Dr. WoW
Jointly presented by Enterprise Network Documentation
Development Department and Firewall PDU
Basics
Security Policy
Attack Defense
NAT
GRE&L2TP VPN
IPSec VPN
SSL VPN
Hot Standby
Multi-homing
oW
W
Learn Firewalls with
Learn Firewalls with Dr. WoW
Contents
1 Basics ............................................................................................................................................... 1
1.1 What Are Firewalls? ......................................................................................................................................... 1
1.2 Development of Firewalls ................................................................................................................................ 3
1.2.1 Stage One: 1989–1994 ............................................................................................................................ 4
1.2.2 Stage Two: 1995–2004 ............................................................................................................................ 4
1.2.3 Stage Three: 2005–Present ...................................................................................................................... 4
1.2.4 Summary ................................................................................................................................................. 5
1.3 Huawei’s Firewall Products at a Glance ........................................................................................................... 5
1.3.1 USG2110 Product Introduction ............................................................................................................... 7
1.3.2 USG6600 Product Introduction............................................................................................................... 7
1.3.3 USG9500 Product Introduction............................................................................................................... 8
1.4 Security Zones .................................................................................................................................................. 8
1.4.1 Relationships Between Interfaces, Networks and Security Zones .......................................................... 9
1.4.2 Direction of Packet Flow Between Security Zones ............................................................................... 12
1.4.3 Security Zone Configuration ................................................................................................................. 14
1.5 Stateful Inspection and Session Mechanism .................................................................................................. 17
1.5.1 Stateful Inspection ................................................................................................................................ 17
1.5.2 Session .................................................................................................................................................. 19
1.5.3 Verification of Stateful Inspection......................................................................................................... 20
1.6 Appendix to the Stateful Inspection and Session Mechanism ........................................................................ 20
1.6.1 More About Sessions ............................................................................................................................ 21
1.6.2 Stateful Inspection and Session Establishment ..................................................................................... 23
1.7 Precautions for Configuration and Troubleshooting Guides .......................................................................... 28
1.7.1 Security Zones ...................................................................................................................................... 28
1.7.2 Stateful Inspection and Session Mechanism ......................................................................................... 29
2 Security Policy ............................................................................................................................. 31
2.1 First Experience of Security Policies ............................................................................................................. 31
2.1.1 Basic Concepts ...................................................................................................................................... 31
2.1.2 Matching Sequence ............................................................................................................................... 33
2.1.3 Implicit Packet Filtering........................................................................................................................ 33
2.2 History of Security Policies ............................................................................................................................ 35
2.2.1 Phase 1: ACL-based Packet Filtering .................................................................................................... 35
1
Learn Firewalls with Dr. WoW
2.2.2 Phase 2: UTM-integrated Security Policy ............................................................................................. 36
2.2.3 Phase 3: Unified Security Policy........................................................................................................... 39
2.3 Security Policies in the Local Zone ................................................................................................................ 42
2.3.1 Configuring a Security Policy in the Local Zone for OSPF .................................................................. 42
2.3.2 Which Protocols Require Security Policies Configured in the Local Zone on Firewalls? .................... 47
2.4 ASPF .............................................................................................................................................................. 50
2.4.1 Helping FTP Data Packets Traverse Firewalls ...................................................................................... 50
2.4.2 Helping QQ/MSN Packets Traverse Firewalls ...................................................................................... 54
2.4.3 Helping User-Defined Protocol Packets Traverse Firewalls ................................................................. 55
2.5 Configuration Precautions and Troubleshooting Guide ................................................................................. 57
2.5.1 Security Policy ...................................................................................................................................... 57
2.5.2 ASPF ..................................................................................................................................................... 60
3 Attack Defense............................................................................................................................. 63
3.1 DoS Attack ..................................................................................................................................................... 63
3.2 Single-Packet Attack and Defense ................................................................................................................. 64
3.2.1 Ping of Death Attack and Defense ........................................................................................................ 64
3.2.2 LAND Attack and Defense ................................................................................................................... 65
3.2.3 IP Scanning ........................................................................................................................................... 65
3.2.4 Recommended Configurations for Preventing Single-Packet Attacks .................................................. 65
3.3 SYN Flood Attack and Defense ..................................................................................................................... 66
3.3.1 Attack Mechanism ................................................................................................................................ 68
3.3.2 TCP Proxy ............................................................................................................................................. 69
3.3.3 TCP Source Authentication ................................................................................................................... 71
3.3.4 Commands ............................................................................................................................................ 73
3.3.5 Threshold Configuration Guide ............................................................................................................ 73
3.4 UDP Flood Attack and Defense ..................................................................................................................... 73
3.4.1 Rate Limiting ........................................................................................................................................ 74
3.4.2 Fingerprint Learning ............................................................................................................................. 74
3.4.3 Commands ............................................................................................................................................ 76
3.5 DNS Flood Attack and Defense ..................................................................................................................... 77
3.5.1 Attack Mechanism ................................................................................................................................ 78
3.5.2 Defense Measure ................................................................................................................................... 78
3.5.3 Commands ............................................................................................................................................ 81
3.6 HTTP Flood Attack and Defense ................................................................................................................... 81
3.6.1 Attack Mechanism ................................................................................................................................ 81
3.6.2 Defense Measure ................................................................................................................................... 82
3.6.3 Commands ............................................................................................................................................ 85
4 NAT................................................................................................................................................ 87
4.1 Source NAT .................................................................................................................................................... 87
4.1.1 Source NAT Mechanism ....................................................................................................................... 87
4.1.2 NAT No-PAT ......................................................................................................................................... 89
2
Learn Firewalls with Dr. WoW
4.1.3 NAPT .................................................................................................................................................... 92
4.1.4 Egress Interface Address Mode (Easy-IP) ............................................................................................ 93
4.1.5 Smart NAT ............................................................................................................................................ 94
4.1.6 Triplet NAT ........................................................................................................................................... 96
4.1.7 Source NAT in Multi-Egress Scenario ................................................................................................ 100
4.1.8 Summary ............................................................................................................................................. 102
4.1.9 Further Reading .................................................................................................................................. 103
4.2 NAT Server................................................................................................................................................... 104
4.2.1 NAT Server Mechanism ...................................................................................................................... 104
4.2.2 NAT Server in Multi-Egress Scenario ................................................................................................. 107
4.3 Bidirectional NAT ........................................................................................................................................ 113
4.3.1 NAT Inbound + NAT Server ............................................................................................................... 113
4.3.2 Intrazone NAT + NAT Server.............................................................................................................. 116
4.4 NAT ALG ..................................................................................................................................................... 119
4.4.1 FTP Packets Traversing NAT Devices ................................................................................................ 119
4.4.2 QQ/MSN/User-defined Protocol Packets Traversing NAT Devices ................................................... 123
4.4.3 One Command Controlling Two Functions ........................................................................................ 123
4.4.4 Differences Between ASPF for User-defined Protocols and Triplet NAT ........................................... 124
4.5 Function of Blackhole Routes in NAT Scenarios ......................................................................................... 126
4.5.1 Blackhole Route in a Source NAT Scenario ....................................................................................... 126
4.5.2 Blackhole Route in a NAT Server Scenario ........................................................................................ 131
4.5.3 Summary ............................................................................................................................................. 133
5 GRE&L2TP VPN ....................................................................................................................... 135
5.1 Introduction to VPN Technology ................................................................................................................. 135
5.1.1 VPN Classification .............................................................................................................................. 135
5.1.2 Key VPN Technologies ....................................................................................................................... 138
5.1.3 Summary ............................................................................................................................................. 140
5.2 GRE.............................................................................................................................................................. 141
5.2.1 GRE Encapsulation/Decapsulation ..................................................................................................... 142
5.2.2 Configuring Basic GRE Parameters .................................................................................................... 145
5.2.3 Configuring GRE Security Mechanisms ............................................................................................. 147
5.2.4 Approach to Security Policy Configuration ........................................................................................ 150
5.3 The Birth and Evolution of L2TP VPNs ...................................................................................................... 153
5.4 L2TP Client-initiated VPNs ......................................................................................................................... 154
5.4.1 Step 1: Setting Up an L2TP Tunnel (Control Connection)—Three Pieces of Information Enter the
Wormhole ..................................................................................................................................................... 156
5.4.2 Step 2: Establishing an L2TP Session—Three Pieces of Information to Awaken the Wormhole
Gateguard ..................................................................................................................................................... 157
5.4.3 Step 3: Creating a PPP Connection—Identity Authentication and Issuance of the "Special Pass" ..... 158
5.4.4 Step 4: Data Encapsulation Transmission— Passing Through the Wormhole to Visit Earth .............. 161
5.4.5 Approach to Security Policy Configuration ........................................................................................ 163
5.5 L2TP NAS-initiated VPNs ........................................................................................................................... 166
3
Learn Firewalls with Dr. WoW
5.5.1 Step 1: Establishing a PPPoE Connection—The Dialing Interface Dials the VT Interface ................ 168
5.5.2 Step 2: Establishing the L2TP Tunnel— Three Pieces of Information to Negotiate Entrance to the
Wormhole ..................................................................................................................................................... 169
5.5.3 Step 3 Establishing an L2TP Session—Three Pieces of Information to Awaken the Wormhole
Gatekeeper ................................................................................................................................................... 171
5.5.4 Steps 4-5: LNS Authentication and IP Address Assignment—the LNS Sternly Accepts the LAC ..... 171
5.5.5 Step 6: Data Encapsulation Transmission— Obstacle-Free Communication ..................................... 173
5.5.6 Approach to Security Policy Configuration ........................................................................................ 174
5.6 L2TP LAC-Auto-initiated VPNs .................................................................................................................. 178
5.6.1 LAC-Auto-initiated VPN Principles and Configuration ..................................................................... 178
5.6.2 Approach to Security Policy Configuration ........................................................................................ 182
5.7 Summary ...................................................................................................................................................... 185
6 IPSec VPN................................................................................................................................... 187
6.1 IPSec Overview ............................................................................................................................................ 187
6.1.1 Encryption and Authentication ............................................................................................................ 187
6.1.2 Security Encapsulation ........................................................................................................................ 190
6.1.3 Security Associations .......................................................................................................................... 191
6.2 Manual IPSec VPNs ..................................................................................................................................... 192
6.3 IKE and ISAKMP ........................................................................................................................................ 196
6.4 IKEv1 ........................................................................................................................................................... 197
6.4.1 Configuring IKE/IPSec VPNs............................................................................................................. 197
6.4.2 Phase 1: Establishing IKE SA (Main Mode) ....................................................................................... 200
6.4.3 Phase 2: Establishing IPSec SA .......................................................................................................... 204
6.4.4 Phase 1: Establishing IKE SA (Aggressive Mode) ............................................................................. 206
6.5 IKEv2 ........................................................................................................................................................... 207
6.5.1 IKEv2 Overview ................................................................................................................................. 207
6.5.2 IKEv2 Negotiation Process ................................................................................................................. 209
6.6 Summary of IKE/IPSec ................................................................................................................................ 212
6.6.1 IKEv1 V.S. IKEv2 ............................................................................................................................... 212
6.6.2 IPSec Protocol Profiles ....................................................................................................................... 213
6.7 Template IPSec ............................................................................................................................................. 214
6.7.1 Point-to-Multi-Point Networking Applications ................................................................................... 215
6.7.2 Customized Pre-Shared Keys (USG9500-Series Firewall Only) ........................................................ 219
6.7.3 Designated Peer Domain Name Usage ............................................................................................... 220
6.7.4 Summary ............................................................................................................................................. 221
6.8 NAT Traversal .............................................................................................................................................. 222
6.8.1 Overview of NAT Traversal Scenarios ................................................................................................ 222
6.8.2 IKEv1 NAT Traversal Negotiation (Main Mode) ............................................................................... 227
6.8.3 IKEv2 NAT Traversal Negotiation ...................................................................................................... 228
6.8.4 IPSec and NAT for a Single Firewall .................................................................................................. 230
6.9 Digital Certificate Authentication ................................................................................................................ 231
6.9.1 Public Key Cryptology and PKI Profiles ............................................................................................ 232
4
Learn Firewalls with Dr. WoW
6.9.2 Certificate Applications....................................................................................................................... 233
6.9.3 Digital Certificate Identity Authentication .......................................................................................... 237
6.10 Security Policy Configuration Roadmap .................................................................................................... 239
6.10.1 IKE/IPSec VPN Scenarios ................................................................................................................ 239
6.10.2 IKE/IPSec VPN+NAT Traversal Scenarios ...................................................................................... 242
7 SSL VPN ..................................................................................................................................... 246
7.1 SSL VPN Mechanisms ................................................................................................................................. 246
7.1.1 Advantages of SSL VPN ..................................................................................................................... 246
7.1.2 SSL VPN Use Scenarios ..................................................................................................................... 247
7.1.3 SSL Protocol Operating Mechanisms ................................................................................................. 248
7.1.4 User Identity Authentication ............................................................................................................... 255
7.2 File Sharing .................................................................................................................................................. 258
7.2.1 File Sharing Use Scenarios ................................................................................................................. 258
7.2.2 Configuring File Sharing .................................................................................................................... 260
7.2.3 Interaction Between the Remote User and the Firewall ...................................................................... 260
7.2.4 Interaction of the Firewall with the File Server .................................................................................. 265
7.3 Web Proxy .................................................................................................................................................... 267
7.3.1 Configuring Web Proxy Resources ..................................................................................................... 267
7.3.2 Rewriting URL addresses.................................................................................................................... 269
7.3.3 Rewriting Resource Paths in URLs..................................................................................................... 271
7.3.4 Rewriting Files Contained in URLs .................................................................................................... 272
7.4 Port Forwarding ........................................................................................................................................... 273
7.4.1 Configuring Port Forwarding .............................................................................................................. 273
7.4.2 Preparatory Stage ................................................................................................................................ 275
7.4.3 Telnet Connection Establishment Stage .............................................................................................. 276
7.4.4 Data Communication Stage ................................................................................................................ 279
7.5 Network Extension ....................................................................................................................................... 280
7.5.1 Network Extension Use Scenarios ...................................................................................................... 280
7.5.2 Network Extension Process ................................................................................................................ 281
7.5.3 Reliable Transport Mode and Fast Transport Mode ............................................................................ 283
7.5.4 Configuring Network Extension ......................................................................................................... 285
7.5.5 Login Process ...................................................................................................................................... 288
7.6 Configuring Role Authorization ................................................................................................................... 290
7.7 Configuring Security Policies ...................................................................................................................... 292
7.7.1 Configuring Security Policies for Web Proxy/File Sharing/Port Forwarding Scenarios ..................... 292
7.7.2 Configuring a Security Policy in a Network Extension Scenario ....................................................... 294
7.8 Integrated Use of the Four Major SSL VPN Functions ................................................................................ 299
8 Hot Standby ............................................................................................................................... 304
8.1 Hot Standby Overview ................................................................................................................................. 304
8.1.1 Dual Device Deployment Improving Network Availability ................................................................ 304
8.1.2 Only Routing Failover Needs to Be Considered in Dual Router Deployments .................................. 305
5
Learn Firewalls with Dr. WoW
8.1.3 Session Failover Also Needs to Be Considered in Dual Firewall Deployments ................................. 308
8.1.4 Hot Standby Resolving the Problem with Firewall Session Failover ................................................. 309
8.1.5 Summary ............................................................................................................................................. 311
8.2 The Story of VRRP and VGMP ................................................................................................................... 311
8.2.1 VRRP Overview.................................................................................................................................. 311
8.2.2 VRRP Working Mechanisms .............................................................................................................. 314
8.2.3 Issues Created by Multiple, Independent VRRP States ...................................................................... 320
8.2.4 The Creation of VGMP Solves VRRPs' Problems .............................................................................. 321
8.2.5 VGMP Packet Structure ...................................................................................................................... 323
8.2.6 Firewall VGMP Groups' Default States .............................................................................................. 325
8.2.7 The Process of State Formation for Active/Standby Failover Hot Standby ........................................ 326
8.2.8 State Switching Process Following a Primary Device Interface Failure ............................................. 331
8.2.9 State Switching Process After a Failure of the Entire Primary Device ............................................... 334
8.2.10 Process of State Switching After a Failure on the Original Primary Device is Fixed (Preemption) . 334
8.2.11 Process of State Formation in Load Sharing Hot Standby ................................................................ 337
8.2.12 State Switching Process in Load Sharing Hot Standby ..................................................................... 340
8.2.13 Summary ........................................................................................................................................... 342
8.2.14 Addendum: VGMP State Machine .................................................................................................... 342
8.3 Explanation of VGMP Techniques ............................................................................................................... 344
8.3.1 VGMP Technique For Firewall-Router Connections .......................................................................... 344
8.3.2 VGMP Technique When Firewalls Transparently Access and Connect to Switches .......................... 348
8.3.3 VGMP Technique When Firewalls Transparently Access and Connect to Routers ............................ 350
8.3.4 VGMP Groups' Remote Interface Monitoring Techniques ................................................................. 352
8.3.5 Summary ............................................................................................................................................. 354
8.4 Explanation of the HRP Protocol ................................................................................................................. 356
8.4.1 HRP Overview .................................................................................................................................... 356
8.4.2 HRP Packet Structure and Implementation Mechanisms .................................................................... 359
8.4.3 HRP Backup Methods ......................................................................................................................... 361
8.4.4 Configurations and State Information that HRP Can Back Up ........................................................... 364
8.4.5 Heartbeat Interface and Heartbeat Link Detection Packets ................................................................. 364
8.4.6 HRP Consistency Check Packets' Role and Mechanism ..................................................................... 366
8.5 Hot Standby Configuration Guide ................................................................................................................ 367
8.5.1 Configuration Process ......................................................................................................................... 368
8.5.2 Configuration Check and Result Verification ..................................................................................... 372
9 Multi-homing ............................................................................................................................. 376
9.1 Multi-homing Overview ............................................................................................................................... 376
9.1.1 Shortest Path Routing.......................................................................................................................... 376
9.1.2 Policy-based Routing .......................................................................................................................... 377
9.2 Shortest Path Routing ................................................................................................................................... 378
9.2.1 Default Routing vs. Specific Routing ................................................................................................. 378
9.2.2 ISP Routing ......................................................................................................................................... 382
6
Learn Firewalls with Dr. WoW
9.3 Policy-based Routing ................................................................................................................................... 385
9.3.1 Policy-based Routing Concepts .......................................................................................................... 386
9.3.2 Destination IP Address-based Policy-based Routing .......................................................................... 387
9.3.3 Source IP Address-based Policy-based Routing.................................................................................. 389
9.3.4 Application-based Policy-based Routing ............................................................................................ 391
9.3.5 Policy-based Routing In Out-of-path Networks .................................................................................. 393
10 Firewall Deployment on Campus Network ....................................................................... 399
10.1 Networking Requirements .......................................................................................................................... 399
10.2 Network Planning ....................................................................................................................................... 400
10.2.1 Multi-ISP Routes Planning................................................................................................................ 400
10.2.2 Security Planning .............................................................................................................................. 401
10.2.3 NAT Planning .................................................................................................................................... 402
10.2.4 Bandwidth Management Planning .................................................................................................... 402
10.2.5 Network Management Planning ........................................................................................................ 402
10.3 Configuration Procedure ............................................................................................................................ 403
10.4 Highlights ................................................................................................................................................... 412
11 Firewall Deployment on Media Company Network ....................................................... 414
11.1 Networking Requirements .......................................................................................................................... 414
11.2 Network Planning ....................................................................................................................................... 416
11.2.1 Hot Standby Planning ....................................................................................................................... 416
11.2.2 Multi-ISP Routing Planning .............................................................................................................. 416
11.2.3 Bandwidth Management Planning .................................................................................................... 417
11.2.4 Security Planning .............................................................................................................................. 417
11.2.5 NAT Planning .................................................................................................................................... 418
11.2.6 Intranet Server Planning .................................................................................................................... 419
11.2.7 Log Planning ..................................................................................................................................... 419
11.3 Configuration Procedure ............................................................................................................................ 419
11.4 Highlights ................................................................................................................................................... 431
12 Firewall Deployment on Stadium Network ...................................................................... 432
12.1 Networking Requirements .......................................................................................................................... 432
12.2 Network Planning (For Egress Firewall) .................................................................................................... 434
12.2.1 BGP Planning .................................................................................................................................... 434
12.2.2 OSPF Planning .................................................................................................................................. 434
12.2.3 Hot Standby Planning ....................................................................................................................... 434
12.2.4 Security Function Planning ............................................................................................................... 435
12.2.5 NAT Planning .................................................................................................................................... 435
12.2.6 Planning for Inconsistent Forward and Return Paths ........................................................................ 436
12.3 Network Planning (For Data Center Firewall) ........................................................................................... 437
12.3.1 Hot Standby Planning ....................................................................................................................... 437
12.3.2 Security Function Planning ............................................................................................................... 437
7
Learn Firewalls with Dr. WoW
12.4 Configuration Procedure (For Egress Firewall) ......................................................................................... 437
12.5 Configuration Procedure (For Data Center Firewall) ................................................................................. 443
12.6 Highlights ................................................................................................................................................... 446
13 Firewalls On the VPN Connecting Corporate Branches and Headquarters................ 447
13.1 Networking Requirements .......................................................................................................................... 447
13.2 Network Planning ....................................................................................................................................... 449
13.2.1 Interface Planning ............................................................................................................................. 449
13.2.2 Security Policy Planning ................................................................................................................... 449
13.2.3 IPSec Planning .................................................................................................................................. 449
13.2.4 NAT Planning .................................................................................................................................... 449
13.2.5 Routing Planning .............................................................................................................................. 450
13.3 Configuration Procedure ............................................................................................................................ 450
13.4 Highlights ................................................................................................................................................... 458
8
Learn Firewalls with Dr. WoW
1
Basics
1.1 What Are Firewalls?
In September 2013, Huawei released its USG6600 Next Generation Firewall (NGFW) at the
first Huawei Enterprise Networking Conference, marking the beginning of a new stage of
development for Huawei’s firewalls.
Following this, in December 2013, Huawei’s NGFW made Huawei the only Chinese vendor
mentioned in Forrester Research’s newest report on network segmentation gateways. This
firewall’s comprehensive functional support and reliable quality guarantees have earned it an
exceptionally high satisfaction rating of over 95%, as well as excellent reviews.
Thirteen years ago, in 2001, Huawei released its first plug-in firewall card. Time flies, and
over these past 13 years, the Internet has developed at a speed that could not have been
predicted. Huawei’s firewalls have weathered many storms during these formative years, all
the while gradually maturing and growing, a process that continues today.
There are likely more readers familiar with network switches and routers than with firewalls.
As a first line defense in cyber security, firewalls play an important role, and the time has
come to learn a bit more about this faithful protector of cyber security.
My name is Dr. WoW. I’ve worked my way up through the ranks at Huawei, and today I’m a
member of Huawei’s Firewall R&D team. In this chapter I’ll combine Huawei’s firewall and
security products together to explain firewalls’ developmental history and their key
technologies to everyone. I’ll also go over the implementation principles behind firewall’s
security features, as well as the methods for their configuration. I hope that through my
explanation, all of you network engineers will gain a firm understanding of firewalls.
I’ll begin with a discussion of the word "firewall". Walls had their beginnings as defensive
structures, and since ancient times have given people a feeling of safety. A firewall is true to
its name—firewalls prevent fires. The word was used originally in construction/architecture,
and these original firewalls stopped fires from spreading from one area to another by isolating
them.
As used in the telecommunications field, firewalls also came to embody this one feature: a
firewall is a specific kind of network equipment generally used to separate two networks from
one another. Of course, this kind of separation is highly ‘smart’; firewalls stop "fires" from
spreading, but guarantee that "people" can still pass through. "Fire" here refers to various
kinds of attacks on networks, while "people" refers to normal communication packets.
With this in mind, and to give a definition that suits firewalls’ position in the telecom world, a
firewall is primarily used to protect a network from attacks and intrusion from other networks.
1
Learn Firewalls with Dr. WoW
Because of their abilities to isolate and protect, firewalls are flexibly positioned on network
perimeters, used for network segmentation, and others. For example, they can be used on
enterprise network egresses, or to segment internal subnets in large networks, or on data
center perimeters, as shown in Figure 1-1.
Figure 1-1 Schematic of firewall deployment scenarios
From the above introduction we can see that firewalls, routers, and network switches are
different from one another. Routers are used to connect different networks, and use routing
protocols to guarantee interconnectedness and ensure that packets are sent to their intended
destinations. Network switches are generally used to set up local area networks (LANs), and
are important hubs for LAN communication, quickly forwarding packets through
Layer-2/Layer-3 switching. Firewalls are primarily deployed to network perimeters, exert
control over access into and out of the network, and their core feature is security protection.
Routers and network switches are based in forwarding, while firewalls are based in control,
as shown in Figure 1-2.
Figure 1-2 Comparison of firewalls, network switches, and routers
2
Learn Firewalls with Dr. WoW
There is an ongoing trend of low and mid-end routers and firewalls being combined together.
This is largely because the two are similar in form and functionality. Huawei has released a
line of this kind of low and mid-end equipment (for example the USG2000/5000 firewall
series) which possess both routing and security functions—these are truly "all in one"
products.
Now that we’ve learned about the basic concepts behind firewalls, the next order of business
is for me to take everyone down the road of firewalls’ evolution.
1.2 Development of Firewalls
In the last section I introduced the basics about firewalls. In this section I will talk with all of
you about the past, present, and future of firewalls. I ask that everyone come along with me,
Dr. WoW, on a trip through the developmental history of firewalls, after which we’ll climb
into our time machine to catch a glimpse of their bright future.
Just as with mankind’s evolution, firewalls have transitioned from being simple ‘life forms’
(simple functionality) to advanced ‘life forms’ (complex functionality) over the course of their
evolutionary history, as shown in Figure 1-3. During this process, the development and
evolution of firewalls have been spurred forward by the fast development of network
technology and continuous new demand.
Figure 1-3 Firewalls’ developmental history
The earliest firewalls can be traced back to the end of the 1980s, meaning that firewalls have
already been around for more than 20 years. Over these 20+ years, their developmental
process can roughly be broken down into three stages.
3
Learn Firewalls with Dr. WoW
1.2.1 Stage One: 1989–1994
The major events during this stage of firewalls’ development include:
1989 saw the birth of packet filtering firewalls, which achieved simple control over
access. We call these 1st generation firewalls.
Following this came proxy firewalls, which act as application layer proxies for
communication between internal and external networks—these are the 2nd generation
firewalls. Proxy firewalls are fairly secure, but have slow processing speeds. Moreover,
developing a corresponding proxy service for every application is very difficult to
achieve, and therefore these can only provide proxy support for a small number of
applications.
In 1994, the Checkpoint Company released the first firewall based in stateful inspection
technology. Stateful inspection uses dynamic analysis of the state of a packet to
determine the action it should take towards the packet, and does not require proxy
services for every application. These firewalls also have fast processing times, and
provide a high level of security. Stateful inspection firewalls have been called 3rd
generation firewalls.
NOTE
CheckPoint is an Israeli security company, and released the first stateful inspection technology-based
firewall intended for commercial use.
1.2.2 Stage Two: 1995–2004
The major events during this stage of firewalls’ development include:
Stateful inspection firewalls became mainstream. In addition to offering functions for
controlling access, firewalls also began to incorporate other functions, such as virtual
private networks (VPNs).
Meanwhile, specialized equipment also began to appear in embryonic form. One
example of this was Web application firewall (WAF) equipment specially designed to
protect the security of Web servers.
In 2004, the united threat management (UTM) theory was first introduced in the industry.
This combined traditional firewalls, intrusion detection, antivirus functions, URL
filtering, application control, email filtering, and other functions into one firewall, thus
achieving comprehensive security protection.
1.2.3 Stage Three: 2005–Present
The major events during this stage of firewalls’ development include:
After 2004, the UTM market developed quickly, and numerous UTM products sprung
onto the scene. However, new problems also appeared. First among these was that the
degree to which application layer information could be inspected was limited. For
example, if a firewall allowed "men" to pass through, but refused to pass "women"
through, should it allow an alien named Professor Du to pass through? Such scenarios
require even more advanced inspection measures, and this has resulted in the wide use of
deep packet inspection (DPI) technology. A second issue is that of performance: with
multiple security functions operating at the same time, UTM equipment’s processing
performance was significantly lower than other models.
In 2008, Palo Alto Networks released the Next-Generation Firewall (NGFW), which
resolved these issues of performance degradation that occurred when multiple functions
4
Learn Firewalls with Dr. WoW
are running at the same time. NGFWs also allow for management/control of users,
applications, and content.
In 2009, Gartner defined Next Generation Firewalls, clarifying the functions and features
that such firewalls should possess. Following this, each security solutions company
released its own NGFW, marking the beginning of a new era for firewalls.
NOTE
Palo Alto Networks is an American security products vendor. It was the first to release the Next
Generation Firewall, and is thus the trailbreaker for NGFWs.
Gartner is a renowned IT research & consulting company, and is the developer of the world famous
Magic Quadrant. In 2013, Huawei became the first Chinese company to enter the Gartner firewall and
UTM Magic Quadrant, ample evidence of Huawei’s abilities in developing security products.
1.2.4 Summary
Below are three of the main messages to be learned from firewalls’ developmental history:
The first is that firewalls have attained increasingly accurate control over access. The
transition from simple access control in the earliest stages of firewall development, to
session-based access control, and then again to NGFW’s user, application and
content-based access control, has all been to bring about more effective and accurate
control.
The second is that firewalls’ protective capabilities have grown ever stronger. In the
initial stages of their development, the function of firewalls was to separate/segment.
Intrusion detection functions were then gradually added, as were functions such as
antivirus capabilities, URL filtering, application control, and email filtering. Therefore,
protective measures have increased, and the scope of firewalls’ protection has become
broader.
Third is that firewall processing performance has become better with time. The explosion
in network traffic has placed increasingly high demands on firewall performance.
Vendors have continued to improve and optimize both the hardware and software
framework of their firewalls, bringing about continued improvement in firewall
processing performance.
NGFWs do not signal the ‘end of history’ for firewalls. Networks are changing all the time,
and new technologies and demands will continue to arise. Therefore, it may not be many
years before firewalls become even more advanced and smart, and even easier to manage and
configure—this is something worth looking forward to.
1.3 Huawei’s Firewall Products at a Glance
In the last section, I explained the history of firewall development. Firewall functionality has
become increasingly robust, and performance increasingly higher, throughout 20+ years of
development and evolution. Huawei’s firewalls have likewise run the course of beginning
from scratch and becoming stronger through gradual improvements. Over these past 10+
years, Huawei has used bold innovation and continuous breakthroughs to keep its firewalls in
the industry vanguard, achieving milestone after milestone, as shown in Figure 1-4.
5
Learn Firewalls with Dr. WoW
Figure 1-4 Timeline of Huawei’s firewall development
I will now go into further detail about Huawei’s firewall products by leading you on a tour of
the entire line of Huawei’s firewalls, with a focus on our star products. Hearing (or in this case
reading) is nothing, but seeing is everything, so let’s first take a look at the whole family of
Huawei firewalls, shown in Figure 1-5.
Figure 1-5 Huawei’s firewalls
Huawei has four main lines of firewall products—the USG2000, USG5000, USG6000, and
USG9000 series. These series cover low-end, mid-end, and high-end equipment, with broad
functionality and models to suit any need, and are thus more than able to satisfy the demands
of any network scenario.
Of these, the USG2000 and USG5000 series are UTM products, the USG6000 series are
NGFW products, and the USG9000 series are high-end firewall products. Next, I will pick a
few representative firewall products to introduce to you.
6
Learn Firewalls with Dr. WoW
1.3.1 USG2110 Product Introduction
First for us to look at today is the small USG2110, shown in Figure 1-6. It might look small,
but it has strong functionality.
Figure 1-6 USG2110 external view
The USG2110 combines firewall, UTM, VPN, routing, wireless (WiFi/3G) and other
functions into one box. It is ‘plug and play’, easy to configure, and is a network set-up and
connection solution that provides security, flexibility and convenience to clients.
The USG2110 has excellent quality and is inexpensive. It not only allows customers to save
on their investment costs, but effectively reduces operation and maintenance costs, and thus is
a must-have ‘genie’ for small and medium business, franchises, and SOHO enterprises.
1.3.2 USG6600 Product Introduction
Next is the popular product USG6600, shown in Figure 1-7. A part of the USG6000 product
series, the USG6600 is one of Huawei’s products designed to face the next generation of
network scenarios: this firewall provides next generation security services based in
application layer threat protection, allowing network managers to exercise complete control
over the network, and improving oversight, management, and ease of use.
Figure 1-7 USG6600 external view
It’s not an exaggeration to say that the USG6600 is extremely popular. The firewall earned
placement on the IT CIO Excellence in Product Trustworthiness ranking, an IT 168 Annual
Award for Technical Excellence, and several first place finishes in China Network World’s
NGFW horizontal evaluations. The USG6600 has also won attention and praise in every area
following its release, further proving its popularity.
USG6600’s stand-out features are endless: it has the most accurate application access control,
recognizes over 6000 applications, has multiple kinds of user identification technologies, and
also offers comprehensive unknown threat protection, the simplest security management, and
the best total service performance experience…the list just goes on and on!
7
Learn Firewalls with Dr. WoW
1.3.3 USG9500 Product Introduction
The last products to be introduced today are the large USG9500s. These ‘smart giants with big
hearts’ belong to the USG9000 series, and are shown in Figure 1-8. As the industry’s first
Terabit data center firewalls, the USG9500s have successfully passed industry authority and
security assessment organization NSS’s (USA) third party laboratory testing, and have been
deemed to be the industry’s fastest firewall!
Figure 1-8 USG9500 external views
The USG9500s' use of distributed software design and integration of multiple industry leading
security technologies has led to their wide deployment in organizations/industries including
large data centers and enterprises, education, government, and broadcasting.
Having the strength of Hercules, or the charm of Aphrodite, is all well and good, but speed is
what truly makes the world go round. High speed networks are the cornerstone for the cloud
computing era, and the USG9500 series offers Huawei’s highest-end firewall products.
Created to carry the weight of the cloud computing world, and sturdy and ready for any
challenge, these products are capable of easily handling an enormous volume of access
requests and data traffic.
Through the above introductions, I’ve led everyone in getting to know several of Huawei’s
firewall products. With your appetite now whetted, I’m sure you’d like to see even more of
Huawei’s outstanding products, wouldn’t you? In addition to the aforementioned products,
Huawei also has many more firewalls. If you’d like to learn more about Huawei’s firewall
products, please visit Huawei’s enterprise business website, where I trust you’ll be able to find
the information you’re looking for.
1.4 Security Zones
Thus far, we’ve examined the concepts behind firewalls as well as their developmental history,
and I’ve also just introduced Huawei’s firewall products; I trust that everyone now has an
8
Learn Firewalls with Dr. WoW
elementary understanding of firewalls. Beginning with this section, I’ll detail firewall
technologies and continue to explore the amazing world of firewalls.
1.4.1 Relationships Between Interfaces, Networks and Security
Zones
As we mentioned in section "What Are Firewalls?", firewalls are primarily deployed on
network perimeters to help separate/segment them. The question then arises, how can
firewalls recognize different networks?
To help answer this question, we’ve incorporated a very important concept for use with
firewalls: the security zone, or ‘zone’ for short. A security zone is a combination of one or
many interfaces. Firewalls use security zones to separate/segment networks, thus marking the
"route" that packets can flow. Generally speaking, packets are only controlled when passing
between two different security zones.
NOTE
Under default settings, packets are controlled when passing between different security zones, but are not
controlled when they flow within a single security zone. However, Huawei’s firewalls also support
control over packets flowing within the same security zone. The control mentioned here is implemented
by "rules", also called "security policies", and we will introduce the specifics of these in Chapter 2
"Security Policies."
We all know that firewalls connect networks through interfaces; after interfaces are assigned
to security zones, these interfaces can connect security zones to the network. Generally
speaking, referring to any one security zone is the same as referring to the network connected
to by the security zone’s interface. The relationships between interfaces, networks and
security zones are shown in Figure 1-9.
CAUTION
On Huawei’s firewalls, any one interface can only be added to one security zone.
9
Learn Firewalls with Dr. WoW
Figure 1-9 Relationships between interfaces, networks and security zones
Security
zone
Network
Port
Firewall
By assigning interfaces to different security zones, we can create different networks on a
firewall. As shown in Figure 1-10, we’ve assigned Interface 1 and Interface 2 to Security
Zone A, Interface 3 to Security Zone B, and Interface 4 to Security Zone C. In this way there
are three security zones on the firewall, and three corresponding networks.
Figure 1-10 Assigning interfaces to security zones
Security
zone B
3
Security
zone A
1
4
Security
zone C
2
Firewall
Huawei’s default setting for its firewalls is to provide three security zones. These are the Trust,
DMZ and Untrust security zones. From these names alone it is apparent that these three
security zones are rich in meaning, and I’ll delve deeper into this below.
The Trust Zone—the trustworthiness of this zone’s network is very high, and this is
generally used to define the network on which internal users are located.
The DMZ Zone—the trustworthiness of this zone’s network is at an intermediate level,
and this is generally used to define the network on which internal servers are located.
10
Learn Firewalls with Dr. WoW
The Untrust Zone—this zone represents untrustworthy networks, and is generally
defined as being the Internet and other unsafe networks.
NOTE
The demilitarized zone (DMZ) is a military term used to describe territory administered in a way that is
‘looser’ than the strict administration of districts under military control, but stricter than loosely
administered public spaces. This term has been incorporated into firewall terminology to describe a
security zone with a degree of trustworthiness intermediate to those of internal and external networks.
In scenarios where network traffic is relatively light and the network environment is simple,
using the provided default security zones is enough to satisfy network segmentation needs. In
Figure 1-11, Interface 1 and Interface 2 are connecting to internal users, and so we can assign
these two interfaces to the Trust Zone; Interface 3 is connecting to internal servers, and so it
can be assigned to the DMZ zone; Interface 4 is connecting to the Internet, and it can be
assigned to the Untrust Zone. Of course, for network settings with more data traffic, we can
create new security zones based upon need.
Figure 1-11 Assigning interfaces to default security zones
Internal
server
DMZ
3
Trust
1
Intranet
2
4
Untrust
Internet
Firewall
Therefore, we can describe the route taken by packets through the firewall when users from
different networks communicate with one another. For example, when users in internal
networks access the Internet, the ‘route’ for packets through the firewall is from the Trust
Zone to the Untrust Zone; when Internet users access internal servers, the route of packets
through the firewall is from the Untrust Zone to the DMZ Zone.
In addition to packets passing between different networks, there are also packets sent from
networks to the firewall itself (for example when we log into the firewall to configure it), as
well as packets sent out by the firewall. How can the routes taken by these packets be
identified on the firewall?
As shown in Figure 1-12, a Local Zone is provided on the firewall—this represents the
firewall itself. Any locally-generated packets from the firewall can be deemed to have been
sent from the Local Zone; any packets that need a response and handling (not including
forwarding) from/by the firewall can be deemed to have been destined to the Local Zone.
11
Learn Firewalls with Dr. WoW
Figure 1-12 Local security zone
DMZ
3
1
Trust
Local
4
Untrust
2
Firewall
I’ll also add one reminder about the Local Zone: the Local Zone cannot add any interfaces,
but all of the firewall’s interfaces are hidden in the Local Zone. This is to say that when
packets pass through an interface towards a network, their destination security zone is the
security zone in which the interface is located, but when packets pass through an interface to
the firewall itself, their destination security zone is simply the Local Zone. This allows all
equipment/devices under an interface to be able to access the firewall itself. This also makes
the Local Zone’s relationship to the other security zones more explicit, thus killing two birds
with one stone.
1.4.2 Direction of Packet Flow Between Security Zones
As I explained above, different networks have different levels of trustworthiness. After using
security zones to define networks on firewalls, how can we deduce the trustworthiness of a
security zone? On Huawei’s firewalls, every security zone must have its own unique security
level from 1-100; the larger the number, the higher the trustworthiness of the zone’s network.
For default security zones, the security rating is fixed. The Local Zone’s security level is 100,
the Trust Zone’s security level is 85, the DMZ’s security level is 50, and the Untrust Zone’s
security level is 5.
Setting security levels separates security zones by rank. When packets pass between two
security zones, our rule is that when packets pass from low-level security zones to
high-level security zones, the packet’s direction is considered to be Inbound; when
packets pass from high-level security zones to low-level security zones the packet’s
direction is considered to be Outbound. Figure 1-13 details the directions for packets
passing between the Local Zone, the Trust Zone, the DMZ Zone, and/or the Untrust Zone.
12
Learn Firewalls with Dr. WoW
Figure 1-13 Direction of packets passing between security zones
Outbound
Outbound
DMZ
50
Inbound
Inbound
Trust
85
Inbound
Outbound
Inbound
Inbound
Local
100
Outbound
Outbound
Untrust
5
Firewall
Inbound
Outbound
By configuring security levels, each security zone on the firewall has an explicit, tiered
relationship with one another. Different security zones represent different networks, and the
firewall serves as the node that connects all the networks together. With this architecture as a
foundation, the firewall can manage and control packets passing between each network.
How do firewalls determine which two security zones a packet is passing between? First, the
source security zone can be easily determined, as the security zone for whichever interface the
firewall receives a packet from is the source security zone for the packet.
There are two different scenarios to consider when determining the destination security zone.
In Layer 3 mode, the firewall determines which interface a packet will be sent out from by
checking against the routing table—this interface’s security zone is the destination security
zone for the packet. In Layer 2 mode, the firewall checks the MAC address table to determine
which interface the packet will be sent out from—this interface’s security zone is the
destination security zone for the packet. After the source security zone and the destination
security zone are determined, the two security zones a packet is flowing between can be
ascertained.
There is also another scenario. This involves VPN settings in which the packet a firewall
receives is an encapsulated packet. The firewall decapsulates the packet to obtain the original
packet, and then checks a routing table to determine the destination security zone—the
security zone for whichever interface the packet will be sent out from is the destination
security zone for the packet. However, the source security zone cannot be simply determined
according to the interface that receives the packet, and so the firewall will use "reverse route
table checking " to determine the source security zone for the original packet. More
specifically, the firewall will assume that the original packet’s source address is its destination
IP address, and then use the routing table to determine which interface a packet with this
destination IP address would be sent from—this interface’s security zone is the security zone
the packet would be sent to. But as the real situation is the reverse of this, we have actually
determined the security zone from which the packet has been sent, and so the security zone
13
Learn Firewalls with Dr. WoW
found using this "reverse route table checking" method is in fact the source security zone for
the packet.
Determining a packet’s source and destination security zones is the premise for us to
accurately configure security policies, and it is vital that everyone understands the methods
for determining a packet’s source and destination security zones. We’ll also discuss this while
configuring security policies later in this manual.
1.4.3 Security Zone Configuration
Security zone configuration primarily involves creating security zones and adding interfaces
to security zones. Below is a test for creating a new security zone and then adding Interface
GE0/0/1 to this security zone (Interface GE0/0/1 can work in either Layer 3 mode or Layer 2
mode).
The configuration commands are very simple. The only thing to pay attention to is that newly
created security zones do not have security levels, and we need to configure a security level
for them before adding an interface to the security zone. Of course, as security levels are
unique, the configured security level cannot be the same as any existing security zone’s rating.
[FW] firewall zone name test
[FW-zone-test] set priority 10
[FW-zone-test] add interface GigabitEthernet 0/0/1
//creates security zone test
//sets security level to 10
//adds Interface GE0/0/1 to
security zone
All of the content we discussed above concerned adding a physical interface to a security zone.
In addition to physical interfaces, firewalls can also support logical interfaces, such as
subinterfaces, and VLANIF interfaces. When these logical interfaces are used they also need
to be added to security zones. Below, I have given examples of adding subinterfaces and
VLANIF interfaces to security zones.
As shown in Figure 1-14, PC A and PC B belong to different sub-networks, and the network
switch, which is connected to the firewall’s GE0/0/1 interface, has segmented the PC A and
PC B’s subnets using two VLANs. This kind of networking is a classic "one-armed"
environment for firewalls.
Figure 1-14 Using one firewall interface to connect multiple sub-nets
PC A
192.168.10.2/24
VLAN 10
Switch
VLAN 20
GE0/0/1
Firewall
PC B
192.168.20.2/24
In this scenario, one of the firewall’s interfaces is connecting two subnets. If we wanted to set
different security levels for these two-subnets, that is, if we needed to assign PC A and PC B
14
Learn Firewalls with Dr. WoW
to different security zones, how would we go about configuring this? As any one of a
firewall’s interfaces can only be added to one security zone, we cannot simply add Interface
GE0/0/1 to just any security zone. However, we can use subinterfaces or VLANIF interfaces
to achieve our desired result.
Let’s first take a look at how to create subinterfaces. First, we create two subinterfaces,
GE0/0/1.10 and GE0/0/1.20, under interface GE0/0/1. These correspond with VLAN 10 and
VLAN 20 respectively. Following this, these two subinterfaces are assigned to different
security zones (Interface GE0/0/1 does not need to be added to a security zone) thus achieving
the goal of assigning PC A and PC B to different security zones, as shown in Figure 1-15.
Figure 1-15 Assigning subinterfaces to security zones
PC A
192.168.10.2/24
GE0/0/1
Trust1
GE0/0/1.10
GE0/0/1.20
Trust2
PC B
192.168.20.2/24
Firewall
The specifics of configuration are as follows:
[FW] interface GigabitEthernet 0/0/1.10
[FW-GigabitEthernet0/0/1.10] vlan-type dot1q 10
[FW-GigabitEthernet0/0/1.10] ip address 192.168.10.1 24
[FW-GigabitEthernet0/0/1.10] quit
[FW] interface GigabitEthernet 0/0/1.20
[FW-GigabitEthernet0/0/1.20] vlan-type dot1q 20
[FW-GigabitEthernet0/0/1.20] ip address 192.168.20.1 24
[FW-GigabitEthernet0/0/1.20] quit
[FW] firewall zone name trust1
[FW-zone-trust1] set priority 10
[FW-zone-trust1] add interface GigabitEthernet 0/0/1.10
[FW-zone-trust1] quit
[FW] firewall zone name trust2
[FW-zone-trust2] set priority 20
[FW-zone-trust2] add interface GigabitEthernet 0/0/1.20
[FW-zone-trust2] quit
Following the above configuration, PC A has been assigned to the Trust 1 security zone, and
PC B has been assigned to the Trust 2 security zone, and we can now exert control over
packets from PC A accessing PC B.
Next, we’ll look at how to set up VLANIF interfaces. While still using the network
organization from Figure 1-14, we can create two VLANs on the firewall, configure an IP
address for each of their VLANIF interfaces, and then configure Interface GE0/0/1 to work in
Layer 2 mode (transparent mode), allowing VLAN10 and VLAN20’s packets to pass through.
Assigning VLANIF10 and VLANIF20 to different security zones (without needing to add
GE0/0/1 to a security zone), achieves the goal of assigning PC A and PC B to different
security zones, as shown in Figure 1-16.
15
Learn Firewalls with Dr. WoW
Figure 1-16 Assigning VLANIF interfaces to security zones
PC A
192.168.10.2/24
GE0/0/1
Trust1
Trust2
PC B
192.168.20.2/24
VLANIF10
VLANIF20
Firewall
The specifics of configuration are as follows:
[FW] vlan 10
[FW-vlan-10] quit
[FW] interface Vlanif 10
[FW-Vlanif10] quit
[FW] vlan 20
[FW-vlan-20] quit
[FW] interface Vlanif 20
[FW-Vlanif20] quit
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] portswitch
[FW-GigabitEthernet0/0/1] port link-type trunk
[FW-GigabitEthernet0/0/1] port trunk permit vlan 10 20
[FW-GigabitEthernet0/0/1] quit
[FW] firewall zone name trust1
[FW-zone-trust1] set priority 10
[FW-zone-trust1] add interface Vlanif 10
[FW-zone-trust1] quit
[FW] firewall zone name trust2
[FW-zone-trust2] set priority 20
[FW-zone-trust2] add interface Vlanif 20
[FW-zone-trust2] quit
After completing configuration, PC A has been assigned to the Trust 1 security zone, and PC
B has been assigned to the Trust 2 security zone. Control can now be exerted over PC A
packets accessing PC B.
Above, we introduced examples of adding subinterfaces and VLANIF interfaces to security
zones. Firewalls can also support other logical interfaces besides these two, such as Tunnel
interfaces used in generic routing encapsulation (GRE), Virtual Template interfaces used in
Layer two tunneling protocols (L2TP). These logical interfaces still need to be added to
security zones, and we’ll introduce how to do this in the corresponding GRE and L2TP
chapters to follow.
Our introduction of the concepts behind security zones and their configuration is complete. I
hope that my introduction has allowed everyone to understand the use of security zones and
grasp the relationships between them, as this will provide you with a good foundation for
deepening your knowledge of firewalls in the following chapters.
16
Learn Firewalls with Dr. WoW
1.5 Stateful Inspection and Session Mechanism
As mentioned in section 1.2 "Development of Firewalls", the third generation firewall is
stateful inspection firewall. This type of firewall sets a milestone on the firewall history and
its stateful inspection and session mechanism has been used as a basic function for firewalls to
provide security defense. Now, I'm going to introduce the stateful inspection and session
mechanism.
1.5.1 Stateful Inspection
Let's start from the background of stateful inspection firewall. On a simple network setup
shown in Figure 1-17, the PC and Web server are deployed in different networks and both
directly connected to the firewall, which controls communications.
Figure 1-17 Network setup for PC-to-Web server access
Untrust
Trust
PC
192.168.0.1
Web server
172.16.0.1
Firewall
When the PC needs to access the Web server for Web pages, a rule numbered 1 listed in Table
1-1 has to be configured on the firewall to allow the packets to pass through just as a security
policy does. As this section focuses on the stateful inspection and session mechanism instead
of a security policy, a rule is used for easy understanding. Security policies will be described
in Chapter 2 "Security Policies."
Table 1-1 Rule 1 on the firewall
No.
Source IP
Address
Source
Port
Destination IP
Address
Destination
Port
Action
1
192.168.0.1
ANY
172.16.0.1
80
Permit
In this rule, ANY indicates that the source port can be any port, because it is the PC's OS that
determines the source port when the PC accesses the Web server. For the Windows OS, the
source port number can be any one in the range of 1024 to 65535. This port number is
uncertain and is therefore set to ANY.
When this rule applies, all the packets from the PC can pass the firewall and reach the Web
server. When receiving the packets, the Web server replies with packets, which will reach the
PC through the firewall as well. Before the stateful inspection firewall came up, a packet
filtering firewall has to be deployed for this function, for which another rule numbered 2 has
to be configured to allow the packets in the reverse direction to pass.
17
Learn Firewalls with Dr. WoW
Table 1-2 Rule 2 on the firewall
No.
Source IP
Address
Source
Port
Destination IP
Address
Destination
Port
Action
1
192.168.0.1
ANY
172.16.0.1
80
Permit
2
172.16.0.1
80
192.168.0.1
ANY
Permit
In rule 2, the destination port can be any port, as the PC uses an uncertain source port to
access the Web server. For the reply packets from the Web server to traverse the firewall and
reach the PC, the destination port has to be set to any in rule 2.
If the PC is running on a properly-protected network, this configuration may leave a serious
security risk. As rule 2 opens all destination ports to the PC, an attacker with malicious
attention may attack the PC under disguise of the Web server and attack packets will traverse
the firewall straightway.
Then let's see how a stateful inspection firewall solves this issue. In the preceding network
setup, rule 1 has to be applied on the firewall as well to allow the PC to access the Web server.
When the access packets reach the firewall, the firewall allows them to pass and sets up a
session for the access. This session will include information about the PC-sent packets, such
as IP addresses and ports.
When receiving the reply packets from the Web server, the firewall compares the packet
information with that included in the session. If the packet information matches and the reply
packets agree with the HTTP protocol, the firewall takes the reply packets as the subsequent
reply packets associated with the PC-to-Web server access, and allows the packets to pass.
Figure 1-18 shows the process.
NOTE
For easy understanding, this section uses an example where the PC and Web server are directly
connected to a firewall. In a real-world setup, if the PC and Web server are deployed in different
networks and directly connected to the firewall, routes have to be configured on the firewall so that the
PC and Web server are mutually reachable. In other words, a route to the PC has to be found on the
firewall even when the reply packets match the session. Only in this way can the reply packets reach the
PC as expected.
18
Learn Firewalls with Dr. WoW
Figure 1-18 Packet exchange through the stateful detection firewall
Untrust
Trust
PC
192.168.0.1
1
Web server
172.16.0.1
Firewall
PC access to Web
server
2
Session
established
3 Web server reply to PC
4
Session
matched, permit
If an attacker with malicious intentions requests the PC for access while under disguise of the
Web server, the firewall will not take the request packets as the subsequent reply packets
associated with the PC-to-Web server session, and then denies them. This design prevents
security risks associated with open ports while enabling the PC to access the Web server.
To sum up, before the stateful inspection firewall came up, a packet filtering firewall permits
or denies packets based on static rules as it takes packets as stateless and isolated ones, while
ignoring their associations. Then the packet filtering firewall requires a rule for packets in
each direction, which means low efficiency and high security risks.
The stateful inspection firewall fixes this defect. The stateful inspection firewall uses an
inspection mechanism based on connection status and takes all the packets exchanged over
the same connection between communication peers as a single date flow. For this firewall, the
packets in a data flow are associated, not isolated. A session is established for the first packet,
and the subsequent packets will be directly forwarded without any rule-by-rule inspection,
given that they match the session. This design improves the efficiency in forwarding packets.
1.5.2 Session
Then let's take a close look at "session". On a firewall, a session refers to a connection
established between communication peers. A collection of sessions form a session table. The
following example is a standard session table entry.
http VPN:public --> public 192.168.0.1:2049-->172.16.0.1:80
The key fields in the session table entry are as follows:
http: application-layer protocol
192.168.0.1: source IP address
2049: source port
19
Learn Firewalls with Dr. WoW
172.16.0.1: destination IP address
80: destination port
Then how to tell the source and destination? You need to find the "->" symbol in the entry.
The field before the symbol is the source and that after the symbol is the destination.
The five fields (source address, source port, destination address, destination port, and protocol)
are important information for a session, and they are called "5-tuple". The stateful inspection
firewall takes the packets that have the same 5-tuple as one flow and uniquely identifies a
connection by the 5-tuple.
How does the firewall generate a session table when dealing with some protocol packets that
do not include port information? For example, the ICMP protocol packets do not include port
information. Then the firewall uses the ID field in the packet header as the source port and
2048 as the destination port for the ICMP session. For other examples, the authentication
header (AH) and encapsulating security payload (ESP) protocol packets, which are used in
IPSec (to be depicted in later sections), do not include port information either. For these
packets, the firewall takes the source and destination ports as 0 for the AH and ESP sessions.
1.5.3 Verification of Stateful Inspection
Talk is cheap. Let's use an eNSP simulator to set up a simple network to verify stateful
inspection of the firewall. The network uses the same topology in Figure 1-17.
NOTE
Enterprise network simulation platform (eNSP) is a graphic network device simulation platform
provided by Huawei for free. It is capable of simulating network devices like enterprise routers, switches
and firewalls, for the purposes of verifying functions and learning network technologies without having
to use real devices. The eNSP can simulate the USG5500 firewall and supports the majority of its
security functions. As mentioned in the following sections, the eNSP will be used for verification.
Only one rule (listed in Table 1-1) is configured on the firewall to allow the PC-to-Web server
packets to pass. When the HttpClient runs on the PC to access the Web server, the access is
successful. On the firewall, run the display firewall session table command and you will find
a session in the displayed session table.
[FW] display firewall session table
Current Total Sessions : 1
http VPN:public --> public 192.168.0.1:2049-->172.16.0.1:80
The preceding information shows that the stateful inspection mechanism is functioning.
Specifically, when receiving the reply packets from the Web server, the firewall takes them as
session-matched and allows them to pass, even if a rule is absent for allowing the packets to
pass in the reverse direction.
Hopefully, my introduction helps you understand the stateful inspection and session
mechanism and I suggest that you practice using the eNSP, too.
1.6 Appendix to the Stateful Inspection and Session
Mechanism
In section 1.5 "Stateful Inspection and Session Mechanism", we've learned how stateful
inspection works and what 5-tuple means. Now, you may have the following questions:
Does a firewall session include only 5-tuple?
20
Learn Firewalls with Dr. WoW
For what protocols does the firewall establishes connections?
Does stateful inspection apply to all network environments?
In this appendix to the previous section, I will further discuss the stateful inspection and
session mechanism, introduce more about sessions, and conclude how the firewall processes
packets with stateful inspection enabled or not. Hopefully, this appendix will answer your
questions.
1.6.1 More About Sessions
Let's again start from a simple network setup as shown in Figure 1-19, where the PC and Web
server are directly connected to the firewall. The firewall interfaces connecting the PC and
Web server are added to different security zones, and a rule is applied to allow the PC to
access the Web server.
Figure 1-19 Network setup for PC-to-Web server access
Untrust
Trust
GE0/0/1
PC
192.168.0.1
GE0/0/2
Firewall
Web server
172.16.0.1
The PC is properly accessing the Web server. If you run the display firewall session table
verbose command on the firewall, you can find that the session has been established
successfully. The verbose parameter in the command displays more details about the session.
[FW] display firewall session table verbose
Current Total Sessions : 1
http VPN:public --> public
Zone: trust--> untrust TTL: 00:00:10 Left: 00:00:04
Interface: GigabitEthernet0/0/2 NextHop: 172.16.0.1 MAC: 54-89-98-fc-36-96
<--packets:4 bytes:465
-->packets:7 bytes:455
192.168.0.1:2052-->172.16.0.1:80
In addition to the 5-tuple, the command output also includes:
Zone: the direction in which packets flow between security zones. trust->untrust
indicates that packets flow from a trust zone to an untrust zone.
TTL: session aging time. When TTL expires, the session will be tore down.
Left: time left for the session to live.
Interface: outgoing interface.
NextHop: IP address of the next hop towards the destination, which is the Web server's
IP address in this network setup.
MAC: MAC address of the next hop towards the destination, which is the Web server's
MAC address in this network setup.
<--packets:4 bytes:465: packet statistics in the reverse session direction, or the number of
packets and bytes sent by the Web server to PC.
21
Learn Firewalls with Dr. WoW
<--packets:7 bytes:455: packet statistics in the forward session direction, or the number
of packets and bytes sent by the PC to Web server.
Among the preceding items, two deserves more attention.
2.
Aging time
A session is generated dynamically and will not exist for ever. If a session does not match
packets in a long time, the communication peers may have been disconnected and this session
is not required any more. To save the system resources, the firewall will delete the session
after a certain period of time, which is called session aging time.
The session aging time has to be set properly. If it is too large, the system resources may be
unnecessarily occupied, affecting the establishment of other sessions; if it is too small, the
firewall may forcibly tear down service connections that have more data to transmit. For
different types of protocols, Huawei firewall sets proper default aging time, for example, 20s
for ICMP and 30s for DNS. Generally, the default aging time is fine, but you can change it
using the firewall session aging-time command. For example, you can run the following
command to change the DNS session aging time to 10s.
[FW] firewall session aging-time dns 10
For one type of services on networks, such as SQL database services, the two consecutive
packets over a connection may have an extended time interval. When a user retrieves data on
an SQL database server, the time interval between retrievals may far exceed the session aging
time of SQL database service. After the firewall ages out the session for this service, the user
may experience sluggish or even failed access to the SQL database.
One way to resolve the issue is to extend the session aging time for such type of services, but
some other sessions may not need extended aging time and have to unnecessarily occupy
system resources.
To completely resolve this issue, Huawei firewall provides the persistent connection function,
which extends the session aging time only for the specified packets that match certain ACL
rules. Unlike the way to extend the session aging time by protocol, the persistent connection
function extends the session aging time more precisely. The default session aging time of a
persistent connection is 168 hours (long enough), but you can change the aging time from the
default.
NOTE
Currently, the persistent connection function applies to TCP protocol packets only.
Persistent connections can be configured within or between security zones. The following
provides an example of configuring a persistent connection between the trust and untrust
security zones for the SQL database packets from the 192.168.0.1 (the source) to the
172.16.0.2 (the destination).
[FW] acl 3000
[FW-acl-adv-3000] rule permit tcp source 192.168.0.1 0 destination 172.16.0.2 0
destination-port eq sqlnet
[FW-acl-adv-3000] quit
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] long-link 3000 outbound
WARNING: Too large range of ACL maybe affect the performance of firewall, please use
this command carefully!
Are you sure?[Y/N]y
3.
Packet statistics
22
Learn Firewalls with Dr. WoW
Packet statistics in both directions (identified by the <- and -> symbols) are important for
locating network faults. If there are packet statistics in only the "->" direction but not the "<-"
direction, the PC-to-Web server packets have passed the firewall but the Web server-to-PC
packets have not, which means a communication anomaly. Regarding the possible causes of
anomaly, the firewall may have discarded the Web server-to-PC packets, the firewall and Web
server may have failed communication, or the Web server may be malfunctioning. Then the
scope of faults can be narrowed down. There can be surely exceptions. Under special network
environment, communication may be functional even if there are no packet statistics in one
direction. How special is the network environment? This remains to be seen in the later
sections.
1.6.2 Stateful Inspection and Session Establishment
The firewall's stateful inspection function takes packets over a connection as one data flow.
How to express a connection as a session? This requires the firewall's analysis of
protocol-specific exchange modes. The following uses TCP as an example. A TCP connection
between the communication peers is established with a three-way handshake, as shown in
Figure 1-20.
Figure 1-20 Three-way handshake of TCP
Web server
PC
1 SYN(seq=a)
2 SYN+ACK(seq=b, ack=a+1)
3 ACK(ack=b+1)
As a SYN packet initiates a TCP connection, the SYN packet is usually called the first packet.
For a TCP connection, the firewall establishes a session only after it receives a SYN packet
and the SYN packet is permitted by a rule. Then the TCP packets that match the session will
be directly forwarded. If the firewall does not receive any SYN packet, but the subsequent
SYN+ACK or ACK packets, it does not establish a session and discards these packets.
This process is fine unless under special network environments. As shown in Figure 1-21, the
request packets from the internal network go to the external network directly through the
router, and the reply packets from the external network are forwarded by the router to the
firewall, which then forwards them back to the router after processing them. Finally, the
router forwards the reply packets to the internal network. In other words, the firewall does not
receive any SYN packet but only SYN+ACK packets. In this example, the request and reply
packets are forwarded over different paths.
23
Learn Firewalls with Dr. WoW
Figure 1-21 Request and reply packets being forwarded over different paths
External
network
SYN+ACK
Router
SYN
Firewall
Internal
network
In this network environment, the firewall discards the received SYN+ACK packets as they
match no session. Consequently, the internal and external networks have interrupted
communication. Then what to do next?
The firewall provides the option of disabling stateful inspection. After stateful inspection is
disabled, the firewall will not analyze the status of connection just as a packet filtering
firewall does. Then the firewall establishes a session for the following packets if the rules
(security policies) allow them to pass, which ensures normal communication.
CAUTION
Disabling stateful inspection will change the firewall working mode. On live networks, do not
disable stateful inspection, unless otherwise required.
The following uses a network setup where the request and reply packets are forwarded over
different paths as an example to show how the firewall processes the TCP, UDP, and ICMP
protocol packets, when its stateful inspection is enabled and disabled.
TCP
Let's start with the TCP protocol. The network setup is simulated using the eNSP. The request
packets from the PC reach the Web server through the router and the reply packets from the
Web server are forwarded to the firewall, then back to the router and finally to the PC. Figure
1-22 shows the network topology.
24
Learn Firewalls with Dr. WoW
NOTE
To simulate the network setup, policy-based routing (PBR) needs to be configured on the router so that
the reply packets from the Web server are redirected to the firewall. For details on how to configure PBR,
see the router configuration guides. In addition, a route to the PC needs to be configured on the firewall
and the route's next hop has to be the router's interface (at 10.1.2.2 in this example) connected to the
firewall's interface GE0/0/1.
Figure 1-22 TCP request and reply packets being forwarded over different paths
Web server
172.16.0.1
Untrust
GE0/0/2
Router
GE0/0/1
Firewall
Trust
PC
192.168.0.1
A rule listed in Table 1-3 is configured on the firewall to allow the reply packets from the Web
server to pass.
Table 1-3 Rule to allow the reply packets from the Web server to pass
No.
Source IP
Address
Source
Port
Destination IP
Address
Destination
Port
Action
1
172.16.0.1
80
192.168.0.1
ANY
Permit
When stateful inspection is enabled on the firewall, an attempt for the PC to access the Web
server fails, as shown in Figure 1-23.
25
Learn Firewalls with Dr. WoW
Figure 1-23 PC's failure to access the Web server
On the firewall, no session information can be found.
[FW] display firewall session table
Current Total Sessions : 0
When you run the display firewall statistic system discard command to check packet loss
on the firewall, you will find Session miss packets discarded message.
[FW] display firewall statistic system discard
Packets discarded statistic
Total packets discarded:
Session miss packets discarded:
8
8
This information indicates that the firewall has discarded packets that match no session. As
the firewall receives the reply SYN+ACK packets but not SYN packets, the session cannot be
established, and the firewall has to discard the SYN+ACK packets.
Then you use the undo firewall session link-state check command to disable stateful
inspection.
[FW] undo firewall session link-state check
Then an attempt for the PC to access the Web server succeeds, and session information can be
found on the firewall.
[FW] display firewall session table verbose
Current Total Sessions : 1
tcp VPN:public --> public
Zone: untrust--> trust TTL: 00:00:10 Left: 00:00:10
Interface: GigabitEthernet0/0/1 NextHop: 10.1.2.2 MAC: 54-89-98-e4-79-d5
<--packets:0 bytes:0 -->packets:5 bytes:509
172.16.0.1:80-->192.168.0.1:2051
26
Learn Firewalls with Dr. WoW
In the session information, there are packet statistics in the "->" direction but none in the "<-"
direction, which means that only the reply packets from the server pass the firewall. Then we
can conclude that after stateful inspection is disabled, the firewall establishes a session for the
received SYN+ACK packets, maintaining communication between the PC and Web server.
On a network where the request and reply packets are forwarded over different paths, and
stateful inspection is disabled on the firewall, there are no packet statistics in one session
direction but the communication is normal. This is how we say "special" in the preceding
sections. For live networks, no rule always applies.
UDP
Then let's take a look at the UDP protocol. Unlike TCP, UDP is a connectionless protocol. The
firewall establishes a session for the received UDP packets if the rule allows them to pass,
regardless of whether stateful inspection is enabled or not.
ICMP
ICMP is a reminder of ping tests. Ping tests are usually used in routine maintenance to check
whether a device is reachable on a network. In a ping operation, you send an echo request,
and the destination device replies with an echo reply.
When stateful inspection is enabled, the firewall establishes a session for the received echo
request only if the firewall rule allows it to pass, and establishes no session for the received
echo reply if it does not receive the echo request, and discards the echo reply. When stateful
inspection is disabled, the firewall establishes a session for the echo request or reply.
The following provides an example of session information for a network where the request
and reply packets are forwarded over different paths, and stateful inspection is disabled on the
firewall.
[FW] display firewall session table verbose
Current Total Sessions : 1
icmp VPN:public --> public
Zone: untrust--> trust TTL: 00:00:20 Left: 00:00:11
Interface: GigabitEthernet0/0/1 NextHop: 10.1.2.2 MAC: 54-89-98-e4-79-d5
<--packets:0 bytes:0 -->packets:1 bytes:60
172.16.0.1:2048-->192.168.0.1:45117
For other types of ICMP packets, the firewall establishes a session for the received packets if
the rule allows them to pass, regardless of whether stateful inspection is enabled or not.
Table 1-4 concludes how the firewall processes TCP, UDP, and ICMP packets when stateful
inspection is enabled or disabled, given that the firewall rule allows the packets to pass.
Table 1-4 Session establishment for the TCP, UDP, and ICMP packets
Stateful Inspection
Enabled
Stateful Inspection
Disabled
SYN packets
Session established,
packets forwarded
Session established,
packets forwarded
SYN+ACK and ACK
packets
Session not established,
packets discarded
Session established,
packets forwarded
Session established,
packets forwarded
Session established,
packets forwarded
Protocol
TCP
UDP
27
Learn Firewalls with Dr. WoW
Stateful Inspection
Enabled
Stateful Inspection
Disabled
Ping echo requests
Session established,
packets forwarded
Session established,
packets forwarded
Ping echo replies
Session not established,
packets discarded
Session established,
packets forwarded
Other ICMP packets
Session not established,
packets forwarded
Session not established,
packets forwarded
Protocol
ICMP
The preceding sections explain how the firewall processes the TCP, UDP, and ICMP packets
when stateful inspection is enabled or disabled, for you to better understand the stateful
inspection and session mechanism. The next section will describe the essential precautions for
configuring security zones and the stateful inspection and session mechanism, and will also
provide troubleshooting guidelines.
1.7 Precautions for Configuration and Troubleshooting
Guides
1.7.1 Security Zones
For a new security zone on a firewall, a priority (security level) has to be specified; otherwise,
the associated interfaces cannot be added into the security zone. The following provides an
example of failing to add interfaces to a security zone.
[FW] firewall zone name abc
[FW-zone-abc] add interface GigabitEthernet 0/0/1
Error: Please set the priority on this zone at first.
The following command can be used to specify a priority, which must be unique.
[FW-zone-abc] set priority 10
A common mistake during security zone configuration is to forget to add interfaces to security
zones. If no interfaces are added to a security zone, the firewall cannot determine the path for
forwarding packets as well as interzone relationship. Consequently, the firewall discards the
packets and the service will be unavailable.
In this case, you can use the display zone command to check security zone configurations on
the firewall and the interfaces that have been added to the security zone.
[FW] display zone
local
priority is 100
#
trust
priority is 85
interface of the zone is (1):
GigabitEthernet0/0/1
#
untrust
28
Learn Firewalls with Dr. WoW
priority is 5
interface of the zone is (1):
GigabitEthernet0/0/2
GigabitEthernet0/0/3
#
dmz
priority is 50
interface of the zone is (0):
#
abc
priority is 10
interface of the zone is (0):
#
When a service is unavailable, there may be packet loss. You can use the display firewall
statistic system discard command to check packet statistics on the firewall. If the following
command output is displayed, the firewall cannot determine interzone relationship and have to
discard packets.
[FW] display firewall statistic system discard
Packets discarded statistic
Total packets discarded:
Interzone miss packets discarded:
5
5
The root cause of packet loss is that the interfaces have not been added to the security zone.
Then you can see how the packet loss information on the firewall helps in locating faults.
1.7.2 Stateful Inspection and Session Mechanism
The core technology inside the stateful inspection firewall is to analyze status of connections
between communication peers, and establish sessions for forwarding packets. If a service is
unavailable, a session may not be established on the firewall. Remember this when
troubleshooting.
You can use the display firewall session table command to check for a session of a service.
If there is no service session on the firewall…
There are two possible causes:
The service packets do not reach the firewall.
The service packets are discarded by the firewall.
For the first possible cause, the service packets may be discarded by other network devices
before they reach the firewall. If the other network devices do not discard the service packets,
it is the firewall that discards them.
In this case, run the display firewall statistic system discard command to check packet loss
statistics on the firewall. If the following information is displayed, the firewall fails to
determine the interzone relationship or find an ARP entry.
[FW] display firewall statistic system discard
Packets discarded statistic
Total packets discarded:
ARP miss packets discarded:
2
2
If the firewall fails to obtain ARP entries, check the ARP function on its upstream and
downstream devices.
29
Learn Firewalls with Dr. WoW
If the following information is displayed, the firewall discards packets because it cannot find a
route for them.
[FW] display firewall statistic system discard
Packets discarded statistic
Total packets discarded:
FIB miss packets discarded:
2
2
Then the firewall has an issue with route configurations. In this case, check for routes to the
destinations on the firewall.
If the following information is displayed, the firewall discards packets because it cannot find a
session for them.
[FW] display firewall statistic system discard
Packets discarded statistic
Total packets discarded:
Session miss packets discarded:
2
2
The firewall may receive the subsequent packets but not the first packets. In this case, check
whether the request and reply packets are forwarded over different paths. If required, use the
undo firewall session link-state check command to disable stateful inspection for
verification.
If the following information is displayed, the firewall discards packets because it fails to
establish a session.
[FW] display firewall statistic system discard
Packets discarded statistic
Total packets discarded:
Session create fail packets discarded:
2
2
The sessions on the firewall may reach the capacity and no more session can be established.
In this case, check for the sessions that are idle for a long time. For example, there are a large
number of DNS sessions that have only a small number of packets to transmit. Then the DNS
session aging time can be changed to 3s to speed up aging, using the following command:
[FW] firewall session aging-time dns 3
If there is a service session on the firewall…
Use the display firewall session table verbose command to check the session details. If the
following information is displayed, there are packet statistics in the forward session direction
but none in the reverse session direction.
[FW] display firewall session table verbose
Current Total Sessions : 1
icmp VPN:public --> public
Zone: trust--> untrust TTL: 00:00:10 Left: 00:00:04
Interface: GigabitEthernet0/0/1 NextHop: 172.16.0.1 MAC: 54-89-98-fc-36-96
<--packets:0 bytes:0 -->packets:5 bytes:45
192.168.0.1: 54187-->172.16.0.1:2048
Regarding the probable causes, the reply packets may not reach the firewall or be discarded
by the firewall. Then check whether the packets are discarded by other network devices
before reaching the firewall. And also check packet loss statistics on the firewall.
30
Learn Firewalls with Dr. WoW
2
Security Policy
2.1 First Experience of Security Policies
As I mentioned many times in the preceding chapter, "rules" are actually "security check
inspectors" for security control and play an important role when firewalls forward packets.
Packets can flow between security zones only when the action in the rules is "permit". If the
action is "deny", the packets will be discarded.
On firewalls, rules are expressed as "security policies". I will explain security policies in
detail in this chapter.
2.1.1 Basic Concepts
First, let's start from a simple network environment. As shown in Figure 2-1, a PC and a Web
server are on different networks, and both of them connect to a firewall. The PC is in the Trust
zone, while the Web server is in the Untrust zone.
Figure 2-1 Networking for a PC to access a Web server
Untrust
Trust
PC
192.168.0.1
Firewall
Web server
172.16.0.1
If we want the firewall to allow the PC to access the Web server, the requirement can be
described as follows: Allow packets to pass from source address 192.168.0.1 in the Trust zone
to destination address 172.16.0.1 and destination port 80 (HTTP port) in the Untrust zone.
If we express the requirement in a security policy and add the implied source port information,
the result is shown in Figure 2-2.
31
Learn Firewalls with Dr. WoW
Figure 2-2 Security policy for a PC to access a Web server
Trust
Untrust
Security policy
Condition
Source
address
Action
Permit
/Deny
Source
port
Destination
address
Destination
port
We can see that security policies are based on interzone relationships. A security policy
consists of the following parts:
Condition
Indicates the condition based on which the firewall checks packets. The firewall
compares the information carried in a packet with the condition one by one to check
whether the packet matches the condition.
Action
Indicates the action to be taken on matching packets. One policy has only one action,
either permit or deny.
Note that the condition has multiple fields, such as the source address, destination address,
source port, and destination port. These fields are ANDed. That is, a packet matches a policy
only when the information in the packet matches all the fields in the policy. If one field has
multiple options (such as two source addresses or three destination addresses), the options are
ORed. That is, a packet matches a field when it matches one option of the field.
After the security policy is configured on the firewall, the PC can access the Web server. The
packets that the Web server replies to the PC match a session, and therefore no additional
security policy is required. This mechanism has been described in section 1.5.
In real-world network environments, it is often that the communications are between two
networks (such as 192.168.0.0/24 and 172.16.0.0/24), not only between two systems (such as
the PC and Web server). In this case, we set the condition of a security policy to a network.
For example, we can permit the packets from source network 192.168.0.0/24 in the Trust zone
to destination network 172.16.0.0/24 in the Untrust zone. You may ask that what if we want to
deny the packets destined from one host (for example, 192.168.0.100) on network
192.168.0.0/24 to network 172.16.0.0/24?
We can configure another security policy to deny the packets from source address
192.168.0.100 in the Trust zone to the Untrust zone. Here you may ask what the firewall will
do since source address 192.168.0.100 matches the conditions of both security policies.
Let's look at the matching sequence of security policies.
32
Learn Firewalls with Dr. WoW
2.1.2 Matching Sequence
Security policies are matched in sequence. When a firewall forwards packets between security
zones, it searches interzone security policies top down. If a packet matches a specific security
policy, the firewall takes the action defined in the policy and stops searching remaining
security policies. If the packet does not match the policy, the firewall continues to search
remaining policies one by one.
Because of the matching sequence, we must comply with the principle of "putting more
specific policies before more general ones" when configuring security policies, just as in
configuring ACL rules.
The preceding situation is used as an example. As shown in Figure 2-3, we configure the first
security policy to deny the packets from 192.168.0.100 in the Trust zone to the Untrust zone
and the second security policy to allow packets to pass from network 192.168.0.0/24 in the
Trust zone to network 172.16.0.0/24 in the Untrust zone.
Figure 2-3 Matching sequence of security policies
Trust
Untrust
Security policy 1
Condition
Source address
192.168.0.100
Action
Deny
Matching
sequence
Security policy 2
Condition
Source address
192.168.0.0/24
Action
Permit
Destination address
172.16.0.0/24
When the firewall searches security policies, the packets from 192.168.0.100 matches the first
policy and are therefore denied. Other packets from network 192.168.0.0/24 match the second
policy and are forwarded. If we change the sequence of the two security policies, packets
from 192.168.0.100 will never match the policy with the action being deny.
You may ask how does the firewall process packets if none of security policies is matched?
For such a situation, firewalls implement the "implicit packet filtering" policy.
2.1.3 Implicit Packet Filtering
The implicit packet filtering policy can be implicit permit or implicit deny, which applies to
all packets that do not match any explicit policy. Therefore, the implicit packet filtering is the
last resort of the firewall, as shown in Figure 2-4. Note that implicit packet filtering has
nothing to do with the first-generation packet filtering firewalls.
33
Learn Firewalls with Dr. WoW
Figure 2-4 Security policies and implicit packet filtering
Trust
Untrust
Security policy 1
Condition
Source address
192.168.0.100
Action
Deny
Matching
condition
Security policy 2
Condition
Source address
192.168.0.0/24
Action
Permit
Destination address
172.16.0.0/24
Implicit packet filtering
Condition
Any
Action
Permit
/Deny
By default, the action of the implicit packet filtering is deny. That is, the firewall does not
allow packets that do not match any explicit security policy to flow between security zones.
To simplify configuration, we may set the action to permit for the implicit packet filtering
between security zones. However, this operation brings huge security risks because the
firewall is no longer used as a firewall if you do so, and there will be no network isolation.
Therefore, we recommend that you configure specific security policies instead of setting the
action of the implicit packet filtering to permit.
The preceding security policies apply to packets flowing between security zones. Can Huawei
firewalls control packets within a security zone? Of course YES. By default, packets within a
security zone are not controlled by security policies and they are forwarded without restriction.
Huawei firewalls support intrazone security policies. You can configure security policies to
control the flow of packets within a security zone if necessary.
note that when the interfaces on a firewall work in Layer 2 (transparent) mode, packets
passing the firewall are controlled by security policies. In this case, security policies are
required.
Security policies control not only the service packets forwarded by a firewall, but also the
packets that the firewall exchanges with other devices, such as the packets generated when an
administrator logs in to the firewall or the firewall establishes a VPN with another device. The
conditions in such security policies differ a lot, and we will introduce them in section 2.4.
Through the preceding introduction, I believe that you have had a rough understanding of
security policies. Everything is changing, so are the security policies on Huawei firewalls. In
the next section, we will tell you the history of Huawei firewall security policies.
34
Learn Firewalls with Dr. WoW
2.2 History of Security Policies
The networks are constantly changing, and security threats emerge one after another. To adapt
to such changes, Huawei firewalls are constantly upgraded, and security policies are improved
accordingly.
As shown in Figure 2-5, the development of Huawei firewall security policies has
experienced three phases: ACL-based packet filtering, UTM-integrated security policy, and
unified security policy.
Figure 2-5 History of Huawei firewall security policies
Function
Unified security policy
UTM-integrated security policy
ACL-based packet filtering
Matching condition: quintuple
information in packets (source/
destination addresses, source/
destination ports, and protocol)
and time range
Action: permit or deny
Implemented by referencing an
ACL in an interzone
Matching condition: quintuple
information in packets, user, and
time range
Action: permit or deny (perform
UTM processing, such as IPS,
antivirus, and URL filtering, on
permitted packets)
Implemented by configuring
policies with conditions and
actions
Traditional firewall
UTM
Accurately identifies packets
based on six dimensions
(ACTUAL).
Identifies the application type
and content of traffic at a time
and allows concurrent
processing of multiple content
security services.
Enhanced application,
content, and threat awareness
capabilities
NGFW
The development history shows the following characteristics:
Matching conditions are more refined, from IP address- and port-based packet
identification by traditional firewalls to user-, application-, and content-based packet
identification by next-generation firewalls (NGFWs). The packet identification capability
is enhanced.
More actions are available. At the beginning, packets were simply permitted or denied.
Now, firewalls can perform various content security checks on packets.
The configuration is more convenient. To configure security policies on traditional
firewalls, you must be familiar with the ACL configuration. The unified security policy
configuration on NGFWs is more simple, convenient, and easy to understand.
Let's describe the three phases one by one.
2.2.1 Phase 1: ACL-based Packet Filtering
ACL-based packet filtering is the implementation on early Huawei firewalls, such as
V100R003 of USG2000/5000 series and V200R001 of USG9500 series.
In this phase, ACLs are configured to control packets. Each ACL contains several rules, and
each rule has its condition and action. ACLs must be configured and referenced in interzones.
When forwarding a packet between security zones, a firewall searches for rules in ACLs top
down. If the packet matches a rule, the firewall takes the action defined in the rule and stops
rule searching. If the packet does not match the rule, the firewall continues to search for the
35
Learn Firewalls with Dr. WoW
next rule. If the packet does not match any rule, the firewall takes the action defined for the
implicit packet filtering.
As shown in Figure 2-6, the Trust-Untrust interzone relationship is used as an example to
explain the logic of ACL-based packet filtering.
Figure 2-6 Logic of ACL-based packet filtering
Trust
Untrust
ACL-based packet filtering
ACL
Rule 1
Condition
Protocol|Source address|Source
port|Destination address|Destination port
Action
Permit/Deny
Matching
sequence
Rule 2
Condition
Protocol|Source address|Source
port|Destination address|Destination port
Action
Permit/Deny
…...
Rule N
Condition
Protocol|Source address|Source
port|Destination address|Destination port
Action
Permit/Deny
Implicit packet filtering
Condition
Action
Any
Permit/Deny
To configure ACL-based packet filtering, you must first configure an ACL and then reference
the ACL in the interzone. For example, to deny the packets from 192.168.0.100 in the Trust
zone to the Untrust zone and permit the packets from 192.168.0.0/24 to 172.16.0.0/24,
configure the following ACL:
[FW] acl 3000
[FW-acl-adv-3000] rule deny ip source 192.168.0.100 0
[FW-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0
0.0.0.255
[FW-acl-adv-3000] quit
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] packet-filter 3000 outbound
2.2.2 Phase 2: UTM-integrated Security Policy
With the release of UTM products, Huawei firewall security policies take a step forward and
become actual "policies". Different from ACL-based packet filtering, UTM-integrated
36
Learn Firewalls with Dr. WoW
security policies have conditions and actions defined without referencing ACLs. In addition, if
the action is permit, UTM policies, such as antivirus and IPS policies, can be referenced for
further packet inspection.
V300R001 of USG2000/5000 series uses UTM-integrated security policies. V300R001 of
USG9500 series also supports this type of security policy, but only conditions and actions can
be set, and UTM policies cannot be referenced.
As shown in Figure 2-7, a UTM-integrated security policy consists of the condition, action,
and UTM policy. Note that the "service set" concept emerges in security policy conditions to
replace the protocol and port. Some service sets including common protocols have been
predefined in security policies. These service sets can be directly set as conditions. For other
protocols or ports, we can define new service sets and reference them in security policies.
Figure 2-7 Composition of a UTM-integrated security policy
UTM-integrated security policy
Condition
Action
UTM policy
Source address
Permit
IPS
Destination
address
Deny
AV
Service set
Web filtering
Packet
Time range
Mail filtering
User
FTP filtering
Application
control
UTM-integrated security policies are matched in sequence. When a firewall forwards packets
between security zones, it searches interzone security policies top down. If a packet matches a
specific security policy, the firewall takes the action defined in the policy and stops searching
remaining security policies. If the packet does not match the policy, the firewall continues to
search remaining policies. If the packet does not match any policy, the firewall takes the
action defined for the implicit packet filtering.
As shown in Figure 2-8, the Trust-Untrust interzone relationship is used as an example to
explain the logic of UTM-integrated security policies.
37
Learn Firewalls with Dr. WoW
Figure 2-8 Logic of UTM-integrated security policies
Trust
Untrust
UTM-integrated security policy
Policy 1
Condition
Source address|Destination
address|Service set|Time range|User
Action
Permit/Deny
Matching
sequence
UTM policy
Policy 2
Condition
Source address|Destination
address|Service set|Time range|User
Action
Permit/Deny
UTM policy
…...
Policy N
Condition
Source address|Destination
address|Service set|Time range|User
Action
Permit/Deny
UTM policy
Implicit packet filtering
Condition
Action
Any
Permit/Deny
To configure a UTM-integrated security policy, you can directly set the condition and action.
If UTM inspection on packets is required, set a UTM policy and reference the UTM policy in
the security policy with the action being permit. For example, to deny the packets from
192.168.0.100 in the Trust zone to the Untrust zone and permit the packets from
192.168.0.0/24 to 172.16.0.0/24, configure the following security policy:
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy
[FW-policy-interzone-trust-untrust-outbound-1] action
[FW-policy-interzone-trust-untrust-outbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] policy 2
[FW-policy-interzone-trust-untrust-outbound-2] policy
[FW-policy-interzone-trust-untrust-outbound-2] policy
0.0.0.255
source 192.168.0.100 0
deny
source 192.168.0.0 0.0.0.255
destination 172.16.0.0
38
Learn Firewalls with Dr. WoW
[FW-policy-interzone-trust-untrust-outbound-2] action permit
2.2.3 Phase 3: Unified Security Policy
With the high-speed growth of networks and applications, the way protocols are used and data
is transmitted has changed dramatically, and network worms, botnets, and other
application-based attacks constantly emerge. Traditional firewalls are incapable of preventing
threats from network worms and botnets as they identify applications based on ports and
protocols and detect and defend against attacks based on transport-layer signatures. The new
security requirement drives the emergence of the next-generation firewall. Huawei firewalls
keep pace with the times, and their security policies have evolved into the "unified" security
policies. Currently, V100R001 of USG6000 series supports unified security policies.
By "unified", we mean:
Unified configuration: Security profiles can be referenced in security policies to
implement security functions, such as antivirus, intrusion prevention, URL filtering, and
mail filtering, simplifying configurations.
Unified service processing: Multiple services are conducted on packets in parallel when
security policies are used to check the packets, greatly improving system performance.
As shown in Figure 2-9, unified security policies are configured to identify actual service
environments based on applications, content, time, users, attacks, and locations (ACTUAL) in
addition to traditional quintuple information, implementing accurate access control and
security inspection.
Figure 2-9 Identification dimensions of unified security policies
A unified security policy consists of the condition, action, and profile, as shown in Figure
2-10. The profile is used for content security inspection on packets and can be referenced only
when the action in the policy is permit.
39
Learn Firewalls with Dr. WoW
Figure 2-10 Composition of a unified security policy
Unified security policy
Condition
Action
Profile
Source zone
Permit
AV
Deny
IPS
Destination zone
Packet
Source address/
zone
Destination
address/zone
URL filtering
File filtering
User
Service
Content filtering
Application
Application
behavior control
Time range
Mail filtering
Compared with security policies in the first two phases, unified security policies have the
following advantages:
Unified security policies are applied globally, not just between security zones. Security
zones are optional, and multiple security zones can be set at the same time. A special
implementation on Huawei USG6000 series is that packets are not allowed to flow
between security zones by default. To allow the data flow, you must configure an
intrazone security policy.
The default action in security policies replaces the implicit packet filtering, and the
action takes effect globally.
If multiple unified security policies are configured on a firewall, the firewall searches the
policies top down when forwarding packets. As shown in Figure 2-11, if a packet matches a
specific security policy, the firewall takes the action defined in the policy and stops searching
remaining security policies. If the packet does not match the policy, the firewall continues to
search remaining policies. If the packet does not match any policy, the firewall takes the
default action for security policies. The function of the default action is the same as that in the
implicit packet filtering. The difference is that the default action is set in a security policy.
40
Learn Firewalls with Dr. WoW
Figure 2-11 Logic of unified security policies
Unified security policy
Policy 1
Condition
Source zone|Destination zone|Source address (zone)|Destination address
(zone)|User|Service|Application|Time range
Action
Permit/Deny
Matching
sequence
Configuration file
Policy 2
Condition
Source zone|Destination zone|Source address (zone)|Destination address
(zone)|User|Service|Application|Time range
Action
Permit/Deny
Configuration file
…...
Policy N
Condition
Source zone|Destination zone|Source address (zone)|Destination address
(zone)|User|Service|Application|Time range
Action
Permit/Deny
Configuration file
Default action for security policies
Condition
Any
Action
Permit/Deny
For example, to deny the packets from 192.168.0.100 in the Trust zone to the Untrust zone
and permit the packets from 192.168.0.0/24 to 172.16.0.0/24, configure the following unified
security policies:
[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone trust
[FW-policy-security-rule-policy1] destination-zone untrust
[FW-policy-security-rule-policy1] source-address 192.168.0.100 32
[FW-policy-security-rule-policy1] action deny
[FW-policy-security-rule-policy1] quit
[FW-policy-security] rule name policy2
[FW-policy-security-rule-policy2] source-zone trust
[FW-policy-security-rule-policy2] destination-zone untrust
[FW-policy-security-rule-policy2] source-address 192.168.0.0 24
[FW-policy-security-rule-policy2] destination-address 172.16.0.0 24
[FW-policy-security-rule-policy2] action permit
After the preceding introduction, I believe that you have understood the history of Huawei
firewall security policies. The security policies mentioned in the following parts are
configured as UTM-integrated security policies, which are popular nowadays, but we only
provide conditions and actions and do not cover the configuration of UTM policies.
41
Learn Firewalls with Dr. WoW
2.3 Security Policies in the Local Zone
Firewalls also forward locally generated or terminated traffic when, for example,
administrators log in to the firewalls for management, Internet devices and users establish
VPNs with the firewalls, the firewalls and routers run routing protocols, such as Open
Shortest Path First (OSPF), and the firewalls interconnect with authentication servers.
To ensure the normal flow of such traffic, we must configure corresponding security policies
on the firewalls. To be specific, we must configure security policies between the Local zone
of the firewalls and the security zones where the interfaces used by the services reside.
In the preceding parts, we describe security policies for the packets passing through firewalls.
Now, let's see how to configure security policies for locally generated or terminated packets of
firewalls. OSPF packets are used as an example.
2.3.1 Configuring a Security Policy in the Local Zone for OSPF
A USG9500 running V300R001 is connected to two routers, as shown in Figure 2-12.
This section verifies the security policy configuration between the security zone where the firewall
interface connecting the router resides and the Local zone when the firewall participates in OSPF route
calculation. If the firewall does not participate in OSPF route calculation, only transparently transmits
OSPF packets, and uses interfaces in different security zones to send and receive OSPF packets, a
security policy must be configured on the firewall to allow the OSPF packets to pass.
Figure 2-12 Networking for OSPF packet exchange
Untrust
Local
GE1/0/1
192.168.0.1/24
Firewall
GE0/0/1
192.168.0.2/24
GE0/0/2
192.168.1.1/24
Router1
GE0/0/1
192.168.1.2/24
Router2
The configuration on the firewall is as follows:
[FW] interface GigabitEthernet1/0/1
[FW-GigabitEthernet1/0/1] ip address 192.168.0.1 24
[FW-GigabitEthernet1/0/1] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet1/0/1
[FW-zone-untrust] quit
[FW] ospf
[FW-ospf-1] area 1
[FW-ospf-1-area-0.0.0.1] network 192.168.0.0 0.0.0.255
The configuration on Router 1 is as follows:
[Router1] interface GigabitEthernet0/0/1
[Router1-GigabitEthernet0/0/1] ip address 192.168.0.2 24
[Router1-GigabitEthernet0/0/1] quit
[Router1] interface GigabitEthernet0/0/2
[Router1-GigabitEthernet0/0/2] ip address 192.168.1.1 24
42
Learn Firewalls with Dr. WoW
[Router1-GigabitEthernet0/0/2] quit
[Router1] ospf
[Router1-ospf-1] area 1
[Router1-ospf-1-area-0.0.0.1] network 192.168.0.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
The configuration on Router 2 is as follows:
[Router2] interface GigabitEthernet0/0/1
[Router2-GigabitEthernet0/0/1] ip address 192.168.1.2 24
[Router2-GigabitEthernet0/0/1] quit
[Router2] ospf
[Router2-ospf-1] area 1
[Router2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
By default, no security policy is configured between the Untrust zone where GE1/0/1 resides
and the Local zone, and therefore packets are not allowed to flow between the zones.
After the configuration is complete, run the display ospf peer command to view the OSPF
adjacency.
[FW] display ospf peer
OSPF Process 1 with Router ID 192.168.0.1
Neighbors
Area 0.0.0.1 interface 192.168.0.1(GigabitEthernet1/0/1)'s neighbors
Router ID: 192.168.1.1
Address: 192.168.0.2
State: ExStart Mode:Nbr is Slave Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 32 sec
Retrans timer interval: 0
Neighbor is up for 00:00:00
Authentication Sequence: [ 0 ]
Run the display ospf peer command on Router 1 to view the OSPF adjacency.
[Router1] display ospf peer
OSPF Process 1 with Router ID 192.168.1.1
Neighbors
Area 0.0.0.1 interface 192.168.0.2(GigabitEthernet0/0/1)'s neighbors
Router ID: 192.168.0.1
Address: 192.168.0.1
GR State: Normal
State: ExStart Mode:Nbr is Slave Priority: 1
DR: 192.168.0.1 BDR: 192.168.0.2 MTU: 0
Dead timer due in 32 sec
Neighbor is up for 00:00:00
Authentication Sequence: [ 0 ]
Neighbors
Area 0.0.0.1 interface 192.168.1.1(GigabitEthernet0/0/2)'s neighbors
Router ID: 192.168.1.2
Address: 192.168.1.2
GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: 192.168.1.2 BDR: 192.168.1.1 MTU: 0
Dead timer due in 32 sec
Neighbor is up for 00:09:28
43
Learn Firewalls with Dr. WoW
Authentication Sequence: [ 0 ]
The OSPF adjacency state is ExStart on both the firewall and Router 1. According to the
process for establishing an OSPF adjacency shown in Figure 2-13, we can find that the OSPF
adjacency failed to be established because the firewall and Router 1 did not exchange
Database Description (DD) packets.
Figure 2-13 Process for establishing an OSPF adjacency
Firewall
Down
Router 1
Hello(DR=0.0.0.0, Neighbors Seen=0)
Hello(DR=R2, Neighbors Seen=R1)
ExStart
Init
DD(Seq=x, I=1,M=1,MS=1)
DD(Seq=y, I=1,M=1,MS=1)
Exchange
Down
ExStart
DD(Seq=y, I=0,M=1,MS=0)
DD(Seq=y+1, I=0,M=1,MS=1)
Exchange
DD(Seq=y+1, I=0,M=1,MS=0)
DD(Seq=y+n, I=0,M=0,MS=1)
Loading
DD(Seq=y+n, I=0,M=0,MS=0)
LS Request
Full
LS Update
Full
LS Ack
It is possible that the firewall discards the DD packets. Run the display firewall statistic
system discarded command on the firewall to view information about discarded packets.
[FW] display firewall statistic system discarded
Packets discarded statistic on slot 3 CPU 3
Total packets discarded : 31
Total deny bytes discarded : 1,612
Default deny packets discarded : 31
The command output shows that packets are discarded due to implicit packet filtering. This is
because we have not configured a security policy to allow DD packets to pass, and therefore
the packets matched were discarded. Additionally, we find that the number of discarded
44
Learn Firewalls with Dr. WoW
packets is increasing, indicating that the OSPF module keeps sending DD packets to establish
the OSPF adjacency, but the packets are still discarded.
Then, we configure a security policy in the Local-Untrust interzone to allow OSPF packets to
pass. Note that the security policy must be configured in both inbound and outbound
directions as the firewall needs to send and receive DD packets.
To exactly match OSPF, we use the OSPF service set provided by security policies. If this service set is
unavailable, create one and set the protocol number to 89.
[FW] policy interzone local untrust inbound
[FW-policy-interzone-local-untrust-inbound] policy 1
[FW-policy-interzone-local-untrust-inbound-1] policy service service-set ospf
[FW-policy-interzone-local-untrust-inbound-1] action permit
[FW-policy-interzone-local-untrust-inbound-1] quit
[FW-policy-interzone-local-untrust-inbound] quit
[FW] policy interzone local untrust outbound
[FW-policy-interzone-local-untrust-outbound] policy 1
[FW-policy-interzone-local-untrust-outbound-1] policy service service-set ospf
[FW-policy-interzone-local-untrust-outbound-1] action permit
Run the display ospf peer command on the firewall and Router 1 to view the OSPF adjacency.
The following result may appear after several minutes, or we can run the reset ospf process
command to restart the OSPF process to see the results more quickly.
[FW] display ospf peer
OSPF Process 1 with Router ID 192.168.0.1
Neighbors
Area 0.0.0.1 interface 192.168.0.1(GigabitEthernet1/0/1)'s neighbors
Router ID: 192.168.0.2
Address: 192.168.0.2
State: Full Mode:Nbr is Slave Priority: 1
DR: 192.168.0.2 BDR: 192.168.0.1
Dead timer due in 32 sec
Retrans timer interval: 4
Neighbor is up for 00:00:51
Authentication Sequence: [ 0 ]
MTU: 0
[Router1] display ospf peer
OSPF Process 1 with Router ID 192.168.1.1
Neighbors
Area 0.0.0.1 interface 192.168.0.2(GigabitEthernet0/0/1)'s neighbors
Router ID: 192.168.0.1
Address: 192.168.0.1
GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: 192.168.0.1 BDR: 192.168.0.2 MTU: 0
Dead timer due in 32 sec
Neighbor is up for 00:00:00
Authentication Sequence: [ 0 ]
Neighbors
Area 0.0.0.1 interface 192.168.1.1(GigabitEthernet0/0/2)'s neighbors
Router ID: 192.168.1.2
Address: 192.168.1.2
GR State: Normal
45
Learn Firewalls with Dr. WoW
State: Full Mode:Nbr is Slave Priority: 1
DR: 192.168.1.2 BDR: 192.168.1.1 MTU: 0
Dead timer due in 32 sec
Neighbor is up for 01:35:43
Authentication Sequence: [ 0 ]
As the command output indicates, the OSPF adjacency has been established, and the firewall
has learned the OSPF route to network 192.168.1.0/24.
[FW] display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Public routing table : OSPF
Destinations : 2
Routes : 2
OSPF routing table status : <Active>
Destinations : 1
Routes : 1
Destination/Mask
Proto Pre Cost
192.168.1.0/24 OSPF
10
2
Flags NextHop
D
192.168.0.2
Interface
GigabitEthernet1/0/1
In conclusion, we need to configure a security policy between the security zone where the
OSPF-enabled interface resides and the Local zone to allow OSPF packets to pass, so that the
firewall can establish an OSPF adjacency with the connected device.
Actually, we can also consider this issue from the unicast and multicast packets' perspective.
For firewalls, unicast packets are controlled by security policies in most cases, and
therefore security policies must be configured to allow the packets to pass. Multicast
packets, however, are not controlled by security policies, and no additional security
policy needs to be configured.
Which OSPF packets are unicast packets and which are multicast packets? OSPF packet types
vary with network types, as listed in Table 2-1.
The ospf network-type command can be used to change the OSPF network type.
Table 2-1 OSPF network and packet types
Network
Type
Hello
Broadcast
Database
Link State
Link State
Link State
Description
Request
Update
Ack
Multicast
Unicast
Unicast
Multicast
Multicast
P2P
Multicast
Multicast
Multicast
Multicast
Multicast
NBMA
Unicast
Unicast
Unicast
Unicast
Unicast
P2MP
Multicast
Unicast
Unicast
Unicast
Unicast
As Table 2-1 indicates, when the network type is Broadcast, OSPF DD and LSR packets are
unicast, and security policies must be configured to allow the unicast packets to pass. When
the network type is P2P, all OSPF packets are multicast, and no additional security policy
needs to be configured. This security policy configuration principle also applies to the NBMA
46
Learn Firewalls with Dr. WoW
and P2MP network types. In real-world networks, if the OSPF status is abnormal on a firewall,
check whether security policies are absent for unicast OSPF packets.
In addition to OSPF packets, other services that firewalls need to process require security
policies in the Local zone to allow the packets to pass. In the next part, I will tell you how to
configure security policies for such services.
2.3.2 Which Protocols Require Security Policies Configured in the
Local Zone on Firewalls?
As shown in Figure 2-14, the USG2200/5000 series is used as an example. The firewall needs
to process locally generated or terminated packets in the the following scenarios: an
administrator logs in to the firewall, the firewall interconnects with an authentication server,
an Internet device or user establishes a VPN with the firewall, and the firewall runs OSPF to
communicate with a router.
GRE VPN, L2TP VPN, IPSec VPN, and SSL VPN will be described in the following chapters.
Figure 2-14 Common types of locally generated and terminated packets
DMZ
RADIUS server
172.16.0.2
Trust
Untrust
SSL VPN
172.16.0.1/24
GE0/0/3
192.168.0.2
Telnet/SSH/FTP/
HTTP/HTTPS
192.168.0.1/24
GE0/0/1
1.1.1.1/24
GE0/0/2
User
OSPF 1.1.1.2
Administrator
Firewall
GRE/L2TP/IPSec VPN
2.2.2.2
When configuring security policies for such services, we need to ensure normal service
operation and secure the firewall. Therefore, we must specify refined matching conditions for
the security policies. How to specify accurate matching conditions? We need to analyze
information such as the source addresses, destination addresses, and protocol types of the
services.
In Table 2-2, I provide matching conditions for services shown in Figure 2-14 for your
reference.
47
Learn Firewalls with Dr. WoW
Table 2-2 Setting matching conditions in security policies based on protocols or applications
Service
Telnet
Matching Conditions in Security Policies
Source
Zone
Destination
Zone
Source
Address
Destinatio
n Address
Application or Protocol +
Destination Port
Trust
Local
192.168.0.2
192.168.0.1
Telnet
Or TCP + port 23
SSH
Trust
Local
192.168.0.2
192.168.0.1
SSH
Or TCP + port 22
FTP
Trust
Local
192.168.0.2
192.168.0.1
FTP
Or TCP + port 21
HTTP
Trust
Local
192.168.0.2
192.168.0.1
HTTP
Or TCP + port 80
HTTPS
Trust
Local
192.168.0.2
192.168.0.1
HTTPS
Or TCP + port 443
RADIUS
Local
DMZ
172.16.0.1
172.16.0.2
RADIUS
Or UDP + port
1645/1646/1812/1813*
Sending OSPF
Local
negotiation packets
(outbound)
Untrust
1.1.1.1
1.1.1.2
OSPF
Receiving OSPF
Untrust
negotiation packets
(inbound)
Local
1.1.1.2
1.1.1.1
OSPF
Sending GRE
VPN tunnel
establishment
requests
(outbound)
Local
Untrust
1.1.1.1
2.2.2.2
GRE
Receiving GRE
VPN tunnel
establishment
requests (inbound)
Untrust
Local
2.2.2.2
1.1.1.1
GRE
Sending L2TP
VPN tunnel
establishment
requests
(outbound)
Local
Untrust
1.1.1.1
2.2.2.2
L2TP
Receiving L2TP
VPN tunnel
establishment
requests (inbound)
Untrust
Or UDP + port 1701
Local
2.2.2.2
1.1.1.1
L2TP
Or UDP + port 1701
48
Learn Firewalls with Dr. WoW
Service
Matching Conditions in Security Policies
Sending IPSec
VPN tunnel
establishment
requests
(outbound)
Local
Untrust
1.1.1.1**
2.2.2.2
Manual mode:
No configuration is required.
IKE mode (non-NAT
traversal environments):
UDP + port 500
IKE mode (NAT traversal
environments):
UDP + ports 500 and 4500
Receiving IPSec
VPN tunnel
establishment
requests (inbound)
Untrust
Local
2.2.2.2
1.1.1.1
Manual mode:
AH/ESP
IKE mode (non-NAT
traversal environments):
AH/ESP and UDP + port
500
IKE mode (NAT traversal
environments):
UDP + ports 500 and 4500
SSL VPN
Untrust
Local
ANY
1.1.1.1
Reliable mode:
UDP + port 443***
Fast mode:
UDP + port 443
*: The default port number is used here. For the actual port number, see the RADIUS server configuration.
**: In NAT traversal environments, the source and destination addresses may be public or private addresses,
depending on actual situations.
***: If the firewall supports both HTTPS and SSL VPN, configure the ports depending on actual situations.
In the preceding example that an administrator logs in to a USG2000/5000 through GE 0/0/1,
a security policy must be configured for the access from the Trust zone to the Local zone.
Actually, all firewall models provide default login methods, and administrators can log in to
the firewalls through specific ports without security policies. For details, see Table 2-3.
Table 2-3 Default login modes supported by firewalls
Model
Port
Login Mode
USG2100
LAN ports (GE0/0/0 through
GE0/0/7)
Telnet or HTTP
USG2200/5000
Management port (GE0/0/0)
Telnet or HTTP
USG6000
Management port (GE0/0/0)
HTTPS
USG9500
Management port (GE0/0/0)
HTTPS
49
Learn Firewalls with Dr. WoW
2.4 ASPF
After understanding security policies, you may think that security policies are configured once
for all to defend against all threats. However, some protocols, such as FTP, are more complex
than security policies can handle. In this case, we need the application-specific packet filter
(ASPF)
Now I'll use FTP as an example to introduce how ASPF works.
2.4.1 Helping FTP Data Packets Traverse Firewalls
First, I'll use the eNSP to simulate an FTP client accessing an FTP server, as shown in Figure
2-15. The FTP client and server directly connect to a firewall. The FTP client resides in the
Trust zone, and the FTP server is in the Untrust zone.
Figure 2-15 Networking for an FTP client to access an FTP server
Untrust
Trust
FTP client
192.168.0.1
FTP server
172.16.0.1
Firewall
How to configure a security policy to allow the FTP client to access the FTP server? You may
say: "It is easy. Configure a security policy to allow FTP packets from 192.168.0.1 in the
Trust zone to 172.16.0.1 in the Untrust zone."
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy
[FW-policy-interzone-trust-untrust-outbound-1] policy
[FW-policy-interzone-trust-untrust-outbound-1] policy
[FW-policy-interzone-trust-untrust-outbound-1] action
source 192.168.0.1 0
destination 172.16.0.1 0
service service-set ftp
permit
After the configuration, simulate the FTP client accessing the FTP server on the eNSP. The
access FAILS. Let's check the configuration. You can see that policy 1 was matched,
indicating that the configuration has taken effect.
[FW] display policy interzone trust untrust outbound
policy interzone trust untrust outbound
firewall default packet-filter is deny
policy 1 (1 times matched)
action
policy
policy
policy
permit
service service-set ftp (predefined)
source 192.168.0.1 0
destination 172.16.0.1 0
Let's check the session table. You can see that a session has been established on the firewall.
[FW] display firewall session table
Current Total Sessions : 1
ftp VPN:public --> public 192.168.0.1:2049-->172.16.0.1:21
50
Learn Firewalls with Dr. WoW
Everything seems OK. Then, why did the access fail?
Let's see the particular characteristics of FTP. FTP is a typical multi-channel protocol. The
FTP client and server establish two connections in between, namely, control and data
connections. The control connection communicates FTP commands and parameters including
information necessary for setting up the data connection. The data connection obtains
directories and transfers data.
FTP works in either active (PORT) or passive (PASV) mode, determined by the data
connection initiation mode. In active mode, the FTP server initiates a data connection to the
FTP client. In passive mode, the FTP server receives the data connection initiated from the
FTP client.
The working mode can be set on the FTP client. This example uses the active mode, as shown
in Figure 2-16.
Figure 2-16 Working mode setting on the FTP client
Let's look at the FTP interactive process in active mode, as shown in Figure 2-17.
51
Learn Firewalls with Dr. WoW
Figure 2-17 FTP interactive process in active mode
FTP client
FTP server
SYN
IP
Port
192.168.0.1
xxxx
SYN+ACK
IP
Port
172.16.0.1
21
ACK
TCP three-way
handshake for
control connection
……
Interact for the user
name/password
……
PORT Command (IP 192.168.0.1 Port yyyy)
PORT command
interaction for
control connection
PORT Command OK
SYN
IP
Port
192.168.0.1
yyyy
SYN+ACK
ACK
IP
Port
172.16.0.1
20
TCP three-way
handshake for
data connection
LIST Command
Transmit data
……
Control connection
Data connection
xxxx/yyyy
Random port
The process is described as follows:
2.
The FTP client initiates a control connection request from a random port xxxx to port 21
of the FTP server.
3.
The FTP client uses the PORT command to negotiate the port number with the server
for a data connection. Port yyyy is obtained.
4.
The FTP server initiates a data connection request to port yyyy of the FTP client.
5.
The FTP server sends data to the client after the data connection is established.
In the preceding example, we have configured only one security policy to allow the FTP client
to access the FTP server. That is, the control connection was established. When the firewall
received the packet from the FTP server to port yyyy of the FTP client, the firewall considered
the packet a new connection, not the subsequent packet of the previous connection. To allow
the packet to arrive at the FTP client, we must configure another security policy on the
firewall.
How to resolve this problem? Is that OK if we configure a security policy for packets from the
FTP server to the FTP client? But there is another problem. The port used for the data
connection is negotiated by the client and server and is therefore random. So we have to
enable all ports, and this operation brings security risks to the FTP client. It would be perfect
if the firewall could record the port and automatically configure a security policy to allow the
packets to pass from the FTP server to the FTP client.
Fortunately, firewall designers have considered this issue and introduced the Application
Specific Packet Filter (ASPF). As the name suggests, ASPF works on the application-layer
information of packets. Its working principle is to check the application-layer information of
52
Learn Firewalls with Dr. WoW
packets and record the key data in the application-layer information, so that the packets that
are not explicitly permitted in security policies can be forwarded.
