
ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Access Control Based on Identity Hiding

ME devices are part of the infrastructure of customer networks, and their physical existence need not be exposed to the public. In locations that have high security requirements or face serious security risks (for example, at the edge of a customer network), the identities of ME devices can be hidden so that the devices do not respond to external detection messages.

Currently, ME devices answer ICMP packets, which reveals that they are reachable. The Ping command and responses to ICMP packets can therefore be disabled on ME devices to prevent attackers from performing reachability detection in the early stage of an attack.

Example for Disabling Response to ICMP Packets

Networking Requirements

In Figure 7-8, the Device is at the edge of the network. Network attackers often use ICMP packets to detect the internal structure of the network. The identity of the Device must be hidden by disabling response to ICMP packets to ensure the security of the Device and prevent unauthorized users from attacking the Device.

Figure 7-8 Networking diagram for disabling response to ICMP packets

Device Name    Interface    IP Address
Device         GE1/0/1      10.137.217.221/16

Configuration Roadmap

The configuration roadmap is as follows:

  1. Run the Ping command on the PC to check whether the Device responds to ICMP packets.
  2. Disable response to ICMP packets on the Device.
  3. Run the Ping command again to check whether response to ICMP packets is disabled on the Device.
Data Preparation

To complete the configuration, you need the following data:

None

Procedure
  1. Run the Ping command on the PC to check whether the Device responds to ICMP packets.

    # View the statistics on ICMP traffic before you run the Ping command.

    <HUAWEI> display icmp statistics
    Input:  bad format           0          bad checksum              0         
            echo                 0          destination unreachable   0         
            source quench        0          redirects                 0         
            echo reply           0          parameter problem         0         
            timestamp request    0          information request       0         
            mask requests        0          mask replies              0         
            time exceeded        0          timestamp reply           0         
            Mping request        0          Mping reply               0         
    
    Output: echo                 0          destination unreachable   0         
            source quench        0          redirects                 0         
            echo reply           0          parameter problem         0         
            timestamp request    0          information reply         0         
            mask requests        0          mask replies              0         
            time exceeded        0          timestamp reply           0         
            Mping request        0          Mping reply               0 

    # View the statistics on ICMP traffic after you run the Ping command.

    <HUAWEI> display icmp statistics
    Input:  bad format           0          bad checksum              0         
            echo                 2          destination unreachable   0         
            source quench        0          redirects                 0         
            echo reply           0          parameter problem         0         
            timestamp request    0          information request       0         
            mask requests        0          mask replies              0         
            time exceeded        0          timestamp reply           0         
            Mping request        0          Mping reply               0         
    
    Output: echo                 0          destination unreachable   0         
            source quench        0          redirects                 0         
            echo reply           2          parameter problem         0         
            timestamp request    0          information reply         0         
            mask requests        0          mask replies              0         
            time exceeded        0          timestamp reply           0         
            Mping request        0          Mping reply               0 

    The preceding command output shows that the Device responds to ICMP packets of the Ping type.

  2. Disable response to ICMP packets on the Device.
    <HUAWEI> system-view
    [~HUAWEI] undo icmp name echo receive
    [*HUAWEI] commit
    [~HUAWEI] quit
    [~HUAWEI] undo icmp name ?
      echo                  Echo request(Type=8, Code=0)
      echo-reply            Echo Reply(Type=0, Code=0)
      fragmentneed-dfset    Fragmentation needed but no frag bit set(Type=3, Code=4)
      host-redirect         Redirect for host(Type=5, Code=1)
      host-tos-redirect     Redirect for TOS and host(Type=5, Code=3)
      host-unreachable      Host Unreachable(Type=3, Code=1)
      information-reply     Information reply(Type=16, Code=0)
      information-request   Information request(Type=15, Code=0)
      net-redirect          Redirect for network(Type=5, Code=0)
      net-tos-redirect      Redirect for TOS and network(Type=5, Code=2)
      net-unreachable       Network Unreachable(Type=3, Code=0)
      parameter-problem     IP header bad (catchall error)(Type=12, Code=0)
      port-unreachable      Port Unreachable(Type=3, Code=3)
      protocol-unreachable  Protocol Unreachable(Type=3, Code=2)
      reassembly-timeout    TTL equals 0 during reassembly(Type=11, Code=1)
      source-quench         Source quench(Type=4, Code=0)
      source-route-failed   Source routing failed(Type=3, Code=5)
      timestamp-reply       Timestamp reply(Type=14, Code=0)
      timestamp-request     Timestamp request(Type=13, Code=0)
      ttl-exceeded          TTL equals 0 during transit(Type=11, Code=0)
  3. Run the Ping command again to check whether response to ICMP packets is disabled on the Device.

    # Clear the statistics on ICMP traffic.

    <HUAWEI> reset ip statistics

    # View the statistics on ICMP traffic before you run the Ping command.

    <HUAWEI> display icmp statistics
    Input:  bad format           0          bad checksum              0         
            echo                 0          destination unreachable   0         
            source quench        0          redirects                 0         
            echo reply           0          parameter problem         0         
            timestamp request    0          information request       0         
            mask requests        0          mask replies              0         
            time exceeded        0          timestamp reply           0         
            Mping request        0          Mping reply               0         
    
    Output: echo                 0          destination unreachable   0         
            source quench        0          redirects                 0         
            echo reply           0          parameter problem         0         
            timestamp request    0          information reply         0         
            mask requests        0          mask replies              0         
            time exceeded        0          timestamp reply           0         
            Mping request        0          Mping reply               0 

    # View the statistics on ICMP traffic after you run the Ping command.

    <HUAWEI> display icmp statistics
    Input:  bad format           0          bad checksum              0         
            echo                 0          destination unreachable   0         
            source quench        0          redirects                 0         
            echo reply           0          parameter problem         0         
            timestamp request    0          information request       0         
            mask requests        0          mask replies              0         
            time exceeded        0          timestamp reply           0         
            Mping request        0          Mping reply               0         
    
    Output: echo                 0          destination unreachable   0         
            source quench        0          redirects                 0         
            echo reply           0          parameter problem         0         
            timestamp request    0          information reply         0         
            mask requests        0          mask replies              0         
            time exceeded        0          timestamp reply           0         
            Mping request        0          Mping reply               0 

    The preceding command output shows that response to ICMP packets is disabled on the Device.
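The three-step check in this procedure (snapshot the ICMP counters, ping the Device, snapshot again) can be automated so that the hardening is verified the same way every time instead of being read by eye. The following Python script is an added example and is not part of the Huawei guide; it parses the two-column `display icmp statistics` layout shown above and reports whether the Device emitted echo replies between two snapshots. The sample snapshots are copied from the outputs in steps 1 and 3, trimmed to the rows that matter here; capturing the output from the Device (for example over an SSH session) is assumed to happen outside this script.

```python
import re
from typing import Dict

Snapshot = Dict[str, Dict[str, int]]

# Snapshots reproduced from the page's outputs, trimmed to a few rows.
# All counters at zero: the state before each ping in steps 1 and 3, and
# also the state after the ping in step 3 (echo receive disabled).
ALL_ZERO = """\
<HUAWEI> display icmp statistics
Input:  bad format           0          bad checksum              0
        echo                 0          destination unreachable   0
        echo reply           0          parameter problem         0

Output: echo                 0          destination unreachable   0
        echo reply           0          parameter problem         0
"""

# Step 1 after the ping: two echo requests in, two echo replies out.
STEP1_AFTER = """\
<HUAWEI> display icmp statistics
Input:  bad format           0          bad checksum              0
        echo                 2          destination unreachable   0
        echo reply           0          parameter problem         0

Output: echo                 0          destination unreachable   0
        echo reply           2          parameter problem         0
"""

# A counter label ("bad format", "destination unreachable", ...) followed by
# whitespace and its integer value; lazy match keeps labels from swallowing
# the next column.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s+(\d+)")


def parse_icmp_statistics(text: str) -> Snapshot:
    """Turn the 'Input:' / 'Output:' blocks into {section: {label: count}}."""
    counters: Snapshot = {"Input": {}, "Output": {}}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        for name in ("Input", "Output"):
            if stripped.startswith(name + ":"):
                section = name
                stripped = stripped[len(name) + 1:]
                break
        if section is None:
            continue  # prompt / command echo line before the first block
        for label, value in COUNTER_RE.findall(stripped):
            counters[section][label.strip()] = int(value)
    return counters


def counter_deltas(before: Snapshot, after: Snapshot) -> Snapshot:
    """Counters that changed between two snapshots (unchanged rows omitted)."""
    changed: Snapshot = {"Input": {}, "Output": {}}
    for section in ("Input", "Output"):
        for name in set(before[section]) | set(after[section]):
            diff = after[section].get(name, 0) - before[section].get(name, 0)
            if diff != 0:
                changed[section][name] = diff
    return changed


def ping_check(before_text: str, after_text: str) -> Dict[str, object]:
    """Did the Device answer pings between the two snapshots?

    The outgoing 'echo reply' counter is the decisive signal: with echo
    receive disabled, the page's step-3 output shows it staying at zero.
    """
    deltas = counter_deltas(parse_icmp_statistics(before_text),
                            parse_icmp_statistics(after_text))
    echo_in = deltas["Input"].get("echo", 0)
    reply_out = deltas["Output"].get("echo reply", 0)
    return {"echo_in": echo_in, "echo_reply_out": reply_out,
            "responds": reply_out > 0}


if __name__ == "__main__":
    print("before hardening:", ping_check(ALL_ZERO, STEP1_AFTER))
    print("after hardening: ", ping_check(ALL_ZERO, ALL_ZERO))
```

Because `counter_deltas` returns every counter that moved, the same comparison also surfaces other ICMP activity during the test window (redirects, unreachables) that would otherwise be overlooked while reading only the echo rows.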

Configuration Files
  • Configuration file of the Device
    #
    aaa
     authentication-scheme default
     #
     authorization-scheme default
     #
     accounting-scheme default
     #
     domain default
     #
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ip address 10.137.217.221 255.255.0.0    
    #
    interface NULL0
    #
    undo icmp echo receive
    undo icmp echo-reply receive
    #
    return                      
    
Updated: 2019-01-04

Document ID: EDOC1100059445