
CLI: Example for Configuring IDS Interworking with the NIP

This example describes the typical networking and the configuration method for IDS interworking.

Networking Requirements

The FW and the IDS (an NIP in this example) work together to protect the intranet, as shown in Figure 1.

The NIP records network events in real time, including attacks and abnormal behavior (such as worms and Trojan horses), unusual network access, and misuse and abuse of network services. When the NIP detects an attack or unusual behavior, it delivers the attack information to the FW, and the FW blocks the attack traffic.

Figure 1 Typical IDS interworking configuration

Data Planning

Item: FW
Data:
  • Interface: GigabitEthernet 0/0/1 is connected to the NIP.
  • IP address: 192.168.5.2/24
  • Security zone: Trust

Item: NIP
Data:
  • IP address: 192.168.5.1/24
  • Port: 30000
  • Authentication method: AES256
  • Authentication key: Admin@123

Configuration Roadmap

  1. Specify interface IP addresses and assign the interfaces to security zones.
  2. Configure a security policy.
  3. Specify the interface IP addresses of the IDS.
  4. Specify the port for the FW to communicate with the NIP.
  5. Configure the authentication method and key for the FW.
  6. Enable the interworking between the FW and the IDS.
  7. Configure the NIP.

Procedure

  1. Configure port mirroring on Switch_1.

    A Huawei S5300 switch is used as an example to illustrate how to configure port mirroring. For the configuration of other functions, refer to the product documentation of the S5300 switch.

    1. Configure port GigabitEthernet 0/0/2 as a mirroring port.

      <Switch_1> system-view
      [Switch_1] observe-port 1 interface GigabitEthernet 0/0/2

    2. Configure port GigabitEthernet 0/0/1 as a mirrored port.

      [Switch_1] interface GigabitEthernet 0/0/1
      [Switch_1-GigabitEthernet 0/0/1] port-mirroring to observe-port 1 both
      [Switch_1-GigabitEthernet 0/0/1] quit

  2. Configure the FW.
    1. Complete the basic configurations of the FW.

      # Configure the IP address of GigabitEthernet 0/0/1.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet 0/0/1] ip address 192.168.5.2 24
      [FW-GigabitEthernet 0/0/1] quit

      # Add GigabitEthernet 0/0/1 to the Trust zone.

      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/1
      [FW-zone-trust] quit

    2. Configure security policies to permit traffic as desired.

      # Configure the Trust-to-Local interzone security policy to allow the IDS to access the local zone and instruct the FW to take actions.

      [FW] security-policy
      [FW-policy-security] rule name abc
      [FW-policy-security-rule-abc] source-zone trust
      [FW-policy-security-rule-abc] destination-zone local
      [FW-policy-security-rule-abc] source-address 192.168.5.1 24
      [FW-policy-security-rule-abc] action permit
      [FW-policy-security-rule-abc] quit

    3. Enable the blacklist function.

      # Enable the blacklist function.

      [FW] firewall blacklist enable

    4. Complete the interworking configuration.

      # Specify the interface IP addresses of the IDS.

      [FW] firewall ids client 192.168.5.1

      # Specify the port for the FW to communicate with the IDS.

      [FW] firewall ids port 30000

      # Configure the authentication method and key for the FW.

      [FW] firewall ids authentication type aes256 key Admin@123

      The IDS IP address, port number, authentication method, and authentication key specified on the FW must match those configured on the IDS.

      # Enable the interworking between the FW and the IDS.

      [FW] firewall ids enable

  3. Configure the NIP.

    Specify the IP address of the FW as 192.168.5.2, port number as 30000, authentication method as AES256, and authentication key as Admin@123.

Configuration Scripts

Configuration script of the FW:

#
 firewall ids authentication type aes256 key %$%$!^8fKr$NsR&Vql.7E`mIjJA8%$%$
 firewall ids client 192.168.5.1
 firewall ids port 30000
 firewall ids enable
#
interface GigabitEthernet 0/0/1
ip address 192.168.5.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/1
#
security-policy
  rule name abc
    source-zone trust
    destination-zone local
    source-address 192.168.5.1 24
    destination-address any
    service any
    user any
    application any
    time-range any
    action permit
#
firewall blacklist enable
#
return
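The following Python script is an added example (not Huawei code) that audits an FW configuration script of the form shown above against the data plan: it parses the '#'-separated blocks, the firewall ids lines and the indented security-policy rule tree, then checks that the IDS client address, port and authentication type match the plan, that a key is present, that interworking and the blacklist are enabled, and that a permit rule to the Local zone actually covers the IDS address (including the case where the rule uses a network mask such as "192.168.5.1 24"). The sample script, the PLAN dictionary and all function names are constructed for this example; the authentication key appears only in its encrypted form, so the script checks its presence and cipher type, not its value.

```python
# Added example, not Huawei code: audit an FW configuration script for the IDS
# interworking settings of this page. The key is stored encrypted (%$%$...%$%$)
# in the script, so only its presence and the cipher type are checked.
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the FW script from this page, abridged to the lines the audit reads.
SAMPLE_SCRIPT = """\
#
 firewall ids authentication type aes256 key %$%$!^8fKr$NsR&Vql.7E`mIjJA8%$%$
 firewall ids client 192.168.5.1
 firewall ids port 30000
 firewall ids enable
#
interface GigabitEthernet 0/0/1
ip address 192.168.5.2 255.255.255.0
#
security-policy
  rule name abc
    source-zone trust
    destination-zone local
    source-address 192.168.5.1 24
    action permit
#
firewall blacklist enable
#
return
"""

# Data plan from the page; the NIP side must be configured with the same values.
PLAN = {"ids_client": "192.168.5.1", "ids_port": 30000, "auth_type": "aes256"}

def parse_fw_script(text):
    """Return the IDS settings and the security-policy rules found in the script."""
    cfg = {"client": None, "port": None, "auth_type": None, "key_present": False,
           "enabled": False, "blacklist": False, "rules": []}
    rule, in_policy = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                      # '#' ends the current configuration block
            in_policy, rule = False, None
        elif line == "security-policy":
            in_policy = True
        elif in_policy:
            m = re.match(r"rule name (\S+)", line)
            if m:
                rule = {"name": m.group(1)}
                cfg["rules"].append(rule)
            elif rule is not None:           # e.g. 'source-address 192.168.5.1 24'
                key, _, value = line.partition(" ")
                rule[key] = value
        elif line.startswith("firewall ids client "):
            cfg["client"] = line.split()[-1]
        elif line.startswith("firewall ids port "):
            cfg["port"] = int(line.split()[-1])
        elif line.startswith("firewall ids authentication type "):
            m = re.match(r"firewall ids authentication type (\S+) key (\S+)", line)
            if m:
                cfg["auth_type"], cfg["key_present"] = m.group(1), True
        elif line == "firewall ids enable":
            cfg["enabled"] = True
        elif line == "firewall blacklist enable":
            cfg["blacklist"] = True
    return cfg

def rule_permits_ids(rule, ids_ip):
    """True if the rule permits traffic from the IDS address into the Local zone."""
    if rule.get("action") != "permit" or rule.get("destination-zone") != "local":
        return False
    src = rule.get("source-address", "any")
    if src == "any":
        return True
    addr, _, prefix = src.partition(" ")     # '192.168.5.1 24' -> 192.168.5.0/24
    return ip_address(ids_ip) in ip_network(f"{addr}/{prefix or 32}", strict=False)

def audit(cfg, plan):
    """Return a list of findings; an empty list means the script matches the plan."""
    findings = []
    if cfg["client"] != plan["ids_client"]:
        findings.append(f"ids client is {cfg['client']}, plan says {plan['ids_client']}")
    if cfg["port"] != plan["ids_port"]:
        findings.append(f"ids port is {cfg['port']}, plan says {plan['ids_port']}")
    if cfg["auth_type"] != plan["auth_type"] or not cfg["key_present"]:
        findings.append("authentication type or key does not match the plan")
    if not cfg["enabled"]:
        findings.append("firewall ids enable missing: interworking is off")
    if not cfg["blacklist"]:
        findings.append("firewall blacklist enable missing: reported attackers cannot be blocked")
    if not any(rule_permits_ids(r, plan["ids_client"]) for r in cfg["rules"]):
        findings.append("no permit rule to the local zone covers the IDS address")
    return findings

if __name__ == "__main__":
    for item in audit(parse_fw_script(SAMPLE_SCRIPT), PLAN) or ["OK: script matches the data plan"]:
        print(item)
```

Running the script on the sample prints "OK: script matches the data plan"; removing the firewall ids enable line or changing the port yields a finding for each mismatch, which is the check worth running after pasting a script onto the FW and before configuring the NIP side.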
Copyright © Huawei Technologies Co., Ltd.