Entries recording the key application-layer data are called server map entries. Once a packet
matches a server map entry, it is no longer controlled by any security policy. It's like enabling
an "invisible channel" on the firewall. Of course, this channel is not arbitrarily enabled.
Instead, the firewall allows the existence of such a channel only after analyzing the
application-layer information of packets to predict the behavior of subsequent packets.
What is the difference between the server map and session table? First, the session table
records the connection status of communicating parties. After generating a session for the first
packet of a connection, the firewall directly forwards subsequent packets of the session, and
the packets are no longer controlled by security policies. The server map records the
information obtained by analyzing the packets on existing connections. This information
indicates packet features, according to which the firewall predicts packet behavior.
Second, after receiving a packet, the firewall checks whether the packet matches the session
table. If so, the firewall forwards the packet. If not, the firewall checks whether the packet
matches the server map. If the packet matches the server map, it is no longer controlled by
security policies. Certainly, the firewall will generate a session for the packet.
Both the server map and session table are important for firewalls. They have different
functions and cannot replace each other.
In addition to ASPF, NAT can generate the server map, which will be detailed in chapter 4.
It is easy to enable ASPF. For example, enable ASPF for FTP in the Trust-Untrust interzone.
ASPF can also be enabled for FTP within a security zone.
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] detect ftp
Then, let's verify the access from the FTP client to the FTP server again. Run the display
firewall server-map command on the firewall to view the server-map entry recording the
FTP data connection.
[FW] display firewall server-map
server-map item(s)
-----------------------------------------------------------------------------ASPF, 172.16.0.1 -> 192.168.0.1:2052[any], Zone: --Protocol: tcp(Appro: ftp-data), Left-Time: 00:00:57, Addr-Pool: --VPN: public -> public
We can see that the firewall has generated a server-map entry. The packet from the FTP server
to the FTP client matched this entry and has been forwarded. In this manner, no security
policy is required for this packet. This server-map does not permanently exist. It will be
deleted after it expires. This means that the "invisible channel" is not permanently enabled,
improving security.
View the session table on the firewall. The command output shows that the FTP server has
established a data connection with the FTP client.
[FW] display firewall session table
Current Total Sessions : 2
ftp VPN:public --> public 192.168.0.1:2051+->172.16.0.1:21
ftp-data VPN:public --> public 172.16.0.1:20-->192.168.0.1:2052
53
Learn Firewalls with Dr. WoW
Figure 2-18 shows the ASPF processing for FTP. After ASPF is enabled, the firewall
generates a server map in the FTP control connection, so that the FTP data connection can be
established.
Figure 2-18 ASPF processing for FTP
Firewall
FTP client
IP
Port
192.168.0.1
xxxx
SYN
SYN
SYN+ACK
SYN+ACK
ACK
Interact for the user
name and password
……
Create
server-map
SYN
PORT Command (IP 192.168.0.1 Port yyyy)
PORT command
interaction for
control connection
PORT Command OK
PORT Command OK
192.168.0.1
yyyy
TCP three-way
handshake for
control connection
……
Interact for the user
name and password
……
PORT Command (IP 192.168.0.1 Port yyyy)
IP 172.16.0.1
Port
21
ACK
……
IP
Port
FTP server
Match
server-map
SYN
SYN+ACK
SYN+ACK
ACK
ACK
LIST Command
LIST Command
Transmit data
Transmit data
……
……
IP 172.16.0.1
Port
20
TCP three-way
handshake for
data connection
Control connection
Data connection
xxxx/yyyy Random port
In conclusion, ASPF dynamically generates server-map entries based on the application-layer
information in packets, simplifying security policy configuration and improving security.
ASPF can be considered a firewall traversal technique. Server-map entries "open" a channel
on the firewall, so that subsequent packets of multi-channel protocols, such as FTP, traverse
the firewall through the channel without being controlled by security policies.
In addition to FTP, firewalls support ASPF for other multi-channel protocols, such as the
Session Initiation Protocol (SIP), H.323, and Media Gateway Control Protocol (MGCP). To
check whether a firewall model supports ASPF for a specific protocol, see the product
documentation of the firewall model.
2.4.2 Helping QQ/MSN Packets Traverse Firewalls
Firewalls also support ASPF for common instant messaging protocols, such as Tencent QQ
and Microsoft Service Network (MSN) Messenger. The implementation process differs from
that for FTP. Let me introduce APSF for QQ and MSN for you.
Generally, text QQ/MSN messages are relayed by a QQ or MSN server. However, audio and
video messages are not relayed through a server. Instead, the communicating parties establish
a connection to transmit such messages because they consume a lot of resources, as shown in
Figure 2-19.
54
Learn Firewalls with Dr. WoW
Figure 2-19 Networking for transmitting QQ/MSN messages
Trust
Untrust
QQ/MSN server
QQ/MSN client
192.168.0.1
Firewall
QQ/MSN client
Text message
Audio/Video message
In most cases, we configure only the security policy for the Trust-Untrust interzone on a
firewall to allow QQ/MSN clients on an intranet to access the Internet. Due to the lack of the
security policy for the Untrust-Trust interzone, QQ/MSN clients on the Internet cannot initiate
audio/video connection requests to the intranet.
QQ is used as an example. To allow QQ clients on the Internet to access the QQ server on an
intranet, ASPF generates the following server-map entry (This entry is only an example. The
actual entry should contain address translation information.):
Type: STUN, ANY -> 192.168.0.1:53346, Zone:--Protocol: udp(Appro: qq-derived), Left-Time:00:05:45, Pool: ---,
Vpn: public -> public
In the entry, the source address is ANY, indicating that any user can initiate connection
requests to port 53346 at 192.168.0.1, and the firewall allows the requests to pass. The entry
contains the destination address (192.168.0.1), destination port (53346), and protocol type
(udp), which are considered a triplet for server-map entries.
The entry type is Simple Traversal of UDP Through Network Address Translators (STUN). QQ, MSN,
and user-defined server-map entries, which will be described in the following part, are all of the STUN
type. STUN will be described in section 4.7 "NAT ALG."
The command for enabling ASPF for QQ and MSN is similar to that for FTP. Enable ASPF
for QQ and MSN in the Trust-Untrust interzone.
ASPF can also be enabled for QQ and MSN within a security zone.
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] detect qq
[FW-interzone-trust-untrust] detect msn
2.4.3 Helping User-Defined Protocol Packets Traverse Firewalls
For applications beyond the supported application scope of the detect command, firewalls
provide ASPF for user-defined protocols. We can define an ACL to identify the packets of an
55
Learn Firewalls with Dr. WoW
application, given that the protocol used by the application is understood. ASPF automatically
establishes a triplet server-map entry for the application on a firewall, so that the packets of
the application can pass the firewall. Note that precise ACL rules are preferred to minimize
the adverse impact on other services.
Currently, the most typical application is the Trivial File Transfer Protocol (TFTP), as shown
in Figure 2-20.
Figure 2-20 Networking for TFTP
Trust
Untrust
TFTP client
192.168.0.1
TFTP server
Firewall
The TFTP control and data connections share the TFTP client port number. After the TFTP
client initiates an access request to the TFTP server, ASPF generates the following server-map
entry:
Type: STUN, ANY -> 192.168.0.1:55199, Zone:--Protocol: udp(Appro: stun-derived), Left-Time:00:04:52, Pool: ---,
Vpn: public -> public
In this entry, 192.168.0.1 is the TFTP client IP address, and 55199 is the port opened on the
TFTP client. The TFTP client also uses this port number to access the TFTP server. Before
this server-map entry expires, the TFTP client at any address can initiate connection requests
to port 55199 at 192.168.0.1, ensuring that TFTP packets can pass through the firewall.
Similarly, it is not difficult to enable ASPF for user-defined protocols. The support condition
and command syntax vary with firewall models. See the product documentation for details.
[FW] acl 3000
[FW-acl-adv-3000] rule permit ip source 192.168.0.1 0
[FW-acl-adv-3000] quit
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] detect user-defined 3000 outbound
For QQ, MSN, and user-defined protocols, although triplet server-map entries generated by
ASPF ensure the normal running of the services, this mechanism brings risks because the
ports have been enabled for access and packets matching the server-map entries are no longer
controlled by security policies.
To reduce the risks, firewalls provide ASPF-specific security policies (packet filtering) to
filter the packets matching triplet server-map entries for refined access control. For example,
after the previous triplet server-map entry is generated, configure the following ACL to allow
only the matching packets from 192.168.0.1 to 172.16.0.1 to pass.
[FW] acl 3001
[FW-acl-adv-3001] rule permit ip source 192.168.0.1 0 destination 172.16.0.1 0
[FW-acl-adv-3001] quit
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] aspf packet-filter 3001 outbound
56
Learn Firewalls with Dr. WoW
Upon the preceding description, we find that ASPF generates server-map entries for
multi-channel protocols (such as FTP), QQ, MSN, and user-defined protocols to allow the
packets of these protocols traverse firewalls.
In addition, ASPF on firewalls can block Java and ActiveX plug-ins in HTTP. These plug-ins
provided by HTTP may be made into Trojan horses and viruses to compromise hosts in
intranets. Generally, Java and ActiveX plug-ins are transmitted in HTTP payloads. If firewalls
check only HTTP headers, they cannot identify the plug-ins. In this case, ASPF must be used
to check HTTP payloads to block Java and ActiveX plug-ins.
To block HTTP plug-ins, run the detect activex-blocking and detect java-blocking
commands in a security zone or an interzone. The support condition and command syntax
vary with firewall models. See the product documentation for details.
2.5 Configuration Precautions and Troubleshooting Guide
2.5.1 Security Policy
In real-world networks, inappropriate security policies often result in service interruptions.
The display firewall statistic system discard command can display statistics on packets
discarded by firewalls. By analyzing the command output, we can determine whether the
packets are discarded due to security policies. For example:
[FW] display firewall statistic system discard
Packets discarded statistic
Total packets discarded:
ACL deny packets discarded:
Default deny packets discarded:
10
5
5
In the command output, the value of "ACL deny packets discarded" indicates the number of
packets discarded due to security policies; the value of "Default deny packets discarded"
indicates the number of packets discarded due to implicit packet filtering. If statistics on
discarded packets contain the preceding information, and we need to troubleshoot security
policies.
First, check the matching conditions in security policies. If the matching conditions are
incorrect, packets cannot match the security policies, and therefore firewalls cannot take the
predefined actions on the packets. After a security policy is configured on a firewall, if the
firewall does not process packets in the expected way, we must check the security policy
configuration.
[FW] display policy interzone trust untrust outbound
policy interzone trust untrust outbound
firewall default packet-filter is deny
policy 1 (0 times matched)
action
policy
policy
policy
permit
service service-set http (predefined)
source 192.168.0.1 0
destination 172.16.0.1 0
In the preceding command output, 0 packets matched policy 1. If the corresponding interface
has been added to the correct security zone, we should check whether the conditions in the
policy are correct.
57
Learn Firewalls with Dr. WoW
Second, if multiple security policies are configured in an interzone, pay attention to their
matching sequence. In the following example, two security policies are configured in the
Trust-Untrust interzone.
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy
[FW-policy-interzone-trust-untrust-outbound-1] policy
0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-1] action
[FW-policy-interzone-trust-untrust-outbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] policy 2
[FW-policy-interzone-trust-untrust-outbound-2] policy
[FW-policy-interzone-trust-untrust-outbound-2] action
[FW-policy-interzone-trust-untrust-outbound-2] quit
source 192.168.0.0 0.0.0.255
destination 172.16.0.0
permit
source 192.168.0.100 0
deny
As the source address scope in policy 1 covers that in policy 2, packets from 192.168.0.100
always match policy 1 and pass through the firewall. The action deny defined in policy 2 for
packets from 192.168.0.100 will never be taken.
To resolve this problem, we can run the following command to put policy 2 before policy 1.
[FW-policy-interzone-trust-untrust-outbound] policy move 2 before 1
Then, packets from 192.168.0.100 first match policy 2 and are denied by the firewall.
#
policy interzone trust untrust outbound
policy 2
action deny
policy source 192.168.0.100 0
policy 1
action permit
policy source 192.168.0.0 0.0.0.255
policy destination 172.16.0.0 0.0.0.255
#
It is difficult to specify accurate matching conditions for security policies. Loose matching
conditions bring security risks, while strict matching conditions may cause some packets not
to match policies, affecting services. Here, I want to introduce a general configuration
roadmap for you: First, set the action for the implicit packet filtering to "permit" to
debug services, ensuring normal service operation. Then, view the session table and
configure security policies with information recorded in the session table being matching
conditions. At last, restore the default implicit packet filtering configuration to debug
services again, verifying the effect of the security policy.
When the action for the implicit packet filtering is permit, the firewall allows all unmatched
packets to pass, exposing the firewall to risks. Therefore, using this setting only for debugging.
After service debugging, you must restore the default implicit packet filtering configuration.
That is, set the action to deny.
Let's look at two examples. Figure 2-21 shows the networking for the first example. A PC and
a Web server directly connect to a firewall. The PC resides in the Trust zone, and the Web
server resides in the Untrust zone. The PC needs to access the Web server.
58
Learn Firewalls with Dr. WoW
Figure 2-21 Networking for a PC to access a Web server
Untrust
Trust
PC
192.168.0.1
Web server
172.16.0.1
Firewall
At the beginning, we do not know the exact matching condition. So, set the action to permit
for the implicit packet filtering in the Trust-Untrust interzone and enter y when the following
message is displayed.
[FW] firewall packet-filter default permit interzone trust untrust direction outbound
Warning: Setting the default packet filtering to permit poses security risks. You are
advised to configure the security policy based on the actual data flows. Are you sure
you want to continue?[Y/N] y
At this time, the firewall allows all unmatched packets to pass from the Trust zone to the
Untrust zone. Use the PC to access the Web server. After the access succeeds, view the
session table on the firewall.
[FW] display firewall session table verbose
Current Total Sessions : 1
http VPN:public --> public
Zone: trust--> untrust TTL: 00:00:10 Left: 00:00:07
Interface: GigabitEthernet0/0/1 NextHop: 172.16.0.1 MAC: 54-89-98-c0-15-c5
<--packets:4 bytes:465
-->packets:7 bytes:455
192.168.0.1:2052-->172.16.0.1:80
A session has been generated for the connection from the PC to the Web server. Then,
configure the following security policy:
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy
[FW-policy-interzone-trust-untrust-outbound-1] policy
[FW-policy-interzone-trust-untrust-outbound-1] policy
[FW-policy-interzone-trust-untrust-outbound-1] action
[FW-policy-interzone-trust-untrust-outbound-1] quit
source 192.168.0.1 0
destination 172.16.0.1 0
service service-set http
permit
At last, set the action back to deny for the implicit packet filtering. The security policy
configuration is complete.
[FW] firewall packet-filter default deny interzone trust untrust direction outbound
Figure 2-22 shows the networking for the second example. A PC in the Trust zone directly
connects to a firewall. An administrator needs to log in to the firewall through Telnet from the
PC.
59
Learn Firewalls with Dr. WoW
Figure 2-22 Networking for an administrator to log in to a firewall through Telnet from a PC
Trust
Local
PC
192.168.0.1
Firewall
First, set the action for the implicit packet filtering in the Trust-Local interzone to permit.
When the following message is displayed, enter y.
[FW] firewall packet-filter default permit interzone trust local direction inbound
Warning: Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Are
you sure you want to continue?[Y/N] y
Use Telnet to log in to the firewall from the PC. After the login succeeds, view the session
table on the firewall.
[FW] display firewall session table verbose
Current Total Sessions : 1
telnet VPN:public --> public
Zone: trust--> local TTL: 00:10:00 Left: 00:09:55
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:6 bytes:325
-->packets:8 bytes:415
192.168.0.1:2053-->192.168.0.2:23
Then, configure the following security policy based on the preceding session:
[FW] policy interzone local trust inbound
[FW-policy-interzone-local-trust-inbound] policy 1
[FW-policy-interzone-local-trust-inbound-1] policy
[FW-policy-interzone-local-trust-inbound-1] policy
[FW-policy-interzone-local-trust-inbound-1] policy
[FW-policy-interzone-local-trust-inbound-1] action
source 192.168.0.1 0
destination 192.168.0.2 0
service service-set telnet
permit
At last, set the action back to deny for the implicit packet filtering. The security policy
configuration is complete.
[FW] firewall packet-filter default deny interzone trust local direction inbound
I hope that these two examples help you understand the configuration roadmap, so that you
can configure accurate matching conditions in real-world networks.
2.5.2 ASPF
ASPF determines whether firewalls can properly forward the packets of special protocols.
When FTP is used on a network, check whether ASPF is enabled. The USG2000/5000 series
firewalls are used as an example. Table 2-4 lists the protocols for which ASPF can be enabled.
For the support conditions of other firewall models, see the product documentation of the
firewall model.
60
Learn Firewalls with Dr. WoW
Table 2-4 Protocols for which ASPF can be enabled on the USG2000/5000
Location
Protocol
Interzone
DNS, FTP, H.323, ICQ, ILS, MGCP, MMS, MSN, NETBOIS,
PPTP, QQ, RTSP, SIP, and SQLNET
Zone
DNS, FTP, H.323, ILS, MGCP, MMS, MSN, NETBOIS, PPTP,
QQ, RTSP, SIP, and SQLNET
Run the display interzone command to check whether ASPF has been enabled in an
interzone. For example:
[FW] display interzone
interzone trust untrust
detect ftp
#
The command output shows that ASPF has been enabled for FTP in the Trust-Untrust
interzone. Run the display zone command to check whether ASPF has been enabled in a zone.
For example:
[FW] display zone
local
priority is 100
#
trust
priority is 85
detect qq
interface of the zone is (1):
GigabitEthernet0/0/1
#
untrust
priority is 5
interface of the zone is (0):
#
dmz
priority is 50
interface of the zone is (0):
#
The command output shows that ASPF has been enabled for QQ in the Trust zone.
If ASPF for a user-defined protocol does not take effect, run the display firewall server-map
command to check whether the corresponding server-map entry has been generated. For
example:
[FW] display firewall server-map
server-map item(s)
-----------------------------------------------------------------------------Type: STUN, ANY -> 192.168.0.1:55199, Zone:--Protocol: udp(Appro: stun-derived), Left-Time:00:04:52, Pool: ---,
Vpn: public -> public
The command output shows that the server-map entry has been generated. If the server-map
entry does not exist, check whether ACL rules are correctly configured and whether packets
can match the ACL rules. If the ACL is incorrect, reconfigure it.
61
Learn Firewalls with Dr. WoW
62
Learn Firewalls with Dr. WoW
3
Attack Defense
3.1 DoS Attack
In the previous two chapters, we have learned that the major function of a firewall is to
protect a particular network from attacks of an untrusted network. In this chapter, we will
learn the common single-packet, traffic-based, and application-layer attacks and the defensive
measures of the firewall.
First, let's look back to the recent evolution of attacks. In the 1990s, the Internet was growing
fast, and so were attacks, which had gone from labs to the Internet. However, a fox can be
out-foxed. Although attack techniques are involving, so are defense measures, as shown in
Figure 3-1.
Figure 3-1 Evolution of attack and defense techniques
1996
2008
2000
Scanning & overflow
Network-layer attacks HTTP application attacks
attacks
2011
Upgraded HTTP/HTTPS
application attacks
2012
DDoS attacks on mobile
applications
Attacks Evolve
DoS attacks
Defense Keeps Up
Malformed packet
filtering
DDoS attacks with
fake source addresses
Transport layer
source
authentication
Attacks with
real source
addresses
Application layer
source
authentication
1 HTTPS encrypted attacks
2 Low-and-slow Web application
attacks
1 IP reputation of botnet
2 Session monitoring
3 IP reputation of local service
addresses
Pretend to be smart
devices
1 Behavior analysis
2 IP reputation of botnet
3 IP reputation of local service
addresses
When we talk about "network attacks", we can never forget to mention denial of service (DoS)
attacks. As the name suggests, the purpose of a DoS attack is to make the target computer or
network unable to provide normal services.
Then what does "denial of service" really mean? Let's say there is a diner on the street
providing meals, but some villains often make trouble in the diner, such as occupying dining
tables, blocking the door, or harassing waiters, waitresses, or chefs so that customers cannot
enjoy the flood of the diner. This is "denial of service."
63
Learn Firewalls with Dr. WoW
The computers and servers on the Internet are like the diners and provide resources and
services. Attackers can exhaust the resource of the computers and servers or the bandwidth of
the links to them to launch a DoS attack.
3.2 Single-Packet Attack and Defense
Single-packet attack is a common DoS attack and is usually launched by individuals using
simple attack packets. Such attacks may cause severe impacts, but can be easily prevented if
we know the attack signature.
We divide single-packet attacks into three types, as shown in Figure 3-2.
Figure 3-2 Types of single-packet attacks
Single-Packet Attacks
Malformed packet
attacks
·
·
·
·
·
·
·
·
·
Smurf
LAND
Fraggle
Attacks using IP
fragments
IP spoofing
Ping of Death
Attacks using TCP
flags
Teardrop
WinNuke
Scanning attacks
·
·
IP scanning
Port scanning
·
·
·
·
·
·
·
Attacks using special
control packets
Oversized ICMP packets
Attacks using ICMP
redirects
Attacks using ICMP
unreachable packets
Attacks using packets
with record route option
Attacks using packets
with source route
Attacks using Tracert
packets
Attacks using packets
with timestamp
Malformed packet attack: Attackers send malformed packets. The target systems may
crash if they cannot process such packets.
Scanning attack: To be accurate, scanning attacks are not really attacks, but
reconnaissance activities for attacks.
Attacks using special control messages: To be accurate, such attacks are not really
attacks, but reconnaissance activities for attacks. They use special control messages to
probe network structures.
Preventing single-packet attacks is a basic function of firewalls. All Huawei firewalls support
this function. Now let's see how Huawei firewalls prevent typical single-packet attacks.
3.2.1 Ping of Death Attack and Defense
The length field of an IP packet has 16 bits, which means that the maximum length of this IP
packet is 65535 bytes. Some old versions of operating systems have restrictions on packet size.
If a packet is larger than 65535 bytes, memory allocation error occurs, and the receiving
64
Learn Firewalls with Dr. WoW
system crashes. The ping of death attack is launched by sending packets larger than 65535
bytes to target hosts to crash them.
To prevent such attacks, the firewall checks the size of packets. If a packet is larger than
65535 bytes, the firewall considers it an attack packet and discards it.
3.2.2 LAND Attack and Defense
In a local area network denial (LAND) attack, the attacker sends spoofed TCP packets with
the target host's IP address as both the source and destination. This causes the victim to reply
to itself continuously to exhaust its system resources.
To prevent LAND attacks, firewalls check the source and destination addresses of TCP
packets and discard the packets if the source and destination addresses are the same or the
source addresses are loopback addresses.
3.2.3 IP Scanning
An attacker uses ICMP packets (such as ping or Tracert commands) or TCP/UDP packets to
initiate connections to certain IP addresses to check whether the targets reply. In this way, the
attacker can determine whether these hosts are live on the network.
IP scanning does not have direct impacts, but is a reconnaissance method that gathers
information for later attacks. However, firewalls will not ignore IP scanning.
Firewalls inspect TCP, UDP, and ICMP packets. If the destination address of a packet sent
from a source address is different from that of the previous packet, the exception count will
increase by 1. When the exception count reaches the predefined threshold, the firewalls
consider that the source IP address is performing an IP scanning. Then, the firewalls blacklist
the source IP address and discard subsequent packets from the source.
From these single-packet attacks and the defense mechanisms, we can see that single-packet
attacks demonstrate noticeable patterns. Therefore, we can prevent these attacks as long as we
identify their patterns.
3.2.4 Recommended Configurations for Preventing Single-Packet
Attacks
Firewalls have a lot of defense functions to prevent single-packet attacks. However, in real
networks, which functions should be enabled and which should not? This question must have
been bugging us for a long time. To tackle this, some recommended configurations are
provided as follows:
As shown in Figure 3-3, the recommended configurations allow firewalls to prevent
single-packet attacks without compromising performance in real-world networks. The
scanning attack defense functions are resource-intensive. Therefore, you are advised to enable
these functions only when scanning attacks occur.
65
Learn Firewalls with Dr. WoW
Figure 3-3 Recommended configurations for preventing single-packet attacks
Enable
·
·
·
·
·
·
·
Smurf attack defense
LAND attack defense
Fraggle attack defense
Ping of Death attack defense
WinNuke attack defense
Defense against attacks using
packets with source route
Defense against attacks using
packets with timestamp
Disable
·
·
·
IP scanning attack defense
Port scanning attack
defense
Teardrop attack defense
Table 3-1 lists the commands to enable defense functions on USG9500 V300R001, for
example, to prevent common single-packet attacks.
Table 3-1 Commands for enabling defense functions against single-packet attacks
Function
Command
Enable Smurf attack defense.
firewall defend smurf enable
Enable LAND attack defense.
firewall defend land enable
Enable Fraggle attack defense.
firewall defend fraggle enable
Enable WinNuke attack defense.
firewall defend winnuke enable
Enable ping of death attack defense.
firewall defend ping-of-death enable
Enable defense against attacks launched
through IP packets with the timestamp
option set.
firewall defend time-stamp enable
Enable defense against attacks launched
through IP packets with the record route
option set.
firewall defend route-record enable
Actually, single-packet attacks are only a small fraction of network attacks. The most
common and troublesome network attacks are traffic-based attacks (such as SYN and UDP
floods) and application-layer (such as HTTP and DNS floods) attacks, which will be
described in the following sections.
3.3 SYN Flood Attack and Defense
In the past, a major obstacle facing attackers is insufficient bandwidth, which prevents
attackers from sending requests in a large number. Although such attacks like ping of death
can crash an unpatched operating system using a small number of packets, most DoS attacks
require a large amount of traffic to crash the victims, which cannot be done by a single
attacker. That is when distributed denial of service (DDoS) attacks have emerged.
DDoS attackers control massive zombie hosts to send a large number of grafted attack packets
to the target. As a result, links are congested and system resources are exhausted on the
66
Learn Firewalls with Dr. WoW
attacked network, making the victim unable to respond to legitimate users, as shown in Figure
3-4.
Figure 3-4 DDoS attack
Attacker
Zombie hosts
Attack target
Zombie hosts
Control traffic
Attack traffic
When we talk about DDoS attacks, the first that comes to mind is SYN flood. SYN flood is a
highly technical attack and has been a major DDoS attack for quite a long time. The special
aspect of SYN flood is that it is difficult to prevent based on the features of a single packet or
traffic statistics because it is too "real" and "commonplace."
SYN floods have powerful variation capabilities and have not fallen into oblivion these years
thanks to the "excellent genes":
Each packet looks like "real" and is not malformed.
The attack cost is low, and a small overhead can be used to launch massive attacks.
During the 2014 Chinese New Year, an IDC experienced three rounds of attacks consecutively
within days, and the longest attack lasted three hours and created a burst traffic volume of 160
Gbit/s. Based on the target and attack type analysis, it could be concluded that the attacks
were well coordinated by hacker groups to attack the same target. The analysis of the captured
packets showed that the major attack method was SYN flood.
According to a security operation report in 2013, DDoS attacks are increasing each year, and
SYN flood attacks account for 31% of DDoS attacks in 2013.
Obviously, SYN flood attacks are still rampant nowadays. Know yourself and know your
enemy, you will never be defeated. Let's take a look at the attack mechanism of SYN floods.
67
Learn Firewalls with Dr. WoW
3.3.1 Attack Mechanism
As the name suggests, SYN flood attack is related to the SYN message of TCP. Therefore,
let's review the TCP three-way handshake process, as shown in Figure 3-5.
Figure 3-5 TCP three-way handshake
Server
Client
SYN
Three-way
handshake
SYN+ACK
ACK
Data transmission
……
1.
First handshake: The client sends a SYN (synchronize) message to the server.
2.
Second handshake: After receiving the SYN message from the client, the server replies
with a SYN+ACK message, indicating that the request sent by the client is accepted. In
addition, the server sets the acknowledgment number in the SYN+ACK message to the
client's ISN plus 1.
3.
Third handshake: After receiving the SYN+ACK message from the server, the client
sends an ACK message to the server to complete the three-way handshake.
If the client becomes faulty after sending the SYN message, the server will not receive the
ACK message after sending the SYN+ACK message. In this case, the three-way handshake
cannot be completed. In this situation, the server usually retransmits the SYN+ACK message
and waits for a period of time. If the server cannot receive an ACK message from the client
within the specified period of time, the incomplete connection is removed.
An attacker can take advantage of the TCP three-way handshake mechanism to launch SYN
flood attacks. As shown in Figure 3-6, the attacker sends the target server a large number of
SYN messages, whose source IP addresses do not exist or are unreachable. Therefore, after
the server replies with SYN+ACK messages, the server will receive no ACK message,
causing a large number of half-open connections. These half-open connections exhaust server
resources and make the server unable to respond to legitimate requests.
68
Learn Firewalls with Dr. WoW
Figure 3-6 SYN flood attacks
Attacker
Forged packet
Target server
SYN
SYN+ACK
?
Forged packet
SYN
SYN+ACK
?
Forged packet
SYN+ACK
……
?
SYN
The firewalls usually use TCP proxy or TCP source authentication to defend against SYN
flood attacks.
3.3.2 TCP Proxy
The firewall can be deployed between the client and server as a TCP proxy to establish a
three-way handshake with the client on behalf of the server and relay the TCP connection to
the server if the three-way handshake is complete.
As shown in Figure 3-7, the firewall collects statistics on SYN packets. If the number of SYN
packets destined to a destination reaches the preset threshold during a specified period of time,
the TCP proxy is triggered.
After TCP proxy is enabled, the firewall will return a SYN+ACK message on behalf of the
server upon receiving a SYN message from a client. If the client fails to return an ACK
message, thee firewall considers the SYN message abnormal, and maintains the half-open
connection until the half-open connection expires. If the client returns an ACK message, the
firewall considers the SYN message normal and establishes a three-way handshake with the
client. Subsequent TCP packets from the client will be sent to the server. The TCP proxy
process is transparent to both the client and server.
69
Learn Firewalls with Dr. WoW
Figure 3-7 TCP proxy
Attacker
Forged packet
Firewall
Target server
SYN
SYN+ACK
?
Forged packet
SYN
SYN+ACK
……
?
TCP proxy is triggered when the rate
of SYN packets destined to a
destination during a period of time
reaches the specified threshold.
Forged packet
SYN
SYN+ACK
?
……
Legitimate client
ACK
After the client passes the authentication, the
three-way handshake between the client and
firewall is completed.
SYN
SYN+ACK
ACK
The three-way handshake
between the firewall and
the server is completed.
Subsequent packets are
sent to the server.
During the TCP proxying, the firewall proxies and responds to each SYN message received
and maintains half-open connections. Therefore, if a large number of SYN messages are sent
to the firewall, the firewall must have high performance to handle them. In TCP proxying, the
firewall is using its own resource to handle half-open connections. Firewalls usually have
higher performance than servers. Therefore, firewalls can handle the resource intensive
attacks.
However, when the forward and return paths are different, TCP proxy cannot be used because
the packets destined from the client to the server pass through the firewall, but the packets
70
Learn Firewalls with Dr. WoW
destined from the server to the client do not. Therefore, the SYN+ACK message returned by
the server to the client does not pass through the firewall during the three-way handshake.
In this case, TCP proxy cannot be used to prevent SYN flood. However, different forward and
return paths are common scenarios. How can we prevent SYN flood attacks in these
scenarios?
Don't worry. We have another measure: TCP source authentication.
3.3.3 TCP Source Authentication
TCP source authentication can prevent SYN flood attacks when forward and return paths are
different. Therefore, compared with TCP proxy, TCP source authentication is more widely
used.
As shown in Figure 3-8, the firewall collects statistics on SYN packets. If the number of SYN
packets destined to a destination reaches the preset threshold during a specified period of time,
TCP source authentication is triggered.
After TCP source authentication is enabled, the firewall will reply with a SYN+ACK message
that carries an incorrect acknowledge number upon receiving a SYN message from the client.
If the firewall does not receive a RST message from the client, the firewall considers the SYN
message abnormal and determines that the source address is a fake address. If the firewall
receives a RST message, the firewall considers the SYN message normal and determines that
the source address is real. Then, the firewall whitelists the source address and considers all
packets from the client legitimate until the whitelist entry expires.
71
Learn Firewalls with Dr. WoW
Figure 3-8 TCP source authentication
Firewall
Attacker
Forged packet
SYN
SYN+ACK
?
Forged packet
Forged packet
?
SYN
SYN+ACK
……
?
Target server
TCP source authentication is triggered if
the rate of SYN packets destined to a
destination reaches the preset threshold
during a specified period of time.
SYN
Replies with a SYN+ACK
packet with an incorrect
acknowledge number.
……
Legitimate client
SYN
Replies with a SYN+ACK
packet with an incorrect
acknowledge number.
RST
The client passes the
authentication and is
whitelisted.
SYN
The source IP address matches
the whitelist and is trusted.
In TCP source authentication, the source client is whitelisted once the client passes the
authentication, and authentication is not performed on subsequent SYN messages sent by this
source. This implementation greatly improves the defense efficiency and performance and
minimizes the resource consumption.
72
Learn Firewalls with Dr. WoW
3.3.4 Commands
Table 3-2 lists the TCP proxy and TCP source authentication configuration commands on
USG9500 V300R001, for example.
Table 3-2 TCP proxy and TCP source authentication configuration commands
Function
Command
Enable SYN flood attack
defense.
firewall defend syn-flood enable
Configure interface-based
TCP proxy.
firewall defend syn-flood interface { interface-type
interface-number | all } [ alert-rate alert-rate-number ]
[ max-rate max-rate-number ] [ tcp-proxy { auto | on } ]
Enable IP address-based
TCP proxy.
firewall defend syn-flood ip ip-address [ max-rate
max-rate-number ] [ tcp-proxy { auto | on | off } ]
Enable security zone-based
TCP proxy.
firewall defend syn-flood zone zone-name [ max-rate
max-rate-number ] [ tcp-proxy { auto | on | off } ]
Configure TCP
authentication.
firewall source-ip detect interface { interface-type
interface-number | all } [ alert-rate alert-rate-number ]
[ max-rate max-rate-number ]
source
3.3.5 Threshold Configuration Guide
In this section, we will learn some tips for configuring flood attack alarm thresholds.
Alarm thresholds are tricky. If they are too high, attacks may not be detected in time; if they
are too low, legitimate packets may be considered attack packets and discarded.
The traffic patterns vary with networks. Therefore, before configuring these thresholds, you
must learn the types and patterns of the traffic on your network in normal situations. These
benchmarks can be based on your experience or statistics for a period of time.
For example, if you want to configure an alarm threshold to prevent SYN flood attacks, you
must roughly know the peak rate of SYN packets on your network in normal situations. The
SYN flood attack defense threshold is usually 1.2 to 2 times that peak rate. After the threshold
is configured, you need to monitor your network for the next days to check whether the
threshold interrupts normal services. If the threshold interrupts normal services, increase the
value of the threshold.
These configuration tips apply to the thresholds for preventing the following attacks, such as
UDP, DNS, and HTTP flood attacks.
3.4 UDP Flood Attack and Defense
Let's review the UDP protocol before moving on to UDP flood attacks. As we know, TCP is a
connection-oriented protocol, but UDP is a connectionless protocol. No connection is set up
between the client and server before data transmission. If packet loss occurs during the data
transmission from the client to the server, UDP cannot detect the packet loss or send any error
message. Therefore, UDP is usually considered an unreliable transmission protocol.
73
Learn Firewalls with Dr. WoW
Then why should we use an unreliable protocol like UDP? Is UDP useless?
Yes. UDP could be very useful in some scenarios. The biggest advantage of UDP over TCP is
speed. TCP provides some security and reliability mechanisms, but at the cost of high
overhead and slow transmission speed. In contrast, UDP leaves these mechanisms to
higher-layer protocols to achieve high transmission speed.
However, UDP can be exploited by hackers to launch UDP flood attacks. UDP flood attacks
are high-bandwidth attacks. In UDP flood attacks, attackers use zombies to send a large
number of oversized UDP packets to target servers at high speed, bringing the following
impacts:
Network bandwidth resources are exhausted, and links are congested.
The large numbers of UDP attack packets with changing source IP addresses or ports
compromise the performance of session-based forwarding devices or even crash the
network to cause a DoS.
Firewalls cannot prevent UDP flood attacks as they do to SYN flood attacks because UDP is
connectionless and source authentication cannot be used. The, how do firewalls prevent UDP
flood attacks?
3.4.1 Rate Limiting
A simple way to prevent UDP flood attacks is rate limiting. The rate limiting types are
described as follows:
Incoming interface-based rate limiting: Limit the rate of an incoming interface and
discard excess UDP packets.
Destination address-based rate limiting: Limit the rate of a destination address and
discard excess UDP packets.
Destination security zone-based rate limiting: Limit the rate of a destination security
zone and discard excess UDP packets.
Session-based rate limiting: Collect the statistics on UDP packets of each UDP session.
If the rate of UDP packets reaches the alarm threshold, the session is locked and
subsequent UDP packets matching the session are discarded. If no traffic matches the
session in three or more consecutive seconds, the firewall unlocks the session and
subsequent packets matching the session are permitted.
3.4.2 Fingerprint Learning
Rate limiting is effective to protect bandwidth, but may interrupt normal services. To resolve
this problem, the firewalls also support fingerprint learning to prevent UDP flood attacks.
As shown in Figure 3-9, fingerprint learning is to check whether the payloads in UDP packets
sent from the client to the server are identical to determine whether the packets are normal.
Firewalls collect the statistics on the UDP packets destined to the target server. If the rate of
UDP packets reaches the alarm threshold, the firewalls start the fingerprint learning. If
identical features appear repeatedly, the features will be learned as fingerprints. Subsequent
UDP packets matching the fingerprints will be considered attack packets and discarded. Those
do not match any fingerprint will be forwarded by the firewalls.
74
Learn Firewalls with Dr. WoW
Figure 3-9 Fingerprint learning
Attacker
Forged packet
Firewall
Target server
UDP packet
Reply
Forged packet
UDP packet
Reply
Forged packet
UDP packet
Reply
……
Fingerprint learning is triggered if the
rate of UDP packets destined to a
destination during a period of time
reaches the specified threshold.
UDP packet
Forged packet
UDP packet
Forged packet
UDP packet
Forged packet
UDP packet
……
UDP packet
Forged packet
Fingerprint
learning
Forged packet
UDP packets
matching the
fingerprints are
discarded.
Legitimate client
UDP packet
UDP packets that do not match
any fingerprint are forwarded.
UDP flood attack packets have some common features, such as identical character string or
payload. Fingerprint learning is based on this fact. This is because attackers often use tools to
graft UDP packets with identical payload to increase the UDP flood speed.
However, normal UDP packets have different payloads. Therefore, firewalls can learn the
fingerprints of UDP packets to distinguish attack packets from normal packets to reduce false
positives.
75
Learn Firewalls with Dr. WoW
As shown in the following two packet capture screenshots, the two UDP packets destined for
the same destination have identical payload. If a firewall receives a large number of such UDP
packets, the firewall can determine that a UDP flood attack is going on.
To sum up, firewalls prevent UDP flood attacks through rate limiting and fingerprint learning,
with each having its own merits and limitations. Rate limiting is a simple and crude way to
control the rate of UDP packets, but rate limiting discards packets indiscriminately and may
interrupt normal services. In contrast, fingerprint learning is smarter and can distinguish
attack packets from normal packets after learning the fingerprints of attack packets. Currently,
fingerprint learning is a major measure to prevent UDP flood attacks and is supported by all
Huawei firewall series.
3.4.3 Commands
Table 3-3 lists the rate limiting and fingerprint learning configuration commands on USG9500
V300R001, for example.
76
Learn Firewalls with Dr. WoW
Table 3-3 Rate limiting and fingerprint learning configuration commands
Function
Enable UDP
defense.
Command
flood
attack
firewall defend udp-flood enable
Configure
interface-based
UDP rate limiting.
firewall defend udp-flood interface { interface-type
interface-number | all } max-rate max-rate-number ]
Configure IP address-based
UDP rate limiting.
firewall defend udp-flood ip ip-address [ max-rate
max-rate-number ]
Configure security zone-based
UDP rate limiting.
firewall defend udp-flood zone zone-name [ max-rate
max-rate-number ]
Configure session-based UDP
rate limiting.
firewall defend udp-flood base-session max-rate
max-rate-number
Configure IP address-based
UDP
flood
fingerprint
learning.
firewall defend udp-fingerprint-learn ip ip-address
[ alert-rate alert-rate-number ]
Configure security zone-based
UDP
flood
fingerprint
learning.
firewall defend udp-fingerprint-learn zone zone-name
[ alert-rate alert-rate-number ]
Configure UDP fingerprint
learning parameters.
firewall defend udp-flood fingerprint-learn offset
offset fingerprint-length fingerprint-length
3.5 DNS Flood Attack and Defense
Before we move to application-layer attacks, let's take a look at some real attack cases.
In the evening of May 19 2009, the recursive domain name services in six provinces of China
were compromised due to excessive DNS requests, and domain name services in other
provinces were also interrupted, causing network outage for a long time.
Let's play back the attack. In the evening of May 19, some attackers attacked the DNS server
(DNSPod) that provided DNS service for private servers of other game websites. The attack
traffic exceeded 10 Gbit/s, which crashed DNSPod. However, DNSPod also provided DNS
services for the servers of the Storm player.
The Storm player has a process that automatically starts during the startup of clients and
automatically connects to the Storm servers to download advertisements or software updates.
After DNSPod was crashed, the domain names of Storm servers could not be resolved, but the
process of the Storm player automatically attempted to connect to the servers. As a result, the
Storm clients accidentally became zombies that continuously sent DNS requests to local DNS
servers. The DNS traffic exceeded 30 Gbit/s and caused the DNS flood.
Then, the police started to investigate the attack and busted the attackers on May 29. The
investigation showed that the attackers were operators of some private game servers. The
attackers had rented servers to attack other private game servers or websites for illegal gains.
77
Learn Firewalls with Dr. WoW
This attack case demonstrates the severe impacts of application-layer attacks. These attacks
interrupt our lives and must be prevented. Now let's talk about DNS flood attack and defense.
3.5.1 Attack Mechanism
Let's start with the mechanism of the DNS protocol. When we surf the Internet, we enter
domain names of websites we want to visit. The domain names are resolved into IP addresses
by DNS servers. As shown in Figure 3-10, when we visit www.huawei.com, the client will
send a DNS request to the local DNS server. If the local DNS server stores the mapping
between the domain name and IP address, it sends the IP address to the client.
If the local DNS server cannot find the IP address, the server will send a request to the
upper-level DNS server. After the upper-level DNS server finds out the IP address, it sends the
IP address to the local DNS server, which in turn, sends the IP address to the client. To reduce
the DNS traffic on the Internet, the local DNS server caches the domain name-IP address
mappings so that the local DNS server does not need to request upper-level DNS servers to
honor the requests of hosts.
Figure 3-10 DNS process
Client
Local DNS server
Upper-level DNS
server
Sends a DNS request for the IP address of
www.huawei.com.
Replies with the IP
address if a match is
found in the cache.
DNS reply: The IP address of www.huawei.com is XX.
Sends a DNS request for the IP address of
www.huawei.com.
Sends a request to the upper-level
DNS server if no match is found in the
cache.
Sends a DNS request for the IP address of
www.huawei.com.
DNS reply: The IP address of www.huawei.com is XX.
DNS reply: The IP address of www.huawei.com is XX.
DNS flood is to send a DNS server a large number of requests for the IP addresses of domain
names that do not exist to crash the DNS server and make it unable to handle legitimate DNS
requests. In the above-mentioned attack case, the DNS server (DNSPod) was crashed and
unable to resolve domain names of Storm servers, but tens of thousands of Storm clients
continuously sent DNS requests to local DNS servers, causing the DNS flood.
3.5.2 Defense Measure
DNS supports TCP and UDP. Usually, UDP is used because the connectionless protocol is fast.
UDP also has a smaller overhead than TCP, reducing the resource consumption on DNS
servers.
78
Learn Firewalls with Dr. WoW
However, in some cases, you must configure DNS servers to instruct clients to use TCP to
send requests. In this situation, when the DNS server receives a request from a client, the
server replies with a message with the TC flag being set to 1, indicating that the client must
use TCP to send the request.
This mechanism can be used by firewalls to verify whether the source of DNS requests is real
to prevent DNS flood attacks.
As shown in Figure 3-11, the firewall collects statistics on DNS requests. If the number of
DNS requests destined to a destination reaches the preset threshold during a specified period
of time, the DNS source authentication is triggered.
After DNS source authentication is enabled, the firewall responds to the DNS requests on
behalf of the DNS server, with the TC flag of DNS replies being set to 1. This flag instructs
the client to use TCP to send the DNS requests. If the firewall does not receive a TCP DNS
request from the client, the firewall considers the client false. If the firewall receives a TCP
DNS request, the firewall considers the client real. Then, the firewall whitelists the source
address of the client and considers all packets from the client legitimate until the whitelist
entry expires.
Figure 3-11 DNS source authentication
Attacker
Forged packet
DNS server
Firewall
DNS request
DNS reply
?
Forged packet
DNS request
DNS reply
?
……
DNS source authentication is triggered if the rate
of DNS requests to a destination during a period
of time reaches the specified threshold.
UDP DNS request: What is the IP address of
www.huawei.com?
Forged
packet
?
DNS reply: Please use TCP to send the request.
……
Legitimate client
UDP DNS request: What is the IP address of
www.huawei.com?
DNS reply: Please use TCP to send the request.
TCP DNS request: What is the IP address
of www.huawei.com?
The client passes the
authentication and is
whitelisted.
TCP DNS request: What is the IP address of
www.huawei.com?
TCP DNS reply: 200.72.X.X
DNS request
TCP DNS reply: 200.72.X.X
Subsequent packets
match the whitelist and
are forwarded.
79
Learn Firewalls with Dr. WoW
Let's see the detailed process through the following packet capture screenshots.
1.
The client uses UDP to send a DNS request, as shown in the following figure.
2.
The firewall responds to the DNS request on behalf of the DNS server, with the TC flag
of the DNS reply being set to 1, as shown in the following figure. This flag instructs the
client to use TCP to send the DNS requests.
3.
After receiving the DNS reply, the client uses TCP to send the DNS request as instructed
by the firewall, as shown in the following figure.
80
Learn Firewalls with Dr. WoW
However, DNS source authentication is not a one-fit-all solution in real world because not all
clients can send TCP DNS requests. If a client cannot send TCP DNS requests, requests of the
client cannot be honored, interrupting normal services.
3.5.3 Commands
Table 3-4 lists the rate DNS flood attack defense configuration commands on USG9500
V300R001, for example.
Table 3-4 DNS flood attack defense commands
Function
Command
Enable DNS flood attack defense.
firewall defend dns-flood enable
Configure the DNS flood attack
defense parameters.
firewall defend dns-flood interface { interface-type
interface-number
|
all
}
[
alert-rate
alert-rate-number ] [ max-rate max-rate-number ]
3.6 HTTP Flood Attack and Defense
Now let's take a look at another typical application-layer attack: HTTP flood. HTTP flood
attacks are increasing each year and should not be underestimated.
3.6.1 Attack Mechanism
To launch an HTTP flood, the attacker can use zombie hosts to send a large number of HTTP
requests to the target. The requests contain uniform resource identifiers (URIs) that require
resource-intensive operations, such as database operations, to exhaust the resources on the
target server and make it unable to respond to normal requests.
URI is used to define web resources, but Uniform Resource Locator (URL) is used to locate web
resources. For example, www.huawei.com/abc/12345.html is a URL, but /abc/12345.html is a URI.
81
Learn Firewalls with Dr. WoW
3.6.2 Defense Measure
To prevent HTTP flood attacks, we can use HTTP redirection. When a client requests
www.huawei.com/1.html from the web server, the web server returns a message to instruct the
client to request www.huawei.com/2.html to redirect the request to a new URI.
HTTP redirection is a self-healing process for web servers to redirect a request to a new URI
if the originally requested URI has been obsolete so that the client can visit the desired web
page, as shown in Figure 3-12.
Figure 3-12 HTTP redirection
Client
Web server
SYN
SYN+ACK
ACK
HTTP request: Get (an obsolete URI)
302Moved Temporarily (new URI)
HTTP request: Get (new URI)
HTTP reply: 200 OK
Data transmission
……
This mechanism can be used by firewalls to verify whether the source of HTTP requests is
real to prevent HTTP flood attacks.
As shown in Figure 3-13, the firewall collects statistics on HTTP requests. If the number of
HTTP requests destined to a destination reaches the preset threshold during a specified period
of time, the HTTP source authentication is triggered.
After HTTP source authentication is enabled, the firewall sends an HTTP redirect to the client
on behalf of the web server upon receiving a request to instruct the client to request a new
URI that does not exist. If the firewall does not receive a request for the new URI, the firewall
considers the client false. If the firewall receives a request for the new URI, the firewall
considers the client real and whitelists the IP address of the client. Then, the firewall sends
another HTTP redirect to the client to instruct the client to request the original URI, that is,
the URI requested by the client in the first place. All subsequent HTTP requests from the
client are considered legitimate until the whitelist entry expires.
82
Learn Firewalls with Dr. WoW
Figure 3-13 HTTP source authentication
Attacker
Forged packet
HTTP request
HTTP reply
?
Forged packet
HTTP request
HTTP reply
?
……
Forged packet
?
Web server
Firewall
HTTP source authentication is triggered if the
rate of HTTP requests to a destination during a
period of time reaches the specified threshold.
HTTP request: search1.huawei.com
HTTP reply: Please request search2.huawei.com
……
Legitimate client
HTTP request: search1.huawei.com
HTTP reply: Please request search2.huawei.com
HTTP request: search2.huawei.com
The client passes
the authentication
and is whitelisted.
HTTP reply: Please request search1.huawei.com
HTTP request: search1.huawei.com
HTTP reply
HTTP request
Subsequent packets match the
whitelist and are forwarded.
Although two HTTP redirects are used in the authentication process, the redirection is done
quickly between the server and browser and will not affect user experience.
Let's see the detailed process through the following packet capture screenshots.
2.
The client requests /index.html, as shown in the following figure.
83
Learn Firewalls with Dr. WoW
3.
Upon receiving the request, the firewall replies on behalf of the web server to redirect the
client to /index.html?sksbjsbmfbclwjcc, as shown in the following figure.
4.
The client requests /index.html?sksbjsbmfbclwjcc, as shown in the following figure.
5.
Upon receiving the request, the firewall determines that the source of the HTTP request
is real and redirects the client to the originally requested URI (/index.html), as shown in
the following figure.
84
Learn Firewalls with Dr. WoW
However, HTTP source authentication is not a one-fit-all solution in real world because some
clients, such as set top boxes (STBs), do not support HTTP redirection. Therefore, before
configuring HTTP source authentication, verify that no such clients exist on your network.
Otherwise, normal services will be interrupted.
3.6.3 Commands
Table 3-1 lists the rate HTTP flood attack defense configuration commands on USG9500
V300R001, for example.
Table 3-5 HTTP flood attack defense commands
Function
Command
Enable HTTP flood attack defense.
firewall defend http-flood enable
Configure HTTP flood
defense parameters.
firewall defend http-flood source-detect interface
{ interface-type interface-number | all } alert-rate
alert-rate-number [ max-rate max-rate-number ]
attack
Those are common DDoS attacks and related defense measures on firewalls. Although
firewalls have DDoS attack defense capabilities, they are not dedicated anti-DDoS products.
If you need dedicated anti-DDoS products, we have AntiDDoS1000 and AntiDDoS8000.
These are world-leading anti-DDoS products and Huawei's killer products. For more
information about these products, visit Huawei website and download the product documents.
Questions from Dr. WoW:
1. What are the three types of single-packet attacks?
2. What are the measures to prevent SYN flood attacks? What are the application scenarios
of the measures?
3. What are the measures to prevent UDP flood attacks?
85
Learn Firewalls with Dr. WoW
4. To prevent HTTP flood attacks, is each HTTP request from a source redirected?
86
Learn Firewalls with Dr. WoW
4
NAT
4.1 Source NAT
4.1.1 Source NAT Mechanism
When the Internet was invented, no one thought that it could grow so fast as to be pervasive in
our lives in merely 20 years. Therefore, the problems that were not considered during the
invention of the Internet are surfacing. For example, IPv4 addresses are exhausting. While
seeking alternatives, people are also using technologies that can alleviate the exhaustion of
IPv4 addresses, and the most common technology is network address translation (NAT). A lot
of NAT implementations are out there. The most common one is source NAT.
Source NAT translates private source IP addresses into public source IP addresses. With
source NAT, users on an intranet can access the Internet from their private addresses to use
public IP addresses more efficiently.
The process of source NAT is shown in Figure 4-1.Upon receiving the packets destined from
the private network to the Internet, the firewall translates the private source addresses into
public addresses. Upon receiving the return packets, the firewall translates the public
destination addresses back to private destination addresses. The whole NAT process is
transparent to the users on the private network and hosts on the Internet.
Figure 4-1 Source NAT process
Private
network user
192.168.0.2
IP packet
IP packet
Src addr: 192.168.0.2
Src addr: 202.1.1.2
Dst addr: 210.1.1.2
Data
210.1.1.2
Dst addr: 210.1.1.2
NAT
Data
Private network
IP packet
Firewall
Src addr: 210.1.1.2
Dst addr: 192.168.0.2
Data
IP packet
Src addr: 210.1.1.2
Dst addr: 202.1.1.2
NAT
Data
Before moving on to similar and different features of NAT implementations, let's introduce
the concept of NAT address pool. NAT address pool is a pool or container where we put IP
87
Learn Firewalls with Dr. WoW
addresses. During address translation, the firewall translates the private address into a public
address selected from the pool. The public address is randomly selected and has nothing
to do with the configuration time or value of the IP addresses.
The following command is used to configure a NAT address pool on USG2000/USG5000
series. The NAT address pool has four public IP addresses. We will use the
USG2000/USG5000 as an example in NAT address pool configuration thereafter unless
otherwise specified.
[FW] nat address-group 1 202.1.1.2 202.1.1.5
A configured NAT address pool can be referenced by NAT policies. On USG2000/USG5000
firewall series, NAT policies are similar to security policies. They all contain conditions and
actions. The difference is that the action in a NAT policy is source NAT or no-NAT. If the
action is source NAT, a NAT address pool must be referenced, as shown in Figure 4-2. We
will use the USG2000/USG5000 as an example in NAT policy configuration thereafter unless
otherwise specified.
Figure 4-2 NAT policy
Trust
Untrust
NAT policy 1
Condition
Src addr|Dst addr|...
Action
Source NAT|No NAT
Match
sequence
NAT address pool
NAT policy 2
Condition
Src addr|Dst addr|...
Action
Source NAT|No NAT
NAT address pool
If a packet matches one NAT policy, the NAT policy is implemented, and the remaining NAT
policies are ignored. If a packet does not match a NAT policy, the packet is compared against
the next NAT policy.
Configuring multiple NAT policies provides flexibility. For example, user group 1
(192.168.0.2-192.168.0.5) and user group 2 (192.168.0.6-192.168.0.10) can use different
public IP addresses to access the Internet. This cannot be done if we put the two public IP
addresses into the same NAT address pool because the public IP addresses are randomly
selected.
Instead, we can put the two IP addresses into different NAT address pools and configure two
NAT policies. One NAT policy allows user group 1 to use NAT address pool 1, and the other
88
Learn Firewalls with Dr. WoW
allows user group 2 to use NAT address pool 2. Then, the two user groups can use different
public IP address to access the Internet.
Table 4-1 lists the source NAT implementations supported by Huawei firewalls.
Table 4-1 Source NAT implementations supported by Huawei firewalls
Source
NAT
Implementation
Description
Application Scenario
NAT No-PAT
Only IP addresses are translated, and
ports are not translated.
The number of available
public IP addresses is almost
the same as the private
network users who need
Internet access.
NAPT
Both addresses
translated.
are
The number of private
network users is larger than
that of available public
addresses.
Egress
interface
address mode (also
called easy-IP)
Both IP addresses and ports are
translated, but the public address can
only be the IP address of the egress
interface.
Only one public IP address is
available, and the public IP
address
is
dynamically
obtained on the egress
interface.
Smart NAT
One address in an address pool is
reserved for NAPT, and other
addresses in the address pool are used
for NAT No-PAT.
Usually,
each
private
network user can have a
public IP address in the
address
pool,
but
occasionally,
public
addresses are not sufficient
and
NAPT
must
be
implemented so that multiple
users can share the same
public IP address.
Triplet NAT
The mappings between private IP
address/port
and
public
IP
address/port are fixed instead of
being random.
Users on the Internet initiate
access to users on the private
network. This is the case in
P2P service.
and
ports
Each of the NAT implementations has their own merits and demerits. Let's dive deeper into
them.
4.1.2 NAT No-PAT
"No-PAT" means that port addresses are not translated and public addresses cannot be shared
by more than one private network address user. Therefore, NAT No-PAT is a one-to-one
address translation. Figure 4-3 shows an example of NAT No-PAT configuration. In this
example, the firewall and the web server are reachable to each other.
89
Learn Firewalls with Dr. WoW
Figure 4-3 NAT No-PAT networking
Trust
Untrust
Private network user
192.168.0.3/24
Web Server
210.1.1.2
NAT address pool
202.1.1.2-202.1.1.3
Private
network
Firewall
Private network user
192.168.0.2/24
The detailed configuration process is as follows:
1.
Configure a NAT address pool and NAT policy.
Configure a NAT address pool.
[FW] nat address-group 1 202.1.1.2 202.1.1.3
//Add two public IP addresses to the
address pool.
Configure a NAT policy.
[FW] nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound] policy 1
[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0
0.0.0.255
//Specify the match condition.
[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat //Specify the
action (source NAT).
[FW-nat-policy-interzone-trust-untrust-outbound-1] address-group 1 no-pat
//Reference the NAT address pool and specify No-PAT as the NAT method.
[FW-nat-policy-interzone-trust-untrust-outbound-1] quit
[FW-nat-policy-interzone-trust-untrust-outbound] quit
Note that security policies and blackhole routes must be configured after the NAT
configuration is complete.
2.
Configure a security policy.
Security policies and NAT policies are similar, just as their names suggest. However, they
have different functions. Security policies determine whether packets can pass through the
firewall, whereas NAT policies determine how to translate IP addresses in the packets. NAT is
performed only for permitted packets. Security policies are processed before NAT policies.
Therefore, if you configure a security policy for a source address, the source address must be
the private address.
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-1] action permit
[FW-policy-interzone-trust-untrust-outbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] quit
90
Learn Firewalls with Dr. WoW
3.
Configure blackhole routes.
A blackhole route is a route that goes nowhere and is used to drop packets that match the
route. To avoid routing loops, blackhole routes must be configured on the firewall for the
addresses in the public address pool. The blackhole routes are configured as follows. The
reason why we need to configure blackhole routes will be discussed later.
[FW] ip route-static 202.1.1.2 32 NULL 0
[FW] ip route-static 202.1.1.3 32 NULL 0
After the previous configurations are complete, the users on the private network can access
the web server. If you display the sessions on the firewall, you can see the following
information:
[FW] display firewall session table
Current Total Sessions : 1
http VPN:public --> public 192.168.0.2:2050[202.1.1.2:2050]-->210.1.1.2:80
http VPN:public --> public 192.168.0.3:2050[202.1.1.3:2050]-->210.1.1.2:80
From the session table, we can see that the two private IP addresses have been translated into
different public IP addresses in the brackets, but the port is not translated.
Do you remember that we have mentioned "server-map" table in Chapter 2 Security Policies?
NAT No-PAT generates two server-map entries, one in the forward direction, and the other in
the return direction.
[FW] display firewall server-map
server-map item(s)
-----------------------------------------------------------------------------No-Pat, 192.168.0.2[202.1.1.2] -> any, Zone: --Protocol: any(Appro: ---), Left-Time: 00:11:59, Addr-Pool: 1
VPN: public -> public
No-Pat Reverse, any -> 202.1.1.2[192.168.0.2], Zone: untrust
Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
No-Pat, 192.168.0.3[202.1.1.3] -> any, Zone: --Protocol: any(Appro: ---), Left-Time: 00:11:59, Addr-Pool: 1
VPN: public -> public
No-Pat Reverse, any -> 202.1.1.3[192.168.0.3], Zone: untrust
Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
The server-map entry in the forward direction allows for fast address translation when a
private network user accesses the Internet, because in NAT No-PAT, each private address is
exclusively translated to a public IP address and the translation is performed when the packets
match the server-map entry. Similarly, when the packets destined from the Internet to the
private network match the server-map entry in the return direction, address translation is
performed. Note that packets matching the server-map entries must be checked against
security policies. Only packets permitted by the security policies can pass through the
firewall.
Other users on the private network cannot access the web server, because only two public IP
addresses are available in the address pool and both public IP addresses have been used. Other
users must wait until the public addresses are released. As we can see, one public IP address
can be used by only one private network user in NAT No-PAT. This implementation does not
91
Learn Firewalls with Dr. WoW
conserve public addresses. The following NAT implementation, NAPT, can conserve public
IP addresses.
4.1.3 NAPT
Network address and port translation (NAPT), sometimes also known as port address
translation (PAT), means both the network address and port are translated. NAPT is the most
widely used address translation implementation. NAPT allows a large number of private
network users to share a small number of public IP addresses to access the Internet.
The difference between NAPT and NAT No-PAT configuration is: In NAPT configuration, the
"no-pat" keyword is not specified when you reference a NAT address pool in a NAT policy.
The following NAPT configuration is still based on Figure 4-3.
1.
Configure a NAT address pool.
[FW] nat address-group 1 202.1.1.2 202.1.1.3
2.
Configure a NAT policy.
[FW] nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound] policy 1
[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0
0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-1] address-group 1
//Reference the NAT address pool
[FW-nat-policy-interzone-trust-untrust-outbound-1] quit
[FW-nat-policy-interzone-trust-untrust-outbound] quit
3.
Configure a security policy.
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-1] action permit
[FW-policy-interzone-trust-untrust-outbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] quit
4.
Configure blackhole routes.
[FW] ip route-static 202.1.1.2 32 NULL 0
[FW] ip route-static 202.1.1.3 32 NULL 0
After the previous configurations are complete, the users on the private network can access
the web server. If you display the sessions on the firewall, you can see the following
information:
[FW] display firewall session table
Current Total Sessions : 2
http VPN:public --> public 192.168.0.2:2053[202.1.1.2:2048]-->210.1.1.2:80
http VPN:public --> public 192.168.0.3:2053[202.1.1.3:2048]-->210.1.1.2:80
From the session table, we can see that the two private IP addresses have been translated into
different public IP addresses and the port is also translated.
Other users on the private network can also access the web server. If you display the sessions
on the firewall, you can see the following information:
[FW] display firewall session table
Current Total Sessions : 3
http VPN:public --> public 192.168.0.2:2053[202.1.1.2:2048]-->210.1.1.2:80
http VPN:public --> public 192.168.0.3:2053[202.1.1.3:2048]-->210.1.1.2:80
92
Learn Firewalls with Dr. WoW
http VPN:public --> public 192.168.0.4:2051[202.1.1.2:2049]-->210.1.1.2:80
From the session table, we can see that two users on the private network share the same public
IP address, but the ports of the users are different. The two users sharing the same public IP
address are distinguished by the ports. Therefore, you do not need to worry about IP address
conflict.
Note that in NAPT, no server-map entry will be generated. This is different than in NAT
No-PAT.
4.1.4 Egress Interface Address Mode (Easy-IP)
In egress interface address mode, the public IP address of the egress interface is used for
address translation. Multiple users of the private network share the same public IP address.
Therefore, port translation is also performed. This mode can be deemed a variant of NAPT.
When the egress of a firewall obtains the public IP address through dial-up, you cannot add
the public IP address to the address pool because the public address is dynamically obtained.
In this case, you need to configure the egress interface address mode so that addresses can be
translated when the public IP address changes. The egress interface address mode simplifies
the configuration process and is therefore called easy-IP, which is available on USG2000,
USG5000, and USG6000 series.
Easy-IP does not require a NAT address pool or blackhole route. All you need is to specify the
outgoing interface in the NAT address policy, as shown in Figure 4-4.
Figure 4-4 Easy-IP networking
Trust
Untrust
Private network user
192.168.0.3/24
Web Server
210.1.1.2
GE1/0/2
Dynamic address
Private
network
Firewall
Private network user
192.168.0.2/24
The configuration is as follows:
2.
Configure a NAT policy.
[FW] nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound] policy 1
[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0
0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-1] easy-ip GigabitEthernet1/0/2
//Specify the outgoing interface.
[FW-nat-policy-interzone-trust-untrust-outbound-1] quit
[FW-nat-policy-interzone-trust-untrust-outbound] quit
93
Learn Firewalls with Dr. WoW
3.
Configure a security policy.
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-1] action permit
[FW-policy-interzone-trust-untrust-outbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] quit
The users on the private network can access the web server. If you display the sessions on the
firewall, you can see the following information:
[FW] display firewall session table
Current Total Sessions : 2
http VPN:public --> public 192.168.0.2:2054[202.1.1.1:2048]-->210.1.1.2:80
http VPN:public --> public 192.168.0.3:2054[202.1.1.1:2049]-->210.1.1.2:80
From the session table, we can see that the two private IP addresses have been translated into
the public IP address (202.1.1.1) of the egress interface and the port is also translated. If other
uses on the private network access the web server, the addresses are also translated to
202.1.1.1, and the port is translated to different ports to distinguish the users.
Like NAPT, easy-IP does not generate any server-map entry.
4.1.5 Smart NAT
As we have mentioned before, NAP No-PAT is a one-to-one address translation, which means
that a public address in the address pool can be used by only one private network user. If all
the public addresses are used, other users cannot access the Internet. Then, what if other users
want to access the Internet? The solution is smart NAT.
Smart NAT incorporates the benefits of both NAT No-PAT and NAPT. The mechanism is as
follows:
Let's say the address pool has N IP addresses, and one of them is reserved and the remaining
addresses form address section 1. During address translation, the addresses in section 1 are
preferentially used for one-to-one address translation. When the IP addresses in section 1 are
exhausted, the reserved IP address is used for NAPT (many-to-one address translation).
We can consider smart NAT an enhanced NAP No-PAT because smart NAT overcomes the
limitation of NAT No-PAT. In NAT No-PAT, other users cannot access the Internet if the
number of users accessing the Internet equals to the number of public addresses in the address
pool until the used public addresses are released (the sessions expire).
If the same situation occurs in smart NAT, other users can share the reserved public IP address
to access the Internet.
Smart NAT is available on USG9500 V300R001. Therefore, USG9500 series is used as an
example to describe smart NAT configuration, as shown in Figure 4-5.
94
Learn Firewalls with Dr. WoW
Figure 4-5 Smart NAT networking
Trust
Private network user
192.168.0.3/24
Untrust
NAT address pool
Seciton1: 202.1.1.2
Reserved address: 202.1.1.3
Web Server
210.1.1.2
Private
network
Firewall
Private network user
192.168.0.2/24
The detailed configuration process is as follows:
2.
Configure a NAT address pool.
[FW] nat address-group 1
[FW-address-group-1] mode no-pat local
[FW-address-group-1] smart-nopat 202.1.1.3
//reserved address
[FW-address-group-1] section 1 202.1.1.2 202.1.1.2 //This section cannot contain the
reserved address.
[FW-address-group-1] quit
3.
Configure a NAT policy.
[FW] nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound] policy 1
[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0
0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-1] address-group 1 //Reference the
NAT address pool.
[FW-nat-policy-interzone-trust-untrust-outbound-1] quit
[FW-nat-policy-interzone-trust-untrust-outbound] quit
4.
Configure a security policy.
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-1] action permit
[FW-policy-interzone-trust-untrust-outbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] quit
5.
Configure blackhole routes.
[FW] ip route-static 202.1.1.2 32 NULL 0
[FW] ip route-static 202.1.1.3 32 NULL 0
If one user on the private network accesses the web server, the session information on the
firewall resembles:
[FW] display firewall session table
Current total sessions: 1
Slot: 2 CPU: 3
95
Learn Firewalls with Dr. WoW
http VPN:public --> public 192.168.0.2:2053[202.1.1.2:2053]-->210.1.1.2:80
From the session table, we can see that the private IP address has been translated into a public
IP address in section 1 and the port is not translated.
Other users on the private network can also access the web server. If you display the sessions
on the firewall, you can see the following information:
[FW] display firewall session table
Current total sessions: 3
Slot: 2 CPU: 3
http VPN:public --> public 192.168.0.2:2053[202.1.1.2:2053]-->210.1.1.2:80
http VPN:public --> public 192.168.0.3:2053[202.1.1.3:2048]-->210.1.1.2:80
http VPN:public --> public 192.168.0.4:2053[202.1.1.3:2049]-->210.1.1.2:80
From the session table, we can see that the two private IP addresses have been translated into
the reserved public IP address and the port is also translated. That is, NAPT is performed for
the two users. NAPT is performed using the reserved public IP address only when the
public IP addresses (except the reserved address) in the address pool are exhausted.
Let's take a look at the server-map table. Smart NAT includes NAT No-PAT. Therefore, related
server-map entries are generated.
[FW] display firewall server-map
ServerMap item(s) on slot 2 cpu 3
-----------------------------------------------------------------------------Type: No-Pat, 192.168.0.2[202.1.1.2] -> ANY, Zone: untrust
Protocol: ANY(Appro: unknown), Left-Time:00:05:55, Pool: 1, Section: 1
Vpn: public -> public
Type: No-Pat Reverse, ANY -> 202.1.1.2[192.168.0.2], Zone: untrust
Protocol: ANY(Appro: unknown), Left-Time:---, Pool: 1, Section: 1
Vpn: public -> public
4.1.6 Triplet NAT
We have learned four types of source NAT, among which NAPT is most widely used. Source
NAT not only alleviates the exhaustion of public addresses, but also hides the real private
network addresses, improving security as well. However, these NAT implementations do not
work well with P2P, which is widely used in file sharing, voice communications, and video
transfer. When NAT meets P2P, it is not a rosy NAT-P2P. Instead, the result is that you cannot
use P2P to download the latest movies or video chat.
To resolve this problem, we need triplet NAT. To understand triplet NAT, we must first
understand the P2P mechanism and the problems to P2P services if NAPT is enabled.
As shown in Figure 4-6, P2P services are running on both PC2 and PC2. To run the P2P
services, the two clients must exchange messages with the P2P server for login and
authentication. The P2P server records the addresses and ports of the clients. If PC1 resides on
a private network, the firewall performs NAPT for packets destined from PC1 to the P2P
server. Therefore, the client address and port recorded on the P2P server are the post-NAT
public address and port. When PC2 downloads a file, the P2P server sends PC2 the IP address
and port of the client on which the requested file resides (for example, the address and port of
PC1). Then, PC2 sends a request to PC1 and starts to download the file.
96
Learn Firewalls with Dr. WoW
Figure 4-6 P2P service interaction process
P2P Server
PC1 (P2P Client)
1
Private
network
2
3
Firewall
PC2 (P2P Client)
The interaction seems to be perfect. However, two problems exist:
2.
PC1 periodically sends packets to the P2P server, and NAPT is performed on these
packets. Therefore, the address and port are changing after NAPT. Therefore, the address
and port of PC1 stored on the P2P server must be constantly updated, affecting the
running of P2P services.
3.
More importantly, the forwarding mechanism of the firewall determines that packets
returned by the P2P server to the PC1 can pass through the firewall only when they
match the session table. Other hosts, such as PC2, cannot initiate access to PC1 through
the post-NAT address and port. By default, the security policies on the firewall do not
allow such packets to pass through.
Triplet NAT can perfectly resolve these two problems because triplet NAT has the following
two features:
4.
The post-NAT port is stable.
During a period of time after PC1 accesses the P2P server, the post-NAT port will be the
same when PC1 accesses the P2P server again or accesses other hosts on the Internet.
5.
Access initiated from the Internet is supported.
PC2 can obtain the post-NAT address and port of PC1 to initiate access to the address
and port, regardless of whether PC1 has accessed PC2. The access packets initiated from
PC2 to PC1 are permitted, even when no security policy is configured on the firewall for
such packets.
These features of triplet NAT support P2P services. Triplet NAT is available on USG9500
V300R001. The triplet NAT configuration is described as follows, as shown in Figure 4-7.
For USG2000, USG5000, and USG6000 series firewalls, user-defined ASPF can be configured to ensure
that P2P services are normal.
97
Learn Firewalls with Dr. WoW
Figure 4-7 Triplet NAT networking
Trust
P2P Client
192.168.0.2/24
Untrust
NAT address pool
202.1.1.2-202.1.1.3
P2P Server
210.1.1.2
Private
network
Firewall
P2P Client
Triplet NAT configuration is described as follows. Blackhole routes cannot be configured.
Otherwise, services will be interrupted.
6.
Configure a NAT address pool.
[FW] nat address-group 1
[FW-address-group-1] mode full-cone local
//Set the mode to triplet NAT.
[FW-address-group-1] section 1 202.1.1.2 202.1.1.3
[FW-address-group-1] quit
7.
Configure a NAT policy.
[FW] nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound] policy 1
[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0
0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-1] address-group 1
//Reference the NAT address pool.
[FW-nat-policy-interzone-trust-untrust-outbound-1] quit
[FW-nat-policy-interzone-trust-untrust-outbound] quit
8.
Configure a security policy.
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-1] action permit
[FW-policy-interzone-trust-untrust-outbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] quit
When the P2P clients on the private network access the P2P server, the session information on
the firewall resembles:
[FW] display firewall session table
Current total sessions: 1
Slot: 2 CPU: 3
tcp VPN: public --> public 192.168.0.2:4661[202.1.1.2:3536] --> 210.1.1.2:4096
From the session table, we can see that the private IP address of the P2P client has been
translated into a public IP address and the port is also translated. Now let's take a look at the
server-map table.
98
Learn Firewalls with Dr. WoW
−
The Untrust zone in the server-map table is generated because the local parameter in the mode
full-cone local command is specified. If the command is mode full-cone global, the zone is not
specified, indicating that security zones are not restricted.
−
For more information about the FullCone field in the server-map table, see 4.1.9 Further Reading.
[FW] display firewall server-map
ServerMap item(s) on slot 2 cpu 3
-----------------------------------------------------------------------------Type: FullCone Src, 192.168.0.2:4661[202.1.1.2:3536] -> ANY, Zone: Untrust
Protocol: tcp(Appro: ---), Left-Time:00:00:58, Pool: 1, Section: 0
Vpn: public -> public
Hotversion: 2
Type: FullCone Dst, ANY -> 202.1.1.2:3536[192.168.0.2:4661], Zone: Untrust
Protocol: tcp(Appro: ---), Left-Time:00:00:58, Pool: 1, Section: 0
Vpn: public -> public
Hotversion: 2
From the server-map table, we can see that two server-map entries are generated for the triplet
NAT: a source server-map entry (FullCone Src) and a destination server-map entry (FullCone
Dst). The functions of the two entries are described as follows:
Source server map entry (FullCone Src)
Before the expiration of the entries, the address and port after address translation are
202.1.1.2:3536 when PC1 accesses any host in the Untrust zone, ensuring port
consistency.
Destination server map entry (FullCone Dst)
Before the expiration of the entries, any host in the Untrust zone can access port 4661 on
PC1 through 202.1.1.2:3536, meaning that P2P clients on the Internet can initiate
connection to PC1.
Therefore, the source and destination server-map entries allow triplet NAT to support P2P
services. From the source and destination server-map entries, we can see that only the source
IP address and port and protocol are involved in triplet NAT, and that is why it is called
"triplet" NAT.
As we have mentioned, the destination server-map entry allows P2P clients on the Internet to
initiate connections to PC1. Some may ask, are server-map entries generated in triplet NAT
the same as those in ASPF so that packets matching the entries are not subject to the control
of security policies? There are more to tell. For triplet NAT, the firewalls also support
endpoint-independent filter function. The command is as follows.
In the command, the endpoint-independent parameter means that the address translation is independent
from the address and port translation on the other end. This parameter can be considered another name
for triplet NAT. On Huawei firewalls, this command controls whether security policies are needed to
examine packets in triplet NAT.
[FW] firewall endpoint-independent filter enable
After the endpoint-independent filter is enabled, packets matching the destination server-map
entry can pass through the firewall without being matched against security policies. If the
function is disabled, packets matching the destination server-map entries must also be
matched against security policies to determine whether they are permitted. By default, the
99
Learn Firewalls with Dr. WoW
endpoint-independent filter function is enabled. That is why the P2P clients on the Internet
can initiate connections to PC1 on the private network.
4.1.7 Source NAT in Multi-Egress Scenario
We have learned NAT implementations of various types and it seems that we have understood
everything about NAT. However, in real-world configuration, we may still have challenges.
For example, in the multi-egress scenario, how to configure source NAT?
In the following example, the firewall has two ISP links to the Internet. We will use this
example to illustrate how to configure source NAT. If more ISP links are available, the
configuration method is similar.
As shown in Figure 4-8, an enterprise has deployed a firewall at the network egress as the
gateway, which is connected to the Internet through links ISP1 and ISP2 so that the PCs on
the private network can access the Internet.
Figure 4-8 Source NAT networking in the dual-ISP scenario
Private network user
ISP1
Private
network
Firewall
ISP2
In this scenario, a major challenge for the firewall is to select an ISP link when forwarding
traffic destined from the private network to the Internet. If the optimal ISP link for a packet is
ISP1 but the packet is forwarded through ISP2, the detour may increase latency and
deteriorate user experience.
ISP links can be selected based on destination addresses. In this case, we can configure two
equal-cost default or specific routes. ISP links can also be selected based on source addresses.
In this case, we can configure policy-based routing. These will be described in detail in
Chapter 10 ISP Link Selection.
For NAT, packets are sent out through either ISP1 or ISP2, regardless of the route selection
method. Regardless of which ISP link is used, NAT is doing its job as long as the private
addresses are translated into a public address before packets are sent out.
Usually, we add the interfaces connected to ISP1 and ISP2 to different security zones. Then,
we configure source NAT policies between the security zone (usually the Trust zone) where
the private network resides and the security zones of the two interfaces connected to ISP1 and
ISP2, as shown in Figure 4-9.
100
Learn Firewalls with Dr. WoW
Figure 4-9 NAT networking in the dual-ISP scenario
Trust
ISP1
Private network
user
Private
network
GE1/0/1
192.168.0.1/24
2
0/ 0
1/ .1/3
E
G 1.1
1.
GE
2.2 1/0
.2 . /3
Firewall
2 /3
0
ISP1
ISP2
ISP2
This following example describes how to configure source NAT in NAPT mode. In the
example, the public addresses assigned by ISP1 are 1.1.1.10 through 1.1.1.12, and those by
ISP2 are 2.2.2.10 through 2.2.2.12.
Add interfaces to security zones.
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet1/0/1
[FW-zone-trust] quit
[FW] firewall zone name isp1
[FW-zone-isp1] set priority 10
[FW-zone-isp1] add interface GigabitEthernet1/0/2
[FW-zone-isp1] quit
[FW] firewall zone name isp2
[FW-zone-isp2] set priority 20
[FW-zone-isp2] add interface GigabitEthernet1/0/3
[FW-zone-isp2] quit
Configure two NAT address pools.
[FW] nat address-group 1 1.1.1.10 1.1.1.12
[FW] nat address-group 2 2.2.2.10 2.2.2.12
Configure two NAT policies based on the interzone relationship.
[FW] nat-policy interzone trust isp1 outbound
[FW-nat-policy-interzone-trust-isp1-outbound] policy 1
[FW-nat-policy-interzone-trust-isp1-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-nat-policy-interzone-trust-isp1-outbound-1] action source-nat
[FW-nat-policy-interzone-trust-isp1-outbound-1] address-group 1
[FW-nat-policy-interzone-trust-isp1-outbound-1] quit
[FW-nat-policy-interzone-trust-isp1-outbound] quit
[FW] nat-policy interzone trust isp2 outbound
[FW-nat-policy-interzone-trust-isp2-outbound] policy 1
[FW-nat-policy-interzone-trust-isp2-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-nat-policy-interzone-trust-isp2-outbound-1] action source-nat
[FW-nat-policy-interzone-trust-isp2-outbound-1] address-group 2
[FW-nat-policy-interzone-trust-isp2-outbound-1] quit
[FW-nat-policy-interzone-trust-isp2-outbound] quit
101
Learn Firewalls with Dr. WoW
Configure two security policies based on the interzone relationship.
[FW] policy interzone trust isp1 outbound
[FW-policy-interzone-trust-isp1-outbound] policy 1
[FW-policy-interzone-trust-isp1-outbound-1] policy
[FW-policy-interzone-trust-isp1-outbound-1] action
[FW-policy-interzone-trust-isp1-outbound-1] quit
[FW-policy-interzone-trust-isp1-outbound] quit
[FW] policy interzone trust isp2 outbound
[FW-policy-interzone-trust-isp2-outbound] policy 1
[FW-policy-interzone-trust-isp2-outbound-1] policy
[FW-policy-interzone-trust-isp2-outbound-1] action
[FW-policy-interzone-trust-isp2-outbound-1] quit
[FW-policy-interzone-trust-isp2-outbound] quit
source 192.168.0.0 0.0.0.255
permit
source 192.168.0.0 0.0.0.255
permit
Of course, do not forget blackhole routes.
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
ip
ip
ip
ip
ip
ip
route-static
route-static
route-static
route-static
route-static
route-static
1.1.1.10
1.1.1.11
1.1.1.12
2.2.2.10
2.2.2.11
2.2.2.12
32
32
32
32
32
32
NULL
NULL
NULL
NULL
NULL
NULL
0
0
0
0
0
0
If we add the interfaces connected to ISP1 and ISP2 to the same security zone, for example,
the Untrust zone, the NAT policies cannot distinguish the two links based on the interzone
relationship. To help you understand this, we provide a configuration script, in which NAT
policy 1 and policy 2 are configured in the Trust-to-Untrust interzone.
#
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 192.168.0.0 0.0.0.255
address-group 1
policy 2
action source-nat
policy source 192.168.0.0 0.0.0.255
address-group 2
#
Policy 1 has a higher priority than policy 2. Therefore, all packets destined from the private
network to the Internet match policy 1 and are forwarded through ISP1. Policy 2 is ignored.
Therefore, we must add the interfaces to different security zones and configure NAT policies
based on the interzone relationship.
4.1.8 Summary
We have thoroughly studied various NAT implementations. Now let's compare them side by
side, as shown in Table 4-2.
102
Learn Firewalls with Dr. WoW
Table 4-2 Comparison between source NAT implementations supported by Huawei firewalls
Source NAT
Implementatio
n
IP Address
Mapping
Port
Translated?
Dynamic
Server-Map
Entry
Generated?
Blackhole
Route
Needed?
Source
Address
in
the
Security
Policy
NAT No-PAT
One-to-one
No
Yes
Yes
NAPT
Many-to-one
Yes
No
Yes
Private
address
before
NAT
Many-to-ma
ny
Egress
interface
address mode
(also
called
easy-IP)
Many-to-one
Yes
No
No
Smart NAT
One-to-one+
many-to-one
(the reserved
address)
No, except
for
the
reserved
address
Yes, but only
for
NAT
No-PAT
Yes
Triplet NAT
Many-to-one
Yes
Yes
No
Many-to-ma
ny
4.1.9 Further Reading
Triplet NAT has a scientific name: full cone. According to RFC3489, full cone is one of the
four types of port mapping methods in NAT. The other three are restricted cone, port restricted
cone, and symmetric.
To further your understanding, we will compare the full cone mode with the symmetric mode.
Since RFC3489 has been obsoleted by RFC5389, the restricted cone and port restricted cone
are not discussed.
Full cone NAT is illustrated in Figure 4-10. The public address and port for hosts on the
private network are stable in a period of time after address translation, regardless of the
destination addresses. Therefore, the hosts on the private network can use the same triplet
(source IP address, source port, and protocol) to access different hosts on the Internet. The
hosts on the Internet can also initiate access to the hosts on the private network using the same
triplet.
103
Learn Firewalls with Dr. WoW
Figure 4-10 Full cone NAT
TCP[S1:P1]
Client2
TCP[S1:P1]
Client1
TCP[S0:P0]
Firewall
Client3
TCP[S1:P1]
Client4
Symmetric NAT is illustrated in Figure 4-11. The addresses of the hosts on the private
network are translated based on destination addresses, and the public addresses and ports vary.
The hosts on the private network have different triplets (source IP address, source port, and
protocol). Therefore, only hosts on the Internet that have specific ports can access the private
network. That is to say, you need to specify the target hosts and ports. Symmetric NAT is also
called quintuplet (source IP address, destination IP address, source port, destination port, and
protocol) NAT. NAPT is also quintuplet NAT.
Figure 4-11 Symmetric NAT
TCP[S1:P1]
Client2
TCP[S1:P2]
Client1
TCP[S0:P0]
Firewall
Client3
TCP[S1:P3]
Client4
4.2 NAT Server
4.2.1 NAT Server Mechanism
Schools and companies may need to provide services for external users. The servers that
provide such services usually use private addresses and cannot be accessed by users on the
Internet. In this case, how can we configure the firewall as the gateway to resolve the
problem?
104
Learn Firewalls with Dr. WoW
Readers who have read about source NAT must have thought about NAT.
Bingo! You are in the right direction. However, source NAT works well when users on a
private network need to access the Internet. However, the situation is just the opposite here.
The server on a private network provides services, and users on the Internet imitate the access
to the server. The address to be translated is changed from source address to destination
address. Therefore, we name this implementation NAT server.
Let's use Figure 4-12 to illustrate how to configure NAT server on the firewall. NAT server
also needs a public IP address, just as in source NAT. However, you do not need to put the
public address into an address pool. Let's say the public address is 1.1.1.1 in this example.
If possible, do not use the IP address of the WAN interface on the firewall as the public address for NAT.
If you must do so, specify the protocol and port during NAT server configuration to avoid conflicts
between NAT server and management functions, such as Telnet and web interface.
Figure 4-12 NAT server networking
DMZ
Private server
10.1.1.2/24
Untrust
Public IP address
1.1.1.1
Public network user
1.1.1.2/24
Firewall
NAT server is configured as follows:
2.
Configure NAT server.
Run the following command on the firewall to map the private address (10.1.1.2) of the server
to a public address (1.1.1.1).
[FW] nat server global 1.1.1.1 inside 10.1.1.2
If multiple protocols and ports are enabled on the same server, this configuration will make all
services accessible to users on the Internet, bringing security risks. Huawei firewalls support
service-specific NAT server so that only specified services are accessible to users on the
Internet after NAT server is configured. For example, we can map port 80 to port 9980 for
users on the Internet to access.
In this example, port 80 is translated into port 9980 instead of port 80 because some carriers will block
new services on ports 80, 8000, and 8080.
[FW] nat server protocol tcp global 1.1.1.1 9980 inside 10.1.1.2 80
After NAT server is configured, server-map entries will be generated. However, unlike in
source NAT, the server-map entries in NAT server are static and are not triggered by packets.
The entries will be automatically generated after NAT server configuration and will be
automatically deleted after NAT server configuration is deleted. The server-map entries in
NAT server look like the following output:
[FW] display firewall server-map
server-map item(s)
105
Learn Firewalls with Dr. WoW
-----------------------------------------------------------------------------Nat Server, any -> 1.1.1.1:9980[10.1.1.2:80], Zone: --Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Nat Server Reverse, 10.1.1.2[1.1.1.1] -> any, Zone: --Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Just like triplet NAT, NAT server also generates two server-map entries:
Forward server-map entry
"Nat Server, any -> 1.1.1.1:9980[10.1.1.2:80]" is the forward server-map entry, which
records the mapping between private address/port and public address/port.
"[10.1.1.2:80]" is the private address and port of the server, and 1.1.1.1:9980 is the
public address and port. If we translate the entry into human words, it is: When any
client initiates a connection to 1.1.1.1:9980, the destination address and port will be
translated into 10.1.1.2:80. This entry is used to translate the destination address and port
of packets destined from the Internet to the server.
Return server-map entry
"Nat Server Reverse, 10.1.1.2[1.1.1.1] -> any" is the return server-map entry. It is used to
translate the private source address into a public address when the server initiates access
to the Internet without using a source NAT policy. This is the sweet part of NAT server,
because you can use one command to configure NAT in both directions between the
server and the Internet.
Here the word "translate" appears multiple times. Yes. The entries are just address translation,
whether in the forward or return direction. They are not like the server-map entries in ASPF.
In ASPF, server-map entries can create a channel that can bypass security policies. Therefore,
in NAT server, you must configure security policies to permit traffic in both directions
between the private server and the Internet.
3.
Configure a security policy.
Now comes a typical question asked by thousands of people: To allow users on the Internet
to access the private server in NAT server configuration, is the destination address in the
security policy the private address or public address? Before answering this question, let's
first take a look at how the firewall process packets destined from users on the Internet to the
private server.
When a user initiates access to 1.1.1.1:9980 (the private server), the firewall check whether
the packet matches a server-map entry. If a match is found, the firewall translates the
destination address and port to 10.1.1.2:80. Then, the firewall look for an outgoing interface
for destination address 10.1.1.2. Then, the firewall checks the security zones where the
incoming and outgoing interfaces reside to determine the interzone security policy. Therefore,
the destination address in the security policy must be the private address, not the public
address mapped to the private address of the server. Therefore, the security policy for this
example should be:
[FW] policy interzone dmz untrust inbound
[FW-policy-interzone-dmz-untrust-inbound] policy 1
[FW-policy-interzone-dmz-untrust-inbound-1] policy destination 10.1.1.2 0
[FW-policy-interzone-dmz-untrust-inbound-1] policy service service-set http
[FW-policy-interzone-dmz-untrust-inbound-1] action permit
[FW-policy-interzone-dmz-untrust-inbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] quit
106
Learn Firewalls with Dr. WoW
If the packet is permitted by the security policies, the firewall creates the following session
and forward the packet to the private server.
[FW] display firewall session table
Current Total Sessions : 1
http VPN:public --> public 1.1.1.2:2049-->1.1.1.1:9980[10.1.1.2:80]
Upon receiving the packet, the firewall responds to the packet. After the response packet
arrives on the firewall and matches the session table, the firewall translates the source address
and port of the packet to 1.1.1.1:9980 and forwards the packet to the Internet. When
subsequent packets between the user and private server arrive on the firewall, the firewall
translates the address and port based on the session table, not the server-map entry.
The packet captures before and after NAT show the results of NAT server:
The destination address and port of packets destined from the user on the Internet to the
private server are translated.
The source address and port of packets destined from the private server to the user on the
Internet are translated.
4.
Configure a blackhole route.
To avoid routing loops, a blackhole route must be configured for NAT server.
[FW] ip route-static 1.1.1.1 32 NULL 0
4.2.2 NAT Server in Multi-Egress Scenario
Similar like source NAT, NAT server also needs to address the multi-egress scenario. As
shown in the following example, the firewall has two ISP links. NAT server is configured as
follows:
1.
Configure NAT server.
107
Learn Firewalls with Dr. WoW
As shown in Figure 4-13, an enterprise has deployed a firewall at the network egress as the
gateway, which is connected to the Internet through links ISP1 and ISP2 so that the users on
the Internet can access the server on the private network.
Figure 4-13 NAT server networking in the dual-ISP scenario
Web Server
ISP1
Private
network
Firewall
ISP2
As the egress gateway, the firewall is connected to two ISPs. Therefore, the NAT server
configuration is divided into two parts so that the private server can provide services through
public addresses obtained from both ISPs. Two methods are available:
Method 1: Add the WAN interfaces connected to the two ISPs to different security zones
and specify the zone parameter during NAT server configuration. In this way, the server
can advertise different public IP addresses to different security zones, as shown in
Figure 4-14.
Figure 4-14 NAT server networking in the dual-ISP scenario (WAN interfaces in different security
zones)
DMZ
ISP1
Web Server
172.16.0.2
Private
network
GE1/0/4
172.16.0.1/24
2
0/ 0
1/ .1/3
E
1
G 1.
1.
GE
2.2 1/0
.2 . /3
Firewall
2/3
0
ISP1
ISP2
ISP2
In the following example, the public address advertised to ISP1 is 1.1.1.20 and that advertised
to ISP2 is 2.2.2.20.
Add interfaces to security zones.
[FW] firewall
[FW-zone-dmz]
[FW-zone-dmz]
[FW] firewall
zone dmz
add interface GigabitEthernet1/0/4
quit
zone name isp1
108
Learn Firewalls with Dr. WoW
[FW-zone-isp1] set priority 10
[FW-zone-isp1] add interface GigabitEthernet1/0/2
[FW-zone-isp1] quit
[FW] firewall zone name isp2
[FW-zone-isp2] set priority 20
[FW-zone-isp2] add interface GigabitEthernet1/0/3
[FW-zone-isp2] quit
Configure NAT server with the zone parameter specified.
[FW] nat server zone isp1 protocol tcp global 1.1.1.20 9980 inside 172.16.0.2 80
[FW] nat server zone isp2 protocol tcp global 2.2.2.20 9980 inside 172.16.0.2 80
Configure two security policies based on the interzone relationship.
[FW] policy interzone isp1 dmz inbound
[FW-policy-interzone-dmz-isp1-inbound] policy 1
[FW-policy-interzone-dmz-isp1-inbound-1] policy
[FW-policy-interzone-dmz-isp1-inbound-1] policy
[FW-policy-interzone-dmz-isp1-inbound-1] action
[FW-policy-interzone-dmz-isp1-inbound-1] quit
[FW-policy-interzone-dmz-isp1-inbound] quit
[FW] policy interzone isp2 dmz inbound
[FW-policy-interzone-dmz-isp2-inbound] policy 1
[FW-policy-interzone-dmz-isp2-inbound-1] policy
[FW-policy-interzone-dmz-isp2-inbound-1] policy
[FW-policy-interzone-dmz-isp2-inbound-1] action
[FW-policy-interzone-dmz-isp2-inbound-1] quit
[FW-policy-interzone-dmz-isp2-inbound] quit
destination 172.16.0.2 0
service service-set http
permit
destination 172.16.0.2 0
service service-set http
permit
Of course, do not forget blackhole routes.
[FW] ip route-static 1.1.1.20 32 NULL 0
[FW] ip route-static 2.2.2.20 32 NULL 0
After the configuration, the following server-map entries are generated on the firewall.
[FW] display firewall server-map
server-map item(s)
-----------------------------------------------------------------------------Nat Server, any -> 1.1.1.20:9980[172.16.0.2:80], Zone: isp1
Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Nat Server Reverse, 172.16.0.2[1.1.1.20] -> any, Zone: isp1
Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Nat Server, any -> 2.2.2.20:9980[172.16.0.2:80], Zone: isp2
Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Nat Server Reverse, 172.16.0.2[2.2.2.20] -> any, Zone: isp2
Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
109
Learn Firewalls with Dr. WoW
We can see that both the forward and return server-map entries are generated. The forward
server-map entries allow users on the Internet to access the private server, and the return
server-map entries allow the private server to initiate access to the Internet.
Therefore, we recommend that you add the WAN interfaces connected to ISP1 and ISP2 to
different security zones and configure NAT server with the zone parameter specified. If the
two interfaces have been added to the same zone and cannot be changed, there is another way.
Method 2: Specify the no-reverse parameter during NAT server configuration so that
the server can advertise two public IP addresses, as shown in Figure 4-15.
Figure 4-15 NAT server networking in dual-ISP scenario (WAN interfaces in the same security
zone)
DMZ
Untrust
Web Server
172.16.0.2
Private
network
GE1/0/4
172.16.0.1/24
2
0/ 0
1/ .1/3
E
G 1.1
1.
GE
2.2 1/0
.2 . /3
Firewall
2/3
0
ISP1
ISP2
In this scenario, the no-reverse parameter must be specified to ensure the functioning of NAT
server. The following example illustrates the NAT server configuration. Some configurations
are the same as in method 1 and are therefore omitted.
Configure NAT server with parameter no-reverse specified.
[FW] nat server protocol tcp global 1.1.1.20 9980 inside 172.16.0.2 80 no-reverse
[FW] nat server protocol tcp global 2.2.2.20 9980 inside 172.16.0.2 80 no-reverse
After the configuration, the following server-map entries are generated on the firewall.
[FW] display firewall server-map
server-map item(s)
-----------------------------------------------------------------------------Nat Server, any -> 1.1.1.20:9980[172.16.0.2:80], Zone: --Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Nat Server, any -> 2.2.2.20:9980[172.16.0.2:80], Zone: --Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
We can see only the forward server-map entries are generated to allow users on the Internet to
access the private server. However, to allow the private server to initiate access to the
Internet, you must configure a NAT policy in the Trust-to-Untrust interzone.
110
Learn Firewalls with Dr. WoW
You may ask that what if we do not specify the no-reverse parameter and configure two NAT
server entries? The answer is that the two NAT server commands cannot be delivered if we do
not specify the parameter.
[FW] nat server protocol tcp global 1.1.1.20 9980 inside 172.16.0.2 80
[FW] nat server protocol tcp global 2.2.2.20 9980 inside 172.16.0.2 80
Error: This inside address has been used!
Let's see what will happen if the two commands can be delivered. Let's run one command on
one firewall and the other command on the other firewall and check the server-map entries on
the two firewalls.
[FW1] nat server protocol tcp global 1.1.1.20 9980 inside 172.16.0.2 80
[FW1] display firewall server-map
server-map item(s)
-----------------------------------------------------------------------------Nat Server, any -> 1.1.1.20:9980[172.16.0.2:80], Zone: --Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Nat Server Reverse, 172.16.0.2[1.1.1.20] -> any, Zone: --Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
[FW2] nat server 1 global 2.2.2.20 inside 172.16.0.2
[FW2] display firewall server-map
server-map item(s)
-----------------------------------------------------------------------------Nat Server, any -> 2.2.2.20:9980[172.16.0.2:80], Zone: --Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Nat Server Reverse, 172.16.0.2[2.2.2.20] -> any, Zone: --Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
We can see that the return server-map entry on one firewall translates source address
172.16.0.2 to 1.1.1.20, and that on the other firewall translates source address 172.16.0.2 to
2.2.2.20. If the two return server-map entries appear on the same firewall, what will happen?
The firewall must translate source address 172.16.0.2 to both 1.1.1.20 and 2.2.2.20. Then, the
firewall does not know what to do. That is the problem if we do not specify the no-reverse
parameter in the nat server command. If the no-reverse parameter is specified, the return
server-map entries will not be generated, and this problem will not happen.
2.
Configure the sticky load balancing function.
We have learned how to determine whether to specify the zone or no-reverse parameter based
on whether the WAN interfaces connected to ISP1 and ISP2 are added to the same security
zone. However, we need to consider more than that in the dual-ISP scenario. We also need to
consider which ISP will be used to access the private server.
For example, if the users on ISP1 network access the private server through the public address
assigned by ISP2, the route is a detour. Moreover, the two ISPs may not be connected to each
other. As a result, the connection will be slow or even unavailable.
111
Learn Firewalls with Dr. WoW
Therefore, we must avoid such situations to ensure that the public address advertised for users
on ISP1 network is the public address obtained from ISP1 and that for users on ISP2 network
is the public address obtained from ISP2.
Moreover, when the firewall processes the return packets from the private server, such
problem may also occur. As shown in Figure 4-16, users on ISP1 network access the private
server through the public address obtained from ISP1, and the packets are received on
GE1/0/2. When the return packets from the private server arrive on the firewall, although the
packets match the session table and NAT is performed, the firewall must determine the
outgoing interface based on the destination address. If the firewall has a default route but does
not have a specific route to the user on the Internet, the return packets may be forwarded
through GE1/0/3, which is connected to the ISP2 network. The packets transmitted through
the ISP2 network may not be able to arrive on the ISP1 network.
Figure 4-16 NAT server traffic interrupted because the forward and return packets do not pass
through the same firewall interface
DMZ
ISP1
Web Server
172.16.0.2
Private
network
GE1/0/4
172.16.0.1/24
2
0/ 0
1/ .1/3
E
G 1.1
1.
ISP1
GE
2.2 1/0
.2 . /3
Firewall
2/3
0
ISP2
ISP2
To resolve this problem, we can configure routes to the users on ISP1 and ISP2 networks.
However, ISP1 and ISP2 networks have a large number of networks, and manual
configuration is not pragmatic. To resolve this issue, the firewall provides the sticky load
balancing function, meaning that packets take the same route back, without depending on the
routing table to determine the outgoing interface.
The sticky load balancing function must be configured on both firewall interfaces connected
to ISP1 and ISP2 networks. The following commands are used to enable sticky load balancing
on GE1/0/2. In this example, the next hop on ISP1 is 1.1.1.254. The commands are available
on USG9500 series.
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] redirect-reverse nexthop 1.1.1.254
For USG2000 or USG5000 series, the commands are:
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] reverse-route nexthop 1.1.1.254
For USG6000 series, the commands are:
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] gateway 1.1.1.254
[FW-GigabitEthernet1/0/2] reverse-route enable
112
Learn Firewalls with Dr. WoW
4.3 Bidirectional NAT
With the description in the previous sections, I believe you have known what are Source NAT
and NAT Server. With the two NAT functions, a firewall easily and skillfully translates both
incoming and outgoing traffic. Well, can the two NAT functions work together? The answer is
definitely "YES".
If both source and destination addresses of packets need to be translated, Source NAT and
NAT server are required. This configuration is also called "bidirectional NAT". Note that
bidirectional NAT is not an independent function. Instead, it is only a combination of Source
NAT and NAT Server. This combination applies to the same flow (for example, a packet from
an Internet user to an intranet server). When receiving the packet, the firewall translates both
its source and destination addresses. If Source NAT and NAT Server are configured on a
firewall for different flows, the configuration is not called bidirectional NAT.
To help you understand Source NAT, we assume the networking in which intranet users
access the Internet and verify the Source NAT configuration in that networking. Actually,
Source NAT can be classified into interzone NAT and intrazone NAT based on packet
transmission directions on the firewall.
Interzone NAT
NAT is performed on the packet transmitted between security zones. Interzone NAT can
also be classified into the following types based on packet transmission directions:
−
NAT Inbound
NAT is performed on the packets transmitted from a low-level security zone to a
high-level security zone. Generally, such NAT applies when Internet users access an
intranet, and therefore this technique is seldom used.
−
NAT Outbound
NAT is performed on the packets transmitted from a high-level security zone to a
low-level security zone. Such NAT applies when intranet users access the Internet,
which is a common scenario.
Intrazone NAT
NAT is performed when packets are transmitted within a security zone. Typically,
intrazone NAT works with NAT Server. Intrazone NAT is seldom separately configured.
When intrazone or interzone NAT works with NAT Server, bidirectional NAT is implemented.
Of course, the prerequisites of the previous description are the proper setting of security levels
for security zones and appropriate network planning: the intranet belongs to the Trust zone
(with a high security level); intranet servers belong to the DMZ (with a medium security
level); and the Internet belongs to the Untrust zone (with a low security level).
Bidirectional NAT is not special in terms of technologies and implementation principles, but
its applicable scenario has characteristics. When is bidirectional NAT required? What are
benefits after bidirectional NAT is configured? Is that OK if I do not configure bidirectional
NAT? These questions must be considered for the planning and deployment of live networks.
4.3.1 NAT Inbound + NAT Server
Figure 4-17 shows a typical NAT Server scenario in which an Internet user accesses an
intranet server. The following part describes how to configure and apply bidirectional NAT in
this scenario and the advantages of bidirectional NAT.
113
Learn Firewalls with Dr. WoW
Figure 4-17 Networking for NAT Inbound + NAT Server
DMZ
Intranet
server
10.1.1.2/24
Untrust
Public IP
address
1.1.1.1
Internet PC
1.1.1.2/24
Firewall
The NAT Server and Source NAT are configured as follows. The security policy and
blackhole route configurations are the same as those provided in previous sections and
therefore are omitted in this part. Let's first look at the NAT Server configuration.
[FW] nat server protocol tcp global 1.1.1.1 9980 inside 10.1.1.2 80
I think you have no doubt about the NAT Server configuration. After the configuration is
complete, the following server map is generated on the firewall:
[FW] display firewall server-map
server-map item(s)
-----------------------------------------------------------------------------Nat Server, any -> 1.1.1.1:9980[10.1.1.2:80], Zone: --Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Nat Server Reverse, 10.1.1.2[1.1.1.1] -> any, Zone: --Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Then, let's look at the Source NAT configuration.
[FW] nat address-group 1 10.1.1.100 10.1.1.100
[FW] nat-policy interzone untrust dmz inbound
[FW-nat-policy-interzone-dmz-untrust-inbound] policy 1
[FW-nat-policy-interzone-dmz-untrust-inbound-1] policy destination 10.1.1.2 0
//As
NAT Server is performed prior to Source NAT, the destination address here is the post-NAT
Server address, namely, the private address of the server.
[FW-nat-policy-interzone-dmz-untrust-inbound-1] action source-nat
[FW-nat-policy-interzone-dmz-untrust-inbound-1] address-group 1
[FW-nat-policy-interzone-dmz-untrust-inbound-1] quit
[FW-nat-policy-interzone-dmz-untrust-inbound] quit
The Source NAT configuration is different from that described in the previous section. The
difference is that the NAT address pool here has private addresses, not public addresses. In
addition, the NAT policy direction is inbound, indicating that NAT is performed when packets
flow from a low-level security zone to a high-level security zone. This NAT configuration is
NAT Inbound.
After the configuration is complete, when the Internet user accesses the intranet server, we
can view the session table on the firewall. The command output shows that both the source
and destination addresses of the packet have been translated.
[FW] display firewall session table
Current Total Sessions : 1
114
Learn Firewalls with Dr. WoW
http VPN:public --> public
1.1.1.2:2049[10.1.1.100:2048]-->1.1.1.1:9980[10.1.1.2:80]
Let's see the NAT process as indicated in Figure 4-18. After the packet from the Internet user
to the intranet server arrives at the firewall, NAT Server translates the destination address
(public address of the intranet server) into a private address, and NAT Inbound translates the
source address into a private address in the same network segment as the server address. In
this way, both the source and destination addresses of the packet are translated, implementing
bidirectional NAT. When the response packet from the intranet server arrives at the firewall,
bidirectional NAT is performed again. To be specific, both the source and destination
addresses of the packet are translated into public addresses.
Figure 4-18 Address translation procedures for NAT Inbound + NAT Server
IP packet
DMZ
Intranet server
10.1.1.2/24
IP packet
Source: 10.1.1.100
Source: 1.1.1.2
Destination: 10.1.1.2
Data
IP packet
Destination: 1.1.1.1
NAT
Firewall
Source: 10.1.1.2
Internet PC
1.1.1.2/24
IP packet
Source: 1.1.1.1
Destination: 10.1.1.100
Data
Data
Untrust
Destination: 1.1.1.2
NAT
Data
Here you may have a question: The Internet user can still access the intranet server even if
NAT Inbound is not configured. Why do you configure it? The answer lies in how the intranet
server processes the response packet.
We have set the addresses in the NAT address pool into the same network segment as the
intranet server address. When the intranet server replies to the access requests from the
Internet user, it finds that its address and the destination address are in the same network
segment. Then, the server does not search the routing table. Instead, it sends an ARP broadcast
packet to query the MAC address corresponding to the destination address. In this case, the
firewall sends the MAC address of the interface connecting to the intranet server to the
intranet server and asks the intranet server to reply. Then, the intranet server sends the
response packet to the firewall, and the firewall processes the packet.
As the intranet server does not search the routing table, it is unnecessary to set a gateway.
This is the benefit of using NAT Inbound. Someone may say "it is easier to set a gateway on
the server than configuring NAT Inbound on the firewall". It is true if there is only one server
on the network. If there are dozens of or even hundreds of servers on the network, you will
find how convenient the NAT Inbound configuration is. Certainly, applying bidirectional NAT
in such a scenario has a prerequisite that the intranet server and firewall must be in the same
network segment. Otherwise, bidirectional NAT does not apply.
If I add a Trust zone in this networking and intranet users in the Trust zone need to access the
intranet server in the DMZ, how can I configure bidirectional NAT? The NAT Server
configuration remains unchanged, while the Source NAT configuration changes a little bit. As
the security level of the Trust zone is higher than that of the DMZ, NAT Outbound is required
for the packets transmitted from the Trust zone to the DMZ. That is, the bidirectional NAT
configuration changes to NAT Server + NAT Outbound.
115
Learn Firewalls with Dr. WoW
4.3.2 Intrazone NAT + NAT Server
The combination of intrazone NAT + NAT Server applies to small networks. Figure 4-19
shows a typical small network. The administrator saves the trouble and plans the intranet host
and server in the same security zone.
Figure 4-19 Networking diagram for intrazone NAT + NAT Server
Trust
Intranet PC
10.1.1.3/24
Public IP address
1.1.1.1
Switch
Intranet
server
10.1.1.2/24
Firewall
In this networking, if the intranet host wants to use the public address 1.1.1.1 to access the
intranet server, NAT Server must be configured on the firewall. However, merely configuring
NAT Server is not enough. As shown in Figure 4-20, after a packet from the intranet host to
the intranet server arrives at the firewall, the firewall translates the destination address of the
packet from 1.1.1.1 to 10.1.1.2. When the intranet server replies, it finds that the destination
address is in the same network segment as its own address, and the reply packet is directly
forwarded through the switch to the intranet host, bypassing the firewall.
Figure 4-20 Diagram for packet forwarding after NAT Server is configured
IP packet
Source: 10.1.1.3
Destination: 1.1.1.1
Trust
Data
Packet sent from the intranet PC
to the intranet server
Intranet PC
10.1.1.3/24
IP packet
Source: 10.1.1.2
Destination: 10.1.1.3
Reply packet from the
intranet server
Data
SW
Firewall
Intranet server
10.1.1.2/24
116
Learn Firewalls with Dr. WoW
To improve intranet security by forcing the packets replied by the intranet server to pass
through the firewall, we must configure intranet NAT to translate the source address of the
packet sent from the intranet host to the intranet server. The post-NAT source address can be a
public or private address as long as it is not in the same network segment as the intranet server
address, ensuring that the reply packets from the intranet server can be forwarded to the
firewall.
The NAT Server and intrazone NAT are configured as follows. The blackhole route
configuration is the same as that provided in previous sections and therefore is omitted in this
part. Let's first look at the NAT Server configuration.
[FW] nat server protocol tcp global 1.1.1.1 9980 inside 10.1.1.2 80
After the configuration is complete, the following server map is generated on the firewall:
[FW] display firewall server-map
server-map item(s)
-----------------------------------------------------------------------------Nat Server, any -> 1.1.1.1:9980[10.1.1.2:80], Zone: --Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Nat Server Reverse, 10.1.1.2[1.1.1.1] -> any, Zone: --Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Then, let's look at the intrazone NAT configuration. The intrazone NAT configuration is
almost the same as the interzone NAT configuration. The only difference is that NAT is
performed within a zone for intrazone NAT while between zones for interzone NAT.
