- Router: device for communications across network segments
- Switch: device for communications on the same network segment or across network segments
- Anti-DDoS: The anti-distributed denial of service (DDoS) system is deployed at the network egress in bypass mode. It is upstream of the firewall to reduce the firewall's packet processing load.
- NGFW: The next-generation firewall (NGFW) can be deployed at the network egress to provide preliminary protection or to protect the data center from attack.
- vNGFW: The virtual NGFW (vNGFW) is deployed on virtual machines (VMs) and has similar functions to a hardware firewall.
- NIP: The next-generation intrusion prevention (NIP) system is a Huawei-developed intrusion detection and prevention device that can be deployed in a data center to provide protection against intrusion.
- Agile-Controller: The agile controller is an automated network resource control system used for access control. It is based on users and applications, and is deployed in the DMZ.
As the number of users on an enterprise network increases, a switch can be deployed to provide a sufficient number of access interfaces. In addition, a switch completely eliminates collisions on the Ethernet segment, greatly improving the performance and security of the Ethernet.
A switch works at the data link layer and forwards data frames. After receiving a data frame, the switch forwards it according to the information in the frame header.
Next, let's take a small switch network as an example to explain the basic working principles of a switch.
A switch has a MAC address table that stores the mapping between MAC addresses and switch interfaces. A MAC address table is also called a Content Addressable Memory (CAM) table.
As shown in the figure, a switch can perform three types of frame operations: flooding, forwarding, and discarding.
- Flooding: The switch forwards the frames received on an interface through all other interfaces (it does not forward frames through the interface that receives them).
- Forwarding: The switch forwards the frames received on an interface through another interface (it does not forward frames through the interface that receives them).
- Discarding: The switch discards the frames received on an interface.
The basic working principles of a switch are as follows:
- Upon receipt of a unicast frame, the switch searches the MAC address table for the destination MAC address of the frame.
- If the MAC address cannot be found, the switch floods the frame.
- If the MAC address is found, the switch forwards the frame through the interface recorded in the entry, unless that interface is the one on which the frame was received, in which case the switch discards the frame.
- Upon receipt of a broadcast frame, the switch directly floods the frame without checking the MAC address table. For a multicast frame, the switch performs more complex processing that is beyond the scope of this course.
In addition, a switch learns from received frames. Upon receipt of a frame, a switch checks the source MAC address of the frame, maps this address to the interface that received the frame, and saves the mapping to the MAC address table.
In the initial state, a switch does not know any MAC addresses of the connected hosts. Therefore, the MAC address table is empty. In this example, SWA is in the initial state. Before receiving a data frame from Host A, SWA's MAC address table contains no entry for Host A.
When Host A sends data to Host C, it sends an ARP request to obtain the MAC address of Host C. In the ARP request, the destination MAC address is the broadcast address, and the source MAC address is the MAC address of Host A. After receiving the ARP request, SWA adds the mapping between the source MAC address and the receiving interface to the MAC address table. The aging time of MAC address entries learned by X7 series switches is 300 seconds by default. If SWA receives a data frame from Host A again within the aging time, SWA updates the aging time of the mapping between Host A's MAC address and G0/0/1. After receiving a data frame whose destination MAC address is 00-01-02-03-04-AA, SWA forwards the frame through interface G0/0/1.
In this example, the destination MAC address of the ARP request sent by Host A is a broadcast address. Therefore, the switch broadcasts the ARP request to Host B and Host C through interfaces G0/0/2 and G0/0/3.
After receiving the ARP request, Host B and Host C examine the ARP packet. Host C processes the ARP request and sends an ARP reply, whereas Host B does not reply. The destination MAC address of the ARP reply is the MAC address of Host A and the source MAC address is the MAC address of Host C. After receiving the ARP reply, SWA adds the mapping between the source MAC address and the receiving interface to the MAC address table. If the mapping already exists in the MAC address table, it is updated. SWA then queries the MAC address table, finds the outbound interface that corresponds to the destination MAC address of the frame, and forwards the ARP reply through G0/0/1.
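The SWA example above, replayed as an added simulation (not code from the course) of the learning, flooding, forwarding, discarding and 300-second aging rules; Host A's MAC address is the one quoted in the text, while the other MAC addresses and the interface list are constructed sample values.

```python
"""Simulation of the switch rules described above: source-MAC learning,
flooding, forwarding, discarding and 300-second entry aging.
Added example, not code from the course. Host C's and Host D's MAC
addresses are constructed; Host A's is the one quoted in the text."""
from dataclasses import dataclass, field

BROADCAST = "FF-FF-FF-FF-FF-FF"
AGING_TIME = 300  # default aging time of learned MAC entries, in seconds


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    ports: list
    # MAC address table (CAM table): MAC -> (interface, time the entry expires)
    mac_table: dict = field(default_factory=dict)

    def receive(self, frame, in_port, now=0):
        """Process one frame; return the interfaces it is sent out of
        (an empty list means the frame was discarded)."""
        # Age out entries whose aging time has elapsed
        for mac in [m for m, (_, exp) in self.mac_table.items() if exp <= now]:
            del self.mac_table[mac]
        # Learn: map the source MAC to the receiving interface (refreshes aging)
        self.mac_table[frame.src] = (in_port, now + AGING_TIME)
        if frame.dst == BROADCAST:
            return self._flood(in_port)   # broadcast: flood without a lookup
        entry = self.mac_table.get(frame.dst)
        if entry is None:
            return self._flood(in_port)   # unknown unicast: flood
        out_port, _ = entry
        if out_port == in_port:
            return []                     # would leave on the receiving interface: discard
        return [out_port]                 # known unicast: forward

    def _flood(self, in_port):
        # All interfaces except the one the frame arrived on
        return [p for p in self.ports if p != in_port]

    def learned(self):
        return {mac: port for mac, (port, _) in self.mac_table.items()}


def arp_exchange():
    """Replay the Host A -> Host C ARP request/reply on SWA and return
    the interfaces used at each step plus the final MAC address table."""
    swa = Switch(ports=["G0/0/1", "G0/0/2", "G0/0/3"])
    host_a = "00-01-02-03-04-AA"                                  # from the text
    host_c, host_d = "00-01-02-03-04-CC", "00-01-02-03-04-DD"     # constructed
    result = {}
    # 1. ARP request (broadcast) from Host A on G0/0/1: flooded to the other ports
    result["request"] = swa.receive(Frame(host_a, BROADCAST), "G0/0/1", now=0)
    # 2. ARP reply from Host C on G0/0/3: Host A is known, so forward only to G0/0/1
    result["reply"] = swa.receive(Frame(host_c, host_a), "G0/0/3", now=1)
    # 3. A frame for Host A that arrives on G0/0/1 itself (e.g. via a hub) is discarded
    result["same_port"] = swa.receive(Frame(host_d, host_a), "G0/0/1", now=2)
    # 4. After the aging time with no traffic from Host C, its entry is gone: flood again
    result["aged"] = swa.receive(Frame(host_a, host_c), "G0/0/1", now=1 + AGING_TIME + 1)
    result["table"] = swa.learned()
    return result
```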
A router is a network layer device that forwards packets between different networks. As shown in the figure, host A and host B reside on different networks. When host A wants to communicate with host B, host A sends a frame toward host B. Upon receipt of this frame, the router that resides on the same network as host A analyzes the frame. At the data link layer, the router analyzes the frame header and determines that the frame is addressed to itself. It then passes the frame to the network layer. At the network layer, the router determines which network segment the destination address belongs to based on the network layer packet header. It then searches the routing table and forwards the packet through the corresponding interface to the next hop toward host B.
After receiving a packet, a router selects an optimal path according to the destination IP address of the packet. It then forwards the packet to the next router. The last router on the path forwards the packet to the destination host. The transmission of data packets on the network is similar to a relay race. Each router forwards data packets to the next-hop router according to the optimal path, and the packets reach the destination through the optimal path. In some cases, because certain routing policies are implemented, the path through which the data packets pass may not be optimal.
A router can determine the forwarding path of data packets. If multiple paths exist to the destination, the router determines the optimal next hop according to calculations specific to the routing protocol in use.
The word "firewall" was first used in the construction field, where a firewall's primary function is to isolate and prevent a fire from spreading. In the communications field, a firewall device is usually deployed to meet certain requirements by logically isolating networks. It blocks various attacks on networks and allows normal communication packets to pass through.
In communications, a firewall is mainly used to protect one network area against network attacks and intrusions from another network area. Because of its isolation and defense capabilities, it can be flexibly applied to network borders and subnet isolation, for example, enterprise network egress, internal subnet isolation, and data center border.
Firewalls are different from routers and switches. A router is used to connect different networks and ensure interconnection through routing protocols so that packets can be forwarded to the destination. A switch is usually deployed to set up a local area network (LAN) and serve as an intermediate hub for LAN communications. A switch forwards packets through Layer 2/Layer 3 switching. A firewall is deployed at the network border to control access to and from the network. Security protection is the core feature of a firewall. The primary function of routers and switches is forwarding, whereas that of firewalls is controlling.
It is common for mid-range and low-end devices to integrate router and firewall functionality. Currently, the trend is for mid-range and low-end routers and firewalls to integrate so that their functions complement each other. Huawei has released a series of such all-in-one devices.
The earliest firewall can be traced back to the late 1980s. Broadly speaking, firewall development can be divided into the following phases:
- Packet filtering firewalls were developed in 1989 for simple access control. This type of firewall is called the first-generation firewall.
- Proxy firewalls were developed soon after and acted as a proxy for communications between an intranet and an extranet at the application layer. This type of firewall is referred to as the second-generation firewall. Proxy firewalls have high security but low processing performance. In addition, developing a proxy service for each type of application can be difficult. Therefore, a proxy is provided for only a few applications.
- In 1994, the industry released the first stateful inspection firewall, which determined what action should be performed by dynamically analyzing packet status. Because it does not need to proxy each application, a stateful inspection firewall provides faster processing and higher security. This type of firewall is called the third-generation firewall.
1995-2004:
- During this period, stateful inspection firewalls had gained popularity. In addition to access control, firewalls also provided other functions, such as VPN.
- At the same time, specific devices started to appear, for example, Web Application Firewalls (WAFs) that protect web servers.
- In 2004, the industry proposed the concept of Unified Threat Management (UTM). This concept integrates the conventional firewall, intrusion detection, antivirus, URL filtering, application control, and mail control into one firewall for all-round security protection.
From 2005 to now:
- After 2004, the UTM market developed rapidly and UTM products proliferated, but new problems arose. First, application-layer detection was limited and a more advanced detection method was needed, which led to the wide adoption of Deep Packet Inspection (DPI) technology. Second, there were performance issues: when multiple functions ran at the same time, the processing performance of the UTM deteriorated greatly.
- In 2008, the industry released the next-generation firewall to solve the performance deterioration issue when multiple functions were running at the same time. In addition, management and control can be performed based on users, applications, and content.
- In 2009, the industry defined the next-generation firewall to specify its functions and features. Subsequently, security vendors launched their next-generation firewall products, and firewalls entered a new era.
- Security policies are implemented based on security zones.
- Data flows in the same security zone bring no security risks and therefore require no security policies.
- The firewall performs security checks and implements security policies only when data flows between security zones.
- All devices on the networks connected to the same interface must reside in the same security zone, and one security zone may contain the networks connected to multiple interfaces.
- Untrust zone
- DMZ
- Trust zone
- Local zone
All devices on the networks connected to the same interface must reside in the same security zone. Each security zone may contain networks connected to multiple interfaces. The interfaces can be physical or logical interfaces. Users on different network segments connected to the same physical interface can be added to different security zones by using logical interfaces such as subinterfaces or VLANIF interfaces.
Question: If different interfaces belong to the same security zone, does the inter-zone security forwarding policy take effect?
VRP is a network operating system used on Huawei routers, Ethernet switches, and service gateways to implement network access and interconnection services. It provides a unified user and management interface, implements control plane functionality, and defines the interface specifications of the forwarding plane (so that the interaction between a product's forwarding plane and the VRP control plane can be implemented). It also implements the network interface layer to shield the differences between the link and network layers of each product.
VRP commands use level-defined protection. The four command levels are visit, monitoring, configuration, and management levels.
- Visit level: Network diagnosis commands (such as ping and tracert) and commands that are used to access external devices from the local device (for example, Telnet client, SSH, and Rlogin). Commands at this level cannot be saved in configuration files.
- Monitoring level: Commands at this level are used for system maintenance or service fault diagnosis, including the display and debugging commands. Commands at the monitoring level cannot be saved in configuration files.
- Configuration level: Service configuration commands, including routing commands and commands at each network layer, are used to provide direct network services for users.
- Management level: Commands at this level affect normal system operation. Such commands include file system, FTP, TFTP, Xmodem download, configuration file switchover, standby board control, user management, command level setting, and system internal parameter setting commands.
The system classifies login users into four levels, each of which corresponds to a command level. That is, after logging in to the system, a user can use only the commands at a level equal to or lower than the user's level. To switch a user from a lower level to a higher level, run the following command: super password [ level user-level ] { simple | cipher } password.
Enter an incomplete keyword and press Tab. The system automatically executes partial help:
- If the match is unique, the system replaces the original input with the complete keyword and displays the keyword on a new line, with the cursor one space after it.
- If no keyword is matched or multiple keywords are matched, the prefix is displayed first. Press Tab to switch from one matched keyword to another with the cursor placed on the last letter of the keyword. Press the space bar to enter the next word.
- If you enter an incorrect keyword and press Tab, the keyword is displayed in a new line. The entered keyword does not change.
Configuration procedure:
- Choose Network > Interface, and select the interface to be modified.
- Configure an IP address for the interface and add the interface to the security zone.
Key commands:
To configure a static route, perform the following operations:
- Enter the view of an interface.
  - <USG> system-view
  - [USG] interface interface-type interface-number
- Configure a Layer 3 or Layer 2 Ethernet interface.
  - Layer 3 Ethernet interface: ip address ip-address { mask | mask-length }
  - Layer 2 Ethernet interface: portswitch
- Assign the interface to a security zone.
  - Run the system-view command to enter the system view.
  - Run the firewall zone [ name ] zone-name command to create a security zone, and enter the view of the security zone.
  - Run the add interface interface-type interface-number command to assign the interface to the security zone.
- Add the static route.
  - Run the system-view command to enter the system view.
  - Run the ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-ip-address } [ preference value ] [ reject | blackhole ] command to add a static route.
To configure the default route, perform the following operations:
- Run the system-view command to enter the system view.
- Run the ip route-static 0.0.0.0 { 0.0.0.0 | 0 } { interface-type interface-number | next-ip-address } [ preference value ] [ reject | blackhole ] command to configure the default route.
You can configure a static route to ensure that traffic sent between two entities always follows this route. However, if the network topology changes or a fault occurs, the static route does not change automatically and requires manual intervention.
The default route is used only when the routing table contains no specific route that matches the packet's destination. It is a route to the network 0.0.0.0/0 and is selected if the destination IP address of a packet does not match any other entry in the routing table. If no default route exists and the destination IP address of the packet matches no entry in the routing table, the packet is discarded. In this case, an ICMP message is returned to the source to report that the destination host or network is unreachable.
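An added simulation (not course code) of the two rules explained above and in the security zone list: the route lookup that prefers the longest prefix and, for equal prefixes, the lower preference value, falling back to 0.0.0.0/0 or to an ICMP unreachable, and the zone check that consults an inter-zone policy only when the inbound and outbound interfaces lie in different security zones. The interface names, addresses, zone assignments, the default static-route preference of 60 and the default deny for unconfigured inter-zone pairs are assumptions made for the example.

```python
"""Route lookup (longest prefix, preference, default route, reject/blackhole)
followed by the security-zone check. Added example, not course code; all
interfaces, addresses and policy values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    prefix: str
    out_iface: Optional[str] = None   # None for reject/blackhole routes
    preference: int = 60              # assumed default preference of a static route
    kind: str = "forward"             # "forward", "reject" or "blackhole"

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)


class Firewall:
    def __init__(self, zones, routes, policies):
        self.zones = zones          # interface -> security zone
        self.routes = routes        # list of StaticRoute
        self.policies = policies    # (src_zone, dst_zone) -> "permit" | "deny"

    def lookup(self, dst):
        """Longest prefix wins; among equal prefixes the lowest preference wins."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.net]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.net.prefixlen, -r.preference))

    def handle(self, in_iface, dst):
        """Return (verdict, outbound interface or None, reason) for one packet."""
        route = self.lookup(dst)
        if route is None or route.kind == "reject":
            return ("drop", None, "ICMP destination unreachable")
        if route.kind == "blackhole":
            return ("drop", None, "blackhole route, dropped silently")
        src_zone, dst_zone = self.zones[in_iface], self.zones[route.out_iface]
        if src_zone == dst_zone:
            # Flows inside one zone are not subject to inter-zone security policies
            return ("permit", route.out_iface, "intra-zone, no security policy applied")
        verdict = self.policies.get((src_zone, dst_zone), "deny")  # assumed default deny
        return (verdict, route.out_iface, f"inter-zone policy {src_zone}->{dst_zone}")


def build_firewall(with_default_route=True):
    """Constructed sample device: two interfaces share the trust zone."""
    zones = {"GE1/0/1": "untrust", "GE1/0/2": "trust",
             "GE1/0/3": "dmz", "GE1/0/4": "trust"}
    routes = [
        StaticRoute("10.1.1.0/24", "GE1/0/2"),
        StaticRoute("10.1.1.0/24", "GE1/0/3", preference=100),  # backup, loses to 60
        StaticRoute("10.1.2.0/24", "GE1/0/4"),
        StaticRoute("172.16.0.0/16", kind="reject"),
        StaticRoute("192.0.2.0/24", kind="blackhole"),
    ]
    if with_default_route:
        routes.append(StaticRoute("0.0.0.0/0", "GE1/0/1"))   # default route
    policies = {("trust", "untrust"): "permit", ("trust", "dmz"): "permit"}
    return Firewall(zones, routes, policies)
```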
Device Login Management
- Console: Connect a PC to the console port of a device through an RS-232 serial interface cable. Then, log in to the device through the PC, and configure the device after it is powered on. This login mode is useful if the device cannot be accessed remotely or the system cannot be started. In the latter case, the console port can be used to diagnose faults or enter the BootROM to upgrade the system.
- Telnet: Connect a PC to the device over the network. Then, log in to the device through Telnet to perform local or remote configuration. The device performs user authentication according to the configured login parameters. This login mode enables remote management and maintenance of the device.
- SSH: This login mode uses secure transmission channels to enhance security of data exchange. It provides powerful authentication functions to ensure information security and protect devices against attacks, such as IP spoofing attacks.
- Web: Access the device through the web browser on a client to control and manage the device.
Right-click My Computer, choose Properties from the shortcut menu, and click Device Manager. Check parameters in the Device Manager window.
In the Serial window shown in the figure, set Serial line to connect to based on the port used by the PC (or configuration device), specify PuTTY configuration parameters on the left according to the parameter table on the right, and click Open.
The default user name and password for logging in to the USG configuration interface are admin and Admin@123 respectively. The user name is case insensitive and the password is case sensitive.
Configure a PC to obtain an IP address automatically. Connect the PC Ethernet interface to the default management interface on the device directly or through a switch. Enter https://192.168.0.1 in the PC's web browser to access the web login page.
The default user name and password are admin and Admin@123 respectively.
Enable the web management function:
- [USG] web-manager security enable port 8443
Configure a web user.
- [USG] aaa
- [USG-aaa] manager-user webuser
- [USG-aaa-manager-user-webuser] password cipher Admin@123
- [USG-aaa-manager-user-webuser] service-type web
- [USG-aaa-manager-user-webuser] level 3
Configure web device management on the USG interface:
- [USG-GigabitEthernet1/0/1] service-manage enable
- [USG-GigabitEthernet1/0/1] service-manage https permit
Configure a Telnet administrator:
Enable the Telnet service:
- [USG] telnet server enable
Configure the vty interface:
- [USG] user-interface vty 0 4
- [USG-ui-vty0-4] authentication-mode aaa
- [USG] aaa
- [USG-aaa] manager-user vtyadmin
- [USG-aaa-manager-user-vtyadmin] password
- Enter Password:
- [USG-aaa-manager-user-vtyadmin] service-type telnet
- [USG-aaa-manager-user-vtyadmin] level 3
Configure Telnet device management on the USG interface:
- [USG-GigabitEthernet1/0/1] service-manage enable
- [USG-GigabitEthernet1/0/1] service-manage telnet permit
When the device functions as an SSH server, you can set the authentication mode to Password or RSA for SSH users.
Overview of Device File Management
- The configuration file contains the configurations that the device will load when it is started. You can save configuration files on the device, modify and remove existing configuration files, and specify which configuration file the device will load upon each startup. System files include the USG software version and signature database files. Generally, management of system files is required during software upgrades.
- Upgrading system software: The system software can be uploaded to the device through TFTP or FTP. After uploading it, specify the new software as the system software for the next startup to complete the upgrade.
- A license is provided by a vendor to authorize the usage scope and validity period of product features. It dynamically controls whether certain features of a product are available.
Save the configuration file: Enable the firewall to use the current configuration as the start configuration the next time it restarts.
- Method 1 (command line): Run the save command in the user view.
- Method 2 (web): Click Save in the upper right corner of the home page.
Erase the configuration file (restore to factory settings): After the configuration file is erased, the firewall uses the default parameter settings the next time it restarts.
- Method 1 (command line): Run the reset saved-configuration command in the user view.
- Method 2 (web): Choose System > Maintenance > Configuration Management to restore to factory settings.
- Method 3 (hardware reset button): If the device is not powered on, press and hold the RESET button, and turn on the power switch. When the device indicator blinks twice per second, release the RESET button. The device starts with the default configuration.
- Method 4 (hardware reset button): If the device is started normally, press and hold the RESET button for more than 10 seconds. The device restarts and uses the default configuration.
Configure the system software and configuration file for the next startup:
- Command line: Run the startup system-software sysfile command in the user view.
- Web: Choose System > Maintenance > System Update, and then select Next Startup System Software.
- Function: The firewall will be restarted and the restart will be recorded in logs.
- Method 1 (command line): Run the reboot command in the user view.
- Method 2 (web): Choose System > Maintenance > System Restart.
One-click upgrade of the system software:
- If the device has insufficient storage space available, the device automatically deletes the system software that is running.
- Choose System > System Update.
- Click One-Click Version Upgrade. The One-Click Version Upgrade wizard is displayed.
- Optional: Click the Export button sequentially to export the device's alarm, log, and configuration information to the PC. You are advised to save the configuration information to the terminal.
- Click Browse. Select the system software to be uploaded.
- If the current network allows the device to restart immediately after upgrade, select either Set as the next startup system software, and restart the system or Set as the next startup system software, and do not restart the system according to requirements.
- The upgraded system software can be used only after the device restarts.
- Configuration using commands (the FW acts as an FTP client)
- Download a file using FTP:
- Run the ftp ftp-server [interface-number] [vpn-instance vpn-instance-name] command to set up a control connection with the FTP server and enter the FTP client view.
- Run the get remote-filename [ local-filename ] command to download a file from the remote FTP server and save the file to a local path.
- Configure the system software for the next startup:
- Run the startup system-software sys-filename command.
The license can be activated online or offline. You can activate the license automatically through Huawei security center at sdplsp.huawei.com or manually activate it locally.
License files are stored as .dat files. The software file name cannot contain any Chinese characters.
Configuration commands:
- Run the system-view command to enter the system view.
- Run the license active license-file command to activate the specified license file.
- Run the display license command to view the license information.