Which functions on a network device can provide network security

Source: Internet
Author: User

Network security is a broad topic, so a brief definition first. Network security means protecting the hardware, software and data of a network system with measures that keep the system running continuously and reliably, prevent accidental or malicious damage, alteration or leakage, and keep network services from being interrupted. It covers the hardware, the software and the data of the network system. The sections below discuss which functions on a network device can provide some of that security.

 

I. AAA Authentication:

AAA is short for Authentication, Authorization, and Accounting.

It provides a consistent framework for configuring authentication, authorization and accounting.

AAA is a network security management framework rather than a single protocol; it can be implemented with several protocols, and in practice RADIUS is the one most often used.

Authentication verifies whether a user may be granted access; authorization decides which services the user may use; accounting records the user's consumption of network resources, among other services.

1. Authentication

AAA supports the following authentication methods:

No authentication: users are fully trusted and no validity check is performed. This method is generally not used.

Local authentication: user information (user name, password and the attributes of each local user) is configured on the device itself. Local authentication is fast and cheap to operate; its drawback is that the amount of user information that can be stored is limited by the device's hardware.

Remote authentication: supported through the RADIUS protocol or the HWTACACS protocol (Huawei's TACACS+ variant). The device (for example a Quidway series switch) acts as the client and talks to the RADIUS or TACACS server. For RADIUS, either the standard protocol or an extended RADIUS protocol can be used.

2. Authorization

AAA supports the following authorization methods:

Direct authorization: users are fully trusted and pass authorization directly.

Local authorization: authorization is based on the attributes configured for the local user account on the device.

RADIUS authorization: in the RADIUS protocol authentication and authorization are bound together (the Access-Accept carries the authorization attributes), so RADIUS authorization can only be used after RADIUS authentication succeeds; RADIUS cannot authorize on its own.

RADIUS (Remote Authentication Dial-In User Service) is a distributed client/server protocol for exchanging authentication, authorization and accounting information. It protects the network from unauthorized access and is used in many environments that require strong security and remote user access.

The RADIUS service has three components:

Protocol: RFC 2865 (authentication) and RFC 2866 (accounting) define the RADIUS packet format and message exchange over UDP/IP, with UDP port 1812 for authentication and 1813 for accounting.

Server: the RADIUS server runs on a central computer or workstation and holds the user authentication and network service access information.

Client: the client runs on the network access device (the dial-up or network access server, for example the switch) and can be deployed anywhere in the network.

AAA and RADIUS/HWTACACS Protocol Configuration

RADIUS is based on the client/server model. As a RADIUS client, the switch sends user information to the specified RADIUS server and then handles the user according to the information the server returns (admitting the user, or hanging up). The RADIUS server receives user connection requests, authenticates the user, and returns all the required information to the switch.

A RADIUS server usually maintains three databases. The first, "Users", stores user information (user names, passwords, protocols, IP addresses and other configuration). The second, "Clients", stores information about each RADIUS client, including its shared key. The third, "Dictionary", explains the meaning of the attributes and attribute values in the RADIUS protocol.

Basic RADIUS message interaction: the RADIUS client (switch) and the RADIUS server use a shared key to authenticate the messages they exchange. The shared key never travels on the wire: it is mixed into the MD5 Response Authenticator that the client checks on every reply, and into the MD5 keystream that hides the User-Password attribute. Note that this hides only the password; the rest of the packet is sent in the clear, so RADIUS traffic should be confined to a management network or carried over TLS (RadSec, RFC 6614). The RADIUS protocol combines authentication and authorization: the response message carries the authorization information.

The basic interaction steps are as follows:

(1) The user enters a user name and password.

(2) The RADIUS client sends an Access-Request packet carrying the user name and the hidden password to the RADIUS server.

(3) The RADIUS server checks the user information against its Users database. If authentication succeeds it sends an Access-Accept response containing the user's permission information to the RADIUS client; if it fails it returns an Access-Reject.

(4) The RADIUS client admits or rejects the user according to the result. If the user is admitted, the client sends an accounting start request (Accounting-Request with Acct-Status-Type = Start) to the RADIUS server.

(5) The RADIUS server returns an Accounting-Response for the start.

(6) The user begins to access resources.

(7) The RADIUS client sends an accounting stop request (Accounting-Request with Acct-Status-Type = Stop) to the RADIUS server.

(8) The RADIUS server returns an Accounting-Response for the stop.

(9) The user's access to the resource ends.
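The authentication half of that exchange (steps 2 and 3, plus the client's check of the reply), as an added example that is not code from the original article or from any RADIUS product. It models the switch as RADIUS client and a server with a "Users" database, and shows exactly what the shared key does: it hides the User-Password attribute and it keys the Response Authenticator the client verifies. The secret, user database and NAS address are constructed sample values.

```python
"""RADIUS Access-Request / Access-Accept exchange over a shared secret (RFC 2865).

Added example (not code from the article). The switch is the RADIUS client,
the server holds the "Users" database. Secret, users and addresses are
constructed sample values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SHARED_SECRET = b"expert"              # constructed; same value as the article's sample config
USERS_DB = {"alice": "s3cret"}         # the server's "Users" database (constructed)


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs = {}
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        attrs[atype], data = data[2:alen], data[alen:]
    return attrs


def _keystream_xor(data: bytes, secret: bytes, req_auth: bytes, hidden: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    where the first 'previous block' is the Request Authenticator. The chaining
    input is always the ciphertext block, so one routine both hides and reveals."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = block if hidden else xored      # ciphertext block feeds the next step
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a multiple of 16
    return _keystream_xor(padded, secret, req_auth, hidden=False)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _keystream_xor(hidden, secret, req_auth, hidden=True).rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str,
                         nas_ip: str, secret: bytes) -> bytes:
    """Client (switch) side: step (2) of the exchange described above."""
    req_auth = os.urandom(16)          # fresh random Request Authenticator per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet: bytes, secret: bytes) -> bytes:
    """Server side: step (3). Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    pwd = reveal_password(attrs[USER_PASSWORD], secret, req_auth).decode(errors="replace")
    reply_code = ACCESS_ACCEPT if USERS_DB.get(user) == pwd else ACCESS_REJECT
    reply_attrs = b""                  # authorization attributes would be added here
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    return header + hashlib.md5(header + req_auth + reply_attrs + secret).digest() + reply_attrs


def client_verify(request: bytes, reply: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with the outstanding
    request's authenticator; a mismatch means the reply was forged or altered."""
    if reply[1] != request[1]:         # Identifier must match the pending request
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return expected == reply[4:20]


def authenticate(username: str, password: str, secret: bytes = SHARED_SECRET) -> str:
    """One full exchange: returns 'accept', 'reject' or 'bad-authenticator'."""
    request = build_access_request(7, username, password, "10.110.91.1", secret)
    reply = server_handle(request, secret)
    if not client_verify(request, reply, secret):
        return "bad-authenticator"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate("alice", "s3cret"), authenticate("alice", "wrong"))
```

Two things the code makes visible. The password "hiding" is an XOR with an MD5 keystream, not real encryption, and the Response Authenticator is an unkeyed MD5 over the packet plus the secret; an attacker who captures one request/response pair can guess the shared key offline, which is why the key must be long and random (the sample value expert from the configuration above is too weak for production) and why RADIUS should not cross untrusted networks in the clear.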

AAA authentication configuration:

# Configure the AAA authentication mode for Telnet users.

<Quidway> system-view

[Quidway] user-interface vty 0 4

# Use scheme (AAA) authentication on these VTY lines.

[Quidway-ui-vty0-4] authentication-mode scheme

[Quidway-ui-vty0-4] quit

# Create the ISP domain.

[Quidway] domain cams

# Limit the domain to 10 concurrent access users.

[Quidway-isp-cams] access-limit enable 10

[Quidway-isp-cams] quit

# Configure the RADIUS scheme.

[Quidway] radius scheme cams

# Accounting is optional: users are still admitted if the accounting server does not respond.

[Quidway-radius-cams] accounting optional

# Primary authentication server and its UDP port.

[Quidway-radius-cams] primary authentication 10.110.91.164 1812

# Shared key used to authenticate the packets exchanged with the RADIUS server.

[Quidway-radius-cams] key authentication expert

# Server type (standard RADIUS or a Huawei extended RADIUS server).

[Quidway-radius-cams] server-type Huawei

# Send the user name to the server with its domain name attached (user@domain).

[Quidway-radius-cams] user-name-format with-domain

[Quidway-radius-cams] quit

# Associate the domain with the RADIUS scheme.

[Quidway] domain cams

[Quidway-isp-cams] scheme radius-scheme cams

Two practical notes: the shared key expert is a sample value and should be replaced with a long random string that is also configured in the server's Clients database, and with-domain means the server must know the user as user@cams; if it only knows the bare user name, use without-domain.

II. ACL (Access Control List):

To filter packets you configure rules that specify which packets may pass and which may not.

Filtering rules are normally configured with an access control list. ACLs are divided into standard access control lists and extended access control lists. Two details matter in practice: in a wildcard mask a 0 bit must match and a 1 bit is ignored (the inverse of a subnet mask), and rules are evaluated in order with the first matching rule deciding the packet's fate, so the order of the rules changes the result.

1. Standard access control list

acl acl-number [match-order {config | auto}]

rule {normal | special} {permit | deny} [source source-addr source-wildcard | any]

2. Extended access control list

acl acl-number [match-order {config | auto}]

rule {normal | special} {permit | deny} protocol-number [source source-addr source-wildcard | any] [source-port operator port1 [port2]] [destination dest-addr dest-wildcard | any] [destination-port operator port1 [port2]] [icmp-type icmp-type icmp-code] [logging]

protocol-number is the protocol carried in IP. It is given as a number in the range 0 to 255, or as one of the keywords icmp, igmp, ip, tcp, udp, gre and ospf.

The command takes different parameters depending on the protocol:

(1) For ICMP the command format is:

rule {normal | special} {permit | deny} icmp [source source-addr source-wildcard | any] [destination dest-addr dest-wildcard | any] [icmp-type icmp-type icmp-code] [logging]

(2) For IGMP, IP, GRE and OSPF the command format is:

rule {normal | special} {permit | deny} {ip | ospf | igmp | gre} [source source-addr source-wildcard | any] [destination dest-addr dest-wildcard | any] [logging]

(3) For TCP or UDP the command format is:

rule {normal | special} {permit | deny} {tcp | udp} [source source-addr source-wildcard | any] [source-port operator port1 [port2]] [destination dest-addr dest-wildcard | any] [destination-port operator port1 [port2]] [logging]

Only TCP and UDP rules take a port specification. The supported operators and their syntax are:

equal port-number: equal to port-number

greater-than port-number: greater than port-number

less-than port-number: less than port-number

not-equal port-number: not equal to port-number

range port-number1 port-number2: between port-number1 and port-number2, inclusive

For port-number, common well-known ports can be given by their mnemonic names instead of the number.
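A small model of how these rules are matched, added here as an example; it is not code from the article or from any switch vendor. It implements the wildcard-mask comparison and first-match evaluation for the rule forms above, and contrasts match-order config (rules in the order written) with match-order auto, which this example models as "rule with the most fixed wildcard bits first", an assumption about depth-first ordering that you should confirm against your platform's documentation. The rules, packets and addresses are constructed samples.

```python
"""Model of wildcard-mask ACL matching and rule order.

Added example, not code from the article or from any vendor. `match-order auto`
is modeled as most-specific-rule-first (assumption). The no-match default action
is platform-dependent, so it is a parameter. Rules and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # all wildcard bits set: matches every address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits that are 0 in the wildcard (1 bits are don't-care)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    proto: str = "ip"                             # "ip" matches any protocol
    src: Tuple[str, str] = ANY                    # (base address, wildcard)
    dst: Tuple[str, str] = ANY
    dport: Optional[Tuple[str, int, int]] = None  # (operator, port1, port2), tcp/udp only

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not (wildcard_match(pkt["src"], *self.src) and wildcard_match(pkt["dst"], *self.dst)):
            return False
        if self.dport is None:
            return True
        op, p1, p2 = self.dport
        port = pkt.get("dport", -1)
        return {"equal": port == p1, "greater-than": port > p1, "less-than": port < p1,
                "not-equal": port != p1, "range": p1 <= port <= p2}[op]


def specificity(rule: Rule) -> int:
    """Number of fixed (zero) wildcard bits across source and destination."""
    return sum(bin(~int(ipaddress.IPv4Address(w)) & 0xFFFFFFFF).count("1")
               for _, w in (rule.src, rule.dst))


def evaluate(rules: List[Rule], pkt: Dict, match_order: str = "config",
             default: str = "deny") -> str:
    """Action of the first matching rule; `default` applies when nothing matches."""
    if match_order == "auto":
        rules = sorted(rules, key=specificity, reverse=True)   # stable sort: ties keep config order
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed sample: an ACL written with the broad rule first.
ACL_3001 = [
    Rule("permit", "tcp", dport=("equal", 80, 0)),        # web traffic to anywhere
    Rule("deny", "ip", src=("10.1.1.0", "0.0.0.255")),    # block the guest subnet
]
WEB_FROM_GUEST = {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.10", "dport": 80}

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(ACL_3001, WEB_FROM_GUEST, order))
```

With the two sample rules, a web request from the guest subnet is permitted under config order (the broad permit is hit first) and denied under auto order (the /24 deny is more specific and is tried first). That is the check to run before trusting an ACL: decide the intended order, then test a packet that matches more than one rule.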

 

III. NAT (Network Address Translation):

Network Address Translation (NAT) is a technology used at the WAN edge to translate private (reserved) addresses into valid public IP addresses; it is widely used in all kinds of Internet access methods and networks. The reasons: NAT effectively relieves the shortage of IP addresses, and by hiding the internal addressing it also protects internal computers from some attacks from outside the network. That protection is incidental, however: a NAT device drops unsolicited inbound packets only because no translation exists for them, and it does not inspect traffic, so it complements rather than replaces ACLs or a firewall.

 

NAT can be implemented in three ways: static NAT, dynamic NAT, and Network Address Port Translation (NAPT).

Static translation maps a private IP address of the internal network to a public IP address one-to-one, and the mapping does not change: a given private address is always translated to the same public address. Static translation lets external networks reach specific devices (such as servers) in the internal network.

Dynamic translation maps internal private addresses to public addresses drawn from a pool, so the public address a host receives is not fixed: any private address authorized to reach the Internet may be translated to any of the designated legal addresses. You only specify which internal addresses may be translated and which legal addresses may be used as external addresses; several pools of valid external addresses can be used. Dynamic translation suits the case where the ISP provides slightly fewer valid IP addresses than there are computers in the network.

Network Address Port Translation (NAPT) additionally rewrites the source port of outgoing packets, that is, it performs port translation (port address translation). Through port multiplexing, all hosts in the internal network can share one valid external IP address to access the Internet, which saves address space to the greatest extent. At the same time all internal hosts are hidden, which helps block attacks from the Internet. Port multiplexing is therefore the most widely used form of NAT.
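A toy NAPT table, added as an example that is not code from the article or from any NAT implementation. It models the three statements above: every inside host appears as the one public address, a published server is reachable through a static entry, and inside hosts are otherwise hidden because an outside packet is forwarded only when it matches a mapping created by outbound traffic. Dynamic mappings are assumed to be address-and-port restricted (only the outside peer the inside host contacted may use the mapping); some devices use looser full-cone mappings, which expose the mapped port to any outside host. All addresses and ports are constructed samples.

```python
"""Toy NAPT (port address translation) table.

Added example, not code from the article or from any vendor's NAT. Dynamic
mappings are address-and-port restricted (assumption). Addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]                  # (ip address, port)
Packet = Tuple[Endpoint, Endpoint]          # (source, destination)


@dataclass
class Napt:
    public_ip: str
    next_port: int = 1024                   # first public port handed out
    # dynamic mappings: (inside endpoint, outside peer) -> public port, and the reverse
    out_map: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    in_map: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    # static server publishing: public port -> inside endpoint (any outside peer allowed)
    static: Dict[int, Endpoint] = field(default_factory=dict)

    def add_static(self, public_port: int, inside: Endpoint) -> None:
        self.static[public_port] = inside

    def _alloc_port(self) -> int:
        while self.next_port in self.static or self.next_port in self.in_map:
            self.next_port += 1             # never reuse a port that is already bound
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_out(self, pkt: Packet) -> Packet:
        """Inside -> outside: the source becomes (public_ip, public port). The
        mapping is created by the first packet of a flow and reused afterwards."""
        src, dst = pkt
        key = (src, dst)
        if key not in self.out_map:
            port = self._alloc_port()
            self.out_map[key] = port
            self.in_map[port] = (src, dst)
        return ((self.public_ip, self.out_map[key]), dst)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Returns the rewritten packet, or None when it must be
        dropped: not our public address, no mapping for that port, or a dynamic
        mapping used by a peer other than the one the inside host talked to."""
        src, dst = pkt
        ip, port = dst
        if ip != self.public_ip:
            return None
        if port in self.static:
            return (src, self.static[port])
        entry = self.in_map.get(port)
        if entry is None or entry[1] != src:
            return None
        return (src, entry[0])


if __name__ == "__main__":
    nat = Napt("203.0.113.1")                       # constructed public address
    nat.add_static(443, ("192.168.1.10", 443))      # published HTTPS server
    print(nat.translate_out((("192.168.1.20", 51000), ("198.51.100.5", 80))))
    print(nat.translate_in((("198.51.100.9", 4444), ("203.0.113.1", 3389))))   # dropped: None
```

The last line is the "hiding" property in one call: a scan from the outside against the public address hits only ports that are statically published or currently in use by an outbound flow, and for the latter only from the peer that flow is talking to.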

 

IV. VLAN Division

A VLAN (Virtual Local Area Network) is a technology that divides the devices in a LAN into network segments logically rather than physically. VLAN tagging was standardized by the IEEE as 802.1Q (approved in 1998 and published in 1999).

VLAN technology lets a network administrator divide a physical LAN logically into different broadcast domains (VLANs), each containing a group of workstations with the same requirements as a physical LAN segment. Because the division is logical rather than physical, workstations in the same VLAN need not be in the same physical location or on the same physical LAN segment. Broadcast and unicast traffic in one VLAN is not forwarded to other VLANs, which controls traffic, reduces equipment investment, simplifies network management and improves security. Because VLANs isolate broadcast domains, hosts in different VLANs cannot talk to each other at Layer 2, which gives a degree of security; traffic between VLANs has to pass through a router or Layer 3 switch, where an ACL can control it.

V. Port Isolation

With the port isolation feature, the ports to be controlled are added to an isolation group; ports in the group are isolated from each other for Layer 2 and Layer 3 traffic, which improves network security and allows flexible networking. On the device described here only one isolation group can be configured, and the number of Ethernet ports in the group is unlimited.

VI. IPsec

IPsec (Internet Protocol Security) is not a single protocol but a complete framework for securing IP traffic at the network layer. It comprises the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, the Internet Key Exchange (IKE) protocol, and the algorithms used for authentication and encryption. AH and ESP provide the security services; IKE negotiates and exchanges keys. IPsec was developed by the IETF (Internet Engineering Task Force) and provides the communicating parties with access control, connectionless integrity, data origin authentication, anti-replay protection, confidentiality (encryption) and limited traffic-flow confidentiality.

IPsec is a security mechanism at the network layer. By protecting the IP packets exchanged between peers it actively defends private networks and Internet links, and upper-layer applications benefit from that protection automatically even when they implement no security of their own.

IPsec security features:

1. Non-repudiation: non-repudiation proves that the sender is the only party that could have sent a message, so the sender cannot deny having sent it. It is a property of public key technology: the sender creates a digital signature with its private key and sends it with the message, and the receiver verifies the signature with the sender's public key. In theory only the sender holds the private key and only the sender can produce the signature, so once the signature verifies the sender cannot deny sending the message. Non-repudiation is not a property of shared-key authentication, because there the sender and receiver hold the same key. Note that AH and ESP themselves authenticate packets with a key shared by both peers, so they do not give non-repudiation of individual packets; only IKE peer authentication with digital signatures (certificates) has that property.

2. Anti-replay: when the IPsec receiver gets a packet it checks the 32-bit, monotonically increasing sequence number in the AH or ESP header. The sender starts at 1 and never reuses a value within one security association, so each packet is uniquely identified; the receiver keeps a sliding window and rejects packets that are duplicates or too old. This stops an attacker who captured packets from replaying them to gain access, even months later.

3. Data integrity: the receiver verifies every packet with a keyed hash (HMAC) built on MD5 or SHA-1, which detects tampering in transit and so guarantees integrity and consistency of the data. The hash produces an Integrity Check Value (ICV) that is carried in the packet; the receiver recomputes the ICV before processing the packet and discards any packet whose ICV does not match. HMAC-MD5 and HMAC-SHA-1 are legacy algorithms; current guidance (RFC 8221) is HMAC-SHA-256 or an AEAD cipher such as AES-GCM.

4. Confidentiality (encryption): the sender encrypts the data with DES, 3DES or AES before transmission, so an intercepted packet cannot be read. This service is optional in IPsec and depends on the policy (AH provides no encryption at all). DES is no longer considered secure and AES should be used.

5. Data origin authentication: the receiver authenticates the sender of each IPsec packet. The peers themselves are authenticated during IKE with a pre-shared key, certificates, or Kerberos v5.

IPsec's two security protocols:

1. AH (Authentication Header, IP protocol number 51, rarely used) provides data origin authentication, data integrity verification and anti-replay protection. It protects communication from tampering but not from eavesdropping, so it suits non-confidential data. AH inserts an authentication header after the standard IP header of every packet to protect the integrity of the data. The optional authentication algorithms are MD5 (Message Digest) and SHA-1 (Secure Hash Algorithm); MD5 is faster, SHA-1 is stronger, and both are legacy choices today.

2. ESP (Encapsulating Security Payload, IP protocol number 50) provides encryption, data origin authentication, data integrity verification and anti-replay protection. ESP inserts an ESP header after the standard IP header of every packet and appends an ESP trailer (and the ICV) after the payload. Unlike AH, ESP encrypts the user data before encapsulating it in the IP packet, which gives confidentiality. The common encryption algorithms are DES, 3DES and AES; optionally MD5 or SHA-1 can be selected to ensure the integrity and authenticity of the packets. In order of security the three ciphers rank AES, 3DES, DES. The stronger algorithms are more complex and slower; DES was once considered adequate for general use, but its 56-bit key can be brute-forced and it should no longer be used, and 3DES is also deprecated, so AES is the practical choice.

IPsec's two working modes:

1. Tunnel mode: the user's entire IP packet is used to compute the AH or ESP header, and the AH or ESP header together with the (ESP-encrypted) user data is encapsulated in a new IP packet with a new outer header. Tunnel mode is normally used for communication between two security gateways.

2. Transport mode: only the transport-layer data is used to compute the AH or ESP header, and the AH or ESP header together with the (ESP-encrypted) user data is placed after the original IP header. Transport mode is normally used for communication between two hosts, or between a host and a security gateway.

(Figure: data encapsulation in tunnel and transport modes; the image is not included here.)
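The two encapsulations, together with the receiver-side checks described under anti-replay and data integrity above, as an added example; it is not code from the article or from any IPsec implementation. To keep the byte layout readable it uses ESP with NULL encryption (RFC 2410), so the payload is authenticated but not encrypted, with HMAC-SHA-256 truncated to 128 bits as the integrity algorithm. The IPv4 header is a simplified 20-byte stand-in with only length, protocol, source and destination filled in; the receiver verifies the ICV before it touches the replay window, so a forged packet can never advance the window. Keys and addresses are constructed.

```python
"""ESP encapsulation in transport and tunnel mode, with ICV check and
anti-replay window on the receiver.

Added example, not code from the article or from any IPsec stack. ESP with
NULL encryption (RFC 2410) and HMAC-SHA-256-128; simplified IPv4 headers;
constructed keys and addresses.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional, Tuple

ESP_PROTO = 50          # IP protocol number of ESP (AH is 51)
IPIP_PROTO = 4          # Next Header value for an inner IPv4 packet (tunnel mode)
ICV_LEN = 16            # HMAC-SHA-256 truncated to 128 bits
WINDOW = 64             # replay window size in packets


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def ip_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Simplified IPv4 header: version/IHL, TOS, total length, id, flags/offset,
    TTL, protocol, checksum (left 0), source, destination."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def esp_encapsulate(key: bytes, spi: int, seq: int, inner: bytes, mode: str,
                    outer: Optional[Tuple[bytes, bytes]] = None) -> bytes:
    """Build `IP | ESP header (SPI, seq) | payload | padding | pad len | next hdr | ICV`.
    tunnel:    payload is the whole inner packet, new outer header built from `outer`.
    transport: payload is only the transport data, the original header is kept."""
    hdr, data = inner[:20], inner[20:]
    if mode == "tunnel":
        payload, next_hdr = inner, IPIP_PROTO
        src, dst = outer
    else:
        payload, next_hdr = data, hdr[9]          # hdr[9] = original transport protocol
        src, dst = hdr[12:16], hdr[16:20]
    pad_len = (-(len(payload) + 2)) % 4           # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return ip_header(src, dst, ESP_PROTO, len(body) + ICV_LEN) + body + icv


class EspReceiver:
    """One inbound SA: key, SPI and the anti-replay state (RFC 4303 3.4.3)."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set <=> sequence number (top - i) already seen

    def _replay_check(self, seq: int) -> bool:
        if seq == 0:                                       # the sender starts at 1
            return False
        if seq > self.top:                                 # right of the window: slide it
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= WINDOW or (self.bitmap >> diff) & 1:    # too old, or a duplicate
            return False
        self.bitmap |= 1 << diff
        return True

    def decapsulate(self, pkt: bytes) -> Tuple[str, Optional[bytes]]:
        """Returns ('tunnel'|'transport', data) or ('drop: <reason>', None)."""
        hdr, esp = pkt[:20], pkt[20:]
        if hdr[9] != ESP_PROTO:
            return ("drop: not ESP", None)
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):         # integrity first, constant-time
            return ("drop: ICV mismatch", None)
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            return ("drop: unknown SPI", None)
        if not self._replay_check(seq):
            return ("drop: replayed or stale sequence number", None)
        pad_len, next_hdr = body[-2], body[-1]
        payload = body[8:len(body) - 2 - pad_len]
        if next_hdr == IPIP_PROTO:
            return ("tunnel", payload[20:])                # strip the inner IP header
        return ("transport", payload)
```

Comparing the two outputs of esp_encapsulate for the same inner packet shows the difference the text describes: the tunnel-mode packet carries the gateways' addresses on the outside and the original header inside the protected payload, while the transport-mode packet keeps the hosts' own addresses visible and protects only the transport data. Replaying either packet a second time is dropped by the window, and flipping one payload byte is dropped by the ICV check before the window is consulted.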

 

 


 

Encryption algorithms and authentication algorithms:

1. Authentication algorithms

Both AH and ESP can verify the integrity of IP packets to determine whether they were tampered with in transit. The verification is implemented with a hash function: an algorithm that accepts an input message of any length and produces a fixed-length output called the message digest. IPsec generally uses two authentication algorithms:

MD5: takes a message of any length and produces a 128-bit message digest.

SHA-1: takes a message shorter than 2^64 bits and produces a 160-bit message digest. SHA-1 is considered safer than MD5 because its digest is longer. Both are now obsolete for new deployments; use the SHA-2 family.

2. Encryption algorithms

ESP can encrypt the contents of IP packets to prevent them from being read in transit. Encryption uses a symmetric-key system, in which the same key encrypts and decrypts the data.

StoneOS implements three encryption algorithms:

DES (Data Encryption Standard): encrypts each 64-bit block of plaintext with a 56-bit key.

3DES (Triple DES): encrypts the plaintext with three 56-bit DES keys (168 bits of key in total, with an effective strength of about 112 bits).

AES (Advanced Encryption Standard): StoneOS implements AES with 128-bit, 192-bit and 256-bit key lengths.

IPsec basic configuration:

1. Create the encryption access control list (it selects the traffic to protect):

acl acl-number

rule {normal | special} {permit | deny} protocol-number [source source-addr source-wildcard | any] [source-port operator port1 [port2]] [destination dest-addr dest-wildcard | any] [destination-port operator port1 [port2]] [icmp-type icmp-type icmp-code] [logging]

2. Define the security proposal:

ipsec proposal proposal-name

encapsulation-mode {transport | tunnel}

transform {ah-new | ah-esp-new | esp-new}

Then, within the proposal, select the encryption algorithm and the authentication algorithm for the ESP protocol, and the authentication algorithm for the AH protocol.

3. Create the security policy.

A manually keyed security policy requires:

ipsec policy policy-name sequence-number manual

security acl access-list-number (the access control list referenced by the policy)

tunnel local ip-address (start point of the security tunnel)

tunnel remote ip-address (end point of the security tunnel)

proposal proposal-name (the security proposal referenced by the policy)

Security association SPI and keys:

sa inbound {ah | esp} spi spi-number

sa outbound {ah | esp} spi spi-number

sa {inbound | outbound} ah hex-key-string hex-key (AH key in hexadecimal)

sa {inbound | outbound} ah string-key string-key (AH key as a character string)

sa {inbound | outbound} esp encryption-hex hex-key (ESP key in hexadecimal)

sa {inbound | outbound} esp string-key string-key (ESP key as a character string)

An IKE-negotiated security policy requires:

ipsec policy policy-name sequence-number isakmp

security acl access-list-number (the access control list referenced by the policy)

tunnel remote ip-address (end point of the security tunnel)

proposal proposal-name1 [proposal-name2 ... proposal-name6] (the security proposals referenced by the policy)

Security association lifetime (optional):

ipsec sa global-duration time-based seconds (global setting)

ipsec sa global-duration traffic-based kilobytes (global setting)

sa duration {time-based seconds | traffic-based kilobytes} (per policy)

4. Apply the security policy group to the interface:

ipsec policy policy-name

Prefer the IKE-negotiated form: manually keyed security associations use the same keys until someone changes them, have no automatic rekeying or lifetime, and cannot safely use anti-replay across a reboot because the sequence number restarts while the key stays the same.

 

In addition, MAC address binding can provide a measure of security, although a MAC address is trivially changed by the host that owns it, so binding should not be relied on by itself.