[FW] nat address-group 1 1.1.1.100 1.1.1.100
//The address can be either a public or
private address but cannot be in the same network segment as the intranet server.
[FW] nat-policy zone trust
[FW-nat-policy-zone-trust] policy 1
[FW-nat-policy-zone-trust-1] policy destination 10.1.1.2 0 //As NAT Server is
performed prior to intrazone NAT, the destination address here is the post-NAT Server
address, namely, the private address of the server.
[FW-nat-policy-zone-trust-1] action source-nat
[FW-nat-policy-zone-trust-1] address-group 1
[FW-nat-policy-zone-trust-1] quit
[FW-nat-policy-zone-trust] quit
The security policy configuration is not provided because firewalls (except the USG6000
series) do not control the packets transmitted within a security zone by default. Of course,
administrators can configure proper intrazone security policies as required.
After the configuration is complete, when the intranet host at 1.1.1.1 accesses the intranet
server, we can view the session table on the firewall. The command output shows that both
the source and destination addresses of the packet have been translated.
[FW] display firewall session table
Current Total Sessions : 1
http VPN:public --> public
10.1.1.3:2050[1.1.1.100:2048]-->1.1.1.1:9980[10.1.1.2:80]
Figure 4-21 shows the packet forwarding process.
117
Learn Firewalls with Dr. WoW
Figure 4-21 Diagram for packet forwarding after intrazone NAT and NAT Server are configured
Packet sent from the intranet PC
to the intranet server
IP packet
Source: 10.1.1.3
Trust
Destination: 1.1.1.1
Data
Intranet PC
10.1.1.3/24
SW
Intranet server
10.1.1.2/24
Firewall
IP packet
Source: 1.1.1.100
Destination: 10.1.1.2
Data
IP packet
Source: 1.1.1.1
Trust
Destination: 10.1.1.3
Data
Intranet PC
10.1.1.3/24
SW
Intranet server
10.1.1.2/24
Firewall
IP packet
Source: 10.1.1.2
Reply packet from the
intranet server
Destination: 1.1.1.100
Data
On the basis of this networking, if we connect the intranet host and server to the firewall
through interfaces in different network segments, only NAT Server is required, and all the
packets transmitted between the intranet host and server are forwarded through the firewall.
By way of the previous description, do you feel that the principle and configuration of
bidirectional NAT is not complicated? It is important to clarify the NAT direction and the
function of post-NAT addresses, not the attribute of the post-NAT addresses (public or
private). In addition, bidirectional NAT is not required. Sometimes, only Source NAT or NAT
118
Learn Firewalls with Dr. WoW
Server can achieve the same effect. The flexible use of bidirectional NAT simplifies network
configuration and facilitates network management, achieving the effect that one plus one is
greater than two.
4.4 NAT ALG
In the previous sections, I have introduced Source NAT, NAT Server, and bidirectional NAT
supported by firewalls. These NAT functions can be flexibly used in different scenarios. As
we know, NAT translates only the addresses in headers. For some protocols, such as FTP,
packet payloads also carry address information. If firewalls cannot properly process such
information, FTP may not work properly. Well, how should firewalls process such protocol
packets?
4.4.1 FTP Packets Traversing NAT Devices
Let's use FTP as an example to see what problems occur when FTP packets attempt to pass
through NAT devices. In this example, an FTP client resides on an intranet, and an FTP server
resides on the Internet. FTP works in active mode. Figure 4-22 shows the FTP interaction
process on the NAT device.
Figure 4-22 FTP interaction process 1 when Source NAT is configured
Source NAT
Firewall
FTP client
Intranet
src IP 192.168.1.2
src Port
2048
SYN
SYN+ACK
ACK
……
User name/password
exchange
……
PORT Command
(IP 192.168.1.2 Port 2049)
PORT Command OK
FTP server
Internet
src IP
src Port
1.1.1.1
4096
dst IP
dst Port
SYN
SYN+ACK
ACK
……
User name/password
exchange
……
PORT Command
(IP 192.168.1.2 Port 2049)
PORT Command OK
3.3.3.3
21
1
TCP three-way
handshake for
the control
connection
2
PORT command
exchange
3
192.168.1.2:2049
???
TCP three-way
handshake for
the data
connection
We can see that after a control connection is established between the FTP client and server,
the client sends a PORT command packet to the server, and the packet contains the private
address and port of the client. The firewall directly forwards the packet to the server. After
119
Learn Firewalls with Dr. WoW
receiving the packet, the FTP server initiates a data connection to 192.168.1.2 as instructed by
the PORT command. The problem is incurred. 192.168.1.2 is a private address. Packets
destined for this address cannot be transmitted on the Internet. As a result, the FTP service is
abnormal.
What should the firewall do to resolve the problem? If the firewall translates both the source
address in the header and the IP address in the application-layer information in the payload,
the data connection can be established.
The NAT Application Level Gateway (ALG) function resolves the problem. As a technique to
help packets traverse firewalls, NAT ALG enables a firewall to translate the IP addresses in
both headers and payloads. Figure 4-23 shows the FTP interaction process after NAT ALG is
enabled on the firewall.
Figure 4-23 FTP interaction process 2 when Source NAT is configured
Source NAT
Firewall
FTP client
Intranet
src IP 192.168.1.2
src Port
2048
FTP server
Internet
src IP
src Port
1.1.1.1
4096
dst IP
dst Port
SYN
SYN
SYN+ACK
SYN+ACK
ACK
……
User name/password
exchange
……
PORT Command
(IP 192.168.1.2 Port 2049)
NAT
ALG
PORT Command OK
3.3.3.3
21
1
TCP three-way
handshake for the
control connection
ACK
……
User name/password
exchange
……
PORT Command
(IP 1.1.1.1 Port 4097)
2
PORT command
exchange
PORT Command OK
dst IP
dst Port
1.1.1.1
4097
SYN
src IP
src Port
3.3.3.3
20
3
TCP three-way
handshake for the
data connection
After NAT ALG is enabled, the firewall translates the IP address carried in the PORT
command packet payload into the public address 1.1.1.1. After receiving the packet, the FTP
server initiates a data connection to 1.1.1.1.
You may have another question. Can the firewall permit the connection request even if the
FTP server can initiate the connection request? This question is so familiar. Right? To find the
answer, let's go back to the ASPF function in chapter 2 "Security Policy". After ASPF is
enabled, the firewall opens up an invisible channel for FTP data to bypass security policy
checks, traversing the firewall. The FTP service requires ASPF in NAT scenarios. Actually,
NAT ALG and ASPF are implemented using one command. Enabling NAT ALG also has
ASPF enabled. Therefore, after NAT ALG is enabled, the following server-map entry is
generated:
120
Learn Firewalls with Dr. WoW
Type: ASPF, 3.3.3.3 -> 1.1.1.1:24576[192.168.1.2:55177], Zone:--Protocol: tcp(Appro: ftp-data), Left-Time:00:00:03, Pool: --Vpn: public -> public
This server-map entry has address translation information. Before the aging time expires, this
entry helps the FTP server's data connection request packet traverse the firewall and
accurately arrive at the FTP client on the intranet. Figure 4-24 shows the complete FTP
interaction process.
Figure 4-24 FTP interaction process 3 when Source NAT is configured
Source NAT
Firewall
FTP client
Intranet
FTP server
Internet
src IP
src Port
src IP 192.168.1.2
src Port
2048
1.1.1.1
4096
dst IP
dst Port
SYN
SYN
SYN+ACK
SYN+ACK
ACK
……
User name/password
exchange
……
PORT Command
(IP 192.168.1.2 Port 2049)
PORT Command OK
ACK
……
User name/password
exchange
……
NAT
ALG
3.3.3.3
21
1
TCP three-way
handshake for the
control connection
PORT Command
(IP 1.1.1.1 Port 4097)
2
PORT Command OK
PORT command
exchange
Generate
server-map
dst IP 192.168.1.2
2049
dst Port
SYN
SYN+ACK
ACK
LIST Command
dst IP
dst Port
Match
server-map
1.1.1.1
4097
src IP
src Port
SYN
SYN+ACK
ACK
3.3.3.3
20
3
TCP three-way
handshake for the
data connection
LIST Command
Transmit data
Transmit data
……
……
In addition to the Source NAT scenario, the NAT Server scenario requires NAT ALG and
ASPF. In this example, an FTP client resides on the Internet, and an FTP server resides on an
intranet. FTP works in passive mode. Figure 4-25 shows the complete FTP interaction
process.
121
Learn Firewalls with Dr. WoW
Figure 4-25 FTP interaction process when NAT Server is configured
NAT Server
Firewall
FTP server
Intranet
src IP
src Port
src IP 192.168.1.2
src Port
21
FTP client
Internet
1.1.1.1
21
dst IP
dst Port
3.3.3.3
2048
SYN
SYN
1
SYN+ACK
ACK
……
User name/password
exchange
……
SYN+ACK
TCP three-way
handshake for the
control connection
ACK
……
User name/password
exchange
……
PASV Command
PASV Command
PASV Command OK
(IP 192.168.1.2 Port 2049)
NAT
ALG
2
PASV command
exchange
PASV Command OK
(IP 1.1.1.1 Port 4097)
Generate
server-map
dst IP 192.168.1.2
2049
dst Port
SYN
SYN+ACK
dst IP
dst Port
Match
server-map
ACK
LIST Command
1.1.1.1
4097
src IP
src Port
3.3.3.3
2049
SYN
SYN+ACK
ACK
3
TCP three-way
handshake for the
data connection
LIST Command
Transmit data
Transmit data
……
……
The following server-map entries are generated on the firewall:
[FW] display firewall server-map
server-map item(s)
-----------------------------------------------------------------------------Nat Server, any -> 1.1.1.1:21[192.168.1.2:21], Zone: --Protocol: tcp(Appro: ftp), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
Nat Server Reverse, 192.168.1.2[1.1.1.1] -> any, Zone: --Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: --VPN: public -> public
ASPF, 3.3.3.3 -> 1.1.1.1:4097[192.168.1.2:2049], Zone: --Protocol: tcp(Appro: ftp-data), Left-Time: 00:00:53, Addr-Pool: --VPN: public -> public
The control connection packet initiated by the FTP client matches the forward server-map
entry for NAT Server, and the address is translated. The data connection packet initiated by
the FTP client matches the server-map entry for ASPF, and the address is translated.
122
Learn Firewalls with Dr. WoW
In conclusion, if multi-channel protocols such as FTP, SIP, and H.323 are used and NAT
applies on a network, enabling both NAT ALG and ASPF on the firewall is
recommended, so that the protocols can work properly.
4.4.2 QQ/MSN/User-defined Protocol Packets Traversing NAT
Devices
We also mentioned QQ, MSN, and user-defined protocols in chapter 2 "Security Policy".
Firewalls classify such protocols into one type: STUN. STUN is short for Simple Traversal of
UDP Through Network Address Translators, which is a NAT traversal mode. Unlike NAT
ALG, STUN does not need any processing on NAT devices. Instead, the STUN client on an
intranet obtains its public address through information exchanges between the STUN client
and server. Then, the client adds the public address in the payload and sends the packet. In
this manner, the server on the Internet obtains the public address of the client from the
payload and initiates a connection request to the client.
STUN protocols are responsible for their running during address translation. Therefore, NAT
ALG is not required for these protocols. However, we still to consider how to make their
service packets pass through the firewall. The solution is also ASPF. After a packet matches
the ASPF server-map entry, it can traverse the firewall.
TFTP is used as an example. The following part provides a triplet ASPF server-map entry for
the user-defined protocol in a NAT scenario (the server-map entries generated for QQ and
MSN are similar to this server-map entry):
Type: STUN, ANY -> 1.1.1.1:4096[192.168.1.2:63212], Zone:--Protocol: udp(Appro: stun-derived), Left-Time:00:04:58, Pool: 1, Section: 0
Vpn: public -> public
Type: STUN Reverse, 192.168.1.2:63212[1.1.1.1:4096] -> ANY, Zone:--Protocol: udp(Appro: stun-derived), Left-Time:00:04:58, Pool: 1, Section: 0
Vpn: public -> public
Unlike the entries generated in non-NAT scenarios, these entries contain address translation
information. In addition, two server-map entries are generated. The entry with the Type being
STUN is the forward entry, while the entry with the Type being STUN Reverse is the reverse
entry. Before the aging time expires, the forward entry helps the connection request initiated
by the TFTP server traverse the firewall and accurately arrive at the TFTP client on the
intranet; the reverse entry helps the firewall translate the address and port (63212) of the
packet sent from the TFTP client to the server into the public address (1.1.1.1) and port (4096).
This implementation ensures that a specific application (identified by the port number) for an
intranet user is presented using the fixed public address and port, ensuring the normal running
of TFTP services.
4.4.3 One Command Controlling Two Functions
In early Huawei firewalls, ASPF and NAT ALG are controlled using separate commands.
Currently, most firewalls use one command to control these two functions. To be specific, the
detect command can be used in the intrazone or interzone view to enable ASPF. Then, NAT
ALG is automatically enabled.
The firewall determines the use of NAT ALG, ASPF, or both as required. What we should do
is only to run the command, reducing the configuration workload.
Specific to typical protocols, Table 4-3 lists the firewall processing modes after the detect
command is used.
123
Learn Firewalls with Dr. WoW
Table 4-3 Processing modes for typical protocols
Typical
Protocol
NAT Scenario
or Not
Effective
Function
Effect
FTP
Non-NAT
scenario
ASPF
Server-map entries are generated to
help the packets from other hosts to
FTP, SIP, and H.323 hosts traverse the
firewall.
NAT scenario
NAT ALG
The IP addresses in payloads are
translated.
ASPF
Server-map entries (with address
translation information) are generated
to help the packets from other hosts on
the Internet to FTP, SIP, and H.323
hosts on an intranet traverse the
firewall.
Non-NAT
scenario
ASPF
Triplet
server-map
entries
are
generated to help the packets from
other hosts to QQ, MSN, and
user-defined hosts traverse the firewall.
NAT scenario
ASPF
Triplet server-map entries (with
address translation information) are
generated to help the packets from
other hosts on the Internet to QQ,
MSN, and user-defined hosts on an
intranet traverse the firewall.
SIP
H323
QQ
MSN
User-defined
As indicated in the preceding table, ASPF generates a triplet server-map entry for a
user-defined protocol in the NAT scenario. We also mentioned triplet NAT in section 4.1.6
"Triplet NAT". What is the difference between them?
4.4.4 Differences Between ASPF for User-defined Protocols and
Triplet NAT
Triplet NAT allows the co-existence of P2P and NAT. When an intranet host accesses the
Internet, an asymmetric network system is established after NAT is performed on a firewall.
This means that the intranet host can access the Internet, but Internet users cannot initiate
access to the intranet host.
After triplet NAT is deployed, the firewall generates a server-map entry to allow the packets
from an Internet user to the intranet user to traverse the firewall. In this way, P2P-based
applications such as file sharing, voice communications, and video transmission can properly
run in NAT scenarios.
The server map for triple NAT contains the source (forward) and destination (reverse) entries.
Type: FullCone Src, 192.168.1.2:51451[1.1.1.1:2048] -> ANY, Zone:--Protocol: tcp(Appro: ---), Left-Time:00:00:57, Pool: 1, Section: 0
Vpn: public -> public
Type: FullCone Dst, ANY -> 1.1.1.1:2048[192.168.1.2:51451], Zone:---
124
Learn Firewalls with Dr. WoW
Protocol: tcp(Appro: ---), Left-Time:00:00:57, Pool: 1, Section: 0
Vpn: public -> public
In the preceding example, the entry marked FullCone Src is the source server-map entry.
Before the aging time expires, the addresses of the packets that the intranet host initiates using
the specific port (51451) to the Internet are translated into the public address (1.1.1.1) and
port (2048). This implementation ensures that a specific application (identified by the port
number) for the intranet user is presented using the fixed public address and port, ensuring the
normal running of P2P services. The entry marked FullCone Dst is the destination
server-map entry. Before the aging time expires, Internet users can initiate access to the
specified intranet user.
If we compare these server-map entries with the triplet server-map entries that ASPF
generates for user-defined protocols in NAT scenarios, we can find that two server-map
entries are generated in both conditions, including the address, port, and protocol information.
The ASPF processing for user-defined protocols in NAT scenarios can be considered as a
special triplet NAT implementation. Both techniques allow P2P packets to traverse firewalls.
Let's look at their difference. ASPF applies to both NAT and non-NAT scenarios. In non-NAT
scenarios, triplet server-map entries do not carry address translation information. In NAT
scenarios, triplet server-map entries carry address translation information. As a NAT mode,
triplet NAT works only in NAT scenarios, and its server-map entries carry address translation
information.
Another important difference is that after a packet matches an ASPF triplet server-map entry,
the firewall allows the packet to pass without checking it based on security policies (the aspf
packet-filter acl-number { inbound | outbound } command in the interzone view or the aspf
packet-filter acl-number command in the intrazone view can also be configured to filter
packets); after a packet matches a triplet NAT server-map entry, the firewall determines
whether to check the packet based on security policies according to the firewall
endpoint-independent filter enable command setting. If this function is enabled, the firewall
does not check the packet. If this function is disabled, the firewall checks the packet.
From the configuration perspective, the ASPF configuration for a user-defined protocol
requires the familiarity of the protocol features for the accurate ACL definition. An incorrect
configuration may cause the protocol unable to work or affect the normal running of other
services. Compared with the ASPF configuration, the triplet NAT configuration is simpler.
What we should do is to configure a NAT policy and specify the address pool mode to triplet
NAT (full-cone).
Their support conditions on Huawei firewalls also differ. The USG9500 series supports both
ASPF for user-defined protocols and triplet NAT; the USG2000/5000/6000 series supports
only ASPF for user-defined protocols. When both NAT and P2P applications exist on a
network, you are advised to configure triplet NAT on the USG9500 series or ASPF for
user-defined protocols on the USG2000/5000/6000 series for the normal running of P2P
services.
Table 4-4 lists the comparison between ASPF for user-defined protocols and triplet NAT.
Table 4-4 Differences between ASPF for user-defined protocols and triplet NAT
ASPF
for
Protocols
Item
Server-map
elements
entry
User-defined
Triplet NAT
Triplet
Triplet
Including the address, port,
and protocol type
Including the address, port, and
protocol type
125
Learn Firewalls with Dr. WoW
Item
ASPF
for
Protocols
Number
of
server-map entries
Two
Two
Including the forward and
reverse entries
Including the source
destination entries
Operating
environment
NAT and non-NAT scenarios
NAT scenario
The packets matching ASPF
server-map entries are not
controlled by security policies.
A specific command setting
determines whether the packets
matching
triplet
NAT
server-map
entries
are
controlled by security policies.
Configuration
requirement
ACL rules must be accurately
defined.
The NAT address pool must be
set to the full-cone mode.
Support condition
Supported
by
the
USG2000/5000/6000/9500
series
Supported only by the USG9500
Impact on
policies
security
User-defined
Triplet NAT
and
4.5 Function of Blackhole Routes in NAT Scenarios
In previous sections, I have mentioned multiple times that a blackhole route must be
configured for NAT to prevent routing loops. Why should we do this? I will tell you the cause
in this section.
4.5.1 Blackhole Route in a Source NAT Scenario
First, let's establish a typical Source NAT network, as shown in Figure 4-26.
Figure 4-26 Networking diagram 1 for Source NAT
Trust
Untrust
NAT address pool
202.1.1.10
GE1/0/1
192.168.0.1/24
Intranet PC
192.168.0.2
Internet Web server
210.1.1.2
GE1/0/2
202.1.1.1/30
Firewall
Router
The NAT configuration on the firewall is as follows:
Configure a NAT address pool.
[FW] nat address-group 1 202.1.1.10 202.1.1.10
Configure a NAT policy.
126
Learn Firewalls with Dr. WoW
[FW] nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound] policy 1
[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0
0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-1] address-group 1
[FW-nat-policy-interzone-trust-untrust-outbound-1] quit
[FW-nat-policy-interzone-trust-untrust-outbound] quit
Configure a security policy.
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-1] action permit
[FW-policy-interzone-trust-untrust-outbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] quit
In addition, configure a default route with the next hop pointing to the address of the router
interface.
[FW] ip route-static 0.0.0.0 0 202.1.1.2
The address in the NAT address pool is 202.1.1.10. The address of the interface connecting
the firewall to the router is 202.1.1.1 with a 30-bit mask. The two addresses are not in the
same network segment.
In normal conditions, when the intranet PC accesses the Web server on the Internet, a session
table is generated, and the source address is translated.
[FW] display firewall session table
Current Total Sessions : 1
http VPN:public --> public 192.168.0.2:2050[202.1.1.10:2049]-->210.1.1.2:80
If a PC on the Internet proactively accesses the NAT address pool on the firewall, as shown in
Figure 4-27, what will happen?
Figure 4-27 Networking diagram 2 for Source NAT
Trust
Untrust
NAT address pool
202.1.1.10
GE1/0/1
192.168.0.1/24
Intranet PC
192.168.0.2
Internet Web server
210.1.1.2
GE1/0/2
202.1.1.1/30
Firewall
Router
Internet PC
220.1.1.2
Run the ping 202.1.1.10 command on the Internet PC. The ping fails.
PC> ping 202.1.1.10
Ping 202.1.1.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
127
Learn Firewalls with Dr. WoW
--- 202.1.1.10 ping statistics --5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Obviously, this is the expected result. The NAT address pool is used only for private address
translation. In other words, the firewall translates the address in the request packet only when
the intranet PC initiates an access request. The NAT address pool does not provide other
services. Therefore, when the Internet PC initiates an access request to the NAT address pool,
the request packet cannot traverse the firewall to reach the intranet PC. Consequently, the ping
fails.
The actual situation is much more complicated. If we enable packet capture at GE1/0/2 on the
firewall and run the ping 202.1.1.10 -c 1command on the Internet PC to send only one packet,
the command output is as follows:
PC> ping 202.1.1.10 -c 1
Ping 202.1.1.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
--- 202.1.1.10 ping statistics --1 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Then, check information about the packets captured on GE1/0/2.
Wow! The result shocks me. So many ICMP packets! I analyze these packets and find that the
TTL values of the packets decrease by 1 and finally become 1. We know that the TTL stands
for Time to Live. The TTL value of a packet reduces 1 whenever the packet is forwarded by a
device. When the TTL value becomes 0, the packet will be discarded. This means that the
packet from the Internet PC to the NAT address pool is repeatedly forwarded between the
firewall and router until the TTL value of the packet becomes 0 and the packet is discarded.
128
Learn Firewalls with Dr. WoW
Let's go through the process:
2.
The router receives a packet from the Internet PC to the NAT address pool and finds the
destination address is not in the directly connected network segment. Then, the router
searches its routing table and forwards the packet to the firewall.
3.
After receiving the packet, the firewall forwards it based on the default route because the
packet is not the return packet from the intranet to the Internet and does not match the
session table. What's more, the destination address is not in the directly connected
network segment (the firewall is unaware that the destination address is its NAT address
pool address). As the packet comes in to and goes out of the firewall through the same
interface, it flows within one security zone, and therefore the packet is not controlled by
security policies by default. Consequently, the firewall forwards the packet through
GE1/0/2 to the router.
4.
After receiving the packet, the router searches the routing table again and then sends the
packet back to the firewall. The process repeats. This poor packet is like a ball kicked
between the devices and finally discarded, leaving the network with pity.
Well, what will happen if a blackhole route is configured? First, let's configure a blackhole
route with the destination address being the NAT address pool address. To prevent the
blackhole route from affecting services, set its mask to 32-bit to exactly match 202.1.1.10.
[FW] ip route-static 202.1.1.10 32 NULL 0
Then, enable packet capture at GE1/0/2 on the firewall and run the ping 202.1.1.10 -c 1
command on the Internet PC. This time we also send only one packet. View information about
the captured packet.
You can see that only one ICMP packet is captured, indicating that the packet matches the
blackhole route on the firewall and the firewall directly discards the packet. The blackhole
route prevents routing loops between the firewall and router. The firewall sends such packets
to the black hole, instead of repeatedly forwarding them. Moreover, the blackhole route does
not affect services. The intranet PC can still access the Web server on the Internet.
129
Learn Firewalls with Dr. WoW
You may say that the packet will be finally discarded even if I do not configure the blackhole
route. So the blackhole route is not necessary. In the preceding example, we use only one ping
packet to demonstrate the process. Try to imagine, if a malicious user on the Internet
manipulates thousands of PCs to initiate access to the NAT address pool, numerous packets
will be repeatedly forwarded between the firewall and router, consuming link bandwidth
resources and exhausting the system resources on the devices for processing such packets,
probably affecting normal services.
Therefore, when the NAT address pool and the public interface address are in different
network segments, you must configure a blackhole route to prevent loops.
Does the problem persist if the NAT address pool and the public interface address are in the
same network segment? Let's verify the process.
First, change the mask to 24-bit for the interface connecting the firewall to the router. In this
way, the NAT address pool and interface address are in the same network segment. Then,
delete the blackhole route configuration, enable packet capture on GE/1/0/2, run the ping
202.1.1.10 -c 1 command on the Internet PC, and view information about the captured
packets.
The result shows that only three ARP packets and one ICMP packet are captured. The packets
from the Internet PC to the NAT address pool are not forwarded between the firewall and
router. Let's look at the process:
5.
After receiving a packet requesting to access the NAT address pool from the Internet PC,
the router finds that the destination address of the packet belongs to a directly connected
network segment and sends an ARP request. The firewall then replies to the ARP request.
The first two captured packets complete this interaction process. Then, the router
encapsulates the MAC address notified by the firewall into a packet and sends the packet
to the firewall.
6.
After receiving the packet, the firewall finds that the destination address belongs to the
same network segment as its GE1/0/2 and sends an ARP request (the third captured ARP
packet) to search for the MAC address corresponding to this IP address (the firewall is
still unaware that the destination address is its NAT address pool address). No device
130
Learn Firewalls with Dr. WoW
replies because this address is configured only on the firewall. Finally, the firewall
discards the packet.
So, no routing loop occurs in this situation. But if malicious users on the Internet initiate a
large number of access requests, the firewall has to send the corresponding number of ARP
requests, exhausting system resources. Therefore, a blackhole route is recommended even if
the NAT address pool and the public interface address are in the same network segment,
saving system resources on the firewall.
The following screenshot shows information about the captured packet after a blackhole route
is configured. You can see that the firewall does not send ARP requests.
There is an extreme case that the public interface address is configured as the post-NAT
address (in Easy-IP mode) or the NAT address pool. Do I still need to configure a blackhole
route?
Let's analyze the process. The firewall receives a packet from the Internet PC and finds that
the firewall itself is the destination of the packet. How the firewall processes the packet is
determined by the security policy applying to the interzone between the public interface's
zone and the Local zone. If the action for the matching condition is permit, the firewall
processes the packet; if the action is deny, the firewall discards the packet. In this process, no
routing loop occurs, and no blackhole route is required.
4.5.2 Blackhole Route in a NAT Server Scenario
Now, you may ask me "Does NAT Server have the same problem?" Yes, NAT Server may also
encounter routing loops, but the prerequisites are special and determined by the NAT Server
configuration. In the typical NAT Server networking shown in Figure 4-28, the Global address
of NAT Server and public interface address are in different network segments. The following
description is based on the assumption that the interface addresses, security zones, security
policies, and routes have been configured.
131
Learn Firewalls with Dr. WoW
Figure 4-28 NAT Server networking
DMZ
Untrust
NAT Server public IP address
202.1.1.20
Internet PC
220.1.1.2
GE1/0/1
192.168.0.1/24
Intranet Web server
192.168.0.20
GE1/0/2
202.1.1.1/30
Firewall
Router
If we configure imprecise NAT Server on the firewall to advertise the intranet Web server to
the Internet as follows:
[FW] nat server global 202.1.1.20 inside 192.168.0.20
The firewall translates the destination addresses of all packets from the Internet PC to
202.1.1.20 into 192.168.0.20 and then sends the packets to the intranet Web server. No loop
occurs.
If we configure refined NAT Server to advertise only the port number used by the intranet
Web server to the Internet as follows:
[FW] nat server protocol tcp 202.1.1.20 9980 inside 192.168.0.20 80
But the Internet PC uses the ping command to access 202.1.1.20, instead of accessing port
9980 for 202.1.1.20 as we expected, the packet does not match the server map or session table
on the firewall. Finally, the firewall searches the routing table and forwards the packet
through GE1/0/2. After receiving the packet, the router sends it back to the firewall, causing a
routing loop.
Therefore, when NAT Server with the specified protocol and port number is configured
on the firewall, and the Global address for NAT Server and the public interface address
132
Learn Firewalls with Dr. WoW
are in different network segments, you must configure a blackhole route to prevent
loops.
If the Global address for NAT Server and the public interface address are in the same network
segment, after the firewall receives a ping packet, it sends an ARP request, and the following
process is the same as that described above. Likewise, a blackhole route is recommended
when the specified protocol and port number for NAT Server are configured and the
Global address for NAT Server and the public interface address are in the same network
segment, saving system resources on the firewall.
Also, we can set the public interface address as the Global address when configuring NAT
Server. In this case, after receiving a packet from the Internet PC, if the packet matches the
server map, the firewall translates the destination address of the packet and forwards the
packet to the intranet; if the packet does not match the server map, the firewall considers
itself as the destination of the packet. How the firewall processes the packet is determined
by the security zone applying to the interzone between the public interface's zone and the
Local zone. No routing loop occurs, and no blackhole route is required.
4.5.3 Summary
Now, I believe you have understood why we need to configure a blackhole route. Do you feel
your "internal strength" has improved? Let's sum up.
For Source NAT:
If the NAT address pool and public interface address are in different network segments, a
blackhole route is required.
If the NAT address pool and public interface address are in the same network segment, a
blackhole route is required.
For NAT Server with the specified protocol and port number:
If the Global address and public interface address are in different network segments, a
blackhole route is required.
If the Global address and public interface address are in the same network segment, a
blackhole route is recommended.
Besides the advantages described above, a blackhole route has another function: to advertise
the blackhole route on the firewall (OSPF route) to the router.
When the NAT address pool (or Global address) and the address of the interface connecting
the firewall to the router are in different network segments, a static route must be configured
on the router to the NAT address pool or Global address, so that the router can forward the
packets destined for the NAT address pool or Global address to the firewall.
If the firewall and router run OSPF, they can automatically learn OSPF routes, reducing
manual configuration workloads. However, unlike interface addresses, the NAT address pool
and Global address cannot be advertised using the network command as OSPF routes. Well,
how can the router learn such routes?
The blackhole route helps resolve the problem. We can import the blackhole route as a static
route to the OSPF routing table on the firewall and advertise this OSPF route to the router. In
this manner, the router forwards the packets destined for the NAT address pool or Global
address to the firewall (NOT to the black hole).
The NAT Server networking is used as an example. The Global address and public interface
address are in different network segments. Both the firewall and router run OSPF. Import the
following static route to the OSPF routing table on the firewall:
133
Learn Firewalls with Dr. WoW
[FW] ospf 100
[FW-ospf-100] import-route static
[FW-ospf-100] area 0.0.0.0
[FW-ospf-100-area-0.0.0.0] network 202.1.1.0 0.0.0.3
[FW-ospf-100] quit
Now, the router can learn the route to the Global address for NAT Server:
[Router] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 7
Routes : 7
Destination/Mask
127.0.0.0/8
127.0.0.1/32
202.1.1.0/30
202.1.1.2/32
202.1.1.20/32
Proto
Direct
Direct
Direct
Direct
O_ASE
Pre Cost
0
0
0
0
150
210.1.1.0/30 Direct 0
210.1.1.1/32 Direct 0
Flags NextHop
Interface
0
0
0
0
1
D
D
D
D
D
127.0.0.1
127.0.0.1
202.1.1.2
127.0.0.1
202.1.1.1
InLoopBack0
InLoopBack0
Ethernet0/0/0
Ethernet0/0/0
Ethernet0/0/0
0
0
D
D
210.1.1.1
127.0.0.1
Ethernet0/0/1
Ethernet0/0/1
134
Learn Firewalls with Dr. WoW
5
GRE&L2TP VPN
5.1 Introduction to VPN Technology
The wireless access needs of large companies are not limited only to those of the company
HQ network—branch companies, offices, mobile employees and partner entities also require
access to company HQ network resources. Everyone knows that these circumstances require
the use of Virtual Private Network (VPN) technology, but choosing which VPN technology to
use still requires quite a bit of skill and knowledge, and therefore I, Dr. WoW, will share some
of my knowledge about this below.
VPNs refer to private, dedicated virtual communications networks established on public
networks, and are extensively used in corporate network scenarios where branch
organizations and mobile employees connect to their company's HQ network.
How are VPN networks and VPN technologies generally classified?
5.1.1 VPN Classification
1.
By the entity that builds them
This kind of classification is made according to whether the VPN network's endpoint
equipment (key equipment) is provided by a carrier or by the enterprise itself.
−
Leasing carrier VPN lines to build a corporate VPN network: as shown in Figure 5-1,
this primarily refers to leasing a carrier's Multiprotocol Label Switching (MPLS)
VPN line services. Examples of this include the MPLS VPN line services offered by
China Unicom and China Telecom. The main advantage of MPLS VPN lines
compared with more traditional leased transmissions lines, such as E1 or
Synchronous Digital Hierarchy (SDH) lines, is that line leasing costs are lower.
135
Learn Firewalls with Dr. WoW
Figure 5-1 Leasing carrier VPN lines to build a corporate VPN network
Branch 1
CE
Carrier
MPLS VPN
PE
HQ
PE
CE
Branch 2
CE
−
CE: Customer Edge
PE: Provider Edge
User-built VPN networks: As shown in Figure 5-2, the most commonly used method
at present is to build an Internet-based corporate VPN network, using technology
such as GRE, L2TP, IPSec, DSVPN, SSL and VPN. When using this sort of plan, a
company only needs to pay for equipment purchases and Internet access fees—there
is no VPN line leasing fee. In addition, companies enjoy more decision-making
power over network control, and can carry out network adjustments more
conveniently. The VPNs that I'll be introducing are exactly this class of VPNs.
Figure 5-2 User-built enterprise VPN network
Branch
Partner
HQ
Mobile employee
2.
By the method of network organization
−
Remote access VPNs: Figure 5-3 shows a scenario used when a mobile employee
connects to the network using a VPN dial up. The employee can simply access the
enterprise's internal network at any place with an Internet connection through a
remote dial-up, allowing him/her to access internal network resources.
136
Learn Firewalls with Dr. WoW
Figure 5-3 Remote access VPN
Access user
HQ
−
Site-to-site VPN: As shown in Figure 5-4, this kind of VPN is used when
interconnecting the LANs of two of an enterprise's branches from different locations.
Figure 5-4 Site-to-site VPN
Branch
3.
HQ
By type of use
−
Access VPNs (remote access): targeted towards mobile employees, these permit a
mobile employee to "step-over" the public network to obtain remote access to a
company's internal network.
−
Intranet VPNs: intranet VPNs use a public network to interconnect a corporation's
various internal networks.
−
Extranet VPNs: an extranet VPN uses a VPN to extend a company's network to
include its partners' offices, allowing different companies to set up a VPN together
using the Internet. The difference between intranet VPNs and extranet VPNS
primarily lies in the extent to which access is granted to a company's HQ network
resources.
Figure 5-5 Remote access VPN/intranet VPN/extranet VPN
Intranet VPN
Branch
HQ
Partner
Extranet VPN
Remote access VPN
Mobile employee
137
Learn Firewalls with Dr. WoW
4.
By the network layer on which VPN technology operates
−
Data link layer-based VPNs: L2TP, L2F, and PPTP. Of these, L2F and PPTP have
already been replaced by L2TP, and this chapter will not further detail these two
technologies.
−
Network layer-based VPNs: GRE, IPSec, and DSVPN
−
Application layer-based VPNs: SSL
5.1.2 Key VPN Technologies
The common point of Internet-based VPN technologies is that they must solve the VPN
network's security problems:
The geographical location from which mobile employees connect to a network is not
fixed, and the location at which they are located frequently is not protected by their
company's information security measures, so there needs to be strict access
authentication for mobile employees. This involves identity authentication technology. In
addition, there also needs to be precise control over the resources that can be accessed by
mobile employees and the authority given to them.
Authorization needs to be given flexibly to partner companies/individuals based upon
new operational developments, and limits also need to be placed on the extent to which
partners can access the network and on the categories of data they can transmit. It is
recommended that identity authentication be conducted for partners. After successful
authentication, security policies can be used to limit partner's access privileges.
In addition, data transmission between HQ and its branch organizations, partners, and
mobile users must be secure, and the process of achieving this involves data encryption
and data validation technologies.
A brief explanation of several key technologies that VPNs use in resolving the aforesaid
problems is made below:
1.
Tunneling technology
Tunneling technology is a fundamental VPN technology, and is similar to point-to-point
connection technologies. As shown in Figure 5-6, after VPN gateway 1 receives the
original packet, it "encapsulates" the packet, and then transmits it over the Internet to
VPN gateway 2. VPN gateway 2 then "decapsulates" the packet to obtain the original
packet.
Figure 5-6 Tunneling technology
HQ
Branch
VPN gateway 1
Original
packet
VPN gateway 2
Encapsulated packet
Server
Decapsulated
packet
VPN tunnel
The process of "encapsulation/decapsulation" itself provides security protections for the
original, 'raw' packets, and so when encapsulated packets are transmitted on the Internet,
138
Learn Firewalls with Dr. WoW
the logical path they travel is called a "tunnel". The processes of
encapsulation/decapsulation used by different VPN technologies are completely different,
and specific encapsulation processes will be explained below in detail for each VPN
technology.
2.
Identity authentication technologies
These are primarily used in remote connections by employees working remotely. HQ's
VPN gateways authenticate users' identities to confirm that users connecting to the
internal network are legitimate, and not malicious, users.
Different VPN technologies provide different methods for user identity authentication:
3.
−
GRE: does not support user identity authentication technology.
−
L2TP: relies on PPP-provided authentication (for example, CHAP, PAP, or EAP).
When authenticating users accessing the network, it can use either local
authentication methods or a third-party RADIUS server to verify the users' identities.
Following successful authentication, users are assigned internal IP addresses, and
authorization and management of the users is conducted using these IP addresses.
−
IPSec: supports EAP authentication of users when IKEv2 is used. Authentication can
be made using local authentication methods or using a third-party RADIUS server.
Following successful authentication, users are assigned internal IP addresses, and
authorization and management of the users is conducted using these IP addresses.
−
DSVPN: does not support user identity authentication technology.
−
SSL VPN: supports local authentication, certificate-based authentication and
server-based authentication of access users. In addition, users seeking to connect to a
network can also authenticate the identity of the SSL VPN server to confirm the SSL
VPN server's legitimacy.
Encryption technology
Encryption is the process of making a plaintext message into a ciphertext message. As
shown in Figure 5-7, this makes it so that even if hackers intercept and capture a packet,
they have no way of knowing the packet's real meaning. The target of encryption can be
either data packets or protocol packets, allowing for improved protocol security for both
protocol packets and data packets.
Figure 5-7 Data encryption
Source
Destination
Plaintext
Hello
Encryption
!@#$%
!@#$%
Ciphertext
!@#$%
Ciphertext
Decryption
Hello
Plaintext
139
Learn Firewalls with Dr. WoW
4.
−
GRE and L2TP protocols do not provide encryption technology themselves, so these
are generally combined with IPSec protocols, relying on IPSec's encryption
technology.
−
IPSec: supports encryption of data packets and protocol packets.
−
DSVPN: supports encryption of data packets and protocol packets after an IPSec
security framework is configured.
−
SSL VPN: supports encryption of data packets and protocol packets.
Data validation technologies
Data validation technology conducts inspections of packet integrity, and discards
counterfeit packets and packets that have been tampered with. How is this validation
conducted? By using a kind of "digest" technology, shown in Figure 5-8 (the figure only
shows the validation process; under normal circumstances, validation is used together
with encryption). "Digest" technology primarily uses the hash function to convert a long
packet into a short packet. Packet validation is conducted both at the sending and
receiving ends, with only packets with identical digests being accepted.
Figure 5-8 Data validation
Source
Destination
Plaintext
Hello
Hash
Digest
Hello
Digest
Hello
Digest
Hash
Consistent?
Digest
−
GRE: only provides simple checksum validation and keyword validation, but it can
be used together with the IPSec protocol, allowing IPSec's data validation technology
to be used.
−
L2TP: doesn't provide data validation technology itself, but can be used together with
IPSec protocols, allowing IPSec data validation technology to be used.
−
IPSec: supports complete data validation and data source validation.
−
DSVPN: supports complete data validation and data source validation after an IPSec
security framework is configured.
−
SSL VPN: supports complete data validation and data source validation.
5.1.3 Summary
Table 5-1 is a brief summary of the commonly used security technologies and use scenarios
for GRE, L2TP, IPSec, and SSL VPNs.
140
Learn Firewalls with Dr. WoW
Table 5-1 Comparison of commonly used VPN technologies
Protocol
Scope of
Protection
Use
Scenario
User Identity
Authentication
Encryption and
Validation
GRE
Data at the IP
layer and above
Intranet
VPN
Not supported
Simple keyword
validation and
checksum
validation supported
L2TP
Data at the IP
layer and above
Access VPN
PPP-based
CHAP, PAP, and
EAP
authentication
supported
Not supported
Data at the IP
layer and above
Access VPN
Pre-shared key or
certificate-based
authentication and
IKEv2's EAP
authentication
supported
Supported
Not supported
Supported after an
IPSec security
framework is
configured
User
name/password or
certificate
authentication
supported
Supported
IPSec
Extranet
VPN
Intranet
VPN
Extranet
VPN
DSVPN
Data at the IP
layer and above
Intranet
VPN
Extranet
VPN
SSL VPN
Specific
application-layer
data
Access VPN
This section has provided a simple introduction to VPNs. If these basics are not enough, a
more detailed introduction to the use, configuration, and principles behind each kind of VPN
technology is below.
5.2 GRE
To discuss GRE, we first have to shift our focus 20 years back into the past, and look at some
of the events that happened during those times. At that time, the Internet had already begun to
develop quickly, and increasing amounts of resources were being connected by the Internet,
making contact between people faster and more convenient—certainly cause for celebration.
However, the seemingly harmonious online world was also full of many causes for worry.
Life is often like this—people's sources of happiness tend to be roughly the same, but their
sources of misery vary greatly. After being connected to the Internet, private networks faced
the following headaches:
There was no way for networks with private IP addresses to directly connect with each
other through the Internet.
141
Learn Firewalls with Dr. WoW
Not too much needs to be said about this point—all private networks use private
addresses, while packets sent on the Internet must use public addresses. This is shown in
Figure 5-9.
Figure 5-9 Private IP networks cannot connect directly through the Internet)
Private IP network
Internet
Private IP network
Different types of networks (IPX, AppleTalk) cannot directly communicate with each
other through the Internet.
This headache is caused by a head-ache inducing, but logical 'birth defect', this being that
as IPX and IP are not the same type of Internet protocol, IP networks don't transmit IPX
packets. This is shown in Figure 5-10.
Figure 5-10 Different types of networks (IPX, AppleTalk) cannot directly communicate with each
other through the Internet
Private
IPX
network
Internet
Private
IPX
network
There are many more similarly tear-inducing stories, and I won't go into detail about
them, but basically these headaches coagulated and formed together into an enormous
impetus that drove network engineers to wrack their brains in looking for a solution.
Finally, in 1994, Generic Routing Encapsulation (GRE) (RFC 1701 and RFC 1702) came
into being.
The creation of GRE ensures that the aforesaid headaches will no longer occur today.
Now, I'm sure everyone is thinking: "What methods does GRE use exactly to solve all of
these aforesaid difficulties? Actually, this is very easy to explain. GRE uses the "alter
ego" technology popular today--if packets sent by private networks cannot be transmitted
on the Internet for various reasons, why not give these packets "alter egos" that the
Internet can recognize, and then transmit them on the Internet? This works because the
Internet only recognizes the alter-ego, not the person behind it. The network term for this
kind of alter-ego is "encapsulation."
5.2.1 GRE Encapsulation/Decapsulation
Any kind of network encapsulation technology's basic structural elements can be divided into
three parts (passenger protocols, encapsulation protocols, and transport protocols), and GRE
is no exception. Below, I'll use a comparison to the postal system to help us understand
encapsulation technology.
Passenger protocols
142
Learn Firewalls with Dr. WoW
Passenger protocols are the letters we write. These letters may be written in Chinese,
English, French, etc., and the writer and reader themselves are responsible for the
specific content of the letter.
Encapsulation protocols
Encapsulation protocols can be compared to different types of mail: mail can be sent
using ordinary mail, registered mail or EMS. Different types of mail correspond to
different encapsulation protocols.
Transport protocols
Transport protocols are a letter's method of transport; this could be by land, sea or air.
Different methods of transportation correspond to different transport protocols.
Now that we've understood the above metaphor, we can take another look at which protocols
are used in GRE, as shown in Figure 5-11.
Figure 5-11 GRE protocols
IP/IPX
Passenger protocol
GRE
Encapsulation protocol
IP
Transport protocol
Link-layer protocol
The figure allows us to clearly see that the protocols that GRE can carry include IP protocols
and IPX protocols, and that the transport protocol used by GRE is the IP protocol.
Now that we've learned about the basic concepts behind GRE, let us next look at the
principles behind GRE encapsulation. In Figure 5-12, we've used the IP protocol as the
passenger protocol, so that the end result of encapsulation is an IP packet encapsulating an IP
packet.
Figure 5-12 GRE packet encapsulation
IP header
Data
GRE header IP header
Data
New IP header GRE header IP header
Data
The GRE encapsulation process is made up of two steps. The first step is adding a GRE
heading onto the front of the private network's original packet. The second step is adding a
new IP heading in front of this GRE heading, with the IP address in the new IP heading being
the public network address. The addition of the new IP heading means that this private
network's packet, having been encapsulated layer by layer, can now be transmitted on the
Internet.
143
Learn Firewalls with Dr. WoW
On firewalls, encapsulation operations are achieved using a logical interface, this being the
famous tunnel interface. From the word tunnel we can see that this logical interface is created
for tunneling. Information about the source address and destination address for the new IP
header is on the tunnel interface, and after a packet enters the tunnel interface, the firewall
will encapsulate a GRE header and IP header onto the packet.
So how does a firewall deliver a packet to the tunnel interface? This is achieved via routing,
and firewalls support two methods for this:
Static routing
This refers to firewalls on both ends of the GRE tunnel configuring static routing to and
from each other's private network segments. The next hop is set to the IP address of the
terminal's tunnel interface, which is the sending tunnel interface.
Dynamic routing
Configuring dynamic routing (such as OSPF) on firewalls on both ends of the GRE
tunnel means broadcasting the addresses of their private network segments and tunnel
interfaces, so that the two firewalls will learn routes to each other's private network
segments. The next hop is the other firewall's tunnel interface's IP address, and the
sending interface is the tunnel interface of the sending firewall.
Regardless of which kind of routing is used, the end goal is to generate routes for the
corresponding private network segments on the firewalls' routing tables, and to use these
routes to guide packets into the tunnel interface for encapsulation.
Figure 5-13 shows the process by which firewalls encapsulate, decapsulate, and forward
private network packets.
Figure 5-13 GRE packet forwarding process
FW_A
FW_B
Public IP: 2.2.2.2
Tunnel IP: 10.1.1.2
Public IP: 1.1.1.1
Tunnel IP: 10.1.1.1
GRE tunnel
PC_A:192.168.1.1/24
data
PC_B:192.168.2.1/24
dst:192.168.2.1
data
dst:192.168.2.1
next hop
192.168.2.1
Routing table
1
Routing table
dst add
192.168.2.0
2.2.2.2
……
2
next hop
10.1.1.1
1.1.1.2
dst add
192.168.2.1
7
3
6
Tunnel interface encapsulation
tnl src add
1.1.1.1
……
4
Tunnel interface decapsulation
tnl dst add
2.2.2.2
…
…
src add
192.168.1.1
……
dst add
192.168.2.1
……
5
data
dst:192.168.2.1
GRE
dst:2.2.2.2
When PC_A seeks to access PC_B through GRE tunneling, the packet forwarding process by
FW_A and FW_B is as follows:
2.
After PC_A's original packets accessing PC_B enters FW_A, the routing table is first
checked for a match.
3.
FW_A then sends the packet to the tunnel interface for GRE encapsulation based upon
the results of the route check, where a GRE header and a new outer-layer IP header are
added.
144
Learn Firewalls with Dr. WoW
4.
FW_A then re-checks the routing table using the encapsulated packet's new IP header's
destination address.
5.
FW__A sends the packet to FW_B based upon the results of the route check. In the
above figure it is assumed that the next-hop address found by FW_A for FW_B is
1.1.1.2.
6.
After FW_B receives the packet, it must first determine whether or not this packet is a
GRE packet.
How can this be deduced? We've seen that during the encapsulation process the
encapsulated GRE packet has a new IP header. This new IP header includes a protocol
segment, which marks the class of the inner layer's protocol. If this protocol segment's
value is 47, this means that the packet is a GRE packet.
7.
If a packet received by FW_B is a GRE packet, then the packet will be sent to the tunnel
interface for decapsulation, where the outer layer IP header and GRE header will be
stripped away, restoring the original packet.
8.
FW_B will re-check the routing table based upon the destination address of the original
packet, and will then send the packet to PC__B using the matching routing result.
This is the complete process for how firewalls carry out GRE encapsulation/decapsulation and
forwarding for private network packets. Pretty simple, huh!?
5.2.2 Configuring Basic GRE Parameters
Above, we discussed the tunneling, encapsulation and decapsulation processes for private
network packets from a theoretical perspective. But, I bet everyone is more interested in
learning about how to configure GRE tunneling on firewalls, isn't that right? Below, we'll use
Figure 5-14 to help explain configuration methods for GRE tunneling.
Figure 5-14 GRE VPN network organization
GRE tunnel
Tunnel1
10.1.1.1/24
GE0/0/2
1.1.1.1/24
Branch
192.168.1.0/24
FW_A
Tunnel1
10.1.1.2/24
GE0/0/2
2.2.2.2/24
Branch
192.168.2.0/24
FW_B
Configuring GRE tunneling is very simple, and can be divided into two steps.
2.
Configure the tunnel interface.
Configure FW_A's tunnel interface's encapsulation parameters.
[FW_A] interface Tunnel 1
[FW_A-Tunnel1] ip address 10.1.1.1 24
[FW_A-Tunnel1] tunnel-protocol gre
[FW_A-Tunnel1] source 1.1.1.1
[FW_A-Tunnel1] destination 2.2.2.2
[FW_A-Tunnel1] quit
Add FW_A's tunnel interface to a security zone. The tunnel interface can be added onto
any one security zone; here we've added the tunnel interface to the DMZ zone.
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface Tunnel 1
145
Learn Firewalls with Dr. WoW
[FW_A-zone-dmz] quit
Configure FW_B's tunnel interface's encapsulation parameters.
[FW_B] interface Tunnel 1
[FW_B-Tunnel1] ip address 10.1.1.2 24
[FW_B-Tunnel1] tunnel-protocol gre
[FW_B-Tunnel1] source 2.2.2.2
[FW_B-Tunnel1] destination 1.1.1.1
[FW_B-Tunnel1] quit
Add FW_B's tunnel interface to a security zone. As with FW_A, we've added the tunnel
interface to the DMZ zone.
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface Tunnel 1
[FW_B-zone-dmz] quit
When configuring encapsulation parameters for the tunnel interfaces, we first set the
tunnel interfaces' encapsulation type to GRE, and then designated the GRE tunnel's
source and destination addresses. These steps seem very simple, but although few in
number, they play a decisive role in allowing the tunnel interfaces to complete GRE
packet encapsulation:
−
This first stipulated that the tunnel interfaces need to encapsulate GRE headers.
−
Next, this stipulated the source and destination addresses for the new IP header,
which in fact are just the IP addresses for the public network interfaces for the
firewalls on both ends of the GRE tunnel.
These two points are identical in theory to encapsulating GRE packets, and are relatively
easy to understand. However, I'm thinking that everyone may now have the following
thoughts about the properties of the tunnel interfaces themselves:
−
Is it necessary to configure IP addresses for the tunnel interfaces?
−
Are the IP addresses for the tunnel interfaces belonging to the firewalls on both ends
of the tunnel related to one another?
−
Do the tunnel interfaces use public network IP addresses or private network IP
addresses?
It is necessary to configure IP addresses for the tunnel interfaces. If IP addresses are not
configured, it is impossible for the tunnel interfaces to be in an UP state. Secondly, in
terms of the process of GRE encapsulation, the tunnel interfaces' IP addresses do not
participate in packet encapsulation, so there is no relationship between the IP addresses
for the tunnel interfaces belonging to the firewalls on each of the tunnel; each can be
configured separately. Finally, since the tunnel interfaces do not participate in
encapsulation, there is no need to use a public network address, and configuring a private
network IP address is fine.
3.
Routing configuration—guiding packets in need of GRE encapsulation to the tunnel
interface.
I've already mentioned above that firewalls support both static and dynamic routing, and
either one of these two methods can be chosen.
Static routing
To configure static routing on FW_A, set the next-hop for the route to HQ's private network
as the tunnel interface.
[FW_A] ip route-static 192.168.2.0 24 Tunnel 1
To configure static routing on FW_B, set the next-hop for the route to the branch
organization's private network as the tunnel interface.
146
Learn Firewalls with Dr. WoW
[FW_B] ip route-static 192.168.1.0 24 Tunnel 1
Dynamic routing
To configure OSPF on FW_A, broadcast the network segments for the branch organization's
private network and the Tunnel interface in OSPF.
[FW_A] ospf 1
[FW_A-ospf-1] area 0
[FW_A-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[FW_A-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
To configure OSPF on FW_B, broadcast the network segments for HQ's private network and
the tunnel interface in OSPF.
[FW_B] ospf 1
[FW_B-ospf-1] area 0
[FW_B-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[FW_B-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
After configuration is complete, FW_A and FW_B will learn the routes to each other's private
network segments.
There is one point to be aware of: when using the OSPF dynamic routing method, if the
public network interface corresponding to the GRE tunnel also uses OSPF to broadcast routes,
we need to use a new OSPF process to broadcast the network segments for the private
network and the tunnel interface, to avoid private network packets being directly forwarded
through the public network interface rather than being forwarded through the GRE tunnel.
5.2.3 Configuring GRE Security Mechanisms
I'm guessing that everyone has a common worry, which is if a malicious user on the Internet
forged a GRE packet to look like it was being sent from FW_A to FW_B, wouldn't this
pretender then be able to access FW_B's resources? When building the GRE tunnel on FW_A
and FW_B, how can we achieve mutual trust? Next we'll discuss GRE's security mechanisms.
1.
Keyword validation
After the GRE tunnel has been configured on the firewall, the firewall won't actually
handle every GRE packet it receives, but will instead only handle GRE packets sent by
the corresponding terminal device with which it jointly built the GRE tunnel. The "key"
segment in the GRE header is used to achieve this function.
When the firewall encapsulates packets with a GRE header, the value of the key bit in
the GRE header is set to 1, and the key segment is inserted into the GRE header. When
two firewalls build a tunnel, this key segment's value is used by the firewalls to verify
each other's identity, and the tunnel can only be built if the value for the key set by the
two corresponding terminals is exactly identical.
The figure below shows the GRE header's information. In this header, the fact that the
key bit is set to 1 shows that the keyword validation function has been activated, while
the "Key:0x00003039" near the bottom is the keyword value (converted to the decimal
system this is '12345').
147
Learn Firewalls with Dr. WoW
The steps for configuring keyword validation are very simple. The only thing to pay
attention to is that the keywords set for the firewalls on both ends of the tunnel must be
identical.
Set the keyword to 12345 on FW_A.
[FW_A-Tunnel1] gre key 12345
Also set the keyword on FW_B to 12345.
[FW_B-Tunnel1] gre key 12345
2.
Checksum validation
Although the firewalls on both ends of the tunnel have now established mutual trust, if
the possibility exists for packets to be tampered with by malicious users when they are
transmitted over the Internet, how can we guarantee the integrity of packets during
transmission? The "checksum" field in the GRE header can be used here.
When a firewall encapsulates a GRE header onto a packet, the GRE header's checksum
bit value is set to 1. A checksum is then calculated according to the packet's information,
and this checksum is added to the checksum field. When the other terminal of the tunnel
receives this packet, it can also compute a checksum based on the packet's information
and compare this with the checksum carried by the packet. If the results of the check are
identical, then the firewall will accept the packet; if they are not identical, it will discard
the packet.
The checksum validation function is one-directional; whether or not the other firewall
has enabled the function will not affect the firewall's checksum validation function. In
real-world environments, it is advised that this be simultaneously enabled on the
firewalls on both ends of the tunnel.
In the screenshot below, the GRE header's checksum bit is 1, meaning that the checksum
validation function has been enabled. The "checksum: 0x8f8d" in the figure below is the
checksum value.
148
Learn Firewalls with Dr. WoW
The steps for configuring checksum validation are also very simple. To activate
checksum validation on FW_A:
[FW_A-Tunnel1] gre checksum
To activate checksum validation on FW_B:
[FW_B-Tunnel1] gre checksum
3.
Keepalive
GRE's security mechanisms can achieve mutual trust between firewalls on both ends of a
tunnel, and can guarantee the integrity of packet transmission. However, there is still a
problem: if one of a tunnel's terminals has a failure/problem, how can the tunnel's other
terminal detect this?
GRE tunnels are a kind of stateless tunnel. This word "stateless" means that one terminal
of the tunnel will not determine the state of the other terminal. Or, to put things another
way, if a problem arises with one terminal of the tunnel, the terminal on the other end of
the tunnel will not be able to detect this. To resolve this problem, GRE tunneling
provides the Keepalive mechanism.
As shown in Figure 5-15, after the Keepalive function is activated on FW_A, FW_A will
regularly send probe packets to FW_B to detect the state of this other end of the tunnel.
If FW_B can be reached, then FW__A will receive a response packet from FW_B, and
FW_A will then maintain the tunnel's normal state. If FW_A does not receive a response
packet from FW_B, this means that FW_B is unreachable, and FW_A will close the
tunnel. This avoids data "black holes" due to one of a tunnel's terminals being
unreachable.
Figure 5-15 GRE Keepalive function
FW_A
FW_B
GRE tunnel
Periodically sends
Keepalive packets.
Receives a reply packet, indicating
that the tunnel works properly.
Does not receive any reply packets
and therefore terminates the tunnel.
GRE tunnel
The Keepalive function is one-directional; whether or not one terminal enables the
Keepalive function does not affect the other terminal's Keepalive function. In real-world
environments, it is advised that both of a tunnel's firewalls activate this function
simultaneously.
The commands to activate the Keepalive function are given below. Here is the command
to activate the Keepalive function on FW_A:
[FW_A-Tunnel1] keepalive
To activate the Keepalive function on FW_B:
[FW_B-Tunnel1] keepalive
At this point in our lesson, I'm guessing that everyone thinks that GRE tunnels are a
great thing, but actually that's not completely correct. GRE tunneling has its own
149
Learn Firewalls with Dr. WoW
Achille's heel: it doesn't include a security encryption function. GRE packets without
security encryption packets are really only transparent "alter-egos", and the packets are
all 'visible' when transmitted in the tunnel. Therefore, in real life we very rarely use GRE
by itself, but rather frequently use GRE and IPSec together. As IPSec technology is
equipped with very strong encryption functions, this approach resolves GRE's security
problems, and this is the GRE over IPS technology that we'll explain below.
5.2.4 Approach to Security Policy Configuration
In "Chapter 2 Security Policies," we stated that "both data streams forwarded by a firewall
and data streams between a firewall and the outside are controlled by security policies." With
this in mind, which interfaces and security zones should we use with GRE? How can we
configure security policies for use with GRE? Due to the existence of tunnel interfaces, GRE
security policy configuration can be a bit complicated and confusing. But luckily for you, Dr.
WoW has a suite of methods that I'll use to help you understand this!
In Figure 5-16, FW_A and FW_B's GE0/0/1 interfaces are connected to private networks, and
belong to the Trust zone; the GE0/0/2 interfaces belong to the Untrust zone; the tunnel
interface belongs to the DMZ zone.
Figure 5-16 A network's GRE VPN security policy configuration
DMZ
DMZ
Tunnel1
10.1.1.1/24
Tunnel1
10.1.1.2/24
Untrust
Trust
GE0/0/1
PC_A
192.168.1.1/24
Untrust
Trust
GE0/0/2
2.2.2.2/24
GE0/0/2
1.1.1.1/24
GE0/0/1
GRE tunnel
FW_A
FW_B
PC_B
192.168.2.1/24
The process for configuring security policies is below:
2.
We first configure an interzone security policy that is as broad as possible, in order to
assist GRE adjustment/testing.
FW_A's interzone default packet filtering action is set to "permit":
[FW_A] firewall packet-filter default permit all
FW_B's interzone default packet filtering action is set to "permit":
[FW_B] firewall packet-filter default permit all
3.
After GRE is configured, PC_A pings PC_B. The session table is then checked. Using
FW_A as an example:
[FW_A] display firewall session table verbose
Current Total Sessions : 2
gre VPN:public --> public
Zone: local--> untrust TTL: 00:04:00 Left: 00:03:37
Interface: GigabitEthernet0/0/2 NextHop: 1.1.1.2 MAC: 54-89-98-87-22-a4
<--packets:4 bytes:352 -->packets:5 bytes:460
1.1.1.1:0-->2.2.2.2:0
icmp VPN:public --> public
Zone: trust--> dmz TTL: 00:00:20 Left: 00:00:00
150
Learn Firewalls with Dr. WoW
Interface: Tunnel1 NextHop: 192.168.2.2 MAC: 00-00-00-00-00-00
<--packets:1 bytes:60 -->packets:1 bytes:60
192.168.1.2:22625-->192.168.2.2:2048
The above information shows that PC_A can successfully ping PC_B, and that a GRE
session has been successfully and normally established.
4.
Analysis of the session table allows for the most appropriate security policy for the
existing conditions to be selected.
We can see two streams on the session table. One is the ICMP packets from Trust to
DMZ, and the other is the GRE packets from Local to Untrust. This allows us to obtain
the direction of packets on FW_A, as shown in Figure 5-17.
Figure 5-17 FW_A packet direction
DMZ
Tunnel1
Trust
Untrust
GE0/0/1
Local
GRE tunnel
GE0/0/2
PC_A
192.168.1.1/24
1.1.1.1
FW_A
Original packet from PC_A to PC_B
GRE packet
The above figure shows that FW_A needs to configure a Trust-->DMZ security policy
that permits packets from PC_A seeking access to PC_B to pass; another
Local-->Untrust security policy that permits FW_A and FW_B to establish a GRE tunnel
also needs to be configured.
Similarly, we can also obtain the direction for packets on FW_B, as shown in Figure
5-18.
Figure 5-18 FW_B packet direction
DMZ
Tunnel
Untrust
GRE tunnel
Trust
Local
2.2.2.2 GE0/0/2
GE0/0/1
PC_B
192.168.2.1/24
FW_B
Original packet from PC_A to PC_B
GRE packet
151
Learn Firewalls with Dr. WoW
The above figure shows that FW_B needs to configure a DMZ-->Trust security policy
that permits packets from PC_A seeking access to PC_B to pass; another
Untrust-->Local security policy that permits FW_A and FW_B to establish a GRE tunnel
also needs to be configured.
When PC_B initiates calls on PC_A, the packet direction is the opposite of the direction
when PC_A accesses PC_B, and there is no need to further review this.
To summarize, the security policies that should be configured on FW_A and FW_B
under various conditions are shown in Table 5-2, and we should configure the security
policies that best match existing conditions as shown in the table.
Table 5-2 Selecting security policies for FW_A and FW_B based upon conditions
Transaction
Direction
Device
Source
Security Zone
Destination
Security Zone
Source
Address
Destination
Address
Used in
PC_A
accesses
PC_B
FW_A
Local
Untrust
1.1.1.1/32
2.2.2.2/32
GRE
Trust
DMZ
192.168.1.0/24
192.168.2.0/24
*
Untrust
Local
1.1.1.1/32
2.2.2.2/32
GRE
DMZ
Trust
192.168.1.0/24
192.168.2.0/24
*
Untrust
Local
2.2.2.2/32
1.1.1.1/32
GRE
DMZ
Trust
192.168.2.0/24
192.168.1.0/24
*
Local
Untrust
2.2.2.2/32
1.1.1.1/32
GRE
Trust
DMZ
192.168.2.0/24
192.168.1.0/24
*
FW_B
PC_B
accesses
PC_A
FW_A
FW_B
*: Use in this instance is related to the transaction type, and can be configured according to actual
circumstances (for example: TCP, UDP, and ICMP).
In GRE scenarios, FW_A and FW_B's tunnel interfaces must be added to security
zones, and the security zones the tunnel interfaces belong to determine the direction
of packets within a firewall. If the tunnel interface belongs to the Trust zone, then no
DMZ-Trust interzone security policy needs to be configured, but this approach also
carries security risks. Therefore, I suggest that the tunnel interface be added to a separate
security zone, and then configured with the security policy that best matches existing
conditions.
5.
Finally, the default packet filtering's action is changed to "deny".
Set FW_A's interzone default packet filtering action to "deny":
[FW_A] firewall packet-filter default deny all
Set FW_B's interzone default packet filtering action to "deny":
[FW_B] firewall packet-filter default deny all
Although the aforesaid adjustment/testing process is a bit difficult, security policies
configured in this way are relatively refined, and can adequately ensure the security of
firewalls and the internal network.
152
Learn Firewalls with Dr. WoW
5.3 The Birth and Evolution of L2TP VPNs
To discuss L2TP VPNs we must first shift our focus to the early stages of the Internet's
development once more. This was an era when both individual and corporate users generally
went online using telephone lines, and of course company branches and traveling users
normally also used the "phone network " (academic name: PSTN-Public Switched Telephone
Network)/ISDN (Integrated Services Digital Network)" to connect to their HQ networks.
People called PSTN/ISDN-based VPNs "VPDNs" (Virtual Private Dial Networks). L2TP
VPNs are a kind of VPDN technology, but other VPDN technologies have already gradually
fallen out of use.
As shown in Figure 5-19, in a traditional PSTN/ISDN-based L2TP VPN, a carrier deploys a
LAC (for VPDN's this is called a NAS--Network Access Server) between the PSTN/ISDN
and IP networks. This provides centralized L2TP VPN line services for multiple corporate
users, and is equipped with authentication and charging functions. When branch organizations
and mobile employees dial the special connection number for the L2TP VPN, the connecting
modem uses a PPP protocol to establish a PPP session with the LAC, and authentication and
charging are simultaneously enabled. After successful authentication, the LAC initiates L2TP
tunnel and session negotiation with the LNS, and the corporate HQ LNS re-authenticates the
access user's identity (due to security concerns). After successful authentication, the branch
organization or mobile employee can access the HQ network.
Figure 5-19 PSTN/ISDN-based L2TP VPN
AAA server
AAA server
Modem
LAC
LNS
Branch
Carrier IP network
Modem
PPP session
HQ
L2TP session & tunnel
Mobile employee
LAC: deployed on the carrier network
LNS: deployed at the enterprise headquarter’s egress
LAC and LNS are concepts of L2TP protocols, while NAS is a VPDN concept. So actually, for L2TP
VPNs, the LAC is actually the NAS.
As IP networks became widespread, PSTN/ISDN networks gradually fell out of use in the
data communication sector. As companies and individual users were both able to use the
Ethernet to directly connect to the Internet, L2TP VPNs were also able to quietly take "two
small steps" forward. This may have looked like only two small steps, but actually these two
small steps allowed the formerly 'over the hill' L2TP VPNs to remain on the ever-changing IP
scene. Today's L2TP VPN use scenarios are shown in Figure 5-20, and from the figure we can
see that L2TP VPNs have already calmly stepped onto the IP stage.
153
Learn Firewalls with Dr. WoW
Figure 5-20 Common L2TP VPN scenario
Branch
L2TP session & tunnel
PPPoE session
AAA Server
LAN
PPPoE client
AAA server
LAC
(PPPoE server)
LNS
HQ
Mobile
employee
L2TP client
L2TP session & tunnel
The first "small step"—PPP deigns to dwell on the Ethernet. This was a mandatory
step in the process of evolving from dial-up networks to the Ethernet. While this was not
specially designed for L2TP VPNs, L2TP VPNs were the biggest beneficiary of this. If
branch organization users install a PPPoE client, and trigger PPPoE dialing on the
Ethernet, a PPPoE session is established between the PPPoE client and the LAC (PPPoE
Server). This does not change the process of setting up the L2TP VPN between the LAC
and the LNS.
The second "small step"—extending L2TP to users' PCs: under this kind of scenario,
PCs can use the L2TP client their system comes equipped with, or third-party L2TP
client software, to directly dial and set up an L2TP VPN with the LNS. L2TP clients
render the services of the broker, the LAC, moot, by establishing a direct 'partnership'
with HQ—it looks like this sort of 'replacement' isn't limited just to everyday life!
The common ground between these two scenarios and the original L2TP VPN scenarios
is that the company invests in buying equipment, and then uses the Internet to establish
an L2TP VPN. This avoids the carrier charging for use of VPN line services, and reduces
long-term investment. In order to distinguish between the aforesaid two kinds of L2TP
VPNs, the former (LAC-dial-up-based L2TP VPNs) are called NAS-initiated VPNs,
while the latter (L2TP VPNs established by direct client dialing) are called
client-initiated VPNs. We'll go into further detail below about these two kinds of L2TP
VPNs.
5.4 L2TP Client-initiated VPNs
At present most people are pretty familiar with clients on PCs, tablets, or mobile phones. The
most common are PPPoE clients, which are the often-talked about broadband Internet access
clients. Second to these are VPN clients. These kinds of clients are not used by leisure Internet
users, but are rather generally services provided by companies for their employees working
remotely. Here we'll primarily discuss one type of VPN client, the L2TP VPN client.
154
Learn Firewalls with Dr. WoW
The role of an L2TP VPN client is to help users initiate and build an L2TP tunnel directly to
the company HQ network on a PC, tablet or cell phone. This achieves the objective of
allowing the user to freely access the HQ network, and is a bit like how Professor Du (star of
a popular Korean sci-fi/romance drama) was able to instantly travel between two distant
worlds by controlling the entrance to the wormhole to Earth (HQ). Whether we're talking
about the real world or the virtual online world, it seems that happiness can only be
experienced when time and distance concerns are eliminated. I'll use real-world experience to
inform everyone how client-initiated VPNs can help you attain the same happiness as
Professor Du.
If Professor Du wanted to use the L2TP VPN client to pass through the "wormhole" and enter
an enterprise network, he would first have to pass through the LNS "gatekeeper" identity
check (the methods involved in this check are very clear, with everything necessary for tunnel
inspection included, including checks of user name, password, and host name). Users who
pass inspection are supplied with a special pass (an IP address of the enterprise network) by
the LNS, while those who attempt to gain unauthorized access are bid adieu—this is the
simple approach displayed in client-initiated VPNs' information exchange. In order to help
everyone better grasp this, and to aid in comparing client-initiated VPNs to the NAS-initiated
VPNs discussed in the next section, I've drawn a simple diagram (Figure 5-21). I'll then use
this diagram to further dissect the information exchanges between the L2TP client and the
LNS.
Figure 5-21 Process for building a client-initiated VPN
Public IP address: 1.1.1.2
Obtained private IP address: 192.168.2.2
L2TP client
Address pool: 192.168.2.2~192.168.2.100
VT interface’s IP address: 192.168.2.1
L2TP tunnel
LNS
Intranet server
IP: 192.168.1.2/24
GE0/0/2
1.1.1.1/24
HQ
1. Create an L2TP tunnel.
2. Create an L2TP session.
3. Create a PPP connection.
Authentication
succeeds, and an
address is allocated.
4. Encapsulate data and transmit the packet.
Client-initiated VPN configuration is shown in Table 5-3. A key point is that the connections
between the L2TP client, the LNS, and the internal network servers are all direct connections,
which avoids routing configuration; user authentication also is done using relatively simple
local authentication. In addition, the internal network server needs to configure a gateway, to
ensure that its response packets bound for the L2TP client are able to reach the LNS.
155
Learn Firewalls with Dr. WoW
Table 5-3 Client-initiated VPN configuration
Configured Item
L2TP Client (Using a VPN
Client as an Example)
LNS
L2TP
configuration
Other terminal's IP address:
1.1.1.1
l2tp enable
User log-in (PPP user)
name: l2tpuser
User log-in (PPP user)
password: Admin@123
LNS Tunnel name
(optional): LNS
PPP authentication mode
(PAP/CHAP/EAP; some
clients are defaulted to
CHAP): CHAP
Tunnel validation (optional,
some clients don't support
this): not selected
interface Virtual-Template1
ppp authentication-mode chap
ip address 192.168.2.1
255.255.255.0
remote address pool 1
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
//Designates a VT interface.
tunnel name LNS
//Indicates the name of this
tunnel terminal.
The first three fields are
mandatory, while the last three
fields may not be available on
all clients
AAA
authentication
configuration
-
aaa
local-user l2tpuser password
cipher Admin@123 //Indicates
the local user name and password.
local-user l2tpuser
service-type ppp //Indicates
the user service type.
ip pool 1 192.168.2.2
192.168.2.100
//Indicates the
address pool.
Now, I don't think many people know too much about the VT interface, is that right? The VT
interface is a logical interface used in Layer 2 protocol communication, and is usually used
during PPPoE negotiation. L2TP cooperates with PPPoE in order to acclimate itself to the
Ethernet environment, which is why we find the VT interface here. I will explain more about
the role of VT interfaces in client-initiated VPNs as we proceed.
Below, I will use packet captures to help explain the complete process of setting up a
client-initiated VPN.
5.4.1 Step 1: Setting Up an L2TP Tunnel (Control
Connection)—Three Pieces of Information Enter the Wormhole
An L2TP client and the LNS negotiate parameters such as the tunnel ID, UDP port (the LNS
uses port 1701 to respond to the client's tunnel building request), host name, L2TP version,
tunnel authentication (if the client does not support tunnel authentication, the LNS tunnel
156
Learn Firewalls with Dr. WoW
authentication function should be closed—this is true for the WIN7 operating system) by
exchanging three pieces of information.
To aid everyone in understanding the meaning of negotiation, Table 5-4 gives the tunnel ID
negotiation process.
Table 5-4 Tunnel ID negotiation process
Step 1
SCCRQ
L2TP Client: Hey LNS, use "1"
as the tunnel ID to communicate
with me.
SCCRP
LNS: OK, L2TP Client, and
make sure you also use "1" as
the tunnel ID to communicate
with me.
Step 3
L2TP Client: OK.
Step 2
-
SCCCN
5.4.2 Step 2: Establishing an L2TP Session—Three Pieces of
Information to Awaken the Wormhole Gateguard
The L2TP client and the LNS exchange three pieces of information to negotiate a session ID
and establish an L2TP session. However, only if the "gateguard" is first notified can identity
authentication information be submitted!
Table 5-5 gives the process for negotiating a session ID.
157
Learn Firewalls with Dr. WoW
Table 5-5 Process for negotiating a session ID
Step 1
ICRQ
L2TP Client: Hey LNS, use "1" as the
session ID to communicate with me.
ICRP
LNS: OK, L2TP Client, and make sure you
also use "1" as the session ID to
communicate with me.
Step 3
L2TP Client: OK.
Step 2
-
ICCN
5.4.3 Step 3: Creating a PPP Connection—Identity Authentication
and Issuance of the "Special Pass"
1.
LCP negotiation
LCP negotiation is conducted separately in both directions, and primarily negotiates
MRU size. MRU is a PPP data link layer parameter, and is similar to the Ethernet's MTU.
If one of the terminal devices in the PPP link sends a packet with a payload larger than
the other terminal's MRU, this packet will be fragmented when it is sent.
The above screenshot shows that the post-negotiation MRU value is 1460.
2.
PPP authentication
Authentication methods include CHAP, PAP, and EAP. Both CHAP and PAP
authentication can be conducted either locally or on an AAA server, while EAP can
conduct authentication on an AAA server. EAP authentication is relatively complex, and
there are differences in the support provided for this by different models of firewalls, so
here we'll only discuss CHAP, the most common authentication process.
158
Learn Firewalls with Dr. WoW
Table 5-6 displays a classic three-way handshake PPP authentication process.
Table 5-6 Three-way handshake PPP authentication process
Step 1
LNS: Hey, L2TP Client, I'm
sending you a "challenge", use it
to encrypt your password.
Step 2
L2TP Client: OK, I'm sending
my user name and encrypted
password to you, please
authenticate them.
Step 3
LNS: Authentication was
successful, welcome to the world
of PPP!
The user name and password configured on the LNS are used to authenticate the client.
Of course, this requires that the "person in question" and the "visa" have to be exact
matches—this is to say that the user name and password configured on the L2TP client
and the LNS have to be identical. Next, I'll briefly explain what it means for the user
names to be identical.
−
If the "visa" configured on the LNS is the user name (no domain), then the L2TP
client's user log-in name must be the user name.
−
If the "visa" configured on the LNS is the full user name (username@default or
username@domain), then the L2TP client's user log-in name must be
username@default or username@domain.
In this example, the user name configured on the LNS is 12tpuser, so when the client
logs-in it must enter an identical user name. The reasoning behind this is very simple, but
this is a common error that many make during configuration.
The concept of a "domain" is always used in AAA authentication, and I'm sure everyone
is wondering what purpose it serves to add a domain behind the user name.
Large corporations will often assign different departments to different domains, and then
create different address pools for these different departments on the LNS according to
their domain—this is to say that different departments' network segments can be
separated using address pools, which makes it easy to later deploy different security
policies for different departments.
3.
IPCP negotiation to successfully assign an IP address
The IP address assigned by the LNS to the L2TP client is 192.168.2.2.
159
Learn Firewalls with Dr. WoW
After having read this far, everyone should be clear that the addresses in the LNS's
address pool are used to assign IP addresses to remote clients. Of course, these should be
private addresses and should also abide by the internal network's IP address planning
rules just like other internal network host addresses. But what about the VT interface?
Actually, the VT interface is also an internal network interface, and should also be
planned according to the internal network's IP address planning principles. The overall
principles behind IP address planning are as follows:
−
It is suggested that independent network segments be planned separately for the VT
interface, the address pool and the HQ network address, so that the addresses for the
three don't overlap.
−
If the addresses of the address pool and the HQ network address are configured to the
same network segment, then the ARP proxy function must be activated on the LNS
interface that connects to the HQ network, and the L2TP virtual forwarding function
must also be enabled, to ensure that the LNS can respond to ARP requests sent by the
HQ network server.
If the LNS interface connecting to the HQ network is GE0/0/1, then the configuration for
enabling the ARP proxy function and the L2TP virtual forwarding function is as follows:
[LNS] interface GigabitEthernet0/0/1
[LNS-GigabitEthernet0/0/1] arp-proxy enable
//Enable the ARP proxy function.
[LNS-GigabitEthernet0/0/1] virtual-l2tpforward enable
//Enable the L2TP
virtual forwarding function.
After reading through the process for PPP authentication, everyone should now know
that L2TP is cleverly able to use PPP's authentication functions to achieve its own
objective of authenticating remote user access. What was responsible for facilitating this
cooperative project? The VT interface:
[LNS] l2tp-group 1
[LNS-l2tp1] allow l2tp virtual-template 1
It is this above command that links L2TP with PPP; the VT interface manages PPP
authentication, while the L2TP module is the VT interface's boss. Cooperation between
the two is thus achieved in this way. The VT interface is only used between L2TP and
PPP—this is a nameless hero that doesn't participate in encapsulation, and also doesn't
need to be broadcast publicly, so it is perfectly acceptable to configure its IP address as a
private network IP address.
The L2TP client-initiated VPN negotiation process is far more complex than for GRE
VPNs. Let's summarize the characteristics of client-initiated VPN tunnels:
−
L2TP VPNs are greatly different than GRE VPNs. GRE VPNs do not have a tunnel
negotiation process, and are tunnels that do not control connections and state, so there
is no way to view the tunnel or inspect the state of the tunnel. However, L2TP VPNs
are controlled-connection tunnels, and can check on and view the tunnel and session.
160
Learn Firewalls with Dr. WoW
−
As shown in Figure 5-22, there is an L2TP tunnel between the L2TP client and the
LNS for client-initiated VPNs. There is only one L2TP session in the tunnel, and the
PPP connection is carried on this L2TP session. This is different than the
NAS-initiated VPNs that will be discussed in the next section, and this is important to
pay attention to.
Figure 5-22 Relationship between an L2TP tunnel and session with the PPP connection on a
client-initiated VPN
L2TP client
LNS
Intranet server
PPP dial-up
L2TP tunnel
L2TP session
PPP connection
5.4.4 Step 4: Data Encapsulation Transmission— Passing Through
the Wormhole to Visit Earth
After the L2TP tunnel has been built, L2TP client data can freely go to and from the HQ
network. Giving a clear explanation as to the process of how Professor Du passed through his
wormhole is difficult, but it is not very difficult to explain how L2TP client data passes
through the L2TP tunnel to reach the HQ network; this involves the encapsulation process for
L2TP data packets. This process is very similar to GRE packets adopting and later discarding
"alter-egos", with the difference being that the "alter-egos" are slightly different here.
Public IP header
UDP header
L2TP header
PPP header
Private IP header
The packet capture above shows the structure of L2TP packet encapsulation, and a more
detailed analysis elucidates the encapsulation/decapsulation process for L2TP data packets in
a client-initiated VPN scenario (Figure 5-23).
161
Learn Firewalls with Dr. WoW
Figure 5-23 Process for client-initiated VPN packet encapsulation/decapsulation
L2TP client
Intranet server
LNS
L2TP tunnel
Data
Data
Private IP
Private IP
PPP header
PPP header
L2TP header
L2TP header
Data
Data
UDP header
UDP header
Private IP
Private IP
Public IP
Public IP
Ethernet header
Ethernet header
L2TP data
decapsulation
Ethernet
encapsulation
Ethernet
decapsulation
L2TP data
encapsulation
Data flow direction
The L2TP client's process for forwarding packets towards the internal network server is as
follows:
2.
The L2TP client encapsulates the original packet using a PPP header, an L2TP header, a
UDP header, and finally, on the outermost layer, a public network IP header, making this
into an L2TP packet. The source address on the outer layer public network IP header is
the L2TP client's public network IP address, while the destination address is the LNS's
public network interface's IP address.
3.
L2TP packets pass through the Internet to the LNS.
4.
After the LNS receives the packets, it completes identity authentication and packet
decapsulation in the L2TP module, discarding the PPP header, the L2TP header, the
UDP header and the outer layer IP header, to restore the original packet.
5.
The original packet carries only an inner-layer private network IP header. This
inner-layer private network IP header's source address is the private network IP address
obtained by the L2TP client, while the destination address is the private network IP
address of the internal network server. The LNS checks its routing table based upon the
destination address, and then forwards the packet using the matching routing result.
The L2TP client now has obstacle-free access to the HQ internal network server, but there is
still a problem: how do return packets from HQ's internal network server bound for the L2TP
client enter the tunnel to return to the L2TP client? We don't seem to have configured any
route to guide these return packets into the tunnel, right? A look at the routing table on the
LNS shows something interesting: the LNS has automatically issued a host route for the L2TP
client that obtained the private network IP address.
[LNS] display ip routing-table
Destination/Mask
Proto Pre Cost
192.168.2.2/32 Direct 0
0
Flags NextHop
D
192.168.2.2
Interface
Virtual-Template1
This automatically generated host route is a user network route (UNR), the destination
address and the next-hop are both the private network address that the LNS assigned for the
L2TP client, and the sending interface is the VT interface. This route is the LNS's wormhole
entrance, and guides packets bound for the L2TP client into the tunnel. Our question has been
162
Learn Firewalls with Dr. WoW
resolved, and it should now be easy to understand the forwarding process for return packets
from the internal network server.
6.
After the LNS receives a return packet from the internal network server, it checks for a
route based upon the packet's destination address (the L2TP client's private network IP
address), selects a UNR route, and sends the return packet to the VT interface.
7.
The return packet is encapsulated with a PPP header, an L2TP header, a UDP header,
and an outer-layer public network IP header in the L2TP module.
8.
The LNS checks the routing table based upon the packet's outer-layer IP header's
destination IP address (the L2TP client's public network IP address), and then forwards
the packet using the matching routing result.
The above process is a bit complicated, as return packets must be matched twice to the routing
table on their trip back to the L2TP client.
Our above explanation only used one L2TP client, but in real-world environments there will
be many L2TP clients accessing the HQ network through the wormhole simultaneously. If the
L2TP client is not satisfied with only accessing the HQ network, but also wants to access
other L2TP clients (this is to say, if there is to be mutual access between L2TP clients), can
L2TP achieve this? Don't forget, the LNS is the transfer station that connects multiple
wormholes, and it has host routes to many L2TP clients. Therefore, two L2TP clients can
freely access each other through LNS forwarding, as shown in Figure 5-24. Of course, the
premise for mutual access is that each L2TP client must know the IP address assigned by the
LNS for each other. This premise is not very easily achieved, so scenarios with mutual access
between L2TP clients are not very common.
Figure 5-24 L2TP client mutual access scenario
L2TP client
L2TP
L2TP
tunn
e
LNS
l
e
tunn
Intranet server
l
L2TP client
5.4.5 Approach to Security Policy Configuration
The overall approach to configuration of security policies for L2TP client-initiated VPNs is
similar to that for configuration of GRE security policies, except that the tunnel interface has
been replaced by the VT interface.
As shown in Figure 5-25, in our hypothetical scenario, the LNS's GE0/0/1 is connected to the
HQ private network, and belongs to the Trust zone; GE0/0/2 is connected to the Internet, and
belongs to the Untrust zone; the VT interface belongs to the DMZ zone; the IP address
assigned by the LNS for the L2TP client is 192.168.2.2.
163
Learn Firewalls with Dr. WoW
Figure 5-25 Network organization for configuring client-initiated VPN security policies
DMZ
VT1
192.168.2.1/24
Public IP address: 1.1.1.2
Private IP address: 192.168.2.2
Untrust
Trust
Intranet server
GE0/0/2
1.1.1.1/24
GE0/0/1
L2TP tunnel
L2TP client
LNS
192.168.2.1/24
The process for configuring a security policy is as follows:
2.
We first configure the broadest possible interzone security policy to assist L2TP
VPN adjustments/testing.
The interzone default packet filtering action on the LNS is set to "permit":
[LNS] firewall packet-filter default permit all
3.
After L2TP configuration, we ping the internal network server with the L2TP client, and
then check the session table.
[LNS] display firewall session table verbose
Current Total Sessions : 2
l2tp VPN:public --> public
Zone: untrust--> local TTL: 00:02:00 Left: 00:01:58
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:20 bytes:1120 -->packets:55 bytes:5781
1.1.1.2:1701-->1.1.1.1:1701
icmp VPN:public --> public
Zone: dmz--> trust TTL: 00:00:20 Left: 00:00:01
Interface: GigabitEthernet0/0/1 NextHop: 192.168.1.2 MAC: 20-0b-c7-25-6d-63
<--packets:5 bytes:240 -->packets:5 bytes:240
192.168.2.2:1024-->192.168.1.2:2048
The above information shows that the L2TP client successfully pinged the internal
network server, and that an L2TP session has been created.
4.
Analysis of the session table shows the existing conditions to which a refined security
policy can be matched.
From the session table we can see two streams (one being Untrust-->Local L2TP packets,
and the other DMZ-->Trust ICMP packets), and we therefore can obtain the direction of
packets on the LNS, as shown in Figure 5-26.
164
Learn Firewalls with Dr. WoW
Figure 5-26 LNS packet direction
DMZ
VT
L2TP tunnel
Untrust
Trust
Local
1.1.1.1
GE0/0/1
GE0/0/2
L2TP client
private IP address: 192.168.2.2
Intranet server
192.168.1.2/24
LNS (FW)
Original packet from the L2TP client to
the intranet server
L2TP packet
The above figure shows that the LNS needs to configure a DMZ-->Trust security policy
that allows packets from the L2TP client seeking access to the internal network server to
pass, and also needs to configure an Untrust-->Local security policy to allow the L2TP
client and the LNS to establish an L2TP tunnel.
After the L2TP tunnel is established, the direction of return packets sent from the internal
server to the L2TP client is the opposite of when the L2TP client accesses the internal
server, and we therefore do not need to elaborate further about this.
To summarize, the security policies that should be configured on the LNS under various
conditions are shown in Table 5-7, and we should configure the security policies that best
match existing conditions.
Table 5-7 Selecting LNS security policies based upon existing conditions
Transactional
Direction
Source
Security Zone
Destination
Security Zone
Source Address
Destination
Address
Used
in
The L2TP client
accesses the
internal network
server
Untrust
Local
ANY
1.1.1.1/32
L2TP
DMZ
Trust
192.168.2.2~192.
168.2.100
192.168.1.0/24
*
192.168.2.2~192.1
68.2.100
*
(address pool
addresses)
The internal
network server
accesses the
L2TP client
Trust
DMZ
192.168.1.0/24
address pool
addresses
*: Use in this instance is related to the transaction type, and can be configured according to actual
circumstances (for example: TCP, UDP, and ICMP).
In this scenario, the LNS only passively receives the request from the L2TP client to establish a tunnel,
but will not actively initiate a request to the L2TP client to establish a tunnel, so only an Untrust-->Local
security policy needs to be configured on the LNS for the L2TP tunnel.
165
Learn Firewalls with Dr. WoW
Therefore, in L2TP VPN scenarios using the client-initiated method, the LNS's VT
interface must be added to a security zone, and the security zone the VT interface
belongs to determines the direction of packets on the firewall. If the VT interface
belongs to the Trust zone, then no DMZ-Trust interzone security policy is necessary, but
this also involves security risks. Therefore, it is advisable to add the VT interface to a
separate security zone, and then configure the security policy that best matches the
existing conditions.
5.
Finally, the default packet filtering's action is changed to "deny".
[LNS] firewall packet-filter default deny all
5.5 L2TP NAS-initiated VPNs
In the above section we discussed how client-initiated VPNs can allow companies' mobile
employees to pass through the "wormhole", just like Professor Du, and freely access the HQ
network. However, company branch organization users are not as fortunate, and they
generally use a dial-up network to connect to the Internet. Faced with the vast ocean of the
Internet, and unable to find the entrance to the "wormhole", they can only look at this ocean
and sigh sadly. Even if their dial-up network has evolved onto the Ethernet, this only solves
the local Internet connection problem, but they are still unable to access the HQ network.
Does this mean branch organization users are destined to be forever separated from the HQ
network?
Fortunately, the arrival of LACs onto the network scene has helped branch organizations solve
this problem. The LAC serves as a PPPoE server, and a branch organization user, as the
PPPoE client, can establish a PPPoE connection with the LAC, allowing PPP to be used freely
on the Ethernet. Additionally, as an "agent" for the LNS, the LAC provides a "wormhole"
entrance for branch organizations, meaning that branch organization users can use the LAC as
a portal to reaching the HQ network.
The LAC is also called the NAS on VPDNs, and so these kinds of L2TP VPNs are also called
NAS-initiated VPNs. This would be easier to understand if the name "NAS-initiated VPN"
was changed to "LAC-initiated VPN", because on our representations of network organization
the name LAC is clearly displayed, but we still have to use this now-discarded "former name",
which might be a bit confusing to newcomers.
The process of constructing a NAS-initiated VPN is a bit complicated, and to aid in
remembering this I have drawn a simple figure (Figure 5-27), to aid in your understanding of
the following.
166
Learn Firewalls with Dr. WoW
Figure 5-27 Process for establishing a NAS-initiated VPN
LAC
(PPPoE server)
PPPoE client
LNS
Intranet server
L2TP tunnel
Branch
HQ
1. Establish a PPPoE session.
Authentication succeeds.
2. Establish an L2TP tunnel.
3. Establish an L2TP session.
4. Perform LNS authentication and
secondary authentication (optional).
Authentication succeeds,
and an address is allocated.
5. Establish a PPP connection.
6. Encapsulate data and transmit the packet.
In order to review our understanding of PPPoE, we've used a firewall as the PPPoE client,
while a virtual PC's PPPoE client is shown in Figure 5-28.
Figure 5-28 NAS-initiated VPN network schematic
PPPoE client
Obtained private IP
address: 172.16.0.2
LAC
(PPPoE server)
GE0/0/1
Branch
GE0/0/1
GE0/0/2
1.1.1.1/24
LNS address pool: 172.16.0.2~172.16.0.100
VT interface IP address: 172.16.0.1
GE0/0/2
1.1.1.2/24
Intranet server IP
address: 192.168.0.2
GE0/0/1
192.168.0.1/24
HQ
A key point to remember is that the connections between the PPPoE client, the LAC, the LNS,
and the internal server are direct connections, eliminating the need to configure routing; user
authentication also uses local authentication, which is relatively simple. In addition, the
internal server needs to configure a gateway to ensure that the packets it gives the PPPoE
client in response are able to be sent to the LNS.
167
Learn Firewalls with Dr. WoW
5.5.1 Step 1: Establishing a PPPoE Connection—The Dialing
Interface Dials the VT Interface
After PPP changed to PPPoE so that it could settle down in the Ethernet "world", in order to
simulate the PPP dial-up process on the Ethernet, PPPoE invented two virtual interfaces—the
dialer interface and the VT interface. When PPPoE runs on a firewall, these two interfaces are
also used: when a firewall serves as the PPPoE client it uses the dialer interface, and when a
firewall serves as the PPPoE server it uses the VT interface. Related PPPoE parameters are
configured on these two interfaces, as shown in Table 5-8.
Table 5-8 Configuring an NAS-initiated VPN's PPPoE
PPPoE Client
PPPoE Server (LAC)
interface dialer 1
interface Virtual-Template 1
dialer user user1
ppp authentication-mode chap
dialer-group 1
interface GigabitEthernet 0/0/1
dialer bundle 1
pppoe-server bind virtual-template 1
//Enables the PPPoE server on the physical
interface and binds the VT interface.
ip address ppp-negotiate //Configures
the negotiation mode, so that IP addresses
are dynamically assigned.
ppp chap user user1 //Indicates the PPPoE
client's user name.
aaa
local-user user1 password Password1
local-user user1 service-type ppp
ppp chap password cipher Password1
//Indicates the PPPoE client's password.
dialer-rule 1 ip permit
interface GigabitEthernet0/0/1
pppoe-client dial-bundle-number 1
//Enables the PPPoE client on the physical
interface and binds dial-bundle.
The VT interface on the PPPoE server (LAC) only completes PPPoE work, providing PPP
authentication functions for the PPPoE server, but doesn't contain a function for cooperation
with L2TP.
In L2TP, all user IP addresses are uniformly assigned by HQ (the LNS or AAA server), so
there is no need to configure an address pool on the LAC (even if an address pool is
configured, so long as the L2TP tunnel has already been established, the HQ address pool will
be preferentially used for address assignment), but ordinary PPPoE dialing needs an address
pool to be configured on the PPPoE server.
We can use the below packet capture to analyze the process of establishing a PPPoE
connection.
168
Learn Firewalls with Dr. WoW
The negotiation process in the PPPoE discovery step is quite important. As shown in Table
5-9, the PPPoE client and PPPoE server exchange PADI, PADO, PADR and PADS packets to
confirm each other's Ethernet address and PPPoE session ID.
Table 5-9 Negotiation process in the PPPoE discovery stage
Step 1
PADI
Step 2
PADO
Step 3
PADR
Step 4
PADS
PPPoE Client: Attention, attention, I
want to connect to PPPoE, who will
come help me?
PPPoE Server: PPPoE client, look for
me, I'll help you!
PPPoE Client: That's great PPPoE
Server! I'd like to establish a PPPoE
session with you.
PPPoE Server: Fine. I'll send the
session ID to you, and we can simply
use this ID to establish a PPPoE session.
Then, following PPP LCP negotiation and PPP CHAP authentication, the PPPoE connection is
established.
5.5.2 Step 2: Establishing the L2TP Tunnel— Three Pieces of
Information to Negotiate Entrance to the Wormhole
Let's first look at the specific configuration of the LAC and LNS, as shown in Table 5-10.
169
Learn Firewalls with Dr. WoW
Table 5-10 Configuring the NAS-initiated VPN's L2TP
LAC
LNS
l2tp enable
l2tp enable
l2tp-group 1
interface Virtual-Template 1
tunnel authentication //Avoids
counterfeit LACs from connecting to the
LNS.
ppp authentication-mode chap
tunnel password cipher Password1
tunnel name lac
start l2tp ip 1.1.1.2 fullusername
user1 //Designates the address of the
other tunnel terminal.
ip address 172.16.0.1 255.255.255.0
remote address pool 1
l2tp-group 1
tunnel authentication //Avoids
counterfeit LACs from connecting to the
LNS.
tunnel password cipher Password1
allow l2tp virtual-template 1 remote lac
//Designates the VT interface and allows a
remote LAC connection.
aaa
local-user user1 password Password1
local-user user1 service-type ppp
ip pool 1 172.16.0.2 172.16.0.100
The LAC and the LNS exchange three pieces of information in negotiating the L2TP tunnel.
We've already covered this process in "5.4 L2TP Client-initiated VPNs", and we'll review this
again here. See the packet capture information below:
The tunnel ID negotiation process is shown in Table 5-11.
Table 5-11 Tunnel ID negotiation process
Step 1
SCCRQ
Step 2
SCCRP
LAC: LNS, use "1" as the
Tunnel ID to communicate
with me.
LNS: OK. LAC, make sure
you also use "1" as your
tunnel ID to communicate
with me.
170
Learn Firewalls with Dr. WoW
Step 3
LAC: OK.
-
SCCCN
5.5.3 Step 3 Establishing an L2TP Session—Three Pieces of
Information to Awaken the Wormhole Gatekeeper
The LAC and the LNS exchange three pieces of information to negotiate a session ID and
establish an L2TP session. We'll likewise review this process again. See the packet capture
information below:
Table 5-12 gives the session ID negotiation process.
Table 5-12 Session ID Negotiation Process
Step 1
ICRQ
LAC: LNS, use "4" as the session ID to
communicate with me.
ICRP
LNS: OK, LAC, and make sure you also
use "4" as the session ID to
communicate with me.
Step 3
LAC: OK.
Step 2
-
ICCN
5.5.4 Steps 4-5: LNS Authentication and IP Address
Assignment—the LNS Sternly Accepts the LAC
1.
LNS authentication and secondary authentication (optional)
The LAC sends user information to the LNS for authentication. However, the LNS
understands all too well that the LAC is only an "agent", and the LNS can adopt one of
three attitudes towards this:
−
LAC agent authentication: the LNS doesn't trust that the LAC is trustworthy, and
directly carries out authentication of the user information sent by the LAC.
171
Learn Firewalls with Dr. WoW
−
Enforce mandatory CHAP authentication: the LNS doesn't trust the LAC, and
requires that a "qualification inspection" be carried out anew of the user (enforce new
CHAP authentication of the user).
−
LCP re-negotiation: the LNS not only doesn't trust the LAC, but also expresses its
dissatisfaction with the aforesaid "service contract" that was signed, and requires the
user to again 'negotiate services' (re-initiate LCP negotiation, and negotiate MRU
parameters and authentication methods).
The latter two methods are together called LNS secondary authentication. If the LNS is
configured for secondary authentication but the PPPoE client does not support secondary
authentication, this means the L2TP VPN cannot be established. The common point
between these two secondary authentications is that the LNS skirts around the LAC and
carries out direct verification of the user information provided by the PPPoE client,
providing increased security protections for VPN services. Configuration methods for
the three kinds of authentication methods are shown in Table 5-13.
Table 5-13 Configuring a NAS-initiated VPN's LNS authentication
Authentication
Method
Configuration Method
LAC proxy
authentication*
Default, don't need to
configure
Mandatory
CHAP
authentication
**
l2tp-group 1
LCP
re-negotiation***
interface
virtual-template 1
Packet Capture Analysis
The LNS directly authenticates the user information sent by
the LAC, and if authentication is successful a PPP
connection is established.
mandatory-chap
The LNS re-conducts CHAP authentication of the user. The
LNS sends a challenge, the PPPoE client uses the challenge
to send the user name and encrypted password to the LNS,
and after the LNS authenticates this, a PPP connection is
successfully established.
ppp authentication-mode
chap // designates
authentication mode
after re-negotiation
l2tp-group 1
mandatory-lcp
The LNS re-initiates LCP negotiation, negotiates MRU
parameters and an authentication method, and then conducts
CHAP authentication. After successful negotiation, a PPP
connection is established.
* Represents degree of excellence; configuring LCP re-negotiation is the most preferable of these three
methods.
2.
IP address assignment
The LNS assigns an IP address for the PPPoE client through PPP IPCP negotiation.
172
Learn Firewalls with Dr. WoW
We went over the address pool's address planning problem in section 5.4 "Client-initiated
VPNs", and you can go back and review this if you wish.
Let's summarize the characteristics of NAS-initiated VPNs:
As shown in Figure 5-29, in NAS-initiated VPNs, multiple tunnels can be established
between a LNS-LAC pair (one is built for every L2TP group), and every tunnel can carry
multiple sessions. This means that each LAC can carry sessions for all dial-up users of
the branch organization it belongs to. For example, PPP connection 1 and L2TP session 1
are established between access user 1 and the LNS, and PPP connection 2 and L2TP
session 2 are established between access user 2 and the LNS. When a user dials-in, this
triggers establishment of a tunnel between the LAC and the LNS. So long as this user
doesn't go offline, when other users dial-in, they will establish sessions in the existing
tunnel rather than re-triggering tunnel establishment.
Figure 5-29 Relationship between an L2TP tunnel and session with the PPP connection on a
NAS-initiated VPN
Access user 1
LAC
LNS
Intranet server
Access user 2
PPPoE dial-up
L2TP tunnel
PPP connection 1
L2TP session 1
PPP connection 2
L2TP session 2
……
5.5.5 Step 6: Data Encapsulation Transmission— Obstacle-Free
Communication
After the PPPoE client packets bound for the HQ server reach the LAC, the LAC gives the
packets three layers of "alter-egos", these being the L2TP header, the UDP header and the
public network IP header, and then sends these to the LNS. After the LNS receives the packets,
it strips off these three layers of "alter-egos", and then forwards the packet to the internal
server.
173
Learn Firewalls with Dr. WoW
Public IP header
UDP header
L2TP header
PPP header
Private IP header
Figure 5-30 shows the process of packet encapsulation and decapsulation in a NAS-initiated
VPN scenario.
Figure 5-30 NAS-initiated VPN packet encapsulation process
Access user
(PPPoE client)
Data
LAC
(PPPoE server)
Data
Intranet
server
LNS
L2TP tunnel
Data
Data
Private IP
Private IP
Private IP
Private IP
PPP header
PPP header
PPP header
PPP header
L2TP header
L2TP header
Data
Data
PPPoE header
PPPoE header
UDP header
UDP header
Private IP
Private IP
Ethernet header
Ethernet header
Public IP
Public IP
Ethernet header
Ethernet header
PPP encapsulation
PPPoE encapsulation
PPPoE
decapsulation
L2TP
encapsulation
L2TP decapsulation
Ethernet
PPP decapsulation encapsulation
Ethernet
decapsulation
Data flow direction
As with client-initiated VPNs, in NAS-initiated VPN scenarios, the LNS will also
automatically issue a host route (UNR route) for the PPPoE client that obtained the private
network IP address, and use this to guide return packets from the internal server bound for the
PPPoE client into the tunnel.
5.5.6 Approach to Security Policy Configuration
NAS-initiated VPN security policy configuration is a bit more troublesome than for
client-initiated VPNs because both the LAC and the LNS need to be configured. However, the
approach to configuration is similar.
As shown in Figure 5-31, in our hypothetical scenario, the LAC's GE0/0/2 is connected to the
Internet, and belongs to the Untrust zone. On the LNS, GE0/0/1 is connected to the private
network, and belongs to the Trust zone; GE0/0/2 is connected to the Internet, and belongs to
the Untrust zone; the VT interface belongs to the DMZ zone; the IP address assigned by the
LNS for the PPPoE client is 172.16.0.2.
174
Learn Firewalls with Dr. WoW
Figure 5-31 Network organization for VPN security policy configuration in a NAS-initiated VPN
DMZ
VT1
172.16.0.1/24
Untrust
172.16.0.2
GE0/0/1
PPPoE client
Untrust
GE0/0/2
1.1.1.1/24
Trust
GE0/0/2
1.1.1.2/24
GE0/0/1
L2TP tunnel
LAC
(PPPoE server)
LNS
192.168.0.2/24
The security policy configuration process is as follows:
2.
We first configure the interzone security policy to be as broad as possible, to aid in
L2TP VPN adjustment/testing.
The LAC's interzone default packet filtering action is set to "permit":
[LAC] firewall packet-filter default permit all
The LNS's interzone default packet filtering action is also set to "permit":
[LNS] firewall packet-filter default permit all
3.
After both the LAC and LNS have configured L2TP, we ping the internal server with the
PPPoE client, and then look at both the LAC and LNS session tables.
−
LAC session table
[LAC] display firewall session table verbose
Current Total Sessions : 1
l2tp VPN:public --> public
Zone: local--> untrust TTL: 00:02:00 Left: 00:01:52
Interface: GigabitEthernet0/0/2 NextHop: 1.1.1.2 MAC: 00-00-00-53-62-00
<--packets:26 bytes:1655 -->packets:11 bytes:900
1.1.1.1:60416-->1.1.1.2:1701
Analysis of the session table provides the direction of packets on the LAC, as shown
in Figure 5-32.
Figure 5-32 LAC packet direction
Untrust
GE0/0/1
L2TP
tunnel
Local
PPPoE client
Private IP address:
172.16.0.2/24
GE0/0/2
1.1.1.1
LAC
Original packet from the PPPoE client to
the intranet server
L2TP packet
175
Learn Firewalls with Dr. WoW
There is no ICMP session on the LAC, just the one L2TP session. Therefore, a
Local-->Untrust security policy needs to be configured on the LAC permitting the
LAC and LNS to build an L2TP tunnel. Moreover, the PPPoE client's packets
accessing the internal server will first be encapsulated into PPPoE packets, then
be directly encapsulated into L2TP packets when the LAC receives the PPPoE
packet, and finally enter the L2TP tunnel, and so these are not controlled by the
security policy. Therefore, only a Local-->Untrust security policy needs to be
configured on the LAC.
−
LNS session table
[LNS] display firewall session table verbose
Current Total Sessions : 2
l2tp VPN:public --> public
Zone: untrust--> local TTL: 00:02:00 Left: 00:01:52
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:18 bytes:987 -->packets:23 bytes:2057
1.1.1.1:60416-->1.1.1.2:1701
icmp VPN:public --> public
Zone: dmz--> trust TTL: 00:00:20 Left: 00:00:00
Interface: GigabitEthernet0/0/1 NextHop: 192.168.0.2 MAC:
54-89-98-62-32-60
<--packets:4 bytes:336 -->packets:5 bytes:420
172.16.0.2:52651-->192.168.0.2:2048
There are two sessions on the LNS: one L2TP session, and one ICMP session. Analysis
of the session table provides the direction of packets on the LNS, as shown in Figure
5-33.
Figure 5-33 LNS packet direction
DMZ
VT
Untrust
L2TP
tunnel
Trust
Local
1.1.1.2 GE0/0/2
GE0/0/1
Intranet server
192.168.0.2/24
LNS
Original packet from the PPPoE client to
the intranet server
L2TP packet
The above figure shows that a DMZ-->Trust security policy needs to be configured on
the LNS permitting PPPoE client packets seeking access to the internal server to pass; an
Untrust-->Local security policy permitting the LAC and LNS to build an L2TP tunnel
also needs to be configured.
After the L2TP tunnel is established, when the internal server initiates a call on the
PPPoE client, the packet direction is the opposite of when the PPPoE client accesses the
server, and there is no need to further elaborate on this.
176
Learn Firewalls with Dr. WoW
To summarize, the security policies that should be configured on the LAC and LNS
under various conditions are shown in Table 5-14, and we should configure the security
policies that best match existing conditions.
Table 5-14 Selecting security policies for the LAC and LNS based upon conditions
Direction of
Transaction
Device
Source
Security
Zone
Destination
Security Zone
Source Address
Destination
Address
Used
in
PPPoE client
accesses the
server
LAC
Local
Untrust
1.1.1.1/32
1.1.1.2/32
L2TP
LNS
Untrust
Local
1.1.1.1/32
1.1.1.2/32
L2TP
DMZ
Trust
172.16.0.2~172.16.0.1
00
192.168.0.0/24
*
172.16.0.2~172.1
6.0.100
*
address pool
addresses
Server
accesses the
PPPoE client
LNS
Trust
DMZ
192.168.0.0/24
address pool
addresses
*: Use in this instance is related to the transaction type, and can be configured according to actual
circumstances (for example: TCP, UDP, and ICMP).
In this scenario, the LNS only passively accepts the LAC's request to establish the tunnel, but will not
actively initiate a request to the LAC to establish the tunnel, so only an Untrust-->Local security policy
needs to be configured on the LNS for the L2TP tunnel.
Therefore, in L2TP VPNs using the NAS-initiated method, the LNS's VT interface
must be added to a security zone, and the security zone the VT interface belongs to
determines the packet's direction within the device. If the VT interface belongs to the
Trust zone, a DMZ-Trust interzone security policy doesn't need to be configured, but this
will also carry with it additional security risks. Therefore, it is advisable to add the VT
interface to a separate security zone, and then configure the most appropriate security
policy.
4.
Finally, the default packet filtering's action is changed to "deny".
Set the LAC's interzone default packet filtering action to "deny":
[LAC] firewall packet-filter default deny all
Set the LNS's interzone default packet filtering action to "deny":
[LNS] firewall packet-filter default deny all
In NAS-initiated VPNs, the branch organization user must dial-in before using the L2TP
VPN, and packets also need to be encapsulated into PPPoE, which is too much trouble.
Moreover, dial-up networks are gradually disappearing, and Ethernet is becoming
mainstream—does this mean that branch organization users cannot access the HQ
network directly on the Ethernet? Of course they can. Mankind's desire to reduce work is
the real driver of advances in science and technology, and in the next section I'll
introduce LAC-auto-initiated VPNs to everyone, in which the LAC automatically dials
the LNS, eliminating the dial-up process for branch organization employees—this is
known as being the L2TP VPN that involves the least work.
177
Learn Firewalls with Dr. WoW
5.6 L2TP LAC-Auto-initiated VPNs
LAC-auto-initiated VPNs are also called LAC automatic dialing VPNs. These do just what
they sound like they do—after LAC configuration is complete, the LAC will automatically
dial the LNS and establish an L2TP tunnel and session, meaning that it is not necessary for the
branch organization user to dial-up to trigger this. For the branch organization user, this
means that accessing the HQ network is the same as accessing his/her own branch
organization's network, and he/she won't feel at all as if they are on a remote connection.
