ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

VPN-based Inband NMS

Binding a Management VPN to a Service Interface

Networking Requirements

An independent VPN instance is bound to a service interface so that only that interface (together with the other interfaces in the same VPN instance) can receive management protocol packets; interfaces in other VPN instances are isolated from the management addresses.

Configuration Roadmap

Create a management VPN (mVPN). Bind the mVPN to the selected service interface and to the loopback interface used for management, and bind the remaining service interfaces to another VPN instance. Interfaces in different VPN instances cannot communicate with each other, so traffic arriving on the other service interfaces cannot reach the management addresses.

Data Preparation

None

  1. Create a management VPN.
    [~HUAWEI] ip vpn-instance management
    [*HUAWEI-vpn-instance-management] ipv4-family
    [*HUAWEI-vpn-instance-management-af-ipv4] commit
    [~HUAWEI-vpn-instance-management-af-ipv4] quit
    [~HUAWEI-vpn-instance-management] display this
    #
    ip vpn-instance management
     ipv4-family
    #
    return
    
  2. Bind the VPN to the service interface used for management (GE 3/0/1 here) and to the loopback interface. Binding an interface to a VPN instance removes any IPv4 and IPv6 configuration already on that interface (see the Info message below), so bind first and assign addresses afterwards; if the interface currently carries the NMS session, perform this step from the console.
    [~HUAWEI] interface gigabitethernet3/0/1
    [~HUAWEI-GigabitEthernet3/0/1] ip binding vpn-instance management
    Info: All IPv4 and IPv6 related configurations on this interface are removed.
    [*HUAWEI-GigabitEthernet3/0/1] commit
    [~HUAWEI-GigabitEthernet3/0/1] quit
    [~HUAWEI] interface LoopBack0
    [~HUAWEI-LoopBack0] ip binding vpn-instance management
    Info: All IPv4 and IPv6 related configurations on this interface are removed.
    [*HUAWEI-LoopBack0] commit
    
  3. Configure IP addresses for the management interface and the loopback interface for management.
    [~HUAWEI-LoopBack0] quit
    [~HUAWEI] interface gigabitethernet3/0/1
    [~HUAWEI-GigabitEthernet3/0/1] ip address 10.3.1.1 24
    [*HUAWEI-GigabitEthernet3/0/1] commit
    [~HUAWEI-GigabitEthernet3/0/1] display this
    #
    interface GigabitEthernet3/0/1
     undo shutdown
     ip binding vpn-instance management
     ip address 10.3.1.1 255.255.255.0
    #
    [~HUAWEI-GigabitEthernet3/0/1] quit
    [~HUAWEI] interface LoopBack0
    [~HUAWEI-LoopBack0] ip address 1.1.1.1 32
    [*HUAWEI-LoopBack0] commit
    [~HUAWEI-LoopBack0] display this
    #
    interface LoopBack0
     ip binding vpn-instance management
     ip address 1.1.1.1 255.255.255.255
    #
    return
    

Disabling the Service Plane from Sending Management Protocol Packets to the Management Plane

Networking Requirements

Specific service interfaces are disabled from sending management protocol packets to the management plane so that the management plane receives management protocol packets only from the other service interfaces.

Configuration Roadmap
The configuration roadmap is as follows:
  1. Create a global MA-defend policy that stops the service plane from sending management protocol packets to the management plane.
  2. Create an interface policy that permits the specific management protocol packets.
  3. Apply the interface policy to the interface that is allowed to carry management traffic.
  4. Check the configuration and the number of dropped packets.

  1. Create a global MA-defend policy to disable the service plane from sending FTP, SNMP, SSH, Telnet, and TFTP packets to the management plane.
    [~HUAWEI] ma-defend global-policy
    [*HUAWEI-app-sec-global] protocol ftp deny
    [*HUAWEI-app-sec-global] protocol snmp deny
    [*HUAWEI-app-sec-global] protocol ssh deny
    [*HUAWEI-app-sec-global] protocol telnet deny
    [*HUAWEI-app-sec-global] protocol tftp deny
    [*HUAWEI-app-sec-global] enable
    [*HUAWEI-app-sec-global] commit
    [~HUAWEI-app-sec-global] quit
  2. Allow GE 3/0/1 to send management protocol packets to the management plane.
    [~HUAWEI] ma-defend interface-policy 1
    [*HUAWEI-app-sec-interface-1] protocol ftp permit
    [*HUAWEI-app-sec-interface-1] protocol snmp permit
    [*HUAWEI-app-sec-interface-1] protocol ssh permit
    [*HUAWEI-app-sec-interface-1] protocol telnet permit
    [*HUAWEI-app-sec-interface-1] protocol tftp permit
    [*HUAWEI-app-sec-interface-1] commit
    [~HUAWEI-app-sec-interface-1] quit
    [~HUAWEI] interface gigabitethernet3/0/1
    [~HUAWEI-GigabitEthernet3/0/1] ma-defend-interface 1
    [*HUAWEI-GigabitEthernet3/0/1] commit
    [~HUAWEI-GigabitEthernet3/0/1] quit
    NOTE:

    With this configuration, only GE 3/0/1 can be used for management access. All other interfaces, including the management network interface, drop management protocol packets, and any NMS that reaches the device through an interface other than GE 3/0/1 loses its connection. The global deny policy takes effect as soon as it is committed in step 1, before the interface policy is bound in step 2, so during that interval no interface accepts management packets: perform the configuration from the console, or create and bind the interface policy first and enable the global policy last, as the MPAC example in the next section does.

  3. Verify the configuration.
    [~HUAWEI] display ma-defend all
    MA-defend policy type: global-policy
    ----------------------------------------------------
      The global-policy is enabled
      --------------------------------------------------
      protocol       rule
      --------------------------------------------------
      FTP            deny
      SSH            deny
      SNMP           deny
      TELNET         deny
      TFTP           deny
    ----------------------------------------------------
    MA-defend policy type: interface-policy 1
    ----------------------------------------------------
      The interface-policy is bound to interface:
      GigabitEthernet3/0/1
      --------------------------------------------------
      protocol       rule
      --------------------------------------------------
      FTP            permit
      SSH            permit
      SNMP           permit
      TELNET         permit
      TFTP           permit
  4. Check that the service interfaces other than GE 3/0/1 drop management protocol packets. A non-zero Dropped-Packets count confirms that the global policy is discarding management protocol packets received on interfaces without a bound interface policy.
    [~HUAWEI] display cpu-defend ma-defend statistics
    Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
    ---------------------------------------------------------------------------------
    3         MA-Defend                            100           50                50
    ---------------------------------------------------------------------------------
              FTP SERVER                           100           50                50

Disabling Specific Service Interfaces from Sending Management Protocol Packets to the Management Plane Using MPAC

Networking Requirements

Specific service interfaces are disabled from sending management protocol packets to the management plane so that the management plane receives management protocol packets only from the other service interfaces.

Configuration Roadmap
Create two MPAC policy views, one for global application, and the other for interface application. Configure a rule to disable management protocol packets from being sent to the management plane in the globally applied profile. Configure a rule to allow only specific management protocol packets to be sent to the management plane in the profile applied to an interface. The configuration roadmap is as follows:
  1. Create two MPAC policy profiles in the system view, with one being applied globally and the other being applied to an interface.
  2. Disable management protocol packets from being sent to the management plane in the profile for global application, and allow only specific management protocol packets to be sent to the management plane in the profile for interface application.
  3. Apply the former policy globally and the latter policy to GE 3/0/1 and the management network interface GE 0/0/0.
  4. Check the configurations and the number of dropped packets.

  1. Create two MPAC policy profiles in the system view, one to be applied globally and the other to be applied to interfaces.
    [~HUAWEI] service-security policy ipv4 global
    [*HUAWEI-service-sec-global] commit
    [~HUAWEI-service-sec-global] quit
    [~HUAWEI] service-security policy ipv4 interface
    [*HUAWEI-service-sec-interface] commit
    [~HUAWEI-service-sec-interface] quit
    
  2. In the profile for global application, deny FTP, SNMP, SSH, TFTP, and Telnet packets from being sent to the management plane; in the profile for interface application, permit only those five protocols. Rule numbers are assigned automatically using the policy step (5 here) in the order the rules are entered, which is the order shown by display service-security policy ipv4 in step 4.
    [~HUAWEI] service-security policy ipv4 global
    [~HUAWEI-service-sec-global] rule deny protocol ftp
    [*HUAWEI-service-sec-global] rule deny protocol snmp
    [*HUAWEI-service-sec-global] rule deny protocol ssh
    [*HUAWEI-service-sec-global] rule deny protocol tftp
    [*HUAWEI-service-sec-global] rule deny protocol telnet
    [*HUAWEI-service-sec-global] commit
    [~HUAWEI-service-sec-global] quit
    [~HUAWEI] service-security policy ipv4 interface
    [~HUAWEI-service-sec-interface] rule permit protocol ftp
    [*HUAWEI-service-sec-interface] rule permit protocol snmp
    [*HUAWEI-service-sec-interface] rule permit protocol ssh
    [*HUAWEI-service-sec-interface] rule permit protocol tftp
    [*HUAWEI-service-sec-interface] rule permit protocol telnet
    [*HUAWEI-service-sec-interface] commit
    [~HUAWEI-service-sec-interface] quit
  3. Apply the interface policy to GE 3/0/1 and to the management network interface GE 0/0/0, then apply the global policy. Binding the interface policies first means that management access through these two interfaces is not interrupted when the global deny policy takes effect.
    [~HUAWEI] interface GigabitEthernet 0/0/0
    [~HUAWEI-GigabitEthernet0/0/0] service-security binding ipv4 interface
    [*HUAWEI-GigabitEthernet0/0/0] commit
    [~HUAWEI-GigabitEthernet0/0/0] quit
    [~HUAWEI] interface GigabitEthernet 3/0/1
    [~HUAWEI-GigabitEthernet3/0/1] service-security binding ipv4 interface
    [*HUAWEI-GigabitEthernet3/0/1] commit
    [~HUAWEI-GigabitEthernet3/0/1] quit
    [~HUAWEI] service-security global-binding ipv4 global
    [*HUAWEI] commit
    
  4. Verify the configuration.
    [~HUAWEI] display service-security binding ipv4 
      Configured : Global
      Policy Name: global
      
    Interface  : GigabitEthernet0/0/0
      Policy Name: interface
      
    Interface  : GigabitEthernet3/0/1
      Policy Name: interface
    [~HUAWEI] display service-security policy ipv4
      Policy Name : global
      Step        : 5
       rule 5 deny protocol ftp
       rule 10 deny protocol snmp
       rule 15 deny protocol ssh
       rule 20 deny protocol tftp
       rule 25 deny protocol telnet
    
    Policy Name : interface
    Step        : 5
     rule 5 permit protocol ftp
     rule 10 permit protocol snmp
     rule 15 permit protocol ssh
     rule 20 permit protocol tftp
     rule 25 permit protocol telnet
  5. Check the rule match counters. Hits on the deny rules of the global policy are management protocol packets that arrived on interfaces without a bound interface policy and were dropped; hits on the permit rules of the interface policy are packets accepted from GE 0/0/0 and GE 3/0/1. A growing deny counter is evidence that something is attempting management access through a service interface.
    [~HUAWEI] display service-security statistics ipv4 
      Policy Name : global
      Step        : 5
       rule 5 deny protocol ftp (9 times matched)
       rule 10 deny protocol snmp (0 times matched)
       rule 15 deny protocol ssh (0 times matched)
       rule 20 deny protocol tftp (0 times matched)
       rule 25 deny protocol telnet (20 times matched)
      
    Policy Name : interface
    Step        : 5
     rule 5 permit protocol ftp (100 times matched)
     rule 10 permit protocol snmp (0 times matched)
     rule 15 permit protocol ssh (0 times matched)
     rule 20 permit protocol tftp (0 times matched)
     rule 25 permit protocol telnet (652 times matched)
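The two MPAC display commands above provide everything needed to verify the intended state and to watch for access attempts from service interfaces. The following Python script, added here as an example and not part of the Huawei guide, parses captured output of display service-security binding ipv4 and display service-security statistics ipv4 (the sample text is constructed to match the guide's output format), checks that a global policy denying all five management protocols is bound and that only approved interfaces carry a policy that permits them, and reports the packets the global deny rules dropped. The approved-interface set and the protocol list are the script's own assumptions. The same checks apply in intent to the MA-defend section, whose counters have a different format.

```python
"""Audit Huawei MPAC (service-security) state from captured CLI output.

Added example, not part of the Huawei guide. Parses the text of
'display service-security binding ipv4' and
'display service-security statistics ipv4' and checks that
  * a global policy is bound and denies every management protocol, and
  * only approved interfaces carry a policy that permits those protocols.
Deny-rule counters are reported so blocked attempts can be alerted on.
"""
import re
from dataclasses import dataclass

# Assumption: the full set of protocols that must be denied on service interfaces.
MGMT_PROTOCOLS = frozenset({"ftp", "snmp", "ssh", "telnet", "tftp"})
GLOBAL = "__global__"  # key used for the global binding

# Constructed sample output, shaped like the guide's display commands.
SAMPLE_BINDING = """\
  Configured : Global
  Policy Name: global

Interface  : GigabitEthernet0/0/0
  Policy Name: interface

Interface  : GigabitEthernet3/0/1
  Policy Name: interface
"""

SAMPLE_STATISTICS = """\
  Policy Name : global
  Step        : 5
   rule 5 deny protocol ftp (9 times matched)
   rule 10 deny protocol snmp (0 times matched)
   rule 15 deny protocol ssh (0 times matched)
   rule 20 deny protocol tftp (0 times matched)
   rule 25 deny protocol telnet (20 times matched)

Policy Name : interface
Step        : 5
 rule 5 permit protocol ftp (100 times matched)
 rule 10 permit protocol snmp (0 times matched)
 rule 15 permit protocol ssh (0 times matched)
 rule 20 permit protocol tftp (0 times matched)
 rule 25 permit protocol telnet (652 times matched)
"""

_RULE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+protocol\s+(\S+)\s+\((\d+)\s+times matched\)")
_POLICY = re.compile(r"Policy Name\s*:\s*(\S+)")
_IFACE = re.compile(r"^\s*Interface\s*:\s*(\S+)")
_GLOBAL = re.compile(r"^\s*Configured\s*:\s*Global")


@dataclass
class Rule:
    number: int
    action: str    # "permit" or "deny"
    protocol: str
    matched: int   # packets that hit this rule since counters were cleared


def parse_bindings(text):
    """Map GLOBAL and each interface name to the policy bound to it."""
    bindings, scope = {}, None
    for line in text.splitlines():
        if _GLOBAL.match(line):
            scope = GLOBAL
        elif (m := _IFACE.match(line)):
            scope = m.group(1)
        elif (m := _POLICY.search(line)) and scope is not None:
            bindings[scope] = m.group(1)
    return bindings


def parse_statistics(text):
    """Map each policy name to its list of Rule entries with hit counters."""
    policies, current = {}, None
    for line in text.splitlines():
        if (m := _POLICY.search(line)):
            current = m.group(1)
            policies.setdefault(current, [])
        elif (m := _RULE.search(line)) and current is not None:
            num, action, proto, hits = m.groups()
            policies[current].append(Rule(int(num), action, proto, int(hits)))
    return policies


def audit(bindings, policies, approved_interfaces):
    """Return compliance findings; an empty list means the MPAC state is as intended."""
    findings = []
    global_policy = bindings.get(GLOBAL)
    if global_policy is None:
        findings.append("no global policy bound: unlisted interfaces can still reach the management plane")
    else:
        denied = {r.protocol for r in policies.get(global_policy, []) if r.action == "deny"}
        missing = sorted(MGMT_PROTOCOLS - denied)
        if missing:
            findings.append(f"global policy '{global_policy}' does not deny {missing}")
    for iface, policy in bindings.items():
        if iface == GLOBAL:
            continue
        permitted = sorted(r.protocol for r in policies.get(policy, []) if r.action == "permit")
        if permitted and iface not in approved_interfaces:
            findings.append(f"{iface} permits {permitted} via '{policy}' but is not an approved management interface")
    return findings


def blocked_attempts(bindings, policies):
    """Per-protocol count of packets dropped by the global policy's deny rules."""
    rules = policies.get(bindings.get(GLOBAL), [])
    return {r.protocol: r.matched for r in rules if r.action == "deny"}


if __name__ == "__main__":
    b, p = parse_bindings(SAMPLE_BINDING), parse_statistics(SAMPLE_STATISTICS)
    for f in audit(b, p, {"GigabitEthernet0/0/0", "GigabitEthernet3/0/1"}):
        print("FINDING:", f)
    print("blocked by global deny:", blocked_attempts(b, p))
```

Run it against output saved from the device. Non-empty findings mean the MPAC state has drifted from the example above (a deny rule removed, or a permit policy bound to an interface that should not carry management traffic); a rising deny counter is worth an alert, since the management plane should receive nothing from those interfaces.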
    
Updated: 2019-01-04

Document ID: EDOC1100059445
