Table of Contents
1.2.2 Configuring Authentication and Authorization
1.5.1 Applying Authentication and Authorization to Login Users
Chapter 2 Firewall Configuration
2.1.1 Introduction to Firewall
2.1.2 Introduction to Packet Filtering
2.2.1 Enabling/Disabling Firewall
2.2.2 Configuring Standard ACL
2.2.3 Configuring Extended ACL
2.2.4 Defining Default Filtering Mode
2.2.5 Defining ACL Rules at Interface
2.3 Displaying and Debugging Firewall
2.4 Firewall Configuration Example
AAA provides a unified configuration framework for the three security functions of Authentication, Authorization and Accounting. Configuring AAA is, in effect, configuring how access to the device and the network is controlled.
The network security discussed here mainly refers to access control, which determines:
- which users can access the network server
- which services a user with access authority can obtain
- how the use of network resources by users is recorded
AAA implements the following services:
- Authentication: verify whether a user has the right of access.
- Authorization: grant the user particular types of services.
- Accounting: record how users consume network resources.
AAA offers the following advantages:
1) Flexibility and ease of control
2) Standard authentication and authorization modes
3) Multiple standby (backup) systems
AAA configuration tasks include:
- Configuring authentication and authorization
You can proceed to perform other AAA configuration tasks only after enabling AAA.
Perform the following configuration in system view.
Table 1-1 Enable/disable AAA
Operation | Command
Enable AAA | aaa-enable
Disable AAA | undo aaa-enable
By default, AAA is enabled.
Authentication and authorization are mandatory parts of AAA: you may choose not to use accounting, but authentication and authorization must always be configured, and they are the only parts that must be. Their configuration consists of:
1) Configure authentication and authorization scheme
2) Apply authentication and authorization scheme
Configuring a local user includes configuring the user name and password for local authentication and authorization.
Perform the following configuration in system view.
1) Configuring a local user and the password
You can configure a username and its password in the local database.
Table 1-2 Configure a local user and the password
Operation | Command
Configure a username and the password | local-user user-name [ password { simple | cipher } password ]
Remove the user | undo local-user user-name
Here user-name is a string (which may contain digits) of 1 to 31 characters, and password is a string (which may contain digits) of 1 to 16 characters. With simple the password is kept in plain text in the configuration, so anyone who can read the configuration can read the password; with cipher it is stored in encrypted form. Prefer cipher.
2) Authorizing users with certain types of services
In the local database, users fall into the following four categories, each entitled to different services:
- administrator: grants the user administrator rights, that is, access to the VG through the console interface or telnet to make configuration changes.
- guest: grants the user guest rights.
- operator: grants the user operator rights.
- ftp: grants access to the VG by file transfer, for the services appropriate to that.
To authorize a single service to a user, specify just one of the arguments administrator, operator, guest or ftp. To authorize several services, list the desired arguments after service-type in one command (only one of administrator, operator and guest may be chosen) rather than running the command repeatedly for the same user: the service type set by this command does not add to the one configured earlier but replaces it.
Table 1-3 Specify the service types available for the authorized users
Operation | Command
Specify the service types available for the authorized users | local-user user-name service-type { administrator | guest | operator | ftp }
Remove the services available for the authorized users | undo local-user user-name
By default, a user is authorized as a guest.
Perform the following tasks to configure authentication and authorization:
- Configuring an authentication and authorization scheme
- Specifying an authentication and authorization scheme
1) Configure a login authentication and authorization scheme
An authentication and authorization scheme defines the methods used to authenticate and authorize users and the order in which they are tried.
For login users, authentication and authorization can be performed against the local database or a RADIUS server, or disabled altogether (no authentication and authorization).
Users in the local database are configured with the local-user command. If a RADIUS server is used, first configure the user information (user name and password) on the RADIUS server and enable the RADIUS service.
Perform the following configuration in system view.
Table 1-4 Configure login authentication and authorization in AAA
Operation | Command
Configure a login authentication and authorization scheme | aaa authentication-scheme login { default | scheme-name } { method [ method ] }
Delete the authentication scheme of a specified login user | undo aaa authentication-scheme login { default | scheme-name }
By default, the login scheme is aaa authentication-scheme login default local.
If no scheme-name is given, the default scheme is used.
method: the authentication and authorization method(s) of the scheme. At least one and at most two of the following three methods must be specified:
- local: authenticate and authorize against the local user database
- radius: authenticate and authorize through a RADIUS server
- none: perform no authentication or authorization; every user is admitted without any check
When several methods are specified, the next method is tried only when the previous one gives no response (server busy, connection to the server cannot be set up, or similar). If a method returns a result, that result is final: in particular, when the security server denies the user, the remaining methods are not tried and the login is rejected. A scheme such as radius local therefore falls back to the local database only when RADIUS is unreachable, not when RADIUS rejects the user, while radius none admits everybody as soon as the RADIUS server stops responding. No method may be placed after local or none.
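The fallback semantics above are easy to misread, so here is an added Python model of them (example code, not the VG's implementation). Each method is a function returning accept, reject or no response; the scheme walks the methods in order exactly as described: the next method runs only on no response, and an accept or reject is final. The user names, passwords and the RADIUS stand-in are constructed, and the behaviour when every method is silent (rejection) is an assumption, since the manual does not say.

```python
from typing import Callable, Dict, List, Optional

# Added model of the VG login scheme semantics (not the device's own code).
# A method returns "accept", "reject", or None for "no response" (server busy,
# connection to the server cannot be set up).  Assumption: when every method
# in the scheme gives no response, the login is rejected.
Method = Callable[[str, str], Optional[str]]

KNOWN = ("local", "radius", "none")
TERMINAL = ("local", "none")         # nothing may follow these


def validate_scheme(methods: List[str]) -> None:
    """Raise ValueError for schemes the manual does not allow."""
    if not 1 <= len(methods) <= 2:
        raise ValueError("a login scheme takes one or two methods")
    for m in methods:
        if m not in KNOWN:
            raise ValueError(f"unknown method: {m}")
    if len(methods) == 2 and methods[0] in TERMINAL:
        raise ValueError(f"no method may follow {methods[0]}")


def scheme_is_valid(methods: List[str]) -> bool:
    try:
        validate_scheme(methods)
        return True
    except ValueError:
        return False


def authenticate(methods: List[str], backends: Dict[str, Method],
                 user: str, password: str) -> str:
    """Try the methods in order; move on only when a method gives no response."""
    validate_scheme(methods)
    for m in methods:
        result = backends[m](user, password)
        if result is None:               # no response: try the next method, if any
            continue
        return result                    # accept or reject is final, no further methods
    return "reject"                      # assumption: all methods silent -> fail closed


# Constructed sample local database (what local-user admin password ... would hold)
LOCAL_USERS = {"admin": "Adm1n-pass"}


def local_backend(user: str, password: str) -> str:
    return "accept" if LOCAL_USERS.get(user) == password else "reject"


def none_backend(user: str, password: str) -> str:
    return "accept"                      # 'none': everyone is admitted


def radius_backend(reachable: bool, users: Dict[str, str]) -> Method:
    """Constructed stand-in for a RADIUS server; an unreachable server never answers."""
    def query(user: str, password: str) -> Optional[str]:
        if not reachable:
            return None
        return "accept" if users.get(user) == password else "reject"
    return query


def run_scenarios() -> Dict[str, str]:
    radius_users = {"alice": "s3cret"}   # constructed RADIUS user database
    up = radius_backend(True, radius_users)
    down = radius_backend(False, radius_users)
    base = {"local": local_backend, "none": none_backend}
    return {
        # RADIUS answers and rejects admin: the local database is never consulted
        "radius local, server up": authenticate(["radius", "local"], {**base, "radius": up}, "admin", "Adm1n-pass"),
        # RADIUS silent: fall back to the local database
        "radius local, server down": authenticate(["radius", "local"], {**base, "radius": down}, "admin", "Adm1n-pass"),
        # RADIUS silent with 'none' as backup: any user with any password gets in
        "radius none, server down": authenticate(["radius", "none"], {**base, "radius": down}, "mallory", "guess"),
        # local alone: a wrong password is rejected outright
        "local, bad password": authenticate(["local"], base, "admin", "wrong"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28} -> {verdict}")
```

The third scenario is the one to watch in practice: radius none is not a "backup" for RADIUS but an open door whenever the server is down, and the device will not tell you the difference.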
2) Specifying the scheme for authenticating and authorizing login users
Applying an authentication and authorization scheme to a login type enables authentication and authorization for that login type. Each login type has its own scheme.
The login types supported by the H3C Series VG are console (console interface), telnet (Telnet), http (HTTP) and ftp (FTP). Different authentication and authorization schemes can be applied to different login types.
& Note:
If no administrator user is configured on the VG, logins through the console interface are not authenticated or authorized, but every other login type still is.
Perform the following configuration in system view.
Table 1-5 Specify a scheme for login authentication and authorization
Operation | Command
Specify a scheme for login authentication and authorization | login-method authentication-mode login-type { default | scheme-name }
Reuse the default scheme to authenticate and authorize a login user | undo login-method authentication-mode login-type
By default, users logging in through console, telnet or ftp must be authenticated and authorized, using the default scheme. Users logging in through HTTP are subject to no authentication and authorization scheme by default and can log in directly; if the web interface is reachable from a network you do not trust, apply a scheme to the http login type as well.
& Note:
Accounting is used in a broad sense in this manual: it refers to recording all the activities involved, and should not be confused with accounting (billing) in telecom services.
The basic accounting configuration tasks include:
- Creating a login accounting scheme
- Applying an accounting scheme
Perform the following configuration in system view.
Table 1-6 Create a login accounting scheme
Operation | Command
Create a login accounting scheme | aaa accounting-scheme login { default | scheme-name } { method [ method ] }
Delete an accounting scheme by specifying its name | undo aaa accounting-scheme login { default | scheme-name }
By default, the accounting scheme aaa accounting-scheme login default none exists.
Applying an accounting scheme to the users of a given login type enables accounting for them; removing it disables accounting for that login type.
Perform the following configuration in system view.
Table 1-7 Specify an accounting scheme for login users
Operation | Command
Enable accounting for a login type and specify a scheme for it | login-method accounting-mode login-type { default | scheme-name }
Disable accounting for a login type | undo login-method accounting-mode login-type
By default, no accounting scheme is applied to login users, that is, accounting is disabled for login users.
The argument login-type can be console (console interface) or telnet (Telnet).
& Note:
- The system does not perform accounting on FTP or HTTP users.
- Logins that require no authentication and authorization are not accounted either.
After configuring the user accounts, you can use the following commands to display the local users and the online users.
Perform the following configuration in any view.
Table 1-8 Display local users and AAA users
Operation | Command
Display the list of local users | display local-user { command-history { all | brief | index number | username name } | level | login-history { all | username name } | online }
Display the AAA users | display aaa user
Display the role of the current login user | display level
An administrator or operator can clear the command history of users who are not logged in to the voice gateway.
Execute the following command in any view.
Table 1-9 Clear user operations
Operation | Command
Clear user operations | reset local-user history username
For details, refer to the AAA Configuration Commands in Command Manual.
& Note:
A user cannot clear the history command information of another user that has higher rights.
Perform local authentication and authorization on all login users, with no accounting. The user names and passwords in this example are placeholders only; in a real deployment use passwords that differ from the user names and store them with cipher rather than simple.
Figure 1-1 Perform local authentication and authorization on the PPP users
# Enable AAA.
[VG] aaa-enable
# Configure the login users.
[VG] local-user ftp service-type ftp password simple ftp
[VG] local-user admin service-type administrator password cipher admin
[VG] local-user operator service-type operator password simple operator
[VG] local-user guest service-type guest password simple guest
# Perform the local authentication and authorization on login users.
[VG] aaa authentication-scheme login default local
[VG] login-method authentication-mode con default
[VG] login-method authentication-mode telnet default
# Configure the authentication and authorization on FTP users.
[VG] login-method authentication-mode ftp default
# Disable the accounting for the login users by applying no accounting scheme to them.
[VG] undo login-method accounting-mode con
[VG] undo login-method accounting-mode telnet
As a basic Internet access control technology, a firewall monitors and filters the packets passing through it and, according to the configured access control policy, decides whether each packet is forwarded or discarded, so as to deny illegal intrusion into the network while permitting legal access.
A firewall is usually located at the entrance of a network to enforce access control. For example, a firewall placed between the internal and external networks protects the internal network and its data against unauthorized or unauthenticated access and malicious attacks from outside; a firewall placed between public resources and the resources to be protected inside the intranet forces all access to the protected data, even access originating inside, to pass through the firewall.
By inspecting, restricting and modifying the traffic that crosses it, the firewall hides the information, structure and operation of the intranet from the outside as far as possible.
Configured with the firewall features, the H3C VG becomes a strong and effective firewall.
Figure 2-1 Isolating the internal network from the Internet with a VG as the firewall
Packet filtering usually refers to filtering the IP packets being forwarded. For each packet the VG is to forward, it first extracts the header information, including the upper-layer protocol number carried over IP, the source and destination addresses and the source and destination ports; it then compares this information with the configured rules and finally forwards or discards the packet according to the result.
Packet filtering (for IP packets) makes its decision on the elements shown in Figure 2-2 (in the figure the upper-layer protocol carried by IP is TCP).
Packet filtering can enforce policies such as:
- prohibiting Telnet login from outside
- requiring that all e-mail is sent through SMTP
- allowing one particular PC, and no other, to send news to us using NNTP (Network News Transfer Protocol)
The packet filtering of the H3C VG has the following features:
1) Based on ACLs: access control lists define the packet filtering rules.
- Standard and extended ACLs are supported: a standard ACL matches a simple source address range; an extended ACL matches on the protocol, source address range, destination address range, source port range and destination port range.
To filter packets, filtering rules must be configured. Access control lists are used to configure them. There are two types of ACL:
- Standard ACL
- Extended ACL
Standard ACL syntax:
acl acl-number [ match-order { config | auto } ]
rule { permit | deny } source { source-addr source-wildcard | any }
The acl-number argument is in the range of 2000 to 2098 (see 2.2.2).
Extended ACL syntax:
acl acl-number [ match-order { config | auto } ]
rule { permit | deny } { protocol-number | icmp | ip | tcp | udp } source { source-addr source-wildcard | any } destination { dest-addr dest-wildcard | any } [ logging ]
acl-number is in the range of 3000 to 3099. protocol-number is the protocol carried over IP, given by number (0 to 255) or by name; the names icmp, igmp, ip, tcp, udp, gre and ospf are recognized.
The rule command can also be written in the following protocol-specific forms:
rule { permit | deny } icmp source { source-addr source-wildcard | any } destination { dest-addr dest-wildcard | any } [ icmp-type icmp-type [ icmp-code ] ] [ logging ]
rule { permit | deny } ip source { source-addr source-wildcard | any } destination { dest-addr dest-wildcard | any } [ logging ]
rule { permit | deny } { tcp | udp } source { source-addr source-wildcard | any } [ source-port operator port1 [ port2 ] ] destination { dest-addr dest-wildcard | any } [ destination-port operator port1 [ port2 ] ] [ established ] [ logging ]
Only TCP and UDP rules take port ranges. The supported operators and their syntax are listed below.
Table 2-1 Operator meaning for ACL
Operator and syntax | Meaning
equal port-number | Equal to port-number
greater-than port-number | Greater than port-number
less-than port-number | Less than port-number
not-equal port-number | Not equal to port-number
range port-number1 port-number2 | Between port-number1 and port-number2 (inclusive)
When specifying a port number, the following mnemonic symbols may be used in place of the number.
Table 2-2 Mnemonic symbols for port-number
Protocol | Mnemonic symbol | Meaning and actual value
TCP | bgp | Border Gateway Protocol (179)
TCP | chargen | Character generator (19)
TCP | cmd | Remote commands (rcmd, 514)
TCP | daytime | Daytime (13)
TCP | discard | Discard (9)
TCP | domain | Domain Name Service (53)
TCP | echo | Echo (7)
TCP | exec | Exec (rsh, 512)
TCP | finger | Finger (79)
TCP | ftp | File Transfer Protocol (21)
TCP | ftp-data | FTP data connections (20)
TCP | gopher | Gopher (70)
TCP | hostname | NIC hostname server (101)
TCP | irc | Internet Relay Chat (194)
TCP | klogin | Kerberos login (543)
TCP | kshell | Kerberos shell (544)
TCP | login | login (rlogin, 513)
TCP | lpd | Printer service (515)
TCP | nntp | Network News Transport Protocol (119)
TCP | pop2 | Post Office Protocol v2 (109)
TCP | pop3 | Post Office Protocol v3 (110)
TCP | smtp | Simple Mail Transport Protocol (25)
TCP | sunrpc | Sun Remote Procedure Call (111)
TCP | syslog | Syslog (514)
TCP | tacacs | TAC Access Control System (49)
TCP | talk | Talk (517)
TCP | telnet | Telnet (23)
TCP | time | Time (37)
TCP | uucp | Unix-to-Unix Copy Program (540)
TCP | whois | Nicname (43)
TCP | www | World Wide Web (HTTP, 80)
UDP | biff | Mail notify (512)
UDP | bootpc | Bootstrap Protocol Client (68)
UDP | bootps | Bootstrap Protocol Server (67)
UDP | discard | Discard (9)
UDP | dns | Domain Name Service (53)
UDP | dnsix | DNSIX Security Attribute Token Map (90)
UDP | echo | Echo (7)
UDP | mobilip-ag | MobileIP-Agent (434)
UDP | mobilip-mn | MobileIP-MN (435)
UDP | nameserver | Host Name Server (42)
UDP | netbios-dgm | NETBIOS Datagram Service (138)
UDP | netbios-ns | NETBIOS Name Service (137)
UDP | netbios-ssn | NETBIOS Session Service (139)
UDP | ntp | Network Time Protocol (123)
UDP | rip | Routing Information Protocol (520)
UDP | snmp | SNMP (161)
UDP | snmptrap | SNMP trap (162)
UDP | sunrpc | Sun Remote Procedure Call (111)
UDP | syslog | Syslog (514)
UDP | tacacs-ds | TACACS Database Service (65)
UDP | talk | Talk (517)
UDP | tftp | Trivial File Transfer (69)
UDP | time | Time (37)
UDP | who | Who (513)
UDP | xdmcp | X Display Manager Control Protocol (177)
For ICMP, the packet type can be given as a number (0 to 255) or as one of the following mnemonic symbols.
Table 2-3 Mnemonic symbols for ICMP
Mnemonic symbol | Meaning
echo | Type=8, Code=0
echo-reply | Type=0, Code=0
fragmentneed-DFset | Type=3, Code=4
host-redirect | Type=5, Code=1
host-tos-redirect | Type=5, Code=3
host-unreachable | Type=3, Code=1
information-reply | Type=16, Code=0
information-request | Type=15, Code=0
net-redirect | Type=5, Code=0
net-tos-redirect | Type=5, Code=2
net-unreachable | Type=3, Code=0
parameter-problem | Type=12, Code=0
port-unreachable | Type=3, Code=3
protocol-unreachable | Type=3, Code=2
reassembly-timeout | Type=11, Code=1
source-quench | Type=4, Code=0
source-route-failed | Type=3, Code=5
timestamp-reply | Type=14, Code=0
timestamp-request | Type=13, Code=0
ttl-exceeded | Type=11, Code=0
By configuring the firewall and adding the appropriate access rules, you can use packet filtering to inspect IP packets and discard unwanted ones before they pass through the VG. This is how packet filtering contributes to network security.
An ACL may consist of several permit/deny rules, each covering a different range of packets. When a packet is matched against the ACL, the order in which the rules are tried matters and must be configured.
Up to 100 rules can be configured under one acl-number. If rules overlap, the match order is determined as follows:
- Several rules may be defined under the same serial number. When two such rules conflict, the "depth-first principle" is applied to the source address and wildcard, destination address and wildcard, protocol number and port number to decide the match order.
- If two rules cover exactly the same range, they are matched in the order in which they were defined: the rule defined earlier wins.
Under the "depth-first principle" the rule that covers the smallest range of packets is matched first. The range is judged by the address wildcard: the smaller the wildcard, the fewer hosts the rule covers. For example, 129.102.1.1 0.0.0.0 specifies the single host 129.102.1.1, while 129.102.1.1 0.0.255.255 specifies the whole segment 129.102.0.0 to 129.102.255.255 (the wildcard bits set to 1 are ignored when matching, so the host part of the rule address plays no role). The former is therefore placed in front of the latter.
The "depth-first principle" in detail:
- For standard ACL rules, compare the wildcards of the source addresses; rules with the same wildcard are ordered by configuration sequence.
- For extended ACL rules, compare the wildcards of the source addresses first. If they are the same, compare the wildcards of the destination addresses. If those are also the same, compare the port number ranges and place the rule with the smaller range in front. If the port ranges are the same as well, order the rules by configuration sequence.
Use display acl acl-number to view the resulting match order; the rules listed first are tried first.
Firewall configuration tasks include:
- Enabling/disabling firewall
- Configuring standard ACL
- Configuring extended ACL
- Defining default filtering mode
- Defining ACL rules at interface
The firewall must be enabled before packets are filtered; the other firewall settings take effect only while the firewall is enabled.
Perform the following configuration in system view.
Table 2-4 Enable/disable firewall
Operation | Command
Enable firewall | firewall enable
Disable firewall | firewall disable
By default, firewall is enabled.
The serial number of a standard ACL is in the range of 2000 to 2098. First use the acl command in system view to set the rule match order and enter ACL view, then configure the individual rules with the rule command in ACL view. If no match order is configured, auto (depth-first) is used.
Perform the following configuration in system view (for the acl command) and ACL view (for the rule command).
Table 2-5 Configure standard ACL
Operation | Command
Configure the ACL rule match order and enter ACL view | acl acl-number [ match-order { config | auto } ]
Configure standard ACL rules | rule { permit | deny } source { source-addr source-wildcard | any }
Delete specific ACL rules | undo rule { rule-id | all }
Delete ACL | undo acl { acl-number | all }
The serial number of an extended ACL is in the range of 3000 to 3099. First use the acl command in system view to set the rule match order and enter ACL view, then configure the individual rules with the rule command in ACL view. If no match order is configured, auto (depth-first) is used.
Perform the following configuration in system view (for the acl command) and ACL view (for the rule command).
Table 2-6 Configure extended ACL
Operation | Command
Configure the ACL rule match order and enter ACL view | acl acl-number [ match-order { config | auto } ]
Configure extended ACL rules for IP | rule { permit | deny } ip source { source-addr source-wildcard | any } destination { dest-addr dest-wildcard | any } [ logging ]
Configure extended ACL rules for TCP/UDP | rule { permit | deny } { tcp | udp } source { source-addr source-wildcard | any } [ source-port operator port1 [ port2 ] ] destination { dest-addr dest-wildcard | any } [ destination-port operator port1 [ port2 ] ] [ established ] [ logging ]
Configure extended ACL rules for ICMP | rule { permit | deny } icmp source { source-addr source-wildcard | any } destination { dest-addr dest-wildcard | any } [ icmp-type icmp-type [ icmp-code ] ] [ logging ]
Configure extended ACL rules for other protocols | rule { permit | deny } protocol-number source { source-addr source-wildcard | any } destination { dest-addr dest-wildcard | any } [ logging ]
Delete specific ACL rules | undo rule { rule-id | all }
Delete the ACL | undo acl { acl-number | all }
The default filtering mode defines how a packet is handled when no access rule applies to it, that is, when the rules cannot decide whether the packet may pass. The default filtering mode set by the user determines whether such a packet is permitted or denied.
Perform the following configuration in system view.
Table 2-7 Define default filtering mode
Operation | Command
Define default filtering mode as permit | firewall default permit
Define default filtering mode as deny | firewall default deny
By default, the filtering mode is permit, which means the firewall fails open: any packet not matched by a rule is forwarded. For a firewall that is meant to isolate a network, set firewall default deny and permit the required traffic explicitly, as the configuration example does.
To filter packets at an interface, the ACL rules must be applied to the interface. Different ACLs can be applied in the inbound and outbound directions of an interface.
Perform the following configuration in interface view.
Table 2-8 Define ACL rules at interface
Operation | Command
Apply ACL rules in the inbound or outbound direction of an interface | firewall packet-filter acl-number [ inbound | outbound ]
Remove ACL rules from the inbound or outbound direction of an interface | undo firewall packet-filter { acl-number [ inbound | outbound ] | inbound | outbound | all }
By default, no ACL is applied at an interface.
Up to 20 ACLs can be applied in one direction (inbound or outbound) of an interface.
If rules in two ACLs applied in the same direction conflict, the ACL with the greater acl-number is matched first.
& Note:
To keep configuration flexible, the VG treats the definition of ACL rules and their application to interfaces separately, so an ACL can be applied to an interface before its rules are defined.
Execute the following commands in any view.
Table 2-9 Display and debug firewall
Operation | Command
Display ACL rules at an interface | display acl [ acl-number | interface type number ]
Display firewall statistics | display firewall
Clear ACL rule counters | reset acl counters [ acl-number ]
Enable debugging of packet filtering | debugging filter { all | icmp | tcp | udp }
Two VGs carry IP voice calls over a WAN. The firewall is enabled on both VG A and VG B so that only traffic between the two VGs, and between each VG and the router directly connected to it, is allowed.
For example, for a telephone with number 010-1001 on VG A to talk to the telephone with number 0755-2001 on VG B, dial 0755-2001; two-way communication is set up once the called party picks up.
Figure 2-3 Network diagram for firewall configuration
& Note:
- This example assumes that the route between VG A and VG B is reachable.
- Configure correct IP addresses and telephone numbers for the devices according to the actual network environment.
- This example focuses on firewall configuration and omits the voice configuration.
1) Configure VG A
# Enable firewall.
[VGA] firewall enable
# Set the default filtering mode as deny.
[VGA] firewall default deny
# Configure rules that permit the IP voice channel between VG A and VG B and allow the two routers to reach the two VGs.
[VGA] acl 3050
[VGA-acl-3050] rule permit ip source 1.1.1.2 0 destination 1.1.1.1 0
[VGA-acl-3050] rule permit ip source 2.2.2.1 0 destination 1.1.1.1 0
[VGA-acl-3050] rule permit ip source 2.2.2.2 0 destination 1.1.1.1 0
[VGA-acl-3050] rule permit ip source 1.1.1.1 0 destination any
[VGA-acl-3050] quit
# Apply ACL 3050 to the packets passing through interface Ethernet0.
[VGA] interface ethernet 0
[VGA-Ethernet0] firewall packet-filter 3050 inbound
[VGA-Ethernet0] firewall packet-filter 3050 outbound
2) Configure VG B
# Enable firewall.
[VGB] firewall enable
# Set the default filtering mode as deny.
[VGB] firewall default deny
# Configure rules that permit the IP voice channel between VG A and VG B and allow the two routers to reach the two VGs.
[VGB] acl 3060
[VGB-acl-3060] rule permit ip source 1.1.1.1 0 destination 2.2.2.2 0
[VGB-acl-3060] rule permit ip source 1.1.1.2 0 destination 2.2.2.2 0
[VGB-acl-3060] rule permit ip source 2.2.2.1 0 destination 2.2.2.2 0
[VGB-acl-3060] rule permit ip source 2.2.2.2 0 destination any
[VGB-acl-3060] quit
# Apply ACL 3060 to the packets passing through interface Ethernet0.
[VGB] interface ethernet 0
[VGB-Ethernet0] firewall packet-filter 3060 inbound
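The following is an added Python model of the packet-filter behaviour described in 2.1.2 (wildcard matching and the depth-first match order), 2.2.4 (default filtering mode) and 2.2.5 (ACL order at an interface); it is example code, not the VG's own, and it is run against ACL 3050 from the VG A configuration above. Two things are assumptions: "smaller wildcard" is measured by the number of don't-care bits, and ICMP type/code and the TCP established flag are not modelled. The packets and the second ACL (number 3001) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added model of the VG packet filter (not the device's own code).
# Assumptions: "smaller wildcard" = fewer don't-care bits; ICMP type/code and
# the TCP "established" flag are not modelled.


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str                     # "addr wildcard" or "any"
    dst: str                     # "addr wildcard" or "any"
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range
    seq: int = 0                 # configuration order


def parse_addr(spec: str) -> Tuple[int, int]:
    """'1.1.1.2 0', '10.0.0.0 0.0.255.255' or 'any' -> (address, wildcard) as ints."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    addr, wc = spec.split()
    if wc == "0":                # CLI shorthand for a single host, as in the example
        wc = "0.0.0.0"
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wc))


def addr_matches(spec: str, ip: str) -> bool:
    """Wildcard semantics: bits set in the wildcard are ignored, all others must match."""
    addr, wc = parse_addr(spec)
    return (int(ipaddress.IPv4Address(ip)) | wc) == (addr | wc)


def depth_key(rule: Rule):
    """Depth-first principle: source wildcard, then destination wildcard,
    then port range size, then configuration order (smaller first)."""
    _, swc = parse_addr(rule.src)
    _, dwc = parse_addr(rule.dst)
    ports = rule.dport[1] - rule.dport[0] + 1 if rule.dport else 65536
    return (bin(swc).count("1"), bin(dwc).count("1"), ports, rule.seq)


@dataclass
class Acl:
    number: int
    match_order: str = "auto"    # "auto" = depth-first, "config" = definition order
    rules: List[Rule] = field(default_factory=list)

    def add(self, action, proto, src, dst, dport=None):
        self.rules.append(Rule(action, proto, src, dst, dport, seq=len(self.rules)))

    def ordered(self) -> List[Rule]:
        if self.match_order == "config":
            return list(self.rules)
        return sorted(self.rules, key=depth_key)

    def lookup(self, pkt: dict) -> Optional[str]:
        """Action of the first matching rule in match order, or None if nothing matches."""
        for r in self.ordered():
            if r.proto != "ip" and r.proto != pkt["proto"]:
                continue
            if not (addr_matches(r.src, pkt["src"]) and addr_matches(r.dst, pkt["dst"])):
                continue
            if r.dport and not r.dport[0] <= pkt.get("dport", -1) <= r.dport[1]:
                continue
            return r.action
        return None


def filter_packet(acls: List[Acl], pkt: dict, default: str) -> str:
    """One interface direction: ACLs with greater numbers are consulted first;
    the firewall default decides packets that no rule matches."""
    for acl in sorted(acls, key=lambda a: a.number, reverse=True):
        verdict = acl.lookup(pkt)
        if verdict is not None:
            return verdict
    return default


def vg_a_acl() -> Acl:
    """ACL 3050 from the VG A configuration example."""
    acl = Acl(3050)
    acl.add("permit", "ip", "1.1.1.2 0", "1.1.1.1 0")
    acl.add("permit", "ip", "2.2.2.1 0", "1.1.1.1 0")
    acl.add("permit", "ip", "2.2.2.2 0", "1.1.1.1 0")
    acl.add("permit", "ip", "1.1.1.1 0", "any")
    return acl


def vg_a_verdict(src: str, dst: str, proto: str = "udp", default: str = "deny") -> str:
    return filter_packet([vg_a_acl()], {"proto": proto, "src": src, "dst": dst}, default)


def ordering_demo(match_order: str) -> Optional[str]:
    """Constructed ACL 3001: a host permit configured after a segment deny wins
    under auto (depth-first) order but loses under config order."""
    acl = Acl(3001, match_order)
    acl.add("deny", "ip", "10.0.0.0 0.0.255.255", "any")
    acl.add("permit", "tcp", "10.0.1.1 0", "any", dport=(23, 23))
    return acl.lookup({"proto": "tcp", "src": "10.0.1.1", "dst": "1.1.1.1", "dport": 23})


if __name__ == "__main__":
    print(vg_a_verdict("1.1.1.2", "1.1.1.1"))                    # voice peer: permit
    print(vg_a_verdict("3.3.3.3", "1.1.1.1"))                    # unknown host, default deny: deny
    print(vg_a_verdict("3.3.3.3", "1.1.1.1", default="permit"))  # same packet, fail-open default: permit
    print(ordering_demo("auto"), ordering_demo("config"))        # permit deny
```

The third call is the point of firewall default deny: with the factory default of permit, the same four permit rules would let every unlisted host through. The ordering_demo pair shows why display acl is worth checking after changing match-order: the same two rules give opposite answers for the same packet.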