V100R002
Feature Description
Issue: 01
Date: 2009-01-20
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any
assistance, please contact our local office or company headquarters.
Website: http://www.huawei.com
Email: support@huawei.com
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but the statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
About This Document.....................................................................................................................1
1 Overview......................................................................................................................................1-1
1.1 Overview of Network Security.......................................................................................................................1-2
1.1.1 Security Threats......................................................................................................................................1-2
1.1.2 Classification of Network Security Services..........................................................................................1-2
1.1.3 Implementation of Network Security Services......................................................................................1-3
1.2 Overview of Firewalls.....................................................................................................................................1-5
1.2.1 Functions of Firewalls............................................................................................................................1-5
1.2.2 Firewall Development Course................................................................................................................1-6
1.3 Overview of the Eudemon 1000E...................................................................................................................1-7
1.3.1 Product Series.........................................................................................................................................1-7
1.3.2 Advantages.............................................................................................................................................1-8
1.4 Functions and Features of the Eudemon 1000E............................................................................................1-10
1.4.1 Security Defense..................................................................................................................................1-10
1.4.2 Network Interconnection......................................................................................................................1-12
1.4.3 Service Application..............................................................................................................................1-13
1.4.4 Configuration and Management...........................................................................................................1-14
1.4.5 Maintenance and Reliability.................................................................................................................1-14
1.4.6 System Log...........................................................................................................................................1-15
1.5 Location of the Eudemon 1000E on the Network.........................................................................................1-15
3 Security Features........................................................................................................................3-1
3.1 Virtual Firewalls..............................................................................................................................................3-3
Issue 01 (2009-01-20)
3.2 ACL.................................................................................................................................................................3-4
3.2.1 ACL Definition......................................................................................................................................3-4
3.2.2 ACL Application....................................................................................................................................3-4
3.2.3 ACL on the Eudemon 1000E.................................................................................................................3-6
3.2.4 ACL Step................................................................................................................................................3-8
3.3 Security Policy................................................................................................................................................3-8
3.3.1 Packet Filtering......................................................................................................................................3-9
3.3.2 ASPF......................................................................................................................................................3-9
3.3.3 Blacklist................................................................................................................................................3-11
3.3.4 MAC and IP Address Binding.............................................................................................................3-11
3.3.5 Port Identification.................................................................................................................................3-11
3.4 Attack Defense..............................................................................................................................................3-12
3.4.1 Overview of Attack Defense................................................................................................................3-12
3.4.2 Types of Network Attacks....................................................................................................................3-12
3.4.3 Typical Examples of Network Attacks................................................................................................3-13
3.4.4 Attack Defense Principles....................................................................................................................3-15
3.5 NAT...............................................................................................................................................................3-16
3.5.1 Overview of NAT.................................................................................................................................3-16
3.5.2 NAT on the Eudemon 1000E...............................................................................................................3-17
3.6 Static Multicast..............................................................................................................................................3-22
3.6.1 Restrictions of Unicast or Broadcast....................................................................................................3-23
3.6.2 Overview of Static Multicast................................................................................................................3-24
3.6.3 Implementing Static Multicast on the Eudemon 1000E.......................................................................3-26
3.7 Keyword Authentication...............................................................................................................................3-26
3.8 P2P Traffic Limiting.....................................................................................................................................3-26
3.8.1 Introduction to P2P Traffic Limiting...................................................................................................3-27
3.8.2 P2P Traffic Detection and Limiting.....................................................................................................3-27
3.9 GTP Function................................................................................................................................................3-28
3.9.1 Overview of GTP.................................................................................................................................3-28
3.9.2 Applications of GTP On the Eudemon 1000E.....................................................................................3-29
3.9.3 License.................................................................................................................................................3-29
3.10 IDS Cooperation..........................................................................................................................................3-29
3.10.1 Overview of the IDS Cooperation......................................................................................................3-30
3.10.2 Features of IDS Cooperation..............................................................................................................3-31
3.10.3 Types of IDS Servers.........................................................................................................................3-31
3.11 Secospace Cooperation...............................................................................................................................3-31
3.11.1 Background........................................................................................................................................3-32
3.11.2 Work Flow of Secospace Cooperation...............................................................................................3-33
3.11.3 Specifications of Secospace Cooperation...........................................................................................3-34
3.12 Authentication and Authorization...............................................................................................................3-34
3.12.1 Overview of Authentication and Authorization.................................................................................3-35
3.12.2 Overview of the RADIUS Protocol...................................................................................................3-35
4 VPN...............................................................................................................................................4-1
4.1 Introduction.....................................................................................................................................................4-2
4.1.1 VPN Overview.......................................................................................................................................4-2
4.1.2 VPN Classification.................................................................................................................................4-3
4.1.3 VPN Fundaments...................................................................................................................................4-4
4.1.4 VPN Basic Networking Application......................................................................................................4-6
4.2 L2TP................................................................................................................................................................4-7
4.2.1 VPDN Overview....................................................................................................................................4-7
4.2.2 L2TP Overview......................................................................................................................................4-8
4.2.3 Access to VPN Supported by L2TP.....................................................................................................4-13
4.2.4 License.................................................................................................................................................4-13
4.3 IPSec..............................................................................................................................................................4-13
4.3.1 Overview of the IPSec Protocol...........................................................................................................4-14
4.3.2 IPSec Basic Concepts...........................................................................................................................4-15
4.3.3 Overview of the IKE Protocol..............................................................................................................4-18
4.3.4 Overview of the IKEv2 Protocol..........................................................................................................4-20
4.3.5 Security Analysis of IKEv2..................................................................................................................4-21
4.3.6 IKEv2 and EAP Authentication...........................................................................................................4-23
4.3.7 NAT Traversal of IPSec.......................................................................................................................4-24
4.3.8 Implementing IPSec on the Eudemon 1000E......................................................................................4-24
4.3.9 Access to VPN Supported by IPSec.....................................................................................................4-27
4.3.10 License...............................................................................................................................................4-27
4.4 GRE...............................................................................................................................................................4-28
4.4.1 Introduction..........................................................................................................................................4-28
4.4.2 Realization............................................................................................................................................4-30
4.4.3 License.................................................................................................................................................4-31
4.4.4 Applications of GRE............................................................................................................................4-31
5 Reliability....................................................................................................................................5-1
5.1 Overview of VRRP.........................................................................................................................................5-2
5.1.1 Traditional VRRP...................................................................................................................................5-2
5.1.2 Disadvantages of Traditional VRRP in Eudemon 1000E Backup.........................................................5-4
5.2 Overview of Two-Node Cluster Hot Backup..................................................................................................5-6
5.2.1 HRP Application....................................................................................................................................5-6
5.2.2 Primary/Secondary Configuration Devices............................................................................................5-7
5.3 Relations Between the VRRP Backup Group, Management Group, and HRP..............................................5-8
5.4 Overview of Optical Bypass...........................................................................................................................5-9
5.4.1 Background............................................................................................................................................5-9
5.4.2 Optical Bypass Application..................................................................................................................5-10
Figures
Figure 2-1 Networking in routing mode...............................................................................................................2-3
Figure 2-2 Networking in transparent mode........................................................................................................2-3
Figure 2-3 Networking in composite mode..........................................................................................................2-4
Figure 2-4 Broadcasting an information packet...................................................................................................2-6
Figure 2-5 Reversely learning the relation between the MAC address of workstation A and the port................2-6
Figure 2-6 Reversely learning the relation between the MAC address of workstation B and the port................2-7
Figure 2-7 Forwarding frames after finding the address table.............................................................................2-8
Figure 2-8 Discarding frames after finding the address table .............................................................................2-8
Figure 2-9 Forwarding frames after not finding the address table.......................................................................2-9
Figure 2-10 Relations between interfaces, networks, and security zones..........................................................2-12
Figure 3-1 Networking diagram of the basic processes of NAT........................................................................3-17
Figure 3-2 Basic process of NAPT.....................................................................................................................3-19
Figure 3-3 Networking diagram of configuring inbound NAT..........................................................................3-20
Figure 3-4 Networking diagram of NAT within a security zone.......................................................................3-21
Figure 3-5 Unicast information transmission.....................................................................................................3-23
Figure 3-6 Broadcast information transmission.................................................................................................3-24
Figure 3-7 Multicast information transmission..................................................................................................3-25
Figure 3-8 Transmission mode of static multicast.............................................................................................3-26
Figure 3-9 Networking diagram of the IDS cooperation....................................................................................3-30
Figure 3-10 Networking diagram of Secospace Cooperation............................................................................3-32
Figure 3-11 Message flow between the RADIUS client and server..................................................................3-36
Figure 3-12 RADIUS message structure............................................................................................................3-37
Figure 4-1 Networking diagram of a VPN access................................................................................................4-4
Figure 4-2 Networking diagram of VPN applications.........................................................................................4-6
Figure 4-3 Networking diagram of VPDN application based on L2TP...............................................................4-8
Figure 4-4 L2TP protocol structure......................................................................................................................4-9
Figure 4-5 Two typical L2TP tunnel modes......................................................................................................4-10
Figure 4-6 Typical networking diagram of L2TP..............................................................................................4-11
Figure 4-7 Procedure for setting up an L2TP call..............................................................................................4-11
Figure 4-8 Packet format in the transport mode.................................................................................................4-17
Figure 4-9 Packets format in the tunnel mode...................................................................................................4-17
Figure 4-10 The relation between IKE and IPSec..............................................................................................4-19
Figure 4-11 Setup process of SA........................................................................................................................4-20
Figure 4-12 Connecting a VPN with the Eudemon 1000E through Internet.....................................................4-27
Figure 4-13 Connecting a VPN with the Eudemon 1000E directly...................................................................4-27
Figure 4-14 Format of an encapsulated GRE packet..........................................................................................4-28
Figure 4-15 Delivery packet format in the tunnel..............................................................................................4-29
Figure 4-16 GRE packet header ........................................................................................................................4-29
Figure 4-17 Private IP network interconnection through GRE tunnels.............................................................4-31
Figure 4-18 Enlarging the network operation scope..........................................................................................4-31
Figure 4-19 Connecting two Discontinuous Sub-Networks with tunnel...........................................................4-32
Figure 4-20 GRE-IPSec tunnel...........................................................................................................................4-32
Figure 5-1 Networking using the default route....................................................................................................5-2
Figure 5-2 Networking of using the VRRP virtual router....................................................................................5-3
Figure 5-3 Typical networking of Eudemon 1000E backup................................................................................5-4
Figure 5-4 Eudemon 1000E backup state.............................................................................................................5-5
Figure 5-5 Typical data path in primary/secondary mode....................................................................................5-7
Figure 5-6 Hierarchical relations between the VRRP backup group, management group, and HRP..................5-8
Figure 5-7 Networking diagram of a single link..................................................................................................5-9
Figure 5-8 Networking diagram before and after optical bypass.......................................................................5-10
Tables
Table 1-1 Link layer protocols of the Eudemon 1000E.....................................................................................1-12
Table 1-2 IP services of the Eudemon 1000E....................................................................................................1-12
Table 1-3 Routing protocols of the Eudemon 1000E.........................................................................................1-13
Table 1-4 AAA service applications of the Eudemon 1000E.............................................................................1-13
Table 1-5 QoS service applications of the Eudemon 1000E..............................................................................1-14
Table 3-1 ACL description...................................................................................................................................3-6
Related Version
The following table lists the product version related to this document.
Product Name
Version
V100R002
Intended Audience
This document is intended for:
- Network engineers
- Network administrators
Organization
This document is organized as follows.
- 1 Overview
- 2 Introduction to the Eudemon 1000E
- 3 Security Features
- 4 VPN
- 5 Reliability
- A Acronyms and Abbreviations
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows:
- DANGER
- WARNING
- CAUTION
- TIP
- NOTE
General Conventions
The general conventions that may be found in this document are defined as follows:
- Boldface
- Italic
- Courier New
Command Conventions
The command conventions that may be found in this document are defined as follows:
- Boldface
- Italic
- [ ]
- { x | y | ... }
- [ x | y | ... ]
- { x | y | ... }*
- [ x | y | ... ]*
GUI Conventions
The GUI conventions that may be found in this document are defined as follows:
- Boldface
- >
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows:
- Key: Press the key. For example, press Enter and press Tab.
- Key 1+Key 2
- Key 1, Key 2
Mouse Operations
The mouse operations that may be found in this document are defined as follows:
- Click
- Double-click
- Drag: Press and hold the primary mouse button and move the pointer to a certain position.
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
1 Overview
1.1 Overview of Network Security
1.1.1 Security Threats
- Unauthorized use: Resources are used by an unauthorized user (also called an illegal user) or in an unauthorized mode (also called illegal authorization). For example, an attacker obtains a user name and password to access a computer system and use its resources illegally.
- DoS: The server denies legal access requests from legal users. For example, an attacker sends a large number of data packets to the server within a short time, so that the overloaded server cannot process legal tasks.
- Information theft: Instead of attacking the system directly, an attacker eavesdrops on the system and obtains significant data or information from the network.
- Data tampering: An attacker undermines data integrity by modifying, deleting, delaying, or reordering system data or message streams, or by inserting false messages.
1.1.2 Classification of Network Security Services
- Availability service: Ensures that information or services can be accessed when required.
- Confidentiality service: Ensures that sensitive data or information is not disclosed or exposed to an unauthorized entity.
- Integrity service: Ensures that data cannot be changed or destroyed in an unauthorized mode.
- Verification service: Ensures the legality of an entity ID.
- Authorization: Specifies the access authority of a user to control resources.
1.1.3 Implementation of Network Security Services
Encryption
Encryption is the process of translating a readable message into unreadable encrypted text. It not only ensures communication security but also serves as the basis of many other security mechanisms.
Encryption can be applied in the following mechanisms:
- Hash: Compresses a variable-length message into a fixed-length code, the hash or message digest. Examples include Message Digest 5 (MD5) and Secure Hash Algorithm (SHA).
Authentication
Authentication verifies the legality of a user ID before the user accesses the network or obtains services.
Authentication can be provided locally by each device on the network or carried out through a dedicated authentication server. The latter offers better flexibility, controllability, and expandability.
In today's heterogeneous network environments, Remote Authentication Dial In User Service (RADIUS), an open standard, is widely used to provide the authentication service.
Access Control
Access control is an enhanced authorization method. Generally, it is classified into the following types:
Security Protocols
Network security protocols play an extremely significant role in network security. The following describes the widely used security protocols in terms of the Transmission Control Protocol/Internet Protocol (TCP/IP) layered model:
Based on this idea, the Secure Socket Layer (SSL) protocol was developed on the basis of the reliable transmission service.
At present, the most significant security protocol at the network layer is IP Security (IPSec). IPSec is a generic term for a series of network security protocols, including security protocols and encryption protocols.
IPSec can provide communicating parties with the following services:
- Access control
- Connectionless integrity
- Anti-replay
- Encryption
1.2 Overview of Firewalls
1.2.1 Functions of Firewalls
- Restricting the entry of users or information from a specific and strictly controlled website.
- Restricting the exit of users or information from a specific and strictly controlled website.
1.2.2 Firewall Development Course
- As the complexity and length of the ACL increase, its filtering performance degrades greatly.
- Packet filtering neither checks session states nor analyzes data; that is, it cannot filter data at the user level to prevent spoofing. For example, an attacker can set a host IP address to a legal host IP address to pass packet filtering.
- Low processing speed due to software restrictions, and vulnerability to DoS attacks.
- Difficult to upgrade, as an application proxy must be developed for each protocol.
The stateful firewall uses various state tables to keep track of active Transmission Control Protocol (TCP) sessions and User Datagram Protocol (UDP) pseudo sessions. The ACL then determines which sessions can be set up. Finally, only the packets associated with permitted sessions are forwarded.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
NOTE
A UDP pseudo session is a session during which a virtual connection is set up to process the packets of UDP-based protocols and to monitor the status of UDP connections.
The stateful firewall captures packets at the network layer. It then extracts the state information required by the security policies at the application layer and saves it in dynamic state tables. The firewall analyzes the state tables and the subsequent connection requests related to the data packet to make a proper decision.
For the Internet, the stateful firewall serves as a proxy system, because all external service requests appear to come from the same host.
For the intranet, the stateful firewall serves as a packet filtering system, because intranet users consider that they interwork directly with the Internet.
The stateful firewall has the following advantages:
- High speed: A stateful firewall records the connection state while performing the ACL check on the initial packet. ACL checks are not required for subsequent packets; the firewall only needs to look up their connection state records in the state table. After these packets pass the check, the connection state records are refreshed, so packets of the same connection are no longer checked repeatedly. Unlike the fixed order of an ACL, the records in the connection state table can be arranged arbitrarily, so the firewall can search them quickly with algorithms such as binary trees or hashing to improve system transmission efficiency.
- Reliable security: The connection state table is managed dynamically. After a session is completed, the temporary return-packet entry created on the firewall is closed to ensure the security of the intranet. Meanwhile, with real-time connection state monitoring, the firewall can identify the connection state from state factors such as the responses recorded in the state table, which further enhances system security.
1-7
1 Overview
The Eudemon 1000E uses a specially designed, highly reliable hardware system and a dedicated
OS with independent intellectual property rights.
The Eudemon 1000E is integrated with:
In addition, it provides:
The Eudemon 1000E series consist of the following products. For each product, the main
performance parameters are as follows:
With a combination of the Eudemon 1000E series firewalls and the existing routers and switches
of Huawei, Huawei provides customers with an advanced and overall security solution for
small-sized, medium-sized, and large-sized intranets.
1.3.2 Advantages
As a new generation of high-speed stateful firewalls, the Eudemon 1000E provides customers
with cost-effective security solutions to protect their small and medium-sized networks. Its
advantages include enhanced security features and high-speed processing capability.
Enhanced Security
Compared with software firewalls based on a common OS, the Eudemon 1000E uses a specially
designed hardware platform and a secure OS with independent intellectual property rights. Its
packet processing is completely separated from the OS, which significantly increases system
security.
With its own ASPF state inspection technology, the Eudemon 1000E can:
With the above features, the Eudemon 1000E ensures the security of networks.
High Reliability
Defense against a variety of attacks has been taken into account in the software design. The
Eudemon 1000E achieves great robustness by means of priority scheduling and flow control.
In addition, the Eudemon 1000E supports two-node cluster hot backup, so that services are not
disrupted during a state switchover.
Besides the security protection function, the Eudemon 1000E is integrated with certain routing
functions:
- Static routing
The Eudemon 1000E supports multiple working modes, such as routing mode, transparent mode,
and composite mode. In transparent mode you do not need to change the original network
configuration: the Eudemon 1000E serves as a network bridge, which simplifies networking.
Working Mode
The Eudemon 1000E supports the following working modes:
- Routing mode
- Transparent mode
- Composite mode
Packet Filtering
The Eudemon 1000E supports the following packet filtering modes:
- Inter-zone ACL
- Blacklists
NAT
The Network Address Translation (NAT) function of the Eudemon 1000E is described as
follows:
- NBT
- H.323
- MSN
Attack Defense
The attack defense of the Eudemon 1000E is described as follows:
- Defends against multiple DoS attacks, such as SYN Flood, ICMP Flood, UDP Flood, WinNuke,
  ICMP redirection, unreachable packets, Land, Smurf, and Fraggle.
- Defends against scanning and snooping, such as address scanning, port scanning, the IP
  source routing option, the IP route record option, and ICMP snooping packets.
IDS Cooperation
The following describes the cooperation between the Eudemon 1000E and an intrusion detection
system (IDS):
- The Eudemon 1000E opens the related ports to interwork with other security software. In
  this way, a unified security network is set up.
- IDS cooperation depends on the joint work of the firewall and the IDS devices on the
  intranet. In this way, illegal operations by intranet users and attacks that have already
  entered the intranet can be detected and prevented.
Traffic Monitoring
The following describes the traffic monitoring of the Eudemon 1000E:
- Supports limiting the rate and the number of IP-based connections.
Product          Description
Eudemon 1000E    Supports Ethernet_II. Supports VLAN.
IP Services
Table 1-2 describes the IP services of the Eudemon 1000E.
Table 1-2 IP services of the Eudemon 1000E
Product          Description
Eudemon 1000E    Supports ARP.
Routing Protocols
Table 1-3 describes the routing protocols of the Eudemon 1000E.
AAA
Table 1-4 describes the service applications of authentication, authorization, and accounting
(AAA) of the Eudemon 1000E.
Table 1-4 AAA service applications of the Eudemon 1000E
QoS
Table 1-5 describes the service applications of quality of service (QoS) of the Eudemon
1000E.
Product          Description
Eudemon 1000E    CAR
                 Sequence guarantee
CLI
The following describes the command line interface (CLI) of the Eudemon 1000E:
- Hierarchical protection of command lines against access by unauthorized users.
- Network test tools, such as the tracert and ping commands, which help to quickly determine
  whether the network is working normally.
System Management
The following describes the system management of the Eudemon 1000E:
- Supports configuration file upload, license file upload, and file download and deletion in
  Web mode.
Terminal Services
The following describes the terminal services of the Eudemon 1000E:
- Supports the send function so that terminal users can communicate with each other.
Reliability
The following describes the reliability of the Eudemon 1000E:
- Forms a network with the OSN 900A to achieve the optical bypass function.
System Management
- Supports the standard network management protocols SNMP v1/v2c/v3.
- Works with a log server to provide log browsing and querying.
- Provides input and output IP packet statistics, and NAT, ASPF, attack defense, and blacklist
  logs.
- To protect the intranet and its data against illegal access or malicious attacks from the
  Internet, and against other unauthorized or unauthenticated access, deploy the Eudemon 1000E
  at the junction point between the intranet and the Internet.
- To deny intranet users access to sensitive data, deploy the Eudemon 1000E at the junction
  point where an open network segment meets a sensitive one (such as a segment that holds
  sensitive or private data).
- Routing mode: if the Eudemon 1000E connects to the Internet at Layer 3 (the interface has
  an IP address), it works in routing mode.
- Transparent mode: if the Eudemon 1000E connects to the Internet at Layer 2 (the interface
  has no IP address), it works in transparent mode.
- Composite mode: if the Eudemon 1000E has some interfaces working in routing mode (with IP
  addresses) and others working in transparent mode (without IP addresses), it works in
  composite mode.
Routing Mode
When the Eudemon 1000E is located between the intranet and the Internet, you need to configure
the interfaces, through which the Eudemon 1000E is connected to the intranet, Internet, and
demilitarized zone (DMZ), with IP addresses in different network segments, and you need to
redesign the network topology. In this case, the Eudemon 1000E serves as a router.
As shown in Figure 2-1, the Eudemon 1000E is connected to the intranet through an interface
in the Trust zone and to the Internet through an interface in the Untrust zone.
Note that the interface in the Trust zone and that in the Untrust zone are on different
subnets.
Figure 2-1 Networking in routing mode
(Figure: PCs and a server in the Trust zone on the 10.110.1.254 side of the firewall; a router
and a server in the Untrust zone on the 202.10.0.1 side.)
When working in routing mode, the Eudemon 1000E can perform ACL packet filtering, ASPF
dynamic filtering, and NAT. The network topology, however, must be changed: for example,
intranet users must change their gateways and the routing configurations of routers must be
modified, both of which are complicated. It is recommended that you weigh the advantages and
disadvantages before changing the network topology.
Transparent Mode
If the Eudemon 1000E works in transparent mode, you do not need to change the network
topology. In this case, the Eudemon 1000E is completely transparent to the users in the
subnets and to the routers; that is, users are not aware of the existence of the Eudemon 1000E.
In transparent mode, you only need to place the Eudemon 1000E on the network as you would
place a network bridge, without modifying any existing configuration. As in routing mode, the
Eudemon 1000E checks and filters IP packets and protects intranet users against threats.
Figure 2-2 shows a typical networking in transparent mode.
Figure 2-2 Networking in transparent mode
(Figure: PCs and a server in the Trust zone on the 202.10.0.2/24 side of the firewall; a
router and a server in the Untrust zone on the 202.10.0.1/24 side, the same subnet.)
The Eudemon 1000E is connected to the intranet through an interface in the Trust zone and to
the Internet through an interface in the Untrust zone.
Note that the interface in the Trust zone and that in the Untrust zone must reside in the same
subnet.
Composite Mode
If there are interfaces working in routing mode (such interfaces have IP addresses) and interfaces
working in transparent mode (such interfaces have no IP address) in the Eudemon 1000E, it
means that the Eudemon 1000E works in composite mode.
The composite mode is applied to the two-node cluster hot backup in transparent mode. The
interface on which Virtual Router Redundancy Protocol (VRRP) is enabled needs to be
configured with an IP address, and other interfaces do not need to be configured with IP
addresses. For more information about two-node cluster hot backup in transparent mode, see the
Quidway Eudemon 1000E Unified Security Gateway Configuration Guide Reliability Volume.
Figure 2-3 shows a typical networking in composite mode.
Figure 2-3 Networking in composite mode
(Figure: a primary and a secondary firewall between the Trust zone, 202.10.0.0/24 with PCs and
a server, and the Untrust zone, 202.10.0.0/24 with a server; the two firewalls are joined
through a hub.)
The primary and secondary Eudemon 1000Es are connected to the intranet through interfaces in
the Trust zone, and to the Internet through interfaces in the Untrust zone.
In addition, the primary and secondary Eudemon 1000Es:
- Connect with each other through a hub or a local area network (LAN) switch.
The primary and secondary Eudemon 1000Es can be connected directly or through a hub or a LAN
switch; choose the connection based on the actual conditions. The intranet and the Internet
must reside in the same subnet.
unlike the processing of a router, IP packets in the Eudemon 1000E are sent to the upper layer
for filtering. The Eudemon 1000E determines whether to permit the packets to pass through
based on session entries or ACL rules. In addition, the Eudemon 1000E is also responsible for
other attack defense checks.
Overview
When packets are forwarded between interfaces in Layer 2 security zone, the Eudemon 1000E
serves as a transparent bridge to search for outbound interfaces based on medium access control
(MAC) addresses of the packets. Different from a network bridge, IP packets in the Eudemon
1000E need to be sent to the upper layer for filtering, and then the Eudemon 1000E determines
whether to permit the packets to pass through based on session entries or ACL rules. In addition,
the Eudemon 1000E is also responsible for other attack defense checks.
In transparent mode, the Eudemon 1000E is connected to the LAN at the data link layer, so end
users do not need any special configuration when connecting to the network (just as with a LAN
switch connection).
The working process in transparent mode has two parts: obtaining an address table, and
forwarding and filtering frames.
(Figure: workstations A (00e0.fcaa.aaaa) and B (00e0.fcbb.bbbb) on Ethernet segment 1, attached
to Port 1 of the firewall; workstations C (00e0.fccc.cccc) and D (00e0.fcdd.dddd) on Ethernet
segment 2, attached to Port 2; a frame from A to B is shown on segment 1.)
1. Workstations A, B, C, and D reside in two LANs. Ethernet segments 1 and 2 are connected
   to ports 1 and 2 respectively on the Eudemon 1000E. For example, when workstation A sends
   an Ethernet frame to workstation B, both the Eudemon 1000E and workstation B receive the
   frame.
2. Reversely learn the relation between the MAC address of workstation A and the port.
   After receiving the Ethernet frame, the Eudemon 1000E is aware that workstation A is
   connected to Port 1 on the Eudemon 1000E because the received frame is sent from Port
   1. Then the relation between the MAC address of workstation A and Port 1 on the Eudemon
   1000E is added to the MAC address table, as shown in Figure 2-5.
Figure 2-5 Reversely learning the relation between the MAC address of workstation A and
the port
(Figure: the frame from workstation A to workstation B on Ethernet segment 1; the firewall's
address table now holds one entry, the MAC address of workstation A mapped to Port 1.)
3. Reversely learn the relation between the MAC address of workstation B and the port.
After workstation B responds to the Ethernet frame sent from workstation A, the Eudemon
1000E monitors the response Ethernet frame and is aware that workstation B is also
connected to Port 1 on the Eudemon 1000E because the received frame is sent from Port
1. Then the relation between the MAC address of workstation B and Port 1 is added to the
MAC address table, as shown in Figure 2-6.
Figure 2-6 Reversely learning the relation between the MAC address of workstation B and
the port
(Figure: the reply frame from workstation B to workstation A on Ethernet segment 1; the
address table now holds 00e0.fcaa.aaaa on Port 1 and 00e0.fcbb.bbbb on Port 1.)
Reverse learning continues until the Eudemon 1000E working in transparent mode has obtained
the relations between all MAC addresses and the interfaces (workstations A, B, C, and D in
this case), assuming that all workstations are active.
(Figure: the completed address table, 00e0.fcaa.aaaa Port 1, 00e0.fcbb.bbbb Port 1,
00e0.fccc.cccc Port 2, 00e0.fcdd.dddd Port 2; a frame from workstation A to workstation C is
forwarded from Port 1 to Port 2.)
- If the Eudemon 1000E receives broadcast or multicast frames on an interface, it forwards
  them to all other interfaces.
(Figure: workstations A to D on Ethernet segments 1 and 2, Ports 1 and 2 of the firewall,
illustrating the forwarding case above.)
- If the destination address of a frame is not found in the address table, the Eudemon 1000E
  forwards the frame to all ports except the source port. In this case the Eudemon 1000E acts
  as a hub, so that communication is not interrupted, as shown in Figure 2-9.
Figure 2-9 Forwarding frames after not finding the address table
(Figure: the address table holds only 00e0.fcaa.aaaa Port 1 and 00e0.fcbb.bbbb Port 1; a frame
from workstation A to workstation C (00e0.fccc.cccc, not in the table) is sent out of Port 2.)
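The learning and forwarding process of the two preceding sections, as an added example in Python. This is not Huawei code: the MAC addresses, port numbers and frame sequence are the constructed values used in the figures above; the rule that a frame whose destination was learned on the port it arrived on is not forwarded is standard bridge filtering and an assumption here, and the ip_filter hook stands in for the upper-layer session/ACL check the text mentions.

```python
"""Added example (not Huawei code): transparent-mode address learning and
frame forwarding. MAC addresses and ports are the constructed values of the
figures; the "same port" filtering rule and the filter hook are assumptions."""

BROADCAST = "ffff.ffff.ffff"


def is_multicast(mac: str) -> bool:
    """Group bit = least significant bit of the first byte (dotted hex notation)."""
    return int(mac[:2], 16) & 1 == 1


class TransparentFirewall:
    def __init__(self, ports, ip_filter=None):
        self.ports = list(ports)
        self.table = {}              # MAC address -> port, learned from source addresses
        # Unlike a plain bridge, frames are handed to the upper layer for
        # session/ACL checking; ip_filter(src, dst) -> bool models that hook.
        self.ip_filter = ip_filter or (lambda src, dst: True)

    def receive(self, in_port: int, src: str, dst: str):
        """Learn src on in_port, then return the ports the frame is sent out of."""
        self.table[src] = in_port                      # reverse learning
        if not self.ip_filter(src, dst):
            return []                                  # dropped by the upper layer
        others = [p for p in self.ports if p != in_port]
        if dst == BROADCAST or is_multicast(dst):
            return others                              # broadcast/multicast: all other ports
        out_port = self.table.get(dst)
        if out_port is None:
            return others                              # unknown destination: act as a hub
        if out_port == in_port:
            return []                                  # same segment (assumed bridge filtering)
        return [out_port]


def walk_through():
    """Replay the learning sequence of the figures with constructed frames."""
    fw = TransparentFirewall(ports=[1, 2])
    a, b, c, d = "00e0.fcaa.aaaa", "00e0.fcbb.bbbb", "00e0.fccc.cccc", "00e0.fcdd.dddd"
    steps = [
        fw.receive(1, a, b),          # A -> B: B unknown, flooded to port 2; learns A on port 1
        fw.receive(1, b, a),          # B replies: A is on port 1 = source port; learns B on port 1
        fw.receive(2, c, a),          # C -> A: learns C on port 2; A known on port 1
        fw.receive(2, d, BROADCAST),  # D broadcasts: learns D on port 2; flooded to port 1
        fw.receive(1, a, c),          # A -> C: table complete, forwarded to port 2 only
    ]
    return steps, dict(fw.table)
```

walk_through() returns the output ports chosen for each of the five constructed frames together with the final address table, which matches the table shown in the completed-learning figure.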
- The interfaces configured with IP addresses reside in a Layer 3 security zone, with VRRP
  enabled for two-node cluster hot backup.
- The interfaces configured without IP addresses reside in a Layer 2 security zone. Internet
  users connected to the interfaces in the Layer 2 security zone belong to the same subnet.
When packets are forwarded between interfaces in the Layer 2 security zone, the forwarding
process is the same as that in transparent mode. For details, see section "2.1.4 Working
Process in Transparent Mode".
When the Eudemon 1000E performs two-node cluster hot backup, the forwarding process is
similar to that in routing mode. For details, see section "2.1.3 Working Process in Routing
Mode".
The security level is denoted by an integer ranging from 0 to 100. The greater the number,
the higher the level.
Security checks on the Eudemon 1000E are performed only on data transmitted between
interfaces (or security zones) with different security levels, not between interfaces in the
same security zone.
- Untrust zone: a low-level security zone with security level 5.
- DMZ: a medium-level security zone with security level 50.
- Trust zone: a high-level security zone with security level 85.
- Local zone: the highest-level security zone, with security level 100.
When the Eudemon 1000E works in routing mode, you do not need to create the five zones
mentioned above. Deleting these zones or resetting their security levels is prohibited.
You can create additional security zones and specify security levels for them based on the
actual networking requirements.
NOTE
The term DMZ comes from the military, where a demilitarized zone is an intermediate area
between a strictly controlled military zone and the loosely controlled public zone; that is, it
is partially controlled by the military.
For the Eudemon 1000E, the DMZ is a zone that is independent of both the intranet and the
Internet, logically and physically, in which public servers such as World Wide Web (WWW)
servers and FTP servers are placed.
It is hard to ensure the security of these servers if they are placed directly on the Internet,
while if they are placed in the intranet, their security defects might give external malicious
users an opportunity to attack the intranet. The DMZ was developed to solve this problem.
CAUTION
Neither two security zones with the same security level nor an interface belonging to two
different security zones is allowed in the system.
Relations among interfaces, networks, and security zones are described as follows:
- Protected networks must be located in a high-level security zone, for example, the Trust zone.
- The Internet must be located in a low-level security zone, for example, the Untrust zone.
- Networks offering conditional services to Internet users should be located in a medium-level
  security zone, for example, the DMZ.
Besides that:
- The Local zone has no interface. The Eudemon 1000E device itself is in the Local zone.
- The Vzone has no interface and is used for traffic forwarding between Virtual Private
  Network (VPN) instances.
Traffic between VPN instances must pass through their own Vzones. For example, when a data
flow moves from the Trust zone of VPN1 to the DMZ of VPN2, it passes from the Trust zone of
VPN1 into the Vzone of VPN1, and then from the Vzone of VPN2 to the DMZ of VPN2. The Vzones
of all VPN instances are interconnected, and data flows between them without being restricted
by the interzone filtering rules of the Eudemon 1000E.
(Figure: interface GE0/0/1 and the Untrust zone, the DMZ with its servers, and the Vzone, with
Inbound and Outbound arrows marked between the zones.)
- Inbound: the direction in which data is transmitted from a low-level security zone to a
  high-level security zone.
- Outbound: the direction in which data is transmitted from a high-level security zone to a
  low-level security zone.
Data transmission between security zones with different levels causes the Eudemon 1000E to
check the data against security policies. You can set different security policies for the two
directions of the same interzone, so that data flowing in each direction triggers a different
security policy check.
Data transmission directions on the Eudemon 1000E are determined based on the side with the
higher security level. You can conclude that:
- Local zone and Trust zone: Local to Trust is the outbound data stream, Trust to Local is the
  inbound data stream.
- Local zone and DMZ: Local to DMZ is outbound, DMZ to Local is inbound.
- Local zone and Untrust zone: Local to Untrust is outbound, Untrust to Local is inbound.
- Local zone and Vzone: Local to Vzone is outbound, Vzone to Local is inbound.
- Trust zone and DMZ: Trust to DMZ is outbound, DMZ to Trust is inbound.
- Trust zone and Untrust zone: Trust to Untrust is outbound, Untrust to Trust is inbound.
- Trust zone and Vzone: Trust to Vzone is outbound, Vzone to Trust is inbound.
- DMZ and Untrust zone: DMZ to Untrust is outbound, Untrust to DMZ is inbound.
- DMZ and Vzone: DMZ to Vzone is outbound, Vzone to DMZ is inbound.
- Untrust zone and Vzone: Untrust to Vzone is outbound, Vzone to Untrust is inbound.
NOTE
If you allow users in a high-level security zone to access the Internet, you can configure a
default interzone packet-filtering rule for the Eudemon 1000E that allows packets to travel
from a high-level security zone to a low-level security zone.
On a router, the data transmission direction is determined based on the interface, which is one
of the main features differentiating the Eudemon 1000E from a router. The data stream sent
from an interface is called the outbound data stream, while the data stream sent to an
interface is called the inbound data stream.
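How the direction and the interzone policy lookup follow from the security levels, as an added example in Python (not Huawei code). The levels Untrust 5, DMZ 50, Trust 85 and Local 100 are the ones given above; the Vzone level of 0 is an assumption chosen so that traffic from every other zone into the Vzone is outbound, as the list states, and the fallback actions in check() are constructed for the example rather than a documented device default.

```python
"""Added example (not Huawei code): deriving the interzone direction and the
policy lookup from security levels. Untrust 5, DMZ 50, Trust 85 and Local 100
are the levels given in the text; the Vzone level 0 and the default actions
are assumptions for this example."""

ZONE_LEVELS = {"Local": 100, "Trust": 85, "DMZ": 50, "Untrust": 5, "Vzone": 0}


def add_zone(levels: dict, name: str, level: int) -> None:
    """User-defined zone: level 0..100, and no two zones may share a level."""
    if not 0 <= level <= 100:
        raise ValueError("security level must be an integer from 0 to 100")
    if level in levels.values():
        raise ValueError(f"a security zone with level {level} already exists")
    levels[name] = level


def assign_interface(iface_zone: dict, iface: str, zone: str) -> None:
    """An interface may belong to only one security zone."""
    if iface in iface_zone and iface_zone[iface] != zone:
        raise ValueError(f"{iface} already belongs to zone {iface_zone[iface]}")
    iface_zone[iface] = zone


def direction(src: str, dst: str, levels=ZONE_LEVELS):
    """'inbound' (low -> high), 'outbound' (high -> low) or None inside one zone."""
    ls, ld = levels[src], levels[dst]
    if ls == ld:
        return None                       # same zone: no interzone check
    return "inbound" if ls < ld else "outbound"


def interzone(src: str, dst: str, levels=ZONE_LEVELS):
    """Name of the interzone: the higher-level zone first."""
    return tuple(sorted((src, dst), key=lambda z: -levels[z]))


def check(src: str, dst: str, policies: dict, levels=ZONE_LEVELS) -> str:
    """Pick the policy for this interzone and direction.

    policies maps (interzone, direction) -> "permit" | "deny". The fallback
    (permit outbound, deny inbound) is a constructed default in the spirit of
    the NOTE's "allow high-level to low-level" rule, not a device default.
    """
    d = direction(src, dst, levels)
    if d is None:
        return "permit"
    fallback = "permit" if d == "outbound" else "deny"
    return policies.get((interzone(src, dst, levels), d), fallback)


def demo():
    # Constructed policy: publish a DMZ server to the Internet; nothing else inbound.
    policies = {(("DMZ", "Untrust"), "inbound"): "permit"}
    return {
        "trust_to_untrust": (direction("Trust", "Untrust"), check("Trust", "Untrust", policies)),
        "untrust_to_dmz": (direction("Untrust", "DMZ"), check("Untrust", "DMZ", policies)),
        "untrust_to_trust": (direction("Untrust", "Trust"), check("Untrust", "Trust", policies)),
        "dmz_to_vzone": direction("DMZ", "Vzone"),
        "interzone": interzone("Untrust", "Trust"),
    }
```

Because the policy key is the interzone plus the direction, the two directions of the same interzone can carry different actions, which is the behaviour the text describes; add_zone() and assign_interface() enforce the two constraints from the CAUTION above.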
3 Security Features
To meet the requirements of such customers, the network operator can adopt the Eudemon
1000E multi-instance solution of Huawei to logically divide one Eudemon 1000E into multiple
virtual firewalls to provide independent security services for multiple small private networks.
Operators can provide network security protection rental services by using the technology.
Each virtual firewall is a combination of one virtual private network (VPN) instance, one security
instance, and one configuration instance. It provides the proprietary route forwarding plane,
security service plane, and configuration management plane for virtual firewall users.
VPN Instance
A VPN instance provides isolated VPN routes for virtual firewall users. One VPN instance
corresponds to one virtual firewall.
Packets received by each virtual firewall are forwarded according to its own VPN routes.
Security Instance
A security instance provides isolated security services for virtual firewall users. A security
instance corresponds to one virtual firewall.
A security instance owns:
- Private interfaces
- Private ACLs
The security instance can provide virtual firewall users with the following private security
services:
- Address binding
- Blacklist
- Address translation
- Packet filtering
- Statistics
- Attack defense
- ASPF
- NAT
Configuration Instance
A configuration instance provides isolated configuration management planes for virtual firewall
users. A configuration instance corresponds to one virtual firewall. Configuration instances
enable virtual firewall users to log in to the Eudemon 1000E and manage and maintain the private
VPN routes and security instances.
3.2 ACL
This section describes the definition, applications, and settings of ACLs, and the ACL step,
on the Eudemon 1000E.
3.2.1 ACL Definition
An Access Control List (ACL) includes a series of ordered rules consisting of the permit or
deny statements. The rules are described mainly by source address, destination address, port
number, upper layer protocol, or other information.
3.2.2 ACL Application
ACLs can be used in other services or applications such as packet filtering, NAT, QoS, and
routing policy.
3.2.3 ACL on the Eudemon 1000E
The Eudemon 1000E supports various ACLs as well as time range-based application and logs
of ACL.
3.2.4 ACL Step
The step is the difference between the IDs automatically allocated to consecutive sub-rules
in an ACL rule group. It is introduced so that users can insert new rules between the existing
sub-rules of the current ACL rule group.
- Network security
- QoS requirements
The access control list (ACL) is one of the methods to control data streams.
Packet Filtering
Packet filtering is a network security protection mechanism. It controls the inbound and
outbound data between networks at different security levels.
Before forwarding a data packet, the Eudemon 1000E checks the information in the packet
header, including:
- Source address
- Destination address
- Source port
- Destination port
Then the Eudemon 1000E decides whether to forward or discard the packet by comparing this
information with the defined rules.
A series of filtering rules are required to filter data packets. On the Eudemon 1000E, data
packets are filtered by applying the filtering rules defined in an ACL between different
security zones.
NAT
Network Address Translation (NAT) converts an IP address in a packet header into another IP
address, so that an intranet (with private IP addresses) can access the Internet (with public
IP addresses) and the shortage of IP addresses is alleviated.
In practice, it is often required that some intranet hosts (with private IP addresses) can
access the Internet while others cannot. This is achieved by associating ACLs with NAT address
pools, so that NAT is performed only on packets that match the ACL rules. In this way, the
scope of NAT can be controlled precisely.
QoS
Quality of Service (QoS) is used to evaluate how well service providers meet customer
requirements. To guarantee QoS on the Internet, traffic control and resource allocation at
the network layer must be enhanced so that different services can be provided for different
requirements.
Traffic classification is the basis of differentiated services. In practice, you need to do
the following:
1. Identify traffic priority based on the type of service (ToS) field in the IP packet header.
2. Classify traffic with ACLs based on:
   - Source address
   - Destination address
   - IP protocol
Routing Policy
The routing policy is used to send, receive, and filter routing information.
There are many methods to filter routing information, of which ACL is one of the most important
and widely used. You can apply an ACL to specify an IP address or subnet range as the
destination address, source network segment address, or next hop address of the routing
information to be matched.
ACL Classification
The Eudemon 1000E supports the following ACLs:
- Basic ACLs
- Advanced ACLs

ACL type         Value range
Basic ACLs       2000 to 2999
Advanced ACLs    3000 to 3999
In binary, a wildcard mask works as follows: a 1 bit in the wildcard means that the
corresponding address bit is ignored when matching, and only the bits under 0 are compared.
11000000.10101000.00001111.00010000    (IP address 192.168.15.16)
00000000.00000000.00000000.11111111    (wildcard mask 0.0.0.255)
11000000.10101000.00001111.00000000    (bits that are compared: 192.168.15.0, so every address
                                        192.168.15.x matches)
If you set the source address to any, all packets from any source address meet the matching
condition, that is, any = 0.0.0.0 255.255.255.255.
The configuration effects of the above commands are the same as that of the following ACL
rules:
[Eudemon 1000E] acl 3000
[Eudemon 1000E-acl-adv-3000]
0 destination-port eq 21
[Eudemon 1000E-acl-adv-3000]
0 destination-port eq 22
[Eudemon 1000E-acl-adv-3000]
0 destination-port eq 21
[Eudemon 1000E-acl-adv-3000]
0 destination-port eq 22
[Eudemon 1000E-acl-adv-3000]
0 destination-port eq 21
[Eudemon 1000E-acl-adv-3000]
0 destination-port eq 22
[Eudemon 1000E-acl-adv-3000]
0 destination-port eq 21
[Eudemon 1000E-acl-adv-3000]
0 destination-port eq 22
If you set a step, you must delete the existing rule (including rule 0) before you use the step command to
change the step value or use the undo step command to restore the default step value.
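The ACL behaviour described in this section (ordered permit/deny rules, wildcard masks, the "any" address, and step-based rule IDs that leave room for later insertion), as an added example in Python. It is not Huawei code and does not reproduce the device's command syntax: the rule contents, the step value, the inserted rule ID and the test packets are constructed, and the choice to deny a packet that matches no rule is an assumption of this example.

```python
"""Added example (not Huawei code): an ordered ACL with wildcard masks, the
"any" address, first-match evaluation and step-based rule IDs, following the
ACL description in this document. Rule contents, the step value used and the
test packets are constructed; an unmatched packet is denied by assumption."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # any = 0.0.0.0 255.255.255.255


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'ignore this bit'; only the 0 bits are compared."""
    ignore = ip_int(wildcard)
    return (ip_int(addr) & ~ignore) == (ip_int(base) & ~ignore)


class Acl:
    def __init__(self, number: int, step: int = 5):
        if not 2000 <= number <= 3999:
            raise ValueError("basic ACLs use 2000-2999, advanced ACLs 3000-3999")
        self.number = number
        self.step = step
        self.rules = []   # (rule_id, action, proto, src, dst, dst_port), kept sorted by ID

    def add_rule(self, action, proto=None, src=ANY, dst=ANY, dst_port=None, rule_id=None):
        """Allocate the next multiple of the step, or insert at an explicit ID."""
        if rule_id is None:
            last = max((r[0] for r in self.rules), default=-1)
            rule_id = 0 if last < 0 else (last // self.step + 1) * self.step
        self.rules.append((rule_id, action, proto, src, dst, dst_port))
        self.rules.sort(key=lambda r: r[0])
        return rule_id

    def set_step(self, step: int) -> bool:
        """The step can only change once every rule (including rule 0) is deleted."""
        if self.rules:
            return False
        self.step = step
        return True

    def evaluate(self, src_ip, dst_ip, proto, dst_port):
        """First matching rule wins; returns (action, rule_id)."""
        for rule_id, action, r_proto, r_src, r_dst, r_port in self.rules:
            if r_proto is not None and r_proto != proto:
                continue
            if not matches_wildcard(src_ip, *r_src) or not matches_wildcard(dst_ip, *r_dst):
                continue
            if r_port is not None and r_port != dst_port:
                continue
            return action, rule_id
        return "deny", None   # assumed behaviour when nothing matches


def demo():
    """Constructed advanced ACL: the 192.168.15.0/24 hosts of the wildcard example above."""
    acl = Acl(3000)                                            # default step 5
    subnet = ("192.168.15.16", "0.0.0.255")                    # same match as 192.168.15.0
    acl.add_rule("permit", "tcp", src=subnet, dst_port=21)     # rule 0
    acl.add_rule("permit", "tcp", src=subnet, dst_port=22)     # rule 5
    acl.add_rule("deny")                                       # rule 10: everything else
    # The step left room to slip a more specific rule in front of rule 5.
    inserted = acl.add_rule("deny", "tcp", src=("192.168.15.200", "0.0.0.0"), dst_port=22, rule_id=3)
    return {
        "ids": [r[0] for r in acl.rules],
        "ftp": acl.evaluate("192.168.15.77", "10.0.0.1", "tcp", 21),
        "ssh_blocked_host": acl.evaluate("192.168.15.200", "10.0.0.1", "tcp", 22),
        "ssh_other_subnet": acl.evaluate("192.168.16.5", "10.0.0.1", "tcp", 22),
        "inserted": inserted,
        "wildcard": matches_wildcard("192.168.15.200", "192.168.15.16", "0.0.0.255"),
    }
```

The set_step() guard mirrors the rule stated above: once rules exist (including rule 0), the step cannot be changed until they are deleted, because existing IDs would no longer be multiples of the new step.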
Using port identification, you can create and maintain a system-defined port and user-defined
port identification list for various application protocols.
- Source address
- Destination address
After that, the Eudemon 1000E decides whether to forward or discard the packet based on the
comparison results.
A series of filtering rules are required to filter data packets. On the Eudemon 1000E, data
packets are filtered between different security zones according to these filtering rules.
3.3.2 ASPF
The Eudemon 1000E delivers the application layer-based packet filtering function, namely, the
application specific packet filter (ASPF) function, such as TCP/UDP tunnel and state check.
Overview of ASPF
Application Specific Packet Filter (ASPF) is the packet filtering based on the application layer,
that is, the status-based packet filtering. ASPF works with ACL-based packet filtering to
implement security policies on intranets. ASPF can detect the application layer protocol session
to prevent unmatched data packets from passing the Eudemon 1000E.
To protect the security of networks, the packet filtering based on ACL rules can detect data
packets at network layer and transmission layer to prevent illegal intrusion. ASPF can detect
protocols at the application layer and monitor application traffic.
In addition, ASPF provides the following functions:
- Java blocking, which prevents networks from being damaged by malicious Java applets.
- ActiveX blocking, which prevents networks from being damaged by harmful ActiveX controls.
ASPF detects protocols at the application layer and prevents malicious intrusion, by maintaining
session status and checking packet protocols and port numbers of sessions.
The ASPF function of the Eudemon 1000E supports the following types of traffic monitoring:
- QQ (detects the QQ protocol)
Triplet ASPF
The Eudemon 1000E is a senary (six-tuple) NAT device. In other words, each session is
identified by six fields:
- Source IP address
- Source port
- Destination IP address
- Destination port
- Protocol number
- VPN-ID
A session fails if any of these six fields is missing.
However, some real-time communication tools, such as QQ and MSN, require that only a triplet of
fields be processed:
- Source IP address
- Source port
- Protocol number
To adapt to such communication mechanisms, the Eudemon 1000E switches from six-tuple
processing to triplet processing for these sessions, so that QQ and MSN traffic can traverse
the device smoothly.
Besides NAT traversal for QQ and MSN, other sessions such as TFTP, which use only the source
IP address, the source port, and the protocol number, also require triplet ASPF to be
configured on the Eudemon 1000E.
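The stateful session handling described in the Overview (ACL checked on the initial packet only, later packets matched in a hashed session table, entries removed when the session ends) together with the six-tuple and triplet keys of this section, as one added example in Python. It is not Huawei code: the ACL contents, addresses and ports are constructed; the rule that a packet addressed to the IP, port and protocol of an open triplet session is accepted regardless of its sender is this example's reading of triplet matching; and session ageing is reduced to an explicit close() call.

```python
"""Added example (not Huawei code): a stateful session table keyed by the six
fields of this section, ACL evaluation only for the first packet of a flow,
and triplet ASPF for applications whose replies come from a different
address/port. ACL, addresses and ports are constructed; the triplet rule and
the explicit close() are simplifying assumptions."""
from dataclasses import dataclass

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    vpn_id: int = 0   # the sixth field of the senary key


def six_tuple(p: Packet):
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto, p.vpn_id)


def reverse_six_tuple(p: Packet):
    return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto, p.vpn_id)


class StatefulFirewall:
    def __init__(self, acl, triplet_ports=()):
        self.acl = acl                              # callable(Packet) -> bool, initial packet only
        self.triplet_ports = set(triplet_ports)     # destination ports handled by triplet ASPF (assumed config)
        self.sessions = set()                       # six-tuple keys; a set gives the hashed lookup
        self.triplets = set()                       # (ip, port, proto) of hosts that opened a triplet session
        self.acl_checks = 0                         # how often the ACL was actually consulted

    def handle(self, p: Packet) -> str:
        if six_tuple(p) in self.sessions or reverse_six_tuple(p) in self.sessions:
            return "forward"                        # existing session: no ACL work at all
        if (p.dst_ip, p.dst_port, p.proto) in self.triplets:
            return "forward"                        # reply to a triplet session, any peer address/port
        self.acl_checks += 1                        # initial packet of a new flow
        if not self.acl(p):
            return "drop"
        self.sessions.add(six_tuple(p))
        if p.dst_port in self.triplet_ports:
            self.triplets.add((p.src_ip, p.src_port, p.proto))
        return "forward"

    def close(self, p: Packet) -> None:
        """Session end (FIN/RST or ageing on a real device): remove the entries."""
        self.sessions.discard(six_tuple(p))
        self.sessions.discard(reverse_six_tuple(p))
        self.triplets.discard((p.src_ip, p.src_port, p.proto))


def demo():
    # Constructed ACL: one Trust host may open HTTP and TFTP to any destination.
    def acl(p):
        return p.src_ip == "10.110.1.10" and (p.proto, p.dst_port) in {(TCP, 80), (UDP, 69)}

    fw = StatefulFirewall(acl, triplet_ports={69})
    web = Packet("10.110.1.10", 40000, "202.10.0.5", 80, TCP)
    tftp = Packet("10.110.1.10", 5000, "202.10.0.9", 69, UDP)
    results = [
        fw.handle(web),                                                # new flow: ACL permits
        fw.handle(Packet("202.10.0.5", 80, "10.110.1.10", 40000, TCP)),  # reply: session hit, no ACL
        fw.handle(Packet("202.10.0.5", 80, "10.110.1.10", 40001, TCP)),  # unsolicited: ACL denies
        fw.handle(tftp),                                               # new flow: ACL permits, triplet noted
        fw.handle(Packet("202.10.0.9", 52000, "10.110.1.10", 5000, UDP)),  # data from a new server port: triplet hit
    ]
    fw.close(web)
    results.append(fw.handle(Packet("202.10.0.5", 80, "10.110.1.10", 40000, TCP)))  # closed: back to ACL, denied
    return results, fw.acl_checks
```

Six packets pass through the firewall but the ACL is consulted only four times: the two return packets that belong to open sessions are forwarded from the state table alone, and the TFTP data packet is accepted through the triplet entry although its six-tuple was never seen.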
3.3.3 Blacklist
The blacklist is an important security feature of the Eudemon 1000E. Blacklist entries can be added or deleted dynamically by Eudemon 1000E modules.
Compared with ACL-based packet filtering, the blacklist filters packets based only on the IP address, and is therefore fast. This effectively shields the packets sent from a specific IP address.
You can create blacklist entries in three ways:
- Dynamic creation by the Eudemon 1000E attack defense module or the IDS module. If a user fails to log in to the system three times consecutively, the IP address of the user is added to the blacklist.
When the Eudemon 1000E discovers an attack attempt from a specific IP address based on the packet action, it can automatically add the IP address to the blacklist to filter all the packets sent from that IP address.
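An added example (not Huawei's code) of the dynamic blacklist mechanism described above, run over a constructed login log: three consecutive failures from one source add it to the blacklist, a success in between resets the count (an assumption about what "consecutively" means here), and filtering is then a single lookup on the source IP.

```python
from collections import defaultdict

MAX_CONSECUTIVE_FAILURES = 3   # threshold stated in the feature description


class Blacklist:
    """IP-only blacklist with entries added dynamically by a login monitor."""

    def __init__(self):
        self.entries = set()
        self.consecutive_failures = defaultdict(int)

    def add(self, ip: str) -> None:
        self.entries.add(ip)

    def remove(self, ip: str) -> None:
        self.entries.discard(ip)
        self.consecutive_failures.pop(ip, None)

    def record_login(self, ip: str, success: bool) -> None:
        """Count consecutive failures per source IP; a success resets the
        count (assumption: that is what 'consecutively' means)."""
        if success:
            self.consecutive_failures[ip] = 0
            return
        self.consecutive_failures[ip] += 1
        if self.consecutive_failures[ip] >= MAX_CONSECUTIVE_FAILURES:
            self.add(ip)

    def permits(self, src_ip: str) -> bool:
        # Only the source IP is examined: a single set lookup, no ACL walk.
        return src_ip not in self.entries


# Constructed login log, format "<source-ip> login <ok|fail>"
SAMPLE_LOG = [
    "10.1.1.5 login fail",
    "10.1.1.5 login fail",
    "10.1.1.5 login ok",        # success resets the consecutive count
    "10.1.1.5 login fail",
    "198.51.100.7 login fail",
    "198.51.100.7 login fail",
    "198.51.100.7 login fail",  # third consecutive failure: blacklisted
]


def build_from_log(lines):
    """Replay the login log and return the resulting blacklist."""
    bl = Blacklist()
    for line in lines:
        ip, _, result = line.split()
        bl.record_login(ip, result == "ok")
    return bl


def filter_packets(bl, src_ips):
    """Return the source IPs whose packets the blacklist lets through."""
    return [ip for ip in src_ips if bl.permits(ip)]
```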
General port identification sets up the identification relations between user-defined port numbers
and application layer protocols. For example, if you configure that port 8080 identifies HTTP,
all TCP packets sent to port 8080 are considered as HTTP packets.
Host port identification sets up the relations between user-defined port numbers and application
protocols for the packets sent to certain specific hosts. For example, regard TCP packets sent to
the host at 10.110.0.0 through port 8080 as HTTP packets. The host range is defined based on
the basic ACL.
The basic ACL referenced by host port identification differs from the ACLs referenced by packet filtering in the following aspects:
- For interzone packet-filtering rules, the Eudemon 1000E permits only the packets that move from the source address to the destination address to pass through.
- For host port identification, the specified basic ACL is used only to define the range of hosts and imposes no direction restriction.
Denial of Service (DoS) attacks overwhelm a system by sending a large number of data packets. As a result, the system cannot receive requests from valid users, or the host hangs and cannot work normally.
The main DoS attacks include SYN Flood and Fraggle. The DoS attack differs from other types of attacks: in a DoS attack, attackers prevent valid users from accessing resources or routers, whereas in other types of attacks, attackers search for entry points into intranets.
Distributed Denial of Service (DDoS) attacks are one type of DoS attack. In a DDoS attack, attackers attack a host by using tens or hundreds of computers under their control, so that the host cannot accept normal requests from valid users, or hangs and cannot work normally.
IP spoofing attacks
To access a network, an intruder generates packets carrying a forged source address. On a system that relies on IP-address-based authentication, this can give an unauthorized user access to the system, even with root authority. In this way the system can be damaged even though the response packets never reach the intruder. This is the IP spoofing attack.
Land attacks
In a Land attack, both the source address and the destination address of a TCP SYN packet are set to the IP address of the attack target. Thus, the target sends the SYN-ACK message to itself and then returns the ACK message to itself, creating a null connection. Each null connection is kept until it is torn down because of timeout. Different types of attack targets respond differently to Land attacks. For example, many UNIX hosts crash and Windows NT hosts slow down.
Smurf attacks
A simple Smurf attack targets a network by sending an ICMP echo request to the broadcast address of the target network. All the hosts on the network respond to the request, which generates 10 or 100 times more traffic than large ping packets. Network congestion thus occurs. The advanced Smurf attack is mainly used to attack a target host by setting the source address of the ICMP packet to the address of the target host, so as to make the host crash completely.
An advanced Smurf attack therefore attacks a host by sending ICMP requests that appear to come from the address of the target host. As a result, the host crashes. It takes a certain traffic volume and duration to send the attack packets to perform the attack. Theoretically, the larger the number of responding hosts is, the more obvious the effect will be. Another new form of the Smurf attack is the Fraggle attack.
WinNuke attacks
WinNuke attacks cause a NetBIOS fragment overlap by sending Out-Of-Band (OOB) data packets to the NetBIOS port (139) of a specified target running the Windows system, so as to make the target host crash. Internet Group Management Protocol (IGMP) fragment packets also exist. Because IGMP packets generally cannot be fragmented, systems usually fail to process IGMP fragment packets. When the system receives IGMP fragment packets, you can assume that there is an attack.
DNS-flood attacks
DNS-flood attacks are a type of DDoS attack. Attackers send a large number of query packets to the Domain Name Server (DNS) within a short time, and the server has to respond to all the query requests. As a result, the DNS cannot provide services for legitimate users.
The Eudemon 1000E detects the TCP SYN packets sent to the server. If the rate of TCP SYN packets exceeds the threshold, the Eudemon 1000E considers that the server is under SYN flood attack.
The Eudemon 1000E uses the TCP proxy or TCP reverse source-detect to defend against SYN flood attacks.
The Eudemon 1000E monitors the source IP addresses accessing the server. If the Eudemon 1000E finds that one source IP address sends the same UDP packets to a certain server multiple times, this source IP address is considered the IP address of the attacker.
Once the link between the user and the server is set up, the Eudemon 1000E checks whether the user is an authorized user in the following two aspects:
- The Eudemon 1000E collects the packets that are sent from the user to the server. Within a specified period, if the number of packets does not exceed the threshold, the user is an unauthorized user.
- The Eudemon 1000E collects the links between the user and the server. Within a specified period, if the number of links is larger than the threshold, the user is an unauthorized user.
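The SYN-rate, repeated-UDP, Land, and Smurf checks described in this section, as an added example (not Huawei's code) run over a constructed packet trace; the thresholds, the one-second window and the ".255" broadcast test are placeholders, not the device's settings.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float            # arrival time in seconds
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: str = ""      # TCP flags, "S" = SYN only
    payload: bytes = b""


# Placeholder thresholds, not the device's defaults.
SYN_RATE_THRESHOLD = 5       # SYN packets per second toward one server
UDP_REPEAT_THRESHOLD = 3     # identical UDP packets from one source to one server
SYN_WINDOW = 1.0             # seconds over which the SYN rate is measured


def detect(packets):
    """Run the checks over a packet trace and return a set of (alert, address)."""
    alerts = set()
    syn_times = defaultdict(list)   # server -> timestamps of recent SYNs
    udp_seen = Counter()            # (src, dst, dport, payload) -> count
    for p in packets:
        if p.proto == "tcp" and p.flags == "S":
            # Land attack: a SYN whose source and destination address are equal
            if p.src == p.dst:
                alerts.add(("land", p.dst))
            # SYN flood: SYN rate toward one server above the threshold
            recent = syn_times[p.dst]
            recent.append(p.ts)
            while recent and p.ts - recent[0] > SYN_WINDOW:
                recent.pop(0)
            if len(recent) / SYN_WINDOW > SYN_RATE_THRESHOLD:
                alerts.add(("syn_flood", p.dst))
        elif p.proto == "udp":
            # UDP flood: one source repeats the same UDP packet to one server
            key = (p.src, p.dst, p.dport, p.payload)
            udp_seen[key] += 1
            if udp_seen[key] >= UDP_REPEAT_THRESHOLD:
                alerts.add(("udp_flood_source", p.src))
        elif p.proto == "icmp" and p.dst.endswith(".255"):
            # Smurf: ICMP echo request aimed at a broadcast address
            # (".255" stands in for a real subnet-broadcast lookup)
            alerts.add(("smurf", p.dst))
    return alerts


def sample_trace():
    """Constructed trace: a SYN flood on 10.1.1.2, a Land packet, a Smurf probe
    and a repeated UDP packet, plus two ordinary SYNs to 10.1.1.3."""
    trace = [Pkt(0.1 * i, "tcp", "198.51.100.%d" % (i + 1), "10.1.1.2", 80, "S")
             for i in range(8)]
    trace.append(Pkt(1.0, "tcp", "10.1.1.2", "10.1.1.2", 139, "S"))
    trace.append(Pkt(1.1, "icmp", "198.51.100.9", "10.1.1.255"))
    trace += [Pkt(1.2 + 0.1 * i, "udp", "198.51.100.9", "10.1.1.2", 53, "", b"A" * 40)
              for i in range(3)]
    trace += [Pkt(2.0, "tcp", "192.0.2.1", "10.1.1.3", 80, "S"),
              Pkt(2.5, "tcp", "192.0.2.2", "10.1.1.3", 80, "S")]
    return trace


def run_demo():
    return detect(sample_trace())
```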
3.5 NAT
NAT is mainly used to help internal network users (private IP addresses) to access external
networks (public IP addresses), and provides the internal server function.
3.5.1 Overview of NAT
NAT is the process of converting the IP address in the IP packet header into another IP address. It is mainly used by intranets (with private IP addresses) to access the Internet (with public IP addresses).
3.5.2 NAT on the Eudemon 1000E
The Eudemon 1000E supports multiple modes of NAT, such as one-to-one NAT, many-to-many
NAT, and NAPT. In addition, it supports multiple NAT ALGs, bi-directional NAT and
destination NAT.
IP addresses in the previous three ranges are not assigned on the Internet. This ensures that the IP addresses in these three ranges can be used on the intranet of a company or enterprise without applying to an Internet Service Provider (ISP) or a registry.
NAT is mainly used for private networks to access the Internet. It slows the depletion of the IP address space by using a few public IP addresses to represent many private IP addresses.
Figure 3-1 shows a basic NAT application process.
Figure 3-1 Basic NAT application process
(Diagram: intranet PC and server 192.168.1.2 behind the firewall's GE0/0/0 192.168.1.1; GE0/0/1 202.169.10.1 faces the Untrust zone and the external server 202.120.10.2; data packet 2 from source 202.120.10.2 to destination 202.169.10.1 becomes packet 2' with destination 192.168.1.3.)
The NAT server, such as the Eudemon 1000E, is located at the junction between a private network and a public network. Packets exchanged between an intranet PC and an Internet server all pass through the NAT server. An IP address is converted as follows.
1. When the internal PC at 192.168.1.3 sends data packet 1 to the external server at 202.120.10.2, the data packet reaches the NAT server. The NAT server checks the contents of the packet header and finds that the data packet is sent to an external network.
2. The NAT server converts the source IP address 192.168.1.3 of data packet 1 into a valid public IP address 202.169.10.1 on the Internet, forwards the packet to the external server, and records the mapping in the NAT list.
3. After receiving data packet 1, the external server sends response packet 2 to the internal PC (the initial destination IP address is 202.169.10.1).
4. After data packet 2 reaches the NAT server, the NAT server looks up the NAT list, replaces the destination address in the packet 2 header with the original private address 192.168.1.3, and then sends the data packet to the internal PC.
This NAT process is transparent to terminals such as the PC and server in the previous figure. NAT "hides" the private network of an enterprise because the external server regards 202.169.10.1 as the IP address of the internal PC and is unaware of 192.168.1.3.
- Translating the IP address and port of a host on the intranet into an external IP address and port of the Eudemon 1000E.
- Translating the external IP address and port into the IP address and port of a host on the intranet.
This process is called translation between a private address or port and a public address or port.
When the data flow moves from one security zone to another, the Eudemon 1000E checks the data packet to determine whether to perform NAT. If necessary, NAT is performed based on the following principles:
- At the egress of the IP layer, the Eudemon 1000E converts the source IP address from the private address into the public address and sends the packet to the Internet.
- At the ingress of the IP layer, the Eudemon 1000E restores the destination IP address from the public address into the private address and sends the packet to the intranet.
The number of public IP addresses on the NAT server is far smaller than the number of hosts on the intranet, because not all hosts access the Internet at the same time. The number of public IP addresses is determined by the maximum number of intranet hosts that access the Internet at peak time.
In practice, it may be required that only some intranet hosts can access the Internet while others cannot. In other words, when the NAT process checks the header of a data packet and finds that the source IP address is one that cannot access the Internet, the NAT server does not convert the source IP address of that unauthorized host. This is called NAT control.
The Eudemon 1000E implements many-to-many NAT by defining an address pool and controlling NAT through ACLs. The details are as follows:
- Address pool: a set of public IP addresses for NAT. You should configure a proper address pool based on the number of valid IP addresses, the number of hosts on the intranet, and the actual conditions. An IP address is chosen from the pool as the source IP address during NAT.
- ACL-based NAT: only the data packets meeting the ACL rules are converted. In this way, the NAT range can be controlled effectively and only some hosts are entitled to access the Internet.
The public address pool can be used by the root firewall and virtual firewalls.
The private address pool is created by the super-user for a virtual firewall and can be used only by that virtual firewall.
NAPT
Besides the many-to-many NAT, network address port translation (NAPT) is another way to
achieve the NAT of concurrent access.
NAPT allows multiple internal IP addresses to be mapped to one public IP address. Therefore, it is informally called "many-to-one NAT" or address multiplexing.
NAPT maps IP addresses and port numbers. Data packets from various internal IP addresses
can be mapped to the same public IP address with different port numbers. In this way, different
internal addresses can share the same public IP address.
Figure 3-2 shows the basic process of NAPT.
Figure 3-2 Basic process of NAPT
(Diagram: in the Trust zone, PC 192.168.1.3 sends data packet 1 with source port 1357 and data packet 2 with source port 2468; data packet 3 comes from 192.168.1.1 with source port 11111 and data packet 4 from 192.168.1.2 with source port 11111; all pass the firewall's GE0/0/0 toward the external server 202.120.10.2.)
As shown in Figure 3-2, four data packets carrying internal addresses arrive at the NAT server.
- Packet 1 and packet 2 come from the same internal IP address with different source port numbers.
- Packet 3 and packet 4 come from different internal IP addresses with the same source port number.
After the NAT mapping, the IP addresses of the four packets are converted into the same public
IP address with different source port numbers so that they are still different from each other.
When the response packets access the Eudemon 1000E, the NAT process can also differentiate
them based on their destination IP addresses and port numbers and forward them to the
corresponding internal hosts.
After the NAPT function is configured, during NAT the Eudemon 1000E first multiplexes the chosen IP address in the IP address pool. When the port numbers of that IP address are used up, the Eudemon 1000E chooses another IP address to complete the translation. Compared with many-to-many NAT, this greatly reduces the number of public IP addresses needed in the address pool.
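An added example (not Huawei's code) of the NAPT behaviour described above: the four source (address, port) pairs of Figure 3-2 are mapped onto a constructed pool of two public addresses with a deliberately tiny port range, so the table has to move on to the second address, and replies are mapped back to the right host. The sequential port allocation order is an assumption, as the page does not specify it.

```python
class Napt:
    """NAPT table: one pool address is multiplexed across its port range until the
    ports are used up, then the next pool address is taken; replies map back."""

    def __init__(self, pool, ports):
        self.pool = list(pool)
        self.ports = list(ports)
        self.forward = {}   # (priv_ip, priv_port, proto) -> (pub_ip, pub_port)
        self.reverse = {}   # (pub_ip, pub_port, proto) -> (priv_ip, priv_port)
        self.used = {ip: set() for ip in self.pool}   # pub_ip -> {(port, proto)}

    def _allocate(self, proto):
        # Assumption: ports are handed out in order from the first pool address;
        # the device's real allocation order is not given on the page.
        for pub_ip in self.pool:
            for port in self.ports:
                if (port, proto) not in self.used[pub_ip]:
                    self.used[pub_ip].add((port, proto))
                    return pub_ip, port
        raise RuntimeError("NAPT address pool exhausted")

    def translate_outbound(self, priv_ip, priv_port, proto="tcp"):
        """Map an internal (ip, port) to a public (ip, port), reusing an existing entry."""
        key = (priv_ip, priv_port, proto)
        if key not in self.forward:
            pub_ip, pub_port = self._allocate(proto)
            self.forward[key] = (pub_ip, pub_port)
            self.reverse[(pub_ip, pub_port, proto)] = (priv_ip, priv_port)
        return self.forward[key]

    def translate_inbound(self, pub_ip, pub_port, proto="tcp"):
        """Map a reply's public destination back to the internal host, or None."""
        return self.reverse.get((pub_ip, pub_port, proto))


# Constructed pool: two public addresses with only three ports each, so that the
# fourth session has to move to the second address.
POOL = ["203.0.113.1", "203.0.113.2"]
PORTS = range(10000, 10003)

# The four packets of Figure 3-2 as (internal source address, source port)
FIGURE_3_2_PACKETS = [
    ("192.168.1.3", 1357),
    ("192.168.1.3", 2468),
    ("192.168.1.1", 11111),
    ("192.168.1.2", 11111),
]


def demo():
    """Translate the four packets outbound, then map their replies back."""
    napt = Napt(POOL, PORTS)
    mapped = [napt.translate_outbound(ip, port) for ip, port in FIGURE_3_2_PACKETS]
    replies = [napt.translate_inbound(ip, port) for ip, port in mapped]
    return mapped, replies
```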
Internal Server
NAT can "shield" internal hosts by hiding the structure of the intranet; however, sometimes you want to permit some hosts on the Internet to access some hosts on the intranet, such as a Web server or an FTP server. You can flexibly add servers on the intranet through NAT. The Eudemon 1000E specifies the external IP address for an internal server in the following two ways.
- You can use 202.169.10.10 as the external IP address of the WWW server.
- You can use 202.110.10.12:8080 as the external IP address of the WWW server.
NAT on the Eudemon 1000E makes certain servers on the intranet available to some hosts on the Internet. When a user on the Internet accesses a server on the intranet, the Eudemon 1000E functions as follows:
- The Eudemon 1000E converts the destination IP address in the request packet into the private IP address of the internal server.
- The Eudemon 1000E converts the source IP address (a private IP address) in the response packet into a public IP address.
Moreover, NAT can provide multiple identical servers such as WWW servers for Internet users.
NOTE
The internal servers serving external hosts are usually located in the DMZ of the Eudemon 1000E. Generally, the equipment in the DMZ is not allowed to originate connections to external devices.
Bi-Directional NAT
Bi-directional NAT can be used in the following two scenarios:
- When users in the low-priority zone access the public IP address of the NAT server, the destination IP address of the packets is converted into the private IP address of the server. The server, however, needs to be configured with a route to the public IP address. If you want to simplify the configuration, that is, if you do not want to configure the route to the public IP address, you need to configure inbound NAT, that is, NAT from the low-priority zone to the high-priority zone.
- When users in the same security zone access each other, you need to configure interzone NAT.
As shown in Figure 3-3, NAT from the low-priority zone to the high-priority zone is configured on the Eudemon 1000E. For example, configure NAT from the Untrust zone to the DMZ.
Figure 3-3 Networking diagram of configuring inbound NAT
(Diagram: the firewall's GE0/0/0 10.1.1.1/24 faces the DMZ FTP server 10.1.1.2/24; GE0/0/1 200.1.1.1/24 faces the Untrust PC 200.1.1.2/24.)
When users in the Untrust zone access a server in the DMZ, the Eudemon 1000E performs NAT as follows:
- The Eudemon 1000E converts the destination IP address of the request packet from the Internet users into the private IP address of the internal server, and converts the source IP address into an IP address (a private IP address) in the address pool.
- The Eudemon 1000E converts the source IP address (private IP address) of the response packets from the internal server into the public IP address, and converts the destination IP address (private IP address) into the public IP address.
NOTE
The internal servers that allow the access of the Internet users are usually located in the DMZ. Generally,
the equipment in the DMZ is not allowed to originate connections to external devices.
As shown in Figure 3-4, NAT within the same zone is configured on the Eudemon 1000E. For
example, configure NAT in the Trust zone.
Figure 3-4 Networking diagram of NAT within a security zone
(Diagram: the firewall's GE0/0/0 10.1.1.1/24 connects through a switch to the Trust zone, which holds the PC 10.1.1.5/24 and the FTP server 10.1.1.2/24.)
When users in the Trust zone access a server in the Trust zone, the Eudemon 1000E carries out NAT as follows:
- The Eudemon 1000E converts the destination IP address of the request packet from the Internet users into the private IP address of the internal server, and converts the source IP address into a public IP address in the address pool.
- The Eudemon 1000E converts the private source IP address of the response packet from the internal server into the public IP address, and converts the destination address (public IP address) into the address of the public network.
ALG
NAT and NAPT can convert only the IP address in the IP packet header and the port number in the TCP/UDP header. The IP address and port number, however, can also be carried in the payload of some packets, such as ICMP and FTP packets, which NAT cannot convert and which may therefore cause errors.
For instance, an FTP server sends its private IP address to an external host to establish a session
connection. Because the IP address is put in the payload of the packet, NAT cannot convert it.
If the external host uses the unconverted private IP address, the FTP server is unreachable.
By adding an application level gateway (ALG) to NAT, you can solve the above problem. An ALG is a translation proxy for certain application protocols. It interacts with NAT to modify the specific data encapsulated in the IP packet based on the NAT state and, through other necessary processing, helps the application protocols function across address ranges.
For instance, the payload of a "destination unreachable" ICMP packet contains the header of the packet A that caused the error. The IP address of packet A has been converted by NAT, so the source IP address in that embedded header is not the real IP address of the internal host. If ICMP ALG is enabled, it interacts with NAT and opens the ICMP packet before NAT forwards it. NAT then converts the address in the embedded header of packet A back into the internal host's IP address and forwards the ICMP packet after other necessary processing.
The Eudemon 1000E provides a perfect NAT ALG mechanism with good scalability, which can
support various special application protocols without modifying the NAT platform.
Between different security zones, the Eudemon 1000E implements the ALG functions of the following commonly used application protocols:
- FTP
- H.323
- ICMP
- MSN
- NetBIOS
- PPTP
- User-defined
- IPSec ESP
Within a security zone, the Eudemon 1000E implements the ALG function for FTP.
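An added example (not Huawei's code) of an FTP ALG for the problem described above: the private address and port carried in an outbound active-mode PORT command are rewritten to the firewall's public address (202.169.10.1 from Figure 3-1, taken as an assumption) and a public port, the mapping is kept so the server's inbound data connection can be delivered, and the payload length change that later TCP sequence numbers must absorb is reported. The sequential port counter is hypothetical.

```python
import itertools
import re

PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port), or None if not a PORT line."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    return ".".join(str(v) for v in fields[:4]), fields[4] * 256 + fields[5]


def format_port(ip: str, port: int) -> bytes:
    """Encode (ip, port) back into the comma-separated PORT syntax."""
    octets = ip.replace(".", ",")
    return ("PORT %s,%d,%d\r\n" % (octets, port // 256, port % 256)).encode()


class FtpAlg:
    """Rewrites the private address in an outbound PORT command to the firewall's
    public address and a public port, and remembers the mapping so the server's
    inbound data connection can be sent to the right internal host."""

    def __init__(self, public_ip: str, first_port: int = 12000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # hypothetical sequential allocator
        self.data_mappings = {}                     # public port -> (priv_ip, priv_port)

    def translate_control(self, payload: bytes):
        """Return (rewritten payload, length delta). A non-PORT line is untouched.
        The delta is what the TCP sequence/ack numbers of later segments must be
        adjusted by, because the rewritten line can be longer or shorter."""
        parsed = parse_port(payload)
        if parsed is None:
            return payload, 0
        priv_ip, priv_port = parsed
        pub_port = next(self._ports)
        self.data_mappings[pub_port] = (priv_ip, priv_port)
        new_payload = format_port(self.public_ip, pub_port)
        return new_payload, len(new_payload) - len(payload)

    def inbound_data_target(self, pub_port: int):
        """Where the server's data connection to (public_ip, pub_port) should go."""
        return self.data_mappings.get(pub_port)


def demo():
    # Constructed: the internal client 192.168.1.3 announces data port 1337
    # (5*256+57) on the control channel; a USER line passes through unchanged.
    alg = FtpAlg("202.169.10.1")
    rewritten, delta = alg.translate_control(b"PORT 192,168,1,3,5,57\r\n")
    untouched, delta0 = alg.translate_control(b"USER anonymous\r\n")
    return rewritten, delta, untouched, delta0, alg.inbound_data_target(12000)
```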
Overview
With the development of the Internet, large amounts of data, voice, and video information are exchanged on the network.
In addition, new services have come into being:
- E-commerce
- Online conference
- Online auction
- E-learning
All these have requirements for information security, payment, and network bandwidth.
(Figure: unicast transmission from the server to users B and C, showing data transmission channels and device connections.)
The amount of information transmitted on the network is in direct proportion to the number of
users who have demand for this information. When there are too many users, there is too much
identical information flow on the network. Thus, the bandwidth bottleneck is caused. The unicast
mode is not applicable to the transmission of mass information.
(Figure: broadcast transmission from the server to users B and C, showing data transmission channels and device connections.)
The broadcast mode cannot guarantee the information security and paid services. In addition,
the bandwidth is wasted when only few users require the information.
Suppose users A, C, and D require the information from the server. To transmit the information
accurately to the three users, first you should organize them into a receiver group. Then, the
routers on the network perform the information forwarding and replicating based on the
geographic location of each user of the group. Finally, the information can be correctly
transmitted to the three users.
For the multicast mode, the following roles exist during multicast transmission:
- Receivers who receive the same information comprise a multicast group, and each receiver is a "multicast group member".
- All the routers that provide the multicast function are called "multicast routers".
For the roles in each multicast transmission, the following rules exist:
- Members in a multicast group can reside anywhere on the network without restriction on geographic location.
- A multicast source may not belong to a multicast group. It sends data to the multicast group and need not itself be a receiver.
- Some routers on the network do not support multicast. Using tunnel technology, a multicast router can encapsulate multicast packets into unicast IP packets and send them to a neighboring multicast router. The neighboring multicast router removes the unicast IP header and continues the multicast transmission. This avoids large changes to the network topology.
Advantages of Multicast
The advantages of multicast are as follows:
- Enhanced efficiency: it reduces network traffic and relieves server and CPU loads.
- Optimized performance: it decreases redundant traffic.
- Distributed application: it makes multipoint applications possible.
(Figure: multicast transmission from the server through the firewall to users B, C, and D.)
The Eudemon 1000E forwards packets from the multicast source host to the multicast access
router, and then the multicast access router is combined with other multicast routers to send
packets to each multicast user.
costs of network operation, especially for enterprises and operators who are charged by traffic.
To address this problem, the Eudemon 1000E is designed with the P2P traffic limiting function.
3.8.1 Introduction to P2P Traffic Limiting
The Eudemon 1000E can accurately identify P2P traffic on networks through in-depth detection
and behavior detection, and then limit the traffic according to the configured traffic limiting
policies. In addition, the Eudemon 1000E can produce detailed statistics on traffic of various
P2P protocols to facilitate monitoring of P2P traffic tendency.
3.8.2 P2P Traffic Detection and Limiting
The Eudemon 1000E detects P2P traffic and then limits it.
- In-depth detection: the main detection mode. It provides feature matching based on files.
- Behavior detection: detection based on the length sequence of consecutive data packets. If the length sequence complies with the preset rules, the traffic is identified as P2P traffic. Behavior detection mainly detects encrypted data traffic.
To lower the detection load, the Eudemon 1000E uses association detection. When a session is identified as P2P traffic, its source IP address, source port number, destination IP address, and destination port number are recorded in the association table.
If the IP address and port number of a new session match those in the association table, the session is identified as P2P traffic without further inspection. This reduces the burden of in-depth detection.
- The Gn interface is the interface between different GPRS support nodes (GSNs) in the same public land mobile network (PLMN). The GTP protocol is used on the Gn interface to provide the connection between the serving GPRS support node (SGSN) and the gateway GPRS support node (GGSN).
- The Gp interface is the interface between GSNs located in different PLMNs. The Gp interface is used to implement data roaming services between different PLMNs. The GPRS tunneling protocol (GTP) is used on the Gp interface to provide the connection between the SGSN and the GGSN.
- The Gi interface is the interface between the GGSN and the packet data network (PDN). The Gi interface is used to implement the connection between the GPRS network and the external data network. The IP protocol is used on the Gi interface to provide the connection between the GGSN and the Internet.
GTP is a tunneling protocol that is defined for the Gn interface and the Gp interface. GTP supports the connections between the GSNs. GTP is a TCP/UDP-based application layer protocol.
GTP contains the GTP control plane (GTP-C) and the GTP user plane (GTP-U).
- On the control plane, signaling is used to create, modify, and delete a tunnel.
- On the user plane, the tunnel is used to transmit the user's data packets.
GTP has two versions: version 0 and version 1. GTP version 0 belongs to the 3GPP Release 98 protocol and is used in the GPRS network. GTP version 1 belongs to the 3GPP Release 99 protocol and is used in the 3G network. GTP version 1 is compatible with version 0. You can distinguish them based on the version field of the GTP packet header.
In addition, the GTP protocol for charging is also included in GTP.
3.9.3 License
GTP is controlled by the license.
You can obtain the service only when you receive a license.
If the Eudemon 1000E works on the Gn or Gp interface, you need a license to activate the related
function. If the Eudemon 1000E works on the Gi interface, no license is required.
The Eudemon 1000E can cooperate with IDS servers from Huawei and other manufacturers.
- Prevent users from entering, or information from being written to, restricted sites.
- Monitor the access channel between the reliable network and unreliable ones to prevent risks from the Internet from spreading into the intranet.
- Prevent users from leaving, or information from being read from, restricted sites. By effectively controlling Internet users' access to internal resources, the security of information is guaranteed.
The Eudemon 1000E has a limitation: its detection granularity is rather coarse, and it cannot perform further analysis and detection on many protocols.
Therefore, the Eudemon 1000E opens some ports to link with other security software so as to construct a united security network. This is the Intrusion Detection System (IDS) cooperation.
The Eudemon 1000E associates with the IDS device for networking. The Eudemon 1000E is deployed between the internal LAN and the Internet. The IDS server and management server are on the intranet.
Figure 3-9 shows the networking diagram of the IDS cooperation.
Figure 3-9 Networking diagram of the IDS cooperation
(Diagram: PCs in the Trust zone connect to the firewall, which connects through a router to the Untrust zone; the administration server, IDS server, and IDS detector sit on the intranet side.)
The IDS in the network is like a network analyzer installed on the network that monitors network transmission. The system knows the latest attack methods and carefully inspects each packet that passes through, so that potentially malicious network transmission can be handled in time. The measures taken are determined by the specific IDS and the configuration that users apply.
Cooperating with the IDS system, the Eudemon 1000E can make full use of functions of the
IDS software to analyze and detect packets that flow across the network. In addition, the
Eudemon 1000E can probe various possible abnormal and attack behaviors and respond in real
time. When detecting exceptions or attacks, the IDS sends a command, such as dynamically
maintaining ACL entry, to the Eudemon 1000E. The Eudemon 1000E discards the attack packets
or takes other actions accordingly.
- IDS devices can monitor transmission on the network that they belong to.
- IDS devices can detect the latest attacks on the network by continually updating their software.
- IDS devices check each packet that passes through and deal with potentially malicious network transmission in time.
- By using IDS cooperation to defend against attacks, intrusion detection and attack defense are effectively separated. Thus, the advantages of each device can be fully exploited and the performance of the system enhanced.
is-One
NIP
Topsec
3.11.1 Background
To clear hazards to network information security, the Eudemon 1000E cooperates with the
Secospace terminal security management system to control network access and protect network
resources.
Networks have become an indispensable part of enterprises. However, they also expose enterprises to various security threats, such as:
- Internal employees accessing enterprise application systems to tamper with important data without permission.
To solve this problem, use the Eudemon 1000E to work with the Secospace security access
control system (hereinafter referred to as the Secospace server) to set up the Secospace terminal
security system, and implement the system on large-sized enterprise networks.
The Secospace terminal security system controls the access rights of users based on the role
ACL. Terminal users perform the security policy check on the Secospace server. After terminal
users pass the ID authentication, the Eudemon 1000E is notified of the access control on terminal
users. This feature can meet the requirements of controlling multiple user types on a large-sized
enterprise network. The Secospace supports two-node hot spare in association mode and uses
the SACG for load sharing.
Figure 3-10 shows a specific networking.
Figure 3-10 Networking diagram of Secospace Cooperation
(Diagram: service servers A, B, and C behind the firewall acting as SACG; a LAN switch connects Agent 1 and Agent 2; the SM, SC, and SRS components of the Secospace server.)
For information about the functions of each part, see Secospace server-related documents.
A connection between the Eudemon 1000E and the Secospace server is set up to obtain the default ACL. In this case, the interzone packet-filtering rules configured earlier on the Eudemon 1000E become invalid. The terminal user can access servers that do not require authentication and authority.
2.
3.
- Domain authentication
- 802.1X authentication
- Web authentication
4. The Secospace server tells the Agent to perform a security check on the valid user.
5. After implementing the security check, the Agent reports the result to the Security Policy Server (SPS). If the user does not pass the security check, the SRS prompts the user to perform the necessary repair. After the repair is done, the operation in step 3 is performed again.
6. If the user passes the authentication, the server notifies the Eudemon 1000E of the user's login and requests it to grant the necessary authority.
NOTE
According to the rule of roles, the Eudemon 1000E determines whether a user has the authority to access
the service server. Terminal users can access network resources matching their authority.
The Agent, SPS, and SRS are all parts of the Secospace server. For more information about each part, refer
to Secospace-related guides.
When the user accesses network resources for the first time, the Eudemon 1000E determines the user's access authority according to the user's role. When the user accesses network resources later, the Eudemon 1000E decides whether the user can access them based on local information. If the Eudemon 1000E considers that the user does not have the authority, the operation in step 3 is performed again for authentication.
When the Secospace server receives the offline request from the user, it requests the Eudemon
1000E to update the local information. If the user accesses resources later, authentication is
performed again.
30,000 ACLs
ACL 5000 is referred to first. If the policy delivered by the server contains port information,
the policy is added to ACL 5000; if not, it is added to ACL 3000.
NOTE
One group can include multiple roles; one role can correspond with multiple users.
Authentication and authorization set up a local user database on the Eudemon 1000E to maintain user information and manage users. Besides creating local user accounts, the Eudemon 1000E can perform local authentication.
Authentication Modes
The Eudemon 1000E supports the following authentication modes:
- None authentication
It completely trusts users and does not check their validity. Generally, it is not used.
- Local authentication
User information, including the user name, password, and other attributes, is configured locally on the Eudemon 1000E, which then authenticates users for access. Its advantage lies in the fast processing speed, which reduces the operation cost. Its disadvantage is that the information storage capacity is limited by the hardware.
- Remote authentication
The Eudemon 1000E authenticates users over the Remote Authentication Dial In User Service (RADIUS) protocol. The Eudemon 1000E serves as the client to communicate with the RADIUS server. The RADIUS protocol cooperates with iTELLIN/CAMS to complete the authentication.
Authorization Modes
The Eudemon 1000E supports the following authorization modes:
- Direct authorization
It completely trusts users and directly authorizes them to pass through.
- Local authorization
It authorizes users based on the relevant attributes of the local user account configured on the Eudemon 1000E.
- If-authenticated authorization
If the user passes the authentication and the authentication mode is not none, the user is authorized.
number of scattered users that use serial ports and modems, and then is widely used in the network
access server (NAS) system later.
To access other networks or to use some network resources, you need to set up a connection to
the NAS through some networks (such as the telephony network). In this case, the NAS
authenticates a user or the connection. The NAS is responsible for sending the authentication
and authorization information of the user to the server that supports the RADIUS protocol. The
RADIUS protocol defines how to transmit the user information between the NAS and RADIUS
servers.
The RADIUS server receives the user's connection requests, completes the authentication, and
then sends the configurations that the user needs to the NAS. The authentication information is
transmitted with a secret key between the NAS and the RADIUS server so that the user password
cannot be stolen on insecure networks.
(Figure: the user sends the user name and password to the router/access server, which sends a Request to the RADIUS server and receives a Response.)
As shown in the figure, the Eudemon 1000E serves as an access server. When a user logs in to the Eudemon 1000E, the following steps are performed.
1. The user sends the user name and password to the Eudemon 1000E.
2. After the RADIUS client receives the user name and password, it sends an authentication request to the RADIUS server.
3. When receiving a valid request, the RADIUS server completes the authentication and sends the configurations that the user needs to the client.
The login user can be a PPPoE user working with L2TP that uses network resources, or an administrator that configures or maintains network devices.
(Figure: RADIUS packet format, 32 bits per row: Code | Identifier | Length, then Authenticator, then Attribute.)
Code
It indicates the message type, such as an access request or an access permit.
Identifier
It is a number assigned in ascending sequence and is used for matching request packets with response packets.
Length
It indicates the total length of all fields.
Authenticator
It is used to verify the validity of RADIUS messages.
Attributes
They carry the contents of a message, including the user name, password, NAS IP address, and other attributes of the user account.
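The exchange and packet format described above, as an added Python example that is not part of the Huawei document: it builds an Access-Request, hides the User-Password under the shared secret, and validates the server's reply by Identifier and Response Authenticator as RFC 2865 specifies; the shared secret, user name and password are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example only; a real deployment uses its own secret.
SHARED_SECRET = b"example-shared-secret"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, identifier, authenticator, attrs):
    """Assemble Code | Identifier | Length | Authenticator | Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(data):
    """Split a RADIUS packet into header fields and a list of (type, value) attributes,
    rejecting packets whose Length or attribute lengths do not add up."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("Length field inconsistent with packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": data[4:HEADER_LEN], "attributes": attrs}


def hide_password(password, secret, request_authenticator):
    """RFC 2865 User-Password hiding: pad with NULs to a multiple of 16 bytes, then
    XOR each 16-byte chunk with MD5(secret + previous chunk); the first 'previous
    chunk' is the Request Authenticator. Only the shared secret makes this reversible."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    prev, out = request_authenticator, b""
    for i in range(0, len(padded), 16):
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password, as performed by the RADIUS server."""
    prev, out = request_authenticator, b""
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, identifier, request_authenticator, attrs_bytes, secret):
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(header + request_authenticator + attrs_bytes + secret).digest()


def build_response(request, code, attrs, secret):
    """Server side: answer a parsed request with the Identifier copied and a
    Response Authenticator computed over the request's Authenticator."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, request["identifier"], request["authenticator"], body, secret)
    return build_packet(code, request["identifier"], auth, attrs)


def validate_response(request, response_bytes, secret):
    """Client side: accept a response only if its Identifier matches the outstanding
    request and its Response Authenticator verifies under the shared secret."""
    resp = parse_packet(response_bytes)
    if resp["identifier"] != request["identifier"]:
        return False  # answer to some other request, or a stray/forged packet
    expected = response_authenticator(resp["code"], resp["identifier"], request["authenticator"],
                                      response_bytes[HEADER_LEN:resp["length"]], secret)
    return hmac.compare_digest(expected, resp["authenticator"])


def demo(secret_on_server=SHARED_SECRET):
    """Run one exchange; return (accepted_by_client, response_code)."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = [(ATTR_USER_NAME, b"alice"),
             (ATTR_USER_PASSWORD, hide_password(b"correct horse", SHARED_SECRET, req_auth)),
             (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]
    request = parse_packet(build_packet(ACCESS_REQUEST, 7, req_auth, attrs))
    # The server recovers the password with the secret it holds, then replies.
    pw = reveal_password(dict(request["attributes"])[ATTR_USER_PASSWORD], secret_on_server, req_auth)
    code = ACCESS_ACCEPT if pw == b"correct horse" else ACCESS_REJECT
    reply = build_response(request, code, [], secret_on_server)
    return validate_response(request, reply, SHARED_SECRET), code
```

A server holding a different secret neither recovers the password nor produces a Response Authenticator the client accepts, which is why the client must never act on an unverified reply.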
RADIUS Features
The features of RADIUS are as follows:
- High reliability, by supporting the retransmission mechanism and the backup server mechanism.
- Easy implementation; it is used in the multithreaded structure of the server when there are a large number of users.
When the waiting timer expires, if the current server is unavailable, or if the number of retransmissions exceeds the configured maximum, the current server is replaced by another server in the server group.
- Default authorizations
- RADIUS templates
- Authentication schemes
The authorization precedence configured within a domain is lower than that configured on an authentication and authorization server, that is, the authorization attributes of the authentication and authorization server are used first. The domain authorization attributes take effect only when the authentication and authorization server does not deliver this authorization or does not support it. In this way, the attribute limitation of the authentication and authorization server no longer applies, and services can be added flexibly by managing the domain accordingly.
When a domain and a user within the domain are both configured with the same attribute, the user-based configuration takes precedence over the domain-based configuration.
Users whose information is stored in the local user database are called local users.
4 VPN
4.1 Introduction
As enterprises and companies grow in scale, staff travel on business more frequently. With overseas offices and clients increasingly scattered and the number of partners growing, more and more enterprises need to use public Internet resources for promotion, sales, after-sales service, training, cooperation, and consultation. This urgent demand gives VPN applications a good market.
4.1.1 VPN Overview
Virtual Private Network (VPN) is a new technology that has developed rapidly as the Internet has become widely used in recent years. It is used to build private networks on a public network. "Virtual" mainly indicates that a VPN is a kind of logical network.
4.1.2 VPN Classification
IP VPN uses IP facilities, including public Internet or dedicated IP backbone networks, to realize
the emulation of WAN device private line services, such as remote dial-up and Digital Data
Network (DDN). According to different standards, IP VPNs can be classified into different types.
4.1.3 VPN Fundamentals
The basic principle of VPN is to use tunneling protocols to encapsulate packets into tunnels and
construct private data transmission tunnels on backbone networks to realize transparent
transmission of data packets.
4.1.4 VPN Basic Networking Application
The following takes an enterprise network as an example to illustrate VPN basic networking.
VPN Features
VPN has the following features:
- Different from traditional networks, a VPN does not physically exist. It is a kind of logical network, a virtual network configured based on existing public network resources.
VPN Advantages
VPN presents the following advantages:
- Helping set up reliable connections between remote users, overseas offices, partners, suppliers, and company headquarters to ensure secure data transmission.
This advantage is significant because it realizes the convergence of e-business or financial networks with communication networks.
- Using public networks to realize information communication. With VPNs, enterprises can connect remote offices, telecommuters, and business partners at a dramatically lower cost.
In addition, VPNs significantly increase the utilization of network resources, thus helping Internet Service Providers (ISPs) increase revenue.
- Allowing you to add or delete VPN users through software without changing hardware facilities.
This mechanism offers great flexibility in VPN applications.
- Allowing telecommuting VPN users to access headquarters resources at any time and in any place.
This satisfies the increasing demand for mobile services.
- Offering high-quality VPNs such as MPLS VPN and diversified VPN services to meet VPN users' different demands for quality levels. A service-specific rating mechanism brings ISPs more profit.
- Intranet VPN
- Access VPN
An access VPN provides private connections between intranets and extranets for telecommuting staff, mobile offices, and remote offices through public networks. There are two types of access VPN architectures:
- Extranet VPN
An extranet VPN uses a VPN to extend an enterprise network to suppliers, partners, and clients, thus establishing a VPN between different enterprises through public networks.
VPRN realized through traditional VPN protocols such as IPSec and GRE
(Figure 4-1: VPN user, NAS, VPN server.)
As shown in Figure 4-1, VPN users dial up to the Network Access Server (NAS) of the ISP
through the PSTN or ISDN.
The NAS identifies users by checking user names or access numbers. If the NAS server
determines that a user is a VPN user, it sets up a connection (a tunnel) with the user's destination
VPN server. Then the NAS encapsulates the user's data into an IP packet and transmits it to the
VPN server through the tunnel. After the VPN server receives the packet, it decapsulates the
packet to read the real packet.
Packets can be encrypted on both sides of the tunnel. Other users on the Internet cannot read the encrypted packets. That ensures the security of packets. For users, a tunnel is a logical extension of the PSTN or ISDN link. The operations on the logical tunnel are similar to those on a physical link.
Tunnels can be achieved through tunneling protocols. Based on the layer of the Open Systems Interconnection (OSI) reference model at which tunnels are realized, tunnel protocols can be categorized into two groups:
- IP Security (IPSec)
IPSec is not a single protocol. Instead, it offers a set of system architecture for data security on IP networks, including Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE).
GRE and IPSec are mainly applied to private line VPN services.
- Scalability
Since an L2 tunnel encapsulates a whole PPP frame, transmission efficiency may be decreased. In addition, a PPP session runs through the whole tunnel and terminates in a user-side device. That requires the user-side gateway to keep a large amount of PPP session status and information, which may overload the system and impact its scalability. Moreover, since the Link Control Protocol (LCP) and Network Control Protocol (NCP) negotiations are quite sensitive to time, degraded tunnel efficiency may result in a series of problems such as PPP session timeout. On the contrary, an L3 tunnel terminates in an ISP gateway, and the PPP session terminates in the NAS. Thus, the user gateway does not need to manage and maintain the status of each PPP session, and the system load is reduced.
Typically, L2 tunneling protocols and L3 tunneling protocols are used separately. If they
are appropriately used together, for example, using L2TP and IPSec together, they may
provide users with high security and better performance.
(Figure 4-2: internal server at the company headquarters.)
As shown in Figure 4-2, eligible users can connect to the Point of Presence (POP) server of the
local ISP through a Public Switched Telephone Network (PSTN), Integrated Services Digital
Network (ISDN), or LAN so as to access the internal resources of an enterprise. Traditional
WAN networking technology requires dedicated physical links to realize connections. With
established virtual networks, remote users and telecommuters can access internal resources of
an enterprise without need of being authorized by the local ISP. It is helpful for telecommuting
staff and scattered users.
To experience VPN services, an enterprise needs to deploy only a server, such as a Windows
NT server or a firewall that supports VPN to share resources. After connecting to the local POP
server through the PSTN, ISDN, or LAN, eligible users can directly call the remote server (VPN
server) of the enterprise. The access server of the ISP and the VPN server work together to realize
the call.
4.2 L2TP
The Layer 2 Tunneling Protocol (L2TP) is a kind of VPDN tunneling protocol. To know L2TP
better, you need certain knowledge of VPDN.
4.2.1 VPDN Overview
A Virtual Private Dial Network (VPDN) realizes a VPN by using the dial-up function of public
networks such as the ISDN and PSTN as well as access networks. VPDNs provide access
services for enterprise customers, small-sized ISPs, and mobile offices.
4.2.2 L2TP Overview
L2TP supports the tunneling of PPP link layer packets. L2TP extends the PPP model by allowing
the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched
network. By integrating the advantages of PPTP and L2F, L2TP has developed into the industry
standard of layer two tunneling protocols.
4.2.3 Access to VPN Supported by L2TP
At present, more and more enterprises build their VPN networks on the Internet to save costs, guarantee network security, and facilitate network management.
4.2.4 License
The number of tunnels supported by L2TP is determined by licenses.
The NAS sets up a tunnel to the VPDN gateway based on tunneling protocols.
This realization mechanism directly connects the PPP connection of users to the gateway of the enterprise network. So far, the available tunneling protocols are L2F and L2TP.
The advantages of this realization mechanism are as follows:
- Since the enterprise network authenticates users and assigns IP addresses, no extra public addresses are required.
This realization mechanism requires the NAS to support the VPDN protocol and the authentication system to support VPDN attributes. Typically, a firewall or dedicated VPN server is used as the gateway.
- Since this realization mechanism has no requirements for ISPs, users can access resources at any place and in any way.
- Since this mechanism requires users to install and use dedicated software, usually Windows 2000, users can select a specified platform.
- PPTP
- L2F
- L2TP
Background
PPP defines an encapsulation mechanism for transporting multiprotocol packets across L2 point-to-point links. Typically, a user obtains an L2 connection to a NAS using one of a number.
The L2TP protocol expands the PPP model in the following ways:
- By integrating the advantages of PPTP and L2F, L2TP has developed into the industry standard of layer two tunneling protocols.
(Figure 4-3: LAC, L2TP tunnel, LNS, internal servers.)
As shown in Figure 4-3, the L2TP Access Concentrator (LAC) is attached to the switched network. The LAC is a PPP endpoint system and can process L2TP. Usually, an LAC is a NAS, which provides access services for users across the PSTN or ISDN. The L2TP Network Server (LNS) is also a PPP endpoint system and handles the server side of L2TP.
An LAC sits between an LNS and a remote system and forwards packets to and from each.
Packets sent from the remote system to the LNS require tunneling with the L2TP protocol.
Packets sent from the LNS are decapsulated and then forwarded to the remote system. The
connection from the LAC to the remote system is either local or a PPP link. For VPDN
applications, the connections are usually PPP links.
An LNS acts as one side of an L2TP tunnel and is a peer to an LAC. The LNS is the logical
termination point of a PPP session that is being tunneled from the remote system by the LAC.
Technology Details
The following describes the technology details of L2TP:
- Figure 4-4 shows the relationship of PPP frames and control messages over the L2TP control and data channels. PPP frames are passed over an unreliable data channel, encapsulated first by an L2TP header and then by a packet transport such as UDP, Frame Relay, or ATM. Control messages are sent over a reliable L2TP control channel, which transmits packets in-band over the same packet transport.
L2TP uses the registered UDP port 1701. The entire L2TP packet, including the payload and the L2TP header, is sent within a UDP datagram. The initiator of an L2TP tunnel picks an available source UDP port (which may or may not be 1701) and sends to the desired destination address at port 1701. The recipient picks a free port on its own system (which may or may not be 1701) and sends its reply to the initiator's UDP port and address, setting its own source port to the free port it found. Once the source and destination ports and addresses are established, they must remain static for the life of the tunnel.
- Session: a session is multiplexed over a tunnel to denote each session process over the tunnel.
Multiple L2TP tunnels may exist between the same LAC and LNS. A tunnel consists of one control connection and one or several sessions. A session is set up after a tunnel is successfully created, namely, after information such as the ID, L2TP version, frame type, and hardware transmission type is exchanged. Each session corresponds to a PPP data stream between the LAC and the LNS.
L2TP uses Hello messages to check the connectivity of a tunnel. The LAC and the LNS
periodically send Hello messages to each other. If no Hello message is received within a
period of time, the session between them is cleared.
- Control messages
Control messages are used in the establishment, maintenance, and transmission control of tunnels and sessions.
Control messages use a reliable control channel within L2TP to guarantee delivery.
Control messages support traffic control and congestion control.
- Data messages
Data messages are used to encapsulate PPP frames being carried over the tunnel.
Data messages are not retransmitted when packet loss occurs. Data messages do not support traffic control and congestion control.
L2TP packets for the control channel and the data channel share a common header format. An L2TP message header includes a tunnel ID and a session ID, which are used to identify tunnels and sessions. Packets with the same tunnel ID but different session IDs are multiplexed over the same tunnel. The tunnel IDs and session IDs in a packet header are assigned by the peer end.
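An added Python parser and demultiplexer for the L2TPv2 header described above (flag bits, tunnel ID, session ID and Ns/Nr as laid out in RFC 2661), written for this page rather than taken from the Huawei document; the sample control and data messages are constructed.

```python
import struct

L2TP_UDP_PORT = 1701

# L2TPv2 header flag bits (RFC 2661): Type, Length present, Sequence present,
# Offset present, Priority; the low four bits carry the version (2).
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
VERSION_MASK = 0x000F


def parse_l2tp(datagram):
    """Parse one L2TPv2 packet (a UDP payload) into its header fields and payload.
    Control messages must carry Length and Ns/Nr and must not carry an Offset;
    data messages carry Length and Ns/Nr only when the flags say so."""
    pos = 0

    def take(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(datagram):
            raise ValueError("datagram truncated inside the L2TP header")
        values = struct.unpack(fmt, datagram[pos:pos + size])
        pos += size
        return values

    (flags,) = take("!H")
    if (flags & VERSION_MASK) != 2:
        raise ValueError("unsupported L2TP version")
    is_control = bool(flags & T_BIT)
    if is_control and (not (flags & L_BIT) or not (flags & S_BIT) or (flags & O_BIT)):
        raise ValueError("control message with an illegal flag combination")
    length = take("!H")[0] if flags & L_BIT else len(datagram)
    if length > len(datagram) or length < 6:
        raise ValueError("Length field inconsistent with datagram size")
    tunnel_id, session_id = take("!HH")
    ns, nr = take("!HH") if flags & S_BIT else (None, None)
    if flags & O_BIT:
        (offset,) = take("!H")
        pos += offset  # skip the offset pad
    if pos > length:
        raise ValueError("header runs past the declared Length")
    return {"kind": "control" if is_control else "data", "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr, "length": length,
            "payload": datagram[pos:length]}


def build_data(tunnel_id, session_id, ppp_frame):
    """Minimal data message: no Length, no sequence numbers (unreliable channel)."""
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp_frame


def build_control(tunnel_id, session_id, ns, nr, avps):
    """Control message: T, L and S set; Ns/Nr give the reliable channel its sequencing."""
    flags = T_BIT | L_BIT | S_BIT | 2
    return struct.pack("!HHHHHH", flags, 12 + len(avps), tunnel_id, session_id, ns, nr) + avps


def is_valid(datagram):
    """True if the datagram parses as a well-formed L2TPv2 packet."""
    try:
        parse_l2tp(datagram)
        return True
    except ValueError:
        return False


def demultiplex(datagrams):
    """Sort received packets the way an LNS would: data messages go to the PPP
    session keyed by (tunnel ID, session ID); control messages are counted per
    tunnel (session ID 0 means the message concerns the tunnel itself)."""
    sessions, control = {}, {}
    for d in datagrams:
        p = parse_l2tp(d)
        if p["kind"] == "control":
            control[p["tunnel_id"]] = control.get(p["tunnel_id"], 0) + 1
        else:
            sessions.setdefault((p["tunnel_id"], p["session_id"]), []).append(p["payload"])
    return sessions, control


# Constructed sample traffic: one tunnel-level control message and three data
# messages carrying PPP frames for two sessions multiplexed over tunnel 5.
SAMPLE = [
    build_control(5, 0, 0, 0, b"\x80\x08\x00\x00\x00\x00\x00\x01"),  # Message Type AVP = 1 (SCCRQ)
    build_data(5, 1, b"\xc0\x21\x01\x01"),   # PPP LCP frame (protocol 0xC021)
    build_data(5, 2, b"\x00\x21\x45\x00"),   # PPP IP frame (protocol 0x0021)
    build_data(5, 1, b"\xc2\x23\x01\x01"),   # PPP CHAP frame (protocol 0xC223)
]
```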
(Figures: L2TP networking between a remote user or remote branch PC, the LAC (Firewall A), an IP network, the L2TP tunnel, the LNS (Firewall B) and a RADIUS server.)
2. The PC and the LAC (Eudemon 1000E A) negotiate PPP LCP parameters.
3. The LAC performs Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) authentication based on the user information provided by the PC.
4. The LAC sends the authentication information, including the VPN user name and password, to the RADIUS server for ID authentication.
5. The RADIUS server authenticates this user and, after the authentication succeeds, sends back the access accept, including information such as the LNS address. Meanwhile, the LAC is ready to initiate a new tunnel request.
6. The LAC initiates a tunnel request to the LNS specified by the RADIUS server.
7. The LAC sends a CHAP challenge to the LNS; the LNS sends back the CHAP response and its own CHAP challenge; the LAC sends back the CHAP response.
8. Authentication passes.
9. The LAC transmits the CHAP response, response identifier, and PPP negotiation parameters to the LNS.
10. The LNS sends the access request to the RADIUS server for authentication.
11. The RADIUS server re-authenticates this access request and sends back a response if authentication is successful.
12. If local mandatory CHAP authentication is configured on the LNS, the LNS authenticates the VPN user by sending a challenge, and the VPN user at the PC sends back the response.
13. The LNS re-sends this access request to the RADIUS server for authentication.
14. The RADIUS server re-authenticates this access request and sends back a response if authentication is successful.
15. After all authentications are passed, the VPN user can access the internal resources of the enterprise.
- L2TP itself does not provide connection security, but it can rely on the authentication, such as CHAP and PAP, provided by PPP. Thereby, it has all the security features of PPP.
- L2TP can integrate with IPSec to provide data security, which makes it more difficult to attack the data transmitted with L2TP.
- To improve data security according to the security requirements of a specific network, L2TP adopts:
- Multi-protocol transmission
L2TP transmits PPP data packets, and a wide variety of protocols can be encapsulated in PPP data packets.
- Reliability
L2TP supports a backup LNS. When the active LNS is inaccessible, the LAC can reconnect to the backup LNS, which improves the reliability and fault tolerance of the VPN service.
4.2.4 License
The number of tunnels supported by L2TP is determined by licenses.
You can obtain the services provided by L2TP only when you have received the license.
4.3 IPSec
IPSec can realize auto-negotiation key exchange and SA setup as well as maintenance services
through Internet Key Exchange (IKE). That simplifies the use and management of IPSec.
The two sides of communication perform encryption and data source authentication at the IP layer to ensure confidentiality, data integrity, data origin authentication and anti-replay for packets when they are transmitted on networks.
The details are as follows:
- Confidentiality
- Data integrity
Data integrity is to authenticate the received data so as to determine whether the packet has been modified.
- Data authentication
Data origin authentication is to authenticate the data source to make sure that the data is sent from the real sender.
- Anti-replay
Anti-replay is to prevent a malicious client from repeatedly sending a data packet. In other words, the receiver will deny old or repeated data packets.
IPSec realizes the above aims through AH and ESP. Moreover, IKE provides auto-negotiation
key exchange and Security Association (SA) setup and maintenance services for IPSec so as to
simplify the use and management of IPSec.
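An added Python example (not from the Huawei document) of the receiver-side anti-replay check described above, using the sliding window of RFC 4303 so that old or repeated sequence numbers are denied while packets that fail the AH/ESP integrity check never advance the window; the sequence-number samples are constructed.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay state for one IPSec SA, after the sliding-window
    algorithm of RFC 4303 Appendix A. Sequence numbers are 32-bit and start at 1
    (0 is never valid). Bit i of the bitmap records whether (top - i) was received."""

    def __init__(self, window_size=64):
        if window_size < 32:
            raise ValueError("window must be at least 32 sequence numbers")
        self.size = window_size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq):
        """Return True if seq is new: ahead of the window, or inside it and not yet
        seen. Does not change state, so it is safe to run before integrity checking."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return False
        if seq > self.top:
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                     # left of the window: cannot prove it is new, so drop
        return not ((self.bitmap >> diff) & 1)   # set bit means already seen: replay

    def update(self, seq):
        """Record seq as received. Call only after check() passed AND the packet's
        AH/ESP integrity check succeeded, so forged packets cannot move the window."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def check_and_update(self, seq):
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def replay_filter(seqs, window_size=64):
    """Apply the window to a constructed arrival order of sequence numbers and
    return (seq, accepted) verdicts; assumes every packet passed integrity checking."""
    w = AntiReplayWindow(window_size)
    return [(s, w.check_and_update(s)) for s in seqs]


def receive(packets, window_size=64):
    """Process constructed (seq, integrity_ok) pairs in arrival order: a packet that
    fails the AH/ESP integrity check is dropped without touching the window, so a
    forged packet cannot block the genuine packet that carries the same number."""
    w = AntiReplayWindow(window_size)
    verdicts = []
    for seq, integrity_ok in packets:
        ok = w.check(seq) and integrity_ok
        if ok:
            w.update(seq)
        verdicts.append(ok)
    return verdicts
```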
- AH protocol
AH mainly provides data source authentication, data integrity check and anti-replay. However, it cannot encrypt the packet.
- ESP protocol
Encapsulating Security Payload (ESP) provides the encryption function in addition to the functions provided by AH. The data integrity authentication function of ESP, however, does not cover the IP header. ESP allows authenticating and encrypting packets simultaneously, or only authenticating, or only encrypting packets.
NOTE
AH and ESP can be used either independently or in combination. There are two encapsulation modes for both AH and ESP: transport mode and tunnel mode. The two encapsulation modes are described in Encapsulation Modes of IPSec.
- IKE protocol
IKE is used to negotiate the keys for IPSec. It negotiates the key algorithm applied in AH and ESP and puts the necessary key for the algorithm in the proper place.
NOTE
IKE negotiation is not mandatory. IPSec policies and algorithms can also be negotiated manually. A comparison of the two negotiation modes is given in IKE Negotiation Modes.
- IKEv2
As the successor of IKE, IKEv2 provides all the basic functions of IKE, reduces the complexity, and improves the efficiency and expansibility of IKE.
Security Association
IPSec provides secure communication between two ends. These two ends are called IPSec peers.
IPSec allows systems, network subscribers, or administrators to control the granularity of
security services between peers.
For example, the IPSec policies of a group may define that data streams from one subnet should be protected with both AH and ESP and be encrypted with Triple Data Encryption Standard (3DES), while data streams from another site should be protected with ESP only and be encrypted with DES only. IPSec can thus provide different levels of protection for different data streams based on SAs.
An SA is the basis and essence of IPSec. An SA specifies the shared policies and keys used by two negotiating peers to protect their communication:
An SA is unidirectional. For bidirectional communication between peers, at least two SAs are needed to protect the data streams in the two directions. Moreover, if both AH and ESP are applied to protect data streams between peers, two SAs are still needed, one for AH and one for ESP.
An SA is uniquely identified by a triplet, including:
- Destination IP address
SA Negotiation Modes
There are two negotiation modes available for establishing an SA:
- Manual mode
- IKE auto-negotiation mode
The manual mode is feasible if few peer devices are deployed or in a small-sized static environment. The IKE auto-negotiation mode is recommended for a medium- or large-sized dynamic networking environment.
Transport mode
In the transport mode, AH or ESP is inserted after the IP header but before all transport layer protocols or all other IPSec protocols.
Transmission Control Protocol (TCP) is taken as an example to show the data encapsulation in this mode. See Figure 4-8.
Figure 4-8 Packet format in the transport mode
(Table with columns Mode and Protocol; rows Transport/AH, Transport/ESP and Transport/AH-ESP; ESP Tail.)
Tunnel mode
In the tunnel mode, AH or ESP is inserted before the raw IP header but after the new IP header.
TCP is taken as an example to show the data encapsulation in this mode. See Figure 4-9.
Figure 4-9 Packet format in the tunnel mode
Mode   | Protocol | Packet format
Tunnel | AH       |
Tunnel | ESP      | new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
Tunnel | AH-ESP   | new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
In terms of security, the tunnel mode is safer than the transport mode. The former can
authenticate and encrypt original IP data packets completely. In addition, it can hide the
client IP address by using the IP address of the IPSec peer.
In terms of performance, the tunnel mode occupies more bandwidth than the transport mode
because it has an extra IP header.
Authentication algorithms
Both AH and ESP can authenticate the integrity of an IP packet so as to judge whether the packet was modified in transit. Authentication is implemented with a hash function. A hash function is an algorithm that accepts input messages of any length and outputs a message of a fixed length. The output message is called the message digest. To authenticate integrity, the IPSec peers calculate the message digest with the hash function. If the message digests are the same on the two peers, the packet is considered intact and unmodified. There are two IPSec authentication algorithms, which are as follows:
- MD5
- SHA-1
The SHA-1 message digest is longer than that of MD5, so SHA-1 is safer than MD5.
- Encryption algorithms
ESP can encrypt IP packets so that the contents of the packets are not leaked during transmission. The encryption algorithm is implemented through a symmetric key system, which encrypts and decrypts data with the same key. IPSec uses three encryption algorithms, which are as follows:
- 3DES
It encrypts a packet in clear text with three 56-bit DES keys (168-bit key in total). Obviously, 3DES is much safer than DES. However, its encryption speed is far slower.
- AES
AES makes a good balance between security and performance.
IKE
Before using IPSec to protect an IP packet, you must create an SA. The SA of the IPSec can be
created manually or dynamically. If the number of nodes on the network is great, it is difficult
to create an SA manually and security cannot be ensured. Therefore, you need to create an SA
by using Internet Key Exchange (IKE).
IKE has a self-protection mechanism; therefore, it can perform the following actions even on
an insecure network:
- Distribute keys
- Authenticate IDs
- Create IPSec SAs
The DH algorithm is a public key algorithm. Both parties in communication can exchange some data without transmitting the key and then find the shared key by calculation. The prerequisite for encryption is that both parties must have a shared key. The merit of IKE is that it never transmits the key directly over the unsecured network but calculates the shared key by exchanging a series of data. Even if a third party (such as a hacker) captures all the exchanged data used to calculate the shared key, it cannot figure out the real key.
- ID authentication
ID authentication identifies both parties in communication. With the pre-shared key authentication method, inputting an authenticator generates a shared key. It is impossible for different authenticators to generate the same shared key between the two parties. The authenticator is the key to ID authentication for both parties.
- ID protection
After the shared key is generated, identity data is sent in encrypted form. Thus, identity data is protected.
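An added Python example, not from the Huawei document, of the DH exchange, pre-shared-key ID authentication and ID protection described above: two peers derive the same g^xy and the IKEv1 phase 1 keys of RFC 2409 while an eavesdropper sees only the public values, nonces and cookies; the pre-shared keys, nonces and cookies are constructed, and the group is the 1024-bit MODP group (IKE group 2) of RFC 2409 section 6.2.

```python
import hashlib
import hmac
import secrets

# IKE group 2: the 1024-bit MODP prime and generator 2 of RFC 2409 section 6.2.
# Shown for illustration; larger groups are used in current deployments.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair(p=P, g=G):
    """Pick a random private exponent x and return (x, g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def public_value_ok(y, p=P):
    """Reject degenerate peer values (0, 1, p-1 and out-of-range) before using them."""
    return 1 < y < p - 1


def dh_shared(peer_public, x, p=P):
    """g^xy as computed by one side from the peer's public value and its own exponent."""
    if not public_value_ok(peer_public, p):
        raise ValueError("invalid DH public value from peer")
    return pow(peer_public, x, p)


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_keys(psk, ni, nr, cky_i, cky_r, gxy):
    """IKEv1 key derivation for pre-shared key authentication (RFC 2409 section 5):
       SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
       SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)           -> keying material for IPSec SAs
       SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) -> integrity key
       SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) -> encryption key
    SKEYID_e is what encrypts the identity payloads in main mode (ID protection)."""
    gxy_b = gxy.to_bytes((P.bit_length() + 7) // 8, "big")
    skeyid = prf(psk, ni + nr)
    d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy_b + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy_b + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}


def simulate(psk_initiator, psk_responder):
    """Run the exchange between an initiator and a responder that may hold different
    pre-shared keys (constructed inputs). Returns (same_dh_secret, same_keys, on_the_wire):
    the DH secret agrees regardless of the PSKs, but the phase 1 keys agree only when
    both sides entered the same authenticator."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    # Everything an eavesdropper on the path can capture:
    on_the_wire = {"g^xi": gi, "g^xr": gr, "Ni": ni, "Nr": nr, "CKY-I": cky_i, "CKY-R": cky_r}
    gxy_i = dh_shared(gr, xi)  # initiator computes (g^xr)^xi
    gxy_r = dh_shared(gi, xr)  # responder computes (g^xi)^xr
    keys_i = phase1_keys(psk_initiator, ni, nr, cky_i, cky_r, gxy_i)
    keys_r = phase1_keys(psk_responder, ni, nr, cky_i, cky_r, gxy_r)
    return gxy_i == gxy_r, keys_i == keys_r, on_the_wire
```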
Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with
which to communicate. This is called the ISAKMP Security Association (ISAKMP SA or
IKE SA).
Phase 2 is where SAs are negotiated on behalf of services such as IPSec or any other service
which needs key material and/or parameter negotiation. IPSec SA is used for transmitting
IP data.
(Figure: IKE and IPSec layering on Firewall A and Firewall B: IKE negotiates the SAs, IPSec protects the IP packets carrying TCP/UDP, and encrypted IP packets travel between the two firewalls. A second figure shows the IKE negotiation steps: matched data streams are forwarded over the interface applying IPSec, which triggers the SA in phase 1 of the IKE negotiation, followed by steps 2 to 4.)
1. On an interface that applies IPSec, an outbound packet is compared with the IPSec policies.
2. If the packet matches an IPSec policy, search for the relevant SA. If the SA has not been created, IKE is triggered to negotiate the SA of stage 1, that is, the IKE SA.
3. Negotiate the SA of stage 2 under the protection of the stage 1 SA, that is, the IPSec SA.
4.
- Main mode
In main mode, key exchange information is separated from ID and authentication information. In this way, the exchanged ID information is protected by the generated DH shared key. However, it takes three extra messages to complete the process.
- Aggressive mode
In aggressive mode, the payloads relevant to the SA, key exchange, and authentication can be transmitted simultaneously. Transmitting these payloads in one message helps reduce round trips. However, this mode cannot provide identity protection.
Although the functions of aggressive mode are limited, it can meet the demand in some specific network environments. For example, in remote access, the responder (server end) has no way to learn the address of the initiator (terminal user) in advance, or the address of the initiator keeps changing, but both parties wish to create an IKE SA through authentication with pre-shared keys. In this case, the aggressive mode without ID protection is the only available exchange method. In addition, if the initiator already knows the responder's policy or has a comprehensive understanding of it, aggressive mode can be adopted to create the IKE SA faster.
Introduction
As the first-choice key exchange protocol for implementing IPSec VPNs, IKE ensures the secure and dynamic creation of SAs. IKE is a hybrid protocol, and its complexity inevitably introduces defects in security and performance that have become a bottleneck for current IPSec systems. The IKEv2 protocol keeps the basic functions of IKE and overcomes the problems found in the study of IKE. For simplicity, efficiency, security, and robustness, the relevant IKE documents are replaced by RFC 4306. By minimizing the core functions and the default cipher algorithms, IKEv2 greatly improves interoperability among different IPSec VPNs.
Compared with IKE, IKEv2 has the following advantages:
- After four messages, one IKE SA and a pair of IPSec SAs can be created through negotiation. Thus, the negotiation efficiency is improved.
- Data structures that are difficult to understand and likely to be confusing are deleted, including DOI, SIT and domain identifier.
- IKEv2 can choose payloads of specific traffic to protect. In this way, IKEv2 takes over certain functions of the former ID payload and becomes more flexible.
- IKEv2 supports EAP authentication, and thus the authentication is improved in flexibility and expansibility.
from the PRF + output traffic one by one. Therefore, it is more difficult for the attacker to
guess the keys. As a result, the keys are less likely to be disclosed, transmission becomes
safer, and to a certain extent, man-in-the-middle attacks are prevented.
- Authentication
  IKEv2 performs authentication by using pre-shared keys and digital signatures. The authentication is two-way: the negotiation parties authenticate each other. In addition, the authentication is symmetrical: both parties use the same mechanism and method to authenticate each other. Two-way authentication effectively defends against man-in-the-middle attacks. IKEv2 also defines extended authentication, in which the negotiation parties authenticate each other through the method described in EAP. Extended authentication supports asymmetrical two-way authentication, further improving the flexibility of authentication and the expansibility of negotiations.
- Message exchange
  IKEv2 reduces the six messages of IKE main mode to four and sends the SA payload, KE payload, and nonce payload together, so the messages carry the nonce values. When an attacker returns the messages to their senders, the senders can decide whether the messages are genuine, which prevents replay attacks to a certain extent. Each IKEv2 message header contains a message ID, which is used to match a request with its reply and to identify replays. When a request is sent or received, the message ID must increase in order. Moreover, except in the IKE_SA_INIT exchange, the message ID is encrypted and integrity-protected to prevent replay. IKEv2 introduces a sliding window mechanism so that exchanges can effectively resist replay attacks.
- SPI value
  The header of an IKEv2 message carries the initiator SPI (SPIi) and the responder SPI (SPIr). The SPIi and SPIr are random 8-byte values generated by the kernel to identify the SA and the pair of nodes exchanging messages. Of the requests with the same SPI value, only one is processed (retransmitted messages excepted); the others are discarded as repeated data. This mechanism can prevent DoS attacks to a certain extent.
- Retransmission convention
  All IKEv2 messages come in pairs. In each pair, the initiator is responsible for retransmission. The responder does not retransmit the response unless it receives a retransmitted request from the initiator. In this way, the two parties do not both initiate retransmission, and resources are not wasted. In addition, attackers cannot capture the messages and send retransmissions repeatedly to exhaust the resources of the negotiating parties.
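The message-ID, sliding-window and retransmission rules above can be exercised with a small responder-side model. This is an added illustration, not the product's or RFC 4306's code; RequestWindow is a hypothetical name, and the window size and response strings are constructed.

```python
class RequestWindow:
    """Responder-side tracking of IKEv2 request message IDs (hypothetical illustration)."""

    def __init__(self, window_size: int = 1):
        self.window_size = window_size  # how many requests the initiator may have in flight
        self.expected = 0               # lowest message ID not yet received
        self.received = set()           # IDs >= expected that have arrived (the window bitmap)
        self.responses = {}             # message ID -> response kept for retransmission

    def handle(self, message_id: int, build_response) -> tuple:
        """Return (verdict, response). Only a "new" request invokes build_response."""
        if message_id < self.expected:
            # Already answered. The initiator retransmits only when it saw no reply,
            # so the stored response is resent; anything older is treated as a replay.
            if message_id in self.responses:
                return ("retransmit", self.responses[message_id])
            return ("replay", None)
        if message_id >= self.expected + self.window_size:
            # IDs must advance in order; a request that skips ahead of the window is refused.
            return ("out-of-window", None)
        if message_id in self.received:
            return ("retransmit", self.responses[message_id])

        response = build_response(message_id)
        self.received.add(message_id)
        self.responses[message_id] = response
        # Slide the window past every contiguous ID that has now been received.
        while self.expected in self.received:
            self.received.remove(self.expected)
            self.expected += 1
        # Keep responses only for the most recent window's worth of answered requests.
        for old in [m for m in self.responses if m < self.expected - self.window_size]:
            del self.responses[old]
        return ("new", response)
```

With a window of 1 the responder answers ID 0, resends the same answer if ID 0 arrives again, refuses ID 2 until ID 1 has been seen, and once ID 1 is answered an ID 0 arriving again is classed as a replay rather than a retransmission.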
NAT Traversal
One of the main applications of IPSec is to set up VPNs. In actual networking there is a situation that obstructs the deployment of an IPSec VPN: if the initiator resides in an internal private network and wishes to create an IPSec tunnel directly between itself and the remote responder, IPSec and NAT must cooperate. The main problems are how IKE can discover, during negotiation, that there is a NAT gateway between the two endpoints, and how IKE can make ESP packets traverse the NAT gateway normally.
First, the two endpoints of the desired IPSec tunnel need to negotiate their NAT traversal capabilities. The negotiation is implemented with the first two messages of the IKE negotiation. The Vendor ID payload carries a group of data that identifies the negotiation; the definitions of the payload data vary with the draft versions.
NAT gateway discovery is carried out through the NAT-D payload. The payload is used for two purposes:
As the initiator, the peer on the NAT side needs to send NAT keepalive packets regularly so that the NAT gateway keeps the security tunnel in the active state.
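To make NAT discovery concrete, here is an added example (not the product's code) that computes the NAT-D payload as RFC 3947 defines it, HASH(CKY-I | CKY-R | IP | Port), and compares the hashes received from the peer with the addresses actually seen on the wire. The cookies and addresses are constructed, SHA-1 is assumed as the negotiated hash, and the function names are hypothetical.

```python
import hashlib
import socket
import struct

# Constructed ISAKMP cookies for this illustration (real ones are chosen by the peers).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload content per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).

    IP is the 4-byte IPv4 address and Port the 2-byte UDP port, both in network order.
    The hash is the one negotiated for the IKE SA (SHA-1 is assumed here).
    """
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d_payloads(cky_i, cky_r, remote_ip, remote_port, local_ip, local_port):
    """A sender first hashes the address it is talking to, then its own address(es)."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, received_nat_d, observed_src_ip, observed_src_port, my_ip, my_port):
    """Compare the peer's NAT-D hashes with what the receiver actually sees.

    Returns (peer_behind_nat, self_behind_nat):
      * received_nat_d[0] is what the peer believes our address is; if it does not match
        our own address, a NAT rewrote our packets on the way, so we are behind NAT;
      * the remaining hashes are the peer's own addresses; if none matches the source
        address/port the packet arrived with, the peer is behind NAT.
    """
    self_behind_nat = received_nat_d[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    seen = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    peer_behind_nat = seen not in received_nat_d[1:]
    return peer_behind_nat, self_behind_nat
```

In the constructed scenario the initiator sits at 192.168.1.10 behind a NAT that rewrites it to 203.0.113.5:12001, while the responder at 198.51.100.1 sees only the translated source; the responder's comparison therefore reports the peer as behind NAT and itself as not.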
or IP address of the peer. In addition, you need to configure ESP and encapsulate packets in
tunnel mode.
On the Eudemon 1000E, IKE is implemented as follows:
1.
2. Specify a series of attributes for the IKE peer, including the IKE negotiation mode, pre-shared key, peer IP address or peer ID, and NAT traversal, so that the IKE negotiation is valid.
3. Create an IKE proposal that specifies the algorithm strength of the IKE exchange, that is, the security protection strength (ID authentication method, encryption algorithm, authentication algorithm, and DH group). Strength varies from algorithm to algorithm: the stronger the algorithm, the harder it is to decrypt the protected data, but the more computing resources are consumed. In general, the longer the key, the higher the algorithm strength.
Besides the above basic procedures, IKE has a keepalive mechanism that determines whether the peer can still communicate normally; it has two parameters, "interval" and "timeout".
IKE also supports Dead Peer Detection (DPD), which performs better and responds faster. Its interval parameter can be configured.
When IPSec NAT traversal is configured, you can set the interval at which NAT updating packets are sent.
After the above IKE configuration, reference the IKE peer in the IPSec policy view to complete the IPSec configuration with auto-negotiation.
- Security protocol
- Authentication algorithm
- Encryption algorithm
- Operation mode

- Association between data streams and the IPSec proposal (namely, apply a certain protection to a certain data stream)
- SA negotiation mode
- Peer IP address settings (that is, the start point/end point of the protection path)
- Required key

- Source address/mask
- Destination address/mask
An ACL rule defines a data stream. Namely, traffic that matches an ACL rule is a data
stream logically. A data stream can be a single TCP connection between two hosts or all
traffic between two subnets. IPSec can apply different security protections on data streams.
So the first step in IPSec configuration is to define data streams.
2.
3.
- Manual IPSec policy: parameters such as the key, SPI, and SA duration are configured manually. In tunnel mode, the IP addresses of the peers must be configured.
- IKE negotiation IPSec policy: parameters such as the key, SPI, and SA duration are generated automatically through IKE auto-negotiation.
An IPSec policy group contains IPSec policies with the same name but different sequence
numbers. In an IPSec policy group, the smaller sequence number has the higher priority.
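The outbound processing described earlier in this section (policy matching, SA lookup, IKE stage 1 and stage 2 triggering), the ACL-defined data streams, and the policy-group priority rule just stated can be traced in a small simulation. This is an added illustration, not the Eudemon 1000E's code: AclRule, IpsecPolicy and IpsecInterface are hypothetical names, and the addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclRule:
    """One ACL rule = one data stream, defined by source and destination prefix."""
    src: str
    dst: str

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))


@dataclass
class IpsecPolicy:
    name: str      # policies with the same name form one policy group
    seq: int       # smaller sequence number = higher priority inside the group
    acl: AclRule
    mode: str      # "manual" or "isakmp" (IKE negotiation)


class IpsecInterface:
    """Outbound processing on an interface that applies an IPSec policy group (hypothetical)."""

    def __init__(self, policies):
        # A policy group is evaluated in ascending sequence-number order.
        self.policies = sorted(policies, key=lambda p: p.seq)
        self.ipsec_sas = {}      # (name, seq) -> "established"
        self.ike_sa_up = False   # stage 1 (IKE SA) state with the peer
        self.log = []

    def outbound(self, pkt: dict) -> str:
        # Step 1: compare the packet with the policies of the group, highest priority first.
        for pol in self.policies:
            if pol.acl.matches(pkt):
                break
        else:
            return "forward-plain"            # no policy matched: sent without protection

        # Step 2: look for the SA that belongs to the matched policy.
        key = (pol.name, pol.seq)
        if key in self.ipsec_sas:
            return f"protect:seq{pol.seq}"

        if pol.mode == "manual":
            # A manual policy has no negotiation to fall back on: its SA must be configured.
            self.log.append(f"drop: manual policy seq {pol.seq} has no SA")
            return "drop:no-manual-sa"

        # Stage 1: the IKE SA is negotiated once and protects every later stage 2 exchange.
        if not self.ike_sa_up:
            self.log.append("IKE stage 1: negotiate IKE SA")
            self.ike_sa_up = True

        # Stage 2 (step 3): the IPSec SA for this policy is negotiated under the IKE SA.
        self.log.append(f"IKE stage 2: negotiate IPSec SA for seq {pol.seq}")
        self.ipsec_sas[key] = "established"
        return f"negotiated-and-protect:seq{pol.seq}"
```

Note that the first matching packet for policy sequence 10 triggers both stages, while a later first packet for sequence 20 triggers only stage 2 because the IKE SA already exists, and that the more specific sequence 10 wins over the broader sequence 20 purely because of its smaller number.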
4.
[Figure: VPN - Firewall - Firewall - VPN]
4.3.10 License
The number of tunnels supported by IPSec is determined by the license.
You can use the IPSec services only after you obtain the license.
4.4 GRE
The Generic Routing Encapsulation (GRE) protocol encapsulates packets of a network layer protocol such as Internet Packet Exchange (IPX) so that they can be transmitted in another network layer protocol such as IP. GRE is a Layer 3 tunneling protocol for VPNs.
4.4.1 Introduction
The GRE protocol encapsulates packets of a network layer protocol such as IP or Internet Packet Exchange (IPX) so that they can be transmitted in another network layer protocol such as IP.
4.4.2 Realization
The transmission of packets in GRE tunnels can be divided into two processes: encapsulation
and decapsulation.
4.4.3 License
GRE is not controlled by the license.
4.4.4 Applications of GRE
The GRE protocol can implement many types of services. For example, the combination of GRE
and IPSec can protect multicast data.
4.4.1 Introduction
The GRE protocol encapsulates packets of a network layer protocol such as IP or Internet Packet Exchange (IPX) so that they can be transmitted in another network layer protocol such as IP.
GRE Overview
GRE serves as a Layer 3 tunneling protocol of Virtual Private Networks (VPNs), and provides
a tunnel for transparently transmitting VPN packets. A tunnel is a virtual point-to-point
connection. It can be regarded as a virtual interface that supports only point-to-point connections.
This virtual interface provides a channel through which encapsulated data packets can be
transmitted. At both ends of a tunnel, data packets are encapsulated or decapsulated.
[Figure: the three layers of a GRE tunnel packet: Transport Protocol, Encapsulation Protocol, Passenger Protocol]
Payload: the packet received by the system, which needs to be encapsulated and routed.
Passenger Protocol: the protocol of the packet before encapsulation.
Encapsulation Protocol: the GRE protocol described above; it is also called the carrier protocol.
Transport Protocol: the protocol responsible for forwarding the encapsulated packets.
For example, Figure 4-15 shows the format of an IP packet encapsulated in an IP tunnel.
Figure 4-15 Delivery packet format in the tunnel
[Figure: IP header (Transport Protocol) | GRE header (Encapsulation Protocol) | IP packet (Passenger Protocol)]
[Figure: GRE header format, bits 0 to 31: the C and K flag bits, the Recursion, Flags, Version and Protocol Type fields, followed by the optional Checksum and Key fields]
C: the Checksum bit. If it is set to 1, the Checksum field is present in the GRE header; if it is set to 0, the GRE header does not contain the Checksum field.
K: the Key bit. If it is set to 1, the Key field is present in the GRE header; if it is set to 0, the GRE header does not contain the Key field.
Recursion: the number of encapsulations of the GRE packet. This field increases by one after each encapsulation. If the number of encapsulations is greater than 3, the packet is discarded. This field prevents the packet from being encapsulated infinitely.
Flags: the reserved field. At present, it must be set to 0.
Version: the version number. It must be set to 0. Version number 1 is used by PPTP as defined in RFC 2637.
Protocol Type: the type of the passenger protocol.
Checksum: the checksum of the GRE header and the payload.
Key: the Key field. It is used by the receiver to authenticate the received packet.
NOTE
The GRE header does not contain the Source Route field; therefore, Bit 1, Bit 3, and Bit 4 are all set to 0.
Characteristics of GRE
GRE has the following characteristics:
- Its mechanism is simple, and it places little load on the CPUs at the two ends of the tunnel.
- GRE itself does not encrypt the data. It can be used together with IPSec.
4.4.2 Realization
The transmission of packets in GRE tunnels can be divided into two processes: encapsulation and decapsulation. The network shown in Figure 4-17 illustrates the two processes.
- Encapsulation
  After receiving an IP packet from the interface connected to IP Group 1, Eudemon 1000E A delivers the packet to the IP protocol module for processing.
  The IP protocol module checks the destination address field in the IP packet header and decides how to route the packet. If the outgoing interface is the tunnel interface, the IP protocol module sends the packet to the tunnel module.
  After receiving the packet, the tunnel interface encapsulates it into a GRE packet and delivers the GRE packet to the IP module. The IP module adds an IP header to the packet and delivers it to the corresponding network interface according to the destination IP address and the routing table.
- Decapsulation
  The decapsulation process is the reverse of encapsulation. After receiving the packet from the interface connected to the public network, Eudemon 1000E B analyzes the IP header. If it finds that it is the destination of the packet, it removes the IP header and delivers the packet to the GRE module for processing. After processing, the GRE module removes the GRE header and delivers the packet to the IP protocol, which forwards it as an ordinary packet.
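The GRE header fields described in the previous section and the encapsulation/decapsulation steps above are exercised by the following added example, which is not the Eudemon 1000E's code. It builds a GRE header with the C and K bits, verifies the checksum and the key on receipt, rejects packets with the R/S/s bits or a nonzero version, and discards packets whose Recursion field exceeds 3. The payload bytes are constructed and the function names are hypothetical.

```python
import struct

GRE_PROTO_IPV4 = 0x0800   # Protocol Type (EtherType) of an IPv4 passenger packet
MAX_RECURSION = 3         # the page's limit: more than 3 encapsulations is discarded

# Bit positions in the first 16 bits of the GRE header (bit 0 = most significant).
C_BIT = 0x8000      # Checksum present
R_BIT = 0x4000      # Routing present (bit 1, must be 0 here)
K_BIT = 0x2000      # Key present
S_BIT = 0x1000      # Sequence number present (bit 3, must be 0 here)
s_BIT = 0x0800      # Strict source route (bit 4, must be 0 here)


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words; used for the GRE Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int = GRE_PROTO_IPV4, key: int = None,
                    checksum: bool = False, recursion: int = 0) -> bytes:
    """Build GRE header + payload (the outer delivery IP header is added by the IP module)."""
    if recursion > MAX_RECURSION:
        raise ValueError("recursion limit exceeded")
    first = (recursion & 0x7) << 8              # Recursion occupies bits 5-7; Flags and Version stay 0
    if checksum:
        first |= C_BIT
    if key is not None:
        first |= K_BIT
    header = struct.pack("!HH", first, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)      # Checksum placeholder + Offset
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + payload
    if checksum:
        cksum = ones_complement_checksum(packet)  # covers GRE header and payload
        packet = packet[:4] + struct.pack("!H", cksum) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes, expected_key: int = None):
    """Parse and validate a GRE packet. Returns (info, None) or (None, reason)."""
    if len(packet) < 4:
        return None, "short header"
    first, proto = struct.unpack("!HH", packet[:4])
    if first & (R_BIT | S_BIT | s_BIT):
        return None, "R/S/s bits must be 0"
    if first & 0x0007:                          # Version must be 0 (1 belongs to PPTP)
        return None, "unsupported GRE version"
    recursion = (first >> 8) & 0x7
    if recursion > MAX_RECURSION:
        return None, "too many encapsulations; packet discarded"
    offset = 4
    if first & C_BIT:
        # A valid packet sums to all ones, so the recomputed checksum is zero.
        if len(packet) < 8 or ones_complement_checksum(packet) != 0:
            return None, "checksum mismatch"
        offset += 4
    key = None
    if first & K_BIT:
        if len(packet) < offset + 4:
            return None, "truncated key"
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if expected_key is not None and key != expected_key:
        return None, "key mismatch; packet not authenticated"   # the receiver checks the Key
    return {"proto": proto, "key": key, "recursion": recursion,
            "payload": packet[offset:]}, None
```

A tunnel end that is configured with a key only accepts packets carrying that key, and a corrupted payload fails the checksum before the passenger packet is handed to the IP module.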
Figure 4-17 Private IP network interconnection through GRE tunnels
[Figure: IP group 1 - Firewall A ==Tunnel== Firewall B - IP group 1]
4.4.3 License
GRE is not controlled by the license.
GRE is the basic feature of the Eudemon 1000E. You can obtain the service without a license.
[Figure 4-18: two PCs communicating through a firewall tunnel]
In Figure 4-18, the IP protocol runs on the network. Assume that the IP protocol limits the hop count to 15. If the hop count between the two PCs is greater than 15, they cannot communicate. When a tunnel is used in the network, a few hops are hidden, which enlarges the scope of the network operation.
[Figure 4-19: IP group 1 - Firewall - Vlan - Firewall - IP group 1]
As shown in Figure 4-19, two VPN sub-networks, Group 1 and Group 2, are in two different cities. By setting up a GRE tunnel between the devices at the network edge, you can connect the two sub-networks into a continuous VPN network.
GRE-IPSec Tunnel
Figure 4-20 GRE-IPSec tunnel
[Figure: Remote office network - Firewall ==GRE Tunnel carried inside an IPSec Tunnel== Firewall - Corporate intranet]
As shown in Figure 4-20, multicast data can be encapsulated in GRE packets and transmitted in the GRE tunnel. According to the protocol, IPSec only encrypts and protects unicast data. To transmit multicast data such as routing protocol, voice, and video traffic, set up a GRE tunnel and encapsulate the multicast data in GRE packets. IPSec then encrypts the GRE packets, so they can be transmitted in the IPSec tunnel.
The user can choose to configure a key on the GRE tunnel interface, so that the encapsulated packets are checked end to end.
Encapsulation, decapsulation, and the data added by the encapsulation may reduce the forwarding efficiency of the Eudemon 1000E.
5 Reliability
[Figure: Server on the 10.100.10.0/24 intranet reaching the Internet through a single Router]
All interactive packets between intranet users and Internet users pass through the router. When the router fails, all hosts on the intranet (whose default next hop is the router) fail to communicate with the Internet. In this case, communication in default route mode is unreliable. The Virtual Router Redundancy Protocol (VRRP) can solve this problem.
As a fault-tolerant protocol, VRRP is applicable to a LAN that supports multicast or broadcast, such as Ethernet.
VRRP organizes several routers on a LAN into a virtual router, named a backup group. In a backup group, only one device is in the active state; it is named the Primary. The others are in the standby state, ready to take over the tasks at any time according to their priority; these inactive devices are named Secondary.
[Figure: Routers A, B and C on the 10.100.10.0/24 LAN form a backup group (virtual router) with a virtual IP address; PC and Server are hosts on the LAN; B and C are labelled Secondary]
- Routers A, B, and C make up a backup group (which serves as a virtual router) whose virtual IP address is 10.100.10.1.
- Routers B and C are Secondary, with IP addresses 10.100.10.3 and 10.100.10.4 respectively.
- In VRRP, only the active router can forward packets that take the virtual IP address as the next hop.
All hosts on the intranet are aware only of the virtual IP address 10.100.10.1, not of the IP addresses of the Primary or Secondaries. Therefore, the default route of each host is configured to the virtual IP address, and all hosts on the intranet communicate with the Internet through this backup group.
The VRRP module on the primary router monitors the state of the communication interface and sends notification packets to the secondary routers in multicast mode.
When the primary router fails, for example because an interface or link fails, the VRRP notification packets are no longer sent as usual.
When a secondary router does not receive any VRRP notification packet within a specified interval, the secondary router with the highest priority changes its VRRP state to the active state. In this way, the services running on the primary router continue to run on the secondary router.
If the primary router of the backup group fails, the other secondary routers of the group elect a new router according to their priorities. The selected router works in the active state and provides routing services to the hosts on the network.
With the VRRP technology, the hosts on the intranet can communicate with the Internet continuously. Thus, reliability is guaranteed.
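The failover just described (notifications from the Primary, a timeout on the Secondaries, the highest-priority Secondary taking over) can be simulated in discrete time. This is an added example, not the product's VRRP implementation; the timer formula follows RFC 3768, the router names, priorities and virtual IP address are constructed, and the class names are hypothetical.

```python
class VrrpRouter:
    """One router of a VRRP backup group (hypothetical illustration)."""

    def __init__(self, name: str, priority: int, adv_interval_ms: int = 1000):
        self.name = name
        self.priority = priority            # 1..254; the highest priority wins
        self.adv_interval = adv_interval_ms
        self.state = "Backup"
        self.last_adv_rx = 0                # when this router last heard the master
        self.last_adv_tx = None             # when this router last advertised as master

    @property
    def master_down_interval(self) -> int:
        # RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
        # Skew_Time = (256 - Priority) / 256 s. Higher priority => shorter wait,
        # so the highest-priority backup is the first to take over.
        skew = (256 - self.priority) * self.adv_interval // 256
        return 3 * self.adv_interval + skew


class BackupGroup:
    """Discrete-time simulation (step_ms ticks) of one backup group on a shared LAN."""

    def __init__(self, virtual_ip: str, routers, step_ms: int = 100):
        self.virtual_ip = virtual_ip
        self.routers = routers
        self.step = step_ms
        self.failed = set()
        self.events = []

    def master(self):
        for r in self.routers:
            if r.state == "Master" and r.name not in self.failed:
                return r.name
        return None

    def run(self, until_ms: int, fail=None):
        """Run until until_ms; fail=(name, at_ms) silences that router from at_ms on."""
        fail_name, fail_at = fail if fail else (None, None)
        for t in range(0, until_ms + 1, self.step):
            if fail_name and t == fail_at:
                self.failed.add(fail_name)          # a failed router sends no more advertisements
                self.events.append((t, f"{fail_name} failed"))
            # Backups whose Master_Down timer expired become Master.
            for r in self.routers:
                if r.name in self.failed or r.state != "Backup":
                    continue
                if t - r.last_adv_rx > r.master_down_interval:
                    r.state = "Master"
                    r.last_adv_tx = None            # advertise immediately
                    self.events.append((t, f"{r.name} became Master"))
            # Masters multicast advertisements; a higher-priority master demotes any other.
            for r in self.routers:
                if r.name in self.failed or r.state != "Master":
                    continue
                if r.last_adv_tx is None or t - r.last_adv_tx >= r.adv_interval:
                    r.last_adv_tx = t
                    for o in self.routers:
                        if o is r or o.name in self.failed:
                            continue
                        o.last_adv_rx = t
                        if o.state == "Master" and o.priority < r.priority:
                            o.state = "Backup"
                            self.events.append((t, f"{o.name} returned to Backup"))
        return self.events
```

With priorities 200, 120 and 100 the election settles on A at 3.3 s; after A stops advertising at 10 s, B (the higher-priority Secondary) times out first and takes over at 12.9 s, and its own advertisement keeps C in the Backup state.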
[Figure: Trust zone 10.100.10.0/24 and DMZ 10.100.20.0/24, each connected to both Eudemon 1000Es; backup group 2 with virtual IP address 10.100.20.1; the secondary device]
- Interfaces connected to the Trust zone on the primary and secondary Eudemon 1000Es make up backup group 1 with the virtual IP address 10.100.10.1.
- Interfaces connected to the DMZ on the primary and secondary Eudemon 1000Es make up backup group 2 with the virtual IP address 10.100.20.1.
- Interfaces connected to the Untrust zone on the primary and secondary Eudemon 1000Es make up backup group 3 with the virtual IP address 202.38.10.1.
[Figure 5-4: Firewall A (Primary, holding the session entry) and Firewall B (Secondary) between the Trust, DMZ and Untrust zones; PC1 in Trust, PC2 in Untrust; packet paths (1) to (9); legend: actual connection, packet traffic]
In Figure 5-4, assume that the VRRP states of Eudemon 1000E A and Eudemon 1000E B are consistent, that is, all the interfaces on Eudemon 1000E A are in the active state and all the interfaces on Eudemon 1000E B are in the standby state. If PC1 in the Trust zone accesses PC2 in the Untrust zone, a packet is sent from the Trust zone to the Untrust zone along the path (1)-(2)-(3)-(4). When the packet passes Eudemon 1000E A, a dynamic session entry is generated. The return packet, sent along the path (5)-(6)-(7)-(8), matches the session entry and successfully reaches the host in the Trust zone.
Now assume that the VRRP states of Eudemon 1000E A and Eudemon 1000E B are inconsistent. For example, on Eudemon 1000E B the interface connected to the Trust zone is in the standby state while the interface connected to the Untrust zone is in the active state. After the packets from PC1 in the Trust zone pass Eudemon 1000E A and reach PC2 in the Untrust zone, a session entry is dynamically generated on Eudemon 1000E A. The return packet is sent along the path (5)-(9). At this time, no session entry for the data flow exists on Eudemon 1000E B. If no other packet-filtering rule permits the packet, Eudemon 1000E B discards it and the session is disrupted.
To summarize, if the VRRP states are consistent, the interfaces connected to each zone on the same Eudemon 1000E are in identical states, that is, all are in the active state or all are in the standby state at the same time.
The Eudemon 1000E connects to several security zones, and its interface in each security zone forms a backup group with the other device's interface in that zone.
In the traditional VRRP mechanism, each backup group works independently. Therefore, the VRRP states of the interfaces on one Eudemon 1000E are not necessarily consistent. That is, the traditional VRRP mechanism cannot achieve VRRP state consistency on the Eudemon 1000E.
Users specifically require that communications between the following points should not be disrupted:
- Access points
If only one Eudemon 1000E is located at the service point, the network may be disrupted by a single point of failure, even though the Eudemon 1000E itself is highly reliable.
In this case, the redundancy backup mechanism is offered to improve the stability and reliability of the entire system.
[Figure: primary/secondary mode. Firewall A (Primary, holding the session entry) and Firewall B (Secondary) between the Trust, DMZ and Untrust zones; PC1 in Trust, PC2 in Untrust; packet paths (1) to (8); legend: actual connection, packet traffic]
In primary/secondary mode, if Eudemon 1000E A is the active device, it takes on all data transmission tasks and many dynamic session entries are set up on it; Eudemon 1000E B is the standby device, and no data passes through it.
When errors occur on Eudemon 1000E A or on its links, Eudemon 1000E B switches to the active Eudemon 1000E and begins to transfer data. However, if no session entries or configuration commands were backed up to Eudemon 1000E B before the switchover, all sessions that passed through Eudemon 1000E A are disconnected because their packets no longer match any entry, and services are disrupted.
For the secondary Eudemon 1000E to take over smoothly when the primary Eudemon 1000E breaks down, configuration commands and state information must be backed up between the primary and secondary Eudemon 1000Es.
The Huawei Redundancy Protocol (HRP) is developed for this purpose. HRP is transmitted over VGMP packets in data channels in the VRRP management group.
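The session-entry problem of Figure 5-4 and the backup that HRP provides can be shown with a toy stateful firewall. This is an added illustration, not the Eudemon 1000E's or HRP's code; the addresses are constructed (the Trust network from the figures plus a made-up Untrust host), and the class and function names are hypothetical.

```python
class StatefulFirewall:
    """Toy session-state firewall: Trust -> Untrust is permitted and creates a session;
    Untrust -> Trust is permitted only when it matches an existing session."""

    def __init__(self, name: str):
        self.name = name
        self.sessions = set()   # keys of flows that were seen leaving the Trust zone
        self.peer = None        # backup partner (None = no session backup)

    def enable_session_backup(self, peer):
        """Model of HRP session backup: new entries are copied to the partner, both ways."""
        self.peer, peer.peer = peer, self

    @staticmethod
    def _key(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def trust_to_untrust(self, pkt) -> str:
        key = self._key(pkt)
        self.sessions.add(key)
        if self.peer is not None:
            self.peer.sessions.add(key)   # the entry now exists on the standby device too
        return "permit"

    def untrust_to_trust(self, pkt) -> str:
        # The return packet is matched against the reversed forward key.
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return "permit" if reverse in self.sessions else "drop"


def constructed_flow():
    """A constructed TCP flow from a Trust host to an Untrust web server and its reply."""
    req = {"proto": "tcp", "src": "10.100.10.20", "sport": 40001,
           "dst": "202.38.10.200", "dport": 80}
    rep = {"proto": "tcp", "src": "202.38.10.200", "sport": 80,
           "dst": "10.100.10.20", "dport": 40001}
    return req, rep


def symmetric_path() -> str:
    """Consistent VRRP states: request and reply both pass Firewall A."""
    a = StatefulFirewall("A")
    req, rep = constructed_flow()
    a.trust_to_untrust(req)
    return a.untrust_to_trust(rep)


def asymmetric_path(session_backup: bool) -> str:
    """Inconsistent states: request leaves via Firewall A, reply returns via Firewall B,
    the (5)-(9) path of Figure 5-4. With backup the reply still matches an entry."""
    a, b = StatefulFirewall("A"), StatefulFirewall("B")
    if session_backup:
        a.enable_session_backup(b)
    req, rep = constructed_flow()
    a.trust_to_untrust(req)
    return b.untrust_to_trust(rep)


def failover_after_backup() -> str:
    """Primary/secondary mode: A fails after the session was set up; B answers the reply."""
    a, b = StatefulFirewall("A"), StatefulFirewall("B")
    a.enable_session_backup(b)
    req, rep = constructed_flow()
    a.trust_to_untrust(req)
    return b.untrust_to_trust(rep)   # A is gone; B must have the entry already
```

The same reply packet is dropped by Firewall B when it holds no session entry and permitted once the entry was backed up, which is exactly the difference between the disrupted session in the text and the smooth takeover that HRP is meant to provide.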
In a VRRP management group, only the Eudemon 1000E that is in active state can be the
primary configuration device.
In load balancing mode, both Eudemon 1000Es that take part in two-node cluster hot backup are primary Eudemon 1000Es. In this case, the primary configuration device is selected based on the priorities of the VRRP groups and the actual IP addresses of the interfaces (in descending order).
To ensure the stability of the primary configuration device, it always works in active mode unless it fails or quits the VRRP backup group.
NOTE
The concepts of primary and secondary configuration devices are used in load balancing mode rather than in primary/secondary mode.
When the state of the VRRP management group changes, the system notifies HRP and the primary or secondary configuration device to change their states. In this way, configuration commands and session state information can be backed up between the two Eudemon 1000Es in time. In addition, the state of the VRRP management group is affected by the HRP state: based on the result of an HRP state switchover, VRRP modifies the priorities and changes the VRRP state.
When the state of the VRRP backup group changes, the VRRP management group determines whether to change the states of the following elements:
- HRP
5.4.1 Background
If the current network does not adopt the two-node cluster hot backup mode, the Eudemon
1000E is the single link. In the case of equipment failure, a single-point failure occurs, affecting
normal communications.
If the current network does not adopt the two-node cluster hot backup mode, the Eudemon
1000E is the single link for the network shown in Figure 5-7. All the interactive packets between
the intranet users and the Internet users must be forwarded by the Eudemon 1000E. The packet
transmission is shown in Figure 5-8 A. In the case of equipment failure, a single-point failure
occurs, affecting normal communications.
Figure 5-7 Networking diagram of a single link
[Figure: PC A in the Trust zone - Firewall - Router B - PC B]
[Figure 5-8 (panels A and B): Router A, OSN 900A, Firewall, Router B; path A passes through the Firewall, path B bypasses it]
To solve the preceding problem, you can use the optical bypass function on the network between the Eudemon 1000E and the OSN 900A. Once this function is enabled, packets bypass the Eudemon 1000E and travel along path B directly between Router A and Router B, as shown in Figure 5-8 B. This ensures the continuity of communications. During this period, however, the Eudemon 1000E does not protect the intranet.
While the Eudemon 1000E is faulty, malicious Internet users may intrude into the intranet and damage the network. You are advised to rectify the fault of the Eudemon 1000E promptly so that the packet transmission mode shown in Figure 5-8 A is resumed and the Eudemon 1000E defends the intranet again.
The Eudemon 1000E must work in transparent mode when you configure the optical bypass function.
A
ACK  Acknowledgement
ACL
AES
AH  Authentication Header
ALG
ARP
ASPF
AUX  Auxiliary (port)
B
BAS
BGP
BSD
C
CA  Certification Authority
CC  Challenge Collapsar
CAR
CHAP
CPE-based VPN
CRL
D
DB  Database
DDN
DDoS
DES
DES-CBC
DH  Diffie-Hellman
DHCP
DMZ  Demilitarized Zone
DN  Distinguished Name
DNS
DoS  Denial of Service
E
ESP
F
FE  Fast Ethernet
FIFO
FTP
G
GE  Gigabit Ethernet
GGSN
GPRS
GRE
GSR
GUI
H
HRP
HTTP
HWCC
I
ICMP
ID  Identity
IDC
IDS
IETF
IGMP
IKE
ILS
IP  Internet Protocol
IPC  Inter-Process Communication
IPSec  IP Security Protocol
ISAKMP
ISDN
IS-IS
ISP
L
L2F  Layer 2 Forwarding
L2TP
LAC
LAN
LCP
LDAP
LNS
M
MAC
MAN
MD5  Message Digest 5
MGCP
MPLS
MSDP
MSN  Microsoft Network
MTU
N
NAPT
NAS
NAT
NBT
NCP
NetBIOS
NP  Number Portable
O
OSI
OSPF
P
P2P  Peer To Peer
PAP
PC  Personal Computer
PFS
PIM-DM
PIM-SM
PING
PKI
POP  Point of Presence
PPP  Point-to-Point Protocol
PPTP
PSTN
Q
QoS  Quality of Service
R
RADIUS
RAS
RD  Router Distinguisher
RFC
RIP
RSA
RTSP
S
SA  Security Association
SAS
SC  Secospace controller
SLB
SIG
SIP
SM  Secospace Manager
SMTP
SPI
SSH  Secure Shell
SSL
T
TACACS
TCP
TCP/IP
TFTP
ToS  Type of Service
U
UDP
URL
V
VGMP
VLAN
VLL
VOD  Video On Demand
VPDN
VPLS
VPN
VPRN
VRP
VRRP
VT  Virtual Tributary
VTP
W
WAN
WAP
WWW