However, in this method the LNS only authenticates the LAC, so that so long as the branch
organization user is able to connect to the LAC they can use the L2TP tunnel to connect to
HQ, meaning that this method offers slightly lower security compared with NAS-initiated
VPNs.
5.6.1 LAC-Auto-initiated VPN Principles and Configuration
As shown in Figure 5-34, the set-up process for LAC-auto-initiated VPNs is similar to that of
client-initiated VPNs, except that for LAC-auto-initiated VPNs, the LAC has replaced the role
the L2TP client plays for client-initiated VPNs.
Figure 5-34 Set-up process for LAC-auto-initiated VPNs
LNS
LAC
Intranet server
L2TP tunnel
Branch
HQ
1. Establish an L2TP tunnel.
2. Establish an L2TP session.
3. Establish a PPP connection.
Authentication succeeds,
and an address is allocated.
4. Encapsulate data and
transmit the packet.
Each step in the set-up process is largely similar to the set-up process for client-initiated
VPNs, and I won't say any more except that you can review "5.4 L2TP Client-initiated VPNs".
One point to note is that in step 3, the LNS only authenticates the LAC, and after successful
authentication the LNS assigns an IP address to the LAC's VT interface, not to the branch
organization user. Although the LNS does not assign an IP address for the branch organization,
this doesn't mean that the branch organization's IP address can be configured at will. In order
to ensure normal access between the branch organization network and the HQ network, please
plan separate, independent private network segments for the branch organization and HQ
networks, and ensure that the network segments for the two do not overlap.
178
Learn Firewalls with Dr. WoW
Configuration of LAC-auto-initiated VPNs is not complicated, and we can set up a network
like the one shown in Figure 5-35.
Figure 5-35 LAC-auto-initiated VPN network
LNS address pool: 10.1.1.2
Intranet server
VT interface IP address: 10.1.1.1 192.168.0.2
LAC
User in a branch
172.16.0.2
172.16.0.1/24
1.1.1.1/24
1.1.1.2/24
Branch
192.168.0.1/24
HQ
Configuration for the LAC and LNS is shown in Table 5-15. A key point is that the
connections between the LAC, LNS, and internal server are direct connections, eliminating
the need to configure routing. User authentication also uses relatively simple local
authentication. Additionally, gateways need to be configured for both the branch organization
user and the internal network server, to ensure that packets exchanged between the two are
able to be sent to the LAC and LNS.
Table 5-15 Configuring an L2TP LAC-auto-initiated VPN
LAC
LNS
l2tp enable
l2tp enable
l2tp-group 1
interface Virtual-Template 1
tunnel authentication
tunnel password cipher Password1
tunnel name lac
start l2tp ip 1.1.1.2 fullusername lac
//Designates an address for the tunnel's
other terminal.
interface Virtual-Template 1
ppp authentication-mode chap
ip address 10.1.1.1 255.255.255.0
remote address pool 1
l2tp-group 1
tunnel authentication
tunnel password cipher Password1
ppp authentication-mode chap
allow l2tp virtual-template 1 remote lac
//Permits remote access.
ppp chap user lac
aaa
ppp chap password cipher Password1
local-user lac password Password1
ip address ppp-negotiate
call-lns local-user lac binding
l2tp-group 1 //LAC dials LNS.
ip route-static 192.168.0.0
255.255.255.0 Virtual-Template 1
//Configures a static route to the HQ
network; this is different than in
client-initiated VPNs and NAS-initiated
VPNs, and the LAC must configure this
route to guide branch organization user
packets seeking to access the HQ network
into the L2TP tunnel.
local-user lac service-type ppp
ip pool
assigns
address
address
1 10.1.1.2 //As the LNS only
addresses for the LAC, only one IP
needs to be configured in the
pool.
ip route-static 172.16.0.0 255.255.255.0
Virtual-Template 1 //Configures a
static route to the branch organization
network; if a source NAT is configured on
the LAC this route does not need to be
configured, and more details about this are
provided below.
179
Learn Firewalls with Dr. WoW
The characteristics of LAC-Auto-initiated VPN tunnels are briefly summarized below:
As shown in Figure 5-36, in LAC-auto-initiated VPN scenarios, a permanent tunnel is
established between the LAC and LNS, which only carries one permanent L2TP session and
PPP connection. The L2TP session and PPP connection only exists between the LAC and the
LNS.
Figure 5-36 Relationship between the L2TP tunnel/session and the PPP connection on a
LAC-auto-initiated VPN
User in a branch
LAC
Intranet server
LNS
Permanent L2TP tunnel
Permanent L2TP session
Permanent PPP connection
PPP encapsulation and L2TP encapsulation in a LAC-auto-initiated VPN are limited only to
packets exchanged between the LAC and the LNS, as shown in Figure 5-37.
Figure 5-37 LAC-auto-initiated VPN packet encapsulation process
User in a branch
Data
Private IP
LAC
Data
L2TP tunnel
LNS
Data
Data
Private IP
Private IP
Private IP
PPP header
PPP header
L2TP header
L2TP header
UDP header
UDP header
Public IP
Public IP
PPP encapsulation
L2TP encapsulation
Intranet server
L2TP decapsulation
PPP decapsulation
Data flow direction
Additionally, there is still another issue that requires special attention, this being how return
packets enter the tunnel. This process is different than in client-initiated VPNs and
NAS-initiated VPNS; in LAC-auto-initiated VPNs the LNS only issues one destination
address for the LAC's VT interface address's UNR route, and doesn't have a route going to the
branch organization's network. In response to this the LNS asserts: "I'm only responsible for
assigning IP addresses, and can ensure that the LAC's VT interface is reached. The branch
180
Learn Firewalls with Dr. WoW
organization network's addresses are not assigned by me, and I don't even know what their
addresses are, so I can only say 'Sorry, I can't help you'".
How can this problem be resolved? The simplest method is to manually configure a static
route to the branch organization network on the LNS, guiding the return packets into the
tunnel:
[LNS] ip route-static 172.16.0.0 255.255.255.0 Virtual-Template 1
Are there other methods we can use besides configuring a static route? I've just recalled NAT,
which we mentioned earlier! Even if the LNS only recognizes the IP addresses it assigns, we
can configure a source NAT function on the LAC to convert the source addresses of the
packets from the branch organization accessing the HQ network into the VT interface's
address—this is the Easy-IP method's "source NAT". After the LNS receives a return packet,
and discovers the destination address is the LAC's VT interface's address, it will forward this
by a direct route into the tunnel. In this way there is no need to configure a static route on the
LNS.
I will next use a real network shown in Figure 5-38 as an example to briefly introduce the
whole process for packet encapsulation and decapsulation when a branch organization user
accesses the HQ server following configuration of source NAT on a LAC:
Figure 5-38 The LAC-auto-initiated VPN packet encapsulation process following configuration
of source NAT on the LAC
User in a branch
172.16.0.2
LAC
VT: 10.1.1.2
Static route: 192.168.0.0 24
Source NAT
1.1.1.1/24
172.16.0.1/24
1 Original packet
VT1
NAT + PPP encapsulation +
L2TP encapsulation
LNS
VT: 10.1.1.1
Direct route: 10.1.1.2 32
1.1.1.2/24
VT1
Intranet server
192.168.0.2
192.168.0.1/24
PPP decapsulation +
L2TP decapsulation
Decapsulated packet
Data
Data
Data
Data
Source IP: 172.16.0.2
Source IP: 10.1.1.2
Source IP: 10.1.1.2
Source IP: 10.1.1.2
Destination IP: 192.168.0.2
Destination IP: 192.168.0.2
Destination IP: 92.168.0.2
Destination IP: 192.168.0.2
PPP
PPP
L2TP
L2TP
UDP
UDP
Public source IP: 1.1.1.1
Public source IP: 1.1.1.1
Public destination IP: 1.1.1.2
Decapsulated packet
2.
PPP decapsulation + L2TP
decapsulation + NAT by
matching the session table
Public destination IP: 1.1.1.2
Entering the VT interface
according to the direct route
PPP encapsulation + L2TP
encapsulation
2 Return packet
Data
Data
Data
Data
Source IP: 192.168.0.2
Source IP: 192.168.0.2
Source IP: 192.168.0.2
Source IP: 192.168.0.2
Destination IP: 172.16.0.2
Destination IP: 10.1.1.2
Destination IP: 10.1.1.2
Destination IP: 10.1.1.2
PPP
PPP
L2TP
L2TP
UDP
UDP
Public source IP: 1.1.1.2
Public source IP: 1.1.1.2
Public destination IP: 1.1.1.1
Public destination IP: 1.1.1.1
After the LAC receives an original packet from a branch organization user seeking
access to the HQ server, it checks the route according to the destination address, selects
our manually configured static route, and sends the packet to the VT interface.
181
Learn Firewalls with Dr. WoW
3.
The LAC conducts NAT conversion on the original packet at the VT interface,
converting the source address into the VT interface's address, and then encapsulates a
PPP header, an L2TP header and a public network address onto the packet. The LAC
then checks the route based upon the public network destination address, and sends the
encapsulated packet to the LNS.
4.
After the LNS receives the packet, it strips away the PPP header and the L2TP header,
and checks the route based upon the destination address (this is a directly connected
route), and then sends the packet to the HQ server.
5.
After the LNS receives the return packet from the HQ server, it checks the route based
upon the destination address, selects the route automatically issued by the LNS, and
sends the packet to the VT interface.
6.
The packet is encapsulated with a PPP header, an L2TP header and a public network
address at the VT interface. The LNS checks the route based upon the public network
address, and sends the encapsulated packet to the LAC.
7.
After the LAC receives the packet, it strips away the PPP header and the L2TP header,
converts the packet's destination address into the branch organization user's address, and
then sends the packet to the branch organization user.
An example of configuring the Easy-IP method's source NAT on the LAC is given below (this
example assumes the LAC's interface connecting to the branch organization network belongs
to the Trust zone, and that the VT interface belongs to the DMZ zone):
[LAC] nat-policy interzone trust dmz outbound
[LAC-nat-policy-interzone-trust-dmz-outbound] policy 1
[LAC-nat-policy-interzone-trust-dmz-outbound-1] policy source 172.16.0.0 0.0.0.255
[LAC-nat-policy-interzone-trust-dmz-outbound-1] action source-nat
[LAC-nat-policy-interzone-trust-dmz-outbound-1] easy-ip Virtual-Template 1
5.6.2 Approach to Security Policy Configuration
The overall approach to security policy configuration in LAC-auto-initiated VPNs is basically
the same as the configuration approaches introduced in the previous two sections, but we'll
still discuss this briefly below.
In Figure 5-39 we assume that on the LAC and LNS GE0/0/1s are connected to the private
network and belong to the Trust zone; GE0/0/2s are connected to the Internet, and belong to
the Untrust zone; the VT interfaces belong to the DMZ zone.
Figure 5-39 Network security policy configuration in a LAC-auto-initiated VPN
DMZ
DMZ
VT1
10.1.1.2/24
VT1
10.1.1.1/24
Untrust
Trust
GE0/0/1
User in a branch
172.16.0.2
Untrust
Trust
GE0/0/2
1.1.1.2/24
GE0/0/2
1.1.1.1/24
GE0/0/1
L2TP tunnel
LAC
LNS
Intranet server
192.168.0.2
The process for security policy configuration is as follows:
182
Learn Firewalls with Dr. WoW
2.
We first configure the broadest possible interzone security policy to assist L2TP
VPN adjustments/testing.
The LAC's interzone default packet filtering action is set to "permit":
[LAC] firewall packet-filter default permit all
The LNS's interzone default packet filtering action is set to "permit":
[LNS] firewall packet-filter default permit all
3.
After the LAC and LNS have successfully configured L2TP, a branch organization user
pings the internal network server to initiate access, and the LAC and LNS's session
tables are then checked.
−
LAC session table
[LAC] display firewall session table verbose
Current Total Sessions : 2
l2tp VPN:public --> public
Zone: local--> untrust TTL: 00:02:00 Left: 00:01:57
Interface: GigabitEthernet0/0/2 NextHop: 1.1.1.2 MAC: 00-00-00-c5-48-00
<--packets:38 bytes:2517 -->packets:62 bytes:4270
1.1.1.1:60416-->1.1.1.2:1701
icmp VPN:public --> public
Zone: trust--> dmz TTL: 00:00:20 Left: 00:00:07
Interface: Virtual-Template1 NextHop: 192.168.0.2 MAC: 00-00-00-c5-48-00
<--packets:1 bytes:60 -->packets:1 bytes:60
172.16.0.2:11749-->192.168.0.2:2048
Analysis of the session table provides the direction of packets on the LAC, as shown
in Figure 5-40.
Figure 5-40 LAC packet direction
DMZ
VT
Trust
Untrust
GE0/0/1
L2TP
tunnel
Local
User in a branch
Private IP address:
172.16.0.2/24
GE0/0/2
1.1.1.1
LAC
Original packet from the branch
to the intranet server
L2TP packet
As shown above, the LAC needs to configure a Trust-->DMZ security policy to
permit the branch organization user's packets seeking access to the internal server to
pass; it also needs to configure a Local-->Untrust security policy to allow the LAC
and the LNS to establish an L2TP tunnel.
−
LNS session table
183
Learn Firewalls with Dr. WoW
[LNS] display firewall session table verbose
Current Total Sessions : 2
l2tp VPN:public --> public
Zone: untrust--> local TTL: 00:02:00 Left: 00:01:52
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:18 bytes:987 -->packets:23 bytes:2057
1.1.1.1:60416-->1.1.1.2:1701
icmp VPN:public --> public
Zone: dmz--> trust TTL: 00:00:20 Left: 00:00:00
Interface: GigabitEthernet0/0/1 NextHop: 192.168.0.2 MAC:
54-89-98-62-32-60
<--packets:4 bytes:336 -->packets:5 bytes:420
172.16.0.2:52651-->192.168.0.2:2048
There are two sessions on the LNS: one L2TP session, and one ICMP session. Analysis
of the session table provides the LNS's packet direction, as shown in Figure 5-41.
Figure 5-41 LNS packet direction
DMZ
VT
Untrust
L2TP tunnel
Trust
Local
1.1.1.2 GE0/0/2
GE0/0/1
Intranet server
192.168.0.2/24
LNS
Original packet from the branch
to the intranet server
L2TP packet
From the above it is obvious that a DMZ-->Trust security policy needs to be configured on
the LNS to permit branch organization users' packets seeking access to the internal network
server to pass; an Untrust-->Local security policy also needs to be configured to permit the
LAC and LNS to establish an L2TP tunnel.
After the L2TP tunnel is established, when the PC initiates a call on the server, the packet
direction is the opposite of the direction when the server accesses the PC, and we do not need
to elaborate further about this
To summarize, the security policies that should be configured on the LAC and LNS under
various conditions are shown in Table 5-16, and we should configure the security policies that
best match existing conditions.
184
Learn Firewalls with Dr. WoW
Table 5-16 Selecting security policies for the LAC and LNS based upon existing conditions
Direction of
Transaction
Device
Source
Security Zone
Destination
Security Zone
Source
Address
Destination
Address
Used
in
PC seeks
access to the
server
LAC
Local
Untrust
1.1.1.1/32
1.1.1.2/32
L2TP
Trust
DMZ
172.16.0.0/24
192.168.0.0/24
*
Untrust
Local
1.1.1.1/32
1.1.1.2/32
L2TP
DMZ
Trust
172.16.0.0/24
192.168.0.0/24
*
LAC
DMZ
Trust
192.168.0.0/24
172.16.0.0/24
*
LNS
Trust
DMZ
192.168.0.0/24
172.16.0.0/24
*
LNS
Server seeks
access to the
PC
*: Use in this instance is related to the transaction type, and can be configured according to actual
circumstances (for example: TCP, UDP, and ICMP).
Therefore, in L2TP scenarios using the LAC automatic dial-up method, the LAC and
LNS's VT interfaces must be added to security zones, and the security zones the VT
interfaces belong to determine the direction of the packet within the device. If a VT
interface belongs to the Trust zone, then a DMZ-Trust interzone security policy does not
need to be configured, but this will add additional security risk. Therefore, it is suggested
that the VT interfaces be added to separate security zones, and that the most appropriate
security policy be configured for them.
4.
Finally, the default packet filtering's action is set to "deny".
Set the LAC's interzone default packet filtering action to "deny":
[LAC] firewall packet-filter default deny all
Set the LNS's interzone default packet filtering action to "deny":
[LNS] firewall packet-filter default deny all
5.7 Summary
Over the past three sections I've introduced three kinds of L2TP VPNs, and we'll summarize
these three kinds of L2TP VPNs in Table 5-17.
185
Learn Firewalls with Dr. WoW
Table 5-17 Comparison of three kinds of L2TP VPNs
Item
Client-initiated VPN
NAS-initiated VPN
LAC-Auto-initiated VPN
Negotiation method
The L2TP client and the
LNS negotiate the
establishment of an
L2TP tunnel and L2TP
session, and establish a
PPP connection.
The access user uses
PPPoE dial-up to
trigger the
establishment of an
L2TP tunnel and L2TP
session between the
LAC and LNS, and the
access user and LNS
negotiate the
establishment of a PPP
connection.
The LAC initiates dialing,
and negotiates the
establishment of an L2TP
tunnel and L2TP session and
of a PPP connection with the
LNS.
Tunnel and session
relationship
One L2TP tunnel is
established between
every L2TP client and
LNS, and each tunnel
only carries one L2TP
session and PPP
connection.
Multiple L2TP tunnels
can exist between a
LAC and a LNS, and
one L2TP tunnel can
carry multiple L2TP
sessions.
A permanent L2TP tunnel is
established between the LAC
and LNS, which only carries
one permanent L2TP session
and PPP connection.
Security
The LNS conducts PPP
authentication of the
L2TP client (PAP or
CHAP); this method
offers relatively high
security.
The LAC authenticates
access users, and then
the LNS conducts
secondary
authentication
(optional) of access
users; this offers the
highest in security.
The LAC does not conduct
authentication of users; the
LNS conducts PPP
authentication (PAP or
CHAP) of LAC configured
users. This provides low
security.
Return route
The LNS will
automatically issue a
UNR route, guiding the
return packet into the
L2TP tunnel; manual
configuration is not
required.
The LNS will
automatically issue a
UNR route, guiding the
return packet into the
L2TP tunnel; manual
configuration is not
required.
It is necessary to manually
configure the LNS so that the
destination address is the
network segment's static
route, or configure the
easy-IP method's source NAT
for the LAC.
IP address assignment
The LNS assigns an IP
address for the client.
The LNS assigns an IP
address for the client.
The LNS assigns an IP
address for the LAC's VT
interface.
Our look at L2TP VPNs has ended. It is important to note that none of the L2TP VPN
methods supports encryption functions, and therefore security risks are present during the
process of data transmission through the tunnel. How can this problem be resolved? The
answer to this will be clear after we've studied the functionally powerful, hard-to-configure,
and highly secure IPSec VPNs.
186
Learn Firewalls with Dr. WoW
6
IPSec VPN
6.1 IPSec Overview
With the wide-spread use of GRE and L2TP, private "Tiandihui" (lit. Heaven and Earth
Society, in reference to anti-Qing Dynasty resistance groups) have also kept pace with the
times, deploying host-to-sub-hosts GREs and L2TPs. Hosts and sub-hosts use GRE and L2TP
tunnels to exchange and transmit messages. The cause to "overthrow the Qing Dynasty and
restore the Ming Dynasty" is in full swing. However, the good times rarely last for long, and
many of the confidential messages transmitted between hosts and sub-hosts have been seized
by "government officials". Sub-host client groups have been rounded up by the dozen. An
undercurrent surges through the Internet, and the road ahead is perilous.
Faced with the faction's life and death, Host Chen hastened to convene a conference to discuss
countermeasures. The problem at hand, be it GRE or L2TP, no security encryption measures
had been taken for any established tunnels, and as such, it is all too easy for "government
officials" to seize plaintext confidential messages transmitted between hosts and sub-hosts
through both GRE and L2TP tunnels. Tiandihui was faced with the issue of ensuring the safe
transfer of messages. Private lines are a possible solution, but the treasures of the Sutra of 42
Chapters have yet to be discovered. Strapped for the cash needed to build host-to-sub-host
private lines, Tiandihui must seek recourse through an existing, common resource - the
Internet.
After paying homage to the Supreme Host, Tiandihui finally found the answer: IPSec (IP
Security). As a next-generation VPN technology, IPSec can establish secure, stable dedicated
lines across the Internet. Compared to GREs and L2TPs, IPSec is more secure and can
guarantee the safe transfer of messages between hosts and sub-hosts.
6.1.1 Encryption and Authentication
To discuss IPSec is no easy task. It's not a single maneuver, but rather a set of tactics. IPSec
cleverly borrows the art of hoodwinks from the school of cryptology and has created its own
unique blend of shapeshifting for safe passage through changing AHs (Authentication
Headers) and ESPs (Encapsulating Security Payloads) for positive identification to "return the
jade intact to its rightful owner". Even if the message is intercepted, no one would ever
understand it, and any message that has been tampered can be spotted almost instantly.
Shapeshifting for safe passage - encryption
As shown in Figure 6-1, IPSec borrows a simple trick - before either end transmits a
message, an encryption algorithm and cipher key is first used to change the message
header; this process is known as encryption. Once the other end receives the message,
the same encryption algorithm and cipher key is used to restore the message to its
187
Learn Firewalls with Dr. WoW
original; this process is known as decryption. As the message is being transmitted, it's
impossible to see its true nature, leaving perpetrators empty-handed.
Figure 6-1 Schematic of packet encryption/decryption
Source
Destination
IP packet
IP packet
Encryption algorithm
(encryption)
Symmetric
encryption key
Encrypted IP packet
Encryption algorithm
(decryption)
Encrypted IP packet
When Tiandihui hosts and sub-hosts must exchange messages, both ends must first agree to
an encryption algorithm and cipher key. Suppose that the host must send the command
"August 15, shores of Lake Taihu, holding a big event" to the sub-host. The host must first use
an incoherent encryption algorithm to garble the text. Then, once the cipher key "Overthrow
the Qing to Restore the Ming" is inserted, the encrypted command will finally read out a
message like "Overthrow 15 the Lake Taihu Qing shores to holding Restore a the big event
August Ming" which is then transmitted. Even if this message is intercepted by "government
officials" along the way, they'll be stumped, without even so much as a trace of the original
meaning. Once the sub-host receives the message, it will use the same encrypted algorithm
and decryption key "Overthrow the Qing to Restore the Ming", so that the message will be
restored to its original command "August 15, shores of Lake Taihu, holding a big event".
Hosts and sub-hosts use the same key for encryption and decryption. This method is also
known as a symmetric encryption algorithm (or symmetric-key algorithm), of which there are
3 - DES, 3DES and AES. See Table 6-1 for a comparison of the 3 algorithms.
Table 6-1 Symmetrical encryption algorithms
Item
DES
3DES
AES
Full Name
Data Encryption
Standard
Triple Data
Encryption Standard
Advanced Encryption
Standard
Key Length
(bits)
56
168
128, 192. 256
Security Level
Low
Medium
High
Positive identification to "return the jade intact to its rightful owner" - authentication
Packet authentication, as shown in Figure 6-2, is a process wherein an authentication
algorithm and authentication key pair is used before the message is transmitted to "sign
the papers" and create a signature. Then, the signature is sent together with the message.
Once the other end receives the message, the same authentication algorithm and
authentication key pair is used to get the same signature. If the packet is sent over with a
188
Learn Firewalls with Dr. WoW
signature, and if the signature is the same, it will verify that the message has not been
tampered with.
Figure 6-2 Schematic of packet authentication
Source
Destination
IP packet
IP packet
Yes
No
Signature
matched?
Signature
Authentication
algorithm
Symmetric
authentication
key
IP packet
IP packet
Drop
Signature
Authentication
algorithm
Signature
Apart from authenticating the integrity of the message, IPSec can also authenticate the source
of the message. That is, it positively identifies the message to ensure that the message was
sent from the real sender.
In general, authentication and encryption are used in tandem, and encrypted packets will go
through an authentication algorithm to generate signatures. MD5 and SHA series algorithms
are two common forms of authentication. See Table 6-2 for a comparison of the two.
Table 6-2 Authentication algorithms
Item
MD5
SHA1
SHA2
Full Name
Message Digest 5
Secure Hash Algorithm 1
Secure Hash Algorithm 2
Signature
Length (bits)
128
160
SHA2-256: 256
SHA2-384: 384
SHA2-512: 512
Security
Level
Low
Medium
High
Of IPSec's two feats, AHs can only be used for authentication but not for encryption. ESP, on
the other hand, can be used for both encryption and authentication. AH and ESP can be used
independently or in tandem.
189
Learn Firewalls with Dr. WoW
6.1.2 Security Encapsulation
Tiandihui cannot raise their "anti-Qing" banners or proclaim their mission, so they often have
to cloak their actions through "legitimate" forms of business. For instance, the public identity
of a host might be as online shopkeeper, and the public identity of a sub-host might be a buyer;
such an exchange just might be the best catch-all. To better utilize this catch-all, IPSec has
designed two modes of encapsulation:
Openly repair the gallery by day while secretly passing through Chencang - tunnel mode
With tunneling, before an AH or ESP header is inserted into the original IP header, a new
packet header is generated and placed before the AH or ESP header, as shown in Figure 6-3.
Figure 6-3 Tunnel mode packet encapsulation
Original packet
Original packet
Encapsulated packet
Encapsulated packet
Host FW
Sub-host FW
Original
packet
IP Header
AHencapsulated
packet
New IP Header
ESPencapsulated
packet
New IP Header ESP
AH
IP Header
TCP
Header
data
TCP
Header
data
TCP
Header
data
For authentication
IP Header
ESP Tail
ESP Auth
data
ESP Tail
ESP Auth
data
For encryption
AH-ESPencapsulated
packet
New IP Header
For authentication
AH
ESP
IP Header
TCP
Header
data
For ESP encryption
For ESP authentication
For AH authentication
The tunnel uses the new packet header to encapsulate the message; the new IP header's source
and destination IP addresses serve as the tunnel's two public IP addresses; in this way,
tunneling uses two gateways to establish an IPSec tunnel, thereby guaranteeing
communication between the two networks behind each gateway. This is currently one of the
more commonly-used modes of encapsulation. Messages within the host-to-sub-host private
network is often disguised as everyday communication between the identities of the host and
sub-host (public IP addresses) as ship-owner and buyer once the message is encrypted and
encapsulated so it won't be suspected.
190
Learn Firewalls with Dr. WoW
"The door opens on a view of mountains"; cut to the chase - transfer mode
In a transfer, the AH header or ESP header is inserted between the IP header and TCP, as
shown in Figure 6-4.
Figure 6-4 Transfer mode packet encapsulation
Packet encapsulation
Packet decapsulation
PC
PC
Original
packet
AHencapsulated
packet
IP Header
IP Header
AH
TCP Header
data
TCP Header
data
For authentication
ESPencapsulated
packet
IP Header
ESP
TCP Header
data
ESP Tail
ESP Auth data
ESP Tail
ESP Auth data
For encryption
For authentication
AH-ESPencapsulated
packet
IP Header
AH
ESP
TCP Header
data
For ESP encryption
For ESP authentication
For AH authentication
In a transfer, the packet header is left unchanged, and the tunnel source and destination IP
addresses are the final source and destination IP addresses of the string of communication. As
such, only messages sent between the two ends are protected instead of all network-wide
messages. For this reason, this mode is only useful for communication between two parties
rather than private networks amongst Tiandihui hosts and sub-hosts.
6.1.3 Security Associations
A connection established in IPSec between two ends is known as an SA (Security
Association). As the name suggests, the two ends become associates wherein the same
encapsulation mode, encryption algorithm, cipher key, authentication algorithm, and
authentication key are used, which naturally requires mutual trust and a degree of intimacy.
An SA is a unidirectional connection, wherein hosts and sub-hosts will establish an SA to
protect all aspects of communication. Host inbound SAs correspond to sub-host outbound
SAs, and host outbound SAs correspond to sub-host inbound SAs, as shown in Figure 6-5.
191
Learn Firewalls with Dr. WoW
Figure 6-5 Schematic of IPSec security association
Data flow 1
Data flow 2
Sub-host
FW
Host FW
Outbound
SA1
Inbound
Inbound
SA2
Outbound
Sub-host
FW
Host FW
To differentiate between SAs in different directions, IPSec will add unique identifier to each
SA. This identifier is called an SPI (Security Parameter Index).
The most direct method of establishing an SA is to have hosts and sub-hosts define
encapsulation modes, encryption algorithms, cipher keys, authentication algorithms, and
authentication keys, that is, to manually establish IPSec SAs.
6.2 Manual IPSec VPNs
Having learned of the power that IPSec had to offer, Tiandihui Host Chen decided to first
manually establish an IPSec between the host and a single sub-host to protect messages
transmitted within the internal host-to-sub-host network to test the security that IPSec tunnels
had to offer.
Figure 6-6 Manual IPSec VPN networking
Host
GE0/0/2
2.2.2.2/24
GE0/0/2
1.1.1.1/24
GE0/0/1
192.168.0.1/24
GE0/0/1
172.16.0.1/24
IPSec tunnel
FW_A
Sub-host
FW_B
PC_A
192.168.0.2/24
PC_B
172.16.0.2/24
IPSec is a VPN technique established on the Internet, overlaid on the fundamental features of
a firewall. As such, before an IPSec VPN is configured, communication throughout the entire
network must first be unimpeded. Specifically, the following two conditions must first be met:
The FW_A and FW_B are routable through a public network.
FW_A and FW_B security policies allow for traffic between PC_A and PC_B.
As for the configuration of IPSec VPN security policies, see section 6.10 "Security Policy
Configuration Roadmap". For now, we should avoid any detours and first focus on this
section - manual IPSec VPN configuration.
To make the relationships between encryption, authentication, and SA configuration even
clearer, there are 4 steps to manually configure an IPSec:
192
Learn Firewalls with Dr. WoW
Define which data flows must be protected
Only internal network messages between hosts and sub-hosts will be protected by the
IPSec. All other messages are unprotected.
Configure the IPSec proposal
Host and sub-host FWs decide whether or not to become an associate based on the other
party's proposal. Encapsulation modes, security protocols, encryption algorithms and
authentication algorithms are all set in the security proposal.
Configure the manual IPSec policy
The host and sub-host FW public IP addresses, the SA identifier (SAID), and the cipher
and authentication keys are designated.
Apply the IPSec policy
The logic behind manual IPSec configuration is as shown in Figure 6-7.
Figure 6-7 Schematic of manual IPSec VPN configuration
1. Define which data flows must
be protected.
security acl A
3. Configure the manual IPSec
policy
ipsec policy C
rule permit ip
security acl A
2. Configure the IPSec
proposal
proposal B
ipsec proposal B
tunnel remote
4. Apply the IPSec
policy
interface
ipsec policy C
tunnel local
transform
sa spi inbound
esp encryptionalgorithm
esp authenticationalgorithm
ah authenticationalgorithm
sa spi outbound
sa string-key inbound
sa string-key outbound
encapsulation-mode
Tiandihui host and sub-host FW key configurations and corresponding explanations are as
shown in Table 6-3.
Table 6-3 Manual IPSec VPN configuration (IPSec parameters)
Configuration
Host FW_A
Sub-Host FW_B
ACL
acl number 3000
acl number 3000
rule 5 permit ip source
192.168.0.0 0.0.0.255 destination
172.16.0.0 0.0.0.255
rule 5 permit ip source 172.16.0.0
0.0.0.255 destination 192.168.0.0
0.0.0.255
193
Learn Firewalls with Dr. WoW
IPSec Proposal
IPSec proposal pro1
IPSec proposal pro1
transform esp
transform esp
encapsulation-mode tunnel
encapsulation-mode tunnel
esp authentication-algorithm
sha1
esp authentication-algorithm sha1
esp encryption-algorithm aes
esp encryption-algorithm aes
IPSec Policy
IPSec Policy
Application
IPSec policy policy1 1 manual
security acl 3000
security acl 3000
proposal pro1
proposal pro1
tunnel local 1.1.1.1
tunnel local 2.2.2.2
tunnel remote 2.2.2.2
tunnel remote 1.1.1.1
sa spi inbound esp 54321
sa spi inbound esp 12345
sa spi outbound esp 12345
sa spi outbound esp 54321
sa string-key inbound esp
huawei@123
sa string-key inbound esp
huawei@456
sa string-key outbound esp
huawei@456
sa string-key outbound esp
huawei@123
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/2
ip address 1.1.1.1 255.255.255.0
IPSec policy policy1
Route
IPSec policy policy1 1 manual
ip route-static 172.16.0.0
255.255.255.0 1.1.1.2 //static
route configured in peer private
network to guide traffic through
the applied IPSec policy interface
ip address 2.2.2.2 255.255.255.0
IPSec policy policy1
ip route-static 192.168.0.0
255.255.255.0 2.2.2.1 //static route
configured in peer private network
to guide traffic through the applied
IPSec policy interface
When IPSec is manually configured, all IPSec SA parameters, including the encryption and
authentication keys, must be manually configured and updated by the user. Also, the IPSec
VPN access route between the two private network users can only rely on the configured
static route. There are not any better options.
Once deployed, PC_A will ping messages to PC_B and PC_B will ping back a reply.
Tiandihui simulated a "government" checkpoint on the Internet to find that the messages
pinged back and forth had already been protected by the IPSec SA. The IPSec SA identifier
SPIs for each direction were, respectively, 0x3039 (decimal notation 12345) as well as
0xd431 (decimal notation 54321), which are consistent with the configurations.
194
Learn Firewalls with Dr. WoW
Public network packet header
ESP header
Encapsulated message
Because tunneling was used for encapsulation, the external IP header address on the IPSec
packet was the public IP address. By taking a look at the contents of the packet, we'll see that
the ESP header ping message was already encrypted and completely unintelligible on the
surface. In other words, even if this message was flagged down by "government officials",
they'd have no way of retrieving anything of value.
To weigh the value of ESPs and AHs, Tiandihui used IPSec's other trick, AH, to establish an
SA. AH can only be used for authentication and cannot encrypt messages. As such, messages
obtained in the government checkpoint would reveal the true nature of the private network
packet header and ping messages encapsulated within the AH header. As such, if encryption is
needed, it's still better to use ESP, or AH and ESP in tandem.
Public network packet header
AH header
Private network packet header
Message not encrypted
Once IPSec is in use, communication between Tiandihui hosts and sub-hosts was unimpeded.
Shortly thereafter, many new sub-hosts were added. These new sub-hosts also needed to
establish an IPSec tunnels to the host. If manual configurations were to continue to be used,
every single sub-host would have to configure their own parameters, a Herculean effort for
sure; also, for security reasons, cipher and authentication keys would also need to be updated
often. Naturally, this backwards approach did not last long, and Host Chen and his attendants
195
Learn Firewalls with Dr. WoW
quickly solved this dilemma: an IKE/IPSec VPN could be used to replace their manual IPSec
VPNs.
6.3 IKE and ISAKMP
Keys used for manual IPSec VPN encryption and authentication are all manually configured.
To ensure the long-term security of an IPSec VPN, these keys must be modified and replaced
often. As the number of sub-hosts grow, the task of key configuration and modification
becomes ever more difficult. As Tiandihui's forces grew in strength, the maintenance and
administration of IPSec VPNs became a daunting task. To lessen the load of IPSec VPN
administration, the Tiandihui Host paid homage to the Supreme Host to find an elixir for their
ailments. The elixir was there all along, a gift of the gods. IPSec protocol profiles have long
pondered this dilemma - the answer lies in a "smart" key steward - the IKE (Internet Key
Exchange) protocol.
IKE combines 3 major protocols - the ISAKMP (Internet Security Association and Key
Management Protocol), Oakley protocol and SKEME protocol.
ISAKMP mainly defines the process used to establish the collaborative relationship (for
example, IKE SA and IPSec SA) between IKE peers.
At the heart of the Oakley and SKEME protocols is the DH (Diffie-Hellman) algorithm,
which ensures data transfer security through the safe distribution of key and
authentication identification over the Internet. Do not underestimate the DH algorithm.
With it, the cipher and authentication keys needed for IPSec and IKE SAs can also be
dynamically refreshed.
With an IKE association, IPSec VPN security and administrative hassles were no longer a
problem for Tiandihui. Now, new sub-host VPNs could be established at incredible speeds.
The ultimate goal of the IKE protocol is to establish a dynamic IPSec SA through
host-to-sub-host negotiations while also providing real-time maintenance of the IPSec SA.
The establishment of an IPSec SA and the corresponding IKE negotiation is completed
through ISAKMP packets, and as such, before we deploy our IKE, Dr. WoW will give us a
lesson on ISAKMP packets, as shown in Figure 6-8.
Figure 6-8 ISAKMP packet encapsulation and packet headers
IP Header
UDP Header
ISAKMP Header
Payload
Source port Destination port
(IKE=500)
(IKE=500)
Initiator’s Cookie (SPI)
Responder’s Cookie (SPI)
Protocaol
(udp=17)
Source address (local
gateway)
Destination address
(remote gateway)
Next
Playload
Maj Min Exchange
Type
Ver Ver
Message ID
Flag
s
Message Length
ISAKMP Payload (Type Payload)
196
Learn Firewalls with Dr. WoW
IP packet header
−
SRC (Source IP Address): local IP address of the initiated IKE negotiation; may be
that of a physical/logical interface and maybe be command configured.
−
DST (Destination IP Address): peer IP address of the initiated IKE negotiation;
command configured.
UDP packet header
IKE protocol port 500 initiates negotiation and responds to negotiation. When both the
host and sub-hosts have fixed IP addresses, this port will never change in the negotiation
process. When either the host or the sub-host s have an NAT device (NAT traversal
scenario), the IKE protocol will use a special process which we will discuss later on.
ISAKMP packet header
−
Initiator's cookie (SPI) and responder's cookie (SPI): the SPI serves as a cookie for
both IKEv1 and IKEv2, a unique IKE SA identifier.
−
Version: the IKE version number. Many things have changed for the better since the
launch of IKEs. To differentiate, older IKEs are known as IKEv1 while updated IKEs
are known as IKEv2.
−
Exchange Type: the IKE defined exchange type. Exchange types define the exchange
sequence that ISAKMP messages must follow. Later, we will discuss the IKEv1 main
mode, aggressive mode, and fast mode. When discussing IKEv2, we'll mention initial
exchanges and child SA exchanges. All of these are different IKE defined exchange
types.
−
Next Payload: The next payload type identifies the message. A single ISAKMP
packet may be loaded with multiple payloads. This field provides "link" capabilities
within the payload. If the current payload is the message's final payload, this field
will be 0.
−
ISAKMP Payload (Type Payload): A type of payload carried in an ISAKMP packet
that is used as a "parameters packet" for negotiating IKE and IPSec SAs. There are
many different types of payloads, and each different payload may carry different
"parameter packets". The specific usage of different payloads will be discussed
together with the packet capturing process.
The essence of IKEv1 and IKEv2 is the focus of this section. Without further ado, Dr. WoW
will introduce it.
6.4 IKEv1
6.4.1 Configuring IKE/IPSec VPNs
IKEs are best for establishing IPSec VPNs between a single host and multiple sub-hosts. Its
advantages become ever more prominent as the number of sub-hosts grows. For
convenience's sake, here we'll only give a snapshot of how IPSec VPN networking is
established between one host FW and one sub-host FW, as shown in Figure 6-9.
197
Learn Firewalls with Dr. WoW
Figure 6-9 IKEv1/IPSec VPN networking
GE0/0/2
1.1.1.1/24
GE0/0/1
192.168.0.1/24
GE0/0/1
172.16.2.1/24
GE0/0/2
2.2.3.2/24
Host
Sub-host 1
FW_A
FW_B
PC_B
172.16.2.2/24
PC_A
192.168.0.2/24
As shown in Figure 6-10, compared to manual configurations, the procedure used for
IKE/IPSec VPNs only adds two further steps: the configuration of the IKE proposal and the
IKE peer. The IKE proposal is primarily used to configure the encryption and authentication
algorithms used to establish the IKE SA. The IKE peer is primarily used to configure the IKE
version, identity authentication and exchange mode.
Figure 6-10 Schematic of IKEv1/IPSec configuration
1. Define which data flows must
be protected.
security acl A
rule permit ip
2. Configure the IKE
security proposal.
ike proposal B
encryption-algorithm
authentication-method
authentication-algorithm
dh
sa duration
Dotted line: optional
Solid line: mandatory
3. Configure the IKE
peer.
ike peer D
5. Configure the IPSec security
policy in IKE mode.
ipsec policy F
security acl A
Ike-peer D
6. Apply the IPSec
security policy group.
interface
ike proposal B
proposal C
undo version 2
pfs
Configure identify
authentication parameters
according to the selected
authentication-method.
speed-limit
ipsec policy F
exchange-mode
4. Configure the IPSec
security proposal.
ipsec proposal C
transform
esp encryptionalgorithm
esp authenticationalgorithm
ah authenticationalgorithm
encapsulation-mode
Similar to manual IPSec VPNs, communication throughout the entire network must first be
unimpeded. Specifically, the following two conditions must first be met:
The FW_A and FW_B are routable over a public network.
FW_A and FW_B security policies allow for traffic between PC_A and PC_B.
As for the configuration of IPSec VPN security policies, see section 6.10 "Security Policy
Configuration Roadmap". For now, we should first focus on this section - IKE IPSec VPN
configuration.
See Table 6-4 for the steps to configure an IKE/IPSec VPN.
198
Learn Firewalls with Dr. WoW
Table 6-4 IKE/IPSec VPN configuration
Configuration
Host FW_A
Sub-Host FW_B
IKE proposal
ike proposal 10
ike proposal 10
IKE Peer
ike peer b
ike peer a
ike-proposal 10
undo version 2 //IKEv1
IPSec Proposal
undo version 2 //IKEv1
exchange-mode main//main
mode (default)
exchange-mode main//main mode
(default)
remote-address 2.2.3.2//peer
initiated IKE negotiation address
remote-address 1.1.1.1//peer initiated
IKE negotiation address
pre-shared-key tiandihui2
ACL
ike-proposal 10
pre-shared-key tiandihui2
acl number 3001
acl number 3000
rule 5 permit ip source
192.168.0.0 0.0.0.255
destination 172.16.2.0 0.0.0.255
rule 5 permit ip source 172.16.2.0
0.0.0.255 destination 192.168.0.0
0.0.0.255
IPSec proposal a
IPSec proposal b
transform esp
transform esp
encapsulation-mode tunnel
esp authentication-algorithm
md5
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des
esp encryption-algorithm des
IPSec Policy
IPSec Policy
Application
Route
IPSec policy policy1 1 isakmp
IPSec policy policy1 1 isakmp
security acl 3001
security acl 3000
proposal a
proposal b
ike-peer b
ike-peer a
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/2
ip address 1.1.1.1 255.255.255.0
ip address 2.2.3.2 255.255.255.0
IPSec policy policy1
IPSec policy policy1
ip route-static 172.16.2.0
255.255.255.0 1.1.1.2 //static
route configured in peer private
network to guide traffic through
the applied IPSec policy
interface
ip route-static 192.168.0.0
255.255.255.0 2.2.3.1 //static route
configured in peer private network to
guide traffic through the applied
IPSec policy interface
Once configured, when host and sub-host FWs access a data flow, it can trigger the
establishment of an IPSec VPN tunnel. Next, Dr. WoW will use capture packets to help us all
understand the essence of IKEv1.
IKEv1 can be divided into two phases to complete the dynamic establishment of an IPSec SA:
Phase 1 establish IKE SA: the main mode or aggressive mode is used to establish IKE
SA negotiation.
199
Learn Firewalls with Dr. WoW
Phase 2 establish IPSec SA: the fast mode is used to establish IPSec SA negotiation.
Why would we divide this into two phases? How are these two phases related? To simply
put, phase 1 is used to prepare for phase 2. Both IKE peers will exchange key materials,
generate keys, and perform mutual identity authentication. Only after these preparations are
completed will the IPSec actually begin the IPSec SA negotiation.
Next, we will introduce the main mode + fast mode process used to establish an IPSec SA.
First, we will take a look at the differences between IKE/IPSec VPNs and manual IPSec
VPNs.
6.4.2 Phase 1: Establishing IKE SA (Main Mode)
Three steps are taken to establish an IKE SA with six ISAKMP messages through main mode
IKEv1. The screen capture of packet messages is as follows:
Next, we will use a host FW initiated IKE negotiation to illustrate the phase 1 negotiation
process, as shown in Figure 6-11.
Figure 6-11 IKE SA main mode negotiation process
IKE SA
FW_A
FW_B
1. Send the local IKE security proposal.
Negotiate
Negotiate
parameters for
parameters for
setting up IKE SA. 2. Confirm the IKE security proposal. setting up IKE SA.
Exchange key
information and
generate new
keys.
Exchange identify
information and
authenticate
peer’s identity.
2.
3. Send key materials.
4. Send key materials.
5. Send identity information.
5. Send identity information.
Exchange key
information and
generate new
keys.
Exchange identify
information and
authenticate
peer’s identity.
IKE proposal negotiation.
The negotiation is divided into two circumstances:
The initiator's IKE peer cited an IKE proposal (sends the cited IKE proposal)
200
Learn Firewalls with Dr. WoW
The initiator's IKE peer did not cite an IKE proposal (sends all IKE proposals)
Under these two circumstances, responders will search from among their own configured IKE
proposals for an IKE proposal that matches the sender's (As such, the cited IKE proposal line
in Figure 6-10 "Schematic of IKEv1/IPSec configuration" is dashed which means that cited
and uncited are both acceptable). If there is no matching security proposal, the negotiation
will fail.
The principles by which both IKE peers judge whether or not the IKE proposals match
include whether or not the ends use the same encryption algorithm, authentication algorithm,
identity authentication method, and DH group ID, but does not include the IKE SA's life
cycle.
IKE peer configuration parameters are header keys, peer IDs or IP addresses or domain names
that allow the IKE ends to successfully connect. They also include identity authentication
parameters. No matter where the error lies, "though we sit end by end, fate would not have it
so".
NOTE
When an IPSec SA is established through IKEv1 negotiation, the timing of the IKE SA timeout is either
the local life cycle or the peer life cycle, whichever is shorter. If the life cycles configured on the two
devices on either end of the tunnel differ, it will not affect IKE negotiation.
By taking a look at a screen capture packet, we can see the IKE proposal used for negotiation
that is carried in the SA payload of the ISAKMP messages. Message (1) is used as an example
below:
3.
The DH algorithm is used to exchange key materials and also generate keys.
Host and sub-host FWs use Key Exchange and nonce payloads in ISAKMP messages to
exchange key materials. Key Exchange is used to exchange public DH values; nonce is used
to transfer temporary random numbers. The two IKE peers in the DH algorithm only
exchange key materials and do not exchange the actual shared keys. As such, hackers who
steal DH values and temporary values cannot figure out shared keys. This is precisely the
beauty of the DH algorithm. Within the screen capture packet, we can see the key materials
exchanged between the IKE peers. Message (3) is used as an example below:
201
Learn Firewalls with Dr. WoW
Once key materials are exchanged, the two IKE peers will combine their own configured
identity authentication methods to each begin their respective complicated key computing
processes (pre-shared keys or digital certificates are all involved in the key computing
process), and ultimately generate 3 keys:
SKEYID_a: ISAKMP message integrity authentication key - No one would dare to
tamper with an ISAKMP message. If the message has even the slightest change, its
response integrity will be detected!
SKEYID_e: ISAKMP message cipher key - Don't even try to steal an ISAKMP message.
Even if you do, you won't understand it!
SKEYID_d: Used for encryption and authentication keys derived from IPSec packets ultimately, this key guarantees the security of IPSec encapsulated data packets!
The first two keys above ensure the security of subsequent ISAKMP message exchanges!
Throughout the entire key exchange and computing process, when controlled by an IKE SA
timeout, the time will be automatically refreshed at a certain interval to avoid potential
security issues when keys are used for a long period of time.
4.
Identity authentication
The two IKE peers perform identity authentication with the ISAKMP message (5) and (6)
exchange identity message. Currently, there are two identity authentication techniques that are
commonly used:
Pre-shared key method (pre-share): The device identity message is the IP address or
name.
Digital certificate method: The device identity message is the certificate and a partial
message HASH value (signature) authenticated through private-key encryption.
The identity messages above are encrypted with the SKEYID_e. As such, in the screen
capture packets, we can only see ISAKMP messages identified as "Encrypted" and cannot see
the contents of the message (identity message). Message (5) is used as an example below:
202
Learn Firewalls with Dr. WoW
The pre-shared key is the simplest and most common method of identity authentication. With
this method, device identity messages can be identified by the IP address or name (including
the FQDN and USER-FQDN). When IKE peers both have a fixed IP address, in general, they
will both be identified by their IP addresses; when one peer has a dynamically assigned IP
address, this peer will only be identified by its name. Only when the identity messages of the
authenticating peer and authenticated peer match will identity authentication be successful.
The key points to host and sub-host FW identity authentication configuration are as shown in
Table 6-5.
Table 6-5 Identity authentication message configuration
Device Identity
Type
Host
(Authenticating)
Sub-Host (Subject to Authentication)
IP address
remote-address
Interface address or local-address
designated address for initiating IPSec tunnel
negotiation
FQDN
remote-id
ike local-name
USER-FQDN
remote-id
ike local-name
There's an issue here that we should all be aware of. When the two IKE peers both have a
fixed IP address, the IP addresses configured with a remote-address command must keep the
same address as the one used for peer-initiated IKE negotiation. The use of this IP address is
threefold: not only does it designate the IP address of the tunnel peer, it's also used when
looking for local pre-shared keys and for authenticating peer identities. This is the greatest
pitfall of IPSec; in different circumstances, it may change over many different times. If the
proper law cannot be found, there will definitely be an error.
In summary, the IKE will perform two major actions in the phase 1 negotiation process:
It will generate cipher and authentication keys for successive ISAKMP messages and
also generate key materials for IPSec SA.
Once identity authentication is complete and when encrypted, the identity message can
be an IP address, device name, or a digital certificate with even more information.
Moreover, all of these contributions are subject to the SA life cycle control, and as soon as the
SA times out, all of the tasks above will be repeated. The benefit here is that regardless of the
203
Learn Firewalls with Dr. WoW
results of key computing and identity authentication, the whole process will be repeated at a
definite time, thereby eliminating opportunities for malicious behavior. None of this is
included for manual IPSec VPNs, which is precisely why IKEs are "smart" key stewards.
6.4.3 Phase 2: Establishing IPSec SA
Beginning with phase 2, the two IKE peers will continue to exchange key materials, including
SKEYID_d, SPIs and protocols (AH and/or ESP protocols), nonce, and other such parameters.
Then, each peer will perform key computing and generate keys for IPSec SA encryption and
authentication. In this way, each IPSec SA is guaranteed to use an absolutely unique key for
the subsequent encryption and authentication of data transfers. Also, IPSec SA also has
timeout; as soon as the IPSec SA times out, the IKE SA and IPSec SA will be deleted, and the
negotiation will begin anew.
IKEv1 uses the fast exchange mode to establish an IPSec SA through three ISAKMP
messages. The screen capture of the packet messages is as follows:
Because the SKEYID_e generated by IKEv1 phase 1 of the fast exchange mode encrypts
ISAKMP messages, all of the packets that we have captured are all encrypted and we cannot
see the specific contents of the payloads. As such, we can only explain the following steps
textually. As shown in Figure 6-12, we will still illustrate this with a host FW initiated IPSec
negotiation.
Figure 6-12 IPSec SA fast exchange mode negotiation process
IPSec SA
FW_A
FW_B
1. Send IPSec security parameters and key
materials.
Negotiate IPSec
SA
2. (Responder) sends matched security
parameters and key materials.
Negotiate IPSec
SA
3. Send confirmation.
2.
Initiator sends the IPSec proposal, protected data flow (ACL) and key materials to the
responder.
3.
Responder responds with a matching IPSec proposal and protected data flow. At the
same time, both parties generate a key for the IPSec SA.
The IPSec uses ACL to delineate the data flows that it wants to protect. As in our example,
where the host only needs to communicate with a single sub-host, the configuration is
relatively simple and only an ACL "mutual mirror" (the source and destination IP addresses of
one ACL are the opposite of the other) needs to be configured on each FW. However, for other
more complex situations, for instance, when a host establishes a VPN with multiple sub-hosts
204
Learn Firewalls with Dr. WoW
that the sub-hosts access through the host, as well as L2TP/GRE over IPSec, or 2-in-1 IPSec
and NAT gateways, ACL configurations become more particular. We will revisit these
scenarios when we encounter them again.
The principle by which both IKE peers judge whether or not the IPSec proposals match
is that the authentication algorithms, encryption algorithms and encapsulation modes
used by both security protocols must all be the same.
Because all IPSec SA keys are derived from SKEYID_d, as soon as SKEYID_d is leaked, it
may compromise the IPSec VPN. To elevate the security of key management, IKE delivers a
PFS (perfect forward secrecy) function. Once PFS is activated, a one-time add-on DH
exchange will be performed during IPSec SA negotiation, to regenerate new IPSec SA keys,
thereby further improving IPSec SA security. Remember that if a PFS is to be configured, it
must be configured on both tunnel FWs!
4.
Initiator sends confirmation results.
Once negotiation is complete, the sender will begin to send the IPSec (ESP) packets.
Once an IPSec SA is successfully established, check the IPSec VPN presence message. This is
illustrated with the host FW_A display message.
Check the IKE SA status:
<FW_A> display ike sa
current ike sa number: 2
-----------------------------------------------------------------------conn-id peer flag phase vpn
-----------------------------------------------------------------------40129 2.2.3.2 RD|ST v1: 2 public
40121 2.2.3.2 RD|ST v1: 1 public
Here both the IKE SA (v1: 1) and IPSec SA (v1: 2) statuses are displayed. RD means
that the SA is set to READY. There is only one IKE SA between the IKE peers. The IKE
SA is a two-way logical connection (no distinction between the source and destination).
Check the IPSec SA status:
<FW_A> display IPSec sa brief
current IPSec sa number: 2
current IPSec tunnel number: 1
--------------------------------------------------------------------Src Address Dst Address SPI Protocol Algorithm
--------------------------------------------------------------------1.1.1.1 2.2.3.2 4090666525 ESP E: DES; A: HMAC-MD5-96;
2.2.3.2 1.1.1.1 2927012373 ESP E: DES; A: HMAC-MD5-96;
The IPSec SA is unidirectional (distinction between source and destination), and both
IPSec SAs together constitute a single IPSec tunnel. Generally speaking, a single data
flow will correspond to a single IPSec SA. However, when the IPSec also uses ESP +
AH encapsulation, a single data flow will correspond to two IPSec SAs.
Check the session table:
<FW_A> display firewall session table
205
Learn Firewalls with Dr. WoW
Current Total Sessions: 3
icmp VPN: public --> public 192.168.0.2: 18334-->172.16.2.2: 2048
udp VPN: public --> public 1.1.1.1: 500-->2.2.3.2: 500
esp VPN: public --> public 2.2.3.2: 0-->1.1.1.1: 0
We have now established the IPSec SA. On the surface, it might seem like there are not many
differences between the IKE method and the manual method, but in fact, the differences are
massive:
Different key generation methods
Manually, all IPSec SA parameters that must be created, including the encryption and
authentication keys, are all manually configured and can only be manually refreshed.
With the IKE method, all IPSec SA encryption and authentication keys that must be
created are generated by the DH algorithm and can be dynamically refreshed. Key
management costs are lower, and security is higher.
Different IPSec SA life cycles
Manually created IPSec SAs will have a permanent presence.
With the IKE method, IPSec SAs are triggered by the data flow, and the SA life cycle
parameter (also known as the SA timeout) controls are configured by both ends.
The main mode is the recommended method of configuration for reliable security. Next, we
will take a brief look at another kind of IKE SA negotiation method - aggressive mode.
6.4.4 Phase 1: Establishing IKE SA (Aggressive Mode)
IKEv1 completes IPSec dynamic negotiation in two phases; when phase 1 uses the main
mode negotiation, it offers reliable security, but sometimes, the perfect main mode will still be
useless. Why is that? Let's take a look at what happens when we replace main mode with
aggressive mode.
In Table 6-4 "IKE/IPSec VPN configuration", if we change the IKE peer configuration
command exchange-mode main to exchange-mode aggressive, the IKEv1 phase 1
negotiation mode will be changed to aggressive mode. Let's take a look at the capture packets
to see how aggressive mode packets interact:
As shown in Figure 6-13, aggressive mode only needs three ISAKMP messages to complete
the phase 1 negotiation process. Phase 2 is still the same fast mode as before.
206
Learn Firewalls with Dr. WoW
Figure 6-13 IKE SA aggressive mode negotiation process
IKE SA
FW_B
FW_A
1. Send the local IKE security proposal, key and identity
information.
Negotiate
parameters.
Generate
keys.
Authenticate
identities.
2. Search for the matched IKE security proposal and
send key and identity information as well as local
authentication information.
3. Return the local authentication
information and implement authentication.
Negotiate
parameters.
Generate
keys.
Authenticate
identities.
The initiator and responder peremptorily place all of their messages, including the IKE
proposal, relevant key messages and identity messages, into a single ISAKMP message and
send it to the other end, thereby improving IKE negotiation efficiency. However, because the
identity message is transferred as plaintext, it does not go through the encryption and integrity
authentication process, which lowers IKE SA security. Clearly, security here falls shorts. So
why do we even have aggressive mode?
Back in the early days of IPSec VPNs, when people used the main mode + pre-shared key
identity authentication method, the IPSec needed to search for the pre-shared key locally on
the peer IP address. This kind of key search method only works when the peer has a fixed IP
address. If there is not a fixed address, aggressive mode can be used to "brutally" solve this
problem.
In aggressive mode, the "identity messages" are not encrypted, and locally, the identity
message is exactly the same as what was sent from the peer (i.e. the IP address). This is all
that is needed to search for the pre-shared key. As such, in the initial stages of IPSec VPN
applications, aggressive mode was mainly used to deploy IPSec VPNs to nodes that did not
have fixed IP addresses. Nowadays, IPSec VPN has many other ways to solve this problem
and the unsafe aggressive mode is clearly not the best option. All we really need to do now is
understand how it used to be used; Dr. WoW does not recommend any actual use of it though.
6.5 IKEv2
6.5.1 IKEv2 Overview
IKEv1 seemed perfect enough, but before long, its shortcomings started to become clear.
Long IPSec SA negotiation times
For a single IPSec SA negotiation, IKEv1 main mode will typically need to send 6 (IKE
SA negotiation) + 3 (IPSec SA negotiation) = 9 messages.
207
Learn Firewalls with Dr. WoW
For a single IPSec SA negotiation, IKEv1 aggressive mode will typically need to send 3
(IKE SA negotiation) + 3 (IPSec SA negotiation) = 6 messages.
No support for remote user accessions
IKEv1 cannot perform authentication for remote users. If we want to support remote user
accessions, we can only use L2TP, and use AAA authentication with PPP to authenticate
remote users.
How to deal with this? Never fear! There's never a problem too difficult to solve! IKEv2 is the
perfect answer to all these problems.
IKEv2 v.s. IKEv1:
Major speed boost to IPSec SA negotiations
The average IKEv2 negotiation for a single IPSec SA will only require 2 (IKE SA
negotiation) + 2 (IPSec SA negotiation) = 4 messages. Successive IPSec SAs will only
require two more messages.
EAP (Extensible Authentication Protocol) method identity authentication added.
Here, we'll only discuss the basic IKEv2 negotiation process and won't touch on EAP
authentication in our discussion of enterprise networks just yet.
In Figure 6-14 we can see the entire networking environment which can help explain how
IKEv2 actually works.
Figure 6-14 IKEv2/IPSec VPN networking
GE0/0/2
1.1.1.1/24
GE0/0/1
192.168.0.1/24
GE0/0/1
172.16.2.1/24
GE0/0/2
2.2.2.2/24
Host
Sub-host 1
FW_A
PC_A
192.168.0.2/24
FW_B
PC_B
172.16.2.2/24
The IKEv2 configuration roadmap is almost exactly the same as IKEv1's, with a few detours.
As shown in Figure 6-15, the commands in italics differ from IKEv1. By default, the firewall
will start both the IKEv1 and IKEv2 protocols. When the negotiation is initiated locally,
IKEv2 is used. When receiving a negotiation, IKEv1 and IKEv2 are both supported. So, we
can also leave IKEv1 activated.
208
Learn Firewalls with Dr. WoW
Figure 6-15 Schematic of IKEv2/IPSec configuration
1. Define which data flows
must be protected.
security acl A
rule permit ip
2. Configure the IKE
security proposal.
ike proposal B
encryption-algorithm
authentication-method
authentication-algorithm
5. Configure the IPSec security
policy in IKE mode.
ipsec policy F
security acl A
3. Configure the IKE peer.
ike peer D
ike proposal B
Ike-peer D
6. Apply the IPSec
security policy group.
proposal C
interface
undo version 1
pfs
Configure identity
authentication parameters
based on the selected
authentication-method.
speed-limit
ipsec policy F
dh
integrity-algorithm
sa duration
4. Configure the IPSec
security proposal.
ipsec proposal C
transform
Dotted line: optional
Solid line: mandatory
esp encryptionalgorithm
esp authenticationalgorithm
ah authenticationalgorithm
encapsulation-mode
6.5.2 IKEv2 Negotiation Process
The IKEv2 IPSec SA negotiation process is very different from IKEv1's; we can create an
IPSec SA in as little as 4 messages! Talk about efficiency!
1.
With 4 initial exchange messages, IKE SA and IPSec SA are simultaneously taken care
of.
The IKEv2 initial exchange uses 4 messages to establish IKE SA and IPSec SA. The capture
packet messages are as follows:
As shown in Figure 6-16, the initial exchange includes the IKE SA initial exchange
(IKE_SA_INIT exchange) and the IKE authentication exchange (IKE_AUTH exchange).
209
Learn Firewalls with Dr. WoW
Figure 6-16 Initial exchange
IPSec
SA
FW_A
Set up IKE SA and
generate keys.
Authenticate identities
and create the first pair of
IPSec SA.
FW_B
Initially exchange IKE SA
Initially exchange IKE SA
Exchange authentication
Exchange authentication
Set up IKE SA and
generate keys.
Authenticate identities
and create the first pair of
IPSec SA.
First message (IKE_SA_INIT)
This negotiation is responsible for IKE SA parameters, including the IKE proposal,
temporary random numbers (nonce) and DH values.
210
Learn Firewalls with Dr. WoW
The SA payload is mainly used for negotiating IKE proposals.
KE (Key Exchange) and nonce payloads are mainly used to exchange key materials.
Once exchanged by the IKE_SA_INIT, the IKEv2 will ultimately generate 3 types of
keys:
−
SK_e: used to encrypt the second message.
−
SK_a: used to authenticate the identity of the second message.
−
SK_d: used for encryption materials derived from the child SA (IPSec SA).
Second message (IKE_AUTH)
This is responsible for identity authentication and for creating the first child SA (IPSec
SA). Currently, there are two commonly used techniques for identity authentication:
211
Learn Firewalls with Dr. WoW
−
Pre-shared key method (pre-share): The device identity message is the IP address or
name.
−
Digital certificate method: The device identity message is the certificate and a partial
message HASH value (signature) authenticated through private-key encryption.
The identity messages above all use SKEYID_e encryption.
When a child SA is created, naturally, it also needs to negotiate an IPSec proposal for the
protected data flow. IKEv2 will use TS payloads (TSi and TSr) to negotiate ACL rules
between the two devices. The final result is that the two ACL rules will set up an intersection
(this is different from IKEv1; IKEv1 does not have TS payloads to negotiate the ACL rule).
When a single IKE SA needs to create multiple IPSec SAs, such as when two IPSec peers
send multiple data flows back and forth, a child SA exchange must be used to negotiate the
subsequent IPSec SAs.
2.
The child SA exchanges two messages to establish one IPSec SA.
Child SA exchanges can only be performed after the IKE initial exchange is completed. The
exchange initiator can be the initiator from the IKE initial exchange as well as the responder
to the IKE initial exchange. These two messages will be protected by the IKE initial exchange
negotiation key.
IKEv2 also supports the PFS function, and a new DH exchange can be performed and a new
IPSec SA key generated during the child SA exchange phase.
6.6 Summary of IKE/IPSec
6.6.1 IKEv1 V.S. IKEv2
Having written so much about IKEv1 and IKEv2 already, it's a good time for us to summarize
the main differences between the two, as shown in Table 6-6.
Table 6-6 Comparison of IKEv1 and IKEv2
Function
IKEv1
IKEv2
IPSec SA
Establishment
Process
Divided into two phases. Phase 1 is
divided into two modes: main mode and
aggressive mode; phase 2 is fast mode.
Not divided into phases.
IPSec SA can be established
with a minimum of 4
messages.
Main mode + fast mode requires 9
messages to establish IPSec SA.
Aggressive mode + fast mode requires 6
messages to establish IPSec SA.
IKE SA Integrity
Authentication
Not supported
Supported
212
Learn Firewalls with Dr. WoW
ISAKMP
Payload
The supported payloads differ; for instance, IKEv2 supports TS
payloads for ACL negotiations, but IKEv1 does not.
IKEv1 and IKEv2 supported payloads also have other differences, but
for now, we'll only mention TS payloads.
Authentication
Method
pre-shared key
pre-shared key
digital certificate
digital certificate
Digital envelope (rarely used)
EAP
Digital envelope (rarely
used)
Remote Access
Via L2TP over IPSec
Via EAP authentication
support
Clearly, IKEv2 with its faster and more secure services, takes the win. As in the Yangtze River,
the coming waves ride on the ones before them. No surprises here.
6.6.2 IPSec Protocol Profiles
Security protocols (AH and ESP), encryption algorithms (DES, 3DES, AES), authentication
algorithms (MD5. SHA1. SHA2), IKEs, DHs… did you catch all that? In case this is getting a
little confusing, Dr. WoW has come up with a summary for us all. Let's take a look:
Security protocol (AH and ESP) - IP packet security encapsulation.
Once an IP packet puts on its AH or/and ESP vest, it becomes an IPSec packet. This
"vest" is not just your everyday vest; this is a "bulletproof vest" stitched with
"encryption" and "authentication" algorithms (for tips on wearing these vests, see section
6.1.2 "Security Encapsulation"). The differences between the two are as shown in Table
6-7.
Table 6-7 AH versus ESP
Security Features
AH
ESP
IP Protocol No.
51
50
Data Integrity Check
Supported (authentication
for entire IP packet)
Supported (no IP header
authentication)
Data Origin Authentication
Supported
Supported
Data Encryption
Not Supported
Supported
Packet Replay Attack Protection
Supported
Supported
IPSec NAT-T (NAT Traversal)
Not Supported
Supported
Encryption algorithms (DES, 3DES, AES) - the IPSec packet's Ace of Spades. IPSec
data packets use symmetrical encryption algorithms for encryption, but only the ESP
protocol supports encryption; the AH protocol does not. Also, IKE negotiation packets
also perform encryptions.
213
Learn Firewalls with Dr. WoW
Authentication algorithms (MD5. SHA1. SHA2) - the IPSec packet method of positive
identification. Encrypted packets will generate digital signatures through the
authentication algorithm; the digital signature will fill out the AH and ESP packet
headers' integrity check value ICV segment and send it to the peer; in the receiving
device, the integrity and origin of the data is authenticated by comparing digital
signatures.
IKE - powerful, attentive key steward. IPSec uses the IKE protocol when sending and
receiving inter-device security negotiation keys and updated keys.
DH algorithm - the attentive steward's abacus. DH is known as the public key exchange
method. It's used to generate key materials and perform exchanges via ISAKMP
messages. Moreover, it will ultimately send and receive the computer cipher and
authentication keys from both peers.
Having laid out all these concepts before us, Dr. WoW cannot help but marvel at the genius of
the IPSec protocol designers. With all these new and old protocols and algorithms stitched
together so seamlessly, all the malice of the Internet can be shielded outside of our tunnels! Dr.
WoW has come up with a diagram to help us remember these acronyms, as shown in Figure
6-17.
Figure 6-17 IPSec security protocol profile
Security protocol
Encryption
Authentication
Key exchange
ESP
DES
MD5
3DES
AH
AES
SHA
MD5
SHA
IKE (ISAKMP,DH)
With this out of the way, Dr. WoW is relieved and can smile to himself with pride at the
success of the Tiandihui network. But we're not out of the woods just yet - once IKE
applications are used for IPSec VPNs, those communication problems faced by large and
mid-sized fixed public IP address sub-hosts are quickly resolved, but those sub-hosts who
cannot get onto fixed public IP addresses are not so fortunate, crying out that such favoritism
flies in the face of true fraternity! Sub-hosts without fixed public IP addresses cannot establish
stable IPSec VPNs with hosts. It is for this reason that Tiandihui posed the question: Do both
ends have to use fixed public IP addresses to establish an IPSec VPN?
Of course not! Next, Dr. WoW will teach us all about a new way to establish IPSec VPNs the IPSec template method.
6.7 Template IPSec
Similar to the IKE IPSec policy, the template IPSec policy also must rely on an IKE
negotiated IPSec tunnel. The greatest improvement that comes with the template IPSec policy
is that it does not require fixed peer IP addresses: a peer IP address can be strictly
designated (single IP), broadly designated (IP address segment) or simply left
undesignated (i.e. the peer IP can be any IP).
The template IPSec policy is like a valiant general, leaving no peer IP behind enemy lines;
fixed, dynamic, private… all are welcome to join the ranks. It's precisely because of this
214
Learn Firewalls with Dr. WoW
demeanor that the template IPSec policy is suitable for Tiandihui hosts because it allows them
to respond to a multitude of sub-host negotiation requests. The benefits become ever more
obvious as the ranks of sub-hosts begin to swell:
IKE IPSec policy is used. Hosts must configure n-number of IPSec policies and IKE
peers, where n equals the number of sub-hosts.
Template IPSec policy is used. Hosts only need to configure one IPSec policy and one
IKE peer, irrespective of n.
In conclusion, the template IPSec policy's two main advantages secure its ticket to the IPSec
"Hall of Fame":
For seldom initiation requests, non-fixed public IPs are okay
Simple configuration; only one IKE peer is needed
However, even stars have their own unspoken difficulties; template IPSec policies can only
respond to peer-initiated negotiation requests and cannot actively initiate negotiations.
6.7.1 Point-to-Multi-Point Networking Applications
As shown in Figure 6-18, sub-host 1 and sub-host 2's interfaces use the dynamic method of
retrieving public IP addresses. Respective IPSec tunnels must be established between sub-host
1 and the host and sub-host 2 and the host. Moreover, sub-host 1 and sub-host 2 can also
communicate through the IPSec VPN.
Figure 6-18 IPSec VPN point-to-multi-point networking
PC_B
172.16.1.2
GE0/0/1
172.16.1.1/24
IPSec Tunnel
GE0/0/1
192.168.0.1/24
GE0/0/2
1.1.1.1/24
GE0/0/2
Subhost 1
FW_B
Host
GE0/0/2
GE0/0/1
172.16.2.1/24
FW_A
PC_A
192.168.0.2/24
Subhost 2
IPSec Tunnel
FW_C
PC_C
172.16.2.2/24
The logic behind IPSec Policy template configuration is as shown in Figure 6-19.
215
Learn Firewalls with Dr. WoW
Figure 6-19 Schematic of IPSec policy template configuration
1. Define which data flows must
be protected.
security acl A
rule permit ip
2. Configure the IKE
security proposal.
ike proposal B
encryption-algorithm
authentication-method
authentication-algorithm
integrity-algorithm
dh
Dotted line: optical
Solid line: mandatory
3. Configure the IKE peer.
ike peer D
ike proposal B
undo version
Configure identity
authentication parameters
based on the selected
authentication-method.
exchange-mode
5. Configure the IPSec security policy
in template mode.
1. ipsec policy-template E
4. Configure the IPSec
security proposal.
Ike-peer D
transform
proposal C
encapsulation-mode
interface
security acl A
ipsec proposal C
esp encryptionalgorithm
esp authenticationalgorithm
ah authenticationalgorithm
6. Apply the IPSec
security policy group.
ipsec policy F
pfs
speed-limit
2. ipsec policy F isakmp
template E
The template IPSec policy configuration is as shown in Table 6-8. We won't go over IKE and
IPSec proposal default configurations again. Sub-host 2 configuration is similar to that of
sub-host 1. Simply refer to the sub-host 1 configuration.
Table 6-8 IPSec VPN template configuration
Configuration
Host FW_A (with Template
IPSec policy)
Sub-Host 1 FW_B (with IKE
IPSec Policy)
IKE proposal
Configuration
ike proposal 10
ike proposal 10
IKE Peer
Configuration
ike peer a
ike peer a
ike-proposal 10
pre-shared-key tiandihui1
//can forego remote-address
configuration; the
remote-address can also be used
to designate the IP address
segment.
ACL
ike-proposal 10
remote-address 1.1.1.1
pre-shared-key tiandihui1
acl number 3000
acl number 3000
rule 5 permit ip destination
172.16.1.0 0.0.0.255
rule 5 permit ip source 172.16.1.0
0.0.0.255
rule 10 permit ip destination
172.16.2.0 0.0.0.255
IPSec Proposal
IPSec proposal a
IPSec proposal a
216
Learn Firewalls with Dr. WoW
IPSec Policy
IPSec policy-template tem1 1
//configuration IPSec policy
template
security acl 3000
proposal a
IPSec policy policy1 1 isakmp
security acl 3000
proposal a
ike-peer a
ike-peer a
IPSec policy policy1 12 isakmp
template tem1//configuration
template IPSec policy
IPSec Policy
Application
Route
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/2
ip address 1.1.1.1 255.255.255.0
ip address 2.2.2.2 255.255.255.0
IPSec policy policy1
IPSec policy policy1 auto-neg //once
auto-neg is configured, traffic
trigger is not needed; IPSec tunnel is
established directly.
Route configuration required for
each private network exchange
of visits
Route configuration required for
each private network exchange of
visits
The configuration above has two differences from the standard IKE method; note the
following:
Host FW uses template IPSec policy.
The template IPSec policy does not require IKE peers to configure remote-addresses; or
remote-addresses can be used to designate IP address segments.
In section 6.4.2 "Phase 1: Establishing IKE SA (Main Mode)", we discussed the three
uses of remote-address, command, and designated IP addresses. Now, let's consider for
a moment - if the template IPSec policy does not configure the remote-address
command, will it cause confusion? Even if the host gives up its rights, there still won't be
any problems:
−
If the host does not configure a remote-address command, there won't be a
designated tunneling peer IP address. At this time, the host can only accept active
sub-host access and cannot perform sub-host authentication nor can it actively access
the sub-host.
−
If the host uses a remote-address to designate the tunneling peer IP address segment,
the host can check to see whether the sub-host device ID (IP address) is contained in
the IP address segment; requests will only be accepted when the ID is in fact within
the segment. Even at this time, the host still cannot actively access the sub-host.
From the two points above it can be seen that the template IPSec policy seems to let
hosts get over the issue of "no fixed IP" and "no public IP" peers. But, in fact, this is only
achieved when the host actively gives up two rights.
ACL configuration is specific; with more sub-hosts, host ACL configuration becomes
more complicated.
−
Host FW_A's ACL requirements include two rules:
To allow sub-host 2 and host FW to access sub-host 1 FW, the source must include
the sub-host 2 and host network segment, and the destination must be the sub-host 1
217
Learn Firewalls with Dr. WoW
network segment. In this case, the source is not designated which means that the
source can be sub-host 2 or the host or another IP address segment.
To allow sub-host 1 and the host FW to access the sub-host 2 FW, the source must
include the sub-host 1 and host network segment, and the destination must be the
sub-host 2 network segment. In this case, there is no designated source which means
that the source can be sub-host 1 or the host or another IP address segment.
−
Sub-host FW's ACL requirement:
To allow the sub-host 1 FW to access the sub-host 2 and host FWs, the source must
be the sub-host 1network segment, and the destination must be the sub-host 2 and
host network segments. In this case, there is no designated destination which means
that the source can be sub-host 2 or the host or another IP address segment.
Authentication is performed when configuration is complete:
2.
On the host FW_A, the first and second-phase SAs are normally established between the
host and the sub-host 1 and sub-host 2 FWs.
3.
Sub-host 1, sub-host 2, and host can communicate back and forth.
Question: If auto-neg parameters are not configured on the FW_B interface IPSec policy,
can sub-host 1 and sub-host 2 communicate directly?
4.
After the IPSec policies are cancelled on the sub-host 1 and sub-host 2 FWs, when
re-applied, the auto-neg parameters are not configured. If sub-host 1's PC_B pings
sub-host 2's PC_C, the ping will not go through.
5.
Check the status of sub-host 1 FW_B's SA.
<FW_B> display ike sa
current ike sa number: 2
------------------------------------------------------------------------conn-id peer flag phase vpn
------------------------------------------------------------------------40022 1.1.1.1 RD|ST v2: 2 public
7 1.1.1.1 RD|ST v2: 1 public
The SA established between sub-host 1 and the host is normal.
6.
Check the status of sub-host 2 FW_ C's SA.
<FW_C> display ike sa
current sa Num: 0
There is no SA established between sub-host 2 and the host FW. This is because the host FW
configured the template IPSec policy and can only respond to negotiations. As such, sub-host
1 created a normal SA with the host FW, but the host cannot establish an SA with the sub-host
2 FW. Once auto-neg parameters are set up on the IPSec policy applied by the sub-host 1 and
sub-host 2 FWs, the IPSec SA will be automatically created. Because SAs are already in place
from the sub-host 1 to the host FW and the host to the sub-host 2 FW, sub-host 1 can
communicate with sub-host 2. Similarly, he host can send pings to the sub-hosts.
At this point, we have already introduced three different IPSec policies: the manual IPSec
policy, IKE IPSec policy, and the template IPSec policy. All three of these IPSec policies can
be configured in a single IPSec policy group. This so-called IPSec policy group is a group of
IPSec policies with the same name. At most, there can only be one IPSec template in a single
IPSec policy group, the serial number of which must also be the largest, set to minimum
priority. Otherwise, accession request will first be received by the template IPSec policy; low
priority IKE IPSec policies won't have any way to show off their talent.
218
Learn Firewalls with Dr. WoW
Template and IKE IPSec policies both need to negotiate IPSec tunnels with IKEs. The
negotiation process is the same, and there's no need for Dr. WoW to go over that again. Next,
we will focus our discussion on the "characteristics" of the template IPSec policy.
6.7.2 Customized Pre-Shared Keys (USG9500-Series Firewall
Only)
Only one IKE peer can be cited in the IPSec template. Moreover, a single IKE Peer can only
have one pre-shared key configured. As such, all interconnected peers must be configured
with the same pre-shared key. Because of this, if even a single firewall leaks the pre-shared
key, the security of all other firewalls is compromised.
So, if a host wants to establish interconnected point-to-multi-point networking with multiple
sub-hosts, can the sub-host firewalls configure different pre-shared keys? Since the pre-shared
key is associated with key generation and identity authentication, the pre-shared key only
needs to be linked to the device identity, and identity authentication can be performed with the
pre-shared key authentication method for the local IP address or device name. When an IP
address or a device name is used to designate a pre-shared key, a "customized pre-shared
key" can be configured for each sub-host firewall.
Customized pre-shared key designation through peer IP address for each sub-host
firewall
This method is suitable for sub-host firewalls with fixed IP addresses. The host firewall
ike peer configured remote-address and pre-shared-key are deleted and changed
globally so that each sub-host firewall has its own remote-address and pre-shared-key.
In this way, the template method can stay ahead of the game and cleverly circumvent its
limitations.
Table 6-9 Customized pre-shared key designation through peer IP address
Configuration
Host FW_A
Sub-Host 1 FW_B
IKE Peer
Configuration
ike peer a
ike peer a
local-id-type ip
ike-proposal 10
local-id-type ip
ike-proposal 10
remote-address 1.1.1.1
pre-shared-key tiandihui1
Customized
Pre-Shared Key
Configuration
ike remote-address 2.2.2.2
pre-shared-key tiandihui1
-
ike remote-address 2.2.3.2
pre-shared-key tiandihui2
Pre-shared key name designation through peer device
When the sub-host firewall does not have a fixed IP address, the device name can be
used to verify the identity (ike local-name). At this time, host firewall can then globally
configure a unique remote-id and pre-shared-key for each sub-host firewall.
219
Learn Firewalls with Dr. WoW
Table 6-10 Customized pre-shared key name designation through peer device
Configuration
Host FW_A
sub-host 1 FW_B
IKE Peer
Configuration
ike peer a
ike peer a
local-id-type ip
ike-proposal 10
local-id-type fqdn // when
identity authentication is
performed via the device
name, the local authentication
must be configured to FQDN
or USER-FQDN.
ike-proposal 10
remote-address 1.1.1.1
pre-shared-key tiandihui1
Local Name
Configuration
-
ike local-name tdhfd1
Customized
Pre-Shared Key
Configuration
ike remote-id tdhfd1
pre-shared-key tiandihui1
-
ike remote-id tdhfd2
pre-shared-key tiandihui2
NOTE
The host FW_A configured "ike remote-id" must be the same as the sub-host 1 FW_B configured "ike
local-name".
6.7.3 Designated Peer Domain Name Usage
When a sub-host firewall is accessed with a dynamic IP address, are IKE IPSec policy's hands
tied?
In fact, there's also a method out there that can help the IKE IPSec policy: when the peer IP
address is not fixed, naturally, a remote-address cannot be configured, but the host can still
learn the IP address through other indirect methods, such as through the domain name. In
other words, the host can use a designated remote-domain to replace the remote-address;
the sub-host firewall configured DNS will then obtain a mapping relationship between the
domain name and IP address, and use the DDNS to ensure that the mapping relationship is
constantly updated. Of course, dynamically configured domain names can also be used with
the template IPSec policy.
220
Learn Firewalls with Dr. WoW
Table 6-11 Peer domain name designation in IKE peer
Configuration
Adjustments
Host FW_A
Sub-Host 1 FW_B
IPSec
Configuration
Only IKE Peer
configuration changes
No changes
ike peer a
ike-proposal 10
pre-shared-key tiandihui1
remote-domain
www.adcd.3322.org
Additional
Configuration
-
1. Start domain name resolution
dns resolve
dns server 200.1.1.1
2. Configure DDNS policy //the
following configuration requires
contact with the DDNS service
provider and must be performed
according to the DDNS service
provider's instructions.
ddns policy abc
ddns client www.adcd.3322.org
ddns server www.3322.org
ddns username abc123 password
abc123
3. Apply DDNS policy //dialer port is
the logical interface that corresponds
to the ADSL interface. This solution
has relatively more applications for
sub-host ADSL dial-up ports; in this
case, the sub-host DDNS policy will
apply to the dialer port.
ddns client enable
interface dialer 1
ddns apply policy abc
The limitation of this solution is that the dynamic access parties must have a fixed domain
name and must also add DNS and DDNS configurations, which is a little complicated. As
such, it's not as useful as the template IPSec policy. Only use this method when you have no
other choice.
6.7.4 Summary
So just how great is the template IPSec policy? In practical situations, it's not fighting the
battle alone, and the war can only be won if the template and IKE IPSec policies work
together. Their compatibility is as shown in Table 6-12.
221
Learn Firewalls with Dr. WoW
Table 6-12 Template IPSec policy and IKE IPSec policy compatibility
Scenario
Host FW_A
Sub-Host FW_B
Host IP address fixed +
sub-host IP address
fixed
IKE IPSec policy or template
IPSec policy
IKE IPSec policy
Host IP address fixed +
sub-host IP address
dynamically assigned
Template IPSec policy or IKE
IPSec policy (designated peer
domain name)
IKE IPSec policy
Host IP address
dynamically assigned +
sub-host IP address
dynamically assigned
Template IPSec policy or IKE
IPSec policy (designated peer
domain name)
IKE IPSec policy (designated
peer domain name)
The template IPSec policy truly is quite powerful, and only with this shield in hand can the
host FW connect to sub-host FWs, worry-free, regardless of whether they're using public IP
addresses, fixed configuration, or even dynamic addresses. However, after taking a closer
look, we can see that the template IPSec policy takes different approaches to public and
private IP addresses. When the peer is a private IP address, the template IPSec policy still has
to take some other steps to get everything in order!
6.8 NAT Traversal
Previously, we learned that the template IPSec policy can be used to establish an IPSec
tunnels when the host connects to sub-hosts without fixed egress IP addresses. At this point,
regardless of whether or not the sub-host is using a fixed or dynamic public IP address, it can
still safely access the host through the IPSec tunnel. All was well for the Tiandihui.
And yet the lands of the Internet never remain calm for long. Tiandihui faced yet another
challenge. Some sub-hosts did not even have dynamic public IP addresses! They could only
access the Internet through network NAT device address. Can these sub-hosts access the host
as usual? Also, apart from sub-host access to the host, they still need to access the Internet;
some sub-hosts have both IPSec and NAT configured on their firewalls; can the two
peacefully coexist? Two answer these two questions, let's listen to Dr. WoW.
6.8.1 Overview of NAT Traversal Scenarios
First, let's take a look at networks with NAT devices. As shown in Figure 6-20, if the sub-host
firewall interface IP is a private network address, it must be transformed by an NAT device.
The address can only be used to establish an IPSec tunnel with the host firewall after it has
been transformed into a public IP address.
222
Learn Firewalls with Dr. WoW
Figure 6-20 NAT traversal scenario
NAT
Host
Sub-host
FW_A
NAT device
FW_B
As we all know, IPSec is used to ensure that packets cannot be modified; NAT, on the other
hand, are specially made to modify packet IP addresses. It feels like we're mixing fire with ice.
After taking a closer look though, we can see that, first of all, the IPSec negotiation process is
completed via ISAKMP messages; ISAKMP messages are UDP-encapsulated, the source and
destination port numbers for which are both 500; NAT devices can transform the IP address
and ports of these messages, and as such, ISAKMP messages can be successfully transformed
by NAT transform to complete IPSec SA negotiation. However data traffic is transferred via
the AH or ESP protocol; this throws a wrench in the NAT transformation process. Below,
we'll take a look at whether or not AH and ESP packet s can pass through NAT devices.
AH protocol
Because AH performs an integrity check on data, it will perform a HASH computation
for all IP packets within the IP address. NAT, on the other hand, will change the IP
addresses, thereby breaking the AH HASH values. As such, AH packets cannot pass
through the NAT gateway.
ESP protocol
ESP performs an integrity check on data, but this check does not include the external IP
header; as such, ID address translation will not break the ESP HASH value. However,
because the ESP packet TCP port is encrypted and cannot be changed, because ports are
simultaneously transformed by the NAT, ESP cannot be supported.
To better understand these issues, we must first take a look at the NAT traversal function (nat
traversal) that occurs on both firewalls when the IPSec tunnel is established. After the NAT
traversal function is activated and when the NAT device must be traversed, the ESP packet
will be encapsulated to the UDP header; the source and destination port number will both be
4500. The IP address and port of IPSec packets with this kind of UDP header won't be
modified by the NAT device.
Given the different NAT device settings and address transformation functions, we'll introduce
this topic from the following three different scenarios.
Scenario 1: Post-NAT Transformation Sub-Host Public IP Address Unknown
As shown in Figure 6-21, when there is an NAT device within the carrier network, the
sub-host FW interface GE0/0/2 private IP address will become a public IP address when
transformed by the NAT device. Because Tiandihui has no way of knowing the sub-host's
public IP address when transformed by the NAT device, there's no way for the host FW to
explicity designate the peer sub-host public IP address. As such, the host FW must use the
template method to configure the IPSec policy; at the same time, the host and sub-host FWs
both must activate the NAT traversal function.
In this scenario, the host still uses the template method, so it cannot actively access the
sub-host; only the sub-host can actively initiate access to the host.
223
Learn Firewalls with Dr. WoW
Figure 6-21 Post-NAT transformation sub-host public IP address unknown
NAT
Sub-host
Host
GE0/0/2
1.1.1.1/24
GE0/0/1
192.168.0.1/24
FW_A
GE0/0/2
172.16.0.1/24
NAT device
GE0/0/1
172.16.1.1/24
FW_B
PC_A
192.168.0.2/24
PC_B
172.16.1.2/24
Host and sub-host FW key configuration is as shown in Table 6-13.
Table 6-13 NAT traversal configuration (1)
Key
Configuration
Host FW_A
Sub-Host FW_B
IPSec Proposal
IPSec proposal pro1
IPSec proposal pro1
transform esp // ESP protocol
transform packet used
transform esp // ESP protocol
transform packet used
ike peer sub-host
ike peer host
IKE Peer
pre-shared-key tiandihui1
pre-shared-key tiandihui1
ike-proposal 10
ike-proposal 10
nat traversal / both ends start
simultaneously, default start
IPSec Policy
IPSec policy-template tem1 1 //
template method configuration
remote-address 1.1.1.1
nat traversal / /both ends start
simultaneously, default start
IPSec policy policy1 1 isakmp
security acl 3000
security acl 3000
proposal pro1
proposal pro1
ike-peer host
ike-peer sub-host
IPSec policy policy1 1 isakmp
template tem1
Scenario 2: Post-NAT Transformation Sub-Host Public IP Address Known
As shown in Figure 6-22, when there is an NAT device within the sub-host network, the
sub-host FW interface GE0/0/2 private IP address will be become a public IP address when
transformed by the NAT device. Because the NAT device is within the scope of the sub-host's
control, the transformed public IP address will be known, so the host FW can use both the
template and IKE methods for IPSec policy configuration.
It must be noted that even if the IKE method is used, the host still cannot actively establish an
IPSec tunnel with the sub-host. This is not an IPSec issue but rather an NAT device issue. The
NAT device can only transform the source address for sub-host --->host access; once the
sub-host is "hidden" by the NAT device, host--->sub-host access is impossible. If the host
224
Learn Firewalls with Dr. WoW
needs to actively accesss the ub-host FW_B private network address, the NAT Server function
must be configured on the NAT device; we'll discuss this in Scenario 3.
Figure 6-22 Post-NAT transformation sub-host public IP address known
NAT
2.2.2.10
Host
GE0/0/2
1.1.1.1/24
GE0/0/1
192.168.0.1/24
FW_A
Sub-host
GE0/0/2
172.16.0.1/24
GE0/0/0
172.16.0.2/24
NAT device
GE0/0/1
172.16.1.1/24
FW_B
PC_A
192.168.0.2/24
PC_B
172.16.1.2/24
Using the IKE IPSec policy as an example, host and sub-host FW key configuration is as
shown in Table 6-14.
Table 6-14 NAT traversal configuration (2)
Key
Configuration
Host FW_A
Sub-Host FW_B
IPSec Proposal
IPSec proposal pro1
IPSec proposal pro1
transform esp // ESP protocol
transform packet used
transform esp // ESP protocol
transform packet used
ike peer sub-host
ike peer host
IKE Peer
pre-shared-key tiandihui1
pre-shared-key tiandihui1
ike-proposal 10
ike-proposal 10
nat traversal // both ends start
simultaneously, default start
remote-address 2.2.2.10 //peer
address is the post-NAT address.
When IKE used, because peer
address is a single address, only one
address from the NAT device
address pool can be used. When
template used, this does not apply.
remote-address 1.1.1.1
nat traversal // both ends start
simultaneously, default start
remote-address
authentication-address 172.16.0.1 //
Authentication address is the
pre-NAT address. When template
used, this does not apply.
IPSec Policy
IPSec policy policy1 isakmp
IPSec policy policy1 1 isakmp
security acl 3000
security acl 3000
proposal pro1
proposal pro1
ike-peer sub-host
ike-peer host
225
Learn Firewalls with Dr. WoW
Scenario 3: NAT Device with NAT Server Functions
As shown in Figure 6-23, when the NAT device is within the sub-host network, it will provide
the NAT Server function; the publicly issued address is 2.2.2.20, and the mapped private
network address is the sub-host FW interface GE0/0/2 address 172.16.0.1. When the host FW
uses the IKE method to configure the IPSec policy, host--->sub-host access is possible.
When NAT Server is configured on the NAT device, the 2.2.2.20 UDP 500 and 4500 ports
will be mapped respectively to the 172.16.0.1 UDP 500 and 4500 ports; the specific
configuration is as follows:
[NAT] nat server protocol udp global 2.2.2.20 500 inside 172.16.0.1 500
[NAT] nat server protocol udp global 2.2.2.20 4500 inside 172.16.0.1 4500
Meanwhile, because the NAT Server configuration on the NAT device will generate a reverse
Server-map table, the sub-host FW will also be able to actively initiate access to the host.
Once the packet arrives at the NAT device and matches the reverse Server-map table, the
source address will be transformed to 2.2.2.20, thereby making sub-host --->host access
possible.
Figure 6-23 NAT device with NAT server functions
Host
NAT Server
Global: 2.2.2.20
GE0/0/2
1.1.1.1/24
GE0/0/1
192.168.0.1/24
FW_A
Sub-host
GE0/0/2
172.16.0.1/24
GE0/0/0
172.16.0.2/24
NAT device
GE0/0/1
172.16.1.1/24
FW_B
PC_A
192.168.0.2/24
PC_B
172.16.1.2/24
Host and sub-host FW key configuration is as shown in Table 6-15.
Table 6-15 NAT traversal configuration (3)
Key
Configuration
Host FW_A
Sub-Host FW_B
IPSec Proposal
IPSec proposal pro1
IPSec proposal pro1
transform esp // ESP protocol
transform packet used
transform esp // ESP protocol
transform packet used
ike peer sub-host
ike peer host
IKE Peer
pre-shared-key tiandihui1
pre-shared-key tiandihui1
ike-proposal 10
ike-proposal 10
nat traversal // both ends start
simultaneously, default start
remote-address 2.2.2.20 //peer
addressis the Server's Global address
remote-address 1.1.1.1
nat traversal // both ends start
simultaneously, default start
remote-address
authentication-address 172.16.0.1 //
authentication address is the
226
Learn Firewalls with Dr. WoW
pre-NAT transformation address
IPSec Policy
IPSec policy policy1 isakmp
IPSec policy policy1 1 isakmp
security acl 3000
security acl 3000
proposal pro1
proposal pro1
ike-peer sub-host
ike-peer host
Three characteristics of NAT traversal configuration:
The two firewalls must both activate the NAT traversal function (nat traversal), that is,
only one firewall egress is a private IP address.
Because the sub-host firewall egress is "hidden" by the NAT device, the tunneling peer
IP address "visible to the host firewall is the post-NAT transformation public IP address.
So, when the host uses the IKE IPSec policy, the remote-address command designated
IP address is the NAT-transformed address and no longer the peer initiated IKE
negotiation private network address.
Because the remote-address command designated public IP address can no longer be
used for identity authentication, an additional command must be added, i.e. the
remote-address authentication-address command to designate the peer identity
authentication address (this must be the peer device's pre-NAT transformation address,
the actual IKE negotiation initiating address); this IP address is used locally to
authenticate the peer device.
Of course, if the host uses a template-configured IPSec policy, it will still automatically give
up its rights to actively initiate access nor will it be able to authenticate the peer device; as
such, the remote-address and remote-address authentication-address commands don't
need to be configured.
Next, we'll use the second scenario to introduce how IPSec can traverse NATs when IKEv1
and IKEv2 are used.
6.8.2 IKEv1 NAT Traversal Negotiation (Main Mode)
The IKEv1 main mode NAT traversal negotiation packet interaction process is as follows:
1.
When NAT traversal begins, the IKEv1 negotiation phase 1 messages (1) and (2) will be
marked with the NAT traversal (NAT-T) Vendor ID payload to check whether or not
both ends of the communication support NAT-T.
227
Learn Firewalls with Dr. WoW
When the messages from both ends include this payload, only then will the relevant NAT-T
negotiation begin.
2.
Main mode messages (3) and (4) will be sent with the NAT-D (NAT Discovery) payload.
The NAT-D payload is used to detect whether or not the two firewalls that wish to
establish the IPSec tunnel have NAT gateways and NAT gateway settings.
If both ends of the negotiation send source and destination IP addresses and port HASH
values to peers through the NAT-D, changes in the address and port transfer process can be
detected. If the packet computer HASH value received by the recipient is the same as the
HASH value sent by the peer, the table will display that there is no NAT device; otherwise, it
will indicate that an NAT device transformed the packet's IP address and port during the
transfer process.
The first NAT-D payload is the peer IP and port HASH value; the second NAT-D payload is
the local IP and port HASH value.
3.
Once the NAT gateway is discovered, the port number of subsequent ISAKMP messages
(main mode from message (5)) will be transformed to 4500. The ISAKMP packet ID is
"Non-ESP Marker".
4.
When the second IKEv1 phase negotiates whether or not to use the NAT transformation
and traversal, the IPSec packet will be encapsulated: as a UDP encapsulation tunnel
packet (UDP-Encapsulated-Tunnel) and UDP encapsulation transfer packet
(UDP-Encapsulated-Transport).
To encapsulate the UDP header for the ESP packet, the UDP packet port number is 4500.
When the encapsulated packet goes through the NAT device, the NAT device will transform
the address and port number of the packet‘s outer IP header and added UDP header.
6.8.3 IKEv2 NAT Traversal Negotiation
The IKEv2 NAT traversal negotiation packet interaction process is as follows:
1.
Once the NAT traversal begins, the IKE initiator and responder will both set the notify
payload in the IKE_SA_INIT message to NAT_DETECTION_SOURCE_IP and
228
Learn Firewalls with Dr. WoW
NAT_DETECTION_DESTINATION_IP. These two notify payloads are used to
detection whether or not an NAT exists between the two firewalls that wish to establish
an IPSec tunnel and which firewall is post-NAT. If the NAT_DETECTION_SOURCE
notify payload received does not match the packet IP header's source IP and port HASH
value, this indicates that the peer is behind an NAT gateway. If the
NAT_DETECTION_DESTINATION_IP notify payload received does not match the
packet IP header's destination IP and port HASH value, this means that the local peer is
behind the NAT gateway.
2.
Once the NAT gateway is detected, from the IKE_AUTH message on, the ISAKMP
packet port number will change to 4500. The packet ID is "Non-ESP Marker".
IKEv2 also uses UDP to encapsulate the ESP packet; the UDP packet port number is 4500.
When the encapsulated packet goes through the NAT device, the NAT device will perform an
address and port number transformation for the packet's outer IP header and added UDP
header.
In the second scenario, the configured PC_A can ping to PC_B. Check the IKE and IPSec
SAs on the host FW_A:
<FW_A> display ike sa
current ike sa number: 2
--------------------------------------------------------------------------conn-id peer flag phase vpn
---------------------------------------------------------------------------
229
Learn Firewalls with Dr. WoW
40014 2.2.2.10: 264 RD v1: 2 public
40011 2.2.2.10: 264 RD v1: 1 public
Check host FW_A session:
<FW_A> display firewall session table
Current Total Sessions: 2
udp VPN: public --> public 2.2.2.10: 2050-->1.1.1.1: 4500
udp VPN: public --> public 2.2.2.10: 2054-->1.1.1.1: 500
Check sub-host FW_B session:
<FW_B> display firewall session table
Current Total Sessions: 2
udp VPN: public --> public 172.16.0.1: 4500-->1.1.1.1: 4500
udp VPN: public --> public 172.16.0.1: 500-->1.1.1.1: 500 //at the start of the
negotiation, the port number is still 500
Because source NAT transform is configured on the NAT device, there can only be sub-host to
host sessions on the sub-host FW_B and no host to sub-host sessions.
6.8.4 IPSec and NAT for a Single Firewall
We discussed IPSec NAT traversal, but what happens when the IPSec and NAT are configured
on the same firewall?
As shown in Figure 6-24, when the IPSec and NAPT are configured on the sub-host FW_B at
the same time, the IPSec is used to protect the traffic of sub-host to host communications
when NAPT deals with the traffic of the sub-host's access to the Internet. When IPSec and the
NAT Server are configured on the host FW_A, the IPSec is used to protect the traffic of host
to sub-host communications when NAT Server deals with the traffic of the Internet user's
access to the host server.
Figure 6-24 IPSec and NAT for a single gateway
IPSec tunnel
IPSec traffic
Host
192.168.0.0/24
NAT Server traffic
FW_A
Sub-host
172.16.1.0/24
NAPT traffic
FW_B
192.168.0.1/24
(Global address: 1.1.1.1)
Arguably, the IPSec and NAT traffic on the two firewalls should be entirely different and
unrelated; instead, however, in this case, the IPSec and NAT traffic overlap, and in the
firewall forwarding process, the NAT is upstream and the IPSec is downstream; as such,
IPSec traffic will not be interrupted by the NAT process. In other words, the traffic that was
supposed to be sent through the IPSec tunnel will be transformed by the NAT as soon as the
NAT policy is in place; the transformed traffic will no longer match that of the IPSec ACL and
cannot be used in IPSec. As such, if the IPSec and NAT relationship is not ironed out at this
point, all sorts of baffling problems will arise.
For the sub-host, the sub-host user access to the host user will be unsuccessful. Upon
investigation, it will show that the sub-host user access traffic to the host user did not
enter the IPSec tunnel, matching the NAT policy.
230
Learn Firewalls with Dr. WoW
For the host, the host server access to the sub-host user will be unsuccessful, as the
access traffic matches the NAT Server reverse Server-map table such that it cannot enter
the IPSec tunnel.
The method for solving these two problems is simple, as follows:
When an IPSec and NAPT are on a single firewall, the requirements are as follows:
When configuring our NAT policy, we must set a specific policy to not transform IPSec
traffic addresses; this policy's priority must be higher than that of other policies, and the
traffic range defined in this policy must be a subset of other policies. In this way, IPSec
traffic will first be excluded from the NAT transformation policy so that the addresses
won't be transformed nor will transformation have an impact on future IPSec
troubleshooting; traffic that must go through NAT troubleshooting will be transformed as
usual according to other policies.
Next, we'll take a look at a string of NAT policy configuration script; we've configured
two NAT policies - policy 1 and policy 2 in the Trust-->Untrust security zone:
nat-policy interzone trust untrust outbound
policy 1 // IPSec protected traffic must not be transformed by NAT
action no-nat
policy source 172.16.1.0 mask 24
policy destination 192.168.0.0 mask 24
policy 2 // Internet access traffic transformed by NAT
action source-nat
policy source 172.16.1.0 mask 24
address-group 1
When an IPSec and NAT Server are on a single firewall, the requirements are as follows:
When configuring the NAT Server, designate no-reverse parameters, and do not generate
a reverse Server-map table.
[FW_A] nat server protocol tcp global 1.1.1.1 9980 inside 192.168.0.1 80 no-reverse
The key to understanding the issues above is to understand the firewall forwarding process.
The firewall forwarding process is incredibly complicated, and here, we'll only breach the tip
of the iceberg. For a more in-depth look at the firewall forwarding process, see "Appendix A
Packet Processing Process".
6.9 Digital Certificate Authentication
For each additional sub-host, the host must configure a pre-shared key for each peer formed
for each sub-host. If all peers used the same key, there is a glaring security risk; if each peer
uses a different key, it will be hard to administer and maintain the network. As such, Tiandihui
urgently required a new identity message authentication scheme to replace the pre-shared key
method and lower administration costs. Since Tiandihui's hosts and sub-hosts were all under
the guise of legitimate businesses (i.e. shop-owners and buyers), they might as well directly
apply to the government's Penal Bureau for shop-owner and buyer identity vouchers to market
their respective identity messages as shop-owner and buyer. Because the Penal Bureau is a
fair and reliable government authority, identity vouchers stamped by the Penal Bureau can
also be trusted; in this way, hosts and sub-hosts can directly authenticate their respective
identities with these identity vouchers.
This identity voucher, known as a digital certificate or simply a certificate, is an "ID card" that
serves as a device identity message issued by third-party organizations. By introducing this
certificate function, the host and sub-host s can simply and easily perform identity
231
Learn Firewalls with Dr. WoW
authentication. For a further introduction to certificates, see "Appendix B Certificate
Analysis".
Before we discuss the certificate implementation principles and methods of retrieval, we first
must understand public key cryptology and PKI profiles.
6.9.1 Public Key Cryptology and PKI Profiles
In section 6.1 "IPSec Overview", we mentioned symmetric cryptology, in which the host and
sub-hosts use the same key for encryption and decryption. Conversely, asymmetric cryptology
is when encryption and decryption data uses different keys; this is also known as public key
cryptology. Currently, the more commonly used public key cryptology algorithms are RSA
(Ron Rivest, Adi Shamirh, LenAdleman) and DSA (Digital Signature Algorithm).
In public key cryptology, two different keys are used: one key, available to the public, is
known as the "public key"; conversely, the key only known to its owner is the "private key".
What's unique about this set of keys is that the message used to encrypt the public key can
only be used to decrypt the corresponding private key; conversely, the message used to
encrypt the private key can only be used to decrypt the corresponding public key.
By utilizing this special feature, mutual identity authentication is possible. For instance,
suppose a certain sub-host firewall uses its own private key for message encryption (digital
signature); the host firewall will then use the sub-host firewall's publicly available public key
for decryption. Because others don't know the sub-host firewall's private key, only when the
host uses the corresponding public key can the message be decrypted, thereby confirming that
the message was sent by the sub-host - thus completing identity authentication.
Now that we understand the basic concept of public key cryptology, how then are these
concepts put to use in our actual environment? PKI (Public Key Infrastructure) is a basic
profile based on public key cryptology that is used for message security services; the digital
certificate is a core component of this profile, and IKE borrows the PKI certificate function to
perform peer identity authentication.
A PKI profile will include the following two major characters:
End Entity (EE): the certificate end user, such as the host and sub-host firewalls.
Certificate Authority (CA): an authoritative, trusted third-party organization (similar to
the Imperial Penal Bureau), responsible for issuing, querying and updating certificates
and other such tasks.
In an IPSec, the host and sub-host firewalls are the certificate end users. If we want to
generate a certificate for a firewall, we must first guarantee that the firewall has its own
private-public key pair. We can create a private-public key pair on the host and sub-host
firewalls and then send the public key and firewall messages (entity messages) to the CA for
certificate application; private-public key pairs can also be generated on the CA for the host
and sub-host, and on this basis, a certificate can be generated as well; the host and sub-host
firewalls will then import their own respective private-public key pairs and certificates. In this
section, we will mainly discuss host and sub-host firewall self-created private-public key pairs
and the certificate that they use; for the CA host and sub-host firewall private-public key pair
and certificate generation process, see "Appendix B Certificate Analysis".
NOTE
All certificates mentioned herein can be divided into two categories: firewall certificates known as local
certificates which serve as the firewall identity and CA "signature-based" certificates known as CA
certificates or root certificates which serve as the CA identity.
We've just briefly introduced some of the major concepts about certificates. Next, let's take a
look at how host and sub-host firewalls obtain such certificates.
232
Learn Firewalls with Dr. WoW
6.9.2 Certificate Applications
Before host and sub-host firewalls can apply a certificate, they must first generate a
private-public key pair. Then, the public key and firewall entity messages shall be given to the
CA, and the CA will generate a certificate based on these messages. The host and sub-host
firewalls can apply for certificates through the following two methods:
Online method (in-band method)
The firewall and CA exchange packets through the certificate application protocol for an
online certificate application. The certificate applied for will be directly saved to the
firewall's storage device (Flash or CF card); common certificate application protocols
include SCEP (Simple Certification Enrollment Protocol) and CMP (Certificate
Management Protocol). This method is suitable for firewalls that support SCEP or CMP
and also depends on the network connectivity between the firewall and CA.
Offline method (out-of-band method)
First, the firewall will generate a certificate request (the contents of which include the
public key and entity message); we'll then send these documents to the CA on a disk, via
email or other such methods. Then, the CA will formulate a certificate for the firewall
based on the certificate request and the certificate will be returned in the same way, on a
disk, via email or through other such methods. Lastly, we will transfer the certificate to
the firewall storage device. This method is suitable for firewalls that do not support
SCEP or CMP, or when there is no network connectivity between the firewall and CA.
These two methods can be chosen flexible based on the actual firewall situation. Next, we will
use the offline method and the networking environment as shown in Figure 6-25 to illustrate
the process by which the host and sub-host firewalls retrieve certificates.
Figure 6-25 IKE/IPSec networking
Host
192.168.0.0/24
1.1.1.1/24
FW_A
Sub-host
192.168.1.0/24
3.3.3.3/24
FW_B
The offline certificate application process is as shown in Figure 6-26.
233
Learn Firewalls with Dr. WoW
Figure 6-26 Offline certificate application process
3 Generate
Certificate
request file
2 Configure
Entity info
Send CA through disk or email.
Public/private
key pair
1 Create
CA
FW
Certificate
request file
5 Import
4
Gener
ate
Returned through disk or email.
+
FW certificate
2.
CA certificate
FW certificate
CA certificate
Create private-public key pair
First, respective private-public key pairs are created on FW_A and FW_B to be used in the
public key message when applying for the certificate. In the process, the system will prompt
for the public key number; the length of the number will range from 512 to 2048. The longer
the length of the public key, the higher its security; however, in terms of computing speeds,
longer keys take longer to process. Here, we need maximum security, so we'll enter 2048.
Create private-public key pair on FW_A:
[FW_A] rsa local-key-pair create
The key name will be: FW_A_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512.
It will take a few minutes.
Input the bits in the modulus[default = 512]: 2048
Generating keys...
.................................................+++
...............................................+++
..............++++++++
.++++++++
Create private-public key pair on FW_B:
[FW_B] rsa local-key-pair create
The key name will be: FW_B_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512.
It will take a few minutes.
Input the bits in the modulus[default = 512]: 2048
Generating keys...
.................................................+++
...............................................+++
..............++++++++
234
Learn Firewalls with Dr. WoW
.++++++++
3.
Configure entity message
When applying for the certificate, FW_A and FW_B must provide sufficient messages to the
CA to verify their identities; entity messages serve as identity messages for firewalls, such as:
CN (Common Name), FQDN (Fully Qualified Domain Name) name, IP address, email
address, etc. Of these messages, the CN must be configured, while the configuration of other
items is optional.
These messages must be included in the certificate, and when configuring the ID type on the
IKE peer, the ID type to be used for authentication can be determined based on the entity
messages included in the certificate.
Once the entity messages are configured, they must also be cited in the PKI domain. Table
6-16 lays out the configuration of FW_A and FW_B entity messages and PKI domains.
