-17
Figure 3-2 Basic process of NAPT.....................................................................................................................3-19
Figure 3-3 Networking diagram of configuring inbound NAT..........................................................................3-20
Figure 3-4 Networking diagram of NAT within a security zone.......................................................................3-21
Figure 3-5 Unicast information transmission.....................................................................................................3-23
Figure 3-6 Broadcast information transmission.................................................................................................3-24
Figure 3-7 Multicast information transmission..................................................................................................3-25
Figure 3-8 Transmission mode of static multicast.............................................................................................3-26
Figure 3-9 Networking diagram of the IDS cooperation....................................................................................3-30
Figure 3-10 Networking diagram of Secospace Cooperation............................................................................3-32
Figure 3-11 Message flow between the RADIUS client and server..................................................................3-36
Figure 3-12 RADIUS message structure............................................................................................................3-37
Figure 4-1 Networking diagram of a VPN access................................................................................................4-4
Figure 4-2 Networking diagram of VPN applications.........................................................................................4-6
Figure 4-3 Networking diagram of VPDN application based on L2TP...............................................................4-8
Figure 4-4 L2TP protocol structure......................................................................................................................4-9
Figure 4-5 Two typical L2TP tunnel modes......................................................................................................4-10
Figure 4-6 Typical networking diagram of L2TP..............................................................................................4-11
Figure 4-7 Procedure for setting up an L2TP call..............................................................................................4-11
Figure 4-8 Packet format in the transport mode.................................................................................................4-17
Figure 4-9 Packets format in the tunnel mode...................................................................................................4-17
Figure 4-10 The relation between IKE and IPSec..............................................................................................4-19
Figure 4-11 Setup process of SA........................................................................................................................4-20
Figure 4-12 Connecting a VPN with the Eudemon 1000E through Internet.....................................................4-27
Figure 4-13 Connecting a VPN with the Eudemon 1000E directly...................................................................4-27
Figure 4-14 Format of an encapsulated GRE packet..........................................................................................4-28
Figure 4-15 Delivery packet format in the tunnel..............................................................................................4-29
Figure 4-16 GRE packet header ........................................................................................................................4-29
Figure 4-17 Private IP network interconnection through GRE tunnels.............................................................4-31
Figure 4-18 Enlarging the network operation scope..........................................................................................4-31
Figure 4-19 Connecting two Discontinuous Sub-Networks with tunnel...........................................................4-32
Figure 4-20 GRE-IPSec tunnel...........................................................................................................................4-32
Figure 5-1 Networking using the default route....................................................................................................5-2
Figure 5-2 Networking of using the VRRP virtual router....................................................................................5-3
Figure 5-3 Typical networking of Eudemon 1000E backup................................................................................5-4
Figure 5-4 Eudemon 1000E backup state.............................................................................................................5-5
Figure 5-5 Typical data path in primary/secondary mode....................................................................................5-7
Figure 5-6 Hierarchical relations between the VRRP backup group, management group, and HRP..................5-8
Figure 5-7 Networking diagram of a single link..................................................................................................5-9
Figure 5-8 Networking diagram before and after optical bypass.......................................................................5-10
Tables
Table 1-1 Link layer protocols of the Eudemon 1000E.....................................................................................1-12
Table 1-2 IP services of the Eudemon 1000E....................................................................................................1-12
Table 1-3 Routing protocols of the Eudemon 1000E.........................................................................................1-13
Table 1-4 AAA service applications of the Eudemon 1000E.............................................................................1-13
Table 1-5 QoS service applications of the Eudemon 1000E..............................................................................1-14
Table 3-1 ACL description...................................................................................................................................3-6
About This Document


Purpose
This document describes the functions and features of the Eudemon 1000E, including the
introduction to firewalls, introduction to the Eudemon 1000E, principles and application of
security features and reliability.

Related Version
The following table lists the product version related to this document.

Product Name              Version
Quidway Eudemon 1000E     V100R002

Intended Audience
This document is intended for:

- Network engineers
- Network administrators
- Network maintenance engineers

Organization
This document is organized as follows.

Chapter 1 Overview
    This chapter describes network security, firewalls, the Eudemon 1000E, the position of the Eudemon 1000E on the network, and the functions of the Eudemon 1000E.

Chapter 2 Introduction to the Eudemon 1000E
    This chapter describes the working modes and the security zones of the Eudemon 1000E.

Chapter 3 Security Features
    This chapter describes the security features of the Eudemon 1000E, including ACL, packet filtering, attack defense, blacklist, port identification, static multicast, user authentication, content filtering, IDS cooperation, authentication, and authorization.

Chapter 4 VPN
    This chapter describes the VPN features of the Eudemon 1000E, including L2TP, IPSec, and GRE.

Chapter 5 Reliability
    This chapter describes the protocols that the Eudemon 1000E complies with, the two-node cluster hot backup function, and the optical bypass function.

Appendix A Acronyms and Abbreviations
    This chapter lists the acronyms and abbreviations used in this document.

Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.

DANGER
    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING
    Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION
    Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP
    Indicates a tip that may help you solve a problem or save time.

NOTE
    Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.

Times New Roman
    Normal paragraphs are in Times New Roman.

Boldface
    Names of files, directories, folders, and users are in boldface. For example, log in as user root.

Italic
    Book titles are in italics.

Courier New
    Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Boldface
    The keywords of a command line are in boldface.

Italic
    Command arguments are in italics.

[ ]
    Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }
    Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]
    Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*
    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*
    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.


Convention   Description
Boldface     Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>            Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.


Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.
Format         Description
Key            Press the key. For example, press Enter and press Tab.
Key 1+Key 2    Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2   Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.
Action         Description
Click          Select and release the primary mouse button without moving the pointer.
Double-click   Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag           Press and hold the primary mouse button and move the pointer to a certain position.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Updates in Issue 01 (2009-01-20)
The initial commercial release.


1 Overview

About This Chapter

This chapter describes network security threats, the types and implementation methods of network security services, and the importance, development history, advantages, functions, and network locations of the Eudemon 1000E.
1.1 Overview of Network Security
With the rapid development of the Internet, an increasing number of enterprises turn to network services to develop their business. Customers are increasingly concerned about how to protect confidential data and resources on open networks. As a result, network security has become a critical task in network construction.
1.2 Overview of Firewalls
Similar to the partition wall used to prevent fire from spreading in a building, an Internet firewall is a system, or a group of systems, that implements an access control policy. The firewall monitors the access channels between the Trust zone (an intranet) and the Untrust zone (the Internet) and prevents risks from spreading from the Internet.
1.3 Overview of the Eudemon 1000E
As a high-speed stateful firewall, the Eudemon 1000E unified security gateway (hereinafter referred to as the Eudemon 1000E) provides customers of various grades with a cost-effective network security guarantee.
1.4 Functions and Features of the Eudemon 1000E
The Eudemon 1000E supports such features as security defense, internetworking, service
applications, configuration management, maintenance, reliability, and system logs.
1.5 Location of the Eudemon 1000E on the Network
Typically, the Eudemon 1000E is deployed at the ingress of a protected zone to protect the zone
based on access control policies.

1.1 Overview of Network Security


With the rapid development of the Internet, an increasing number of enterprises turn to network services to develop their business. Customers are increasingly concerned about how to protect confidential data and resources on open networks. As a result, network security has become a critical task in network construction.
1.1.1 Security Threats
At present, common security threats on the Internet can be categorized into the following types: unauthorized use, Denial of Service (DoS), information theft, and data tampering.
1.1.2 Classification of Network Security Services
Network security services are a set of security measures taken against security threats, including availability service, confidentiality service, integrity service, verification service, and authorization.
1.1.3 Implementation of Network Security Services
Common network security services are carried out through encryption, authentication, access
control, and security protocols.

1.1.1 Security Threats


At present, common security threats on the Internet can be categorized into the following types: unauthorized use, Denial of Service (DoS), information theft, and data tampering.
These four types of security threats are described as follows:

- Unauthorized use
  Resources are used by an unauthorized user (also called an illegal user) or in an unauthorized mode (also called illegal authorization).
  For example, an attacker obtains a user name and password to access a computer system and use its resources illegally.

- DoS
  The server denies legal access requests from legal users.
  For example, an attacker sends a large number of data packets to the server within a short time, and the overloaded server can no longer process legal tasks.

- Information theft
  Instead of attacking the system directly, an attacker eavesdrops on the system and obtains significant data or information from the network.

- Data tampering
  An attacker undermines data integrity by modifying, deleting, delaying, or reordering system data or message streams, or by inserting false messages.

1.1.2 Classification of Network Security Services


Network security services are a set of security measures taken against security threats, including availability service, confidentiality service, integrity service, verification service, and authorization.
Details of network security services are as follows:
- Availability service
  Ensures that information or services can be accessed when required.

- Confidentiality service
  Ensures that sensitive data or information is not disclosed or exposed to an unauthorized entity.

- Integrity service
  Ensures that data cannot be changed or destroyed in an unauthorized mode.

- Verification service
  Ensures the legality of an entity ID.

- Authorization
  Specifies the access authority of a user to control resources.

1.1.3 Implementation of Network Security Services


Common network security services are carried out through encryption, authentication, access
control, and security protocols.

Encryption
Encryption is a process that translates a readable message into unreadable encrypted text. It not only ensures communication security, but also serves as the basis of many security mechanisms.
Encryption can be applied in the following mechanisms:

- Authentication password design
- Security communication protocol design
- Digital signature design

Encryption methods are of the following three types:

- Symmetric cipher mechanism
  The keys for encryption and decryption are the same. A pair of users shares one key to exchange messages, and the key must be kept confidential.
  Includes Data Encryption Standard (DES) and Triple DES (3DES).

- Public key cipher mechanism
  It provides two different keys that separate encryption from decryption. One key, the private key, must be kept confidential; the other, the public key, can be distributed publicly.
  Includes Diffie-Hellman (DH) and Rivest, Shamir, Adleman (RSA).

- Hash
  It compresses a variable-length message into a fixed-length code, the hash or message digest.
  Includes Message Digest 5 (MD5) and Secure Hash Algorithm (SHA).


Authentication
Authentication verifies the legality of a user ID before the user accesses the network or obtains services.
Authentication can be provided locally by each device on the network, or carried out through a dedicated authentication server. The latter offers better flexibility, controllability, and expandability.
In heterogeneous network environments, Remote Authentication Dial In User Service (RADIUS), an open standard, is now widely used to provide the authentication service.

Access Control
Access control is an enhanced authorization method. Generally, it is classified into the following types:

- Access control based on an operating system (OS)
  It authorizes a user to access resources on a certain computer. Access control policies can be set based on user IDs, groups, or rules.

- Access control based on the network
  It authorizes a legal user to access the network. The mechanism is more complex than access control based on an OS. Usually, an access control component (such as a firewall) is configured at an intermediate point between the requester and the destination to achieve access control.

Security Protocols
Network security protocols play an extremely significant role in network security. The following describes the widely used security protocols in terms of the Transmission Control Protocol/Internet Protocol (TCP/IP) layered model:

- Application layer security
  It provides end-to-end security from an application on one host to an application on another host across the network. The application layer security mechanism depends on the specific application, and its security protocol is a supplement to the application protocol. Therefore, no general application layer security protocol exists.

- Transport layer security
  It provides a process-to-process security service between processes on the same host or on different hosts. The transport layer security mechanism is based on the security of the Inter-Process Communication (IPC) interface and the applications.
  Providing security services at the transport layer means strengthening its IPC interface. The specific process includes:
  - Authentication of the entities at both ends
  - Exchange of data encryption keys
  Based on this idea, the Secure Sockets Layer (SSL) protocol was developed on top of a reliable transport service.

- Network layer security
  Security provided at the network layer automatically protects user data even if the upper layers fail to implement security. Therefore, Internet Protocol (IP) security is the basis of the whole TCP/IP security and the core of Internet security.


  At present, the most significant security protocol at the network layer is IP Security Protocol (IPSec). IPSec is a generic term for a series of network security protocols, including security protocols and encryption protocols.
  IPSec can provide the communicating parties with the following services:
  - Access control
  - Connectionless integrity
  - Data source authentication
  - Anti-replay
  - Encryption
  - Traffic flow confidentiality (encryption of classified data flows)

- Data link layer security
  It provides a point-to-point security service, for example on a point-to-point link or a Frame Relay permanent virtual circuit. Data link layer security is implemented through encryption and decryption at each end of the link using dedicated devices.

1.2 Overview of Firewalls


Similar to the partition wall used to prevent fire from spreading in a building, an Internet firewall is a system, or a group of systems, that implements an access control policy. The firewall monitors the access channels between the Trust zone (an intranet) and the Untrust zone (the Internet) and prevents risks from spreading from the Internet.
1.2.1 Functions of Firewalls
In a security defense system, firewalls are usually the first line of defense against most of the
external attacks.
1.2.2 Firewall Development Course
Up to now, there have been three generations of firewalls. The first generation firewalls are
packet filtering firewalls, the second generation proxy firewalls, and the third generation stateful
firewalls.

1.2.1 Functions of Firewalls


In a security defense system, firewalls are usually the first line of defense against most external attacks.
In practical applications, a single security defense technology cannot construct a network security system, so multiple technologies should be used together to minimize security risks. In general, the first step in implementing security defense is to construct a barrier, known as a firewall, between the intranet and the Internet to protect the intranet against attacks from the Internet.
Firewalls are mainly used for the following purposes:

- Restricting the entry of users or information from a specific and strictly controlled website.
- Preventing attackers from accessing other security defense facilities.
- Restricting the exit of users or information from a specific and strictly controlled website.


1.2.2 Firewall Development Course


Up to now, there have been three generations of firewalls. The first generation firewalls are
packet filtering firewalls, the second generation proxy firewalls, and the third generation stateful
firewalls.

First Generation Firewall: Packet Filtering Firewall
Packet filtering is a method that checks each packet at the network layer and then forwards or discards it based on security policies.
The basic principle of a packet filtering firewall is that it filters packets by means of configured access control lists (ACLs), based on the source and destination IP addresses, the source and destination port numbers, IP identifiers, and the packet delivery direction.
With moderate cost and simple design, the first-generation firewall can be implemented easily. However, it has obvious disadvantages:

- As the complexity and length of the ACL increase, its filtering performance degrades greatly.
- Static ACL rules cannot easily meet dynamic security requirements.
- Packet filtering neither checks session states nor analyzes data; that is, it cannot filter data at the user level to prevent spoofing. For example, an attacker can set a host IP address to that of a legal host to pass packet filtering.

Second Generation Firewall: Proxy Firewall
Proxy services act at the application layer. In essence, a proxy takes over the services between intranet users and Internet users. The working principle is that the proxy checks the request from a user. If authentication passes, the firewall sets up a connection to the actual server, forwards the request, and finally returns the response.
The proxy firewall offers higher security. It can completely control network information exchanges and session processes.
However, it has obvious disadvantages:

- Low processing speed due to software restrictions, and vulnerability to DoS attacks
- Difficult to upgrade, as an application proxy must be developed for each protocol

Third Generation Firewall: Stateful Firewall
Stateful analysis technology is an extension of packet filtering technology (also called "dynamic packet filtering" informally). Packet filtering based on connection state not only checks each packet as an independent unit, but also considers its history association.
The basic principle is described as follows:

- The stateful firewall uses various state tables to keep track of active Transmission Control Protocol (TCP) sessions and User Datagram Protocol (UDP) pseudo sessions. The ACL then determines which sessions can be set up. Finally, only the packets associated with permitted sessions are forwarded.
NOTE

A UDP pseudo session is a session process during which a virtual connection is set up to process
UDP-based protocol packets and to monitor the status of UDP connection processes.
- The stateful firewall captures packets at the network layer. The firewall then extracts the state information required by the security policies at the application layer and saves it in dynamic state tables. The firewall analyzes the state tables and the subsequent connection requests related to the data packet to make a proper decision.

From the Internet side, the stateful firewall looks like a proxy system, because all external service requests appear to come from the same host.
From the intranet side, the stateful firewall looks like a packet filtering system, because intranet users appear to interwork directly with the Internet.
The stateful firewall has the following advantages:

- High speed
  A stateful firewall records the connection state while performing the ACL check on the initial packet. ACL checks are not required for the subsequent packets; the firewall only needs to check the connection state records of the subsequent packets against the state table. After these packets pass the checks, the connection state records are refreshed. In this way, packets belonging to the same connection are not checked repeatedly. Unlike ACL rules, which must be matched in a fixed order, the records in the connection state table need no particular order, so the firewall can search them quickly using binary tree or hash algorithms to improve system transmission efficiency.

- Reliable security
  The connection state table is managed dynamically. After a session is completed, the temporary return packet entry created on the firewall is closed to ensure the security of the intranet. Meanwhile, with real-time connection state monitoring technology, the firewall can identify the connection state based on state factors such as responses recorded in the state table, enhancing system security.
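The two principles contrasted in this section, a packet filtering firewall that consults the ACL for every packet and therefore accepts a spoofed source, and a stateful firewall that checks the ACL only on the flow-opening packet and then resolves later packets (including UDP pseudo sessions) by session-table lookup, closing the return entry when the session ends, as a small Python model. This is an added illustration, not Eudemon code; the rule syntax, addresses, ports and timeouts are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"} or {"FIN"}

@dataclass(frozen=True)
class Rule:
    """One ACL entry (constructed syntax); None means 'any' for that field."""
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def acl_permits(rules, p: Packet) -> bool:
    """First-match ACL with implicit deny; cost grows with ACL length."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False

class StatefulFirewall:
    """Third-generation firewall: ACL only for the flow-opening packet, then a
    hash lookup in the session table (TCP sessions, UDP pseudo sessions)."""

    def __init__(self, rules, tcp_timeout=3600.0, udp_timeout=120.0):
        self.rules = rules
        self.timeout = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.sessions = {}              # session key -> expiry timestamp
        self.acl_lookups = 0            # shows how rarely the ACL is scanned

    @staticmethod
    def key(p: Packet):
        """Direction-independent 5-tuple so replies hit the same entry."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def process(self, p: Packet, now: float) -> str:
        k = self.key(p)
        expiry = self.sessions.get(k)
        if expiry is not None and now < expiry:
            if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
                del self.sessions[k]    # session over: return entry is closed
            else:
                self.sessions[k] = now + self.timeout[p.proto]  # refresh
            return "forward"
        if expiry is not None:
            del self.sessions[k]        # idle session aged out
        # No live session, so only a flow-opening packet may create one.
        if p.proto == "tcp" and "SYN" not in p.flags:
            return "drop"               # unsolicited segment, e.g. a forged reply
        self.acl_lookups += 1
        if not acl_permits(self.rules, p):
            return "drop"
        self.sessions[k] = now + self.timeout[p.proto]
        return "forward"

INTRANET = "10.0.0.0/8"                 # constructed addressing for the demo
# Policy: intranet hosts may open DNS and HTTP flows towards the Internet.
OUTBOUND = [Rule("permit", src=INTRANET, proto="udp", dport=53),
            Rule("permit", src=INTRANET, proto="tcp", dport=80)]
# A stateless filter also needs a static rule admitting DNS replies, and that
# rule admits any packet claiming source port 53, whoever really sent it.
RETURN_RULE = Rule("permit", dst=INTRANET, proto="udp", sport=53)

def demo():
    query = Packet("10.0.0.5", "198.51.100.53", "udp", 40000, 53)
    reply = Packet("198.51.100.53", "10.0.0.5", "udp", 53, 40000)
    forged = Packet("198.51.100.53", "10.0.0.5", "udp", 53, 161)  # spoofed "reply"
    fw = StatefulFirewall(OUTBOUND)
    out = {"stateless": ["forward" if acl_permits(OUTBOUND + [RETURN_RULE], p)
                         else "drop" for p in (query, reply, forged)],
           "stateful": [fw.process(p, float(t)) for t, p in enumerate((query, reply, forged))]}
    out["stale_reply"] = fw.process(reply, 500.0)   # pseudo session aged out
    syn = Packet("10.0.0.5", "203.0.113.7", "tcp", 5000, 80, frozenset({"SYN"}))
    synack = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 5000, frozenset({"SYN", "ACK"}))
    data = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 5000, frozenset({"ACK"}))
    fin = Packet("10.0.0.5", "203.0.113.7", "tcp", 5000, 80, frozenset({"FIN", "ACK"}))
    out["tcp"] = [fw.process(pk, 10.0 + i)
                  for i, pk in enumerate((syn, synack, data, fin, data))]
    out["acl_lookups"] = fw.acl_lookups
    out["open_sessions"] = len(fw.sessions)
    return out
```

The stateless filter forwards the forged packet because the static return rule matches it, while the stateful model drops it, drops the DNS reply once the pseudo session has aged out, and consults the ACL only four times for the whole exchange.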

1.3 Overview of the Eudemon 1000E


As a high-speed stateful firewall, the Eudemon 1000E unified security gateway (hereinafter referred to as the Eudemon 1000E) provides customers of various grades with a cost-effective network security guarantee.
1.3.1 Product Series
Combined with Huawei application specific packet filter (ASPF) technology, the Eudemon 1000E features the high security of a proxy firewall and the high speed of a stateful firewall.
1.3.2 Advantages
As a new generation of high-speed stateful firewalls, the Eudemon 1000E provides customers with cost-effective security solutions to protect their small and medium-sized networks. Its advantages include enhanced security features and a high-speed processing capability.

1.3.1 Product Series


Combined with Huawei application specific packet filter (ASPF) technology, the Eudemon 1000E features the high security of a proxy firewall and the high speed of a stateful firewall.

The Eudemon 1000E uses a specially designed hardware system with high reliability and a dedicated OS with independent intellectual property rights.
The Eudemon 1000E integrates:

- Efficient packet filtering
- Transparent proxy services
- Improved state inspection security technology
- Various analysis and statistics functions
- Multiple security measures

In addition, it provides:

- Multiple types of interfaces
- Multiple working modes

The Eudemon 1000E series consists of the following products. The main performance parameters of each product are as follows:

Product             Maximum throughput   Maximum concurrent connections   Concurrent connections established per second
Eudemon 1000E-U2    2 Gbit/s             1,600,000                        150,000
Eudemon 1000E-U3    4 Gbit/s             1,600,000                        150,000
Eudemon 1000E-U5    6 Gbit/s             2,000,000                        150,000
Eudemon 1000E-U6    6 Gbit/s             2,000,000                        150,000

Combining the Eudemon 1000E series firewalls with its existing routers and switches, Huawei provides customers with an advanced and overall security solution for small-sized, medium-sized, and large-sized intranets.

1.3.2 Advantages
As a new generation of high-speed stateful firewalls, the Eudemon 1000E provides customers with cost-effective security solutions to protect their small and medium-sized networks. Its advantages include enhanced security features and a high-speed processing capability.

Enhanced Security
Compared with software firewalls based on a common OS, the Eudemon 1000E uses a specially designed hardware platform and a secure OS with independent intellectual property rights. Its packet processing is totally separated from the OS, which significantly increases system security.
With its own ASPF state inspection technology, the Eudemon 1000E can:

- Monitor the connection process and malicious commands.
- Cooperate with ACLs to achieve packet filtering.
- Provide the capability of preventing dozens of attacks.

With the above features, the Eudemon 1000E ensures the security of networks.

High-Speed Processing Capability


Oriented to medium-sized and large-sized enterprises and industry users, the Eudemon 1000E provides line-speed, high-performance security defense and packet processing capability by using multi-core processor technology.
The Eudemon 1000E uses high-speed algorithms and an optimized software structure, which effectively ensure system performance. For example, the high-speed ACL algorithm finds a specific policy at the same speed whether a few or thousands of policies are configured.

High Reliability
Various attack details have been taken into account in the software design. The Eudemon 1000E achieves great robustness by means of priority scheduling and flow control.
In addition, the Eudemon 1000E supports two-node cluster hot backup, so that service is not disrupted during a state switchover.

Powerful Networking and Service-Supporting Capability


Integrating high-speed Ethernet interfaces, the Eudemon 1000E supports multiple protocols, such as H.323, File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).
In addition, the Eudemon 1000E has the following features:

- Supports detection of malicious commands.
- Supports Network Address Translation (NAT) applications.
- Supports static and dynamic blacklist filtering.
- Supports proxy-based SYN flood defense flow control.

Besides the security protection function, the Eudemon 1000E integrates certain routing functions:

- Static routing
- Routing Information Protocol (RIP) dynamic routing
- Open Shortest Path First (OSPF) dynamic routing

The Eudemon 1000E supports multiple working modes, such as routing mode, transparent mode, and composite mode. In transparent mode, you do not need to change the original networking configuration; the Eudemon 1000E serves as a network bridge, which simplifies networking.

Powerful Log Statistics and Analysis Functions


The powerful log statistics and analysis functions of the Eudemon 1000E assist you in security analysis and event tracing.
1.4 Functions and Features of the Eudemon 1000E


The Eudemon 1000E supports such features as security defense, internetworking, service
applications, configuration management, maintenance, reliability, and system logs.
1.4.1 Security Defense
This describes the working modes, packet filtering, and network address translation (NAT)
related to security defense.
1.4.2 Network Interconnection
This describes the link layer protocols, IP services, routing features, and some other functions
related to internetworking of the Eudemon 1000E.
1.4.3 Service Application
This describes service applications of authorization, authentication and accounting (AAA),
virtual private network (VPN), and quality of service (QoS).
1.4.4 Configuration and Management
The configuration and management function covers the command line interface, system management, and terminal services.
1.4.5 Maintenance and Reliability
The maintenance and reliability function covers reliability, system management, and CPU protection for over-high temperature.
1.4.6 System Log
This describes the system log function.

1.4.1 Security Defense


This describes the working modes, packet filtering, and network address translation (NAT)
related to security defense.

Working Mode
The Eudemon 1000E supports the following working modes:

- Routing mode
- Transparent mode
- Composite mode

Packet Filtering
The Eudemon 1000E supports the following packet filtering modes:

- Basic ACL and advanced ACL
- Time range ACL
- Inter-zone ACL
- Dynamic update of ACL rules
- Blacklists
- Binding of medium access control (MAC) and IP addresses
- ASPF and state inspection
- Port mapping mechanism


NAT
The Network Address Translation (NAT) function of the Eudemon 1000E is described as follows:

- Providing the address translation function.
- Providing the internal server.
- Providing the port-level NAT server.
- Supporting multiple NAT ALGs (Application Level Gateways), including:
  - File Transfer Protocol (FTP)
  - Point-to-Point Tunneling Protocol (PPTP)
  - Domain Name Server (DNS)
  - Internet Locator Service (ILS)
  - NetBIOS over TCP/IP (NBT)
  - Internet Control Message Protocol (ICMP)
  - H.323
  - QQ
  - MSN
  - Real-Time Streaming Protocol (RTSP)

Attack Defense
The attack defense of the Eudemon 1000E is described as follows:

- Defending against multiple DoS attacks, such as SYN Flood, ICMP Flood, UDP Flood, WinNuke, ICMP redirection, unreachable packets, Land, Smurf, and Fraggle.
- Defending against scanning and snooping, such as address scanning, port scanning, the IP source routing option, the IP route record option, and ICMP snooping packets.
- Defending against other attacks, such as IP spoofing.

IDS Cooperation
The following describes the cooperation between the Eudemon 1000E and an intrusion detection system (IDS):

- The Eudemon 1000E opens the related ports to interwork with other security software. In this way, a unified security network is set up.
- IDS cooperation depends on the joint work of the firewall and the IDS devices on the intranet. In this way, IDS cooperation detects and prevents illegal operations by intranet users and attacks that have entered the intranet illegally.

Traffic Monitoring
The following describes the traffic monitoring of the Eudemon 1000E:

- Supporting limits on the rate and the number of IP-based connections.
- Supporting CAR (Committed Access Rate).
- Supporting real-time traffic statistics and attack packet statistics.

1.4.2 Network Interconnection


This describes the link layer protocols, IP services, routing features, and some other functions
related to internetworking of the Eudemon 1000E.

Link Layer Protocols


Table 1-1 describes the link layer protocols supported by the Eudemon 1000E.
Table 1-1 Link layer protocols of the Eudemon 1000E
Product          Description
Eudemon 1000E    Supports Ethernet_II.
                 Supports VLAN (virtual local area network).

IP Services
Table 1-2 describes the IP services of the Eudemon 1000E.
Table 1-2 IP services of the Eudemon 1000E
Product          Description
Eudemon 1000E    Supports ARP (Address Resolution Protocol).
                 Supports DHCP (Dynamic Host Configuration Protocol) relay and DHCP servers.

Routing Protocols
Table 1-3 describes the routing protocols of the Eudemon 1000E.
Table 1-3 Routing protocols of the Eudemon 1000E
Product          Description
Eudemon 1000E    Supports static routing.
                 Supports dynamic routing (RIP, OSPF, and BGP (Border Gateway Protocol)).
                 Supports policy-based routing.
                 Supports route policy and route iteration.

1.4.3 Service Application


This describes service applications of authorization, authentication and accounting (AAA),
virtual private network (VPN), and quality of service (QoS).

AAA
Table 1-4 describes the authentication, authorization, and accounting (AAA) service applications of the Eudemon 1000E.
Table 1-4 AAA service applications of the Eudemon 1000E
Product          Description
Eudemon 1000E    Supports the RADIUS protocol and provides PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol) authentication.
                 Supports the AAA domain.
                 Supports local user management.
                 Supports multiple ISPs (Internet Service Providers).

QoS
Table 1-5 describes the quality of service (QoS) service applications of the Eudemon 1000E.
Table 1-5 QoS service applications of the Eudemon 1000E
Product          Description
Eudemon 1000E    CAR
                 Sequence guarantee

1.4.4 Configuration and Management


The configuration and management function covers the command line interface, system management, and terminal services.

CLI
The following describes the command line interface (CLI) of the Eudemon 1000E:

- Prompt and help information in English or in Chinese.
- Hierarchical protection of command lines against intrusion by unauthorized users.
- Detailed debugging information to help with network fault checking.
- Network test tools, such as the tracert and ping commands, which help to rapidly identify whether the network is normal.

System Management
The following describes the system management of the Eudemon 1000E:

- Supports file upload, download, and deletion in FTP mode.
- Supports file upload and download in TFTP mode.
- Supports configuration file upload, license file upload, and file download and deletion in Web mode.

Terminal Services
The following describes the terminal services of the Eudemon 1000E:

- Supports terminal services on the console port.
- Supports terminal services over Telnet and secure shell (SSH) v1.5.
- Supports the send function so that terminal users can communicate with each other.

1.4.5 Maintenance and Reliability


The maintenance and reliability function covers reliability, system management, and CPU protection for over-high temperature.

Reliability
The following describes the reliability of the Eudemon 1000E:

- Supports VRRP (Virtual Router Redundancy Protocol).
- Supports VGMP (VRRP Group Management Protocol).
- Supports HRP (Huawei Redundancy Protocol) hot backup.
- Forms a network with the OSN 900A to achieve the optical bypass function.

System Management
Supports the standard network management protocols SNMP v1/v2c/v3.

CPU Protection for Over-high Temperature

When the temperature of the CPU exceeds 60°C, the alarm indicator on the front panel turns
on. The system outputs a high-temperature alarm message and records the alarm in the log.
When the temperature of the CPU exceeds 90°C, the system outputs a shutdown alarm message
and records the alarm in the log. If the temperature keeps rising, the system switches to the
heat protection state three minutes after the shutdown alarm message is generated. All indicators
on the front panel are on except for the system indicator and the active/standby indicator, which
indicates that the system is in the heat protection state. After 16 minutes, the system switches
on again automatically.

1.4.6 System Log


This describes the system log function.
The following describes the system logs of the Eudemon 1000E:
- Works with the log server to provide browsing and querying of log information.
- Provides input and output IP packet statistics, the NAT log, the ASPF log, the attack defense
  log, and the blacklist log.

1.5 Location of the Eudemon 1000E on the Network


Typically, the Eudemon 1000E is deployed at the ingress of a protected zone to protect the zone
based on access control policies.
For example:
- When you need to protect intranets and data against illegal access, malicious attacks from the
  Internet, or other unauthorized or unauthenticated access, deploy the Eudemon 1000E at the
  junction of the intranet and the Internet.
- When you need to deny intranet users access to sensitive data, deploy the Eudemon 1000E at
  the junction where an open network segment meets a sensitive one (such as a segment that
  holds sensitive or private data).


2 Introduction to the Eudemon 1000E


About This Chapter


Before introducing the specific features of the Eudemon 1000E, this chapter describes the
working modes and security zones of the Eudemon 1000E. The Eudemon 1000E is referred to
as Firewall in the figures.
2.1 Working Mode
This describes the working modes of the Eudemon 1000E and the working process in each
working mode.
2.2 Security Zone
This describes the concept and division of security zones, the relationships between security
zones and interfaces, the relationship between security zones and networks, and the definition
of the inbound/outbound directions of data streams between security zones.


2.1 Working Mode


This describes the working modes of the Eudemon 1000E and the working process in each
working mode.
2.1.1 Working Modes of the Eudemon 1000E
At present, the Eudemon 1000E can work in three working modes: routing mode, transparent
mode, and composite mode.
2.1.2 Classification of Working Modes
This describes the three working modes of the Eudemon 1000E.
2.1.3 Working Process in Routing Mode
When the Eudemon 1000E works in routing mode, all the interfaces must be configured with
IP addresses and reside in a Layer 3 network. Network users connected to different interfaces in
the Layer 3 network belong to different subnets.
2.1.4 Working Process in Transparent Mode
In transparent mode (or bridge mode), interfaces on the Eudemon 1000E cannot be configured
with IP addresses and reside in a Layer 2 network. Network users connected to the interfaces in
the Layer 2 network reside in the same subnet.
2.1.5 Working Process in Composite Mode
When the Eudemon 1000E works in composite mode, certain interfaces must be configured with
IP addresses and the others must not.

2.1.1 Working Modes of the Eudemon 1000E


At present, the Eudemon 1000E can work in three working modes: routing mode, transparent
mode, and composite mode.
- Routing mode
  If the Eudemon 1000E connects to the Internet at Layer 3 (the interface has an IP address),
  the Eudemon 1000E works in routing mode.
- Transparent mode
  If the Eudemon 1000E connects to the Internet at Layer 2 (the interface does not have an IP
  address), the Eudemon 1000E works in transparent mode.
- Composite mode
  If the Eudemon 1000E has some interfaces working in routing mode (with IP addresses) and
  others working in transparent mode (without IP addresses), the Eudemon 1000E works in
  composite mode.

2.1.2 Classification of Working Modes


This describes the three working modes of the Eudemon 1000E.

Routing Mode
When the Eudemon 1000E is located between the intranet and the Internet, you need to configure
the interfaces, through which the Eudemon 1000E is connected to the intranet, Internet, and
demilitarized zone (DMZ), with IP addresses in different network segments, and you need to
redesign the network topology. In this case, the Eudemon 1000E serves as a router.

As shown in Figure 2-1, the Eudemon 1000E is connected to the intranet through an interface
in the Trust zone and connected to the Internet through an interface in the Untrust zone.
Note that the interface in the Trust zone and that in the Untrust zone are segmented to different
subnets.
Figure 2-1 Networking in routing mode
[Figure: PCs and a server in the Trust zone (10.110.1.254 side) connect to the Firewall; the
Untrust side (202.10.0.1) connects through a Router to a server on the Internet.]

When working in routing mode, the Eudemon 1000E can perform ACL packet filtering, ASPF
dynamic filtering, and NAT. Network topology, however, needs to be changed. For example,
intranet users need to change their gateways and routers' routing configurations need to be
changed, which are complicated processes. It is recommended that you weigh the advantages
and disadvantages before changing the network topology.

Transparent Mode
If the Eudemon 1000E works in transparent mode, you do not need to change the network
topology. In this case, the Eudemon 1000E is completely transparent to the users in the subnets
and to the routers. That is, users are not fully aware of the existence of the Eudemon 1000E.
In transparent mode, you only need to place the Eudemon 1000E on the network as you would
place a network bridge, without modifying any existing configurations. As in routing mode, the
Eudemon 1000E checks and filters IP packets and protects intranet users against threats.
Figure 2-2 shows a typical networking in transparent mode.
Figure 2-2 Networking in transparent mode
[Figure: PCs and a server in the Trust zone (202.10.0.2/24 side) connect to the Firewall; the
Untrust side (202.10.0.1/24) connects through a Router to a server. Both sides are in the same
subnet.]

The Eudemon 1000E is connected to the intranet through an interface in the Trust zone, while
it is connected with the Internet through an interface in the Untrust zone.
Note that the interface in the Trust zone and that in the Untrust zone must reside in the same
subnet.

Composite Mode
If there are interfaces working in routing mode (such interfaces have IP addresses) and interfaces
working in transparent mode (such interfaces have no IP address) in the Eudemon 1000E, it
means that the Eudemon 1000E works in composite mode.
The composite mode is applied to the two-node cluster hot backup in transparent mode. The
interface on which Virtual Router Redundancy Protocol (VRRP) is enabled needs to be
configured with an IP address, and other interfaces do not need to be configured with IP
addresses. For more information about two-node cluster hot backup in transparent mode, see the
Quidway Eudemon 1000E Unified Security Gateway Configuration Guide Reliability Volume.
Figure 2-3 shows a typical networking in composite mode.
Figure 2-3 Networking in composite mode
[Figure: Firewall (Primary) and Firewall (Secondary) are both connected to PCs and a server in
the Trust zone (202.10.0.0/24) and to a server in the Untrust zone (202.10.0.0/24); the two
firewalls are also connected to each other through a HUB.]

Primary and secondary Eudemon 1000Es are connected to the intranet through interfaces in the
Trust zone, and connected to the Internet through interfaces in the Untrust zone.
In addition, the primary and secondary Eudemon 1000Es:
- Connect with each other through a hub or a local area network (LAN) switch.
- Perform backup over VRRP.

NOTE
The primary and secondary Eudemon 1000Es can be connected directly or through a hub or a LAN switch.
You can connect the primary and the secondary Eudemon 1000Es based on the actual conditions. The
intranet and the Internet must reside in the same subnet.

2.1.3 Working Process in Routing Mode


When the Eudemon 1000E works in routing mode, all the interfaces must be configured with
IP addresses and reside in a Layer 3 network. Network users connected to different interfaces in
the Layer 3 network belong to different subnets.
When packets are forwarded between interfaces in a Layer 3 security zone, the Eudemon 1000E
serves as a router and searches for routing entries based on the IP addresses of the packets.
Unlike a router, however, the Eudemon 1000E sends IP packets to the upper layer for filtering
and determines whether to permit the packets to pass through based on session entries or ACL
rules. In addition, the Eudemon 1000E is also responsible for other attack defense checks.

2.1.4 Working Process in Transparent Mode


In transparent mode (or bridge mode), interfaces on the Eudemon 1000E cannot be configured
with IP addresses and reside in a Layer 2 network. Network users connected to the interfaces in
the Layer 2 network reside in the same subnet.

Overview
When packets are forwarded between interfaces in a Layer 2 security zone, the Eudemon 1000E
serves as a transparent bridge and searches for outbound interfaces based on the medium access
control (MAC) addresses of the packets. Unlike a network bridge, the Eudemon 1000E sends IP
packets to the upper layer for filtering and then determines whether to permit the packets to pass
through based on session entries or ACL rules. In addition, the Eudemon 1000E is also
responsible for other attack defense checks.
In transparent mode, the Eudemon 1000E is connected to the LAN at the data link layer, so end
users do not need to perform special configurations when connecting to the network (as with a
LAN switch connection).
The working process in transparent mode is divided into two parts: obtaining an address table,
and forwarding and filtering frames.

Obtaining an Address Table


In transparent mode, the Eudemon 1000E forwards packets based on the MAC address table.
The MAC address table consists of MAC addresses and interfaces, so that the Eudemon
1000E can obtain the relation between MAC addresses and interfaces.
In transparent mode, the procedure for the Eudemon 1000E to obtain the MAC address table is
as follows:
1. Broadcast an information packet.
   When connected to a physical network segment, the Eudemon 1000E monitors all
   Ethernet frames in the physical network segment. Once it sees an Ethernet frame sent
   from the node on an interface, it extracts the source MAC address of the frame and adds
   the relation between the MAC address and the interface that received the frame to the MAC
   address table, as shown in Figure 2-4.


   Figure 2-4 Broadcasting an information packet
   [Figure: Workstation A (00e0.fcaa.aaaa) and Workstation B (00e0.fcbb.bbbb) on Ethernet
   segment 1 connect to Port 1 of the Firewall; Workstation C (00e0.fccc.cccc) and Workstation D
   (00e0.fcdd.dddd) on Ethernet segment 2 connect to Port 2. The frame exchanged between A and B
   carries the addresses 00e0.fcaa.aaaa and 00e0.fcbb.bbbb as destination and source.]

   Workstations A, B, C, and D reside in two LANs. Ethernet segments 1 and 2 are connected
   to Ports 1 and 2 respectively on the Eudemon 1000E. For example, when workstation A
   sends an Ethernet frame to workstation B, both the Eudemon 1000E and workstation B
   receive the frame.
2. Reversely learn the relation between the MAC address of workstation A and the port.
   After receiving the Ethernet frame, the Eudemon 1000E is aware that workstation A is
   connected to Port 1 on the Eudemon 1000E because the received frame arrived on Port
   1. Then the relation between the MAC address of workstation A and Port 1 on the Eudemon
   1000E is added to the MAC address table, as shown in Figure 2-5.
   Figure 2-5 Reversely learning the relation between the MAC address of workstation A and
   the port
   [Figure: same topology as Figure 2-4. The address table now holds a single entry, drawn as
   MAC address 00e0.fcbb.bbbb, Port 1.]
3. Reversely learn the relation between the MAC address of workstation B and the port.
   After workstation B responds to the Ethernet frame sent from workstation A, the Eudemon
   1000E monitors the response Ethernet frame and is aware that workstation B is also
   connected to Port 1 on the Eudemon 1000E because the received frame arrived on Port
   1. Then the relation between the MAC address of workstation B and Port 1 is added to the
   MAC address table, as shown in Figure 2-6.
   Figure 2-6 Reversely learning the relation between the MAC address of workstation B and
   the port
   [Figure: same topology as Figure 2-4. The address table now holds two entries:
   00e0.fcaa.aaaa, Port 1 and 00e0.fcbb.bbbb, Port 1.]

Reversely learning the relation continues until all the relations between the MAC addresses
and the interfaces (workstation A, B, C, and D in this case) are obtained by the Eudemon
1000E working in transparent mode (Assume that all workstations are in use).

Forwarding and Discarding Frames


At the data link layer, the Eudemon 1000E determines whether to forward or discard a frame
according to the following cases:
- Forwarding frames after finding the address table
  If workstation A sends an Ethernet frame to workstation C, the Eudemon 1000E searches
  the MAC address table, finds that workstation C is connected to Port 2, and then
  forwards the frame through Port 2, as shown in Figure 2-7.


  Figure 2-7 Forwarding frames after finding the address table
  [Figure: same topology as Figure 2-4. The address table holds 00e0.fcaa.aaaa Port 1,
  00e0.fcbb.bbbb Port 1, 00e0.fccc.cccc Port 2, and 00e0.fcdd.dddd Port 2. A frame with source
  address 00e0.fcaa.aaaa and destination address 00e0.fccc.cccc arrives on Port 1 and is forwarded
  out of Port 2 to Workstation C.]

  If the Eudemon 1000E receives broadcast frames or multicast frames on an interface, it
  forwards them to all other interfaces.
- Discarding frames after finding the address table
  If workstation A sends an Ethernet frame to workstation B, the Eudemon 1000E discards the
  frame instead of forwarding it because workstations A and B are located in the same physical
  network segment, as shown in Figure 2-8.
  Figure 2-8 Discarding frames after finding the address table
  [Figure: same topology as Figure 2-4 and the same four address table entries as in Figure 2-7. A
  frame sent by Workstation A to Workstation B arrives on Port 1 and is not forwarded, because
  both addresses are learned on Port 1.]

- Forwarding frames after not finding the address table
  If workstation A sends an Ethernet frame to workstation C, and the Eudemon 1000E does
  not find the relation between the MAC address of workstation C and the port, the Eudemon
  1000E forwards this frame to all ports except the source port. In this case, the Eudemon
  1000E serves as a hub, which ensures that information keeps being transferred, as shown in
  Figure 2-9.
  Figure 2-9 Forwarding frames after not finding the address table
  [Figure: same topology as Figure 2-4. The address table holds only 00e0.fcaa.aaaa Port 1 and
  00e0.fcbb.bbbb Port 1. A frame from 00e0.fcaa.aaaa to 00e0.fccc.cccc arrives on Port 1 and,
  because 00e0.fccc.cccc is not in the table, is sent out of Port 2.]
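The address-table learning of section 2.1.4 and the three forwarding cases of Figures 2-7 to 2-9, replayed as an added example (this is not Huawei code; only the MAC-table decision is modelled, not the session/ACL filtering that follows it). Workstation names, MAC addresses and port numbers are the ones in the figures; the exchange order is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Workstation MAC addresses and ports from Figures 2-4 to 2-9 of this document.
WS_A = "00e0.fcaa.aaaa"  # Ethernet segment 1, Port 1
WS_B = "00e0.fcbb.bbbb"  # Ethernet segment 1, Port 1
WS_C = "00e0.fccc.cccc"  # Ethernet segment 2, Port 2
WS_D = "00e0.fcdd.dddd"  # Ethernet segment 2, Port 2
BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """True for broadcast and multicast MACs (I/G bit of the first octet set)."""
    return int(mac[0:2], 16) & 0x01 == 1


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Decision:
    action: str          # "forward", "flood" or "discard"
    out_ports: List[int]


@dataclass
class TransparentFirewall:
    """Layer 2 forwarding plane of the firewall in transparent mode (model)."""
    ports: List[int]
    mac_table: Dict[str, int] = field(default_factory=dict)

    def learn(self, frame: Frame, in_port: int) -> None:
        """Reverse learning: bind the frame's source MAC to the port it arrived on."""
        self.mac_table[frame.src] = in_port

    def other_ports(self, in_port: int) -> List[int]:
        return [p for p in self.ports if p != in_port]

    def handle(self, frame: Frame, in_port: int) -> Decision:
        """Learn from the frame, then forward, flood or discard it."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self.learn(frame, in_port)
        # Broadcast and multicast frames go to every other interface.
        if is_group_address(frame.dst):
            return Decision("flood", self.other_ports(in_port))
        out_port = self.mac_table.get(frame.dst)
        # Figure 2-9: no entry for the destination, so act like a hub.
        if out_port is None:
            return Decision("flood", self.other_ports(in_port))
        # Figure 2-8: destination is on the same segment, so do not forward.
        if out_port == in_port:
            return Decision("discard", [])
        # Figure 2-7: destination is known on another port.
        return Decision("forward", [out_port])


def run_document_scenario() -> Dict[str, object]:
    """Replay the exchanges of Figures 2-4 to 2-9 (constructed order) and report."""
    fw = TransparentFirewall(ports=[1, 2])
    exchanges = [
        ("A->B", Frame(WS_A, WS_B), 1),  # Figure 2-5: A learned on Port 1
        ("B->A", Frame(WS_B, WS_A), 1),  # Figure 2-6: B learned on Port 1
        ("A->C", Frame(WS_A, WS_C), 1),  # Figure 2-9: C unknown, flooded
        ("C->A", Frame(WS_C, WS_A), 2),  # C learned on Port 2
        ("D->A", Frame(WS_D, WS_A), 2),  # D learned on Port 2
        ("A->C", Frame(WS_A, WS_C), 1),  # Figure 2-7: forwarded via Port 2
        ("A->B", Frame(WS_A, WS_B), 1),  # Figure 2-8: same segment, discarded
        ("A->all", Frame(WS_A, BROADCAST), 1),
    ]
    log = [(name, fw.handle(frame, port)) for name, frame, port in exchanges]
    return {"log": log, "mac_table": dict(fw.mac_table)}


if __name__ == "__main__":
    result = run_document_scenario()
    for name, decision in result["log"]:
        print(f"{name:7s} {decision.action:8s} ports={decision.out_ports}")
    print("MAC address table:", result["mac_table"])
```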

2.1.5 Working Process in Composite Mode


When the Eudemon 1000E works in composite mode, certain interfaces must be configured with
IP addresses and the others must not.
The details of the interfaces are described as follows:
- The interfaces configured with IP addresses reside in a Layer 3 security zone, with VRRP
  enabled for two-node cluster hot backup.
- The interfaces configured with no IP addresses reside in a Layer 2 security zone. Network
  users connected to the interfaces in the Layer 2 security zone belong to the same subnet.

When packets are forwarded between interfaces in Layer 2 security zone, the forwarding process
is the same as that in transparent mode. For details, see section "2.1.4 Working Process in
Transparent Mode".
When the Eudemon 1000E performs two-node cluster hot backup, the forwarding process is
similar to that in routing mode. For details, see section "2.1.3 Working Process in Routing
Mode".

2.2 Security Zone


This describes the concept and division of security zones, the relationships between security
zones and interfaces, the relationship between security zones and networks, and the definition
of the inbound/outbound directions of data streams between security zones.
2.2.1 Overview of Security Zones
Zone is a concept introduced for firewalls, which is one of the main features that distinguishes
the Eudemon 1000E from routers. A security zone includes one or several interfaces. In addition,
a security zone is configured with a security level.

2.2.2 Security Zones on the Eudemon 1000E


The Eudemon 1000E supports several security zones. Besides the predefined Local zone, Trust
zone, Untrust zone, and demilitarized zone (DMZ), the Eudemon 1000E supports user-defined
security zones.

2.2.1 Overview of Security Zones


Zone is a concept introduced for firewalls, which is one of the main features that distinguishes
the Eudemon 1000E from routers. A security zone includes one or several interfaces. In addition,
a security zone is configured with a security level.
For a router, the network security check is performed on interfaces because the networks
connected to each interface are equal in security. That is, a router makes no distinction between
intranets and the Internet, and security checks are performed only on interfaces.
In this way, when a data stream passes through a router in one direction, it may be checked twice,
on both the inbound interface and the outbound interface, to meet the separate security definitions
on each interface. The Eudemon 1000E is different. On the Eudemon 1000E, intranets
and the Internet are clearly defined. The Eudemon 1000E protects intranets from illegal intrusion
by attackers on the Internet.
When a data stream passes through an Eudemon 1000E, the security operation triggered varies
according to the direction of the data stream. It is therefore not suitable to check the security
policy on the interfaces of the Eudemon 1000E, and the Eudemon 1000E introduces the concept
of security zones instead.
A security zone is composed of one or more interfaces with the same security level.
The features of security zones are as follows:
- The security level is denoted by an integer ranging from 0 to 100. The greater the number
  is, the higher the level is.
- Each security zone has a unique security level.

The security check of the Eudemon 1000E is performed only when data is transmitted between
interfaces in security zones with different security levels, not between interfaces in the same
security zone.

2.2.2 Security Zones on the Eudemon 1000E


The Eudemon 1000E supports several security zones. Besides the predefined Local zone, Trust
zone, Untrust zone, and demilitarized zone (DMZ), the Eudemon 1000E supports user-defined
security zones.

Security Zone Classification


There are five reserved security zones on the Eudemon 1000E:
- Virtual zone (Vzone)
  It is the lowest-level security zone, whose security level is 0.
- Untrust zone
  It is a low-level security zone, whose security level is 5.
- DMZ
  It is a medium-level security zone, whose security level is 50.
- Trust zone
  It is a high-level security zone, whose security level is 85.
- Local zone
  It is the highest-level security zone, whose security level is 100.

When the Eudemon 1000E works in routing mode, you do not need to create the five zones
mentioned above. These zones cannot be deleted, and their security levels cannot be reset.
You can create security zones and specify security levels for them based on the actual networking
requirements.
NOTE
The term DMZ comes from the military, where it denotes an intermediate zone between the strictly
controlled military zone and the loosely controlled public zone; that is, a zone partially controlled by
the military.
For the Eudemon 1000E, the DMZ is a zone that is independent of both intranets and the Internet,
logically and physically, in which public devices such as World Wide Web (WWW) servers and FTP
servers are placed.
It is hard to ensure the security of these servers if they are installed on the Internet. If they are placed
in intranets, their security defects might give external malicious users an opportunity to attack the
intranets. The DMZ is designed to solve this problem.

Relations Between Interfaces, Networks, and Security Zones

CAUTION
Neither two security zones with the same security level nor an interface belonging to two
different security zones is allowed in the system.
Relations among interfaces, networks, and security zones are described as follows:
- Relations between interfaces and security zones
  A security zone includes one or several interfaces with one security level.
  Except for the Local zone and the Vzone, all other security zones need to be associated
  with certain interfaces on the Eudemon 1000E; that is, the interfaces need to be added to
  those zones.
- Relations between networks and security zones
  The relations between security zones and networks are based on the following rules:
  - Protected networks must be located in a high-level security zone, for example, the Trust zone.
  - The Internet must be located in a low-level security zone, for example, the Untrust zone.
  - Networks offering conditional services for Internet users should be located in a medium-level
    security zone, for example, the DMZ.
  In addition:
  - The Local zone has no interface. The Eudemon 1000E device itself is in the Local zone.
  - The Vzone has no interface and is used for traffic forwarding between Virtual Private
    Network (VPN) instances.
  - The traffic of a data flow between VPN instances needs to hop through their own Vzones.
    For example, when a data flow moves from the Trust zone of VPN1 to the DMZ of VPN2,
    the data flow enters from the Trust zone of VPN1 into the Vzone of VPN1 and then moves
    from the Vzone of VPN2 to the DMZ of VPN2. The Vzones of all VPN instances are
    interconnected, and data flows between them free of the interzone filtering rules on the
    Eudemon 1000E.
- Relations among interfaces, networks, and security zones
  The relations are shown in Figure 2-10.
  Figure 2-10 Relations between interfaces, networks, and security zones
  [Figure: the Firewall has interfaces GE0/0/0, GE0/0/1, and GE0/0/2 connecting it to networks
  in the Trust, Untrust, and DMZ zones (the DMZ holds servers); the Local zone and the Vzone
  have no interfaces. Each pair of zones is marked with its Inbound and Outbound directions.]

Inbound and Outbound

Data flows between two security zones (interzone) are classified into two directions:
- Inbound
  The direction in which data is transmitted from a low-level security zone to a high-level
  security zone.
- Outbound
  The direction in which data is transmitted from a high-level security zone to a low-level
  security zone.

Data transmission between security zones with different levels enables the Eudemon 1000E to
check data based on security policies. You can set different security policies for the two
directions of the same interzone. When a data flow moves in either direction between the two
security zones, the security policy check for that direction is triggered.

Data transmission directions on the Eudemon 1000E are determined based on the side with the
higher security level. You can conclude that:
- The data stream transmitted from the Local zone to the Trust zone is called the outbound data
  stream, while the data stream transmitted from the Trust zone to the Local zone is called the
  inbound data stream.
- The data stream transmitted from the Local zone to the DMZ is called the outbound data
  stream, while the data stream transmitted from the DMZ to the Local zone is called the
  inbound data stream.
- The data stream transmitted from the Local zone to the Untrust zone is called the outbound
  data stream, while the data stream transmitted from the Untrust zone to the Local zone is
  called the inbound data stream.
- The data stream transmitted from the Local zone to the Vzone is called the outbound data
  stream, while the data stream transmitted from the Vzone to the Local zone is called the
  inbound data stream.
- The data stream transmitted from the Trust zone to the DMZ is called the outbound data
  stream, while the data stream transmitted from the DMZ to the Trust zone is called the
  inbound data stream.
- The data stream transmitted from the Trust zone to the Untrust zone is called the outbound
  data stream, while the data stream transmitted from the Untrust zone to the Trust zone is
  called the inbound data stream.
- The data stream transmitted from the Trust zone to the Vzone is called the outbound data
  stream, while the data stream transmitted from the Vzone to the Trust zone is called the
  inbound data stream.
- The data stream transmitted from the DMZ to the Untrust zone is called the outbound data
  stream, while the data stream transmitted from the Untrust zone to the DMZ is called the
  inbound data stream.
- The data stream transmitted from the DMZ to the Vzone is called the outbound data stream,
  while the data stream transmitted from the Vzone to the DMZ is called the inbound data
  stream.
- The data stream transmitted from the Untrust zone to the Vzone is called the outbound data
  stream, while the data stream transmitted from the Vzone to the Untrust zone is called the
  inbound data stream.
NOTE
If you allow users in a high-level security zone to access the Internet, you can configure a default
interzone packet-filtering rule for the Eudemon 1000E, allowing packets to travel from a high-level
security zone to a low-level security zone.
The data transmission direction on a router is determined based on the interface, which is also one
of the main features differentiating the Eudemon 1000E from a router. The data stream sent from the
interface is called the outbound data stream while the data stream sent to the interface is called the
inbound data stream.
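The zone model of section 2.2 (reserved zones and their levels, the CAUTION constraints, and the rule that interzone direction is judged from the higher-level side) as an added example; this is not Huawei code. The interface names GE0/0/0 to GE0/0/2 come from Figure 2-10, but which zone each one belongs to is an assumption made for the example.

```python
from typing import Dict, Optional

# Reserved zones and security levels from section 2.2.2.
RESERVED_LEVELS: Dict[str, int] = {
    "vzone": 0, "untrust": 5, "dmz": 50, "trust": 85, "local": 100,
}
# The Local zone and the Vzone have no interfaces.
ZONES_WITHOUT_INTERFACES = {"local", "vzone"}


class ZoneConfig:
    """Zone table plus the consistency checks a configuration must satisfy."""

    def __init__(self) -> None:
        self.levels: Dict[str, int] = dict(RESERVED_LEVELS)
        self.interface_zone: Dict[str, str] = {}

    def add_zone(self, name: str, level: int) -> None:
        """Create a user-defined zone. Levels are 0..100 and must be unique."""
        if not 0 <= level <= 100:
            raise ValueError("security level must be between 0 and 100")
        if name in self.levels:
            raise ValueError(f"zone {name} already exists")
        if level in self.levels.values():
            raise ValueError(f"level {level} is already used by another zone")
        self.levels[name] = level

    def delete_zone(self, name: str) -> None:
        """Reserved zones cannot be deleted; user zones must be empty first."""
        if name in RESERVED_LEVELS:
            raise ValueError(f"reserved zone {name} cannot be deleted")
        if name in self.interface_zone.values():
            raise ValueError(f"zone {name} still has interfaces")
        del self.levels[name]

    def add_interface(self, interface: str, zone: str) -> None:
        """Bind an interface to exactly one zone (CAUTION in section 2.2.2)."""
        if zone not in self.levels:
            raise KeyError(f"unknown zone {zone}")
        if zone in ZONES_WITHOUT_INTERFACES:
            raise ValueError(f"the {zone} zone cannot contain interfaces")
        current = self.interface_zone.get(interface)
        if current is not None and current != zone:
            raise ValueError(f"{interface} already belongs to zone {current}")
        self.interface_zone[interface] = zone

    def direction(self, src_zone: str, dst_zone: str) -> Optional[str]:
        """'inbound' for low -> high, 'outbound' for high -> low, None within one zone."""
        src, dst = self.levels[src_zone], self.levels[dst_zone]
        if src == dst:
            return None  # same zone: no interzone security check
        return "inbound" if src < dst else "outbound"

    def classify(self, in_interface: Optional[str],
                 out_interface: Optional[str]) -> Dict[str, Optional[str]]:
        """Interzone name and direction for a packet, given its ingress and egress.

        None in place of an interface stands for the device itself (Local zone),
        for example a packet addressed to the firewall's own management service.
        """
        src_zone = "local" if in_interface is None else self.interface_zone[in_interface]
        dst_zone = "local" if out_interface is None else self.interface_zone[out_interface]
        high, low = sorted((src_zone, dst_zone), key=lambda z: self.levels[z], reverse=True)
        return {"interzone": f"{high}-{low}", "direction": self.direction(src_zone, dst_zone)}


def build_example_config() -> ZoneConfig:
    """Constructed topology in the spirit of Figure 2-10 (zone assignment assumed)."""
    cfg = ZoneConfig()
    cfg.add_interface("GE0/0/0", "trust")
    cfg.add_interface("GE0/0/1", "untrust")
    cfg.add_interface("GE0/0/2", "dmz")
    return cfg


if __name__ == "__main__":
    cfg = build_example_config()
    print(cfg.classify("GE0/0/1", "GE0/0/0"))  # untrust -> trust: inbound
    print(cfg.classify("GE0/0/0", None))       # trust -> local: inbound
    print(cfg.classify("GE0/0/2", "GE0/0/1"))  # dmz -> untrust: outbound
```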


3 Security Features


About This Chapter


The Eudemon 1000E supports security features such as ACL, security policies, NAT,
cooperation with IDS, authentication, and authorization. The Eudemon 1000E is referred to as
Firewall in the figures.
3.1 Virtual Firewalls
This describes the functions of VPN instances and how to realize the functions on the Eudemon
1000E.
3.2 ACL
This describes the definition, applications, settings, and steps of ACLs on the Eudemon
1000E.
3.3 Security Policy
The Eudemon 1000E supports various security policies, including packet filtering, ASPF,
blacklist, MAC and IP addresses binding, and port identification.
3.4 Attack Defense
The Eudemon 1000E provides a powerful attack defense mechanism to protect devices and
prevent illegal packets from damaging the intranet.
3.5 NAT
NAT is mainly used to help internal network users (private IP addresses) to access external
networks (public IP addresses), and provides the internal server function.
3.6 Static Multicast
The section describes the static multicast function of the Eudemon 1000E.
3.7 Keyword Authentication
Keyword authentication is a function configured on the Eudemon 1000E so that the Eudemon
1000E decides, based on the keywords in users' operations, whether a related packet can pass.
3.8 P2P Traffic Limiting
Peer to Peer (P2P) protocols are widely used in downloading on the network. The constant
increase of P2P traffic affects normal operation of other network applications and increases the
costs of network operation, especially for enterprises and operators who are charged by traffic.
To address this problem, the Eudemon 1000E is designed with the P2P traffic limiting function.

3.9 GTP Function


The Eudemon 1000E supports the GTP function.
3.10 IDS Cooperation
On a network where the Eudemon 1000E cooperates with an IDS device, the IDS device automatically detects malicious attacks, intrusions, or other vulnerabilities across the network. When it finds one, it notifies the Eudemon 1000E by sending messages that dynamically maintain ACL entries on it. The Eudemon 1000E then discards the attack packets or takes other defense actions.
3.11 Secospace Cooperation
As a Security Access Control Gateway (SACG), the Eudemon 1000E cooperates with the
Secospace terminal security management system to control terminal users' access to networks
based on specific classification of these users.
3.12 Authentication and Authorization
The Eudemon 1000E provides authentication and authorization functions for centralized management of network security. It supports local authentication, standard Remote Authentication Dial-In User Service (RADIUS) authentication, and local user management. It authenticates users and grants rights to legitimate users, so that unauthorized users are denied access.


3.1 Virtual Firewalls


This describes the functions of VPN instances and how to realize the functions on the Eudemon
1000E.
In recent years, the number of small private networks has been increasing. Such networks are usually run by small enterprises that have the following requirements:
• High requirements on security
• Inability to afford a dedicated security device
To meet the requirements of such customers, a network operator can adopt the Huawei Eudemon 1000E multi-instance solution to logically divide one Eudemon 1000E into multiple virtual firewalls, each providing independent security services for one small private network. Operators can offer network security protection as a rental service by using this technology.
Each virtual firewall is the combination of one virtual private network (VPN) instance, one security instance, and one configuration instance. It gives virtual firewall users their own route forwarding plane, security service plane, and configuration management plane.

VPN Instance
A VPN instance provides isolated VPN routes for virtual firewall users. One VPN instance corresponds to one virtual firewall.
Packets received by a virtual firewall are forwarded according to the routes of its own VPN instance.

Security Instance
A security instance provides isolated security services for virtual firewall users. A security
instance corresponds to one virtual firewall.
A security instance owns:
• Private interfaces
• Private security zones
• Private security interzones
• Private ACLs
• Private NAT address pools
The security instance can provide virtual firewall users with the following private security services:
• Address binding
• Blacklist
• Address translation
• Packet filtering
• Statistics
• Attack defense
• ASPF
• NAT

Configuration Instance
A configuration instance provides isolated configuration management planes for virtual firewall
users. A configuration instance corresponds to one virtual firewall. Configuration instances
enable virtual firewall users to log in to the Eudemon 1000E and manage and maintain the private
VPN routes and security instances.

3.2 ACL
This describes the definition, applications, settings, and steps of ACLs on the Eudemon
1000E.
3.2.1 ACL Definition
An Access Control List (ACL) includes a series of ordered rules consisting of the permit or
deny statements. The rules are described mainly by source address, destination address, port
number, upper layer protocol, or other information.
3.2.2 ACL Application
ACLs can be used in other services or applications such as packet filtering, NAT, QoS, and
routing policy.
3.2.3 ACL on the Eudemon 1000E
The Eudemon 1000E supports several types of ACLs, as well as time range-based ACL rules and ACL logging.
3.2.4 ACL Step
Step is introduced to help users insert new rules between the sub-rules in the current ACL rule
group. Step means the difference between IDs automatically allocated to each sub-rule in the
ACL rule group.

3.2.1 ACL Definition


An Access Control List (ACL) includes a series of ordered rules consisting of the permit or
deny statements. The rules are described mainly by source address, destination address, port
number, upper layer protocol, or other information.
The Eudemon 1000E must be able to control network data streams in order to implement:
• Network security
• QoS requirements
• Various customized policies
The access control list (ACL) is one of the methods used to control data streams.

3.2.2 ACL Application


ACLs can be used in other services or applications such as packet filtering, NAT, QoS, and
routing policy.

Packet Filtering
Packet filtering is a network security protection mechanism. It is used to control the inbound
and outbound data between networks at different security levels.
Before forwarding a data packet, the Eudemon 1000E checks the information in the packet header, including:
• Source address
• Destination address
• Source port
• Destination port
• Upper-layer protocol
The Eudemon 1000E then compares this information with the defined rules and decides whether to forward or discard the packet.
A series of filtering rules is required to filter data packets. On the Eudemon 1000E, packets are filtered by applying the filtering rules defined in an ACL between different security zones.

NAT
Network Address Translation (NAT) replaces an IP address in a packet header with another IP address, so that an intranet (using private IP addresses) can access the Internet (using public IP addresses) and the shortage of IP addresses is alleviated.
In practice, it is often required that some intranet hosts (with private IP addresses) can access the Internet while others cannot. This is achieved by associating an ACL with a NAT address pool: NAT is performed only on packets that match the ACL rules, so the scope of NAT can be controlled precisely.

QoS
Quality of Service (QoS) is used to evaluate how well services providers meet customer
requirements. To perform QoS guarantee on the Internet, it is required to enhance traffic control
and resource allocation at the network layer to provide different services based on different
requirements.
Traffic classification is the basis for differentiated services. In practice, you need to do as follows:
1. Define traffic classification rules.
Traffic classification rules can be defined in the following ways:
• Identifying traffic priority based on the type of service (ToS) field in the IP packet header
• ACLs, for example, an ACL that includes the following elements:
  Source address
  Destination address
  IP protocol
  Port number of the application program
2. Apply the traffic classification policies or ACLs to Committed Access Rate (CAR) and sequence guarantee.

Routing Policy
A routing policy is used to send, receive, and filter routing information.
There are many methods of filtering routing information, among which the ACL is one of the most important and widely used. An ACL can be applied to specify an IP address or subnet range as the destination address, source network segment address, or next hop address that routing information must match.

3.2.3 ACL on the Eudemon 1000E


The Eudemon 1000E supports several types of ACLs, as well as time range-based ACL rules and ACL logging.

ACL Classification
The Eudemon 1000E supports the following ACLs:
• Basic ACLs
• Advanced ACLs
Table 3-1 describes the two types of ACLs.

Table 3-1 ACL description
Type           Value Range    Description
Basic ACLs     2000 to 2999   Basic ACLs use only source addresses to define rules.
Advanced ACLs  3000 to 3999   Advanced ACLs can define rules based on source addresses, destination addresses, and the IP-borne protocol type, such as TCP source or destination port, ICMP type, and ICMP message code.

ACL Match Order


An ACL is composed of multiple permit or deny statements. Each statement describes a rule, and rules may overlap or contradict each other.
The order in which a packet is matched against the ACL rules therefore matters, and the match order must be set.
By default, the Eudemon 1000E matches packets against the rules in configuration order; that is, the rules are tried in the order in which they were configured.
Pay attention to the match order when configuring ACL rules, and order the rules as required: a more specific rule placed after a broader rule that already matches the same packets is never reached.
Once a data stream matches a rule, matching stops. The Eudemon 1000E processes the data stream according to that rule.

Source Address and Wildcard Mask


When a basic ACL is applied, a source address must be specified, which can be a host, a group of hosts, or an entire subnet or network. The range covered by the source address is determined by its wildcard mask field.
Unlike a subnet mask, a 0 bit in a wildcard mask means the corresponding address bit must match, and a 1 bit means the corresponding address bit may differ. That is, invert each bit of source-wildcard and AND the result with source-address to obtain the source address range. For example:
source-address       = 192.168.15.16    11000000.10101000.00001111.00010000
source-wildcard      = 0.0.0.255        00000000.00000000.00000000.11111111
source-address range = 192.168.15.0     11000000.10101000.00001111.00000000
This rule therefore matches every address from 192.168.15.0 to 192.168.15.255.
If you set the source address to any, all packets from any source address meet the matching condition; any is equivalent to 0.0.0.0 255.255.255.255.

Time Range-Based ACL Rules


Control over resource access often needs to be more flexible. For example, the system administrator may permit certain data streams only during working hours, or allow clients to access certain resources only in certain time ranges. ACL rules based on a time range serve this purpose.

ACL Rules for Quoting the Address Book


To simplify the configuration and maintenance of ACL rules, the Eudemon 1000E supports ACL rules that reference an address set and a port set.
An ACL rule described through address sets and port sets is equivalent to a traditional set of rules that all have the same priority. The number of equivalent rules is:
The number of rule elements with the same priority = the number of elements in address set 1 x the number of elements in address set 2 x the number of elements in port set 1 x the number of elements in port set 2.
For example, the following script configures two address sets and one port set, each containing two elements, and applies them in ACL 3000:
<Eudemon 1000E> system-view
[Eudemon 1000E] ip address-set a1
[Eudemon 1000E-address-set-a1] address 1 1.1.1.1 0
[Eudemon 1000E-address-set-a1] address 2 2.2.2.1 0
[Eudemon 1000E-address-set-a1] quit
[Eudemon 1000E] ip address-set a2
[Eudemon 1000E-address-set-a2] address 1 3.3.3.1 0
[Eudemon 1000E-address-set-a2] address 2 4.4.4.1 0
[Eudemon 1000E-address-set-a2] quit
[Eudemon 1000E] ip port-set p1 protocol tcp
[Eudemon 1000E-tcp-port-set-p1] port 1 eq 21
[Eudemon 1000E-tcp-port-set-p1] port 2 eq 22
[Eudemon 1000E-tcp-port-set-p1] quit
[Eudemon 1000E] acl 3000
[Eudemon 1000E-acl-adv-3000] rule permit tcp source address-set a1 destination
address-set a2 destination-port port-set p1

The configuration effect of the above commands is the same as that of the following eight ACL rules (2 source addresses x 2 destination addresses x 2 ports):
[Eudemon 1000E] acl 3000
[Eudemon 1000E-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 3.3.3.1 0 destination-port eq 21
[Eudemon 1000E-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 3.3.3.1 0 destination-port eq 22
[Eudemon 1000E-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 4.4.4.1 0 destination-port eq 21
[Eudemon 1000E-acl-adv-3000] rule permit tcp source 1.1.1.1 0 destination 4.4.4.1 0 destination-port eq 22
[Eudemon 1000E-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 3.3.3.1 0 destination-port eq 21
[Eudemon 1000E-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 3.3.3.1 0 destination-port eq 22
[Eudemon 1000E-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 4.4.4.1 0 destination-port eq 21
[Eudemon 1000E-acl-adv-3000] rule permit tcp source 2.2.2.1 0 destination 4.4.4.1 0 destination-port eq 22
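The following Python program is an example added to this page; it is not Eudemon code or a Huawei tool. It implements the ACL semantics described in this section (wildcard-mask matching, first-match lookup in configuration order, and address-set/port-set expansion) and reproduces the eight rules above from the sets a1, a2 and p1. The Rule and Acl classes, the rule text rendering, and the ACL 3001/3002 ordering example on 10.0.0.0/24 are constructed for illustration and are not part of the original text.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from itertools import product
from typing import List, Optional, Tuple

# Added example (not Eudemon code): wildcard masks, first-match lookup in
# configuration order, and address-set/port-set expansion.

ANY = ("0.0.0.0", "255.255.255.255")   # the CLI keyword "any"


def _wildcard(w: str) -> str:
    # The CLI shorthand "0" means the wildcard 0.0.0.0 (exact host match).
    return "0.0.0.0" if w == "0" else w


def source_range(address: str, wildcard: str) -> str:
    """Range base as the text computes it: address AND (NOT wildcard)."""
    care = ~int(IPv4Address(_wildcard(wildcard))) & 0xFFFFFFFF
    return str(IPv4Address(int(IPv4Address(address)) & care))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """0 bits of the wildcard must match, 1 bits are don't-care."""
    return source_range(address, wildcard) == source_range(base, wildcard)


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    proto: Optional[str] = None          # None: any protocol (basic ACL)
    src: Tuple[str, str] = ANY           # (address, wildcard)
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None          # None: any destination port

    def matches(self, proto: str, sip: str, dip: str, dport: Optional[int]) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return wildcard_match(sip, *self.src) and wildcard_match(dip, *self.dst)

    def text(self) -> str:
        """Render the rule like the CLI lines shown in the text."""
        s = f"rule {self.action}" + (f" {self.proto}" if self.proto else " ip")
        s += f" source {self.src[0]} {self.src[1]} destination {self.dst[0]} {self.dst[1]}"
        return s + (f" destination-port eq {self.dport}" if self.dport is not None else "")


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def lookup(self, proto: str, sip: str, dip: str, dport: Optional[int] = None) -> Optional[str]:
        """Configuration-order first match; None when no rule matches."""
        for rule in self.rules:
            if rule.matches(proto, sip, dip, dport):
                return rule.action
        return None


def expand_sets(action: str, proto: str, src_set, dst_set, port_set) -> List[Rule]:
    """One set-based rule equals |src| x |dst| x |ports| plain rules of equal priority."""
    return [Rule(action, proto, (s, "0"), (d, "0"), p)
            for s, d, p in product(src_set, dst_set, port_set)]


def demo() -> dict:
    # Equivalent of ACL 3000 in the text: sets a1, a2 and port set p1.
    acl3000 = Acl(3000, expand_sets("permit", "tcp", ["1.1.1.1", "2.2.2.1"],
                                    ["3.3.3.1", "4.4.4.1"], [21, 22]))
    # Constructed ACLs showing why order matters: a specific deny before a broad permit.
    ordered = Acl(3001, [Rule("deny", "tcp", ("10.0.0.5", "0")),
                         Rule("permit", "tcp", ("10.0.0.0", "0.0.0.255"))])
    reversed_acl = Acl(3002, list(reversed(ordered.rules)))
    return {
        "range": source_range("192.168.15.16", "0.0.0.255"),
        "expanded": [r.text() for r in acl3000.rules],
        "ftp_to_set": acl3000.lookup("tcp", "2.2.2.1", "4.4.4.1", 21),
        "ftp_other": acl3000.lookup("tcp", "2.2.2.1", "5.5.5.1", 21),
        "ordered": ordered.lookup("tcp", "10.0.0.5", "203.0.113.1", 80),
        "reversed": reversed_acl.lookup("tcp", "10.0.0.5", "203.0.113.1", 80),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it directly to print the expansion and the lookups. Swapping the two rules of ACL 3001 changes the verdict for 10.0.0.5 from deny to permit, which is the match-order point made above: the broad permit shadows the specific deny that follows it.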

3.2.4 ACL Step


Step is introduced to help users insert new rules between the sub-rules in the current ACL rule
group. Step means the difference between IDs automatically allocated to each sub-rule in the
ACL rule group.
For example, if the step is 5, rule IDs are multiples of 5 starting from 0, that is, 0, 5, 10, 15, and so on. By default, the step of an ACL rule group is 5.
Setting a step makes it easy to insert new rules between existing sub-rules. For example, if there are four rules numbered 0, 5, 10, and 15 and you want to insert a rule after the first one, you can run the rule 1 xxxx command to insert a sub-rule numbered 1 between rules 0 and 5.
NOTE
Once rules exist, you must delete all existing rules (including rule 0) before you use the step command to change the step value or the undo step command to restore the default step value.
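The following Python model of the step mechanism is an added example, not Eudemon code: IDs are allocated as multiples of the step, an explicit ID slots a rule between two auto-numbered ones, and the step can be changed only once the group is empty, as the NOTE requires. The AclRuleGroup class and the rule texts are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

# Added example (not Eudemon code): rule-ID allocation with a step.


class AclRuleGroup:
    def __init__(self, step: int = 5):
        self.step = step
        self.rules: Dict[int, str] = {}      # rule ID -> rule text

    def add(self, text: str, rule_id: Optional[int] = None) -> int:
        """Add a rule. Without an explicit ID, the next multiple of the step
        above the highest existing ID is used (0 for an empty group)."""
        if rule_id is None:
            rule_id = 0 if not self.rules else (max(self.rules) // self.step + 1) * self.step
        if rule_id in self.rules:
            raise ValueError(f"rule {rule_id} already exists")
        self.rules[rule_id] = text
        return rule_id

    def delete(self, rule_id: int) -> None:
        del self.rules[rule_id]

    def set_step(self, step: Optional[int] = None) -> bool:
        """Change the step (None restores the default 5). As the NOTE in the
        text requires, this is refused while any rule, including rule 0, exists."""
        if self.rules:
            return False
        self.step = 5 if step is None else step
        return True

    def ordered(self) -> List[Tuple[int, str]]:
        """Rules in match order, which is the numeric order of their IDs."""
        return sorted(self.rules.items())


def demo() -> List[int]:
    g = AclRuleGroup()
    for text in ("deny tcp source 10.0.0.5 0", "permit tcp source 10.0.0.0 0.0.0.255",
                 "permit udp", "deny ip"):
        g.add(text)                                       # IDs 0, 5, 10, 15
    g.add("permit tcp source 10.0.0.6 0", rule_id=1)      # "rule 1 ..." slots in after rule 0
    g.add("deny udp")                                     # 20: still a multiple of the step
    return [rule_id for rule_id, _ in g.ordered()]


if __name__ == "__main__":
    print(demo())
```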

3.3 Security Policy


The Eudemon 1000E supports various security policies, including packet filtering, ASPF,
blacklist, MAC and IP addresses binding, and port identification.
3.3.1 Packet Filtering
Packet filtering is a network security protection mechanism. It is used to control the inbound
and outbound data between networks at different security levels.
3.3.2 ASPF
The Eudemon 1000E delivers the application layer-based packet filtering function, namely, the
application specific packet filter (ASPF) function, such as TCP/UDP tunnel and state check.
3.3.3 Blacklist
The blacklist is an important security feature of the Eudemon 1000E. Blacklist entries can be added or deleted dynamically by Eudemon 1000E modules.
3.3.4 MAC and IP Address Binding
For a Eudemon 1000E, MAC and IP address binding associates a specific IP address with a
MAC address according to your configuration. MAC and IP address binding is an effective
measure against IP spoofing attacks.
3.3.5 Port Identification
Using port identification, you can create and maintain a system-defined port and user-defined
port identification list for various application protocols.

3.3.1 Packet Filtering


Packet filtering is a network security protection mechanism. It is used to control the inbound
and outbound data between networks at different security levels.
When forwarding a packet, the Eudemon 1000E first compares the information in the packet header with the ACL. This information includes:
• Source address
• Destination address
• Upper-layer protocol
• Source port of the data packet
• Destination port of the data packet
Based on the comparison result, the Eudemon 1000E then decides whether to forward or discard the packet.
A series of filtering rules is required to filter data packets. On the Eudemon 1000E, data packets are filtered between different security zones according to these filtering rules.

3.3.2 ASPF
The Eudemon 1000E delivers the application layer-based packet filtering function, namely, the
application specific packet filter (ASPF) function, such as TCP/UDP tunnel and state check.

Overview of ASPF
Application Specific Packet Filter (ASPF) is packet filtering based on the application layer, that is, stateful packet filtering. ASPF works together with ACL-based packet filtering to implement security policies on intranets. ASPF tracks application-layer protocol sessions and prevents packets that do not belong to an established session from passing through the Eudemon 1000E.
ACL-based packet filtering inspects packets at the network layer and the transport layer to block illegal intrusion. ASPF additionally inspects application-layer protocols and monitors application traffic.
In addition, ASPF provides the following functions:
• Java Blocking prevents networks from being damaged by malicious Java applets.
• ActiveX Blocking prevents networks from being damaged by harmful ActiveX controls.
ASPF detects application-layer protocols and prevents malicious intrusion by maintaining session state and checking the protocol and port numbers of each session's packets.
ASPF on the Eudemon 1000E supports monitoring the following types of traffic:
• FTP (File Transfer Protocol)
• H323 (H.323 Protocol)
• HTTP (Hypertext Transfer Protocol)
• HWCC (Huawei Conference Control protocol)
• MSN (Microsoft Network)
• NetBIOS (Network Basic Input/Output System)
• QQ (QQ protocol)
• PPTP (Point-to-Point Tunneling Protocol)
• RTSP (Real-Time Streaming Protocol)
• SIP (Session Initiation Protocol)
• SQLNET (SQL*NET Protocol)
• MGCP (Media Gateway Control Protocol)
• MMS (Multimedia Messaging Service)
• RPC (Remote Procedure Call)

QQ/MSN Chat Detection


At present, most networks deploy NAT devices to conserve IP addresses, so users on different intranets chat with each other through NAT.
For text-based chat this works: the QQ/MSN server relays the messages and keeps the address mapping information for each user.
For file transfer and audio or video chat, the two users are expected to exchange the bulk data directly. Relaying such traffic through the QQ/MSN server would consume so many server resources that even text-based chat could no longer be forwarded normally, so the QQ/MSN server requires users to exchange files, audio, or video directly through the network devices. A traditional NAT device, however, translates addresses and cannot support this.
To solve this problem, you can enable the detection of QQ or MSN chats between the private network and the public network on the Eudemon 1000E. The address mapping is then set up when a QQ or MSN chat starts, so users on two different private networks can transfer files and conduct audio or video chats directly.

Triplet ASPF
The Eudemon 1000E is a six-tuple (senary) NAT device.
In other words, each session is identified by six fields:
• Source IP address
• Source port
• Destination IP address
• Destination port
• Protocol number
• VPN-ID
A packet that does not match all six fields does not belong to the session.
However, some real-time communication tools such as QQ and MSN require processing based on only three fields (a triplet):
• Source IP address
• Source port
• Protocol number
To adapt to such communication mechanisms, the Eudemon 1000E changes six-tuple processing to triplet processing for these flows, so that QQ and MSN communication can traverse the device smoothly.
Besides NAT traversal for QQ or MSN, other sessions such as TFTP, whose return packets can be associated with the session only by the source IP address, source port, and protocol number, also require triplet ASPF to be configured on the Eudemon 1000E.
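The following Python program is an added example, not Eudemon code: a session table keyed on the six fields listed above, with a triplet index that can be enabled per flow. The constructed DNS and TFTP flows show why a TFTP reply, which comes back from a new server port, fails the six-tuple lookup but is accepted once triplet ASPF applies, and what that relaxation costs (any host can now reach the initiator's port). The SessionTable class, the flow names, and the addresses are assumptions of the example.

```python
from typing import Dict, Optional, Tuple

# Added example (not Eudemon code): six-tuple session lookup with an optional
# triplet index for flows whose replies cannot be matched on all six fields.

SixTuple = Tuple[str, str, int, str, int, int]   # vpn, sip, sport, dip, dport, proto
Triplet = Tuple[str, int, int]                   # sip, sport, proto
UDP = 17


class SessionTable:
    def __init__(self) -> None:
        self.six: Dict[SixTuple, str] = {}
        self.triplet: Dict[Triplet, str] = {}

    def create(self, vpn: str, sip: str, sport: int, dip: str, dport: int, proto: int,
               triplet_aspf: bool = False) -> str:
        """Create a session from the initiator's first packet. With triplet ASPF the
        flow is also indexed by the initiator's address, port and protocol only."""
        name = f"{vpn}:{sip}:{sport}->{dip}:{dport}/{proto}"
        self.six[(vpn, sip, sport, dip, dport, proto)] = name
        if triplet_aspf:
            self.triplet[(sip, sport, proto)] = name
        return name

    def match_reply(self, vpn: str, sip: str, sport: int, dip: str, dport: int,
                    proto: int) -> Optional[str]:
        """Look up an inbound packet: the mirrored six-tuple first, then the
        triplet, which ignores who sends the reply and from which port."""
        exact = self.six.get((vpn, dip, dport, sip, sport, proto))
        if exact is not None:
            return exact
        return self.triplet.get((dip, dport, proto))


def demo() -> dict:
    # Constructed flows: a DNS query answered from the same server port, and two
    # TFTP requests answered from a new ephemeral server port (51000).
    t = SessionTable()
    t.create("vpn1", "10.1.1.2", 40001, "203.0.113.53", 53, UDP)
    t.create("vpn1", "10.1.1.2", 40002, "203.0.113.69", 69, UDP)                      # six-tuple only
    t.create("vpn1", "10.1.1.3", 40003, "203.0.113.69", 69, UDP, triplet_aspf=True)   # triplet ASPF
    return {
        "dns_reply": t.match_reply("vpn1", "203.0.113.53", 53, "10.1.1.2", 40001, UDP),
        "tftp_reply_no_triplet": t.match_reply("vpn1", "203.0.113.69", 51000, "10.1.1.2", 40002, UDP),
        "tftp_reply_triplet": t.match_reply("vpn1", "203.0.113.69", 51000, "10.1.1.3", 40003, UDP),
        # The cost of the relaxation: any host can now reach 10.1.1.3:40003/udp.
        "stranger_to_triplet": t.match_reply("vpn1", "198.51.100.9", 1234, "10.1.1.3", 40003, UDP),
        # VPN-ID is part of the six-tuple, so the same packet in another VPN does not match.
        "wrong_vpn": t.match_reply("vpn2", "203.0.113.53", 53, "10.1.1.2", 40001, UDP),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Triplet ASPF should therefore be enabled only for the protocols that need it; every triplet entry is a hole that any external host can use until the session ages out.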

3.3.3 Blacklist
The blacklist is an important security feature of the Eudemon 1000E. Blacklist entries can be added or deleted dynamically by Eudemon 1000E modules.
Compared with ACL-based packet filtering, the blacklist filters packets by IP address only, and is therefore fast. It effectively shields all packets sent from a specific IP address.
Blacklist entries can be created in three ways:
• Manually, through command lines.
• Dynamically, by the Eudemon 1000E attack defense module or the IDS cooperation module.
• Automatically, when a user fails to log in to the system three times consecutively; the user's IP address is then added to the blacklist.
When the Eudemon 1000E detects an attack attempt from a specific IP address based on the behavior of its packets, it can automatically add that IP address to the blacklist so that all packets from it are filtered.

3.3.4 MAC and IP Address Binding


For a Eudemon 1000E, MAC and IP address binding associates a specific IP address with a
MAC address according to your configuration. MAC and IP address binding is an effective
measure against IP spoofing attacks.
With a binding configured, the Eudemon 1000E discards packets whose source MAC address does not correspond to the MAC address bound to their source IP address, and forwards packets destined for the bound IP address only to the bound MAC address. As a result, attacks from a forged IP address are prevented and the network is protected.

3.3.5 Port Identification


Using port identification, you can create and maintain a system-defined port and user-defined
port identification list for various application protocols.
Application-layer protocols usually communicate through well-known port numbers. Port identification allows a user to define a group of new port numbers, in addition to the system-defined port numbers, for various applications, and also provides mechanisms to maintain and use the user-defined port configurations.
Port identification is implemented in two modes: general port identification and basic ACL-based host port identification. The Eudemon 1000E supports basic ACL-based host port identification.
General port identification sets up the identification relationship between a user-defined port number and an application-layer protocol. For example, if you configure port 8080 to identify HTTP, all TCP packets sent to port 8080 are treated as HTTP packets.
Host port identification sets up the relationship between a user-defined port number and an application protocol only for packets sent to specific hosts. For example, TCP packets sent to port 8080 of hosts in 10.110.0.0 are treated as HTTP packets. The host range is defined by a basic ACL.
A basic ACL used for host port identification differs from an ACL referenced by packet filtering in the following aspects:
• For interzone packet filtering rules, the Eudemon 1000E permits only packets that travel from the source address to the destination address to pass.
• For host port identification, the specified basic ACL is used only to define the range of hosts and imposes no direction restriction.
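The following Python program is an added example of port identification, not Eudemon code: a system-defined port table, general mappings, and host mappings restricted by a basic ACL. The precedence used here (host mapping, then general mapping, then system-defined port) and the sample configuration (HTTP on 8080 for hosts in 10.110.0.0/16, FTP on 2121 for everyone) are assumptions of the example, not statements from the text.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Added example (not Eudemon code): general and host port identification.

SYSTEM_PORTS: Dict[Tuple[str, int], str] = {   # system-defined ports
    ("tcp", 21): "ftp", ("tcp", 80): "http", ("tcp", 554): "rtsp", ("udp", 69): "tftp",
}


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Basic ACL semantics: 0 bits in the wildcard must match, 1 bits are don't-care."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(address)) & care) == (int(IPv4Address(base)) & care)


class PortIdentification:
    def __init__(self) -> None:
        self.general: Dict[Tuple[str, int], str] = {}
        # (app, proto, port, basic ACL as a list of (address, wildcard) entries)
        self.host: List[Tuple[str, str, int, List[Tuple[str, str]]]] = []

    def port_mapping(self, app: str, proto: str, port: int) -> None:
        """General identification: every packet to this port is this application."""
        self.general[(proto, port)] = app

    def host_port_mapping(self, app: str, proto: str, port: int,
                          basic_acl: List[Tuple[str, str]]) -> None:
        """Host identification: only packets to hosts matched by the basic ACL count.
        The ACL defines a host range only; the packet direction is not restricted."""
        self.host.append((app, proto, port, basic_acl))

    def identify(self, proto: str, dst_ip: str, dst_port: int) -> Optional[str]:
        # Assumed precedence: host mapping, then general mapping, then system table.
        for app, p, port, acl in self.host:
            if p == proto and port == dst_port and any(wildcard_match(dst_ip, b, w) for b, w in acl):
                return app
        if (proto, dst_port) in self.general:
            return self.general[(proto, dst_port)]
        return SYSTEM_PORTS.get((proto, dst_port))


def demo() -> dict:
    pi = PortIdentification()
    # Constructed configuration: HTTP on 8080 only for 10.110.0.0/16, FTP on 2121 everywhere.
    pi.host_port_mapping("http", "tcp", 8080, [("10.110.0.0", "0.0.255.255")])
    pi.port_mapping("ftp", "tcp", 2121)
    return {
        "host_in_range": pi.identify("tcp", "10.110.3.4", 8080),
        "host_out_of_range": pi.identify("tcp", "192.0.2.9", 8080),
        "general": pi.identify("tcp", "192.0.2.9", 2121),
        "well_known": pi.identify("tcp", "192.0.2.9", 80),
        "unknown": pi.identify("udp", "192.0.2.9", 8080),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```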

3.4 Attack Defense


The Eudemon 1000E provides a powerful attack defense mechanism to protect devices and
prevent illegal packets from damaging the intranet.
3.4.1 Overview of Attack Defense
This section describes the attack defense function of the Eudemon 1000E.
3.4.2 Types of Network Attacks
This section describes the types of the network attacks.
3.4.3 Typical Examples of Network Attacks
This section describes the typical examples of network attacks.
3.4.4 Attack Defense Principles
This section describes the attack defense principles.

3.4.1 Overview of Attack Defense


This section describes the attack defense function of the Eudemon 1000E.
In general, network attacks intrude into or damage network servers (hosts) so that sensitive data on the servers can be stolen or server services disrupted. Other network attacks target network devices directly, degrading network services or even stopping them.
The attack defense function of the Eudemon 1000E detects various types of network attacks and takes measures to protect intranets from them. As a result, the Eudemon 1000E keeps the intranets and internal systems operating normally.

3.4.2 Types of Network Attacks


This section describes the types of the network attacks.
Network attacks can be divided into the following three types:
• Denial of service attacks
Denial of Service (DoS) attacks overwhelm a system by sending it a large number of packets, so that the system can no longer accept requests from valid users, or hangs and cannot work normally.
The main DoS attacks include SYN Flood and Fraggle. A DoS attack differs from other types of attacks: its goal is to prevent valid users from accessing resources or routers, whereas other attacks look for a way into the intranet.
Distributed Denial of Service (DDoS) attacks are a type of DoS attack in which the attacker uses tens or hundreds of computers under their control to attack one host, so that the host can no longer accept normal requests from valid users, or hangs and cannot work normally.
• Scanning and snooping attacks
Scanning and snooping attacks identify potential targets by discovering live systems on the network through ping sweeps (ICMP or TCP). Through TCP and UDP port scanning, attackers then learn which systems are running and which services are listening, obtaining information about service types and potential security defects of the system in preparation for further intrusion.
• Malformed packet attacks
Malformed packet attacks send malformed IP packets to the destination system so that the system crashes while processing them. Malformed packet attacks include Ping of Death and Teardrop.

3.4.3 Typical Examples of Network Attacks


This section describes the typical examples of network attacks.
The attacks seen on current networks are classified into the following groups:
• IP spoofing attacks
To gain access to a network, an intruder generates packets carrying a forged source address, so that a system that authenticates by IP address accepts an unauthorized user, possibly even with root privileges. The system can be damaged even though the response packets never reach the attacker. This is the IP spoofing attack.
• Land attacks
A Land attack sets both the source address and the destination address of a TCP SYN packet to the IP address of the target. The target then sends the SYN-ACK to itself and returns the ACK to itself, creating an empty connection that is held until it is released by timeout. Different targets respond differently to Land attacks. For example, many UNIX hosts crash and Windows NT hosts slow down.

• Smurf attacks
A simple Smurf attack floods a network by sending an ICMP echo request to the broadcast address of the target network. Every host on the network replies, generating tens or hundreds of times the traffic of the original ping packets and congesting the network.
An advanced Smurf attack targets a specific host by setting the source address of the ICMP request to the address of the target host, so that all the replies are sent to that host and it crashes under the load. A certain traffic volume and duration of attack packets are needed for the attack to succeed; in theory, the more hosts reply, the more pronounced the effect. A newer variant of the Smurf attack is the Fraggle attack.
• WinNuke attacks
A WinNuke attack sends Out-Of-Band (OOB) data to the NetBIOS port (139) of a Windows target, causing a NetBIOS fragment overlap that crashes the target host. Internet Group Management Protocol (IGMP) fragment packets are a related case: because IGMP packets are not normally fragmented, systems usually fail to process IGMP fragments, so receiving IGMP fragment packets can be taken as a sign of attack.

• SYN flood attacks
Because resources are limited, a TCP/IP stack permits only a limited number of TCP connections. A SYN Flood attack exploits this by forging SYN packets whose source address is bogus or non-existent and using them to initiate connections to the server. The server never receives the ACK for its SYN-ACK, leaving a half-open connection. A large number of half-open connections exhausts the server's resources, so that valid users cannot connect until the half-open connections time out. The SYN Flood attack also affects applications that do not limit the number of connections, by exhausting system resources such as memory.

• ICMP flood attacks
ICMP flood attacks send a large number of ICMP messages (such as ping) to a specific server to saturate its link bandwidth. The overloaded server can no longer provide services to the Internet.
• UDP flood attacks
Attackers send a large number of UDP packets to the server to saturate its link bandwidth. The overloaded server can no longer provide services to the Internet properly.

• IP sweeping or port scanning attacks
IP sweeping and port scanning attacks probe target addresses and ports with scanning tools. A host that responds is identified as an active system, and the ports that respond reveal the services the host provides; the attacker then connects to the target network through them.

• Ping of death attacks
Ping of death attacks crash the system with oversized ICMP packets. The length field of an IP packet is 16 bits, so the maximum length of an IP packet is 65535 bytes. If the data length of an ICMP echo request is larger than 65507 bytes, the total length of the packet (ICMP data + 20-byte IP header + 8-byte ICMP header) exceeds 65535 bytes, which can make some routers or systems crash, hang, or restart. This is the ping of death attack.

• TCP connection flood attacks
TCP connection flood attacks are a type of DDoS attack. Attackers send a large number of connection requests to the attacked server, creating a large number of connections, so that the server cannot process requests from legitimate users.
• GET flood attacks
Attackers send a large number of HTTP GET and POST requests to the attacked server. The server breaks down and cannot process legitimate requests.

• DNS-flood attacks
DNS-flood attacks are a type of DDoS attack. Attackers send a large number of query packets to the Domain Name Server (DNS) within a short time, and the server has to respond to all of them. As a result, the DNS server cannot provide services to legitimate users.

3.4.4 Attack Defense Principles


This section describes the attack defense principles.

ICMP Flood Attack Defense Principle


The Eudemon 1000E defends against ICMP flood attacks by restricting ICMP packets. If a large
volume of ICMP traffic appears, the Eudemon 1000E determines that the traffic is attack
traffic.

SYN Flood Attack Defense Principle


The process of defending against SYN flood attacks is as follows:
1. The Eudemon 1000E monitors the TCP SYN packets sent to the server. If the rate of TCP SYN
packets exceeds the threshold, the Eudemon 1000E considers that the server is under a SYN
flood attack.
2. The Eudemon 1000E uses the TCP proxy or TCP reverse source-detect to defend against the
SYN flood attack.

UDP Flood Attack Defense Principle


The process of defending against UDP flood attacks is as follows:
1. The Eudemon 1000E monitors the UDP packets transmitted to the server. If the rate at which
the protected server receives UDP packets exceeds the configured threshold, the Eudemon 1000E
considers that the server is under a UDP flood attack.
2. The Eudemon 1000E monitors the source IP addresses accessing the server. If one source IP
address sends the same UDP packets to a server multiple times, that source IP address is
considered the IP address of the attacker.

TCP Connection Flood Attack Defense Principle


If the TCP connection flood attack defense function is enabled, the Eudemon 1000E performs
the following operations:
1. When a connection between a user and the server is set up, the Eudemon 1000E checks
whether the user is an authorized user in the following two aspects:
- The Eudemon 1000E counts the packets that the user sends to the server. If the number of
packets within a specified period does not exceed the threshold, the user is an unauthorized
user.
- The Eudemon 1000E counts the connections between the user and the server. If the number of
connections within a specified period exceeds the threshold, the user is an unauthorized
user.
2. The Eudemon 1000E adds the IP address of the unauthorized user to the blacklist.


GET Flood Attack Defense Principle


The Eudemon 1000E monitors the GET or POST packets that are sent from the user to the target
system. If the packet rate exceeds the specified value, the Eudemon 1000E performs URL
sampling match for the source IP address. When the number of matches reaches the specified
value, the Eudemon 1000E adds the source IP address to the blacklist.

DNS Flood Attack Defense Principle


The Eudemon 1000E detects DNS flood attacks based on the query rate of DNS packets. When the
query rate exceeds the specified alarm value, the Eudemon 1000E performs rebound detection,
that is, it probes the source host and handles the packets according to the white list. The
Eudemon 1000E discards DNS packets whose query rate exceeds the specified value.
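As an added illustration of the rate-threshold principles above (SYN flood, UDP flood and TCP connection flood), not code from the Eudemon 1000E, the following Python simulation applies the three rules to constructed traffic records; the record format, the thresholds and the sample traffic are assumptions made for the example.

```python
# Added illustration of the rate-threshold defense principles described above
# (SYN flood, UDP flood and TCP connection flood). This is NOT Eudemon 1000E code;
# the record format, the thresholds and the sample traffic are constructed here.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float            # arrival time in seconds
    src: str
    dst: str
    proto: str           # "TCP" or "UDP"
    sport: int = 0
    flags: str = ""      # "S" marks a TCP SYN
    payload: bytes = b""


def peak_rate(pkts, dst, pred):
    """Highest number of packets to `dst` matching `pred` in any one-second bucket."""
    buckets = defaultdict(int)
    for p in pkts:
        if p.dst == dst and pred(p):
            buckets[int(p.ts)] += 1
    return max(buckets.values(), default=0)


def syn_flood_suspected(pkts, server, syn_threshold):
    """SYN flood principle, step 1: the SYN rate towards the server exceeds the threshold."""
    return peak_rate(pkts, server, lambda p: p.proto == "TCP" and "S" in p.flags) > syn_threshold


def udp_flood_sources(pkts, server, rate_threshold, repeat_threshold):
    """UDP flood principle: once the UDP rate exceeds the threshold, a source that sends
    the same UDP packet to the server at least `repeat_threshold` times is the attacker."""
    if peak_rate(pkts, server, lambda p: p.proto == "UDP") <= rate_threshold:
        return set()
    repeats = defaultdict(int)
    for p in pkts:
        if p.dst == server and p.proto == "UDP":
            repeats[(p.src, p.payload)] += 1
    return {src for (src, _), n in repeats.items() if n >= repeat_threshold}


def tcp_connection_flood_blacklist(pkts, server, period, packet_threshold, link_threshold):
    """TCP connection flood principle: every source that opened a connection to the server
    is checked over `period` seconds; it is unauthorized (blacklisted) if its packet count
    does not exceed `packet_threshold` (idle connections) or its number of connections
    exceeds `link_threshold`."""
    start = min((p.ts for p in pkts), default=0.0)
    packets, links = defaultdict(int), defaultdict(set)
    for p in pkts:
        if p.dst != server or p.proto != "TCP" or p.ts - start > period:
            continue
        packets[p.src] += 1
        if "S" in p.flags:           # a SYN from a new source port opens a new connection
            links[p.src].add(p.sport)
    return {src for src in links
            if packets[src] <= packet_threshold or len(links[src]) > link_threshold}


def sample_traffic(server="10.1.1.2"):
    """Constructed traffic towards the protected server (not captured data)."""
    pkts = []
    # Legitimate client 10.0.0.5: two connections, each carrying 20 data packets.
    for port in (40001, 40002):
        pkts.append(Pkt(0.1, "10.0.0.5", server, "TCP", port, "S"))
        pkts += [Pkt(0.2 + i * 0.05, "10.0.0.5", server, "TCP", port, "A") for i in range(20)]
    # Connection flood from 10.0.0.9: 60 SYNs within one second and nothing else.
    pkts += [Pkt(0.3 + i * 0.01, "10.0.0.9", server, "TCP", 50000 + i, "S") for i in range(60)]
    # Idle connections from 10.0.0.7: three connections that never carry data.
    pkts += [Pkt(0.5, "10.0.0.7", server, "TCP", 60000 + i, "S") for i in range(3)]
    # UDP flood from 10.0.0.8: the same 64-byte datagram repeated 300 times in one second.
    pkts += [Pkt(1.0 + i * 0.003, "10.0.0.8", server, "UDP", 5353, "", b"\x00" * 64)
             for i in range(300)]
    # Ordinary queries from 10.0.0.6: a handful of packets, each with a different payload.
    pkts += [Pkt(1.0 + i * 0.1, "10.0.0.6", server, "UDP", 5300 + i, "", b"q%d" % i)
             for i in range(5)]
    return pkts


def analyze(pkts, server="10.1.1.2"):
    """Apply the three principles with hypothetical thresholds and report the verdicts."""
    return {
        "syn_flood": syn_flood_suspected(pkts, server, syn_threshold=50),
        "udp_attackers": udp_flood_sources(pkts, server, rate_threshold=100, repeat_threshold=100),
        "tcp_blacklist": tcp_connection_flood_blacklist(
            pkts, server, period=5.0, packet_threshold=10, link_threshold=20),
    }


if __name__ == "__main__":
    print(analyze(sample_traffic()))
```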

3.5 NAT
NAT is mainly used to help internal network users (private IP addresses) to access external
networks (public IP addresses), and provides the internal server function.
3.5.1 Overview of NAT
NAT converts the IP address in an IP packet header into another IP address. It is mainly
used for intranets (with private IP addresses) to access the Internet (with public IP
addresses).
3.5.2 NAT on the Eudemon 1000E
The Eudemon 1000E supports multiple modes of NAT, such as one-to-one NAT, many-to-many
NAT, and NAPT. In addition, it supports multiple NAT ALGs, bi-directional NAT and
destination NAT.

3.5.1 Overview of NAT


NAT converts the IP address in an IP packet header into another IP address. It is mainly
used for intranets (with private IP addresses) to access the Internet (with public IP
addresses).
Usually, intranets use private IP addresses. Request For Comments (RFC) 1918 defines three
IP address blocks for private and intranet use:
- Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
- Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
- Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

IP addresses in these three ranges are not assigned on the Internet, so a company or
enterprise can use them on its intranet without applying to an Internet Service Provider (ISP)
or a registry.
NAT is mainly used for private networks to access the Internet. It slows the depletion of
the IP address space by using a few public IP addresses to represent many private IP
addresses.
Figure 3-1 shows a basic NAT application process.

Figure 3-1 Networking diagram of the basic processes of NAT
[Figure: Trust zone with PC 192.168.1.3 and Server 192.168.1.2 connected to Firewall GE0/0/0
192.168.1.1; Untrust zone with PC 202.130.10.3 and Server 202.120.10.2 connected to Firewall
GE0/0/1 202.169.10.1. Data packet 1: source 192.168.1.3, destination 202.120.10.2. Data packet
1': source 202.169.10.1, destination 202.120.10.2. Data packet 2: source 202.120.10.2,
destination 192.168.1.3. Data packet 2': source 202.120.10.2, destination 202.169.10.1.]

The NAT server, such as the Eudemon 1000E, is located at the boundary between a private
network and a public network. All packets exchanged between an intranet PC and an Internet
server pass through the NAT server. An IP address is converted as follows.
1. When the internal PC at 192.168.1.3 sends data packet 1 to the external server at
202.120.10.2, the packet reaches the NAT server. The NAT server checks the packet header and
finds that the packet is destined for an external network.
2. The NAT server converts the source IP address 192.168.1.3 of data packet 1 into a valid
public IP address 202.169.10.1 on the Internet, forwards the packet to the external server,
and records the mapping in the NAT table.
3. After receiving data packet 1, the external server sends response packet 2 to the internal
PC (the initial destination IP address is 202.169.10.1).
4. When data packet 2 reaches the NAT server, the NAT server looks up the NAT table, replaces
the destination address in the header of packet 2 with the original private address
192.168.1.3, and then sends the packet to the internal PC.

This NAT process is transparent to the terminals, such as the PC and the server in the figure.
NAT "hides" the private network of an enterprise because the external server regards
202.169.10.1 as the IP address of the internal PC and is unaware of 192.168.1.3.

3.5.2 NAT on the Eudemon 1000E


The Eudemon 1000E supports multiple modes of NAT, such as one-to-one NAT, many-to-many
NAT, and NAPT. In addition, it supports multiple NAT ALGs, bi-directional NAT and
destination NAT.

NAT Mechanism on the Eudemon 1000E


The NAT mechanism can be divided into the following two parts:
- Translating the IP address and port of a host on the intranet into an external IP address
and port of the Eudemon 1000E.
- Translating the external IP address and port back into the IP address and port of a host on
the intranet.

This process is called translation between a private address or port and a public address or port.

When a data flow moves from one security zone to another, the Eudemon 1000E checks the data
packet to determine whether NAT is to be performed. If necessary, NAT is performed based on
the following principles:
- At the egress of the IP layer, the Eudemon 1000E converts the source IP address from the
private address into the public address and sends the packet to the Internet.
- At the ingress of the IP layer, the Eudemon 1000E restores the destination IP address from
the public address to the private address and sends the packet to the intranet.

Many-to-Many NAT and NAT Control


As shown in Figure 3-1, NAT replaces the intranet source address with the public address of
the outbound interface on the NAT server, so all hosts on the intranet share one public IP
address when they access the Internet. When several hosts want to access the Internet at the
same time, only one of them can do so at a time; this is called one-to-one NAT.
An extended form of NAT implements concurrent access: multiple public IP addresses are
assigned to the NAT server. When one internal host accesses the Internet, the Eudemon 1000E
chooses public IP address 1 for it; when another internal host accesses the Internet, the
Eudemon 1000E chooses public IP address 2 for it, and so on. This is called many-to-many NAT.
NOTE

The number of public IP addresses on the NAT server is far smaller than the number of hosts on
the intranet because not all hosts access the Internet at the same time. The number of public
IP addresses is determined by the maximum number of intranet hosts that access the Internet at
peak times.

In practice, it may be required that only some intranet hosts can access the Internet while
others cannot. When the NAT process checks the header of a data packet and finds that the
source IP address is one that is not allowed to access the Internet, the NAT server does not
convert the source IP address of that unauthorized host. This is called NAT control.
The Eudemon 1000E implements many-to-many NAT by defining an address pool and controls NAT
through ACLs. The details are as follows:
- Address pool
A set of public IP addresses for NAT. You should configure a proper address pool based on the
number of valid IP addresses, the number of hosts on the intranet, and the actual conditions.
An IP address is chosen from the pool as the source IP address during NAT.
- ACL-based NAT
Only data packets that match the ACL rules are translated. In this way, the NAT range can be
controlled effectively, and only the entitled hosts can access the Internet.

The NAT address pool has two types:
- The public address pool can be used by the root firewall and virtual firewalls.
- The private address pool is created by the super-user for a virtual firewall. It can be used
only by that virtual firewall.

NAPT
Besides many-to-many NAT, network address port translation (NAPT) is another way to achieve
concurrent access through NAT.

NAPT allows multiple internal IP addresses to be mapped to one public IP address. Therefore, it
is informally called "many-to-one NAT" or address multiplexing.
NAPT maps IP addresses and port numbers. Data packets from various internal IP addresses
can be mapped to the same public IP address with different port numbers. In this way, different
internal addresses can share the same public IP address.
Figure 3-2 shows the basic process of NAPT.
Figure 3-2 Basic process of NAPT
[Figure: Trust zone with PC 192.168.1.3 and Server 192.168.1.2 connected to Firewall GE0/0/0
192.168.1.1; Untrust zone with PC 202.130.10.3 and Server 202.120.10.2 connected to Firewall
GE0/0/1 202.169.10.1. Data packet 1: source 192.168.1.3, source port 1357; data packet 1':
source 202.169.10.1, source port 1357. Data packet 2: source 192.168.1.3, source port 2468;
data packet 2': source 202.169.10.1, source port 2468. Data packet 3: source 192.168.1.1,
source port 11111; data packet 3': source 202.169.10.1, source port 11111. Data packet 4:
source 192.168.1.2, source port 11111; data packet 4': source 202.169.10.1, source port 22222.]

As shown in Figure 3-2, four data packets carrying internal addresses arrive at the NAT server.
- Packet 1 and packet 2 come from the same internal IP address with different source port
numbers.
- Packet 3 and packet 4 come from different internal IP addresses with the same source port
number.

After NAT mapping, the IP addresses of the four packets are converted into the same public IP
address with different source port numbers, so they remain distinguishable from each other.
When the response packets reach the Eudemon 1000E, the NAT process can likewise differentiate
them by their destination IP addresses and port numbers and forward them to the corresponding
internal hosts.
After the NAPT function is configured, during NAT the Eudemon 1000E first multiplexes the IP
address chosen from the address pool. When the port numbers of that IP address are used up,
the Eudemon 1000E chooses another IP address to complete the translation. Compared with
many-to-many NAT, this greatly reduces the number of public IP addresses needed in the
address pool.
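An added Python model of the NAPT mapping in Figure 3-2 and of the pool behaviour described above (multiplex one address, move to the next one when its ports are used up); it is not Eudemon 1000E code. The destination port, the pool and the port-allocation policy (keep the original source port when free, otherwise the lowest free port) are assumptions, which is why packet 4 receives port 1024 here instead of the 22222 shown in the figure.

```python
# Added model of the NAPT mapping in Figure 3-2 and of the address-pool behaviour described
# above (multiplex one pool address; move to the next one when its ports are used up).
# Not Eudemon 1000E code: the pool, the port range and the allocation policy are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class Napt:
    def __init__(self, pool, port_range=(1024, 65535)):
        self.pool = list(pool)            # public addresses, tried in order
        self.lo, self.hi = port_range
        self.outbound = {}   # (priv ip, priv port, dst ip, dst port, proto) -> (pub ip, pub port)
        self.inbound = {}    # (pub ip, pub port, proto) -> (priv ip, priv port)

    def _free(self, pub_ip, port, proto):
        return (pub_ip, port, proto) not in self.inbound

    def _allocate(self, flow):
        """Keep the original source port when it is free on the current pool address;
        otherwise take the lowest free port; when an address has no free port left,
        continue with the next address in the pool."""
        for pub_ip in self.pool:
            if self.lo <= flow.src_port <= self.hi and self._free(pub_ip, flow.src_port, flow.proto):
                return pub_ip, flow.src_port
            for port in range(self.lo, self.hi + 1):
                if self._free(pub_ip, port, flow.proto):
                    return pub_ip, port
        raise RuntimeError("NAPT address pool exhausted")

    def translate_out(self, flow):
        """Packet leaving the intranet: rewrite source ip:port to a public ip:port and
        record the mapping in both directions."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)
        if key not in self.outbound:
            pub_ip, pub_port = self._allocate(flow)
            self.outbound[key] = (pub_ip, pub_port)
            self.inbound[(pub_ip, pub_port, flow.proto)] = (flow.src_ip, flow.src_port)
        pub_ip, pub_port = self.outbound[key]
        return Flow(pub_ip, pub_port, flow.dst_ip, flow.dst_port, flow.proto)

    def translate_in(self, flow):
        """Response from the Internet: restore the private destination ip:port from the
        mapping table, or return None (drop) when no mapping exists."""
        priv = self.inbound.get((flow.dst_ip, flow.dst_port, flow.proto))
        if priv is None:
            return None
        return Flow(flow.src_ip, flow.src_port, priv[0], priv[1], flow.proto)


def figure_3_2():
    """The four packets of Figure 3-2 through a NAPT device whose public address is
    202.169.10.1, followed by the server's reply to packet 4."""
    nat = Napt(["202.169.10.1"])
    server = ("202.120.10.2", 80)           # destination port is an assumption
    packets = [
        Flow("192.168.1.3", 1357, *server),   # packet 1
        Flow("192.168.1.3", 2468, *server),   # packet 2: same host, other port
        Flow("192.168.1.1", 11111, *server),  # packet 3
        Flow("192.168.1.2", 11111, *server),  # packet 4: other host, same port as packet 3
    ]
    translated = [nat.translate_out(p) for p in packets]
    reply = Flow(server[0], server[1], translated[3].src_ip, translated[3].src_port)
    return translated, nat.translate_in(reply)


def pool_rollover():
    """With a deliberately tiny port range the third flow cannot be multiplexed onto the
    first pool address and is moved to the second one."""
    nat = Napt(["202.169.10.1", "202.169.10.2"], port_range=(20000, 20001))
    flows = [Flow("192.168.1.%d" % i, 30000, "202.120.10.2", 80) for i in range(3, 6)]
    return [(t.src_ip, t.src_port) for t in (nat.translate_out(f) for f in flows)]


if __name__ == "__main__":
    translated, restored = figure_3_2()
    for number, after in zip("1234", translated):
        print("packet %s' -> %s:%d" % (number, after.src_ip, after.src_port))
    print("reply to packet 4' delivered to %s:%d" % (restored.dst_ip, restored.dst_port))
    print(pool_rollover())
```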


Internal Server
NAT can "shield" internal hosts by hiding the structure of the intranet; however, sometimes
you want to permit some hosts on the Internet to access some hosts on the intranet, such as a
Web server or an FTP server. You can flexibly add servers on the intranet through NAT. The
Eudemon 1000E specifies the external IP address for an internal server in the following two
ways.
- You can use 202.169.10.10 as the external IP address of the WWW server.
- You can use 202.110.10.12:8080 as the external IP address of the WWW server.

NAT on the Eudemon 1000E makes certain servers on the intranet available to some hosts on the
Internet. When a user on the Internet accesses a server on the intranet, the Eudemon 1000E
functions as follows:
- The Eudemon 1000E converts the destination IP address in the request packet into the private
IP address of the internal server.
- The Eudemon 1000E converts the source IP address (a private IP address) in the response
packet into the public IP address.

Moreover, NAT can provide multiple identical servers such as WWW servers for Internet users.
NOTE

The internal servers that serve external hosts are usually located in the DMZ of the Eudemon 1000E.
Generally, the equipment in the DMZ is not allowed to originate connections to external devices.

Bi-Directional NAT
Bi-directional NAT can be used in the following two scenarios:
- When users in the low-priority zone access the public IP address of the NAT server, the
destination IP address of the packets is converted into the private IP address of the server.
The server, however, needs a route to the public IP address. To simplify the configuration,
that is, to avoid configuring the route to the public IP address, you need to configure
inbound NAT, that is, NAT from the low-priority zone to the high-priority zone.
- When users in the same security zone access each other, you need to configure interzone
NAT.

As shown in Figure 3-3, the NAT from the low priority zone accessing the high priority zone
is configured on the Eudemon 1000E. For example, configure the NAT from the Untrust zone
to the DMZ.
Figure 3-3 Networking diagram of configuring inbound NAT
[Figure: Firewall with GE0/0/0 10.1.1.1/24 facing the DMZ, where the FTP Server is
10.1.1.2/24, and GE0/0/1 200.1.1.1/24 facing the Untrust zone, where the PC is 200.1.1.2/24.]

When users in the Untrust zone access a server in the DMZ, the Eudemon 1000E performs NAT
as follows:
- The Eudemon 1000E converts the destination IP address of the request packet from the
Internet users into the private IP address of the internal server. It also converts the
source IP address into an IP address (a private IP address) in the address pool.
- The Eudemon 1000E converts the source IP address (private IP address) of the response
packets from the internal server into the public IP address. It also converts the
destination IP address (private IP address) into the public IP address.
NOTE

The internal servers that allow the access of the Internet users are usually located in the DMZ. Generally,
the equipment in the DMZ is not allowed to originate connections to external devices.

As shown in Figure 3-4, NAT within the same zone is configured on the Eudemon 1000E. For
example, configure NAT in the Trust zone.
Figure 3-4 Networking diagram of NAT within a security zone
[Figure: Firewall GE0/0/0 10.1.1.1/24 connects to a Switch in the Trust zone; the PC
10.1.1.5/24 and the FTP Server 10.1.1.2/24 both attach to the Switch.]

When users in the Trust zone access a server in the Trust zone, the Eudemon 1000E carries out
NAT as follows:
- The Eudemon 1000E converts the destination IP address of the request packet from the
Internet users into the private IP address of the internal server. It also converts the
source IP address into a public IP address in the address pool.
- The Eudemon 1000E converts the private source IP address of the response packet from the
internal server into the public IP address. It also converts the destination address (public
IP address) into the address of the public network.

ALG
NAT and NAPT can convert only the IP address in the IP packet header and the port number in
the TCP/UDP packet header. The IP address and port number, however, can also be put in the
payload of some packets, such as ICMP and FTP packets, which cannot be converted by NAT
technologies and may cause some errors.
For instance, an FTP server sends its private IP address to an external host to establish a session
connection. Because the IP address is put in the payload of the packet, NAT cannot convert it.
If the external host uses the unconverted private IP address, the FTP server is unreachable.

Adding an application level gateway (ALG) to NAT solves this problem. An ALG is a translation
proxy for a specific application protocol. It works with NAT to modify the application data
encapsulated in the IP packet according to the NAT state, and performs any other processing
the application protocol needs in order to work across address realms.
For instance, the payload of a "destination unreachable" ICMP packet contains the header of
packet A, the packet that caused the error. Because the address of packet A has already been
translated by NAT, the source IP address in that embedded header is not the real IP address of
the internal host. If ICMP ALG is enabled, it works with NAT and opens the ICMP packet before
NAT forwards it: NAT converts the address in the embedded header of packet A back into the IP
address of the internal host, completes any other necessary processing, and then forwards the
ICMP packet.
The Eudemon 1000E provides a complete and scalable NAT ALG mechanism that supports special
application protocols without modifying the NAT platform.
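The ICMP ALG case above, as an added Python example that is not Eudemon 1000E code: an inbound "destination unreachable" for the public address 202.169.10.1 has its outer destination restored by NAT and the embedded header of packet A fixed by the ALG, with the inner IP, ICMP and outer IP checksums recomputed. The packet layout follows RFC 791 and RFC 792; the addresses, the UDP ports and the sample packet are constructed.

```python
# Added illustration of the ICMP ALG case described above: an inbound ICMP "destination
# unreachable" quotes the header of packet A, whose source was already translated, so the
# ALG must restore that embedded source address as well as the outer destination and fix
# the checksums. Not Eudemon 1000E code; the addresses, ports and sample packet are constructed.
import socket
import struct


def checksum(data):
    """RFC 1071 one's-complement checksum (odd-length data is zero-padded)."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_dest_unreachable(src, dst, offending_packet):
    """ICMP type 3 (destination unreachable), code 3, from src to dst, quoting the IP
    header and first 8 bytes of the packet that caused the error (RFC 792)."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + offending_packet[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def icmp_alg_inbound(packet, public_ip, private_ip):
    """Translate an inbound ICMP error addressed to public_ip back to private_ip.
    Plain NAT rewrites only the outer destination; the ALG additionally rewrites the
    source address inside the quoted header of packet A and recomputes the inner IP,
    ICMP and outer IP checksums. Returns None for anything that is not an ICMP error
    for public_ip, so the caller can leave such packets to the normal NAT path."""
    if len(packet) < 48 or packet[9] != 1 or socket.inet_ntoa(packet[16:20]) != public_ip:
        return None
    icmp = bytearray(packet[20:])
    if icmp[0] not in (3, 11, 12):      # unreachable, time exceeded, parameter problem
        return None
    inner = icmp[8:]
    if socket.inet_ntoa(bytes(inner[12:16])) != public_ip:
        return None                     # quoted packet was not translated by this NAT
    priv = socket.inet_aton(private_ip)
    # ALG step: restore packet A's source address and the quoted header's checksum.
    inner[12:16] = priv
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:20])))
    icmp[8:] = inner
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    # NAT step: restore the outer destination address and the outer header checksum.
    outer = bytearray(packet[:20])
    outer[16:20] = priv
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", checksum(bytes(outer)))
    return bytes(outer) + bytes(icmp)


def demo(private_ip="192.168.1.3", public_ip="202.169.10.1", server="202.120.10.2"):
    """Packet A (UDP from the internal host, already translated to public_ip) provokes a
    port-unreachable from the server; the ALG turns it back into a packet the internal
    host can attribute to its own datagram."""
    udp = struct.pack("!HHHH", 1357, 5060, 8, 0)                 # constructed UDP header
    packet_a = ipv4_header(public_ip, server, 17, len(udp)) + udp
    error = icmp_dest_unreachable(server, public_ip, packet_a)
    fixed = icmp_alg_inbound(error, public_ip, private_ip)
    return {
        "outer_dst": socket.inet_ntoa(fixed[16:20]),
        "inner_src": socket.inet_ntoa(fixed[40:44]),
        "outer_csum_ok": checksum(fixed[:20]) == 0,
        "icmp_csum_ok": checksum(fixed[20:]) == 0,
        "inner_csum_ok": checksum(fixed[28:48]) == 0,
    }


if __name__ == "__main__":
    print(demo())
```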
Between different security zones, the Eudemon 1000E implements the following ALG functions
of commonly used application protocols:
- FTP
- H.323
- HWCC (Huawei Conference Control Protocol)
- ICMP
- ILS (Internet Locator Service)
- MGCP (Media Gateway Control Protocol)
- MSN
- NetBIOS
- PPTP
- QQ
- RTSP (Real-Time Streaming Protocol)
- User-defined
- IPSec ESP

In a security zone, the Eudemon 1000E implements the ALG function: FTP.

3.6 Static Multicast


The section describes the static multicast function of the Eudemon 1000E.
3.6.1 Restrictions of Unicast or Broadcast
The section describes the restrictions of unicast or broadcast.
3.6.2 Overview of Static Multicast
The section describes the IP multicast information transmission.
3.6.3 Implementing Static Multicast on the Eudemon 1000E
To ensure the security of the network where multicast sources are located without affecting the
sessions of multicast sources, Huawei offers a static multicast solution using the Eudemon
1000E.

3.6.1 Restrictions of Unicast or Broadcast


The section describes the restrictions of unicast or broadcast.

Overview
With the development of the Internet, large amounts of data, voice, and video information are
exchanged on the network.
In addition, new services come into being:
- E-commerce
- Online conference
- Online auction
- Video on Demand (VOD)
- E-learning

All these have requirements for the information security, payment, and network bandwidth.

Unicast Information Transmission


The unicast mode establishes an independent data transmission path and sends an independent
copy of the information for each user.
Figure 3-5 shows the unicast information transmission.
Figure 3-5 Unicast information transmission
[Figure: a Server sends a separate unicast stream to each of User A, User B, and User C.
Legend: data transmission channel; device connection.]

The amount of information transmitted on the network is in direct proportion to the number of
users who request it. When there are many users, the network carries many identical copies of
the same information flow, which creates a bandwidth bottleneck. The unicast mode is not
suitable for the transmission of mass information.

Broadcast Information Transmission


The broadcast mode sends information to all the users on the network regardless of whether
users need it or not.
Figure 3-6 shows the broadcast information transmission.
Figure 3-6 Broadcast information transmission
[Figure: a Server broadcasts one stream that reaches User A, User B, and User C. Legend: data
transmission channel; device connection.]

The broadcast mode cannot guarantee the information security and paid services. In addition,
the bandwidth is wasted when only few users require the information.

3.6.2 Overview of Static Multicast


The section describes the IP multicast information transmission.

Multicast Information Transmission


The IP multicast technology solves the above problems. When some users require specified
information, the multicast source sends the information only once. A tree topology is used in
routing connections for multicast packets based on multicast routing protocols. The information
being sent is replicated and distributed on the node as far as possible.
Figure 3-7 shows the multicast information transmission.


Figure 3-7 Multicast information transmission
[Figure: a Server sends one multicast stream that is replicated towards User A, User B, User C,
and User D. Legend: data transmission channel; device connection.]

Suppose users A, C, and D require the information from the server. To transmit the information
accurately to the three users, first you should organize them into a receiver group. Then, the
routers on the network perform the information forwarding and replicating based on the
geographic location of each user of the group. Finally, the information can be correctly
transmitted to the three users.
For the multicast mode, the following roles exist during multicast transmission:
- The information sender is called the "multicast source".
- Receivers of the same information form a multicast group, and each receiver is a "multicast
group member".
- All routers that provide the multicast function are called "multicast routers".

For the roles in each multicast transmission, the following rules apply:
- Members of a multicast group can reside anywhere on the network, without restriction on
geographic location.
- A multicast source need not belong to the multicast group: it sends data to the group but
may not be a receiver itself.
- Multiple sources can send packets to a multicast group concurrently.
- Some routers on the network do not support multicast. Using tunneling, a multicast router
can encapsulate multicast packets into unicast IP packets and send them to a neighboring
multicast router, which removes the unicast IP header and continues the multicast
transmission. This avoids major changes to the network topology.

Advantages of Multicast
The advantages of multicast are as follows:
- Enhanced efficiency
It reduces network traffic and relieves server loads and CPU loads.
- Optimized performance
It decreases redundant traffic.
- Distributed application
It makes multipoint applications possible.

3.6.3 Implementing Static Multicast on the Eudemon 1000E


To ensure the security of the network where multicast sources are located without affecting the
sessions of multicast sources, Huawei offers a static multicast solution using the Eudemon
1000E.
The Eudemon 1000E forwards packets in the static multicast mode. Thus, the Eudemon
1000E should be deployed between the multicast source and the access router rather than other
locations on the multicast network, as shown in Figure 3-8.
Figure 3-8 Transmission mode of static multicast
[Figure: the multicast Server sends its stream through the Firewall, which forwards it into the
multicast network towards User A, User B, User C, and User D. Legend: data transmission
channel; device connection.]

The Eudemon 1000E forwards packets from the multicast source host to the multicast access
router, and then the multicast access router is combined with other multicast routers to send
packets to each multicast user.

3.7 Keyword Authentication


Keyword authentication is a function configured on the Eudemon 1000E that decides, based on
the operation keywords in users' commands, whether the related packet is allowed to pass.
Users on the private network can download or upload files by logging in to an external FTP
server. For the sake of security and management, administrators of the private network need to
restrict the FTP operations that users may perform. For example, an administrator may want
some users to have only the "get" or "put" right and other users to have neither.
The Eudemon 1000E can be deployed at the egress of the private network and configured with the
keyword authentication function. When users on the private network log in to the external FTP
server and try to put or get a file, the Eudemon 1000E intercepts these packets, thus ensuring
information security and managing intranet users.

3.8 P2P Traffic Limiting


Peer to Peer (P2P) protocols are widely used for downloading on the network. The constant
increase of P2P traffic affects the normal operation of other network applications and
increases the cost of network operation, especially for enterprises and operators that are
charged by traffic volume. To address this problem, the Eudemon 1000E provides the P2P traffic
limiting function.
3.8.1 Introduction to P2P Traffic Limiting
The Eudemon 1000E can accurately identify P2P traffic on networks through in-depth detection
and behavior detection, and then limit the traffic according to the configured traffic limiting
policies. In addition, the Eudemon 1000E can produce detailed statistics on traffic of various
P2P protocols to facilitate monitoring of P2P traffic tendency.
3.8.2 P2P Traffic Detection and Limiting
The Eudemon 1000E detects P2P traffic and then limits it.

3.8.1 Introduction to P2P Traffic Limiting


The Eudemon 1000E can accurately identify P2P traffic on networks through in-depth detection
and behavior detection, and then limit the traffic according to the configured traffic limiting
policies. In addition, the Eudemon 1000E can produce detailed statistics on traffic of various
P2P protocols to facilitate monitoring of P2P traffic tendency.
The P2P traffic limiting function can control P2P traffic and guarantee normal running of other
services. The P2P traffic limiting function of the Eudemon 1000E can work jointly with ACL
rules and time segment-based rate control to restrict P2P traffic, thus satisfying customers'
specific requirements.
The P2P traffic limiting function can be widely applied to access networks carrying high volumes
of P2P traffic such as community network, campus network, and enterprise intranet.
The Eudemon 1000E can limit the traffic of various P2P protocols, such as BT, PPLive,
PPStream, and QQLive. Detecting too many packets of each protocol degrades performance, so
the Eudemon 1000E lets you set the number of packets to be detected for each type of P2P
protocol to meet different identification requirements.
When the current Eudemon 1000E cannot identify certain P2P traffic, it obtains new mode files
to limit the traffic.

3.8.2 P2P Traffic Detection and Limiting


The Eudemon 1000E detects P2P traffic and then limits it.

P2P Traffic Detection


If P2P traffic limiting policies are configured or P2P detection is enabled, the Eudemon
1000E detects the sessions to identify P2P traffic.
The Eudemon 1000E supports two modes of detection:
- In-depth detection
This is the main detection mode. It performs feature matching based on files.
- Behavior detection
This mode is based on the length sequence of consecutive data packets. If the length sequence
complies with the preset rules, the traffic is identified as P2P traffic. Behavior detection
is mainly used for encrypted data traffic.

To lower the detection load, the Eudemon 1000E uses association detection. When a session is
identified as P2P traffic, its source IP address, source port number, destination IP address,
and destination port number are recorded in the association table. If the IP addresses and
port numbers of a new session match an entry in the association table, the session is
identified as P2P traffic. This reduces the burden of in-depth detection.

P2P Traffic Limiting


If P2P traffic limiting policies are configured and a session is confirmed to be P2P traffic,
the Eudemon 1000E limits the P2P traffic according to the policies.
The Eudemon 1000E supports flexible traffic limiting modes. It can set several limited
bandwidths concurrently, so that P2P traffic matching different policies is limited to
different bandwidths. It can limit the P2P traffic of particular users through ACLs, limit
users' upload and download traffic separately, and limit traffic based on time periods.

3.9 GTP Function


The Eudemon 1000E supports the GTP function.
3.9.1 Overview of GTP
GTP is a tunneling protocol that is defined for the Gn interface and the Gp interface. GTP
supports the connections between the GSNs. GTP is a TCP/UDP-based application layer
protocol.
3.9.2 Applications of GTP On the Eudemon 1000E
A large number of users transmit data over wireless communication, and they place many
requirements on the GPRS network, for example, data security protection.
3.9.3 License
GTP is controlled by the license.

3.9.1 Overview of GTP


GTP is a tunneling protocol that is defined for the Gn interface and the Gp interface. GTP
supports the connections between the GSNs. GTP is a TCP/UDP-based application layer
protocol.
There are several types of interfaces on the general packet radio service (GPRS) network, such
as Gn, Gp, and Gi.
- The Gn interface refers to the interface between different GPRS support nodes (GSNs) in
  the same public land mobile network (PLMN). The GTP protocol is used on the Gn interface
  to ensure the connection between the serving GPRS support node (SGSN) and the gateway
  GPRS support node (GGSN).
- The Gp interface refers to the interface between GSNs located in different PLMNs. The
  Gp interface is used to implement data roaming services between different PLMNs. The
  GPRS tunneling protocol (GTP) is used on the Gp interface to ensure the connection
  between the SGSN and the GGSN.
- The Gi interface refers to the interface between the GGSN and the packet data network
  (PDN). The Gi interface is used to implement the connection between the GPRS network
  and the external data network. The IP protocol is used on the Gi interface to ensure the
  connection between the GGSN and the Internet.

GTP contains the GTP control plane (GTP-C) and the GTP user plane (GTP-U).
- On the control plane, signaling is used to create, modify, and delete a tunnel.
- On the user plane, the tunnel is used to transmit the data packets of the user.

GTP has two versions: version 0 and version 1. GTP version 0 belongs to the 3GPP Release
98 protocol and is used in the GPRS network. GTP version 1 belongs to the 3GPP Release
99 protocol and is used in the 3G network. GTP version 1 is compatible with version 0. You can
distinguish them based on the version field of the GTP packet header.
In addition, GTP also includes the GTP protocol used for charging.

3.9.2 Applications of GTP On the Eudemon 1000E


A large number of users transmit data over wireless communication, and they place many
requirements on the GPRS network, for example, data security protection.
Because GTP is a new protocol in the wireless field, network carriers understand it
differently. As a result, GSNs and firewall products from different manufacturers
cannot always work together. The Eudemon 1000E provides the GTP solution for networking
with Huawei GSN products. This ensures the data security for transmission on the GPRS
network. Like the SGSN and GGSN products provided by Huawei, the Eudemon 1000E
implements the GTP function based on the UDP protocol.
The Eudemon 1000E provides the function of GTP charging overflow attack defense.

3.9.3 License
GTP is controlled by the license.
You can obtain the service only when you receive a license.
If the Eudemon 1000E works on the Gn or Gp interface, you need a license to activate the related
function. If the Eudemon 1000E works on the Gi interface, no license is required.

3.10 IDS Cooperation


On a network where the Eudemon 1000E cooperates with an IDS device, the IDS device
automatically detects whether there are malicious attacks, intrusions, or other vulnerabilities
across the network. If so, the IDS device notifies the Eudemon 1000E of the attacks by sending
messages (dynamically maintaining ACL entries). The Eudemon 1000E then discards the attack
packets or takes other defense actions.
3.10.1 Overview of the IDS Cooperation
When the Eudemon 1000E and an IDS device cooperate to defend against attacks, intrusion
detection and attack processing are separately accomplished by the two; thus, the advantages of
each device are fully exploited and the system performance is improved.
3.10.2 Features of IDS Cooperation
Cooperating with IDS devices allows the Eudemon 1000E to take full advantage of dedicated
IDS software: the IDS analyzes and checks packets passing through the network in depth,
detects various possible abnormal situations and attack behaviors, and responds to them in
real time through the Eudemon 1000E.
3.10.3 Types of IDS Servers
The Eudemon 1000E can cooperate with IDS servers from Huawei and other manufacturers.

3.10.1 Overview of the IDS Cooperation


When the Eudemon 1000E and an IDS device cooperate to defend against attacks, intrusion
detection and attack processing are separately accomplished by the two; thus, the advantages of
each device are fully exploited and the system performance is improved.
Usually, the Eudemon 1000E is mainly used to:
- Prevent users from entering restricted sites or information from being written to them.
  It monitors the access channel between the reliable network and unreliable ones to prevent
  risks from the Internet from spreading into the intranet.
- Prevent users from leaving restricted sites or information from being read from them. By
  effectively controlling Internet users' access to the internal resources, the security of
  information is guaranteed.

The Eudemon 1000E has a limitation: its detection granularity is rather coarse, and it cannot
perform further analysis and detection on many protocols.
Therefore, the Eudemon 1000E opens some ports to link with other security software so as to
construct a united security network. That is the Intrusion Detection System (IDS) cooperation.
The Eudemon 1000E associates with the IDS device for networking. The Eudemon 1000E is
deployed between the internal LAN and the Internet. The IDS server and management server
are on the intranet.
Figure 3-9 shows the networking diagram of the IDS cooperation.
Figure 3-9 Networking diagram of the IDS cooperation
[Figure: elements shown are PCs, the Trust and Untrust zones, the Firewall, an administration
server, a router, the IDS server, and the IDS detector.]
The IDS in the network works like a network analyzer installed on the network to monitor
network transmission. The system knows the latest means of attack and carefully inspects
each packet that passes through, so that network transmission that could be malicious can be
handled in time. The measures taken are determined by the specific IDS and the configuration
that users apply.
Cooperating with the IDS system, the Eudemon 1000E can make full use of the functions of the
IDS software to analyze and detect packets that flow across the network. In addition, the
Eudemon 1000E can probe various possible abnormal and attack behaviors and respond in real
time. When detecting exceptions or attacks, the IDS sends a command, such as one that
dynamically maintains an ACL entry, to the Eudemon 1000E. The Eudemon 1000E then discards
the attack packets or takes other actions accordingly.
3.10.2 Features of IDS Cooperation


Cooperating with IDS devices allows the Eudemon 1000E to take full advantage of dedicated
IDS software: the IDS analyzes and checks packets passing through the network in depth,
detects various possible abnormal situations and attack behaviors, and responds to them in
real time through the Eudemon 1000E.
The features of the IDS cooperation are as follows:
- IDS devices can monitor transmission on the network that they belong to.
- IDS devices can detect the latest attacks on the network by continually updating their
  software.
- IDS devices check each packet that passes through and deal with network transmission that
  could be malicious in time.
- By using the IDS cooperation to defend against attacks, intrusion detection and attack
  defense are effectively separated. Thus, the full advantage of each device can be taken and
  the performance of the system can be enhanced.

3.10.3 Types of IDS Servers


The Eudemon 1000E can cooperate with IDS servers from Huawei and other manufacturers.
The Eudemon 1000E can cooperate with IDS servers from the following manufacturers:
- is-One
- NIP
- Topsec
- Kingnet Security Inc.

3.11 Secospace Cooperation


As a Security Access Control Gateway (SACG), the Eudemon 1000E cooperates with the
Secospace terminal security management system to control terminal users' access to networks
based on specific classification of these users.
3.11.1 Background
To clear hazards to network information security, the Eudemon 1000E cooperates with the
Secospace terminal security management system to control network access and protect network
resources.
3.11.2 Work Flow of Secospace Cooperation
The Eudemon 1000E establishes connections with the Secospace terminal security management
system, synchronizes the control policies on the Secospace server, and then controls users' access
according to the policies returned from the Secospace server.
3.11.3 Specifications of Secospace Cooperation
This describes the specifications of the cooperation between the Eudemon 1000E and the
Secospace, including the maximum number of online users, maximum number of roles, and so
on.

3.11.1 Background
To clear hazards to network information security, the Eudemon 1000E cooperates with the
Secospace terminal security management system to control network access and protect network
resources.
Networks have become an indispensable part of enterprises. However, they also expose
enterprises to various security threats, such as:
- Internal employees steal confidential information for their own interests.
- Internal employees access enterprise application systems to tamper with important data
  without permission.

To solve this problem, the Eudemon 1000E works with the Secospace security access
control system (hereinafter referred to as the Secospace server) to set up the Secospace terminal
security system, which is deployed on large-sized enterprise networks.
The Secospace terminal security system controls the access rights of users based on the role
ACL. Terminal users perform the security policy check on the Secospace server. After terminal
users pass the ID authentication, the Eudemon 1000E is notified of the access control to apply
to the terminal users. This feature can meet the requirements of controlling multiple user types
on a large-sized enterprise network. The Secospace supports two-node hot spare in association
mode and uses the SACG for load sharing.
Figure 3-10 shows a specific networking.
Figure 3-10 Networking diagram of Secospace Cooperation
[Figure: elements shown are Agent 1, Agent 2, a LAN switch, the Firewall (SACG), service
servers A, B, and C, and the Secospace server group consisting of SM, SC, and SRS.]
Secospace Controller (SC)
Security Recover Server (SRS)
Secospace Manager (SM)
Secospace Agent (Agent)

For information about the functions of each part, see Secospace server-related documents.

3.11.2 Work Flow of Secospace Cooperation


The Eudemon 1000E establishes connections with the Secospace terminal security management
system, synchronizes the control policies on the Secospace server, and then controls users' access
according to the policies returned from the Secospace server.
As shown in Figure 3-10, the Eudemon 1000E functions as the SACG and cooperates with the
Secospace to control users' network access and provide terminal users with services through the
service server.
To access network resources, a terminal user goes through the following steps:
1. A connection between the Eudemon 1000E and the Secospace server is set up to obtain the
   default ACL.
   In this case, the interzone packet-filtering rules configured on the Eudemon 1000E before
   become invalid. The terminal user can access servers that do not require authentication and
   authority.
2. The terminal user sends an authentication request to the Secospace server.
   The authentication can be one of the following ways:
   - Domain authentication
   - Username and password authentication
   - MAC address authentication
   - 802.1X authentication
   - Web authentication
   - Third party authentication
3. The Secospace server authenticates the user.
   If the user's group and user name exist, the user is considered a valid user.
4. The Secospace server tells the Agent to perform the security check on the valid user.
5. After performing the security check, the Agent reports the result to the Security Policy
   Server (SPS).
   If the user does not pass the security check, the SRS prompts the user to implement the
   necessary repair. After the repair is implemented, step 3 is performed again.
6. If the user passes the authentication, the server notifies the Eudemon 1000E of the
   user's login and requests it to grant the necessary authority.
NOTE
According to the rule of roles, the Eudemon 1000E determines whether a user has the authority to access
the service server. Terminal users can access network resources matching their authority.
The Agent, SPS, and SRS are all parts of the Secospace server. For more information about each part, refer
to Secospace-related guides.

When the user accesses network resources for the first time, the Eudemon 1000E determines the
user's access authority according to the user's role. When the user accesses network
resources later, the Eudemon 1000E decides whether the user can access them based on
local information. If the Eudemon 1000E considers that the user does not have the authority,
step 3 is performed again for authentication.
When the Secospace server receives the offline request from the user, it requests the Eudemon
1000E to update the local information. If the user accesses resources later, authentication is
performed again.

3.11.3 Specifications of Secospace Cooperation


This describes the specifications of the cooperation between the Eudemon 1000E and the
Secospace, including the maximum number of online users, maximum number of roles, and so
on.
The Eudemon 1000E can support:
- 50,000 online users
- 900 common roles and a default role
- 30,000 ACLs
- Role rule-based authority control
  The Eudemon 1000E can generate dedicated ACLs for each role. Each role can correspond
  with both ACL 3000 and ACL 5000. The relationship between a role and the ACL number
  is as follows.
  - ACL 3000 series: 3,999 - total number of roles (900) + role ID
  - ACL 5000 series: 5,999 - total number of roles (900) + role ID
  ACL 5000 is referred to first. If the policy delivered by the server contains port information,
  the policy is added to ACL 5000; if not, it is added to ACL 3000.
NOTE
One group can include multiple roles; one role can correspond with multiple users.

3.12 Authentication and Authorization


The Eudemon 1000E delivers the authentication and authorization functions to enable
centralized management of network security. The Eudemon 1000E supports local authentication,
standard Remote Authentication Dial-In User Service (RADIUS) authentication, and local user
management. It can authenticate users and grant authorities to legal users to prevent access by
illegal users.
3.12.1 Overview of Authentication and Authorization
In general, authentication and authorization adopts the server-client mode. The client runs on
the resource side, and the server stores user information. This structure has good scalability and
is convenient for centralized management of user information.
3.12.2 Overview of the RADIUS Protocol
Authentication and Authorization can be implemented over various protocols, in which the
RADIUS protocol is a common one. The RADIUS protocol is first used to manage a large
number of scattered users that use serial ports and modems, and then is widely used in the network
access server (NAS) system later.
3.12.3 Overview of Domains
The Eudemon 1000E manages users by domains. In a domain, you can configure the default
authorization, RADIUS and authentication and accounting schemes.
3.12.4 Overview of Local User Management
The authentication and authorization sets up a local user database on the local Eudemon
1000E to maintain the user information and to manage users. Besides creating local user
accounts, the Eudemon 1000E can conduct local authentication.

3.12.1 Overview of Authentication and Authorization


In general, authentication and authorization adopts the server-client mode. The client runs on
the resource side, and the server stores user information. This structure has good scalability and
is convenient for centralized management of user information.

Authentication Modes
Eudemon 1000E supports the following authentication modes:
- None authentication
  It completely trusts users and does not check their validity. Generally, it is not used.
- Local authentication
  The user information, including the user name, password, and other attributes, is configured
  locally on the Eudemon 1000E, which then authenticates users for access. Its advantage lies
  in the fast processing speed, which reduces the operation cost. Its disadvantage is that the
  information storage capacity is limited by the hardware.
- Remote authentication
  The Eudemon 1000E authenticates users over the Remote Authentication Dial In User
  Service (RADIUS) protocol. The Eudemon 1000E serves as the client to communicate with
  the RADIUS server. The RADIUS protocol cooperates with iTELLIN/CAMS to complete
  the authentication.

Authorization Modes
Eudemon 1000E supports the following authorization modes:
- Direct authorization
  It completely trusts users and directly authorizes them to pass through.
- Local authorization
  It authorizes users based on the relevant attributes of the local user account configured on
  the Eudemon 1000E.
- If-authenticated authorization
  If the user passes the authentication and the authentication mode is not none, the user is
  authorized.
- Authorization after RADIUS authentication
  It authorizes users after they pass RADIUS authentication.
  The authentication and the authorization of the RADIUS protocol are bound together, and
  RADIUS cannot be used to perform only authorization.

3.12.2 Overview of the RADIUS Protocol


Authentication and authorization can be implemented over various protocols, of which the
RADIUS protocol is a common one. The RADIUS protocol was first used to manage a large
number of scattered users that use serial ports and modems, and was later widely used in the
network access server (NAS) system.
To access other networks or to use some network resources, a user needs to set up a connection
to the NAS through some network (such as the telephony network). In this case, the NAS
authenticates the user or the connection. The NAS is responsible for sending the authentication
and authorization information of the user to the server that supports the RADIUS protocol. The
RADIUS protocol defines how to transmit the user information between the NAS and RADIUS
servers.
The RADIUS server receives the user's connection requests, completes the authentication, and
then sends the configurations that the user needs to the NAS. The authentication information
transmitted between the NAS and the RADIUS server is protected with a shared secret key, so
that the user password cannot be stolen on insecure networks.

RADIUS Message Flow


The RADIUS protocol defines the message flow and message structure for the message
interaction between the client and server.
The server that uses the RADIUS protocol is called RADIUS server.
Figure 3-11 shows a simple message flow defined in the RADIUS protocol.
Figure 3-11 Message flow between the RADIUS client and server
[Figure: the user sends the username/password to the router/access server, which sends a
request to the RADIUS server and receives a response.]

As shown in the figure, the Eudemon 1000E serves as an access server. When a user logs in to
the Eudemon 1000E, the following steps are performed.
1. The user sends the user name and password to the Eudemon 1000E.
2. After the RADIUS client receives the user name and password, it sends an authentication
   request to the RADIUS server.
3. When receiving a valid request, the RADIUS server completes the authentication and
   sends the configurations that the user needs to the client.

The login user can be a PPPoE user working with L2TP who uses network resources, or an
administrator who configures or maintains network devices.

RADIUS Message Structure


Figure 3-12 shows the RADIUS message structure.

Figure 3-12 RADIUS message structure
[Figure: byte layout of a RADIUS message, fields in order: Code, Identifier, Length,
Authenticator, Attributes.]

The details are as follows:
- Code
  It indicates the message type, such as an access request or access permit.
- Identifier
  It is a number that increases in sequence and is used for matching the request packets
  and response packets.
- Length
  It indicates the total length of all fields.
- Authenticator
  It is used to verify the validity of RADIUS messages.
- Attributes
  They carry the contents of a message, including the user name, password, NAS IP address,
  and other attributes of the user account.
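As an added example (not code from the Huawei document or from any RADIUS implementation), the following Python builds and checks messages with the structure above, including the User-Password hiding and the Response Authenticator check that the shared secret mentioned earlier makes possible. The secret, user name, password, and NAS address are constructed sample values.

```python
"""Added example, not code from the Huawei document: building and checking RADIUS
messages with the structure described above (RFC 2865): Code (1 byte), Identifier (1),
Length (2), Authenticator (16), Attributes. It shows what the shared secret buys: the
NAS hides User-Password with MD5(secret + Request Authenticator) before sending, and
the server's reply carries a Response Authenticator the NAS recomputes before trusting
it. The secret, user name, password and addresses are constructed sample values."""
import hashlib
import hmac
import os
import socket
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # Code + Identifier + Length + Authenticator
Attr = Tuple[int, bytes]

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous
    block); the first block is masked with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of hide_password; the NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs: List[Attr]) -> bytes:
    # Attribute = Type (1) | Length (1, counts these 2 header bytes) | Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> List[Attr]:
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")  # never trust the Length byte
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: str, req_auth: Optional[bytes] = None) -> bytes:
    """NAS side: Access-Request carrying a fresh random Request Authenticator."""
    req_auth = os.urandom(16) if req_auth is None else req_auth
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
                          (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + req_auth + attrs

def parse(packet: bytes) -> dict:
    """Split a datagram into header fields and attributes, rejecting bad Length values
    (RFC 2865: Length < 20 or > datagram size means discard; extra bytes are padding)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad Length field")
    return {"code": code, "id": ident, "auth": packet[4:HEADER_LEN],
            "attrs": decode_attrs(packet[HEADER_LEN:length])}

def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes,
                           secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def build_response(code: int, ident: int, req_auth: bytes, secret: bytes,
                   attrs: Tuple[Attr, ...] = ()) -> bytes:
    """Server side: Access-Accept/Reject whose Authenticator is bound to the request."""
    body = encode_attrs(list(attrs))
    auth = response_authenticator(code, ident, body, req_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + auth + body

def verify_response(packet: bytes, req_auth: bytes, secret: bytes, expected_id: int) -> bool:
    """NAS side: trust a reply only if its Identifier matches the outstanding request and
    its Response Authenticator recomputes under the shared secret; else drop it."""
    try:
        p = parse(packet)
    except ValueError:
        return False
    if p["id"] != expected_id:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    expected = response_authenticator(p["code"], p["id"], packet[HEADER_LEN:length],
                                      req_auth, secret)
    return hmac.compare_digest(expected, p["auth"])
```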

RADIUS Features
The features of RADIUS are as follows:
- Real-time performance, by using UDP as the transport protocol.
- High reliability, by supporting the retransmission mechanism and the backup server
  mechanism.
- Easy implementation; it can be used in a multithreaded server structure when there
  are a large number of users.

With these features, the RADIUS protocol is widely used.

As the client of the RADIUS protocol, the NAS implements the following functions:
- Standard RADIUS protocols and extended attributes
  This includes RFC 2865 and RFC 2866.
- Active detection of the RADIUS server state
  After receiving an authentication request, the NAS starts the server detection process if the
  current status of the server is Down: it converts the message into a packet that functions as
  the server probe packet and sends it to the current server. If a response packet is received
  from the RADIUS server, the server is regarded as available.
- Auto-switch of the RADIUS server
  When the waiting timer times out, if the current server is unavailable, or the number of
  transmission attempts exceeds the maximum number configured, the current server is
  replaced by another server in the server group.

3.12.3 Overview of Domains


The Eudemon 1000E manages users by domains. In a domain, you can configure the default
authorization, RADIUS and authentication and accounting schemes.
The Eudemon 1000E manages users in the following two modes:
- Management through domains
- Management through user accounts

Note that all users belong to domains.

Within a domain, you can configure:
- Default authorizations
- RADIUS templates
- Authentication schemes

The authorization precedence configured within a domain is lower than that configured on an
authentication and authorization server, that is, the authorization attributes of the authentication
and authorization server are used first. The domain authorization attributes are valid only when
the authentication and authorization server does not deliver this authorization attribute or does
not support the authorization. In this way, the attribute limitation of the authentication and
authorization server no longer applies, and services can be added flexibly by managing the
domain accordingly.
When a domain and a user within the domain are configured with the same attribute
simultaneously, the user-based configuration takes precedence over the domain-based
configuration.

3.12.4 Overview of Local User Management


The authentication and authorization sets up a local user database on the local Eudemon
1000E to maintain the user information and to manage users. Besides creating local user
accounts, the Eudemon 1000E can conduct local authentication.
Currently, you can configure a single local user or a batch of local users of a VLAN on the
Eudemon 1000E.
NOTE
Users whose information is stored in the local user database are called local users.

4 VPN


About This Chapter


The Eudemon 1000E supports IPSec VPN applications and provides highly reliable and secure
transmission tunnels for users. It also supports many types of VPN applications constructed by
using Multi-Protocol Label Switch (MPLS), Layer 2 Tunneling Protocol (L2TP), and Generic
Routing Encapsulation (GRE). The Eudemon 1000E is referred to as Firewall in the figures.
4.1 Introduction
As enterprises and companies grow in scale, staff travel on business more frequently. With
overseas offices and clients increasingly scattered and the number of partners growing, more
and more enterprises need to use public Internet resources for promotion, sales, after-sales
service, training, cooperation, and consultation. This urgent demand gives VPN applications a
good market.
4.2 L2TP
The Layer 2 Tunneling Protocol (L2TP) is a kind of VPDN tunneling protocol. To know L2TP
better, you need certain knowledge of VPDN.
4.3 IPSec
IPSec can realize auto-negotiation key exchange and SA setup as well as maintenance services
through Internet Key Exchange (IKE). That simplifies the use and management of IPSec.
4.4 GRE
The Generic Routing Encapsulation (GRE) protocol is used to encapsulate packet of the network
layer protocol such as Internet Packet Exchange (IPX). The encapsulated packet can be
transmitted in another network layer protocol such as IP. GRE is the third layer tunnel protocol
of the VPN.

4.1 Introduction
As enterprises and companies grow in scale, staff travel on business more frequently. With
overseas offices and clients increasingly scattered and the number of partners growing, more
and more enterprises need to use public Internet resources for promotion, sales, after-sales
service, training, cooperation, and consultation. This urgent demand gives VPN applications a
good market.
4.1.1 VPN Overview
Virtual Private Network (VPN) is a new technology that has developed rapidly with the
widespread use of the Internet in recent years. It is used to build private networks on a public
network. "Virtual" indicates that a VPN is a kind of logical network.
4.1.2 VPN Classification
IP VPN uses IP facilities, including public Internet or dedicated IP backbone networks, to realize
the emulation of WAN device private line services, such as remote dial-up and Digital Data
Network (DDN). According to different standards, IP VPNs can be classified into different types.
4.1.3 VPN Fundamentals
The basic principle of VPN is to use tunneling protocols to encapsulate packets into tunnels and
construct private data transmission tunnels on backbone networks to realize transparent
transmission of data packets.
4.1.4 VPN Basic Networking Application
The following takes an enterprise network as an example to illustrate VPN basic networking.

4.1.1 VPN Overview


Virtual Private Network (VPN) is a new technology that has developed rapidly with the
widespread use of the Internet in recent years. It is used to build private networks on a public
network. "Virtual" indicates that a VPN is a kind of logical network.

VPN Features
VPN has the following features:
- Different from traditional networks, a VPN does not physically exist. It is a kind of logical
  network, a virtual network configured based on existing public network resources.
- A VPN is exclusively used by an enterprise or a user group.
  For VPN users, a VPN is the same as a traditional dedicated network in usage. As a kind
  of private network, the resources of a VPN are independent of the bearer network resources.
  Typically, the resources of one VPN are not used by other VPNs on the bearer network or
  by non-authorized VPN users. VPN offers a reliable protection mechanism to defend VPN
  internal information against external intrusion and interruption.
- VPN is a kind of sophisticated upper-layer service.
  VPN services help set up interconnection for the users of a private network. VPN services
  realize VPN internal network topology setup, routing calculation, and user login or logout.
  VPN technology is much more complicated than common point-to-point application
  mechanisms.

VPN Advantages
VPN presents the following advantages:
- Helping set up reliable connections between remote users, overseas offices, partners,
  suppliers, and company headquarters to ensure secure data transmission.
  This advantage is significant because it realizes the convergence of E-business or financial
  networks with communication networks.
- Using public networks to realize information communication. With VPNs, enterprises can
  connect remote offices, telecommuters, and business partners at a dramatically low cost.
  In addition, VPNs significantly increase the utilization of network resources, thus helping
  Internet Service Providers (ISPs) increase revenue.
- Allowing you to add or delete VPN users through software without changing hardware
  facilities.
  This mechanism offers great flexibility in VPN applications.
- Allowing telecommuting VPN users to access headquarters resources at any time and in any
  place.
  This satisfies the increasing demand for mobile services.
- Offering high quality VPNs such as MPLS VPN and diversified VPN services to meet VPN
  users' different demands for quality level. A service-specific rating mechanism brings ISPs
  more profit.

4.1.2 VPN Classification


IP VPN uses IP facilities, including public Internet or dedicated IP backbone networks, to realize
the emulation of WAN device private line services, such as remote dial-up and Digital Data
Network (DDN). According to different standards, IP VPNs can be classified into different types.

Classification Based on Operation Modes


According to the operation modes, IP VPNs can be classified into the following types:
- Customer Premises Equipment based VPN (CPE-based VPN)
  This kind of VPN requires users to install expensive devices and special authentication
  tools. In addition, users need to accomplish tedious maintenance tasks such as channel
  maintenance and bandwidth management. The networking of this kind of VPN is
  complicated and hard to scale.
- Network-based VPN (NBIP-VPN)
  This kind of VPN outsources VPN maintenance to ISPs (meanwhile users are permitted to
  manage and control certain services). The functionalities of VPN are realized on network
  devices, thus reducing user investment, offering more flexibility in adding services and
  in scalability, and bringing more profit to carriers.

Classification Based on Service Applications


According to the usage of services, IP VPNs can be classified into the following types:
- Intranet VPN
  An intranet VPN interconnects distributed internal points of an enterprise through public
  networks. It is an extension of or substitute for traditional private line networks and other
  enterprise networks.
- Access VPN
  An access VPN provides private connections between intranets and extranets for
  telecommuting staff, mobile offices, and remote offices through public networks. There
  are two types of access VPN architectures:
  - Client-initiated VPN connection
  - NAS-initiated VPN connection
- Extranet VPN
  An extranet VPN uses a VPN to extend an enterprise network to suppliers, partners, and
  clients, thus establishing a VPN between different enterprises through public networks.

Classification Based on Networking Modes


According to networking modes, IP VPNs can be classified into the following types:
- Virtual Leased Line (VLL)
  A VLL is an emulation of traditional leased line services. By emulating a leased line through
  an IP network, a VLL provides asymmetric, low cost DDN service. For VLL users, a VLL
  is similar to a traditional leased line.
- Virtual Private Dial Network (VPDN)
  A VPDN realizes a VPN through a dial-up public network, such as an ISDN or PSTN, to
  provide access services to enterprise customers, small-sized ISPs, and mobile offices.
- Virtual Private LAN Segment (VPLS)
  A VPLS interconnects LANs through VPN segments on IP public networks. It is an
  extension of LANs on IP public networks.
- Virtual Private Routing Network (VPRN)
  A VPRN interconnects headquarters, branches, and remote offices through network
  management virtual routers on IP public networks. There are two kinds of VPRN services:
  - VPRN realized through traditional VPN protocols such as IPSec and GRE
  - VPRN based on Multiprotocol Label Switching (MPLS)

4.1.3 VPN Fundamentals


The basic principle of VPN is to use tunneling protocols to encapsulate packets into tunnels and
construct private data transmission tunnels on backbone networks to realize transparent
transmission of data packets.
Figure 4-1 Networking diagram of a VPN access
(Figure omitted: a VPN user dials in to the NAS, and a tunnel runs from the NAS to the VPN server.)

As shown in Figure 4-1, VPN users dial up to the Network Access Server (NAS) of the ISP
through the PSTN or ISDN.
The NAS identifies users by checking user names or access numbers. If the NAS server
determines that a user is a VPN user, it sets up a connection (a tunnel) with the user's destination
VPN server. Then the NAS encapsulates the user's data into an IP packet and transmits it to the
VPN server through the tunnel. After the VPN server receives the packet, it decapsulates the
packet to read the real packet.
Packets can be encrypted on both sides of the tunnel. Other users on the Internet cannot read the
encrypted packets. That ensures the security of packets. For users, a tunnel is a logical extension
of the PSTN or ISDN link. The operations on the logical tunnel are similar to those on a physical
link.
Tunnels are achieved through tunneling protocols. Based on the layer of the Open Systems
Interconnection (OSI) reference model at which a tunnel is realized, tunneling protocols can be
categorized into two groups:
- Layer 2 (L2) tunneling protocols
  An L2 tunneling protocol tunnels individual Point-to-Point Protocol (PPP) frames.
  The existing L2 tunneling protocols are as follows:
  - Point-to-Point Tunneling Protocol (PPTP)
    PPTP is supported by Microsoft, Ascend, and 3COM. Windows NT 4.0 and later
    versions support PPTP. PPTP supports the tunneling of PPP frames on IP networks.
    PPTP, as a call control and management protocol, uses an enhanced Generic Routing
    Encapsulation (GRE) technology to provide flow and congestion control encapsulation
    services for transmitted PPP packets.
  - Layer 2 Forwarding (L2F) protocol
    L2F is a Cisco proprietary protocol. L2F permits the tunneling of the link layer of higher
    level protocols and helps separate the location of the initial dial-up server from the
    location at which the dial-up protocol connection is terminated and access to the network
    is provided.
  - Layer 2 Tunneling Protocol (L2TP)
    L2TP was drafted by the IETF with the support of Microsoft. By integrating the advantages
    of the preceding two protocols, L2TP has developed into a standard RFC. L2TP can be
    used to realize both dial-up VPN services (such as VPDN access) and private line VPN
    services.
- Layer 3 (L3) tunneling protocols
  For an L3 tunneling protocol, both the starting point and the ending point are within an ISP. A
  PPP session is terminated on the NAS. Tunnels carry only L3 packets.
  The existing L3 tunneling protocols are as follows:
  - Generic Routing Encapsulation (GRE)
    GRE is used to realize the encapsulation of an arbitrary network layer protocol over another
    arbitrary network layer protocol.
  - IP Security (IPSec)
    IPSec is not a single protocol. Instead, it offers a system architecture for data
    security on IP networks, including Authentication Header (AH), Encapsulating Security
    Payload (ESP), and Internet Key Exchange (IKE).
  GRE and IPSec are mainly applied to private line VPN services.
- Comparison between L2 and L3 tunneling protocols
  L3 tunneling protocols are superior to L2 tunneling protocols in the following aspects:
  - Security and reliability
    An L2 tunnel usually ends at a user-side device, so it places higher requirements on the
    security of user networks and on firewall technology. An L3 tunnel usually ends at an ISP
    gateway. Therefore, it places lower requirements on the security technology of user
    networks.
  - Scalability
    Since an L2 tunnel encapsulates a whole PPP frame, transmission efficiency may be
    decreased. In addition, a PPP session runs through a whole tunnel and terminates in a
    user-side device. That requires that the user-side gateway keep a large amount
    of PPP session status and information. That may overload the system and impact its
    scalability. Moreover, since the Link Control Protocol (LCP) and Network Control
    Protocol (NCP) negotiations are quite sensitive to time, degraded tunnel efficiency may
    result in a series of problems such as PPP session timeout. On the contrary, an L3 tunnel
    terminates in an ISP gateway, and a PPP session terminates in the NAS. Thus, the user
    gateway does not need to manage and maintain the status of each PPP session. Thereby,
    system load is reduced.
  Typically, L2 tunneling protocols and L3 tunneling protocols are used separately. If they
  are appropriately used together, for example, using L2TP and IPSec together, they may
  provide users with high security and better performance.

4.1.4 VPN Basic Networking Application


The following takes an enterprise network as an example to illustrate VPN basic networking.
Figure 4-2 shows the internal network established through VPN.
Figure 4-2 Networking diagram of VPN applications
(Figure omitted: remote users and a cooperator connect to ISP PoPs; the company headquarters with
its internal server is reached through the VPN.)

As shown in Figure 4-2, eligible users can connect to the Point of Presence (POP) server of the
local ISP through a Public Switched Telephone Network (PSTN), Integrated Services Digital
Network (ISDN), or LAN so as to access the internal resources of an enterprise. Traditional
WAN networking technology requires dedicated physical links to realize connections. With
established virtual networks, remote users and telecommuters can access internal resources of
an enterprise without needing to be authorized by the local ISP. It is helpful for telecommuting
staff and scattered users.
To experience VPN services, an enterprise needs to deploy only a server, such as a Windows
NT server or a firewall that supports VPN, to share resources. After connecting to the local POP
server through the PSTN, ISDN, or LAN, eligible users can directly call the remote server (VPN
server) of the enterprise. The access server of the ISP and the VPN server work together to realize
the call.

4.2 L2TP
The Layer 2 Tunneling Protocol (L2TP) is a kind of VPDN tunneling protocol. To know L2TP
better, you need certain knowledge of VPDN.
4.2.1 VPDN Overview
A Virtual Private Dial Network (VPDN) realizes a VPN by using the dial-up function of public
networks such as the ISDN and PSTN as well as access networks. VPDNs provide access
services for enterprise customers, small-sized ISPs, and mobile offices.
4.2.2 L2TP Overview
L2TP supports the tunneling of PPP link layer packets. L2TP extends the PPP model by allowing
the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched
network. By integrating the advantages of PPTP and L2F, L2TP has developed into the industry
standard of layer two tunneling protocols.
4.2.3 Access to VPN Supported by L2TP
At present, more and more enterprises build their VPN networks on the Internet so as to save cost,
guarantee network security, and simplify network management.
4.2.4 License
The number of tunnels supported by L2TP is determined by licenses.

4.2.1 VPDN Overview


A Virtual Private Dial Network (VPDN) realizes a VPN by using the dial-up function of public
networks such as the ISDN and PSTN as well as access networks. VPDNs provide access
services for enterprise customers, small-sized ISPs, and mobile offices.
VPDNs adopt special network encryption protocols to set up secure VPNs for enterprise
customers over public networks. With VPDNs, overseas offices and telecommuting staff can
obtain a network connection to their headquarters through a virtual encrypted tunnel over public
networks. Other users on the public networks cannot pass through the virtual tunnel to access
internal resources on the enterprise network.
There are two ways to realize VPDNs:
- The NAS sets up a tunnel to the VPDN gateway based on tunneling protocols.
  This realization mechanism directly connects the PPP connection of users to the gateway
  of the enterprise network. So far, the available tunneling protocols are L2F and L2TP.
  The advantages of this realization mechanism are as follows:
  - The realization process is transparent to users.
  - Users can access the enterprise network after a one-time login.
  - Since the enterprise network authenticates users and assigns IP addresses, no extra
    public addresses are required.
  - Users can implement network access through different platforms.
  This realization mechanism requires the NAS to support the VPDN protocol, and the
  authentication system to support VPDN attributes. Typically, a firewall or dedicated VPN
  server is used as the gateway.
- A client host sets up a tunnel with the VPDN gateway.
  The client host connects to the Internet first, and then uses dedicated client software,
  such as the L2TP client on Windows 2000, to set up a tunnel with the gateway.
  The advantage and disadvantage of this realization mechanism are as follows:
  - Since this realization mechanism has no requirements for ISPs, users can access
    resources at any place and in any way.
  - Since this mechanism requires users to install and use dedicated software, usually on
    Windows 2000, users are limited to a specified platform.
There are three types of VPDN tunneling protocols:
- PPTP
- L2F
- L2TP
L2TP is widely used at present.

4.2.2 L2TP Overview


L2TP supports the tunneling of PPP link layer packets. L2TP extends the PPP model by allowing
the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched
network. By integrating the advantages of PPTP and L2F, L2TP has developed into the industry
standard of layer two tunneling protocols.

Background
PPP defines an encapsulation mechanism for transporting multiprotocol packets across L2 point-to-point links. Typically, a user obtains an L2 connection to a NAS using one of a number.
The L2TP protocol expands the PPP model in the following ways:
- L2TP supports the tunneling of PPP link layer packets.
- L2TP allows the L2 and PPP endpoints to reside on different devices.
- L2TP transmits data by using packet-switched network technology.
By integrating the advantages of PPTP and L2F, L2TP has developed into the industry standard
of layer two tunneling protocols.

Typical L2TP Networking Application


Figure 4-3 shows the typical networking of VPDN application based on L2TP.
Figure 4-3 Networking diagram of VPDN application based on L2TP
(Figure omitted: remote users dial in to the LAC, an L2TP tunnel runs from the LAC to the LNS,
and the internal servers sit behind the LNS.)

As shown in Figure 4-3, the L2TP Access Concentrator (LAC) is attached to the switched network.
The LAC is a PPP endpoint system and can process L2TP. Usually, an LAC is a NAS, which
provides access services for users across the PSTN or ISDN. The L2TP Network Server (LNS)
is a node of the PPP endpoint system and acts as the server side of L2TP.
An LAC sits between an LNS and a remote system and forwards packets to and from each.
Packets sent from the remote system to the LNS require tunneling with the L2TP protocol.
Packets sent from the LNS are decapsulated and then forwarded to the remote system. The
connection from the LAC to the remote system is either local or a PPP link. For VPDN
applications, the connections are usually PPP links.
An LNS acts as one side of an L2TP tunnel and is a peer to an LAC. The LNS is the logical
termination point of a PPP session that is being tunneled from the remote system by the LAC.

Technology Details
The following describes the technology details of L2TP:
- L2TP protocol structure
  Figure 4-4 L2TP protocol structure
  (Figure omitted: a PPP frame is carried in an L2TP data message over the unreliable L2TP data
  tunnel; L2TP control messages travel over the reliable L2TP control tunnel; both run over the
  packet transmission network, for example UDP.)
  Figure 4-4 shows the relationship of PPP frames and control messages over the L2TP
  control and data channels. PPP frames are passed over an unreliable data channel,
  encapsulated first by an L2TP header and then by a packet transport such as UDP, Frame
  Relay, or ATM. Control messages are sent over a reliable L2TP control channel, which
  transmits packets in-band over the same packet transport.
  L2TP uses the registered UDP port 1701. The entire L2TP packet, including payload and
  L2TP header, is sent within a UDP datagram. The initiator of an L2TP tunnel picks an
  available source UDP port (which may or may not be 1701), and sends to the desired
  destination address at port 1701. The recipient picks a free port on its own system (which
  may or may not be 1701), and sends its reply to the initiator's UDP port and address, setting
  its own source port to the free port it found. Once the source and destination ports and
  addresses are established, they must remain static for the life of the tunnel.
- Tunnel and session
  There are two types of connections between an LNS-LAC pair:
  - Tunnel: defines an LNS-LAC pair.
  - Session: is multiplexed over a tunnel to denote each session process over the tunnel.
  Multiple L2TP tunnels may exist between the same LAC and LNS. A tunnel consists of
  one control connection and one or several sessions. A session is set up after a tunnel is
  successfully created, namely, after information such as ID, L2TP version, frame type, and
  hardware transmission type has been exchanged. Each session corresponds with a PPP data
  stream between an LAC and an LNS.
  L2TP uses Hello messages to check the connectivity of a tunnel. The LAC and the LNS
  periodically send Hello messages to each other. If no Hello message is received within a
  period of time, the session between them is cleared.
- Control message and data message
  L2TP utilizes two types of messages:
  - Control message
    Control messages are used in the establishment, maintenance, and transmission control
    of tunnels and sessions.
    Control messages utilize a reliable control channel within L2TP to guarantee delivery.
    Control messages support traffic control and congestion control.
  - Data message
    Data messages are used to encapsulate PPP frames being carried over the tunnel.
    Data messages are not retransmitted when packet loss occurs. Data messages do not
    support traffic control and congestion control.
  L2TP packets for the control channel and data channel share a common header format.
  An L2TP message header includes a tunnel ID and a session ID, which are used to identify
  tunnels and sessions. Packets with the same tunnel ID but different session IDs are
  multiplexed over the same tunnel. The tunnel IDs and session IDs in a packet header are
  assigned by the peer ends.
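
As an added example (not code from this document or from Huawei), the following Python parses and builds the common L2TP header described in the two preceding items, using the RFC 2661 field layout (flags/version word, optional Length, Tunnel ID, Session ID, optional Ns/Nr and Offset) and rejecting the flag combinations a control message may not use; the sample messages are constructed, not captured traffic, and the function and class names are this example's own.

```python
# Added example (not code from the Huawei document): parser and builder for the common
# L2TPv2 header described above, following the RFC 2661 layout. Sample messages below
# are constructed, not captured traffic; function and class names are this example's own.
import struct
from dataclasses import dataclass
from typing import Optional

L2TP_UDP_PORT = 1701   # registered port a tunnel initiator sends to
FLAG_T = 0x8000        # 1 = control message, 0 = data message
FLAG_L = 0x4000        # Length field present
FLAG_S = 0x0800        # Ns/Nr sequence fields present
FLAG_O = 0x0200        # Offset Size field present (data messages only)
FLAG_P = 0x0100        # Priority (data messages only)
VERSION_MASK = 0x000F  # low four bits: version, 2 for L2TPv2


@dataclass
class L2TPHeader:
    is_control: bool
    tunnel_id: int
    session_id: int          # 0 for tunnel-level control messages
    length: Optional[int]
    ns: Optional[int]
    nr: Optional[int]
    payload: bytes           # AVPs of a control message, or the tunneled PPP frame


def _need(datagram: bytes, pos: int, n: int) -> None:
    if len(datagram) < pos + n:
        raise ValueError("truncated L2TP header")


def parse_l2tp(datagram: bytes) -> L2TPHeader:
    """Parse the UDP payload of one L2TP packet; raise ValueError on malformed input."""
    _need(datagram, 0, 2)
    flags = struct.unpack_from("!H", datagram, 0)[0]
    if (flags & VERSION_MASK) != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & VERSION_MASK))
    is_control = bool(flags & FLAG_T)
    has_len, has_seq, has_off = bool(flags & FLAG_L), bool(flags & FLAG_S), bool(flags & FLAG_O)
    # RFC 2661: control messages always carry Length and Ns/Nr and never Offset or Priority
    if is_control and (not has_len or not has_seq or has_off or flags & FLAG_P):
        raise ValueError("control message with invalid flag combination")
    pos, length = 2, None
    if has_len:
        _need(datagram, pos, 2)
        length = struct.unpack_from("!H", datagram, pos)[0]
        pos += 2
        if length < 6 or length > len(datagram):
            raise ValueError("Length field %d does not fit the datagram" % length)
    _need(datagram, pos, 4)
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, pos)
    pos += 4
    ns = nr = None
    if has_seq:
        _need(datagram, pos, 4)
        ns, nr = struct.unpack_from("!HH", datagram, pos)
        pos += 4
    if has_off:
        _need(datagram, pos, 2)
        offset = struct.unpack_from("!H", datagram, pos)[0]
        pos += 2 + offset              # skip the Offset Size field and the padding it announces
    end = len(datagram) if length is None else length
    if pos > end:
        raise ValueError("header runs past the end of the message")
    return L2TPHeader(is_control, tunnel_id, session_id, length, ns, nr, datagram[pos:end])


def build_l2tp(is_control: bool, tunnel_id: int, session_id: int,
               payload: bytes, ns: int = 0, nr: int = 0) -> bytes:
    """Build a datagram in the same format: control messages set T, L and S; data messages
    send the minimal six-byte header."""
    if is_control:
        flags = FLAG_T | FLAG_L | FLAG_S | 2
        return struct.pack("!HHHHHH", flags, 12 + len(payload), tunnel_id, session_id, ns, nr) + payload
    return struct.pack("!HHH", 2, tunnel_id, session_id) + payload


# Constructed samples. The control message is tunnel-level (IDs still 0) and carries one AVP:
# M bit set, length 8, vendor 0, attribute 0 (Message Type), value 1.
SAMPLE_CONTROL = build_l2tp(True, 0, 0, bytes.fromhex("8008 0000 0000 0001"))
# The data message carries a PPP frame (address/control ff03, protocol 0021 = IPv4) on
# tunnel 0x1234, session 0x5678.
SAMPLE_DATA = build_l2tp(False, 0x1234, 0x5678, bytes.fromhex("ff03 0021"))

if __name__ == "__main__":
    print(parse_l2tp(SAMPLE_CONTROL))
    print(parse_l2tp(SAMPLE_DATA))
```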

Two Typical L2TP Tunnel Modes


Figure 4-5 shows the tunnel modes of PPP frames between a remote system or an LAC client
(running L2TP) and an LNS:
- Initiated by a remote dial-up user
  The remote client initiates a PPP connection across the PSTN/ISDN to an LAC. The LAC
  then tunnels the PPP connection across the Internet. Authentication, authorization, and
  accounting may be provided by the home LAN's management domain or by the LNS.
- Initiated directly by an LAC user (a host which runs L2TP natively)
  LAC users can directly initiate a tunnel connection to the LNS without use of a separate
  LAC. In this case, the address of the LAC is assigned by the LNS.

Figure 4-5 Two typical L2TP tunnel modes
(Figure omitted: an L2TP tunnel from an LAC serving staff on a business trip to the LNS, and a
second L2TP tunnel from a remote user in a remote branch to the LNS.)

Setup Procedure of an L2TP Tunnel Session


Figure 4-6 shows a typical networking of L2TP.
Figure 4-6 Typical networking diagram of L2TP
(Figure omitted: PCs dial in to the LAC, Firewall A, which has its own RADIUS server; the LAC
reaches the LNS, Firewall B, across an IP network; the LNS has its own RADIUS server and a PC
behind it.)
Figure 4-7 shows the procedure for setting up an L2TP call.
Figure 4-7 Procedure for setting up an L2TP call
(Figure omitted: a message sequence among the PC, the LAC (Firewall A), the LAC's RADIUS
server, the LNS (Firewall B), and the LNS's RADIUS server; the fifteen numbered exchanges are
those listed below.)

The procedure for setting up an L2TP call is as follows:
1. The PC at the user side initiates a connection request.
2. The PC and the LAC (Eudemon 1000E A) negotiate PPP LCP parameters.
3. The LAC performs Password Authentication Protocol (PAP) or Challenge Handshake
   Authentication Protocol (CHAP) authentication based on the user information provided by
   the PC.
4. The LAC sends the authentication information, including the VPN username and password, to
   the RADIUS server for identity authentication.
5. The RADIUS server authenticates this user and, after the authentication succeeds, sends back
   an access accept carrying information such as the LNS address. Meanwhile, the LAC is ready to
   initiate a new tunnel request.
6. The LAC initiates a tunnel request to the LNS specified by the RADIUS server.
7. The LAC sends a CHAP challenge to the LNS; the LNS sends back the CHAP response
   together with its own CHAP challenge, and the LAC sends back its CHAP response.
8. Authentication passes.
9. The LAC transmits the CHAP response, response identifier, and PPP negotiation
   parameters to the LNS.
10. The LNS sends the access request to its RADIUS server for authentication.
11. The RADIUS server re-authenticates this access request and sends back a response if
    authentication is successful.
12. If local mandatory CHAP authentication is configured at the LNS, the LNS authenticates
    the VPN user by sending a challenge, and the VPN user at the PC sends back responses.
13. The LNS re-sends this access request to the RADIUS server for authentication.
14. The RADIUS server re-authenticates this access request and sends back a response if
    authentication is successful.
15. After all authentications are passed, the VPN user can access the internal resources of the
    enterprise.
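
As an added example (not Huawei code), the following Python models the CHAP exchanges of steps 3, 7 and 12 above: the RFC 1994 response value MD5(identifier || secret || challenge), the mutual tunnel authentication of step 7, which RFC 2661 defines as the same computation with the L2TP message type (SCCRP or SCCCN) as the one-octet identifier, and the verifier's constant-time check. The secrets are constructed test values and the class and function names are this example's own assumptions.

```python
# Added example (not Huawei code): CHAP challenge/response for steps 3, 7 and 12 of the
# L2TP call setup. Tunnel authentication (step 7) follows RFC 2661: the same MD5 computation
# as PPP CHAP (RFC 1994) with the L2TP message type as the one-octet identifier.
# Class and function names are assumptions; secrets used by callers are constructed values.
import hashlib
import hmac
import os
from typing import Tuple

SCCRP = 2   # RFC 2661 message type of the LNS's reply; identifier for the LNS's response
SCCCN = 3   # RFC 2661 message type of the LAC's connected notification; identifier for the LAC's response


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge), identifier is one octet."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier must fit in one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected value and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


class TunnelEndpoint:
    """One L2TP endpoint (LAC or LNS) taking part in mutual tunnel authentication."""

    def __init__(self, tunnel_secret: bytes) -> None:
        self.secret = tunnel_secret
        self.my_challenge = b""

    def new_challenge(self, size: int = 16) -> bytes:
        # A fresh random challenge per tunnel; reusing one would let a recorded response be replayed.
        self.my_challenge = os.urandom(size)
        return self.my_challenge

    def answer(self, msg_type: int, peer_challenge: bytes) -> bytes:
        """Challenge Response AVP value for the message of type msg_type."""
        return chap_response(msg_type, self.secret, peer_challenge)

    def check(self, msg_type: int, response: bytes) -> bool:
        """Verify the peer's response to the challenge this endpoint issued."""
        return chap_verify(msg_type, self.secret, self.my_challenge, response)


def tunnel_handshake(lac_secret: bytes, lns_secret: bytes) -> Tuple[bool, bool]:
    """Step 7 end to end. Returns (LNS authenticated by LAC, LAC authenticated by LNS)."""
    lac, lns = TunnelEndpoint(lac_secret), TunnelEndpoint(lns_secret)
    lac_challenge = lac.new_challenge()              # LAC -> LNS: Challenge AVP (in SCCRQ)
    lns_response = lns.answer(SCCRP, lac_challenge)  # LNS -> LAC: Challenge Response AVP (in SCCRP)
    lns_challenge = lns.new_challenge()              # LNS -> LAC: its own Challenge AVP (in SCCRP)
    lns_ok = lac.check(SCCRP, lns_response)          # LAC verifies the LNS
    lac_response = lac.answer(SCCCN, lns_challenge)  # LAC -> LNS: Challenge Response AVP (in SCCCN)
    lac_ok = lns.check(SCCCN, lac_response)          # LNS verifies the LAC
    return lns_ok, lac_ok


def ppp_chap_round(user_secret: bytes, identifier: int = 1) -> bool:
    """Steps 3 and 12: the authenticator (LAC, or LNS with mandatory CHAP) challenges the PC."""
    challenge = os.urandom(16)                                    # authenticator -> PC
    response = chap_response(identifier, user_secret, challenge)  # PC -> authenticator
    return chap_verify(identifier, user_secret, challenge, response)
```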

Features of the L2TP Protocol


The features of the L2TP protocol are as follows:
- Flexible identity authentication mechanism and high security
  - L2TP itself does not provide connection security, but it can depend on the
    authentication, such as CHAP and PAP, provided by PPP. Thereby, it has all the security
    features of PPP.
  - L2TP can integrate with IPSec to fulfill data security, which makes it more difficult to
    attack the data transmitted with L2TP.
  - To improve data security, based on the requirements of the specific network, L2TP
    adopts:
    - Tunnel encryption technique
    - End-to-end data encryption
    - Application layer data encryption
- Multi-protocol transmission
  L2TP transmits PPP data packets, and a wide variety of protocols can be encapsulated in
  PPP data packets.
- Supporting authentication by the RADIUS server
  The LAC sends the user name and password to the RADIUS server in an authentication request.
  The RADIUS server is in charge of:
  - Receiving the authentication request of the user
  - Fulfilling the authentication
- Supporting internal address assignment
  The LNS can be put behind the intranet firewall. It can dynamically assign and manage the
  addresses of remote users and supports the use of private addresses (RFC 1918). The
  IP addresses assigned to remote users are internal private addresses of the enterprise instead
  of Internet addresses. Thus, the addresses can be easily managed and security can also
  be improved.
- Flexible network charging
  L2TP charges at both the LAC and the LNS at the same time, that is, at the ISP (to generate
  bills) and at the intranet gateway (to pay the charge and audit).
  L2TP can provide the following charging data:
  - Transmitted packet number and byte number
  - Start time and end time of the connection
  L2TP can easily perform network charging based on these data.
- Reliability
  L2TP supports a backup LNS. When the active LNS is inaccessible, the LAC can
  reconnect with the backup LNS, which improves the reliability and fault tolerance of the VPN
  service.

4.2.3 Access to VPN Supported by L2TP


At present, more and more enterprises build their VPN networks on the Internet so as to save cost,
guarantee network security, and simplify network management.
In a VPN network, VPN users can communicate and exchange data with each other over L2TP
tunnels. As a vital VPN service gateway device, the firewall needs to be configured and
maintained by professionals. That is undoubtedly a big burden for small-sized enterprises. To solve
the problem, the Eudemon 1000E provides L2TP multi-instance solutions so that one firewall can
provide security and services for multiple VPNs at the same time.
The Eudemon 1000E supports two kinds of networking:
- The Eudemon 1000E is connected with VPNs through the Internet.
  This way is suitable for small-sized enterprises.
- The Eudemon 1000E is connected with VPNs directly.
  This way is suitable for large-sized enterprises.

4.2.4 License
The number of tunnels supported by L2TP is determined by licenses.
You can obtain the services provided by L2TP only after you obtain the license.

4.3 IPSec
IPSec can realize auto-negotiation key exchange and SA setup as well as maintenance services
through Internet Key Exchange (IKE). That simplifies the use and management of IPSec.

4.3.1 Overview of the IPSec Protocol


The IP Security (IPSec) protocol family is a series of protocols defined by the IETF. It provides IP
data packets with cryptography-based security, featuring high quality and interoperability.
4.3.2 IPSec Basic Concepts
The basic IPSec concepts include security association (SA), SA negotiation mode/operation
mode, authentication algorithm and encryption algorithm.
4.3.3 Overview of the IKE Protocol
IKE is designed based on the framework provided by the Internet Security Association and Key
Management Protocol (ISAKMP). IKE can automatically negotiate key exchange and create
security associations (SAs) for IPSec. That helps simplify the use and management of IPSec.
4.3.4 Overview of the IKEv2 Protocol
The IKEv2 protocol reserves the basic functions of IKE and overcomes the problems found
during IKE study.
4.3.5 Security Analysis of IKEv2
IKEv2 closes the security loopholes of IKE and improves the security of key negotiation. In
addition, IKEv2 requires that all messages should exist in the format of request/reply pairs, thus
effectively improving reliability of UDP used as a transmission layer protocol.
4.3.6 IKEv2 and EAP Authentication
IKEv2 supports third-party EAP authentication of the negotiation initiator.
4.3.7 NAT Traversal of IPSec
The NAT traversal of IPSec is to add a standard UDP header between IP and ESP headers of
the original packet (without regard for AH mode).
4.3.8 Implementing IPSec on the Eudemon 1000E
Through IPSec, the Eudemon 1000E and its peer can implement different means of protection
for different data traffic (authentication, encryption, or both).
4.3.9 Access to VPN Supported by IPSec
With respect to the Eudemon 1000E, the IPSec protocol can provide point-to-point tunnel
connections for users to ensure data security. However, because many small-sized enterprises
cannot afford a firewall of their own, IPSec multi-instance is introduced to offer security guarantees
to multiple VPNs that are connected to one firewall.
4.3.10 License
The number of tunnels supported by IPSec is determined by licenses.

4.3.1 Overview of the IPSec Protocol


The IP Security (IPSec) protocol family is a series of protocols defined by the IETF. It provides IP
data packets with cryptography-based security, featuring high quality and interoperability.
NOTE

The Eudemon 1000E implements the IPSec by using hardware encryption.

The two sides of communication perform encryption and data origin authentication at the IP layer
to assure confidentiality, data integrity, data origin authentication, and anti-replay for packets
when they are transmitted on networks.
The details are as follows:
- Confidentiality
  Confidentiality is to encrypt client data and then transmit it as cipher text.
- Data integrity
  Data integrity is to authenticate the received data so as to determine whether the packet has
  been modified.
- Data origin authentication
  Data origin authentication is to authenticate the data source to make sure that the data is
  sent from the real sender.
- Anti-replay
  Anti-replay is to prevent a malicious client from repeatedly sending a data packet. In
  other words, the receiver will deny old or repeated data packets.

IPSec realizes the above aims through AH and ESP. Moreover, IKE provides auto-negotiation
key exchange and Security Association (SA) setup and maintenance services for IPSec so as to
simplify the use and management of IPSec.
- AH protocol
  AH mainly provides data origin authentication, data integrity check, and anti-replay.
  However, it cannot encrypt the packet.
- ESP protocol
  Encapsulating Security Payload (ESP) provides the encryption function apart from the
  functions provided by AH. The data integrity authentication function of ESP, however,
  does not cover the IP header. ESP allows authenticating and encrypting packets
  simultaneously, or only authenticating, or only encrypting packets.
  NOTE
  AH and ESP can be used either independently or in combination. There are two types of encapsulation
  modes for both AH and ESP: transport mode and tunnel mode. The two encapsulation modes are
  described in Encapsulation Modes of IPSec.
- IKE protocol
  IKE is used to negotiate the keys for IPSec. It negotiates the key algorithms applied in
  AH and ESP and puts the necessary keys for the algorithms in the proper place.
  NOTE
  IKE negotiation is not mandatory. IPSec policies and algorithms can also be configured manually. A
  comparison of these two negotiation modes is given in IKE Negotiation Modes.
- IKEv2
  As a successor of IKE, IKEv2 provides all the basic functions of IKE, reduces the
  complexity, and improves the efficiency and expansibility of IKE.

4.3.2 IPSec Basic Concepts


The basic IPSec concepts include security association (SA), SA negotiation mode/operation
mode, authentication algorithm and encryption algorithm.

Security Association
IPSec provides secure communication between two ends. These two ends are called IPSec peers.
IPSec allows systems, network subscribers, or administrators to control the granularity of
security services between peers.
For example, the IPSec policies of a group define that data streams from a subnet should be
protected with AH and ESP and be encrypted with Triple Data Encryption Standard (3DES) at
the same time. Moreover, the policies define that data streams from another site should be
protected with ESP only and be encrypted with DES only. IPSec can provide protection in
various levels for different data streams based on SA.
An SA is the basis of IPSec. It specifies the shared policy and keys that two negotiating peers use to protect their communication:
- Security protocols applied (AH, ESP, or both)
- Operation mode of the protocols (transport mode or tunnel mode)
- Authentication algorithm (MD5 or SHA-1) and, for ESP, encryption algorithm (DES, 3DES, or AES)
- Shared keys used to protect the data streams
- Lifetime of the shared keys

An SA is unidirectional. Bidirectional communication between two peers therefore needs at least two SAs, one for each direction. If both AH and ESP protect the same data stream, a separate SA is needed for each protocol, so a bidirectional AH+ESP tunnel uses four SAs.
An SA is uniquely identified by a triplet:
- Security Parameter Index (SPI)
- Destination IP address
- Security protocol number (AH or ESP)

The SPI is a 32-bit value that identifies the SA. It is carried in the AH or ESP header, so the receiver can find the right SA from the packet alone.


An SA has a lifetime, measured in one of two ways:
- Time-based lifetime: the SA is renegotiated after a specified interval.
- Traffic-based lifetime: the SA is renegotiated after a specified volume of data (in bytes) has been protected by it.
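The SA properties just described (unidirectional, identified by the SPI/destination/protocol triplet, retired by either lifetime) in working form, as an added example that is not part of the original document or of the Eudemon software. Class and field names, the SPI counter, and the lifetime values are this example's own; on a real gateway the receiving side chooses the SPI for each inbound SA.

```python
"""Added example (not Eudemon code): a minimal Security Association Database.

Names and fields are this example's own.  It shows three points made in the
text: an SA is unidirectional (one per direction, and one per protocol when
AH and ESP are combined); an inbound SA is found by the triplet
(SPI, destination IP, security protocol) taken from the packet; and an SA
expires when its time-based or its traffic-based lifetime is exhausted.
"""
from dataclasses import dataclass

AH, ESP = 51, 50                      # IP protocol numbers of AH and ESP


@dataclass
class SecurityAssociation:
    spi: int                          # 32-bit value carried in the AH/ESP header
    dst: str                          # destination IP address of protected packets
    proto: int                        # AH or ESP
    key: bytes                        # shared key (constructed here, not negotiated)
    created: float                    # installation time, seconds
    time_limit: float                 # time-based lifetime, seconds
    byte_limit: int                   # traffic-based lifetime, bytes
    bytes_used: int = 0

    def expired(self, now):
        """Either lifetime reaching its limit retires the SA."""
        return (now - self.created >= self.time_limit
                or self.bytes_used >= self.byte_limit)


class SAD:
    def __init__(self):
        self._sas = {}                # (spi, dst, proto) -> SecurityAssociation

    def add(self, sa):
        key = (sa.spi, sa.dst, sa.proto)
        if key in self._sas:
            raise ValueError("SPI %#x already used for %s/%d" % key)
        self._sas[key] = sa

    def lookup(self, spi, dst, proto, now):
        """Inbound lookup: all three values come straight from the packet."""
        sa = self._sas.get((spi, dst, proto))
        if sa is None or sa.expired(now):
            return None               # no SA, or a dead one: the packet is dropped
        return sa

    def account(self, sa, nbytes, now):
        """Charge protected bytes to an SA; True means it must be rekeyed."""
        sa.bytes_used += nbytes
        return sa.expired(now)


def install_tunnel(sad, local, peer, protocols, now, spi_base=0x1000):
    """Install every SA one tunnel between `local` and `peer` needs.

    One SA per direction per protocol: AH-only or ESP-only needs 2,
    AH+ESP needs 4.  Returns them in order, inbound (dst=local) first for
    each protocol.  Real SPIs are chosen by the receiving side; a counter
    stands in for that here.
    """
    installed, spi = [], spi_base
    for proto in protocols:
        for dst in (local, peer):
            sa = SecurityAssociation(spi=spi, dst=dst, proto=proto,
                                     key=b"k%08x" % spi, created=now,
                                     time_limit=3600, byte_limit=1_000_000)
            sad.add(sa)
            installed.append(sa)
            spi += 1
    return installed
```

Installing an AH+ESP tunnel produces four SAs; looking one up with the wrong destination or the wrong protocol fails even though the SPI is the same, which is why the SPI alone is not the SA identifier. The byte counter shows the traffic-based lifetime expiring an SA long before its time limit when the link is busy.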

SA Negotiation Modes
There are two negotiation modes for establishing an SA:
- Manual mode (manual)
  All information required to create an SA, including the keys and SPIs, is configured by hand on both peers. Manual mode does not support advanced IPSec features such as scheduled key update, so a key stays in use until an administrator changes it. Its advantage is that it works without IKE.
- IKE auto-negotiation mode (isakmp)
  Once the IPSec policy for IKE negotiation is configured, IKE creates and maintains the SAs automatically, including periodic rekeying.

Manual mode is feasible with few peer devices or in a small, static environment. IKE auto-negotiation mode is recommended for medium and large dynamic networks.

Encapsulation Modes of IPSec


IPSec has two encapsulation modes:
- Transport mode
  In transport mode, the AH or ESP header is inserted after the IP header and before the transport layer protocol header (and before any other IPSec header). Transmission Control Protocol (TCP) is used as the example in Figure 4-8.
  Figure 4-8 Packet format in the transport mode
  Mode       Protocol   Packet layout
  Transport  AH         IP Header | AH | TCP Header | data
  Transport  ESP        IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
  Transport  AH+ESP     IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data

- Tunnel mode
  In tunnel mode, the AH or ESP header is inserted after a new IP header and before the original (raw) IP header. TCP is again used as the example in Figure 4-9.
  Figure 4-9 Packet format in the tunnel mode
  Mode    Protocol   Packet layout
  Tunnel  AH         new IP Header | AH | raw IP Header | TCP Header | data
  Tunnel  ESP        new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
  Tunnel  AH+ESP     new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data

Choose between the two modes as follows:
- Security: tunnel mode is the more protective. It authenticates and encrypts the whole original IP packet, header included, and because the outer header carries the addresses of the IPSec peers, the addresses of the hosts behind them are hidden from anyone on the path. Transport mode protects only the payload; the original IP header travels in the clear (AH in transport mode authenticates it but does not hide it).
- Performance: tunnel mode uses more bandwidth than transport mode because it adds an extra IP header (20 bytes for IPv4 without options).
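The two packet layouts from Figure 4-8 and Figure 4-9, built and taken apart in code, as an added example that is not part of the original document or of the Eudemon software. It uses ESP with the NULL cipher (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404), both standard IPSec transforms, so the integrity check is real while the payload stays readable; the inner TCP packet, addresses, SPI, and key are constructed. The tunnel-mode packet comes out exactly 20 bytes longer than the transport-mode one, which is the bandwidth cost mentioned above, and a packet altered in transit fails the integrity check before anything else is done with it.

```python
"""Added example (not Eudemon code): ESP packet layout in transport and tunnel mode.

To stay self-contained it uses ESP with the NULL cipher (RFC 2410) and
HMAC-SHA1-96 integrity (RFC 2404), both standard IPSec transforms; a real
SA would also encrypt payload, padding, pad length and next header with
DES, 3DES or AES.  The inner packet is constructed sample data.
"""
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
ICV_LEN = 12                            # HMAC-SHA1-96 keeps 96 of the 160 bits


def ip4(dotted):
    return bytes(int(x) for x in dotted.split("."))


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left 0; the layout is the point)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src, dst)


def patch_header(hdr, proto, payload_len):
    """Copy an IPv4 header changing only total length and protocol."""
    return (hdr[:2] + struct.pack("!H", 20 + payload_len) + hdr[4:9]
            + bytes([proto]) + hdr[10:])


def sample_packet():
    """Constructed inner packet: 10.1.1.10:40000 -> 10.2.2.20:80, one HTTP line."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    data = b"GET / HTTP/1.0\r\n"
    return ipv4_header(ip4("10.1.1.10"), ip4("10.2.2.20"), IPPROTO_TCP,
                       len(tcp) + len(data)) + tcp + data


def esp_encapsulate(ip_packet, mode, spi, seq, auth_key, outer=None):
    """Protect a full IPv4 packet with ESP.

    transport: IP | ESP | TCP | data | ESP Tail | ESP Auth   (next header = TCP)
    tunnel:    new IP | ESP | IP | TCP | data | ESP Tail | ESP Auth (next header = 4)
    `outer` is the (src, dst) pair of the IPSec peers, needed in tunnel mode.
    """
    hdr, body = ip_packet[:20], ip_packet[20:]
    if mode == "transport":
        payload, next_hdr = body, hdr[9]          # protocol of the inner header
    elif mode == "tunnel":
        payload, next_hdr = ip_packet, IPPROTO_IPIP   # whole packet becomes payload
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    pad_len = (-(len(payload) + 2)) % 4           # NULL cipher: 4-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])  # ESP Tail
    esp = struct.pack("!II", spi, seq) + payload + trailer
    esp += hmac.new(auth_key, esp, hashlib.sha1).digest()[:ICV_LEN]   # ESP Auth
    if mode == "transport":
        return patch_header(hdr, IPPROTO_ESP, len(esp)) + esp   # addresses visible
    return ipv4_header(outer[0], outer[1], IPPROTO_ESP, len(esp)) + esp  # hidden


def esp_decapsulate(packet, auth_key):
    """Verify the ICV, strip ESP and return (spi, seq, inner IPv4 packet)."""
    hdr, esp = packet[:20], packet[20:]
    if hdr[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    good = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, good):
        raise ValueError("ESP integrity check failed")   # drop; never decrypt
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_hdr = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    if next_hdr == IPPROTO_IPIP:                  # tunnel mode: inner packet intact
        return spi, seq, payload
    # transport mode: the outer header was the original one; restore its fields
    return spi, seq, patch_header(hdr, next_hdr, len(payload)) + payload
```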

Authentication Algorithm and Encryption Algorithm


- Authentication algorithms
  Both AH and ESP can verify the integrity of an IP packet, that is, detect whether it was modified in transit. Integrity checking is based on a hash function: an algorithm that accepts input of any length and produces a fixed-length output called the message digest. Each IPSec peer computes the digest over the packet together with the shared key (IPSec uses the hash in the keyed HMAC construction, so only a holder of the key can produce a valid digest). If the digest computed by the receiver matches the one carried in the packet, the packet is accepted as unmodified. IPSec on the Eudemon 1000E supports two authentication algorithms:
  - Message Digest 5 (MD5): takes a message of any length and produces a 128-bit digest.
  - Secure Hash Algorithm 1 (SHA-1): takes a message shorter than 2^64 bits and produces a 160-bit digest.
  SHA-1 produces a longer digest than MD5 and is the stronger of the two. Both are now known to be weak against collision attacks when used as plain hashes; the keyed HMAC construction IPSec uses is not directly affected, but SHA-1 should be preferred over MD5 whenever both peers support it.
- Encryption algorithms
  ESP can encrypt IP packets so that their contents are not disclosed in transit. Encryption uses a symmetric-key cipher: the same key encrypts and decrypts. IPSec on the Eudemon 1000E supports three encryption algorithms:
  - Data Encryption Standard (DES): encrypts 64-bit blocks of plaintext with a 56-bit key.
  - 3DES: encrypts each 64-bit block three times with three 56-bit DES keys (168 key bits in total, about 112 bits of effective strength).
  - Advanced Encryption Standard (AES): encrypts 128-bit blocks with a 128-bit, 192-bit, or 256-bit key.
  3DES is much stronger than DES, whose 56-bit key can be recovered by exhaustive search, but it is also far slower. AES gives the best balance of security and performance and should be the default choice; DES should be used only where an older peer supports nothing else.

4.3.3 Overview of the IKE Protocol


IKE is built on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP). IKE negotiates key exchange and creates security associations (SAs) for IPSec automatically, which simplifies the use and management of IPSec.

IKE
Before IPSec can protect an IP packet, an SA must exist. An IPSec SA can be created manually or dynamically. When a network has many nodes, creating SAs manually is impractical and the keys, once configured, are never refreshed, so security cannot be ensured. Creating SAs dynamically with Internet Key Exchange (IKE) is then required.
IKE has a self-protection mechanism, so it can safely do the following even over an insecure network:
- Distribute keys
- Authenticate identities
- Create IPSec SAs

IKE Security Mechanism


The IKE security mechanism consists of the following:
- Diffie-Hellman (DH) exchange and key distribution
  DH is a public-key algorithm. The two parties exchange public values without ever transmitting the secret key itself, and each computes the same shared key from them. Encryption requires that both parties hold a shared key; the merit of IKE is that this key is never sent over the insecure network but is calculated from the exchanged values. Even a third party (such as an attacker) who captures all the exchanged data cannot compute the shared key, because that would require solving the discrete logarithm problem in the chosen DH group. The DH exchange alone does not tell either party who it is talking to, which is why IKE combines it with the identity authentication described below.
- Perfect Forward Secrecy (PFS)
  PFS is a security property: the compromise of one key has no effect on the security of other keys, because the keys are not derived from one another. In IKE, PFS is provided by the DH algorithm: a fresh DH exchange is performed during the phase 2 negotiation, so the IPSec keys do not depend on the phase 1 DH secret.
- Identity authentication
  Identity authentication verifies both parties to the communication. With the pre-shared key method, each party derives its keying material from the configured pre-shared key (the authenticator) together with the DH result. Two parties configured with different pre-shared keys can never derive the same key, so the negotiation fails. The pre-shared key is therefore the secret on which the identity authentication of both parties rests, and it must be chosen and protected accordingly.
- Identity protection
  Once the shared key has been generated, identity data is sent encrypted, so the identities are protected from eavesdroppers.

IKE Exchange Phases


IKE uses two phases to negotiate IPSec keys and create SAs:
- Phase 1: the two ISAKMP peers establish a secure, authenticated channel over which to communicate. This channel is the ISAKMP Security Association (ISAKMP SA or IKE SA).
- Phase 2: SAs are negotiated on behalf of services such as IPSec (or any other service that needs key material and parameter negotiation) under the protection of the IKE SA. The resulting IPSec SA is used to transmit IP data.

The relation between IKE and IPSec is shown in Figure 4-10.


Figure 4-10 The relation between IKE and IPSec
(Figure: Firewall A and Firewall B each run IKE alongside a stack of TCP/UDP over IPSec over IP. IKE on the two firewalls carries out the SA negotiation; the resulting SA is handed to IPSec on each side, and IPSec exchanges the encrypted IP packets.)

The specific setup process of the SA is shown in Figure 4-11.



Figure 4-11 Setup process of SA
(Figure: sequence between Firewall A and Firewall B. Step 1: matched data streams are forwarded over the interface applying IPSec. Step 2: the phase 1 IKE negotiation is triggered to create the IKE SA. Step 3: the IPSec SA is negotiated in phase 2 under the protection of the phase 1 SA. Step 4: the peers communicate under the protection of the phase 2 SA.)

The SA is set up as follows:
1. On an interface that applies IPSec, each outbound packet is compared with the IPSec policies.
2. If the packet matches an IPSec policy, the relevant SA is looked up. If the SA does not exist yet, IKE is triggered to negotiate the phase 1 SA, that is, the IKE SA.
3. Under the protection of the phase 1 SA, the phase 2 SA, that is, the IPSec SA, is negotiated.
4. The IPSec SA is used to protect the data.

IKE Negotiation Modes


As defined in RFC 2409 (The Internet Key Exchange), IKE phase 1 negotiation can use two modes:
- Main mode
  In main mode, the key exchange information is carried separately from the identity and authentication information, so the identities are exchanged only after the DH shared key exists and are encrypted with it. The cost is three extra messages (six in total).
- Aggressive mode
  In aggressive mode, the SA, key exchange, and authentication payloads are sent together. Carrying them in one message cuts the exchange to three messages and reduces round trips, but the identities are sent before any key exists, so this mode provides no identity protection.
  Although aggressive mode is more limited, it suits some network environments. In remote access, for example, the responder (the server side) does not know the initiator's address in advance, or the address keeps changing, yet both parties want to create the IKE SA with pre-shared key authentication. Because the responder must then select the pre-shared key by the initiator's identity rather than by its address, aggressive mode, which sends the identity in the first message, is the only usable exchange. Its known weakness is that the pre-shared key hash it transmits in the clear can be captured and attacked offline, so such pre-shared keys must be long and random. Aggressive mode can also be used to set up the IKE SA faster when the initiator already knows the responder's policy well.

4.3.4 Overview of the IKEv2 Protocol


The IKEv2 protocol keeps the basic functions of IKE and corrects the problems found in practice with IKE.

Introduction
IKE, the first-choice key exchange protocol for IPSec VPNs, ensures that SAs are created securely and dynamically. IKE is a hybrid protocol, and its complexity has led to defects in security and performance that have become a bottleneck for current IPSec systems. IKEv2 keeps the basic functions of IKE and corrects the problems found in practice with IKE. For simplicity, efficiency, security, and robustness, the IKE documents (RFC 2407, RFC 2408, and RFC 2409) are replaced by RFC 4306. By minimizing the core functions and the default cryptographic algorithms, IKEv2 greatly improves interoperability between different IPSec VPN implementations.
Compared with IKE, IKEv2 has the following advantages:
- One IKE SA and a pair of IPSec SAs are created after four messages, so negotiation is more efficient.
- Data structures that were hard to understand and easy to confuse, including the DOI, SIT, and domain identifier, are removed.
- Many cryptographic weaknesses are closed, so security is improved.
- IKEv2 can select the specific traffic to protect through traffic selectors, taking over some functions of the former ID payload and becoming more flexible.
- IKEv2 supports EAP authentication, which makes authentication more flexible and extensible.

Negotiation Process of IKEv2


To create a pair of IPSec SAs, IKE needs two phases: main mode plus quick mode, or aggressive mode plus quick mode. Main mode plus quick mode takes at least 9 messages (6 + 3); aggressive mode plus quick mode takes at least 6 (3 + 3). IKEv2 normally creates one IKE SA and a pair of IPSec SAs with two exchanges of four messages in total (IKE_SA_INIT and IKE_AUTH). Each additional pair of IPSec SAs needs only one more exchange, that is, two messages (CREATE_CHILD_SA). IKEv2 is therefore much simpler than IKE in this respect.

4.3.5 Security Analysis of IKEv2


IKEv2 closes the security loopholes of IKE and improves the security of key negotiation. In addition, IKEv2 requires that all messages be exchanged as request/response pairs, which adds reliability on top of UDP, the unreliable transport it runs over.
The following describes the security of IKEv2.

Defense against man-in-the-middle attacks


A man-in-the-middle attack is an active attack. The attacker eavesdrops on the communicating parties to capture their messages and then inserts, deletes, or changes data in them before passing the modified messages on, or replays or redirects the original messages. It is one of the most damaging attacks. IKEv2 defends against man-in-the-middle attacks with the following mechanisms:
- Generation of key material
  The key material of IKEv2 differs from that of IKE in that the encryption keys and the integrity (authentication) keys used in the subsequent exchanges are distinct, and distinct for each direction. They are taken in sequence from the output of the prf+ function, so an attacker who learns one key cannot derive the others. As a result, keys are less likely to be disclosed, transmission is safer, and man-in-the-middle attacks are to some extent prevented.
- Authentication
  IKEv2 authenticates with pre-shared keys or digital signatures. The authentication is mutual: the negotiating parties authenticate each other. It is also symmetrical: both parties use the same mechanism and method. Mutual authentication is what actually defeats a man-in-the-middle, who cannot produce a valid AUTH payload for either side. IKEv2 also defines extended authentication, in which the parties authenticate through the methods described in EAP. Extended authentication supports asymmetrical mutual authentication (for example, the responder uses a certificate and the initiator uses EAP), which further improves the flexibility of authentication and the extensibility of the negotiation.
- Message exchange
  IKEv2 reduces the six messages of IKE main mode to four and sends the SA, KE, and nonce payloads together, so every message is bound to the nonces. When an attacker replays messages to their senders, the senders can tell whether the messages are fresh, which limits replay attacks. Each IKEv2 message header also carries a message ID, used to match a request with its response and to detect replays. Message IDs increase by one for each new request sent or received, and in every exchange except IKE_SA_INIT the message ID, like the rest of the header, is integrity protected, so it cannot be altered without detection. IKEv2 also specifies a window of outstanding requests (the sliding window), which lets the exchanges resist replay effectively.

Defense against DoS attacks


In IKEv2, the mechanisms for defending against DoS attacks are as follows:
- SPI values
  The header of every IKEv2 message carries the initiator's SPI (SPIi) and the responder's SPI (SPIr). Each is a random 8-byte value chosen by the endpoint that owns it; together they identify the IKE SA and the pair of nodes exchanging messages. A request that repeats an SPI and message ID the responder has already handled is treated as a retransmission and answered with the stored response; other duplicates are discarded, so an attacker cannot make the responder do fresh work by replaying captured requests. This limits DoS attacks to a certain extent.
- Cookie exchange
  IKEv2 defends against DoS attacks with an auxiliary exchange in which a Notify payload carries a cookie. When the responder believes it is under DoS attack, it can demand a stateless cookie from the initiator.
  On receiving the initiator's first message, the responder does not perform the IKE_SA_INIT exchange immediately. Instead it generates a cookie, places it in a Notify payload, and returns it to the initiator without keeping any state. A genuine initiator receives this message and restarts the negotiation, repeating its original payloads unchanged and adding the responder's cookie. An attacker using spoofed source addresses never sees the cookie, so it cannot make the responder allocate state.
- Retransmission rule
  All IKEv2 messages come in pairs. Within each pair, the initiator is responsible for retransmission; the responder never retransmits a response unless it receives a retransmitted request from the initiator. The two parties therefore never both retransmit, so resources are not wasted, and an attacker cannot capture a message and replay it to trigger repeated retransmissions that exhaust the resources of the negotiating parties.
- Discarding half-open connections
  An IKEv2 party decides that its peer has gone away in one of two ways: it retries the peer until the response times out, or it receives, under a different IKE SA, an encrypted INITIAL_CONTACT notification from the peer. The initiator allows multiple responders to answer its first message and treats each as potentially legitimate. After sending a few messages, once the initiator receives one valid, encrypted response, it ignores all other responses and discards the remaining invalid half-open connections. In this way, DoS attacks at the start of the negotiation are defeated.
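The SPI, cookie, message-ID, and retransmission rules above, as an added example of a responder that applies them; this is not Eudemon code. The cookie follows the construction suggested in RFC 4306 section 2.6, messages are plain dicts rather than IKEv2 wire format, and the secret, SPIs, and nonces are constructed. The half-open limit that switches the responder into cookie mode is this example's own knob.

```python
"""Added example (not Eudemon code): the DoS defences of an IKEv2 responder.

A stateless cookie built as RFC 4306 section 2.6 suggests,
Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>), message-ID
checking, and the rule that the responder only re-sends a stored reply when
the initiator retransmits.  Messages are plain dicts, not IKEv2 wire format;
the secret, SPIs and nonces are constructed for the example.
"""
import hashlib
import hmac
import os


class Responder:
    def __init__(self, half_open_limit=16):
        self._secret = os.urandom(32)     # cookie secret, rotated periodically
        self._version = 0
        self.half_open_limit = half_open_limit
        self.half_open = {}               # SPIi -> next expected request message ID
        self.last_response = {}           # SPIi -> (message ID, stored reply)

    def rotate_secret(self):
        """Old cookies stop verifying; the version byte tells them apart."""
        self._secret = os.urandom(32)
        self._version = (self._version + 1) % 256

    def _cookie(self, ni, ip, spi_i):
        h = hashlib.sha256(ni + ip + spi_i + self._secret).digest()[:16]
        return bytes([self._version]) + h  # nothing stored per initiator

    def handle_sa_init(self, msg, src_ip):
        """Answer an IKE_SA_INIT request: a COOKIE notify or the real reply."""
        ni, spi_i = msg["Ni"], msg["SPIi"]
        if len(self.half_open) >= self.half_open_limit:   # "under attack"
            cookie = self._cookie(ni, src_ip, spi_i)
            offered = msg.get("COOKIE", b"")
            if not (len(offered) == len(cookie)
                    and hmac.compare_digest(offered, cookie)):
                return {"N": "COOKIE", "COOKIE": cookie}  # one hash, no state
        # State is allocated only here, i.e. only for a reachable source.
        self.half_open[spi_i] = 1                 # IKE_AUTH must carry ID 1
        reply = {"msgid": 0, "SPIr": os.urandom(8), "Nr": os.urandom(16)}
        self.last_response[spi_i] = (0, reply)
        return reply

    def handle_request(self, spi_i, msg_id, msg):
        """Later requests on the SA: in-order IDs only, retransmits re-answered."""
        expected = self.half_open.get(spi_i)
        if expected is None:
            return None                           # unknown SA: silently dropped
        last_id, last_reply = self.last_response[spi_i]
        if msg_id == last_id:
            return last_reply                     # initiator retransmitted: resend
        if msg_id != expected:
            return None                           # replayed or skipped ID: dropped
        reply = {"msgid": msg_id, "ok": True}
        self.half_open[spi_i] = expected + 1
        self.last_response[spi_i] = (msg_id, reply)
        return reply
```

Because the cookie is bound to the initiator's source address, an attacker who spoofs addresses cannot echo it, and a cookie issued before a secret rotation is rejected by its version byte. A retransmitted request returns the very same stored reply object, while a skipped or stale message ID is dropped rather than answered.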

Perfect forward secrecy (PFS)


PFS ensures that each key can decrypt only the data it protects: if an attacker obtains one key, only the data protected by that key is exposed. For IPSec VPNs, PFS means that the keys protecting the IKE negotiation and the keys of the IPSec SAs are derived from different material, so an attacker who obtains the IKE keys cannot decrypt the IPSec-protected traffic.
In IKEv2, the key material of the initial exchange is not reused to generate the IPSec SA keys. Instead, new key material is produced by including optional KE payloads in the CREATE_CHILD_SA exchange, which performs a fresh DH exchange. PFS therefore applies only when the CREATE_CHILD_SA exchange carries those KE payloads, so it must be enabled on both peers.
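The DH exchange and PFS described under IKE Security Mechanism, and the IKEv2 key material and PFS passages above, carried through in code as an added example that is not from the original document or the Eudemon implementation. It uses DH group 2 (the 1024-bit MODP group of RFC 2409) and HMAC-SHA1 as the IKEv2 PRF, both standard transforms; the private exponents, nonces, and SPIs are constructed. `derive_child_keymat` shows the difference PFS makes: without the optional KE payloads the IPSec keys depend only on SK_d and the nonces, and with them a fresh DH secret is mixed in.

```python
"""Added example (not Eudemon code): IKEv2 key derivation with and without PFS.

Follows RFC 4306 sections 2.13 to 2.17 with Diffie-Hellman group 2 (the
1024-bit MODP group of RFC 2409) and HMAC-SHA1 as PRF, both standard IKE
transforms.  Private exponents, nonces and SPIs are constructed.
"""
import hashlib
import hmac

# Oakley group 2 prime (RFC 2409 section 6.2), generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
GROUP_LEN = 128          # g^ir is used as a fixed-length 1024-bit big-endian value


def dh_public(priv):
    """KE payload value: g^x mod p.  Only this leaves the host."""
    return pow(G, priv, P)


def dh_shared(peer_pub, priv):
    """g^ir from the peer's public value and my private exponent."""
    if not 1 < peer_pub < P - 1:          # reject 0, 1, p-1 and out-of-range values
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P).to_bytes(GROUP_LEN, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key, seed, length):
    """prf+(K,S) = T1 | T2 | ... with T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(g_ir, ni, nr, spi_i, spi_r, prf_len=20, enc_len=16, integ_len=20):
    """Split the prf+ stream into the IKE SA keys in the order RFC 4306 fixes.

    Distinct keys for integrity (a) and encryption (e), and for each
    direction (i/r): learning one reveals nothing about the others.
    """
    skeyseed = prf(ni + nr, g_ir)
    sizes = [("SK_d", prf_len), ("SK_ai", integ_len), ("SK_ar", integ_len),
             ("SK_ei", enc_len), ("SK_er", enc_len), ("SK_pi", prf_len), ("SK_pr", prf_len)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in sizes))
    keys, pos = {}, 0
    for name, n in sizes:
        keys[name] = stream[pos:pos + n]
        pos += n
    return keys


def derive_child_keymat(sk_d, ni, nr, length, g_ir_new=None):
    """KEYMAT for a CHILD (IPSec) SA.

    Without PFS it depends only on SK_d and the nonces, so whoever holds
    SK_d can recompute it.  With PFS (KE payloads in CREATE_CHILD_SA) a fresh
    DH secret g_ir_new is mixed in, which SK_d alone does not give away.
    """
    seed = (g_ir_new or b"") + ni + nr
    return prf_plus(sk_d, seed, length)
```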

4.3.6 IKEv2 and EAP Authentication


IKEv2 supports third-party EAP authentication of the negotiation initiator.
The Extensible Authentication Protocol (EAP) is an authentication framework that supports multiple authentication methods. Its biggest advantage is extensibility: new authentication methods can be added like components without changing the existing authentication system, and EAP can conveniently reuse an authentication mechanism the organization already has.
IKEv2 supports third-party EAP authentication of the negotiation initiator. The responder decides whether EAP authentication is required by whether the initiator's IKE_AUTH message contains an Authentication (AUTH) payload.
If the initiator's message has no AUTH payload, the initiator is requesting EAP authentication. The responder's reply names the EAP method the responder allows, and the initiator's next request carries the authentication data for that method. The responder relays this data to the third-party EAP authentication server, which performs the authentication according to RFC 3748, and then returns a response announcing success or failure.
Throughout this process the responder does not need to understand the specific authentication method; it acts as a relay between the initiator and the EAP server. The initiator and the EAP server carry out the whole exchange, and the responder only needs the result. Many authentication methods, including computationally heavy ones, can thus be supported without increasing the software complexity of the responder. The responder still authenticates itself to the initiator in IKE_AUTH with a digital signature, so EAP supplies the initiator's half of the mutual authentication.


4.3.7 NAT Traversal of IPSec


NAT traversal of IPSec inserts a standard UDP header between the IP header and the ESP header of the packet (AH is not considered, because AH authenticates the IP header fields that NAT rewrites).

NAT Traversal
One of the main applications of IPSec is setting up VPNs. In practice, one situation makes deploying an IPSec VPN difficult: an initiator on an internal private network wants to build an IPSec tunnel directly to a remote responder, which requires IPSec and NAT to cooperate. The two problems are how IKE discovers, during negotiation, that a NAT gateway sits between the two endpoints, and how IKE makes ESP packets traverse the NAT gateway.
First, the two endpoints of the planned IPSec tunnel negotiate their NAT traversal capabilities. This negotiation uses the first two messages of the IKE exchange: a Vendor ID payload carries a fixed data value that identifies NAT traversal support. The value varies between draft versions of the NAT traversal specification, so peers implementing different drafts may not recognize each other.
NAT gateway discovery is carried out with NAT-D payloads, which serve two purposes:
- To discover whether a NAT gateway lies between the IKE peers
- To determine which of the peers is behind the NAT device
Each NAT-D payload carries a hash of an IP address and port. The receiver recomputes the hash over the addresses and ports it actually sees in the packet and detects translation when the values differ.
The peer behind the NAT, acting as the initiator, must send NAT keepalive packets regularly so that the NAT gateway keeps the mapping used by the security tunnel alive.

IPSec Traversing NAT Gateway

NAT traversal of IPSec inserts a standard UDP header between the IP and ESP headers of the packet (AH is not considered). When such an ESP packet traverses the NAT gateway, NAT translates the address in the outer IP header and the port number in the added UDP header. When the translated packet reaches the far end of the IPSec tunnel, the UDP header is stripped and the packet is processed like any other IPSec packet. The response packet must likewise carry a UDP header between its IP and ESP headers.
The firewall supports the following:
- NAT traversal in aggressive mode
- NAT traversal in main mode
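NAT discovery and UDP encapsulation as described above, as an added example that is not Eudemon code. The NAT-D hash and the non-ESP marker follow RFC 3947, and ESP-in-UDP and the keepalive follow RFC 3948; cookies, addresses, and ports are constructed, and `nat_rewrite` only imitates what a NAT does to the outer UDP header. The scenario is an initiator at 10.0.0.5 behind a NAT that presents it as 203.0.113.9 to a responder at 198.51.100.1.

```python
"""Added example (not Eudemon code): IKE NAT traversal discovery and UDP encapsulation.

NAT-D hash = HASH(CKY-I | CKY-R | IP | Port) and the 4-byte zero "non-ESP
marker" for IKE on port 4500 are from RFC 3947; ESP in UDP and the 1-byte
0xFF keepalive are from RFC 3948.  Cookies, addresses and ports below are
constructed; `nat_rewrite` only imitates what a NAT does to the outer layer.
"""
import hashlib
import socket
import struct

NAT_T_PORT = 4500


def nat_d_hash(cky_i, cky_r, ip, port, hash_fn=hashlib.sha1):
    """One NAT-D payload value (hash_fn is the phase 1 hash: MD5 or SHA-1)."""
    return hash_fn(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_d_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    """What a peer sends: first the address it sees for the other side
    (the packet's destination), then its own address (RFC 3947 section 4)."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, received, my_ip, my_port, pkt_src_ip, pkt_src_port):
    """Run by the receiver of the NAT-D payloads.

    Returns (local_behind_nat, remote_behind_nat).  If the sender's view of my
    address differs from my real address, I am behind a NAT; if none of the
    sender's own-address hashes matches the packet's source, the sender is.
    """
    their_view_of_me, their_own = received[0], received[1:]
    local_nat = their_view_of_me != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    remote_nat = nat_d_hash(cky_i, cky_r, pkt_src_ip, pkt_src_port) not in their_own
    return local_nat, remote_nat


def classify_udp4500(payload):
    """Demultiplex one datagram received on UDP port 4500."""
    if payload == b"\xff":
        return "nat-keepalive"            # keeps the NAT mapping alive, no content
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                      # non-ESP marker: an IKE message follows
    return "esp"                          # first 4 bytes are the SPI, never zero


def udp_encapsulate(esp_packet, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """UDP | ESP: the UDP header is what lets the NAT track the flow."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp_packet), 0) + esp_packet


def nat_rewrite(udp_datagram, new_sport):
    """A NAT changes the outer UDP source port (and the outer IP address, not
    modelled here); the ESP bytes, which are integrity protected, are untouched."""
    _, dport, length, _ = struct.unpack("!HHHH", udp_datagram[:8])
    return struct.pack("!HHHH", new_sport, dport, length, 0) + udp_datagram[8:]


def udp_decapsulate(udp_datagram):
    """Strip the UDP header; returns (kind, bytes handed on to IKE or ESP)."""
    payload = udp_datagram[8:]
    kind = classify_udp4500(payload)
    if kind == "ike":
        return kind, payload[4:]          # drop the non-ESP marker
    if kind == "esp":
        return kind, payload              # processed as for any IPSec packet
    return kind, b""
```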

4.3.8 Implementing IPSec on the Eudemon 1000E


Through IPSec, the Eudemon 1000E and its peer can apply different protection (authentication, encryption, or both) to different data traffic.

Implementing IKE on the Eudemon 1000E

The Eudemon 1000E supports the main mode and aggressive mode of traditional IKE, implemented according to RFC 2408 and RFC 2409, so it can interwork with the equipment of most mainstream vendors.
To use NAT traversal for IPSec on the Eudemon 1000E, use either main mode or aggressive mode in phase 1 of IKE negotiation; the peer ID type is then the peer's name or IP address. In addition, the proposal must use ESP and encapsulate packets in tunnel mode (AH cannot be used, because it authenticates the IP header fields that NAT changes).
On the Eudemon 1000E, IKE is configured as follows:
1. Set the local ID used in the IKE exchange.
2. Specify the attributes of the IKE peer, including the IKE negotiation mode, the pre-shared key, the peer IP address or peer ID, and NAT traversal, so that IKE negotiation is valid.
3. Create an IKE proposal that sets the strength of the IKE exchange, that is, its security protection (identity authentication method, encryption algorithm, authentication algorithm, and DH group). Strength varies from algorithm to algorithm: the stronger the algorithm, the harder the protected data is to recover, but the more computing resources it consumes. In general, the longer the key, the stronger the algorithm.
Besides these basic steps, IKE has a keepalive mechanism that determines whether the peer can still communicate normally; it has two parameters, "interval" and "timeout".
IKE also supports Dead Peer Detection (DPD), which performs better and responds faster than keepalive because it probes the peer only when no traffic has been received from it; its interval parameter can be configured.
When IPSec NAT traversal is configured, you can set the interval at which NAT keepalive packets are sent.

After the IKE configuration, reference the IKE peer in the IPSec policy view to complete the IPSec configuration by auto-negotiation.

Implementation of IKEv2 on the Eudemon 1000E


The Eudemon 1000E currently implements the basic functions of IKEv2, including the basic exchanges and informational exchanges, NAT traversal, DPD, and interworking with mainstream devices.
IKEv2 is configured on the Eudemon 1000E in almost the same way as IKE. For details, refer to the Quidway Eudemon 1000E Unified Security Gateway Configuration Guide, Security Defense Volume.

Implementing IPSec on the Eudemon 1000E


The Eudemon 1000E implements the functions and mechanisms described in the preceding sections.
The following describes the implementation roadmap. Through IPSec, data streams between peers (here, the Eudemon 1000E and its peer) receive stream-specific protection by authentication, encryption, or both:
- Data streams are differentiated by ACLs.
- The security protection elements are defined in an IPSec proposal:
  - Security protocol
  - Authentication algorithm
  - Encryption algorithm
  - Encapsulation mode
- The following are defined in the IPSec policy:
  - Association between data streams and the IPSec proposal (that is, which protection applies to which data stream)
  - SA negotiation mode
  - Peer IP address (the start point and end point of the protection path)
  - Required keys
  - Lifetime of the SA
- IPSec policies are applied on Eudemon 1000E interfaces.

The procedure is as follows:
1. Define the data streams to be protected.
   A data stream is a collection of traffic specified by:
   - Source address/mask
   - Destination address/mask
   - IP protocol number
   - Source port number
   - Destination port number
   An ACL rule defines a data stream: traffic that matches one ACL rule is logically one data stream. A data stream can be a single TCP connection between two hosts or all traffic between two subnets. IPSec can apply different protection to different data streams, so the first step of IPSec configuration is to define them.
2. Define an IPSec proposal.
   The IPSec proposal prescribes the security protocol, the authentication algorithm, the encryption algorithm, and the encapsulation mode for the data streams to be protected.
   The Eudemon 1000E supports AH and ESP, used independently or in combination. AH supports the MD5 and SHA-1 authentication algorithms. ESP supports the MD5 and SHA-1 authentication algorithms and the DES, 3DES, and AES encryption algorithms. The Eudemon 1000E supports both transport and tunnel encapsulation modes.
   For a given data stream, the two ends of the security tunnel must be configured with the same security protocol, algorithms, and encapsulation mode; a mismatch makes the negotiation fail. When IPSec is applied between two security gateways (such as two firewalls), tunnel mode must be used so that the real source and destination IP addresses are hidden.
   Define the proposal according to your requirements before associating a data stream with it.
3. Define an IPSec policy or IPSec policy group.
   The IPSec policy references a configured proposal to specify the security protocol, algorithms, and encapsulation mode for a particular data stream. A policy is uniquely identified by its name and sequence number.
   IPSec policies are of two types:
   - Manual IPSec policy: parameters such as keys, SPIs, and SA lifetime are configured manually. In tunnel mode, the IP addresses of the peers must be configured.
   - IKE negotiation IPSec policy: parameters such as keys, SPIs, and SA lifetime are generated automatically through IKE auto-negotiation.
   An IPSec policy group consists of IPSec policies with the same name but different sequence numbers. Within a group, the policy with the smaller sequence number has the higher priority and is matched first.
4. Apply the IPSec policy group on an interface.
   Applying a policy group on an interface applies all policies in the group on that interface, so different data streams passing through the interface can receive different protection.
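The four-step procedure above, modelled in code as an added example that is neither Eudemon code nor its CLI. Class names are this example's own; the permitted algorithm combinations are the ones the text lists for the Eudemon 1000E, and the peer-address rule for manual tunnel-mode policies is the one stated in step 3. Two policies share one group: the lower sequence number captures SSH traffic between the subnets with AH+ESP and 3DES, and the higher one catches the rest of the subnet pair with ESP and DES, so the order of configuration does not matter but the sequence numbers do.

```python
"""Added example (not Eudemon code or CLI): how an IPSec policy group selects
protection for a data stream.

Names are this example's own.  It models the procedure in the text: an ACL
rule defines a data stream by the 5-tuple, a proposal fixes protocol,
algorithms and encapsulation mode, a policy binds one to the other, policies
with the same name form a group, and the lowest sequence number wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

AUTH_ALGS = {"md5", "sha1"}             # what the text lists for AH and ESP
CIPHERS = {"des", "3des", "aes"}        # what the text lists for ESP


@dataclass(frozen=True)
class AclRule:
    src: str                              # source address/mask, CIDR form
    dst: str                              # destination address/mask
    proto: Optional[int] = None           # IP protocol number, None = any
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt.get("proto"))
                and self.sport in (None, pkt.get("sport"))
                and self.dport in (None, pkt.get("dport")))


@dataclass(frozen=True)
class Proposal:
    protocols: Tuple[str, ...]            # ("AH",), ("ESP",) or ("AH", "ESP")
    auth: str                             # "md5" or "sha1"
    cipher: Optional[str]                 # ESP only: "des", "3des" or "aes"
    mode: str                             # "transport" or "tunnel"

    def __post_init__(self):
        if not self.protocols or not set(self.protocols) <= {"AH", "ESP"}:
            raise ValueError("protocols must be AH, ESP or both")
        if self.auth not in AUTH_ALGS or self.mode not in ("transport", "tunnel"):
            raise ValueError("bad authentication algorithm or encapsulation mode")
        if "ESP" in self.protocols and self.cipher not in CIPHERS:
            raise ValueError("ESP needs DES, 3DES or AES")
        if "ESP" not in self.protocols and self.cipher is not None:
            raise ValueError("AH authenticates only; it cannot encrypt")


@dataclass(frozen=True)
class Policy:
    name: str
    seq: int
    acl: AclRule
    proposal: Proposal
    negotiation: str                      # "manual" or "isakmp"
    peer: Optional[str] = None            # remote tunnel endpoint

    def __post_init__(self):
        if self.negotiation not in ("manual", "isakmp"):
            raise ValueError("negotiation must be manual or isakmp")
        if (self.negotiation == "manual" and self.proposal.mode == "tunnel"
                and self.peer is None):
            raise ValueError("manual tunnel-mode policy needs the peer address")


class PolicyGroup:
    """Policies sharing a name; the smaller sequence number has priority."""

    def __init__(self, name):
        self.name, self._policies = name, []

    def add(self, policy):
        if policy.name != self.name:
            raise ValueError("policy %s belongs to another group" % policy.name)
        if any(p.seq == policy.seq for p in self._policies):
            raise ValueError("sequence number %d already used" % policy.seq)
        self._policies.append(policy)
        self._policies.sort(key=lambda p: p.seq)

    def select(self, pkt):
        """First policy, in sequence order, whose ACL matches the packet.
        None means no policy applies and the packet is not IPSec-protected."""
        for policy in self._policies:
            if policy.acl.matches(pkt):
                return policy
        return None
```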

4.3.9 Access to VPN Supported by IPSec


On the Eudemon 1000E, IPSec provides point-to-point tunnel connections that keep user data secure. Because many small enterprises cannot afford a firewall of their own, IPSec multi-instance is introduced so that one firewall can provide security for the multiple VPNs connected to it.
The Eudemon 1000E supports the following two access modes:
- VPNs connected to the Eudemon 1000E through the Internet
  To save cost, small enterprises often have no service gateway of their own and protect their networks with a leased firewall. The VPN and the Eudemon 1000E are then connected through the Internet, so hosts in the VPN must cross the insecure Internet to reach other network resources. For these users, the VPN is associated with an SA and connected to the ISP backbone through an IPSec tunnel. The networking is shown in Figure 4-12.
  Figure 4-12 Connecting a VPN with the Eudemon 1000E through the Internet
  (Figure: a VPN site connected over the Internet to the firewall.)
- VPNs connected to the Eudemon 1000E directly
  This is the standard access mode, used by companies that can afford their own service gateway. The VPN is connected directly to an interface of the Eudemon 1000E through a leased line, and the VPN's data is protected by the IPSec tunnel. The networking is shown in Figure 4-13.
  Figure 4-13 Connecting a VPN with the Eudemon 1000E directly
  (Figure: a VPN site connected directly to the firewall.)

4.3.10 License
The number of tunnels supported by IPSec is determined by the license.
You can obtain the services provided by IPSec only after you obtain the license.

4.4 GRE
The Generic Routing Encapsulation (GRE) protocol encapsulates packets of a network layer
protocol, such as Internet Packet Exchange (IPX), so that they can be transmitted over another
network layer protocol, such as IP. GRE is a Layer 3 tunneling protocol used by VPNs.
4.4.1 Introduction
The GRE protocol encapsulates packets of a network layer protocol, such as IP or Internet
Packet Exchange (IPX), so that they can be transmitted over another network layer protocol,
such as IP.
4.4.2 Realization
The transmission of packets in GRE tunnels can be divided into two processes: encapsulation
and decapsulation.
4.4.3 License
GRE is not controlled by the license.
4.4.4 Applications of GRE
The GRE protocol can implement many types of services. For example, the combination of GRE
and IPSec can protect multicast data.

4.4.1 Introduction
The GRE protocol encapsulates packets of a network layer protocol, such as IP or Internet
Packet Exchange (IPX), so that they can be transmitted over another network layer protocol,
such as IP.

GRE Overview
GRE serves as a Layer 3 tunneling protocol of Virtual Private Networks (VPNs), and provides
a tunnel for transparently transmitting VPN packets. A tunnel is a virtual point-to-point
connection. It can be regarded as a virtual interface that supports only point-to-point connections.
This virtual interface provides a channel through which encapsulated data packets can be
transmitted. At both ends of a tunnel, data packets are encapsulated or decapsulated.

Format of GRE Packets

After receiving a network layer protocol packet that needs to be encapsulated and routed,
the system adds a GRE header to the packet and then encapsulates the result in an IP packet.
The IP protocol is then responsible for forwarding the packet. Figure 4-14 shows the format
of an encapsulated GRE packet.
Figure 4-14 Format of an encapsulated GRE packet
  Delivery Header (Transport Protocol) | GRE Header (Encapsulation Protocol) | Payload Packet (Passenger Protocol)

The meaning of each term is as follows:
• Payload: the packet received by the system, which needs to be encapsulated and routed.
• Passenger Protocol: the protocol of the packet before encapsulation.
• Encapsulation Protocol: the GRE protocol, which wraps the payload. It is also called the
  carrier protocol.
• Transport Protocol: the protocol that is responsible for forwarding the encapsulated packet.

For example, Figure 4-15 shows the format of an IP packet encapsulated in an IP tunnel.
Figure 4-15 Delivery packet format in the tunnel
  IP (Transport Protocol) | GRE (Encapsulation Protocol) | IP (Passenger Protocol)

GRE Packet Header

The GRE header complies with the RFC specification. Figure 4-16 shows the format of a
GRE packet header.
Figure 4-16 GRE packet header
  Bit:  0  1  2  3  4  5-7        8-12   13-15    16-31
        C  0  K  0  0  Recursion  Flags  Version  Protocol Type
        Checksum (optional)                        0
        Key (optional)

The meaning of each field is as follows:
• C: the Checksum bit. If it is set to 1, the Checksum field is present in the GRE header;
  if it is set to 0, the GRE header does not contain the Checksum field.
• K: the Key bit. If it is set to 1, the Key field is present in the GRE header; if it is
  set to 0, the GRE header does not contain the Key field.
• Recursion: the number of times the packet has been GRE-encapsulated. This field increases
  by one with each encapsulation. If the number of encapsulations is greater than 3, the
  packet is discarded. This field prevents a packet from being encapsulated endlessly.
• Flags: a reserved field. At present, it must be set to 0.
• Version: the version number. It must be set to 0. Version number 1 is used by PPTP as
  defined in RFC 2637.
• Protocol Type: the type of the passenger protocol.
• Checksum: the checksum of the GRE header and the payload.
• Key: the Key field. It is used by the receiver to authenticate the received packet.
NOTE
The GRE header does not contain the Source Route field; therefore, Bit 1, Bit 3, and Bit 4 are all set to 0.

Characteristics of GRE
GRE has the following characteristics:
• Its mechanism is simple, so the CPUs at the two ends of the tunnel carry a low load.
• GRE itself does not encrypt the data. It can be used together with IPSec.
• GRE does not provide traffic control or QoS.

4.4.2 Realization
The transmission of packets in GRE tunnels can be divided into two processes: encapsulation
and decapsulation. The network shown in Figure 4-17 illustrates the two processes.
• Encapsulation
  After receiving an IP packet from the interface connected to IP Group 1, Eudemon 1000E A
  delivers the packet to the IP protocol module for processing.
  The IP protocol module checks the destination address field in the IP packet header and
  decides how to route the packet. If the outgoing interface is the tunnel interface, the IP
  protocol module sends the packet to the tunnel module.
  After receiving the packet, the tunnel interface encapsulates it into a GRE packet and then
  delivers the GRE packet to the IP module. The IP module adds an IP header to the packet and
  then delivers the packet to the corresponding network interface according to the destination
  IP address and the routing table.
• Decapsulation
  Decapsulation is the reverse of encapsulation. After receiving the packet from the interface
  connected to the public network, Eudemon 1000E B analyzes the IP header. If it finds that it
  is itself the destination of the packet, it removes the IP header and delivers the packet to
  the GRE module for processing. After completing its processing, the GRE module removes the
  GRE header and delivers the packet to the IP protocol, which forwards the packet as an
  ordinary packet.
Figure 4-17 Private IP network interconnection through GRE tunnels (figure: IP group 1 behind
Firewall A, IP group 1 behind Firewall B, Tunnel between Firewall A and Firewall B)
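The encapsulation and decapsulation steps above, together with the header fields described under "GRE Packet Header", as an added worked example in Python. This is not code from the Eudemon 1000E or from this document: it builds the IP/GRE/IP layering of Figure 4-15 on constructed addresses and payload (the 192.0.2.x and 198.51.100.x documentation addresses and the function names are the example's own choices), checks the Version, reserved and Recursion fields and the optional Checksum and Key on receipt, and discards a packet whose recursion count exceeds 3.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# First 16-bit word of the GRE header (Figure 4-16): bit 0 = C, bit 2 = K, bits 5-7 = Recursion,
# bits 8-12 = Flags (must be 0), bits 13-15 = Version (must be 0). Bits 1, 3 and 4 are always 0 here.
GRE_C, GRE_K, GRE_UNUSED_BITS = 0x8000, 0x2000, 0x5800 | 0x00F8
MAX_RECURSION = 3           # more than 3 encapsulations: the packet is discarded
ETHERTYPE_IPV4 = 0x0800     # Protocol Type value for an IP passenger packet
IPPROTO_GRE = 47            # protocol number of GRE in the IP delivery header


def ones_complement_checksum(data: bytes) -> int:
    """IP-style 16-bit one's complement checksum; a packet carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int = ETHERTYPE_IPV4, key: Optional[int] = None,
                    checksum: bool = False, recursion: int = 0) -> bytes:
    """Prepend a GRE header; `recursion` is how many GRE layers the payload already carries."""
    if recursion > MAX_RECURSION:
        raise ValueError("recursion limit exceeded: packet discarded")
    word0 = ((recursion & 0x7) << 8) | (GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
    hdr = struct.pack("!HH", word0, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)               # checksum placeholder and the 0 word
    if key is not None:
        hdr += struct.pack("!I", key & 0xFFFFFFFF)
    packet = hdr + payload
    if checksum:                                      # the checksum covers GRE header + payload
        packet = packet[:4] + struct.pack("!H", ones_complement_checksum(packet)) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes, expected_key: Optional[int] = None) -> Tuple[int, bytes]:
    """Validate and strip the GRE header; returns (Protocol Type, payload) or raises ValueError."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    word0, proto = struct.unpack("!HH", packet[:4])
    if (word0 & 0x0007) or (word0 & GRE_UNUSED_BITS):
        raise ValueError("unsupported version or reserved bits set")
    if ((word0 >> 8) & 0x7) > MAX_RECURSION:
        raise ValueError("recursion limit exceeded: packet discarded")
    offset = 4 + (4 if word0 & GRE_C else 0) + (4 if word0 & GRE_K else 0)
    if len(packet) < offset:
        raise ValueError("truncated GRE header")
    if (word0 & GRE_C) and ones_complement_checksum(packet) != 0:
        raise ValueError("bad GRE checksum")
    if word0 & GRE_K:                                 # the Key is always the last optional field
        (key,) = struct.unpack("!I", packet[offset - 4:offset])
        if expected_key is not None and key != expected_key:
            raise ValueError("GRE key mismatch: packet is not from this tunnel")
    elif expected_key is not None:
        raise ValueError("GRE key required but absent")
    return proto, packet[offset:]


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = IPPROTO_GRE, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 delivery header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def tunnel_send(inner_ip: bytes, tunnel_src: str, tunnel_dst: str, key: Optional[int] = None) -> bytes:
    """Encapsulation: inner IP packet -> GRE -> outer IP, the layering of Figure 4-15."""
    gre = gre_encapsulate(inner_ip, ETHERTYPE_IPV4, key=key, checksum=True)
    return ipv4_header(tunnel_src, tunnel_dst, len(gre)) + gre


def tunnel_receive(outer: bytes, my_addr: str, expected_key: Optional[int] = None) -> bytes:
    """Decapsulation at the tunnel endpoint: check the delivery header, strip it, then strip GRE."""
    ihl = (outer[0] & 0x0F) * 4
    if ones_complement_checksum(outer[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    if str(ipaddress.IPv4Address(outer[16:20])) != my_addr:
        raise ValueError("not addressed to this endpoint: forward as an ordinary packet")
    if outer[9] != IPPROTO_GRE:
        raise ValueError("delivery header does not carry GRE")
    proto, inner = gre_decapsulate(outer[ihl:], expected_key)
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % proto)
    return inner
```

The Key and Checksum only identify the tunnel and detect accidental corruption: both travel in the clear, so neither authenticates the sender nor keeps the payload confidential, which is why section 4.4.4 pairs GRE with IPSec when the data needs protection. Dropping packets whose recursion count exceeds 3, as the page describes, is what keeps a misrouted tunnel from wrapping its own traffic without bound.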

4.4.3 License
GRE is not controlled by the license.
GRE is a basic feature of the Eudemon 1000E, so the service is available without a license.

4.4.4 Applications of GRE

The GRE protocol can implement many types of services. For example, the combination of GRE
and IPSec can protect multicast data.

Enlarging the Operation Scope of a Network with Limited Hops

Figure 4-18 Enlarging the network operation scope (figure: PC, Firewall, Tunnel, Firewall, PC)

In Figure 4-18, the IP protocol runs on the network. Assume that the IP protocol limits the hop
count to 15. If the hop count between two PCs is greater than 15, they cannot communicate.
When a tunnel is used in the network, the hops inside the tunnel are hidden from the passenger
protocol, which enlarges the scope of network operation.


Connecting Discontinuous Sub-Networks to Establish a VPN

Figure 4-19 Connecting two discontinuous sub-networks with a tunnel (figure: IP group 1,
Firewall, Vlan, Tunnel, Firewall, IP group 1)

As shown in Figure 4-19, two VPN sub-networks, Group 1 and Group 2, are in two different
cities. By setting up a GRE tunnel between the devices at the network edge, you can connect the
two sub-networks into one continuous VPN.

GRE-IPSec Tunnel
Figure 4-20 GRE-IPSec tunnel (figure: Remote office network, Firewall, GRE Tunnel carried inside
an IPSec Tunnel, Firewall, Corporate intranet)

As shown in Figure 4-20, multicast data can be encapsulated in GRE packets and transmitted
through the GRE tunnel. According to the protocol, IPSec encrypts and protects only unicast
data. To transmit multicast data such as routing protocol, voice, and video traffic, set up a
GRE tunnel and encapsulate the multicast data in GRE packets. IPSec then encrypts the GRE
packets, so they can be transmitted through the IPSec tunnel.
You can optionally configure the key of the GRE tunnel interface so that encapsulated packets
are checked end to end.
Encapsulation and decapsulation, and the extra data added by encapsulation, may reduce the
forwarding efficiency of the Eudemon 1000E.

5 Reliability

About This Chapter


The Eudemon 1000E supports VRRP, VGMP, and HRP. It can implement routing information
backup, backup group management, and dual-system hot backup, and therefore delivers high
reliability. The Eudemon 1000E is referred to as Firewall in the figures.
5.1 Overview of VRRP
The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol defined in RFC
3768. By separating physical devices from logical devices, VRRP chooses a path from multiple
egress gateways.
5.2 Overview of Two-Node Cluster Hot Backup
The dual-system hot backup function of the Eudemon 1000E accomplishes hot backup of the
configuration commands and the state information. This function supports automatic backup
and manual batch backup.
5.3 Relations Between the VRRP Backup Group, Management Group, and HRP
Protocol relationships exist between the VRRP backup group and the VGMP group, and between
the VGMP group and HRP. HRP packets are carried by VGMP packets for transmission.
5.4 Overview of Optical Bypass
This section describes the optical bypass function of the Eudemon 1000E.


5.1 Overview of VRRP

The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol defined in RFC
3768. By separating physical devices from logical devices, VRRP chooses a path from multiple
egress gateways.
5.1.1 Traditional VRRP
The Eudemon 1000E supports the Virtual Router Redundancy Protocol (VRRP) and the formation
of backup groups based on virtual IP addresses. The hosts on a network continuously
communicate with other networks through a virtual router.
5.1.2 Disadvantages of Traditional VRRP in Eudemon 1000E Backup
Security zones are introduced in the Eudemon 1000E. Two Eudemon 1000Es can implement
route redundancy backup: one serves as the primary Eudemon 1000E and the other as the
secondary Eudemon 1000E. Interfaces on the primary and secondary Eudemon 1000Es are
associated with corresponding security zones.

5.1.1 Traditional VRRP

The Eudemon 1000E supports the Virtual Router Redundancy Protocol (VRRP) and the formation
of backup groups based on virtual IP addresses. The hosts on a network continuously
communicate with other networks through a virtual router.
Usually, each host on an intranet is configured with a default route whose next hop is the IP
address of the egress router, that is, 10.100.10.1/24 in Figure 5-1.
Figure 5-1 Networking using the default route (figure: PC and Server on 10.100.10.0/24, Router
at 10.100.10.1/24)

All packets exchanged between intranet users and Internet users pass through the router. When
the router fails, all hosts on the intranet (whose default next hop is the router) can no longer
communicate with the Internet. Communication in default route mode is therefore unreliable.
The Virtual Router Redundancy Protocol (VRRP) solves this problem.
As a fault-tolerant protocol, VRRP is applicable to a LAN that supports multicast or broadcast,
such as Ethernet.
VRRP organizes several routers on a LAN into a virtual router, named a backup group. In a
backup group, only one device is in active state; it is named the Primary. The others are in
standby state, ready to take over at any time according to their priority; these inactive
devices are named Secondaries.

Figure 5-2 shows a backup group comprising three routers.

Figure 5-2 Networking using the VRRP virtual router (figure: Router A, Primary, 10.100.10.2/24;
Router B, Secondary, 10.100.10.3/24; Router C, Secondary, 10.100.10.4/24; backup group with the
virtual IP address 10.100.10.1/24; PC and Server on 10.100.10.0/24)

As shown in Figure 5-2:
• Routers A, B, and C make up a backup group, which serves as a virtual router with the
  virtual IP address 10.100.10.1.
• Router A is the Primary, with the IP address 10.100.10.2.
• Routers B and C are Secondaries, with the IP addresses 10.100.10.3 and 10.100.10.4
  respectively.
• In VRRP, only the active router forwards packets whose next hop is the virtual IP address.

All hosts on the intranet know only the virtual IP address 10.100.10.1, not the IP address of
the Primary or of a Secondary. Therefore, the default route of each host points to the virtual
IP address, and all hosts on the intranet communicate with the Internet through this backup
group.
The VRRP module on the primary router monitors the state of the communication interface and
sends notification packets to the secondary routers in multicast mode.
When the primary router fails, for example, because an interface or link fails, the VRRP
notification packets are no longer sent out as usual.
When a secondary router receives no VRRP notification packet within the specified interval,
the secondary router with the highest priority changes its VRRP state to active. In this way,
the services running on the primary router continue to run on that secondary router.
If the primary router of the backup group fails, the other secondary routers of the group select
a new router according to their priorities; the selected router works in active state and
provides routing services to the hosts on the network.
With VRRP, the hosts on the intranet can communicate with the Internet continuously, so
reliability is guaranteed.
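The election described above, as an added simulation in Python that is not code from this document or from the Eudemon 1000E: a backup group with the three routers of Figure 5-2, the virtual IP address 10.100.10.1, and constructed priorities. Router A stops advertising, and after the master-down interval (three advertisement intervals, following RFC 3768, with the skew time omitted) the Secondary with the highest priority takes the active role while the hosts keep using the same virtual address. The class and function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VrrpRouter:
    name: str
    ip: str                     # the router's own interface address
    priority: int               # 1-254; the highest priority wins the election
    state: str = "Secondary"
    last_advert_seen: float = 0.0
    up: bool = True


class BackupGroup:
    """One VRRP backup group: several routers, one virtual IP address, one Primary at a time."""

    def __init__(self, virtual_ip: str, routers: List[VrrpRouter], advert_interval: float = 1.0):
        self.virtual_ip = virtual_ip
        self.routers = list(routers)
        self.now = 0.0
        # A Secondary declares the Primary dead after three missed advertisements
        # (RFC 3768 Master_Down_Interval; the skew time is omitted in this model).
        self.master_down_interval = 3 * advert_interval
        self._best(self.routers).state = "Primary"   # initial election

    @staticmethod
    def _best(routers: List[VrrpRouter]) -> VrrpRouter:
        # Highest priority wins; RFC 3768 breaks ties in favour of the higher IP address.
        return max(routers, key=lambda r: (r.priority, ipaddress.IPv4Address(r.ip)))

    def primary(self) -> Optional[VrrpRouter]:
        return next((r for r in self.routers if r.state == "Primary"), None)

    def fail(self, name: str) -> None:
        """Interface or link failure: the router stops sending advertisements."""
        for r in self.routers:
            if r.name == name:
                r.up = False
                r.state = "Down"

    def tick(self, dt: float) -> Optional[str]:
        """Advance time by dt seconds; return the name of the router now forwarding traffic
        addressed to the virtual IP, or None while no router holds the Primary role."""
        self.now += dt
        master = self.primary()
        if master is not None:
            for r in self.routers:          # the multicast advertisement reaches every Secondary
                if r.state == "Secondary":
                    r.last_advert_seen = self.now
            return master.name
        starved = [r for r in self.routers
                   if r.state == "Secondary" and r.up
                   and self.now - r.last_advert_seen >= self.master_down_interval]
        if not starved:
            return None                     # still inside the master-down interval
        new_master = self._best(starved)
        new_master.state = "Primary"
        return new_master.name


def failover_demo() -> List[Optional[str]]:
    """Figure 5-2 with constructed priorities: Router A fails after its first advertisement,
    hosts keep sending to 10.100.10.1, and Router B takes over after three missed intervals."""
    group = BackupGroup("10.100.10.1", [
        VrrpRouter("Router A", "10.100.10.2", priority=120),
        VrrpRouter("Router B", "10.100.10.3", priority=110),
        VrrpRouter("Router C", "10.100.10.4", priority=100),
    ])
    timeline = [group.tick(1.0)]                        # t=1: Router A advertises normally
    group.fail("Router A")
    timeline += [group.tick(1.0) for _ in range(4)]     # t=2..5: detection, election, new Primary
    return timeline
```

The two None entries in the returned timeline are the detection gap: hosts still address 10.100.10.1 during that window, and packets sent to it are lost until the election completes, which is the interval the advertisement timer trades against false failovers.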

5.1.2 Disadvantages of Traditional VRRP in Eudemon 1000E Backup

Security zones are introduced in the Eudemon 1000E. Two Eudemon 1000Es can implement
route redundancy backup: one serves as the primary Eudemon 1000E and the other as the
secondary Eudemon 1000E. Interfaces on the primary and secondary Eudemon 1000Es are
associated with corresponding security zones.

Typical Networking of Eudemon 1000E Backup

With traditional VRRP, each zone needs its own VRRP group to monitor the working state of the
interfaces connected to that security zone. That is, the interfaces connected to each security
zone on the two Eudemon 1000Es form a backup group (a virtual firewall), and each group is
assigned a virtual IP address, as shown in Figure 5-3.
Figure 5-3 Typical networking of Eudemon 1000E backup (figure: Firewall A, Primary, and
Firewall B, Secondary; backup group 1 in the Trust zone, 10.100.10.0/24, virtual IP address
10.100.10.1; backup group 2 in the DMZ, 10.100.20.0/24, virtual IP address 10.100.20.1; backup
group 3 in the Untrust zone, virtual IP address 202.38.10.1)

As shown in Figure 5-3:
• Eudemon 1000E A is the Primary and Eudemon 1000E B is the Secondary.
• Interfaces connected to the Trust zone on the primary and secondary Eudemon 1000Es
  make up backup group 1, with the virtual IP address 10.100.10.1.
• Interfaces connected to the DMZ on the primary and secondary Eudemon 1000Es make up
  backup group 2, with the virtual IP address 10.100.20.1.
• Interfaces connected to the Untrust zone on the primary and secondary Eudemon 1000Es
  make up backup group 3, with the virtual IP address 202.38.10.1.

State Requirements for Eudemon 1000E Backup

Because the Eudemon 1000E is a stateful firewall, it checks the first packet of a session and
generates a session entry dynamically. Only subsequent packets (including return packets) that
match the session entry can pass through the Eudemon 1000E. Therefore, the inbound path and
the outbound path of the same session must be consistent; otherwise, subsequent packets or
return packets that match no session entry are discarded, as shown in Figure 5-4.

Figure 5-4 Eudemon 1000E backup state (figure: PC1 in the Trust zone, PC2 in the Untrust zone,
Firewall A (Primary) holding the session entry, Firewall B (Secondary), DMZ; forward path
(1)-(2)-(3)-(4), return path (5)-(6)-(7)-(8), and the alternative return path (5)-(9) through
Firewall B; solid lines are actual connections, the other lines are packet traffic)

In Figure 5-4, assume that the VRRP states of Eudemon 1000E A and Eudemon 1000E B are
consistent, that is, all interfaces on Eudemon 1000E A are in active state and all interfaces
on Eudemon 1000E B are in standby state. If PC1 in the Trust zone accesses PC2 in the Untrust
zone, the packet is sent from the Trust zone to the Untrust zone along the path (1)-(2)-(3)-(4).
When the packet passes Eudemon 1000E A, a dynamic session entry is generated. The return
packet, sent along the path (5)-(6)-(7)-(8), matches the session entry and reaches the host in
the Trust zone.
Now assume that the VRRP states of Eudemon 1000E A and Eudemon 1000E B are inconsistent.
For example, on Eudemon 1000E B the interface connected to the Trust zone is in standby state
while the interface connected to the Untrust zone is in active state. After the packets from PC1
in the Trust zone pass Eudemon 1000E A and reach PC2 in the Untrust zone, a session entry is
dynamically generated on Eudemon 1000E A. The return packet is sent along the path (5)-(9).
At this time, Eudemon 1000E B has no session entry for the data flow. Unless some other
packet-filtering rule permits the packet, Eudemon 1000E B discards it, and the session is
disrupted.
To summarize, the VRRP states are consistent only if the interfaces connected to each zone on
the same Eudemon 1000E are in the same state, that is, all active or all standby at the same
time.
The Eudemon 1000E connects to several security zones, and each of its interfaces forms a
backup group with the peer interface connected to the same security zone.
Under the traditional VRRP mechanism, the VRRP instance of each backup group works
independently, so the VRRP states of the interfaces on one Eudemon 1000E cannot be kept
consistent. That is, traditional VRRP cannot achieve VRRP state consistency on the Eudemon
1000E.

Disadvantages of Traditional VRRP in Eudemon 1000E Backup

In current networks, the Eudemon 1000E, as a security device, is usually located at the service
access point between a protected network and an unprotected network, and users have high
requirements on its reliability.

Users specifically require that communications at the following points not be disrupted:
• Important service ingress points
• Access points
• Enterprise Internet access points
• Bank database servers

If only one Eudemon 1000E is located at the service point, the network may be disrupted by a
single point of failure, however reliable the Eudemon 1000E itself is.
For this reason, a redundancy backup mechanism is offered to improve the stability and
reliability of the entire system.

5.2 Overview of Two-Node Cluster Hot Backup

The dual-system hot backup function of the Eudemon 1000E accomplishes hot backup of the
configuration commands and the state information. This function supports automatic backup
and manual batch backup.
5.2.1 HRP Application
The Huawei Redundancy Protocol (HRP) is transmitted in VGMP packets to back up key
configuration commands and session status information between the master device and the
backup device.
5.2.2 Primary/Secondary Configuration Devices
In load balancing mode, there are two master devices on the network. To avoid confusion during
backup, Eudemon 1000E devices are grouped into master configuration devices and backup
configuration devices.

5.2.1 HRP Application


The Huawei Redundancy Protocol (HRP) is transmitted through the VGMP packets to back up
key configuration commands and session status information of the master device and the backup
device.
The Eudemon 1000E is a stateful firewall, which means there is a session entry for each dynamic
session connection on the Eudemon 1000E, as shown in Figure 5-5.


Figure 5-5 Typical data path in primary/secondary mode (figure: PC1 in the Trust zone, PC2 in
the Untrust zone, Firewall A (Primary) holding the session entry, Firewall B (Secondary), DMZ;
forward path (1)-(2)-(3)-(4), return path (5)-(6)-(7)-(8); solid lines are actual connections,
the other lines are packet traffic)

In primary/secondary mode, if Eudemon 1000E A is the active device, it carries all data
transmission and many dynamic session entries are set up on it; Eudemon 1000E B is the
standby device, and no data passes through it.
When an error occurs on Eudemon 1000E A or on an associated link, Eudemon 1000E B switches
to the active role and begins to transfer data. However, if no session entries or configuration
commands were backed up to Eudemon 1000E B before the switchover, all sessions that had
passed through Eudemon 1000E A are disconnected because their packets match no entry, and
services are disrupted.
For the secondary Eudemon 1000E to take over smoothly when the primary Eudemon 1000E breaks
down, configuration commands and state information must be backed up from the primary
Eudemon 1000E to the secondary Eudemon 1000E.
The Huawei Redundancy Protocol (HRP) is developed for this purpose. HRP is transmitted in
VGMP packets over the data channels of the VRRP management group.
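The two failure modes described in this chapter, the inconsistent VRRP states of section 5.1.2 and the failover without session backup that HRP addresses, as one added model in Python. This is illustrative code written for this page, not the Eudemon 1000E's implementation: the zone names, addresses and flow are constructed, and hrp_backup_to() stands in for the HRP session backup the page describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


class StatefulFirewall:
    """Per-zone VRRP interface state plus the session table of a stateful firewall."""

    def __init__(self, name: str, zone_states: Dict[str, str]):
        self.name = name
        self.zone_states = dict(zone_states)    # zone -> "active" | "standby" | "down"
        self.sessions: Set[Flow] = set()

    def handle(self, flow: Flow, from_zone: str) -> str:
        if flow in self.sessions or flow.reverse() in self.sessions:
            return "forwarded"                  # subsequent or return packet matches a session entry
        if from_zone == "trust":                # policy: Trust may initiate; create the session entry
            self.sessions.add(flow)
            return "forwarded"
        return "dropped"                        # no session entry and no rule permits the packet

    def hrp_backup_to(self, peer: "StatefulFirewall") -> None:
        """Stand-in for HRP session backup: copy this device's session entries to the peer."""
        peer.sessions |= self.sessions


def route(firewalls: List[StatefulFirewall], flow: Flow, from_zone: str) -> str:
    """Hosts and routers in a zone send to whichever firewall holds the active VRRP state there."""
    fw = next(f for f in firewalls if f.zone_states[from_zone] == "active")
    return fw.handle(flow, from_zone)


def scenario(consistent: bool = True, hrp: bool = False, failover: bool = False) -> str:
    """Return what happens to the return packet of a Trust -> Untrust session."""
    a = StatefulFirewall("Firewall A",
                         {"trust": "active", "untrust": "active" if consistent else "standby"})
    b = StatefulFirewall("Firewall B",
                         {"trust": "standby", "untrust": "standby" if consistent else "active"})
    fws = [a, b]
    request = Flow("10.100.10.5", "202.38.10.5", "tcp", 40000, 80)   # constructed PC1 -> PC2
    route(fws, request, "trust")            # first packet: session entry created on Firewall A
    if hrp:
        a.hrp_backup_to(b)                  # HRP copies the entry to the standby device
    if failover:                            # Firewall A fails; B becomes active in every zone
        a.zone_states = {zone: "down" for zone in a.zone_states}
        b.zone_states = {zone: "active" for zone in b.zone_states}
    return route(fws, request.reverse(), "untrust")
```

scenario(consistent=False) reproduces the (5)-(9) path of Figure 5-4, where the return packet reaches a device with no matching entry; scenario(failover=True) reproduces the switchover of Figure 5-5 without HRP, and adding hrp=True is what keeps the established session alive across it. The same mechanism that drops the unmatched packet is the one protecting the Trust zone, so the fix is state consistency and session backup, not a permissive rule for Untrust-initiated traffic.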

5.2.2 Primary/Secondary Configuration Devices

In load balancing mode, there are two master devices on the network. To avoid confusion during
backup, Eudemon 1000E devices are grouped into master configuration devices and backup
configuration devices.
In load balancing mode, there are two primary Eudemon 1000Es on the network, and users can
enter many commands on either of them. To avoid confusion during backup when one primary
Eudemon 1000E fails, the Eudemon 1000Es are grouped into primary configuration devices, which
send backup data, and secondary configuration devices, which receive backup data.
A primary configuration device must meet the following requirements:
• In a VRRP management group, only the Eudemon 1000E that is in active state can be the
  primary configuration device.
• In load balancing mode, both Eudemon 1000Es that take part in two-node cluster hot backup
  are primary Eudemon 1000Es. In this case, the primary configuration device is selected
  based on the priorities of the VRRP groups and the actual IP addresses of the interfaces
  (in descending order).

To ensure the stability of the primary configuration device, it always works in active mode
unless it fails or quits the VRRP backup group.
NOTE
The concepts of primary and secondary configuration devices apply to load balancing mode, not
to primary/secondary mode.

5.3 Relations Between the VRRP Backup Group, Management Group, and HRP

Protocol relationships exist between the VRRP backup group and the VGMP group, and between
the VGMP group and HRP. HRP packets are carried by VGMP packets for transmission.
The hierarchical relations between the VRRP backup group, management group, and HRP are
shown in Figure 5-6.
Figure 5-6 Hierarchical relations between the VRRP backup group, management group, and HRP
(figure, top to bottom: HRP module exchanging HRP packets; VRRP management group exchanging
VGMP packets; VRRP backup group)

When the state of the VRRP management group changes, the system notifies HRP and the
primary or secondary configuration device to change their states. In this way, configuration
commands and session state information can be backed up between the two Eudemon 1000Es in
time. In addition, the state of the VRRP management group is affected by the HRP state: based
on the result of an HRP state switchover, VRRP modifies priorities and changes the VRRP state.
When the state of the VRRP backup group changes, the VRRP management group determines
whether to change the states of the following elements:
• VRRP management group
• HRP
• Primary and secondary configuration devices

5.4 Overview of Optical Bypass

This section describes the optical bypass function of the Eudemon 1000E.
5.4.1 Background
If the current network does not adopt the two-node cluster hot backup mode, the Eudemon
1000E is a single link. In the case of equipment failure, a single-point failure occurs, affecting
normal communications.
5.4.2 Optical Bypass Application
In practice, optical bypass can be switched in two ways: automatic switch and manual switch.

5.4.1 Background
If the current network does not adopt the two-node cluster hot backup mode, the Eudemon
1000E is a single link. In the case of equipment failure, a single-point failure occurs, affecting
normal communications.
In the network shown in Figure 5-7, if two-node cluster hot backup is not adopted, the Eudemon
1000E is the single link: all packets exchanged between the intranet users and the Internet
users must be forwarded by the Eudemon 1000E. The packet transmission is shown in Figure 5-8
A. In the case of equipment failure, a single-point failure occurs, affecting normal
communications.
Figure 5-7 Networking diagram of a single link (figure: PC A in the Trust zone, Firewall, Router
B, PC B)

Figure 5-8 Networking diagram before and after optical bypass (figure, panels A and B: Router A,
OSN 900A, Firewall, Router B; in panel B the packets travel between Router A and Router B
without passing through the Firewall)

To solve the preceding problem, you can use the optical bypass function of the network between
the Eudemon 1000E and the OSN 900A. Once this function is enabled, packets bypass the
Eudemon 1000E and travel along path B directly between Router A and Router B, as shown in
Figure 5-8 B. This ensures the continuity of communications. During this period, the Eudemon
1000E does not protect the intranet.
While the Eudemon 1000E is faulty, malicious Internet users may intrude into the intranet and
damage the network. You are advised to rectify the fault of the Eudemon 1000E in time to
resume the packet transmission mode shown in Figure 5-8 A, so that the Eudemon 1000E defends
the intranet again.

5.4.2 Optical Bypass Application

In practice, optical bypass can be switched in two ways: automatic switch and manual switch.
Once a fault occurs on the Eudemon 1000E, the link is switched automatically to maintain
normal communications between intranet users and Internet users.
When you need to upgrade the software of the Eudemon 1000E, you can switch the link manually
so that communications for the users are not interrupted.
NOTE
The Eudemon 1000E must work in transparent mode when you configure the optical bypass function.


A Acronyms and Abbreviations

Acronyms and Abbreviations

This describes acronyms and abbreviations in this document.


A
AAA

Authentication, Authorization and Accounting

ACK

Acknowledgement

ACL

Access Control List

AES

Advanced Encryption Standard

AH

Authentication Header

ALG

Application Level Gateway

ARP

Address Resolution Protocol

ASPF

Application Specific Packet Filter

AUX

Auxiliary (port)

B
BAS

Broadband Access Server

BGP

Border Gateway Protocol

BSD

Berkeley Software Distribution

Issue 01 (2009-01-20)

CA

Certification Authority

CC

Challenge Collapsar

CAR

Committed Access Rate

CHAP

Challenge Handshake Authentication Protocol

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

A-1

Quidway Eudemon 1000E Unified Security Gateway


Feature Description

A Acronyms and Abbreviations

CPE-based
VPN

Customer Premises Equipment based VPN

CRL

Certificate Revocation List

D
DB

Database

DDN

Digital Data Network

DDoS

Distributed Denial of Service

DES

Data Encryption Standard

DES-CBC

DES-Cipher Block Chaining

DH

Diffie-Hellman

DHCP

Dynamic Host Configuration Protocol

DMZ

Demilitarized Zone

DN

Distinguished Name

DNS

Domain Name Server

DoS

Denial of Service

E
ESP

Encapsulating Security Payload

F
FE

Fast Ethernet

FIFO

First In First Out

FTP

File Transfer Protocol

A-2

GE

Gigabit Ethernet

GGSN

Gateway GPRS Support Node

GPRS

General Packet Radio Service

GRE

Generic Routing Encapsulation

GSR

Gigabit Switching Router

GUI

Graphic User Interface

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

Issue 01 (2009-01-20)

Quidway Eudemon 1000E Unified Security Gateway


Feature Description

A Acronyms and Abbreviations

H
HRP

Huawei Redundancy Protocol

HTTP

Hyper Text Transport Protocol

HWCC

HuaWei Conference Control protocol

I
ICMP

Internet Control Message Protocol

ID

Identity

IDC

Internet Data Center

IDS

Intrusion Detection System

IETF

Internet Engineering Task Force

IGMP

Internet Group Management Protocol

IKE

Internet Key Exchange

ILS

Internet Locator Service

IP

Internet Protocol

IPC

Inter-Process Communication

IPSec

IP Security Protocol

ISAKMP

Internet Security Association and Key Management Protocol

ISDN

Integrated Services Digital Network

IS-IS

Intermediate System-to-Intermediate System

ISP

Internet Service Provider

L
L2F

Layer 2 Forwarding

L2TP

Layer 2 Tunneling Protocol

LAC

L2TP Access Concentrator

LAN

Local Area Network

LCP

Link Control Protocol

LDAP

Lightweight Directory Access Protocol

LNS

L2TP Network Server

Issue 01 (2009-01-20)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

A-3

Quidway Eudemon 1000E Unified Security Gateway


Feature Description

A Acronyms and Abbreviations

M
MAC        Media Access Control
MAN        Metropolitan Area Network
MD5        Message Digest 5
MGCP       Media Gateway Control Protocol
MPLS       Multi-Protocol Label Switch
MSDP       Multicast Source Discovery Protocol
MSN        Microsoft Network
MTU        Maximum Transfer Unit

N
NAPT       Network Address and Port Translation
NAS        Network Access Server
NAT        Network Address Translation
NBT        NetBIOS over TCP/IP
NCP        Network Control Protocol
NetBIOS    Network Basic Input/Output System
NP         Number Portable

O
OSI        Open Systems Interconnection
OSPF       Open Shortest Path First


P
P2P        Peer To Peer
PAP        Password Authentication Protocol
PC         Personal Computer
PFS        Perfect Forward Secrecy
PIM-DM     Protocol Independent Multicast-Dense Mode
PIM-SM     Protocol Independent Multicast-Sparse Mode
PING       Packet Internet Groper
PKI        Public Key Interface
POP        Point of Presence


PPP        Point-to-Point Protocol
PPTP       Point to Point Tunneling Protocol
PSTN       Public Switched Telephone Network


Q
QoS        Quality of Service

R
RADIUS     Remote Authentication Dial-In User Service
RAS        Remote Access Server
RD         Router Distinguisher
RFC        Request For Comments
RIP        Routing Information Protocol
RSA        Rivest, Shamir, Adleman
RTSP       Real-Time Streaming Protocol

S
SA         Security Association
SAS        Service Analyze Server
SC         Secospace controller
SLB        Server Load Balancing
SIG        Service Inspection Gateway
SIP        Session Initiation Protocol
SM         Secospace Manager
SMTP       Simple Mail Transfer Protocol
SPI        Security Parameter Index
SSH        Secure Shell
SSL        Secure Socket Layer


T
TACACS     Terminal Access Controller Access Control System
TCP        Transmission Control Protocol


TCP/IP     Transmission Control Protocol / Internet Protocol
TFTP       Trivial File Transfer Protocol
ToS        Type of Service

U
UDP        User Datagram Protocol
URL        Uniform Resource Location

V
VGMP       VRRP Group Management Protocol
VLAN       Virtual Local Area Network
VLL        Virtual Leased Line
VOD        Video On Demand
VPDN       Virtual Private Data Network
VPLS       Virtual Private LAN Segment
VPN        Virtual Private Network
VPRN       Virtual Private Routed Network
VRP        Versatile Routing Platform
VRRP       Virtual Router Redundancy Protocol
VT         Virtual Tributary
VTP        VLAN Trunk Protocol


W
WAN        Wide Area Network
WAP        Wireless Application Protocol
WWW        World Wide Web
