ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Public-Network-based Inband NMS

Configuring a Service Interface and Loopback Interface as Management Interfaces

Networking Requirements

None

Configuration Roadmap

Configure IP addresses on the service interface and loopback interface used for management. Do not bind these interfaces to any VPN instance.

Data Preparation

None

# Configure IP addresses for the service interface and loopback interface used for management.

[~HUAWEI] interface GigabitEthernet 3/0/1
[~HUAWEI-GigabitEthernet3/0/1] ip address 10.3.1.1 24
[*HUAWEI-GigabitEthernet3/0/1] commit
[~HUAWEI-GigabitEthernet3/0/1] display this
#
interface GigabitEthernet3/0/1
 undo shutdown
 ip address 10.3.1.1 255.255.255.0 
#
[~HUAWEI-GigabitEthernet3/0/1] quit
[~HUAWEI] interface LoopBack 0
[~HUAWEI-LoopBack0] ip address 1.1.1.1 32
[*HUAWEI-LoopBack0] commit
[~HUAWEI-LoopBack0] display this
#
interface LoopBack0
  ip address 1.1.1.1 255.255.255.255
#

Disabling the Service Plane from Sending Management Protocol Packets to the Management Plane

Networking Requirements

Specific service interfaces are disabled from sending management protocol packets to the management plane so that the management plane receives management protocol packets only from the other service interfaces.

Configuration Roadmap
The configuration roadmap is as follows:
  1. Create a global MA-defend policy to disable the service plane from sending management protocol packets to the management plane.
  2. Create an interface policy to allow specific management protocol packets to pass.
  3. Apply the interface policy to an interface.
  4. Check the configurations and the number of dropped packets.
  1. Create a global MA-defend policy to disable the service plane from sending FTP, SNMP, SSH, Telnet, and TFTP packets to the management plane.
    [~HUAWEI] ma-defend global-policy
    [*HUAWEI-app-sec-global] protocol ftp deny
    [*HUAWEI-app-sec-global] protocol snmp deny
    [*HUAWEI-app-sec-global] protocol ssh deny
    [*HUAWEI-app-sec-global] protocol telnet deny
    [*HUAWEI-app-sec-global] protocol tftp deny
    [*HUAWEI-app-sec-global] enable
    [*HUAWEI-app-sec-global] commit
    [~HUAWEI-app-sec-global] quit
  2. Allow GE 3/0/1 to send management protocol packets to the management plane.
    [~HUAWEI] ma-defend interface-policy 1
    [*HUAWEI-app-sec-interface-1] protocol ftp permit
    [*HUAWEI-app-sec-interface-1] protocol snmp permit
    [*HUAWEI-app-sec-interface-1] protocol ssh permit
    [*HUAWEI-app-sec-interface-1] protocol telnet permit
    [*HUAWEI-app-sec-interface-1] protocol tftp permit
    [*HUAWEI-app-sec-interface-1] commit
    [~HUAWEI-app-sec-interface-1] quit
    [~HUAWEI] interface gigabitethernet3/0/1
    [~HUAWEI-GigabitEthernet3/0/1] ma-defend-interface 1
    [*HUAWEI-GigabitEthernet3/0/1] commit
    [~HUAWEI-GigabitEthernet3/0/1] quit
    NOTE:

    With this configuration, only GE 3/0/1 can be used to access the device. No other interface, including the management network interface, can be used for access, so any NMS that reaches the device through an interface other than GE 3/0/1 is disconnected.

  3. Verify the configuration.
    [~HUAWEI] display ma-defend all
    MA-defend policy type: global-policy
    ----------------------------------------------------
      The global-policy is enabled
      --------------------------------------------------
      protocol       rule
      --------------------------------------------------
      FTP            deny
      SSH            deny
      SNMP           deny
      TELNET         deny
      TFTP           deny
    ----------------------------------------------------
    MA-defend policy type: interface-policy 1
    ----------------------------------------------------
      The interface-policy is bound to interface:
      GigabitEthernet3/0/1
      --------------------------------------------------
      protocol       rule
      --------------------------------------------------
      FTP            permit
      SSH            permit
      SNMP           permit
      TELNET         permit
      TFTP           permit
  4. Check whether all the service interfaces, excluding GE 3/0/1, drop management protocol packets.
    [~HUAWEI] display cpu-defend ma-defend statistics
    Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
    --------------------------------------------------------------------------------
    3         MA-Defend                            100           20               80
    --------------------------------------------------------------------------------
              FTP SERVER                           100           20               80
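The following Python script is an added example and is not part of this configuration guide or of the device software. It parses the two display outputs shown in steps 3 and 4 (copied here as constructed sample strings) and checks them against the intended state: the global policy is enabled and denies every management protocol, the interface that must keep management access (GE 3/0/1 in this example) is bound to a policy that permits all of them, and the statistics show packets being dropped on the other slots. The list of interfaces that must keep access and the protocol set are assumptions of the example; when run against real output, feed it the text captured from the device.

```python
import re

# Constructed sample: "display ma-defend all" output from this example,
# trimmed of its separator lines (the parser skips them anyway).
MA_DEFEND_ALL = """\
MA-defend policy type: global-policy
  The global-policy is enabled
  protocol       rule
  FTP            deny
  SSH            deny
  SNMP           deny
  TELNET         deny
  TFTP           deny
MA-defend policy type: interface-policy 1
  The interface-policy is bound to interface:
  GigabitEthernet3/0/1
  protocol       rule
  FTP            permit
  SSH            permit
  SNMP           permit
  TELNET         permit
  TFTP           permit
"""

# Constructed sample: "display cpu-defend ma-defend statistics" output.
MA_DEFEND_STATS = """\
Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
3         MA-Defend                            100           20               80
          FTP SERVER                           100           20               80
"""

# Management protocols covered by the MA-defend policies in this example.
MGMT_PROTOCOLS = {"FTP", "SSH", "SNMP", "TELNET", "TFTP"}


def parse_policies(text):
    """Map each policy name ("global-policy", "interface-policy 1", ...) to its
    enabled flag, the interfaces it is bound to and its per-protocol rules."""
    policies, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"MA-defend policy type:\s+(.+)", s)
        if m:
            current = {"enabled": False, "interfaces": [], "rules": {}}
            policies[m.group(1).strip()] = current
            continue
        if current is None or not s or s.startswith("-"):
            continue
        if s == "The global-policy is enabled":
            current["enabled"] = True
        elif re.match(r"\w+Ethernet[\d/]+$", s):
            current["interfaces"].append(s)
        else:
            m = re.match(r"([A-Z]+)\s+(deny|permit)$", s)
            if m:
                current["rules"][m.group(1)] = m.group(2)
    return policies


def audit(policies, management_interfaces):
    """Findings against the intended state. An interface listed in
    management_interfaces that is not bound to a policy permitting every
    management protocol is reported, because the device becomes unreachable
    through it once the global policy is enabled."""
    findings = []
    g = policies.get("global-policy")
    if g is None or not g["enabled"]:
        findings.append("global-policy is missing or not enabled")
    else:
        findings += [f"global-policy does not deny {p}"
                     for p in sorted(MGMT_PROTOCOLS) if g["rules"].get(p) != "deny"]
    bound = {intf: pol for pol in policies.values() for intf in pol["interfaces"]}
    for intf in management_interfaces:
        pol = bound.get(intf)
        if pol is None:
            findings.append(f"{intf} has no interface-policy bound; management access is lost")
            continue
        findings += [f"{intf}: bound policy does not permit {p}"
                     for p in sorted(MGMT_PROTOCOLS) if pol["rules"].get(p) != "permit"]
    return findings


def parse_stats(text):
    """Rows of the statistics table as dicts. Rows without a slot number are the
    per-protocol breakdown of the slot row above them."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if not m:
            continue  # header and separator lines do not end in three counters
        head = m.group(1).split()
        slot = head[0] if head and head[0].isdigit() else None
        rows.append({"slot": slot, "type": " ".join(head[1:] if slot else head),
                     "total": int(m.group(2)), "passed": int(m.group(3)),
                     "dropped": int(m.group(4))})
    return rows


def dropped_by_slot(text):
    """Dropped management packets per slot: the evidence that service
    interfaces without a permit policy are discarding them."""
    return {r["slot"]: r["dropped"] for r in parse_stats(text) if r["slot"]}
```

Running `audit(parse_policies(MA_DEFEND_ALL), ["GigabitEthernet3/0/1"])` on the sample returns an empty list; listing any other interface, or removing a permit rule from interface-policy 1, produces a finding that names the interface that would lose management access.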

Access Restriction

Networking Requirements

By default, a server receives connection requests from all interfaces and is therefore vulnerable to attacks. To improve the security of a server, configure the server to receive connection requests from only the specified source interface and address.

Configuration Roadmap
The configuration roadmap is as follows:
  • Ensure that the client has Layer 3 reachability to the interface or address that will be specified as the server source.
  • Configure the source interface or source address for each server.
Data Preparation

None

Telnet Server

After the source interface of the Telnet server is configured, the client can access the Telnet server only through this interface.

[~HUAWEI] telnet server-source -i LoopBack 1
Warning: Telnet server source configuration will take effect in the next login. Do you want to continue?  [Y/N]:y
Info: Succeeded in setting the source interface of the Telnet server to LoopBack1.
After the source IPv6 address of the Telnet server is configured, the client can access the Telnet server only through this address.
[~HUAWEI] telnet ipv6 server-source -a 3::2
Warning: Telnet server source configuration will take effect in the next login. Do you want to continue?  [Y/N]:y
SSH Server

After the source interface of the SSH server is configured, the client can access the SSH server only through this interface.

[~HUAWEI] ssh server-source -i LoopBack 1
Warning: SSH server source configuration will take effect in the next login. Do you want to continue? [Y/N]:y
Info: Succeeded in setting the source interface of the SSH server to LoopBack1.
After the source IPv6 address of the SSH server is configured, the client can access the SSH server only through this address.
[~HUAWEI] ssh ipv6 server-source -a 3::2
Warning: SSH server source configuration will take effect in the next login. Do you want to continue? [Y/N]:y
FTP Server

After the source address of the FTP server is configured, the client can access the FTP server only through this address.

[~HUAWEI] ftp server-source -a 1.1.1.1 
Info: Succeeded in setting the source address of the FTP server to 1.1.1.1.
After the source IPv6 address of the FTP server is configured, the client can access the FTP server only through this address.
[~HUAWEI] ftp ipv6 server-source -a 3::2
Warning: To make the server source configuration take effect, the FTP server will be restarted. Continue? [Y/N]:y

After the source interface of the FTP server is configured, the client can access the FTP server only through this interface.

[~HUAWEI] ftp server-source -i LoopBack 1
Info: Succeeded in setting the source interface of the FTP server to LoopBack1.
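The following Python script is an added example, not part of this configuration guide or of the device software. It audits a configuration text for the server-source commands shown in this section and reports which servers still accept connections on every interface. The configuration fragment is constructed, the expected set of (server, address family) pairs is an assumption of the example, and the script assumes that the commands appear in the configuration text in the same form as they are entered.

```python
import re

# Constructed sample of a configuration fragment. Only the FTP server (IPv4),
# the SSH server (IPv6) and the Telnet server (IPv4) have a source restriction;
# the remaining servers still accept connections through every interface.
SAMPLE_CONFIG = """\
#
ftp server-source -a 1.1.1.1
ssh ipv6 server-source -a 3::2
telnet server-source -i LoopBack 1
#
"""

# The (server, address family) pairs an operator intends to restrict. This set
# is an assumption of the example, not something the device reports.
EXPECTED = {("telnet", "ipv4"), ("telnet", "ipv6"), ("ssh", "ipv4"),
            ("ssh", "ipv6"), ("ftp", "ipv4"), ("ftp", "ipv6")}

# "<server> [ipv6] server-source -i <interface> | -a <address>", the command
# forms used on this page.
SOURCE_RE = re.compile(
    r"^(telnet|ssh|ftp)\s+(ipv6\s+)?server-source\s+-(i|a)\s+(\S.*?)\s*$")


def parse_sources(config_text):
    """Map (server, family) to ("interface" | "address", value) for every
    server-source command found in the configuration text."""
    sources = {}
    for raw in config_text.splitlines():
        m = SOURCE_RE.match(raw.strip())
        if m:
            key = (m.group(1), "ipv6" if m.group(2) else "ipv4")
            kind = "interface" if m.group(3) == "i" else "address"
            sources[key] = (kind, m.group(4))
    return sources


def missing_restrictions(config_text, expected=EXPECTED):
    """Servers from the expected set with no source interface or address
    configured, i.e. servers that still listen on all interfaces."""
    configured = parse_sources(config_text)
    return sorted(f"{svc} {fam}" for svc, fam in expected
                  if (svc, fam) not in configured)
```

On the sample, `missing_restrictions(SAMPLE_CONFIG)` returns the three unrestricted servers; adding the corresponding server-source command to the text removes the entry, which makes the script usable as a quick check after the configuration is committed.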

Disabling Specific Service Interfaces from Sending Management Protocol Packets to the Management Plane Using MPAC

Networking Requirements

Specific service interfaces are disabled from sending management protocol packets to the management plane so that the management plane receives management protocol packets only from the other service interfaces.

Configuration Roadmap
Create two MPAC policy profiles: one for global application, and the other for interface application. Configure a rule to disable management protocol packets from being sent to the management plane in the globally applied profile. Configure a rule to allow only specific management protocol packets to be sent to the management plane in the profile applied to an interface. The configuration roadmap is as follows:
  1. Create two MPAC policy profiles in the system view, with one being applied globally and the other being applied to an interface.
  2. Disable management protocol packets from being sent to the management plane in the profile for global application, and allow only specific management protocol packets to be sent to the management plane in the profile for interface application.
  3. Apply the former policy globally and the latter policy to GE 3/0/1 and the management network interface GE 0/0/0.
  4. Check the configurations and the number of dropped packets.
  1. Create two MPAC policy profiles in the system view, with one being applied globally and the other being applied to an interface.
    [~HUAWEI] service-security policy ipv4 global
    [*HUAWEI-service-sec-global] commit
    [~HUAWEI-service-sec-global] quit
    [~HUAWEI] service-security policy ipv4 interface
    [*HUAWEI-service-sec-interface] commit
    [~HUAWEI-service-sec-interface] quit
    
  2. Disable FTP, SNMP, SSH, Telnet, and TFTP protocol packets from being sent to the management plane in the profile for global application, and allow only FTP, SNMP, SSH, Telnet, and TFTP protocol packets to be sent to the management plane in the profile for interface application.
    [~HUAWEI] service-security policy ipv4 global
    [~HUAWEI-service-sec-global] rule deny protocol ftp
    [*HUAWEI-service-sec-global] rule deny protocol snmp
    [*HUAWEI-service-sec-global] rule deny protocol ssh
    [*HUAWEI-service-sec-global] rule deny protocol telnet
    [*HUAWEI-service-sec-global] rule deny protocol tftp
    [*HUAWEI-service-sec-global] commit
    [~HUAWEI-service-sec-global] quit
    [~HUAWEI] service-security policy ipv4 interface
    [~HUAWEI-service-sec-interface] rule permit protocol ftp
    [*HUAWEI-service-sec-interface] rule permit protocol snmp
    [*HUAWEI-service-sec-interface] rule permit protocol ssh
    [*HUAWEI-service-sec-interface] rule permit protocol telnet
    [*HUAWEI-service-sec-interface] rule permit protocol tftp
    [*HUAWEI-service-sec-interface] commit
    [~HUAWEI-service-sec-interface] quit
  3. Apply the former policy globally and the latter policy to GE 3/0/1 and the management network interface GE 0/0/0.
    [~HUAWEI] interface GigabitEthernet 0/0/0
    [*HUAWEI-GigabitEthernet0/0/0] service-security binding ipv4 interface
    [*HUAWEI-GigabitEthernet0/0/0] commit
    [~HUAWEI-GigabitEthernet0/0/0] quit
    [~HUAWEI] interface GigabitEthernet 3/0/1
    [*HUAWEI-GigabitEthernet3/0/1] service-security binding ipv4 interface
    [*HUAWEI-GigabitEthernet3/0/1] commit
    [~HUAWEI-GigabitEthernet3/0/1] quit
    [~HUAWEI] service-security global-binding ipv4 global
    [*HUAWEI] commit
    
  4. Verify the configuration.
    [~HUAWEI] display service-security binding ipv4 
      Configured : Global
      Policy Name: global
      
    Interface  : GigabitEthernet0/0/0
      Policy Name: interface
      
    Interface  : GigabitEthernet3/0/1
      Policy Name: interface
    [~HUAWEI] display service-security policy ipv4
      Policy Name : global
      Step        : 5
       rule 5 deny protocol ftp
       rule 10 deny protocol snmp
       rule 15 deny protocol ssh
       rule 20 deny protocol tftp
       rule 25 deny protocol telnet
    
    Policy Name : interface
    Step        : 5
     rule 5 permit protocol ftp
     rule 10 permit protocol snmp
     rule 15 permit protocol ssh
     rule 20 permit protocol tftp
     rule 25 permit protocol telnet
  5. Check the rule match statistics to confirm that management protocol packets from service interfaces without a bound permit policy are dropped by the global policy, so that only the bound interfaces deliver management protocol packets to the management plane.
    [~HUAWEI] display service-security statistics ipv4 
      Policy Name : global
      Step        : 5
       rule 5 deny protocol ftp (9 times matched)
       rule 10 deny protocol snmp (0 times matched)
       rule 15 deny protocol ssh (0 times matched)
       rule 20 deny protocol tftp (0 times matched)
       rule 25 deny protocol telnet (20 times matched)
      
    Policy Name : interface
    Step        : 5
     rule 5 permit protocol ftp (100 times matched)
     rule 10 permit protocol snmp (0 times matched)
     rule 15 permit protocol ssh (0 times matched)
     rule 20 permit protocol tftp (0 times matched)
     rule 25 permit protocol telnet (652 times matched)
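The following Python script is an added example, not part of this configuration guide or of the device software. It parses the binding and statistics outputs from steps 4 and 5 (copied here as constructed sample strings), extracts the per-rule match counters as the dropped-packet evidence, and performs the consistency check that protects against the lockout described in the MA-defend example: every protocol denied by the globally bound policy must be explicitly permitted by the policy bound to each management interface. The parser also accepts the plain `display service-security policy ipv4` output, where the counters are absent. Policy and interface names come from the outputs above; nothing else is assumed.

```python
import re

# Constructed samples reproducing the verification output shown in this example.
BINDING_OUTPUT = """\
  Configured : Global
  Policy Name: global

Interface  : GigabitEthernet0/0/0
  Policy Name: interface

Interface  : GigabitEthernet3/0/1
  Policy Name: interface
"""

STATS_OUTPUT = """\
  Policy Name : global
  Step        : 5
   rule 5 deny protocol ftp (9 times matched)
   rule 10 deny protocol snmp (0 times matched)
   rule 15 deny protocol ssh (0 times matched)
   rule 20 deny protocol tftp (0 times matched)
   rule 25 deny protocol telnet (20 times matched)

Policy Name : interface
Step        : 5
 rule 5 permit protocol ftp (100 times matched)
 rule 10 permit protocol snmp (0 times matched)
 rule 15 permit protocol ssh (0 times matched)
 rule 20 permit protocol tftp (0 times matched)
 rule 25 permit protocol telnet (652 times matched)
"""

# "rule <seq> permit|deny protocol <name>" with an optional match counter, so the
# same parser covers the policy display and the statistics display.
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+protocol\s+(\S+)(?:\s+\((\d+) times matched\))?")


def parse_bindings(text):
    """Return (name of the globally bound policy, {interface: policy name})."""
    global_policy, interfaces, scope = None, {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Configured"):
            scope = "global"
        elif s.startswith("Interface"):
            scope = s.split(":", 1)[1].strip()
        elif s.startswith("Policy Name"):
            name = s.split(":", 1)[1].strip()
            if scope == "global":
                global_policy = name
            elif scope:
                interfaces[scope] = name
    return global_policy, interfaces


def parse_policies(text):
    """Return {policy name: [(seq, action, protocol, matched)]}; matched is None
    when the output carries no counters."""
    policies, name = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Policy Name"):
            name = s.split(":", 1)[1].strip()
            policies[name] = []
            continue
        m = RULE_RE.match(s)
        if m and name:
            matched = int(m.group(4)) if m.group(4) else None
            policies[name].append((int(m.group(1)), m.group(2), m.group(3), matched))
    return policies


def lockout_risks(bindings_text, policy_text):
    """Interfaces whose bound policy lacks a permit for a protocol the global
    policy denies: management through them is lost for that protocol."""
    global_name, interfaces = parse_bindings(bindings_text)
    policies = parse_policies(policy_text)
    denied = {p for _, act, p, _ in policies.get(global_name, []) if act == "deny"}
    risks = {}
    for intf, pol in interfaces.items():
        permitted = {p for _, act, p, _ in policies.get(pol, []) if act == "permit"}
        gap = sorted(denied - permitted)
        if gap:
            risks[intf] = gap
    return risks


def deny_hits(policy_text, global_name="global"):
    """Per-protocol counts of packets the global policy's deny rules matched,
    i.e. the packets dropped on their way to the management plane."""
    return {p: n for _, act, p, n in parse_policies(policy_text).get(global_name, [])
            if act == "deny" and n}
```

On the sample, `lockout_risks` returns an empty dict and `deny_hits` reports the 9 FTP and 20 Telnet packets dropped by the global policy. Deleting the SSH permit rule from the interface policy in the sample text makes `lockout_risks` list both bound interfaces with `["ssh"]`, which is the case to catch before committing a policy change on a device managed in band.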
    
Updated: 2019-01-04

Document ID: EDOC1100059445