Table 6-16 Configuration entity and PKI
Key
Configuration
Host FW_A
Sub-Host FW_B
Entity Message
pki entity fwa
pki entity fwb
common-name fwa //CN
PKI domain
4.
common-name fwb //CN
fqdn fwa.tdh.com //FQDN name
fqdn fwb.tdh.com //FQDN name
ip-address 1.1.1.1 //IP address
ip-address 3.3.3.3 //IP address
email fwa@tdh.com //Email
address
email fwb@tdh.com //Email
address
pki domain fwa
pki domain fwb
certificate request entity fwa //PKI
domain cited entity message
certificate request entity fwb //PKI
domain cited entity message
Generate certificate request
Next, we can generate the certificate request on FW_A and FW_B. The generated certificate
request can be saved on the FW_A and FW_B storage devices under the name
"PKIdomainname.req". The name of the certificate request generated on FW_A is fwa.req,
while the name of the certificate request generated on FW_B is fwb.req.
[FW_A] pki request-certificate domain fwa pkcs10
Creating certificate request file...
Info: Certificate request file successfully created.
[FW_B] pki request-certificate domain fwb pkcs10
Creating certificate request file...
Info: Certificate request file successfully created.
By checking the certificate request generated on FW_A, you can see that it will include the
configured CN, FQDN name, IP address, and email address, as well as the FW_A public key
message.
[FW_A] display pki cert-req filename fwa.req
Certificate Request:
Data:
Version: 0 (0x0)
235
Learn Firewalls with Dr. WoW
Subject: CN=fwa
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00: ae: 68: 50: 18: e7: 55: 32: 7a: 0e: 61: b6: 6e: 47: 45:
ec: fb: 29: d9: 1b: 4a: 9d: 6b: b0: 00: b0: 65: c8: fc: 5b:
b4: 68: d7: 90: 7d: 96: f7: 1d: e4: 62: 43: 06: bc: d0: a3:
5b: b4: fa: 30: a3: 19: 7e: 6f: 7c: 05: 6b: 47: 0c: a2: 42:
1b: c4: 82: f7: 5b: 0a: 73: a1: 0a: 8b: 00: dd: 37: aa: 5e:
21: 02: 56: b2: e6: 55: 31: 08: 8f: 71: 03: 13: 92: b9: c1:
51: 7e: 51: 04: e2: ca: 85: 2e: 45: 97: bb: 9a: 0e: ed: 61:
03: 97: d2: 1e: 44: b2: 9f: ff: b9: b1: 1d: 5d: 65: 7e: fc:
e6: 13: c3: 1e: 71: 81: d0: fe: a0: 60: 71: a4: 8a: 40: 93:
92: e3: b3: b6: cf: 56: f1: 30: b2: fc: 53: 31: bd: 9d: 6f:
3c: 33: 1e: 4a: a5: 6f: 83: c7: 45: 26: 8d: c6: 9c: 84: 85:
b5: 8f: b9: e3: 86: 86: 59: ad: 9b: 58: 63: a1: 3d: 7b: 81:
d7: 43: 14: 3d: 98: 4a: a2: cb: 82: 2c: fa: ca: 91: 32: b1:
e0: 09: de: fa: a8: d6: fc: ea: 8e: 7e: 36: 8f: fb: 86: 31:
1e: bc: 5e: 01: 71: 6b: b4: 23: 86: 7b: 05: c1: 63: 7a: f5:
bc: a7: 9b: a1: da: ff: 4f: 26: 2d: 33: 44: 06: 72: f1: 7b:
84: d5: a8: 49: 1d: be: b4: 0e: 9c: 94: 85: 34: 7b: e5: bb:
8a: 49
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address: 1.1.1.1. DNS: fwa.tdh.com, email: fwa@tdh.com
Signature Algorithm: md5WithRSAEncryption
4b: a6: fc: 91: 2a: 77: e3: 30: 02: bb: e4: 0f: 1a: bf: d2:
3e: 44: 51: 81: b1: 26: 2d: 2e: 83: 7c: 0c: 29: 70: 3c: 6a:
27: c8: a4: 8d: 3b: 8f: dc: a7: d7: df: 10: be: 4c: 96: 1f:
4d: e9: 28: 82: b9: 2d: 9b: e6: 6d: 22: 52: ca: 50: 07: c2:
c7: 49: 7a: a6: a5: 7c: cc: 82: 02: 15: 14: ca: 9c: 69: 39:
3a: c9: 75: d9: f5: b6: bf: b1: 45: e4: e7: f4: db: df: eb:
ac: 14: e9: 51: af: b1: c8: d6: c1: 19: 48: bc: 27: c1: 37:
9c: 1f: 9a: 7e: c7: fe: 20: c9: e8: 1d: 94: 55: ff: 85: 3e:
f3: ff: 9b: 18: 36: b1: 25: 2b: 4d: 60: 2e: 13: 7b: be: 91:
6c: 5c: 1a: f6: 3a: 5b: e7: 87: 2b: 43: 7f: d8: f6: 2b: c8:
c8: 40: df: 07: f9: 52: 4c: 8b: ba: b0: 10: f3: 34: 00: 00:
c1: 7a: 9c: dd: de: 26: 26: 28: 30: de: e8: 6c: dc: 0a: c6:
c6: 0d: 5e: 8e: 68: a8: 8d: cc: eb: 91: 9c: 59: 3d: 1e: f3:
16: bf: cc: f5: df: 71: bc: 51: fb: 98: 83: c5: 2b: 17: 73:
f7: 93: 76: f4
5.
a1:
8a:
f5:
7a:
eb:
3d:
59:
8c:
c0:
b1:
74:
8f:
f3:
d7:
ad:
7a:
db:
2b:
fb:
6b:
41:
5a:
a1:
df:
0b:
27:
58:
0a:
81:
1a:
96:
17:
44:
74:
38:
f5:
1f:
7d:
ae:
27:
72:
6c:
CA formulates request based on certificate request
Once the certificate request is generated, these documents can be sent to the CA on a disk, via
email or though other such methods, and the CA will formulate a certificate for FW_A and
FW_B. In addition to the FW_A and FW_B certificates, the CA will also create its own
certificate, i.e. the CA certificate. The CA will return the FW_A and FW_B certificates along
with its own certificate on a disk, via email or through other such methods.
The commonly used Windows Server operating system can serve as a CA for generating and
issuing certificates; the specific operating steps can be found through a simple online search
and will not be discussed at this time.
236
Learn Firewalls with Dr. WoW
6.
Import certificate
Once CA processing is complete, we will ultimately receive FW_A certificate fwa.cer, FW_B
certificate fwb.cer, and also the CA's own certificate, ca.cer.
fwa.cer and ca.cer will be uploaded to the FW_A storage device, and fwb.cer and ca.cer will
be uploaded to the FW_B storage device; afterwards, the certificate must also be respectively
imported to FW_A and FW_B.
Import CA certificate and local certificate on FW_A:
[FW_A] pki import-certificate ca filename ca.cer
Info: Import file successfully.
[FW_A] pki import-certificate local filename fwa.cer
Info: Import file successfully.
Import CA certificate and local certificate on FW_B:
[FW_B] pki import-certificate ca filename ca.cer
Info: Import file successfully.
[FW_B] pki import-certificate local filename fwb.cer
Info: Import file successfully.
6.9.3 Digital Certificate Identity Authentication
Once the certificates are imported, FW_A and FW_B will both have "identitified" devices.
When the certificate is cited in the IKE peer, FW_A and FW_B can authenticate the other
peer's identity through the certificate.
Previously we mentioned that when certificates are used for identity authentication, the ID
type can be determined based on the entity message in the certificate. Currently, for IKE peers,
the four ID types of the DN (Distinguished Name), FQDN, User-FQDN and IP can be used.
These four ID types correspond to the certificate text as well as the values on FW_A and
FW_B, as shown in Table 6-17.
Table 6-17 Certificate identity ID text and firewall values
ID Type
Corresponding
Certificate Text
FW_A Values
FW_B Values
DN
Subject
local ID: /CN=fwa
local ID: /CN=fwb
peer ID: /CN=fwb
peer ID: /CN=fwa
local ID: fwa.tdh.com
local ID: fwb.tdh.com
peer ID: fwb.tdh.com
peer ID: fwa.tdh.com
local ID:
fwa@tdh.com
local ID: fwb@tdh.com
FQDN
User-FQDN
DNS
email
peer ID: fwa@tdh.com
peer ID: fwb@tdh.com
IP
IP Address
local ID: 1.1.1.1
local ID: 3.3.3.3
peer ID: 3.3.3.3
peer ID: 1.1.1.1
Table 6-18 illustrates the key configuration for FW_A and FW_B with the ID type of DN.
237
Learn Firewalls with Dr. WoW
Table 6-18 IKE/IPSec certificate authentication configuration
Key
Configuration
Host FW_A
Sub-Host FW_B
IKE Proposal
ike proposal 10
ike proposal 10
authentication-method
rsa-sig//use certificate
authentication method
authentication-method rsa-sig//use
certificate authentication method
ike peer fwb
ike peer fwa
certificate local-filename
fwa.cer //FW_A certificate
certificate local-filename fwb.cer
//FW_B certificate
ike-proposal 10
ike-proposal 10
local-id-type dn //ID type of DN
local-id-type dn //ID type of DN
remote-id /CN=fwb //FW_B
DN
remote-id /CN=fwb //FW_A DN
IKE Peer
remote-address 3.3.3.3 //FW_B
IP address
Certificate
Attribute
Access Control
Policy
pki certificate
access-control-policy default
permit
remote-address 1.1.1.1 //FW_A IP
address
pki certificate access-control-policy
default permit
When the certificate method is used for the IKE negotiation process, it is roughly the same as
when the pre-shared key method is used. The difference between the two is that when the
certificate method is used, the ISAKMP identity messages (main mode is ISAKMP message
(5) and (6); aggressive mode is ISAKMP message (1) and (2)) sent between the two peers will
include an additional certificate payload and signature payload. We won't go into the specifics
on the negotiation process again.
At this point, Tiandihui had found an alternative identity message authentication scheme to
the pre-shared key method. When new sub-hosts establish an IPSec connection to the host FW,
all the sub-host needs to do is apply for a certificate with the same CA; then the sub-host and
host can perform identity authentication with the certificate. Since the host does not need to
protect the same pre-shared key for each sub-host, Tiandihui could reduce its administration
costs.
NOTE
Apart from its use in IPSec connections, a digital certificate can also be used for identity authentication
between SSL VPN clients and servers; for details, see "Chapter 7 Overview of SSL VPNs".
In addition to the surge in new sub-hosts, Tiandihui also had some older sub-hosts who had
already been accessed into the host via GRE or L2TP method accession host. How can IPSec
be used to ensure secure communications between these sub-hosts and the host without
changing the original access mode? Dr. WoW will take us through an in-depth study on this
very topic.
238
Learn Firewalls with Dr. WoW
6.10 Security Policy Configuration Roadmap
With IPSec VPNs, there are lots of special features when it comes to security policy
configurations; not only will it allow firewall traffic traversal, but it will also allow for IPSec
protocol packets. This section is designed to teach us all about the precise security policy
configuration methods for IPSec VPNs.
6.10.1 IKE/IPSec VPN Scenarios
As shown in Figure 6-27, an IPSec tunnel is established between host FW_A and sub-host
FW_B so that PC_A and PC_B can interact through the IPSec tunnel. Suppose that FW_A
and FW_B connect to a private network through the GE0/0/1 interface; this is the trust zone;
when connecting to the Internet through the GE0/0/2 interface, this is the untrust zone.
Figure 6-27 IKE/IPSec networking
Untrust
Trust
GE0/0/1
192.168.0.1/24
Trust
GE0/0/1
172.16.2.1/24
GE0/0/2
GE0/0/2
1.1.1.1/24
2.2.3.2/24
IPSec tunnel
Host
FW_A
PC_A
192.168.0.2/24
Sub-host 1
FW_B
PC_B
172.16.2.2/24
The security policy configuration process is as follows:
2.
First configure the broadest domain security policy to commission the IPSec.
Set the FW_A domain default packet filtering to permit:
[FW_A] firewall packet-filter default permit all
Set the FW_B domain default packet filtering to permit:
[FW_A] firewall packet-filter default permit all
3.
Once the IPSec is configured on the firewalls, PC_A will initiate access to PC_B; by
analyzing the firewall session table, we can obtain the security policy match conditions.
Host FW_A session table
[FW_A] display firewall session table verbose
Current Total Sessions: 3
udp VPN: public --> public
Zone: local--> untrust TTL: 00: 02: 00 Left: 00: 00: 55
Interface: GigabitEthernet0/0/2 NextHop: 1.1.1.2 MAC: 00-e0-fc-e4-65-58
<--packets: 4 bytes: 692 -->packets: 6 bytes: 944
1.1.1.1: 500-->2.2.3.2: 500 //Corresponds to ISAKMP negotiation packet, port 500
icmp VPN: public --> public
Zone: trust--> untrust TTL: 00: 00: 20 Left: 00: 00: 16
Interface: GigabitEthernet0/0/2 NextHop: 1.1.1.2 MAC: 00-e0-fc-e4-65-58
<--packets: 0 bytes: 0 -->packets: 1 bytes: 60
192.168.0.2: 14235-->172.16.2.2: 2048 //Corresponds to original IP packets
esp VPN: public --> public
239
Learn Firewalls with Dr. WoW
Zone: untrust--> local TTL: 00: 10: 00 Left: 00: 09: 59
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets: 0 bytes: 0 -->packets: 2 bytes: 224
2.2.3.2: 0-->1.1.1.1: 0 //Corresponds to IPSec packets. If AH and ESP encapsulation
are both configured, there will be two sessions.
There's a strange phenomenon herein; the session direction that corresponds to host FW_A
sending an ESP packet is untrust-->local (2.2.3.2: 0—>1.1.1.0); on the table, there seems to
be an inconsistency with the session direction when FW_A receives ESP packets. Why is that?
It turns out that when FW_A sends the encrypted ESP packet, it does not establish a session
and so it does not go through the firewall forwarding process; naturally, it won't check the
security policy either. However, when the firewall receives the ESP packet for encryption, it
must first establish a session for the forwarding process and check the security policy; as we
can see, this session corresponds to an ESP packet receipt. Whether ISAKMP negotiation
packets are sent or received, the forwarding process must be performed both times, so this
issue does not occur.
By analyzing the session table we can obtain the FW_A packet path, as shown in Figure 6-28.
Figure 6-28 Host FW_A packet path
Trust
Untrust
GE0/0/2
GE0/0/1
Local
IPSec tunnel
1.1.1.1
PC_A
192.168.0.2/24
FW_A
Original packet of PC_A-to-PC_B access
ISAKMP and IPSec packets
As can be seen in the figure above, FW_A must configure the trust zone--->untrust zone
security policy to allow PC_A to PC_B access packets to go through; it must also configure
the local zone--->untrust zone security policy to allow ISAKMP negotiation packets to go
through; an untrust zone--->local zone security policy must also be configured to allow ESP
packets to go through.
Sub-host FW_B session table
[FW_B] display firewall session table verbose
Current Total Sessions: 3
udp VPN: public --> public
Zone: untrust--> local TTL: 00: 02: 00 Left: 00: 00: 36
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets: 1 bytes: 200 -->packets: 2 bytes: 280
1.1.1.1: 500-->2.2.3.2: 500
esp VPN: public --> public
Zone: untrust--> local TTL: 00: 10: 00 Left: 00: 09: 59
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets: 0 bytes: 0 -->packets: 4 bytes: 448
1.1.1.1: 0-->2.2.3.2: 0
icmp VPN: public --> public
240
Learn Firewalls with Dr. WoW
Zone: untrust--> trust TTL: 00: 00: 20 Left: 00: 00: 16
Interface: GigabitEthernet0/0/1 NextHop: 172.16.2.2 MAC: 54-89-98-39-60-e2
<--packets: 1 bytes: 60 -->packets: 1 bytes: 60
192.168.0.2: 61095-->172.16.2.2: 2048
By analyzing the session table, we can obtain the FW_B packet path, as shown in Figure 6-29.
Figure 6-29 Sub-Host FW_B packet path
Untrust
GE0/0/2
IPSec tunnel
Trust
GE0/0/1
Local
2.2.3.2
PC_B
172.16.2.2/24
FW_B
Original packet of PC_A-to-PC_B access
ISAKMP and IPSec packets
As can be seen in the figure above, FW_B must configure an untrust zone--->trust zone
security policy to allow PC_A to PC_B access packets to go through; it must also configure
an untrust zone--->local zone security policy to allow ISAKMP negotiation packets to go
through; an untrust zone--->local zone security policy must also be configured to allow ESP
packets to go through.
When PC_B initiates access to PC_A, the packet path is the opposite of the PC_A access path
to PC_B, so we don't need to discuss it again.
In conclusion, in the IKE/IPSec scenario, FW_A and FW_B should configure security policy
match conditions, as shown in Table 6-19.
Table 6-19 Host and Sub-host FW security policy match conditions
Service
Direction
Device
Source
Security
Zone
Destination
Security
Zone
Source
Address
Destination
IP Address
Applications
(Protocol+Destination
Port)
PC_A
access to
PC_B
Host
FW_A
Untrust
Local
2.2.3.2/32
1.1.1.1/32
AH and/or ESP (ESP for
this example)
Local
Untrust
1.1.1.1/32
2.2.3.2/32
UDP+500
Trust
Untrust
192.168.0.
0/24
172.16.2.0/24
*
Untrust
Local
1.1.1.1/32
2.2.3.2/32
AH and/or ESP (ESP for
this example)
Sub-Host
FW_B
UDP+500
Untrust
Trust
192.168.0.
0/24
172.16.2.0/24
*
241
Learn Firewalls with Dr. WoW
PC_B
access to
PC_A
Host
FW_A
Untrust
Local
2.2.3.2/32
AH and/or ESP (ESP for
this example)
1.1.1.1/32
UDP+500
Sub-Host
FW_B
Untrust
Trust
172.16.2.0
/24
192.168.0.0/24
*
Untrust
Local
1.1.1.1/32
2.2.3.2/32
AH and/or ESP (ESP for
this example)
Local
Untrust
1.1.1.1/32
2.2.3.2/32
UDP+500
Trust
Untrust
172.16.2.0
/24
192.168.0.0/24
*
*: This depends on the specific service type and can be configured based on the actual situation, e.g. tcp, udp,
icmp, etc.
NOTE
Manual IPSec VPNs differ from IKE IPSec VPNs in that they do not have an ISAKMP session and as
such, there is no need to configure a UDP+500 security policy.
4.
Finally, change the default packet filtering action to deny.
Set the FW_A domain default packet filtering to deny:
[FW_A] firewall packet-filter default deny all
Set the FW_B domain default packet filtering to deny:
[FW_B] firewall packet-filter default deny all
6.10.2 IKE/IPSec VPN+NAT Traversal Scenarios
With IKE/IPSec VPN+NAT traversals, the security policy configuration also has several
unique characteristics. We'll introduce this characteristic with Scenario 2 from "6.8.1
Overview of NAT Traversal Scenarios".
As shown in Figure 6-30, an IPSec tunnel has been established between host FW_A and
sub-host FW_B; there is an NAT device between the two; the post-NAT transformation
address is 2.2.2.10 (an address set in the address pool). Suppose that FW_A and FW_B
connect to a private network through the GE0/0/1 interface; this is the trust zone; the upstream
device connects through the GE0/0/2 interface; this is the untrust zone.
Figure 6-30 IKEv1/IPSec VPN+NAT traversal networking
Untrust
Trust
GE0/0/1
192.168.0.1/24
GE0/0/2
1.1.1.1/24
IPSec tunnel
Host
FW_A
PC_A
192.168.0.2/24
Trust
NAT
2.2.2.10
GE0/0/1
172.16.1.1/24
GE0/0/2
172.16.0.1/24
Sub-host
GE0/0/0
172.16.0.2/24
NAT device
FW_B
PC_B
172.16.1.2/24
242
Learn Firewalls with Dr. WoW
The security policy configuration process is as follows:
2.
First configure the broadest domain security policy to commission the IPSec.
Set the FW_A domain default packet filtering to permit:
[FW_A] firewall packet-filter default permit all
Set the FW_B domain default packet filtering to permit:
[FW_A] firewall packet-filter default permit all
3.
Once the IPSec is configured on the firewalls, PC_B will initiate access to PC_A; by
analyzing the firewall session table, we can obtain the security policy match conditions.
Host FW_A session table
<FW_A> display firewall session table verbose
Current Total Sessions: 3
udp VPN: public --> public
Zone: untrust--> local TTL: 00: 02: 00 Left: 00: 01: 52
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets: 1 bytes: 296 -->packets: 1 bytes: 296
2.2.2.10: 2052-->1.1.1.1: 500
udp VPN: public --> public
Zone: untrust--> local TTL: 00: 02: 00 Left: 00: 01: 58
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets: 1 bytes: 228 -->packets: 5 bytes: 740
2.2.2.10: 2049-->1.1.1.1: 4500
icmp VPN: public --> public
Zone: untrust--> trust TTL: 00: 00: 20 Left: 00: 00: 14
Interface: GigabitEthernet0/0/2 NextHop: 192.168.0.2 MAC: 54-89-98-7f-1e-b2
<--packets: 1 bytes: 60 -->packets: 1 bytes: 60
172.16.1.2: 34201-->192.168.0.2: 2048
Host FW_A has a total of three sessions: two udp sessions and one icmp session. Of the two
udp sessions, one port is 500, and one is 4500; this means that after the IKE detected the NAT
gateway, the ISAKMP outer packet added UDP encapsulation, and the negotiation port also
switched from 500 to 4500. The subsequently transferred ESP packet also has an added UDP
header, so FW_A cannot see the corresponding ESP packet session.
By analyzing the session table, we can obtain the host FW_A packet path, as shown in Figure
6-31.
Figure 6-31 Host FW_A packet path
Trust
GE0/0/2
GE0/0/1
Untrust
Local
IPSec tunnel
1.1.1.1
PC_A
192.168.0.2/24
FW_A
Packets of PC_B-to-PC_A access
ISAKMP and IPSec packets
243
Learn Firewalls with Dr. WoW
As can be seen in the figure above, host FW_A must configure an untrust zone--->trust zone
security policy to allow PC_B to access PC_A packets; it must also configure an untrust
zone--->local zone security policy to allow host FW_A and sub-host FW_B to establish an
IPSec tunnel.
Sub-host firewall FW_B session table
<FW_B> display firewall session table verbose
Current Total Sessions: 3
udp VPN: public --> public
Zone: local--> untrust TTL: 00: 02: 00 Left: 00: 01: 45
Interface: GigabitEthernet0/0/2 NextHop: 172.16.0.2 MAC: 00-00-00-d3-84-01
<--packets: 1 bytes: 296 -->packets: 1 bytes: 296
172.16.0.1: 500-->1.1.1.1: 500
udp VPN: public --> public
Zone: local--> untrust TTL: 00: 02: 00 Left: 00: 01: 50
Interface: GigabitEthernet0/0/2 NextHop: 172.16.0.2 MAC: 00-00-00-d3-84-01
<--packets: 5 bytes: 708 -->packets: 1 bytes: 260
172.16.0.1: 4500-->1.1.1.1: 4500
icmp VPN: public --> public
Zone: trust--> untrust TTL: 00: 00: 20 Left: 00: 00: 07
Interface: GigabitEthernet0/0/2 NextHop: 10.1.5.1 MAC: 00-00-00-d3-84-01
<--packets: 1 bytes: 60 -->packets: 1 bytes: 60
172.16.1.2: 34201-->192.168.0.2: 2048
By analyzing the session table, we can obtain the sub-host FW_B packet path, as shown in
Figure 6-32.
Figure 6-32 Sub-Host FW_B packet path
Untrust
IPSec tunnel
GE0/0/2
GE0/0/1
Trust
Local
PC_B
172.16.2.2/24
FW_B
Packets of PC_B-to-PC_C access
ISAKMP and IPSec packets
As can be seen in the figure above, sub-host FW_B must configure a trust zone--->untrust
zone security policy to allow PC_B to PC_A access packets to go through; it must also
configure a local zone--->untrust zone security policy to allow host FW_A and sub-host
FW_B to establish an IPSec tunnel.
If the NAT device is only configured for source NAT, then this scenario will only allow
sub-host FW_B to actively establish an IPSec tunnel with host FW_A. If this is the case, the
match conditions for host FW_A and sub-host FW_B security policy configurations are as
shown in Table 6-20.
244
Learn Firewalls with Dr. WoW
Table 6-20 Host and sub-host fw security policy match conditions
Service
Direction
Device
Source
Security
Zone
Destination
Security
Zone
Source
Address
Destination
IP Address
Applications
(Protocol+Destination
Port)
PC_B
access to
PC_A
Host
FW_A
Untrust
Local
172.16.0.
1/32
1.1.1.1/32
UDP+500 and 4500
Untrust
Trust
172.16.1.
0/24
192.168.0.0/24
*
Local
Untrust
172.16.0.
1/32
1.1.1.1/32
UDP+500 and 4500
Trust
Untrust
172.16.1.
0/24
192.168.0.0/24
*
Sub-Host
FW_B
*: This depends on the specific service type and can be configured based on the actual situation, e.g. tcp, udp,
icmp, etc.
If the host has not configured a template IPSec policy and NAT Server is configured on the
NAT device, host FW_A is allowed to actively establish an IPSec tunnel with sub-host FW_B;
we can summarize the match conditions for this security policy for PC_A access to PC_B
based on the method above.
4.
Lastly, change the default packet filtering to deny.
Set the FW_A domain default packet filtering to deny:
[FW_A] firewall packet-filter default deny all
Set the FW_B domain default packet filtering to deny:
[FW_B] firewall packet-filter default deny all
245
Learn Firewalls with Dr. WoW
7
SSL VPN
7.1 SSL VPN Mechanisms
7.1.1 Advantages of SSL VPN
The Internet has developed in a fast, unpredictable manner, and it can now be said that
"network connections are available anywhere, anytime". Although PCs and laptops are
ubiquitous, these are already being looked down upon as being too heavy and inconvenient,
and everyone now has a smart phone or tablet, allowing them to enjoy anytime/anywhere
Internet access. The times are ever changing, and advances in science and technology
continue to be made, but what remains the same is the concept that science and technology are
people-centric—people are looking for more convenience, simplicity and security. For
specific use scenarios involving remote connections and access to internal networks, a few
cracks have appeared in the leading traditional VPN technology, IPSec:
Inflexible networking. When constructing an IPSec VPN, if equipment is added or the
user's IPSec policy is altered, the existing IPSec configuration needs to be adjusted.
Client software needs to be installed for IPSec VPNs, leading to a good deal of trouble in
terms of compatibility, deployment and maintenance.
IPSec is not strict enough regarding user access control; IPSec can only undertake
network layer control, but is unable to conduct granular access control of application
layer resources.
As the saying goes, "there is a way up every mountain; if there's a problem there must be a
solution", and accordingly a new kind of technology has begun to take center stage: Secure
Sockets Layer VPN (SSL VPN), a new lightweight remote access solution, effectively solves
the aforementioned problems, and has very broad application in real-world remote access
solutions.
SSL VPN operates between the transport layer and the application layer, and does not
change IP or TCP headers or impact the existing network topology. If a firewall is
deployed in the network, an SSL VPN only requires that the traditional HTTPS (port 443)
be enabled on the firewall.
SSL VPN uses the browser/server (B/S) architecture. Therefore, SSL VPN does not
require client applications, and only requires a browser for ease of use.
Although SSL VPN does not require the installation of additional clients, SSL VPN features have
explicit requirements regarding the browser and operating system type and version. For specific
requirements please review product documents.
246
Learn Firewalls with Dr. WoW
More importantly, compared with IPSec network layer control, all access control in an
SSL VPN is based in the application layer, and the level of granularity can reach the
URL or file levels, which can greatly improve the security of remote access.
Below I, Dr. WoW, will take everyone on a detailed introduction of SSL VPN technology.
7.1.2 SSL VPN Use Scenarios
So-called SSL VPN technology is actually a name created by VPN vendors, and refers to
remotely connected users using the SSL function embedded in standard Web browsers to
connect to an SSL VPN server on an enterprise intranet, following which the SSL VPN server
can forward packets to a specific internal server, thereby allowing remotely connected users to
access specially designated server resources within the company after passing authentication.
In this scenario, remotely connected users and SSL VPN servers use the standard SSL
protocol to encrypt data transmitted between them—this amounts to establishing a tunnel
between the remotely connected user and the SSL VPN server.
Generally speaking, SSL VPN servers are deployed behind firewalls at the egress; the typical
use scenario for SSL VPN is shown in Figure 7-1.
Figure 7-1 Typical use scenario for SSL VPN
SSL VPN server
Server
SSL VPN
Internal
network
resources
Remotely
connected
users
Enterprise egress firewall
Remotely connected users will hereinafter be called "remote users."
Huawei's USG2000/5000/6000 families of firewalls can serve directly as SSL VPN servers,
conserving network construction and administration costs. While I have the opportunity, let
me get a word in on behalf of Huawei, which has released the specialized SVN2000 and
SVN5000 series of SSL VPN server products. These provide support for higher numbers of
users, and support SSL VPN solutions for even greater numbers of use scenarios.
In this section, I will primarily introduce the establishment of a connection between remote
users and an SSL VPN server, as well as the process of successfully logging in to the SSL
VPN server. How SSL VPN servers forward remote user requests to various internal servers
will be introduced in subsequent sections.
Before beginning a rather dull, theoretical introduction, I will provide a demonstration of the
steps involved in logging in to an SSL VPN server, so that the ease and convenience of SSL
VPNs can be observed visually.
The steps typically involved in remote user access of an SSL VPN server are extremely
simple, as shown in Table 7-1.
247
Learn Firewalls with Dr. WoW
Table 7-1 Steps for remote user access of an SSL VPN server
Step
Detailed description
1
Open a browser, enter the https://SSL VPN server address: port or https://domain,
to initiate a connection.
2
The web page may give a reminder that there is a problem with the security
certificate for the website about to be accessed, but we'll select "continue to this
website."
3
The SSL server login interface successfully appears. The interface's right side
requests for the user name/password to be input.
4
Input the user name/password (previously obtained from the enterprise network
administrator), successfully log in to the SSL VPN server, and enter the intranet
resources access page.
Can these few steps guarantee the establishment of an SSL VPN connection and secure access?
Why is there a reminder that there is a problem with the security certificate of the web address
to be accessed? I'm sure there are many questions swirling around in everyone's minds now.
With these questions in mind, we'll explore how remote users exchange packets with the SSL
VPN server in these few brief steps.
I believe there are two keys involved in this, which also display two basic security features of
SSL VPN technology:
1.
Security of the transmission process
In the aforesaid definition of SSL VPN, we mentioned that remote users and SSL VPN
servers use the standard SSL protocol to encrypt data transmitted between them. The
SSL protocol begins operating from when a user opens his/her browser and accesses the
SSL VPN server address. Therefore, we need to explore the mechanisms through which
the SSL protocol operates in more detail.
2.
Security of user identities.
In the above demonstration of logging in to SSL VPN servers, the remote user accessed
the SSL VPN server's login interface, and the SSL VPN server requested that the user
name/password be input. This is actually the SSL VPN server requesting authentication
of the user's identity. SSL VPN servers generally support multiple kinds of user
authentication methods to guarantee the security and legitimacy of access. Huawei's
firewalls support multiple methods for authenticating user names/passwords, including
local authentication, server authentication, certificate authentication, two-factor
authentication (user name/password + certificate), etc.
7.1.3 SSL Protocol Operating Mechanisms
SSL is a kind of protocol that establishes a secure path between clients and servers. It is a Web
application-based security protocol developed by the Netscape company, and provides data
encryption, server authentication, information integrity and optional client authentication for
application protocols based in TCP/IP connections (such as HTTP, Telnet and FTP, etc.). This
is to say that the SSL protocol has the following features:
248
Learn Firewalls with Dr. WoW
All data to be transmitted is encrypted for transmission, so that third parties cannot
eavesdrop.
It possesses verification mechanisms, so the two communicating parties will
immediately discover any information tampering.
It's equipped with an identity certificate to prevent identities from being forged.
The SSL protocol has been developed continuously since being released in 1994. The SSL 2.0
and SSL 3.0 versions released by the Netscape company have been broadly used. Following
these, an Internet standardization organization released the TLS 1.0 protocol (also known as
SSL 3.1) based in SSL 3.0, and later also released the TLS1.1 and TLS 1.2 versions. At
present, most mainstream browsers now support TLS 1.2. Huawei's firewalls support the SSL
2.0, SSL 3.0 and TLS 1.0 versions.
The SSL protocol's structure is made up of two layers. The lower layer is the SSL record
protocol, and the higher layer has the SSL handshake protocol, the SSL change cipher spec
protocol and the SSL alert protocol; the roles of each protocol are as shown in Figure 7-2.
Figure 7-2 SSL protocol structure and uses
It's thus obvious that the establishment of an SSL connection primarily relies on the SSL
handshake protocol, and below we'll explore the SSL handshake protocol in detail.
249
Learn Firewalls with Dr. WoW
The SSL handshake protocol's basic design approach can be summarized in a brief sentence:
it transmits ciphertext using a public key encryption algorithm. Or, to put things another
way, the server tells its public key to the client, the client then uses the server's public key to
encrypt information, and after the server receives the ciphertext, it uses its own private key for
decryption.
There are two problems with this design approach which require further refined solutions:
2.
When the server tells its public key to the client, how can it be guaranteed that the public
key has not been tampered with?
Solution: Incorporate a digital certificate. Include the server's public key into the server
certificate, with the server sending the certificate to the client. So long as the certificate
is trustworthy, the public key can be trusted.
3.
The security of the public key encryption algorithm is high, however, as the two
endpoints each use private keys for decryption, the algorithm is relatively complicated,
and the encryption and decryption are computing-intensive—how can efficiency be
increased?
Solution: Incorporate a new "session key". The client and server negotiate the "session key"
using a public key encryption algorithm, and subsequent data packets all use this "session
key" for encryption and decryption (this is also known as a symmetric encryption algorithm).
The computing speed is very fast when using a symmetric encryption algorithm, allowing for
a great increase in the computing efficiency of encryption and decryption.
To explain things further, "the session key" is actually a secret key shared by the server and
the client. It is called the "session key" because it incorporates the concept of a session. Every
TCP-based SSL connection is associated with a session, and the session is created by the SSL
handshake protocol. This provides complete transmission encryption for each connection, and
means that the handshake process is included in the session.
Since the design of the SSL handshake protocol has already resolved the key questions, below
we'll cover specific design details: the aforementioned design approach is achieved through
four communications between the server and the client, thereby ensuring that highly efficient,
securely encrypted packet transmission can be conducted following the handshake stage.
The specific contents of the four communications involved in the SSL handshake is shown in
Figure 7-3. It is important to note that all communications in this stage are cleartext.
250
Learn Firewalls with Dr. WoW
Figure 7-3 SSL handshake process
SSL VPN Client
SSL VPN Server
Client Hello
2
Server Hello
Sever Certificate
Sever Key Exchange
Client Certificate Request
Server Hello Done
Client Certificate
Client Key Exchange
Certificate Verify
Change Cipher Spec
Client Finished Message
4
4.
1
3
Change Cipher Spec
Server Finished Message
Client sends request (Client Hello)
The client (generally the browser) first sends a communication encryption request to the
server. The primary information provided to the server in this step is as follows:
(1) The protocol version supported, for example TLS version 1.0.
(2) A random number generated by the client, to be used a bit later in generating the
"session key".
5.
Server's reply (Server Hello)
After receiving the client's request, the server sends a reply to the client. This step
includes the following information:
(1) Confirmation of the version of the cryptographic communication protocol being
used, for example TLS version 1.0. If the version is not supported by both the
browser and the server, then the server closes encrypted communication.
251
Learn Firewalls with Dr. WoW
(2) A random number generated by the server, to be used a bit later in generating the
"session key".
(3) Confirmation of the cipher suite.
(4) A server certificate that contains the server's public key.
The SSL handshake protocol supports two-way authentication between the client and the server. If the
server needs to verify the client, the server must send a request to authenticate the certificate of the client
in this step.
6.
Client Response
After the client receives the server's reply, it first authenticates the server's certificate. If
the certificate has not been issued by a trustworthy authority, the domain name provided
in the certificate is not the real domain name, or the certificate has expired, an alert will
be displayed in which a choice can be made as to whether or not to continue the
communication. If there is no problem with the certificate, the client will extract the
server's public key from the certificate. Following this it will send the following three
items of information to the server:
(1) A pre-master key, encrypted using the server's public key. This prevents
eavesdropping, and the pre-master-key will be used momentarily to generate the
"session key". At this time the client will have three random numbers, and can
compute the "session key" to be used for this session.
(2) A change cipher spec notice, expressing that all future information will be sent
using the encryption method and key negotiated by the two parties.
(3) The client's handshake finish notice, expressing that the client's handshake stage has
already been concluded. At the same time as this is the HASH value for all content
sent previously, used for server authentication.
7.
The server's final response
After the server receives the client's random pre-master key, it computes and generates
the "session key" to be used for this session (the computing method and computed results
are the same as the client's). Following this, the below, final information is sent to the
client:
(1) A change cipher spec notice, expressing that future information will all be sent
using the encryption method and key negotiated by the two parties.
(2) The server handshake finish message, expressing the end of the server's handshake
stage.
Now that everyone has finished reviewing the specific content of the SSL handshake
protocol's four communications, I think it likely that some additional questions have
arisen. As always, I'm ready to serve:
(1) When the random pre-master-key appears, the client and server already have three
random numbers, and the two then use the previously negotiated encryption method
to each generate the same "session key" to be used in this session. Why do three
random numbers need to be used to generate the "session key"?
Answer: It is clear that the public key encryption algorithm's use of the three
random numbers in obtaining the final symmetric secret key is done in order to
increase security. The reason the pre-master-key exists is because the SSL protocol
does not trust that every host will be able to generate "completely random" random
numbers. If the random numbers are not random, then it may be possible to infer
them, creating security problems. And, three 'pseudo random numbers' gathered
together are extremely close to being random.
252
Learn Firewalls with Dr. WoW
(2) During the SSL handshake protocol's second communication, when the server
responds (server hello), it sends its own certificate, and the client immediately
conducts verification of the servers' certificate; this is to say that the client verifies
the servers' legitimacy. Is this related to the alert encountered in Table 7-1 when we
were demonstrating logging in into the SSL VPN server that "there is a problem
with this website's security certificate"?
Answer: Actually, the SSL protocol begins to operate from when the client (the
remote user) accesses the SSL VPN server through HTTPS in step 1 of Table 7-1.
The notice in step 2 just happens to correspond with the second communication of
the SSL handshake protocol—at this time the server sends its own local certificate
to the client, and the client needs to authenticate the server's certificate. The
appearance of the alert indicates that the client believes this server's certificate is not
trustworthy. If this reminder appears during our everyday access to online banking
and other similar interfaces, we need to increase our vigilance to prevent mistakenly
entering phishing websites. However, we'll choose to mandate trust for this website
for now.
My explanation of the SSL handshake protocol's operating mechanisms is now complete.
Take a deep breath—we still need to test the principles behind this from a practical
standpoint.
Step 1 Use a firewall as the SSL VPN server and complete the configurations on the firewall.
SSL server functionality on a firewall is called a virtual gateway. The virtual gateway's
address/domain name is the SSL VPN server's address/domain name.
a.
Configure the virtual gateway, enable the SSL VPN server function, and configure the
server address.
b.
Configure the authentication method as local authentication, and create the user
(including the user name and password.)
c.
Configure security policies to ensure network connectivity. We will introduce methods
for configuring security policies in section 8.7 "Configuring Security Policies."
Step 2 Follow the steps provided at the beginning of this chapter demonstrating how to log in to
the SSL VPN server from a client, and use the configured user name/password to log in
to the SSL VPN server.
a.
Client 10.108.84.93 initiates a connection request using an IE browser to the firewall's
virtual gateway at https://10.174.64.61. In the figure blow, numbers 21-29 show the
entire four-communication SSL handshake process. After the server replies with its
Server Finished Message (encrypted) in No. 29, the alert interface stating that the
253
Learn Firewalls with Dr. WoW
security certificate has a problem appears. At this point, the client and server have
actually not begun normal communication, but are in the SSL handshake stage. The
client has verified that the server is not legitimate, and the client's Web interface has
asked the user whether or not they want to continue browsing this website.
b.
Select "continue to this website". Beginning with No. 103, the client requests to use a
new session, and again initiates the SSL handshake protocol. After handshake
completion, normal encrypted communication is begun, and continues until the user's
browser successfully loads the firewall's virtual gateway's user login interface.
c.
Enter the user name and password. Beginning with No. 1561, SSL handshake protocol
initiation is continued. Following the four communications, the "session key" is
negotiated, and beginning with the packet carrying the user name and password, all data
between the user and the server is encrypted (shown as 'Application Data') and sent to
the server.
254
Learn Firewalls with Dr. WoW
----End
7.1.4 User Identity Authentication
To guarantee the legitimacy of SSL VPN remote users and improve system security, the SSL
VPN server supports multiple authentication methods. In the previous example, the user name
and password are configured and stored on the firewalls. This is the most basic and simple
authentication method. Huawei's firewalls support the following authentication methods:
Local user name/password authentication: The user name and password are
configured and stored on the firewall. The user can successfully log in by simply
entering the matching user name/password.
User name/password authentication on server: The user name and password are
stored on a special third party authentication server. After the user enters the user name
and password, the firewall forwards them to the authentication server for authentication.
Currently supported types of authentication servers include RADIUS, HWTACACS,
SecurID, AD, and LDAP.
Certificate anonymous authentication: A client certificate is configured on the user's
client. The firewall verifies the client certificate to authenticate the user's identity.
Certificate challenge authentication: The server uses two-factor authentication (user
name/password+ client certificate) to authenticate a user's identity. This method is clearly
the most secure.
−
If only client certificate authentication is used, it is impossible to guarantee security if
the client is lost or is illegally used;
−
If only the client name/password is used for authentication, and a different client is
used, the client may present a security hazard.
255
Learn Firewalls with Dr. WoW
The two-factor authentication method ensures that a designated user uses a designated
client to log in to the SSL VPN server, thereby legitimately accessing internal network
resources.
Local user name/password authentication and user name/password authentication on a
third-party server are the most common authentication methods, and will not be described
further here. Below, I will introduce certificate authentication.
Certificate challenge authentication has one more user name/password authentication than
certificate anonymous authentication, but the principles remain the same, and they can thus be
described together.
The firewall (the SSL VPN server) verifies the client's certificate to authenticate the user's
identity, as shown in Figure 7-4.
Figure 7-4 Certificate authentication process
CA
1
1
Client CA certificate
Client certificate
Resource server
2
3
User
Optional
2'
Challenge password
authentication:
The User field in a certificate
+ entered password
Authentication input
Auxiliary password
authentication system
(local or third-party server)
Authentication data flow
Service data flow
The process is described as follows:
2.
Import a client certificate on the client, and import a client CA certificate on the firewall.
3.
The user (client) sends its own certificate to the firewall for authentication, which will be
successful if the following conditions are met.
−
The client's certificate and the client CA certificate imported onto the firewall are
issued by the same CA.
−
The client certificate is within its validity period.
−
The user filtering field in the client certificate is the user name that has already been
configured and stored on the firewall. For example, if the client certificate's user
256
Learn Firewalls with Dr. WoW
filtering field reads CN=user000019, the certificate is issued for user000019.
Therefore, user000019 must have been configured on the firewall.
4.
After the user passes the firewall's identity authentication, the user can log in to the
resource interface and access the specified resources on the internal network.
Above, I, Dr. WoW, have already displayed a packet capture from the SSL handshake stage
when using the user name/password to log in to the firewall's virtual gateway, and below we'll
change the authentication method to certificate anonymous authentication to take a look at
how the server authenticates a client certificate during the transfer of encrypted data.
On the firewall virtual gateway interface, and after configuration of the certificate the client
needs to use, the packet capture information is shown below. It is impossible to discern what
packet this is from the information, and so we import the firewall's (the SSL server) private
key, and use the packet capturing tool to decode the captured packet.
257
Learn Firewalls with Dr. WoW
To compare the left and right columns briefly, we can see that in No. 895, the first message
that appears as 'Encrypted Handshake Message' is actually a Hello Request sent from Server
10.174.64.61 to Client 10.108.84.93. The client then replies, after which the server sends a
Server Hello. Following this message, the server sends the client a request to authenticate the
client's certificate. From the packet capture, it seems that this negotiation wasn't successful for
some reason, and negotiation between the client and the server will continue.
Beginning with No. 1045, the server again discovers a Hello Request, and then continues on
with operations. In No. 1085, the server requests that the client provide a certificate. In No.
1088, the client sends its certificate to the server, and in No. 1097 the server authenticates the
client's certificate, with the packet capture displaying that the certificate is illegitimate and
cannot pass authentication. Although authentication was unsuccessful, the aforesaid
information factually reflects the entire process of server authentication of the client's
certificate; please compare the left and right sides to aid your understanding.
Above, I've finished my entire introduction of the process of establishing a connection
between a remote user and the SSL VPN server and successfully logging in to the SSL VPN
server. In the following sections, I will use the USG6000 family of firewalls as an example,
and first introduce file access and Web access (of e-mails, etc.; file access and Web access are
extremely common uses in an office scenario), and then introduce port forwarding and
network extension, organizing our discussion from more refined access control granularity to
coarser access control granularity.
We're using the USG6000 family of firewalls in our introduction because compared to the
USG2000/5000 firewall series, the SSL VPN functionality on the USG6000 has an improved user
authentication method, using the universal authentication method provided by the Firewall (this was
introduced in section 7.1.4 "User Identity Authentication") to render the configuration logic and process
clearer and easier to understand. Below, we'll shift our focus to SSL VPN operational configuration,
resource authorization and access control to introduce SSL VPN functionality, and will not give a further
detailed introduction regarding user authentication.
7.2 File Sharing
7.2.1 File Sharing Use Scenarios
In the introduction in the last section, we learned that a great difference between SSL VPN
and IPSec is that SSL VPN can refine the granularity of a remote user's access onto a
designated resource object, for example a file or a URL. In order to allow remote users to
instantly understand their own access permissions, the virtual gateway provides an especially
friendly and personalized platform: it combines files and URLs into a "custom made"
resource lists to show to the remote user. This is as if the virtual gateway is a new-wave,
fashionable restaurant that not only sells gourmet food but also sells customized services,
allowing different menus to be customized for customers with different tastes.
This isn't its only special feature. As most enterprises, out of security considerations, don't
want to make their internal server's resource addresses (URL or file path) public, the SSL
VPN therefore also provides a "resource address encryption" service that rewrites the
resource's path, allowing the remote user to not only smoothly access internal network
resources, but also making it very difficult to discover the internal network resource address.
This is like calling a simple potato dish 'Spheres of Glory', or calling a hotdog 'the King's
Scepter'—at first glance the name's meaning is unclear, and a great deal of time and effort is
required before such a name can be deciphered. But I digress-let's begin with the first dish:
258
Learn Firewalls with Dr. WoW
To put things simply, the SSL VPN's file sharing function allows remote users to securely
access company internal file servers directly using a browser, and supports file operations
such as creating new files, editing, uploading and downloads, as shown in Figure 7-5.
Figure 7-5 SSL VPN file sharing use scenario
SMB server
4.0.2.11/24
GE1/0/1
GE0/0/1
4.0.2.1/24 4.1.64.12/24
Internal network
SSL VPN
Firewall
Client
NFS server
At the moment, file sharing protocols that are relatively popular in companies include SMB
(Server Message Block) and NFS (Network File System). The former is primarily used in the
Windows operating system, while the latter is primarily used in the Linux operating system.
Huawei firewalls' SSL VPN is compatible with both of these protocols, so we don't need to
worry about this. The following content will use the SMB protocol as an example, and will
make use of the domain controller, a common authentication method, in introducing the file
sharing interaction.
In Figure 7-6, it can be seen that the firewall serves as a proxy device, and that its
communication with the client is always encrypted through the HTTPS (HTTP+SSL) protocol.
After the encrypted packet reaches the firewall, the firewall decrypts it and conducts protocol
conversion. Finally, the firewall serves as the SMB client and initiates a request to the
corresponding SMB file sharing server, and this also involves the file server authentication
process. Based upon the protocols used in communication, the aforesaid process can be
summarized into two phases:
2.
HTTPS interaction between the remote client serving as the Web client and the firewall
serving as the Web server.
3.
SMB interaction between the firewall serving as the SMB client and the file server (the
SMB server)
Figure 7-6 SSL VPN file sharing process
259
Learn Firewalls with Dr. WoW
Below, we'll describe file sharing configuration methods in detail and the principles behind
file sharing.
7.2.2 Configuring File Sharing
Before officially introducing the packet exchanges involved in file sharing, we will first
assume that file sharing resources have already been configured on an SMB file server (here
we'll use Windows Server 2008 as an example), and that permissions have been granted on
the domain controller:
Resource access address: \\4.0.2.11\huawei
Configuration of user permissions: the admin has read/write permissions; usera only has the
read permission.
The virtual gateway serves as the SSL VPN's entrance for all resources. Any resources that
need to be accessed must appear in the SSL VPN configuration—this also embodies the SSL
VPN's design approach that allows the granularity of access control to be refined. File sharing
first requires turning on the file sharing function and creating new file sharing resources, with
the goal being to provide a visible file sharing resources "menu" for the remote user, as shown
in Figure 7-7.
Figure 7-7 Configuring file sharing
7.2.3 Interaction Between the Remote User and the Firewall
After a successful login, the resources the virtual gateway makes available to the user will
appear on this interface. Hovering the mouse over a resource allows for the resources'
corresponding Web link to be seen in the browser status bar; this link includes the pages that
need to be requested from the firewall and parameters that need to be delivered, as shown in
Figure 7-8. We don't want to underestimate this URL, as it represents the remote user's
requested file resource information and corresponding operational commands. Different
directories and operations will each correspond with different URLs.
260
Learn Firewalls with Dr. WoW
Figure 7-8 SSL VPN login interface—file sharing
https://4.1.64.12/protocoltran/Login.html?VTID=0&UserID=4&SessionID=2141622535&Re
sourceType=1&ResourceID=4&PageSize=20&%22,1)
Q: Why can't the file resource \\4.0.2.11\huawei mentioned above be seen here?
A: Because the firewall has already hidden this. Using Resource ID is the only way to identify
the resource's address. The corresponding relationship between the Resource ID and the
resource's address is stored in the firewall's brain (memory); this allows for the internal
server's real address to be hidden, protecting server security.
To further our analysis of this Web link, in addition to the obvious fact that 4.1.64.12 is the
virtual gateway's address, I will break the remaining portions of the link's structure into three
parts:
protocoltran is the special directory for file sharing. It is clear from its name that this is
protocol+transform, indicating that this carries out conversion back and forth between
the HTTPS protocol and the SMB/NFS protocols.
Login.html is the request page. Generally speaking, different operations will correspond
with different request pages. I have organized all of the request pages and request results
pages that may be used in Table 7-2.
Table 7-2 File sharing request pages and request results pages
Page Name
Meaning
login.html
SMB file server authentication page
loginresult.html
dirlist.html
Shows folder structure and detailed list of file sharing resources.
downloadresult.html
Downloads files.
downloadfailed.html
create.html
Creates folders.
result.html
deleteresult.html
Deletes files and folders.
result.html
rename.html
Renames files and folders.
result.html
upload.html
Uploads files.
uploadresult.html
261
Learn Firewalls with Dr. WoW
?VTID=0&UserID=4&SessionID=2141622535&ResourceType=1&ResourceID=4&Pag
eSize=20&%22,1 are parameters transmitted to the request page. Here I will first give a
detailed parameter table. In addition to the parameters covered by this URL, I've also
included request parameters for other operations to aid everyone's understanding.
Table 7-3 Request page parameter details
Parameter
Meaning
VTID
The Virtual Gateway ID, used to distinguish between multiple
virtual gateways on the same firewall.
UserID
The User ID, identifying the currently logged-in user. For
security purposes, the ID is different for each login by the same
user to prevent a man-in-the-middle-attack from creating
fabricated data packets.
SessionID/RandomID
The session ID; all session IDs for the same login to the virtual
gateway are the same.
ResourceID
The Resource ID, identifying each file sharing resource.
CurrentPath
The file path of the current operation.
MethodType
Types of operations:
1: Deleting folders
2: Deleting files
3: Displaying a directory
4: Renaming a directory
5: Renaming a file
6: Creating a new directory
7: Uploading a file
8: Downloading a file
ItemNumber
Number of operational objects.
ItemName1
Name(s) of operational object(s); this can contain multiple
operational targets, for example deleting multiple files.
ItemType1
Type of operational object:
0: File
1: Folder
NewName
New name.
ResourceType
Resource type:
1: SMB resources
2: NFS resources
PageSize
Each page displays the number of resource items.
262
Learn Firewalls with Dr. WoW
In order to allow everyone to gain an understanding of the entire panorama of file sharing
functions, I will give a further, one-by-one explanation of some of the aforesaid operations
and commands using specific file sharing functions as examples.
When accessing file sharing resources for the first time, the file server's authentication must
first be passed.
The authentication stated here must be distinguished from the authentication that occurs when
logging in to the SSL VPN. In the login stage, the first thing the remote user needs to pass is
the firewall's authentication. This time we want to access file sharing resources, and of course
need to check whether or not the file server agrees to this. When "Public_Share" in the
resource list is clicked on, an authentication page will pop out, as shown in Figure 7-9.
Figure 7-9 File sharing login
After the authentication succeeds, the file resource page appears, as shown in Figure 7-10.
Figure 7-10 File sharing file operations
We know the above access process can be divided into two stages (authentication and folder
display), but is the real interaction process like this? A packet capture analysis of the
interaction process is as below:
263
Learn Firewalls with Dr. WoW
That's right, it looks like my understanding was correct. Login.html/LoginResult.html are all
authentication pages, and after the encrypted packet is decrypted, LoginResult.html also
includes the user name and password awaiting authentication by the file server. In addition,
Dirlist.html is the page that displays the folder structure.
2.
Verification of file downloading
The file download page and the corresponding URL are as shown in Figure 7-11.
Figure 7-11 Downloading files
The above table can be used to put the file download operation in words: the download
(MethodType=8) is of a root directory's (CurrentPath=2F) file (ItemType1=0), named
readme_11 (ItemName1=%r%e%a%d%m%e_%1%1). But it is important to note that
there is a bit of URL decrypted content here. For example, decrypting CurrentPath's
value ('2F') gives '/', which expresses the current resources' root directory.
3.
Folder rename authentication
The rename folder page is shown in Figure 7-12.
264
Learn Firewalls with Dr. WoW
Figure 7-12 Renaming folders
As usera only has the read permission, a failure notice is given, but this doesn't stop us from
continuing with analyzing this: file (ItemType1=1) userb (ItemName1=%u%s%e%r%b) in the
root directory (CurrentPath=2F) is being renamed usera (NewName=%u%s%e%r%a); the
corresponding URL is shown in Figure 7-13.
Figure 7-13 URL corresponding to folder rename operation.
Through the above introduction I believe that everyone now understands that the firewall's
establishment of these links is first to hide the true internal network file resource path
(\\4.0.2.11\huawei\), and secondly to, as the SSL VPN gateway, create a bridge for remote
user access and, as the SMB client, initiate file access to the SMB server (defining the file
object and operation to be accessed.)
7.2.4 Interaction of the Firewall with the File Server
A packet capture from between the firewall and the file server is shown below.
265
Learn Firewalls with Dr. WoW
1.
Firewall 4.0.2.1, serving as the client, initiates a negotiation request to file server
4.0.2.11. First to be negotiated is the SMB version (dialect). The firewall currently only
supports the use of SMB1.0 (NT LM 0.12) in its role as the client in interacting with the
server.
2.
The server's response information contains the authentication method to be used next and
a 16-bit challenge random number. A kind of secure authentication mechanism is used
here: the NT challenge/response mechanism, known as NTLM.
The authentication process is roughly as follows:
a.
The server generates a 16 bit random number and sends it to the firewall, to serve as a
challenge random number.
b.
The firewall uses a HASH algorithm to hash the user password and encrypt the received
challenge random number. It also returns its own user name (in plaintext) together with
this to the server.
c.
The server sends the user name, challenge random number and the encrypted challenge
random number returned from the firewall to the domain controller.
d.
The domain controller uses the user name to find the user password hash value in the
password administration database, encrypts the challenge random number, and compares
the encrypted challenge random number with the encrypted challenge random number
sent by the server. If they are the same then authentication is successful.
266
Learn Firewalls with Dr. WoW
After authentication succeeds, the user can access the designated file or folder.
To summarize the above, we can see that the firewall's role in the file sharing function is
actually that of a proxy that is an intermediary between the remote user and the SMB Server:
in the HTTPS stage it serves as the Web Server in receiving the file access request from the
remote user, and translates this into an SMB request; in the SMB stage, it serves as the SMB
client in initiating a request, receiving the response, and translating this to give to the remote
user. With the file sharing function, the remote user access to the internal file server is just as
convenient as its access of ordinary Web pages—it doesn't need to install a file sharing client,
doesn't have to remember the server's IP address, and won't get lost among a multitude of
servers.
7.3 Web Proxy
Although they both involve object level resource access, URL and file sharing are not the
same. When accessing a URL, the HTTP protocol is used. As the SSL protocol is a natural
born partner to HTTP, protocol conversion is no longer necessary in the Web proxy function.
However, we still want to focus on the two most critically important areas of content in our
description here: URL level access control and hiding the real URL address.
Web proxy services, means accessing an internal network's Web server resources (URL
resources) using the firewall as a proxy. Here, you might ask, isn't this just an ordinary proxy
function: when using one server as a springboard to access a destination URL address, this
server acts as a proxy—isn't the firewall doing the same? The answer is that these are not
completely the same thing, as throughout the entire process the firewall not only acts as a
proxy, but also rewrites the real URL, thereby achieving the goal of hiding the real internal
network URL, and further protecting the security of the internal network Web server.
7.3.1 Configuring Web Proxy Resources
Let's assume that a company has already set up a Web server and provided a portal address for
the company internal network (http://portal.test.com:8081/), and hopes to use the Web proxy
function to provide access for remote users.
Just as with file sharing resources, in order to refine the granularity of access control to the
URL level, it is necessary to configure a corresponding Web proxy resource in the virtual
gateway, as shown in Figure 7-14.
267
Learn Firewalls with Dr. WoW
Figure 7-14 Web proxy resource list—creating a new resource.
In the above configuration, the most important parameter is the resource type, which defines
the Web proxy method. Proxy methods include Web rewriting and Web-Link, and the
differences between the two are as shown in Table 7-4.
Table 7-4 Web Rewriting and Web-Link comparison
Item
Compared
Web Rewriting
Web-Link
Security
Rewrites the real URL, hiding
the internal server's
address—confers strong
security.
Cannot rewrite the URL, and directly
forwards Web requests and
responses, which can reveal the
internal server's real address.
Ease of use
Doesn't rely on IE controls, and
can be used normally on a
non-IE environment browser.
Relies on IE controls, and cannot be
used normally in non-IE
environments.
Compatibility
As Web technology has
developed very quickly,
firewalls cannot rewrite every
single class of URL resources,
and there may be some problems
such as misplaced pictures,
abnormal looking font, etc.
Does not need to rewrite resources,
and the firewall directly forwards
requests and responses, so there are
no problems with page compatibility.
Use advice
Web rewriting is the preferential
choice, as it is the most secure
and convenient type of access
method. If page display
abnormalities appear, then the
Web-Link method can be
Web-Link is the best substitute for
Web rewriting, but due to its reliance
on IE controls, there are still
limitations on its use. Moreover, it
does not rewrite the internal network
URL, meaning there is a security
268
Learn Firewalls with Dr. WoW
considered.
risk.
In Table 7-5 I list the meaning of some other parameters.
Table 7-5 Details of Web proxy parameters
Parameter
Details
URL
A Web application address that can be directly accessed by the internal
network. If in a domain name format, this requires that a corresponding
DNS server address be configured on the virtual gateway.
Resource
group
Is equivalent to a user-defined classification of Web application
addresses; after the remote user logs in they can screen needed resources
by resource group—this is like the entrée and beverage groupings on a
menu.
Portal link
Selects whether or not Web proxy resources appear on the virtual
gateway's homepage after login. If not selected, this is like preparing a
'house dish' that is not on the menu for an old customer. The 'old user'
can, after logging in, manually input a URL address in the upper right
hand corner address bar, and access some relatively confidential URL
resources.
I will take everyone on a further exploration of how Web rewriting actually works. As for
Web-Link, I've only made a small introduction to this here, as I will highlight this in 7.4 Port
Forwarding.
7.3.2 Rewriting URL addresses
From the URL address that actually appears to the user, we can see that the Web proxy
resource URL configured above, http://portal.test.com:8081/, has been rewritten.
269
Learn Firewalls with Dr. WoW
Figure 7-15 SSL VPN login interface—Web proxy
To analyze the rewriting results, in the address, 4.1.64.12 is the virtual gateway address, and
the remaining portions can roughly be broken down as:
Webproxy: the Web proxy's exclusive directory.
1/1412585677/4: UserID/SessionID/ResourceID; these parameters have already been
mentioned when introducing file sharing
http/portal.test.com:8081/0-2+: the altered form of the original URL address.
When the user accesses the rewritten address, the following exchange occurs.
2.
The remote user makes a request to the firewall for the rewritten URL address.
Before arriving at the firewall, the request packet is in an encrypted state. The above
screenshot is taken from after decryption, so we can also understand this as being the real
request received by the firewall.
3.
After the firewall decrypts the received packet, but before it sends the request to the
internal server, it conducts the following further treatment of the original packet:
a.
The original packet header's Accept-Encoding field needs to be deleted, otherwise
the Web server may encrypt the response packet and send it to the virtual firewall,
which would be unable to decrypt the packet, and unable to further forward the
packet. In the below screenshot, it can be seen that the firewall has already deleted
the original packet's Accept-Encoding field.
b.
The real internal network Web resource address is substituted in for the host field.
270
Learn Firewalls with Dr. WoW
c.
4.
The referer field for some URLs related to this Web resource is rewritten to be the
real internal network Web resource address.
The firewall, serving as the Web client, sends the rewritten data to the real Web server.
After this comes normal HTTP exchange, which we won't elaborate further on here.
7.3.3 Rewriting Resource Paths in URLs
The firewall receives the response packet—the page that needs to be displayed for the user
(we'll use the home page http://portal.test.com:8081/ as an example)—, and also needs to
rewrite some resource paths in the page. If the resource paths are not rewritten, the client will
use erroneous/non-existent addresses to obtain the resources, which will ultimately mean that
the corresponding content cannot be normally displayed. At present, firewalls support
rewriting for the following page resources:
HTML attributes
HTML events
271
Learn Firewalls with Dr. WoW
JavaScript
VBScript
ActiveX
CSS
XML
The firewall can rewrite the internal paths of these resources for normal page display and
function use.
7.3.4 Rewriting Files Contained in URLs
Actually, in the last sub-section we already gave a partial introduction to file rewriting.
However, this was all based on the rewriting of requested page resources, which is to say that
there was no need for the user to perceive the rewritten content—what the user cared about
was whether the page could be normally displayed and whether Web functionality was normal.
However, what we'll talk about next are the files near and dear to the user's heart, including
PDF, Java Applet and Flash.
Using PDF as an example, we've embedded a.pdf into http://portal.test.com:8081/, to provide
this to the user for download in the form of a link. The content in the PDF is as below,
including a link that can only be accessed on the internal network
(http://support.test.com/enterprise). If the firewall doesn't rewrite this, when the remote user
opens the downloaded PDF and attempts to access the links in it, they will be unable to attain
access, as shown in Figure 7-16.
Figure 7-16 File contained in a URL
But, through a virtual gateway download of the PDF file contained in a Web proxy resource,
display is as below when this is opened locally. As you can see, the original internal network
URL in the file has already been rewritten, and the rewritten URL is the beginning of the
virtual gateway address. In this way, external network users can access the internal network
resource embedded in the PDF file. This is shown in Figure 7-17.
Figure 7-17 Rewriting a file contained in a URL
272
Learn Firewalls with Dr. WoW
7.4 Port Forwarding
File sharing and Web proxies can address the majority of remote users' needs for access to
internal resources, however, under some circumstances (for example for access to TCP-based
non-Web applications such as Telnet, SSH, email, etc.), file sharing and Web proxies appear
to be helpless. However, it is not this way in practice, and in this section I will introduce port
forwarding, SSL VPN's third remarkable function, to everyone.
Port forwarding, to put things simply, is using a special port forwarding client program on the
remote user side to obtain a user's access requests, and then forwarding these to the internal
network's corresponding server through the virtual gateway. Next, we'll use Telnet, the most
commonly used application, as an example to introduce the configuration and processes
involved in remote clients accessing internal networks through SSL VPN.
7.4.1 Configuring Port Forwarding
A port forwarding use scenario is shown in Figure 7-18.
Figure 7-18 Port forwarding use scenario
FTP server
4.1.64.179
Email
server
Internal
network
10.1.1.2 4.1.64.11
SSL VPN
Firewall
Client
Telnet server
10.1.1.1
Just as with the other SSL VPN functions introduced above, regardless of what kind of
application is being accessed, corresponding resources need to first be added to the virtual
gateway. For Telnet, all that is required is to configure a Telnet server's IP address and port on
the virtual gateway, as shown in Figure 7-19.
Figure 7-19 Port forwarding—adding a new resource.
273
Learn Firewalls with Dr. WoW
There are two methods to enable the port forwarding function. The first is for the remote user
to choose to manually enable the port forwarding function in the virtual gateway interface that
appears after login. The second is for the administrator to set configuration as being
automatically enabled on the client after login, as shown in Figure 7-20. In addition to
being able to automatically enable the port forwarding function, the administrator can also
choose whether or not to keep port forwarding connections alive. This is important because
as some applications' access continues for a relatively long time (for example, if the remote
user suddenly needs to leave for a period of time while operating Telnet), after this is selected
it can prevent the interruption of the port forwarding service due to the SSL connection
timeout.
Figure 7-20 Configuring port forwarding
The data handling process for port forwarding is comparatively complex. Here, I'll give a
simple figure (Figure 7-21), and will go through each step from this bit by bit below.
274
Learn Firewalls with Dr. WoW
Figure 7-21 Port forwarding handling process
Remote users
Virtual gateway
Telnet server
+
Port forwarding client
Telnet client
1. Log in to SSL VPN.
Preparation
2. Download the ActiveX control
and deliver resource information.
Initiate a Telnet connection
C:\> telnet 10.1.1.1
Loopback
interface
3. Obtain the original request,
establish a local loopback
connection (TCP connection 1).
Put the client socket ID
into the private header.
4. Construct a private header and
establish an SSL connection
(open).
Telnet connection establishment
6. Construct a private header and
establish an SSL connection
(data).
Display the login page
Loopback
interface
Data communications
Through two private header
interactions, the relationship between
the TCP connections is established.
5. Decrypt the packet, obtain
connection information, and establish
TCP connection 2 with the internal
server.
Put the server socket
ID into the private
header.
7. Decrypt the packet and send the packet
through TCP connection 1 based on the
relationship between TCP connection 1 and
TCP connection 2.
Reuse TCP connection 1 and TCP connection 2 for data communications.
The port forwarding client here provides the SSL VPN client function, and is only called by this name in
order to emphasize its port forwarding service.
7.4.2 Preparatory Stage
1.
Log in to the SSL VPN
This process has already been introduced in 7.1.2 SSL VPN Use Scenarios and will not
be elaborated upon further here.
In addition, everyone needs to be aware that in the above sections I've focused on URLs
in beginning my analysis, but our analysis of port forwarding will be different. Although
we've once again logged in to the virtual gateway, because this is non-Web application
access, the Web is no longer used for the corresponding resource access, and instead
other applications, such as Putty (a Telnet/SSH tool), Filezilla (an FTP tool), and
Foxmail (an email program) are used. This gives rise to a question-- how does a
non-Web application make use of an already logged-in SSL VPN connection?
2.
The port forwarding client enters the "listening" state.
275
Learn Firewalls with Dr. WoW
It would seem that using a non-Web application for data access shouldn't involve an SSL
VPN, but in reality, the key technological point of port forwarding is displayed here:
after a user uses the Windows operating system's IE browser to log in to the virtual
gateway, their local PC's IE browser will automatically run the port forwarding client
(Active X control). The role of this client is to constantly "listen" to all requests from
other programs (making the client an 'All-Hearing Listener'; we'll call it the 'Listener' at
times below), "intercept" requests remote users send to the internal server at important
moments, and then send these to the virtual gateway over the SSL connection. Of the
requests it "listens to", the Listener doesn't unilaterally choose which requests to
intercept, but instead strictly implements the instructions given to it by its 'superior
officer', the virtual gateway. Now, what orders are given?
The port forwarding resource configured above is actually the order issued to the port
forwarding client by the virtual gateway: "if a user wants to access this resource, please
assist them in completing their access tasks." In the port forwarding function, the orders
given are the destination host IP address+destination port, and only the aforesaid
information can identify the application information the remote user wants to access.
As shown in Figure 7-22, after a remote user manually enables the port forwarding
function, the port forwarding client will automatically request resource information from
the virtual gateway. The resource information successfully requested by the client will be
saved in the memory of the remote user's PC, and the client will wait for further orders,
to aid in subsequent selection of which requests are to be "intercepted."
Figure 7-22 Port forwarding—initiation
So that the internal server address is not disclosed, specific resource information cannot be
viewed on the port forwarding client, and the resources in the menu can't be directly clicked
on and thus serve only a simple notification role.
7.4.3 Telnet Connection Establishment Stage
1.
Accurate interception by the Listener and display of its proxy abilities
The Listener's 'mind' is now clear as to which requests it needs to "intercept", and the
next thing to do is to use its 'ears' and listen to the content it is concerned with. When a
user uses Telnet to request a connection to 10.1.1.1's port 23 (a TCP SYN packet), the
Listener discover that this matches the resource information (destination IP+destination
address) issued by its commanding officer (the virtual gateway), and immediately
"intercepts" this TCP SYN packet. If the normal method was used, at this time the
request packet would be sent to the virtual gateway by the Listener per its duty, but here
the Listener considers that if this is sent to the virtual gateway without further processing,
this will result in every Telnet request (that is, every TCP connection) correspondingly
establishing a new SSL connection, which would not only occupy too many system
resources, but also delay response speed.
276
Learn Firewalls with Dr. WoW
In order to conserve the virtual gateway's session and memory resources and improve
user experience, the Listener decides to first disguise itself as the receiver, and simulate
reception of a Telnet service request (TCP connection) to determine exactly what kind of
resources the user wants to access—the strategy it is using here is a centralized proxy
method that seeks a one SSL connection solution to lessen the pressure on its superior
officer (the virtual gateway). How can receipt of Telnet services be simulated? And how
can centralized proxy services be provided? The Listener, this outstanding proxy, has an
ingenious plan:
After the port forwarding client receives a Telnet request, it modifies the packet,
changing the original request that was to be sent to 10.1.1.1 to being sent to itself
(127.0.0.1). This is equivalent to substituting itself in place of the Telnet server in
receiving the request. However, a simulation is still just a simulation, and at the same
time as the simulation it must record the corresponding pre-modification and
post-modification relationship, so that it can subsequently reply to the real user
(4.1.64.179) in place of the Telnet server.
The port forwarding client establishes TCP Connection 1 (also called the local loopback
connection) with itself. Use of the netstat command provides the following verification
of this:
C:\> netstat -anp tcp
Active Connections
Protocol Local address
TCP
127.0.0.1:1047
TCP
127.0.0.1:1047
TCP
127.0.0.1:7319
2.
External Address
Status
0.0.0.0:0
LISTENING
127.0.0.1:7319
ESTABLISHED
127.0.0.1:1047
ESTABLISHED
Creating a private packet header, and submitting the "port forwarding service
request form".
After the simulated receipt of a Telnet service request, the port forwarding client has a
complete understanding of the user's request, and needs to complete the "port forwarding
service request form" and submit this to it's the virtual gateway in accordance with
procedural requirements. The service request form must include the destination address
(10.1.1.1) and port (23) requested by the user, as well as a command word (to establish a
connection, transfer data packets, or close the connection, etc.) so that the virtual
gateway can carry out further processing.
Here we need to note that as the port forwarding client itself simulated the receiver's
establishment of TCP Connection 1, there must be a marker (TCP Connection 1's socket
ID, called the client socket ID) in the service request form of this TCP Connection. Only
in this way can the port forwarding client use the marker to find TCP Connection 1 when
the superior officer returns the results, and then send the return results to the
corresponding Telnet client.
The port forwarding service request form is called a private packet header (or
simply a private header) during the port forwarding service, as shown in Table 7-6.
Here, we'll only look at Telnet request connection packets, and will explain the primary
fields in the private packet header. In the Telnet connection establishment stage the
packet's payload is empty, so during transmission there is only a private packet header;
the packet doesn't have a payload until the data transfer stage.
277
Learn Firewalls with Dr. WoW
Table 7-6 Port forwarding private packet header
Field Name
Field Details
User ID
Marks the user's identity, and is automatically assigned for the user
by the virtual gateway. This can be understood to be the No. of the
port forwarding service request form.
Command word
Open- create a new connection
Data- data command
Close-close connection
Service type
Port forwarding
Web-Link
Web-Link is actually HTTP/HTTPS's port forwarding service. Or to
put things another way, Web-Link resources can likewise also be
configured as port forwarding resources. But please remember that a
well-known port does not need to be designated for Web-Link
resources, for example http://www.huawei.com/, but in configuring
port forwarding the port number is mandatory, for example, HTTP's
well-known port number 80 and HTTPS's 443.
Source IP Address
The source IP address for the original request. In this example this is
the remote user's client address: 4.1.64.179.
Destination IP
address.
The destination IP address from the original request. In this example
this is the internal network's Telnet address: 10.1.1.1.
Protocol type
At the moment only TCP is supported.
Destination port
The destination port in the original request. In this example this is the
internal network Telnet port 23.
Client socket ID.
The socket ID used to establish a connection between the remote user
and the firewall. This is used to identify this session; subsequent
packets will continue to use this socket ID.
Server socket ID
The socket ID used to establish a connection between the firewall
(serving as the Telnet client) and the internal server. This has the
same role as the client socket ID—both are used to identify the
session.
After being completed, the "port forwarding service request form" is encrypted and sent
to the virtual gateway using the SSL connection.
It is important to note that what it is established here is an SSL connection specially used
for the port forwarding service, not the SSL connection that was established during login.
When Telnet initiates similar access requests to other resources, and after it establishes a
new TCP connection, the port forwarding client will also again complete a "port
forwarding service request form", and send it via this SSL connection. In this way, an
exclusive SSL connection will always be maintained between the client and virtual
gateway. To summarize, all "port forwarding service request forms" will be sent first to
this SSL connection, and will then be sent to the virtual gateway after encryption, greatly
reducing the virtual gateway's workload.
3.
Establishing a connection between the virtual gateway and the internal server
278
Learn Firewalls with Dr. WoW
The virtual gateway receives the encrypted packet, decrypts it, and obtains the real Telnet
destination IP address and port, the command key and other information from the "port
forwarding service request form". At this point, the virtual gateway will serve as the
Telnet client and interact with the internal server to establish a Telnet connection. A
check of the firewall's session table shows that the firewall randomly enabled port 10010
to initiate an access request to 10.1.1.1:23, establishing TCP connection 2:
telnet VPN:public --> public 10.1.1.2:10010-->10.1.1.1:23
4.
The server on the internal network returns a reply to the Telnet client.
The virtual gateway receives the internal server's response packet (login interface), and
before sending it to the remote client, the virtual gateway will still construct a private
packet header, and fill in TCP Connection 2's socket ID (the server socket ID); this
allows it to establish a relationship with TCP Connection 1. Finally, the virtual gateway
sends the SSL encrypted private packet header +data to the port forwarding client; the
port forwarding client finds TCP Connection 1 based upon the client socket ID in the
private header, then finds the Telnet client's real IP address, and finally returns the real
data.
SSL-decrypted data received by the port forwarding client is shown below. In the portion
highlighted in the screenshot, the login page's text can already be vaguely seen (this is
the Telnet data packet), and the content in the upper part is the private header's content.
7.4.4 Data Communication Stage
Subsequent Telnet data packets will continue to use the previously established TCP
Connection 1 and TCP Connection 2, and will associate the two connections using private
packet headers, finally opening a Telnet client- port forwarding client- virtual gateway-Telnet
server transmission channel, allowing for data communication to be achieved.
The introduction to the port forwarding process of Telnet concludes here. Telnet is only a
single channel protocol, the simplest kind of protocol. In addition to this, port forwarding also
supports the following types of applications:
Multi-channel protocols, supporting FTP and Oracle SQL Net. During actual
configuration, only the control channel's port 21 needs to be designated for the FTP
protocol; negotiated data ports will be passively "listened" to, and additional
configuration is not required.
279
Learn Firewalls with Dr. WoW
Multi-protocol applications. Some applications require the support of multiple protocols.
Take email for example: prior to configuring the port forwarding service, the port
numbers of the sending protocol (SMTP:25) and the receiving protocol (POP3:110 or
IMAP:143) must be configured, as must a port forwarding resource for each type of
protocol.
Multi-IP fixed port applications. Using IBM Lotus Notes as an example, its
corresponding databases are on multiple servers, however, when providing external
service, only the 1352 port is used. When configuring port forwarding for this type of
application, we do not need to specify all servers. Instead, we can simply select "Any IP
address" from "Host address type".
In real-world scenarios, the configuration and use of port forwarding is extremely simple (of
course it is— this is an SSL VPN feature after all!), but what you don't see is how much
behind-the-scenes work goes into creating this marvelous functionality. You may not use such
abstract content frequently, but just trust that when the need does arrive, my words will appear
again and help you discover ways to improve your VPN connection even further.
7.5 Network Extension
There is an old saying that goes "everything has its place; each has their own abilities." SSL
VPN's four major services are similar: to access Web resources you need to use the Web
proxy service; to access file resources you need to use the file sharing service, etc. With this in
mind, I'm sure there will be a few questions, such as: "In what scenarios will the network
extension that you're speaking about today be used?" "What are its working principles?" Why
is this service called "network extension"? Perhaps you have even more questions, but it's
alright, as I'll explain these questions one by one in this section.
7.5.1 Network Extension Use Scenarios
Figure 7-23 is a scenario in which a remote user is accessing the internal network resources of
a company. Specifically, the remote user needs to access the company's internal voice server
(SIP server) to participate in a teleconference. Can SSL VPN's first three services meet this
kind of need?
Figure 7-23 Network extension use scenario
Enterprise HQ
Web server
FTP server
SSL VPN
Mail server
Switch
Firewall
Remote
user
SIP server
280
Learn Firewalls with Dr. WoW
Let's analyze this first. The remote user wants to access the voice server. SIP, which is layered
on top of UDP, will be used in the communication between the two. Web proxy and file
sharing enable remote users to access Web and file resources, but not voice resources. Can the
port forwarding service resolve this problem? The answer is also no. The reason is that port
forwarding applies to only TCP-based application protocols. But SIP is generally a
UDP-based protocol, and so the port forwarding service is helpless in accomplishing this. Is it
possible that SSL VPN can't aid in accomplishing even this need? Of course not, they can, but
they need to use the network extension service that we are discussing today.
Initiating the network extension service on a firewall is of large value here, as the network
extension service can meet the remote user's need to access all IP resources on the company
internal network, and the SIP-based voice resource mentioned above is a kind of IP resource.
Perhaps some readers don't have a very deep understanding regarding what we mean by
saying that network extension allows remote users to access all IP resources on company
internal networks, and so I've used Figure 7-24 to further my explanation.
Figure 7-24 Network extension's position in the layers
NMS, ERP, telephone
conference system...
OA system,
email, financing
Web proxy
File sharing
HTTP, FTP, Telnet,
SMB, SMTP...
SIP, SNMP, TFTP,
NFS, DHCP, DNS...
Port
forwarding
TCP
UDP
UDP
Network
extension
IP
User service
systems
Application-layer
protocols
Transport-layer
protocols
Network-layer
protocol
From the above figure it can be seen that the user has many kinds of service systems, and
indeed there are too many to review separately. But if we dig several layers deeper, we'll
discover that regardless of how many service systems the user has at the upper layers, they
still need to rely on lower layer protocols to provide communication support for them—it's
just that the lower-layer protocol types used by different service systems are different.
The application layer protocols supported by Web proxies and file sharing are very specific.
For example, Web proxy can only support HTTP-based applications; file sharing only
supports SMB and NFS applications; and port forwarding supports all TCP-based applications.
However, having the port forwarding service doesn't mean the SSL VPN can do everything:
for example, the port forwarding service is in over its head when it encounters some
UDP-based applications (for example the SIP protocol used by the user's teleconference
system). If we want to enable SSL VPN to support more user applications, this requires that
we provide protocol support at the layer below this, and network extension is exactly this kind
of function: it offers complete support directly at the IP layer. Therefore, the network
extension service is able to provide even more varied types of resources to remote users.
7.5.2 Network Extension Process
When a remote user uses the network extension function to access internal network resources,
the internal exchange process involved is shown in Figure 7-25.
281
Learn Firewalls with Dr. WoW
Figure 7-25 Network extension process
Address pool
Start add 192.168.1.1
End add 192.168.1.100
SSL VPN
Server
10.1.1.2
GE0/0/1
10.1.1.1
GE0/0/2
Firewall 1.1.1.1
Remote user
(Public IP address: 6.6.6.6)
Log in to the virtual
gateway
1
Deliver IP addresses and
routes
2
Virtual NIC
(192.168.1.1)
Physical port
(6.6.6.6)
5
Decrypted IP packet
Response packet
Encrypted IP packet
6
Encrypted response packet
4
IP packet
Response
packet
3
7
2.
The remote users logs in to the virtual gateway using an IE browser.
3.
After the remote user successfully logs in to the virtual gateway, he/she enables the
network extension function.
When the remote user enables the network extension function, it will trigger the
following actions:
a.
A new SSL VPN tunnel will be established between the remote user and the virtual
gateway.
b.
The remote user's local PC will automatically generate a virtual network card. The
virtual gateway randomly selects an IP address from the address pool, and assigns
the address to the remote user's virtual network card for the communication
between the remote user and the company internal network. With this private IP
address, the remote user can conveniently access internal network IP resources just
as if they were a user in the company internal network.
c.
The virtual gateway issues routing information for reaching the internal server to
the remote user.
4.
The remote user sends a service request packet to the company internal network's server.
This packet reaches the virtual gateway through the SSL VPN tunnel.
5.
After receiving the packet, the virtual gateway decapsulates it, and then sends the
decapsulated service request packet to the internal server.
6.
The internal server responds to the remote user's service request.
7.
After arriving at the virtual gateway, the response packet enters the SSL VPN tunnel.
8.
After the remote user receives the service response packet, it decapsulates the packet to
extract the service response packet within.
282
Learn Firewalls with Dr. WoW
The above is the basic process of a remote user utilizing the network extension service to
access company internal network IP resources. If we compare network extension with the
other three SSL VPN services, it's not hard to see that the mechanisms by which these three
services (Web proxy, file sharing and port forwarding) are accomplished are largely the same
as each other—they map the enterprise network's internal resources onto the firewall, and
these are then presented for viewing to the remote user by the firewall. From this perspective,
the firewall is simply a piece of secure proxy equipment, and the remote user hasn't actually
connected into the company internal network.
However, network extension is different. During the network extension service, the remote
user obtains a company internal private network IP address from the firewall, and uses this IP
address to access the enterprise network's internal resources. When an Internet user possesses
the company private IP address, it is as if the user itself is located inside the enterprise
network. Or, to switch our perspective, this is equivalent to the borders of the enterprise
network being extended to the remote user's location. The area surrounded with gray dashes in
Figure 7-26 can be understood to be the extension of the enterprise network onto the Internet,
so it's not hard to understand why this service is called network extension.
Figure 7-26 Network extension schematic
Remote user
Extended enterprise network
Enterprise network
Firewall
Remote user
Remote user
To allow us to further understand the internal implementation mechanisms for network
extension, I will use the aforesaid exchange process and add in an explanation of the
principles behind encapsulation and decapsulation of service request packets entering the
VPN tunnel and packets emerging from the VPN tunnel.
7.5.3 Reliable Transport Mode and Fast Transport Mode
There are two methods by which the network extension function can establish an SSL VPN
tunnel: reliable transport mode and fast transport mode. In reliable transport mode, the SSL
VPN uses SSL to encapsulate packets, and uses TCP as the transport protocol; in fast transport
mode, the SSL VPN uses the QUIC (Quick UDP Internet Connections) protocol to
encapsulate packets, and uses UDP as the transport protocol. QUIC is also a TLS/SSL-based
data encryption protocol, and its role is the same as SSL, except that packets encapsulated by
it need to be transported using UDP.
Figure 7-27 displays the use of reliable transport mode for packet encapsulation. From the
figure it can be seen that the source address (SRC: 192.168.1.1) for communication between
the remote user and the company internal network (the SIP Server) is its virtual gateway
card's IP address. Packets being exchanged in the process safely reach the two communicating
parties following repeated encapsulation and decapsulation. When the remote user accesses
283
Learn Firewalls with Dr. WoW
the SIP server, the source port for the inner packet layer is 5880 (random), the destination port
is 5060, and the transport protocol UDP. The encapsulation protocol used for the outer packet
layer is SSL, and the transport protocol is TCP.
Figure 7-27 Packet encapsulation process when using reliable transport mode
Address pool
Start add 192.168.1.1
End add 192.168.1.100
GE0/0/1
10.1.1.1
SIP server
10.1.1.2
Firewall
GE0/0/2
1.1.1.1
Remote user
(Public IP address: 6.6.6.6)
(Virtual NIC address: 192.168.1.1)
SSL VPN tunnel
IP
UDP
SIP
SRC:192.168.1.1 SRC Port: 5880 Request
DST Port: 5060 DATA
DST:10.1.1.2
IP
UDP
SIP
SRC:192.168.1.1 SRC Port: 5880 Request
DST Port: 5060 DATA
DST:10.1.1.2
4
Service request packet
(SSL decapsulation)
IP
SIP
UDP
Reply SRC Port: 5060 SRC:10.1.1.2
DATA DST Port: 5880 DST:192.168.1.1
5 Service response packet
SSL
TCP
SRC Port: 6293
Encrypt
DST Port: 443
IP
SRC: 6.6.6.6
DST: 1.1.1.1
3
Service request packet
(SSL encapsulation)
IP
SIP
UDP
Reply SRC Port: 5060 SRC:10.1.1.2
DATA DST Port: 5880 DST:192.168.1.1
TCP
IP
SSL
443 SRC: 1.1.1.1
Encrypt SRC Port: 6293
DST: 6.6.6.6
DST Port:
Service response packet
6 (SSL encapsulation)
Figure 7-28 shows the process of using fast transport mode to encapsulate packets. The packet
encapsulation principles in this mode are the same as those in the reliable mode, with the
difference that the outer layer packet encapsulation protocol has been changed from SSL to
QUIC, and the transport protocol has been changed from TCP to UDP.
284
Learn Firewalls with Dr. WoW
Figure 7-28 Packet encapsulation process when using fast transfer mode
Address pool
Start add 192.168.1.1
End add 192.168.1.100
GE0/0/1
10.1.1.1
GE0/0/2
1.1.1.1
Remote user
(Public IP address: 6.6.6.6)
(Virtual NIC address: 192.168.1.1)
Firewall
SIP server
10.1.1.2
SSL VPN tunnel
IP
UDP
SIP
SRC:192.168.1.1 SRC Port: 5880 Request
DST Port: 5060 DATA
DST:10.1.1.2
IP
UDP
SIP
SRC:192.168.1.1 SRC Port: 5880 Request
DST Port: 5060 DATA
DST:10.1.1.2
IP
SRC: 6.6.6.6
DST: 1.1.1.1
Service request packet
3 (QUIC encapsulation)
4 Service request packet
(QUIC decapsulation)
IP
SIP
UDP
Reply SRC Port: 5060 SRC:10.1.1.2
DATA DST Port: 5880 DST:192.168.1.1
5 Service response packet
QUIC
UDP
SRC Port: 54013
Encrypt
DST Port: 443
IP
SIP
UDP
Reply SRC Port: 5060 SRC:10.1.1.2
DATA DST Port: 5880 DST:192.168.1.1
UDP
IP
QUIC
SRC: 1.1.1.1
Encrypt SRC Port: 443
6.6.6.6
DST Port: 54013 DST:
6
Service response packet
(QUIC encapsulation)
In unstable network environments, reliable transport mode is the suggested mode; however,
when the network environment is relatively stable, fast encapsulation mode is suggested, as
this improves data transmission efficiency.
7.5.4 Configuring Network Extension
The configuration of the network extension service can be divided into the following steps:
1.
Create a virtual gateway.
2.
Under the virtual gateway, create and configure the authentication method for remote
users and configure role authorization.
3.
Configure the network extension service.
Figure 7-29 shows the detailed configuration page.
285
Learn Firewalls with Dr. WoW
Figure 7-29 Configuring network extension
The network extension service only requires two IP address segments to be configured; there
are few items to be configured, so this is very simple. However, selecting these two IP address
segments is complicated.
Parameter 1: The range of the IP address pool
In the theoretical section above, I explained that after a remote user enables the network
extension function, the virtual gateway will assign an IP address to the remote user's virtual
network card, but where does this address come from? Clever readers have probably already
guessed that this is randomly selected from the address pool we are about to configure.
This address pool is designated by the network administrator. When designating the address
pool it is important to pay attention to the relationship between this address pool's network
segment and the internal network's segment. If this address segment is configured on the same
subnet as the internal network segment 10.1.1.2, then after the remote user obtains this
address assigned by the virtual gateway, it will be as if the remote user and the internal server
were connected together by a Layer 2 switch—the remote user will be able to directly access
the server, and so there will be no issues with routing. If the address pool and the internal
server are not in the same network segment here (in the example they aren't in the same
network segment), then a route with a destination address being the address pool network
segment (192.168.1.0) and an outgoing interface being a public interface linked to the
Internet needs to be configured on the firewall. This route is only used for determining
relationships between security zones and is not used for packet forwarding.
[FW] ip route-static 192.168.1.0 255.255.255.0 GigabitEthernet0/0/2 1.1.1.2
Additionally, if a server (such as a DHCP server, a third party authentication server, etc.)
dedicated to assigning IP addresses to users has been set up inside a company, this will be
acceptable so long as the address pool used in network extension does not conflict with the
address segments assigned by the server—each can assign their own IP addresses without
affecting each other.
Parameter 2: List of accessible internal network segments
I stated above that a remote user that enables network extension can access all IP resources in
a company internal network, but if this is true, why is there still an "accessible internal
network segment"? This is ultimately done for control, as if we don't configure this parameter,
remote users will be able to access all resources on the internal network by default; we add
this function for access control.
286
Learn Firewalls with Dr. WoW
Whether or not we configure this parameter not only affects the scope to which users can
access the company internal network, but also affects other network statuses for the remote
user.
If the "accessible internal network segment" is configured as 10.1.1.0 for network
extension, then the virtual gateway will send a specific route to the remote user's PC,
with the destination address being the internal network segment 10.1.1.0 and the
outgoing interface being the virtual gateway card's address (the company internal
network's private IP address 192.168.1.1 obtained by the remote user)
C:\> route print
IPv4 Routing Table
===========================================================================
Active routes:
Network Destination
Netmask
Gateway
Interface
Metric
0.0.0.0
0.0.0.0
10.111.78.1
10.111.78.155
10
10.1.1.0
255.255.255.0
On-Link
192.168.1.1
1
10.1.1.255
255.255.255.255
On-Link
192.168.1.1
257
If the "accessible internal network segment" parameter is not configured for network
extension, what would the remote user's route be like? In the below table we can see that
the virtual gateway has sent a default route to the remote user, and that the outgoing
interface is the virtual network card's address (the company internal network's private IP
address 192.168.1.1 obtained by the remote user)
C:\> route print
IPv4 Routing Table
===========================================================================
Active Routes:
Network Destination
Netmask
Gateway
Interface
Metric
0.0.0.0
0.0.0.0
On-Link
192.168.1.1
1
Don't underestimate the differences between the two kinds of routes shown just above. When
configuring "the accessible internal network segment", the virtual gateway only issues a route
to some company internal network segments to the remote user, and this route will not affect
other routes. This is to say that if the remote user wants to access the company internal
network, he/she can access the company internal network, and if the remote user wants to
access the Internet, he/she can access the Internet—this kind of access will not be affected at
all, meaning that the user can accomplish whatever should be accomplished.
If we choose not to configure this parameter then problems arise. Normally a remote user's
route for accessing the Internet is the default route, but now the virtual gateway is sending
another default route, and this default route sent by the virtual gateway has the highest priority
(the hop count is 1). This will make the remote user's original default route invalid, meaning
that the remote user will have no way to access the Internet. If the remote user must access the
Internet, then he/she can only temporarily disconnect from the network extension connection,
and then re-enable network extension when they want to access the internal network.
Therefore the choice of which network extension configuration method to choose depends
upon the corporate user's needs.
Configuration of the network extension service has been completed, and below we'll look at
how the remote user should use the network extension function to access internal network
resources.
287
Learn Firewalls with Dr. WoW
7.5.5 Login Process
The SSL VPN network extension function provides remote users with two kinds of paths to
access the internal network—one uses the IE browser, and the other uses an independent
network extension client.
IE Browser
a.
The remote user inputs the virtual gateway's access address into the IE browser's
address bar.
b.
After the virtual gateway's login interface appears, the remote user enters the user
name and password.
c.
Users who have successfully logged in can see the Network Extension tab on the
virtual gateway's resource page, and can click Start under Network Extension. As
shown in Figure 7-30, the remote user will obtain the company internal network IP
address assigned to it by the virtual gateway, and in this way can directly access the
company's internal network resources.
Figure 7-30 Network extension—initiation
When introducing the principles of packet encapsulation, I mentioned that the
establishment of an SSL VPN tunnel is divided into two modes (reliable transport and
fast transport), and the default mode when establishing the SSL VPN tunnel between
the IE browser and the virtual gateway is the fast transport mode.
Independent client
a.
The remote user downloads and installs the network independent extension client
After the remote user successfully logs in to the virtual gateway, he/she then clicks
user options in the upper right corner of the interface, after which the network
extension client download link can be seen, as shown in Figure 7-31. Installation is
very simple—all that needs to be done is to follow the instructions in clicking Next.
Figure 7-31 Downloading the network extension client software
288
Learn Firewalls with Dr. WoW
The advantage of using the independent client is that the network extension client
can initiate automatically when a device turns on, and can automatically reconnect
when a connection is lost. On the other hand, when using the IE browser method,
the virtual gateway must be logged in to each time, which is relatively cumbersome.
b.
Log in to the virtual gateway.
URL: virtual gateway address
User and Password: the virtual gateway login user name and password assigned to
the remote user by the administrator.
As shown in Figure 7-32, by clicking Login, the remote user can access internal
network resources in the same way as internal network users.
Figure 7-32 Logging in to the virtual gateway
When using the independent client to establish an SSL VPN tunnel, the tunnel establishment
mode can be configured. On the login interface, click Option. A choice can then be made in
Tunnel to use either the reliable transfer mode or the fast transfer mode. Within Tunnel Mode
there is also a Auto-sensing mode, meaning that the client will automatically select whether
to use reliable transfer mode or fast transfer mode to establish the SSL VPN tunnel according
to network conditions.
If the network extension function has already been enabled, how can the remote user
determine if their network extension function is working? Two methods can be used here.
First, the ipconfig command can be used to look at whether the remote user has obtained the
private IP address assigned by the virtual gateway. According to the above example, if, after
network extension is enabled, you as a remote user obtain an IP address within the
192.168.1.0 network segment, then congratulations! You've already successfully connected
into the enterprise's internal network.
The second method is for the remote user to test and see whether or not they can access the
company internal network's resources.
289
Learn Firewalls with Dr. WoW
We frequently encounter the following circumstance: a remote user has already obtained the
IP address assigned by the virtual gateway, but cannot access internal network resources. Why
is this? There are generally two reasons why this kind of situation occurs:
The first is that the remote user did not have service permissions to access this internal
network resource (for example R&D staff not having permissions to access the finance
system);
The second is that when we configured network extension, the network segment in
which the internal network resource(s) the remote user wants to access is located was not
included in the "accessible internal network segment."
These two problems are easily resolved. Either the remote user applies from the network
administrator for service permissions or the network administrator check the firewall to verify
whether the internal network resources have all been added.
7.6 Configuring Role Authorization
In SSL VPN services, the company administrator can create different "special menus" for
different users to control access to Web and non-Web resources. On Huawei's firewalls,
control over different users' access to resources is completed through role authorization. All
users of one role have the same permissions. The administrator can add users or user groups
with the same permissions into a role, and then associate accessible service resources with
that role.
Figure 7-33 shows that a role can contain multiple users/usere groups, and can also be
associated with multiple service resources.
Figure 7-33 Relationship between role and user/user group and resources
As
re soc
so i a
ur tin
ce g
sw
www.abc.com
ith
usera
ro
les
Role
rs/
use s
g
n
i
le
Add s to ro
p
u
o
gr
Employee
www.def.com
Employee group
master
Manager
\\10.1.1.1\a
Manager
\\10.1.1.2\b
The specific controls that can be associated with these roles are as follows:
Service authorization (enable)
290
Learn Firewalls with Dr. WoW
Specifies the services (such as Web proxy, file sharing, port forwarding and network
extension) that users within a role can use.
Resource authorization
For the Web proxy, file sharing, and port forwarding services, assuming the service has
already been enabled, this specifies the resources that can be accessed. If no resource is
specified, users within the role will be unable to access any resources.
For the network extension service, assuming the service has already been enabled,
user-based security policies can be used to control the access of remote users to
resources. For details, see 7.7.2 Configuring a Security Policy in a Network Extension
Scenario.
According to the above approach, we've created different roles (usera and master) for ordinary
employees and managers, and then specified different resources for them. In this way we can
achieve finely granular, role-based resource access control.
Figure 7-34 Configuring role authorization
After completing the above configuration, ordinary employees and managers will see their
own respective resource interface after logging in to the virtual gateway, as shown in Figure
7-35.
Figure 7-35 Resource interfaces after user login
Resource page seen by usera after login
Resource page seen by master after login
291
Learn Firewalls with Dr. WoW
7.7 Configuring Security Policies
The approach to configuring SSL VPN security policies is similar to that with IPSec, as we
first configure a relatively permissive security policy on the firewall, to guarantee that SSL
VPN services run normally, and then obtain refined security policy match conditions through
analyzing the session table. For the specific process refer to the introduction in "Chapter 6
IPSec VPN".
Below I'll detail separate security policy configuration processes for two kinds of
scenarios—Web proxy/file sharing/port forwarding scenarios and network extension
scenarios.
7.7.1 Configuring Security Policies for Web Proxy/File
Sharing/Port Forwarding Scenarios
The purpose of configuring security policies in Web proxy, file sharing and port forwarding
scenarios is to achieve network connectivity. To learn more about conducting permission
control over remote user resource access, please refer to the content we introduced above
regarding "resource authorization"
In our example here, an SSL VPN tunnel is established between a remote user and firewall
(here we'll use the file sharing access service as an example), with the remote user accessing
the file server, as shown in Figure 7-36. We'll assume that interface GE0/0/1 of the firewall is
connected to the private network and belongs to the DMZ, and that interface GE0/0/2 is
connected to the Internet and belongs to the Untrust Zone.
Figure 7-36 SSL VPN file sharing
DMZ
Internal
network
SMB server
4.0.2.11/24
Untrust
GE0/0/1
4.0.2.1/24
GE0/0/2
4.1.64.12/24
SSL VPN
Firewall
Remote
user
After the remote user successfully initiates access to the server, the following session table
can be seen on the firewall.
<FW> display firewall session table verbose
Current Total Sessions : 4
https VPN:public --> public ID: a48f3629814102f62540ade7f
Zone: untrust--> local TTL: 00:10:00 Left: 00:09:52
Output-interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:436 bytes:600276 -->packets:259 bytes:32089
4.1.64.179:41066-->4.1.64.12:443 //packet establishing SSL VPN tunnel
https VPN:public --> public ID: a48f3629815b06fd6540ade7f
Zone: untrust--> local TTL: 00:10:00 Left: 00:09:52
Output-interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
292
Learn Firewalls with Dr. WoW
<--packets:291 bytes:395991 -->packets:176 bytes:26066
4.1.64.179:41067-->4.1.64.12:443 //packet establishing SSL VPN tunnel
tcp VPN:public --> public ID: a48f3629818f0c229540ade8d
Zone: local--> dmz TTL: 00:00:10 Left: 00:00:02
Output-interface: GigabitEthernet0/0/1 NextHop: 4.0.2.11 MAC: 78-ac-c0-ac-93-7f
<--packets:5 bytes:383 -->packets:8 bytes:614
4.0.2.1:10013-->4.0.2.11:445
//packet from firewall (serving as the client)
accessing the server
netbios-session VPN:public --> public ID: a58f3629817501ad8a540ade8d
Zone: local--> dmz TTL: 00:00:10 Left: 00:00:02
Output-interface: GigabitEthernet0/0/1 NextHop: 115.1.1.2 MAC: 78-ac-c0-ac-93-7f
<--packets:1 bytes:40
-->packets:1 bytes:44
4.0.2.1:10012-->4.0.2.11:139
//Packet from firewall (serving as the client)
accessing the server
The packets establishing the SSL VPN tunnel trigger the establishment of two identical
sessions. One session is established during login, and one session is established when
accessing service resources.
Analysis of the above session table reveals movement of packets on the firewall, as shown in
Figure 7-37.
Figure 7-37 Packet movement on the firewall
SSL VPN
tunnel
Untrust
DMZ
Local
Remote
user
4.1.64.12
GE0/0/2
GE0/0/1
4.0.2.1
Server
4.0.2.11/24
FW
Packets used to establish an SSL
VPN tunnel
Packets sent from the firewall that
acts as a proxy to the server
From the above figure we learn that an Untrust Zone-->Local Zone security policy needs to
be configured on the firewall to enable the establishment of an SSL VPN tunnel between the
remote user and the firewall; a Local Zone-->DMZ security policy also needs to be
configured to enable the firewall to serve as a proxy for the remote user to access the server.
The security policy configuration approaches for the Web proxy/port forwarding functions are
completely identical with that of file sharing. To summarize, the security policy match
conditions that should be configured on the firewall for the above three functions are as
shown in Table 7-7.
293
Learn Firewalls with Dr. WoW
Table 7-7 Security zone match conditions
Service
Direction
Source
Security Zone
Destination
Security
Zone
Source
Address
Destination
Address
Application (Protocol +
Destination Port)
Remote
user access
to the server
Untrust
Local
ANY
4.1.64.12/32
TCP+443*
Local
DMZ
ANY**
4.0.2.11/24
TCP+139
TCP+445***
*: The port used by the device should be determined based upon actual circumstances.
**: For the USG6000 family of firewalls, although the source address displayed in the session table is the
interface's private IP address, however, during actual configuration, the source address must be set to ANY. For
the USG 2000/5000 families of firewalls, the source address can be set to the interface's private IP address
during actual configuration.
***: The file sharing service is used as an example here; if this is the Web Proxy or port forwarding service,
please determine this in accordance with actual circumstances.
7.7.2 Configuring a Security Policy in a Network Extension
Scenario
The purpose of configuring a security policy in network extension scenarios is to achieve
network connectivity and control the access of remote users to resources.
In the below example, an SSL VPN tunnel is established between the remote user and the
firewall, and the network extension service is used to access the company internal network's
server. We'll assume that on the firewall, interface GE0/0/1 is connected to the private
network and belongs to the DMZ, and that interface GE0/0/2 is connected to the Internet and
belongs to the Untrust zone.
In network extension, whether or not the server and the virtual gateway address pool are in the
same network segment affects the security zones traversed by service packets, and therefore
the configuration of inter-zone security policies needs to be divided into the following two
circumstances for discussion.
The server and the virtual gateway address pool are in the same network segment:
Figure 7-38 shows network diagram when the server and the virtual gateway address
pool are in the same network segment.
294
Learn Firewalls with Dr. WoW
Figure 7-38 Network extension scenario with the server and the virtual gateway address pool in
the same network segment
DMZ
Address pool
Untrust
Public IP address:
6.6.6.6
Start add 10.1.1.10
End add 10.1.1.100
Remote
user
SSL VPN
Server
10.1.1.2
GE0/0/1
10.1.1.1
Firewall
GE0/0/2
1.1.1.1
Routing table
Direct route
(destination network) (outbound interface)
10.1.1.10
GE0/0/1
Private IP address:
10.1.1.10
DMZ
The server and the virtual gateway address pool being in the same network segment
means that a remote user who has obtained the private IP address is in the same network
segment as the server. Of course, they are also in the same security zone—the DMZ.
After the remote user's access to the server through network extension is successful, we
can verify this conclusion on the firewall's session table:
<FW> display firewall session table verbose
Current Total Sessions : 3
https VPN:public --> public ID: a48f3fc25ef7084f654bfcacd
Zone: untrust--> local TTL: 00:00:10 Left: 00:00:02
Output-interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:10 bytes:2577 -->packets:9 bytes:804
6.6.6.6:50369-->1.1.1.1:443
//packet establishing SSL VPN tunnel
icmp VPN:public --> public ID: a58f3fc25f2b05940054bfcb3f
Zone: dmz--> dmz TTL: 00:00:20 Left: 00:00:13
User: huibo
Output-interface: GigabitEthernet0/0/1 NextHop: 10.1.1.2 MAC:
00-22-a1-0a-eb-7d
<--packets:3 bytes:180 -->packets:4 bytes:240
10.1.1.10:1-->10.1.1.2:2048
//raw packet from remote user accessing the
server
https VPN:public --> public ID: a58f3fc25f1107f81954bfcace
Zone: untrust--> local TTL: 00:10:00 Left: 00:09:55
Output-interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:34 bytes:4611 -->packets:44 bytes:14187
6.6.6.6:58853-->1.1.1.1:443
// packet establishing SSL VPN tunnel
The packets establishing the SSL VPN tunnel trigger the establishment of two identical
sessions: one is established during login, and one is established when initiating network
extension.
Packet movement on the firewall can be obtained by analyzing the above session table,
as shown in Figure 7-39
295
Learn Firewalls with Dr. WoW
Figure 7-39 Packet movement on the firewall when the server and the virtual gateway address
pool are in the same network segment
Untrust
GE0/0/1
GE0/0/2
DMZ
Local
Remote user
1.1.1.1
Public IP address: 6.6.6.6/24
Virtual NIC address: 10.1.1.10/24
Server
10.1.1.2/24
FW
Packets used to establish an SSL
VPN tunnel
Original packets sent from the
remote user to the server
From the above figure we can learn that an Untrust-->Local security policy needs to be
configured to permit the establishment of an SSL VPN tunnel between the remote user
and the firewall; a DMZ-->DMZ security policy also needs to be configured so that
service packets can pass (USG6000 series firewalls' default settings do not permit packet
movement within security zones, so this security policy needs to be configured. USG
2000/5000 series firewalls do not have this restriction.)
In summary, the security policy match conditions that should be configured on the
firewall are shown in Table 7-8.
Table 7-8 Security policy match conditions
Service
Direction
Source
Security
Zone
Destination
Security Zone
Source
Address
Destination
Address
Application (Protocol
+ Destination Port)
Remote
user access
to the
server
Untrust
Local
ANY
1.1.1.1/32
Reliable transport mode
TCP+443
Fast transport mode
TCP+UDP+443*
DMZ
DMZ
10.1.1.0/24
10.1.1.2/32
***
(this is the
network
segment of
the virtual
network card
address
pool)**
*: The port used by devices should be determined based on actual circumstances. The above is an example of
the remote user using the reliable transport mode to establish an SSL VPN tunnel. When a tunnel is established
using the fast transport mode, a UDP session will still be generated between the Untrust-->Local zones, and this
application needs to be configured in the security policy at this time.
**: In addition to the source address, the USG6000 series of firewalls also support user-based security policies,
and can use a remote user's user name as a match condition to configure the security policy. As compared to the
296
Learn Firewalls with Dr. WoW
source address, using the user name as the match condition increases visibility and precision.
***: The application here is related to the specific service type, and can be configured according to actual
circumstances. For example, TCP, UDP, ICMP, etc.
The server and the virtual gateway's address pool are not in the same network segment:
Figure 7-40 shows a network in which the server and the virtual gateway address pool
are not in the same network segment.
Figure 7-40 Network extension scenario in which the server and the virtual gateway address pool
are not in the same network segment
Address pool
DMZ
Untrust
Start add 192.168.1.1
End add 192.168.1.100
SSL VPN
GE0/0/1
Server
10.1.1.2
Remote user
GE0/0/2
Firewall 1.1.1.1
Routing table
Static route
(destination network) (outbound interface)
192.168.1.0
Public IP address: 6.6.6.6
Private IP address: 192.168.1.1
GE0/0/2
The server and the virtual gateway address pool not being in the same network segment
means that a remote user who has obtained the private network IP address is in a
different network segment from the server, and of course the two are also located in
different security zones. With this being the case, which security zone exactly does the
user belong to?
If there is not a route to the 192.168.1.0/24 network segment on the virtual gateway, it is
impossible for the virtual gateway to determine the source security zone the remote user
belongs to, and it will discard the packets the remote user sends. In order to resolve this
problem, we need to manually configure a route that has the virtual gateway address pool
(network segment 192.168.1.0/24) as its destination address; the outgoing interface can
be chosen by the administrator. This is to say that what this packet's source security zone
is at this time depends upon which outgoing interface is used for this route we are
configuring. We introduced content pertaining to this in 7.5.4 Configuring Network
Extension.
We normally believe that since this packet comes from the Internet, it comes from the
Untrust Zone. Therefore, when we configure routes, we configure the route's outgoing
interface as the public interface GE0/0/2 that is connected to the Internet. Using this
route, the data flow from a remote user accessing the server travels from the Untrust
zone to the DMZ.
After the remote user successfully accesses the server through network extension, we can
verify this conclusion using the firewall's session table.
<FW> display firewall session table verbose
Current Total Sessions : 3
https VPN:public --> public ID: a58f3fe3a31502f49354bfcccf
Zone: untrust--> local TTL: 00:10:00 Left: 00:10:00
Output-interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:36 bytes:4989 -->packets:54 bytes:20751
297
Learn Firewalls with Dr. WoW
6.6.6.6:51668-->1.1.1.1:443
//packet establishing SSL VPN tunnel
icmp VPN:public --> public ID: a58f3fe3a36302f8d854bfcd3d
Zone: untrust--> dmz TTL: 00:00:20 Left: 00:00:20
User: huibo
Output-interface: GigabitEthernet0/0/1 NextHop: 10.1.1.2 MAC:
00-22-a1-0a-eb-7d
<--packets:3 bytes:180 -->packets:3 bytes:180
192.168.1.1:1-->10.1.1.2:2048
//remote packet from remote user accessing
server
https VPN:public --> public ID: a58f3fe3a2fb03e68154bfccce
Zone: untrust--> local TTL: 00:10:00 Left: 00:08:08
Output-interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:6 bytes:2417 -->packets:7 bytes:724
6.6.6.6:51255-->1.1.1.1:443
//packet establishing an SSL VPN tunnel.
