Creating an AntiDDoS1820-N

Only the administrator who has the right to create devices can add devices. After the communication between the ATIC and the AntiDDoS1820-N is established through SNMP, you can add the AntiDDoS1820-N.

Prerequisites

  • The IP address segments of the AntiDDoS1820-N devices are known.
  • The ATIC can communicate with the AntiDDoS1820-N. The AntiDDoS1820-N can be accessed by the administrator over the network and can be pinged from the ATIC.

    If the device cannot be pinged, the "Network is unreachable" message is displayed during device creation.

Procedure

  1. Choose Defense > Network Settings > Devices.
  2. Click .

  3. In the Basic Information area, set the name and IP address of an AntiDDoS1820-N and set Device Type to AntiDDoS1820-N.

    • IP address indicates the management interface IP address for the ATIC to manage the AntiDDoS1820-N.

    • Log Source IP indicates the interface for the AntiDDoS1820-N to send logs to the ATIC. You can change the log source IP address after setting it.
    • Log Password indicates the encryption key of reported logs. After a device is successfully created, the ATIC delivers the key to the AntiDDoS1820-N.

      The password shall meet the minimum complexity requirement. That is, the password must contain letters, digits (0 to 9), and special characters (such as !, #, $, and %). In addition, you shall periodically change the password.

  4. Set Telnet parameters.

    • When you select STelnet, the ATIC uses port 22 for accessing the AntiDDoS1820-N through STelnet by default. In this case, enter the name and password of an STelnet user for authentication. Public Key indicates the public key for device authentication.

      The STelnet and SFTP server will authenticate the public key if you provide public key information.

      For data transmission security, you are advised to use the public key.

    • When you select Telnet, the ATIC uses port 23 for accessing the AntiDDoS1820-N through Telnet by default. In this case, enter the name and password of a Telnet user for authentication.

    Telnet is an insecure protocol. To ensure data transmission security, you are advised to select STelnet.

  5. Set SNMP parameters.

    • When you select SNMPv2c, set read and write community names.

      Read community indicates the name of a read-only community. Write community indicates the name of a write-only community.

      The community name cannot be empty and must contain at least six characters that must include letters, digits, and special characters.

    • When you select SNMPv3, see parameter settings as shown in Table 1.
      • Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended.
      • When you select SNMPv3, do not configure several security levels for the same SNMPv3 user group, to prevent an authentication bypass vulnerability.
      • The Username, Environment name, Environment engine ID, Data encryption protocol, Data encryption password, Authentication protocol, and Authentication password parameters are available only when the type is SNMPv3.
      Table 1 SNMPv3 template parameters

      Parameter: Username
      Description: User name used for accessing the AntiDDoS1820-N.
      Recommended Value: -

      Parameter: Environment name
      Description: Name of the environment engine.
      Recommended Value: This parameter value is the same as the environment name on the AntiDDoS1820-N or left blank.

      Parameter: Environment engine ID
      Description: Unique identifier of an SNMP engine. This ID is used together with the environment name to determine an environment that uniquely identifies an SNMP entity. The SNMP message packet is processed only when the environments of the sender terminal and the recipient terminal are the same; otherwise, the SNMP message packet will be discarded.
      Recommended Value: Same as the environment engine ID on the AntiDDoS1820-N device.

      Parameter: Authentication protocol
      Description: Protocol used for verifying messages.
        The parameter value can be the HMACMD5 or HMACSHA protocol or no protocol. If the HMACMD5 or HMACSHA protocol is selected, you need to set the authentication password.
        The password shall meet the minimum complexity requirement. That is, the password must contain letters, digits (0 to 9), and special characters (such as ! # $ %). In addition, you shall periodically change the password.
      Recommended Value: You can select the authentication protocol as required.
        • HMACMD5 converts the character string in any order based on the hash algorithm and produces a 128-bit message digest, in integer format.
        • HMACSHA is more secure than HMACMD5. It produces 160-bit message digests for messages whose length does not exceed 2^64 bits.
        NOTE: Using HMAC-MD5 or no authentication protocol brings security risks. HMAC-SHA is more secure and therefore recommended.

      Parameter: Authentication password
      Description: If the authentication protocol is used when verifying messages, you need to set the authentication password.
      Recommended Value: The password shall meet the minimum complexity requirement. That is, the password must contain letters, digits (0 to 9), and special characters (such as ! # $ %). In addition, you shall periodically change the password.

      Parameter: Data encryption protocol
      Description: Encryption protocol used when encapsulating data.
        The parameter value can be the DES, AES128 or AES256 encryption protocol or no encryption. If the DES, AES128 or AES256 encryption protocol is selected, you need to set the encryption password.
        The password shall meet the minimum complexity requirement. That is, the password must contain letters, digits (0 to 9), and special characters (such as ! # $ %). In addition, you shall periodically change the password.
      Recommended Value: You can select the encryption protocol as required.
        • DES: It indicates the Data Encryption Standard (DES), which is an international encryption algorithm with the key length of 56 characters.
        • AES256: It indicates the Advanced Encryption Standard (AES256). There are three types of key lengths of 128 characters.
        • AES128: It indicates the Advanced Encryption Standard (AES128).
        NOTE: Using DES or no encryption protocol brings security risks. The more secure AES256 data encryption protocol is recommended for the AntiDDoS1820-N.
        Ensure that the ATIC management center and AntiDDoS have the same encryption protocol.

      Parameter: Data encryption password
      Description: If the encryption algorithm is used when encapsulating data, you need to set the data encryption password.
      Recommended Value: The password shall meet the minimum complexity requirement. That is, the password must contain letters, digits (0 to 9), and special characters (such as ! # $ %). In addition, you shall periodically change the password.

  6. Click the Flow Information tab. Click and select the router for traffic detection.
  7. Click OK to add an AntiDDoS1820-N.

    After it is successfully added, the AntiDDoS1820-N is displayed on the Devices page.
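
The values planned for steps 3 to 5 can be checked against the rules and recommendations above before they are entered. The following Python check is an added example, not Huawei or ATIC code: the dictionary keys are hypothetical names for the GUI fields, the sample entries are constructed, and treating any non-alphanumeric, non-space character as a special character is an assumption.

```python
import re

def is_complex(secret):
    """Page rule: must contain letters, digits and special characters.
    Assumption: any non-alphanumeric, non-space character counts as special."""
    return all(re.search(p, secret) for p in (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9\s]"))

def audit_device(p):
    """Check one planned device entry against the page's rules and advice.
    The dict keys are hypothetical names for the GUI fields, not ATIC identifiers."""
    findings = []
    if not is_complex(p.get("log_password", "")):
        findings.append("log_password: needs letters, digits and special characters")
    if p.get("access") == "telnet":
        findings.append("access: Telnet is insecure, select STelnet")
    elif not p.get("public_key"):
        findings.append("public_key: not provided, the page advises using it")
    if p.get("snmp") == "v2c":
        findings.append("snmp: SNMPv2c is insecure, SNMPv3 is recommended")
        for name in ("read_community", "write_community"):
            value = p.get(name, "")
            if len(value) < 6 or not is_complex(value):
                findings.append(f"{name}: needs 6+ characters with letters, digits, specials")
    else:  # SNMPv3
        auth, priv = p.get("auth_protocol", "none"), p.get("priv_protocol", "none")
        if auth in ("none", "HMACMD5"):
            findings.append("auth_protocol: HMACSHA is recommended")
        if auth != "none" and not is_complex(p.get("auth_password", "")):
            findings.append("auth_password: needs letters, digits and special characters")
        if priv in ("none", "DES"):
            findings.append("priv_protocol: AES256 is recommended")
        if priv != "none" and not is_complex(p.get("priv_password", "")):
            findings.append("priv_password: needs letters, digits and special characters")
    return findings

# Constructed sample entries (no real device, address or credential).
WEAK = {"log_password": "logpass1", "access": "telnet", "snmp": "v2c",
        "read_community": "public", "write_community": "Priv@te9"}
HARDENED = {"log_password": "L0g#Key-2024", "access": "stelnet",
            "public_key": "<device public key placeholder>", "snmp": "v3",
            "auth_protocol": "HMACSHA", "auth_password": "Auth#Pass9",
            "priv_protocol": "AES256", "priv_password": "Priv$Pass7"}

if __name__ == "__main__":
    for label, entry in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_device(entry) or "no findings")
```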

Result

Each AntiDDoS1820-N is automatically synchronized once it is added. If synchronization fails, rectify the fault as prompted and synchronize the AntiDDoS1820-N information manually with the ATIC.

Follow-up Procedure

If only one collector is available, the new AntiDDoS1820-Ns are automatically associated with the collector. If multiple collectors are available, associate AntiDDoS1820-Ns with the given collector. For details, see Associating the Collector with Devices.


Copyright © Huawei Technologies Co., Ltd.