In this article I want to continue the topic of the Huawei Agile Distributed Wi-Fi wireless access solution that I started here. This time we will try to analyze which built-in security features the manufacturer has incorporated into this solution and how effective they are.
Obviously, if access to the corporate infrastructure via Wi-Fi becomes the primary method of connection, it will be subject to more stringent requirements for security, quality of service, flexibility and scalability. The second point is the absence, in the Russian-speaking segment of the Internet, of any instructions or even any mention of configuring Huawei equipment for any of the vendor's product lines.
Let me remind you that we are still talking about the AD9430DN-12 model and the R230 radio modules.
In the documentation in the “Security Features” section we find the following list of supported options:
- Open system authentication,
- WEP authentication / encryption using a 64-bit, 128-bit, or 152-bit encryption key,
- WPA / WPA2-PSK authentication and encryption (WPA / WPA2 personal edition),
- WPA / WPA2-802.1x authentication and encryption (WPA / WPA2 enterprise edition),
- WPA-WPA2 hybrid authentication,
- WAPI authentication and encryption,
- Wireless intrusion detection system and wireless intrusion prevention system (WIPS), including detection and dynamic blacklisting, and STA / AP blacklists and whitelists,
- DHCP snooping,
- Dynamic ARP Inspection (DAI),
- IP Source Guard (IPSG),
- URL filtering,
- Intrusion prevention,
- Antivirus,
- Smart Application Control (SAC).
Naturally, the presence of the full list of authentication methods (WEP / WPA / WPA2, etc.) will not surprise anyone; even home-grade "home" routers can do this. But the presence of options such as URL filtering, Intrusion prevention, Antivirus and Smart Application Control right out of the box (without licenses and paid subscriptions) is already interesting!
But let us take things in order. To begin with, let us turn to the system's web interface, which, by the way, is quite good in design and implementation.

In the last article, we already described the procedure for configuring WLAN services through the CLI using the Small-Scale Network WLAN as an example. Therefore, we skip this part and proceed to how to configure user authentication and authorization, for example, through the Built-in Portal Authentication.
Built-in Portal
The built-in authentication portal allows us to authorize connections only for those subscribers who are already entered into the local user database, for example for guest access. A user who has connected to the open network will be redirected to the authorization page when trying to access the Internet, where they will be asked to enter a login and password.
To do this, we need to create an Authentication Profile "ad9430" in the Configuration - Security - AAA section (hereafter, for simplicity, all settings profiles will be named "ad9430"), which in turn includes two profiles: Portal Profile and Authentication Scheme. The settings are shown in the screenshots.


Then you need to create a user / password pair in the local database to authorize our subscribers: in the same section, Configuration - Security - AAA, then Local User.


Now, on the Built-in Portal Server tab, we specify the IP address and port of the server to which user requests will be redirected during authentication. You can also select a web page template. The SSL Policy is left at its default.

It remains only to make our network "open" so that clients can connect. Go to Configuration - AP config - AP group - Security Profile.

We try to log in, the first time intentionally with the wrong password (as you can see, the system "swears"). After that everything proceeds normally.


URL Filtering
URL filtering technology governs Internet access by controlling which URLs users of our network can reach. Thus, the administrator can restrict access to certain Internet resources directly at the Wi-Fi network level.
It is no secret to anyone what the URL format is; take http://www.example.com:8088/news/edu.aspx?name=tom&age=20 as an example:
- protocol: http
- hostname: www.example.com
- port: 8088
- path: news/edu.aspx
- parameters: name=tom&age=20
In our case, the manufacturer gives us the ability to filter not only by the full hostname, but also by a URL of any depth.
To configure URL filtering, we first need to enable the Security Engine in the section: Configuration - Security - Attack Defense.

Now we create a profile for URL filtering in the section: Configuration - AP Config - Profile Management - Wireless Services - URL Filtering Profile. After making changes, do not forget to click "Apply".

As we can see, the URL filtering algorithm is configured by three settings:
- The default action: block or permit requests.
- The list type: a "white" list of allowed addresses or a "black" list of blocked addresses.
- The filtering rule: Host or URL.
A rather superficial test of URL filtering showed that the function works and filters addresses from the blacklist quite well.

However, if we change the filtering rule to a whitelist, and say that everything except the addresses from the list is blocked, a puzzling situation arises.

The "white" address is still available:

But when the protocol in the address is changed to https, the filtering rule stops working. This is because in HTTPS the link itself travels inside the encrypted session, so URL filtering cannot see it unless the device holds the certificate needed to decrypt the connection:
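To make the three settings above and the https observation concrete, here is an added model of the URL Filtering Profile decision logic (example code, not Huawei's implementation). It assumes that for an https request the filter can see only the server name, not the path or query, which is the explanation the test above points to.

```python
from urllib.parse import urlsplit

BLOCK, PERMIT = "block", "permit"


class UrlFilterProfile:
    """Model of a URL Filtering Profile: default action + list type + rule type."""

    def __init__(self, default_action, list_type, rule_type, entries):
        assert default_action in (BLOCK, PERMIT)
        assert list_type in ("blacklist", "whitelist")
        assert rule_type in ("host", "url")
        self.default_action = default_action
        self.list_type = list_type
        self.rule_type = rule_type
        # Entries are hostnames (rule_type "host") or host/path prefixes ("url")
        self.entries = [e.lower().rstrip("/") for e in entries]

    def _matches(self, host, path):
        if self.rule_type == "host":
            # A host rule covers the host itself and any of its subdomains
            return any(host == e or host.endswith("." + e) for e in self.entries)
        # A URL rule matches the exact host/path or anything below that path
        full = (host + path).rstrip("/")
        return any(full == e or full.startswith(e + "/") for e in self.entries)

    def decide(self, url):
        """Return (action, reason) for a client request to `url`."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Assumption modelling the https observation: over TLS the filter sees
        # only the server name; path and query are encrypted, so a URL rule
        # with a path component can never match an https request.
        path = parts.path if parts.scheme == "http" else ""
        hit = self._matches(host, path)
        if self.list_type == "blacklist":
            return (BLOCK, "blacklist hit") if hit else (self.default_action, "default action")
        return (PERMIT, "whitelist hit") if hit else (self.default_action, "default action")
```

With a whitelist rule of type URL and a default action of block, the same page is permitted over http and blocked over https, which is exactly the "white address stops working" symptom.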


Smart Application Control
The popularity of services such as P2P, online games and VoIP attracts a large number of users, but also creates big problems.
For example, many P2P applications can consume too many network resources, and as a result the network becomes overloaded. Smart Application Control technology is used to limit the impact of such resource-hungry applications on the network.
The mechanism underlying Smart Application Control uses detection technology to identify packets of dynamic protocols, such as HTTP and RTP, by inspecting information at OSI layers 4-7 and comparing it against the current signature files of the applications to be controlled. Huawei uses the same algorithm in its AR series routers.

Traditional traffic classification technology inspects packet contents only up to layer 4 and below, for example: source address, destination address, source port, destination port and type of service. It cannot identify the application carried inside the packets. In addition to the IP packet header, SAC can analyze the contents of the application layer.
The Smart Application Control signature files contain about 1600+ applications. Of course, most of them are focused on the Chinese market (qq, baidu, 21cn, tencent, etc.), but nevertheless there are Russian social networks (vk, ok, mail.ru), as well as Google services and Facebook.
CLI: display sac information
[AD9430]display sac information
------------------------------------------------------------------------------
SAC status             : enabled
App protocol number    : 1588
SAC signature status   : loaded
SAC signature version  : 7.2.1105.1
------------------------------------------------------------------------------
Applications are divided into groups according to the type of services provided.
CLI: display sac application-group
[AD9430]display sac application-group
--------------------------------------------------------------------------------
Index  Group name               State
--------------------------------------------------------------------------------
1      auth_service             Unbound
2      finance                  Unbound
3      data_backup              Unbound
4      database                 Unbound
5      email                    Unbound
6      enterprise_application   Unbound
7      internet_conferencing    Unbound
8      remote_access            Unbound
9      game                     Unbound
10     instant_messaging        Bound
11     media_sharing            Unbound
12     wireless                 Unbound
13     social_networking        Unbound
14     ucc                      Unbound
15     web_posting              Unbound
16     browser_plugin           Unbound
17     file_sharing             Bound
18     im_file_transfer         Unbound
19     search_engines           Unbound
20     software_update          Unbound
21     utility                  Unbound
22     web_content_aggregate    Unbound
23     web_desktop              Unbound
24     web_spider               Unbound
25     web_browsing             Unbound
26     encrypted_tunnel         Unbound
27     infrastructure           Unbound
28     ip_protocol              Unbound
29     proxy                    Unbound
30     general_udp              Unbound
31     general_tcp              Unbound
32     other                    Unbound
33     electronic_business      Unbound
34     file_access              Unbound
35     webmail                  Unbound
36     microblog                Unbound
37     peercasting              Unbound
38     web_video                Unbound
39     fileshare_p2p            Unbound
40     network_storage          Unbound
41     appdownload              Bound
42     attack                   Unbound
43     network_admin            Unbound
44     news_group               Unbound
45     cloudservice             Unbound
--------------------------------------------------------------------------------
Total: 45
The same information is available in the system's web interface: Configuration - Other Services - SAC



To enable SAC functionality, we need to create a settings profile: Configuration - AP Config - Profile - Wireless Services - SAC Profile. Next, we configure the application management policies:

Now let's check how the selected policies are applied by the system to our network traffic.
We chose to block: the VK social network, YouTube video hosting, application downloads from Google Play, the Gmail mail service and the Skype / Skype for Business services.

As a result of the tests, only the Skype services (tenacious as they are) continued to work. The rest of the policies worked correctly. At the same time, the YouTube application starts and allows some actions, such as search, but does not play video.

The same can be said about Google Play: the blocking policy applies only to downloading applications.
When creating a rule, you can also choose not to block the service but to limit its bandwidth. Below is an example for Google Play:


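The following is an added toy model (example code, not Huawei's SAC engine or signature format) of how an SAC profile turns layer-7 signature matches into the application groups listed in the `display sac application-group` output and then applies a block or bandwidth-limit policy, using the policy set from the test above. The signature table, the use of the HTTP Host header / TLS server name as the layer-7 key, and the 256 kbps limit are all constructed assumptions; a flow that matches no signature falls into the generic layer-4 groups and is left alone, which is one way a service like Skype can keep working under a block policy.

```python
import re
from dataclasses import dataclass

# Constructed signature table: app -> (SAC application group, regex on the server name)
SIGNATURES = {
    "vk":          ("social_networking", re.compile(r"(^|\.)vk\.com$")),
    "youtube":     ("web_video",         re.compile(r"(^|\.)(youtube\.com|googlevideo\.com)$")),
    "google_play": ("appdownload",       re.compile(r"^play\.google\.com$")),
    "gmail":       ("webmail",           re.compile(r"^mail\.google\.com$")),
}


@dataclass
class Policy:
    action: str          # "block" or "limit"
    limit_kbps: int = 0  # only meaningful for "limit"


@dataclass
class Flow:
    server_name: str     # HTTP Host header or TLS SNI, i.e. layer-7 data (assumed)
    dst_port: int


def classify(flow):
    """Return (app, group); unmatched flows fall to the generic layer-4 groups."""
    for app, (group, pattern) in SIGNATURES.items():
        if pattern.search(flow.server_name.lower()):
            return app, group
    return "unknown", "general_udp" if flow.dst_port == 443 and False else "general_tcp"


def apply_sac(flow, policies):
    """Return the verdict for one flow under the given per-application policies."""
    app, group = classify(flow)
    policy = policies.get(app)
    if policy is None:
        # No policy for this app (or no signature hit): traffic passes untouched
        return {"app": app, "group": group, "action": "permit", "kbps": None}
    if policy.action == "block":
        return {"app": app, "group": group, "action": "block", "kbps": 0}
    return {"app": app, "group": group, "action": "limit", "kbps": policy.limit_kbps}


# Policy set from the test above, with Google Play rate-limited instead of blocked
POLICIES = {
    "vk": Policy("block"),
    "youtube": Policy("block"),
    "gmail": Policy("block"),
    "google_play": Policy("limit", 256),
}
```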
Instead of a conclusion
Surely there will be those who read this small report on testing the Huawei Agile Distributed Wi-Fi solution and ask why anyone should cultivate a garden of firewalls, authorization portals and other smart controls at the Wi-Fi access level, when there is specially trained, separate equipment for this. Yes, such equipment exists, it does an excellent job with its tasks and in most cases it is, of course, better to use it.
But you must admit, if you are an SMB customer and your IT budget is not tending towards infinity but in the opposite direction, yet you really want to have everything mentioned above, then why not.