Analyzing the above session table gives the packet direction on the firewall, as shown in
Figure 7-41.
Figure 7-41 Packet direction on the firewall when the server and the virtual gateway address pool
are not in the same network segment
Untrust
GE0/0/1
GE0/0/2
DMZ
Local
Remote user
1.1.1.1
Public IP address: 6.6.6.6
Virtual NIC address: 192.168.1.1/24
Server
10.1.1.2/24
FW
Packets used to establish an SSL
VPN tunnel
Original packets sent from the remote
user to the server
As shown in the above diagram, an Untrust-->Local security policy needs to be
configured to permit the establishment of an SSL VPN tunnel between the remote user
and the firewall; an Untrust-->DMZ security policy needs to be configured to guarantee
that service packets can pass.
To summarize, the security policy match conditions that should be configured on the
firewall are shown in Table 7-9.
Table 7-9 Security policy configuration conditions
Service
Direction
Source
Security Zone
Destination
Security
Zone
Source
Address
Destination
Address
Application (Protocol +
Destination Port)
Remote
user access
to the
Untrust
Local
ANY
1.1.1.1/32
Reliable transport mode
TCP+443
Fast transport mode:
298
Learn Firewalls with Dr. WoW
server
TCP+UDP+443*
Untrust
DMZ
192.168.1.0
/24 (this is
the network
segment of
the virtual
gateway
card's
address
pool)**
10.1.1.2/32
***
*: The port used by devices should be determined based on actual circumstances. The above is an example of
the remote user using the reliable transport mode to establish an SSL VPN tunnel. When a tunnel is established
using the fast transport mode, a UDP session will still be generated between the Untrust-->Local zones, and this
application needs to be configured in the security policy at this time.
**: In addition to the source address, the USG6000 series of firewalls also support user-based security policies,
and can use a remote user's user name as a match condition to configure the security policy. As compared to the
source address, using the user name as the match condition increases visibility and precision.
***: The application here is related to the specific service type, and can be configured according to actual
circumstances. For example, TCP, UDP, ICMP, etc.
7.8 Integrated Use of the Four Major SSL VPN Functions
After finishing their review of network extension, most readers will be a bit confused, and
wonder why, if network extension is so powerful, can't we simply use the network extension
service for a user regardless of what type of internal network resource the user wants to
access—why do we still use Web proxy, file sharing, etc.?
This is a key question. SSL VPN' provision of services at so many different layers and
different granularities is to control remote users' access permissions to internal network
systems; in the end this is done for one goal—security. When the network extension service is
used, this means a remote user can access all types of resources in the company internal
network. Although this is quite convenient for the user, this undoubtedly increases
management and control risk for internal network resources. Both meeting user needs and
correctly controlling permissions requires configuring different services for the user according
to the user's needs, thus avoiding the aforesaid problem.
Figure 7-42 shows a hypothetical network scenario in which a certain company has deployed
firewall equipment and provided SSL VPN service for employees on the move.
299
Learn Firewalls with Dr. WoW
Figure 7-42 SSL VPN integrated scenario
OA system Financing system
www.oa.com www.finance.com
Manager
Web servers
File server
(FTP-based)
SSL VPN
Firewall
Mail server
(SMTP-based)
Employee
Voice server
(SIP-based)
Company remote users' needs for access to the internal network and the plan on the firewall
for opening SSL VPN services for employees on the move are shown in Table 7-10.
Table 7-10 SSL VPN service plan
Role
Access Needed
Service
Type
Role Authorization
Ordinary
employees
Access OA
system
Web proxy
Create a www.oa.com resource in the
Web proxy service, and bind this
resource with an ordinary employee or
the group the ordinary employee
belongs to.
Use the company
email system to
send and receive
emails
Port
forwarding
Create an email server resource in the
port forwarding service, and bind this
resource with an ordinary employee or
the group the ordinary employee
belongs to.
Access the OA
system and the
finance system
Web proxy
Create two resources-- www.oa.com
(already created) and www.
finance.com—in the Web proxy
service, and bind these resources to a
manager or the group the manager
belongs to.
Access the file
sharing server
File sharing
Create a file server resource in the file
sharing service and bind this resource
with a manager or the group the
manager belongs to.
Use the company
Port
Create a file server resource in the port
Managers
300
Learn Firewalls with Dr. WoW
email system to
send and receive
emails
forwarding
forwarding service, and bind the email
server resource with a manager or the
group a manager belongs to.
Convene
teleconferences
Network
extension
Enable the network extension function,
and configure the voice server's
address into "the accessible internal
network segment", and then bind the
network extension service with a
manager or the manager's group.
Once network service configuration is complete, when users with different roles log in to the
virtual gateway, the service resources they are able to see are also different.
Ordinary employees
After ordinary employees on the move log in to the virtual gateway, they can see the
resource links they are able to access, as shown in Figure 7-43, and then access them by
clicking the links.
Figure 7-43 Ordinary employee login interface
Managers
Figure 7-44 displays the interface for mangers on the move after logging in to the virtual
gateway.
301
Learn Firewalls with Dr. WoW
Figure 7-44 Manager login interface
Of these, Web proxy and file sharing resources are all provided for selection using links. Port
forwarding and network extension can only be used after clicking Start. But how does a
remote user know which of the company's internal network resources they will be able to
access after clicking Start? This requires that the network administrator use other channels,
for example a bulletin, to inform the remote user of the company internal network resource
server domain name and address. In this regard, Web proxy and file sharing are both
advantageous, because when the remote user utilizes these two services, he/she can see which
resources he/she can access from the resources list after logging in to the virtual gateway.
The relationship between a remote user's need to access the company internal network and
what kind of SSL VPN service should be enabled on the firewall can be broken down into two
points.
The resource type (Web resource, file resource, TCP, IP) that the remote user accesses on
the company's internal network determines what kind of SSL VPN service the network
administrator should select.
For example, for a traveling employee who only needs to access Web resources and
email resources, just two services, Web proxy and port forwarding, can be enabled.
302
Learn Firewalls with Dr. WoW
However, if a manager needs to access four types of resources, then this requires that
four types of services be initiated for this user.
It is necessary to state that as network extension has the functionality of the former three
services, to make configuration more convenient, we can also enable only the network
extension service for the manager, allowing the manager to access all of the internal
network's IP resources.
Whether the remote user possesses access permissions to a certain resource is determined
through role authorization configuration.
In order to avoid having to configure services authorization for each and every employee,
we can establish two groups (ordinary employees and managers), add these two types of
employees into the appropriate group, and then simply conduct service authorization for
these two role groups.
For example, if a traveling employee and a manager both enable the Web proxy service,
the traveling employee would only be able to access the OA system (www.oa.com),
while the manager could enjoy access permissions to both the OA system and the finance
system (www.finance.com)—this would have been configured in role authorization.
303
Learn Firewalls with Dr. WoW
8
Hot Standby
In the previous chapters, I, Dr. WoW, explained the basic functions of firewalls for everyone.
These previous lessons of mine concerned configuring functions on a single firewall, however,
in order to increase network reliability, we often need to configure identical functions on two
firewalls so that they can back up for one another. How can this be accomplished?
This requires the use of a major, special function of firewalls that is the focus of this
chapter—hot standby.
8.1 Hot Standby Overview
8.1.1 Dual Device Deployment Improving Network Availability
The dynamic development of mobile working, online-shopping, instant messaging, Internet
finance, online education, and other similar network services has been accompanied by a
relentless increase in both the number and the importance of services on networks. Therefore,
uninterrupted network transmission has become a challenge in urgent need of resolution.
On the left side of Figure 8-1, a firewall has been deployed on an enterprise network's egress
to forward all traffic between the intranet and an external. If the firewall failed, this would
result in the complete severance of traffic between the intranet and external network.
Therefore, if only one device is used in such a key network position, we must accept the risk
of a network interruption due to a single point of failure, regardless of how reliable the device
is.
Therefore, when we design a network architecture, we usually deploy two (dual) or more
devices in key network positions to improve network reliability. On the right side of Figure
8-1, we can see that when one firewall fails, traffic will be forwarded through the other
firewall.
304
Learn Firewalls with Dr. WoW
Figure 8-1 Dual device deployment improving network reliability
Router
Firewall
Switch
Internal network Internal
network user
Internal network
Fault
Traffic
8.1.2 Only Routing Failover Needs to Be Considered in Dual
Router Deployments
If using traditional network devices (such as routers or Layer 3 switches), all that needs to be
done to guarantee reliable service is to configure routing failover on two devices. This is
because ordinary routers and switches don't record packets' exchange state and
application-level information, and simply forward packets according to their routing tables.
An example is provided below to illustrate this.
As shown in Figure 8-2, OSPF runs on the two routers (R1 and R2) and R3 and R4. Under
normal circumstances, because the Ethernet interface's default OSPF cost is 1, from the
perspective of R3, the cost for the link on which R1 is positioned (R3 -> R1 -> R4 -> FTP
server) is 3. And, because we've configured the OSPF cost as 10 for the interfaces on the R2
link (R3 -> R2 -> R4 -> FTP server), from the perspective of R3, the cost of the link on which
R2 is positioned is 21. As traffic will only be forwarded through the link with the lower cost,
traffic between the FTP client and the server will only be forwarded through R1.
305
Learn Firewalls with Dr. WoW
Figure 8-2 Traffic forwarded through the link with the lower routing cost
FTP server
1.1.1.10/24
GE0/0/0
1.1.1.1/24
Cost=1
Eth0/0/0
10.1.3.2/24
Eth0/0/1
10.1.4.2/24
Cost=10
Eth0/0/1
10.1.3.1/24
Eth0/0/1
10.1.4.1/24
R4
R1
Cost=1
R2
Eth0/0/0
10.1.1.2/24
Eth0/0/0
10.1.2.2/24
R3
Eth0/0/0
10.1.1.1/24
Cost=10
Eth0/0/1
10.1.2.1/24
GE0/0/0
192.168.1.1/24
FTP client
192.168.1.10/24
Traffic
As OSPF will only choose to add the most optimal routes to the routing table, we can only see
the routes with a relatively low cost in R3's routing table (below). Therefore, packets to/from
the FTP server (destination address is 1.1.1.0/24) can only be forwarded through R1 (next hop:
10.1.1.2).
[R3] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 11
Routes : 11
Destination/Mask
1.1.1.0/24
10.1.1.0/24
10.1.1.1/32
10.1.2.0/24
10.1.2.1/32
10.1.3.0/24
10.1.4.0/24
127.0.0.0/8
127.0.0.1/32
192.168.1.0/24
192.168.1.1/32
Proto
Pre Cost
Flags NextHop
Interface
OSPF
10
3
D
10.1.1.2
Ethernet0/0/0
Direct
Direct
Direct
Direct
OSPF
OSPF
Direct
Direct
Direct
Direct
0
0
0
0
10
10
0
0
0
0
0
0
0
0
2
12
0
0
0
0
D
D
D
D
D
D
D
D
D
D
10.1.1.1
127.0.0.1
10.1.2.1
127.0.0.1
10.1.1.2
10.1.1.2
127.0.0.1
127.0.0.1
192.168.1.1
127.0.0.1
Ethernet0/0/0
Ethernet0/0/0
Ethernet0/0/1
Ethernet0/0/1
Ethernet0/0/0
Ethernet0/0/0
InLoopBack0
InLoopBack0
GigabitEthernet0/0/0
GigabitEthernet0/0/0
306
Learn Firewalls with Dr. WoW
As shown in Figure 8-3, when R1 fails, the cost of the link on which R1 is positioned
becomes infinitely great, while to R3 the cost of R2's link is still 21. At this time, the network
routes will be converged, and traffic will be forwarded to R2. The time required for traffic to
switch from R1 to R2 is the network routing convergence time. If the routing convergence
time is relatively short, then traffic transmissions won't be interrupted.
Figure 8-3 Routing failover ensuring uninterrupted services
FTP server
1.1.1.10/24
GE0/0/0
1.1.1.1/24
Eth0/0/0
10.1.3.2/24
Eth0/0/1
10.1.4.2/24
Eth0/0/1
10.1.3.1/24
Cost=10
Eth0/0/1
10.1.4.1/24
R4
R1
R2
Eth0/0/0
10.1.1.2/24
R3
Cost=1
Eth0/0/0
10.1.1.1/24
Eth0/0/0
10.1.2.2/24
Cost=10
Eth0/0/1
10.1.2.1/24
GE0/0/0
192.168.1.1/24
Fault
FTP client
192.168.1.10/24
Traffic
From the routing table on R3 below, we can learn that when a failure occurs on R1's Eth0/0/1
interface, packets to/from the FTP server (destination address is 1.1.1.0/24) can only be
forwarded through R2 (next hop: 10.1.2.2).
[R3] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 10
Routes : 10
Destination/Mask
1.1.1.0/24
OSPF
10.1.1.0/24
10.1.1.1/32
10.1.2.0/24
10.1.2.1/32
10.1.4.0/24
127.0.0.0/8
127.0.0.1/32
192.168.1.0/24
192.168.1.1/32
Proto
10
Pre Cost
21
Direct
Direct
Direct
Direct
OSPF
Direct
Direct
Direct
Direct
D
0
0
0
0
10
0
0
0
0
0
0
0
0
20
0
0
0
0
Flags NextHop
10.1.2.2
D
D
D
D
D
D
D
D
D
Interface
Ethernet0/0/1
10.1.1.1
127.0.0.1
10.1.2.1
127.0.0.1
10.1.2.2
127.0.0.1
127.0.0.1
192.168.1.1
127.0.0.1
Ethernet0/0/0
Ethernet0/0/0
Ethernet0/0/1
Ethernet0/0/1
Ethernet0/0/1
InLoopBack0
InLoopBack0
GigabitEthernet0/0/0
GigabitEthernet0/0/0
307
Learn Firewalls with Dr. WoW
8.1.3 Session Failover Also Needs to Be Considered in Dual
Firewall Deployments
Everything changes when we replace a traditional network device with a stateful inspection
firewall. Let's review the content we discussed in "Stateful Inspection and Session
Mechanism": stateful inspection firewalls inspect only the first packet of a flow, and establish
a session to record packets' stateful information (including the source IP address, source port,
destination IP address, destination port, protocol, etc.). Subsequent packets in this data flow
must match a session to be forwarded by the firewall.
Below we'll give an example to illustrate this—two firewalls (FW1 and FW2) are deployed in
a network. OSPF runs on the two firewalls and R1 and R2. As shown on the left side of
Figure 8-4, under normal circumstances, as the OSPF cost of the link on which FW1 sits is
relatively low, packets will be forwarded through FW1. A session will be established on FW1,
and all subsequent packets will match the session and be forwarded.
The right side of Figure 8-4 shows that when FW1 fails, traffic will be directed onto FW2
based on the upstream and downstream devices' routing information. However, as there is no
session on FW2, packets will be discarded by FW2, leading to service interruption. At this
time the user needs to reinitiate their access request (for example by redownloading FTP) and
trigger FW2 in reestablishing a session before the user's service can continue.
Figure 8-4 Session failover also needs to be considered in dual firewall deployment
FTP server
1.1.1.10/24
FTP server
1.1.1.10/24
GE0/0/0
1.1.1.1/24
GE0/0/0
10.1.3.2/24
GE0/0/1
GE0/0/1
10.1.4.2/24
GE0/0/1
10.1.4.1/24
R2
10.1.3.1/24
Session
established
FW1
on FW1 for
the first SYN
packet
GE0/0/0
10.1.1.2/24
GE0/0/0
10.1.1.1/24
GE0/0/0
1.1.1.1/24
FW2
GE0/0/0
10.1.2.2/24
R1
GE0/0/1
10.1.2.1/24
GE0/0/0
10.1.3.2/24
GE0/0/1
10.1.3.1/24
GE0/0/1
10.1.4.1/24
R2
FW1
GE0/0/0
10.1.1.2/24
GE0/0/0
10.1.1.1/24
GE0/0/0
192.168.1.1/24
FTP client
192.168.1.10/24
GE0/0/1
10.1.4.2/24
FW2
GE0/0/0
10.1.2.2/24
R1
Subsequent
packets discarded
due to session
mismatch on FW2
GE0/0/1
10.1.2.1/24
GE0/0/0
192.168.1.1/24
FTP client
192.168.1.10/24
Fault
Traffic
A session exists on FW1, as shown below:
[FW1] display firewall session table
Current Total Sessions : 1
ftp VPN:public --> public 192.168.1.10:2050-->1.1.1.10:21
No session exists on FW2, as shown below:
[FW2] display firewall session table
Current Total Sessions :0
308
Learn Firewalls with Dr. WoW
8.1.4 Hot Standby Resolving the Problem with Firewall Session
Failover
So, how can we resolve this problem with achieving session failover to ensure service
continuity after active/standby switchover between the two firewalls? Here, the firewall hot
standby function lends a helping hand!
As shown on the left side of Figure 8-5, the most important feature of the firewall hot
standby function is to negotiate active/standby states and synchronize important state
and configuration information, including session and server-map table information,
between the two firewalls through the failover channel (heartbeat link). After the hot
standby function is enabled, one of the two firewalls will become the primary device and the
other the backup device based upon the administrator's configuration. The firewall that
becomes the primary device (FW1) will handle traffic, and synchronizes important status and
configuration information, including session and server-map table information to the backup
device (FW2) through the heartbeat link. The firewall that becomes the backup device (FW2)
will not handle traffic, and only receives the state and configuration information from the
primary device (FW1) through the failover channel.
As shown on the right side of Figure 8-5, when the link where primary device FW1's resides
fails, the two firewalls will use the failover channel to exchange packets, and renegotiate their
active/standby states. At this time, FW2 will negotiate to become the new primary device and
handle traffic, while FW1 will negotiate to become the backup device and will not handle
traffic. Concurrently with this, service traffic will be redirected to the new primary device
(FW2) by the upstream and downstream devices. As FW2 was already provided with the
primary device's backup information (such as session and configuration information) when it
served as the backup device, service packets will match the session and be forwarded.
The backup of routing, session and configuration information guarantees that the backup
device FW2 will successfully replace the original primary device FW1, thus avoiding service
interruption.
Figure 8-5 Hot standby ensuring service continuity
FTP server
1.1.1.10/24
FTP server
1.1.1.10/24
R2
R2
Session
established on
FW1 for the first
SYN packet
Session
backup
Session
backup
FW1
Active
FW2
Standby
R1
FW1
Standby
Subsequent
packets forwarded
after matching the
session on FW2
FW2
Active
R1
Fault
Failover channel
FTP client
192.168.1.10/24
FTP client
192.168.1.10/24
Backup traffic
Service traffic
309
Learn Firewalls with Dr. WoW
There is a session on FW1, as shown below:
[FW1]display firewall session table
Current Total Sessions : 1
ftp VPN:public --> public 192.168.1.10:2050-->1.1.1.10:21
There is also a session on FW2, as shown below:
[FW2]display firewall session table
Current Total Sessions : 1
ftp VPN:public --> public 192.168.1.10:2050-->1.1.1.10:21
The method introduced above is the active/standby failover method of hot standby. In typical
active/standby failover scenarios, the backup device does not handle service traffic, and is in
an idle state. If you don't wish for the device you've bought to be idle, or if there is too much
traffic for one device to handle, we can use the load sharing method of hot standby.
As shown in Figure 8-6, in a load sharing scenario, both firewalls are primary devices, and
each establish sessions and handle service traffic. At the same time, the two firewalls also
serve as each other's backup devices, and receive each other's backup session and
configuration information. As seen on the right side of Figure 8-6, when one of these firewalls
fails, the other firewall will handle all service traffic. As these two firewalls' session
information is backed up, all subsequent service packets can match a session on either firewall
and be forwarded, avoiding service interruption.
Figure 8-6 Load sharing method of hot standby
FTP server
1.1.1.10/24
Web server
1.1.1.20/24
FTP server
1.1.1.10/24
R2
R2
Mutual
session
backup
FTP session
established
on FW1
FW1
Active
Session
backup
HTTP session
established
on FW2
FW2
Active
FW1
Standby
Subsequent FTP and
HTTP packets forwarded
on FW2 after matching
sessions
FW2
Active
R1
R1
PC1
192.168.1.10/24
Web server
1.1.1.20/24
PC2
192.168.1.20/24
PC1
192.168.1.10/24
PC2
192.168.1.20/24
Fault
Failover channel
Backup traffic
FTP traffic
HTTP trafic
310
Learn Firewalls with Dr. WoW
There are FTP and HTTP sessions on FW1, as shown below:
[FW1]display firewall session table
Current Total Sessions : 2
ftp VPN:public --> public 192.168.1.10:2050-->1.1.1.10:21
http VPN:public --> public 192.168.1.20:2080-->1.1.1.20:80
There are also FTP and HTTP sessions on FW2, as shown below:
[FW2]display firewall session table
Current Total Sessions : 2
ftp VPN:public --> public 192.168.1.10:2050-->1.1.1.10:21
http VPN:public --> public 192.168.1.20:2080-->1.1.1.20:80
8.1.5 Summary
To improve network reliability and avoid single point of failures, we need to deploy two
network devices at key network nodes. If these devices are routers or switches, we can simply
configure routing failover. If these devices are firewalls, we also need to provide failover for
stateful information (such as the session table, etc.) between the firewalls.
The firewall hot standby function provides a special failover channel used in negotiating
active/standby states between two firewalls and in providing backup state information about
sessions, etc. Hot standby includes active/standby failover and load sharing scenarios.
Active/standby failover refers to only having the primary device handle traffic, with the
backup device idle; when a failure occurs on the primary device's interface(s), link or the
entire device, the backup device will change to the primary device, and replace the primary
device in handling services. Load sharing can also be called "complementary active/standby",
as this is two devices simultaneously handling services. When one device fails, the other
device will immediately assume its services, guaranteeing that there is no interruption of the
services that originally forwarded through this device.
8.2 The Story of VRRP and VGMP
For readers familiar with routers and switches, the VRRP protocol will certainly be the first to
spring to mind when network dual device deployment is mentioned, and the firewall hot
standby function is actually an expansion on the foundation provided by the VRRP protocol.
Therefore, as I explain the story of VGMP and VRRP step by step in this section, I will first
discuss VRRP, and then introduce VGMP from this basis.
8.2.1 VRRP Overview
In the router or firewall hot standby networking discussed in the above section, whether traffic
was directed to the primary or backup device was decided by the upstream and downstream
devices' routing tables. This is because dynamic routing can dynamically adjust routing
tables according to link states to automatically direct traffic onto the correct device.
However, what if the upstream and downstream devices are using static routing? This is
indeed a problem, as dynamic adjustments cannot be made in static routing.
Let's look at an example of this below. As shown in Figure 8-7, the router is configured as the
default gateway on the hosts on the internal network. Therefore, when the hosts want to
311
Learn Firewalls with Dr. WoW
access the Internet, it will first send a packet to the gateway, and the packet will then be sent
by the gateway to the Internet. However, when the gateway fails, communication between the
hosts and the Internet will be interrupted.
Figure 8-7 A single gateway failure resulting in service interruption
Router
Firewall
Switch
Internal
network users
Fault
Traffic
As shown in Figure 8-8, if we want to solve the problem of network interruptions, we need to
add multiple gateways (Router 1 and Router 2). However, the dynamic routing cannot be
configured on hosts. Only a default gateway can be specified on the hosts. If we configure
Router 1 as the default gateway, then when Router 1 fails, traffic will not be automatically
directed to Router 2. At this time, only manually changing the host's default gateway to
Router 2 will allow the host's traffic to be directed to Router 2. However, this will certainly
result in the interruption of the host's traffic accessing the Internet for a period of time.
Moreover, in large networks, there may be hundreds of hosts, and manually adjusting the
network to achieve gateway failover is clearly not realistic.
312
Learn Firewalls with Dr. WoW
Figure 8-8 Multiple gateways cannot guarantee uninterrupted service
Router1
Router2
I’ve set Router1 as
my default
gateway.
Host
Router1
Router2
I cannot access the
Internet, so it seems that
Router1 failed, and I have
to re-set my default
gateway.
Host
In order to better resolve the problem of network interruptions occurring due to gateway
failures, network developers have developed the VRRP protocol. The VRRP protocol is a
kind of fault-tolerant protocol, and guarantees that when a failure occurs on a host's
next hop router (the default gateway), a backup router will automatically replace the
failed router in completing packet forwarding tasks, thereby maintaining continuous
and reliable network communication.
In Figure 8-9, we've assigned a group of routers (actually these are the routers' downstream
interfaces) from within a LAN together, forming a VRRP group. VRRP groups are equivalent
to a virtual router which has its own virtual IP address and virtual MAC address
(format:00-00-5E-00-01-{VRID}, where VRID is the VRRP group's ID). Therefore, the hosts
within the LAN can configure their default gateway as the VRRP group's virtual IP address.
The hosts within the LAN 'think' they are communicating with the virtual router and using the
virtual router to communicate with the external network.
313
Learn Firewalls with Dr. WoW
Figure 8-9 VRRP basics
3
2
If Router1 fails, I will
take place it to forward
packets.
I and Router2 form a
virtual router.
Normally, I am
responsible for
forwarding packets.
Router2
Backup
Priority: 100
Router1
Master
Priority: 110
Virtual router
GE1/0/1
(VRRP group 1)
10.1.1.1/24
Virtual IP address: 10.1.1.3/24
Virtual MAC address: 00-00-5E-00-01-01
GE1/0/1
10.1.1.2/24
1
I communicate with
the virtual router. The
default gateway is
10.1.1.3/24.
Host
The routers in a VRRP group will determine their own state in the VRRP group based
on the priority specified by the administrator. The highest priority state is Master, and
the other state is Backup. A router whose state is Master is called the master router, and a
router whose state is Backup is called the backup router. When the master router is operating
normally, hosts within the LAN will communicate with the external world through the master
router. If the master router fails, a backup router (the one with the next highest VRRP priority)
will become the new master router and take over the work of forwarding packets,
guaranteeing that the network is not interrupted.
8.2.2 VRRP Working Mechanisms
Here, I will use visual aids to demonstrate the entire process of VRRP operations, in order to
help readers in understanding VRRP's implementation principles. So long as you look through
the below figures in their entirety and commit them to memory, you will assuredly understand
and remember the VRRP protocol.
1.
After the administrator finishes configuring the VRRP group and priorities on routers,
the VRRP group will temporarily work in the Initialize state. As shown in Figure 8-10,
after the VRRP group receives the messages indicating that the interfaces have been
314
Learn Firewalls with Dr. WoW
brought up, the group's routers switch into the Backup state, and wait for their timers to
elapse to switch into the Master state.
Figure 8-10 VRRP group states' switching from Initialize to Backup
My interface works
normally, and I change the
interface status to Backup
and then to Master after the
timer expires.
Router2
Router1
Me too.
Let’s see who will be
faster to be Master.
VRRP group 1
10.1.1.3/24
GE1/0/1
State: Backup
Priority: 110
GE1/0/1
State: Backup
Priority: 100
Eth0/0/1
Eth0/0/2
As shown in Figure 8-11, of the VRRP group's routers, the first router to change its
state to Master will become the master router. The router with the highest priority
in a VRRP group will have the shortest timer, meaning it is easiest for this router to
become the master router. This process is called the master router election.
After a successful election, the master router will immediately send periodic (the default
is one second) VRRP packets to all backup routers in the VRRP group to notify them of
its own Master state and priority.
Figure 8-11 Electing the master router
My priority is higher, and
my timer expires first.
I will switch to the Master
state.
Router2
Router1
GE1/0/1
State: Master
Priority: 110
VRRP group 1
Eth0/0/1
GE1/0/1
State: Backup
Priority: 100
Eth0/0/2
State: Master
VRRP priority: 110
2.
Your priority is higher
than mine.
OK. I will still be in
Backup state.
VRRP packet
VRRP packet
direction
The master router will also send a gratuitous ARP packet to notify the switch connected
to it of the VRRP group's virtual MAC address and virtual IP address; this is shown in
Figure 8-12. An entry will be made in the downstream switch's MAC table recording the
relationship between the virtual MAC address and port Eth0/0/1.
315
Learn Firewalls with Dr. WoW
Figure 8-12 The master router sending a gratuitous ARP packet
This is the virtual MAC
address of the VRRP group.
Send me the subsequent
packets destined for this MAC
address.
Router2
Router1
GE1/0/1
State: Master
Priority: 110
VRRP group 1
Virtual MAC:
00-00-5E-00-01-01
Eth0/0/1
MAC address
00-00-5E-00-01-01
Port
Eth0/0/1
GE1/0/1
State: Backup
Priority: 100
Eth0/0/2
Yes Sir.
I’ve recorded the mapping
between this MAC address
and Eth0/0/1 in the MAC
entry.
Gratuitous ARP packet
Direction of the
gratuitous ARP packet
3.
As shown in Figure 8-13, since the gateway on the intranet's PC is set to the virtual IP
address of VRRP group 1, when an intranet PC accesses the Internet, it will first
broadcast ARP packets in the broadcast network to request the virtual MAC address that
corresponds with the virtual IP address. At this point, only the master router will respond
to this ARP packet by giving its virtual MAC address to the PC.
Figure 8-13 Master router responding to the PC's ARP request packet
I know.
The MAC address of
10.1.1.3 is 00-00-5E00-01.
Router2
Router1
VRRP group 1
10.1.1.3/24
GE1/0/1
State: Master
Priority: 110
Virtual MAC:
00-00-5E-00-01-01
GE1/0/1
State: Backup
Priority: 100
Eth0/0/2
Eth0/0/1
Does anybody know
the MAC address of
the gateway address
10.1.1.3?
ARP broadcast
ARP reply packet
Direction of the ARP
reply packet
PC’s gateway address:
10.1.1.3/24
4.
As shown in Figure 8-14, the PC uses the virtual MAC address as the destination MAC
address for encapsulating packets, and then sends a packet to the switch. The switch
forwards the packet sent by the PC through port Eth0/0/1 to Router 1 according to the
MAC address and port relationship recorded in the MAC table.
316
Learn Firewalls with Dr. WoW
Figure 8-14 A downstream switch sending a packet to the master router
Router2
Router1
VRRP group 1
10.1.1.3/24
GE1/0/1
State: Master
Priority: 110
GE1/0/1
State: Backup
Priority: 100
Eth0/0/1
Eth0/0/2
Yes Sir.
(The packet destined for
this address has been
sent through Eth0/0/1.)
MAC address
00-00-5E-00-01-01
Destination MAC:
00-00-5E-00-01-01
PC’s gateway
address:
10.1.1.3/24
Port
Eth0/0/1
Destination IP:
10.1.1.3
Help me send the
packet to MAC address
00-00-5E-00-01.
Service packet
Direction of the
service packet
The above description is of the establishment of the master router and backup router(s) states
and their operating processes. Below, we'll introduce state switching and related operational
processes for the master router and the backup router.
1.
As shown in Figure 8-15, when the master router fails (a failure of the entire Router 1
device or a failure on interface GE1/0/1), it will be unable to send a VRRP packet to
notify the backup router of the failure. If the backup router(s) has not received a VRRP
packet sent by the master router before the time expires, it will deem this to mean that
the master router has failed, and will therefore switch its own state to Master.
Figure 8-15 VRRP state switching
I am faulty and cannot
send VRRP packets.
Router2
Router1
GE1/0/1
State: Initialize
VRRP group 1
Eth0/0/1
Eth0/0/2
VRRP priority:
100
I do not receive VRRP packets
before the timer expires.
The master router must be faulty.
I must switch to the Master state.
GE1/0/1
State: Master
Priority: 100
Fault
VRRP packet
Direction of the
VRRP packet
317
Learn Firewalls with Dr. WoW
There is also another scenario: if the master router abandons its position as Master (for
example the master router withdraws from the VRRP group), it will immediately send a
VRRP packet with a priority of 0, causing the backup router to quickly switch to become
the master router.
2.
As shown in Figure 8-16, after the completion of state switching, the new master router
will immediately send a gratuitous ARP packet carrying the VRRP group's virtual MAC
address and virtual IP address, to refresh the MAC table entries for the device connected
to it (the downstream switch). The relationship between the virtual MAC address and the
new port Eth0/0/2 will be recorded in the downstream switch's MAC table.
Figure 8-16 The new master router sending a gratuitous ARP packet
Router2
Router1
VRRP group 1
Eth0/0/1
This is the virtual MAC
address of the VRRP group.
Send me subsequent packets
destined for this MAC
address.
GE1/0/1
State: Master
Priority: 100
Virtual MAC:
00-00-5E-00-01-01
Eth0/0/2
Yes Sir.
I’ve updated the mapping
between the MAC address
and Eth0/0/2 in the MAC
entry.
MAC address
00-00-5E-00-01-01
Port
Eth0/0/2
Fault
Gratuitous ARP packet
Direction of the
gratuitous ARP packet
3.
As shown in Figure 8-17, after the intranet PC sends a packet to the switch, the switch
will forward the packet sent by the PC through port Eth0/0/2 to Router 2. Therefore, the
intranet PC's traffic is all forwarded through the new master router, Router 2. This
process is completely transparent to the user, and the intranet PC does not perceive that
the master router has already switched from Router 1 to Router 2.
318
Learn Firewalls with Dr. WoW
Figure 8-17 The downstream switch sending a packet to the new master router
Router2
Router1
VRRP group 1
10.1.1.3/24
GE1/0/1
State: Initialize
GE1/0/1
State: Master
Priority: 100
Eth0/0/2
Eth0/0/1
Eth0/0/2
Yes Sir.
(Packets destined for
this MAC address will
be sent through
Eth0/0/2.)
Destination MAC:
00-00-5E-00-01-01
PC’s gateway
address:
10.1.1.3/24
4.
MAC address
00-00-5E-00-01-01
Port
Eth0/0/2
Destination IP:
10.1.1.3
Fault
Help me send the
packet to MAC address
00-00-5E-00-01.
Service packet
Direction of the
service packet
In Figure 8-18, when the failure on the original master router (the current backup router)
is fixed, this router's priority will be higher than the current master router. At this time, if
the preemption function has been enabled, the original master router will change its state
to Master after the preemption timer expires and becomes the master router again; if the
preemption function has not been enabled, the original master router will continue to
maintain its Backup state.
Figure 8-18 Original master router preemption after a failure is fixed
My fault has been rectified.
My priority is higher than yours
and I’ve been configured with
preemption, so I will switch to
the Master state.
Router2
Router1
GE1/0/1
State: Backup
Priority: 110
VRRP group 1
Eth0/0/1
GE1/0/1
State: Master
Priority: 100
Eth0/0/2
State: Master
Priority: 100
VRRP packet
Direction of the
VRRP packet
319
Learn Firewalls with Dr. WoW
8.2.3 Issues Created by Multiple, Independent VRRP States
The above section explained how running VRRP on a gateway's downstream interface can
ensure gateway availability. But what would happen if we run VRRP simultaneously on both
a gateway's upstream and downstream interfaces?
In Figure 8-19, two devices' downstream interfaces join VRRP group 1, and their upstream
interfaces join VRRP group 2. Under normal circumstances, R1's state is Master in VRRP
group 1, and its VRRP group 2's status is Master, so R1 is the master router in both VRRP
group 1 and VRRP group 2. As we learned above when discussing VRRP principles, all
service packets between the intranet and an external network will therefore be forwarded
through R1.
Figure 8-19 Multiple VRRPs operating simultaneously
PC2
PC2
Internet
MAC address
00-00-5E-00-01-02
Port
Eth0/0/1
Internet
MAC address
00-00-5E-00-01-02
Eth0/0/1
Eth0/0/1
Eth0/0/2
Eth0/0/2
LSW2
LSW2
VRRP group 2
GE1/0/3
Virtual IP address: 1.1.1.1/24
GE1/0/3
Master
R1
VRRP group 2
Virtual IP address: 1.1.1.1/24
GE1/0/3
Master
Backup
R1
R2
VRRP group 1
Backup
Virtual IP address: 10.1.1.1/24
VRRP group 1
Virtual IP address: 10.1.1.1/24
LSW1
PC1's gateway
address:
10.1.1.1/24
Internal
network
GE1/0/1
Master
LSW1
Eth0/0/2
Eth0/0/2
Eth0/0/1
GE1/0/3
Backup
R2
GE1/0/1
Initialize
GE1/0/1
GE1/0/1
Master
Port
Eth0/0/1
MAC address
00-00-5E-00-01-01
Port
Eth0/0/1
Eth0/0/1
PC’s gateway
address:
10.1.1.1/24
MAC address
00-00-5E-00-01-01
Port
Eth0/0/2
Internal
network
Packets from internal
networks to the Internet
Return packets
When R1's GE1/0/1 interface fails, R1's state in VRRP group 1 switches to Initialize, and R2's
state in VRRP group 1 switches to Master. R2 therefore becomes the master router in VRRP
group 1, and sends a gratuitous ARP packet to LSW1, refreshing the MAC table in LSW1; at
this point PC1's packets accessing PC2 will be forwarded through R2. However, as the link
between R1 and LSW2 is operating normally, R1 is still the master router in VRRP group 2,
while R2 is still the backup router in VRRP group 2. Therefore, the return packets sent from
PC2 to PC1 will still be forwarded to R1. However, as R1's downstream interface GE1/0/1
has failed, R1 can only discard these return packets, resulting in an interruption of service
traffic.
320
Learn Firewalls with Dr. WoW
After finishing reading through this process, readers will certainly have discovered the
problem with VRRP: VRRP groups are independent of one another, meaning that when there
are multiple VRRP groups on one device, their states can't be backed up.
Huawei's firewalls, routers, switches and other network devices have a unique method of
solving this VRRP problem. Below, we'll focus on introducing how Huawei's firewalls resolve
this problem.
8.2.4 The Creation of VGMP Solves VRRPs' Problems
In order to resolve this problem of a lack of state unity in multiple VRRP groups, Huawei's
firewalls incorporate VGMP (VRRP group Management Protocol) in exercising unified
management over VRRP groups to guarantee the state consistency in VRRP groups. We add
all VRRP groups on a firewall into a VGMP group, and the VGMP group centrally supervises
and manages the states of all VRRP groups. If the VGMP group discovers that one of its
VRRP groups' state has changed, the VGMP group will mandate that all of the VRRP groups
in the VGMP group undergo unified state switching, guaranteeing the state consistency in all
VRRP groups.
A VGMP group has two basic attributes (state and priority) and three basic operating
principles:
A VGMP group's state determines the state of the VRRP groups within the group,
and also determines its firewall's active/standby state.
The VGMP group states of two firewalls are determined by mutual priority
comparison. The state of the VGMP group with the higher priority is active, while
the state of the VGMP group(s) with the lower priority is standby.
A VGMP group will update its own priority according to state changes by the
VRRP groups within it. When a VRRP group's state changes to Initialize, the
VGMP group's priority will decrease by 2.
Now that we understand and are intimately familiar with the basic principles of VGMP group
operation, we'll together take a look at how the VGMP protocol resolves the problem of
VRRP group state discordance.
As shown in Figure 8-20, on FW1 we've added both VRRP group 1 and VRRP group 2 to a
VGMP group in the active state. On FW2 we've added VRRP group 1 and VRRP group 2 to a
VGMP group in the standby state. As a VGMP group's state determines the states of the
group's VRRP groups, the states of VRRP groups 1 and 2 on FW1 are both active, and the
states of VRRP groups 1 and 2 on FW2 are both standby. Therefore, FW1 is the active router
in VRRP group 1 and VRRP group 2 (it is the primary device of the two firewalls), while
FW2 is the standby router for them (it is the backup device of the two firewalls), and therefore
upstream and downstream service traffic will all be directed to the primary device FW1 for
forwarding.
321
Learn Firewalls with Dr. WoW
Figure 8-20 VGMP ensuring unified VRRP state switching
PC2
Eth0/0/1
VGMP
Active
MAC address
Port
MAC address
Port
Eth0/0/1
00-00-5E-00-01-02
Eth0/0/2
GE1/0/1
Active
Eth0/0/1
Eth0/0/2
GE1/0/2
GE1/0/3
Standby
GE1/0/2
Heartbeat link
VRRP group 1
10.1.1.1/24
Eth0/0/1
VGMP
Standby
GE1/0/1
Standby
Eth0/0/2
MAC address
Internal
network
FW1
Eth0/0/2
VRRP group 2
1.1.1.1/24
GE1/0/3
Standby
FW2
00-00-5E-00-01-01
PC1's gateway
address:
10.1.1.1/24
Internet
00-00-5E-00-01-02
VRRP group 2
1.1.1.1/24
GE1/0/3
Active
FW1
PC2
Internet
GE1/0/2
VGMP
Standby
GE1/0/3
Active
GE1/0/2
Heartbeat link
VGMP
Active
GE1/0/1
Active
VRRP group 1
10.1.1.1/24
GE1/0/1
Initialize
Eth0/0/1
FW2
Eth0/0/2
Port
MAC address
Port
Eth0/0/1
00-00-5E-00-01-01
Eth0/0/2
PC1's gateway
address:
10.1.1.1/24
Internal
network
Packets from internal
networks to the Internet
Return packets
A heartbeat cable is needed between two firewalls to exchange VGMP protocol packets.
[Question from Dr. WoW] Above, while explaining VRRPs, the states we studied were all
"Master" and "standby" —why have these changed to "active" and "standby" here?
Answer: In the USG6000 series of firewalls, hot standby states (originally "Master" and
"Slave") and VRRP states (originally "Master" and "standby") have been uniformly changed
to read "active" and "standby". Therefore, when you see other documents use multiple
different terms to describe states, please don't think this unusual; understanding these states as
the "active" and "standby" described here will work just fine.
As shown in Figure 8-20, when one of FW1's interfaces fails, the process by which the VGMP
group controls unified state switching of the VRRP groups is as follows:
2.
When FW1's GE1/0/1 interface fails, VRRP group 1 on FW1 switches states (switches
from active to initialize).
3.
After FW1's VGMP group perceives this failure, it will lower its own priority, and then
compare priorities with FW2's VGMP group and renegotiate their active/standby states.
4.
After negotiation, the state of the VGMP group on FW1 switches from active to standby,
and the state of the VGMP group on FW2 switches from standby to active.
5.
At the same time, as a VGMP group's state determines the state of the group's VRRP
groups, FW1's VGMP group will mandate that its VRRP group 2 switch from the active
state to the standby state, and FW2's VGMP group will also mandate that its VRRP
groups 1 and 2 switch from the standby state to the active state.
In this way, FW2 becomes the active router in VRRP group 1 and VRRP group 2, and
also is thus the primary device of the two firewalls; meanwhile, FW1 becomes the
322
Learn Firewalls with Dr. WoW
standby router in VRRP group 1 and VRRP group 2, and is thus also the backup device
of the two firewalls.
6.
FW2 will send gratuitous ARP packets to both LSW1 and LSW2 to update their MAC
address tables, causing PC1's upstream packets and return packets accessing PC2 to be
forwarded to FW2. This completes the unified switching of VRRP group states, and
guarantees uninterrupted service traffic.
8.2.5 VGMP Packet Structure
After reading through the above content, everyone should understand that VGMP not only
allows for unified management of VRRP groups, but also replaces VRRP in managing
firewall active/standby states as needed. At this point a question arises: how is information
about states and priorities sent between two firewalls' VGMP groups?
In 8.2.2 VRRP Working Mechanisms above, we explained that two routers' VRRP groups use
VRRP packets to send state and priority information. So, do two firewalls' VGMP groups still
use VRRP packets to send state and priority information? This is of course not very likely, as
new leadership naturally brings with it new methods.
During hot standby, two firewalls' VGMP groups use VGMP packets to send state and
priority information. VGMP is Huawei's proprietary protocol, and this protocol expands on
and alters VRRP packets to achieve the firewall hot standby function, deriving multiple kinds
of packets that use VGMP headers in their encapsulation. An understanding of VGMP packets
and headers is the foundation necessary to understand VGMP state negotiation and switching,
so let's first have a look at the structure of VGMP packets.
The VGMP packet structure discussed in this section applies to the USG2000/5000/6000 firewall series
and the USG9000 firewall series' V100R003 version.
Figure 8-21 VGMP packet structure
VRRP
header
VGMP
header
From the sequence of VGMP packet encapsulation shown in Figure 8-21, we can see that
VGMP packets are rooted in VRRP packets, and are encapsulated from VRRP header.
However, the VRRP header is not standard VRRP header, but is "new VRRP header" that has
been expanded on and amended by Huawei. The specific changes are listed below:
323
Learn Firewalls with Dr. WoW
Standard VRRP header' "Type" field only has a value of "1", while the new VRRP
header has added a value of "2". This is to say that if Type=1, this is a standard VRRP
header; if Type=2, this is a new kind of VRRP header that has been altered by us.
Standard VRRP header' "Virtual Rtr ID" field represents the VRRP group ID, while the
new, altered VRRP header' "Virtual Rtr ID" value is always set to "0".
The standard VRRP header's "IP address" field has been eliminated from the new, altered
VRRP header.
The "Priority" field in the standard VRRP header has been changed to a "Type2" field in
the new VRRP header.
−
When Type2=1, packets are encapsulated as heartbeat link detection packets.
Heartbeat link detection packets are used to detect whether or not the peer device's
heartbeat interface can receive packets from the sending device; this verifies whether
or not the heartbeat interface can be used.
−
When Type2=5, the packets are encapsulated as consistency check packets.
Consistency check packets are used to inspect whether two firewalls in hot standby
state have the same hot standby and policy configuration.
−
Only when Type2=2 will VRRP packets be further encapsulated into a VGMP header.
These packets are further separated into three kinds of packets according to the
VGMP header's "vType" field.
VGMP packets (VGMP Hello packets). VGMP Hello packets are used to
negotiate active/standby states between two firewalls' VGMP groups.
HRP heartbeat packets (HRP Hello packets). HRP heartbeat packets are used
to detect whether a peer VGMP group is in a working state. A VGMP group in
the active state will send HRP heartbeat packets to its peer VGMP group at
intervals (the default is 1s), and these are used to notify the peer of the sending
group's VGMP group state and priority. If a VGMP group in the standby state
doesn't receive HRP heartbeat packets sent from its peer group for three
consecutive intervals, it will deem this to mean there has been a failure on the
peer VGMP group, and will switch its own state to active.
HRP data packets. Only by adding an HRP header after the VGMP header can
a packet be encapsulated into an HRP data packet. HRP data packets are used for
data backup between active and standby devices, and include backup of
command line configuration and state information.
By this point, everyone is likely wondering: if during firewall hot standby a new VRRP
header is used to encapsulate VGMP packets, then do standard VRRP packets still exist, and if
so, what are they used for? The answer is that standard VRRP packets still exist, and they
are still used for internal communication within VRRP groups. However, as their
priority field (Priority) is already a fixed value, it cannot be configured, and so standard
VRRP packets actually exist in name only. The loss of the Priority field means that standard
VRRP packets can no longer control negotiation of VRRP group state, and can only provide
notification of VRRP group states and virtual IP addresses between the active and standby
firewalls. This is the same as the role of the "emperor" in a constitutional monarchy—their
title is preserved but they lack the power to manage the nation.
VGMP's desire to take over management of firewall and VRRP group states means that
VGMP packets must contain VGMP group state and priority information. Let's look again at
the structure of the VGMP header.
The "Mode" field states whether this is a request packet or a response packet.
The "vgmpID" field states whether the VGMP group is an active group or a standby
group.
324
Learn Firewalls with Dr. WoW
The "vPriority" field states the VGMP group's priority.
In addition, information about a VGMP group's state is contained in VGMP packet
"data". These two points demonstrate that the VGMP protocol possesses the material
basis necessary to allow it to replace the standard VRRP protocol in managing VRRP
group and firewall states.
To summarize the above, the VGMP protocol alters the standard VRRP header and defines
different kinds of packets that use the VGMP header in encapsulation. With this in mind,
through what channel are these packets sent between two firewalls? Above, we discussed the
fact that firewalls use a failover channel (the heartbeat cable) to send backup data, and it's
obvious that HRP data packets are transmitted through the failover channel. Indeed, all of the
various VGMP packets discussed above (with the exception of standard VRRP packets) are
transmitted through the failover channel.
In addition, the USG6000 firewall series and the USG2000/5000 firewall series' V300R001
version also support the encapsulation of the various VGMP and HRP packets discussed
above (with the exception of standard VRRP packets) into UDP packets. The structure for this
is shown in Figure 8-22.
Figure 8-22 Using UDP to encapsulate a VGMP packet
So what is the difference between using VRRP-encapsulated VGMP packets and
UDP-encapsulated VGMP packets? The former are multicast packets, can't be transmitted
outside the subnet, and aren't controlled by security policies; the latter are unicast packets, and
can be transmitted outside of the subnet as long as the route is accessible, and they are
controlled by security policies. A bit more specifically, if multicast packets are used, then the
two firewalls' heartbeat interfaces must be directly connected or connected through a Layer 2
switch, but no security policy needs to be configured. If unicast packets are used, then the two
firewalls' heartbeat interfaces can be connected through a Layer 3 device such as a router, but
a security policy permitting packets to pass in both directions between the Local zone and the
security zone the heartbeat interface is located in must be configured. In addition, when using
a service interface as the heartbeat interface, UDP-encapsulated VGMP packets must be used.
8.2.6 Firewall VGMP Groups' Default States
In 8.2.4 The Creation of VGMP Solves VRRPs' Problems, we already made a simple
introduction into how VGMP guarantees unified switching of VRRP group states, but the
actual switching process and packet exchange is a bit more complicated. Before introducing
the formation of VGMP states and the switching process in more detail, we'll first introduce
firewalls' VGMP groups' default states and priorities.
In Figure 8-23, each firewall provides two VGMP groups: the active group and the
standby group. By default, the active group's priority is 65001, and its state is active; the
standby group's priority is 65000, and its state is standby. In an active/standby failover
scenario, the primary device enables the active group, and all members (for example,
VRRP groups) join the active group; the backup device enables the standby group, and
all members join the standby group. In a load sharing scenario, both firewalls enable the
active and standby groups, and all members on each device join both the active group
and the standby group. FW1's active group and FW2's standby group form one
"active/standby" group, and FW2's active group and FW1's standby group form
325
Learn Firewalls with Dr. WoW
another "active/standby" group; the two firewalls are both complementing each other's
"active/standby", creating load sharing.
Figure 8-23 Firewall VGMP groups
Active/standby
backup
FW2 S
FW1 A
Active group
State: Active
Priority: 65001
HRP heartbeat
packet
Standby group
State: Initialize
Standby group
State: Standby
Priority: 65000
Active group
State: Initialize
Load balancing
FW1 A
FW2 S
Active Group
State: Active
Priority: 65001
Standby Group
State: Standby
Priority: 65000
Standby Group
State: Standby
Priority: 65000
HRP heartbeat
packet
Active Group
State: Active
Priority: 65001
The above description is applicable to the USG2000/5000/6000 firewall series. As the
USG9000 firewall has both interface boards and service boards, their default priorities are
different.
The USG9000 firewall series' V100R003 version's VGMP group's default priorities are as
follows:
Master (active) group's default priority = 45001 + 1000 x (# of service boards + # of interface
boards)
Slave (standby) group's default priority = 45000 + 1000 x (# of service boards + # of interface
boards)
8.2.7 The Process of State Formation for Active/Standby Failover
Hot Standby
The active/standby failover method of hot standby is in widespread use at present. Its
configuration and principles are relatively simple, and therefore we'll start with an explanation
of the processes through which states are formed in active/standby failover hot standby.
To allow everyone to truly experience how VRRP and VGMP function on firewalls, below
we'll first detail the configuration of hot standby through active/standby failover, and then
describe the process of hot standby state formation.
326
Learn Firewalls with Dr. WoW
The hot standby configuration described in this section is generally as done using the USG6000 firewall
series.
As shown in Figure 8-24, to implement the active/standby failover method of hot standby, we
need to enable the active VGMP group on FW1, and add FW1's VRRP groups into the active
VGMP group to monitor the them. We also enable the standby VGMP group on FW2 and add
all of FW2's VRRP groups to the standby VGMP group to monitor them.
Figure 8-24 Network diagram of active/standby failover hot standby
PC2
Internet
Eth0/0/1
GE1/0/3
1.1.1.2/24
Active
FW1
Eth0/0/2
GE1/0/3
1.1.1.3/24
Standby
VRRP group 2
1.1.1.1/24
GE1/0/2
VGMP
Active
GE1/0/2
Heartbeat link
GE1/0/1
10.1.1.2/24
Active
VGMP
Standby
VRRP group 1
10.1.1.1/24
Eth0/0/1
PC1's gateway
address:
10.1.1.1/24
FW2
GE1/0/1
10.1.1.3/24
Standby
Eth0/0/2
Internal
network
The command to achieve this operation is vrrp vrid virtual-router-id virtual-ip
virtual-address [ ip-mask | ip-mask-length ] { active | standby }. This command is simple but
very useful and can accomplish the following two tasks:
Add an interface to the VRRP group, and assign a virtual IP address and mask. When the
interface's IP address and the VRRP group's virtual IP address are not on the same subnet,
a virtual IP address subnet mask must be specified.
327
Learn Firewalls with Dr. WoW
Use the "active | standby" parameter to add VRRP groups to the active or standby
VGMP groups.
Configuration of active/standby failover hot standby on two firewalls is shown in Table 8-1.
Table 8-1 Configuration of active/standby failover hot standby
Item
Configuration on FW1
Configuration on FW2
Configure VRRP
group 1.
interface GigabitEthernet 1/0/1
interface GigabitEthernet 1/0/1
ip address 10.1.1.2
255.255.255.0
ip address 10.1.1.3
255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
255.255.255.0 active
vrrp vrid 1 virtual-ip 10.1.1.1
255.255.255.0 standby
interface GigabitEthernet 1/0/3
interface GigabitEthernet 1/0/3
Configure VRRP
group 2.
ip address 1.1.1.2 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1
255.255.255.0 active
ip address 1.1.1.3
255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1
255.255.255.0 standby
Configure the
heartbeat interface.
hrp interface GigabitEthernet
1/0/2
hrp interface GigabitEthernet
1/0/2
Enable hot standby.
hrp enable
hrp enable
The various VGMP packets and the HRP packets are all sent through the heartbeat interface,
which can be understood as hot standby's "lifeblood", and there are many key points that will
require your focus here:
The two devices' heartbeat interfaces must be added to the same security zone.
The two devices' heartbeat interfaces' interface type and number must be the same. For
example, if the primary device's heartbeat interface is GigabitEthernet 1/0/2, then the
backup device's heartbeat interface must also be GigabitEthernet 1/0/2.
Specifics regarding choosing a suitable heartbeat interface connection method are below.
−
When two hot standby firewalls are relatively close together, the heartbeat interfaces
can be directly connected, or connected via a Layer 2 switch. The configuration
method is that when configuring the heartbeat interfaces, a remote parameter is not
added. At this time the packets sent by the heartbeat interfaces are encapsulated into
multicast VRRP packets. Multicast packets cannot be transmitted across subnets, and
are not controlled by security policies. This is the preferred method.
−
When the distance between two hot standby firewalls is relatively large and
cross-subnet transmission is necessary, the heartbeat interfaces need to be connected
using routers. To configure this, a remote parameter is added when configuring the
heartbeat interfaces, designating the other heartbeat interface's address (for example
hrp interface GigabitEthernet 1/0/2 remote 10.1.1.2). After adding the remote
parameter, the various packets sent from a heartbeat interface will be encapsulated
into UDP packets. UDP packets are unicast packets, and can be transmitted across
subnets as long as a route is available, but need to be controlled by security policies.
To configure the security policy, permit packets with a destination port of 18514 or
18515 to pass in both directions between the Local zone and the security zone the
heartbeat interface is located in.
328
Learn Firewalls with Dr. WoW
−
When no heartbeat interface is available, service interfaces can also be used as the
heartbeat interfaces. To configure this, when configuring the heartbeat interface add
remote parameters, designating the other heartbeat interface's (one of the service
interfaces) address. To configure the security policy, permit packets with destination
ports of 18514 and 18515 to pass in both directions between the Local zone and the
security zone the heartbeat interface is located in.
By now, I believe everyone should understand the method to control VGMP and HRP
packet encapsulation.
After completing configuration, we run the command display hrp state on FW1, which
allows us to see that VRRP groups 1 and 2 have joined the active VGMP group and are in the
active state.
HRP_A<FW1> display hrp state
The firewall's config state is: ACTIVE
Current state of virtual routers configured as active:
GigabitEthernet1/0/3
vrid
2 : active
GigabitEthernet1/0/1
vrid
1 : active
Running the command display hrp state on FW2 shows that VRRP groups 1 and 2 have
joined the standby VGMP group, and are in the standby state.
HRP_S<FW2> display hrp state
The firewall's config state is: STANDBY
Current state of virtual routers configured as standby:
GigabitEthernet1/0/3
vrid
2 : standby
GigabitEthernet1/0/1
vrid
1 : standby
Running the command display hrp group on FW1 shows that the active group's state is
active, its priority is 65001, and that the standby group hasn't been enabled.
HRP_A<FW1> display hrp group
Active group status:
Group enabled:
yes
State:
active
Priority running:
65001
Total VRRP members:
1
Hello interval(ms):
1000
Preempt enabled:
yes
Preempt delay(s):
30
Peer group available: 1
Peer's member same:
yes
Standby group status:
Group enabled:
no
State:
initialize
Priority running:
65000
Total VRRP members:
0
Hello interval(ms):
1000
Preempt enabled:
yes
Preempt delay(s):
0
Peer group available: 0
Peer's member same:
yes
329
Learn Firewalls with Dr. WoW
Running the command display hrp group on FW2 shows that the standby group's state is
standby, its priority is 65000, and that the active group hasn't been enabled.
HRP_S<FW2> display hrp group
Active group status:
Group enabled:
no
State:
initialize
Priority running:
65001
Total VRRP members:
0
Hello interval(ms):
1000
Preempt enabled:
yes
Preempt delay(s):
30
Peer group available: 1
Peer's member same:
yes
Standby group status:
Group enabled:
yes
State:
standby
Priority running:
65000
Total VRRP members:
2
Hello interval(ms):
1000
Preempt enabled:
yes
Preempt delay(s):
0
Peer group available: 1
Peer's member same:
yes
After completing configuration and state switching for the various hot standby networks that we'll
discuss below, we can run the above two commands to check VGMP group information and verify
whether or not our configuration is correct and whether state switching has occurred.
As shown in Figure 8-25, after configuration, the process of state formation for the
active/standby failover method of hot standby is as follows (the numbers in the Figure 8-25
are the same numbers as in the below text)
2.
After hot standby is enabled, the state of the active VGMP group on FW1 switches from
initialize to active, and the state of the standby VGMP group on FW2 switches from
initialize to standby.
3.
As FW1's VRRP groups have all joined the active VGMP group, and as the active
VGMP group's state is active, FW1's VRRP group 1 and VRRP group 2 are both in the
active state. Similarly, FW2's VRRP group 1 and VRRP group 2 are both in the standby
state.
4.
At this time, FW1's VRRP groups 1 and 2 will each send gratuitous ARP packets to the
upstream and downstream switches to notify them of their VRRP group virtual MAC
address. 00-00-5E-00-01-01 is VRRP group 1's virtual MAC address, and
00-00-5E-00-01-02 is VRRP group 2's virtual MAC address.
5.
The upstream and downstream switches' MAC tables will each have entries made
recording the mapping between the virtual MAC address and port Eth0/0/1. In this way,
after upstream and downstream service packets arrive at the switches, the switches will
forward the packets to FW1. Therefore, FW1 becomes the primary device, and FW2
becomes the backup device.
6.
At the same time, FW1's active VGMP group will also send HRP heartbeat packets to
FW2's standby VGMP group at fixed intervals through the heartbeat cable.
330
Learn Firewalls with Dr. WoW
Figure 8-25 Process of state formation in active/standby failover hot standby
Switch
4
3
Gratuitous
ARP
MAC address
Port
00-00-5E-00-01-02
Eth0/0/1
Eth0/0/1
Eth0/0/2
GE1/0/3
GE1/0/3
VRRP group 2
State: Active
2
FW1
VRRP group 2
State: Standby
2
Active group
1 State: Active
Priority: 65001
GE1/0/2 Heartbeat link GE1/0/2
5
A
Standby group
1 State: Standby
Priority: 65000
Standby group
State: Initialize
备
Active group
State: Initialize
2
VRRP group 1
State: Standby
2
VRRP group 1
State: Active
GE1/0/1
GE1/0/1
3
FW2
HRP heartbeat
Gratuitous
ARP
Eth0/0/1
Eth0/0/2
Interface
Switch
4
Network cable
MAC address
Port
00-00-5E-00-01-01
Eth0/0/1
Packet
VRRP group
Packet direction
VGMP monitoring
8.2.8 State Switching Process Following a Primary Device
Interface Failure
Once two firewalls are in their active/standby failover states, if the primary device's interface
fails, the two firewalls will change their active/standby state as follows:
1.
As shown in Figure 8-26, after the primary device's interface GE1/0/1 fails, FW1's
VRRP group 1's state changes to initialize.
2.
FW1's active group will perceive this change, and lower its own priority by 2 (if one
interface fails the priority is lowered by two), and switch its own state to 'active to
standby' (this is abbreviated in the figure as A To S). Active to standby is a temporary,
intermediate state, invisible to the user.
3.
FW1's active VGMP group will send a VGMP request packet to its peer group,
requesting that its state be changed to standby. VGMP request packets are a kind of
VGMP packet, and this packet carries the sending VGMP group's adjusted priority of
64999.
331
Learn Firewalls with Dr. WoW
Figure 8-26 Primary device link or interface failure and request for state switching
GE1/0/3
GE1/0/3
VRRP group 2
State: Active
FW1
VRRP group 2
State: Standby
Active group
2 State: A To S
Priority: 64999
GE1/0/2
3
Heartbeat link GE1/0/2
VGMP request
Standby group
State: Initialize
VRRP group 1
State: Initialize
Standby group
State: Standby
Priority: 65000
FW2
Active group
State: Initialize
VRRP group 1
State: Standby
1
GE1/0/1
GE1/0/1
Interface
VRRP group
Network
cable
Fault
Packet
direction
Packet
VGMP
monitoring
4.
As shown in Figure 8-27, after FW2's standby VGMP group receives the VGMP request
from the active VGMP group on FW1, it will compare its VGMP priority with that of its
peer VGMP group (FW1's active VGMP group). After comparison, it discovers that its
own priority of 65000 is higher than its peer's 64999, and therefore FW2's standby group
will switch its state to active.
5.
FW2's standby VGMP group will return a VGMP reply packet to its peer group (FW1's
active VGMP group), permitting this peer to switch states.
6.
Simultaneous to this, FW2's standby VGMP group will mandate that its VRRP groups 1
and 2 switch their states to active.
7.
FW2's VRRP groups 1 and 2 will send gratuitous ARP packets to the downstream and
upstream switches respectively to update their MAC address tables.
332
Learn Firewalls with Dr. WoW
Figure 8-27 Backup device state switching
Switch
MAC address
Port
00-00-5E-00-01-02
Eth0/0/1
Eth0/0/1
Eth0/0/2
GE1/0/3
7
Gratuitous
ARP
GE1/0/3
VRRP group 2
State: Active
FW1
VRRP group 2
State: Active
6
Active group
State: A To S
Priority: 64999
GE1/0/2 Heartbeat link
VGMP
response
Standby group
State: Initialize
GE1/0/2
Standby group
4 State: Active
Priority: 65000
FW2
5
Active group
State: Initialize
6
VRRP group 1
State: Active
VRRP group 1
State: Initialize
GE1/0/1
7
Eth0/0/1
Gratuitous
ARP
Eth0/0/2
Switch
GE1/0/1
Interface
Fault
Network cable
MAC address
Port
00-00-5E-00-01-01
Eth0/0/1
Packet
VRRP group
Packet direction
VGMP monitoring
8.
As shown in Figure 8-28, after FW1's active VGMP group receives its peer group's
VGMP acknowledgement packet, it switches its own state to standby.
9.
FW1's active VGMP group will mandate that its VRRP groups switch their states to
standby. Due to the interface failure within VRRP group 1, VRRP group 1's state of
initialize does not change, and only VRRP group 2's state will switch to standby.
10. At the same time as this, after the upstream and downstream switches receive FW2's
gratuitous ARP packets, they will update their MAC table entries, by recording the
mapping between the virtual MAC address and port Eth0/0/2. Therefore, after upstream
and downstream service traffic reaches these switches, the switches will forward traffic
onto FW2. At this point the two firewalls' active/standby state switching is complete;
FW2 has become the new primary device, and FW1 has become the new backup device.
11. After the completion of active/standby state switching, FW2 (the new primary device)
will send heartbeat packets to FW1 (the new backup device) at fixed intervals.
333
Learn Firewalls with Dr. WoW
Figure 8-28 Completion of active/standby state switching
Switch
MAC address
Port
00-00-5E-00-01-02
Eth0/0/1
Eth0/0/1
10
Eth0/0/2
GE1/0/3
GE1/0/3
VRRP group 2
State: Standby
9
VRRP group 2
State: Active
Active group
8 State: Standby
Priority: 64999
FW1
GE1/0/2 Heartbeat link
GE1/0/2
Standby group
State: Active
Priority: 65000
FW2
HRP heartbeat
S
Standby group
State: Initialize
A
Active group
State: Initialize
11
9
VRRP group 1
State: Active
VRRP group 1
State: Initialize
GE1/0/1
GE1/0/1
Eth0/0/1
Eth0/0/2
Interface
Switch
Fault
Network cable
MAC address
Port
00-00-5E-00-01-01
Eth0/0/2
10
Packet
VRRP group
Packet direction
VGMP monitoring
8.2.9 State Switching Process After a Failure of the Entire Primary
Device
If there is a total failure of the primary device, the primary device's VGMP group will no
longer send HRP heartbeat packets. At such a time, if the backup device's VGMP group has
not received an HRP heartbeat packet from the primary device for three consecutive intervals,
it will deem this to mean there has been a failure in the other VGMP group, and will switch its
own state to the active state.
8.2.10 Process of State Switching After a Failure on the Original
Primary Device is Fixed (Preemption)
After a failure on the original primary device is fixed. If the preemption function has not
been configured, the original primary device will remain in a backup state; if the preemption
334
Learn Firewalls with Dr. WoW
function has been configured, the original primary device will initiate a 'coup' to again
become the primary device as follows:
1.
In Figure 8-29, after interface GE1/0/1 of the original primary device recovers from
failure, the state of VRRP group 1 switches from initialize to standby.
2.
After FW1's active VGMP group perceives this change, it raises its own priority by 2 (if
a failure on one interface is fixed, priority increases by 2) to 65001. FW1's active VGMP
group will compare its VGMP priority with that of its peer group obtained from an HRP
heartbeat packet sent by the peer. The comparison finds that FW1's active VGMP
group's priority of 65001 is higher than this peer group's 65000. At this point, if the
preemption function has been configured, the preemption hold-down timer will be
enabled. After the timer expires, FW1's active VGMP group will switch its state from
standby to 'standby to active' (this is abbreviated in the figure as S to A), which is a
temporary intermediate state that is invisible to the user.
3.
FW1's active VGMP group will send a VGMP request to its peer group, requesting that
its state be switched to active. The VGMP request is a kind of VGMP packet that carries
this VGMP group's (FW1's active group) adjusted priority of 65001.
Figure 8-29 Request for state switching once the original primary device recovers from failure
GE1/0/3
GE1/0/3
VRRP group 2
State: Standby
FW1
VRRP group 2
State: Active
Active group
2 State: S To A
Priority: 65001
GE1/0/2 Heartbeat link GE1/0/2
Standby group
State: Active
Priority: 65000
3 VGMP request
Standby group
State: Initialize
FW2
Active group
State: Initialize
VRRP group 1
State: Active
VRRP group 1
1
State: Standby
GE1/0/1
GE1/0/1
Network
cable
Interface
VRRP group
Packet
direction
Packet
VGMP
monitoring
4.
As shown in Figure 8-30, after FW2's standby group receives FW1's active group's
VGMP request packet, it will compare its VGMP priority with this peer group. Through
this comparison it will discover that its priority of 65000 is lower than its peer's 65001,
and therefore FW2's standby group will switch its own state from active to standby.
5.
FW2's standby group will return a VGMP response packet to its peer group, permitting
this peer group to switch its state to active.
6.
At the same time as this, FW2's standby group will mandate its VRRP groups 1 and 2
switch their states to standby.
335
Learn Firewalls with Dr. WoW
Figure 8-30 State switching of current primary device
GE1/0/3
GE1/0/3
VRRP group 2
State: Standby
FW1
VRRP group 2
State: Standby
6
Active group
State: S To A
Priority: 65001
GE1/0/2
Heartbeat link GE1/0/2
Standby group
4 State: Standby
Priority: 65000
VGMP ACK
Standby group
State: Initialize
FW2
Active group
State: Initialize
5
6
VRRP group 1
State: Standby
VRRP group 1
State: Standby
GE1/0/1
GE1/0/1
Network
cable
Interface
VRRP group
Packet
direction
Packet
VGMP
Monitoring
7.
As shown in Figure 8-31, after FW1's active VGMP group receives the peer group's
VGMP acknowledgement packet, it will switch its own state to active.
8.
FW1's active VGMP group will mandate that its VRRP groups 1 and 2 also switch their
states to active.
9.
FW1's VRRP groups 1 and 2 will send gratuitous ARP packets to the downstream and
upstream switches respectively to update their MAC address tables to record the
mapping between the virtual MAC address and port Eth0/0/1. In this way, after upstream
and downstream service packets arrive at the switches, the switches will forward the
packets to FW1. At this point, active/standby state switching for the two firewalls is
complete. FW1 has again snatched the position of primary device through preemption,
while FW2 has again become the backup device.
10. After the completion of active/standby state switching, the primary device (FW1) will
send heartbeat packets to the backup device (FW2) at fixed intervals.
336
Learn Firewalls with Dr. WoW
Figure 8-31 The original primary device preempting to become primary again
Switch
9
Gratuitous
ARP
MAC address
Port
00-00-5E-00-01-02
Eth0/0/1
Eth0/0/1
Eth0/0/2
GE1/0/3
GE1/0/3
VRRP group 2
State: Active
8
FW1
VRRP group 2
State: Standby
Active group
7 State: Active
Priority: 65001
GE1/0/2 Heartbeat link GE1/0/2
Standby group
State: Standby
Priority: 65000
FW2
HRP heartbeat
packet
A
Standby group
State: Initialize
8
VRRP group 1
State: Active
VRRP group 1
State: Standby
GE1/0/1
GE1/0/1
9
S
Active group
State: Initialize
10
Gratuitous
ARP
Eth0/0/1
Eth0/0/2
Interface
Switch
Network cable
MAC address
Port
00-00-5E-00-01-01
Eth0/0/1
Packet
VRRP group
Packet direction
VGMP monitoring
8.2.11 Process of State Formation in Load Sharing Hot Standby
Above we described state formation and the switching process for the active/standby failover
method of hot standby. Below we'll take a look at load sharing states.
As shown in Figure 8-32, in order to achieve the load sharing method of hot standby, we need
to enable active and standby VRRP groups on both FW1 and FW2, allow FW1's active VRRP
groups to communicate with FW2's standby VRRP groups to form an "active/standby" group,
and allow FW2's active VRRP groups and FW1's standby VRRP groups to communicate (also
forming an "active/standby" group). In this way the two FWs will be in complementary
active/standby states, which are in fact load sharing states.
337
Learn Firewalls with Dr. WoW
Figure 8-32 Load sharing hot standby network diagram
PC2
Internet
Eth0/0/1
Standby
GE1/0/3
Active
1.1.1.3/24
FW1
Eth0/0/2
VRRP group 4
1.1.1.2/24
Active
VRRP group 3
1.1.1.1/24
Standby
GE1/0/2
VGMP
Active
GE1/0/2
GE1/0/3
1.1.1.4/24
VGMP
Standby
FW2
Heartbeat link
GE1/0/1
Active
10.1.1.3/24
Standby
VRRP group 1
10.1.1.1/24
VRRP group 2
10.1.1.2/24
Eth0/0/1
PC1's gateway
address:
10.1.1.1/24
Standby
GE1/0/1
10.1.1.4/24
Active
Eth0/0/2
Internal
network
Configuration of the load sharing method of hot standby is shown in Table 8-2.
Table 8-2 Configuration of load sharing hot standby
Item
Configuration on FW1
Configuration on FW2
Configure two
VRRP groups on
interface GE1/0/1,
and add one to the
active VGMP group
and the other to the
standby VGMP
group.
interface GigabitEthernet 1/0/1
interface GigabitEthernet 1/0/1
ip address 10.1.1.3
255.255.255.0
ip address 10.1.1.4
255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
255.255.255.0 active
vrrp vrid 1 virtual-ip 10.1.1.1
255.255.255.0 standby
vrrp vrid 2 virtual-ip 10.1.1.2
255.255.255.0 standby
vrrp vrid 2 virtual-ip 10.1.1.2
255.255.255.0 active
338
Learn Firewalls with Dr. WoW
Item
Configuration on FW1
Configuration on FW2
Configure two
VRRP groups on
interface GE1/0/3,
and add one to the
active VGMP group
and the other to the
standby VGMP
group.
interface GigabitEthernet 1/0/3
interface GigabitEthernet 1/0/3
Configure the
heartbeat interface
hrp interface GigabitEthernet
1/0/2
hrp interface GigabitEthernet
1/0/2
Enable hot standby
hrp enable
hrp enable
ip address 1.1.1.3 255.255.255.0
vrrp vrid 3 virtual-ip 1.1.1.1
255.255.255.0 active
vrrp vrid 4 virtual-ip 1.1.1.2
255.255.255.0 standby
ip address 1.1.1.4
255.255.255.0
vrrp vrid 3 virtual-ip 1.1.1.1
255.255.255.0 standby
vrrp vrid 4 virtual-ip 1.1.1.2
255.255.255.0 active
From Table 8-2 above we can see that:
2.
In load sharing scenarios, each service interface needs to be added into two VRRP
groups, and one of these two VRRP groups needs to be added to the active VGMP group
and the other needs to be added to the standby VGMP group. For example, the GE1/0/1
interface is added to groups 1 and 2, and groups 1 and 2 are added to the active VGMP
group and the standby VGMP group respectively.
3.
For every pair of the two firewalls' identically numbered VRRP groups, one group must
be added to the active VGMP group and the other to the standby VGMP group. For
example, FW1's VRRP group 1 is added to the active VGMP group, and FW2's VRRP
group 1 is added to the standby VGMP group.
As shown in Figure 8-33, after the configuration is complete, the state formation process for
the load sharing method of hot standby is as follows:
4.
FW1 and FW2's active VGMP groups' states switch from initialize to active, and their
standby VGMP groups' states switch from initialize to standby.
5.
As FW1's VRRP groups 1 and 3 have joined the active VGMP group whose state is
active, FW1's VRRP groups 1 and 3's states are both active; as FW1's VRRP groups 2
and 4 have joined the standby VGMP group whose state is standby, FW1's VRRP groups
2 and 4's states are both standby. Likewise, the states of FW2's VRRP groups 1 and 3 are
both standby, and the states of VRRP groups 2 and 4 are both active.
6.
At this point, FW1's VRRP groups 1 and 3 will send gratuitous ARP packets to the
downstream and upstream switches respectively, notifying them of VRRP groups 1 and
3's virtual MAC addresses; FW2's VRRP groups 2 and 4 will send gratuitous ARP
packets to the downstream and upstream switches respectively to notify them of the
virtual MAC addresses for VRRP groups 2 and 4.
7.
Entries will be made in the downstream switch's MAC address table recording the
mapping between VRRP group 1's virtual MAC address (00-00-5E-00-01-01) and port
Eth0/0/1, as well as the mapping between VRRP group 2's virtual MAC address
(00-00-5E-00-01-02) and port Eth0/0/2. In this way, when service packets arrive at the
downstream switch, the switch will send packets to either FW1 or FW2 according to the
specific destination MAC address. If the default gateway of the switch's downstream
device is VRRP group 1's address, then its packets will be forwarded to FW1; if the
default gateway of the switch's downstream device is set to VRRP group 2's address,
then its packets will be forwarded to FW2. Upstream switches and devices operate under
the same principles.
339
Learn Firewalls with Dr. WoW
Therefore, FW1 and FW2 can both forward service packets, and so FW1 and FW2 are
both primary devices, and a load sharing state has been achieved.
8.
After a load sharing state is achieved, FW1's active VGMP group will send HRP
heartbeat packets to FW2's standby VGMP group at fixed intervals, and FW2's active
VGMP group will send HRP heartbeat packets to FW1's standby VGMP group at fixed
intervals.
Figure 8-33 State formation process in load sharing hot standby
4
3 Gratuitous ARP packet
MAC address
Port
00-00-5E-00-01-03
Eth0/0/1
00-00-5E-00-01-04
Eth0/0/2
Eth0/0/1
00-00-5E-00-01-03
Gratuitous ARP packet
00-00-5E-00-01-04
Eth0/0/2
GE1/0/3
VRRP group 3
State: Active
2
3
GE1/0/3
VRRP group 4
State: Standby
2
VRRP group 3
State: Standby
2
VRRP group 4
State: Active
2
GE1/0/2
FW1
Active group
1 State: Active
Priority: 65001
Standby group
1 State: Standby
Priority: 65000
Heartbeat link
A
Standby group
1 State: Standby
Priority: 65000
2
VRRP group 1
State: Active
FW2
A
5
Active group
1 State: Active
Priority: 65001
HRP heartbeat
packet
2
VRRP group 1
State: Standby
2
VRRP group 2
State: Standby
GE1/0/1
2
VRRP group 2
State: Active
GE1/0/1
3
3
Gratuitous ARP
packet
00-00-5E-00-01-01
Eth0/0/1
Eth0/0/2
Gratuitous ARP
packet
00-00-5E-00-01-02
Interface
Network cable
Switch
Packet
4
MAC address
00-00-5E-00-01-01
Port
Eth0/0/1
00-00-5E-00-01-02
Eth0/0/2
VRRP group
Packet direction
VGMP monitoring
8.2.12 State Switching Process in Load Sharing Hot Standby
After two firewalls implement hot standby using the load sharing method, if one of the
firewall's interfaces malfunctions, the firewalls will switch into an active/standby failover
state, the process of which is described below.
1.
As shown in Figure 8-34, when FW1's GE1/0/1 interface fails, the states of FW1's VRRP
groups 1 and 2 will each change to initialize.
340
Learn Firewalls with Dr. WoW
2.
The priority of FW1's active and standby VGMP groups will each be lowered by 2. After
this, FW1's active VGMP group's priority will be changed to 64999, lower than FW2's
standby VGMP group's priority of 65000. FW2's standby VGMP group's priority will
change to 64998, which is still lower than FW2's active VGMP group's priority of 65001.
Therefore, following state negotiation between the VGMP groups, FW1's active VGMP
group's state will switch to standby, and FW2's standby VGMP group's state will switch
to active.
3.
FW1's active VGMP group and FW2's standby VGMP group will mandate that the
VRRP groups within them also undergo state switching, and therefore the states of
FW2's VRRP groups 1 and 3 will switch to active.
4.
FW2's VRRP groups 1 and 3 will send gratuitous ARP packets to the downstream and
upstream switches respectively to update their MAC address tables.
5.
After the downstream switch receives the gratuitous ARP packet, it will update its own
MAC address table, and link VRRP group 1's virtual MAC address (00-00-5E-00-01-01)
with Eth0/0/2. Likewise, the upstream switch will link VRRP group 3's virtual MAC
address (00-00-5E-00-01-03) with Eth0/0/2. Therefore, when upstream and downstream
service packets reach these switches, the switches will forward the packets onto FW2. At
this point, hot standby state switching is complete. FW1 has become the backup device
and FW2 the primary device, meaning that the load sharing state has changed into an
active/standby failover state.
6.
After load sharing has switched to active/standby failover, the primary device (FW2)
will send heartbeat packets to the backup device (FW1) at fixed intervals.
Figure 8-34 State switching process in load sharing hot standby
MAC address
Port
00-00-5E-00-01-03
Eth0/0/2
00-00-5E-00-01-04
Eth0/0/2
Eth0/0/1
5
4
Eth0/0/2
GE1/0/3
VRRP group 3
State: Standby
3
Gratuitous ARP
packet
00-00-5E-00-01-03
GE1/0/3
VRRP group 4
State: Standby
VRRP group 3
State: Active
3
VRRP group 4
State: Active
GE1/0/2
FW1
Active group
State: Standby
2
Priority: 64999
Standby group
2 State: Active
Priority: 65000
Heartbeat link
S
FW2
A
6
Standby group
State: Standby
2
Priority: 64998
VRRP group 1
State: Initialize
1
Active group
State: Active
Priority: 65001
HRP heartbeat
packet
3
VRRP group 1
State: Active
VRRP group 2
State: Initialize
GE1/0/1
VRRP group 2
State: Active
GE1/0/1
Eth0/0/1
4
Gratuitous ARP
packet
Eth0/0/2
00-00-5E-00-01-01
Interface
Fault
Network cable
Switch
Packet
MAC address
00-00-5E-00-01-01
00-00-5E-00-01-02
Port
Eth0/0/2
Eth0/0/2
VRRP group
5
Packet direction
VGMP monitoring
341
Learn Firewalls with Dr. WoW
8.2.13 Summary
The above content should have provided a satisfactory answer to the question: "How are two
firewalls' VGMP groups' packet exchange and state negotiation and state switching processes
accomplished?" Therefore, we now know that in hot standby, VGMP's three main functions
are:
1.
Fault monitoring: VGMP groups are able to monitor changes in VRRP groups' states,
and thereby perceive both interface failures within VRRP groups as well as when such
failures are fixed. Here, I've thought of a new question: can VGMP groups directly
monitor interface failures, and do they have to conduct their interface monitoring
through VRRP groups?
2.
State switching: the VGMP group state switching process is actually also the device
active/standby state switching process. After a VGMP group perceives VRRP state
changes, it will adjust its own priority, and will renegotiate active/standby states with its
peer device's VGMP group. This point should already be fairly clear, as this section has
delved deeply into how state switching and negotiation are accomplished.
3.
Traffic direction: after two VGMP groups' active/standby states are established or
switched, the VGMP groups will mandate that their VRRP group states undergo unified
switching. Following this, the active VRRP group will send a gratuitous ARP packet to
direct the traffic to it (the primary device). Here, a new question has popped to mind: "If
VGMP groups were able to directly monitor interfaces, how would traffic direction be
accomplished?
Actually, VGMP's functionality is extremely strong, and effecting firewall fault monitoring
and traffic direction by monitoring VRRP group states is only one of VGMP's techniques.
This technique can only be used when firewall's upstream or downstream devices are switches,
as VRRP itself was created especially for this kind of scenario. Is VGMP useless when a
firewall's upstream or downstream device(s) is a router? Of course not! In the next section I'll
introduce more of VGMP's features to allow everyone to gain a thorough understanding of the
hot standby function, and be completely prepared for all contingencies!
8.2.14 Addendum: VGMP State Machine
Above, we've learned about the processes for VGMP groups' various state changes. Below, I'll
use an explanation of a VGMP state machine (a visual representation is shown in Figure 8-35)
to help deepen everyone's understanding of VGMP group state switching.
The VGMP state machine discussed in this section is currently applicable to the USG2000/5000/6000
firewall series and the USG9000 firewall series' V100R003 version.
342
Learn Firewalls with Dr. WoW
Figure 8-35 VGMP state machine
Other states
0
Initialize
2
1
4
Standby
Active
8
5
7
10
S To A
9
6
3
A To S
0.
After the hot standby function is enabled, each VGMP group enters the initialize state.
1.
After the active VGMP group is enabled, the active group's state switches from initialize
to active.
2.
After the standby VRRP group is enabled, the standby group's state switches from
initialize to standby.
3.
When one of the interfaces monitored by this device's VGMP group fails, its state
switches from 'active' to 'active to standby', and it sends a VGMP request packet to its
peer device's VGMP group.
4.
When this VGMP group receives the peer's VGMP request packet, it discovers that its
priority is higher than its peer's, switches from the standby state to the active state, and
sends a VGMP acknowledgement packet to the peer device's VGMP group.
5.
This device's VGMP group receives its peer's VGMP acknowledgement packet, and
confirms that it (this device) needs to conduct state switching, so this device's VGMP
group's state is switched from 'active to standby' to 'standby'.
6.
The peer device's VGMP group determines that this device's VGMP group does not need
to undergo state switching or the peer doesn't answer this device's VGMP request
packets for three intervals, and so this device's VGMP group's state switches from the
'active to standby' state to the 'active' state.
7.
After the failure with the interface monitored by this device's VGMP group is fixed, if
this device's VGMP group's priority is higher than the peer device's, and if the
preemption function has been configured, then this device's VGMP group's state will
switch from 'standby' to 'standby to active', and it will send a VGMP request packet to its
peer.
343
Learn Firewalls with Dr. WoW
8.
This device's VGMP group receives the peer device's VGMP request packet and
discovers that the peer device's priority is higher, and it therefore switches from the
active state to the standby state and sends a VGMP acknowledgement packet to the peer
device's VGMP group.
9.
This device's VGMP group receives the peer device's VGMP acknowledgement packet,
and confirms that it (this device) needs to undergo state switching. This device's VGMP
group therefore switches from the 'standby to active' state to the 'active' state, completing
the preemption process.
10. The peer VGMP group determines that this device's VGMP group doesn't need to
undergo state switching, or it hasn't answered this device's VGMP request packet for
three consecutive intervals, and therefore this device's VGMP group switches from the
'standby to active' state to the 'standby' state.
8.3 Explanation of VGMP Techniques
The marriage of VGMP and VRRP is only applicable to networking using firewalls connected
to Layer 2 devices. Therefore, if a firewall connects to a router, or a firewall transparently
accesses a network (service interfaces are working in Layer 2), what technique does a VGMP
group use in response? In this section, I will reveal the remaining VGMP group techniques for
everyone.
8.3.1 VGMP Technique For Firewall-Router Connections
In Figure 8-36, two firewalls' upstream and downstream service interfaces are working in
Layer 3, and are connected to routers. The firewalls and the routers are running OSPF
between them. As the upstream and downstream devices are not Layer 2 switches, the VGMP
group cannot use VRRP groups. Therefore, the technique that the VGMP groups will use to
monitor failures is direct interface state monitoring. This is accomplished by directly
adding interfaces to VGMP groups. When there is a failure with one of a VGMP group's
interfaces, the VGMP group will directly perceive the interface's change in state, and
therefore lower its own priority.
344
Learn Firewalls with Dr. WoW
Figure 8-36 Networking with firewalls connected to upstream and downstream routers
PC2
1.1.1.10/24
PC2
1.1.1.10/24
Internet
Internet
R2
R2
GE1/0/3
10.2.1.2/24
FW1
A
VGMP
Active
The cost
increases by
65500.
GE1/0/3
10.2.2.2/24
OSPF
GE1/0/2 10.10.0.2/24
10.10.0.1/24 GE1/0/2
GE1/0/1
10.1.1.2/24
VGMP
Standby
FW2
S
GE1/0/1
10.1.2.2/24
OSPF
The cost
increases by
65500.
GE1/0/3
10.2.1.2/24
FW1
S
R1
PC1
192.168.1.1/24
Internal
network
GE1/0/3
10.2.2.2/24
OSPF
VGMP
Standby
GE1/0/2 10.10.0.2/24
10.10.0.1/24 GE1/0/2
GE1/0/1
10.1.1.2/24
VGMP
Active
FW2
A
GE1/0/1
10.1.2.2/24
OSPF
The cost
increases by
65500.
GE0/0/2
GE0/0/1
GE0/0/2
GE0/0/1
GE0/0/2
GE0/0/1
The cost of the path to PC2
via FW1 is 3 while the cost of
the path via FW2 is 65503.
Therefore, I select FW1 to
forward packets.
GE0/0/2
GE0/0/1
PC1
192.168.1.1/24
R1
Internal
network
The path to PC2 via FW1 is
disconnected while the
path via FW2 is normal.
Therefore, I select FW2 to
forward packets.
The steps for configuring direct interface monitoring using VGMP groups are as shown in
Table 8-3 (as performed using the active/standby failover method of hot standby.)
Table 8-3 Configuration of direct interface monitoring using VGMP groups
Item
Configuration on FW1
Configuration on FW2
Configure the VGMP
group to directly
monitor interface
GE1/0/1.
interface GigabitEthernet 1/0/1
interface GigabitEthernet 1/0/1
ip address 10.1.1.2
255.255.255.0
ip address 10.1.2.2
255.255.255.0
Configure the VGMP
group to directly
monitor interface
GE1/0/3.
interface GigabitEthernet 1/0/3
interface GigabitEthernet 1/0/3
ip address 10.2.1.2
255.255.255.0
ip address 10.2.2.2
255.255.255.0
Configure the
automatic cost
adjustment function.
hrp ospf-cost adjust-enable
hrp ospf-cost adjust-enable
Configure the
heartbeat interface.
hrp interface GigabitEthernet
1/0/2
hrp interface GigabitEthernet
1/0/2
Enable the hot
standby function.
hrp enable
hrp enable
hrp track active
hrp track active
hrp track standby
hrp track standby
345
Learn Firewalls with Dr. WoW
If the load sharing method of hot standby is used, then we only need to execute the hrp track active and
hrp track standby commands on each service interface, and add the service interfaces to both the active
and standby VGMP groups.
[Question from Dr. Wow] Here, curious readers may ask: aren't we adding interfaces to
VGMP groups to allow a VGMP(s) group to monitor interface states? Why is the command
hrp track and not vgmp track? This is because of what we discussed in the section above
regarding VGMP and HRP packets both being encapsulated with a VRRP header and a
VGMP header (with the only difference between them being that HRP packets also need to be
further encapsulated with an HRP header.) Therefore, when developers designed this
command, they used the hrp parameter, and this practice has continued in use until today.
After configuration is complete, we can run command display hrp state on FW1, allowing us
to see that interfaces GE1/0/1 and GE1/0/3 have both been added to the active group, and are
being monitored by the active group.
HRP_A<FW1> display hrp state
The firewall's config state is: ACTIVE
Current state of interfaces tracked by active:
GigabitEthernet0/0/1 : up
GigabitEthernet0/0/3 : up
Running the command display hrp state on FW2 shows that interfaces GE1/0/1 and GE1/0/3
have both been added to the standby VGMP group, and are being monitored by the group.
HRP_S<FW2> display hrp state
The firewall's config state is: Standby
Current state of interfaces tracked by standby:
GigabitEthernet0/0/1 : up
GigabitEthernet0/0/3 : up
Running the command display hrp group on FW1 shows that the active VGMP group's state
is active, its priority is 65001, and that the standby VGMP group hasn't been enabled.
HRP_A<FW1> display hrp group
Active group status:
Group enabled:
yes
State:
active
Priority running:
65001
Total VRRP members:
0
Hello interval(ms):
1000
Preempt enabled:
yes
Preempt delay(s):
30
Peer group available: 1
Peer's member same:
yes
Standby group status:
Group enabled:
no
State:
initialize
Priority running:
65000
Total VRRP members:
0
Hello interval(ms):
1000
Preempt enabled:
yes
Preempt delay(s):
0
Peer group available: 0
346
Learn Firewalls with Dr. WoW
Peer's member same:
yes
Running the command display hrp group on FW2 shows that the standby VGMP group's
state is standby, its priority is 65000, and that the active VGMP group hasn't been enabled.
HRP_S<FW2> display hrp group
Active group status:
Group enabled:
no
State:
initialize
Priority running:
65001
Total VRRP members:
0
Hello interval(ms):
1000
Preempt enabled:
yes
Preempt delay(s):
30
Peer group available: 1
Peer's member same:
yes
Standby group status:
Group enabled:
yes
State:
standby
Priority running:
65000
Total VRRP members:
2
Hello interval(ms):
1000
Preempt enabled:
yes
Preempt delay(s):
0
Peer group available: 1
We can therefore conclude that after the completion of configuration, FW1's VGMP group is
in the active state, and FW1 has become the primary device. FW2's VGMP group's state is in
the standby state, and FW2 has become the backup device.
In 8.1 Hot Standby Overview, I mentioned that if we wish PC1's traffic to PC2 to be
forwarded by FW1, we need to manually increase the OSPF cost of FW2's link (R1—>FW2
—>R2). However, what happens if it's inconvenient/impossible to configure the upstream and
downstream router(s) R1 or R2? This situation requires that we use the firewall's VGMP
group's traffic direction function to automatically direct traffic onto the primary device. This
can be done because the firewall will automatically adjust OSPF costs according to a
VGMP group's state (the command is hrp ospf-cost adjust-enable). Once this function is
enabled, if an active VGMP group is on a firewall, the firewall will advertise routes with
normal costs; if a firewall's VGMP group is in the standby state, then the firewall will increase
costs by 65500 (this is a default value, and can be adjusted) when advertising routes.
If this is a load sharing network, as there are active VGMP groups on both firewalls, each firewall will
advertise routes with normal costs.
On the left of Figure 8-36, the primary firewall FW1 (its VGMP group's state is active) is
advertising routes normally, and the backup device FW2 (its VGMP group is in the standby
state) will therefore increase costs by 65500 when advertising routes to the upstream and
downstream devices. Therefore, from the perspective of R1, the OSPF cost of using FW1 to
access PC2 is 1+1+1=3, while the OSPF cost of using FW2 to access PC2 is
65501+1+1=65503. As the router will choose the path with the lower cost when forwarding
traffic (R1—>FW1—>R2), traffic from the intranet's PC1 to the external network's PC2 will
be forwarded through the primary device FW1.
We can see from R1's routing table that the next hop of packets going to network 1.1.1.0 is
FW1's GE1/0/1's address 10.1.1.2 .
347
Learn Firewalls with Dr. WoW
[R1] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 11
Routes : 11
Destination/Mask
1.1.1.0/24
OSPF
Proto
10
Pre Cost
3
Flags NextHop
D
10.1.1.2
Interface
GigabitEthernet0/0/1
After one of FW1's service interfaces fails, the two firewalls' VGMP groups will undergo state
switching. After state switching, FW2's VGMP group's state will switch to active, and FW2
will become the primary device; FW1's VGMP group's state will switch to standby, and FW1
will become the backup device. FW2 will announce routes normally (it does not increase the
cost value), while the route cost announced by FW1 will increase to 65500. To R1, the path to
PC2 using FW1 is blocked (because FW1's upstream interface has failed), and the route to
PC2 through FW2 is accessible, and the cost is 3, so traffic from intranet PC1 accessing PC2
on the external network will be forwarded through the new primary device FW2.
From R1's routing table we can also see that the next hop of packets travelling to destination
network segment 1.1.1.0 has changed to FW2's GE1/0/1's address 10.1.2.2.
[R1] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 11
Routes : 11
Destination/Mask
1.1.1.0/24
OSPF
Proto
10
Pre Cost
3
Flags NextHop
D
10.1.2.2
Interface
GigabitEthernet0/0/2
8.3.2 VGMP Technique When Firewalls Transparently Access and
Connect to Switches
In Figure 8-37, two firewalls' upstream and downstream service interfaces are both working in
Layer 2 and are connected to switches. As the firewalls' service interfaces are working in
Layer 2, they do not have IP addresses, and so there is no way for the VGMP groups to use
VRRP groups or to directly monitor interface states. Therefore, the fault monitoring technique
used by the VGMP groups is to monitor interface states using a VLAN. This is
accomplishing by adding Layer 2 service interfaces to a VLAN, with the VGMP group
monitoring the VLAN. When an interface in a VGMP group fails, the VGMP group will
perceive this change in state of one of its interfaces through the VLAN, and therefore lower
its own priority.
348
Learn Firewalls with Dr. WoW
Figure 8-37 Networking with a firewall transparently accessing and connecting to switches
PC2
1.1.1.10/24
Router
192.168.1.2/24
00-11-22-33-44-66
Eth0/0/1
MAC address
Port
00-11-22-33-44-55
Eth0/0/1
GE1/0/2
10.10.0.2/24
VLAN2
VLAN2
forwards
does not
traffic.
forward
traffic.
GE1/0/1
Eth0/0/1
PC1
192.168.1.1/24
00-11-22-33-44-55
Eth0/0/1
VGMP
Standby
MAC address
Port
00-11-22-33-44-55
Eth0/0/2
Eth0/0/2
GE1/0/3
GE1/0/3
GE1/0/2
10.10.0.1/24
VGMP
Active
Router
192.168.1.2/24
00-11-22-33-44-66
Eth0/0/2
GE1/0/3
FW1
A
PC2
1.1.1.10/24
Internet
Internet
FW1
S
FW2
S
VGMP
Standby
GE1/0/1
GE1/0/1
GE1/0/2
VLAN2 10.10.0.2/24
VLAN2
does not
forwards
forward
packets.
traffic.
Eth0/0/1
Eth0/0/2
GE1/0/3
GE1/0/2
10.10.0.1/24
VGMP
Active
FW2
A
GE1/0/1
Eth0/0/2
MAC address
Port
MAC address
Port
00-11-22-33-44-66
Eth0/0/1
00-11-22-33-44-66
Eth0/0/2
PC1
192.168.1.1/24
00-11-22-33-44-55
Internal
network
Internal
network
Table 8-4 shows the configuration steps used to allow a VGMP group to use a VLAN to
monitor interface states (active/standby failover).
Table 8-4 Configuration of VGMP groups' use of a VLAN to monitor interfaces (active/standby
failover)
Item
Configuration FW1
Configuration FW2
Add Layer 2 service
interfaces into the same
VLAN, and configure the
VGMP group to monitor
the VLAN.
vlan 2
vlan 2
port GigabitEthernet 1/0/1
port GigabitEthernet 1/0/1
port GigabitEthernet 1/0/3
port GigabitEthernet 1/0/3
hrp track active
hrp track standby
Configure the heartbeat
interface.
hrp interface GigabitEthernet
1/0/2
hrp interface
GigabitEthernet 1/0/2
Enable the hot standby
function.
hrp enable
hrp enable
When firewalls' service interfaces work in Layer 2 and are connected to switches, the load sharing
method of hot standby is not supported. This is because if working in the load sharing method, the
VLANs would be enabled on both devices, and each device would be able to forward traffic, so that the
entire network would form a loop.
349
Learn Firewalls with Dr. WoW
After completing configuration, FW1's VGMP group's state is active, and FW1 becomes the
primary device; FW2's VGMP group's state is standby, and FW2 becomes the backup device.
As the firewalls' service interfaces are working in Layer 2, the firewalls themselves cannot
run OSPF, and therefore the VGMP groups cannot direct upstream and downstream traffic
using OSPF costs. However, the VGMPs can control whether or not their VLAN forwards
traffic to ensure that traffic is directed onto the primary device. When a VGMP's group is
active, the group's VLAN is able to forward traffic; when a VGMP group's state is standby,
the group's VLAN is disabled, and it cannot forward traffic. A VGMP's control of whether its
VLAN forwards traffic does not need to be separately configured; adding a VLAN to the
VGMP group is all that is required.
As shown in Figure 8-37, under normal circumstances, the primary device's (FW1; its VGMP
group's state is active) VLAN is enabled, and it can forward traffic. The backup device's
(FW2; its VGMP group is in the standby state) VLAN is disabled, and it cannot forward
traffic. Therefore, the traffic from PC1 to PC2 will all be forwarded by primary device FW1.
After a service interface failure on FW1, the two firewalls' VGMP groups will undergo state
switching; for details on this process please see 8.2.8 State Switching Process Following a
Primary Device Interface Failure. When FW1's VGMP group's state switches from active
to standby, the state of the normal interface(s) in the group's VLAN will go down and
then up. This causes the upstream and downstream switches to update their own MAC
address tables to map the destination MAC address to port Eth0/0/2, thereby directing
traffic onto FW2.
8.3.3 VGMP Technique When Firewalls Transparently Access and
Connect to Routers
In Figure 8-38, two firewalls' upstream and downstream service interfaces are both working in
Layer 2, and are connected to routers. OSPF is running between the two firewalls. In this sort
of networking, the fault monitoring and traffic direction methods adopted by the firewalls'
VGMP groups are essentially the same as in 8.3.2 VGMP Technique When Firewalls
Transparently Access and Connect to Switches, which is to say that VLAN is used to
monitor interface faults and control traffic direction.
The difference between these methods lies in the fact that the networking described in
this section only supports the load sharing method of hot standby, and does not support
active/standby failover. This is because if working using the active/standby failover method,
the backup device's VLAN would be disabled, and its upstream and downstream routers
would be unable to communicate or establish OSPF routes. Therefore, when active/standby
switching occurred, the new primary device's (the original backup device) VLAN would be
enabled, and its upstream and downstream routers would only then begin to build new OSPF
routes. However, the building of new OSPF routes requires a certain amount of time, and this
would result in a temporary service interruption.
350
Learn Firewalls with Dr. WoW
Figure 8-38 Networking with firewall transparently accessing and connecting to routers
PC2
1.1.1.10/24
PC2
1.1.1.10/24
Internet
R2
R2
GE0/0/1
10.1.1.2/24
Internet
GE0/0/1
10.1.1.2/24
GE0/0/2
10.1.2.2/24
OSPF
OSPF
A
VGMP
Active
VLAN2
forwards
traffic.
VGMP
Standby
VGMP
Active
VGMP
Standby
GE1/0/1
GE1/0/1
FW2
FW1
A
S
VLAN2
forwards
traffic.
VGMP
VGMP
Standby Standby
VLAN2
does not
forward
traffic.
VGMP
Active
A
VLAN2
forwards
traffic.
GE0/0/2
10.1.2.1/24
R1
R1
PC1
192.168.1.1/24
FW2
OSPF
GE0/0/1
10.1.1.1/24
GE0/0/2
10.1.2.1/24
VGMP
Active
GE1/0/1
GE1/0/1
OSPF
GE0/0/1
10.1.1.1/24
GE1/0/3
GE1/0/3
GE1/0/3
GE1/0/3
FW1
GE0/0/2
10.1.2.2/24
PC1
192.168.1.1/24
Internal
network
Internal
network
The steps for configuring VGMP group to monitor interface states (load sharing) through
VLAN are shown in Table 8-5.
Table 8-5 Configuration of VGMP group to monitor interfaces using a VLAN (load sharing)
Item
Configuration on FW1
Configuration on FW2
Add the Layer 2 service
interfaces to the same VLAN
and configure the active and
standby VGMP groups to
monitor the VLAN.
vlan 2
vlan 2
port GigabitEthernet 1/0/1
port GigabitEthernet 1/0/1
port GigabitEthernet 1/0/3
port GigabitEthernet 1/0/3
hrp track active
hrp track active
hrp track standby
hrp track standby
Configure the heartbeat
interface.
hrp interface
GigabitEthernet 1/0/2
hrp interface GigabitEthernet
1/0/2
Enable the hot standby
function.
hrp enable
hrp enable
When the firewalls' service interfaces work in Layer 2 and are connected to routers, do not use the
active/standby failover method of hot standby. This is because the backup device's VLAN is disabled,
and its upstream and downstream routers can't communicate, and thus can't establish routes. Therefore,
during active/standby switching, the backup device is unable to immediately replace the primary device,
resulting in a service interruption.
351
Learn Firewalls with Dr. WoW
After configuration, as there are active VGMP groups on both FW1 and FW2, FW1 and FW2
are both primary devices, and each of their VLAN2s will forward traffic. At this time, R1's
routing table shows that traffic going to PC2 can be forwarded through either FW1 or FW2.
<R1> display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 14
Routes : 15
Destination/Mask
1.1.1.0/24
OSPF
10
OSPF
2
Proto
Pre Cost
10
D
2
10.1.2.2
Flags NextHop
D
Interface
10.1.1.2
GigabitEthernet0/0/1
GigabitEthernet0/0/2
After one of FW1's service interfaces fails, the two firewalls' VGMP groups will conduct state
switching, and the hot standby state will change from load sharing to active/standby failover.
When FW1's VGMP group's state switches from active to standby, all of the interfaces
in the groups VLAN will go down and then up. This will cause the upstream and
downstream routers' routes to change and converge, and all traffic will therefore be
directed onto FW2.
At this time, R1's routing table (below) also shows that the next hop of packets going to
network 1.1.1.0 has changed to R2's GE0/0/2's address 10.1.2.2.
<R1>display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 10
Routes : 11
Destination/Mask
1.1.1.0/24
10.1.2.0/24
Proto
Pre Cost
OSPF
10
Direct 0
2
0
Flags NextHop
D
D
10.1.2.2
10.1.2.1
Interface
GigabitEthernet0/0/2
GigabitEthernet0/0/2
8.3.4 VGMP Groups' Remote Interface Monitoring Techniques
The techniques used by VGMP groups in handling various hot standby networks were
described above, and in these the VGMP groups were monitoring the firewall's own interfaces.
Below we'll take a look at two techniques for VGMP group monitoring of remote interfaces.
"Remote interfaces" refer to other devices' interfaces on a link. When a remote interface
monitored by a VGMP group fails, the VGMP group's priority lowers by 2, just as we've seen
previously. The techniques by which VGMP monitors firewalls' own interfaces can be used
together with the techniques by which remote interfaces are monitored.
It is important to note that the two kinds of techniques for VGMP to monitor remote interfaces
can only be used on networks in which firewalls' service interfaces are working in Layer 3,
because only Layer 3 interfaces have IP addresses and can send IP-Link and BFD detection
packets to the remote device(s).
Monitoring the state of remote interfaces using IP-link
The method is to establish an IP-link to probe the remote interface, and then have the
VGMP group monitor the IP-link's state. When an interface being probed through an
IP-link fails, the IP-link state will change to Down, and the VGMP group will perceive
the IP-link's state change and therefore lower its own priority.
352
Learn Firewalls with Dr. WoW
As shown in Figure 8-39, we need to use IP-Link 1 on FW1 (FW2) to inspect R1's (R2's)
GE1/0/1 interface (an indirectly connected remote interface), and then add IP-Link 1 to
the active (standby) VGMP group to monitor IP-Link 1's state.
Figure 8-39 VGMP monitoring of remote interfaces using IP-link
Configuration details are shown in Table 8-6 (configuration of the hot standby function
must be completed prior to the below configuration)
Table 8-6 Configuration of VGMP monitoring of remote interfaces using IP-link
Item
Configuration on FW1
Configuration on FW2
Enable IP-link.
ip-link check enable
ip-link check enable
Configure IP-link to
monitor the remote
address.
ip-link 1 destination 1.1.1.1
interface
GigabitEthernet1/0/3 mode
icmp
ip-link 1 destination 2.2.2.1
interface GigabitEthernet1/0/3
mode icmp
Configure VGMP to
monitor the IP-link.
hrp track ip-link 1 active
hrp track ip-link 1 standby
Monitoring remote interface status using BFD
This method entails using BFD to probe remote interfaces, with a VGMP group
monitoring the BFD state. When there is a failure of the remote interface being inspected
by BFD, BFD's state will change to Down, and the VGMP group will perceive the BFD
state change and therefore lower its own priority.
353
Learn Firewalls with Dr. WoW
As shown in Figure 8-40, we need to use BFD session 10 on FW1 (FW2) to probe R1's
(R2's) GE1/0/1 interface (an indirectly connected remote interface), and then add BFD
session 1 to the active (standby) VGMP group to monitor BFD session 1's state.
Figure 8-40 VGMP monitoring of remote interfaces using BFD
R1
R2
BFD discriminator 20
BFD discriminator 20
GE1/0/1
2.2.2.1/24
GE1/0/1
1.1.1.1/24
BFD discriminator 20
GE1/0/3
BFD 1
BFD 1
GE1/0/3
BFD discriminator 10
BFD discriminator 10
FW1
VGMP
Active
GE1/0/1
VGMP
Standby
FW2
GE1/0/1
Configuration details are shown in Table 8-7 (the hot standby function must be
configured prior to the below configuration)
Table 8-7 Configuring VGMP monitoring of remote interfaces using BFD
Item
Configuration on FW1
Configuration on FW2
Configure BFD to monitor
the remote address, and
specify the local and peer
discriminators.
bfd 1 bind peer-ip 1.1.1.1
bfd 1 bind peer-ip 2.2.2.1
discriminator local 10
discriminator local 10
discriminator remote 20
discriminator remote 20
Configure the VGMP
group to monitor BFD.
hrp track bfd-session 10
active
hrp track bfd-session 10
standby
8.3.5 Summary
In summary, although there are many different VGMP group monitoring and traffic direction
techniques, they all abide by the following two principles:
Whenever a failure occurs on an interface that is being monitored by a VGMP group,
regardless of whether it is directly or indirectly monitored, and regardless of whether the
monitoring is of a firewall's own interface or a remote interface, the VGMP group's
priority will be lowered by 2.
Only primary devices (VGMP group in the active state) will direct traffic onto
themselves, while backup devices (VGMP group in the standby state) will think of a way
to refuse traffic from being directed onto them.
354
Learn Firewalls with Dr. WoW
Finally, I'll summarize the relationships between the various typical hot standby networks and
the VGMP fault monitoring and traffic direction techniques in Table 8-8.
Table 8-8 Summary of various hot standby networks' VGMP techniques
Hot Standby
Network
Supported
Scenarios
Fault Monitoring
Technique
Traffic Direction
Technique
Firewall service
interfaces are
working in Layer
3, and are
connected to
Layer 2 switches.
Active/standby
failover and load
sharing
Interface
monitoring using
VRRP groups
Interface
monitoring using
IP-links (optional)
The primary device will
send gratuitous ARP
packets to connected
switches, updating the
switches' MAC address
tables
Interface
monitoring using
BFD (optional)
Direct interface
monitoring
Interface
monitoring using
IP-links (optional)
Interface
monitoring using
BFD (optional)
Firewall service
interfaces are
working in Layer
3, and are
connected to
routers.
Active/standby
failover and load
sharing
Firewall service
interfaces are
working in Layer
2 (transparent
mode) and are
connected to
Layer 2 switches.
Only supports
active/standby
failover
Interface monitoring
using VLANs
The primary device
advertises routes with
normal costs, and the cost
of routes advertised by
the backup device
increases by 65500.
The primary device's
VLAN is able to forward
traffic, while the backup
device's VLAN is
disabled. When the
primary device becomes
the backup device, the
interfaces in the primary
device's VLAN will go
down and then up,
triggering the upstream
and downstream Layer 2
devices to update their
MAC address tables.
355
Learn Firewalls with Dr. WoW
Hot Standby
Network
Supported
Scenarios
Fault Monitoring
Technique
Traffic Direction
Technique
Firewall service
interfaces are
working in Layer
2 (transparent
mode), and are
connected to
routers.
Only supports
load sharing
Interface monitoring
using VLANs
The primary device's
VLAN is able to forward
traffic, while the backup
device's VLAN is
disabled. When the
primary device becomes
the backup device, the
interfaces in the primary
device's VLAN will go
down and then up once,
triggering route
convergence on the
upstream and
downstream Layer 3
devices.
