AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Access Control

Keep the following principles in mind before you perform access control and security hardening:

The best security defense method is to take preventive measures before attacks strike.

Access control is the basis of security hardening. Further damage can be avoided only when insecure access requests are denied.

Physical and Environmental Security

Physical and environmental access control is essential to device security protection. The following measures must be considered when physical and environmental security hardening is performed:

  • Formulate physical and environmental security policies and standardize the access, reception, operation, and record processes.
  • Arrange special security personnel for important areas.
  • Record information about exit and entry of the equipment room area.
  • For important equipment rooms, install double-layered doors, create a neutral zone between the two doors, and provide video monitoring (to prevent unauthorized persons from following authorized persons into equipment rooms).
  • Deploy an access control system that provides password cards or biometric authentication (for example, fingerprint or iris authentication) for persons with access permissions.
  • Deploy a video monitoring system.
  • Configure lock protection for cabinet doors and ensure that the doors are closed when the cabinets are not in use.
  • Install filler panels on unused slots of subracks.
  • Check for exposed serial interfaces and network interfaces on cabinets.
  • Disable unused physical ports by default so that they cannot communicate even when network cables are connected.
  • Require identity authentication for keyboard, video, and mouse (KVM) access when a KVM virtual connection environment exists.
  • Perform disaster recovery remotely for important systems.
  • Ensure power supply backup and continuous power supply.
  • Monitor and control the equipment room temperature and humidity.

Disabling Unused Services and Ports

Disable unused services and Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports based on analysis of the device service requirements and the minimum authorization principle (by default, access channels are disabled unless definite access requirements exist).

By default, Telnet ports are enabled. If Telnet ports are not used, disable them. Disable RIP and FTP according to service requirements.

When TCP and UDP ports cannot be disabled by disabling services, formulate access control list (ACL) policies to disable the TCP and UDP ports.

Example of Disabling FTP Ports

Networking Requirements

Files must be transferred in Secure File Transfer Protocol (SFTP) mode to ensure file transfer reliability. FTP ports of devices must be disabled to ensure device security and prevent unauthorized users from attacking devices by using FTP ports.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Check whether the FTP port of a device is enabled and whether the FTP port needs to be disabled.
  2. Disable the FTP port to prevent users from transferring files using FTP.
  3. View the status of the FTP port of the device and check whether the FTP port is successfully disabled.
Data Preparation

None

Procedure
  1. Check the status of the FTP port.
    <HUAWEI> display network status tcp
    Proto Task/SockId Local Addr&Port          Foreign Addr&Port        State
    TCP   FTPS/1      0.0.0.0:21                  0.0.0.0:0                  Listening
    TCP   VTYD/1      0.0.0.0:23                  0.0.0.0:0                  Listening
    TCP6  VTYD/2      ::->23                       ::->0                      Listening
    

    The command output shows that the FTP port is enabled.

  2. Disable the FTP port.
    <HUAWEI> system-view
    [HUAWEI] undo ftp server
    
  3. Check whether the FTP port is successfully disabled.
    <HUAWEI> display network status tcp
    Proto Task/SockId Local Addr&Port          Foreign Addr&Port        State
    TCP   VTYD/1      0.0.0.0:23               0.0.0.0:0            Listening
    TCP6  VTYD/2      ::->23                   ::->0              Listening
    

    The command output shows that the FTP port is disabled.
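As an added example (not code from the Huawei guide), the following Python script parses the display network status tcp listing used in steps 1 and 3 and flags listeners on the FTP and Telnet ports, so the before/after check can be scripted. The sample listings are constructed copies of the output above, and the port numbers (21, 23) are the standard assignments.

```python
"""Audit 'display network status tcp' output for insecure listening services.

Added example, not from the Huawei guide: it parses the socket listing shown
in the FTP procedure and reports listeners on the FTP and Telnet ports.
Port numbers are the standard ones (FTP 21, Telnet 23); the sample outputs
are constructed copies of the guide's listings.
"""
import re

# Insecure TCP services and the secure channel that replaces each.
INSECURE_TCP_PORTS = {
    21: ("FTP", "SFTP"),
    23: ("Telnet", "SSHv2"),
}

# One socket row: IPv4 rows print "addr:port", IPv6 rows print "addr->port".
_ROW = re.compile(
    r"^\s*(?P<proto>TCP6?)\s+(?P<task>\S+)\s+"
    r"(?P<laddr>\S+?)(?::|->)(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+?)(?::|->)(?P<fport>\d+)\s+"
    r"(?P<state>\w+)\s*$"
)

# Constructed sample: the listing before 'undo ftp server'.
BEFORE_DISABLE = """\
<HUAWEI> display network status tcp
Proto Task/SockId Local Addr&Port          Foreign Addr&Port        State
TCP   FTPS/1      0.0.0.0:21               0.0.0.0:0                Listening
TCP   VTYD/1      0.0.0.0:23               0.0.0.0:0                Listening
TCP6  VTYD/2      ::->23                   ::->0                    Listening
"""

# Constructed sample: the listing after 'undo ftp server'.
AFTER_DISABLE = """\
<HUAWEI> display network status tcp
Proto Task/SockId Local Addr&Port          Foreign Addr&Port        State
TCP   VTYD/1      0.0.0.0:23               0.0.0.0:0                Listening
TCP6  VTYD/2      ::->23                   ::->0                    Listening
"""


def parse_tcp_sockets(output: str) -> list[dict]:
    """Return one dict per socket row; prompt and header lines are skipped."""
    sockets = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m is None:
            continue
        sockets.append({
            "proto": m["proto"],
            "task": m["task"],
            "local_addr": m["laddr"],
            "local_port": int(m["lport"]),
            "state": m["state"],
        })
    return sockets


def find_insecure_listeners(output: str) -> list[dict]:
    """Listening sockets whose local port belongs to an insecure service."""
    findings = []
    for sock in parse_tcp_sockets(output):
        if sock["state"].lower() != "listening":
            continue
        hit = INSECURE_TCP_PORTS.get(sock["local_port"])
        if hit is not None:
            service, replacement = hit
            findings.append({**sock, "service": service, "replace_with": replacement})
    return findings


def ftp_listening(output: str) -> bool:
    """True when any socket still listens on the FTP port (the step 3 check)."""
    return any(f["local_port"] == 21 for f in find_insecure_listeners(output))


if __name__ == "__main__":
    for label, listing in (("before", BEFORE_DISABLE), ("after", AFTER_DISABLE)):
        print(f"--- {label} 'undo ftp server' ---")
        for f in find_insecure_listeners(listing):
            print(f"{f['proto']:<5} {f['task']:<8} port {f['local_port']:<3} "
                  f"{f['service']} listening; replace with {f['replace_with']}")
```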

Discarding Insecure Access Channels

The access requirements of services must be met preferentially based on service requirement analysis. When an access requirement can be served by multiple access channels, retire the insecure channels and select the secure ones.

Select the access channels with higher security levels. The following table lists the security levels of the access channels:

Table 1-4  Assessment of the security capabilities of access channels

Access Requirement                         Secure Channel   Insecure Channel
Remote login                               SSHv2            Telnet
File transfer                              SFTP             FTP, TFTP
Network management system (NMS)            SNMPv3           SNMPv1/v2
Routing Information Protocol (RIP) route   RIPv2            RIP

Example for Managing Files Using SFTP When the Device Functions as an SSH Server

Networking Requirements

As shown in Figure 1-3, PC1 connects to the device, and the IP address of the management network interface on the device is 10.136.23.4. Files need to be securely transferred between PC1 and the device. Configure the device as the SSH server to provide the SFTP service so that the SSH server authenticates the client and encrypts data in both directions, ensuring secure file transfer. A security policy is configured to ensure that only PC1 is allowed to access the SSH server.

Figure 1-3  Networking diagram for managing files using SFTP when the device functions as an SSH server

Configuration Roadmap

The configuration roadmap is as follows:

  1. Generate a local key pair and enable the SFTP server function on the SSH server so that the server and client can securely exchange data.

  2. Configure the VTY user interface on the SSH server.

  3. Configure SSH user information including the authentication mode, user name, and password.

  4. Configure access permissions on the SSH server to control SSH users.
  5. Connect to the SSH server using the third-party software OpenSSH on the PC.

Procedure

  1. Generate a local key pair on the SSH server, and enable the SFTP server.

    <Huawei> system-view
    [Huawei] sysname SSH Server
    [SSH Server] sftp server enable
    [SSH Server] rsa local-key-pair create
    The key name will be: Host
    RSA keys defined for Host already exist.
    Confirm to replace them? (y/n)[n]:y
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is less than 2048,
           It will introduce potential security risks.
    Input the bits in the modulus[default = 2048]:2048
    Generating keys...
    ......................................................................................+++
    ....+++
    .......................................++++++++
    ..............++++++++
    

  2. Configure the VTY user interface on the SSH server.

    [SSH Server] user-interface vty 0 14
    [SSH Server-ui-vty0-14] authentication-mode aaa
    [SSH Server-ui-vty0-14] protocol inbound ssh
    [SSH Server-ui-vty0-14] quit

  3. Configure SSH user information including the authentication mode, user name, and password.

    [SSH Server] aaa
    [SSH Server-aaa] local-user client001 password irreversible-cipher Huawei@123
    [SSH Server-aaa] local-user client001 privilege level 15
    [SSH Server-aaa] local-user client001 service-type ssh
    [SSH Server-aaa] quit
    [SSH Server] ssh user client001 authentication-type password
    

  4. Configure access permissions on the SSH server.

    [SSH Server] acl 2001
    [SSH Server-acl-basic-2001] rule permit source 10.136.23.10 32
    [SSH Server-acl-basic-2001] rule deny source 10.136.23.20 32
    [SSH Server-acl-basic-2001] quit
    [SSH Server] user-interface vty 0 14
    [SSH Server-ui-vty0-14] acl 2001 inbound
    [SSH Server-ui-vty0-14] quit

  5. Connect to the SSH server using the third-party software OpenSSH on the PC.

    The Windows CLI can run OpenSSH commands only when OpenSSH is installed on the PC.

    Figure 1-4  Connecting to the SSH server

    After you connect to the SSH server through third-party software, the SFTP view is displayed. Then you can perform file-related operations in the SFTP view.

Configuration File

Configuration file of the SSH Server

#
 sysname SSH Server
#       
acl number 2001           
 rule 5 permit source 10.136.23.10 0         
 rule 10 deny source 10.136.23.20 0       
#
aaa
 local-user client001 password irreversible-cipher %^%#<R<G9j0<_;@]`h@]TnCUuGP-1Za*%2i*k!X<~Q4Ha1B0GP0u%^%#
 local-user client001 privilege level 15
 local-user client001 service-type ssh
#
 sftp server enable
#
user-interface vty 0 14
 acl 2001 inbound
 authentication-mode aaa
 protocol inbound ssh
#
return

Limiting User Login to the Device Using HTTP

By default, the device does not restrict the source addresses of users who log in through the web NMS, which poses a security risk. To ensure device security and prevent unauthorized users from logging in to the device through the web NMS, you can configure ACLs to specify the users that can log in to the device using HTTP.

Procedure
  1. Configure ACL 2000 to allow devices with IP address 192.168.6.10 or in network segment 192.168.5.0 to log in to the device using HTTP.
    <Huawei> system-view
    [Huawei] acl 2000
    [Huawei-acl-basic-2000] rule 5 permit source 192.168.6.10 0 
    [Huawei-acl-basic-2000] rule 10 permit source 192.168.5.0 0.0.0.255
    [Huawei-acl-basic-2000] quit
  2. Configure HTTP to reference ACL 2000.
    [Huawei] http acl 2000
    

    After the preceding configurations, only devices with IP address 192.168.6.10 or in network segment 192.168.5.0 can log in to the device through the web NMS.

Filtering the Routes Advertised by the Management Interface

Security risks exist when routes are advertised by the management network. You can configure routing policies (IP prefix list, ACL, and route-policy) to filter advertised OSPF, IS-IS, RIP, and BGP routes.

Example for Filtering the Routes Advertised by the Management Interface
Networking Requirements

As shown in Figure 1-5, on the OSPF network, RouterA receives routes from the Internet and provides Internet routes to the OSPF network. It is required that the routes advertised by the management interface not be advertised through the OSPF network. The management interface of RouterA belongs to network segment 172.16.16.0/24.

Figure 1-5  Filtering received and advertised routes

Configuration Roadmap

The configuration roadmap is as follows:

Configure a routing policy on RouterA. During the advertising of routes, use the routing policy to filter routes to 172.16.16.0/24 to prevent the OSPF network from accessing the network where 172.16.16.0/24 belongs.

Procedure

  1. Assign IP addresses to interfaces. The configuration procedure is omitted here.
  2. Configure basic OSPF functions.

    # Configure RouterA.

    [RouterA] ospf
    [RouterA-ospf-1] area 0
    [RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
    [RouterA-ospf-1-area-0.0.0.0] quit

    # Configure RouterB.

    [RouterB] ospf
    [RouterB-ospf-1] area 0
    [RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] quit

    # Configure RouterC.

    [RouterC] ospf
    [RouterC-ospf-1] area 0
    [RouterC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [RouterC-ospf-1-area-0.0.0.0] quit
    [RouterC-ospf-1] quit

    # Configure RouterD.

    [RouterD] ospf
    [RouterD-ospf-1] area 0
    [RouterD-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
    [RouterD-ospf-1-area-0.0.0.0] quit

  3. Import direct routes on RouterA into OSPF.

    [RouterA-ospf-1] import-route direct
    [RouterA-ospf-1] quit

    # Check the IP routing table on RouterB. The IP routing table contains the direct routes imported by OSPF.

    [RouterB] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 16       Routes : 16
    
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
    
         10.10.10.0/8   Direct 0    0            D   10.10.10.1      InLoopBack0
         10.10.10.1/32  Direct 0    0            D   10.10.10.1      InLoopBack0
        172.16.16.0/24 O_ASE 150  1            D   192.168.1.1   GigabitEthernet0/0/0
        192.168.1.0/24  Direct 0    0            D   192.168.1.2     GigabitEthernet0/0/0
        192.168.1.1/32  Direct 0    0            D   192.168.1.1     GigabitEthernet0/0/0
        192.168.1.2/32  Direct 0    0            D   10.10.10.1      InLoopBack0
        192.168.2.0/24  Direct 0    0            D   192.168.2.1     GigabitEthernet0/0/1
        192.168.2.1/32  Direct 0    0            D   10.10.10.1      InLoopBack0
        192.168.2.2/32  Direct 0    0            D   192.168.2.2     GigabitEthernet0/0/1
        192.168.3.0/24  Direct 0    0            D   192.168.3.1     GigabitEthernet0/0/2
        192.168.3.1/32  Direct 0    0            D   10.10.10.1      InLoopBack0
        192.168.3.2/32  Direct 0    0            D   192.168.3.2     GigabitEthernet0/0/2

  4. Configure a policy for advertising routes.

    # Configure an IP prefix list a2b on RouterA.

    [RouterA] ip ip-prefix a2b permit 192.168.1.0 24

    # Configure a policy for advertising routes on RouterA, and use the IP prefix list a2b to filter routes.

    [RouterA] ospf
    [RouterA-ospf-1] filter-policy ip-prefix a2b export

    # Check the IP routing table on RouterB. The command output shows that RouterB receives only the four routes defined in IP prefix list a2b.

    [RouterB] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 16       Routes : 16
    
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
    
         10.10.10.0/8   Direct 0    0            D   10.10.10.1      InLoopBack0
         10.10.10.1/32  Direct 0    0            D   10.10.10.1      InLoopBack0
        192.168.1.0/24  Direct 0    0            D   192.168.1.2     GigabitEthernet0/0/0
        192.168.1.1/32  Direct 0    0            D   192.168.1.1     GigabitEthernet0/0/0
        192.168.1.2/32  Direct 0    0            D   10.10.10.1      InLoopBack0
        192.168.2.0/24  Direct 0    0            D   192.168.2.1     GigabitEthernet0/0/1
        192.168.2.1/32  Direct 0    0            D   10.10.10.1      InLoopBack0
        192.168.2.2/32  Direct 0    0            D   192.168.2.2     GigabitEthernet0/0/1
        192.168.3.0/24  Direct 0    0            D   192.168.3.1     GigabitEthernet0/0/2
        192.168.3.1/32  Direct 0    0            D   10.10.10.1      InLoopBack0
        192.168.3.2/32  Direct 0    0            D   192.168.3.2     GigabitEthernet0/0/2

Configuration Files
  • Configuration file of RouterA

    #
     sysname RouterA
    #
    interface MEth0/0/0
     ip address 192.168.20.20 255.255.255.0 
    #
    interface GigabitEthernet0/0/0
     ip address 192.168.1.1 255.255.255.0
    #
    ospf 1
     filter-policy ip-prefix a2b export
     import-route direct
     area 0.0.0.0
      network 192.168.1.0 0.0.0.255
    #
    return
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    interface GigabitEthernet0/0/0
     ip address 192.168.1.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ip address 192.168.3.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.2.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 192.168.1.0 0.0.0.255
      network 192.168.2.0 0.0.0.255
      network 192.168.3.0 0.0.0.255
    #
    return
  • Configuration file of RouterC

    #
     sysname RouterC
    #
    interface GigabitEthernet0/0/0
     ip address 192.168.2.2 255.255.255.0
    #
    ospf 1
     filter-policy ip-prefix in import
     area 0.0.0.0
      network 192.168.2.0 0.0.0.255
    #
    return
  • Configuration file of RouterD

    #
     sysname RouterD
    #
    interface GigabitEthernet0/0/0
     ip address 192.168.3.2 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 192.168.3.0 0.0.0.255
    #
    return

Obsoleting Insecure Parameters

For historical reasons, routers must remain compatible with a great number of earlier versions that contain many insecure parameters. If those parameters are still used, security defense requirements can no longer be met, because the data processing capability of computers has increased significantly.

Algorithms and parameters of lower security levels must be replaced by those of higher security levels. The following table lists the replacements for security parameters.

Table 1-5  Replacement relationships for security algorithms and parameters

Security Parameter     Secure Parameter   Insecure Parameter
Encryption algorithm   AES                DES
Hash algorithm         SHA2               MD5
Software check         SHA2               CRC

Security Area Isolation

Access control policies are complex because the configuration models and services of devices are complex. The security defense policies of a device can be described properly using the logical model of security area isolation.

Figure 1-6  Model of the secure access control policies of devices

The external interfaces of a device are classified based on the following security areas:

  • Management network of the customer
  • Residential network of the user
  • Public network of the Internet

The following table lists the access control models used to achieve high-level security defense.

Table 1-6  Secure access control policies

Access Channel                                      Management Network         Residential Network of the User   Public Network of the Internet
Telnet/SSH/SNMP/Radius/TACACS/Syslog management     Trusted, access allowed    Untrusted, access denied          Untrusted, access denied
PPPoE/IPoE/web portal end-user dialing protocols    Untrusted, access denied   Trusted, access allowed           Untrusted, access denied
RIP/OSPF/BGP/IS-IS internetworking                  Untrusted, access denied   Untrusted, access denied          Trusted, access allowed

Access control policies help eliminate the security risks caused by access requests from untrusted networks to devices.

Example for Configuring Login to Devices Through Telnet Performed by Users in Different Isolated Areas

Networking Requirements

In Figure 1-7, the device connects to the residential network on the left with the interface GE2/0/0 in the network segment 10.1.2.0/24. The device connects to the management network on the top with the interface GE1/0/0 in the network segment 10.1.1.0/24. The device connects to the Internet on the right with the interface GE3/0/0 in the network segment 10.1.3.0/24.

Users on the management network are allowed to log in to the device using Telnet, whereas users on the residential network and Internet are not allowed to log in to the device using Telnet. This ensures the security of the device.

Figure 1-7  Model of the secure access control policies of devices

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure different access control policies on the device to isolate the management network, residential network, and Internet.
  2. Apply the access control policies on the interfaces of the device to restrict the Telnet authorities of users in different areas.
Data Preparation

To complete the configuration, you need the following data:

  • Network segment for the IP address of each area
  • ACL numbers and policy names
  • Applications
Procedure
  1. Configure access control policies.

    # Configure the ACLs that allow users in the network segment 10.1.1.0/24 to log in to the device using Telnet and prevent users in the network segments 10.1.2.0/24 and 10.1.3.0/24 from logging in to the device using Telnet.

    <Huawei> system-view
    [Huawei] acl number 3000
    [Huawei-acl-adv-3000] rule permit tcp destination-port eq telnet source 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3000] quit
    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule deny tcp destination-port eq telnet source 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] quit
    [Huawei] acl number 3002
    [Huawei-acl-adv-3002] rule deny tcp destination-port eq telnet source 10.1.3.0 0.0.0.255
    [Huawei-acl-adv-3002] quit
    

    # Configure traffic classifiers and define ACL-based matching rules.

    [Huawei] traffic classifier classifier1
    [Huawei-classifier-classifier1] if-match acl 3000
    [Huawei-classifier-classifier1] quit
    [Huawei] traffic classifier classifier2
    [Huawei-classifier-classifier2] if-match acl 3001
    [Huawei-classifier-classifier2] quit
    [Huawei] traffic classifier classifier3
    [Huawei-classifier-classifier3] if-match acl 3002
    [Huawei-classifier-classifier3] quit
    

    # Define traffic behaviors that allow users on the management network to log in to the device using Telnet and forbid users on other networks to log in to the device using Telnet.

    [Huawei] traffic behavior behavior1
    [Huawei-behavior-behavior1] quit
    [Huawei] traffic behavior behavior2
    [Huawei-behavior-behavior2] quit
    [Huawei] traffic behavior behavior3
    [Huawei-behavior-behavior3] quit
    

    # Define traffic policies to associate the traffic classifiers with the traffic behaviors.

    [Huawei] traffic policy policy1
    [Huawei-trafficpolicy-policy1] classifier classifier1 behavior behavior1
    [Huawei-trafficpolicy-policy1] quit
    [Huawei] traffic policy policy2
    [Huawei-trafficpolicy-policy2] classifier classifier2 behavior behavior2
    [Huawei-trafficpolicy-policy2] quit
    [Huawei] traffic policy policy3
    [Huawei-trafficpolicy-policy3] classifier classifier3 behavior behavior3
    [Huawei-trafficpolicy-policy3] quit
    
  2. Apply the access control policies.
    [Huawei] interface gigabitethernet 1/0/0
    [Huawei-GigabitEthernet1/0/0] ip address 10.1.1.100 255.255.255.0
    [Huawei-GigabitEthernet1/0/0] traffic-policy policy1 inbound
    [Huawei-GigabitEthernet1/0/0] quit
    [Huawei] interface gigabitethernet 2/0/0
    [Huawei-GigabitEthernet2/0/0] ip address 10.1.2.100 255.255.255.0
    [Huawei-GigabitEthernet2/0/0] traffic-policy policy2 inbound
    [Huawei-GigabitEthernet2/0/0] quit
    [Huawei] interface gigabitethernet 3/0/0
    [Huawei-GigabitEthernet3/0/0] ip address 10.1.3.100 255.255.255.0
    [Huawei-GigabitEthernet3/0/0] traffic-policy policy3 inbound
    [Huawei-GigabitEthernet3/0/0] quit
    
Configuration Files
  • Configuration file of the device
#
acl number 3000
 rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq telnet
#
acl number 3001
 rule 5 deny tcp source 10.1.2.0 0.0.0.255 destination-port eq telnet
#
acl number 3002
 rule 5 deny tcp source 10.1.3.0 0.0.0.255 destination-port eq telnet
#
traffic classifier classifier1 operator or
 if-match acl 3000
traffic classifier classifier3 operator or
 if-match acl 3002
traffic classifier classifier2 operator or
 if-match acl 3001
#
traffic behavior behavior3
traffic behavior behavior2
traffic behavior behavior1
#
traffic policy policy1
 share-mode
 classifier classifier1 behavior behavior1
traffic policy policy2
 share-mode
 classifier classifier2 behavior behavior2
traffic policy policy3
 share-mode
 classifier classifier3 behavior behavior3
#
dot1x-template 1
#
aaa
 authentication-scheme default0
 authentication-scheme default1
 authentication-scheme default
  authentication-mode local radius
 #
 authorization-scheme default
 #
 accounting-scheme default0
 accounting-scheme default1
 accounting-scheme default
 #
 domain default0
 domain default1
 domain default_admin
 domain default
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.100 255.255.255.0
 traffic-policy policy1 inbound
#
interface GigabitEthernet2/0/0
 ip address 10.1.2.100 255.255.255.0
 traffic-policy policy2 inbound
#
interface GigabitEthernet3/0/0
 ip address 10.1.3.100 255.255.255.0
 traffic-policy policy3 inbound
#
interface NULL0
#
interface LoopBack1
#
#
user-interface con 0
user-interface tty 1 32
user-interface aux 0
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 idle-timeout 0 0
user-interface vty 16 20
#
return
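The following Python module is an added example (not code from the Huawei guide) that evaluates Huawei-style ACL rules offline: it models the wildcard-mask matching and ascending-rule-number, first-match evaluation of the basic ACLs 2000 and 2001 (HTTP and SSH login control above) and of the advanced Telnet ACLs 3000 to 3002 in this section, so a rule set can be tried against sample source addresses before it is applied. The action for a packet that matches no rule is passed in by the caller, because on the device it depends on where the ACL is applied; that parameter is an assumption of the example.

```python
"""Offline evaluation of Huawei-style ACL rules.

Added example, not part of the Huawei guide. The rule text is the form used
in the configuration files of this section. The no-match action is a caller
supplied parameter (assumption: it depends on where the ACL is applied).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Port keywords accepted after 'destination-port eq' in the rules above.
_PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80}


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                       # "permit" or "deny"
    source: str                       # address, e.g. "192.168.5.0"
    wildcard: str                     # Huawei wildcard: 1 bits are "don't care", "0" = exact host
    protocol: Optional[str] = None    # "tcp" in advanced rules, None in basic rules
    dest_port: Optional[int] = None   # from 'destination-port eq', if present


def parse_rule(line: str, default_id: int) -> Rule:
    """Parse one 'rule ...' line; the rule number is optional on the CLI."""
    tok = line.split()
    if not tok or tok[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    i, rule_id = 1, default_id
    if tok[i].isdigit():
        rule_id, i = int(tok[i]), i + 1
    action, i = tok[i], i + 1
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    protocol = None
    if tok[i] != "source":            # advanced rules name a protocol first
        protocol, i = tok[i], i + 1
    source = wildcard = None
    dest_port = None
    while i < len(tok):
        if tok[i] == "source":
            source, wildcard, i = tok[i + 1], tok[i + 2], i + 3
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            port = tok[i + 2]
            dest_port = _PORT_NAMES[port] if port in _PORT_NAMES else int(port)
            i += 3
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    if source is None:
        raise ValueError(f"rule has no source: {line!r}")
    return Rule(rule_id, action, source, wildcard, protocol, dest_port)


def parse_acl(config: str) -> list[Rule]:
    """Collect the rule lines of one ACL block; unnumbered rules get 5, 10, 15, ..."""
    rules = []
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("rule "):
            rules.append(parse_rule(line, default_id=5 * (len(rules) + 1)))
    return rules


def source_matches(rule: Rule, src: str) -> bool:
    """Compare only the bits the wildcard marks as significant (0 bits)."""
    wild = 0 if rule.wildcard == "0" else int(IPv4Address(rule.wildcard))
    care = ~wild & 0xFFFFFFFF
    return (int(IPv4Address(src)) & care) == (int(IPv4Address(rule.source)) & care)


def evaluate(rules, src, protocol=None, dest_port=None, default="permit"):
    """First matching rule in ascending rule-number order decides; else `default`."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.protocol is not None and rule.protocol != protocol:
            continue
        if rule.dest_port is not None and rule.dest_port != dest_port:
            continue
        if source_matches(rule, src):
            return rule.action, rule.rule_id
    return default, None


# ACLs copied from the configuration files in this section.
ACL_2000 = parse_acl("""
acl number 2000
 rule 5 permit source 192.168.6.10 0
 rule 10 permit source 192.168.5.0 0.0.0.255
""")
ACL_2001 = parse_acl("""
acl number 2001
 rule 5 permit source 10.136.23.10 0
 rule 10 deny source 10.136.23.20 0
""")
ACL_3001 = parse_acl("""
acl number 3001
 rule 5 deny tcp source 10.1.2.0 0.0.0.255 destination-port eq telnet
""")

if __name__ == "__main__":
    for src in ("192.168.6.10", "192.168.5.77", "192.168.6.11"):
        print("ACL 2000", src, evaluate(ACL_2000, src, default="deny"))
    print("ACL 3001 telnet from 10.1.2.9", evaluate(ACL_3001, "10.1.2.9", "tcp", 23))
    print("ACL 3001 ssh from 10.1.2.9", evaluate(ACL_3001, "10.1.2.9", "tcp", 22))
```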

Deploying the HWTACACS for Command-Line Authorization

Devices have a large number of command lines because their configuration models and services are complex. To simplify device management and maintenance, devices manage permissions based on roles rather than identities. Therefore, when an administrator is authorized, all command lines of the corresponding level are made available to the administrator.

In actual network operation and maintenance, the administrator does not require all the command-line permissions of the corresponding level. The Huawei Terminal Access Controller Access-Control System (HWTACACS) is deployed to limit the set of command lines that the administrator can use.

Configure HWTACACS command-line authorization on the device and authorize command lines on the HWTACACS server to complete the configuration.

Example for Configuring Command-Line Authorization for Users Based on the HWTACACS Protocol

Networking Requirements

In Figure 1-8, the user uses a device to access the network. The user is in the huawei domain and belongs to level 3, but the user does not need to execute all the level 3 commands. The HWTACACS protocol is used to authorize the user based on command lines to simplify management and ensure device security.

The IP address of the HWTACACS server is 10.10.10.1/24, and both the authentication port number and the authorization port number are 49.

Figure 1-8  Command-line authorization based on the TACACS

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an HWTACACS server template.
  2. Configure an authentication scheme and an authorization scheme to authorize the user based on command lines.
  3. Apply the HWTACACS server template, authentication scheme, and authorization scheme.
Data Preparation

To complete the configuration, you need the following data:

  • IP address of the HWTACACS authentication server
  • IP address of the HWTACACS authorization server
  • Shared key of the HWTACACS authentication server and authorization server
Procedure
  1. Configure an HWTACACS server template.

    # Configure the HWTACACS server template ht.

    <Huawei> system-view
    [Huawei] hwtacacs enable
    [Huawei] hwtacacs-server template ht
    

    # Configure the IP addresses and ports of the HWTACACS authentication server and HWTACACS authorization server.

    [Huawei-hwtacacs-ht] hwtacacs-server authentication 10.10.10.1 49
    [Huawei-hwtacacs-ht] hwtacacs-server authorization 10.10.10.1 49
    

    # Configure the key of the HWTACACS server.

    [Huawei-hwtacacs-ht] hwtacacs-server shared-key cipher it-is-my-secret
    [Huawei-hwtacacs-ht] quit
    
  2. Configure an authentication scheme and an authorization scheme to authorize the user based on command lines.

    # Enter the AAA view.

    [Huawei] aaa

    # Configure the authentication scheme to be l-h and the authentication mode to be HWTACACS.

    [Huawei-aaa] authentication-scheme l-h
    [Huawei-aaa-authen-l-h] authentication-mode hwtacacs
    [Huawei-aaa-authen-l-h] quit
    

    # Configure the authorization scheme to be hwtacacs and the authorization mode to be HWTACACS so that the level 3 user is authorized based on command lines.

    [Huawei-aaa] authorization-scheme hwtacacs
    [Huawei-aaa-author-hwtacacs] authorization-mode hwtacacs
    [Huawei-aaa-author-hwtacacs] authorization-cmd 3 hwtacacs
    [Huawei-aaa-author-hwtacacs] quit
    
  3. Configure the huawei domain. Use the l-h authentication scheme, HWTACACS authorization scheme, and ht HWTACACS template in the domain.
    [Huawei-aaa] domain huawei
    [Huawei-aaa-domain-huawei] authentication-scheme l-h
    [Huawei-aaa-domain-huawei] authorization-scheme hwtacacs
    [Huawei-aaa-domain-huawei] hwtacacs-server ht
    [Huawei-aaa-domain-huawei] quit
    [Huawei-aaa] quit
    
  4. Verify the configuration.

    Run the display authorization-scheme command on the device to check that the level 3 user is authorized based on command lines.

    <Huawei> display authorization-scheme hwtacacs
    ---------------------------------------------------------------------------
     Authorization-scheme-name               : hwtacacs
     Authorization-method                    : HWTACACS
     Authorization-cmd level 0               : Disabled
     Authorization-cmd level 1               : Disabled
     Authorization-cmd level 2               : Disabled
     Authorization-cmd level 3      : enabled  ( HWTACACS )
     Authorization-cmd level 4               : Disabled
     Authorization-cmd level 5               : Disabled
     Authorization-cmd level 6               : Disabled
     Authorization-cmd level 7               : Disabled
     Authorization-cmd level 8               : Disabled
     Authorization-cmd level 9               : Disabled
     Authorization-cmd level 10              : Disabled
     Authorization-cmd level 11              : Disabled
     Authorization-cmd level 12              : Disabled
     Authorization-cmd level 13              : Disabled
     Authorization-cmd level 14              : Disabled
     Authorization-cmd level 15              : Disabled
     Authorization-cmd no-response-policy    : Online
    
Configuration Files
#
hwtacacs-server template ht
 hwtacacs-server authentication 10.10.10.1
 hwtacacs-server authorization 10.10.10.1
 hwtacacs-server shared-key cipher %@%@TPdFA(LX/8=j)9O/[\]WmHuX%@%@ 
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs
 accounting-scheme default
 domain default
 domain default_admin
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  hwtacacs-server ht   
#
return

Access Control Based on Trusted Paths

Because IP networks are open, anyone can access or attack a target host as long as routes are reachable.

For a given host, the path along which packets from its clients arrive is fixed, especially at the edge of a network.

In a telecommunication network, the topology of the neighboring NEs connected to a device is determined at the network planning stage and is rarely modified during network operation.

Based on the preceding assumptions, a trusted-path-based access control policy can be configured on the device to improve network security.

Figure 1-9  Reverse-path forwarding model of unicast reverse path forwarding (URPF)

URPF is deployed to determine whether the source IP address of a packet is valid. If the path on which the packet arrived is inconsistent with the reverse path learned by URPF, the packet is discarded. URPF therefore helps to prevent network attacks that rely on spoofed source IP addresses.

Example for Configuring URPF
Networking Requirements

As shown in Figure 1-10, the R&D department of an enterprise connects to GE2/0/0 of RouterA, and the marketing department connects to GE1/0/0. RouterA has a reachable route to an external server, and users in the R&D and marketing departments are allowed to connect to the server through RouterA. RouterA must prevent staff in other departments from accessing the server without permission by spoofing source IP addresses.

Figure 1-10  Networking diagram of URPF configuration

Configuration Roadmap

The configuration roadmap is as follows:

Configure URPF on GE1/0/0 and GE2/0/0, and allow special processing for the default route.

Procedure

  1. Configure URPF on the interface.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] undo portswitch
    [RouterA-GigabitEthernet1/0/0] urpf strict allow-default-route
    [RouterA-GigabitEthernet1/0/0] ip address 10.10.1.5 24
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] undo portswitch
    [RouterA-GigabitEthernet2/0/0] ip address 10.10.2.5 24
    [RouterA-GigabitEthernet2/0/0] urpf strict allow-default-route
    

  2. Verify the configuration.

    # Run the display this command on GE1/0/0 to check the URPF configuration.

    [RouterA-gigabitethernet1/0/0] display this
    #
    interface GigabitEthernet1/0/0
     undo portswitch
     ip address 10.10.1.5 255.255.255.0
     urpf strict allow-default-route
    #
    return
    

    # Run the display this command on GE2/0/0 to check the URPF configuration.

    [RouterA-gigabitethernet2/0/0] display this
    #
    interface GigabitEthernet2/0/0
     undo portswitch
     ip address 10.10.2.5 255.255.255.0
     urpf strict allow-default-route
    #
    return

Configuration Files

Configuration files on RouterA

#
sysname RouterA
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 10.10.1.5 255.255.255.0
 urpf strict allow-default-route
#
interface GigabitEthernet2/0/0
 undo portswitch
 ip address 10.10.2.5 255.255.255.0
 urpf strict allow-default-route
#
return
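
The reverse-path check described above, as an added example (not the guide's or the device's own code): a Python model of strict URPF with allow-default-route on RouterA. The GE1/0/0 and GE2/0/0 prefixes come from the configuration above; the default route through an assumed uplink GE3/0/0 toward the server, and the pass/drop rules themselves (longest-prefix match on the source, reverse path must leave through the receiving interface, default route counts only when allow-default-route is set), are this example's assumptions.

```python
"""Model of the strict URPF check with allow-default-route on RouterA.

Added example, not device code. The two access prefixes come from the
configuration above; the default route via GE3/0/0 and the check rules
are assumptions of this example.
"""
import ipaddress

# Constructed FIB of RouterA: prefix -> outbound interface.
FIB = {
    ipaddress.ip_network("10.10.1.0/24"): "GE1/0/0",  # R&D department
    ipaddress.ip_network("10.10.2.0/24"): "GE2/0/0",  # marketing department
    ipaddress.ip_network("0.0.0.0/0"): "GE3/0/0",     # assumed uplink to the server
}


def lookup(fib, src):
    """Longest-prefix match of a source address; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


class UrpfInterface:
    """One interface with a URPF policy and per-interface pass/drop counters."""

    def __init__(self, name, mode="strict", allow_default_route=False):
        self.name = name
        self.mode = mode                      # "strict" or "loose"
        self.allow_default_route = allow_default_route
        self.passed = 0
        self.dropped = 0

    def check(self, fib, src):
        """Return True if a packet with source address src passes URPF here."""
        match = lookup(fib, src)
        if match is None:
            ok = False                                 # no route back to the source
        else:
            prefix, out_iface = match
            if prefix.prefixlen == 0 and not self.allow_default_route:
                ok = False                             # only the default route matches
            elif self.mode == "loose":
                ok = True                              # any reverse route is enough
            else:
                ok = out_iface == self.name            # strict: must be the receiving interface
        if ok:
            self.passed += 1
        else:
            self.dropped += 1
        return ok


def run_scenario():
    """Replay constructed source addresses on RouterA's interfaces; returns the verdicts."""
    ge1 = UrpfInterface("GE1/0/0", "strict", allow_default_route=True)
    ge2 = UrpfInterface("GE2/0/0", "strict", allow_default_route=True)
    ge3_allow = UrpfInterface("GE3/0/0", "strict", allow_default_route=True)
    ge3_deny = UrpfInterface("GE3/0/0", "strict", allow_default_route=False)
    return {
        # R&D host sending from its own segment on its own interface
        "rd_host_on_ge1": ge1.check(FIB, "10.10.1.20"),
        # marketing address spoofed by a host behind GE1/0/0: reverse path is GE2/0/0
        "spoofed_marketing_on_ge1": ge1.check(FIB, "10.10.2.20"),
        # genuine marketing host on GE2/0/0
        "marketing_host_on_ge2": ge2.check(FIB, "10.10.2.20"),
        # source known only through the default route, arriving on an access interface
        "default_only_on_ge1": ge1.check(FIB, "192.0.2.7"),
        # same source on the uplink: the default route leaves through GE3/0/0
        "default_only_on_uplink": ge3_allow.check(FIB, "192.0.2.7"),
        # same source on the uplink without allow-default-route
        "default_only_on_uplink_no_default": ge3_deny.check(FIB, "192.0.2.7"),
        "ge1_dropped": ge1.dropped,
    }
```
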

Example for Configuring DHCP Snooping Attack Defense
Networking Requirements

In Figure 1-11, RouterA and RouterB are access devices, and RouterC is a DHCP relay agent. Client1 and Client2 are connected to RouterA through Eth0/0/1 and Eth2/0/1 respectively. Client3 is connected to RouterB through Eth0/0/1. Client1 and Client3 obtain IP addresses using DHCP, while Client2 uses a static IP address. Attacks from unauthorized users prevent authorized users from obtaining IP addresses. The administrator needs to enable the device to defend against DHCP attacks on the network so that DHCP clients are served reliably.

Figure 1-11  Networking diagram for configuring DHCP snooping attack defense

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable DHCP snooping.
  2. Configure an interface as the trusted interface to ensure that DHCP clients obtain IP addresses from the authorized server.
  3. Enable association between ARP and DHCP snooping so that the device updates the binding entries when a DHCP user goes offline.
  4. Enable the device to check DHCP messages against the binding table to prevent bogus DHCP message attacks.
  5. Set the maximum number of access DHCP clients and enable the device to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message to prevent DHCP server DoS attacks.
  6. Configure the trap function for the number of discarded messages and the rate limit.

Procedure

  1. Enable DHCP snooping.

    # Enable DHCP snooping globally.

    <Huawei> system-view
    [Huawei] sysname RouterC
    [RouterC] dhcp enable
    [RouterC] dhcp snooping enable

    # Enable DHCP snooping on the user-side interface. Eth0/0/1 is used as an example. The configuration on Eth2/0/1 is the same as the configuration on Eth0/0/1 and is not mentioned here.

    [RouterC] interface ethernet 0/0/1
    [RouterC-Ethernet0/0/1] dhcp snooping enable
    [RouterC-Ethernet0/0/1] quit

  2. Configure the interface connected to the DHCP server as the trusted interface.

    [RouterC] interface ethernet 2/0/2 
    [RouterC-Ethernet2/0/2] dhcp snooping trusted 
    [RouterC-Ethernet2/0/2] quit

  3. Enable association between ARP and DHCP snooping.

    [RouterC] arp dhcp-snooping-detect enable

  4. Enable the device to check DHCP messages against the DHCP snooping binding table.

    # Configure the user-side interface. Eth0/0/1 is used as an example. The configuration on Eth2/0/1 is the same as the configuration on Eth0/0/1 and is not mentioned here.

    [RouterC] interface ethernet 0/0/1 
    [RouterC-Ethernet0/0/1] dhcp snooping check user-bind enable 
    [RouterC-Ethernet0/0/1] quit

  5. Enable the device to check whether the GIADDR field in a DHCP Request message is 0.

    # Configure the user-side interface. Eth0/0/1 is used as an example. The configuration on Eth2/0/1 is the same as the configuration on Eth0/0/1 and is not mentioned here.

    [RouterC] interface ethernet 0/0/1
    [RouterC-Ethernet0/0/1] dhcp snooping check dhcp-giaddr enable
    [RouterC-Ethernet0/0/1] quit

  6. Set the maximum number of access users allowed on the interface and enable the device to check the CHADDR field.

    # Configure the user-side interface. Eth0/0/1 is used as an example. The configuration on Eth2/0/1 is the same as the configuration on Eth0/0/1 and is not mentioned here.

    [RouterC] interface ethernet 0/0/1 
    [RouterC-Ethernet0/0/1] dhcp snooping max-user-number 20
    [RouterC-Ethernet0/0/1] dhcp snooping check mac-address enable
    [RouterC-Ethernet0/0/1] quit

  7. Configure the trap function for the number of discarded messages and the rate limit.

    # Enable the trap function for discarding messages and set the alarm threshold. Eth0/0/1 is used as an example. The configuration on Eth2/0/1 is the same as the configuration on Eth0/0/1 and is not mentioned here.

    [RouterC] interface ethernet 0/0/1
    [RouterC-Ethernet0/0/1] dhcp snooping alarm mac-address enable
    [RouterC-Ethernet0/0/1] dhcp snooping alarm user-bind enable
    [RouterC-Ethernet0/0/1] dhcp snooping alarm untrust-reply enable
    [RouterC-Ethernet0/0/1] dhcp snooping alarm mac-address threshold 120 
    [RouterC-Ethernet0/0/1] dhcp snooping alarm user-bind threshold 120 
    [RouterC-Ethernet0/0/1] dhcp snooping alarm untrust-reply threshold 120 
    [RouterC-Ethernet0/0/1] quit 

  8. Verify the configuration.

    # Run the display dhcp snooping configuration command to view the DHCP snooping configuration.

    [RouterC] display dhcp snooping configuration
    #                                                                               
    dhcp snooping enable                                                            
    arp dhcp-snooping-detect enable                                                 
    #                                                                               
    interface Ethernet0/0/1                                        
     dhcp snooping enable                                                          
     dhcp snooping check dhcp-giaddr enable  
     dhcp snooping check user-bind enable                                           
     dhcp snooping alarm user-bind enable                                           
     dhcp snooping alarm user-bind threshold 120                                    
     dhcp snooping check mac-address enable                                         
     dhcp snooping alarm mac-address enable                                         
     dhcp snooping alarm mac-address threshold 120                                  
     dhcp snooping alarm untrust-reply enable                                       
     dhcp snooping alarm untrust-reply threshold 120                                
     dhcp snooping max-user-number 20
    #                                                                               
    interface Ethernet2/0/1                                        
     dhcp snooping enable                                                          
     dhcp snooping check dhcp-giaddr enable  
     dhcp snooping check user-bind enable                                           
     dhcp snooping alarm user-bind enable                                           
     dhcp snooping alarm user-bind threshold 120                                    
     dhcp snooping check mac-address enable                                         
     dhcp snooping alarm mac-address enable                                         
     dhcp snooping alarm mac-address threshold 120                                  
     dhcp snooping alarm untrust-reply enable                                       
     dhcp snooping alarm untrust-reply threshold 120                                
     dhcp snooping max-user-number 20
    #                                                                               
    interface Ethernet2/0/2                
     dhcp snooping trusted                                                          
    #                                                           

    # Run the display dhcp snooping interface command to view DHCP snooping information on an interface.

    [RouterC] display dhcp snooping interface ethernet 0/0/1
     DHCP snooping running information for interface Ethernet0/0/1 :        
     DHCP snooping                            : Enable                              
     Trusted interface                        : No                                  
     Dhcp user max number                     : 20                                  
     Current dhcp user number                 : 0                                   
     Check dhcp-giaddr                        : Enable                              
     Check dhcp-chaddr                        : Enable                              
     Alarm dhcp-chaddr                        : Enable                              
     Alarm dhcp-chaddr threshold              : 120                                 
     Discarded dhcp packets for check chaddr  : 0                                   
     Check dhcp-request                       : Enable                              
     Alarm dhcp-request                       : Enable                              
     Alarm dhcp-request threshold             : 120                                 
     Discarded dhcp packets for check request : 0                                   
     Alarm dhcp-reply                         : Enable                              
     Alarm dhcp-reply threshold               : 120                                 
     Discarded dhcp packets for check reply   : 0                                   
    [RouterC] display dhcp snooping interface ethernet 2/0/2
     DHCP snooping running information for interface Ethernet2/0/2 :         
     DHCP snooping                            : Disable  (default)                  
     Trusted interface                        : Yes                                 
     Dhcp user max number                     : 512    (default)                  
     Current dhcp user number                 : 0                                   
     Check dhcp-giaddr                        : Disable  (default)                  
     Check dhcp-chaddr                        : Disable  (default)                  
     Alarm dhcp-chaddr                        : Disable  (default)                  
     Check dhcp-request                       : Disable  (default)                  
     Alarm dhcp-request                       : Disable  (default)                  
     Alarm dhcp-reply                         : Disable  (default)   

Configuration Files

RouterC configuration file

#                                                                               
sysname RouterC
#                                                                               
dhcp enable                                                                     
#                                                                               
dhcp snooping enable                                                        
arp dhcp-snooping-detect enable   
#
interface Ethernet0/0/1
 dhcp snooping enable                                                           
 dhcp snooping check dhcp-giaddr enable                                         
 dhcp snooping check user-bind enable                                           
 dhcp snooping alarm user-bind enable                                           
 dhcp snooping alarm user-bind threshold 120                                    
 dhcp snooping check mac-address enable                                         
 dhcp snooping alarm mac-address enable                                         
 dhcp snooping alarm mac-address threshold 120                                  
 dhcp snooping alarm untrust-reply enable                                       
 dhcp snooping alarm untrust-reply threshold 120                                
 dhcp snooping max-user-number 20 
#
interface Ethernet2/0/1
 dhcp snooping enable                                                           
 dhcp snooping check dhcp-giaddr enable                                         
 dhcp snooping check user-bind enable                                           
 dhcp snooping alarm user-bind enable                                           
 dhcp snooping alarm user-bind threshold 120                                    
 dhcp snooping check mac-address enable                                         
 dhcp snooping alarm mac-address enable                                         
 dhcp snooping alarm mac-address threshold 120                                  
 dhcp snooping alarm untrust-reply enable                                       
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping max-user-number 20 
#
interface Ethernet2/0/2
 dhcp snooping trusted
#
return
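
The checks enabled on the user-side interfaces above, as an added example (not the guide's or the device's own code): a Python model that applies them to constructed DHCP messages and keeps the discard counters and alarm threshold the configuration sets. The message fields, client MACs, addresses and binding entries are constructed, and which messages are compared with the binding table (REQUEST, RELEASE and DECLINE that carry a client address) is this example's assumption.

```python
"""Model of the DHCP snooping checks configured on Ethernet0/0/1 above.

Added example, not device code. Messages are reduced to the fields the
checks use; all MACs, addresses and bindings are constructed.
"""
from dataclasses import dataclass, field

REPLIES = {"OFFER", "ACK", "NAK"}                        # only a DHCP server sends these
BINDING_CHECKED = {"REQUEST", "RELEASE", "DECLINE"}      # assumption: checked when ciaddr is set
ALARMED = {"untrust-reply", "mac-address", "user-bind"}  # the three alarms configured above


@dataclass
class DhcpMessage:
    eth_src: str                 # source MAC in the Ethernet header
    kind: str                    # DISCOVER, REQUEST, RELEASE, DECLINE, OFFER, ACK, NAK
    chaddr: str                  # client hardware address inside the DHCP message
    ciaddr: str = "0.0.0.0"      # client IP address; non-zero on renew or release
    giaddr: str = "0.0.0.0"      # relay agent address; a client must leave it 0


@dataclass
class SnoopingPort:
    name: str
    trusted: bool = False
    max_users: int = 20
    alarm_threshold: int = 120
    bindings: dict = field(default_factory=dict)   # MAC -> IP, learnt from server ACKs
    drops: dict = field(default_factory=dict)      # reason -> discarded message count
    traps: list = field(default_factory=list)

    def _drop(self, reason):
        self.drops[reason] = self.drops.get(reason, 0) + 1
        if reason in ALARMED and self.drops[reason] == self.alarm_threshold:
            self.traps.append(f"{self.name}: {reason} discards reached {self.alarm_threshold}")
        return "drop:" + reason

    def receive(self, m):
        """Apply the checks in order; returns 'forward' or 'drop:<reason>'."""
        if self.trusted:
            return "forward"                            # the server-side port is not checked
        if m.kind in REPLIES:
            return self._drop("untrust-reply")          # server reply arriving on a user port
        if m.chaddr.lower() != m.eth_src.lower():
            return self._drop("mac-address")            # forged CHADDR (server DoS attempt)
        if m.giaddr != "0.0.0.0":
            return self._drop("dhcp-giaddr")            # clients never set GIADDR
        if m.kind in BINDING_CHECKED and m.ciaddr != "0.0.0.0":
            if self.bindings.get(m.chaddr.lower()) != m.ciaddr:
                return self._drop("user-bind")          # bogus renew/release for another user
        return "forward"

    def learn(self, mac, ip):
        """Record a binding when the server's ACK is seen; honours max-user-number."""
        mac = mac.lower()
        if mac not in self.bindings and len(self.bindings) >= self.max_users:
            return False
        self.bindings[mac] = ip
        return True


def run_scenario():
    """Replay constructed traffic on a user port; returns the verdicts and counters."""
    port = SnoopingPort("Ethernet0/0/1", max_users=20, alarm_threshold=120)
    c1 = "00e0-fc00-0001"
    r = {}
    r["discover"] = port.receive(DhcpMessage(c1, "DISCOVER", c1))
    port.learn(c1, "10.1.1.10")                         # ACK for Client1 seen on trusted port
    r["renew"] = port.receive(DhcpMessage(c1, "REQUEST", c1, ciaddr="10.1.1.10"))
    r["bogus_release"] = port.receive(
        DhcpMessage("00e0-fc00-0099", "RELEASE", "00e0-fc00-0099", ciaddr="10.1.1.10"))
    r["rogue_offer"] = port.receive(DhcpMessage("00e0-fc00-0055", "OFFER", c1))
    r["giaddr_set"] = port.receive(
        DhcpMessage("00e0-fc00-0003", "DISCOVER", "00e0-fc00-0003", giaddr="10.1.1.1"))
    # 120 DISCOVERs whose CHADDR differs from the frame source reach the alarm threshold
    for i in range(120):
        r["forged_chaddr"] = port.receive(
            DhcpMessage("00e0-fc00-0002", "DISCOVER", f"00e0-fc00-{0x1000 + i:04x}"))
    r["mac_drops"] = port.drops["mac-address"]
    r["traps"] = len(port.traps)
    # max-user-number on a small port: the third client gets no binding entry
    small = SnoopingPort("Ethernet2/0/1", max_users=2)
    r["over_max"] = [small.learn(f"00e0-fc00-10{i:02x}", f"10.1.2.{i}") for i in range(1, 4)]
    return r
```
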

Access Control Based on the Path Distance

Devices are deployed on customer networks to forward packets. Only a limited number of hosts need to access a device, and the path along which a host's packets reach the device, and therefore the number of hops on that path, is fixed.

The device can be configured to discard packets that have travelled more hops than this fixed path distance allows. This blocks attacks from untrusted networks and protects the device.

Figure 1-12  GTSM access control model based on the path distance

Example for Configuring BGP GTSM
Networking Requirements

As shown in Figure 1-13, Router A belongs to AS 10, and Router B, Router C, and Router D belong to AS 20. BGP runs on the network, and Router B needs to be protected against CPU-utilization attacks.

Figure 1-13  Networking diagram for configuring BGP GTSM

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure OSPF on Router B, Router C, and Router D to implement interworking in AS 20.
  2. Set up an EBGP connection between Router A and Router B, and set up IBGP connections between Router B, Router C, and Router D through loopback interfaces.
  3. Configure GTSM on Router A, Router B, Router C, and Router D to protect Router B against CPU-utilization attacks.

Procedure

  1. Configure an IP address for each interface.

    # Configure IP addresses for all interfaces of RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] undo portswitch
    [RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit

    The configurations of RouterB, RouterC, and RouterD are similar to the configuration of RouterA and are not mentioned here.

  2. Configure OSPF.

    # Configure RouterB.

    [RouterB] ospf
    [RouterB-ospf-1] area 0
    [RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] quit
    [RouterB-ospf-1] area 1
    [RouterB-ospf-1-area-0.0.0.1] network 2.2.2.9 0.0.0.0
    [RouterB-ospf-1-area-0.0.0.1] quit
    [RouterB-ospf-1] quit

    # Configure RouterC.

    [RouterC] ospf
    [RouterC-ospf-1] area 0
    [RouterC-ospf-1-area-0.0.0.0] network 20.1.2.0 0.0.0.255
    [RouterC-ospf-1-area-0.0.0.0] quit
    [RouterC-ospf-1] area 1
    [RouterC-ospf-1-area-0.0.0.1] network 20.1.1.0 0.0.0.255
    [RouterC-ospf-1-area-0.0.0.1] quit
    [RouterC-ospf-1] area 2
    [RouterC-ospf-1-area-0.0.0.2] network 3.3.3.9 0.0.0.0
    [RouterC-ospf-1-area-0.0.0.2] quit
    [RouterC-ospf-1] quit

    # Configure RouterD.

    [RouterD] ospf
    [RouterD-ospf-1] area 0
    [RouterD-ospf-1-area-0.0.0.0] network 20.1.2.0 0.0.0.255
    [RouterD-ospf-1-area-0.0.0.0] quit
    [RouterD-ospf-1] area 1
    [RouterD-ospf-1-area-0.0.0.1] network 4.4.4.9 0.0.0.0
    [RouterD-ospf-1-area-0.0.0.1] quit
    [RouterD-ospf-1] quit

  3. Configure an IBGP connection.

    # Configure Router B.

    [RouterB] bgp 20
    [RouterB-bgp] router-id 2.2.2.9
    [RouterB-bgp] peer 3.3.3.9 as-number 20
    [RouterB-bgp] peer 3.3.3.9 connect-interface LoopBack0
    [RouterB-bgp] peer 3.3.3.9 next-hop-local
    [RouterB-bgp] peer 4.4.4.9 as-number 20
    [RouterB-bgp] peer 4.4.4.9 connect-interface LoopBack0
    [RouterB-bgp] peer 4.4.4.9 next-hop-local

    # Configure Router C.

    [RouterC] bgp 20
    [RouterC-bgp] router-id 3.3.3.9
    [RouterC-bgp] peer 2.2.2.9 as-number 20
    [RouterC-bgp] peer 2.2.2.9 connect-interface LoopBack0
    [RouterC-bgp] peer 4.4.4.9 as-number 20
    [RouterC-bgp] peer 4.4.4.9 connect-interface LoopBack0

    # Configure Router D.

    [RouterD] bgp 20
    [RouterD-bgp] router-id 4.4.4.9
    [RouterD-bgp] peer 2.2.2.9 as-number 20
    [RouterD-bgp] peer 2.2.2.9 connect-interface LoopBack0
    [RouterD-bgp] peer 3.3.3.9 as-number 20
    [RouterD-bgp] peer 3.3.3.9 connect-interface LoopBack0

  4. Configure an EBGP connection.

    # Configure Router A.

    [RouterA] bgp 10
    [RouterA-bgp] router-id 1.1.1.9
    [RouterA-bgp] peer 10.1.1.2 as-number 20

    # Configure Router B.

    [RouterB-bgp] peer 10.1.1.1 as-number 10

    # Display the connection status of the BGP peers.

    [RouterB-bgp] display bgp peer
     BGP local router ID : 2.2.2.9
     Local AS number : 20
     Total number of peers : 3                 Peers in established state : 3
    
      Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
    
      3.3.3.9         4    20        8        7     0 00:05:06 Established       0
      4.4.4.9         4    20        8       10     0 00:05:33 Established       0
      10.1.1.1        4    10        7        7     0 00:04:09 Established       0

    The output shows that Router B has established BGP connections with the other routers.

  5. Configure GTSM on Router A and Router B. Router A and Router B are directly connected, so the TTL of BGP packets exchanged between them must be in the range [255, 255], and valid-ttl-hops is set to 1.

    # Configure GTSM on Router A.

    [RouterA-bgp] peer 10.1.1.2 valid-ttl-hops 1

    # Configure GTSM of the EBGP connection on Router B.

    [RouterB-bgp] peer 10.1.1.1 valid-ttl-hops 1

    # Check the GTSM configuration.

    [RouterB-bgp] display bgp peer 10.1.1.1 verbose
             BGP Peer is 10.1.1.1,  remote AS 10
             Type: EBGP link
             BGP version 4, Remote router ID 1.1.1.9
    
             Update-group ID : 2
             BGP current state: Established, Up for 00h49m35s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             
             Advertised total routes: 0
             Port:  Local - 179      Remote - 52876
             Configured: Connect-retry Time: 32 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 59 messages
                      Update messages                0
                      Open messages                  2
                      KeepAlive messages             57
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 79 messages
                      Update messages                5
                      Open messages                  2
                      KeepAlive messages             71
                      Notification messages          1
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2011/09/25 16:41:19                                   
     Last keepalive sent    : 2011/09/25 16:41:22                                   
     Last update    received: 2011/09/25 16:11:28
     Last update    sent    : 2011/09/25 16:11:32
     Minimum route advertisement interval is 30 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled, the valid hop count is 1, and the BGP connection is in the Established state.

  6. Configure GTSM on Router B and Router C. Router B and Router C are directly connected, so the TTL of BGP packets exchanged between them must be in the range [255, 255], and valid-ttl-hops is set to 1.

    # Configure GTSM on Router B.

    [RouterB-bgp] peer 3.3.3.9 valid-ttl-hops 1

    # Configure GTSM of the IBGP connection on Router C.

    [RouterC-bgp] peer 2.2.2.9 valid-ttl-hops 1

    # View the GTSM configuration.

    [RouterB-bgp] display bgp peer 3.3.3.9 verbose
             BGP Peer is 3.3.3.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 3.3.3.9
    
             Update-group ID : 0
             BGP current state: Established, Up for 00h54m36s
             BGP current event: KATimerExpired
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             
             Advertised total routes: 0
             Port:  Local - 54998    Remote - 179
             Configured: Connect-retry Time: 32 sec 
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 63 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             62
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 69 messages
                      Update messages                10
                      Open messages                  1
                      KeepAlive messages             58
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2011/09/25 16:46:19                                   
     Last keepalive sent    : 2011/09/25 16:46:21                                   
     Last update    received: 2011/09/25 16:11:28
     Last update    sent    : 2011/09/25 16:11:32
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Nexthop self has been configured
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled, the valid hop count is 1, and the BGP connection is in the Established state.

  7. Configure GTSM on Router C and Router D. Router C and Router D are directly connected, so the TTL of BGP packets exchanged between them must be in the range [255, 255], and valid-ttl-hops is set to 1.

    # Configure GTSM of the IBGP connection on Router C.

    [RouterC-bgp] peer 4.4.4.9 valid-ttl-hops 1

    # Configure GTSM of the IBGP connection on Router D.

    [RouterD-bgp] peer 3.3.3.9 valid-ttl-hops 1

    # Check the GTSM configuration.

    [RouterC-bgp] display bgp peer 4.4.4.9 verbose
             BGP Peer is 4.4.4.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 4.4.4.9
    
             Update-group ID : 1
             BGP current state: Established, Up for 00h56m06s
             BGP current event: KATimerExpired
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             
             Advertised total routes: 0
             Port:  Local - 179      Remote - 53758
             Configured: Connect-retry Time: 32 sec 
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 63 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             62
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 63 messages
                      Update messages                0
                      Open messages                  2
                      KeepAlive messages             61
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2011/09/25 16:47:19                                   
     Last keepalive sent    : 2011/09/25 16:47:21                                   
     Last update    received: 2011/09/25 16:11:28 
     Last update    sent    : 2011/09/25 16:11:32 
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled, the valid hop count is 1, and the BGP connection is in the Established state.

  8. Configure GTSM on Router B and Router D. Router B and Router D are connected through Router C, so the TTL of BGP packets exchanged between them must be in the range [254, 255], and valid-ttl-hops is set to 2.

    # Configure GTSM of the IBGP connection on Router B.

    [RouterB-bgp] peer 4.4.4.9 valid-ttl-hops 2

    # Configure GTSM on Router D.

    [RouterD-bgp] peer 2.2.2.9 valid-ttl-hops 2

    # Check the GTSM configuration.

    [RouterB-bgp] display bgp peer 4.4.4.9 verbose
             BGP Peer is 4.4.4.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 4.4.4.9
    
             Update-group ID : 0
             BGP current state: Established, Up for 00h57m48s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             
             Advertised total routes: 0
             Port:  Local - 53714    Remote - 179
             Configured: Connect-retry Time: 32 sec 
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 72 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             71
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 82 messages
                      Update messages                10
                      Open messages                  1
                      KeepAlive messages             71
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2011/09/25 16:47:19                                   
     Last keepalive sent    : 2011/09/25 16:47:21                                   
     Last update    received: 2011/09/25 16:11:28
     Last update    sent    : 2011/09/25 16:11:32
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Nexthop self has been configured
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 2
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled, the valid hop count is 2, and the BGP connection is in the Established state.

    NOTE:
    • In this example, if the value of valid-ttl-hops of either Router B or Router D is smaller than 2, the IBGP connection cannot be set up.

    • GTSM must be configured on the two ends of the BGP connection.

  9. Verify the configuration.

    # Run the display gtsm statistics all command on Router B to check the GTSM statistics of Router B. Because every packet received so far matches the GTSM policy, Router B has not discarded any packet.

    [RouterB-bgp] display gtsm statistics all
    GTSM Statistics Table
    ----------------------------------------------------------------
    SlotId  Protocol  Total Counters  Drop Counters  Pass Counters
    ----------------------------------------------------------------
     0      BGP       17              0              17
     0      BGPv6     0               0              0
     0      OSPF      0               0              0
     0      LDP       0               0              0
     1      BGP       0               0              0
     1      BGPv6     0               0              0
     1      OSPF      0               0              0
     1      LDP       0               0              0
     2      BGP       0               0              0
     2      BGPv6     0               0              0
     2      OSPF      0               0              0
     2      LDP       0               0              0
     3      BGP       0               0              0
     3      BGPv6     0               0              0
     3      OSPF      0               0              0
     3      LDP       0               0              0
     4      BGP       32              0              32
     4      BGPv6     0               0              0
     4      OSPF      0               0              0
     4      LDP       0               0              0
     5      BGP       0               0              0
     5      BGPv6     0               0              0
     5      OSPF      0               0              0
     5      LDP       0               0              0
     7      BGP       0               0              0
     7      BGPv6     0               0              0
     7      OSPF      0               0              0
     7      LDP       0               0              0
    ----------------------------------------------------------------

    If the host spoofs BGP packets from Router A to attack Router B, the packets are discarded because their TTL value is no longer 255 when they reach Router B. In the GTSM statistics on Router B, the drop counter increases accordingly.
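The TTL check and the pass/drop counters described above, as an added Python model (this is not code from the Huawei guide or the device software). The peer addresses and valid-ttl-hops values are taken from the Router B configuration in this example; the spoofed packet and the assumption that a peer without a GTSM policy is not TTL-checked are constructed for the illustration.

```python
MAX_TTL = 255


class GtsmChecker:
    """Models the GTSM check a router applies to packets of one protocol.

    valid_ttl_hops maps a peer address to the valid-ttl-hops value configured
    for it; the counters mirror the Total/Drop/Pass columns of
    'display gtsm statistics all' (assumption: one checker per protocol).
    """

    def __init__(self, valid_ttl_hops):
        self.valid_ttl_hops = dict(valid_ttl_hops)
        self.total = self.dropped = self.passed = 0

    def check(self, src_ip, ttl):
        """Return True if the packet passes GTSM, updating the counters."""
        self.total += 1
        hops = self.valid_ttl_hops.get(src_ip)
        # valid-ttl-hops n accepts TTL values from 255 - n + 1 up to 255.
        # Assumption: peers without a GTSM policy are not TTL-checked.
        if hops is None or MAX_TTL - hops + 1 <= ttl <= MAX_TTL:
            self.passed += 1
            return True
        self.dropped += 1
        return False


def arrival_ttl(intermediate_routers):
    """TTL seen by the receiver when a GTSM peer sends with TTL 255 and the
    packet crosses the given number of intermediate routers."""
    return MAX_TTL - intermediate_routers


def router_b_scenario():
    """Replay the example on Router B, plus one constructed spoofed packet."""
    # valid-ttl-hops values from the Router B configuration file
    checker = GtsmChecker({"10.1.1.1": 1, "3.3.3.9": 1, "4.4.4.9": 2})
    results = {
        # Router A is directly connected: TTL 255 on arrival
        "A_direct": checker.check("10.1.1.1", arrival_ttl(0)),
        # Router C (LoopBack0 3.3.3.9) is directly connected as well
        "C_direct": checker.check("3.3.3.9", arrival_ttl(0)),
        # Router D reaches B through C: TTL 254, within valid-ttl-hops 2
        "D_via_C": checker.check("4.4.4.9", arrival_ttl(1)),
        # Constructed attack: a host spoofs Router A's address from two
        # routers away, so the packet arrives with TTL 253 and is dropped
        "spoofed_A": checker.check("10.1.1.1", arrival_ttl(2)),
    }
    return results, checker
```

After `router_b_scenario()` the checker reports 4 packets in total, 3 passed and 1 dropped, which is the counter movement the verification step tells you to look for.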

Configuration Files
  • Configuration file of Router A

    #
     sysname RouterA
    #
    interface GigabitEthernet1/0/0
     undo portswitch
     ip address 10.1.1.1 255.255.255.0
    #
    bgp 10
     router-id 1.1.1.9
     peer 10.1.1.2 as-number 20
     peer 10.1.1.2 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      peer 10.1.1.2 enable
    #
    return
  • Configuration file of Router B

    #
     sysname RouterB
    #
    interface GigabitEthernet1/0/0
     undo portswitch
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     undo portswitch
     ip address 20.1.1.1 255.255.255.0
    #
    interface LoopBack0
     ip address 2.2.2.9 255.255.255.255
    #
    bgp 20
     router-id 2.2.2.9
     peer 3.3.3.9 as-number 20
     peer 3.3.3.9 valid-ttl-hops 1
     peer 3.3.3.9 connect-interface LoopBack0
     peer 4.4.4.9 as-number 20
     peer 4.4.4.9 valid-ttl-hops 2
     peer 4.4.4.9 connect-interface LoopBack0
     peer 10.1.1.1 as-number 10
     peer 10.1.1.1 valid-ttl-hops 1
      #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.9 enable
      peer 3.3.3.9 next-hop-local
      peer 4.4.4.9 enable
      peer 4.4.4.9 next-hop-local
      peer 10.1.1.1 enable
    #
    ospf 1
     area 0.0.0.0
      network 20.1.1.0 0.0.0.255
      network 2.2.2.9 0.0.0.0
    #
    return
  • Configuration file of Router C

    #
     sysname RouterC
    #
    interface GigabitEthernet1/0/0
     undo portswitch
     ip address 20.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     undo portswitch
     ip address 20.1.2.1 255.255.255.0
    #
    interface LoopBack0
     ip address 3.3.3.9 255.255.255.255
    #
    bgp 20
     router-id 3.3.3.9
     peer 2.2.2.9 as-number 20
     peer 2.2.2.9 valid-ttl-hops 1
     peer 2.2.2.9 connect-interface LoopBack0
     peer 4.4.4.9 as-number 20
     peer 4.4.4.9 valid-ttl-hops 1
     peer 4.4.4.9 connect-interface LoopBack0
      #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
      peer 4.4.4.9 enable
    #
    ospf 1
     area 0.0.0.0
      network 20.1.2.0 0.0.0.255
      network 20.1.1.0 0.0.0.255
      network 3.3.3.9 0.0.0.0
    #
    return
  • Configuration file of Router D

    #
     sysname RouterD
    #
    interface GigabitEthernet1/0/0
     undo portswitch
     ip address 20.1.2.2 255.255.255.0
    #
    interface LoopBack0
     ip address 4.4.4.9 255.255.255.255
    #
    bgp 20
     router-id 4.4.4.9
     peer 2.2.2.9 as-number 20
     peer 2.2.2.9 valid-ttl-hops 2
     peer 2.2.2.9 connect-interface LoopBack0
     peer 3.3.3.9 as-number 20
     peer 3.3.3.9 valid-ttl-hops 1
     peer 3.3.3.9 connect-interface LoopBack0
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
      peer 3.3.3.9 enable
    #
    ospf 1
     area 0.0.0.0
      network 20.1.2.0 0.0.0.255
      network 4.4.4.9 0.0.0.0
    #
    return

Improving Account and Authority Management

In scenarios with low security requirements, devices store passwords and keys in plaintext, which makes configurations easy to read during device maintenance and use. However, it is strongly recommended that the following requirements be met when accounts, passwords, and keys are configured and used:

  • The cipher mode must be used instead of the simple (plaintext) mode.
  • The same accounts and passwords must not be configured on devices across all telecommunication networks.
  • The same account and password must not be shared by many people.
  • Passwords must be updated periodically.
  • Password strength must meet security requirements.
  • A unified authentication, authorization, and accounting (AAA) system must be configured on the entire network to authenticate login accounts. Accounts must not be authenticated locally on devices.
  • Privileges must be allocated to accounts according to the minimum authorization principle. Privileges beyond an account's responsibility range must not be allocated.
  • Unauthenticated access modes must not be configured. Every channel that requests access to a device must pass authentication, authorization, and accounting.
  • All account activity logs must be recorded for subsequent analysis.

Improving IT Management on Networks

The following requirements must be met to prevent security attack events caused by manual operation errors or inappropriate IT management:

  • Operating system patches must be installed periodically.
  • The virus library of antivirus software must be updated periodically.
  • The system software must be updated to the latest version and patch level released by the vendor.
  • Network reconstruction engineering must comply with operation standards.
  • All schemes must be reviewed before network reconstruction engineering starts, and service verification must be completed after it finishes.
  • Network topology changes and construction scheme requirements must be confirmed with all departments neighboring the unit being changed. Engineering construction must not start without the knowledge of the neighboring departments and must not adversely affect them.
  • When access control policies are changed, the end-to-end nodes, services, and network elements (NEs) that may be affected by the policies must be identified to ensure that end-to-end communication continues to work.
Updated: 2019-05-06

Document ID: EDOC1000097300
