Tuesday, April 5, 2016

SSM and Huawei will deploy the eLTE broadband access network in Poland

Here is an example for configuring local attack defense, this configuration can be applied for all the huawei switches, such as Huawei S2700, Huawei S3700Huawei S5700

Networking Requirements

As shown in Figure 1, users on different network segments access the Internet through the Huawei Switch. Because a large number of users connect to the Switch, the CPU of Switch will receive a lot of protocol packets. If malicious users send a lot of attack packets to the Switch, the CPU usage will increase to affect services. The network administrator has the following requirements:
  • The network administrator wants to monitor CPU status. When the CPU is attacked, the Switch can promptly notify the administrator and take measures to protect the CPU.
  • When the Switch receives a lot of ARP Request packets, the CPU usage of the Switch greatly increases. The administrator wants to reduce the CPU usage to avoid impact on services.
  • Users on Net1 often initiate attacks, so the administrator wants to reject the access of Net1 users.
  • The administrator wants to upload files to the Switch through FTP, so data transmission between the administrator’s computer and Switch must be reliable and stable.
Figure 1 Networking diagram of local attack defense

networking-diagram-of-local-attack-defense

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure attack source tracing, alarms, and punishment so that the device can send an alarm to the administrator when detecting an attack source and automatically take punishment actions.
  2. Set the protocol rate threshold so that the Switch can limit the rate of protocol packets based on ports and record a log. (Port attack defense is enabled by default, so it does not need to be enabled again.)
  3. Set the CPCAR for ARP Request packets to limit the rate of ARP Request packets sent to the CPU. This reduces impact of ARP Request packets on the CPU.
  4. Add Net1 users to the blacklist to reject their access.
  5. Set the rate limit for the FTP packets sent to the CPU to ensure reliability and stability of data transmission between administrator’s computer and Switch. (ALP is enabled for FTP by default, so it does not need to be enabled again.)

Procedure

  1. Configure the rule for filtering packets sent to the CPU.
# Define ACL rules.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[Switch-acl-basic-2001] quit
  1. Configure an attack defense policy.
# Create an attack defense policy.
[Switch] cpu-defend policy policy1
# Configure attack source tracing.
[Switch-cpu-defend-policy-policy1] auto-defend enable
# Enable the alarm function for attack source tracing.
[Switch-cpu-defend-policy-policy1] auto-defend alarm enable
# Set the punishment action to discard.
NOTE:
Before configuring the punishment action, ensure that the device is attacked; otherwise, the punishment action may discard a lot of valid protocol packets.
[Switch-cpu-defend-policy-policy1] auto-defend action deny
# Set the rate threshold to 40 pps. (Port attack defense is enabled by default, so it does not need to be enabled again.)
[Switch-cpu-defend-policy-policy1] auto-port-defend protocol arp-request threshold 40
# Add the network-side interface GE0/0/1 to the whitelist so that the CPU can promptly process the packets from the network-side interface.
[Switch-cpu-defend-policy-policy1] auto-port-defend whitelist 1 interface gigabitethernet 0/0/1
# Set the CPCAR of ARP Request packets to 120 kbit/s.
[Switch-cpu-defend-policy-policy1] car packet-type arp-request cir 120
# Configure the blacklist for CPU attack defense.
[Switch-cpu-defend-policy-policy1] blacklist 1 acl 2001
# Set the CIR of FTP packets sent to the CPU to 5000 kbit/s.
[Switch-cpu-defend-policy-policy1] linkup-car packet-type ftp cir 5000
[Switch-cpu-defend-policy-policy1] quit
  1. Apply the attack defense policy globally.
4.             [Switch] cpu-defend-policy policy1 global
5.             [Switch] quit
  1. Verify the configuration.
# Display the configuration of attack source tracing.
<Switch> display auto-defend configuration
 ----------------------------------------------------------------------------
 Name  : policy1
 Related slot : <0>
 auto-defend                      : enable
 auto-defend attack-packet sample : 16
 auto-defend threshold            : 128 (pps)
 auto-defend alarm                : enable
 auto-defend alarm threshold      : 128 (pps)
 auto-defend trace-type           : source-mac source-ip source-portvlan
 auto-defend protocol             : arp icmp dhcp igmp ttl-expired tcp telnet
 auto-defend action               : deny (Expired time : 300 s)
 ----------------------------------------------------------------------------
# Display the configuration of port attack defense.
<Switch> display auto-port-defend configuration 
 ----------------------------------------------------------------------------
 Name  : policy1
 Related slot : 0
 Auto-port-defend                       : enable
 Auto-port-defend sample                : 5
 Auto-port-defend aging-time            : 300 second(s)
 Auto-port-defend arp-request threshold : 40 pps(enable)
 Auto-port-defend arp-reply threshold   : 30 pps(enable)
 Auto-port-defend dhcp threshold        : 30 pps(enable)
 Auto-port-defend icmp threshold        : 30 pps(enable)
 Auto-port-defend igmp threshold        : 60 pps(enable)
 Auto-port-defend ip-fragment threshold : 30 pps(enable)
--------------------------------------------------------------------------------
# Display the configuration of the attack defense policy.
<Switch> display cpu-defend policy policy1
 Related slot : <0>
 Configuration :
   Blacklist 1 ACL number : 2001
   Car packet-type arp-request : CIR(120)  CBS(22560)
   Linkup-car packet-type  ftp : CIR(5000)  CBS(940000)
# Display the CPCAR setting.
<Switch> display cpu-defend configuration packet-type arp-request
Car configurations on slot 0.
----------------------------------------------------------------------
Packet Name           Status   Cir(Kbps)   Cbs(Byte)  Queue  Port-Type
----------------------------------------------------------------------
arp-request       Enabled       120       22560    3       UNI          
----------------------------------------------------------------------

Configuration Files

Configuration file of the Switch
#
sysname Switch
#
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
#
cpu-defend policy policy1
 blacklist 1 acl 2001
 car packet-type arp-request cir 120 cbs 22560
 linkup-car packet-type ftp cir 5000 cbs 940000
 auto-defend enable
 auto-defend alarm enable
 auto-defend action deny
 auto-port-defend protocol arp-request threshold 40
 auto-port-defend whitelist 1 interface GigabitEthernet0/0/1
#
cpu-defend-policy policy1 global
#
return

More blog:

Huawei Low-end Switches Boot Upgrade For BOOTROM

No comments:

Post a Comment