8.4 Explanation of the HRP Protocol
In the above introduction to VGMP packet structure we reviewed several kinds of HRP
packets, and in this section I'll explain the HRP protocol and several kinds of HRP packets for
everyone, including: HRP data packets, heartbeat link detection packets and HRP consistency
check packets.
You may be wondering: "Isn't HRP responsible only for data backup between two devices—
what's so difficult about this? Actually, there is still much more to discuss about HRP, and I'll
now reveal these juicy details about HRP for everyone.
8.4.1 HRP Overview
Firewalls use commands (Web configuration is actually also executing a command(s)) to
achieve the various functions required by users. If a configuration command is not backed up
to the backup device prior to a backup device becoming the primary device, then the backup
will not be able to achieve the primary device's functions, resulting in a service interruption.
In Figure 8-41, a security policy permitting an intranet user to access an external network has
been configured on the primary device (FW1). If the security policy configured on primary
device FW1 has not been backed up to backup device FW2, then if the primary device's state
changes, the new primary device (FW2) will not permit the intranet user to access the external
network (because the firewall's implicit deny policy denies packets that fail to match any
policy).
356
Learn Firewalls with Dr. WoW
Figure 8-41 Scenario where a configuration command has not been backed up
Internet
Internet
My security policy
permits packets from
the internal network to
the Internet.
FW1
A
My implicit deny
policy denies all
packets that fail to
match any policy.
Configuration
not backed up
Internal
network
FW2
S
FW1
S
Configuration
not backed up
FW2
A
Internal
network
The firewalls are stateful inspection firewalls, and have session table entries corresponding
with every dynamically generated connection. Many dynamic sessions are created on the
primary device, but not on the backup device, because no packets pass through it. If sessions
are not backed up to the backup device before the backup device becomes the primary device,
subsequent service packets will not match any session and will be discarded.
In Figure 8-42, a session for PC1 accessing PC2 (source address 10.1.1.10, destination
address 200.1.1.10), has been created on primary device FW1, and subsequent packets
between PC1 and PC2 will be forwarded according to this session. If the session on the
primary device (FW1) cannot be backed up to the backup device FW2, then after
active/standby state switching, PC1's subsequent packets accessing PC2 will not match a
session on FW2. This will result in the interruption of PC1's services accessing PC2.
357
Learn Firewalls with Dr. WoW
Figure 8-42 Scenario in which the session has not been backed up
PC2
200.1.1.10/24
PC2
200.1.1.10/24
Internet
Internet
I’ve created a session
for the traffic from PC1
to PC2. Packets from
PC1 to PC2 will match
this session.
FW1
A
PC1
10.1.1.10/24
I do not have the session
for the traffic from PC1 to
PC2. Packets from PC1 to
PC2 cannot match any
session.
Sessions not
backed up
Internal
network
FW2
S
FW1
S
PC1
10.1.1.10/24
Sessions not
backed up
FW2
A
Internal
network
Therefore, in order to ensure that the backup device is able to smoothly take over work when
the primary device fails, key configuration commands and state information such as session
tables, must be backed up between the primary and backup devices. To achieve this, Huawei
has introduced the HRP (Huawei Redundancy Protocol) protocol.
In Figure 8-43, a security policy permitting an intranet user to access an external network(s) is
configured on FW1, and FW1 will thus permit packets from intranet PC1 to the external
network's PC2, and will establish a session. As the HRP protocol (with hot standby configured)
is used on both FW1 and FW2, the security policy configured on FW1, as well as the session
created on FW1, will both be backed up to the backup device FW2. Therefore, packets from
PC1 to PC2 will not be denied after the active/standby failover.
358
Learn Firewalls with Dr. WoW
Figure 8-43 Scenario when session and configurations are backed up
PC2
200.1.1.10/24
PC2
200.1.1.10/24
Internet
Internet
I permit internal
network users to
access the Internet and
have created a session
for the traffic from PC1
to PC2.
FW1
A
PC1
10.1.1.10/24
I have a security
policy to permit the
traffic from PC1 to
PC2 and a session to
match the traffic.
Sessions and
configurations
backed up
Internal
network
FW2
S
FW1
S
PC1
10.1.1.10/24
Sessions and
configurations
backed up
FW2
A
Internal
network
To summarize the above, in an active/standby failover network, configuration commands and
state information are both backed up to the backup device from the primary device.
However, in a load sharing network, the two firewalls are both primary devices (they both
have active VGMPs), and thus if the primary devices are permitted to synchronize commands
between them, the two firewalls' commands may be overlapping or conflicting with one
another. Therefore, to avoid such problems, we define that in a load sharing network,
configuration commands are backed up only from the master configuration device
(whose command line prompt begins with HRP_A) to the backup configuration device
(whose command line prompt begins with HRP_S). However, state information is
backed up between both devices.
In load sharing, the first device on which hot standby is enabled is the master configuration device
(whose command line prompt begins with HRP_A).
8.4.2 HRP Packet Structure and Implementation Mechanisms
Firewalls use heartbeat interfaces (the HRP failover channel) to send and receive HRP data
packets to synchronize configuration and state information. In Figure 8-44, HRP data packets
have been sequentially encapsulated with a VRRP header, a VGMP header, and an HRP
header (listed from outside>in). Of these, the VRRP header's Type=2 and Type2=2. In the
VGMP header, the field "vType" corresponds with the "HRP data packet" value.
359
Learn Firewalls with Dr. WoW
Figure 8-44 Structure of an HRP data packet
VRRP header
Ver
Type
(2)
Auth Type
Complete HRP data
packet structure
VRID (0)
Type2
(2)
Interval
IP Count
Checksum
Authentication Data
MAC Header (14+ bytes)
VGMP header
IP Header (20+ bytes)
VRRP Header (16 bytes)
Ver
vType Mode
ID
Priority
VGMP Header (12 bytes)
Check Code
HRP Header (36 bytes)
Data Length
DATA
HRP header
Ptr (NULL)
Source Module ID
Source Sub Module ID
Dest Module ID
Dest Sub Module ID
Message Mode
Message Type
Message Length
Sequence
Error ID || Data
An explanation of the key parameters in an HRP header follows:
Source Module ID and Source Sub Module ID state which of this firewall's modules and
sub-modules' data need to be backed up.
Dest Module ID and Dest Sub Module ID state which modules and submodules data
need to be synchronied to the peer firewall.
360
Learn Firewalls with Dr. WoW
The process of HRP data backup is shown in Figure 8-45:
2.
When FW1 sends an HRP data packet, it will write the ASPF module's ID into the HRP
headers' "Source Module ID" and "Dest Module ID" fields, and encapsulate the ASPF
module's configuration and table entry information into the HRP data packet.
3.
FW1 sends the HRP data packet through the failover channel (heartbeat cable) to FW2.
After FW2 receives the HRP data packet, it will send configuration and table entry
information in the packet to its own ASPF module according to the "Source Module ID" and
"Dest Module ID" fields in the HRP header, and issues the configuration and table entries.
Figure 8-45 HRP data backup process
FW2
FW1
HRP data
packet
Failover channel
Above, I mentioned that USG6000 series firewalls and the USG2000/5000 series' V300R001
version firewall also support many kinds of VGMP and HRP packets being encapsulated into
UDP packets. Of course, we're introducing HRP data packets here, and the heartbeat link
detection packets and consistency check packets that I will discuss below can also be
encapsulated into UDP packets by adding a UDP header to the VRRP header. The structure of
UDP HRP data packets is shown in Figure 8-46.
Figure 8-46 Structure of UDP HRP data packets
A benefit of using UDP packets is that UDP packets can be transmitted across networks and
controlled by security policies because UDP packets are unicast packets.
8.4.3 HRP Backup Methods
Hot standby's HRP supports three backup methods—automatic backup, manual batch backup,
and fast backup. I'll describe these backup methods, and the differences between them, one by
one below
Automatic backup
The automatic backup function (the command is hrp auto-sync [ config |
connection-status ]) is enabled by default to automatically back up configuration
361
Learn Firewalls with Dr. WoW
commands in real time and periodically back up state information; this function is
used in various hot standby networks.
− After the automatic backup function is enabled, each time a command that can be
backed up is executed on the primary (master configuration) device, the configuration
command will be immediately synced and backed up onto the backup (backup
configuration) device.
Configuration commands (that can be backed up) can only be configured on the
primary (master configuration) device, and cannot be configured on the backup
(backup configuration) device. Configuration commands that cannot be backed up
can be configured manually on the backup (backup configuration) device. To view
which configuration commands can or cannot be backed up, please see 8.4.4
Configurations and State Information that HRP Can Back Up.
−
After enabling the automatic backup function, the primary device will periodically
back up state information (so long as it can be backed up) onto the backup device.
This means that the state information established on the primary device won't be
backed up in real time.
Automatic backup will not back up the following session types (only supported
by fast session backup):
Sessions to the firewall itself, for example a session generated when an
administrator logs in to the firewall
Half-open TCP connection sessions that have not completed a three way
handshake
Sessions that were only created for an initial UDP packet and are not matched by
subsequent packets.
Manual batch backup
Manual batch backup is done by executing the hrp sync { config | connection-status }
command on the primary device. After the command is executed:
−
The primary (master configuration) device will immediately sync configuration
commands (so long as they can be backed up) to a backup (backup configuration)
device.
−
The primary device will immediately sync state information (so long as it can be
backed up) to the backup device.
Fast backup
The fast session backup function (the command is hrp mirror session enable), is
used in load sharing to address scenarios in which the forward and return paths are
not the same. To ensure that state information is immediately synchronized, the fast
backup function only backs up state information, not configuration commands. The
backup of configuration commands is done by the automatic backup function.
After the fast backup function is enabled, the primary device will immediately
synchronize established state information that can be backed up (including the sessions
mentioned above that automatic backup does not support) onto the backup device in real
time.
To summarize the above, these three backup methods are generally used as follows:
automatic backup (hrp auto-sync [ config | connection-status ] is enabled by default, and
shouldn't be disabled; if configuration between primary/backup devices is not synced,
then the manual batch backup command (hrp sync [ config | connection-status ]) needs
to be executed; if the network uses load sharing, this generally requires enabling the fast
session backup function (hrp mirror session enable).
Below I'll explain why fast session backup is especially useful in load sharing networks.
362
Learn Firewalls with Dr. WoW
In load sharing networks, as the two firewalls are both primary devices, they can both forward
packets, and so there may be situations in which the forward and return packets take different
paths (passing through different firewalls). When this happens, if the state information has not
been immediately backed up between the firewalls, return packets will be discarded they
cannot match any state information, resulting in a service interruption.
To prevent this, the fast session backup function must be enabled in load sharing networks to
allow two firewalls to mutually back up state information in real time, so that return packets
can match the state information, regardless of which firewall they pass through.
In the example in Figure 8-47, FW1 and FW2 have formed a load sharing network. Packets
from an intranet PC to the server on the external network are forwarded through FW1, and a
session is established. As the forward and return paths are not the same, the return packets
sent from the server to the PC are forwarded to FW2. If at this time only the automatic backup
function is enabled, then FW1's session has not been backed up onto FW2. This means that
the return packets cannot match a session on FW2 and will be discarded.
If the fast session backup function is enabled, then sessions generated on FW1 will be
immediately backed up onto FW2. Therefore, return packets can match a session on FW2 and
be forwarded to the PC.
Figure 8-47 Scenario in which forward and return packets take different paths
Server
Internet
I’ve created a session for
the traffic from the PC to
the server and will back up
the session to FW2 after a
certain period of time.
I receive a packet, but
the session has not
been backed up from
FW1. Therefore, I have
to discard this packet.
Only auto-backup
is enabled.
FW1
A
FW2
A
PC
Internal
network
363
Learn Firewalls with Dr. WoW
8.4.4 Configurations and State Information that HRP Can Back
Up
The configurations firewalls can back up are shown below (as applies to the USG6000
firewall series' V100R001 version):
Policies: security, NAT, bandwidth management, authentication, and attack defense
policies, blacklists, and ASPF
Objects: addresses, regions, services, applications, users, authentication servers, time
intervals, URL classifications, keyword groups, email address groups, signatures,
security profiles (antivirus, intrusion prevention, URL filtering, file filtering, content
filtering, application behavior control, and email filtering profiles)
Networks: new logical interfaces, security zones, DNS, IPSec, SSL VPN, TSM
interworking
Systems: administrator and log configuration
Backup of display, reset and debugging commands is typically not supported.
From the above description we can see that a firewall network's basic configurations (such as
interface addresses and routes) cannot be backed up, and configuration of these needs to be
completed prior to the successful establishment of a hot standby state. Meanwhile, the
supported configurations listed above can be configured on the primary device alone after a
hot standby state has been successfully established.
The stateful information that firewalls can back up is shown below:
Session tables
Server-map tables
IP monitoring tables
Fragment caching tables
GTP tables
Blacklists
PAT port mapping tables
NO-PAT address mapping tables
8.4.5 Heartbeat Interface and Heartbeat Link Detection Packets
As shown in Figure 8-48, data backed up between two firewalls is sent and received through
the firewalls' heartbeat interfaces over the heartbeat link (the failover channel). A heartbeat
interface must have an IP address. This can be a physical interface or a logical interface (such
as an Eth-Trunk interface bonded by multiple physical interfaces to increase bandwidth).
Under normal circumstances, backup data constitutes about 20%-25% of service traffic, so the
number of physical interfaces depends on the volume of backup data.
364
Learn Firewalls with Dr. WoW
Figure 8-48 Physical and logical interfaces serving as the heartbeat interfaces
A physical interface acts as
the heartbeat interface.
FW1
GE1/0/1 running
1.1.1.1
running
GE1/0/1
1.1.1.2
FW2
An Eth-Trunk interface acts
as the heartbeat interface.
FW1
Eth-Trunk1
1.1.1.1
running
running
GE1/0/1
GE1/0/1
GE1/0/2
GE1/0/2
GE1/0/3
GE1/0/3
FW2
Eth-Trunk1
1.1.1.2
Heartbeat interface
HRP data packet
A heartbeat interface has five possible states (viewed by executing the command display hrp
interface):
invalid: this state is displayed when a firewall's heartbeat interface is incorrectly
configured (the interface is up, but the line protocol is down)—for example, the specified
heartbeat interface is a Layer 2 interface or the heartbeat interface's IP address has not
been configured.
Down: this state is displayed when a firewall's both the heartbeat interface and the line
protocol are down.
peerDown: when both the heartbeat interface and the line protocol are up, the heartbeat
interface will send a heartbeat link detection packet to its peer device's heartbeat
interface. If no response packet from the peer is received, the first firewall will set its
heartbeat interface's state as peerDown. However, the heartbeat interface will continue to
send heartbeat link detection packets to restore the link once the peer's heartbeat
interface is up.
ready: when both the heartbeat interface and the line protocol are up, the heartbeat
interface will send heartbeat link detection packets to the peer device's heartbeat
interface. If the peer's heartbeat interface responds to these packets (by also sending
heartbeat link detection packets), then the firewall will set its heartbeat interface's state
as ready, and be prepared to send and receive heartbeat packets at any time. The
heartbeat interface will continue to send heartbeat link detection packets to monitor the
state of the heartbeat link.
running: when a firewall has multiple heartbeat interfaces in the ready state, the firewall
will choose the heartbeat interface that was first configured to form the heartbeat link,
and will set this heartbeat interface's state as 'running'. If there is only one heartbeat
interface in the ready state, then it will naturally be the heartbeat interface that enters the
running state. The interface in the running state is responsible for sending HRP
heartbeat packets, HRP data packets, HRP consistency check packets and VGMP
365
Learn Firewalls with Dr. WoW
packets. The remaining 'ready' heartbeat interfaces will be in backup state, and if the
heartbeat interface in the running state or the heartbeat link fails, the remaining heartbeat
interfaces in ready state will replace the current heartbeat interface one by one in
configuration order. As shown in Figure 8-49, the order in which two firewalls' heartbeat
interfaces are configured is the same as the interface numbering scheme, so GE1/0/3
changes into the running state, and GE1/0/4 is in a backup state.
Figure 8-49 Heartbeat interface states
invalid
FW1
peerdown
GE1/0/1
GE1/0/2
2.2.2.1
peerdown
GE1/0/3
3.3.3.1
running
GE1/0/4
4.4.4.1
ready
down
GE1/0/1
1.1.1.2
FW2
GE1/0/2
running
GE1/0/3
3.3.3.2
ready
GE1/0/4
4.4.4.2
Interface
Heartbeat cable
HRP heartbeat link detection packet
HRP data packet
To summarize the above, the role of heartbeat link detection packets is to detect whether a
peer device's heartbeat interface can receive the other device's packets to determine
whether a heartbeat link can be used. So long as the sending device's heartbeat interface
and line protocol are both up, the heartbeat interface will send heartbeat link detection packets
to the peer's heartbeat interface.
Heartbeat link detection packets are also encapsulated with the new VRRP header.
When Type=2, and Type2=1 in the new VRRP header, packets are encapsulated into
heartbeat link detection packets.
Above, we discussed the fact that HRP heartbeat packets are used to detect whether the peer
device (VGMP group) is working normally. HRP heartbeat packets are only sent by the
primary device's VGMP group through a heartbeat interface in the running state.
8.4.6 HRP Consistency Check Packets' Role and Mechanism
HRP consistency check packets are used to check whether the hot standby configurations of
two firewalls in hot standby states are consistent and if their policy configurations are
identical. Consistency checking of hot standby configuration includes checking whether two
firewalls are monitoring the same service interfaces, and whether the same heartbeat
interfaces are configured on them. Policy configuration consistency checks primarily involve
checking whether two firewalls have identical policies, including security, bandwidth, NAT,
authentication, and audit policies. HRP consistency check packets are also encapsulated by
VRRP headers. When Type=2 and Type2=5 in a VRRP header, packets are encapsulated into
HRP consistency check packets.
366
Learn Firewalls with Dr. WoW
The implementation mechanism of the HRP consistency check is as follows:
1.
After the consistency check command (hrp configuration check { all | audit-policy |
auth-policy | hrp | nat-policy | security-policy | traffic-policy }) is executed, the device
will send a consistency check request packet to its peer and collect the brief
configuration information from its own relevant modules.
2.
After the peer device receives the request, it will collect the brief configuration
information from its own relevant modules, and then encapsulate the information into a
consistency check packet to return to the first device.
3.
The first device compares its own brief configuration with its peer's configuration, and
then records the compared information. The customer can execute the command display
hrp configuration check to view the results of the consistency check. The below results
show that the hot standby configuration is consistent.
HRP_A<FWA> display hrp configuration check hrp
Module
State Start-time
End-time
Result
hrp
finish 2008/09/08 14:21:56 2008/09/08 14:21:56 same configuration
8.5 Hot Standby Configuration Guide
Prior to deploying hot standby, please first select a suitable hot standby networking approach,
which can be:
Firewall service interfaces work in Layer 3, and are connected to switches.
Firewall service interfaces work in Layer 3, and are connected to routers.
Firewall service interfaces work in Layer 2, and are connected to switches.
Firewall service interfaces work in Layer 2, and are connected to routers.
Of these, when firewall service interfaces work in Layer 3, networking often will involve
different upstream and downstream devices— for example, connecting to switches upstream,
and to routers downstream. There is actually nothing particularly noteworthy about this.
After determining the hot standby networking approach, we also need to determine whether to
select the active/standby failover method or the load sharing method based on the following
principles:
If both the active/standby failover and load sharing methods are feasible, the
active/standby failover method is recommended.
If load sharing is deployed on other parts of the customer's network (for example the
egress gateway, core switches, etc.), then the customer generally will request that load
sharing be deployed on the firewalls, too.
When one firewall forwards all service traffic, if one or more of its three important
parameters— session table, throughput, and CPU usage— has exceeded 80% of the
maximum capacity for a long time, we must use the load sharing method.
Performance will degrade after security features such as IPS and antivirus are enabled on
a firewall. If a firewall's forwarding performance drops to below the existing network's
total capacity, then the load sharing method must be used.
The support for active/standby failover and load sharing depends on the hot standby
networking approaches, as shown in Table 8-9.
367
Learn Firewalls with Dr. WoW
Table 8-9 Support for the active/standby failover and load sharing methods
Networking Approach
Active/Standby Failover
Load Sharing
Firewall service interfaces work in Layer
3, and connect to switches.
Supported
Supported
Firewall service interfaces work in Layer
3, and connect to routers.
Supported
Supported
Firewall service interfaces work in Layer
2, and connect to switches.
Supported
Not supported
Firewall service interfaces work in Layer
2, and connect to routers.
Not supported
Supported
Before deploying hot standby, we still need to check of the two firewalls' hardware and
software to ensure that:
The two firewalls' product model and hardware configurations are identical, including
the locations, types and numbers of interface boards/cards, service boards, and main
processing units (MPU).
The two firewalls' software versions and Bootroom versions must be identical.
(Recommended) The firewalls' configuration files are the initial configuration files.
8.5.1 Configuration Process
The hot standby configuration process is shown in Figure 8-50. Understanding hot standby's
configuration process can help everyone understand the relationships between the hot standby
protocols we discussed before and in remembering the logic behind hot standby configuration.
368
Learn Firewalls with Dr. WoW
Figure 8-50 Hot standby configuration flowchart
Complete basic network
1
configuration.
Interface
Security zone
Routing
Security policy
Layer 3 service interface
connecting to a switch
Layer 2 service
interface
Layer 3 service interface
connecting to a router
Configure VGMP to monitor
VRRP groups.
Configure VGMP to monitor
interfaces.
Configure VGMP to monitor
VLAN
Interface view: vrrp vrid
Interface view: hrp track active |
standby
VLA view: hrp track active | standby
(Optional) Configure VGMP to
monitor remote interfaces.
2
Configure VGMP to
monitor interfaces.
hrp track ip-link
hrp track bfd-session
Configure the heartbeat
3
interfaces.
hrp interface
4 Enable hot standby
hrp enable
5 Configure a backup method.
Auto backup: hrp auto-sync
Manual batch backup: hrp sync
Quick session backup:
hrp mirror session enable
6 Configure security services.
The configuration steps in the flowchart are explained as follows:
2.
Complete basic network configuration.
− Interfaces: if the firewall's service interfaces are working in Layer 3, then IP
addresses need to be configured for every service interface. Service interfaces' IP
addresses must be fixed, and therefore the hot standby cannot work with features that
automatically acquire IP addresses such as PPPoE dialing and DHCP clients.
369
Learn Firewalls with Dr. WoW
If a firewall's service interfaces are working in Layer 2, they must be added into the
same VLAN.
In addition, the primary and backup devices need to select identical service and
heartbeat interfaces. For example, if the primary device selects GigabitEthernet1/0/1
as the service interface and GigabitEthernet1/0/7 as the heartbeat interface, then the
backup device also needs to make the same selections.
−
Security zone: all interfaces must be added to a security zone regardless of whether
they are Layer 2 or Layer 3 interfaces, and regardless of whether they are service
interfaces or heartbeat interfaces. Primary and backup devices' corresponding
interfaces must be added to the same security zone: if the primary device's
GigabitEthernet1/0/1 interface is added to the Trust zone, then the backup device's
GigabitEthernet1/0/1 interface must also be added to the Trust zone.
−
Routing: if a firewall's service interfaces are working in Layer 3 and are connected to
switches, we need to configure static routing on the firewall; if a firewall's service
interfaces are working in Layer 3 and are connected to routers, we need to configure
OSPF on the firewall; if a firewall's service interfaces are working in Layer 2, we do
not need to configure routing on the firewall.
−
Security policies: the primary types of packet exchanges between firewalls and other
devices in hot standby deployments are as follows:
VGMP and HRP packets are exchanged between two firewalls through their
heartbeat interfaces.
VRRP packets are exchanged between two firewalls through their service
interfaces.
When a firewall's service interfaces are working in Layer 3 and are connected to
switches, the firewall will send gratuitous ARP packets to the switches.
When a firewall's service interfaces are working in Layer 3 and are connected to
routers, the firewall needs to exchange OSPF packets with the routers.
When a firewall's service interfaces are working in Layer 2, OSPF packets sent
between the upstream and downstream devices need to pass through the firewall.
To ensure the normal establishment of a hot standby state, we need to configure
corresponding security policies to permit the aforesaid packets, as shown in Table 8-10.
Table 8-10 The security policies needed to establish hot standby
Packets
Security Policies
VGMP and HRP
packets
In USG9000 series firewalls, VGMP and HRP packets are not
controlled by security policies.
For USG2000/5000/6000 series firewalls, if the remote parameter
is not specified when configuring the heartbeat interface, VGMP
and HRP packets are multicast packets and are not controlled by
security policies; if the remote parameter is specified, VGMP and
HRP packets will be encapsulated into unicast UDP packets, and a
security policy needs to be configured between the heartbeat
interface's security zone and the Local zone to permit packets
destined to port 18514 for USG2000/5000 (18514 or 18515 for
USG6000) in both directions.
VRRP packets
VRRP packets are multicast packets, and are not controlled by security
policies
Gratuitous ARP
Gratuitous ARP packets are broadcast packets, and are not controlled
370
Learn Firewalls with Dr. WoW
Packets
Security Policies
packets
by security policies
OSPF packets
destined for the
firewall
A security policy permitting OSPF packets must be configured
between the security zones in which the upstream/downstream service
interfaces are located and the Local zone.
OSPF packets
passing through
the firewall
A security policy permitting OSPF packets must be configured
between the upstream service interface's zone and the downstream
service interface's zone.
After hot standby is successfully established, we can back up security policy configurations. However,
the security policies mentioned above are the foundation for establishing hot standby, and this must
therefore be completed separately on the two firewalls prior to configuring hot standby.
When configuring security policies, we generally first set the default security policy action as 'permit',
and then restore the default security zone action to 'deny' after configuring a specific security policy.
3.
Configure VGMP interface monitoring.
−
−
−
−
When firewalls' service interfaces are working in Layer 3 and are connected to
switches, a VRRP group(s) must be configured on the interfaces.
In active/standby failover, configure a VRRP group on the primary device's
service interface, and then add this VRRP group to the active VGMP group;
configure the same VRRP group on the backup device's service interface, and
then add this VRRP group to the standby VGMP group.
In load sharing, configure two VRRP groups on every service interface on each
device, and then add the VRRP groups to the active VGMP group and standby
VGMP group respectively. The same VRRP group must be added to different
VGMP groups on the two devices – the active VGMP group on one device, and
the standby VGMP group on the other device.
When a firewall's service interfaces are working in Layer 3 and are connected to
routers, VGMP direct interface monitoring must be configured on the interface.
In the active/standby failover method, the primary device's service interfaces
must all be added to the active VGMP group, and the backup device's service
interfaces to the standby VGMP group. The function of automatic OSPF cost
adjustment based on the VGMP state (hrp ospf-cost adjust-enable) must also
be configured.
In the load sharing method, each device's service interfaces must be added to
both the active and the standby VGMP groups.
When a firewall's service interfaces are working in Layer 2, VGMP monitoring of a
VLAN must be configured on the VLAN.
In the active/standby failover method, the primary device's service interfaces
need to all be added to the same VLAN, and then this VLAN is added to the
active group; the backup device's service interfaces must all be added to another
VLAN, and then this VLAN is added to the standby group.
In the load sharing method, all service interfaces for each device need to be
added to the same VLAN, and then this VLAN is simultaneously added to both
the active group and the standby group.
When the firewall needs to monitor remote interfaces, configure the VGMP to
monitor remote interfaces
371
Learn Firewalls with Dr. WoW
VGMP can monitor remote interfaces through IP-link or BFD. Under normal
circumstances, either of the two methods can be selected.
4.
Configure the heartbeat interface.
Directly connect the two firewalls' heartbeat interfaces if possible. In this case, you do
not need to specify the remote parameter in commands (e.g.: hrp track interface
GigabitEthernet1/0/7).
If two firewalls' heartbeat interfaces are connected through Layer 3 devices or if service
interfaces are used as heartbeat interfaces, the remote parameter must be used to specify
the peer's interface address (e.g: hrp track interface GigabitEthernet1/0/7 remote
10.1.1.2). After the remote parameter is specified, packets are encapsulated into UDP
unicast packets, and need to be controlled by security policies.
5.
Enable hot standby.
After completing configuration, we need to execute the hrp enable command to enable
the hot standby feature. If the above configurations were correct, a hot standby state will
be successfully established, and command prompt HRP_A will appear on one device and
HRP_S on the other.
6.
7.
Configure a backup method.
− The automatic backup (hrp auto-sync [ config | connection-status ]) function is
enabled by default, and I suggest that you do not disable this.
−
If configuration is not synced between the primary/backup devices, we must execute
the manual batch backup command (hrp sync [ config | connection-status ]).
−
If this is a load sharing network, we usually need to enable the fast session backup
function (hrp mirror session enable).
Configure security services.
After hot standby setup has been successfully completed, security services
configurations will typically be backed up by the primary (master configuration) device
onto the backup (backup configuration) device. Therefore, we only need to configure
security services on the primary device, and don't need to configure them on the backup
device. Common security services include security policies, NAT, attack defense,
bandwidth management, and VPN policies.
8.5.2 Configuration Check and Result Verification
After completing our hot standby configuration, we need to check the configuration and
verify the results as follows:
Step 1 View the command line prompt.
After successfully setting up hot standby, if a firewall's command line prompt begins with
HRP_A, this means that this firewall has become the primary device after negotiation with the
other firewall; if the command line prompt begins with HRP_S, this means that this firewall
has become the backup device following negotiation with the other firewall.
Step 2 Check whether the key hot standby configurations are correct according to Table 8-11.
Table 8-11 Hot standby configuration checklist
No.
Mandatory?
Item Checked
Command/Method
1
Mandatory
The two firewalls' product models and
software versions are identical.
display version
372
Learn Firewalls with Dr. WoW
No.
Mandatory?
Item Checked
Command/Method
2
Mandatory
The two firewalls' interface card types
and installation positions are identical.
display device
3
Mandatory
The two firewalls use the same service
interfaces.
display hrp state
4
Mandatory
The two firewalls use the same
heartbeat interfaces.
display hrp interface
5
Optional
If an Eth-Trunk interface is used as the
failover channel, the two firewalls'
Eth-Trunk interfaces have identical
member interfaces.
display
eth-trunk trunk-id
6
Optional
If a service channel is used as the
failover channel, both the heartbeat
interface and the IP address of the
heartbeat interface of the peer are
specified.
display
current-configuration
| include hrp interface
7
Mandatory
The two firewalls' interfaces are added
to the same security zone.
display zone
8
Mandatory
The two firewalls' configurations are
consistent (this includes hot standby,
audit, authentication, security, NAT,
and bandwidth policies.)
display hrp
configuration check
all
Service interfaces are working in Layer 3
8
Mandatory
IP addresses have been configured for
the two firewalls' interfaces.
display ip interface
brief
9
Mandatory
If the firewalls are connected to
switches, the two firewalls' service
interfaces are added to the same VRRP
groups and share a virtual IP address.
display vrrp interface
interface-type
interface-number
10
Mandatory
If the firewalls are connected to
switches, the next hop of the firewalls'
upstream and downstream devices have
been set to the VRRP groups' virtual IP
addresses.
Check the firewalls'
upstream and
downstream device's
static routing
configurations.
11
Mandatory
If the firewalls are connected to routers,
the two firewalls' service interfaces are
added to the correct VGMP group. In
active/standby failover, the primary
device's service interfaces are added to
the active VGMP group, and the backup
device's service interfaces to the
standby VGMP group. In load sharing,
the two devices' service interfaces are
added to both the active and standby
VGMP groups.
display hrp state
373
Learn Firewalls with Dr. WoW
No.
Mandatory?
Item Checked
Command/Method
12
Mandatory
If the firewalls are connected to routers,
the firewalls are correctly running
OSPF, and the OSPF area does not
include the heartbeat interfaces.
display ospf
[ process-id ] brief
13
Mandatory
If firewalls are connected to routers,
automatic OSPF cost adjustment based
on active/standby state is configured.
display
current-configuration
| include hrp ospf-cost
Service interfaces are working in Layer 2
14
Mandatory
A firewall's upstream and downstream
service interfaces are added to the same
VLAN.
display port vlan
[interface-type
interface-number ]
15
Mandatory
The firewalls' VLANs are added to the
correct VGMP groups. In
active/standby failover, the primary
device's VLAN is added to the active
VGMP group, and the backup device's
VLAN to the standby VGMP group. In
load sharing, the two devices' VLANs
are each added to both the active and
standby VGMP groups.
display hrp state
16
Mandatory
If the firewalls are connected to
switches, the active/standby failover
method is used.
display hrp group
17
Mandatory
If the firewall is connected to routers,
the load sharing method is used.
display hrp group
Checks for load sharing alone
18
Mandatory
The fast session backup function is
enabled.
display
current-configuration
| include hrp mirror
19
Optional
The port range of the NAT address pool
is correctly specified.
display
current-configuration
| include hrp nat
Prior to a firewall officially going online, complete the verification in steps 3 and 4.
Step 3 In the primary device's interface view, execute the shutdown command to verify whether the
primary/backup devices conduct failover.
After the shutdown command is executed on one of the primary device's service interfaces,
the state of this primary device interface will change to down, but its other interface(s) will be
working normally. The backup device's command line prompt will begin with HRP_A instead
of HRP_S, and the primary device's command line prompt will begin with HRP_S instead of
HRP_A. Traffic will be normally forwarded, indicating that active/backup failover succeeds.
374
Learn Firewalls with Dr. WoW
After the undo shutdown command is executed on the same interface on the primary device,
the state of the interface changes back to up. After the preemption hold-down time expires, the
primary device's command prompt will begin with HRP_A gain instead of HRP_S, and the
backup device's command prompt will begin with HRP_S instead of HRP_A. Traffic will be
normally forwarded, demonstrating that the preemption has succeeded.
Step 4 In the primary device's user view, execute the reboot command to reboot the device and
verify whether the primary/backup devices conduct failover.
If the backup device's command prompt begins with HRP_A instead of HRP_S, and traffic is
normally forwarded after the reboot command is executed on the primary device, the failover
succeeded.
After the primary device has completed its reboot and the preemption hold-down time expires,
the primary device's command prompt will begin with HRP_A instead of HRP_S, the backup
device's command prompt will begin with HRP_S instead of HRP_A, and traffic will be
normally forwarded, demonstrating that the preemption has succeeded.
375
Learn Firewalls with Dr. WoW
9
Multi-homing
9.1 Multi-homing Overview
In "What Are Firewalls" I mentioned that firewalls are primarily deployed on network borders
to separate intranets from external networks. However, firewalls also assume the role of
interconnecting these same intranets and external networks, as the traffic exchanged between
these intranets and external networks must all be forwarded through the firewalls. In
real-world scenarios, due to bandwidth and reliability requirements, enterprises will lease
multiple Internet-link bandwidth resources from multiple ISPs, meaning that their egress
position firewall(s) will be connected to the Internet via multiple egress links. Therefore, how
to select a suitable egress link for user traffic is a problem that needs to be considered by
enterprise network administrators.
I'll thus specially summarize several common methods of multi-homing in multiple egress
environments in which firewalls serve as enterprise egress network gateways. Below, I'll give
an initial introduction to these multi-homing methods, so that everyone can first gain a basic
understanding of them.
9.1.1 Shortest Path Routing
Shortest path routing is a multi-homing method completed through a combination of default
routing and specific routing. This method is relatively simple, and is also the most commonly
used. As shown in Figure 9-1, using default routes can ensure that enterprise user data and
traffic is all matched to routes and forwarded, while using specific routes allows user traffic
accessing a certain ISP to be forwarded from the link connected to this ISP, avoiding traffic
being sent on a circuitous path from another ISP link—this is what is known as shortest path
routing. However, with so many services on the Internet, it's impossible to configure specific
routes one by one, so is there a simple method to configure specific routes en masse? This is
where the ISP routing function comes into play. The ISP routing function collects each ISP's
well-known network segments within a firewall, and issues static routes in batches by
configuring designated egress interfaces and next hops, greatly reducing the workload
involved in configuring specific routes.
376
Learn Firewalls with Dr. WoW
Figure 9-1 Shortest path routing
ISP1
ISP2
Firewall
Enterprise network
Specific route
Default route
Configuring the specific routing +default routing method of multi-homing is very simple,
convenient and practical, and can be used in standard enterprise networks. However, if
enterprises need to conduct differentiated forwarding of traffic for certain special users (such
as managers) or for certain special applications (P2P downloads), this routing method cannot
be used. Therefore, I'll introduce a second multi-homing method below: policy-based routing.
9.1.2 Policy-based Routing
Policy-based routing is exactly what it sounds like—it entails forwarding packets based upon
specific policies. Therefore, policy-based routing is a more flexible forwarding mechanism
than standard static routing and dynamic routing. When routing devices forward packets, they
first filter the packets based upon pre-configured rules, with packets that are successfully
matched being forwarded according to a fixed forwarding policy. The rules discussed here can
be based in the source IP address, the destination IP address, or can be user-based or based in
a certain type of special application.
In Figure 9-2, an enterprise intranet has a high volume of P2P services, and in order to ensure
the bandwidth needs of a special user (the managers), policy-based routing can be used to
formulate rules allowing traffic from the manager and other special users to be forwarded
from the ISP1 link (which has stable link bandwidth), while P2P and other high traffic
services are designated to be forwarded from the ISP2 link (which has uplink and downlink
bandwidths that are greatly unequal— for example, a situation in which the uplink bandwidth
is 50 Mbit/s, and the downlink bandwidth is 500 Mbit/s).
377
Learn Firewalls with Dr. WoW
Figure 9-2 Policy-based routing
ISP1
ISP2
Manager’s
traffic
P2P service
traffic
Firewall
Enterprise
network
Manager
P2P service
Manager’s service traffic
P2P service traffic
Policy-based routing equips enterprise network administrators with a more flexible measure
by which to control traffic: so long as they have a prior understanding of the merits of the
egress links' bandwidths, administrators can allow important users and key services to be
forwarded from links with stable bandwidths. However, policy-based routing requires that
humans (administrators) interfere with traffic routing, and is also not able to assign specific
bandwidth for links (for example, stipulating that a link's maximum bandwidth is 500 Mbit/s).
This is not, however, an issue when using smart routing equipped with "intelligent"
deterministic abilities, as smart routing can choose the most optimal egress link for intranet
user traffic using system-initiated determination, and can set fixed egress bandwidth based
upon the unique properties of a certain link's bandwidth, thereby achieving its goal of
forwarding traffic intelligently.
In summary, each of the two types of routing for multi-homing have their own special features,
and their use scenarios are also different from one another. Administrators can select an
appropriate routing method based upon their network's actual needs. Of course, network
conditions in actual networks are complex, and user needs are diverse and multitudinous, so it
may be difficult for a single routing method to satisfy all needs. If this is the case, multiple
routing methods should be used together in a complementary fashion to complete complex
network planning. In the following sections, we'll introduce the mechanisms and application
of each multi-homing routing method one by one.
9.2 Shortest Path Routing
9.2.1 Default Routing vs. Specific Routing
What is shortest path routing? Just as it sounds, this entails selecting the closest path. For
networks with multiple egresses, shortest path routing refers to packets choosing the link that
will involve the smaller cost to reach the destination network for use in forwarding. Now, how
do packets select the link with the smaller cost for forwarding? This can be accomplished
378
Learn Firewalls with Dr. WoW
using default routes and specific routes. Below, I'll answer several questions to introduce a
few of the essential concepts behind default routing and specific routing and help everyone in
understanding this.
Question 1: What is default routing, and is default routing a kind of static routing?
Actually, default routing is a special kind of routing that can be configured through static
routes or generated through dynamic routes such as OSPF and IS-IS. Therefore, default
routing is actually not a kind of static routing. In routing tables, the default route has a
destination network of 0.0.0.0 and a subnet mask of 0.0.0.0. Below is a default route in a
routing table:
[FW] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 1
Destination/Mask
0.0.0.0/0
Routes : 2
Proto Pre Cost
Static 60 0
Static 60 0
Flags NextHop
RD
10.1.1.2
RD
10.2.0.2
Interface
GigabitEthernet2/2/21
GigabitEthernet2/2/17
If a packet's destination address cannot be matched with any route, then the system will use
default routing to forward this packet.
Question 2: What are specific routes?
I, Dr. WoW, believe that specific routing is defined comparatively against default routing; all
routes in a routing table that are not default routes are specific routes. For example,
10.1.0.0/16 and 192.168.1.0/24 are both specific routes when compared with the default route.
Compared to the parent route 10.1.0.0/16, the routes 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24
are all specific routes. There is no relationship between specific routes and the protocol type,
so specific routes can be configured as static routes or can be generated by dynamic routing
policies.
Question 3: How do packets check the routing table?
As everyone may know, when packets check the routing table, they conduct their check based
upon the longest matching principle, but what exactly does this mean? To give an example, a
routing table has three routes, 10.1.0.0/16,10.1.1.0/24 and 0.0.0.0/0. When packets with a
destination address of 10.1.1.1/30 check the routing table, the route that they ultimately match
is the 10.1.1.0/24 route, because when a packet checks the routing table, a packet's destination
address is matched digit by digit with the routing table's entries' masks using "AND" logic,
and if the obtained address corresponds with a routing table entry's network address then they
match. Ultimately, the longest matching routing table entry is selected to forward the packet.
If a packet with the destination address of 192.168.1.1/30 checks the routing table, it will only
be able to be matched to the default route 0.0.0.0/0 (because the packet's destination address
cannot be matched with any specific route) and so the system will ultimately use default
routing to forward this packet.
From the above questions it should be clear that when there are specific routes in a routing
table, the packet is first matched to a specific route, and only if there is not a matching
specific route is the default route(s) checked.
Below, we'll look at Question 4: How is routing conducted when there are multiple default
routes?
379
Learn Firewalls with Dr. WoW
Let's first look at the networking approach shown in Figure 9-3. We've configured two default
routes on a firewall, with one that has a next hop of R1 and one that has a next hop of R2.
Let's ping the two server addresses on the destination network from the PC.
Figure 9-3 Default route multi-homing
R1
10.10.10.10/32
ISP1
GE0/0/3
PC
192.168.0.2/24
GE0/0/1
GE0/0/2
Firewall
GE0/0/3
10.1.1.2/24
Target
network
GE0/0/2
10.1.2.2/24
ISP2
R2
10.10.11.11/32
The two default routes are configured as follows on the firewall:
[FW] ip route-static 0.0.0.0 0 10.1.1.2
[FW] ip route-static 0.0.0.0 0 10.1.2.2
A packet capture on FW's GE0/0/3 interface shows that the packets have both been forwarded
from GE0/0/3:
Why did this happen? Did the two default routes not load distribute? In fact, for multi-homing
routing when there are multiple default routes, the specific link that a packet travels is
calculated by a HASH algorithm involving the source IP address+the destination IP address.
This kind of algorithm primarily looks at a packet's source IP address and destination IP
address, so when addresses are different, the calculated results will also be different. Using
this kind of algorithm, the opportunity to forward packets is identical between equal-cost
routes. To give an example, if packets' source IP addresses are the same, and the destination IP
addresses neighbor one another, for example 10.1.1.1 and 10.1.1.2, then during path selection,
each link will forward one stream of packets. However, as the source and destination IP
addresses for a network's traffic accessing external networks are random, the results of the
HASH algorithm are completely uncontrollable. Therefore, although the default routes are
equal-cost routes, it's possible that the packets will all be forwarded from one link. This is also
why the packets in the above example were both forwarded from interface GE0/0/3.
What I discussed above was a bit of basic knowledge. Now let's look at how the 'default
routing+specific route' shortest path routing method selects the shortest path. Let's first look at
a simple network environment, shown in Figure 9-4.
380
Learn Firewalls with Dr. WoW
Figure 9-4 Multiple egress network diagram
Path 1: longer way
ISP1
Firewall
Enterprise
network
Path 2: shorter way
ISP2
Server
Path 1
Path 2
In the above figure, when enterprise intranet users access an external network server, there are
two paths for associated packets through the firewall. Under normal circumstances,
enterprises generally configure two default routes on an egress firewall, one for each ISP.
Above, I mentioned that in path selection via default routing, a source IP+destination IP
HASH algorithm determines the path by which data packets are forwarded. This may result in
traffic accessing ISP2's server being forwarded through Path 1 in the figure after the HASH
algorithm is calculated, meaning that the packet would be sent on Path 1 to ISP1, and then
sent through ISP1 to ISP2, travelling a large loop before finally reaching its ultimate
destination. This would severely and negatively affect forwarding efficiency and user
experience.
So, what method can we use to ensure packets do not travel a circuitous path? The answer is
to configure specific routing. As we discussed above, packets are preferentially matched to
specific routes, and only look for default routes if there is not a specific route they can be
matched to. For the network shown in Figure 9-4, we could configure a specific route to the
server, with the next hop pointing to ISP2. In this way, after packets are matched to this
specific route they will not be forwarded circuitously. From the figure it can be seen that the
path selected for sending packets is the shortest of the two paths, which is what we mean by
'shortest path routing.' We can also verify this using the network shown in Figure 9-3. We
configure two static routes on the firewall such as the ones below:
[FW] ip route-static 10.10.10.10 255.255.255.255 10.1.1.2(Next hop is R1's address)
[FW] ip route-static 10.10.11.11 255.255.255.255 10.1.2.2(Next hop is R2's address)
A packet capture on the firewall's GE0/0/3 interface shows that there are only packets going
to 10.10.10.10:
381
Learn Firewalls with Dr. WoW
A packet capture on the firewall's GE0/0/2 interface shows that there are only packets going
to 10.10.11.11.
This proves that the packets preferentially checked for the two specific routes that we just
configured. However, in real-world network environments, there are many servers on the
Internet, and asking administrators to configure so many specific routes on egress network
gateway firewalls is not realistic. Is there a convenient and fast method to configure specific
routes? This requires that the ISP routing function step into the limelight. But what exactly is
ISP routing?
9.2.2 ISP Routing
In the term 'ISP routing', we can see the key acronym "ISP", which indeed speaks to this
method's functionality. Each ISP has their own public well-known network segments, and if
all of these public well-known network segments were configured into specific routes as we
discussed above, then none of the packets going to this ISP would be forwarded in a
circuitous fashion. How can we change an ISP's public well-known network segments into
specific routes?
First, the administrator needs to collect together all of the public network segments within an
ISP (these can be found through online searches), and then compile the address network
segments into a file with an extension of .csv (we'll call this the ISP address file). The
compilation requirements are as shown in Figure 9-5:
Figure 9-5 Compiling an ISP address file
After the ISP address file's compilation is complete, we need to upload this onto the firewall's
designated path, for example onto a CF Card. There are many upload methods, such as SFTP,
FTP, TFTP, etc., and these will not be described here.
After the ISP address file has been uploaded to the firewall, the egress interface and next hop
are configured, so that after the ISP routing function is enabled, each IP address segment in
the ISP address file will be converted into a separate static route. In this way, the entire ISP
382
Learn Firewalls with Dr. WoW
address file will morph into a script for configuring a batch of static routes for one ISP, and
you won't need to worry about configuring an enormous number of static routes again!
Below, we'll use an experimental network to verify the results of multi-homing using ISP
routing; this network is shown in Figure 9-6.
Figure 9-6 ISP routing network diagram
Server
210.1.1.1/32
Server
210.1.1.2/32
ISP1
GE2/0/1
201.1.1.1/24
Enterprise
network
Server
210.1.1.3/32
GE2/0/2
202.1.1.1/24
Server
220.1.1.3/32
Firewall
ISP2
Server
220.1.1.2/32
Server
220.1.1.1/32
Path 1
Path 2
In this network, we've separately compiled ISP1 and ISP2's address network segments into the
files ispa.csv and ispb.csv respectively.
We first used methods such as SFTP, FTP, TFTP, etc. to upload the two csv files onto the
firewall's designated path. The USG9500 firewall series' path is cfcard:/isp/; the USG6000
firewall series' path is hda1:/isp/.
After completing the upload of the csv files, a related command is used to configure the
corresponding egress interface and next hop, and the ISP routing function is enabled. Using
the USG9500 firewall series as an example, the configuration command is as below:
[FW] isp set filename ispa.csv GigabitEthernet 2/0/1 next-hop 201.1.1.2
In addition to this, we can also use the Web configuration method to configure ISP routing.
This method is even simpler, and csv file uploading and configuration(s) input can be
completed in one step. Using USG9500 as an example, the input method is shown in Figure
9-7.
383
Learn Firewalls with Dr. WoW
Figure 9-7 Using the Web configuration method to enable ISP routing
The input method for ispb.csv is the same as for ispa.csv, with the exception that the egress
interface and next hop are changed to GE2/0/2 and 202.1.1.2 respectively:
Destination/Mask
210.1.1.1/32
210.1.1.2/32
210.1.1.3/32
220.1.1.1/32
220.1.1.2/32
220.1.1.3/32
Proto
ISP
ISP
ISP
ISP
ISP
ISP
Pre Cost
60 0
60 0
60 0
60 0
60 0
60 0
D
D
D
D
D
D
Flags NextHop
201.1.1.2
201.1.1.2
201.1.1.2
202.1.1.2
202.1.1.2
202.1.1.2
Interface
GigabitEthernet2/0/1
GigabitEthernet2/0/1
GigabitEthernet2/0/1
GigabitEthernet2/0/2
GigabitEthernet2/0/2
GigabitEthernet2/0/2
When an intranet user accesses a server belonging to ISP1, after packets are matched to the
routing table they are forwarded from interface GigabitEthernet2/0/1; likewise, when one of
ISP2's servers is accessed, packets are forwarded from interface GigabitEthernet2/0/2. This
guarantees that packets are always forwarded to the destination network via the shortest path.
In the above routing table, it can be seen that ISP routing and static routing are extremely
similar; in the routing table, other than the fact that the protocol type is ISP, the table's other
content is exactly the same as with static routing. Moreover, these two kinds of routing can
overlap one another; for example, if a static route is first configured and then an ISP route
with the same destination address and next hop is imported, this route's protocol type will
change from static to ISP in the routing table (the opposite is true as well). However, in
real-world use, there are still several differences between ISP routing and static routing:
2.
Static routes are configured manually route by route, and can be displayed in the
configuration file; ISP routes can only be input collectively via the method described
above, and cannot be displayed in the configuration file.
3.
Static routes can be deleted and added; for ISP routing, deletions and additions may only
be of the address network segments in the ISP address file, but single ISP routes cannot
be deleted or added using commands.
384
Learn Firewalls with Dr. WoW
What we discussed above was the process of an administrator building ISP routes, but in
actuality, firewalls have already been equipped with factory default csv files for 4
ISPs—china-mobile.csv (China Mobile), china-telecom.csv(China Telecom),
china-unicom.csv (China Unicom) and china-educationnet.csv (CERNET)— and so ISP
routing for these can be enabled simply by the admin executing the input.
To summarize, at the core of shortest path routing is a 'head to head battle' between the three
kinds of routing:
Default equal-cost routing allows all packets passing through a firewall to be matched to
a route and forwarded, but there is no way to ensure that packet forwarding uses the
shortest link for forwarding (the packet's forwarding egress is selected through a HASH
algorithm involving the source IP address+the destination IP address).
Specific routing ensures that packets accessing different ISP servers from one another are
all forwarded from the firewall's link connected to the corresponding ISP, achieving
shortest path access, however, the difficulty involved in configuring a large number of
specific routes manually is a problem for enterprise network administrators.
ISP routing, on the other hand, fills in the deficiencies of specific routing in terms of the
difficulty presented by large batch manual configuration, allowing for specific routes to
be configured for all of an ISP's address network segments in just a matter of minutes.
Each of these three kinds of routing has their own unique properties, and only using them
together allows for each of them to make up for the others' shortcomings so that their strong
points may be displayed. In this sort of combined use, specific routing and ISP routing are
used to direct packets in being forwarded by the shortest path, with packets that can't be
matched to a specific route then being forwarded through checking for a default route.
However, the shortest path routing method is only a basic method of conducting routing for
multi-homing. As we know, route checking in this method is performed using packets'
destination addresses, and this is where a problem arises: if an admin wishes to differentiate
between intranet users and allow users with different priority levels to forward packets from
different links, or if the admin wishes to differentiate the links used to forward traffic based
upon different applications, these goals cannot be completed through checking for routes
using the destination address. To accomplish this, we need more flexible path selection
mechanisms, for example using packets' source IP address, the application protocol type, etc.
to differentiate user traffic, and then furthermore conduct differentiated forwarding of this
different user traffic. Therefore, our focus naturally shifts to policy-based routing.
9.3 Policy-based Routing
Now that we've reached policy-based routing, the first thing that comes to my mind is that in
its early years, policy-based routing's greatest use in China was in interconnecting China
Telecom and China Netcom. After Telecom and Netcom split into different companies, a
networking environment unique to China formed, with the south of the country being
dominated by China Telecom and the north by Netcom (which now has merged into China
Unicom). When networks only had single egresses, service for Telecom users accessing
Netcom services was relatively slow, as was service for Netcom users accessing Telecom's
services. Therefore, people thought of an enterprise network dual egress plan consisting of
network egresses that connected to both Telecom and Netcom. The widespread use of the dual
egress plan allowed policy-based routing to display its functionality! Configuring
policy-based routing on enterprise egress network gateway devices allowed Telecom traffic to
use each network's Telecom egress, and Netcom traffic to use each network's Netcom egress.
385
Learn Firewalls with Dr. WoW
How did policy-based routing accomplish the splitting of Telecom and Network traffic? Let's
begin by describing what policy-based routing is.
9.3.1 Policy-based Routing Concepts
So-called 'policy-based routing' is exactly what it sounds like: forwarding packets based on
specific policies. Moreover, these policies are human-formulated, and therefore policy-based
routing is a more flexible mechanism for multi-homing than the traditional method of
selecting routes based upon destination address. After policy-based routes are configured on a
firewall, the firewall first conducts filtering of the packets it receives based upon the rules
configured in policy-based routing. After matching is successful, the packets are then
forwarded according to specific forwarding policies. The 'configured rules' need matching
conditions to be defined, usually using ACL; meanwhile, the "specific forwarding policies"
require related actions be executed according to the matching condition(s). Therefore, we can
deduce that policy-based routing is comprised of the following two components:
Matching conditions (defined using ACL)
Used to differentiate traffic that will be forwarded using policy-based routing. Matching
conditions include: packets' source IP address, destination IP address, protocol type,
application type, etc. The matching conditions that can be set by different firewalls are
different. One policy-based routing rule may contain multiple matching conditions,
related in an "And" manner, and packets must satisfy all of the matching conditions
before the subsequent defined forwarding action can be executed.
Actions
Involve performing an action (such as designating the egress interface and next hop) on
traffic that meets the matching conditions.
When there are multiple policy-based routing rules, a firewall will accord with their matching
order and check the first rule first; if the first policy-based routing rule's matching condition is
met, then the packet will be processed using the designated action. If the first rule's matching
condition is not met, then the firewall will check the next policy-based routing rule. If all
policy-based routing rules' matching conditions cannot be met, the packet will be forwarded
according to the routing table— policy-based routing matching is completed prior to a packet
checking the routing table, which is to say that policy-based routing's priority is higher than
that of routing. The process for policy-based routing rule matching is shown in Figure 9-8.
386
Learn Firewalls with Dr. WoW
Figure 9-8 Process of policy-based routing rule matching
PBR rule 1
Packet
Condition
Rule 2
Matched
Action
Mismatched
Condition
Matched
Action
Mismatched
Rule 3
Condition
……
Matched
Action
Mismatched
Forward based on
the routing table
Redirect to the next hop
or outbound interface
Additionally, if the status of the egress interface designated by policy-based routing is 'Down'
or the next hop cannot be reached, the packet will be forwarded by checking the routing table.
Now that we've finished discussing the basic principles of policy-based routing, let's look
back at how policy-based routing was able to bring about the forwarding of Telecom traffic by
Telecom and Netcom traffic by Netcom.
9.3.2 Destination IP Address-based Policy-based Routing
We'll use a network environment (shown in Figure 9-9) to verify the results of this kind of
policy-based routing.
Figure 9-9 Destination IP address-based policy-based routing
PC1
192.168.0.2/24
Internal network
192.168.0.0/24
Server
10.10.11.11/32
R1
GE0/0/3
Trust
192.168.0.1/24
GE0/0/1
Untrust
10.1.1.1/24
Telecom
10.1.1.2/24
Firewall GE0/0/2
Untrust1
10.1.2.1/24
Target
network
10.1.2.2/24
Netcom
Server
10.10.10.10/32
R2
Here, the firewall is serving as the enterprise's egress network gateway and is connected to the
Internet via two links. Of these, the link passing through R1 is Telecom's line, and the link
passing through R2 is Netcom's line. At this point, we'll want to allow enterprise users
387
Learn Firewalls with Dr. WoW
accessing server 10.10.11.11/32 to be forwarded through the Telecom path, while users
accessing server 10.10.10.10/32 are forwarded through the Netcom path.
If two default routes are configured on the firewall, when enterprise users access the two
services 10.10.11.11/32 and 10.10.10.10/32, we can see that all corresponding packets are
forwarded through the R1 link. We discussed this in the shortest path routing section
above—path selection for default routing is accomplished using a source IP
address+destination IP address HASH algorithm that calculates the egress link chosen by
packets, and there is no way to ensure that the requirement that traffic accessing
10.10.11.11/32 be forwarded through the Telecom line and traffic accessing 10.10.10.10/32 be
forwarded through the Netcom line is fulfilled.
Below, we'll configure policy-based routing on the firewall, and look at what the results of
this experiment are. The configuration is as follows (we'll use the USG2000/5000 firewall
series in this example):
1.
Configure the matching conditions to be based on the packet's destination address.
[FW] acl number 3000
[FW-acl-adv-3000] rule 5 permit ip destination 10.10.11.11 0
[FW-acl-adv-3000] quit
[FW] acl number 3001
[FW-acl-adv-3001] rule 5 permit ip destination 10.10.10.10 0
[FW-acl-adv-3001] quit
2.
Configure policy-based routing.
[FW] policy-based-route test permit node 10
[FW-policy-based-route-test-10] if-match acl 3000
matching condition
[FW-policy-based-route-test-10] apply ip-address next-hop 10.1.1.2
action, redirect Telecom as the next hop
[FW-policy-based-route-test-10] quit
[FW] policy-based-route test permit node 20
[FW-policy-based-route-test-20] if-match acl 3001
matching condition
[FW-policy-based-route-test-20] apply ip-address next-hop 10.1.2.2
//apply
// configure
//apply
// configure
action, redirect Netcom as the next hop
[FW-policy-based-route-test-20] quit
3.
Apply policy-based routing.
[FW] interface GigabitEthernet0/0/3
[FW-GigabitEthernet0/0/3] ip policy-based-route test
//apply
policy-based routing on the ingress interface
[FW-GigabitEthernet0/0/3] quit
After configuration is complete, we ping both the 10.10.11.11 and10.10.10.10 addresses
from the PC, and the pings go through successfully. We can also take a look on the
firewall at the detailed information expressed in the session table, displayed below:
[FW] display firewall session table verbose
Current total sessions: 2
icmp VPN: public --> public
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:16
Interface: GigabitEthernet0/0/1 Nexthop: 10.1.1.2 MAC:54-89-98-1d-74-24
<--packets: 4 bytes: 240 -->packets: 4 bytes: 240
192.168.0.2:54999 --> 10.10.11.11:2048
icmp VPN: public --> public
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:17
388
Learn Firewalls with Dr. WoW
Interface: GigabitEthernet0/0/2 Nexthop: 10.1.2.2 MAC:54-89-98-ea-53-c9
<--packets: 4 bytes: 240 -->packets: 4 bytes: 240
192.168.0.2:63959 --> 10.10.10.10:2048
From the displayed information we can see that packets going to 10.10.11.11 are
forwarded from the firewall's GE0/0/1 interface, with the next hop as the address of the
interface connecting R1 with the firewall; meanwhile, packets going to 10.10.10.10 are
forwarded from the firewall's GE0/0/2 interface, with the next hop as the address of the
interface connecting R2 with the firewall. This therefore accomplishes the requirement
of traffic accessing 10.10.11.11/32 being forwarded from Telecom's path and traffic
accessing 10.10.10.10/32 being forwarded from the Netcom path.
Having read to here, some may say, "The shortest path access introduced in the previous
section can also accomplish this objective." Correct! Indeed, as the 'default
routing+specific routing' method of shortest path routing forwards packets according to
destination address, and as the policy-based routing configured above also uses packet's
destination addresses as the condition for formulating the forwarding policy, these are
both able to accomplish the same objective.
However, in reality, traditional static routes and dynamic routes are only able to provide
a relatively simple routing method for users based upon a packet's destination
address—this primarily solves network packet forwarding problems, but is not able to
provide flexible service. Policy-based routing, on the other hand, is different—it allows
network administrators to not only be able to choose forwarding routes based upon
destination address, but also to be able to do this based upon packet source IP address,
protocol type, application type or other conditions. Therefore, policy-based routing
provides greater control over packets than traditional routing protocols.
9.3.3 Source IP Address-based Policy-based Routing
If it seems there was still some crossover between the application of policy-based routing
described in the last section and that of shortest path routing, then let's look at another
application of policy-based routing. Everyone knows that networks today are developing
towards Fiber to the Home (FTTH), however, the cost associated with fiber-optics is not a
small one in today's China, and many networks therefore use the fiber + ADSL connection
method, which entails two simultaneous connections to the Internet via two lines of different
speeds. This means that we can configure policy-based routing to allow traffic with relatively
high priorities to use the fiber-optic connection, while traffic with relatively low priorities
uses the ADSL connection.
Figure 9-10 Source IP address-based policy-based routing
Employee
192.168.0.2/24
R1
GE0
/0/3
T
192.
168. rust
0.1/2
4
GE0/0/1
Untrust
10.1.1.1/24
ISP1
10.1.1.2/24
Target
network
10.1.2.2/24
/0/4
GE0 st
Tru Firewall GE0/0/2
Untrust1
/24
10.1
10.1.2.1/24
168.
192.
Manager
192.168.10.10/24
Server
10.10.10.10/32
ISP2
R2
389
Learn Firewalls with Dr. WoW
In this scenario, the firewall is the enterprise's egress network gateway, and is connected to the
Internet through two links belonging to different ISPs. Of these, the link passing through R1
has a relatively high bandwidth bitrate—let's say it is 10 Mbit/s; the link passing through R2
has a relatively low bandwidth bitrate, 2 Mbit/s. In order to ensure a good user experience for
one of the enterprise's manager's Internet access, we want to allow his/her traffic accessing the
Internet to be forwarded through the R1 link, while an employee's traffic accessing the
Internet is forwarded through the R2 link.
This aforesaid goal cannot be achieved through checking for a route using the destination
address. Instead, setting the source IP address as the matching condition using policy-based
routing allows for this problem to be easily solved. Configure this on the firewall as follows
(we'll use the USG2000/5000 firewall series in this example):
1.
Configure the matching conditions to be based on the packet's source IP address.
[FW] acl number 3000
[FW-acl-adv-3000] rule 5 permit ip source 192.168.10.0 0.0.0.255
[FW-acl-adv-3000] quit
[FW] acl number 3001
[FW-acl-adv-3001] rule 5 permit ip source 192.168.0.0 0.0.0.255
[FW-acl-adv-3001] quit
2.
Configure policy-based routing.
[FW] policy-based-route boss permit node 10
[FW-policy-based-route-boss-10] if-match acl 3000
//apply
matching condition
[FW-policy-based-route-boss-10] apply ip-address next-hop 10.1.1.2 // configure
action, redirect next hop as R1
[FW-policy-based-route-boss-10] quit
[FW] policy-based-route employee permit node 10
[FW-policy-based-route-employee-10] if-match acl 3001
//apply
matching condition
[FW-policy-based-route-employee-10] apply ip-address next-hop 10.1.2.2 //
configure action, redirect next hop as R2
[FW-policy-based-route-employee-10] quit
3.
Apply policy-based routing.
[FW] interface GigabitEthernet0/0/3
[FW-GigabitEthernet0/0/3] ip policy-based-route employee
policy-based routing on the ingress interface
[FW-GigabitEthernet0/0/3] quit
[FW] interface GigabitEthernet0/0/4
[FW-GigabitEthernet0/0/4] ip policy-based-route boss
//apply
//apply
policy-based routing on the ingress interface
[FW-GigabitEthernet0/0/4] quit
After completing configuration, ping server address 10.10.10.10 on the Internet from
both the manager's and employee's PCs, and view the detailed session table information
on the firewall, displayed below:
[FW] display firewall session table verbose
Current total sessions: 2
icmp VPN: public --> public
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:16
Interface: GigabitEthernet0/0/1 Nexthop: 10.1.1.2 MAC:54-89-98-1d-74-24
<--packets: 4 bytes: 240 -->packets: 4 bytes: 240
192.168.10.2:47646 --> 10.10.10.10:2048
icmp VPN: public --> public
390
Learn Firewalls with Dr. WoW
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:17
Interface: GigabitEthernet0/0/2 Nexthop: 10.1.2.2 MAC:54-89-98-ea-53-c9
<--packets: 4 bytes: 240 -->packets: 4 bytes: 240
192.168.0.2:53022 --> 10.10.10.10:2048
In the information displayed above, the manager's (192.168.10.2) traffic accessing the
server is forwarded from the link connected to R1 (10.1.1.2), while the employee's
(192.168.0.2) traffic accessing the server is forwarded from the link connected to R2
(10.1.2.2), thus meeting the user's need for higher priority traffic to use the high speed
link and for lower priority traffic to use the lower speed link.
9.3.4 Application-based Policy-based Routing
What I introduced above were some traditional uses of policy-based routing, but there is still a
kind of common policy-based routing scenario in networks today that is related to
applications. As everyone knows, there are more than a few types of applications used in
networks, and of these some are applications with large traffic demands, such as P2P, online
video, etc. These applications use a high amount of egress bandwidth, severely affecting the
forwarding of enterprise service traffic. Application-based policy-based routing was
developed for this sort of circumstance, and application-based policy-based forwarding is
accomplished by combining policy-based routing with functions that identify applications and
by using the traffic application type as a matching condition.
Below, I'll examine the actual results of application-based policy-based routing; please see
Figure 9-11.
Figure 9-11 Application-based policy-based routing
PC1
192.168.0.2/24
Internal network
192.168.0.0/24
R1
GE2/2/23
Trust
192.168.0.1/24
GE2/2/21
Untrust
10.1.1.1/24
ISP1
10.1.1.2/24
GE2/2/17
Firewall Untrust1
10.1.2.1/24
Server
10.10.10.10/24
Target
network
10.1.2.2/24
ISP2
P2P service
R2
Here, the firewall is the enterprise's egress network gateway, and is connected to the Internet
using two links (one from ISP1 and one from ISP2). Of these, the link provided by ISP2 is a
stable link with equal uplink and downlink bandwidth, and is the primary link used for
forwarding the enterprise's normal traffic; the link provided by ISP1 has unequal uplink and
downlink bandwidth and relatively slow speed, but the leasing price is low, and so this can be
provided for use as a link for forwarding certain high traffic applications (in the figure this is
P2P).
We'll use the "BitSpirit" tool to simulate P2P services, have simulated a P2P server on the
server and a P2P client on the enterprise user's PC1, and have also used pings to simulate
normal services.
We first configure application-based policy-based routing on the firewall, to cause the P2P
application's traffic to be forwarded from the GE2/2/21 egress interface, while normal traffic
is directly forwarded by routing from the GE2/2/17 egress interface. The configuration
commands are below (we'll use the USG9500 firewall series in this example):
391
Learn Firewalls with Dr. WoW
1.
Configure the matching condition to be based on the source IP address.
[FW] acl number 3000
[FW-acl-adv-3000] rule 5 permit ip source 192.168.0.0 0.0.0.255
[FW-acl-adv-3000] quit
2.
Configure policy-based routing.
[FW] traffic classifier p2p
[FW-classifier-p2p] if-match acl 3000 category p2p
// set the user's P2P
application as a matching condition
[FW-classifier-p2p] quit
[FW] traffic behavior p2p
[FW-behavior-p2p] redirect ip-nexthop 10.1.1.2 interface GigabitEthernet2/2/21 //
redirect the egress interface and next hop
[FW-behavior-p2p] quit
[FW] traffic policy p2p
[FW-trafficpolicy-p2p] classifier p2p behavior p2p
[FW-trafficpolicy-p2p] quit
3.
Apply policy-based routing.
[FW] interface GigabitEthernet2/2/23
[FW-GigabitEthernet2/2/23] traffic-policy p2p inbound
//apply
policy-based routing on the ingress interface
[FW-GigabitEthernet2/2/23] quit
Following the completion of configuration, we enable the "BitSpirit" client download
function on PC1. A screenshot of this is below.
We then view the session table (displayed below) on the firewall:
[FW] display firewall session table verbose
Current total sessions: 2
tcp VPN: public --> public
Zone: trust --> untrust Slot: 3 CPU: 3 TTL: 00:00:05 Left: 00:00:02
Interface: GigabitEthernet2/2/21 Nexthop: 10.1.1.2
<--packets: 0 bytes: 0 -->packets: 2 bytes: 96
192.168.0.2:1712 --> 10.10.10.10:29553
tcp VPN: public --> public
Zone: trust --> untrust Slot: 3 CPU: 3 TTL: 00:00:05 Left: 00:00:02
Interface: GigabitEthernet2/2/21 Nexthop: 10.1.1.2
<--packets: 0 bytes: 0 -->packets: 2 bytes: 96
192.168.0.2:1711 --> 10.10.10.10:29553
392
Learn Firewalls with Dr. WoW
From the information displayed above, we can see that the session's destination address and
port are the same as those displayed on the "BitSpirit" client—they all are 10.10.10.10:29553.
Moreover, this portion of traffic is being forwarded from the link with GE2/2/21 as the egress
interface and a next hop of 10.1.1.2. This is the same as the policy-based route's redirected
egress interface and next hop, meaning that P2P application-based policy-based routing has
been successfully applied.
Below, we'll ping server address 10.10.10.10 from PC1.
At this point, let's take another look at the session table, displayed below:
[FW] display firewall session table verbose
Current total sessions: 1
icmp VPN: public --> public
Zone: trust --> untrust Slot: 3 CPU: 3 TTL: 00:00:20 Left: 00:00:17
Interface: GigabitEthernet2/2/17 Nexthop: 10.1.2.2
<--packets: 4 bytes: 240 -->packets: 4 bytes: 240
192.168.0.2:768 --> 10.10.10.10:2048
The session table shows that the ping packet was forwarded from the link with egress
interface GE2/2/17 and a next hop of 10.1.2.2. This demonstrates that our normal service
traffic is being forwarded from the link provided by ISP2, meaning that our original objective
has been achieved.
To summarize the above uses of policy-based routing, we now know that the flexibility of
policy-based routing is rooted in the flexibility and diversity of the matching conditions.
There are different matching conditions for different scenarios, and the matching conditions
contained in the three above examples were destination IP address, source IP address and
application type respectively. In addition to this, there are a multitude of other matching
conditions that are relatively commonly used, including user, protocol type, etc. As the
configuration methods for these are essentially the same, we won't introduce these one by one
here.
9.3.5 Policy-based Routing In Out-of-path Networks
Another scenario in which policy-based routing is used in networks today must also be
mentioned: when firewalls are deployed out-of-path off of enterprise egress routers or core
switches. In this sort of scenario, policy-based routing is not configured on the firewall, but
rather is configured on the router or switch. However, as this kind of approach is used on
many enterprise egresses and data center egresses, I'll also give an introduction to this here.
First, we'll examine this kind of scenario using a model of actual network conditions, shown
in Figure 9-12.
393
Learn Firewalls with Dr. WoW
Figure 9-12 Network diagram for an out-of-path firewall
PC
10.10.10.10/24
GE0/0/2
10.1.2.2/24
GE0/0/2
10.1.2.1/24
GE0/0/3
10.1.4.1/24
Firewall
R1
GE0/0/1
10.1.1.2/24
GE0/0/1
10.1.1.1/24
GE0/0/0
192.168.0.1/24
Enterprise
network
Server
192.168.0.2/24
Incoming traffic
Outgoing traffic
Here, the enterprise egress is router R1, and the firewall is deployed out-of-path off of the
egress router R1. When an external network user accesses the intranet server, after traffic is
guided from R1 to the firewall for security protection, it is then forwarded again to the
intranet server.
In this networking approach, policy-based routing is configured on the egress router R1, and
the approach used for configuring the router's policy-based routing is the same as that for
firewall policy-based routing introduced above—both involve first defining a matching
condition(s) (here, this is the destination IP address), setting an action (redirecting the egress
interface or next hop), and then applying this on the ingress interface. In this networking
approach, in addition to conducting security processing of the traffic guided to it, the firewall
also needs to return (reinsert) traffic to the egress router R1.
Traffic return is actually quite simple, and below I'll introduce two return methods—static
routing and OSPF.
Method for configuring static routing return
Table 9-1 only lists the configuration of policy-based routing and static routing.
394
Learn Firewalls with Dr. WoW
Table 9-1 Configuring static routing return
R1
FW
#
ip route-static 192.168.0.0
255.255.255.0 10.1.1.1
acl number 3000
rule 5 permit ip destination 192.168.0.2 0
#
policy-based-route in permit node 10
if-match acl 3000
apply ip-address next-hop 10.1.2.2
#
interface GigabitEthernet0/0/3
ip address 10.1.4.1 255.255.255.0
ip policy-based-route in
#
ip route-static 10.10.10.0 255.255.255.0
10.1.4.2
Configuration method for OSPF routing return
When the number of connected users is relatively high, this configuration method can be
considered, as it eases the administrator's maintenance. In the networking approach
shown in Figure 9-13, R1 is the enterprise egress router, and the core switch LSW is
connected to the intranet server. When an external network user accesses the intranet
server, traffic passes through R1 to LSW, and is then guided onto firewall FW for
security policy filtering by the policy-based routing configured on LSW. After filtering,
the traffic is then returned to LSW through checking the OSPF route on FW, after which
it accesses the intranet server.
395
Learn Firewalls with Dr. WoW
Figure 9-13 OSPF network diagram
PC
10.10.10.10/24
GE0/0/3
10.1.4.1/24
R1
GE0/0/0
10.1.3.1/24
OSPF2
GE0/0/2
10.1.2.2/24
GE0/0/2
10.1.2.1/24
Firewall
GE0/0/1
10.1.3.2/24
LSW
GE0/0/1
GE0/0/1
10.1.1.2/24 10.1.1.1/24
OSPF1
Enterprise
network
Server
192.168.0.2/24
Enterprise
network
Enterprise
network
Server
192.168.1.2/24
Server
192.168.2.2/24
Incoming traffic
Outgoing traffic
Table 9-2 only lists the configuration of policy-based routing and OSPF.
396
Learn Firewalls with Dr. WoW
Table 9-2 Configuring OSPF routing return
R1
LSW
FW
ospf 2
#
ospf 1
area 0.0.0.0
network
10.1.3.0
0.0.0.255
network
10.1.2.0
0.0.0.255
vlan batch 100
import-route ospf 2
#
area 0.0.0.0
interface Vlanif100
ip address 10.1.3.2 255.255.255.0
network 10.1.1.0
0.0.0.255
ospf 2
#
acl number 3000
rule 5 permit ip destination
192.168.0.2 0
rule 10 permit ip destination
192.168.1.2 0
import-route ospf 1
area 0.0.0.0
network 10.1.2.0
0.0.0.255
rule 15 permit ip destination
192.168.2.2 0
#
policy-based-route in permit node 10
if-match acl 3000
apply ip-address next-hop 10.1.2.2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
ip policy-based-route in
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
ospf 2
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.1.2.0 0.0.0.255
Configuration for using OSPF return is a bit more complicated. First we need to use OSPF
dual processes on the LSW to isolate upstream and downstream traffic, then use policy-based
routing to guide traffic onto FW, and finally configure the incorporation of the two OSPF
processes together on FW, allowing the two OSPF processes to learn each other's routes.
Traffic guidance is completed by policy-based routing on LSW, while static routing or OSPF
routing on FW completes traffic return. After configuration is complete, using tracert from an
397
Learn Firewalls with Dr. WoW
external network PC (10.10.10.10) for the intranet server's address 192.168.0.2 gives the
following result (a static routing network configuration is used in this example):
PC>tracert 192.168.0.2
traceroute to 192.168.0.2, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.10.10.1 16 ms <1 ms <1 ms
2 10.1.4.1 31 ms 31 ms 32 ms
3 10.1.2.2 140 ms 63 ms 47 ms
4 10.1.1.1 94 ms 62 ms 47 ms
5
192.168.0.2
63 ms 78 ms 94 ms
This path information shows that after access traffic passes through FW it is returned again to
R1, and finally arrives at the target server, achieving the expected results.
Policy-based routing is actually just conducting path selection and redefining the egress
interface and next hop for traffic that matches the matching condition(s). This requires that
administrators have an ample understanding of the current network state and be able to choose
suitable matching conditions accordingly. For example, clearly knowing the merits of multiple
egress links allows traffic from an enterprise's important clients or important services to be
forwarded from a high priority link(s). Flexibly applied policy-based routing can provide
administrators with an expanded network planning toolbox.
398
Learn Firewalls with Dr. WoW
10
Firewall Deployment on Campus
Network
10.1 Networking Requirements
As shown in Figure 10-1, USG9560 V300R001C20 is deployed at the egress of the campus
network as a gateway to provide broadband access to intranet users and internal server access
to external users. The campus has three WAN links: one to ISP1 (1 Gbit/s), one to ISP2 (1
Gbit/s), and one to China Education and Research Network (CERNET) (10 Gbit/s).
Figure 10-1 Networking diagram of campus network egress
218.1.1.2/30
CERNET
GE2/0/0
218.1.1.1/30
172.16.1.2/30
GE1/0/3
172.16.1.1/30
Campus network
10.1.0.0/16
Library
server
10.1.10.10
Log server
10.1.10.30
DNS
10.1.10.20
Server zone
10.1.10.0/24
200.1.1.2/30
GE1/0/1
200.1.1.1/30
ISP1
GE1/0/2
202.1.1.1/30
202.1.1.2/30
ISP2
399
Learn Firewalls with Dr. WoW
The specific requirements:
To ensure the Internet access experience of the intranet users, the campus requires that
traffic to specific destination addresses be forwarded through specified ISP link. For
instance, the traffic to the servers hosted by ISP1 can be forwarded through the link
provided by ISP1; the traffic to servers hosted by ISP2 can be forwarded through the link
provided by ISP2; and the traffic to servers hosted by CERNET can be forwarded
through its link.
In addition, the campus requires the traffic from special intranet users be forwarded
through a specified ISP link. For instance, the data traffic from library users can be
forwarded through the CERNET link.
Servers for external users are deployed on the campus, such as school website, email,
and Portal servers.
The DNS server is also deployed to provide resolve the domain names of the servers.
The campus requires that the domain name of the server is resolved into the public IP
address assigned by the ISP that serves the user who requested the server, so as to
increase access speed.
The campus requires the firewall protect the intranet from SYN flood attacks and alert on
network intrusions.
Due to limited bandwidth of ISP1 and ISP2 links, the campus requires the P2P traffic on
ISP1 and ISP2 links be limited, including the P2P traffic of each user, and the overall
P2P traffic.
The campus requires the network management system display the attack defense and
intrusion detection logs and the IP addresses before and after NAT.
10.2 Network Planning
10.2.1 Multi-ISP Routes Planning
ISP Routing
To ensure the traffic to specific destination addresses can be forwarded through specified
ISP links, ISP routing function needs to be deployed on the firewall. Mainstream ISP
address files are built in the firewall, and ISP address files can be manually created or
modified when necessary. IP-Link can be used to verify whether the ISP links are
normal.
In addition, due to a relatively high CERNET link bandwidth, the next hop of the default
route can be set to the IP address assigned by CERNET to ensure the traffic not matching
any other route can be forwarded through the CERNET link.
Policy-Based Routing (PBR)
To ensure the traffic from special intranet users can be forwarded through specified ISP
links, PBR function needs to be deployed on the firewall.
The PBR of firewalls in this example is implemented through traffic classification, traffic
behavior, and traffic policy. For instance, if the data traffic from library users is to be
forwarded through the CERNET link, the traffic class must match the host addresses of
online users in the library; CERNET link must be set as the next hop in the traffic
behavior; and then associate the traffic class with the traffic behavior in the traffic policy.
400
Learn Firewalls with Dr. WoW
10.2.2 Security Planning
Security Zone
In this example, there are four interfaces on the firewall. Since the four interfaces
connect to different networks, they should be added to different security zones.
−
GE1/0/1 connected to ISP1 is added to isp1 zone, which needs to be created and
whose priority is set to 10.
−
GE1/0/2 connected to ISP2 is added to isp2 zone, which needs to be created and
whose priority is set to 15.
−
GE2/0/0 connected to the CERNET link is added to cernet zone, which needs to be
created and whose priority is set to 25.
−
GE1/0/3 connected to the switch is added to the trust zone. The trust zone is a
predefined security zone of the firewall with a priority of 85.
Security policy
To enable communications and access control between the zones, security policies must
be deployed to:
−
Allow the intranet users in the trust zone to access the isp1, isp2, and cernet zones.
−
Allow Internet users in the cernet, isp1, and isp2 zones to access specified ports on
the servers in the trust zone. The library server (only HTTP and FTP services are
enabled) and the DNS are used as examples in this document.
−
Allow the connection between the firewall in the local zone and the log servers in the
trust zone.
To ensure the communications of multi-channel protocols, such as FTP, between the
zones, application-specific packet filter (ASPF) must be configured between the zones.
The implicit security policy action of the firewall is set to deny. Traffic not matching any security policy
will be blocked.
IPS
To prevent the intrusion of zombies, Trojan horses, and worms, IPS must be deployed on
the firewall. The IPS is implemented by referencing IPS profiles in security policies. In
this example, we need to reference an IPS profile in each security policy (except those
for the local zone) to perform IPS inspection on all traffic that is allowed by security
policies.
This example uses the predefined IPS profile, ids, which only alerts on attack packets
without blocking them. If the requirement on security is not very high, profile ids is
recommended to reduce the risk of IPS false positive. If the requirement on security is
relatively high, predefined IPS profile default is recommended to block intrusion
behavior.
Attack defense
To protect intranet servers and users from network attacks, SYN flood attack defense and
some single-packet attack defense functions need to be enabled.
401
Learn Firewalls with Dr. WoW
10.2.3 NAT Planning
Source NAT
To ensure that intranet users can access the Internet through limited public IP addresses,
source network address translation (source NAT) function must be deployed on the
firewall. When an outbound packet reaches the firewall, its source address will be
translated into a public IP address, and its source port will be randomly translated into an
ephemeral port through NAT. In this way, one public IP address can be used by multiple
intranet users simultaneously to access the Internet.
NAT Server
To make servers available for users of each ISP, the NAT server function needs to be
deployed on the firewall to translate the servers' private addresses into public IP
addresses assigned by the ISPs.
The user usually uses the domain name to access an intranet server. Therefore, a DNS
server is deployed in the server area to translate the domain name into a public IP
address. By deploying the intelligent DNS function on the firewall, the domain name of
the server is resolved into the public IP address assigned by the ISP that serves the user
who requested the server. In this way, the server access latency is minimized and user
experience is optimized.
NAT ALG
When the NAT function and the forwarding of multi-channel protocol packets, such as
FTP packets, are enabled on the firewall, the NAT ALG function must be enabled. In this
example, multi-channel protocols, such as FTP, SIP, H323, MGCP, and RTSP are used.
Therefore, NAT ALG must be enabled for them.
The configuration commands for NAT ALG and ASPF are the same, regardless of their different
implementation principles and functions.
10.2.4 Bandwidth Management Planning
To limit the P2P traffic of ISP1 and ISP2 links, the bandwidth management function needs to
be deployed to control the traffic based on applications.
In this example, the firewall manages the bandwidth through traffic profile and traffic policy.
A traffic profile defines available bandwidth resources that can be assigned to managed
objects and is referenced in a traffic policy. In this example, the total bandwidth of the
traffic profile is configured as no more than 300 Mbit/s, and the bandwidth of each IP as
no more than 1 Mbit/s.
Traffic policy defines the bandwidth management objects and the traffic actions, and
references traffic profile. In this example, the object defined in the traffic policy is P2P
traffic, the action is traffic limit, and the previously configured traffic profile is
referenced. In this manner, the traffic policy can limit P2P traffic.
10.2.5 Network Management Planning
The eSight log server on the firewall can collect, query, and display the log reports. The
session logs on the firewall can be used to query the address information before and after
NAT; and the IPS logs and attack defense system log on the firewall can be used to check for
network attacks and intrusions.
402
Learn Firewalls with Dr. WoW
10.3 Configuration Procedure
Step 1 Configure interface IP addresses, and add the interfaces to security zones.
# Configure the IP addresses of each interface.
[Dr. WoW's comment] Normally, the mask length of the IP addresses assigned by ISPs is 30
bits. It is recommended that interface description or alias be configured to tell the information
about the interface.
<FW> system-view
[FW] interface GigabitEthernet 2/0/0
[FW-GigabitEthernet2/0/0] ip address 218.1.1.1 255.255.255.252
[FW-GigabitEthernet2/0/0] description cernet
[FW-GigabitEthernet2/0/0] quit
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 200.1.1.1 255.255.255.252
[FW-GigabitEthernet1/0/1] description isp1
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] ip address 202.1.1.1 255.255.255.252
[FW-GigabitEthernet1/0/2] description isp2
[FW-GigabitEthernet1/0/2] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 172.16.1.1 255.255.255.252
[FW-GigabitEthernet1/0/3] description campus
[FW-GigabitEthernet1/0/3] quit
# Create security zones isp1, isp2, and cernet, and add the interfaces to corresponding security
zones.
[Dr. WoW's comment] When the firewall needs to be connected to multiple ISPs, a security
zone must be created for each interface connecting to an ISP, and the name of the security
zone should suggest the network of the zone.
[FW] firewall zone name isp1
[FW-zone-isp1] set priority 15
[FW-zone-isp1] add interface GigabitEthernet 1/0/1
[FW-zone-isp1] quit
[FW] firewall zone name isp2
[FW-zone-isp2] set priority 20
[FW-zone-isp2] add interface GigabitEthernet 1/0/2
[FW-zone-isp2] quit
[FW] firewall zone name cernet
[FW-zone-cernet] set priority 25
[FW-zone-cernet] add interface GigabitEthernet 2/0/0
[FW-zone-cernet] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] quit
Step 2 Configure IP-Link to detect whether the ISP links are in normal state.
[FW]
[FW]
[FW]
[FW]
ip-link
ip-link
ip-link
ip-link
check enable
1 destination 218.1.1.2 interface GigabitEthernet2/0/0
2 destination 200.1.1.2 interface GigabitEthernet1/0/1
3 destination 202.1.1.2 interface GigabitEthernet1/0/2
403
Learn Firewalls with Dr. WoW
[Dr. WoW's comment] When a link monitored by IP-Link is faulty, the static route or
policy-based route bound to it will become invalid.
Step 3 Configure static routes to ensure IP connectivity.
# Create a default route and set the next hop to the IP address assigned by CERNET to ensure
the traffic not matching any other route can be forwarded through the CERNET link.
[FW] ip route-static 0.0.0.0 0.0.0.0 218.1.1.2
# Create a static route and set the destination IP address to the intranet and the next hop to the
address of the intranet switch, to ensure that the traffic from the Internet can reach the
intranet.
[FW] ip route-static 10.1.0.0 255.255.0.0 172.16.1.2
[Dr. WoW's comment] Configure both outbound and inbound static routes on the gateway.
Generally, at least one outbound default route will be configured.
Step 4 Configure ISP routing function.
1.
Obtain the latest destination IP addresses from each ISP.
2.
Edit the csv file for each ISP in the following format. The figure below is for reference
only, the addresses provided by local ISP may differ.
3.
Import all csv files.
4.
Run the following commands, load the csv files, and specify the next hop.
[FW] isp set filename cernet.csv GigabitEthernet 2/0/0 next-hop 218.1.1.2 track
ip-link 1
[FW] isp set filename isp1.csv GigabitEthernet 1/0/1 next-hop 200.1.1.2 track
ip-link 2
[FW] isp set filename isp2.csv GigabitEthernet 1/0/2 next-hop 202.1.1.2 track
ip-link 3
[Dr. WoW's comment] The ISP routing function actually issues specific routes in a batch,
with the addresses in the ISP files as the destination IP addresses and the addresses
specified by configuration commands as the next-hops. ISP routing can ensure that the
traffic destined for the specific ISP destination IP address is forwarded through
corresponding ISP link.
404
Learn Firewalls with Dr. WoW
Step 5 Configure policy-based routes to ensure the traffic from specific intranet users (IP addresses)
can be forwarded through specified links (interfaces).
[Dr. WoW's comment] Policy-based routing is source IP address-based. (An advanced ACL
can certainly also select routes based on destination address.) For instance, Internet access
users in the library (network 10.1.2.0/24) can only access the Internet through CERNET. The
policy-based routing is configured using Huawei classic classifier and behavior (CB) pair
configuration.
[FW] acl number 2000
[FW-acl-basic-2000] rule permit source 10.1.2.0 0.0.0.255
[FW-acl-basic-2000] quit
[FW] traffic classifier classlb
[FW-classifier-classlb] if-match acl 2000
[FW-classifier-classlb] quit
[FW] traffic behavior behaviorlb
[FW-behavior-behaviorlb] redirect ip-nexthop 218.1.1.2 interface GigabitEthernet 2/0/0
track ip-link 1
[FW-behavior-behaviorlb] quit
[FW] traffic policy policylb
[FW-trafficpolicy-policylb] classifier classlb behavior behaviorlb
[FW-trafficpolicy-policylb] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] traffic-policy policylb inbound
[FW-GigabitEthernet1/0/3] quit
Step 6 Configure security policies and IPS to detect intrusion behavior of the allowed traffic.
# Configure an outbound security policy for the trust-isp1 interzone to enable intranet users to
access the Internet through ISP1. Reference predefined profile ids when configuring security
policies to detect intrusion behavior.
[FW] policy interzone trust isp1 outbound
[FW-policy-interzone-trust-isp1-outbound] policy 0
[FW-policy-interzone-trust-isp1-outbound-0] action permit
[FW-policy-interzone-trust-isp1-outbound-0] profile ips ids
[FW-policy-interzone-trust-isp1-outbound-0] quit
[FW-policy-interzone-trust-isp1-outbound] quit
# Configure an inbound security policy for the trust-isp1 interzone to enable internet users to
access the intranet library server (only HTTP and FTP services are enabled) and the DNS
through ISP1. Reference predefined profile ids when configuring security policies to detect
intrusion behavior.
[FW] policy interzone trust isp1 inbound
[FW-policy-interzone-trust-isp1-inbound] policy 0
[FW-policy-interzone-trust-isp1-inbound-0] policy destination 10.1.10.10 0.0.0.0
[FW-policy-interzone-trust-isp1-inbound-0] policy service service-set http ftp
[FW-policy-interzone-trust-isp1-inbound-0] action permit
[FW-policy-interzone-trust-isp1-inbound-0] profile ips ids
[FW-policy-interzone-trust-isp1-inbound-0] quit
[FW-policy-interzone-trust-isp1-inbound] policy 1
[FW-policy-interzone-trust-isp1-inbound-1] policy destination 10.1.10.20 0.0.0.0
[FW-policy-interzone-trust-isp1-inbound-1] policy service service-set dns
[FW-policy-interzone-trust-isp1-inbound-1] action permit
[FW-policy-interzone-trust-isp1-inbound-1] profile ips ids
[FW-policy-interzone-trust-isp1-inbound-1] quit
[FW-policy-interzone-trust-isp1-inbound] quit
405
Learn Firewalls with Dr. WoW
# Configure an outbound security policy for the trust-isp2 interzone to enable intranet users to
access the internet through ISP2. Reference predefined profile ids when configuring security
policies to detect intrusion behavior.
[FW] policy interzone trust isp2 outbound
[FW-policy-interzone-trust-isp2-outbound] policy 0
[FW-policy-interzone-trust-isp2-outbound-0] action permit
[FW-policy-interzone-trust-isp2-outbound-0] profile ips ids
[FW-policy-interzone-trust-isp2-outbound-0] quit
[FW-policy-interzone-trust-isp2-outbound] quit
# Configure an inbound security policy for the trust-isp2 interzone to enable internet users to
access the intranet library server (only HTTP and FTP services are enabled) and the DNS
through ISP2. Reference predefined profile ids when configuring security policies to detect
intrusion behavior.
[FW] policy interzone trust isp2 inbound
[FW-policy-interzone-trust-isp2-inbound] policy 0
[FW-policy-interzone-trust-isp2-inbound-0] policy destination 10.1.10.10 0.0.0.0
[FW-policy-interzone-trust-isp2-inbound-0] policy service service-set http ftp
[FW-policy-interzone-trust-isp2-inbound-0] action permit
[FW-policy-interzone-trust-isp2-inbound-0] profile ips ids
[FW-policy-interzone-trust-isp2-inbound-0] quit
[FW-policy-interzone-trust-isp2-inbound] policy 1
[FW-policy-interzone-trust-isp2-inbound-1] policy destination 10.1.10.20 0.0.0.0
[FW-policy-interzone-trust-isp2-inbound-1] policy service service-set dns
[FW-policy-interzone-trust-isp2-inbound-1] action permit
[FW-policy-interzone-trust-isp2-inbound-1] profile ips ids
[FW-policy-interzone-trust-isp2-inbound-1] quit
[FW-policy-interzone-trust-isp2-inbound] quit
# Configure an outbound security policy for the trust-cernet interzone to enable intranet users
to access the Internet through CERNET. Reference predefined profile ids when configuring
security policies to detect intrusion behavior.
[FW] policy interzone trust cernet outbound
[FW-policy-interzone-trust-cernet-outbound] policy 0
[FW-policy-interzone-trust-cernet-outbound-0] action permit
[FW-policy-interzone-trust-cernet-outbound-0] profile ips ids
[FW-policy-interzone-trust-cernet-outbound-0] quit
[FW-policy-interzone-trust-cernet-outbound] quit
# Configure inbound security policies for the trust-cernet interzone to enable Internet users to
access the intranet library server (only HTTP and FTP services are enabled) and the DNS
through the CERNET. Reference predefined profile ids when configuring security policies to
detect intrusion behavior.
[FW] policy interzone trust cernet inbound
[FW-policy-interzone-trust-cernet-inbound] policy 0
[FW-policy-interzone-trust-cernet-inbound-0] policy destination 10.1.10.10 0.0.0.0
[FW-policy-interzone-trust-cernet-inbound-0] policy service service-set http ftp
[FW-policy-interzone-trust-cernet-inbound-0] action permit
[FW-policy-interzone-trust-cernet-inbound-0] profile ips ids
[FW-policy-interzone-trust-cernet-inbound-0] quit
[FW-policy-interzone-trust-cernet-inbound] policy 1
[FW-policy-interzone-trust-cernet-inbound-1] policy destination 10.1.10.20 0.0.0.0
[FW-policy-interzone-trust-cernet-inbound-1] policy service service-set dns
[FW-policy-interzone-trust-cernet-inbound-1] action permit
406
Learn Firewalls with Dr. WoW
[FW-policy-interzone-trust-cernet-inbound-1] profile ips ids
[FW-policy-interzone-trust-cernet-inbound-1] quit
[FW-policy-interzone-trust-cernet-inbound] quit
# Configure outbound and inbound security policies for the local-trust interzone and enable
the connection between the firewall and the log server.
[FW] policy interzone local trust outbound
[FW-policy-interzone-local-trust-outbound] policy 0
[FW-policy-interzone-local-trust-outbound-0] policy destination 10.1.10.30 0.0.0.0
[FW-policy-interzone-local-trust-outbound-0] action permit
[FW-policy-interzone-local-trust-outbound-0] quit
[FW-policy-interzone-local-trust-outbound] quit
[FW] policy interzone local trust inbound
[FW-policy-interzone-local-trust-inbound] policy 0
[FW-policy-interzone-local-trust-inbound-0] policy source 10.1.10.30 0.0.0.0
[FW-policy-interzone-local-trust-inbound-0] action permit
[FW-policy-interzone-local-trust-inbound-0] quit
[FW-policy-interzone-local-trust-inbound] quit
[Dr. WoW's comment] When the firewall serves as the gateway and network does not have
high requirements on security, the action in the interzone security policy can be set as permit.
The reference of IPS profiles in security policies prevents intrusion in the interzone traffic.
The predefined IPS profiles on the firewall are default and ids. Profile default is used to
detect and block intrusion behavior, and profile ids is used to detect and alert on intrusion
behavior (without blocking them).
# Enable the IPS function and set scheduled online update of the signature database.
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
ips enable
update schedule ips-sdb enable
update schedule weekly sun 02:00
update schedule sa-sdb enable
update schedule weekly sun 03:00
undo update confirm ips-sdb enable
undo update confirm sa-sdb enable
# Configure the DNS server address of the firewall so that the firewall can access the security
center platform through domain name and download the signature database.
[FW] dns resolve
[FW] dns server 202.106.0.20
Step 7 Configure source NAT so that multiple intranet users can simultaneously access the Internet
through the shared public IP address.
# Configure source NAT for the trust-isp1 interzone. The addresses in the NAT address pool
are obtained from ISP1.
[FW] nat address-group isp1
[FW-address-group-isp1] mode pat
[FW-address-group-isp1] section 200.1.1.3 200.1.1.5
[FW-address-group-isp1] quit
[FW] nat-policy interzone trust isp1 outbound
[FW-nat-policy-interzone-trust-isp1-outbound] policy 0
[FW-nat-policy-interzone-trust-isp1-outbound-0] action source-nat
[FW-nat-policy-interzone-trust-isp1-outbound-0] address-group isp1
407
Learn Firewalls with Dr. WoW
# Configure source NAT for the trust-isp2 interzone. The addresses in the NAT address pool
are obtained from ISP2.
[FW] nat address-group isp2
[FW-address-group-isp2] mode pat
[FW-address-group-isp2] section 202.1.1.3 202.1.1.5
[FW-address-group-isp2] quit
[FW] nat-policy interzone trust isp2 outbound
[FW-nat-policy-interzone-trust-isp2-outbound] policy 0
[FW-nat-policy-interzone-trust-isp2-outbound-0] action source-nat
[FW-nat-policy-interzone-trust-isp2-outbound-0] address-group isp2
# Configure source NAT for the trust-cernet interzone. The addresses in the NAT address pool
are obtained from CERNET.
[FW] nat address-group cernet
[FW-address-group-cernet] mode pat
[FW-address-group-cernet] section 218.1.1.3 218.1.1.5
[FW-address-group-cernet] quit
[FW] nat-policy interzone trust cernet outbound
[FW-nat-policy-interzone-trust-cernet-outbound] policy 0
[FW-nat-policy-interzone-trust-cernet-outbound-0] action source-nat
[FW-nat-policy-interzone-trust-cernet-outbound-0] address-group cernet
# Configure a black-hole route; and advertise all public IP addresses in the NAT address pool.
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
ip
ip
ip
ip
ip
ip
ip
ip
ip
route-static
route-static
route-static
route-static
route-static
route-static
route-static
route-static
route-static
200.1.1.3
200.1.1.4
200.1.1.5
202.1.1.3
202.1.1.4
202.1.1.5
218.1.1.3
218.1.1.4
218.1.1.5
32
32
32
32
32
32
32
32
32
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
0
0
0
0
0
0
0
0
0
[Dr. WoW's comment] A black-hole route must be configured for source NAT and NAT
Server.
Step 8 Configure zone-based NAT server to enable Internet users to access intranet servers.
# The private IP address of a server is generally mapped to the public IP addresses of multiple
ISPs.
The campus provides many servers for external access, but we will only take the library
server (10.1.10.10) and DNS server (10.1.10.20) as an example to illustrate how to configure
zone-based NAT server.
[FW] nat server 1 zone isp1 global 200.1.10.10 inside 10.1.10.10 description lb-isp1
[FW] nat server 2 zone isp2 global 202.1.10.10 inside 10.1.10.10 description lb-isp2
[FW] nat server 3 zone cernet global 218.1.10.10 inside 10.1.10.10 description lb-cernet
[FW] nat server 4 zone isp1 global 200.1.10.20 inside 10.1.10.20 description dns-isp1
[FW] nat server 5 zone isp2 global 202.1.10.20 inside 10.1.10.20 description dns-isp2
[FW] nat server 6 zone cernet global 218.1.10.20 inside 10.1.10.20 description dns-cernet
# Configure a black-hole route and advertise all public IP addresses used in NAT server.
[FW] ip route-static 200.1.10.10 32 NULL 0
[FW] ip route-static 202.1.10.10 32 NULL 0
408
Learn Firewalls with Dr. WoW
[FW]
[FW]
[FW]
[FW]
ip
ip
ip
ip
route-static
route-static
route-static
route-static
218.1.10.10
200.1.10.20
202.1.10.20
218.1.10.20
32
32
32
32
NULL
NULL
NULL
NULL
0
0
0
0
Step 9 Configure intelligent DNS.
[Dr. WoW's comment] Intelligent DNS ensures that the domain name of an intranet server is
resolved into the address assigned by the ISP that serves the user to increase access speed. For
instance, when ISP1 users access the library server at private address 10.1.10.10, the domain
name of the server is resolved into public address 200.1.10.10, which is assigned by ISP1 and
mapped to private address 10.1.10.10.
# Configure intelligent DNS, and bind the server address assigned by each ISP with the
outgoing interface connected to the ISP.
[FW] dns-smart enable
[FW] dns-smart group 1
[FW-dns-smart-group-1]
[FW-dns-smart-group-1]
[FW-dns-smart-group-1]
[FW-dns-smart-group-1]
[FW-dns-smart-group-1]
[FW-dns-smart-group-1]
type single
description lb
real-server-ip 10.1.10.10
out-interface GigabitEthernet 2/0/0 map 218.1.10.10
out-interface GigabitEthernet 1/0/1 map 200.1.10.10
out-interface GigabitEthernet 1/0/2 map 202.1.10.10
quit
Step 10 Configure NAT ALG.
[Dr. WoW's comment] The configuration commands for NAT ALG and ASPF are the same.
# Configure NAT ALG between the trust zone and other zones.
[FW] firewall interzone trust isp1
[FW-interzone-trust-isp1] detect ftp
[FW-interzone-trust-isp1] detect sip
[FW-interzone-trust-isp1] detect h323
[FW-interzone-trust-isp1] detect mgcp
[FW-interzone-trust-isp1] detect rtsp
[FW-interzone-trust-isp1] detect qq
[FW-interzone-trust-isp1] quit
[FW] firewall interzone trust isp2
[FW-interzone-trust-isp2] detect ftp
[FW-interzone-trust-isp2] detect sip
[FW-interzone-trust-isp2] detect h323
[FW-interzone-trust-isp2] detect mgcp
[FW-interzone-trust-isp2] detect rtsp
[FW-interzone-trust-isp2] detect qq
[FW-interzone-trust-isp2] quit
[FW] firewall interzone trust cernet
[FW-interzone-trust-cernet] detect ftp
[FW-interzone-trust-cernet] detect sip
[FW-interzone-trust-cernet] detect h323
[FW-interzone-trust-cernet] detect mgcp
[FW-interzone-trust-cernet] detect rtsp
[FW-interzone-trust-cernet] detect qq
[FW-interzone-trust-cernet] quit
Step 11 Enable attack defense to protect the campus network.
[FW] firewall defend land enable
409
Learn Firewalls with Dr. WoW
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
[FW]
auto
[FW]
auto
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
firewall defend syn-flood enable
firewall defend syn-flood interface GigabitEthernet1/0/1 max-rate 24000 tcp-proxy
firewall defend syn-flood interface GigabitEthernet1/0/2 max-rate 24000 tcp-proxy
[Dr. WoW's comment] Generally, if there is no special requirement on the network security,
the above attack defense functions would suffice.
For SYN flood attack defense, the recommended threshold on the GE interface is 16,000 pps.
All interfaces in this example are GE interfaces with a threshold of 24,000 pps, which is set
based on practical test result. Because, according to practical experience, a higher threshold
value is often set first; then the value is gradually lowered after observation to an appropriate
range, in which attacks can be well prevented and normal services are not affected.
Step 12 Configure bandwidth management.
[Dr. WoW's comment] To configure bandwidth management, a traffic profile (a set of traffic
limiting parameters) is created and referenced in a traffic policy. Pay attention that upload is
in the outbound direction and download is in the inbound direction. In addition, it is
recommended that P2P traffic be limited to 20% to 30% of the total bandwidth.
# Configure download and upload traffic profiles. The total bandwidth is limited to 300
Mbit/s with per-IP address bandwidth to 1 Mbit/s.
[FW] car-class p2p_all_download
[FW-car-class-p2p_all_download] car-mode per-ip
[FW-car-class-p2p_all_download] cir 1000
[FW-car-class-p2p_all_download] cir 300000 total
[FW-car-class-p2p_all_download] quit
[FW] car-class p2p_all_upload
[FW-car-class-p2p_all_upload] car-mode per-ip
[FW-car-class-p2p_all_upload] cir 1000
[FW-car-class-p2p_all_upload] cir 300000 total
[FW-car-class-p2p_all_upload] quit
# Configure inbound and outbound traffic policies in ISP1 zone to limit the P2P download
and upload traffic respectively.
[FW] car-policy zone isp1 inbound
[FW-car-policy-zone-isp1-inbound] policy 0
[FW-car-policy-zone-isp1-inbound-0] policy application category p2p
[FW-car-policy-zone-isp1-inbound-0] action car
[FW-car-policy-zone-isp1-inbound-0] car-class p2p_all_download
[FW-car-policy-zone-isp1-inbound-0] description p2p_limit_download
[FW-car-policy-zone-isp1-inbound-0] quit
[FW-car-policy-zone-isp1-inbound] quit
[FW] car-policy zone isp1 outbound
[FW-car-policy-zone-isp1-outbound] policy 0
[FW-car-policy-zone-isp1-outbound-0] policy application category p2p
410
Learn Firewalls with Dr. WoW
[FW-car-policy-zone-isp1-outbound-0] action car
[FW-car-policy-zone-isp1-outbound-0] car-class p2p_all_upload
[FW-car-policy-zone-isp1-outbound-0] description p2p_limit_upload
[FW-car-policy-zone-isp1-outbound-0] quit
[FW-car-policy-zone-isp1-outbound] quit
# Configure inbound and outbound traffic policies in ISP2 zone to limit the P2P download
and upload traffic respectively.
[FW] car-policy zone isp2 inbound
[FW-car-policy-zone-isp2-inbound] policy 0
[FW-car-policy-zone-isp2-inbound-0] policy application category p2p
[FW-car-policy-zone-isp2-inbound-0] action car
[FW-car-policy-zone-isp2-inbound-0] car-class p2p_all_download
[FW-car-policy-zone-isp2-inbound-0] description p2p_limit_download
[FW-car-policy-zone-isp2-inbound-0] quit
[FW-car-policy-zone-isp2-inbound] quit
[FW] car-policy zone isp2 outbound
[FW-car-policy-zone-isp2-outbound] policy 0
[FW-car-policy-zone-isp2-outbound-0] policy application category p2p
[FW-car-policy-zone-isp2-outbound-0] action car
[FW-car-policy-zone-isp2-outbound-0] car-class p2p_all_upload
[FW-car-policy-zone-isp2-outbound-0] description p2p_limit_upload
[FW-car-policy-zone-isp2-outbound-0] quit
[FW-car-policy-zone-isp2-outbound] quit
Step 13 Enable system logging and NAT source tracing, and check the logs on the network
management system (eSight).
# Enable the firewall to send system logs (IPS and attack defense logs in this example) to the
log host (10.1.10.30).
[FW]
[FW]
[FW]
[FW]
[FW]
info-center enable
engine log ips enable
info-center source ips channel loghost log level emergencies
info-center source ANTIATTACK channel loghost
info-center loghost 10.1.10.30
# Enable the firewall to send session logs to port 9002 of the log host (10.1.10.30), and
configure both inbound and outbound audit policies between the trust zone and the
isp1/isp2/cernet zone.
[Dr. WoW's comment] NAT source tracing is enabled to check the addresses before and after
NAT. Our approach is to configure audit function on the firewall to generate session logs,
which are then exported to the log host. On the log host, we can check the session logs
through eSight to check the addresses before and after NAT.
[FW] firewall log source 172.16.1.1 9002
[FW] firewall log host 2 10.1.10.30 9002
[FW] audit-policy interzone trust isp1 outbound
[FW-audit-policy -interzone-trust-isp1-outbound] policy 0
[FW-audit-policy -interzone-trust-isp1-outbound-0] action audit
[FW-audit-policy -interzone-trust-isp1-outbound-0] quit
[FW-audit-policy -interzone-trust-isp1-outbound] quit
[FW] audit-policy interzone trust isp1 inbound
[FW-audit-policy -interzone-trust-isp1-inbound] policy 0
[FW-audit-policy -interzone-trust-isp1-inbound-0] action audit
[FW-audit-policy -interzone-trust-isp1-inbound-0] quit
411
Learn Firewalls with Dr. WoW
[FW-audit-policy -interzone-trust-isp1-inbound] quit
[FW] audit-policy interzone trust isp2 outbound
[FW-audit-policy -interzone-trust-isp2-outbound] policy 0
[FW-audit-policy -interzone-trust-isp2-outbound-0] action audit
[FW-audit-policy -interzone-trust-isp2-outbound-0] quit
[FW-audit-policy -interzone-trust-isp2-outbound] quit
[FW] audit-policy interzone trust isp2 inbound
[FW-audit-policy -interzone-trust-isp2-inbound] policy 0
[FW-audit-policy -interzone-trust-isp2-inbound-0] action audit
[FW-audit-policy -interzone-trust-isp2-inbound-0] quit
[FW-audit-policy -interzone-trust-isp2-inbound] quit
[FW] audit-policy interzone trust cernet outbound
[FW-audit-policy -interzone-trust-cernet-outbound] policy 0
[FW-audit-policy -interzone-trust-cernet-outbound-0] action audit
[FW-audit-policy -interzone-trust-cernet-outbound-0] quit
[FW-audit-policy -interzone-trust-cernet-outbound] quit
[FW] audit-policy interzone trust cernet inbound
[FW-audit-policy -interzone-trust-cernet-inbound] policy 0
[FW-audit-policy -interzone-trust-cernet-inbound-0] action audit
[FW-audit-policy -interzone-trust-cernet-inbound-0] quit
[FW-audit-policy -interzone-trust-cernet-inbound] quit
# In this example, eSight is installed on the log host (10.1.10.30). To check logs on eSight,
SNMP must be configured on the firewall so that the firewall can communicate with eSight.
The SNMP parameters on eSight must be the same as those on the firewall.
