Preventing Theft of Administrator Rights
This topic describes how to isolate the private network from the public network, configure the whitelist, and configure user login rights and login authentication to prevent theft of administrator rights.
Isolating Private and Public Networks
To ensure security, deploy the device on the private network. A device deployed on the public network is exposed to risks such as network attacks, unauthorized SIP registration, and account theft. If the device must be deployed on the public network, isolate it at the network level: block inbound access to SIP port 5060, SSH service port 22, and Telnet management port 23 on the SBC and firewall so that the device cannot be reached on these ports from the public network. Telnet carries credentials in cleartext and should be disabled on the device as well; if SSH is required for remote maintenance, restrict it to whitelisted source addresses instead of exposing it to the whole public network. For detailed firewall configuration, see Firewall Configuration.
If the device is deployed on the public network and these ports are not blocked on the SBC or firewall, unauthorized users can reach the management interfaces, log in to the device, and modify the configuration data.
Configuring the Whitelist
If users on the public network need to access the device, configure the whitelist. Only users whose source IP addresses are on the whitelist can perform administrator operations on the device from the public network. The whitelist filters by source address only; a whitelisted host that is compromised, or an address that is spoofed, still reaches the login prompt, so the whitelist complements rather than replaces login authentication. For details about how to configure the whitelist, see Configuring the Whitelist.
Configuring User Login Rights and Login Authentication
When a user logs in to the device through Telnet or SSH for local or remote maintenance, configure the VTY user interface (see Configuring the VTY User Interface) according to user and security requirements.
- User levels correspond to command levels. A user can run only commands at the same level or lower levels. Assign Telnet or SSH login users the lowest level that covers the tasks they need to perform, and grant the management level only to users who actually administer the device, so that a stolen low-level account cannot be used to change the configuration.
- The device supports AAA authentication and password authentication. Configuring an authentication mode enhances device security; AAA authentication with a separate local user for each operator is preferable to a single shared VTY password, because each user can be given an individual level and login records can be traced to a person. Use a complex authentication password so that it cannot be easily cracked, and change it periodically.
If the user level and login authentication are not configured, unauthorized users can easily log in to the device and modify the configuration data.
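The following configuration is an added example that ties together the three measures above (blocking the management ports toward the public network, whitelisting the maintenance subnet, and AAA authentication with per-user levels on the VTY interface). It is written in Huawei VRP-style CLI and is not taken from the product documentation; the interface name, ACL numbers, addresses, user names and passwords are placeholders, and the exact form of some commands (for example the password keyword and the Telnet server switch) varies between software versions, so check them against the command reference for your device. Lines beginning with "# " are annotations, not commands.

```text
# Added example (not from the original page). All names and addresses are assumptions.
system-view

# 1. Disable the cleartext Telnet server; allow only SSH (STelnet).
undo telnet server enable
stelnet server enable

# 2. Whitelist: only the maintenance subnet may open a VTY session.
#    ACL 2000 and 10.1.1.0/24 are assumptions.
acl number 2000
 rule 5 permit source 10.1.1.0 0.0.0.255
 rule 10 deny
quit

# 3. One local user per operator with the lowest level that fits the job.
#    Level 1 is monitor-only; level 15 is the management level used for configuration.
aaa
 local-user maint password irreversible-cipher Maint-2024#r7Qp
 local-user maint privilege level 1
 local-user maint service-type ssh
 local-user admin01 password irreversible-cipher Admin-2024#v2Xk
 local-user admin01 privilege level 15
 local-user admin01 service-type ssh
quit
ssh user maint authentication-type password
ssh user maint service-type stelnet
ssh user admin01 authentication-type password
ssh user admin01 service-type stelnet

# 4. VTY user interface: AAA authentication, SSH only, whitelist ACL, idle timeout.
#    Avoid the weak form "authentication-mode password" with a shared password and
#    "user privilege level 15" set directly under the VTY: every caller who learns the
#    one password then has full management rights.
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 5 0
quit

# 5. On the interface facing the public network, reject Telnet entirely, accept SSH
#    only from the maintenance subnet, and accept SIP only from the SBC (203.0.113.10
#    is an assumed SBC address). This duplicates, on the device, the filtering that
#    the SBC and firewall should already perform.
acl number 3000
 rule 5 deny tcp destination-port eq 23
 rule 10 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq 22
 rule 15 deny tcp destination-port eq 22
 rule 20 permit udp source 203.0.113.10 0 destination-port eq 5060
 rule 25 permit tcp source 203.0.113.10 0 destination-port eq 5060
 rule 30 deny udp destination-port eq 5060
 rule 35 deny tcp destination-port eq 5060
 rule 40 permit ip
quit
interface GigabitEthernet0/0/1
 traffic-filter inbound acl 3000
quit
```

After applying the configuration, confirm the result from a host outside the whitelisted subnet: a Telnet or SSH connection to the device should be refused, while SSH from the maintenance subnet should prompt for the per-user AAA credentials. On the device, display current-configuration configuration user-interface shows the VTY settings, and display users lists who is currently logged in and at which level.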