Example for Configuring IPS Module

Created: Jun 19, 2015 15:35:26 | Latest reply: Aug 24, 2016 03:51:33

1 Overview

The IPS Module is an intrusion detection and prevention module applicable to Huawei S7700, S9700, and S12700 switch series to protect IP networks with security functions, such as intrusion prevention, antivirus, and anti-DDoS.

The IPS Module can be deployed as an IPS or IDS.

In IPS deployment, you can redirect traffic to the IPS Module for security detection based on service requirements. After the detection is complete, the IPS Module sends normal traffic back to the switch for forwarding and discards abnormal traffic. An example is shown in Figure 1. Traffic from the enterprise office and Internet to the enterprise servers is redirected to the IPS Module for security protection.

Figure 1 IPS deployment service traffic path

 

In IDS deployment, the switch mirrors specified traffic to the IPS Module. The IPS Module detects specific threats and records the detection results based on configured security policies. It does not participate in traffic forwarding. Figure 2 shows an example. Traffic from the enterprise office and Internet to the enterprise servers is mirrored to the IPS Module for security protection.

Figure 2 IDS deployment service traffic path

 

The IPS Module provides easy-to-use web UI and CLI for certain functions. In addition, the IPS Module can use SNMP to communicate with the standard NMS for centralized management.

1.1 Appearance

IPS Module is a card that provides intrusion detection and prevention functions. It can be used in Huawei S7700, S9700, and S12700 series switches and integrates various security functions such as intrusion prevention, antivirus, and anti-DDoS on an IP network for security protection.

Figure 3 Appearance of IPS Module

Port descriptions:

MGMT port

Out-of-band 10/100/1000M autosensing Ethernet management port. The interface number is GigabitEthernet 0/0/0 and the default IP address of the interface is 192.168.0.1.

You can connect this port to a PC through a network cable. Then, you can use Telnet or STelnet to access the CLI, or use a web browser to access the web UI, to configure, manage, and maintain the IPS Module.

NOTE:

The MGMT port cannot be used as a service port. The service ports (GigabitEthernet 1/0/0 to GigabitEthernet 1/0/1) of the IPS Module are used to connect to the switch on which the module is installed.

Console port

The console port allows you to connect to the IPS Module locally. You can use a console cable to connect the console port on the IPS Module to the COM port on your PC and use a serial port terminal program on your PC to access, configure, and manage the IPS Module.

GE1-GE3 ports

Three 10/100/1000M autosensing Ethernet electrical ports, numbered from GigabitEthernet 0/0/1 to GigabitEthernet 0/0/3.

You can use one of the GE ports as the heartbeat interface during hot standby deployment or to connect a third-party log host.

NOTE:

The three ports cannot be used as service ports.

USB port

Reserved.

 

1.2 Functions

Table 1 lists the main functions of the IPS Module.

Table 1 IPS Module functions

Category: Content security

Application identification

· Identifies common applications based on the predefined signature database.

· Supports constant updates of the predefined signature database and user-defined applications.

· Parses the packets of tens of protocols, identifies the contents exchanged during protocol negotiation, and supports common multi-channel protocols.

Antivirus

· Employs the advanced Intelligent Awareness Engine (IAE) and a constantly updated virus signature database to detect and remove viruses.

· Updates the signature database constantly.

Intrusion prevention

· Detects and defends against thousands of common intrusion behaviors, worms, Trojan horses, and botnets.

· Updates the predefined signature database constantly and supports user-defined signatures.

Category: Network-layer security protection

Packet filtering

Supports packet filtering based on policies.

DDoS attack defense

Defends against various DoS and DDoS attacks:

· Non-application-layer DDoS attacks: SYN flood, UDP flood, ICMP flood, and ARP flood

· Application-layer DDoS attacks: HTTP flood, HTTPS flood, DNS flood, and SIP flood

Single-packet attack defense

Implements packet validity checking to defend against various single-packet attacks, including IP spoofing attacks, LAND attacks, Smurf attacks, Fraggle attacks, WinNuke attacks, Ping of Death attacks, Teardrop attacks, address scanning attacks, port scanning attacks, IP option control attacks, IP fragment control attacks, TCP flag validity check attacks, ICMP packet control attacks, ICMP redirect packet attacks, ICMP unreachable packet attacks, TRACERT packet attacks, and illegitimate access attacks.

Blacklist and whitelist

Rapidly filters packets based on the whitelist and blacklist of IP addresses.

 

1.3 Interface Application

The IPS Module and switch use internal Ethernet interfaces to exchange data. The IPS Module has two internal Ethernet interfaces: GE 1/0/0 and GE 1/0/1. The numbering rule of internal Ethernet interfaces on the switch is determined by the slot in which the IPS Module is installed. For example, when the IPS Module is installed in slot 1 of the switch, the internal Ethernet interfaces used by the switch are XGE 1/0/0 and XGE 1/0/1.

Figure 4 Internal Ethernet interface numbering

 

The IPS Module panel has four other GE ports. GE0/MGMT is numbered GE 0/0/0 and is used for device management and maintenance; GE1 to GE3 are numbered GE 0/0/1 to GE 0/0/3 and are used as the log source interface, or as the heartbeat interface and backup channel for hot standby.

2 Configuration Example

This example shows how to configure the connections on interfaces between IPS Module and switch and how to redirect traffic to the IPS Module. For more information about IPS policy configuration, see the HUAWEI IPS Module V100R001 Administrator Guide.

Configuration Notes

Table 2 Version support

S7700/S9700/S12700 version required: V200R005C00 and later versions

NGFW version required: V100R001C10 and later versions

 

Networking Requirements

Generally, a core switch on a campus network connects to the external network through an upstream router, and an IPS Module is deployed to provide security functions such as intrusion prevention, antivirus, and anti-DDoS.

The IPS Module is installed on the core switch to protect traffic between VLAN 301 and VLAN 302.

Two IPS Modules are deployed on the core switch to work in hot standby mode and improve device reliability. Two IPS Modules forward traffic at the same time. When an IPS Module fails, services can be smoothly transferred to another IPS Module.

Figure 5 IPS Module HA deployment scenario

 

To improve bandwidth and link reliability, bundle the internal Ethernet interfaces into an Eth-Trunk, as shown in Figure 5. The switch redirects traffic to the IPS Modules and the IPS Modules receive traffic through the Eth-Trunk main interfaces.

To understand the traffic forwarding direction, see Figure 6.

Figure 6 Hot standby networking

 

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a cluster on the switch.

2. Configure interfaces on the switch connected to the IPS Modules and links used to transmit traffic to the IPS Modules.

3. Configure redirection on the switch to forward traffic to the IPS Modules.

4. Configure interfaces on the switch connected to the IPS Modules and links used to transmit traffic to the IPS Modules.

5. Configure hot standby on IPS Modules.

6. Configure security policies on the IPS Modules.

Procedure

Step 1 On the switch: Create VLANs and VLANIF interfaces, and assign IP addresses to the VLANIF interfaces.

<HUAWEI> system-view

[HUAWEI] vlan batch 301 302

[HUAWEI] interface GigabitEthernet 3/0/1  //Configure GE3/0/1 as the interface connected to service network 1.

[HUAWEI-GigabitEthernet3/0/1] port link-type trunk

[HUAWEI-GigabitEthernet3/0/1] port trunk allow-pass vlan 301

[HUAWEI-GigabitEthernet3/0/1] quit

[HUAWEI] interface vlanif301  //Configure VLANIF 301 as the gateway for service network 1.

[HUAWEI-vlanif301] ip address 10.10.10.1 24

[HUAWEI-vlanif301] quit

[HUAWEI] interface GigabitEthernet 3/0/0  //Configure GE3/0/0 as the interface connected to service network 2.

[HUAWEI-GigabitEthernet3/0/0] port link-type trunk

[HUAWEI-GigabitEthernet3/0/0] port trunk allow-pass vlan 302

[HUAWEI-GigabitEthernet3/0/0] quit

[HUAWEI] interface vlanif302  //Configure VLANIF 302 as the gateway for service network 2.

[HUAWEI-vlanif302] ip address 10.10.20.1 24

[HUAWEI-vlanif302] quit

Step 2 On the switch: Configure an Eth-Trunk between the switch and the IPS Modules.

# Bundle the four internal Ethernet interfaces connected to the IPS Modules into an Eth-Trunk. Allow traffic from VLAN 301 and VLAN 302 to pass, and disable MAC address learning and STP on the Eth-Trunk.

[HUAWEI] interface Eth-Trunk 1 

[HUAWEI-Eth-Trunk1] trunkport XGigabitEthernet 1/0/0  //Configure XGE1/0/0 and XGE1/0/1 as the interfaces connected to IPS Module 1 and add the interfaces to Eth-Trunk1.

[HUAWEI-Eth-Trunk1] trunkport XGigabitEthernet 1/0/1

[HUAWEI-Eth-Trunk1] trunkport XGigabitEthernet 2/0/0  //Configure XGE2/0/0 and XGE2/0/1 as the interfaces connected to IPS Module 2 and add the interfaces to Eth-Trunk1.

[HUAWEI-Eth-Trunk1] trunkport XGigabitEthernet 2/0/1

[HUAWEI-Eth-Trunk1] port link-type trunk

[HUAWEI-Eth-Trunk1] port trunk allow-pass vlan 301 302  //Configure Eth-Trunk1 to transparently transmit service traffic from VLANs 301 and 302.

[HUAWEI-Eth-Trunk1] undo port trunk allow-pass vlan 1 

[HUAWEI-Eth-Trunk1] mac-address learning disable  //If MAC address learning is enabled, Eth-Trunk1 can learn the MAC addresses from both upstream and downstream networks, causing MAC address flapping.

[HUAWEI-Eth-Trunk1] stp disable  //By default, STP is enabled on the switch's interfaces. In this example, the forward and return packet paths between the switch and IPS Modules are the same. The switch considers that a loop occurs and discards the packets, causing a service interruption; therefore, STP must be disabled on the Eth-Trunk.

[HUAWEI-Eth-Trunk1] quit

# Configure an enhanced load balancing mode for the Eth-Trunk.

NOTE:

When traffic is forwarded from the switch to the IPS Modules, the cross-board Eth-Trunk distributes the traffic among its member interfaces. To ensure that the forward and return packet paths are the same, you must configure an enhanced load balancing mode for the Eth-Trunk. This example hashes on the source and destination IP addresses.

[HUAWEI] load-balance-profile ips

[HUAWEI-load-balance-profile-ips] ipv4 field sip dip

[HUAWEI-load-balance-profile-ips] quit

[HUAWEI] interface Eth-Trunk 1

[HUAWEI-Eth-Trunk1] load-balance enhanced profile ips

[HUAWEI-Eth-Trunk1] quit

Step 3 On the switch: Configure unidirectional isolation between the upstream and downstream interfaces and Eth-Trunk 1 to avoid ARP flapping.

[HUAWEI] interface GigabitEthernet 3/0/0

[HUAWEI-GigabitEthernet3/0/0] am isolate Eth-Trunk 1

[HUAWEI-GigabitEthernet3/0/0] quit

[HUAWEI] interface GigabitEthernet 3/0/1

[HUAWEI-GigabitEthernet3/0/1] am isolate Eth-Trunk 1

[HUAWEI-GigabitEthernet3/0/1] quit

Step 4 On the switch: Configure traffic policies to redirect traffic from VLAN 301 and VLAN 302 to the IPS Modules.

# Create ACLs.

[HUAWEI] acl 3001  //ACL 3001 matches traffic from service network 1 to service network 2.

[HUAWEI-acl-adv-3001] rule permit ip source 10.10.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255

[HUAWEI-acl-adv-3001] quit

[HUAWEI] acl 3002  //ACL 3002 matches traffic from service network 2 to service network 1.

[HUAWEI-acl-adv-3002] rule permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255

[HUAWEI-acl-adv-3002] quit

# Configure traffic classifiers.

[HUAWEI] traffic classifier classifier1

[HUAWEI-classifier-classifier1] if-match acl 3001

[HUAWEI-classifier-classifier1] quit

[HUAWEI] traffic classifier classifier2

[HUAWEI-classifier-classifier2] if-match acl 3002

[HUAWEI-classifier-classifier2] quit

# Configure a traffic behavior.

[HUAWEI] traffic behavior behavior1

[HUAWEI-behavior-behavior1] redirect interface Eth-Trunk 1

[HUAWEI-behavior-behavior1] quit

# Configure traffic policies and apply the traffic policies to the inbound direction of the interfaces.

[HUAWEI] traffic policy policy1  //Redirect traffic from service network 1 to Eth-Trunk1.

[HUAWEI-trafficpolicy-policy1] classifier classifier1 behavior behavior1

[HUAWEI-trafficpolicy-policy1] quit

[HUAWEI] traffic policy policy2  //Redirect traffic from service network 2 to Eth-Trunk1.

[HUAWEI-trafficpolicy-policy2] classifier classifier2 behavior behavior1

[HUAWEI-trafficpolicy-policy2] quit

[HUAWEI] interface GigabitEthernet 3/0/1  //Apply policy1 to the inbound direction on the interface connected to service network 1.

[HUAWEI-GigabitEthernet3/0/1] traffic-policy policy1 inbound

[HUAWEI-GigabitEthernet3/0/1] quit

[HUAWEI] interface GigabitEthernet 3/0/0  //Apply policy2 to the inbound direction on the interface connected to service network 2.

[HUAWEI-GigabitEthernet3/0/0] traffic-policy policy2 inbound

[HUAWEI-GigabitEthernet3/0/0] quit

Step 5 Log in to the web UI through an Ethernet interface.

a Use an Ethernet cable to connect the PC to the GE0/MGMT port on an IPS Module.

b Set the IP address of the PC to any address in the range 192.168.0.2 to 192.168.0.254.

c Open a web browser on the PC and enter https://192.168.0.1:8443 in the address bar.

d On the login page, enter the default administrator user name admin and password Admin@123, and click Login.

e Change the default administrator password and click OK to access the web UI.

NOTE:

For security, the password must meet the minimum complexity requirement: it must contain characters from at least three of the following four types: upper-case letters (A to Z), lower-case letters (a to z), digits (0 to 9), and special characters (such as !, @, #, $, and %).

Remember the new password for future logins.

Step 6 On each IPS Module: Bundle the internal Ethernet interfaces into an Eth-Trunk and configure an interface pair.

The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

a Choose Network > Interface, click the edit icon of interface GE1/0/0, and set the connection type of GE1/0/0 to access.

b Click the edit icon of interface GE1/0/1 and set the connection type of GE1/0/1 to access.

c Click Add and configure Eth-Trunk 1.

d Choose Network > Interface Pair, click Add, and configure an interface pair.

After an interface pair is configured, packets enter through one interface of the pair and leave through the other. The IPS Module does not need to search the MAC address forwarding table.

e Choose Network > Interface, click the edit icon in the line of interface Eth-Trunk1, and configure interface Eth-Trunk1 to allow traffic from VLAN 301 and 302 through.

 

Step 7 On the IPS Modules: Configure heartbeat interfaces and a backup channel between the two IPS Modules.

Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk as the heartbeat interface and backup channel.

NOTE:

· The IP addresses of the heartbeat interfaces on the IPS Modules must be in the same network segment.

· The Eth-Trunk member interfaces on the two IPS Modules must be the same.

# Configure a heartbeat interface on one IPS Module.

 

# Configure a heartbeat interface on the other IPS Module.

 

Step 8 On the IPS Modules: Configure hot standby.

# Choose System > Dual-System Hot Backup, click Edit, and configure hot standby.

----END

Follow-up Procedure

1. Test whether host 1 and host 2 in the service network can communicate with each other properly. If any fault is detected, check the configurations.

2. Run the shutdown command on one IPS Module to disable Eth-Trunk 1 and check the hot standby status and service status. Then, restart the Eth-Trunk sub-interface.

3. Configure refined security policies and services based on service requirements.
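As an added check that is not part of the original post or of Huawei's own tooling, the following Python script audits a display-style copy of the switch configuration for the three pitfalls this example calls out: MAC address learning or STP left enabled on the redirect Eth-Trunk, no enhanced load-balancing profile hashing on source and destination IP, and a redirected flow whose return direction is not redirected (so only half of a session would be inspected). The embedded configuration is a constructed excerpt of the switch configuration above; the function names and the display-style section format are assumptions.

```python
import re

def parse_sections(cfg):  # {view header: [indented body lines]} from a display-style dump
    sections, current = {}, None
    for line in (l for l in cfg.splitlines() if l.strip() and not l.startswith("#")):
        if not line.startswith(" "):
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def audit_redirect(cfg):  # returns a list of findings; an empty list means every check passed
    s, findings = parse_sections(cfg), []
    # Traffic behaviors that redirect, mapped to the Eth-Trunk they point at
    redirecting = {hdr.split()[2]: l.split()[-1] for hdr, body in s.items()
                   if hdr.startswith("traffic behavior") for l in body if l.startswith("redirect interface ")}
    for trunk in sorted(set(redirecting.values())):
        body = s.get(f"interface {trunk}", [])
        # MAC learning causes address flapping; STP treats the shared forward/return path as a loop
        findings += [f"{trunk}: missing '{cmd}'" for cmd in ("mac-address learning disable", "stp disable")
                     if cmd not in body]
        # Forward and return flows must hash to the same member link: enhanced profile on sip and dip
        if not any(l.startswith("ipv4 field") and {"sip", "dip"} <= set(l.split())
                   for p in body if p.startswith("load-balance enhanced profile ")
                   for l in s.get(f"load-balance-profile {p.split()[-1]}", [])):
            findings.append(f"{trunk}: no enhanced load-balance profile hashing on sip and dip")
    # Every redirected (src, dst) flow needs its return direction (dst, src) redirected as well
    acl_of = {hdr.split()[2]: l.split()[-1] for hdr, body in s.items()
              if hdr.startswith("traffic classifier") for l in body if l.startswith("if-match acl ")}
    redirected = {acl_of[c] for hdr, body in s.items() if hdr.startswith("traffic policy")
                  for _, c, _, b in (l.split() for l in body if l.startswith("classifier "))
                  if b in redirecting and c in acl_of}
    flows = {r.groups() for acl in redirected for rule in s.get(f"acl number {acl}", [])
             for r in [re.search(r"permit ip source (\S+) \S+ destination (\S+) \S+", rule)] if r}
    findings += [f"flow {src}->{dst} is redirected but return traffic {dst}->{src} is not"
                 for src, dst in sorted(flows) if (dst, src) not in flows]
    return findings

SAMPLE_CONFIG = """\
load-balance-profile ips
 ipv4 field sip dip
interface Eth-Trunk1
 mac-address learning disable
 stp disable
 load-balance enhanced profile ips
acl number 3001
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
traffic classifier classifier1
 if-match acl 3001
traffic classifier classifier2
 if-match acl 3002
traffic behavior behavior1
 redirect interface Eth-Trunk1
traffic policy policy1
 classifier classifier1 behavior behavior1
traffic policy policy2
 classifier classifier2 behavior behavior1
"""  # constructed excerpt of this example's switch configuration, in display format
```

Run it against the output of display current-configuration from the switch; for the sample above, audit_redirect returns an empty list, and dropping any of the three safeguards produces a corresponding finding.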

3 Summary

Each IPS Module deployment solution involves two elements: traffic diversion on the switch and interfaces on the IPS Module.

Switch Traffic Diversion Modes

To use the IPS Module for security functions, divert traffic from the switch to the IPS Module, so that the switch can exchange data with the IPS Module.

· VLAN-based traffic diversion: VLANs are configured on the switch and IPS Module. Interfaces that need to communicate with each other are added to the same VLAN for Layer 2 interconnection.

· Redirection traffic diversion: Traffic policies are configured on the switch to redirect the traffic to be checked to the IPS Module.

Interface Selection

The two internal Ethernet interfaces on the IPS Module work at Layer 2. You can directly use the interfaces to communicate with the switch or configure sub-interfaces on the interfaces. Every two internal Ethernet interfaces or sub-interfaces can form an interface pair. Packets enter the IPS Module through one interface and are sent through the other in the pair. In this mode, the IPS Module forwards packets without searching the MAC table.

To improve interface bandwidth and link reliability, you are advised to bundle internal Ethernet interfaces into an Eth-Trunk and use the Eth-Trunk or its sub-interfaces to communicate with the switch.

 

For more information about IPS Module deployment, see the HUAWEI IPS Module V100R001 Deployment Guide.

 


johnston78 Created Jun 23, 2015 15:52:10 Helpful(1)

Have a look at this software for Exchange Database backup through Ahsay backup software. It should back up and restore Microsoft Exchange Server. It is simply a breeze: when using the Ahsay™ Microsoft Exchange Backup Module in conjunction with the AhsayOBM client-side backup application, backup and restore of the whole information store of Microsoft Exchange Server can be done easily. Database hot backup. Fast multi-thread backup. In-File Delta incremental backup. Flexible scheduling. Unlimited retention. Secure 256-bit encryption. Local, LAN / WAN backup. Ahsay also provides Exchange DAG backup and Exchange mail-level backup. Leaving a link below, just check: http://www.ahsay.com/jsp/en/home/index.jsp?pageContentKey=ahsay_products_overview
