AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Access Authentication Security

CONSOLE

Security Policy

Serial ports are physical interfaces. Isolating serial ports in device deployment and networking can prevent malicious users from accessing devices by means of serial ports.

Two authentication methods are available for users logging in through serial ports: password authentication and AAA authentication.

When a new device is used for the first time, it needs to be configured through the console port.

NOTE:

The default user name is admin, and the default password is Admin@huawei.

You are advised to change the password after login and update the password regularly to ensure security.

Attack Modes

When no serial server is available, an attacker may attempt to breach the physical isolation. Once the attacker reaches a serial port, the device is exposed and becomes unsafe: the attacker can damage the device even without obtaining its user name or password.

When a serial server is used, potential attackers may attempt to crack the user name and password over network connections and obtain the system administrator rights.

Configuration and Maintenance Methods

Set the authentication mode for the serial port to AAA.

  1. Run the system-view command to enter the system view.

  2. Run the user-interface console interface-number command to enter the Console user interface view.

  3. Run the authentication-mode aaa command to set the authentication mode to AAA.

  4. Run the quit command to exit from the Console user interface view.

  5. Run the aaa command to enter the AAA view.

  6. Run the local-user user-name password { irreversible-cipher | cipher } password command to configure a local user name and password.

  7. Run the local-user user-name service-type terminal command to set the access type of the local user to Console.

  8. Run the local-user user-name privilege level level command to configure the level of the local user.

  9. Run the quit command to exit from the AAA view.

Configuration and Maintenance Suggestions

For the security of a serial port, it is recommended that you configure a correct authentication mode for the serial port.

Password authentication and AAA authentication can be used for user access by means of serial ports. It is recommended that AAA authentication be configured to authenticate users by means of user names and passwords.

When no authentication is configured on a serial port, a user can access the device and configure a password. In this case, switch user-interface con 0 to the AAA authentication mode and configure a user name and password in the AAA view.

TELNET

Security Policy
  • Supporting authentication

    A Telnet server supports password authentication, AAA authentication, and non-authentication. After an authentication method is configured, only authenticated users can log in to the device and enter the command line views.

  • Supporting service disabling

    When the Telnet server is enabled, the device listens on a socket, which makes it easy for attackers to discover by scanning. When the Telnet server is not used, the Telnet server and its listening port can be disabled.

  • Supporting port number change

    Port 23 of the Telnet server is a well-known port number. Therefore, the port number is easily scanned and attacked. The port number of the Telnet server can be changed to a private port number to reduce the probability of being scanned and attacked.

  • Supporting access control lists (ACLs)

    ACLs can be configured for virtual type terminal (VTY) channels in the user-interface view. ACLs are used to limit the client IP addresses that can access a device.

Attack Modes
  • Port scanning

    Attackers scan the network and listen for the interaction packets exchanged between users and the device or its network management system (NMS). Telnet carries user interaction in plaintext, so device information can easily be stolen.

  • Password crack

    After an attacker obtains the Telnet port number, the attacker attempts to access the device. When the device asks for authentication information, the attacker may crack the password, pass authentication, and obtain access rights.

  • Denial of service (DoS)

    The Telnet server supports a limited number of users. When the number of admitted users reaches the upper limit, other users cannot access the device. This can happen during normal use of the Telnet server or when the Telnet server is attacked.

Configuration and Maintenance Methods
  • Set the authentication mode to AAA authentication.

    NOTE:

    When the authentication mode is AAA authentication, the access type of local users must be specified.

    • Run:

      system-view

      The system view is displayed.

    • Run:
      aaa

      The AAA view is displayed.

    • Run:
      local-user user-name password cipher password

      The local user name and password are configured.

    • Run:
      local-user user-name service-type Telnet

      The access type of the local user is set to Telnet.

    • Run:
      local-user user-name privilege level level

      The level of the local user is set.

    • Run:
      quit

      Exit from the AAA view.

    • Run:
      user-interface vty first-ui-number [ last-ui-number ]

      A VTY user interface view is displayed.

    • Run:
      authentication-mode aaa

      The AAA authentication mode is set.

  • Disable the Telnet service. (In V200R005C20 and earlier versions, the Telnet service is enabled by default. In V200R005C30 and later versions, the Telnet service is disabled by default.)

    • Run:

      system-view

      The system view is displayed.

    • Run:
      undo telnet server enable

      The Telnet service is disabled.

  • Change the port number to 53555.

    • Run:

      system-view

      The system view is displayed.

    • Run:
      telnet server port 53555

      The port number is changed to 53555.

  • Configure an ACL to control the calling in and calling out rights.

    • Run:

      system-view

      The system view is displayed.

    • Run:
      acl [ number ] acl-number [ match-order { auto | config } ]

      A numbered ACL with the specified number is created and the advanced ACL view is displayed.

    • Run:
      rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp  ]

      ACL rules are configured.

    • Run:
      quit

      Exit from the ACL view.

    • Run:
      user-interface vty first-ui-number [ last-ui-number ]

      A VTY user interface view is displayed.

    • Run:

      acl acl-number { inbound | outbound }

      The calling in and calling out functions of a VTY connection are configured.

      To restrict which source IP addresses or network segments can log in to the router, apply the ACL with inbound.

      To prevent users who have logged in to the router from connecting onward to other routers, apply the ACL with outbound.

Configuration and Maintenance Suggestions
  • Plan IP addresses for managing devices separately to prevent the devices from being scanned and listened on.

  • Change the port number of the Telnet server.

  • Configure ACLs to limit the IP addresses that can access the Telnet server.

  • Replace Telnet with SSH to provide safe management channels.

Remote Login Through SSH

Security Policy
  • Supporting authentication

    The SSH server supports password authentication and public-key authentication. Only the authenticated users can log in to the device and enter the command line views.

  • Supporting service disabling

    When the SSH server is enabled, the device listens on a socket, which makes it easy for attackers to discover by scanning. When the SSH server is not used, the SSH server and its listening port can be disabled.

  • Supporting port number change

    Port 22 of the SSH server is a well-known port number. Therefore, the port number is easily scanned and attacked. The port number of the SSH server can be changed to a private port number to reduce the probability of being scanned and attacked.

  • Supporting ACLs

    ACLs can be configured for VTY channels in the user-interface view. ACLs are used to limit the client IP addresses that can access a device.

Attack Modes
  • Password crack

    After an attacker obtains the SSH port number, the attacker attempts to access the device. When the device asks for authentication information, the attacker may crack the password, pass authentication, and obtain access rights.

  • DoS

    The SSH server supports a limited number of users. When the number of admitted users reaches the upper limit, other users cannot access the device. This can happen during normal use of the SSH server or when the SSH server is attacked.

Configuration and Maintenance Methods
  • Disable the SSH service.

    • Run:

      system-view

      The system view is displayed.

    • Run:

      undo stelnet server enable

      The STelnet service is disabled.

  • Change the port number to 53555.

    • Run:

      system-view

      The system view is displayed.

    • Run:
      ssh server port 53555

      The port number is changed to 53555.

  • Configure an ACL to control the calling in and calling out rights.

    • Run:

      system-view

      The system view is displayed.

    • Run:
      acl [ number ] acl-number [ match-order { auto | config } ]

      A numbered ACL with the specified number is created and the advanced ACL view is displayed.

    • Run:
      rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ]

      ACL rules are configured.

    • Run:
      quit

      Exit from the ACL view.

    • Run:
      user-interface vty first-ui-number [ last-ui-number ]

      A VTY user interface view is displayed.

    • Run:

      acl acl-number { inbound | outbound }

      The calling in and calling out functions of a VTY connection are configured.

      To restrict which source IP addresses or network segments can log in to the router, apply the ACL with inbound.

      To prevent users who have logged in to the router from connecting onward to other routers, apply the ACL with outbound.

Configuration and Maintenance Suggestions
  • Plan IP addresses for managing devices separately to prevent the devices from being scanned and listened on.

  • Change the port number of the SSH server.

  • Configure ACLs to limit the IP addresses that can access the SSH server.

  • Provide the public-key authentication mode for SSH users.

HTTP

Security Policy
  • Supporting security authentication

    The Web server supports AAA authentication. Only users that pass authentication can access devices and the command line window. Upon access, a user must enter the user name, the password, and a randomly generated verification code, which reduces the probability of account cracking.

  • Supporting service disabling

    When the Web server is enabled, the device listens on a socket, which makes it easy for attackers to discover by scanning. When the Web server is not used, the Web server and its listening port can be disabled.

  • Supporting port number change

    Port 80 of the Web server is a well-known port number. Therefore, the port number is easily scanned and attacked. The port number of the Web server can be changed to a private port number to reduce the probability of being scanned and attacked.

  • Supporting ACLs

    ACLs can be configured for the Web server in the system view. ACLs are used to limit the client IP addresses that can access a device.

  • Supporting HTTP over Secure Sockets Layer (SSL)

    A secure transfer service is provided to prevent data from being stolen.

  • Supporting source interface configuration

    Source interfaces supported by the HTTP server can be configured. Users must access a device using the IP addresses of the configured source interfaces. In this way, the access range is controlled and the device security is enhanced.

Attack Modes
  • DoS

    The Web server supports a limited number of users. When the number of admitted users reaches the upper limit, other users cannot access the device. This can happen during normal use of the Web server or when the Web server is attacked.

Configuration and Maintenance Methods
  • Disable the Web service.

    [Huawei] undo http server enable
    Warning: The operation will stop HTTP service. Continue? [Y/N]:y
  • Change the port number of the Web server.

    [Huawei] http server port 55535
    Warning: The operation will disconnect all online users. Continue? [Y/N]:y
  • Configure an ACL.

    [Huawei] acl 2000
    [Huawei-acl-basic-2000] display this
    #
    acl number 2000
     rule 15 permit source 10.1.1.1 0
     rule 20 deny
    #
    return
    [Huawei-acl-basic-2000]
    [Huawei-acl-basic-2000] quit
    [Huawei] http acl 2000
  • Configure HTTP over SSL.

    # Specify the PKI domain default in the client SSL policy.

    [Huawei] ssl policy userserver type server
    [Huawei-ssl-policy-userserver] pki-realm default
    
    # Apply the SSL policy userserver to the HTTPS service.
    [Huawei] http secure-server ssl-policy userserver

    # Enable the HTTPS server function on the device.

    [Huawei] http secure-server enable
    Warning: The HTTP server has not configured with SSL policy. Continue starting HTTP secure server? [Y/N]: y
      This operation will take several minutes, please wait.........................................................
    Info: Succeeded in starting the HTTPS server
    [Huawei] quit
    
Configuration and Maintenance Suggestions
  • Disable the Web server when not using it.

  • Change the listening port number of the Web server.

  • Configure ACLs.

FTP

Security Policy
  • Supporting authentication

    The File Transfer Protocol (FTP) server supports AAA authentication. Only users that pass authentication can access devices and the command line window.

  • Supporting service disabling

    When the FTP server is enabled, the device listens on a socket, which makes it easy for attackers to discover by scanning. When the FTP server is not used, the FTP server and its listening port can be disabled.

    The FTP server is disabled by default.

  • Supporting port number change

    Port 21 of the FTP server is a well-known port number. Therefore, the port number is easily scanned and attacked. The port number of the FTP server can be changed to a private port number to reduce the probability of being scanned and attacked.

  • Supporting ACLs

    ACLs can be configured for the FTP server in the system view. ACLs are used to limit the client IP addresses that can access a device.

  • Supporting source interface configuration

    Source interfaces supported by the FTP server can be configured. Users must access a device using the IP addresses of the configured source interfaces. In this way, the access range is controlled and the device security is enhanced.

Attack Modes
  • Password crack

    After an attacker obtains the FTP port number, the attacker attempts to access the device. When the device asks for authentication information, the attacker may crack the password, pass authentication, and obtain access rights.

  • DoS

    The FTP server supports a limited number of users. When the number of admitted users reaches the upper limit, other users cannot access the device. This can happen during normal use of the FTP server or when the FTP server is attacked.

Configuration and Maintenance Methods
  • Disable the FTP service.

    [Huawei] undo ftp server
    Info: Succeeded in closing the FTP server.
  • Change the port number of the FTP server.

    [Huawei] ftp server port 5553
    Info: Port change successful. Please execute ftp server enable to start ftp service.
  • Configure an ACL.

    [Huawei] acl 2000
    [Huawei-acl-basic-2000] display this
    #
    acl number 2000
     rule 15 permit source 10.1.1.1 0
     rule 20 deny
    #
    return
    [Huawei-acl-basic-2000] quit
    [Huawei] ftp acl 2000
  • Configure a source interface.

    [Huawei] interface loopback 0
    [Huawei-LoopBack0] display this
    #
    interface LoopBack0
     ip binding vpn-instance vpn1
     ipv6 enable
     ip address 1.2.3.4 255.255.255.255
    #
    return
    [Huawei-LoopBack0] quit
    [Huawei] ftp server-source -i loopback 0
    configuration take effect, the FTP server will be restarted. Continue? (y/n)[n]:y
    Info: Succeeded in setting the source interface of the FTP server to LoopBack0
    [Huawei] 
Configuration and Maintenance Suggestions
  • Disable the FTP service when not using it.

  • Change the port number of the FTP server.

  • Configure ACLs.
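As an added example (not from the Huawei guide), the Python script below audits a captured 'display current-configuration' excerpt for the Telnet, SSH, HTTP and FTP settings recommended in the sections above: services left enabled, well-known ports, missing service ACLs, and console or VTY lines not using AAA authentication. The configuration text is constructed for the example; the command spellings are the ones shown in this guide, and 'undo ...' lines are treated as the service being off.

```python
import re

# Constructed excerpt of 'display current-configuration' output (not from a real device):
# Telnet, Web and FTP still on, and the VTY lines still use password authentication.
SAMPLE_CONFIG = """\
#
 telnet server enable
 stelnet server enable
 ssh server port 53555
 http server enable
 http acl 2000
 ftp server enable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode password
 acl 2000 inbound
#
"""

UI_RE = re.compile(r"user-interface (con|vty|tty) (\d+(?: \d+)?)$")

def split_config(config):
    """Return (global_lines, ui_blocks); ui_blocks maps e.g. 'vty 0 4' to its lines."""
    global_lines, ui_blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":            # a '#' separator ends the current block
            current = None
            continue
        m = UI_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            ui_blocks[current] = []
        elif current is not None:
            ui_blocks[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, ui_blocks

def enabled(global_lines, service):
    """True when '<service> enable' is present as-is (an 'undo ...' line does not count)."""
    return f"{service} enable" in global_lines

def port_of(global_lines, service, default):
    """Configured '<service> port N', or the well-known default when the line is absent."""
    for line in global_lines:
        m = re.match(rf"{re.escape(service)} port (\d+)$", line)
        if m:
            return int(m.group(1))
    return default

def audit(config):
    """Return findings as short strings; an empty list means every check passed."""
    g, ui = split_config(config)
    findings = []
    if enabled(g, "telnet server"):
        findings.append("telnet: plaintext Telnet server enabled; disable it or use STelnet")
        if port_of(g, "telnet server", 23) == 23:
            findings.append("telnet: listening on well-known port 23")
    if enabled(g, "stelnet server") and port_of(g, "ssh server", 22) == 22:
        findings.append("ssh: listening on well-known port 22")
    if enabled(g, "http server"):
        findings.append("http: Web server enabled; disable it if unused")
        if port_of(g, "http server", 80) == 80:
            findings.append("http: listening on well-known port 80")
        if not any(line.startswith("http acl ") for line in g):
            findings.append("http: no ACL restricts Web clients")
        if not enabled(g, "http secure-server"):
            findings.append("http: HTTPS not enabled, Web management is plaintext")
    if enabled(g, "ftp server"):
        findings.append("ftp: FTP server enabled; disable it if unused")
        if not any(line.startswith("ftp acl ") for line in g):
            findings.append("ftp: no ACL restricts FTP clients")
    for name, lines in ui.items():
        if "authentication-mode aaa" not in lines:
            findings.append(f"user-interface {name}: authentication-mode is not aaa")
        if name.startswith("vty") and not any(re.match(r"acl \d+ inbound$", l) for l in lines):
            findings.append(f"user-interface {name}: no inbound ACL limits client addresses")
    return findings
```

Calling audit(SAMPLE_CONFIG) lists eight findings for the sample; a configuration that follows the suggestions above returns an empty list.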

TFTP

Security Policy

The Trivial File Transfer Protocol (TFTP) does not support authentication. It is an insecure file copy protocol. Therefore, devices support only TFTP clients, but do not support TFTP servers.

The command for managing TFTP clients is a level-3 management command. That is, only users with management rights can perform operations on device files.

Attack Modes

N/A

Configuration and Maintenance Methods

N/A

Configuration and Maintenance Suggestions

N/A

SNMP

SNMP is used to manage network devices. Network administrators can use SNMP to obtain data from devices or implement configuration on devices. SNMP can also implement trap operations. When an important state of a device changes, SNMP notifies the NMS of the event.

Security Policy

SNMPv1, SNMPv2c, and SNMPv3 support different security policies.

SNMPv1 and SNMPv2 support ACLs and the view-based access control model (VACM). When an ACL and a mib-view are associated with a community name, the NMSs and nodes that can access a device are limited. In this way, the system security is enhanced.

SNMPv3 supports the user-based security model (USM), the message digest algorithm 5 (MD5)/secure hash algorithm (SHA) authentication, data encryption standard (DES), and AES. SNMPv3 authenticates and encrypts communication data to solve security problems such as message forging, modification, and disclosure.

Attack Modes
Common SNMP attacks are as follows:
  • An attacker obtains the rights of an authorized user by modifying the source IP address of sent packets to perform unauthorized management operations.
  • An attacker listens on the communication between NMSs and SNMP agents to obtain information such as user names, passwords, and community names and unauthorized rights.
  • SNMP messages are intercepted and then reordered, delayed, or replayed. Normal operations are disrupted, and attackers may obtain unauthorized access rights.

SNMPv3 authenticates and encrypts data in the USM to mitigate the preceding attacks.

Authentication: The integrity and origin of the data are verified, ensuring that messages come from the claimed source and that packets are not forged or modified in transit. MD5 or SHA is used to compute a digest of the data and check whether it has been modified.

Encryption: The data is encrypted, so packet contents cannot be read by capturing them on the network. DES or AES provides efficient and strong encryption and decryption.

Configuration and Maintenance Methods

For security, it is recommended that an SNMPv3 user whose authentication information is encrypted be configured, that the SNMPv3 authentication encryption mode be used to manage devices, and that an ACL and a mib-view be associated with the user to control the access rights of the user.

  1. Configure an ACL named ACL 2001 to allow or reject certain IP addresses.

    [Huawei-acl-basic-2001]display this
    #
    acl number 2001
     rule 5 deny source 10.138.20.123 0
     rule 10 permit source 10.138.90.111 0
    #
    return
    [Huawei-acl-basic-2001]
  2. Configure a mib-view named iso-view to access nodes under the sub-tree whose root node is the International Organization for Standardization (ISO).

    [Huawei] snmp-agent mib-view iso-view include iso
  3. Configure an SNMPv3 group named v3group, associate the read view, write view, and notification view named iso-view with the group, and associate ACL 2001 with the group.

    [Huawei] snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
  4. Configure an SNMPv3 user named v3user. The user belongs to v3group. For the user, the authentication mode is MD5 with the authentication password hello1234, and the encryption mode is des56 with the privacy password tianxianbaobao2012. ACL 2001 is associated with the user.

    [Huawei] snmp-agent usm-user v3 v3user group v3group acl 2001
    [Huawei] snmp-agent usm-user v3 v3user authentication-mode md5
    Please configure the authentication password (<8-64>)
    Enter Password:
    Confirm password:

    [Huawei] snmp-agent usm-user v3 v3user privacy-mode des56
    Please configure the privacy password (<8-64>)
    Enter Password:
    Confirm password:
  5. View the current SNMP configurations.

    [Huawei] display current-configuration | include snmp
     snmp-agent local-engineid 800007DB03548998F3A49C
     snmp-agent group v3 vrgroup privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
     snmp-agent mib-view iso-view include iso
     snmp-agent usm-user v3 v3user
     snmp-agent usm-user v3 v3user group v3group
     snmp-agent usm-user v3 v3user authentication-mode md5 %@%@o6Y8~W`>GMcaE;UAsR%0#7#T%@%@
     snmp-agent usm-user v3 v3user privacy-mode des56 %@%@w}msPaBFPTKI#E8R#5n5#7+"%@%@
     snmp-agent usm-user v3 v3user acl 2001
     snmp-agent
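The HTTP, FTP and SNMP ACLs shown above all work by source-address wildcard matching. The following added example (not part of the Huawei guide) re-types ACL 2000 and ACL 2001 as constructed input in the 'display this' layout and evaluates them in ascending rule-id order, as a basic ACL with 'config' match order is evaluated. It assumes (check your device documentation) that a source matching no rule is permitted by default, so ACL 2001, which has no closing deny rule, admits every address it does not name, whereas ACL 2000 closes with an explicit 'rule 20 deny'.

```python
import ipaddress
import re

# The two basic ACLs shown above, re-typed as constructed input in the 'display this' layout.
ACL_2000 = """\
acl number 2000
 rule 15 permit source 10.1.1.1 0
 rule 20 deny
"""
ACL_2001 = """\
acl number 2001
 rule 5 deny source 10.138.20.123 0
 rule 10 permit source 10.138.90.111 0
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny)(?: source (?:(\S+) (\S+)|any))?$")


def to_int(token):
    """An IPv4 dotted quad, or a bare integer such as the '0' wildcard VRP prints."""
    return int(token) if token.isdigit() else int(ipaddress.IPv4Address(token))


def parse_basic_acl(text):
    """Return (rule_id, action, network, care_bits) tuples in ascending rule-id order,
    which is how VRP evaluates an ACL whose match order is 'config'."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        rule_id, action, addr, wildcard = m.groups()
        if addr is None:                      # 'rule N deny' or 'source any': matches everything
            network, care = 0, 0
        else:
            # A wildcard mask is the inverse of a netmask: 0 bits must match, 1 bits are ignored.
            care = 0xFFFFFFFF ^ to_int(wildcard)
            network = to_int(addr) & care
        rules.append((int(rule_id), action, network, care))
    return sorted(rules)


def evaluate(rules, src_ip, default="permit"):
    """First matching rule wins and returns (action, rule_id).
    Assumption: a source that matches no rule gets 'default', taken here as permit."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for rule_id, action, network, care in rules:
        if ip & care == network:
            return action, rule_id
    return default, None


def has_catch_all_deny(rules):
    """True when the last rule denies every source, so the default action never applies."""
    return bool(rules) and rules[-1][1] == "deny" and rules[-1][3] == 0


if __name__ == "__main__":
    for name, text in (("ACL 2000", ACL_2000), ("ACL 2001", ACL_2001)):
        rules = parse_basic_acl(text)
        print(name, "closes with a catch-all deny:", has_catch_all_deny(rules))
        for ip in ("10.1.1.1", "10.138.20.123", "10.138.90.111", "192.0.2.9"):
            print("  ", ip, "->", evaluate(rules, ip))
```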
Configuration and Maintenance Suggestions

Community names of SNMPv1 and SNMPv2c are stored in cipher text.

When the authentication and privacy passwords are configured for an SNMP user, each password must be entered twice to confirm it. The configured password is not displayed and is stored in cipher text.

Store community names and user passwords in cipher text to effectively protect them from being disclosed.

AAA User Management

AAA provides the following types of security services:

  • Authentication: determines the users who can access the network.

  • Authorization: authorizes the users to access certain services.

  • Accounting: records the utilization of network resources.

AAA is closely related to services and therefore its configuration is flexible.

Security Policy

Remote authentication: User information (including the user names, passwords, and attributes of users) is configured on the authentication server. Remote authentication over the Remote Authentication Dial In User Service (RADIUS) or HUAWEI Terminal Access Controller Access Control System (HWTACACS) is supported. HWTACACS is an enhancement of TACACS (RFC 1492).

Authorization: Users are authorized after successful RADIUS or HWTACACS authentication.

For certain administrators, local authentication and RADIUS authentication are performed in order. When an administrator accesses a device through Telnet or SSH and the entered user name does not contain a domain name, the device assumes that the administrator belongs to the default management domain.

Attack Modes

An attacker may enumerate key information (such as user names and passwords) to obtain the access rights of the system administrator.

Configuration and Maintenance Methods

For common user name and password cracking attempts, configure the maximum number of authentication failures and the authentication interval to block unauthorized users. After these two parameters are configured, a user is locked out for a period after n consecutive login failures, which lowers the success rate of guessing attempts and enhances device security.

Configuration and Maintenance Suggestions

N/A

HWTACACS User Management

HWTACACS is an enhancement of TACACS. Similar to RADIUS, the HWTACACS client uses the client/server model to communicate with the HWTACACS server, implementing AAA for users. HWTACACS provides authentication, authorization, and accounting for Point-to-Point Protocol (PPP) users and login users.

Security Policy

HWTACACS uses the Transmission Control Protocol (TCP) for transmission, which is more reliable than RADIUS transmission over the User Datagram Protocol (UDP). HWTACACS encrypts standard HWTACACS packet headers and bodies by using MD5, which ensures high security during data transmission. The shared keys for packet encryption can be configured by users.

Attack Modes

N/A

Configuration and Maintenance Methods

Run hwtacacs-server shared-key cipher key-string to configure a shared key for each HWTACACS group. The shared key is used to encrypt packets transmitted over HWTACACS by using MD5, increasing the transmission security. The cipher keyword is used when the shared key is configured. When the shared key is viewed, the encrypted key is displayed, increasing the key security.

Configuration and Maintenance Suggestions

Run hwtacacs-server shared-key cipher key-string to configure keys for encrypting packet bodies.
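The guide does not show the HWTACACS packet format. The added example below (not Huawei's code) implements the standard TACACS+ scheme of RFC 8907 that matches the description above: an MD5 pseudo-pad derived from the session ID, the shared key, the version and the sequence number is XORed over the packet body, so a receiver holding a different key recovers only garbage. Whether HWTACACS uses exactly this derivation is an assumption, and the key and session ID values are placeholders.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0          # major version 12, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 pseudo-pad of RFC 8907 section 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_n-1); the pads are concatenated and cut
    to the body length."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it again with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, key, seq_no=1, packet_type=TAC_PLUS_AUTHEN):
    """12-byte header (version, type, seq_no, flags, session_id, length) followed by the
    obfuscated body. The header itself is never obfuscated."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, packet_type, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def read_packet(packet, key):
    """Parse a packet and return (session_id, seq_no, body) using the receiver's key.
    A wrong key yields garbage rather than an error, which is why the shared key must be
    identical on the device and on the HWTACACS server."""
    version, packet_type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:     # cleartext packets carry the body as-is
        return session_id, seq_no, body
    return session_id, seq_no, obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    KEY = b"example-shared-key"            # placeholder, not a real deployment secret
    packet = build_packet(b"user=admin\x00", 0x1A2B3C4D, KEY)
    print(read_packet(packet, KEY))
    print(read_packet(packet, b"wrong-key"))
```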

Updated: 2019-05-06

Document ID: EDOC1000097300
