ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Security Area Isolation

Because ME devices have complex configuration models and services, their access control policies are correspondingly complex. The security defense policies of an ME device can be described clearly using the logical model of security area isolation.

Figure 7-4 Model of the secure access control policies of ME devices

The external interfaces of an ME device are classified into the following security areas:

  • Management network of the customer
  • Residential network of the user
  • Public network of the Internet

The following table lists the access control model that each area applies to each access channel in order to achieve high-level security defense.

Table 7-3 Secure access control policies

Access Channel                              | Management Network       | Residential Network      | Internet
Telnet/SSH/SNMP/Radius/TACACS/Syslog Mgmt   | Trusted, access allowed  | Untrusted, access denied | Untrusted, access denied
IPoE                                        | Untrusted, access denied | Trusted, access allowed  | Untrusted, access denied
RIP/OSPF/BGP/IS-IS internetworking          | Untrusted, access denied | Untrusted, access denied | Trusted, access allowed

Access control policies help eliminate the security risks caused by access requests from untrusted networks to ME devices.

Example for Configuring Login to Devices Through Telnet Performed by Users in Different Isolated Areas

Networking Requirements

In Figure 7-5, the Device connects to the residential network on the left through interface GE1/0/2 in the network segment 10.1.2.0/24, to the management network on the top through interface GE1/0/1 in the network segment 10.1.1.0/24, and to the Internet on the right through interface GE1/0/3 in the network segment 10.1.3.0/24.

Users on the management network are allowed to log in to the Device using Telnet, whereas users on the residential network and Internet are not allowed to log in to the Device using Telnet. This ensures the security of the Device.

Figure 7-5 Model of the secure access control policies of Devices

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure different access control policies on the Device to isolate the management network, residential network, and Internet.
  2. Apply the access control policies on the interfaces of the Device to restrict the Telnet authorities of users in different areas.

Data Preparation

To complete the configuration, you need the following data:

  • Network segment for the IP address of each area
  • ACL numbers and policy names
  • Applications

Procedure

  1. Configure access control policies.

    # Configure the ACLs that allow users in the network segment 10.1.1.0/24 to log in to the Device using Telnet and forbid users in the network segments 10.1.2.0/24 and 10.1.3.0/24 to log in to the Device using Telnet.

    <HUAWEI> system-view
    [~HUAWEI] acl number 3000
    [*HUAWEI-acl4-advance-3000] rule permit tcp destination-port eq telnet source 10.1.1.0 0.0.0.255
    [*HUAWEI-acl4-advance-3000] commit
    [~HUAWEI-acl4-advance-3000] quit
    [~HUAWEI] acl number 3001
    [*HUAWEI-acl4-advance-3001] rule deny tcp destination-port eq telnet source 10.1.2.0 0.0.0.255
    [*HUAWEI-acl4-advance-3001] commit
    [~HUAWEI-acl4-advance-3001] quit
    [~HUAWEI] acl number 3002
    [*HUAWEI-acl4-advance-3002] rule deny tcp destination-port eq telnet source 10.1.3.0 0.0.0.255
    [*HUAWEI-acl4-advance-3002] commit
    [~HUAWEI-acl4-advance-3002] quit
    # Configure traffic classifiers and define ACL-based matching rules.

    [~HUAWEI] traffic classifier classifier1
    [*HUAWEI-classifier-classifier1] if-match acl 3000
    [*HUAWEI-classifier-classifier1] commit
    [~HUAWEI-classifier-classifier1] quit
    [~HUAWEI] traffic classifier classifier2
    [*HUAWEI-classifier-classifier2] if-match acl 3001
    [*HUAWEI-classifier-classifier2] commit
    [~HUAWEI-classifier-classifier2] quit
    [~HUAWEI] traffic classifier classifier3
    [*HUAWEI-classifier-classifier3] if-match acl 3002
    [*HUAWEI-classifier-classifier3] commit
    [~HUAWEI-classifier-classifier3] quit
    # Define traffic behaviors that allow users on the management network to log in to the Device using Telnet and forbid users on other networks to log in to the Device using Telnet.

    [~HUAWEI] traffic behavior behavior1
    [*HUAWEI-behavior-behavior1] quit
    [*HUAWEI] traffic behavior behavior2
    [*HUAWEI-behavior-behavior2] quit
    [*HUAWEI] traffic behavior behavior3
    [*HUAWEI-behavior-behavior3] quit
    [*HUAWEI] commit
    # Define traffic policies to associate the traffic classifiers with the traffic behaviors.

    [~HUAWEI] traffic policy policy1
    [*HUAWEI-trafficpolicy-policy1] classifier classifier1 behavior behavior1
    [*HUAWEI-trafficpolicy-policy1] commit
    [~HUAWEI-trafficpolicy-policy1] quit
    [~HUAWEI] traffic policy policy2
    [*HUAWEI-trafficpolicy-policy2] classifier classifier2 behavior behavior2
    [*HUAWEI-trafficpolicy-policy2] commit
    [~HUAWEI-trafficpolicy-policy2] quit
    [~HUAWEI] traffic policy policy3
    [*HUAWEI-trafficpolicy-policy3] classifier classifier3 behavior behavior3
    [*HUAWEI-trafficpolicy-policy3] quit
    [*HUAWEI] commit

  2. Apply the access control policies.

    [~HUAWEI] interface gigabitethernet 1/0/1
    [~HUAWEI-GigabitEthernet1/0/1] undo shutdown
    [~HUAWEI-GigabitEthernet1/0/1] ip address 10.1.1.100 255.255.255.0
    [*HUAWEI-GigabitEthernet1/0/1] traffic-policy policy1 inbound
    [*HUAWEI-GigabitEthernet1/0/1] commit
    [~HUAWEI-GigabitEthernet1/0/1] quit
    [~HUAWEI] interface gigabitethernet 1/0/2
    [~HUAWEI-GigabitEthernet1/0/2] undo shutdown
    [~HUAWEI-GigabitEthernet1/0/2] ip address 10.1.2.100 255.255.255.0
    [*HUAWEI-GigabitEthernet1/0/2] traffic-policy policy2 inbound
    [*HUAWEI-GigabitEthernet1/0/2] commit
    [~HUAWEI-GigabitEthernet1/0/2] quit
    [~HUAWEI] interface gigabitethernet 1/0/3
    [~HUAWEI-GigabitEthernet1/0/3] undo shutdown
    [~HUAWEI-GigabitEthernet1/0/3] ip address 10.1.3.100 255.255.255.0
    [*HUAWEI-GigabitEthernet1/0/3] traffic-policy policy3 inbound
    [*HUAWEI-GigabitEthernet1/0/3] commit

Configuration Files

  • Configuration file of the Device

#
acl number 3000
 rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq telnet
#
acl number 3001
 rule 5 deny tcp source 10.1.2.0 0.0.0.255 destination-port eq telnet
#
acl number 3002
 rule 5 deny tcp source 10.1.3.0 0.0.0.255 destination-port eq telnet
#
traffic classifier classifier1 operator or
 if-match acl 3000
traffic classifier classifier3 operator or
 if-match acl 3002
traffic classifier classifier2 operator or
 if-match acl 3001
#
traffic behavior behavior3
traffic behavior behavior2
traffic behavior behavior1
#
traffic policy policy1
 share-mode
 classifier classifier1 behavior behavior1
traffic policy policy2
 share-mode
 classifier classifier2 behavior behavior2
traffic policy policy3
 share-mode
 classifier classifier3 behavior behavior3
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.100 255.255.255.0
 traffic-policy policy1 inbound
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.2.100 255.255.255.0
 traffic-policy policy2 inbound
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.1.3.100 255.255.255.0
 traffic-policy policy3 inbound
#
return
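The configuration above chains interface -> traffic-policy -> classifier -> if-match acl, and the ACL rules decide which area may reach the Telnet port. The following Python script, added here as an illustration and not part of Huawei's documentation or tooling, parses the ACL section of the configuration file shown above and replays sample packets through the policy applied on each interface, so that the result can be checked against Table 7-3 before the configuration is deployed. It assumes the semantics the example relies on: rules are evaluated in order, a deny match is dropped by the inbound traffic policy, a permit match is passed to the traffic behavior, and a packet matching no rule is left untouched by the policy. The ACL text, the sample source addresses, the interface-to-ACL mapping and the `PORT_NAMES` table are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the ACL section of the configuration file shown on this page,
# in the same "rule <id> <permit|deny> <proto> source <ip> <wildcard> destination-port eq <port>" form.
ACL_CONFIG = """\
acl number 3000
 rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq telnet
acl number 3001
 rule 5 deny tcp source 10.1.2.0 0.0.0.255 destination-port eq telnet
acl number 3002
 rule 5 deny tcp source 10.1.3.0 0.0.0.255 destination-port eq telnet
"""

# Which ACL the inbound traffic policy on each interface resolves to, following the page's
# chain interface -> traffic-policy -> classifier -> if-match acl (constructed mapping).
INTERFACE_ACL = {
    "GigabitEthernet1/0/1": 3000,  # management network
    "GigabitEthernet1/0/2": 3001,  # residential network
    "GigabitEthernet1/0/3": 3002,  # Internet
}

PORT_NAMES = {"telnet": 23, "ssh": 22}  # well-known ports for the names used in rules


@dataclass
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "tcp", "udp", ...
    src_ip: int      # source address as a 32-bit integer
    wildcard: int    # VRP wildcard: 0 bits must match, 1 bits are ignored
    dst_port: int


def parse_acls(text):
    """Parse 'acl number N' blocks and their rules into {acl_number: [Rule, ...]}."""
    acls = {}
    current = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["acl", "number"]:
            current = int(tok[2])
            acls[current] = []
        elif tok[0] == "rule" and current is not None:
            src_idx = tok.index("source")
            port = tok[tok.index("eq") + 1]
            acls[current].append(Rule(
                action=tok[2],
                proto=tok[3],
                src_ip=int(ipaddress.IPv4Address(tok[src_idx + 1])),
                wildcard=int(ipaddress.IPv4Address(tok[src_idx + 2])),
                dst_port=int(port) if port.isdigit() else PORT_NAMES[port],
            ))
    return acls


def evaluate(acls, interface, src_ip, proto, dst_port):
    """Verdict for a packet arriving inbound on `interface`: 'permit', 'deny' or 'no-match'.

    Rules are checked in order and the first match wins (assumed semantics, see lead-in).
    """
    pkt = int(ipaddress.IPv4Address(src_ip))
    for rule in acls[INTERFACE_ACL[interface]]:
        must_match = ~rule.wildcard & 0xFFFFFFFF   # bits the wildcard says must be equal
        if (rule.proto == proto and rule.dst_port == dst_port
                and ((pkt ^ rule.src_ip) & must_match) == 0):
            return rule.action
    return "no-match"


def audit(acls):
    """Check each area's Telnet access against Table 7-3. Returns {(interface, src): (verdict, ok)}."""
    expected = {
        ("GigabitEthernet1/0/1", "10.1.1.7"): "permit",  # management: trusted
        ("GigabitEthernet1/0/2", "10.1.2.7"): "deny",    # residential: untrusted
        ("GigabitEthernet1/0/3", "10.1.3.7"): "deny",    # Internet: untrusted
    }
    results = {}
    for (ifname, src), want in expected.items():
        verdict = evaluate(acls, ifname, src, "tcp", 23)
        results[(ifname, src)] = (verdict, verdict == want)
    return results


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    for (ifname, src), (verdict, ok) in audit(acls).items():
        print(f"{ifname} telnet from {src}: {verdict} ({'OK' if ok else 'MISMATCH'})")
    # What the Telnet-only ACLs do not cover: SSH from the residential segment, and a
    # source outside the three segments, both match no rule on their interface.
    print("GE1/0/2 ssh from 10.1.2.7:", evaluate(acls, "GigabitEthernet1/0/2", "10.1.2.7", "tcp", 22))
    print("GE1/0/3 telnet from 192.0.2.5:", evaluate(acls, "GigabitEthernet1/0/3", "192.0.2.5", "tcp", 23))
```

The three audited packets reproduce the intent of the example (management permitted, residential and Internet denied). The two extra checks show the limits of what these ACLs express: only the Telnet port is constrained, and a source address outside the three listed segments matches no rule, so the example should be read as the minimal Telnet case and extended in the same way for the other management channels listed in Table 7-3.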
Updated: 2019-01-04

Document ID: EDOC1100059445