CloudEC V600R019C00 Security Maintenance (Enterprise On-premises, Only Conference)

System Access Control

You can configure trusted IP addresses to control the rights of third-party applications and users to access the SC, USM-EUA, RSE6500, CloudMCU, and VP9600 series MCU.

Configuring the SMC2.0 Whitelist

It is recommended that the SMC2.0 whitelist be enabled. After it is enabled, only the IP addresses and network segments in the whitelist are allowed to access the SMC2.0. Make sure the list includes the address of the workstation you are administering from before you save, otherwise your own session is locked out.

  1. Log in to the SMC2.0 web interface.
  2. Choose System > Settings > Security Policy.
  3. In the IP Lock Settings area on the right, select Enable IP lock.
  4. In the IP whitelist text box, enter the IP address that is allowed to access the SMC2.0.
  5. Click Save.

Configuring the SC Whitelist

Configuring the SC SSH/HTTPS Whitelist

The SSH/HTTPS whitelist is used to prevent unauthorized connection, protect the server from network attacks, and improve the system security. After the SSH/HTTPS whitelist is enabled, only IP addresses and network segments listed in the whitelist can access the SC server.

  1. Use an SSH client to log in to the SC as the admin user.
  2. Run the following command to add or delete a whitelist entry:

    firewall whitelist protocol {SSH|HTTPS} ADD|DELETE {IP address}

    The following information is displayed, indicating that the whitelist is successfully configured.

    set config success!
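The SC and SMC2.0 whitelists above accept single IP addresses and network segments, and the VP9600 TCP whitelist later on this page takes addresses plus a dotted mask or prefix length. The following Python, added here as an example and not part of the product or of this document, normalizes those entry forms with the standard ipaddress module and checks, before a whitelist is enabled, that the address you are administering from is still covered. The entry spellings it accepts, the lockout check, and the sample entries are assumptions about sound practice, not documented product behaviour.

```python
import ipaddress
from typing import List, Tuple

# Added example: normalize whitelist entries and check them before enabling
# IP lock. The accepted spellings are assumptions about what the whitelist
# forms on this page take; the product's own parser is not shown here.


def parse_whitelist_entry(entry: str):
    """Turn one whitelist entry into an ip_network.

    Accepted forms (assumed):
      "192.168.2.10"                 single host (/32)
      "192.168.2.10/32"              host with prefix, RSE6500 style
      "192.168.2.0/24"               network segment
      "192.168.2.0 255.255.255.0"    address plus dotted mask, VP9600 TCP prompt style
      "2001:db8::/64"                IPv6 segment
    """
    entry = entry.strip()
    if " " in entry:                               # "<address> <dotted mask>"
        address, mask = entry.split(None, 1)
        entry = f"{address}/{mask}"                # ipaddress accepts a dotted mask here
    # strict=False lets a host address carry a segment prefix (192.168.2.10/24)
    return ipaddress.ip_network(entry, strict=False)


def build_whitelist(entries: List[str]):
    nets = []
    for entry in entries:
        try:
            nets.append(parse_whitelist_entry(entry))
        except ValueError as exc:
            raise ValueError(f"bad whitelist entry {entry!r}: {exc}") from None
    return nets


def is_allowed(nets, client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    # 'in' against a network of the other IP version is simply False, so an
    # IPv6 client is never matched by an IPv4 segment (and vice versa)
    return any(addr in net for net in nets)


def lockout_check(entries: List[str], admin_ip: str) -> Tuple[bool, str]:
    """Decide whether it is safe to enable the whitelist from session admin_ip.

    Returns (safe, message). Refuses an empty list and a list that does not
    cover the administrator's own address; warns when an entry covers every
    address, which makes the whitelist pointless.
    """
    nets = build_whitelist(entries)
    if not nets:
        return False, "empty whitelist: enabling IP lock would block every client"
    if not is_allowed(nets, admin_ip):
        return False, f"{admin_ip} (your own session) is not covered; you would lock yourself out"
    catch_all = [str(net) for net in nets if net.prefixlen == 0]
    if catch_all:
        return True, f"warning: {catch_all} matches every address, the whitelist filters nothing"
    return True, "ok"


# Constructed sample entries: an admin workstation, a management segment in
# dotted-mask form and one in prefix form.
SAMPLE_ENTRIES = ["192.168.2.10", "192.168.2.0 255.255.255.0", "10.0.0.0/8"]
```

Run lockout_check with the list you are about to paste into the SMC2.0 IP whitelist box or the SC firewall whitelist command, and the source address of your own SSH or browser session; only enable the lock when it answers ok.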

Configuring the SC Registration Blacklist

Registration requests to the SC can be controlled by a whitelist, a blacklist, or both. Each rule matches either an alias pattern or an IP address range:

  • If the whitelist is used to control SC registration, the SC accepts a registration request if any alias in the request is listed in the SC whitelist. Requests that contain no alias listed in the SC whitelist are rejected.
  • If the blacklist is used to control SC registration, the SC rejects a registration request if any alias in the request is listed in the SC blacklist. Requests that contain no alias listed in the SC blacklist are accepted.

  1. Use an SSH client to log in to the SC CLI as the admin user.
  2. Run the following command to add a blacklist or whitelist rule:

    system-view roster-item add name name match-type match-type {[pattern-type pattern-type pattern-str pattern-str] | [begin-ip begin-ip end-ip end-ip]} type type [enable enable] [description description]
    Table 2-5 Parameter description

    name
      Description: Rule name.
      Value: -
    match-type
      Description: Matching type.
      Value: IP (match by IP address) or ALIAS (match by alias).
    pattern-type
      Description: Alias matching type, used with match-type ALIAS.
      Value: EXACT (exact match), REGEX (regular expression match), PREFIX (prefix match), or SUFFIX (suffix match).
    pattern-str
      Description: Character string for alias matching.
      Value: -
    begin-ip
      Description: Start IP address, used with match-type IP.
      Value: An IPv4 or IPv6 address.
    end-ip
      Description: End IP address, used with match-type IP.
      Value: An IPv4 or IPv6 address.
    type
      Description: List type.
      Value: BLACK (blacklist) or WHITE (whitelist).
    enable
      Description: Whether the rule is enabled.
      Value: TRUE (yes) or FALSE (no). The default value is TRUE.
    description
      Description: Description of the rule.
      Value: -
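The following Python, added here as a worked example and not part of the SC or of this document, models the roster-item rules and applies the acceptance semantics stated above to a registration request. The SC's actual evaluation order, its treatment of IP rules alongside alias rules, and whether REGEX patterns are anchored are not stated on this page; the code marks each of those as an assumption. Its audit helper flags the classic mistake of a whitelist regular expression such as ".*" that admits every alias. The rule set at the bottom is constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Added model of the roster-item rules. Field names mirror the CLI keywords
# (match-type, pattern-type, begin-ip/end-ip, type, enable). How the SC itself
# orders black and white rules, anchors REGEX patterns, and applies IP rules is
# not stated on this page; the choices below are assumptions.


@dataclass
class RosterItem:
    name: str
    match_type: str                      # "IP" or "ALIAS"
    list_type: str                       # "BLACK" or "WHITE"
    pattern_type: Optional[str] = None   # EXACT / REGEX / PREFIX / SUFFIX
    pattern_str: Optional[str] = None
    begin_ip: Optional[str] = None
    end_ip: Optional[str] = None
    enable: bool = True                  # CLI default is TRUE
    description: str = ""

    def matches_alias(self, alias: str) -> bool:
        if self.match_type != "ALIAS" or not self.enable:
            return False
        pat = self.pattern_str or ""
        if self.pattern_type == "EXACT":
            return alias == pat
        if self.pattern_type == "PREFIX":
            return alias.startswith(pat)
        if self.pattern_type == "SUFFIX":
            return alias.endswith(pat)
        if self.pattern_type == "REGEX":
            # Assumption: anchored match. With re.search a whitelist pattern
            # "1001" would also admit "91001" and "1001attacker".
            return re.fullmatch(pat, alias) is not None
        raise ValueError(f"unknown pattern-type {self.pattern_type!r}")

    def matches_ip(self, ip: str) -> bool:
        if self.match_type != "IP" or not self.enable:
            return False
        addr = ipaddress.ip_address(ip)
        lo, hi = ipaddress.ip_address(self.begin_ip), ipaddress.ip_address(self.end_ip)
        if not (addr.version == lo.version == hi.version):
            return False                 # an IPv6 peer never matches an IPv4 range
        return lo <= addr <= hi


def _hit(rules: List[RosterItem], aliases: List[str], source_ip: str) -> bool:
    return any(r.matches_alias(a) for r in rules for a in aliases) or \
        any(r.matches_ip(source_ip) for r in rules)


def registration_decision(rules: List[RosterItem], aliases: List[str], source_ip: str) -> str:
    """Apply the documented semantics to one registration request.

    Whitelist: accept only if any alias (or, by assumption, the source IP) is listed.
    Blacklist: reject if any alias (or the source IP) is listed.
    Assumption: a blacklist hit wins over a whitelist hit, so one BLACK rule can
    revoke a single alias without removing its broader WHITE PREFIX rule.
    """
    black = [r for r in rules if r.list_type == "BLACK" and r.enable]
    white = [r for r in rules if r.list_type == "WHITE" and r.enable]
    if _hit(black, aliases, source_ip):
        return "REJECT"
    if white:
        return "ACCEPT" if _hit(white, aliases, source_ip) else "REJECT"
    return "ACCEPT"                      # no enabled whitelist rule: open registration


def overbroad_whitelist_regex(rules: List[RosterItem]) -> List[str]:
    """Names of enabled WHITE REGEX rules that would admit an arbitrary alias."""
    probe = "zz-not-a-real-alias-9"
    return [r.name for r in rules
            if r.enable and r.list_type == "WHITE" and r.pattern_type == "REGEX"
            and re.fullmatch(r.pattern_str or "", probe)]


# Constructed rule set: a site prefix whitelist, a management IP range, and
# one revoked alias.
RULES = [
    RosterItem("site-a", "ALIAS", "WHITE", pattern_type="PREFIX", pattern_str="8610"),
    RosterItem("mgmt-net", "IP", "WHITE", begin_ip="10.10.1.1", end_ip="10.10.1.254"),
    RosterItem("revoked", "ALIAS", "BLACK", pattern_type="EXACT", pattern_str="8610999"),
]
```

Before adding a REGEX whitelist rule on the SC, run the pattern through overbroad_whitelist_regex; a pattern that matches the probe string will also match any alias an attacker chooses.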

Configuring the CloudMCU Web Whitelist

Only the IP addresses listed in the web whitelist of the CloudMCU can access the CloudMCU web interface.

  1. Log in to the CloudMCU web interface.
  2. Choose System > Security.
  3. Select Enable web whitelist and set IP address 1, IP address 2, and IP address 3.
  4. Click Save.

Configuring the CloudMCU TCP Whitelist

After the CloudMCU TCP whitelist is configured, the SMC2.0 can control CloudMCU services only from IP addresses in the whitelist.

  1. Log in to the CloudMCU web interface.
  2. Choose System > Security.
  3. Select Enable TCP whitelist and set IP address 1, IP address 2, and IP address 3.
  4. Click Save.

Configuring the CloudMCU SNMP Whitelist

An SMC2.0 can remotely control the CloudMCU only when its IP address has been added to the CloudMCU Simple Network Management Protocol (SNMP) whitelist.

  1. Log in to the CloudMCU web interface.
  2. Choose System > SNMP.
  3. Select Enable SNMP whitelist and set IP address 1, IP address 2, and IP address 3.
  4. Click Save.

Configuring the Web Whitelist of the VP9600 series MCU (V500R002C10)

To prevent unauthorized access, it is recommended that you enable the web whitelist function so that only computers whose IP addresses are listed in the whitelist can access the MCU web interface.

  1. Log in to the MCU from PuTTY.
  2. At the <HUAWEI VP9650> prompt, enter system-view web-connect-ipconfig and press Enter.
  3. At the web connect white list enable{0: disable, 1:enable; default:0} prompt, enter 1 and press Enter.
  4. At the web connect Ip 1{string, max len: 64} through web connect Ip 3{string, max len: 64} prompt, enter trusted IP addresses of computers respectively, and press Enter.
  5. At the <HUAWEI VP9650> prompt, enter save and press Enter.

    The following information is displayed:

    are you sure to save config?(y/n)

  6. Enter y and press Enter.

Configuring the TCP Whitelist of the VP9600 series MCU (V500R002C10)

If the MCU comes under TCP-level attack, enable the TCP whitelist function so that only trusted addresses are accepted.

  1. Log in to the MCU from PuTTY.
  2. At the <HUAWEI VP9650> prompt, enter system-view tcp-connect-ipconfig and press Enter.
  3. At the tcp connect ip list enable{0: disable, 1:enable; default:0} prompt, enter 1 and press Enter.
  4. At the tcp connect ip 1{string, max len: 64} through tcp connect ip 10{string, max len: 64} prompt, enter trusted IP addresses, and press Enter.
  5. At the ipv4 Mask [255.255.255.0] prompt, enter the IPv4 subnet mask of the trusted addresses and press Enter if the system uses IPv4 addresses. At the ipv6 prefix len prompt, enter the IPv6 prefix length and press Enter if the system uses IPv6 addresses.
  6. At the <HUAWEI VP9650> prompt, enter save and press Enter. At the are you sure to save config?(y/n) prompt, enter y and press Enter.

Configuring the SNMP Whitelist of the VP9600 series MCU (V500R002C10)

To secure configuration operations, it is recommended that you enable the SNMP whitelist function and specify the trusted network management systems (NMSs) that may manage the MCU over SNMP.

  1. Log in to the MCU from PuTTY.
  2. At the <HUAWEI VP9650> prompt, enter system-view snmp-connect-ipconfig and press Enter.
  3. At the SNMP connect white list enable{0: disable, 1:enable; default:0} prompt, enter 1 and press Enter.
  4. At the SNMP connect Ip 1{string, max len: 64} through SNMP connect Ip 3{string, max len: 64} prompt, enter the IP addresses of trusted NMS respectively, and press Enter.
  5. At the <HUAWEI VP9650> prompt, enter save and press Enter.

    The following information is displayed:

    are you sure to save config?(y/n)

  6. Enter y and press Enter.

Configuring the Web Whitelist of the VP9600 series MCU (V600R019C00)

Only the IP addresses listed in the web whitelist of the MCU can access the MCU web interface, preventing attacks from other addresses.

  1. Log in to the MCU web interface.
  2. Choose System > Security.
  3. Select Enable web whitelist and set IP address 1, IP address 2, and IP address 3.
  4. Click Save.

Configuring the TCP Whitelist of the VP9600 series MCU (V600R019C00)

If this option is selected, only SMC2.0s whose IP addresses are whitelisted can control services of the MCU, preventing attacks from other addresses.

  1. Log in to the MCU web interface.
  2. Choose System > Security.
  3. Select Enable TCP whitelist and set IP address 1, IP address 2, and IP address 3.
  4. Click Save.

Configuring the SNMP Whitelist of the VP9600 series MCU (V600R019C00)

If this option is selected, only SMC2.0s whose IP addresses are in the SNMP whitelist can communicate with the MCU over SNMP and manage it remotely as a network element, preventing attacks from other addresses.

  1. Log in to the MCU web interface.
  2. Choose System > SNMP.
  3. Select Enable SNMP whitelist and set IP address 1, IP address 2, and IP address 3.
  4. Click Save.

Configuring the RSE6500 Whitelist

Configuring the RSE6500 Web Whitelist

The RSE6500 provides the web whitelist function, which is disabled by default. To prevent unauthorized access, enable it so that only computers whose IP addresses are listed in the whitelist can access the RSE6500 web interface. After the RSE6500 web whitelist is enabled, the whitelist controls access as follows:

  • Only users listed in the whitelist are allowed to log in to the RSE6500 web interface.
  • Only the third-party applications listed in the whitelist are allowed to invoke the SDKs of RSE6500.
  • Only SMC2.0s listed in the whitelist are allowed to manage RSE6500.
  1. Log in to RSE6500 as the admin user through PuTTY.
  2. Run the following command to configure the web whitelist:

    system-view http-whitelist-config

  3. Set related parameters according to Table 2-6.

    The following information is displayed, indicating that the web whitelist is successfully configured:

    set config success!
    Table 2-6 Description of web whitelist parameters

    http whitelist enable{0:disable 1:enable}[0]
      Description: Whether to enable the web whitelist.
      How to set: Set this parameter to 1.
    ip address1{ipv4/v6 address or 0.0.0.0}[0.0.0.0]
      Description: IP address, optionally with a prefix length, listed in the whitelist. The whitelist supports a maximum of five IP addresses.
      How to set: Example: 192.168.2.10/32 or 192.168.2.10. To delete an IP address, enter 0.0.0.0.

Configuring the SSH, Telnet, MCU, and Endpoint Whitelist of the RSE6500

RSE6500 supports the whitelist function for web clients, MCUs, endpoints, and SSH and Telnet clients. The whitelist function is disabled by default. When the system is under cyber attacks, it is recommended that you enable the whitelist function to prevent unauthorized network connections to enhance system security. After the whitelist is enabled, only devices with IP addresses and network segments listed in the whitelist can access RSE6500. The following describes the whitelist function:

  • Only SSH or Telnet clients listed in the whitelist are allowed to log in to RSE6500 in CLI mode.
  • Only MCUs and endpoints listed in the whitelist are allowed to call RSE6500.
  1. Log in to RSE6500 as the admin user through PuTTY.
  2. Run the following command to configure the SSH, Telnet, MCU, and endpoint whitelist:

    system-view whitelist-config

  3. Set related parameters according to Table 2-7.

    The following information is displayed, indicating that the SSH, Telnet, MCU, and endpoint whitelist is successfully configured:

    set config success!
    Table 2-7 Description of SSH, Telnet, MCU, and endpoint whitelist parameters

    whitelist enable{0:disable 1:enable}[0]
      Description: Whether to enable the SSH, Telnet, MCU, and endpoint whitelist.
      How to set: Set this parameter to 1.
    ip address1{ipv4/v6 address or 0.0.0.0}[0.0.0.0]
      Description: IP address listed in the whitelist. The whitelist supports a maximum of five IP addresses.
      How to set: Example: 192.168.2.10. To delete an IP address, enter 0.0.0.0.

Configuring the Whitelist of the USM-EUA

To change or add the IP addresses that may access the USM-EUA, modify the EUA.soap.server.whiteips parameter in the ebus.properties file in the USM-EUA installation directory.

  • If EUA.soap.server.whiteips is set to 127.0.0.1, only the local computer can access the USM-EUA.
  • If EUA.soap.server.whiteips is set to *.*.*.*, clients at any IP address can access the USM-EUA. This value disables the whitelist and should not be used on a production system.
  • To allow specific clients to access the USM-EUA, set EUA.soap.server.whiteips to the IP addresses of those clients, separated by semicolons (;).

It is recommended that you enable the whitelist of the USM-EUA to prevent unauthorized connections and to protect the USM-EUA against sockstress attacks, improving security.

  1. If the USM-EUA is deployed on the Windows operating system, perform the following steps to configure the whitelist of the USM-EUA:
    1. Go to the directory where the ebus.properties file is located. The path is (here, the default USM-EUA installation path is used as an example) D:\EUA\EUA_OpenAS\kernel\OpenAS_Tomcat7\webapps\EUA\WEB-INF\classes.
    2. Open the ebus.properties file, and configure the client whitelist of the USM-EUA.

      Set EUA.soap.server.whiteips to the IP addresses of the clients that must be able to access the USM-EUA. Then save and close the file.

    3. Restart EUA SERVICE for the whitelist to take effect.

      net stop "EUA SERVICE"

      net start "EUA SERVICE"

  2. If the USM-EUA is deployed on the Linux operating system, perform the following steps to configure the whitelist of the USM-EUA:
    1. Log in to the USM-EUA server as the OMUSER user.

      NOTE:

      The OMUSER user is the maintenance user that is manually created by the operation personnel. Its password is user-defined.

    2. Go to the USM-EUA installation directory where the ebus.properties file resides.

      su - root

      su - euauser

      cd /home/euauser/EUA_OpenAS/kernel/OpenAS_Tomcat7/webapps/EUA/WEB-INF/classes

    3. Edit ebus.properties, configure the client whitelist of the USM-EUA, and save and exit.

      vi ebus.properties

      Set EUA.soap.server.whiteips to the IP addresses of the clients that must be able to access the USM-EUA.

    4. Restart EUA SERVICE for the whitelist to take effect.

      su - root

      service EUAService restart
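As an added example (not part of the USM-EUA or of this document), the following Python reads the EUA.soap.server.whiteips setting out of an ebus.properties file, handles the three documented forms (127.0.0.1, *.*.*.*, and a semicolon-separated list), answers whether a given client would be admitted, and reports the wildcard as an audit finding. The .properties comment and key=value syntax and the sample file content are assumptions; only the full wildcard *.*.*.* is treated as allow-all because no partial wildcard form is documented.

```python
import ipaddress
from typing import List, Tuple

ALLOW_ALL = "*.*.*.*"        # documented value that admits every client
KEY = "EUA.soap.server.whiteips"

# Constructed sample of the relevant lines of ebus.properties; the real file
# holds many other keys. Assumption: the file follows Java .properties syntax
# (key=value, '#' or '!' comment lines).
SAMPLE_EBUS_PROPERTIES = """\
# USM-EUA SOAP server settings (constructed sample, not the shipped file)
EUA.soap.server.whiteips=192.168.10.21;192.168.10.22
EUA.soap.server.port=8542
"""


def parse_properties(text: str) -> dict:
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_whiteips(value: str) -> Tuple[bool, List]:
    """Return (allow_all, addresses) for a whiteips value; ValueError if malformed."""
    if value.strip() == ALLOW_ALL:
        return True, []
    addrs = []
    for entry in value.split(";"):           # documented separator
        entry = entry.strip()
        if entry:                             # tolerate a trailing ';'
            addrs.append(ipaddress.ip_address(entry))   # raises on junk
    if not addrs:
        raise ValueError("no addresses listed; no client could reach the USM-EUA")
    return False, addrs


def client_allowed(value: str, client_ip: str) -> bool:
    """Would a client at client_ip pass the whitelist as written?"""
    allow_all, addrs = parse_whiteips(value)
    return allow_all or ipaddress.ip_address(client_ip) in addrs


INSECURE_WILDCARD = f"{KEY}={ALLOW_ALL} admits every client; list the SMC2.0 and other client addresses instead"
LOCAL_ONLY = f"{KEY}=127.0.0.1: only processes on this host can connect; an SMC2.0 on another host will be refused"


def audit_whiteips(properties_text: str) -> List[str]:
    """Return findings for the whitelist setting; an empty list means it looks sane."""
    value = parse_properties(properties_text).get(KEY)
    if value is None:
        return [f"{KEY} is not set"]
    try:
        allow_all, addrs = parse_whiteips(value)
    except ValueError as exc:
        return [f"malformed {KEY}: {exc}"]
    if allow_all:
        return [INSECURE_WILDCARD]
    if all(a.is_loopback for a in addrs):
        return [LOCAL_ONLY]
    return []
```

Run audit_whiteips over the live ebus.properties after every change and before restarting EUA SERVICE: a typo in one address fails the whole parse here, which is preferable to discovering it when the SMC2.0 can no longer connect.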

Configuring the USM-EUA's Listening IP Address

Configure the USM-EUA's listening IP address, which is the address on which it accepts connections from the SMC2.0.

  • If you set 0.0.0.0, the USM-EUA listens on every interface, so any host that can reach the server can connect to the management-plane port, which poses security risks.
  • If you set the listening IP address to the IP address of the USM-EUA's management plane, the port is reachable only through that interface, so only hosts on or routed to the management network can connect, which is the more secure setting.

It is recommended that you change the USM-EUA's listening IP address to improve access security. Binding the listener restricts the interface, not the client, so keep the EUA.soap.server.whiteips whitelist configured as well.

  1. If the USM-EUA is deployed on the Windows operating system, perform the following steps to configure the listening IP address of the USM-EUA:
    1. Go to the directory where the server.xml file is located. The path is (here, the default USM-EUA installation path is used as an example)D:\EUA\EUA_OpenAS\kernel\OpenAS_Tomcat7\conf.
    2. Open the server.xml file, and configure the listening IP address of the USM-EUA.

      Change the IP address that corresponds to port="8542" to the management-plane IP address of the USM-EUA, save the setting, and close the file.

    3. Restart EUA SERVICE for the listening IP address to take effect.

      net stop "EUA SERVICE"

      net start "EUA SERVICE"

  2. If the USM-EUA is deployed on the Linux operating system, perform the following steps to configure the listening IP address of the USM-EUA:
    1. Log in to the USM-EUA server as the OMUSER user.

      NOTE:

      The OMUSER user is the maintenance user that is automatically created when the USM-EUA is installed. Its password is user-defined.

    2. Go to the USM-EUA installation directory where the server.xml file resides.

      su - root

      su - EUAuser

      cd /home/EUAuser/EUA_OpenAS/kernel/OpenAS_Tomcat7/conf

    3. Edit server.xml, configure the listening IP address of the USM-EUA, and save and exit.

      vi server.xml

      Change the IP address corresponding to port="8542", save the setting, and close the file.

    4. Restart EUA SERVICE for the listening IP address to take effect.

      su - root

      service EUAService restart
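The following Python, added here as an example and not part of the product or of this document, finds the connector on port 8542 in a server.xml, reports whether it is bound to all interfaces, and rewrites it to the management-plane address. It assumes the stock Tomcat address attribute on a Connector element is what the procedure above changes, and that a Connector without one listens on every interface, as Tomcat does; the sample server.xml is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of a Tomcat server.xml. The real USM-EUA
# file is larger; only the Connector on port 8542 matters here. Assumption:
# the listener address is the stock Tomcat `address` attribute on <Connector>,
# and a Connector without it listens on every interface (0.0.0.0).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8542" protocol="HTTP/1.1" address="0.0.0.0"
               connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
  </Service>
</Server>
"""

WILDCARDS = {"0.0.0.0", "::"}      # "listen everywhere" spellings


def _connector(root, port):
    for conn in root.iter("Connector"):
        if conn.get("port") == str(port):
            return conn
    raise LookupError(f'no <Connector port="{port}"> in server.xml')


def listening_address(server_xml: str, port: int) -> str:
    """Address the connector on `port` is bound to (Tomcat default: all interfaces)."""
    return _connector(ET.fromstring(server_xml), port).get("address", "0.0.0.0")


def is_exposed_on_all_interfaces(server_xml: str, port: int) -> bool:
    return listening_address(server_xml, port) in WILDCARDS


def pin_listener(server_xml: str, port: int, mgmt_ip: str) -> str:
    """Return server.xml text with the connector on `port` bound to mgmt_ip only."""
    addr = ipaddress.ip_address(mgmt_ip)          # reject typos before Tomcat sees them
    if addr.is_unspecified:
        raise ValueError("refusing to bind to the unspecified address")
    root = ET.fromstring(server_xml)
    _connector(root, port).set("address", str(addr))
    return ET.tostring(root, encoding="unicode")
```

ElementTree drops XML comments and the original whitespace when it writes the tree back, so on a real system back up server.xml first and diff the result before restarting EUA SERVICE.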

Updated: 2019-08-07

Document ID: EDOC1100059091