Creating an AntiDDoS

After the communication between the ATIC Management center and the AntiDDoS is established through SNMP, you can add the AntiDDoS.

Prerequisites

  • The IP address segments of the AntiDDoS devices are known.
  • The communication has been set up between the ATIC Management center server and the AntiDDoS devices.
NOTICE:

The ATIC cannot manage the AntiDDoS running V100R001 and the AntiDDoS running V500R001 at the same time.

Procedure

  1. Choose Defense > Network Settings > Devices.
  2. Click .

  3. In the Basic Information group box, set the name and IP address of an AntiDDoS device and set Device Type to AntiDDoS.

    • IP address indicates the management interface IP address for the ATIC to manage the AntiDDoS device. You are advised to set it to that of GigabitEthernet0/0/0. You can no longer change the address after setting it.
    • Log Source IP indicates the interface for the AntiDDoS device to send logs to the ATIC. You can change the log source IP address after setting it. For the AntiDDoS8000, GigabitEthernet0/0/0 is an MPU interface and cannot be set to a log source interface. For the AntiDDoS1600, the log source interface can be set to GigabitEthernet0/0/0.
    • Log Password indicates the encryption key of reported logs. After a device is successfully created, the ATIC delivers the key to the Anti-DDoS device.

      NOTE:

      The password must meet the minimum complexity requirement: it must contain characters from at least three of the following four classes: upper-case letters (A to Z), lower-case letters (a to z), digits (0 to 9), and special characters (such as !, #, $, and %). In addition, change the password periodically.

      For versions earlier than AntiDDoS V500R001C60, only packet capture logs are encrypted. For AntiDDoS V500R001C60, all logs are encrypted.

  4. Set Telnet parameters.

    • When you select STelnet, the ATIC Management center uses port 22 for accessing AntiDDoS devices through STelnet by default. In this case, enter the name and password of an STelnet user for authentication. Public Key indicates the public key for device authentication.

      NOTE:

      If you provide Public Key information, the STelnet/SFTP server authenticates the user by that public key.

      Public key authentication is strongly recommended when accessing the STelnet or SFTP server.

    • When you select Telnet, the ATIC Management center uses port 23 for accessing AntiDDoS devices through Telnet by default. In this case, enter the name and password of a Telnet user for authentication.
    NOTE:
    SFTP is more secure than FTP.

  5. Set SNMP parameters.

    • When you select SNMPv1 and SNMPv2c, set read and write community names.

      Read community indicates the name of a read-only community and the default value is public. Write community indicates the name of a write-only community and the default value is private.

    • When you select SNMPv3, see parameter settings as shown in Table 1.
      NOTE:
      • Compared with SNMPv3, SNMPv1 and SNMPv2c are insecure. Therefore, SNMPv3 is recommended.
      • When you select SNMPv3, do not configure several security levels for the same SNMPv3 user group to prevent authentication bypass vulnerability.
      • The Username, Environment name, Environment engine ID, Data encryption protocol, Data encryption password, Authentication protocol, Authentication password parameters are available only when the type is SNMPv3.
      Table 1 SNMPv3 template parameters (columns: Parameter, Description, Recommended Value)

      Username
        Description: User name used for accessing the AntiDDoS device.
        Recommended Value: -

      Environment name
        Description: Name of the environment engine.
        Recommended Value: Same as the environment name on the AntiDDoS device, or blank.

      Environment engine ID
        Description: Unique identifier of an SNMP engine. This ID is used together with the environment name to determine an environment that uniquely identifies an SNMP entity. An SNMP message is processed only when the environments of the sender and the recipient are the same; otherwise, the SNMP message is discarded.
        Recommended Value: Same as the environment engine ID on the AntiDDoS device.

      Authentication protocol
        Description: Protocol used for verifying messages.
        Recommended Value: The parameter value can be HMACMD5, HMACSHA, or no protocol. If HMACMD5 or HMACSHA is selected, you must also set the authentication password.
          The password must meet the minimum complexity requirement: it must contain characters from at least three of the following four classes: upper-case letters (A to Z), lower-case letters (a to z), digits (0 to 9), and special characters (such as !, #, $, and %). Change the password periodically.
          Select the authentication protocol as required.
          • HMACMD5 applies the MD5 hash algorithm to a character string of any length and produces a 128-bit message digest.
          NOTE:
          Using HMAC-MD5 or no authentication protocol brings security risks. HMAC-SHA is more secure and therefore recommended.

      Authentication password
        Description: If an authentication protocol is used to verify messages, you must set the authentication password.
          The password must meet the minimum complexity requirement: it must contain characters from at least three of the following four classes: upper-case letters (A to Z), lower-case letters (a to z), digits (0 to 9), and special characters (such as !, #, $, and %). Change the password periodically.
        Recommended Value: -

      Data encryption protocol
        Description: Encryption protocol used when encapsulating data.
        Recommended Value: The parameter value can be DES, AES128, AES256, or no encryption. If DES, AES128, or AES256 is selected, you must also set the encryption password.
          The password must meet the minimum complexity requirement: it must contain characters from at least three of the following four classes: upper-case letters (A to Z), lower-case letters (a to z), digits (0 to 9), and special characters (such as !, #, $, and %). Change the password periodically.
          Select the encryption protocol as required.
          • DES: the Data Encryption Standard, an international encryption algorithm with a 56-bit key.
          • AES256: the Advanced Encryption Standard (AES), which defines three key lengths; AES256 uses a 256-bit key.
          • AES128: the Advanced Encryption Standard with a 128-bit key.
          NOTE:
          Using DES or no encryption protocol brings security risks. The more secure AES256 data encryption protocol is recommended for the AntiDDoS8000. The AntiDDoS1000 supports only the AES128 and DES data encryption protocols, and AES128 is recommended.
          Ensure that the ATIC management center and the AntiDDoS device use the same encryption protocol.

      Data encryption password
        Description: If an encryption algorithm is used when encapsulating data, you must set the data encryption password.
          The password must meet the minimum complexity requirement: it must contain characters from at least three of the following four classes: upper-case letters (A to Z), lower-case letters (a to z), digits (0 to 9), and special characters (such as !, #, $, and %). Change the password periodically.
        Recommended Value: -

  6. Click OK to add the AntiDDoS device. After it is added successfully, the AntiDDoS device is displayed on the Devices page.
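The password complexity rule in step 3 and the SNMP recommendations in step 5 (SNMPv3 over v1/v2c, default community names, matching engine ID, HMAC-SHA over HMAC-MD5, AES256 on the AntiDDoS8000 and AES128 on the AntiDDoS1000, and matching encryption protocols on both sides) can be checked before the form is submitted. The following is an added example, not ATIC or Huawei code; the SnmpSettings field names, the review function and the sample engine ID and passwords are assumptions constructed for illustration.

```python
# Added example: lint the ATIC SNMP parameter form against the rules on this page.
# Not Huawei/ATIC code; field names, function names and sample values are assumed.
import string
from dataclasses import dataclass
from typing import List, Optional


def password_meets_complexity(password: str) -> bool:
    """Complexity rule from the page: characters from at least three of the four
    classes (upper-case, lower-case, digit, special) must be present."""
    classes = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3


@dataclass
class SnmpSettings:
    """Values entered in the SNMP parameter form (assumed field names)."""
    version: str                          # "v1", "v2c" or "v3"
    device_model: str                     # "AntiDDoS8000" or "AntiDDoS1000"
    read_community: Optional[str] = None  # SNMPv1/v2c only
    write_community: Optional[str] = None
    engine_id: Optional[str] = None       # SNMPv3: environment engine ID
    auth_protocol: Optional[str] = None   # "HMACSHA", "HMACMD5" or None
    auth_password: Optional[str] = None
    priv_protocol: Optional[str] = None   # "AES256", "AES128", "DES" or None
    priv_password: Optional[str] = None


def review_snmp_settings(cfg: SnmpSettings, device_engine_id: str,
                         device_priv_protocol: Optional[str]) -> List[str]:
    """Return findings; an empty list means the settings follow every
    recommendation on the page and match the values configured on the device."""
    findings: List[str] = []
    if cfg.version in ("v1", "v2c"):
        findings.append("SNMPv1/v2c is insecure; use SNMPv3")
        if cfg.read_community == "public":
            findings.append("read community left at default 'public'")
        if cfg.write_community == "private":
            findings.append("write community left at default 'private'")
        return findings
    if cfg.version != "v3":
        return [f"unknown SNMP version {cfg.version!r}"]

    # Engine ID must equal the device's, otherwise its messages are discarded.
    if cfg.engine_id != device_engine_id:
        findings.append("engine ID differs from the device; SNMP messages will be discarded")

    # Authentication: HMAC-SHA recommended; HMAC-MD5 or none brings risk.
    if cfg.auth_protocol is None:
        findings.append("no authentication protocol; HMAC-SHA recommended")
    elif cfg.auth_protocol == "HMACMD5":
        findings.append("HMAC-MD5 selected; HMAC-SHA is more secure")
    if cfg.auth_protocol and not password_meets_complexity(cfg.auth_password or ""):
        findings.append("authentication password fails the complexity rule")

    # Privacy: per-model recommendation, DES/none is risky, must match the device.
    recommended = "AES256" if cfg.device_model == "AntiDDoS8000" else "AES128"
    if cfg.priv_protocol is None:
        findings.append(f"no data encryption; {recommended} recommended")
    elif cfg.priv_protocol == "DES":
        findings.append(f"DES selected; {recommended} recommended")
    elif cfg.device_model == "AntiDDoS1000" and cfg.priv_protocol == "AES256":
        findings.append("AntiDDoS1000 supports only AES128 and DES")
    elif cfg.priv_protocol != recommended:
        findings.append(f"{cfg.priv_protocol} selected; {recommended} recommended")
    if cfg.priv_protocol != device_priv_protocol:
        findings.append("encryption protocol differs from the AntiDDoS device")
    if cfg.priv_protocol and not password_meets_complexity(cfg.priv_password or ""):
        findings.append("data encryption password fails the complexity rule")
    return findings


# Constructed sample values; the engine ID is a placeholder, not a real device's.
DEVICE_ENGINE_ID = "800007DB03EXAMPLE"
GOOD = SnmpSettings(version="v3", device_model="AntiDDoS8000",
                    engine_id=DEVICE_ENGINE_ID,
                    auth_protocol="HMACSHA", auth_password="Auth#Pass2024",
                    priv_protocol="AES256", priv_password="Priv$Key2024")
WEAK = SnmpSettings(version="v2c", device_model="AntiDDoS8000",
                    read_community="public", write_community="private")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("weak", WEAK)):
        print(label, review_snmp_settings(cfg, DEVICE_ENGINE_ID, "AES256") or ["no findings"])
```

Running the block prints no findings for the GOOD settings and three for the WEAK ones. The device-side engine ID and encryption protocol are passed in separately because the page requires them to be read from the AntiDDoS device rather than chosen in the form.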

Result

Each AntiDDoS device is automatically synchronized once it is added. If synchronization fails, rectify the fault as prompted and synchronize AntiDDoS devices manually with the ATIC Management center.

Follow-up Procedure

If only one collector is available, the new AntiDDoS devices are automatically associated with the collector. If multiple collectors are available, associate AntiDDoS devices with the given collector.


Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.