[FW] snmp-agent sys-info v3
[FW] snmp-agent group v3 NMS1 privacy
[FW] snmp-agent usm-user v3 admin1 NMS1 authentication-mode md5 Admin@123 privacy-mode
aes256 Admin@123
# After eSight is configured, choose Business > Security Business > LogCenter > Log
Analysis > Session Analysis > IPv4 Session Query to check session logs.
----End
10.4 Highlights
What is amazing about this example is that it involves almost all classical features of a
firewall, including security policy, NAT, ASPF, attack defense, IPS, and bandwidth
management (application-based and IP-based bandwidth throttling). If readers feel
difficult to choose between various firewall functions, this example is a good reference.
Another highlight of this example is that it shows the firewall's capability to serve as the
gateway. One of the most important features of a gateway is the ISP routing. ISP routing
is based on destination IP addresses, policy-based routing is based on source IP addresses,
and intelligent DNS allows Internet users to access intranet servers through optimal
links.
In addition, as a gateway, the advantages of a firewall over a router are better NAT and
security functions.
Another highlight of this example is that it illustrates the NAT source tracing function on
a firewall (The firewall configured with audit policies will send session logs to the
network management system, on which the customer can check the addresses before and
after NAT). This function is especially useful during the inspection from the upper-level
and related departments.
412
Learn Firewalls with Dr. WoW
413
Learn Firewalls with Dr. WoW
11
Firewall Deployment on Media
Company Network
11.1 Networking Requirements
As shown in Figure 11-1, the network of the media company is connected to two ISPs through
two links of 10 Gbit/s each to provide broadband access to its users on the metropolitan area
network (MAN). Servers are also deployed in the server area to provide hosting services to
internal and external users.
Two firewalls are deployed at the egress of the media company's intranet to the Internet as
egress gateways (USG9560 V300R001C20). The uplink interfaces of the two firewalls are
connected to the two ISPs through the aggregation switches; the downlink interfaces are
connected to the MAN through the core routers. Both firewalls are connected to the servers
through the switch in the server area.
414
Learn Firewalls with Dr. WoW
Figure 11-1 Networking diagram of a media company network egress
ISP1
ISP2
1.1.1.2/30
Egress aggregation
switch
VRRP group 1
1.1.1.1/30
GE1/0/1
10.0.1.1/24
2.2.2.2/30
Standby
Active
Active
Standby
GE1/0/2
GE1/0/1
10.0.2.1/24 10.0.1.2/24
GE1/0/5
10.0.7.1/24 GE1/0/5
10.0.7.2/24
GE1/0/3
GE1/0/3
GE1/0/4
10.0.4.1/24
10.0.3.1/24
10.0.5.1/24
FW1
VRRP group 2
2.2.2.1/30
GE1/0/2
10.0.2.2/24
FW2
GE1/0/4
10.0.6.1/24
DNS server
10.0.10.20/24
Web server
10.0.10.10/24
Server
area
Core router
FTP server
10.0.10.11/24
Log server
10.0.10.30/24
MAN
MAN
MAN
The requirements are as follows:
The two firewalls are deployed in active/standby backup mode to improve the network
availability.
Users on the MANs can simultaneously access the Internet through the NAT function of
the firewall, and the validity of the addresses in the NAT address pool is assured through
the NAT detection.
To improve intranet users' broadband access experience, the traffic destined to specific
destination addresses should be forwarded by the firewalls through specified ISP links.
For example, the traffic to the servers hosted by ISP1 can be forwarded through the link
provided by ISP1; and the traffic to the servers hosted by ISP2 can be forwarded through
the link provided by ISP2.
For the traffic destined to other ISP networks, the firewall can select the link with
minimum latency.
The firewall should be able to identify and control P2P and web video traffic, and
forward the traffic through ISP2 link.
415
Learn Firewalls with Dr. WoW
The servers hosted by the media company can be accessed by intranet and Internet users
of multiple ISPs. The DNS server is also deployed on the network to provide domain
name resolution. Domain name of the server should be resolved into the public IP
address assigned by the ISP that serves the user who requested the server, so as to
increase access speed.
The firewalls should be able to protect the intranet from DDoS attacks and alert on
network intrusion behavior such as zombies, Trojan horses, and worms.
The source tracing function should be provided to trace Internet access, including the IP
addresses before and after NAT and IM login and logout logs.
11.2 Network Planning
11.2.1 Hot Standby Planning
Since each ISP provides only one link which cannot be directly connected to two firewalls,
egress aggregation switches are deployed between the firewalls and ISP links. The egress
aggregation switch connected to each ISP link can be connected to two firewalls. OSPF is
running on the firewalls and downstream routers; thus a typical hot standby network is
formed.
To efficiently use public IP addresses, the uplink interfaces of the firewalls can use private IP
addresses, but the VRRP groups must use public addresses assigned by the ISPs to
communicate with ISP networks.
11.2.2 Multi-ISP Routing Planning
When an egress gateway (firewall in this example) has multiple outgoing interfaces, the
matching sequence in routing is: policy-based routes (PBRs), specific routes, and default
routes. The routing plan is as follows:
Application-specific PBR
P2P and web video traffic is bandwidth-hungry and needs to be forwarded through
specified links using application-specific PBR.
The PBR on firewalls in this example is implemented using traffic classifier, traffic
behavior, and traffic policy. We must define the P2P and web video applications as the
matching conditions in traffic class; set ISP2 link as the next hop in the traffic behavior;
and associate the traffic class with the traffic behavior in QoS policy. In this way, the P2P
and web video traffic will be forwarded through ISP2 link.
ISP routing
ISP routing issues specific ISP routes in batches by specifying ISP address files and the
next hops so that the traffic destined for an ISP can be forwarded through the link
connected to the ISP. Address files of major ISPs are predefined on the firewalls and you
can modify the address files or create new ones when necessary.
Intelligent routing (load balancing mode with minimum latency time)
In the case of dual-egress, besides specific routes (for ISP routing), we will also
configure two equal-cost routes to match the traffic that cannot be matched to specific
routes. For such case, we can enable intelligent routing function to select optimal links
for traffic forwarding through equal-cost routes.
The firewall supports three algorithms of intelligent routing:
416
Learn Firewalls with Dr. WoW
−
Least-delay load balancing: When multiple equal-cost routes are available, the
firewall will probe the delays of the routes to a same destination and select the link
with least delay to forward the traffic.
−
Weight-based load balancing: Weights are assigned to the outgoing interfaces of the
equal-cost routes so that traffic can be allocated to the routes based on the weights.
−
Bandwidth-based load balancing: Traffic is allocated to the equal cost routes in
proportion with the bandwidth of the links.
Least-delay load balancing algorithm is applied in this example for intelligent routing.
11.2.3 Bandwidth Management Planning
P2P and web video traffic is bandwidth-hungry; therefore, in the 11.2.2 Multi-ISP Routing
Planning, we have planned to forward it through ISP2 link using application-specific
policy-based routes. However, if such traffic is not controlled, other services on the ISP2 link
may be interrupted. Therefore, we need to enable bandwidth management (BWM) function to
implement application-specific traffic control.
In this example, the firewall manages the bandwidth through traffic profile and traffic policy.
A traffic profile defines bandwidth resources available to managed objects and is
referenced in a traffic policy. In this example, the maximum bandwidth of the traffic
profile is 300 Mbit/s.
A traffic policy defines the bandwidth management objects and the action, and references
a traffic profile. In this example, the object defined in the traffic policy is P2P and web
video traffic, the action is traffic limit, and the previously configured traffic profile is
referenced. In this way, the bandwidth for P2P and web video traffic will not exceed 300
Mbit/s.
11.2.4 Security Planning
Security Zone
In this example, there are five interfaces on the firewall. Since the five interfaces are
connected to different networks; they should be added to different security zones.
−
GE1/0/1 connected to ISP1 is added to isp1 zone, which needs to be created and
whose priority is set to 10.
−
GE1/0/2 connected to ISP2 is added to isp2 zone, which needs to be created and
whose priority is set to 15.
−
GE1/0/3 connected to the core router is added to the trust zone. Trust zone is a
predefined security zone of the firewall with a priority of 85.
−
GE1/0/4 connected to the server zone is added to the dmz zone. DMZ zone is a
predefined security zone of the firewall with a priority of 50.
−
GE1/0/5, the heartbeat interface, connecting the two firewalls is added to the heart
zone. The heart zone needs to be created and whose priority is set to 75.
Security policy
To enable the communication and access control between the zones, security policies
must be deployed to:
−
Allow the intranet users in the trust zone to access the isp1and isp2 zones.
−
Allow users in the trust, isp1 and isp2 zones to access the specified ports on the
servers in the dmz zone, including web, FTP, and DNS servers.
−
Allow the firewall in the local zone to set up a connection to the log server in the dmz
zone.
417
Learn Firewalls with Dr. WoW
−
The firewall in this example is USG9560, a high-end firewall. The HRP and VGMP
packets of high-end firewalls are free of security policy control.
To ensure the interzone communications of multi-channel protocols, such as FTP,
application-specific packet filter (ASPF) must be configured between the zones.
The implicit security policy action of the firewall is set to deny. Traffic not matching any security policy
will be blocked.
IPS
To prevent the intrusion of zombies, Trojan horses, and worms, IPS must be deployed on
the firewall. IPS is implemented by referencing IPS profiles in security policies. In this
example, we need to reference an IPS profile in each security policy to inspect all traffic
allowed by security policies.
This example uses the predefined IPS profile, ids, which only alerts on attack packets
without blocking them. If the requirement on security is not very high, profile ids is
recommended to reduce the risk of IPS false positive. If the requirement on security is
relatively high, predefined IPS profile default is recommended to block intrusion
behavior.
Attack defense
To protect intranet servers and users from network attacks, SYN flood attack defense and
some single-packet attack defense functions need to be enabled.
11.2.5 NAT Planning
Source NAT
To ensure that intranet users can access the Internet through limited public IP addresses,
network address translation (NAT) must be deployed on the firewall. When an outbound
packet reaches the firewall, its source address will be translated into a public IP address,
and its source port will be randomly translated into an ephemeral port. In this way, one
public IP address can be used by multiple intranet users simultaneously to access the
Internet.
NAT Address Detection
If the public IP address mapped to an intranet user is blocked by the ISP due to the user's
misoperation on the Internet, other users sharing the same public IP address will not be
able to access the Internet. In this case, NAT address detection can be deployed on the
firewall to check whether the public IP addresses in the NAT address pool are blocked. If
no traffic is returned from the Internet to a public IP address in the address pool or if the
traffic volume from the Internet to a public IP address is below the threshold within a
specified period of time, this IP address will be excluded from the NAT address pool to
ensure that the address will not be used for address translation.
NAT ALG
When the NAT function is enabled and multi-channel protocols, such as FTP, need to be
used, NAT ALG must be enabled. In this example, multi-channel protocols, such as FTP,
SIP, H323, MGCP, and RTSP are used.
The configuration commands for NAT ALG and ASPF are the same, regardless of their different
implementation principles and functions.
418
Learn Firewalls with Dr. WoW
11.2.6 Intranet Server Planning
The media company provides hosting services for customers, such as schools, office networks
of companies, and web portals.
The hosted servers are deployed in the dmz of the intranet, so the server addresses are private
IP addresses. The servers, however, provide services for users on the Internet, so they must
offer public IP addresses for intranet and Internet users to access. Therefore, NAT server must
be deployed on the firewall to translate the servers' private addresses into public IP addresses
assigned by different ISPs for their users.
A DNS server is deployed in the server area to translate the domain names of the servers into
public IP addresses. By deploying the intelligent DNS on the firewall, the domain name of a
server is resolved into the public IP address assigned by the ISP that serves the user who
requested the server. In this way, the server access latency is minimized and user experience is
optimized.
11.2.7 Log Planning
The eSight log server on the firewall can collect, query, and display the log reports. The
session logs on the firewall can be used to query the address information before and after NAT.
The IM online and offline logs on the firewall can be used to check and analyze users' IM
online and offline information.
11.3 Configuration Procedure
Step 1 Configure interface IP addresses, and add the interfaces to security zones.
# Configure the interface IP addresses on FW1.
<FW1> system-view
[FW1] interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1] ip address
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2] ip address
[FW1-GigabitEthernet1/0/2] quit
[FW1] interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3] ip address
[FW1-GigabitEthernet1/0/3] quit
[FW1] interface GigabitEthernet 1/0/4
[FW1-GigabitEthernet1/0/4] ip address
[FW1-GigabitEthernet1/0/4] quit
[FW1] interface GigabitEthernet 1/0/5
[FW1-GigabitEthernet1/0/5] ip address
[FW1-GigabitEthernet1/0/5] quit
10.0.1.1 24
10.0.2.1 24
10.0.3.1 24
10.0.5.1 24
10.0.7.1 24
# Configure the interface IP addresses on FW2.
<FW2> system-view
[FW2] interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1] ip address 10.0.1.2 24
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface GigabitEthernet 1/0/2
[FW2-GigabitEthernet1/0/2] ip address 10.0.2.2 24
[FW2-GigabitEthernet1/0/2] quit
419
Learn Firewalls with Dr. WoW
[FW2] interface GigabitEthernet 1/0/3
[FW2-GigabitEthernet1/0/3] ip address 10.0.4.1 24
[FW2-GigabitEthernet1/0/3] quit
[FW2] interface GigabitEthernet 1/0/4
[FW2-GigabitEthernet1/0/4] ip address 10.0.6.1 24
[FW2-GigabitEthernet1/0/4] quit
[FW2] interface GigabitEthernet 1/0/5
[FW2-GigabitEthernet1/0/5] ip address 10.0.7.2 24
[FW2-GigabitEthernet1/0/5] quit
# Create security zones on FW1 and add FW1 interfaces to security zones. The security zones
on FW2 are configured in the same way.
[FW1] firewall zone name isp1
[FW1-zone-isp1] set priority 10
[FW1-zone-isp1] add interface GigabitEthernet1/0/1
[FW1-zone-isp1] quit
[FW1] firewall zone name isp2
[FW1-zone-isp2] set priority 15
[FW1-zone-isp2] add interface GigabitEthernet1/0/2
[FW1-zone-isp2] quit
[FW1] firewall zone trust
[FW1-zone-trust] add interface GigabitEthernet1/0/3
[FW1-zone-trust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface GigabitEthernet1/0/4
[FW1-zone-dmz] quit
[FW1] firewall zone name heart
[FW1-zone-heart] set priority 75
[FW1-zone-heart] add interface GigabitEthernet1/0/5
[FW1-zone-heart] quit
Step 2 Configure default routes.
# Configure IP-Link to detect whether the ISP links are normal.
[FW1] ip-link check enable
[FW1] ip-link 1 destination 1.1.1.2 interface GigabitEthernet1/0/1
[FW1] ip-link 2 destination 2.2.2.2 interface GigabitEthernet1/0/2
# Create two default routes and set the next hops to the IP addresses assigned by ISP1 and
ISP2.
[FW1] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 track ip-link 1
[FW1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 track ip-link 2
[Dr. WoW's comment] When a link monitored by IP-Link is faulty, the static route or
policy-based route bound to it will become invalid.
# The IP-Link and default route configurations on FW2 are the same as those on FW1.
Step 3 Configure ISP routing function.
1.
Obtain the latest destination IP address ranges from each ISP.
2.
Edit the csv files of each ISP in the following format. The figure below is for reference
only; the addresses provided by local ISP may differ.
420
Learn Firewalls with Dr. WoW
3.
Import all csv files.
4.
Run the following commands to load the csv files and specify the next hops.
[FW1] isp set filename isp2.csv GigabitEthernet 1/0/1 next-hop 1.1.1.2 track ip-link
1
[FW1] isp set filename isp2.csv GigabitEthernet 1/0/2 next-hop 2.2.2.2 track ip-link
2
5.
ISP routing configurations on FW2 are the same.
Step 4 Configure policy-based routes.
# Configure an ACL on FW1 to permit the packets from intranet users.
[FW1] acl number 2000
[FW1-acl-basic-2000] rule permit source 10.0.0.0 0.0.0.255
[FW1-acl-basic-2000] quit
# Configure a user-defined application group on FW1, and add P2P and web video
applications to the group.
[FW1] sa
[FW1-sa] app-set p2p_web_video
[FW1-sa-p2p_web_video] category p2p
[FW1-sa-p2p_web_video] web_video
[FW1-sa-p2p_web_video] quit
[FW1-sa] quit
# Configure a traffic classifier on FW1 to match the P2P and web video traffic from the
intranet.
[FW1] traffic classifier class1
[FW1-classifier-class1] if-match acl 2000 app-set p2p_web_video
[FW1-classifier-class1] quit
# Configure a traffic behavior on FW1 to redirect the traffic to ISP2.
[FW1] traffic behavior behavior1
[FW1-behavior-behavior1] redirect ip-nexthop 2.2.2.2 interface GigabitEthernet 1/0/1
421
Learn Firewalls with Dr. WoW
# Define a traffic policy on FW1 to associate the traffic class with the traffic behavior.
[FW1] traffic policy policy1
[FW1-trafficpolicy-policy1] classifier class1 behavior behavior1
[FW1-trafficpolicy-policy1] quit
# Apply the traffic policy on FW1's GE1/0/3 interface to enable policy-based routing function.
[FW1] interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3] traffic-policy policy1 inbound
[FW1-GigabitEthernet1/0/3] quit
[Dr. WoW's comment] To enable policy-based routing, the traffic policy must be applied to
the inbound interface to control the traffic, and the direction must be set to inbound.
# The configurations of policy-based routes on FW2 are the same.
Step 5 Configure OSPF.
# Configure open shortest path first (OSPF) on FW1 and advertise the networks connected to
the downlink interfaces.
[FW1] ospf 1
[FW1-ospf-1] area 0
[FW1-ospf-1-area-0.0.0.0] network 10.0.3.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0] network 10.0.5.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0] quit
[FW1-ospf-1] quit
# Configure OSPF on FW2 and advertise the networks connected to the downlink interfaces.
[FW2] ospf 1
[FW2-ospf-1] area 0
[FW2-ospf-1-area-0.0.0.0] network 10.0.4.0 0.0.0.255
[FW2-ospf-1-area-0.0.0.0] network 10.0.6.0 0.0.0.255
[FW2-ospf-1-area-0.0.0.0] quit
[FW2-ospf-1] quit
Step 6 Enable the hot standby function.
# Configure a VRRP group on FW1's uplink interfaces and set the state to Master.
[FW1] interface GigabitEthernet1/0/1
[FW1-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 30 master
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface GigabitEthernet1/0/2
[FW1-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 2.2.2.1 30 master
[FW1-GigabitEthernet1/0/1] quit
# Configure a VGMP group on FW1 to monitor the downlink interfaces.
[FW1] hrp track interface GigabitEthernet1/0/3
[FW1] hrp track interface GigabitEthernet1/0/4
# Configure a heartbeat interface on FW1, and enable the hot standby function.
[FW1] hrp interface GigabitEthernet1/0/5 remote 10.0.7.2
[FW1] hrp enable
# Configure a VRRP group on FW2's uplink interfaces and set the state to Slave.
[FW2] interface GigabitEthernet1/0/1
422
Learn Firewalls with Dr. WoW
[FW2-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 30 slave
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface GigabitEthernet1/0/2
[FW2-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 2.2.2.1 30 slave
[FW2-GigabitEthernet1/0/1] quit
# Configure a VGMP group on FW2 to monitor the downlink interfaces.
[FW2] hrp track interface GigabitEthernet1/0/3
[FW2] hrp track interface GigabitEthernet1/0/4
# Configure a heartbeat interface on FW2, and enable the hot standby function.
[FW2] hrp interface GigabitEthernet1/0/5 remote 10.0.7.1
[FW2] hrp enable
[Dr. WoW's comment] When hot standby is successfully enabled, most of the configurations
can be backed up. Therefore, in the following steps, we will only illustrate the configurations
on FW1, the master device (except for specified configurations).
Step 7 Enable intelligent routing function.
# Set the intelligent routing mode on FW1 to least latency.
HRP_M[FW1] ucmp group ucmp1 mode proportion-of-intelligent-control
# Set the mask length for intelligent routes on FW1 to 24.
HRP_M[FW1] ucmp group ucmp1 intelligent-control-mask 24
# Add GigabitEthernet1/0/1 on FW1 to the UCMP1 group, and set the source IP address for
remote host health check to 10.0.1.1.
HRP_M[FW1] interface GigabitEthernet 1/0/1
HRP_M[FW1-GigabitEthernet1/0/1] ucmp-group ucmp1
HRP_M[FW1-GigabitEthernet1/0/1] healthcheck source-ip 10.0.1.1
HRP_M[FW1-GigabitEthernet1/0/1] quit
# Add GigabitEthernet1/0/2 on FW1 to the UCMP1 group, and set the source IP address for
remote host health check to 10.0.2.1.
HRP_M[FW1] interface GigabitEthernet 1/0/2
HRP_M[FW1-GigabitEthernet1/0/2] ucmp-group ucmp1
HRP_M[FW1-GigabitEthernet1/0/2] healthcheck source-ip 10.0.2.1
HRP_M[FW1-GigabitEthernet1/0/2] quit
[Dr. WoW's comment] All the intelligent routing configurations support the hot standby
except for the healthcheck source-ip command, which needs to be manually executed on
both firewalls.
# Set the health check source IP address on the GigabitEthernet1/0/1 interface of FW2 to
10.0.1.2.
HRP_S[FW1] interface GigabitEthernet 1/0/1
HRP_S[FW1-GigabitEthernet1/0/1] healthcheck source-ip 10.0.1.2
HRP_S[FW1-GigabitEthernet1/0/1] quit
# Set the health check source IP address on the GigabitEthernet1/0/2 interface of FW2 as
10.0.2.2.
HRP_S[FW2] interface GigabitEthernet 1/0/2
HRP_S[FW2-GigabitEthernet1/0/2] healthcheck source-ip 10.0.2.2
423
Learn Firewalls with Dr. WoW
HRP_S[FW2-GigabitEthernet1/0/2] quit
Step 8 Configure bandwidth management.
[Dr. WoW's comment] To configure bandwidth management, a traffic profile (a set of traffic
limiting actions) is created and referenced in a traffic policy. Pay attention that upload is in the
outbound direction and download is in the inbound direction. In addition, it is recommended
that P2P traffic be limited to 20% to 30% of the total bandwidth.
# The total bandwidth for traffic profiles is limited to 3 Gbit/s.
HRP_M[FW1] car-class p2p_web_video
HRP_M[FW1-car-class-p2p_web_video] cir 3000000 total
HRP_M[FW1-car-class-p2p_web_video] quit
# Configure inbound and outbound traffic policies in ISP1 zone to limit the download and
upload traffic of the P2P and web video, respectively.
HRP_M[FW1] car-policy zone isp1 inbound
HRP_M[FW1-car-policy-zone-isp1-inbound] policy 0
HRP_M[FW1-car-policy-zone-isp1-inbound-0] policy application category p2p
HRP_M[FW1-car-policy-zone-isp1-inbound-0] policy application category web_video
HRP_M[FW1-car-policy-zone-isp1-inbound-0] action car
HRP_M[FW1-car-policy-zone-isp1-inbound-0] car-class p2p_web_video
HRP_M[FW1-car-policy-zone-isp1-inbound-0] description limit_download
HRP_M[FW1-car-policy-zone-isp1-inbound-0] quit
HRP_M[FW1-car-policy-zone-isp1-inbound] quit
HRP_M[FW1] car-policy zone isp1 outbound
HRP_M[FW1-car-policy-zone-isp1-outbound] policy 0
HRP_M[FW1-car-policy-zone-isp1-outbound-0] policy application category p2p
HRP_M[FW1-car-policy-zone-isp1-outbound-0] policy application category web_video
HRP_M[FW1-car-policy-zone-isp1-outbound-0] action car
HRP_M[FW1-car-policy-zone-isp1-outbound-0] car-class p2p_web_video
HRP_M[FW1-car-policy-zone-isp1-outbound-0] description limit_upload
HRP_M[FW1-car-policy-zone-isp1-outbound-0] quit
HRP_M[FW1-car-policy-zone-isp1-outbound] quit
# Configure inbound and outbound traffic policies in ISP2 zone to limit the download and
upload traffic of the P2P and web video, respectively.
HRP_M[FW1] car-policy zone isp2 inbound
HRP_M[FW1-car-policy-zone-isp2-inbound] policy 0
HRP_M[FW1-car-policy-zone-isp2-inbound-0] policy application category p2p
HRP_M[FW1-car-policy-zone-isp2-inbound-0] policy application category web_video
HRP_M[FW1-car-policy-zone-isp2-inbound-0] action car
HRP_M[FW1-car-policy-zone-isp2-inbound-0] car-class p2p_web_video
HRP_M[FW1-car-policy-zone-isp2-inbound-0] description limit_download
HRP_M[FW1-car-policy-zone-isp2-inbound-0] quit
HRP_M[FW1-car-policy-zone-isp2-inbound] quit
HRP_M[FW1] car-policy zone isp2 outbound
HRP_M[FW1-car-policy-zone-isp2-outbound] policy 0
HRP_M[FW1-car-policy-zone-isp2-outbound-0] policy application category p2p
HRP_M[FW1-car-policy-zone-isp2-outbound-0] policy application category web_video
HRP_M[FW1-car-policy-zone-isp2-outbound-0] action car
HRP_M[FW1-car-policy-zone-isp2-outbound-0] car-class p2p_web_video
HRP_M[FW1-car-policy-zone-isp2-outbound-0] description limit_upload
HRP_M[FW1-car-policy-zone-isp2-outbound-0] quit
HRP_M[FW1-car-policy-zone-isp2-outbound] quit
424
Learn Firewalls with Dr. WoW
Step 9 Configure security policies and content security function.
# Configure an outbound security policy for the trust-isp1 interzone to enable intranet users to
access the Internet through ISP1 and to detect intrusions.
HRP_M[FW1] policy interzone trust isp1 outbound
HRP_M[FW1-policy-interzone-trust-isp1-outbound] policy 0
HRP_M[FW1-policy-interzone-trust-isp1-outbound-0] action permit
HRP_M[FW1-policy-interzone-trust-isp1-outbound-0] profile ips ids
HRP_M[FW1-policy-interzone-trust-isp1-outbound-0] quit
HRP_M[FW1-policy-interzone-trust-isp1-outbound] quit
# Configure an outbound security policy for the trust-isp2 interzone to enable intranet users to
access the Internet through ISP2 and to detect intrusions.
HRP_M[FW1] policy interzone trust isp2 outbound
HRP_M[FW1-policy-interzone-trust-isp2-outbound] policy 0
HRP_M[FW1-policy-interzone-trust-isp2-outbound-0] action permit
HRP_M[FW1-policy-interzone-trust-isp2-outbound-0] profile ips ids
HRP_M[FW1-policy-interzone-trust-isp2-outbound-0] quit
HRP_M[FW1-policy-interzone-trust-isp2-outbound] quit
# Configure inbound security policies for the isp1-dmz interzone to enable the Internet users
to access the web, FTP, and DNS servers in the dmz zone through the ISP1 link and to detect
intrusions.
HRP_M[FW1] policy interzone isp1 dmz inbound
HRP_M[FW1-policy-interzone-isp1-dmz-inbound] policy 0
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-0] policy destination 10.0.10.10
0.0.0.255
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-0] policy service service-set http
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-0] action permit
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-0] profile ips ids
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-0] quit
HRP_M[FW1-policy-interzone-isp1-dmz-inbound] policy 1
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-1] policy destination 10.0.10.11
0.0.0.255
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-1] policy service service-set ftp
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-1] action permit
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-1] profile ips ids
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-1] quit
HRP_M[FW1-policy-interzone-isp1-dmz-inbound] policy 2
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-2] policy destination 10.0.10.20
0.0.0.255
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-2] policy service service-set dns
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-2] action permit
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-2] profile ips ids
HRP_M[FW1-policy-interzone-isp1-dmz-inbound-2] quit
HRP_M[FW1-policy-interzone-isp1-dmz-inbound] quit
# Configure inbound security policies for the isp2-dmz interzone to enable the Internet users
to access the web, FTP, and DNS servers in the dmz zone through the ISP2 link and to detect
intrusions.
HRP_M[FW1] policy interzone isp2 dmz inbound
HRP_M[FW1-policy-interzone-isp2-dmz-inbound] policy 0
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-0] policy destination 10.0.10.10
0.0.0.255
425
Learn Firewalls with Dr. WoW
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-0] policy service service-set http
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-0] action permit
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-0] profile ips ids
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-0] quit
HRP_M[FW1-policy-interzone-isp2-dmz-inbound] policy 1
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-1] policy destination 10.0.10.11
0.0.0.255
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-1] policy service service-set ftp
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-1] action permit
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-1] profile ips ids
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-1] quit
HRP_M[FW1-policy-interzone-isp2-dmz-inbound] policy 2
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-2] policy destination 10.0.10.20
0.0.0.255
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-2] policy service service-set dns
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-2] action permit
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-2] profile ips ids
HRP_M[FW1-policy-interzone-isp2-dmz-inbound-2] quit
HRP_M[FW1-policy-interzone-isp2-dmz-inbound] quit
# Configure outbound security policies for the trust-dmz interzone to enable the intranet users
to access the web, FTP, and DNS servers in the dmz zone and to detect intrusions.
HRP_M[FW1] policy interzone trust dmz outbound
HRP_M[FW1-policy-interzone-trust-dmz-outbound] policy 0
HRP_M[FW1-policy-interzone-trust-dmz-outbound-0] policy destination 10.0.10.10
0.0.0.255
HRP_M[FW1-policy-interzone-trust-dmz-outbound-0] policy service service-set http
HRP_M[FW1-policy-interzone-trust-dmz-outbound-0] action permit
HRP_M[FW1-policy-interzone-trust-dmz-outbound-0] profile ips ids
HRP_M[FW1-policy-interzone-trust-dmz-outbound-0] quit
HRP_M[FW1-policy-interzone-trust-dmz-outbound] policy 1
HRP_M[FW1-policy-interzone-trust-dmz-outbound-1] policy destination 10.0.10.11
0.0.0.255
HRP_M[FW1-policy-interzone-trust-dmz-outbound-1] policy service service-set ftp
HRP_M[FW1-policy-interzone-trust-dmz-outbound-1] action permit
HRP_M[FW1-policy-interzone-trust-dmz-outbound-1] profile ips ids
HRP_M[FW1-policy-interzone-trust-dmz-outbound-1] quit
HRP_M[FW1-policy-interzone-trust-dmz-outbound] policy 2
HRP_M[FW1-policy-interzone-trust-dmz-outbound-2] policy destination 10.0.10.20
0.0.0.255
HRP_M[FW1-policy-interzone-trust-dmz-outbound-2] policy service service-set dns
HRP_M[FW1-policy-interzone-trust-dmz-outbound-2] action permit
HRP_M[FW1-policy-interzone-trust-dmz-outbound-2] profile ips ids
HRP_M[FW1-policy-interzone-trust-dmz-outbound-2] quit
HRP_M[FW1-policy-interzone-trust-dmz-outbound] quit
# Configure outbound and inbound security policies for the local-dmz interzone to enable the
connection between the firewall and the log server.
HRP_M[FW1] policy interzone local dmz outbound
HRP_M[FW1-policy-interzone-local-dmz-outbound] policy 0
HRP_M[FW1-policy-interzone-local-dmz-outbound-0] policy destination 10.0.10.30
0.0.0.255
HRP_M[FW1-policy-interzone-local-dmz-outbound-0] action permit
HRP_M[FW1-policy-interzone-local-dmz-outbound-0] quit
HRP_M[FW1-policy-interzone-local-dmz-outbound] quit
426
Learn Firewalls with Dr. WoW
HRP_M[FW1] policy interzone local dmz inbound
HRP_M[FW1-policy-interzone-local-dmz-inbound] policy 0
HRP_M[FW1-policy-interzone-local-dmz-inbound-0] policy source 10.0.10.30 0.0.0.255
HRP_M[FW1-policy-interzone-local-dmz-inbound-0] action permit
HRP_M[FW1-policy-interzone-local-dmz-inbound-0] quit
HRP_M[FW1-policy-interzone-local-dmz-inbound] quit
# Enable the IPS function and set scheduled online update of the signature database.
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
ips enable
update schedule ips-sdb enable
update schedule weekly sun 02:00
update schedule sa-sdb enable
update schedule weekly sun 03:00
undo update confirm ips-sdb enable
undo update confirm sa-sdb enable
# Configure the DNS server address of the firewall so that the firewall can access the security
center platform's domain name and download the signature database.
HRP_M[FW1] dns resolve
HRP_M[FW1] dns server 202.106.0.20
Step 10 Enable attack defense function.
HRP_M[FW1] firewall
HRP_M[FW1] firewall
HRP_M[FW1] firewall
HRP_M[FW1] firewall
HRP_M[FW1] firewall
HRP_M[FW1] firewall
HRP_M[FW1] firewall
HRP_M[FW1] firewall
HRP_M[FW1] firewall
HRP_M[FW1] firewall
tcp-proxy auto
HRP_M[FW1] firewall
tcp-proxy auto
defend
defend
defend
defend
defend
defend
defend
defend
defend
defend
land enable
smurf enable
fraggle enable
winnuke enable
source-route enable
route-record enable
time-stamp enable
ping-of-death enable
syn-flood enable
syn-flood interface GigabitEthernet1/0/1 max-rate 100000
defend syn-flood interface GigabitEthernet1/0/2 max-rate 100000
[Dr. WoW's comment] The above attack defense functions would suffice for general security
purposes.
For SYN flood attack defense, the recommended threshold on the 10GE interfaces is 100,000
pps.
Step 11 Configure source NAT.
# Configure the NAT address pool isp1 on FW1.
HRP_M[FW1] nat address-group isp1
HRP_M[FW1-address-group-isp1] mode pat
HRP_M[FW1-address-group-isp1] section 1.1.1.10 1.1.1.12
HRP_M[FW1-address-group-isp1] quit
# Configure NAT policy for the trust-isp1 interzone on FW1 to translate the source IP
addresses of the packets from the trust zone into the IP addresses in the address pool isp1.
HRP_M[FW1] nat-policy interzone trust isp1 outbound
HRP_M[FW1-nat-policy-interzone-trust-isp1-outbound] policy 0
HRP_M[FW1-nat-policy-interzone-trust-isp1-outbound-0] action source-nat
427
Learn Firewalls with Dr. WoW
HRP_M[FW1-nat-policy-interzone-trust-isp1-outbound-0] address-group isp1
# Configure the NAT address pool isp2 on FW1.
HRP_M[FW1] nat address-group isp2
HRP_M[FW1-address-group-isp2] mode pat
HRP_M[FW1-address-group-isp2] section 2.2.2.10 2.2.2.12
HRP_M[FW1-address-group-isp2] quit
# Configure NAT policy for the trust-isp2 interzone on FW1 to translate the source IP
addresses of the packets from the trust zone into the IP addresses in the address pool isp2.
HRP_M[FW1] nat-policy interzone trust isp2 outbound
HRP_M[FW1-nat-policy-interzone-trust-isp2-outbound] policy 0
HRP_M[FW1-nat-policy-interzone-trust-isp2-outbound-0] action source-nat
HRP_M[FW1-nat-policy-interzone-trust-isp2-outbound-0] address-group isp2
# Configure a black-hole route on FW1 and advertise the public IP addresses in the NAT
address pool.
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
ip
ip
ip
ip
ip
ip
route-static
route-static
route-static
route-static
route-static
route-static
1.1.1.10
1.1.1.11
1.1.1.12
2.2.2.10
2.2.2.11
2.2.2.12
32
32
32
32
32
32
NULL
NULL
NULL
NULL
NULL
NULL
0
0
0
0
0
0
# Configure a black-hole route on FW2 and advertise the public IP addresses in the NAT
address pool.
HRP_S[FW2]
HRP_S[FW2]
HRP_S[FW2]
HRP_S[FW2]
HRP_S[FW2]
HRP_S[FW2]
ip
ip
ip
ip
ip
ip
route-static
route-static
route-static
route-static
route-static
route-static
1.1.1.10
1.1.1.11
1.1.1.12
2.2.2.10
2.2.2.11
2.2.2.12
32
32
32
32
32
32
NULL
NULL
NULL
NULL
NULL
NULL
0
0
0
0
0
0
[Dr. WoW's comment] Route configuration cannot be backed up, so the blackhole routes must
be configured on both firewalls.
Step 12 Configure NAT ALG.
[Dr. WoW's comment] The configuration commands for NAT ALG and ASPF are the same.
# Configure NAT ALG between the trust zone and other zones.
HRP_M[FW1] firewall interzone trust isp1
HRP_M[FW1-interzone-trust-isp1] detect ftp
HRP_M[FW1-interzone-trust-isp1] detect sip
HRP_M[FW1-interzone-trust-isp1] detect h323
HRP_M[FW1-interzone-trust-isp1] detect mgcp
HRP_M[FW1-interzone-trust-isp1] detect rtsp
HRP_M[FW1-interzone-trust-isp1] detect qq
HRP_M[FW1-interzone-trust-isp1] quit
HRP_M[FW1] firewall interzone trust isp2
HRP_M[FW1-interzone-trust-isp2] detect ftp
HRP_M[FW1-interzone-trust-isp2] detect sip
HRP_M[FW1-interzone-trust-isp2] detect h323
HRP_M[FW1-interzone-trust-isp2] detect mgcp
HRP_M[FW1-interzone-trust-isp2] detect rtsp
428
Learn Firewalls with Dr. WoW
HRP_M[FW1-interzone-trust-isp2] detect qq
HRP_M[FW1-interzone-trust-isp2] quit
HRP_M[FW1] firewall interzone trust dmz
HRP_M[FW1-interzone-trust-dmz] detect ftp
HRP_M[FW1-interzone-trust-dmz] detect sip
HRP_M[FW1-interzone-trust-dmz] detect h323
HRP_M[FW1-interzone-trust-dmz] detect mgcp
HRP_M[FW1-interzone-trust-dmz] detect rtsp
HRP_M[FW1-interzone-trust-dmz] detect qq
HRP_M[FW1-interzone-trust-dmz] quit
# Configure NAT ALG for the dmz-isp1 and dmz-isp2 interzones.
HRP_M[FW1] firewall interzone
HRP_M[FW1-interzone-dmz-isp1]
HRP_M[FW1-interzone-dmz-isp1]
HRP_M[FW1-interzone-dmz-isp1]
HRP_M[FW1-interzone-dmz-isp1]
HRP_M[FW1-interzone-dmz-isp1]
HRP_M[FW1-interzone-dmz-isp1]
HRP_M[FW1-interzone-dmz-isp1]
HRP_M[FW1] firewall interzone
HRP_M[FW1-interzone-dmz-isp2]
HRP_M[FW1-interzone-dmz-isp2]
HRP_M[FW1-interzone-dmz-isp2]
HRP_M[FW1-interzone-dmz-isp2]
HRP_M[FW1-interzone-dmz-isp2]
HRP_M[FW1-interzone-dmz-isp2]
HRP_M[FW1-interzone-dmz-isp2]
dmz isp1
detect ftp
detect sip
detect h323
detect mgcp
detect rtsp
detect qq
quit
dmz isp2
detect ftp
detect sip
detect h323
detect mgcp
detect rtsp
detect qq
quit
Step 13 Configure NAT server and intelligent DNS.
# Configure NAT server function to map the private IP address of the web server to the public
IP addresses that could be accessed by ISP1 and ISP2 users.
HRP_M[FW1] nat server 1 zone isp1 global 1.1.1.15 inside 10.0.10.10
HRP_M[FW1] nat server 2 zone isp2 global 2.2.2.15 inside 10.0.10.10
# Configure NAT server function to map the private IP address of the FTP server to the public
IP addresses that could be accessed by ISP1 and ISP2 users.
HRP_M[FW1] nat server 3 zone isp1 global 1.1.1.16 inside 10.0.10.11
HRP_M[FW1] nat server 4 zone isp2 global 2.2.2.16 inside 10.0.10.11
# Configure NAT server function to map the private IP address of the DNS server to the
public IP addresses that could be accessed by ISP1 and ISP2 users.
HRP_M[FW1] nat server 5 zone isp1 global 1.1.1.17 inside 10.0.10.20
HRP_M[FW1] nat server 6 zone isp2 global 2.2.2.17 inside 10.0.10.20
# Configure intelligent DNS to ensure that the domain name of an intranet server is resolved
into the address assigned by the ISP that serves the user to increase access speed. For instance,
when accessing the intranet web server 10.0.10.10, ISP1 users will obtain the address
assigned by ISP1, which is 1.1.1.15, while ISP2 users will obtain the address assigned by
ISP2, which is 2.2.2.15.
HRP_M[FW1] dns-smart enable
HRP_M[FW1] dns-smart group 1 type single
HRP_M[FW1-dns-smart-group-1] real-server-ip 10.0.10.10
429
Learn Firewalls with Dr. WoW
HRP_M[FW1-dns-smart-group-1]
HRP_M[FW1-dns-smart-group-1]
HRP_M[FW1-dns-smart-group-1]
HRP_M[FW1] dns-smart group 2
HRP_M[FW1-dns-smart-group-2]
HRP_M[FW1-dns-smart-group-2]
HRP_M[FW1-dns-smart-group-2]
HRP_M[FW1-dns-smart-group-2]
out-interface GigabitEthernet
out-interface GigabitEthernet
quit
type single
real-server-ip 10.0.10.11
out-interface GigabitEthernet
out-interface GigabitEthernet
quit
1/0/1 map 1.1.1.15
1/0/2 map 2.2.2.15
1/0/1 map 1.1.1.16
1/0/2 map 2.2.2.16
# Configure a black-hole route on FW1 and advertise the post-NAT public IP addresses.
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
HRP_M[FW1]
ip
ip
ip
ip
ip
ip
route-static
route-static
route-static
route-static
route-static
route-static
1.1.1.15
1.1.1.16
1.1.1.17
2.2.2.15
2.2.2.16
2.2.2.17
32
32
32
32
32
32
NULL
NULL
NULL
NULL
NULL
NULL
0
0
0
0
0
0
# Configure a black-hole route on FW2 and advertise the post-NAT public IP addresses.
HRP_M[FW2]
HRP_M[FW2]
HRP_M[FW2]
HRP_M[FW2]
HRP_M[FW2]
HRP_M[FW2]
ip
ip
ip
ip
ip
ip
route-static
route-static
route-static
route-static
route-static
route-static
1.1.1.15
1.1.1.16
1.1.1.17
2.2.2.15
2.2.2.16
2.2.2.17
32
32
32
32
32
32
NULL
NULL
NULL
NULL
NULL
NULL
0
0
0
0
0
0
[Dr. WoW's comment] Route configuration cannot be backed up, so the blackhole routes must
be configured on both firewalls.
Step 14 Enable NAT source tracing and IM logging function.
[Dr. WoW's comment] NAT source tracing is enabled to check the addresses before and after
NAT. Our approach is to configure audit function on the firewall to generate session logs,
which are then sent to the log host. On the log host, we can check the session logs through
eSight to check the addresses before and after NAT.
# Enable the firewall to send session logs to port 9002 of the log host (10.1.10.30), and
configure both inbound and outbound audit policies between the trust zone and the isp1/isp2
zone.
HRP_M[FW1] firewall log source 10.0.5.1 9002
HRP_M[FW1] firewall log host 2 10.0.10.30 9002
HRP_M[FW1] audit-policy interzone trust isp1 outbound
HRP_M[FW1-audit-policy-interzone-trust-isp1-outbound] policy 0
HRP_M[FW1-audit-policy-interzone-trust-isp1-outbound-0] action audit
HRP_M[FW1-audit-policy-interzone-trust-isp1-outbound-0] quit
HRP_M[FW1-audit-policy-interzone-trust-isp1-outbound] quit
HRP_M[FW1] audit-policy interzone trust isp1 inbound
HRP_M[FW1-audit-policy-interzone-trust-isp1-inbound] policy 0
HRP_M[FW1-audit-policy-interzone-trust-isp1-inbound-0] action audit
HRP_M[FW1-audit-policy-interzone-trust-isp1-inbound-0] quit
HRP_M[FW1-audit-policy-interzone-trust-isp1-inbound] quit
HRP_M[FW1] audit-policy interzone trust isp2 outbound
HRP_M[FW1-audit-policy-interzone-trust-isp2-outbound] policy 0
HRP_M[FW1-audit-policy-interzone-trust-isp2-outbound-0] action audit
HRP_M[FW1-audit-policy-interzone-trust-isp2-outbound-0] quit
HRP_M[FW1-audit-policy-interzone-trust-isp2-outbound] quit
430
Learn Firewalls with Dr. WoW
HRP_M[FW1] audit-policy interzone trust isp2 inbound
HRP_M[FW1-audit-policy-interzone-trust-isp2-inbound] policy 0
HRP_M[FW1-audit-policy-interzone-trust-isp2-inbound-0] action audit
HRP_M[FW1-audit-policy-interzone-trust-isp2-inbound-0] quit
HRP_M[FW1-audit-policy-interzone-trust-isp2-inbound] quit
# Enable IM logging delivery function on FW1.
HRP_M[FW1] firewall log im enable
# The above log configurations on FW1 will be backed up to FW2. The source IP address of
the log will not be backed up, so we configure it on FW2.
HRP_S[FW2] firewall log source 10.0.6.1 9002
# Configure the SNMP on FW1 to connect FW1 with the eSight. The SNMP parameters on
eSight must be the same as those on FW1.
HRP_M[FW1] snmp-agent sys-info v3
HRP_M[FW1] snmp-agent group v3 NMS1 privacy
HRP_M[FW1] snmp-agent usm-user v3 admin1 NMS1 authentication-mode md5 Admin@123
privacy-mode aes256 Admin@123
# SNMP configuration is not backed up; therefore, we must configure SNMP on FW2 to
connect FW2 with the eSight. The SNMP parameters on eSight must be the same as those on
FW2.
HRP_S[FW2] snmp-agent sys-info v3
HRP_S[FW2] snmp-agent group v3 NMS1 privacy
HRP_S[FW2] snmp-agent usm-user v3 admin1 NMS1 authentication-mode md5 Admin@456
privacy-mode aes256 Admin@456
# After eSight is configured, choose Business > Security Business > LogCenter > Log
Analysis > Session Analysis > IPv4 Session Query to check session logs; choose Log
Analysis > Network Security Analysis > IM to check IM logs.
----End
11.4 Highlights
This example illustrates the typical application of firewall at the egress of the media
company's intranet to the Internet. If you are facing the same scenario, this example will
be a good reference.
This is a typical hot standby network of "firewalls are connected to upstream switches
and downstream routers".
This example demonstrates the multiple egress routing methods of the firewall as
gateway, including ISP routing, intelligent routing, policy-based routing, and intelligent
DNS.
This example shows the application identification and control capabilities of the firewall.
The firewall can identify port information and various applications, and carry out
application-based access control, policy-based routing, and traffic control.
431
Learn Firewalls with Dr. WoW
12
Firewall Deployment on Stadium
Network
12.1 Networking Requirements
As shown in Figure 12-1, two firewalls (USG6680 V100R001C20) are deployed as gateways
at the egress of the stadium network to provide broadband access. FW1 and FW2 are
connected to the same carrier through its a domestic link and an international link.
Another two firewalls (USG6680 V100R001C20) are deployed at the egress of the data center
inside the stadium to protect the server.
432
Learn Firewalls with Dr. WoW
Figure 12-1 Stadium networking
Domestic
GW
5.1.1.89/30
GE1/0/9
5.1.1.90/30
FW1
GE1/0/8
192.168.166.35/29
192.168.166.34/29
R1
International
GW
5.1.1.93/30
BGP
Eth-trunk 1
1.1.1.2/30
BGP
GE1/0/9
5.1.1.94/30
FW2
Eth-trunk 1
1.1.1.1/30
GE1/0/8
OSPF 192.168.166.19/29
OSPF
FW4
192.168.166.18/29
GE1/0/8
R2
Active
Standby
Standby
Active
Core switch
Eth-trunk 1
2.2.2.1/30
VLAN2100
GE1/0/9
Eth-trunk 1
2.2.2.2/30
Data
center
GE1/0/9
VLAN2200
GE1/0/8
FW3
West end
East end
The requirements on firewalls at the egress are as follows:
BGP is running between the firewalls serving as egress gateways and the carrier routers,
and OSPF is running between the firewalls and internal routers.
The two firewalls work in hot standby mode to improve network availability.
To ensure that users in the stadium can simultaneously access the Internet, NAT must be
deployed on the firewalls.
To ensure internal network security, traffic should only be initiated from the intranet to
the Internet, and security functions, such as IPS, antivirus, and URL filtering, must be
deployed on the firewall.
The requirements on internal data center firewalls:
The firewalls are deployed between the routers and the data center switch in transparent
mode (service interfaces working at Layer 2).
The two firewalls work in hot standby mode to improve network availability.
To ensure the data center network security, traffic should only be initiated from the
intranet to the Internet, and IPS and antivirus functions must be deployed on the firewall.
433
Learn Firewalls with Dr. WoW
12.2 Network Planning (For Egress Firewall)
12.2.1 BGP Planning
Users in the stadium can access the Internet through two nodes at different levels of the same
carrier. As mentioned previously, one ISP link is connected to the domestic gateway and the
other to the international gateway. The domestic gateway advertises domestic routes while the
international gateway advertises international routes to the stadium through BGP. In this
manner, the optimal paths can be used for users to access Internet sites hosted on different
locations.
The dual-link in this example is rather common outside of China.
12.2.2 OSPF Planning
Redistribute BGP routes into OSPF
The IGP routing table has a smaller capacity than the BGP routing table and cannot hold
the Internet routes. Therefore, BGP routes cannot be redistributed into IGP. Therefore,
you must redistribute only the default routes advertised by the carrier routers using the
default-route-advertise command in OSPF.
Advertise OSPF routes
To run OSPF between egress firewalls and downstream intranet routers, routes to the
intranet must be advertised in OSPF on the firewalls. Pay attention to the following
points:
−
The designated router (DR) election in OSPF takes dozens of seconds; however,
because OSPF is running only on the firewall and the intranet router for each network,
and the two devices are directly connected, so the network-type of OSPF can be
configured as p2p to save the time of DR election. In addition, P2P OSPF packets are
multicast packets, free of security policy control.
−
The heartbeat cables on the firewall are used only for the synchronization of
configuration commands and state information; therefore it is unnecessary to
advertise their addresses in OSPF.
Speed up route convergence
Enable the interworking of BFD and OSPF on the egress firewalls and intranet routers.
12.2.3 Hot Standby Planning
Hot standby networking
The network where the egress firewall is connected to the upstream carrier router and
downstream intranet router is a typical hot standby network where "firewall service
interfaces work at Layer 3 and connect to upstream and downstream routers". The
difference lies in the fact that BGP is running between the firewall and the upstream
router while OSPF is running between the firewall and the downstream router in this
example. We use VGMP group to directly monitor service interfaces in such networking.
Hot standby solution
Hot standby in load balancing mode is used in this example in consideration of the
following points:
−
The volume of traffic from the intranet to the Intranet is relatively high. Because IPS,
antivirus, and NAT need to be enabled on each egress firewall, the forwarding
434
Learn Firewalls with Dr. WoW
performance may be downgraded and inadequate for the traffic to the Internet without
load balancing.
−
The carrier provides one domestic link and one international link. If active/standby
backup mode is used, one of the links will be idle and the traffic cannot be forwarded
through the optimal path.
12.2.4 Security Function Planning
The following security functions are configured on the egress firewall:
Security zone: Generally, we will add the outside interfaces (interfaces connected to
external networks) to the untrust zone and the inside interfaces (interfaces connected to
internal networks) to the trust zone.
Security policy: To ensure internal network security, traffic can be initiated only from the
intranet to the Internet; therefore, security policy must be configured on egress firewalls
to allow the users in the trust zone to access the untrust zone.
IPS: To prevent the intrusion of zombies, Trojan horses and worms, IPS must be
deployed on the egress firewalls. This example uses the predefined IPS profile, ids,
which only alerts on attack packets without blocking them. If the requirement on security
is not very high, profile ids is recommended to reduce the risk of IPS false positive.
Antivirus: to prevent virus intrusion, antivirus function must be enabled on egress
firewalls. This example uses the predefined profile, default. During the initial
deployment of the firewall, predefined antivirus profile, default, is generally used. After
the firewall runs for a period of time, the administrator can customize the profile based
on the network operation.
URL filtering: To regulate the online behavior of intranet and Internet users, URL
filtering function must be deployed on egress firewalls. This example uses the
user-defined profile, url filtering. This profile blocks the access to specified URLs, and
marks the QoS priority of specified URLs for upstream and downstream routers to
control the traffic from these websites.
12.2.5 NAT Planning
To allow intranet users to access the Internet through limited number of public IP addresses,
network address translation (NAT) function must be deployed on egress firewall.
The number of needed public IP addresses
The IP addresses of outgoing interfaces of the firewalls and those in the NAT address
pools must be public IP address provided by the carrier. When deciding the number of
public addresses in the NAT address pool, consider the following factors:
−
Number of applications a public IP address can support
−
Estimated the per-user concurrent applications based on the traffic model
−
Number of concurrent users
Here is an example:
−
Empirical data: in this example, on average, each public IP address can support
60,000 applications, and each user runs 10 applications concurrently.
−
We assume that the number of concurrent users is 48,000, according to the empirical
data, eight public IP addresses are required, however, 10 are recommended for
redundancy.
435
Learn Firewalls with Dr. WoW
NAT ALG ensures the NAT of multi-channel protocols
When the NAT function and the forwarding of multi-channel protocol packets, such as
FTP packets, are enabled on the firewall, the NAT ALG function must be enabled. In this
example, three multi-channel protocols, FTP, SIP, H323, are used. Therefore, NAT ALG
must be enabled for them.
12.2.6 Planning for Inconsistent Forward and Return Paths
The IPS and antivirus functions require that the forward and return packets of a flow pass
through the same firewall. For example, if the packets from an intranet user to the Internet are
forwarded through FW1, the return packets must also be forwarded through FW1.
However, FW1 and FW2 both forward traffic in load balancing mode. As a result, the forward
and return packets may take different paths. Therefore, we need some sophisticated
configurations to ensure consistent forward and return paths.
We must first ensure that traffic from the west end (east end) to the Internet is forwarded to
FW1 (FW2), on which the source addresses are translated to public addresses in address pool
natpool1 (natpool2). To achieve this, the following configurations are required:
Configure two VRRP groups on each downlink interface of the intranet routers to
balance load (back up each other). Set the gateway to the address of VRRP group 1 in the
west end and the address of VRRP group 2 in the east end. In this way, the traffic from
the west end will be forwarded to FW1 via Router1; the traffic from the east end will be
forwarded to FW2 via Router2.
Divide the received public IP addressed into two parts and respectively assign them to
the NAT address pools natpool1 and natpool2. Then configure two NAT policies,
nat_policy1 and nat_policy2. The source addresses in nat_policy1 are the addresses of
the west end users, and natpool1 is referenced; the source addresses in nat_policy2 are
the addresses of the east end users, and natpool2 is referenced. We only need to
configure these on FW1 because the configurations will be synchronized to FW2.
In this manner, the source address of a packet from the west end will be translated into
an address in natpool1 on FW1; and the source address of a packet from the east end
will be translated into an address in natpool2 on FW2. If FW1 is faulty, the packets from
both ends will be forwarded to FW2, on which two NAT rules are applied; therefore, the
addresses of the packets from both ends can be translated into correct public IP
addresses.
The next step is to ensure that the packets returned from the Internet to the west end (east end)
users are forwarded to FW1 (FW2). To achieve this, we must use routing policy to control the
MED value of the BGP. The following configurations are required:
Advertise the addresses in the two NAT address pools in BGP to ensure that return
packets can be routed. NAT address pool is normally advertised through black-hole
routes. This example uses black-hole routes to advertise the networks first, and then
redistribute these black-hole routes to BGP.
A routing policy must be deployed on FW1 to increase the cost (BGP MED value) of
routes to addresses in natpool2. Therefore, packets destined for these addresses will be
forwarded to FW2 through the link with a lower cost rather than to FW1. The
configuration of routing policy on FW2 is the same.
The preceding configurations ensure that forward and return packets take the same path so
that IPS and antivirus functions apply to return packets.
436
Learn Firewalls with Dr. WoW
12.3 Network Planning (For Data Center Firewall)
12.3.1 Hot Standby Planning
The firewalls are deployed transparently at the egress of the data center network, connected to
the upstream routers and the downstream Layer 3 switch in the data center, which can be
regarded as a router. This is a typical hot standby network where the "firewall interfaces work
at Layer 2 and are connected to upstream and downstream routers". In such networking,
OSPF is running between the upstream routers and downstream Layer 3 switch of the
firewalls, but the firewalls are not part of the OSPF process. The VGMP groups of the
firewalls monitor service interfaces through VLAN.
12.3.2 Security Function Planning
The following security functions are configured on data center firewalls:
Security zone: In this case, the data center area has a high security level, so we must add
the interfaces connected to the data center to the trust zone and the interfaces connected
to the core routers to the untrust zone.
Security policy: To ensure the security of the data center, stadium permits only intranet
users to access specific ports on the data center servers. Therefore, security policies must
be deployed on the firewall to allow users from the untrust zone to access the specified
ports on the specified servers in the trust zone.
ASPF: To support multi-channel protocols, the ASPF function must be enabled. In this
example, three multi-channel protocols, FTP, SIP, H323, are used. Therefore, ASPF must
be enabled for them.
IPS: To prevent the intrusion of zombies, Trojan horses and worms, IPS must be
deployed. The requirements on security for data center firewalls are higher than those for
egress firewalls, so the predefined IPS profile, default, must be used to block intrusion
behavior.
Antivirus: To prevent viruses, the antivirus function must be deployed. The predefined
antivirus profile default is used in this example.
We can use the predefined IPS and antivirus profiles (default) at first and fine-tune the
profiles over time to better suit the network.
12.4 Configuration Procedure (For Egress Firewall)
Step 1 Configure interface IP addresses and add the interfaces to security zones.
# Configure the IP address and description of the inside interface GE1/0/8 on FW1.
<FW1> system-view
[FW1] interface GigabitEthernet 1/0/8
[FW1-GigabitEthernet1/0/8] ip address 192.168.166.35 255.255.255.248
[FW1-GigabitEthernet1/0/8] description to R1-GigabitEthernet1/0/0_192.168.166.34
[FW1-GigabitEthernet1/0/8] quit
# Configure the IP address and description of the outside interface GE1/0/9 on FW1.
[FW1] interface GigabitEthernet 1/0/9
[FW1-GigabitEthernet1/0/9] ip address 5.1.1.90 255.255.255.252
[FW1-GigabitEthernet1/0/9] description to ISP-internal
[FW1-GigabitEthernet1/0/9] quit
437
Learn Firewalls with Dr. WoW
# Configure Eth-Trunk1, add heartbeat interfaces GE3/0/8 and GE3/0/9 on FW1 to
Eth-Trunk1, and configure its IP address.
[FW1] interface Eth-Trunk1
[FW1-Eth-Trunk1] ip address 1.1.1.2 255.255.255.252
[FW1-Eth-Trunk1] description to hrp
[FW1-Eth-Trunk1] quit
[FW1] interface GigabitEthernet 3/0/8
[FW1-GigabitEthernet3/0/8] eth-trunk 1
[FW1-GigabitEthernet3/0/8] description to FW2-GigabitEthernet3/0/8
[FW1-GigabitEthernet3/0/8] quit
[FW1] interface GigabitEthernet 3/0/9
[FW1-GigabitEthernet3/0/9] eth-trunk 1
[FW1-GigabitEthernet3/0/9] description to FW2-GigabitEthernet3/0/9
[FW1-GigabitEthernet3/0/9] quit
# Add the interfaces on FW1 to security zones.
[FW1] firewall zone trust
[FW1-zone-trust] add interface GigabitEthernet1/0/8
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone- untrust] add interface GigabitEthernet1/0/9
[FW1-zone- untrust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface Eth-Trunk1
[FW1-zone-dmz] quit
# Configure the IP address and description of the inside interface GE1/0/8 on FW2.
<FW2> system-view
[FW2] interface GigabitEthernet 1/0/8
[FW2-GigabitEthernet1/0/8] ip address 192.168.166.19 255.255.255.248
[FW2-GigabitEthernet1/0/8] description to R2-GigabitEthernet1/0/0_192.168.166.18
[FW2-GigabitEthernet1/0/8] quit
# Configure the IP address and description of the outside interface GE1/0/9 on FW2.
[FW2] interface GigabitEthernet 1/0/9
[FW2-GigabitEthernet1/0/9] ip address 5.1.1.94 255.255.255.252
[FW2-GigabitEthernet1/0/9] description to ISP-International
[FW2-GigabitEthernet1/0/9] quit
# Configure Eth-Trunk1, add heartbeat interfaces GE3/0/8 and GE3/0/9 on FW2 to
Eth-Trunk1, and configure its IP address.
[FW2] interface Eth-Trunk1
[FW2-Eth-Trunk1] ip address 1.1.1.1 255.255.255.252
[FW2-Eth-Trunk1] description to hrp
[FW2-Eth-Trunk1] quit
[FW2] interface GigabitEthernet 3/0/8
[FW2-GigabitEthernet3/0/8] eth-trunk 1
[FW2-GigabitEthernet3/0/8] description to FW1-GigabitEthernet3/0/8
[FW2-GigabitEthernet3/0/8] quit
[FW2] interface GigabitEthernet 3/0/9
[FW2-GigabitEthernet3/0/9] eth-trunk 1
[FW2-GigabitEthernet3/0/9] description to FW1-GigabitEthernet3/0/9
[FW2-GigabitEthernet3/0/9] quit
# Add the interfaces on FW2 to security zones.
[FW2] firewall zone trust
438
Learn Firewalls with Dr. WoW
[FW2-zone-trust] add interface GigabitEthernet1/0/8
[FW2-zone-trust] quit
[FW2] firewall zone untrust
[FW2-zone- untrust] add interface GigabitEthernet1/0/9
[FW2-zone- untrust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface Eth-Trunk1
[FW2-zone-dmz] quit
Step 2 Configure BGP.
# Configure BGP on FW1, such as specifying the peers, advertising neighboring networks,
and redistributing direct routes.
[FW1] bgp 65010
[FW1-bgp] router-id 5.1.1.90
[FW1-bgp] peer 5.1.1.89 as-number 20825
[FW1-bgp] peer 5.1.1.89 password cipher Admin@1234
[FW1-bgp] ipv4-family unicast
[FW1-bgp-af-ipv4] network 5.1.1.88 255.255.255.252
[FW1-bgp-af-ipv4] import-route static
[FW1-bgp-af-ipv4] peer 5.1.1.89 enable
# Configure BGP on FW2, such as specifying the peers, advertising neighboring networks,
and redistributing direct routes.
[FW2] bgp 65010
[FW2-bgp] router-id 5.1.1.94
[FW2-bgp] peer 5.1.1.93 as-number 20825
[FW2-bgp] peer 5.1.1.93 password cipher Admin@1234
[FW2-bgp] ipv4-family unicast
[FW2-bgp-af-ipv4] network 5.1.1.92 255.255.255.252
[FW2-bgp-af-ipv4] import-route static
[FW2-bgp-af-ipv4] peer 5.1.1.93 enable
Step 3 Configure routing policies.
# Configure IP prefix W2 on FW1 to permit IP addresses (5.1.1.153-5.1.1.158) on the network
5.1.1.152/29.
[FW1] ip ip-prefix W2 index 10 permit 5.1.1.152 29 greater-equal 29 less-equal 29
# Configure routing policy W2 on FW1 to set the cost of packets with source addresses from
5.1.1.153 to 5.1.1.158 as 300.
[FW1] route-policy
[FW1-route-policy]
[FW1-route-policy]
[FW1-route-policy]
[FW1] route-policy
W2 permit node 10
if-match ip-prefix W2
apply cost 300
quit
W2 permit node 20
# Configure IP prefix N1 on FW2 to permit IP addresses (5.1.1.145-5.1.1.150) on the network
5.1.1.144/29.
[FW2] ip ip-prefix N1 index 10 permit 5.1.1.144 29 greater-equal 29 less-equal 29
# Configure routing policy N1 on FW2 to set the cost of packets with source addresses from
5.1.1.145 to 5.1.1.150 as 300.
[FW2] route-policy N1 permit node 10
439
Learn Firewalls with Dr. WoW
[FW2-route-policy]
[FW2-route-policy]
[FW2-route-policy]
[FW2] route-policy
if-match ip-prefix N1
apply cost 300
quit
N1 permit node 20
Step 4 Configure OSPF.
# Configure OSPF on FW1, including redistributing default routes, enabling BFD, and
advertising networks.
[FW1] ospf 1
[FW1-ospf-1] default-route-advertise always
[FW1-ospf-1] bfd all-interfaces enable
[FW1-ospf-1] area 0
[FW1-ospf-1-area-0.0.0.0] network 192.168.166.32 0.0.0.7
[FW1-ospf-1-area-0.0.0.0] quit
[FW1-ospf-1] quit
# Enable BFD on FW1.
[FW1] bfd
[FW1-bfd] quit
# Set the OSPF network type to p2p on GE1/0/8 of FW1.
[FW1] interface GigabitEthernet1/0/8
[FW1-GigabitEthernet1/0/8] ospf network-type p2p
# Associate BFD with OSPF on GE1/0/8 of FW1.
[FW1-GigabitEthernet1/0/8] ospf bfd enable
[FW1-GigabitEthernet1/0/8] ospf bfd min-tx-interval 100 min-rx-interval 100
[FW1-GigabitEthernet1/0/8] quit
# Configure OSPF on FW2, including redistributing default routes, enabling BFD, and
advertising networks.
[FW2] ospf 1
[FW2-ospf-1] default-route-advertise always
[FW2-ospf-1] bfd all-interfaces enable
[FW2-ospf-1] area 0
[FW2-ospf-1-area-0.0.0.0] network 192.168.166.16 0.0.0.7
[FW2-ospf-1-area-0.0.0.0] quit
[FW2-ospf-1] quit
# Enable BFD on FW2.
[FW2] bfd
[FW2-bfd] quit
# Set the OSPF network type to p2p on GE1/0/8 of FW2.
[FW2] interface GigabitEthernet1/0/8
[FW2-GigabitEthernet1/0/8] ospf network-type p2p
# Associate BFD with OSPF on GE1/0/8 of FW2.
[FW2-GigabitEthernet1/0/8] ospf bfd enable
[FW2-GigabitEthernet1/0/8] ospf bfd min-tx-interval 100 min-rx-interval 100
[FW2-GigabitEthernet1/0/8] quit
440
Learn Firewalls with Dr. WoW
Step 5 Configure the hot standby function.
# Configure active and standby groups on FW1 to monitor interface GE1/0/8; and configure
Link-Group to speed up convergence.
[FW1] interface GigabitEthernet1/0/8
[FW1-GigabitEthernet1/0/8] hrp track active
[FW1-GigabitEthernet1/0/8] hrp track standby
[FW1-GigabitEthernet1/0/8] link-group 1
[FW1-GigabitEthernet1/0/8] quit
# Configure active and standby groups on FW1 to monitor interface GE1/0/9; and configure
Link-Group to speed up convergence.
[FW1] interface GigabitEthernet1/0/9
[FW1-GigabitEthernet1/0/9] hrp track active
[FW1-GigabitEthernet1/0/9] hrp track standby
[FW1-GigabitEthernet1/0/9] link-group 1
[FW1-GigabitEthernet1/0/9] quit
# Specify a heartbeat interface on FW1, configure quick session backup, and enable the hot
standby function.
[FW1] hrp interface Eth-Trunk1
[FW1] hrp mirror session enable
[FW1] hrp enable
# Configure active and standby groups on FW2 to monitor interface GE1/0/8; and configure
Link-Group to speed up convergence.
[FW2] interface GigabitEthernet1/0/8
[FW2-GigabitEthernet1/0/8] hrp track active
[FW2-GigabitEthernet1/0/8] hrp track standby
[FW2-GigabitEthernet1/0/8] link-group 1
[FW2-GigabitEthernet1/0/8] quit
# Configure active and standby groups on FW2 to monitor interface GE1/0/9; and configure
Link-Group to speed up convergence.
[FW2] interface GigabitEthernet1/0/9
[FW2-GigabitEthernet1/0/9] hrp track active
[FW2-GigabitEthernet1/0/9] hrp track standby
[FW2-GigabitEthernet1/0/9] link-group 1
[FW2-GigabitEthernet1/0/9] quit
# Specify a heartbeat interface on FW2, configure quick session backup, and enable the hot
standby function.
[FW2] hrp interface Eth-Trunk1
[FW2] hrp mirror session enable
[FW2] hrp enable
[Dr. WoW's comment] When hot standby is successfully configured, most of the
configurations can be automatically backed up. Therefore, in the following steps, we only
need to configure the active device, FW1 (except for some specified configurations).
Step 6 Configure the NAT function.
# Configure the NAT address pool, natpool1, on FW1.
HRP_A[FW1] nat address-group natpool1
441
Learn Firewalls with Dr. WoW
HRP_A[FW1-nat-address-group-natpool1] section 0 5.1.1.145 5.1.1.150
HRP_A[FW1-nat-address-group-natpool1] quit
# Configure NAT policy, nat_policy1, on FW1 to translate the source addresses of packets
from 10.0.0.0/16 into the IP addresses in natpool1.
HRP_A[FW1] nat-policy
HRP_A[FW1-policy-nat] rule name nat_policy1
HRP_A[FW1-policy-nat-rule-nat_policy1] source-address 10.0.0.0 16
HRP_A[FW1-policy-nat-rule-nat_policy1] action nat address-group natpool1
HRP_A[FW1-policy-nat-rule-nat_policy1] quit
HRP_A[FW1-policy-nat] quit
# Configure the NAT address pool, natpool2, on FW1.
HRP_A[FW1] nat address-group natpool2
HRP_A[FW1-nat-address-group-natpool2] section 0 5.1.1.153 5.1.1.158
HRP_A[FW1-nat-address-group-natpool2] quit
# Configure NAT policy, nat_policy2, on FW1 to translate the source addresses of packets
from 10.1.0.0/16 into the IP addresses in natpool2.
HRP_A[FW1] nat-policy
HRP_A[FW1-policy-nat] rule name nat_policy2
HRP_A[FW1-policy-nat-rule-nat_policy2] source-address 10.1.0.0 16
HRP_A[FW1-policy-nat-rule-nat_policy2] action nat address-group natpool2
HRP_A[FW1-policy-nat-rule-nat_policy2] quit
HRP_A[FW1-policy-nat] quit
[Dr. WoW's comment] When hot standby is applied, NAT address pool and NAT policy
configurations can be automatically backed up; therefore, we only need to configure the
active device, FW1.
# Configure a black-hole route on FW1 and advertise the public IP addresses in the NAT
address pool.
HRP_A[FW1] ip route-static 5.147.252.144 255.255.255.240 NULL0
# Configure a black-hole route on FW2 and advertise the public IP addresses in the NAT
address pool.
HRP_S[FW2] ip route-static 5.147.252.144 255.255.255.240 NULL0
[Dr. WoW's comment] Route configuration cannot be backed up, so the black-hole routes
must be configured on both firewalls.
# Enable NAT ALG on FW1. The configurations will be automatically backed up to the
standby device.
HRP_A[FW1] firewall interzone trust untrust
HRP_A[FW1-interzone-trust-untrust] detect ftp
HRP_A[FW1-interzone-trust-untrust] detect sip
HRP_A[FW1-interzone-trust-untrust] detect h323
HRP_A[FW1-interzone-trust-untrust] quit
Step 7 Configure security functions.
# Configure URL filtering profile, url1, on FW1.
HRP_A[FW1] profile type url-filter name url1
442
Learn Firewalls with Dr. WoW
HRP_A[FW1-profile-url-filter-url1]
remark dscp cs1
HRP_A[FW1-profile-url-filter-url1]
block
HRP_A[FW1-profile-url-filter-url1]
block
HRP_A[FW1-profile-url-filter-url1]
category pre-defined subcategory-id 109 action qos
category pre-defined subcategory-id 122 action
category pre-defined subcategory-id 182 action
quit
[Dr. WoW's comment] Before configuring the URL filtering profile, run display url-filter
category to check URL categories; and then select the appropriate category for the network.
Because the configuration procedure is identical, we will only illustrate the configurations of
the preceding three categories.
# Configure a security policy to allow intranet users to access the Internet and reference the
IPS, antivirus, and URL filtering profiles.
HRP_A[FW1] security-policy
HRP_A[FW1-policy-security] rule name policy_sec
HRP_A[FW1-policy-security-rule-policy_sec] source-zone trust
HRP_A[FW1-policy-security-rule-policy_sec] destination-zone untrust
HRP_A[FW1-policy-security-rule-policy_sec] profile ips ids
HRP_A[FW1-policy-security-rule-policy_sec] profile av default
HRP_A[FW1-policy-security-rule-policy_sec] profile url url1
HRP_A[FW1-policy-security-rule-policy_sec] action permit
HRP_A[FW1-policy-security-rule-policy_sec] policy logging
HRP_A[FW1-policy-security-rule-policy_sec] session logging
HRP_A[FW1-policy-security-rule-policy_sec] quit
HRP_A[FW1-policy-security] quit
[Dr. WoW's comment]During the initial deployment of the firewall, predefined antivirus
profile, default, is generally used. After the firewall runs for a period of time, the
administrator can customize the profile based on the network operation. If the requirement on
security is not very high, profile ids is recommended to reduce the risk of IPS false positive.
----End
12.5 Configuration Procedure (For Data Center Firewall)
Step 1 Configure and add the interfaces to security zones.
# Switch interface GE1/0/8 on FW3 to a Layer 2 interface, and add it to the Link-Group.
<FW3> system-view
[FW3] interface GigabitEthernet 1/0/8
[FW3-GigabitEthernet1/0/8] portswitch
[FW3-GigabitEthernet1/0/8] description to R1-GE1/0/3_192.168.166.42
[FW3-GigabitEthernet1/0/8] link-group 1
[FW3-GigabitEthernet1/0/8] quit
# Switch interface GE1/0/9 on FW3 to a Layer 2 interface, and add it to the Link-Group.
[FW3] interface GigabitEthernet 1/0/9
[FW3-GigabitEthernet1/0/8] portswitch
[FW3-GigabitEthernet1/0/8] description to DCSW-GE0/0/2_192.168.166.44
[FW3-GigabitEthernet1/0/8] link-group 1
[FW3-GigabitEthernet1/0/8] quit
# Create VLAN2200 on FW3 and add GE1/0/8 and GE1/0/9 to this VLAN.
443
Learn Firewalls with Dr. WoW
[FW3] vlan 2200
[FW3-vlan-2200] port GigabitEthernet 1/0/8
[FW3-vlan-2200] port GigabitEthernet 1/0/9
[FW3-vlan-2200] quit
# Configure Eth-Trunk1, add heartbeat interfaces GE3/0/8 and GE3/0/9 on FW3 to
Eth-Trunk1, and configure its IP address.
[FW3] interface Eth-Trunk1
[FW3-Eth-Trunk1] ip address 2.2.2.2 255.255.255.252
[FW3-Eth-Trunk1] description to hrp
[FW3-Eth-Trunk1] quit
[FW3] interface GigabitEthernet 3/0/8
[FW3-GigabitEthernet3/0/8] eth-trunk 1
[FW3-GigabitEthernet3/0/8] description to FW4-GigabitEthernet3/0/8
[FW3-GigabitEthernet3/0/8] quit
[FW3] interface GigabitEthernet 3/0/9
[FW3-GigabitEthernet3/0/9] eth-trunk 1
[FW3-GigabitEthernet3/0/9] description to FW4-GigabitEthernet3/0/9
[FW3-GigabitEthernet3/0/9] quit
# Add the interfaces on FW3 to security zones.
[FW3] firewall zone trust
[FW3-zone-trust] add interface GigabitEthernet1/0/9
[FW3-zone-trust] quit
[FW3] firewall zone untrust
[FW3-zone-untrust] add interface GigabitEthernet1/0/8
[FW3-zone-untrust] quit
[FW3] firewall zone dmz
[FW3-zone-dmz] add interface Eth-Trunk1
[FW3-zone-dmz] quit
# Switch interface GE1/0/8 on FW4 to a Layer 2 interface, and add it to the Link-Group.
<FW4> system-view
[FW4] interface GigabitEthernet 1/0/8
[FW4-GigabitEthernet1/0/8] portswitch
[FW4-GigabitEthernet1/0/8] description to R2-GE1/0/3_192.168.166.26
[FW4-GigabitEthernet1/0/8] link-group 1
[FW4-GigabitEthernet1/0/8] quit
# Switch interface GE1/0/9 on FW4 to a Layer 2 interface, and add it to the Link-Group.
[FW4] interface GigabitEthernet 1/0/9
[FW4-GigabitEthernet1/0/9] portswitch
[FW4-GigabitEthernet1/0/9] description to DCSW-GE0/0/1_192.168.166.28
[FW4-GigabitEthernet1/0/9] link-group 1
[FW4-GigabitEthernet1/0/9] quit
# Create VLAN2100 on FW4 and add GE1/0/8 and GE1/0/9 to this VLAN.
[FW4] vlan 2100
[FW4-vlan-2100] port GigabitEthernet 1/0/8
[FW4-vlan-2100] port GigabitEthernet 1/0/9
[FW4-vlan-2100] quit
# Configure Eth-Trunk1, add heartbeat interfaces GE3/0/8 and GE3/0/9 on FW4 to
Eth-Trunk1, and configure its IP address.
[FW4] interface Eth-Trunk1
444
Learn Firewalls with Dr. WoW
[FW4-Eth-Trunk1] ip address 2.2.2.1 255.255.255.252
[FW4-Eth-Trunk1] description to hrp
[FW4-Eth-Trunk1] quit
[FW4] interface GigabitEthernet 3/0/8
[FW4-GigabitEthernet3/0/8] eth-trunk 1
[FW4-GigabitEthernet3/0/8] description to FW4-GigabitEthernet3/0/8
[FW4-GigabitEthernet3/0/8] quit
[FW4] interface GigabitEthernet 3/0/9
[FW4-GigabitEthernet3/0/9] eth-trunk 1
[FW4-GigabitEthernet3/0/9] description to FW4-GigabitEthernet3/0/9
[FW4-GigabitEthernet3/0/9] quit
# Add the interfaces on FW4 to security zones.
[FW4] firewall zone trust
[FW4-zone-trust] add interface GigabitEthernet1/0/9
[FW4-zone-trust] quit
[FW4] firewall zone untrust
[FW4-zone- untrust] add interface GigabitEthernet1/0/8
[FW4-zone- untrust] quit
[FW4] firewall zone dmz
[FW4-zone-dmz] add interface Eth-Trunk1
[FW4-zone-dmz] quit
Step 2 Configure the hot standby function.
# Configure active and standby groups on FW3 to monitor the VLAN2200.
[FW3] vlan 2200
[FW3-vlan-2200] hrp track active
[FW3-vlan-2200] hrp track standby
[FW3-vlan-2200] quit
# Specify a heartbeat interface on FW3, configure quick session backup, and enable the hot
standby function.
[FW3] hrp interface Eth-Trunk1
[FW3] hrp mirror session enable
[FW3] hrp enable
# Configure active and standby groups on FW4 to monitor the VLAN2100.
[FW4] vlan 2100
[FW4-vlan-2100] hrp track active
[FW4-vlan-2100] hrp track standby
[FW4-vlan-2100] quit
# Specify a heartbeat interface on FW4, configure quick session backup, and enable the hot
standby function.
[FW4] hrp interface Eth-Trunk1
[FW4] hrp mirror session enable
[FW4] hrp enable
[Dr. WoW's comment] When hot standby is successfully configured, most of the
configurations can be automatically backed up. Therefore, in the following steps, we only
need to configure the active device, FW1 (except for some specified configurations).
Step 3 Configure security function.
445
Learn Firewalls with Dr. WoW
# Configure a security policy to allow intranet users to access the specified ports on the
servers in the data center, and reference the IPS and antivirus profiles. In this example, we
allow intranet users to access the HTTP server 10.10.10.10 in the data center.
HRP_A[FW3] security-policy
HRP_A[FW3-policy-security] rule name policy_sec
HRP_A[FW3-policy-security-rule-policy_sec] source-zone untrust
HRP_A[FW3-policy-security-rule-policy_sec] destination-zone trust
HRP_A[FW3-policy-security-rule-policy_sec] destination-address 10.10.10.10 32
HRP_A[FW3-policy-security-rule-policy_sec] service http
HRP_A[FW3-policy-security-rule-policy_sec] profile ips default
HRP_A[FW3-policy-security-rule-policy_sec] profile av default
HRP_A[FW3-policy-security-rule-policy_sec] action permit
HRP_A[FW3-policy-security-rule-policy_sec] policy logging
HRP_A[FW3-policy-security-rule-policy_sec] session logging
HRP_A[FW3-policy-security-rule-policy_sec] quit
HRP_A[FW3-policy-security] quit
[Dr. WoW's comment]During the initial deployment of the firewall, predefined antivirus
profile, default, is generally used. After the firewall runs for a period of time, the
administrator can customize the profile based on the network operation.
# Configure ASPF to permit multi-channel protocols.
HRP_A[FW3] firewall interzone trust untrust
HRP_A[FW3-interzone-trust-untrust] detect ftp
HRP_A[FW3-interzone-trust-untrust] detect sip
HRP_A[FW3-interzone-trust-untrust] detect h323
HRP_A[FW3-interzone-trust-untrust] quit
----End
12.6 Highlights
This example illustrates the typical deployment of the firewall at the egress of a stadium
network and internal data center. If you are dealing with the same scenario, this example
will be a good reference.
This example illustrates two typical hot standby networking scenarios "firewalls
connected to routers" and "firewalls connected to routers transparently", which could
help understand the typical application of hot standby.
In this example, BGP, rather than static routes, is running between the firewalls serving
as gateways and the carrier network. If you need to deploy BGP on egress gateways, you
may refer to this example.
The most important and also tricky part is to use source NAT and routing policies to
ensure that forward and return packets take the same path.
Finally, this example also demonstrates the configurations of content security functions
on the egress firewalls and data center firewalls, which are the easiest and safest
configurations applicable to the firewall during the initial deployment.
446
Learn Firewalls with Dr. WoW
13
Firewalls On the VPN Connecting
Corporate Branches and Headquarters
13.1 Networking Requirements
As shown in Figure 13-1, some large enterprise consists of a municipal branch, a provincial
branch, and the headquarters (HQ). The networking is as follows:
On the municipal branch network, the OA, ERP, and financial systems belong to three
different VLANs connected through a Layer 2 switch; a firewall, FW_A (USG2200
V300R001C10), is deployed at the egress.
The provincial branch network has OA and ERP servers and a firewall FW_B (USG5530
V300R001C10) at the egress.
The HQ network has the financial management server, several PCs, and a firewall,
FW_C (USG5530 V300R001C10), at the egress.
447
Learn Firewalls with Dr. WoW
Figure 13-1 VPN connecting corporate branches and HQ
Provincial branch
OA server
FW_B GE0/0/1
10.1.3.1/24
Trust
nel
c tun
IPSe
FW_A
GE0/0/1.1: 10.1.1.1/24
GE0/0/1.2: 10.1.2.1/24
GE0/0/1.3: 192.168.1.1/24
Trust
GE0/0/2
Untrust
GE0/0/2
2.2.2.2/30
Untrust
ERP server
PPPoE server
IPSe
c tun
nel
GE0/0/2
3.3.3.3/30
Untrust
Municipal branch
L2 switch
10.1.3.0/24
HQ
GE0/0/1
192.168.0.1/24
Trust
PC
192.168.0.0/24
FW_C
Financial
management server
192.168.0.200
VLAN10
10.1.1.0/24
VLAN20
10.1.2.0/24
VLAN30
192.168.1.0/24
OA system
ERP system
Financial system
The specific requirements:
At the municipal branch, the data on the OA and ERP systems must be sent to the
corresponding OA and ERP servers of the provincial branch; the data on the financial
system must be sent to the financial management server at the HQ for analysis. All the
data must be encrypted when transmitted on the Internet. In addition, the devices of the
OA, ERP, and financial systems are not allowed to access the Internet, but inter-system
communication is allowed.
To reduce manual configuration efforts, FW_A of the municipal branch allocates IP
addresses and gateway information to the devices of the OA, ERP, and financial systems.
No static public IP address is assigned to the municipal branch; therefore, FW_A is used
as a PPPoE client to obtain a public IP address from the PPPoE server through dial-up.
The financial management server at 192.168.0.200 at the HQ can receive access requests
only from 192.168.0.1 due to security restrictions. Therefore, the source addresses of
packets from the financial system of the municipal branch must be converted into the
address of GE0/0/1 on FW_C. In addition, the financial management server is not
allowed to access the Internet, while any PC within the range of addresses from
192.168.0.2 to 192.168.0.100 is allowed.
448
Learn Firewalls with Dr. WoW
13.2 Network Planning
13.2.1 Interface Planning
FW_A of the municipal branch is connected to the internal networks, on which OA, ERP, and
financial systems are run, through one physical interface. Therefore, three logical
subinterfaces must be configured to connect the networks. In addition, to dynamically obtain
public IP addresses from the PPPoE server through dial-up, a dialer interface must be
configured on FW_A.
No special requirement is set for FW_B of the provincial branch and FW_C of the HQ.
Configure the IP addresses and add them to the security zones after physical interfaces are
determined.
13.2.2 Security Policy Planning
Configure on FW_A a security policy for the trust-untrust interzone to permit the packets
destined for the provincial branch or the HQ from the OA, ERP, and financial systems; and
configure a security policy for the local-untrust interzone to permit IPSec packets.
Configure on FW_B a security policy for the trust-untrust interzone to permit the packets
destined for the OA and ERP servers from the OA and ERP systems; and configure a security
policy for the local-untrust interzone to permit IPSec packets.
Configure on FW_C a security policy for the trust-untrust interzone to permit the packets
destined for the financial management server from the financial system and allow PCs to
access the Internet; and configure a security policy for the local-untrust interzone to permit
IPSec packets.
13.2.3 IPSec Planning
The data between the municipal branch and the provincial branch, and between the municipal
branch and the HQ must be encrypted by IPSec. Therefore, IPSec tunnels must be set up
between FW_A and FW_B and between FW_A and FW_C.
Configure an IPSec policy group on the dialer interface of FW_A, including two IPSec
policies for the connection respectively to the two peers, FW_B and FW_C.
When the municipal branch initiates connections to the provincial branch and the HQ, FW_B
and FW_C set up policy template-based IPSec tunnels to allow the access.
13.2.4 NAT Planning
It is not necessary to create NAT policy on FW_A since the OA, ERP, and financial systems at
the municipal branch do not need to access the Internet. NAT policy is not configured on
FW_B because the provincial branch does not need to access the Internet.
Two NAT policies must be created on FW_C of the HQ. One uses the Easy-IP mode to
convert the source addresses of the packets destined for the financial management server from
the municipal branch financial system into GE0/0/1's address; the other uses the NAPT mode
to convert the source addresses of Internet access packets from the PCs at the HQ into
addresses in the public IP address pool. The objects of the second NAT policy are restricted to
the IP addresses of PCs. The address of financial management server is not included because
the server is not allowed to access the Internet.
449
Learn Firewalls with Dr. WoW
13.2.5 Routing Planning
Static routing is used because the network structures in this example are rather simple.
Configure a default route on FW_A, FW_B, and FW_C, with the next hop addresses being
the address provided by the ISP. In addition, configure a black-hole route on FW_C with the
destination IP address as an address from the NAT pool to prevent routing loops.
The gateway of the devices in the municipal branch network is assigned by FW_A. The
default gateway of the devices in the provincial branch or the HQ is set as FW_B or FW_C's
interface connected to the internal network.
13.3 Configuration Procedure
Step 1 Configure interface IP addresses, and add the interfaces to security zones.
# Create subinterfaces on FW_A, configure their IP addresses, and configure DHCP on them
to allocate IP addresses to intranet devices.
<FW_A> system-view
[FW_A] interface GigabitEthernet 0/0/1.1
[FW_A-GigabitEthernet0/0/1.1] vlan-type dot1q 10
[FW_A-GigabitEthernet0/0/1.1] ip address 10.1.1.1 255.255.255.0
[FW_A-GigabitEthernet0/0/1.1] dhcp select interface
[FW_A-GigabitEthernet0/0/1.1] quit
[FW_A] interface GigabitEthernet 0/0/1.2
[FW_A-GigabitEthernet0/0/1.2] vlan-type dot1q 20
[FW_A-GigabitEthernet0/0/1.2] ip address 10.1.2.1 255.255.255.0
[FW_A-GigabitEthernet0/0/1.2] dhcp select interface
[FW_A-GigabitEthernet0/0/1.2] quit
[FW_A] interface GigabitEthernet 0/0/1.3
[FW_A-GigabitEthernet0/0/1.3] vlan-type dot1q 30
[FW_A-GigabitEthernet0/0/1.3] ip address 192.168.1.1 255.255.255.0
[FW_A-GigabitEthernet0/0/1.3] dhcp select interface
[FW_A-GigabitEthernet0/0/1.3] quit
[Dr. WoW's comment] The structure of the municipal branch network is simple. After running
the dhcp select interface command, FW_A will send the IP addresses of the subinterfaces as
gateway addresses to the devices of the OA, ERP, and financial systems, and allocate other IP
addresses within the same subnet to these devices.
# Create a dialer interface on FW_A and configure dial-up parameters, and then bind it to a
physical interface. In this example, the user name allocated by the PPPoE server to the
enterprise is admin, the password is Admin@123, and the authentication mode is PAP.
[FW_A] dialer-rule 1 ip permit
[FW_A] interface Dialer 1
[FW_A-Dialer1] dialer user admin
[FW_A-Dialer1] dialer-group 1
[FW_A-Dialer1] dialer bundle 1
[FW_A-Dialer1] ip address ppp-negotiate
[FW_A-Dialer1] ppp pap local-user admin password cipher Admin@123
[FW_A-Dialer1] quit
[FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] pppoe-client dial-bundle-number 1
[FW_A-GigabitEthernet0/0/2] quit
450
Learn Firewalls with Dr. WoW
# Add the interfaces on FW_A to security zones.
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet0/0/1.1
[FW_A-zone-trust] add interface GigabitEthernet0/0/1.2
[FW_A-zone-trust] add interface GigabitEthernet0/0/1.3
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/2
[FW_A-zone-untrust] add interface Dialer 1
[FW_A-zone-untrust] quit
# Configure the interface IP addresses on FW_B.
<FW_B> system-view
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ip address 10.1.3.1 255.255.255.0
[FW_B-GigabitEthernet0/0/1] quit
[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ip address 2.2.2.2 255.255.255.252
[FW_B-GigabitEthernet0/0/2] quit
# Add the interfaces on FW_B to security zones.
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/1
[FW_B-zone-trust] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/2
[FW_B-zone-untrust] quit
# Configure the interface IP addresses on FW_C.
<FW_C> system-view
[FW_C] interface GigabitEthernet 0/0/1
[FW_C-GigabitEthernet0/0/1] ip address 192.168.0.1 255.255.255.0
[FW_C-GigabitEthernet0/0/1] quit
[FW_C] interface GigabitEthernet 0/0/2
[FW_C-GigabitEthernet0/0/2] ip address 3.3.3.3 255.255.255.252
[FW_C-GigabitEthernet0/0/2] quit
# Add the interfaces on FW_C to security zones.
[FW_C] firewall zone trust
[FW_C-zone-trust] add interface GigabitEthernet 0/0/1
[FW_C-zone-trust] quit
[FW_C] firewall zone untrust
[FW_C-zone-untrust] add interface GigabitEthernet 0/0/2
[FW_C-zone-untrust] quit
Step 2 Configure security policies.
# Configure on FW_A an outbound security policy for the trust-untrust interzone to allow the
OA and ERP systems to access the provincial branch.
[FW_A] policy interzone trust untrust outbound
[FW_A-policy-interzone-trust-untrust-outbound] policy 1
[FW_A-policy-interzone-trust-untrust-outbound-1] policy source 10.1.1.0 0.0.0.255
[FW_A-policy-interzone-trust-untrust-outbound-1] policy source 10.1.2.0 0.0.0.255
451
Learn Firewalls with Dr. WoW
[FW_A-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.3.0
0.0.0.255
[FW_A-policy-interzone-trust-untrust-outbound-1] action permit
[FW_A-policy-interzone-trust-untrust-outbound-1] quit
# Configure on FW_A an outbound security policy for the trust-untrust interzone to allow the
financial system to access the financial management server of the HQ.
[FW_A-policy-interzone-trust-untrust-outbound] policy 2
[FW_A-policy-interzone-trust-untrust-outbound-2] policy source 192.168.1.0 0.0.0.255
[FW_A-policy-interzone-trust-untrust-outbound-2] policy destination 192.168.0.200 0
[FW_A-policy-interzone-trust-untrust-outbound-2] action permit
[FW_A-policy-interzone-trust-untrust-outbound-2] quit
[FW_A-policy-interzone-trust-untrust-outbound] quit
# Configure on FW_A security policies for the local-untrust interzone to permit IPSec
packets.
[FW_A] ip service-set udp500 type object
[FW_A-object-service-set-udp500] service protocol udp source-port 500 destination-port
500
[FW_A-object-service-set-udp500] quit
[FW_A] policy interzone local untrust outbound
[FW_A-policy-interzone-local-untrust-outbound] policy 1
[FW_A-policy-interzone-local-untrust-outbound-1] policy destination 2.2.2.2 0
[FW_A-policy-interzone-local-untrust-outbound-1] policy destination 3.3.3.3 0
[FW_A-policy-interzone-local-untrust-outbound-1] policy service service-set udp500
[FW_A-policy-interzone-local-untrust-outbound-1] action permit
[FW_A-policy-interzone-local-untrust-outbound-1] quit
[FW_A-policy-interzone-local-untrust-outbound] quit
[FW_A] policy interzone local untrust inbound
[FW_A-policy-interzone-local-untrust-inbound] policy 1
[FW_A-policy-interzone-local-untrust-inbound-1] policy source 2.2.2.2 0
[FW_A-policy-interzone-local-untrust-inbound-1] policy source 3.3.3.3 0
[FW_A-policy-interzone-local-untrust-inbound-1] policy service service-set esp
[FW_A-policy-interzone-local-untrust-inbound-1] action permit
[FW_A-policy-interzone-local-untrust-inbound-1] quit
[FW_A-policy-interzone-local-untrust-inbound] quit
[Dr. WoW's comment] The IPSec negotiation packets use UDP with both the source and
destination ports being 500; therefore, a service set, "udp500", is defined here to specify UDP
and the source and destination ports (both are 500) and is referenced in security policies. In
addition, ESP is used to encrypt IPSec service packets. The predefined esp protocol is directly
referenced in security policies.
# Configure on FW_B an inbound security policy for the trust-untrust interzone to allow the
OA and ERP systems to access the provincial branch.
[FW_B] policy interzone trust untrust inbound
[FW_B-policy-interzone-trust-untrust-inbound] policy 1
[FW_B-policy-interzone-trust-untrust-inbound-1] policy source 10.1.1.0 0.0.0.255
[FW_B-policy-interzone-trust-untrust-inbound-1] policy source 10.1.2.0 0.0.0.255
[FW_B-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.3.0 0.0.0.255
[FW_B-policy-interzone-trust-untrust-inbound-1] action permit
[FW_B-policy-interzone-trust-untrust-inbound-1] quit
[FW_B-policy-interzone-trust-untrust-inbound] quit
452
Learn Firewalls with Dr. WoW
# Configure on FW_B an inbound security policy for the local-untrust interzone to permit
IPSec packets.
[FW_B] ip service-set udp500 type object
[FW_B-object-service-set-udp500] service protocol udp source-port 500 destination-port
500
[FW_B-object-service-set-udp500] quit
[FW_B] policy interzone local untrust inbound
[FW_B-policy-interzone-local-untrust-inbound] policy 1
[FW_B-policy-interzone-local-untrust-inbound-1] policy destination 2.2.2.2 0
[FW_B-policy-interzone-local-untrust-inbound-1] policy service service-set udp500
[FW_B-policy-interzone-local-untrust-inbound-1] policy service service-set esp
[FW_B-policy-interzone-local-untrust-inbound-1] action permit
[FW_B-policy-interzone-local-untrust-inbound-1] quit
[FW_B-policy-interzone-local-untrust-inbound] quit
# Configure on FW_C an inbound security policy for the trust-untrust interzone to allow the
financial system to access the financial management server.
[FW_C] policy interzone trust untrust inbound
[FW_C-policy-interzone-trust-untrust-inbound] policy 1
[FW_C-policy-interzone-trust-untrust-inbound-1] policy source 192.168.1.0 0.0.0.255
[FW_C-policy-interzone-trust-untrust-inbound-1] policy destination 192.168.0.200 0
[FW_C-policy-interzone-trust-untrust-inbound-1] action permit
[FW_C-policy-interzone-trust-untrust-inbound-1] quit
[FW_C-policy-interzone-trust-untrust-inbound] quit
# Configure on FW_C an outbound security policy for the trust-untrust interzone to allow PCs
to access the Internet.
[FW_C] policy interzone trust untrust outbound
[FW_C-policy-interzone-trust-untrust-outbound] policy 1
[FW_C-policy-interzone-trust-untrust-outbound-1] policy source range 192.168.0.2
192.168.0.100
[FW_C-policy-interzone-trust-untrust-outbound-1] action permit
[FW_C-policy-interzone-trust-untrust-outbound-1] quit
[FW_C-policy-interzone-trust-untrust-outbound] quit
# Configure on FW_C an inbound security policy for the local-untrust interzone to permit
IPSec packets.
[FW_C] ip service-set udp500 type object
[FW_C-object-service-set-udp500] service protocol udp source-port 500 destination-port
500
[FW_C-object-service-set-udp500] quit
[FW_C] policy interzone local untrust inbound
[FW_C-policy-interzone-local-untrust-inbound] policy 1
[FW_C-policy-interzone-local-untrust-inbound-1] policy destination 3.3.3.3 0
[FW_C-policy-interzone-local-untrust-inbound-1] policy service service-set udp500
[FW_C-policy-interzone-local-untrust-inbound-1] policy service service-set esp
[FW_C-policy-interzone-local-untrust-inbound-1] action permit
[FW_C-policy-interzone-local-untrust-inbound-1] quit
[FW_C-policy-interzone-local-untrust-inbound] quit
Step 3 Configure IPSec.
# Configure ACLs on FW_A to define data flows to be protected by IPSec.
[FW_A] acl 3000
453
Learn Firewalls with Dr. WoW
[FW_A-acl-adv-3000] rule permit ip source 10.1.0.0 0.0.255.255 destination 10.1.3.0
0.0.0.255
[FW_A-acl-adv-3000] quit
[FW_A] acl 3001
[FW_A-acl-adv-3001] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0
0.0.0.255
[FW_A-acl-adv-3001] quit
# Configure an ACL on FW_B to define the data flow to be protected by IPSec.
[FW_B] acl 3000
[FW_B-acl-adv-3000] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.0.0
0.0.255.255
[FW_B-acl-adv-3000] quit
# Configure an ACL on FW_C to define the data flow to be protected by IPSec.
[FW_C] acl 3000
[FW_C-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0
0.0.0.255
[FW_C-acl-adv-3000] quit
# Configure IPSec proposals on FW_A.
[FW_A] ipsec proposal pro1
[FW_A-ipsec-proposal-pro1]
[FW_A-ipsec-proposal-pro1]
[FW_A-ipsec-proposal-pro1]
[FW_A-ipsec-proposal-pro1]
[FW_A-ipsec-proposal-pro1]
[FW_A] ipsec proposal pro2
[FW_A-ipsec-proposal-pro2]
[FW_A-ipsec-proposal-pro2]
[FW_A-ipsec-proposal-pro2]
[FW_A-ipsec-proposal-pro2]
[FW_A-ipsec-proposal-pro2]
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes
quit
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes
quit
# Configure an IPSec proposal on FW_B.
[FW_B] ipsec proposal pro1
[FW_B-ipsec-proposal-pro1]
[FW_B-ipsec-proposal-pro1]
[FW_B-ipsec-proposal-pro1]
[FW_B-ipsec-proposal-pro1]
[FW_B-ipsec-proposal-pro1]
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes
quit
# Configure an IPSec proposal on FW_C.
[FW_C] ipsec proposal pro1
[FW_C-ipsec-proposal-pro1]
[FW_C-ipsec-proposal-pro1]
[FW_C-ipsec-proposal-pro1]
[FW_C-ipsec-proposal-pro1]
[FW_C-ipsec-proposal-pro1]
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes
quit
# Configure IKE proposals on FW_A.
[FW_A] ike proposal 1
[FW_A-ike-proposal-1] authentication-method pre-share
454
Learn Firewalls with Dr. WoW
[FW_A-ike-proposal-1]
[FW_A-ike-proposal-1]
[FW_A-ike-proposal-1]
[FW_A-ike-proposal-1]
[FW_A-ike-proposal-1]
[FW_A] ike proposal 2
[FW_A-ike-proposal-2]
[FW_A-ike-proposal-2]
[FW_A-ike-proposal-2]
[FW_A-ike-proposal-2]
[FW_A-ike-proposal-2]
[FW_A-ike-proposal-2]
authentication-algorithm sha1
encryption-algorithm aes-cbc
dh group2
integrity-algorithm aes-xcbc-96
quit
authentication-method pre-share
authentication-algorithm sha1
encryption-algorithm aes-cbc
dh group2
integrity-algorithm aes-xcbc-96
quit
# Configure an IKE proposal on FW_B.
[FW_B] ike proposal 1
[FW_B-ike-proposal-1]
[FW_B-ike-proposal-1]
[FW_B-ike-proposal-1]
[FW_B-ike-proposal-1]
[FW_B-ike-proposal-1]
[FW_B-ike-proposal-1]
authentication-method pre-share
authentication-algorithm sha1
encryption-algorithm aes-cbc
dh group2
integrity-algorithm aes-xcbc-96
quit
# Configure an IKE proposal on FW_C.
[FW_C] ike proposal 1
[FW_C-ike-proposal-1]
[FW_C-ike-proposal-1]
[FW_C-ike-proposal-1]
[FW_C-ike-proposal-1]
[FW_C-ike-proposal-1]
[FW_C-ike-proposal-1]
authentication-method pre-share
authentication-algorithm sha1
encryption-algorithm aes-cbc
dh group2
integrity-algorithm aes-xcbc-96
quit
[Dr. WoW's comment] The parameters of IPSec and IKE proposals created on the two
firewalls of the IPSec tunnel must be the same.
# Configure the IKE peers on FW_A.
[FW_A] ike local-name FW_A
[FW_A] ike peer fwb
[FW_A-ike-peer-fwb] ike-proposal 1
[FW_A-ike-peer-fwb] local-id-type fqdn
[FW_A-ike-peer-fwb] remote-address 2.2.2.2
[FW_A-ike-peer-fwb] pre-shared-key Admin@123
[FW_A-ike-peer-fwb] quit
[FW_A] ike peer fwc
[FW_A-ike-peer-fwc] ike-proposal 2
[FW_A-ike-peer-fwc] local-id-type fqdn
[FW_A-ike-peer-fwc] remote-address 3.3.3.3
[FW_A-ike-peer-fwc] pre-shared-key Admin@456
[FW_A-ike-peer-fwc] quit
# Configure the IKE peer on FW_B.
[FW_B] ike peer fwa
[FW_B-ike-peer-fwa] ike-proposal 1
[FW_B-ike-peer-fwa] remote-id FW_A
[FW_B-ike-peer-fwa] pre-shared-key Admin@123
455
Learn Firewalls with Dr. WoW
[FW_B-ike-peer-fwa] quit
# Configure the IKE peer on FW_C.
[FW_C] ike peer fwa
[FW_C-ike-peer-fwa]
[FW_C-ike-peer-fwa]
[FW_C-ike-peer-fwa]
[FW_C-ike-peer-fwa]
ike-proposal 1
remote-id FW_A
pre-shared-key Admin@456
quit
[Dr. WoW's comment] In this example, FW_B and FW_C have fixed public IP addresses;
therefore, FW_A can authenticate them by IP addresses. FW_A does not have a fixed public
IP address; therefore, FW_B and FW_C use FQDN to verify FW_A.
IP address authentication is the default method. For authentication using FQDN, run the
local-id-type fqdn command on FW_A in the IKE peer view and then the ike local-name
local-name command in the system view. Meanwhile, run remote-id id on FW_B and FW_C
in the IKE peer view, and the id must be the same as the local-name configured through ike
local-name on FW_A.
In addition, if ike local-name local-name command is not executed, FW_A will send its
device name as the local name to FW_B and FW_C for authentication. The device name of
FW_A in this example is "FW_A"; therefore, the remote-id FW_A command can be
executed on FW_B and FW_C. The ike local-name FW_A command is optional on FW_A.
# Configure IPSec policies on FW_A.
[FW_A] ipsec policy map1 1 isakmp
[FW_A-ipsec-policy-isakmp-map1-1]
[FW_A-ipsec-policy-isakmp-map1-1]
[FW_A-ipsec-policy-isakmp-map1-1]
[FW_A-ipsec-policy-isakmp-map1-1]
[FW_A] ipsec policy map1 2 isakmp
[FW_A-ipsec-policy-isakmp-map1-2]
[FW_A-ipsec-policy-isakmp-map1-2]
[FW_A-ipsec-policy-isakmp-map1-2]
[FW_A-ipsec-policy-isakmp-map1-2]
security acl 3000
ike-peer fwb
proposal pro1
quit
security acl 3001
ike-peer fwc
proposal pro2
quit
# Configure an IPSec policy on FW_B.
[FW_B] ipsec policy-template map_temp 1
[FW_B-ipsec-policy-template-map_temp-1] security acl 3000
[FW_B-ipsec-policy-template-map_temp-1] ike-peer fwa
[FW_B-ipsec-policy-template-map_temp-1] proposal pro1
[FW_B-ipsec-policy-template-map_temp-1] quit
[FW_B] ipsec policy map1 1 isakmp template map1_temp
# Configure an IPSec policy on FW_C.
[FW_C] ipsec policy-template map_temp 1
[FW_C-ipsec-policy-template-map_temp-1] security acl 3000
[FW_C-ipsec-policy-template-map_temp-1] ike-peer fwa
[FW_C-ipsec-policy-template-map_temp-1] proposal pro1
[FW_C-ipsec-policy-template-map_temp-1] quit
[FW_C] ipsec policy map1 1 isakmp template map1_temp
# Apply the IPSec policies on FW_A.
[FW_A] interface Dialer 1
[FW_A-Dialer1] ipsec policy map1
456
Learn Firewalls with Dr. WoW
[FW_A-Dialer1] quit
# Apply the IPSec policy on FW_B.
[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ipsec policy map1
[FW_B-GigabitEthernet0/0/2] quit
# Apply the IPSec policy on FW_C.
[FW_C] interface GigabitEthernet 0/0/2
[FW_C-GigabitEthernet0/0/2] ipsec policy map1
[FW_C-GigabitEthernet0/0/2] quit
Step 4 Configure NAT.
# Configure a NAT policy on FW_C for the municipal branch financial system to access the
financial management server; and the translated address is GE0/0/1's IP address 192.168.0.1.
[FW_C] nat-policy interzone trust untrust inbound
[FW_C-nat-policy-interzone-trust-untrust-inbound] policy 1
[FW_C-nat-policy-interzone-trust-untrust-inbound-1] policy source 192.168.1.0
0.0.0.255
[FW_C-nat-policy-interzone-trust-untrust-inbound-1] policy destination 192.168.0.200
0
[FW_C-nat-policy-interzone-trust-untrust-inbound-1] action source-nat
[FW_C-nat-policy-interzone-trust-untrust-inbound-1] easy-ip GigabitEthernet0/0/1
[FW_C-nat-policy-interzone-trust-untrust-inbound-1] quit
[FW_C-nat-policy-interzone-trust-untrust-inbound] quit
# Configure a NAT address pool on FW_C. Assume the public IP address the HQ obtained
from the ISP is 3.3.3.100.
[FW_C] nat address-group 1 3.3.3.100 3.3.3.100
# Configure a NAT policy on FW_C to allow PCs to access the Internet, and the translated
addresses are the IP addresses of the address pool.
[FW_C] nat-policy interzone trust untrust outbound
[FW_C-nat-policy-interzone-trust-untrust-outbound] policy 1
[FW_C-nat-policy-interzone-trust-untrust-outbound-1] policy source range 192.168.0.2
192.168.0.100
[FW_C-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[FW_C-nat-policy-interzone-trust-untrust-outbound-1] address-group 1
[FW_C-nat-policy-interzone-trust-untrust-outbound-1] quit
[FW_C-nat-policy-interzone-trust-untrust-outbound] quit
[Dr. WoW's comment] Two NAT policies are configured here in this example, one for
outgoing packets and the other for incoming packets.
Step 5 Configure routes.
# Configure a default route on FW_A with the next hop being the dialer 1 interface.
[FW_A] ip route-static 0.0.0.0 0.0.0.0 Dialer 1
# Configure a default route on FW_B, and assume the IP address of the next hop provided by
the ISP is 2.2.2.1.
[FW_B] ip route-static 10.1.0.0 16 2.2.2.1
457
Learn Firewalls with Dr. WoW
# Configure a default route on FW_C, and assume the IP address of the next hop provided by
the ISP is 3.3.3.1.
[FW_C] ip route-static 0.0.0.0 0.0.0.0 3.3.3.1
# Configure a black-hole route for the NAT address pool on FW_C to avoid routing loops.
[FW_C] ip route-static 3.3.3.100 32 NULL 0
----End
13.4 Highlights
This example seems to have nothing special, but still something could be learnt from it.
At the municipal branch, FW_A is connected with the OA, ERP, and financial systems
on the intranet through subinterfaces, and IP addresses are configured on the
subinterfaces to terminate the VLANs. This is the common configuration when the
firewall is connected to multiple VLANs through one physical interface.
Besides, the IPSec policy configured on FW_A is applied on the dialer interface (a
logical interface), rather than on the physical interface. This is because FW_A, as a
PPPoE client, obtains the public IP address by dialing up through the dialer interface;
and the obtained IP address will be used as the address of the IPSec tunnel initiator.
Therefore, the IPSec policy is applied to the dialer interface.
Finally, because the financial management server at the HQ can receive access requests
only from the specific IP addresses, a special NAT policy is configured on FW_C to
translate the source addresses of packets from the municipal branch financial system into
the IP address of GE0/0/1. Different from the conventional NAT for outgoing packets,
this NAT policy is used to translate the address of incoming packets and replace the
private address with another private address. This is a novel way to use NAT.
458
Android
Huawei
Enterprise Business
Huawei
Enterprise Support
To view technical posts on the web page, click:
http://support.huawei.com/ecommunity/bbs/10247000.html
Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
