ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Outband NMS

Binding a VPN to Management Interfaces

Networking Requirements

Figure 7-10 shows the networking of three-plane isolation.

Figure 7-10 Three-Plane Isolation

Configuration Roadmap

Bind the management VPN (mVPN) to the management network interface and to the loopback interface used for management, and bind a different VPN to the service interfaces, so that the service interfaces are isolated from the management plane.

Data Preparation

None

Configuration Procedure
  1. Create a management VPN.

    <HUAWEI> system-view
    [~HUAWEI] ip vpn-instance management
    [*HUAWEI-vpn-instance-management] ipv4-family
    [*HUAWEI-vpn-instance-management-af-ipv4] commit
    [~HUAWEI-vpn-instance-management-af-ipv4] quit
    [~HUAWEI-vpn-instance-management] display this
    #
    ip vpn-instance management
     ipv4-family
    #
    return
    [~HUAWEI-vpn-instance-management] quit
    
  2. Bind the VPN to the management interface and loopback interface for management.
    [~HUAWEI] interface GigabitEthernet1/0/0
    [~HUAWEI-GigabitEthernet1/0/0] ip binding vpn-instance management
    [*HUAWEI-GigabitEthernet1/0/0] commit
    [~HUAWEI-GigabitEthernet1/0/0] quit 
    [~HUAWEI] interface LoopBack0
    [~HUAWEI-LoopBack0] ip binding vpn-instance management
    [*HUAWEI-LoopBack0] commit
    [~HUAWEI-LoopBack0] quit
    
  3. Configure IP addresses for the management interface and loopback interface for management.
    [~HUAWEI] interface GigabitEthernet1/0/0
    [~HUAWEI-GigabitEthernet1/0/0] ip address 10.10.11.100 24
    [*HUAWEI-GigabitEthernet1/0/0] commit
    [~HUAWEI-GigabitEthernet1/0/0] display this
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip binding vpn-instance management
     ip address 10.10.11.100 255.255.255.0
    #
    return
    [~HUAWEI-GigabitEthernet1/0/0] quit
    [~HUAWEI] interface LoopBack0
    [~HUAWEI-LoopBack0] ip address 1.1.1.1 32
    [*HUAWEI-LoopBack0] commit
    [~HUAWEI-LoopBack0] display this
    #
    interface LoopBack0
     ip binding vpn-instance management
     ip address 1.1.1.1 255.255.255.255
    #
    return
    [~HUAWEI-LoopBack0] quit
  4. View the routing table to check whether routes on the management and control planes are isolated.
    [~HUAWEI] display ip routing-table
    Route Flags: R - relay, D - download
    to fib, T - to vpn-instance, B - black hole route
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 2        Routes : 2
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    
    [~HUAWEI] display ip routing-table vpn-instance management
    Route Flags: R - relay, D - download
    to fib, T - to vpn-instance, B - black hole route
    ------------------------------------------------------------------------------
    Routing Tables: management
             Destinations : 3        Routes : 3
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
            1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
         10.10.11.0/24  Direct  0    0           D   10.10.11.100    GigabitEthernet1/0/0
       10.10.11.100/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
    
    
  5. Perform the ping operation to check whether routes on the management and control planes are isolated.
    <HUAWEI> ping 10.10.11.100
    PING 10.10.11.100: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 10.10.11.100 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
    <HUAWEI> ping -vpn-instance management 10.10.11.100
    PING 10.10.11.100: 56  data bytes, press CTRL_C to break
        Reply from 10.10.11.100: bytes=56 Sequence=1 ttl=255 time=1 ms
        Reply from 10.10.11.100: bytes=56 Sequence=2 ttl=255 time=30 ms
        Reply from 10.10.11.100: bytes=56 Sequence=3 ttl=255 time=10 ms
        Reply from 10.10.11.100: bytes=56 Sequence=4 ttl=255 time=30 ms
        Reply from 10.10.11.100: bytes=56 Sequence=5 ttl=255 time=30 ms
    
      --- 10.10.11.100 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/20/30 ms
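The routing-table check in step 4 is easy to eyeball on a device with three routes, but on a production ME60 the public table is long. The following script is an added example, not Huawei code: it parses the text of `display ip routing-table` exactly as printed above (the two sample tables are the page's own output) and reports any management interface or management prefix that also appears in the public table. `LEAKED_PUBLIC_TABLE` is constructed here to show what a missing `ip binding vpn-instance management` on GE1/0/0 would look like; the interface names and the VPN instance name `management` are taken from the procedure.

```python
"""Verify management-plane route isolation from 'display ip routing-table'.

Added example, not Huawei code. Sample tables are copied from the page;
LEAKED_PUBLIC_TABLE is constructed to demonstrate a failing check.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

PUBLIC_TABLE = """\
Route Flags: R - relay, D - download
to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
"""

MGMT_TABLE = """\
Route Flags: R - relay, D - download
to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Tables: management
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
     10.10.11.0/24  Direct  0    0           D   10.10.11.100    GigabitEthernet1/0/0
   10.10.11.100/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
"""

# Constructed negative case: GE1/0/0 was never bound to the VPN instance, so its
# subnet shows up in the public table next to the loopback routes.
LEAKED_PUBLIC_TABLE = PUBLIC_TABLE.replace(
    "Destinations : 2        Routes : 2", "Destinations : 3        Routes : 3"
) + "     10.10.11.0/24  Direct  0    0           D   10.10.11.100    GigabitEthernet1/0/0\n"

# Interfaces the procedure binds to the management VPN instance.
MGMT_INTERFACES = frozenset({"GigabitEthernet1/0/0", "LoopBack0"})

PREFIX_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")


@dataclass(frozen=True)
class Route:
    dest: str
    proto: str
    nexthop: str
    iface: str


def parse_routing_table(text: str) -> Tuple[str, List[Route]]:
    """Return (table name, routes). Raises ValueError when the parsed row count
    disagrees with the 'Routes :' header, which usually means truncated capture."""
    name, declared, routes = None, None, []
    for line in text.splitlines():
        m = re.match(r"^\s*Routing Tables:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"^\s*Destinations\s*:\s*\d+\s+Routes\s*:\s*(\d+)", line)
        if m:
            declared = int(m.group(1))
            continue
        tokens = line.split()
        # A route row has 7 columns, or 6 when the Flags column is blank.
        if len(tokens) in (6, 7) and PREFIX_RE.match(tokens[0]):
            routes.append(Route(tokens[0], tokens[1], tokens[-2], tokens[-1]))
    if name is None:
        raise ValueError("no 'Routing Tables:' header found")
    if declared is not None and declared != len(routes):
        raise ValueError(f"{name}: header declares {declared} routes, parsed {len(routes)}")
    return name, routes


def check_isolation(tables: Dict[str, List[Route]], mgmt_vrf: str,
                    mgmt_ifaces: Iterable[str]) -> List[str]:
    """Return findings; an empty list means the management plane is isolated.
    A management interface may carry routes only in the management table, no
    management prefix may be reachable from another table, and every management
    interface must have at least one route (otherwise the binding is missing)."""
    mgmt_ifaces = set(mgmt_ifaces)
    mgmt_routes = tables.get(mgmt_vrf, [])
    mgmt_prefixes = {r.dest for r in mgmt_routes}
    findings = []
    for name, routes in tables.items():
        if name == mgmt_vrf:
            continue
        for r in routes:
            if r.iface in mgmt_ifaces:
                findings.append(f"{name}: route {r.dest} leaves via management interface {r.iface}")
            elif r.dest in mgmt_prefixes:
                findings.append(f"{name}: management prefix {r.dest} is also reachable here")
    for iface in sorted(mgmt_ifaces - {r.iface for r in mgmt_routes}):
        findings.append(f"{mgmt_vrf}: {iface} has no routes (not bound, or interface down)")
    return findings


def audit(raw_tables: Iterable[str], mgmt_vrf: str = "management",
          mgmt_ifaces: Iterable[str] = MGMT_INTERFACES) -> List[str]:
    """Parse each captured table and run the isolation check."""
    tables = dict(parse_routing_table(t) for t in raw_tables)
    return check_isolation(tables, mgmt_vrf, mgmt_ifaces)


if __name__ == "__main__":
    for label, raw in (("page output", [PUBLIC_TABLE, MGMT_TABLE]),
                       ("constructed leak", [LEAKED_PUBLIC_TABLE, MGMT_TABLE])):
        findings = audit(raw)
        print(f"{label}: {'isolated' if not findings else 'NOT isolated'}")
        for f in findings:
            print("  -", f)
```

Run against captures of both commands after every change to interface bindings; the row-count check guards against a paged or truncated capture silently passing the audit.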

Disabling the Service Plane from Sending Management Protocol Packets to the Management Plane

Networking Requirements

The service plane is disabled from sending management protocol packets to the management plane so that the management plane receives management protocol packets only from the management network interface.

Configuration Roadmap
The configuration roadmap is as follows:
  1. Create a global MA-defend policy to disable the service plane from sending management protocol packets to the management plane.

  2. Check the configurations and the number of dropped packets.

Configuration Procedure
  1. Create a global MA-defend policy to disable the service plane from sending FTP, SNMP, SSH, Telnet, and TFTP protocol packets to the management plane.
    [~HUAWEI] ma-defend global-policy
    [*HUAWEI-app-sec-global] protocol ftp deny
    [*HUAWEI-app-sec-global] protocol snmp deny
    [*HUAWEI-app-sec-global] protocol ssh deny
    [*HUAWEI-app-sec-global] protocol telnet deny
    [*HUAWEI-app-sec-global] protocol tftp deny
    [*HUAWEI-app-sec-global] enable
    [*HUAWEI-app-sec-global] commit
    [~HUAWEI-app-sec-global] quit
  2. Verify the configuration.
    [~HUAWEI] display ma-defend global-policy
    MA-defend policy type: global-policy
    ----------------------------------------------------
      The global-policy is enabled
      --------------------------------------------------
      protocol       rule
      --------------------------------------------------
      FTP            deny
      SSH            deny
      SNMP           deny
      TELNET         deny
      TFTP           deny
  3. Check whether all the service interfaces drop management protocol packets.
    [~HUAWEI] display cpu-defend ma-defend statistics
    Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
    -------------------------------------------------------------------------------
    3         MA-Defend                            100            0               100
    -------------------------------------------------------------------------------
              FTP SERVER                           100            0               100

Disabling the Service Plane from Sending Management Protocol Packets to the Management Plane Using MPAC

Networking Requirements

The service plane is disabled from sending management protocol packets to the management plane so that the management plane receives management protocol packets only from the management network interface.

Configuration Roadmap
Create two MPAC policy profiles: one for global application, and the other for interface application. Configure a rule to disable management protocol packets from being sent to the management plane in the globally applied profile. Configure a rule to allow only specific management protocol packets to be sent to the management plane in the profile applied to an interface. The configuration roadmap is as follows:
  1. Create two MPAC policy profiles in the system view, with one being applied globally and the other being applied to an interface.
  2. Disable management protocol packets from being sent to the management plane in the profile for global application, and allow only specific management protocol packets to be sent to the management plane in the profile for interface application.
  3. Apply the former policy globally and the latter policy to the management network interface GE 0/0/0.
  4. Check the configurations and the number of dropped packets.

Configuration Procedure
  1. Create two MPAC policy profiles in the system view, with one being applied globally and the other being applied to an interface.
    [~HUAWEI] service-security policy ipv4 global
    [*HUAWEI-service-sec-global] commit
    [~HUAWEI-service-sec-global] quit
    [~HUAWEI] service-security policy ipv4 interface
    [*HUAWEI-service-sec-interface] commit
    [~HUAWEI-service-sec-interface] quit
    
  2. Disable FTP, SNMP, SSH, Telnet, and TFTP protocol packets from being sent to the management plane in the profile for global application, and allow only FTP, SNMP, SSH, Telnet, and TFTP protocol packets to be sent to the management plane in the profile for interface application.
    [~HUAWEI] service-security policy ipv4 global
    [~HUAWEI-service-sec-global] rule deny protocol ftp
    [*HUAWEI-service-sec-global] rule deny protocol snmp
    [*HUAWEI-service-sec-global] rule deny protocol ssh
    [*HUAWEI-service-sec-global] rule deny protocol tftp
    [*HUAWEI-service-sec-global] rule deny protocol telnet
    [*HUAWEI-service-sec-global] commit
    [~HUAWEI-service-sec-global] quit
    [~HUAWEI] service-security policy ipv4 interface
    [~HUAWEI-service-sec-interface] rule permit protocol ftp
    [*HUAWEI-service-sec-interface] rule permit protocol snmp
    [*HUAWEI-service-sec-interface] rule permit protocol ssh
    [*HUAWEI-service-sec-interface] rule permit protocol tftp
    [*HUAWEI-service-sec-interface] rule permit protocol telnet
    [*HUAWEI-service-sec-interface] commit
    [~HUAWEI-service-sec-interface] quit
  3. Apply the former policy globally and the latter policy to the management network interface GE 0/0/0.
    [~HUAWEI] interface GigabitEthernet 0/0/0
    [*HUAWEI-GigabitEthernet0/0/0] service-security binding ipv4 interface
    [*HUAWEI-GigabitEthernet0/0/0] commit
    [~HUAWEI-GigabitEthernet0/0/0] quit
    [~HUAWEI] service-security global-binding ipv4 global
    [*HUAWEI] commit
    
  4. Verify the configuration.
    [~HUAWEI] display service-security binding ipv4 
    Configured : Global
    Policy Name: global
    
    Interface  : GigabitEthernet0/0/0
    Policy Name: interface
    [~HUAWEI] display service-security policy ipv4
    Policy Name : global
    Step        : 5
     rule 5 deny protocol ftp
     rule 10 deny protocol snmp
     rule 15 deny protocol ssh
     rule 20 deny protocol tftp
     rule 25 deny protocol telnet
    
    Policy Name : interface
    Step        : 5
     rule 5 permit protocol ftp
     rule 10 permit protocol snmp
     rule 15 permit protocol ssh
     rule 20 permit protocol tftp
     rule 25 permit protocol telnet
  5. Check whether management protocol packets arriving on service interfaces are dropped, that is, whether no service interface delivers management protocol packets to the management plane.
    [~HUAWEI] display service-security statistics ipv4 
    Policy Name : global
    Step        : 5
     rule 5 deny protocol ftp (9 times matched)
     rule 10 deny protocol snmp (0 times matched)
     rule 15 deny protocol ssh (0 times matched)
     rule 20 deny protocol tftp (0 times matched)
     rule 25 deny protocol telnet (15 times matched)
    
    Policy Name : interface
    Step        : 5
     rule 5 permit protocol ftp (74 times matched)
     rule 10 permit protocol snmp (0 times matched)
     rule 15 permit protocol ssh (0 times matched)
     rule 20 permit protocol tftp (0 times matched)
     rule 25 permit protocol telnet (237 times matched)
    
NOTE:
If only a global policy profile is configured and that profile denies management protocol packets to the management plane, the device can no longer be managed. To avoid this, first permit the specific service interfaces that must send management protocol packets to the management plane, and ensure that these interfaces are Up.
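The lockout condition in the note is a pure configuration-consistency problem, so it can be checked before the policies are committed on more devices. The script below is an added example, not Huawei code: it parses the `display service-security binding ipv4` and `display service-security statistics ipv4` output shown in steps 4 and 5 (copied from this page) and reports, first, every protocol the globally bound profile denies that no interface-bound profile permits, which is exactly the state the note warns about, and second, how many packets each global deny rule has already dropped, i.e. management protocol traffic that arrived on the service plane. `GLOBAL_ONLY_BINDING` is constructed here to show the failing case.

```python
"""MPAC profile consistency check: global denies vs. interface permits.

Added example, not Huawei code. The two outputs are copied from the page;
GLOBAL_ONLY_BINDING is constructed to demonstrate the lockout case.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

BINDING_OUTPUT = """\
Configured : Global
Policy Name: global

Interface  : GigabitEthernet0/0/0
Policy Name: interface
"""

STATISTICS_OUTPUT = """\
Policy Name : global
Step        : 5
 rule 5 deny protocol ftp (9 times matched)
 rule 10 deny protocol snmp (0 times matched)
 rule 15 deny protocol ssh (0 times matched)
 rule 20 deny protocol tftp (0 times matched)
 rule 25 deny protocol telnet (15 times matched)

Policy Name : interface
Step        : 5
 rule 5 permit protocol ftp (74 times matched)
 rule 10 permit protocol snmp (0 times matched)
 rule 15 permit protocol ssh (0 times matched)
 rule 20 permit protocol tftp (0 times matched)
 rule 25 permit protocol telnet (237 times matched)
"""

# Constructed: only the global profile is bound, the situation the NOTE warns about.
GLOBAL_ONLY_BINDING = "Configured : Global\nPolicy Name: global\n"

# Matches both 'display ... policy' rows (no counter) and 'display ... statistics' rows.
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+protocol\s+(\S+)(?:\s+\((\d+) times matched\))?")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    protocol: str
    matched: int  # 0 when the output carries no counters


def parse_policies(text: str) -> Dict[str, List[Rule]]:
    """Map policy name -> rules."""
    policies: Dict[str, List[Rule]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^\s*Policy Name\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            num, action, proto, hits = m.groups()
            policies[current].append(Rule(int(num), action, proto, int(hits or 0)))
    return policies


def parse_bindings(text: str) -> Dict[str, str]:
    """Map scope ('Global' or an interface name) -> bound policy name."""
    bindings: Dict[str, str] = {}
    scope = None
    for line in text.splitlines():
        m = re.match(r"^\s*(?:Configured|Interface)\s*:\s*(\S+)", line)
        if m:
            scope = m.group(1)
            continue
        m = re.match(r"^\s*Policy Name\s*:\s*(\S+)", line)
        if m and scope is not None:
            bindings[scope] = m.group(1)
            scope = None
    return bindings


def lockout_risks(policies: Dict[str, List[Rule]], bindings: Dict[str, str]) -> List[str]:
    """Protocols denied by the globally bound profile and permitted on no interface.
    Any entry here means that protocol cannot reach the management plane at all."""
    global_rules = policies.get(bindings.get("Global", ""), [])
    denied = {r.protocol for r in global_rules if r.action == "deny"}
    permitted = set()
    for scope, name in bindings.items():
        if scope != "Global":
            permitted.update(r.protocol for r in policies.get(name, []) if r.action == "permit")
    return sorted(denied - permitted)


def global_drops(policies: Dict[str, List[Rule]], bindings: Dict[str, str]) -> Dict[str, int]:
    """Packets each global deny rule has matched: management protocol traffic that
    arrived on service interfaces and was dropped. Non-zero counts are worth logging."""
    global_rules = policies.get(bindings.get("Global", ""), [])
    return {r.protocol: r.matched for r in global_rules if r.action == "deny" and r.matched > 0}


if __name__ == "__main__":
    pol = parse_policies(STATISTICS_OUTPUT)
    for label, raw in (("page bindings", BINDING_OUTPUT), ("global only", GLOBAL_ONLY_BINDING)):
        b = parse_bindings(raw)
        print(f"{label}: lockout risk for {lockout_risks(pol, b) or 'no protocols'}; "
              f"dropped on service plane: {global_drops(pol, b)}")
```

Because `RULE_RE` treats the match counter as optional, the same parser accepts `display service-security policy ipv4` output, so the consistency check can run against the configured rules before any traffic has been counted.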
Updated: 2019-01-04

Document ID: EDOC1100059445
