Huawei Smart University Exit Security Solution (3)

This article continues from:
https://qiuhualin.blog.csdn.net/article/details/133267254?spm=1001.2014.3001.5502
It focuses on the deployment process for attack defense, security operation and maintenance, and log auditing in Huawei's smart university exit security solution.

Course address

The course resources related to this solution have been released in the Huawei O3 community. To watch the video, follow the steps below (a Huawei account is required; an ordinary personal account is enough~)

Course address:

  1. Copy the link https://o3community.huawei.com/ to enter the Huawei O3 community;
  2. Click "Training Empowerment > Guided Learning";
  3. Select "Huawei Intelligent University Exit Security Solution" in the guided course to see the relevant content of the course.
    The video is explained by me. The course includes the solution explanation and solution-related technical documents. If you have any questions during the learning process, you can leave a message below the video course or in the comment area of this article for discussion~

Attack defense deployment

Attack defense deployment process

Intrusion prevention deployment:

  • Configure the intrusion prevention function on the firewall device to protect campus servers from network intrusions, effectively ensure the security of the university network, and protect teaching and scientific research information.

Anti-virus deployment:

  • Configure the anti-virus function on the firewall device to stop virus-infected files when users download files from the external network or upload files to school servers, which would otherwise disrupt the normal operation of the servers and affect the university's business.

APT defense deployment:

  • Deploy sandbox devices to detect suspicious files, and notify the firewall device of the detection results through linkage with the firewall device to defend against unknown attacks and threats.

DDoS defense deployment:

  • Deploy anti-DDoS devices in direct transparent mode outside the egress firewall, and configure traffic cleaning policies to clean abnormal traffic to avoid DDoS attacks on the school's public website.

Intrusion prevention deployment

Configure the intrusion prevention function on the firewall device to detect intrusions (including buffer overflow attacks, Trojans, worms, etc.) by analyzing network traffic, and stop the intrusion in real time through a configured response action, so that the university information system and network architecture are protected from being compromised.

The detailed steps for intrusion prevention deployment are as follows:
[Figure: detailed intrusion prevention deployment steps]

Anti-virus deployment

The anti-virus function on the firewall device relies on a large and constantly updated virus signature database to protect the network effectively, preventing virus files from compromising system data and affecting the normal teaching and research work of the university.

The specific deployment steps of the anti-virus function are as follows:
[Figure: detailed anti-virus deployment steps]

APT defense deployment

An APT is an attack mode that carries out long-term, persistent network attacks against specific targets. It is characterized by persistence, precise targeting, stealth and the use of unknown techniques. The more effective defense approach against such attacks is:

  • Construct an isolated threat detection environment through sandbox devices;
  • Send suspicious files to the sandbox for detection and finally give a conclusion on whether there is a threat;
  • If the sandbox detects that a file is malicious, the firewall refreshes the malicious file list cached by the device based on the detection results;
  • When subsequent traffic carrying a file with the same characteristics hits the malicious file list, it is blocked directly.

The overall steps of APT defense deployment are as follows:

  • Log in to the sandbox device and export its certificate, which the firewall will use as verification credentials;
  • Log in to the firewall device and import the sandbox certificate into the firewall as a CA certificate;
  • Configure security policies on the firewall to ensure that the firewall and sandbox can communicate normally;
  • Perform the sandbox linkage configuration on the firewall side;
  • Create an APT defense profile on the firewall;
  • Reference the anti-virus profile in the firewall security policy and submit the configuration;
  • Log in to the sandbox and configure the firewall as a linkage device;
  • Check the sandbox connection result on the firewall's sandbox linkage configuration interface.
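The sandbox-firewall linkage described above (suspicious files go to the sandbox, verdicts refresh the malicious file list cached on the firewall, and later copies are blocked from the cache), modelled as an added example that is not the vendor's code. The sandbox detection rule, the sample files and the assumption that an unknown file is forwarded while its verdict is pending are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
# Constructed sample "files" crossing the firewall: plain bytes, not real malware.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4 benign invoice content",
    "update.exe": b"MZ constructed suspicious payload bytes",
}

def file_fingerprint(content: bytes) -> str:
    """Fingerprint a file by SHA-256 so later copies with the same bytes hit the cache."""
    return hashlib.sha256(content).hexdigest()

class Sandbox:
    """Stand-in for the isolated sandbox device; its detection rule (a set of known-bad
    fingerprints) is a constructed placeholder, not the vendor's detection engine."""
    def __init__(self, known_bad: set):
        self.known_bad = known_bad
        self.submissions = 0  # how many files actually needed sandbox analysis

    def analyze(self, content: bytes) -> str:
        self.submissions += 1
        return "malicious" if file_fingerprint(content) in self.known_bad else "clean"

@dataclass
class Firewall:
    sandbox: Sandbox
    malicious_cache: set = field(default_factory=set)  # malicious file list refreshed from the sandbox
    clean_cache: set = field(default_factory=set)
    blocked: list = field(default_factory=list)

    def inspect(self, name: str, content: bytes) -> str:
        fp = file_fingerprint(content)
        if fp in self.malicious_cache:
            self.blocked.append(name)  # cache hit: block directly, no sandbox round trip
            return "blocked"
        if fp in self.clean_cache:
            return "allowed"
        # Unknown file: assumed here to be forwarded while the sandbox verdict is pending;
        # the verdict refreshes the cache so the next copy is decided locally.
        verdict = self.sandbox.analyze(content)
        (self.malicious_cache if verdict == "malicious" else self.clean_cache).add(fp)
        return "allowed"

def run_linkage_demo() -> dict:
    """Push each sample file through the firewall twice and report the decisions."""
    sandbox = Sandbox(known_bad={file_fingerprint(SAMPLE_FILES["update.exe"])})
    fw = Firewall(sandbox)
    decisions = {n: [fw.inspect(n, d) for _ in range(2)] for n, d in SAMPLE_FILES.items()}
    return {"decisions": decisions, "submissions": sandbox.submissions, "blocked": fw.blocked}
```

The second copy of the malicious sample is blocked without a second sandbox submission, which is the point of caching the verdict on the firewall.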

DDoS defense deployment

A DDoS attack is a type of network attack that uses a large number of terminals or network devices to make large-scale requests to the target system, causing the target system to be unable to respond to legitimate requests or crash. It poses a great threat to public websites of universities and related servers.

The defense ideas against such attacks are:

  • Deploy direct-connect transparent mode Anti-DDoS devices outside the egress firewall;
  • Configure and issue traffic cleaning policies on the SecoManager side to clean abnormal traffic;
  • Enable the baseline learning function on the SecoManager side to optimize defense thresholds in real time to avoid misjudgments.

The deployment steps on the Anti-DDoS device side are as follows:

  • Configure the uplink and downlink service interfaces to work at layer 2;
  • Add the service interfaces to the relevant security zones;
  • Enable all inter-zone security policies so that interaction packets are not restricted by security policies;
  • Configure the management port IP address and log port IP address used for communication with the management center;
  • Configure the STelnet function so that the management center can obtain the status of the cleaning device;
  • Configure the SNMP function so that the management center can scan, discover and add the cleaning device;
  • Enable the traffic statistics function on the inbound traffic interface and enable the traffic cleaning function.

The deployment steps on the SecoManager side are as follows:

  • Log in to the management center and change the initial password;
  • Create the cleaning device, set its network parameters, and complete the connection to the Anti-DDoS device;
  • Create a protection object and set the school's public server as a protection object;
  • Configure corresponding defense strategies and reasonably set defense thresholds and strategies based on business needs;
  • Turn on the baseline learning function and optimize and adjust the defense threshold in real time.

Security operation and maintenance and log audit

Security operation and maintenance

SecoManager is a security controller launched by Huawei. Using SecoManager to manage firewalls can achieve unified orchestration and management of security policies, from single-point defense to network-wide coordinated defense, to resist various network threats.

When SecoManager manages firewalls, you need to pay attention to the following points:

  • This solution adopts dual-machine hot standby network deployment, and both the active and standby firewalls need to be added to the SecoManager device list.
  • When configuring device management parameters, you need to ensure that the SNMP Trap source address on the firewall device side is consistent with the management IP of the managed device. Otherwise, the controller cannot associate alarms to the device.
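A pre-onboarding check for the two points above (both firewalls of the hot-standby pair present in the SecoManager device list, and each firewall's SNMP Trap source address equal to its management IP on the controller), as an added example that is not part of the original post or of Huawei's tooling. The hostnames and addresses are constructed sample data; in practice they would be read from the firewall and controller configuration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FirewallTrapConfig:
    hostname: str
    trap_source_ip: str  # source address the firewall stamps on SNMP traps
    role: str            # "active" or "standby" in the hot-standby pair

# Constructed sample data: one hot-standby pair and SecoManager's managed-device list
# (hostname -> management IP). The standby unit has not been added yet.
FIREWALLS = [
    FirewallTrapConfig("FW-A", "10.1.1.1", "active"),
    FirewallTrapConfig("FW-B", "10.1.1.2", "standby"),
]
SECOMANAGER_DEVICES = {"FW-A": "10.1.1.1"}

def check_onboarding(firewalls, managed) -> list:
    """Return one finding per problem; an empty list means the pair is ready to manage."""
    findings = []
    roles = {fw.role for fw in firewalls}
    for role in ("active", "standby"):
        if role not in roles:
            findings.append(f"no {role} firewall defined in the pair")
    for fw in firewalls:
        mgmt_ip = managed.get(fw.hostname)
        if mgmt_ip is None:
            findings.append(f"{fw.hostname} ({fw.role}) is not in the SecoManager device list")
        elif mgmt_ip != fw.trap_source_ip:
            # Mismatch means the controller cannot associate incoming alarms with the device.
            findings.append(
                f"{fw.hostname}: trap source {fw.trap_source_ip} != management IP {mgmt_ip}; "
                "alarms will not associate"
            )
    return findings

if __name__ == "__main__":
    for finding in check_onboarding(FIREWALLS, SECOMANAGER_DEVICES):
        print("FINDING:", finding)
```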

Firewall device side configuration steps:

  • Time synchronization: configure time zone, date, system time and other parameters to ensure synchronization with the controller;
  • Configure security policy: allow local traffic from the firewall to SecoManager to ensure that the firewall can report alarms to SecoManager;
  • Configure SNMP: Configure the firewall SNMP Agent to ensure that it is consistent with the protocol version and authentication parameters on the controller side, and ensure that the controller can connect to the firewall;
  • Configure NETCONF: Set the northbound management IP, protocol type, NETCONF port and other parameters to ensure that the controller can deliver the configuration to the device side;
  • Create a management account for the controller on the device side, and set the corresponding service type and authentication type.

SecoManager side configuration steps:

  • Load the License: The number of managed functional modules and loadable resource items in SecoManager is controlled by the License. To manage the equipment, you need to apply for and load the corresponding License;
  • Add a device: Set the device discovery type to "SNMP", configure relevant parameters (consistent with the device side parameters), scan and discover the device and add it;
  • Active and standby difference discovery: Use the active and standby difference check function to check whether the configurations of the active and standby devices in dual-system hot standby are consistent. If they are inconsistent, synchronization operations can be performed to ensure that the configurations of the active and standby devices are consistent;
  • Immediate difference discovery: If the administrator configures the device offline, there will be difference data between the device and SecoManager. The administrator can perform the immediate difference discovery task and synchronize the data;
  • Scheduled difference discovery: SecoManager performs difference discovery according to a set time period, so that difference data is discovered promptly and the administrator can synchronize the relevant configurations in a timely manner;
  • Policy consistency: After policy consistency is turned on, SecoManager automatically redeploys any differing orchestration policies during difference discovery, taking the controller's configuration as authoritative.

Log audit

LogAuditor is Huawei's log audit product. Based on the log collection and audit analysis functions of LogAuditor, university network administrators can perform correlation analysis, behavioral evidence collection, operation replay and intelligent decision-making, helping the university network improve security, optimize network performance, refine management and improve user satisfaction.
The log sources that LogAuditor can support include: security log sources, application log sources, host log sources, audit log sources and network log sources.

This solution takes the firewall device outputting security logs to LogAuditor as an example. The specific configuration and deployment are as follows:

  • Turn off the Syslog receiving SSL configuration option on the LogAuditor side;
  • Save the above configuration on the LogAuditor side and restart;
  • After restarting LogAuditor, set the firewall device parameters in the "Asset Management" module and add the firewall as the log source device.


This ends the solution blog series~

Origin blog.csdn.net/qq_37633855/article/details/133272149