SecPath Firewall: Typical Configuration for Address-Scan and Port-Scan Attack Defense


H3C SecPath Series Firewall Typical Configuration Case Collection-6W100: SecPath Series Firewall IPSec Typical Configuration Example


SecPath Series Firewall IPSec Typical Configuration Example. Keywords: IKE, IPSec. Abstract: This chapter first introduces the basic concepts of IKE and IPSec, then explains how to configure them on the firewall, and finally gives two typical application examples.

Abbreviations:
IKE: Internet Key Exchange
IPsec: IP Security (IP network security protocol)

Contents:
1 Feature introduction
  1.1 IPSec basic concepts
    1.1.1 SA
    1.1.2 Encapsulation modes
2 Application scenarios
3 Configuration guide
  3.1 Configuration overview
  3.2 Configuring ACLs
  3.3 Configuring IKE
    3.3.1 Configuring IKE global parameters
    3.3.2 Configuring IKE proposals
    3.3.3 Configuring IKE peers
  3.4 IPSec proposals
  3.5 Configuring security policy templates
  3.6 Configuring security policies
  3.7 Applying security policy groups
4 Configuration example 1: basic application
  4.1 Network requirements
  4.2 Software version
  4.3 Configuration steps
  4.4 Verifying the configuration
    4.4.1 Viewing IPSec security associations
    4.4.2 Viewing packet statistics
5 Configuration example 2: combined with NAT
  5.1 Network requirements
  5.2 Configuration notes
  5.3 Configuration steps
  5.4 Verifying the configuration
    5.4.1 Viewing IPSec security associations
    5.4.2 Viewing packet statistics
6 Precautions
7 Related documentation
  7.1 Related protocols and standards
  7.2 Other related documents

1 Feature introduction. The IPsec (IP Security) protocol suite is a set of protocols defined by the IETF that provides high-quality, interoperable, cryptography-based security for IP datagrams.

Between specific communicating parties, encryption and data-origin authentication at the IP layer ensure the confidentiality, integrity and authenticity of datagrams in transit and protect them against replay.

IPsec achieves these goals with two security protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload). In addition, IKE (Internet Key Exchange) can negotiate and exchange keys automatically and establish and maintain security associations for IPsec, which simplifies the use and management of IPsec.

SecPath Firewall: Typical Configuration for ip-sweep and port-scan Attack Defense with Dynamic Blacklisting (excerpt)

Security Products, Zhao Biao 04708

I. Network requirements: Test the ip-sweep and port-scan defense functions of the SecPath firewall, adding the sources of scanning attacks to the blacklist dynamically.

II. Network diagram: SecPath1000F, Version 3.40, ESS1604P01.

Configuration fragment:
firewall defend port-scan max-rate 300 blacklist-timeout 10 // configure port-scan defense attributes
#
[Quidway]dis firewall blacklist item // display blacklist entries
Firewall blacklist item :
Current manual insert items : 1
Current automatic insert items : 2
Need aging items : 2
IP Address      Insert reason   Insert time           Age time(minutes)
--------------------------------------------------------------------------

PC steps: edit the configuration file; run the script to construct attack packets; verify the result.

IV. Key configuration points:
1. Enable IP statistics in the outbound direction of the zone that initiates connections;
2. Before using EasyToolKit, dotnetfx.exe and WinPcap must be installed;
3. Statistics must be enabled globally;
4. The default max-rate is 4000;
5. By default, attackers are not added to the blacklist.

H3C SecPath F100 Series Firewall Configuration Tutorial


H3C SecPath F100 Series Firewall Configuration Tutorial

Initial configuration:
<H3C> system-view

Enable the firewall function:
[H3C] firewall packet-filter enable
[H3C] firewall packet-filter default permit

Assign interfaces to zones:
[H3C] firewall zone untrust
[H3C-zone-untrust] add interface GigabitEthernet0/0
[H3C] firewall zone trust
[H3C-zone-trust] add interface GigabitEthernet0/1

Working mode:
firewall mode transparent (transparent mode)
firewall mode route (routing mode)

HTTP server:
undo ip http shutdown (enable the HTTP server)
ip http shutdown (disable the HTTP server)

Add a Web user:
[H3C] local-user admin
[H3C-luser-admin] password simple admin
[H3C-luser-admin] service-type telnet
[H3C-luser-admin] level 3

Enable attack defense:
firewall defend all (enable all defenses)

Switch to Chinese mode: language-mode chinese
Set the firewall name: sysname sysname
Configure the firewall system IP address: firewall system-ip system-ip-address [ address-mask ]
Set the standard time: clock datetime time date
Set the time zone: clock timezone time-zone-name { add | minus } time
Remove the time zone setting: undo clock timezone
Configure the password for switching user level: super password [ level user-level ] { simple | cipher } password
Remove the configured password: undo super password [ level user-level ]
By default, if no level is specified, the password set is the one for switching to level 3.

H3C SecPath Firewall GRE+IPSEC+OSPF Typical Configuration Example

# // Because the 2630 establishes GRE connections with both SecPath1 and SecPath2, two IKE negotiations are needed
ike peer 1 // the IKE peer is named 1
exchange-mode aggressive
pre-shared-key 1 // configure the authentication key as 1
id-type name // use name as the ID type for IKE negotiation
interface Aux0
async mode flow
link-protocol ppp
#
interface Dialer1 // create shared dialer interface 1
link-protocol ppp // the link-layer protocol encapsulated on the dialer interface is PPP
mtu 1450
ip address ppp-negotiate // the dialer interface obtains its address through PPP negotiation
ip address 4.1.1.3 255.255.255.0
source 192.168.0.3
destination 192.168.0.1
ospf cost 100
#
interface Tunnel1
ip address 5.1.1.3 255.255.255.0
source 192.168.0.3
This can also be configured on a virtual-ethernet interface; that configuration sets up a PPPoE session, with one PPPoE session created per dialer interface.
#
interface Tunnel0
ip address 6.1.1.3 255.255.255.0
source 192.168.0.4
destination 192.168.0.1
ospf cost 100
dialer user test // configure the user of the called peer

H3C SecPath Firewall Series: Typical Configuration for Hybrid Mode

I. Network requirements:
The network requires three PCs: PC1 and PC4 are in the Trust zone; PC2 is in the DMZ zone, with an IP address on the same subnet as PC1 and PC4; PC3 is in the Untrust zone and represents the external network.

Interfaces G0/0 and G1/0 belong to the same bridge group, Bridge1.

The access control requirements are as follows:
Configure NAT on firewall interface G0/1 so that the Trust and DMZ zones can reach the Untrust zone only through address translation;
Use NAT Server so that the DMZ zone provides WWW service to the Untrust zone;
Bind an ASPF policy together with packet filtering on interface G1/0 so that users in the Trust zone can access devices in the DMZ zone, while the DMZ zone cannot access the Trust zone;
Bind a MAC-address-based access control list on interface G0/0 to prevent PC4 from accessing any other zone.

II. Network diagram:
Products that support hybrid mode: SecPath F1000-A/F1000-S/F100-E/F100-A; required version: Comware software, Version 3.40, ESS 1622 or later.

IV. Key configuration points:
1. Each bridge group is independent; packets cannot be forwarded between ports that belong to different bridge groups. In other words, a packet received on a bridge-group port can only be sent out through other ports of the same bridge group. An interface on the firewall cannot be added to two or more bridge groups at the same time.

2. To forward data between different bridge groups, or between Layer 2 and Layer 3 interfaces, create a bridge-group virtual interface and add it to the appropriate zone.

H3C SecPath F100-C-SI Firewall Web Configuration Guide-5PW100: Security Configuration


Contents:
1 Access control
  1.1 Overview
  1.2 Configuring access control
  1.3 Typical access control configuration example
2 Website filtering
  2.1 Overview
  2.2 Typical website filtering configuration example
3 MAC address filtering
  3.1 Overview
  3.2 Configuring MAC address filtering
    3.2.1 Configuring the MAC address filtering type
    3.2.2 Configuring the MAC addresses to filter
  3.3 Typical MAC address filtering configuration example
4 Attack defense
  4.1 Overview
    4.1.1 Blacklist function
    4.1.2 Intrusion detection function
  4.2 Configuring the blacklist
    4.2.1 Configuration overview
    4.2.2 Enabling blacklist filtering
    4.2.3 Manually creating blacklist entries
    4.2.4 Viewing the blacklist
  4.3 Configuring intrusion detection
  4.4 Typical attack defense configuration example
    4.4.1 Typical attack defense configuration example
5 Application control
  5.1 Overview
  5.2 Configuring application control
    5.2.1 Configuration overview
    5.2.2 Loading applications
    5.2.3 Configuring custom applications
    5.2.4 Enabling application control
  5.3 Typical application control configuration example

1 Access control. 1.1 Overview: Access control restricts the access of computers on the LAN to the Internet by specifying time ranges, the IP addresses of LAN computers, port ranges and packet protocol types, and denying packets that match the specified conditions.

SecPath High-End Firewall Attack Defense Configuration Example


SecPath High-End Firewall Attack Defense Configuration Example. Keywords: attack defense, DDoS, scanning, blacklist. Abstract: This document briefly describes the features of the attack defense module of the high-end multi-core firewall, including SYN flood defense, UDP flood defense, ICMP flood defense, scan attack defense, single-packet attack defense, the static blacklist function and the dynamic blacklist function.

It gives typical attack defense configuration cases and detailed steps for constructing attack packets.

Abbreviations: none.

Contents:
1 Introduction
2 Feature usage guide
  2.1 Usage scenarios
  2.2 Configuration guide
  2.3 Attack software
  2.4 Precautions
3 Supported devices and versions
  3.1 Device versions
  3.2 Supported devices
  3.3 Saving the configuration
4 Configuration examples
  4.1 Typical network
  4.2 Basic device configuration
  4.3 Typical attack defense configuration examples
5 Related documentation
  5.1 Related protocols and standards
  5.2 Other related documents

1 Introduction. (1) Attack defense is one of the important features of a firewall. It analyses the content and behaviour of packets passing through the firewall to decide whether they have attack characteristics and, if so, applies defensive measures such as adding the source to the blacklist, emitting alarm logs and dropping the packets.

(2) The firewall's attack defense can detect many types of attack, including denial of service (DoS), scanning and probing, and malformed packets, and take appropriate defensive measures against them.

The specific attack defense functions are blacklist filtering, packet attack signature identification, traffic anomaly detection and intrusion detection statistics.

(3) Attack defense management configures and manages these important firewall functions: blacklist filtering, attack signature identification, traffic anomaly detection and intrusion detection statistics.

This section introduces each of these functions and their configuration.

2 Feature usage guide. 2.1 Usage scenarios: (1) Between the internal and external networks, the firewall analyses the content and behaviour of packets to decide whether they have attack characteristics and applies defensive measures accordingly, keeping the network running safely.

2.2 Configuration guide: All attack defense functions can be configured through the Web interface.

The following items of the attack defense function are configured on the Web interface: A. static blacklist; B. dynamic blacklist; C. ICMP flood defense; D. UDP flood defense; E. SYN flood defense; F. scan attack defense; G. single-packet attack defense. 2.3 Attack software: Many attack tools are available; this document uses NetWizard 2.2.

SecPath Firewall: Typical Configuration for ip-sweep and port-scan Attack Defense with Dynamic Blacklisting


SecPath Firewall: Typical Configuration for ip-sweep and port-scan Attack Defense with Dynamic Blacklisting. I. Network requirements: Test the ip-sweep and port-scan defense functions of the SecPath firewall, adding the sources of scanning attacks to the blacklist dynamically.

II. Network diagram. SecPath1000F: Version 3.40, ESS 1604P01; Web Server: Windows 2003; PC: Windows XP with the EasyToolKit attack tool installed.

III. Configuration steps
1. Main configuration of SecPath1000F
#
sysname Quidway
#
firewall packet-filter enable
firewall packet-filter default permit
#
firewall statistic system enable // enable statistics globally
#
firewall blacklist enable // enable the blacklist function
firewall blacklist 202.38.1.99 // manually add a blacklist entry
#
interface GigabitEthernet0/0
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet0/0
set priority 85
#
firewall zone untrust
add interface GigabitEthernet0/1
set priority 5
statistic enable ip outzone // enable IP statistics in the outbound direction of the zone that initiates connections
#
firewall defend ip-sweep max-rate 300 blacklist-timeout 15 // configure ip-sweep defense attributes
firewall defend port-scan max-rate 300 blacklist-timeout 10 // configure port-scan defense attributes
#
[Quidway]dis firewall blacklist item // display blacklist entries
Firewall blacklist item :
Current manual insert items : 1
Current automatic insert items : 2
Need aging items : 2
IP Address      Insert reason   Insert time           Age time(minutes)
--------------------------------------------------------------------------
202.38.1.99     Manual          2006/10/11 08:30:22   Permanent
192.168.1.2     Port Scan       2006/10/11 08:59:53   10
192.168.1.2     IP Sweep        2006/10/11 09:55:13   15
[Quidway]dis firewall statistic system defend // display attack defense statistics
Display firewall defend statistic:
IP-sweep, 2 time(s)
TCP port-scan, 2 time(s)
UDP port-scan, 0 time(s)
total, 4 time(s)

2. PC attack tool configuration
Open the "EasyAttacker" program, select the NIC to use, and browse to select the attack type. Edit the configuration file. Run the script to construct attack packets. Verify the result.

IV. Key configuration points
1. Enable IP statistics in the outbound direction of the zone that initiates connections;
2. Before using "EasyToolKit", "dotnetfx.exe" and "WinPcap" must be installed;
3. Statistics must be enabled globally;
4. The default max-rate is 4000;
5. By default, attackers are not added to the blacklist.


SecPath Address-Scan and Port-Scan Attack Defense: Typical Configuration
I. Network requirements
Deploy a SecPath firewall to defend against address-scan (ip-sweep) and port-scan attacks, and use the blacklist function to isolate the attacker.

II. Network diagram
III. Configuration steps
[SecPath10F]dis cur
#
sysname SecPath10F
#
firewall packet-filter enable
firewall packet-filter default permit
#
undo connection-limit enable
connection-limit default deny
connection-limit default amount upper-limit 50 lower-limit 20
#
firewall statistic system enable // enable global packet statistics
#
firewall blacklist enable // enable the blacklist function
#
radius scheme system
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
interface Ethernet1/0
ip address 10.0.0.254 255.255.0.0
#
interface Ethernet2/0
speed 10
duplex half
ip address 9.0.0.254 255.0.0.0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet1/0
set priority 85
#
firewall zone untrust
add interface Ethernet2/0
set priority 5
statistic enable ip outzone // collect statistics on packets in the outbound direction of the untrust zone
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
firewall defend ip-sweep max-rate 50 blacklist-timeout 10 // set the address-scan threshold to 50 per second; add the attacker to the blacklist and block it for 10 minutes
firewall defend port-scan max-rate 100 blacklist-timeout 10 // set the port-scan threshold to 100 per second; add the attacker to the blacklist and block it for 10 minutes
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
#
return
IV. Key configuration points
1. Collect statistics on packets entering or leaving the zone;
2. Enable the blacklist function;
3. Set the address-scan and port-scan thresholds and the time for which the attacker is blocked.
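The following is an added example, not part of the original document and not H3C code: a simplified Python model of what the two firewall defend commands and the blacklist do together, so that the effect of max-rate and blacklist-timeout can be checked against constructed traffic. It assumes that ip-sweep counts distinct destination hosts per source per second, that port-scan counts distinct destination ports per source and destination host per second, that the defense triggers when the count reaches max-rate (the ATCKDF log in the verification section reports atckSpeed equal to the configured rate), and that packets from a blacklisted source are dropped until blacklist-timeout minutes have passed. The class, the traffic and the timings are constructed for this example; the device's real algorithm may differ.

```python
from collections import defaultdict

class ScanDefense:
    """Constructed model of 'firewall defend ip-sweep/port-scan ... blacklist-timeout'.
    Not the device's algorithm: counting windows and trigger rule are assumptions."""

    def __init__(self, ip_sweep_max_rate, port_scan_max_rate, blacklist_timeout_min):
        self.ip_sweep_max_rate = ip_sweep_max_rate      # distinct dst hosts per second
        self.port_scan_max_rate = port_scan_max_rate    # distinct dst ports per second
        self.blacklist_timeout = blacklist_timeout_min * 60   # minutes -> seconds
        self.blacklist = {}          # src ip -> (insert reason, expiry time in seconds)
        self.alarms = []             # (time, src ip, reason), like the SEC/5/BLS log
        self._hosts = defaultdict(set)   # (src, second) -> distinct destination hosts
        self._ports = defaultdict(set)   # (src, dst, second) -> distinct destination ports

    def _insert(self, t, src, reason):
        """Dynamic blacklist insert with an age time (the blacklist-timeout)."""
        self.blacklist[src] = (reason, t + self.blacklist_timeout)
        self.alarms.append((t, src, reason))

    def handle_packet(self, t, src, dst, dport):
        """Return 'permit' or 'drop' for one packet from src to dst:dport at time t (s)."""
        entry = self.blacklist.get(src)
        if entry is not None:
            if t < entry[1]:
                return "drop"            # still inside the blacklist-timeout window
            del self.blacklist[src]      # entry aged out; the source may talk again
        sec = int(t)
        hosts = self._hosts[(src, sec)]
        hosts.add(dst)
        if len(hosts) >= self.ip_sweep_max_rate:       # assumed trigger: count reaches max-rate
            self._insert(t, src, "IP Sweep")
            return "drop"
        ports = self._ports[(src, dst, sec)]
        ports.add(dport)
        if len(ports) >= self.port_scan_max_rate:
            self._insert(t, src, "Port Scan")
            return "drop"
        return "permit"


def simulate():
    """Replay constructed traffic against the thresholds configured above (50/100, 10 min)."""
    fw = ScanDefense(ip_sweep_max_rate=50, port_scan_max_rate=100, blacklist_timeout_min=10)
    out = {}
    # Address scan: 60 hosts in 10.0.0.0/24 touched within one second by 9.0.0.1.
    sweep = [fw.handle_packet(0.01 * i, "9.0.0.1", f"10.0.0.{i}", 80) for i in range(1, 61)]
    out["sweep_permitted"] = sweep.count("permit")           # hosts seen before the threshold
    out["sweep_reason"] = fw.blacklist["9.0.0.1"][0]         # "IP Sweep"
    # A ping during the 10-minute block is dropped; after the block it is permitted again.
    out["ping_during_block"] = fw.handle_packet(120, "9.0.0.1", "10.0.0.1", 0)
    out["ping_after_timeout"] = fw.handle_packet(601, "9.0.0.1", "10.0.0.1", 0)
    # Port scan: 150 ports on one host within one second, after the first block expired.
    scan = [fw.handle_packet(700 + 0.001 * p, "9.0.0.1", "10.0.0.1", p) for p in range(1, 151)]
    out["scan_permitted"] = scan.count("permit")
    out["scan_reason"] = fw.blacklist["9.0.0.1"][0]          # "Port Scan"
    # A legitimate host touching a few hosts on one port is never blacklisted.
    legit = [fw.handle_packet(700 + 0.1 * i, "9.0.0.2", f"10.0.0.{i}", 443) for i in range(1, 6)]
    out["legit_permitted"] = legit.count("permit")
    out["alarms"] = [(src, reason) for _, src, reason in fw.alarms]
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The simulation reproduces the sequence of the verification section: the first sweep is cut off at the threshold and the source is blocked for the configured age time, a ping during that time fails, and after the timeout the source is accepted again until it trips the port-scan threshold. Raising max-rate trades earlier detection for fewer false positives on bursty but legitimate hosts such as monitoring systems.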

V. Verification
1. Ping 10.0.0.1 from the attack host; the ping succeeds.

Then, on the attack host 9.0.0.1, use nmap to run an address scan against 10.0.0.1:
nmap -v --min-hostgroup 100 -sS 10.0.0.0/16
// The firewall raises an address-scan alarm
[SecPath10F]
%Jan 1 00:15:54:165 2000 SecPath10F SEC/5/BLS:blsOptMode(1026)=add;srcIPAddr(1017)=9.0.0.1;blsOptReason(1027)= IP Sweep ;blsHoldTime(1028)=10
%Jan 1 00:16:08:915 2000 SecPath10F SEC/5/ATCKDF:atckType(1016)=(16)IP-sweep;rcvIfName(1023)=Ethernet2/0;srcIPAddr(1017)=9.0.0.1;srcMacAddr(1021)=;destIPAddr(1019)=10.0.0.51;destMacAddr(1022)=;atckSpeed(1047)=50;atckTime_cn(1048)=20000101001554
// The attacker's address has been added to the blacklist, with a block time of 10 minutes
[SecPath10F]dis firewall blacklist item
Firewall blacklist item :
Current manual insert items : 0
Current automatic insert items : 1
Need aging items : 1
IP Address      Insert reason   Insert time           Age time(minutes)
--------------------------------------------------------------------------
9.0.0.1         IP Sweep        2000/01/01 00:15:53   10
At this point, pinging 10.0.0.1 from the attack host fails.

2. After the 10-minute block expires, ping 10.0.0.1 from the attack host 9.0.0.1; the ping succeeds.

Then use nmap to run a port scan against 10.0.0.1:
nmap -v -p 1-65535 10.0.0.1
// The firewall raises a port-scan alarm
[SecPath10F]
%Jan 1 00:03:55:514 2000 SecPath10F SEC/5/BLS:blsOptMode(1026)=add;srcIPAddr(1017)=9.0.0.1;blsOptReason(1027)= Port Scan ;blsHoldTime(1028)=10
%Jan 1 00:04:08:915 2000 SecPath10F SEC/5/ATCKDF:atckType(1016)=(25)TCP port-scan;rcvIfName(1023)=Ethernet2/0;srcIPAddr(1017)=9.0.0.1;srcMacAddr(1021)=;destIPAddr(1019)=10.0.0.1;destMacAddr(1022)=;atckSpeed(1047)=100;atckTime_cn(1048)=2000010*******
// The attacker's address has been added to the blacklist, with a block time of 10 minutes
[SecPath10F]dis firewall blacklist item
Firewall blacklist item :
Current manual insert items : 0
Current automatic insert items : 1
Need aging items : 1
IP Address      Insert reason   Insert time           Age time(minutes)
--------------------------------------------------------------------------
9.0.0.1         Port Scan       2000/01/01 00:03:54   10
At this point, pinging 10.0.0.1 from the attack host fails.
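The following is an added example, not part of the original document and not H3C code: a small Python parser for the SEC/5/BLS and SEC/5/ATCKDF alarm lines and for the output of dis firewall blacklist item, with a check that every dynamic blacklist insert reported in the log is actually present in the blacklist table with the same reason and age time. This is the kind of consistency check an operator would run when forwarding these alarms to a log collector. The sample log lines and table are the ones from the verification section above with the line wrapping removed; the field layout name(id)=value and the column order of the table are taken from that output, and any other log format is an assumption.

```python
import re

# Header of an H3C SecPath log message, e.g. "%Jan 1 00:15:54:165 2000 SecPath10F SEC/5/BLS:..."
HEADER_RE = re.compile(
    r"^%(?P<time>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}:\d{3}\s+\d{4})\s+(?P<host>\S+)\s+"
    r"(?P<msg>SEC/5/\w+):(?P<body>.*)$"
)
# One "name(id)=value" field in the message body; a value runs up to the next ';'
FIELD_RE = re.compile(r"(\w+)\(\d+\)=([^;]*)")
# One data row of "dis firewall blacklist item": IP, reason, insert time, age time
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<reason>.+?)\s+"
    r"(?P<inserted>\d{4}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2})\s+(?P<age>\S+)\s*$"
)

# Sample alarms copied from the verification output above (constructed test input for this example).
LOG_LINES = [
    "%Jan 1 00:15:54:165 2000 SecPath10F SEC/5/BLS:blsOptMode(1026)=add;srcIPAddr(1017)=9.0.0.1;"
    "blsOptReason(1027)= IP Sweep ;blsHoldTime(1028)=10",
    "%Jan 1 00:16:08:915 2000 SecPath10F SEC/5/ATCKDF:atckType(1016)=(16)IP-sweep;"
    "rcvIfName(1023)=Ethernet2/0;srcIPAddr(1017)=9.0.0.1;srcMacAddr(1021)=;"
    "destIPAddr(1019)=10.0.0.51;destMacAddr(1022)=;atckSpeed(1047)=50;atckTime_cn(1048)=20000101001554",
]
BLACKLIST_TABLE = """Firewall blacklist item :
Current manual insert items : 0
Current automatic insert items : 1
Need aging items : 1
IP Address      Insert reason   Insert time           Age time(minutes)
--------------------------------------------------------------------------
9.0.0.1         IP Sweep        2000/01/01 00:15:53   10
"""


def parse_log_line(line):
    """Split one alarm line into header fields plus its name=value fields; None if not an alarm."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {name: value.strip() for name, value in FIELD_RE.findall(m.group("body"))}
    return {"time": m.group("time"), "host": m.group("host"), "msg": m.group("msg"), **fields}


def parse_blacklist_table(text):
    """Return the data rows of 'dis firewall blacklist item' as dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def check_blacklist_matches_alarms(log_lines, table_text):
    """For each SEC/5/BLS 'add' alarm, confirm the table holds the same source, reason and age."""
    rows = {row["ip"]: row for row in parse_blacklist_table(table_text)}
    findings = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or rec["msg"] != "SEC/5/BLS" or rec.get("blsOptMode") != "add":
            continue
        row = rows.get(rec["srcIPAddr"])
        present = (row is not None and row["reason"] == rec["blsOptReason"]
                   and row["age"] == rec["blsHoldTime"])
        findings.append({"src": rec["srcIPAddr"], "reason": rec["blsOptReason"],
                         "hold_min": int(rec["blsHoldTime"]), "in_blacklist": present})
    return findings


if __name__ == "__main__":
    for finding in check_blacklist_matches_alarms(LOG_LINES, BLACKLIST_TABLE):
        print(finding)
```

The ATCKDF record carries the ingress interface, the attack type and the measured rate (atckSpeed), which is what you want in an alert; the BLS record tells you that a block was actually installed and for how long, so the two should be correlated by source address rather than treated as separate events.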
